From: Greg Kroah-Hartman Date: Wed, 3 May 2017 04:01:30 +0000 (-0700) Subject: fix up next-4.4/ X-Git-Tag: v4.4.66~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5e328e8b0b58703d1ac0e670e66a4d93da9a39ab;p=thirdparty%2Fkernel%2Fstable-queue.git fix up next-4.4/ --- diff --git a/next-4.4/alsa-ppc-awacs-shut-up-maybe-uninitialized-warning.patch b/next-4.4/alsa-ppc-awacs-shut-up-maybe-uninitialized-warning.patch new file mode 100644 index 00000000000..a551ca13357 --- /dev/null +++ b/next-4.4/alsa-ppc-awacs-shut-up-maybe-uninitialized-warning.patch @@ -0,0 +1,35 @@ +From b268c34e5ee92a4cc3099b0caaf26e6bfbdf0f18 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 4 Jul 2016 17:07:45 +0200 +Subject: ALSA: ppc/awacs: shut up maybe-uninitialized warning + +From: Arnd Bergmann + +commit b268c34e5ee92a4cc3099b0caaf26e6bfbdf0f18 upstream. + +The awacs sound driver produces a false-positive warning in ppc64_defconfig: + +sound/ppc/awacs.c: In function 'snd_pmac_awacs_init': +include/sound/control.h:219:9: warning: 'master_vol' may be used uninitialized in this function [-Wmaybe-uninitialized] + +I haven't come up with a good way to rewrite the code to avoid the +warning, so here is a bad one: I initialize the variable before +the conditionall initialization so gcc no longer has to worry about +it. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +diff --git a/sound/ppc/awacs.c b/sound/ppc/awacs.c +index 09da7b52bc2e..1468e4b7bf93 100644 +--- a/sound/ppc/awacs.c ++++ b/sound/ppc/awacs.c +@@ -991,6 +991,7 @@ snd_pmac_awacs_init(struct snd_pmac *chip) + if (err < 0) + return err; + } ++ master_vol = NULL; + if (pm7500) + err = build_mixers(chip, + ARRAY_SIZE(snd_pmac_awacs_mixers_pmac7500), diff --git a/next-4.4/arm-omap2-timer-add-probe-for-clocksources.patch b/next-4.4/arm-omap2-timer-add-probe-for-clocksources.patch deleted file mode 100644 index 8a46eb98834..00000000000 --- a/next-4.4/arm-omap2-timer-add-probe-for-clocksources.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 970f9091d25df14e9540ec7ff48a2f709e284cd1 Mon Sep 17 00:00:00 2001 -From: Tero Kristo -Date: Thu, 16 Jun 2016 15:25:18 +0300 -Subject: ARM: OMAP2+: timer: add probe for clocksources - -From: Tero Kristo - -commit 970f9091d25df14e9540ec7ff48a2f709e284cd1 upstream. - -A few platforms are currently missing clocksource_probe() completely -in their time_init functionality. On OMAP3430 for example, this is -causing cpuidle to be pretty much dead, as the counter32k is not -going to be registered and instead a gptimer is used as a clocksource. -This will tick in periodic mode, preventing any deeper idle states. - -While here, also drop one unnecessary check for populated DT before -existing clocksource_probe() call. - -Signed-off-by: Tero Kristo -Signed-off-by: Tony Lindgren -Cc: Julia Lawall -Signed-off-by: Greg Kroah-Hartman - ---- - arch/arm/mach-omap2/timer.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - ---- a/arch/arm/mach-omap2/timer.c -+++ b/arch/arm/mach-omap2/timer.c -@@ -496,8 +496,7 @@ void __init omap_init_time(void) - __omap_sync32k_timer_init(1, "timer_32k_ck", "ti,timer-alwon", - 2, "timer_sys_ck", NULL, false); - -- if (of_have_populated_dt()) -- clocksource_probe(); -+ clocksource_probe(); - } - - #if defined(CONFIG_ARCH_OMAP3) || defined(CONFIG_SOC_AM43XX) -@@ -505,6 +504,8 @@ void __init omap3_secure_sync32k_timer_i - { - __omap_sync32k_timer_init(12, "secure_32k_fck", "ti,timer-secure", - 2, "timer_sys_ck", NULL, false); -+ -+ clocksource_probe(); - } - #endif /* CONFIG_ARCH_OMAP3 */ - -@@ -513,6 +514,8 @@ void __init omap3_gptimer_timer_init(voi - { - __omap_sync32k_timer_init(2, "timer_sys_ck", NULL, - 1, "timer_sys_ck", "ti,timer-alwon", true); -+ -+ clocksource_probe(); - } - #endif - diff --git a/next-4.4/clk-sunxi-add-apb0-gates-for-h3.patch b/next-4.4/clk-sunxi-add-apb0-gates-for-h3.patch deleted file mode 100644 index 186dd2e231e..00000000000 --- a/next-4.4/clk-sunxi-add-apb0-gates-for-h3.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 6e17b4181603d183d20c73f4535529ddf2a2a020 Mon Sep 17 00:00:00 2001 -From: Krzysztof Adamski -Date: Mon, 22 Feb 2016 14:03:25 +0100 -Subject: clk: sunxi: Add apb0 gates for H3 - -From: Krzysztof Adamski - -commit 6e17b4181603d183d20c73f4535529ddf2a2a020 upstream. - -This patch adds support for APB0 in H3. It seems to be compatible with -earlier SOCs. apb0 gates controls R_ block peripherals (R_PIO, R_IR, -etc). - -Since this gates behave just like any Allwinner clock gate, add a generic -compatible that can be reused if we don't have any clock to protect. - -Signed-off-by: Krzysztof Adamski -[Maxime: Removed the H3 compatible from the simple-gates driver, reworked - the commit log a bit] -Signed-off-by: Maxime Ripard -Cc: Julia Lawall -Signed-off-by: Greg Kroah-Hartman - ---- - Documentation/devicetree/bindings/clock/sunxi.txt | 2 ++ - drivers/clk/sunxi/clk-simple-gates.c | 2 ++ - 2 files changed, 4 insertions(+) - ---- a/Documentation/devicetree/bindings/clock/sunxi.txt -+++ b/Documentation/devicetree/bindings/clock/sunxi.txt -@@ -18,6 +18,7 @@ Required properties: - "allwinner,sun4i-a10-cpu-clk" - for the CPU multiplexer clock - "allwinner,sun4i-a10-axi-clk" - for the AXI clock - "allwinner,sun8i-a23-axi-clk" - for the AXI clock on A23 -+ "allwinner,sun4i-a10-gates-clk" - for generic gates on all compatible SoCs - "allwinner,sun4i-a10-axi-gates-clk" - for the AXI gates - "allwinner,sun4i-a10-ahb-clk" - for the AHB clock - "allwinner,sun5i-a13-ahb-clk" - for the AHB clock on A13 -@@ -43,6 +44,7 @@ Required properties: - "allwinner,sun6i-a31-apb0-gates-clk" - for the APB0 gates on A31 - "allwinner,sun7i-a20-apb0-gates-clk" - for the APB0 gates on A20 - "allwinner,sun8i-a23-apb0-gates-clk" - for the APB0 gates on A23 -+ "allwinner,sun8i-h3-apb0-gates-clk" - for the APB0 gates on H3 - "allwinner,sun9i-a80-apb0-gates-clk" - for the APB0 gates on A80 - "allwinner,sun4i-a10-apb1-clk" - for the APB1 clock - "allwinner,sun9i-a80-apb1-clk" - for the APB1 bus clock on A80 ---- a/drivers/clk/sunxi/clk-simple-gates.c -+++ b/drivers/clk/sunxi/clk-simple-gates.c -@@ -98,6 +98,8 @@ static void __init sunxi_simple_gates_in - sunxi_simple_gates_setup(node, NULL, 0); - } - -+CLK_OF_DECLARE(sun4i_a10_gates, "allwinner,sun4i-a10-gates-clk", -+ sunxi_simple_gates_init); - CLK_OF_DECLARE(sun4i_a10_apb0, "allwinner,sun4i-a10-apb0-gates-clk", - sunxi_simple_gates_init); - CLK_OF_DECLARE(sun4i_a10_apb1, "allwinner,sun4i-a10-apb1-gates-clk", diff --git a/next-4.4/crypto-testmgr-fix-out-of-bound-read-in-__test_aead.patch b/next-4.4/crypto-testmgr-fix-out-of-bound-read-in-__test_aead.patch deleted file mode 100644 index 49b42b46051..00000000000 --- a/next-4.4/crypto-testmgr-fix-out-of-bound-read-in-__test_aead.patch +++ /dev/null @@ -1,53 +0,0 @@ -From abfa7f4357e3640fdee87dfc276fd0f379fb5ae6 Mon Sep 17 00:00:00 2001 -From: Jerome Marchand -Date: Wed, 3 Feb 2016 13:58:12 +0100 -Subject: crypto: testmgr - fix out of bound read in __test_aead() - -From: Jerome Marchand - -commit abfa7f4357e3640fdee87dfc276fd0f379fb5ae6 upstream. - -__test_aead() reads MAX_IVLEN bytes from template[i].iv, but the -actual length of the initialisation vector can be shorter. -The length of the IV is already calculated earlier in the -function. Let's just reuses that. Also the IV length is currently -calculated several time for no reason. Let's fix that too. -This fix an out-of-bound error detected by KASan. - -Signed-off-by: Jerome Marchand -Signed-off-by: Herbert Xu -Cc: Julia Lawall -Signed-off-by: Greg Kroah-Hartman - ---- - crypto/testmgr.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - ---- a/crypto/testmgr.c -+++ b/crypto/testmgr.c -@@ -488,6 +488,8 @@ static int __test_aead(struct crypto_aea - aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, - tcrypt_complete, &result); - -+ iv_len = crypto_aead_ivsize(tfm); -+ - for (i = 0, j = 0; i < tcount; i++) { - if (template[i].np) - continue; -@@ -508,7 +510,6 @@ static int __test_aead(struct crypto_aea - - memcpy(input, template[i].input, template[i].ilen); - memcpy(assoc, template[i].assoc, template[i].alen); -- iv_len = crypto_aead_ivsize(tfm); - if (template[i].iv) - memcpy(iv, template[i].iv, iv_len); - else -@@ -617,7 +618,7 @@ static int __test_aead(struct crypto_aea - j++; - - if (template[i].iv) -- memcpy(iv, template[i].iv, MAX_IVLEN); -+ memcpy(iv, template[i].iv, iv_len); - else - memset(iv, 0, MAX_IVLEN); - diff --git a/next-4.4/drbd-avoid-redefinition-of-bits_per_page.patch b/next-4.4/drbd-avoid-redefinition-of-bits_per_page.patch new file mode 100644 index 00000000000..49d4aa47c75 --- /dev/null +++ b/next-4.4/drbd-avoid-redefinition-of-bits_per_page.patch @@ -0,0 +1,40 @@ +From 2630628b2dbc3fc320aafaf84836119e4e3d62f1 Mon Sep 17 00:00:00 2001 +From: Lars Ellenberg +Date: Fri, 20 Mar 2015 15:47:22 +0100 +Subject: drbd: avoid redefinition of BITS_PER_PAGE + +From: Lars Ellenberg + +commit 2630628b2dbc3fc320aafaf84836119e4e3d62f1 upstream. + +Apparently we now implicitly get definitions for BITS_PER_PAGE and +BITS_PER_PAGE_MASK from the pid_namespace.h + +Instead of renaming our defines, I chose to define only if not yet +defined, but to double check the value if already defined. + +Signed-off-by: Philipp Reisner +Signed-off-by: Lars Ellenberg +Signed-off-by: Jens Axboe +Cc: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +diff --git a/drivers/block/drbd/drbd_bitmap.c b/drivers/block/drbd/drbd_bitmap.c +index 9462d2752850..8bdc34dbaedf 100644 +--- a/drivers/block/drbd/drbd_bitmap.c ++++ b/drivers/block/drbd/drbd_bitmap.c +@@ -479,8 +479,14 @@ void drbd_bm_cleanup(struct drbd_device *device) + * this masks out the remaining bits. + * Returns the number of bits cleared. + */ ++#ifndef BITS_PER_PAGE + #define BITS_PER_PAGE (1UL << (PAGE_SHIFT + 3)) + #define BITS_PER_PAGE_MASK (BITS_PER_PAGE - 1) ++#else ++# if BITS_PER_PAGE != (1UL << (PAGE_SHIFT + 3)) ++# error "ambiguous BITS_PER_PAGE" ++# endif ++#endif + #define BITS_PER_LONG_MASK (BITS_PER_LONG - 1) + static int bm_clear_surplus(struct drbd_bitmap *b) + { diff --git a/next-4.4/drm-amdgpu-fix-array-out-of-bounds.patch b/next-4.4/drm-amdgpu-fix-array-out-of-bounds.patch deleted file mode 100644 index cbc83c5a9f6..00000000000 --- a/next-4.4/drm-amdgpu-fix-array-out-of-bounds.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 484f689fc9d4eb91c68f53e97dc355b1b06c3edb Mon Sep 17 00:00:00 2001 -From: tom will -Date: Mon, 16 May 2016 10:31:07 -0400 -Subject: drm/amdgpu: fix array out of bounds - -From: tom will - -commit 484f689fc9d4eb91c68f53e97dc355b1b06c3edb upstream. - -When the initial value of i is greater than zero, -it may cause endless loop, resulting in array out -of bounds, fix it. - -This is a port of the radeon fix to amdgpu. - -Signed-off-by: tom will -Signed-off-by: Alex Deucher -Cc: Julia Lawall -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/gpu/drm/amd/amdgpu/kv_dpm.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c -+++ b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c -@@ -2258,7 +2258,7 @@ static void kv_apply_state_adjust_rules( - if (pi->caps_stable_p_state) { - stable_p_state_sclk = (max_limits->sclk * 75) / 100; - -- for (i = table->count - 1; i >= 0; i++) { -+ for (i = table->count - 1; i >= 0; i--) { - if (stable_p_state_sclk >= table->entries[i].clk) { - stable_p_state_sclk = table->entries[i].clk; - break; diff --git a/next-4.4/ext4-check-if-in-inode-xattr-is-corrupted-in-ext4_expand_extra_isize_ea.patch b/next-4.4/ext4-check-if-in-inode-xattr-is-corrupted-in-ext4_expand_extra_isize_ea.patch deleted file mode 100644 index 37111a128c9..00000000000 --- a/next-4.4/ext4-check-if-in-inode-xattr-is-corrupted-in-ext4_expand_extra_isize_ea.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 9e92f48c34eb2b9af9d12f892e2fe1fce5e8ce35 Mon Sep 17 00:00:00 2001 -From: Theodore Ts'o -Date: Tue, 22 Mar 2016 16:13:15 -0400 -Subject: ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea() - -From: Theodore Ts'o - -commit 9e92f48c34eb2b9af9d12f892e2fe1fce5e8ce35 upstream. - -We aren't checking to see if the in-inode extended attribute is -corrupted before we try to expand the inode's extra isize fields. - -This can lead to potential crashes caused by the BUG_ON() check in -ext4_xattr_shift_entries(). - -Signed-off-by: Theodore Ts'o -Cc: Julia Lawall -Signed-off-by: Greg Kroah-Hartman - ---- - fs/ext4/xattr.c | 32 ++++++++++++++++++++++++++++---- - 1 file changed, 28 insertions(+), 4 deletions(-) - ---- a/fs/ext4/xattr.c -+++ b/fs/ext4/xattr.c -@@ -233,6 +233,27 @@ ext4_xattr_check_block(struct inode *ino - return error; - } - -+static int -+__xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header, -+ void *end, const char *function, unsigned int line) -+{ -+ struct ext4_xattr_entry *entry = IFIRST(header); -+ int error = -EFSCORRUPTED; -+ -+ if (((void *) header >= end) || -+ (header->h_magic != le32_to_cpu(EXT4_XATTR_MAGIC))) -+ goto errout; -+ error = ext4_xattr_check_names(entry, end, entry); -+errout: -+ if (error) -+ __ext4_error_inode(inode, function, line, 0, -+ "corrupted in-inode xattr"); -+ return error; -+} -+ -+#define xattr_check_inode(inode, header, end) \ -+ __xattr_check_inode((inode), (header), (end), __func__, __LINE__) -+ - static inline int - ext4_xattr_check_entry(struct ext4_xattr_entry *entry, size_t size) - { -@@ -344,7 +365,7 @@ ext4_xattr_ibody_get(struct inode *inode - header = IHDR(inode, raw_inode); - entry = IFIRST(header); - end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; -- error = ext4_xattr_check_names(entry, end, entry); -+ error = xattr_check_inode(inode, header, end); - if (error) - goto cleanup; - error = ext4_xattr_find_entry(&entry, name_index, name, -@@ -475,7 +496,7 @@ ext4_xattr_ibody_list(struct dentry *den - raw_inode = ext4_raw_inode(&iloc); - header = IHDR(inode, raw_inode); - end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; -- error = ext4_xattr_check_names(IFIRST(header), end, IFIRST(header)); -+ error = xattr_check_inode(inode, header, end); - if (error) - goto cleanup; - error = ext4_xattr_list_entries(dentry, IFIRST(header), -@@ -991,8 +1012,7 @@ int ext4_xattr_ibody_find(struct inode * - is->s.here = is->s.first; - is->s.end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; - if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) { -- error = ext4_xattr_check_names(IFIRST(header), is->s.end, -- IFIRST(header)); -+ error = xattr_check_inode(inode, header, is->s.end); - if (error) - return error; - /* Find the named attribute. */ -@@ -1293,6 +1313,10 @@ retry: - last = entry; - total_ino = sizeof(struct ext4_xattr_ibody_header); - -+ error = xattr_check_inode(inode, header, end); -+ if (error) -+ goto cleanup; -+ - free = ext4_xattr_free_space(last, &min_offs, base, &total_ino); - if (free >= isize_diff) { - entry = IFIRST(header); diff --git a/next-4.4/md-raid1-fix-a-dead-loop-when-read-from-a-writemostly-disk.patch b/next-4.4/md-raid1-fix-a-dead-loop-when-read-from-a-writemostly-disk.patch deleted file mode 100644 index 6ebf48b867e..00000000000 --- a/next-4.4/md-raid1-fix-a-dead-loop-when-read-from-a-writemostly-disk.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 816b0acf3deb6d6be5d0519b286fdd4bafade905 Mon Sep 17 00:00:00 2001 -From: Wei Fang -Date: Mon, 21 Mar 2016 19:18:32 +0800 -Subject: md:raid1: fix a dead loop when read from a WriteMostly disk - -From: Wei Fang - -commit 816b0acf3deb6d6be5d0519b286fdd4bafade905 upstream. - -If first_bad == this_sector when we get the WriteMostly disk -in read_balance(), valid disk will be returned with zero -max_sectors. It'll lead to a dead loop in make_request(), and -OOM will happen because of endless allocation of struct bio. - -Since we can't get data from this disk in this case, so -continue for another disk. - -Signed-off-by: Wei Fang -Signed-off-by: Shaohua Li -Cc: Julia Lawall -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/md/raid1.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/md/raid1.c -+++ b/drivers/md/raid1.c -@@ -570,7 +570,7 @@ static int read_balance(struct r1conf *c - if (best_dist_disk < 0) { - if (is_badblock(rdev, this_sector, sectors, - &first_bad, &bad_sectors)) { -- if (first_bad < this_sector) -+ if (first_bad <= this_sector) - /* Cannot use this */ - continue; - best_good_sectors = first_bad - this_sector; diff --git a/next-4.4/mips-fix-crash-registers-on-non-crashing-cpus.patch b/next-4.4/mips-fix-crash-registers-on-non-crashing-cpus.patch deleted file mode 100644 index 2db0aff21fe..00000000000 --- a/next-4.4/mips-fix-crash-registers-on-non-crashing-cpus.patch +++ /dev/null @@ -1,58 +0,0 @@ -From c80e1b62ffca52e2d1d865ee58bc79c4c0c55005 Mon Sep 17 00:00:00 2001 -From: Corey Minyard -Date: Mon, 11 Apr 2016 09:10:19 -0500 -Subject: MIPS: Fix crash registers on non-crashing CPUs - -From: Corey Minyard - -commit c80e1b62ffca52e2d1d865ee58bc79c4c0c55005 upstream. - -As part of handling a crash on an SMP system, an IPI is send to -all other CPUs to save their current registers and stop. It was -using task_pt_regs(current) to get the registers, but that will -only be accurate if the CPU was interrupted running in userland. -Instead allow the architecture to pass in the registers (all -pass NULL now, but allow for the future) and then use get_irq_regs() -which should be accurate as we are in an interrupt. Fall back to -task_pt_regs(current) if nothing else is available. - -Signed-off-by: Corey Minyard -Cc: David Daney -Cc: linux-mips@linux-mips.org -Patchwork: https://patchwork.linux-mips.org/patch/13050/ -Signed-off-by: Ralf Baechle -Cc: Julia Lawall -Signed-off-by: Greg Kroah-Hartman - ---- - arch/mips/kernel/crash.c | 16 +++++++++++++--- - 1 file changed, 13 insertions(+), 3 deletions(-) - ---- a/arch/mips/kernel/crash.c -+++ b/arch/mips/kernel/crash.c -@@ -14,12 +14,22 @@ static int crashing_cpu = -1; - static cpumask_t cpus_in_crash = CPU_MASK_NONE; - - #ifdef CONFIG_SMP --static void crash_shutdown_secondary(void *ignore) -+static void crash_shutdown_secondary(void *passed_regs) - { -- struct pt_regs *regs; -+ struct pt_regs *regs = passed_regs; - int cpu = smp_processor_id(); - -- regs = task_pt_regs(current); -+ /* -+ * If we are passed registers, use those. Otherwise get the -+ * regs from the last interrupt, which should be correct, as -+ * we are in an interrupt. But if the regs are not there, -+ * pull them from the top of the stack. They are probably -+ * wrong, but we need something to keep from crashing again. -+ */ -+ if (!regs) -+ regs = get_irq_regs(); -+ if (!regs) -+ regs = task_pt_regs(current); - - if (!cpu_online(cpu)) - return; diff --git a/next-4.4/mtd-avoid-stack-overflow-in-mtd-cfi-code.patch b/next-4.4/mtd-avoid-stack-overflow-in-mtd-cfi-code.patch new file mode 100644 index 00000000000..a1a6cfdec7b --- /dev/null +++ b/next-4.4/mtd-avoid-stack-overflow-in-mtd-cfi-code.patch @@ -0,0 +1,80 @@ +From fddcca5107051adf9e4481d2a79ae0616577fd2c Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 29 Feb 2016 13:20:28 +0100 +Subject: mtd: avoid stack overflow in MTD CFI code + +From: Arnd Bergmann + +commit fddcca5107051adf9e4481d2a79ae0616577fd2c upstream. + +When map_word gets too large, we use a lot of kernel stack, and for +MTD_MAP_BANK_WIDTH_32, this means we use more than the recommended +1024 bytes in a number of functions: + +drivers/mtd/chips/cfi_cmdset_0020.c: In function 'cfi_staa_write_buffers': +drivers/mtd/chips/cfi_cmdset_0020.c:651:1: warning: the frame size of 1336 bytes is larger than 1024 bytes [-Wframe-larger-than=] +drivers/mtd/chips/cfi_cmdset_0020.c: In function 'cfi_staa_erase_varsize': +drivers/mtd/chips/cfi_cmdset_0020.c:972:1: warning: the frame size of 1208 bytes is larger than 1024 bytes [-Wframe-larger-than=] +drivers/mtd/chips/cfi_cmdset_0001.c: In function 'do_write_buffer': +drivers/mtd/chips/cfi_cmdset_0001.c:1835:1: warning: the frame size of 1240 bytes is larger than 1024 bytes [-Wframe-larger-than=] + +This can be avoided if all operations on the map word are done +indirectly and the stack gets reused between the calls. We can +mostly achieve this by selecting MTD_COMPLEX_MAPPINGS whenever +MTD_MAP_BANK_WIDTH_32 is set, but for the case that no other +bank width is enabled, we also need to use a non-constant +map_bankwidth() to convince the compiler to use less stack. + +Signed-off-by: Arnd Bergmann +[Brian: this patch mostly achieves its goal by forcing + MTD_COMPLEX_MAPPINGS (and the accompanying indirection) for 256-bit + mappings; the rest of the change is mostly a wash, though it helps + reduce stack size slightly. If we really care about supporting + 256-bit mappings though, we should consider rewriting some of this + code to avoid keeping and assigning so many 256-bit objects on the + stack.] +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +diff --git a/drivers/mtd/chips/Kconfig b/drivers/mtd/chips/Kconfig +index 3b3dabce58de..bbfa1f129266 100644 +--- a/drivers/mtd/chips/Kconfig ++++ b/drivers/mtd/chips/Kconfig +@@ -115,6 +115,7 @@ config MTD_MAP_BANK_WIDTH_16 + + config MTD_MAP_BANK_WIDTH_32 + bool "Support 256-bit buswidth" if MTD_CFI_GEOMETRY ++ select MTD_COMPLEX_MAPPINGS if HAS_IOMEM + default n + help + If you wish to support CFI devices on a physical bus which is +diff --git a/include/linux/mtd/map.h b/include/linux/mtd/map.h +index 5e0eb7ccabd4..3aa56e3104bb 100644 +--- a/include/linux/mtd/map.h ++++ b/include/linux/mtd/map.h +@@ -122,18 +122,13 @@ + #endif + + #ifdef CONFIG_MTD_MAP_BANK_WIDTH_32 +-# ifdef map_bankwidth +-# undef map_bankwidth +-# define map_bankwidth(map) ((map)->bankwidth) +-# undef map_bankwidth_is_large +-# define map_bankwidth_is_large(map) (map_bankwidth(map) > BITS_PER_LONG/8) +-# undef map_words +-# define map_words(map) map_calc_words(map) +-# else +-# define map_bankwidth(map) 32 +-# define map_bankwidth_is_large(map) (1) +-# define map_words(map) map_calc_words(map) +-# endif ++/* always use indirect access for 256-bit to preserve kernel stack */ ++# undef map_bankwidth ++# define map_bankwidth(map) ((map)->bankwidth) ++# undef map_bankwidth_is_large ++# define map_bankwidth_is_large(map) (map_bankwidth(map) > BITS_PER_LONG/8) ++# undef map_words ++# define map_words(map) map_calc_words(map) + #define map_bankwidth_is_32(map) (map_bankwidth(map) == 32) + #undef MAX_MAP_BANKWIDTH + #define MAX_MAP_BANKWIDTH 32 diff --git a/next-4.4/net-cavium-liquidio-avoid-dma_unmap_single-on-uninitialized-ndata.patch b/next-4.4/net-cavium-liquidio-avoid-dma_unmap_single-on-uninitialized-ndata.patch deleted file mode 100644 index e11c22705a2..00000000000 --- a/next-4.4/net-cavium-liquidio-avoid-dma_unmap_single-on-uninitialized-ndata.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 8e6ce7ebeb34f0992f56de078c3744fb383657fa Mon Sep 17 00:00:00 2001 -From: Florian Fainelli -Date: Fri, 15 Jul 2016 16:42:16 -0700 -Subject: net: cavium: liquidio: Avoid dma_unmap_single on uninitialized ndata - -From: Florian Fainelli - -commit 8e6ce7ebeb34f0992f56de078c3744fb383657fa upstream. - -The label lio_xmit_failed is used 3 times through liquidio_xmit() but it -always makes a call to dma_unmap_single() using potentially -uninitialized variables from "ndata" variable. Out of the 3 gotos, 2 run -after ndata has been initialized, and had a prior dma_map_single() call. - -Fix this by adding a new error label: lio_xmit_dma_failed which does -this dma_unmap_single() and then processed with the lio_xmit_failed -fallthrough. - -Fixes: f21fb3ed364bb ("Add support of Cavium Liquidio ethernet adapters") -Reported-by: coverity (CID 1309740) -Signed-off-by: Florian Fainelli -Signed-off-by: David S. Miller -Cc: Julia Lawall -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/net/ethernet/cavium/liquidio/lio_main.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - ---- a/drivers/net/ethernet/cavium/liquidio/lio_main.c -+++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c -@@ -2823,7 +2823,7 @@ static int liquidio_xmit(struct sk_buff - if (!g) { - netif_info(lio, tx_err, lio->netdev, - "Transmit scatter gather: glist null!\n"); -- goto lio_xmit_failed; -+ goto lio_xmit_dma_failed; - } - - cmdsetup.s.gather = 1; -@@ -2894,7 +2894,7 @@ static int liquidio_xmit(struct sk_buff - else - status = octnet_send_nic_data_pkt(oct, &ndata, xmit_more); - if (status == IQ_SEND_FAILED) -- goto lio_xmit_failed; -+ goto lio_xmit_dma_failed; - - netif_info(lio, tx_queued, lio->netdev, "Transmit queued successfully\n"); - -@@ -2908,12 +2908,13 @@ static int liquidio_xmit(struct sk_buff - - return NETDEV_TX_OK; - -+lio_xmit_dma_failed: -+ dma_unmap_single(&oct->pci_dev->dev, ndata.cmd.dptr, -+ ndata.datasize, DMA_TO_DEVICE); - lio_xmit_failed: - stats->tx_dropped++; - netif_info(lio, tx_err, lio->netdev, "IQ%d Transmit dropped:%llu\n", - iq_no, stats->tx_dropped); -- dma_unmap_single(&oct->pci_dev->dev, ndata.cmd.dptr, -- ndata.datasize, DMA_TO_DEVICE); - recv_buffer_free(skb); - return NETDEV_TX_OK; - } diff --git a/next-4.4/net-tg3-avoid-uninitialized-variable-warning.patch b/next-4.4/net-tg3-avoid-uninitialized-variable-warning.patch new file mode 100644 index 00000000000..a0ac336934a --- /dev/null +++ b/next-4.4/net-tg3-avoid-uninitialized-variable-warning.patch @@ -0,0 +1,36 @@ +From e434e04110704eb91acfecbd0fb8ca8e2da9c29b Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 29 Jan 2016 12:39:15 +0100 +Subject: net: tg3: avoid uninitialized variable warning + +From: Arnd Bergmann + +commit e434e04110704eb91acfecbd0fb8ca8e2da9c29b upstream. + +The tg3_set_eeprom() function correctly initializes the 'start' variable, +but gcc generates a false warning: + +drivers/net/ethernet/broadcom/tg3.c: In function 'tg3_set_eeprom': +drivers/net/ethernet/broadcom/tg3.c:12057:4: warning: 'start' may be used uninitialized in this function [-Wmaybe-uninitialized] + +I have not come up with a way to restructure the code in a way that +avoids the warning without making it less readable, so this adds an +initialization for the declaration to shut up that warning. + +Signed-off-by: Arnd Bergmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index 9293675df7ba..49eea8981332 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -12016,7 +12016,7 @@ static int tg3_set_eeprom(struct net_device *dev, struct ethtool_eeprom *eeprom, + int ret; + u32 offset, len, b_offset, odd_len; + u8 *buf; +- __be32 start, end; ++ __be32 start = 0, end; + + if (tg3_flag(tp, NO_NVRAM) || + eeprom->magic != TG3_EEPROM_MAGIC) diff --git a/next-4.4/net_sched-close-another-race-condition-in-tcf_mirred_release.patch b/next-4.4/net_sched-close-another-race-condition-in-tcf_mirred_release.patch deleted file mode 100644 index fd06fff67e4..00000000000 --- a/next-4.4/net_sched-close-another-race-condition-in-tcf_mirred_release.patch +++ /dev/null @@ -1,80 +0,0 @@ -From dc327f8931cb9d66191f489eb9a852fc04530546 Mon Sep 17 00:00:00 2001 -From: WANG Cong -Date: Mon, 16 May 2016 15:11:18 -0700 -Subject: net_sched: close another race condition in tcf_mirred_release() - -From: WANG Cong - -commit dc327f8931cb9d66191f489eb9a852fc04530546 upstream. - -We saw the following extra refcount release on veth device: - - kernel: [7957821.463992] unregister_netdevice: waiting for mesos50284 to become free. Usage count = -1 - -Since we heavily use mirred action to redirect packets to veth, I think -this is caused by the following race condition: - -CPU0: -tcf_mirred_release(): (in RCU callback) - struct net_device *dev = rcu_dereference_protected(m->tcfm_dev, 1); - -CPU1: -mirred_device_event(): - spin_lock_bh(&mirred_list_lock); - list_for_each_entry(m, &mirred_list, tcfm_list) { - if (rcu_access_pointer(m->tcfm_dev) == dev) { - dev_put(dev); - /* Note : no rcu grace period necessary, as - * net_device are already rcu protected. - */ - RCU_INIT_POINTER(m->tcfm_dev, NULL); - } - } - spin_unlock_bh(&mirred_list_lock); - -CPU0: -tcf_mirred_release(): - spin_lock_bh(&mirred_list_lock); - list_del(&m->tcfm_list); - spin_unlock_bh(&mirred_list_lock); - if (dev) // <======== Stil refers to the old m->tcfm_dev - dev_put(dev); // <======== dev_put() is called on it again - -The action init code path is good because it is impossible to modify -an action that is being removed. - -So, fix this by moving everything under the spinlock. - -Fixes: 2ee22a90c7af ("net_sched: act_mirred: remove spinlock in fast path") -Fixes: 6bd00b850635 ("act_mirred: fix a race condition on mirred_list") -Cc: Jamal Hadi Salim -Signed-off-by: Cong Wang -Acked-by: Jamal Hadi Salim -Signed-off-by: David S. Miller -Cc: Julia Lawall -Signed-off-by: Greg Kroah-Hartman - ---- - net/sched/act_mirred.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - ---- a/net/sched/act_mirred.c -+++ b/net/sched/act_mirred.c -@@ -36,14 +36,15 @@ static DEFINE_SPINLOCK(mirred_list_lock) - static void tcf_mirred_release(struct tc_action *a, int bind) - { - struct tcf_mirred *m = to_mirred(a); -- struct net_device *dev = rcu_dereference_protected(m->tcfm_dev, 1); -+ struct net_device *dev; - - /* We could be called either in a RCU callback or with RTNL lock held. */ - spin_lock_bh(&mirred_list_lock); - list_del(&m->tcfm_list); -- spin_unlock_bh(&mirred_list_lock); -+ dev = rcu_dereference_protected(m->tcfm_dev, 1); - if (dev) - dev_put(dev); -+ spin_unlock_bh(&mirred_list_lock); - } - - static const struct nla_policy mirred_policy[TCA_MIRRED_MAX + 1] = { diff --git a/next-4.4/rds-fix-the-atomicity-for-congestion-map-update.patch b/next-4.4/rds-fix-the-atomicity-for-congestion-map-update.patch deleted file mode 100644 index 87dbbacb159..00000000000 --- a/next-4.4/rds-fix-the-atomicity-for-congestion-map-update.patch +++ /dev/null @@ -1,50 +0,0 @@ -From e47db94e10447fc467777a40302f2b393e9af2fa Mon Sep 17 00:00:00 2001 -From: "santosh.shilimkar@oracle.com" -Date: Thu, 14 Apr 2016 10:43:27 -0700 -Subject: RDS: Fix the atomicity for congestion map update - -From: santosh.shilimkar@oracle.com - -commit e47db94e10447fc467777a40302f2b393e9af2fa upstream. - -Two different threads with different rds sockets may be in -rds_recv_rcvbuf_delta() via receive path. If their ports -both map to the same word in the congestion map, then -using non-atomic ops to update it could cause the map to -be incorrect. Lets use atomics to avoid such an issue. - -Full credit to Wengang for -finding the issue, analysing it and also pointing out -to offending code with spin lock based fix. - -Reviewed-by: Leon Romanovsky -Signed-off-by: Wengang Wang -Signed-off-by: Santosh Shilimkar -Signed-off-by: David S. Miller -Cc: Julia Lawall -Signed-off-by: Greg Kroah-Hartman - ---- - net/rds/cong.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/net/rds/cong.c -+++ b/net/rds/cong.c -@@ -299,7 +299,7 @@ void rds_cong_set_bit(struct rds_cong_ma - i = be16_to_cpu(port) / RDS_CONG_MAP_PAGE_BITS; - off = be16_to_cpu(port) % RDS_CONG_MAP_PAGE_BITS; - -- __set_bit_le(off, (void *)map->m_page_addrs[i]); -+ set_bit_le(off, (void *)map->m_page_addrs[i]); - } - - void rds_cong_clear_bit(struct rds_cong_map *map, __be16 port) -@@ -313,7 +313,7 @@ void rds_cong_clear_bit(struct rds_cong_ - i = be16_to_cpu(port) / RDS_CONG_MAP_PAGE_BITS; - off = be16_to_cpu(port) % RDS_CONG_MAP_PAGE_BITS; - -- __clear_bit_le(off, (void *)map->m_page_addrs[i]); -+ clear_bit_le(off, (void *)map->m_page_addrs[i]); - } - - static int rds_cong_test_bit(struct rds_cong_map *map, __be16 port) diff --git a/next-4.4/regulator-core-clear-the-supply-pointer-if-enabling-fails.patch b/next-4.4/regulator-core-clear-the-supply-pointer-if-enabling-fails.patch deleted file mode 100644 index f990bdc5e97..00000000000 --- a/next-4.4/regulator-core-clear-the-supply-pointer-if-enabling-fails.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 8e5356a73604f53da6a1e0756727cb8f9f7bba17 Mon Sep 17 00:00:00 2001 -From: Jon Hunter -Date: Thu, 21 Apr 2016 17:11:58 +0100 -Subject: regulator: core: Clear the supply pointer if enabling fails - -From: Jon Hunter - -commit 8e5356a73604f53da6a1e0756727cb8f9f7bba17 upstream. - -During the resolution of a regulator's supply, we may attempt to enable -the supply if the regulator itself is already enabled. If enabling the -supply fails, then we will call _regulator_put() for the supply. -However, the pointer to the supply has not been cleared for the -regulator and this will cause a crash if we then unregister the -regulator and attempt to call regulator_put() a second time for the -supply. Fix this by clearing the supply pointer if enabling the supply -after fails when resolving the supply for a regulator. - -Signed-off-by: Jon Hunter -Signed-off-by: Mark Brown -Cc: Julia Lawall -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/regulator/core.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/regulator/core.c -+++ b/drivers/regulator/core.c -@@ -1519,6 +1519,7 @@ static int regulator_resolve_supply(stru - ret = regulator_enable(rdev->supply); - if (ret < 0) { - _regulator_put(rdev->supply); -+ rdev->supply = NULL; - return ret; - } - } diff --git a/next-4.4/usb-gadget-f_midi-fixed-a-bug-when-buflen-was-smaller-than-wmaxpacketsize.patch b/next-4.4/usb-gadget-f_midi-fixed-a-bug-when-buflen-was-smaller-than-wmaxpacketsize.patch deleted file mode 100644 index fc87a34bd50..00000000000 --- a/next-4.4/usb-gadget-f_midi-fixed-a-bug-when-buflen-was-smaller-than-wmaxpacketsize.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 03d27ade4941076b34c823d63d91dc895731a595 Mon Sep 17 00:00:00 2001 -From: "Felipe F. Tonello" -Date: Wed, 9 Mar 2016 19:39:30 +0000 -Subject: usb: gadget: f_midi: Fixed a bug when buflen was smaller than wMaxPacketSize - -From: Felipe F. Tonello - -commit 03d27ade4941076b34c823d63d91dc895731a595 upstream. - -buflen by default (256) is smaller than wMaxPacketSize (512) in high-speed -devices. - -That caused the OUT endpoint to freeze if the host send any data packet of -length greater than 256 bytes. - -This is an example dump of what happended on that enpoint: -HOST: [DATA][Length=260][...] -DEVICE: [NAK] -HOST: [PING] -DEVICE: [NAK] -HOST: [PING] -DEVICE: [NAK] -... -HOST: [PING] -DEVICE: [NAK] - -This patch fixes this problem by setting the minimum usb_request's buffer size -for the OUT endpoint as its wMaxPacketSize. - -Acked-by: Michal Nazarewicz -Signed-off-by: Felipe F. Tonello -Signed-off-by: Felipe Balbi -Cc: Julia Lawall -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/usb/gadget/function/f_midi.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/drivers/usb/gadget/function/f_midi.c -+++ b/drivers/usb/gadget/function/f_midi.c -@@ -361,7 +361,9 @@ static int f_midi_set_alt(struct usb_fun - /* allocate a bunch of read buffers and queue them all at once. */ - for (i = 0; i < midi->qlen && err == 0; i++) { - struct usb_request *req = -- midi_alloc_ep_req(midi->out_ep, midi->buflen); -+ midi_alloc_ep_req(midi->out_ep, -+ max_t(unsigned, midi->buflen, -+ bulk_out_desc.wMaxPacketSize)); - if (req == NULL) - return -ENOMEM; - diff --git a/next-4.4/xen-x86-don-t-lose-event-interrupts.patch b/next-4.4/xen-x86-don-t-lose-event-interrupts.patch deleted file mode 100644 index 5c77e0a006a..00000000000 --- a/next-4.4/xen-x86-don-t-lose-event-interrupts.patch +++ /dev/null @@ -1,47 +0,0 @@ -From c06b6d70feb32d28f04ba37aa3df17973fd37b6b Mon Sep 17 00:00:00 2001 -From: Stefano Stabellini -Date: Fri, 15 Apr 2016 18:23:00 -0700 -Subject: xen/x86: don't lose event interrupts - -From: Stefano Stabellini - -commit c06b6d70feb32d28f04ba37aa3df17973fd37b6b upstream. - -On slow platforms with unreliable TSC, such as QEMU emulated machines, -it is possible for the kernel to request the next event in the past. In -that case, in the current implementation of xen_vcpuop_clockevent, we -simply return -ETIME. To be precise the Xen returns -ETIME and we pass -it on. However the result of this is a missed event, which simply causes -the kernel to hang. - -Instead it is better to always ask the hypervisor for a timer event, -even if the timeout is in the past. That way there are no lost -interrupts and the kernel survives. To do that, remove the -VCPU_SSHOTTMR_future flag. - -Signed-off-by: Stefano Stabellini -Acked-by: Juergen Gross -Cc: Julia Lawall -Signed-off-by: Greg Kroah-Hartman - ---- - arch/x86/xen/time.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/arch/x86/xen/time.c -+++ b/arch/x86/xen/time.c -@@ -343,11 +343,11 @@ static int xen_vcpuop_set_next_event(uns - WARN_ON(!clockevent_state_oneshot(evt)); - - single.timeout_abs_ns = get_abs_timeout(delta); -- single.flags = VCPU_SSHOTTMR_future; -+ /* Get an event anyway, even if the timeout is already expired */ -+ single.flags = 0; - - ret = HYPERVISOR_vcpu_op(VCPUOP_set_singleshot_timer, cpu, &single); -- -- BUG_ON(ret != 0 && ret != -ETIME); -+ BUG_ON(ret != 0); - - return ret; - }