From: Greg Kroah-Hartman Date: Thu, 22 Sep 2016 13:41:19 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.4.22~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6bd99ffc9b00728c62b8238a0cd49555636fa57e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: arc-mm-fix-build-breakage-with-strict_mm_typechecks.patch arm-am43xx-hwmod-fix-rstst-register-offset-for-pruss.patch arm-dts-imx6qdl-fix-spdif-regression.patch arm-dts-overo-fix-gpmc-nand-cs0-range.patch arm-dts-overo-fix-gpmc-nand-on-boards-with-ethernet.patch arm-dts-stih407-family-provide-interconnect-clock-for-consumption-in-st-sdhci.patch arm-dts-stih410-handle-interconnect-clock-required-by-ehci-ohci-usb.patch arm-imx6-add-missing-bm_clpcr_byp_mmdc_ch0_lpm_hs-setting-for-imx6ul.patch arm-imx6-add-missing-bm_clpcr_bypass_pmic_ready-setting-for-imx6sx.patch arm-kirkwood-ib62x0-fix-size-of-u-boot-environment-partition.patch arm-omap3-hwmod-data-add-sysc-information-for-dsi.patch arm64-spinlocks-implement-smp_mb__before_spinlock-as-smp_mb.patch ath9k-fix-using-sta-drv_priv-before-initializing-it.patch audit-fix-exe_file-access-in-audit_exe_compare.patch btrfs-remove-root_log_ctx-from-ctx-list-before-btrfs_sync_log-returns.patch bus-arm-ccn-do-not-attempt-to-configure-xps-for-cycle-counter.patch bus-arm-ccn-fix-pmu-handling-of-mn.patch bus-arm-ccn-fix-xp-watchpoint-settings-bitmask.patch cpuset-make-sure-new-tasks-conform-to-the-current-config-of-the-cpuset.patch crypto-cryptd-initialize-child-shash_desc-on-import.patch cxl-use-pcibios_free_controller_deferred-when-removing-vphbs.patch dm-crypt-fix-error-with-too-large-bios.patch dm-flakey-fix-reads-to-be-issued-if-drop_writes-configured.patch dm-log-writes-fix-check-of-kthread_run-return-value.patch dm-log-writes-move-io-accounting-earlier-to-fix-error-path.patch fuse-direct-io-don-t-dirty-iter_bvec-pages.patch ib-uverbs-fix-race-between-uverbs_close-and-remove_one.patch iio-accel-bmc150-reset-chip-at-init-time.patch iio-accel-kxsd9-fix-raw-read-return.patch iio-accel-kxsd9-fix-scaling-bug.patch iio-ad799x-fix-buffered-capture-for-ad7991-ad7995-ad7999.patch iio-adc-at91-unbreak-channel-adc-channel-3.patch iio-adc-rockchip_saradc-reset-saradc-controller-before-programming-it.patch iio-adc-ti_am335x_adc-increase-timeout-value-waiting-for-adc-sample.patch iio-adc-ti_am335x_adc-protect-fifo1-from-concurrent-access.patch iio-core-fix-iio_val_fractional-sign-handling.patch iio-ensure-ret-is-initialized-to-zero-before-entering-do-loop.patch iio-fix-pressure-data-output-unit-in-hid-sensor-attributes.patch iio-proximity-as3935-set-up-buffer-timestamps-for-non-zero-values.patch ipv6-addrconf-fix-dev-refcont-leak-when-dad-failed.patch kernfs-don-t-depend-on-d_find_any_alias-when-generating-notifications.patch kexec-fix-double-free-when-failing-to-relocate-the-purgatory.patch kvm-arm-unmap-shadow-pagetables-properly.patch md-cluster-make-md-cluster-also-can-work-when-compiled-into-kernel.patch mm-introduce-get_task_exe_file.patch net-thunderx-fix-oops-with-ethtool-register-dump.patch nfsd-close-race-between-nfsd4_release_lockowner-and-nfsd4_lock.patch nfsv4.1-fix-oopsable-condition-in-server-callback-races.patch nfsv4.1-fix-the-create_session-slot-number-accounting.patch nfsv4.x-fix-a-refcount-leak-in-nfs_callback_up_net.patch pinctrl-pistachio-fix-mfio-pll_lock-pinmux.patch pinctrl-sunxi-fix-uart1-cts-rts-pins-at-pg-on-a23-a33.patch pnfs-ensure-layoutget-and-layoutreturn-are-properly-serialised.patch pnfs-the-client-must-not-do-i-o-to-the-ds-if-it-s-lease-has-expired.patch powerpc-mm-don-t-alias-user-region-to-other-regions-below-page_offset.patch powerpc-powernv-drop-reference-added-by-kset_find_obj.patch powerpc-tm-do-not-use-r13-for-tabort_syscall.patch revert-wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch sched-core-fix-a-race-between-try_to_wake_up-and-a-woken-up-task.patch serial-8250-added-acces-i-o-products-quad-and-octal-serial-cards.patch serial-8250_mid-fix-divide-error-bug-if-baud-rate-is-0.patch usb-change-binterval-default-to-10-ms.patch usb-chipidea-udc-fix-null-ptr-dereference-in-isr_setup_status_phase.patch usb-renesas_usbhs-fix-clearing-the-brdy-bemp-sts-condition.patch usb-serial-simple-add-support-for-another-infineon-flashloader.patch x86-amd-apply-erratum-665-on-machines-without-a-bios-fix.patch x86-paravirt-do-not-trace-_paravirt_ident_-functions.patch xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch --- diff --git a/queue-4.4/arc-mm-fix-build-breakage-with-strict_mm_typechecks.patch b/queue-4.4/arc-mm-fix-build-breakage-with-strict_mm_typechecks.patch new file mode 100644 index 00000000000..f26cbdef53c --- /dev/null +++ b/queue-4.4/arc-mm-fix-build-breakage-with-strict_mm_typechecks.patch @@ -0,0 +1,61 @@ +From 1c3c909303924d30145601f47b6c058fdd2cbc2e Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Tue, 16 Aug 2016 18:27:07 -0700 +Subject: ARC: mm: fix build breakage with STRICT_MM_TYPECHECKS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Vineet Gupta + +commit 1c3c909303924d30145601f47b6c058fdd2cbc2e upstream. + +| CC mm/memory.o +| In file included from ../mm/memory.c:53:0: +| ../include/linux/pfn_t.h: In function ‘pfn_t_pte’: +| ../include/linux/pfn_t.h:78:2: error: conversion to non-scalar type requested +| return pfn_pte(pfn_t_to_pfn(pfn), pgprot); + +With STRICT_MM_TYPECHECKS pte_t is a struct and the offending code +forces a cast which ends up shifting a struct and hence the gcc warning. + +Note that in recent past some of the arches (aarch64, s390) made +STRICT_MM_TYPECHECKS default, but we don't for ARC as this leads to slightly +worse generated code, given ARC ABI definition of returning structs +(which pte_t would become) + +Quoting from ARC ABI... + + "Results of type struct are returned in a caller-supplied temporary + variable whose address is passed in r0. + For such functions, the arguments are shifted so that they are + passed in r1 and up." + +So + - struct to be returned would be allocated on stack requiring extra + code at call sites + - callee updates stack memory to facilitate the return (vs. simple + MOV into return reg r0) + +Hence STRICT_MM_TYPECHECKS is not enabled by default for ARC + +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + + +--- + arch/arc/include/asm/pgtable.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/arc/include/asm/pgtable.h ++++ b/arch/arc/include/asm/pgtable.h +@@ -277,8 +277,7 @@ static inline void pmd_set(pmd_t *pmdp, + + #define mk_pte(page, prot) pfn_pte(page_to_pfn(page), prot) + #define pte_pfn(pte) (pte_val(pte) >> PAGE_SHIFT) +-#define pfn_pte(pfn, prot) (__pte(((pte_t)(pfn) << PAGE_SHIFT) | \ +- pgprot_val(prot))) ++#define pfn_pte(pfn, prot) (__pte(((pfn) << PAGE_SHIFT) | pgprot_val(prot))) + #define __pte_index(addr) (((addr) >> PAGE_SHIFT) & (PTRS_PER_PTE - 1)) + + /* diff --git a/queue-4.4/arm-am43xx-hwmod-fix-rstst-register-offset-for-pruss.patch b/queue-4.4/arm-am43xx-hwmod-fix-rstst-register-offset-for-pruss.patch new file mode 100644 index 00000000000..92f402823df --- /dev/null +++ b/queue-4.4/arm-am43xx-hwmod-fix-rstst-register-offset-for-pruss.patch @@ -0,0 +1,44 @@ +From b00ccf5b684992829610d162e78a7836933a1b19 Mon Sep 17 00:00:00 2001 +From: Keerthy +Date: Mon, 20 Jun 2016 09:22:25 +0530 +Subject: ARM: AM43XX: hwmod: Fix RSTST register offset for pruss + +From: Keerthy + +commit b00ccf5b684992829610d162e78a7836933a1b19 upstream. + +pruss hwmod RSTST register wrongly points to PWRSTCTRL register in case of +am43xx. Fix the RSTST register offset value. + +This can lead to setting of wrong power state values for PER domain. + +Fixes: 1c7e224d ("ARM: OMAP2+: hwmod: AM335x: runtime register update") +Signed-off-by: Keerthy +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c | 1 + + arch/arm/mach-omap2/prcm43xx.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c ++++ b/arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c +@@ -1474,6 +1474,7 @@ static void omap_hwmod_am43xx_rst(void) + { + RSTCTRL(am33xx_pruss_hwmod, AM43XX_RM_PER_RSTCTRL_OFFSET); + RSTCTRL(am33xx_gfx_hwmod, AM43XX_RM_GFX_RSTCTRL_OFFSET); ++ RSTST(am33xx_pruss_hwmod, AM43XX_RM_PER_RSTST_OFFSET); + RSTST(am33xx_gfx_hwmod, AM43XX_RM_GFX_RSTST_OFFSET); + } + +--- a/arch/arm/mach-omap2/prcm43xx.h ++++ b/arch/arm/mach-omap2/prcm43xx.h +@@ -39,6 +39,7 @@ + + /* RM RSTST offsets */ + #define AM43XX_RM_GFX_RSTST_OFFSET 0x0014 ++#define AM43XX_RM_PER_RSTST_OFFSET 0x0014 + #define AM43XX_RM_WKUP_RSTST_OFFSET 0x0014 + + /* CM instances */ diff --git a/queue-4.4/arm-dts-imx6qdl-fix-spdif-regression.patch b/queue-4.4/arm-dts-imx6qdl-fix-spdif-regression.patch new file mode 100644 index 00000000000..ec3c657be25 --- /dev/null +++ b/queue-4.4/arm-dts-imx6qdl-fix-spdif-regression.patch @@ -0,0 +1,46 @@ +From f065e9e4addd75c21bb976bb2558648bf4f61de6 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Wed, 31 Aug 2016 10:56:48 -0300 +Subject: ARM: dts: imx6qdl: Fix SPDIF regression + +From: Fabio Estevam + +commit f065e9e4addd75c21bb976bb2558648bf4f61de6 upstream. + +Commit 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif") +changed many more clocks than only the SPDIF core clock as stated in +the commit message. + +The MLB clock has been added and this causes SPDIF regression as +reported by Xavi Drudis Ferran and also in this forum post: +https://forum.digikey.com/thread/34240 + +The MX6Q Reference Manual does not mention that MLB is a clock related +to SPDIF, so change it back to a dummy clock to restore SPDIF +functionality. + +Thanks to Ambika for providing the fix at: +https://community.nxp.com/thread/387131 + +Fixes: 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif") +Reported-by: Xavi Drudis Ferran +Signed-off-by: Fabio Estevam +Tested-by: Xavi Drudis Ferran +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/imx6qdl.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/imx6qdl.dtsi ++++ b/arch/arm/boot/dts/imx6qdl.dtsi +@@ -221,7 +221,7 @@ + clocks = <&clks IMX6QDL_CLK_SPDIF_GCLK>, <&clks IMX6QDL_CLK_OSC>, + <&clks IMX6QDL_CLK_SPDIF>, <&clks IMX6QDL_CLK_ASRC>, + <&clks IMX6QDL_CLK_DUMMY>, <&clks IMX6QDL_CLK_ESAI_EXTAL>, +- <&clks IMX6QDL_CLK_IPG>, <&clks IMX6QDL_CLK_MLB>, ++ <&clks IMX6QDL_CLK_IPG>, <&clks IMX6QDL_CLK_DUMMY>, + <&clks IMX6QDL_CLK_DUMMY>, <&clks IMX6QDL_CLK_SPBA>; + clock-names = "core", "rxtx0", + "rxtx1", "rxtx2", diff --git a/queue-4.4/arm-dts-overo-fix-gpmc-nand-cs0-range.patch b/queue-4.4/arm-dts-overo-fix-gpmc-nand-cs0-range.patch new file mode 100644 index 00000000000..8b70fbb373b --- /dev/null +++ b/queue-4.4/arm-dts-overo-fix-gpmc-nand-cs0-range.patch @@ -0,0 +1,39 @@ +From 5e0568dfbfb8c13cdb69c9fd06d600593ad4b430 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 15 Aug 2016 09:10:45 -0700 +Subject: ARM: dts: overo: fix gpmc nand cs0 range + +From: Johan Hovold + +commit 5e0568dfbfb8c13cdb69c9fd06d600593ad4b430 upstream. + +The gpmc ranges property for NAND at CS0 has been broken since it was +first added. + +This currently prevents the nand gpmc child node from being probed: + + omap-gpmc 6e000000.gpmc: /ocp/gpmc@6e000000/nand@0,0 has + malformed 'reg' property + +and consequently the NAND device from being registered. + +Fixes: 98ce6007efb4 ("ARM: dts: overo: Support PoP NAND") +Signed-off-by: Johan Hovold +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/omap3-overo-base.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/omap3-overo-base.dtsi ++++ b/arch/arm/boot/dts/omap3-overo-base.dtsi +@@ -223,7 +223,7 @@ + }; + + &gpmc { +- ranges = <0 0 0x00000000 0x20000000>; ++ ranges = <0 0 0x30000000 0x1000000>; /* CS0 */ + + nand@0,0 { + linux,mtd-name= "micron,mt29c4g96maz"; diff --git a/queue-4.4/arm-dts-overo-fix-gpmc-nand-on-boards-with-ethernet.patch b/queue-4.4/arm-dts-overo-fix-gpmc-nand-on-boards-with-ethernet.patch new file mode 100644 index 00000000000..9689940e75d --- /dev/null +++ b/queue-4.4/arm-dts-overo-fix-gpmc-nand-on-boards-with-ethernet.patch @@ -0,0 +1,78 @@ +From 153b58ea932b2d0642fa5cd41c93bb0555f3f09b Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 15 Aug 2016 09:10:49 -0700 +Subject: ARM: dts: overo: fix gpmc nand on boards with ethernet + +From: Johan Hovold + +commit 153b58ea932b2d0642fa5cd41c93bb0555f3f09b upstream. + +The gpmc ranges property for NAND at CS0 was being overridden by later +includes that defined gpmc ethernet nodes, effectively breaking NAND on +these systems: + + omap-gpmc 6e000000.gpmc: /ocp/gpmc@6e000000/nand@0,0 has + malformed 'reg' property + +Instead of redefining the NAND range in every such dtsi, define all +currently used ranges in omap3-overo-base.dtsi. + +Fixes: 98ce6007efb4 ("ARM: dts: overo: Support PoP NAND") +Signed-off-by: Johan Hovold +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/omap3-overo-base.dtsi | 4 +++- + arch/arm/boot/dts/omap3-overo-chestnut43-common.dtsi | 2 -- + arch/arm/boot/dts/omap3-overo-tobi-common.dtsi | 2 -- + arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi | 3 --- + 4 files changed, 3 insertions(+), 8 deletions(-) + +--- a/arch/arm/boot/dts/omap3-overo-base.dtsi ++++ b/arch/arm/boot/dts/omap3-overo-base.dtsi +@@ -223,7 +223,9 @@ + }; + + &gpmc { +- ranges = <0 0 0x30000000 0x1000000>; /* CS0 */ ++ ranges = <0 0 0x30000000 0x1000000>, /* CS0 */ ++ <4 0 0x2b000000 0x1000000>, /* CS4 */ ++ <5 0 0x2c000000 0x1000000>; /* CS5 */ + + nand@0,0 { + linux,mtd-name= "micron,mt29c4g96maz"; +--- a/arch/arm/boot/dts/omap3-overo-chestnut43-common.dtsi ++++ b/arch/arm/boot/dts/omap3-overo-chestnut43-common.dtsi +@@ -55,8 +55,6 @@ + #include "omap-gpmc-smsc9221.dtsi" + + &gpmc { +- ranges = <5 0 0x2c000000 0x1000000>; /* CS5 */ +- + ethernet@gpmc { + reg = <5 0 0xff>; + interrupt-parent = <&gpio6>; +--- a/arch/arm/boot/dts/omap3-overo-tobi-common.dtsi ++++ b/arch/arm/boot/dts/omap3-overo-tobi-common.dtsi +@@ -27,8 +27,6 @@ + #include "omap-gpmc-smsc9221.dtsi" + + &gpmc { +- ranges = <5 0 0x2c000000 0x1000000>; /* CS5 */ +- + ethernet@gpmc { + reg = <5 0 0xff>; + interrupt-parent = <&gpio6>; +--- a/arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi ++++ b/arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi +@@ -15,9 +15,6 @@ + #include "omap-gpmc-smsc9221.dtsi" + + &gpmc { +- ranges = <4 0 0x2b000000 0x1000000>, /* CS4 */ +- <5 0 0x2c000000 0x1000000>; /* CS5 */ +- + smsc1: ethernet@gpmc { + reg = <5 0 0xff>; + interrupt-parent = <&gpio6>; diff --git a/queue-4.4/arm-dts-stih407-family-provide-interconnect-clock-for-consumption-in-st-sdhci.patch b/queue-4.4/arm-dts-stih407-family-provide-interconnect-clock-for-consumption-in-st-sdhci.patch new file mode 100644 index 00000000000..cb55de4ed81 --- /dev/null +++ b/queue-4.4/arm-dts-stih407-family-provide-interconnect-clock-for-consumption-in-st-sdhci.patch @@ -0,0 +1,66 @@ +From 78567f135d9bbbaf4538f63656d3e4d957c35fe9 Mon Sep 17 00:00:00 2001 +From: Lee Jones +Date: Thu, 8 Sep 2016 11:11:00 +0200 +Subject: ARM: dts: STiH407-family: Provide interconnect clock for consumption in ST SDHCI + +From: Lee Jones + +commit 78567f135d9bbbaf4538f63656d3e4d957c35fe9 upstream. + +The STiH4{07,10} platform contains some interconnect clocks which are used +by various IPs. If these clocks aren't handled correctly by ST's SDHCI +driver MMC will break and the following output can be observed: + +[ 13.916949] mmc0: Timeout waiting for hardware interrupt. +[ 13.922349] sdhci: =========== REGISTER DUMP (mmc0)=========== +[ 13.928175] sdhci: Sys addr: 0x00000000 | Version: 0x00001002 +[ 13.933999] sdhci: Blk size: 0x00007040 | Blk cnt: 0x00000001 +[ 13.939825] sdhci: Argument: 0x00fffff0 | Trn mode: 0x00000013 +[ 13.945650] sdhci: Present: 0x1fff0206 | Host ctl: 0x00000011 +[ 13.951475] sdhci: Power: 0x0000000f | Blk gap: 0x00000080 +[ 13.957300] sdhci: Wake-up: 0x00000000 | Clock: 0x00003f07 +[ 13.963126] sdhci: Timeout: 0x00000004 | Int stat: 0x00000000 +[ 13.968952] sdhci: Int enab: 0x02ff008b | Sig enab: 0x02ff008b +[ 13.974777] sdhci: AC12 err: 0x00000000 | Slot int: 0x00000000 +[ 13.980602] sdhci: Caps: 0x21ed3281 | Caps_1: 0x00000000 +[ 13.986428] sdhci: Cmd: 0x0000063a | Max curr: 0x00000000 +[ 13.992252] sdhci: Host ctl2: 0x00000000 +[ 13.996166] sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x7c048200 +[ 14.001990] sdhci: =========================================== +[ 14.009802] mmc0: Got data interrupt 0x02000000 even though no data operation was in progress. + +Tested-by: Peter Griffin +Signed-off-by: Lee Jones +Acked-by: Patrice Chotard +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/stih407-family.dtsi | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/arch/arm/boot/dts/stih407-family.dtsi ++++ b/arch/arm/boot/dts/stih407-family.dtsi +@@ -497,8 +497,9 @@ + interrupt-names = "mmcirq"; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_mmc0>; +- clock-names = "mmc"; +- clocks = <&clk_s_c0_flexgen CLK_MMC_0>; ++ clock-names = "mmc", "icn"; ++ clocks = <&clk_s_c0_flexgen CLK_MMC_0>, ++ <&clk_s_c0_flexgen CLK_RX_ICN_HVA>; + bus-width = <8>; + non-removable; + }; +@@ -512,8 +513,9 @@ + interrupt-names = "mmcirq"; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_sd1>; +- clock-names = "mmc"; +- clocks = <&clk_s_c0_flexgen CLK_MMC_1>; ++ clock-names = "mmc", "icn"; ++ clocks = <&clk_s_c0_flexgen CLK_MMC_1>, ++ <&clk_s_c0_flexgen CLK_RX_ICN_HVA>; + resets = <&softreset STIH407_MMC1_SOFTRESET>; + bus-width = <4>; + }; diff --git a/queue-4.4/arm-dts-stih410-handle-interconnect-clock-required-by-ehci-ohci-usb.patch b/queue-4.4/arm-dts-stih410-handle-interconnect-clock-required-by-ehci-ohci-usb.patch new file mode 100644 index 00000000000..f620006c808 --- /dev/null +++ b/queue-4.4/arm-dts-stih410-handle-interconnect-clock-required-by-ehci-ohci-usb.patch @@ -0,0 +1,67 @@ +From 7e9d2850a8db4e0d85a20bb692198bf2cc4be3b7 Mon Sep 17 00:00:00 2001 +From: Lee Jones +Date: Thu, 8 Sep 2016 11:11:00 +0200 +Subject: ARM: dts: STiH410: Handle interconnect clock required by EHCI/OHCI (USB) + +From: Lee Jones + +commit 7e9d2850a8db4e0d85a20bb692198bf2cc4be3b7 upstream. + +The STiH4{07,10} platform contains some interconnect clocks which are used +by various IPs. If this clock isn't handled correctly by ST's EHCI/OHCI +drivers, their hub won't be found, the following error be shown and the +result will be non-working USB: + + [ 97.221963] hub 2-1:1.0: hub_ext_port_status failed (err = -110) + +Tested-by: Peter Griffin +Signed-off-by: Lee Jones +Acked-by: Patrice Chotard +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/stih410.dtsi | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/arch/arm/boot/dts/stih410.dtsi ++++ b/arch/arm/boot/dts/stih410.dtsi +@@ -41,7 +41,8 @@ + compatible = "st,st-ohci-300x"; + reg = <0x9a03c00 0x100>; + interrupts = ; +- clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>; ++ clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>, ++ <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>; + resets = <&powerdown STIH407_USB2_PORT0_POWERDOWN>, + <&softreset STIH407_USB2_PORT0_SOFTRESET>; + reset-names = "power", "softreset"; +@@ -57,7 +58,8 @@ + interrupts = ; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_usb0>; +- clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>; ++ clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>, ++ <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>; + resets = <&powerdown STIH407_USB2_PORT0_POWERDOWN>, + <&softreset STIH407_USB2_PORT0_SOFTRESET>; + reset-names = "power", "softreset"; +@@ -71,7 +73,8 @@ + compatible = "st,st-ohci-300x"; + reg = <0x9a83c00 0x100>; + interrupts = ; +- clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>; ++ clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>, ++ <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>; + resets = <&powerdown STIH407_USB2_PORT1_POWERDOWN>, + <&softreset STIH407_USB2_PORT1_SOFTRESET>; + reset-names = "power", "softreset"; +@@ -87,7 +90,8 @@ + interrupts = ; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_usb1>; +- clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>; ++ clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>, ++ <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>; + resets = <&powerdown STIH407_USB2_PORT1_POWERDOWN>, + <&softreset STIH407_USB2_PORT1_SOFTRESET>; + reset-names = "power", "softreset"; diff --git a/queue-4.4/arm-imx6-add-missing-bm_clpcr_byp_mmdc_ch0_lpm_hs-setting-for-imx6ul.patch b/queue-4.4/arm-imx6-add-missing-bm_clpcr_byp_mmdc_ch0_lpm_hs-setting-for-imx6ul.patch new file mode 100644 index 00000000000..aa20d763f2f --- /dev/null +++ b/queue-4.4/arm-imx6-add-missing-bm_clpcr_byp_mmdc_ch0_lpm_hs-setting-for-imx6ul.patch @@ -0,0 +1,36 @@ +From f5a49057c71433e35a4712ab8d8f00641b3e1ec0 Mon Sep 17 00:00:00 2001 +From: Peter Chen +Date: Tue, 9 Aug 2016 16:24:43 +0800 +Subject: ARM: imx6: add missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul + +From: Peter Chen + +commit f5a49057c71433e35a4712ab8d8f00641b3e1ec0 upstream. + +There is a missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul, +without it, the "standby" mode can't work well, the system can't be +resumed. + +With this commit, the "standby" mode works well. + +Signed-off-by: Peter Chen +Cc: Anson Huang +Fixes: ee4a5f838c84 ("ARM: imx: add suspend/resume support for i.mx6ul") +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-imx/pm-imx6.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/mach-imx/pm-imx6.c ++++ b/arch/arm/mach-imx/pm-imx6.c +@@ -295,7 +295,7 @@ int imx6_set_lpm(enum mxc_cpu_pwr_mode m + val &= ~BM_CLPCR_SBYOS; + if (cpu_is_imx6sl()) + val |= BM_CLPCR_BYPASS_PMIC_READY; +- if (cpu_is_imx6sl() || cpu_is_imx6sx()) ++ if (cpu_is_imx6sl() || cpu_is_imx6sx() || cpu_is_imx6ul()) + val |= BM_CLPCR_BYP_MMDC_CH0_LPM_HS; + else + val |= BM_CLPCR_BYP_MMDC_CH1_LPM_HS; diff --git a/queue-4.4/arm-imx6-add-missing-bm_clpcr_bypass_pmic_ready-setting-for-imx6sx.patch b/queue-4.4/arm-imx6-add-missing-bm_clpcr_bypass_pmic_ready-setting-for-imx6sx.patch new file mode 100644 index 00000000000..43bb31a0cc4 --- /dev/null +++ b/queue-4.4/arm-imx6-add-missing-bm_clpcr_bypass_pmic_ready-setting-for-imx6sx.patch @@ -0,0 +1,37 @@ +From 8aade778f787305fdbfd3c1d54e6b583601b5902 Mon Sep 17 00:00:00 2001 +From: Anson Huang +Date: Mon, 22 Aug 2016 23:53:25 +0800 +Subject: ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx + +From: Anson Huang + +commit 8aade778f787305fdbfd3c1d54e6b583601b5902 upstream. + +i.MX6SX has bypass PMIC ready function, as this function +is normally NOT enabled on the board design, so we need +to bypass the PMIC ready pin check during DSM mode resume +flow, otherwise, the internal DSM resume logic will be +waiting for this signal to be ready forever and cause +resume fail. + +Signed-off-by: Anson Huang +Fixes: ff843d621bfc ("ARM: imx: add suspend support for i.mx6sx") +Tested-by: Peter Chen +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-imx/pm-imx6.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/mach-imx/pm-imx6.c ++++ b/arch/arm/mach-imx/pm-imx6.c +@@ -310,7 +310,7 @@ int imx6_set_lpm(enum mxc_cpu_pwr_mode m + val |= 0x3 << BP_CLPCR_STBY_COUNT; + val |= BM_CLPCR_VSTBY; + val |= BM_CLPCR_SBYOS; +- if (cpu_is_imx6sl()) ++ if (cpu_is_imx6sl() || cpu_is_imx6sx()) + val |= BM_CLPCR_BYPASS_PMIC_READY; + if (cpu_is_imx6sl() || cpu_is_imx6sx() || cpu_is_imx6ul()) + val |= BM_CLPCR_BYP_MMDC_CH0_LPM_HS; diff --git a/queue-4.4/arm-kirkwood-ib62x0-fix-size-of-u-boot-environment-partition.patch b/queue-4.4/arm-kirkwood-ib62x0-fix-size-of-u-boot-environment-partition.patch new file mode 100644 index 00000000000..38b56dd344f --- /dev/null +++ b/queue-4.4/arm-kirkwood-ib62x0-fix-size-of-u-boot-environment-partition.patch @@ -0,0 +1,40 @@ +From a778937888867aac17a33887d1c429120790fbc2 Mon Sep 17 00:00:00 2001 +From: Simon Baatz +Date: Fri, 12 Aug 2016 19:12:50 +0200 +Subject: ARM: kirkwood: ib62x0: fix size of u-boot environment partition + +From: Simon Baatz + +commit a778937888867aac17a33887d1c429120790fbc2 upstream. + +Commit 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment +partition") split the "u-boot" partition into "u-boot" and "u-boot +environment". However, instead of the size of the environment, an offset +was given, resulting in overlapping partitions. + +Signed-off-by: Simon Baatz +Fixes: 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment partition") +Cc: Jason Cooper +Cc: Andrew Lunn +Cc: Gregory Clement +Cc: Sebastian Hesselbarth +Cc: Luka Perkov +Reviewed-by: Andrew Lunn +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/kirkwood-ib62x0.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/kirkwood-ib62x0.dts ++++ b/arch/arm/boot/dts/kirkwood-ib62x0.dts +@@ -113,7 +113,7 @@ + + partition@e0000 { + label = "u-boot environment"; +- reg = <0xe0000 0x100000>; ++ reg = <0xe0000 0x20000>; + }; + + partition@100000 { diff --git a/queue-4.4/arm-omap3-hwmod-data-add-sysc-information-for-dsi.patch b/queue-4.4/arm-omap3-hwmod-data-add-sysc-information-for-dsi.patch new file mode 100644 index 00000000000..40f85c94a52 --- /dev/null +++ b/queue-4.4/arm-omap3-hwmod-data-add-sysc-information-for-dsi.patch @@ -0,0 +1,48 @@ +From b46211d6dcfb81a8af66b8684a42d629183670d4 Mon Sep 17 00:00:00 2001 +From: Sebastian Reichel +Date: Fri, 24 Jun 2016 03:59:33 +0200 +Subject: ARM: OMAP3: hwmod data: Add sysc information for DSI + +From: Sebastian Reichel + +commit b46211d6dcfb81a8af66b8684a42d629183670d4 upstream. + +Add missing sysconfig/sysstatus information +to OMAP3 hwmod. The information has been +checked against OMAP34xx and OMAP36xx TRM. + +Without this change DSI block is not reset +during boot, which is required for working +Nokia N950 display. + +Signed-off-by: Sebastian Reichel +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-omap2/omap_hwmod_3xxx_data.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c ++++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c +@@ -723,8 +723,20 @@ static struct omap_hwmod omap3xxx_dss_di + * display serial interface controller + */ + ++static struct omap_hwmod_class_sysconfig omap3xxx_dsi_sysc = { ++ .rev_offs = 0x0000, ++ .sysc_offs = 0x0010, ++ .syss_offs = 0x0014, ++ .sysc_flags = (SYSC_HAS_AUTOIDLE | SYSC_HAS_CLOCKACTIVITY | ++ SYSC_HAS_ENAWAKEUP | SYSC_HAS_SIDLEMODE | ++ SYSC_HAS_SOFTRESET | SYSS_HAS_RESET_STATUS), ++ .idlemodes = (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART), ++ .sysc_fields = &omap_hwmod_sysc_type1, ++}; ++ + static struct omap_hwmod_class omap3xxx_dsi_hwmod_class = { + .name = "dsi", ++ .sysc = &omap3xxx_dsi_sysc, + }; + + static struct omap_hwmod_irq_info omap3xxx_dsi1_irqs[] = { diff --git a/queue-4.4/arm64-spinlocks-implement-smp_mb__before_spinlock-as-smp_mb.patch b/queue-4.4/arm64-spinlocks-implement-smp_mb__before_spinlock-as-smp_mb.patch new file mode 100644 index 00000000000..7ff1d68edd1 --- /dev/null +++ b/queue-4.4/arm64-spinlocks-implement-smp_mb__before_spinlock-as-smp_mb.patch @@ -0,0 +1,47 @@ +From 872c63fbf9e153146b07f0cece4da0d70b283eeb Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Mon, 5 Sep 2016 11:56:05 +0100 +Subject: arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb() + +From: Will Deacon + +commit 872c63fbf9e153146b07f0cece4da0d70b283eeb upstream. + +smp_mb__before_spinlock() is intended to upgrade a spin_lock() operation +to a full barrier, such that prior stores are ordered with respect to +loads and stores occuring inside the critical section. + +Unfortunately, the core code defines the barrier as smp_wmb(), which +is insufficient to provide the required ordering guarantees when used in +conjunction with our load-acquire-based spinlock implementation. + +This patch overrides the arm64 definition of smp_mb__before_spinlock() +to map to a full smp_mb(). + +Cc: Peter Zijlstra +Reported-by: Alan Stern +Signed-off-by: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/spinlock.h | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/arm64/include/asm/spinlock.h ++++ b/arch/arm64/include/asm/spinlock.h +@@ -312,4 +312,14 @@ static inline int arch_read_trylock(arch + #define arch_read_relax(lock) cpu_relax() + #define arch_write_relax(lock) cpu_relax() + ++/* ++ * Accesses appearing in program order before a spin_lock() operation ++ * can be reordered with accesses inside the critical section, by virtue ++ * of arch_spin_lock being constructed using acquire semantics. ++ * ++ * In cases where this is problematic (e.g. try_to_wake_up), an ++ * smp_mb__before_spinlock() can restore the required ordering. ++ */ ++#define smp_mb__before_spinlock() smp_mb() ++ + #endif /* __ASM_SPINLOCK_H */ diff --git a/queue-4.4/ath9k-fix-using-sta-drv_priv-before-initializing-it.patch b/queue-4.4/ath9k-fix-using-sta-drv_priv-before-initializing-it.patch new file mode 100644 index 00000000000..2da92a0803d --- /dev/null +++ b/queue-4.4/ath9k-fix-using-sta-drv_priv-before-initializing-it.patch @@ -0,0 +1,42 @@ +From 7711aaf08ad3fc4d0e937eec1de0a63620444ce7 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Fri, 19 Aug 2016 13:37:46 +0300 +Subject: ath9k: fix using sta->drv_priv before initializing it + +From: Felix Fietkau + +commit 7711aaf08ad3fc4d0e937eec1de0a63620444ce7 upstream. + +A station pointer can be passed to the driver on tx, before it has been +marked as associated. Since ath9k_sta_state was initializing the entry +too late, it resulted in some spurious crashes. + +Fixes: df3c6eb34da5 ("ath9k: Use sta_state() callback") +Signed-off-by: Felix Fietkau +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -1550,13 +1550,13 @@ static int ath9k_sta_state(struct ieee80 + struct ath_common *common = ath9k_hw_common(sc->sc_ah); + int ret = 0; + +- if (old_state == IEEE80211_STA_AUTH && +- new_state == IEEE80211_STA_ASSOC) { ++ if (old_state == IEEE80211_STA_NOTEXIST && ++ new_state == IEEE80211_STA_NONE) { + ret = ath9k_sta_add(hw, vif, sta); + ath_dbg(common, CONFIG, + "Add station: %pM\n", sta->addr); +- } else if (old_state == IEEE80211_STA_ASSOC && +- new_state == IEEE80211_STA_AUTH) { ++ } else if (old_state == IEEE80211_STA_NONE && ++ new_state == IEEE80211_STA_NOTEXIST) { + ret = ath9k_sta_remove(hw, vif, sta); + ath_dbg(common, CONFIG, + "Remove station: %pM\n", sta->addr); diff --git a/queue-4.4/audit-fix-exe_file-access-in-audit_exe_compare.patch b/queue-4.4/audit-fix-exe_file-access-in-audit_exe_compare.patch new file mode 100644 index 00000000000..dadebbbb74c --- /dev/null +++ b/queue-4.4/audit-fix-exe_file-access-in-audit_exe_compare.patch @@ -0,0 +1,49 @@ +From 5efc244346f9f338765da3d592f7947b0afdc4b5 Mon Sep 17 00:00:00 2001 +From: Mateusz Guzik +Date: Tue, 23 Aug 2016 16:20:39 +0200 +Subject: audit: fix exe_file access in audit_exe_compare + +From: Mateusz Guzik + +commit 5efc244346f9f338765da3d592f7947b0afdc4b5 upstream. + +Prior to the change the function would blindly deference mm, exe_file +and exe_file->f_inode, each of which could have been NULL or freed. + +Use get_task_exe_file to safely obtain stable exe_file. + +Signed-off-by: Mateusz Guzik +Acked-by: Konstantin Khlebnikov +Acked-by: Richard Guy Briggs +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/audit_watch.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/kernel/audit_watch.c ++++ b/kernel/audit_watch.c +@@ -19,6 +19,7 @@ + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + ++#include + #include + #include + #include +@@ -544,10 +545,11 @@ int audit_exe_compare(struct task_struct + unsigned long ino; + dev_t dev; + +- rcu_read_lock(); +- exe_file = rcu_dereference(tsk->mm->exe_file); ++ exe_file = get_task_exe_file(tsk); ++ if (!exe_file) ++ return 0; + ino = exe_file->f_inode->i_ino; + dev = exe_file->f_inode->i_sb->s_dev; +- rcu_read_unlock(); ++ fput(exe_file); + return audit_mark_compare(mark, ino, dev); + } diff --git a/queue-4.4/btrfs-remove-root_log_ctx-from-ctx-list-before-btrfs_sync_log-returns.patch b/queue-4.4/btrfs-remove-root_log_ctx-from-ctx-list-before-btrfs_sync_log-returns.patch new file mode 100644 index 00000000000..dcf138f70bf --- /dev/null +++ b/queue-4.4/btrfs-remove-root_log_ctx-from-ctx-list-before-btrfs_sync_log-returns.patch @@ -0,0 +1,35 @@ +From cbd60aa7cd17d81a434234268c55192862147439 Mon Sep 17 00:00:00 2001 +From: Chris Mason +Date: Tue, 6 Sep 2016 05:37:40 -0700 +Subject: Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns + +From: Chris Mason + +commit cbd60aa7cd17d81a434234268c55192862147439 upstream. + +We use a btrfs_log_ctx structure to pass information into the +tree log commit, and get error values out. It gets added to a per +log-transaction list which we walk when things go bad. + +Commit d1433debe added an optimization to skip waiting for the log +commit, but didn't take root_log_ctx out of the list. This +patch makes sure we remove things before exiting. + +Signed-off-by: Chris Mason +Fixes: d1433debe7f4346cf9fc0dafc71c3137d2a97bc4 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/tree-log.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -2850,6 +2850,7 @@ int btrfs_sync_log(struct btrfs_trans_ha + + if (log_root_tree->log_transid_committed >= root_log_ctx.log_transid) { + blk_finish_plug(&plug); ++ list_del_init(&root_log_ctx.list); + mutex_unlock(&log_root_tree->log_mutex); + ret = root_log_ctx.log_ret; + goto out; diff --git a/queue-4.4/bus-arm-ccn-do-not-attempt-to-configure-xps-for-cycle-counter.patch b/queue-4.4/bus-arm-ccn-do-not-attempt-to-configure-xps-for-cycle-counter.patch new file mode 100644 index 00000000000..9192c17ab94 --- /dev/null +++ b/queue-4.4/bus-arm-ccn-do-not-attempt-to-configure-xps-for-cycle-counter.patch @@ -0,0 +1,39 @@ +From b7c1beb278e8e3dc664ed3df3fc786db126120a9 Mon Sep 17 00:00:00 2001 +From: Pawel Moll +Date: Fri, 5 Aug 2016 15:07:10 +0100 +Subject: bus: arm-ccn: Do not attempt to configure XPs for cycle counter + +From: Pawel Moll + +commit b7c1beb278e8e3dc664ed3df3fc786db126120a9 upstream. + +Fuzzing the CCN perf driver revealed a small but definitely dangerous +mistake in the event setup code. When a cycle counter is requested, the +driver should not reconfigure the events bus at all, otherwise it will +corrupt (in most but the simplest cases) its configuration and may end +up accessing XP array out of its bounds and corrupting control +registers. + +Reported-by: Mark Rutland +Reviewed-by: Mark Rutland +Tested-by: Mark Rutland +Signed-off-by: Pawel Moll +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bus/arm-ccn.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/bus/arm-ccn.c ++++ b/drivers/bus/arm-ccn.c +@@ -895,6 +895,10 @@ static void arm_ccn_pmu_xp_dt_config(str + struct arm_ccn_component *xp; + u32 val, dt_cfg; + ++ /* Nothing to do for cycle counter */ ++ if (hw->idx == CCN_IDX_PMU_CYCLE_COUNTER) ++ return; ++ + if (CCN_CONFIG_TYPE(event->attr.config) == CCN_TYPE_XP) + xp = &ccn->xp[CCN_CONFIG_XP(event->attr.config)]; + else diff --git a/queue-4.4/bus-arm-ccn-fix-pmu-handling-of-mn.patch b/queue-4.4/bus-arm-ccn-fix-pmu-handling-of-mn.patch new file mode 100644 index 00000000000..e0ecf91bbf2 --- /dev/null +++ b/queue-4.4/bus-arm-ccn-fix-pmu-handling-of-mn.patch @@ -0,0 +1,92 @@ +From 4e486cba285ff06a1f28f0fc2991dde1482d1dcf Mon Sep 17 00:00:00 2001 +From: Pawel Moll +Date: Tue, 2 Aug 2016 16:45:37 +0100 +Subject: bus: arm-ccn: Fix PMU handling of MN + +From: Pawel Moll + +commit 4e486cba285ff06a1f28f0fc2991dde1482d1dcf upstream. + +The "Miscellaneous Node" fell through cracks of node initialisation, +as its ID is shared with HN-I. + +This patch treats MN as a special case (which it is), adding separate +validation check for it and pre-defining the node ID in relevant events +descriptions. That way one can simply run: + + # perf stat -a -e ccn/mn_ecbarrier/ + +Additionally, direction in the MN pseudo-events XP watchpoint +definitions is corrected to be "TX" (1) as they are defined from the +crosspoint point of view (thus barriers are transmitted from XP to MN). + +Signed-off-by: Pawel Moll +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bus/arm-ccn.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +--- a/drivers/bus/arm-ccn.c ++++ b/drivers/bus/arm-ccn.c +@@ -187,6 +187,7 @@ struct arm_ccn { + struct arm_ccn_component *xp; + + struct arm_ccn_dt dt; ++ int mn_id; + }; + + +@@ -326,6 +327,7 @@ struct arm_ccn_pmu_event { + static ssize_t arm_ccn_pmu_event_show(struct device *dev, + struct device_attribute *attr, char *buf) + { ++ struct arm_ccn *ccn = pmu_to_arm_ccn(dev_get_drvdata(dev)); + struct arm_ccn_pmu_event *event = container_of(attr, + struct arm_ccn_pmu_event, attr); + ssize_t res; +@@ -352,6 +354,9 @@ static ssize_t arm_ccn_pmu_event_show(st + res += snprintf(buf + res, PAGE_SIZE - res, + ",cmp_l=?,cmp_h=?,mask=?"); + break; ++ case CCN_TYPE_MN: ++ res += snprintf(buf + res, PAGE_SIZE - res, ",node=%d", ccn->mn_id); ++ break; + default: + res += snprintf(buf + res, PAGE_SIZE - res, ",node=?"); + break; +@@ -381,9 +386,9 @@ static umode_t arm_ccn_pmu_events_is_vis + } + + static struct arm_ccn_pmu_event arm_ccn_pmu_events[] = { +- CCN_EVENT_MN(eobarrier, "dir=0,vc=0,cmp_h=0x1c00", CCN_IDX_MASK_OPCODE), +- CCN_EVENT_MN(ecbarrier, "dir=0,vc=0,cmp_h=0x1e00", CCN_IDX_MASK_OPCODE), +- CCN_EVENT_MN(dvmop, "dir=0,vc=0,cmp_h=0x2800", CCN_IDX_MASK_OPCODE), ++ CCN_EVENT_MN(eobarrier, "dir=1,vc=0,cmp_h=0x1c00", CCN_IDX_MASK_OPCODE), ++ CCN_EVENT_MN(ecbarrier, "dir=1,vc=0,cmp_h=0x1e00", CCN_IDX_MASK_OPCODE), ++ CCN_EVENT_MN(dvmop, "dir=1,vc=0,cmp_h=0x2800", CCN_IDX_MASK_OPCODE), + CCN_EVENT_HNI(txdatflits, "dir=1,vc=3", CCN_IDX_MASK_ANY), + CCN_EVENT_HNI(rxdatflits, "dir=0,vc=3", CCN_IDX_MASK_ANY), + CCN_EVENT_HNI(txreqflits, "dir=1,vc=0", CCN_IDX_MASK_ANY), +@@ -757,6 +762,12 @@ static int arm_ccn_pmu_event_init(struct + + /* Validate node/xp vs topology */ + switch (type) { ++ case CCN_TYPE_MN: ++ if (node_xp != ccn->mn_id) { ++ dev_warn(ccn->dev, "Invalid MN ID %d!\n", node_xp); ++ return -EINVAL; ++ } ++ break; + case CCN_TYPE_XP: + if (node_xp >= ccn->num_xps) { + dev_warn(ccn->dev, "Invalid XP ID %d!\n", node_xp); +@@ -1368,6 +1379,8 @@ static int arm_ccn_init_nodes(struct arm + + switch (type) { + case CCN_TYPE_MN: ++ ccn->mn_id = id; ++ return 0; + case CCN_TYPE_DT: + return 0; + case CCN_TYPE_XP: diff --git a/queue-4.4/bus-arm-ccn-fix-xp-watchpoint-settings-bitmask.patch b/queue-4.4/bus-arm-ccn-fix-xp-watchpoint-settings-bitmask.patch new file mode 100644 index 00000000000..ccd2864c7ae --- /dev/null +++ b/queue-4.4/bus-arm-ccn-fix-xp-watchpoint-settings-bitmask.patch @@ -0,0 +1,45 @@ +From b928466b2169e061822daad48ecf55b005445547 Mon Sep 17 00:00:00 2001 +From: Pawel Moll +Date: Wed, 10 Aug 2016 17:06:26 +0100 +Subject: bus: arm-ccn: Fix XP watchpoint settings bitmask + +From: Pawel Moll + +commit b928466b2169e061822daad48ecf55b005445547 upstream. + +The code setting XP watchpoint comparator and mask registers should, in +order to be fully compliant with specification, zero one or more most +significant bits of each field. In both L cases it means zeroing bit 63. +The bitmask doing this was wrong, though, zeroing bit 60 instead. +Fortunately, due to a lucky coincidence, this turned out to be fairly +innocent with the existing hardware. + +Fixed now. + +Signed-off-by: Pawel Moll +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bus/arm-ccn.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/bus/arm-ccn.c ++++ b/drivers/bus/arm-ccn.c +@@ -1001,7 +1001,7 @@ static void arm_ccn_pmu_xp_watchpoint_co + + /* Comparison values */ + writel(cmp_l & 0xffffffff, source->base + CCN_XP_DT_CMP_VAL_L(wp)); +- writel((cmp_l >> 32) & 0xefffffff, ++ writel((cmp_l >> 32) & 0x7fffffff, + source->base + CCN_XP_DT_CMP_VAL_L(wp) + 4); + writel(cmp_h & 0xffffffff, source->base + CCN_XP_DT_CMP_VAL_H(wp)); + writel((cmp_h >> 32) & 0x0fffffff, +@@ -1009,7 +1009,7 @@ static void arm_ccn_pmu_xp_watchpoint_co + + /* Mask */ + writel(mask_l & 0xffffffff, source->base + CCN_XP_DT_CMP_MASK_L(wp)); +- writel((mask_l >> 32) & 0xefffffff, ++ writel((mask_l >> 32) & 0x7fffffff, + source->base + CCN_XP_DT_CMP_MASK_L(wp) + 4); + writel(mask_h & 0xffffffff, source->base + CCN_XP_DT_CMP_MASK_H(wp)); + writel((mask_h >> 32) & 0x0fffffff, diff --git a/queue-4.4/cpuset-make-sure-new-tasks-conform-to-the-current-config-of-the-cpuset.patch b/queue-4.4/cpuset-make-sure-new-tasks-conform-to-the-current-config-of-the-cpuset.patch new file mode 100644 index 00000000000..638e1cab64c --- /dev/null +++ b/queue-4.4/cpuset-make-sure-new-tasks-conform-to-the-current-config-of-the-cpuset.patch @@ -0,0 +1,53 @@ +From 06f4e94898918bcad00cdd4d349313a439d6911e Mon Sep 17 00:00:00 2001 +From: Zefan Li +Date: Tue, 9 Aug 2016 11:25:01 +0800 +Subject: cpuset: make sure new tasks conform to the current config of the cpuset + +From: Zefan Li + +commit 06f4e94898918bcad00cdd4d349313a439d6911e upstream. + +A new task inherits cpus_allowed and mems_allowed masks from its parent, +but if someone changes cpuset's config by writing to cpuset.cpus/cpuset.mems +before this new task is inserted into the cgroup's task list, the new task +won't be updated accordingly. + +Signed-off-by: Zefan Li +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cpuset.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/kernel/cpuset.c ++++ b/kernel/cpuset.c +@@ -2074,6 +2074,20 @@ static void cpuset_bind(struct cgroup_su + mutex_unlock(&cpuset_mutex); + } + ++/* ++ * Make sure the new task conform to the current state of its parent, ++ * which could have been changed by cpuset just after it inherits the ++ * state from the parent and before it sits on the cgroup's task list. ++ */ ++void cpuset_fork(struct task_struct *task) ++{ ++ if (task_css_is_root(task, cpuset_cgrp_id)) ++ return; ++ ++ set_cpus_allowed_ptr(task, ¤t->cpus_allowed); ++ task->mems_allowed = current->mems_allowed; ++} ++ + struct cgroup_subsys cpuset_cgrp_subsys = { + .css_alloc = cpuset_css_alloc, + .css_online = cpuset_css_online, +@@ -2084,6 +2098,7 @@ struct cgroup_subsys cpuset_cgrp_subsys + .attach = cpuset_attach, + .post_attach = cpuset_post_attach, + .bind = cpuset_bind, ++ .fork = cpuset_fork, + .legacy_cftypes = files, + .early_init = 1, + }; diff --git a/queue-4.4/crypto-cryptd-initialize-child-shash_desc-on-import.patch b/queue-4.4/crypto-cryptd-initialize-child-shash_desc-on-import.patch new file mode 100644 index 00000000000..0297fb64c3e --- /dev/null +++ b/queue-4.4/crypto-cryptd-initialize-child-shash_desc-on-import.patch @@ -0,0 +1,40 @@ +From 0bd2223594a4dcddc1e34b15774a3a4776f7749e Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Thu, 1 Sep 2016 14:25:43 +0100 +Subject: crypto: cryptd - initialize child shash_desc on import + +From: Ard Biesheuvel + +commit 0bd2223594a4dcddc1e34b15774a3a4776f7749e upstream. + +When calling .import() on a cryptd ahash_request, the structure members +that describe the child transform in the shash_desc need to be initialized +like they are when calling .init() + +Signed-off-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/cryptd.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/crypto/cryptd.c ++++ b/crypto/cryptd.c +@@ -594,9 +594,14 @@ static int cryptd_hash_export(struct aha + + static int cryptd_hash_import(struct ahash_request *req, const void *in) + { +- struct cryptd_hash_request_ctx *rctx = ahash_request_ctx(req); ++ struct crypto_ahash *tfm = crypto_ahash_reqtfm(req); ++ struct cryptd_hash_ctx *ctx = crypto_ahash_ctx(tfm); ++ struct shash_desc *desc = cryptd_shash_desc(req); + +- return crypto_shash_import(&rctx->desc, in); ++ desc->tfm = ctx->child; ++ desc->flags = req->base.flags; ++ ++ return crypto_shash_import(desc, in); + } + + static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb, diff --git a/queue-4.4/cxl-use-pcibios_free_controller_deferred-when-removing-vphbs.patch b/queue-4.4/cxl-use-pcibios_free_controller_deferred-when-removing-vphbs.patch new file mode 100644 index 00000000000..ca76e56c145 --- /dev/null +++ b/queue-4.4/cxl-use-pcibios_free_controller_deferred-when-removing-vphbs.patch @@ -0,0 +1,68 @@ +From 6f38a8b9a45833495dc878c335c5431cd98a16ed Mon Sep 17 00:00:00 2001 +From: Andrew Donnellan +Date: Thu, 18 Aug 2016 17:35:14 +1000 +Subject: cxl: use pcibios_free_controller_deferred() when removing vPHBs + +From: Andrew Donnellan + +commit 6f38a8b9a45833495dc878c335c5431cd98a16ed upstream. + +When cxl removes a vPHB, it's possible that the pci_controller may be freed +before all references to the devices on the vPHB have been released. This +in turn causes an invalid memory access when the devices are eventually +released, as pcibios_release_device() attempts to call the phb's +release_device hook. + +In cxl_pci_vphb_remove(), remove the existing call to +pcibios_free_controller(). Instead, use +pcibios_free_controller_deferred() to free the pci_controller after all +devices have been released. Export pci_set_host_bridge_release() so we can +do this. + +Signed-off-by: Andrew Donnellan +Reviewed-by: Matthew R. Ochs +Acked-by: Ian Munsie +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/cxl/vphb.c | 10 +++++++++- + drivers/pci/host-bridge.c | 1 + + 2 files changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/misc/cxl/vphb.c ++++ b/drivers/misc/cxl/vphb.c +@@ -258,6 +258,11 @@ int cxl_pci_vphb_add(struct cxl_afu *afu + if (phb->bus == NULL) + return -ENXIO; + ++ /* Set release hook on root bus */ ++ pci_set_host_bridge_release(to_pci_host_bridge(phb->bus->bridge), ++ pcibios_free_controller_deferred, ++ (void *) phb); ++ + /* Claim resources. This might need some rework as well depending + * whether we are doing probe-only or not, like assigning unassigned + * resources etc... +@@ -293,7 +298,10 @@ void cxl_pci_vphb_remove(struct cxl_afu + afu->phb = NULL; + + pci_remove_root_bus(phb->bus); +- pcibios_free_controller(phb); ++ /* ++ * We don't free phb here - that's handled by ++ * pcibios_free_controller_deferred() ++ */ + } + + struct cxl_afu *cxl_pci_to_afu(struct pci_dev *dev) +--- a/drivers/pci/host-bridge.c ++++ b/drivers/pci/host-bridge.c +@@ -44,6 +44,7 @@ void pci_set_host_bridge_release(struct + bridge->release_fn = release_fn; + bridge->release_data = release_data; + } ++EXPORT_SYMBOL_GPL(pci_set_host_bridge_release); + + void pcibios_resource_to_bus(struct pci_bus *bus, struct pci_bus_region *region, + struct resource *res) diff --git a/queue-4.4/dm-crypt-fix-error-with-too-large-bios.patch b/queue-4.4/dm-crypt-fix-error-with-too-large-bios.patch new file mode 100644 index 00000000000..d3241999e2d --- /dev/null +++ b/queue-4.4/dm-crypt-fix-error-with-too-large-bios.patch @@ -0,0 +1,44 @@ +From 4e870e948fbabf62b78e8410f04c67703e7c816b Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 30 Aug 2016 16:38:42 -0400 +Subject: dm crypt: fix error with too large bios + +From: Mikulas Patocka + +commit 4e870e948fbabf62b78e8410f04c67703e7c816b upstream. + +When dm-crypt processes writes, it allocates a new bio in +crypt_alloc_buffer(). The bio is allocated from a bio set and it can +have at most BIO_MAX_PAGES vector entries, however the incoming bio can be +larger (e.g. if it was allocated by bcache). If the incoming bio is +larger, bio_alloc_bioset() fails and an error is returned. + +To avoid the error, we test for a too large bio in the function +crypt_map() and use dm_accept_partial_bio() to split the bio. +dm_accept_partial_bio() trims the current bio to the desired size and +asks DM core to send another bio with the rest of the data. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-crypt.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -1920,6 +1920,13 @@ static int crypt_map(struct dm_target *t + return DM_MAPIO_REMAPPED; + } + ++ /* ++ * Check if bio is too large, split as needed. ++ */ ++ if (unlikely(bio->bi_iter.bi_size > (BIO_MAX_PAGES << PAGE_SHIFT)) && ++ bio_data_dir(bio) == WRITE) ++ dm_accept_partial_bio(bio, ((BIO_MAX_PAGES << PAGE_SHIFT) >> SECTOR_SHIFT)); ++ + io = dm_per_bio_data(bio, cc->per_bio_data_size); + crypt_io_init(io, cc, bio, dm_target_offset(ti, bio->bi_iter.bi_sector)); + io->ctx.req = (struct ablkcipher_request *)(io + 1); diff --git a/queue-4.4/dm-flakey-fix-reads-to-be-issued-if-drop_writes-configured.patch b/queue-4.4/dm-flakey-fix-reads-to-be-issued-if-drop_writes-configured.patch new file mode 100644 index 00000000000..143ab2b8816 --- /dev/null +++ b/queue-4.4/dm-flakey-fix-reads-to-be-issued-if-drop_writes-configured.patch @@ -0,0 +1,71 @@ +From 299f6230bc6d0ccd5f95bb0fb865d80a9c7d5ccc Mon Sep 17 00:00:00 2001 +From: Mike Snitzer +Date: Wed, 24 Aug 2016 21:12:58 -0400 +Subject: dm flakey: fix reads to be issued if drop_writes configured + +From: Mike Snitzer + +commit 299f6230bc6d0ccd5f95bb0fb865d80a9c7d5ccc upstream. + +v4.8-rc3 commit 99f3c90d0d ("dm flakey: error READ bios during the +down_interval") overlooked the 'drop_writes' feature, which is meant to +allow reads to be issued rather than errored, during the down_interval. + +Fixes: 99f3c90d0d ("dm flakey: error READ bios during the down_interval") +Reported-by: Qu Wenruo +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-flakey.c | 27 ++++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +--- a/drivers/md/dm-flakey.c ++++ b/drivers/md/dm-flakey.c +@@ -289,15 +289,13 @@ static int flakey_map(struct dm_target * + pb->bio_submitted = true; + + /* +- * Map reads as normal only if corrupt_bio_byte set. ++ * Error reads if neither corrupt_bio_byte or drop_writes are set. ++ * Otherwise, flakey_end_io() will decide if the reads should be modified. + */ + if (bio_data_dir(bio) == READ) { +- /* If flags were specified, only corrupt those that match. */ +- if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) && +- all_corrupt_bio_flags_match(bio, fc)) +- goto map_bio; +- else ++ if (!fc->corrupt_bio_byte && !test_bit(DROP_WRITES, &fc->flags)) + return -EIO; ++ goto map_bio; + } + + /* +@@ -334,14 +332,21 @@ static int flakey_end_io(struct dm_targe + struct flakey_c *fc = ti->private; + struct per_bio_data *pb = dm_per_bio_data(bio, sizeof(struct per_bio_data)); + +- /* +- * Corrupt successful READs while in down state. +- */ + if (!error && pb->bio_submitted && (bio_data_dir(bio) == READ)) { +- if (fc->corrupt_bio_byte) ++ if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) && ++ all_corrupt_bio_flags_match(bio, fc)) { ++ /* ++ * Corrupt successful matching READs while in down state. ++ */ + corrupt_bio_data(bio, fc); +- else ++ ++ } else if (!test_bit(DROP_WRITES, &fc->flags)) { ++ /* ++ * Error read during the down_interval if drop_writes ++ * wasn't configured. ++ */ + return -EIO; ++ } + } + + return error; diff --git a/queue-4.4/dm-log-writes-fix-check-of-kthread_run-return-value.patch b/queue-4.4/dm-log-writes-fix-check-of-kthread_run-return-value.patch new file mode 100644 index 00000000000..ac512f4562a --- /dev/null +++ b/queue-4.4/dm-log-writes-fix-check-of-kthread_run-return-value.patch @@ -0,0 +1,35 @@ +From 91e630d9ae6de6f740ef7c8176736eb55366833e Mon Sep 17 00:00:00 2001 +From: Vladimir Zapolskiy +Date: Thu, 10 Mar 2016 01:22:19 +0200 +Subject: dm log writes: fix check of kthread_run() return value + +From: Vladimir Zapolskiy + +commit 91e630d9ae6de6f740ef7c8176736eb55366833e upstream. + +The kthread_run() function returns either a valid task_struct or +ERR_PTR() value, check for NULL is invalid. This change fixes potential +for oops, e.g. in OOM situation. + +Signed-off-by: Vladimir Zapolskiy +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-log-writes.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-log-writes.c ++++ b/drivers/md/dm-log-writes.c +@@ -456,9 +456,9 @@ static int log_writes_ctr(struct dm_targ + goto bad; + } + +- ret = -EINVAL; + lc->log_kthread = kthread_run(log_writes_kthread, lc, "log-write"); +- if (!lc->log_kthread) { ++ if (IS_ERR(lc->log_kthread)) { ++ ret = PTR_ERR(lc->log_kthread); + ti->error = "Couldn't alloc kthread"; + dm_put_device(ti, lc->dev); + dm_put_device(ti, lc->logdev); diff --git a/queue-4.4/dm-log-writes-move-io-accounting-earlier-to-fix-error-path.patch b/queue-4.4/dm-log-writes-move-io-accounting-earlier-to-fix-error-path.patch new file mode 100644 index 00000000000..bb85b81e5b2 --- /dev/null +++ b/queue-4.4/dm-log-writes-move-io-accounting-earlier-to-fix-error-path.patch @@ -0,0 +1,39 @@ +From a5d60783df61fbb67b7596b8a0f6b4b2e05251d5 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 30 Aug 2016 16:11:53 -0400 +Subject: dm log writes: move IO accounting earlier to fix error path + +From: Mikulas Patocka + +commit a5d60783df61fbb67b7596b8a0f6b4b2e05251d5 upstream. + +Move log_one_block()'s atomic_inc(&lc->io_blocks) before bio_alloc() to +fix a bug that the target hangs if bio_alloc() fails. The error path +does put_io_block(lc), so atomic_inc(&lc->io_blocks) must occur before +invoking the error path to avoid underflow of lc->io_blocks. + +Signed-off-by: Mikulas Patocka +Reviewed-by: Josef Bacik +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-log-writes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-log-writes.c ++++ b/drivers/md/dm-log-writes.c +@@ -258,12 +258,12 @@ static int log_one_block(struct log_writ + goto out; + sector++; + ++ atomic_inc(&lc->io_blocks); + bio = bio_alloc(GFP_KERNEL, block->vec_cnt); + if (!bio) { + DMERR("Couldn't alloc log bio"); + goto error; + } +- atomic_inc(&lc->io_blocks); + bio->bi_iter.bi_size = 0; + bio->bi_iter.bi_sector = sector; + bio->bi_bdev = lc->logdev->bdev; diff --git a/queue-4.4/fuse-direct-io-don-t-dirty-iter_bvec-pages.patch b/queue-4.4/fuse-direct-io-don-t-dirty-iter_bvec-pages.patch new file mode 100644 index 00000000000..79528d828b6 --- /dev/null +++ b/queue-4.4/fuse-direct-io-don-t-dirty-iter_bvec-pages.patch @@ -0,0 +1,66 @@ +From 8fba54aebbdf1f999738121922e74bf796ad60ee Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 24 Aug 2016 18:17:04 +0200 +Subject: fuse: direct-io: don't dirty ITER_BVEC pages + +From: Miklos Szeredi + +commit 8fba54aebbdf1f999738121922e74bf796ad60ee upstream. + +When reading from a loop device backed by a fuse file it deadlocks on +lock_page(). + +This is because the page is already locked by the read() operation done on +the loop device. In this case we don't want to either lock the page or +dirty it. + +So do what fs/direct-io.c does: only dirty the page for ITER_IOVEC vectors. + +Reported-by: Sheng Yang +Fixes: aa4d86163e4e ("block: loop: switch to VFS ITER_BVEC") +Signed-off-by: Miklos Szeredi +Reviewed-by: Sheng Yang +Reviewed-by: Ashish Samant +Tested-by: Sheng Yang +Tested-by: Ashish Samant +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/file.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -540,13 +540,13 @@ void fuse_read_fill(struct fuse_req *req + req->out.args[0].size = count; + } + +-static void fuse_release_user_pages(struct fuse_req *req, int write) ++static void fuse_release_user_pages(struct fuse_req *req, bool should_dirty) + { + unsigned i; + + for (i = 0; i < req->num_pages; i++) { + struct page *page = req->pages[i]; +- if (write) ++ if (should_dirty) + set_page_dirty_lock(page); + put_page(page); + } +@@ -1331,6 +1331,7 @@ ssize_t fuse_direct_io(struct fuse_io_pr + loff_t *ppos, int flags) + { + int write = flags & FUSE_DIO_WRITE; ++ bool should_dirty = !write && iter_is_iovec(iter); + int cuse = flags & FUSE_DIO_CUSE; + struct file *file = io->file; + struct inode *inode = file->f_mapping->host; +@@ -1375,7 +1376,7 @@ ssize_t fuse_direct_io(struct fuse_io_pr + nres = fuse_send_read(req, io, pos, nbytes, owner); + + if (!io->async) +- fuse_release_user_pages(req, !write); ++ fuse_release_user_pages(req, should_dirty); + if (req->out.h.error) { + if (!res) + res = req->out.h.error; diff --git a/queue-4.4/ib-uverbs-fix-race-between-uverbs_close-and-remove_one.patch b/queue-4.4/ib-uverbs-fix-race-between-uverbs_close-and-remove_one.patch new file mode 100644 index 00000000000..fd2dd82ca7f --- /dev/null +++ b/queue-4.4/ib-uverbs-fix-race-between-uverbs_close-and-remove_one.patch @@ -0,0 +1,125 @@ +From d1e09f304a1d9651c5059ebfeb696dc2effc9b32 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Sun, 3 Jul 2016 15:28:18 +0300 +Subject: IB/uverbs: Fix race between uverbs_close and remove_one + +From: Jason Gunthorpe + +commit d1e09f304a1d9651c5059ebfeb696dc2effc9b32 upstream. + +Fixes an oops that might happen if uverbs_close races with +remove_one. + +Both contexts may run ib_uverbs_cleanup_ucontext, it depends +on the flow. + +Currently, there is no protection for a case that remove_one +didn't make the cleanup it runs to its end, the underlying +ib_device was freed then uverbs_close will call +ib_uverbs_cleanup_ucontext and OOPs. + +Above might happen if uverbs_close deleted the file from the list +then remove_one didn't find it and runs to its end. + +Fixes to protect against that case by a new cleanup lock so that +ib_uverbs_cleanup_ucontext will be called always before that +remove_one is ended. + +Fixes: 35d4a0b63dc0 ("IB/uverbs: Fix race between ib_uverbs_open and remove_one") +Reported-by: Devesh Sharma +Signed-off-by: Jason Gunthorpe +Signed-off-by: Yishai Hadas +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/uverbs.h | 1 + drivers/infiniband/core/uverbs_main.c | 37 ++++++++++++++++++++++------------ + 2 files changed, 25 insertions(+), 13 deletions(-) + +--- a/drivers/infiniband/core/uverbs.h ++++ b/drivers/infiniband/core/uverbs.h +@@ -116,6 +116,7 @@ struct ib_uverbs_event_file { + struct ib_uverbs_file { + struct kref ref; + struct mutex mutex; ++ struct mutex cleanup_mutex; /* protect cleanup */ + struct ib_uverbs_device *device; + struct ib_ucontext *ucontext; + struct ib_event_handler event_handler; +--- a/drivers/infiniband/core/uverbs_main.c ++++ b/drivers/infiniband/core/uverbs_main.c +@@ -922,6 +922,7 @@ static int ib_uverbs_open(struct inode * + file->async_file = NULL; + kref_init(&file->ref); + mutex_init(&file->mutex); ++ mutex_init(&file->cleanup_mutex); + + filp->private_data = file; + kobject_get(&dev->kobj); +@@ -947,18 +948,20 @@ static int ib_uverbs_close(struct inode + { + struct ib_uverbs_file *file = filp->private_data; + struct ib_uverbs_device *dev = file->device; +- struct ib_ucontext *ucontext = NULL; ++ ++ mutex_lock(&file->cleanup_mutex); ++ if (file->ucontext) { ++ ib_uverbs_cleanup_ucontext(file, file->ucontext); ++ file->ucontext = NULL; ++ } ++ mutex_unlock(&file->cleanup_mutex); + + mutex_lock(&file->device->lists_mutex); +- ucontext = file->ucontext; +- file->ucontext = NULL; + if (!file->is_closed) { + list_del(&file->list); + file->is_closed = 1; + } + mutex_unlock(&file->device->lists_mutex); +- if (ucontext) +- ib_uverbs_cleanup_ucontext(file, ucontext); + + if (file->async_file) + kref_put(&file->async_file->ref, ib_uverbs_release_event_file); +@@ -1172,22 +1175,30 @@ static void ib_uverbs_free_hw_resources( + mutex_lock(&uverbs_dev->lists_mutex); + while (!list_empty(&uverbs_dev->uverbs_file_list)) { + struct ib_ucontext *ucontext; +- + file = list_first_entry(&uverbs_dev->uverbs_file_list, + struct ib_uverbs_file, list); + file->is_closed = 1; +- ucontext = file->ucontext; + list_del(&file->list); +- file->ucontext = NULL; + kref_get(&file->ref); + mutex_unlock(&uverbs_dev->lists_mutex); +- /* We must release the mutex before going ahead and calling +- * disassociate_ucontext. disassociate_ucontext might end up +- * indirectly calling uverbs_close, for example due to freeing +- * the resources (e.g mmput). +- */ ++ + ib_uverbs_event_handler(&file->event_handler, &event); ++ ++ mutex_lock(&file->cleanup_mutex); ++ ucontext = file->ucontext; ++ file->ucontext = NULL; ++ mutex_unlock(&file->cleanup_mutex); ++ ++ /* At this point ib_uverbs_close cannot be running ++ * ib_uverbs_cleanup_ucontext ++ */ + if (ucontext) { ++ /* We must release the mutex before going ahead and ++ * calling disassociate_ucontext. disassociate_ucontext ++ * might end up indirectly calling uverbs_close, ++ * for example due to freeing the resources ++ * (e.g mmput). ++ */ + ib_dev->disassociate_ucontext(ucontext); + ib_uverbs_cleanup_ucontext(file, ucontext); + } diff --git a/queue-4.4/iio-accel-bmc150-reset-chip-at-init-time.patch b/queue-4.4/iio-accel-bmc150-reset-chip-at-init-time.patch new file mode 100644 index 00000000000..8069a9f29f1 --- /dev/null +++ b/queue-4.4/iio-accel-bmc150-reset-chip-at-init-time.patch @@ -0,0 +1,53 @@ +From 1c500840934a138bd6b13556c210516e9301fbee Mon Sep 17 00:00:00 2001 +From: Olof Johansson +Date: Thu, 25 Aug 2016 09:45:33 -0700 +Subject: iio: accel: bmc150: reset chip at init time + +From: Olof Johansson + +commit 1c500840934a138bd6b13556c210516e9301fbee upstream. + +In at least one known setup, the chip comes up in a state where reading +the chip ID returns garbage unless it's been reset, due to noise on the +wires during system boot. + +All supported chips have the same reset method, and based on the +datasheets they all need 1.3 or 1.8ms to recover after reset. So, do +the conservative thing here and always reset the chip. + +Signed-off-by: Olof Johansson +Reviewed-by: Srinivas Pandruvada +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/accel/bmc150-accel-core.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/iio/accel/bmc150-accel-core.c ++++ b/drivers/iio/accel/bmc150-accel-core.c +@@ -68,6 +68,9 @@ + #define BMC150_ACCEL_REG_PMU_BW 0x10 + #define BMC150_ACCEL_DEF_BW 125 + ++#define BMC150_ACCEL_REG_RESET 0x14 ++#define BMC150_ACCEL_RESET_VAL 0xB6 ++ + #define BMC150_ACCEL_REG_INT_MAP_0 0x19 + #define BMC150_ACCEL_INT_MAP_0_BIT_SLOPE BIT(2) + +@@ -1487,6 +1490,14 @@ static int bmc150_accel_chip_init(struct + int ret, i; + unsigned int val; + ++ /* ++ * Reset chip to get it in a known good state. A delay of 1.8ms after ++ * reset is required according to the data sheets of supported chips. ++ */ ++ regmap_write(data->regmap, BMC150_ACCEL_REG_RESET, ++ BMC150_ACCEL_RESET_VAL); ++ usleep_range(1800, 2500); ++ + ret = regmap_read(data->regmap, BMC150_ACCEL_REG_CHIP_ID, &val); + if (ret < 0) { + dev_err(data->dev, diff --git a/queue-4.4/iio-accel-kxsd9-fix-raw-read-return.patch b/queue-4.4/iio-accel-kxsd9-fix-raw-read-return.patch new file mode 100644 index 00000000000..5ba7108546b --- /dev/null +++ b/queue-4.4/iio-accel-kxsd9-fix-raw-read-return.patch @@ -0,0 +1,32 @@ +From 7ac61a062f3147dc23e3f12b9dfe7c4dd35f9cb8 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Tue, 16 Aug 2016 15:33:28 +0200 +Subject: iio: accel: kxsd9: Fix raw read return + +From: Linus Walleij + +commit 7ac61a062f3147dc23e3f12b9dfe7c4dd35f9cb8 upstream. + +Any readings from the raw interface of the KXSD9 driver will +return an empty string, because it does not return +IIO_VAL_INT but rather some random value from the accelerometer +to the caller. + +Signed-off-by: Linus Walleij +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/accel/kxsd9.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/accel/kxsd9.c ++++ b/drivers/iio/accel/kxsd9.c +@@ -160,6 +160,7 @@ static int kxsd9_read_raw(struct iio_dev + if (ret < 0) + goto error_ret; + *val = ret; ++ ret = IIO_VAL_INT; + break; + case IIO_CHAN_INFO_SCALE: + ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C)); diff --git a/queue-4.4/iio-accel-kxsd9-fix-scaling-bug.patch b/queue-4.4/iio-accel-kxsd9-fix-scaling-bug.patch new file mode 100644 index 00000000000..0ccf17b5db6 --- /dev/null +++ b/queue-4.4/iio-accel-kxsd9-fix-scaling-bug.patch @@ -0,0 +1,40 @@ +From 307fe9dd11ae44d4f8881ee449a7cbac36e1f5de Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Thu, 1 Sep 2016 11:44:35 +0200 +Subject: iio: accel: kxsd9: Fix scaling bug + +From: Linus Walleij + +commit 307fe9dd11ae44d4f8881ee449a7cbac36e1f5de upstream. + +All the scaling of the KXSD9 involves multiplication with a +fraction number < 1. + +However the scaling value returned from IIO_INFO_SCALE was +unpredictable as only the micros of the value was assigned, and +not the integer part, resulting in scaling like this: + +$cat in_accel_scale +-1057462640.011978 + +Fix this by assigning zero to the integer part. + +Tested-by: Jonathan Cameron +Signed-off-by: Linus Walleij +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/accel/kxsd9.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/accel/kxsd9.c ++++ b/drivers/iio/accel/kxsd9.c +@@ -166,6 +166,7 @@ static int kxsd9_read_raw(struct iio_dev + ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C)); + if (ret < 0) + goto error_ret; ++ *val = 0; + *val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK]; + ret = IIO_VAL_INT_PLUS_MICRO; + break; diff --git a/queue-4.4/iio-ad799x-fix-buffered-capture-for-ad7991-ad7995-ad7999.patch b/queue-4.4/iio-ad799x-fix-buffered-capture-for-ad7991-ad7995-ad7999.patch new file mode 100644 index 00000000000..132366e8ff7 --- /dev/null +++ b/queue-4.4/iio-ad799x-fix-buffered-capture-for-ad7991-ad7995-ad7999.patch @@ -0,0 +1,35 @@ +From 7d3cc21dab5313a02f2f3ca8164529b828a030d1 Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Mon, 11 Jul 2016 13:54:17 +0200 +Subject: iio: ad799x: Fix buffered capture for ad7991/ad7995/ad7999 + +From: Lars-Peter Clausen + +commit 7d3cc21dab5313a02f2f3ca8164529b828a030d1 upstream. + +The data buffer for captured mode for the ad799x driver is allocated in the +update_scan_mode() callback. This callback is not set in the iio_info +struct for the ad7791/ad7995/ad7999, which means that the data buffer is +not allocated when a captured transfer is started. As a result the driver +crashes when the first sample is received. To fix this properly set the +update_scan_mode() callback. + +Fixes: d8dca33027c1 ("staging:iio:ad799x: Preallocate sample buffer") +Signed-off-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ad799x.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/adc/ad799x.c ++++ b/drivers/iio/adc/ad799x.c +@@ -533,6 +533,7 @@ static struct attribute_group ad799x_eve + static const struct iio_info ad7991_info = { + .read_raw = &ad799x_read_raw, + .driver_module = THIS_MODULE, ++ .update_scan_mode = ad799x_update_scan_mode, + }; + + static const struct iio_info ad7993_4_7_8_noirq_info = { diff --git a/queue-4.4/iio-adc-at91-unbreak-channel-adc-channel-3.patch b/queue-4.4/iio-adc-at91-unbreak-channel-adc-channel-3.patch new file mode 100644 index 00000000000..c541db4441e --- /dev/null +++ b/queue-4.4/iio-adc-at91-unbreak-channel-adc-channel-3.patch @@ -0,0 +1,42 @@ +From c2ab447454d498e709d9011c0f2d2945ee321f9b Mon Sep 17 00:00:00 2001 +From: Anders Darander +Date: Mon, 8 Aug 2016 14:42:16 +0200 +Subject: iio: adc: at91: unbreak channel adc channel 3 + +From: Anders Darander + +commit c2ab447454d498e709d9011c0f2d2945ee321f9b upstream. + +The driver always assumes that an input device has been created when +reading channel 3. This causes a kernel panic when dereferencing +st->ts_input. + +The change was introduced in +commit 84882b060301 ("iio: adc: at91_adc: Add support for touchscreens +without TSMR"). Earlier versions only entered that part of the if-else +statement if only the following flags are set: + +AT91_ADC_IER_XRDY | AT91_ADC_IER_YRDY | AT91_ADC_IER_PRDY + +Signed-off-by: Anders Darander +Acked-by: Alexandre Belloni +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/at91_adc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/adc/at91_adc.c ++++ b/drivers/iio/adc/at91_adc.c +@@ -381,8 +381,8 @@ static irqreturn_t at91_adc_rl_interrupt + st->ts_bufferedmeasure = false; + input_report_key(st->ts_input, BTN_TOUCH, 0); + input_sync(st->ts_input); +- } else if (status & AT91_ADC_EOC(3)) { +- /* Conversion finished */ ++ } else if (status & AT91_ADC_EOC(3) && st->ts_input) { ++ /* Conversion finished and we've a touchscreen */ + if (st->ts_bufferedmeasure) { + /* + * Last measurement is always discarded, since it can diff --git a/queue-4.4/iio-adc-rockchip_saradc-reset-saradc-controller-before-programming-it.patch b/queue-4.4/iio-adc-rockchip_saradc-reset-saradc-controller-before-programming-it.patch new file mode 100644 index 00000000000..87ea7cdf830 --- /dev/null +++ b/queue-4.4/iio-adc-rockchip_saradc-reset-saradc-controller-before-programming-it.patch @@ -0,0 +1,128 @@ +From 543852af8e5902aee8f7c72c89e1513663e0f696 Mon Sep 17 00:00:00 2001 +From: Caesar Wang +Date: Wed, 27 Jul 2016 22:24:04 +0800 +Subject: iio: adc: rockchip_saradc: reset saradc controller before programming it + +From: Caesar Wang + +commit 543852af8e5902aee8f7c72c89e1513663e0f696 upstream. + +SARADC controller needs to be reset before programming it, otherwise +it will not function properly. + +Signed-off-by: Caesar Wang +Cc: Jonathan Cameron +Cc: Heiko Stuebner +Cc: Rob Herring +Cc: linux-iio@vger.kernel.org +Cc: linux-rockchip@lists.infradead.org +Tested-by: Guenter Roeck +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/devicetree/bindings/iio/adc/rockchip-saradc.txt | 7 ++ + drivers/iio/adc/Kconfig | 1 + drivers/iio/adc/rockchip_saradc.c | 30 ++++++++++ + 3 files changed, 38 insertions(+) + +--- a/Documentation/devicetree/bindings/iio/adc/rockchip-saradc.txt ++++ b/Documentation/devicetree/bindings/iio/adc/rockchip-saradc.txt +@@ -12,6 +12,11 @@ Required properties: + - vref-supply: The regulator supply ADC reference voltage. + - #io-channel-cells: Should be 1, see ../iio-bindings.txt + ++Optional properties: ++- resets: Must contain an entry for each entry in reset-names if need support ++ this option. See ../reset/reset.txt for details. ++- reset-names: Must include the name "saradc-apb". ++ + Example: + saradc: saradc@2006c000 { + compatible = "rockchip,saradc"; +@@ -19,6 +24,8 @@ Example: + interrupts = ; + clocks = <&cru SCLK_SARADC>, <&cru PCLK_SARADC>; + clock-names = "saradc", "apb_pclk"; ++ resets = <&cru SRST_SARADC>; ++ reset-names = "saradc-apb"; + #io-channel-cells = <1>; + vref-supply = <&vcc18>; + }; +--- a/drivers/iio/adc/Kconfig ++++ b/drivers/iio/adc/Kconfig +@@ -306,6 +306,7 @@ config QCOM_SPMI_VADC + config ROCKCHIP_SARADC + tristate "Rockchip SARADC driver" + depends on ARCH_ROCKCHIP || (ARM && COMPILE_TEST) ++ depends on RESET_CONTROLLER + help + Say yes here to build support for the SARADC found in SoCs from + Rockchip. +--- a/drivers/iio/adc/rockchip_saradc.c ++++ b/drivers/iio/adc/rockchip_saradc.c +@@ -21,6 +21,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + +@@ -53,6 +55,7 @@ struct rockchip_saradc { + struct clk *clk; + struct completion completion; + struct regulator *vref; ++ struct reset_control *reset; + const struct rockchip_saradc_data *data; + u16 last_val; + }; +@@ -171,6 +174,16 @@ static const struct of_device_id rockchi + }; + MODULE_DEVICE_TABLE(of, rockchip_saradc_match); + ++/** ++ * Reset SARADC Controller. ++ */ ++static void rockchip_saradc_reset_controller(struct reset_control *reset) ++{ ++ reset_control_assert(reset); ++ usleep_range(10, 20); ++ reset_control_deassert(reset); ++} ++ + static int rockchip_saradc_probe(struct platform_device *pdev) + { + struct rockchip_saradc *info = NULL; +@@ -199,6 +212,20 @@ static int rockchip_saradc_probe(struct + if (IS_ERR(info->regs)) + return PTR_ERR(info->regs); + ++ /* ++ * The reset should be an optional property, as it should work ++ * with old devicetrees as well ++ */ ++ info->reset = devm_reset_control_get(&pdev->dev, "saradc-apb"); ++ if (IS_ERR(info->reset)) { ++ ret = PTR_ERR(info->reset); ++ if (ret != -ENOENT) ++ return ret; ++ ++ dev_dbg(&pdev->dev, "no reset control found\n"); ++ info->reset = NULL; ++ } ++ + init_completion(&info->completion); + + irq = platform_get_irq(pdev, 0); +@@ -233,6 +260,9 @@ static int rockchip_saradc_probe(struct + return PTR_ERR(info->vref); + } + ++ if (info->reset) ++ rockchip_saradc_reset_controller(info->reset); ++ + /* + * Use a default value for the converter clock. + * This may become user-configurable in the future. diff --git a/queue-4.4/iio-adc-ti_am335x_adc-increase-timeout-value-waiting-for-adc-sample.patch b/queue-4.4/iio-adc-ti_am335x_adc-increase-timeout-value-waiting-for-adc-sample.patch new file mode 100644 index 00000000000..e0d81800f54 --- /dev/null +++ b/queue-4.4/iio-adc-ti_am335x_adc-increase-timeout-value-waiting-for-adc-sample.patch @@ -0,0 +1,61 @@ +From 7175cce1c3f1d8c8840d2004f78f96a3904249b5 Mon Sep 17 00:00:00 2001 +From: Vignesh R +Date: Wed, 17 Aug 2016 17:43:01 +0530 +Subject: iio: adc: ti_am335x_adc: Increase timeout value waiting for ADC sample + +From: Vignesh R + +commit 7175cce1c3f1d8c8840d2004f78f96a3904249b5 upstream. + +Now that open delay and sample delay for each channel is configurable +via DT, the default IDLE_TIMEOUT value is not enough as this is +calculated based on hardcoded macros. This results in driver returning +EBUSY sometimes. Fix this by increasing the timeout +value based on maximum value possible to open delay and sample delays +for each channel. + +Fixes: 5dc11e810676e ("iio: adc: ti_am335x_adc: make sample delay, open delay, averaging DT parameters") +Signed-off-by: Vignesh R +Acked-by: Lee Jones +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ti_am335x_adc.c | 2 +- + include/linux/mfd/ti_am335x_tscadc.h | 8 ++++---- + 2 files changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/iio/adc/ti_am335x_adc.c ++++ b/drivers/iio/adc/ti_am335x_adc.c +@@ -382,7 +382,7 @@ static int tiadc_read_raw(struct iio_dev + + am335x_tsc_se_set_once(adc_dev->mfd_tscadc, step_en); + +- timeout = jiffies + usecs_to_jiffies ++ timeout = jiffies + msecs_to_jiffies + (IDLE_TIMEOUT * adc_dev->channels); + /* Wait for Fifo threshold interrupt */ + while (1) { +--- a/include/linux/mfd/ti_am335x_tscadc.h ++++ b/include/linux/mfd/ti_am335x_tscadc.h +@@ -138,16 +138,16 @@ + /* + * time in us for processing a single channel, calculated as follows: + * +- * num cycles = open delay + (sample delay + conv time) * averaging ++ * max num cycles = open delay + (sample delay + conv time) * averaging + * +- * num cycles: 152 + (1 + 13) * 16 = 376 ++ * max num cycles: 262143 + (255 + 13) * 16 = 266431 + * + * clock frequency: 26MHz / 8 = 3.25MHz + * clock period: 1 / 3.25MHz = 308ns + * +- * processing time: 376 * 308ns = 116us ++ * max processing time: 266431 * 308ns = 83ms(approx) + */ +-#define IDLE_TIMEOUT 116 /* microsec */ ++#define IDLE_TIMEOUT 83 /* milliseconds */ + + #define TSCADC_CELLS 2 + diff --git a/queue-4.4/iio-adc-ti_am335x_adc-protect-fifo1-from-concurrent-access.patch b/queue-4.4/iio-adc-ti_am335x_adc-protect-fifo1-from-concurrent-access.patch new file mode 100644 index 00000000000..6243f986ced --- /dev/null +++ b/queue-4.4/iio-adc-ti_am335x_adc-protect-fifo1-from-concurrent-access.patch @@ -0,0 +1,87 @@ +From 90c43ec6997a892448f1f86180a515f59cafd8a3 Mon Sep 17 00:00:00 2001 +From: Vignesh R +Date: Wed, 17 Aug 2016 17:43:00 +0530 +Subject: iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access + +From: Vignesh R + +commit 90c43ec6997a892448f1f86180a515f59cafd8a3 upstream. + +It is possible that two or more ADC channels can be simultaneously +requested for raw samples, in which case there can be race in access to +FIFO data resulting in loss of samples. +If am335x_tsc_se_set_once() is called again from tiadc_read_raw(), when +ADC is still acquired to sample one of the channels, the second process +might be put into uninterruptible sleep state. Fix these issues, by +protecting FIFO access and channel configurations with a mutex. Since +tiadc_read_raw() might take anywhere between few microseconds to few +milliseconds to finish execution (depending on averaging and delay +values supplied via DT), its better to use mutex instead of spinlock. + +Fixes: 7ca6740cd1cd4 ("mfd: input: iio: ti_amm335x: Rework TSC/ADC synchronization") +Signed-off-by: Vignesh R +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ti_am335x_adc.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/iio/adc/ti_am335x_adc.c ++++ b/drivers/iio/adc/ti_am335x_adc.c +@@ -32,6 +32,7 @@ + + struct tiadc_device { + struct ti_tscadc_dev *mfd_tscadc; ++ struct mutex fifo1_lock; /* to protect fifo access */ + int channels; + u8 channel_line[8]; + u8 channel_step[8]; +@@ -360,6 +361,7 @@ static int tiadc_read_raw(struct iio_dev + int *val, int *val2, long mask) + { + struct tiadc_device *adc_dev = iio_priv(indio_dev); ++ int ret = IIO_VAL_INT; + int i, map_val; + unsigned int fifo1count, read, stepid; + bool found = false; +@@ -373,6 +375,7 @@ static int tiadc_read_raw(struct iio_dev + if (!step_en) + return -EINVAL; + ++ mutex_lock(&adc_dev->fifo1_lock); + fifo1count = tiadc_readl(adc_dev, REG_FIFO1CNT); + while (fifo1count--) + tiadc_readl(adc_dev, REG_FIFO1); +@@ -389,7 +392,8 @@ static int tiadc_read_raw(struct iio_dev + + if (time_after(jiffies, timeout)) { + am335x_tsc_se_adc_done(adc_dev->mfd_tscadc); +- return -EAGAIN; ++ ret = -EAGAIN; ++ goto err_unlock; + } + } + map_val = adc_dev->channel_step[chan->scan_index]; +@@ -415,8 +419,11 @@ static int tiadc_read_raw(struct iio_dev + am335x_tsc_se_adc_done(adc_dev->mfd_tscadc); + + if (found == false) +- return -EBUSY; +- return IIO_VAL_INT; ++ ret = -EBUSY; ++ ++err_unlock: ++ mutex_unlock(&adc_dev->fifo1_lock); ++ return ret; + } + + static const struct iio_info tiadc_info = { +@@ -485,6 +492,7 @@ static int tiadc_probe(struct platform_d + + tiadc_step_config(indio_dev); + tiadc_writel(adc_dev, REG_FIFO1THR, FIFO1_THRESHOLD); ++ mutex_init(&adc_dev->fifo1_lock); + + err = tiadc_channel_init(indio_dev, adc_dev->channels); + if (err < 0) diff --git a/queue-4.4/iio-core-fix-iio_val_fractional-sign-handling.patch b/queue-4.4/iio-core-fix-iio_val_fractional-sign-handling.patch new file mode 100644 index 00000000000..edb6d6a478a --- /dev/null +++ b/queue-4.4/iio-core-fix-iio_val_fractional-sign-handling.patch @@ -0,0 +1,43 @@ +From 171c0091837c81ed5c949fec6966bb5afff2d1cf Mon Sep 17 00:00:00 2001 +From: Gregor Boirie +Date: Fri, 2 Sep 2016 20:27:46 +0200 +Subject: iio:core: fix IIO_VAL_FRACTIONAL sign handling + +From: Gregor Boirie + +commit 171c0091837c81ed5c949fec6966bb5afff2d1cf upstream. + +7985e7c100 ("iio: Introduce a new fractional value type") introduced a +new IIO_VAL_FRACTIONAL value type meant to represent rational type numbers +expressed by a numerator and denominator combination. + +Formating of IIO_VAL_FRACTIONAL values relies upon do_div() usage. This +fails handling negative values properly since parameters are reevaluated +as unsigned values. +Fix this by using div_s64_rem() instead. Computed integer part will carry +properly signed value. Formatted fractional part will always be positive. + +Fixes: 7985e7c100 ("iio: Introduce a new fractional value type") +Signed-off-by: Gregor Boirie +Reviewed-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/industrialio-core.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/iio/industrialio-core.c ++++ b/drivers/iio/industrialio-core.c +@@ -447,9 +447,8 @@ ssize_t iio_format_value(char *buf, unsi + return sprintf(buf, "%d.%09u\n", vals[0], vals[1]); + case IIO_VAL_FRACTIONAL: + tmp = div_s64((s64)vals[0] * 1000000000LL, vals[1]); +- vals[1] = do_div(tmp, 1000000000LL); +- vals[0] = tmp; +- return sprintf(buf, "%d.%09u\n", vals[0], vals[1]); ++ vals[0] = (int)div_s64_rem(tmp, 1000000000, &vals[1]); ++ return sprintf(buf, "%d.%09u\n", vals[0], abs(vals[1])); + case IIO_VAL_FRACTIONAL_LOG2: + tmp = (s64)vals[0] * 1000000000LL >> vals[1]; + vals[1] = do_div(tmp, 1000000000LL); diff --git a/queue-4.4/iio-ensure-ret-is-initialized-to-zero-before-entering-do-loop.patch b/queue-4.4/iio-ensure-ret-is-initialized-to-zero-before-entering-do-loop.patch new file mode 100644 index 00000000000..f92d90d8b40 --- /dev/null +++ b/queue-4.4/iio-ensure-ret-is-initialized-to-zero-before-entering-do-loop.patch @@ -0,0 +1,45 @@ +From 5dba4b14bafe801083d01e1f400816df7e5a8f2e Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Mon, 5 Sep 2016 15:39:06 +0100 +Subject: iio: ensure ret is initialized to zero before entering do loop + +From: Colin Ian King + +commit 5dba4b14bafe801083d01e1f400816df7e5a8f2e upstream. + +A recent fix to iio_buffer_read_first_n_outer removed ret from being set by +a return from wait_event_interruptible and also added a continue in a loop +which causes the variable ret to not be set when it reaches the end of the +loop. Fix this by initializing ret to zero. + +Also remove extraneous white space at the end of the loop. + +Fixes: fcf68f3c0bb2a5 ("fix sched WARNING "do not call blocking ops when !TASK_RUNNING") +Signed-off-by: Colin Ian King +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/industrialio-buffer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -110,7 +110,7 @@ ssize_t iio_buffer_read_first_n_outer(st + DEFINE_WAIT_FUNC(wait, woken_wake_function); + size_t datum_size; + size_t to_wait; +- int ret; ++ int ret = 0; + + if (!indio_dev->info) + return -ENODEV; +@@ -153,7 +153,7 @@ ssize_t iio_buffer_read_first_n_outer(st + ret = rb->access->read_first_n(rb, n, buf); + if (ret == 0 && (filp->f_flags & O_NONBLOCK)) + ret = -EAGAIN; +- } while (ret == 0); ++ } while (ret == 0); + remove_wait_queue(&rb->pollq, &wait); + + return ret; diff --git a/queue-4.4/iio-fix-pressure-data-output-unit-in-hid-sensor-attributes.patch b/queue-4.4/iio-fix-pressure-data-output-unit-in-hid-sensor-attributes.patch new file mode 100644 index 00000000000..b7331d81550 --- /dev/null +++ b/queue-4.4/iio-fix-pressure-data-output-unit-in-hid-sensor-attributes.patch @@ -0,0 +1,38 @@ +From 36afb176d3c9580651d7f410ed7f000ec48b5137 Mon Sep 17 00:00:00 2001 +From: "Kweh, Hock Leong" +Date: Mon, 29 Aug 2016 18:50:56 +0800 +Subject: iio: fix pressure data output unit in hid-sensor-attributes + +From: Kweh, Hock Leong + +commit 36afb176d3c9580651d7f410ed7f000ec48b5137 upstream. + +According to IIO ABI definition, IIO_PRESSURE data output unit is +kilopascal: +http://lxr.free-electrons.com/source/Documentation/ABI/testing/sysfs-bus-iio + +This patch fix output unit of HID pressure sensor IIO driver from pascal to +kilopascal to follow IIO ABI definition. + +Signed-off-by: Kweh, Hock Leong +Reviewed-by: Srinivas Pandruvada +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/common/hid-sensors/hid-sensor-attributes.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/common/hid-sensors/hid-sensor-attributes.c ++++ b/drivers/iio/common/hid-sensors/hid-sensor-attributes.c +@@ -56,8 +56,8 @@ static struct { + {HID_USAGE_SENSOR_ALS, 0, 1, 0}, + {HID_USAGE_SENSOR_ALS, HID_USAGE_SENSOR_UNITS_LUX, 1, 0}, + +- {HID_USAGE_SENSOR_PRESSURE, 0, 100000, 0}, +- {HID_USAGE_SENSOR_PRESSURE, HID_USAGE_SENSOR_UNITS_PASCAL, 1, 0}, ++ {HID_USAGE_SENSOR_PRESSURE, 0, 100, 0}, ++ {HID_USAGE_SENSOR_PRESSURE, HID_USAGE_SENSOR_UNITS_PASCAL, 0, 1000}, + }; + + static int pow_10(unsigned power) diff --git a/queue-4.4/iio-proximity-as3935-set-up-buffer-timestamps-for-non-zero-values.patch b/queue-4.4/iio-proximity-as3935-set-up-buffer-timestamps-for-non-zero-values.patch new file mode 100644 index 00000000000..b5fb16dc117 --- /dev/null +++ b/queue-4.4/iio-proximity-as3935-set-up-buffer-timestamps-for-non-zero-values.patch @@ -0,0 +1,32 @@ +From f8adf645db03345af2d9a8b6095b02327ea50885 Mon Sep 17 00:00:00 2001 +From: Alison Schofield +Date: Mon, 11 Jul 2016 08:26:56 -0700 +Subject: iio: proximity: as3935: set up buffer timestamps for non-zero values + +From: Alison Schofield + +commit f8adf645db03345af2d9a8b6095b02327ea50885 upstream. + +Use the iio_pollfunc_store_time parameter during triggered buffer +set-up to get valid timestamps. + +Signed-off-by: Alison Schofield +Cc: Daniel Baluta +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/proximity/as3935.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/proximity/as3935.c ++++ b/drivers/iio/proximity/as3935.c +@@ -392,7 +392,7 @@ static int as3935_probe(struct spi_devic + return ret; + } + +- ret = iio_triggered_buffer_setup(indio_dev, NULL, ++ ret = iio_triggered_buffer_setup(indio_dev, iio_pollfunc_store_time, + &as3935_trigger_handler, NULL); + + if (ret) { diff --git a/queue-4.4/ipv6-addrconf-fix-dev-refcont-leak-when-dad-failed.patch b/queue-4.4/ipv6-addrconf-fix-dev-refcont-leak-when-dad-failed.patch new file mode 100644 index 00000000000..091bff3cd84 --- /dev/null +++ b/queue-4.4/ipv6-addrconf-fix-dev-refcont-leak-when-dad-failed.patch @@ -0,0 +1,59 @@ +From 751eb6b6042a596b0080967c1a529a9fe98dac1d Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Mon, 5 Sep 2016 16:06:31 +0800 +Subject: ipv6: addrconf: fix dev refcont leak when DAD failed + +From: Wei Yongjun + +commit 751eb6b6042a596b0080967c1a529a9fe98dac1d upstream. + +In general, when DAD detected IPv6 duplicate address, ifp->state +will be set to INET6_IFADDR_STATE_ERRDAD and DAD is stopped by a +delayed work, the call tree should be like this: + +ndisc_recv_ns + -> addrconf_dad_failure <- missing ifp put + -> addrconf_mod_dad_work + -> schedule addrconf_dad_work() + -> addrconf_dad_stop() <- missing ifp hold before call it + +addrconf_dad_failure() called with ifp refcont holding but not put. +addrconf_dad_work() call addrconf_dad_stop() without extra holding +refcount. This will not cause any issue normally. + +But the race between addrconf_dad_failure() and addrconf_dad_work() +may cause ifp refcount leak and netdevice can not be unregister, +dmesg show the following messages: + +IPv6: eth0: IPv6 duplicate address fe80::XX:XXXX:XXXX:XX detected! +... +unregister_netdevice: waiting for eth0 to become free. Usage count = 1 + +Fixes: c15b1ccadb32 ("ipv6: move DAD and addrconf_verify processing +to workqueue") +Signed-off-by: Wei Yongjun +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/addrconf.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -1898,6 +1898,7 @@ errdad: + spin_unlock_bh(&ifp->lock); + + addrconf_mod_dad_work(ifp, 0); ++ in6_ifa_put(ifp); + } + + /* Join to solicited addr multicast group. +@@ -3609,6 +3610,7 @@ static void addrconf_dad_work(struct wor + addrconf_dad_begin(ifp); + goto out; + } else if (action == DAD_ABORT) { ++ in6_ifa_hold(ifp); + addrconf_dad_stop(ifp, 1); + goto out; + } diff --git a/queue-4.4/kernfs-don-t-depend-on-d_find_any_alias-when-generating-notifications.patch b/queue-4.4/kernfs-don-t-depend-on-d_find_any_alias-when-generating-notifications.patch new file mode 100644 index 00000000000..f7e09410ecf --- /dev/null +++ b/queue-4.4/kernfs-don-t-depend-on-d_find_any_alias-when-generating-notifications.patch @@ -0,0 +1,88 @@ +From df6a58c5c5aa8ecb1e088ecead3fa33ae70181f1 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Fri, 17 Jun 2016 17:51:17 -0400 +Subject: kernfs: don't depend on d_find_any_alias() when generating notifications + +From: Tejun Heo + +commit df6a58c5c5aa8ecb1e088ecead3fa33ae70181f1 upstream. + +kernfs_notify_workfn() sends out file modified events for the +scheduled kernfs_nodes. Because the modifications aren't from +userland, it doesn't have the matching file struct at hand and can't +use fsnotify_modify(). Instead, it looked up the inode and then used +d_find_any_alias() to find the dentry and used fsnotify_parent() and +fsnotify() directly to generate notifications. + +The assumption was that the relevant dentries would have been pinned +if there are listeners, which isn't true as inotify doesn't pin +dentries at all and watching the parent doesn't pin the child dentries +even for dnotify. This led to, for example, inotify watchers not +getting notifications if the system is under memory pressure and the +matching dentries got reclaimed. It can also be triggered through +/proc/sys/vm/drop_caches or a remount attempt which involves shrinking +dcache. + +fsnotify_parent() only uses the dentry to access the parent inode, +which kernfs can do easily. Update kernfs_notify_workfn() so that it +uses fsnotify() directly for both the parent and target inodes without +going through d_find_any_alias(). While at it, supply the target file +name to fsnotify() from kernfs_node->name. + +Signed-off-by: Tejun Heo +Reported-by: Evgeny Vereshchagin +Fixes: d911d9874801 ("kernfs: make kernfs_notify() trigger inotify events too") +Cc: John McCutchan +Cc: Robert Love +Cc: Eric Paris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/kernfs/file.c | 28 +++++++++++++++++++++------- + 1 file changed, 21 insertions(+), 7 deletions(-) + +--- a/fs/kernfs/file.c ++++ b/fs/kernfs/file.c +@@ -833,21 +833,35 @@ repeat: + mutex_lock(&kernfs_mutex); + + list_for_each_entry(info, &kernfs_root(kn)->supers, node) { ++ struct kernfs_node *parent; + struct inode *inode; +- struct dentry *dentry; + ++ /* ++ * We want fsnotify_modify() on @kn but as the ++ * modifications aren't originating from userland don't ++ * have the matching @file available. Look up the inodes ++ * and generate the events manually. ++ */ + inode = ilookup(info->sb, kn->ino); + if (!inode) + continue; + +- dentry = d_find_any_alias(inode); +- if (dentry) { +- fsnotify_parent(NULL, dentry, FS_MODIFY); +- fsnotify(inode, FS_MODIFY, inode, FSNOTIFY_EVENT_INODE, +- NULL, 0); +- dput(dentry); ++ parent = kernfs_get_parent(kn); ++ if (parent) { ++ struct inode *p_inode; ++ ++ p_inode = ilookup(info->sb, parent->ino); ++ if (p_inode) { ++ fsnotify(p_inode, FS_MODIFY | FS_EVENT_ON_CHILD, ++ inode, FSNOTIFY_EVENT_INODE, kn->name, 0); ++ iput(p_inode); ++ } ++ ++ kernfs_put(parent); + } + ++ fsnotify(inode, FS_MODIFY, inode, FSNOTIFY_EVENT_INODE, ++ kn->name, 0); + iput(inode); + } + diff --git a/queue-4.4/kexec-fix-double-free-when-failing-to-relocate-the-purgatory.patch b/queue-4.4/kexec-fix-double-free-when-failing-to-relocate-the-purgatory.patch new file mode 100644 index 00000000000..9b85ed66da8 --- /dev/null +++ b/queue-4.4/kexec-fix-double-free-when-failing-to-relocate-the-purgatory.patch @@ -0,0 +1,69 @@ +From 070c43eea5043e950daa423707ae3c77e2f48edb Mon Sep 17 00:00:00 2001 +From: Thiago Jung Bauermann +Date: Thu, 1 Sep 2016 16:14:44 -0700 +Subject: kexec: fix double-free when failing to relocate the purgatory + +From: Thiago Jung Bauermann + +commit 070c43eea5043e950daa423707ae3c77e2f48edb upstream. + +If kexec_apply_relocations fails, kexec_load_purgatory frees pi->sechdrs +and pi->purgatory_buf. This is redundant, because in case of error +kimage_file_prepare_segments calls kimage_file_post_load_cleanup, which +will also free those buffers. + +This causes two warnings like the following, one for pi->sechdrs and the +other for pi->purgatory_buf: + + kexec-bzImage64: Loading purgatory failed + ------------[ cut here ]------------ + WARNING: CPU: 1 PID: 2119 at mm/vmalloc.c:1490 __vunmap+0xc1/0xd0 + Trying to vfree() nonexistent vm area (ffffc90000e91000) + Modules linked in: + CPU: 1 PID: 2119 Comm: kexec Not tainted 4.8.0-rc3+ #5 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + Call Trace: + dump_stack+0x4d/0x65 + __warn+0xcb/0xf0 + warn_slowpath_fmt+0x4f/0x60 + ? find_vmap_area+0x19/0x70 + ? kimage_file_post_load_cleanup+0x47/0xb0 + __vunmap+0xc1/0xd0 + vfree+0x2e/0x70 + kimage_file_post_load_cleanup+0x5e/0xb0 + SyS_kexec_file_load+0x448/0x680 + ? putname+0x54/0x60 + ? do_sys_open+0x190/0x1f0 + entry_SYSCALL_64_fastpath+0x13/0x8f + ---[ end trace 158bb74f5950ca2b ]--- + +Fix by setting pi->sechdrs an pi->purgatory_buf to NULL, since vfree +won't try to free a NULL pointer. + +Link: http://lkml.kernel.org/r/1472083546-23683-1-git-send-email-bauerman@linux.vnet.ibm.com +Signed-off-by: Thiago Jung Bauermann +Acked-by: Baoquan He +Cc: "Eric W. Biederman" +Cc: Vivek Goyal +Cc: Dave Young +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/kexec_file.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/kexec_file.c ++++ b/kernel/kexec_file.c +@@ -934,7 +934,10 @@ int kexec_load_purgatory(struct kimage * + return 0; + out: + vfree(pi->sechdrs); ++ pi->sechdrs = NULL; ++ + vfree(pi->purgatory_buf); ++ pi->purgatory_buf = NULL; + return ret; + } + diff --git a/queue-4.4/kvm-arm-unmap-shadow-pagetables-properly.patch b/queue-4.4/kvm-arm-unmap-shadow-pagetables-properly.patch new file mode 100644 index 00000000000..9f75ccd8b5e --- /dev/null +++ b/queue-4.4/kvm-arm-unmap-shadow-pagetables-properly.patch @@ -0,0 +1,92 @@ +From 293f293637b55db4f9f522a5a72514e98a541076 Mon Sep 17 00:00:00 2001 +From: Suzuki K Poulose +Date: Thu, 8 Sep 2016 16:25:49 +0100 +Subject: kvm-arm: Unmap shadow pagetables properly + +From: Suzuki K Poulose + +commit 293f293637b55db4f9f522a5a72514e98a541076 upstream. + +On arm/arm64, we depend on the kvm_unmap_hva* callbacks (via +mmu_notifiers::invalidate_*) to unmap the stage2 pagetables when +the userspace buffer gets unmapped. However, when the Hypervisor +process exits without explicit unmap of the guest buffers, the only +notifier we get is kvm_arch_flush_shadow_all() (via mmu_notifier::release +) which does nothing on arm. Later this causes us to access pages that +were already released [via exit_mmap() -> unmap_vmas()] when we actually +get to unmap the stage2 pagetable [via kvm_arch_destroy_vm() -> +kvm_free_stage2_pgd()]. This triggers crashes with CONFIG_DEBUG_PAGEALLOC, +which unmaps any free'd pages from the linear map. + + [ 757.644120] Unable to handle kernel paging request at virtual address + ffff800661e00000 + [ 757.652046] pgd = ffff20000b1a2000 + [ 757.655471] [ffff800661e00000] *pgd=00000047fffe3003, *pud=00000047fcd8c003, + *pmd=00000047fcc7c003, *pte=00e8004661e00712 + [ 757.666492] Internal error: Oops: 96000147 [#3] PREEMPT SMP + [ 757.672041] Modules linked in: + [ 757.675100] CPU: 7 PID: 3630 Comm: qemu-system-aar Tainted: G D + 4.8.0-rc1 #3 + [ 757.683240] Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board, + BIOS 3.06.15 Aug 19 2016 + [ 757.692938] task: ffff80069cdd3580 task.stack: ffff8006adb7c000 + [ 757.698840] PC is at __flush_dcache_area+0x1c/0x40 + [ 757.703613] LR is at kvm_flush_dcache_pmd+0x60/0x70 + [ 757.708469] pc : [] lr : [] pstate: 20000145 + ... + [ 758.357249] [] __flush_dcache_area+0x1c/0x40 + [ 758.363059] [] unmap_stage2_range+0x458/0x5f0 + [ 758.368954] [] kvm_free_stage2_pgd+0x34/0x60 + [ 758.374761] [] kvm_arch_destroy_vm+0x20/0x68 + [ 758.380570] [] kvm_put_kvm+0x210/0x358 + [ 758.385860] [] kvm_vm_release+0x2c/0x40 + [ 758.391239] [] __fput+0x114/0x2e8 + [ 758.396096] [] ____fput+0xc/0x18 + [ 758.400869] [] task_work_run+0x108/0x138 + [ 758.406332] [] do_exit+0x48c/0x10e8 + [ 758.411363] [] do_group_exit+0x6c/0x130 + [ 758.416739] [] get_signal+0x284/0xa18 + [ 758.421943] [] do_signal+0x158/0x860 + [ 758.427060] [] do_notify_resume+0x6c/0x88 + [ 758.432608] [] work_pending+0x10/0x14 + [ 758.437812] Code: 9ac32042 8b010001 d1000443 8a230000 (d50b7e20) + +This patch fixes the issue by moving the kvm_free_stage2_pgd() to +kvm_arch_flush_shadow_all(). + +Tested-by: Itaru Kitayama +Reported-by: Itaru Kitayama +Reported-by: James Morse +Cc: Marc Zyngier +Cc: Catalin Marinas +Cc: Christoffer Dall +Signed-off-by: Suzuki K Poulose +Signed-off-by: Christoffer Dall +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kvm/arm.c | 2 -- + arch/arm/kvm/mmu.c | 1 + + 2 files changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/arm/kvm/arm.c ++++ b/arch/arm/kvm/arm.c +@@ -155,8 +155,6 @@ void kvm_arch_destroy_vm(struct kvm *kvm + { + int i; + +- kvm_free_stage2_pgd(kvm); +- + for (i = 0; i < KVM_MAX_VCPUS; ++i) { + if (kvm->vcpus[i]) { + kvm_arch_vcpu_free(kvm->vcpus[i]); +--- a/arch/arm/kvm/mmu.c ++++ b/arch/arm/kvm/mmu.c +@@ -1852,6 +1852,7 @@ void kvm_arch_memslots_updated(struct kv + + void kvm_arch_flush_shadow_all(struct kvm *kvm) + { ++ kvm_free_stage2_pgd(kvm); + } + + void kvm_arch_flush_shadow_memslot(struct kvm *kvm, diff --git a/queue-4.4/md-cluster-make-md-cluster-also-can-work-when-compiled-into-kernel.patch b/queue-4.4/md-cluster-make-md-cluster-also-can-work-when-compiled-into-kernel.patch new file mode 100644 index 00000000000..979cc283da6 --- /dev/null +++ b/queue-4.4/md-cluster-make-md-cluster-also-can-work-when-compiled-into-kernel.patch @@ -0,0 +1,51 @@ +From 47a7b0d8888c04c9746812820b6e60553cc77bbc Mon Sep 17 00:00:00 2001 +From: Guoqing Jiang +Date: Sun, 4 Sep 2016 22:17:28 -0400 +Subject: md-cluster: make md-cluster also can work when compiled into kernel + +From: Guoqing Jiang + +commit 47a7b0d8888c04c9746812820b6e60553cc77bbc upstream. + +The md-cluster is compiled as module by default, +if it is compiled by built-in way, then we can't +make md-cluster works. + +[64782.630008] md/raid1:md127: active with 2 out of 2 mirrors +[64782.630528] md-cluster module not found. +[64782.630530] md127: Could not setup cluster service (-2) + +Fixes: edb39c9 ("Introduce md_cluster_operations to handle cluster functions") +Reported-by: Marc Smith +Reviewed-by: NeilBrown +Signed-off-by: Guoqing Jiang +Signed-off-by: Shaohua Li +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7572,16 +7572,12 @@ EXPORT_SYMBOL(unregister_md_cluster_oper + + int md_setup_cluster(struct mddev *mddev, int nodes) + { +- int err; +- +- err = request_module("md-cluster"); +- if (err) { +- pr_err("md-cluster module not found.\n"); +- return -ENOENT; +- } +- ++ if (!md_cluster_ops) ++ request_module("md-cluster"); + spin_lock(&pers_lock); ++ /* ensure module won't be unloaded */ + if (!md_cluster_ops || !try_module_get(md_cluster_mod)) { ++ pr_err("can't find md-cluster module or get it's reference.\n"); + spin_unlock(&pers_lock); + return -ENOENT; + } diff --git a/queue-4.4/mm-introduce-get_task_exe_file.patch b/queue-4.4/mm-introduce-get_task_exe_file.patch new file mode 100644 index 00000000000..4df0caf19d9 --- /dev/null +++ b/queue-4.4/mm-introduce-get_task_exe_file.patch @@ -0,0 +1,92 @@ +From cd81a9170e69e018bbaba547c1fd85a585f5697a Mon Sep 17 00:00:00 2001 +From: Mateusz Guzik +Date: Tue, 23 Aug 2016 16:20:38 +0200 +Subject: mm: introduce get_task_exe_file + +From: Mateusz Guzik + +commit cd81a9170e69e018bbaba547c1fd85a585f5697a upstream. + +For more convenient access if one has a pointer to the task. + +As a minor nit take advantage of the fact that only task lock + rcu are +needed to safely grab ->exe_file. This saves mm refcount dance. + +Use the helper in proc_exe_link. + +Signed-off-by: Mateusz Guzik +Acked-by: Konstantin Khlebnikov +Acked-by: Richard Guy Briggs +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/base.c | 7 +------ + include/linux/mm.h | 1 + + kernel/fork.c | 23 +++++++++++++++++++++++ + 3 files changed, 25 insertions(+), 6 deletions(-) + +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -1545,18 +1545,13 @@ static const struct file_operations proc + static int proc_exe_link(struct dentry *dentry, struct path *exe_path) + { + struct task_struct *task; +- struct mm_struct *mm; + struct file *exe_file; + + task = get_proc_task(d_inode(dentry)); + if (!task) + return -ENOENT; +- mm = get_task_mm(task); ++ exe_file = get_task_exe_file(task); + put_task_struct(task); +- if (!mm) +- return -ENOENT; +- exe_file = get_mm_exe_file(mm); +- mmput(mm); + if (exe_file) { + *exe_path = exe_file->f_path; + path_get(&exe_file->f_path); +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -1898,6 +1898,7 @@ extern void mm_drop_all_locks(struct mm_ + + extern void set_mm_exe_file(struct mm_struct *mm, struct file *new_exe_file); + extern struct file *get_mm_exe_file(struct mm_struct *mm); ++extern struct file *get_task_exe_file(struct task_struct *task); + + extern int may_expand_vm(struct mm_struct *mm, unsigned long npages); + extern struct vm_area_struct *_install_special_mapping(struct mm_struct *mm, +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -764,6 +764,29 @@ struct file *get_mm_exe_file(struct mm_s + EXPORT_SYMBOL(get_mm_exe_file); + + /** ++ * get_task_exe_file - acquire a reference to the task's executable file ++ * ++ * Returns %NULL if task's mm (if any) has no associated executable file or ++ * this is a kernel thread with borrowed mm (see the comment above get_task_mm). ++ * User must release file via fput(). ++ */ ++struct file *get_task_exe_file(struct task_struct *task) ++{ ++ struct file *exe_file = NULL; ++ struct mm_struct *mm; ++ ++ task_lock(task); ++ mm = task->mm; ++ if (mm) { ++ if (!(task->flags & PF_KTHREAD)) ++ exe_file = get_mm_exe_file(mm); ++ } ++ task_unlock(task); ++ return exe_file; ++} ++EXPORT_SYMBOL(get_task_exe_file); ++ ++/** + * get_task_mm - acquire a reference to the task's mm + * + * Returns %NULL if the task has no mm. Checks PF_KTHREAD (meaning diff --git a/queue-4.4/net-thunderx-fix-oops-with-ethtool-register-dump.patch b/queue-4.4/net-thunderx-fix-oops-with-ethtool-register-dump.patch new file mode 100644 index 00000000000..68648b2fe8c --- /dev/null +++ b/queue-4.4/net-thunderx-fix-oops-with-ethtool-register-dump.patch @@ -0,0 +1,50 @@ +From 1423661fed2c40d6d71b5e2e3aa390f85157f9d5 Mon Sep 17 00:00:00 2001 +From: David Daney +Date: Tue, 16 Aug 2016 13:30:36 -0700 +Subject: net: thunderx: Fix OOPs with ethtool --register-dump + +From: David Daney + +commit 1423661fed2c40d6d71b5e2e3aa390f85157f9d5 upstream. + +The ethtool_ops .get_regs function attempts to read the nonexistent +register NIC_QSET_SQ_0_7_CNM_CHG, which produces a "bus error" type +OOPs. + +Fix by not attempting to read, and removing the definition of, +NIC_QSET_SQ_0_7_CNM_CHG. A zero is written into the register dump to +keep the layout unchanged. + +Signed-off-by: David Daney +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/cavium/thunder/nic_reg.h | 1 - + drivers/net/ethernet/cavium/thunder/nicvf_ethtool.c | 5 ++++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/cavium/thunder/nic_reg.h ++++ b/drivers/net/ethernet/cavium/thunder/nic_reg.h +@@ -170,7 +170,6 @@ + #define NIC_QSET_SQ_0_7_DOOR (0x010838) + #define NIC_QSET_SQ_0_7_STATUS (0x010840) + #define NIC_QSET_SQ_0_7_DEBUG (0x010848) +-#define NIC_QSET_SQ_0_7_CNM_CHG (0x010860) + #define NIC_QSET_SQ_0_7_STAT_0_1 (0x010900) + + #define NIC_QSET_RBDR_0_1_CFG (0x010C00) +--- a/drivers/net/ethernet/cavium/thunder/nicvf_ethtool.c ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_ethtool.c +@@ -380,7 +380,10 @@ static void nicvf_get_regs(struct net_de + p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_DOOR, q); + p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_STATUS, q); + p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_DEBUG, q); +- p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_CNM_CHG, q); ++ /* Padding, was NIC_QSET_SQ_0_7_CNM_CHG, which ++ * produces bus errors when read ++ */ ++ p[i++] = 0; + p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_STAT_0_1, q); + reg_offset = NIC_QSET_SQ_0_7_STAT_0_1 | (1 << 3); + p[i++] = nicvf_queue_reg_read(nic, reg_offset, q); diff --git a/queue-4.4/nfsd-close-race-between-nfsd4_release_lockowner-and-nfsd4_lock.patch b/queue-4.4/nfsd-close-race-between-nfsd4_release_lockowner-and-nfsd4_lock.patch new file mode 100644 index 00000000000..62ba551d2e1 --- /dev/null +++ b/queue-4.4/nfsd-close-race-between-nfsd4_release_lockowner-and-nfsd4_lock.patch @@ -0,0 +1,97 @@ +From 885848186fbc2d1d8fb6d2fdc2156638ae289a46 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Wed, 13 Jul 2016 16:40:14 -0400 +Subject: nfsd: Close race between nfsd4_release_lockowner and nfsd4_lock + +From: Chuck Lever + +commit 885848186fbc2d1d8fb6d2fdc2156638ae289a46 upstream. + +nfsd4_release_lockowner finds a lock owner that has no lock state, +and drops cl_lock. Then release_lockowner picks up cl_lock and +unhashes the lock owner. + +During the window where cl_lock is dropped, I don't see anything +preventing a concurrent nfsd4_lock from finding that same lock owner +and adding lock state to it. + +Move release_lockowner() into nfsd4_release_lockowner and hang onto +the cl_lock until after the lock owner's state cannot be found +again. + +Found by inspection, we don't currently have a reproducer. + +Fixes: 2c41beb0e5cf ("nfsd: reduce cl_lock thrashing in ... ") +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4state.c | 40 +++++++++++++++++----------------------- + 1 file changed, 17 insertions(+), 23 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -1200,27 +1200,6 @@ free_ol_stateid_reaplist(struct list_hea + } + } + +-static void release_lockowner(struct nfs4_lockowner *lo) +-{ +- struct nfs4_client *clp = lo->lo_owner.so_client; +- struct nfs4_ol_stateid *stp; +- struct list_head reaplist; +- +- INIT_LIST_HEAD(&reaplist); +- +- spin_lock(&clp->cl_lock); +- unhash_lockowner_locked(lo); +- while (!list_empty(&lo->lo_owner.so_stateids)) { +- stp = list_first_entry(&lo->lo_owner.so_stateids, +- struct nfs4_ol_stateid, st_perstateowner); +- WARN_ON(!unhash_lock_stateid(stp)); +- put_ol_stateid_locked(stp, &reaplist); +- } +- spin_unlock(&clp->cl_lock); +- free_ol_stateid_reaplist(&reaplist); +- nfs4_put_stateowner(&lo->lo_owner); +-} +- + static void release_open_stateid_locks(struct nfs4_ol_stateid *open_stp, + struct list_head *reaplist) + { +@@ -5952,6 +5931,7 @@ nfsd4_release_lockowner(struct svc_rqst + __be32 status; + struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); + struct nfs4_client *clp; ++ LIST_HEAD (reaplist); + + dprintk("nfsd4_release_lockowner clientid: (%08x/%08x):\n", + clid->cl_boot, clid->cl_id); +@@ -5982,9 +5962,23 @@ nfsd4_release_lockowner(struct svc_rqst + nfs4_get_stateowner(sop); + break; + } ++ if (!lo) { ++ spin_unlock(&clp->cl_lock); ++ return status; ++ } ++ ++ unhash_lockowner_locked(lo); ++ while (!list_empty(&lo->lo_owner.so_stateids)) { ++ stp = list_first_entry(&lo->lo_owner.so_stateids, ++ struct nfs4_ol_stateid, ++ st_perstateowner); ++ WARN_ON(!unhash_lock_stateid(stp)); ++ put_ol_stateid_locked(stp, &reaplist); ++ } + spin_unlock(&clp->cl_lock); +- if (lo) +- release_lockowner(lo); ++ free_ol_stateid_reaplist(&reaplist); ++ nfs4_put_stateowner(&lo->lo_owner); ++ + return status; + } + diff --git a/queue-4.4/nfsv4.1-fix-oopsable-condition-in-server-callback-races.patch b/queue-4.4/nfsv4.1-fix-oopsable-condition-in-server-callback-races.patch new file mode 100644 index 00000000000..1a4d9e3cfdb --- /dev/null +++ b/queue-4.4/nfsv4.1-fix-oopsable-condition-in-server-callback-races.patch @@ -0,0 +1,89 @@ +From e09c978aae5bedfdb379be80363b024b7d82638b Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sat, 27 Aug 2016 23:44:04 -0400 +Subject: NFSv4.1: Fix Oopsable condition in server callback races + +From: Trond Myklebust + +commit e09c978aae5bedfdb379be80363b024b7d82638b upstream. + +The slot table hasn't been an array since v3.7. Ensure that we +use nfs4_lookup_slot() to access the slot correctly. + +Fixes: 87dda67e7386 ("NFSv4.1: Allow SEQUENCE to resize the slot table...") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/callback_proc.c | 5 +---- + fs/nfs/nfs4session.c | 33 +++++++++++++++++++++++++++++++++ + fs/nfs/nfs4session.h | 1 + + 3 files changed, 35 insertions(+), 4 deletions(-) + +--- a/fs/nfs/callback_proc.c ++++ b/fs/nfs/callback_proc.c +@@ -400,11 +400,8 @@ static bool referring_call_exists(struct + ((u32 *)&rclist->rcl_sessionid.data)[3], + ref->rc_sequenceid, ref->rc_slotid); + +- spin_lock(&tbl->slot_tbl_lock); +- status = (test_bit(ref->rc_slotid, tbl->used_slots) && +- tbl->slots[ref->rc_slotid].seq_nr == ++ status = nfs4_slot_seqid_in_use(tbl, ref->rc_slotid, + ref->rc_sequenceid); +- spin_unlock(&tbl->slot_tbl_lock); + if (status) + goto out; + } +--- a/fs/nfs/nfs4session.c ++++ b/fs/nfs/nfs4session.c +@@ -135,6 +135,39 @@ static struct nfs4_slot *nfs4_find_or_cr + return ERR_PTR(-ENOMEM); + } + ++static int nfs4_slot_get_seqid(struct nfs4_slot_table *tbl, u32 slotid, ++ u32 *seq_nr) ++ __must_hold(&tbl->slot_tbl_lock) ++{ ++ struct nfs4_slot *slot; ++ ++ slot = nfs4_lookup_slot(tbl, slotid); ++ if (IS_ERR(slot)) ++ return PTR_ERR(slot); ++ *seq_nr = slot->seq_nr; ++ return 0; ++} ++ ++/* ++ * nfs4_slot_seqid_in_use - test if a slot sequence id is still in use ++ * ++ * Given a slot table, slot id and sequence number, determine if the ++ * RPC call in question is still in flight. This function is mainly ++ * intended for use by the callback channel. ++ */ ++bool nfs4_slot_seqid_in_use(struct nfs4_slot_table *tbl, u32 slotid, u32 seq_nr) ++{ ++ u32 cur_seq; ++ bool ret = false; ++ ++ spin_lock(&tbl->slot_tbl_lock); ++ if (nfs4_slot_get_seqid(tbl, slotid, &cur_seq) == 0 && ++ cur_seq == seq_nr && test_bit(slotid, tbl->used_slots)) ++ ret = true; ++ spin_unlock(&tbl->slot_tbl_lock); ++ return ret; ++} ++ + /* + * nfs4_alloc_slot - efficiently look for a free slot + * +--- a/fs/nfs/nfs4session.h ++++ b/fs/nfs/nfs4session.h +@@ -77,6 +77,7 @@ extern int nfs4_setup_slot_table(struct + unsigned int max_reqs, const char *queue); + extern void nfs4_shutdown_slot_table(struct nfs4_slot_table *tbl); + extern struct nfs4_slot *nfs4_alloc_slot(struct nfs4_slot_table *tbl); ++extern bool nfs4_slot_seqid_in_use(struct nfs4_slot_table *tbl, u32 slotid, u32 seq_nr); + extern void nfs4_free_slot(struct nfs4_slot_table *tbl, struct nfs4_slot *slot); + extern void nfs4_slot_tbl_drain_complete(struct nfs4_slot_table *tbl); + bool nfs41_wake_and_assign_slot(struct nfs4_slot_table *tbl, diff --git a/queue-4.4/nfsv4.1-fix-the-create_session-slot-number-accounting.patch b/queue-4.4/nfsv4.1-fix-the-create_session-slot-number-accounting.patch new file mode 100644 index 00000000000..8da40c28f4c --- /dev/null +++ b/queue-4.4/nfsv4.1-fix-the-create_session-slot-number-accounting.patch @@ -0,0 +1,46 @@ +From b519d408ea32040b1c7e10b155a3ee9a36660947 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sun, 11 Sep 2016 14:50:01 -0400 +Subject: NFSv4.1: Fix the CREATE_SESSION slot number accounting + +From: Trond Myklebust + +commit b519d408ea32040b1c7e10b155a3ee9a36660947 upstream. + +Ensure that we conform to the algorithm described in RFC5661, section +18.36.4 for when to bump the sequence id. In essence we do it for all +cases except when the RPC call timed out, or in case of the server returning +NFS4ERR_DELAY or NFS4ERR_STALE_CLIENTID. + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -7424,12 +7424,20 @@ static int _nfs4_proc_create_session(str + status = rpc_call_sync(session->clp->cl_rpcclient, &msg, RPC_TASK_TIMEOUT); + trace_nfs4_create_session(clp, status); + ++ switch (status) { ++ case -NFS4ERR_STALE_CLIENTID: ++ case -NFS4ERR_DELAY: ++ case -ETIMEDOUT: ++ case -EACCES: ++ case -EAGAIN: ++ goto out; ++ }; ++ ++ clp->cl_seqid++; + if (!status) { + /* Verify the session's negotiated channel_attrs values */ + status = nfs4_verify_channel_attrs(&args, &res); + /* Increment the clientid slot sequence id */ +- if (clp->cl_seqid == res.seqid) +- clp->cl_seqid++; + if (status) + goto out; + nfs4_update_session(session, &res); diff --git a/queue-4.4/nfsv4.x-fix-a-refcount-leak-in-nfs_callback_up_net.patch b/queue-4.4/nfsv4.x-fix-a-refcount-leak-in-nfs_callback_up_net.patch new file mode 100644 index 00000000000..d51f5284d46 --- /dev/null +++ b/queue-4.4/nfsv4.x-fix-a-refcount-leak-in-nfs_callback_up_net.patch @@ -0,0 +1,29 @@ +From 98b0f80c2396224bbbed81792b526e6c72ba9efa Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 29 Aug 2016 11:15:36 -0400 +Subject: NFSv4.x: Fix a refcount leak in nfs_callback_up_net + +From: Trond Myklebust + +commit 98b0f80c2396224bbbed81792b526e6c72ba9efa upstream. + +On error, the callers expect us to return without bumping +nn->cb_users[]. + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/callback.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfs/callback.c ++++ b/fs/nfs/callback.c +@@ -275,6 +275,7 @@ static int nfs_callback_up_net(int minor + err_socks: + svc_rpcb_cleanup(serv, net); + err_bind: ++ nn->cb_users[minorversion]--; + dprintk("NFS: Couldn't create callback socket: err = %d; " + "net = %p\n", ret, net); + return ret; diff --git a/queue-4.4/pinctrl-pistachio-fix-mfio-pll_lock-pinmux.patch b/queue-4.4/pinctrl-pistachio-fix-mfio-pll_lock-pinmux.patch new file mode 100644 index 00000000000..464db8bedb8 --- /dev/null +++ b/queue-4.4/pinctrl-pistachio-fix-mfio-pll_lock-pinmux.patch @@ -0,0 +1,52 @@ +From a32ac2912f97d7ea9b67eb67bb4aa30b9156a88e Mon Sep 17 00:00:00 2001 +From: James Hartley +Date: Fri, 19 Aug 2016 12:03:23 +0100 +Subject: pinctrl: pistachio: fix mfio pll_lock pinmux + +From: James Hartley + +commit a32ac2912f97d7ea9b67eb67bb4aa30b9156a88e upstream. + +A previous patch attempted to fix the pinmuxes for mfio 84 - 89, but it +omitted a change to pistachio_pin_group pistachio_groups, which results +in incorrect pll_lock signals being routed. + +Apply the correct mux settings throughout the driver. + +fixes: cefc03e5995e ("pinctrl: Add Pistachio SoC pin control driver") +fixes: e9adb336d0bf ("pinctrl: pistachio: fix mfio84-89 function description and pinmux.") +Signed-off-by: James Hartley +Reviewed-by: Sifan Naeem +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/pinctrl-pistachio.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/pinctrl/pinctrl-pistachio.c ++++ b/drivers/pinctrl/pinctrl-pistachio.c +@@ -809,17 +809,17 @@ static const struct pistachio_pin_group + PADS_FUNCTION_SELECT2, 12, 0x3), + MFIO_MUX_PIN_GROUP(83, MIPS_PLL_LOCK, MIPS_TRACE_DATA, USB_DEBUG, + PADS_FUNCTION_SELECT2, 14, 0x3), +- MFIO_MUX_PIN_GROUP(84, SYS_PLL_LOCK, MIPS_TRACE_DATA, USB_DEBUG, ++ MFIO_MUX_PIN_GROUP(84, AUDIO_PLL_LOCK, MIPS_TRACE_DATA, USB_DEBUG, + PADS_FUNCTION_SELECT2, 16, 0x3), +- MFIO_MUX_PIN_GROUP(85, WIFI_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG, ++ MFIO_MUX_PIN_GROUP(85, RPU_V_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG, + PADS_FUNCTION_SELECT2, 18, 0x3), +- MFIO_MUX_PIN_GROUP(86, BT_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG, ++ MFIO_MUX_PIN_GROUP(86, RPU_L_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG, + PADS_FUNCTION_SELECT2, 20, 0x3), +- MFIO_MUX_PIN_GROUP(87, RPU_V_PLL_LOCK, DREQ2, SOCIF_DEBUG, ++ MFIO_MUX_PIN_GROUP(87, SYS_PLL_LOCK, DREQ2, SOCIF_DEBUG, + PADS_FUNCTION_SELECT2, 22, 0x3), +- MFIO_MUX_PIN_GROUP(88, RPU_L_PLL_LOCK, DREQ3, SOCIF_DEBUG, ++ MFIO_MUX_PIN_GROUP(88, WIFI_PLL_LOCK, DREQ3, SOCIF_DEBUG, + PADS_FUNCTION_SELECT2, 24, 0x3), +- MFIO_MUX_PIN_GROUP(89, AUDIO_PLL_LOCK, DREQ4, DREQ5, ++ MFIO_MUX_PIN_GROUP(89, BT_PLL_LOCK, DREQ4, DREQ5, + PADS_FUNCTION_SELECT2, 26, 0x3), + PIN_GROUP(TCK, "tck"), + PIN_GROUP(TRSTN, "trstn"), diff --git a/queue-4.4/pinctrl-sunxi-fix-uart1-cts-rts-pins-at-pg-on-a23-a33.patch b/queue-4.4/pinctrl-sunxi-fix-uart1-cts-rts-pins-at-pg-on-a23-a33.patch new file mode 100644 index 00000000000..de3262e605c --- /dev/null +++ b/queue-4.4/pinctrl-sunxi-fix-uart1-cts-rts-pins-at-pg-on-a23-a33.patch @@ -0,0 +1,57 @@ +From 486095fae3a8a6b1ae07c51844699d9bd5cfbebc Mon Sep 17 00:00:00 2001 +From: Icenowy Zheng +Date: Tue, 23 Aug 2016 13:58:25 +0800 +Subject: pinctrl: sunxi: fix uart1 CTS/RTS pins at PG on A23/A33 + +From: Icenowy Zheng + +commit 486095fae3a8a6b1ae07c51844699d9bd5cfbebc upstream. + +PG8, PG9 is said to be the CTS/RTS pins for UART1 according to the A23/33 +datasheets. However, the function is wrongly named "uart2" in the pinctrl +driver. This patch fixes this by modifying them to be named "uart1". + +Signed-off-by: Icenowy Zheng +Acked-by: Maxime Ripard +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/sunxi/pinctrl-sun8i-a23.c | 4 ++-- + drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/pinctrl/sunxi/pinctrl-sun8i-a23.c ++++ b/drivers/pinctrl/sunxi/pinctrl-sun8i-a23.c +@@ -485,12 +485,12 @@ static const struct sunxi_desc_pin sun8i + SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 8), + SUNXI_FUNCTION(0x0, "gpio_in"), + SUNXI_FUNCTION(0x1, "gpio_out"), +- SUNXI_FUNCTION(0x2, "uart2"), /* RTS */ ++ SUNXI_FUNCTION(0x2, "uart1"), /* RTS */ + SUNXI_FUNCTION_IRQ_BANK(0x4, 2, 8)), /* PG_EINT8 */ + SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 9), + SUNXI_FUNCTION(0x0, "gpio_in"), + SUNXI_FUNCTION(0x1, "gpio_out"), +- SUNXI_FUNCTION(0x2, "uart2"), /* CTS */ ++ SUNXI_FUNCTION(0x2, "uart1"), /* CTS */ + SUNXI_FUNCTION_IRQ_BANK(0x4, 2, 9)), /* PG_EINT9 */ + SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 10), + SUNXI_FUNCTION(0x0, "gpio_in"), +--- a/drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c ++++ b/drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c +@@ -407,12 +407,12 @@ static const struct sunxi_desc_pin sun8i + SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 8), + SUNXI_FUNCTION(0x0, "gpio_in"), + SUNXI_FUNCTION(0x1, "gpio_out"), +- SUNXI_FUNCTION(0x2, "uart2"), /* RTS */ ++ SUNXI_FUNCTION(0x2, "uart1"), /* RTS */ + SUNXI_FUNCTION_IRQ_BANK(0x4, 1, 8)), /* PG_EINT8 */ + SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 9), + SUNXI_FUNCTION(0x0, "gpio_in"), + SUNXI_FUNCTION(0x1, "gpio_out"), +- SUNXI_FUNCTION(0x2, "uart2"), /* CTS */ ++ SUNXI_FUNCTION(0x2, "uart1"), /* CTS */ + SUNXI_FUNCTION_IRQ_BANK(0x4, 1, 9)), /* PG_EINT9 */ + SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 10), + SUNXI_FUNCTION(0x0, "gpio_in"), diff --git a/queue-4.4/pnfs-ensure-layoutget-and-layoutreturn-are-properly-serialised.patch b/queue-4.4/pnfs-ensure-layoutget-and-layoutreturn-are-properly-serialised.patch new file mode 100644 index 00000000000..c8edea3c64d --- /dev/null +++ b/queue-4.4/pnfs-ensure-layoutget-and-layoutreturn-are-properly-serialised.patch @@ -0,0 +1,55 @@ +From bf0291dd2267a2b9a4cd74d65249553d11bb45d6 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sat, 3 Sep 2016 10:39:51 -0400 +Subject: pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised + +From: Trond Myklebust + +commit bf0291dd2267a2b9a4cd74d65249553d11bb45d6 upstream. + +According to RFC5661, the client is responsible for serialising +LAYOUTGET and LAYOUTRETURN to avoid ambiguity. Consider the case +where we send both in parallel. + +Client Server +====== ====== +LAYOUTGET(seqid=X) +LAYOUTRETURN(seqid=X) + LAYOUTGET return seqid=X+1 + LAYOUTRETURN return seqid=X+2 +Process LAYOUTRETURN + Forget layout stateid +Process LAYOUTGET + Set seqid=X+1 + +The client processes the layoutget/layoutreturn in the wrong order, +and since the result of the layoutreturn was to clear the only +existing layout segment, the client forgets the layout stateid. + +When the LAYOUTGET comes in, it is treated as having a completely +new stateid, and so the client sets the wrong sequence id... + +Fix is to check if there are outstanding LAYOUTGET requests +before we send the LAYOUTRETURN (note that LAYOUGET will already +wait if it sees an outstanding LAYOUTRETURN). + +Signed-off-by: Trond Myklebust +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/pnfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -365,6 +365,9 @@ pnfs_layout_need_return(struct pnfs_layo + static bool + pnfs_prepare_layoutreturn(struct pnfs_layout_hdr *lo) + { ++ /* Serialise LAYOUTGET/LAYOUTRETURN */ ++ if (atomic_read(&lo->plh_outstanding) != 0) ++ return false; + if (test_and_set_bit(NFS_LAYOUT_RETURN, &lo->plh_flags)) + return false; + lo->plh_return_iomode = 0; diff --git a/queue-4.4/pnfs-the-client-must-not-do-i-o-to-the-ds-if-it-s-lease-has-expired.patch b/queue-4.4/pnfs-the-client-must-not-do-i-o-to-the-ds-if-it-s-lease-has-expired.patch new file mode 100644 index 00000000000..047d992a00c --- /dev/null +++ b/queue-4.4/pnfs-the-client-must-not-do-i-o-to-the-ds-if-it-s-lease-has-expired.patch @@ -0,0 +1,34 @@ +From b88fa69eaa8649f11828158c7b65c4bcd886ebd5 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 23 Aug 2016 11:19:33 -0400 +Subject: pNFS: The client must not do I/O to the DS if it's lease has expired + +From: Trond Myklebust + +commit b88fa69eaa8649f11828158c7b65c4bcd886ebd5 upstream. + +Ensure that the client conforms to the normative behaviour described in +RFC5661 Section 12.7.2: "If a client believes its lease has expired, +it MUST NOT send I/O to the storage device until it has validated its +lease." + +So ensure that we wait for the lease to be validated before using +the layout. + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/pnfs.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -1530,6 +1530,7 @@ pnfs_update_layout(struct inode *ino, + goto out; + + lookup_again: ++ nfs4_client_recover_expired_lease(clp); + first = false; + spin_lock(&ino->i_lock); + lo = pnfs_find_alloc_layout(ino, ctx, gfp_flags); diff --git a/queue-4.4/powerpc-mm-don-t-alias-user-region-to-other-regions-below-page_offset.patch b/queue-4.4/powerpc-mm-don-t-alias-user-region-to-other-regions-below-page_offset.patch new file mode 100644 index 00000000000..5fa93bb5bdd --- /dev/null +++ b/queue-4.4/powerpc-mm-don-t-alias-user-region-to-other-regions-below-page_offset.patch @@ -0,0 +1,58 @@ +From f077aaf0754bcba0fffdbd925bc12f09cd1e38aa Mon Sep 17 00:00:00 2001 +From: Paul Mackerras +Date: Fri, 2 Sep 2016 21:47:59 +1000 +Subject: powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET + +From: Paul Mackerras + +commit f077aaf0754bcba0fffdbd925bc12f09cd1e38aa upstream. + +In commit c60ac5693c47 ("powerpc: Update kernel VSID range", 2013-03-13) +we lost a check on the region number (the top four bits of the effective +address) for addresses below PAGE_OFFSET. That commit replaced a check +that the top 18 bits were all zero with a check that bits 46 - 59 were +zero (performed for all addresses, not just user addresses). + +This means that userspace can access an address like 0x1000_0xxx_xxxx_xxxx +and we will insert a valid SLB entry for it. The VSID used will be the +same as if the top 4 bits were 0, but the page size will be some random +value obtained by indexing beyond the end of the mm_ctx_high_slices_psize +array in the paca. If that page size is the same as would be used for +region 0, then userspace just has an alias of the region 0 space. If the +page size is different, then no HPTE will be found for the access, and +the process will get a SIGSEGV (since hash_page_mm() will refuse to create +a HPTE for the bogus address). + +The access beyond the end of the mm_ctx_high_slices_psize can be at most +5.5MB past the array, and so will be in RAM somewhere. Since the access +is a load performed in real mode, it won't fault or crash the kernel. +At most this bug could perhaps leak a little bit of information about +blocks of 32 bytes of memory located at offsets of i * 512kB past the +paca->mm_ctx_high_slices_psize array, for 1 <= i <= 11. + +Fixes: c60ac5693c47 ("powerpc: Update kernel VSID range") +Signed-off-by: Paul Mackerras +Reviewed-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/slb_low.S | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/mm/slb_low.S ++++ b/arch/powerpc/mm/slb_low.S +@@ -113,7 +113,12 @@ BEGIN_FTR_SECTION + END_MMU_FTR_SECTION_IFCLR(MMU_FTR_1T_SEGMENT) + b slb_finish_load_1T + +-0: ++0: /* ++ * For userspace addresses, make sure this is region 0. ++ */ ++ cmpdi r9, 0 ++ bne 8f ++ + /* when using slices, we extract the psize off the slice bitmaps + * and then we need to get the sllp encoding off the mmu_psize_defs + * array. diff --git a/queue-4.4/powerpc-powernv-drop-reference-added-by-kset_find_obj.patch b/queue-4.4/powerpc-powernv-drop-reference-added-by-kset_find_obj.patch new file mode 100644 index 00000000000..ffa48b267a6 --- /dev/null +++ b/queue-4.4/powerpc-powernv-drop-reference-added-by-kset_find_obj.patch @@ -0,0 +1,79 @@ +From a9cbf0b2195b695cbeeeecaa4e2770948c212e9a Mon Sep 17 00:00:00 2001 +From: Mukesh Ojha +Date: Mon, 22 Aug 2016 12:17:44 +0530 +Subject: powerpc/powernv : Drop reference added by kset_find_obj() + +From: Mukesh Ojha + +commit a9cbf0b2195b695cbeeeecaa4e2770948c212e9a upstream. + +In a situation, where Linux kernel gets notified about duplicate error log +from OPAL, it is been observed that kernel fails to remove sysfs entries +(/sys/firmware/opal/elog/0xXXXXXXXX) of such error logs. This is because, +we currently search the error log/dump kobject in the kset list via +'kset_find_obj()' routine. Which eventually increment the reference count +by one, once it founds the kobject. + +So, unless we decrement the reference count by one after it found the kobject, +we would not be able to release the kobject properly later. + +This patch adds the 'kobject_put()' which was missing earlier. + +Signed-off-by: Mukesh Ojha +Reviewed-by: Vasant Hegde +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/opal-dump.c | 7 ++++++- + arch/powerpc/platforms/powernv/opal-elog.c | 7 ++++++- + 2 files changed, 12 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/platforms/powernv/opal-dump.c ++++ b/arch/powerpc/platforms/powernv/opal-dump.c +@@ -370,6 +370,7 @@ static irqreturn_t process_dump(int irq, + uint32_t dump_id, dump_size, dump_type; + struct dump_obj *dump; + char name[22]; ++ struct kobject *kobj; + + rc = dump_read_info(&dump_id, &dump_size, &dump_type); + if (rc != OPAL_SUCCESS) +@@ -381,8 +382,12 @@ static irqreturn_t process_dump(int irq, + * that gracefully and not create two conflicting + * entries. + */ +- if (kset_find_obj(dump_kset, name)) ++ kobj = kset_find_obj(dump_kset, name); ++ if (kobj) { ++ /* Drop reference added by kset_find_obj() */ ++ kobject_put(kobj); + return 0; ++ } + + dump = create_dump_obj(dump_id, dump_size, dump_type); + if (!dump) +--- a/arch/powerpc/platforms/powernv/opal-elog.c ++++ b/arch/powerpc/platforms/powernv/opal-elog.c +@@ -247,6 +247,7 @@ static irqreturn_t elog_event(int irq, v + uint64_t elog_type; + int rc; + char name[2+16+1]; ++ struct kobject *kobj; + + rc = opal_get_elog_size(&id, &size, &type); + if (rc != OPAL_SUCCESS) { +@@ -269,8 +270,12 @@ static irqreturn_t elog_event(int irq, v + * that gracefully and not create two conflicting + * entries. + */ +- if (kset_find_obj(elog_kset, name)) ++ kobj = kset_find_obj(elog_kset, name); ++ if (kobj) { ++ /* Drop reference added by kset_find_obj() */ ++ kobject_put(kobj); + return IRQ_HANDLED; ++ } + + create_elog_obj(log_id, elog_size, elog_type); + diff --git a/queue-4.4/powerpc-tm-do-not-use-r13-for-tabort_syscall.patch b/queue-4.4/powerpc-tm-do-not-use-r13-for-tabort_syscall.patch new file mode 100644 index 00000000000..6611fac0c83 --- /dev/null +++ b/queue-4.4/powerpc-tm-do-not-use-r13-for-tabort_syscall.patch @@ -0,0 +1,54 @@ +From cc7786d3ee7e3c979799db834b528db2c0834c2e Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Mon, 25 Jul 2016 14:26:51 +1000 +Subject: powerpc/tm: do not use r13 for tabort_syscall + +From: Nicholas Piggin + +commit cc7786d3ee7e3c979799db834b528db2c0834c2e upstream. + +tabort_syscall runs with RI=1, so a nested recoverable machine +check will load the paca into r13 and overwrite what we loaded +it with, because exceptions returning to privileged mode do not +restore r13. + +Fixes: b4b56f9ecab4 (powerpc/tm: Abort syscalls in active transactions) +Signed-off-by: Nick Piggin +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/entry_64.S | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/kernel/entry_64.S ++++ b/arch/powerpc/kernel/entry_64.S +@@ -334,13 +334,13 @@ syscall_exit_work: + tabort_syscall: + /* Firstly we need to enable TM in the kernel */ + mfmsr r10 +- li r13, 1 +- rldimi r10, r13, MSR_TM_LG, 63-MSR_TM_LG ++ li r9, 1 ++ rldimi r10, r9, MSR_TM_LG, 63-MSR_TM_LG + mtmsrd r10, 0 + + /* tabort, this dooms the transaction, nothing else */ +- li r13, (TM_CAUSE_SYSCALL|TM_CAUSE_PERSISTENT) +- TABORT(R13) ++ li r9, (TM_CAUSE_SYSCALL|TM_CAUSE_PERSISTENT) ++ TABORT(R9) + + /* + * Return directly to userspace. We have corrupted user register state, +@@ -348,8 +348,8 @@ tabort_syscall: + * resume after the tbegin of the aborted transaction with the + * checkpointed register state. + */ +- li r13, MSR_RI +- andc r10, r10, r13 ++ li r9, MSR_RI ++ andc r10, r10, r9 + mtmsrd r10, 1 + mtspr SPRN_SRR0, r11 + mtspr SPRN_SRR1, r12 diff --git a/queue-4.4/revert-wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch b/queue-4.4/revert-wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch new file mode 100644 index 00000000000..a29d058132e --- /dev/null +++ b/queue-4.4/revert-wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch @@ -0,0 +1,63 @@ +From 4d0bd46a4d55383f7b925e6cf7865a77e0f0e020 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Mon, 8 Aug 2016 08:45:33 +0200 +Subject: Revert "wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel" + +From: Johannes Berg + +commit 4d0bd46a4d55383f7b925e6cf7865a77e0f0e020 upstream. + +This reverts commit 3d5fdff46c4b2b9534fa2f9fc78e90a48e0ff724. + +Ben Hutchings pointed out that the commit isn't safe since it assumes +that the structure used by the driver is iw_point, when in fact there's +no way to know about that. + +Fortunately, the only driver in the tree that ever runs this code path +is the wilc1000 staging driver, so it doesn't really matter. + +Clearly I should have investigated this better before applying, sorry. + +Reported-by: Ben Hutchings +Fixes: 3d5fdff46c4b ("wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel") +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/wext-core.c | 25 ++----------------------- + 1 file changed, 2 insertions(+), 23 deletions(-) + +--- a/net/wireless/wext-core.c ++++ b/net/wireless/wext-core.c +@@ -955,29 +955,8 @@ static int wireless_process_ioctl(struct + return private(dev, iwr, cmd, info, handler); + } + /* Old driver API : call driver ioctl handler */ +- if (dev->netdev_ops->ndo_do_ioctl) { +-#ifdef CONFIG_COMPAT +- if (info->flags & IW_REQUEST_FLAG_COMPAT) { +- int ret = 0; +- struct iwreq iwr_lcl; +- struct compat_iw_point *iwp_compat = (void *) &iwr->u.data; +- +- memcpy(&iwr_lcl, iwr, sizeof(struct iwreq)); +- iwr_lcl.u.data.pointer = compat_ptr(iwp_compat->pointer); +- iwr_lcl.u.data.length = iwp_compat->length; +- iwr_lcl.u.data.flags = iwp_compat->flags; +- +- ret = dev->netdev_ops->ndo_do_ioctl(dev, (void *) &iwr_lcl, cmd); +- +- iwp_compat->pointer = ptr_to_compat(iwr_lcl.u.data.pointer); +- iwp_compat->length = iwr_lcl.u.data.length; +- iwp_compat->flags = iwr_lcl.u.data.flags; +- +- return ret; +- } else +-#endif +- return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd); +- } ++ if (dev->netdev_ops->ndo_do_ioctl) ++ return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd); + return -EOPNOTSUPP; + } + diff --git a/queue-4.4/sched-core-fix-a-race-between-try_to_wake_up-and-a-woken-up-task.patch b/queue-4.4/sched-core-fix-a-race-between-try_to_wake_up-and-a-woken-up-task.patch new file mode 100644 index 00000000000..ccaac8c3e48 --- /dev/null +++ b/queue-4.4/sched-core-fix-a-race-between-try_to_wake_up-and-a-woken-up-task.patch @@ -0,0 +1,146 @@ +From 135e8c9250dd5c8c9aae5984fde6f230d0cbfeaf Mon Sep 17 00:00:00 2001 +From: Balbir Singh +Date: Mon, 5 Sep 2016 13:16:40 +1000 +Subject: sched/core: Fix a race between try_to_wake_up() and a woken up task + +From: Balbir Singh + +commit 135e8c9250dd5c8c9aae5984fde6f230d0cbfeaf upstream. + +The origin of the issue I've seen is related to +a missing memory barrier between check for task->state and +the check for task->on_rq. + +The task being woken up is already awake from a schedule() +and is doing the following: + + do { + schedule() + set_current_state(TASK_(UN)INTERRUPTIBLE); + } while (!cond); + +The waker, actually gets stuck doing the following in +try_to_wake_up(): + + while (p->on_cpu) + cpu_relax(); + +Analysis: + +The instance I've seen involves the following race: + + CPU1 CPU2 + + while () { + if (cond) + break; + do { + schedule(); + set_current_state(TASK_UN..) + } while (!cond); + wakeup_routine() + spin_lock_irqsave(wait_lock) + raw_spin_lock_irqsave(wait_lock) wake_up_process() + } try_to_wake_up() + set_current_state(TASK_RUNNING); .. + list_del(&waiter.list); + +CPU2 wakes up CPU1, but before it can get the wait_lock and set +current state to TASK_RUNNING the following occurs: + + CPU3 + wakeup_routine() + raw_spin_lock_irqsave(wait_lock) + if (!list_empty) + wake_up_process() + try_to_wake_up() + raw_spin_lock_irqsave(p->pi_lock) + .. + if (p->on_rq && ttwu_wakeup()) + .. + while (p->on_cpu) + cpu_relax() + .. + +CPU3 tries to wake up the task on CPU1 again since it finds +it on the wait_queue, CPU1 is spinning on wait_lock, but immediately +after CPU2, CPU3 got it. + +CPU3 checks the state of p on CPU1, it is TASK_UNINTERRUPTIBLE and +the task is spinning on the wait_lock. Interestingly since p->on_rq +is checked under pi_lock, I've noticed that try_to_wake_up() finds +p->on_rq to be 0. This was the most confusing bit of the analysis, +but p->on_rq is changed under runqueue lock, rq_lock, the p->on_rq +check is not reliable without this fix IMHO. The race is visible +(based on the analysis) only when ttwu_queue() does a remote wakeup +via ttwu_queue_remote. In which case the p->on_rq change is not +done uder the pi_lock. + +The result is that after a while the entire system locks up on +the raw_spin_irqlock_save(wait_lock) and the holder spins infintely + +Reproduction of the issue: + +The issue can be reproduced after a long run on my system with 80 +threads and having to tweak available memory to very low and running +memory stress-ng mmapfork test. It usually takes a long time to +reproduce. I am trying to work on a test case that can reproduce +the issue faster, but thats work in progress. I am still testing the +changes on my still in a loop and the tests seem OK thus far. + +Big thanks to Benjamin and Nick for helping debug this as well. +Ben helped catch the missing barrier, Nick caught every missing +bit in my theory. + +Signed-off-by: Balbir Singh +[ Updated comment to clarify matching barriers. Many + architectures do not have a full barrier in switch_to() + so that cannot be relied upon. ] +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Benjamin Herrenschmidt +Cc: Alexey Kardashevskiy +Cc: Linus Torvalds +Cc: Nicholas Piggin +Cc: Nicholas Piggin +Cc: Oleg Nesterov +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/e02cce7b-d9ca-1ad0-7a61-ea97c7582b37@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched/core.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -1945,6 +1945,28 @@ try_to_wake_up(struct task_struct *p, un + success = 1; /* we're going to change ->state */ + cpu = task_cpu(p); + ++ /* ++ * Ensure we load p->on_rq _after_ p->state, otherwise it would ++ * be possible to, falsely, observe p->on_rq == 0 and get stuck ++ * in smp_cond_load_acquire() below. ++ * ++ * sched_ttwu_pending() try_to_wake_up() ++ * [S] p->on_rq = 1; [L] P->state ++ * UNLOCK rq->lock -----. ++ * \ ++ * +--- RMB ++ * schedule() / ++ * LOCK rq->lock -----' ++ * UNLOCK rq->lock ++ * ++ * [task p] ++ * [S] p->state = UNINTERRUPTIBLE [L] p->on_rq ++ * ++ * Pairs with the UNLOCK+LOCK on rq->lock from the ++ * last wakeup of our task and the schedule that got our task ++ * current. ++ */ ++ smp_rmb(); + if (p->on_rq && ttwu_remote(p, wake_flags)) + goto stat; + diff --git a/queue-4.4/serial-8250-added-acces-i-o-products-quad-and-octal-serial-cards.patch b/queue-4.4/serial-8250-added-acces-i-o-products-quad-and-octal-serial-cards.patch new file mode 100644 index 00000000000..108d40b9d29 --- /dev/null +++ b/queue-4.4/serial-8250-added-acces-i-o-products-quad-and-octal-serial-cards.patch @@ -0,0 +1,175 @@ +From c8d192428f52f244130b84650ad616df09f2b1e1 Mon Sep 17 00:00:00 2001 +From: Jimi Damon +Date: Wed, 20 Jul 2016 17:00:40 -0700 +Subject: serial: 8250: added acces i/o products quad and octal serial cards + +From: Jimi Damon + +commit c8d192428f52f244130b84650ad616df09f2b1e1 upstream. + +Added devices ids for acces i/o products quad and octal serial cards +that make use of existing Pericom PI7C9X7954 and PI7C9X7958 +configurations . + +Signed-off-by: Jimi Damon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_pci.c | 139 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 139 insertions(+) + +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -1952,6 +1952,43 @@ pci_wch_ch38x_setup(struct serial_privat + #define PCI_DEVICE_ID_PERICOM_PI7C9X7954 0x7954 + #define PCI_DEVICE_ID_PERICOM_PI7C9X7958 0x7958 + ++#define PCI_VENDOR_ID_ACCESIO 0x494f ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SDB 0x1051 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2S 0x1053 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB 0x105C ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4S 0x105E ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_2DB 0x1091 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_2 0x1093 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB 0x1099 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_4 0x109B ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SMDB 0x10D1 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2SM 0x10D3 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB 0x10DA ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4SM 0x10DC ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1 0x1108 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_2 0x1110 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_2 0x1111 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4 0x1118 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_4 0x1119 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2S 0x1152 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S 0x115A ++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_2 0x1190 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_2 0x1191 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4 0x1198 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_4 0x1199 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2SM 0x11D0 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4 0x105A ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4 0x105B ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM422_8 0x106A ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM485_8 0x106B ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4 0x1098 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_8 0x10A9 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM 0x10D9 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_8SM 0x10E9 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM 0x11D8 ++ ++ ++ + /* Unknown vendors/cards - this should not be in linux/pci_ids.h */ + #define PCI_SUBDEVICE_ID_UNKNOWN_0x1584 0x1584 + #define PCI_SUBDEVICE_ID_UNKNOWN_0x1588 0x1588 +@@ -5120,6 +5157,108 @@ static struct pci_device_id serial_pci_t + 0, + 0, pbn_pericom_PI7C9X7958 }, + /* ++ * ACCES I/O Products quad ++ */ ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SDB, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2S, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4S, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_2DB, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_2, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_4, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SMDB, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2SM, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4SM, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_2, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_2, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_4, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2S, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_2, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_2, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_4, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2SM, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7958 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7958 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM422_8, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7958 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM485_8, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7958 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7958 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_8, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7958 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7958 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_8SM, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7958 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7958 }, ++ /* + * Topic TP560 Data/Fax/Voice 56k modem (reported by Evan Clarke) + */ + { PCI_VENDOR_ID_TOPIC, PCI_DEVICE_ID_TOPIC_TP560, diff --git a/queue-4.4/serial-8250_mid-fix-divide-error-bug-if-baud-rate-is-0.patch b/queue-4.4/serial-8250_mid-fix-divide-error-bug-if-baud-rate-is-0.patch new file mode 100644 index 00000000000..987062870ef --- /dev/null +++ b/queue-4.4/serial-8250_mid-fix-divide-error-bug-if-baud-rate-is-0.patch @@ -0,0 +1,35 @@ +From 47b34d2ef266e2c283b514d65c8963c2ccd42474 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Fri, 1 Jul 2016 17:21:49 +0300 +Subject: serial: 8250_mid: fix divide error bug if baud rate is 0 + +From: Andy Shevchenko + +commit 47b34d2ef266e2c283b514d65c8963c2ccd42474 upstream. + +Since the commit c1a67b48f6a5 ("serial: 8250_pci: replace switch-case by +formula for Intel MID"), the 8250 driver crashes in the byt_set_termios() +function with a divide error. This is caused by the fact that a baud rate of 0 +(B0) is not handled properly. Fix it by falling back to B9600 in this case. + +Reported-by: "Mendez Salinas, Fernando" +Fixes: c1a67b48f6a5 ("serial: 8250_pci: replace switch-case by formula for Intel MID") +Signed-off-by: Andy Shevchenko +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_mid.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/tty/serial/8250/8250_mid.c ++++ b/drivers/tty/serial/8250/8250_mid.c +@@ -149,6 +149,9 @@ static void mid8250_set_termios(struct u + unsigned long w = BIT(24) - 1; + unsigned long mul, div; + ++ /* Gracefully handle the B0 case: fall back to B9600 */ ++ fuart = fuart ? fuart : 9600 * 16; ++ + if (mid->board->freq < fuart) { + /* Find prescaler value that satisfies Fuart < Fref */ + if (mid->board->freq > baud) diff --git a/queue-4.4/series b/queue-4.4/series index 62c97a9258b..7a92d667534 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -6,3 +6,71 @@ revert-kvm-x86-fix-missed-hardware-breakpoints.patch fscrypto-require-write-access-to-mount-to-set-encryption-policy.patch lightnvm-put-bio-before-return.patch tipc-move-linearization-of-buffers-to-generic-code.patch +powerpc-tm-do-not-use-r13-for-tabort_syscall.patch +powerpc-powernv-drop-reference-added-by-kset_find_obj.patch +powerpc-mm-don-t-alias-user-region-to-other-regions-below-page_offset.patch +kernfs-don-t-depend-on-d_find_any_alias-when-generating-notifications.patch +pnfs-the-client-must-not-do-i-o-to-the-ds-if-it-s-lease-has-expired.patch +nfsv4.1-fix-oopsable-condition-in-server-callback-races.patch +nfsv4.x-fix-a-refcount-leak-in-nfs_callback_up_net.patch +nfsd-close-race-between-nfsd4_release_lockowner-and-nfsd4_lock.patch +pnfs-ensure-layoutget-and-layoutreturn-are-properly-serialised.patch +nfsv4.1-fix-the-create_session-slot-number-accounting.patch +kexec-fix-double-free-when-failing-to-relocate-the-purgatory.patch +mm-introduce-get_task_exe_file.patch +audit-fix-exe_file-access-in-audit_exe_compare.patch +dm-flakey-fix-reads-to-be-issued-if-drop_writes-configured.patch +ib-uverbs-fix-race-between-uverbs_close-and-remove_one.patch +arc-mm-fix-build-breakage-with-strict_mm_typechecks.patch +x86-paravirt-do-not-trace-_paravirt_ident_-functions.patch +x86-amd-apply-erratum-665-on-machines-without-a-bios-fix.patch +kvm-arm-unmap-shadow-pagetables-properly.patch +iio-accel-kxsd9-fix-raw-read-return.patch +iio-proximity-as3935-set-up-buffer-timestamps-for-non-zero-values.patch +iio-adc-rockchip_saradc-reset-saradc-controller-before-programming-it.patch +iio-adc-ti_am335x_adc-protect-fifo1-from-concurrent-access.patch +iio-adc-ti_am335x_adc-increase-timeout-value-waiting-for-adc-sample.patch +iio-ad799x-fix-buffered-capture-for-ad7991-ad7995-ad7999.patch +iio-adc-at91-unbreak-channel-adc-channel-3.patch +iio-accel-bmc150-reset-chip-at-init-time.patch +iio-fix-pressure-data-output-unit-in-hid-sensor-attributes.patch +iio-accel-kxsd9-fix-scaling-bug.patch +iio-core-fix-iio_val_fractional-sign-handling.patch +iio-ensure-ret-is-initialized-to-zero-before-entering-do-loop.patch +serial-8250_mid-fix-divide-error-bug-if-baud-rate-is-0.patch +serial-8250-added-acces-i-o-products-quad-and-octal-serial-cards.patch +usb-serial-simple-add-support-for-another-infineon-flashloader.patch +usb-renesas_usbhs-fix-clearing-the-brdy-bemp-sts-condition.patch +usb-chipidea-udc-fix-null-ptr-dereference-in-isr_setup_status_phase.patch +arm-dts-stih410-handle-interconnect-clock-required-by-ehci-ohci-usb.patch +usb-change-binterval-default-to-10-ms.patch +cxl-use-pcibios_free_controller_deferred-when-removing-vphbs.patch +net-thunderx-fix-oops-with-ethtool-register-dump.patch +cpuset-make-sure-new-tasks-conform-to-the-current-config-of-the-cpuset.patch +arm-am43xx-hwmod-fix-rstst-register-offset-for-pruss.patch +arm-imx6-add-missing-bm_clpcr_byp_mmdc_ch0_lpm_hs-setting-for-imx6ul.patch +arm-imx6-add-missing-bm_clpcr_bypass_pmic_ready-setting-for-imx6sx.patch +arm-kirkwood-ib62x0-fix-size-of-u-boot-environment-partition.patch +arm-omap3-hwmod-data-add-sysc-information-for-dsi.patch +arm-dts-imx6qdl-fix-spdif-regression.patch +arm-dts-overo-fix-gpmc-nand-cs0-range.patch +arm-dts-overo-fix-gpmc-nand-on-boards-with-ethernet.patch +arm-dts-stih407-family-provide-interconnect-clock-for-consumption-in-st-sdhci.patch +bus-arm-ccn-fix-pmu-handling-of-mn.patch +bus-arm-ccn-do-not-attempt-to-configure-xps-for-cycle-counter.patch +bus-arm-ccn-fix-xp-watchpoint-settings-bitmask.patch +dm-log-writes-fix-check-of-kthread_run-return-value.patch +dm-log-writes-move-io-accounting-earlier-to-fix-error-path.patch +dm-crypt-fix-error-with-too-large-bios.patch +pinctrl-pistachio-fix-mfio-pll_lock-pinmux.patch +pinctrl-sunxi-fix-uart1-cts-rts-pins-at-pg-on-a23-a33.patch +arm64-spinlocks-implement-smp_mb__before_spinlock-as-smp_mb.patch +crypto-cryptd-initialize-child-shash_desc-on-import.patch +btrfs-remove-root_log_ctx-from-ctx-list-before-btrfs_sync_log-returns.patch +fuse-direct-io-don-t-dirty-iter_bvec-pages.patch +xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch +md-cluster-make-md-cluster-also-can-work-when-compiled-into-kernel.patch +ath9k-fix-using-sta-drv_priv-before-initializing-it.patch +revert-wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch +sched-core-fix-a-race-between-try_to_wake_up-and-a-woken-up-task.patch +ipv6-addrconf-fix-dev-refcont-leak-when-dad-failed.patch diff --git a/queue-4.4/usb-change-binterval-default-to-10-ms.patch b/queue-4.4/usb-change-binterval-default-to-10-ms.patch new file mode 100644 index 00000000000..ae5127770ca --- /dev/null +++ b/queue-4.4/usb-change-binterval-default-to-10-ms.patch @@ -0,0 +1,97 @@ +From 08c5cd37480f59ea39682f4585d92269be6b1424 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 16 Sep 2016 10:24:26 -0400 +Subject: USB: change bInterval default to 10 ms + +From: Alan Stern + +commit 08c5cd37480f59ea39682f4585d92269be6b1424 upstream. + +Some full-speed mceusb infrared transceivers contain invalid endpoint +descriptors for their interrupt endpoints, with bInterval set to 0. +In the past they have worked out okay with the mceusb driver, because +the driver sets the bInterval field in the descriptor to 1, +overwriting whatever value may have been there before. However, this +approach was never sanctioned by the USB core, and in fact it does not +work with xHCI controllers, because they use the bInterval value that +was present when the configuration was installed. + +Currently usbcore uses 32 ms as the default interval if the value in +the endpoint descriptor is invalid. It turns out that these IR +transceivers don't work properly unless the interval is set to 10 ms +or below. To work around this mceusb problem, this patch changes the +endpoint-descriptor parsing routine, making the default interval value +be 10 ms rather than 32 ms. + +Signed-off-by: Alan Stern +Tested-by: Wade Berrier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/config.c | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -211,8 +211,10 @@ static int usb_parse_endpoint(struct dev + memcpy(&endpoint->desc, d, n); + INIT_LIST_HEAD(&endpoint->urb_list); + +- /* Fix up bInterval values outside the legal range. Use 32 ms if no +- * proper value can be guessed. */ ++ /* ++ * Fix up bInterval values outside the legal range. ++ * Use 10 or 8 ms if no proper value can be guessed. ++ */ + i = 0; /* i = min, j = max, n = default */ + j = 255; + if (usb_endpoint_xfer_int(d)) { +@@ -221,13 +223,15 @@ static int usb_parse_endpoint(struct dev + case USB_SPEED_SUPER_PLUS: + case USB_SPEED_SUPER: + case USB_SPEED_HIGH: +- /* Many device manufacturers are using full-speed ++ /* ++ * Many device manufacturers are using full-speed + * bInterval values in high-speed interrupt endpoint +- * descriptors. Try to fix those and fall back to a +- * 32 ms default value otherwise. */ ++ * descriptors. Try to fix those and fall back to an ++ * 8-ms default value otherwise. ++ */ + n = fls(d->bInterval*8); + if (n == 0) +- n = 9; /* 32 ms = 2^(9-1) uframes */ ++ n = 7; /* 8 ms = 2^(7-1) uframes */ + j = 16; + + /* +@@ -242,10 +246,12 @@ static int usb_parse_endpoint(struct dev + } + break; + default: /* USB_SPEED_FULL or _LOW */ +- /* For low-speed, 10 ms is the official minimum. ++ /* ++ * For low-speed, 10 ms is the official minimum. + * But some "overclocked" devices might want faster +- * polling so we'll allow it. */ +- n = 32; ++ * polling so we'll allow it. ++ */ ++ n = 10; + break; + } + } else if (usb_endpoint_xfer_isoc(d)) { +@@ -253,10 +259,10 @@ static int usb_parse_endpoint(struct dev + j = 16; + switch (to_usb_device(ddev)->speed) { + case USB_SPEED_HIGH: +- n = 9; /* 32 ms = 2^(9-1) uframes */ ++ n = 7; /* 8 ms = 2^(7-1) uframes */ + break; + default: /* USB_SPEED_FULL */ +- n = 6; /* 32 ms = 2^(6-1) frames */ ++ n = 4; /* 8 ms = 2^(4-1) frames */ + break; + } + } diff --git a/queue-4.4/usb-chipidea-udc-fix-null-ptr-dereference-in-isr_setup_status_phase.patch b/queue-4.4/usb-chipidea-udc-fix-null-ptr-dereference-in-isr_setup_status_phase.patch new file mode 100644 index 00000000000..7260dc225e7 --- /dev/null +++ b/queue-4.4/usb-chipidea-udc-fix-null-ptr-dereference-in-isr_setup_status_phase.patch @@ -0,0 +1,48 @@ +From 6f3c4fb6d05e63c9c6d8968302491c3a5457be61 Mon Sep 17 00:00:00 2001 +From: Clemens Gruber +Date: Mon, 5 Sep 2016 19:29:58 +0200 +Subject: usb: chipidea: udc: fix NULL ptr dereference in isr_setup_status_phase + +From: Clemens Gruber + +commit 6f3c4fb6d05e63c9c6d8968302491c3a5457be61 upstream. + +Problems with the signal integrity of the high speed USB data lines or +noise on reference ground lines can cause the i.MX6 USB controller to +violate USB specs and exhibit unexpected behavior. + +It was observed that USBi_UI interrupts were triggered first and when +isr_setup_status_phase was called, ci->status was NULL, which lead to a +NULL pointer dereference kernel panic. + +This patch fixes the kernel panic, emits a warning once and returns +-EPIPE to halt the device and let the host get stalled. +It also adds a comment to point people, who are experiencing this issue, +to their USB hardware design. + +Signed-off-by: Clemens Gruber +Signed-off-by: Peter Chen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/chipidea/udc.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/usb/chipidea/udc.c ++++ b/drivers/usb/chipidea/udc.c +@@ -939,6 +939,15 @@ static int isr_setup_status_phase(struct + int retval; + struct ci_hw_ep *hwep; + ++ /* ++ * Unexpected USB controller behavior, caused by bad signal integrity ++ * or ground reference problems, can lead to isr_setup_status_phase ++ * being called with ci->status equal to NULL. ++ * If this situation occurs, you should review your USB hardware design. ++ */ ++ if (WARN_ON_ONCE(!ci->status)) ++ return -EPIPE; ++ + hwep = (ci->ep0_dir == TX) ? ci->ep0out : ci->ep0in; + ci->status->context = ci; + ci->status->complete = isr_setup_status_complete; diff --git a/queue-4.4/usb-renesas_usbhs-fix-clearing-the-brdy-bemp-sts-condition.patch b/queue-4.4/usb-renesas_usbhs-fix-clearing-the-brdy-bemp-sts-condition.patch new file mode 100644 index 00000000000..a8e9048300f --- /dev/null +++ b/queue-4.4/usb-renesas_usbhs-fix-clearing-the-brdy-bemp-sts-condition.patch @@ -0,0 +1,56 @@ +From 519d8bd4b5d3d82c413eac5bb42b106bb4b9ec15 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Mon, 29 Aug 2016 18:00:38 +0900 +Subject: usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition + +From: Yoshihiro Shimoda + +commit 519d8bd4b5d3d82c413eac5bb42b106bb4b9ec15 upstream. + +The previous driver is possible to stop the transfer wrongly. +For example: + 1) An interrupt happens, but not BRDY interruption. + 2) Read INTSTS0. And than state->intsts0 is not set to BRDY. + 3) BRDY is set to 1 here. + 4) Read BRDYSTS. + 5) Clear the BRDYSTS. And then. the BRDY is cleared wrongly. + +Remarks: + - The INTSTS0.BRDY is read only. + - If any bits of BRDYSTS are set to 1, the BRDY is set to 1. + - If BRDYSTS is 0, the BRDY is set to 0. + +So, this patch adds condition to avoid such situation. (And about +NRDYSTS, this is not used for now. But, avoiding any side effects, +this patch doesn't touch it.) + +Fixes: d5c6a1e024dd ("usb: renesas_usbhs: fixup interrupt status clear method") +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/renesas_usbhs/mod.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/usb/renesas_usbhs/mod.c ++++ b/drivers/usb/renesas_usbhs/mod.c +@@ -282,9 +282,16 @@ static irqreturn_t usbhs_interrupt(int i + if (usbhs_mod_is_host(priv)) + usbhs_write(priv, INTSTS1, ~irq_state.intsts1 & INTSTS1_MAGIC); + +- usbhs_write(priv, BRDYSTS, ~irq_state.brdysts); ++ /* ++ * The driver should not clear the xxxSTS after the line of ++ * "call irq callback functions" because each "if" statement is ++ * possible to call the callback function for avoiding any side effects. ++ */ ++ if (irq_state.intsts0 & BRDY) ++ usbhs_write(priv, BRDYSTS, ~irq_state.brdysts); + usbhs_write(priv, NRDYSTS, ~irq_state.nrdysts); +- usbhs_write(priv, BEMPSTS, ~irq_state.bempsts); ++ if (irq_state.intsts0 & BEMP) ++ usbhs_write(priv, BEMPSTS, ~irq_state.bempsts); + + /* + * call irq callback functions diff --git a/queue-4.4/usb-serial-simple-add-support-for-another-infineon-flashloader.patch b/queue-4.4/usb-serial-simple-add-support-for-another-infineon-flashloader.patch new file mode 100644 index 00000000000..31228144803 --- /dev/null +++ b/queue-4.4/usb-serial-simple-add-support-for-another-infineon-flashloader.patch @@ -0,0 +1,34 @@ +From f190fd92458da3e869b4e2c6289e2c617490ae53 Mon Sep 17 00:00:00 2001 +From: Daniele Palmas +Date: Fri, 2 Sep 2016 10:37:56 +0200 +Subject: USB: serial: simple: add support for another Infineon flashloader + +From: Daniele Palmas + +commit f190fd92458da3e869b4e2c6289e2c617490ae53 upstream. + +This patch adds support for Infineon flashloader 0x8087/0x0801. + +The flashloader is used in Telit LE940B modem family with Telit +flashing application. + +Signed-off-by: Daniele Palmas +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/usb-serial-simple.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/usb-serial-simple.c ++++ b/drivers/usb/serial/usb-serial-simple.c +@@ -54,7 +54,8 @@ DEVICE(funsoft, FUNSOFT_IDS); + /* Infineon Flashloader driver */ + #define FLASHLOADER_IDS() \ + { USB_DEVICE_INTERFACE_CLASS(0x058b, 0x0041, USB_CLASS_CDC_DATA) }, \ +- { USB_DEVICE(0x8087, 0x0716) } ++ { USB_DEVICE(0x8087, 0x0716) }, \ ++ { USB_DEVICE(0x8087, 0x0801) } + DEVICE(flashloader, FLASHLOADER_IDS); + + /* Google Serial USB SubClass */ diff --git a/queue-4.4/x86-amd-apply-erratum-665-on-machines-without-a-bios-fix.patch b/queue-4.4/x86-amd-apply-erratum-665-on-machines-without-a-bios-fix.patch new file mode 100644 index 00000000000..84dff58d355 --- /dev/null +++ b/queue-4.4/x86-amd-apply-erratum-665-on-machines-without-a-bios-fix.patch @@ -0,0 +1,55 @@ +From d1992996753132e2dafe955cccb2fb0714d3cfc4 Mon Sep 17 00:00:00 2001 +From: Emanuel Czirai +Date: Fri, 2 Sep 2016 07:35:50 +0200 +Subject: x86/AMD: Apply erratum 665 on machines without a BIOS fix + +From: Emanuel Czirai + +commit d1992996753132e2dafe955cccb2fb0714d3cfc4 upstream. + +AMD F12h machines have an erratum which can cause DIV/IDIV to behave +unpredictably. The workaround is to set MSRC001_1029[31] but sometimes +there is no BIOS update containing that workaround so let's do it +ourselves unconditionally. It is simple enough. + +[ Borislav: Wrote commit message. ] + +Signed-off-by: Emanuel Czirai +Signed-off-by: Borislav Petkov +Cc: Yaowu Xu +Link: http://lkml.kernel.org/r/20160902053550.18097-1-bp@alien8.de +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/amd.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -656,6 +656,17 @@ static void init_amd_gh(struct cpuinfo_x + set_cpu_bug(c, X86_BUG_AMD_TLB_MMATCH); + } + ++#define MSR_AMD64_DE_CFG 0xC0011029 ++ ++static void init_amd_ln(struct cpuinfo_x86 *c) ++{ ++ /* ++ * Apply erratum 665 fix unconditionally so machines without a BIOS ++ * fix work. ++ */ ++ msr_set_bit(MSR_AMD64_DE_CFG, 31); ++} ++ + static void init_amd_bd(struct cpuinfo_x86 *c) + { + u64 value; +@@ -713,6 +724,7 @@ static void init_amd(struct cpuinfo_x86 + case 6: init_amd_k7(c); break; + case 0xf: init_amd_k8(c); break; + case 0x10: init_amd_gh(c); break; ++ case 0x12: init_amd_ln(c); break; + case 0x15: init_amd_bd(c); break; + } + diff --git a/queue-4.4/x86-paravirt-do-not-trace-_paravirt_ident_-functions.patch b/queue-4.4/x86-paravirt-do-not-trace-_paravirt_ident_-functions.patch new file mode 100644 index 00000000000..af4f2897172 --- /dev/null +++ b/queue-4.4/x86-paravirt-do-not-trace-_paravirt_ident_-functions.patch @@ -0,0 +1,86 @@ +From 15301a570754c7af60335d094dd2d1808b0641a5 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Wed, 25 May 2016 13:47:26 -0400 +Subject: x86/paravirt: Do not trace _paravirt_ident_*() functions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Steven Rostedt + +commit 15301a570754c7af60335d094dd2d1808b0641a5 upstream. + +Łukasz Daniluk reported that on a RHEL kernel that his machine would lock up +after enabling function tracer. I asked him to bisect the functions within +available_filter_functions, which he did and it came down to three: + + _paravirt_nop(), _paravirt_ident_32() and _paravirt_ident_64() + +It was found that this is only an issue when noreplace-paravirt is added +to the kernel command line. + +This means that those functions are most likely called within critical +sections of the funtion tracer, and must not be traced. + +In newer kenels _paravirt_nop() is defined within gcc asm(), and is no +longer an issue. But both _paravirt_ident_{32,64}() causes the +following splat when they are traced: + + mm/pgtable-generic.c:33: bad pmd ffff8800d2435150(0000000001d00054) + mm/pgtable-generic.c:33: bad pmd ffff8800d3624190(0000000001d00070) + mm/pgtable-generic.c:33: bad pmd ffff8800d36a5110(0000000001d00054) + mm/pgtable-generic.c:33: bad pmd ffff880118eb1450(0000000001d00054) + NMI watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [systemd-journal:469] + Modules linked in: e1000e + CPU: 2 PID: 469 Comm: systemd-journal Not tainted 4.6.0-rc4-test+ #513 + Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012 + task: ffff880118f740c0 ti: ffff8800d4aec000 task.ti: ffff8800d4aec000 + RIP: 0010:[] [] queued_spin_lock_slowpath+0x118/0x1a0 + RSP: 0018:ffff8800d4aefb90 EFLAGS: 00000246 + RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88011eb16d40 + RDX: ffffffff82485760 RSI: 000000001f288820 RDI: ffffea0000008030 + RBP: ffff8800d4aefb90 R08: 00000000000c0000 R09: 0000000000000000 + R10: ffffffff821c8e0e R11: 0000000000000000 R12: ffff880000200fb8 + R13: 00007f7a4e3f7000 R14: ffffea000303f600 R15: ffff8800d4b562e0 + FS: 00007f7a4e3d7840(0000) GS:ffff88011eb00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f7a4e3f7000 CR3: 00000000d3e71000 CR4: 00000000001406e0 + Call Trace: + _raw_spin_lock+0x27/0x30 + handle_pte_fault+0x13db/0x16b0 + handle_mm_fault+0x312/0x670 + __do_page_fault+0x1b1/0x4e0 + do_page_fault+0x22/0x30 + page_fault+0x28/0x30 + __vfs_read+0x28/0xe0 + vfs_read+0x86/0x130 + SyS_read+0x46/0xa0 + entry_SYSCALL_64_fastpath+0x1e/0xa8 + Code: 12 48 c1 ea 0c 83 e8 01 83 e2 30 48 98 48 81 c2 40 6d 01 00 48 03 14 c5 80 6a 5d 82 48 89 0a 8b 41 08 85 c0 75 09 f3 90 8b 41 08 <85> c0 74 f7 4c 8b 09 4d 85 c9 74 08 41 0f 18 09 eb 02 f3 90 8b + +Reported-by: Łukasz Daniluk +Signed-off-by: Steven Rostedt +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/paravirt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/paravirt.c ++++ b/arch/x86/kernel/paravirt.c +@@ -55,12 +55,12 @@ asm (".pushsection .entry.text, \"ax\"\n + ".popsection"); + + /* identity function, which can be inlined */ +-u32 _paravirt_ident_32(u32 x) ++u32 notrace _paravirt_ident_32(u32 x) + { + return x; + } + +-u64 _paravirt_ident_64(u64 x) ++u64 notrace _paravirt_ident_64(u64 x) + { + return x; + } diff --git a/queue-4.4/xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch b/queue-4.4/xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch new file mode 100644 index 00000000000..1ab6b09ef41 --- /dev/null +++ b/queue-4.4/xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch @@ -0,0 +1,48 @@ +From bcf42aa60c2832510b9be0f30c090bfd35bb172d Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Wed, 7 Sep 2016 17:26:33 +0300 +Subject: xhci: fix null pointer dereference in stop command timeout function + +From: Mathias Nyman + +commit bcf42aa60c2832510b9be0f30c090bfd35bb172d upstream. + +The stop endpoint command has its own 5 second timeout timer. +If the timeout function is triggered between USB3 and USB2 host +removal it will try to call usb_hc_died(xhci_to_hcd(xhci)->primary_hcd) + +the ->primary_hcd will be set to NULL at USB3 hcd removal. + +Fix this by first checking if the PCI host is being removed, and +also by using only xhci_to_hcd() as it will always return the primary +hcd. + +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-ring.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -846,6 +846,10 @@ void xhci_stop_endpoint_command_watchdog + spin_lock_irqsave(&xhci->lock, flags); + + ep->stop_cmds_pending--; ++ if (xhci->xhc_state & XHCI_STATE_REMOVING) { ++ spin_unlock_irqrestore(&xhci->lock, flags); ++ return; ++ } + if (xhci->xhc_state & XHCI_STATE_DYING) { + xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, + "Stop EP timer ran, but another timer marked " +@@ -899,7 +903,7 @@ void xhci_stop_endpoint_command_watchdog + spin_unlock_irqrestore(&xhci->lock, flags); + xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, + "Calling usb_hc_died()"); +- usb_hc_died(xhci_to_hcd(xhci)->primary_hcd); ++ usb_hc_died(xhci_to_hcd(xhci)); + xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, + "xHCI host controller is dead."); + }