From: Greg Kroah-Hartman Date: Wed, 5 Oct 2016 08:18:12 +0000 (+0200) Subject: 4.7-stable patches X-Git-Tag: v4.8.1~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6dfab9526df185d33f6c61f7d60eb28f949ca3b9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.7-stable patches added patches: arm-8618-1-decompressor-reset-ttbcr-fields-to-use-ttbr0-on-armv7.patch arm64-debug-avoid-resetting-stepping-state-machine-when-tif_singlestep.patch batman-adv-add-missing-refcnt-for-last_candidate.patch batman-adv-fix-elp-packet-data-reservation.patch gpio-sa1100-fix-irq-probing-for-ucb1x00.patch i40iw-add-missing-check-for-interface-already-open.patch i40iw-add-missing-null-check-for-mpa-private-data.patch i40iw-avoid-writing-to-freed-memory.patch i40iw-change-mem_resources-pointer-to-a-u8.patch i40iw-do-not-set-self-referencing-pointer-to-null-after-kfree.patch i40iw-fix-double-free-of-allocated_buffer.patch i40iw-protect-req_resource_num-update.patch i40iw-receive-notification-events-correctly.patch i40iw-send-last-streaming-mode-message-for-loopback-connections.patch i40iw-update-hw_iwarp_state.patch irqchip-gicv3-silence-noisy-debug_per_cpu_maps-warning.patch mac80211-check-skb_linearize-return-value.patch usb-gadget-fsl_qe_udc-signedness-bug-in-qe_get_frame.patch --- diff --git a/queue-4.7/arm-8618-1-decompressor-reset-ttbcr-fields-to-use-ttbr0-on-armv7.patch b/queue-4.7/arm-8618-1-decompressor-reset-ttbcr-fields-to-use-ttbr0-on-armv7.patch new file mode 100644 index 00000000000..9ec79b4ba4a --- /dev/null +++ b/queue-4.7/arm-8618-1-decompressor-reset-ttbcr-fields-to-use-ttbr0-on-armv7.patch 
@@ -0,0 +1,42 @@ +From 117e5e9c4cfcb7628f08de074fbfefec1bb678b7 Mon Sep 17 00:00:00 2001 +From: Srinivas Ramana +Date: Fri, 30 Sep 2016 15:03:31 +0100 +Subject: ARM: 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7 + +From: Srinivas Ramana + +commit 117e5e9c4cfcb7628f08de074fbfefec1bb678b7 upstream. + +If the bootloader uses the long descriptor format and jumps to +kernel decompressor code, TTBCR may not be in a right state. +Before enabling the MMU, it is required to clear the TTBCR.PD0 +field to use TTBR0 for translation table walks. + +The commit dbece45894d3a ("ARM: 7501/1: decompressor: +reset ttbcr for VMSA ARMv7 cores") does the reset of TTBCR.N, but +doesn't consider all the bits for the size of TTBCR.N. + +Clear TTBCR.PD0 field and reset all the three bits of TTBCR.N to +indicate the use of TTBR0 and the correct base address width. + +Fixes: dbece45894d3 ("ARM: 7501/1: decompressor: reset ttbcr for VMSA ARMv7 cores") +Acked-by: Robin Murphy +Signed-off-by: Srinivas Ramana +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/compressed/head.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/compressed/head.S ++++ b/arch/arm/boot/compressed/head.S +@@ -779,7 +779,7 @@ __armv7_mmu_cache_on: + orrne r0, r0, #1 @ MMU enabled + movne r1, #0xfffffffd @ domain 0 = client + bic r6, r6, #1 << 31 @ 32-bit translation system +- bic r6, r6, #3 << 0 @ use only ttbr0 ++ bic r6, r6, #(7 << 0) | (1 << 4) @ use only ttbr0 + mcrne p15, 0, r3, c2, c0, 0 @ load page table pointer + mcrne p15, 0, r1, c3, c0, 0 @ load domain access control + mcrne p15, 0, r6, c2, c0, 2 @ load ttb control diff --git a/queue-4.7/arm64-debug-avoid-resetting-stepping-state-machine-when-tif_singlestep.patch b/queue-4.7/arm64-debug-avoid-resetting-stepping-state-machine-when-tif_singlestep.patch new file mode 100644 index 00000000000..2898e22c426 --- /dev/null 
+++ b/queue-4.7/arm64-debug-avoid-resetting-stepping-state-machine-when-tif_singlestep.patch @@ -0,0 +1,46 @@ +From 3a402a709500c5a3faca2111668c33d96555e35a Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Fri, 26 Aug 2016 11:36:39 +0100 +Subject: arm64: debug: avoid resetting stepping state machine when TIF_SINGLESTEP + +From: Will Deacon + +commit 3a402a709500c5a3faca2111668c33d96555e35a upstream. + +When TIF_SINGLESTEP is set for a task, the single-step state machine is +enabled and we must take care not to reset it to the active-not-pending +state if it is already in the active-pending state. + +Unfortunately, that's exactly what user_enable_single_step does, by +unconditionally setting the SS bit in the SPSR for the current task. +This causes failures in the GDB testsuite, where GDB ends up missing +expected step traps if the instruction being stepped generates another +trap, e.g. PTRACE_EVENT_FORK from an SVC instruction. + +This patch fixes the problem by preserving the current state of the +stepping state machine when TIF_SINGLESTEP is set on the current thread. + +Cc: +Reported-by: Yao Qi +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/debug-monitors.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/arm64/kernel/debug-monitors.c ++++ b/arch/arm64/kernel/debug-monitors.c +@@ -417,8 +417,10 @@ int kernel_active_single_step(void) + /* ptrace API */ + void user_enable_single_step(struct task_struct *task) + { +- set_ti_thread_flag(task_thread_info(task), TIF_SINGLESTEP); +- set_regs_spsr_ss(task_pt_regs(task)); ++ struct thread_info *ti = task_thread_info(task); ++ ++ if (!test_and_set_ti_thread_flag(ti, TIF_SINGLESTEP)) ++ set_regs_spsr_ss(task_pt_regs(task)); + } + + void user_disable_single_step(struct task_struct *task) 
diff --git a/queue-4.7/batman-adv-add-missing-refcnt-for-last_candidate.patch b/queue-4.7/batman-adv-add-missing-refcnt-for-last_candidate.patch new file mode 100644 index 00000000000..511e6a3d0a9 --- /dev/null +++ b/queue-4.7/batman-adv-add-missing-refcnt-for-last_candidate.patch 
@@ -0,0 +1,78 @@ +From 936523441bb64cdc9a5b263e8fd2782e70313a57 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Sat, 6 Aug 2016 15:50:52 +0200 +Subject: batman-adv: Add missing refcnt for last_candidate + +From: Sven Eckelmann + +commit 936523441bb64cdc9a5b263e8fd2782e70313a57 upstream. + +batadv_find_router dereferences last_bonding_candidate from +orig_node without making sure that it has a valid reference. This reference +has to be retrieved by increasing the reference counter while holding +neigh_list_lock. The lock is required to avoid that +batadv_last_bonding_replace removes the current last_bonding_candidate, +reduces the reference counter and maybe destroys the object in this +process. + +Fixes: f3b3d9018975 ("batman-adv: add bonding again") +Signed-off-by: Sven Eckelmann +Signed-off-by: Marek Lindner +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/routing.c | 28 +++++++++++++++++++++++++++- + 1 file changed, 27 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/routing.c ++++ b/net/batman-adv/routing.c +@@ -456,6 +456,29 @@ static int batadv_check_unicast_packet(s + } + + /** ++ * batadv_last_bonding_get - Get last_bonding_candidate of orig_node ++ * @orig_node: originator node whose last bonding candidate should be retrieved ++ * ++ * Return: last bonding candidate of router or NULL if not found ++ * ++ * The object is returned with refcounter increased by 1. 
++ */ ++static struct batadv_orig_ifinfo * ++batadv_last_bonding_get(struct batadv_orig_node *orig_node) ++{ ++ struct batadv_orig_ifinfo *last_bonding_candidate; ++ ++ spin_lock_bh(&orig_node->neigh_list_lock); ++ last_bonding_candidate = orig_node->last_bonding_candidate; ++ ++ if (last_bonding_candidate) ++ kref_get(&last_bonding_candidate->refcount); ++ spin_unlock_bh(&orig_node->neigh_list_lock); ++ ++ return last_bonding_candidate; ++} ++ ++/** + * batadv_last_bonding_replace - Replace last_bonding_candidate of orig_node + * @orig_node: originator node whose bonding candidates should be replaced + * @new_candidate: new bonding candidate or NULL +@@ -525,7 +548,7 @@ batadv_find_router(struct batadv_priv *b + * router - obviously there are no other candidates. + */ + rcu_read_lock(); +- last_candidate = orig_node->last_bonding_candidate; ++ last_candidate = batadv_last_bonding_get(orig_node); + if (last_candidate) + last_cand_router = rcu_dereference(last_candidate->router); + +@@ -617,6 +640,9 @@ next: + batadv_orig_ifinfo_put(next_candidate); + } + ++ if (last_candidate) ++ batadv_orig_ifinfo_put(last_candidate); ++ + return router; + } + diff --git a/queue-4.7/batman-adv-fix-elp-packet-data-reservation.patch b/queue-4.7/batman-adv-fix-elp-packet-data-reservation.patch new file mode 100644 index 00000000000..8df1352817e --- /dev/null +++ b/queue-4.7/batman-adv-fix-elp-packet-data-reservation.patch 
@@ -0,0 +1,40 @@ +From 1e5d343b8f23770e8ac5d31f5c439826bdb35148 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Linus=20L=C3=BCssing?= +Date: Tue, 23 Aug 2016 03:13:03 +0200 +Subject: batman-adv: fix elp packet data reservation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Lüssing + +commit 1e5d343b8f23770e8ac5d31f5c439826bdb35148 upstream. + +The skb_reserve() call only reserved headroom for the mac header, but +not the elp packet header itself. + +Fixing this by using skb_put()'ing towards the skb tail instead of +skb_push()'ing towards the skb head. + +Fixes: d6f94d91f766 ("batman-adv: ELP - adding basic infrastructure") +Signed-off-by: Linus Lüssing +Signed-off-by: Marek Lindner +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/bat_v_elp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/batman-adv/bat_v_elp.c ++++ b/net/batman-adv/bat_v_elp.c +@@ -334,7 +334,7 @@ int batadv_v_elp_iface_enable(struct bat + goto out; + + skb_reserve(hard_iface->bat_v.elp_skb, ETH_HLEN + NET_IP_ALIGN); +- elp_buff = skb_push(hard_iface->bat_v.elp_skb, BATADV_ELP_HLEN); ++ elp_buff = skb_put(hard_iface->bat_v.elp_skb, BATADV_ELP_HLEN); + elp_packet = (struct batadv_elp_packet *)elp_buff; + memset(elp_packet, 0, BATADV_ELP_HLEN); + diff --git a/queue-4.7/gpio-sa1100-fix-irq-probing-for-ucb1x00.patch b/queue-4.7/gpio-sa1100-fix-irq-probing-for-ucb1x00.patch new file mode 100644 index 00000000000..564b4d4def6 --- /dev/null +++ b/queue-4.7/gpio-sa1100-fix-irq-probing-for-ucb1x00.patch 
@@ -0,0 +1,34 @@ +From 56beac95cb88c188d2a885825a5da131edb41fe3 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Mon, 29 Aug 2016 11:24:10 +0100 +Subject: gpio: sa1100: fix irq probing for ucb1x00 + +From: Russell King + +commit 56beac95cb88c188d2a885825a5da131edb41fe3 upstream. + +ucb1x00 has used IRQ probing since it's dawn to find the GPIO interrupt +that it's connected to. However, commit 23393d49fb75 ("gpio: kill off +set_irq_flags usage") broke this by disabling IRQ probing on GPIO +interrupts. Fix this. + +Fixes: 23393d49fb75 ("gpio: kill off set_irq_flags usage") +Signed-off-by: Russell King +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-sa1100.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-sa1100.c ++++ b/drivers/gpio/gpio-sa1100.c +@@ -155,7 +155,7 @@ static int sa1100_gpio_irqdomain_map(str + { + irq_set_chip_and_handler(irq, &sa1100_gpio_irq_chip, + handle_edge_irq); +- irq_set_noprobe(irq); ++ irq_set_probe(irq); + + return 0; + } diff --git a/queue-4.7/i40iw-add-missing-check-for-interface-already-open.patch b/queue-4.7/i40iw-add-missing-check-for-interface-already-open.patch new file mode 100644 index 00000000000..5e4a0244537 --- /dev/null +++ b/queue-4.7/i40iw-add-missing-check-for-interface-already-open.patch 
@@ -0,0 +1,37 @@ +From faa739fb5df56aadab96bcd2f6eb3486cc3a3aec Mon Sep 17 00:00:00 2001 +From: Mustafa Ismail +Date: Mon, 22 Aug 2016 18:17:12 -0500 +Subject: i40iw: Add missing check for interface already open + +From: Mustafa Ismail + +commit faa739fb5df56aadab96bcd2f6eb3486cc3a3aec upstream. + +In i40iw_open(), check if interface is already open +and return success if it is. + +Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status") + +Reported-by: Stefan Assmann +Signed-off-by: Mustafa Ismail +Signed-off-by: Shiraz Saleem +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/i40iw/i40iw_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/infiniband/hw/i40iw/i40iw_main.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_main.c +@@ -1558,6 +1558,10 @@ static int i40iw_open(struct i40e_info * + enum i40iw_status_code status; + struct i40iw_handler *hdl; + ++ hdl = i40iw_find_netdev(ldev->netdev); ++ if (hdl) ++ return 0; ++ + hdl = kzalloc(sizeof(*hdl), GFP_KERNEL); + if (!hdl) + return -ENOMEM; diff --git a/queue-4.7/i40iw-add-missing-null-check-for-mpa-private-data.patch b/queue-4.7/i40iw-add-missing-null-check-for-mpa-private-data.patch new file mode 100644 index 00000000000..361eb02ab54 --- /dev/null +++ b/queue-4.7/i40iw-add-missing-null-check-for-mpa-private-data.patch 
@@ -0,0 +1,40 @@ +From 5dfd5e5e3bc68ab3912acc712c8180942094fc69 Mon Sep 17 00:00:00 2001 +From: Shiraz Saleem +Date: Mon, 22 Aug 2016 18:16:37 -0500 +Subject: i40iw: Add missing NULL check for MPA private data + +From: Shiraz Saleem + +commit 5dfd5e5e3bc68ab3912acc712c8180942094fc69 upstream. + +Add NULL check for pdata and pdata->addr before the memcpy in +i40iw_form_cm_frame(). This fixes a NULL pointer de-reference +which occurs when the MPA private data pointer is NULL. Also +only copy pdata->size bytes in the memcpy to prevent reading +past the length of the private data buffer provided by upper layer. + +Fixes: f27b4746f378 ("i40iw: add connection management code") + +Reported-by: Stefan Assmann +Signed-off-by: Mustafa Ismail +Signed-off-by: Shiraz Saleem +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/i40iw/i40iw_cm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c +@@ -535,8 +535,8 @@ static struct i40iw_puda_buf *i40iw_form + buf += hdr_len; + } + +- if (pd_len) +- memcpy(buf, pdata->addr, pd_len); ++ if (pdata && pdata->addr) ++ memcpy(buf, pdata->addr, pdata->size); + + atomic_set(&sqbuf->refcount, 1); + diff --git a/queue-4.7/i40iw-avoid-writing-to-freed-memory.patch b/queue-4.7/i40iw-avoid-writing-to-freed-memory.patch new file mode 100644 index 00000000000..8bbf00db181 --- /dev/null +++ b/queue-4.7/i40iw-avoid-writing-to-freed-memory.patch 
@@ -0,0 +1,37 @@ +From 433c58139f6a7d59824aadd23d6c9cac1d4e6100 Mon Sep 17 00:00:00 2001 +From: Mustafa Ismail +Date: Tue, 23 Aug 2016 17:24:56 -0500 +Subject: i40iw: Avoid writing to freed memory + +From: Mustafa Ismail + +commit 433c58139f6a7d59824aadd23d6c9cac1d4e6100 upstream. + +iwpbl->iwmr points to the structure that contains iwpbl, +which is iwmr. Setting this to NULL would result in +writing to freed memory. So just free iwmr, and return. + +Fixes: d37498417947 ("i40iw: add files for iwarp interface") + +Reported-by: Stefan Assmann +Signed-off-by: Mustafa Ismail +Signed-off-by: Shiraz Saleem +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/i40iw/i40iw_verbs.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c +@@ -1924,8 +1924,7 @@ static int i40iw_dereg_mr(struct ib_mr * + } + if (iwpbl->pbl_allocated) + i40iw_free_pble(iwdev->pble_rsrc, palloc); +- kfree(iwpbl->iwmr); +- iwpbl->iwmr = NULL; ++ kfree(iwmr); + return 0; + } + diff --git a/queue-4.7/i40iw-change-mem_resources-pointer-to-a-u8.patch b/queue-4.7/i40iw-change-mem_resources-pointer-to-a-u8.patch new file mode 100644 index 00000000000..9797053c841 --- /dev/null +++ b/queue-4.7/i40iw-change-mem_resources-pointer-to-a-u8.patch 
@@ -0,0 +1,38 @@ +From 6c7d46fdb8165ece4b0a17fb8f0b9320dbfeffc2 Mon Sep 17 00:00:00 2001 +From: Shiraz Saleem +Date: Mon, 22 Aug 2016 18:09:14 -0500 +Subject: i40iw: Change mem_resources pointer to a u8 + +From: Shiraz Saleem + +commit 6c7d46fdb8165ece4b0a17fb8f0b9320dbfeffc2 upstream. + +iwdev->mem_resources is incorrectly defined as an unsigned +long instead of u8. As a result, the offset into the dynamic +allocated structures in i40iw_initialize_hw_resources() is +incorrectly calculated and would lead to writing of memory +regions outside of the allocated buffer. + +Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status") + +Reported-by: Stefan Assmann +Signed-off-by: Mustafa Ismail +Signed-off-by: Shiraz Saleem +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/i40iw/i40iw.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/i40iw/i40iw.h ++++ b/drivers/infiniband/hw/i40iw/i40iw.h +@@ -232,7 +232,7 @@ struct i40iw_device { + struct i40e_client *client; + struct i40iw_hw hw; + struct i40iw_cm_core cm_core; +- unsigned long *mem_resources; ++ u8 *mem_resources; + unsigned long *allocated_qps; + unsigned long *allocated_cqs; + unsigned long *allocated_mrs; diff --git a/queue-4.7/i40iw-do-not-set-self-referencing-pointer-to-null-after-kfree.patch b/queue-4.7/i40iw-do-not-set-self-referencing-pointer-to-null-after-kfree.patch new file mode 100644 index 00000000000..6adde4cc21d --- /dev/null +++ b/queue-4.7/i40iw-do-not-set-self-referencing-pointer-to-null-after-kfree.patch 
@@ -0,0 +1,40 @@ +From 7eaf8313b1cfe93417a22bdc3f7380cac2a3dc6d Mon Sep 17 00:00:00 2001 +From: Mustafa Ismail +Date: Mon, 22 Aug 2016 19:01:47 -0500 +Subject: i40iw: Do not set self-referencing pointer to NULL after kfree + +From: Mustafa Ismail + +commit 7eaf8313b1cfe93417a22bdc3f7380cac2a3dc6d upstream. + +In i40iw_free_virt_mem(), do not set mem->va to NULL +after freeing it as mem->va is a self-referencing pointer +to mem. + +Fixes: 4e9042e647ff ("i40iw: add hw and utils files") + +Reported-by: Stefan Assmann +Signed-off-by: Mustafa Ismail +Signed-off-by: Shiraz Saleem +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/i40iw/i40iw_utils.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/i40iw/i40iw_utils.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_utils.c +@@ -673,8 +673,11 @@ enum i40iw_status_code i40iw_free_virt_m + { + if (!mem) + return I40IW_ERR_PARAM; ++ /* ++ * mem->va points to the parent of mem, so both mem and mem->va ++ * can not be touched once mem->va is freed ++ */ + kfree(mem->va); +- mem->va = NULL; + return 0; + } + diff --git a/queue-4.7/i40iw-fix-double-free-of-allocated_buffer.patch b/queue-4.7/i40iw-fix-double-free-of-allocated_buffer.patch new file mode 100644 index 00000000000..7a58a10960d --- /dev/null +++ b/queue-4.7/i40iw-fix-double-free-of-allocated_buffer.patch 
@@ -0,0 +1,34 @@ +From d41d0910d97f05be987d2d60de7e8685c108963b Mon Sep 17 00:00:00 2001 +From: Mustafa Ismail +Date: Tue, 23 Aug 2016 16:50:13 -0500 +Subject: i40iw: Fix double free of allocated_buffer + +From: Mustafa Ismail + +commit d41d0910d97f05be987d2d60de7e8685c108963b upstream. + +Memory allocated for iwqp; iwqp->allocated_buffer is freed twice in +the create_qp error path. Correct this by having it freed only once in +i40iw_free_qp_resources(). + +Fixes: d37498417947 ("i40iw: add files for iwarp interface") + +Signed-off-by: Mustafa Ismail +Signed-off-by: Shiraz Saleem +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/i40iw/i40iw_verbs.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c +@@ -794,7 +794,6 @@ static struct ib_qp *i40iw_create_qp(str + return &iwqp->ibqp; + error: + i40iw_free_qp_resources(iwdev, iwqp, qp_num); +- kfree(mem); + return ERR_PTR(err_code); + } + diff --git a/queue-4.7/i40iw-protect-req_resource_num-update.patch b/queue-4.7/i40iw-protect-req_resource_num-update.patch new file mode 100644 index 00000000000..47cfd947373 --- /dev/null +++ b/queue-4.7/i40iw-protect-req_resource_num-update.patch 
@@ -0,0 +1,36 @@ +From 44856be3e95c87f03e850ef4fdf8c0503c2dde18 Mon Sep 17 00:00:00 2001 +From: Mustafa Ismail +Date: Mon, 22 Aug 2016 18:15:58 -0500 +Subject: i40iw: Protect req_resource_num update + +From: Mustafa Ismail + +commit 44856be3e95c87f03e850ef4fdf8c0503c2dde18 upstream. + +In i40iw_alloc_resource(), ensure that the update to +req_resource_num is protected by the lock. + +Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status") + +Reported-by: Stefan Assmann +Signed-off-by: Mustafa Ismail +Signed-off-by: Shiraz Saleem +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/i40iw/i40iw.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/i40iw/i40iw.h ++++ b/drivers/infiniband/hw/i40iw/i40iw.h +@@ -435,8 +435,8 @@ static inline int i40iw_alloc_resource(s + *next = resource_num + 1; + if (*next == max_resources) + *next = 0; +- spin_unlock_irqrestore(&iwdev->resource_lock, flags); + *req_resource_num = resource_num; ++ spin_unlock_irqrestore(&iwdev->resource_lock, flags); + + return 0; + } diff --git a/queue-4.7/i40iw-receive-notification-events-correctly.patch b/queue-4.7/i40iw-receive-notification-events-correctly.patch new file mode 100644 index 00000000000..a6d5a8778e2 --- /dev/null +++ b/queue-4.7/i40iw-receive-notification-events-correctly.patch 
@@ -0,0 +1,62 @@ +From b71121b4b70a995c0b794026e84c880c4f26c361 Mon Sep 17 00:00:00 2001 +From: Shiraz Saleem +Date: Thu, 25 Aug 2016 11:53:24 -0500 +Subject: i40iw: Receive notification events correctly + +From: Shiraz Saleem + +commit b71121b4b70a995c0b794026e84c880c4f26c361 upstream. + +Device notifications are not received after the first interface is +closed; since there is an unregister for notifications on every +interface close. Correct this by unregistering for device +notifications only when the last interface is closed. Also, make +all operations on the i40iw_notifiers_registered atomic as it +can be read/modified concurrently. + +Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status") + +Signed-off-by: Mustafa Ismail +Signed-off-by: Shiraz Saleem +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/i40iw/i40iw_main.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/infiniband/hw/i40iw/i40iw_main.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_main.c +@@ -100,7 +100,7 @@ static struct notifier_block i40iw_net_n + .notifier_call = i40iw_net_event + }; + +-static int i40iw_notifiers_registered; ++static atomic_t i40iw_notifiers_registered; + + /** + * i40iw_find_i40e_handler - find a handler given a client info +@@ -1342,12 +1342,11 @@ exit: + */ + static void i40iw_register_notifiers(void) + { +- if (!i40iw_notifiers_registered) { ++ if (atomic_inc_return(&i40iw_notifiers_registered) == 1) { + register_inetaddr_notifier(&i40iw_inetaddr_notifier); + register_inet6addr_notifier(&i40iw_inetaddr6_notifier); + register_netevent_notifier(&i40iw_net_notifier); + } +- i40iw_notifiers_registered++; + } + + /** +@@ -1429,8 +1428,7 @@ static void i40iw_deinit_device(struct i + i40iw_del_macip_entry(iwdev, (u8)iwdev->mac_ip_table_idx); + /* fallthrough */ + case INET_NOTIFIER: +- if (i40iw_notifiers_registered > 0) { +- i40iw_notifiers_registered--; ++ if 
(!atomic_dec_return(&i40iw_notifiers_registered)) { + unregister_netevent_notifier(&i40iw_net_notifier); + unregister_inetaddr_notifier(&i40iw_inetaddr_notifier); + unregister_inet6addr_notifier(&i40iw_inetaddr6_notifier); diff --git a/queue-4.7/i40iw-send-last-streaming-mode-message-for-loopback-connections.patch b/queue-4.7/i40iw-send-last-streaming-mode-message-for-loopback-connections.patch new file mode 100644 index 00000000000..a8192e56f7e --- /dev/null +++ b/queue-4.7/i40iw-send-last-streaming-mode-message-for-loopback-connections.patch 
@@ -0,0 +1,64 @@ +From 07c72d7d54d138eb2ca37709a5a3d55fbcc01536 Mon Sep 17 00:00:00 2001 +From: Tatyana Nikolova +Date: Wed, 24 Aug 2016 13:59:17 -0500 +Subject: i40iw: Send last streaming mode message for loopback connections + +From: Tatyana Nikolova + +commit 07c72d7d54d138eb2ca37709a5a3d55fbcc01536 upstream. + +Send a zero length last streaming mode message for loopback +connections to synchronize between accepting QP and connecting QP. +This avoids data transfer to start on the accepting QP before +the connecting QP is in RTS. Also remove function i40iw_loopback_nop() +as it is no longer used. + +Fixes: f27b4746f378 ("i40iw: add connection management code") + +Signed-off-by: Tatyana Nikolova +Signed-off-by: Shiraz Saleem +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/i40iw/i40iw_cm.c | 22 +--------------------- + 1 file changed, 1 insertion(+), 21 deletions(-) + +--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c +@@ -3347,26 +3347,6 @@ int i40iw_cm_disconn(struct i40iw_qp *iw + } + + /** +- * i40iw_loopback_nop - Send a nop +- * @qp: associated hw qp +- */ +-static void i40iw_loopback_nop(struct i40iw_sc_qp *qp) +-{ +- u64 *wqe; +- u64 header; +- +- wqe = qp->qp_uk.sq_base->elem; +- set_64bit_val(wqe, 0, 0); +- set_64bit_val(wqe, 8, 0); +- set_64bit_val(wqe, 16, 0); +- +- header = LS_64(I40IWQP_OP_NOP, I40IWQPSQ_OPCODE) | +- LS_64(0, I40IWQPSQ_SIGCOMPL) | +- LS_64(qp->qp_uk.swqe_polarity, I40IWQPSQ_VALID); +- set_64bit_val(wqe, 24, header); +-} +- +-/** + * i40iw_qp_disconnect - free qp and close cm + * @iwqp: associate qp for the connection + */ +@@ -3638,7 +3618,7 @@ int i40iw_accept(struct iw_cm_id *cm_id, + } else { + if (iwqp->page) + iwqp->sc_qp.qp_uk.sq_base = kmap(iwqp->page); +- i40iw_loopback_nop(&iwqp->sc_qp); ++ dev->iw_priv_qp_ops->qp_send_lsmm(&iwqp->sc_qp, NULL, 0, 0); + } + + if (iwqp->page) 
diff --git a/queue-4.7/i40iw-update-hw_iwarp_state.patch b/queue-4.7/i40iw-update-hw_iwarp_state.patch new file mode 100644 index 00000000000..33a1200734f --- /dev/null +++ b/queue-4.7/i40iw-update-hw_iwarp_state.patch @@ -0,0 +1,35 @@ +From 866e0f4d73390ee6f5cd68aa92cf74eef3a2b0f2 Mon Sep 17 00:00:00 2001 +From: Mustafa Ismail +Date: Thu, 25 Aug 2016 11:52:47 -0500 +Subject: i40iw: Update hw_iwarp_state + +From: Mustafa Ismail + +commit 866e0f4d73390ee6f5cd68aa92cf74eef3a2b0f2 upstream. + +Update iwqp->hw_iwarp_state to reflect the new state of the CQP +modify QP operation. This avoids reissuing a CQP operation to +modify a QP to a state that it is already in. + +Fixes: 4e9042e647ff ("i40iw: add hw and utils files") + +Reported-by: Stefan Assmann +Signed-off-by: Mustafa Ismail +Signed-off-by: Shiraz Saleem +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/i40iw/i40iw_hw.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/hw/i40iw/i40iw_hw.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_hw.c +@@ -265,6 +265,7 @@ void i40iw_next_iw_state(struct i40iw_qp + info.dont_send_fin = false; + if (iwqp->sc_qp.term_flags && (state == I40IW_QP_STATE_ERROR)) + info.reset_tcp_conn = true; ++ iwqp->hw_iwarp_state = state; + i40iw_hw_modify_qp(iwqp->iwdev, iwqp, &info, 0); + } + diff --git a/queue-4.7/irqchip-gicv3-silence-noisy-debug_per_cpu_maps-warning.patch b/queue-4.7/irqchip-gicv3-silence-noisy-debug_per_cpu_maps-warning.patch new file mode 100644 index 00000000000..a3ea48ee265 --- /dev/null +++ b/queue-4.7/irqchip-gicv3-silence-noisy-debug_per_cpu_maps-warning.patch 
@@ -0,0 +1,92 @@ +From 727653d6ce7103b245eb8041f55dd5885f4c3289 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Mon, 19 Sep 2016 18:29:15 +0100 +Subject: irqchip/gicv3: Silence noisy DEBUG_PER_CPU_MAPS warning + +From: James Morse + +commit 727653d6ce7103b245eb8041f55dd5885f4c3289 upstream. + +gic_raise_softirq() walks the list of cpus using for_each_cpu(), it calls +gic_compute_target_list() which advances the iterator by the number of +CPUs in the cluster. + +If gic_compute_target_list() reaches the last CPU it leaves the iterator +pointing at the last CPU. This means the next time round the for_each_cpu() +loop cpumask_next() will be called with an invalid CPU. + +This triggers a warning when built with CONFIG_DEBUG_PER_CPU_MAPS: +[ 3.077738] GICv3: CPU1: found redistributor 1 region 0:0x000000002f120000 +[ 3.077943] CPU1: Booted secondary processor [410fd0f0] +[ 3.078542] ------------[ cut here ]------------ +[ 3.078746] WARNING: CPU: 1 PID: 0 at ../include/linux/cpumask.h:121 gic_raise_softirq+0x12c/0x170 +[ 3.078812] Modules linked in: +[ 3.078869] +[ 3.078930] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.8.0-rc5+ #5188 +[ 3.078994] Hardware name: Foundation-v8A (DT) +[ 3.079059] task: ffff80087a1a0080 task.stack: ffff80087a19c000 +[ 3.079145] PC is at gic_raise_softirq+0x12c/0x170 +[ 3.079226] LR is at gic_raise_softirq+0xa4/0x170 +[ 3.079296] pc : [] lr : [] pstate: 200001c9 +[ 3.081139] Call trace: +[ 3.081202] Exception stack(0xffff80087a19fbe0 to 0xffff80087a19fd10) + +[ 3.082269] [] gic_raise_softirq+0x12c/0x170 +[ 3.082354] [] smp_send_reschedule+0x34/0x40 +[ 3.082433] [] resched_curr+0x50/0x88 +[ 3.082512] [] check_preempt_curr+0x60/0xd0 +[ 3.082593] [] ttwu_do_wakeup+0x20/0xe8 +[ 3.082672] [] ttwu_do_activate+0x90/0xc0 +[ 3.082753] [] try_to_wake_up+0x224/0x370 +[ 3.082836] [] default_wake_function+0x10/0x18 +[ 3.082920] [] __wake_up_common+0x5c/0xa0 +[ 3.083003] [] __wake_up_locked+0x14/0x20 +[ 3.083086] [] complete+0x40/0x60 +[ 3.083168] [] 
secondary_start_kernel+0x15c/0x1d0 +[ 3.083240] [<00000000808911a4>] 0x808911a4 +[ 3.113401] Detected PIPT I-cache on CPU2 + +Avoid updating the iterator if the next call to cpumask_next() would +cause the for_each_cpu() loop to exit. + +There is no change to gic_raise_softirq()'s behaviour, (cpumask_next()s +eventual call to _find_next_bit() will return early as start >= nbits), +this patch just silences the warning. + +Fixes: 021f653791ad ("irqchip: gic-v3: Initial support for GICv3") +Signed-off-by: James Morse +Acked-by: Marc Zyngier +Cc: linux-arm-kernel@lists.infradead.org +Cc: Jason Cooper +Link: http://lkml.kernel.org/r/1474306155-3303-1-git-send-email-james.morse@arm.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-gic-v3.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -558,7 +558,7 @@ static struct notifier_block gic_cpu_not + static u16 gic_compute_target_list(int *base_cpu, const struct cpumask *mask, + unsigned long cluster_id) + { +- int cpu = *base_cpu; ++ int next_cpu, cpu = *base_cpu; + unsigned long mpidr = cpu_logical_map(cpu); + u16 tlist = 0; + +@@ -572,9 +572,10 @@ static u16 gic_compute_target_list(int * + + tlist |= 1 << (mpidr & 0xf); + +- cpu = cpumask_next(cpu, mask); +- if (cpu >= nr_cpu_ids) ++ next_cpu = cpumask_next(cpu, mask); ++ if (next_cpu >= nr_cpu_ids) + goto out; ++ cpu = next_cpu; + + mpidr = cpu_logical_map(cpu); + diff --git a/queue-4.7/iwlwifi-mvm-handle-frame_release-in-mq-code.patch b/queue-4.7/iwlwifi-mvm-handle-frame_release-in-mq-code.patch deleted file mode 100644 index ffe7a495bac..00000000000 --- a/queue-4.7/iwlwifi-mvm-handle-frame_release-in-mq-code.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 58035432d60616cc2ef6514a3d0e6d6ad01bf705 Mon Sep 17 00:00:00 2001 -From: Johannes Berg -Date: Wed, 27 Apr 2016 13:33:26 +0200 -Subject: iwlwifi: mvm: handle FRAME_RELEASE in MQ code - -From: Johannes Berg - -commit 58035432d60616cc2ef6514a3d0e6d6ad01bf705 upstream. - -For some reason, the FRAME_RELEASE message handling for the -default queue ended up being in the only/default queue for -non-RSS devices; fix that and handle FRAME_RELEASE properly -on the default queue for RSS devices. - -Fixes: 585a6fccf5b8 ("iwlwifi: mvm: infrastructure for frame-release message") -Signed-off-by: Johannes Berg -Signed-off-by: Luca Coelho -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c -+++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c -@@ -936,8 +936,6 @@ static void iwl_mvm_rx(struct iwl_op_mod - - if (likely(pkt->hdr.cmd == REPLY_RX_MPDU_CMD)) - iwl_mvm_rx_rx_mpdu(mvm, napi, rxb); -- else if (pkt->hdr.cmd == FRAME_RELEASE) -- iwl_mvm_rx_frame_release(mvm, napi, rxb, 0); - else if (pkt->hdr.cmd == REPLY_RX_PHY_CMD) - iwl_mvm_rx_rx_phy_cmd(mvm, rxb); - else -@@ -958,6 +956,8 @@ static void iwl_mvm_rx_mq(struct iwl_op_ - else if (unlikely(pkt->hdr.group_id == DATA_PATH_GROUP && - pkt->hdr.cmd == RX_QUEUES_NOTIFICATION)) - iwl_mvm_rx_queue_notif(mvm, rxb, 0); -+ else if (pkt->hdr.cmd == FRAME_RELEASE) -+ iwl_mvm_rx_frame_release(mvm, napi, rxb, 0); - else - iwl_mvm_rx_common(mvm, rxb, pkt); - } diff --git a/queue-4.7/mac80211-check-skb_linearize-return-value.patch b/queue-4.7/mac80211-check-skb_linearize-return-value.patch new file mode 100644 index 00000000000..5e4d64004ef --- /dev/null +++ b/queue-4.7/mac80211-check-skb_linearize-return-value.patch 
@@ -0,0 +1,39 @@ +From 0b97a484e52cb423662eb98904aad82dafcc1f10 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 14 Sep 2016 09:41:34 +0200 +Subject: mac80211: check skb_linearize() return value + +From: Johannes Berg + +commit 0b97a484e52cb423662eb98904aad82dafcc1f10 upstream. + +The A-MSDU TX code (within TXQs) didn't always check the return value +of skb_linearize() properly, resulting in potentially passing a frag- +list SKB down to the driver even when it said it can't handle it. Fix +that. + +Fixes: 6e0456b545456 ("mac80211: add A-MSDU tx support") +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/tx.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -1330,8 +1330,12 @@ out: + spin_unlock_bh(&txqi->queue.lock); + + if (skb && skb_has_frag_list(skb) && +- !ieee80211_hw_check(&local->hw, TX_FRAG_LIST)) +- skb_linearize(skb); ++ !ieee80211_hw_check(&local->hw, TX_FRAG_LIST)) { ++ if (skb_linearize(skb)) { ++ ieee80211_free_txskb(&local->hw, skb); ++ return NULL; ++ } ++ } + + return skb; + } diff --git a/queue-4.7/series b/queue-4.7/series index 6e11e66a7b7..1a0b6d6475a 100644 --- a/queue-4.7/series +++ b/queue-4.7/series @@ -24,7 +24,6 @@ nvmem-declare-nvmem_cell_read-consistently.patch hwmon-adt7411-set-bit-3-in-cfg1-register.patch sched-cputime-fix-prev-steal-time-accouting-during-cpu-hotplug.patch spi-sh-msiof-avoid-invalid-clock-generator-parameters.patch -iwlwifi-mvm-handle-frame_release-in-mq-code.patch iwlwifi-mvm-checksum-ipv6-fragmented-packet.patch iwlwifi-mvm-fix-txq-aggregation-bug.patch iwlwifi-mvm-write-the-correct-internal-txf-index.patch 
@@ -33,3 +32,21 @@ iwlwifi-pcie-fix-access-to-scratch-buffer.patch iwlwifi-mvm-free-rx-reorder-buffer-on-restart.patch iwlwifi-mvm-avoid-harmless-wmaybe-uninialized-warning.patch iwlwifi-mvm-don-t-use-ret-when-not-initialised.patch +usb-gadget-fsl_qe_udc-signedness-bug-in-qe_get_frame.patch +gpio-sa1100-fix-irq-probing-for-ucb1x00.patch +mac80211-check-skb_linearize-return-value.patch +i40iw-protect-req_resource_num-update.patch +i40iw-add-missing-check-for-interface-already-open.patch +i40iw-change-mem_resources-pointer-to-a-u8.patch +i40iw-fix-double-free-of-allocated_buffer.patch +i40iw-do-not-set-self-referencing-pointer-to-null-after-kfree.patch +i40iw-avoid-writing-to-freed-memory.patch +i40iw-add-missing-null-check-for-mpa-private-data.patch +i40iw-send-last-streaming-mode-message-for-loopback-connections.patch +i40iw-update-hw_iwarp_state.patch +i40iw-receive-notification-events-correctly.patch +batman-adv-add-missing-refcnt-for-last_candidate.patch +batman-adv-fix-elp-packet-data-reservation.patch +irqchip-gicv3-silence-noisy-debug_per_cpu_maps-warning.patch +arm-8618-1-decompressor-reset-ttbcr-fields-to-use-ttbr0-on-armv7.patch +arm64-debug-avoid-resetting-stepping-state-machine-when-tif_singlestep.patch diff --git a/queue-4.7/usb-gadget-fsl_qe_udc-signedness-bug-in-qe_get_frame.patch b/queue-4.7/usb-gadget-fsl_qe_udc-signedness-bug-in-qe_get_frame.patch new file mode 100644 index 00000000000..e8eb2dabad5 --- /dev/null +++ b/queue-4.7/usb-gadget-fsl_qe_udc-signedness-bug-in-qe_get_frame.patch 
@@ -0,0 +1,37 @@ +From f4693b08cc901912a87369c46537b94ed4084ea0 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 15 Jul 2016 14:15:47 +0300 +Subject: usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame() + +From: Dan Carpenter + +commit f4693b08cc901912a87369c46537b94ed4084ea0 upstream. + +We can't assign -EINVAL to a u16. + +Fixes: 3948f0e0c999 ('usb: add Freescale QE/CPM USB peripheral controller driver') +Acked-by: Peter Chen +Signed-off-by: Dan Carpenter +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/fsl_qe_udc.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/usb/gadget/udc/fsl_qe_udc.c ++++ b/drivers/usb/gadget/udc/fsl_qe_udc.c +@@ -1878,11 +1878,8 @@ static int qe_get_frame(struct usb_gadge + + tmp = in_be16(&udc->usb_param->frame_n); + if (tmp & 0x8000) +- tmp = tmp & 0x07ff; +- else +- tmp = -EINVAL; +- +- return (int)tmp; ++ return tmp & 0x07ff; ++ return -EINVAL; + } + + static int fsl_qe_start(struct usb_gadget *gadget,
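Review bot: in the second hunk of drivers/irqchip/irq-gic-v3.c (gic_compute_target_list(), at `next_cpu = cpumask_next(cpu, mask);`), the reason `cpu` is only assigned after the `next_cpu >= nr_cpu_ids` check is recorded in the commit message alone. A one-line comment above the assignment, saying that `cpu` is deliberately left unchanged when the mask is exhausted, would stop a later cleanup from folding `next_cpu` back into `cpu` and bringing the warning back. Minor style point in the first hunk: `int next_cpu, cpu = *base_cpu;` mixes an uninitialised and an initialised variable in one declaration; two separate lines read more clearly.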
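Review bot: the deletion of queue-4.7/iwlwifi-mvm-handle-frame_release-in-mq-code.patch, together with the removal of its entry in the first hunk of queue-4.7/series, is not explained anywhere in this commit; the changelog lists only the added patches. Please state why the patch is dropped from the 4.7 queue, so that anyone following its `Fixes: 585a6fccf5b8` tag can tell whether the fix is unnecessary for this tree or still outstanding.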
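Review bot: in the net/mac80211/tx.c hunk, the new failure path (`ieee80211_free_txskb(&local->hw, skb); return NULL;`) drops the frame silently, and the caller gets the same NULL it would get when `skb` was already NULL before the `if (skb && ...)` test. If the caller needs to tell a dropped frame from an empty result, or if drops here should be visible when debugging, consider a counter or a rate-limited message on this path. The nested `if` could also be folded into the outer condition with `&&` to save an indentation level.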
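Review bot: in the drivers/usb/gadget/udc/fsl_qe_udc.c hunk (qe_get_frame()), the masks in `if (tmp & 0x8000)` and `return tmp & 0x07ff;` remain bare constants. Since these lines are being rewritten anyway, named macros for the valid bit and the frame-number field would make the intent clear. Returning `-EINVAL` directly from the `int` function, rather than through `tmp`, does address the signedness problem described in the commit message.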