From: Greg Kroah-Hartman Date: Mon, 5 Sep 2016 13:36:04 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.14.78~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7b1937859f44b5fd3310ba9ff1e71a9a3d70d35f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: aacraid-check-size-values-after-double-fetch-from-user.patch arc-build-better-way-to-detect-isa-compatible-toolchain.patch arc-call-trace_hardirqs_on-before-enabling-irqs.patch arc-elide-redundant-setup-of-dma-callbacks.patch arc-use-correct-offset-in-pt_regs-for-saving-restoring-user-mode-r25.patch arm64-dts-rockchip-add-reset-saradc-node-for-rk3368-socs.patch btrfs-properly-track-when-rescan-worker-is-running.patch btrfs-waiting-on-qgroup-rescan-should-not-always-be-interruptible.patch cdc-acm-fix-wrong-pipe-type-on-rx-interrupt-xfers.patch drm-amd-amdgpu-sdma-resume-fail-during-s4-on-ci.patch drm-amdgpu-avoid-a-possible-array-overflow.patch drm-amdgpu-change-gart-offset-to-64-bit.patch drm-amdgpu-fix-amdgpu_move_blit-on-32bit-systems.patch drm-amdgpu-record-error-code-when-ring-test-failed.patch drm-amdgpu-skip-tv-cv-in-display-parsing.patch drm-i915-fix-aliasing_ppgtt-leak.patch edac-increment-correct-counter-in-edac_inc_ue_error.patch fs-seq_file-fix-out-of-bounds-read.patch gpio-fix-of-build-problem-on-um.patch i2c-cros-ec-tunnel-fix-usage-of-cros_ec_cmd_xfer.patch iio-fix-sched-warning-do-not-call-blocking-ops-when-task_running.patch iommu-arm-smmu-don-t-bug-if-we-find-aborting-stes-with-disable_bypass.patch iommu-arm-smmu-fix-cmdq-error-handling.patch iommu-dma-don-t-put-uninitialised-iova-domains.patch mac80211-fix-purging-multicast-ps-buffer-queue.patch megaraid_sas-fix-probing-cards-without-io-port.patch mfd-cros_ec-add-cros_ec_cmd_xfer_status-helper.patch mpt3sas-fix-resume-on-warpdrive-flash-cards.patch of-fix-reference-counting-in-of_graph_get_endpoint_by_regs.patch pinctrl-amd-remove-the-default-de-bounce-time.patch s390-dasd-fix-hanging-device-after-clear-subchannel.patch sched-cputime-fix-no_hz_full-getrusage-monotonicity-regression.patch sched-nohz-fix-affine-unpinned-timers-mess.patch usb-renesas_usbhs-gadget-fix-return-value-check-in-usbhs_mod_gadget_probe.patch --- diff --git a/queue-4.4/aacraid-check-size-values-after-double-fetch-from-user.patch b/queue-4.4/aacraid-check-size-values-after-double-fetch-from-user.patch new file mode 100644 index 00000000000..2ab30e68bdc --- /dev/null +++ b/queue-4.4/aacraid-check-size-values-after-double-fetch-from-user.patch @@ -0,0 +1,65 @@ +From fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 Mon Sep 17 00:00:00 2001 +From: Dave Carroll +Date: Fri, 5 Aug 2016 13:44:10 -0600 +Subject: aacraid: Check size values after double-fetch from user + +From: Dave Carroll + +commit fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 upstream. + +In aacraid's ioctl_send_fib() we do two fetches from userspace, one the +get the fib header's size and one for the fib itself. Later we use the +size field from the second fetch to further process the fib. If for some +reason the size from the second fetch is different than from the first +fix, we may encounter an out-of- bounds access in aac_fib_send(). We +also check the sender size to insure it is not out of bounds. This was +reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was +assigned CVE-2016-6480. + +Reported-by: Pengfei Wang +Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)' +Signed-off-by: Dave Carroll +Reviewed-by: Johannes Thumshirn +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/aacraid/commctrl.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/aacraid/commctrl.c ++++ b/drivers/scsi/aacraid/commctrl.c +@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev + struct fib *fibptr; + struct hw_fib * hw_fib = (struct hw_fib *)0; + dma_addr_t hw_fib_pa = (dma_addr_t)0LL; +- unsigned size; ++ unsigned int size, osize; + int retval; + + if (dev->in_reset) { +@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev + * will not overrun the buffer when we copy the memory. Return + * an error if we would. + */ +- size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr); ++ osize = size = le16_to_cpu(kfib->header.Size) + ++ sizeof(struct aac_fibhdr); + if (size < le16_to_cpu(kfib->header.SenderSize)) + size = le16_to_cpu(kfib->header.SenderSize); + if (size > dev->max_fib_size) { +@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev + goto cleanup; + } + ++ /* Sanity check the second copy */ ++ if ((osize != le16_to_cpu(kfib->header.Size) + ++ sizeof(struct aac_fibhdr)) ++ || (size < le16_to_cpu(kfib->header.SenderSize))) { ++ retval = -EINVAL; ++ goto cleanup; ++ } ++ + if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) { + aac_adapter_interrupt(dev); + /* diff --git a/queue-4.4/arc-build-better-way-to-detect-isa-compatible-toolchain.patch b/queue-4.4/arc-build-better-way-to-detect-isa-compatible-toolchain.patch new file mode 100644 index 00000000000..8a98104be6e --- /dev/null +++ b/queue-4.4/arc-build-better-way-to-detect-isa-compatible-toolchain.patch @@ -0,0 +1,76 @@ +From 20d780374c81cf237834af2202c26df2100ddd69 Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Thu, 25 Feb 2016 22:04:38 +0530 +Subject: ARC: build: Better way to detect ISA compatible toolchain + +From: Vineet Gupta + +commit 20d780374c81cf237834af2202c26df2100ddd69 upstream. + +ARC architecture has 2 instruction sets: ARCompact/ARCv2. +While same gcc supports compiling for either (using appropriate toggles), +we can't use the same toolchain to build kernel because libgcc needs +to be unique and the toolchian (uClibc based) is not multilibed. + +uClibc toolchain is convenient since it allows all userspace and +kernel to be built with a single install for an ISA. + +This however means 2 gnu installs (with same triplet prefix) are needed +for building for 2 ISA and need to be in PATH. +As developers we keep switching the builds, but would occassionally fail +to update the PATH leading to usage of wrong tools. And this would only +show up at the end of kernel build when linking incompatible libgcc. + +So the initial solution was to have gcc define a special preprocessor macro +DEFAULT_CPU_xxx which is unique for default toolchain configuration. +Claudiu proposed using grep for an existing preprocessor macro which is +again uniquely defined per ISA. + +Cc: Michal Marek +Suggested-by: Claudiu Zissulescu +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/Makefile | 14 ++++++++++++++ + arch/arc/include/asm/arcregs.h | 6 ------ + 2 files changed, 14 insertions(+), 6 deletions(-) + +--- a/arch/arc/Makefile ++++ b/arch/arc/Makefile +@@ -18,6 +18,20 @@ cflags-y += -fno-common -pipe -fno-built + cflags-$(CONFIG_ISA_ARCOMPACT) += -mA7 + cflags-$(CONFIG_ISA_ARCV2) += -mcpu=archs + ++is_700 = $(shell $(CC) -dM -E - < /dev/null | grep -q "ARC700" && echo 1 || echo 0) ++ ++ifdef CONFIG_ISA_ARCOMPACT ++ifeq ($(is_700), 0) ++ $(error Toolchain not configured for ARCompact builds) ++endif ++endif ++ ++ifdef CONFIG_ISA_ARCV2 ++ifeq ($(is_700), 1) ++ $(error Toolchain not configured for ARCv2 builds) ++endif ++endif ++ + ifdef CONFIG_ARC_CURR_IN_REG + # For a global register defintion, make sure it gets passed to every file + # We had a customer reported bug where some code built in kernel was NOT using +--- a/arch/arc/include/asm/arcregs.h ++++ b/arch/arc/include/asm/arcregs.h +@@ -374,12 +374,6 @@ static inline int is_isa_arcompact(void) + return IS_ENABLED(CONFIG_ISA_ARCOMPACT); + } + +-#if defined(CONFIG_ISA_ARCOMPACT) && !defined(_CPU_DEFAULT_A7) +-#error "Toolchain not configured for ARCompact builds" +-#elif defined(CONFIG_ISA_ARCV2) && !defined(_CPU_DEFAULT_HS) +-#error "Toolchain not configured for ARCv2 builds" +-#endif +- + #endif /* __ASEMBLY__ */ + + #endif /* _ASM_ARC_ARCREGS_H */ diff --git a/queue-4.4/arc-call-trace_hardirqs_on-before-enabling-irqs.patch b/queue-4.4/arc-call-trace_hardirqs_on-before-enabling-irqs.patch new file mode 100644 index 00000000000..0113bdfb1a3 --- /dev/null +++ b/queue-4.4/arc-call-trace_hardirqs_on-before-enabling-irqs.patch @@ -0,0 +1,63 @@ +From 18b43e89d295cc65151c505c643c98fb2c320e59 Mon Sep 17 00:00:00 2001 +From: Daniel Mentz +Date: Thu, 4 Aug 2016 17:56:53 -0700 +Subject: ARC: Call trace_hardirqs_on() before enabling irqs + +From: Daniel Mentz + +commit 18b43e89d295cc65151c505c643c98fb2c320e59 upstream. + +trace_hardirqs_on_caller() in lockdep.c expects to be called before, not +after interrupts are actually enabled. + +The following comment in kernel/locking/lockdep.c substantiates this +claim: + +" +/* + * We're enabling irqs and according to our state above irqs weren't + * already enabled, yet we find the hardware thinks they are in fact + * enabled.. someone messed up their IRQ state tracing. + */ +" + +An example can be found in include/linux/irqflags.h: + + do { trace_hardirqs_on(); raw_local_irq_enable(); } while (0) + +Without this change, we hit the following DEBUG_LOCKS_WARN_ON. + +[ 7.760000] ------------[ cut here ]------------ +[ 7.760000] WARNING: CPU: 0 PID: 1 at kernel/locking/lockdep.c:2711 resume_user_mode_begin+0x48/0xf0 +[ 7.770000] DEBUG_LOCKS_WARN_ON(!irqs_disabled()) +[ 7.780000] Modules linked in: +[ 7.780000] CPU: 0 PID: 1 Comm: init Not tainted 4.7.0-00003-gc668bb9-dirty #366 +[ 7.790000] +[ 7.790000] Stack Trace: +[ 7.790000] arc_unwind_core.constprop.1+0xa4/0x118 +[ 7.800000] warn_slowpath_fmt+0x72/0x158 +[ 7.800000] resume_user_mode_begin+0x48/0xf0 +[ 7.810000] ---[ end trace 6f6a7a8fae20d2f0 ]--- + +Signed-off-by: Daniel Mentz +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/irqflags-compact.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arc/include/asm/irqflags-compact.h ++++ b/arch/arc/include/asm/irqflags-compact.h +@@ -188,10 +188,10 @@ static inline int arch_irqs_disabled(voi + .endm + + .macro IRQ_ENABLE scratch ++ TRACE_ASM_IRQ_ENABLE + lr \scratch, [status32] + or \scratch, \scratch, (STATUS_E1_MASK | STATUS_E2_MASK) + flag \scratch +- TRACE_ASM_IRQ_ENABLE + .endm + + #endif /* __ASSEMBLY__ */ diff --git a/queue-4.4/arc-elide-redundant-setup-of-dma-callbacks.patch b/queue-4.4/arc-elide-redundant-setup-of-dma-callbacks.patch new file mode 100644 index 00000000000..351c2a753c3 --- /dev/null +++ b/queue-4.4/arc-elide-redundant-setup-of-dma-callbacks.patch @@ -0,0 +1,37 @@ +From 45c3b08a117e2232fc8d7b9e849ead36386f4f96 Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Mon, 13 Jun 2016 16:38:27 +0200 +Subject: ARC: Elide redundant setup of DMA callbacks + +From: Vineet Gupta + +commit 45c3b08a117e2232fc8d7b9e849ead36386f4f96 upstream. + +For resources shared by all cores such as SLC and IOC, only the master +core needs to do any setups / enabling / disabling etc. + +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/mm/cache.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/arch/arc/mm/cache.c ++++ b/arch/arc/mm/cache.c +@@ -914,6 +914,15 @@ void arc_cache_init(void) + + printk(arc_cache_mumbojumbo(0, str, sizeof(str))); + ++ /* ++ * Only master CPU needs to execute rest of function: ++ * - Assume SMP so all cores will have same cache config so ++ * any geomtry checks will be same for all ++ * - IOC setup / dma callbacks only need to be setup once ++ */ ++ if (cpu) ++ return; ++ + if (IS_ENABLED(CONFIG_ARC_HAS_ICACHE)) { + struct cpuinfo_arc_cache *ic = &cpuinfo_arc700[cpu].icache; + diff --git a/queue-4.4/arc-use-correct-offset-in-pt_regs-for-saving-restoring-user-mode-r25.patch b/queue-4.4/arc-use-correct-offset-in-pt_regs-for-saving-restoring-user-mode-r25.patch new file mode 100644 index 00000000000..7813656dec3 --- /dev/null +++ b/queue-4.4/arc-use-correct-offset-in-pt_regs-for-saving-restoring-user-mode-r25.patch @@ -0,0 +1,48 @@ +From 86147e3cfa5e118b61e78f4f0bf29e920dcbd477 Mon Sep 17 00:00:00 2001 +From: Liav Rehana +Date: Tue, 16 Aug 2016 10:55:35 +0300 +Subject: ARC: use correct offset in pt_regs for saving/restoring user mode r25 + +From: Liav Rehana + +commit 86147e3cfa5e118b61e78f4f0bf29e920dcbd477 upstream. + +User mode callee regs are explicitly collected before signal delivery or +breakpoint trap. r25 is special for kernel as it serves as task pointer, +so user mode value is clobbered very early. It is saved in pt_regs where +generally only scratch (aka caller saved) regs are saved. + +The code to access the corresponding pt_regs location had a subtle bug as +it was using load/store with scaling of offset, whereas the offset was already +byte wise correct. So fix this by replacing LD.AS with a standard LD + +Signed-off-by: Liav Rehana +Reviewed-by: Alexey Brodkin +[vgupta: rewrote title and commit log] +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/entry.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arc/include/asm/entry.h ++++ b/arch/arc/include/asm/entry.h +@@ -142,7 +142,7 @@ + + #ifdef CONFIG_ARC_CURR_IN_REG + ; Retrieve orig r25 and save it with rest of callee_regs +- ld.as r12, [r12, PT_user_r25] ++ ld r12, [r12, PT_user_r25] + PUSH r12 + #else + PUSH r25 +@@ -198,7 +198,7 @@ + + ; SP is back to start of pt_regs + #ifdef CONFIG_ARC_CURR_IN_REG +- st.as r12, [sp, PT_user_r25] ++ st r12, [sp, PT_user_r25] + #endif + .endm + diff --git a/queue-4.4/arm64-dts-rockchip-add-reset-saradc-node-for-rk3368-socs.patch b/queue-4.4/arm64-dts-rockchip-add-reset-saradc-node-for-rk3368-socs.patch new file mode 100644 index 00000000000..6568e83b298 --- /dev/null +++ b/queue-4.4/arm64-dts-rockchip-add-reset-saradc-node-for-rk3368-socs.patch @@ -0,0 +1,32 @@ +From 78ec79bfd59e126e1cb394302bfa531a420b3ecd Mon Sep 17 00:00:00 2001 +From: Caesar Wang +Date: Wed, 27 Jul 2016 22:24:06 +0800 +Subject: arm64: dts: rockchip: add reset saradc node for rk3368 SoCs + +From: Caesar Wang + +commit 78ec79bfd59e126e1cb394302bfa531a420b3ecd upstream. + +SARADC controller needs to be reset before programming it, otherwise +it will not function properly. + +Signed-off-by: Caesar Wang +Acked-by: Heiko Stuebner +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/boot/dts/rockchip/rk3368.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/boot/dts/rockchip/rk3368.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3368.dtsi +@@ -262,6 +262,8 @@ + #io-channel-cells = <1>; + clocks = <&cru SCLK_SARADC>, <&cru PCLK_SARADC>; + clock-names = "saradc", "apb_pclk"; ++ resets = <&cru SRST_SARADC>; ++ reset-names = "saradc-apb"; + status = "disabled"; + }; + diff --git a/queue-4.4/btrfs-properly-track-when-rescan-worker-is-running.patch b/queue-4.4/btrfs-properly-track-when-rescan-worker-is-running.patch new file mode 100644 index 00000000000..4ba1f6faa8c --- /dev/null +++ b/queue-4.4/btrfs-properly-track-when-rescan-worker-is-running.patch @@ -0,0 +1,89 @@ +From d2c609b834d62f1e91f1635a27dca29f7806d3d6 Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Mon, 15 Aug 2016 12:10:33 -0400 +Subject: btrfs: properly track when rescan worker is running + +From: Jeff Mahoney + +commit d2c609b834d62f1e91f1635a27dca29f7806d3d6 upstream. + +The qgroup_flags field is overloaded such that it reflects the on-disk +status of qgroups and the runtime state. The BTRFS_QGROUP_STATUS_FLAG_RESCAN +flag is used to indicate that a rescan operation is in progress, but if +the file system is unmounted while a rescan is running, the rescan +operation is paused. If the file system is then mounted read-only, +the flag will still be present but the rescan operation will not have +been resumed. When we go to umount, btrfs_qgroup_wait_for_completion +will see the flag and interpret it to mean that the rescan worker is +still running and will wait for a completion that will never come. + +This patch uses a separate flag to indicate when the worker is +running. The locking and state surrounding the qgroup rescan worker +needs a lot of attention beyond this patch but this is enough to +avoid a hung umount. + +Signed-off-by; Jeff Mahoney +Reviewed-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +Signed-off-by: Chris Mason + +--- + fs/btrfs/ctree.h | 1 + + fs/btrfs/disk-io.c | 1 + + fs/btrfs/qgroup.c | 9 ++++++++- + 3 files changed, 10 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -1770,6 +1770,7 @@ struct btrfs_fs_info { + struct btrfs_workqueue *qgroup_rescan_workers; + struct completion qgroup_rescan_completion; + struct btrfs_work qgroup_rescan_work; ++ bool qgroup_rescan_running; /* protected by qgroup_rescan_lock */ + + /* filesystem state */ + unsigned long fs_state; +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -2276,6 +2276,7 @@ static void btrfs_init_qgroup(struct btr + fs_info->quota_enabled = 0; + fs_info->pending_quota_state = 0; + fs_info->qgroup_ulist = NULL; ++ fs_info->qgroup_rescan_running = false; + mutex_init(&fs_info->qgroup_rescan_lock); + } + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -2283,6 +2283,10 @@ static void btrfs_qgroup_rescan_worker(s + int err = -ENOMEM; + int ret = 0; + ++ mutex_lock(&fs_info->qgroup_rescan_lock); ++ fs_info->qgroup_rescan_running = true; ++ mutex_unlock(&fs_info->qgroup_rescan_lock); ++ + path = btrfs_alloc_path(); + if (!path) + goto out; +@@ -2349,6 +2353,9 @@ out: + } + + done: ++ mutex_lock(&fs_info->qgroup_rescan_lock); ++ fs_info->qgroup_rescan_running = false; ++ mutex_unlock(&fs_info->qgroup_rescan_lock); + complete_all(&fs_info->qgroup_rescan_completion); + } + +@@ -2475,7 +2482,7 @@ int btrfs_qgroup_wait_for_completion(str + + mutex_lock(&fs_info->qgroup_rescan_lock); + spin_lock(&fs_info->qgroup_lock); +- running = fs_info->qgroup_flags & BTRFS_QGROUP_STATUS_FLAG_RESCAN; ++ running = fs_info->qgroup_rescan_running; + spin_unlock(&fs_info->qgroup_lock); + mutex_unlock(&fs_info->qgroup_rescan_lock); + diff --git a/queue-4.4/btrfs-waiting-on-qgroup-rescan-should-not-always-be-interruptible.patch b/queue-4.4/btrfs-waiting-on-qgroup-rescan-should-not-always-be-interruptible.patch new file mode 100644 index 00000000000..1563f3a986e --- /dev/null +++ b/queue-4.4/btrfs-waiting-on-qgroup-rescan-should-not-always-be-interruptible.patch @@ -0,0 +1,100 @@ +From d06f23d6a947c9abae41dc46be69a56baf36f436 Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Mon, 8 Aug 2016 22:08:06 -0400 +Subject: btrfs: waiting on qgroup rescan should not always be interruptible + +From: Jeff Mahoney + +commit d06f23d6a947c9abae41dc46be69a56baf36f436 upstream. + +We wait on qgroup rescan completion in three places: file system +shutdown, the quota disable ioctl, and the rescan wait ioctl. If the +user sends a signal while we're waiting, we continue happily along. This +is expected behavior for the rescan wait ioctl. It's racy in the shutdown +path but mostly works due to other unrelated synchronization points. +In the quota disable path, it Oopses the kernel pretty much immediately. + +Signed-off-by: Jeff Mahoney +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/disk-io.c | 2 +- + fs/btrfs/ioctl.c | 2 +- + fs/btrfs/qgroup.c | 12 +++++++++--- + fs/btrfs/qgroup.h | 3 ++- + 4 files changed, 13 insertions(+), 6 deletions(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -3811,7 +3811,7 @@ void close_ctree(struct btrfs_root *root + smp_mb(); + + /* wait for the qgroup rescan worker to stop */ +- btrfs_qgroup_wait_for_completion(fs_info); ++ btrfs_qgroup_wait_for_completion(fs_info, false); + + /* wait for the uuid_scan task to finish */ + down(&fs_info->uuid_tree_rescan_sem); +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -5121,7 +5121,7 @@ static long btrfs_ioctl_quota_rescan_wai + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + +- return btrfs_qgroup_wait_for_completion(root->fs_info); ++ return btrfs_qgroup_wait_for_completion(root->fs_info, true); + } + + static long _btrfs_ioctl_set_received_subvol(struct file *file, +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -995,7 +995,7 @@ int btrfs_quota_disable(struct btrfs_tra + goto out; + fs_info->quota_enabled = 0; + fs_info->pending_quota_state = 0; +- btrfs_qgroup_wait_for_completion(fs_info); ++ btrfs_qgroup_wait_for_completion(fs_info, false); + spin_lock(&fs_info->qgroup_lock); + quota_root = fs_info->quota_root; + fs_info->quota_root = NULL; +@@ -2467,7 +2467,8 @@ btrfs_qgroup_rescan(struct btrfs_fs_info + return 0; + } + +-int btrfs_qgroup_wait_for_completion(struct btrfs_fs_info *fs_info) ++int btrfs_qgroup_wait_for_completion(struct btrfs_fs_info *fs_info, ++ bool interruptible) + { + int running; + int ret = 0; +@@ -2478,9 +2479,14 @@ int btrfs_qgroup_wait_for_completion(str + spin_unlock(&fs_info->qgroup_lock); + mutex_unlock(&fs_info->qgroup_rescan_lock); + +- if (running) ++ if (!running) ++ return 0; ++ ++ if (interruptible) + ret = wait_for_completion_interruptible( + &fs_info->qgroup_rescan_completion); ++ else ++ wait_for_completion(&fs_info->qgroup_rescan_completion); + + return ret; + } +--- a/fs/btrfs/qgroup.h ++++ b/fs/btrfs/qgroup.h +@@ -46,7 +46,8 @@ int btrfs_quota_disable(struct btrfs_tra + struct btrfs_fs_info *fs_info); + int btrfs_qgroup_rescan(struct btrfs_fs_info *fs_info); + void btrfs_qgroup_rescan_resume(struct btrfs_fs_info *fs_info); +-int btrfs_qgroup_wait_for_completion(struct btrfs_fs_info *fs_info); ++int btrfs_qgroup_wait_for_completion(struct btrfs_fs_info *fs_info, ++ bool interruptible); + int btrfs_add_qgroup_relation(struct btrfs_trans_handle *trans, + struct btrfs_fs_info *fs_info, u64 src, u64 dst); + int btrfs_del_qgroup_relation(struct btrfs_trans_handle *trans, diff --git a/queue-4.4/cdc-acm-fix-wrong-pipe-type-on-rx-interrupt-xfers.patch b/queue-4.4/cdc-acm-fix-wrong-pipe-type-on-rx-interrupt-xfers.patch new file mode 100644 index 00000000000..d08e6d2b716 --- /dev/null +++ b/queue-4.4/cdc-acm-fix-wrong-pipe-type-on-rx-interrupt-xfers.patch @@ -0,0 +1,57 @@ +From add125054b8727103631dce116361668436ef6a7 Mon Sep 17 00:00:00 2001 +From: Gavin Li +Date: Fri, 12 Aug 2016 00:52:56 -0700 +Subject: cdc-acm: fix wrong pipe type on rx interrupt xfers + +From: Gavin Li + +commit add125054b8727103631dce116361668436ef6a7 upstream. + +This fixes the "BOGUS urb xfer" warning logged by usb_submit_urb(). + +Signed-off-by: Gavin Li +Acked-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 5 ++--- + drivers/usb/class/cdc-acm.h | 1 - + 2 files changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1336,7 +1336,6 @@ made_compressed_probe: + spin_lock_init(&acm->write_lock); + spin_lock_init(&acm->read_lock); + mutex_init(&acm->mutex); +- acm->rx_endpoint = usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress); + acm->is_int_ep = usb_endpoint_xfer_int(epread); + if (acm->is_int_ep) + acm->bInterval = epread->bInterval; +@@ -1376,14 +1375,14 @@ made_compressed_probe: + urb->transfer_dma = rb->dma; + if (acm->is_int_ep) { + usb_fill_int_urb(urb, acm->dev, +- acm->rx_endpoint, ++ usb_rcvintpipe(usb_dev, epread->bEndpointAddress), + rb->base, + acm->readsize, + acm_read_bulk_callback, rb, + acm->bInterval); + } else { + usb_fill_bulk_urb(urb, acm->dev, +- acm->rx_endpoint, ++ usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress), + rb->base, + acm->readsize, + acm_read_bulk_callback, rb); +--- a/drivers/usb/class/cdc-acm.h ++++ b/drivers/usb/class/cdc-acm.h +@@ -95,7 +95,6 @@ struct acm { + struct urb *read_urbs[ACM_NR]; + struct acm_rb read_buffers[ACM_NR]; + int rx_buflimit; +- int rx_endpoint; + spinlock_t read_lock; + int write_used; /* number of non-empty write buffers */ + int transmitting; diff --git a/queue-4.4/drm-amd-amdgpu-sdma-resume-fail-during-s4-on-ci.patch b/queue-4.4/drm-amd-amdgpu-sdma-resume-fail-during-s4-on-ci.patch new file mode 100644 index 00000000000..4e744c8767a --- /dev/null +++ b/queue-4.4/drm-amd-amdgpu-sdma-resume-fail-during-s4-on-ci.patch @@ -0,0 +1,40 @@ +From 10ea9434065e56fe14287f89258ecf2fb684ed1a Mon Sep 17 00:00:00 2001 +From: jimqu +Date: Tue, 30 Aug 2016 08:59:42 +0800 +Subject: drm/amd/amdgpu: sdma resume fail during S4 on CI + +From: jimqu + +commit 10ea9434065e56fe14287f89258ecf2fb684ed1a upstream. + +SDMA could be fail in the thaw() and restore() processes, do software reset +if each SDMA engine is busy. + +Signed-off-by: JimQu +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/cik_sdma.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/cik_sdma.c ++++ b/drivers/gpu/drm/amd/amdgpu/cik_sdma.c +@@ -52,6 +52,7 @@ static void cik_sdma_set_ring_funcs(stru + static void cik_sdma_set_irq_funcs(struct amdgpu_device *adev); + static void cik_sdma_set_buffer_funcs(struct amdgpu_device *adev); + static void cik_sdma_set_vm_pte_funcs(struct amdgpu_device *adev); ++static int cik_sdma_soft_reset(void *handle); + + MODULE_FIRMWARE("radeon/bonaire_sdma.bin"); + MODULE_FIRMWARE("radeon/bonaire_sdma1.bin"); +@@ -1030,6 +1031,8 @@ static int cik_sdma_resume(void *handle) + { + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + ++ cik_sdma_soft_reset(handle); ++ + return cik_sdma_hw_init(adev); + } + diff --git a/queue-4.4/drm-amdgpu-avoid-a-possible-array-overflow.patch b/queue-4.4/drm-amdgpu-avoid-a-possible-array-overflow.patch new file mode 100644 index 00000000000..633a779f1ef --- /dev/null +++ b/queue-4.4/drm-amdgpu-avoid-a-possible-array-overflow.patch @@ -0,0 +1,42 @@ +From e1718d97aa88ea44a6a8f50ff464253dd0dacf01 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 24 Aug 2016 12:31:36 -0400 +Subject: drm/amdgpu: avoid a possible array overflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit e1718d97aa88ea44a6a8f50ff464253dd0dacf01 upstream. + +When looking up the connector type make sure the index +is valid. Avoids a later crash if we read past the end +of the array. + +Workaround for bug: +https://bugs.freedesktop.org/show_bug.cgi?id=97460 + +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c +@@ -331,6 +331,12 @@ bool amdgpu_atombios_get_connector_info_ + (le16_to_cpu(path->usConnObjectId) & + OBJECT_TYPE_MASK) >> OBJECT_TYPE_SHIFT; + ++ if (con_obj_id >= ARRAY_SIZE(object_connector_convert)) { ++ DRM_ERROR("invalid con_obj_id %d for device tag 0x%04x\n", ++ con_obj_id, le16_to_cpu(path->usDeviceTag)); ++ continue; ++ } ++ + connector_type = + object_connector_convert[con_obj_id]; + connector_object_id = con_obj_id; diff --git a/queue-4.4/drm-amdgpu-change-gart-offset-to-64-bit.patch b/queue-4.4/drm-amdgpu-change-gart-offset-to-64-bit.patch new file mode 100644 index 00000000000..7cbd8e73c7f --- /dev/null +++ b/queue-4.4/drm-amdgpu-change-gart-offset-to-64-bit.patch @@ -0,0 +1,60 @@ +From cab0b8d50e9bbef62c04067072c953433a87a9ff Mon Sep 17 00:00:00 2001 +From: Felix Kuehling +Date: Fri, 12 Aug 2016 19:25:21 -0400 +Subject: drm/amdgpu: Change GART offset to 64-bit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Felix Kuehling + +commit cab0b8d50e9bbef62c04067072c953433a87a9ff upstream. + +The GART aperture size can be bigger than 4GB. Therefore the offset +used in amdgpu_gart_bind and amdgpu_gart_unbind must be 64-bit. + +Reviewed-by: Christian König +Signed-off-by: Felix Kuehling +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu.h | 4 ++-- + drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h +@@ -710,9 +710,9 @@ int amdgpu_gart_table_vram_pin(struct am + void amdgpu_gart_table_vram_unpin(struct amdgpu_device *adev); + int amdgpu_gart_init(struct amdgpu_device *adev); + void amdgpu_gart_fini(struct amdgpu_device *adev); +-void amdgpu_gart_unbind(struct amdgpu_device *adev, unsigned offset, ++void amdgpu_gart_unbind(struct amdgpu_device *adev, uint64_t offset, + int pages); +-int amdgpu_gart_bind(struct amdgpu_device *adev, unsigned offset, ++int amdgpu_gart_bind(struct amdgpu_device *adev, uint64_t offset, + int pages, struct page **pagelist, + dma_addr_t *dma_addr, uint32_t flags); + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c +@@ -221,7 +221,7 @@ void amdgpu_gart_table_vram_free(struct + * Unbinds the requested pages from the gart page table and + * replaces them with the dummy page (all asics). + */ +-void amdgpu_gart_unbind(struct amdgpu_device *adev, unsigned offset, ++void amdgpu_gart_unbind(struct amdgpu_device *adev, uint64_t offset, + int pages) + { + unsigned t; +@@ -269,7 +269,7 @@ void amdgpu_gart_unbind(struct amdgpu_de + * (all asics). + * Returns 0 for success, -EINVAL for failure. + */ +-int amdgpu_gart_bind(struct amdgpu_device *adev, unsigned offset, ++int amdgpu_gart_bind(struct amdgpu_device *adev, uint64_t offset, + int pages, struct page **pagelist, dma_addr_t *dma_addr, + uint32_t flags) + { diff --git a/queue-4.4/drm-amdgpu-fix-amdgpu_move_blit-on-32bit-systems.patch b/queue-4.4/drm-amdgpu-fix-amdgpu_move_blit-on-32bit-systems.patch new file mode 100644 index 00000000000..ce391e9c61c --- /dev/null +++ b/queue-4.4/drm-amdgpu-fix-amdgpu_move_blit-on-32bit-systems.patch @@ -0,0 +1,36 @@ +From 815d27a46f3119f74fe01fe10bf683aa5bc55597 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20K=C3=B6nig?= +Date: Wed, 17 Aug 2016 09:45:25 +0200 +Subject: drm/amdgpu: fix amdgpu_move_blit on 32bit systems +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian König + +commit 815d27a46f3119f74fe01fe10bf683aa5bc55597 upstream. + +This bug seems to be present for a very long time. + +Signed-off-by: Christian König +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +@@ -233,8 +233,8 @@ static int amdgpu_move_blit(struct ttm_b + + adev = amdgpu_get_adev(bo->bdev); + ring = adev->mman.buffer_funcs_ring; +- old_start = old_mem->start << PAGE_SHIFT; +- new_start = new_mem->start << PAGE_SHIFT; ++ old_start = (u64)old_mem->start << PAGE_SHIFT; ++ new_start = (u64)new_mem->start << PAGE_SHIFT; + + switch (old_mem->mem_type) { + case TTM_PL_VRAM: diff --git a/queue-4.4/drm-amdgpu-record-error-code-when-ring-test-failed.patch b/queue-4.4/drm-amdgpu-record-error-code-when-ring-test-failed.patch new file mode 100644 index 00000000000..e75d4d1ec73 --- /dev/null +++ b/queue-4.4/drm-amdgpu-record-error-code-when-ring-test-failed.patch @@ -0,0 +1,48 @@ +From 1f703e6679f373f5bba4efe7093aa82e91af4037 Mon Sep 17 00:00:00 2001 +From: Chunming Zhou +Date: Tue, 30 Aug 2016 17:59:11 +0800 +Subject: drm/amdgpu: record error code when ring test failed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chunming Zhou + +commit 1f703e6679f373f5bba4efe7093aa82e91af4037 upstream. + +Otherwise we may miss errors. + +Signed-off-by: Chunming Zhou +Reviewed-by: Christian König +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c +@@ -288,7 +288,7 @@ void amdgpu_ib_pool_fini(struct amdgpu_d + int amdgpu_ib_ring_tests(struct amdgpu_device *adev) + { + unsigned i; +- int r; ++ int r, ret = 0; + + for (i = 0; i < AMDGPU_MAX_RINGS; ++i) { + struct amdgpu_ring *ring = adev->rings[i]; +@@ -309,10 +309,11 @@ int amdgpu_ib_ring_tests(struct amdgpu_d + } else { + /* still not good, but we can live with it */ + DRM_ERROR("amdgpu: failed testing IB on ring %d (%d).\n", i, r); ++ ret = r; + } + } + } +- return 0; ++ return ret; + } + + /* diff --git a/queue-4.4/drm-amdgpu-skip-tv-cv-in-display-parsing.patch b/queue-4.4/drm-amdgpu-skip-tv-cv-in-display-parsing.patch new file mode 100644 index 00000000000..5910cd33759 --- /dev/null +++ b/queue-4.4/drm-amdgpu-skip-tv-cv-in-display-parsing.patch @@ -0,0 +1,41 @@ +From 611a1507fe8569ce1adab3abc982ea58ab559fb9 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 24 Aug 2016 13:04:15 -0400 +Subject: drm/amdgpu: skip TV/CV in display parsing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit 611a1507fe8569ce1adab3abc982ea58ab559fb9 upstream. + +No asics supported by amdgpu support analog TV. + +Workaround for bug: +https://bugs.freedesktop.org/show_bug.cgi?id=97460 + +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c +@@ -331,6 +331,13 @@ bool amdgpu_atombios_get_connector_info_ + (le16_to_cpu(path->usConnObjectId) & + OBJECT_TYPE_MASK) >> OBJECT_TYPE_SHIFT; + ++ /* Skip TV/CV support */ ++ if ((le16_to_cpu(path->usDeviceTag) == ++ ATOM_DEVICE_TV1_SUPPORT) || ++ (le16_to_cpu(path->usDeviceTag) == ++ ATOM_DEVICE_CV_SUPPORT)) ++ continue; ++ + if (con_obj_id >= ARRAY_SIZE(object_connector_convert)) { + DRM_ERROR("invalid con_obj_id %d for device tag 0x%04x\n", + con_obj_id, le16_to_cpu(path->usDeviceTag)); diff --git a/queue-4.4/drm-i915-fix-aliasing_ppgtt-leak.patch b/queue-4.4/drm-i915-fix-aliasing_ppgtt-leak.patch new file mode 100644 index 00000000000..0b38e05aee8 --- /dev/null +++ b/queue-4.4/drm-i915-fix-aliasing_ppgtt-leak.patch @@ -0,0 +1,58 @@ +From 3871f42a57efcdc6a9da751a8cb6fa196c212289 Mon Sep 17 00:00:00 2001 +From: Matthew Auld +Date: Fri, 5 Aug 2016 19:04:40 +0100 +Subject: drm/i915: fix aliasing_ppgtt leak + +From: Matthew Auld + +commit 3871f42a57efcdc6a9da751a8cb6fa196c212289 upstream. + +In i915_ggtt_cleanup_hw we need to remember to free aliasing_ppgtt. This +fixes the following kmemleak message: + +unreferenced object 0xffff880213cca000 (size 8192): + comm "modprobe", pid 1298, jiffies 4294745402 (age 703.930s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kmemleak_alloc+0x4e/0xb0 + [] kmem_cache_alloc_trace+0x142/0x1d0 + [] i915_gem_init_ggtt+0x10f/0x210 [i915] + [] i915_gem_init+0x5b/0xd0 [i915] + [] i915_driver_load+0x97a/0x1460 [i915] + [] i915_pci_probe+0x4f/0x70 [i915] + [] local_pci_probe+0x45/0xa0 + [] pci_device_probe+0x103/0x150 + [] driver_probe_device+0x22c/0x440 + [] __driver_attach+0xd1/0xf0 + [] bus_for_each_dev+0x6c/0xc0 + [] driver_attach+0x1e/0x20 + [] bus_add_driver+0x1c3/0x280 + [] driver_register+0x60/0xe0 + [] __pci_register_driver+0x4c/0x50 + [] 0xffffffffa013605b + +Signed-off-by: Matthew Auld +Reviewed-by: Chris Wilson +Fixes: b18b6bde300e ("drm/i915/bdw: Free PPGTT struct") +Signed-off-by: Daniel Vetter +Link: http://patchwork.freedesktop.org/patch/msgid/1470420280-21417-1-git-send-email-matthew.auld@intel.com +(cherry picked from commit cb7f27601c81a1e0454e9461e96f65b31fafbea0) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_gem_gtt.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/i915/i915_gem_gtt.c ++++ b/drivers/gpu/drm/i915/i915_gem_gtt.c +@@ -2747,6 +2747,7 @@ void i915_global_gtt_cleanup(struct drm_ + struct i915_hw_ppgtt *ppgtt = dev_priv->mm.aliasing_ppgtt; + + ppgtt->base.cleanup(&ppgtt->base); ++ kfree(ppgtt); + } + + if (drm_mm_initialized(&vm->mm)) { diff --git a/queue-4.4/edac-increment-correct-counter-in-edac_inc_ue_error.patch b/queue-4.4/edac-increment-correct-counter-in-edac_inc_ue_error.patch new file mode 100644 index 00000000000..d43ad74e91a --- /dev/null +++ b/queue-4.4/edac-increment-correct-counter-in-edac_inc_ue_error.patch @@ -0,0 +1,35 @@ +From 993f88f1cc7f0879047ff353e824e5cc8f10adfc Mon Sep 17 00:00:00 2001 +From: Emmanouil Maroudas +Date: Sat, 23 Apr 2016 18:33:00 +0300 +Subject: EDAC: Increment correct counter in edac_inc_ue_error() + +From: Emmanouil Maroudas + +commit 993f88f1cc7f0879047ff353e824e5cc8f10adfc upstream. + +Fix typo in edac_inc_ue_error() to increment ue_noinfo_count instead of +ce_noinfo_count. + +Signed-off-by: Emmanouil Maroudas +Cc: Mauro Carvalho Chehab +Cc: linux-edac +Fixes: 4275be635597 ("edac: Change internal representation to work with layers") +Link: http://lkml.kernel.org/r/1461425580-5898-1-git-send-email-emmanouil.maroudas@gmail.com +Signed-off-by: Borislav Petkov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/edac_mc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/edac/edac_mc.c ++++ b/drivers/edac/edac_mc.c +@@ -966,7 +966,7 @@ static void edac_inc_ue_error(struct mem + mci->ue_mc += count; + + if (!enable_per_layer_report) { +- mci->ce_noinfo_count += count; ++ mci->ue_noinfo_count += count; + return; + } + diff --git a/queue-4.4/fs-seq_file-fix-out-of-bounds-read.patch b/queue-4.4/fs-seq_file-fix-out-of-bounds-read.patch new file mode 100644 index 00000000000..db64a405d83 --- /dev/null +++ b/queue-4.4/fs-seq_file-fix-out-of-bounds-read.patch @@ -0,0 +1,110 @@ +From 088bf2ff5d12e2e32ee52a4024fec26e582f44d3 Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Thu, 25 Aug 2016 15:17:11 -0700 +Subject: fs/seq_file: fix out-of-bounds read + +From: Vegard Nossum + +commit 088bf2ff5d12e2e32ee52a4024fec26e582f44d3 upstream. + +seq_read() is a nasty piece of work, not to mention buggy. + +It has (I think) an old bug which allows unprivileged userspace to read +beyond the end of m->buf. + +I was getting these: + + BUG: KASAN: slab-out-of-bounds in seq_read+0xcd2/0x1480 at addr ffff880116889880 + Read of size 2713 by task trinity-c2/1329 + CPU: 2 PID: 1329 Comm: trinity-c2 Not tainted 4.8.0-rc1+ #96 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 + Call Trace: + kasan_object_err+0x1c/0x80 + kasan_report_error+0x2cb/0x7e0 + kasan_report+0x4e/0x80 + check_memory_region+0x13e/0x1a0 + kasan_check_read+0x11/0x20 + seq_read+0xcd2/0x1480 + proc_reg_read+0x10b/0x260 + do_loop_readv_writev.part.5+0x140/0x2c0 + do_readv_writev+0x589/0x860 + vfs_readv+0x7b/0xd0 + do_readv+0xd8/0x2c0 + SyS_readv+0xb/0x10 + do_syscall_64+0x1b3/0x4b0 + entry_SYSCALL64_slow_path+0x25/0x25 + Object at ffff880116889100, in cache kmalloc-4096 size: 4096 + Allocated: + PID = 1329 + save_stack_trace+0x26/0x80 + save_stack+0x46/0xd0 + kasan_kmalloc+0xad/0xe0 + __kmalloc+0x1aa/0x4a0 + seq_buf_alloc+0x35/0x40 + seq_read+0x7d8/0x1480 + proc_reg_read+0x10b/0x260 + do_loop_readv_writev.part.5+0x140/0x2c0 + do_readv_writev+0x589/0x860 + vfs_readv+0x7b/0xd0 + do_readv+0xd8/0x2c0 + SyS_readv+0xb/0x10 + do_syscall_64+0x1b3/0x4b0 + return_from_SYSCALL_64+0x0/0x6a + Freed: + PID = 0 + (stack is not available) + Memory state around the buggy address: + ffff88011688a000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88011688a080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + >ffff88011688a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff88011688a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88011688a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ================================================================== + Disabling lock debugging due to kernel taint + +This seems to be the same thing that Dave Jones was seeing here: + + https://lkml.org/lkml/2016/8/12/334 + +There are multiple issues here: + + 1) If we enter the function with a non-empty buffer, there is an attempt + to flush it. But it was not clearing m->from after doing so, which + means that if we try to do this flush twice in a row without any call + to traverse() in between, we are going to be reading from the wrong + place -- the splat above, fixed by this patch. + + 2) If there's a short write to userspace because of page faults, the + buffer may already contain multiple lines (i.e. pos has advanced by + more than 1), but we don't save the progress that was made so the + next call will output what we've already returned previously. Since + that is a much less serious issue (and I have a headache after + staring at seq_read() for the past 8 hours), I'll leave that for now. + +Link: http://lkml.kernel.org/r/1471447270-32093-1-git-send-email-vegard.nossum@oracle.com +Signed-off-by: Vegard Nossum +Reported-by: Dave Jones +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/seq_file.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/seq_file.c ++++ b/fs/seq_file.c +@@ -222,8 +222,10 @@ ssize_t seq_read(struct file *file, char + size -= n; + buf += n; + copied += n; +- if (!m->count) ++ if (!m->count) { ++ m->from = 0; + m->index++; ++ } + if (!size) + goto Done; + } diff --git a/queue-4.4/gpio-fix-of-build-problem-on-um.patch b/queue-4.4/gpio-fix-of-build-problem-on-um.patch new file mode 100644 index 00000000000..156cce42652 --- /dev/null +++ b/queue-4.4/gpio-fix-of-build-problem-on-um.patch @@ -0,0 +1,33 @@ +From 2527ecc9195e9c66252af24c4689e8a67cd4ccb9 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Tue, 16 Aug 2016 09:58:25 +0200 +Subject: gpio: Fix OF build problem on UM + +From: Linus Walleij + +commit 2527ecc9195e9c66252af24c4689e8a67cd4ccb9 upstream. + +The UserMode (UM) Linux build was failing in gpiolib-of as it requires +ioremap()/iounmap() to exist, which is absent from UM. The non-existence +of IO memory is negatively defined as CONFIG_NO_IOMEM which means we +need to depend on HAS_IOMEM. + +Cc: Geert Uytterhoeven +Reported-by: kbuild test robot +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpio/Kconfig ++++ b/drivers/gpio/Kconfig +@@ -50,6 +50,7 @@ config GPIO_DEVRES + config OF_GPIO + def_bool y + depends on OF ++ depends on HAS_IOMEM + + config GPIO_ACPI + def_bool y diff --git a/queue-4.4/i2c-cros-ec-tunnel-fix-usage-of-cros_ec_cmd_xfer.patch b/queue-4.4/i2c-cros-ec-tunnel-fix-usage-of-cros_ec_cmd_xfer.patch new file mode 100644 index 00000000000..1b2fe78e651 --- /dev/null +++ b/queue-4.4/i2c-cros-ec-tunnel-fix-usage-of-cros_ec_cmd_xfer.patch @@ -0,0 +1,42 @@ +From 4d01d88019261d05ec3bff5f1a6013393faa3b9e Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Wed, 10 Aug 2016 13:37:18 -0700 +Subject: i2c: cros-ec-tunnel: Fix usage of cros_ec_cmd_xfer() + +From: Brian Norris + +commit 4d01d88019261d05ec3bff5f1a6013393faa3b9e upstream. + +cros_ec_cmd_xfer returns success status if the command transport +completes successfully, but the execution result is incorrectly ignored. +In many cases, the execution result is assumed to be successful, leading +to ignored errors and operating on uninitialized data. + +We've recently introduced the cros_ec_cmd_xfer_status() helper to avoid these +problems. Let's use it. + +[Regarding the 'Fixes' tag; there is significant refactoring since the driver's +introduction, but the underlying logical error exists throughout I believe] + +Fixes: 9d230c9e4f4e ("i2c: ChromeOS EC tunnel driver") +Signed-off-by: Brian Norris +Reviewed-by: Javier Martinez Canillas +Reviewed-by: Guenter Roeck +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-cros-ec-tunnel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-cros-ec-tunnel.c ++++ b/drivers/i2c/busses/i2c-cros-ec-tunnel.c +@@ -215,7 +215,7 @@ static int ec_i2c_xfer(struct i2c_adapte + msg->outsize = request_len; + msg->insize = response_len; + +- result = cros_ec_cmd_xfer(bus->ec, msg); ++ result = cros_ec_cmd_xfer_status(bus->ec, msg); + if (result < 0) { + dev_err(dev, "Error transferring EC i2c message %d\n", result); + goto exit; diff --git a/queue-4.4/iio-fix-sched-warning-do-not-call-blocking-ops-when-task_running.patch b/queue-4.4/iio-fix-sched-warning-do-not-call-blocking-ops-when-task_running.patch new file mode 100644 index 00000000000..43d4f63baa9 --- /dev/null +++ b/queue-4.4/iio-fix-sched-warning-do-not-call-blocking-ops-when-task_running.patch @@ -0,0 +1,89 @@ +From fcf68f3c0bb2a541aa47a2a38b8939edf84fd529 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Mon, 8 Aug 2016 17:19:38 -0700 +Subject: iio: fix sched WARNING "do not call blocking ops when !TASK_RUNNING" + +From: Brian Norris + +commit fcf68f3c0bb2a541aa47a2a38b8939edf84fd529 upstream. + +When using CONFIG_DEBUG_ATOMIC_SLEEP, the scheduler nicely points out +that we're calling sleeping primitives within the wait_event loop, which +means we might clobber the task state: + +[ 10.831289] do not call blocking ops when !TASK_RUNNING; state=1 set at [] +[ 10.845531] ------------[ cut here ]------------ +[ 10.850161] WARNING: at kernel/sched/core.c:7630 +... +[ 12.164333] ---[ end trace 45409966a9a76438 ]--- +[ 12.168942] Call trace: +[ 12.171391] [] __might_sleep+0x64/0x90 +[ 12.176699] [] mutex_lock_nested+0x50/0x3fc +[ 12.182440] [] iio_kfifo_buf_data_available+0x28/0x4c +[ 12.189043] [] iio_buffer_ready+0x60/0xe0 +[ 12.194608] [] iio_buffer_read_first_n_outer+0x108/0x1a8 +[ 12.201474] [] __vfs_read+0x58/0x114 +[ 12.206606] [] vfs_read+0x94/0x118 +[ 12.211564] [] SyS_read+0x64/0xb4 +[ 12.216436] [] el0_svc_naked+0x24/0x28 + +To avoid this, we should (a la https://lwn.net/Articles/628628/) use the +wait_woken() function, which avoids the nested sleeping while still +handling races between waiting / wake-events. + +Signed-off-by: Brian Norris +Reviewed-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/industrialio-buffer.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -107,6 +107,7 @@ ssize_t iio_buffer_read_first_n_outer(st + { + struct iio_dev *indio_dev = filp->private_data; + struct iio_buffer *rb = indio_dev->buffer; ++ DEFINE_WAIT_FUNC(wait, woken_wake_function); + size_t datum_size; + size_t to_wait; + int ret; +@@ -131,19 +132,29 @@ ssize_t iio_buffer_read_first_n_outer(st + else + to_wait = min_t(size_t, n / datum_size, rb->watermark); + ++ add_wait_queue(&rb->pollq, &wait); + do { +- ret = wait_event_interruptible(rb->pollq, +- iio_buffer_ready(indio_dev, rb, to_wait, n / datum_size)); +- if (ret) +- return ret; +- +- if (!indio_dev->info) +- return -ENODEV; ++ if (!indio_dev->info) { ++ ret = -ENODEV; ++ break; ++ } ++ ++ if (!iio_buffer_ready(indio_dev, rb, to_wait, n / datum_size)) { ++ if (signal_pending(current)) { ++ ret = -ERESTARTSYS; ++ break; ++ } ++ ++ wait_woken(&wait, TASK_INTERRUPTIBLE, ++ MAX_SCHEDULE_TIMEOUT); ++ continue; ++ } + + ret = rb->access->read_first_n(rb, n, buf); + if (ret == 0 && (filp->f_flags & O_NONBLOCK)) + ret = -EAGAIN; + } while (ret == 0); ++ remove_wait_queue(&rb->pollq, &wait); + + return ret; + } diff --git a/queue-4.4/iommu-arm-smmu-don-t-bug-if-we-find-aborting-stes-with-disable_bypass.patch b/queue-4.4/iommu-arm-smmu-don-t-bug-if-we-find-aborting-stes-with-disable_bypass.patch new file mode 100644 index 00000000000..0a5ec2658bd --- /dev/null +++ b/queue-4.4/iommu-arm-smmu-don-t-bug-if-we-find-aborting-stes-with-disable_bypass.patch @@ -0,0 +1,41 @@ +From 5bc0a11664e17e9f9551983f5b660bd48b57483c Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Tue, 16 Aug 2016 14:29:16 +0100 +Subject: iommu/arm-smmu: Don't BUG() if we find aborting STEs with disable_bypass + +From: Will Deacon + +commit 5bc0a11664e17e9f9551983f5b660bd48b57483c upstream. + +The disable_bypass cmdline option changes the SMMUv3 driver to put down +faulting stream table entries by default, as opposed to bypassing +transactions from unconfigured devices. + +In this mode of operation, it is entirely expected to see aborting +entries in the stream table if and when we come to installing a valid +translation, so don't trigger a BUG() as a result of misdiagnosing these +entries as stream table corruption. + +Fixes: 48ec83bcbcf5 ("iommu/arm-smmu: Add initial driver support for ARM SMMUv3 devices") +Tested-by: Robin Murphy +Reported-by: Robin Murphy +Reviewed-by: Robin Murphy +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/arm-smmu-v3.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/iommu/arm-smmu-v3.c ++++ b/drivers/iommu/arm-smmu-v3.c +@@ -1025,6 +1025,9 @@ static void arm_smmu_write_strtab_ent(st + case STRTAB_STE_0_CFG_S2_TRANS: + ste_live = true; + break; ++ case STRTAB_STE_0_CFG_ABORT: ++ if (disable_bypass) ++ break; + default: + BUG(); /* STE corruption */ + } diff --git a/queue-4.4/iommu-arm-smmu-fix-cmdq-error-handling.patch b/queue-4.4/iommu-arm-smmu-fix-cmdq-error-handling.patch new file mode 100644 index 00000000000..f949a7d695a --- /dev/null +++ b/queue-4.4/iommu-arm-smmu-fix-cmdq-error-handling.patch @@ -0,0 +1,55 @@ +From aea2037e0d3e23c3be1498feae29f71ca997d9e6 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Fri, 29 Jul 2016 11:15:37 +0100 +Subject: iommu/arm-smmu: Fix CMDQ error handling + +From: Will Deacon + +commit aea2037e0d3e23c3be1498feae29f71ca997d9e6 upstream. + +In the unlikely event of a global command queue error, the ARM SMMUv3 +driver attempts to convert the problematic command into a CMD_SYNC and +resume the command queue. Unfortunately, this code is pretty badly +broken: + + 1. It uses the index into the error string table as the CMDQ index, + so we probably read the wrong entry out of the queue + + 2. The arguments to queue_write are the wrong way round, so we end up + writing from the queue onto the stack. + +These happily cancel out, so the kernel is likely to stay alive, but +the command queue will probably fault again when we resume. + +This patch fixes the error handling code to use the correct queue index +and write back the CMD_SYNC to the faulting entry. + +Fixes: 48ec83bcbcf5 ("iommu/arm-smmu: Add initial driver support for ARM SMMUv3 devices") +Reported-by: Diwakar Subraveti +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/arm-smmu-v3.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iommu/arm-smmu-v3.c ++++ b/drivers/iommu/arm-smmu-v3.c +@@ -870,7 +870,7 @@ static void arm_smmu_cmdq_skip_err(struc + * We may have concurrent producers, so we need to be careful + * not to touch any of the shadow cmdq state. + */ +- queue_read(cmd, Q_ENT(q, idx), q->ent_dwords); ++ queue_read(cmd, Q_ENT(q, cons), q->ent_dwords); + dev_err(smmu->dev, "skipping command in error state:\n"); + for (i = 0; i < ARRAY_SIZE(cmd); ++i) + dev_err(smmu->dev, "\t0x%016llx\n", (unsigned long long)cmd[i]); +@@ -881,7 +881,7 @@ static void arm_smmu_cmdq_skip_err(struc + return; + } + +- queue_write(cmd, Q_ENT(q, idx), q->ent_dwords); ++ queue_write(Q_ENT(q, cons), cmd, q->ent_dwords); + } + + static void arm_smmu_cmdq_issue_cmd(struct arm_smmu_device *smmu, diff --git a/queue-4.4/iommu-dma-don-t-put-uninitialised-iova-domains.patch b/queue-4.4/iommu-dma-don-t-put-uninitialised-iova-domains.patch new file mode 100644 index 00000000000..11e0c41b785 --- /dev/null +++ b/queue-4.4/iommu-dma-don-t-put-uninitialised-iova-domains.patch @@ -0,0 +1,45 @@ +From 3ec60043f7c02e1f79e4a90045ff2d2e80042941 Mon Sep 17 00:00:00 2001 +From: Robin Murphy +Date: Tue, 9 Aug 2016 16:23:17 +0100 +Subject: iommu/dma: Don't put uninitialised IOVA domains + +From: Robin Murphy + +commit 3ec60043f7c02e1f79e4a90045ff2d2e80042941 upstream. + +Due to the limitations of having to wait until we see a device's DMA +restrictions before we know how we want an IOVA domain initialised, +there is a window for error if a DMA ops domain is allocated but later +freed without ever being used. In that case, init_iova_domain() was +never called, so calling put_iova_domain() from iommu_put_dma_cookie() +ends up trying to take an uninitialised lock and crashing. + +Make things robust by skipping the call unless the IOVA domain actually +has been initialised, as we probably should have done from the start. + +Fixes: 0db2e5d18f76 ("iommu: Implement common IOMMU ops for DMA mapping") +Reported-by: Nate Watterson +Reviewed-by: Nate Watterson +Tested-by: Nate Watterson +Reviewed-by: Eric Auger +Tested-by: Eric Auger +Signed-off-by: Robin Murphy +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/dma-iommu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/iommu/dma-iommu.c ++++ b/drivers/iommu/dma-iommu.c +@@ -68,7 +68,8 @@ void iommu_put_dma_cookie(struct iommu_d + if (!iovad) + return; + +- put_iova_domain(iovad); ++ if (iovad->granule) ++ put_iova_domain(iovad); + kfree(iovad); + domain->iova_cookie = NULL; + } diff --git a/queue-4.4/mac80211-fix-purging-multicast-ps-buffer-queue.patch b/queue-4.4/mac80211-fix-purging-multicast-ps-buffer-queue.patch new file mode 100644 index 00000000000..f3e1cd18500 --- /dev/null +++ b/queue-4.4/mac80211-fix-purging-multicast-ps-buffer-queue.patch @@ -0,0 +1,65 @@ +From 6b07d9ca9b5363dda959b9582a3fc9c0b89ef3b5 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Tue, 2 Aug 2016 11:13:41 +0200 +Subject: mac80211: fix purging multicast PS buffer queue + +From: Felix Fietkau + +commit 6b07d9ca9b5363dda959b9582a3fc9c0b89ef3b5 upstream. + +The code currently assumes that buffered multicast PS frames don't have +a pending ACK frame for tx status reporting. +However, hostapd sends a broadcast deauth frame on teardown for which tx +status is requested. This can lead to the "Have pending ack frames" +warning on module reload. +Fix this by using ieee80211_free_txskb/ieee80211_purge_tx_queue. + +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/cfg.c | 2 +- + net/mac80211/tx.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -865,7 +865,7 @@ static int ieee80211_stop_ap(struct wiph + + /* free all potentially still buffered bcast frames */ + local->total_ps_buffered -= skb_queue_len(&sdata->u.ap.ps.bc_buf); +- skb_queue_purge(&sdata->u.ap.ps.bc_buf); ++ ieee80211_purge_tx_queue(&local->hw, &sdata->u.ap.ps.bc_buf); + + mutex_lock(&local->mtx); + ieee80211_vif_copy_chanctx_to_vlans(sdata, true); +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -365,7 +365,7 @@ static void purge_old_ps_buffers(struct + skb = skb_dequeue(&ps->bc_buf); + if (skb) { + purged++; +- dev_kfree_skb(skb); ++ ieee80211_free_txskb(&local->hw, skb); + } + total += skb_queue_len(&ps->bc_buf); + } +@@ -448,7 +448,7 @@ ieee80211_tx_h_multicast_ps_buf(struct i + if (skb_queue_len(&ps->bc_buf) >= AP_MAX_BC_BUFFER) { + ps_dbg(tx->sdata, + "BC TX buffer full - dropping the oldest frame\n"); +- dev_kfree_skb(skb_dequeue(&ps->bc_buf)); ++ ieee80211_free_txskb(&tx->local->hw, skb_dequeue(&ps->bc_buf)); + } else + tx->local->total_ps_buffered++; + +@@ -3781,7 +3781,7 @@ ieee80211_get_buffered_bc(struct ieee802 + sdata = IEEE80211_DEV_TO_SUB_IF(skb->dev); + if (!ieee80211_tx_prepare(sdata, &tx, NULL, skb)) + break; +- dev_kfree_skb_any(skb); ++ ieee80211_free_txskb(hw, skb); + } + + info = IEEE80211_SKB_CB(skb); diff --git a/queue-4.4/megaraid_sas-fix-probing-cards-without-io-port.patch b/queue-4.4/megaraid_sas-fix-probing-cards-without-io-port.patch new file mode 100644 index 00000000000..11cee0455ba --- /dev/null +++ b/queue-4.4/megaraid_sas-fix-probing-cards-without-io-port.patch @@ -0,0 +1,84 @@ +From e7f851684efb3377e9c93aca7fae6e76212e5680 Mon Sep 17 00:00:00 2001 +From: Yinghai Lu +Date: Fri, 5 Aug 2016 23:37:34 -0700 +Subject: megaraid_sas: Fix probing cards without io port + +From: Yinghai Lu + +commit e7f851684efb3377e9c93aca7fae6e76212e5680 upstream. + +Found one megaraid_sas HBA probe fails, + +[ 187.235190] scsi host2: Avago SAS based MegaRAID driver +[ 191.112365] megaraid_sas 0000:89:00.0: BAR 0: can't reserve [io 0x0000-0x00ff] +[ 191.120548] megaraid_sas 0000:89:00.0: IO memory region busy! + +and the card has resource like, +[ 125.097714] pci 0000:89:00.0: [1000:005d] type 00 class 0x010400 +[ 125.104446] pci 0000:89:00.0: reg 0x10: [io 0x0000-0x00ff] +[ 125.110686] pci 0000:89:00.0: reg 0x14: [mem 0xce400000-0xce40ffff 64bit] +[ 125.118286] pci 0000:89:00.0: reg 0x1c: [mem 0xce300000-0xce3fffff 64bit] +[ 125.125891] pci 0000:89:00.0: reg 0x30: [mem 0xce200000-0xce2fffff pref] + +that does not io port resource allocated from BIOS, and kernel can not +assign one as io port shortage. + +The driver is only looking for MEM, and should not fail. + +It turns out megasas_init_fw() etc are using bar index as mask. index 1 +is used as mask 1, so that pci_request_selected_regions() is trying to +request BAR0 instead of BAR1. + +Fix all related reference. + +Fixes: b6d5d8808b4c ("megaraid_sas: Use lowest memory bar for SR-IOV VF support") +Signed-off-by: Yinghai Lu +Acked-by: Kashyap Desai +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 6 +++--- + drivers/scsi/megaraid/megaraid_sas_fusion.c | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -4669,7 +4669,7 @@ static int megasas_init_fw(struct megasa + /* Find first memory bar */ + bar_list = pci_select_bars(instance->pdev, IORESOURCE_MEM); + instance->bar = find_first_bit(&bar_list, sizeof(unsigned long)); +- if (pci_request_selected_regions(instance->pdev, instance->bar, ++ if (pci_request_selected_regions(instance->pdev, 1<bar, + "megasas: LSI")) { + dev_printk(KERN_DEBUG, &instance->pdev->dev, "IO memory region busy!\n"); + return -EBUSY; +@@ -4960,7 +4960,7 @@ fail_ready_state: + iounmap(instance->reg_set); + + fail_ioremap: +- pci_release_selected_regions(instance->pdev, instance->bar); ++ pci_release_selected_regions(instance->pdev, 1<bar); + + return -EINVAL; + } +@@ -4981,7 +4981,7 @@ static void megasas_release_mfi(struct m + + iounmap(instance->reg_set); + +- pci_release_selected_regions(instance->pdev, instance->bar); ++ pci_release_selected_regions(instance->pdev, 1<bar); + } + + /** +--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c ++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c +@@ -2437,7 +2437,7 @@ megasas_release_fusion(struct megasas_in + + iounmap(instance->reg_set); + +- pci_release_selected_regions(instance->pdev, instance->bar); ++ pci_release_selected_regions(instance->pdev, 1<bar); + } + + /** diff --git a/queue-4.4/mfd-cros_ec-add-cros_ec_cmd_xfer_status-helper.patch b/queue-4.4/mfd-cros_ec-add-cros_ec_cmd_xfer_status-helper.patch new file mode 100644 index 00000000000..d17fdb2a7f5 --- /dev/null +++ b/queue-4.4/mfd-cros_ec-add-cros_ec_cmd_xfer_status-helper.patch @@ -0,0 +1,72 @@ +From 9798ac6d32c1a32d6d92d853ff507d2d39c4300c Mon Sep 17 00:00:00 2001 +From: Tomeu Vizoso +Date: Fri, 15 Jul 2016 16:28:41 -0700 +Subject: mfd: cros_ec: Add cros_ec_cmd_xfer_status() helper + +From: Tomeu Vizoso + +commit 9798ac6d32c1a32d6d92d853ff507d2d39c4300c upstream. + +So that callers of cros_ec_cmd_xfer() don't have to repeat boilerplate +code when checking for errors from the EC side. + +Signed-off-by: Tomeu Vizoso +Reviewed-by: Benson Leung +Signed-off-by: Brian Norris +Acked-by: Lee Jones +Tested-by: Enric Balletbo i Serra +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/platform/chrome/cros_ec_proto.c | 17 +++++++++++++++++ + include/linux/mfd/cros_ec.h | 15 +++++++++++++++ + 2 files changed, 32 insertions(+) + +--- a/drivers/platform/chrome/cros_ec_proto.c ++++ b/drivers/platform/chrome/cros_ec_proto.c +@@ -380,3 +380,20 @@ int cros_ec_cmd_xfer(struct cros_ec_devi + return ret; + } + EXPORT_SYMBOL(cros_ec_cmd_xfer); ++ ++int cros_ec_cmd_xfer_status(struct cros_ec_device *ec_dev, ++ struct cros_ec_command *msg) ++{ ++ int ret; ++ ++ ret = cros_ec_cmd_xfer(ec_dev, msg); ++ if (ret < 0) { ++ dev_err(ec_dev->dev, "Command xfer error (err:%d)\n", ret); ++ } else if (msg->result != EC_RES_SUCCESS) { ++ dev_dbg(ec_dev->dev, "Command result (err: %d)\n", msg->result); ++ return -EPROTO; ++ } ++ ++ return ret; ++} ++EXPORT_SYMBOL(cros_ec_cmd_xfer_status); +--- a/include/linux/mfd/cros_ec.h ++++ b/include/linux/mfd/cros_ec.h +@@ -224,6 +224,21 @@ int cros_ec_cmd_xfer(struct cros_ec_devi + struct cros_ec_command *msg); + + /** ++ * cros_ec_cmd_xfer_status - Send a command to the ChromeOS EC ++ * ++ * This function is identical to cros_ec_cmd_xfer, except it returns success ++ * status only if both the command was transmitted successfully and the EC ++ * replied with success status. It's not necessary to check msg->result when ++ * using this function. ++ * ++ * @ec_dev: EC device ++ * @msg: Message to write ++ * @return: Num. of bytes transferred on success, <0 on failure ++ */ ++int cros_ec_cmd_xfer_status(struct cros_ec_device *ec_dev, ++ struct cros_ec_command *msg); ++ ++/** + * cros_ec_remove - Remove a ChromeOS EC + * + * Call this to deregister a ChromeOS EC, then clean up any private data. diff --git a/queue-4.4/mpt3sas-fix-resume-on-warpdrive-flash-cards.patch b/queue-4.4/mpt3sas-fix-resume-on-warpdrive-flash-cards.patch new file mode 100644 index 00000000000..8ad6585dd54 --- /dev/null +++ b/queue-4.4/mpt3sas-fix-resume-on-warpdrive-flash-cards.patch @@ -0,0 +1,97 @@ +From ce7c6c9e1d997a2670aead3a7b87f4df32c11118 Mon Sep 17 00:00:00 2001 +From: Greg Edwards +Date: Sat, 30 Jul 2016 10:06:26 -0600 +Subject: mpt3sas: Fix resume on WarpDrive flash cards + +From: Greg Edwards + +commit ce7c6c9e1d997a2670aead3a7b87f4df32c11118 upstream. + +mpt3sas crashes on resume after suspend with WarpDrive flash cards. The +reply_post_host_index array is not set back up after the resume, and we +deference a stale pointer in _base_interrupt(). + +[ 47.309711] BUG: unable to handle kernel paging request at ffffc90001f8006c +[ 47.318289] IP: [] _base_interrupt+0x49f/0xa30 [mpt3sas] +[ 47.326749] PGD 41ccaa067 PUD 41ccab067 PMD 3466c067 PTE 0 +[ 47.333848] Oops: 0002 [#1] SMP +... +[ 47.452708] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.7.0 #6 +[ 47.460506] Hardware name: Dell Inc. OptiPlex 990/06D7TR, BIOS A18 09/24/2013 +[ 47.469629] task: ffffffff81c0d500 ti: ffffffff81c00000 task.ti: ffffffff81c00000 +[ 47.479112] RIP: 0010:[] [] _base_interrupt+0x49f/0xa30 [mpt3sas] +[ 47.490466] RSP: 0018:ffff88041d203e30 EFLAGS: 00010002 +[ 47.497801] RAX: 0000000000000001 RBX: ffff880033f4c000 RCX: 0000000000000001 +[ 47.506973] RDX: ffffc90001f8006c RSI: 0000000000000082 RDI: 0000000000000082 +[ 47.516141] RBP: ffff88041d203eb0 R08: ffff8804118e2820 R09: 0000000000000001 +[ 47.525300] R10: 0000000000000001 R11: 00000000100c0000 R12: 0000000000000000 +[ 47.534457] R13: ffff880412c487e0 R14: ffff88041a8987d8 R15: 0000000000000001 +[ 47.543632] FS: 0000000000000000(0000) GS:ffff88041d200000(0000) knlGS:0000000000000000 +[ 47.553796] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 47.561632] CR2: ffffc90001f8006c CR3: 0000000001c06000 CR4: 00000000000406f0 +[ 47.570883] Stack: +[ 47.575015] 000000001d211228 ffff88041d2100c0 ffff8800c47d8130 0000000000000100 +[ 47.584625] ffff8804100c0000 100c000000000000 ffff88041a8992a0 ffff88041a8987f8 +[ 47.594230] ffff88041d203e00 ffffffff81111e55 000000000000038c ffff880414ad4280 +[ 47.603862] Call Trace: +[ 47.608474] +[ 47.610413] [] ? call_timer_fn+0x35/0x120 +[ 47.620539] [] handle_irq_event_percpu+0x7f/0x1c0 +[ 47.629061] [] handle_irq_event+0x2c/0x50 +[ 47.636859] [] handle_edge_irq+0x6f/0x130 +[ 47.644654] [] handle_irq+0x73/0x120 +[ 47.652011] [] ? atomic_notifier_call_chain+0x1a/0x20 +[ 47.660854] [] do_IRQ+0x4b/0xd0 +[ 47.667777] [] common_interrupt+0x8c/0x8c +[ 47.675635] + +Move the reply_post_host_index array setup into +mpt3sas_base_map_resources(), which is also in the resume path. + +Signed-off-by: Greg Edwards +Acked-by: Chaitra P B +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/mpt3sas/mpt3sas_base.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/drivers/scsi/mpt3sas/mpt3sas_base.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c +@@ -2155,6 +2155,17 @@ mpt3sas_base_map_resources(struct MPT3SA + } else + ioc->msix96_vector = 0; + ++ if (ioc->is_warpdrive) { ++ ioc->reply_post_host_index[0] = (resource_size_t __iomem *) ++ &ioc->chip->ReplyPostHostIndex; ++ ++ for (i = 1; i < ioc->cpu_msix_table_sz; i++) ++ ioc->reply_post_host_index[i] = ++ (resource_size_t __iomem *) ++ ((u8 __iomem *)&ioc->chip->Doorbell + (0x4000 + ((i - 1) ++ * 4))); ++ } ++ + list_for_each_entry(reply_q, &ioc->reply_queue_list, list) + pr_info(MPT3SAS_FMT "%s: IRQ %d\n", + reply_q->name, ((ioc->msix_enable) ? "PCI-MSI-X enabled" : +@@ -5201,17 +5212,6 @@ mpt3sas_base_attach(struct MPT3SAS_ADAPT + if (r) + goto out_free_resources; + +- if (ioc->is_warpdrive) { +- ioc->reply_post_host_index[0] = (resource_size_t __iomem *) +- &ioc->chip->ReplyPostHostIndex; +- +- for (i = 1; i < ioc->cpu_msix_table_sz; i++) +- ioc->reply_post_host_index[i] = +- (resource_size_t __iomem *) +- ((u8 __iomem *)&ioc->chip->Doorbell + (0x4000 + ((i - 1) +- * 4))); +- } +- + pci_set_drvdata(ioc->pdev, ioc->shost); + r = _base_get_ioc_facts(ioc, CAN_SLEEP); + if (r) diff --git a/queue-4.4/of-fix-reference-counting-in-of_graph_get_endpoint_by_regs.patch b/queue-4.4/of-fix-reference-counting-in-of_graph_get_endpoint_by_regs.patch new file mode 100644 index 00000000000..1f282d26985 --- /dev/null +++ b/queue-4.4/of-fix-reference-counting-in-of_graph_get_endpoint_by_regs.patch @@ -0,0 +1,53 @@ +From 34276bb062b8449b3b0a208c9b848a1a27920075 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Mon, 15 Aug 2016 14:58:43 +0200 +Subject: of: fix reference counting in of_graph_get_endpoint_by_regs + +From: Lucas Stach + +commit 34276bb062b8449b3b0a208c9b848a1a27920075 upstream. + +The called of_graph_get_next_endpoint() already decrements the refcount +of the prev node, so it is wrong to do it again in the calling function. + +Use the for_each_endpoint_of_node() helper to interate through the +endpoint OF nodes, which already does the right thing and simplifies +the code a bit. + +Fixes: 8ccd0d0ca041 +(of: add helper for getting endpoint node of specific identifiers) +Reported-by: David Jander +Signed-off-by: Lucas Stach +Acked-by: Philipp Zabel +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/of/base.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -2253,20 +2253,13 @@ struct device_node *of_graph_get_endpoin + const struct device_node *parent, int port_reg, int reg) + { + struct of_endpoint endpoint; +- struct device_node *node, *prev_node = NULL; +- +- while (1) { +- node = of_graph_get_next_endpoint(parent, prev_node); +- of_node_put(prev_node); +- if (!node) +- break; ++ struct device_node *node = NULL; + ++ for_each_endpoint_of_node(parent, node) { + of_graph_parse_endpoint(node, &endpoint); + if (((port_reg == -1) || (endpoint.port == port_reg)) && + ((reg == -1) || (endpoint.id == reg))) + return node; +- +- prev_node = node; + } + + return NULL; diff --git a/queue-4.4/pinctrl-amd-remove-the-default-de-bounce-time.patch b/queue-4.4/pinctrl-amd-remove-the-default-de-bounce-time.patch new file mode 100644 index 00000000000..c840325c9a5 --- /dev/null +++ b/queue-4.4/pinctrl-amd-remove-the-default-de-bounce-time.patch @@ -0,0 +1,65 @@ +From 8cf4345575a416e6856a6856ac6eaa31ad883126 Mon Sep 17 00:00:00 2001 +From: "Agrawal, Nitesh-kumar" +Date: Tue, 26 Jul 2016 08:28:19 +0000 +Subject: pinctrl/amd: Remove the default de-bounce time +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Agrawal, Nitesh-kumar + +commit 8cf4345575a416e6856a6856ac6eaa31ad883126 upstream. + +In the function amd_gpio_irq_enable() and +amd_gpio_direction_input(), remove the code which is setting +the default de-bounce time to 2.75ms. + +The driver code shall use the same settings as specified in +BIOS. Any default assignment impacts TouchPad behaviour when +the LevelTrig is set to EDGE FALLING. + +Reviewed-by:  Ken Xue +Signed-off-by: Nitesh Kumar Agrawal +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/pinctrl-amd.c | 20 -------------------- + 1 file changed, 20 deletions(-) + +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -48,17 +48,6 @@ static int amd_gpio_direction_input(stru + + spin_lock_irqsave(&gpio_dev->lock, flags); + pin_reg = readl(gpio_dev->base + offset * 4); +- /* +- * Suppose BIOS or Bootloader sets specific debounce for the +- * GPIO. if not, set debounce to be 2.75ms and remove glitch. +- */ +- if ((pin_reg & DB_TMR_OUT_MASK) == 0) { +- pin_reg |= 0xf; +- pin_reg |= BIT(DB_TMR_OUT_UNIT_OFF); +- pin_reg |= DB_TYPE_REMOVE_GLITCH << DB_CNTRL_OFF; +- pin_reg &= ~BIT(DB_TMR_LARGE_OFF); +- } +- + pin_reg &= ~BIT(OUTPUT_ENABLE_OFF); + writel(pin_reg, gpio_dev->base + offset * 4); + spin_unlock_irqrestore(&gpio_dev->lock, flags); +@@ -331,15 +320,6 @@ static void amd_gpio_irq_enable(struct i + + spin_lock_irqsave(&gpio_dev->lock, flags); + pin_reg = readl(gpio_dev->base + (d->hwirq)*4); +- /* +- Suppose BIOS or Bootloader sets specific debounce for the +- GPIO. if not, set debounce to be 2.75ms. +- */ +- if ((pin_reg & DB_TMR_OUT_MASK) == 0) { +- pin_reg |= 0xf; +- pin_reg |= BIT(DB_TMR_OUT_UNIT_OFF); +- pin_reg &= ~BIT(DB_TMR_LARGE_OFF); +- } + pin_reg |= BIT(INTERRUPT_ENABLE_OFF); + pin_reg |= BIT(INTERRUPT_MASK_OFF); + writel(pin_reg, gpio_dev->base + (d->hwirq)*4); diff --git a/queue-4.4/s390-dasd-fix-hanging-device-after-clear-subchannel.patch b/queue-4.4/s390-dasd-fix-hanging-device-after-clear-subchannel.patch new file mode 100644 index 00000000000..20e644dba55 --- /dev/null +++ b/queue-4.4/s390-dasd-fix-hanging-device-after-clear-subchannel.patch @@ -0,0 +1,56 @@ +From 9ba333dc55cbb9523553df973adb3024d223e905 Mon Sep 17 00:00:00 2001 +From: Stefan Haberland +Date: Mon, 8 Aug 2016 14:08:17 +0200 +Subject: s390/dasd: fix hanging device after clear subchannel + +From: Stefan Haberland + +commit 9ba333dc55cbb9523553df973adb3024d223e905 upstream. + +When a device is in a status where CIO has killed all I/O by itself the +interrupt for a clear request may not contain an irb to determine the +clear function. Instead it contains an error pointer -EIO. +This was ignored by the DASD int_handler leading to a hanging device +waiting for a clear interrupt. + +Handle -EIO error pointer correctly for requests that are clear pending and +treat the clear as successful. + +Signed-off-by: Stefan Haberland +Reviewed-by: Sebastian Ott +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/block/dasd.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/s390/block/dasd.c ++++ b/drivers/s390/block/dasd.c +@@ -1584,9 +1584,18 @@ void dasd_int_handler(struct ccw_device + unsigned long long now; + int expires; + ++ cqr = (struct dasd_ccw_req *) intparm; + if (IS_ERR(irb)) { + switch (PTR_ERR(irb)) { + case -EIO: ++ if (cqr && cqr->status == DASD_CQR_CLEAR_PENDING) { ++ device = (struct dasd_device *) cqr->startdev; ++ cqr->status = DASD_CQR_CLEARED; ++ dasd_device_clear_timer(device); ++ wake_up(&dasd_flush_wq); ++ dasd_schedule_device_bh(device); ++ return; ++ } + break; + case -ETIMEDOUT: + DBF_EVENT_DEVID(DBF_WARNING, cdev, "%s: " +@@ -1602,7 +1611,6 @@ void dasd_int_handler(struct ccw_device + } + + now = get_tod_clock(); +- cqr = (struct dasd_ccw_req *) intparm; + /* check for conditions that should be handled immediately */ + if (!cqr || + !(scsw_dstat(&irb->scsw) == (DEV_STAT_CHN_END | DEV_STAT_DEV_END) && diff --git a/queue-4.4/sched-cputime-fix-no_hz_full-getrusage-monotonicity-regression.patch b/queue-4.4/sched-cputime-fix-no_hz_full-getrusage-monotonicity-regression.patch new file mode 100644 index 00000000000..abbd7524045 --- /dev/null +++ b/queue-4.4/sched-cputime-fix-no_hz_full-getrusage-monotonicity-regression.patch @@ -0,0 +1,86 @@ +From 173be9a14f7b2e901cf77c18b1aafd4d672e9d9e Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Mon, 15 Aug 2016 18:38:42 +0200 +Subject: sched/cputime: Fix NO_HZ_FULL getrusage() monotonicity regression + +From: Peter Zijlstra + +commit 173be9a14f7b2e901cf77c18b1aafd4d672e9d9e upstream. + +Mike reports: + + Roughly 10% of the time, ltp testcase getrusage04 fails: + getrusage04 0 TINFO : Expected timers granularity is 4000 us + getrusage04 0 TINFO : Using 1 as multiply factor for max [us]time increment (1000+4000us)! + getrusage04 0 TINFO : utime: 0us; stime: 179us + getrusage04 0 TINFO : utime: 3751us; stime: 0us + getrusage04 1 TFAIL : getrusage04.c:133: stime increased > 5000us: + +And tracked it down to the case where the task simply doesn't get +_any_ [us]time ticks. + +Update the code to assume all rtime is utime when we lack information, +thus ensuring a task that elides the tick gets time accounted. + +Reported-by: Mike Galbraith +Tested-by: Mike Galbraith +Signed-off-by: Peter Zijlstra (Intel) +Cc: Frederic Weisbecker +Cc: Fredrik Markstrom +Cc: Linus Torvalds +Cc: Paolo Bonzini +Cc: Peter Zijlstra +Cc: Radim +Cc: Rik van Riel +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: Wanpeng Li +Fixes: 9d7fb0427648 ("sched/cputime: Guarantee stime + utime == rtime") +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched/cputime.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/kernel/sched/cputime.c ++++ b/kernel/sched/cputime.c +@@ -600,19 +600,25 @@ static void cputime_adjust(struct task_c + stime = curr->stime; + utime = curr->utime; + +- if (utime == 0) { +- stime = rtime; ++ /* ++ * If either stime or both stime and utime are 0, assume all runtime is ++ * userspace. Once a task gets some ticks, the monotonicy code at ++ * 'update' will ensure things converge to the observed ratio. ++ */ ++ if (stime == 0) { ++ utime = rtime; + goto update; + } + +- if (stime == 0) { +- utime = rtime; ++ if (utime == 0) { ++ stime = rtime; + goto update; + } + + stime = scale_stime((__force u64)stime, (__force u64)rtime, + (__force u64)(stime + utime)); + ++update: + /* + * Make sure stime doesn't go backwards; this preserves monotonicity + * for utime because rtime is monotonic. +@@ -635,7 +641,6 @@ static void cputime_adjust(struct task_c + stime = rtime - utime; + } + +-update: + prev->stime = stime; + prev->utime = utime; + out: diff --git a/queue-4.4/sched-nohz-fix-affine-unpinned-timers-mess.patch b/queue-4.4/sched-nohz-fix-affine-unpinned-timers-mess.patch new file mode 100644 index 00000000000..d1e48123fe5 --- /dev/null +++ b/queue-4.4/sched-nohz-fix-affine-unpinned-timers-mess.patch @@ -0,0 +1,65 @@ +From 444969223c81c7d0a95136b7b4cfdcfbc96ac5bd Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Wed, 4 May 2016 14:45:34 +0800 +Subject: sched/nohz: Fix affine unpinned timers mess + +From: Wanpeng Li + +commit 444969223c81c7d0a95136b7b4cfdcfbc96ac5bd upstream. + +The following commit: + + 9642d18eee2c ("nohz: Affine unpinned timers to housekeepers")' + +intended to affine unpinned timers to housekeepers: + + unpinned timers(full dynaticks, idle) => nearest busy housekeepers(otherwise, fallback to any housekeepers) + unpinned timers(full dynaticks, busy) => nearest busy housekeepers(otherwise, fallback to any housekeepers) + unpinned timers(houserkeepers, idle) => nearest busy housekeepers(otherwise, fallback to itself) + +However, the !idle_cpu(i) && is_housekeeping_cpu(cpu) check modified the +intention to: + + unpinned timers(full dynaticks, idle) => any housekeepers(no mattter cpu topology) + unpinned timers(full dynaticks, busy) => any housekeepers(no mattter cpu topology) + unpinned timers(housekeepers, idle) => any busy cpus(otherwise, fallback to any housekeepers) + +This patch fixes it by checking if there are busy housekeepers nearby, +otherwise falls to any housekeepers/itself. After the patch: + + unpinned timers(full dynaticks, idle) => nearest busy housekeepers(otherwise, fallback to any housekeepers) + unpinned timers(full dynaticks, busy) => nearest busy housekeepers(otherwise, fallback to any housekeepers) + unpinned timers(housekeepers, idle) => nearest busy housekeepers(otherwise, fallback to itself) + +Signed-off-by: Wanpeng Li +Signed-off-by: Peter Zijlstra (Intel) +[ Fixed the changelog. ] +Cc: Frederic Weisbecker +Cc: Linus Torvalds +Cc: Mike Galbraith +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-kernel@vger.kernel.org +Fixes: 'commit 9642d18eee2c ("nohz: Affine unpinned timers to housekeepers")' +Link: http://lkml.kernel.org/r/1462344334-8303-1-git-send-email-wanpeng.li@hotmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched/core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -627,7 +627,10 @@ int get_nohz_timer_target(void) + rcu_read_lock(); + for_each_domain(cpu, sd) { + for_each_cpu(i, sched_domain_span(sd)) { +- if (!idle_cpu(i) && is_housekeeping_cpu(cpu)) { ++ if (cpu == i) ++ continue; ++ ++ if (!idle_cpu(i) && is_housekeeping_cpu(i)) { + cpu = i; + goto unlock; + } diff --git a/queue-4.4/series b/queue-4.4/series index 2da38abe034..7b9d5d592e8 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -51,3 +51,37 @@ usb-serial-option-add-support-for-telit-le920a4.patch usb-serial-ftdi_sio-add-device-id-for-wiced-usb-uart-dev-board.patch usb-serial-ftdi_sio-add-pids-for-ivium-technologies-devices.patch xhci-make-sure-xhci-handles-usb_speed_super_plus-devices.patch +iommu-dma-don-t-put-uninitialised-iova-domains.patch +iommu-arm-smmu-fix-cmdq-error-handling.patch +iommu-arm-smmu-don-t-bug-if-we-find-aborting-stes-with-disable_bypass.patch +pinctrl-amd-remove-the-default-de-bounce-time.patch +edac-increment-correct-counter-in-edac_inc_ue_error.patch +s390-dasd-fix-hanging-device-after-clear-subchannel.patch +mac80211-fix-purging-multicast-ps-buffer-queue.patch +arm64-dts-rockchip-add-reset-saradc-node-for-rk3368-socs.patch +of-fix-reference-counting-in-of_graph_get_endpoint_by_regs.patch +sched-cputime-fix-no_hz_full-getrusage-monotonicity-regression.patch +sched-nohz-fix-affine-unpinned-timers-mess.patch +iio-fix-sched-warning-do-not-call-blocking-ops-when-task_running.patch +drm-amdgpu-change-gart-offset-to-64-bit.patch +drm-amdgpu-fix-amdgpu_move_blit-on-32bit-systems.patch +drm-amdgpu-avoid-a-possible-array-overflow.patch +drm-amdgpu-skip-tv-cv-in-display-parsing.patch +drm-amd-amdgpu-sdma-resume-fail-during-s4-on-ci.patch +drm-amdgpu-record-error-code-when-ring-test-failed.patch +drm-i915-fix-aliasing_ppgtt-leak.patch +arc-build-better-way-to-detect-isa-compatible-toolchain.patch +arc-use-correct-offset-in-pt_regs-for-saving-restoring-user-mode-r25.patch +arc-call-trace_hardirqs_on-before-enabling-irqs.patch +arc-elide-redundant-setup-of-dma-callbacks.patch +aacraid-check-size-values-after-double-fetch-from-user.patch +mfd-cros_ec-add-cros_ec_cmd_xfer_status-helper.patch +i2c-cros-ec-tunnel-fix-usage-of-cros_ec_cmd_xfer.patch +cdc-acm-fix-wrong-pipe-type-on-rx-interrupt-xfers.patch +mpt3sas-fix-resume-on-warpdrive-flash-cards.patch +megaraid_sas-fix-probing-cards-without-io-port.patch +usb-renesas_usbhs-gadget-fix-return-value-check-in-usbhs_mod_gadget_probe.patch +gpio-fix-of-build-problem-on-um.patch +fs-seq_file-fix-out-of-bounds-read.patch +btrfs-waiting-on-qgroup-rescan-should-not-always-be-interruptible.patch +btrfs-properly-track-when-rescan-worker-is-running.patch diff --git a/queue-4.4/usb-renesas_usbhs-gadget-fix-return-value-check-in-usbhs_mod_gadget_probe.patch b/queue-4.4/usb-renesas_usbhs-gadget-fix-return-value-check-in-usbhs_mod_gadget_probe.patch new file mode 100644 index 00000000000..4b3e4a64c93 --- /dev/null +++ b/queue-4.4/usb-renesas_usbhs-gadget-fix-return-value-check-in-usbhs_mod_gadget_probe.patch @@ -0,0 +1,35 @@ +From 3295235fd70ed6d594aadee8c892a14f6a4b2d2e Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Sat, 13 Aug 2016 01:28:24 +0000 +Subject: usb: renesas_usbhs: gadget: fix return value check in usbhs_mod_gadget_probe() + +From: Wei Yongjun + +commit 3295235fd70ed6d594aadee8c892a14f6a4b2d2e upstream. + +In case of error, the function usb_get_phy() returns ERR_PTR() and never +returns NULL. The NULL test in the return value check should be replaced +with IS_ERR(). + +Fixes: b5a2875605ca ("usb: renesas_usbhs: Allow an OTG PHY driver to + provide VBUS") +Acked-by: Yoshihiro Shimoda +Signed-off-by: Wei Yongjun +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/renesas_usbhs/mod_gadget.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/renesas_usbhs/mod_gadget.c ++++ b/drivers/usb/renesas_usbhs/mod_gadget.c +@@ -1075,7 +1075,7 @@ int usbhs_mod_gadget_probe(struct usbhs_ + + gpriv->transceiver = usb_get_phy(USB_PHY_TYPE_UNDEFINED); + dev_info(dev, "%stransceiver found\n", +- gpriv->transceiver ? "" : "no "); ++ !IS_ERR(gpriv->transceiver) ? "" : "no "); + + /* + * CAUTION