From: Greg Kroah-Hartman
Date: Tue, 17 Jan 2017 16:11:07 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v4.9.5~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7e0d956d240ab9ef9b62bff2b1679127d2ae7f00;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
acpi-apei-fix-nmi-notification-handling.patch
blk-mq-always-schedule-hctx-next_cpu.patch
block-cfq_cpd_alloc-should-use-gfp.patch
btrfs-fix-error-handling-when-run_delayed_extent_op-fails.patch
btrfs-fix-locking-when-we-put-back-a-delayed-ref-that-s-too-new.patch
bus-vexpress-config-fix-device-reference-leak.patch
cpufreq-powernv-disable-preemption-while-checking-cpu-throttling-state.patch
drm-radeon-drop-verde-dpm-quirks.patch
nfs-fix-a-performance-regression-in-readdir.patch
nfsv4.1-nfs4_fl_prepare_ds-must-be-careful-about-reporting-success.patch
pinctrl-meson-fix-gpio-request-disabling-other-modes.patch
pnfs-fix-race-in-pnfs_wait_on_layoutreturn.patch
powerpc-ibmebus-fix-device-reference-leaks-in-sysfs-interface.patch
powerpc-ibmebus-fix-further-device-reference-leaks.patch
sysctl-drop-reference-added-by-grab_header-in-proc_sys_readdir.patch
sysrq-attach-sysrq-handler-correctly-for-32-bit-kernel.patch
tty-serial-atmel_serial-bug-stop-dma-from-transmitting-in-stop_tx.patch
usb-serial-ch341-fix-modem-control-and-b0-handling.patch
usb-serial-ch341-fix-resume-after-reset.patch
x86-cpu-fix-bootup-crashes-by-sanitizing-the-argument-of-the-clearcpuid-command-line-option.patch
---
diff --git a/queue-4.4/acpi-apei-fix-nmi-notification-handling.patch b/queue-4.4/acpi-apei-fix-nmi-notification-handling.patch new file mode 100644 index 00000000000..2e20d38efe9 --- /dev/null +++ b/queue-4.4/acpi-apei-fix-nmi-notification-handling.patch 
@@ -0,0 +1,81 @@ +From a545715d2dae8d071c5b06af947b07ffa846b288 Mon Sep 17 00:00:00 2001 +From: Prarit Bhargava +Date: Wed, 30 Nov 2016 08:19:39 -0500 +Subject: ACPI / APEI: Fix NMI notification handling + +From: Prarit Bhargava + +commit a545715d2dae8d071c5b06af947b07ffa846b288 upstream. + +When removing and adding cpu 0 on a system with GHES NMI the following stack +trace is seen when re-adding the cpu: + +WARNING: CPU: 0 PID: 0 at arch/x86/kernel/apic/apic.c:1349 setup_local_APIC+ +Modules linked in: nfsv3 rpcsec_gss_krb5 nfsv4 nfs fscache coretemp intel_ra +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.9.0-rc6+ #2 +Call Trace: + dump_stack+0x63/0x8e + __warn+0xd1/0xf0 + warn_slowpath_null+0x1d/0x20 + setup_local_APIC+0x275/0x370 + apic_ap_setup+0xe/0x20 + start_secondary+0x48/0x180 + set_init_arg+0x55/0x55 + early_idt_handler_array+0x120/0x120 + x86_64_start_reservations+0x2a/0x2c + x86_64_start_kernel+0x13d/0x14c + +During the cpu bringup, wakeup_cpu_via_init_nmi() is called and issues an +NMI on CPU 0. The GHES NMI handler, ghes_notify_nmi() runs the +ghes_proc_irq_work work queue which ends up setting IRQ_WORK_VECTOR +(0xf6). The "faulty" IR line set at arch/x86/kernel/apic/apic.c:1349 is also +0xf6 (specifically APIC IRR for irqs 255 to 224 is 0x400000) which confirms +that something has set the IRQ_WORK_VECTOR line prior to the APIC being +initialized. + +Commit 2383844d4850 ("GHES: Elliminate double-loop in the NMI handler") +incorrectly modified the behavior such that the handler returns +NMI_HANDLED only if an error was processed, and incorrectly runs the ghes +work queue for every NMI. + +This patch modifies the ghes_proc_irq_work() to run as it did prior to +2383844d4850 ("GHES: Elliminate double-loop in the NMI handler") by +properly returning NMI_HANDLED and only calling the work queue if +NMI_HANDLED has been set. 
+ +Fixes: 2383844d4850 (GHES: Elliminate double-loop in the NMI handler) +Signed-off-by: Prarit Bhargava +Reviewed-by: Borislav Petkov +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/apei/ghes.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -847,6 +847,8 @@ static int ghes_notify_nmi(unsigned int + if (ghes_read_estatus(ghes, 1)) { + ghes_clear_estatus(ghes); + continue; ++ } else { ++ ret = NMI_HANDLED; + } + + sev = ghes_severity(ghes->estatus->error_severity); +@@ -858,12 +860,11 @@ static int ghes_notify_nmi(unsigned int + + __process_error(ghes); + ghes_clear_estatus(ghes); +- +- ret = NMI_HANDLED; + } + + #ifdef CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG +- irq_work_queue(&ghes_proc_irq_work); ++ if (ret == NMI_HANDLED) ++ irq_work_queue(&ghes_proc_irq_work); + #endif + atomic_dec(&ghes_in_nmi); + return ret; diff --git a/queue-4.4/blk-mq-always-schedule-hctx-next_cpu.patch b/queue-4.4/blk-mq-always-schedule-hctx-next_cpu.patch new file mode 100644 index 00000000000..0fc81257e2e --- /dev/null +++ b/queue-4.4/blk-mq-always-schedule-hctx-next_cpu.patch 
@@ -0,0 +1,51 @@ +From c02ebfdddbafa9a6a0f52fbd715e6bfa229af9d3 Mon Sep 17 00:00:00 2001 +From: Gabriel Krisman Bertazi +Date: Wed, 28 Sep 2016 00:24:24 -0300 +Subject: blk-mq: Always schedule hctx->next_cpu + +From: Gabriel Krisman Bertazi + +commit c02ebfdddbafa9a6a0f52fbd715e6bfa229af9d3 upstream. + +Commit 0e87e58bf60e ("blk-mq: improve warning for running a queue on the +wrong CPU") attempts to avoid triggering the WARN_ON in +__blk_mq_run_hw_queue when the expected CPU is dead. Problem is, in the +last batch execution before round robin, blk_mq_hctx_next_cpu can +schedule a dead CPU and also update next_cpu to the next alive CPU in +the mask, which will trigger the WARN_ON despite the previous +workaround. + +The following patch fixes this scenario by always scheduling the value +in hctx->next_cpu. This changes the moment when we round-robin the CPU +running the hctx, but it really doesn't matter, since it still executes +BLK_MQ_CPU_WORK_BATCH times in a row before switching to another CPU. + +Fixes: 0e87e58bf60e ("blk-mq: improve warning for running a queue on the wrong CPU") +Signed-off-by: Gabriel Krisman Bertazi +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-mq.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -842,7 +842,7 @@ static int blk_mq_hctx_next_cpu(struct b + return WORK_CPU_UNBOUND; + + if (--hctx->next_cpu_batch <= 0) { +- int cpu = hctx->next_cpu, next_cpu; ++ int next_cpu; + + next_cpu = cpumask_next(hctx->next_cpu, hctx->cpumask); + if (next_cpu >= nr_cpu_ids) +@@ -850,8 +850,6 @@ static int blk_mq_hctx_next_cpu(struct b + + hctx->next_cpu = next_cpu; + hctx->next_cpu_batch = BLK_MQ_CPU_WORK_BATCH; +- +- return cpu; + } + + return hctx->next_cpu; diff --git a/queue-4.4/block-cfq_cpd_alloc-should-use-gfp.patch b/queue-4.4/block-cfq_cpd_alloc-should-use-gfp.patch new file mode 100644 index 00000000000..093c7d206e3 --- /dev/null 
+++ b/queue-4.4/block-cfq_cpd_alloc-should-use-gfp.patch @@ -0,0 +1,35 @@ +From ebc4ff661fbe76781c6b16dfb7b754a5d5073f8e Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Thu, 10 Nov 2016 11:16:37 -0500 +Subject: block: cfq_cpd_alloc() should use @gfp + +From: Tejun Heo + +commit ebc4ff661fbe76781c6b16dfb7b754a5d5073f8e upstream. + +cfq_cpd_alloc() which is the cpd_alloc_fn implementation for cfq was +incorrectly hard coding GFP_KERNEL instead of using the mask specified +through the @gfp parameter. This currently doesn't cause any actual +issues because all current callers specify GFP_KERNEL. Fix it. + +Signed-off-by: Tejun Heo +Reported-by: Dan Carpenter +Fixes: e4a9bde9589f ("blkcg: replace blkcg_policy->cpd_size with ->cpd_alloc/free_fn() methods") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/cfq-iosched.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/block/cfq-iosched.c ++++ b/block/cfq-iosched.c +@@ -1572,7 +1572,7 @@ static struct blkcg_policy_data *cfq_cpd + { + struct cfq_group_data *cgd; + +- cgd = kzalloc(sizeof(*cgd), GFP_KERNEL); ++ cgd = kzalloc(sizeof(*cgd), gfp); + if (!cgd) + return NULL; + return &cgd->cpd; diff --git a/queue-4.4/btrfs-fix-error-handling-when-run_delayed_extent_op-fails.patch b/queue-4.4/btrfs-fix-error-handling-when-run_delayed_extent_op-fails.patch new file mode 100644 index 00000000000..6f6a338831c --- /dev/null +++ b/queue-4.4/btrfs-fix-error-handling-when-run_delayed_extent_op-fails.patch 
@@ -0,0 +1,38 @@ +From aa7c8da35d1905d80e840d075f07d26ec90144b5 Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Tue, 20 Dec 2016 13:28:27 -0500 +Subject: btrfs: fix error handling when run_delayed_extent_op fails + +From: Jeff Mahoney + +commit aa7c8da35d1905d80e840d075f07d26ec90144b5 upstream. + +In __btrfs_run_delayed_refs, the error path when run_delayed_extent_op +fails sets locked_ref->processing = 0 but doesn't re-increment +delayed_refs->num_heads_ready. As a result, we end up triggering +the WARN_ON in btrfs_select_ref_head. + +Fixes: d7df2c796d7 (Btrfs: attach delayed ref updates to delayed ref heads) +Reported-by: Jon Nelson +Signed-off-by: Jeff Mahoney +Reviewed-by: Liu Bo +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent-tree.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -2570,7 +2570,10 @@ static noinline int __btrfs_run_delayed_ + */ + if (must_insert_reserved) + locked_ref->must_insert_reserved = 1; ++ spin_lock(&delayed_refs->lock); + locked_ref->processing = 0; ++ delayed_refs->num_heads_ready++; ++ spin_unlock(&delayed_refs->lock); + btrfs_debug(fs_info, "run_delayed_extent_op returned %d", ret); + btrfs_delayed_ref_unlock(locked_ref); + return ret; diff --git a/queue-4.4/btrfs-fix-locking-when-we-put-back-a-delayed-ref-that-s-too-new.patch b/queue-4.4/btrfs-fix-locking-when-we-put-back-a-delayed-ref-that-s-too-new.patch new file mode 100644 index 00000000000..618030720a4 --- /dev/null +++ b/queue-4.4/btrfs-fix-locking-when-we-put-back-a-delayed-ref-that-s-too-new.patch 
@@ -0,0 +1,40 @@ +From d0280996437081dd12ed1e982ac8aeaa62835ec4 Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Tue, 20 Dec 2016 13:28:28 -0500 +Subject: btrfs: fix locking when we put back a delayed ref that's too new + +From: Jeff Mahoney + +commit d0280996437081dd12ed1e982ac8aeaa62835ec4 upstream. + +In __btrfs_run_delayed_refs, when we put back a delayed ref that's too +new, we have already dropped the lock on locked_ref when we set +->processing = 0. + +This patch keeps the lock to cover that assignment. + +Fixes: d7df2c796d7 (Btrfs: attach delayed ref updates to delayed ref heads) +Signed-off-by: Jeff Mahoney +Reviewed-by: Liu Bo +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent-tree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -2520,11 +2520,11 @@ static noinline int __btrfs_run_delayed_ + if (ref && ref->seq && + btrfs_check_delayed_seq(fs_info, delayed_refs, ref->seq)) { + spin_unlock(&locked_ref->lock); +- btrfs_delayed_ref_unlock(locked_ref); + spin_lock(&delayed_refs->lock); + locked_ref->processing = 0; + delayed_refs->num_heads_ready++; + spin_unlock(&delayed_refs->lock); ++ btrfs_delayed_ref_unlock(locked_ref); + locked_ref = NULL; + cond_resched(); + count++; diff --git a/queue-4.4/bus-vexpress-config-fix-device-reference-leak.patch b/queue-4.4/bus-vexpress-config-fix-device-reference-leak.patch new file mode 100644 index 00000000000..f88c6ea9b53 --- /dev/null +++ b/queue-4.4/bus-vexpress-config-fix-device-reference-leak.patch 
@@ -0,0 +1,45 @@ +From c090959b9dd8c87703e275079aa4b4a824ba3f8e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 16 Nov 2016 17:31:30 +0000 +Subject: bus: vexpress-config: fix device reference leak + +From: Johan Hovold + +commit c090959b9dd8c87703e275079aa4b4a824ba3f8e upstream. + +Make sure to drop the reference to the parent device taken by +class_find_device() after populating the bus. + +Fixes: 3b9334ac835b ("mfd: vexpress: Convert custom func API to regmap") +Acked-by: Sudeep Holla +Signed-off-by: Johan Hovold +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bus/vexpress-config.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/bus/vexpress-config.c ++++ b/drivers/bus/vexpress-config.c +@@ -171,6 +171,7 @@ static int vexpress_config_populate(stru + { + struct device_node *bridge; + struct device *parent; ++ int ret; + + bridge = of_parse_phandle(node, "arm,vexpress,config-bridge", 0); + if (!bridge) +@@ -181,7 +182,11 @@ static int vexpress_config_populate(stru + if (WARN_ON(!parent)) + return -ENODEV; + +- return of_platform_populate(node, NULL, NULL, parent); ++ ret = of_platform_populate(node, NULL, NULL, parent); ++ ++ put_device(parent); ++ ++ return ret; + } + + static int __init vexpress_config_init(void) diff --git a/queue-4.4/cpufreq-powernv-disable-preemption-while-checking-cpu-throttling-state.patch b/queue-4.4/cpufreq-powernv-disable-preemption-while-checking-cpu-throttling-state.patch new file mode 100644 index 00000000000..567a935c270 --- /dev/null +++ b/queue-4.4/cpufreq-powernv-disable-preemption-while-checking-cpu-throttling-state.patch 
@@ -0,0 +1,59 @@ +From 8a10c06a20ec8097a68fd7a4a1c0e285095b4d2f Mon Sep 17 00:00:00 2001 +From: Denis Kirjanov +Date: Tue, 8 Nov 2016 05:39:28 -0500 +Subject: cpufreq: powernv: Disable preemption while checking CPU throttling state + +From: Denis Kirjanov + +commit 8a10c06a20ec8097a68fd7a4a1c0e285095b4d2f upstream. + +With preemption turned on we can read incorrect throttling state +while being switched to CPU on a different chip. + + BUG: using smp_processor_id() in preemptible [00000000] code: cat/7343 + caller is .powernv_cpufreq_throttle_check+0x2c/0x710 + CPU: 13 PID: 7343 Comm: cat Not tainted 4.8.0-rc5-dirty #1 + Call Trace: + [c0000007d25b75b0] [c000000000971378] .dump_stack+0xe4/0x150 (unreliable) + [c0000007d25b7640] [c0000000005162e4] .check_preemption_disabled+0x134/0x150 + [c0000007d25b76e0] [c0000000007b63ac] .powernv_cpufreq_throttle_check+0x2c/0x710 + [c0000007d25b7790] [c0000000007b6d18] .powernv_cpufreq_target_index+0x288/0x360 + [c0000007d25b7870] [c0000000007acee4] .__cpufreq_driver_target+0x394/0x8c0 + [c0000007d25b7920] [c0000000007b22ac] .cpufreq_set+0x7c/0xd0 + [c0000007d25b79b0] [c0000000007adf50] .store_scaling_setspeed+0x80/0xc0 + [c0000007d25b7a40] [c0000000007ae270] .store+0xa0/0x100 + [c0000007d25b7ae0] [c0000000003566e8] .sysfs_kf_write+0x88/0xb0 + [c0000007d25b7b70] [c0000000003553b8] .kernfs_fop_write+0x178/0x260 + [c0000007d25b7c10] [c0000000002ac3cc] .__vfs_write+0x3c/0x1c0 + [c0000007d25b7cf0] [c0000000002ad584] .vfs_write+0xc4/0x230 + [c0000007d25b7d90] [c0000000002aeef8] .SyS_write+0x58/0x100 + [c0000007d25b7e30] [c00000000000bfec] system_call+0x38/0xfc + +Fixes: 09a972d16209 (cpufreq: powernv: Report cpu frequency throttling) +Reviewed-by: Gautham R. Shenoy +Signed-off-by: Denis Kirjanov +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/powernv-cpufreq.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/cpufreq/powernv-cpufreq.c ++++ b/drivers/cpufreq/powernv-cpufreq.c +@@ -373,8 +373,14 @@ static int powernv_cpufreq_target_index( + if (unlikely(rebooting) && new_index != get_nominal_index()) + return 0; + +- if (!throttled) ++ if (!throttled) { ++ /* we don't want to be preempted while ++ * checking if the CPU frequency has been throttled ++ */ ++ preempt_disable(); + powernv_cpufreq_throttle_check(NULL); ++ preempt_enable(); ++ } + + freq_data.pstate_id = powernv_freqs[new_index].driver_data; + diff --git a/queue-4.4/drm-radeon-drop-verde-dpm-quirks.patch b/queue-4.4/drm-radeon-drop-verde-dpm-quirks.patch new file mode 100644 index 00000000000..ea736b2a1b4 --- /dev/null +++ b/queue-4.4/drm-radeon-drop-verde-dpm-quirks.patch 
@@ -0,0 +1,44 @@ +From 8a08403bcb39f5d0e733bcf59a8a74f16b538f6e Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Thu, 5 Jan 2017 12:39:01 -0500 +Subject: drm/radeon: drop verde dpm quirks + +From: Alex Deucher + +commit 8a08403bcb39f5d0e733bcf59a8a74f16b538f6e upstream. + +fixes: +https://bugs.freedesktop.org/show_bug.cgi?id=98897 +https://bugs.launchpad.net/bugs/1651981 + +Acked-by: Edward O'Callaghan +Signed-off-by: Alex Deucher +Cc: Adrian Fiergolski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/si_dpm.c | 13 ------------- + 1 file changed, 13 deletions(-) + +--- a/drivers/gpu/drm/radeon/si_dpm.c ++++ b/drivers/gpu/drm/radeon/si_dpm.c +@@ -3008,19 +3008,6 @@ static void si_apply_state_adjust_rules( + (rdev->pdev->device == 0x6817) || + (rdev->pdev->device == 0x6806)) + max_mclk = 120000; +- } else if (rdev->family == CHIP_VERDE) { +- if ((rdev->pdev->revision == 0x81) || +- (rdev->pdev->revision == 0x83) || +- (rdev->pdev->revision == 0x87) || +- (rdev->pdev->device == 0x6820) || +- (rdev->pdev->device == 0x6821) || +- (rdev->pdev->device == 0x6822) || +- (rdev->pdev->device == 0x6823) || +- (rdev->pdev->device == 0x682A) || +- (rdev->pdev->device == 0x682B)) { +- max_sclk = 75000; +- max_mclk = 80000; +- } + } else if (rdev->family == CHIP_OLAND) { + if ((rdev->pdev->revision == 0xC7) || + (rdev->pdev->revision == 0x80) || diff --git a/queue-4.4/nfs-fix-a-performance-regression-in-readdir.patch b/queue-4.4/nfs-fix-a-performance-regression-in-readdir.patch new file mode 100644 index 00000000000..3853e63501e --- /dev/null +++ b/queue-4.4/nfs-fix-a-performance-regression-in-readdir.patch 
@@ -0,0 +1,72 @@ +From 79f687a3de9e3ba2518b4ea33f38ca6cbe9133eb Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sat, 19 Nov 2016 10:54:55 -0500 +Subject: NFS: Fix a performance regression in readdir + +From: Trond Myklebust + +commit 79f687a3de9e3ba2518b4ea33f38ca6cbe9133eb upstream. + +Ben Coddington reports that commit 311324ad1713, by adding the function +nfs_dir_mapping_need_revalidate() that checks page cache validity on +each call to nfs_readdir() causes a performance regression when +the directory is being modified. + +If the directory is changing while we're iterating through the directory, +POSIX does not require us to invalidate the page cache unless the user +calls rewinddir(). However, we still do want to ensure that we use +readdirplus in order to avoid a load of stat() calls when the user +is doing an 'ls -l' workload. + +The fix should be to invalidate the page cache immediately when we're +setting the NFS_INO_ADVISE_RDPLUS bit. + +Reported-by: Benjamin Coddington +Fixes: 311324ad1713 ("NFS: Be more aggressive in using readdirplus...") +Reviewed-by: Benjamin Coddington +Tested-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/dir.c | 15 ++------------- + 1 file changed, 2 insertions(+), 13 deletions(-) + +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -462,7 +462,7 @@ void nfs_force_use_readdirplus(struct in + { + if (!list_empty(&NFS_I(dir)->open_files)) { + nfs_advise_use_readdirplus(dir); +- nfs_zap_mapping(dir, dir->i_mapping); ++ invalidate_mapping_pages(dir->i_mapping, 0, -1); + } + } + +@@ -847,17 +847,6 @@ int uncached_readdir(nfs_readdir_descrip + goto out; + } + +-static bool nfs_dir_mapping_need_revalidate(struct inode *dir) +-{ +- struct nfs_inode *nfsi = NFS_I(dir); +- +- if (nfs_attribute_cache_expired(dir)) +- return true; +- if (nfsi->cache_validity & NFS_INO_INVALID_DATA) +- return true; +- return false; +-} +- + /* The file offset position represents the dirent entry 
number. A + last cookie cache takes care of the common case of reading the + whole directory. +@@ -890,7 +879,7 @@ static int nfs_readdir(struct file *file + desc->plus = nfs_use_readdirplus(inode, ctx) ? 1 : 0; + + nfs_block_sillyrename(dentry); +- if (ctx->pos == 0 || nfs_dir_mapping_need_revalidate(inode)) ++ if (ctx->pos == 0 || nfs_attribute_cache_expired(inode)) + res = nfs_revalidate_mapping(inode, file->f_mapping); + if (res < 0) + goto out; diff --git a/queue-4.4/nfsv4.1-nfs4_fl_prepare_ds-must-be-careful-about-reporting-success.patch b/queue-4.4/nfsv4.1-nfs4_fl_prepare_ds-must-be-careful-about-reporting-success.patch new file mode 100644 index 00000000000..cca4dde87b7 --- /dev/null +++ b/queue-4.4/nfsv4.1-nfs4_fl_prepare_ds-must-be-careful-about-reporting-success.patch 
@@ -0,0 +1,42 @@ +From cfd278c280f997cf2fe4662e0acab0fe465f637b Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Mon, 19 Dec 2016 11:19:31 +1100 +Subject: NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success. + +From: NeilBrown + +commit cfd278c280f997cf2fe4662e0acab0fe465f637b upstream. + +Various places assume that if nfs4_fl_prepare_ds() turns a non-NULL 'ds', +then ds->ds_clp will also be non-NULL. + +This is not necessasrily true in the case when the process received a fatal signal +while nfs4_pnfs_ds_connect is waiting in nfs4_wait_ds_connect(). +In that case ->ds_clp may not be set, and the devid may not recently have been marked +unavailable. + +So add a test for ds_clp == NULL and return NULL in that case. + +Fixes: c23266d532b4 ("NFS4.1 Fix data server connection race") +Signed-off-by: NeilBrown +Acked-by: Olga Kornievskaia +Acked-by: Adamson, Andy +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/filelayout/filelayoutdev.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nfs/filelayout/filelayoutdev.c ++++ b/fs/nfs/filelayout/filelayoutdev.c +@@ -283,7 +283,8 @@ nfs4_fl_prepare_ds(struct pnfs_layout_se + s->nfs_client->cl_rpcclient->cl_auth->au_flavor); + + out_test_devid: +- if (filelayout_test_devid_unavailable(devid)) ++ if (ret->ds_clp == NULL || ++ filelayout_test_devid_unavailable(devid)) + ret = NULL; + out: + return ret; diff --git a/queue-4.4/pinctrl-meson-fix-gpio-request-disabling-other-modes.patch b/queue-4.4/pinctrl-meson-fix-gpio-request-disabling-other-modes.patch new file mode 100644 index 00000000000..97081fce963 --- /dev/null +++ b/queue-4.4/pinctrl-meson-fix-gpio-request-disabling-other-modes.patch 
@@ -0,0 +1,37 @@ +From f24d311f92b516a8aadef5056424ccabb4068e7b Mon Sep 17 00:00:00 2001 +From: Neil Armstrong +Date: Tue, 6 Dec 2016 15:08:16 +0100 +Subject: pinctrl: meson: fix gpio request disabling other modes + +From: Neil Armstrong + +commit f24d311f92b516a8aadef5056424ccabb4068e7b upstream. + +The pinctrl_gpio_request is called with the "full" gpio number, already +containing the base, then meson_pmx_request_gpio is then called with the +final pin number. +Remove the base addition when calling meson_pmx_disable_other_groups. + +Fixes: 6ac730951104 ("pinctrl: add driver for Amlogic Meson SoCs") +CC: Beniamino Galvani +Signed-off-by: Neil Armstrong +Acked-by: Kevin Hilman +Acked-by: Beniamino Galvani +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/meson/pinctrl-meson.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/meson/pinctrl-meson.c ++++ b/drivers/pinctrl/meson/pinctrl-meson.c +@@ -246,7 +246,7 @@ static int meson_pmx_request_gpio(struct + { + struct meson_pinctrl *pc = pinctrl_dev_get_drvdata(pcdev); + +- meson_pmx_disable_other_groups(pc, range->pin_base + offset, -1); ++ meson_pmx_disable_other_groups(pc, offset, -1); + + return 0; + } diff --git a/queue-4.4/pnfs-fix-race-in-pnfs_wait_on_layoutreturn.patch b/queue-4.4/pnfs-fix-race-in-pnfs_wait_on_layoutreturn.patch new file mode 100644 index 00000000000..27fc959fe33 --- /dev/null +++ b/queue-4.4/pnfs-fix-race-in-pnfs_wait_on_layoutreturn.patch 
@@ -0,0 +1,39 @@ +From ee284e35d8c71bf5d4d807eaff6f67a17134b359 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Fri, 18 Nov 2016 15:21:30 -0500 +Subject: pNFS: Fix race in pnfs_wait_on_layoutreturn + +From: Trond Myklebust + +commit ee284e35d8c71bf5d4d807eaff6f67a17134b359 upstream. + +We must put the task to sleep while holding the inode->i_lock in order +to ensure atomicity with the test for NFS_LAYOUT_RETURN. + +Fixes: 500d701f336b ("NFS41: make close wait for layoutreturn") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/pnfs.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -1185,13 +1185,11 @@ bool pnfs_wait_on_layoutreturn(struct in + * i_lock */ + spin_lock(&ino->i_lock); + lo = nfsi->layout; +- if (lo && test_bit(NFS_LAYOUT_RETURN, &lo->plh_flags)) ++ if (lo && test_bit(NFS_LAYOUT_RETURN, &lo->plh_flags)) { ++ rpc_sleep_on(&NFS_SERVER(ino)->roc_rpcwaitq, task, NULL); + sleep = true; ++ } + spin_unlock(&ino->i_lock); +- +- if (sleep) +- rpc_sleep_on(&NFS_SERVER(ino)->roc_rpcwaitq, task, NULL); +- + return sleep; + } + diff --git a/queue-4.4/powerpc-ibmebus-fix-device-reference-leaks-in-sysfs-interface.patch b/queue-4.4/powerpc-ibmebus-fix-device-reference-leaks-in-sysfs-interface.patch new file mode 100644 index 00000000000..38e755f0f58 --- /dev/null +++ b/queue-4.4/powerpc-ibmebus-fix-device-reference-leaks-in-sysfs-interface.patch 
@@ -0,0 +1,53 @@ +From fe0f3168169f7c34c29b0cf0c489f126a7f29643 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 1 Nov 2016 16:26:00 +0100 +Subject: powerpc/ibmebus: Fix device reference leaks in sysfs interface + +From: Johan Hovold + +commit fe0f3168169f7c34c29b0cf0c489f126a7f29643 upstream. + +Make sure to drop any reference taken by bus_find_device() in the sysfs +callbacks that are used to create and destroy devices based on +device-tree entries. + +Fixes: 6bccf755ff53 ("[POWERPC] ibmebus: dynamic addition/removal of adapters, some code cleanup") +Signed-off-by: Johan Hovold +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/ibmebus.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/ibmebus.c ++++ b/arch/powerpc/kernel/ibmebus.c +@@ -266,6 +266,7 @@ static ssize_t ibmebus_store_probe(struc + const char *buf, size_t count) + { + struct device_node *dn = NULL; ++ struct device *dev; + char *path; + ssize_t rc = 0; + +@@ -273,8 +274,10 @@ static ssize_t ibmebus_store_probe(struc + if (!path) + return -ENOMEM; + +- if (bus_find_device(&ibmebus_bus_type, NULL, path, +- ibmebus_match_path)) { ++ dev = bus_find_device(&ibmebus_bus_type, NULL, path, ++ ibmebus_match_path); ++ if (dev) { ++ put_device(dev); + printk(KERN_WARNING "%s: %s has already been probed\n", + __func__, path); + rc = -EEXIST; +@@ -311,6 +314,7 @@ static ssize_t ibmebus_store_remove(stru + if ((dev = bus_find_device(&ibmebus_bus_type, NULL, path, + ibmebus_match_path))) { + of_device_unregister(to_platform_device(dev)); ++ put_device(dev); + + kfree(path); + return count; diff --git a/queue-4.4/powerpc-ibmebus-fix-further-device-reference-leaks.patch b/queue-4.4/powerpc-ibmebus-fix-further-device-reference-leaks.patch new file mode 100644 index 00000000000..c6a472b9ac5 --- /dev/null +++ b/queue-4.4/powerpc-ibmebus-fix-further-device-reference-leaks.patch 
@@ -0,0 +1,46 @@ +From 815a7141c4d1b11610dccb7fcbb38633759824f2 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 1 Nov 2016 16:26:01 +0100 +Subject: powerpc/ibmebus: Fix further device reference leaks + +From: Johan Hovold + +commit 815a7141c4d1b11610dccb7fcbb38633759824f2 upstream. + +Make sure to drop any reference taken by bus_find_device() when creating +devices during init and driver registration. + +Fixes: 55347cc9962f ("[POWERPC] ibmebus: Add device creation and bus probing based on of_device") +Signed-off-by: Johan Hovold +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/ibmebus.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/ibmebus.c ++++ b/arch/powerpc/kernel/ibmebus.c +@@ -180,6 +180,7 @@ static int ibmebus_create_device(struct + static int ibmebus_create_devices(const struct of_device_id *matches) + { + struct device_node *root, *child; ++ struct device *dev; + int ret = 0; + + root = of_find_node_by_path("/"); +@@ -188,9 +189,12 @@ static int ibmebus_create_devices(const + if (!of_match_node(matches, child)) + continue; + +- if (bus_find_device(&ibmebus_bus_type, NULL, child, +- ibmebus_match_node)) ++ dev = bus_find_device(&ibmebus_bus_type, NULL, child, ++ ibmebus_match_node); ++ if (dev) { ++ put_device(dev); + continue; ++ } + + ret = ibmebus_create_device(child); + if (ret) { diff --git a/queue-4.4/series b/queue-4.4/series index c7ad0a03063..e632d711d3f 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
@@ -25,3 +25,23 @@ i2c-fix-kernel-memory-disclosure-in-dev-interface.patch xhci-fix-deadlock-at-host-remove-by-running-watchdog-correctly.patch vme-fix-wrong-pointer-utilization-in-ca91cx42_slave_get.patch mnt-protect-the-mountpoint-hashtable-with-mount_lock.patch +tty-serial-atmel_serial-bug-stop-dma-from-transmitting-in-stop_tx.patch +sysrq-attach-sysrq-handler-correctly-for-32-bit-kernel.patch +sysctl-drop-reference-added-by-grab_header-in-proc_sys_readdir.patch +drm-radeon-drop-verde-dpm-quirks.patch +usb-serial-ch341-fix-resume-after-reset.patch +usb-serial-ch341-fix-modem-control-and-b0-handling.patch +x86-cpu-fix-bootup-crashes-by-sanitizing-the-argument-of-the-clearcpuid-command-line-option.patch +btrfs-fix-locking-when-we-put-back-a-delayed-ref-that-s-too-new.patch +btrfs-fix-error-handling-when-run_delayed_extent_op-fails.patch +pinctrl-meson-fix-gpio-request-disabling-other-modes.patch +pnfs-fix-race-in-pnfs_wait_on_layoutreturn.patch +nfs-fix-a-performance-regression-in-readdir.patch +nfsv4.1-nfs4_fl_prepare_ds-must-be-careful-about-reporting-success.patch +cpufreq-powernv-disable-preemption-while-checking-cpu-throttling-state.patch +block-cfq_cpd_alloc-should-use-gfp.patch +acpi-apei-fix-nmi-notification-handling.patch +blk-mq-always-schedule-hctx-next_cpu.patch +bus-vexpress-config-fix-device-reference-leak.patch +powerpc-ibmebus-fix-further-device-reference-leaks.patch +powerpc-ibmebus-fix-device-reference-leaks-in-sysfs-interface.patch diff --git a/queue-4.4/sysctl-drop-reference-added-by-grab_header-in-proc_sys_readdir.patch b/queue-4.4/sysctl-drop-reference-added-by-grab_header-in-proc_sys_readdir.patch new file mode 100644 index 00000000000..b067232e826 --- /dev/null +++ b/queue-4.4/sysctl-drop-reference-added-by-grab_header-in-proc_sys_readdir.patch 
@@ -0,0 +1,87 @@ +From 93362fa47fe98b62e4a34ab408c4a418432e7939 Mon Sep 17 00:00:00 2001 +From: Zhou Chengming +Date: Fri, 6 Jan 2017 09:32:32 +0800 +Subject: sysctl: Drop reference added by grab_header in proc_sys_readdir + +From: Zhou Chengming + +commit 93362fa47fe98b62e4a34ab408c4a418432e7939 upstream. + +Fixes CVE-2016-9191, proc_sys_readdir doesn't drop reference +added by grab_header when return from !dir_emit_dots path. +It can cause any path called unregister_sysctl_table will +wait forever. + +The calltrace of CVE-2016-9191: + +[ 5535.960522] Call Trace: +[ 5535.963265] [] schedule+0x3f/0xa0 +[ 5535.968817] [] schedule_timeout+0x3db/0x6f0 +[ 5535.975346] [] ? wait_for_completion+0x45/0x130 +[ 5535.982256] [] wait_for_completion+0xc3/0x130 +[ 5535.988972] [] ? wake_up_q+0x80/0x80 +[ 5535.994804] [] drop_sysctl_table+0xc4/0xe0 +[ 5536.001227] [] drop_sysctl_table+0x77/0xe0 +[ 5536.007648] [] unregister_sysctl_table+0x4d/0xa0 +[ 5536.014654] [] unregister_sysctl_table+0x7f/0xa0 +[ 5536.021657] [] unregister_sched_domain_sysctl+0x15/0x40 +[ 5536.029344] [] partition_sched_domains+0x44/0x450 +[ 5536.036447] [] ? __mutex_unlock_slowpath+0x111/0x1f0 +[ 5536.043844] [] rebuild_sched_domains_locked+0x64/0xb0 +[ 5536.051336] [] update_flag+0x11d/0x210 +[ 5536.057373] [] ? mutex_lock_nested+0x2df/0x450 +[ 5536.064186] [] ? cpuset_css_offline+0x1b/0x60 +[ 5536.070899] [] ? trace_hardirqs_on+0xd/0x10 +[ 5536.077420] [] ? mutex_lock_nested+0x2df/0x450 +[ 5536.084234] [] ? css_killed_work_fn+0x25/0x220 +[ 5536.091049] [] cpuset_css_offline+0x35/0x60 +[ 5536.097571] [] css_killed_work_fn+0x5c/0x220 +[ 5536.104207] [] process_one_work+0x1df/0x710 +[ 5536.110736] [] ? process_one_work+0x160/0x710 +[ 5536.117461] [] worker_thread+0x12b/0x4a0 +[ 5536.123697] [] ? process_one_work+0x710/0x710 +[ 5536.130426] [] kthread+0xfe/0x120 +[ 5536.135991] [] ret_from_fork+0x1f/0x40 +[ 5536.142041] [] ? 
kthread_create_on_node+0x230/0x230 + +One cgroup maintainer mentioned that "cgroup is trying to offline +a cpuset css, which takes place under cgroup_mutex. The offlining +ends up trying to drain active usages of a sysctl table which apprently +is not happening." +The real reason is that proc_sys_readdir doesn't drop reference added +by grab_header when return from !dir_emit_dots path. So this cpuset +offline path will wait here forever. + +See here for details: http://www.openwall.com/lists/oss-security/2016/11/04/13 + +Fixes: f0c3b5093add ("[readdir] convert procfs") +Reported-by: CAI Qian +Tested-by: Yang Shukui +Signed-off-by: Zhou Chengming +Acked-by: Al Viro +Signed-off-by: Eric W. Biederman +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/proc_sysctl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -703,7 +703,7 @@ static int proc_sys_readdir(struct file + ctl_dir = container_of(head, struct ctl_dir, header); + + if (!dir_emit_dots(file, ctx)) +- return 0; ++ goto out; + + pos = 2; + +@@ -713,6 +713,7 @@ static int proc_sys_readdir(struct file + break; + } + } ++out: + sysctl_head_finish(head); + return 0; + } diff --git a/queue-4.4/sysrq-attach-sysrq-handler-correctly-for-32-bit-kernel.patch b/queue-4.4/sysrq-attach-sysrq-handler-correctly-for-32-bit-kernel.patch new file mode 100644 index 00000000000..3543a0dd98f --- /dev/null +++ b/queue-4.4/sysrq-attach-sysrq-handler-correctly-for-32-bit-kernel.patch 
@@ -0,0 +1,43 @@ +From 802c03881f29844af0252b6e22be5d2f65f93fd0 Mon Sep 17 00:00:00 2001 +From: Akinobu Mita +Date: Fri, 6 Jan 2017 02:14:16 +0900 +Subject: sysrq: attach sysrq handler correctly for 32-bit kernel + +From: Akinobu Mita + +commit 802c03881f29844af0252b6e22be5d2f65f93fd0 upstream. + +The sysrq input handler should be attached to the input device which has +a left alt key. + +On 32-bit kernels, some input devices which has a left alt key cannot +attach sysrq handler. Because the keybit bitmap in struct input_device_id +for sysrq is not correctly initialized. KEY_LEFTALT is 56 which is +greater than BITS_PER_LONG on 32-bit kernels. + +I found this problem when using a matrix keypad device which defines +a KEY_LEFTALT (56) but doesn't have a KEY_O (24 == 56%32). + +Cc: Jiri Slaby +Signed-off-by: Akinobu Mita +Acked-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/sysrq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/sysrq.c ++++ b/drivers/tty/sysrq.c +@@ -939,8 +939,8 @@ static const struct input_device_id sysr + { + .flags = INPUT_DEVICE_ID_MATCH_EVBIT | + INPUT_DEVICE_ID_MATCH_KEYBIT, +- .evbit = { BIT_MASK(EV_KEY) }, +- .keybit = { BIT_MASK(KEY_LEFTALT) }, ++ .evbit = { [BIT_WORD(EV_KEY)] = BIT_MASK(EV_KEY) }, ++ .keybit = { [BIT_WORD(KEY_LEFTALT)] = BIT_MASK(KEY_LEFTALT) }, + }, + { }, + }; diff --git a/queue-4.4/tty-serial-atmel_serial-bug-stop-dma-from-transmitting-in-stop_tx.patch b/queue-4.4/tty-serial-atmel_serial-bug-stop-dma-from-transmitting-in-stop_tx.patch new file mode 100644 index 00000000000..945090c74d0 --- /dev/null +++ b/queue-4.4/tty-serial-atmel_serial-bug-stop-dma-from-transmitting-in-stop_tx.patch 
@@ -0,0 +1,54 @@ +From 89d8232411a85b9a6b12fd5da4d07d8a138a8e0c Mon Sep 17 00:00:00 2001 +From: Richard Genoud +Date: Tue, 13 Dec 2016 17:27:56 +0100 +Subject: tty/serial: atmel_serial: BUG: stop DMA from transmitting in stop_tx + +From: Richard Genoud + +commit 89d8232411a85b9a6b12fd5da4d07d8a138a8e0c upstream. + +If we don't disable the transmitter in atmel_stop_tx, the DMA buffer +continues to send data until it is emptied. +This cause problems with the flow control (CTS is asserted and data are +still sent). + +So, disabling the transmitter in atmel_stop_tx is a sane thing to do. + +Tested on at91sam9g35-cm(DMA) +Tested for regressions on sama5d2-xplained(Fifo) and at91sam9g20ek(PDC) + +Signed-off-by: Richard Genoud +Acked-by: Nicolas Ferre +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/atmel_serial.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -470,6 +470,14 @@ static void atmel_stop_tx(struct uart_po + /* disable PDC transmit */ + atmel_uart_writel(port, ATMEL_PDC_PTCR, ATMEL_PDC_TXTDIS); + } ++ ++ /* ++ * Disable the transmitter. ++ * This is mandatory when DMA is used, otherwise the DMA buffer ++ * is fully transmitted. ++ */ ++ atmel_uart_writel(port, ATMEL_US_CR, ATMEL_US_TXDIS); ++ + /* Disable interrupts */ + atmel_uart_writel(port, ATMEL_US_IDR, atmel_port->tx_done_mask); + +@@ -502,6 +510,9 @@ static void atmel_start_tx(struct uart_p + + /* Enable interrupts */ + atmel_uart_writel(port, ATMEL_US_IER, atmel_port->tx_done_mask); ++ ++ /* re-enable the transmitter */ ++ atmel_uart_writel(port, ATMEL_US_CR, ATMEL_US_TXEN); + } + + /* diff --git a/queue-4.4/usb-serial-ch341-fix-modem-control-and-b0-handling.patch b/queue-4.4/usb-serial-ch341-fix-modem-control-and-b0-handling.patch new file mode 100644 index 00000000000..5f0066b1417 --- /dev/null +++ b/queue-4.4/usb-serial-ch341-fix-modem-control-and-b0-handling.patch 
@@ -0,0 +1,60 @@ +From 030ee7ae52a46a2be52ccc8242c4a330aba8d38e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 6 Jan 2017 19:15:12 +0100 +Subject: USB: serial: ch341: fix modem-control and B0 handling + +From: Johan Hovold + +commit 030ee7ae52a46a2be52ccc8242c4a330aba8d38e upstream. + +The modem-control signals are managed by the tty-layer during open and +should not be asserted prematurely when set_termios is called from +driver open. + +Also make sure that the signals are asserted only when changing speed +from B0. + +Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ch341.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/usb/serial/ch341.c ++++ b/drivers/usb/serial/ch341.c +@@ -362,24 +362,24 @@ static void ch341_set_termios(struct tty + baud_rate = tty_get_baud_rate(tty); + + if (baud_rate) { +- spin_lock_irqsave(&priv->lock, flags); +- priv->line_control |= (CH341_BIT_DTR | CH341_BIT_RTS); +- spin_unlock_irqrestore(&priv->lock, flags); + priv->baud_rate = baud_rate; + ch341_set_baudrate(port->serial->dev, priv); +- } else { +- spin_lock_irqsave(&priv->lock, flags); +- priv->line_control &= ~(CH341_BIT_DTR | CH341_BIT_RTS); +- spin_unlock_irqrestore(&priv->lock, flags); + } + +- ch341_set_handshake(port->serial->dev, priv->line_control); +- + /* Unimplemented: + * (cflag & CSIZE) : data bits [5, 8] + * (cflag & PARENB) : parity {NONE, EVEN, ODD} + * (cflag & CSTOPB) : stop bits [1, 2] + */ ++ ++ spin_lock_irqsave(&priv->lock, flags); ++ if (C_BAUD(tty) == B0) ++ priv->line_control &= ~(CH341_BIT_DTR | CH341_BIT_RTS); ++ else if (old_termios && (old_termios->c_cflag & CBAUD) == B0) ++ priv->line_control |= (CH341_BIT_DTR | CH341_BIT_RTS); ++ spin_unlock_irqrestore(&priv->lock, flags); ++ ++ ch341_set_handshake(port->serial->dev, priv->line_control); + } + + static void ch341_break_ctl(struct 
tty_struct *tty, int break_state) diff --git a/queue-4.4/usb-serial-ch341-fix-resume-after-reset.patch b/queue-4.4/usb-serial-ch341-fix-resume-after-reset.patch new file mode 100644 index 00000000000..89cdb0e06cd --- /dev/null +++ b/queue-4.4/usb-serial-ch341-fix-resume-after-reset.patch @@ -0,0 +1,53 @@ +From ce5e292828117d1b71cbd3edf9e9137cf31acd30 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 6 Jan 2017 19:15:14 +0100 +Subject: USB: serial: ch341: fix resume after reset + +From: Johan Hovold + +commit ce5e292828117d1b71cbd3edf9e9137cf31acd30 upstream. + +Fix reset-resume handling which failed to resubmit the read and +interrupt URBs, thereby leaving a port that was open before suspend in a +broken state until closed and reopened. + +Fixes: 1ded7ea47b88 ("USB: ch341 serial: fix port number changed after +resume") +Fixes: 2bfd1c96a9fb ("USB: serial: ch341: remove reset_resume callback") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ch341.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/usb/serial/ch341.c ++++ b/drivers/usb/serial/ch341.c +@@ -554,14 +554,23 @@ static int ch341_tiocmget(struct tty_str + + static int ch341_reset_resume(struct usb_serial *serial) + { +- struct ch341_private *priv; +- +- priv = usb_get_serial_port_data(serial->port[0]); ++ struct usb_serial_port *port = serial->port[0]; ++ struct ch341_private *priv = usb_get_serial_port_data(port); ++ int ret; + + /* reconfigure ch341 serial port after bus-reset */ + ch341_configure(serial->dev, priv); + +- return 0; ++ if (test_bit(ASYNCB_INITIALIZED, &port->port.flags)) { ++ ret = usb_submit_urb(port->interrupt_in_urb, GFP_NOIO); ++ if (ret) { ++ dev_err(&port->dev, "failed to submit interrupt urb: %d\n", ++ ret); ++ return ret; ++ } ++ } ++ ++ return usb_serial_generic_resume(serial); + } + + static struct usb_serial_driver ch341_device = { 
diff --git a/queue-4.4/x86-cpu-fix-bootup-crashes-by-sanitizing-the-argument-of-the-clearcpuid-command-line-option.patch b/queue-4.4/x86-cpu-fix-bootup-crashes-by-sanitizing-the-argument-of-the-clearcpuid-command-line-option.patch new file mode 100644 index 00000000000..f379738484c --- /dev/null +++ b/queue-4.4/x86-cpu-fix-bootup-crashes-by-sanitizing-the-argument-of-the-clearcpuid-command-line-option.patch 
@@ -0,0 +1,49 @@ +From dd853fd216d1485ed3045ff772079cc8689a9a4a Mon Sep 17 00:00:00 2001 +From: Lukasz Odzioba +Date: Wed, 28 Dec 2016 14:55:40 +0100 +Subject: x86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option + +From: Lukasz Odzioba + +commit dd853fd216d1485ed3045ff772079cc8689a9a4a upstream. + +A negative number can be specified in the cmdline which will be used as +setup_clear_cpu_cap() argument. With that we can clear/set some bit in +memory predceeding boot_cpu_data/cpu_caps_cleared which may cause kernel +to misbehave. This patch adds lower bound check to setup_disablecpuid(). + +Boris Petkov reproduced a crash: + + [ 1.234575] BUG: unable to handle kernel paging request at ffffffff858bd540 + [ 1.236535] IP: memcpy_erms+0x6/0x10 + +Signed-off-by: Lukasz Odzioba +Acked-by: Borislav Petkov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: andi.kleen@intel.com +Cc: bp@alien8.de +Cc: dave.hansen@linux.intel.com +Cc: luto@kernel.org +Cc: slaoub@gmail.com +Fixes: ac72e7888a61 ("x86: add generic clearcpuid=... option") +Link: http://lkml.kernel.org/r/1482933340-11857-1-git-send-email-lukasz.odzioba@intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -1129,7 +1129,7 @@ static __init int setup_disablecpuid(cha + { + int bit; + +- if (get_option(&arg, &bit) && bit < NCAPINTS*32) ++ if (get_option(&arg, &bit) && bit >= 0 && bit < NCAPINTS * 32) + setup_clear_cpu_cap(bit); + else + return 0;
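Review bot: in fs/proc/proc_sysctl.c, proc_sys_readdir(), the new `out:` label sits directly above `sysctl_head_finish(head)` with nothing in the code saying that it exists to release the reference taken by grab_header. The commit message explains that the missed release on the `!dir_emit_dots` path is what leaves unregister_sysctl_table waiting forever, but that reasoning is not visible at the label. A one-line comment there, stating that every exit after grab_header has to pass through `out:`, would make it harder for a later early `return 0;` to reintroduce the leak.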
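Review bot: in drivers/tty/sysrq.c, the `.keybit = { [BIT_WORD(KEY_LEFTALT)] = BIT_MASK(KEY_LEFTALT) }` initializer has no comment explaining why the array index is required. The commit message gives the reason (KEY_LEFTALT is 56, which is greater than BITS_PER_LONG on 32-bit kernels, so the old form ended up matching bit 24, KEY_O), and a short comment above the initializer would stop someone from simplifying it back to the single-word form. Separately, the trailer of this queued patch carries `Signed-off-by: Greg Kroah-Hartman` twice; one of the two should be dropped.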
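Review bot: in drivers/tty/serial/atmel_serial.c, the `ATMEL_US_TXEN` write is added as the last statement of atmel_start_tx(), after the interrupt enable, while atmel_stop_tx() now always writes `ATMEL_US_TXDIS`. The hunk context does not show the top of atmel_start_tx(); if any path returns before reaching this point, the transmitter stays disabled after a stop_tx and nothing turns it back on. Please confirm there is no such early return, or move the re-enable to the start of the function so every path through atmel_start_tx() undoes the disable. The "Tested for regressions" line in the commit message covers Fifo and PDC boards, so it would also help to say whether stop_tx followed by start_tx was exercised on the PDC one.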
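Review bot: in drivers/usb/serial/ch341.c, ch341_set_termios(), `priv->line_control` is updated under `priv->lock` but is then read again without the lock in `ch341_set_handshake(port->serial->dev, priv->line_control);` right after `spin_unlock_irqrestore()`. The moved code keeps that pattern from the removed lines. Since this hunk already restructures the locked section, consider copying the value into a local variable while the lock is held and passing the local to ch341_set_handshake(), so the value sent to the device is the one this call computed.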
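Review bot: in drivers/usb/serial/ch341.c, ch341_reset_resume(), the call `ch341_configure(serial->dev, priv);` is still made without looking at its result, while the code added below it returns the error from usb_submit_urb(). If ch341_configure() can report failure, the function now goes on to resubmit URBs on a device that was not reconfigured after the bus reset; checking the result and returning early would be consistent with the new error handling. Also note that when usb_serial_generic_resume() fails, the interrupt URB submitted just above is left in flight; say in a comment whether that is intended or kill it on that path.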
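Review bot: in arch/x86/kernel/cpu/common.c, setup_disablecpuid(), a `clearcpuid=` value that fails the new `bit >= 0 && bit < NCAPINTS * 32` test falls through to `return 0` with no message. The commit message describes a negative value leading to a write before boot_cpu_data/cpu_caps_cleared and a boot crash, so a rejected value is worth reporting: a warning that prints the offending number would tell whoever set the command line why the option had no effect. The range check also lives only in this caller, with setup_clear_cpu_cap() taking `bit` as given; if that helper has other callers that pass externally supplied values, the same bounds belong there. The `NCAPINTS*32` to `NCAPINTS * 32` whitespace change is unrelated to the fix and makes the one-line stable backport slightly harder to compare against the original condition.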