From: Greg Kroah-Hartman Date: Wed, 5 Oct 2016 13:20:45 +0000 (+0200) Subject: 4.7-stable patches X-Git-Tag: v4.8.1~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=83f48a731038adcadf80ba0cc184a0271d9ae55d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.7-stable patches added patches: asoc-intel-skylake-fix-error-return-code-in-skl_probe.patch asoc-omap-mcpdm-fix-irq-resource-handling.patch brcmfmac-fix-glob_skb-leak-in-brcmf_sdiod_recv_chain.patch brcmsmac-free-packet-if-dma_mapping_error-fails-in-dma_rxfill.patch brcmsmac-initialize-power-in-brcms_c_stf_ss_algo_channel_get.patch cxl-fix-potential-null-dereference-in-free_adapter.patch ib-core-fix-possible-memory-leak-in-cma_resolve_iboe_route.patch nfs-don-t-drop-cb-requests-with-invalid-principals.patch pnfs-files-fix-layoutcommit-after-a-commit-to-ds.patch pnfs-flexfiles-fix-layoutcommit-after-a-commit-to-ds.patch powerpc-prom-fix-sub-processor-option-passed-to-ibm-client-architecture-support.patch staging-comedi-adv_pci1760-do-not-return-einval-for-cmdf_round_down.patch svc-avoid-garbage-replies-when-pc_func-returns-rpc_drop_reply.patch sysctl-handle-error-writing-uint_max-to-u32-fields.patch watchdog-core-clear-wdog_hw_running-before-calling-the-stop-function.patch xprtrdma-remove-fmrs-from-the-unmap-list-after-unmapping.patch
---
diff --git a/queue-4.7/asoc-intel-skylake-fix-error-return-code-in-skl_probe.patch b/queue-4.7/asoc-intel-skylake-fix-error-return-code-in-skl_probe.patch
new file mode 100644
index 00000000000..e261e569e69
--- /dev/null
+++ b/queue-4.7/asoc-intel-skylake-fix-error-return-code-in-skl_probe.patch
@@ -0,0 +1,36 @@
+From 979cf59acc9d634cc140aadd0d2915947ab303cc Mon Sep 17 00:00:00 2001
+From: Wei Yongjun
+Date: Fri, 12 Aug 2016 11:45:18 +0000
+Subject: ASoC: Intel: Skylake: Fix error return code in skl_probe()
+
+From: Wei Yongjun
+
+commit 979cf59acc9d634cc140aadd0d2915947ab303cc upstream.
+
+Fix to return error code -ENODEV from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: 87b2bdf02278 ("ASoC: Intel: Skylake: Initialize NHLT table")
+Signed-off-by: Wei Yongjun
+Acked-By: Vinod Koul
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/intel/skylake/skl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/intel/skylake/skl.c
++++ b/sound/soc/intel/skylake/skl.c
+@@ -659,8 +659,10 @@ static int skl_probe(struct pci_dev *pci
+
+ skl->nhlt = skl_nhlt_init(bus->dev);
+
+- if (skl->nhlt == NULL)
++ if (skl->nhlt == NULL) {
++ err = -ENODEV;
+ goto out_free;
++ }
+
+ skl_nhlt_update_topology_bin(skl);
+
diff --git a/queue-4.7/asoc-omap-mcpdm-fix-irq-resource-handling.patch b/queue-4.7/asoc-omap-mcpdm-fix-irq-resource-handling.patch
new file mode 100644
index 00000000000..995b3be437e
--- /dev/null
+++ b/queue-4.7/asoc-omap-mcpdm-fix-irq-resource-handling.patch
@@ -0,0 +1,45 @@
+From a8719670687c46ed2e904c0d05fa4cd7e4950cd1 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi
+Date: Tue, 23 Aug 2016 10:27:19 +0300
+Subject: ASoC: omap-mcpdm: Fix irq resource handling
+
+From: Peter Ujfalusi
+
+commit a8719670687c46ed2e904c0d05fa4cd7e4950cd1 upstream.
+
+Fixes: ddd17531ad908 ("ASoC: omap-mcpdm: Clean up with devm_* function")
+
+Managed irq request will not doing any good in ASoC probe level as it is
+not going to free up the irq when the driver is unbound from the sound
+card.
+
+Signed-off-by: Peter Ujfalusi
+Reported-by: Russell King
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/omap/omap-mcpdm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/omap/omap-mcpdm.c
++++ b/sound/soc/omap/omap-mcpdm.c
+@@ -390,8 +390,8 @@ static int omap_mcpdm_probe(struct snd_s
+ pm_runtime_get_sync(mcpdm->dev);
+ omap_mcpdm_write(mcpdm, MCPDM_REG_CTRL, 0x00);
+
+- ret = devm_request_irq(mcpdm->dev, mcpdm->irq, omap_mcpdm_irq_handler,
+- 0, "McPDM", (void *)mcpdm);
++ ret = request_irq(mcpdm->irq, omap_mcpdm_irq_handler, 0, "McPDM",
++ (void *)mcpdm);
+
+ pm_runtime_put_sync(mcpdm->dev);
+
+@@ -416,6 +416,7 @@ static int omap_mcpdm_remove(struct snd_
+ {
+ struct omap_mcpdm *mcpdm = snd_soc_dai_get_drvdata(dai);
+
++ free_irq(mcpdm->irq, (void *)mcpdm);
+ pm_runtime_disable(mcpdm->dev);
+
+ return 0;
diff --git a/queue-4.7/brcmfmac-fix-glob_skb-leak-in-brcmf_sdiod_recv_chain.patch b/queue-4.7/brcmfmac-fix-glob_skb-leak-in-brcmf_sdiod_recv_chain.patch
new file mode 100644
index 00000000000..286cc397272
--- /dev/null
+++ b/queue-4.7/brcmfmac-fix-glob_skb-leak-in-brcmf_sdiod_recv_chain.patch
@@ -0,0 +1,38 @@
+From 3bdae810721b33061d2e541bd78a70f86ca42af3 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli
+Date: Mon, 18 Jul 2016 16:24:34 -0700
+Subject: brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain
+
+From: Florian Fainelli
+
+commit 3bdae810721b33061d2e541bd78a70f86ca42af3 upstream.
+
+In case brcmf_sdiod_recv_chain() cannot complete a succeful call to
+brcmf_sdiod_buffrw, we would be leaking glom_skb and not free it as we
+should, fix this.
+
+Reported-by: coverity (CID 1164856)
+Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support")
+Signed-off-by: Florian Fainelli
+Acked-by: Arend van Spriel
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -722,8 +722,10 @@ int brcmf_sdiod_recv_chain(struct brcmf_
+ return -ENOMEM;
+ err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr,
+ glom_skb);
+- if (err)
++ if (err) {
++ brcmu_pkt_buf_free_skb(glom_skb);
+ goto done;
++ }
+
+ skb_queue_walk(pktq, skb) {
+ memcpy(skb->data, glom_skb->data, skb->len);
diff --git a/queue-4.7/brcmsmac-free-packet-if-dma_mapping_error-fails-in-dma_rxfill.patch b/queue-4.7/brcmsmac-free-packet-if-dma_mapping_error-fails-in-dma_rxfill.patch
new file mode 100644
index 00000000000..bde5d3a2f1b
--- /dev/null
+++ b/queue-4.7/brcmsmac-free-packet-if-dma_mapping_error-fails-in-dma_rxfill.patch
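Review bot: The new `brcmu_pkt_buf_free_skb(glom_skb);` covers only the `if (err)` branch after `brcmf_sdiod_buffrw()`; the path that continues into `skb_queue_walk()` and copies out of `glom_skb` has no release visible in this hunk. brcmf_sdiod_recv_chain() continues past the hunk, so confirm the bounce buffer is also freed once the copy loop has finished. If it is not, initialising `glom_skb` to NULL and freeing it once at the `done:` label would cover both exits from a single call site, provided the free helper tolerates NULL.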
@@ -0,0 +1,37 @@
+From 5c5fa1f464ac954982df1d96b9f9a5103d21aedd Mon Sep 17 00:00:00 2001
+From: Florian Fainelli
+Date: Mon, 18 Jul 2016 16:24:35 -0700
+Subject: brcmsmac: Free packet if dma_mapping_error() fails in dma_rxfill
+
+From: Florian Fainelli
+
+commit 5c5fa1f464ac954982df1d96b9f9a5103d21aedd upstream.
+
+In case dma_mapping_error() returns an error in dma_rxfill, we would be
+leaking a packet that we allocated with brcmu_pkt_buf_get_skb().
+
+Reported-by: coverity (CID 1081819)
+Fixes: 67d0cf50bd32 ("brcmsmac: Fix WARNING caused by lack of calls to dma_mapping_error()")
+Signed-off-by: Florian Fainelli
+Acked-by: Arend van Spriel
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c
+@@ -1079,8 +1079,10 @@ bool dma_rxfill(struct dma_pub *pub)
+
+ pa = dma_map_single(di->dmadev, p->data, di->rxbufsize,
+ DMA_FROM_DEVICE);
+- if (dma_mapping_error(di->dmadev, pa))
++ if (dma_mapping_error(di->dmadev, pa)) {
++ brcmu_pkt_buf_free_skb(p);
+ return false;
++ }
+
+ /* save the free packet pointer */
+ di->rxp[rxout] = p;
diff --git a/queue-4.7/brcmsmac-initialize-power-in-brcms_c_stf_ss_algo_channel_get.patch b/queue-4.7/brcmsmac-initialize-power-in-brcms_c_stf_ss_algo_channel_get.patch
new file mode 100644
index 00000000000..4768f418b38
--- /dev/null
+++ b/queue-4.7/brcmsmac-initialize-power-in-brcms_c_stf_ss_algo_channel_get.patch
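Review bot: `return false;` in the new `dma_mapping_error()` branch leaves dma_rxfill() immediately, and the following context (`di->rxp[rxout] = p;`) suggests this code runs once per receive descriptor being refilled. The rest of the function is outside the hunk; if buffers stored in `di->rxp[]` earlier in the same call are only published to the ring after the loop, returning here would strand them and their DMA mappings. In that case `break;` after the free would let the already-filled descriptors be committed, so the exit is worth checking against the full function.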
@@ -0,0 +1,36 @@
+From f823a2aa8f4674c095a5413b9e3ba12d82df06f2 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli
+Date: Mon, 18 Jul 2016 16:24:37 -0700
+Subject: brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get()
+
+From: Florian Fainelli
+
+commit f823a2aa8f4674c095a5413b9e3ba12d82df06f2 upstream.
+
+wlc_phy_txpower_get_current() does a logical OR of power->flags, which
+presumes that power.flags was initiliazed earlier by the caller,
+unfortunately, this is not the case, so make sure we zero out the struct
+tx_power before calling into wlc_phy_txpower_get_current().
+
+Reported-by: coverity (CID 146011)
+Fixes: 5b435de0d7868 ("net: wireless: add brcm80211 drivers")
+Signed-off-by: Florian Fainelli
+Acked-by: Arend van Spriel
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmsmac/stf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/stf.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/stf.c
+@@ -87,7 +87,7 @@ void
+ brcms_c_stf_ss_algo_channel_get(struct brcms_c_info *wlc, u16 *ss_algo_channel,
+ u16 chanspec)
+ {
+- struct tx_power power;
++ struct tx_power power = { };
+ u8 siso_mcs_id, cdd_mcs_id, stbc_mcs_id;
+
+ /* Clear previous settings */
diff --git a/queue-4.7/cxl-fix-potential-null-dereference-in-free_adapter.patch b/queue-4.7/cxl-fix-potential-null-dereference-in-free_adapter.patch
new file mode 100644
index 00000000000..595c2d776c4
--- /dev/null
+++ b/queue-4.7/cxl-fix-potential-null-dereference-in-free_adapter.patch
@@ -0,0 +1,55 @@
+From 8fbaa51d43ef2c6a72849ec34060910723a0365f Mon Sep 17 00:00:00 2001
+From: Andrew Donnellan
+Date: Fri, 15 Jul 2016 17:20:36 +1000
+Subject: cxl: fix potential NULL dereference in free_adapter()
+
+From: Andrew Donnellan
+
+commit 8fbaa51d43ef2c6a72849ec34060910723a0365f upstream.
+
+If kzalloc() fails when allocating adapter->guest in
+cxl_guest_init_adapter(), we call free_adapter() before erroring out.
+free_adapter() in turn attempts to dereference adapter->guest, which in
+this case is NULL.
+
+In free_adapter(), skip the adapter->guest cleanup if adapter->guest is
+NULL.
+
+Fixes: 14baf4d9c739 ("cxl: Add guest-specific code")
+Reported-by: Dan Carpenter
+Signed-off-by: Andrew Donnellan
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/misc/cxl/guest.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/drivers/misc/cxl/guest.c
++++ b/drivers/misc/cxl/guest.c
+@@ -1052,16 +1052,18 @@ static void free_adapter(struct cxl *ada
+ struct irq_avail *cur;
+ int i;
+
+- if (adapter->guest->irq_avail) {
+- for (i = 0; i < adapter->guest->irq_nranges; i++) {
+- cur = &adapter->guest->irq_avail[i];
+- kfree(cur->bitmap);
++ if (adapter->guest) {
++ if (adapter->guest->irq_avail) {
++ for (i = 0; i < adapter->guest->irq_nranges; i++) {
++ cur = &adapter->guest->irq_avail[i];
++ kfree(cur->bitmap);
++ }
++ kfree(adapter->guest->irq_avail);
+ }
+- kfree(adapter->guest->irq_avail);
++ kfree(adapter->guest->status);
++ kfree(adapter->guest);
+ }
+- kfree(adapter->guest->status);
+ cxl_remove_adapter_nr(adapter);
+- kfree(adapter->guest);
+ kfree(adapter);
+ }
+
diff --git a/queue-4.7/ib-core-fix-possible-memory-leak-in-cma_resolve_iboe_route.patch b/queue-4.7/ib-core-fix-possible-memory-leak-in-cma_resolve_iboe_route.patch
new file mode 100644
index 00000000000..9611077db4d
--- /dev/null
+++ b/queue-4.7/ib-core-fix-possible-memory-leak-in-cma_resolve_iboe_route.patch
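Review bot: The new `if (adapter->guest)` guard in free_adapter() carries no comment saying when `guest` can be NULL, so the check reads as redundant to anyone who has not seen the commit message. A one-line comment above it, for example `/* guest is NULL if cxl_guest_init_adapter() failed to allocate it */`, would keep a later cleanup from removing the guard and reintroducing the NULL dereference. The commit message is the only place that currently records that free_adapter() is reached from that failure path.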
@@ -0,0 +1,56 @@
+From 23d70503ee187819a3775c7ac73f17c5bfe3fad0 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun
+Date: Fri, 5 Aug 2016 13:46:49 +0000
+Subject: IB/core: Fix possible memory leak in cma_resolve_iboe_route()
+
+From: Wei Yongjun
+
+commit 23d70503ee187819a3775c7ac73f17c5bfe3fad0 upstream.
+
+'work' and 'route->path_rec' are malloced in cma_resolve_iboe_route()
+and should be freed before leaving from the error handling cases,
+otherwise it will cause memory leak.
+
+Fixes: 200298326b27 ('IB/core: Validate route when we init ah')
+Signed-off-by: Wei Yongjun
+Reviewed-by: Haggai Eran
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/cma.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -2452,18 +2452,24 @@ static int cma_resolve_iboe_route(struct
+
+ if (addr->dev_addr.bound_dev_if) {
+ ndev = dev_get_by_index(&init_net, addr->dev_addr.bound_dev_if);
+- if (!ndev)
+- return -ENODEV;
++ if (!ndev) {
++ ret = -ENODEV;
++ goto err2;
++ }
+
+ if (ndev->flags & IFF_LOOPBACK) {
+ dev_put(ndev);
+- if (!id_priv->id.device->get_netdev)
+- return -EOPNOTSUPP;
++ if (!id_priv->id.device->get_netdev) {
++ ret = -EOPNOTSUPP;
++ goto err2;
++ }
+
+ ndev = id_priv->id.device->get_netdev(id_priv->id.device,
+ id_priv->id.port_num);
+- if (!ndev)
+- return -ENODEV;
++ if (!ndev) {
++ ret = -ENODEV;
++ goto err2;
++ }
+ }
+
+ route->path_rec->net = &init_net;
diff --git a/queue-4.7/nfs-don-t-drop-cb-requests-with-invalid-principals.patch b/queue-4.7/nfs-don-t-drop-cb-requests-with-invalid-principals.patch
new file mode 100644
index 00000000000..4e241f8576d
--- /dev/null
+++ b/queue-4.7/nfs-don-t-drop-cb-requests-with-invalid-principals.patch
@@ -0,0 +1,63 @@
+From a4e187d83d88eeaba6252aac0a2ffe5eaa73a818 Mon Sep 17 00:00:00 2001
+From: Chuck Lever
+Date: Wed, 29 Jun 2016 13:55:22 -0400
+Subject: NFS: Don't drop CB requests with invalid principals
+
+From: Chuck Lever
+
+commit a4e187d83d88eeaba6252aac0a2ffe5eaa73a818 upstream.
+
+Before commit 778be232a207 ("NFS do not find client in NFSv4
+pg_authenticate"), the Linux callback server replied with
+RPC_AUTH_ERROR / RPC_AUTH_BADCRED, instead of dropping the CB
+request. Let's restore that behavior so the server has a chance to
+do something useful about it, and provide a warning that helps
+admins correct the problem.
+
+Fixes: 778be232a207 ("NFS do not find client in NFSv4 ...")
+Signed-off-by: Chuck Lever
+Tested-by: Steve Wise
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/callback_xdr.c | 6 +++++-
+ net/sunrpc/svc.c | 5 +++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/callback_xdr.c
++++ b/fs/nfs/callback_xdr.c
+@@ -925,7 +925,7 @@ static __be32 nfs4_callback_compound(str
+ if (hdr_arg.minorversion == 0) {
+ cps.clp = nfs4_find_client_ident(SVC_NET(rqstp), hdr_arg.cb_ident);
+ if (!cps.clp || !check_gss_callback_principal(cps.clp, rqstp))
+- return rpc_drop_reply;
++ goto out_invalidcred;
+ }
+
+ cps.minorversion = hdr_arg.minorversion;
+@@ -953,6 +953,10 @@ static __be32 nfs4_callback_compound(str
+ nfs_put_client(cps.clp);
+ dprintk("%s: done, status = %u\n", __func__, ntohl(status));
+ return rpc_success;
++
++out_invalidcred:
++ pr_warn_ratelimited("NFS: NFSv4 callback contains invalid cred\n");
++ return rpc_autherr_badcred;
+ }
+
+ /*
+--- a/net/sunrpc/svc.c
++++ b/net/sunrpc/svc.c
+@@ -1194,6 +1194,11 @@ svc_process_common(struct svc_rqst *rqst
+ procp->pc_release(rqstp, NULL, rqstp->rq_resp);
+ goto dropit;
+ }
++ if (*statp == rpc_autherr_badcred) {
++ if (procp->pc_release)
++ procp->pc_release(rqstp, NULL, rqstp->rq_resp);
++ goto err_bad_auth;
++ }
+ if (*statp == rpc_success &&
+ (xdr = procp->pc_encode) &&
+ !xdr(rqstp, resv->iov_base+resv->iov_len, rqstp->rq_resp)) {
diff --git a/queue-4.7/pnfs-files-fix-layoutcommit-after-a-commit-to-ds.patch b/queue-4.7/pnfs-files-fix-layoutcommit-after-a-commit-to-ds.patch
new file mode 100644
index 00000000000..2be225da8de
--- /dev/null
+++ b/queue-4.7/pnfs-files-fix-layoutcommit-after-a-commit-to-ds.patch
@@ -0,0 +1,33 @@
+From 73e6c5d854d3f7f75e8b46d3e54aeb5d83fe6b1f Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Sun, 26 Jun 2016 12:27:25 -0400
+Subject: pNFS/files: Fix layoutcommit after a commit to DS
+
+From: Trond Myklebust
+
+commit 73e6c5d854d3f7f75e8b46d3e54aeb5d83fe6b1f upstream.
+
+According to the errata
+https://www.rfc-editor.org/errata_search.php?rfc=5661&eid=2751
+we should always send layout commit after a commit to DS.
+
+Fixes: bc7d4b8fd091 ("nfs/filelayout: set layoutcommit...")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/filelayout/filelayout.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/nfs/filelayout/filelayout.c
++++ b/fs/nfs/filelayout/filelayout.c
+@@ -375,8 +375,7 @@ static int filelayout_commit_done_cb(str
+ return -EAGAIN;
+ }
+
+- if (data->verf.committed == NFS_UNSTABLE)
+- pnfs_set_layoutcommit(data->inode, data->lseg, data->lwb);
++ pnfs_set_layoutcommit(data->inode, data->lseg, data->lwb);
+
+ return 0;
+ }
diff --git a/queue-4.7/pnfs-flexfiles-fix-layoutcommit-after-a-commit-to-ds.patch b/queue-4.7/pnfs-flexfiles-fix-layoutcommit-after-a-commit-to-ds.patch
new file mode 100644
index 00000000000..8f8969f1536
--- /dev/null
+++ b/queue-4.7/pnfs-flexfiles-fix-layoutcommit-after-a-commit-to-ds.patch
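Review bot: The new `out_invalidcred:` label in nfs4_callback_compound() returns `rpc_autherr_badcred` without calling `nfs_put_client(cps.clp)`, while the normal exit directly above it does. The `goto` is taken on `!cps.clp || !check_gss_callback_principal(cps.clp, rqstp)`, so a failed principal check reaches the label with a non-NULL client. If `nfs4_find_client_ident()` returns a referenced client (its body is not shown here), every callback rejected for a bad principal leaves that reference held, on a path driven by the remote peer. Adding `if (cps.clp) nfs_put_client(cps.clp);` before the `goto` would release it; the replaced `return rpc_drop_reply;` had the same gap, so it predates this patch.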
@@ -0,0 +1,32 @@
+From c001c87a63aa2f35358e33eb05e45e4cbcb34f54 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Sun, 26 Jun 2016 12:39:49 -0400
+Subject: pNFS/flexfiles: Fix layoutcommit after a commit to DS
+
+From: Trond Myklebust
+
+commit c001c87a63aa2f35358e33eb05e45e4cbcb34f54 upstream.
+
+We should always do a layoutcommit after commit to DS, except if
+the layout segment we're using has set FF_FLAGS_NO_LAYOUTCOMMIT.
+
+Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -1529,8 +1529,7 @@ static int ff_layout_commit_done_cb(stru
+ return -EAGAIN;
+ }
+
+- if (data->verf.committed == NFS_UNSTABLE
+- && ff_layout_need_layoutcommit(data->lseg))
++ if (ff_layout_need_layoutcommit(data->lseg))
+ pnfs_set_layoutcommit(data->inode, data->lseg, data->lwb);
+
+ return 0;
diff --git a/queue-4.7/powerpc-prom-fix-sub-processor-option-passed-to-ibm-client-architecture-support.patch b/queue-4.7/powerpc-prom-fix-sub-processor-option-passed-to-ibm-client-architecture-support.patch
new file mode 100644
index 00000000000..5c3a56ca720
--- /dev/null
+++ b/queue-4.7/powerpc-prom-fix-sub-processor-option-passed-to-ibm-client-architecture-support.patch
@@ -0,0 +1,71 @@
+From 66443efa83dc73775100b7442962ce2cb0d4472e Mon Sep 17 00:00:00 2001
+From: Michael Ellerman
+Date: Fri, 12 Aug 2016 21:45:52 +1000
+Subject: powerpc/prom: Fix sub-processor option passed to ibm, client-architecture-support
+
+From: Michael Ellerman
+
+commit 66443efa83dc73775100b7442962ce2cb0d4472e upstream.
+
+When booting from an OpenFirmware which supports it, we use the
+"ibm,client-architecture-support" firmware call to communicate
+our capabilities to firmware.
+
+The format of the structure we pass to firmware is specified in
+PAPR (Power Architecture Platform Requirements), or the public version
+LoPAPR (Linux on Power Architecture Platform Reference).
+
+Referring to table 244 in LoPAPR v1.1, option vector 5 contains a 4 byte
+field at bytes 17-20 for the "Platform Facilities Enable". This is
+followed by a 1 byte field at byte 21 for "Sub-Processor Represenation
+Level".
+
+Comparing to the code, there we have the Platform Facilities
+options (OV5_PFO_*) at byte 17, but we fail to pad that field out to its
+full width of 4 bytes. This means the OV5_SUB_PROCESSORS option is
+incorrectly placed at byte 18.
+
+Fix it by adding zero bytes for bytes 18, 19, 20, and comment the bytes
+to hopefully make it clearer in future.
+
+As far as I'm aware nothing actually consumes this value at this time,
+so the effect of this bug is nil in practice.
+
+It does mean we've been incorrectly setting bit 15 of the "Platform
+Facilities Enable" option for the past ~3 1/2 years, so we should avoid
+allocating that bit to anything else in future.
+
+Fixes: df77c7992029 ("powerpc/pseries: Update ibm,architecture.vec for PAPR 2.7/POWER8")
+Signed-off-by: Michael Ellerman
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/prom_init.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/kernel/prom_init.c
++++ b/arch/powerpc/kernel/prom_init.c
+@@ -695,7 +695,7 @@ unsigned char ibm_architecture_vec[] = {
+ OV4_MIN_ENT_CAP, /* minimum VP entitled capacity */
+
+ /* option vector 5: PAPR/OF options */
+- VECTOR_LENGTH(18), /* length */
++ VECTOR_LENGTH(21), /* length */
+ 0, /* don't ignore, don't halt */
+ OV5_FEAT(OV5_LPAR) | OV5_FEAT(OV5_SPLPAR) | OV5_FEAT(OV5_LARGE_PAGES) |
+ OV5_FEAT(OV5_DRCONF_MEMORY) | OV5_FEAT(OV5_DONATE_DEDICATE_CPU) |
+@@ -726,8 +726,11 @@ unsigned char ibm_architecture_vec[] = {
+ 0,
+ 0,
+ OV5_FEAT(OV5_PFO_HW_RNG) | OV5_FEAT(OV5_PFO_HW_ENCR) |
+- OV5_FEAT(OV5_PFO_HW_842),
+- OV5_FEAT(OV5_SUB_PROCESSORS),
++ OV5_FEAT(OV5_PFO_HW_842), /* Byte 17 */
++ 0, /* Byte 18 */
++ 0, /* Byte 19 */
++ 0, /* Byte 20 */
++ OV5_FEAT(OV5_SUB_PROCESSORS), /* Byte 21 */
+
+ /* option vector 6: IBM PAPR hints */
+ VECTOR_LENGTH(3), /* length */
diff --git a/queue-4.7/series b/queue-4.7/series
index 9aeaeacffeb..9623f034641 100644
--- a/queue-4.7/series
+++ b/queue-4.7/series
@@ -92,3 +92,19 @@ tracing-have-hist_triggers-select-tracing.patch
 dmaengine-bcm2835-fix-64-bit-warning.patch
 dmaengine-at_xdmac-fix-debug-string.patch
 nfs-pnfs-do-not-clobber-existing-pgio_done_cb-in-nfs4_proc_read_setup.patch
+svc-avoid-garbage-replies-when-pc_func-returns-rpc_drop_reply.patch
+nfs-don-t-drop-cb-requests-with-invalid-principals.patch
+pnfs-files-fix-layoutcommit-after-a-commit-to-ds.patch
+pnfs-flexfiles-fix-layoutcommit-after-a-commit-to-ds.patch
+watchdog-core-clear-wdog_hw_running-before-calling-the-stop-function.patch
+cxl-fix-potential-null-dereference-in-free_adapter.patch
+xprtrdma-remove-fmrs-from-the-unmap-list-after-unmapping.patch
+asoc-intel-skylake-fix-error-return-code-in-skl_probe.patch
+brcmfmac-fix-glob_skb-leak-in-brcmf_sdiod_recv_chain.patch
+brcmsmac-free-packet-if-dma_mapping_error-fails-in-dma_rxfill.patch
+brcmsmac-initialize-power-in-brcms_c_stf_ss_algo_channel_get.patch
+staging-comedi-adv_pci1760-do-not-return-einval-for-cmdf_round_down.patch
+powerpc-prom-fix-sub-processor-option-passed-to-ibm-client-architecture-support.patch
+sysctl-handle-error-writing-uint_max-to-u32-fields.patch
+asoc-omap-mcpdm-fix-irq-resource-handling.patch
+ib-core-fix-possible-memory-leak-in-cma_resolve_iboe_route.patch
diff --git a/queue-4.7/staging-comedi-adv_pci1760-do-not-return-einval-for-cmdf_round_down.patch b/queue-4.7/staging-comedi-adv_pci1760-do-not-return-einval-for-cmdf_round_down.patch
new file mode 100644
index 00000000000..6f2e588e081
--- /dev/null
+++ b/queue-4.7/staging-comedi-adv_pci1760-do-not-return-einval-for-cmdf_round_down.patch
@@ -0,0 +1,30 @@
+From c71f20ee76342376e3c4c67cdbe7421d8c4e886e Mon Sep 17 00:00:00 2001
+From: Phil Turnbull
+Date: Fri, 29 Jul 2016 09:43:56 -0400
+Subject: staging: comedi: adv_pci1760: Do not return EINVAL for CMDF_ROUND_DOWN.
+
+From: Phil Turnbull
+
+commit c71f20ee76342376e3c4c67cdbe7421d8c4e886e upstream.
+
+The CMDF_ROUND_DOWN case falls through and so always returns -EINVAL.
+
+Fixes: 14b93bb6bbf0 ("staging: comedi: adv_pci_dio: separate out PCI-1760 support")
+Signed-off-by: Phil Turnbull
+Reviewed-by: Ian Abbott
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/comedi/drivers/adv_pci1760.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/comedi/drivers/adv_pci1760.c
++++ b/drivers/staging/comedi/drivers/adv_pci1760.c
+@@ -196,6 +196,7 @@ static int pci1760_pwm_ns_to_div(unsigne
+ break;
+ case CMDF_ROUND_DOWN:
+ divisor = ns / PCI1760_PWM_TIMEBASE;
++ break;
+ default:
+ return -EINVAL;
+ }
diff --git a/queue-4.7/svc-avoid-garbage-replies-when-pc_func-returns-rpc_drop_reply.patch b/queue-4.7/svc-avoid-garbage-replies-when-pc_func-returns-rpc_drop_reply.patch
new file mode 100644
index 00000000000..9aaa6d8fff1
--- /dev/null
+++ b/queue-4.7/svc-avoid-garbage-replies-when-pc_func-returns-rpc_drop_reply.patch
@@ -0,0 +1,36 @@
+From 0533b13072f4bf35738290d2cf9e299c7bc6c42a Mon Sep 17 00:00:00 2001
+From: Chuck Lever
+Date: Wed, 29 Jun 2016 13:55:14 -0400
+Subject: svc: Avoid garbage replies when pc_func() returns rpc_drop_reply
+
+From: Chuck Lever
+
+commit 0533b13072f4bf35738290d2cf9e299c7bc6c42a upstream.
+
+If an RPC program does not set vs_dispatch and pc_func() returns
+rpc_drop_reply, the server sends a reply anyway containing a single
+word containing the value RPC_DROP_REPLY (in network byte-order, of
+course). This is a nonsense RPC message.
+
+Fixes: 9e701c610923 ("svcrpc: simpler request dropping")
+Signed-off-by: Chuck Lever
+Tested-by: Steve Wise
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sunrpc/svc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sunrpc/svc.c
++++ b/net/sunrpc/svc.c
+@@ -1188,7 +1188,8 @@ svc_process_common(struct svc_rqst *rqst
+ *statp = procp->pc_func(rqstp, rqstp->rq_argp, rqstp->rq_resp);
+
+ /* Encode reply */
+- if (test_bit(RQ_DROPME, &rqstp->rq_flags)) {
++ if (*statp == rpc_drop_reply ||
++ test_bit(RQ_DROPME, &rqstp->rq_flags)) {
+ if (procp->pc_release)
+ procp->pc_release(rqstp, NULL, rqstp->rq_resp);
+ goto dropit;
diff --git a/queue-4.7/sysctl-handle-error-writing-uint_max-to-u32-fields.patch b/queue-4.7/sysctl-handle-error-writing-uint_max-to-u32-fields.patch
new file mode 100644
index 00000000000..61c90981451
--- /dev/null
+++ b/queue-4.7/sysctl-handle-error-writing-uint_max-to-u32-fields.patch
@@ -0,0 +1,135 @@
+From e7d316a02f683864a12389f8808570e37fb90aa3 Mon Sep 17 00:00:00 2001
+From: Subash Abhinov Kasiviswanathan
+Date: Thu, 25 Aug 2016 15:16:51 -0700
+Subject: sysctl: handle error writing UINT_MAX to u32 fields
+
+From: Subash Abhinov Kasiviswanathan
+
+commit e7d316a02f683864a12389f8808570e37fb90aa3 upstream.
+
+We have scripts which write to certain fields on 3.18 kernels but this
+seems to be failing on 4.4 kernels. An entry which we write to here is
+xfrm_aevent_rseqth which is u32.
+
+ echo 4294967295 > /proc/sys/net/core/xfrm_aevent_rseqth
+
+Commit 230633d109e3 ("kernel/sysctl.c: detect overflows when converting
+to int") prevented writing to sysctl entries when integer overflow
+occurs. However, this does not apply to unsigned integers.
+
+Heinrich suggested that we introduce a new option to handle 64 bit
+limits and set min as 0 and max as UINT_MAX. This might not work as it
+leads to issues similar to __do_proc_doulongvec_minmax. Alternatively,
+we would need to change the datatype of the entry to 64 bit.
+
+ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table
+ {
+ i = (unsigned long *) data; //This cast is causing to read beyond the size of data (u32)
+ vleft = table->maxlen / sizeof(unsigned long); //vleft is 0 because maxlen is sizeof(u32) which is lesser than sizeof(unsigned long) on x86_64.
+
+Introduce a new proc handler proc_douintvec. Individual proc entries
+will need to be updated to use the new handler.
+
+[akpm@linux-foundation.org: coding-style fixes]
+Fixes: 230633d109e3 ("kernel/sysctl.c:detect overflows when converting to int")
+Link: http://lkml.kernel.org/r/1471479806-5252-1-git-send-email-subashab@codeaurora.org
+Signed-off-by: Subash Abhinov Kasiviswanathan
+Cc: Heinrich Schuchardt
+Cc: Kees Cook
+Cc: "David S. Miller"
+Cc: Ingo Molnar
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/sysctl.h | 2 ++
+ kernel/sysctl.c | 45 +++++++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 45 insertions(+), 2 deletions(-)
+
+--- a/include/linux/sysctl.h
++++ b/include/linux/sysctl.h
+@@ -41,6 +41,8 @@ extern int proc_dostring(struct ctl_tabl
+ void __user *, size_t *, loff_t *);
+ extern int proc_dointvec(struct ctl_table *, int,
+ void __user *, size_t *, loff_t *);
++extern int proc_douintvec(struct ctl_table *, int,
++ void __user *, size_t *, loff_t *);
+ extern int proc_dointvec_minmax(struct ctl_table *, int,
+ void __user *, size_t *, loff_t *);
+ extern int proc_dointvec_jiffies(struct ctl_table *, int,
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2122,6 +2122,21 @@ static int do_proc_dointvec_conv(bool *n
+ return 0;
+ }
+
++static int do_proc_douintvec_conv(bool *negp, unsigned long *lvalp,
++ int *valp,
++ int write, void *data)
++{
++ if (write) {
++ if (*negp)
++ return -EINVAL;
++ *valp = *lvalp;
++ } else {
++ unsigned int val = *valp;
++ *lvalp = (unsigned long)val;
++ }
++ return 0;
++}
++
+ static const char proc_wspace_sep[] = { ' ', '\t', '\n' };
+
+ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
+@@ -2241,8 +2256,27 @@ static int do_proc_dointvec(struct ctl_t
+ int proc_dointvec(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+ {
+- return do_proc_dointvec(table,write,buffer,lenp,ppos,
+- NULL,NULL);
++ return do_proc_dointvec(table, write, buffer, lenp, ppos, NULL, NULL);
++}
++
++/**
++ * proc_douintvec - read a vector of unsigned integers
++ * @table: the sysctl table
++ * @write: %TRUE if this is a write to the sysctl file
++ * @buffer: the user buffer
++ * @lenp: the size of the user buffer
++ * @ppos: file position
++ *
++ * Reads/writes up to table->maxlen/sizeof(unsigned int) unsigned integer
++ * values from/to the user buffer, treated as an ASCII string.
++ *
++ * Returns 0 on success.
++ */
++int proc_douintvec(struct ctl_table *table, int write,
++ void __user *buffer, size_t *lenp, loff_t *ppos)
++{
++ return do_proc_dointvec(table, write, buffer, lenp, ppos,
++ do_proc_douintvec_conv, NULL);
+ }
+
+ /*
+@@ -2840,6 +2874,12 @@ int proc_dointvec(struct ctl_table *tabl
+ return -ENOSYS;
+ }
+
++int proc_douintvec(struct ctl_table *table, int write,
++ void __user *buffer, size_t *lenp, loff_t *ppos)
++{
++ return -ENOSYS;
++}
++
+ int proc_dointvec_minmax(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+ {
+@@ -2885,6 +2925,7 @@ int proc_doulongvec_ms_jiffies_minmax(st
+ * exception granted :-)
+ */
+ EXPORT_SYMBOL(proc_dointvec);
++EXPORT_SYMBOL(proc_douintvec);
+ EXPORT_SYMBOL(proc_dointvec_jiffies);
+ EXPORT_SYMBOL(proc_dointvec_minmax);
+ EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
diff --git a/queue-4.7/watchdog-core-clear-wdog_hw_running-before-calling-the-stop-function.patch b/queue-4.7/watchdog-core-clear-wdog_hw_running-before-calling-the-stop-function.patch
new file mode 100644
index 00000000000..4067b210819
--- /dev/null
+++ b/queue-4.7/watchdog-core-clear-wdog_hw_running-before-calling-the-stop-function.patch
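Review bot: The write branch of `do_proc_douintvec_conv()` stores `*lvalp` (an `unsigned long`) into `*valp` with no upper bound, so on a 64-bit build a written value above UINT_MAX is silently truncated rather than rejected. The commit message cites overflow detection for the signed handler, and the unsigned one should give the same guarantee, e.g. `if (*negp || *lvalp > UINT_MAX) return -EINVAL;`. `valp` is also declared `int *` although the target is unsigned, so the store goes through a signed type; copying through an `unsigned int *` local in both branches would make the intent explicit.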
@@ -0,0 +1,49 @@
+From 3c10bbde10fe4dca52726e246cefa6b0a1dfbd3e Mon Sep 17 00:00:00 2001
+From: Guenter Roeck
+Date: Thu, 21 Jul 2016 14:21:56 -0700
+Subject: watchdog: core: Clear WDOG_HW_RUNNING before calling the stop function
+
+From: Guenter Roeck
+
+commit 3c10bbde10fe4dca52726e246cefa6b0a1dfbd3e upstream.
+
+WDOG_HW_RUNNING indicates that the hardware watchdog is running while the
+watchdog device is closed. The flag may be set by the driver when it is
+instantiated to indicate that the watchdog is running, and that the
+watchdog core needs to send heartbeat requests to the driver until the
+watchdog device is opened.
+
+When the watchdog device is closed, the flag can be used by the driver's
+stop function to indicate to the watchdog core that it was unable to stop
+the watchdog, and that the watchdog core needs to send heartbeat requests.
+This only works if the flag is actually cleared when the watchdog is
+stopped. To avoid having to clear the flag in each driver's stop function,
+clear it in the watchdog core before calling the stop function.
+
+Reported-by: Rasmus Villemoes
+Fixes: ee142889e32f ("watchdog: Introduce WDOG_HW_RUNNING flag")
+Signed-off-by: Guenter Roeck
+Signed-off-by: Wim Van Sebroeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/watchdog/watchdog_dev.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/watchdog/watchdog_dev.c
++++ b/drivers/watchdog/watchdog_dev.c
+@@ -258,10 +258,12 @@ static int watchdog_stop(struct watchdog
+ return -EBUSY;
+ }
+
+- if (wdd->ops->stop)
++ if (wdd->ops->stop) {
++ clear_bit(WDOG_HW_RUNNING, &wdd->status);
+ err = wdd->ops->stop(wdd);
+- else
++ } else {
+ set_bit(WDOG_HW_RUNNING, &wdd->status);
++ }
+
+ if (err == 0) {
+ clear_bit(WDOG_ACTIVE, &wdd->status);
diff --git a/queue-4.7/xprtrdma-remove-fmrs-from-the-unmap-list-after-unmapping.patch b/queue-4.7/xprtrdma-remove-fmrs-from-the-unmap-list-after-unmapping.patch
new file mode 100644
index 00000000000..c6fb70d104b
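Review bot: The added `clear_bit(WDOG_HW_RUNNING, &wdd->status);` before `wdd->ops->stop(wdd)` depends on an ordering contract that is explained only in the commit message. A comment at the call, for example `/* Clear first: a stop() that cannot halt the hardware sets WDOG_HW_RUNNING again. */`, would keep a later cleanup from moving the clear after the call and erasing the driver's signal that heartbeats must continue. watchdog_stop() begins and ends outside the hunk.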
--- /dev/null
+++ b/queue-4.7/xprtrdma-remove-fmrs-from-the-unmap-list-after-unmapping.patch
@@ -0,0 +1,69 @@
+From 38f1932e60ba249660bbae585f61ef2dee3313a4 Mon Sep 17 00:00:00 2001
+From: Chuck Lever
+Date: Wed, 29 Jun 2016 13:52:12 -0400
+Subject: xprtrdma: Remove FMRs from the unmap list after unmapping
+
+From: Chuck Lever
+
+commit 38f1932e60ba249660bbae585f61ef2dee3313a4 upstream.
+
+ib_unmap_fmr() takes a list of FMRs to unmap. However, it does not
+remove the FMRs from this list as it processes them. Other
+ib_unmap_fmr() call sites are careful to remove FMRs from the list
+after ib_unmap_fmr() returns.
+
+Since commit 7c7a5390dc6c8 ("xprtrdma: Add ro_unmap_sync method for FMR")
+fmr_op_unmap_sync passes more than one FMR to ib_unmap_fmr(), but
+it didn't bother to remove the FMRs from that list once the call was
+complete.
+
+I've noticed some instability that could be related to list
+tangling by the new fmr_op_unmap_sync() logic. In an abundance
+of caution, add some defensive logic to clean up properly after
+ib_unmap_fmr().
+
+Fixes: 7c7a5390dc6c8 ("xprtrdma: Add ro_unmap_sync method for FMR")
+Signed-off-by: Chuck Lever
+Tested-by: Steve Wise
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sunrpc/xprtrdma/fmr_ops.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/sunrpc/xprtrdma/fmr_ops.c
++++ b/net/sunrpc/xprtrdma/fmr_ops.c
+@@ -63,9 +63,12 @@ static int
+ __fmr_unmap(struct rpcrdma_mw *mw)
+ {
+ LIST_HEAD(l);
++ int rc;
+
+ list_add(&mw->fmr.fmr->list, &l);
+- return ib_unmap_fmr(&l);
++ rc = ib_unmap_fmr(&l);
++ list_del_init(&mw->fmr.fmr->list);
++ return rc;
+ }
+
+ /* Deferred reset of a single FMR. Generate a fresh rkey by
+@@ -267,7 +270,7 @@ fmr_op_unmap_sync(struct rpcrdma_xprt *r
+ seg = &req->rl_segments[i];
+ mw = seg->rl_mw;
+
+- list_add(&mw->fmr.fmr->list, &unmap_list);
++ list_add_tail(&mw->fmr.fmr->list, &unmap_list);
+
+ i += seg->mr_nsegs;
+ }
+@@ -280,7 +283,9 @@ fmr_op_unmap_sync(struct rpcrdma_xprt *r
+ */
+ for (i = 0, nchunks = req->rl_nchunks; nchunks; nchunks--) {
+ seg = &req->rl_segments[i];
++ mw = seg->rl_mw;
+
++ list_del_init(&mw->fmr.fmr->list);
+ __fmr_dma_unmap(r_xprt, seg);
+ rpcrdma_put_mw(r_xprt, seg->rl_mw);
+