From: Greg Kroah-Hartman Date: Wed, 19 Aug 2015 16:20:20 +0000 (-0700) Subject: 4.1-stable patches X-Git-Tag: v3.10.88~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8e72a6bd47dd21530de06d4169de41349716b7e2;p=thirdparty%2Fkernel%2Fstable-queue.git 4.1-stable patches added patches: dm-thin-metadata-delete-btrees-when-releasing-metadata-snapshot.patch drm-radeon-add-new-oland-pci-id.patch drm-vmwgfx-fix-execbuf-locking-issues.patch edac-ppc4xx-access-mci-csrows-array-elements-properly.patch hid-hid-input-fix-accessing-freed-memory-during-device-disconnect.patch hid-uclogic-fix-limit-in-uclogic_tablet_enable.patch iwlwifi-pcie-fix-prepare-card-flow.patch localmodconfig-use-kbuild-files-too.patch perf-fix-double-free-of-the-aux-buffer.patch perf-fix-fasync-handling-on-inherited-events.patch perf-fix-perf_event_ioc_period-migration-race.patch perf-fix-running-time-accounting.patch rtlwifi-fix-null-dereference-when-pci-driver-used-as-an-ap.patch rtlwifi-rtl8723be-add-module-parameter-for-msi-interrupts.patch x86-xen-build-xen-pv-apic-driver-for-domu-as-well.patch xen-xenbus-don-t-leak-memory-when-unmapping-the-ring-on-hvm-backend.patch --- diff --git a/queue-4.1/dm-thin-metadata-delete-btrees-when-releasing-metadata-snapshot.patch b/queue-4.1/dm-thin-metadata-delete-btrees-when-releasing-metadata-snapshot.patch new file mode 100644 index 00000000000..3f3678c8e9e --- /dev/null +++ b/queue-4.1/dm-thin-metadata-delete-btrees-when-releasing-metadata-snapshot.patch @@ -0,0 +1,33 @@ +From 7f518ad0a212e2a6fd68630e176af1de395070a7 Mon Sep 17 00:00:00 2001 +From: Joe Thornber +Date: Wed, 12 Aug 2015 15:10:21 +0100 +Subject: dm thin metadata: delete btrees when releasing metadata snapshot + +From: Joe Thornber + +commit 7f518ad0a212e2a6fd68630e176af1de395070a7 upstream. + +The device details and mapping trees were just being decremented +before. Now btree_del() is called to do a deep delete. + +Signed-off-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-thin-metadata.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-thin-metadata.c ++++ b/drivers/md/dm-thin-metadata.c +@@ -1295,8 +1295,8 @@ static int __release_metadata_snap(struc + return r; + + disk_super = dm_block_data(copy); +- dm_sm_dec_block(pmd->metadata_sm, le64_to_cpu(disk_super->data_mapping_root)); +- dm_sm_dec_block(pmd->metadata_sm, le64_to_cpu(disk_super->device_details_root)); ++ dm_btree_del(&pmd->info, le64_to_cpu(disk_super->data_mapping_root)); ++ dm_btree_del(&pmd->details_info, le64_to_cpu(disk_super->device_details_root)); + dm_sm_dec_block(pmd->metadata_sm, held_root); + + return dm_tm_unlock(pmd->tm, copy); diff --git a/queue-4.1/drm-radeon-add-new-oland-pci-id.patch b/queue-4.1/drm-radeon-add-new-oland-pci-id.patch new file mode 100644 index 00000000000..fc3b4431ad7 --- /dev/null +++ b/queue-4.1/drm-radeon-add-new-oland-pci-id.patch @@ -0,0 +1,26 @@ +From e037239e5e7b61007763984aa35a8329596d8c88 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 10 Aug 2015 15:28:49 -0400 +Subject: drm/radeon: add new OLAND pci id + +From: Alex Deucher + +commit e037239e5e7b61007763984aa35a8329596d8c88 upstream. + +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + include/drm/drm_pciids.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/drm/drm_pciids.h ++++ b/include/drm/drm_pciids.h +@@ -172,6 +172,7 @@ + {0x1002, 0x6610, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x6611, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x6613, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_NEW_MEMMAP}, \ ++ {0x1002, 0x6617, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x6620, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x6621, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x6623, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \ diff --git a/queue-4.1/drm-vmwgfx-fix-execbuf-locking-issues.patch b/queue-4.1/drm-vmwgfx-fix-execbuf-locking-issues.patch new file mode 100644 index 00000000000..c82323107fd --- /dev/null +++ b/queue-4.1/drm-vmwgfx-fix-execbuf-locking-issues.patch @@ -0,0 +1,60 @@ +From 3e04e2fe6d87807d27521ad6ebb9e7919d628f25 Mon Sep 17 00:00:00 2001 +From: Thomas Hellstrom +Date: Tue, 11 Aug 2015 22:31:17 -0700 +Subject: drm/vmwgfx: Fix execbuf locking issues + +From: Thomas Hellstrom + +commit 3e04e2fe6d87807d27521ad6ebb9e7919d628f25 upstream. + +This addresses two issues that cause problems with viewperf maya-03 in +situation with memory pressure. + +The first issue causes attempts to unreserve buffers if batched +reservation fails due to, for example, a signal pending. While previously +the ttm_eu api was resistant against this type of error, it is no longer +and the lockdep code will complain about attempting to unreserve buffers +that are not reserved. The issue is resolved by avoid calling +ttm_eu_backoff_reservation in the buffer reserve error path. + +The second issue is that the binding_mutex may be held when user-space +fence objects are created and hence during memory reclaims. This may cause +recursive attempts to grab the binding mutex. The issue is resolved by not +holding the binding mutex across fence creation and submission. + +Signed-off-by: Thomas Hellstrom +Reviewed-by: Sinclair Yeh +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -2492,7 +2492,7 @@ int vmw_execbuf_process(struct drm_file + ret = ttm_eu_reserve_buffers(&ticket, &sw_context->validate_nodes, + true, NULL); + if (unlikely(ret != 0)) +- goto out_err; ++ goto out_err_nores; + + ret = vmw_validate_buffers(dev_priv, sw_context); + if (unlikely(ret != 0)) +@@ -2536,6 +2536,7 @@ int vmw_execbuf_process(struct drm_file + vmw_resource_relocations_free(&sw_context->res_relocations); + + vmw_fifo_commit(dev_priv, command_size); ++ mutex_unlock(&dev_priv->binding_mutex); + + vmw_query_bo_switch_commit(dev_priv, sw_context); + ret = vmw_execbuf_fence_commands(file_priv, dev_priv, +@@ -2551,7 +2552,6 @@ int vmw_execbuf_process(struct drm_file + DRM_ERROR("Fence submission error. Syncing.\n"); + + vmw_resource_list_unreserve(&sw_context->resource_list, false); +- mutex_unlock(&dev_priv->binding_mutex); + + ttm_eu_fence_buffer_objects(&ticket, &sw_context->validate_nodes, + (void *) fence); diff --git a/queue-4.1/edac-ppc4xx-access-mci-csrows-array-elements-properly.patch b/queue-4.1/edac-ppc4xx-access-mci-csrows-array-elements-properly.patch new file mode 100644 index 00000000000..bc5b51c9b65 --- /dev/null +++ b/queue-4.1/edac-ppc4xx-access-mci-csrows-array-elements-properly.patch @@ -0,0 +1,39 @@ +From 5c16179b550b9fd8114637a56b153c9768ea06a5 Mon Sep 17 00:00:00 2001 +From: Michael Walle +Date: Tue, 21 Jul 2015 11:00:53 +0200 +Subject: EDAC, ppc4xx: Access mci->csrows array elements properly + +From: Michael Walle + +commit 5c16179b550b9fd8114637a56b153c9768ea06a5 upstream. + +The commit + + de3910eb79ac ("edac: change the mem allocation scheme to + make Documentation/kobject.txt happy") + +changed the memory allocation for the csrows member. But ppc4xx_edac was +forgotten in the patch. Fix it. + +Signed-off-by: Michael Walle +Cc: linux-edac +Cc: Mauro Carvalho Chehab +Link: http://lkml.kernel.org/r/1437469253-8611-1-git-send-email-michael@walle.cc +Signed-off-by: Borislav Petkov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/ppc4xx_edac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/edac/ppc4xx_edac.c ++++ b/drivers/edac/ppc4xx_edac.c +@@ -920,7 +920,7 @@ static int ppc4xx_edac_init_csrows(struc + */ + + for (row = 0; row < mci->nr_csrows; row++) { +- struct csrow_info *csi = &mci->csrows[row]; ++ struct csrow_info *csi = mci->csrows[row]; + + /* + * Get the configuration settings for this diff --git a/queue-4.1/hid-hid-input-fix-accessing-freed-memory-during-device-disconnect.patch b/queue-4.1/hid-hid-input-fix-accessing-freed-memory-during-device-disconnect.patch new file mode 100644 index 00000000000..a1548fe1a97 --- /dev/null +++ b/queue-4.1/hid-hid-input-fix-accessing-freed-memory-during-device-disconnect.patch @@ -0,0 +1,52 @@ +From 0621809e37936e7c2b3eac9165cf2aad7f9189eb Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 3 Aug 2015 14:57:30 +0900 +Subject: HID: hid-input: Fix accessing freed memory during device disconnect + +From: Krzysztof Kozlowski + +commit 0621809e37936e7c2b3eac9165cf2aad7f9189eb upstream. + +During unbinding the driver was dereferencing a pointer to memory +already freed by power_supply_unregister(). + +Driver was freeing its internal description of battery through pointers +stored in power_supply structure. However, because the core owns the +power supply instance, after calling power_supply_unregister() this +memory is freed and the driver cannot access these members. + +Fix this by storing the pointer to internal description of battery in a +local variable before calling power_supply_unregister(), so the pointer +remains valid. + +Signed-off-by: Krzysztof Kozlowski +Reported-by: H.J. Lu +Fixes: 297d716f6260 ("power_supply: Change ownership from driver to core") +Reviewed-by: Dmitry Torokhov +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-input.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -462,12 +462,15 @@ out: + + static void hidinput_cleanup_battery(struct hid_device *dev) + { ++ const struct power_supply_desc *psy_desc; ++ + if (!dev->battery) + return; + ++ psy_desc = dev->battery->desc; + power_supply_unregister(dev->battery); +- kfree(dev->battery->desc->name); +- kfree(dev->battery->desc); ++ kfree(psy_desc->name); ++ kfree(psy_desc); + dev->battery = NULL; + } + #else /* !CONFIG_HID_BATTERY_STRENGTH */ diff --git a/queue-4.1/hid-uclogic-fix-limit-in-uclogic_tablet_enable.patch b/queue-4.1/hid-uclogic-fix-limit-in-uclogic_tablet_enable.patch new file mode 100644 index 00000000000..54b4f47ccf7 --- /dev/null +++ b/queue-4.1/hid-uclogic-fix-limit-in-uclogic_tablet_enable.patch @@ -0,0 +1,33 @@ +From 4a8e70f5d0d80675fc17b9ba1e62db8ca6b91775 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 29 Jul 2015 13:16:06 +0300 +Subject: HID: uclogic: fix limit in uclogic_tablet_enable() + +From: Dan Carpenter + +commit 4a8e70f5d0d80675fc17b9ba1e62db8ca6b91775 upstream. + +The limit should be ARRAY_SIZE(params) (5 elements) here instead of +sizeof(params) (20 bytes). + +Fixes: 08177f40bd00 ('HID: uclogic: merge hid-huion driver in hid-uclogic') +Signed-off-by: Dan Carpenter +Reviewed-by: Nikolai Kondrashov +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-uclogic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/hid-uclogic.c ++++ b/drivers/hid/hid-uclogic.c +@@ -858,7 +858,7 @@ static int uclogic_tablet_enable(struct + for (p = drvdata->rdesc; + p <= drvdata->rdesc + drvdata->rsize - 4;) { + if (p[0] == 0xFE && p[1] == 0xED && p[2] == 0x1D && +- p[3] < sizeof(params)) { ++ p[3] < ARRAY_SIZE(params)) { + v = params[p[3]]; + put_unaligned(cpu_to_le32(v), (s32 *)p); + p += 4; diff --git a/queue-4.1/iwlwifi-pcie-fix-prepare-card-flow.patch b/queue-4.1/iwlwifi-pcie-fix-prepare-card-flow.patch new file mode 100644 index 00000000000..6aa67a1e954 --- /dev/null +++ b/queue-4.1/iwlwifi-pcie-fix-prepare-card-flow.patch @@ -0,0 +1,83 @@ +From c9fdec9f3970eeaa1b176422f46167f5f5158804 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Mon, 20 Jul 2015 12:14:39 +0300 +Subject: iwlwifi: pcie: fix prepare card flow + +From: Emmanuel Grumbach + +commit c9fdec9f3970eeaa1b176422f46167f5f5158804 upstream. + +When the card is not owned by the PCIe bus, we need to +acquire ownership first. This flow is implemented in +iwl_pcie_prepare_card_hw. Because of a hardware bug, we +need to disable link power management before we can +request ownership otherwise the other user of the device +won't get notified that we are requesting the device which +will prevent us from acquire ownership. + +Same holds for the down flow where we need to make sure +that any other potential user is notified that the driver +is going down. + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/pcie/trans.c | 22 +++++++++++++++++++--- + 1 file changed, 19 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/iwlwifi/pcie/trans.c +@@ -457,10 +457,16 @@ static void iwl_pcie_apm_stop(struct iwl + if (trans->cfg->device_family == IWL_DEVICE_FAMILY_7000) + iwl_set_bits_prph(trans, APMG_PCIDEV_STT_REG, + APMG_PCIDEV_STT_VAL_WAKE_ME); +- else if (trans->cfg->device_family == IWL_DEVICE_FAMILY_8000) ++ else if (trans->cfg->device_family == IWL_DEVICE_FAMILY_8000) { ++ iwl_set_bit(trans, CSR_DBG_LINK_PWR_MGMT_REG, ++ CSR_RESET_LINK_PWR_MGMT_DISABLED); + iwl_set_bit(trans, CSR_HW_IF_CONFIG_REG, + CSR_HW_IF_CONFIG_REG_PREPARE | + CSR_HW_IF_CONFIG_REG_ENABLE_PME); ++ mdelay(1); ++ iwl_clear_bit(trans, CSR_DBG_LINK_PWR_MGMT_REG, ++ CSR_RESET_LINK_PWR_MGMT_DISABLED); ++ } + mdelay(5); + } + +@@ -555,6 +561,10 @@ static int iwl_pcie_prepare_card_hw(stru + if (ret >= 0) + return 0; + ++ iwl_set_bit(trans, CSR_DBG_LINK_PWR_MGMT_REG, ++ CSR_RESET_LINK_PWR_MGMT_DISABLED); ++ msleep(1); ++ + for (iter = 0; iter < 10; iter++) { + /* If HW is not ready, prepare the conditions to check again */ + iwl_set_bit(trans, CSR_HW_IF_CONFIG_REG, +@@ -562,8 +572,10 @@ static int iwl_pcie_prepare_card_hw(stru + + do { + ret = iwl_pcie_set_hw_ready(trans); +- if (ret >= 0) +- return 0; ++ if (ret >= 0) { ++ ret = 0; ++ goto out; ++ } + + usleep_range(200, 1000); + t += 200; +@@ -573,6 +585,10 @@ static int iwl_pcie_prepare_card_hw(stru + + IWL_ERR(trans, "Couldn't prepare the card\n"); + ++out: ++ iwl_clear_bit(trans, CSR_DBG_LINK_PWR_MGMT_REG, ++ CSR_RESET_LINK_PWR_MGMT_DISABLED); ++ + return ret; + } + diff --git a/queue-4.1/localmodconfig-use-kbuild-files-too.patch b/queue-4.1/localmodconfig-use-kbuild-files-too.patch new file mode 100644 index 00000000000..8fd1677bba8 --- /dev/null +++ b/queue-4.1/localmodconfig-use-kbuild-files-too.patch @@ -0,0 +1,36 @@ +From c0ddc8c745b7f89c50385fd7aa03c78dc543fa7a Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Mon, 27 Jul 2015 00:06:55 +0200 +Subject: localmodconfig: Use Kbuild files too + +From: Richard Weinberger + +commit c0ddc8c745b7f89c50385fd7aa03c78dc543fa7a upstream. + +In kbuild it is allowed to define objects in files named "Makefile" +and "Kbuild". +Currently localmodconfig reads objects only from "Makefile"s and misses +modules like nouveau. + +Link: http://lkml.kernel.org/r/1437948415-16290-1-git-send-email-richard@nod.at + +Reported-and-tested-by: Leonidas Spyropoulos +Signed-off-by: Richard Weinberger +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/kconfig/streamline_config.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/scripts/kconfig/streamline_config.pl ++++ b/scripts/kconfig/streamline_config.pl +@@ -137,7 +137,7 @@ my $ksource = ($ARGV[0] ? $ARGV[0] : '.' + my $kconfig = $ARGV[1]; + my $lsmod_file = $ENV{'LSMOD'}; + +-my @makefiles = `find $ksource -name Makefile 2>/dev/null`; ++my @makefiles = `find $ksource -name Makefile -or -name Kbuild 2>/dev/null`; + chomp @makefiles; + + my %depends; diff --git a/queue-4.1/perf-fix-double-free-of-the-aux-buffer.patch b/queue-4.1/perf-fix-double-free-of-the-aux-buffer.patch new file mode 100644 index 00000000000..ec4417045d2 --- /dev/null +++ b/queue-4.1/perf-fix-double-free-of-the-aux-buffer.patch @@ -0,0 +1,49 @@ +From ee9397a6fb9bc4e52677f5e33eed4abee0f515e6 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Mon, 27 Jul 2015 00:31:08 +0100 +Subject: perf: Fix double-free of the AUX buffer + +From: Ben Hutchings + +commit ee9397a6fb9bc4e52677f5e33eed4abee0f515e6 upstream. + +If rb->aux_refcount is decremented to zero before rb->refcount, +__rb_free_aux() may be called twice resulting in a double free of +rb->aux_pages. Fix this by adding a check to __rb_free_aux(). + +Signed-off-by: Ben Hutchings +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 57ffc5ca679f ("perf: Fix AUX buffer refcounting") +Link: http://lkml.kernel.org/r/1437953468.12842.17.camel@decadent.org.uk +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/ring_buffer.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/kernel/events/ring_buffer.c ++++ b/kernel/events/ring_buffer.c +@@ -547,11 +547,13 @@ static void __rb_free_aux(struct ring_bu + rb->aux_priv = NULL; + } + +- for (pg = 0; pg < rb->aux_nr_pages; pg++) +- rb_free_aux_page(rb, pg); ++ if (rb->aux_nr_pages) { ++ for (pg = 0; pg < rb->aux_nr_pages; pg++) ++ rb_free_aux_page(rb, pg); + +- kfree(rb->aux_pages); +- rb->aux_nr_pages = 0; ++ kfree(rb->aux_pages); ++ rb->aux_nr_pages = 0; ++ } + } + + void rb_free_aux(struct ring_buffer *rb) diff --git a/queue-4.1/perf-fix-fasync-handling-on-inherited-events.patch b/queue-4.1/perf-fix-fasync-handling-on-inherited-events.patch new file mode 100644 index 00000000000..c9c5315b539 --- /dev/null +++ b/queue-4.1/perf-fix-fasync-handling-on-inherited-events.patch @@ -0,0 +1,69 @@ +From fed66e2cdd4f127a43fd11b8d92a99bdd429528c Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Thu, 11 Jun 2015 10:32:01 +0200 +Subject: perf: Fix fasync handling on inherited events + +From: Peter Zijlstra + +commit fed66e2cdd4f127a43fd11b8d92a99bdd429528c upstream. + +Vince reported that the fasync signal stuff doesn't work proper for +inherited events. So fix that. + +Installing fasync allocates memory and sets filp->f_flags |= FASYNC, +which upon the demise of the file descriptor ensures the allocation is +freed and state is updated. + +Now for perf, we can have the events stick around for a while after the +original FD is dead because of references from child events. So we +cannot copy the fasync pointer around. We can however consistently use +the parent's fasync, as that will be updated. + +Reported-and-Tested-by: Vince Weaver +Signed-off-by: Peter Zijlstra (Intel) +Cc: Arnaldo Carvalho deMelo +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: eranian@google.com +Link: http://lkml.kernel.org/r/1434011521.1495.71.camel@twins +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/core.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -4766,12 +4766,20 @@ static const struct file_operations perf + * to user-space before waking everybody up. + */ + ++static inline struct fasync_struct **perf_event_fasync(struct perf_event *event) ++{ ++ /* only the parent has fasync state */ ++ if (event->parent) ++ event = event->parent; ++ return &event->fasync; ++} ++ + void perf_event_wakeup(struct perf_event *event) + { + ring_buffer_wakeup(event); + + if (event->pending_kill) { +- kill_fasync(&event->fasync, SIGIO, event->pending_kill); ++ kill_fasync(perf_event_fasync(event), SIGIO, event->pending_kill); + event->pending_kill = 0; + } + } +@@ -6117,7 +6125,7 @@ static int __perf_event_overflow(struct + else + perf_event_output(event, data, regs); + +- if (event->fasync && event->pending_kill) { ++ if (*perf_event_fasync(event) && event->pending_kill) { + event->pending_wakeup = 1; + irq_work_queue(&event->pending); + } diff --git a/queue-4.1/perf-fix-perf_event_ioc_period-migration-race.patch b/queue-4.1/perf-fix-perf_event_ioc_period-migration-race.patch new file mode 100644 index 00000000000..15f3ac35339 --- /dev/null +++ b/queue-4.1/perf-fix-perf_event_ioc_period-migration-race.patch @@ -0,0 +1,125 @@ +From c7999c6f3fed9e383d3131474588f282ae6d56b9 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Tue, 4 Aug 2015 19:22:49 +0200 +Subject: perf: Fix PERF_EVENT_IOC_PERIOD migration race + +From: Peter Zijlstra + +commit c7999c6f3fed9e383d3131474588f282ae6d56b9 upstream. + +I ran the perf fuzzer, which triggered some WARN()s which are due to +trying to stop/restart an event on the wrong CPU. + +Use the normal IPI pattern to ensure we run the code on the correct CPU. + +Signed-off-by: Peter Zijlstra (Intel) +Cc: Vince Weaver +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: bad7192b842c ("perf: Fix PERF_EVENT_IOC_PERIOD to force-reset the period") +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/core.c | 75 +++++++++++++++++++++++++++++++++++++-------------- + 1 file changed, 55 insertions(+), 20 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -3976,28 +3976,21 @@ static void perf_event_for_each(struct p + perf_event_for_each_child(sibling, func); + } + +-static int perf_event_period(struct perf_event *event, u64 __user *arg) +-{ +- struct perf_event_context *ctx = event->ctx; +- int ret = 0, active; ++struct period_event { ++ struct perf_event *event; + u64 value; ++}; + +- if (!is_sampling_event(event)) +- return -EINVAL; +- +- if (copy_from_user(&value, arg, sizeof(value))) +- return -EFAULT; +- +- if (!value) +- return -EINVAL; ++static int __perf_event_period(void *info) ++{ ++ struct period_event *pe = info; ++ struct perf_event *event = pe->event; ++ struct perf_event_context *ctx = event->ctx; ++ u64 value = pe->value; ++ bool active; + +- raw_spin_lock_irq(&ctx->lock); ++ raw_spin_lock(&ctx->lock); + if (event->attr.freq) { +- if (value > sysctl_perf_event_sample_rate) { +- ret = -EINVAL; +- goto unlock; +- } +- + event->attr.sample_freq = value; + } else { + event->attr.sample_period = value; +@@ -4016,11 +4009,53 @@ static int perf_event_period(struct perf + event->pmu->start(event, PERF_EF_RELOAD); + perf_pmu_enable(ctx->pmu); + } ++ raw_spin_unlock(&ctx->lock); ++ ++ return 0; ++} ++ ++static int perf_event_period(struct perf_event *event, u64 __user *arg) ++{ ++ struct period_event pe = { .event = event, }; ++ struct perf_event_context *ctx = event->ctx; ++ struct task_struct *task; ++ u64 value; ++ ++ if (!is_sampling_event(event)) ++ return -EINVAL; ++ ++ if (copy_from_user(&value, arg, sizeof(value))) ++ return -EFAULT; ++ ++ if (!value) ++ return -EINVAL; ++ ++ if (event->attr.freq && value > sysctl_perf_event_sample_rate) ++ return -EINVAL; ++ ++ task = ctx->task; ++ pe.value = value; ++ ++ if (!task) { ++ cpu_function_call(event->cpu, __perf_event_period, &pe); ++ return 0; ++ } ++ ++retry: ++ if (!task_function_call(task, __perf_event_period, &pe)) ++ return 0; ++ ++ raw_spin_lock_irq(&ctx->lock); ++ if (ctx->is_active) { ++ raw_spin_unlock_irq(&ctx->lock); ++ task = ctx->task; ++ goto retry; ++ } + +-unlock: ++ __perf_event_period(&pe); + raw_spin_unlock_irq(&ctx->lock); + +- return ret; ++ return 0; + } + + static const struct file_operations perf_fops; diff --git a/queue-4.1/perf-fix-running-time-accounting.patch b/queue-4.1/perf-fix-running-time-accounting.patch new file mode 100644 index 00000000000..7fae9b526cc --- /dev/null +++ b/queue-4.1/perf-fix-running-time-accounting.patch @@ -0,0 +1,49 @@ +From 00a2916f7f82c348a2a94dbb572874173bc308a3 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Mon, 27 Jul 2015 10:35:07 +0200 +Subject: perf: Fix running time accounting + +From: Peter Zijlstra + +commit 00a2916f7f82c348a2a94dbb572874173bc308a3 upstream. + +A recent fix to the shadow timestamp inadvertly broke the running time +accounting. + +We must not update the running timestamp if we fail to schedule the +event, the event will not have ran. This can (and did) result in +negative total runtime because the stopped timestamp was before the +running timestamp (we 'started' but never stopped the event -- because +it never really started we didn't have to stop it either). + +Reported-and-Tested-by: Vince Weaver +Fixes: 72f669c0086f ("perf: Update shadow timestamp before add event") +Signed-off-by: Peter Zijlstra (Intel) +Cc: Shaohua Li +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -1886,8 +1886,6 @@ event_sched_in(struct perf_event *event, + + perf_pmu_disable(event->pmu); + +- event->tstamp_running += tstamp - event->tstamp_stopped; +- + perf_set_shadow_time(event, ctx, tstamp); + + perf_log_itrace_start(event); +@@ -1899,6 +1897,8 @@ event_sched_in(struct perf_event *event, + goto out; + } + ++ event->tstamp_running += tstamp - event->tstamp_stopped; ++ + if (!is_software_event(event)) + cpuctx->active_oncpu++; + if (!ctx->nr_active++) diff --git a/queue-4.1/rtlwifi-fix-null-dereference-when-pci-driver-used-as-an-ap.patch b/queue-4.1/rtlwifi-fix-null-dereference-when-pci-driver-used-as-an-ap.patch new file mode 100644 index 00000000000..e15d8bb4404 --- /dev/null +++ b/queue-4.1/rtlwifi-fix-null-dereference-when-pci-driver-used-as-an-ap.patch @@ -0,0 +1,59 @@ +From 7c62940165e9ae4004ce4e6b5117330bab94df68 Mon Sep 17 00:00:00 2001 +From: Luis Felipe Dominguez Vega +Date: Wed, 29 Jul 2015 21:11:20 -0500 +Subject: rtlwifi: Fix NULL dereference when PCI driver used as an AP + +From: Luis Felipe Dominguez Vega + +commit 7c62940165e9ae4004ce4e6b5117330bab94df68 upstream. + +In commit 33511b157bbcebaef853cc1811992b664a2e5862 ("rtlwifi: add support to +send beacon frame"), the mechanism for sending beacons was established. That +patch works correctly for rtl8192cu, but there is a possibility of getting +the following warnings in the PCI drivers: + +WARNING: CPU: 1 PID: 2439 at net/mac80211/driver-ops.h:12 +ieee80211_bss_info_change_notify+0x179/0x1d0 [mac80211]() +wlp5s0: Failed check-sdata-in-driver check, flags: 0x0 + +The warning is followed by a NULL pointer dereference as follows: + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000006 +IP: [] rtl_get_tcb_desc+0x5e/0x760 [rtlwifi] + +This problem was reported at http://thread.gmane.org/gmane.linux.kernel.wireless.general/138645, +but no solution was found at that time. + +The problem was also reported at https://bugzilla.kernel.org/show_bug.cgi?id=9744 +and this solution was developed and tested there. + +The USB driver works with a NULL final argument in the adapter_tx() callback; +however, the PCI drivers need a struct rtl_tcb_desc in that position. + +Fixes: 33511b157bbc ("rtlwifi: add support to send beacon frame.") +Signed-off-by: Luis Felipe Dominguez Vega +Signed-off-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/core.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/rtlwifi/core.c ++++ b/drivers/net/wireless/rtlwifi/core.c +@@ -1015,9 +1015,12 @@ static void send_beacon_frame(struct iee + { + struct rtl_priv *rtlpriv = rtl_priv(hw); + struct sk_buff *skb = ieee80211_beacon_get(hw, vif); ++ struct rtl_tcb_desc tcb_desc; + +- if (skb) +- rtlpriv->intf_ops->adapter_tx(hw, NULL, skb, NULL); ++ if (skb) { ++ memset(&tcb_desc, 0, sizeof(struct rtl_tcb_desc)); ++ rtlpriv->intf_ops->adapter_tx(hw, NULL, skb, &tcb_desc); ++ } + } + + static void rtl_op_bss_info_changed(struct ieee80211_hw *hw, diff --git a/queue-4.1/rtlwifi-rtl8723be-add-module-parameter-for-msi-interrupts.patch b/queue-4.1/rtlwifi-rtl8723be-add-module-parameter-for-msi-interrupts.patch new file mode 100644 index 00000000000..2ab05f5e966 --- /dev/null +++ b/queue-4.1/rtlwifi-rtl8723be-add-module-parameter-for-msi-interrupts.patch @@ -0,0 +1,30 @@ +From 741e3b9902d11585e18bfc7f8d47e913616bb070 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Sun, 2 Aug 2015 13:24:13 -0500 +Subject: rtlwifi: rtl8723be: Add module parameter for MSI interrupts + +From: Larry Finger + +commit 741e3b9902d11585e18bfc7f8d47e913616bb070 upstream. + +The driver code allows for the disabling of MSI interrupts; however the +module_parm line was missed and the option fails to show with modinfo. + +Signed-off-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/rtl8723be/sw.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/rtlwifi/rtl8723be/sw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8723be/sw.c +@@ -385,6 +385,7 @@ module_param_named(debug, rtl8723be_mod_ + module_param_named(ips, rtl8723be_mod_params.inactiveps, bool, 0444); + module_param_named(swlps, rtl8723be_mod_params.swctrl_lps, bool, 0444); + module_param_named(fwlps, rtl8723be_mod_params.fwctrl_lps, bool, 0444); ++module_param_named(msi, rtl8723be_mod_params.msi_support, bool, 0444); + module_param_named(disable_watchdog, rtl8723be_mod_params.disable_watchdog, + bool, 0444); + MODULE_PARM_DESC(swenc, "Set to 1 for software crypto (default 0)\n"); diff --git a/queue-4.1/series b/queue-4.1/series index 5158be29a03..61ae218739f 100644 --- a/queue-4.1/series +++ b/queue-4.1/series @@ -6,3 +6,19 @@ clk-pxa-pxa3xx-fix-cken-register-access.patch xen-blkfront-don-t-add-indirect-pages-to-list-when.patch xen-blkback-replace-work_pending-with-work_busy-in-purge_persistent_gnt.patch rsi-fix-failure-to-load-firmware-after-memory-leak-fix-and-fix-the-leak.patch +perf-fix-fasync-handling-on-inherited-events.patch +perf-fix-running-time-accounting.patch +perf-fix-double-free-of-the-aux-buffer.patch +perf-fix-perf_event_ioc_period-migration-race.patch +iwlwifi-pcie-fix-prepare-card-flow.patch +rtlwifi-rtl8723be-add-module-parameter-for-msi-interrupts.patch +rtlwifi-fix-null-dereference-when-pci-driver-used-as-an-ap.patch +x86-xen-build-xen-pv-apic-driver-for-domu-as-well.patch +xen-xenbus-don-t-leak-memory-when-unmapping-the-ring-on-hvm-backend.patch +dm-thin-metadata-delete-btrees-when-releasing-metadata-snapshot.patch +localmodconfig-use-kbuild-files-too.patch +edac-ppc4xx-access-mci-csrows-array-elements-properly.patch +hid-hid-input-fix-accessing-freed-memory-during-device-disconnect.patch +hid-uclogic-fix-limit-in-uclogic_tablet_enable.patch +drm-radeon-add-new-oland-pci-id.patch +drm-vmwgfx-fix-execbuf-locking-issues.patch diff --git a/queue-4.1/x86-xen-build-xen-pv-apic-driver-for-domu-as-well.patch b/queue-4.1/x86-xen-build-xen-pv-apic-driver-for-domu-as-well.patch new file mode 100644 index 00000000000..d2672797c38 --- /dev/null +++ b/queue-4.1/x86-xen-build-xen-pv-apic-driver-for-domu-as-well.patch @@ -0,0 +1,87 @@ +From fc5fee86bdd3d720e2d1d324e4fae0c35845fa63 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Mon, 10 Aug 2015 15:40:27 +0200 +Subject: x86/xen: build "Xen PV" APIC driver for domU as well + +From: "Jason A. Donenfeld" + +commit fc5fee86bdd3d720e2d1d324e4fae0c35845fa63 upstream. + +It turns out that a PV domU also requires the "Xen PV" APIC +driver. Otherwise, the flat driver is used and we get stuck in busy +loops that never exit, such as in this stack trace: + +(gdb) target remote localhost:9999 +Remote debugging using localhost:9999 +__xapic_wait_icr_idle () at ./arch/x86/include/asm/ipi.h:56 +56 while (native_apic_mem_read(APIC_ICR) & APIC_ICR_BUSY) +(gdb) bt + #0 __xapic_wait_icr_idle () at ./arch/x86/include/asm/ipi.h:56 + #1 __default_send_IPI_shortcut (shortcut=, +dest=, vector=) at +./arch/x86/include/asm/ipi.h:75 + #2 apic_send_IPI_self (vector=246) at arch/x86/kernel/apic/probe_64.c:54 + #3 0xffffffff81011336 in arch_irq_work_raise () at +arch/x86/kernel/irq_work.c:47 + #4 0xffffffff8114990c in irq_work_queue (work=0xffff88000fc0e400) at +kernel/irq_work.c:100 + #5 0xffffffff8110c29d in wake_up_klogd () at kernel/printk/printk.c:2633 + #6 0xffffffff8110ca60 in vprintk_emit (facility=0, level=, dict=0x0 , dictlen=, +fmt=, args=) + at kernel/printk/printk.c:1778 + #7 0xffffffff816010c8 in printk (fmt=) at +kernel/printk/printk.c:1868 + #8 0xffffffffc00013ea in ?? () + #9 0x0000000000000000 in ?? () + +Mailing-list-thread: https://lkml.org/lkml/2015/8/4/755 +Signed-off-by: Jason A. Donenfeld +Signed-off-by: David Vrabel +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/xen/Makefile | 4 ++-- + arch/x86/xen/xen-ops.h | 6 ++---- + 2 files changed, 4 insertions(+), 6 deletions(-) + +--- a/arch/x86/xen/Makefile ++++ b/arch/x86/xen/Makefile +@@ -13,13 +13,13 @@ CFLAGS_mmu.o := $(nostackp) + obj-y := enlighten.o setup.o multicalls.o mmu.o irq.o \ + time.o xen-asm.o xen-asm_$(BITS).o \ + grant-table.o suspend.o platform-pci-unplug.o \ +- p2m.o ++ p2m.o apic.o + + obj-$(CONFIG_EVENT_TRACING) += trace.o + + obj-$(CONFIG_SMP) += smp.o + obj-$(CONFIG_PARAVIRT_SPINLOCKS)+= spinlock.o + obj-$(CONFIG_XEN_DEBUG_FS) += debugfs.o +-obj-$(CONFIG_XEN_DOM0) += apic.o vga.o ++obj-$(CONFIG_XEN_DOM0) += vga.o + obj-$(CONFIG_SWIOTLB_XEN) += pci-swiotlb-xen.o + obj-$(CONFIG_XEN_EFI) += efi.o +--- a/arch/x86/xen/xen-ops.h ++++ b/arch/x86/xen/xen-ops.h +@@ -101,17 +101,15 @@ struct dom0_vga_console_info; + + #ifdef CONFIG_XEN_DOM0 + void __init xen_init_vga(const struct dom0_vga_console_info *, size_t size); +-void __init xen_init_apic(void); + #else + static inline void __init xen_init_vga(const struct dom0_vga_console_info *info, + size_t size) + { + } +-static inline void __init xen_init_apic(void) +-{ +-} + #endif + ++void __init xen_init_apic(void); ++ + #ifdef CONFIG_XEN_EFI + extern void xen_efi_init(void); + #else diff --git a/queue-4.1/xen-xenbus-don-t-leak-memory-when-unmapping-the-ring-on-hvm-backend.patch b/queue-4.1/xen-xenbus-don-t-leak-memory-when-unmapping-the-ring-on-hvm-backend.patch new file mode 100644 index 00000000000..68e0e3e14e2 --- /dev/null +++ b/queue-4.1/xen-xenbus-don-t-leak-memory-when-unmapping-the-ring-on-hvm-backend.patch @@ -0,0 +1,40 @@ +From c22fe519e7e2b94ad173e0ea3b89c1a7d8be8d00 Mon Sep 17 00:00:00 2001 +From: Julien Grall +Date: Mon, 10 Aug 2015 19:10:38 +0100 +Subject: xen/xenbus: Don't leak memory when unmapping the ring on HVM backend + +From: Julien Grall + +commit c22fe519e7e2b94ad173e0ea3b89c1a7d8be8d00 upstream. + +The commit ccc9d90a9a8b5c4ad7e9708ec41f75ff9e98d61d "xenbus_client: +Extend interface to support multi-page ring" removes the call to +free_xenballooned_pages() in xenbus_unmap_ring_vfree_hvm(), leaking a +page for every shared ring. + +Only with backends running in HVM domains were affected. + +Signed-off-by: Julien Grall +Reviewed-by: Boris Ostrovsky +Reviewed-by: Wei Liu +Signed-off-by: David Vrabel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xenbus/xenbus_client.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/xen/xenbus/xenbus_client.c ++++ b/drivers/xen/xenbus/xenbus_client.c +@@ -814,8 +814,10 @@ static int xenbus_unmap_ring_vfree_hvm(s + + rv = xenbus_unmap_ring(dev, node->handles, node->nr_handles, + addrs); +- if (!rv) ++ if (!rv) { + vunmap(vaddr); ++ free_xenballooned_pages(node->nr_handles, node->hvm.pages); ++ } + else + WARN(1, "Leaking %p, size %u page(s)\n", vaddr, + node->nr_handles);