From: Greg Kroah-Hartman Date: Mon, 23 Jan 2017 14:35:18 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.45~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8eac3db0cb1ff002845a83c04390511c9b2a12ca;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: arc-module-fix-config_arc_dw2_unwind-builds.patch arm-8634-1-hw_breakpoint-blacklist-scorpion-cpus.patch arm-dts-da850-evm-fix-read-access-to-spi-flash.patch arm-dts-omap5-dra7-indicate-that-sata-port-0-is-available.patch arm64-avoid-returning-from-bad_mode.patch arm64-ptrace-avoid-uninitialised-struct-padding-in-fpr_set.patch arm64-ptrace-preserve-previous-registers-for-short-regset-write-2.patch arm64-ptrace-preserve-previous-registers-for-short-regset-write-3.patch arm64-ptrace-preserve-previous-registers-for-short-regset-write.patch arm64-ptrace-reject-attempts-to-set-incomplete-hardware-breakpoint-fields.patch ceph-fix-bad-endianness-handling-in-parse_reply_info_extra.patch clocksource-exynos_mct-clear-interrupt-when-cpu-is-shut-down.patch fuse-clear-fr_pending-flag-when-moving-requests-out-of-pending-queue.patch fuse-fix-time_to_jiffies-nsec-sanity-check.patch hid-corsair-fix-control-transfer-error-handling.patch hid-corsair-fix-dma-buffers-on-stack.patch ibmvscsis-fix-max-transfer-length.patch ibmvscsis-fix-sleeping-in-interrupt-context.patch ieee802154-atusb-do-not-use-the-stack-for-buffers-to-make-them-dma-able.patch kvm-arm-arm64-vgic-fix-deadlock-on-error-handling.patch kvm-s390-do-not-expose-random-data-via-facility-bitmap.patch libnvdimm-namespace-fix-pmem-namespace-leak-delete-when-size-set-to-zero.patch mac80211-implement-multicast-forwarding-on-fast-rx-path.patch mmc-mxs-mmc-fix-additional-cycles-after-transmission-stop.patch mmc-sdhci-acpi-only-powered-up-enabled-acpi-child-devices.patch mtd-nand-lpc32xx-fix-invalid-error-handling-of-a-requested-irq.patch mtd-nand-xway-disable-module-support.patch mtd-nand-xway-fix-build-because-of-module-functions.patch 
pci-designware-check-for-iatu-unroll-only-on-platforms-that-use-atu.patch pci-enumerate-switches-below-pci-to-pcie-bridges.patch powerpc-icp-opal-fix-missing-kvm-case-and-harden-replay.patch powerpc-ignore-reserved-field-in-dcsr-and-pvr-reads-and-writes.patch powerpc-perf-fix-pm_bru_cmpl-event-code-for-power9.patch powerpc-ptrace-preserve-previous-fprs-vsrs-on-short-regset-write.patch powerpc-ptrace-preserve-previous-tm-fprs-vsrs-on-short-regset-write.patch qla2xxx-fix-crash-due-to-null-pointer-access.patch svcrdma-avoid-duplicate-dma-unmapping-during-error-recovery.patch svcrpc-don-t-leak-contexts-on-proc_destroy.patch ubifs-fix-journal-replay-wrt.-xattr-nodes.patch x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch --- diff --git a/queue-4.9/arc-module-fix-config_arc_dw2_unwind-builds.patch b/queue-4.9/arc-module-fix-config_arc_dw2_unwind-builds.patch new file mode 100644 index 00000000000..325fb1babc1 --- /dev/null +++ b/queue-4.9/arc-module-fix-config_arc_dw2_unwind-builds.patch 
@@ -0,0 +1,81 @@ +From eb1357d942e5d96de6b4c20a8ffa55acf96233a2 Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Mon, 16 Jan 2017 10:48:09 -0800 +Subject: ARC: module: Fix !CONFIG_ARC_DW2_UNWIND builds + +From: Vineet Gupta + +commit eb1357d942e5d96de6b4c20a8ffa55acf96233a2 upstream. + +commit d65283f7b695b5 added mod->arch.secstr under +CONFIG_ARC_DW2_UNWIND, but used it unconditionally which broke builds +when the option was disabled. Fix that by adjusting the #ifdef guard. + +And while at it add a missing guard (for unwinder) in module.c as well + +Reported-by: Waldemar Brodkorb +Fixes: d65283f7b695b5 ("ARC: module: elide loop to save reference to .eh_frame") +Tested-by: Anton Kolesov +Reviewed-by: Alexey Brodkin +[abrodkin: provided fixlet to Kconfig per failure in allnoconfig build] +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/Kconfig | 2 +- + arch/arc/include/asm/module.h | 4 ++-- + arch/arc/kernel/module.c | 4 +++- + 3 files changed, 6 insertions(+), 4 deletions(-) + +--- a/arch/arc/Kconfig ++++ b/arch/arc/Kconfig +@@ -28,7 +28,7 @@ config ARC + select HAVE_KPROBES + select HAVE_KRETPROBES + select HAVE_MEMBLOCK +- select HAVE_MOD_ARCH_SPECIFIC if ARC_DW2_UNWIND ++ select HAVE_MOD_ARCH_SPECIFIC + select HAVE_OPROFILE + select HAVE_PERF_EVENTS + select HANDLE_DOMAIN_IRQ +--- a/arch/arc/include/asm/module.h ++++ b/arch/arc/include/asm/module.h +@@ -14,13 +14,13 @@ + + #include + +-#ifdef CONFIG_ARC_DW2_UNWIND + struct mod_arch_specific { ++#ifdef CONFIG_ARC_DW2_UNWIND + void *unw_info; + int unw_sec_idx; ++#endif + const char *secstr; + }; +-#endif + + #define MODULE_PROC_FAMILY "ARC700" + +--- a/arch/arc/kernel/module.c ++++ b/arch/arc/kernel/module.c +@@ -32,8 +32,8 @@ int module_frob_arch_sections(Elf_Ehdr * + #ifdef CONFIG_ARC_DW2_UNWIND + mod->arch.unw_sec_idx = 0; + mod->arch.unw_info = NULL; +- mod->arch.secstr = secstr; + #endif ++ mod->arch.secstr = secstr; + return 0; + } + +@@ -113,8 +113,10 @@ int 
apply_relocate_add(Elf32_Shdr *sechd + + } + ++#ifdef CONFIG_ARC_DW2_UNWIND + if (strcmp(module->arch.secstr+sechdrs[tgtsec].sh_name, ".eh_frame") == 0) + module->arch.unw_sec_idx = tgtsec; ++#endif + + return 0; + diff --git a/queue-4.9/arm-8634-1-hw_breakpoint-blacklist-scorpion-cpus.patch b/queue-4.9/arm-8634-1-hw_breakpoint-blacklist-scorpion-cpus.patch new file mode 100644 index 00000000000..ea5bb533410 --- /dev/null +++ b/queue-4.9/arm-8634-1-hw_breakpoint-blacklist-scorpion-cpus.patch 
@@ -0,0 +1,74 @@ +From ddc37832a1349f474c4532de381498020ed71d31 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Fri, 6 Jan 2017 13:12:47 +0100 +Subject: ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs + +From: Mark Rutland + +commit ddc37832a1349f474c4532de381498020ed71d31 upstream. + +On APQ8060, the kernel crashes in arch_hw_breakpoint_init, taking an +undefined instruction trap within write_wb_reg. This is because Scorpion +CPUs erroneously appear to set DBGPRSR.SPD when WFI is issued, even if +the core is not powered down. When DBGPRSR.SPD is set, breakpoint and +watchpoint registers are treated as undefined. + +It's possible to trigger similar crashes later on from userspace, by +requesting the kernel to install a breakpoint or watchpoint, as we can +go idle at any point between the reset of the debug registers and their +later use. This has always been the case. + +Given that this has always been broken, no-one has complained until now, +and there is no clear workaround, disable hardware breakpoints and +watchpoints on Scorpion to avoid these issues. 
+ +Signed-off-by: Mark Rutland +Reported-by: Linus Walleij +Reviewed-by: Stephen Boyd +Acked-by: Will Deacon +Cc: Russell King +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/include/asm/cputype.h | 3 +++ + arch/arm/kernel/hw_breakpoint.c | 16 ++++++++++++++++ + 2 files changed, 19 insertions(+) + +--- a/arch/arm/include/asm/cputype.h ++++ b/arch/arm/include/asm/cputype.h +@@ -94,6 +94,9 @@ + #define ARM_CPU_XSCALE_ARCH_V2 0x4000 + #define ARM_CPU_XSCALE_ARCH_V3 0x6000 + ++/* Qualcomm implemented cores */ ++#define ARM_CPU_PART_SCORPION 0x510002d0 ++ + extern unsigned int processor_id; + + #ifdef CONFIG_CPU_CP15 +--- a/arch/arm/kernel/hw_breakpoint.c ++++ b/arch/arm/kernel/hw_breakpoint.c +@@ -1066,6 +1066,22 @@ static int __init arch_hw_breakpoint_ini + return 0; + } + ++ /* ++ * Scorpion CPUs (at least those in APQ8060) seem to set DBGPRSR.SPD ++ * whenever a WFI is issued, even if the core is not powered down, in ++ * violation of the architecture. When DBGPRSR.SPD is set, accesses to ++ * breakpoint and watchpoint registers are treated as undefined, so ++ * this results in boot time and runtime failures when these are ++ * accessed and we unexpectedly take a trap. ++ * ++ * It's not clear if/how this can be worked around, so we blacklist ++ * Scorpion CPUs to avoid these issues. ++ */ ++ if (read_cpuid_part() == ARM_CPU_PART_SCORPION) { ++ pr_info("Scorpion CPU detected. Hardware breakpoints and watchpoints disabled\n"); ++ return 0; ++ } ++ + has_ossr = core_has_os_save_restore(); + + /* Determine how many BRPs/WRPs are available. */ diff --git a/queue-4.9/arm-dts-da850-evm-fix-read-access-to-spi-flash.patch b/queue-4.9/arm-dts-da850-evm-fix-read-access-to-spi-flash.patch new file mode 100644 index 00000000000..4a95012db4f --- /dev/null +++ b/queue-4.9/arm-dts-da850-evm-fix-read-access-to-spi-flash.patch 
@@ -0,0 +1,40 @@
+From 43849785e1079f6606a31cb7fda92d1200849728 Mon Sep 17 00:00:00 2001
+From: Fabien Parent
+Date: Tue, 17 Jan 2017 13:57:42 +0100
+Subject: ARM: dts: da850-evm: fix read access to SPI flash
+
+From: Fabien Parent
+
+commit 43849785e1079f6606a31cb7fda92d1200849728 upstream.
+
+Read access to the SPI flash are broken on da850-evm, i.e. the data
+read is not what is actually programmed on the flash.
+According to the datasheet for the M25P64 part present on the da850-evm,
+if the SPI frequency is higher than 20MHz then the READ command is not
+usable anymore and only the FAST_READ command can be used to read data.
+
+This commit specifies in the DTS that we should use FAST_READ command
+instead of the READ command.
+
+Tested-by: Kevin Hilman
+Signed-off-by: Fabien Parent
+[nsekhar@ti.com: subject line adjustment]
+Signed-off-by: Sekhar Nori
+Signed-off-by: Greg Kroah-Hartman
+
+Signed-off-by: Olof Johansson
+
+---
+ arch/arm/boot/dts/da850-evm.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/boot/dts/da850-evm.dts
++++ b/arch/arm/boot/dts/da850-evm.dts
+@@ -99,6 +99,7 @@
+ #size-cells = <1>;
+ compatible = "m25p64";
+ spi-max-frequency = <30000000>;
++ m25p,fast-read;
+ reg = <0>;
+ partition@0 {
+ label = "U-Boot-SPL";
diff --git a/queue-4.9/arm-dts-omap5-dra7-indicate-that-sata-port-0-is-available.patch b/queue-4.9/arm-dts-omap5-dra7-indicate-that-sata-port-0-is-available.patch
new file mode 100644
index 00000000000..b5d5557cf71
--- /dev/null
+++ b/queue-4.9/arm-dts-omap5-dra7-indicate-that-sata-port-0-is-available.patch
@@ -0,0 +1,55 @@ +From 87cb12910a2ab6ed41ae951ea4d9c1cc1120199a Mon Sep 17 00:00:00 2001 +From: Jean-Jacques Hiblot +Date: Mon, 9 Jan 2017 13:22:15 +0100 +Subject: ARM: dts: OMAP5 / DRA7: indicate that SATA port 0 is available. + +From: Jean-Jacques Hiblot + +commit 87cb12910a2ab6ed41ae951ea4d9c1cc1120199a upstream. + +AHCI provides the register PORTS_IMPL to let the software know which port +is supported. The register must be initialized by the bootloader. However +in some cases u-boot doesn't properly initialize this value (if it is not +compiled with SATA support for example or if the SATA initialization fails). +The DTS entry "ports-implemented" can be used to override the value in +PORTS_IMPL. + +Without this patch the SATA will not work in the following two cases: + +* if there has been a failure to initialize SATA in u-boot. + +* if ahci_platform module has been removed and re-inserted. The reason is + that the content of PORTS_IMPL is lost after the module is removed. + I suspect that it's because the controller is reset by the hwmod. + +Signed-off-by: Jean-Jacques Hiblot +Acked-by: Roger Quadros +[tony@atomide.com: updated comments with what goes wrong] +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/dra7.dtsi | 1 + + arch/arm/boot/dts/omap5.dtsi | 1 + + 2 files changed, 2 insertions(+) + +--- a/arch/arm/boot/dts/dra7.dtsi ++++ b/arch/arm/boot/dts/dra7.dtsi +@@ -1376,6 +1376,7 @@ + phy-names = "sata-phy"; + clocks = <&sata_ref_clk>; + ti,hwmods = "sata"; ++ ports-implemented = <0x1>; + }; + + rtc: rtc@48838000 { +--- a/arch/arm/boot/dts/omap5.dtsi ++++ b/arch/arm/boot/dts/omap5.dtsi +@@ -985,6 +985,7 @@ + phy-names = "sata-phy"; + clocks = <&sata_ref_clk>; + ti,hwmods = "sata"; ++ ports-implemented = <0x1>; + }; + + dss: dss@58000000 { diff --git a/queue-4.9/arm64-avoid-returning-from-bad_mode.patch b/queue-4.9/arm64-avoid-returning-from-bad_mode.patch new file mode 100644 index 00000000000..e3ad9513c5b 
--- /dev/null
+++ b/queue-4.9/arm64-avoid-returning-from-bad_mode.patch
@@ -0,0 +1,105 @@ +From 7d9e8f71b989230bc613d121ca38507d34ada849 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Wed, 18 Jan 2017 17:23:41 +0000 +Subject: arm64: avoid returning from bad_mode + +From: Mark Rutland + +commit 7d9e8f71b989230bc613d121ca38507d34ada849 upstream. + +Generally, taking an unexpected exception should be a fatal event, and +bad_mode is intended to cater for this. However, it should be possible +to contain unexpected synchronous exceptions from EL0 without bringing +the kernel down, by sending a SIGILL to the task. + +We tried to apply this approach in commit 9955ac47f4ba1c95 ("arm64: +don't kill the kernel on a bad esr from el0"), by sending a signal for +any bad_mode call resulting from an EL0 exception. + +However, this also applies to other unexpected exceptions, such as +SError and FIQ. The entry paths for these exceptions branch to bad_mode +without configuring the link register, and have no kernel_exit. Thus, if +we take one of these exceptions from EL0, bad_mode will eventually +return to the original user link register value. + +This patch fixes this by introducing a new bad_el0_sync handler to cater +for the recoverable case, and restoring bad_mode to its original state, +whereby it calls panic() and never returns. The recoverable case +branches to bad_el0_sync with a bl, and returns to userspace via the +usual ret_to_user mechanism. 
+ +Signed-off-by: Mark Rutland +Fixes: 9955ac47f4ba1c95 ("arm64: don't kill the kernel on a bad esr from el0") +Reported-by: Mark Salter +Cc: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/entry.S | 2 +- + arch/arm64/kernel/traps.c | 28 ++++++++++++++++++++++++---- + 2 files changed, 25 insertions(+), 5 deletions(-) + +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -624,7 +624,7 @@ el0_inv: + mov x0, sp + mov x1, #BAD_SYNC + mov x2, x25 +- bl bad_mode ++ bl bad_el0_sync + b ret_to_user + ENDPROC(el0_sync) + +--- a/arch/arm64/kernel/traps.c ++++ b/arch/arm64/kernel/traps.c +@@ -596,17 +596,34 @@ const char *esr_get_class_string(u32 esr + } + + /* +- * bad_mode handles the impossible case in the exception vector. ++ * bad_mode handles the impossible case in the exception vector. This is always ++ * fatal. + */ + asmlinkage void bad_mode(struct pt_regs *regs, int reason, unsigned int esr) + { +- siginfo_t info; +- void __user *pc = (void __user *)instruction_pointer(regs); + console_verbose(); + + pr_crit("Bad mode in %s handler detected on CPU%d, code 0x%08x -- %s\n", + handler[reason], smp_processor_id(), esr, + esr_get_class_string(esr)); ++ ++ die("Oops - bad mode", regs, 0); ++ local_irq_disable(); ++ panic("bad mode"); ++} ++ ++/* ++ * bad_el0_sync handles unexpected, but potentially recoverable synchronous ++ * exceptions taken from EL0. Unlike bad_mode, this returns. 
++ */ ++asmlinkage void bad_el0_sync(struct pt_regs *regs, int reason, unsigned int esr) ++{ ++ siginfo_t info; ++ void __user *pc = (void __user *)instruction_pointer(regs); ++ console_verbose(); ++ ++ pr_crit("Bad EL0 synchronous exception detected on CPU%d, code 0x%08x -- %s\n", ++ smp_processor_id(), esr, esr_get_class_string(esr)); + __show_regs(regs); + + info.si_signo = SIGILL; +@@ -614,7 +631,10 @@ asmlinkage void bad_mode(struct pt_regs + info.si_code = ILL_ILLOPC; + info.si_addr = pc; + +- arm64_notify_die("Oops - bad mode", regs, &info, 0); ++ current->thread.fault_address = 0; ++ current->thread.fault_code = 0; ++ ++ force_sig_info(info.si_signo, &info, current); + } + + void __pte_error(const char *file, int line, unsigned long val) diff --git a/queue-4.9/arm64-ptrace-avoid-uninitialised-struct-padding-in-fpr_set.patch b/queue-4.9/arm64-ptrace-avoid-uninitialised-struct-padding-in-fpr_set.patch new file mode 100644 index 00000000000..2ee931014fc --- /dev/null +++ b/queue-4.9/arm64-ptrace-avoid-uninitialised-struct-padding-in-fpr_set.patch 
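Review bot: `bad_el0_sync()` is entered from the EL0 synchronous path (`el0_inv` in entry.S) and is documented as recoverable, yet it calls `console_verbose()` and an unconditional `pr_crit()` plus `__show_regs()` on every hit, so a user task that keeps taking this exception can raise the console log level and fill the kernel log. Consider dropping `console_verbose()` from this handler and rate-limiting the report, e.g. `pr_crit_ratelimited("Bad EL0 synchronous exception detected on CPU%d, code 0x%08x -- %s\n", smp_processor_id(), esr, esr_get_class_string(esr));`. Separately, `siginfo_t info` is a stack object and only a few of its fields are assigned in the visible lines before `force_sig_info()`; part of the function lies between the two hunks, so if nothing there clears it, zero-initialising the struct would be the safer form.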
@@ -0,0 +1,36 @@
+From aeb1f39d814b2e21e5e5706a48834bfd553d0059 Mon Sep 17 00:00:00 2001
+From: Dave Martin
+Date: Wed, 18 Jan 2017 16:25:23 +0000
+Subject: arm64/ptrace: Avoid uninitialised struct padding in fpr_set()
+
+From: Dave Martin
+
+commit aeb1f39d814b2e21e5e5706a48834bfd553d0059 upstream.
+
+This patch adds an explicit __reserved[] field to user_fpsimd_state
+to replace what was previously unnamed padding.
+
+This ensures that data in this region are propagated across
+assignment rather than being left possibly uninitialised at the
+destination.
+
+Fixes: 60ffc30d5652 ("arm64: Exception handling")
+Signed-off-by: Dave Martin
+Acked-by: Will Deacon
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/include/uapi/asm/ptrace.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/include/uapi/asm/ptrace.h
++++ b/arch/arm64/include/uapi/asm/ptrace.h
+@@ -77,6 +77,7 @@ struct user_fpsimd_state {
+ __uint128_t vregs[32];
+ __u32 fpsr;
+ __u32 fpcr;
++ __u32 __reserved[2];
+ };
+
+ struct user_hwdebug_state {
diff --git a/queue-4.9/arm64-ptrace-preserve-previous-registers-for-short-regset-write-2.patch b/queue-4.9/arm64-ptrace-preserve-previous-registers-for-short-regset-write-2.patch
new file mode 100644
index 00000000000..3be4a3abd5b
--- /dev/null
+++ b/queue-4.9/arm64-ptrace-preserve-previous-registers-for-short-regset-write-2.patch
@@ -0,0 +1,35 @@
+From 9dd73f72f218320c6c90da5f834996e7360dc227 Mon Sep 17 00:00:00 2001
+From: Dave Martin
+Date: Wed, 18 Jan 2017 16:25:21 +0000
+Subject: arm64/ptrace: Preserve previous registers for short regset write - 2
+
+From: Dave Martin
+
+commit 9dd73f72f218320c6c90da5f834996e7360dc227 upstream.
+
+Ensure that if userspace supplies insufficient data to
+PTRACE_SETREGSET to fill all the registers, the thread's old
+registers are preserved.
+
+Fixes: 766a85d7bc5d ("arm64: ptrace: add NT_ARM_SYSTEM_CALL regset")
+Signed-off-by: Dave Martin
+Acked-by: Will Deacon
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/ptrace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -676,7 +676,8 @@ static int system_call_set(struct task_s
+ unsigned int pos, unsigned int count,
+ const void *kbuf, const void __user *ubuf)
+ {
+- int syscallno, ret;
++ int syscallno = task_pt_regs(target)->syscallno;
++ int ret;
+
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &syscallno, 0, -1);
+ if (ret)
diff --git a/queue-4.9/arm64-ptrace-preserve-previous-registers-for-short-regset-write-3.patch b/queue-4.9/arm64-ptrace-preserve-previous-registers-for-short-regset-write-3.patch
new file mode 100644
index 00000000000..93c1a8ed221
--- /dev/null
+++ b/queue-4.9/arm64-ptrace-preserve-previous-registers-for-short-regset-write-3.patch
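Review bot: The new initialiser in `system_call_set()` carries no comment, and why it matters is not obvious at the call site: `user_regset_copyin()` may fill only part of the local on a short write, so without the seed the rest would be whatever was on the kernel stack and would then be written into the thread's state. A one-line comment above it, such as `/* seed with the current value; a short write fills only part of it */`, would keep a later cleanup from removing the initialiser as redundant. The same comment is missing in `compat_tls_set()` and in `gpr_set()`, `fpr_set()` and `tls_set()` in the two sibling patches. All of these function bodies continue outside the hunks shown.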
@@ -0,0 +1,34 @@
+From a672401c00f82e4e19704aff361d9bad18003714 Mon Sep 17 00:00:00 2001
+From: Dave Martin
+Date: Wed, 18 Jan 2017 16:25:22 +0000
+Subject: arm64/ptrace: Preserve previous registers for short regset write - 3
+
+From: Dave Martin
+
+commit a672401c00f82e4e19704aff361d9bad18003714 upstream.
+
+Ensure that if userspace supplies insufficient data to
+PTRACE_SETREGSET to fill all the registers, the thread's old
+registers are preserved.
+
+Fixes: 5d220ff9420f ("arm64: Better native ptrace support for compat tasks")
+Signed-off-by: Dave Martin
+Acked-by: Will Deacon
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/ptrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -949,7 +949,7 @@ static int compat_tls_set(struct task_st
+ const void __user *ubuf)
+ {
+ int ret;
+- compat_ulong_t tls;
++ compat_ulong_t tls = target->thread.tp_value;
+
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1);
+ if (ret)
diff --git a/queue-4.9/arm64-ptrace-preserve-previous-registers-for-short-regset-write.patch b/queue-4.9/arm64-ptrace-preserve-previous-registers-for-short-regset-write.patch
new file mode 100644
index 00000000000..1d4a8cc8d97
--- /dev/null
+++ b/queue-4.9/arm64-ptrace-preserve-previous-registers-for-short-regset-write.patch
@@ -0,0 +1,53 @@ +From 9a17b876b573441bfb3387ad55d98bf7184daf9d Mon Sep 17 00:00:00 2001 +From: Dave Martin +Date: Wed, 18 Jan 2017 16:25:20 +0000 +Subject: arm64/ptrace: Preserve previous registers for short regset write + +From: Dave Martin + +commit 9a17b876b573441bfb3387ad55d98bf7184daf9d upstream. + +Ensure that if userspace supplies insufficient data to +PTRACE_SETREGSET to fill all the registers, the thread's old +registers are preserved. + +Fixes: 478fcb2cdb23 ("arm64: Debugging support") +Signed-off-by: Dave Martin +Acked-by: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/ptrace.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/arch/arm64/kernel/ptrace.c ++++ b/arch/arm64/kernel/ptrace.c +@@ -595,7 +595,7 @@ static int gpr_set(struct task_struct *t + const void *kbuf, const void __user *ubuf) + { + int ret; +- struct user_pt_regs newregs; ++ struct user_pt_regs newregs = task_pt_regs(target)->user_regs; + + ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newregs, 0, -1); + if (ret) +@@ -625,7 +625,8 @@ static int fpr_set(struct task_struct *t + const void *kbuf, const void __user *ubuf) + { + int ret; +- struct user_fpsimd_state newstate; ++ struct user_fpsimd_state newstate = ++ target->thread.fpsimd_state.user_fpsimd; + + ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newstate, 0, -1); + if (ret) +@@ -649,7 +650,7 @@ static int tls_set(struct task_struct *t + const void *kbuf, const void __user *ubuf) + { + int ret; +- unsigned long tls; ++ unsigned long tls = target->thread.tp_value; + + ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1); + if (ret) diff --git a/queue-4.9/arm64-ptrace-reject-attempts-to-set-incomplete-hardware-breakpoint-fields.patch b/queue-4.9/arm64-ptrace-reject-attempts-to-set-incomplete-hardware-breakpoint-fields.patch new file mode 100644 index 00000000000..459d0985e7c --- /dev/null 
+++ b/queue-4.9/arm64-ptrace-reject-attempts-to-set-incomplete-hardware-breakpoint-fields.patch @@ -0,0 +1,45 @@ +From ad9e202aa1ce571b1d7fed969d06f66067f8a086 Mon Sep 17 00:00:00 2001 +From: Dave Martin +Date: Wed, 18 Jan 2017 16:25:24 +0000 +Subject: arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields + +From: Dave Martin + +commit ad9e202aa1ce571b1d7fed969d06f66067f8a086 upstream. + +We cannot preserve partial fields for hardware breakpoints, because +the values written by userspace to the hardware breakpoint +registers can't subsequently be recovered intact from the hardware. + +So, just reject attempts to write incomplete fields with -EINVAL. + +Fixes: 478fcb2cdb23 ("arm64: Debugging support") +Signed-off-by: Dave Martin +Acked-by: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/ptrace.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/arm64/kernel/ptrace.c ++++ b/arch/arm64/kernel/ptrace.c +@@ -550,6 +550,8 @@ static int hw_break_set(struct task_stru + /* (address, ctrl) registers */ + limit = regset->n * regset->size; + while (count && offset < limit) { ++ if (count < PTRACE_HBP_ADDR_SZ) ++ return -EINVAL; + ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &addr, + offset, offset + PTRACE_HBP_ADDR_SZ); + if (ret) +@@ -559,6 +561,8 @@ static int hw_break_set(struct task_stru + return ret; + offset += PTRACE_HBP_ADDR_SZ; + ++ if (!count) ++ break; + ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &ctrl, + offset, offset + PTRACE_HBP_CTRL_SZ); + if (ret) diff --git a/queue-4.9/ceph-fix-bad-endianness-handling-in-parse_reply_info_extra.patch b/queue-4.9/ceph-fix-bad-endianness-handling-in-parse_reply_info_extra.patch new file mode 100644 index 00000000000..403fbddf5f8 --- /dev/null +++ b/queue-4.9/ceph-fix-bad-endianness-handling-in-parse_reply_info_extra.patch 
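Review bot: The control-word copy in `hw_break_set()` is still unguarded against a partial field: the added checks reject a short address (`count < PTRACE_HBP_ADDR_SZ`) and stop when nothing is left, but a remaining `count` between 1 and `PTRACE_HBP_CTRL_SZ - 1` would reach the `ctrl` copy-in and leave `ctrl` partly unset. That presumably cannot happen because the regset core only accepts lengths that are a multiple of `regset->size`, but that guarantee is not visible in this function. Either state it in a comment next to `if (!count) break;`, or make the check explicit with `if (count < PTRACE_HBP_CTRL_SZ) return -EINVAL;` after the `!count` test. The loop body continues outside the hunk.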
@@ -0,0 +1,47 @@ +From 6df8c9d80a27cb587f61b4f06b57e248d8bc3f86 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Thu, 12 Jan 2017 14:42:41 -0500 +Subject: ceph: fix bad endianness handling in parse_reply_info_extra + +From: Jeff Layton + +commit 6df8c9d80a27cb587f61b4f06b57e248d8bc3f86 upstream. + +sparse says: + + fs/ceph/mds_client.c:291:23: warning: restricted __le32 degrades to integer + fs/ceph/mds_client.c:293:28: warning: restricted __le32 degrades to integer + fs/ceph/mds_client.c:294:28: warning: restricted __le32 degrades to integer + fs/ceph/mds_client.c:296:28: warning: restricted __le32 degrades to integer + +The op value is __le32, so we need to convert it before comparing it. + +Signed-off-by: Jeff Layton +Reviewed-by: Sage Weil +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/mds_client.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -288,12 +288,13 @@ static int parse_reply_info_extra(void * + struct ceph_mds_reply_info_parsed *info, + u64 features) + { +- if (info->head->op == CEPH_MDS_OP_GETFILELOCK) ++ u32 op = le32_to_cpu(info->head->op); ++ ++ if (op == CEPH_MDS_OP_GETFILELOCK) + return parse_reply_info_filelock(p, end, info, features); +- else if (info->head->op == CEPH_MDS_OP_READDIR || +- info->head->op == CEPH_MDS_OP_LSSNAP) ++ else if (op == CEPH_MDS_OP_READDIR || op == CEPH_MDS_OP_LSSNAP) + return parse_reply_info_dir(p, end, info, features); +- else if (info->head->op == CEPH_MDS_OP_CREATE) ++ else if (op == CEPH_MDS_OP_CREATE) + return parse_reply_info_create(p, end, info, features); + else + return -EIO; diff --git a/queue-4.9/clocksource-exynos_mct-clear-interrupt-when-cpu-is-shut-down.patch b/queue-4.9/clocksource-exynos_mct-clear-interrupt-when-cpu-is-shut-down.patch new file mode 100644 index 00000000000..d4950bd0406 --- /dev/null +++ b/queue-4.9/clocksource-exynos_mct-clear-interrupt-when-cpu-is-shut-down.patch 
@@ -0,0 +1,49 @@ +From bc7c36eedb0c7004aa06c2afc3c5385adada8fa3 Mon Sep 17 00:00:00 2001 +From: Joonyoung Shim +Date: Tue, 17 Jan 2017 13:54:36 +0900 +Subject: clocksource/exynos_mct: Clear interrupt when cpu is shut down + +From: Joonyoung Shim + +commit bc7c36eedb0c7004aa06c2afc3c5385adada8fa3 upstream. + +When a CPU goes offline a potentially pending timer interrupt is not +cleared. When the CPU comes online again then the pending interrupt is +delivered before the per cpu clockevent device is initialized. As a +consequence the tick interrupt handler dereferences a NULL pointer. + +[ 51.251378] Unable to handle kernel NULL pointer dereference at virtual address 00000040 +[ 51.289348] task: ee942d00 task.stack: ee960000 +[ 51.293861] PC is at tick_periodic+0x38/0xb0 +[ 51.298102] LR is at tick_handle_periodic+0x1c/0x90 + +Clear the pending interrupt in the cpu dying path. + +Fixes: 56a94f13919c ("clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier") +Reported-by: Seung-Woo Kim +Signed-off-by: Joonyoung Shim +Cc: linux-samsung-soc@vger.kernel.org +Cc: cw00.choi@samsung.com +Cc: daniel.lezcano@linaro.org +Cc: javier@osg.samsung.com +Cc: kgene@kernel.org +Cc: krzk@kernel.org +Cc: linux-arm-kernel@lists.infradead.org +Link: http://lkml.kernel.org/r/1484628876-22065-1-git-send-email-jy0922.shim@samsung.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clocksource/exynos_mct.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/clocksource/exynos_mct.c ++++ b/drivers/clocksource/exynos_mct.c +@@ -495,6 +495,7 @@ static int exynos4_mct_dying_cpu(unsigne + if (mct_int_type == MCT_INT_SPI) { + if (evt->irq != -1) + disable_irq_nosync(evt->irq); ++ exynos4_mct_write(0x1, mevt->base + MCT_L_INT_CSTAT_OFFSET); + } else { + disable_percpu_irq(mct_irqs[MCT_L0_IRQ]); + } 
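Review bot: The added `exynos4_mct_write(0x1, mevt->base + MCT_L_INT_CSTAT_OFFSET);` has no comment and uses a bare `0x1`, so the reason for touching the interrupt status register in the dying path can only be recovered from the commit message. A comment such as `/* ack a tick left pending so it is not delivered before the clockevent is set up again on re-online */` would document it. The write also sits only in the `MCT_INT_SPI` branch; whether the per-cpu interrupt branch can leave the same pending state is not answered by the hunk and deserves a sentence in that comment. `exynos4_mct_dying_cpu()` starts and ends outside the hunk.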
diff --git a/queue-4.9/fuse-clear-fr_pending-flag-when-moving-requests-out-of-pending-queue.patch b/queue-4.9/fuse-clear-fr_pending-flag-when-moving-requests-out-of-pending-queue.patch
new file mode 100644
index 00000000000..4fa6a8c4a2c
--- /dev/null
+++ b/queue-4.9/fuse-clear-fr_pending-flag-when-moving-requests-out-of-pending-queue.patch
@@ -0,0 +1,49 @@ +From a8a86d78d673b1c99fe9b0064739fde9e9774184 Mon Sep 17 00:00:00 2001 +From: Tahsin Erdogan +Date: Thu, 12 Jan 2017 12:04:04 -0800 +Subject: fuse: clear FR_PENDING flag when moving requests out of pending queue + +From: Tahsin Erdogan + +commit a8a86d78d673b1c99fe9b0064739fde9e9774184 upstream. + +fuse_abort_conn() moves requests from pending list to a temporary list +before canceling them. This operation races with request_wait_answer() +which also tries to remove the request after it gets a fatal signal. It +checks FR_PENDING flag to determine whether the request is still in the +pending list. + +Make fuse_abort_conn() clear FR_PENDING flag so that request_wait_answer() +does not remove the request from temporary list. + +This bug causes an Oops when trying to delete an already deleted list entry +in end_requests(). + +Fixes: ee314a870e40 ("fuse: abort: no fc->lock needed for request ending") +Signed-off-by: Tahsin Erdogan +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/dev.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -2025,7 +2025,6 @@ static void end_requests(struct fuse_con + struct fuse_req *req; + req = list_entry(head->next, struct fuse_req, list); + req->out.h.error = -ECONNABORTED; +- clear_bit(FR_PENDING, &req->flags); + clear_bit(FR_SENT, &req->flags); + list_del_init(&req->list); + request_end(fc, req); +@@ -2103,6 +2102,8 @@ void fuse_abort_conn(struct fuse_conn *f + spin_lock(&fiq->waitq.lock); + fiq->connected = 0; + list_splice_init(&fiq->pending, &to_end2); ++ list_for_each_entry(req, &to_end2, list) ++ clear_bit(FR_PENDING, &req->flags); + while (forget_pending(fiq)) + kfree(dequeue_forget(fiq, 1, NULL)); + wake_up_all_locked(&fiq->waitq); diff --git a/queue-4.9/fuse-fix-time_to_jiffies-nsec-sanity-check.patch b/queue-4.9/fuse-fix-time_to_jiffies-nsec-sanity-check.patch new file mode 100644 index 00000000000..d5c4d2072ea 
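Review bot: After this change `end_requests()` no longer clears `FR_PENDING`, so it silently relies on every caller handing it requests whose flag is already clear; only the `fiq->pending` splice in `fuse_abort_conn()` is visibly updated. Add a comment on `end_requests()` stating that precondition, for example `/* Requests must already have FR_PENDING cleared by the caller */`, and confirm that no other list passed to it (the callers are outside the hunk) can hold pending requests. The new `list_for_each_entry()` loop would also benefit from a note that the flag is cleared while `fiq->waitq.lock` is held, since that is presumably what closes the race with `request_wait_answer()` described in the commit message.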
--- /dev/null +++ b/queue-4.9/fuse-fix-time_to_jiffies-nsec-sanity-check.patch @@ -0,0 +1,34 @@ +From 210675270caa33253e4c33f3c5e657e7d6060812 Mon Sep 17 00:00:00 2001 +From: David Sheets +Date: Fri, 13 Jan 2017 15:58:30 +0000 +Subject: fuse: fix time_to_jiffies nsec sanity check + +From: David Sheets + +commit 210675270caa33253e4c33f3c5e657e7d6060812 upstream. + +Commit bcb6f6d2b9c2 ("fuse: use timespec64") introduced clamped nsec values +in time_to_jiffies but used the max of nsec and NSEC_PER_SEC - 1 instead of +the min. Because of this, dentries would stay in the cache longer than +requested and go stale in scenarios that relied on their timely eviction. + +Fixes: bcb6f6d2b9c2 ("fuse: use timespec64") +Signed-off-by: David Sheets +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/fuse/dir.c ++++ b/fs/fuse/dir.c +@@ -68,7 +68,7 @@ static u64 time_to_jiffies(u64 sec, u32 + if (sec || nsec) { + struct timespec64 ts = { + sec, +- max_t(u32, nsec, NSEC_PER_SEC - 1) ++ min_t(u32, nsec, NSEC_PER_SEC - 1) + }; + + return get_jiffies_64() + timespec64_to_jiffies(&ts); diff --git a/queue-4.9/hid-corsair-fix-control-transfer-error-handling.patch b/queue-4.9/hid-corsair-fix-control-transfer-error-handling.patch new file mode 100644 index 00000000000..633f552d45a --- /dev/null +++ b/queue-4.9/hid-corsair-fix-control-transfer-error-handling.patch 
@@ -0,0 +1,54 @@
+From 7a546af50eb78ab99840903083231eb635c8a566 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 12 Jan 2017 18:17:43 +0100
+Subject: HID: corsair: fix control-transfer error handling
+
+From: Johan Hovold
+
+commit 7a546af50eb78ab99840903083231eb635c8a566 upstream.
+
+Make sure to check for short control transfers in order to avoid parsing
+uninitialised buffer data and leaking it to user space.
+
+Note that the backlight and macro-mode buffer constraints are kept as
+loose as possible in order to avoid any regressions should the current
+buffer sizes be larger than necessary.
+
+Fixes: 6f78193ee9ea ("HID: corsair: Add Corsair Vengeance K90 driver")
+Signed-off-by: Johan Hovold
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-corsair.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/hid-corsair.c
++++ b/drivers/hid/hid-corsair.c
+@@ -159,7 +159,7 @@ static enum led_brightness k90_backlight
+ USB_DIR_IN | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, 0, 0, data, 8,
+ USB_CTRL_SET_TIMEOUT);
+- if (ret < 0) {
++ if (ret < 5) {
+ dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
+ ret);
+ ret = -EIO;
+@@ -274,7 +274,7 @@ static ssize_t k90_show_macro_mode(struc
+ USB_DIR_IN | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, 0, 0, data, 2,
+ USB_CTRL_SET_TIMEOUT);
+- if (ret < 0) {
++ if (ret < 1) {
+ dev_warn(dev, "Failed to get K90 initial mode (error %d).\n",
+ ret);
+ ret = -EIO;
+@@ -351,7 +351,7 @@ static ssize_t k90_show_current_profile(
+ USB_DIR_IN | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, 0, 0, data, 8,
+ USB_CTRL_SET_TIMEOUT);
+- if (ret < 0) {
++ if (ret < 8) {
+ dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
+ ret);
+ ret = -EIO;
diff --git a/queue-4.9/hid-corsair-fix-dma-buffers-on-stack.patch b/queue-4.9/hid-corsair-fix-dma-buffers-on-stack.patch
new file mode 100644
index 00000000000..cf5df72bfd3
--- /dev/null
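Review bot: In drivers/hid/hid-corsair.c the new minimum lengths `ret < 5`, `ret < 1` and `ret < 8` are bare numbers that only make sense next to the index each function reads afterwards (data[4], data[0] and data[7], as shown in the DMA-buffer patch in the same queue). A short comment on each check, for example `/* brightness is data[4]: need at least 5 bytes */`, would keep the bound and the index from drifting apart. A short read also reaches `dev_warn()` with a non-negative byte count printed as `(error %d)`, so the log reports a length as if it were an errno; a separate wording for `ret >= 0` would make a misbehaving device easier to recognise. All three functions start and end outside their hunks.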
+++ b/queue-4.9/hid-corsair-fix-dma-buffers-on-stack.patch 
@@ -0,0 +1,144 @@
+From 6d104af38b570d37aa32a5803b04c354f8ed513d Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 12 Jan 2017 18:17:42 +0100
+Subject: HID: corsair: fix DMA buffers on stack
+
+From: Johan Hovold
+
+commit 6d104af38b570d37aa32a5803b04c354f8ed513d upstream.
+
+Not all platforms support DMA to the stack, and specifically since v4.9
+this is no longer supported on x86 with VMAP_STACK either.
+
+Note that the macro-mode buffer was larger than necessary.
+
+Fixes: 6f78193ee9ea ("HID: corsair: Add Corsair Vengeance K90 driver")
+Signed-off-by: Johan Hovold
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-corsair.c | 54 +++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 42 insertions(+), 12 deletions(-)
+
+--- a/drivers/hid/hid-corsair.c
++++ b/drivers/hid/hid-corsair.c
+@@ -148,7 +148,11 @@ static enum led_brightness k90_backlight
+ struct usb_interface *usbif = to_usb_interface(dev->parent);
+ struct usb_device *usbdev = interface_to_usbdev(usbif);
+ int brightness;
+- char data[8];
++ char *data;
++
++ data = kmalloc(8, GFP_KERNEL);
++ if (!data)
++ return -ENOMEM;
+
+ ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
+ K90_REQUEST_STATUS,
+@@ -158,16 +162,22 @@ static enum led_brightness k90_backlight
+ if (ret < 0) {
+ dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
+ ret);
+- return -EIO;
++ ret = -EIO;
++ goto out;
+ }
+ brightness = data[4];
+ if (brightness < 0 || brightness > 3) {
+ dev_warn(dev,
+ "Read invalid backlight brightness: %02hhx.\n",
+ data[4]);
+- return -EIO;
++ ret = -EIO;
++ goto out;
+ }
+- return brightness;
++ ret = brightness;
++out:
++ kfree(data);
++
++ return ret;
+ }
+
+ static enum led_brightness k90_record_led_get(struct led_classdev *led_cdev)
+@@ -253,7 +263,11 @@ static ssize_t k90_show_macro_mode(struc
+ struct usb_interface *usbif = to_usb_interface(dev->parent);
+ struct usb_device *usbdev = interface_to_usbdev(usbif);
+ const char *macro_mode;
+- char data[8];
++ char *data;
++
++ data = kmalloc(2, GFP_KERNEL);
++ if (!data)
++ return -ENOMEM;
+
+ ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
+ K90_REQUEST_GET_MODE,
+@@ -263,7 +277,8 @@ static ssize_t k90_show_macro_mode(struc
+ if (ret < 0) {
+ dev_warn(dev, "Failed to get K90 initial mode (error %d).\n",
+ ret);
+- return -EIO;
++ ret = -EIO;
++ goto out;
+ }
+
+ switch (data[0]) {
+@@ -277,10 +292,15 @@ static ssize_t k90_show_macro_mode(struc
+ default:
+ dev_warn(dev, "K90 in unknown mode: %02hhx.\n",
+ data[0]);
+- return -EIO;
++ ret = -EIO;
++ goto out;
+ }
+
+- return snprintf(buf, PAGE_SIZE, "%s\n", macro_mode);
++ ret = snprintf(buf, PAGE_SIZE, "%s\n", macro_mode);
++out:
++ kfree(data);
++
++ return ret;
+ }
+
+ static ssize_t k90_store_macro_mode(struct device *dev,
+@@ -320,7 +340,11 @@ static ssize_t k90_show_current_profile(
+ struct usb_interface *usbif = to_usb_interface(dev->parent);
+ struct usb_device *usbdev = interface_to_usbdev(usbif);
+ int current_profile;
+- char data[8];
++ char *data;
++
++ data = kmalloc(8, GFP_KERNEL);
++ if (!data)
++ return -ENOMEM;
+
+ ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
+ K90_REQUEST_STATUS,
+@@ -330,16 +354,22 @@ static ssize_t k90_show_current_profile(
+ if (ret < 0) {
+ dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
+ ret);
+- return -EIO;
++ ret = -EIO;
++ goto out;
+ }
+ current_profile = data[7];
+ if (current_profile < 1 || current_profile > 3) {
+ dev_warn(dev, "Read invalid current profile: %02hhx.\n",
+ data[7]);
+- return -EIO;
++ ret = -EIO;
++ goto out;
+ }
+
+- return snprintf(buf, PAGE_SIZE, "%d\n", current_profile);
++ ret = snprintf(buf, PAGE_SIZE, "%d\n", current_profile);
++out:
++ kfree(data);
++
++ return ret;
+ }
+
+ static ssize_t k90_store_current_profile(struct device *dev,
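Review bot: Each `kmalloc()` size in drivers/hid/hid-corsair.c (8, 2 and 8) is a literal that has to match the length argument of the following `usb_control_msg()` call, which lies outside these hunks. With the stack arrays gone there is no `sizeof` tying the two together, and a later mismatch would let the device write past the end of the heap buffer. A named constant per request, used for both the allocation and the transfer length (for example `#define K90_STATUS_LEN 8`, the name being only a suggestion), removes that risk. The three functions start and end outside their hunks.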
diff --git a/queue-4.9/ibmvscsis-fix-max-transfer-length.patch b/queue-4.9/ibmvscsis-fix-max-transfer-length.patch
new file mode 100644
index 00000000000..2efea433ae4
--- /dev/null
+++ b/queue-4.9/ibmvscsis-fix-max-transfer-length.patch
@@ -0,0 +1,41 @@
+From 387b978cb0d12cf3720ecb17e652e0a9991a08e2 Mon Sep 17 00:00:00 2001
+From: "Bryant G. Ly"
+Date: Wed, 11 Jan 2017 13:52:27 -0600
+Subject: ibmvscsis: Fix max transfer length
+
+From: Bryant G. Ly
+
+commit 387b978cb0d12cf3720ecb17e652e0a9991a08e2 upstream.
+
+Current code incorrectly calculates the max transfer length, since
+it is assuming a 4k page table, but ppc64 all run on 64k page tables.
+
+Reported-by: Steven Royer
+Tested-by: Steven Royer
+Signed-off-by: Bryant G. Ly
+Signed-off-by: Bart Van Assche
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
++++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
+@@ -45,6 +45,7 @@
+
+ #define INITIAL_SRP_LIMIT 800
+ #define DEFAULT_MAX_SECTORS 256
++#define MAX_TXU 1024 * 1024
+
+ static uint max_vdma_size = MAX_H_COPY_RDMA;
+
+@@ -1291,7 +1292,7 @@ static long ibmvscsis_adapter_info(struc
+ info->mad_version = cpu_to_be32(MAD_VERSION_1);
+ info->os_type = cpu_to_be32(LINUX);
+ memset(&info->port_max_txu[0], 0, sizeof(info->port_max_txu));
+- info->port_max_txu[0] = cpu_to_be32(128 * PAGE_SIZE);
++ info->port_max_txu[0] = cpu_to_be32(MAX_TXU);
+
+ dma_wmb();
+ rc = h_copy_rdma(sizeof(*info), vscsi->dds.window[LOCAL].liobn,
diff --git a/queue-4.9/ibmvscsis-fix-sleeping-in-interrupt-context.patch b/queue-4.9/ibmvscsis-fix-sleeping-in-interrupt-context.patch
new file mode 100644
index 00000000000..1d4474aba95
--- /dev/null
+++ b/queue-4.9/ibmvscsis-fix-sleeping-in-interrupt-context.patch
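Review bot: `#define MAX_TXU 1024 * 1024` in drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c expands without parentheses, so any later use inside a larger expression (a division, a modulo, a cast) would bind to only part of it. The single use in this patch, `cpu_to_be32(MAX_TXU)`, is safe only because the macro is a whole argument there. I would write `#define MAX_TXU (1024 * 1024)` and add a one-line comment stating the unit, presumably bytes given that it replaces `128 * PAGE_SIZE`.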
@@ -0,0 +1,43 @@
+From a5b0e4062fb225155189e593699bbfcd0597f8b5 Mon Sep 17 00:00:00 2001
+From: "Bryant G. Ly"
+Date: Wed, 11 Jan 2017 13:16:42 -0600
+Subject: ibmvscsis: Fix sleeping in interrupt context
+
+From: Bryant G. Ly
+
+commit a5b0e4062fb225155189e593699bbfcd0597f8b5 upstream.
+
+Currently, dma_alloc_coherent is being called with a GFP_KERNEL
+flag which allows it to sleep in an interrupt context, need to
+change to GFP_ATOMIC.
+
+Tested-by: Steven Royer
+Reviewed-by: Michael Cyr
+Signed-off-by: Bryant G. Ly
+Signed-off-by: Bart Van Assche
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
++++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
+@@ -1239,7 +1239,7 @@ static long ibmvscsis_adapter_info(struc
+ }
+
+ info = dma_alloc_coherent(&vscsi->dma_dev->dev, sizeof(*info), &token,
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ if (!info) {
+ dev_err(&vscsi->dev, "bad dma_alloc_coherent %p\n",
+ iue->target);
+@@ -1357,7 +1357,7 @@ static int ibmvscsis_cap_mad(struct scsi
+ }
+
+ cap = dma_alloc_coherent(&vscsi->dma_dev->dev, olen, &token,
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ if (!cap) {
+ dev_err(&vscsi->dev, "bad dma_alloc_coherent %p\n",
+ iue->target);
diff --git a/queue-4.9/ieee802154-atusb-do-not-use-the-stack-for-buffers-to-make-them-dma-able.patch b/queue-4.9/ieee802154-atusb-do-not-use-the-stack-for-buffers-to-make-them-dma-able.patch
new file mode 100644
index 00000000000..10a07831073
--- /dev/null
+++ b/queue-4.9/ieee802154-atusb-do-not-use-the-stack-for-buffers-to-make-them-dma-able.patch
@@ -0,0 +1,98 @@
+From 05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655 Mon Sep 17 00:00:00 2001
+From: Stefan Schmidt
+Date: Thu, 15 Dec 2016 18:40:14 +0100
+Subject: ieee802154: atusb: do not use the stack for buffers to make them DMA able
+
+From: Stefan Schmidt
+
+commit 05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655 upstream.
+
+From 4.9 we should really avoid using the stack here as this will not be DMA
+able on various platforms. This changes the buffers already being present in
+time of 4.9 being released. This should go into stable as well.
+
+Reported-by: Dan Carpenter
+Signed-off-by: Stefan Schmidt
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ieee802154/atusb.c | 31 +++++++++++++++++++++++++++----
+ 1 file changed, 27 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ieee802154/atusb.c
++++ b/drivers/net/ieee802154/atusb.c
+@@ -112,13 +112,26 @@ static int atusb_read_reg(struct atusb *
+ {
+ struct usb_device *usb_dev = atusb->usb_dev;
+ int ret;
++ uint8_t *buffer;
+ uint8_t value;
+
++ buffer = kmalloc(1, GFP_KERNEL);
++ if (!buffer)
++ return -ENOMEM;
++
+ dev_dbg(&usb_dev->dev, "atusb: reg = 0x%x\n", reg);
+ ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+ ATUSB_REG_READ, ATUSB_REQ_FROM_DEV,
+- 0, reg, &value, 1, 1000);
+- return ret >= 0 ? value : ret;
++ 0, reg, buffer, 1, 1000);
++
++ if (ret >= 0) {
++ value = buffer[0];
++ kfree(buffer);
++ return value;
++ } else {
++ kfree(buffer);
++ return ret;
++ }
+ }
+
+ static int atusb_write_subreg(struct atusb *atusb, uint8_t reg, uint8_t mask,
+@@ -587,9 +600,13 @@ static struct ieee802154_ops atusb_ops =
+ static int atusb_get_and_show_revision(struct atusb *atusb)
+ {
+ struct usb_device *usb_dev = atusb->usb_dev;
+- unsigned char buffer[3];
++ unsigned char *buffer;
+ int ret;
+
++ buffer = kmalloc(3, GFP_KERNEL);
++ if (!buffer)
++ return -ENOMEM;
++
+ /* Get a couple of the ATMega Firmware values */
+ ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+ ATUSB_ID, ATUSB_REQ_FROM_DEV, 0, 0,
+@@ -605,15 +622,20 @@ static int atusb_get_and_show_revision(s
+ dev_info(&usb_dev->dev, "Please update to version 0.2 or newer");
+ }
+
++ kfree(buffer);
+ return ret;
+ }
+
+ static int atusb_get_and_show_build(struct atusb *atusb)
+ {
+ struct usb_device *usb_dev = atusb->usb_dev;
+- char build[ATUSB_BUILD_SIZE + 1];
++ char *build;
+ int ret;
+
++ build = kmalloc(ATUSB_BUILD_SIZE + 1, GFP_KERNEL);
++ if (!build)
++ return -ENOMEM;
++
+ ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+ ATUSB_BUILD, ATUSB_REQ_FROM_DEV, 0, 0,
+ build, ATUSB_BUILD_SIZE, 1000);
+@@ -622,6 +644,7 @@ static int atusb_get_and_show_build(stru
+ dev_info(&usb_dev->dev, "Firmware: build %s\n", build);
+ }
+
++ kfree(build);
+ return ret;
+ }
+
diff --git a/queue-4.9/kvm-arm-arm64-vgic-fix-deadlock-on-error-handling.patch b/queue-4.9/kvm-arm-arm64-vgic-fix-deadlock-on-error-handling.patch
new file mode 100644
index 00000000000..79bd7d73b99
--- /dev/null
+++ b/queue-4.9/kvm-arm-arm64-vgic-fix-deadlock-on-error-handling.patch
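Review bot: atusb_read_reg() in drivers/net/ieee802154/atusb.c still treats any `ret >= 0` as success, so a control transfer that completes with zero bytes returns `buffer[0]` from a `kmalloc()`ed byte that was never written, handing stale heap contents to the caller as a register value. Assuming atusb_control_msg() returns the transferred length as usb_control_msg() does, the check should require the full byte: `if (ret < 1) { kfree(buffer); return ret < 0 ? ret : -EIO; }` ahead of the value path. That also lets the two `kfree(buffer)` branches collapse into one straight-line exit. The hunk for atusb_get_and_show_revision() is cut before its length check, so whether it has the same gap cannot be told from here.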
@@ -0,0 +1,104 @@
+From 1193e6aeecb36c74c48c7cd0f641acbbed9ddeef Mon Sep 17 00:00:00 2001
+From: Marc Zyngier
+Date: Thu, 12 Jan 2017 09:21:56 +0000
+Subject: KVM: arm/arm64: vgic: Fix deadlock on error handling
+
+From: Marc Zyngier
+
+commit 1193e6aeecb36c74c48c7cd0f641acbbed9ddeef upstream.
+
+Dmitry Vyukov reported that the syzkaller fuzzer triggered a
+deadlock in the vgic setup code when an error was detected, as
+the cleanup code tries to take a lock that is already held by
+the setup code.
+
+The fix is to avoid retaking the lock when cleaning up, by
+telling the cleanup function that we already hold it.
+
+Reported-by: Dmitry Vyukov
+Reviewed-by: Christoffer Dall
+Reviewed-by: Eric Auger
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/arm/vgic/vgic-init.c | 18 +++++++++++++-----
+ virt/kvm/arm/vgic/vgic-v2.c | 2 --
+ virt/kvm/arm/vgic/vgic-v3.c | 2 --
+ 3 files changed, 13 insertions(+), 9 deletions(-)
+
+--- a/virt/kvm/arm/vgic/vgic-init.c
++++ b/virt/kvm/arm/vgic/vgic-init.c
+@@ -268,15 +268,11 @@ static void kvm_vgic_dist_destroy(struct
+ {
+ struct vgic_dist *dist = &kvm->arch.vgic;
+
+- mutex_lock(&kvm->lock);
+-
+ dist->ready = false;
+ dist->initialized = false;
+
+ kfree(dist->spis);
+ dist->nr_spis = 0;
+-
+- mutex_unlock(&kvm->lock);
+ }
+
+ void kvm_vgic_vcpu_destroy(struct kvm_vcpu *vcpu)
+@@ -286,7 +282,8 @@ void kvm_vgic_vcpu_destroy(struct kvm_vc
+ INIT_LIST_HEAD(&vgic_cpu->ap_list_head);
+ }
+
+-void kvm_vgic_destroy(struct kvm *kvm)
++/* To be called with kvm->lock held */
++static void __kvm_vgic_destroy(struct kvm *kvm)
+ {
+ struct kvm_vcpu *vcpu;
+ int i;
+@@ -297,6 +294,13 @@ void kvm_vgic_destroy(struct kvm *kvm)
+ kvm_vgic_vcpu_destroy(vcpu);
+ }
+
++void kvm_vgic_destroy(struct kvm *kvm)
++{
++ mutex_lock(&kvm->lock);
++ __kvm_vgic_destroy(kvm);
++ mutex_unlock(&kvm->lock);
++}
++
+ /**
+ * vgic_lazy_init: Lazy init is only allowed if the GIC exposed to the guest
+ * is a GICv2. A GICv3 must be explicitly initialized by the guest using the
+@@ -348,6 +352,10 @@ int kvm_vgic_map_resources(struct kvm *k
+ ret = vgic_v2_map_resources(kvm);
+ else
+ ret = vgic_v3_map_resources(kvm);
++
++ if (ret)
++ __kvm_vgic_destroy(kvm);
++
+ out:
+ mutex_unlock(&kvm->lock);
+ return ret;
+--- a/virt/kvm/arm/vgic/vgic-v2.c
++++ b/virt/kvm/arm/vgic/vgic-v2.c
+@@ -293,8 +293,6 @@ int vgic_v2_map_resources(struct kvm *kv
+ dist->ready = true;
+
+ out:
+- if (ret)
+- kvm_vgic_destroy(kvm);
+ return ret;
+ }
+
+--- a/virt/kvm/arm/vgic/vgic-v3.c
++++ b/virt/kvm/arm/vgic/vgic-v3.c
+@@ -302,8 +302,6 @@ int vgic_v3_map_resources(struct kvm *kv
+ dist->ready = true;
+
+ out:
+- if (ret)
+- kvm_vgic_destroy(kvm);
+ return ret;
+ }
+
diff --git a/queue-4.9/kvm-s390-do-not-expose-random-data-via-facility-bitmap.patch b/queue-4.9/kvm-s390-do-not-expose-random-data-via-facility-bitmap.patch
new file mode 100644
index 00000000000..2c308afc96c
--- /dev/null
+++ b/queue-4.9/kvm-s390-do-not-expose-random-data-via-facility-bitmap.patch
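Review bot: __kvm_vgic_destroy() in virt/kvm/arm/vgic/vgic-init.c states its locking rule only in the comment `/* To be called with kvm->lock held */`, and kvm_vgic_dist_destroy() lost its own `mutex_lock()`/`mutex_unlock()` pair without gaining any note at all. Adding `lockdep_assert_held(&kvm->lock);` as the first statement of __kvm_vgic_destroy() turns the comment into a check that lockdep builds enforce, which is worth having since the bug being fixed was a locking mistake on an error path. kvm_vgic_dist_destroy() deserves the same one-line comment, because a future caller can no longer rely on it taking the lock itself. Its call sites are outside the hunks, so that they all hold kvm->lock is an assumption.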
@@ -0,0 +1,54 @@
+From 04478197416e3a302e9ebc917ba1aa884ef9bfab Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger
+Date: Thu, 12 Jan 2017 16:25:15 +0100
+Subject: KVM: s390: do not expose random data via facility bitmap
+
+From: Christian Borntraeger
+
+commit 04478197416e3a302e9ebc917ba1aa884ef9bfab upstream.
+
+kvm_s390_get_machine() populates the facility bitmap by copying bytes
+from the host results that are stored in a 256 byte array in the prefix
+page. The KVM code does use the size of the target buffer (2k), thus
+copying and exposing unrelated kernel memory (mostly machine check
+related logout data).
+
+Let's use the size of the source buffer instead. This is ok, as the
+target buffer will always be greater or equal than the source buffer as
+the KVM internal buffers (and thus S390_ARCH_FAC_LIST_SIZE_BYTE) cover
+the maximum possible size that is allowed by STFLE, which is 256
+doublewords. All structures are zero allocated so we can leave bytes
+256-2047 unchanged.
+
+Add a similar fix for kvm_arch_init_vm().
+
+Reported-by: Heiko Carstens
+[found with smatch]
+Signed-off-by: Christian Borntraeger
+Acked-by: Cornelia Huck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/kvm/kvm-s390.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -916,7 +916,7 @@ static int kvm_s390_get_machine(struct k
+ memcpy(&mach->fac_mask, kvm->arch.model.fac_mask,
+ S390_ARCH_FAC_LIST_SIZE_BYTE);
+ memcpy((unsigned long *)&mach->fac_list, S390_lowcore.stfle_fac_list,
+- S390_ARCH_FAC_LIST_SIZE_BYTE);
++ sizeof(S390_lowcore.stfle_fac_list));
+ if (copy_to_user((void __user *)attr->addr, mach, sizeof(*mach)))
+ ret = -EFAULT;
+ kfree(mach);
+@@ -1437,7 +1437,7 @@ int kvm_arch_init_vm(struct kvm *kvm, un
+
+ /* Populate the facility mask initially. */
+ memcpy(kvm->arch.model.fac_mask, S390_lowcore.stfle_fac_list,
+- S390_ARCH_FAC_LIST_SIZE_BYTE);
++ sizeof(S390_lowcore.stfle_fac_list));
+ for (i = 0; i < S390_ARCH_FAC_LIST_SIZE_U64; i++) {
+ if (i < kvm_s390_fac_list_mask_size())
+ kvm->arch.model.fac_mask[i] &= kvm_s390_fac_list_mask[i];
diff --git a/queue-4.9/libnvdimm-namespace-fix-pmem-namespace-leak-delete-when-size-set-to-zero.patch b/queue-4.9/libnvdimm-namespace-fix-pmem-namespace-leak-delete-when-size-set-to-zero.patch
new file mode 100644
index 00000000000..deceaafb739
--- /dev/null
+++ b/queue-4.9/libnvdimm-namespace-fix-pmem-namespace-leak-delete-when-size-set-to-zero.patch
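Review bot: Both `memcpy()` calls in arch/s390/kvm/kvm-s390.c now depend on the destination being at least `sizeof(S390_lowcore.stfle_fac_list)` bytes, which the commit message argues but the code does not enforce. A compile-time check beside the copy, `BUILD_BUG_ON(sizeof(S390_lowcore.stfle_fac_list) > S390_ARCH_FAC_LIST_SIZE_BYTE);`, would stop a later resize of either buffer from turning this information-leak fix into an overflow. In kvm_s390_get_machine() the bytes after the copied region still reach user space through `copy_to_user()`, so the fix also relies on `mach` being zero-allocated; that allocation is outside the hunk and should be confirmed. Both functions start and end outside their hunks.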
@@ -0,0 +1,71 @@
+From 1f19b983a8877f81763fab3e693c6befe212736d Mon Sep 17 00:00:00 2001
+From: Dan Williams
+Date: Mon, 9 Jan 2017 17:30:49 -0800
+Subject: libnvdimm, namespace: fix pmem namespace leak, delete when size set to zero
+
+From: Dan Williams
+
+commit 1f19b983a8877f81763fab3e693c6befe212736d upstream.
+
+Commit 98a29c39dc68 ("libnvdimm, namespace: allow creation of multiple
+pmem-namespaces per region") added support for establishing additional
+pmem namespace beyond the seed device, similar to blk namespaces.
+However, it neglected to delete the namespace when the size is set to
+zero.
+
+Fixes: 98a29c39dc68 ("libnvdimm, namespace: allow creation of multiple pmem-namespaces per region")
+Signed-off-by: Dan Williams
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nvdimm/namespace_devs.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+--- a/drivers/nvdimm/namespace_devs.c
++++ b/drivers/nvdimm/namespace_devs.c
+@@ -957,6 +957,7 @@ static ssize_t __size_store(struct devic
+ {
+ resource_size_t allocated = 0, available = 0;
+ struct nd_region *nd_region = to_nd_region(dev->parent);
++ struct nd_namespace_common *ndns = to_ndns(dev);
+ struct nd_mapping *nd_mapping;
+ struct nvdimm_drvdata *ndd;
+ struct nd_label_id label_id;
+@@ -964,7 +965,7 @@ static ssize_t __size_store(struct devic
+ u8 *uuid = NULL;
+ int rc, i;
+
+- if (dev->driver || to_ndns(dev)->claim)
++ if (dev->driver || ndns->claim)
+ return -EBUSY;
+
+ if (is_namespace_pmem(dev)) {
+@@ -1034,20 +1035,16 @@ static ssize_t __size_store(struct devic
+
+ nd_namespace_pmem_set_resource(nd_region, nspm,
+ val * nd_region->ndr_mappings);
+- } else if (is_namespace_blk(dev)) {
+- struct nd_namespace_blk *nsblk = to_nd_namespace_blk(dev);
+-
+- /*
+- * Try to delete the namespace if we deleted all of its
+- * allocation, this is not the seed device for the
+- * region, and it is not actively claimed by a btt
+- * instance.
+- */
+- if (val == 0 && nd_region->ns_seed != dev
+- && !nsblk->common.claim)
+- nd_device_unregister(dev, ND_ASYNC);
+ }
+
++ /*
++ * Try to delete the namespace if we deleted all of its
++ * allocation, this is not the seed device for the region, and
++ * it is not actively claimed by a btt instance.
++ */
++ if (val == 0 && nd_region->ns_seed != dev && !ndns->claim)
++ nd_device_unregister(dev, ND_ASYNC);
++
+ return rc;
+ }
+
diff --git a/queue-4.9/mac80211-implement-multicast-forwarding-on-fast-rx-path.patch b/queue-4.9/mac80211-implement-multicast-forwarding-on-fast-rx-path.patch
new file mode 100644
index 00000000000..1068bf36a43
--- /dev/null
+++ b/queue-4.9/mac80211-implement-multicast-forwarding-on-fast-rx-path.patch
@@ -0,0 +1,71 @@
+From eeb0d56fab4cd7848cf2be6704fa48900dbc1381 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Wed, 14 Dec 2016 16:47:43 +0100
+Subject: mac80211: implement multicast forwarding on fast-RX path
+
+From: Johannes Berg
+
+commit eeb0d56fab4cd7848cf2be6704fa48900dbc1381 upstream.
+
+In AP (or VLAN) mode, when unicast 802.11 packets are received,
+they might actually be multicast after conversion. In this case
+the fast-RX path didn't handle them properly to send them back
+to the wireless medium. Implement that by copying the SKB and
+sending it back out.
+
+The possible alternative would be to just punt the packet back
+to the regular (slow) RX path, but since we have almost all of
+the required code here already it's not so complicated to add
+here. Punting it back would also mean acquiring the spinlock,
+which would be bad for the stated purpose of the fast-RX path,
+to enable well-performing parallel RX.
+
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/rx.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -3939,21 +3939,31 @@ static bool ieee80211_invoke_fast_rx(str
+ u64_stats_update_end(&stats->syncp);
+
+ if (fast_rx->internal_forward) {
+- struct sta_info *dsta = sta_info_get(rx->sdata, skb->data);
++ struct sk_buff *xmit_skb = NULL;
++ bool multicast = is_multicast_ether_addr(skb->data);
+
+- if (dsta) {
++ if (multicast) {
++ xmit_skb = skb_copy(skb, GFP_ATOMIC);
++ } else if (sta_info_get(rx->sdata, skb->data)) {
++ xmit_skb = skb;
++ skb = NULL;
++ }
++
++ if (xmit_skb) {
+ /*
+ * Send to wireless media and increase priority by 256
+ * to keep the received priority instead of
+ * reclassifying the frame (see cfg80211_classify8021d).
+ */
+- skb->priority += 256;
+- skb->protocol = htons(ETH_P_802_3);
+- skb_reset_network_header(skb);
+- skb_reset_mac_header(skb);
+- dev_queue_xmit(skb);
+- return true;
++ xmit_skb->priority += 256;
++ xmit_skb->protocol = htons(ETH_P_802_3);
++ skb_reset_network_header(xmit_skb);
++ skb_reset_mac_header(xmit_skb);
++ dev_queue_xmit(xmit_skb);
+ }
++
++ if (!skb)
++ return true;
+ }
+
+ /* deliver to local stack */
diff --git a/queue-4.9/mmc-mxs-mmc-fix-additional-cycles-after-transmission-stop.patch b/queue-4.9/mmc-mxs-mmc-fix-additional-cycles-after-transmission-stop.patch
new file mode 100644
index 00000000000..628de4319fe
--- /dev/null
+++ b/queue-4.9/mmc-mxs-mmc-fix-additional-cycles-after-transmission-stop.patch
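Review bot: In ieee80211_invoke_fast_rx() (net/mac80211/rx.c) a failed `skb_copy(skb, GFP_ATOMIC)` leaves `xmit_skb` NULL, so under memory pressure the multicast frame is still delivered locally but is dropped from forwarding with no log line or counter. A rate-limited message right after the copy, for example `if (multicast && !xmit_skb) net_info_ratelimited("failed to copy multicast frame for forwarding\n");`, would make that loss visible without slowing the fast path. The new block would also read more easily with a short comment stating that multicast frames are copied because the original continues to the local stack, while unicast frames for a known station are handed over and `skb` is cleared. The function starts and ends outside the hunk.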
@@ -0,0 +1,45 @@
+From 01167c7b9cbf099c69fe411a228e4e9c7104e123 Mon Sep 17 00:00:00 2001
+From: Stefan Wahren
+Date: Thu, 5 Jan 2017 19:24:04 +0000
+Subject: mmc: mxs-mmc: Fix additional cycles after transmission stop
+
+From: Stefan Wahren
+
+commit 01167c7b9cbf099c69fe411a228e4e9c7104e123 upstream.
+
+According to the code the intention is to append 8 SCK cycles
+instead of 4 at end of a MMC_STOP_TRANSMISSION command. But this
+will never happened because it's an AC command not an ADTC command.
+So fix this by moving the statement into the right function.
+
+Signed-off-by: Stefan Wahren
+Fixes: e4243f13d10e (mmc: mxs-mmc: add mmc host driver for i.MX23/28)
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/host/mxs-mmc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/mxs-mmc.c
++++ b/drivers/mmc/host/mxs-mmc.c
+@@ -309,6 +309,9 @@ static void mxs_mmc_ac(struct mxs_mmc_ho
+ cmd0 = BF_SSP(cmd->opcode, CMD0_CMD);
+ cmd1 = cmd->arg;
+
++ if (cmd->opcode == MMC_STOP_TRANSMISSION)
++ cmd0 |= BM_SSP_CMD0_APPEND_8CYC;
++
+ if (host->sdio_irq_en) {
+ ctrl0 |= BM_SSP_CTRL0_SDIO_IRQ_CHECK;
+ cmd0 |= BM_SSP_CMD0_CONT_CLKING_EN | BM_SSP_CMD0_SLOW_CLKING_EN;
+@@ -417,8 +420,7 @@ static void mxs_mmc_adtc(struct mxs_mmc_
+ ssp->base + HW_SSP_BLOCK_SIZE);
+ }
+
+- if ((cmd->opcode == MMC_STOP_TRANSMISSION) ||
+- (cmd->opcode == SD_IO_RW_EXTENDED))
++ if (cmd->opcode == SD_IO_RW_EXTENDED)
+ cmd0 |= BM_SSP_CMD0_APPEND_8CYC;
+
+ cmd1 = cmd->arg;
diff --git a/queue-4.9/mmc-sdhci-acpi-only-powered-up-enabled-acpi-child-devices.patch b/queue-4.9/mmc-sdhci-acpi-only-powered-up-enabled-acpi-child-devices.patch
new file mode 100644
index 00000000000..cfb301a49eb
--- /dev/null
+++ b/queue-4.9/mmc-sdhci-acpi-only-powered-up-enabled-acpi-child-devices.patch
@@ -0,0 +1,47 @@
+From e1d070c3793a2766122865a7c2142853b48808c5 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Wed, 21 Dec 2016 00:19:19 +0100
+Subject: mmc: sdhci-acpi: Only powered up enabled acpi child devices
+
+From: Hans de Goede
+
+commit e1d070c3793a2766122865a7c2142853b48808c5 upstream.
+
+Commit e5bbf30733f9 ("mmc: sdhci-acpi: Ensure connected devices are
+powered when probing") introduced code to powerup any acpi child
+nodes listed in the dstd. But some dstd-s list all possible devices
+used on some board variants, while reporting if the device is actually
+present and enabled in the status field of the device.
+
+So we end up calling the acpi _PS0 (power-on) method for devices which
+are not actually present. This does not always end well, e.g. on my
+cube iwork8 air tablet, this results in freezing the entire tablet as
+soon as the r8723bs module is loaded.
+
+This commit fixes this by checking the child device's status.present
+and status.enabled bits and only call acpi_device_fix_up_power()
+if both are set.
+
+Fixes: e5bbf30733f9 ("mmc: sdhci-acpi: Ensure connected devices are powered when probing")
+BugLink: https://github.com/hadess/rtl8723bs/issues/80
+Signed-off-by: Hans de Goede
+Acked-by: Adrian Hunter
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/host/sdhci-acpi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-acpi.c
++++ b/drivers/mmc/host/sdhci-acpi.c
+@@ -394,7 +394,8 @@ static int sdhci_acpi_probe(struct platf
+ /* Power on the SDHCI controller and its children */
+ acpi_device_fix_up_power(device);
+ list_for_each_entry(child, &device->children, node)
+- acpi_device_fix_up_power(child);
++ if (child->status.present && child->status.enabled)
++ acpi_device_fix_up_power(child);
+
+ if (acpi_bus_get_status(device) || !device->status.present)
+ return -ENODEV;
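Review bot: The `list_for_each_entry()` in sdhci_acpi_probe() (drivers/mmc/host/sdhci-acpi.c) now has a two-line `if` statement as its body but no braces, which kernel coding style asks for once a loop body is more than one simple statement. I would write `list_for_each_entry(child, &device->children, node) {` and close the block after the call, so a later second statement cannot silently fall outside the loop. Separately, the parent's status is refreshed with `acpi_bus_get_status(device)` a few lines below, while `child->status` is read as cached; whether that cached value is current at probe time is not visible here and may deserve a comment. The function starts and ends outside the hunk.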
diff --git a/queue-4.9/mtd-nand-lpc32xx-fix-invalid-error-handling-of-a-requested-irq.patch b/queue-4.9/mtd-nand-lpc32xx-fix-invalid-error-handling-of-a-requested-irq.patch
new file mode 100644
index 00000000000..cb972e292fa
--- /dev/null
+++ b/queue-4.9/mtd-nand-lpc32xx-fix-invalid-error-handling-of-a-requested-irq.patch
@@ -0,0 +1,39 @@
+From cf9e1672a66c49ed8903c01b4c380a2f2dc91b40 Mon Sep 17 00:00:00 2001
+From: Vladimir Zapolskiy
+Date: Mon, 5 Dec 2016 03:47:10 +0200
+Subject: mtd: nand: lpc32xx: fix invalid error handling of a requested irq
+
+From: Vladimir Zapolskiy
+
+commit cf9e1672a66c49ed8903c01b4c380a2f2dc91b40 upstream.
+
+Semantics of NR_IRQS is different on machines with SPARSE_IRQ option
+disabled or enabled, in the latter case IRQs are allocated starting
+at least from the value specified by NR_IRQS and going upwards, so
+the check of (irq >= NR_IRQ) to decide about an error code returned by
+platform_get_irq() is completely invalid, don't attempt to overrule
+irq subsystem in the driver.
+
+The change fixes LPC32xx NAND MLC driver initialization on boot.
+
+Fixes: 8cb17b5ed017 ("irqchip: Add LPC32xx interrupt controller driver")
+Signed-off-by: Vladimir Zapolskiy
+Acked-by: Sylvain Lemieux
+Signed-off-by: Boris Brezillon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/lpc32xx_mlc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/lpc32xx_mlc.c
++++ b/drivers/mtd/nand/lpc32xx_mlc.c
+@@ -776,7 +776,7 @@ static int lpc32xx_nand_probe(struct pla
+ init_completion(&host->comp_controller);
+
+ host->irq = platform_get_irq(pdev, 0);
+- if ((host->irq < 0) || (host->irq >= NR_IRQS)) {
++ if (host->irq < 0) {
+ dev_err(&pdev->dev, "failed to get platform irq\n");
+ res = -EINVAL;
+ goto err_exit3;
diff --git a/queue-4.9/mtd-nand-xway-disable-module-support.patch b/queue-4.9/mtd-nand-xway-disable-module-support.patch
new file mode 100644
index 00000000000..0fe140d8c5c
--- /dev/null
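Review bot: lpc32xx_nand_probe() in drivers/mtd/nand/lpc32xx_mlc.c still replaces whatever `platform_get_irq()` returned with `res = -EINVAL;`, so a specific errno such as a probe deferral is lost even though the commit's stated aim is to stop overruling the irq subsystem. Now that the only failing case is `host->irq < 0`, the error can be passed through with `res = host->irq;`. The function starts and ends outside the hunk, so how `res` is consumed after `err_exit3` is assumed rather than seen.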
+++ b/queue-4.9/mtd-nand-xway-disable-module-support.patch
@@ -0,0 +1,34 @@
+From 73529c872a189c747bdb528ce9b85b67b0e28dec Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens
+Date: Mon, 5 Dec 2016 22:14:36 +0100
+Subject: mtd: nand: xway: disable module support
+
+From: Hauke Mehrtens
+
+commit 73529c872a189c747bdb528ce9b85b67b0e28dec upstream.
+
+The xway_nand driver accesses the ltq_ebu_membase symbol which is not
+exported. This also should not get exported and we should handle the
+EBU interface in a better way later. This quick fix just deactivated
+support for building as module.
+
+Fixes: 99f2b107924c ("mtd: lantiq: Add NAND support on Lantiq XWAY SoC.")
+Signed-off-by: Hauke Mehrtens
+Signed-off-by: Boris Brezillon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/Kconfig
++++ b/drivers/mtd/nand/Kconfig
+@@ -537,7 +537,7 @@ config MTD_NAND_FSMC
+ Flexible Static Memory Controller (FSMC)
+
+ config MTD_NAND_XWAY
+- tristate "Support for NAND on Lantiq XWAY SoC"
++ bool "Support for NAND on Lantiq XWAY SoC"
+ depends on LANTIQ && SOC_TYPE_XWAY
+ help
+ Enables support for NAND Flash chips on Lantiq XWAY SoCs. NAND is attached
diff --git a/queue-4.9/mtd-nand-xway-fix-build-because-of-module-functions.patch b/queue-4.9/mtd-nand-xway-fix-build-because-of-module-functions.patch
new file mode 100644
index 00000000000..85f4edac18e
--- /dev/null
+++ b/queue-4.9/mtd-nand-xway-fix-build-because-of-module-functions.patch
@@ -0,0 +1,39 @@
+From a2724663494f7313f53da10d8c0a729c5e3c4dea Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens
+Date: Mon, 5 Dec 2016 22:14:37 +0100
+Subject: mtd: nand: xway: fix build because of module functions
+
+From: Hauke Mehrtens
+
+commit a2724663494f7313f53da10d8c0a729c5e3c4dea upstream.
+
+Remove the usage of modules functions to make this driver compile
+again. Otherwise an include of linux/modules.h would be needed.
+
+Fixes: 024366750c2e ("mtd: nand: xway: convert to normal platform driver")
+Signed-off-by: Hauke Mehrtens
+Signed-off-by: Boris Brezillon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/xway_nand.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/mtd/nand/xway_nand.c
++++ b/drivers/mtd/nand/xway_nand.c
+@@ -232,7 +232,6 @@ static const struct of_device_id xway_na
+ { .compatible = "lantiq,nand-xway" },
+ {},
+ };
+-MODULE_DEVICE_TABLE(of, xway_nand_match);
+
+ static struct platform_driver xway_nand_driver = {
+ .probe = xway_nand_probe,
+@@ -243,6 +242,4 @@ static struct platform_driver xway_nand_
+ },
+ };
+
+-module_platform_driver(xway_nand_driver);
+-
+-MODULE_LICENSE("GPL");
++builtin_platform_driver(xway_nand_driver);
diff --git a/queue-4.9/pci-designware-check-for-iatu-unroll-only-on-platforms-that-use-atu.patch b/queue-4.9/pci-designware-check-for-iatu-unroll-only-on-platforms-that-use-atu.patch
new file mode 100644
index 00000000000..948a1b10e2c
--- /dev/null
+++ b/queue-4.9/pci-designware-check-for-iatu-unroll-only-on-platforms-that-use-atu.patch
@@ -0,0 +1,68 @@
+From a782b5f986c3fa1cfa7f2b57941200c6a5809242 Mon Sep 17 00:00:00 2001
+From: Murali Karicheri
+Date: Wed, 4 Jan 2017 14:32:30 -0500
+Subject: PCI: designware: Check for iATU unroll only on platforms that use ATU
+
+From: Murali Karicheri
+
+commit a782b5f986c3fa1cfa7f2b57941200c6a5809242 upstream.
+
+Previously we checked for iATU unroll support by reading PCIE_ATU_VIEWPORT
+even on platforms, e.g., Keystone, that do not have ATU ports. This can
+cause bad behavior such as asynchronous external aborts:
+
+ OF: PCI: MEM 0x60000000..0x6fffffff -> 0x60000000
+ Unhandled fault: asynchronous external abort (0x1211) at 0x00000000
+ pgd = c0003000
+ [00000000] *pgd=80000800004003, *pmd=00000000
+ Internal error: : 1211 [#1] PREEMPT SMP ARM
+ Modules linked in:
+ CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.9.0-00009-g6ff59d2-dirty #7
+ Hardware name: Keystone
+ task: eb878000 task.stack: eb866000
+ PC is at dw_pcie_setup_rc+0x24/0x380
+ LR is at ks_pcie_host_init+0x10/0x170
+
+Move the dw_pcie_iatu_unroll_enabled() check so we only call it on
+platforms that do not use the ATU. These platforms supply their own
+->rd_other_conf() and ->wr_other_conf() methods.
+
+[bhelgaas: changelog]
+Fixes: a0601a470537 ("PCI: designware: Add iATU Unroll feature")
+Fixes: 416379f9ebde ("PCI: designware: Check for iATU unroll support after initializing host")
+Tested-by: Kishon Vijay Abraham I
+Signed-off-by: Murali Karicheri
+Signed-off-by: Bjorn Helgaas
+Acked-By: Joao Pinto
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/host/pcie-designware.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/pci/host/pcie-designware.c
++++ b/drivers/pci/host/pcie-designware.c
+@@ -807,11 +807,6 @@ void dw_pcie_setup_rc(struct pcie_port *
+ {
+ u32 val;
+
+- /* get iATU unroll support */
+- pp->iatu_unroll_enabled = dw_pcie_iatu_unroll_enabled(pp);
+- dev_dbg(pp->dev, "iATU unroll: %s\n",
+- pp->iatu_unroll_enabled ? "enabled" : "disabled");
+-
+ /* set the number of lanes */
+ val = dw_pcie_readl_rc(pp, PCIE_PORT_LINK_CONTROL);
+ val &= ~PORT_LINK_MODE_MASK;
+@@ -882,6 +877,11 @@ void dw_pcie_setup_rc(struct pcie_port *
+ * we should not program the ATU here.
+ */
+ if (!pp->ops->rd_other_conf) {
++ /* get iATU unroll support */
++ pp->iatu_unroll_enabled = dw_pcie_iatu_unroll_enabled(pp);
++ dev_dbg(pp->dev, "iATU unroll: %s\n",
++ pp->iatu_unroll_enabled ? "enabled" : "disabled");
++
+ dw_pcie_prog_outbound_atu(pp, PCIE_ATU_REGION_INDEX0,
+ PCIE_ATU_TYPE_MEM, pp->mem_base,
+ pp->mem_bus_addr, pp->mem_size);
diff --git a/queue-4.9/pci-enumerate-switches-below-pci-to-pcie-bridges.patch b/queue-4.9/pci-enumerate-switches-below-pci-to-pcie-bridges.patch
new file mode 100644
index 00000000000..86640ec2bf3
--- /dev/null
+++ b/queue-4.9/pci-enumerate-switches-below-pci-to-pcie-bridges.patch
@@ -0,0 +1,81 @@
+From 51ebfc92b72b4f7dac1ab45683bf56741e454b8c Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas
+Date: Wed, 11 Jan 2017 09:11:53 -0600
+Subject: PCI: Enumerate switches below PCI-to-PCIe bridges
+
+From: Bjorn Helgaas
+
+commit 51ebfc92b72b4f7dac1ab45683bf56741e454b8c upstream.
+
+A PCI-to-PCIe bridge (a "reverse bridge") has a PCI or PCI-X primary
+interface and a PCI Express secondary interface. The PCIe interface is a
+Downstream Port that originates a Link. See the "PCI Express to PCI/PCI-X
+Bridge Specification", rev 1.0, sections 1.2 and A.6.
+
+The bug report below involves a PCI-to-PCIe bridge and a PCIe switch below
+the bridge:
+
+ 00:1e.0 Intel 82801 PCI Bridge to [bus 01-0a]
+ 01:00.0 Pericom PI7C9X111SL PCIe-to-PCI Reversible Bridge to [bus 02-0a]
+ 02:00.0 Pericom Device 8608 [PCIe Upstream Port] to [bus 03-0a]
+ 03:01.0 Pericom Device 8608 [PCIe Downstream Port] to [bus 0a]
+
+01:00.0 is configured as a PCI-to-PCIe bridge (despite the name printed by
+lspci). As we traverse a PCIe hierarchy, device connections alternate
+between PCIe Links and internal Switch logic. Previously we did not
+recognize that 01:00.0 had a secondary link, so we thought the 02:00.0
+Upstream Port *did* have a secondary link. In fact, it's the other way
+around: 01:00.0 has a secondary link, and 02:00.0 has internal Switch logic
+on its secondary side.
+
+When we thought 02:00.0 had a secondary link, the pci_scan_slot() ->
+only_one_child() path assumed 02:00.0 could have only one child, so 03:00.0
+was the only possible downstream device. But 03:00.0 doesn't exist, so we
+didn't look for any other devices on bus 03.
+
+Booting with "pci=pcie_scan_all" is a workaround, but we don't want users
+to have to do that.
+
+Recognize that PCI-to-PCIe bridges originate links on their secondary
+interfaces.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=189361
+Fixes: d0751b98dfa3 ("PCI: Add dev->has_secondary_link to track downstream PCIe links")
+Tested-by: Blake Moore
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/probe.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1050,6 +1050,7 @@ void set_pcie_port_type(struct pci_dev *
+ pos = pci_find_capability(pdev, PCI_CAP_ID_EXP);
+ if (!pos)
+ return;
++
+ pdev->pcie_cap = pos;
+ pci_read_config_word(pdev, pos + PCI_EXP_FLAGS, ®16);
+ pdev->pcie_flags_reg = reg16;
+@@ -1057,13 +1058,14 @@ void set_pcie_port_type(struct pci_dev *
+ pdev->pcie_mpss = reg16 & PCI_EXP_DEVCAP_PAYLOAD;
+
+ /*
+- * A Root Port is always the upstream end of a Link. No PCIe
+- * component has two Links. Two Links are connected by a Switch
+- * that has a Port on each Link and internal logic to connect the
+- * two Ports.
++ * A Root Port or a PCI-to-PCIe bridge is always the upstream end
++ * of a Link. No PCIe component has two Links. Two Links are
++ * connected by a Switch that has a Port on each Link and internal
++ * logic to connect the two Ports.
+ */
+ type = pci_pcie_type(pdev);
+- if (type == PCI_EXP_TYPE_ROOT_PORT)
++ if (type == PCI_EXP_TYPE_ROOT_PORT ||
++ type == PCI_EXP_TYPE_PCIE_BRIDGE)
+ pdev->has_secondary_link = 1;
+ else if (type == PCI_EXP_TYPE_UPSTREAM ||
+ type == PCI_EXP_TYPE_DOWNSTREAM) {
diff --git a/queue-4.9/powerpc-icp-opal-fix-missing-kvm-case-and-harden-replay.patch b/queue-4.9/powerpc-icp-opal-fix-missing-kvm-case-and-harden-replay.patch
new file mode 100644
index 00000000000..e247c6a1dba
--- /dev/null
+++ b/queue-4.9/powerpc-icp-opal-fix-missing-kvm-case-and-harden-replay.patch
@@ -0,0 +1,87 @@
+From 9728a7c8ab2f7a1c8d5c95278d2e4f4ac1285385 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt
+Date: Mon, 16 Jan 2017 11:58:53 -0600
+Subject: powerpc/icp-opal: Fix missing KVM case and harden replay
+
+From: Benjamin Herrenschmidt
+
+commit 9728a7c8ab2f7a1c8d5c95278d2e4f4ac1285385 upstream.
+
+The icp-opal call is missing the code from icp-native to recover
+interrupts snatched by KVM. Without that, when running KVM, we can
+get into a situation where an interrupt is lost and the CPU stuck
+with an elevated CPPR.
+
+Also harden replay by always checking the return from opal_int_eoi().
+
+Fixes: d74361881f0d ("powerpc/xics: Add ICP OPAL backend")
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/sysdev/xics/icp-opal.c | 31 ++++++++++++++++++++++++-------
+ 1 file changed, 24 insertions(+), 7 deletions(-)
+
+--- a/arch/powerpc/sysdev/xics/icp-opal.c
++++ b/arch/powerpc/sysdev/xics/icp-opal.c
+@@ -20,6 +20,7 @@
+ #include
+ #include
+ #include
++#include
+
+ static void icp_opal_teardown_cpu(void)
+ {
+@@ -39,7 +40,26 @@ static void icp_opal_flush_ipi(void)
+ * Should we be flagging idle loop instead?
+ * Or creating some task to be scheduled?
+ */
+- opal_int_eoi((0x00 << 24) | XICS_IPI);
++ if (opal_int_eoi((0x00 << 24) | XICS_IPI) > 0)
++ force_external_irq_replay();
++}
++
++static unsigned int icp_opal_get_xirr(void)
++{
++ unsigned int kvm_xirr;
++ __be32 hw_xirr;
++ int64_t rc;
++
++ /* Handle an interrupt latched by KVM first */
++ kvm_xirr = kvmppc_get_xics_latch();
++ if (kvm_xirr)
++ return kvm_xirr;
++
++ /* Then ask OPAL */
++ rc = opal_int_get_xirr(&hw_xirr, false);
++ if (rc < 0)
++ return 0;
++ return be32_to_cpu(hw_xirr);
+ }
+
+ static unsigned int icp_opal_get_irq(void)
+@@ -47,12 +67,8 @@ static unsigned int icp_opal_get_irq(voi
+ unsigned int xirr;
+ unsigned int vec;
+ unsigned int irq;
+- int64_t rc;
+
+- rc = opal_int_get_xirr(&xirr, false);
+- if (rc < 0)
+- return 0;
+- xirr = be32_to_cpu(xirr);
++ xirr = icp_opal_get_xirr();
+ vec = xirr & 0x00ffffff;
+ if (vec == XICS_IRQ_SPURIOUS)
+ return 0;
+@@ -67,7 +83,8 @@ static unsigned int icp_opal_get_irq(voi
+ xics_mask_unknown_vec(vec);
+
+ /* We might learn about it later, so EOI it */
+- opal_int_eoi(xirr);
++ if (opal_int_eoi(xirr) > 0)
++ force_external_irq_replay();
+
+ return 0;
+ }
diff --git a/queue-4.9/powerpc-ignore-reserved-field-in-dcsr-and-pvr-reads-and-writes.patch b/queue-4.9/powerpc-ignore-reserved-field-in-dcsr-and-pvr-reads-and-writes.patch
new file mode 100644
index 00000000000..643edaabf0a
--- /dev/null
+++ b/queue-4.9/powerpc-ignore-reserved-field-in-dcsr-and-pvr-reads-and-writes.patch
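Review bot: In arch/powerpc/sysdev/xics/icp-opal.c the new `if (opal_int_eoi(...) > 0) force_external_irq_replay();` checks in icp_opal_flush_ipi() and icp_opal_get_irq() carry no comment saying what a positive return from opal_int_eoi() means, and the hunks do not show it either. A one-line comment at both sites, e.g. `/* opal_int_eoi() > 0: presumably more interrupts are pending, so force a replay - confirm against the OPAL API */`, would keep the check from being removed as dead code later. The new icp_opal_get_xirr() treats only `rc < 0` as failure while `hw_xirr` is declared without an initialiser; whether opal_int_get_xirr() can return a positive status that leaves it unwritten is not visible here and is worth confirming, or the declaration can become `__be32 hw_xirr = 0;`. icp_opal_flush_ipi() and icp_opal_get_irq() start outside the hunks.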
@@ -0,0 +1,60 @@
+From 178f358208ceb8b38e5cff3f815e0db4a6a70a07 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard
+Date: Thu, 19 Jan 2017 14:19:10 +1100
+Subject: powerpc: Ignore reserved field in DCSR and PVR reads and writes
+
+From: Anton Blanchard
+
+commit 178f358208ceb8b38e5cff3f815e0db4a6a70a07 upstream.
+
+IBM bit 31 (for the rest of us - bit 0) is a reserved field in the
+instruction definition of mtspr and mfspr. Hardware is encouraged to
+(and does) ignore it.
+
+As a result, if userspace executes an mtspr DSCR with the reserved bit
+set, we get a DSCR facility unavailable exception. The kernel fails to
+match against the expected value/mask, and we silently return to
+userspace to try and re-execute the same mtspr DSCR instruction. We
+loop forever until the process is killed.
+
+We should do something here, and it seems mirroring what hardware does
+is the better option vs killing the process. While here, relax the
+matching of mfspr PVR too.
+
+Signed-off-by: Anton Blanchard
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/include/asm/ppc-opcode.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/powerpc/include/asm/ppc-opcode.h
++++ b/arch/powerpc/include/asm/ppc-opcode.h
+@@ -157,7 +157,7 @@
+ #define PPC_INST_MCRXR 0x7c000400
+ #define PPC_INST_MCRXR_MASK 0xfc0007fe
+ #define PPC_INST_MFSPR_PVR 0x7c1f42a6
+-#define PPC_INST_MFSPR_PVR_MASK 0xfc1fffff
++#define PPC_INST_MFSPR_PVR_MASK 0xfc1ffffe
+ #define PPC_INST_MFTMR 0x7c0002dc
+ #define PPC_INST_MSGSND 0x7c00019c
+ #define PPC_INST_MSGCLR 0x7c0001dc
+@@ -174,13 +174,13 @@
+ #define PPC_INST_RFDI 0x4c00004e
+ #define PPC_INST_RFMCI 0x4c00004c
+ #define PPC_INST_MFSPR_DSCR 0x7c1102a6
+-#define PPC_INST_MFSPR_DSCR_MASK 0xfc1fffff
++#define PPC_INST_MFSPR_DSCR_MASK 0xfc1ffffe
+ #define PPC_INST_MTSPR_DSCR 0x7c1103a6
+-#define PPC_INST_MTSPR_DSCR_MASK 0xfc1fffff
++#define PPC_INST_MTSPR_DSCR_MASK 0xfc1ffffe
+ #define PPC_INST_MFSPR_DSCR_USER 0x7c0302a6
+-#define PPC_INST_MFSPR_DSCR_USER_MASK 0xfc1fffff
++#define PPC_INST_MFSPR_DSCR_USER_MASK 0xfc1ffffe
+ #define PPC_INST_MTSPR_DSCR_USER 0x7c0303a6
+-#define PPC_INST_MTSPR_DSCR_USER_MASK 0xfc1fffff
++#define PPC_INST_MTSPR_DSCR_USER_MASK 0xfc1ffffe
+ #define PPC_INST_MFVSRD 0x7c000066
+ #define PPC_INST_MTVSRD 0x7c000166
+ #define PPC_INST_SLBFEE 0x7c0007a7
diff --git a/queue-4.9/powerpc-perf-fix-pm_bru_cmpl-event-code-for-power9.patch b/queue-4.9/powerpc-perf-fix-pm_bru_cmpl-event-code-for-power9.patch
new file mode 100644
index 00000000000..3096ae24fa2
--- /dev/null
+++ b/queue-4.9/powerpc-perf-fix-pm_bru_cmpl-event-code-for-power9.patch
@@ -0,0 +1,32 @@
+From d89f473ff6f84872e761419f7233d6e00f99c340 Mon Sep 17 00:00:00 2001
+From: Madhavan Srinivasan
+Date: Mon, 9 Jan 2017 19:00:15 +0530
+Subject: powerpc/perf: Fix PM_BRU_CMPL event code for power9
+
+From: Madhavan Srinivasan
+
+commit d89f473ff6f84872e761419f7233d6e00f99c340 upstream.
+
+Use 0x10012 event code for PM_BRU_CMPL event in power9 event list
+instead of current 0x40060.
+
+Fixes: 34922527a2bcb ('powerpc/perf: Add power9 event list macros for generic and cache events')
+Signed-off-by: Madhavan Srinivasan
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/perf/power9-events-list.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/perf/power9-events-list.h
++++ b/arch/powerpc/perf/power9-events-list.h
+@@ -16,7 +16,7 @@ EVENT(PM_CYC, 0x0001e)
+ EVENT(PM_ICT_NOSLOT_CYC, 0x100f8)
+ EVENT(PM_CMPLU_STALL, 0x1e054)
+ EVENT(PM_INST_CMPL, 0x00002)
+-EVENT(PM_BRU_CMPL, 0x40060)
++EVENT(PM_BRU_CMPL, 0x10012)
+ EVENT(PM_BR_MPRED_CMPL, 0x400f6)
+
+ /* All L1 D cache load references counted at finish, gated by reject */
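Review bot: In arch/powerpc/include/asm/ppc-opcode.h the five masks changed from `0xfc1fffff` to `0xfc1ffffe` have no comment explaining why the low bit is left out of the match, so a later reader could take the value for a typo and restore the full mask. A comment above the definitions, e.g. `/* bit 0 of mfspr/mtspr is reserved and ignored by hardware, so it is excluded from the match */`, would record the reason given in the commit message. The code that applies these masks is outside the hunks; since an instruction word with the reserved bit set now matches, it is worth confirming that the emulation path extracts only the register field and never compares the whole word against the unmasked opcode again.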
diff --git a/queue-4.9/powerpc-ptrace-preserve-previous-fprs-vsrs-on-short-regset-write.patch b/queue-4.9/powerpc-ptrace-preserve-previous-fprs-vsrs-on-short-regset-write.patch
new file mode 100644
index 00000000000..7f1b3188d57
--- /dev/null
+++ b/queue-4.9/powerpc-ptrace-preserve-previous-fprs-vsrs-on-short-regset-write.patch
@@ -0,0 +1,44 @@
+From 99dfe80a2a246c600440a815741fd2e74a8b4977 Mon Sep 17 00:00:00 2001
+From: Dave Martin
+Date: Thu, 5 Jan 2017 16:50:57 +0000
+Subject: powerpc/ptrace: Preserve previous fprs/vsrs on short regset write
+
+From: Dave Martin
+
+commit 99dfe80a2a246c600440a815741fd2e74a8b4977 upstream.
+
+Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
+to fill all the registers, the thread's old registers are preserved.
+
+Fixes: c6e6771b87d4 ("powerpc: Introduce VSX thread_struct and CONFIG_VSX")
+Signed-off-by: Dave Martin
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/ptrace.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/powerpc/kernel/ptrace.c
++++ b/arch/powerpc/kernel/ptrace.c
+@@ -463,6 +463,10 @@ static int fpr_set(struct task_struct *t
+
+ flush_fp_to_thread(target);
+
++ for (i = 0; i < 32 ; i++)
++ buf[i] = target->thread.TS_FPR(i);
++ buf[32] = target->thread.fp_state.fpscr;
++
+ /* copy to local buffer then write that out */
+ i = user_regset_copyin(&pos, &count, &kbuf, &ubuf, buf, 0, -1);
+ if (i)
+@@ -672,6 +676,9 @@ static int vsr_set(struct task_struct *t
+ flush_altivec_to_thread(target);
+ flush_vsx_to_thread(target);
+
++ for (i = 0; i < 32 ; i++)
++ buf[i] = target->thread.fp_state.fpr[i][TS_VSRLOWOFFSET];
++
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+ buf, 0, 32 * sizeof(double));
+ if (!ret)
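Review bot: In arch/powerpc/kernel/ptrace.c the pre-fill loops added to fpr_set() and vsr_set() have no comment saying that they exist so a short PTRACE_SETREGSET write cannot leave part of the local `buf` uninitialised before it is written out to the thread state. A line above each loop such as `/* pre-load current values: a short write must not copy uninitialised stack into the registers */` would protect the fix from a later cleanup; the same applies to tm_cfpr_set() and tm_cvsx_set() in the patch that follows. The loops repeat the literal `32` and fpr_set() indexes `buf[32]`, while the declaration of `buf` is outside the hunks, so the bound cannot be checked from here; a named constant shared with the declaration would make it checkable. All four functions start and end outside the hunks.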
diff --git a/queue-4.9/powerpc-ptrace-preserve-previous-tm-fprs-vsrs-on-short-regset-write.patch b/queue-4.9/powerpc-ptrace-preserve-previous-tm-fprs-vsrs-on-short-regset-write.patch
new file mode 100644
index 00000000000..26d071390e0
--- /dev/null
+++ b/queue-4.9/powerpc-ptrace-preserve-previous-tm-fprs-vsrs-on-short-regset-write.patch
@@ -0,0 +1,46 @@
+From b34ca60148c53971d373643195cc5c4d5d20be78 Mon Sep 17 00:00:00 2001
+From: Dave Martin
+Date: Thu, 5 Jan 2017 16:50:57 +0000
+Subject: powerpc/ptrace: Preserve previous TM fprs/vsrs on short regset write
+
+From: Dave Martin
+
+commit b34ca60148c53971d373643195cc5c4d5d20be78 upstream.
+
+Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
+to fill all the check pointed registers, the thread's old check pointed
+registers are preserved.
+
+Fixes: 9d3918f7c0e5 ("powerpc/ptrace: Enable support for NT_PPC_CVSX")
+Fixes: 19cbcbf75a0c ("powerpc/ptrace: Enable support for NT_PPC_CFPR")
+Signed-off-by: Dave Martin
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/ptrace.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/powerpc/kernel/ptrace.c
++++ b/arch/powerpc/kernel/ptrace.c
+@@ -1026,6 +1026,10 @@ static int tm_cfpr_set(struct task_struc
+ flush_fp_to_thread(target);
+ flush_altivec_to_thread(target);
+
++ for (i = 0; i < 32; i++)
++ buf[i] = target->thread.TS_CKFPR(i);
++ buf[32] = target->thread.ckfp_state.fpscr;
++
+ /* copy to local buffer then write that out */
+ i = user_regset_copyin(&pos, &count, &kbuf, &ubuf, buf, 0, -1);
+ if (i)
+@@ -1290,6 +1294,9 @@ static int tm_cvsx_set(struct task_struc
+ flush_altivec_to_thread(target);
+ flush_vsx_to_thread(target);
+
++ for (i = 0; i < 32 ; i++)
++ buf[i] = target->thread.ckfp_state.fpr[i][TS_VSRLOWOFFSET];
++
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+ buf, 0, 32 * sizeof(double));
+ if (!ret)
diff --git a/queue-4.9/qla2xxx-fix-crash-due-to-null-pointer-access.patch b/queue-4.9/qla2xxx-fix-crash-due-to-null-pointer-access.patch
new file mode 100644
index 00000000000..bd706d5d003
--- /dev/null
+++ b/queue-4.9/qla2xxx-fix-crash-due-to-null-pointer-access.patch
@@ -0,0 +1,96 @@
+From fc1ffd6cb38a1c1af625b9833c41928039e733f5 Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Fri, 23 Dec 2016 18:06:10 -0800
+Subject: qla2xxx: Fix crash due to null pointer access
+
+From: Quinn Tran
+
+commit fc1ffd6cb38a1c1af625b9833c41928039e733f5 upstream.
+
+During code inspection, while investigating following stack trace
+seen on one of the test setup, we found out there was possibility
+of memory leak becuase driver was not unwinding the stack properly.
+
+This issue has not been reproduced in a test environment or on a
+customer setup.
+
+Here's stack trace that was seen.
+
+[1469877.797315] Call Trace:
+[1469877.799940] [] qla2x00_mem_alloc+0xb09/0x10c0 [qla2xxx]
+[1469877.806980] [] qla2x00_probe_one+0x86a/0x1b50 [qla2xxx]
+[1469877.814013] [] ? __pm_runtime_resume+0x51/0xa0
+[1469877.820265] [] ? _raw_spin_lock_irqsave+0x25/0x90
+[1469877.826776] [] ? _raw_spin_unlock_irqrestore+0x6d/0x80
+[1469877.833720] [] ? preempt_count_sub+0xb1/0x100
+[1469877.839885] [] ? _raw_spin_unlock_irqrestore+0x4c/0x80
+[1469877.846830] [] local_pci_probe+0x4c/0xb0
+[1469877.852562] [] ? preempt_count_sub+0xb1/0x100
+[1469877.858727] [] pci_call_probe+0x89/0xb0
+
+Signed-off-by: Quinn Tran
+Signed-off-by: Himanshu Madhani
+Reviewed-by: Christoph Hellwig
+[ bvanassche: Fixed spelling in patch description ]
+Signed-off-by: Bart Van Assche
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/qla_os.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -3489,7 +3489,7 @@ qla2x00_mem_alloc(struct qla_hw_data *ha
+ sizeof(struct ct6_dsd), 0,
+ SLAB_HWCACHE_ALIGN, NULL);
+ if (!ctx_cachep)
+- goto fail_free_gid_list;
++ goto fail_free_srb_mempool;
+ }
+ ha->ctx_mempool = mempool_create_slab_pool(SRB_MIN_REQ,
+ ctx_cachep);
+@@ -3642,7 +3642,7 @@ qla2x00_mem_alloc(struct qla_hw_data *ha
+ ha->loop_id_map = kzalloc(BITS_TO_LONGS(LOOPID_MAP_SIZE) * sizeof(long),
+ GFP_KERNEL);
+ if (!ha->loop_id_map)
+- goto fail_async_pd;
++ goto fail_loop_id_map;
+ else {
+ qla2x00_set_reserved_loop_ids(ha);
+ ql_dbg_pci(ql_dbg_init, ha->pdev, 0x0123,
+@@ -3651,6 +3651,8 @@ qla2x00_mem_alloc(struct qla_hw_data *ha
+
+ return 0;
+
++fail_loop_id_map:
++ dma_pool_free(ha->s_dma_pool, ha->async_pd, ha->async_pd_dma);
+ fail_async_pd:
+ dma_pool_free(ha->s_dma_pool, ha->ex_init_cb, ha->ex_init_cb_dma);
+ fail_ex_init_cb:
+@@ -3678,6 +3680,10 @@ fail_free_ms_iocb:
+ dma_pool_free(ha->s_dma_pool, ha->ms_iocb, ha->ms_iocb_dma);
+ ha->ms_iocb = NULL;
+ ha->ms_iocb_dma = 0;
++
++ if (ha->sns_cmd)
++ dma_free_coherent(&ha->pdev->dev, sizeof(struct sns_cmd_pkt),
++ ha->sns_cmd, ha->sns_cmd_dma);
+ fail_dma_pool:
+ if (IS_QLA82XX(ha) || ql2xenabledif) {
+ dma_pool_destroy(ha->fcp_cmnd_dma_pool);
+@@ -3695,10 +3701,12 @@ fail_free_nvram:
+ kfree(ha->nvram);
+ ha->nvram = NULL;
+ fail_free_ctx_mempool:
+- mempool_destroy(ha->ctx_mempool);
++ if (ha->ctx_mempool)
++ mempool_destroy(ha->ctx_mempool);
+ ha->ctx_mempool = NULL;
+ fail_free_srb_mempool:
+- mempool_destroy(ha->srb_mempool);
++ if (ha->srb_mempool)
++ mempool_destroy(ha->srb_mempool);
+ ha->srb_mempool = NULL;
+ fail_free_gid_list:
+ dma_free_coherent(&ha->pdev->dev, qla2x00_gid_list_size(ha),
diff --git a/queue-4.9/series b/queue-4.9/series
index c030b224892..78983c6ad00 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
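Review bot: In drivers/scsi/qla2xxx/qla_os.c the block added under fail_free_ms_iocb frees `ha->sns_cmd` with dma_free_coherent() but leaves the pointer set, while the lines directly above it reset `ha->ms_iocb = NULL; ha->ms_iocb_dma = 0;` after their free. If any later teardown path tests `ha->sns_cmd` again (not visible in the hunks), the stale pointer would be freed a second time; adding `ha->sns_cmd = NULL;` and `ha->sns_cmd_dma = 0;` after the call removes that risk. The same reasoning applies to `ha->async_pd`, freed under the new fail_loop_id_map label without being cleared. The `if (ha->ctx_mempool)` and `if (ha->srb_mempool)` guards look redundant if mempool_destroy() accepts NULL in this kernel series, which is worth confirming before keeping them. qla2x00_mem_alloc() starts and ends outside the hunks.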
@@ -32,3 +32,43 @@ x86-pci-ignore-_crs-on-supermicro-x8dth-i-6-if-6f.patch
 rcu-remove-cond_resched-from-tiny-synchronize_sched.patch
 rcu-narrow-early-boot-window-of-illegal-synchronous-grace-periods.patch
 sunrpc-don-t-call-sleeping-functions-from-the-notifier-block-callbacks.patch
+svcrpc-don-t-leak-contexts-on-proc_destroy.patch
+libnvdimm-namespace-fix-pmem-namespace-leak-delete-when-size-set-to-zero.patch
+arc-module-fix-config_arc_dw2_unwind-builds.patch
+fuse-clear-fr_pending-flag-when-moving-requests-out-of-pending-queue.patch
+fuse-fix-time_to_jiffies-nsec-sanity-check.patch
+pci-designware-check-for-iatu-unroll-only-on-platforms-that-use-atu.patch
+pci-enumerate-switches-below-pci-to-pcie-bridges.patch
+hid-corsair-fix-dma-buffers-on-stack.patch
+hid-corsair-fix-control-transfer-error-handling.patch
+mmc-sdhci-acpi-only-powered-up-enabled-acpi-child-devices.patch
+mmc-mxs-mmc-fix-additional-cycles-after-transmission-stop.patch
+ieee802154-atusb-do-not-use-the-stack-for-buffers-to-make-them-dma-able.patch
+mtd-nand-lpc32xx-fix-invalid-error-handling-of-a-requested-irq.patch
+mtd-nand-xway-disable-module-support.patch
+mtd-nand-xway-fix-build-because-of-module-functions.patch
+kvm-s390-do-not-expose-random-data-via-facility-bitmap.patch
+kvm-arm-arm64-vgic-fix-deadlock-on-error-handling.patch
+powerpc-icp-opal-fix-missing-kvm-case-and-harden-replay.patch
+powerpc-perf-fix-pm_bru_cmpl-event-code-for-power9.patch
+powerpc-ptrace-preserve-previous-fprs-vsrs-on-short-regset-write.patch
+powerpc-ptrace-preserve-previous-tm-fprs-vsrs-on-short-regset-write.patch
+powerpc-ignore-reserved-field-in-dcsr-and-pvr-reads-and-writes.patch
+x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch
+qla2xxx-fix-crash-due-to-null-pointer-access.patch
+mac80211-implement-multicast-forwarding-on-fast-rx-path.patch
+ubifs-fix-journal-replay-wrt.-xattr-nodes.patch
+clocksource-exynos_mct-clear-interrupt-when-cpu-is-shut-down.patch
+svcrdma-avoid-duplicate-dma-unmapping-during-error-recovery.patch
+arm-8634-1-hw_breakpoint-blacklist-scorpion-cpus.patch
+ibmvscsis-fix-sleeping-in-interrupt-context.patch
+ibmvscsis-fix-max-transfer-length.patch
+ceph-fix-bad-endianness-handling-in-parse_reply_info_extra.patch
+arm-dts-omap5-dra7-indicate-that-sata-port-0-is-available.patch
+arm-dts-da850-evm-fix-read-access-to-spi-flash.patch
+arm64-avoid-returning-from-bad_mode.patch
+arm64-ptrace-preserve-previous-registers-for-short-regset-write.patch
+arm64-ptrace-preserve-previous-registers-for-short-regset-write-2.patch
+arm64-ptrace-preserve-previous-registers-for-short-regset-write-3.patch
+arm64-ptrace-avoid-uninitialised-struct-padding-in-fpr_set.patch
+arm64-ptrace-reject-attempts-to-set-incomplete-hardware-breakpoint-fields.patch
diff --git a/queue-4.9/svcrdma-avoid-duplicate-dma-unmapping-during-error-recovery.patch b/queue-4.9/svcrdma-avoid-duplicate-dma-unmapping-during-error-recovery.patch
new file mode 100644
index 00000000000..77cb2326b94
--- /dev/null
+++ b/queue-4.9/svcrdma-avoid-duplicate-dma-unmapping-during-error-recovery.patch
@@ -0,0 +1,39 @@
+From ce1ca7d2d140a1f4aaffd297ac487f246963dd2f Mon Sep 17 00:00:00 2001
+From: Sriharsha Basavapatna
+Date: Mon, 9 Jan 2017 16:00:44 +0530
+Subject: svcrdma: avoid duplicate dma unmapping during error recovery
+
+From: Sriharsha Basavapatna
+
+commit ce1ca7d2d140a1f4aaffd297ac487f246963dd2f upstream.
+
+In rdma_read_chunk_frmr() when ib_post_send() fails, the error code path
+invokes ib_dma_unmap_sg() to unmap the sg list. It then invokes
+svc_rdma_put_frmr() which in turn tries to unmap the same sg list through
+ib_dma_unmap_sg() again. This second unmap is invalid and could lead to
+problems when the iova being unmapped is subsequently reused. Remove
+the call to unmap in rdma_read_chunk_frmr() and let svc_rdma_put_frmr()
+handle it.
+
+Fixes: 412a15c0fe53 ("svcrdma: Port to new memory registration API")
+Signed-off-by: Sriharsha Basavapatna
+Reviewed-by: Chuck Lever
+Reviewed-by: Yuval Shaia
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
++++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
+@@ -348,8 +348,6 @@ int rdma_read_chunk_frmr(struct svcxprt_
+ atomic_inc(&rdma_stat_read);
+ return ret;
+ err:
+- ib_dma_unmap_sg(xprt->sc_cm_id->device,
+- frmr->sg, frmr->sg_nents, frmr->direction);
+ svc_rdma_put_context(ctxt, 0);
+ svc_rdma_put_frmr(xprt, frmr);
+ return ret;
diff --git a/queue-4.9/svcrpc-don-t-leak-contexts-on-proc_destroy.patch b/queue-4.9/svcrpc-don-t-leak-contexts-on-proc_destroy.patch
new file mode 100644
index 00000000000..416bb0f7f19
--- /dev/null
+++ b/queue-4.9/svcrpc-don-t-leak-contexts-on-proc_destroy.patch
@@ -0,0 +1,37 @@
+From 78794d1890708cf94e3961261e52dcec2cc34722 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields"
+Date: Mon, 9 Jan 2017 17:15:18 -0500
+Subject: svcrpc: don't leak contexts on PROC_DESTROY
+
+From: J. Bruce Fields
+
+commit 78794d1890708cf94e3961261e52dcec2cc34722 upstream.
+
+Context expiry times are in units of seconds since boot, not unix time.
+
+The use of get_seconds() here therefore sets the expiry time decades in
+the future. This prevents timely freeing of contexts destroyed by
+client RPC_GSS_PROC_DESTROY requests. We'd still free them eventually
+(when the module is unloaded or the container shut down), but a lot of
+contexts could pile up before then.
+
+Fixes: c5b29f885afe "sunrpc: use seconds since boot in expiry cache"
+Reported-by: Andy Adamson
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sunrpc/auth_gss/svcauth_gss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -1489,7 +1489,7 @@ svcauth_gss_accept(struct svc_rqst *rqst
+ case RPC_GSS_PROC_DESTROY:
+ if (gss_write_verf(rqstp, rsci->mechctx, gc->gc_seq))
+ goto auth_err;
+- rsci->h.expiry_time = get_seconds();
++ rsci->h.expiry_time = seconds_since_boot();
+ set_bit(CACHE_NEGATIVE, &rsci->h.flags);
+ if (resv->iov_len + 4 > PAGE_SIZE)
+ goto drop;
diff --git a/queue-4.9/ubifs-fix-journal-replay-wrt.-xattr-nodes.patch b/queue-4.9/ubifs-fix-journal-replay-wrt.-xattr-nodes.patch
new file mode 100644
index 00000000000..5e298d61034
--- /dev/null
+++ b/queue-4.9/ubifs-fix-journal-replay-wrt.-xattr-nodes.patch
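Review bot: In net/sunrpc/auth_gss/svcauth_gss.c the corrected line `rsci->h.expiry_time = seconds_since_boot();` has no comment on the time base, which is exactly what the replaced get_seconds() call got wrong. A short comment at the assignment, `/* cache expiry_time is in seconds since boot, not wall-clock time */`, would make the unit visible where it matters, since a wrong base here lets destroyed GSS contexts accumulate. Other assignments to `expiry_time` in this file are outside the hunk and may deserve the same check. The RPC_GSS_PROC_DESTROY case continues outside the hunk.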
@@ -0,0 +1,85 @@
+From 1cb51a15b576ee325d527726afff40947218fd5e Mon Sep 17 00:00:00 2001
+From: Richard Weinberger
+Date: Tue, 10 Jan 2017 11:49:40 +0100
+Subject: ubifs: Fix journal replay wrt. xattr nodes
+
+From: Richard Weinberger
+
+commit 1cb51a15b576ee325d527726afff40947218fd5e upstream.
+
+When replaying the journal it can happen that a journal entry points to
+a garbage collected node.
+This is the case when a power-cut occurred between a garbage collect run
+and a commit. In such a case nodes have to be read using the failable
+read functions to detect whether the found node matches what we expect.
+
+One corner case was forgotten, when the journal contains an entry to
+remove an inode all xattrs have to be removed too. UBIFS models xattr
+like directory entries, so the TNC code iterates over
+all xattrs of the inode and removes them too. This code re-uses the
+functions for walking directories and calls ubifs_tnc_next_ent().
+ubifs_tnc_next_ent() expects to be used only after the journal and
+aborts when a node does not match the expected result. This behavior can
+render an UBIFS volume unmountable after a power-cut when xattrs are
+used.
+
+Fix this issue by using failable read functions in ubifs_tnc_next_ent()
+too when replaying the journal.
+Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
+Reported-by: Rock Lee
+Reviewed-by: David Gstir
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ubifs/tnc.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/fs/ubifs/tnc.c
++++ b/fs/ubifs/tnc.c
+@@ -34,6 +34,11 @@
+ #include
+ #include "ubifs.h"
+
++static int try_read_node(const struct ubifs_info *c, void *buf, int type,
++ int len, int lnum, int offs);
++static int fallible_read_node(struct ubifs_info *c, const union ubifs_key *key,
++ struct ubifs_zbranch *zbr, void *node);
++
+ /*
+ * Returned codes of 'matches_name()' and 'fallible_matches_name()' functions.
+ * @NAME_LESS: name corresponding to the first argument is less than second
+@@ -402,7 +407,19 @@ static int tnc_read_node_nm(struct ubifs
+ return 0;
+ }
+
+- err = ubifs_tnc_read_node(c, zbr, node);
++ if (c->replaying) {
++ err = fallible_read_node(c, &zbr->key, zbr, node);
++ /*
++ * When the node was not found, return -ENOENT, 0 otherwise.
++ * Negative return codes stay as-is.
++ */
++ if (err == 0)
++ err = -ENOENT;
++ else if (err == 1)
++ err = 0;
++ } else {
++ err = ubifs_tnc_read_node(c, zbr, node);
++ }
+ if (err)
+ return err;
+
+@@ -2766,7 +2783,11 @@ struct ubifs_dent_node *ubifs_tnc_next_e
+ if (nm->name) {
+ if (err) {
+ /* Handle collisions */
+- err = resolve_collision(c, key, &znode, &n, nm);
++ if (c->replaying)
++ err = fallible_resolve_collision(c, key, &znode, &n,
++ nm, 0);
++ else
++ err = resolve_collision(c, key, &znode, &n, nm);
+ dbg_tnc("rc returned %d, znode %p, n %d",
+ err, znode, n);
+ if (unlikely(err < 0))
diff --git a/queue-4.9/x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch b/queue-4.9/x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch
new file mode 100644
index 00000000000..663fe4181c1
--- /dev/null
+++ b/queue-4.9/x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch
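Review bot: In fs/ubifs/tnc.c the replay branch added to ubifs_tnc_next_ent() calls `fallible_resolve_collision(c, key, &znode, &n, nm, 0)` with a bare `0` as the last argument, and nothing in the hunk says what that argument selects. A comment naming the parameter would help, as would one stating that the function's return values are compatible with those of resolve_collision() for the `err < 0` test that follows; its definition is outside the hunk. In tnc_read_node_nm() the replay path now maps a not-found result to -ENOENT, so the callers (not visible here) should be confirmed to treat that as a node that has gone away rather than as corruption. Both functions start and end outside the hunks.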
@@ -0,0 +1,49 @@
+From 020eb3daaba2857b32c4cf4c82f503d6a00a67de Mon Sep 17 00:00:00 2001
+From: Ruslan Ruslichenko
+Date: Tue, 17 Jan 2017 16:13:52 +0200
+Subject: x86/ioapic: Restore IO-APIC irq_chip retrigger callback
+
+From: Ruslan Ruslichenko
+
+commit 020eb3daaba2857b32c4cf4c82f503d6a00a67de upstream.
+
+commit d32932d02e18 removed the irq_retrigger callback from the IO-APIC
+chip and did not add it to the new IO-APIC-IR irq chip.
+
+Unfortunately the software resend fallback is not enabled on X86, so edge
+interrupts which are received during the lazy disabled state of the
+interrupt line are not retriggered and therefor lost.
+
+Restore the callbacks.
+
+[ tglx: Massaged changelog ]
+
+Fixes: d32932d02e18 ("x86/irq: Convert IOAPIC to use hierarchical irqdomain interfaces")
+Signed-off-by: Ruslan Ruslichenko
+Cc: xe-linux-external@cisco.com
+Link: http://lkml.kernel.org/r/1484662432-13580-1-git-send-email-rruslich@cisco.com
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/apic/io_apic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -1876,6 +1876,7 @@ static struct irq_chip ioapic_chip __rea
+ .irq_ack = irq_chip_ack_parent,
+ .irq_eoi = ioapic_ack_level,
+ .irq_set_affinity = ioapic_set_affinity,
++ .irq_retrigger = irq_chip_retrigger_hierarchy,
+ .flags = IRQCHIP_SKIP_SET_WAKE,
+ };
+
+@@ -1887,6 +1888,7 @@ static struct irq_chip ioapic_ir_chip __
+ .irq_ack = irq_chip_ack_parent,
+ .irq_eoi = ioapic_ir_ack_level,
+ .irq_set_affinity = ioapic_set_affinity,
++ .irq_retrigger = irq_chip_retrigger_hierarchy,
+ .flags = IRQCHIP_SKIP_SET_WAKE,
+ };
+