From: Greg Kroah-Hartman Date: Fri, 10 Mar 2017 08:32:51 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.4.53~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=91849255d748ef2d353b471ed58c855f120be7fa;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: bcma-use-get-put-_device-when-probing-removing-device-driver.patch can-usb_8dev-fix-memory-leak-of-priv-cmd_msg_buffer.patch dmaengine-ipu-make-sure-the-interrupt-routine-checks-all-interrupts.patch drivers-hv-util-backup-fix-a-rescind-processing-issue.patch drivers-hv-util-fcopy-fix-a-rescind-processing-issue.patch drivers-hv-util-kvp-fix-a-rescind-processing-issue.patch gfs2-add-missing-rcu-locking-for-glock-lookup.patch hv-allocate-synic-pages-for-all-present-cpus.patch hv-init-percpu_list-in-hv_synic_alloc.patch iio-pressure-mpl115-do-not-rely-on-structure-field-ordering.patch iio-pressure-mpl3115-do-not-rely-on-structure-field-ordering.patch md-linear-fix-a-race-between-linear_add-and-linear_congested.patch nfsd-minor-nfsd_setattr-cleanup.patch nfsd-special-case-truncates-some-more.patch nfsv4-fix-getacl-erange-for-some-acl-buffer-sizes.patch nfsv4-fix-getacl-head-length-estimation.patch nfsv4-fix-memory-and-state-leak-in-_nfs4_open_and_get_state.patch powerpc-xmon-fix-data-breakpoint.patch rdma-core-fix-incorrect-structure-packing-for-booleans.patch rdma_cm-fail-iwarp-accepts-w-o-connection-params.patch rtc-sun6i-add-some-locking.patch rtc-sun6i-switch-to-the-external-oscillator.patch rtlwifi-fix-alignment-issues.patch rtlwifi-rtl8192c-common-fix-bug-kasan.patch usb-gadget-udc-fsl-add-missing-complete-function.patch usb-host-xhci-plat-check-hcc_params-after-add-hcd.patch usb-musb-da8xx-remove-cppi-3.0-quirk-and-methods.patch w1-don-t-leak-refcount-on-slave-attach-failure-in-w1_attach_slave_device.patch w1-ds2490-usb-transfer-buffers-need-to-be-dmaable.patch --- diff --git a/queue-4.4/bcma-use-get-put-_device-when-probing-removing-device-driver.patch b/queue-4.4/bcma-use-get-put-_device-when-probing-removing-device-driver.patch new file mode 100644 index 00000000000..bea43e4a835 --- /dev/null +++ b/queue-4.4/bcma-use-get-put-_device-when-probing-removing-device-driver.patch @@ -0,0 +1,44 @@ +From a971df0b9d04674e325346c17de9a895425ca5e1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= +Date: Sat, 28 Jan 2017 14:31:22 +0100 +Subject: bcma: use (get|put)_device when probing/removing device driver +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +commit a971df0b9d04674e325346c17de9a895425ca5e1 upstream. + +This allows tracking device state and e.g. makes devm work as expected. + +Signed-off-by: Rafał Miłecki +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bcma/main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/bcma/main.c ++++ b/drivers/bcma/main.c +@@ -640,8 +640,11 @@ static int bcma_device_probe(struct devi + drv); + int err = 0; + ++ get_device(dev); + if (adrv->probe) + err = adrv->probe(core); ++ if (err) ++ put_device(dev); + + return err; + } +@@ -654,6 +657,7 @@ static int bcma_device_remove(struct dev + + if (adrv->remove) + adrv->remove(core); ++ put_device(dev); + + return 0; + } diff --git a/queue-4.4/can-usb_8dev-fix-memory-leak-of-priv-cmd_msg_buffer.patch b/queue-4.4/can-usb_8dev-fix-memory-leak-of-priv-cmd_msg_buffer.patch new file mode 100644 index 00000000000..8b2574bb7e7 --- /dev/null +++ b/queue-4.4/can-usb_8dev-fix-memory-leak-of-priv-cmd_msg_buffer.patch @@ -0,0 +1,52 @@ +From 7c42631376306fb3f34d51fda546b50a9b6dd6ec Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Thu, 2 Mar 2017 12:03:40 +0100 +Subject: can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer + +From: Marc Kleine-Budde + +commit 7c42631376306fb3f34d51fda546b50a9b6dd6ec upstream. + +The priv->cmd_msg_buffer is allocated in the probe function, but never +kfree()ed. This patch converts the kzalloc() to resource-managed +kzalloc. + +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/usb_8dev.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/net/can/usb/usb_8dev.c ++++ b/drivers/net/can/usb/usb_8dev.c +@@ -954,8 +954,8 @@ static int usb_8dev_probe(struct usb_int + for (i = 0; i < MAX_TX_URBS; i++) + priv->tx_contexts[i].echo_index = MAX_TX_URBS; + +- priv->cmd_msg_buffer = kzalloc(sizeof(struct usb_8dev_cmd_msg), +- GFP_KERNEL); ++ priv->cmd_msg_buffer = devm_kzalloc(&intf->dev, sizeof(struct usb_8dev_cmd_msg), ++ GFP_KERNEL); + if (!priv->cmd_msg_buffer) + goto cleanup_candev; + +@@ -969,7 +969,7 @@ static int usb_8dev_probe(struct usb_int + if (err) { + netdev_err(netdev, + "couldn't register CAN device: %d\n", err); +- goto cleanup_cmd_msg_buffer; ++ goto cleanup_candev; + } + + err = usb_8dev_cmd_version(priv, &version); +@@ -990,9 +990,6 @@ static int usb_8dev_probe(struct usb_int + cleanup_unregister_candev: + unregister_netdev(priv->netdev); + +-cleanup_cmd_msg_buffer: +- kfree(priv->cmd_msg_buffer); +- + cleanup_candev: + free_candev(netdev); + diff --git a/queue-4.4/dmaengine-ipu-make-sure-the-interrupt-routine-checks-all-interrupts.patch b/queue-4.4/dmaengine-ipu-make-sure-the-interrupt-routine-checks-all-interrupts.patch new file mode 100644 index 00000000000..e7634f00b0c --- /dev/null +++ b/queue-4.4/dmaengine-ipu-make-sure-the-interrupt-routine-checks-all-interrupts.patch @@ -0,0 +1,37 @@ +From adee40b265d7568296e218f079f478197ffa15bf Mon Sep 17 00:00:00 2001 +From: Magnus Lilja +Date: Wed, 21 Dec 2016 22:13:58 +0100 +Subject: dmaengine: ipu: Make sure the interrupt routine checks all interrupts. + +From: Magnus Lilja + +commit adee40b265d7568296e218f079f478197ffa15bf upstream. + +Commit 3d8cc00073d6 ("dmaengine: ipu: Consolidate duplicated irq handlers") +consolidated the two interrupts routines into one, but the remaining +interrupt routine only checks the status of the error interrupts, not the +normal interrupts. + +This patch fixes that problem (tested on i.MX31 PDK board). + +Fixes: 3d8cc00073d6 ("dmaengine: ipu: Consolidate duplicated irq handlers") +Cc: Vinod Koul +Signed-off-by: Magnus Lilja +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/ipu/ipu_irq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/dma/ipu/ipu_irq.c ++++ b/drivers/dma/ipu/ipu_irq.c +@@ -272,7 +272,7 @@ static void ipu_irq_handler(struct irq_d + u32 status; + int i, line; + +- for (i = IPU_IRQ_NR_FN_BANKS; i < IPU_IRQ_NR_BANKS; i++) { ++ for (i = 0; i < IPU_IRQ_NR_BANKS; i++) { + struct ipu_irq_bank *bank = irq_bank + i; + + raw_spin_lock(&bank_lock); diff --git a/queue-4.4/drivers-hv-util-backup-fix-a-rescind-processing-issue.patch b/queue-4.4/drivers-hv-util-backup-fix-a-rescind-processing-issue.patch new file mode 100644 index 00000000000..6d70bb6f994 --- /dev/null +++ b/queue-4.4/drivers-hv-util-backup-fix-a-rescind-processing-issue.patch @@ -0,0 +1,51 @@ +From d77044d142e960f7b5f814a91ecb8bcf86aa552c Mon Sep 17 00:00:00 2001 +From: "K. Y. Srinivasan" +Date: Thu, 22 Dec 2016 16:54:03 -0800 +Subject: Drivers: hv: util: Backup: Fix a rescind processing issue + +From: K. Y. Srinivasan + +commit d77044d142e960f7b5f814a91ecb8bcf86aa552c upstream. + +VSS may use a char device to support the communication between +the user level daemon and the driver. When the VSS channel is rescinded +we need to make sure that the char device is fully cleaned up before +we can process a new VSS offer from the host. Implement this logic. + +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/hv_snapshot.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/hv/hv_snapshot.c ++++ b/drivers/hv/hv_snapshot.c +@@ -66,6 +66,7 @@ static int dm_reg_value; + static const char vss_devname[] = "vmbus/hv_vss"; + static __u8 *recv_buffer; + static struct hvutil_transport *hvt; ++static struct completion release_event; + + static void vss_send_op(struct work_struct *dummy); + static void vss_timeout_func(struct work_struct *dummy); +@@ -326,11 +327,13 @@ static void vss_on_reset(void) + if (cancel_delayed_work_sync(&vss_timeout_work)) + vss_respond_to_host(HV_E_FAIL); + vss_transaction.state = HVUTIL_DEVICE_INIT; ++ complete(&release_event); + } + + int + hv_vss_init(struct hv_util_service *srv) + { ++ init_completion(&release_event); + if (vmbus_proto_version < VERSION_WIN8_1) { + pr_warn("Integration service 'Backup (volume snapshot)'" + " not supported on this host version.\n"); +@@ -360,4 +363,5 @@ void hv_vss_deinit(void) + cancel_delayed_work_sync(&vss_timeout_work); + cancel_work_sync(&vss_send_op_work); + hvutil_transport_destroy(hvt); ++ wait_for_completion(&release_event); + } diff --git a/queue-4.4/drivers-hv-util-fcopy-fix-a-rescind-processing-issue.patch b/queue-4.4/drivers-hv-util-fcopy-fix-a-rescind-processing-issue.patch new file mode 100644 index 00000000000..c41ca4cb2a5 --- /dev/null +++ b/queue-4.4/drivers-hv-util-fcopy-fix-a-rescind-processing-issue.patch @@ -0,0 +1,52 @@ +From 20951c7535b5e6af46bc37b7142105f716df739c Mon Sep 17 00:00:00 2001 +From: "K. Y. Srinivasan" +Date: Thu, 22 Dec 2016 16:54:02 -0800 +Subject: Drivers: hv: util: Fcopy: Fix a rescind processing issue + +From: K. Y. Srinivasan + +commit 20951c7535b5e6af46bc37b7142105f716df739c upstream. + +Fcopy may use a char device to support the communication between +the user level daemon and the driver. When the Fcopy channel is rescinded +we need to make sure that the char device is fully cleaned up before +we can process a new Fcopy offer from the host. Implement this logic. + +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/hv_fcopy.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/hv/hv_fcopy.c ++++ b/drivers/hv/hv_fcopy.c +@@ -61,6 +61,7 @@ static DECLARE_WORK(fcopy_send_work, fco + static const char fcopy_devname[] = "vmbus/hv_fcopy"; + static u8 *recv_buffer; + static struct hvutil_transport *hvt; ++static struct completion release_event; + /* + * This state maintains the version number registered by the daemon. + */ +@@ -312,12 +313,14 @@ static void fcopy_on_reset(void) + + if (cancel_delayed_work_sync(&fcopy_timeout_work)) + fcopy_respond_to_host(HV_E_FAIL); ++ complete(&release_event); + } + + int hv_fcopy_init(struct hv_util_service *srv) + { + recv_buffer = srv->recv_buffer; + ++ init_completion(&release_event); + /* + * When this driver loads, the user level daemon that + * processes the host requests may not yet be running. +@@ -339,4 +342,5 @@ void hv_fcopy_deinit(void) + fcopy_transaction.state = HVUTIL_DEVICE_DYING; + cancel_delayed_work_sync(&fcopy_timeout_work); + hvutil_transport_destroy(hvt); ++ wait_for_completion(&release_event); + } diff --git a/queue-4.4/drivers-hv-util-kvp-fix-a-rescind-processing-issue.patch b/queue-4.4/drivers-hv-util-kvp-fix-a-rescind-processing-issue.patch new file mode 100644 index 00000000000..aea7d52a4c1 --- /dev/null +++ b/queue-4.4/drivers-hv-util-kvp-fix-a-rescind-processing-issue.patch @@ -0,0 +1,53 @@ +From 5a66fecbf6aa528e375cbebccb1061cc58d80c84 Mon Sep 17 00:00:00 2001 +From: "K. Y. Srinivasan" +Date: Thu, 22 Dec 2016 16:54:01 -0800 +Subject: Drivers: hv: util: kvp: Fix a rescind processing issue + +From: K. Y. Srinivasan + +commit 5a66fecbf6aa528e375cbebccb1061cc58d80c84 upstream. + +KVP may use a char device to support the communication between +the user level daemon and the driver. When the KVP channel is rescinded +we need to make sure that the char device is fully cleaned up before +we can process a new KVP offer from the host. Implement this logic. + +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/hv_kvp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/hv/hv_kvp.c ++++ b/drivers/hv/hv_kvp.c +@@ -86,6 +86,7 @@ static DECLARE_WORK(kvp_sendkey_work, kv + static const char kvp_devname[] = "vmbus/hv_kvp"; + static u8 *recv_buffer; + static struct hvutil_transport *hvt; ++static struct completion release_event; + /* + * Register the kernel component with the user-level daemon. + * As part of this registration, pass the LIC version number. +@@ -682,6 +683,7 @@ static void kvp_on_reset(void) + if (cancel_delayed_work_sync(&kvp_timeout_work)) + kvp_respond_to_host(NULL, HV_E_FAIL); + kvp_transaction.state = HVUTIL_DEVICE_INIT; ++ complete(&release_event); + } + + int +@@ -689,6 +691,7 @@ hv_kvp_init(struct hv_util_service *srv) + { + recv_buffer = srv->recv_buffer; + ++ init_completion(&release_event); + /* + * When this driver loads, the user level daemon that + * processes the host requests may not yet be running. +@@ -711,4 +714,5 @@ void hv_kvp_deinit(void) + cancel_delayed_work_sync(&kvp_timeout_work); + cancel_work_sync(&kvp_sendkey_work); + hvutil_transport_destroy(hvt); ++ wait_for_completion(&release_event); + } diff --git a/queue-4.4/gfs2-add-missing-rcu-locking-for-glock-lookup.patch b/queue-4.4/gfs2-add-missing-rcu-locking-for-glock-lookup.patch new file mode 100644 index 00000000000..dc15b7d147f --- /dev/null +++ b/queue-4.4/gfs2-add-missing-rcu-locking-for-glock-lookup.patch @@ -0,0 +1,54 @@ +From f38e5fb95a1f8feda88531eedc98f69b24748712 Mon Sep 17 00:00:00 2001 +From: Andrew Price +Date: Wed, 22 Feb 2017 12:05:03 -0500 +Subject: gfs2: Add missing rcu locking for glock lookup + +From: Andrew Price + +commit f38e5fb95a1f8feda88531eedc98f69b24748712 upstream. + +We must hold the rcu read lock across looking up glocks and trying to +bump their refcount to prevent the glocks from being freed in between. + +Signed-off-by: Andrew Price +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Bob Peterson +Signed-off-by: Greg Kroah-Hartman + +--- + fs/gfs2/glock.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -651,9 +651,11 @@ int gfs2_glock_get(struct gfs2_sbd *sdp, + struct kmem_cache *cachep; + int ret, tries = 0; + ++ rcu_read_lock(); + gl = rhashtable_lookup_fast(&gl_hash_table, &name, ht_parms); + if (gl && !lockref_get_not_dead(&gl->gl_lockref)) + gl = NULL; ++ rcu_read_unlock(); + + *glp = gl; + if (gl) +@@ -721,15 +723,18 @@ again: + + if (ret == -EEXIST) { + ret = 0; ++ rcu_read_lock(); + tmp = rhashtable_lookup_fast(&gl_hash_table, &name, ht_parms); + if (tmp == NULL || !lockref_get_not_dead(&tmp->gl_lockref)) { + if (++tries < 100) { ++ rcu_read_unlock(); + cond_resched(); + goto again; + } + tmp = NULL; + ret = -ENOMEM; + } ++ rcu_read_unlock(); + } else { + WARN_ON_ONCE(ret); + } diff --git a/queue-4.4/hv-allocate-synic-pages-for-all-present-cpus.patch b/queue-4.4/hv-allocate-synic-pages-for-all-present-cpus.patch new file mode 100644 index 00000000000..14b03efbc02 --- /dev/null +++ b/queue-4.4/hv-allocate-synic-pages-for-all-present-cpus.patch @@ -0,0 +1,41 @@ +From 421b8f20d3c381b215f988b42428f56fc3b82405 Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Wed, 7 Dec 2016 01:16:25 -0800 +Subject: hv: allocate synic pages for all present CPUs + +From: Vitaly Kuznetsov + +commit 421b8f20d3c381b215f988b42428f56fc3b82405 upstream. + +It may happen that not all CPUs are online when we do hv_synic_alloc() and +in case more CPUs come online later we may try accessing these allocated +structures. + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/hv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/hv/hv.c ++++ b/drivers/hv/hv.c +@@ -422,7 +422,7 @@ int hv_synic_alloc(void) + goto err; + } + +- for_each_online_cpu(cpu) { ++ for_each_present_cpu(cpu) { + hv_context.event_dpc[cpu] = kmalloc(size, GFP_ATOMIC); + if (hv_context.event_dpc[cpu] == NULL) { + pr_err("Unable to allocate event dpc\n"); +@@ -485,7 +485,7 @@ void hv_synic_free(void) + int cpu; + + kfree(hv_context.hv_numa_map); +- for_each_online_cpu(cpu) ++ for_each_present_cpu(cpu) + hv_synic_free_cpu(cpu); + } + diff --git a/queue-4.4/hv-init-percpu_list-in-hv_synic_alloc.patch b/queue-4.4/hv-init-percpu_list-in-hv_synic_alloc.patch new file mode 100644 index 00000000000..2cfb835e405 --- /dev/null +++ b/queue-4.4/hv-init-percpu_list-in-hv_synic_alloc.patch @@ -0,0 +1,41 @@ +From 3c7630d35009e6635e5b58d62de554fd5b6db5df Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Wed, 7 Dec 2016 01:16:26 -0800 +Subject: hv: init percpu_list in hv_synic_alloc() + +From: Vitaly Kuznetsov + +commit 3c7630d35009e6635e5b58d62de554fd5b6db5df upstream. + +Initializing hv_context.percpu_list in hv_synic_alloc() helps to prevent a +crash in percpu_channel_enq() when not all CPUs were online during +initialization and it naturally belongs there. + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/hv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/hv/hv.c ++++ b/drivers/hv/hv.c +@@ -461,6 +461,8 @@ int hv_synic_alloc(void) + pr_err("Unable to allocate post msg page\n"); + goto err; + } ++ ++ INIT_LIST_HEAD(&hv_context.percpu_list[cpu]); + } + + return 0; +@@ -555,8 +557,6 @@ void hv_synic_init(void *arg) + rdmsrl(HV_X64_MSR_VP_INDEX, vp_index); + hv_context.vp_index[cpu] = (u32)vp_index; + +- INIT_LIST_HEAD(&hv_context.percpu_list[cpu]); +- + /* + * Register the per-cpu clockevent source. + */ diff --git a/queue-4.4/iio-pressure-mpl115-do-not-rely-on-structure-field-ordering.patch b/queue-4.4/iio-pressure-mpl115-do-not-rely-on-structure-field-ordering.patch new file mode 100644 index 00000000000..c24ed7ae329 --- /dev/null +++ b/queue-4.4/iio-pressure-mpl115-do-not-rely-on-structure-field-ordering.patch @@ -0,0 +1,51 @@ +From 6a6e1d56a0769795a36c0461c64bf5e5b9bbb4c0 Mon Sep 17 00:00:00 2001 +From: Peter Rosin +Date: Wed, 1 Feb 2017 21:40:57 +0100 +Subject: iio: pressure: mpl115: do not rely on structure field ordering + +From: Peter Rosin + +commit 6a6e1d56a0769795a36c0461c64bf5e5b9bbb4c0 upstream. + +Fixes a regression triggered by a change in the layout of +struct iio_chan_spec, but the real bug is in the driver which assumed +a specific structure layout in the first place. Hint: the three bits were +not OR:ed together as implied by the indentation prior to this patch, +there was a comma between the first two, which accidentally moved the +..._SCALE and ..._OFFSET bits to the next structure field. That field +was .info_mask_shared_by_type before the _available attributes was added +by commit 51239600074b ("iio:core: add a callback to allow drivers to +provide _available attributes") and .info_mask_separate_available +afterwards, and the regression happened. + +info_mask_shared_by_type is actually a better choice than the originally +intended info_mask_separate for the ..._SCALE and ..._OFFSET bits since +a constant is returned from mpl115_read_raw for the scale/offset. Using +info_mask_shared_by_type also preserves the behavior from before the +regression and is therefore less likely to cause other interesting side +effects. + +The above mentioned regression causes unintended sysfs attibutes to +show up that are not backed by code, in turn causing a NULL pointer +defererence to happen on access. + +Fixes: 3017d90e8931 ("iio: Add Freescale MPL115A2 pressure / temperature sensor driver") +Fixes: 51239600074b ("iio:core: add a callback to allow drivers to provide _available attributes") +Signed-off-by: Peter Rosin +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/pressure/mpl115.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/pressure/mpl115.c ++++ b/drivers/iio/pressure/mpl115.c +@@ -136,6 +136,7 @@ static const struct iio_chan_spec mpl115 + { + .type = IIO_TEMP, + .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), ++ .info_mask_shared_by_type = + BIT(IIO_CHAN_INFO_OFFSET) | BIT(IIO_CHAN_INFO_SCALE), + }, + }; diff --git a/queue-4.4/iio-pressure-mpl3115-do-not-rely-on-structure-field-ordering.patch b/queue-4.4/iio-pressure-mpl3115-do-not-rely-on-structure-field-ordering.patch new file mode 100644 index 00000000000..d5c468cf3ed --- /dev/null +++ b/queue-4.4/iio-pressure-mpl3115-do-not-rely-on-structure-field-ordering.patch @@ -0,0 +1,128 @@ +From 9cf6cdba586ced75c69b8314b88b2d2f5ce9b3ed Mon Sep 17 00:00:00 2001 +From: Peter Rosin +Date: Wed, 1 Feb 2017 21:40:56 +0100 +Subject: iio: pressure: mpl3115: do not rely on structure field ordering + +From: Peter Rosin + +commit 9cf6cdba586ced75c69b8314b88b2d2f5ce9b3ed upstream. + +Fixes a regression triggered by a change in the layout of +struct iio_chan_spec, but the real bug is in the driver which assumed +a specific structure layout in the first place. Hint: the two bits were +not OR:ed together as implied by the indentation prior to this patch, +there was a comma between them, which accidentally moved the ..._SCALE +bit to the next structure field. That field was .info_mask_shared_by_type +before the _available attributes was added by commit 51239600074b +("iio:core: add a callback to allow drivers to provide _available +attributes") and .info_mask_separate_available afterwards, and the +regression happened. + +info_mask_shared_by_type is actually a better choice than the originally +intended info_mask_separate for the ..._SCALE bit since a constant is +returned from mpl3115_read_raw for the scale. Using +info_mask_shared_by_type also preserves the behavior from before the +regression and is therefore less likely to cause other interesting side +effects. + +The above mentioned regression causes an unintended sysfs attibute to +show up that is not backed by code, in turn causing the following NULL +pointer defererence to happen on access. + +Segmentation fault + +Unable to handle kernel NULL pointer dereference at virtual address 00000000 +pgd = ecc3c000 +[00000000] *pgd=87f91831 +Internal error: Oops: 80000007 [#1] SMP ARM +Modules linked in: +CPU: 1 PID: 1051 Comm: cat Not tainted 4.10.0-rc5-00009-gffd8858-dirty #3 +Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +task: ed54ec00 task.stack: ee2bc000 +PC is at 0x0 +LR is at iio_read_channel_info_avail+0x40/0x280 +pc : [<00000000>] lr : [] psr: a0070013 +sp : ee2bdda8 ip : 00000000 fp : ee2bddf4 +r10: c0a53c74 r9 : ed79f000 r8 : ee8d1018 +r7 : 00001000 r6 : 00000fff r5 : ee8b9a00 r4 : ed79f000 +r3 : ee2bddc4 r2 : ee2bddbc r1 : c0a86dcc r0 : ee8d1000 +Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +Control: 10c5387d Table: 3cc3c04a DAC: 00000051 +Process cat (pid: 1051, stack limit = 0xee2bc210) +Stack: (0xee2bdda8 to 0xee2be000) +dda0: ee2bddc0 00000002 c016d720 c016d394 ed54ec00 00000000 +ddc0: 60070013 ed413780 00000001 edffd480 ee8b9a00 00000fff 00001000 ee8d1018 +dde0: ed79f000 c0a53c74 ee2bde0c ee2bddf8 c0513c58 c06fbbe8 edffd480 edffd540 +de00: ee2bde3c ee2bde10 c0293474 c0513c40 c02933e4 ee2bde60 00000001 ed413780 +de20: 00000001 ed413780 00000000 edffd480 ee2bde4c ee2bde40 c0291d00 c02933f0 +de40: ee2bde9c ee2bde50 c024679c c0291ce0 edffd4b0 b6e37000 00020000 ee2bdf78 +de60: 00000000 00000000 ed54ec00 ed013200 00000817 c0a111fc edffd540 ed413780 +de80: b6e37000 00020000 00020000 ee2bdf78 ee2bded4 ee2bdea0 c0292890 c0246604 +dea0: c0117940 c016ba50 00000025 c0a111fc b6e37000 ed413780 ee2bdf78 00020000 +dec0: ee2bc000 b6e37000 ee2bdf44 ee2bded8 c021d158 c0292770 c0117764 b6e36004 +dee0: c0f0d7c4 ee2bdfb0 b6f89228 00021008 ee2bdfac ee2bdf00 c0101374 c0117770 +df00: 00000000 00000000 ee2bc000 00000000 ee2bdf34 ee2bdf20 c016ba04 c0171080 +df20: 00000000 00020000 ed413780 b6e37000 00000000 ee2bdf78 ee2bdf74 ee2bdf48 +df40: c021e7a0 c021d130 c023e300 c023e280 ee2bdf74 00000000 00000000 ed413780 +df60: ed413780 00020000 ee2bdfa4 ee2bdf78 c021e870 c021e71c 00000000 00000000 +df80: 00020000 00020000 b6e37000 00000003 c0108084 00000000 00000000 ee2bdfa8 +dfa0: c0107ee0 c021e838 00020000 00020000 00000003 b6e37000 00020000 0001a2b4 +dfc0: 00020000 00020000 b6e37000 00000003 7fffe000 00000000 00000000 00020000 +dfe0: 00000000 be98eb4c 0000c740 b6f1985c 60070010 00000003 00000000 00000000 +Backtrace: +[] (iio_read_channel_info_avail) from [] (dev_attr_show+0x24/0x50) + r10:c0a53c74 r9:ed79f000 r8:ee8d1018 r7:00001000 r6:00000fff r5:ee8b9a00 + r4:edffd480 +[] (dev_attr_show) from [] (sysfs_kf_seq_show+0x90/0x110) + r5:edffd540 r4:edffd480 +[] (sysfs_kf_seq_show) from [] (kernfs_seq_show+0x2c/0x30) + r10:edffd480 r9:00000000 r8:ed413780 r7:00000001 r6:ed413780 r5:00000001 + r4:ee2bde60 r3:c02933e4 +[] (kernfs_seq_show) from [] (seq_read+0x1a4/0x4e0) +[] (seq_read) from [] (kernfs_fop_read+0x12c/0x1cc) + r10:ee2bdf78 r9:00020000 r8:00020000 r7:b6e37000 r6:ed413780 r5:edffd540 + r4:c0a111fc +[] (kernfs_fop_read) from [] (__vfs_read+0x34/0x118) + r10:b6e37000 r9:ee2bc000 r8:00020000 r7:ee2bdf78 r6:ed413780 r5:b6e37000 + r4:c0a111fc +[] (__vfs_read) from [] (vfs_read+0x90/0x11c) + r8:ee2bdf78 r7:00000000 r6:b6e37000 r5:ed413780 r4:00020000 +[] (vfs_read) from [] (SyS_read+0x44/0x90) + r8:00020000 r7:ed413780 r6:ed413780 r5:00000000 r4:00000000 +[] (SyS_read) from [] (ret_fast_syscall+0x0/0x1c) + r10:00000000 r8:c0108084 r7:00000003 r6:b6e37000 r5:00020000 r4:00020000 +Code: bad PC value +---[ end trace 9c4938ccd0389004 ]--- + +Fixes: cc26ad455f57 ("iio: Add Freescale MPL3115A2 pressure / temperature sensor driver") +Fixes: 51239600074b ("iio:core: add a callback to allow drivers to provide _available attributes") +Reported-by: Ken Lin +Tested-by: Ken Lin +Signed-off-by: Peter Rosin +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/pressure/mpl3115.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/pressure/mpl3115.c ++++ b/drivers/iio/pressure/mpl3115.c +@@ -182,7 +182,7 @@ static const struct iio_chan_spec mpl311 + { + .type = IIO_PRESSURE, + .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- BIT(IIO_CHAN_INFO_SCALE), ++ .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), + .scan_index = 0, + .scan_type = { + .sign = 'u', +@@ -195,7 +195,7 @@ static const struct iio_chan_spec mpl311 + { + .type = IIO_TEMP, + .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), +- BIT(IIO_CHAN_INFO_SCALE), ++ .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), + .scan_index = 1, + .scan_type = { + .sign = 's', diff --git a/queue-4.4/md-linear-fix-a-race-between-linear_add-and-linear_congested.patch b/queue-4.4/md-linear-fix-a-race-between-linear_add-and-linear_congested.patch new file mode 100644 index 00000000000..50950dcc2bf --- /dev/null +++ b/queue-4.4/md-linear-fix-a-race-between-linear_add-and-linear_congested.patch @@ -0,0 +1,171 @@ +From 03a9e24ef2aaa5f1f9837356aed79c860521407a Mon Sep 17 00:00:00 2001 +From: "colyli@suse.de" +Date: Sat, 28 Jan 2017 21:11:49 +0800 +Subject: md linear: fix a race between linear_add() and linear_congested() + +From: colyli@suse.de + +commit 03a9e24ef2aaa5f1f9837356aed79c860521407a upstream. + +Recently I receive a bug report that on Linux v3.0 based kerenl, hot add +disk to a md linear device causes kernel crash at linear_congested(). From +the crash image analysis, I find in linear_congested(), mddev->raid_disks +contains value N, but conf->disks[] only has N-1 pointers available. Then +a NULL pointer deference crashes the kernel. + +There is a race between linear_add() and linear_congested(), RCU stuffs +used in these two functions cannot avoid the race. Since Linuv v4.0 +RCU code is replaced by introducing mddev_suspend(). After checking the +upstream code, it seems linear_congested() is not called in +generic_make_request() code patch, so mddev_suspend() cannot provent it +from being called. The possible race still exists. + +Here I explain how the race still exists in current code. For a machine +has many CPUs, on one CPU, linear_add() is called to add a hard disk to a +md linear device; at the same time on other CPU, linear_congested() is +called to detect whether this md linear device is congested before issuing +an I/O request onto it. + +Now I use a possible code execution time sequence to demo how the possible +race happens, + +seq linear_add() linear_congested() + 0 conf=mddev->private + 1 oldconf=mddev->private + 2 mddev->raid_disks++ + 3 for (i=0; iraid_disks;i++) + 4 bdev_get_queue(conf->disks[i].rdev->bdev) + 5 mddev->private=newconf + +In linear_add() mddev->raid_disks is increased in time seq 2, and on +another CPU in linear_congested() the for-loop iterates conf->disks[i] by +the increased mddev->raid_disks in time seq 3,4. But conf with one more +element (which is a pointer to struct dev_info type) to conf->disks[] is +not updated yet, accessing its structure member in time seq 4 will cause a +NULL pointer deference fault. + +To fix this race, there are 2 parts of modification in the patch, + 1) Add 'int raid_disks' in struct linear_conf, as a copy of + mddev->raid_disks. It is initialized in linear_conf(), always being + consistent with pointers number of 'struct dev_info disks[]'. When + iterating conf->disks[] in linear_congested(), use conf->raid_disks to + replace mddev->raid_disks in the for-loop, then NULL pointer deference + will not happen again. + 2) RCU stuffs are back again, and use kfree_rcu() in linear_add() to + free oldconf memory. Because oldconf may be referenced as mddev->private + in linear_congested(), kfree_rcu() makes sure that its memory will not + be released until no one uses it any more. +Also some code comments are added in this patch, to make this modification +to be easier understandable. + +This patch can be applied for kernels since v4.0 after commit: +3be260cc18f8 ("md/linear: remove rcu protections in favour of +suspend/resume"). But this bug is reported on Linux v3.0 based kernel, for +people who maintain kernels before Linux v4.0, they need to do some back +back port to this patch. + +Changelog: + - V3: add 'int raid_disks' in struct linear_conf, and use kfree_rcu() to + replace rcu_call() in linear_add(). + - v2: add RCU stuffs by suggestion from Shaohua and Neil. + - v1: initial effort. + +Signed-off-by: Coly Li +Cc: Shaohua Li +Cc: Neil Brown +Signed-off-by: Shaohua Li +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/linear.c | 39 ++++++++++++++++++++++++++++++++++----- + drivers/md/linear.h | 1 + + 2 files changed, 35 insertions(+), 5 deletions(-) + +--- a/drivers/md/linear.c ++++ b/drivers/md/linear.c +@@ -52,18 +52,26 @@ static inline struct dev_info *which_dev + return conf->disks + lo; + } + ++/* ++ * In linear_congested() conf->raid_disks is used as a copy of ++ * mddev->raid_disks to iterate conf->disks[], because conf->raid_disks ++ * and conf->disks[] are created in linear_conf(), they are always ++ * consitent with each other, but mddev->raid_disks does not. ++ */ + static int linear_congested(struct mddev *mddev, int bits) + { + struct linear_conf *conf; + int i, ret = 0; + +- conf = mddev->private; ++ rcu_read_lock(); ++ conf = rcu_dereference(mddev->private); + +- for (i = 0; i < mddev->raid_disks && !ret ; i++) { ++ for (i = 0; i < conf->raid_disks && !ret ; i++) { + struct request_queue *q = bdev_get_queue(conf->disks[i].rdev->bdev); + ret |= bdi_congested(&q->backing_dev_info, bits); + } + ++ rcu_read_unlock(); + return ret; + } + +@@ -143,6 +151,19 @@ static struct linear_conf *linear_conf(s + conf->disks[i-1].end_sector + + conf->disks[i].rdev->sectors; + ++ /* ++ * conf->raid_disks is copy of mddev->raid_disks. The reason to ++ * keep a copy of mddev->raid_disks in struct linear_conf is, ++ * mddev->raid_disks may not be consistent with pointers number of ++ * conf->disks[] when it is updated in linear_add() and used to ++ * iterate old conf->disks[] earray in linear_congested(). ++ * Here conf->raid_disks is always consitent with number of ++ * pointers in conf->disks[] array, and mddev->private is updated ++ * with rcu_assign_pointer() in linear_addr(), such race can be ++ * avoided. ++ */ ++ conf->raid_disks = raid_disks; ++ + return conf; + + out: +@@ -195,15 +216,23 @@ static int linear_add(struct mddev *mdde + if (!newconf) + return -ENOMEM; + ++ /* newconf->raid_disks already keeps a copy of * the increased ++ * value of mddev->raid_disks, WARN_ONCE() is just used to make ++ * sure of this. It is possible that oldconf is still referenced ++ * in linear_congested(), therefore kfree_rcu() is used to free ++ * oldconf until no one uses it anymore. ++ */ + mddev_suspend(mddev); +- oldconf = mddev->private; ++ oldconf = rcu_dereference(mddev->private); + mddev->raid_disks++; +- mddev->private = newconf; ++ WARN_ONCE(mddev->raid_disks != newconf->raid_disks, ++ "copied raid_disks doesn't match mddev->raid_disks"); ++ rcu_assign_pointer(mddev->private, newconf); + md_set_array_sectors(mddev, linear_size(mddev, 0, 0)); + set_capacity(mddev->gendisk, mddev->array_sectors); + mddev_resume(mddev); + revalidate_disk(mddev->gendisk); +- kfree(oldconf); ++ kfree_rcu(oldconf, rcu); + return 0; + } + +--- a/drivers/md/linear.h ++++ b/drivers/md/linear.h +@@ -10,6 +10,7 @@ struct linear_conf + { + struct rcu_head rcu; + sector_t array_sectors; ++ int raid_disks; /* a copy of mddev->raid_disks */ + struct dev_info disks[0]; + }; + #endif diff --git a/queue-4.4/nfsd-minor-nfsd_setattr-cleanup.patch b/queue-4.4/nfsd-minor-nfsd_setattr-cleanup.patch new file mode 100644 index 00000000000..09972515e4b --- /dev/null +++ b/queue-4.4/nfsd-minor-nfsd_setattr-cleanup.patch @@ -0,0 +1,97 @@ +From 758e99fefe1d9230111296956335cd35995c0eaf Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Mon, 20 Feb 2017 17:04:42 -0500 +Subject: nfsd: minor nfsd_setattr cleanup + +From: Christoph Hellwig + +commit 758e99fefe1d9230111296956335cd35995c0eaf upstream. + +Simplify exit paths, size_change use. + +Signed-off-by: Christoph Hellwig +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/vfs.c | 29 ++++++++++++----------------- + 1 file changed, 12 insertions(+), 17 deletions(-) + +--- a/fs/nfsd/vfs.c ++++ b/fs/nfsd/vfs.c +@@ -369,7 +369,7 @@ nfsd_setattr(struct svc_rqst *rqstp, str + __be32 err; + int host_err; + bool get_write_count; +- int size_change = 0; ++ bool size_change = (iap->ia_valid & ATTR_SIZE); + + if (iap->ia_valid & (ATTR_ATIME | ATTR_MTIME | ATTR_SIZE)) + accmode |= NFSD_MAY_WRITE|NFSD_MAY_OWNER_OVERRIDE; +@@ -382,11 +382,11 @@ nfsd_setattr(struct svc_rqst *rqstp, str + /* Get inode */ + err = fh_verify(rqstp, fhp, ftype, accmode); + if (err) +- goto out; ++ return err; + if (get_write_count) { + host_err = fh_want_write(fhp); + if (host_err) +- return nfserrno(host_err); ++ goto out; + } + + dentry = fhp->fh_dentry; +@@ -397,19 +397,21 @@ nfsd_setattr(struct svc_rqst *rqstp, str + iap->ia_valid &= ~ATTR_MODE; + + if (!iap->ia_valid) +- goto out; ++ return 0; + + nfsd_sanitize_attrs(inode, iap); + ++ if (check_guard && guardtime != inode->i_ctime.tv_sec) ++ return nfserr_notsync; ++ + /* + * The size case is special, it changes the file in addition to the + * attributes. + */ +- if (iap->ia_valid & ATTR_SIZE) { ++ if (size_change) { + err = nfsd_get_write_access(rqstp, fhp, iap); + if (err) +- goto out; +- size_change = 1; ++ return err; + + /* + * RFC5661, Section 18.30.4: +@@ -424,23 +426,16 @@ nfsd_setattr(struct svc_rqst *rqstp, str + + iap->ia_valid |= ATTR_CTIME; + +- if (check_guard && guardtime != inode->i_ctime.tv_sec) { +- err = nfserr_notsync; +- goto out_put_write_access; +- } +- + fh_lock(fhp); + host_err = notify_change(dentry, iap, NULL); + fh_unlock(fhp); +- err = nfserrno(host_err); + +-out_put_write_access: + if (size_change) + put_write_access(inode); +- if (!err) +- err = nfserrno(commit_metadata(fhp)); + out: +- return err; ++ if (!host_err) ++ host_err = commit_metadata(fhp); ++ return nfserrno(host_err); + } + + #if defined(CONFIG_NFSD_V4) diff --git a/queue-4.4/nfsd-special-case-truncates-some-more.patch b/queue-4.4/nfsd-special-case-truncates-some-more.patch new file mode 100644 index 00000000000..d6d91038c46 --- /dev/null +++ b/queue-4.4/nfsd-special-case-truncates-some-more.patch @@ -0,0 +1,94 @@ +From 783112f7401ff449d979530209b3f6c2594fdb4e Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Mon, 20 Feb 2017 07:21:33 +0100 +Subject: nfsd: special case truncates some more + +From: Christoph Hellwig + +commit 783112f7401ff449d979530209b3f6c2594fdb4e upstream. + +Both the NFS protocols and the Linux VFS use a setattr operation with a +bitmap of attributes to set to set various file attributes including the +file size and the uid/gid. + +The Linux syscalls never mix size updates with unrelated updates like +the uid/gid, and some file systems like XFS and GFS2 rely on the fact +that truncates don't update random other attributes, and many other file +systems handle the case but do not update the other attributes in the +same transaction. NFSD on the other hand passes the attributes it gets +on the wire more or less directly through to the VFS, leading to updates +the file systems don't expect. XFS at least has an assert on the +allowed attributes, which caught an unusual NFS client setting the size +and group at the same time. + +To handle this issue properly this splits the notify_change call in +nfsd_setattr into two separate ones. + +Signed-off-by: Christoph Hellwig +Tested-by: Chuck Lever +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/vfs.c | 32 ++++++++++++++++++++++++++------ + 1 file changed, 26 insertions(+), 6 deletions(-) + +--- a/fs/nfsd/vfs.c ++++ b/fs/nfsd/vfs.c +@@ -406,13 +406,19 @@ nfsd_setattr(struct svc_rqst *rqstp, str + + /* + * The size case is special, it changes the file in addition to the +- * attributes. ++ * attributes, and file systems don't expect it to be mixed with ++ * "random" attribute changes. We thus split out the size change ++ * into a separate call to ->setattr, and do the rest as a separate ++ * setattr call. + */ + if (size_change) { + err = nfsd_get_write_access(rqstp, fhp, iap); + if (err) + return err; ++ } + ++ fh_lock(fhp); ++ if (size_change) { + /* + * RFC5661, Section 18.30.4: + * Changing the size of a file with SETATTR indirectly +@@ -420,16 +426,30 @@ nfsd_setattr(struct svc_rqst *rqstp, str + * + * (and similar for the older RFCs) + */ +- if (iap->ia_size != i_size_read(inode)) +- iap->ia_valid |= ATTR_MTIME; ++ struct iattr size_attr = { ++ .ia_valid = ATTR_SIZE | ATTR_CTIME | ATTR_MTIME, ++ .ia_size = iap->ia_size, ++ }; ++ ++ host_err = notify_change(dentry, &size_attr, NULL); ++ if (host_err) ++ goto out_unlock; ++ iap->ia_valid &= ~ATTR_SIZE; ++ ++ /* ++ * Avoid the additional setattr call below if the only other ++ * attribute that the client sends is the mtime, as we update ++ * it as part of the size change above. ++ */ ++ if ((iap->ia_valid & ~ATTR_MTIME) == 0) ++ goto out_unlock; + } + + iap->ia_valid |= ATTR_CTIME; +- +- fh_lock(fhp); + host_err = notify_change(dentry, iap, NULL); +- fh_unlock(fhp); + ++out_unlock: ++ fh_unlock(fhp); + if (size_change) + put_write_access(inode); + out: diff --git a/queue-4.4/nfsv4-fix-getacl-erange-for-some-acl-buffer-sizes.patch b/queue-4.4/nfsv4-fix-getacl-erange-for-some-acl-buffer-sizes.patch new file mode 100644 index 00000000000..5f8aa576ce6 --- /dev/null +++ b/queue-4.4/nfsv4-fix-getacl-erange-for-some-acl-buffer-sizes.patch @@ -0,0 +1,50 @@ +From ed92d8c137b7794c2c2aa14479298b9885967607 Mon Sep 17 00:00:00 2001 +From: Weston Andros Adamson +Date: Thu, 23 Feb 2017 14:54:21 -0500 +Subject: NFSv4: fix getacl ERANGE for some ACL buffer sizes + +From: Weston Andros Adamson + +commit ed92d8c137b7794c2c2aa14479298b9885967607 upstream. + +We're not taking into account that the space needed for the (variable +length) attr bitmap, with the result that we'd sometimes get a spurious +ERANGE when the ACL data got close to the end of a page. + +Just add in an extra page to make sure. + +Signed-off-by: Weston Andros Adamson +Signed-off-by: J. Bruce Fields +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -4711,7 +4711,7 @@ out: + */ + static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen) + { +- struct page *pages[NFS4ACL_MAXPAGES] = {NULL, }; ++ struct page *pages[NFS4ACL_MAXPAGES + 1] = {NULL, }; + struct nfs_getaclargs args = { + .fh = NFS_FH(inode), + .acl_pages = pages, +@@ -4725,13 +4725,9 @@ static ssize_t __nfs4_get_acl_uncached(s + .rpc_argp = &args, + .rpc_resp = &res, + }; +- unsigned int npages = DIV_ROUND_UP(buflen, PAGE_SIZE); ++ unsigned int npages = DIV_ROUND_UP(buflen, PAGE_SIZE) + 1; + int ret = -ENOMEM, i; + +- /* As long as we're doing a round trip to the server anyway, +- * let's be prepared for a page of acl data. */ +- if (npages == 0) +- npages = 1; + if (npages > ARRAY_SIZE(pages)) + return -ERANGE; + diff --git a/queue-4.4/nfsv4-fix-getacl-head-length-estimation.patch b/queue-4.4/nfsv4-fix-getacl-head-length-estimation.patch new file mode 100644 index 00000000000..ba429457bdb --- /dev/null +++ b/queue-4.4/nfsv4-fix-getacl-head-length-estimation.patch @@ -0,0 +1,36 @@ +From 6682c14bbe505a8b912c57faf544f866777ee48d Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Thu, 23 Feb 2017 14:53:39 -0500 +Subject: NFSv4: fix getacl head length estimation + +From: J. Bruce Fields + +commit 6682c14bbe505a8b912c57faf544f866777ee48d upstream. + +Bitmap and attrlen follow immediately after the op reply header. This +was an oversight from commit bf118a342f. + +Consequences of this are just minor efficiency (extra calls to +xdr_shrink_bufhead). + +Fixes: bf118a342f10 "NFSv4: include bitmap in nfsv4 get acl data" +Reviewed-by: Kinglong Mee +Signed-off-by: J. Bruce Fields +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4xdr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/nfs4xdr.c ++++ b/fs/nfs/nfs4xdr.c +@@ -2487,7 +2487,7 @@ static void nfs4_xdr_enc_getacl(struct r + encode_compound_hdr(xdr, req, &hdr); + encode_sequence(xdr, &args->seq_args, &hdr); + encode_putfh(xdr, args->fh, &hdr); +- replen = hdr.replen + op_decode_hdr_maxsz + 1; ++ replen = hdr.replen + op_decode_hdr_maxsz; + encode_getattr_two(xdr, FATTR4_WORD0_ACL, 0, &hdr); + + xdr_inline_pages(&req->rq_rcv_buf, replen << 2, diff --git a/queue-4.4/nfsv4-fix-memory-and-state-leak-in-_nfs4_open_and_get_state.patch b/queue-4.4/nfsv4-fix-memory-and-state-leak-in-_nfs4_open_and_get_state.patch new file mode 100644 index 00000000000..57f858626df --- /dev/null +++ b/queue-4.4/nfsv4-fix-memory-and-state-leak-in-_nfs4_open_and_get_state.patch @@ -0,0 +1,40 @@ +From a974deee477af89411e0f80456bfb344ac433c98 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Wed, 8 Feb 2017 11:29:46 -0500 +Subject: NFSv4: Fix memory and state leak in _nfs4_open_and_get_state + +From: Trond Myklebust + +commit a974deee477af89411e0f80456bfb344ac433c98 upstream. + +If we exit because the file access check failed, we currently +leak the struct nfs4_state. We need to attach it to the +open context before returning. + +Fixes: 3efb9722475e ("NFSv4: Refactor _nfs4_open_and_get_state..") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -2452,6 +2452,7 @@ static int _nfs4_open_and_get_state(stru + ret = PTR_ERR(state); + if (IS_ERR(state)) + goto out; ++ ctx->state = state; + if (server->caps & NFS_CAP_POSIX_LOCK) + set_bit(NFS_STATE_POSIX_LOCKS, &state->flags); + +@@ -2474,7 +2475,6 @@ static int _nfs4_open_and_get_state(stru + if (ret != 0) + goto out; + +- ctx->state = state; + if (d_inode(dentry) == state->inode) { + nfs_inode_attach_open_context(ctx); + if (read_seqcount_retry(&sp->so_reclaim_seqcount, seq)) diff --git a/queue-4.4/powerpc-xmon-fix-data-breakpoint.patch b/queue-4.4/powerpc-xmon-fix-data-breakpoint.patch new file mode 100644 index 00000000000..a4494cd29c9 --- /dev/null +++ b/queue-4.4/powerpc-xmon-fix-data-breakpoint.patch @@ -0,0 +1,44 @@ +From c21a493a2b44650707d06741601894329486f2ad Mon Sep 17 00:00:00 2001 +From: Ravi Bangoria +Date: Tue, 22 Nov 2016 14:55:59 +0530 +Subject: powerpc/xmon: Fix data-breakpoint + +From: Ravi Bangoria + +commit c21a493a2b44650707d06741601894329486f2ad upstream. + +Currently xmon data-breakpoint feature is broken. + +Whenever there is a watchpoint match occurs, hw_breakpoint_handler will +be called by do_break via notifier chains mechanism. If watchpoint is +registered by xmon, hw_breakpoint_handler won't find any associated +perf_event and returns immediately with NOTIFY_STOP. Similarly, do_break +also returns without notifying to xmon. + +Solve this by returning NOTIFY_DONE when hw_breakpoint_handler does not +find any perf_event associated with matched watchpoint, rather than +NOTIFY_STOP, which tells the core code to continue calling the other +breakpoint handlers including the xmon one. + +Signed-off-by: Ravi Bangoria +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/hw_breakpoint.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/hw_breakpoint.c ++++ b/arch/powerpc/kernel/hw_breakpoint.c +@@ -227,8 +227,10 @@ int __kprobes hw_breakpoint_handler(stru + rcu_read_lock(); + + bp = __this_cpu_read(bp_per_reg); +- if (!bp) ++ if (!bp) { ++ rc = NOTIFY_DONE; + goto out; ++ } + info = counter_arch_bp(bp); + + /* diff --git a/queue-4.4/rdma-core-fix-incorrect-structure-packing-for-booleans.patch b/queue-4.4/rdma-core-fix-incorrect-structure-packing-for-booleans.patch new file mode 100644 index 00000000000..366dde8e124 --- /dev/null +++ b/queue-4.4/rdma-core-fix-incorrect-structure-packing-for-booleans.patch @@ -0,0 +1,63 @@ +From 55efcfcd7776165b294f8b5cd6e05ca00ec89b7c Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Thu, 22 Dec 2016 18:07:52 -0700 +Subject: RDMA/core: Fix incorrect structure packing for booleans + +From: Jason Gunthorpe + +commit 55efcfcd7776165b294f8b5cd6e05ca00ec89b7c upstream. + +The RDMA core uses ib_pack() to convert from unpacked CPU structs +to on-the-wire bitpacked structs. + +This process requires that 1 bit fields are declared as u8 in the +unpacked struct, otherwise the packing process does not read the +value properly and the packed result is wired to 0. Several +places wrongly used int. + +Crucially this means the kernel has never, set reversible +correctly in the path record request. It has always asked for +irreversible paths even if the ULP requests otherwise. + +When the kernel is used with a SM that supports this feature, it +completely breaks communication management if reversible paths are +not properly requested. + +The only reason this ever worked is because opensm ignores the +reversible bit. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jason Gunthorpe +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + include/rdma/ib_sa.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/include/rdma/ib_sa.h ++++ b/include/rdma/ib_sa.h +@@ -138,12 +138,12 @@ struct ib_sa_path_rec { + union ib_gid sgid; + __be16 dlid; + __be16 slid; +- int raw_traffic; ++ u8 raw_traffic; + /* reserved */ + __be32 flow_label; + u8 hop_limit; + u8 traffic_class; +- int reversible; ++ u8 reversible; + u8 numb_path; + __be16 pkey; + __be16 qos_class; +@@ -204,7 +204,7 @@ struct ib_sa_mcmember_rec { + u8 hop_limit; + u8 scope; + u8 join_state; +- int proxy_join; ++ u8 proxy_join; + }; + + /* Service Record Component Mask Sec 15.2.5.14 Ver 1.1 */ diff --git a/queue-4.4/rdma_cm-fail-iwarp-accepts-w-o-connection-params.patch b/queue-4.4/rdma_cm-fail-iwarp-accepts-w-o-connection-params.patch new file mode 100644 index 00000000000..b53453e4152 --- /dev/null +++ b/queue-4.4/rdma_cm-fail-iwarp-accepts-w-o-connection-params.patch @@ -0,0 +1,34 @@ +From f2625f7db4dd0bbd16a9c7d2950e7621f9aa57ad Mon Sep 17 00:00:00 2001 +From: Steve Wise +Date: Tue, 21 Feb 2017 11:21:57 -0800 +Subject: rdma_cm: fail iwarp accepts w/o connection params + +From: Steve Wise + +commit f2625f7db4dd0bbd16a9c7d2950e7621f9aa57ad upstream. + +cma_accept_iw() needs to return an error if conn_params is NULL. +Since this is coming from user space, we can crash. + +Reported-by: Shaobo He +Acked-by: Sean Hefty +Signed-off-by: Steve Wise +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/cma.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -3349,6 +3349,9 @@ static int cma_accept_iw(struct rdma_id_ + struct iw_cm_conn_param iw_param; + int ret; + ++ if (!conn_param) ++ return -EINVAL; ++ + ret = cma_modify_qp_rtr(id_priv, conn_param); + if (ret) + return ret; diff --git a/queue-4.4/rtc-sun6i-add-some-locking.patch b/queue-4.4/rtc-sun6i-add-some-locking.patch new file mode 100644 index 00000000000..65882ad0d2e --- /dev/null +++ b/queue-4.4/rtc-sun6i-add-some-locking.patch @@ -0,0 +1,100 @@ +From a9422a19ce270a22fc520f2278fb7e80c58be508 Mon Sep 17 00:00:00 2001 +From: Maxime Ripard +Date: Mon, 23 Jan 2017 11:41:47 +0100 +Subject: rtc: sun6i: Add some locking + +From: Maxime Ripard + +commit a9422a19ce270a22fc520f2278fb7e80c58be508 upstream. + +Some registers have a read-modify-write access pattern that are not atomic. + +Add some locking to prevent from concurrent accesses. + +Acked-by: Chen-Yu Tsai +Signed-off-by: Maxime Ripard +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/rtc-sun6i.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/drivers/rtc/rtc-sun6i.c ++++ b/drivers/rtc/rtc-sun6i.c +@@ -114,13 +114,17 @@ struct sun6i_rtc_dev { + void __iomem *base; + int irq; + unsigned long alarm; ++ ++ spinlock_t lock; + }; + + static irqreturn_t sun6i_rtc_alarmirq(int irq, void *id) + { + struct sun6i_rtc_dev *chip = (struct sun6i_rtc_dev *) id; ++ irqreturn_t ret = IRQ_NONE; + u32 val; + ++ spin_lock(&chip->lock); + val = readl(chip->base + SUN6I_ALRM_IRQ_STA); + + if (val & SUN6I_ALRM_IRQ_STA_CNT_IRQ_PEND) { +@@ -129,10 +133,11 @@ static irqreturn_t sun6i_rtc_alarmirq(in + + rtc_update_irq(chip->rtc, 1, RTC_AF | RTC_IRQF); + +- return IRQ_HANDLED; ++ ret = IRQ_HANDLED; + } ++ spin_unlock(&chip->lock); + +- return IRQ_NONE; ++ return ret; + } + + static void sun6i_rtc_setaie(int to, struct sun6i_rtc_dev *chip) +@@ -140,6 +145,7 @@ static void sun6i_rtc_setaie(int to, str + u32 alrm_val = 0; + u32 alrm_irq_val = 0; + u32 alrm_wake_val = 0; ++ unsigned long flags; + + if (to) { + alrm_val = SUN6I_ALRM_EN_CNT_EN; +@@ -150,9 +156,11 @@ static void sun6i_rtc_setaie(int to, str + chip->base + SUN6I_ALRM_IRQ_STA); + } + ++ spin_lock_irqsave(&chip->lock, flags); + writel(alrm_val, chip->base + SUN6I_ALRM_EN); + writel(alrm_irq_val, chip->base + SUN6I_ALRM_IRQ_EN); + writel(alrm_wake_val, chip->base + SUN6I_ALARM_CONFIG); ++ spin_unlock_irqrestore(&chip->lock, flags); + } + + static int sun6i_rtc_gettime(struct device *dev, struct rtc_time *rtc_tm) +@@ -191,11 +199,15 @@ static int sun6i_rtc_gettime(struct devi + static int sun6i_rtc_getalarm(struct device *dev, struct rtc_wkalrm *wkalrm) + { + struct sun6i_rtc_dev *chip = dev_get_drvdata(dev); ++ unsigned long flags; + u32 alrm_st; + u32 alrm_en; + ++ spin_lock_irqsave(&chip->lock, flags); + alrm_en = readl(chip->base + SUN6I_ALRM_IRQ_EN); + alrm_st = readl(chip->base + SUN6I_ALRM_IRQ_STA); ++ spin_unlock_irqrestore(&chip->lock, flags); ++ + wkalrm->enabled = !!(alrm_en & SUN6I_ALRM_EN_CNT_EN); + wkalrm->pending = !!(alrm_st & SUN6I_ALRM_EN_CNT_EN); + rtc_time_to_tm(chip->alarm, &wkalrm->time); +@@ -356,6 +368,7 @@ static int sun6i_rtc_probe(struct platfo + chip = devm_kzalloc(&pdev->dev, sizeof(*chip), GFP_KERNEL); + if (!chip) + return -ENOMEM; ++ spin_lock_init(&chip->lock); + + platform_set_drvdata(pdev, chip); + chip->dev = &pdev->dev; diff --git a/queue-4.4/rtc-sun6i-switch-to-the-external-oscillator.patch b/queue-4.4/rtc-sun6i-switch-to-the-external-oscillator.patch new file mode 100644 index 00000000000..5bc76ef0683 --- /dev/null +++ b/queue-4.4/rtc-sun6i-switch-to-the-external-oscillator.patch @@ -0,0 +1,52 @@ +From fb61bb82cb46a932ef2fc62e1c731c8e7e6640d5 Mon Sep 17 00:00:00 2001 +From: Maxime Ripard +Date: Mon, 23 Jan 2017 11:41:48 +0100 +Subject: rtc: sun6i: Switch to the external oscillator + +From: Maxime Ripard + +commit fb61bb82cb46a932ef2fc62e1c731c8e7e6640d5 upstream. + +The RTC is clocked from either an internal, imprecise, oscillator or an +external one, which is usually much more accurate. + +The difference perceived between the time elapsed and the time reported by +the RTC is in a 10% scale, which prevents the RTC from being useful at all. + +Fortunately, the external oscillator is reported to be mandatory in the +Allwinner datasheet, so we can just switch to it. + +Fixes: 9765d2d94309 ("rtc: sun6i: Add sun6i RTC driver") +Signed-off-by: Maxime Ripard +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/rtc-sun6i.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/rtc/rtc-sun6i.c ++++ b/drivers/rtc/rtc-sun6i.c +@@ -37,9 +37,11 @@ + + /* Control register */ + #define SUN6I_LOSC_CTRL 0x0000 ++#define SUN6I_LOSC_CTRL_KEY (0x16aa << 16) + #define SUN6I_LOSC_CTRL_ALM_DHMS_ACC BIT(9) + #define SUN6I_LOSC_CTRL_RTC_HMS_ACC BIT(8) + #define SUN6I_LOSC_CTRL_RTC_YMD_ACC BIT(7) ++#define SUN6I_LOSC_CTRL_EXT_OSC BIT(0) + #define SUN6I_LOSC_CTRL_ACC_MASK GENMASK(9, 7) + + /* RTC */ +@@ -417,6 +419,10 @@ static int sun6i_rtc_probe(struct platfo + /* disable alarm wakeup */ + writel(0, chip->base + SUN6I_ALARM_CONFIG); + ++ /* switch to the external, more precise, oscillator */ ++ writel(SUN6I_LOSC_CTRL_KEY | SUN6I_LOSC_CTRL_EXT_OSC, ++ chip->base + SUN6I_LOSC_CTRL); ++ + chip->rtc = rtc_device_register("rtc-sun6i", &pdev->dev, + &sun6i_rtc_ops, THIS_MODULE); + if (IS_ERR(chip->rtc)) { diff --git a/queue-4.4/rtlwifi-fix-alignment-issues.patch b/queue-4.4/rtlwifi-fix-alignment-issues.patch new file mode 100644 index 00000000000..e1a7e7fda6d --- /dev/null +++ b/queue-4.4/rtlwifi-fix-alignment-issues.patch @@ -0,0 +1,48 @@ +From 40b368af4b750863b2cb66a3a9513241db2f0793 Mon Sep 17 00:00:00 2001 +From: Ping-Ke Shih +Date: Wed, 28 Dec 2016 15:40:04 -0600 +Subject: rtlwifi: Fix alignment issues + +From: Ping-Ke Shih + +commit 40b368af4b750863b2cb66a3a9513241db2f0793 upstream. + +The addresses of Wlan NIC registers are natural alignment, but some +drivers have bugs. These are evident on platforms that need natural +alignment to access registers. This change contains the following: + 1. Function _rtl8821ae_dbi_read() is used to read one byte from DBI, + thus it should use rtl_read_byte(). + 2. Register 0x4C7 of 8192ee is single byte. + +Signed-off-by: Ping-Ke Shih +Signed-off-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/rtl8192ee/hw.c | 2 +- + drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/hw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/hw.c +@@ -1003,7 +1003,7 @@ static void _rtl92ee_hw_configure(struct + rtl_write_word(rtlpriv, REG_SIFS_TRX, 0x100a); + + /* Note Data sheet don't define */ +- rtl_write_word(rtlpriv, 0x4C7, 0x80); ++ rtl_write_byte(rtlpriv, 0x4C7, 0x80); + + rtl_write_byte(rtlpriv, REG_RX_PKT_LIMIT, 0x20); + +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c +@@ -1127,7 +1127,7 @@ static u8 _rtl8821ae_dbi_read(struct rtl + } + if (0 == tmp) { + read_addr = REG_DBI_RDATA + addr % 4; +- ret = rtl_read_word(rtlpriv, read_addr); ++ ret = rtl_read_byte(rtlpriv, read_addr); + } + return ret; + } diff --git a/queue-4.4/rtlwifi-rtl8192c-common-fix-bug-kasan.patch b/queue-4.4/rtlwifi-rtl8192c-common-fix-bug-kasan.patch new file mode 100644 index 00000000000..398daa5e771 --- /dev/null +++ b/queue-4.4/rtlwifi-rtl8192c-common-fix-bug-kasan.patch @@ -0,0 +1,82 @@ +From 6773386f977ce5af339f9678fa2918909a946c6b Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Sun, 5 Feb 2017 10:24:22 -0600 +Subject: rtlwifi: rtl8192c-common: Fix "BUG: KASAN: + +From: Larry Finger + +commit 6773386f977ce5af339f9678fa2918909a946c6b upstream. + +Kernels built with CONFIG_KASAN=y report the following BUG for rtl8192cu +and rtl8192c-common: + +================================================================== +BUG: KASAN: slab-out-of-bounds in rtl92c_dm_bt_coexist+0x858/0x1e40 + [rtl8192c_common] at addr ffff8801c90edb08 +Read of size 1 by task kworker/0:1/38 +page:ffffea0007243800 count:1 mapcount:0 mapping: (null) + index:0x0 compound_mapcount: 0 +flags: 0x8000000000004000(head) +page dumped because: kasan: bad access detected +CPU: 0 PID: 38 Comm: kworker/0:1 Not tainted 4.9.7-gentoo #3 +Hardware name: Gigabyte Technology Co., Ltd. To be filled by + O.E.M./Z77-DS3H, BIOS F11a 11/13/2013 +Workqueue: rtl92c_usb rtl_watchdog_wq_callback [rtlwifi] + 0000000000000000 ffffffff829eea33 ffff8801d7f0fa30 ffff8801c90edb08 + ffffffff824c0f09 ffff8801d4abee80 0000000000000004 0000000000000297 + ffffffffc070b57c ffff8801c7aa7c48 ffff880100000004 ffffffff000003e8 +Call Trace: + [] ? dump_stack+0x5c/0x79 + [] ? kasan_report_error+0x4b9/0x4e0 + [] ? _usb_read_sync+0x15c/0x280 [rtl_usb] + [] ? __asan_report_load1_noabort+0x45/0x50 + [] ? rtl92c_dm_bt_coexist+0x858/0x1e40 [rtl8192c_common] + [] ? rtl92c_dm_bt_coexist+0x858/0x1e40 [rtl8192c_common] + [] ? rtl92c_dm_rf_saving+0x96e/0x1330 [rtl8192c_common] +... + +The problem is due to rtl8192ce and rtl8192cu sharing routines, and having +different layouts of struct rtl_pci_priv, which is used by rtl8192ce, and +struct rtl_usb_priv, which is used by rtl8192cu. The problem was resolved +by placing the struct bt_coexist_info at the head of each of those private +areas. + +Reported-and-tested-by: Dmitry Osipenko +Signed-off-by: Larry Finger +Cc: Dmitry Osipenko +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/pci.h | 4 ++-- + drivers/net/wireless/realtek/rtlwifi/usb.h | 3 ++- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/realtek/rtlwifi/pci.h ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.h +@@ -275,10 +275,10 @@ struct mp_adapter { + }; + + struct rtl_pci_priv { ++ struct bt_coexist_info bt_coexist; ++ struct rtl_led_ctl ledctl; + struct rtl_pci dev; + struct mp_adapter ndis_adapter; +- struct rtl_led_ctl ledctl; +- struct bt_coexist_info bt_coexist; + }; + + #define rtl_pcipriv(hw) (((struct rtl_pci_priv *)(rtl_priv(hw))->priv)) +--- a/drivers/net/wireless/realtek/rtlwifi/usb.h ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.h +@@ -150,8 +150,9 @@ struct rtl_usb { + }; + + struct rtl_usb_priv { +- struct rtl_usb dev; ++ struct bt_coexist_info bt_coexist; + struct rtl_led_ctl ledctl; ++ struct rtl_usb dev; + }; + + #define rtl_usbpriv(hw) (((struct rtl_usb_priv *)(rtl_priv(hw))->priv)) diff --git a/queue-4.4/series b/queue-4.4/series index b38d67619ff..0c8d1c3e3ae 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -57,3 +57,32 @@ ath9k-use-correct-otp-register-offsets-for-the-ar9340-and-ar9550.patch crypto-testmgr-pad-aes_ccm_enc_tv_template-vector.patch fuse-add-missing-fr_force.patch arm-arm64-kvm-enforce-unconditional-flush-to-poc-when-mapping-to-stage-2.patch +iio-pressure-mpl115-do-not-rely-on-structure-field-ordering.patch +iio-pressure-mpl3115-do-not-rely-on-structure-field-ordering.patch +can-usb_8dev-fix-memory-leak-of-priv-cmd_msg_buffer.patch +w1-don-t-leak-refcount-on-slave-attach-failure-in-w1_attach_slave_device.patch +w1-ds2490-usb-transfer-buffers-need-to-be-dmaable.patch +usb-musb-da8xx-remove-cppi-3.0-quirk-and-methods.patch +usb-host-xhci-plat-check-hcc_params-after-add-hcd.patch +usb-gadget-udc-fsl-add-missing-complete-function.patch +hv-allocate-synic-pages-for-all-present-cpus.patch +hv-init-percpu_list-in-hv_synic_alloc.patch +drivers-hv-util-kvp-fix-a-rescind-processing-issue.patch +drivers-hv-util-fcopy-fix-a-rescind-processing-issue.patch +drivers-hv-util-backup-fix-a-rescind-processing-issue.patch +rdma-core-fix-incorrect-structure-packing-for-booleans.patch +rdma_cm-fail-iwarp-accepts-w-o-connection-params.patch +gfs2-add-missing-rcu-locking-for-glock-lookup.patch +rtlwifi-fix-alignment-issues.patch +rtlwifi-rtl8192c-common-fix-bug-kasan.patch +nfsd-minor-nfsd_setattr-cleanup.patch +nfsd-special-case-truncates-some-more.patch +nfsv4-fix-memory-and-state-leak-in-_nfs4_open_and_get_state.patch +nfsv4-fix-getacl-head-length-estimation.patch +nfsv4-fix-getacl-erange-for-some-acl-buffer-sizes.patch +rtc-sun6i-add-some-locking.patch +rtc-sun6i-switch-to-the-external-oscillator.patch +md-linear-fix-a-race-between-linear_add-and-linear_congested.patch +bcma-use-get-put-_device-when-probing-removing-device-driver.patch +dmaengine-ipu-make-sure-the-interrupt-routine-checks-all-interrupts.patch +powerpc-xmon-fix-data-breakpoint.patch diff --git a/queue-4.4/usb-gadget-udc-fsl-add-missing-complete-function.patch b/queue-4.4/usb-gadget-udc-fsl-add-missing-complete-function.patch new file mode 100644 index 00000000000..7f08e6c240f --- /dev/null +++ b/queue-4.4/usb-gadget-udc-fsl-add-missing-complete-function.patch @@ -0,0 +1,58 @@ +From 5528954a1a0c49c6974ef1b8d6eaceff536204d5 Mon Sep 17 00:00:00 2001 +From: Magnus Lilja +Date: Wed, 25 Jan 2017 22:07:59 +0100 +Subject: usb: gadget: udc: fsl: Add missing complete function. + +From: Magnus Lilja + +commit 5528954a1a0c49c6974ef1b8d6eaceff536204d5 upstream. + +Commit 304f7e5e1d08 ("usb: gadget: Refactor request completion") +removed check if req->req.complete is non-NULL, resulting in a NULL +pointer derefence and a kernel panic. +This patch adds an empty complete function instead of re-introducing +the req->req.complete check. + +Fixes: 304f7e5e1d08 ("usb: gadget: Refactor request completion") + +Signed-off-by: Magnus Lilja +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/fsl_udc_core.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/udc/fsl_udc_core.c ++++ b/drivers/usb/gadget/udc/fsl_udc_core.c +@@ -1249,6 +1249,12 @@ static const struct usb_gadget_ops fsl_g + .udc_stop = fsl_udc_stop, + }; + ++/* ++ * Empty complete function used by this driver to fill in the req->complete ++ * field when creating a request since the complete field is mandatory. ++ */ ++static void fsl_noop_complete(struct usb_ep *ep, struct usb_request *req) { } ++ + /* Set protocol stall on ep0, protocol stall will automatically be cleared + on new transaction */ + static void ep0stall(struct fsl_udc *udc) +@@ -1283,7 +1289,7 @@ static int ep0_prime_status(struct fsl_u + req->req.length = 0; + req->req.status = -EINPROGRESS; + req->req.actual = 0; +- req->req.complete = NULL; ++ req->req.complete = fsl_noop_complete; + req->dtd_count = 0; + + ret = usb_gadget_map_request(&ep->udc->gadget, &req->req, ep_is_in(ep)); +@@ -1366,7 +1372,7 @@ static void ch9getstatus(struct fsl_udc + req->req.length = 2; + req->req.status = -EINPROGRESS; + req->req.actual = 0; +- req->req.complete = NULL; ++ req->req.complete = fsl_noop_complete; + req->dtd_count = 0; + + ret = usb_gadget_map_request(&ep->udc->gadget, &req->req, ep_is_in(ep)); diff --git a/queue-4.4/usb-host-xhci-plat-check-hcc_params-after-add-hcd.patch b/queue-4.4/usb-host-xhci-plat-check-hcc_params-after-add-hcd.patch new file mode 100644 index 00000000000..816b6e466c9 --- /dev/null +++ b/queue-4.4/usb-host-xhci-plat-check-hcc_params-after-add-hcd.patch @@ -0,0 +1,49 @@ +From 5de4e1ea9a731cad195ce5152705c21daef3bbba Mon Sep 17 00:00:00 2001 +From: William wu +Date: Tue, 17 Jan 2017 15:32:07 +0800 +Subject: usb: host: xhci: plat: check hcc_params after add hcd + +From: William wu + +commit 5de4e1ea9a731cad195ce5152705c21daef3bbba upstream. + +The commit 4ac53087d6d4 ("usb: xhci: plat: Create both +HCDs before adding them") move add hcd to the end of +probe, this cause hcc_params uninitiated, because xHCI +driver sets hcc_params in xhci_gen_setup() called from +usb_add_hcd(). + +This patch checks the Maximum Primary Stream Array Size +in the hcc_params register after add primary hcd. + +Signed-off-by: William wu +Acked-by: Roger Quadros +Fixes: 4ac53087d6d4 ("usb: xhci: plat: Create both HCDs before adding them") +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-plat.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -162,9 +162,6 @@ static int xhci_plat_probe(struct platfo + (pdata && pdata->usb3_lpm_capable)) + xhci->quirks |= XHCI_LPM_SUPPORT; + +- if (HCC_MAX_PSA(xhci->hcc_params) >= 4) +- xhci->shared_hcd->can_do_streams = 1; +- + hcd->usb_phy = devm_usb_get_phy_by_phandle(&pdev->dev, "usb-phy", 0); + if (IS_ERR(hcd->usb_phy)) { + ret = PTR_ERR(hcd->usb_phy); +@@ -181,6 +178,9 @@ static int xhci_plat_probe(struct platfo + if (ret) + goto disable_usb_phy; + ++ if (HCC_MAX_PSA(xhci->hcc_params) >= 4) ++ xhci->shared_hcd->can_do_streams = 1; ++ + ret = usb_add_hcd(xhci->shared_hcd, irq, IRQF_SHARED); + if (ret) + goto dealloc_usb2_hcd; diff --git a/queue-4.4/usb-musb-da8xx-remove-cppi-3.0-quirk-and-methods.patch b/queue-4.4/usb-musb-da8xx-remove-cppi-3.0-quirk-and-methods.patch new file mode 100644 index 00000000000..efb1240e1a5 --- /dev/null +++ b/queue-4.4/usb-musb-da8xx-remove-cppi-3.0-quirk-and-methods.patch @@ -0,0 +1,44 @@ +From a994ce2d7e66008381a0b184c73be9ae9b72eb5c Mon Sep 17 00:00:00 2001 +From: Alexandre Bailon +Date: Wed, 1 Feb 2017 21:30:12 -0600 +Subject: usb: musb: da8xx: Remove CPPI 3.0 quirk and methods + +From: Alexandre Bailon + +commit a994ce2d7e66008381a0b184c73be9ae9b72eb5c upstream. + +DA8xx driver is registering and using the CPPI 3.0 DMA controller but +actually, the DA8xx has a CPPI 4.1 DMA controller. +Remove the CPPI 3.0 quirk and methods. + +Fixes: f8e9f34f80a2 ("usb: musb: Fix up DMA related macros") +Fixes: 7f6283ed6fe8 ("usb: musb: Set up function pointers for DMA") +Signed-off-by: Alexandre Bailon +Acked-by: Sergei Shtylyov +Acked-by: Tony Lindgren +Signed-off-by: Bin Liu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/musb/da8xx.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/usb/musb/da8xx.c ++++ b/drivers/usb/musb/da8xx.c +@@ -458,15 +458,11 @@ static int da8xx_musb_exit(struct musb * + } + + static const struct musb_platform_ops da8xx_ops = { +- .quirks = MUSB_DMA_CPPI | MUSB_INDEXED_EP, ++ .quirks = MUSB_INDEXED_EP, + .init = da8xx_musb_init, + .exit = da8xx_musb_exit, + + .fifo_mode = 2, +-#ifdef CONFIG_USB_TI_CPPI_DMA +- .dma_init = cppi_dma_controller_create, +- .dma_exit = cppi_dma_controller_destroy, +-#endif + .enable = da8xx_musb_enable, + .disable = da8xx_musb_disable, + diff --git a/queue-4.4/w1-don-t-leak-refcount-on-slave-attach-failure-in-w1_attach_slave_device.patch b/queue-4.4/w1-don-t-leak-refcount-on-slave-attach-failure-in-w1_attach_slave_device.patch new file mode 100644 index 00000000000..c76998186e9 --- /dev/null +++ b/queue-4.4/w1-don-t-leak-refcount-on-slave-attach-failure-in-w1_attach_slave_device.patch @@ -0,0 +1,34 @@ +From d2ce4ea1a0b0162e5d2d7e7942ab6f5cc2063d5a Mon Sep 17 00:00:00 2001 +From: "Maciej S. Szmigiero" +Date: Sat, 21 Jan 2017 23:50:18 +0100 +Subject: w1: don't leak refcount on slave attach failure in w1_attach_slave_device() + +From: Maciej S. Szmigiero + +commit d2ce4ea1a0b0162e5d2d7e7942ab6f5cc2063d5a upstream. + +Near the beginning of w1_attach_slave_device() we increment a w1 master +reference count. +Later, when we are going to exit this function without actually attaching +a slave device (due to failure of __w1_attach_slave_device()) we need to +decrement this reference count back. + +Signed-off-by: Maciej S. Szmigiero +Fixes: 9fcbbac5ded489 ("w1: process w1 netlink commands in w1_process thread") +Cc: Evgeniy Polyakov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/w1/w1.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/w1/w1.c ++++ b/drivers/w1/w1.c +@@ -763,6 +763,7 @@ int w1_attach_slave_device(struct w1_mas + dev_err(&dev->dev, "%s: Attaching %s failed.\n", __func__, + sl->name); + w1_family_put(sl->family); ++ atomic_dec(&sl->master->refcnt); + kfree(sl); + return err; + } diff --git a/queue-4.4/w1-ds2490-usb-transfer-buffers-need-to-be-dmaable.patch b/queue-4.4/w1-ds2490-usb-transfer-buffers-need-to-be-dmaable.patch new file mode 100644 index 00000000000..3aa58a23ab3 --- /dev/null +++ b/queue-4.4/w1-ds2490-usb-transfer-buffers-need-to-be-dmaable.patch @@ -0,0 +1,357 @@ +From 61cd1b4cd1e8f7f7642ab64529d9bd52e8374641 Mon Sep 17 00:00:00 2001 +From: "Maciej S. Szmigiero" +Date: Wed, 18 Jan 2017 21:31:11 +0100 +Subject: w1: ds2490: USB transfer buffers need to be DMAable + +From: Maciej S. Szmigiero + +commit 61cd1b4cd1e8f7f7642ab64529d9bd52e8374641 upstream. + +ds2490 driver was doing USB transfers from / to buffers on a stack. +This is not permitted and made the driver non-working with vmapped stacks. + +Since all these transfers are done under the same bus_mutex lock we can +simply use shared buffers in a device private structure for two most common +of them. + +While we are at it, let's also fix a comparison between int and size_t in +ds9490r_search() which made the driver spin in this function if state +register get requests were failing. + +Signed-off-by: Maciej S. Szmigiero +Acked-by: Evgeniy Polyakov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/w1/masters/ds2490.c | 142 ++++++++++++++++++++++++++------------------ + 1 file changed, 84 insertions(+), 58 deletions(-) + +--- a/drivers/w1/masters/ds2490.c ++++ b/drivers/w1/masters/ds2490.c +@@ -153,6 +153,9 @@ struct ds_device + */ + u16 spu_bit; + ++ u8 st_buf[ST_SIZE]; ++ u8 byte_buf; ++ + struct w1_bus_master master; + }; + +@@ -174,7 +177,6 @@ struct ds_status + u8 data_in_buffer_status; + u8 reserved1; + u8 reserved2; +- + }; + + static struct usb_device_id ds_id_table [] = { +@@ -244,28 +246,6 @@ static int ds_send_control(struct ds_dev + return err; + } + +-static int ds_recv_status_nodump(struct ds_device *dev, struct ds_status *st, +- unsigned char *buf, int size) +-{ +- int count, err; +- +- memset(st, 0, sizeof(*st)); +- +- count = 0; +- err = usb_interrupt_msg(dev->udev, usb_rcvintpipe(dev->udev, +- dev->ep[EP_STATUS]), buf, size, &count, 1000); +- if (err < 0) { +- pr_err("Failed to read 1-wire data from 0x%x: err=%d.\n", +- dev->ep[EP_STATUS], err); +- return err; +- } +- +- if (count >= sizeof(*st)) +- memcpy(st, buf, sizeof(*st)); +- +- return count; +-} +- + static inline void ds_print_msg(unsigned char *buf, unsigned char *str, int off) + { + pr_info("%45s: %8x\n", str, buf[off]); +@@ -324,6 +304,35 @@ static void ds_dump_status(struct ds_dev + } + } + ++static int ds_recv_status(struct ds_device *dev, struct ds_status *st, ++ bool dump) ++{ ++ int count, err; ++ ++ if (st) ++ memset(st, 0, sizeof(*st)); ++ ++ count = 0; ++ err = usb_interrupt_msg(dev->udev, ++ usb_rcvintpipe(dev->udev, ++ dev->ep[EP_STATUS]), ++ dev->st_buf, sizeof(dev->st_buf), ++ &count, 1000); ++ if (err < 0) { ++ pr_err("Failed to read 1-wire data from 0x%x: err=%d.\n", ++ dev->ep[EP_STATUS], err); ++ return err; ++ } ++ ++ if (dump) ++ ds_dump_status(dev, dev->st_buf, count); ++ ++ if (st && count >= sizeof(*st)) ++ memcpy(st, dev->st_buf, sizeof(*st)); ++ ++ return count; ++} ++ + static void ds_reset_device(struct ds_device *dev) + { + ds_send_control_cmd(dev, CTL_RESET_DEVICE, 0); +@@ -344,7 +353,6 @@ static void ds_reset_device(struct ds_de + static int ds_recv_data(struct ds_device *dev, unsigned char *buf, int size) + { + int count, err; +- struct ds_status st; + + /* Careful on size. If size is less than what is available in + * the input buffer, the device fails the bulk transfer and +@@ -359,14 +367,9 @@ static int ds_recv_data(struct ds_device + err = usb_bulk_msg(dev->udev, usb_rcvbulkpipe(dev->udev, dev->ep[EP_DATA_IN]), + buf, size, &count, 1000); + if (err < 0) { +- u8 buf[ST_SIZE]; +- int count; +- + pr_info("Clearing ep0x%x.\n", dev->ep[EP_DATA_IN]); + usb_clear_halt(dev->udev, usb_rcvbulkpipe(dev->udev, dev->ep[EP_DATA_IN])); +- +- count = ds_recv_status_nodump(dev, &st, buf, sizeof(buf)); +- ds_dump_status(dev, buf, count); ++ ds_recv_status(dev, NULL, true); + return err; + } + +@@ -404,7 +407,6 @@ int ds_stop_pulse(struct ds_device *dev, + { + struct ds_status st; + int count = 0, err = 0; +- u8 buf[ST_SIZE]; + + do { + err = ds_send_control(dev, CTL_HALT_EXE_IDLE, 0); +@@ -413,7 +415,7 @@ int ds_stop_pulse(struct ds_device *dev, + err = ds_send_control(dev, CTL_RESUME_EXE, 0); + if (err) + break; +- err = ds_recv_status_nodump(dev, &st, buf, sizeof(buf)); ++ err = ds_recv_status(dev, &st, false); + if (err) + break; + +@@ -456,18 +458,17 @@ int ds_detect(struct ds_device *dev, str + + static int ds_wait_status(struct ds_device *dev, struct ds_status *st) + { +- u8 buf[ST_SIZE]; + int err, count = 0; + + do { + st->status = 0; +- err = ds_recv_status_nodump(dev, st, buf, sizeof(buf)); ++ err = ds_recv_status(dev, st, false); + #if 0 + if (err >= 0) { + int i; + printk("0x%x: count=%d, status: ", dev->ep[EP_STATUS], err); + for (i=0; ist_buf[i]); + printk("\n"); + } + #endif +@@ -485,7 +486,7 @@ static int ds_wait_status(struct ds_devi + * can do something with it). + */ + if (err > 16 || count >= 100 || err < 0) +- ds_dump_status(dev, buf, err); ++ ds_dump_status(dev, dev->st_buf, err); + + /* Extended data isn't an error. Well, a short is, but the dump + * would have already told the user that and we can't do anything +@@ -608,7 +609,6 @@ static int ds_write_byte(struct ds_devic + { + int err; + struct ds_status st; +- u8 rbyte; + + err = ds_send_control(dev, COMM_BYTE_IO | COMM_IM | dev->spu_bit, byte); + if (err) +@@ -621,11 +621,11 @@ static int ds_write_byte(struct ds_devic + if (err) + return err; + +- err = ds_recv_data(dev, &rbyte, sizeof(rbyte)); ++ err = ds_recv_data(dev, &dev->byte_buf, 1); + if (err < 0) + return err; + +- return !(byte == rbyte); ++ return !(byte == dev->byte_buf); + } + + static int ds_read_byte(struct ds_device *dev, u8 *byte) +@@ -712,7 +712,6 @@ static void ds9490r_search(void *data, s + int err; + u16 value, index; + struct ds_status st; +- u8 st_buf[ST_SIZE]; + int search_limit; + int found = 0; + int i; +@@ -724,7 +723,12 @@ static void ds9490r_search(void *data, s + /* FIFO 128 bytes, bulk packet size 64, read a multiple of the + * packet size. + */ +- u64 buf[2*64/8]; ++ const size_t bufsize = 2 * 64; ++ u64 *buf; ++ ++ buf = kmalloc(bufsize, GFP_KERNEL); ++ if (!buf) ++ return; + + mutex_lock(&master->bus_mutex); + +@@ -745,10 +749,9 @@ static void ds9490r_search(void *data, s + do { + schedule_timeout(jtime); + +- if (ds_recv_status_nodump(dev, &st, st_buf, sizeof(st_buf)) < +- sizeof(st)) { ++ err = ds_recv_status(dev, &st, false); ++ if (err < 0 || err < sizeof(st)) + break; +- } + + if (st.data_in_buffer_status) { + /* Bulk in can receive partial ids, but when it does +@@ -758,7 +761,7 @@ static void ds9490r_search(void *data, s + * bulk without first checking if status says there + * is data to read. + */ +- err = ds_recv_data(dev, (u8 *)buf, sizeof(buf)); ++ err = ds_recv_data(dev, (u8 *)buf, bufsize); + if (err < 0) + break; + for (i = 0; i < err/8; ++i) { +@@ -794,9 +797,14 @@ static void ds9490r_search(void *data, s + } + search_out: + mutex_unlock(&master->bus_mutex); ++ kfree(buf); + } + + #if 0 ++/* ++ * FIXME: if this disabled code is ever used in the future all ds_send_data() ++ * calls must be changed to use a DMAable buffer. ++ */ + static int ds_match_access(struct ds_device *dev, u64 init) + { + int err; +@@ -845,13 +853,12 @@ static int ds_set_path(struct ds_device + + static u8 ds9490r_touch_bit(void *data, u8 bit) + { +- u8 ret; + struct ds_device *dev = data; + +- if (ds_touch_bit(dev, bit, &ret)) ++ if (ds_touch_bit(dev, bit, &dev->byte_buf)) + return 0; + +- return ret; ++ return dev->byte_buf; + } + + #if 0 +@@ -866,13 +873,12 @@ static u8 ds9490r_read_bit(void *data) + { + struct ds_device *dev = data; + int err; +- u8 bit = 0; + +- err = ds_touch_bit(dev, 1, &bit); ++ err = ds_touch_bit(dev, 1, &dev->byte_buf); + if (err) + return 0; + +- return bit & 1; ++ return dev->byte_buf & 1; + } + #endif + +@@ -887,32 +893,52 @@ static u8 ds9490r_read_byte(void *data) + { + struct ds_device *dev = data; + int err; +- u8 byte = 0; + +- err = ds_read_byte(dev, &byte); ++ err = ds_read_byte(dev, &dev->byte_buf); + if (err) + return 0; + +- return byte; ++ return dev->byte_buf; + } + + static void ds9490r_write_block(void *data, const u8 *buf, int len) + { + struct ds_device *dev = data; ++ u8 *tbuf; ++ ++ if (len <= 0) ++ return; ++ ++ tbuf = kmalloc(len, GFP_KERNEL); ++ if (!tbuf) ++ return; ++ ++ memcpy(tbuf, buf, len); ++ ds_write_block(dev, tbuf, len); + +- ds_write_block(dev, (u8 *)buf, len); ++ kfree(tbuf); + } + + static u8 ds9490r_read_block(void *data, u8 *buf, int len) + { + struct ds_device *dev = data; + int err; ++ u8 *tbuf; + +- err = ds_read_block(dev, buf, len); +- if (err < 0) ++ if (len <= 0) ++ return 0; ++ ++ tbuf = kmalloc(len, GFP_KERNEL); ++ if (!tbuf) + return 0; + +- return len; ++ err = ds_read_block(dev, tbuf, len); ++ if (err >= 0) ++ memcpy(buf, tbuf, len); ++ ++ kfree(tbuf); ++ ++ return err >= 0 ? len : 0; + } + + static u8 ds9490r_reset(void *data)