From: Greg Kroah-Hartman Date: Fri, 31 Jul 2015 19:37:59 +0000 (-0700) Subject: 4.1-stable patches X-Git-Tag: v4.1.4~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=93ae21fea25e1a495798bde26137c770fe296497;p=thirdparty%2Fkernel%2Fstable-queue.git 4.1-stable patches added patches: 9p-don-t-leave-a-half-initialized-inode-sitting-around.patch 9p-forgetting-to-cancel-request-on-interrupted-zero-copy-rpc.patch agp-intel-fix-typo-in-needs_ilk_vtd_wa.patch arm-8393-1-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch arm-8397-1-fix-vdsomunge-not-to-depend-on-glibc-specific-error.h.patch arm-dove-fix-legacy-dove-irq-numbers.patch arm64-bpf-fix-endianness-conversion-bugs.patch arm64-bpf-fix-out-of-bounds-read-in-bpf2a64_offset.patch arm64-don-t-report-clear-pmds-and-puds-as-huge.patch arm64-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch edac-octeon-fix-broken-build-due-to-model-helper-renames.patch fix-firmware-loader-uevent-buffer-null-pointer-dereference.patch fixing-infinite-open-loop-in-4.0-stateid-recovery.patch hpfs-hpfs_error-remove-static-buffer-use-vsprintf-extension-pv-instead.patch hpfs-kstrdup-out-of-memory-handling.patch nfs-always-update-creds-in-mirror-even-when-we-have-an-already-connected-ds.patch nfs-ensure-we-set-nfs_context_resend_writes-when-requeuing-writes.patch nfs-fix-potential-credential-leak-in-ff_layout_update_mirror_cred.patch nfs-increase-size-of-exchange_id-name-string-buffer.patch p9_client_write-avoid-double-p9_free_req.patch perf-bench-numa-fix-to-show-proper-convergence-stats.patch rbd-use-gfp_noio-in-rbd_obj_request_create.patch sunrpc-fix-a-memory-leak-in-the-backchannel-code.patch --- diff --git a/queue-4.1/9p-don-t-leave-a-half-initialized-inode-sitting-around.patch b/queue-4.1/9p-don-t-leave-a-half-initialized-inode-sitting-around.patch new file mode 100644 index 00000000000..90072d0c868 --- /dev/null +++ b/queue-4.1/9p-don-t-leave-a-half-initialized-inode-sitting-around.patch @@ -0,0 +1,41 @@ +From 0a73d0a204a4a04a1e110539c5a524ae51f91d6d Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 12 Jul 2015 10:34:29 -0400 +Subject: 9p: don't leave a half-initialized inode sitting around + +From: Al Viro + +commit 0a73d0a204a4a04a1e110539c5a524ae51f91d6d upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/9p/vfs_inode.c | 3 +-- + fs/9p/vfs_inode_dotl.c | 3 +-- + 2 files changed, 2 insertions(+), 4 deletions(-) + +--- a/fs/9p/vfs_inode.c ++++ b/fs/9p/vfs_inode.c +@@ -540,8 +540,7 @@ static struct inode *v9fs_qid_iget(struc + unlock_new_inode(inode); + return inode; + error: +- unlock_new_inode(inode); +- iput(inode); ++ iget_failed(inode); + return ERR_PTR(retval); + + } +--- a/fs/9p/vfs_inode_dotl.c ++++ b/fs/9p/vfs_inode_dotl.c +@@ -149,8 +149,7 @@ static struct inode *v9fs_qid_iget_dotl( + unlock_new_inode(inode); + return inode; + error: +- unlock_new_inode(inode); +- iput(inode); ++ iget_failed(inode); + return ERR_PTR(retval); + + } diff --git a/queue-4.1/9p-forgetting-to-cancel-request-on-interrupted-zero-copy-rpc.patch b/queue-4.1/9p-forgetting-to-cancel-request-on-interrupted-zero-copy-rpc.patch new file mode 100644 index 00000000000..2f7e666f642 --- /dev/null +++ b/queue-4.1/9p-forgetting-to-cancel-request-on-interrupted-zero-copy-rpc.patch @@ -0,0 +1,34 @@ +From a84b69cb6e0a41e86bc593904faa6def3b957343 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 4 Jul 2015 16:04:19 -0400 +Subject: 9p: forgetting to cancel request on interrupted zero-copy RPC + +From: Al Viro + +commit a84b69cb6e0a41e86bc593904faa6def3b957343 upstream. + +If we'd already sent a request and decide to abort it, we *must* +issue TFLUSH properly and not just blindly reuse the tag, or +we'll get seriously screwed when response eventually arrives +and we confuse it for response to later request that had reused +the same tag. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + net/9p/client.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -843,7 +843,8 @@ static struct p9_req_t *p9_client_zc_rpc + if (err < 0) { + if (err == -EIO) + c->status = Disconnected; +- goto reterr; ++ if (err != -ERESTARTSYS) ++ goto reterr; + } + if (req->status == REQ_STATUS_ERROR) { + p9_debug(P9_DEBUG_ERROR, "req_status error %d\n", req->t_err); diff --git a/queue-4.1/agp-intel-fix-typo-in-needs_ilk_vtd_wa.patch b/queue-4.1/agp-intel-fix-typo-in-needs_ilk_vtd_wa.patch new file mode 100644 index 00000000000..9996c4f2260 --- /dev/null +++ b/queue-4.1/agp-intel-fix-typo-in-needs_ilk_vtd_wa.patch @@ -0,0 +1,44 @@ +From 8b572a4200828b4e75cc22ed2f494b58d5372d65 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Sun, 28 Jun 2015 14:18:16 +0100 +Subject: agp/intel: Fix typo in needs_ilk_vtd_wa() + +From: Chris Wilson + +commit 8b572a4200828b4e75cc22ed2f494b58d5372d65 upstream. + +In needs_ilk_vtd_wa(), we pass in the GPU device but compared it against +the ids for the mobile GPU and the mobile host bridge. That latter is +impossible and so likely was just a typo for the desktop GPU device id +(which is also buggy). + +Fixes commit da88a5f7f7d434e2cde1b3e19d952e6d84533662 +Author: Chris Wilson +Date: Wed Feb 13 09:31:53 2013 +0000 + + drm/i915: Disable WC PTE updates to w/a buggy IOMMU on ILK + +Reported-by: Ting-Wei Lan +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=91127 +References: https://bugzilla.freedesktop.org/show_bug.cgi?id=60391 +Signed-off-by: Chris Wilson +Cc: Daniel Vetter +Reviewed-by: Daniel Vetter +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/agp/intel-gtt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/agp/intel-gtt.c ++++ b/drivers/char/agp/intel-gtt.c +@@ -581,7 +581,7 @@ static inline int needs_ilk_vtd_wa(void) + /* Query intel_iommu to see if we need the workaround. Presumably that + * was loaded first. + */ +- if ((gpu_devid == PCI_DEVICE_ID_INTEL_IRONLAKE_M_HB || ++ if ((gpu_devid == PCI_DEVICE_ID_INTEL_IRONLAKE_D_IG || + gpu_devid == PCI_DEVICE_ID_INTEL_IRONLAKE_M_IG) && + intel_iommu_gfx_mapped) + return 1; diff --git a/queue-4.1/arm-8393-1-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch b/queue-4.1/arm-8393-1-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch new file mode 100644 index 00000000000..b1af5789120 --- /dev/null +++ b/queue-4.1/arm-8393-1-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch @@ -0,0 +1,81 @@ +From 398f74569cebbf06bc6b069442bcd0e9616ca465 Mon Sep 17 00:00:00 2001 +From: Stephen Boyd +Date: Fri, 19 Jun 2015 21:37:56 +0100 +Subject: ARM: 8393/1: smp: Fix suspicious RCU usage with ipi tracepoints + +From: Stephen Boyd + +commit 398f74569cebbf06bc6b069442bcd0e9616ca465 upstream. + +John Stultz reports an RCU splat on boot with ARM ipi trace +events enabled. + +=============================== +[ INFO: suspicious RCU usage. ] +4.1.0-rc7-00033-gb5bed2f #153 Not tainted +------------------------------- +include/trace/events/ipi.h:68 suspicious rcu_dereference_check() usage! + +other info that might help us debug this: + +RCU used illegally from idle CPU! +rcu_scheduler_active = 1, debug_locks = 0 +RCU used illegally from extended quiescent state! +no locks held by swapper/0/0. + +stack backtrace: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.1.0-rc7-00033-gb5bed2f #153 +Hardware name: Qualcomm (Flattened Device Tree) +[] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (dump_stack+0x70/0xbc) +[] (dump_stack) from [] (handle_IPI+0x428/0x604) +[] (handle_IPI) from [] (gic_handle_irq+0x54/0x5c) +[] (gic_handle_irq) from [] (__irq_svc+0x44/0x7c) +Exception stack(0xc09f3f48 to 0xc09f3f90) +3f40: 00000001 00000001 00000000 c09f73b8 c09f4528 c0a5de9c +3f60: c076b4f0 00000000 00000000 c09ef108 c0a5cec1 00000001 00000000 c09f3f90 +3f80: c026bf60 c0210ab8 20000113 ffffffff +[] (__irq_svc) from [] (arch_cpu_idle+0x20/0x3c) +[] (arch_cpu_idle) from [] (cpu_startup_entry+0x2c0/0x5dc) +[] (cpu_startup_entry) from [] (start_kernel+0x358/0x3c4) +[] (start_kernel) from [<8020807c>] (0x8020807c) + +At this point in the IPI handling path we haven't called +irq_enter() yet, so RCU doesn't know that we're about to exit +idle and properly warns that we're using RCU from an idle CPU. +Use trace_ipi_entry_rcuidle() instead of trace_ipi_entry() so +that RCU is informed about our exit from idle. + +Fixes: 365ec7b17327 ("ARM: add IPI tracepoints") +Reported-by: John Stultz +Tested-by: John Stultz +Acked-by: Steven Rostedt +Reviewed-by: Paul E. McKenney +Signed-off-by: Stephen Boyd +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kernel/smp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/kernel/smp.c ++++ b/arch/arm/kernel/smp.c +@@ -576,7 +576,7 @@ void handle_IPI(int ipinr, struct pt_reg + struct pt_regs *old_regs = set_irq_regs(regs); + + if ((unsigned)ipinr < NR_IPI) { +- trace_ipi_entry(ipi_types[ipinr]); ++ trace_ipi_entry_rcuidle(ipi_types[ipinr]); + __inc_irq_stat(cpu, ipi_irqs[ipinr]); + } + +@@ -635,7 +635,7 @@ void handle_IPI(int ipinr, struct pt_reg + } + + if ((unsigned)ipinr < NR_IPI) +- trace_ipi_exit(ipi_types[ipinr]); ++ trace_ipi_exit_rcuidle(ipi_types[ipinr]); + set_irq_regs(old_regs); + } + diff --git a/queue-4.1/arm-8397-1-fix-vdsomunge-not-to-depend-on-glibc-specific-error.h.patch b/queue-4.1/arm-8397-1-fix-vdsomunge-not-to-depend-on-glibc-specific-error.h.patch new file mode 100644 index 00000000000..8f82c06ae6a --- /dev/null +++ b/queue-4.1/arm-8397-1-fix-vdsomunge-not-to-depend-on-glibc-specific-error.h.patch @@ -0,0 +1,167 @@ +From 13ee9fdba96577eb1583dcd7b15767ef623fae12 Mon Sep 17 00:00:00 2001 +From: Szabolcs Nagy +Date: Wed, 1 Jul 2015 23:08:10 +0100 +Subject: ARM: 8397/1: fix vdsomunge not to depend on glibc specific error.h + +From: Szabolcs Nagy + +commit 13ee9fdba96577eb1583dcd7b15767ef623fae12 upstream. + +If the host toolchain is not glibc based then the arm kernel build +fails with + + arch/arm/vdso/vdsomunge.c:53:19: fatal error: error.h: No such file or directory + +error.h is a glibc only header (ie not available in musl, newlib and +bsd libcs). Changed the error reporting to standard conforming code +to avoid depending on specific C implementations. + +Signed-off-by: Szabolcs Nagy +Acked-by: Will Deacon +Fixes: 8512287a8165 ("ARM: 8330/1: add VDSO user-space code") +Signed-off-by: Nathan Lynch +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/vdso/vdsomunge.c | 56 +++++++++++++++++++++++++++------------------- + 1 file changed, 33 insertions(+), 23 deletions(-) + +--- a/arch/arm/vdso/vdsomunge.c ++++ b/arch/arm/vdso/vdsomunge.c +@@ -45,13 +45,11 @@ + * it does. + */ + +-#define _GNU_SOURCE +- + #include + #include + #include +-#include + #include ++#include + #include + #include + #include +@@ -82,11 +80,25 @@ + #define EF_ARM_ABI_FLOAT_HARD 0x400 + #endif + ++static int failed; ++static const char *argv0; + static const char *outfile; + ++static void fail(const char *fmt, ...) ++{ ++ va_list ap; ++ ++ failed = 1; ++ fprintf(stderr, "%s: ", argv0); ++ va_start(ap, fmt); ++ vfprintf(stderr, fmt, ap); ++ va_end(ap); ++ exit(EXIT_FAILURE); ++} ++ + static void cleanup(void) + { +- if (error_message_count > 0 && outfile != NULL) ++ if (failed && outfile != NULL) + unlink(outfile); + } + +@@ -119,68 +131,66 @@ int main(int argc, char **argv) + int infd; + + atexit(cleanup); ++ argv0 = argv[0]; + + if (argc != 3) +- error(EXIT_FAILURE, 0, "Usage: %s [infile] [outfile]", argv[0]); ++ fail("Usage: %s [infile] [outfile]\n", argv[0]); + + infile = argv[1]; + outfile = argv[2]; + + infd = open(infile, O_RDONLY); + if (infd < 0) +- error(EXIT_FAILURE, errno, "Cannot open %s", infile); ++ fail("Cannot open %s: %s\n", infile, strerror(errno)); + + if (fstat(infd, &stat) != 0) +- error(EXIT_FAILURE, errno, "Failed stat for %s", infile); ++ fail("Failed stat for %s: %s\n", infile, strerror(errno)); + + inbuf = mmap(NULL, stat.st_size, PROT_READ, MAP_PRIVATE, infd, 0); + if (inbuf == MAP_FAILED) +- error(EXIT_FAILURE, errno, "Failed to map %s", infile); ++ fail("Failed to map %s: %s\n", infile, strerror(errno)); + + close(infd); + + inhdr = inbuf; + + if (memcmp(&inhdr->e_ident, ELFMAG, SELFMAG) != 0) +- error(EXIT_FAILURE, 0, "Not an ELF file"); ++ fail("Not an ELF file\n"); + + if (inhdr->e_ident[EI_CLASS] != ELFCLASS32) +- error(EXIT_FAILURE, 0, "Unsupported ELF class"); ++ fail("Unsupported ELF class\n"); + + swap = inhdr->e_ident[EI_DATA] != HOST_ORDER; + + if (read_elf_half(inhdr->e_type, swap) != ET_DYN) +- error(EXIT_FAILURE, 0, "Not a shared object"); ++ fail("Not a shared object\n"); + +- if (read_elf_half(inhdr->e_machine, swap) != EM_ARM) { +- error(EXIT_FAILURE, 0, "Unsupported architecture %#x", +- inhdr->e_machine); +- } ++ if (read_elf_half(inhdr->e_machine, swap) != EM_ARM) ++ fail("Unsupported architecture %#x\n", inhdr->e_machine); + + e_flags = read_elf_word(inhdr->e_flags, swap); + + if (EF_ARM_EABI_VERSION(e_flags) != EF_ARM_EABI_VER5) { +- error(EXIT_FAILURE, 0, "Unsupported EABI version %#x", +- EF_ARM_EABI_VERSION(e_flags)); ++ fail("Unsupported EABI version %#x\n", ++ EF_ARM_EABI_VERSION(e_flags)); + } + + if (e_flags & EF_ARM_ABI_FLOAT_HARD) +- error(EXIT_FAILURE, 0, +- "Unexpected hard-float flag set in e_flags"); ++ fail("Unexpected hard-float flag set in e_flags\n"); + + clear_soft_float = !!(e_flags & EF_ARM_ABI_FLOAT_SOFT); + + outfd = open(outfile, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR); + if (outfd < 0) +- error(EXIT_FAILURE, errno, "Cannot open %s", outfile); ++ fail("Cannot open %s: %s\n", outfile, strerror(errno)); + + if (ftruncate(outfd, stat.st_size) != 0) +- error(EXIT_FAILURE, errno, "Cannot truncate %s", outfile); ++ fail("Cannot truncate %s: %s\n", outfile, strerror(errno)); + + outbuf = mmap(NULL, stat.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, + outfd, 0); + if (outbuf == MAP_FAILED) +- error(EXIT_FAILURE, errno, "Failed to map %s", outfile); ++ fail("Failed to map %s: %s\n", outfile, strerror(errno)); + + close(outfd); + +@@ -195,7 +205,7 @@ int main(int argc, char **argv) + } + + if (msync(outbuf, stat.st_size, MS_SYNC) != 0) +- error(EXIT_FAILURE, errno, "Failed to sync %s", outfile); ++ fail("Failed to sync %s: %s\n", outfile, strerror(errno)); + + return EXIT_SUCCESS; + } diff --git a/queue-4.1/arm-dove-fix-legacy-dove-irq-numbers.patch b/queue-4.1/arm-dove-fix-legacy-dove-irq-numbers.patch new file mode 100644 index 00000000000..38707afec6e --- /dev/null +++ b/queue-4.1/arm-dove-fix-legacy-dove-irq-numbers.patch @@ -0,0 +1,191 @@ +From 5d6bed2a9c8bc161bff4cc7cede00f2e0e27a7e7 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Mon, 22 Jun 2015 18:39:43 +0100 +Subject: ARM: dove: fix legacy dove IRQ numbers + +From: Russell King + +commit 5d6bed2a9c8bc161bff4cc7cede00f2e0e27a7e7 upstream. + +v3.18 changed handle_IRQ() to call __handle_domain_irq(), which now +rejects attempts to deliver IRQ0. Since IRQ 0 is used as the timer +interrupt (just like the PIT on x86), this causes boot to fail as the +bogomips calibration never completes. + +Fix this by shuffling all interrupts up by one. + +Fixes: a71b092a9c68 ("ARM: Convert handle_IRQ to use __handle_domain_irq") +Signed-off-by: Russell King +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-dove/include/mach/irqs.h | 118 ++++++++++++++++----------------- + arch/arm/mach-dove/irq.c | 8 +- + 2 files changed, 63 insertions(+), 63 deletions(-) + +--- a/arch/arm/mach-dove/include/mach/irqs.h ++++ b/arch/arm/mach-dove/include/mach/irqs.h +@@ -14,73 +14,73 @@ + /* + * Dove Low Interrupt Controller + */ +-#define IRQ_DOVE_BRIDGE 0 +-#define IRQ_DOVE_H2C 1 +-#define IRQ_DOVE_C2H 2 +-#define IRQ_DOVE_NAND 3 +-#define IRQ_DOVE_PDMA 4 +-#define IRQ_DOVE_SPI1 5 +-#define IRQ_DOVE_SPI0 6 +-#define IRQ_DOVE_UART_0 7 +-#define IRQ_DOVE_UART_1 8 +-#define IRQ_DOVE_UART_2 9 +-#define IRQ_DOVE_UART_3 10 +-#define IRQ_DOVE_I2C 11 +-#define IRQ_DOVE_GPIO_0_7 12 +-#define IRQ_DOVE_GPIO_8_15 13 +-#define IRQ_DOVE_GPIO_16_23 14 +-#define IRQ_DOVE_PCIE0_ERR 15 +-#define IRQ_DOVE_PCIE0 16 +-#define IRQ_DOVE_PCIE1_ERR 17 +-#define IRQ_DOVE_PCIE1 18 +-#define IRQ_DOVE_I2S0 19 +-#define IRQ_DOVE_I2S0_ERR 20 +-#define IRQ_DOVE_I2S1 21 +-#define IRQ_DOVE_I2S1_ERR 22 +-#define IRQ_DOVE_USB_ERR 23 +-#define IRQ_DOVE_USB0 24 +-#define IRQ_DOVE_USB1 25 +-#define IRQ_DOVE_GE00_RX 26 +-#define IRQ_DOVE_GE00_TX 27 +-#define IRQ_DOVE_GE00_MISC 28 +-#define IRQ_DOVE_GE00_SUM 29 +-#define IRQ_DOVE_GE00_ERR 30 +-#define IRQ_DOVE_CRYPTO 31 ++#define IRQ_DOVE_BRIDGE (1 + 0) ++#define IRQ_DOVE_H2C (1 + 1) ++#define IRQ_DOVE_C2H (1 + 2) ++#define IRQ_DOVE_NAND (1 + 3) ++#define IRQ_DOVE_PDMA (1 + 4) ++#define IRQ_DOVE_SPI1 (1 + 5) ++#define IRQ_DOVE_SPI0 (1 + 6) ++#define IRQ_DOVE_UART_0 (1 + 7) ++#define IRQ_DOVE_UART_1 (1 + 8) ++#define IRQ_DOVE_UART_2 (1 + 9) ++#define IRQ_DOVE_UART_3 (1 + 10) ++#define IRQ_DOVE_I2C (1 + 11) ++#define IRQ_DOVE_GPIO_0_7 (1 + 12) ++#define IRQ_DOVE_GPIO_8_15 (1 + 13) ++#define IRQ_DOVE_GPIO_16_23 (1 + 14) ++#define IRQ_DOVE_PCIE0_ERR (1 + 15) ++#define IRQ_DOVE_PCIE0 (1 + 16) ++#define IRQ_DOVE_PCIE1_ERR (1 + 17) ++#define IRQ_DOVE_PCIE1 (1 + 18) ++#define IRQ_DOVE_I2S0 (1 + 19) ++#define IRQ_DOVE_I2S0_ERR (1 + 20) ++#define IRQ_DOVE_I2S1 (1 + 21) ++#define IRQ_DOVE_I2S1_ERR (1 + 22) ++#define IRQ_DOVE_USB_ERR (1 + 23) ++#define IRQ_DOVE_USB0 (1 + 24) ++#define IRQ_DOVE_USB1 (1 + 25) ++#define IRQ_DOVE_GE00_RX (1 + 26) ++#define IRQ_DOVE_GE00_TX (1 + 27) ++#define IRQ_DOVE_GE00_MISC (1 + 28) ++#define IRQ_DOVE_GE00_SUM (1 + 29) ++#define IRQ_DOVE_GE00_ERR (1 + 30) ++#define IRQ_DOVE_CRYPTO (1 + 31) + + /* + * Dove High Interrupt Controller + */ +-#define IRQ_DOVE_AC97 32 +-#define IRQ_DOVE_PMU 33 +-#define IRQ_DOVE_CAM 34 +-#define IRQ_DOVE_SDIO0 35 +-#define IRQ_DOVE_SDIO1 36 +-#define IRQ_DOVE_SDIO0_WAKEUP 37 +-#define IRQ_DOVE_SDIO1_WAKEUP 38 +-#define IRQ_DOVE_XOR_00 39 +-#define IRQ_DOVE_XOR_01 40 +-#define IRQ_DOVE_XOR0_ERR 41 +-#define IRQ_DOVE_XOR_10 42 +-#define IRQ_DOVE_XOR_11 43 +-#define IRQ_DOVE_XOR1_ERR 44 +-#define IRQ_DOVE_LCD_DCON 45 +-#define IRQ_DOVE_LCD1 46 +-#define IRQ_DOVE_LCD0 47 +-#define IRQ_DOVE_GPU 48 +-#define IRQ_DOVE_PERFORM_MNTR 49 +-#define IRQ_DOVE_VPRO_DMA1 51 +-#define IRQ_DOVE_SSP_TIMER 54 +-#define IRQ_DOVE_SSP 55 +-#define IRQ_DOVE_MC_L2_ERR 56 +-#define IRQ_DOVE_CRYPTO_ERR 59 +-#define IRQ_DOVE_GPIO_24_31 60 +-#define IRQ_DOVE_HIGH_GPIO 61 +-#define IRQ_DOVE_SATA 62 ++#define IRQ_DOVE_AC97 (1 + 32) ++#define IRQ_DOVE_PMU (1 + 33) ++#define IRQ_DOVE_CAM (1 + 34) ++#define IRQ_DOVE_SDIO0 (1 + 35) ++#define IRQ_DOVE_SDIO1 (1 + 36) ++#define IRQ_DOVE_SDIO0_WAKEUP (1 + 37) ++#define IRQ_DOVE_SDIO1_WAKEUP (1 + 38) ++#define IRQ_DOVE_XOR_00 (1 + 39) ++#define IRQ_DOVE_XOR_01 (1 + 40) ++#define IRQ_DOVE_XOR0_ERR (1 + 41) ++#define IRQ_DOVE_XOR_10 (1 + 42) ++#define IRQ_DOVE_XOR_11 (1 + 43) ++#define IRQ_DOVE_XOR1_ERR (1 + 44) ++#define IRQ_DOVE_LCD_DCON (1 + 45) ++#define IRQ_DOVE_LCD1 (1 + 46) ++#define IRQ_DOVE_LCD0 (1 + 47) ++#define IRQ_DOVE_GPU (1 + 48) ++#define IRQ_DOVE_PERFORM_MNTR (1 + 49) ++#define IRQ_DOVE_VPRO_DMA1 (1 + 51) ++#define IRQ_DOVE_SSP_TIMER (1 + 54) ++#define IRQ_DOVE_SSP (1 + 55) ++#define IRQ_DOVE_MC_L2_ERR (1 + 56) ++#define IRQ_DOVE_CRYPTO_ERR (1 + 59) ++#define IRQ_DOVE_GPIO_24_31 (1 + 60) ++#define IRQ_DOVE_HIGH_GPIO (1 + 61) ++#define IRQ_DOVE_SATA (1 + 62) + + /* + * DOVE General Purpose Pins + */ +-#define IRQ_DOVE_GPIO_START 64 ++#define IRQ_DOVE_GPIO_START 65 + #define NR_GPIO_IRQS 64 + + /* +--- a/arch/arm/mach-dove/irq.c ++++ b/arch/arm/mach-dove/irq.c +@@ -126,14 +126,14 @@ __exception_irq_entry dove_legacy_handle + stat = readl_relaxed(dove_irq_base + IRQ_CAUSE_LOW_OFF); + stat &= readl_relaxed(dove_irq_base + IRQ_MASK_LOW_OFF); + if (stat) { +- unsigned int hwirq = __fls(stat); ++ unsigned int hwirq = 1 + __fls(stat); + handle_IRQ(hwirq, regs); + return; + } + stat = readl_relaxed(dove_irq_base + IRQ_CAUSE_HIGH_OFF); + stat &= readl_relaxed(dove_irq_base + IRQ_MASK_HIGH_OFF); + if (stat) { +- unsigned int hwirq = 32 + __fls(stat); ++ unsigned int hwirq = 33 + __fls(stat); + handle_IRQ(hwirq, regs); + return; + } +@@ -144,8 +144,8 @@ void __init dove_init_irq(void) + { + int i; + +- orion_irq_init(0, IRQ_VIRT_BASE + IRQ_MASK_LOW_OFF); +- orion_irq_init(32, IRQ_VIRT_BASE + IRQ_MASK_HIGH_OFF); ++ orion_irq_init(1, IRQ_VIRT_BASE + IRQ_MASK_LOW_OFF); ++ orion_irq_init(33, IRQ_VIRT_BASE + IRQ_MASK_HIGH_OFF); + + #ifdef CONFIG_MULTI_IRQ_HANDLER + set_handle_irq(dove_legacy_handle_irq); diff --git a/queue-4.1/arm64-bpf-fix-endianness-conversion-bugs.patch b/queue-4.1/arm64-bpf-fix-endianness-conversion-bugs.patch new file mode 100644 index 00000000000..767c9b4bad1 --- /dev/null +++ b/queue-4.1/arm64-bpf-fix-endianness-conversion-bugs.patch @@ -0,0 +1,90 @@ +From d63903bbc30c7ccad040851dfdb4da12d9a17bcf Mon Sep 17 00:00:00 2001 +From: Xi Wang +Date: Thu, 25 Jun 2015 18:39:15 -0700 +Subject: arm64: bpf: fix endianness conversion bugs + +From: Xi Wang + +commit d63903bbc30c7ccad040851dfdb4da12d9a17bcf upstream. + +Upper bits should be zeroed in endianness conversion: + +- even when there's no need to change endianness (i.e., BPF_FROM_BE + on big endian or BPF_FROM_LE on little endian); + +- after rev16. + +This patch fixes such bugs by emitting extra instructions to clear +upper bits. + +Cc: Zi Shen Lim +Acked-by: Alexei Starovoitov +Fixes: e54bcde3d69d ("arm64: eBPF JIT compiler") +Signed-off-by: Xi Wang +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/net/bpf_jit.h | 4 ++++ + arch/arm64/net/bpf_jit_comp.c | 22 ++++++++++++++++++++-- + 2 files changed, 24 insertions(+), 2 deletions(-) + +--- a/arch/arm64/net/bpf_jit.h ++++ b/arch/arm64/net/bpf_jit.h +@@ -110,6 +110,10 @@ + /* Rd = Rn >> shift; signed */ + #define A64_ASR(sf, Rd, Rn, shift) A64_SBFM(sf, Rd, Rn, shift, (sf) ? 63 : 31) + ++/* Zero extend */ ++#define A64_UXTH(sf, Rd, Rn) A64_UBFM(sf, Rd, Rn, 0, 15) ++#define A64_UXTW(sf, Rd, Rn) A64_UBFM(sf, Rd, Rn, 0, 31) ++ + /* Move wide (immediate) */ + #define A64_MOVEW(sf, Rd, imm16, shift, type) \ + aarch64_insn_gen_movewide(Rd, imm16, shift, \ +--- a/arch/arm64/net/bpf_jit_comp.c ++++ b/arch/arm64/net/bpf_jit_comp.c +@@ -289,23 +289,41 @@ static int build_insn(const struct bpf_i + case BPF_ALU | BPF_END | BPF_FROM_BE: + #ifdef CONFIG_CPU_BIG_ENDIAN + if (BPF_SRC(code) == BPF_FROM_BE) +- break; ++ goto emit_bswap_uxt; + #else /* !CONFIG_CPU_BIG_ENDIAN */ + if (BPF_SRC(code) == BPF_FROM_LE) +- break; ++ goto emit_bswap_uxt; + #endif + switch (imm) { + case 16: + emit(A64_REV16(is64, dst, dst), ctx); ++ /* zero-extend 16 bits into 64 bits */ ++ emit(A64_UXTH(is64, dst, dst), ctx); + break; + case 32: + emit(A64_REV32(is64, dst, dst), ctx); ++ /* upper 32 bits already cleared */ + break; + case 64: + emit(A64_REV64(dst, dst), ctx); + break; + } + break; ++emit_bswap_uxt: ++ switch (imm) { ++ case 16: ++ /* zero-extend 16 bits into 64 bits */ ++ emit(A64_UXTH(is64, dst, dst), ctx); ++ break; ++ case 32: ++ /* zero-extend 32 bits into 64 bits */ ++ emit(A64_UXTW(is64, dst, dst), ctx); ++ break; ++ case 64: ++ /* nop */ ++ break; ++ } ++ break; + /* dst = imm */ + case BPF_ALU | BPF_MOV | BPF_K: + case BPF_ALU64 | BPF_MOV | BPF_K: diff --git a/queue-4.1/arm64-bpf-fix-out-of-bounds-read-in-bpf2a64_offset.patch b/queue-4.1/arm64-bpf-fix-out-of-bounds-read-in-bpf2a64_offset.patch new file mode 100644 index 00000000000..dd98dbf77de --- /dev/null +++ b/queue-4.1/arm64-bpf-fix-out-of-bounds-read-in-bpf2a64_offset.patch @@ -0,0 +1,57 @@ +From 8eee539ddea09bccae2426f09b0ba6a18b72b691 Mon Sep 17 00:00:00 2001 +From: Xi Wang +Date: Thu, 25 Jun 2015 05:47:39 -0700 +Subject: arm64: bpf: fix out-of-bounds read in bpf2a64_offset() + +From: Xi Wang + +commit 8eee539ddea09bccae2426f09b0ba6a18b72b691 upstream. + +Problems occur when bpf_to or bpf_from has value prog->len - 1 (e.g., +"Very long jump backwards" in test_bpf where the last instruction is a +jump): since ctx->offset has length prog->len, ctx->offset[bpf_to + 1] +or ctx->offset[bpf_from + 1] will cause an out-of-bounds read, leading +to a bogus jump offset and kernel panic. + +This patch moves updating ctx->offset to after calling build_insn(), +and changes indexing to use bpf_to and bpf_from without + 1. + +Fixes: e54bcde3d69d ("arm64: eBPF JIT compiler") +Cc: Zi Shen Lim +Cc: Will Deacon +Acked-by: Alexei Starovoitov +Signed-off-by: Xi Wang +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/net/bpf_jit_comp.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/arch/arm64/net/bpf_jit_comp.c ++++ b/arch/arm64/net/bpf_jit_comp.c +@@ -113,9 +113,9 @@ static inline void emit_a64_mov_i(const + static inline int bpf2a64_offset(int bpf_to, int bpf_from, + const struct jit_ctx *ctx) + { +- int to = ctx->offset[bpf_to + 1]; ++ int to = ctx->offset[bpf_to]; + /* -1 to account for the Branch instruction */ +- int from = ctx->offset[bpf_from + 1] - 1; ++ int from = ctx->offset[bpf_from] - 1; + + return to - from; + } +@@ -640,10 +640,11 @@ static int build_body(struct jit_ctx *ct + const struct bpf_insn *insn = &prog->insnsi[i]; + int ret; + ++ ret = build_insn(insn, ctx); ++ + if (ctx->image == NULL) + ctx->offset[i] = ctx->idx; + +- ret = build_insn(insn, ctx); + if (ret > 0) { + i++; + continue; diff --git a/queue-4.1/arm64-don-t-report-clear-pmds-and-puds-as-huge.patch b/queue-4.1/arm64-don-t-report-clear-pmds-and-puds-as-huge.patch new file mode 100644 index 00000000000..0dac1e280ee --- /dev/null +++ b/queue-4.1/arm64-don-t-report-clear-pmds-and-puds-as-huge.patch @@ -0,0 +1,48 @@ +From fd28f5d439fca77348c129d5b73043a56f8a0296 Mon Sep 17 00:00:00 2001 +From: Christoffer Dall +Date: Wed, 1 Jul 2015 14:08:31 +0200 +Subject: arm64: Don't report clear pmds and puds as huge + +From: Christoffer Dall + +commit fd28f5d439fca77348c129d5b73043a56f8a0296 upstream. + +The current pmd_huge() and pud_huge() functions simply check if the table +bit is not set and reports the entries as huge in that case. This is +counter-intuitive as a clear pmd/pud cannot also be a huge pmd/pud, and +it is inconsistent with at least arm and x86. + +To prevent others from making the same mistake as me in looking at code +that calls these functions and to fix an issue with KVM on arm64 that +causes memory corruption due to incorrect page reference counting +resulting from this mistake, let's change the behavior. + +Signed-off-by: Christoffer Dall +Reviewed-by: Steve Capper +Acked-by: Marc Zyngier +Fixes: 084bd29810a5 ("ARM64: mm: HugeTLB support.") +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/mm/hugetlbpage.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/mm/hugetlbpage.c ++++ b/arch/arm64/mm/hugetlbpage.c +@@ -40,13 +40,13 @@ int huge_pmd_unshare(struct mm_struct *m + + int pmd_huge(pmd_t pmd) + { +- return !(pmd_val(pmd) & PMD_TABLE_BIT); ++ return pmd_val(pmd) && !(pmd_val(pmd) & PMD_TABLE_BIT); + } + + int pud_huge(pud_t pud) + { + #ifndef __PAGETABLE_PMD_FOLDED +- return !(pud_val(pud) & PUD_TABLE_BIT); ++ return pud_val(pud) && !(pud_val(pud) & PUD_TABLE_BIT); + #else + return 0; + #endif diff --git a/queue-4.1/arm64-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch b/queue-4.1/arm64-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch new file mode 100644 index 00000000000..3e56905ce4f --- /dev/null +++ b/queue-4.1/arm64-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch @@ -0,0 +1,51 @@ +From be081d9bf3e163a9ed1ca2f0f14f08424c7f9016 Mon Sep 17 00:00:00 2001 +From: Stephen Boyd +Date: Wed, 24 Jun 2015 13:14:18 -0700 +Subject: ARM64: smp: Fix suspicious RCU usage with ipi tracepoints + +From: Stephen Boyd + +commit be081d9bf3e163a9ed1ca2f0f14f08424c7f9016 upstream. + +John Stultz reported an RCU splat on ARM with ipi trace events +enabled. It looks like the same problem exists on ARM64. + +At this point in the IPI handling path we haven't called +irq_enter() yet, so RCU doesn't know that we're about to exit +idle and properly warns that we're using RCU from an idle CPU. +Use trace_ipi_entry_rcuidle() instead of trace_ipi_entry() so +that RCU is informed about our exit from idle. + +Cc: John Stultz +Cc: Nicolas Pitre +Acked-by: Steven Rostedt +Reviewed-by: Paul E. McKenney +Fixes: 45ed695ac10a ("ARM64: add IPI tracepoints") +Signed-off-by: Stephen Boyd +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/smp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/kernel/smp.c ++++ b/arch/arm64/kernel/smp.c +@@ -569,7 +569,7 @@ void handle_IPI(int ipinr, struct pt_reg + struct pt_regs *old_regs = set_irq_regs(regs); + + if ((unsigned)ipinr < NR_IPI) { +- trace_ipi_entry(ipi_types[ipinr]); ++ trace_ipi_entry_rcuidle(ipi_types[ipinr]); + __inc_irq_stat(cpu, ipi_irqs[ipinr]); + } + +@@ -612,7 +612,7 @@ void handle_IPI(int ipinr, struct pt_reg + } + + if ((unsigned)ipinr < NR_IPI) +- trace_ipi_exit(ipi_types[ipinr]); ++ trace_ipi_exit_rcuidle(ipi_types[ipinr]); + set_irq_regs(old_regs); + } + diff --git a/queue-4.1/edac-octeon-fix-broken-build-due-to-model-helper-renames.patch b/queue-4.1/edac-octeon-fix-broken-build-due-to-model-helper-renames.patch new file mode 100644 index 00000000000..879b759ef71 --- /dev/null +++ b/queue-4.1/edac-octeon-fix-broken-build-due-to-model-helper-renames.patch @@ -0,0 +1,65 @@ +From 75a15a7864c9e281c74a1670b10b69d1d7ff1c82 Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Wed, 1 Jul 2015 13:38:52 +0300 +Subject: EDAC, octeon: Fix broken build due to model helper renames + +From: Aaro Koskinen + +commit 75a15a7864c9e281c74a1670b10b69d1d7ff1c82 upstream. + +Commit + + debe6a623d3c ("MIPS: OCTEON: Update octeon-model.h code for new SoCs.") + +renamed some SoC model helper functions, but forgot to update the EDAC +drivers resulting in build failures. Fix that. + +Signed-off-by: Aaro Koskinen +Acked-by: David Daney +Cc: Mauro Carvalho Chehab +Cc: Ralf Baechle +Cc: linux-edac +Cc: linux-mips@linux-mips.org +Link: http://lkml.kernel.org/r/1435747132-10954-1-git-send-email-aaro.koskinen@nokia.com +Signed-off-by: Borislav Petkov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/octeon_edac-l2c.c | 2 +- + drivers/edac/octeon_edac-lmc.c | 2 +- + drivers/edac/octeon_edac-pc.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/edac/octeon_edac-l2c.c ++++ b/drivers/edac/octeon_edac-l2c.c +@@ -151,7 +151,7 @@ static int octeon_l2c_probe(struct platf + l2c->ctl_name = "octeon_l2c_err"; + + +- if (OCTEON_IS_MODEL(OCTEON_FAM_1_PLUS)) { ++ if (OCTEON_IS_OCTEON1PLUS()) { + union cvmx_l2t_err l2t_err; + union cvmx_l2d_err l2d_err; + +--- a/drivers/edac/octeon_edac-lmc.c ++++ b/drivers/edac/octeon_edac-lmc.c +@@ -234,7 +234,7 @@ static int octeon_lmc_edac_probe(struct + layers[0].size = 1; + layers[0].is_virt_csrow = false; + +- if (OCTEON_IS_MODEL(OCTEON_FAM_1_PLUS)) { ++ if (OCTEON_IS_OCTEON1PLUS()) { + union cvmx_lmcx_mem_cfg0 cfg0; + + cfg0.u64 = cvmx_read_csr(CVMX_LMCX_MEM_CFG0(0)); +--- a/drivers/edac/octeon_edac-pc.c ++++ b/drivers/edac/octeon_edac-pc.c +@@ -73,7 +73,7 @@ static int co_cache_error_event(struct + edac_device_handle_ce(p->ed, cpu, 0, "dcache"); + + /* Clear the error indication */ +- if (OCTEON_IS_MODEL(OCTEON_FAM_2)) ++ if (OCTEON_IS_OCTEON2()) + write_octeon_c0_dcacheerr(1); + else + write_octeon_c0_dcacheerr(0); diff --git a/queue-4.1/fix-firmware-loader-uevent-buffer-null-pointer-dereference.patch b/queue-4.1/fix-firmware-loader-uevent-buffer-null-pointer-dereference.patch new file mode 100644 index 00000000000..634c0fde206 --- /dev/null +++ b/queue-4.1/fix-firmware-loader-uevent-buffer-null-pointer-dereference.patch @@ -0,0 +1,61 @@ +From 6f957724b94cb19f5c1c97efd01dd4df8ced323c Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Thu, 9 Jul 2015 11:20:01 -0700 +Subject: Fix firmware loader uevent buffer NULL pointer dereference + +From: Linus Torvalds + +commit 6f957724b94cb19f5c1c97efd01dd4df8ced323c upstream. + +The firmware class uevent function accessed the "fw_priv->buf" buffer +without the proper locking and testing for NULL. This is an old bug +(looks like it goes back to 2012 and commit 1244691c73b2: "firmware +loader: introduce firmware_buf"), but for some reason it's triggering +only now in 4.2-rc1. + +Shuah Khan is trying to bisect what it is that causes this to trigger +more easily, but in the meantime let's just fix the bug since others are +hitting it too (at least Ingo reports having seen it as well). + +Reported-and-tested-by: Shuah Khan +Acked-by: Ming Lei +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/firmware_class.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/base/firmware_class.c ++++ b/drivers/base/firmware_class.c +@@ -544,10 +544,8 @@ static void fw_dev_release(struct device + kfree(fw_priv); + } + +-static int firmware_uevent(struct device *dev, struct kobj_uevent_env *env) ++static int do_firmware_uevent(struct firmware_priv *fw_priv, struct kobj_uevent_env *env) + { +- struct firmware_priv *fw_priv = to_firmware_priv(dev); +- + if (add_uevent_var(env, "FIRMWARE=%s", fw_priv->buf->fw_id)) + return -ENOMEM; + if (add_uevent_var(env, "TIMEOUT=%i", loading_timeout)) +@@ -558,6 +556,18 @@ static int firmware_uevent(struct device + return 0; + } + ++static int firmware_uevent(struct device *dev, struct kobj_uevent_env *env) ++{ ++ struct firmware_priv *fw_priv = to_firmware_priv(dev); ++ int err = 0; ++ ++ mutex_lock(&fw_lock); ++ if (fw_priv->buf) ++ err = do_firmware_uevent(fw_priv, env); ++ mutex_unlock(&fw_lock); ++ return err; ++} ++ + static struct class firmware_class = { + .name = "firmware", + .class_attrs = firmware_class_attrs, diff --git a/queue-4.1/fixing-infinite-open-loop-in-4.0-stateid-recovery.patch b/queue-4.1/fixing-infinite-open-loop-in-4.0-stateid-recovery.patch new file mode 100644 index 00000000000..acb5f390094 --- /dev/null +++ b/queue-4.1/fixing-infinite-open-loop-in-4.0-stateid-recovery.patch @@ -0,0 +1,40 @@ +From e8d975e73e5fa05f983fbf2723120edcf68e0b38 Mon Sep 17 00:00:00 2001 +From: Olga Kornievskaia +Date: Fri, 15 May 2015 11:45:31 -0400 +Subject: fixing infinite OPEN loop in 4.0 stateid recovery + +From: Olga Kornievskaia + +commit e8d975e73e5fa05f983fbf2723120edcf68e0b38 upstream. + +Problem: When an operation like WRITE receives a BAD_STATEID, even though +recovery code clears the RECLAIM_NOGRACE recovery flag before recovering +the open state, because of clearing delegation state for the associated +inode, nfs_inode_find_state_and_recover() gets called and it makes the +same state with RECLAIM_NOGRACE flag again. As a results, when we restart +looking over the open states, we end up in the infinite loop instead of +breaking out in the next test of state flags. + +Solution: unset the RECLAIM_NOGRACE set because of +calling of nfs_inode_find_state_and_recover() after returning from calling +recover_open() function. + +Signed-off-by: Olga Kornievskaia +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4state.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -1482,6 +1482,8 @@ restart: + spin_unlock(&state->state_lock); + } + nfs4_put_open_state(state); ++ clear_bit(NFS4CLNT_RECLAIM_NOGRACE, ++ &state->flags); + spin_lock(&sp->so_lock); + goto restart; + } diff --git a/queue-4.1/hpfs-hpfs_error-remove-static-buffer-use-vsprintf-extension-pv-instead.patch b/queue-4.1/hpfs-hpfs_error-remove-static-buffer-use-vsprintf-extension-pv-instead.patch new file mode 100644 index 00000000000..10b25d1a573 --- /dev/null +++ b/queue-4.1/hpfs-hpfs_error-remove-static-buffer-use-vsprintf-extension-pv-instead.patch @@ -0,0 +1,48 @@ +From a28e4b2b18ccb90df402da3f21e1a83c9d4f8ec1 Mon Sep 17 00:00:00 2001 +From: Joe Perches +Date: Thu, 26 Mar 2015 20:47:10 -0700 +Subject: hpfs: hpfs_error: Remove static buffer, use vsprintf extension %pV instead + +From: Joe Perches + +commit a28e4b2b18ccb90df402da3f21e1a83c9d4f8ec1 upstream. + +Removing unnecessary static buffers is good. +Use the vsprintf %pV extension instead. + +Signed-off-by: Joe Perches +Signed-off-by: Mikulas Patocka +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/hpfs/super.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/fs/hpfs/super.c ++++ b/fs/hpfs/super.c +@@ -52,17 +52,20 @@ static void unmark_dirty(struct super_bl + } + + /* Filesystem error... */ +-static char err_buf[1024]; +- + void hpfs_error(struct super_block *s, const char *fmt, ...) + { ++ struct va_format vaf; + va_list args; + + va_start(args, fmt); +- vsnprintf(err_buf, sizeof(err_buf), fmt, args); ++ ++ vaf.fmt = fmt; ++ vaf.va = &args; ++ ++ pr_err("filesystem error: %pV", &vaf); ++ + va_end(args); + +- pr_err("filesystem error: %s", err_buf); + if (!hpfs_sb(s)->sb_was_error) { + if (hpfs_sb(s)->sb_err == 2) { + pr_cont("; crashing the system because you wanted it\n"); diff --git a/queue-4.1/hpfs-kstrdup-out-of-memory-handling.patch b/queue-4.1/hpfs-kstrdup-out-of-memory-handling.patch new file mode 100644 index 00000000000..4857e5add38 --- /dev/null +++ b/queue-4.1/hpfs-kstrdup-out-of-memory-handling.patch @@ -0,0 +1,40 @@ +From ce657611baf902f14ae559ce4e0787ead6712067 Mon Sep 17 00:00:00 2001 +From: Sanidhya Kashyap +Date: Sat, 21 Mar 2015 12:57:50 -0400 +Subject: hpfs: kstrdup() out of memory handling + +From: Sanidhya Kashyap + +commit ce657611baf902f14ae559ce4e0787ead6712067 upstream. + +There is a possibility of nothing being allocated to the new_opts in +case of memory pressure, therefore return ENOMEM for such case. + +Signed-off-by: Sanidhya Kashyap +Signed-off-by: Mikulas Patocka +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/hpfs/super.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/hpfs/super.c ++++ b/fs/hpfs/super.c +@@ -424,11 +424,14 @@ static int hpfs_remount_fs(struct super_ + int o; + struct hpfs_sb_info *sbi = hpfs_sb(s); + char *new_opts = kstrdup(data, GFP_KERNEL); +- ++ ++ if (!new_opts) ++ return -ENOMEM; ++ + sync_filesystem(s); + + *flags |= MS_NOATIME; +- ++ + hpfs_lock(s); + uid = sbi->sb_uid; gid = sbi->sb_gid; + umask = 0777 & ~sbi->sb_mode; diff --git a/queue-4.1/nfs-always-update-creds-in-mirror-even-when-we-have-an-already-connected-ds.patch b/queue-4.1/nfs-always-update-creds-in-mirror-even-when-we-have-an-already-connected-ds.patch new file mode 100644 index 00000000000..8b2e47d2bcd --- /dev/null +++ b/queue-4.1/nfs-always-update-creds-in-mirror-even-when-we-have-an-already-connected-ds.patch @@ -0,0 +1,47 @@ +From 0c8315dd56577445dd1afe6b9cfa06b7efdf2f82 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Wed, 24 Jun 2015 12:10:24 -0400 +Subject: nfs: always update creds in mirror, even when we have an already connected ds + +From: Jeff Layton + +commit 0c8315dd56577445dd1afe6b9cfa06b7efdf2f82 upstream. + +A ds can be associated with more than one mirror, but we currently skip +setting a mirror's credentials if we find that it's already set up with +a connected client. + +The upshot is that we can end up sending DS writes with MDS credentials +instead of properly setting them up. Fix nfs4_ff_layout_prepare_ds to +always verify that the mirror's credentials are set up, even when we +have a DS that's already connected. + +Reported-by: Tom Haynes +Signed-off-by: Jeff Layton +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/flexfilelayout/flexfilelayoutdev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c ++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c +@@ -387,7 +387,7 @@ nfs4_ff_layout_prepare_ds(struct pnfs_la + /* matching smp_wmb() in _nfs4_pnfs_v3/4_ds_connect */ + smp_rmb(); + if (ds->ds_clp) +- goto out; ++ goto out_update_creds; + + flavor = nfs4_ff_layout_choose_authflavor(mirror); + +@@ -431,7 +431,7 @@ nfs4_ff_layout_prepare_ds(struct pnfs_la + } + } + } +- ++out_update_creds: + if (ff_layout_update_mirror_cred(mirror, ds)) + ds = NULL; + out: diff --git a/queue-4.1/nfs-ensure-we-set-nfs_context_resend_writes-when-requeuing-writes.patch b/queue-4.1/nfs-ensure-we-set-nfs_context_resend_writes-when-requeuing-writes.patch new file mode 100644 index 00000000000..686e0eea6c4 --- /dev/null +++ b/queue-4.1/nfs-ensure-we-set-nfs_context_resend_writes-when-requeuing-writes.patch @@ -0,0 +1,41 @@ +From c70701131f7a8edea91fc49d11796d342cff7c62 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Wed, 17 Jun 2015 19:56:22 -0400 +Subject: NFS: Ensure we set NFS_CONTEXT_RESEND_WRITES when requeuing writes + +From: Trond Myklebust + +commit c70701131f7a8edea91fc49d11796d342cff7c62 upstream. + +If a write attempt fails, and the write is queued up for resending to +the server, as opposed to being dropped, then we need to set the +appropriate flag so that nfs_file_fsync() does the right thing. + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/pnfs.c | 1 + + fs/nfs/write.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -1821,6 +1821,7 @@ int pnfs_write_done_resend_to_mds(struct + /* Resend all requests through the MDS */ + nfs_pageio_init_write(&pgio, hdr->inode, FLUSH_STABLE, true, + hdr->completion_ops); ++ set_bit(NFS_CONTEXT_RESEND_WRITES, &hdr->args.context->flags); + return nfs_pageio_resend(&pgio, hdr); + } + EXPORT_SYMBOL_GPL(pnfs_write_done_resend_to_mds); +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -1289,6 +1289,7 @@ static void nfs_initiate_write(struct nf + static void nfs_redirty_request(struct nfs_page *req) + { + nfs_mark_request_dirty(req); ++ set_bit(NFS_CONTEXT_RESEND_WRITES, &req->wb_context->flags); + nfs_unlock_request(req); + nfs_end_page_writeback(req); + nfs_release_request(req); diff --git a/queue-4.1/nfs-fix-potential-credential-leak-in-ff_layout_update_mirror_cred.patch b/queue-4.1/nfs-fix-potential-credential-leak-in-ff_layout_update_mirror_cred.patch new file mode 100644 index 00000000000..a1e747d10d3 --- /dev/null +++ b/queue-4.1/nfs-fix-potential-credential-leak-in-ff_layout_update_mirror_cred.patch @@ -0,0 +1,37 @@ +From a24221dca1868101c9b4b5adde4a6a5b1a3a64a7 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Wed, 24 Jun 2015 12:10:23 -0400 +Subject: nfs: fix potential credential leak in ff_layout_update_mirror_cred + +From: Jeff Layton + +commit a24221dca1868101c9b4b5adde4a6a5b1a3a64a7 upstream. + +If we have two tasks racing to update a mirror's credentials, then they +can end up leaking one (or more) sets of credentials. The first task +will set mirror->cred and then the second task will just overwrite it. + +Use a cmpxchg to ensure that the creds are only set once. If we get to +the point where we would set mirror->cred and find that they're already +set, then we just release the creds that were just found. + +Signed-off-by: Jeff Layton +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/flexfilelayout/flexfilelayoutdev.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c ++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c +@@ -324,7 +324,8 @@ static int ff_layout_update_mirror_cred( + __func__, PTR_ERR(cred)); + return PTR_ERR(cred); + } else { +- mirror->cred = cred; ++ if (cmpxchg(&mirror->cred, NULL, cred)) ++ put_rpccred(cred); + } + } + return 0; diff --git a/queue-4.1/nfs-increase-size-of-exchange_id-name-string-buffer.patch b/queue-4.1/nfs-increase-size-of-exchange_id-name-string-buffer.patch new file mode 100644 index 00000000000..686e8e40c17 --- /dev/null +++ b/queue-4.1/nfs-increase-size-of-exchange_id-name-string-buffer.patch @@ -0,0 +1,32 @@ +From 764ad8ba8cd4c6f836fca9378f8c5121aece0842 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Tue, 9 Jun 2015 19:43:56 -0400 +Subject: nfs: increase size of EXCHANGE_ID name string buffer + +From: Jeff Layton + +commit 764ad8ba8cd4c6f836fca9378f8c5121aece0842 upstream. + +The current buffer is much too small if you have a relatively long +hostname. Bring it up to the size of the one that SETCLIENTID has. + +Reported-by: Michael Skralivetsky +Signed-off-by: Jeff Layton +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/nfs_xdr.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/nfs_xdr.h ++++ b/include/linux/nfs_xdr.h +@@ -1142,7 +1142,7 @@ struct nfs41_state_protection { + struct nfs4_op_map allow; + }; + +-#define NFS4_EXCHANGE_ID_LEN (48) ++#define NFS4_EXCHANGE_ID_LEN (127) + struct nfs41_exchange_id_args { + struct nfs_client *client; + nfs4_verifier *verifier; diff --git a/queue-4.1/p9_client_write-avoid-double-p9_free_req.patch b/queue-4.1/p9_client_write-avoid-double-p9_free_req.patch new file mode 100644 index 00000000000..4313d1ff2b6 --- /dev/null +++ b/queue-4.1/p9_client_write-avoid-double-p9_free_req.patch @@ -0,0 +1,30 @@ +From 67e808fbb0404a12d9b9830a44bbb48d447d8bc9 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 4 Jul 2015 16:11:05 -0400 +Subject: p9_client_write(): avoid double p9_free_req() + +From: Al Viro + +commit 67e808fbb0404a12d9b9830a44bbb48d447d8bc9 upstream. + +Braino in "9p: switch p9_client_write() to passing it struct iov_iter *"; +if response is impossible to parse and we discard the request, get the +out of the loop right there. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + net/9p/client.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -1648,6 +1648,7 @@ p9_client_write(struct p9_fid *fid, u64 + if (*err) { + trace_9p_protocol_dump(clnt, req->rc); + p9_free_req(clnt, req); ++ break; + } + + p9_debug(P9_DEBUG_9P, "<<< RWRITE count %d\n", count); diff --git a/queue-4.1/perf-bench-numa-fix-to-show-proper-convergence-stats.patch b/queue-4.1/perf-bench-numa-fix-to-show-proper-convergence-stats.patch new file mode 100644 index 00000000000..ec23f0ba7ba --- /dev/null +++ b/queue-4.1/perf-bench-numa-fix-to-show-proper-convergence-stats.patch @@ -0,0 +1,52 @@ +From 2b42b09b88c831ba4da2d669581dde371c38c2af Mon Sep 17 00:00:00 2001 +From: Srikar Dronamraju +Date: Wed, 24 Jun 2015 16:40:04 +0530 +Subject: perf bench numa: Fix to show proper convergence stats + +From: Srikar Dronamraju + +commit 2b42b09b88c831ba4da2d669581dde371c38c2af upstream. + +With commit: e1e455f4f4d3 (perf tools: Work around lack of sched_getcpu +in glibc < 2.6), perf_bench numa mem with -c or -m option is not able to +correctly calculate convergence. + +With the above commit, sched_getcpu always seems to return -1. The +intention of commit e1e455f was to add a sched_getcpu in glibc < 2.6. +Hence keep the sched_getcpu definition under an ifdef. + +This regression happened occurred between v4.0 and v4.1 + +Signed-off-by: Srikar Dronamraju +Acked-by: Ingo Molnar +Cc: Jiri Olsa +Cc: Masami Hiramatsu +Cc: Namhyung Kim +Cc: Vinson Lee +Fixes: e1e455f4f4d3 ("perf tools: Work around lack of sched_getcpu in glibc < 2.6") +Link: http://lkml.kernel.org/r/20150624111004.GA5220@linux.vnet.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/util/cloexec.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/tools/perf/util/cloexec.c ++++ b/tools/perf/util/cloexec.c +@@ -7,11 +7,15 @@ + + static unsigned long flag = PERF_FLAG_FD_CLOEXEC; + ++#ifdef __GLIBC_PREREQ ++#if !__GLIBC_PREREQ(2, 6) + int __weak sched_getcpu(void) + { + errno = ENOSYS; + return -1; + } ++#endif ++#endif + + static int perf_flag_probe(void) + { diff --git a/queue-4.1/rbd-use-gfp_noio-in-rbd_obj_request_create.patch b/queue-4.1/rbd-use-gfp_noio-in-rbd_obj_request_create.patch new file mode 100644 index 00000000000..ec255d95893 --- /dev/null +++ b/queue-4.1/rbd-use-gfp_noio-in-rbd_obj_request_create.patch @@ -0,0 +1,42 @@ +From 5a60e87603c4c533492c515b7f62578189b03c9c Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Wed, 24 Jun 2015 17:24:33 +0300 +Subject: rbd: use GFP_NOIO in rbd_obj_request_create() + +From: Ilya Dryomov + +commit 5a60e87603c4c533492c515b7f62578189b03c9c upstream. + +rbd_obj_request_create() is called on the main I/O path, so we need to +use GFP_NOIO to make sure allocation doesn't blow back on us. Not all +callers need this, but I'm still hardcoding the flag inside rather than +making it a parameter because a) this is going to stable, and b) those +callers shouldn't really use rbd_obj_request_create() and will be fixed +in the future. + +More memory allocation fixes will follow. + +Signed-off-by: Ilya Dryomov +Reviewed-by: Alex Elder +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/rbd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -2001,11 +2001,11 @@ static struct rbd_obj_request *rbd_obj_r + rbd_assert(obj_request_type_valid(type)); + + size = strlen(object_name) + 1; +- name = kmalloc(size, GFP_KERNEL); ++ name = kmalloc(size, GFP_NOIO); + if (!name) + return NULL; + +- obj_request = kmem_cache_zalloc(rbd_obj_request_cache, GFP_KERNEL); ++ obj_request = kmem_cache_zalloc(rbd_obj_request_cache, GFP_NOIO); + if (!obj_request) { + kfree(name); + return NULL; diff --git a/queue-4.1/series b/queue-4.1/series index b48d51816a3..6c87c890adb 100644 --- a/queue-4.1/series +++ b/queue-4.1/series @@ -242,3 +242,26 @@ clk-qcom-use-parent-rate-when-set-rate-to-pixel-rcg-clock.patch pnfs-fix-a-memory-leak-when-attempted-pnfs-fails.patch pnfs-flexfiles-fix-the-reset-of-struct-pgio_header-when-resending.patch nfs-fix-size-of-nfsacl-setacl-operations.patch +fixing-infinite-open-loop-in-4.0-stateid-recovery.patch +nfs-increase-size-of-exchange_id-name-string-buffer.patch +nfs-ensure-we-set-nfs_context_resend_writes-when-requeuing-writes.patch +nfs-fix-potential-credential-leak-in-ff_layout_update_mirror_cred.patch +nfs-always-update-creds-in-mirror-even-when-we-have-an-already-connected-ds.patch +sunrpc-fix-a-memory-leak-in-the-backchannel-code.patch +9p-forgetting-to-cancel-request-on-interrupted-zero-copy-rpc.patch +9p-don-t-leave-a-half-initialized-inode-sitting-around.patch +rbd-use-gfp_noio-in-rbd_obj_request_create.patch +agp-intel-fix-typo-in-needs_ilk_vtd_wa.patch +arm-dove-fix-legacy-dove-irq-numbers.patch +edac-octeon-fix-broken-build-due-to-model-helper-renames.patch +p9_client_write-avoid-double-p9_free_req.patch +arm64-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch +arm64-bpf-fix-out-of-bounds-read-in-bpf2a64_offset.patch +arm64-bpf-fix-endianness-conversion-bugs.patch +arm64-don-t-report-clear-pmds-and-puds-as-huge.patch +perf-bench-numa-fix-to-show-proper-convergence-stats.patch +arm-8393-1-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch +arm-8397-1-fix-vdsomunge-not-to-depend-on-glibc-specific-error.h.patch +hpfs-kstrdup-out-of-memory-handling.patch +hpfs-hpfs_error-remove-static-buffer-use-vsprintf-extension-pv-instead.patch +fix-firmware-loader-uevent-buffer-null-pointer-dereference.patch diff --git a/queue-4.1/sunrpc-fix-a-memory-leak-in-the-backchannel-code.patch b/queue-4.1/sunrpc-fix-a-memory-leak-in-the-backchannel-code.patch new file mode 100644 index 00000000000..b497d3413f6 --- /dev/null +++ b/queue-4.1/sunrpc-fix-a-memory-leak-in-the-backchannel-code.patch @@ -0,0 +1,31 @@ +From 88de6af24f2b48b06c514d3c3d0a8f22fafe30bd Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 1 Jun 2015 15:10:25 -0400 +Subject: SUNRPC: Fix a memory leak in the backchannel code + +From: Trond Myklebust + +commit 88de6af24f2b48b06c514d3c3d0a8f22fafe30bd upstream. + +req->rq_private_buf isn't initialised when xprt_setup_backchannel calls +xprt_free_allocation. + +Fixes: fb7a0b9addbdb ("nfs41: New backchannel helper routines") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/backchannel_rqst.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sunrpc/backchannel_rqst.c ++++ b/net/sunrpc/backchannel_rqst.c +@@ -60,7 +60,7 @@ static void xprt_free_allocation(struct + + dprintk("RPC: free allocations for req= %p\n", req); + WARN_ON_ONCE(test_bit(RPC_BC_PA_IN_USE, &req->rq_bc_pa_state)); +- xbufp = &req->rq_private_buf; ++ xbufp = &req->rq_rcv_buf; + free_page((unsigned long)xbufp->head[0].iov_base); + xbufp = &req->rq_snd_buf; + free_page((unsigned long)xbufp->head[0].iov_base);