From: Greg Kroah-Hartman Date: Thu, 22 Sep 2016 13:33:39 +0000 (+0200) Subject: 4.7-stable patches X-Git-Tag: v4.4.22~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=994caad4b7386a5af9b4713dbf87a9734dd4e503;p=thirdparty%2Fkernel%2Fstable-queue.git 4.7-stable patches added patches: ahci-disable-correct-irq-for-dummy-ports.patch arm-am43xx-hwmod-fix-rstst-register-offset-for-pruss.patch arm-dts-armada-388-clearfog-number-lan-ports-properly.patch arm-dts-imx6qdl-fix-spdif-regression.patch arm-dts-kirkwood-fix-pcie-label-on-openrd.patch arm-dts-overo-fix-gpmc-nand-cs0-range.patch arm-dts-overo-fix-gpmc-nand-on-boards-with-ethernet.patch arm-dts-rockchip-add-reset-node-for-the-exist-saradc-socs.patch arm-dts-stih407-family-provide-interconnect-clock-for-consumption-in-st-sdhci.patch arm-dts-stih410-handle-interconnect-clock-required-by-ehci-ohci-usb.patch arm-imx6-add-missing-bm_clpcr_byp_mmdc_ch0_lpm_hs-setting-for-imx6ul.patch arm-imx6-add-missing-bm_clpcr_bypass_pmic_ready-setting-for-imx6sx.patch arm-kirkwood-ib62x0-fix-size-of-u-boot-environment-partition.patch arm-omap3-hwmod-data-add-sysc-information-for-dsi.patch arm64-spinlocks-implement-smp_mb__before_spinlock-as-smp_mb.patch ath9k-bring-back-direction-setting-in-ath9k_-start_stop.patch ath9k-fix-using-sta-drv_priv-before-initializing-it.patch audit-fix-exe_file-access-in-audit_exe_compare.patch brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg80211_start_ap.patch btrfs-remove-root_log_ctx-from-ctx-list-before-btrfs_sync_log-returns.patch bus-arm-ccn-do-not-attempt-to-configure-xps-for-cycle-counter.patch bus-arm-ccn-fix-pmu-handling-of-mn.patch bus-arm-ccn-fix-xp-watchpoint-settings-bitmask.patch cpuset-make-sure-new-tasks-conform-to-the-current-config-of-the-cpuset.patch crypto-cryptd-initialize-child-shash_desc-on-import.patch cxl-use-pcibios_free_controller_deferred-when-removing-vphbs.patch devpts-return-null-pts-priv-entry-for-non-devpts-nodes.patch 
dm-crypt-fix-error-with-too-large-bios.patch dm-crypt-fix-free-of-bad-values-after-tfm-allocation-failure.patch dm-flakey-fix-reads-to-be-issued-if-drop_writes-configured.patch dm-log-writes-fix-check-of-kthread_run-return-value.patch dm-log-writes-move-io-accounting-earlier-to-fix-error-path.patch efi-libstub-allocate-headspace-in-efi_get_memory_map.patch efi-libstub-introduce-exitbootservices-helper.patch efi-libstub-use-efi_exit_boot_services-in-fdt.patch efi-make-for_each_efi_memory_desc_in_map-cope-with-running-on-xen.patch fuse-direct-io-don-t-dirty-iter_bvec-pages.patch ib-hfi1-ib-qib-fix-qp_stats-sleep-with-rcu-read-lock-held.patch ib-hfi1-reset-qsfp-on-every-run-through-channel-tuning.patch ib-uverbs-fix-race-between-uverbs_close-and-remove_one.patch iio-accel-bmc150-reset-chip-at-init-time.patch iio-accel-kxsd9-fix-raw-read-return.patch iio-accel-kxsd9-fix-scaling-bug.patch iio-ad799x-fix-buffered-capture-for-ad7991-ad7995-ad7999.patch iio-adc-at91-unbreak-channel-adc-channel-3.patch iio-adc-rockchip_saradc-reset-saradc-controller-before-programming-it.patch iio-adc-ti_am335x_adc-increase-timeout-value-waiting-for-adc-sample.patch iio-adc-ti_am335x_adc-protect-fifo1-from-concurrent-access.patch iio-core-fix-iio_val_fractional-sign-handling.patch iio-ensure-ret-is-initialized-to-zero-before-entering-do-loop.patch iio-fix-pressure-data-output-unit-in-hid-sensor-attributes.patch iio-humidity-am2315-set-up-buffer-timestamps-for-non-zero-values.patch iio-humidity-hdc100x-fix-sensor-data-reads-of-temp-and-humidity.patch iio-proximity-as3935-set-up-buffer-timestamps-for-non-zero-values.patch iio-sw-trigger-fix-config-group-initialization.patch iio-ti-ads1015-fix-a-wrong-pointer-definition.patch ipv6-don-t-unset-flowi6_proto-in-ipxip6_tnl_xmit.patch kernfs-don-t-depend-on-d_find_any_alias-when-generating-notifications.patch kexec-fix-double-free-when-failing-to-relocate-the-purgatory.patch kvm-arm-unmap-shadow-pagetables-properly.patch 
kvm-s390-don-t-use-current-thread.fpu.-when-accessing-registers.patch kvm-x86-correctly-reset-dest_map-vector-when-restoring-lapic-state.patch md-cluster-make-md-cluster-also-can-work-when-compiled-into-kernel.patch memory-omap-gpmc-allow-probe-of-child-nodes-to-fail.patch mm-fix-cache-mode-of-dax-pmd-mappings.patch mm-introduce-get_task_exe_file.patch mm-mempolicy-task-mempolicy-must-be-null-before-dropping-final-reference.patch mm-oom-prevent-premature-oom-killer-invocation-for-high-order-request.patch net-macb-correct-caps-mask.patch net-thunderx-fix-oops-with-ethtool-register-dump.patch nfsd-close-race-between-nfsd4_release_lockowner-and-nfsd4_lock.patch nfsv4.1-fix-oopsable-condition-in-server-callback-races.patch nfsv4.1-fix-the-create_session-slot-number-accounting.patch nfsv4.x-fix-a-refcount-leak-in-nfs_callback_up_net.patch perf-x86-amd-make-hw_cache_references-and-hw_cache_misses-measure-l2.patch perf-x86-intel-cqm-check-cqm-mbm-enabled-state-in-event-init.patch perf-x86-intel-fix-pebsv3-record-drain.patch perf-x86-intel-pt-do-validate-the-size-of-a-kernel-address-filter.patch perf-x86-intel-pt-fix-an-off-by-one-in-address-filter-configuration.patch perf-x86-intel-pt-fix-kernel-address-filter-s-offset-validation.patch pinctrl-pistachio-fix-mfio-pll_lock-pinmux.patch pinctrl-sunxi-fix-uart1-cts-rts-pins-at-pg-on-a23-a33.patch pnfs-ensure-layoutget-and-layoutreturn-are-properly-serialised.patch pnfs-flexfiles-fix-an-oopsable-condition-when-connection-to-the-ds-fails.patch pnfs-the-client-must-not-do-i-o-to-the-ds-if-it-s-lease-has-expired.patch powerpc-mm-don-t-alias-user-region-to-other-regions-below-page_offset.patch powerpc-powernv-drop-reference-added-by-kset_find_obj.patch powerpc-powernv-fix-corrupted-pe-allocation-bitmap-on-releasing-pe.patch powerpc-sysdev-cpm-fix-gpio-save_regs-functions.patch powerpc-tm-do-not-use-r13-for-tabort_syscall.patch rapidio-tsi721-fix-incorrect-detection-of-address-translation-condition.patch 
revert-wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch sched-core-fix-a-race-between-try_to_wake_up-and-a-woken-up-task.patch serial-8250-added-acces-i-o-products-quad-and-octal-serial-cards.patch serial-8250_mid-fix-divide-error-bug-if-baud-rate-is-0.patch usb-change-binterval-default-to-10-ms.patch usb-chipidea-udc-fix-null-ptr-dereference-in-isr_setup_status_phase.patch usb-gadget-udc-renesas-usb3-clear-vbout-bit-in-drd_con.patch usb-renesas_usbhs-fix-clearing-the-brdy-bemp-sts-condition.patch usb-serial-simple-add-support-for-another-infineon-flashloader.patch x86-amd-apply-erratum-665-on-machines-without-a-bios-fix.patch x86-efi-use-efi_exit_boot_services.patch x86-paravirt-do-not-trace-_paravirt_ident_-functions.patch xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch
---
diff --git a/queue-4.7/ahci-disable-correct-irq-for-dummy-ports.patch b/queue-4.7/ahci-disable-correct-irq-for-dummy-ports.patch
new file mode 100644
index 00000000000..053bdefffe3
--- /dev/null
+++ b/queue-4.7/ahci-disable-correct-irq-for-dummy-ports.patch
@@ -0,0 +1,32 @@
+From 9b4b3f6a062b22550e62523efe5213776cdd426b Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig
+Date: Thu, 11 Aug 2016 07:26:01 -0700
+Subject: ahci: disable correct irq for dummy ports
+
+From: Christoph Hellwig
+
+commit 9b4b3f6a062b22550e62523efe5213776cdd426b upstream.
+
+irq already contains the interrupt number for the port, don't add the
+port index to it.
+
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Tejun Heo
+Fixes: d684a90d38e2 ("ahci: per-port msix support")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ata/libahci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/libahci.c
++++ b/drivers/ata/libahci.c
+@@ -2516,7 +2516,7 @@ static int ahci_host_activate_multi_irqs
+
+ /* Do not receive interrupts sent by dummy ports */
+ if (!pp) {
+- disable_irq(irq + i);
++ disable_irq(irq);
+ continue;
+ }
+
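Review bot: The comment above the changed call, `/* Do not receive interrupts sent by dummy ports */`, does not record that `irq` already holds the vector for port `i`, which is the only reason `disable_irq(irq + i)` was wrong. Going by the commit message, the old expression applied the port offset a second time, so it presumably disabled an interrupt line that did not belong to the dummy port. I would extend the comment to `/* Do not receive interrupts sent by dummy ports; irq is already this port's vector */`. The assignment of `irq` and the rest of `ahci_host_activate_multi_irqs` lie outside the hunk, so for this backport it is worth confirming that the 4.7 tree computes `irq` per port before this point.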
diff --git a/queue-4.7/arm-am43xx-hwmod-fix-rstst-register-offset-for-pruss.patch b/queue-4.7/arm-am43xx-hwmod-fix-rstst-register-offset-for-pruss.patch
new file mode 100644
index 00000000000..e0159901adc
--- /dev/null
+++ b/queue-4.7/arm-am43xx-hwmod-fix-rstst-register-offset-for-pruss.patch
@@ -0,0 +1,44 @@
+From b00ccf5b684992829610d162e78a7836933a1b19 Mon Sep 17 00:00:00 2001
+From: Keerthy
+Date: Mon, 20 Jun 2016 09:22:25 +0530
+Subject: ARM: AM43XX: hwmod: Fix RSTST register offset for pruss
+
+From: Keerthy
+
+commit b00ccf5b684992829610d162e78a7836933a1b19 upstream.
+
+pruss hwmod RSTST register wrongly points to PWRSTCTRL register in case of
+am43xx. Fix the RSTST register offset value.
+
+This can lead to setting of wrong power state values for PER domain.
+
+Fixes: 1c7e224d ("ARM: OMAP2+: hwmod: AM335x: runtime register update")
+Signed-off-by: Keerthy
+Signed-off-by: Tony Lindgren
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c | 1 +
+ arch/arm/mach-omap2/prcm43xx.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c
++++ b/arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c
+@@ -1476,6 +1476,7 @@ static void omap_hwmod_am43xx_rst(void)
+ {
+ RSTCTRL(am33xx_pruss_hwmod, AM43XX_RM_PER_RSTCTRL_OFFSET);
+ RSTCTRL(am33xx_gfx_hwmod, AM43XX_RM_GFX_RSTCTRL_OFFSET);
++ RSTST(am33xx_pruss_hwmod, AM43XX_RM_PER_RSTST_OFFSET);
+ RSTST(am33xx_gfx_hwmod, AM43XX_RM_GFX_RSTST_OFFSET);
+ }
+
+--- a/arch/arm/mach-omap2/prcm43xx.h
++++ b/arch/arm/mach-omap2/prcm43xx.h
+@@ -39,6 +39,7 @@
+
+ /* RM RSTST offsets */
+ #define AM43XX_RM_GFX_RSTST_OFFSET 0x0014
++#define AM43XX_RM_PER_RSTST_OFFSET 0x0014
+ #define AM43XX_RM_WKUP_RSTST_OFFSET 0x0014
+
+ /* CM instances */
diff --git a/queue-4.7/arm-dts-armada-388-clearfog-number-lan-ports-properly.patch b/queue-4.7/arm-dts-armada-388-clearfog-number-lan-ports-properly.patch
new file mode 100644
index 00000000000..49dd441221b
--- /dev/null
+++ b/queue-4.7/arm-dts-armada-388-clearfog-number-lan-ports-properly.patch
@@ -0,0 +1,70 @@
+From d9fd3c918114cfd3995947339549c7341181efb0 Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Fri, 8 Jul 2016 14:58:39 +0100
+Subject: ARM: dts: armada-388-clearfog: number LAN ports properly
+
+From: Russell King
+
+commit d9fd3c918114cfd3995947339549c7341181efb0 upstream.
+
+Currently, the ports as seen from the rear number as:
+
+ eth0 sfp lan5 lan4 lan3 lan2 lan1 lan6
+
+which is illogical - this came about because the rev 2.0 boards have the
+LEDs on the front for the DSA switch (lan5-1) reversed. Rev 2.1 boards
+fixed the LED issue, and the Clearfog case numbers the lan ports
+increasing from left to right.
+
+Maintaining this illogical numbering causes confusion, with reports that
+"my link isn't coming up" and "my connection negotiates 10base-Half"
+both of which are due to people thinking that the port next to the SFP
+is lan1.
+
+Fix this by renumbering the ports to match people's expectations.
+
+[gregory.clement@free-electrons.com: added the Fixes and stable tags]
+
+Fixes: 4c945e8556ec ("ARM: dts: Add SolidRun Armada 388 Clearfog A1 DT
+file")
+Signed-off-by: Russell King
+Reviewed-by: Andrew Lunn
+Signed-off-by: Gregory CLEMENT
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/boot/dts/armada-388-clearfog.dts | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/boot/dts/armada-388-clearfog.dts
++++ b/arch/arm/boot/dts/armada-388-clearfog.dts
+@@ -406,12 +406,12 @@
+
+ port@0 {
+ reg = <0>;
+- label = "lan1";
++ label = "lan5";
+ };
+
+ port@1 {
+ reg = <1>;
+- label = "lan2";
++ label = "lan4";
+ };
+
+ port@2 {
+@@ -421,12 +421,12 @@
+
+ port@3 {
+ reg = <3>;
+- label = "lan4";
++ label = "lan2";
+ };
+
+ port@4 {
+ reg = <4>;
+- label = "lan5";
++ label = "lan1";
+ };
+
+ port@5 {
diff --git a/queue-4.7/arm-dts-imx6qdl-fix-spdif-regression.patch b/queue-4.7/arm-dts-imx6qdl-fix-spdif-regression.patch
new file mode 100644
index 00000000000..4320fc71a7e
--- /dev/null
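Review bot: The relabelled `port@0`, `port@1`, `port@3` and `port@4` nodes carry no comment saying which physical jack each label now names, although the change swaps the interface names userspace sees (`lan1` with `lan5`, `lan2` with `lan4`). On a stable update, any firewall rule, bridge membership or VLAN assignment keyed to those names will silently apply to a different physical port. I would add a comment above the port list such as `/* labels follow the numbering on the Clearfog case: port@0 is lan5 ... port@4 is lan1 */` and flag the rename in the release notes. The `port@2` and `port@5` bodies are outside the two hunks, so their labels are assumed unchanged.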
+++ b/queue-4.7/arm-dts-imx6qdl-fix-spdif-regression.patch
@@ -0,0 +1,46 @@
+From f065e9e4addd75c21bb976bb2558648bf4f61de6 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam
+Date: Wed, 31 Aug 2016 10:56:48 -0300
+Subject: ARM: dts: imx6qdl: Fix SPDIF regression
+
+From: Fabio Estevam
+
+commit f065e9e4addd75c21bb976bb2558648bf4f61de6 upstream.
+
+Commit 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif")
+changed many more clocks than only the SPDIF core clock as stated in
+the commit message.
+
+The MLB clock has been added and this causes SPDIF regression as
+reported by Xavi Drudis Ferran and also in this forum post:
+https://forum.digikey.com/thread/34240
+
+The MX6Q Reference Manual does not mention that MLB is a clock related
+to SPDIF, so change it back to a dummy clock to restore SPDIF
+functionality.
+
+Thanks to Ambika for providing the fix at:
+https://community.nxp.com/thread/387131
+
+Fixes: 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif")
+Reported-by: Xavi Drudis Ferran
+Signed-off-by: Fabio Estevam
+Tested-by: Xavi Drudis Ferran
+Signed-off-by: Shawn Guo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/boot/dts/imx6qdl.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/imx6qdl.dtsi
++++ b/arch/arm/boot/dts/imx6qdl.dtsi
+@@ -242,7 +242,7 @@
+ clocks = <&clks IMX6QDL_CLK_SPDIF_GCLK>, <&clks IMX6QDL_CLK_OSC>,
+ <&clks IMX6QDL_CLK_SPDIF>, <&clks IMX6QDL_CLK_ASRC>,
+ <&clks IMX6QDL_CLK_DUMMY>, <&clks IMX6QDL_CLK_ESAI_EXTAL>,
+- <&clks IMX6QDL_CLK_IPG>, <&clks IMX6QDL_CLK_MLB>,
++ <&clks IMX6QDL_CLK_IPG>, <&clks IMX6QDL_CLK_DUMMY>,
+ <&clks IMX6QDL_CLK_DUMMY>, <&clks IMX6QDL_CLK_SPBA>;
+ clock-names = "core", "rxtx0",
+ "rxtx1", "rxtx2",
diff --git a/queue-4.7/arm-dts-kirkwood-fix-pcie-label-on-openrd.patch b/queue-4.7/arm-dts-kirkwood-fix-pcie-label-on-openrd.patch
new file mode 100644
index 00000000000..66a552e5f43
--- /dev/null
+++ b/queue-4.7/arm-dts-kirkwood-fix-pcie-label-on-openrd.patch
@@ -0,0 +1,39 @@ +From c721da1d05760ad0b4e7670896dae31b6b07d8d6 Mon Sep 17 00:00:00 2001 +From: Gregory CLEMENT +Date: Mon, 22 Aug 2016 18:09:36 +0200 +Subject: ARM: dts: kirkwood: Fix PCIe label on OpenRD + +From: Gregory CLEMENT + +commit c721da1d05760ad0b4e7670896dae31b6b07d8d6 upstream. + +While converting PCIe node on kirkwood by using label, the following +commit eb13cf8345e9 ("ARM: dts: kirkwood: Fixup pcie DT warnings") +introduced a regression on the OpenRD boards: the PCIe didn't work +anymore. As reported by Aaro Koskinen, the display/framebuffer was +lost. This commit adds the forgotten label. + +Reported-by: Aaro Koskinen +Tested-by: Aaro Koskinen +Fixes: eb13cf8345e9 ("ARM: dts: kirkwood: Fixup pcie DT warnings") +Reviewed-by: Andrew Lunn +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/kirkwood-openrd.dtsi | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/arm/boot/dts/kirkwood-openrd.dtsi ++++ b/arch/arm/boot/dts/kirkwood-openrd.dtsi +@@ -116,6 +116,10 @@ + }; + }; + ++&pciec { ++ status = "okay"; ++}; ++ + &pcie0 { + status = "okay"; + }; diff --git a/queue-4.7/arm-dts-overo-fix-gpmc-nand-cs0-range.patch b/queue-4.7/arm-dts-overo-fix-gpmc-nand-cs0-range.patch new file mode 100644 index 00000000000..825ef8aa88d --- /dev/null +++ b/queue-4.7/arm-dts-overo-fix-gpmc-nand-cs0-range.patch 
@@ -0,0 +1,39 @@
+From 5e0568dfbfb8c13cdb69c9fd06d600593ad4b430 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 15 Aug 2016 09:10:45 -0700
+Subject: ARM: dts: overo: fix gpmc nand cs0 range
+
+From: Johan Hovold
+
+commit 5e0568dfbfb8c13cdb69c9fd06d600593ad4b430 upstream.
+
+The gpmc ranges property for NAND at CS0 has been broken since it was
+first added.
+
+This currently prevents the nand gpmc child node from being probed:
+
+ omap-gpmc 6e000000.gpmc: /ocp/gpmc@6e000000/nand@0,0 has
+ malformed 'reg' property
+
+and consequently the NAND device from being registered.
+
+Fixes: 98ce6007efb4 ("ARM: dts: overo: Support PoP NAND")
+Signed-off-by: Johan Hovold
+Signed-off-by: Tony Lindgren
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/boot/dts/omap3-overo-base.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/omap3-overo-base.dtsi
++++ b/arch/arm/boot/dts/omap3-overo-base.dtsi
+@@ -223,7 +223,7 @@
+ };
+
+ &gpmc {
+- ranges = <0 0 0x00000000 0x20000000>;
++ ranges = <0 0 0x30000000 0x1000000>; /* CS0 */
+
+ nand@0,0 {
+ compatible = "ti,omap2-nand";
diff --git a/queue-4.7/arm-dts-overo-fix-gpmc-nand-on-boards-with-ethernet.patch b/queue-4.7/arm-dts-overo-fix-gpmc-nand-on-boards-with-ethernet.patch
new file mode 100644
index 00000000000..00f2e53d65d
--- /dev/null
+++ b/queue-4.7/arm-dts-overo-fix-gpmc-nand-on-boards-with-ethernet.patch
@@ -0,0 +1,78 @@ +From 153b58ea932b2d0642fa5cd41c93bb0555f3f09b Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 15 Aug 2016 09:10:49 -0700 +Subject: ARM: dts: overo: fix gpmc nand on boards with ethernet + +From: Johan Hovold + +commit 153b58ea932b2d0642fa5cd41c93bb0555f3f09b upstream. + +The gpmc ranges property for NAND at CS0 was being overridden by later +includes that defined gpmc ethernet nodes, effectively breaking NAND on +these systems: + + omap-gpmc 6e000000.gpmc: /ocp/gpmc@6e000000/nand@0,0 has + malformed 'reg' property + +Instead of redefining the NAND range in every such dtsi, define all +currently used ranges in omap3-overo-base.dtsi. + +Fixes: 98ce6007efb4 ("ARM: dts: overo: Support PoP NAND") +Signed-off-by: Johan Hovold +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/omap3-overo-base.dtsi | 4 +++- + arch/arm/boot/dts/omap3-overo-chestnut43-common.dtsi | 2 -- + arch/arm/boot/dts/omap3-overo-tobi-common.dtsi | 2 -- + arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi | 3 --- + 4 files changed, 3 insertions(+), 8 deletions(-) + +--- a/arch/arm/boot/dts/omap3-overo-base.dtsi ++++ b/arch/arm/boot/dts/omap3-overo-base.dtsi +@@ -223,7 +223,9 @@ + }; + + &gpmc { +- ranges = <0 0 0x30000000 0x1000000>; /* CS0 */ ++ ranges = <0 0 0x30000000 0x1000000>, /* CS0 */ ++ <4 0 0x2b000000 0x1000000>, /* CS4 */ ++ <5 0 0x2c000000 0x1000000>; /* CS5 */ + + nand@0,0 { + compatible = "ti,omap2-nand"; +--- a/arch/arm/boot/dts/omap3-overo-chestnut43-common.dtsi ++++ b/arch/arm/boot/dts/omap3-overo-chestnut43-common.dtsi +@@ -55,8 +55,6 @@ + #include "omap-gpmc-smsc9221.dtsi" + + &gpmc { +- ranges = <5 0 0x2c000000 0x1000000>; /* CS5 */ +- + ethernet@gpmc { + reg = <5 0 0xff>; + interrupt-parent = <&gpio6>; +--- a/arch/arm/boot/dts/omap3-overo-tobi-common.dtsi ++++ b/arch/arm/boot/dts/omap3-overo-tobi-common.dtsi +@@ -27,8 +27,6 @@ + #include "omap-gpmc-smsc9221.dtsi" + + &gpmc { +- ranges = <5 0 0x2c000000 0x1000000>; 
/* CS5 */ +- + ethernet@gpmc { + reg = <5 0 0xff>; + interrupt-parent = <&gpio6>; +--- a/arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi ++++ b/arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi +@@ -15,9 +15,6 @@ + #include "omap-gpmc-smsc9221.dtsi" + + &gpmc { +- ranges = <4 0 0x2b000000 0x1000000>, /* CS4 */ +- <5 0 0x2c000000 0x1000000>; /* CS5 */ +- + smsc1: ethernet@gpmc { + reg = <5 0 0xff>; + interrupt-parent = <&gpio6>; diff --git a/queue-4.7/arm-dts-rockchip-add-reset-node-for-the-exist-saradc-socs.patch b/queue-4.7/arm-dts-rockchip-add-reset-node-for-the-exist-saradc-socs.patch new file mode 100644 index 00000000000..c50076566ec --- /dev/null +++ b/queue-4.7/arm-dts-rockchip-add-reset-node-for-the-exist-saradc-socs.patch 
@@ -0,0 +1,56 @@
+From 3d4267a5a3a4b7619b80ad1839d8b3bedd8b7a8d Mon Sep 17 00:00:00 2001
+From: Caesar Wang
+Date: Wed, 27 Jul 2016 22:24:07 +0800
+Subject: arm: dts: rockchip: add reset node for the exist saradc SoCs
+
+From: Caesar Wang
+
+commit 3d4267a5a3a4b7619b80ad1839d8b3bedd8b7a8d upstream.
+
+SARADC controller needs to be reset before programming it, otherwise
+it will not function properly.
+
+Signed-off-by: Caesar Wang
+Acked-by: Heiko Stuebner
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/boot/dts/rk3066a.dtsi | 2 ++
+ arch/arm/boot/dts/rk3288.dtsi | 2 ++
+ arch/arm/boot/dts/rk3xxx.dtsi | 2 ++
+ 3 files changed, 6 insertions(+)
+
+--- a/arch/arm/boot/dts/rk3066a.dtsi
++++ b/arch/arm/boot/dts/rk3066a.dtsi
+@@ -197,6 +197,8 @@
+ clock-names = "saradc", "apb_pclk";
+ interrupts = ;
+ #io-channel-cells = <1>;
++ resets = <&cru SRST_SARADC>;
++ reset-names = "saradc-apb";
+ status = "disabled";
+ };
+
+--- a/arch/arm/boot/dts/rk3288.dtsi
++++ b/arch/arm/boot/dts/rk3288.dtsi
+@@ -279,6 +279,8 @@
+ #io-channel-cells = <1>;
+ clocks = <&cru SCLK_SARADC>, <&cru PCLK_SARADC>;
+ clock-names = "saradc", "apb_pclk";
++ resets = <&cru SRST_SARADC>;
++ reset-names = "saradc-apb";
+ status = "disabled";
+ };
+
+--- a/arch/arm/boot/dts/rk3xxx.dtsi
++++ b/arch/arm/boot/dts/rk3xxx.dtsi
+@@ -399,6 +399,8 @@
+ #io-channel-cells = <1>;
+ clocks = <&cru SCLK_SARADC>, <&cru PCLK_SARADC>;
+ clock-names = "saradc", "apb_pclk";
++ resets = <&cru SRST_SARADC>;
++ reset-names = "saradc-apb";
+ status = "disabled";
+ };
+
diff --git a/queue-4.7/arm-dts-stih407-family-provide-interconnect-clock-for-consumption-in-st-sdhci.patch b/queue-4.7/arm-dts-stih407-family-provide-interconnect-clock-for-consumption-in-st-sdhci.patch
new file mode 100644
index 00000000000..7a1ce3145b9
--- /dev/null
+++ b/queue-4.7/arm-dts-stih407-family-provide-interconnect-clock-for-consumption-in-st-sdhci.patch
@@ -0,0 +1,66 @@ +From 78567f135d9bbbaf4538f63656d3e4d957c35fe9 Mon Sep 17 00:00:00 2001 +From: Lee Jones +Date: Thu, 8 Sep 2016 11:11:00 +0200 +Subject: ARM: dts: STiH407-family: Provide interconnect clock for consumption in ST SDHCI + +From: Lee Jones + +commit 78567f135d9bbbaf4538f63656d3e4d957c35fe9 upstream. + +The STiH4{07,10} platform contains some interconnect clocks which are used +by various IPs. If these clocks aren't handled correctly by ST's SDHCI +driver MMC will break and the following output can be observed: + +[ 13.916949] mmc0: Timeout waiting for hardware interrupt. +[ 13.922349] sdhci: =========== REGISTER DUMP (mmc0)=========== +[ 13.928175] sdhci: Sys addr: 0x00000000 | Version: 0x00001002 +[ 13.933999] sdhci: Blk size: 0x00007040 | Blk cnt: 0x00000001 +[ 13.939825] sdhci: Argument: 0x00fffff0 | Trn mode: 0x00000013 +[ 13.945650] sdhci: Present: 0x1fff0206 | Host ctl: 0x00000011 +[ 13.951475] sdhci: Power: 0x0000000f | Blk gap: 0x00000080 +[ 13.957300] sdhci: Wake-up: 0x00000000 | Clock: 0x00003f07 +[ 13.963126] sdhci: Timeout: 0x00000004 | Int stat: 0x00000000 +[ 13.968952] sdhci: Int enab: 0x02ff008b | Sig enab: 0x02ff008b +[ 13.974777] sdhci: AC12 err: 0x00000000 | Slot int: 0x00000000 +[ 13.980602] sdhci: Caps: 0x21ed3281 | Caps_1: 0x00000000 +[ 13.986428] sdhci: Cmd: 0x0000063a | Max curr: 0x00000000 +[ 13.992252] sdhci: Host ctl2: 0x00000000 +[ 13.996166] sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x7c048200 +[ 14.001990] sdhci: =========================================== +[ 14.009802] mmc0: Got data interrupt 0x02000000 even though no data operation was in progress. 
+ +Tested-by: Peter Griffin +Signed-off-by: Lee Jones +Acked-by: Patrice Chotard +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/stih407-family.dtsi | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/arch/arm/boot/dts/stih407-family.dtsi ++++ b/arch/arm/boot/dts/stih407-family.dtsi +@@ -550,8 +550,9 @@ + interrupt-names = "mmcirq"; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_mmc0>; +- clock-names = "mmc"; +- clocks = <&clk_s_c0_flexgen CLK_MMC_0>; ++ clock-names = "mmc", "icn"; ++ clocks = <&clk_s_c0_flexgen CLK_MMC_0>, ++ <&clk_s_c0_flexgen CLK_RX_ICN_HVA>; + bus-width = <8>; + non-removable; + }; +@@ -565,8 +566,9 @@ + interrupt-names = "mmcirq"; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_sd1>; +- clock-names = "mmc"; +- clocks = <&clk_s_c0_flexgen CLK_MMC_1>; ++ clock-names = "mmc", "icn"; ++ clocks = <&clk_s_c0_flexgen CLK_MMC_1>, ++ <&clk_s_c0_flexgen CLK_RX_ICN_HVA>; + resets = <&softreset STIH407_MMC1_SOFTRESET>; + bus-width = <4>; + }; diff --git a/queue-4.7/arm-dts-stih410-handle-interconnect-clock-required-by-ehci-ohci-usb.patch b/queue-4.7/arm-dts-stih410-handle-interconnect-clock-required-by-ehci-ohci-usb.patch new file mode 100644 index 00000000000..f620006c808 --- /dev/null +++ b/queue-4.7/arm-dts-stih410-handle-interconnect-clock-required-by-ehci-ohci-usb.patch 
@@ -0,0 +1,67 @@ +From 7e9d2850a8db4e0d85a20bb692198bf2cc4be3b7 Mon Sep 17 00:00:00 2001 +From: Lee Jones +Date: Thu, 8 Sep 2016 11:11:00 +0200 +Subject: ARM: dts: STiH410: Handle interconnect clock required by EHCI/OHCI (USB) + +From: Lee Jones + +commit 7e9d2850a8db4e0d85a20bb692198bf2cc4be3b7 upstream. + +The STiH4{07,10} platform contains some interconnect clocks which are used +by various IPs. If this clock isn't handled correctly by ST's EHCI/OHCI +drivers, their hub won't be found, the following error be shown and the +result will be non-working USB: + + [ 97.221963] hub 2-1:1.0: hub_ext_port_status failed (err = -110) + +Tested-by: Peter Griffin +Signed-off-by: Lee Jones +Acked-by: Patrice Chotard +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/stih410.dtsi | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/arch/arm/boot/dts/stih410.dtsi ++++ b/arch/arm/boot/dts/stih410.dtsi +@@ -41,7 +41,8 @@ + compatible = "st,st-ohci-300x"; + reg = <0x9a03c00 0x100>; + interrupts = ; +- clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>; ++ clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>, ++ <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>; + resets = <&powerdown STIH407_USB2_PORT0_POWERDOWN>, + <&softreset STIH407_USB2_PORT0_SOFTRESET>; + reset-names = "power", "softreset"; +@@ -57,7 +58,8 @@ + interrupts = ; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_usb0>; +- clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>; ++ clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>, ++ <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>; + resets = <&powerdown STIH407_USB2_PORT0_POWERDOWN>, + <&softreset STIH407_USB2_PORT0_SOFTRESET>; + reset-names = "power", "softreset"; +@@ -71,7 +73,8 @@ + compatible = "st,st-ohci-300x"; + reg = <0x9a83c00 0x100>; + interrupts = ; +- clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>; ++ clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>, ++ <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>; + resets = <&powerdown STIH407_USB2_PORT1_POWERDOWN>, + <&softreset 
STIH407_USB2_PORT1_SOFTRESET>; + reset-names = "power", "softreset"; +@@ -87,7 +90,8 @@ + interrupts = ; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_usb1>; +- clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>; ++ clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>, ++ <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>; + resets = <&powerdown STIH407_USB2_PORT1_POWERDOWN>, + <&softreset STIH407_USB2_PORT1_SOFTRESET>; + reset-names = "power", "softreset"; diff --git a/queue-4.7/arm-imx6-add-missing-bm_clpcr_byp_mmdc_ch0_lpm_hs-setting-for-imx6ul.patch b/queue-4.7/arm-imx6-add-missing-bm_clpcr_byp_mmdc_ch0_lpm_hs-setting-for-imx6ul.patch new file mode 100644 index 00000000000..aa20d763f2f --- /dev/null +++ b/queue-4.7/arm-imx6-add-missing-bm_clpcr_byp_mmdc_ch0_lpm_hs-setting-for-imx6ul.patch @@ -0,0 +1,36 @@ +From f5a49057c71433e35a4712ab8d8f00641b3e1ec0 Mon Sep 17 00:00:00 2001 +From: Peter Chen +Date: Tue, 9 Aug 2016 16:24:43 +0800 +Subject: ARM: imx6: add missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul + +From: Peter Chen + +commit f5a49057c71433e35a4712ab8d8f00641b3e1ec0 upstream. + +There is a missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul, +without it, the "standby" mode can't work well, the system can't be +resumed. + +With this commit, the "standby" mode works well. + +Signed-off-by: Peter Chen +Cc: Anson Huang +Fixes: ee4a5f838c84 ("ARM: imx: add suspend/resume support for i.mx6ul") +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-imx/pm-imx6.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/mach-imx/pm-imx6.c ++++ b/arch/arm/mach-imx/pm-imx6.c +@@ -295,7 +295,7 @@ int imx6_set_lpm(enum mxc_cpu_pwr_mode m + val &= ~BM_CLPCR_SBYOS; + if (cpu_is_imx6sl()) + val |= BM_CLPCR_BYPASS_PMIC_READY; +- if (cpu_is_imx6sl() || cpu_is_imx6sx()) ++ if (cpu_is_imx6sl() || cpu_is_imx6sx() || cpu_is_imx6ul()) + val |= BM_CLPCR_BYP_MMDC_CH0_LPM_HS; + else + val |= BM_CLPCR_BYP_MMDC_CH1_LPM_HS; 
diff --git a/queue-4.7/arm-imx6-add-missing-bm_clpcr_bypass_pmic_ready-setting-for-imx6sx.patch b/queue-4.7/arm-imx6-add-missing-bm_clpcr_bypass_pmic_ready-setting-for-imx6sx.patch
new file mode 100644
index 00000000000..43bb31a0cc4
--- /dev/null
+++ b/queue-4.7/arm-imx6-add-missing-bm_clpcr_bypass_pmic_ready-setting-for-imx6sx.patch
@@ -0,0 +1,37 @@
+From 8aade778f787305fdbfd3c1d54e6b583601b5902 Mon Sep 17 00:00:00 2001
+From: Anson Huang
+Date: Mon, 22 Aug 2016 23:53:25 +0800
+Subject: ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx
+
+From: Anson Huang
+
+commit 8aade778f787305fdbfd3c1d54e6b583601b5902 upstream.
+
+i.MX6SX has bypass PMIC ready function, as this function
+is normally NOT enabled on the board design, so we need
+to bypass the PMIC ready pin check during DSM mode resume
+flow, otherwise, the internal DSM resume logic will be
+waiting for this signal to be ready forever and cause
+resume fail.
+
+Signed-off-by: Anson Huang
+Fixes: ff843d621bfc ("ARM: imx: add suspend support for i.mx6sx")
+Tested-by: Peter Chen
+Signed-off-by: Shawn Guo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/mach-imx/pm-imx6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/mach-imx/pm-imx6.c
++++ b/arch/arm/mach-imx/pm-imx6.c
+@@ -310,7 +310,7 @@ int imx6_set_lpm(enum mxc_cpu_pwr_mode m
+ val |= 0x3 << BP_CLPCR_STBY_COUNT;
+ val |= BM_CLPCR_VSTBY;
+ val |= BM_CLPCR_SBYOS;
+- if (cpu_is_imx6sl())
++ if (cpu_is_imx6sl() || cpu_is_imx6sx())
+ val |= BM_CLPCR_BYPASS_PMIC_READY;
+ if (cpu_is_imx6sl() || cpu_is_imx6sx() || cpu_is_imx6ul())
+ val |= BM_CLPCR_BYP_MMDC_CH0_LPM_HS;
diff --git a/queue-4.7/arm-kirkwood-ib62x0-fix-size-of-u-boot-environment-partition.patch b/queue-4.7/arm-kirkwood-ib62x0-fix-size-of-u-boot-environment-partition.patch
new file mode 100644
index 00000000000..38b56dd344f
--- /dev/null
+++ b/queue-4.7/arm-kirkwood-ib62x0-fix-size-of-u-boot-environment-partition.patch
@@ -0,0 +1,40 @@
+From a778937888867aac17a33887d1c429120790fbc2 Mon Sep 17 00:00:00 2001
+From: Simon Baatz
+Date: Fri, 12 Aug 2016 19:12:50 +0200
+Subject: ARM: kirkwood: ib62x0: fix size of u-boot environment partition
+
+From: Simon Baatz
+
+commit a778937888867aac17a33887d1c429120790fbc2 upstream.
+
+Commit 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment
+partition") split the "u-boot" partition into "u-boot" and "u-boot
+environment". However, instead of the size of the environment, an offset
+was given, resulting in overlapping partitions.
+
+Signed-off-by: Simon Baatz
+Fixes: 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment partition")
+Cc: Jason Cooper
+Cc: Andrew Lunn
+Cc: Gregory Clement
+Cc: Sebastian Hesselbarth
+Cc: Luka Perkov
+Reviewed-by: Andrew Lunn
+Signed-off-by: Gregory CLEMENT
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/boot/dts/kirkwood-ib62x0.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/kirkwood-ib62x0.dts
++++ b/arch/arm/boot/dts/kirkwood-ib62x0.dts
+@@ -113,7 +113,7 @@
+
+ partition@e0000 {
+ label = "u-boot environment";
+- reg = <0xe0000 0x100000>;
++ reg = <0xe0000 0x20000>;
+ };
+
+ partition@100000 {
diff --git a/queue-4.7/arm-omap3-hwmod-data-add-sysc-information-for-dsi.patch b/queue-4.7/arm-omap3-hwmod-data-add-sysc-information-for-dsi.patch
new file mode 100644
index 00000000000..c6df2d14967
--- /dev/null
+++ b/queue-4.7/arm-omap3-hwmod-data-add-sysc-information-for-dsi.patch
@@ -0,0 +1,48 @@ +From b46211d6dcfb81a8af66b8684a42d629183670d4 Mon Sep 17 00:00:00 2001 +From: Sebastian Reichel +Date: Fri, 24 Jun 2016 03:59:33 +0200 +Subject: ARM: OMAP3: hwmod data: Add sysc information for DSI + +From: Sebastian Reichel + +commit b46211d6dcfb81a8af66b8684a42d629183670d4 upstream. + +Add missing sysconfig/sysstatus information +to OMAP3 hwmod. The information has been +checked against OMAP34xx and OMAP36xx TRM. + +Without this change DSI block is not reset +during boot, which is required for working +Nokia N950 display. + +Signed-off-by: Sebastian Reichel +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-omap2/omap_hwmod_3xxx_data.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c ++++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c +@@ -722,8 +722,20 @@ static struct omap_hwmod omap3xxx_dss_di + * display serial interface controller + */ + ++static struct omap_hwmod_class_sysconfig omap3xxx_dsi_sysc = { ++ .rev_offs = 0x0000, ++ .sysc_offs = 0x0010, ++ .syss_offs = 0x0014, ++ .sysc_flags = (SYSC_HAS_AUTOIDLE | SYSC_HAS_CLOCKACTIVITY | ++ SYSC_HAS_ENAWAKEUP | SYSC_HAS_SIDLEMODE | ++ SYSC_HAS_SOFTRESET | SYSS_HAS_RESET_STATUS), ++ .idlemodes = (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART), ++ .sysc_fields = &omap_hwmod_sysc_type1, ++}; ++ + static struct omap_hwmod_class omap3xxx_dsi_hwmod_class = { + .name = "dsi", ++ .sysc = &omap3xxx_dsi_sysc, + }; + + static struct omap_hwmod_irq_info omap3xxx_dsi1_irqs[] = { diff --git a/queue-4.7/arm64-spinlocks-implement-smp_mb__before_spinlock-as-smp_mb.patch b/queue-4.7/arm64-spinlocks-implement-smp_mb__before_spinlock-as-smp_mb.patch new file mode 100644 index 00000000000..899b7f45784 --- /dev/null +++ b/queue-4.7/arm64-spinlocks-implement-smp_mb__before_spinlock-as-smp_mb.patch 
@@ -0,0 +1,47 @@
+From 872c63fbf9e153146b07f0cece4da0d70b283eeb Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Mon, 5 Sep 2016 11:56:05 +0100
+Subject: arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb()
+
+From: Will Deacon
+
+commit 872c63fbf9e153146b07f0cece4da0d70b283eeb upstream.
+
+smp_mb__before_spinlock() is intended to upgrade a spin_lock() operation
+to a full barrier, such that prior stores are ordered with respect to
+loads and stores occuring inside the critical section.
+
+Unfortunately, the core code defines the barrier as smp_wmb(), which
+is insufficient to provide the required ordering guarantees when used in
+conjunction with our load-acquire-based spinlock implementation.
+
+This patch overrides the arm64 definition of smp_mb__before_spinlock()
+to map to a full smp_mb().
+
+Cc: Peter Zijlstra
+Reported-by: Alan Stern
+Signed-off-by: Will Deacon
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/include/asm/spinlock.h | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/arm64/include/asm/spinlock.h
++++ b/arch/arm64/include/asm/spinlock.h
+@@ -363,4 +363,14 @@ static inline int arch_read_trylock(arch
+ #define arch_read_relax(lock) cpu_relax()
+ #define arch_write_relax(lock) cpu_relax()
+
++/*
++ * Accesses appearing in program order before a spin_lock() operation
++ * can be reordered with accesses inside the critical section, by virtue
++ * of arch_spin_lock being constructed using acquire semantics.
++ *
++ * In cases where this is problematic (e.g. try_to_wake_up), an
++ * smp_mb__before_spinlock() can restore the required ordering.
++ */
++#define smp_mb__before_spinlock() smp_mb()
++
+ #endif /* __ASM_SPINLOCK_H */
diff --git a/queue-4.7/ath9k-bring-back-direction-setting-in-ath9k_-start_stop.patch b/queue-4.7/ath9k-bring-back-direction-setting-in-ath9k_-start_stop.patch
new file mode 100644
index 00000000000..55e56f4cfee
--- /dev/null
+++ b/queue-4.7/ath9k-bring-back-direction-setting-in-ath9k_-start_stop.patch 
@@ -0,0 +1,68 @@
+From e34f2ff40e0339f6a379e1ecf49e8f2759056453 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Giedrius=20Statkevi=C4=8Dius?=
+
+Date: Thu, 1 Sep 2016 20:47:02 +0300
+Subject: ath9k: bring back direction setting in ath9k_{start_stop}
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Giedrius Statkevičius
+
+commit e34f2ff40e0339f6a379e1ecf49e8f2759056453 upstream.
+
+A regression was introduced in commit id 79d4db1214a ("ath9k: cleanup
+led_pin initial") that broken the WLAN status led on my laptop with
+AR9287 after suspending and resuming.
+
+Steps to reproduce:
+* Suspend (laptop)
+* Resume (laptop)
+* Observe that the WLAN led no longer turns ON/OFF depending on the
+ status and is always red
+
+Even though for my case it only needs to be set to OUT in ath9k_start
+but for consistency bring back the IN direction setting as well.
+
+Fixes: 79d4db1214a0 ("ath9k: cleanup led_pin initial")
+Cc: Miaoqing Pan
+Cc: Kalle Valo
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=151711
+Signed-off-by: Giedrius Statkevičius
+[kvalo@qca.qualcomm.com: improve commit log]
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/ath9k/main.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -718,9 +718,12 @@ static int ath9k_start(struct ieee80211_
+ if (!ath_complete_reset(sc, false))
+ ah->reset_power_on = false;
+
+- if (ah->led_pin >= 0)
++ if (ah->led_pin >= 0) {
+ ath9k_hw_set_gpio(ah, ah->led_pin,
+ (ah->config.led_active_high) ? 1 : 0);
++ ath9k_hw_gpio_request_out(ah, ah->led_pin, NULL,
++ AR_GPIO_OUTPUT_MUX_AS_OUTPUT);
++ }
+
+ /*
+ * Reset key cache to sane defaults (all entries cleared) instead of
+@@ -864,9 +867,11 @@ static void ath9k_stop(struct ieee80211_
+
+ spin_lock_bh(&sc->sc_pcu_lock);
+
+- if (ah->led_pin >= 0)
++ if (ah->led_pin >= 0) {
+ ath9k_hw_set_gpio(ah, ah->led_pin,
+ (ah->config.led_active_high) ? 0 : 1);
++ ath9k_hw_gpio_request_in(ah, ah->led_pin, NULL);
++ }
+
+ ath_prepare_reset(sc);
+
diff --git a/queue-4.7/ath9k-fix-using-sta-drv_priv-before-initializing-it.patch b/queue-4.7/ath9k-fix-using-sta-drv_priv-before-initializing-it.patch
new file mode 100644
index 00000000000..3abd23da50e
--- /dev/null
+++ b/queue-4.7/ath9k-fix-using-sta-drv_priv-before-initializing-it.patch
@@ -0,0 +1,42 @@
+From 7711aaf08ad3fc4d0e937eec1de0a63620444ce7 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Fri, 19 Aug 2016 13:37:46 +0300
+Subject: ath9k: fix using sta->drv_priv before initializing it
+
+From: Felix Fietkau
+
+commit 7711aaf08ad3fc4d0e937eec1de0a63620444ce7 upstream.
+
+A station pointer can be passed to the driver on tx, before it has been
+marked as associated. Since ath9k_sta_state was initializing the entry
+too late, it resulted in some spurious crashes.
+
+Fixes: df3c6eb34da5 ("ath9k: Use sta_state() callback")
+Signed-off-by: Felix Fietkau
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/ath9k/main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -1552,13 +1552,13 @@ static int ath9k_sta_state(struct ieee80
+ struct ath_common *common = ath9k_hw_common(sc->sc_ah);
+ int ret = 0;
+
+- if (old_state == IEEE80211_STA_AUTH &&
+- new_state == IEEE80211_STA_ASSOC) {
++ if (old_state == IEEE80211_STA_NOTEXIST &&
++ new_state == IEEE80211_STA_NONE) {
+ ret = ath9k_sta_add(hw, vif, sta);
+ ath_dbg(common, CONFIG,
+ "Add station: %pM\n", sta->addr);
+- } else if (old_state == IEEE80211_STA_ASSOC &&
+- new_state == IEEE80211_STA_AUTH) {
++ } else if (old_state == IEEE80211_STA_NONE &&
++ new_state == IEEE80211_STA_NOTEXIST) {
+ ret = ath9k_sta_remove(hw, vif, sta);
+ ath_dbg(common, CONFIG,
+ "Remove station: %pM\n", sta->addr);
diff --git a/queue-4.7/audit-fix-exe_file-access-in-audit_exe_compare.patch b/queue-4.7/audit-fix-exe_file-access-in-audit_exe_compare.patch
new file mode 100644
index 00000000000..dadebbbb74c
--- /dev/null
+++ b/queue-4.7/audit-fix-exe_file-access-in-audit_exe_compare.patch
@@ -0,0 +1,49 @@
+From 5efc244346f9f338765da3d592f7947b0afdc4b5 Mon Sep 17 00:00:00 2001
+From: Mateusz Guzik
+Date: Tue, 23 Aug 2016 16:20:39 +0200
+Subject: audit: fix exe_file access in audit_exe_compare
+
+From: Mateusz Guzik
+
+commit 5efc244346f9f338765da3d592f7947b0afdc4b5 upstream.
+
+Prior to the change the function would blindly deference mm, exe_file
+and exe_file->f_inode, each of which could have been NULL or freed.
+
+Use get_task_exe_file to safely obtain stable exe_file.
+
+Signed-off-by: Mateusz Guzik
+Acked-by: Konstantin Khlebnikov
+Acked-by: Richard Guy Briggs
+Signed-off-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/audit_watch.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/kernel/audit_watch.c
++++ b/kernel/audit_watch.c
+@@ -19,6 +19,7 @@
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
++#include
+ #include
+ #include
+ #include
+@@ -544,10 +545,11 @@ int audit_exe_compare(struct task_struct
+ unsigned long ino;
+ dev_t dev;
+
+- rcu_read_lock();
+- exe_file = rcu_dereference(tsk->mm->exe_file);
++ exe_file = get_task_exe_file(tsk);
++ if (!exe_file)
++ return 0;
+ ino = exe_file->f_inode->i_ino;
+ dev = exe_file->f_inode->i_sb->s_dev;
+- rcu_read_unlock();
++ fput(exe_file);
+ return audit_mark_compare(mark, ino, dev);
+ }
diff --git a/queue-4.7/brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg80211_start_ap.patch b/queue-4.7/brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg80211_start_ap.patch
new file mode 100644
index 00000000000..f83093fb49e
--- /dev/null
+++ b/queue-4.7/brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg80211_start_ap.patch
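Review bot: The new `return 0;` in audit_exe_compare() gives no hint of what 0 means when get_task_exe_file() returns NULL; a short comment such as `/* no exe_file for this task: report no match */` would pin the intent, assuming 0 is the "no match" result of audit_mark_compare(), which is defined outside this hunk. The two `exe_file->f_inode` reads could also go through the accessor, e.g. `ino = file_inode(exe_file)->i_ino;`, which is the usual way to reach a file's inode. The function's opening lines are outside the hunk.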
@@ -0,0 +1,38 @@
+From ded89912156b1a47d940a0c954c43afbabd0c42c Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel
+Date: Mon, 5 Sep 2016 10:45:47 +0100
+Subject: brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()
+
+From: Arend Van Spriel
+
+commit ded89912156b1a47d940a0c954c43afbabd0c42c upstream.
+
+User-space can choose to omit NL80211_ATTR_SSID and only provide raw
+IE TLV data. When doing so it can provide SSID IE with length exceeding
+the allowed size. The driver further processes this IE copying it
+into a local variable without checking the length. Hence stack can be
+corrupted and used as exploit.
+
+Reported-by: Daxing Guo
+Reviewed-by: Hante Meuleman
+Reviewed-by: Pieter-Paul Giesberts
+Reviewed-by: Franky Lin
+Signed-off-by: Arend van Spriel
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -4467,7 +4467,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
+ (u8 *)&settings->beacon.head[ie_offset],
+ settings->beacon.head_len - ie_offset,
+ WLAN_EID_SSID);
+- if (!ssid_ie)
++ if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)
+ return -EINVAL;
+
+ memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len);
diff --git a/queue-4.7/btrfs-remove-root_log_ctx-from-ctx-list-before-btrfs_sync_log-returns.patch b/queue-4.7/btrfs-remove-root_log_ctx-from-ctx-list-before-btrfs_sync_log-returns.patch
new file mode 100644
index 00000000000..1225735b86f
--- /dev/null
+++ b/queue-4.7/btrfs-remove-root_log_ctx-from-ctx-list-before-btrfs_sync_log-returns.patch
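Review bot: The added bound compares `ssid_ie->len` with IEEE80211_MAX_SSID_LEN, while the `memcpy` on the last line of the hunk writes into `ssid_le.SSID`, whose declaration is not visible here. Tying the check to the destination, `if (!ssid_ie || ssid_ie->len > sizeof(ssid_le.SSID))`, or adding `/* ssid_ie comes from user-supplied beacon data; len must fit ssid_le.SSID */` above it, keeps the copy safe if either size ever changes. Whether the TLV lookup whose arguments open the hunk also confirms that the element's data lies inside `head_len` cannot be judged from here and is worth confirming. brcmf_cfg80211_start_ap() starts and ends outside the hunk.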
@@ -0,0 +1,35 @@
+From cbd60aa7cd17d81a434234268c55192862147439 Mon Sep 17 00:00:00 2001
+From: Chris Mason
+Date: Tue, 6 Sep 2016 05:37:40 -0700
+Subject: Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns
+
+From: Chris Mason
+
+commit cbd60aa7cd17d81a434234268c55192862147439 upstream.
+
+We use a btrfs_log_ctx structure to pass information into the
+tree log commit, and get error values out. It gets added to a per
+log-transaction list which we walk when things go bad.
+
+Commit d1433debe added an optimization to skip waiting for the log
+commit, but didn't take root_log_ctx out of the list. This
+patch makes sure we remove things before exiting.
+
+Signed-off-by: Chris Mason
+Fixes: d1433debe7f4346cf9fc0dafc71c3137d2a97bc4
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/tree-log.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -2851,6 +2851,7 @@ int btrfs_sync_log(struct btrfs_trans_ha
+
+ if (log_root_tree->log_transid_committed >= root_log_ctx.log_transid) {
+ blk_finish_plug(&plug);
++ list_del_init(&root_log_ctx.list);
+ mutex_unlock(&log_root_tree->log_mutex);
+ ret = root_log_ctx.log_ret;
+ goto out;
diff --git a/queue-4.7/bus-arm-ccn-do-not-attempt-to-configure-xps-for-cycle-counter.patch b/queue-4.7/bus-arm-ccn-do-not-attempt-to-configure-xps-for-cycle-counter.patch
new file mode 100644
index 00000000000..9192c17ab94
--- /dev/null
+++ b/queue-4.7/bus-arm-ccn-do-not-attempt-to-configure-xps-for-cycle-counter.patch
@@ -0,0 +1,39 @@
+From b7c1beb278e8e3dc664ed3df3fc786db126120a9 Mon Sep 17 00:00:00 2001
+From: Pawel Moll
+Date: Fri, 5 Aug 2016 15:07:10 +0100
+Subject: bus: arm-ccn: Do not attempt to configure XPs for cycle counter
+
+From: Pawel Moll
+
+commit b7c1beb278e8e3dc664ed3df3fc786db126120a9 upstream.
+
+Fuzzing the CCN perf driver revealed a small but definitely dangerous
+mistake in the event setup code. When a cycle counter is requested, the
+driver should not reconfigure the events bus at all, otherwise it will
+corrupt (in most but the simplest cases) its configuration and may end
+up accessing XP array out of its bounds and corrupting control
+registers.
+
+Reported-by: Mark Rutland
+Reviewed-by: Mark Rutland
+Tested-by: Mark Rutland
+Signed-off-by: Pawel Moll
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/bus/arm-ccn.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -895,6 +895,10 @@ static void arm_ccn_pmu_xp_dt_config(str
+ struct arm_ccn_component *xp;
+ u32 val, dt_cfg;
+
++ /* Nothing to do for cycle counter */
++ if (hw->idx == CCN_IDX_PMU_CYCLE_COUNTER)
++ return;
++
+ if (CCN_CONFIG_TYPE(event->attr.config) == CCN_TYPE_XP)
+ xp = &ccn->xp[CCN_CONFIG_XP(event->attr.config)];
+ else
diff --git a/queue-4.7/bus-arm-ccn-fix-pmu-handling-of-mn.patch b/queue-4.7/bus-arm-ccn-fix-pmu-handling-of-mn.patch
new file mode 100644
index 00000000000..5ede6a90e53
--- /dev/null
+++ b/queue-4.7/bus-arm-ccn-fix-pmu-handling-of-mn.patch
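Review bot: The comment on the new guard, `/* Nothing to do for cycle counter */`, does not say why returning early matters, and the reason given in the commit message is a memory-safety one. Something like `/* Cycle counter has no XP/event-bus setup; configuring one here can index ccn->xp[] out of bounds */` would keep a later refactor from dropping the check as dead code. arm_ccn_pmu_xp_dt_config() continues past the hunk.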
@@ -0,0 +1,92 @@
+From 4e486cba285ff06a1f28f0fc2991dde1482d1dcf Mon Sep 17 00:00:00 2001
+From: Pawel Moll
+Date: Tue, 2 Aug 2016 16:45:37 +0100
+Subject: bus: arm-ccn: Fix PMU handling of MN
+
+From: Pawel Moll
+
+commit 4e486cba285ff06a1f28f0fc2991dde1482d1dcf upstream.
+
+The "Miscellaneous Node" fell through cracks of node initialisation,
+as its ID is shared with HN-I.
+
+This patch treats MN as a special case (which it is), adding separate
+validation check for it and pre-defining the node ID in relevant events
+descriptions. That way one can simply run:
+
+ # perf stat -a -e ccn/mn_ecbarrier/
+
+Additionally, direction in the MN pseudo-events XP watchpoint
+definitions is corrected to be "TX" (1) as they are defined from the
+crosspoint point of view (thus barriers are transmitted from XP to MN).
+
+Signed-off-by: Pawel Moll
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/bus/arm-ccn.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -187,6 +187,7 @@ struct arm_ccn {
+ struct arm_ccn_component *xp;
+
+ struct arm_ccn_dt dt;
++ int mn_id;
+ };
+
+
+@@ -326,6 +327,7 @@ struct arm_ccn_pmu_event {
+ static ssize_t arm_ccn_pmu_event_show(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
++ struct arm_ccn *ccn = pmu_to_arm_ccn(dev_get_drvdata(dev));
+ struct arm_ccn_pmu_event *event = container_of(attr,
+ struct arm_ccn_pmu_event, attr);
+ ssize_t res;
+@@ -352,6 +354,9 @@ static ssize_t arm_ccn_pmu_event_show(st
+ res += snprintf(buf + res, PAGE_SIZE - res,
+ ",cmp_l=?,cmp_h=?,mask=?");
+ break;
++ case CCN_TYPE_MN:
++ res += snprintf(buf + res, PAGE_SIZE - res, ",node=%d", ccn->mn_id);
++ break;
+ default:
+ res += snprintf(buf + res, PAGE_SIZE - res, ",node=?");
+ break;
+@@ -381,9 +386,9 @@ static umode_t arm_ccn_pmu_events_is_vis
+ }
+
+ static struct arm_ccn_pmu_event arm_ccn_pmu_events[] = {
+- CCN_EVENT_MN(eobarrier, "dir=0,vc=0,cmp_h=0x1c00", CCN_IDX_MASK_OPCODE),
+- CCN_EVENT_MN(ecbarrier, "dir=0,vc=0,cmp_h=0x1e00", CCN_IDX_MASK_OPCODE),
+- CCN_EVENT_MN(dvmop, "dir=0,vc=0,cmp_h=0x2800", CCN_IDX_MASK_OPCODE),
++ CCN_EVENT_MN(eobarrier, "dir=1,vc=0,cmp_h=0x1c00", CCN_IDX_MASK_OPCODE),
++ CCN_EVENT_MN(ecbarrier, "dir=1,vc=0,cmp_h=0x1e00", CCN_IDX_MASK_OPCODE),
++ CCN_EVENT_MN(dvmop, "dir=1,vc=0,cmp_h=0x2800", CCN_IDX_MASK_OPCODE),
+ CCN_EVENT_HNI(txdatflits, "dir=1,vc=3", CCN_IDX_MASK_ANY),
+ CCN_EVENT_HNI(rxdatflits, "dir=0,vc=3", CCN_IDX_MASK_ANY),
+ CCN_EVENT_HNI(txreqflits, "dir=1,vc=0", CCN_IDX_MASK_ANY),
+@@ -757,6 +762,12 @@ static int arm_ccn_pmu_event_init(struct
+
+ /* Validate node/xp vs topology */
+ switch (type) {
++ case CCN_TYPE_MN:
++ if (node_xp != ccn->mn_id) {
++ dev_warn(ccn->dev, "Invalid MN ID %d!\n", node_xp);
++ return -EINVAL;
++ }
++ break;
+ case CCN_TYPE_XP:
+ if (node_xp >= ccn->num_xps) {
+ dev_warn(ccn->dev, "Invalid XP ID %d!\n", node_xp);
+@@ -1369,6 +1380,8 @@ static int arm_ccn_init_nodes(struct arm
+
+ switch (type) {
+ case CCN_TYPE_MN:
++ ccn->mn_id = id;
++ return 0;
+ case CCN_TYPE_DT:
+ return 0;
+ case CCN_TYPE_XP:
diff --git a/queue-4.7/bus-arm-ccn-fix-xp-watchpoint-settings-bitmask.patch b/queue-4.7/bus-arm-ccn-fix-xp-watchpoint-settings-bitmask.patch
new file mode 100644
index 00000000000..ccd2864c7ae
--- /dev/null
+++ b/queue-4.7/bus-arm-ccn-fix-xp-watchpoint-settings-bitmask.patch
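Review bot: `mn_id` has no "not discovered" value: it is only assigned in the `case CCN_TYPE_MN:` arm of arm_ccn_init_nodes(), so if no MN node is enumerated it keeps its initial value (0 if the structure is zero-allocated, which this diff does not show). In that case the new check in arm_ccn_pmu_event_init(), `if (node_xp != ccn->mn_id)`, would accept node 0 as the MN and arm_ccn_pmu_event_show() would print it. Initialising the field to -1 where the structure is set up and rejecting MN events while it is negative, e.g. `if (ccn->mn_id < 0 || node_xp != ccn->mn_id)`, would close that gap. All three functions extend beyond their hunks.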
@@ -0,0 +1,45 @@
+From b928466b2169e061822daad48ecf55b005445547 Mon Sep 17 00:00:00 2001
+From: Pawel Moll
+Date: Wed, 10 Aug 2016 17:06:26 +0100
+Subject: bus: arm-ccn: Fix XP watchpoint settings bitmask
+
+From: Pawel Moll
+
+commit b928466b2169e061822daad48ecf55b005445547 upstream.
+
+The code setting XP watchpoint comparator and mask registers should, in
+order to be fully compliant with specification, zero one or more most
+significant bits of each field. In both L cases it means zeroing bit 63.
+The bitmask doing this was wrong, though, zeroing bit 60 instead.
+Fortunately, due to a lucky coincidence, this turned out to be fairly
+innocent with the existing hardware.
+
+Fixed now.
+
+Signed-off-by: Pawel Moll
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/bus/arm-ccn.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -1001,7 +1001,7 @@ static void arm_ccn_pmu_xp_watchpoint_co
+
+ /* Comparison values */
+ writel(cmp_l & 0xffffffff, source->base + CCN_XP_DT_CMP_VAL_L(wp));
+- writel((cmp_l >> 32) & 0xefffffff,
++ writel((cmp_l >> 32) & 0x7fffffff,
+ source->base + CCN_XP_DT_CMP_VAL_L(wp) + 4);
+ writel(cmp_h & 0xffffffff, source->base + CCN_XP_DT_CMP_VAL_H(wp));
+ writel((cmp_h >> 32) & 0x0fffffff,
+@@ -1009,7 +1009,7 @@ static void arm_ccn_pmu_xp_watchpoint_co
+
+ /* Mask */
+ writel(mask_l & 0xffffffff, source->base + CCN_XP_DT_CMP_MASK_L(wp));
+- writel((mask_l >> 32) & 0xefffffff,
++ writel((mask_l >> 32) & 0x7fffffff,
+ source->base + CCN_XP_DT_CMP_MASK_L(wp) + 4);
+ writel(mask_h & 0xffffffff, source->base + CCN_XP_DT_CMP_MASK_H(wp));
+ writel((mask_h >> 32) & 0x0fffffff,
diff --git a/queue-4.7/cpuset-make-sure-new-tasks-conform-to-the-current-config-of-the-cpuset.patch b/queue-4.7/cpuset-make-sure-new-tasks-conform-to-the-current-config-of-the-cpuset.patch
new file mode 100644
index 00000000000..a745c339686
--- /dev/null
+++ b/queue-4.7/cpuset-make-sure-new-tasks-conform-to-the-current-config-of-the-cpuset.patch
@@ -0,0 +1,53 @@
+From 06f4e94898918bcad00cdd4d349313a439d6911e Mon Sep 17 00:00:00 2001
+From: Zefan Li
+Date: Tue, 9 Aug 2016 11:25:01 +0800
+Subject: cpuset: make sure new tasks conform to the current config of the cpuset
+
+From: Zefan Li
+
+commit 06f4e94898918bcad00cdd4d349313a439d6911e upstream.
+
+A new task inherits cpus_allowed and mems_allowed masks from its parent,
+but if someone changes cpuset's config by writing to cpuset.cpus/cpuset.mems
+before this new task is inserted into the cgroup's task list, the new task
+won't be updated accordingly.
+
+Signed-off-by: Zefan Li
+Signed-off-by: Tejun Heo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/cpuset.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/kernel/cpuset.c
++++ b/kernel/cpuset.c
+@@ -2078,6 +2078,20 @@ static void cpuset_bind(struct cgroup_su
+ mutex_unlock(&cpuset_mutex);
+ }
+
++/*
++ * Make sure the new task conform to the current state of its parent,
++ * which could have been changed by cpuset just after it inherits the
++ * state from the parent and before it sits on the cgroup's task list.
++ */
++void cpuset_fork(struct task_struct *task)
++{
++ if (task_css_is_root(task, cpuset_cgrp_id))
++ return;
++
++ set_cpus_allowed_ptr(task, ¤t->cpus_allowed);
++ task->mems_allowed = current->mems_allowed;
++}
++
+ struct cgroup_subsys cpuset_cgrp_subsys = {
+ .css_alloc = cpuset_css_alloc,
+ .css_online = cpuset_css_online,
+@@ -2088,6 +2102,7 @@ struct cgroup_subsys cpuset_cgrp_subsys
+ .attach = cpuset_attach,
+ .post_attach = cpuset_post_attach,
+ .bind = cpuset_bind,
++ .fork = cpuset_fork,
+ .legacy_cftypes = files,
+ .early_init = true,
+ };
diff --git a/queue-4.7/crypto-cryptd-initialize-child-shash_desc-on-import.patch b/queue-4.7/crypto-cryptd-initialize-child-shash_desc-on-import.patch
new file mode 100644
index 00000000000..0297fb64c3e
--- /dev/null
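Review bot: cpuset_fork() ignores the return value of set_cpus_allowed_ptr(), so a failure presumably leaves the child on the mask it inherited with no trace. Since the `.fork` hook returns void the error cannot be propagated; a comment such as `/* best effort: on failure the task keeps its inherited cpus_allowed */` or a `WARN_ON_ONCE()` around the call would make that explicit. The block comment also reads better as "Make sure the new task conforms to ...". The second argument is printed as `¤t->cpus_allowed` on this page; it is presumably `&current->cpus_allowed` mangled by the page's encoding.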
+++ b/queue-4.7/crypto-cryptd-initialize-child-shash_desc-on-import.patch
@@ -0,0 +1,40 @@
+From 0bd2223594a4dcddc1e34b15774a3a4776f7749e Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Thu, 1 Sep 2016 14:25:43 +0100
+Subject: crypto: cryptd - initialize child shash_desc on import
+
+From: Ard Biesheuvel
+
+commit 0bd2223594a4dcddc1e34b15774a3a4776f7749e upstream.
+
+When calling .import() on a cryptd ahash_request, the structure members
+that describe the child transform in the shash_desc need to be initialized
+like they are when calling .init()
+
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/cryptd.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/crypto/cryptd.c
++++ b/crypto/cryptd.c
+@@ -594,9 +594,14 @@ static int cryptd_hash_export(struct aha
+
+ static int cryptd_hash_import(struct ahash_request *req, const void *in)
+ {
+- struct cryptd_hash_request_ctx *rctx = ahash_request_ctx(req);
++ struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
++ struct cryptd_hash_ctx *ctx = crypto_ahash_ctx(tfm);
++ struct shash_desc *desc = cryptd_shash_desc(req);
+
+- return crypto_shash_import(&rctx->desc, in);
++ desc->tfm = ctx->child;
++ desc->flags = req->base.flags;
++
++ return crypto_shash_import(desc, in);
+ }
+
+ static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
diff --git a/queue-4.7/cxl-use-pcibios_free_controller_deferred-when-removing-vphbs.patch b/queue-4.7/cxl-use-pcibios_free_controller_deferred-when-removing-vphbs.patch
new file mode 100644
index 00000000000..9c7cdc795c1
--- /dev/null
+++ b/queue-4.7/cxl-use-pcibios_free_controller_deferred-when-removing-vphbs.patch
@@ -0,0 +1,68 @@
+From 6f38a8b9a45833495dc878c335c5431cd98a16ed Mon Sep 17 00:00:00 2001
+From: Andrew Donnellan
+Date: Thu, 18 Aug 2016 17:35:14 +1000
+Subject: cxl: use pcibios_free_controller_deferred() when removing vPHBs
+
+From: Andrew Donnellan
+
+commit 6f38a8b9a45833495dc878c335c5431cd98a16ed upstream.
+
+When cxl removes a vPHB, it's possible that the pci_controller may be freed
+before all references to the devices on the vPHB have been released. This
+in turn causes an invalid memory access when the devices are eventually
+released, as pcibios_release_device() attempts to call the phb's
+release_device hook.
+
+In cxl_pci_vphb_remove(), remove the existing call to
+pcibios_free_controller(). Instead, use
+pcibios_free_controller_deferred() to free the pci_controller after all
+devices have been released. Export pci_set_host_bridge_release() so we can
+do this.
+
+Signed-off-by: Andrew Donnellan
+Reviewed-by: Matthew R. Ochs
+Acked-by: Ian Munsie
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/misc/cxl/vphb.c | 10 +++++++++-
+ drivers/pci/host-bridge.c | 1 +
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/cxl/vphb.c
++++ b/drivers/misc/cxl/vphb.c
+@@ -243,6 +243,11 @@ int cxl_pci_vphb_add(struct cxl_afu *afu
+ if (phb->bus == NULL)
+ return -ENXIO;
+
++ /* Set release hook on root bus */
++ pci_set_host_bridge_release(to_pci_host_bridge(phb->bus->bridge),
++ pcibios_free_controller_deferred,
++ (void *) phb);
++
+ /* Claim resources. This might need some rework as well depending
+ * whether we are doing probe-only or not, like assigning unassigned
+ * resources etc...
+@@ -269,7 +274,10 @@ void cxl_pci_vphb_remove(struct cxl_afu
+ afu->phb = NULL;
+
+ pci_remove_root_bus(phb->bus);
+- pcibios_free_controller(phb);
++ /*
++ * We don't free phb here - that's handled by
++ * pcibios_free_controller_deferred()
++ */
+ }
+
+ bool cxl_pci_is_vphb_device(struct pci_dev *dev)
+--- a/drivers/pci/host-bridge.c
++++ b/drivers/pci/host-bridge.c
+@@ -44,6 +44,7 @@ void pci_set_host_bridge_release(struct
+ bridge->release_fn = release_fn;
+ bridge->release_data = release_data;
+ }
++EXPORT_SYMBOL_GPL(pci_set_host_bridge_release);
+
+ void pcibios_resource_to_bus(struct pci_bus *bus, struct pci_bus_region *region,
+ struct resource *res)
diff --git a/queue-4.7/devpts-return-null-pts-priv-entry-for-non-devpts-nodes.patch b/queue-4.7/devpts-return-null-pts-priv-entry-for-non-devpts-nodes.patch
new file mode 100644
index 00000000000..ecd1f911630
--- /dev/null
+++ b/queue-4.7/devpts-return-null-pts-priv-entry-for-non-devpts-nodes.patch
@@ -0,0 +1,41 @@
+From 3e423945ea94412283eaba8bfbe9d6e0a80b434f Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Sat, 3 Sep 2016 11:02:50 -0700
+Subject: devpts: return NULL pts 'priv' entry for non-devpts nodes
+
+From: Linus Torvalds
+
+commit 3e423945ea94412283eaba8bfbe9d6e0a80b434f upstream.
+
+In commit 8ead9dd54716 ("devpts: more pty driver interface cleanups") I
+made devpts_get_priv() just return the dentry->fs_data directly. And
+because I thought it wouldn't happen, I added a warning if you ever saw
+a pts node that wasn't on devpts.
+
+And no, that warning never triggered under any actual real use, but you
+can trigger it by creating nonsensical pts nodes by hand.
+
+So just revert the warning, and make devpts_get_priv() return NULL for
+that case like it used to.
+
+Reported-by: Dmitry Vyukov
+Cc: Eric W Biederman"
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/devpts/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/devpts/inode.c
++++ b/fs/devpts/inode.c
+@@ -584,7 +584,8 @@ struct dentry *devpts_pty_new(struct pts
+ */
+ void *devpts_get_priv(struct dentry *dentry)
+ {
+- WARN_ON_ONCE(dentry->d_sb->s_magic != DEVPTS_SUPER_MAGIC);
++ if (dentry->d_sb->s_magic != DEVPTS_SUPER_MAGIC)
++ return NULL;
+ return dentry->d_fsdata;
+ }
+
diff --git a/queue-4.7/dm-crypt-fix-error-with-too-large-bios.patch b/queue-4.7/dm-crypt-fix-error-with-too-large-bios.patch
new file mode 100644
index 00000000000..c1c68405068
--- /dev/null
+++ b/queue-4.7/dm-crypt-fix-error-with-too-large-bios.patch
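Review bot: devpts_get_priv() now returns NULL for a dentry that is not on devpts, but the doc comment that ends just above the function is not part of the change and the callers are outside the hunk. Adding a line such as ` * Returns NULL if @dentry does not belong to a devpts filesystem.` to that comment, and confirming that each caller checks for NULL before using the result, would finish the fix; the commit message notes such nodes can be created by hand, so the NULL path appears reachable from user space.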
@@ -0,0 +1,44 @@
+From 4e870e948fbabf62b78e8410f04c67703e7c816b Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Tue, 30 Aug 2016 16:38:42 -0400
+Subject: dm crypt: fix error with too large bios
+
+From: Mikulas Patocka
+
+commit 4e870e948fbabf62b78e8410f04c67703e7c816b upstream.
+
+When dm-crypt processes writes, it allocates a new bio in
+crypt_alloc_buffer(). The bio is allocated from a bio set and it can
+have at most BIO_MAX_PAGES vector entries, however the incoming bio can be
+larger (e.g. if it was allocated by bcache). If the incoming bio is
+larger, bio_alloc_bioset() fails and an error is returned.
+
+To avoid the error, we test for a too large bio in the function
+crypt_map() and use dm_accept_partial_bio() to split the bio.
+dm_accept_partial_bio() trims the current bio to the desired size and
+asks DM core to send another bio with the rest of the data.
+
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm-crypt.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -1923,6 +1923,13 @@ static int crypt_map(struct dm_target *t
+ return DM_MAPIO_REMAPPED;
+ }
+
++ /*
++ * Check if bio is too large, split as needed.
++ */
++ if (unlikely(bio->bi_iter.bi_size > (BIO_MAX_PAGES << PAGE_SHIFT)) &&
++ bio_data_dir(bio) == WRITE)
++ dm_accept_partial_bio(bio, ((BIO_MAX_PAGES << PAGE_SHIFT) >> SECTOR_SHIFT));
++
+ io = dm_per_bio_data(bio, cc->per_bio_data_size);
+ crypt_io_init(io, cc, bio, dm_target_offset(ti, bio->bi_iter.bi_sector));
+ io->ctx.req = (struct skcipher_request *)(io + 1);
diff --git a/queue-4.7/dm-crypt-fix-free-of-bad-values-after-tfm-allocation-failure.patch b/queue-4.7/dm-crypt-fix-free-of-bad-values-after-tfm-allocation-failure.patch
new file mode 100644
index 00000000000..ee620156489
--- /dev/null
+++ b/queue-4.7/dm-crypt-fix-free-of-bad-values-after-tfm-allocation-failure.patch
@@ -0,0 +1,33 @@
+From 5d0be84ec0cacfc7a6d6ea548afdd07d481324cd Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Tue, 30 Aug 2016 09:51:44 -0700
+Subject: dm crypt: fix free of bad values after tfm allocation failure
+
+From: Eric Biggers
+
+commit 5d0be84ec0cacfc7a6d6ea548afdd07d481324cd upstream.
+
+If crypt_alloc_tfms() had to allocate multiple tfms and it failed before
+the last allocation, then it would call crypt_free_tfms() and could free
+pointers from uninitialized memory -- due to the crypt_free_tfms() check
+for non-zero cc->tfms[i]. Fix by allocating zeroed memory.
+
+Signed-off-by: Eric Biggers
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm-crypt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -1453,7 +1453,7 @@ static int crypt_alloc_tfms(struct crypt
+ unsigned i;
+ int err;
+
+- cc->tfms = kmalloc(cc->tfms_count * sizeof(struct crypto_skcipher *),
++ cc->tfms = kzalloc(cc->tfms_count * sizeof(struct crypto_skcipher *),
+ GFP_KERNEL);
+ if (!cc->tfms)
+ return -ENOMEM;
diff --git a/queue-4.7/dm-flakey-fix-reads-to-be-issued-if-drop_writes-configured.patch b/queue-4.7/dm-flakey-fix-reads-to-be-issued-if-drop_writes-configured.patch
new file mode 100644
index 00000000000..143ab2b8816
--- /dev/null
+++ b/queue-4.7/dm-flakey-fix-reads-to-be-issued-if-drop_writes-configured.patch
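Review bot: The array size is still an open-coded product, `cc->tfms_count * sizeof(struct crypto_skcipher *)`, which kzalloc() cannot check for overflow. `cc->tfms = kcalloc(cc->tfms_count, sizeof(struct crypto_skcipher *), GFP_KERNEL);` zeroes the array in the same way and returns NULL if the multiplication would wrap. Where `tfms_count` is set is outside the hunk, so this is hardening rather than a demonstrated bug. crypt_alloc_tfms() continues past the hunk.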
@@ -0,0 +1,71 @@
+From 299f6230bc6d0ccd5f95bb0fb865d80a9c7d5ccc Mon Sep 17 00:00:00 2001
+From: Mike Snitzer
+Date: Wed, 24 Aug 2016 21:12:58 -0400
+Subject: dm flakey: fix reads to be issued if drop_writes configured
+
+From: Mike Snitzer
+
+commit 299f6230bc6d0ccd5f95bb0fb865d80a9c7d5ccc upstream.
+
+v4.8-rc3 commit 99f3c90d0d ("dm flakey: error READ bios during the
+down_interval") overlooked the 'drop_writes' feature, which is meant to
+allow reads to be issued rather than errored, during the down_interval.
+
+Fixes: 99f3c90d0d ("dm flakey: error READ bios during the down_interval")
+Reported-by: Qu Wenruo
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm-flakey.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+--- a/drivers/md/dm-flakey.c
++++ b/drivers/md/dm-flakey.c
+@@ -289,15 +289,13 @@ static int flakey_map(struct dm_target *
+ pb->bio_submitted = true;
+
+ /*
+- * Map reads as normal only if corrupt_bio_byte set.
++ * Error reads if neither corrupt_bio_byte or drop_writes are set.
++ * Otherwise, flakey_end_io() will decide if the reads should be modified.
+ */
+ if (bio_data_dir(bio) == READ) {
+- /* If flags were specified, only corrupt those that match. */
+- if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) &&
+- all_corrupt_bio_flags_match(bio, fc))
+- goto map_bio;
+- else
++ if (!fc->corrupt_bio_byte && !test_bit(DROP_WRITES, &fc->flags))
+ return -EIO;
++ goto map_bio;
+ }
+
+ /*
+@@ -334,14 +332,21 @@ static int flakey_end_io(struct dm_targe
+ struct flakey_c *fc = ti->private;
+ struct per_bio_data *pb = dm_per_bio_data(bio, sizeof(struct per_bio_data));
+
+- /*
+- * Corrupt successful READs while in down state.
+- */
+ if (!error && pb->bio_submitted && (bio_data_dir(bio) == READ)) {
+- if (fc->corrupt_bio_byte)
++ if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) &&
++ all_corrupt_bio_flags_match(bio, fc)) {
++ /*
++ * Corrupt successful matching READs while in down state.
++ */
+ corrupt_bio_data(bio, fc);
+- else
++
++ } else if (!test_bit(DROP_WRITES, &fc->flags)) {
++ /*
++ * Error read during the down_interval if drop_writes
++ * wasn't configured.
++ */
+ return -EIO;
++ }
+ }
+
+ return error;
diff --git a/queue-4.7/dm-log-writes-fix-check-of-kthread_run-return-value.patch b/queue-4.7/dm-log-writes-fix-check-of-kthread_run-return-value.patch
new file mode 100644
index 00000000000..ac512f4562a
--- /dev/null
+++ b/queue-4.7/dm-log-writes-fix-check-of-kthread_run-return-value.patch
@@ -0,0 +1,35 @@
+From 91e630d9ae6de6f740ef7c8176736eb55366833e Mon Sep 17 00:00:00 2001
+From: Vladimir Zapolskiy
+Date: Thu, 10 Mar 2016 01:22:19 +0200
+Subject: dm log writes: fix check of kthread_run() return value
+
+From: Vladimir Zapolskiy
+
+commit 91e630d9ae6de6f740ef7c8176736eb55366833e upstream.
+
+The kthread_run() function returns either a valid task_struct or
+ERR_PTR() value, check for NULL is invalid. This change fixes potential
+for oops, e.g. in OOM situation.
+
+Signed-off-by: Vladimir Zapolskiy
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm-log-writes.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-log-writes.c
++++ b/drivers/md/dm-log-writes.c
+@@ -456,9 +456,9 @@ static int log_writes_ctr(struct dm_targ
+ goto bad;
+ }
+
+- ret = -EINVAL;
+ lc->log_kthread = kthread_run(log_writes_kthread, lc, "log-write");
+- if (!lc->log_kthread) {
++ if (IS_ERR(lc->log_kthread)) {
++ ret = PTR_ERR(lc->log_kthread);
+ ti->error = "Couldn't alloc kthread";
+ dm_put_device(ti, lc->dev);
+ dm_put_device(ti, lc->logdev);
diff --git a/queue-4.7/dm-log-writes-move-io-accounting-earlier-to-fix-error-path.patch b/queue-4.7/dm-log-writes-move-io-accounting-earlier-to-fix-error-path.patch
new file mode 100644
index 00000000000..98dd138bf5b
--- /dev/null
+++ b/queue-4.7/dm-log-writes-move-io-accounting-earlier-to-fix-error-path.patch
@@ -0,0 +1,39 @@
+From a5d60783df61fbb67b7596b8a0f6b4b2e05251d5 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Tue, 30 Aug 2016 16:11:53 -0400
+Subject: dm log writes: move IO accounting earlier to fix error path
+
+From: Mikulas Patocka
+
+commit a5d60783df61fbb67b7596b8a0f6b4b2e05251d5 upstream.
+
+Move log_one_block()'s atomic_inc(&lc->io_blocks) before bio_alloc() to
+fix a bug that the target hangs if bio_alloc() fails. The error path
+does put_io_block(lc), so atomic_inc(&lc->io_blocks) must occur before
+invoking the error path to avoid underflow of lc->io_blocks.
+
+Signed-off-by: Mikulas Patocka
+Reviewed-by: Josef Bacik
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm-log-writes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-log-writes.c
++++ b/drivers/md/dm-log-writes.c
+@@ -258,12 +258,12 @@ static int log_one_block(struct log_writ
+ goto out;
+ sector++;
+
++ atomic_inc(&lc->io_blocks);
+ bio = bio_alloc(GFP_KERNEL, block->vec_cnt);
+ if (!bio) {
+ DMERR("Couldn't alloc log bio");
+ goto error;
+ }
+- atomic_inc(&lc->io_blocks);
+ bio->bi_iter.bi_size = 0;
+ bio->bi_iter.bi_sector = sector;
+ bio->bi_bdev = lc->logdev->bdev;
diff --git a/queue-4.7/efi-libstub-allocate-headspace-in-efi_get_memory_map.patch b/queue-4.7/efi-libstub-allocate-headspace-in-efi_get_memory_map.patch
new file mode 100644
index 00000000000..efe270972ce
--- /dev/null
+++ b/queue-4.7/efi-libstub-allocate-headspace-in-efi_get_memory_map.patch
@@ -0,0 +1,349 @@ +From dadb57abc37499f565b23933dbf49b435c3ba8af Mon Sep 17 00:00:00 2001 +From: Jeffrey Hugo +Date: Mon, 29 Aug 2016 14:38:51 -0600 +Subject: efi/libstub: Allocate headspace in efi_get_memory_map() + +From: Jeffrey Hugo + +commit dadb57abc37499f565b23933dbf49b435c3ba8af upstream. + +efi_get_memory_map() allocates a buffer to store the memory map that it +retrieves. This buffer may need to be reused by the client after +ExitBootServices() is called, at which point allocations are not longer +permitted. To support this usecase, provide the allocated buffer size back +to the client, and allocate some additional headroom to account for any +reasonable growth in the map that is likely to happen between the call to +efi_get_memory_map() and the client reusing the buffer. + +Signed-off-by: Jeffrey Hugo +Cc: Ard Biesheuvel +Cc: Mark Rutland +Cc: Leif Lindholm +Cc: Ingo Molnar +Signed-off-by: Matt Fleming +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/boot/compressed/eboot.c | 18 +++- + drivers/firmware/efi/libstub/efi-stub-helper.c | 96 +++++++++++++++++-------- + drivers/firmware/efi/libstub/fdt.c | 17 +++- + drivers/firmware/efi/libstub/random.c | 12 ++- + include/linux/efi.h | 15 ++- + 5 files changed, 110 insertions(+), 48 deletions(-) + +--- a/arch/x86/boot/compressed/eboot.c ++++ b/arch/x86/boot/compressed/eboot.c +@@ -1010,7 +1010,7 @@ static efi_status_t exit_boot(struct boo + void *handle, bool is64) + { + struct efi_info *efi = &boot_params->efi_info; +- unsigned long map_sz, key, desc_size; ++ unsigned long map_sz, key, desc_size, buff_size; + efi_memory_desc_t *mem_map; + struct setup_data *e820ext; + const char *signature; +@@ -1021,14 +1021,20 @@ static efi_status_t exit_boot(struct boo + bool called_exit = false; + u8 nr_entries; + int i; ++ struct efi_boot_memmap map; + +- nr_desc = 0; +- e820ext = NULL; +- e820ext_size = 0; ++ nr_desc = 0; ++ e820ext = NULL; ++ e820ext_size = 0; ++ map.map = &mem_map; ++ map.map_size = &map_sz; ++ 
map.desc_size = &desc_size; ++ map.desc_ver = &desc_version; ++ map.key_ptr = &key; ++ map.buff_size = &buff_size; + + get_map: +- status = efi_get_memory_map(sys_table, &mem_map, &map_sz, &desc_size, +- &desc_version, &key); ++ status = efi_get_memory_map(sys_table, &map); + + if (status != EFI_SUCCESS) + return status; +--- a/drivers/firmware/efi/libstub/efi-stub-helper.c ++++ b/drivers/firmware/efi/libstub/efi-stub-helper.c +@@ -41,6 +41,8 @@ static unsigned long __chunk_size = EFI_ + #define EFI_ALLOC_ALIGN EFI_PAGE_SIZE + #endif + ++#define EFI_MMAP_NR_SLACK_SLOTS 8 ++ + struct file_info { + efi_file_handle_t *handle; + u64 size; +@@ -63,49 +65,62 @@ void efi_printk(efi_system_table_t *sys_ + } + } + ++static inline bool mmap_has_headroom(unsigned long buff_size, ++ unsigned long map_size, ++ unsigned long desc_size) ++{ ++ unsigned long slack = buff_size - map_size; ++ ++ return slack / desc_size >= EFI_MMAP_NR_SLACK_SLOTS; ++} ++ + efi_status_t efi_get_memory_map(efi_system_table_t *sys_table_arg, +- efi_memory_desc_t **map, +- unsigned long *map_size, +- unsigned long *desc_size, +- u32 *desc_ver, +- unsigned long *key_ptr) ++ struct efi_boot_memmap *map) + { + efi_memory_desc_t *m = NULL; + efi_status_t status; + unsigned long key; + u32 desc_version; + +- *map_size = sizeof(*m) * 32; ++ *map->desc_size = sizeof(*m); ++ *map->map_size = *map->desc_size * 32; ++ *map->buff_size = *map->map_size; + again: +- /* +- * Add an additional efi_memory_desc_t because we're doing an +- * allocation which may be in a new descriptor region. 
+- */ +- *map_size += sizeof(*m); + status = efi_call_early(allocate_pool, EFI_LOADER_DATA, +- *map_size, (void **)&m); ++ *map->map_size, (void **)&m); + if (status != EFI_SUCCESS) + goto fail; + +- *desc_size = 0; ++ *map->desc_size = 0; + key = 0; +- status = efi_call_early(get_memory_map, map_size, m, +- &key, desc_size, &desc_version); +- if (status == EFI_BUFFER_TOO_SMALL) { ++ status = efi_call_early(get_memory_map, map->map_size, m, ++ &key, map->desc_size, &desc_version); ++ if (status == EFI_BUFFER_TOO_SMALL || ++ !mmap_has_headroom(*map->buff_size, *map->map_size, ++ *map->desc_size)) { + efi_call_early(free_pool, m); ++ /* ++ * Make sure there is some entries of headroom so that the ++ * buffer can be reused for a new map after allocations are ++ * no longer permitted. Its unlikely that the map will grow to ++ * exceed this headroom once we are ready to trigger ++ * ExitBootServices() ++ */ ++ *map->map_size += *map->desc_size * EFI_MMAP_NR_SLACK_SLOTS; ++ *map->buff_size = *map->map_size; + goto again; + } + + if (status != EFI_SUCCESS) + efi_call_early(free_pool, m); + +- if (key_ptr && status == EFI_SUCCESS) +- *key_ptr = key; +- if (desc_ver && status == EFI_SUCCESS) +- *desc_ver = desc_version; ++ if (map->key_ptr && status == EFI_SUCCESS) ++ *map->key_ptr = key; ++ if (map->desc_ver && status == EFI_SUCCESS) ++ *map->desc_ver = desc_version; + + fail: +- *map = m; ++ *map->map = m; + return status; + } + +@@ -113,13 +128,20 @@ fail: + unsigned long get_dram_base(efi_system_table_t *sys_table_arg) + { + efi_status_t status; +- unsigned long map_size; ++ unsigned long map_size, buff_size; + unsigned long membase = EFI_ERROR; + struct efi_memory_map map; + efi_memory_desc_t *md; ++ struct efi_boot_memmap boot_map; + +- status = efi_get_memory_map(sys_table_arg, (efi_memory_desc_t **)&map.map, +- &map_size, &map.desc_size, NULL, NULL); ++ boot_map.map = (efi_memory_desc_t **)&map.map; ++ boot_map.map_size = &map_size; ++ boot_map.desc_size = 
&map.desc_size; ++ boot_map.desc_ver = NULL; ++ boot_map.key_ptr = NULL; ++ boot_map.buff_size = &buff_size; ++ ++ status = efi_get_memory_map(sys_table_arg, &boot_map); + if (status != EFI_SUCCESS) + return membase; + +@@ -144,15 +166,22 @@ efi_status_t efi_high_alloc(efi_system_t + unsigned long size, unsigned long align, + unsigned long *addr, unsigned long max) + { +- unsigned long map_size, desc_size; ++ unsigned long map_size, desc_size, buff_size; + efi_memory_desc_t *map; + efi_status_t status; + unsigned long nr_pages; + u64 max_addr = 0; + int i; ++ struct efi_boot_memmap boot_map; ++ ++ boot_map.map = ↦ ++ boot_map.map_size = &map_size; ++ boot_map.desc_size = &desc_size; ++ boot_map.desc_ver = NULL; ++ boot_map.key_ptr = NULL; ++ boot_map.buff_size = &buff_size; + +- status = efi_get_memory_map(sys_table_arg, &map, &map_size, &desc_size, +- NULL, NULL); ++ status = efi_get_memory_map(sys_table_arg, &boot_map); + if (status != EFI_SUCCESS) + goto fail; + +@@ -230,14 +259,21 @@ efi_status_t efi_low_alloc(efi_system_ta + unsigned long size, unsigned long align, + unsigned long *addr) + { +- unsigned long map_size, desc_size; ++ unsigned long map_size, desc_size, buff_size; + efi_memory_desc_t *map; + efi_status_t status; + unsigned long nr_pages; + int i; ++ struct efi_boot_memmap boot_map; ++ ++ boot_map.map = ↦ ++ boot_map.map_size = &map_size; ++ boot_map.desc_size = &desc_size; ++ boot_map.desc_ver = NULL; ++ boot_map.key_ptr = NULL; ++ boot_map.buff_size = &buff_size; + +- status = efi_get_memory_map(sys_table_arg, &map, &map_size, &desc_size, +- NULL, NULL); ++ status = efi_get_memory_map(sys_table_arg, &boot_map); + if (status != EFI_SUCCESS) + goto fail; + +--- a/drivers/firmware/efi/libstub/fdt.c ++++ b/drivers/firmware/efi/libstub/fdt.c +@@ -175,13 +175,21 @@ efi_status_t allocate_new_fdt_and_exit_b + unsigned long fdt_addr, + unsigned long fdt_size) + { +- unsigned long map_size, desc_size; ++ unsigned long map_size, desc_size, buff_size; + u32 
desc_ver; + unsigned long mmap_key; + efi_memory_desc_t *memory_map, *runtime_map; + unsigned long new_fdt_size; + efi_status_t status; + int runtime_entry_count = 0; ++ struct efi_boot_memmap map; ++ ++ map.map = &runtime_map; ++ map.map_size = &map_size; ++ map.desc_size = &desc_size; ++ map.desc_ver = &desc_ver; ++ map.key_ptr = &mmap_key; ++ map.buff_size = &buff_size; + + /* + * Get a copy of the current memory map that we will use to prepare +@@ -189,8 +197,7 @@ efi_status_t allocate_new_fdt_and_exit_b + * subsequent allocations adding entries, since they could not affect + * the number of EFI_MEMORY_RUNTIME regions. + */ +- status = efi_get_memory_map(sys_table, &runtime_map, &map_size, +- &desc_size, &desc_ver, &mmap_key); ++ status = efi_get_memory_map(sys_table, &map); + if (status != EFI_SUCCESS) { + pr_efi_err(sys_table, "Unable to retrieve UEFI memory map.\n"); + return status; +@@ -199,6 +206,7 @@ efi_status_t allocate_new_fdt_and_exit_b + pr_efi(sys_table, + "Exiting boot services and installing virtual address map...\n"); + ++ map.map = &memory_map; + /* + * Estimate size of new FDT, and allocate memory for it. We + * will allocate a bigger buffer if this ends up being too +@@ -218,8 +226,7 @@ efi_status_t allocate_new_fdt_and_exit_b + * we can get the memory map key needed for + * exit_boot_services(). 
+ */ +- status = efi_get_memory_map(sys_table, &memory_map, &map_size, +- &desc_size, &desc_ver, &mmap_key); ++ status = efi_get_memory_map(sys_table, &map); + if (status != EFI_SUCCESS) + goto fail_free_new_fdt; + +--- a/drivers/firmware/efi/libstub/random.c ++++ b/drivers/firmware/efi/libstub/random.c +@@ -73,12 +73,20 @@ efi_status_t efi_random_alloc(efi_system + unsigned long random_seed) + { + unsigned long map_size, desc_size, total_slots = 0, target_slot; ++ unsigned long buff_size; + efi_status_t status; + efi_memory_desc_t *memory_map; + int map_offset; ++ struct efi_boot_memmap map; + +- status = efi_get_memory_map(sys_table_arg, &memory_map, &map_size, +- &desc_size, NULL, NULL); ++ map.map = &memory_map; ++ map.map_size = &map_size; ++ map.desc_size = &desc_size; ++ map.desc_ver = NULL; ++ map.key_ptr = NULL; ++ map.buff_size = &buff_size; ++ ++ status = efi_get_memory_map(sys_table_arg, &map); + if (status != EFI_SUCCESS) + return status; + +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -118,6 +118,15 @@ typedef struct { + u32 imagesize; + } efi_capsule_header_t; + ++struct efi_boot_memmap { ++ efi_memory_desc_t **map; ++ unsigned long *map_size; ++ unsigned long *desc_size; ++ u32 *desc_ver; ++ unsigned long *key_ptr; ++ unsigned long *buff_size; ++}; ++ + /* + * EFI capsule flags + */ +@@ -1430,11 +1439,7 @@ char *efi_convert_cmdline(efi_system_tab + efi_loaded_image_t *image, int *cmd_line_len); + + efi_status_t efi_get_memory_map(efi_system_table_t *sys_table_arg, +- efi_memory_desc_t **map, +- unsigned long *map_size, +- unsigned long *desc_size, +- u32 *desc_ver, +- unsigned long *key_ptr); ++ struct efi_boot_memmap *map); + + efi_status_t efi_low_alloc(efi_system_table_t *sys_table_arg, + unsigned long size, unsigned long align, diff --git a/queue-4.7/efi-libstub-introduce-exitbootservices-helper.patch b/queue-4.7/efi-libstub-introduce-exitbootservices-helper.patch new file mode 100644 index 00000000000..b80b4c7f108 --- /dev/null 
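Review bot: In efi_get_memory_map() the new retry condition calls mmap_has_headroom() whenever the status is not EFI_BUFFER_TOO_SMALL, which includes every other failure of get_memory_map, and `*map->desc_size` was set to 0 immediately before that call. If the firmware returns an error without writing the descriptor size, `slack / desc_size` in the helper divides by zero inside the boot stub. Evaluating the headroom only after a successful call avoids this: `(status == EFI_SUCCESS && !mmap_has_headroom(*map->buff_size, *map->map_size, *map->desc_size))`. The unsigned subtraction `buff_size - map_size` in the helper depends on the same precondition, so a short comment on mmap_has_headroom() stating that it is valid only after a successful get_memory_map would help.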
+++ b/queue-4.7/efi-libstub-introduce-exitbootservices-helper.patch 
@@ -0,0 +1,136 @@ +From fc07716ba803483be91bc4b2344f9c84985e6f07 Mon Sep 17 00:00:00 2001 +From: Jeffrey Hugo +Date: Mon, 29 Aug 2016 14:38:52 -0600 +Subject: efi/libstub: Introduce ExitBootServices helper + +From: Jeffrey Hugo + +commit fc07716ba803483be91bc4b2344f9c84985e6f07 upstream. + +The spec allows ExitBootServices to fail with EFI_INVALID_PARAMETER if a +race condition has occurred where the EFI has updated the memory map after +the stub grabbed a reference to the map. The spec defines a retry +proceedure with specific requirements to handle this scenario. + +This scenario was previously observed on x86 - commit d3768d885c6c ("x86, +efi: retry ExitBootServices() on failure") but the current fix is not spec +compliant and the scenario is now observed on the Qualcomm Technologies +QDF2432 via the FDT stub which does not handle the error and thus causes +boot failures. The user will notice the boot failure as the kernel is not +executed and the system may drop back to a UEFI shell, but will be +unresponsive to input and the system will require a power cycle to recover. + +Add a helper to the stub library that correctly adheres to the spec in the +case of EFI_INVALID_PARAMETER from ExitBootServices and can be universally +used across all stub implementations. + +Signed-off-by: Jeffrey Hugo +Cc: Ard Biesheuvel +Cc: Mark Rutland +Cc: Leif Lindholm +Cc: Ingo Molnar +Signed-off-by: Matt Fleming +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firmware/efi/libstub/efi-stub-helper.c | 73 +++++++++++++++++++++++++ + include/linux/efi.h | 11 +++ + 2 files changed, 84 insertions(+) + +--- a/drivers/firmware/efi/libstub/efi-stub-helper.c ++++ b/drivers/firmware/efi/libstub/efi-stub-helper.c +@@ -740,3 +740,76 @@ char *efi_convert_cmdline(efi_system_tab + *cmd_line_len = options_bytes; + return (char *)cmdline_addr; + } ++ ++/* ++ * Handle calling ExitBootServices according to the requirements set out by the ++ * spec. 
Obtains the current memory map, and returns that info after calling ++ * ExitBootServices. The client must specify a function to perform any ++ * processing of the memory map data prior to ExitBootServices. A client ++ * specific structure may be passed to the function via priv. The client ++ * function may be called multiple times. ++ */ ++efi_status_t efi_exit_boot_services(efi_system_table_t *sys_table_arg, ++ void *handle, ++ struct efi_boot_memmap *map, ++ void *priv, ++ efi_exit_boot_map_processing priv_func) ++{ ++ efi_status_t status; ++ ++ status = efi_get_memory_map(sys_table_arg, map); ++ ++ if (status != EFI_SUCCESS) ++ goto fail; ++ ++ status = priv_func(sys_table_arg, map, priv); ++ if (status != EFI_SUCCESS) ++ goto free_map; ++ ++ status = efi_call_early(exit_boot_services, handle, *map->key_ptr); ++ ++ if (status == EFI_INVALID_PARAMETER) { ++ /* ++ * The memory map changed between efi_get_memory_map() and ++ * exit_boot_services(). Per the UEFI Spec v2.6, Section 6.4: ++ * EFI_BOOT_SERVICES.ExitBootServices we need to get the ++ * updated map, and try again. The spec implies one retry ++ * should be sufficent, which is confirmed against the EDK2 ++ * implementation. Per the spec, we can only invoke ++ * get_memory_map() and exit_boot_services() - we cannot alloc ++ * so efi_get_memory_map() cannot be used, and we must reuse ++ * the buffer. For all practical purposes, the headroom in the ++ * buffer should account for any changes in the map so the call ++ * to get_memory_map() is expected to succeed here. 
++ */ ++ *map->map_size = *map->buff_size; ++ status = efi_call_early(get_memory_map, ++ map->map_size, ++ *map->map, ++ map->key_ptr, ++ map->desc_size, ++ map->desc_ver); ++ ++ /* exit_boot_services() was called, thus cannot free */ ++ if (status != EFI_SUCCESS) ++ goto fail; ++ ++ status = priv_func(sys_table_arg, map, priv); ++ /* exit_boot_services() was called, thus cannot free */ ++ if (status != EFI_SUCCESS) ++ goto fail; ++ ++ status = efi_call_early(exit_boot_services, handle, *map->key_ptr); ++ } ++ ++ /* exit_boot_services() was called, thus cannot free */ ++ if (status != EFI_SUCCESS) ++ goto fail; ++ ++ return EFI_SUCCESS; ++ ++free_map: ++ efi_call_early(free_pool, *map->map); ++fail: ++ return status; ++} +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -1470,4 +1470,15 @@ efi_status_t efi_setup_gop(efi_system_ta + unsigned long size); + + bool efi_runtime_disabled(void); ++ ++typedef efi_status_t (*efi_exit_boot_map_processing)( ++ efi_system_table_t *sys_table_arg, ++ struct efi_boot_memmap *map, ++ void *priv); ++ ++efi_status_t efi_exit_boot_services(efi_system_table_t *sys_table, ++ void *handle, ++ struct efi_boot_memmap *map, ++ void *priv, ++ efi_exit_boot_map_processing priv_func); + #endif /* _LINUX_EFI_H */ diff --git a/queue-4.7/efi-libstub-use-efi_exit_boot_services-in-fdt.patch b/queue-4.7/efi-libstub-use-efi_exit_boot_services-in-fdt.patch new file mode 100644 index 00000000000..790a97861a1 --- /dev/null +++ b/queue-4.7/efi-libstub-use-efi_exit_boot_services-in-fdt.patch 
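Review bot: efi_exit_boot_services() dereferences `*map->key_ptr` unconditionally and passes `map->key_ptr` and `map->desc_ver` straight to get_memory_map on the retry, while efi_get_memory_map() in the patch queued alongside treats both fields as optional (`if (map->key_ptr && ...)`) and several of its callers fill them with NULL. A caller that reuses such a struct with this helper would take a NULL dereference in the boot stub. The header comment should state that both pointers must be non-NULL here, and an early `if (!map->key_ptr || !map->desc_ver) return EFI_INVALID_PARAMETER;` would turn the misuse into an error return.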
@@ -0,0 +1,89 @@ +From ed9cc156c42ff0c0bf9b1d09df48a12bf0873473 Mon Sep 17 00:00:00 2001 +From: Jeffrey Hugo +Date: Mon, 29 Aug 2016 14:38:53 -0600 +Subject: efi/libstub: Use efi_exit_boot_services() in FDT + +From: Jeffrey Hugo + +commit ed9cc156c42ff0c0bf9b1d09df48a12bf0873473 upstream. + +The FDT code directly calls ExitBootServices. This is inadvisable as the +UEFI spec details a complex set of errors, race conditions, and API +interactions that the caller of ExitBootServices must get correct. The +FDT code does not handle EFI_INVALID_PARAMETER as required by the spec, +which causes intermittent boot failures on the Qualcomm Technologies +QDF2432. Call the efi_exit_boot_services() helper intead, which handles +the EFI_INVALID_PARAMETER scenario properly. + +Signed-off-by: Jeffrey Hugo +Cc: Ard Biesheuvel +Cc: Mark Rutland +Cc: Leif Lindholm +Cc: Ingo Molnar +Signed-off-by: Matt Fleming +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firmware/efi/libstub/fdt.c | 37 +++++++++++++++++++++++++++---------- + 1 file changed, 27 insertions(+), 10 deletions(-) + +--- a/drivers/firmware/efi/libstub/fdt.c ++++ b/drivers/firmware/efi/libstub/fdt.c +@@ -152,6 +152,27 @@ fdt_set_fail: + #define EFI_FDT_ALIGN EFI_PAGE_SIZE + #endif + ++struct exit_boot_struct { ++ efi_memory_desc_t *runtime_map; ++ int *runtime_entry_count; ++}; ++ ++static efi_status_t exit_boot_func(efi_system_table_t *sys_table_arg, ++ struct efi_boot_memmap *map, ++ void *priv) ++{ ++ struct exit_boot_struct *p = priv; ++ /* ++ * Update the memory map with virtual addresses. The function will also ++ * populate @runtime_map with copies of just the EFI_MEMORY_RUNTIME ++ * entries so that we can pass it straight to SetVirtualAddressMap() ++ */ ++ efi_get_virtmap(*map->map, *map->map_size, *map->desc_size, ++ p->runtime_map, p->runtime_entry_count); ++ ++ return EFI_SUCCESS; ++} ++ + /* + * Allocate memory for a new FDT, then add EFI, commandline, and + * initrd related fields to the FDT. 
This routine increases the +@@ -183,6 +204,7 @@ efi_status_t allocate_new_fdt_and_exit_b + efi_status_t status; + int runtime_entry_count = 0; + struct efi_boot_memmap map; ++ struct exit_boot_struct priv; + + map.map = &runtime_map; + map.map_size = &map_size; +@@ -257,16 +279,11 @@ efi_status_t allocate_new_fdt_and_exit_b + } + } + +- /* +- * Update the memory map with virtual addresses. The function will also +- * populate @runtime_map with copies of just the EFI_MEMORY_RUNTIME +- * entries so that we can pass it straight into SetVirtualAddressMap() +- */ +- efi_get_virtmap(memory_map, map_size, desc_size, runtime_map, +- &runtime_entry_count); +- +- /* Now we are ready to exit_boot_services.*/ +- status = sys_table->boottime->exit_boot_services(handle, mmap_key); ++ sys_table->boottime->free_pool(memory_map); ++ priv.runtime_map = runtime_map; ++ priv.runtime_entry_count = &runtime_entry_count; ++ status = efi_exit_boot_services(sys_table, handle, &map, &priv, ++ exit_boot_func); + + if (status == EFI_SUCCESS) { + efi_set_virtual_address_map_t *svam; diff --git a/queue-4.7/efi-make-for_each_efi_memory_desc_in_map-cope-with-running-on-xen.patch b/queue-4.7/efi-make-for_each_efi_memory_desc_in_map-cope-with-running-on-xen.patch new file mode 100644 index 00000000000..f5615a65dec --- /dev/null +++ b/queue-4.7/efi-make-for_each_efi_memory_desc_in_map-cope-with-running-on-xen.patch 
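Review bot: exit_boot_func() can run twice, because the helper's own comment says the client function may be called multiple times, but `runtime_entry_count` is zeroed only at its declaration in allocate_new_fdt_and_exit_boot(). If efi_get_virtmap() increments the count rather than assigning it (its body is not in this hunk), the second pass would report more entries than runtime_map holds when the value is later used for SetVirtualAddressMap(). Resetting it inside the callback makes the callback safe to repeat: `*p->runtime_entry_count = 0;` before the efi_get_virtmap() call. The code after the efi_exit_boot_services() call is outside the hunk, so how a failure path treats the already freed `memory_map` should be checked as well.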
@@ -0,0 +1,39 @@
+From d4c4fed08f31f3746000c46cb1b20bed2959547a Mon Sep 17 00:00:00 2001
+From: Jan Beulich
+Date: Mon, 15 Aug 2016 09:05:45 -0600
+Subject: efi: Make for_each_efi_memory_desc_in_map() cope with running on Xen
+
+From: Jan Beulich
+
+commit d4c4fed08f31f3746000c46cb1b20bed2959547a upstream.
+
+While commit 55f1ea15216 ("efi: Fix for_each_efi_memory_desc_in_map()
+for empty memmaps") made an attempt to deal with empty memory maps, it
+didn't address the case where the map field never gets set, as is
+apparently the case when running under Xen.
+
+Reported-by:
+Tested-by:
+Cc: Vitaly Kuznetsov
+Cc: Jiri Slaby
+Cc: Mark Rutland
+Signed-off-by: Jan Beulich
+[ Guard the loop with a NULL check instead of pointer underflow ]
+Signed-off-by: Matt Fleming
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/efi.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -1005,7 +1005,7 @@ extern int efi_memattr_apply_permissions
+ /* Iterate through an efi_memory_map */
+ #define for_each_efi_memory_desc_in_map(m, md) \
+ for ((md) = (m)->map; \
+- ((void *)(md) + (m)->desc_size) <= (m)->map_end; \
++ (md) && ((void *)(md) + (m)->desc_size) <= (m)->map_end; \
+ (md) = (void *)(md) + (m)->desc_size)
+
+ /**
diff --git a/queue-4.7/fuse-direct-io-don-t-dirty-iter_bvec-pages.patch b/queue-4.7/fuse-direct-io-don-t-dirty-iter_bvec-pages.patch
new file mode 100644
index 00000000000..5dd4f8e6919
--- /dev/null
+++ b/queue-4.7/fuse-direct-io-don-t-dirty-iter_bvec-pages.patch
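Review bot: The comment above for_each_efi_memory_desc_in_map() still reads only `/* Iterate through an efi_memory_map */`, so the new `(md) &&` guard looks redundant to a reader who does not know the map pointer can be unset. Extending it to `/* Iterate through an efi_memory_map; (m)->map may be NULL (e.g. under Xen), in which case the body never runs */` records why the check exists. The macro also evaluates `m` and `md` several times, so arguments with side effects remain unsafe, which is worth a word in the same comment.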
@@ -0,0 +1,66 @@ +From 8fba54aebbdf1f999738121922e74bf796ad60ee Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 24 Aug 2016 18:17:04 +0200 +Subject: fuse: direct-io: don't dirty ITER_BVEC pages + +From: Miklos Szeredi + +commit 8fba54aebbdf1f999738121922e74bf796ad60ee upstream. + +When reading from a loop device backed by a fuse file it deadlocks on +lock_page(). + +This is because the page is already locked by the read() operation done on +the loop device. In this case we don't want to either lock the page or +dirty it. + +So do what fs/direct-io.c does: only dirty the page for ITER_IOVEC vectors. + +Reported-by: Sheng Yang +Fixes: aa4d86163e4e ("block: loop: switch to VFS ITER_BVEC") +Signed-off-by: Miklos Szeredi +Reviewed-by: Sheng Yang +Reviewed-by: Ashish Samant +Tested-by: Sheng Yang +Tested-by: Ashish Samant +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/file.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -540,13 +540,13 @@ void fuse_read_fill(struct fuse_req *req + req->out.args[0].size = count; + } + +-static void fuse_release_user_pages(struct fuse_req *req, int write) ++static void fuse_release_user_pages(struct fuse_req *req, bool should_dirty) + { + unsigned i; + + for (i = 0; i < req->num_pages; i++) { + struct page *page = req->pages[i]; +- if (write) ++ if (should_dirty) + set_page_dirty_lock(page); + put_page(page); + } +@@ -1331,6 +1331,7 @@ ssize_t fuse_direct_io(struct fuse_io_pr + loff_t *ppos, int flags) + { + int write = flags & FUSE_DIO_WRITE; ++ bool should_dirty = !write && iter_is_iovec(iter); + int cuse = flags & FUSE_DIO_CUSE; + struct file *file = io->file; + struct inode *inode = file->f_mapping->host; +@@ -1374,7 +1375,7 @@ ssize_t fuse_direct_io(struct fuse_io_pr + nres = fuse_send_read(req, io, pos, nbytes, owner); + + if (!io->async) +- fuse_release_user_pages(req, !write); ++ fuse_release_user_pages(req, should_dirty); + if (req->out.h.error) { + 
err = req->out.h.error; + break; diff --git a/queue-4.7/ib-hfi1-ib-qib-fix-qp_stats-sleep-with-rcu-read-lock-held.patch b/queue-4.7/ib-hfi1-ib-qib-fix-qp_stats-sleep-with-rcu-read-lock-held.patch new file mode 100644 index 00000000000..e1127efb603 --- /dev/null +++ b/queue-4.7/ib-hfi1-ib-qib-fix-qp_stats-sleep-with-rcu-read-lock-held.patch 
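Review bot: `should_dirty` is computed in fuse_direct_io() and reaches fuse_release_user_pages() only through the `if (!io->async)` call changed here. The three hunks in fs/fuse/file.c touch no other caller, so if the asynchronous completion path also releases pages through fuse_release_user_pages() (not visible in these hunks), it would still decide from the write flag alone and could dirty ITER_BVEC pages. That path should be confirmed, for instance by carrying the flag in the io structure so the completion handler sees the same decision. A comment at the declaration would also help: `/* only dirty pages pinned from a user iovec; ITER_BVEC pages belong to the caller and may already be locked */`.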
@@ -0,0 +1,162 @@ +From c62fb260a86dde3df5b2905432caa0e9f6898434 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Fri, 12 Aug 2016 11:17:37 -0400 +Subject: IB/hfi1,IB/qib: Fix qp_stats sleep with rcu read lock held + +From: Mike Marciniszyn + +commit c62fb260a86dde3df5b2905432caa0e9f6898434 upstream. + +The qp init function does a kzalloc() while holding the RCU +lock that encounters the following warning with a debug kernel +when a cat of the qp_stats is done: + +[ 231.723948] rcu_scheduler_active = 1, debug_locks = 0 +[ 231.731939] 3 locks held by cat/11355: +[ 231.736492] #0: (debugfs_srcu){......}, at: [] debugfs_use_file_start+0x5/0x90 +[ 231.746955] #1: (&p->lock){+.+.+.}, at: [] seq_read+0x4c/0x3c0 +[ 231.755873] #2: (rcu_read_lock){......}, at: [] _qp_stats_seq_start+0x5/0xd0 [hfi1] +[ 231.766862] + +The init functions do an implicit next which requires the rcu read lock +before the kzalloc(). + +Fix for both drivers is to change the scope of the init function to only +do the allocation and the initialization of the just allocated iter. + +The implict next is moved back into the respective start functions to fix +the issue. 
+ +Signed-off-by: Ira Weiny +Signed-off-by: Mike Marciniszyn +Reviewed-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/debugfs.c | 14 +++++++++----- + drivers/infiniband/hw/hfi1/qp.c | 4 ---- + drivers/infiniband/hw/qib/qib_debugfs.c | 12 +++++++++--- + drivers/infiniband/hw/qib/qib_qp.c | 4 ---- + 4 files changed, 18 insertions(+), 16 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/debugfs.c ++++ b/drivers/infiniband/hw/hfi1/debugfs.c +@@ -223,28 +223,32 @@ DEBUGFS_SEQ_FILE_OPEN(ctx_stats) + DEBUGFS_FILE_OPS(ctx_stats); + + static void *_qp_stats_seq_start(struct seq_file *s, loff_t *pos) +-__acquires(RCU) ++ __acquires(RCU) + { + struct qp_iter *iter; + loff_t n = *pos; + +- rcu_read_lock(); + iter = qp_iter_init(s->private); ++ ++ /* stop calls rcu_read_unlock */ ++ rcu_read_lock(); ++ + if (!iter) + return NULL; + +- while (n--) { ++ do { + if (qp_iter_next(iter)) { + kfree(iter); + return NULL; + } +- } ++ } while (n--); + + return iter; + } + + static void *_qp_stats_seq_next(struct seq_file *s, void *iter_ptr, + loff_t *pos) ++ __must_hold(RCU) + { + struct qp_iter *iter = iter_ptr; + +@@ -259,7 +263,7 @@ static void *_qp_stats_seq_next(struct s + } + + static void _qp_stats_seq_stop(struct seq_file *s, void *iter_ptr) +-__releases(RCU) ++ __releases(RCU) + { + rcu_read_unlock(); + } +--- a/drivers/infiniband/hw/hfi1/qp.c ++++ b/drivers/infiniband/hw/hfi1/qp.c +@@ -595,10 +595,6 @@ struct qp_iter *qp_iter_init(struct hfi1 + + iter->dev = dev; + iter->specials = dev->rdi.ibdev.phys_port_cnt * 2; +- if (qp_iter_next(iter)) { +- kfree(iter); +- return NULL; +- } + + return iter; + } +--- a/drivers/infiniband/hw/qib/qib_debugfs.c ++++ b/drivers/infiniband/hw/qib/qib_debugfs.c +@@ -189,27 +189,32 @@ static int _ctx_stats_seq_show(struct se + DEBUGFS_FILE(ctx_stats) + + static void *_qp_stats_seq_start(struct seq_file *s, loff_t *pos) ++ __acquires(RCU) + { + struct qib_qp_iter *iter; + 
loff_t n = *pos; + +- rcu_read_lock(); + iter = qib_qp_iter_init(s->private); ++ ++ /* stop calls rcu_read_unlock */ ++ rcu_read_lock(); ++ + if (!iter) + return NULL; + +- while (n--) { ++ do { + if (qib_qp_iter_next(iter)) { + kfree(iter); + return NULL; + } +- } ++ } while (n--); + + return iter; + } + + static void *_qp_stats_seq_next(struct seq_file *s, void *iter_ptr, + loff_t *pos) ++ __must_hold(RCU) + { + struct qib_qp_iter *iter = iter_ptr; + +@@ -224,6 +229,7 @@ static void *_qp_stats_seq_next(struct s + } + + static void _qp_stats_seq_stop(struct seq_file *s, void *iter_ptr) ++ __releases(RCU) + { + rcu_read_unlock(); + } +--- a/drivers/infiniband/hw/qib/qib_qp.c ++++ b/drivers/infiniband/hw/qib/qib_qp.c +@@ -530,10 +530,6 @@ struct qib_qp_iter *qib_qp_iter_init(str + return NULL; + + iter->dev = dev; +- if (qib_qp_iter_next(iter)) { +- kfree(iter); +- return NULL; +- } + + return iter; + } diff --git a/queue-4.7/ib-hfi1-reset-qsfp-on-every-run-through-channel-tuning.patch b/queue-4.7/ib-hfi1-reset-qsfp-on-every-run-through-channel-tuning.patch new file mode 100644 index 00000000000..eee9e77b13a --- /dev/null +++ b/queue-4.7/ib-hfi1-reset-qsfp-on-every-run-through-channel-tuning.patch 
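Review bot: In both `_qp_stats_seq_start()` variants rcu_read_lock() is now taken before the `if (!iter) return NULL;` check, so the function returns with the read lock held even when the allocation failed. That is balanced only because the seq_file core calls the stop handler after a start that returned NULL; the added `/* stop calls rcu_read_unlock */` hints at this without saying it. Suggest `/* take the lock even when iter is NULL: ->stop() runs after a failed ->start() and unlocks */`. The `do { ... } while (n--)` form now performs the first iterator step that the init function used to do, which deserves a short comment of its own.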
@@ -0,0 +1,42 @@
+From b5e710195492f682d93097cddac13e594d39a946 Mon Sep 17 00:00:00 2001
+From: Easwar Hariharan
+Date: Mon, 25 Jul 2016 13:40:03 -0700
+Subject: IB/hfi1: Reset QSFP on every run through channel tuning
+
+From: Easwar Hariharan
+
+commit b5e710195492f682d93097cddac13e594d39a946 upstream.
+
+Active QSFP cables were reset only every alternate iteration of the
+channel tuning algorithm instead of every iteration due to incorrect
+reset of the flag that controlled QSFP reset, resulting in using stale
+QSFP status in the channel tuning algorithm.
+
+Fixes: 8ebd4cf1852a ("Add active and optical cable support")
+Reviewed-by: Dean Luick
+Signed-off-by: Easwar Hariharan
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/hfi1/platform.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/hfi1/platform.c
++++ b/drivers/infiniband/hw/hfi1/platform.c
+@@ -638,9 +638,13 @@ static int tune_active_qsfp(struct hfi1_
+ if (ret)
+ return ret;
+
++ /*
++ * We'll change the QSFP memory contents from here on out, thus we set a
++ * flag here to remind ourselves to reset the QSFP module. This prevents
++ * reuse of stale settings established in our previous pass through.
++ */
+ if (ppd->qsfp_info.reset_needed) {
+ reset_qsfp(ppd);
+- ppd->qsfp_info.reset_needed = 0;
+ refresh_qsfp_cache(ppd, &ppd->qsfp_info);
+ } else {
+ ppd->qsfp_info.reset_needed = 1;
diff --git a/queue-4.7/ib-uverbs-fix-race-between-uverbs_close-and-remove_one.patch b/queue-4.7/ib-uverbs-fix-race-between-uverbs_close-and-remove_one.patch
new file mode 100644
index 00000000000..2d043725011
--- /dev/null
+++ b/queue-4.7/ib-uverbs-fix-race-between-uverbs_close-and-remove_one.patch
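Review bot: The added comment in tune_active_qsfp() says the flag is set "here", but it sits above the `if (ppd->qsfp_info.reset_needed)` test, while the only assignment in the hunk is `reset_needed = 1` in the else branch. With the `= 0` line removed, nothing in the visible lines clears the flag again, so after the first pass every call resets the module. If that is the intent, the comment should say so and sit at the else branch, e.g. `/* first pass only arms reset_needed; every later pass resets the QSFP to discard settings from the previous pass */`. The function continues outside the hunk, so a clear elsewhere cannot be ruled out.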
@@ -0,0 +1,125 @@ +From d1e09f304a1d9651c5059ebfeb696dc2effc9b32 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Sun, 3 Jul 2016 15:28:18 +0300 +Subject: IB/uverbs: Fix race between uverbs_close and remove_one + +From: Jason Gunthorpe + +commit d1e09f304a1d9651c5059ebfeb696dc2effc9b32 upstream. + +Fixes an oops that might happen if uverbs_close races with +remove_one. + +Both contexts may run ib_uverbs_cleanup_ucontext, it depends +on the flow. + +Currently, there is no protection for a case that remove_one +didn't make the cleanup it runs to its end, the underlying +ib_device was freed then uverbs_close will call +ib_uverbs_cleanup_ucontext and OOPs. + +Above might happen if uverbs_close deleted the file from the list +then remove_one didn't find it and runs to its end. + +Fixes to protect against that case by a new cleanup lock so that +ib_uverbs_cleanup_ucontext will be called always before that +remove_one is ended. + +Fixes: 35d4a0b63dc0 ("IB/uverbs: Fix race between ib_uverbs_open and remove_one") +Reported-by: Devesh Sharma +Signed-off-by: Jason Gunthorpe +Signed-off-by: Yishai Hadas +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/uverbs.h | 1 + drivers/infiniband/core/uverbs_main.c | 37 ++++++++++++++++++++++------------ + 2 files changed, 25 insertions(+), 13 deletions(-) + +--- a/drivers/infiniband/core/uverbs.h ++++ b/drivers/infiniband/core/uverbs.h +@@ -116,6 +116,7 @@ struct ib_uverbs_event_file { + struct ib_uverbs_file { + struct kref ref; + struct mutex mutex; ++ struct mutex cleanup_mutex; /* protect cleanup */ + struct ib_uverbs_device *device; + struct ib_ucontext *ucontext; + struct ib_event_handler event_handler; +--- a/drivers/infiniband/core/uverbs_main.c ++++ b/drivers/infiniband/core/uverbs_main.c +@@ -931,6 +931,7 @@ static int ib_uverbs_open(struct inode * + file->async_file = NULL; + kref_init(&file->ref); + mutex_init(&file->mutex); ++ 
mutex_init(&file->cleanup_mutex); + + filp->private_data = file; + kobject_get(&dev->kobj); +@@ -956,18 +957,20 @@ static int ib_uverbs_close(struct inode + { + struct ib_uverbs_file *file = filp->private_data; + struct ib_uverbs_device *dev = file->device; +- struct ib_ucontext *ucontext = NULL; ++ ++ mutex_lock(&file->cleanup_mutex); ++ if (file->ucontext) { ++ ib_uverbs_cleanup_ucontext(file, file->ucontext); ++ file->ucontext = NULL; ++ } ++ mutex_unlock(&file->cleanup_mutex); + + mutex_lock(&file->device->lists_mutex); +- ucontext = file->ucontext; +- file->ucontext = NULL; + if (!file->is_closed) { + list_del(&file->list); + file->is_closed = 1; + } + mutex_unlock(&file->device->lists_mutex); +- if (ucontext) +- ib_uverbs_cleanup_ucontext(file, ucontext); + + if (file->async_file) + kref_put(&file->async_file->ref, ib_uverbs_release_event_file); +@@ -1181,22 +1184,30 @@ static void ib_uverbs_free_hw_resources( + mutex_lock(&uverbs_dev->lists_mutex); + while (!list_empty(&uverbs_dev->uverbs_file_list)) { + struct ib_ucontext *ucontext; +- + file = list_first_entry(&uverbs_dev->uverbs_file_list, + struct ib_uverbs_file, list); + file->is_closed = 1; +- ucontext = file->ucontext; + list_del(&file->list); +- file->ucontext = NULL; + kref_get(&file->ref); + mutex_unlock(&uverbs_dev->lists_mutex); +- /* We must release the mutex before going ahead and calling +- * disassociate_ucontext. disassociate_ucontext might end up +- * indirectly calling uverbs_close, for example due to freeing +- * the resources (e.g mmput). +- */ ++ + ib_uverbs_event_handler(&file->event_handler, &event); ++ ++ mutex_lock(&file->cleanup_mutex); ++ ucontext = file->ucontext; ++ file->ucontext = NULL; ++ mutex_unlock(&file->cleanup_mutex); ++ ++ /* At this point ib_uverbs_close cannot be running ++ * ib_uverbs_cleanup_ucontext ++ */ + if (ucontext) { ++ /* We must release the mutex before going ahead and ++ * calling disassociate_ucontext. 
disassociate_ucontext ++ * might end up indirectly calling uverbs_close, ++ * for example due to freeing the resources ++ * (e.g mmput). ++ */ + ib_dev->disassociate_ucontext(ucontext); + ib_uverbs_cleanup_ucontext(file, ucontext); + } diff --git a/queue-4.7/iio-accel-bmc150-reset-chip-at-init-time.patch b/queue-4.7/iio-accel-bmc150-reset-chip-at-init-time.patch new file mode 100644 index 00000000000..191a0de1519 --- /dev/null +++ b/queue-4.7/iio-accel-bmc150-reset-chip-at-init-time.patch 
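Review bot: The comment moved into the `if (ucontext)` block of ib_uverbs_free_hw_resources() still says "We must release the mutex", but the function now handles two mutexes (`lists_mutex` and the new `cleanup_mutex`) and both are already released at that point. Naming them removes the ambiguity: `/* neither lists_mutex nor cleanup_mutex may be held here: disassociate_ucontext might end up calling uverbs_close */`. The field comment `/* protect cleanup */` in uverbs.h could likewise say what it serialises, e.g. `/* serialises ucontext teardown between ib_uverbs_close() and device removal */`. ib_uverbs_close() now runs ib_uverbs_cleanup_ucontext() with cleanup_mutex held while the removal path runs it unlocked, and the comments should state that this asymmetry is intended.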
@@ -0,0 +1,53 @@
+From 1c500840934a138bd6b13556c210516e9301fbee Mon Sep 17 00:00:00 2001
+From: Olof Johansson
+Date: Thu, 25 Aug 2016 09:45:33 -0700
+Subject: iio: accel: bmc150: reset chip at init time
+
+From: Olof Johansson
+
+commit 1c500840934a138bd6b13556c210516e9301fbee upstream.
+
+In at least one known setup, the chip comes up in a state where reading
+the chip ID returns garbage unless it's been reset, due to noise on the
+wires during system boot.
+
+All supported chips have the same reset method, and based on the
+datasheets they all need 1.3 or 1.8ms to recover after reset. So, do
+the conservative thing here and always reset the chip.
+
+Signed-off-by: Olof Johansson
+Reviewed-by: Srinivas Pandruvada
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/accel/bmc150-accel-core.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/iio/accel/bmc150-accel-core.c
++++ b/drivers/iio/accel/bmc150-accel-core.c
+@@ -67,6 +67,9 @@
+ #define BMC150_ACCEL_REG_PMU_BW 0x10
+ #define BMC150_ACCEL_DEF_BW 125
+
++#define BMC150_ACCEL_REG_RESET 0x14
++#define BMC150_ACCEL_RESET_VAL 0xB6
++
+ #define BMC150_ACCEL_REG_INT_MAP_0 0x19
+ #define BMC150_ACCEL_INT_MAP_0_BIT_SLOPE BIT(2)
+
+@@ -1497,6 +1500,14 @@ static int bmc150_accel_chip_init(struct
+ int ret, i;
+ unsigned int val;
+
++ /*
++ * Reset chip to get it in a known good state. A delay of 1.8ms after
++ * reset is required according to the data sheets of supported chips.
++ */
++ regmap_write(data->regmap, BMC150_ACCEL_REG_RESET,
++ BMC150_ACCEL_RESET_VAL);
++ usleep_range(1800, 2500);
++
+ ret = regmap_read(data->regmap, BMC150_ACCEL_REG_CHIP_ID, &val);
+ if (ret < 0) {
+ dev_err(dev, "Error: Reading chip id\n");
diff --git a/queue-4.7/iio-accel-kxsd9-fix-raw-read-return.patch b/queue-4.7/iio-accel-kxsd9-fix-raw-read-return.patch
new file mode 100644
index 00000000000..5ba7108546b
--- /dev/null
+++ b/queue-4.7/iio-accel-kxsd9-fix-raw-read-return.patch
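Review bot: The added `regmap_write()` to `BMC150_ACCEL_REG_RESET` in `bmc150_accel_chip_init()` discards its return value, so a failed bus write still waits out the delay and carries on to the chip-ID read as if the reset had taken place. Capture the result with `ret = regmap_write(data->regmap, BMC150_ACCEL_REG_RESET, BMC150_ACCEL_RESET_VAL);` followed by `if (ret < 0) return ret;`, ideally with a `dev_err()` in the same style as the chip-ID read below it. The function body starts and ends outside the hunk.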
@@ -0,0 +1,32 @@
+From 7ac61a062f3147dc23e3f12b9dfe7c4dd35f9cb8 Mon Sep 17 00:00:00 2001
+From: Linus Walleij
+Date: Tue, 16 Aug 2016 15:33:28 +0200
+Subject: iio: accel: kxsd9: Fix raw read return
+
+From: Linus Walleij
+
+commit 7ac61a062f3147dc23e3f12b9dfe7c4dd35f9cb8 upstream.
+
+Any readings from the raw interface of the KXSD9 driver will
+return an empty string, because it does not return
+IIO_VAL_INT but rather some random value from the accelerometer
+to the caller.
+
+Signed-off-by: Linus Walleij
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/accel/kxsd9.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/accel/kxsd9.c
++++ b/drivers/iio/accel/kxsd9.c
+@@ -160,6 +160,7 @@ static int kxsd9_read_raw(struct iio_dev
+ if (ret < 0)
+ goto error_ret;
+ *val = ret;
++ ret = IIO_VAL_INT;
+ break;
+ case IIO_CHAN_INFO_SCALE:
+ ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
diff --git a/queue-4.7/iio-accel-kxsd9-fix-scaling-bug.patch b/queue-4.7/iio-accel-kxsd9-fix-scaling-bug.patch
new file mode 100644
index 00000000000..0ccf17b5db6
--- /dev/null
+++ b/queue-4.7/iio-accel-kxsd9-fix-scaling-bug.patch
@@ -0,0 +1,40 @@
+From 307fe9dd11ae44d4f8881ee449a7cbac36e1f5de Mon Sep 17 00:00:00 2001
+From: Linus Walleij
+Date: Thu, 1 Sep 2016 11:44:35 +0200
+Subject: iio: accel: kxsd9: Fix scaling bug
+
+From: Linus Walleij
+
+commit 307fe9dd11ae44d4f8881ee449a7cbac36e1f5de upstream.
+
+All the scaling of the KXSD9 involves multiplication with a
+fraction number < 1.
+
+However the scaling value returned from IIO_INFO_SCALE was
+unpredictable as only the micros of the value was assigned, and
+not the integer part, resulting in scaling like this:
+
+$cat in_accel_scale
+-1057462640.011978
+
+Fix this by assigning zero to the integer part.
+
+Tested-by: Jonathan Cameron
+Signed-off-by: Linus Walleij
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/accel/kxsd9.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/accel/kxsd9.c
++++ b/drivers/iio/accel/kxsd9.c
+@@ -166,6 +166,7 @@ static int kxsd9_read_raw(struct iio_dev
+ ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
+ if (ret < 0)
+ goto error_ret;
++ *val = 0;
+ *val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK];
+ ret = IIO_VAL_INT_PLUS_MICRO;
+ break;
diff --git a/queue-4.7/iio-ad799x-fix-buffered-capture-for-ad7991-ad7995-ad7999.patch b/queue-4.7/iio-ad799x-fix-buffered-capture-for-ad7991-ad7995-ad7999.patch
new file mode 100644
index 00000000000..132366e8ff7
--- /dev/null
+++ b/queue-4.7/iio-ad799x-fix-buffered-capture-for-ad7991-ad7995-ad7999.patch
@@ -0,0 +1,35 @@
+From 7d3cc21dab5313a02f2f3ca8164529b828a030d1 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen
+Date: Mon, 11 Jul 2016 13:54:17 +0200
+Subject: iio: ad799x: Fix buffered capture for ad7991/ad7995/ad7999
+
+From: Lars-Peter Clausen
+
+commit 7d3cc21dab5313a02f2f3ca8164529b828a030d1 upstream.
+
+The data buffer for captured mode for the ad799x driver is allocated in the
+update_scan_mode() callback. This callback is not set in the iio_info
+struct for the ad7791/ad7995/ad7999, which means that the data buffer is
+not allocated when a captured transfer is started. As a result the driver
+crashes when the first sample is received. To fix this properly set the
+update_scan_mode() callback.
+
+Fixes: d8dca33027c1 ("staging:iio:ad799x: Preallocate sample buffer")
+Signed-off-by: Lars-Peter Clausen
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/ad799x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/adc/ad799x.c
++++ b/drivers/iio/adc/ad799x.c
+@@ -533,6 +533,7 @@ static struct attribute_group ad799x_eve
+ static const struct iio_info ad7991_info = {
+ .read_raw = &ad799x_read_raw,
+ .driver_module = THIS_MODULE,
++ .update_scan_mode = ad799x_update_scan_mode,
+ };
+
+ static const struct iio_info ad7993_4_7_8_noirq_info = {
diff --git a/queue-4.7/iio-adc-at91-unbreak-channel-adc-channel-3.patch b/queue-4.7/iio-adc-at91-unbreak-channel-adc-channel-3.patch
new file mode 100644
index 00000000000..c541db4441e
--- /dev/null
+++ b/queue-4.7/iio-adc-at91-unbreak-channel-adc-channel-3.patch
@@ -0,0 +1,42 @@
+From c2ab447454d498e709d9011c0f2d2945ee321f9b Mon Sep 17 00:00:00 2001
+From: Anders Darander
+Date: Mon, 8 Aug 2016 14:42:16 +0200
+Subject: iio: adc: at91: unbreak channel adc channel 3
+
+From: Anders Darander
+
+commit c2ab447454d498e709d9011c0f2d2945ee321f9b upstream.
+
+The driver always assumes that an input device has been created when
+reading channel 3. This causes a kernel panic when dereferencing
+st->ts_input.
+
+The change was introduced in
+commit 84882b060301 ("iio: adc: at91_adc: Add support for touchscreens
+without TSMR"). Earlier versions only entered that part of the if-else
+statement if only the following flags are set:
+
+AT91_ADC_IER_XRDY | AT91_ADC_IER_YRDY | AT91_ADC_IER_PRDY
+
+Signed-off-by: Anders Darander
+Acked-by: Alexandre Belloni
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/at91_adc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/adc/at91_adc.c
++++ b/drivers/iio/adc/at91_adc.c
+@@ -381,8 +381,8 @@ static irqreturn_t at91_adc_rl_interrupt
+ st->ts_bufferedmeasure = false;
+ input_report_key(st->ts_input, BTN_TOUCH, 0);
+ input_sync(st->ts_input);
+- } else if (status & AT91_ADC_EOC(3)) {
+- /* Conversion finished */
++ } else if (status & AT91_ADC_EOC(3) && st->ts_input) {
++ /* Conversion finished and we've a touchscreen */
+ if (st->ts_bufferedmeasure) {
+ /*
+ * Last measurement is always discarded, since it can
diff --git a/queue-4.7/iio-adc-rockchip_saradc-reset-saradc-controller-before-programming-it.patch b/queue-4.7/iio-adc-rockchip_saradc-reset-saradc-controller-before-programming-it.patch
new file mode 100644
index 00000000000..3b235daafbc
--- /dev/null
+++ b/queue-4.7/iio-adc-rockchip_saradc-reset-saradc-controller-before-programming-it.patch
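Review bot: The new `st->ts_input` test guards only the `AT91_ADC_EOC(3)` branch, while the branch directly above it in the context still passes `st->ts_input` to `input_report_key()` and `input_sync()`. Whether that branch's condition already guarantees a registered touchscreen lies outside the hunk, so it is worth confirming that no other path in `at91_adc_rl_interrupt()` can reach an input call with a NULL `ts_input`. For readability I would also parenthesise the mask test: `} else if ((status & AT91_ADC_EOC(3)) && st->ts_input) {`.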
@@ -0,0 +1,128 @@
+From 543852af8e5902aee8f7c72c89e1513663e0f696 Mon Sep 17 00:00:00 2001
+From: Caesar Wang
+Date: Wed, 27 Jul 2016 22:24:04 +0800
+Subject: iio: adc: rockchip_saradc: reset saradc controller before programming it
+
+From: Caesar Wang
+
+commit 543852af8e5902aee8f7c72c89e1513663e0f696 upstream.
+
+SARADC controller needs to be reset before programming it, otherwise
+it will not function properly.
+
+Signed-off-by: Caesar Wang
+Cc: Jonathan Cameron
+Cc: Heiko Stuebner
+Cc: Rob Herring
+Cc: linux-iio@vger.kernel.org
+Cc: linux-rockchip@lists.infradead.org
+Tested-by: Guenter Roeck
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ Documentation/devicetree/bindings/iio/adc/rockchip-saradc.txt | 7 ++
+ drivers/iio/adc/Kconfig | 1
+ drivers/iio/adc/rockchip_saradc.c | 30 ++++++++++
+ 3 files changed, 38 insertions(+)
+
+--- a/Documentation/devicetree/bindings/iio/adc/rockchip-saradc.txt
++++ b/Documentation/devicetree/bindings/iio/adc/rockchip-saradc.txt
+@@ -16,6 +16,11 @@ Required properties:
+ - vref-supply: The regulator supply ADC reference voltage.
+ - #io-channel-cells: Should be 1, see ../iio-bindings.txt
+
++Optional properties:
++- resets: Must contain an entry for each entry in reset-names if need support
++ this option. See ../reset/reset.txt for details.
++- reset-names: Must include the name "saradc-apb".
++
+ Example:
+ saradc: saradc@2006c000 {
+ compatible = "rockchip,saradc";
+@@ -23,6 +28,8 @@ Example:
+ interrupts = ;
+ clocks = <&cru SCLK_SARADC>, <&cru PCLK_SARADC>;
+ clock-names = "saradc", "apb_pclk";
++ resets = <&cru SRST_SARADC>;
++ reset-names = "saradc-apb";
+ #io-channel-cells = <1>;
+ vref-supply = <&vcc18>;
+ };
+--- a/drivers/iio/adc/Kconfig
++++ b/drivers/iio/adc/Kconfig
+@@ -377,6 +377,7 @@ config QCOM_SPMI_VADC
+ config ROCKCHIP_SARADC
+ tristate "Rockchip SARADC driver"
+ depends on ARCH_ROCKCHIP || (ARM && COMPILE_TEST)
++ depends on RESET_CONTROLLER
+ help
+ Say yes here to build support for the SARADC found in SoCs from
+ Rockchip.
+--- a/drivers/iio/adc/rockchip_saradc.c
++++ b/drivers/iio/adc/rockchip_saradc.c
+@@ -21,6 +21,8 @@
+ #include
+ #include
+ #include
++#include
++#include
+ #include
+ #include
+
+@@ -53,6 +55,7 @@ struct rockchip_saradc {
+ struct clk *clk;
+ struct completion completion;
+ struct regulator *vref;
++ struct reset_control *reset;
+ const struct rockchip_saradc_data *data;
+ u16 last_val;
+ };
+@@ -190,6 +193,16 @@ static const struct of_device_id rockchi
+ };
+ MODULE_DEVICE_TABLE(of, rockchip_saradc_match);
+
++/**
++ * Reset SARADC Controller.
++ */
++static void rockchip_saradc_reset_controller(struct reset_control *reset)
++{
++ reset_control_assert(reset);
++ usleep_range(10, 20);
++ reset_control_deassert(reset);
++}
++
+ static int rockchip_saradc_probe(struct platform_device *pdev)
+ {
+ struct rockchip_saradc *info = NULL;
+@@ -218,6 +231,20 @@ static int rockchip_saradc_probe(struct
+ if (IS_ERR(info->regs))
+ return PTR_ERR(info->regs);
+
++ /*
++ * The reset should be an optional property, as it should work
++ * with old devicetrees as well
++ */
++ info->reset = devm_reset_control_get(&pdev->dev, "saradc-apb");
++ if (IS_ERR(info->reset)) {
++ ret = PTR_ERR(info->reset);
++ if (ret != -ENOENT)
++ return ret;
++
++ dev_dbg(&pdev->dev, "no reset control found\n");
++ info->reset = NULL;
++ }
++
+ init_completion(&info->completion);
+
+ irq = platform_get_irq(pdev, 0);
+@@ -252,6 +279,9 @@ static int rockchip_saradc_probe(struct
+ return PTR_ERR(info->vref);
+ }
+
++ if (info->reset)
++ rockchip_saradc_reset_controller(info->reset);
++
+ /*
+ * Use a default value for the converter clock.
+ * This may become user-configurable in the future.
diff --git a/queue-4.7/iio-adc-ti_am335x_adc-increase-timeout-value-waiting-for-adc-sample.patch b/queue-4.7/iio-adc-ti_am335x_adc-increase-timeout-value-waiting-for-adc-sample.patch
new file mode 100644
index 00000000000..e0d81800f54
--- /dev/null
+++ b/queue-4.7/iio-adc-ti_am335x_adc-increase-timeout-value-waiting-for-adc-sample.patch
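Review bot: `rockchip_saradc_reset_controller()` returns void and ignores the results of `reset_control_assert()` and `reset_control_deassert()`, so a failed deassert would leave the controller held in reset while `rockchip_saradc_probe()` carries on as if the device were usable. Have the helper return the error and let probe fail on it; a plain return matches the `return PTR_ERR(info->vref);` just above the call site, though the rest of probe is outside the hunks shown. Separately, the helper's comment opens with `/**` but is not in kernel-doc form; either start it with `/*` or write it as `rockchip_saradc_reset_controller() - ...` with an `@reset:` line.

```c
static int rockchip_saradc_reset_controller(struct reset_control *reset)
{
	int ret;

	ret = reset_control_assert(reset);
	if (ret)
		return ret;

	usleep_range(10, 20);

	return reset_control_deassert(reset);
}

/* … unchanged: rockchip_saradc_probe() up to the vref regulator lookup … */

	if (info->reset) {
		ret = rockchip_saradc_reset_controller(info->reset);
		if (ret) {
			dev_err(&pdev->dev, "failed to reset controller\n");
			return ret;
		}
	}
```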
@@ -0,0 +1,61 @@
+From 7175cce1c3f1d8c8840d2004f78f96a3904249b5 Mon Sep 17 00:00:00 2001
+From: Vignesh R
+Date: Wed, 17 Aug 2016 17:43:01 +0530
+Subject: iio: adc: ti_am335x_adc: Increase timeout value waiting for ADC sample
+
+From: Vignesh R
+
+commit 7175cce1c3f1d8c8840d2004f78f96a3904249b5 upstream.
+
+Now that open delay and sample delay for each channel is configurable
+via DT, the default IDLE_TIMEOUT value is not enough as this is
+calculated based on hardcoded macros. This results in driver returning
+EBUSY sometimes. Fix this by increasing the timeout
+value based on maximum value possible to open delay and sample delays
+for each channel.
+
+Fixes: 5dc11e810676e ("iio: adc: ti_am335x_adc: make sample delay, open delay, averaging DT parameters")
+Signed-off-by: Vignesh R
+Acked-by: Lee Jones
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/ti_am335x_adc.c | 2 +-
+ include/linux/mfd/ti_am335x_tscadc.h | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/iio/adc/ti_am335x_adc.c
++++ b/drivers/iio/adc/ti_am335x_adc.c
+@@ -382,7 +382,7 @@ static int tiadc_read_raw(struct iio_dev
+
+ am335x_tsc_se_set_once(adc_dev->mfd_tscadc, step_en);
+
+- timeout = jiffies + usecs_to_jiffies
++ timeout = jiffies + msecs_to_jiffies
+ (IDLE_TIMEOUT * adc_dev->channels);
+ /* Wait for Fifo threshold interrupt */
+ while (1) {
+--- a/include/linux/mfd/ti_am335x_tscadc.h
++++ b/include/linux/mfd/ti_am335x_tscadc.h
+@@ -138,16 +138,16 @@
+ /*
+ * time in us for processing a single channel, calculated as follows:
+ *
+- * num cycles = open delay + (sample delay + conv time) * averaging
++ * max num cycles = open delay + (sample delay + conv time) * averaging
+ *
+- * num cycles: 152 + (1 + 13) * 16 = 376
++ * max num cycles: 262143 + (255 + 13) * 16 = 266431
+ *
+ * clock frequency: 26MHz / 8 = 3.25MHz
+ * clock period: 1 / 3.25MHz = 308ns
+ *
+- * processing time: 376 * 308ns = 116us
++ * max processing
time: 266431 * 308ns = 83ms(approx)
+ */
+-#define IDLE_TIMEOUT 116 /* microsec */
++#define IDLE_TIMEOUT 83 /* milliseconds */
+
+ #define TSCADC_CELLS 2
+
diff --git a/queue-4.7/iio-adc-ti_am335x_adc-protect-fifo1-from-concurrent-access.patch b/queue-4.7/iio-adc-ti_am335x_adc-protect-fifo1-from-concurrent-access.patch
new file mode 100644
index 00000000000..6243f986ced
--- /dev/null
+++ b/queue-4.7/iio-adc-ti_am335x_adc-protect-fifo1-from-concurrent-access.patch
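Review bot: The header comment above `IDLE_TIMEOUT` still opens with "time in us for processing a single channel" although the macro is now in milliseconds; that context line should become `* time in ms for processing a single channel, calculated as follows:` so the unit matches the `msecs_to_jiffies()` call. The deadline in `tiadc_read_raw()` also grows from 116 us to 83 ms per channel and feeds a `while (1)` wait whose body is outside the hunk. If that loop polls without sleeping, a single read could spin for up to `83 * adc_dev->channels` ms, so it is worth confirming that the loop yields between polls.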
@@ -0,0 +1,87 @@
+From 90c43ec6997a892448f1f86180a515f59cafd8a3 Mon Sep 17 00:00:00 2001
+From: Vignesh R
+Date: Wed, 17 Aug 2016 17:43:00 +0530
+Subject: iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access
+
+From: Vignesh R
+
+commit 90c43ec6997a892448f1f86180a515f59cafd8a3 upstream.
+
+It is possible that two or more ADC channels can be simultaneously
+requested for raw samples, in which case there can be race in access to
+FIFO data resulting in loss of samples.
+If am335x_tsc_se_set_once() is called again from tiadc_read_raw(), when
+ADC is still acquired to sample one of the channels, the second process
+might be put into uninterruptible sleep state. Fix these issues, by
+protecting FIFO access and channel configurations with a mutex. Since
+tiadc_read_raw() might take anywhere between few microseconds to few
+milliseconds to finish execution (depending on averaging and delay
+values supplied via DT), its better to use mutex instead of spinlock.
+
+Fixes: 7ca6740cd1cd4 ("mfd: input: iio: ti_amm335x: Rework TSC/ADC synchronization")
+Signed-off-by: Vignesh R
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/ti_am335x_adc.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/adc/ti_am335x_adc.c
++++ b/drivers/iio/adc/ti_am335x_adc.c
+@@ -32,6 +32,7 @@
+
+ struct tiadc_device {
+ struct ti_tscadc_dev *mfd_tscadc;
++ struct mutex fifo1_lock; /* to protect fifo access */
+ int channels;
+ u8 channel_line[8];
+ u8 channel_step[8];
+@@ -360,6 +361,7 @@ static int tiadc_read_raw(struct iio_dev
+ int *val, int *val2, long mask)
+ {
+ struct tiadc_device *adc_dev = iio_priv(indio_dev);
++ int ret = IIO_VAL_INT;
+ int i, map_val;
+ unsigned int fifo1count, read, stepid;
+ bool found = false;
+@@ -373,6 +375,7 @@ static int tiadc_read_raw(struct iio_dev
+ if (!step_en)
+ return -EINVAL;
+
++ mutex_lock(&adc_dev->fifo1_lock);
+ fifo1count = tiadc_readl(adc_dev, REG_FIFO1CNT);
+
while (fifo1count--)
+ tiadc_readl(adc_dev, REG_FIFO1);
+@@ -389,7 +392,8 @@ static int tiadc_read_raw(struct iio_dev
+
+ if (time_after(jiffies, timeout)) {
+ am335x_tsc_se_adc_done(adc_dev->mfd_tscadc);
+- return -EAGAIN;
++ ret = -EAGAIN;
++ goto err_unlock;
+ }
+ }
+ map_val = adc_dev->channel_step[chan->scan_index];
+@@ -415,8 +419,11 @@ static int tiadc_read_raw(struct iio_dev
+ am335x_tsc_se_adc_done(adc_dev->mfd_tscadc);
+
+ if (found == false)
+- return -EBUSY;
+- return IIO_VAL_INT;
++ ret = -EBUSY;
++
++err_unlock:
++ mutex_unlock(&adc_dev->fifo1_lock);
++ return ret;
+ }
+
+ static const struct iio_info tiadc_info = {
+@@ -485,6 +492,7 @@ static int tiadc_probe(struct platform_d
+
+ tiadc_step_config(indio_dev);
+ tiadc_writel(adc_dev, REG_FIFO1THR, FIFO1_THRESHOLD);
++ mutex_init(&adc_dev->fifo1_lock);
+
+ err = tiadc_channel_init(indio_dev, adc_dev->channels);
+ if (err < 0)
diff --git a/queue-4.7/iio-core-fix-iio_val_fractional-sign-handling.patch b/queue-4.7/iio-core-fix-iio_val_fractional-sign-handling.patch
new file mode 100644
index 00000000000..4d944b29600
--- /dev/null
+++ b/queue-4.7/iio-core-fix-iio_val_fractional-sign-handling.patch
@@ -0,0 +1,43 @@
+From 171c0091837c81ed5c949fec6966bb5afff2d1cf Mon Sep 17 00:00:00 2001
+From: Gregor Boirie
+Date: Fri, 2 Sep 2016 20:27:46 +0200
+Subject: iio:core: fix IIO_VAL_FRACTIONAL sign handling
+
+From: Gregor Boirie
+
+commit 171c0091837c81ed5c949fec6966bb5afff2d1cf upstream.
+
+7985e7c100 ("iio: Introduce a new fractional value type") introduced a
+new IIO_VAL_FRACTIONAL value type meant to represent rational type numbers
+expressed by a numerator and denominator combination.
+
+Formating of IIO_VAL_FRACTIONAL values relies upon do_div() usage. This
+fails handling negative values properly since parameters are reevaluated
+as unsigned values.
+Fix this by using div_s64_rem() instead. Computed integer part will carry
+properly signed value. Formatted fractional part will always be positive.
+
+Fixes: 7985e7c100 ("iio: Introduce a new fractional value type")
+Signed-off-by: Gregor Boirie
+Reviewed-by: Lars-Peter Clausen
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/industrialio-core.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/industrialio-core.c
++++ b/drivers/iio/industrialio-core.c
+@@ -532,9 +532,8 @@ ssize_t iio_format_value(char *buf, unsi
+ return sprintf(buf, "%d.%09u\n", vals[0], vals[1]);
+ case IIO_VAL_FRACTIONAL:
+ tmp = div_s64((s64)vals[0] * 1000000000LL, vals[1]);
+- vals[1] = do_div(tmp, 1000000000LL);
+- vals[0] = tmp;
+- return sprintf(buf, "%d.%09u\n", vals[0], vals[1]);
++ vals[0] = (int)div_s64_rem(tmp, 1000000000, &vals[1]);
++ return sprintf(buf, "%d.%09u\n", vals[0], abs(vals[1]));
+ case IIO_VAL_FRACTIONAL_LOG2:
+ tmp = (s64)vals[0] * 1000000000LL >> vals[1];
+ vals[1] = do_div(tmp, 1000000000LL);
diff --git a/queue-4.7/iio-ensure-ret-is-initialized-to-zero-before-entering-do-loop.patch b/queue-4.7/iio-ensure-ret-is-initialized-to-zero-before-entering-do-loop.patch
new file mode 100644
index 00000000000..f92d90d8b40
--- /dev/null
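Review bot: In the `IIO_VAL_FRACTIONAL` case a negative value whose magnitude is below one still loses its sign: `div_s64_rem()` yields an integer part of 0 and `abs(vals[1])` strips the sign from the remainder, so -1/2 is formatted as `0.500000000`. Handle that case before the existing return, for example `if (vals[0] == 0 && tmp < 0) return sprintf(buf, "-0.%09u\n", abs(vals[1]));`. The `IIO_VAL_FRACTIONAL_LOG2` case visible in the context still runs `do_div()` on a signed `tmp` and looks like it needs the same treatment. `iio_format_value()` begins and ends outside the hunk.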
+++ b/queue-4.7/iio-ensure-ret-is-initialized-to-zero-before-entering-do-loop.patch
@@ -0,0 +1,45 @@
+From 5dba4b14bafe801083d01e1f400816df7e5a8f2e Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Mon, 5 Sep 2016 15:39:06 +0100
+Subject: iio: ensure ret is initialized to zero before entering do loop
+
+From: Colin Ian King
+
+commit 5dba4b14bafe801083d01e1f400816df7e5a8f2e upstream.
+
+A recent fix to iio_buffer_read_first_n_outer removed ret from being set by
+a return from wait_event_interruptible and also added a continue in a loop
+which causes the variable ret to not be set when it reaches the end of the
+loop. Fix this by initializing ret to zero.
+
+Also remove extraneous white space at the end of the loop.
+
+Fixes: fcf68f3c0bb2a5 ("fix sched WARNING "do not call blocking ops when !TASK_RUNNING")
+Signed-off-by: Colin Ian King
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/industrialio-buffer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -110,7 +110,7 @@ ssize_t iio_buffer_read_first_n_outer(st
+ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ size_t datum_size;
+ size_t to_wait;
+- int ret;
++ int ret = 0;
+
+ if (!indio_dev->info)
+ return -ENODEV;
+@@ -153,7 +153,7 @@ ssize_t iio_buffer_read_first_n_outer(st
+ ret = rb->access->read_first_n(rb, n, buf);
+ if (ret == 0 && (filp->f_flags & O_NONBLOCK))
+ ret = -EAGAIN;
+- } while (ret == 0);
++ } while (ret == 0);
+ remove_wait_queue(&rb->pollq, &wait);
+
+ return ret;
diff --git a/queue-4.7/iio-fix-pressure-data-output-unit-in-hid-sensor-attributes.patch b/queue-4.7/iio-fix-pressure-data-output-unit-in-hid-sensor-attributes.patch
new file mode 100644
index 00000000000..b7331d81550
--- /dev/null
+++ b/queue-4.7/iio-fix-pressure-data-output-unit-in-hid-sensor-attributes.patch
@@ -0,0 +1,38 @@
+From 36afb176d3c9580651d7f410ed7f000ec48b5137 Mon Sep 17 00:00:00 2001
+From: "Kweh, Hock Leong"
+Date: Mon, 29 Aug 2016 18:50:56 +0800
+Subject: iio: fix pressure data output unit in hid-sensor-attributes
+
+From: Kweh, Hock Leong
+
+commit 36afb176d3c9580651d7f410ed7f000ec48b5137 upstream.
+
+According to IIO ABI definition, IIO_PRESSURE data output unit is
+kilopascal:
+http://lxr.free-electrons.com/source/Documentation/ABI/testing/sysfs-bus-iio
+
+This patch fix output unit of HID pressure sensor IIO driver from pascal to
+kilopascal to follow IIO ABI definition.
+
+Signed-off-by: Kweh, Hock Leong
+Reviewed-by: Srinivas Pandruvada
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/common/hid-sensors/hid-sensor-attributes.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
++++ b/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
+@@ -56,8 +56,8 @@ static struct {
+ {HID_USAGE_SENSOR_ALS, 0, 1, 0},
+ {HID_USAGE_SENSOR_ALS, HID_USAGE_SENSOR_UNITS_LUX, 1, 0},
+
+- {HID_USAGE_SENSOR_PRESSURE, 0, 100000, 0},
+- {HID_USAGE_SENSOR_PRESSURE, HID_USAGE_SENSOR_UNITS_PASCAL, 1, 0},
++ {HID_USAGE_SENSOR_PRESSURE, 0, 100, 0},
++ {HID_USAGE_SENSOR_PRESSURE, HID_USAGE_SENSOR_UNITS_PASCAL, 0, 1000},
+ };
+
+ static int pow_10(unsigned power)
diff --git a/queue-4.7/iio-humidity-am2315-set-up-buffer-timestamps-for-non-zero-values.patch b/queue-4.7/iio-humidity-am2315-set-up-buffer-timestamps-for-non-zero-values.patch
new file mode 100644
index 00000000000..b9348fd4e47
--- /dev/null
+++ b/queue-4.7/iio-humidity-am2315-set-up-buffer-timestamps-for-non-zero-values.patch
@@ -0,0 +1,33 @@
+From 3c68858df7c2f0c4c343bb4702733fe827491f9e Mon Sep 17 00:00:00 2001
+From: Alison Schofield
+Date: Mon, 11 Jul 2016 08:26:13 -0700
+Subject: iio: humidity: am2315: set up buffer timestamps for non-zero values
+
+From: Alison Schofield
+
+commit 3c68858df7c2f0c4c343bb4702733fe827491f9e upstream.
+
+Use the iio_pollfunc_store_time parameter during triggered buffer
+set-up to get valid timestamps.
+
+Signed-off-by: Alison Schofield
+Cc: Daniel Baluta
+Reviewed-By: Tiberiu Breana
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/humidity/am2315.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/humidity/am2315.c
++++ b/drivers/iio/humidity/am2315.c
+@@ -244,7 +244,7 @@ static int am2315_probe(struct i2c_clien
+ indio_dev->channels = am2315_channels;
+ indio_dev->num_channels = ARRAY_SIZE(am2315_channels);
+
+- ret = iio_triggered_buffer_setup(indio_dev, NULL,
++ ret = iio_triggered_buffer_setup(indio_dev, iio_pollfunc_store_time,
+ am2315_trigger_handler, NULL);
+ if (ret < 0) {
+ dev_err(&client->dev, "iio triggered buffer setup failed\n");
diff --git a/queue-4.7/iio-humidity-hdc100x-fix-sensor-data-reads-of-temp-and-humidity.patch b/queue-4.7/iio-humidity-hdc100x-fix-sensor-data-reads-of-temp-and-humidity.patch
new file mode 100644
index 00000000000..f405b733961
--- /dev/null
+++ b/queue-4.7/iio-humidity-hdc100x-fix-sensor-data-reads-of-temp-and-humidity.patch
@@ -0,0 +1,87 @@
+From 0d9dcf852334b796bacc7020364afba3122db81e Mon Sep 17 00:00:00 2001
+From: Alison Schofield
+Date: Mon, 8 Aug 2016 11:14:36 -0700
+Subject: iio: humidity: hdc100x: fix sensor data reads of temp and humidity
+
+From: Alison Schofield
+
+commit 0d9dcf852334b796bacc7020364afba3122db81e upstream.
+
+Replace the i2c_smbus_read_byte commmands used to retrieve the sensor
+data with an i2c_master_recv command.
+
+The smbus read byte method fails because the device does not expect a
+stop condition after sending the first byte. When we issue the second
+read, we are getting the first byte again. Net effect is that of the 14
+bits used for the measurement, the 8 most significant bits are correct,
+the lower 6 are not.
+
+None of the smbus read protocols follow the pattern this device requires
+(S Addr Rd [A] Data [A] Data NA P), hence the switch to an i2c receive
+transaction.
+
+Applicable from original introduction of this driver, but will require
+backporting due to churn in the code.
+
+Signed-off-by: Alison Schofield
+Cc: Daniel Baluta
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/humidity/hdc100x.c | 27 +++++++--------------------
+ 1 file changed, 7 insertions(+), 20 deletions(-)
+
+--- a/drivers/iio/humidity/hdc100x.c
++++ b/drivers/iio/humidity/hdc100x.c
+@@ -142,7 +142,7 @@ static int hdc100x_get_measurement(struc
+ struct i2c_client *client = data->client;
+ int delay = data->adc_int_us[chan->address];
+ int ret;
+- int val;
++ __be16 val;
+
+ /* start measurement */
+ ret = i2c_smbus_write_byte(client, chan->address);
+@@ -154,26 +154,13 @@ static int hdc100x_get_measurement(struc
+ /* wait for integration time to pass */
+ usleep_range(delay, delay + 1000);
+
+- /*
+- * i2c_smbus_read_word_data cannot() be used here due to the command
+- * value not being understood and causes NAKs preventing any reading
+- * from being accessed.
+- */
+- ret = i2c_smbus_read_byte(client);
++ /* read measurement */
++ ret = i2c_master_recv(data->client, (char *)&val, sizeof(val));
+ if (ret < 0) {
+- dev_err(&client->dev, "cannot read high byte measurement");
++ dev_err(&client->dev, "cannot read sensor data\n");
+ return ret;
+ }
+- val = ret << 8;
+-
+- ret = i2c_smbus_read_byte(client);
+- if (ret < 0) {
+- dev_err(&client->dev, "cannot read low byte measurement");
+- return ret;
+- }
+- val |= ret;
+-
+- return val;
++ return be16_to_cpu(val);
+ }
+
+ static int hdc100x_get_heater_status(struct hdc100x_data *data)
+@@ -272,8 +259,8 @@ static int hdc100x_probe(struct i2c_clie
+ struct iio_dev *indio_dev;
+ struct hdc100x_data *data;
+
+- if (!i2c_check_functionality(client->adapter,
+- I2C_FUNC_SMBUS_WORD_DATA | I2C_FUNC_SMBUS_BYTE))
++ if (!i2c_check_functionality(client->adapter, I2C_FUNC_SMBUS_WORD_DATA |
++ I2C_FUNC_SMBUS_BYTE | I2C_FUNC_I2C))
+ return -EOPNOTSUPP;
+
+ indio_dev = devm_iio_device_alloc(&client->dev, sizeof(*data));
diff --git a/queue-4.7/iio-proximity-as3935-set-up-buffer-timestamps-for-non-zero-values.patch b/queue-4.7/iio-proximity-as3935-set-up-buffer-timestamps-for-non-zero-values.patch
new file mode 100644
index 00000000000..b5fb16dc117
--- /dev/null
+++ b/queue-4.7/iio-proximity-as3935-set-up-buffer-timestamps-for-non-zero-values.patch
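Review bot: The new `i2c_master_recv()` call in `hdc100x_get_measurement()` is checked only for `ret < 0`, so a transfer that returns fewer than `sizeof(val)` bytes would pass the uninitialised part of the stack variable `val` through `be16_to_cpu()` and hand it back as a measurement. Compare against the expected length instead, `if (ret != sizeof(val)) {` with `return ret < 0 ? ret : -EIO;` after the existing `dev_err()`. The call also uses `data->client` although the local `client` is already in scope and used on the neighbouring lines, so `i2c_master_recv(client, (char *)&val, sizeof(val))` would be consistent.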
@@ -0,0 +1,32 @@
+From f8adf645db03345af2d9a8b6095b02327ea50885 Mon Sep 17 00:00:00 2001
+From: Alison Schofield
+Date: Mon, 11 Jul 2016 08:26:56 -0700
+Subject: iio: proximity: as3935: set up buffer timestamps for non-zero values
+
+From: Alison Schofield
+
+commit f8adf645db03345af2d9a8b6095b02327ea50885 upstream.
+
+Use the iio_pollfunc_store_time parameter during triggered buffer
+set-up to get valid timestamps.
+
+Signed-off-by: Alison Schofield
+Cc: Daniel Baluta
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/proximity/as3935.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/proximity/as3935.c
++++ b/drivers/iio/proximity/as3935.c
+@@ -392,7 +392,7 @@ static int as3935_probe(struct spi_devic
+ return ret;
+ }
+
+- ret = iio_triggered_buffer_setup(indio_dev, NULL,
++ ret = iio_triggered_buffer_setup(indio_dev, iio_pollfunc_store_time,
+ &as3935_trigger_handler, NULL);
+
+ if (ret) {
diff --git a/queue-4.7/iio-sw-trigger-fix-config-group-initialization.patch b/queue-4.7/iio-sw-trigger-fix-config-group-initialization.patch
new file mode 100644
index 00000000000..c99bed7cb91
--- /dev/null
+++ b/queue-4.7/iio-sw-trigger-fix-config-group-initialization.patch
@@ -0,0 +1,36 @@
+From b2f0c09664b72b2f8c581383a9337ac3092e42c8 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen
+Date: Mon, 11 Jul 2016 13:50:01 +0200
+Subject: iio: sw-trigger: Fix config group initialization
+
+From: Lars-Peter Clausen
+
+commit b2f0c09664b72b2f8c581383a9337ac3092e42c8 upstream.
+
+Use the IS_ENABLED() helper macro to ensure that the configfs group is
+initialized either when configfs is built-in or when configfs is built as a
+module. Otherwise software trigger creation will result in undefined
+behaviour when configfs is built as a mdoule since the configfs group for
+the trigger is not properly initialized.
+
+Fixes: b662f809d410 ("iio: core: Introduce IIO software triggers")
+Signed-off-by: Lars-Peter Clausen
+Acked-by: Daniel Baluta
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/iio/sw_trigger.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/iio/sw_trigger.h
++++ b/include/linux/iio/sw_trigger.h
+@@ -62,7 +62,7 @@ void iio_swt_group_init_type_name(struct
+ const char *name,
+ struct config_item_type *type)
+ {
+-#ifdef CONFIG_CONFIGFS_FS
++#if IS_ENABLED(CONFIG_CONFIGFS_FS)
+ config_group_init_type_name(&t->group, name, type);
+ #endif
+ }
diff --git a/queue-4.7/iio-ti-ads1015-fix-a-wrong-pointer-definition.patch b/queue-4.7/iio-ti-ads1015-fix-a-wrong-pointer-definition.patch
new file mode 100644
index 00000000000..9f11fd2b1bf
--- /dev/null
+++ b/queue-4.7/iio-ti-ads1015-fix-a-wrong-pointer-definition.patch
@@ -0,0 +1,34 @@
+From 522caebb2c3684f4a1d154526fb5e33f1381e92a Mon Sep 17 00:00:00 2001
+From: Giorgio Dal Molin
+Date: Tue, 16 Aug 2016 20:43:37 +0200
+Subject: iio:ti-ads1015: fix a wrong pointer definition.
+
+From: Giorgio Dal Molin
+
+commit 522caebb2c3684f4a1d154526fb5e33f1381e92a upstream.
+
+The call to i2c_get_clientdata(client) returns a struct iio_dev*, not
+the needed struct ads1015_data*. We need here an intermediate step as
+in the function: void ads1015_get_channels_config(struct i2c_client *client).
+
+Signed-off-by: Giorgio Dal Molin
+Fixes: ecc24e72f437 ("iio: adc: Add TI ADS1015 ADC driver support")
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/ti-ads1015.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ti-ads1015.c
++++ b/drivers/iio/adc/ti-ads1015.c
+@@ -403,7 +403,8 @@ static const struct iio_info ads1015_inf
+ #ifdef CONFIG_OF
+ static int ads1015_get_channels_config_of(struct i2c_client *client)
+ {
+- struct ads1015_data *data = i2c_get_clientdata(client);
++ struct iio_dev *indio_dev = i2c_get_clientdata(client);
++ struct ads1015_data *data = iio_priv(indio_dev);
+ struct device_node *node;
+
+ if (!client->dev.of_node ||
diff --git a/queue-4.7/ipv6-don-t-unset-flowi6_proto-in-ipxip6_tnl_xmit.patch b/queue-4.7/ipv6-don-t-unset-flowi6_proto-in-ipxip6_tnl_xmit.patch
new file mode 100644
index 00000000000..2d73fb59365
--- /dev/null
+++ b/queue-4.7/ipv6-don-t-unset-flowi6_proto-in-ipxip6_tnl_xmit.patch
@@ -0,0 +1,42 @@ +From ab34380162cbc9b5172afdadf5136643c687bb73 Mon Sep 17 00:00:00 2001 +From: Eli Cooper +Date: Fri, 26 Aug 2016 23:52:29 +0800 +Subject: ipv6: Don't unset flowi6_proto in ipxip6_tnl_xmit() + +From: Eli Cooper + +commit ab34380162cbc9b5172afdadf5136643c687bb73 upstream. + +Commit 8eb30be0352d0916 ("ipv6: Create ip6_tnl_xmit") unsets +flowi6_proto in ip4ip6_tnl_xmit() and ip6ip6_tnl_xmit(). +Since xfrm_selector_match() relies on this info, IPv6 packets +sent by an ip6tunnel cannot be properly selected by their +protocols after removing it. This patch puts flowi6_proto back. + +Fixes: 8eb30be0352d ("ipv6: Create ip6_tnl_xmit") +Signed-off-by: Eli Cooper +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/ip6_tunnel.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -1174,6 +1174,7 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, str + encap_limit = t->parms.encap_limit; + + memcpy(&fl6, &t->fl.u.ip6, sizeof(fl6)); ++ fl6.flowi6_proto = IPPROTO_IPIP; + + dsfield = ipv4_get_dsfield(iph); + +@@ -1233,6 +1234,7 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, str + encap_limit = t->parms.encap_limit; + + memcpy(&fl6, &t->fl.u.ip6, sizeof(fl6)); ++ fl6.flowi6_proto = IPPROTO_IPV6; + + dsfield = ipv6_get_dsfield(ipv6h); + if (t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS) diff --git a/queue-4.7/kernfs-don-t-depend-on-d_find_any_alias-when-generating-notifications.patch b/queue-4.7/kernfs-don-t-depend-on-d_find_any_alias-when-generating-notifications.patch new file mode 100644 index 00000000000..7cab88af113 --- /dev/null +++ b/queue-4.7/kernfs-don-t-depend-on-d_find_any_alias-when-generating-notifications.patch 
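Review bot: The two added `fl6.flowi6_proto = ...` assignments in ip4ip6_tnl_xmit() and ip6ip6_tnl_xmit() carry no comment, although the commit message says an earlier refactoring already dropped them once and that xfrm_selector_match() depends on them. That affects which xfrm policy a tunnelled packet is matched against, so the reason belongs next to the code: `/* xfrm selector matching needs the inner protocol; the memcpy above does not supply it */`. Whether t->fl.u.ip6 ever carries a protocol value is not visible here, so the wording should be checked against the place where t->fl is set up. Both function bodies extend beyond their hunks.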
@@ -0,0 +1,88 @@ +From df6a58c5c5aa8ecb1e088ecead3fa33ae70181f1 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Fri, 17 Jun 2016 17:51:17 -0400 +Subject: kernfs: don't depend on d_find_any_alias() when generating notifications + +From: Tejun Heo + +commit df6a58c5c5aa8ecb1e088ecead3fa33ae70181f1 upstream. + +kernfs_notify_workfn() sends out file modified events for the +scheduled kernfs_nodes. Because the modifications aren't from +userland, it doesn't have the matching file struct at hand and can't +use fsnotify_modify(). Instead, it looked up the inode and then used +d_find_any_alias() to find the dentry and used fsnotify_parent() and +fsnotify() directly to generate notifications. + +The assumption was that the relevant dentries would have been pinned +if there are listeners, which isn't true as inotify doesn't pin +dentries at all and watching the parent doesn't pin the child dentries +even for dnotify. This led to, for example, inotify watchers not +getting notifications if the system is under memory pressure and the +matching dentries got reclaimed. It can also be triggered through +/proc/sys/vm/drop_caches or a remount attempt which involves shrinking +dcache. + +fsnotify_parent() only uses the dentry to access the parent inode, +which kernfs can do easily. Update kernfs_notify_workfn() so that it +uses fsnotify() directly for both the parent and target inodes without +going through d_find_any_alias(). While at it, supply the target file +name to fsnotify() from kernfs_node->name. 
+ +Signed-off-by: Tejun Heo +Reported-by: Evgeny Vereshchagin +Fixes: d911d9874801 ("kernfs: make kernfs_notify() trigger inotify events too") +Cc: John McCutchan +Cc: Robert Love +Cc: Eric Paris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/kernfs/file.c | 28 +++++++++++++++++++++------- + 1 file changed, 21 insertions(+), 7 deletions(-) + +--- a/fs/kernfs/file.c ++++ b/fs/kernfs/file.c +@@ -840,21 +840,35 @@ repeat: + mutex_lock(&kernfs_mutex); + + list_for_each_entry(info, &kernfs_root(kn)->supers, node) { ++ struct kernfs_node *parent; + struct inode *inode; +- struct dentry *dentry; + ++ /* ++ * We want fsnotify_modify() on @kn but as the ++ * modifications aren't originating from userland don't ++ * have the matching @file available. Look up the inodes ++ * and generate the events manually. ++ */ + inode = ilookup(info->sb, kn->ino); + if (!inode) + continue; + +- dentry = d_find_any_alias(inode); +- if (dentry) { +- fsnotify_parent(NULL, dentry, FS_MODIFY); +- fsnotify(inode, FS_MODIFY, inode, FSNOTIFY_EVENT_INODE, +- NULL, 0); +- dput(dentry); ++ parent = kernfs_get_parent(kn); ++ if (parent) { ++ struct inode *p_inode; ++ ++ p_inode = ilookup(info->sb, parent->ino); ++ if (p_inode) { ++ fsnotify(p_inode, FS_MODIFY | FS_EVENT_ON_CHILD, ++ inode, FSNOTIFY_EVENT_INODE, kn->name, 0); ++ iput(p_inode); ++ } ++ ++ kernfs_put(parent); + } + ++ fsnotify(inode, FS_MODIFY, inode, FSNOTIFY_EVENT_INODE, ++ kn->name, 0); + iput(inode); + } + diff --git a/queue-4.7/kexec-fix-double-free-when-failing-to-relocate-the-purgatory.patch b/queue-4.7/kexec-fix-double-free-when-failing-to-relocate-the-purgatory.patch new file mode 100644 index 00000000000..85c83f3d6e9 --- /dev/null +++ b/queue-4.7/kexec-fix-double-free-when-failing-to-relocate-the-purgatory.patch 
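Review bot: kernfs_notify_workfn() now hands `kn->name` to fsnotify() for both the parent and the target inode, and nothing in the hunk says what keeps that string stable while the event is generated. The loop runs under kernfs_mutex (the `mutex_lock(&kernfs_mutex)` context line), which presumably serialises against renames, but that is an inference from code outside the hunk. If it holds, a short comment such as `/* kn->name is stable here: renames take kernfs_mutex */` would record the assumption. The function starts before the hunk.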
@@ -0,0 +1,69 @@ +From 070c43eea5043e950daa423707ae3c77e2f48edb Mon Sep 17 00:00:00 2001 +From: Thiago Jung Bauermann +Date: Thu, 1 Sep 2016 16:14:44 -0700 +Subject: kexec: fix double-free when failing to relocate the purgatory + +From: Thiago Jung Bauermann + +commit 070c43eea5043e950daa423707ae3c77e2f48edb upstream. + +If kexec_apply_relocations fails, kexec_load_purgatory frees pi->sechdrs +and pi->purgatory_buf. This is redundant, because in case of error +kimage_file_prepare_segments calls kimage_file_post_load_cleanup, which +will also free those buffers. + +This causes two warnings like the following, one for pi->sechdrs and the +other for pi->purgatory_buf: + + kexec-bzImage64: Loading purgatory failed + ------------[ cut here ]------------ + WARNING: CPU: 1 PID: 2119 at mm/vmalloc.c:1490 __vunmap+0xc1/0xd0 + Trying to vfree() nonexistent vm area (ffffc90000e91000) + Modules linked in: + CPU: 1 PID: 2119 Comm: kexec Not tainted 4.8.0-rc3+ #5 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + Call Trace: + dump_stack+0x4d/0x65 + __warn+0xcb/0xf0 + warn_slowpath_fmt+0x4f/0x60 + ? find_vmap_area+0x19/0x70 + ? kimage_file_post_load_cleanup+0x47/0xb0 + __vunmap+0xc1/0xd0 + vfree+0x2e/0x70 + kimage_file_post_load_cleanup+0x5e/0xb0 + SyS_kexec_file_load+0x448/0x680 + ? putname+0x54/0x60 + ? do_sys_open+0x190/0x1f0 + entry_SYSCALL_64_fastpath+0x13/0x8f + ---[ end trace 158bb74f5950ca2b ]--- + +Fix by setting pi->sechdrs an pi->purgatory_buf to NULL, since vfree +won't try to free a NULL pointer. + +Link: http://lkml.kernel.org/r/1472083546-23683-1-git-send-email-bauerman@linux.vnet.ibm.com +Signed-off-by: Thiago Jung Bauermann +Acked-by: Baoquan He +Cc: "Eric W. 
Biederman" +Cc: Vivek Goyal +Cc: Dave Young +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/kexec_file.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/kexec_file.c ++++ b/kernel/kexec_file.c +@@ -887,7 +887,10 @@ int kexec_load_purgatory(struct kimage * + return 0; + out: + vfree(pi->sechdrs); ++ pi->sechdrs = NULL; ++ + vfree(pi->purgatory_buf); ++ pi->purgatory_buf = NULL; + return ret; + } + diff --git a/queue-4.7/kvm-arm-unmap-shadow-pagetables-properly.patch b/queue-4.7/kvm-arm-unmap-shadow-pagetables-properly.patch new file mode 100644 index 00000000000..7fc789ba326 --- /dev/null +++ b/queue-4.7/kvm-arm-unmap-shadow-pagetables-properly.patch 
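Review bot: The error path of kexec_load_purgatory() now clears `pi->sechdrs` and `pi->purgatory_buf` after vfree(), but the code does not say why; the reason is only in the commit message, which explains that kimage_file_post_load_cleanup() frees the same two buffers later. Without a comment the assignments look redundant and are easy to remove again, which would bring the double vfree() back. I would add `/* kimage_file_post_load_cleanup() also frees these; NULL them so that call is a no-op */` above the first vfree(). The function body starts outside the hunk.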
@@ -0,0 +1,92 @@ +From 293f293637b55db4f9f522a5a72514e98a541076 Mon Sep 17 00:00:00 2001 +From: Suzuki K Poulose +Date: Thu, 8 Sep 2016 16:25:49 +0100 +Subject: kvm-arm: Unmap shadow pagetables properly + +From: Suzuki K Poulose + +commit 293f293637b55db4f9f522a5a72514e98a541076 upstream. + +On arm/arm64, we depend on the kvm_unmap_hva* callbacks (via +mmu_notifiers::invalidate_*) to unmap the stage2 pagetables when +the userspace buffer gets unmapped. However, when the Hypervisor +process exits without explicit unmap of the guest buffers, the only +notifier we get is kvm_arch_flush_shadow_all() (via mmu_notifier::release +) which does nothing on arm. Later this causes us to access pages that +were already released [via exit_mmap() -> unmap_vmas()] when we actually +get to unmap the stage2 pagetable [via kvm_arch_destroy_vm() -> +kvm_free_stage2_pgd()]. This triggers crashes with CONFIG_DEBUG_PAGEALLOC, +which unmaps any free'd pages from the linear map. + + [ 757.644120] Unable to handle kernel paging request at virtual address + ffff800661e00000 + [ 757.652046] pgd = ffff20000b1a2000 + [ 757.655471] [ffff800661e00000] *pgd=00000047fffe3003, *pud=00000047fcd8c003, + *pmd=00000047fcc7c003, *pte=00e8004661e00712 + [ 757.666492] Internal error: Oops: 96000147 [#3] PREEMPT SMP + [ 757.672041] Modules linked in: + [ 757.675100] CPU: 7 PID: 3630 Comm: qemu-system-aar Tainted: G D + 4.8.0-rc1 #3 + [ 757.683240] Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board, + BIOS 3.06.15 Aug 19 2016 + [ 757.692938] task: ffff80069cdd3580 task.stack: ffff8006adb7c000 + [ 757.698840] PC is at __flush_dcache_area+0x1c/0x40 + [ 757.703613] LR is at kvm_flush_dcache_pmd+0x60/0x70 + [ 757.708469] pc : [] lr : [] pstate: 20000145 + ... 
+ [ 758.357249] [] __flush_dcache_area+0x1c/0x40 + [ 758.363059] [] unmap_stage2_range+0x458/0x5f0 + [ 758.368954] [] kvm_free_stage2_pgd+0x34/0x60 + [ 758.374761] [] kvm_arch_destroy_vm+0x20/0x68 + [ 758.380570] [] kvm_put_kvm+0x210/0x358 + [ 758.385860] [] kvm_vm_release+0x2c/0x40 + [ 758.391239] [] __fput+0x114/0x2e8 + [ 758.396096] [] ____fput+0xc/0x18 + [ 758.400869] [] task_work_run+0x108/0x138 + [ 758.406332] [] do_exit+0x48c/0x10e8 + [ 758.411363] [] do_group_exit+0x6c/0x130 + [ 758.416739] [] get_signal+0x284/0xa18 + [ 758.421943] [] do_signal+0x158/0x860 + [ 758.427060] [] do_notify_resume+0x6c/0x88 + [ 758.432608] [] work_pending+0x10/0x14 + [ 758.437812] Code: 9ac32042 8b010001 d1000443 8a230000 (d50b7e20) + +This patch fixes the issue by moving the kvm_free_stage2_pgd() to +kvm_arch_flush_shadow_all(). + +Tested-by: Itaru Kitayama +Reported-by: Itaru Kitayama +Reported-by: James Morse +Cc: Marc Zyngier +Cc: Catalin Marinas +Cc: Christoffer Dall +Signed-off-by: Suzuki K Poulose +Signed-off-by: Christoffer Dall +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kvm/arm.c | 2 -- + arch/arm/kvm/mmu.c | 1 + + 2 files changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/arm/kvm/arm.c ++++ b/arch/arm/kvm/arm.c +@@ -157,8 +157,6 @@ void kvm_arch_destroy_vm(struct kvm *kvm + { + int i; + +- kvm_free_stage2_pgd(kvm); +- + for (i = 0; i < KVM_MAX_VCPUS; ++i) { + if (kvm->vcpus[i]) { + kvm_arch_vcpu_free(kvm->vcpus[i]); +--- a/arch/arm/kvm/mmu.c ++++ b/arch/arm/kvm/mmu.c +@@ -1909,6 +1909,7 @@ void kvm_arch_memslots_updated(struct kv + + void kvm_arch_flush_shadow_all(struct kvm *kvm) + { ++ kvm_free_stage2_pgd(kvm); + } + + void kvm_arch_flush_shadow_memslot(struct kvm *kvm, diff --git a/queue-4.7/kvm-s390-don-t-use-current-thread.fpu.-when-accessing-registers.patch b/queue-4.7/kvm-s390-don-t-use-current-thread.fpu.-when-accessing-registers.patch new file mode 100644 index 00000000000..605ea34541c --- /dev/null 
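Review bot: With kvm_free_stage2_pgd() moved out of kvm_arch_destroy_vm() and into kvm_arch_flush_shadow_all(), the stage2 tables are freed only on paths that invoke that callback, and the hunks do not show that every teardown path does. If a VM can reach kvm_arch_destroy_vm() without the flush callback having run (a failure during VM creation, for example), the page tables would leak. The free also now runs from the MMU-notifier release path, so it is worth confirming that kvm_free_stage2_pgd() takes kvm->mmu_lock and tolerates being called twice; neither can be checked from here. A comment in kvm_arch_flush_shadow_all() such as `/* stage2 must be torn down here, before exit_mmap() releases the backing pages */` would record why the call lives there.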
+++ b/queue-4.7/kvm-s390-don-t-use-current-thread.fpu.-when-accessing-registers.patch 
@@ -0,0 +1,55 @@ +From a7d4b8f2565ad0dfdff9a222d1d87990c73b36e8 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Tue, 16 Aug 2016 14:38:24 +0200 +Subject: KVM: s390: don't use current->thread.fpu.* when accessing registers + +From: David Hildenbrand + +commit a7d4b8f2565ad0dfdff9a222d1d87990c73b36e8 upstream. + +As the meaning of these variables and pointers seems to change more +frequently, let's directly access our save area, instead of going via +current->thread. + +Right now, this is broken for set/get_fpu. They simply overwrite the +host registers, as the pointers to the current save area were turned +into the static host save area. + +Fixes: 3f6813b9a5e0 ("s390/fpu: allocate 'struct fpu' with the task_struct") +Reported-by: Hao QingFeng +Signed-off-by: David Hildenbrand +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/kvm-s390.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -1951,9 +1951,10 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct k + return -EINVAL; + current->thread.fpu.fpc = fpu->fpc; + if (MACHINE_HAS_VX) +- convert_fp_to_vx(current->thread.fpu.vxrs, (freg_t *)fpu->fprs); ++ convert_fp_to_vx((__vector128 *) vcpu->run->s.regs.vrs, ++ (freg_t *) fpu->fprs); + else +- memcpy(current->thread.fpu.fprs, &fpu->fprs, sizeof(fpu->fprs)); ++ memcpy(vcpu->run->s.regs.fprs, &fpu->fprs, sizeof(fpu->fprs)); + return 0; + } + +@@ -1962,9 +1963,10 @@ int kvm_arch_vcpu_ioctl_get_fpu(struct k + /* make sure we have the latest values */ + save_fpu_regs(); + if (MACHINE_HAS_VX) +- convert_vx_to_fp((freg_t *)fpu->fprs, current->thread.fpu.vxrs); ++ convert_vx_to_fp((freg_t *) fpu->fprs, ++ (__vector128 *) vcpu->run->s.regs.vrs); + else +- memcpy(fpu->fprs, current->thread.fpu.fprs, sizeof(fpu->fprs)); ++ memcpy(fpu->fprs, vcpu->run->s.regs.fprs, sizeof(fpu->fprs)); + fpu->fpc = current->thread.fpu.fpc; + return 0; + } 
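Review bot: kvm_arch_vcpu_ioctl_set_fpu() and kvm_arch_vcpu_ioctl_get_fpu() still read and write `current->thread.fpu.fpc` in the unchanged context lines, while the register contents now go through `vcpu->run->s.regs`. The commit message says the point is to stop going via current->thread, so either the fpc accesses should move too or a comment should say why fpc is safe to leave, e.g. `/* fpc is a plain field in current->thread.fpu, not a pointer into the host save area */` if that is the case in this tree. The memcpy() calls size the copy by `sizeof(fpu->fprs)` only; a `BUILD_BUG_ON(sizeof(fpu->fprs) != sizeof(vcpu->run->s.regs.fprs));` would pin the two layouts together. Both function bodies start outside their hunks.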
diff --git a/queue-4.7/kvm-x86-correctly-reset-dest_map-vector-when-restoring-lapic-state.patch b/queue-4.7/kvm-x86-correctly-reset-dest_map-vector-when-restoring-lapic-state.patch new file mode 100644 index 00000000000..54f7f2b16d1 --- /dev/null +++ b/queue-4.7/kvm-x86-correctly-reset-dest_map-vector-when-restoring-lapic-state.patch 
@@ -0,0 +1,66 @@ +From b0eaf4506f5f95d15d6731d72c0ddf4a2179eefa Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 14 Sep 2016 23:39:12 +0200 +Subject: kvm: x86: correctly reset dest_map->vector when restoring LAPIC state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paolo Bonzini + +commit b0eaf4506f5f95d15d6731d72c0ddf4a2179eefa upstream. + +When userspace sends KVM_SET_LAPIC, KVM schedules a check between +the vCPU's IRR and ISR and the IOAPIC redirection table, in order +to re-establish the IOAPIC's dest_map (the list of CPUs servicing +the real-time clock interrupt with the corresponding vectors). + +However, __rtc_irq_eoi_tracking_restore_one was forgetting to +set dest_map->vectors. Because of this, the IOAPIC did not process +the real-time clock interrupt EOI, ioapic->rtc_status.pending_eoi +got stuck at a non-zero value, and further RTC interrupts were +reported to userspace as coalesced. + +Fixes: 9e4aabe2bb3454c83dac8139cf9974503ee044db +Fixes: 4d99ba898dd0c521ca6cdfdde55c9b58aea3cb3d +Cc: Joerg Roedel +Cc: David Gilbert +Reviewed-by: Radim Krčmář +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/ioapic.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -109,6 +109,7 @@ static void __rtc_irq_eoi_tracking_resto + { + bool new_val, old_val; + struct kvm_ioapic *ioapic = vcpu->kvm->arch.vioapic; ++ struct dest_map *dest_map = &ioapic->rtc_status.dest_map; + union kvm_ioapic_redirect_entry *e; + + e = &ioapic->redirtbl[RTC_GSI]; +@@ -117,16 +118,17 @@ static void __rtc_irq_eoi_tracking_resto + return; + + new_val = kvm_apic_pending_eoi(vcpu, e->fields.vector); +- old_val = test_bit(vcpu->vcpu_id, ioapic->rtc_status.dest_map.map); ++ old_val = test_bit(vcpu->vcpu_id, dest_map->map); + + if (new_val == old_val) + return; + + if (new_val) { +- __set_bit(vcpu->vcpu_id, 
ioapic->rtc_status.dest_map.map); ++ __set_bit(vcpu->vcpu_id, dest_map->map); ++ dest_map->vectors[vcpu->vcpu_id] = e->fields.vector; + ioapic->rtc_status.pending_eoi++; + } else { +- __clear_bit(vcpu->vcpu_id, ioapic->rtc_status.dest_map.map); ++ __clear_bit(vcpu->vcpu_id, dest_map->map); + ioapic->rtc_status.pending_eoi--; + rtc_status_pending_eoi_check_valid(ioapic); + } diff --git a/queue-4.7/md-cluster-make-md-cluster-also-can-work-when-compiled-into-kernel.patch b/queue-4.7/md-cluster-make-md-cluster-also-can-work-when-compiled-into-kernel.patch new file mode 100644 index 00000000000..c844690e485 --- /dev/null +++ b/queue-4.7/md-cluster-make-md-cluster-also-can-work-when-compiled-into-kernel.patch 
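Review bot: The new store `dest_map->vectors[vcpu->vcpu_id] = e->fields.vector;` indexes an array with the vCPU id, and the hunk contains no bound on that index. The existing bitmap operations on `dest_map->map` use the same index, so the pattern is not new, but this line adds a full byte write at that offset. The declaration of struct dest_map is not visible here; it should be confirmed that `vectors[]` and `map` are sized for the largest vcpu_id userspace can choose and not only for the maximum number of vCPUs. __rtc_irq_eoi_tracking_restore_one() starts before the first hunk.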
@@ -0,0 +1,51 @@ +From 47a7b0d8888c04c9746812820b6e60553cc77bbc Mon Sep 17 00:00:00 2001 +From: Guoqing Jiang +Date: Sun, 4 Sep 2016 22:17:28 -0400 +Subject: md-cluster: make md-cluster also can work when compiled into kernel + +From: Guoqing Jiang + +commit 47a7b0d8888c04c9746812820b6e60553cc77bbc upstream. + +The md-cluster is compiled as module by default, +if it is compiled by built-in way, then we can't +make md-cluster works. + +[64782.630008] md/raid1:md127: active with 2 out of 2 mirrors +[64782.630528] md-cluster module not found. +[64782.630530] md127: Could not setup cluster service (-2) + +Fixes: edb39c9 ("Introduce md_cluster_operations to handle cluster functions") +Reported-by: Marc Smith +Reviewed-by: NeilBrown +Signed-off-by: Guoqing Jiang +Signed-off-by: Shaohua Li +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7599,16 +7599,12 @@ EXPORT_SYMBOL(unregister_md_cluster_oper + + int md_setup_cluster(struct mddev *mddev, int nodes) + { +- int err; +- +- err = request_module("md-cluster"); +- if (err) { +- pr_err("md-cluster module not found.\n"); +- return -ENOENT; +- } +- ++ if (!md_cluster_ops) ++ request_module("md-cluster"); + spin_lock(&pers_lock); ++ /* ensure module won't be unloaded */ + if (!md_cluster_ops || !try_module_get(md_cluster_mod)) { ++ pr_err("can't find md-cluster module or get it's reference.\n"); + spin_unlock(&pers_lock); + return -ENOENT; + } diff --git a/queue-4.7/memory-omap-gpmc-allow-probe-of-child-nodes-to-fail.patch b/queue-4.7/memory-omap-gpmc-allow-probe-of-child-nodes-to-fail.patch new file mode 100644 index 00000000000..031590f7dee --- /dev/null +++ b/queue-4.7/memory-omap-gpmc-allow-probe-of-child-nodes-to-fail.patch 
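Review bot: In md_setup_cluster() the return value of `request_module("md-cluster")` is now discarded, so a failed module load and a failed try_module_get() end in the same `-ENOENT` and the same message. Dropping the hard failure is what the built-in case needs, but the log no longer tells an administrator which of the two happened; I would keep the result and include it in the message when the later check fails. The message text also has a typo: `pr_err("can't find md-cluster module or get its reference.\n");`. The `!md_cluster_ops` test before the call runs outside pers_lock and is repeated under the lock, which a short comment could state.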
@@ -0,0 +1,84 @@ +From 23540d6e2f3193b946c4de43e3f9654fa6d23fe7 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Sun, 24 Jul 2016 14:10:58 +0200 +Subject: memory: omap-gpmc: allow probe of child nodes to fail + +From: Johan Hovold + +commit 23540d6e2f3193b946c4de43e3f9654fa6d23fe7 upstream. + +A recent commit (inadvertently?) changed how failed probe of a gpmc +child node was handled. Instead of proceeding with setting up any other +children as before, a single error now aborts the whole process. + +This change broke networking on some Overo boards due to probe failing +for an unrelated nand node. This second issue should obviously be +fixed, but let's restore the old behaviour of allowing child-node +probe to fail to avoid further similar breakage on other systems. + +Fixes: d2d00862dfbb ("memory: omap-gpmc: Support general purpose input +for WAITPINs") +Signed-off-by: Johan Hovold +Signed-off-by: Roger Quadros +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/memory/omap-gpmc.c | 21 +++++++-------------- + 1 file changed, 7 insertions(+), 14 deletions(-) + +--- a/drivers/memory/omap-gpmc.c ++++ b/drivers/memory/omap-gpmc.c +@@ -2250,7 +2250,7 @@ static int gpmc_probe_dt(struct platform + return 0; + } + +-static int gpmc_probe_dt_children(struct platform_device *pdev) ++static void gpmc_probe_dt_children(struct platform_device *pdev) + { + int ret; + struct device_node *child; +@@ -2265,11 +2265,11 @@ static int gpmc_probe_dt_children(struct + else + ret = gpmc_probe_generic_child(pdev, child); + +- if (ret) +- return ret; ++ if (ret) { ++ dev_err(&pdev->dev, "failed to probe DT child '%s': %d\n", ++ child->name, ret); ++ } + } +- +- return 0; + } + #else + static int gpmc_probe_dt(struct platform_device *pdev) +@@ -2277,9 +2277,8 @@ static int gpmc_probe_dt(struct platform + return 0; + } + +-static int gpmc_probe_dt_children(struct platform_device *pdev) ++static void gpmc_probe_dt_children(struct platform_device *pdev) + { +- return 0; + } + #endif + +@@ 
-2372,16 +2371,10 @@ static int gpmc_probe(struct platform_de + goto setup_irq_failed; + } + +- rc = gpmc_probe_dt_children(pdev); +- if (rc < 0) { +- dev_err(gpmc->dev, "failed to probe DT children\n"); +- goto dt_children_failed; +- } ++ gpmc_probe_dt_children(pdev); + + return 0; + +-dt_children_failed: +- gpmc_free_irq(gpmc); + setup_irq_failed: + gpmc_gpio_exit(gpmc); + gpio_init_failed: diff --git a/queue-4.7/mm-fix-cache-mode-of-dax-pmd-mappings.patch b/queue-4.7/mm-fix-cache-mode-of-dax-pmd-mappings.patch new file mode 100644 index 00000000000..2d52abae526 --- /dev/null +++ b/queue-4.7/mm-fix-cache-mode-of-dax-pmd-mappings.patch 
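Review bot: gpmc_probe_dt_children() now logs a failed child and carries on, and gpmc_probe() returns 0 regardless, but nothing in the code says that this is deliberate. The commit message explains that an earlier change made child failures fatal by accident, so the next cleanup could do the same again. I would add `/* a failing child must not stop the remaining children from being probed */` above the `if (ret)`. It is not visible in the hunk whether a child that failed part-way leaves a chip select configured; if it can, that deserves a note in the same place. The loop header is outside the hunk.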
@@ -0,0 +1,125 @@ +From 9049771f7d5490a302589976984810064c83ab40 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Wed, 7 Sep 2016 08:51:21 -0700 +Subject: mm: fix cache mode of dax pmd mappings + +From: Dan Williams + +commit 9049771f7d5490a302589976984810064c83ab40 upstream. + +track_pfn_insert() in vmf_insert_pfn_pmd() is marking dax mappings as +uncacheable rendering them impractical for application usage. DAX-pte +mappings are cached and the goal of establishing DAX-pmd mappings is to +attain more performance, not dramatically less (3 orders of magnitude). + +track_pfn_insert() relies on a previous call to reserve_memtype() to +establish the expected page_cache_mode for the range. While memremap() +arranges for reserve_memtype() to be called, devm_memremap_pages() does +not. So, teach track_pfn_insert() and untrack_pfn() how to handle +tracking without a vma, and arrange for devm_memremap_pages() to +establish the write-back-cache reservation in the memtype tree. + +Cc: Matthew Wilcox +Cc: Ross Zwisler +Cc: Nilesh Choudhury +Cc: Kirill A. Shutemov +Reported-by: Toshi Kani +Reported-by: Kai Zhang +Acked-by: Andrew Morton +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/pat.c | 17 ++++++++++------- + kernel/memremap.c | 9 +++++++++ + 2 files changed, 19 insertions(+), 7 deletions(-) + +--- a/arch/x86/mm/pat.c ++++ b/arch/x86/mm/pat.c +@@ -931,9 +931,10 @@ int track_pfn_copy(struct vm_area_struct + } + + /* +- * prot is passed in as a parameter for the new mapping. If the vma has a +- * linear pfn mapping for the entire range reserve the entire vma range with +- * single reserve_pfn_range call. ++ * prot is passed in as a parameter for the new mapping. If the vma has ++ * a linear pfn mapping for the entire range, or no vma is provided, ++ * reserve the entire pfn + size range with single reserve_pfn_range ++ * call. 
+ */ + int track_pfn_remap(struct vm_area_struct *vma, pgprot_t *prot, + unsigned long pfn, unsigned long addr, unsigned long size) +@@ -942,11 +943,12 @@ int track_pfn_remap(struct vm_area_struc + enum page_cache_mode pcm; + + /* reserve the whole chunk starting from paddr */ +- if (addr == vma->vm_start && size == (vma->vm_end - vma->vm_start)) { ++ if (!vma || (addr == vma->vm_start ++ && size == (vma->vm_end - vma->vm_start))) { + int ret; + + ret = reserve_pfn_range(paddr, size, prot, 0); +- if (!ret) ++ if (ret == 0 && vma) + vma->vm_flags |= VM_PAT; + return ret; + } +@@ -1001,7 +1003,7 @@ void untrack_pfn(struct vm_area_struct * + resource_size_t paddr; + unsigned long prot; + +- if (!(vma->vm_flags & VM_PAT)) ++ if (vma && !(vma->vm_flags & VM_PAT)) + return; + + /* free the chunk starting from pfn or the whole chunk */ +@@ -1015,7 +1017,8 @@ void untrack_pfn(struct vm_area_struct * + size = vma->vm_end - vma->vm_start; + } + free_pfn_range(paddr, size); +- vma->vm_flags &= ~VM_PAT; ++ if (vma) ++ vma->vm_flags &= ~VM_PAT; + } + + /* +--- a/kernel/memremap.c ++++ b/kernel/memremap.c +@@ -253,6 +253,7 @@ static void devm_memremap_pages_release( + align_start = res->start & ~(SECTION_SIZE - 1); + align_size = ALIGN(resource_size(res), SECTION_SIZE); + arch_remove_memory(align_start, align_size); ++ untrack_pfn(NULL, PHYS_PFN(align_start), align_size); + pgmap_radix_release(res); + dev_WARN_ONCE(dev, pgmap->altmap && pgmap->altmap->alloc, + "%s: failed to free all reserved pages\n", __func__); +@@ -288,6 +289,7 @@ void *devm_memremap_pages(struct device + struct percpu_ref *ref, struct vmem_altmap *altmap) + { + resource_size_t key, align_start, align_size, align_end; ++ pgprot_t pgprot = PAGE_KERNEL; + struct dev_pagemap *pgmap; + struct page_map *page_map; + int error, nid, is_ram; +@@ -363,6 +365,11 @@ void *devm_memremap_pages(struct device + if (nid < 0) + nid = numa_mem_id(); + ++ error = track_pfn_remap(NULL, &pgprot, PHYS_PFN(align_start), 0, ++ 
align_size); ++ if (error) ++ goto err_pfn_remap; ++ + error = arch_add_memory(nid, align_start, align_size, true); + if (error) + goto err_add_memory; +@@ -383,6 +390,8 @@ void *devm_memremap_pages(struct device + return __va(res->start); + + err_add_memory: ++ untrack_pfn(NULL, PHYS_PFN(align_start), align_size); ++ err_pfn_remap: + err_radix: + pgmap_radix_release(res); + devres_free(page_map); diff --git a/queue-4.7/mm-introduce-get_task_exe_file.patch b/queue-4.7/mm-introduce-get_task_exe_file.patch new file mode 100644 index 00000000000..97de6223501 --- /dev/null +++ b/queue-4.7/mm-introduce-get_task_exe_file.patch 
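Review bot: untrack_pfn() can now be called with `vma == NULL`, but the unchanged line `size = vma->vm_end - vma->vm_start;` a few lines below the new check still dereferences vma. The condition guarding that block is outside the hunk; if it is the case where neither a pfn nor a size was passed, a NULL vma there would fault. The two callers added in kernel/memremap.c pass a real pfn and size, so this is latent, but the contract should be enforced or written down, e.g. `if (WARN_ON_ONCE(!vma)) return;` at the top of that block. The comment above track_pfn_remap() was updated for the no-vma case, while untrack_pfn() got no matching comment.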
@@ -0,0 +1,92 @@ +From cd81a9170e69e018bbaba547c1fd85a585f5697a Mon Sep 17 00:00:00 2001 +From: Mateusz Guzik +Date: Tue, 23 Aug 2016 16:20:38 +0200 +Subject: mm: introduce get_task_exe_file + +From: Mateusz Guzik + +commit cd81a9170e69e018bbaba547c1fd85a585f5697a upstream. + +For more convenient access if one has a pointer to the task. + +As a minor nit take advantage of the fact that only task lock + rcu are +needed to safely grab ->exe_file. This saves mm refcount dance. + +Use the helper in proc_exe_link. + +Signed-off-by: Mateusz Guzik +Acked-by: Konstantin Khlebnikov +Acked-by: Richard Guy Briggs +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/base.c | 7 +------ + include/linux/mm.h | 1 + + kernel/fork.c | 23 +++++++++++++++++++++++ + 3 files changed, 25 insertions(+), 6 deletions(-) + +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -1552,18 +1552,13 @@ static const struct file_operations proc + static int proc_exe_link(struct dentry *dentry, struct path *exe_path) + { + struct task_struct *task; +- struct mm_struct *mm; + struct file *exe_file; + + task = get_proc_task(d_inode(dentry)); + if (!task) + return -ENOENT; +- mm = get_task_mm(task); ++ exe_file = get_task_exe_file(task); + put_task_struct(task); +- if (!mm) +- return -ENOENT; +- exe_file = get_mm_exe_file(mm); +- mmput(mm); + if (exe_file) { + *exe_path = exe_file->f_path; + path_get(&exe_file->f_path); +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -1975,6 +1975,7 @@ extern void mm_drop_all_locks(struct mm_ + + extern void set_mm_exe_file(struct mm_struct *mm, struct file *new_exe_file); + extern struct file *get_mm_exe_file(struct mm_struct *mm); ++extern struct file *get_task_exe_file(struct task_struct *task); + + extern bool may_expand_vm(struct mm_struct *, vm_flags_t, unsigned long npages); + extern void vm_stat_account(struct mm_struct *, vm_flags_t, long npages); +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -801,6 +801,29 @@ struct file 
*get_mm_exe_file(struct mm_s + EXPORT_SYMBOL(get_mm_exe_file); + + /** ++ * get_task_exe_file - acquire a reference to the task's executable file ++ * ++ * Returns %NULL if task's mm (if any) has no associated executable file or ++ * this is a kernel thread with borrowed mm (see the comment above get_task_mm). ++ * User must release file via fput(). ++ */ ++struct file *get_task_exe_file(struct task_struct *task) ++{ ++ struct file *exe_file = NULL; ++ struct mm_struct *mm; ++ ++ task_lock(task); ++ mm = task->mm; ++ if (mm) { ++ if (!(task->flags & PF_KTHREAD)) ++ exe_file = get_mm_exe_file(mm); ++ } ++ task_unlock(task); ++ return exe_file; ++} ++EXPORT_SYMBOL(get_task_exe_file); ++ ++/** + * get_task_mm - acquire a reference to the task's mm + * + * Returns %NULL if the task has no mm. Checks PF_KTHREAD (meaning diff --git a/queue-4.7/mm-mempolicy-task-mempolicy-must-be-null-before-dropping-final-reference.patch b/queue-4.7/mm-mempolicy-task-mempolicy-must-be-null-before-dropping-final-reference.patch new file mode 100644 index 00000000000..6288c5df921 --- /dev/null +++ b/queue-4.7/mm-mempolicy-task-mempolicy-must-be-null-before-dropping-final-reference.patch 
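Review bot: The kernel-doc block for the new get_task_exe_file() has no `@task:` line and does not state the locking it relies on. The body reads `task->mm` under task_lock() and takes the file reference before unlocking, without pinning the mm; the commit message gives the reasoning, the code does not. I would add ` * @task: task whose executable file is wanted` and a sentence such as ` * task_lock() keeps task->mm from changing while the reference is taken.` The two nested `if`s could also be written as one: `if (mm && !(task->flags & PF_KTHREAD))`.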
@@ -0,0 +1,111 @@ +From c11600e4fed67ae4cd6a8096936afd445410e8ed Mon Sep 17 00:00:00 2001 +From: David Rientjes +Date: Thu, 1 Sep 2016 16:15:07 -0700 +Subject: mm, mempolicy: task->mempolicy must be NULL before dropping final reference + +From: David Rientjes + +commit c11600e4fed67ae4cd6a8096936afd445410e8ed upstream. + +KASAN allocates memory from the page allocator as part of +kmem_cache_free(), and that can reference current->mempolicy through any +number of allocation functions. It needs to be NULL'd out before the +final reference is dropped to prevent a use-after-free bug: + + BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr ffff88010b48102c + CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ #140 + ... + Call Trace: + dump_stack + kasan_object_err + kasan_report_error + __asan_report_load2_noabort + alloc_pages_current <-- use after free + depot_save_stack + save_stack + kasan_slab_free + kmem_cache_free + __mpol_put <-- free + do_exit + +This patch sets current->mempolicy to NULL before dropping the final +reference. + +Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1608301442180.63329@chino.kir.corp.google.com +Fixes: cd11016e5f52 ("mm, kasan: stackdepot implementation. 
Enable stackdepot for SLAB") +Signed-off-by: David Rientjes +Reported-by: Vegard Nossum +Acked-by: Andrey Ryabinin +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/mempolicy.h | 4 ++++ + kernel/exit.c | 7 +------ + mm/mempolicy.c | 17 +++++++++++++++++ + 3 files changed, 22 insertions(+), 6 deletions(-) + +--- a/include/linux/mempolicy.h ++++ b/include/linux/mempolicy.h +@@ -195,6 +195,7 @@ static inline bool vma_migratable(struct + } + + extern int mpol_misplaced(struct page *, struct vm_area_struct *, unsigned long); ++extern void mpol_put_task_policy(struct task_struct *); + + #else + +@@ -297,5 +298,8 @@ static inline int mpol_misplaced(struct + return -1; /* no node preference */ + } + ++static inline void mpol_put_task_policy(struct task_struct *task) ++{ ++} + #endif /* CONFIG_NUMA */ + #endif +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -768,12 +768,7 @@ void do_exit(long code) + TASKS_RCU(preempt_enable()); + exit_notify(tsk, group_dead); + proc_exit_connector(tsk); +-#ifdef CONFIG_NUMA +- task_lock(tsk); +- mpol_put(tsk->mempolicy); +- tsk->mempolicy = NULL; +- task_unlock(tsk); +-#endif ++ mpol_put_task_policy(tsk); + #ifdef CONFIG_FUTEX + if (unlikely(current->pi_state_cache)) + kfree(current->pi_state_cache); +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -2334,6 +2334,23 @@ out: + return ret; + } + ++/* ++ * Drop the (possibly final) reference to task->mempolicy. It needs to be ++ * dropped after task->mempolicy is set to NULL so that any allocation done as ++ * part of its kmem_cache_free(), such as by KASAN, doesn't reference a freed ++ * policy. 
++ */ ++void mpol_put_task_policy(struct task_struct *task) ++{ ++ struct mempolicy *pol; ++ ++ task_lock(task); ++ pol = task->mempolicy; ++ task->mempolicy = NULL; ++ task_unlock(task); ++ mpol_put(pol); ++} ++ + static void sp_delete(struct shared_policy *sp, struct sp_node *n) + { + pr_debug("deleting %lx-l%lx\n", n->start, n->end); diff --git a/queue-4.7/mm-oom-prevent-premature-oom-killer-invocation-for-high-order-request.patch b/queue-4.7/mm-oom-prevent-premature-oom-killer-invocation-for-high-order-request.patch new file mode 100644 index 00000000000..6b65c74db73 --- /dev/null +++ b/queue-4.7/mm-oom-prevent-premature-oom-killer-invocation-for-high-order-request.patch 
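Review bot: mpol_put_task_policy() accepts an arbitrary `task`, yet the reasoning in its comment only covers a task that is exiting. The commit message shows alloc_pages_current() dereferencing current->mempolicy; whether such readers take task_lock() is not visible here, so calling the helper on a task that can still allocate may race with them. The only caller in this patch is do_exit(), which is fine. I would extend the comment with `Only call this for a task that is exiting.` so the constraint is stated where the helper is defined.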
@@ -0,0 +1,123 @@ +From 6b4e3181d7bd5ca5ab6f45929e4a5ffa7ab4ab7f Mon Sep 17 00:00:00 2001 +From: Michal Hocko +Date: Thu, 1 Sep 2016 16:14:41 -0700 +Subject: mm, oom: prevent premature OOM killer invocation for high order request + +From: Michal Hocko + +commit 6b4e3181d7bd5ca5ab6f45929e4a5ffa7ab4ab7f upstream. + +There have been several reports about pre-mature OOM killer invocation +in 4.7 kernel when order-2 allocation request (for the kernel stack) +invoked OOM killer even during basic workloads (light IO or even kernel +compile on some filesystems). In all reported cases the memory is +fragmented and there are no order-2+ pages available. There is usually +a large amount of slab memory (usually dentries/inodes) and further +debugging has shown that there are way too many unmovable blocks which +are skipped during the compaction. Multiple reporters have confirmed +that the current linux-next which includes [1] and [2] helped and OOMs +are not reproducible anymore. + +A simpler fix for the late rc and stable is to simply ignore the +compaction feedback and retry as long as there is a reclaim progress and +we are not getting OOM for order-0 pages. We already do that for +CONFING_COMPACTION=n so let's reuse the same code when compaction is +enabled as well. 
+ +[1] http://lkml.kernel.org/r/20160810091226.6709-1-vbabka@suse.cz +[2] http://lkml.kernel.org/r/f7a9ea9d-bb88-bfd6-e340-3a933559305a@suse.cz + +Fixes: 0a0337e0d1d1 ("mm, oom: rework oom detection") +Link: http://lkml.kernel.org/r/20160823074339.GB23577@dhcp22.suse.cz +Signed-off-by: Michal Hocko +Tested-by: Olaf Hering +Tested-by: Ralf-Peter Rohbeck +Cc: Markus Trippelsdorf +Cc: Arkadiusz Miskiewicz +Cc: Ralf-Peter Rohbeck +Cc: Jiri Slaby +Cc: Vlastimil Babka +Cc: Joonsoo Kim +Cc: Tetsuo Handa +Cc: David Rientjes +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page_alloc.c | 50 ++------------------------------------------------ + 1 file changed, 2 insertions(+), 48 deletions(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -3254,53 +3254,6 @@ __alloc_pages_direct_compact(gfp_t gfp_m + return NULL; + } + +-static inline bool +-should_compact_retry(struct alloc_context *ac, int order, int alloc_flags, +- enum compact_result compact_result, enum migrate_mode *migrate_mode, +- int compaction_retries) +-{ +- int max_retries = MAX_COMPACT_RETRIES; +- +- if (!order) +- return false; +- +- /* +- * compaction considers all the zone as desperately out of memory +- * so it doesn't really make much sense to retry except when the +- * failure could be caused by weak migration mode. +- */ +- if (compaction_failed(compact_result)) { +- if (*migrate_mode == MIGRATE_ASYNC) { +- *migrate_mode = MIGRATE_SYNC_LIGHT; +- return true; +- } +- return false; +- } +- +- /* +- * make sure the compaction wasn't deferred or didn't bail out early +- * due to locks contention before we declare that we should give up. +- * But do not retry if the given zonelist is not suitable for +- * compaction. 
+- */ +- if (compaction_withdrawn(compact_result)) +- return compaction_zonelist_suitable(ac, order, alloc_flags); +- +- /* +- * !costly requests are much more important than __GFP_REPEAT +- * costly ones because they are de facto nofail and invoke OOM +- * killer to move on while costly can fail and users are ready +- * to cope with that. 1/4 retries is rather arbitrary but we +- * would need much more detailed feedback from compaction to +- * make a better decision. +- */ +- if (order > PAGE_ALLOC_COSTLY_ORDER) +- max_retries /= 4; +- if (compaction_retries <= max_retries) +- return true; +- +- return false; +-} + #else + static inline struct page * + __alloc_pages_direct_compact(gfp_t gfp_mask, unsigned int order, +@@ -3311,6 +3264,8 @@ __alloc_pages_direct_compact(gfp_t gfp_m + return NULL; + } + ++#endif /* CONFIG_COMPACTION */ ++ + static inline bool + should_compact_retry(struct alloc_context *ac, unsigned int order, int alloc_flags, + enum compact_result compact_result, +@@ -3337,7 +3292,6 @@ should_compact_retry(struct alloc_contex + } + return false; + } +-#endif /* CONFIG_COMPACTION */ + + /* Perform direct synchronous page reclaim */ + static int diff --git a/queue-4.7/net-macb-correct-caps-mask.patch b/queue-4.7/net-macb-correct-caps-mask.patch new file mode 100644 index 00000000000..3f06989b009 --- /dev/null +++ b/queue-4.7/net-macb-correct-caps-mask.patch 
@@ -0,0 +1,37 @@ +From c518189567eaf42b2ec50a4d982484c8e38799f8 Mon Sep 17 00:00:00 2001 +From: Harini Katakam +Date: Fri, 5 Aug 2016 10:31:58 +0530 +Subject: net: macb: Correct CAPS mask + +From: Harini Katakam + +commit c518189567eaf42b2ec50a4d982484c8e38799f8 upstream. + +USRIO and JUMBO CAPS have the same mask. +Fix the same. + +Fixes: ce721a702197 ("net: ethernet: cadence-macb: Add disabled usrio caps") +Signed-off-by: Harini Katakam +Acked-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/cadence/macb.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/cadence/macb.h ++++ b/drivers/net/ethernet/cadence/macb.h +@@ -403,11 +403,11 @@ + #define MACB_CAPS_USRIO_DEFAULT_IS_MII_GMII 0x00000004 + #define MACB_CAPS_NO_GIGABIT_HALF 0x00000008 + #define MACB_CAPS_USRIO_DISABLED 0x00000010 ++#define MACB_CAPS_JUMBO 0x00000020 + #define MACB_CAPS_FIFO_MODE 0x10000000 + #define MACB_CAPS_GIGABIT_MODE_AVAILABLE 0x20000000 + #define MACB_CAPS_SG_DISABLED 0x40000000 + #define MACB_CAPS_MACB_IS_GEM 0x80000000 +-#define MACB_CAPS_JUMBO 0x00000010 + + /* Bit manipulation macros */ + #define MACB_BIT(name) \ diff --git a/queue-4.7/net-thunderx-fix-oops-with-ethtool-register-dump.patch b/queue-4.7/net-thunderx-fix-oops-with-ethtool-register-dump.patch new file mode 100644 index 00000000000..94408979ba7 --- /dev/null +++ b/queue-4.7/net-thunderx-fix-oops-with-ethtool-register-dump.patch 
@@ -0,0 +1,50 @@ +From 1423661fed2c40d6d71b5e2e3aa390f85157f9d5 Mon Sep 17 00:00:00 2001 +From: David Daney +Date: Tue, 16 Aug 2016 13:30:36 -0700 +Subject: net: thunderx: Fix OOPs with ethtool --register-dump + +From: David Daney + +commit 1423661fed2c40d6d71b5e2e3aa390f85157f9d5 upstream. + +The ethtool_ops .get_regs function attempts to read the nonexistent +register NIC_QSET_SQ_0_7_CNM_CHG, which produces a "bus error" type +OOPs. + +Fix by not attempting to read, and removing the definition of, +NIC_QSET_SQ_0_7_CNM_CHG. A zero is written into the register dump to +keep the layout unchanged. + +Signed-off-by: David Daney +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/cavium/thunder/nic_reg.h | 1 - + drivers/net/ethernet/cavium/thunder/nicvf_ethtool.c | 5 ++++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/cavium/thunder/nic_reg.h ++++ b/drivers/net/ethernet/cavium/thunder/nic_reg.h +@@ -170,7 +170,6 @@ + #define NIC_QSET_SQ_0_7_DOOR (0x010838) + #define NIC_QSET_SQ_0_7_STATUS (0x010840) + #define NIC_QSET_SQ_0_7_DEBUG (0x010848) +-#define NIC_QSET_SQ_0_7_CNM_CHG (0x010860) + #define NIC_QSET_SQ_0_7_STAT_0_1 (0x010900) + + #define NIC_QSET_RBDR_0_1_CFG (0x010C00) +--- a/drivers/net/ethernet/cavium/thunder/nicvf_ethtool.c ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_ethtool.c +@@ -382,7 +382,10 @@ static void nicvf_get_regs(struct net_de + p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_DOOR, q); + p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_STATUS, q); + p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_DEBUG, q); +- p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_CNM_CHG, q); ++ /* Padding, was NIC_QSET_SQ_0_7_CNM_CHG, which ++ * produces bus errors when read ++ */ ++ p[i++] = 0; + p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_STAT_0_1, q); + reg_offset = NIC_QSET_SQ_0_7_STAT_0_1 | (1 << 3); + p[i++] = nicvf_queue_reg_read(nic, reg_offset, q); 
diff --git a/queue-4.7/nfsd-close-race-between-nfsd4_release_lockowner-and-nfsd4_lock.patch b/queue-4.7/nfsd-close-race-between-nfsd4_release_lockowner-and-nfsd4_lock.patch
new file mode 100644
index 00000000000..2194cad6e4e
--- /dev/null
+++ b/queue-4.7/nfsd-close-race-between-nfsd4_release_lockowner-and-nfsd4_lock.patch
@@ -0,0 +1,97 @@ +From 885848186fbc2d1d8fb6d2fdc2156638ae289a46 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Wed, 13 Jul 2016 16:40:14 -0400 +Subject: nfsd: Close race between nfsd4_release_lockowner and nfsd4_lock + +From: Chuck Lever + +commit 885848186fbc2d1d8fb6d2fdc2156638ae289a46 upstream. + +nfsd4_release_lockowner finds a lock owner that has no lock state, +and drops cl_lock. Then release_lockowner picks up cl_lock and +unhashes the lock owner. + +During the window where cl_lock is dropped, I don't see anything +preventing a concurrent nfsd4_lock from finding that same lock owner +and adding lock state to it. + +Move release_lockowner() into nfsd4_release_lockowner and hang onto +the cl_lock until after the lock owner's state cannot be found +again. + +Found by inspection, we don't currently have a reproducer. + +Fixes: 2c41beb0e5cf ("nfsd: reduce cl_lock thrashing in ... ") +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4state.c | 40 +++++++++++++++++----------------------- + 1 file changed, 17 insertions(+), 23 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -1200,27 +1200,6 @@ free_ol_stateid_reaplist(struct list_hea + } + } + +-static void release_lockowner(struct nfs4_lockowner *lo) +-{ +- struct nfs4_client *clp = lo->lo_owner.so_client; +- struct nfs4_ol_stateid *stp; +- struct list_head reaplist; +- +- INIT_LIST_HEAD(&reaplist); +- +- spin_lock(&clp->cl_lock); +- unhash_lockowner_locked(lo); +- while (!list_empty(&lo->lo_owner.so_stateids)) { +- stp = list_first_entry(&lo->lo_owner.so_stateids, +- struct nfs4_ol_stateid, st_perstateowner); +- WARN_ON(!unhash_lock_stateid(stp)); +- put_ol_stateid_locked(stp, &reaplist); +- } +- spin_unlock(&clp->cl_lock); +- free_ol_stateid_reaplist(&reaplist); +- nfs4_put_stateowner(&lo->lo_owner); +-} +- + static void release_open_stateid_locks(struct nfs4_ol_stateid *open_stp, + struct 
list_head *reaplist) + { +@@ -5976,6 +5955,7 @@ nfsd4_release_lockowner(struct svc_rqst + __be32 status; + struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); + struct nfs4_client *clp; ++ LIST_HEAD (reaplist); + + dprintk("nfsd4_release_lockowner clientid: (%08x/%08x):\n", + clid->cl_boot, clid->cl_id); +@@ -6006,9 +5986,23 @@ nfsd4_release_lockowner(struct svc_rqst + nfs4_get_stateowner(sop); + break; + } ++ if (!lo) { ++ spin_unlock(&clp->cl_lock); ++ return status; ++ } ++ ++ unhash_lockowner_locked(lo); ++ while (!list_empty(&lo->lo_owner.so_stateids)) { ++ stp = list_first_entry(&lo->lo_owner.so_stateids, ++ struct nfs4_ol_stateid, ++ st_perstateowner); ++ WARN_ON(!unhash_lock_stateid(stp)); ++ put_ol_stateid_locked(stp, &reaplist); ++ } + spin_unlock(&clp->cl_lock); +- if (lo) +- release_lockowner(lo); ++ free_ol_stateid_reaplist(&reaplist); ++ nfs4_put_stateowner(&lo->lo_owner); ++ + return status; + } + diff --git a/queue-4.7/nfsv4.1-fix-oopsable-condition-in-server-callback-races.patch b/queue-4.7/nfsv4.1-fix-oopsable-condition-in-server-callback-races.patch new file mode 100644 index 00000000000..c4b05b75d9b --- /dev/null +++ b/queue-4.7/nfsv4.1-fix-oopsable-condition-in-server-callback-races.patch 
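Review bot: `LIST_HEAD (reaplist);` in the declarations of `nfsd4_release_lockowner()` has a space between the macro name and its argument list, unlike the `INIT_LIST_HEAD(&reaplist);` form in the helper this patch removes; `LIST_HEAD(reaplist);` would match. The inlined unhash loop now depends on `cl_lock` still being held from the owner lookup earlier in the function, which starts outside the hunk. A comment at `unhash_lockowner_locked(lo);` such as `/* cl_lock is held from the lookup above so nfsd4_lock cannot add state to lo in between */` would record why the helper was folded in rather than called after the unlock.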
@@ -0,0 +1,89 @@ +From e09c978aae5bedfdb379be80363b024b7d82638b Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sat, 27 Aug 2016 23:44:04 -0400 +Subject: NFSv4.1: Fix Oopsable condition in server callback races + +From: Trond Myklebust + +commit e09c978aae5bedfdb379be80363b024b7d82638b upstream. + +The slot table hasn't been an array since v3.7. Ensure that we +use nfs4_lookup_slot() to access the slot correctly. + +Fixes: 87dda67e7386 ("NFSv4.1: Allow SEQUENCE to resize the slot table...") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/callback_proc.c | 5 +---- + fs/nfs/nfs4session.c | 33 +++++++++++++++++++++++++++++++++ + fs/nfs/nfs4session.h | 1 + + 3 files changed, 35 insertions(+), 4 deletions(-) + +--- a/fs/nfs/callback_proc.c ++++ b/fs/nfs/callback_proc.c +@@ -430,11 +430,8 @@ static bool referring_call_exists(struct + ((u32 *)&rclist->rcl_sessionid.data)[3], + ref->rc_sequenceid, ref->rc_slotid); + +- spin_lock(&tbl->slot_tbl_lock); +- status = (test_bit(ref->rc_slotid, tbl->used_slots) && +- tbl->slots[ref->rc_slotid].seq_nr == ++ status = nfs4_slot_seqid_in_use(tbl, ref->rc_slotid, + ref->rc_sequenceid); +- spin_unlock(&tbl->slot_tbl_lock); + if (status) + goto out; + } +--- a/fs/nfs/nfs4session.c ++++ b/fs/nfs/nfs4session.c +@@ -172,6 +172,39 @@ struct nfs4_slot *nfs4_lookup_slot(struc + return ERR_PTR(-E2BIG); + } + ++static int nfs4_slot_get_seqid(struct nfs4_slot_table *tbl, u32 slotid, ++ u32 *seq_nr) ++ __must_hold(&tbl->slot_tbl_lock) ++{ ++ struct nfs4_slot *slot; ++ ++ slot = nfs4_lookup_slot(tbl, slotid); ++ if (IS_ERR(slot)) ++ return PTR_ERR(slot); ++ *seq_nr = slot->seq_nr; ++ return 0; ++} ++ ++/* ++ * nfs4_slot_seqid_in_use - test if a slot sequence id is still in use ++ * ++ * Given a slot table, slot id and sequence number, determine if the ++ * RPC call in question is still in flight. This function is mainly ++ * intended for use by the callback channel. 
++ */ ++bool nfs4_slot_seqid_in_use(struct nfs4_slot_table *tbl, u32 slotid, u32 seq_nr) ++{ ++ u32 cur_seq; ++ bool ret = false; ++ ++ spin_lock(&tbl->slot_tbl_lock); ++ if (nfs4_slot_get_seqid(tbl, slotid, &cur_seq) == 0 && ++ cur_seq == seq_nr && test_bit(slotid, tbl->used_slots)) ++ ret = true; ++ spin_unlock(&tbl->slot_tbl_lock); ++ return ret; ++} ++ + /* + * nfs4_alloc_slot - efficiently look for a free slot + * +--- a/fs/nfs/nfs4session.h ++++ b/fs/nfs/nfs4session.h +@@ -78,6 +78,7 @@ extern int nfs4_setup_slot_table(struct + extern void nfs4_shutdown_slot_table(struct nfs4_slot_table *tbl); + extern struct nfs4_slot *nfs4_alloc_slot(struct nfs4_slot_table *tbl); + extern struct nfs4_slot *nfs4_lookup_slot(struct nfs4_slot_table *tbl, u32 slotid); ++extern bool nfs4_slot_seqid_in_use(struct nfs4_slot_table *tbl, u32 slotid, u32 seq_nr); + extern bool nfs4_try_to_lock_slot(struct nfs4_slot_table *tbl, struct nfs4_slot *slot); + extern void nfs4_free_slot(struct nfs4_slot_table *tbl, struct nfs4_slot *slot); + extern void nfs4_slot_tbl_drain_complete(struct nfs4_slot_table *tbl); diff --git a/queue-4.7/nfsv4.1-fix-the-create_session-slot-number-accounting.patch b/queue-4.7/nfsv4.1-fix-the-create_session-slot-number-accounting.patch new file mode 100644 index 00000000000..46e9441bfa4 --- /dev/null +++ b/queue-4.7/nfsv4.1-fix-the-create_session-slot-number-accounting.patch 
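Review bot: In `nfs4_slot_seqid_in_use()` the `test_bit(slotid, tbl->used_slots)` is only reached after `nfs4_slot_get_seqid()` has succeeded, and nothing in the new code says that this ordering matters. `slotid` is `ref->rc_slotid` from the referring-call list in `referring_call_exists()`, so it is peer-supplied, and the removed code used it to index both `used_slots` and `slots[]` with no range check. The lookup, whose visible context ends in `return ERR_PTR(-E2BIG);`, appears to be what rejects an out-of-range id; its body is outside the hunk, so that should be confirmed. I would add a comment above the condition, `/* lookup first: it range-checks slotid before test_bit() */`, so a later reorder of the `&&` chain does not reintroduce an unchecked index.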
@@ -0,0 +1,46 @@ +From b519d408ea32040b1c7e10b155a3ee9a36660947 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sun, 11 Sep 2016 14:50:01 -0400 +Subject: NFSv4.1: Fix the CREATE_SESSION slot number accounting + +From: Trond Myklebust + +commit b519d408ea32040b1c7e10b155a3ee9a36660947 upstream. + +Ensure that we conform to the algorithm described in RFC5661, section +18.36.4 for when to bump the sequence id. In essence we do it for all +cases except when the RPC call timed out, or in case of the server returning +NFS4ERR_DELAY or NFS4ERR_STALE_CLIENTID. + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -7509,12 +7509,20 @@ static int _nfs4_proc_create_session(str + status = rpc_call_sync(session->clp->cl_rpcclient, &msg, RPC_TASK_TIMEOUT); + trace_nfs4_create_session(clp, status); + ++ switch (status) { ++ case -NFS4ERR_STALE_CLIENTID: ++ case -NFS4ERR_DELAY: ++ case -ETIMEDOUT: ++ case -EACCES: ++ case -EAGAIN: ++ goto out; ++ }; ++ ++ clp->cl_seqid++; + if (!status) { + /* Verify the session's negotiated channel_attrs values */ + status = nfs4_verify_channel_attrs(&args, &res); + /* Increment the clientid slot sequence id */ +- if (clp->cl_seqid == res.seqid) +- clp->cl_seqid++; + if (status) + goto out; + nfs4_update_session(session, &res); diff --git a/queue-4.7/nfsv4.x-fix-a-refcount-leak-in-nfs_callback_up_net.patch b/queue-4.7/nfsv4.x-fix-a-refcount-leak-in-nfs_callback_up_net.patch new file mode 100644 index 00000000000..d51f5284d46 --- /dev/null +++ b/queue-4.7/nfsv4.x-fix-a-refcount-leak-in-nfs_callback_up_net.patch 
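Review bot: The context comment `/* Increment the clientid slot sequence id */` is left above `if (status) goto out;` in `_nfs4_proc_create_session()`, although the increment it described now happens earlier, at `clp->cl_seqid++;`. It should move to that line. The new `switch` closes with `};`, so the stray semicolon can go. It also lists `-EACCES` and `-EAGAIN`, which the commit message does not name among the cases that skip the bump; a one-line comment on the `switch` saying why those two are treated like the timeout case would help. The function starts and ends outside the hunk.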
@@ -0,0 +1,29 @@ +From 98b0f80c2396224bbbed81792b526e6c72ba9efa Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 29 Aug 2016 11:15:36 -0400 +Subject: NFSv4.x: Fix a refcount leak in nfs_callback_up_net + +From: Trond Myklebust + +commit 98b0f80c2396224bbbed81792b526e6c72ba9efa upstream. + +On error, the callers expect us to return without bumping +nn->cb_users[]. + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/callback.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfs/callback.c ++++ b/fs/nfs/callback.c +@@ -275,6 +275,7 @@ static int nfs_callback_up_net(int minor + err_socks: + svc_rpcb_cleanup(serv, net); + err_bind: ++ nn->cb_users[minorversion]--; + dprintk("NFS: Couldn't create callback socket: err = %d; " + "net = %p\n", ret, net); + return ret; diff --git a/queue-4.7/perf-x86-amd-make-hw_cache_references-and-hw_cache_misses-measure-l2.patch b/queue-4.7/perf-x86-amd-make-hw_cache_references-and-hw_cache_misses-measure-l2.patch new file mode 100644 index 00000000000..15c10d61e79 --- /dev/null +++ b/queue-4.7/perf-x86-amd-make-hw_cache_references-and-hw_cache_misses-measure-l2.patch 
@@ -0,0 +1,67 @@ +From 080fe0b790ad438fc1b61621dac37c1964ce7f35 Mon Sep 17 00:00:00 2001 +From: Matt Fleming +Date: Wed, 24 Aug 2016 14:12:08 +0100 +Subject: perf/x86/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2 + +From: Matt Fleming + +commit 080fe0b790ad438fc1b61621dac37c1964ce7f35 upstream. + +While the Intel PMU monitors the LLC when perf enables the +HW_CACHE_REFERENCES and HW_CACHE_MISSES events, these events monitor +L1 instruction cache fetches (0x0080) and instruction cache misses +(0x0081) on the AMD PMU. + +This is extremely confusing when monitoring the same workload across +Intel and AMD machines, since parameters like, + + $ perf stat -e cache-references,cache-misses + +measure completely different things. + +Instead, make the AMD PMU measure instruction/data cache and TLB fill +requests to the L2 and instruction/data cache and TLB misses in the L2 +when HW_CACHE_REFERENCES and HW_CACHE_MISSES are enabled, +respectively. That way the events measure unified caches on both +platforms. 
+ +Signed-off-by: Matt Fleming +Acked-by: Peter Zijlstra +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/1472044328-21302-1-git-send-email-matt@codeblueprint.co.uk +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/amd/core.c | 4 ++-- + arch/x86/kvm/pmu_amd.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/x86/events/amd/core.c ++++ b/arch/x86/events/amd/core.c +@@ -119,8 +119,8 @@ static const u64 amd_perfmon_event_map[P + { + [PERF_COUNT_HW_CPU_CYCLES] = 0x0076, + [PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0, +- [PERF_COUNT_HW_CACHE_REFERENCES] = 0x0080, +- [PERF_COUNT_HW_CACHE_MISSES] = 0x0081, ++ [PERF_COUNT_HW_CACHE_REFERENCES] = 0x077d, ++ [PERF_COUNT_HW_CACHE_MISSES] = 0x077e, + [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = 0x00c2, + [PERF_COUNT_HW_BRANCH_MISSES] = 0x00c3, + [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND] = 0x00d0, /* "Decoder empty" event */ +--- a/arch/x86/kvm/pmu_amd.c ++++ b/arch/x86/kvm/pmu_amd.c +@@ -23,8 +23,8 @@ + static struct kvm_event_hw_type_mapping amd_event_mapping[] = { + [0] = { 0x76, 0x00, PERF_COUNT_HW_CPU_CYCLES }, + [1] = { 0xc0, 0x00, PERF_COUNT_HW_INSTRUCTIONS }, +- [2] = { 0x80, 0x00, PERF_COUNT_HW_CACHE_REFERENCES }, +- [3] = { 0x81, 0x00, PERF_COUNT_HW_CACHE_MISSES }, ++ [2] = { 0x7d, 0x07, PERF_COUNT_HW_CACHE_REFERENCES }, ++ [3] = { 0x7e, 0x07, PERF_COUNT_HW_CACHE_MISSES }, + [4] = { 0xc2, 0x00, PERF_COUNT_HW_BRANCH_INSTRUCTIONS }, + [5] = { 0xc3, 0x00, PERF_COUNT_HW_BRANCH_MISSES }, + [6] = { 0xd0, 0x00, PERF_COUNT_HW_STALLED_CYCLES_FRONTEND }, diff --git a/queue-4.7/perf-x86-intel-cqm-check-cqm-mbm-enabled-state-in-event-init.patch b/queue-4.7/perf-x86-intel-cqm-check-cqm-mbm-enabled-state-in-event-init.patch new file mode 100644 index 00000000000..55c9731a9c6 --- /dev/null +++ b/queue-4.7/perf-x86-intel-cqm-check-cqm-mbm-enabled-state-in-event-init.patch 
@@ -0,0 +1,69 @@ +From 79d102cbfd2e9d94257fcc7c82807ef1cdf80322 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Mon, 5 Sep 2016 17:30:07 +0200 +Subject: perf/x86/intel/cqm: Check cqm/mbm enabled state in event init + +From: Jiri Olsa + +commit 79d102cbfd2e9d94257fcc7c82807ef1cdf80322 upstream. + +Yanqiu Zhang reported kernel panic when using mbm event +on system where CQM is detected but without mbm event +support, like with perf: + + # perf stat -e 'intel_cqm/event=3/' -a + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 + IP: [] update_sample+0xbc/0xe0 + ... + + [] __intel_mbm_event_init+0x18/0x20 + [] flush_smp_call_function_queue+0x7b/0x160 + [] generic_smp_call_function_single_interrupt+0x13/0x60 + [] smp_call_function_interrupt+0x27/0x40 + [] call_function_interrupt+0x8c/0xa0 + ... + +The reason is that we currently allow to init mbm event +even if mbm support is not detected. Adding checks for +both cqm and mbm events and support into cqm's event_init. 
+ +Fixes: 33c3cc7acfd9 ("perf/x86/mbm: Add Intel Memory B/W Monitoring enumeration and init") +Reported-by: Yanqiu Zhang +Signed-off-by: Jiri Olsa +Acked-by: Peter Zijlstra +Cc: Vikas Shivappa +Cc: Tony Luck +Link: http://lkml.kernel.org/r/1473089407-21857-1-git-send-email-jolsa@kernel.org +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/intel/cqm.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/arch/x86/events/intel/cqm.c ++++ b/arch/x86/events/intel/cqm.c +@@ -458,6 +458,11 @@ static void __intel_cqm_event_count(void + static void init_mbm_sample(u32 rmid, u32 evt_type); + static void __intel_mbm_event_count(void *info); + ++static bool is_cqm_event(int e) ++{ ++ return (e == QOS_L3_OCCUP_EVENT_ID); ++} ++ + static bool is_mbm_event(int e) + { + return (e >= QOS_MBM_TOTAL_EVENT_ID && e <= QOS_MBM_LOCAL_EVENT_ID); +@@ -1366,6 +1371,10 @@ static int intel_cqm_event_init(struct p + (event->attr.config > QOS_MBM_LOCAL_EVENT_ID)) + return -EINVAL; + ++ if ((is_cqm_event(event->attr.config) && !cqm_enabled) || ++ (is_mbm_event(event->attr.config) && !mbm_enabled)) ++ return -EINVAL; ++ + /* unsupported modes and filters */ + if (event->attr.exclude_user || + event->attr.exclude_kernel || diff --git a/queue-4.7/perf-x86-intel-fix-pebsv3-record-drain.patch b/queue-4.7/perf-x86-intel-fix-pebsv3-record-drain.patch new file mode 100644 index 00000000000..7062d797642 --- /dev/null +++ b/queue-4.7/perf-x86-intel-fix-pebsv3-record-drain.patch 
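Review bot: `is_cqm_event(int e)` follows `is_mbm_event(int e)` in taking an `int`, but the new call sites in `intel_cqm_event_init()` pass `event->attr.config`, a 64-bit user-supplied value, so the argument is narrowed implicitly. That is harmless here only because the new test sits after the existing range check ending in `(event->attr.config > QOS_MBM_LOCAL_EVENT_ID)) return -EINVAL;`. Either give the new helper a `u64` parameter or add a comment on the new `if`, e.g. `/* config was range-checked above, so the int conversion is exact */`, so the check is not moved ahead of the range test later.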
@@ -0,0 +1,82 @@ +From 8ef9b8455a2a3049efa9e46e8a6402b972a3eb41 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Wed, 7 Sep 2016 14:42:55 +0200 +Subject: perf/x86/intel: Fix PEBSv3 record drain + +From: Peter Zijlstra + +commit 8ef9b8455a2a3049efa9e46e8a6402b972a3eb41 upstream. + +Alexander hit the WARN_ON_ONCE(!event) on his Skylake while running +the perf fuzzer. + +This means the PEBSv3 record included a status bit for an inactive +event, something that _should_ not happen. + +Move the code that filters the status bits against our known PEBS +events up a spot to guarantee we only deal with events we know about. + +Further add "continue" statements to the WARN_ON_ONCE()s such that +we'll not die nor generate silly events in case we ever do hit them +again. + +Reported-by: Alexander Shishkin +Tested-by: Alexander Shishkin +Signed-off-by: Peter Zijlstra (Intel) +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: a3d86542de88 ("perf/x86/intel/pebs: Add PEBSv3 decoding") +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/intel/ds.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -1274,18 +1274,18 @@ static void intel_pmu_drain_pebs_nhm(str + struct pebs_record_nhm *p = at; + u64 pebs_status; + +- /* PEBS v3 has accurate status bits */ ++ pebs_status = p->status & cpuc->pebs_enabled; ++ pebs_status &= (1ULL << x86_pmu.max_pebs_events) - 1; ++ ++ /* PEBS v3 has more accurate status bits */ + if (x86_pmu.intel_cap.pebs_format >= 3) { +- for_each_set_bit(bit, (unsigned long *)&p->status, +- MAX_PEBS_EVENTS) ++ for_each_set_bit(bit, (unsigned long *)&pebs_status, ++ x86_pmu.max_pebs_events) + counts[bit]++; + + continue; + } + +- pebs_status = p->status & cpuc->pebs_enabled; +- pebs_status &= (1ULL << 
x86_pmu.max_pebs_events) - 1; +- + /* + * On some CPUs the PEBS status can be zero when PEBS is + * racing with clearing of GLOBAL_STATUS. +@@ -1333,8 +1333,11 @@ static void intel_pmu_drain_pebs_nhm(str + continue; + + event = cpuc->events[bit]; +- WARN_ON_ONCE(!event); +- WARN_ON_ONCE(!event->attr.precise_ip); ++ if (WARN_ON_ONCE(!event)) ++ continue; ++ ++ if (WARN_ON_ONCE(!event->attr.precise_ip)) ++ continue; + + /* log dropped samples number */ + if (error[bit]) diff --git a/queue-4.7/perf-x86-intel-pt-do-validate-the-size-of-a-kernel-address-filter.patch b/queue-4.7/perf-x86-intel-pt-do-validate-the-size-of-a-kernel-address-filter.patch new file mode 100644 index 00000000000..2b94cdc4dd2 --- /dev/null +++ b/queue-4.7/perf-x86-intel-pt-do-validate-the-size-of-a-kernel-address-filter.patch 
@@ -0,0 +1,54 @@ +From 1155bafcb79208abc6ae234c6e135ac70607755c Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Thu, 15 Sep 2016 18:13:52 +0300 +Subject: perf/x86/intel/pt: Do validate the size of a kernel address filter + +From: Alexander Shishkin + +commit 1155bafcb79208abc6ae234c6e135ac70607755c upstream. + +Right now, the kernel address filters in PT are prone to integer overflow +that may happen in adding filter's size to its offset to obtain the end +of the range. Such an overflow would also throw a #GP in the PT event +configuration path. + +Fix this by explicitly validating the result of this calculation. + +Reported-by: Adrian Hunter +Signed-off-by: Alexander Shishkin +Acked-by: Peter Zijlstra +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: vince@deater.net +Link: http://lkml.kernel.org/r/20160915151352.21306-4-alexander.shishkin@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/intel/pt.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/x86/events/intel/pt.c ++++ b/arch/x86/events/intel/pt.c +@@ -1089,8 +1089,13 @@ static int pt_event_addr_filters_validat + if (!filter->range || !filter->size) + return -EOPNOTSUPP; + +- if (!filter->inode && !valid_kernel_ip(filter->offset)) +- return -EINVAL; ++ if (!filter->inode) { ++ if (!valid_kernel_ip(filter->offset)) ++ return -EINVAL; ++ ++ if (!valid_kernel_ip(filter->offset + filter->size)) ++ return -EINVAL; ++ } + + if (++range > pt_cap_get(PT_CAP_num_address_ranges)) + return -EOPNOTSUPP; diff --git a/queue-4.7/perf-x86-intel-pt-fix-an-off-by-one-in-address-filter-configuration.patch b/queue-4.7/perf-x86-intel-pt-fix-an-off-by-one-in-address-filter-configuration.patch new file mode 100644 index 00000000000..aed3f6cf64e --- /dev/null 
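Review bot: The new end-of-range test `valid_kernel_ip(filter->offset + filter->size)` in `pt_event_addr_filters_validate()` rejects a wrapped sum only when the wrapped value is not itself a valid kernel address. A sum that wraps to a kernel address below `offset` would pass and leave a range whose end precedes its start. Making the overflow check explicit closes that: `if (filter->offset + filter->size < filter->offset) return -EINVAL;`, assuming both fields are unsigned, which the hunk does not show. The address tested is also one past the last byte, while the off-by-one patch in this same queue programs `msr_b = filter->size + msr_a - 1`, so testing `filter->offset + filter->size - 1` would match what reaches the MSR.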
+++ b/queue-4.7/perf-x86-intel-pt-fix-an-off-by-one-in-address-filter-configuration.patch @@ -0,0 +1,57 @@ +From 95f60084acbcee6c466256cf26eb52191fad9edc Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Thu, 15 Sep 2016 18:13:50 +0300 +Subject: perf/x86/intel/pt: Fix an off-by-one in address filter configuration + +From: Alexander Shishkin + +commit 95f60084acbcee6c466256cf26eb52191fad9edc upstream. + +PT address filter configuration requires that a range is specified by +its first and last address, but at the moment we're obtaining the end +of the range by adding user specified size to its start, which is off +by one from what it actually needs to be. + +Fix this and make sure that zero-sized filters don't pass the filter +validation. + +Reported-by: Adrian Hunter +Signed-off-by: Alexander Shishkin +Acked-by: Peter Zijlstra +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: vince@deater.net +Link: http://lkml.kernel.org/r/20160915151352.21306-2-alexander.shishkin@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/intel/pt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/events/intel/pt.c ++++ b/arch/x86/events/intel/pt.c +@@ -1081,7 +1081,7 @@ static int pt_event_addr_filters_validat + + list_for_each_entry(filter, filters, entry) { + /* PT doesn't support single address triggers */ +- if (!filter->range) ++ if (!filter->range || !filter->size) + return -EOPNOTSUPP; + + if (!filter->inode && !kernel_ip(filter->offset)) +@@ -1111,7 +1111,7 @@ static void pt_event_addr_filters_sync(s + } else { + /* apply the offset */ + msr_a = filter->offset + offs[range]; +- msr_b = filter->size + msr_a; ++ msr_b = filter->size + msr_a - 1; + } + + filters->filter[range].msr_a = msr_a; 
diff --git a/queue-4.7/perf-x86-intel-pt-fix-kernel-address-filter-s-offset-validation.patch b/queue-4.7/perf-x86-intel-pt-fix-kernel-address-filter-s-offset-validation.patch
new file mode 100644
index 00000000000..803ea3bd9e1
--- /dev/null
+++ b/queue-4.7/perf-x86-intel-pt-fix-kernel-address-filter-s-offset-validation.patch
@@ -0,0 +1,60 @@
+From ddfdad991e55b65c1cc4ee29502f6dceee04455a Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin
+Date: Thu, 15 Sep 2016 18:13:51 +0300
+Subject: perf/x86/intel/pt: Fix kernel address filter's offset validation
+
+From: Alexander Shishkin
+
+commit ddfdad991e55b65c1cc4ee29502f6dceee04455a upstream.
+
+The kernel_ip() filter is used mostly by the DS/LBR code to look at the
+branch addresses, but Intel PT also uses it to validate the address
+filter offsets for kernel addresses, for which it is not sufficient:
+supplying something in bits 64:48 that's not a sign extension of the lower
+address bits (like 0xf00d000000000000) throws a #GP.
+
+This patch adds address validation for the user supplied kernel filters.
+
+Reported-by: Adrian Hunter
+Signed-off-by: Alexander Shishkin
+Acked-by: Peter Zijlstra
+Cc: Arnaldo Carvalho de Melo
+Cc: Arnaldo Carvalho de Melo
+Cc: Jiri Olsa
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Cc: Thomas Gleixner
+Cc: Vince Weaver
+Cc: vince@deater.net
+Link: http://lkml.kernel.org/r/20160915151352.21306-3-alexander.shishkin@linux.intel.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/events/intel/pt.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/events/intel/pt.c
++++ b/arch/x86/events/intel/pt.c
+@@ -1074,6 +1074,11 @@ static void pt_addr_filters_fini(struct
+ event->hw.addr_filters = NULL;
+ }
+
++static inline bool valid_kernel_ip(unsigned long ip)
++{
++ return virt_addr_valid(ip) && kernel_ip(ip);
++}
++
+ static int pt_event_addr_filters_validate(struct list_head *filters)
+ {
+ struct perf_addr_filter *filter;
+@@ -1084,7 +1089,7 @@ static int pt_event_addr_filters_validat
+ if (!filter->range || !filter->size)
+ return -EOPNOTSUPP;
+
+- if (!filter->inode && !kernel_ip(filter->offset))
++ if (!filter->inode && !valid_kernel_ip(filter->offset))
+ return -EINVAL;
+
+ if (++range > pt_cap_get(PT_CAP_num_address_ranges))
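Review bot: `valid_kernel_ip()` carries no comment saying why `virt_addr_valid()` is needed on top of `kernel_ip()`, and the names do not make the reason obvious. Per the commit message the aim is to reject non-canonical addresses that fault when programmed as a filter, so a line such as `/* kernel_ip() accepts non-canonical addresses, which #GP when used as a PT address filter */` above the helper would record that. `virt_addr_valid()` is presumably stricter than a canonical-form check, so it is worth confirming that kernel addresses users legitimately filter on (module text, for instance) still pass. Only `filter->offset` is checked here; the rest of pt_event_addr_filters_validate() lies outside the hunk.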
diff --git a/queue-4.7/pinctrl-pistachio-fix-mfio-pll_lock-pinmux.patch b/queue-4.7/pinctrl-pistachio-fix-mfio-pll_lock-pinmux.patch
new file mode 100644
index 00000000000..464db8bedb8
--- /dev/null
+++ b/queue-4.7/pinctrl-pistachio-fix-mfio-pll_lock-pinmux.patch
@@ -0,0 +1,52 @@ +From a32ac2912f97d7ea9b67eb67bb4aa30b9156a88e Mon Sep 17 00:00:00 2001 +From: James Hartley +Date: Fri, 19 Aug 2016 12:03:23 +0100 +Subject: pinctrl: pistachio: fix mfio pll_lock pinmux + +From: James Hartley + +commit a32ac2912f97d7ea9b67eb67bb4aa30b9156a88e upstream. + +A previous patch attempted to fix the pinmuxes for mfio 84 - 89, but it +omitted a change to pistachio_pin_group pistachio_groups, which results +in incorrect pll_lock signals being routed. + +Apply the correct mux settings throughout the driver. + +fixes: cefc03e5995e ("pinctrl: Add Pistachio SoC pin control driver") +fixes: e9adb336d0bf ("pinctrl: pistachio: fix mfio84-89 function description and pinmux.") +Signed-off-by: James Hartley +Reviewed-by: Sifan Naeem +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/pinctrl-pistachio.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/pinctrl/pinctrl-pistachio.c ++++ b/drivers/pinctrl/pinctrl-pistachio.c +@@ -809,17 +809,17 @@ static const struct pistachio_pin_group + PADS_FUNCTION_SELECT2, 12, 0x3), + MFIO_MUX_PIN_GROUP(83, MIPS_PLL_LOCK, MIPS_TRACE_DATA, USB_DEBUG, + PADS_FUNCTION_SELECT2, 14, 0x3), +- MFIO_MUX_PIN_GROUP(84, SYS_PLL_LOCK, MIPS_TRACE_DATA, USB_DEBUG, ++ MFIO_MUX_PIN_GROUP(84, AUDIO_PLL_LOCK, MIPS_TRACE_DATA, USB_DEBUG, + PADS_FUNCTION_SELECT2, 16, 0x3), +- MFIO_MUX_PIN_GROUP(85, WIFI_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG, ++ MFIO_MUX_PIN_GROUP(85, RPU_V_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG, + PADS_FUNCTION_SELECT2, 18, 0x3), +- MFIO_MUX_PIN_GROUP(86, BT_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG, ++ MFIO_MUX_PIN_GROUP(86, RPU_L_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG, + PADS_FUNCTION_SELECT2, 20, 0x3), +- MFIO_MUX_PIN_GROUP(87, RPU_V_PLL_LOCK, DREQ2, SOCIF_DEBUG, ++ MFIO_MUX_PIN_GROUP(87, SYS_PLL_LOCK, DREQ2, SOCIF_DEBUG, + PADS_FUNCTION_SELECT2, 22, 0x3), +- MFIO_MUX_PIN_GROUP(88, RPU_L_PLL_LOCK, DREQ3, SOCIF_DEBUG, ++ 
MFIO_MUX_PIN_GROUP(88, WIFI_PLL_LOCK, DREQ3, SOCIF_DEBUG, + PADS_FUNCTION_SELECT2, 24, 0x3), +- MFIO_MUX_PIN_GROUP(89, AUDIO_PLL_LOCK, DREQ4, DREQ5, ++ MFIO_MUX_PIN_GROUP(89, BT_PLL_LOCK, DREQ4, DREQ5, + PADS_FUNCTION_SELECT2, 26, 0x3), + PIN_GROUP(TCK, "tck"), + PIN_GROUP(TRSTN, "trstn"), diff --git a/queue-4.7/pinctrl-sunxi-fix-uart1-cts-rts-pins-at-pg-on-a23-a33.patch b/queue-4.7/pinctrl-sunxi-fix-uart1-cts-rts-pins-at-pg-on-a23-a33.patch new file mode 100644 index 00000000000..de3262e605c --- /dev/null +++ b/queue-4.7/pinctrl-sunxi-fix-uart1-cts-rts-pins-at-pg-on-a23-a33.patch 
@@ -0,0 +1,57 @@ +From 486095fae3a8a6b1ae07c51844699d9bd5cfbebc Mon Sep 17 00:00:00 2001 +From: Icenowy Zheng +Date: Tue, 23 Aug 2016 13:58:25 +0800 +Subject: pinctrl: sunxi: fix uart1 CTS/RTS pins at PG on A23/A33 + +From: Icenowy Zheng + +commit 486095fae3a8a6b1ae07c51844699d9bd5cfbebc upstream. + +PG8, PG9 is said to be the CTS/RTS pins for UART1 according to the A23/33 +datasheets. However, the function is wrongly named "uart2" in the pinctrl +driver. This patch fixes this by modifying them to be named "uart1". + +Signed-off-by: Icenowy Zheng +Acked-by: Maxime Ripard +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/sunxi/pinctrl-sun8i-a23.c | 4 ++-- + drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/pinctrl/sunxi/pinctrl-sun8i-a23.c ++++ b/drivers/pinctrl/sunxi/pinctrl-sun8i-a23.c +@@ -485,12 +485,12 @@ static const struct sunxi_desc_pin sun8i + SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 8), + SUNXI_FUNCTION(0x0, "gpio_in"), + SUNXI_FUNCTION(0x1, "gpio_out"), +- SUNXI_FUNCTION(0x2, "uart2"), /* RTS */ ++ SUNXI_FUNCTION(0x2, "uart1"), /* RTS */ + SUNXI_FUNCTION_IRQ_BANK(0x4, 2, 8)), /* PG_EINT8 */ + SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 9), + SUNXI_FUNCTION(0x0, "gpio_in"), + SUNXI_FUNCTION(0x1, "gpio_out"), +- SUNXI_FUNCTION(0x2, "uart2"), /* CTS */ ++ SUNXI_FUNCTION(0x2, "uart1"), /* CTS */ + SUNXI_FUNCTION_IRQ_BANK(0x4, 2, 9)), /* PG_EINT9 */ + SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 10), + SUNXI_FUNCTION(0x0, "gpio_in"), +--- a/drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c ++++ b/drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c +@@ -407,12 +407,12 @@ static const struct sunxi_desc_pin sun8i + SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 8), + SUNXI_FUNCTION(0x0, "gpio_in"), + SUNXI_FUNCTION(0x1, "gpio_out"), +- SUNXI_FUNCTION(0x2, "uart2"), /* RTS */ ++ SUNXI_FUNCTION(0x2, "uart1"), /* RTS */ + SUNXI_FUNCTION_IRQ_BANK(0x4, 1, 8)), /* PG_EINT8 */ + SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 9), + 
SUNXI_FUNCTION(0x0, "gpio_in"), + SUNXI_FUNCTION(0x1, "gpio_out"), +- SUNXI_FUNCTION(0x2, "uart2"), /* CTS */ ++ SUNXI_FUNCTION(0x2, "uart1"), /* CTS */ + SUNXI_FUNCTION_IRQ_BANK(0x4, 1, 9)), /* PG_EINT9 */ + SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 10), + SUNXI_FUNCTION(0x0, "gpio_in"), diff --git a/queue-4.7/pnfs-ensure-layoutget-and-layoutreturn-are-properly-serialised.patch b/queue-4.7/pnfs-ensure-layoutget-and-layoutreturn-are-properly-serialised.patch new file mode 100644 index 00000000000..fa2156b9c77 --- /dev/null +++ b/queue-4.7/pnfs-ensure-layoutget-and-layoutreturn-are-properly-serialised.patch 
@@ -0,0 +1,55 @@
+From bf0291dd2267a2b9a4cd74d65249553d11bb45d6 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Sat, 3 Sep 2016 10:39:51 -0400
+Subject: pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised
+
+From: Trond Myklebust
+
+commit bf0291dd2267a2b9a4cd74d65249553d11bb45d6 upstream.
+
+According to RFC5661, the client is responsible for serialising
+LAYOUTGET and LAYOUTRETURN to avoid ambiguity. Consider the case
+where we send both in parallel.
+
+Client Server
+====== ======
+LAYOUTGET(seqid=X)
+LAYOUTRETURN(seqid=X)
+ LAYOUTGET return seqid=X+1
+ LAYOUTRETURN return seqid=X+2
+Process LAYOUTRETURN
+ Forget layout stateid
+Process LAYOUTGET
+ Set seqid=X+1
+
+The client processes the layoutget/layoutreturn in the wrong order,
+and since the result of the layoutreturn was to clear the only
+existing layout segment, the client forgets the layout stateid.
+
+When the LAYOUTGET comes in, it is treated as having a completely
+new stateid, and so the client sets the wrong sequence id...
+
+Fix is to check if there are outstanding LAYOUTGET requests
+before we send the LAYOUTRETURN (note that LAYOUGET will already
+wait if it sees an outstanding LAYOUTRETURN).
+
+Signed-off-by: Trond Myklebust
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/pnfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -876,6 +876,9 @@ void pnfs_clear_layoutreturn_waitbit(str
+ static bool
+ pnfs_prepare_layoutreturn(struct pnfs_layout_hdr *lo)
+ {
++ /* Serialise LAYOUTGET/LAYOUTRETURN */
++ if (atomic_read(&lo->plh_outstanding) != 0)
++ return false;
+ if (test_and_set_bit(NFS_LAYOUT_RETURN, &lo->plh_flags))
+ return false;
+ lo->plh_return_iomode = 0;
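Review bot: The new `plh_outstanding` test and the `test_and_set_bit()` that follows it are two separate steps, so the serialisation only holds if LAYOUTGET's increment of `plh_outstanding` is ordered against this function by a lock the hunk does not show. pnfs_prepare_layoutreturn() should state that requirement, for example by extending the comment to `/* Serialise LAYOUTGET/LAYOUTRETURN; caller must hold the lock that protects plh_outstanding updates */`. The comment should also say what the `false` return now means for callers: a return skipped because a LAYOUTGET is in flight has to be re-attempted later, and nothing visible here arranges that. The function body continues past the end of the hunk.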
diff --git a/queue-4.7/pnfs-flexfiles-fix-an-oopsable-condition-when-connection-to-the-ds-fails.patch b/queue-4.7/pnfs-flexfiles-fix-an-oopsable-condition-when-connection-to-the-ds-fails.patch
new file mode 100644
index 00000000000..b97401b46c3
--- /dev/null
+++ b/queue-4.7/pnfs-flexfiles-fix-an-oopsable-condition-when-connection-to-the-ds-fails.patch
@@ -0,0 +1,155 @@ +From 3dc147359e3dcdf0648f1e2c11f62cfae3160df0 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 29 Aug 2016 15:12:54 -0400 +Subject: pNFS/flexfiles: Fix an Oopsable condition when connection to the DS fails + +From: Trond Myklebust + +commit 3dc147359e3dcdf0648f1e2c11f62cfae3160df0 upstream. + +If the attempt to connect to a DS fails inside ff_layout_pg_init_read or +ff_layout_pg_init_write, then we currently end up clearing the layout +segment carried by the struct nfs_pageio_descriptor, causing an Oops +when we later call into ff_layout_read_pagelist/ff_layout_write_pagelist. + +The fix is to ensure we return the layout and then retry. + +Fixes: 446ca2195303 ("pNFS/flexfiles: When initing reads or writes, we...") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/flexfilelayout/flexfilelayout.c | 37 ++++++++++++++---------------- + fs/nfs/flexfilelayout/flexfilelayoutdev.c | 19 ++++++++------- + 2 files changed, 28 insertions(+), 28 deletions(-) + +--- a/fs/nfs/flexfilelayout/flexfilelayout.c ++++ b/fs/nfs/flexfilelayout/flexfilelayout.c +@@ -806,11 +806,14 @@ ff_layout_choose_best_ds_for_read(struct + { + struct nfs4_ff_layout_segment *fls = FF_LAYOUT_LSEG(lseg); + struct nfs4_pnfs_ds *ds; ++ bool fail_return = false; + int idx; + + /* mirrors are sorted by efficiency */ + for (idx = start_idx; idx < fls->mirror_array_cnt; idx++) { +- ds = nfs4_ff_layout_prepare_ds(lseg, idx, false); ++ if (idx+1 == fls->mirror_array_cnt) ++ fail_return = true; ++ ds = nfs4_ff_layout_prepare_ds(lseg, idx, fail_return); + if (ds) { + *best_idx = idx; + return ds; +@@ -859,6 +862,7 @@ ff_layout_pg_init_read(struct nfs_pageio + struct nfs4_pnfs_ds *ds; + int ds_idx; + ++retry: + /* Use full layout for now */ + if (!pgio->pg_lseg) + ff_layout_pg_get_read(pgio, req, false); +@@ -871,10 +875,13 @@ ff_layout_pg_init_read(struct nfs_pageio + + ds = ff_layout_choose_best_ds_for_read(pgio->pg_lseg, 0, &ds_idx); + if (!ds) { +- 
if (ff_layout_no_fallback_to_mds(pgio->pg_lseg)) +- goto out_pnfs; +- else ++ if (!ff_layout_no_fallback_to_mds(pgio->pg_lseg)) + goto out_mds; ++ pnfs_put_lseg(pgio->pg_lseg); ++ pgio->pg_lseg = NULL; ++ /* Sleep for 1 second before retrying */ ++ ssleep(1); ++ goto retry; + } + + mirror = FF_LAYOUT_COMP(pgio->pg_lseg, ds_idx); +@@ -890,12 +897,6 @@ out_mds: + pnfs_put_lseg(pgio->pg_lseg); + pgio->pg_lseg = NULL; + nfs_pageio_reset_read_mds(pgio); +- return; +- +-out_pnfs: +- pnfs_set_lo_fail(pgio->pg_lseg); +- pnfs_put_lseg(pgio->pg_lseg); +- pgio->pg_lseg = NULL; + } + + static void +@@ -909,6 +910,7 @@ ff_layout_pg_init_write(struct nfs_pagei + int i; + int status; + ++retry: + if (!pgio->pg_lseg) { + pgio->pg_lseg = pnfs_update_layout(pgio->pg_inode, + req->wb_context, +@@ -940,10 +942,13 @@ ff_layout_pg_init_write(struct nfs_pagei + for (i = 0; i < pgio->pg_mirror_count; i++) { + ds = nfs4_ff_layout_prepare_ds(pgio->pg_lseg, i, true); + if (!ds) { +- if (ff_layout_no_fallback_to_mds(pgio->pg_lseg)) +- goto out_pnfs; +- else ++ if (!ff_layout_no_fallback_to_mds(pgio->pg_lseg)) + goto out_mds; ++ pnfs_put_lseg(pgio->pg_lseg); ++ pgio->pg_lseg = NULL; ++ /* Sleep for 1 second before retrying */ ++ ssleep(1); ++ goto retry; + } + pgm = &pgio->pg_mirrors[i]; + mirror = FF_LAYOUT_COMP(pgio->pg_lseg, i); +@@ -956,12 +961,6 @@ out_mds: + pnfs_put_lseg(pgio->pg_lseg); + pgio->pg_lseg = NULL; + nfs_pageio_reset_write_mds(pgio); +- return; +- +-out_pnfs: +- pnfs_set_lo_fail(pgio->pg_lseg); +- pnfs_put_lseg(pgio->pg_lseg); +- pgio->pg_lseg = NULL; + } + + static unsigned int +--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c ++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c +@@ -379,7 +379,7 @@ nfs4_ff_layout_prepare_ds(struct pnfs_la + + devid = &mirror->mirror_ds->id_node; + if (ff_layout_test_devid_unavailable(devid)) +- goto out; ++ goto out_fail; + + ds = mirror->mirror_ds->ds; + /* matching smp_wmb() in _nfs4_pnfs_v3/4_ds_connect */ +@@ -405,15 +405,16 @@ 
nfs4_ff_layout_prepare_ds(struct pnfs_la + mirror->mirror_ds->ds_versions[0].rsize = max_payload; + if (mirror->mirror_ds->ds_versions[0].wsize > max_payload) + mirror->mirror_ds->ds_versions[0].wsize = max_payload; +- } else { +- ff_layout_track_ds_error(FF_LAYOUT_FROM_HDR(lseg->pls_layout), +- mirror, lseg->pls_range.offset, +- lseg->pls_range.length, NFS4ERR_NXIO, +- OP_ILLEGAL, GFP_NOIO); +- if (fail_return || !ff_layout_has_available_ds(lseg)) +- pnfs_error_mark_layout_for_return(ino, lseg); +- ds = NULL; ++ goto out; + } ++ ff_layout_track_ds_error(FF_LAYOUT_FROM_HDR(lseg->pls_layout), ++ mirror, lseg->pls_range.offset, ++ lseg->pls_range.length, NFS4ERR_NXIO, ++ OP_ILLEGAL, GFP_NOIO); ++out_fail: ++ if (fail_return || !ff_layout_has_available_ds(lseg)) ++ pnfs_error_mark_layout_for_return(ino, lseg); ++ ds = NULL; + out: + return ds; + } diff --git a/queue-4.7/pnfs-the-client-must-not-do-i-o-to-the-ds-if-it-s-lease-has-expired.patch b/queue-4.7/pnfs-the-client-must-not-do-i-o-to-the-ds-if-it-s-lease-has-expired.patch new file mode 100644 index 00000000000..04f6d3d2fe2 --- /dev/null +++ b/queue-4.7/pnfs-the-client-must-not-do-i-o-to-the-ds-if-it-s-lease-has-expired.patch 
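Review bot: The `ssleep(1); goto retry;` path added to ff_layout_pg_init_read() has no bound and no exit condition. When ff_layout_no_fallback_to_mds() is true and no DS can be prepared, the task loops in an uninterruptible one-second sleep for as long as the data server stays unreachable; the same loop is added to ff_layout_pg_init_write(). Consider capping the retries or breaking out when `fatal_signal_pending(current)` is true, so a process blocked on a dead DS can still be killed. How to report the failure from these void functions is outside the hunks and has to be settled against the surrounding code. At minimum the comment should say why retrying indefinitely is intended, e.g. `/* no MDS fallback allowed: wait for the DS to come back */`.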
@@ -0,0 +1,34 @@
+From b88fa69eaa8649f11828158c7b65c4bcd886ebd5 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Tue, 23 Aug 2016 11:19:33 -0400
+Subject: pNFS: The client must not do I/O to the DS if it's lease has expired
+
+From: Trond Myklebust
+
+commit b88fa69eaa8649f11828158c7b65c4bcd886ebd5 upstream.
+
+Ensure that the client conforms to the normative behaviour described in
+RFC5661 Section 12.7.2: "If a client believes its lease has expired,
+it MUST NOT send I/O to the storage device until it has validated its
+lease."
+
+So ensure that we wait for the lease to be validated before using
+the layout.
+
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/pnfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1527,6 +1527,7 @@ pnfs_update_layout(struct inode *ino,
+ }
+
+ lookup_again:
++ nfs4_client_recover_expired_lease(clp);
+ first = false;
+ spin_lock(&ino->i_lock);
+ lo = pnfs_find_alloc_layout(ino, ctx, gfp_flags);
diff --git a/queue-4.7/powerpc-mm-don-t-alias-user-region-to-other-regions-below-page_offset.patch b/queue-4.7/powerpc-mm-don-t-alias-user-region-to-other-regions-below-page_offset.patch
new file mode 100644
index 00000000000..5fa93bb5bdd
--- /dev/null
+++ b/queue-4.7/powerpc-mm-don-t-alias-user-region-to-other-regions-below-page_offset.patch
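Review bot: The return value of `nfs4_client_recover_expired_lease(clp)` is discarded at `lookup_again:` in the pnfs-the-client-must-not-do-i-o lease patch, so pnfs_update_layout() goes on to look up and use the layout even when lease recovery fails or is interrupted. That leaves open the case the commit message quotes from RFC5661 Section 12.7.2, where I/O must not reach the storage device until the lease has been validated. The call should be checked and the function should leave without a layout segment on error, e.g. `status = nfs4_client_recover_expired_lease(clp); if (status) goto out;`. The error label and a suitable local are outside this hunk, so the exact exit path has to match the surrounding function.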
@@ -0,0 +1,58 @@ +From f077aaf0754bcba0fffdbd925bc12f09cd1e38aa Mon Sep 17 00:00:00 2001 +From: Paul Mackerras +Date: Fri, 2 Sep 2016 21:47:59 +1000 +Subject: powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET + +From: Paul Mackerras + +commit f077aaf0754bcba0fffdbd925bc12f09cd1e38aa upstream. + +In commit c60ac5693c47 ("powerpc: Update kernel VSID range", 2013-03-13) +we lost a check on the region number (the top four bits of the effective +address) for addresses below PAGE_OFFSET. That commit replaced a check +that the top 18 bits were all zero with a check that bits 46 - 59 were +zero (performed for all addresses, not just user addresses). + +This means that userspace can access an address like 0x1000_0xxx_xxxx_xxxx +and we will insert a valid SLB entry for it. The VSID used will be the +same as if the top 4 bits were 0, but the page size will be some random +value obtained by indexing beyond the end of the mm_ctx_high_slices_psize +array in the paca. If that page size is the same as would be used for +region 0, then userspace just has an alias of the region 0 space. If the +page size is different, then no HPTE will be found for the access, and +the process will get a SIGSEGV (since hash_page_mm() will refuse to create +a HPTE for the bogus address). + +The access beyond the end of the mm_ctx_high_slices_psize can be at most +5.5MB past the array, and so will be in RAM somewhere. Since the access +is a load performed in real mode, it won't fault or crash the kernel. +At most this bug could perhaps leak a little bit of information about +blocks of 32 bytes of memory located at offsets of i * 512kB past the +paca->mm_ctx_high_slices_psize array, for 1 <= i <= 11. 
+ +Fixes: c60ac5693c47 ("powerpc: Update kernel VSID range") +Signed-off-by: Paul Mackerras +Reviewed-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/slb_low.S | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/mm/slb_low.S ++++ b/arch/powerpc/mm/slb_low.S +@@ -113,7 +113,12 @@ BEGIN_FTR_SECTION + END_MMU_FTR_SECTION_IFCLR(MMU_FTR_1T_SEGMENT) + b slb_finish_load_1T + +-0: ++0: /* ++ * For userspace addresses, make sure this is region 0. ++ */ ++ cmpdi r9, 0 ++ bne 8f ++ + /* when using slices, we extract the psize off the slice bitmaps + * and then we need to get the sllp encoding off the mmu_psize_defs + * array. diff --git a/queue-4.7/powerpc-powernv-drop-reference-added-by-kset_find_obj.patch b/queue-4.7/powerpc-powernv-drop-reference-added-by-kset_find_obj.patch new file mode 100644 index 00000000000..ffa48b267a6 --- /dev/null +++ b/queue-4.7/powerpc-powernv-drop-reference-added-by-kset_find_obj.patch 
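Review bot: The added `cmpdi r9, 0` / `bne 8f` pair depends on `r9` still holding the region number when control reaches label `0:` and on `8:` being the bad-address exit, and neither is visible in the hunk. The comment should name both, for example `For userspace addresses, make sure this is region 0 (r9 holds the region number here); anything else takes the bad-address path at 8: instead of indexing past mm_ctx_high_slices_psize`. That ties the two instructions to the out-of-bounds load described in the commit message. The register assignment is inferred from the commit text and should be confirmed against the code above the hunk.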
@@ -0,0 +1,79 @@ +From a9cbf0b2195b695cbeeeecaa4e2770948c212e9a Mon Sep 17 00:00:00 2001 +From: Mukesh Ojha +Date: Mon, 22 Aug 2016 12:17:44 +0530 +Subject: powerpc/powernv : Drop reference added by kset_find_obj() + +From: Mukesh Ojha + +commit a9cbf0b2195b695cbeeeecaa4e2770948c212e9a upstream. + +In a situation, where Linux kernel gets notified about duplicate error log +from OPAL, it is been observed that kernel fails to remove sysfs entries +(/sys/firmware/opal/elog/0xXXXXXXXX) of such error logs. This is because, +we currently search the error log/dump kobject in the kset list via +'kset_find_obj()' routine. Which eventually increment the reference count +by one, once it founds the kobject. + +So, unless we decrement the reference count by one after it found the kobject, +we would not be able to release the kobject properly later. + +This patch adds the 'kobject_put()' which was missing earlier. + +Signed-off-by: Mukesh Ojha +Reviewed-by: Vasant Hegde +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/opal-dump.c | 7 ++++++- + arch/powerpc/platforms/powernv/opal-elog.c | 7 ++++++- + 2 files changed, 12 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/platforms/powernv/opal-dump.c ++++ b/arch/powerpc/platforms/powernv/opal-dump.c +@@ -370,6 +370,7 @@ static irqreturn_t process_dump(int irq, + uint32_t dump_id, dump_size, dump_type; + struct dump_obj *dump; + char name[22]; ++ struct kobject *kobj; + + rc = dump_read_info(&dump_id, &dump_size, &dump_type); + if (rc != OPAL_SUCCESS) +@@ -381,8 +382,12 @@ static irqreturn_t process_dump(int irq, + * that gracefully and not create two conflicting + * entries. 
+ */ +- if (kset_find_obj(dump_kset, name)) ++ kobj = kset_find_obj(dump_kset, name); ++ if (kobj) { ++ /* Drop reference added by kset_find_obj() */ ++ kobject_put(kobj); + return 0; ++ } + + dump = create_dump_obj(dump_id, dump_size, dump_type); + if (!dump) +--- a/arch/powerpc/platforms/powernv/opal-elog.c ++++ b/arch/powerpc/platforms/powernv/opal-elog.c +@@ -247,6 +247,7 @@ static irqreturn_t elog_event(int irq, v + uint64_t elog_type; + int rc; + char name[2+16+1]; ++ struct kobject *kobj; + + rc = opal_get_elog_size(&id, &size, &type); + if (rc != OPAL_SUCCESS) { +@@ -269,8 +270,12 @@ static irqreturn_t elog_event(int irq, v + * that gracefully and not create two conflicting + * entries. + */ +- if (kset_find_obj(elog_kset, name)) ++ kobj = kset_find_obj(elog_kset, name); ++ if (kobj) { ++ /* Drop reference added by kset_find_obj() */ ++ kobject_put(kobj); + return IRQ_HANDLED; ++ } + + create_elog_obj(log_id, elog_size, elog_type); + diff --git a/queue-4.7/powerpc-powernv-fix-corrupted-pe-allocation-bitmap-on-releasing-pe.patch b/queue-4.7/powerpc-powernv-fix-corrupted-pe-allocation-bitmap-on-releasing-pe.patch new file mode 100644 index 00000000000..97ea22bcb89 --- /dev/null +++ b/queue-4.7/powerpc-powernv-fix-corrupted-pe-allocation-bitmap-on-releasing-pe.patch 
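Review bot: In process_dump() the duplicate-dump path still ends in `return 0;`, while the matching path in elog_event() returns `IRQ_HANDLED`; both handlers are declared `irqreturn_t`. Since the block is being rewritten anyway, `return IRQ_HANDLED;` would make the two handlers consistent and stop a notification that was in fact dealt with from being reported as unhandled. Whether the rest of process_dump() also returns bare integers is not visible in the hunk.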
@@ -0,0 +1,42 @@ +From caa58f808834fca9a4443233fd09df5ab639690d Mon Sep 17 00:00:00 2001 +From: Gavin Shan +Date: Tue, 6 Sep 2016 14:17:18 +1000 +Subject: powerpc/powernv: Fix corrupted PE allocation bitmap on releasing PE + +From: Gavin Shan + +commit caa58f808834fca9a4443233fd09df5ab639690d upstream. + +In pnv_ioda_free_pe(), the PE object (including the associated PE +number) is cleared before resetting the corresponding bit in the +PE allocation bitmap. It means PE#0 is always released to the bitmap +wrongly. + +This fixes above issue by caching the PE number before the PE object +is cleared. + +Fixes: 1e9167726c41 ("powerpc/powernv: Use PE instead of number during setup and release" +Signed-off-by: Gavin Shan +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/pci-ioda.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/powernv/pci-ioda.c ++++ b/arch/powerpc/platforms/powernv/pci-ioda.c +@@ -156,11 +156,12 @@ static struct pnv_ioda_pe *pnv_ioda_allo + static void pnv_ioda_free_pe(struct pnv_ioda_pe *pe) + { + struct pnv_phb *phb = pe->phb; ++ unsigned int pe_num = pe->pe_number; + + WARN_ON(pe->pdev); + + memset(pe, 0, sizeof(struct pnv_ioda_pe)); +- clear_bit(pe->pe_number, phb->ioda.pe_alloc); ++ clear_bit(pe_num, phb->ioda.pe_alloc); + } + + /* The default M64 BAR is shared by all PEs */ diff --git a/queue-4.7/powerpc-sysdev-cpm-fix-gpio-save_regs-functions.patch b/queue-4.7/powerpc-sysdev-cpm-fix-gpio-save_regs-functions.patch new file mode 100644 index 00000000000..bb2a697e182 --- /dev/null +++ b/queue-4.7/powerpc-sysdev-cpm-fix-gpio-save_regs-functions.patch 
@@ -0,0 +1,87 @@ +From 41017a7579cf49cb5513e17df1570dc918760079 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Thu, 11 Aug 2016 10:50:40 +0200 +Subject: powerpc: sysdev: cpm: fix gpio save_regs functions + +From: Christophe Leroy + +commit 41017a7579cf49cb5513e17df1570dc918760079 upstream. + +of_mm_gpiochip_add_data() calls mm_gc->save_regs() before +setting the data. Therefore ->save_regs() cannot use +gpiochip_get_data() + +[ 0.275940] Unable to handle kernel paging request for data at address 0x00000130 +[ 0.283120] Faulting instruction address: 0xc01b44cc +[ 0.288175] Oops: Kernel access of bad area, sig: 11 [#1] +[ 0.293343] PREEMPT CMPC885 +[ 0.296141] CPU: 0 PID: 1 Comm: swapper Not tainted 4.7.0-g65124df-dirty #68 +[ 0.304131] task: c6074000 ti: c6080000 task.ti: c6080000 +[ 0.309459] NIP: c01b44cc LR: c0011720 CTR: c0011708 +[ 0.314372] REGS: c6081d90 TRAP: 0300 Not tainted (4.7.0-g65124df-dirty) +[ 0.322267] MSR: 00009032 CR: 24000028 XER: 20000000 +[ 0.328813] DAR: 00000130 DSISR: c0000000 +GPR00: c01b6d0c c6081e40 c6074000 c6017000 c9028000 c601d028 c6081dd8 00000000 +GPR08: c601d028 00000000 ffffffff 00000001 24000044 00000000 c0002790 00000000 +GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 c05643b0 00000083 +GPR24: c04a1a6c c0560000 c04a8308 c04c6480 c0012498 c6017000 c7ffcc78 c6017000 +[ 0.360806] NIP [c01b44cc] gpiochip_get_data+0x4/0xc +[ 0.365684] LR [c0011720] cpm1_gpio16_save_regs+0x18/0x44 +[ 0.370972] Call Trace: +[ 0.373451] [c6081e50] [c01b6d0c] of_mm_gpiochip_add_data+0x70/0xdc +[ 0.379624] [c6081e70] [c00124c0] cpm_init_par_io+0x28/0x118 +[ 0.385238] [c6081e80] [c04a8ac0] do_one_initcall+0xb0/0x17c +[ 0.390819] [c6081ef0] [c04a8cbc] kernel_init_freeable+0x130/0x1dc +[ 0.396924] [c6081f30] [c00027a4] kernel_init+0x14/0x110 +[ 0.402177] [c6081f40] [c000b424] ret_from_kernel_thread+0x5c/0x64 +[ 0.408233] Instruction dump: +[ 0.411168] 4182fafc 3f80c040 48234c6d 3bc0fff0 3b9c5ed0 4bfffaf4 81290020 712a0004 +[ 0.418825] 
4182fb34 48234c51 4bfffb2c 81230004 <80690130> 4e800020 7c0802a6 9421ffe0 +[ 0.426763] ---[ end trace fe4113ee21d72ffa ]--- + +fixes: e65078f1f3490 ("powerpc: sysdev: cpm1: use gpiochip data pointer") +fixes: a14a2d484b386 ("powerpc: cpm_common: use gpiochip data pointer") +Signed-off-by: Christophe Leroy +Reviewed-by: Linus Walleij +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/sysdev/cpm1.c | 6 ++++-- + arch/powerpc/sysdev/cpm_common.c | 3 ++- + 2 files changed, 6 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/sysdev/cpm1.c ++++ b/arch/powerpc/sysdev/cpm1.c +@@ -534,7 +534,8 @@ struct cpm1_gpio16_chip { + + static void cpm1_gpio16_save_regs(struct of_mm_gpio_chip *mm_gc) + { +- struct cpm1_gpio16_chip *cpm1_gc = gpiochip_get_data(&mm_gc->gc); ++ struct cpm1_gpio16_chip *cpm1_gc = ++ container_of(mm_gc, struct cpm1_gpio16_chip, mm_gc); + struct cpm_ioport16 __iomem *iop = mm_gc->regs; + + cpm1_gc->cpdata = in_be16(&iop->dat); +@@ -649,7 +650,8 @@ struct cpm1_gpio32_chip { + + static void cpm1_gpio32_save_regs(struct of_mm_gpio_chip *mm_gc) + { +- struct cpm1_gpio32_chip *cpm1_gc = gpiochip_get_data(&mm_gc->gc); ++ struct cpm1_gpio32_chip *cpm1_gc = ++ container_of(mm_gc, struct cpm1_gpio32_chip, mm_gc); + struct cpm_ioport32b __iomem *iop = mm_gc->regs; + + cpm1_gc->cpdata = in_be32(&iop->dat); +--- a/arch/powerpc/sysdev/cpm_common.c ++++ b/arch/powerpc/sysdev/cpm_common.c +@@ -82,7 +82,8 @@ struct cpm2_gpio32_chip { + + static void cpm2_gpio32_save_regs(struct of_mm_gpio_chip *mm_gc) + { +- struct cpm2_gpio32_chip *cpm2_gc = gpiochip_get_data(&mm_gc->gc); ++ struct cpm2_gpio32_chip *cpm2_gc = ++ container_of(mm_gc, struct cpm2_gpio32_chip, mm_gc); + struct cpm2_ioports __iomem *iop = mm_gc->regs; + + cpm2_gc->cpdata = in_be32(&iop->dat); 
diff --git a/queue-4.7/powerpc-tm-do-not-use-r13-for-tabort_syscall.patch b/queue-4.7/powerpc-tm-do-not-use-r13-for-tabort_syscall.patch new file mode 100644 index 00000000000..c0306d7f6b8 --- /dev/null +++ b/queue-4.7/powerpc-tm-do-not-use-r13-for-tabort_syscall.patch @@ -0,0 +1,54 @@ +From cc7786d3ee7e3c979799db834b528db2c0834c2e Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Mon, 25 Jul 2016 14:26:51 +1000 +Subject: powerpc/tm: do not use r13 for tabort_syscall + +From: Nicholas Piggin + +commit cc7786d3ee7e3c979799db834b528db2c0834c2e upstream. + +tabort_syscall runs with RI=1, so a nested recoverable machine +check will load the paca into r13 and overwrite what we loaded +it with, because exceptions returning to privileged mode do not +restore r13. + +Fixes: b4b56f9ecab4 (powerpc/tm: Abort syscalls in active transactions) +Signed-off-by: Nick Piggin +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/entry_64.S | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/kernel/entry_64.S ++++ b/arch/powerpc/kernel/entry_64.S +@@ -368,13 +368,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR) + tabort_syscall: + /* Firstly we need to enable TM in the kernel */ + mfmsr r10 +- li r13, 1 +- rldimi r10, r13, MSR_TM_LG, 63-MSR_TM_LG ++ li r9, 1 ++ rldimi r10, r9, MSR_TM_LG, 63-MSR_TM_LG + mtmsrd r10, 0 + + /* tabort, this dooms the transaction, nothing else */ +- li r13, (TM_CAUSE_SYSCALL|TM_CAUSE_PERSISTENT) +- TABORT(R13) ++ li r9, (TM_CAUSE_SYSCALL|TM_CAUSE_PERSISTENT) ++ TABORT(R9) + + /* + * Return directly to userspace. We have corrupted user register state, +@@ -382,8 +382,8 @@ tabort_syscall: + * resume after the tbegin of the aborted transaction with the + * checkpointed register state. + */ +- li r13, MSR_RI +- andc r10, r10, r13 ++ li r9, MSR_RI ++ andc r10, r10, r9 + mtmsrd r10, 1 + mtspr SPRN_SRR0, r11 + mtspr SPRN_SRR1, r12 
diff --git a/queue-4.7/rapidio-tsi721-fix-incorrect-detection-of-address-translation-condition.patch b/queue-4.7/rapidio-tsi721-fix-incorrect-detection-of-address-translation-condition.patch new file mode 100644 index 00000000000..55d549ee520 --- /dev/null +++ b/queue-4.7/rapidio-tsi721-fix-incorrect-detection-of-address-translation-condition.patch @@ -0,0 +1,39 @@ +From b30069291dc7f9b9a073c33d619818fe4a8e50de Mon Sep 17 00:00:00 2001 +From: Alexandre Bounine +Date: Thu, 1 Sep 2016 16:15:18 -0700 +Subject: rapidio/tsi721: fix incorrect detection of address translation condition + +From: Alexandre Bounine + +commit b30069291dc7f9b9a073c33d619818fe4a8e50de upstream. + +Fix incorrect condition to identify involvment of a address translation +mechanism. + +This bug results in NULL pointer kernel crash dump in cases when mapping +of inbound RapidIO address range is requested within existing aprture. + +Link: http://lkml.kernel.org/r/20160901173144.2983-1-alexandre.bounine@idt.com +Signed-off-by: Alexandre Bounine +Cc: Matt Porter +Cc: Andre van Herk +Cc: Barry Wood +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rapidio/devices/tsi721.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/rapidio/devices/tsi721.c ++++ b/drivers/rapidio/devices/tsi721.c +@@ -1148,7 +1148,7 @@ static int tsi721_rio_map_inb_mem(struct + } else if (ibw_start < (ib_win->rstart + ib_win->size) && + (ibw_start + ibw_size) > ib_win->rstart) { + /* Return error if address translation involved */ +- if (direct && ib_win->xlat) { ++ if (!direct || ib_win->xlat) { + ret = -EFAULT; + break; + } diff --git a/queue-4.7/revert-wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch b/queue-4.7/revert-wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch new file mode 100644 index 00000000000..5feb48f62c8 --- /dev/null 
+++ b/queue-4.7/revert-wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch 
@@ -0,0 +1,63 @@
+From 4d0bd46a4d55383f7b925e6cf7865a77e0f0e020 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Mon, 8 Aug 2016 08:45:33 +0200
+Subject: Revert "wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel"
+
+From: Johannes Berg
+
+commit 4d0bd46a4d55383f7b925e6cf7865a77e0f0e020 upstream.
+
+This reverts commit 3d5fdff46c4b2b9534fa2f9fc78e90a48e0ff724.
+
+Ben Hutchings pointed out that the commit isn't safe since it assumes
+that the structure used by the driver is iw_point, when in fact there's
+no way to know about that.
+
+Fortunately, the only driver in the tree that ever runs this code path
+is the wilc1000 staging driver, so it doesn't really matter.
+
+Clearly I should have investigated this better before applying, sorry.
+
+Reported-by: Ben Hutchings
+Fixes: 3d5fdff46c4b ("wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel")
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/wext-core.c | 25 ++-----------------------
+ 1 file changed, 2 insertions(+), 23 deletions(-)
+
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -958,29 +958,8 @@ static int wireless_process_ioctl(struct
+ return private(dev, iwr, cmd, info, handler);
+ }
+ /* Old driver API : call driver ioctl handler */
+- if (dev->netdev_ops->ndo_do_ioctl) {
+-#ifdef CONFIG_COMPAT
+- if (info->flags & IW_REQUEST_FLAG_COMPAT) {
+- int ret = 0;
+- struct iwreq iwr_lcl;
+- struct compat_iw_point *iwp_compat = (void *) &iwr->u.data;
+-
+- memcpy(&iwr_lcl, iwr, sizeof(struct iwreq));
+- iwr_lcl.u.data.pointer = compat_ptr(iwp_compat->pointer);
+- iwr_lcl.u.data.length = iwp_compat->length;
+- iwr_lcl.u.data.flags = iwp_compat->flags;
+-
+- ret = dev->netdev_ops->ndo_do_ioctl(dev, (void *) &iwr_lcl, cmd);
+-
+- iwp_compat->pointer = ptr_to_compat(iwr_lcl.u.data.pointer);
+- iwp_compat->length = iwr_lcl.u.data.length;
+- iwp_compat->flags = iwr_lcl.u.data.flags;
+-
+- return ret;
+- } else
+-#endif
+- return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
+- }
++ if (dev->netdev_ops->ndo_do_ioctl)
++ return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
+ return -EOPNOTSUPP;
+ }
+
diff --git a/queue-4.7/sched-core-fix-a-race-between-try_to_wake_up-and-a-woken-up-task.patch b/queue-4.7/sched-core-fix-a-race-between-try_to_wake_up-and-a-woken-up-task.patch
new file mode 100644
index 00000000000..04575862997
--- /dev/null
+++ b/queue-4.7/sched-core-fix-a-race-between-try_to_wake_up-and-a-woken-up-task.patch
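Review bot: Nothing at the restored `ndo_do_ioctl` call in wireless_process_ioctl() records that a request from a 32-bit caller now reaches the driver untranslated. The commit message explains why the generic translation was unsafe, but a driver on this path that treats the payload as `iw_point` would read the user pointer and length at 64-bit offsets from a compat-layout request. A comment above the `if`, such as `/* compat requests are passed through as-is; the driver's private layout is not known here */`, would keep that visible. Whether such requests should instead be refused is a maintainer decision; the test would be `info->flags & IW_REQUEST_FLAG_COMPAT`, the flag the removed code checked. The function begins outside the hunk.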
@@ -0,0 +1,146 @@ +From 135e8c9250dd5c8c9aae5984fde6f230d0cbfeaf Mon Sep 17 00:00:00 2001 +From: Balbir Singh +Date: Mon, 5 Sep 2016 13:16:40 +1000 +Subject: sched/core: Fix a race between try_to_wake_up() and a woken up task + +From: Balbir Singh + +commit 135e8c9250dd5c8c9aae5984fde6f230d0cbfeaf upstream. + +The origin of the issue I've seen is related to +a missing memory barrier between check for task->state and +the check for task->on_rq. + +The task being woken up is already awake from a schedule() +and is doing the following: + + do { + schedule() + set_current_state(TASK_(UN)INTERRUPTIBLE); + } while (!cond); + +The waker, actually gets stuck doing the following in +try_to_wake_up(): + + while (p->on_cpu) + cpu_relax(); + +Analysis: + +The instance I've seen involves the following race: + + CPU1 CPU2 + + while () { + if (cond) + break; + do { + schedule(); + set_current_state(TASK_UN..) + } while (!cond); + wakeup_routine() + spin_lock_irqsave(wait_lock) + raw_spin_lock_irqsave(wait_lock) wake_up_process() + } try_to_wake_up() + set_current_state(TASK_RUNNING); .. + list_del(&waiter.list); + +CPU2 wakes up CPU1, but before it can get the wait_lock and set +current state to TASK_RUNNING the following occurs: + + CPU3 + wakeup_routine() + raw_spin_lock_irqsave(wait_lock) + if (!list_empty) + wake_up_process() + try_to_wake_up() + raw_spin_lock_irqsave(p->pi_lock) + .. + if (p->on_rq && ttwu_wakeup()) + .. + while (p->on_cpu) + cpu_relax() + .. + +CPU3 tries to wake up the task on CPU1 again since it finds +it on the wait_queue, CPU1 is spinning on wait_lock, but immediately +after CPU2, CPU3 got it. + +CPU3 checks the state of p on CPU1, it is TASK_UNINTERRUPTIBLE and +the task is spinning on the wait_lock. Interestingly since p->on_rq +is checked under pi_lock, I've noticed that try_to_wake_up() finds +p->on_rq to be 0. 
This was the most confusing bit of the analysis, +but p->on_rq is changed under runqueue lock, rq_lock, the p->on_rq +check is not reliable without this fix IMHO. The race is visible +(based on the analysis) only when ttwu_queue() does a remote wakeup +via ttwu_queue_remote. In which case the p->on_rq change is not +done uder the pi_lock. + +The result is that after a while the entire system locks up on +the raw_spin_irqlock_save(wait_lock) and the holder spins infintely + +Reproduction of the issue: + +The issue can be reproduced after a long run on my system with 80 +threads and having to tweak available memory to very low and running +memory stress-ng mmapfork test. It usually takes a long time to +reproduce. I am trying to work on a test case that can reproduce +the issue faster, but thats work in progress. I am still testing the +changes on my still in a loop and the tests seem OK thus far. + +Big thanks to Benjamin and Nick for helping debug this as well. +Ben helped catch the missing barrier, Nick caught every missing +bit in my theory. + +Signed-off-by: Balbir Singh +[ Updated comment to clarify matching barriers. Many + architectures do not have a full barrier in switch_to() + so that cannot be relied upon. 
] +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Benjamin Herrenschmidt +Cc: Alexey Kardashevskiy +Cc: Linus Torvalds +Cc: Nicholas Piggin +Cc: Nicholas Piggin +Cc: Oleg Nesterov +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/e02cce7b-d9ca-1ad0-7a61-ea97c7582b37@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched/core.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -2015,6 +2015,28 @@ try_to_wake_up(struct task_struct *p, un + success = 1; /* we're going to change ->state */ + cpu = task_cpu(p); + ++ /* ++ * Ensure we load p->on_rq _after_ p->state, otherwise it would ++ * be possible to, falsely, observe p->on_rq == 0 and get stuck ++ * in smp_cond_load_acquire() below. ++ * ++ * sched_ttwu_pending() try_to_wake_up() ++ * [S] p->on_rq = 1; [L] P->state ++ * UNLOCK rq->lock -----. ++ * \ ++ * +--- RMB ++ * schedule() / ++ * LOCK rq->lock -----' ++ * UNLOCK rq->lock ++ * ++ * [task p] ++ * [S] p->state = UNINTERRUPTIBLE [L] p->on_rq ++ * ++ * Pairs with the UNLOCK+LOCK on rq->lock from the ++ * last wakeup of our task and the schedule that got our task ++ * current. ++ */ ++ smp_rmb(); + if (p->on_rq && ttwu_remote(p, wake_flags)) + goto stat; + diff --git a/queue-4.7/serial-8250-added-acces-i-o-products-quad-and-octal-serial-cards.patch b/queue-4.7/serial-8250-added-acces-i-o-products-quad-and-octal-serial-cards.patch new file mode 100644 index 00000000000..886d554aae1 --- /dev/null +++ b/queue-4.7/serial-8250-added-acces-i-o-products-quad-and-octal-serial-cards.patch 
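Review bot: The new comment in try_to_wake_up() says the waker would get stuck in `smp_cond_load_acquire()` below, whereas the description of this same patch shows the wait as `while (p->on_cpu) cpu_relax();`. The wait itself is outside the hunk, so the comment should name whichever construct the 4.7 tree really has at that point, otherwise a reader searching for the named call finds nothing. The diagram also writes `[L] P->state` with a capital P where every other reference is `p->state`. Both are comment-only corrections; the position of `smp_rmb()` ahead of the `p->on_rq` test matches the ordering the comment describes.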
@@ -0,0 +1,175 @@ +From c8d192428f52f244130b84650ad616df09f2b1e1 Mon Sep 17 00:00:00 2001 +From: Jimi Damon +Date: Wed, 20 Jul 2016 17:00:40 -0700 +Subject: serial: 8250: added acces i/o products quad and octal serial cards + +From: Jimi Damon + +commit c8d192428f52f244130b84650ad616df09f2b1e1 upstream. + +Added devices ids for acces i/o products quad and octal serial cards +that make use of existing Pericom PI7C9X7954 and PI7C9X7958 +configurations . + +Signed-off-by: Jimi Damon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_pci.c | 139 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 139 insertions(+) + +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -1939,6 +1939,43 @@ pci_wch_ch38x_setup(struct serial_privat + #define PCI_DEVICE_ID_PERICOM_PI7C9X7954 0x7954 + #define PCI_DEVICE_ID_PERICOM_PI7C9X7958 0x7958 + ++#define PCI_VENDOR_ID_ACCESIO 0x494f ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SDB 0x1051 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2S 0x1053 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB 0x105C ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4S 0x105E ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_2DB 0x1091 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_2 0x1093 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB 0x1099 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_4 0x109B ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SMDB 0x10D1 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2SM 0x10D3 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB 0x10DA ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4SM 0x10DC ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1 0x1108 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_2 0x1110 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_2 0x1111 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4 0x1118 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_4 0x1119 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2S 0x1152 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S 0x115A ++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_2 
0x1190 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_2 0x1191 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4 0x1198 ++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_4 0x1199 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2SM 0x11D0 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4 0x105A ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4 0x105B ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM422_8 0x106A ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM485_8 0x106B ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4 0x1098 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_8 0x10A9 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM 0x10D9 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_8SM 0x10E9 ++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM 0x11D8 ++ ++ ++ + /* Unknown vendors/cards - this should not be in linux/pci_ids.h */ + #define PCI_SUBDEVICE_ID_UNKNOWN_0x1584 0x1584 + #define PCI_SUBDEVICE_ID_UNKNOWN_0x1588 0x1588 +@@ -5093,6 +5130,108 @@ static struct pci_device_id serial_pci_t + 0, + 0, pbn_pericom_PI7C9X7958 }, + /* ++ * ACCES I/O Products quad ++ */ ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SDB, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2S, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4S, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_2DB, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_2, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_4, ++ PCI_ANY_ID, PCI_ANY_ID, 
0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SMDB, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2SM, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4SM, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_2, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_2, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_4, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2S, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_2, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_2, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_4, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, 
PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2SM, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7954 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7958 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7958 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM422_8, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7958 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM485_8, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7958 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7958 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_8, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7958 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7958 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_8SM, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7958 }, ++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, ++ pbn_pericom_PI7C9X7958 }, ++ /* + * Topic TP560 Data/Fax/Voice 56k modem (reported by Evan Clarke) + */ + { PCI_VENDOR_ID_TOPIC, PCI_DEVICE_ID_TOPIC_TP560, diff --git a/queue-4.7/serial-8250_mid-fix-divide-error-bug-if-baud-rate-is-0.patch b/queue-4.7/serial-8250_mid-fix-divide-error-bug-if-baud-rate-is-0.patch new file mode 100644 index 00000000000..3ec12b0cad8 --- /dev/null +++ b/queue-4.7/serial-8250_mid-fix-divide-error-bug-if-baud-rate-is-0.patch 
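Review bot: The table comment `ACCES I/O Products quad` heads all 33 new serial_pci_tbl entries, yet the last nine are bound to `pbn_pericom_PI7C9X7958`, and the device names suggest port counts from one to eight (`..._ICM485_1`, `..._COM_2S`, `..._COM232_4`, `..._COM232_8`). If the two board entries fix the port count at four and eight, as "quad and octal" in the commit message suggests, then the one- and two-port cards on `pbn_pericom_PI7C9X7954` and the `_4` cards on `pbn_pericom_PI7C9X7958` (`PCIE_COM422_4`, `PCIE_COM485_4`, `PCIE_COM232_4`, `PCIE_COM_4SM`, `PCIE_ICM_4SM`) would register ports with no hardware behind them; the board definitions are outside the hunk, so this needs checking against them. At minimum the comment should be split into a quad and an octal section, and the new `#define` list kept sorted by ID (`0x105A` currently follows `0x11D0`) without the three trailing blank lines.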
@@ -0,0 +1,35 @@
+From 47b34d2ef266e2c283b514d65c8963c2ccd42474 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko
+Date: Fri, 1 Jul 2016 17:21:49 +0300
+Subject: serial: 8250_mid: fix divide error bug if baud rate is 0
+
+From: Andy Shevchenko
+
+commit 47b34d2ef266e2c283b514d65c8963c2ccd42474 upstream.
+
+Since the commit c1a67b48f6a5 ("serial: 8250_pci: replace switch-case by
+formula for Intel MID"), the 8250 driver crashes in the byt_set_termios()
+function with a divide error. This is caused by the fact that a baud rate of 0
+(B0) is not handled properly. Fix it by falling back to B9600 in this case.
+
+Reported-by: "Mendez Salinas, Fernando"
+Fixes: c1a67b48f6a5 ("serial: 8250_pci: replace switch-case by formula for Intel MID")
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/8250/8250_mid.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_mid.c
++++ b/drivers/tty/serial/8250/8250_mid.c
+@@ -154,6 +154,9 @@ static void mid8250_set_termios(struct u
+ unsigned long w = BIT(24) - 1;
+ unsigned long mul, div;
+
++ /* Gracefully handle the B0 case: fall back to B9600 */
++ fuart = fuart ? fuart : 9600 * 16;
++
+ if (mid->board->freq < fuart) {
+ /* Find prescaler value that satisfies Fuart < Fref */
+ if (mid->board->freq > baud)
diff --git a/queue-4.7/series b/queue-4.7/series
index d7bf1f6b74c..c3ead99d5d5 100644
--- a/queue-4.7/series
+++ b/queue-4.7/series
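Review bot: The B0 fallback in mid8250_set_termios() repairs `fuart` only; `baud` is still 0 when the context line `if (mid->board->freq > baud)` is reached, and that comparison then holds for any non-zero frequency. If the statement under it divides by `baud` (it is outside the hunk), a board frequency below `9600 * 16` would still end in the divide error this patch is meant to remove. Normalising the rate itself is safer, `if (!baud) baud = 9600;` placed before `fuart` is derived from it. The literal `16` also repeats whatever prescaler the declaration of `fuart` uses, which is not visible here.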
@@ -33,3 +33,107 @@ ipv6-addrconf-fix-dev-refcont-leak-when-dad-failed.patch tcp-fastopen-avoid-negative-sk_forward_alloc.patch net-mlx5e-fix-parsing-of-vlan-packets-when-updating-lro-header.patch tcp-cwnd-does-not-increase-in-tcp-yeah.patch +powerpc-tm-do-not-use-r13-for-tabort_syscall.patch +powerpc-powernv-drop-reference-added-by-kset_find_obj.patch +powerpc-sysdev-cpm-fix-gpio-save_regs-functions.patch +powerpc-mm-don-t-alias-user-region-to-other-regions-below-page_offset.patch +powerpc-powernv-fix-corrupted-pe-allocation-bitmap-on-releasing-pe.patch +kernfs-don-t-depend-on-d_find_any_alias-when-generating-notifications.patch +pnfs-flexfiles-fix-an-oopsable-condition-when-connection-to-the-ds-fails.patch +pnfs-the-client-must-not-do-i-o-to-the-ds-if-it-s-lease-has-expired.patch +nfsv4.1-fix-oopsable-condition-in-server-callback-races.patch +nfsv4.x-fix-a-refcount-leak-in-nfs_callback_up_net.patch +nfsd-close-race-between-nfsd4_release_lockowner-and-nfsd4_lock.patch +pnfs-ensure-layoutget-and-layoutreturn-are-properly-serialised.patch +nfsv4.1-fix-the-create_session-slot-number-accounting.patch +kexec-fix-double-free-when-failing-to-relocate-the-purgatory.patch +mm-oom-prevent-premature-oom-killer-invocation-for-high-order-request.patch +mm-mempolicy-task-mempolicy-must-be-null-before-dropping-final-reference.patch +ahci-disable-correct-irq-for-dummy-ports.patch +rapidio-tsi721-fix-incorrect-detection-of-address-translation-condition.patch +mm-introduce-get_task_exe_file.patch +audit-fix-exe_file-access-in-audit_exe_compare.patch +dm-flakey-fix-reads-to-be-issued-if-drop_writes-configured.patch +ib-hfi1-ib-qib-fix-qp_stats-sleep-with-rcu-read-lock-held.patch +ib-uverbs-fix-race-between-uverbs_close-and-remove_one.patch +ib-hfi1-reset-qsfp-on-every-run-through-channel-tuning.patch +mm-fix-cache-mode-of-dax-pmd-mappings.patch +x86-paravirt-do-not-trace-_paravirt_ident_-functions.patch +x86-amd-apply-erratum-665-on-machines-without-a-bios-fix.patch 
+kvm-s390-don-t-use-current-thread.fpu.-when-accessing-registers.patch +kvm-arm-unmap-shadow-pagetables-properly.patch +kvm-x86-correctly-reset-dest_map-vector-when-restoring-lapic-state.patch +iio-accel-kxsd9-fix-raw-read-return.patch +iio-sw-trigger-fix-config-group-initialization.patch +iio-proximity-as3935-set-up-buffer-timestamps-for-non-zero-values.patch +iio-adc-rockchip_saradc-reset-saradc-controller-before-programming-it.patch +iio-adc-ti_am335x_adc-protect-fifo1-from-concurrent-access.patch +iio-adc-ti_am335x_adc-increase-timeout-value-waiting-for-adc-sample.patch +iio-ti-ads1015-fix-a-wrong-pointer-definition.patch +iio-ad799x-fix-buffered-capture-for-ad7991-ad7995-ad7999.patch +iio-humidity-am2315-set-up-buffer-timestamps-for-non-zero-values.patch +iio-adc-at91-unbreak-channel-adc-channel-3.patch +iio-humidity-hdc100x-fix-sensor-data-reads-of-temp-and-humidity.patch +iio-accel-bmc150-reset-chip-at-init-time.patch +iio-fix-pressure-data-output-unit-in-hid-sensor-attributes.patch +iio-accel-kxsd9-fix-scaling-bug.patch +iio-core-fix-iio_val_fractional-sign-handling.patch +iio-ensure-ret-is-initialized-to-zero-before-entering-do-loop.patch +serial-8250_mid-fix-divide-error-bug-if-baud-rate-is-0.patch +serial-8250-added-acces-i-o-products-quad-and-octal-serial-cards.patch +usb-serial-simple-add-support-for-another-infineon-flashloader.patch +usb-gadget-udc-renesas-usb3-clear-vbout-bit-in-drd_con.patch +usb-renesas_usbhs-fix-clearing-the-brdy-bemp-sts-condition.patch +usb-chipidea-udc-fix-null-ptr-dereference-in-isr_setup_status_phase.patch +arm-dts-stih410-handle-interconnect-clock-required-by-ehci-ohci-usb.patch +usb-change-binterval-default-to-10-ms.patch +devpts-return-null-pts-priv-entry-for-non-devpts-nodes.patch +cxl-use-pcibios_free_controller_deferred-when-removing-vphbs.patch +net-thunderx-fix-oops-with-ethtool-register-dump.patch +net-macb-correct-caps-mask.patch +cpuset-make-sure-new-tasks-conform-to-the-current-config-of-the-cpuset.patch 
+arm-dts-rockchip-add-reset-node-for-the-exist-saradc-socs.patch +arm-am43xx-hwmod-fix-rstst-register-offset-for-pruss.patch +arm-imx6-add-missing-bm_clpcr_byp_mmdc_ch0_lpm_hs-setting-for-imx6ul.patch +arm-imx6-add-missing-bm_clpcr_bypass_pmic_ready-setting-for-imx6sx.patch +arm-kirkwood-ib62x0-fix-size-of-u-boot-environment-partition.patch +arm-omap3-hwmod-data-add-sysc-information-for-dsi.patch +arm-dts-kirkwood-fix-pcie-label-on-openrd.patch +arm-dts-imx6qdl-fix-spdif-regression.patch +arm-dts-armada-388-clearfog-number-lan-ports-properly.patch +arm-dts-overo-fix-gpmc-nand-cs0-range.patch +arm-dts-overo-fix-gpmc-nand-on-boards-with-ethernet.patch +arm-dts-stih407-family-provide-interconnect-clock-for-consumption-in-st-sdhci.patch +bus-arm-ccn-fix-pmu-handling-of-mn.patch +bus-arm-ccn-do-not-attempt-to-configure-xps-for-cycle-counter.patch +bus-arm-ccn-fix-xp-watchpoint-settings-bitmask.patch +dm-log-writes-fix-check-of-kthread_run-return-value.patch +dm-crypt-fix-free-of-bad-values-after-tfm-allocation-failure.patch +dm-log-writes-move-io-accounting-earlier-to-fix-error-path.patch +dm-crypt-fix-error-with-too-large-bios.patch +pinctrl-pistachio-fix-mfio-pll_lock-pinmux.patch +pinctrl-sunxi-fix-uart1-cts-rts-pins-at-pg-on-a23-a33.patch +memory-omap-gpmc-allow-probe-of-child-nodes-to-fail.patch +arm64-spinlocks-implement-smp_mb__before_spinlock-as-smp_mb.patch +crypto-cryptd-initialize-child-shash_desc-on-import.patch +btrfs-remove-root_log_ctx-from-ctx-list-before-btrfs_sync_log-returns.patch +fuse-direct-io-don-t-dirty-iter_bvec-pages.patch +xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch +brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg80211_start_ap.patch +md-cluster-make-md-cluster-also-can-work-when-compiled-into-kernel.patch +ath9k-fix-using-sta-drv_priv-before-initializing-it.patch +ath9k-bring-back-direction-setting-in-ath9k_-start_stop.patch +perf-x86-intel-fix-pebsv3-record-drain.patch 
+perf-x86-intel-cqm-check-cqm-mbm-enabled-state-in-event-init.patch +perf-x86-amd-make-hw_cache_references-and-hw_cache_misses-measure-l2.patch +perf-x86-intel-pt-fix-an-off-by-one-in-address-filter-configuration.patch +perf-x86-intel-pt-fix-kernel-address-filter-s-offset-validation.patch +perf-x86-intel-pt-do-validate-the-size-of-a-kernel-address-filter.patch +revert-wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch +sched-core-fix-a-race-between-try_to_wake_up-and-a-woken-up-task.patch +ipv6-don-t-unset-flowi6_proto-in-ipxip6_tnl_xmit.patch +efi-make-for_each_efi_memory_desc_in_map-cope-with-running-on-xen.patch +efi-libstub-allocate-headspace-in-efi_get_memory_map.patch +efi-libstub-introduce-exitbootservices-helper.patch +efi-libstub-use-efi_exit_boot_services-in-fdt.patch +x86-efi-use-efi_exit_boot_services.patch diff --git a/queue-4.7/usb-change-binterval-default-to-10-ms.patch b/queue-4.7/usb-change-binterval-default-to-10-ms.patch new file mode 100644 index 00000000000..e2ffc43fcd8 --- /dev/null +++ b/queue-4.7/usb-change-binterval-default-to-10-ms.patch 
@@ -0,0 +1,97 @@
+From 08c5cd37480f59ea39682f4585d92269be6b1424 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Fri, 16 Sep 2016 10:24:26 -0400
+Subject: USB: change bInterval default to 10 ms
+
+From: Alan Stern
+
+commit 08c5cd37480f59ea39682f4585d92269be6b1424 upstream.
+
+Some full-speed mceusb infrared transceivers contain invalid endpoint
+descriptors for their interrupt endpoints, with bInterval set to 0.
+In the past they have worked out okay with the mceusb driver, because
+the driver sets the bInterval field in the descriptor to 1,
+overwriting whatever value may have been there before. However, this
+approach was never sanctioned by the USB core, and in fact it does not
+work with xHCI controllers, because they use the bInterval value that
+was present when the configuration was installed.
+
+Currently usbcore uses 32 ms as the default interval if the value in
+the endpoint descriptor is invalid. It turns out that these IR
+transceivers don't work properly unless the interval is set to 10 ms
+or below. To work around this mceusb problem, this patch changes the
+endpoint-descriptor parsing routine, making the default interval value
+be 10 ms rather than 32 ms.
+
+Signed-off-by: Alan Stern
+Tested-by: Wade Berrier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/config.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -240,8 +240,10 @@ static int usb_parse_endpoint(struct dev
+ memcpy(&endpoint->desc, d, n);
+ INIT_LIST_HEAD(&endpoint->urb_list);
+
+- /* Fix up bInterval values outside the legal range. Use 32 ms if no
+- * proper value can be guessed. */
++ /*
++ * Fix up bInterval values outside the legal range.
++ * Use 10 or 8 ms if no proper value can be guessed.
++ */
+ i = 0; /* i = min, j = max, n = default */
+ j = 255;
+ if (usb_endpoint_xfer_int(d)) {
+@@ -250,13 +252,15 @@ static int usb_parse_endpoint(struct dev
+ case USB_SPEED_SUPER_PLUS:
+ case USB_SPEED_SUPER:
+ case USB_SPEED_HIGH:
+- /* Many device manufacturers are using full-speed
++ /*
++ * Many device manufacturers are using full-speed
+ * bInterval values in high-speed interrupt endpoint
+- * descriptors. Try to fix those and fall back to a
+- * 32 ms default value otherwise. */
++ * descriptors. Try to fix those and fall back to an
++ * 8-ms default value otherwise.
++ */
+ n = fls(d->bInterval*8);
+ if (n == 0)
+- n = 9; /* 32 ms = 2^(9-1) uframes */
++ n = 7; /* 8 ms = 2^(7-1) uframes */
+ j = 16;
+
+ /*
+@@ -271,10 +275,12 @@ static int usb_parse_endpoint(struct dev
+ }
+ break;
+ default: /* USB_SPEED_FULL or _LOW */
+- /* For low-speed, 10 ms is the official minimum.
++ /*
++ * For low-speed, 10 ms is the official minimum.
+ * But some "overclocked" devices might want faster
+- * polling so we'll allow it. */
+- n = 32;
++ * polling so we'll allow it.
++ */
++ n = 10;
+ break;
+ }
+ } else if (usb_endpoint_xfer_isoc(d)) {
+@@ -282,10 +288,10 @@ static int usb_parse_endpoint(struct dev
+ j = 16;
+ switch (to_usb_device(ddev)->speed) {
+ case USB_SPEED_HIGH:
+- n = 9; /* 32 ms = 2^(9-1) uframes */
++ n = 7; /* 8 ms = 2^(7-1) uframes */
+ break;
+ default: /* USB_SPEED_FULL */
+- n = 6; /* 32 ms = 2^(6-1) frames */
++ n = 4; /* 8 ms = 2^(4-1) frames */
+ break;
+ }
+ }
diff --git a/queue-4.7/usb-chipidea-udc-fix-null-ptr-dereference-in-isr_setup_status_phase.patch b/queue-4.7/usb-chipidea-udc-fix-null-ptr-dereference-in-isr_setup_status_phase.patch
new file mode 100644
index 00000000000..b6c073f0783
--- /dev/null
+++ b/queue-4.7/usb-chipidea-udc-fix-null-ptr-dereference-in-isr_setup_status_phase.patch
@@ -0,0 +1,48 @@
+From 6f3c4fb6d05e63c9c6d8968302491c3a5457be61 Mon Sep 17 00:00:00 2001
+From: Clemens Gruber
+Date: Mon, 5 Sep 2016 19:29:58 +0200
+Subject: usb: chipidea: udc: fix NULL ptr dereference in isr_setup_status_phase
+
+From: Clemens Gruber
+
+commit 6f3c4fb6d05e63c9c6d8968302491c3a5457be61 upstream.
+
+Problems with the signal integrity of the high speed USB data lines or
+noise on reference ground lines can cause the i.MX6 USB controller to
+violate USB specs and exhibit unexpected behavior.
+
+It was observed that USBi_UI interrupts were triggered first and when
+isr_setup_status_phase was called, ci->status was NULL, which lead to a
+NULL pointer dereference kernel panic.
+
+This patch fixes the kernel panic, emits a warning once and returns
+-EPIPE to halt the device and let the host get stalled.
+It also adds a comment to point people, who are experiencing this issue,
+to their USB hardware design.
+
+Signed-off-by: Clemens Gruber
+Signed-off-by: Peter Chen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/chipidea/udc.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/chipidea/udc.c
++++ b/drivers/usb/chipidea/udc.c
+@@ -949,6 +949,15 @@ static int isr_setup_status_phase(struct
+ int retval;
+ struct ci_hw_ep *hwep;
+
++ /*
++ * Unexpected USB controller behavior, caused by bad signal integrity
++ * or ground reference problems, can lead to isr_setup_status_phase
++ * being called with ci->status equal to NULL.
++ * If this situation occurs, you should review your USB hardware design.
++ */
++ if (WARN_ON_ONCE(!ci->status))
++ return -EPIPE;
++
+ hwep = (ci->ep0_dir == TX) ? ci->ep0out : ci->ep0in;
+ ci->status->context = ci;
+ ci->status->complete = isr_setup_status_complete;
diff --git a/queue-4.7/usb-gadget-udc-renesas-usb3-clear-vbout-bit-in-drd_con.patch b/queue-4.7/usb-gadget-udc-renesas-usb3-clear-vbout-bit-in-drd_con.patch
new file mode 100644
index 00000000000..7a47793297b
--- /dev/null
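Review bot: `WARN_ON_ONCE(!ci->status)` in isr_setup_status_phase() fires on a condition that the new comment itself attributes to signal integrity and ground noise, that is, to something outside the kernel's control. A WARN prints a full backtrace and, on systems booted with panic_on_warn, turns the condition back into the panic this patch removes. A one-shot device message is enough here, for example `if (!ci->status) { dev_warn_once(ci->dev, "setup status phase without status request\n"); return -EPIPE; }`. The comment could also state where `ci->status` is expected to have been set up, which this hunk does not show; the rest of the function is outside the hunk.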
+++ b/queue-4.7/usb-gadget-udc-renesas-usb3-clear-vbout-bit-in-drd_con.patch
@@ -0,0 +1,40 @@
+From b2f1eaaee564c5593c303f4d15d827924cb6d20d Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda
+Date: Tue, 23 Aug 2016 21:11:13 +0900
+Subject: usb: gadget: udc: renesas-usb3: clear VBOUT bit in DRD_CON
+
+From: Yoshihiro Shimoda
+
+commit b2f1eaaee564c5593c303f4d15d827924cb6d20d upstream.
+
+This driver should clear the bit. Otherwise, the VBUS will output
+wrongly if the usb port on a board has VBUS output capability.
+
+Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for
+ Renesas USB3.0 peripheral controller")
+Signed-off-by: Yoshihiro Shimoda
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/udc/renesas_usb3.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/gadget/udc/renesas_usb3.c
++++ b/drivers/usb/gadget/udc/renesas_usb3.c
+@@ -106,6 +106,7 @@
+
+ /* DRD_CON */
+ #define DRD_CON_PERI_CON BIT(24)
++#define DRD_CON_VBOUT BIT(0)
+
+ /* USB_INT_ENA_1 and USB_INT_STA_1 */
+ #define USB_INT_1_B3_PLLWKUP BIT(31)
+@@ -363,6 +364,7 @@ static void usb3_init_epc_registers(stru
+ {
+ /* FIXME: How to change host / peripheral mode as well? */
+ usb3_set_bit(usb3, DRD_CON_PERI_CON, USB3_DRD_CON);
++ usb3_clear_bit(usb3, DRD_CON_VBOUT, USB3_DRD_CON);
+
+ usb3_write(usb3, ~0, USB3_USB_INT_STA_1);
+ usb3_enable_irq_1(usb3, USB_INT_1_VBUS_CNG);
diff --git a/queue-4.7/usb-renesas_usbhs-fix-clearing-the-brdy-bemp-sts-condition.patch b/queue-4.7/usb-renesas_usbhs-fix-clearing-the-brdy-bemp-sts-condition.patch
new file mode 100644
index 00000000000..a8e9048300f
--- /dev/null
+++ b/queue-4.7/usb-renesas_usbhs-fix-clearing-the-brdy-bemp-sts-condition.patch
@@ -0,0 +1,56 @@
+From 519d8bd4b5d3d82c413eac5bb42b106bb4b9ec15 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda
+Date: Mon, 29 Aug 2016 18:00:38 +0900
+Subject: usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition
+
+From: Yoshihiro Shimoda
+
+commit 519d8bd4b5d3d82c413eac5bb42b106bb4b9ec15 upstream.
+
+The previous driver is possible to stop the transfer wrongly.
+For example:
+ 1) An interrupt happens, but not BRDY interruption.
+ 2) Read INTSTS0. And than state->intsts0 is not set to BRDY.
+ 3) BRDY is set to 1 here.
+ 4) Read BRDYSTS.
+ 5) Clear the BRDYSTS. And then. the BRDY is cleared wrongly.
+
+Remarks:
+ - The INTSTS0.BRDY is read only.
+ - If any bits of BRDYSTS are set to 1, the BRDY is set to 1.
+ - If BRDYSTS is 0, the BRDY is set to 0.
+
+So, this patch adds condition to avoid such situation. (And about
+NRDYSTS, this is not used for now. But, avoiding any side effects,
+this patch doesn't touch it.)
+
+Fixes: d5c6a1e024dd ("usb: renesas_usbhs: fixup interrupt status clear method")
+Signed-off-by: Yoshihiro Shimoda
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/renesas_usbhs/mod.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/renesas_usbhs/mod.c
++++ b/drivers/usb/renesas_usbhs/mod.c
+@@ -282,9 +282,16 @@ static irqreturn_t usbhs_interrupt(int i
+ if (usbhs_mod_is_host(priv))
+ usbhs_write(priv, INTSTS1, ~irq_state.intsts1 & INTSTS1_MAGIC);
+
+- usbhs_write(priv, BRDYSTS, ~irq_state.brdysts);
++ /*
++ * The driver should not clear the xxxSTS after the line of
++ * "call irq callback functions" because each "if" statement is
++ * possible to call the callback function for avoiding any side effects.
++ */
++ if (irq_state.intsts0 & BRDY)
++ usbhs_write(priv, BRDYSTS, ~irq_state.brdysts);
+ usbhs_write(priv, NRDYSTS, ~irq_state.nrdysts);
+- usbhs_write(priv, BEMPSTS, ~irq_state.bempsts);
++ if (irq_state.intsts0 & BEMP)
++ usbhs_write(priv, BEMPSTS, ~irq_state.bempsts);
+
+ /*
+ * call irq callback functions
diff --git a/queue-4.7/usb-serial-simple-add-support-for-another-infineon-flashloader.patch b/queue-4.7/usb-serial-simple-add-support-for-another-infineon-flashloader.patch
new file mode 100644
index 00000000000..31228144803
--- /dev/null
+++ b/queue-4.7/usb-serial-simple-add-support-for-another-infineon-flashloader.patch
@@ -0,0 +1,34 @@
+From f190fd92458da3e869b4e2c6289e2c617490ae53 Mon Sep 17 00:00:00 2001
+From: Daniele Palmas
+Date: Fri, 2 Sep 2016 10:37:56 +0200
+Subject: USB: serial: simple: add support for another Infineon flashloader
+
+From: Daniele Palmas
+
+commit f190fd92458da3e869b4e2c6289e2c617490ae53 upstream.
+
+This patch adds support for Infineon flashloader 0x8087/0x0801.
+
+The flashloader is used in Telit LE940B modem family with Telit
+flashing application.
+
+Signed-off-by: Daniele Palmas
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/usb-serial-simple.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/usb-serial-simple.c
++++ b/drivers/usb/serial/usb-serial-simple.c
+@@ -54,7 +54,8 @@ DEVICE(funsoft, FUNSOFT_IDS);
+ /* Infineon Flashloader driver */
+ #define FLASHLOADER_IDS() \
+ { USB_DEVICE_INTERFACE_CLASS(0x058b, 0x0041, USB_CLASS_CDC_DATA) }, \
+- { USB_DEVICE(0x8087, 0x0716) }
++ { USB_DEVICE(0x8087, 0x0716) }, \
++ { USB_DEVICE(0x8087, 0x0801) }
+ DEVICE(flashloader, FLASHLOADER_IDS);
+
+ /* Google Serial USB SubClass */
diff --git a/queue-4.7/x86-amd-apply-erratum-665-on-machines-without-a-bios-fix.patch b/queue-4.7/x86-amd-apply-erratum-665-on-machines-without-a-bios-fix.patch
new file mode 100644
index 00000000000..9d7e7f66546
--- /dev/null
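Review bot: The comment added in usbhs_interrupt (drivers/usb/renesas_usbhs/mod.c) does not explain the two new `if` guards beneath it; the actual reason is only in the commit message. Suggest replacing it with something like `/* Clear BRDYSTS/BEMPSTS only when the INTSTS0 snapshot had BRDY/BEMP set; a status bit raised after INTSTS0 was read would otherwise be cleared without its callback running. */`. NRDYSTS is still written unconditionally between the two guarded writes, which the commit message says is deliberate, so a short comment on that line would keep a later cleanup from removing the asymmetry. usbhs_interrupt starts and ends outside the hunk.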
+++ b/queue-4.7/x86-amd-apply-erratum-665-on-machines-without-a-bios-fix.patch
@@ -0,0 +1,55 @@
+From d1992996753132e2dafe955cccb2fb0714d3cfc4 Mon Sep 17 00:00:00 2001
+From: Emanuel Czirai
+Date: Fri, 2 Sep 2016 07:35:50 +0200
+Subject: x86/AMD: Apply erratum 665 on machines without a BIOS fix
+
+From: Emanuel Czirai
+
+commit d1992996753132e2dafe955cccb2fb0714d3cfc4 upstream.
+
+AMD F12h machines have an erratum which can cause DIV/IDIV to behave
+unpredictably. The workaround is to set MSRC001_1029[31] but sometimes
+there is no BIOS update containing that workaround so let's do it
+ourselves unconditionally. It is simple enough.
+
+[ Borislav: Wrote commit message. ]
+
+Signed-off-by: Emanuel Czirai
+Signed-off-by: Borislav Petkov
+Cc: Yaowu Xu
+Link: http://lkml.kernel.org/r/20160902053550.18097-1-bp@alien8.de
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/amd.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -669,6 +669,17 @@ static void init_amd_gh(struct cpuinfo_x
+ set_cpu_bug(c, X86_BUG_AMD_TLB_MMATCH);
+ }
+
++#define MSR_AMD64_DE_CFG 0xC0011029
++
++static void init_amd_ln(struct cpuinfo_x86 *c)
++{
++ /*
++ * Apply erratum 665 fix unconditionally so machines without a BIOS
++ * fix work.
++ */
++ msr_set_bit(MSR_AMD64_DE_CFG, 31);
++}
++
+ static void init_amd_bd(struct cpuinfo_x86 *c)
+ {
+ u64 value;
+@@ -726,6 +737,7 @@ static void init_amd(struct cpuinfo_x86
+ case 6: init_amd_k7(c); break;
+ case 0xf: init_amd_k8(c); break;
+ case 0x10: init_amd_gh(c); break;
++ case 0x12: init_amd_ln(c); break;
+ case 0x15: init_amd_bd(c); break;
+ }
+
diff --git a/queue-4.7/x86-efi-use-efi_exit_boot_services.patch b/queue-4.7/x86-efi-use-efi_exit_boot_services.patch
new file mode 100644
index 00000000000..c651d3d43c1
--- /dev/null
+++ b/queue-4.7/x86-efi-use-efi_exit_boot_services.patch
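Review bot: In init_amd_ln (arch/x86/kernel/cpu/amd.c) the result of `msr_set_bit(MSR_AMD64_DE_CFG, 31)` is discarded, so a failed MSR access leaves erratum 665 unmitigated with nothing in the log. That seems most likely when running as a guest whose hypervisor filters this MSR, though the patch does not say. Checking the return, e.g. `if (msr_set_bit(MSR_AMD64_DE_CFG, 31) < 0) pr_warn_once("AMD erratum 665 workaround not applied\n");`, would make the gap visible. The bare `31` could also get a named constant next to the MSR define so the bit's meaning is documented in one place.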
@@ -0,0 +1,193 @@
+From d64934019f6cc39202e2f78063709f61ca5cb364 Mon Sep 17 00:00:00 2001
+From: Jeffrey Hugo
+Date: Mon, 29 Aug 2016 14:38:54 -0600
+Subject: x86/efi: Use efi_exit_boot_services()
+
+From: Jeffrey Hugo
+
+commit d64934019f6cc39202e2f78063709f61ca5cb364 upstream.
+
+The eboot code directly calls ExitBootServices. This is inadvisable as the
+UEFI spec details a complex set of errors, race conditions, and API
+interactions that the caller of ExitBootServices must get correct. The
+eboot code attempts allocations after calling ExitBootSerives which is
+not permitted per the spec. Call the efi_exit_boot_services() helper
+intead, which handles the allocation scenario properly.
+
+Signed-off-by: Jeffrey Hugo
+Cc: Ard Biesheuvel
+Cc: Mark Rutland
+Cc: Leif Lindholm
+Cc: Ingo Molnar
+Signed-off-by: Matt Fleming
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/boot/compressed/eboot.c | 134 +++++++++++++++++++--------------------
+ 1 file changed, 66 insertions(+), 68 deletions(-)
+
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -1006,85 +1006,87 @@ static efi_status_t alloc_e820ext(u32 nr
+ return status;
+ }
+
++struct exit_boot_struct {
++ struct boot_params *boot_params;
++ struct efi_info *efi;
++ struct setup_data *e820ext;
++ __u32 e820ext_size;
++ bool is64;
++};
++
++static efi_status_t exit_boot_func(efi_system_table_t *sys_table_arg,
++ struct efi_boot_memmap *map,
++ void *priv)
++{
++ static bool first = true;
++ const char *signature;
++ __u32 nr_desc;
++ efi_status_t status;
++ struct exit_boot_struct *p = priv;
++
++ if (first) {
++ nr_desc = *map->buff_size / *map->desc_size;
++ if (nr_desc > ARRAY_SIZE(p->boot_params->e820_map)) {
++ u32 nr_e820ext = nr_desc -
++ ARRAY_SIZE(p->boot_params->e820_map);
++
++ status = alloc_e820ext(nr_e820ext, &p->e820ext,
++ &p->e820ext_size);
++ if (status != EFI_SUCCESS)
++ return status;
++ }
++ first = false;
++ }
++
++ signature = p->is64 ? EFI64_LOADER_SIGNATURE : EFI32_LOADER_SIGNATURE;
++ memcpy(&p->efi->efi_loader_signature, signature, sizeof(__u32));
++
++ p->efi->efi_systab = (unsigned long)sys_table_arg;
++ p->efi->efi_memdesc_size = *map->desc_size;
++ p->efi->efi_memdesc_version = *map->desc_ver;
++ p->efi->efi_memmap = (unsigned long)*map->map;
++ p->efi->efi_memmap_size = *map->map_size;
++
++#ifdef CONFIG_X86_64
++ p->efi->efi_systab_hi = (unsigned long)sys_table_arg >> 32;
++ p->efi->efi_memmap_hi = (unsigned long)*map->map >> 32;
++#endif
++
++ return EFI_SUCCESS;
++}
++
+ static efi_status_t exit_boot(struct boot_params *boot_params,
+ void *handle, bool is64)
+ {
+- struct efi_info *efi = &boot_params->efi_info;
+ unsigned long map_sz, key, desc_size, buff_size;
+ efi_memory_desc_t *mem_map;
+ struct setup_data *e820ext;
+- const char *signature;
+ __u32 e820ext_size;
+- __u32 nr_desc, prev_nr_desc;
+ efi_status_t status;
+ __u32 desc_version;
+- bool called_exit = false;
+- u8 nr_entries;
+- int i;
+ struct efi_boot_memmap map;
++ struct exit_boot_struct priv;
+
+- nr_desc = 0;
+- e820ext = NULL;
+- e820ext_size = 0;
+- map.map = &mem_map;
+- map.map_size = &map_sz;
+- map.desc_size = &desc_size;
+- map.desc_ver = &desc_version;
+- map.key_ptr = &key;
+- map.buff_size = &buff_size;
+-
+-get_map:
+- status = efi_get_memory_map(sys_table, &map);
++ map.map = &mem_map;
++ map.map_size = &map_sz;
++ map.desc_size = &desc_size;
++ map.desc_ver = &desc_version;
++ map.key_ptr = &key;
++ map.buff_size = &buff_size;
++ priv.boot_params = boot_params;
++ priv.efi = &boot_params->efi_info;
++ priv.e820ext = NULL;
++ priv.e820ext_size = 0;
++ priv.is64 = is64;
+
++ /* Might as well exit boot services now */
++ status = efi_exit_boot_services(sys_table, handle, &map, &priv,
++ exit_boot_func);
+ if (status != EFI_SUCCESS)
+ return status;
+
+- prev_nr_desc = nr_desc;
+- nr_desc = map_sz / desc_size;
+- if (nr_desc > prev_nr_desc &&
+- nr_desc > ARRAY_SIZE(boot_params->e820_map)) {
+- u32 nr_e820ext = nr_desc - ARRAY_SIZE(boot_params->e820_map);
+-
+- status = alloc_e820ext(nr_e820ext, &e820ext, &e820ext_size);
+- if (status != EFI_SUCCESS)
+- goto free_mem_map;
+-
+- efi_call_early(free_pool, mem_map);
+- goto get_map; /* Allocated memory, get map again */
+- }
+-
+- signature = is64 ? EFI64_LOADER_SIGNATURE : EFI32_LOADER_SIGNATURE;
+- memcpy(&efi->efi_loader_signature, signature, sizeof(__u32));
+-
+- efi->efi_systab = (unsigned long)sys_table;
+- efi->efi_memdesc_size = desc_size;
+- efi->efi_memdesc_version = desc_version;
+- efi->efi_memmap = (unsigned long)mem_map;
+- efi->efi_memmap_size = map_sz;
+-
+-#ifdef CONFIG_X86_64
+- efi->efi_systab_hi = (unsigned long)sys_table >> 32;
+- efi->efi_memmap_hi = (unsigned long)mem_map >> 32;
+-#endif
+-
+- /* Might as well exit boot services now */
+- status = efi_call_early(exit_boot_services, handle, key);
+- if (status != EFI_SUCCESS) {
+- /*
+- * ExitBootServices() will fail if any of the event
+- * handlers change the memory map. In which case, we
+- * must be prepared to retry, but only once so that
+- * we're guaranteed to exit on repeated failures instead
+- * of spinning forever.
+- */
+- if (called_exit)
+- goto free_mem_map;
+-
+- called_exit = true;
+- efi_call_early(free_pool, mem_map);
+- goto get_map;
+- }
+-
++ e820ext = priv.e820ext;
++ e820ext_size = priv.e820ext_size;
+ /* Historic? */
+ boot_params->alt_mem_k = 32 * 1024;
+
+@@ -1093,10 +1095,6 @@ get_map:
+ return status;
+
+ return EFI_SUCCESS;
+-
+-free_mem_map:
+- efi_call_early(free_pool, mem_map);
+- return status;
+ }
+
+ /*
diff --git a/queue-4.7/x86-paravirt-do-not-trace-_paravirt_ident_-functions.patch b/queue-4.7/x86-paravirt-do-not-trace-_paravirt_ident_-functions.patch
new file mode 100644
index 00000000000..af4f2897172
--- /dev/null
+++ b/queue-4.7/x86-paravirt-do-not-trace-_paravirt_ident_-functions.patch
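Review bot: exit_boot_func (arch/x86/boot/compressed/eboot.c) keeps its "e820ext already sized" state in a function-local `static bool first`, which hides per-call state from the caller even though a `priv` struct is passed in for exactly that purpose. The flag would be clearer as a member of `struct exit_boot_struct` (`bool first;`, set with `priv.first = true;` in exit_boot and tested as `if (p->first)`). The sizing from `*map->buff_size / *map->desc_size` also happens only once, so if the callback is invoked again with a larger map, presumably after a failed ExitBootServices, nothing in this hunk re-checks the earlier estimate; whether the e820 setup later in exit_boot rejects that case should be confirmed, as that code is outside the hunk. A one-line comment stating that allocation is only permitted on the first call would record why the flag exists.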
@@ -0,0 +1,86 @@
+From 15301a570754c7af60335d094dd2d1808b0641a5 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt
+Date: Wed, 25 May 2016 13:47:26 -0400
+Subject: x86/paravirt: Do not trace _paravirt_ident_*() functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Steven Rostedt
+
+commit 15301a570754c7af60335d094dd2d1808b0641a5 upstream.
+
+Łukasz Daniluk reported that on a RHEL kernel that his machine would lock up
+after enabling function tracer. I asked him to bisect the functions within
+available_filter_functions, which he did and it came down to three:
+
+ _paravirt_nop(), _paravirt_ident_32() and _paravirt_ident_64()
+
+It was found that this is only an issue when noreplace-paravirt is added
+to the kernel command line.
+
+This means that those functions are most likely called within critical
+sections of the funtion tracer, and must not be traced.
+
+In newer kenels _paravirt_nop() is defined within gcc asm(), and is no
+longer an issue. But both _paravirt_ident_{32,64}() causes the
+following splat when they are traced:
+
+ mm/pgtable-generic.c:33: bad pmd ffff8800d2435150(0000000001d00054)
+ mm/pgtable-generic.c:33: bad pmd ffff8800d3624190(0000000001d00070)
+ mm/pgtable-generic.c:33: bad pmd ffff8800d36a5110(0000000001d00054)
+ mm/pgtable-generic.c:33: bad pmd ffff880118eb1450(0000000001d00054)
+ NMI watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [systemd-journal:469]
+ Modules linked in: e1000e
+ CPU: 2 PID: 469 Comm: systemd-journal Not tainted 4.6.0-rc4-test+ #513
+ Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
+ task: ffff880118f740c0 ti: ffff8800d4aec000 task.ti: ffff8800d4aec000
+ RIP: 0010:[] [] queued_spin_lock_slowpath+0x118/0x1a0
+ RSP: 0018:ffff8800d4aefb90 EFLAGS: 00000246
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88011eb16d40
+ RDX: ffffffff82485760 RSI: 000000001f288820 RDI: ffffea0000008030
+ RBP: ffff8800d4aefb90 R08: 00000000000c0000 R09: 0000000000000000
+ R10: ffffffff821c8e0e R11: 0000000000000000 R12: ffff880000200fb8
+ R13: 00007f7a4e3f7000 R14: ffffea000303f600 R15: ffff8800d4b562e0
+ FS: 00007f7a4e3d7840(0000) GS:ffff88011eb00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f7a4e3f7000 CR3: 00000000d3e71000 CR4: 00000000001406e0
+ Call Trace:
+ _raw_spin_lock+0x27/0x30
+ handle_pte_fault+0x13db/0x16b0
+ handle_mm_fault+0x312/0x670
+ __do_page_fault+0x1b1/0x4e0
+ do_page_fault+0x22/0x30
+ page_fault+0x28/0x30
+ __vfs_read+0x28/0xe0
+ vfs_read+0x86/0x130
+ SyS_read+0x46/0xa0
+ entry_SYSCALL_64_fastpath+0x1e/0xa8
+ Code: 12 48 c1 ea 0c 83 e8 01 83 e2 30 48 98 48 81 c2 40 6d 01 00 48 03 14 c5 80 6a 5d 82 48 89 0a 8b 41 08 85 c0 75 09 f3 90 8b 41 08 <85> c0 74 f7 4c 8b 09 4d 85 c9 74 08 41 0f 18 09 eb 02 f3 90 8b
+
+Reported-by: Łukasz Daniluk
+Signed-off-by: Steven Rostedt
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/paravirt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/paravirt.c
++++ b/arch/x86/kernel/paravirt.c
+@@ -55,12 +55,12 @@ asm (".pushsection .entry.text, \"ax\"\n
+ ".popsection");
+
+ /* identity function, which can be inlined */
+-u32 _paravirt_ident_32(u32 x)
++u32 notrace _paravirt_ident_32(u32 x)
+ {
+ return x;
+ }
+
+-u64 _paravirt_ident_64(u64 x)
++u64 notrace _paravirt_ident_64(u64 x)
+ {
+ return x;
+ }
diff --git a/queue-4.7/xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch b/queue-4.7/xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch
new file mode 100644
index 00000000000..e6c4e14a379
--- /dev/null
+++ b/queue-4.7/xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch
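Review bot: The `notrace` added to _paravirt_ident_32 and _paravirt_ident_64 (arch/x86/kernel/paravirt.c) carries no comment, and the existing comment above them only says the functions can be inlined. Suggest extending it, e.g. `/* identity functions, which can be inlined; notrace because tracing them locks up the machine when booted with noreplace-paravirt */`, so the annotation is not later removed as apparently redundant.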
@@ -0,0 +1,48 @@
+From bcf42aa60c2832510b9be0f30c090bfd35bb172d Mon Sep 17 00:00:00 2001
+From: Mathias Nyman
+Date: Wed, 7 Sep 2016 17:26:33 +0300
+Subject: xhci: fix null pointer dereference in stop command timeout function
+
+From: Mathias Nyman
+
+commit bcf42aa60c2832510b9be0f30c090bfd35bb172d upstream.
+
+The stop endpoint command has its own 5 second timeout timer.
+If the timeout function is triggered between USB3 and USB2 host
+removal it will try to call usb_hc_died(xhci_to_hcd(xhci)->primary_hcd)
+
+the ->primary_hcd will be set to NULL at USB3 hcd removal.
+
+Fix this by first checking if the PCI host is being removed, and
+also by using only xhci_to_hcd() as it will always return the primary
+hcd.
+
+Signed-off-by: Mathias Nyman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-ring.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -840,6 +840,10 @@ void xhci_stop_endpoint_command_watchdog
+ spin_lock_irqsave(&xhci->lock, flags);
+
+ ep->stop_cmds_pending--;
++ if (xhci->xhc_state & XHCI_STATE_REMOVING) {
++ spin_unlock_irqrestore(&xhci->lock, flags);
++ return;
++ }
+ if (xhci->xhc_state & XHCI_STATE_DYING) {
+ xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
+ "Stop EP timer ran, but another timer marked "
+@@ -893,7 +897,7 @@ void xhci_stop_endpoint_command_watchdog
+ spin_unlock_irqrestore(&xhci->lock, flags);
+ xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
+ "Calling usb_hc_died()");
+- usb_hc_died(xhci_to_hcd(xhci)->primary_hcd);
++ usb_hc_died(xhci_to_hcd(xhci));
+ xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
+ "xHCI host controller is dead.");
+ }
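Review bot: The new `XHCI_STATE_REMOVING` branch in xhci_stop_endpoint_command_watchdog returns right after `ep->stop_cmds_pending--` without the trace message that the neighbouring `XHCI_STATE_DYING` branch emits, so a stop-endpoint timeout that fires during host removal leaves no record. Adding `xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, "Stop EP timer ran during host removal");` before the unlock would match the DYING path. The early return also skips whatever the rest of the function does for the stalled endpoint; that is presumably left to the removal path, but neither hunk shows it, and a comment saying so would help. The function body continues outside both hunks.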