From: Greg Kroah-Hartman Date: Tue, 29 Nov 2016 15:33:15 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.4.36~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9c6fd700731e6abd98bcde2efab89ded6f2bdba2;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: apparmor-fix-change_hat-not-finding-hat-after-policy-replacement.patch cfg80211-limit-scan-results-cache-size.patch drm-radeon-ensure-vblank-interrupt-is-enabled-on-dpms-transition-to-on.patch fix-usb-cb-cbi-storage-devices-with-config_vmap_stack-y.patch iommu-vt-d-fix-iommu-lookup-for-sr-iov-virtual-functions.patch iommu-vt-d-fix-pasid-table-allocation.patch kvm-x86-check-for-pic-and-ioapic-presence-before-use.patch kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret_far.patch mpi-fix-null-ptr-dereference-in-mpi_powm.patch nfsv4.x-hide-array-bounds-warning.patch parisc-also-flush-data-tlb-in-flush_icache_page_asm.patch parisc-fix-race-in-pci-dma.c.patch parisc-fix-races-in-parisc_setup_cache_timing.patch scsi-mpt3sas-fix-secure-erase-premature-termination.patch tile-avoid-using-clocksource_cyc2ns-with-absolute-cycle-count.patch usb-chipidea-move-the-lock-initialization-to-core-file.patch usb-serial-cp210x-add-id-for-the-zone-dpmx.patch usb-serial-ftdi_sio-add-support-for-ti-cc3200-launchpad.patch --- diff --git a/queue-4.4/apparmor-fix-change_hat-not-finding-hat-after-policy-replacement.patch b/queue-4.4/apparmor-fix-change_hat-not-finding-hat-after-policy-replacement.patch new file mode 100644 index 00000000000..7f6b6b5be83 --- /dev/null +++ b/queue-4.4/apparmor-fix-change_hat-not-finding-hat-after-policy-replacement.patch 
@@ -0,0 +1,48 @@ +From 3d40658c977769ce2138f286cf131537bf68bdfe Mon Sep 17 00:00:00 2001 +From: John Johansen +Date: Wed, 31 Aug 2016 21:10:06 -0700 +Subject: apparmor: fix change_hat not finding hat after policy replacement + +From: John Johansen + +commit 3d40658c977769ce2138f286cf131537bf68bdfe upstream. + +After a policy replacement, the task cred may be out of date and need +to be updated. However change_hat is using the stale profiles from +the out of date cred resulting in either: a stale profile being applied +or, incorrect failure when searching for a hat profile as it has been +migrated to the new parent profile. + +Fixes: 01e2b670aa898a39259bc85c78e3d74820f4d3b6 (failure to find hat) +Fixes: 898127c34ec03291c86f4ff3856d79e9e18952bc (stale policy being applied) +Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1000287 +Signed-off-by: John Johansen +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + security/apparmor/domain.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/security/apparmor/domain.c ++++ b/security/apparmor/domain.c +@@ -623,8 +623,8 @@ int aa_change_hat(const char *hats[], in + /* released below */ + cred = get_current_cred(); + cxt = cred_cxt(cred); +- profile = aa_cred_profile(cred); +- previous_profile = cxt->previous; ++ profile = aa_get_newest_profile(aa_cred_profile(cred)); ++ previous_profile = aa_get_newest_profile(cxt->previous); + + if (unconfined(profile)) { + info = "unconfined"; +@@ -720,6 +720,8 @@ audit: + out: + aa_put_profile(hat); + kfree(name); ++ aa_put_profile(profile); ++ aa_put_profile(previous_profile); + put_cred(cred); + + return error; diff --git a/queue-4.4/cfg80211-limit-scan-results-cache-size.patch b/queue-4.4/cfg80211-limit-scan-results-cache-size.patch new file mode 100644 index 00000000000..ce0cee09304 --- /dev/null +++ b/queue-4.4/cfg80211-limit-scan-results-cache-size.patch 
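Review bot: The `/* released below */` comment above `cred = get_current_cred();` now also has to cover the two profile references taken on the next lines, but the hunk leaves it unchanged, so the pairing with the two new `aa_put_profile()` calls at `out:` (a hundred lines further down, in the second hunk) is only discoverable by reading both places; extending it to `/* released below: cred, profile and previous_profile */` would make the accounting visible where the references are taken. `aa_get_newest_profile(cxt->previous)` is presumably reached with `cxt->previous == NULL` for a task that has never changed hat, so the change also relies on `aa_get_newest_profile()` and `aa_put_profile()` both accepting NULL — I believe they do in 4.4, but it is worth confirming against the policy header since the old code never dereferenced previous_profile on that path. aa_change_hat's body continues outside both hunks, so any return that bypasses `out:` would now leak a profile reference; the visible context suggests all paths reach it.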
@@ -0,0 +1,159 @@ +From 9853a55ef1bb66d7411136046060bbfb69c714fa Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 15 Nov 2016 12:05:11 +0100 +Subject: cfg80211: limit scan results cache size + +From: Johannes Berg + +commit 9853a55ef1bb66d7411136046060bbfb69c714fa upstream. + +It's possible to make scanning consume almost arbitrary amounts +of memory, e.g. by sending beacon frames with random BSSIDs at +high rates while somebody is scanning. + +Limit the number of BSS table entries we're willing to cache to +1000, limiting maximum memory usage to maybe 4-5MB, but lower +in practice - that would be the case for having both full-sized +beacon and probe response frames for each entry; this seems not +possible in practice, so a limit of 1000 entries will likely be +closer to 0.5 MB. + +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/core.h | 1 + net/wireless/scan.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 70 insertions(+) + +--- a/net/wireless/core.h ++++ b/net/wireless/core.h +@@ -72,6 +72,7 @@ struct cfg80211_registered_device { + struct list_head bss_list; + struct rb_root bss_tree; + u32 bss_generation; ++ u32 bss_entries; + struct cfg80211_scan_request *scan_req; /* protected by RTNL */ + struct sk_buff *scan_msg; + struct cfg80211_sched_scan_request __rcu *sched_scan_req; +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -56,6 +56,19 @@ + * also linked into the probe response struct. + */ + ++/* ++ * Limit the number of BSS entries stored in mac80211. Each one is ++ * a bit over 4k at most, so this limits to roughly 4-5M of memory. ++ * If somebody wants to really attack this though, they'd likely ++ * use small beacons, and only one type of frame, limiting each of ++ * the entries to a much smaller size (in order to generate more ++ * entries in total, so overhead is bigger.) 
++ */ ++static int bss_entries_limit = 1000; ++module_param(bss_entries_limit, int, 0644); ++MODULE_PARM_DESC(bss_entries_limit, ++ "limit to number of scan BSS entries (per wiphy, default 1000)"); ++ + #define IEEE80211_SCAN_RESULT_EXPIRE (30 * HZ) + + static void bss_free(struct cfg80211_internal_bss *bss) +@@ -136,6 +149,10 @@ static bool __cfg80211_unlink_bss(struct + + list_del_init(&bss->list); + rb_erase(&bss->rbn, &rdev->bss_tree); ++ rdev->bss_entries--; ++ WARN_ONCE((rdev->bss_entries == 0) ^ list_empty(&rdev->bss_list), ++ "rdev bss entries[%d]/list[empty:%d] corruption\n", ++ rdev->bss_entries, list_empty(&rdev->bss_list)); + bss_ref_put(rdev, bss); + return true; + } +@@ -162,6 +179,40 @@ static void __cfg80211_bss_expire(struct + rdev->bss_generation++; + } + ++static bool cfg80211_bss_expire_oldest(struct cfg80211_registered_device *rdev) ++{ ++ struct cfg80211_internal_bss *bss, *oldest = NULL; ++ bool ret; ++ ++ lockdep_assert_held(&rdev->bss_lock); ++ ++ list_for_each_entry(bss, &rdev->bss_list, list) { ++ if (atomic_read(&bss->hold)) ++ continue; ++ ++ if (!list_empty(&bss->hidden_list) && ++ !bss->pub.hidden_beacon_bss) ++ continue; ++ ++ if (oldest && time_before(oldest->ts, bss->ts)) ++ continue; ++ oldest = bss; ++ } ++ ++ if (WARN_ON(!oldest)) ++ return false; ++ ++ /* ++ * The callers make sure to increase rdev->bss_generation if anything ++ * gets removed (and a new entry added), so there's no need to also do ++ * it here. ++ */ ++ ++ ret = __cfg80211_unlink_bss(rdev, oldest); ++ WARN_ON(!ret); ++ return ret; ++} ++ + void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev, + bool send_message) + { +@@ -687,6 +738,7 @@ static bool cfg80211_combine_bsses(struc + const u8 *ie; + int i, ssidlen; + u8 fold = 0; ++ u32 n_entries = 0; + + ies = rcu_access_pointer(new->pub.beacon_ies); + if (WARN_ON(!ies)) +@@ -710,6 +762,12 @@ static bool cfg80211_combine_bsses(struc + /* This is the bad part ... 
*/ + + list_for_each_entry(bss, &rdev->bss_list, list) { ++ /* ++ * we're iterating all the entries anyway, so take the ++ * opportunity to validate the list length accounting ++ */ ++ n_entries++; ++ + if (!ether_addr_equal(bss->pub.bssid, new->pub.bssid)) + continue; + if (bss->pub.channel != new->pub.channel) +@@ -738,6 +796,10 @@ static bool cfg80211_combine_bsses(struc + new->pub.beacon_ies); + } + ++ WARN_ONCE(n_entries != rdev->bss_entries, ++ "rdev bss entries[%d]/list[len:%d] corruption\n", ++ rdev->bss_entries, n_entries); ++ + return true; + } + +@@ -890,7 +952,14 @@ cfg80211_bss_update(struct cfg80211_regi + } + } + ++ if (rdev->bss_entries >= bss_entries_limit && ++ !cfg80211_bss_expire_oldest(rdev)) { ++ kfree(new); ++ goto drop; ++ } ++ + list_add_tail(&new->list, &rdev->bss_list); ++ rdev->bss_entries++; + rb_insert_bss(rdev, new); + found = new; + } diff --git a/queue-4.4/drm-radeon-ensure-vblank-interrupt-is-enabled-on-dpms-transition-to-on.patch b/queue-4.4/drm-radeon-ensure-vblank-interrupt-is-enabled-on-dpms-transition-to-on.patch new file mode 100644 index 00000000000..ecc12d5f623 --- /dev/null +++ b/queue-4.4/drm-radeon-ensure-vblank-interrupt-is-enabled-on-dpms-transition-to-on.patch 
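Review bot: `bss_entries_limit` is a signed `int` writable at runtime through `module_param(bss_entries_limit, int, 0644)`, yet the new test `rdev->bss_entries >= bss_entries_limit` in cfg80211_bss_update compares it against a `u32` with no range check: a value of 0 makes the condition true on an empty list, so `cfg80211_bss_expire_oldest()` trips `WARN_ON(!oldest)` and every scan result is dropped, while a negative value converts to a very large unsigned and silently disables the limit. Either declare the knob `unsigned int` with `module_param(bss_entries_limit, uint, 0644)` and document that 0 is not meaningful, or guard the use site, e.g. `if (bss_entries_limit > 0 && rdev->bss_entries >= bss_entries_limit && !cfg80211_bss_expire_oldest(rdev))`, and say so in the MODULE_PARM_DESC text. The same `WARN_ON(!oldest)` is also reachable when every cached entry is held or is a hidden-SSID parent, which a small limit makes plausible, so a `WARN_ON_ONCE` or a plain `return false` may be preferable to an unbounded warning. On the drop path, `kfree(new)` releases only the container; if the allocation-failure path just above this hunk (outside it) frees tmp's beacon_ies/proberesp_ies before `goto drop`, this new path should do the same or the IEs leak. cfg80211_bss_update's body starts and ends outside the hunk.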
@@ -0,0 +1,67 @@ +From michel@daenzer.net Tue Nov 29 16:29:26 2016 +From: Michel Dänzer +Date: Tue, 29 Nov 2016 18:40:20 +0900 +Subject: [PATCH] drm/radeon: Ensure vblank interrupt is enabled on DPMS transition to on +To: stable@vger.kernel.org +Cc: Max Staudt +Message-ID: <20161129094020.27353-1-michel@daenzer.net> + +From: Michel Dänzer + +NOTE: This patch only applies to 4.5.y or older kernels. With newer +kernels, this problem cannot happen because the driver now uses +drm_crtc_vblank_on/off instead of drm_vblank_pre/post_modeset[0]. I +consider this patch safer for older kernels than backporting the API +change, because drm_crtc_vblank_on/off had various issues in older +kernels, and I'm not sure all fixes for those have been backported to +all stable branches where this patch could be applied. + + --------------------- + +Fixes the vblank interrupt being disabled when it should be on, which +can cause at least the following symptoms: + +* Hangs when running 'xset dpms force off' in a GNOME session with + gnome-shell using DRI2. +* RandR 1.4 slave outputs freezing with garbage displayed using + xf86-video-ati 7.8.0 or newer. 
+ +[0] See upstream commit: + +commit 777e3cbc791f131806d9bf24b3325637c7fc228d +Author: Daniel Vetter +Date: Thu Jan 21 11:08:57 2016 +0100 + + drm/radeon: Switch to drm_vblank_on/off + +Reported-and-Tested-by: Max Staudt +Reviewed-by: Daniel Vetter +Reviewed-by: Alex Deucher +Signed-off-by: Michel Dänzer +--- + drivers/gpu/drm/radeon/atombios_crtc.c | 2 ++ + drivers/gpu/drm/radeon/radeon_legacy_crtc.c | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/drivers/gpu/drm/radeon/atombios_crtc.c ++++ b/drivers/gpu/drm/radeon/atombios_crtc.c +@@ -275,6 +275,8 @@ void atombios_crtc_dpms(struct drm_crtc + atombios_enable_crtc_memreq(crtc, ATOM_ENABLE); + atombios_blank_crtc(crtc, ATOM_DISABLE); + drm_vblank_post_modeset(dev, radeon_crtc->crtc_id); ++ /* Make sure vblank interrupt is still enabled if needed */ ++ radeon_irq_set(rdev); + radeon_crtc_load_lut(crtc); + break; + case DRM_MODE_DPMS_STANDBY: +--- a/drivers/gpu/drm/radeon/radeon_legacy_crtc.c ++++ b/drivers/gpu/drm/radeon/radeon_legacy_crtc.c +@@ -331,6 +331,8 @@ static void radeon_crtc_dpms(struct drm_ + WREG32_P(RADEON_CRTC_EXT_CNTL, crtc_ext_cntl, ~(mask | crtc_ext_cntl)); + } + drm_vblank_post_modeset(dev, radeon_crtc->crtc_id); ++ /* Make sure vblank interrupt is still enabled if needed */ ++ radeon_irq_set(rdev); + radeon_crtc_load_lut(crtc); + break; + case DRM_MODE_DPMS_STANDBY: diff --git a/queue-4.4/fix-usb-cb-cbi-storage-devices-with-config_vmap_stack-y.patch b/queue-4.4/fix-usb-cb-cbi-storage-devices-with-config_vmap_stack-y.patch new file mode 100644 index 00000000000..d6f2f32209f --- /dev/null +++ b/queue-4.4/fix-usb-cb-cbi-storage-devices-with-config_vmap_stack-y.patch 
@@ -0,0 +1,43 @@ +From 2ce9d2272b98743b911196c49e7af5841381c206 Mon Sep 17 00:00:00 2001 +From: Petr Vandrovec +Date: Thu, 10 Nov 2016 13:57:14 -0800 +Subject: Fix USB CB/CBI storage devices with CONFIG_VMAP_STACK=y + +From: Petr Vandrovec + +commit 2ce9d2272b98743b911196c49e7af5841381c206 upstream. + +Some code (all error handling) submits CDBs that are allocated +on the stack. This breaks with CB/CBI code that tries to create +URB directly from SCSI command buffer - which happens to be in +vmalloced memory with vmalloced kernel stacks. + +Let's make copy of the command in usb_stor_CB_transport. + +Signed-off-by: Petr Vandrovec +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/transport.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/usb/storage/transport.c ++++ b/drivers/usb/storage/transport.c +@@ -919,10 +919,15 @@ int usb_stor_CB_transport(struct scsi_cm + + /* COMMAND STAGE */ + /* let's send the command via the control pipe */ ++ /* ++ * Command is sometime (f.e. after scsi_eh_prep_cmnd) on the stack. ++ * Stack may be vmallocated. So no DMA for us. Make a copy. ++ */ ++ memcpy(us->iobuf, srb->cmnd, srb->cmd_len); + result = usb_stor_ctrl_transfer(us, us->send_ctrl_pipe, + US_CBI_ADSC, + USB_TYPE_CLASS | USB_RECIP_INTERFACE, 0, +- us->ifnum, srb->cmnd, srb->cmd_len); ++ us->ifnum, us->iobuf, srb->cmd_len); + + /* check the return code for the command */ + usb_stor_dbg(us, "Call to usb_stor_ctrl_transfer() returned %d\n", diff --git a/queue-4.4/iommu-vt-d-fix-iommu-lookup-for-sr-iov-virtual-functions.patch b/queue-4.4/iommu-vt-d-fix-iommu-lookup-for-sr-iov-virtual-functions.patch new file mode 100644 index 00000000000..09c32b1cd3b --- /dev/null +++ b/queue-4.4/iommu-vt-d-fix-iommu-lookup-for-sr-iov-virtual-functions.patch 
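Review bot: `memcpy(us->iobuf, srb->cmnd, srb->cmd_len)` copies a length chosen by the command originator into a fixed-size buffer, and nothing in the hunk states what bounds `srb->cmd_len` relative to the size of `us->iobuf`; presumably the SCSI midlayer rejects commands longer than the host's max_cmd_len before they reach the transport, but that invariant lives far from this copy. A one-line comment naming the bound, `/* cmd_len is bounded by the host's max_cmd_len, well below US_IOBUF_SIZE */`, or a `BUILD_BUG_ON(US_IOBUF_SIZE < BLK_MAX_CDB);` next to the copy would pin the assumption so a later change to either limit cannot turn this into an overflow. The added comment could also drop the informal "sometime (f.e. ...)" wording in favour of "The CDB may live on the (vmalloc'ed) stack after scsi_eh_prep_cmnd, so it cannot be DMA'd directly". usb_stor_CB_transport's body starts and ends outside the hunk.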
@@ -0,0 +1,81 @@ +From 1c387188c60f53b338c20eee32db055dfe022a9b Mon Sep 17 00:00:00 2001 +From: Ashok Raj +Date: Fri, 21 Oct 2016 15:32:05 -0700 +Subject: iommu/vt-d: Fix IOMMU lookup for SR-IOV Virtual Functions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ashok Raj + +commit 1c387188c60f53b338c20eee32db055dfe022a9b upstream. + +The VT-d specification (§8.3.3) says: + ‘Virtual Functions’ of a ‘Physical Function’ are under the scope + of the same remapping unit as the ‘Physical Function’. + +The BIOS is not required to list all the possible VFs in the scope +tables, and arguably *shouldn't* make any attempt to do so, since there +could be a huge number of them. + +This has been broken basically for ever — the VF is never going to match +against a specific unit's scope, so it ends up being assigned to the +INCLUDE_ALL IOMMU. Which was always actually correct by coincidence, but +now we're looking at Root-Complex integrated devices with SR-IOV support +it's going to start being wrong. + +Fix it to simply use pci_physfn() before doing the lookup for PCI devices. + +Signed-off-by: Sainath Grandhi +Signed-off-by: Ashok Raj +Signed-off-by: David Woodhouse +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/dmar.c | 4 +++- + drivers/iommu/intel-iommu.c | 13 +++++++++++++ + 2 files changed, 16 insertions(+), 1 deletion(-) + +--- a/drivers/iommu/dmar.c ++++ b/drivers/iommu/dmar.c +@@ -326,7 +326,9 @@ static int dmar_pci_bus_notifier(struct + struct pci_dev *pdev = to_pci_dev(data); + struct dmar_pci_notify_info *info; + +- /* Only care about add/remove events for physical functions */ ++ /* Only care about add/remove events for physical functions. ++ * For VFs we actually do the lookup based on the corresponding ++ * PF in device_to_iommu() anyway. 
*/ + if (pdev->is_virtfn) + return NOTIFY_DONE; + if (action != BUS_NOTIFY_ADD_DEVICE && +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -885,7 +885,13 @@ static struct intel_iommu *device_to_iom + return NULL; + + if (dev_is_pci(dev)) { ++ struct pci_dev *pf_pdev; ++ + pdev = to_pci_dev(dev); ++ /* VFs aren't listed in scope tables; we need to look up ++ * the PF instead to find the IOMMU. */ ++ pf_pdev = pci_physfn(pdev); ++ dev = &pf_pdev->dev; + segment = pci_domain_nr(pdev->bus); + } else if (has_acpi_companion(dev)) + dev = &ACPI_COMPANION(dev)->dev; +@@ -898,6 +904,13 @@ static struct intel_iommu *device_to_iom + for_each_active_dev_scope(drhd->devices, + drhd->devices_cnt, i, tmp) { + if (tmp == dev) { ++ /* For a VF use its original BDF# not that of the PF ++ * which we used for the IOMMU lookup. Strictly speaking ++ * we could do this for all PCI devices; we only need to ++ * get the BDF# from the scope table for ACPI matches. */ ++ if (pdev->is_virtfn) ++ goto got_pdev; ++ + *bus = drhd->devices[i].bus; + *devfn = drhd->devices[i].devfn; + goto out; diff --git a/queue-4.4/iommu-vt-d-fix-pasid-table-allocation.patch b/queue-4.4/iommu-vt-d-fix-pasid-table-allocation.patch new file mode 100644 index 00000000000..1f2f154f45c --- /dev/null +++ b/queue-4.4/iommu-vt-d-fix-pasid-table-allocation.patch 
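Review bot: After `dev = &pf_pdev->dev;` the two locals in device_to_iommu refer to different devices — `pdev` stays the VF while `dev` is the PF — and the second hunk relies on exactly that split (`if (pdev->is_virtfn) goto got_pdev;` reports the VF's own bus/devfn), but neither hunk says so at the point of divergence. A comment on the reassignment such as `/* from here on dev is the PF used for the scope match; pdev remains the VF so its own BDF can be reported */` would keep a later reader from "fixing" one of them. It is also worth noting in the commit message or a comment that `pci_physfn()` returns the device itself for a non-VF, which is what keeps the ordinary PF path unchanged. device_to_iommu's body starts before and ends after the hunks, and the `got_pdev` label is outside the visible context.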
@@ -0,0 +1,102 @@ +From 910170442944e1f8674fd5ddbeeb8ccd1877ea98 Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Mon, 12 Sep 2016 10:49:11 +0800 +Subject: iommu/vt-d: Fix PASID table allocation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David Woodhouse + +commit 910170442944e1f8674fd5ddbeeb8ccd1877ea98 upstream. + +Somehow I ended up with an off-by-three error in calculating the size of +the PASID and PASID State tables, which triggers allocations failures as +those tables unfortunately have to be physically contiguous. + +In fact, even the *correct* maximum size of 8MiB is problematic and is +wont to lead to allocation failures. Since I have extracted a promise +that this *will* be fixed in hardware, I'm happy to limit it on the +current hardware to a maximum of 0x20000 PASIDs, which gives us 1MiB +tables — still not ideal, but better than before. + +Reported by Mika Kuoppala and also by +Xunlei Pang who submitted a simpler patch to fix +only the allocation (and not the free) to the "correct" limit... which +was still problematic. + +Signed-off-by: David Woodhouse +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/intel-svm.c | 26 ++++++++++++++++---------- + include/linux/intel-iommu.h | 1 + + 2 files changed, 17 insertions(+), 10 deletions(-) + +--- a/drivers/iommu/intel-svm.c ++++ b/drivers/iommu/intel-svm.c +@@ -39,10 +39,18 @@ int intel_svm_alloc_pasid_tables(struct + struct page *pages; + int order; + +- order = ecap_pss(iommu->ecap) + 7 - PAGE_SHIFT; +- if (order < 0) +- order = 0; ++ /* Start at 2 because it's defined as 2^(1+PSS) */ ++ iommu->pasid_max = 2 << ecap_pss(iommu->ecap); + ++ /* Eventually I'm promised we will get a multi-level PASID table ++ * and it won't have to be physically contiguous. Until then, ++ * limit the size because 8MiB contiguous allocations can be hard ++ * to come by. 
The limit of 0x20000, which is 1MiB for each of ++ * the PASID and PASID-state tables, is somewhat arbitrary. */ ++ if (iommu->pasid_max > 0x20000) ++ iommu->pasid_max = 0x20000; ++ ++ order = get_order(sizeof(struct pasid_entry) * iommu->pasid_max); + pages = alloc_pages(GFP_KERNEL | __GFP_ZERO, order); + if (!pages) { + pr_warn("IOMMU: %s: Failed to allocate PASID table\n", +@@ -53,6 +61,8 @@ int intel_svm_alloc_pasid_tables(struct + pr_info("%s: Allocated order %d PASID table.\n", iommu->name, order); + + if (ecap_dis(iommu->ecap)) { ++ /* Just making it explicit... */ ++ BUILD_BUG_ON(sizeof(struct pasid_entry) != sizeof(struct pasid_state_entry)); + pages = alloc_pages(GFP_KERNEL | __GFP_ZERO, order); + if (pages) + iommu->pasid_state_table = page_address(pages); +@@ -68,11 +78,7 @@ int intel_svm_alloc_pasid_tables(struct + + int intel_svm_free_pasid_tables(struct intel_iommu *iommu) + { +- int order; +- +- order = ecap_pss(iommu->ecap) + 7 - PAGE_SHIFT; +- if (order < 0) +- order = 0; ++ int order = get_order(sizeof(struct pasid_entry) * iommu->pasid_max); + + if (iommu->pasid_table) { + free_pages((unsigned long)iommu->pasid_table, order); +@@ -371,8 +377,8 @@ int intel_svm_bind_mm(struct device *dev + } + svm->iommu = iommu; + +- if (pasid_max > 2 << ecap_pss(iommu->ecap)) +- pasid_max = 2 << ecap_pss(iommu->ecap); ++ if (pasid_max > iommu->pasid_max) ++ pasid_max = iommu->pasid_max; + + /* Do not use PASID 0 in caching mode (virtualised IOMMU) */ + ret = idr_alloc(&iommu->pasid_idr, svm, +--- a/include/linux/intel-iommu.h ++++ b/include/linux/intel-iommu.h +@@ -429,6 +429,7 @@ struct intel_iommu { + struct page_req_dsc *prq; + unsigned char prq_name[16]; /* Name for PRQ interrupt */ + struct idr pasid_idr; ++ u32 pasid_max; + #endif + struct q_inval *qi; /* Queued invalidation info */ + u32 *iommu_state; /* Store iommu states between suspend and resume.*/ 
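Review bot: `iommu->pasid_max = 2 << ecap_pss(iommu->ecap);` evaluates the shift as a signed `int` and only then stores it into the new `u32` field; since the result is immediately clamped to 0x20000, writing it as `2U << ecap_pss(iommu->ecap)` costs nothing and avoids a signed-overflow shift if the 5-bit PSS field ever reports a large value. The new `u32 pasid_max;` member in intel-iommu.h is the only field in that stretch of the struct without a trailing comment; `u32 pasid_max; /* Max PASIDs this IOMMU's tables are sized for (clamped at alloc) */` would match its neighbours and tell readers that the free path in intel_svm_free_pasid_tables depends on the value set by the alloc path. intel_svm_alloc_pasid_tables, intel_svm_free_pasid_tables and intel_svm_bind_mm each start or end outside their hunks.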
diff --git a/queue-4.4/kvm-x86-check-for-pic-and-ioapic-presence-before-use.patch b/queue-4.4/kvm-x86-check-for-pic-and-ioapic-presence-before-use.patch new file mode 100644 index 00000000000..70d1d98d432 --- /dev/null +++ b/queue-4.4/kvm-x86-check-for-pic-and-ioapic-presence-before-use.patch 
@@ -0,0 +1,92 @@ +From df492896e6dfb44fd1154f5402428d8e52705081 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= +Date: Wed, 23 Nov 2016 21:25:48 +0100 +Subject: KVM: x86: check for pic and ioapic presence before use +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Radim Krčmář + +commit df492896e6dfb44fd1154f5402428d8e52705081 upstream. + +Split irqchip allows pic and ioapic routes to be used without them being +created, which results in NULL access. Check for NULL and avoid it. +(The setup is too racy for a nicer solutions.) + +Found by syzkaller: + + general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN + Dumping ftrace buffer: + (ftrace buffer empty) + Modules linked in: + CPU: 3 PID: 11923 Comm: kworker/3:2 Not tainted 4.9.0-rc5+ #27 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + Workqueue: events irqfd_inject + task: ffff88006a06c7c0 task.stack: ffff880068638000 + RIP: 0010:[...] [...] __lock_acquire+0xb35/0x3380 kernel/locking/lockdep.c:3221 + RSP: 0000:ffff88006863ea20 EFLAGS: 00010006 + RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000000 + RDX: 0000000000000039 RSI: 0000000000000000 RDI: 1ffff1000d0c7d9e + RBP: ffff88006863ef58 R08: 0000000000000001 R09: 0000000000000000 + R10: 00000000000001c8 R11: 0000000000000000 R12: ffff88006a06c7c0 + R13: 0000000000000001 R14: ffffffff8baab1a0 R15: 0000000000000001 + FS: 0000000000000000(0000) GS:ffff88006d100000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00000000004abdd0 CR3: 000000003e2f2000 CR4: 00000000000026e0 + Stack: + ffffffff894d0098 1ffff1000d0c7d56 ffff88006863ecd0 dffffc0000000000 + ffff88006a06c7c0 0000000000000000 ffff88006863ecf8 0000000000000082 + 0000000000000000 ffffffff815dd7c1 ffffffff00000000 ffffffff00000000 + Call Trace: + [...] lock_acquire+0x2a2/0x790 kernel/locking/lockdep.c:3746 + [...] 
__raw_spin_lock include/linux/spinlock_api_smp.h:144 + [...] _raw_spin_lock+0x38/0x50 kernel/locking/spinlock.c:151 + [...] spin_lock include/linux/spinlock.h:302 + [...] kvm_ioapic_set_irq+0x4c/0x100 arch/x86/kvm/ioapic.c:379 + [...] kvm_set_ioapic_irq+0x8f/0xc0 arch/x86/kvm/irq_comm.c:52 + [...] kvm_set_irq+0x239/0x640 arch/x86/kvm/../../../virt/kvm/irqchip.c:101 + [...] irqfd_inject+0xb4/0x150 arch/x86/kvm/../../../virt/kvm/eventfd.c:60 + [...] process_one_work+0xb40/0x1ba0 kernel/workqueue.c:2096 + [...] worker_thread+0x214/0x18a0 kernel/workqueue.c:2230 + [...] kthread+0x328/0x3e0 kernel/kthread.c:209 + [...] ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:433 + +Reported-by: Dmitry Vyukov +Fixes: 49df6397edfc ("KVM: x86: Split the APIC from the rest of IRQCHIP.") +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/irq_comm.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/arch/x86/kvm/irq_comm.c ++++ b/arch/x86/kvm/irq_comm.c +@@ -38,6 +38,15 @@ static int kvm_set_pic_irq(struct kvm_ke + bool line_status) + { + struct kvm_pic *pic = pic_irqchip(kvm); ++ ++ /* ++ * XXX: rejecting pic routes when pic isn't in use would be better, ++ * but the default routing table is installed while kvm->arch.vpic is ++ * NULL and KVM_CREATE_IRQCHIP can race with KVM_IRQ_LINE. ++ */ ++ if (!pic) ++ return -1; ++ + return kvm_pic_set_irq(pic, e->irqchip.pin, irq_source_id, level); + } + +@@ -46,6 +55,10 @@ static int kvm_set_ioapic_irq(struct kvm + bool line_status) + { + struct kvm_ioapic *ioapic = kvm->arch.vioapic; ++ ++ if (!ioapic) ++ return -1; ++ + return kvm_ioapic_set_irq(ioapic, e->irqchip.pin, irq_source_id, level, + line_status); + } diff --git a/queue-4.4/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret_far.patch b/queue-4.4/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret_far.patch new file mode 100644 index 00000000000..c2d3408965e --- /dev/null 
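Review bot: The ioapic check in kvm_set_ioapic_irq gets no explanation while the identical pic check above it carries a three-line comment about the KVM_CREATE_IRQCHIP/KVM_IRQ_LINE race; a short pointer such as `/* Same race as kvm_set_pic_irq: the ioapic may not exist yet. */` above `if (!ioapic)` would keep the two sites from drifting apart when one is later revisited. Both sites also return a bare `-1`; a comment stating what the callers of kvm_set_irq make of a negative return (treated as "not delivered" rather than an error to propagate, if I read the commit message correctly) would make the choice of value reviewable. kvm_set_pic_irq and kvm_set_ioapic_irq both start before their hunks.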
+++ b/queue-4.4/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret_far.patch 
@@ -0,0 +1,128 @@ +From 2117d5398c81554fbf803f5fd1dc55eb78216c0c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= +Date: Wed, 23 Nov 2016 21:15:00 +0100 +Subject: KVM: x86: drop error recovery in em_jmp_far and em_ret_far +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Radim Krčmář + +commit 2117d5398c81554fbf803f5fd1dc55eb78216c0c upstream. + +em_jmp_far and em_ret_far assumed that setting IP can only fail in 64 +bit mode, but syzkaller proved otherwise (and SDM agrees). +Code segment was restored upon failure, but it was left uninitialized +outside of long mode, which could lead to a leak of host kernel stack. +We could have fixed that by always saving and restoring the CS, but we +take a simpler approach and just break any guest that manages to fail +as the error recovery is error-prone and modern CPUs don't need emulator +for this. + +Found by syzkaller: + + WARNING: CPU: 2 PID: 3668 at arch/x86/kvm/emulate.c:2217 em_ret_far+0x428/0x480 + Kernel panic - not syncing: panic_on_warn set ... + + CPU: 2 PID: 3668 Comm: syz-executor Not tainted 4.9.0-rc4+ #49 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + [...] + Call Trace: + [...] __dump_stack lib/dump_stack.c:15 + [...] dump_stack+0xb3/0x118 lib/dump_stack.c:51 + [...] panic+0x1b7/0x3a3 kernel/panic.c:179 + [...] __warn+0x1c4/0x1e0 kernel/panic.c:542 + [...] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585 + [...] em_ret_far+0x428/0x480 arch/x86/kvm/emulate.c:2217 + [...] em_ret_far_imm+0x17/0x70 arch/x86/kvm/emulate.c:2227 + [...] x86_emulate_insn+0x87a/0x3730 arch/x86/kvm/emulate.c:5294 + [...] x86_emulate_instruction+0x520/0x1ba0 arch/x86/kvm/x86.c:5545 + [...] emulate_instruction arch/x86/include/asm/kvm_host.h:1116 + [...] complete_emulated_io arch/x86/kvm/x86.c:6870 + [...] complete_emulated_mmio+0x4e9/0x710 arch/x86/kvm/x86.c:6934 + [...] 
kvm_arch_vcpu_ioctl_run+0x3b7a/0x5a90 arch/x86/kvm/x86.c:6978 + [...] kvm_vcpu_ioctl+0x61e/0xdd0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2557 + [...] vfs_ioctl fs/ioctl.c:43 + [...] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679 + [...] SYSC_ioctl fs/ioctl.c:694 + [...] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 + [...] entry_SYSCALL_64_fastpath+0x1f/0xc2 + +Reported-by: Dmitry Vyukov +Fixes: d1442d85cc30 ("KVM: x86: Handle errors when RIP is set during far jumps") +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/emulate.c | 36 +++++++++++------------------------- + 1 file changed, 11 insertions(+), 25 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -2093,16 +2093,10 @@ static int em_iret(struct x86_emulate_ct + static int em_jmp_far(struct x86_emulate_ctxt *ctxt) + { + int rc; +- unsigned short sel, old_sel; +- struct desc_struct old_desc, new_desc; +- const struct x86_emulate_ops *ops = ctxt->ops; ++ unsigned short sel; ++ struct desc_struct new_desc; + u8 cpl = ctxt->ops->cpl(ctxt); + +- /* Assignment of RIP may only fail in 64-bit mode */ +- if (ctxt->mode == X86EMUL_MODE_PROT64) +- ops->get_segment(ctxt, &old_sel, &old_desc, NULL, +- VCPU_SREG_CS); +- + memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2); + + rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl, +@@ -2112,12 +2106,10 @@ static int em_jmp_far(struct x86_emulate + return rc; + + rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc); +- if (rc != X86EMUL_CONTINUE) { +- WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64); +- /* assigning eip failed; restore the old cs */ +- ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS); +- return rc; +- } ++ /* Error handling is not implemented. 
*/ ++ if (rc != X86EMUL_CONTINUE) ++ return X86EMUL_UNHANDLEABLE; ++ + return rc; + } + +@@ -2177,14 +2169,8 @@ static int em_ret_far(struct x86_emulate + { + int rc; + unsigned long eip, cs; +- u16 old_cs; + int cpl = ctxt->ops->cpl(ctxt); +- struct desc_struct old_desc, new_desc; +- const struct x86_emulate_ops *ops = ctxt->ops; +- +- if (ctxt->mode == X86EMUL_MODE_PROT64) +- ops->get_segment(ctxt, &old_cs, &old_desc, NULL, +- VCPU_SREG_CS); ++ struct desc_struct new_desc; + + rc = emulate_pop(ctxt, &eip, ctxt->op_bytes); + if (rc != X86EMUL_CONTINUE) +@@ -2201,10 +2187,10 @@ static int em_ret_far(struct x86_emulate + if (rc != X86EMUL_CONTINUE) + return rc; + rc = assign_eip_far(ctxt, eip, &new_desc); +- if (rc != X86EMUL_CONTINUE) { +- WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64); +- ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS); +- } ++ /* Error handling is not implemented. */ ++ if (rc != X86EMUL_CONTINUE) ++ return X86EMUL_UNHANDLEABLE; ++ + return rc; + } + diff --git a/queue-4.4/mpi-fix-null-ptr-dereference-in-mpi_powm.patch b/queue-4.4/mpi-fix-null-ptr-dereference-in-mpi_powm.patch new file mode 100644 index 00000000000..548ea402023 --- /dev/null +++ b/queue-4.4/mpi-fix-null-ptr-dereference-in-mpi_powm.patch 
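Review bot: The new `/* Error handling is not implemented. */` comment in both em_jmp_far and em_ret_far states what is missing but not why the failure cannot simply be returned: by this point `__load_segment_descriptor()` has already loaded the new CS, so continuing would run the guest with a CS/RIP pair that was never valid. Something like `/* CS is already loaded; restoring it is not implemented, so refuse to continue emulation. */` captures the reasoning from the commit message at the point where a reader will look for it. In both functions the trailing `return rc;` now always returns X86EMUL_CONTINUE, so `return X86EMUL_CONTINUE;` (or collapsing to `return rc != X86EMUL_CONTINUE ? X86EMUL_UNHANDLEABLE : rc;`) would read more directly. Both function bodies start outside their respective hunks.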
@@ -0,0 +1,100 @@ +From f5527fffff3f002b0a6b376163613b82f69de073 Mon Sep 17 00:00:00 2001 +From: Andrey Ryabinin +Date: Thu, 24 Nov 2016 13:23:10 +0000 +Subject: mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] + +From: Andrey Ryabinin + +commit f5527fffff3f002b0a6b376163613b82f69de073 upstream. + +This fixes CVE-2016-8650. + +If mpi_powm() is given a zero exponent, it wants to immediately return +either 1 or 0, depending on the modulus. However, if the result was +initalised with zero limb space, no limbs space is allocated and a +NULL-pointer exception ensues. + +Fix this by allocating a minimal amount of limb space for the result when +the 0-exponent case when the result is 1 and not touching the limb space +when the result is 0. + +This affects the use of RSA keys and X.509 certificates that carry them. + +BUG: unable to handle kernel NULL pointer dereference at (null) +IP: [] mpi_powm+0x32/0x7e6 +PGD 0 +Oops: 0002 [#1] SMP +Modules linked in: +CPU: 3 PID: 3014 Comm: keyctl Not tainted 4.9.0-rc6-fscache+ #278 +Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014 +task: ffff8804011944c0 task.stack: ffff880401294000 +RIP: 0010:[] [] mpi_powm+0x32/0x7e6 +RSP: 0018:ffff880401297ad8 EFLAGS: 00010212 +RAX: 0000000000000000 RBX: ffff88040868bec0 RCX: ffff88040868bba0 +RDX: ffff88040868b260 RSI: ffff88040868bec0 RDI: ffff88040868bee0 +RBP: ffff880401297ba8 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000047 R11: ffffffff8183b210 R12: 0000000000000000 +R13: ffff8804087c7600 R14: 000000000000001f R15: ffff880401297c50 +FS: 00007f7a7918c700(0000) GS:ffff88041fb80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000000 CR3: 0000000401250000 CR4: 00000000001406e0 +Stack: + ffff88040868bec0 0000000000000020 ffff880401297b00 ffffffff81376cd4 + 0000000000000100 ffff880401297b10 ffffffff81376d12 ffff880401297b30 + ffffffff81376f37 0000000000000100 0000000000000000 ffff880401297ba8 +Call Trace: + [] ? 
__sg_page_iter_next+0x43/0x66 + [] ? sg_miter_get_next_page+0x1b/0x5d + [] ? sg_miter_next+0x17/0xbd + [] ? mpi_read_raw_from_sgl+0xf2/0x146 + [] rsa_verify+0x9d/0xee + [] ? pkcs1pad_sg_set_buf+0x2e/0xbb + [] pkcs1pad_verify+0xc0/0xe1 + [] public_key_verify_signature+0x1b0/0x228 + [] x509_check_for_self_signed+0xa1/0xc4 + [] x509_cert_parse+0x167/0x1a1 + [] x509_key_preparse+0x21/0x1a1 + [] asymmetric_key_preparse+0x34/0x61 + [] key_create_or_update+0x145/0x399 + [] SyS_add_key+0x154/0x19e + [] do_syscall_64+0x80/0x191 + [] entry_SYSCALL64_slow_path+0x25/0x25 +Code: 56 41 55 41 54 53 48 81 ec a8 00 00 00 44 8b 71 04 8b 42 04 4c 8b 67 18 45 85 f6 89 45 80 0f 84 b4 06 00 00 85 c0 75 2f 41 ff ce <49> c7 04 24 01 00 00 00 b0 01 75 0b 48 8b 41 18 48 83 38 01 0f +RIP [] mpi_powm+0x32/0x7e6 + RSP +CR2: 0000000000000000 +---[ end trace d82015255d4a5d8d ]--- + +Basically, this is a backport of a libgcrypt patch: + + http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526 + +Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files (part 1)") +Signed-off-by: Andrey Ryabinin +Signed-off-by: David Howells +cc: Dmitry Kasatkin +cc: linux-ima-devel@lists.sourceforge.net +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + lib/mpi/mpi-pow.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/lib/mpi/mpi-pow.c ++++ b/lib/mpi/mpi-pow.c +@@ -64,8 +64,13 @@ int mpi_powm(MPI res, MPI base, MPI exp, + if (!esize) { + /* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0 + * depending on if MOD equals 1. */ +- rp[0] = 1; + res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1; ++ if (res->nlimbs) { ++ if (mpi_resize(res, 1) < 0) ++ goto enomem; ++ rp = res->d; ++ rp[0] = 1; ++ } + res->sign = 0; + goto leave; + } diff --git a/queue-4.4/nfsv4.x-hide-array-bounds-warning.patch b/queue-4.4/nfsv4.x-hide-array-bounds-warning.patch new file mode 100644 index 00000000000..1c35c94a2b6 --- /dev/null 
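Review bot: The comment above the zero-exponent branch still describes only the arithmetic ("1 or 0 depending on if MOD equals 1") and says nothing about why a resize now precedes the single-limb store or why `rp` is reloaded; adding `/* res may have been created with zero limb space, so allocate the one limb we need; mpi_resize() can move res->d, hence rp is reloaded */` would document both the NULL-dereference this fixes and the aliasing hazard for anyone touching the block later. For the `nlimbs == 0` result, `rp` is left pointing at whatever `res->d` was on entry, which is fine only because nothing in the branch writes through it afterwards; a reader would benefit from that being stated too. mpi_powm's body, including the `enomem` and `leave` labels, lies outside the hunk.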
+++ b/queue-4.4/nfsv4.x-hide-array-bounds-warning.patch @@ -0,0 +1,46 @@ +From d55b352b01bc78fbc3d1bb650140668b87e58bf9 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 22 Nov 2016 21:50:52 +0100 +Subject: NFSv4.x: hide array-bounds warning + +From: Arnd Bergmann + +commit d55b352b01bc78fbc3d1bb650140668b87e58bf9 upstream. + +A correct bugfix introduced a harmless warning that shows up with gcc-7: + +fs/nfs/callback.c: In function 'nfs_callback_up': +fs/nfs/callback.c:214:14: error: array subscript is outside array bounds [-Werror=array-bounds] + +What happens here is that the 'minorversion == 0' check tells the +compiler that we assume minorversion can be something other than 0, +but when CONFIG_NFS_V4_1 is disabled that would be invalid and +result in an out-of-bounds access. + +The added check for IS_ENABLED(CONFIG_NFS_V4_1) tells gcc that this +really can't happen, which makes the code slightly smaller and also +avoids the warning. + +The bugfix that introduced the warning is marked for stable backports, +we want this one backported to the same releases. + +Fixes: 98b0f80c2396 ("NFSv4.x: Fix a refcount leak in nfs_callback_up_net") +Signed-off-by: Arnd Bergmann +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/callback.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/callback.c ++++ b/fs/nfs/callback.c +@@ -261,7 +261,7 @@ static int nfs_callback_up_net(int minor + } + + ret = -EPROTONOSUPPORT; +- if (minorversion == 0) ++ if (!IS_ENABLED(CONFIG_NFS_V4_1) || minorversion == 0) + ret = nfs4_callback_up_net(serv, net); + else if (xprt->ops->bc_up) + ret = xprt->ops->bc_up(serv, net); diff --git a/queue-4.4/parisc-also-flush-data-tlb-in-flush_icache_page_asm.patch b/queue-4.4/parisc-also-flush-data-tlb-in-flush_icache_page_asm.patch new file mode 100644 index 00000000000..fb4e2611e57 --- /dev/null +++ b/queue-4.4/parisc-also-flush-data-tlb-in-flush_icache_page_asm.patch 
@@ -0,0 +1,141 @@ +From 5035b230e7b67ac12691ed3b5495bbb617027b68 Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Thu, 24 Nov 2016 20:18:14 -0500 +Subject: parisc: Also flush data TLB in flush_icache_page_asm + +From: John David Anglin + +commit 5035b230e7b67ac12691ed3b5495bbb617027b68 upstream. + +This is the second issue I noticed in reviewing the parisc TLB code. + +The fic instruction may use either the instruction or data TLB in +flushing the instruction cache. Thus, on machines with a split TLB, we +should also flush the data TLB after setting up the temporary alias +registers. + +Although this has no functional impact, I changed the pdtlb and pitlb +instructions to consistently use the index register %r0. These +instructions do not support integer displacements. + +Tested on rp3440 and c8000. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/pacache.S | 37 ++++++++++++++++++++++--------------- + 1 file changed, 22 insertions(+), 15 deletions(-) + +--- a/arch/parisc/kernel/pacache.S ++++ b/arch/parisc/kernel/pacache.S +@@ -96,7 +96,7 @@ fitmanyloop: /* Loop if LOOP >= 2 */ + + fitmanymiddle: /* Loop if LOOP >= 2 */ + addib,COND(>) -1, %r31, fitmanymiddle /* Adjusted inner loop decr */ +- pitlbe 0(%sr1, %r28) ++ pitlbe %r0(%sr1, %r28) + pitlbe,m %arg1(%sr1, %r28) /* Last pitlbe and addr adjust */ + addib,COND(>) -1, %r29, fitmanymiddle /* Middle loop decr */ + copy %arg3, %r31 /* Re-init inner loop count */ +@@ -139,7 +139,7 @@ fdtmanyloop: /* Loop if LOOP >= 2 */ + + fdtmanymiddle: /* Loop if LOOP >= 2 */ + addib,COND(>) -1, %r31, fdtmanymiddle /* Adjusted inner loop decr */ +- pdtlbe 0(%sr1, %r28) ++ pdtlbe %r0(%sr1, %r28) + pdtlbe,m %arg1(%sr1, %r28) /* Last pdtlbe and addr adjust */ + addib,COND(>) -1, %r29, fdtmanymiddle /* Middle loop decr */ + copy %arg3, %r31 /* Re-init inner loop count */ +@@ -620,12 +620,12 @@ ENTRY(copy_user_page_asm) + /* Purge any old 
translations */ + + #ifdef CONFIG_PA20 +- pdtlb,l 0(%r28) +- pdtlb,l 0(%r29) ++ pdtlb,l %r0(%r28) ++ pdtlb,l %r0(%r29) + #else + tlb_lock %r20,%r21,%r22 +- pdtlb 0(%r28) +- pdtlb 0(%r29) ++ pdtlb %r0(%r28) ++ pdtlb %r0(%r29) + tlb_unlock %r20,%r21,%r22 + #endif + +@@ -768,10 +768,10 @@ ENTRY(clear_user_page_asm) + /* Purge any old translation */ + + #ifdef CONFIG_PA20 +- pdtlb,l 0(%r28) ++ pdtlb,l %r0(%r28) + #else + tlb_lock %r20,%r21,%r22 +- pdtlb 0(%r28) ++ pdtlb %r0(%r28) + tlb_unlock %r20,%r21,%r22 + #endif + +@@ -852,10 +852,10 @@ ENTRY(flush_dcache_page_asm) + /* Purge any old translation */ + + #ifdef CONFIG_PA20 +- pdtlb,l 0(%r28) ++ pdtlb,l %r0(%r28) + #else + tlb_lock %r20,%r21,%r22 +- pdtlb 0(%r28) ++ pdtlb %r0(%r28) + tlb_unlock %r20,%r21,%r22 + #endif + +@@ -892,10 +892,10 @@ ENTRY(flush_dcache_page_asm) + sync + + #ifdef CONFIG_PA20 +- pdtlb,l 0(%r25) ++ pdtlb,l %r0(%r25) + #else + tlb_lock %r20,%r21,%r22 +- pdtlb 0(%r25) ++ pdtlb %r0(%r25) + tlb_unlock %r20,%r21,%r22 + #endif + +@@ -925,13 +925,18 @@ ENTRY(flush_icache_page_asm) + depwi 0, 31,PAGE_SHIFT, %r28 /* Clear any offset bits */ + #endif + +- /* Purge any old translation */ ++ /* Purge any old translation. Note that the FIC instruction ++ * may use either the instruction or data TLB. Given that we ++ * have a flat address space, it's not clear which TLB will be ++ * used. So, we purge both entries. */ + + #ifdef CONFIG_PA20 ++ pdtlb,l %r0(%r28) + pitlb,l %r0(%sr4,%r28) + #else + tlb_lock %r20,%r21,%r22 +- pitlb (%sr4,%r28) ++ pdtlb %r0(%r28) ++ pitlb %r0(%sr4,%r28) + tlb_unlock %r20,%r21,%r22 + #endif + +@@ -970,10 +975,12 @@ ENTRY(flush_icache_page_asm) + sync + + #ifdef CONFIG_PA20 ++ pdtlb,l %r0(%r28) + pitlb,l %r0(%sr4,%r25) + #else + tlb_lock %r20,%r21,%r22 +- pitlb (%sr4,%r25) ++ pdtlb %r0(%r28) ++ pitlb %r0(%sr4,%r25) + tlb_unlock %r20,%r21,%r22 + #endif + 
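Review bot: In the second flush_icache_page_asm hunk (@@ -970) the added data-TLB purge uses %r28 while the instruction-TLB purge on the following line uses %r25, whereas the first hunk (@@ -925) purges both entries through %r28. If %r28 is the address the flush loop between the two hunks advances (the loop is not visible here, so this is inferred), the post-loop pdtlb would target whatever %r28 ended on rather than the alias page that the pitlb purges; `pdtlb,l %r0(%r25)` and `pdtlb %r0(%r25)` would match the pitlb operand. Worth confirming against the loop body, and a short comment naming which register holds the alias address at each purge site would make the pairing checkable. The enclosing routine starts before and ends after the hunk.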
diff --git a/queue-4.4/parisc-fix-race-in-pci-dma.c.patch b/queue-4.4/parisc-fix-race-in-pci-dma.c.patch new file mode 100644 index 00000000000..44fd73e684c --- /dev/null +++ b/queue-4.4/parisc-fix-race-in-pci-dma.c.patch @@ -0,0 +1,42 @@ +From c0452fb9fb8f49c7d68ab9fa0ad092016be7b45f Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Thu, 24 Nov 2016 20:06:32 -0500 +Subject: parisc: Fix race in pci-dma.c + +From: John David Anglin + +commit c0452fb9fb8f49c7d68ab9fa0ad092016be7b45f upstream. + +We are still troubled by occasional random segmentation faults and +memory memory corruption on SMP machines. The causes quite a few +package builds to fail on the Debian buildd machines for parisc. When +gcc-6 failed to build three times in a row, I looked again at the TLB +related code. I found a couple of issues. This is the first. + +In general, we need to ensure page table updates and corresponding TLB +purges are atomic. The attached patch fixes an instance in pci-dma.c +where the page table update was not guarded by the TLB lock. + +Tested on rp3440 and c8000. So far, no further random segmentation +faults have been observed. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/pci-dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/kernel/pci-dma.c ++++ b/arch/parisc/kernel/pci-dma.c +@@ -95,8 +95,8 @@ static inline int map_pte_uncached(pte_t + + if (!pte_none(*pte)) + printk(KERN_ERR "map_pte_uncached: page already exists\n"); +- set_pte(pte, __mk_pte(*paddr_ptr, PAGE_KERNEL_UNC)); + purge_tlb_start(flags); ++ set_pte(pte, __mk_pte(*paddr_ptr, PAGE_KERNEL_UNC)); + pdtlb_kernel(orig_vaddr); + purge_tlb_end(flags); + vaddr += PAGE_SIZE; diff --git a/queue-4.4/parisc-fix-races-in-parisc_setup_cache_timing.patch b/queue-4.4/parisc-fix-races-in-parisc_setup_cache_timing.patch new file mode 100644 index 00000000000..9c6e0e411f3 --- /dev/null 
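Review bot: The reordered set_pte() in map_pte_uncached() now sits inside purge_tlb_start()/purge_tlb_end() with nothing in the code saying why, so a later cleanup could move it back out and reintroduce the race the commit message describes. Suggest a comment on the moved line, `/* PTE update and TLB purge must be atomic w.r.t. other CPUs (TLB lock) */`. map_pte_uncached starts before and continues past the hunk.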
+++ b/queue-4.4/parisc-fix-races-in-parisc_setup_cache_timing.patch 
@@ -0,0 +1,199 @@ +From 741dc7bf1c7c7d93b853bb55efe77baa27e1b0a9 Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Sun, 20 Nov 2016 21:12:36 -0500 +Subject: parisc: Fix races in parisc_setup_cache_timing() + +From: John David Anglin + +commit 741dc7bf1c7c7d93b853bb55efe77baa27e1b0a9 upstream. + +Helge reported to me the following startup crash: + +[ 0.000000] Linux version 4.8.0-1-parisc64-smp (debian-kernel@lists.debian.org) (gcc version 5.4.1 20161019 (GCC) ) #1 SMP Debian 4.8.7-1 (2016-11-13) +[ 0.000000] The 64-bit Kernel has started... +[ 0.000000] Kernel default page size is 4 KB. Huge pages enabled with 1 MB physical and 2 MB virtual size. +[ 0.000000] Determining PDC firmware type: System Map. +[ 0.000000] model 9000/785/J5000 +[ 0.000000] Total Memory: 2048 MB +[ 0.000000] Memory: 2018528K/2097152K available (9272K kernel code, 3053K rwdata, 1319K rodata, 1024K init, 840K bss, 78624K reserved, 0K cma-reserved) +[ 0.000000] virtual kernel memory layout: +[ 0.000000] vmalloc : 0x0000000000008000 - 0x000000003f000000 (1007 MB) +[ 0.000000] memory : 0x0000000040000000 - 0x00000000c0000000 (2048 MB) +[ 0.000000] .init : 0x0000000040100000 - 0x0000000040200000 (1024 kB) +[ 0.000000] .data : 0x0000000040b0e000 - 0x0000000040f533e0 (4372 kB) +[ 0.000000] .text : 0x0000000040200000 - 0x0000000040b0e000 (9272 kB) +[ 0.768910] Brought up 1 CPUs +[ 0.992465] NET: Registered protocol family 16 +[ 2.429981] Releasing cpu 1 now, hpa=fffffffffffa2000 +[ 2.635751] CPU(s): 2 out of 2 PA8500 (PCX-W) at 440.000000 MHz online +[ 2.726692] Setting cache flush threshold to 1024 kB +[ 2.729932] Not-handled unaligned insn 0x43ffff80 +[ 2.798114] Setting TLB flush threshold to 140 kB +[ 2.928039] Unaligned handler failed, ret = -1 +[ 3.000419] _______________________________ +[ 3.000419] < Your System ate a SPARC! Gah! 
> +[ 3.000419] ------------------------------- +[ 3.000419] \ ^__^ +[ 3.000419] (__)\ )\/\ +[ 3.000419] U ||----w | +[ 3.000419] || || +[ 9.340055] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.8.0-1-parisc64-smp #1 Debian 4.8.7-1 +[ 9.448082] task: 00000000bfd48060 task.stack: 00000000bfd50000 +[ 9.528040] +[ 10.760029] IASQ: 0000000000000000 0000000000000000 IAOQ: 000000004025d154 000000004025d158 +[ 10.868052] IIR: 43ffff80 ISR: 0000000000340000 IOR: 000001ff54150960 +[ 10.960029] CPU: 1 CR30: 00000000bfd50000 CR31: 0000000011111111 +[ 11.052057] ORIG_R28: 000000004021e3b4 +[ 11.100045] IAOQ[0]: irq_exit+0x94/0x120 +[ 11.152062] IAOQ[1]: irq_exit+0x98/0x120 +[ 11.208031] RP(r2): irq_exit+0xb8/0x120 +[ 11.256074] Backtrace: +[ 11.288067] [<00000000402cd944>] cpu_startup_entry+0x1e4/0x598 +[ 11.368058] [<0000000040109528>] smp_callin+0x2c0/0x2f0 +[ 11.436308] [<00000000402b53fc>] update_curr+0x18c/0x2d0 +[ 11.508055] [<00000000402b73b8>] dequeue_entity+0x2c0/0x1030 +[ 11.584040] [<00000000402b3cc0>] set_next_entity+0x80/0xd30 +[ 11.660069] [<00000000402c1594>] pick_next_task_fair+0x614/0x720 +[ 11.740085] [<000000004020dd34>] __schedule+0x394/0xa60 +[ 11.808054] [<000000004020e488>] schedule+0x88/0x118 +[ 11.876039] [<0000000040283d3c>] rescuer_thread+0x4d4/0x5b0 +[ 11.948090] [<000000004028fc4c>] kthread+0x1ec/0x248 +[ 12.016053] [<0000000040205020>] end_fault_vector+0x20/0xc0 +[ 12.092239] [<00000000402050c0>] _switch_to_ret+0x0/0xf40 +[ 12.164044] +[ 12.184036] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.8.0-1-parisc64-smp #1 Debian 4.8.7-1 +[ 12.244040] Backtrace: +[ 12.244040] [<000000004021c480>] show_stack+0x68/0x80 +[ 12.244040] [<00000000406f332c>] dump_stack+0xec/0x168 +[ 12.244040] [<000000004021c74c>] die_if_kernel+0x25c/0x430 +[ 12.244040] [<000000004022d320>] handle_unaligned+0xb48/0xb50 +[ 12.244040] +[ 12.632066] ---[ end trace 9ca05a7215c7bbb2 ]--- +[ 12.692036] Kernel panic - not syncing: Attempted to kill the idle task! 
+ +We have the insn 0x43ffff80 in IIR but from IAOQ we should have: + 4025d150: 0f f3 20 df ldd,s r19(r31),r31 + 4025d154: 0f 9f 00 9c ldw r31(ret0),ret0 + 4025d158: bf 80 20 58 cmpb,*<> r0,ret0,4025d18c + +Cpu0 has just completed running parisc_setup_cache_timing: + +[ 2.429981] Releasing cpu 1 now, hpa=fffffffffffa2000 +[ 2.635751] CPU(s): 2 out of 2 PA8500 (PCX-W) at 440.000000 MHz online +[ 2.726692] Setting cache flush threshold to 1024 kB +[ 2.729932] Not-handled unaligned insn 0x43ffff80 +[ 2.798114] Setting TLB flush threshold to 140 kB +[ 2.928039] Unaligned handler failed, ret = -1 + +From the backtrace, cpu1 is in smp_callin: + +void __init smp_callin(void) +{ + int slave_id = cpu_now_booting; + + smp_cpu_init(slave_id); + preempt_disable(); + + flush_cache_all_local(); /* start with known state */ + flush_tlb_all_local(NULL); + + local_irq_enable(); /* Interrupts have been off until now */ + + cpu_startup_entry(CPUHP_AP_ONLINE_IDLE); + +So, it has just flushed its caches and the TLB. It would seem either the +flushes in parisc_setup_cache_timing or smp_callin have corrupted kernel +memory. + +The attached patch reworks parisc_setup_cache_timing to remove the races +in setting the cache and TLB flush thresholds. It also corrects the +number of bytes flushed in the TLB calculation. + +The patch flushes the cache and TLB on cpu0 before starting the +secondary processors so that they are started from a known state. + +Tested with a few reboots on c8000. 
+ +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/cache.c | 31 ++++++++++++------------------- + arch/parisc/kernel/setup.c | 4 ++++ + 2 files changed, 16 insertions(+), 19 deletions(-) + +--- a/arch/parisc/kernel/cache.c ++++ b/arch/parisc/kernel/cache.c +@@ -351,6 +351,7 @@ void __init parisc_setup_cache_timing(vo + { + unsigned long rangetime, alltime; + unsigned long size, start; ++ unsigned long threshold; + + alltime = mfctl(16); + flush_data_cache(); +@@ -364,17 +365,12 @@ void __init parisc_setup_cache_timing(vo + printk(KERN_DEBUG "Whole cache flush %lu cycles, flushing %lu bytes %lu cycles\n", + alltime, size, rangetime); + +- /* Racy, but if we see an intermediate value, it's ok too... */ +- parisc_cache_flush_threshold = size * alltime / rangetime; +- +- parisc_cache_flush_threshold = L1_CACHE_ALIGN(parisc_cache_flush_threshold); +- if (!parisc_cache_flush_threshold) +- parisc_cache_flush_threshold = FLUSH_THRESHOLD; +- +- if (parisc_cache_flush_threshold > cache_info.dc_size) +- parisc_cache_flush_threshold = cache_info.dc_size; +- +- printk(KERN_INFO "Setting cache flush threshold to %lu kB\n", ++ threshold = L1_CACHE_ALIGN(size * alltime / rangetime); ++ if (threshold > cache_info.dc_size) ++ threshold = cache_info.dc_size; ++ if (threshold) ++ parisc_cache_flush_threshold = threshold; ++ printk(KERN_INFO "Cache flush threshold set to %lu KiB\n", + parisc_cache_flush_threshold/1024); + + /* calculate TLB flush threshold */ +@@ -383,7 +379,7 @@ void __init parisc_setup_cache_timing(vo + flush_tlb_all(); + alltime = mfctl(16) - alltime; + +- size = PAGE_SIZE; ++ size = 0; + start = (unsigned long) _text; + rangetime = mfctl(16); + while (start < (unsigned long) _end) { +@@ -396,13 +392,10 @@ void __init parisc_setup_cache_timing(vo + printk(KERN_DEBUG "Whole TLB flush %lu cycles, flushing %lu bytes %lu cycles\n", + alltime, size, rangetime); + +- parisc_tlb_flush_threshold = 
size * alltime / rangetime; +- parisc_tlb_flush_threshold *= num_online_cpus(); +- parisc_tlb_flush_threshold = PAGE_ALIGN(parisc_tlb_flush_threshold); +- if (!parisc_tlb_flush_threshold) +- parisc_tlb_flush_threshold = FLUSH_TLB_THRESHOLD; +- +- printk(KERN_INFO "Setting TLB flush threshold to %lu kB\n", ++ threshold = PAGE_ALIGN(num_online_cpus() * size * alltime / rangetime); ++ if (threshold) ++ parisc_tlb_flush_threshold = threshold; ++ printk(KERN_INFO "TLB flush threshold set to %lu KiB\n", + parisc_tlb_flush_threshold/1024); + } + +--- a/arch/parisc/kernel/setup.c ++++ b/arch/parisc/kernel/setup.c +@@ -334,6 +334,10 @@ static int __init parisc_init(void) + /* tell PDC we're Linux. Nevermind failure. */ + pdc_stable_write(0x40, &osid, sizeof(osid)); + ++ /* start with known state */ ++ flush_cache_all_local(); ++ flush_tlb_all_local(NULL); ++ + processor_init(); + #ifdef CONFIG_SMP + pr_info("CPU(s): %d out of %d %s at %d.%06d MHz online\n", diff --git a/queue-4.4/scsi-mpt3sas-fix-secure-erase-premature-termination.patch b/queue-4.4/scsi-mpt3sas-fix-secure-erase-premature-termination.patch new file mode 100644 index 00000000000..dbcee0498b5 --- /dev/null +++ b/queue-4.4/scsi-mpt3sas-fix-secure-erase-premature-termination.patch 
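Review bot: The rewritten parisc_setup_cache_timing() keeps the compile-time defaults only implicitly: when `threshold` computes to 0 the new `if (threshold)` guards leave parisc_cache_flush_threshold and parisc_tlb_flush_threshold untouched, so the FLUSH_THRESHOLD / FLUSH_TLB_THRESHOLD values the removed lines assigned explicitly must now come from the variables' initializers, which are outside this hunk. A comment on each guard such as `/* 0 means the timing loop produced nothing usable; keep the initializer's default */` would make that dependency visible, and the same comment can note that each global is now written exactly once so other CPUs never observe an intermediate value, which is the race the commit removes. Both divisions by rangetime remain unguarded and the TLB threshold, unlike the cache one, has no upper clamp; both are pre-existing rather than introduced here. The function starts before the first hunk and ends inside the last one.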
@@ -0,0 +1,73 @@ +From 18f6084a989ba1b38702f9af37a2e4049a924be6 Mon Sep 17 00:00:00 2001 +From: Andrey Grodzovsky +Date: Thu, 10 Nov 2016 09:35:27 -0500 +Subject: scsi: mpt3sas: Fix secure erase premature termination + +From: Andrey Grodzovsky + +commit 18f6084a989ba1b38702f9af37a2e4049a924be6 upstream. + +This is a work around for a bug with LSI Fusion MPT SAS2 when perfoming +secure erase. Due to the very long time the operation takes, commands +issued during the erase will time out and will trigger execution of the +abort hook. Even though the abort hook is called for the specific +command which timed out, this leads to entire device halt +(scsi_state terminated) and premature termination of the secure erase. + +Set device state to busy while ATA passthrough commands are in progress. + +[mkp: hand applied to 4.9/scsi-fixes, tweaked patch description] + +Signed-off-by: Andrey Grodzovsky +Acked-by: Sreekanth Reddy +Cc: +Cc: Sathya Prakash +Cc: Chaitra P B +Cc: Suganath Prabu Subramani +Cc: Sreekanth Reddy +Cc: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -3831,7 +3831,10 @@ _scsih_eedp_error_handling(struct scsi_c + SAM_STAT_CHECK_CONDITION; + } + +- ++static inline bool ata_12_16_cmd(struct scsi_cmnd *scmd) ++{ ++ return (scmd->cmnd[0] == ATA_12 || scmd->cmnd[0] == ATA_16); ++} + + /** + * scsih_qcmd - main scsi request entry point +@@ -3859,6 +3862,13 @@ scsih_qcmd(struct Scsi_Host *shost, stru + if (ioc->logging_level & MPT_DEBUG_SCSI) + scsi_print_command(scmd); + ++ /* ++ * Lock the device for any subsequent command until command is ++ * done. 
++ */ ++ if (ata_12_16_cmd(scmd)) ++ scsi_internal_device_block(scmd->device); ++ + sas_device_priv_data = scmd->device->hostdata; + if (!sas_device_priv_data || !sas_device_priv_data->sas_target) { + scmd->result = DID_NO_CONNECT << 16; +@@ -4431,6 +4441,9 @@ _scsih_io_done(struct MPT3SAS_ADAPTER *i + if (scmd == NULL) + return 1; + ++ if (ata_12_16_cmd(scmd)) ++ scsi_internal_device_unblock(scmd->device, SDEV_RUNNING); ++ + mpi_request = mpt3sas_base_get_msg_frame(ioc, smid); + + if (mpi_reply == NULL) { diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..d5e7fba74f4 --- /dev/null +++ b/queue-4.4/series @@ -0,0 +1,18 @@ +iommu-vt-d-fix-pasid-table-allocation.patch +iommu-vt-d-fix-iommu-lookup-for-sr-iov-virtual-functions.patch +kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret_far.patch +kvm-x86-check-for-pic-and-ioapic-presence-before-use.patch +usb-chipidea-move-the-lock-initialization-to-core-file.patch +usb-serial-cp210x-add-id-for-the-zone-dpmx.patch +usb-serial-ftdi_sio-add-support-for-ti-cc3200-launchpad.patch +fix-usb-cb-cbi-storage-devices-with-config_vmap_stack-y.patch +scsi-mpt3sas-fix-secure-erase-premature-termination.patch +tile-avoid-using-clocksource_cyc2ns-with-absolute-cycle-count.patch +cfg80211-limit-scan-results-cache-size.patch +apparmor-fix-change_hat-not-finding-hat-after-policy-replacement.patch +nfsv4.x-hide-array-bounds-warning.patch +parisc-fix-races-in-parisc_setup_cache_timing.patch +parisc-fix-race-in-pci-dma.c.patch +parisc-also-flush-data-tlb-in-flush_icache_page_asm.patch +mpi-fix-null-ptr-dereference-in-mpi_powm.patch +drm-radeon-ensure-vblank-interrupt-is-enabled-on-dpms-transition-to-on.patch diff --git a/queue-4.4/tile-avoid-using-clocksource_cyc2ns-with-absolute-cycle-count.patch b/queue-4.4/tile-avoid-using-clocksource_cyc2ns-with-absolute-cycle-count.patch new file mode 100644 index 00000000000..501a2471041 --- /dev/null 
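Review bot: scsih_qcmd() now calls scsi_internal_device_block() before the sas_device_priv_data / sas_target checks that directly follow it, and those checks complete the command with DID_NO_CONNECT without going through _scsih_io_done(), so an ATA_12/ATA_16 command rejected there leaves the device blocked with nothing left to unblock it (the completion and return statements sit just past the visible lines, so this is inferred from the result assignment that is visible). The same applies to any other early-completion path in scsih_qcmd between the block call and the point where the request is handed to the controller. Moving the `if (ata_12_16_cmd(scmd)) scsi_internal_device_block(scmd->device);` pair to just before the frame is submitted, or unblocking on each early return, would close the gap. scsih_qcmd starts before and continues past the hunk.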
+++ b/queue-4.4/tile-avoid-using-clocksource_cyc2ns-with-absolute-cycle-count.patch 
@@ -0,0 +1,65 @@ +From e658a6f14d7c0243205f035979d0ecf6c12a036f Mon Sep 17 00:00:00 2001 +From: Chris Metcalf +Date: Wed, 16 Nov 2016 11:18:05 -0500 +Subject: tile: avoid using clocksource_cyc2ns with absolute cycle count + +From: Chris Metcalf + +commit e658a6f14d7c0243205f035979d0ecf6c12a036f upstream. + +For large values of "mult" and long uptimes, the intermediate +result of "cycles * mult" can overflow 64 bits. For example, +the tile platform calls clocksource_cyc2ns with a 1.2 GHz clock; +we have mult = 853, and after 208.5 days, we overflow 64 bits. + +Since clocksource_cyc2ns() is intended to be used for relative +cycle counts, not absolute cycle counts, performance is more +importance than accepting a wider range of cycle values. So, +just use mult_frac() directly in tile's sched_clock(). + +Commit 4cecf6d401a0 ("sched, x86: Avoid unnecessary overflow +in sched_clock") by Salman Qazi results in essentially the same +generated code for x86 as this change does for tile. In fact, +a follow-on change by Salman introduced mult_frac() and switched +to using it, so the C code was largely identical at that point too. + +Peter Zijlstra then added mul_u64_u32_shr() and switched x86 +to use it. This is, in principle, better; by optimizing the +64x64->64 multiplies to be 32x32->64 multiplies we can potentially +save some time. However, the compiler piplines the 64x64->64 +multiplies pretty well, and the conditional branch in the generic +mul_u64_u32_shr() causes some bubbles in execution, with the +result that it's pretty much a wash. If tilegx provided its own +implementation of mul_u64_u32_shr() without the conditional branch, +we could potentially save 3 cycles, but that seems like small gain +for a fair amount of additional build scaffolding; no other platform +currently provides a mul_u64_u32_shr() override, and tile doesn't +currently have an header to put the override in. 
+ +Additionally, gcc currently has an optimization bug that prevents +it from recognizing the opportunity to use a 32x32->64 multiply, +and so the result would be no better than the existing mult_frac() +until such time as the compiler is fixed. + +For now, just using mult_frac() seems like the right answer. + +Signed-off-by: Chris Metcalf +Signed-off-by: Greg Kroah-Hartman + +--- + arch/tile/kernel/time.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/tile/kernel/time.c ++++ b/arch/tile/kernel/time.c +@@ -218,8 +218,8 @@ void do_timer_interrupt(struct pt_regs * + */ + unsigned long long sched_clock(void) + { +- return clocksource_cyc2ns(get_cycles(), +- sched_clock_mult, SCHED_CLOCK_SHIFT); ++ return mult_frac(get_cycles(), ++ sched_clock_mult, 1ULL << SCHED_CLOCK_SHIFT); + } + + int setup_profiling_timer(unsigned int multiplier) diff --git a/queue-4.4/usb-chipidea-move-the-lock-initialization-to-core-file.patch b/queue-4.4/usb-chipidea-move-the-lock-initialization-to-core-file.patch new file mode 100644 index 00000000000..33387c68471 --- /dev/null +++ b/queue-4.4/usb-chipidea-move-the-lock-initialization-to-core-file.patch 
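Review bot: mult_frac() is a macro that evaluates its first argument more than once (it forms both `(x) / (denom)` and `(x) % (denom)`), so the new sched_clock() reads get_cycles() twice and may combine a quotient and a remainder taken from different counter samples, which can make the clock jump when the counter crosses a multiple of 1 << SCHED_CLOCK_SHIFT between the two reads. Read the counter once into a local: `u64 cycles = get_cycles();` then `return mult_frac(cycles, sched_clock_mult, 1ULL << SCHED_CLOCK_SHIFT);`. The replaced clocksource_cyc2ns() call took the value as a function argument and so read it only once.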
@@ -0,0 +1,137 @@ +From a5d906bb261cde5f881a949d3b0fbaa285dcc574 Mon Sep 17 00:00:00 2001 +From: Peter Chen +Date: Tue, 15 Nov 2016 18:05:33 +0800 +Subject: usb: chipidea: move the lock initialization to core file + +From: Peter Chen + +commit a5d906bb261cde5f881a949d3b0fbaa285dcc574 upstream. + +This can fix below dump when the lock is accessed at host +mode due to it is not initialized. + +[ 46.119638] INFO: trying to register non-static key. +[ 46.124643] the code is fine but needs lockdep annotation. +[ 46.130144] turning off the locking correctness validator. +[ 46.135659] CPU: 0 PID: 690 Comm: cat Not tainted 4.9.0-rc3-00079-g4b75f1d #1210 +[ 46.143075] Hardware name: Freescale i.MX6 SoloX (Device Tree) +[ 46.148923] Backtrace: +[ 46.151448] [] (dump_backtrace) from [] (show_stack+0x18/0x1c) +[ 46.159038] r7:edf52000 +[ 46.161412] r6:60000193 +[ 46.163967] r5:00000000 +[ 46.165035] r4:c0e25c2c + +[ 46.169109] [] (show_stack) from [] (dump_stack+0xb4/0xe8) +[ 46.176362] [] (dump_stack) from [] (register_lock_class+0x4fc/0x56c) +[ 46.184554] r10:c0e25d24 +[ 46.187014] r9:edf53e70 +[ 46.189569] r8:c1642444 +[ 46.190637] r7:ee9da024 +[ 46.193191] r6:00000000 +[ 46.194258] r5:00000000 +[ 46.196812] r4:00000000 +[ 46.199185] r3:00000001 + +[ 46.203259] [] (register_lock_class) from [] (__lock_acquire+0x80/0x10f0) +[ 46.211797] r10:c0e25d24 +[ 46.214257] r9:edf53e70 +[ 46.216813] r8:ee9da024 +[ 46.217880] r7:c1642444 +[ 46.220435] r6:edcd1800 +[ 46.221502] r5:60000193 +[ 46.224057] r4:00000000 + +[ 46.227953] [] (__lock_acquire) from [] (lock_acquire+0x74/0x94) +[ 46.235710] r10:00000001 +[ 46.238169] r9:edf53e70 +[ 46.240723] r8:edf53f80 +[ 46.241790] r7:00000001 +[ 46.244344] r6:00000001 +[ 46.245412] r5:60000193 +[ 46.247966] r4:00000000 + +[ 46.251866] [] (lock_acquire) from [] (_raw_spin_lock_irqsave+0x40/0x54) +[ 46.260319] r7:ee1c6a00 +[ 46.262691] r6:c062a570 +[ 46.265247] r5:20000113 +[ 46.266314] r4:ee9da014 + +[ 46.270393] [] (_raw_spin_lock_irqsave) from 
[] (ci_port_test_show+0x2c/0x70) +[ 46.279280] r6:eebd2000 +[ 46.281652] r5:ee9da010 +[ 46.284207] r4:ee9da014 + +[ 46.286810] [] (ci_port_test_show) from [] (seq_read+0x1ac/0x4f8) +[ 46.294655] r9:edf53e70 +[ 46.297028] r8:edf53f80 +[ 46.299583] r7:ee1c6a00 +[ 46.300650] r6:00000001 +[ 46.303205] r5:00000000 +[ 46.304273] r4:eebd2000 +[ 46.306850] [] (seq_read) from [] (full_proxy_read+0x54/0x6c) +[ 46.314348] r10:00000000 +[ 46.316808] r9:c0a6ad30 +[ 46.319363] r8:edf53f80 +[ 46.320430] r7:00020000 +[ 46.322986] r6:b6de3000 +[ 46.324053] r5:ee1c6a00 +[ 46.326607] r4:c0248b58 + +[ 46.330505] [] (full_proxy_read) from [] (__vfs_read+0x34/0x118) +[ 46.338262] r9:edf52000 +[ 46.340635] r8:c0107fc4 +[ 46.343190] r7:00020000 +[ 46.344257] r6:edf53f80 +[ 46.346812] r5:c039e810 +[ 46.347879] r4:ee1c6a00 +[ 46.350447] [] (__vfs_read) from [] (vfs_read+0x8c/0x11c) +[ 46.357597] r9:edf52000 +[ 46.359969] r8:c0107fc4 +[ 46.362524] r7:edf53f80 +[ 46.363592] r6:b6de3000 +[ 46.366147] r5:ee1c6a00 +[ 46.367214] r4:00020000 +[ 46.369782] [] (vfs_read) from [] (SyS_read+0x4c/0xa8) +[ 46.376672] r8:c0107fc4 +[ 46.379045] r7:00020000 +[ 46.381600] r6:b6de3000 +[ 46.382667] r5:ee1c6a00 +[ 46.385222] r4:ee1c6a00 + +[ 46.387817] [] (SyS_read) from [] (ret_fast_syscall+0x0/0x1c) +[ 46.395314] r7:00000003 +[ 46.397687] r6:b6de3000 +[ 46.400243] r5:00020000 +[ 46.401310] r4:00020000 + +Fixes: 26c696c678c4 ("USB: Chipidea: rename struct ci13xxx variables from udc to ci") +Signed-off-by: Peter Chen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/chipidea/core.c | 1 + + drivers/usb/chipidea/udc.c | 2 -- + 2 files changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -926,6 +926,7 @@ static int ci_hdrc_probe(struct platform + if (!ci) + return -ENOMEM; + ++ spin_lock_init(&ci->lock); + ci->dev = dev; + ci->platdata = dev_get_platdata(dev); + ci->imx28_write_fix = !!(ci->platdata->flags & +--- a/drivers/usb/chipidea/udc.c 
++++ b/drivers/usb/chipidea/udc.c +@@ -1884,8 +1884,6 @@ static int udc_start(struct ci_hdrc *ci) + struct usb_otg_caps *otg_caps = &ci->platdata->ci_otg_caps; + int retval = 0; + +- spin_lock_init(&ci->lock); +- + ci->gadget.ops = &usb_gadget_ops; + ci->gadget.speed = USB_SPEED_UNKNOWN; + ci->gadget.max_speed = USB_SPEED_HIGH; diff --git a/queue-4.4/usb-serial-cp210x-add-id-for-the-zone-dpmx.patch b/queue-4.4/usb-serial-cp210x-add-id-for-the-zone-dpmx.patch new file mode 100644 index 00000000000..9a5ea880310 --- /dev/null +++ b/queue-4.4/usb-serial-cp210x-add-id-for-the-zone-dpmx.patch @@ -0,0 +1,32 @@ +From 2ab13292d7a314fa45de0acc808e41aaad31989c Mon Sep 17 00:00:00 2001 +From: Paul Jakma +Date: Wed, 16 Nov 2016 10:13:49 +0000 +Subject: USB: serial: cp210x: add ID for the Zone DPMX + +From: Paul Jakma + +commit 2ab13292d7a314fa45de0acc808e41aaad31989c upstream. + +The BRIM Brothers Zone DPMX is a bicycle powermeter. This ID is for the USB +serial interface in its charging dock for the control pods, via which some +settings for the pods can be modified. + +Signed-off-by: Paul Jakma +Cc: Barry Redmond +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/cp210x.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -130,6 +130,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */ + { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */ + { USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */ ++ { USB_DEVICE(0x10C4, 0x8962) }, /* Brim Brothers charging dock */ + { USB_DEVICE(0x10C4, 0x8977) }, /* CEL MeshWorks DevKit Device */ + { USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */ + { USB_DEVICE(0x10C4, 0x8A2A) }, /* HubZ dual ZigBee and Z-Wave dongle */ 
diff --git a/queue-4.4/usb-serial-ftdi_sio-add-support-for-ti-cc3200-launchpad.patch b/queue-4.4/usb-serial-ftdi_sio-add-support-for-ti-cc3200-launchpad.patch new file mode 100644 index 00000000000..cb22558f9d9 --- /dev/null +++ b/queue-4.4/usb-serial-ftdi_sio-add-support-for-ti-cc3200-launchpad.patch @@ -0,0 +1,48 @@ +From 9bfef729a3d11f04d12788d749a3ce6b47645734 Mon Sep 17 00:00:00 2001 +From: Doug Brown +Date: Fri, 4 Nov 2016 21:18:20 -0700 +Subject: USB: serial: ftdi_sio: add support for TI CC3200 LaunchPad + +From: Doug Brown + +commit 9bfef729a3d11f04d12788d749a3ce6b47645734 upstream. + +This patch adds support for the TI CC3200 LaunchPad board, which uses a +custom USB vendor ID and product ID. Channel A is used for JTAG, and +channel B is used for a UART. + +Signed-off-by: Doug Brown +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 2 ++ + drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++ + 2 files changed, 8 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1012,6 +1012,8 @@ static const struct usb_device_id id_tab + { USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) }, + { USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) }, + { USB_DEVICE(WICED_VID, WICED_USB20706V2_PID) }, ++ { USB_DEVICE(TI_VID, TI_CC3200_LAUNCHPAD_PID), ++ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { } /* Terminating entry */ + }; + +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -596,6 +596,12 @@ + #define STK541_PID 0x2109 /* Zigbee Controller */ + + /* ++ * Texas Instruments ++ */ ++#define TI_VID 0x0451 ++#define TI_CC3200_LAUNCHPAD_PID 0xC32A /* SimpleLink Wi-Fi CC3200 LaunchPad */ ++ ++/* + * Blackfin gnICE JTAG + * http://docs.blackfin.uclinux.org/doku.php?id=hw:jtag:gnice + */ diff --git a/queue-4.8/series b/queue-4.8/series new file mode 100644 index 00000000000..5e0617eb421 --- /dev/null +++ b/queue-4.8/series 
@@ -0,0 +1,36 @@ +iommu-vt-d-fix-pasid-table-allocation.patch +iommu-vt-d-fix-iommu-lookup-for-sr-iov-virtual-functions.patch +kvm-x86-fix-out-of-bounds-access-in-lapic.patch +kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret_far.patch +kvm-x86-fix-out-of-bounds-accesses-of-rtc_eoi-map.patch +kvm-x86-check-for-pic-and-ioapic-presence-before-use.patch +usb-chipidea-move-the-lock-initialization-to-core-file.patch +usb-serial-cp210x-add-id-for-the-zone-dpmx.patch +usb-serial-ftdi_sio-add-support-for-ti-cc3200-launchpad.patch +fix-usb-cb-cbi-storage-devices-with-config_vmap_stack-y.patch +scsi-mpt3sas-fix-secure-erase-premature-termination.patch +tile-avoid-using-clocksource_cyc2ns-with-absolute-cycle-count.patch +cfg80211-limit-scan-results-cache-size.patch +drm-amdgpu-fix-power-state-when-port-pm-is-unavailable.patch +drm-radeon-fix-power-state-when-port-pm-is-unavailable-v2.patch +apparmor-fix-change_hat-not-finding-hat-after-policy-replacement.patch +nfsv4.x-hide-array-bounds-warning.patch +x86-fpu-fix-invalid-fpu-ptrace-state-after-execve.patch +x86-traps-ignore-high-word-of-regs-cs-in-early_fixup_exception.patch +perf-core-fix-address-filter-parser.patch +perf-x86-intel-cure-bogus-unwind-from-pebs-entries.patch +thermal-powerclamp-add-back-module-device-table.patch +parisc-fix-races-in-parisc_setup_cache_timing.patch +parisc-switch-to-generic-sched_clock-implementation.patch +parisc-fix-race-in-pci-dma.c.patch +parisc-also-flush-data-tlb-in-flush_icache_page_asm.patch +mmc-sdhci-of-esdhc-fixup-present_state-read.patch +mpi-fix-null-ptr-dereference-in-mpi_powm.patch +x.509-fix-double-free-in-x509_cert_parse.patch +xc2028-fix-use-after-free-bug-properly.patch +device-dax-check-devm_nsio_enable-return-value.patch +device-dax-fail-all-private-mapping-attempts.patch +powerpc-set-missing-wakeup-bit-in-lpcr-on-power9.patch +powerpc-mm-fixup-kernel-read-only-mapping.patch +powerpc-boot-fix-the-early-opal-console-wrappers.patch 
+can-bcm-fix-support-for-can-fd-frames.patch