From: Greg Kroah-Hartman Date: Sat, 13 Feb 2016 23:02:57 +0000 (-0800) Subject: 4.3-stable patches X-Git-Tag: v4.4.2~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9ef2909b978f8b59d16939e3550c7a1b75e4960f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.3-stable patches added patches: c8sectpfe-remove-select-on-config_fw_loader_user_helper_fallback.patch dm-initialize-non-blk-mq-queue-data-before-queue-is-used.patch fix-calculation-of-meta_bg-descriptor-backups.patch i2c-at91-fix-write-transfers-by-clearing-pending-interrupt-first.patch i2c-at91-manage-unexpected-rxrdy-flag-when-starting-a-transfer.patch i2c-fix-wakeup-irq-parsing.patch i2c-mv64xxx-the-n-clockdiv-factor-is-0-based-on-sunxi-socs.patch i2c-rcar-disable-runtime-pm-correctly-in-slave-mode.patch i2c-rk3x-populate-correct-variable-for-sda_falling_time.patch integrity-prevent-loading-untrusted-certificates-on-the-ima-trusted-keyring.patch jbd2-fix-checkpoint-list-cleanup.patch jbd2-fix-null-committed-data-return-in-undo_access.patch jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch media-i2c-don-t-export-ir-kbd-i2c-module-alias.patch media-v4l2-ctrls-fix-64bit-support-in-get_ctrl.patch media-v4l2-ctrls-fix-setting-autocluster-to-manual-with-vidioc_s_ctrl.patch media-vb2-dma-contig-fully-cache-synchronise-buffers-in-prepare-and-finish.patch media-vb2-dma-sg-fully-cache-synchronise-buffers-in-prepare-and-finish.patch mtd-blkdevs-fix-potential-deadlock-lockdep-warnings.patch mtd-jz4740_nand-fix-build-on-jz4740-after-removing-gpio.h.patch mtd-mtdpart-fix-add_mtd_partitions-error-path.patch mtd-nand-fix-shutdown-reboot-for-multi-chip-systems.patch mtd-ubi-don-t-leak-e-if-schedule_erase-fails.patch mtd-ubi-fixup-error-correction-in-do_sync_erase.patch parisc-drop-unused-madv_xxxk_pages-flags-from-asm-mman.h.patch parisc-fix-__arch_si_preamble_size.patch parisc-fix-syscall-restarts.patch parisc-fixes-and-cleanups-in-kernel-uapi-header-files.patch pci-fix-minimum-allocation-address-overwrite.patch pci-host-mark-pcie-pci-msi-irq-cascade-handlers-as-irqf_no_thread.patch pci-prevent-out-of-bounds-access-in-numa_node-override.patch pci-set-sr-iov-numvfs-to-zero-after-enumeration.patch pci-spear-fix-dw_pcie_cfg_read-write-usage.patch printk-prevent-userland-from-spoofing-kernel-messages.patch revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch revert-ivtv-avoid-going-past-input-audio-array.patch spi-atmel-fix-dma-setup-for-transfers-with-more-than-8-bits-per-word.patch spi-fix-parent-device-reference-leak.patch spi-omap2-mcspi-disable-other-channels-chconf_force-in-prepare_message.patch spi-spi-xilinx-fix-race-condition-on-last-word-read.patch spi-ti-qspi-fix-data-corruption-seen-on-r-w-stress-test.patch tpm-revert-the-list-handling-logic-fixed-in-398a1e7.patch tpm-tpm_crb-fix-unaligned-read-of-the-command-buffer-address.patch tpm_tis-free-irq-after-probing.patch tracefs-fix-refcount-imbalance-in-start_creating.patch tracing-fix-setting-of-start_index-in-find_next.patch tracing-stacktrace-show-entire-trace-if-passed-in-function-not-found.patch tracing-update-instance_rmdir-to-use-tracefs_remove_recursive.patch v4l2-compat-ioctl32-fix-alignment-for-arm64.patch v4l2-ctrls-arrays-are-also-considered-compound-controls.patch vivid-fix-iteration-in-driver-removal-path.patch vtpm-fix-memory-allocation-flag-for-rtce-buffer-at-kernel-boot.patch wlcore-wl12xx-spi-fix-null-pointer-dereference-oops.patch wlcore-wl12xx-spi-fix-oops-on-firmware-load.patch xtensa-fix-secondary-core-boot-in-smp.patch xtensa-fixes-for-configs-without-loop-option.patch --- diff --git a/queue-4.3/c8sectpfe-remove-select-on-config_fw_loader_user_helper_fallback.patch b/queue-4.3/c8sectpfe-remove-select-on-config_fw_loader_user_helper_fallback.patch new file mode 100644 index 00000000000..0887975ac3e --- /dev/null +++ b/queue-4.3/c8sectpfe-remove-select-on-config_fw_loader_user_helper_fallback.patch @@ -0,0 +1,34 @@ +From 79f5b6ae960d380c829fb67d5dadcd1d025d2775 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 19 Oct 2015 04:17:30 -0200 +Subject: [media] c8sectpfe: Remove select on CONFIG_FW_LOADER_USER_HELPER_FALLBACK + +From: Takashi Iwai + +commit 79f5b6ae960d380c829fb67d5dadcd1d025d2775 upstream. + +c8sectpfe driver selects CONFIG_FW_LOADER_USER_HELPER_FALLBACK by some +reason, but this option is known to be harmful, leading to minutes of +stalls at boot time. The option was intended for only compatibility +for an old exotic system that mandates the udev interaction, and not a +thing a driver selects by itself. Let's remove it. + +Fixes: 850a3f7d5911 ('[media] c8sectpfe: Add Kconfig and Makefile for the driver') + +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/sti/c8sectpfe/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/media/platform/sti/c8sectpfe/Kconfig ++++ b/drivers/media/platform/sti/c8sectpfe/Kconfig +@@ -3,7 +3,6 @@ config DVB_C8SECTPFE + depends on PINCTRL && DVB_CORE && I2C + depends on ARCH_STI || ARCH_MULTIPLATFORM || COMPILE_TEST + select FW_LOADER +- select FW_LOADER_USER_HELPER_FALLBACK + select DEBUG_FS + select DVB_LNBP21 if MEDIA_SUBDRV_AUTOSELECT + select DVB_STV090x if MEDIA_SUBDRV_AUTOSELECT diff --git a/queue-4.3/dm-initialize-non-blk-mq-queue-data-before-queue-is-used.patch b/queue-4.3/dm-initialize-non-blk-mq-queue-data-before-queue-is-used.patch new file mode 100644 index 00000000000..bc7ceab6749 --- /dev/null +++ b/queue-4.3/dm-initialize-non-blk-mq-queue-data-before-queue-is-used.patch @@ -0,0 +1,61 @@ +From ad5f498f610fa3fd8bd265139098bc1405cd2783 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 27 Oct 2015 19:06:55 -0400 +Subject: dm: initialize non-blk-mq queue data before queue is used + +From: Mikulas Patocka + +commit ad5f498f610fa3fd8bd265139098bc1405cd2783 upstream. + +Commit bfebd1cdb497a57757c83f5fbf1a29931591e2a4 ("dm: add full blk-mq +support to request-based DM") moves the initialization of the fields +backing_dev_info.congested_fn, backing_dev_info.congested_data and +queuedata from the function dm_init_md_queue (that is called when the +device is created) to dm_init_old_md_queue (that is called after the +device type is determined). + +There is no locking when accessing these variables, thus it is possible +for other parts of the kernel to briefly see this data in a transient +state (e.g. queue->backing_dev_info.congested_fn initialized and +md->queue->backing_dev_info.congested_data uninitialized, resulting in +passing an incorrect parameter to the function dm_any_congested). + +This queue data is left initialized for blk-mq devices even though they +that don't use it. + +Fixes: bfebd1cdb497 ("dm: add full blk-mq support to request-based DM") +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -2198,6 +2198,13 @@ static void dm_init_md_queue(struct mapp + * This queue is new, so no concurrency on the queue_flags. + */ + queue_flag_clear_unlocked(QUEUE_FLAG_STACKABLE, md->queue); ++ ++ /* ++ * Initialize data that will only be used by a non-blk-mq DM queue ++ * - must do so here (in alloc_dev callchain) before queue is used ++ */ ++ md->queue->queuedata = md; ++ md->queue->backing_dev_info.congested_data = md; + } + + static void dm_init_old_md_queue(struct mapped_device *md) +@@ -2208,10 +2215,7 @@ static void dm_init_old_md_queue(struct + /* + * Initialize aspects of queue that aren't relevant for blk-mq + */ +- md->queue->queuedata = md; + md->queue->backing_dev_info.congested_fn = dm_any_congested; +- md->queue->backing_dev_info.congested_data = md; +- + blk_queue_bounce_limit(md->queue, BLK_BOUNCE_ANY); + } + diff --git a/queue-4.3/fix-calculation-of-meta_bg-descriptor-backups.patch b/queue-4.3/fix-calculation-of-meta_bg-descriptor-backups.patch new file mode 100644 index 00000000000..51e6d16ecee --- /dev/null +++ b/queue-4.3/fix-calculation-of-meta_bg-descriptor-backups.patch @@ -0,0 +1,53 @@ +From 904dad4742d211b7a8910e92695c0fa957483836 Mon Sep 17 00:00:00 2001 +From: Andy Leiserson +Date: Sun, 18 Oct 2015 00:36:29 -0400 +Subject: [PATCH] fix calculation of meta_bg descriptor backups + +From: Andy Leiserson + +commit 904dad4742d211b7a8910e92695c0fa957483836 upstream. + +"group" is the group where the backup will be placed, and is +initialized to zero in the declaration. This meant that backups for +meta_bg descriptors were erroneously written to the backup block group +descriptors in groups 1 and (desc_per_block-1). + +Reproduction information: + mke2fs -Fq -t ext4 -b 1024 -O ^resize_inode /tmp/foo.img 16G + truncate -s 24G /tmp/foo.img + losetup /dev/loop0 /tmp/foo.img + mount /dev/loop0 /mnt + resize2fs /dev/loop0 + umount /dev/loop0 + dd if=/dev/zero of=/dev/loop0 bs=1024 count=2 + e2fsck -fy /dev/loop0 + losetup -d /dev/loop0 + +Signed-off-by: Andy Leiserson +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/resize.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -1040,7 +1040,7 @@ exit_free: + * do not copy the full number of backups at this time. The resize + * which changed s_groups_count will backup again. + */ +-static void update_backups(struct super_block *sb, int blk_off, char *data, ++static void update_backups(struct super_block *sb, sector_t blk_off, char *data, + int size, int meta_bg) + { + struct ext4_sb_info *sbi = EXT4_SB(sb); +@@ -1065,7 +1065,7 @@ static void update_backups(struct super_ + group = ext4_list_backups(sb, &three, &five, &seven); + last = sbi->s_groups_count; + } else { +- group = ext4_meta_bg_first_group(sb, group) + 1; ++ group = ext4_get_group_number(sb, blk_off) + 1; + last = (ext4_group_t)(group + EXT4_DESC_PER_BLOCK(sb) - 2); + } + diff --git a/queue-4.3/i2c-at91-fix-write-transfers-by-clearing-pending-interrupt-first.patch b/queue-4.3/i2c-at91-fix-write-transfers-by-clearing-pending-interrupt-first.patch new file mode 100644 index 00000000000..d2a532dbff9 --- /dev/null +++ b/queue-4.3/i2c-at91-fix-write-transfers-by-clearing-pending-interrupt-first.patch @@ -0,0 +1,136 @@ +From 6f6ddbb09d2a5baded0e23add3ad2d9e9417ab30 Mon Sep 17 00:00:00 2001 +From: Cyrille Pitchen +Date: Wed, 21 Oct 2015 15:44:03 +0200 +Subject: i2c: at91: fix write transfers by clearing pending interrupt first + +From: Cyrille Pitchen + +commit 6f6ddbb09d2a5baded0e23add3ad2d9e9417ab30 upstream. + +In some cases a NACK interrupt may be pending in the Status Register (SR) +as a result of a previous transfer. However at91_do_twi_transfer() did not +read the SR to clear pending interruptions before starting a new transfer. +Hence a NACK interrupt rose as soon as it was enabled again at the I2C +controller level, resulting in a wrong sequence of operations and strange +patterns of behaviour on the I2C bus, such as a clock stretch followed by +a restart of the transfer. + +This first issue occurred with both DMA and PIO write transfers. + +Also when a NACK error was detected during a PIO write transfer, the +interrupt handler used to wrongly start a new transfer by writing into the +Transmit Holding Register (THR). Then the I2C slave was likely to reply +with a second NACK. + +This second issue is fixed in atmel_twi_interrupt() by handling the TXRDY +status bit only if both the TXCOMP and NACK status bits are cleared. + +Tested with a at24 eeprom on sama5d36ek board running a linux-4.1-at91 +kernel image. Adapted to linux-next. + +Reported-by: Peter Rosin +Signed-off-by: Cyrille Pitchen +Signed-off-by: Ludovic Desroches +Tested-by: Peter Rosin +Signed-off-by: Wolfram Sang +Fixes: 93563a6a71bb ("i2c: at91: fix a race condition when using the DMA controller") +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-at91.c | 58 ++++++++++++++++++++++++++++++++++++------ + 1 file changed, 50 insertions(+), 8 deletions(-) + +--- a/drivers/i2c/busses/i2c-at91.c ++++ b/drivers/i2c/busses/i2c-at91.c +@@ -465,19 +465,57 @@ static irqreturn_t atmel_twi_interrupt(i + + if (!irqstatus) + return IRQ_NONE; +- else if (irqstatus & AT91_TWI_RXRDY) +- at91_twi_read_next_byte(dev); +- else if (irqstatus & AT91_TWI_TXRDY) +- at91_twi_write_next_byte(dev); +- +- /* catch error flags */ +- dev->transfer_status |= status; + ++ /* ++ * When a NACK condition is detected, the I2C controller sets the NACK, ++ * TXCOMP and TXRDY bits all together in the Status Register (SR). ++ * ++ * 1 - Handling NACK errors with CPU write transfer. ++ * ++ * In such case, we should not write the next byte into the Transmit ++ * Holding Register (THR) otherwise the I2C controller would start a new ++ * transfer and the I2C slave is likely to reply by another NACK. ++ * ++ * 2 - Handling NACK errors with DMA write transfer. ++ * ++ * By setting the TXRDY bit in the SR, the I2C controller also triggers ++ * the DMA controller to write the next data into the THR. Then the ++ * result depends on the hardware version of the I2C controller. ++ * ++ * 2a - Without support of the Alternative Command mode. ++ * ++ * This is the worst case: the DMA controller is triggered to write the ++ * next data into the THR, hence starting a new transfer: the I2C slave ++ * is likely to reply by another NACK. ++ * Concurrently, this interrupt handler is likely to be called to manage ++ * the first NACK before the I2C controller detects the second NACK and ++ * sets once again the NACK bit into the SR. ++ * When handling the first NACK, this interrupt handler disables the I2C ++ * controller interruptions, especially the NACK interrupt. ++ * Hence, the NACK bit is pending into the SR. This is why we should ++ * read the SR to clear all pending interrupts at the beginning of ++ * at91_do_twi_transfer() before actually starting a new transfer. ++ * ++ * 2b - With support of the Alternative Command mode. ++ * ++ * When a NACK condition is detected, the I2C controller also locks the ++ * THR (and sets the LOCK bit in the SR): even though the DMA controller ++ * is triggered by the TXRDY bit to write the next data into the THR, ++ * this data actually won't go on the I2C bus hence a second NACK is not ++ * generated. ++ */ + if (irqstatus & (AT91_TWI_TXCOMP | AT91_TWI_NACK)) { + at91_disable_twi_interrupts(dev); + complete(&dev->cmd_complete); ++ } else if (irqstatus & AT91_TWI_RXRDY) { ++ at91_twi_read_next_byte(dev); ++ } else if (irqstatus & AT91_TWI_TXRDY) { ++ at91_twi_write_next_byte(dev); + } + ++ /* catch error flags */ ++ dev->transfer_status |= status; ++ + return IRQ_HANDLED; + } + +@@ -487,6 +525,7 @@ static int at91_do_twi_transfer(struct a + unsigned long time_left; + bool has_unre_flag = dev->pdata->has_unre_flag; + bool has_alt_cmd = dev->pdata->has_alt_cmd; ++ unsigned sr; + + /* + * WARNING: the TXCOMP bit in the Status Register is NOT a clear on +@@ -537,6 +576,9 @@ static int at91_do_twi_transfer(struct a + reinit_completion(&dev->cmd_complete); + dev->transfer_status = 0; + ++ /* Clear pending interrupts, such as NACK. */ ++ sr = at91_twi_read(dev, AT91_TWI_SR); ++ + if (dev->fifo_size) { + unsigned fifo_mr = at91_twi_read(dev, AT91_TWI_FMR); + +@@ -558,7 +600,7 @@ static int at91_do_twi_transfer(struct a + } else if (dev->msg->flags & I2C_M_RD) { + unsigned start_flags = AT91_TWI_START; + +- if (at91_twi_read(dev, AT91_TWI_SR) & AT91_TWI_RXRDY) { ++ if (sr & AT91_TWI_RXRDY) { + dev_err(dev->dev, "RXRDY still set!"); + at91_twi_read(dev, AT91_TWI_RHR); + } diff --git a/queue-4.3/i2c-at91-manage-unexpected-rxrdy-flag-when-starting-a-transfer.patch b/queue-4.3/i2c-at91-manage-unexpected-rxrdy-flag-when-starting-a-transfer.patch new file mode 100644 index 00000000000..6b850494f2d --- /dev/null +++ b/queue-4.3/i2c-at91-manage-unexpected-rxrdy-flag-when-starting-a-transfer.patch @@ -0,0 +1,107 @@ +From a9bed6b10bd117a300cceb9062003f7a2761ef99 Mon Sep 17 00:00:00 2001 +From: Ludovic Desroches +Date: Mon, 26 Oct 2015 10:38:27 +0100 +Subject: i2c: at91: manage unexpected RXRDY flag when starting a transfer + +From: Ludovic Desroches + +commit a9bed6b10bd117a300cceb9062003f7a2761ef99 upstream. + +In some cases, we could start a new i2c transfer with the RXRDY flag +set. It is not a clean state and it leads to print annoying error +messages even if there no real issue. The cause is only having garbage +data in the Receive Holding Register because of a weird behavior of the +RXRDY flag. + +Reported-by: Peter Rosin +Signed-off-by: Ludovic Desroches +Tested-by: Peter Rosin +Signed-off-by: Wolfram Sang +Fixes: 93563a6a71bb ("i2c: at91: fix a race condition when using the DMA controller") +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-at91.c | 36 ++++++++++++++++++++++++++---------- + 1 file changed, 26 insertions(+), 10 deletions(-) + +--- a/drivers/i2c/busses/i2c-at91.c ++++ b/drivers/i2c/busses/i2c-at91.c +@@ -347,8 +347,14 @@ error: + + static void at91_twi_read_next_byte(struct at91_twi_dev *dev) + { +- if (!dev->buf_len) ++ /* ++ * If we are in this case, it means there is garbage data in RHR, so ++ * delete them. ++ */ ++ if (!dev->buf_len) { ++ at91_twi_read(dev, AT91_TWI_RHR); + return; ++ } + + /* 8bit read works with and without FIFO */ + *dev->buf = readb_relaxed(dev->base + AT91_TWI_RHR); +@@ -465,6 +471,24 @@ static irqreturn_t atmel_twi_interrupt(i + + if (!irqstatus) + return IRQ_NONE; ++ /* ++ * In reception, the behavior of the twi device (before sama5d2) is ++ * weird. There is some magic about RXRDY flag! When a data has been ++ * almost received, the reception of a new one is anticipated if there ++ * is no stop command to send. That is the reason why ask for sending ++ * the stop command not on the last data but on the second last one. ++ * ++ * Unfortunately, we could still have the RXRDY flag set even if the ++ * transfer is done and we have read the last data. It might happen ++ * when the i2c slave device sends too quickly data after receiving the ++ * ack from the master. The data has been almost received before having ++ * the order to send stop. In this case, sending the stop command could ++ * cause a RXRDY interrupt with a TXCOMP one. It is better to manage ++ * the RXRDY interrupt first in order to not keep garbage data in the ++ * Receive Holding Register for the next transfer. ++ */ ++ if (irqstatus & AT91_TWI_RXRDY) ++ at91_twi_read_next_byte(dev); + + /* + * When a NACK condition is detected, the I2C controller sets the NACK, +@@ -507,8 +531,6 @@ static irqreturn_t atmel_twi_interrupt(i + if (irqstatus & (AT91_TWI_TXCOMP | AT91_TWI_NACK)) { + at91_disable_twi_interrupts(dev); + complete(&dev->cmd_complete); +- } else if (irqstatus & AT91_TWI_RXRDY) { +- at91_twi_read_next_byte(dev); + } else if (irqstatus & AT91_TWI_TXRDY) { + at91_twi_write_next_byte(dev); + } +@@ -525,7 +547,6 @@ static int at91_do_twi_transfer(struct a + unsigned long time_left; + bool has_unre_flag = dev->pdata->has_unre_flag; + bool has_alt_cmd = dev->pdata->has_alt_cmd; +- unsigned sr; + + /* + * WARNING: the TXCOMP bit in the Status Register is NOT a clear on +@@ -577,7 +598,7 @@ static int at91_do_twi_transfer(struct a + dev->transfer_status = 0; + + /* Clear pending interrupts, such as NACK. */ +- sr = at91_twi_read(dev, AT91_TWI_SR); ++ at91_twi_read(dev, AT91_TWI_SR); + + if (dev->fifo_size) { + unsigned fifo_mr = at91_twi_read(dev, AT91_TWI_FMR); +@@ -600,11 +621,6 @@ static int at91_do_twi_transfer(struct a + } else if (dev->msg->flags & I2C_M_RD) { + unsigned start_flags = AT91_TWI_START; + +- if (sr & AT91_TWI_RXRDY) { +- dev_err(dev->dev, "RXRDY still set!"); +- at91_twi_read(dev, AT91_TWI_RHR); +- } +- + /* if only one byte is to be read, immediately stop transfer */ + if (!has_alt_cmd && dev->buf_len <= 1 && + !(dev->msg->flags & I2C_M_RECV_LEN)) diff --git a/queue-4.3/i2c-fix-wakeup-irq-parsing.patch b/queue-4.3/i2c-fix-wakeup-irq-parsing.patch new file mode 100644 index 00000000000..34f9056908f --- /dev/null +++ b/queue-4.3/i2c-fix-wakeup-irq-parsing.patch @@ -0,0 +1,35 @@ +From c18fba23061f16dde128e10d4869ba4e88e0e81a Mon Sep 17 00:00:00 2001 +From: Grygorii Strashko +Date: Thu, 12 Nov 2015 15:42:26 +0200 +Subject: i2c: fix wakeup irq parsing + +From: Grygorii Strashko + +commit c18fba23061f16dde128e10d4869ba4e88e0e81a upstream. + +This patch fixes obvious copy-past error in wake up irq parsing +code which leads to the fact that dev_pm_set_wake_irq() will +be called with wrong IRQ number when "wakeup" IRQ is not +defined in DT. + +Fixes: 3fffd1283927 ("i2c: allow specifying separate wakeup interrupt in device tree") +Signed-off-by: Grygorii Strashko +Acked-by: Dmitry Torokhov +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/i2c-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/i2c-core.c ++++ b/drivers/i2c/i2c-core.c +@@ -679,7 +679,7 @@ static int i2c_device_probe(struct devic + if (wakeirq > 0 && wakeirq != client->irq) + status = dev_pm_set_dedicated_wake_irq(dev, wakeirq); + else if (client->irq > 0) +- status = dev_pm_set_wake_irq(dev, wakeirq); ++ status = dev_pm_set_wake_irq(dev, client->irq); + else + status = 0; + diff --git a/queue-4.3/i2c-mv64xxx-the-n-clockdiv-factor-is-0-based-on-sunxi-socs.patch b/queue-4.3/i2c-mv64xxx-the-n-clockdiv-factor-is-0-based-on-sunxi-socs.patch new file mode 100644 index 00000000000..eb086285485 --- /dev/null +++ b/queue-4.3/i2c-mv64xxx-the-n-clockdiv-factor-is-0-based-on-sunxi-socs.patch @@ -0,0 +1,94 @@ +From bba61f50f76574ca5b84b310925be7c2e8e64275 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 27 Sep 2015 16:57:08 +0200 +Subject: i2c: mv64xxx: The n clockdiv factor is 0 based on sunxi SoCs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans de Goede + +commit bba61f50f76574ca5b84b310925be7c2e8e64275 upstream. + +According to the datasheets the n factor for dividing the tclk is +2 to the power n on Allwinner SoCs, not 2 to the power n + 1 as it is +on other mv64xxx implementations. + +I've contacted Allwinner about this and they have confirmed that the +datasheet is correct. + +This commit fixes the clk-divider calculations for Allwinner SoCs +accordingly. + +Signed-off-by: Hans de Goede +Acked-by: Maxime Ripard +Tested-by: Olliver Schinagl +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-mv64xxx.c | 27 ++++++++++++++++++--------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +--- a/drivers/i2c/busses/i2c-mv64xxx.c ++++ b/drivers/i2c/busses/i2c-mv64xxx.c +@@ -146,6 +146,8 @@ struct mv64xxx_i2c_data { + bool errata_delay; + struct reset_control *rstc; + bool irq_clear_inverted; ++ /* Clk div is 2 to the power n, not 2 to the power n + 1 */ ++ bool clk_n_base_0; + }; + + static struct mv64xxx_i2c_regs mv64xxx_i2c_regs_mv64xxx = { +@@ -757,25 +759,29 @@ MODULE_DEVICE_TABLE(of, mv64xxx_i2c_of_m + #ifdef CONFIG_OF + #ifdef CONFIG_HAVE_CLK + static int +-mv64xxx_calc_freq(const int tclk, const int n, const int m) ++mv64xxx_calc_freq(struct mv64xxx_i2c_data *drv_data, ++ const int tclk, const int n, const int m) + { +- return tclk / (10 * (m + 1) * (2 << n)); ++ if (drv_data->clk_n_base_0) ++ return tclk / (10 * (m + 1) * (1 << n)); ++ else ++ return tclk / (10 * (m + 1) * (2 << n)); + } + + static bool +-mv64xxx_find_baud_factors(const u32 req_freq, const u32 tclk, u32 *best_n, +- u32 *best_m) ++mv64xxx_find_baud_factors(struct mv64xxx_i2c_data *drv_data, ++ const u32 req_freq, const u32 tclk) + { + int freq, delta, best_delta = INT_MAX; + int m, n; + + for (n = 0; n <= 7; n++) + for (m = 0; m <= 15; m++) { +- freq = mv64xxx_calc_freq(tclk, n, m); ++ freq = mv64xxx_calc_freq(drv_data, tclk, n, m); + delta = req_freq - freq; + if (delta >= 0 && delta < best_delta) { +- *best_m = m; +- *best_n = n; ++ drv_data->freq_m = m; ++ drv_data->freq_n = n; + best_delta = delta; + } + if (best_delta == 0) +@@ -813,8 +819,11 @@ mv64xxx_of_config(struct mv64xxx_i2c_dat + if (of_property_read_u32(np, "clock-frequency", &bus_freq)) + bus_freq = 100000; /* 100kHz by default */ + +- if (!mv64xxx_find_baud_factors(bus_freq, tclk, +- &drv_data->freq_n, &drv_data->freq_m)) { ++ if (of_device_is_compatible(np, "allwinner,sun4i-a10-i2c") || ++ of_device_is_compatible(np, "allwinner,sun6i-a31-i2c")) ++ drv_data->clk_n_base_0 = true; ++ ++ if (!mv64xxx_find_baud_factors(drv_data, bus_freq, tclk)) { + rc = -EINVAL; + goto out; + } diff --git a/queue-4.3/i2c-rcar-disable-runtime-pm-correctly-in-slave-mode.patch b/queue-4.3/i2c-rcar-disable-runtime-pm-correctly-in-slave-mode.patch new file mode 100644 index 00000000000..41214241ffa --- /dev/null +++ b/queue-4.3/i2c-rcar-disable-runtime-pm-correctly-in-slave-mode.patch @@ -0,0 +1,44 @@ +From b4cd08aa1f53c831e67dc5c6bc9f9acff27abcba Mon Sep 17 00:00:00 2001 +From: Wolfram Sang +Date: Wed, 16 Dec 2015 20:05:18 +0100 +Subject: i2c: rcar: disable runtime PM correctly in slave mode + +From: Wolfram Sang + +commit b4cd08aa1f53c831e67dc5c6bc9f9acff27abcba upstream. + +When we also are I2C slave, we need to disable runtime PM because the +address detection mechanism needs to be active all the time. However, we +can reenable runtime PM once the slave instance was unregistered. So, +use pm_runtime_get_sync/put to achieve this, since it has proper +refcounting. pm_runtime_allow/forbid is like a global knob controllable +from userspace which is unsuitable here. + +Signed-off-by: Wolfram Sang +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-rcar.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/i2c/busses/i2c-rcar.c ++++ b/drivers/i2c/busses/i2c-rcar.c +@@ -575,7 +575,7 @@ static int rcar_reg_slave(struct i2c_cli + if (slave->flags & I2C_CLIENT_TEN) + return -EAFNOSUPPORT; + +- pm_runtime_forbid(rcar_i2c_priv_to_dev(priv)); ++ pm_runtime_get_sync(rcar_i2c_priv_to_dev(priv)); + + priv->slave = slave; + rcar_i2c_write(priv, ICSAR, slave->addr); +@@ -597,7 +597,7 @@ static int rcar_unreg_slave(struct i2c_c + + priv->slave = NULL; + +- pm_runtime_allow(rcar_i2c_priv_to_dev(priv)); ++ pm_runtime_put(rcar_i2c_priv_to_dev(priv)); + + return 0; + } diff --git a/queue-4.3/i2c-rk3x-populate-correct-variable-for-sda_falling_time.patch b/queue-4.3/i2c-rk3x-populate-correct-variable-for-sda_falling_time.patch new file mode 100644 index 00000000000..7f730393718 --- /dev/null +++ b/queue-4.3/i2c-rk3x-populate-correct-variable-for-sda_falling_time.patch @@ -0,0 +1,28 @@ +From 9abd29e7c13de24ce73213a425d9574b35ac0c6a Mon Sep 17 00:00:00 2001 +From: Wolfram Sang +Date: Wed, 25 Nov 2015 16:58:18 +0100 +Subject: i2c: rk3x: populate correct variable for sda_falling_time + +From: Wolfram Sang + +commit 9abd29e7c13de24ce73213a425d9574b35ac0c6a upstream. + +Signed-off-by: Wolfram Sang +Reviewed-by: Douglas Anderson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-rk3x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-rk3x.c ++++ b/drivers/i2c/busses/i2c-rk3x.c +@@ -907,7 +907,7 @@ static int rk3x_i2c_probe(struct platfor + &i2c->scl_fall_ns)) + i2c->scl_fall_ns = 300; + if (of_property_read_u32(pdev->dev.of_node, "i2c-sda-falling-time-ns", +- &i2c->scl_fall_ns)) ++ &i2c->sda_fall_ns)) + i2c->sda_fall_ns = i2c->scl_fall_ns; + + strlcpy(i2c->adap.name, "rk3x-i2c", sizeof(i2c->adap.name)); diff --git a/queue-4.3/integrity-prevent-loading-untrusted-certificates-on-the-ima-trusted-keyring.patch b/queue-4.3/integrity-prevent-loading-untrusted-certificates-on-the-ima-trusted-keyring.patch new file mode 100644 index 00000000000..fd5349dec6d --- /dev/null +++ b/queue-4.3/integrity-prevent-loading-untrusted-certificates-on-the-ima-trusted-keyring.patch @@ -0,0 +1,36 @@ +From 72e1eed8abb11c79749266d433c817ce36732893 Mon Sep 17 00:00:00 2001 +From: Dmitry Kasatkin +Date: Thu, 10 Sep 2015 22:06:15 +0300 +Subject: integrity: prevent loading untrusted certificates on the IMA trusted keyring + +From: Dmitry Kasatkin + +commit 72e1eed8abb11c79749266d433c817ce36732893 upstream. + +If IMA_LOAD_X509 is enabled, either directly or indirectly via +IMA_APPRAISE_SIGNED_INIT, certificates are loaded onto the IMA +trusted keyring by the kernel via key_create_or_update(). When +the KEY_ALLOC_TRUSTED flag is provided, certificates are loaded +without first verifying the certificate is properly signed by a +trusted key on the system keyring. This patch removes the +KEY_ALLOC_TRUSTED flag. + +Signed-off-by: Dmitry Kasatkin +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + security/integrity/digsig.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/integrity/digsig.c ++++ b/security/integrity/digsig.c +@@ -105,7 +105,7 @@ int __init integrity_load_x509(const uns + rc, + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ), +- KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_TRUSTED); ++ KEY_ALLOC_NOT_IN_QUOTA); + if (IS_ERR(key)) { + rc = PTR_ERR(key); + pr_err("Problem loading X.509 certificate (%d): %s\n", diff --git a/queue-4.3/jbd2-fix-checkpoint-list-cleanup.patch b/queue-4.3/jbd2-fix-checkpoint-list-cleanup.patch new file mode 100644 index 00000000000..840311d5b7d --- /dev/null +++ b/queue-4.3/jbd2-fix-checkpoint-list-cleanup.patch @@ -0,0 +1,63 @@ +From 33d14975e5ac469963d5d63856b61698ad0bff07 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Sat, 17 Oct 2015 22:35:09 -0400 +Subject: jbd2: fix checkpoint list cleanup + +From: Jan Kara + +commit 33d14975e5ac469963d5d63856b61698ad0bff07 upstream. + +Unlike comments and expectation of callers journal_clean_one_cp_list() +returned 1 not only if it freed the transaction but also if it freed +some buffers in the transaction. That could make +__jbd2_journal_clean_checkpoint_list() skip processing +t_checkpoint_io_list and continue with processing the next transaction. +This is mostly a cosmetic issue since the only result is we can +sometimes free less memory than we could. But it's still worth fixing. +Fix journal_clean_one_cp_list() to return 1 only if the transaction was +really freed. + +Fixes: 50849db32a9f529235a84bcc84a6b8e631b1d0ec +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jbd2/checkpoint.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/fs/jbd2/checkpoint.c ++++ b/fs/jbd2/checkpoint.c +@@ -427,7 +427,6 @@ static int journal_clean_one_cp_list(str + struct journal_head *last_jh; + struct journal_head *next_jh = jh; + int ret; +- int freed = 0; + + if (!jh) + return 0; +@@ -441,10 +440,9 @@ static int journal_clean_one_cp_list(str + else + ret = __jbd2_journal_remove_checkpoint(jh) + 1; + if (!ret) +- return freed; ++ return 0; + if (ret == 2) + return 1; +- freed = 1; + /* + * This function only frees up some memory + * if possible so we dont have an obligation +@@ -452,10 +450,10 @@ static int journal_clean_one_cp_list(str + * requested: + */ + if (need_resched()) +- return freed; ++ return 0; + } while (jh != last_jh); + +- return freed; ++ return 0; + } + + /* diff --git a/queue-4.3/jbd2-fix-null-committed-data-return-in-undo_access.patch b/queue-4.3/jbd2-fix-null-committed-data-return-in-undo_access.patch new file mode 100644 index 00000000000..e4dc3607a86 --- /dev/null +++ b/queue-4.3/jbd2-fix-null-committed-data-return-in-undo_access.patch @@ -0,0 +1,118 @@ +From 087ffd4eae9929afd06f6a709861df3c3508492a Mon Sep 17 00:00:00 2001 +From: Junxiao Bi +Date: Fri, 4 Dec 2015 12:29:28 -0500 +Subject: jbd2: fix null committed data return in undo_access + +From: Junxiao Bi + +commit 087ffd4eae9929afd06f6a709861df3c3508492a upstream. + +introduced jbd2_write_access_granted() to improve write|undo_access +speed, but missed to check the status of b_committed_data which caused +a kernel panic on ocfs2. + +[ 6538.405938] ------------[ cut here ]------------ +[ 6538.406686] kernel BUG at fs/ocfs2/suballoc.c:2400! +[ 6538.406686] invalid opcode: 0000 [#1] SMP +[ 6538.406686] Modules linked in: ocfs2 nfsd lockd grace nfs_acl auth_rpcgss sunrpc autofs4 ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs sd_mod sg ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi cxgb3 mdio ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr ipv6 iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ppdev xen_kbdfront xen_netfront xen_fbfront parport_pc parport pcspkr i2c_piix4 acpi_cpufreq ext4 jbd2 mbcache xen_blkfront floppy pata_acpi ata_generic ata_piix cirrus ttm drm_kms_helper drm fb_sys_fops sysimgblt sysfillrect i2c_core syscopyarea dm_mirror dm_region_hash dm_log dm_mod +[ 6538.406686] CPU: 1 PID: 16265 Comm: mmap_truncate Not tainted 4.3.0 #1 +[ 6538.406686] Hardware name: Xen HVM domU, BIOS 4.3.1OVM 05/14/2014 +[ 6538.406686] task: ffff88007c2bab00 ti: ffff880075b78000 task.ti: ffff880075b78000 +[ 6538.406686] RIP: 0010:[] [] ocfs2_block_group_clear_bits+0x23b/0x250 [ocfs2] +[ 6538.406686] RSP: 0018:ffff880075b7b7f8 EFLAGS: 00010246 +[ 6538.406686] RAX: ffff8800760c5b40 RBX: ffff88006c06a000 RCX: ffffffffa06e6df0 +[ 6538.406686] RDX: 0000000000000000 RSI: ffff88007a6f6ea0 RDI: ffff88007a760430 +[ 6538.406686] RBP: ffff880075b7b878 R08: 0000000000000002 R09: 0000000000000001 +[ 6538.406686] R10: ffffffffa06769be R11: 0000000000000000 R12: 0000000000000001 +[ 6538.406686] R13: ffffffffa06a1750 R14: 0000000000000001 R15: ffff88007a6f6ea0 +[ 6538.406686] FS: 00007f17fde30720(0000) GS:ffff88007f040000(0000) knlGS:0000000000000000 +[ 6538.406686] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 6538.406686] CR2: 0000000000601730 CR3: 000000007aea0000 CR4: 00000000000406e0 +[ 6538.406686] Stack: +[ 6538.406686] ffff88007c2bb5b0 ffff880075b7b8e0 ffff88007a7604b0 ffff88006c640800 +[ 6538.406686] ffff88007a7604b0 ffff880075d77390 0000000075b7b878 ffffffffa06a309d +[ 6538.406686] ffff880075d752d8 ffff880075b7b990 ffff880075b7b898 0000000000000000 +[ 6538.406686] Call Trace: +[ 6538.406686] [] ? ocfs2_read_group_descriptor+0x6d/0xa0 [ocfs2] +[ 6538.406686] [] _ocfs2_free_suballoc_bits+0xe4/0x320 [ocfs2] +[ 6538.406686] [] ? ocfs2_put_slot+0xf0/0xf0 [ocfs2] +[ 6538.406686] [] _ocfs2_free_clusters+0xee/0x210 [ocfs2] +[ 6538.406686] [] ? ocfs2_put_slot+0xf0/0xf0 [ocfs2] +[ 6538.406686] [] ? ocfs2_put_slot+0xf0/0xf0 [ocfs2] +[ 6538.406686] [] ? ocfs2_extend_trans+0x50/0x1a0 [ocfs2] +[ 6538.406686] [] ocfs2_free_clusters+0x15/0x20 [ocfs2] +[ 6538.406686] [] ocfs2_replay_truncate_records+0xfc/0x290 [ocfs2] +[ 6538.406686] [] ? ocfs2_start_trans+0xec/0x1d0 [ocfs2] +[ 6538.406686] [] __ocfs2_flush_truncate_log+0x140/0x2d0 [ocfs2] +[ 6538.406686] [] ? ocfs2_reserve_blocks_for_rec_trunc.clone.0+0x44/0x170 [ocfs2] +[ 6538.406686] [] ocfs2_remove_btree_range+0x374/0x630 [ocfs2] +[ 6538.406686] [] ? jbd2_journal_stop+0x25b/0x470 [jbd2] +[ 6538.406686] [] ocfs2_commit_truncate+0x305/0x670 [ocfs2] +[ 6538.406686] [] ? ocfs2_journal_access_eb+0x20/0x20 [ocfs2] +[ 6538.406686] [] ocfs2_truncate_file+0x297/0x380 [ocfs2] +[ 6538.406686] [] ? jbd2_journal_begin_ordered_truncate+0x64/0xc0 [jbd2] +[ 6538.406686] [] ocfs2_setattr+0x572/0x860 [ocfs2] +[ 6538.406686] [] ? current_fs_time+0x3f/0x50 +[ 6538.406686] [] notify_change+0x1d7/0x340 +[ 6538.406686] [] ? generic_getxattr+0x79/0x80 +[ 6538.406686] [] do_truncate+0x66/0x90 +[ 6538.406686] [] ? __audit_syscall_entry+0xb0/0x110 +[ 6538.406686] [] do_sys_ftruncate.clone.0+0xf3/0x120 +[ 6538.406686] [] SyS_ftruncate+0xe/0x10 +[ 6538.406686] [] entry_SYSCALL_64_fastpath+0x12/0x71 +[ 6538.406686] Code: 28 48 81 ee b0 04 00 00 48 8b 92 50 fb ff ff 48 8b 80 b0 03 00 00 48 39 90 88 00 00 00 0f 84 30 fe ff ff 0f 0b eb fe 0f 0b eb fe <0f> 0b 0f 1f 00 eb fb 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 +[ 6538.406686] RIP [] ocfs2_block_group_clear_bits+0x23b/0x250 [ocfs2] +[ 6538.406686] RSP +[ 6538.691128] ---[ end trace 31cd7011d6770d7e ]--- +[ 6538.694492] Kernel panic - not syncing: Fatal exception +[ 6538.695484] Kernel Offset: disabled + +Fixes: de92c8caf16c("jbd2: speedup jbd2_journal_get_[write|undo]_access()") +Signed-off-by: Junxiao Bi +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jbd2/transaction.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -1009,7 +1009,8 @@ out: + } + + /* Fast check whether buffer is already attached to the required transaction */ +-static bool jbd2_write_access_granted(handle_t *handle, struct buffer_head *bh) ++static bool jbd2_write_access_granted(handle_t *handle, struct buffer_head *bh, ++ bool undo) + { + struct journal_head *jh; + bool ret = false; +@@ -1036,6 +1037,9 @@ static bool jbd2_write_access_granted(ha + jh = READ_ONCE(bh->b_private); + if (!jh) + goto out; ++ /* For undo access buffer must have data copied */ ++ if (undo && !jh->b_committed_data) ++ goto out; + if (jh->b_transaction != handle->h_transaction && + jh->b_next_transaction != handle->h_transaction) + goto out; +@@ -1073,7 +1077,7 @@ int jbd2_journal_get_write_access(handle + struct journal_head *jh; + int rc; + +- if (jbd2_write_access_granted(handle, bh)) ++ if (jbd2_write_access_granted(handle, bh, false)) + return 0; + + jh = jbd2_journal_add_journal_head(bh); +@@ -1210,7 +1214,7 @@ int jbd2_journal_get_undo_access(handle_ + char *committed_data = NULL; + + JBUFFER_TRACE(jh, "entry"); +- if (jbd2_write_access_granted(handle, bh)) ++ if (jbd2_write_access_granted(handle, bh, true)) + return 0; + + jh = jbd2_journal_add_journal_head(bh); diff --git a/queue-4.3/jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch b/queue-4.3/jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch new file mode 100644 index 00000000000..5c0006777b4 --- /dev/null +++ b/queue-4.3/jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch @@ -0,0 +1,62 @@ +From bc23f0c8d7ccd8d924c4e70ce311288cb3e61ea8 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 24 Nov 2015 15:34:35 -0500 +Subject: jbd2: Fix unreclaimed pages after truncate in data=journal mode + +From: Jan Kara + +commit bc23f0c8d7ccd8d924c4e70ce311288cb3e61ea8 upstream. + +Ted and Namjae have reported that truncated pages don't get timely +reclaimed after being truncated in data=journal mode. The following test +triggers the issue easily: + +for (i = 0; i < 1000; i++) { + pwrite(fd, buf, 1024*1024, 0); + fsync(fd); + fsync(fd); + ftruncate(fd, 0); +} + +The reason is that journal_unmap_buffer() finds that truncated buffers +are not journalled (jh->b_transaction == NULL), they are part of +checkpoint list of a transaction (jh->b_cp_transaction != NULL) and have +been already written out (!buffer_dirty(bh)). We clean such buffers but +we leave them in the checkpoint list. Since checkpoint transaction holds +a reference to the journal head, these buffers cannot be released until +the checkpoint transaction is cleaned up. And at that point we don't +call release_buffer_page() anymore so pages detached from mapping are +lingering in the system waiting for reclaim to find them and free them. + +Fix the problem by removing buffers from transaction checkpoint lists +when journal_unmap_buffer() finds out they don't have to be there +anymore. + +Reported-and-tested-by: Namjae Jeon +Fixes: de1b794130b130e77ffa975bb58cb843744f9ae5 +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jbd2/transaction.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -2152,6 +2152,7 @@ static int journal_unmap_buffer(journal_ + + if (!buffer_dirty(bh)) { + /* bdflush has written it. We can drop it now */ ++ __jbd2_journal_remove_checkpoint(jh); + goto zap_buffer; + } + +@@ -2181,6 +2182,7 @@ static int journal_unmap_buffer(journal_ + /* The orphan record's transaction has + * committed. We can cleanse this buffer */ + clear_buffer_jbddirty(bh); ++ __jbd2_journal_remove_checkpoint(jh); + goto zap_buffer; + } + } diff --git a/queue-4.3/media-i2c-don-t-export-ir-kbd-i2c-module-alias.patch b/queue-4.3/media-i2c-don-t-export-ir-kbd-i2c-module-alias.patch new file mode 100644 index 00000000000..9586912697b --- /dev/null +++ b/queue-4.3/media-i2c-don-t-export-ir-kbd-i2c-module-alias.patch @@ -0,0 +1,45 @@ +From 329d88da4df9a96da43018aceabd3a06e6a7e7ae Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Wed, 27 Jan 2016 12:03:23 -0200 +Subject: [media] media: i2c: Don't export ir-kbd-i2c module alias + +From: Javier Martinez Canillas + +commit 329d88da4df9a96da43018aceabd3a06e6a7e7ae upstream. + +This is a partial revert of commit ed8d1cf07cb16d ("[media] Export I2C +module alias information in missing drivers") that exported the module +aliases for the I2C drivers that were missing to make autoload to work. + +But there is a bug report [0] that auto load of the ir-kbd-i2c driver +cause the Hauppauge HD-PVR driver to not behave correctly. + +This is a hdpvr latent bug that was just exposed by ir-kbd-i2c module +autoloading working and will also happen if the I2C driver is built-in +or a user calls modprobe to load the module and register the driver. + +But there is a regression experimented by users so until the real bug +is fixed, let's not export the module alias for the ir-kbd-i2c driver +even when this just masks the actual issue. + +[0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810726 + +Fixes: ed8d1cf07cb1 ("[media] Export I2C module alias information in missing drivers") + +Signed-off-by: Javier Martinez Canillas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/i2c/ir-kbd-i2c.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/media/i2c/ir-kbd-i2c.c ++++ b/drivers/media/i2c/ir-kbd-i2c.c +@@ -478,7 +478,6 @@ static const struct i2c_device_id ir_kbd + { "ir_rx_z8f0811_hdpvr", 0 }, + { } + }; +-MODULE_DEVICE_TABLE(i2c, ir_kbd_id); + + static struct i2c_driver ir_kbd_driver = { + .driver = { diff --git a/queue-4.3/media-v4l2-ctrls-fix-64bit-support-in-get_ctrl.patch b/queue-4.3/media-v4l2-ctrls-fix-64bit-support-in-get_ctrl.patch new file mode 100644 index 00000000000..21eb96e3f2c --- /dev/null +++ b/queue-4.3/media-v4l2-ctrls-fix-64bit-support-in-get_ctrl.patch @@ -0,0 +1,53 @@ +From a8077734055f870ba630563868a6349671ca8dfc Mon Sep 17 00:00:00 2001 +From: Benoit Parrot +Date: Mon, 21 Sep 2015 13:03:21 -0300 +Subject: [media] media: v4l2-ctrls: Fix 64bit support in get_ctrl() + +From: Benoit Parrot + +commit a8077734055f870ba630563868a6349671ca8dfc upstream. + +When trying to use v4l2_ctrl_g_ctrl_int64() to retrieve a +V4L2_CTRL_TYPE_INTEGER64 type value the internal helper function +get_ctrl() would prematurely exit because for this control type +the 'is_int' flag is not set. This would result in v4l2_ctrl_g_ctrl_int64 +always returning 0. + +Also v4l2_ctrl_g_ctrl_int64() is reading and returning the 32bit value +member instead of the 64bit version, so fixing that as well. + +This patch extends the condition check to allow the V4L2_CTRL_TYPE_INTEGER64 +type to continue processing instead of exiting. + +Signed-off-by: Benoit Parrot +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/v4l2-core/v4l2-ctrls.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-ctrls.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls.c +@@ -2884,7 +2884,7 @@ static int get_ctrl(struct v4l2_ctrl *ct + * cur_to_user() calls below would need to be modified not to access + * userspace memory when called from get_ctrl(). + */ +- if (!ctrl->is_int) ++ if (!ctrl->is_int && ctrl->type != V4L2_CTRL_TYPE_INTEGER64) + return -EINVAL; + + if (ctrl->flags & V4L2_CTRL_FLAG_WRITE_ONLY) +@@ -2942,9 +2942,9 @@ s64 v4l2_ctrl_g_ctrl_int64(struct v4l2_c + + /* It's a driver bug if this happens. */ + WARN_ON(ctrl->is_ptr || ctrl->type != V4L2_CTRL_TYPE_INTEGER64); +- c.value = 0; ++ c.value64 = 0; + get_ctrl(ctrl, &c); +- return c.value; ++ return c.value64; + } + EXPORT_SYMBOL(v4l2_ctrl_g_ctrl_int64); + diff --git a/queue-4.3/media-v4l2-ctrls-fix-setting-autocluster-to-manual-with-vidioc_s_ctrl.patch b/queue-4.3/media-v4l2-ctrls-fix-setting-autocluster-to-manual-with-vidioc_s_ctrl.patch new file mode 100644 index 00000000000..85835fe873b --- /dev/null +++ b/queue-4.3/media-v4l2-ctrls-fix-setting-autocluster-to-manual-with-vidioc_s_ctrl.patch @@ -0,0 +1,61 @@ +From 759b26a1d916400a1a20948eb964dea6ad0bd9e9 Mon Sep 17 00:00:00 2001 +From: Antonio Ospite +Date: Wed, 14 Oct 2015 10:57:32 -0300 +Subject: [media] media/v4l2-ctrls: fix setting autocluster to manual with VIDIOC_S_CTRL + +From: Antonio Ospite + +commit 759b26a1d916400a1a20948eb964dea6ad0bd9e9 upstream. + +Since commit 5d0360a4f027576e5419d4a7c711c9ca0f1be8ca it's not possible +anymore to set auto clusters from auto to manual using VIDIOC_S_CTRL. + +For example, setting autogain to manual with gspca/ov534 driver and this +sequence of commands does not work: + + v4l2-ctl --set-ctrl=gain_automatic=1 + v4l2-ctl --list-ctrls | grep gain_automatic + # The following does not work + v4l2-ctl --set-ctrl=gain_automatic=0 + v4l2-ctl --list-ctrls | grep gain_automatic + +Changing the value using VIDIOC_S_EXT_CTRLS (like qv4l2 does) works +fine. + +The apparent cause by looking at the changes in 5d0360a and comparing +with the code path for VIDIOC_S_EXT_CTRLS seems to be that the code in +v4l2-ctrls.c::set_ctrl() is not calling user_to_new() anymore after +calling update_from_auto_cluster(master). + +However the root cause of the problem is that calling +update_from_auto_cluster(master) overrides also the _master_ control +state calling cur_to_new() while it was supposed to only update the +volatile controls. + +Calling user_to_new() after update_from_auto_cluster(master) was just +masking the original bug by restoring the correct new value of the +master control before making the changes permanent. + +Fix the original bug by making update_from_auto_cluster() not override +the new master control value. + +Signed-off-by: Antonio Ospite +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/v4l2-core/v4l2-ctrls.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/v4l2-core/v4l2-ctrls.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls.c +@@ -3043,7 +3043,7 @@ static void update_from_auto_cluster(str + { + int i; + +- for (i = 0; i < master->ncontrols; i++) ++ for (i = 1; i < master->ncontrols; i++) + cur_to_new(master->cluster[i]); + if (!call_op(master, g_volatile_ctrl)) + for (i = 1; i < master->ncontrols; i++) diff --git a/queue-4.3/media-vb2-dma-contig-fully-cache-synchronise-buffers-in-prepare-and-finish.patch b/queue-4.3/media-vb2-dma-contig-fully-cache-synchronise-buffers-in-prepare-and-finish.patch new file mode 100644 index 00000000000..394799bcb28 --- /dev/null +++ b/queue-4.3/media-vb2-dma-contig-fully-cache-synchronise-buffers-in-prepare-and-finish.patch @@ -0,0 +1,48 @@ +From d9a985883fa32453d099d6293188c11d75cef1fa Mon Sep 17 00:00:00 2001 +From: Tiffany Lin +Date: Thu, 24 Sep 2015 06:02:36 -0300 +Subject: [media] media: vb2 dma-contig: Fully cache synchronise buffers in prepare and finish + +From: Tiffany Lin + +commit d9a985883fa32453d099d6293188c11d75cef1fa upstream. + +In videobuf2 dma-contig memory type the prepare and finish ops, instead of +passing the number of entries in the original scatterlist as the "nents" +parameter to dma_sync_sg_for_device() and dma_sync_sg_for_cpu(), the value +returned by dma_map_sg() was used. Albeit this has been suggested in +comments of some implementations (which have since been corrected), this +is wrong. + +Fixes: 199d101efdba ("v4l: vb2-dma-contig: add prepare/finish to dma-contig allocator") + +Signed-off-by: Tiffany Lin +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/v4l2-core/videobuf2-dma-contig.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/media/v4l2-core/videobuf2-dma-contig.c ++++ b/drivers/media/v4l2-core/videobuf2-dma-contig.c +@@ -100,7 +100,8 @@ static void vb2_dc_prepare(void *buf_pri + if (!sgt || buf->db_attach) + return; + +- dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir); ++ dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->orig_nents, ++ buf->dma_dir); + } + + static void vb2_dc_finish(void *buf_priv) +@@ -112,7 +113,7 @@ static void vb2_dc_finish(void *buf_priv + if (!sgt || buf->db_attach) + return; + +- dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir); ++ dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->orig_nents, buf->dma_dir); + } + + /*********************************************/ diff --git a/queue-4.3/media-vb2-dma-sg-fully-cache-synchronise-buffers-in-prepare-and-finish.patch b/queue-4.3/media-vb2-dma-sg-fully-cache-synchronise-buffers-in-prepare-and-finish.patch new file mode 100644 index 00000000000..eb27ddceaf5 --- /dev/null +++ b/queue-4.3/media-vb2-dma-sg-fully-cache-synchronise-buffers-in-prepare-and-finish.patch @@ -0,0 +1,48 @@ +From 418dae2276065680bde7ae27d2c075e612a54de6 Mon Sep 17 00:00:00 2001 +From: Tiffany Lin +Date: Thu, 24 Sep 2015 06:02:36 -0300 +Subject: [media] media: vb2 dma-sg: Fully cache synchronise buffers in prepare and finish + +From: Tiffany Lin + +commit 418dae2276065680bde7ae27d2c075e612a54de6 upstream. + +In videobuf2 dma-sg memory types the prepare and finish ops, instead +of passing the number of entries in the original scatterlist as the +"nents" parameter to dma_sync_sg_for_device() and dma_sync_sg_for_cpu(), +the value returned by dma_map_sg() was used. Albeit this has been +suggested in comments of some implementations (which have since been +corrected), this is wrong. + +Fixes: d790b7eda953 ("vb2-dma-sg: move dma_(un)map_sg here") + +Signed-off-by: Tiffany Lin +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/v4l2-core/videobuf2-dma-sg.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/media/v4l2-core/videobuf2-dma-sg.c ++++ b/drivers/media/v4l2-core/videobuf2-dma-sg.c +@@ -210,7 +210,8 @@ static void vb2_dma_sg_prepare(void *buf + if (buf->db_attach) + return; + +- dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir); ++ dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->orig_nents, ++ buf->dma_dir); + } + + static void vb2_dma_sg_finish(void *buf_priv) +@@ -222,7 +223,7 @@ static void vb2_dma_sg_finish(void *buf_ + if (buf->db_attach) + return; + +- dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir); ++ dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->orig_nents, buf->dma_dir); + } + + static void *vb2_dma_sg_get_userptr(void *alloc_ctx, unsigned long vaddr, diff --git a/queue-4.3/mtd-blkdevs-fix-potential-deadlock-lockdep-warnings.patch b/queue-4.3/mtd-blkdevs-fix-potential-deadlock-lockdep-warnings.patch new file mode 100644 index 00000000000..3829cad8d7a --- /dev/null +++ b/queue-4.3/mtd-blkdevs-fix-potential-deadlock-lockdep-warnings.patch @@ -0,0 +1,169 @@ +From f3c63795e90f0c6238306883b6c72f14d5355721 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Mon, 26 Oct 2015 10:20:23 -0700 +Subject: mtd: blkdevs: fix potential deadlock + lockdep warnings + +From: Brian Norris + +commit f3c63795e90f0c6238306883b6c72f14d5355721 upstream. + +Commit 073db4a51ee4 ("mtd: fix: avoid race condition when accessing +mtd->usecount") fixed a race condition but due to poor ordering of the +mutex acquisition, introduced a potential deadlock. + +The deadlock can occur, for example, when rmmod'ing the m25p80 module, which +will delete one or more MTDs, along with any corresponding mtdblock +devices. This could potentially race with an acquisition of the block +device as follows. + + -> blktrans_open() + -> mutex_lock(&dev->lock); + -> mutex_lock(&mtd_table_mutex); + + -> del_mtd_device() + -> mutex_lock(&mtd_table_mutex); + -> blktrans_notify_remove() -> del_mtd_blktrans_dev() + -> mutex_lock(&dev->lock); + +This is a classic (potential) ABBA deadlock, which can be fixed by +making the A->B ordering consistent everywhere. There was no real +purpose to the ordering in the original patch, AFAIR, so this shouldn't +be a problem. This ordering was actually already present in +del_mtd_blktrans_dev(), for one, where the function tried to ensure that +its caller already held mtd_table_mutex before it acquired &dev->lock: + + if (mutex_trylock(&mtd_table_mutex)) { + mutex_unlock(&mtd_table_mutex); + BUG(); + } + +So, reverse the ordering of acquisition of &dev->lock and &mtd_table_mutex so +we always acquire mtd_table_mutex first. + +Snippets of the lockdep output follow: + + # modprobe -r m25p80 + [ 53.419251] + [ 53.420838] ====================================================== + [ 53.427300] [ INFO: possible circular locking dependency detected ] + [ 53.433865] 4.3.0-rc6 #96 Not tainted + [ 53.437686] ------------------------------------------------------- + [ 53.444220] modprobe/372 is trying to acquire lock: + [ 53.449320] (&new->lock){+.+...}, at: [] del_mtd_blktrans_dev+0x80/0xdc + [ 53.457271] + [ 53.457271] but task is already holding lock: + [ 53.463372] (mtd_table_mutex){+.+.+.}, at: [] del_mtd_device+0x18/0x100 + [ 53.471321] + [ 53.471321] which lock already depends on the new lock. + [ 53.471321] + [ 53.479856] + [ 53.479856] the existing dependency chain (in reverse order) is: + [ 53.487660] + -> #1 (mtd_table_mutex){+.+.+.}: + [ 53.492331] [] blktrans_open+0x34/0x1a4 + [ 53.497879] [] __blkdev_get+0xc4/0x3b0 + [ 53.503364] [] blkdev_get+0x108/0x320 + [ 53.508743] [] do_dentry_open+0x218/0x314 + [ 53.514496] [] path_openat+0x4c0/0xf9c + [ 53.519959] [] do_filp_open+0x5c/0xc0 + [ 53.525336] [] do_sys_open+0xfc/0x1cc + [ 53.530716] [] ret_fast_syscall+0x0/0x1c + [ 53.536375] + -> #0 (&new->lock){+.+...}: + [ 53.540587] [] mutex_lock_nested+0x38/0x3cc + [ 53.546504] [] del_mtd_blktrans_dev+0x80/0xdc + [ 53.552606] [] blktrans_notify_remove+0x7c/0x84 + [ 53.558891] [] del_mtd_device+0x74/0x100 + [ 53.564544] [] del_mtd_partitions+0x80/0xc8 + [ 53.570451] [] mtd_device_unregister+0x24/0x48 + [ 53.576637] [] spi_drv_remove+0x1c/0x34 + [ 53.582207] [] __device_release_driver+0x88/0x114 + [ 53.588663] [] device_release_driver+0x20/0x2c + [ 53.594843] [] bus_remove_device+0xd8/0x108 + [ 53.600748] [] device_del+0x10c/0x210 + [ 53.606127] [] device_unregister+0xc/0x20 + [ 53.611849] [] __unregister+0x10/0x20 + [ 53.617211] [] device_for_each_child+0x50/0x7c + [ 53.623387] [] spi_unregister_master+0x58/0x8c + [ 53.629578] [] release_nodes+0x15c/0x1c8 + [ 53.635223] [] __device_release_driver+0x90/0x114 + [ 53.641689] [] driver_detach+0xb4/0xb8 + [ 53.647147] [] bus_remove_driver+0x4c/0xa0 + [ 53.652970] [] SyS_delete_module+0x11c/0x1e4 + [ 53.658976] [] ret_fast_syscall+0x0/0x1c + [ 53.664621] + [ 53.664621] other info that might help us debug this: + [ 53.664621] + [ 53.672979] Possible unsafe locking scenario: + [ 53.672979] + [ 53.679169] CPU0 CPU1 + [ 53.683900] ---- ---- + [ 53.688633] lock(mtd_table_mutex); + [ 53.692383] lock(&new->lock); + [ 53.698306] lock(mtd_table_mutex); + [ 53.704658] lock(&new->lock); + [ 53.707946] + [ 53.707946] *** DEADLOCK *** + +Fixes: 073db4a51ee4 ("mtd: fix: avoid race condition when accessing mtd->usecount") +Reported-by: Felipe Balbi +Tested-by: Felipe Balbi +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/mtd_blkdevs.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/mtd/mtd_blkdevs.c ++++ b/drivers/mtd/mtd_blkdevs.c +@@ -192,8 +192,8 @@ static int blktrans_open(struct block_de + if (!dev) + return -ERESTARTSYS; /* FIXME: busy loop! -arnd*/ + +- mutex_lock(&dev->lock); + mutex_lock(&mtd_table_mutex); ++ mutex_lock(&dev->lock); + + if (dev->open) + goto unlock; +@@ -217,8 +217,8 @@ static int blktrans_open(struct block_de + + unlock: + dev->open++; +- mutex_unlock(&mtd_table_mutex); + mutex_unlock(&dev->lock); ++ mutex_unlock(&mtd_table_mutex); + blktrans_dev_put(dev); + return ret; + +@@ -228,8 +228,8 @@ error_release: + error_put: + module_put(dev->tr->owner); + kref_put(&dev->ref, blktrans_dev_release); +- mutex_unlock(&mtd_table_mutex); + mutex_unlock(&dev->lock); ++ mutex_unlock(&mtd_table_mutex); + blktrans_dev_put(dev); + return ret; + } +@@ -241,8 +241,8 @@ static void blktrans_release(struct gend + if (!dev) + return; + +- mutex_lock(&dev->lock); + mutex_lock(&mtd_table_mutex); ++ mutex_lock(&dev->lock); + + if (--dev->open) + goto unlock; +@@ -256,8 +256,8 @@ static void blktrans_release(struct gend + __put_mtd_device(dev->mtd); + } + unlock: +- mutex_unlock(&mtd_table_mutex); + mutex_unlock(&dev->lock); ++ mutex_unlock(&mtd_table_mutex); + blktrans_dev_put(dev); + } + diff --git a/queue-4.3/mtd-jz4740_nand-fix-build-on-jz4740-after-removing-gpio.h.patch b/queue-4.3/mtd-jz4740_nand-fix-build-on-jz4740-after-removing-gpio.h.patch new file mode 100644 index 00000000000..ed0e3124cd2 --- /dev/null +++ b/queue-4.3/mtd-jz4740_nand-fix-build-on-jz4740-after-removing-gpio.h.patch @@ -0,0 +1,46 @@ +From 96dd922c198286681fbbc15100e196e0f629e2fb Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Wed, 11 Nov 2015 15:36:16 -0800 +Subject: mtd: jz4740_nand: fix build on jz4740 after removing gpio.h + +From: Brian Norris + +commit 96dd922c198286681fbbc15100e196e0f629e2fb upstream. + +Fallout from commit 832f5dacfa0b ("MIPS: Remove all the uses of custom gpio.h") + +We see errors like this: + +drivers/mtd/nand/jz4740_nand.c: In function 'jz_nand_detect_bank': +drivers/mtd/nand/jz4740_nand.c:340:9: error: 'JZ_GPIO_MEM_CS0' undeclared (first use in this function) +drivers/mtd/nand/jz4740_nand.c:340:9: note: each undeclared identifier is reported only once for each function it appears in +drivers/mtd/nand/jz4740_nand.c:359:2: error: implicit declaration of function 'jz_gpio_set_function' [-Werror=implicit-function-declaration] +drivers/mtd/nand/jz4740_nand.c:359:29: error: 'JZ_GPIO_FUNC_MEM_CS0' undeclared (first use in this function) +drivers/mtd/nand/jz4740_nand.c:399:29: error: 'JZ_GPIO_FUNC_NONE' undeclared (first use in this function) +drivers/mtd/nand/jz4740_nand.c: In function 'jz_nand_probe': +drivers/mtd/nand/jz4740_nand.c:528:13: error: 'JZ_GPIO_MEM_CS0' undeclared (first use in this function) +drivers/mtd/nand/jz4740_nand.c: In function 'jz_nand_remove': +drivers/mtd/nand/jz4740_nand.c:555:14: error: 'JZ_GPIO_MEM_CS0' undeclared (first use in this function) + +Patched similarly to: + +https://patchwork.linux-mips.org/patch/11089/ + +Fixes: 832f5dacfa0b ("MIPS: Remove all the uses of custom gpio.h") +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/jz4740_nand.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mtd/nand/jz4740_nand.c ++++ b/drivers/mtd/nand/jz4740_nand.c +@@ -25,6 +25,7 @@ + + #include + ++#include + #include + + #define JZ_REG_NAND_CTRL 0x50 diff --git a/queue-4.3/mtd-mtdpart-fix-add_mtd_partitions-error-path.patch b/queue-4.3/mtd-mtdpart-fix-add_mtd_partitions-error-path.patch new file mode 100644 index 00000000000..bf0b67b72c3 --- /dev/null +++ b/queue-4.3/mtd-mtdpart-fix-add_mtd_partitions-error-path.patch @@ -0,0 +1,36 @@ +From e5bae86797141e4a95e42d825f737cb36d7b8c37 Mon Sep 17 00:00:00 2001 +From: Boris BREZILLON +Date: Thu, 30 Jul 2015 12:18:03 +0200 +Subject: mtd: mtdpart: fix add_mtd_partitions error path + +From: Boris BREZILLON + +commit e5bae86797141e4a95e42d825f737cb36d7b8c37 upstream. + +If we fail to allocate a partition structure in the middle of the partition +creation process, the already allocated partitions are never removed, which +means they are still present in the partition list and their resources are +never freed. + +Signed-off-by: Boris Brezillon +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/mtdpart.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/mtdpart.c ++++ b/drivers/mtd/mtdpart.c +@@ -664,8 +664,10 @@ int add_mtd_partitions(struct mtd_info * + + for (i = 0; i < nbparts; i++) { + slave = allocate_partition(master, parts + i, i, cur_offset); +- if (IS_ERR(slave)) ++ if (IS_ERR(slave)) { ++ del_mtd_partitions(master); + return PTR_ERR(slave); ++ } + + mutex_lock(&mtd_partitions_mutex); + list_add(&slave->list, &mtd_partitions); diff --git a/queue-4.3/mtd-nand-fix-shutdown-reboot-for-multi-chip-systems.patch b/queue-4.3/mtd-nand-fix-shutdown-reboot-for-multi-chip-systems.patch new file mode 100644 index 00000000000..646b02d1243 --- /dev/null +++ b/queue-4.3/mtd-nand-fix-shutdown-reboot-for-multi-chip-systems.patch @@ -0,0 +1,52 @@ +From 9ca641b0f02a3a1eedbc8c296e695326da9bbaf9 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Mon, 9 Nov 2015 16:37:28 -0800 +Subject: mtd: nand: fix shutdown/reboot for multi-chip systems + +From: Brian Norris + +commit 9ca641b0f02a3a1eedbc8c296e695326da9bbaf9 upstream. + +If multiple NAND chips are registered to the same controller, then when +rebooting the system, the first one will grab the controller lock, while +the second will wait forever for the first one to release it. i.e., a +classic deadlock. + +This problem was solved for a similar case (suspend/resume) back in +commit 6b0d9a841249 ("mtd: nand: fix multi-chip suspend problem"), and +the shutdown state really isn't much different for us, so rather than +adding a new special case to nand_get_device(), we can just overload the +FL_PM_SUSPENDED state. + +Now, multiple chips can "get" the same controller lock (preventing +further I/O), while we still allow other chips to pass through +nand_shutdown(). + +Original report: +http://thread.gmane.org/gmane.linux.drivers.mtd/59726 +http://lists.infradead.org/pipermail/linux-mtd/2015-July/059992.html + +Fixes: 72ea403669c7 ("mtd: nand: added nand_shutdown") +Reported-by: Andrew E. Mileski +Signed-off-by: Brian Norris +Cc: Scott Branden +Cc: Andrew E. Mileski +Acked-by: Scott Branden +Reviewed-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/nand_base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/nand/nand_base.c ++++ b/drivers/mtd/nand/nand_base.c +@@ -2964,7 +2964,7 @@ static void nand_resume(struct mtd_info + */ + static void nand_shutdown(struct mtd_info *mtd) + { +- nand_get_device(mtd, FL_SHUTDOWN); ++ nand_get_device(mtd, FL_PM_SUSPENDED); + } + + /* Set default functions */ diff --git a/queue-4.3/mtd-ubi-don-t-leak-e-if-schedule_erase-fails.patch b/queue-4.3/mtd-ubi-don-t-leak-e-if-schedule_erase-fails.patch new file mode 100644 index 00000000000..7564e3171ea --- /dev/null +++ b/queue-4.3/mtd-ubi-don-t-leak-e-if-schedule_erase-fails.patch @@ -0,0 +1,31 @@ +From 6b238de189f69dc77d660d4cce62eed15547f4c3 Mon Sep 17 00:00:00 2001 +From: Sebastian Siewior +Date: Thu, 26 Nov 2015 21:23:49 +0100 +Subject: mtd: ubi: don't leak e if schedule_erase() fails + +From: Sebastian Siewior + +commit 6b238de189f69dc77d660d4cce62eed15547f4c3 upstream. + +If __erase_worker() fails to erase the EB and schedule_erase() fails as +well to do anything about it then we go RO. But that is not a reason to +leak the e argument here. Therefore clean up e. + +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/ubi/wl.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mtd/ubi/wl.c ++++ b/drivers/mtd/ubi/wl.c +@@ -1060,6 +1060,7 @@ static int __erase_worker(struct ubi_dev + /* Re-schedule the LEB for erasure */ + err1 = schedule_erase(ubi, e, vol_id, lnum, 0); + if (err1) { ++ wl_entry_destroy(ubi, e); + err = err1; + goto out_ro; + } diff --git a/queue-4.3/mtd-ubi-fixup-error-correction-in-do_sync_erase.patch b/queue-4.3/mtd-ubi-fixup-error-correction-in-do_sync_erase.patch new file mode 100644 index 00000000000..36442c7d179 --- /dev/null +++ b/queue-4.3/mtd-ubi-fixup-error-correction-in-do_sync_erase.patch @@ -0,0 +1,141 @@ +From 1a31b20cd81d5cbc7ec6e24cb08066009a1ca32d Mon Sep 17 00:00:00 2001 +From: Sebastian Siewior +Date: Thu, 26 Nov 2015 21:23:48 +0100 +Subject: mtd: ubi: fixup error correction in do_sync_erase() + +From: Sebastian Siewior + +commit 1a31b20cd81d5cbc7ec6e24cb08066009a1ca32d upstream. + +Since fastmap we gained do_sync_erase(). This function can return an error +and its error handling isn't obvious. First the memory allocation for +struct ubi_work can fail and as such struct ubi_wl_entry is leaked. +However if the memory allocation succeeds then the tail function takes +care of the struct ubi_wl_entry. A free here could result in a double +free. +To make the error handling simpler, I split the tail function into one +piece which does the work and another which frees the struct ubi_work +which is passed as argument. As result do_sync_erase() can keep the +struct on stack and we get rid of one error source. + +Fixes: 8199b901a ("UBI: Add fastmap support to the WL sub-system") +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/ubi/wl.c | 52 +++++++++++++++++++++++++++------------------------ + 1 file changed, 28 insertions(+), 24 deletions(-) + +--- a/drivers/mtd/ubi/wl.c ++++ b/drivers/mtd/ubi/wl.c +@@ -603,6 +603,7 @@ static int schedule_erase(struct ubi_dev + return 0; + } + ++static int __erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk); + /** + * do_sync_erase - run the erase worker synchronously. + * @ubi: UBI device description object +@@ -615,20 +616,16 @@ static int schedule_erase(struct ubi_dev + static int do_sync_erase(struct ubi_device *ubi, struct ubi_wl_entry *e, + int vol_id, int lnum, int torture) + { +- struct ubi_work *wl_wrk; ++ struct ubi_work wl_wrk; + + dbg_wl("sync erase of PEB %i", e->pnum); + +- wl_wrk = kmalloc(sizeof(struct ubi_work), GFP_NOFS); +- if (!wl_wrk) +- return -ENOMEM; +- +- wl_wrk->e = e; +- wl_wrk->vol_id = vol_id; +- wl_wrk->lnum = lnum; +- wl_wrk->torture = torture; ++ wl_wrk.e = e; ++ wl_wrk.vol_id = vol_id; ++ wl_wrk.lnum = lnum; ++ wl_wrk.torture = torture; + +- return erase_worker(ubi, wl_wrk, 0); ++ return __erase_worker(ubi, &wl_wrk); + } + + /** +@@ -1014,7 +1011,7 @@ out_unlock: + } + + /** +- * erase_worker - physical eraseblock erase worker function. ++ * __erase_worker - physical eraseblock erase worker function. + * @ubi: UBI device description object + * @wl_wrk: the work object + * @shutdown: non-zero if the worker has to free memory and exit +@@ -1025,8 +1022,7 @@ out_unlock: + * needed. Returns zero in case of success and a negative error code in case of + * failure. + */ +-static int erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk, +- int shutdown) ++static int __erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk) + { + struct ubi_wl_entry *e = wl_wrk->e; + int pnum = e->pnum; +@@ -1034,21 +1030,11 @@ static int erase_worker(struct ubi_devic + int lnum = wl_wrk->lnum; + int err, available_consumed = 0; + +- if (shutdown) { +- dbg_wl("cancel erasure of PEB %d EC %d", pnum, e->ec); +- kfree(wl_wrk); +- wl_entry_destroy(ubi, e); +- return 0; +- } +- + dbg_wl("erase PEB %d EC %d LEB %d:%d", + pnum, e->ec, wl_wrk->vol_id, wl_wrk->lnum); + + err = sync_erase(ubi, e, wl_wrk->torture); + if (!err) { +- /* Fine, we've erased it successfully */ +- kfree(wl_wrk); +- + spin_lock(&ubi->wl_lock); + wl_tree_add(e, &ubi->free); + ubi->free_count++; +@@ -1066,7 +1052,6 @@ static int erase_worker(struct ubi_devic + } + + ubi_err(ubi, "failed to erase PEB %d, error %d", pnum, err); +- kfree(wl_wrk); + + if (err == -EINTR || err == -ENOMEM || err == -EAGAIN || + err == -EBUSY) { +@@ -1150,6 +1135,25 @@ out_ro: + return err; + } + ++static int erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk, ++ int shutdown) ++{ ++ int ret; ++ ++ if (shutdown) { ++ struct ubi_wl_entry *e = wl_wrk->e; ++ ++ dbg_wl("cancel erasure of PEB %d EC %d", e->pnum, e->ec); ++ kfree(wl_wrk); ++ wl_entry_destroy(ubi, e); ++ return 0; ++ } ++ ++ ret = __erase_worker(ubi, wl_wrk); ++ kfree(wl_wrk); ++ return ret; ++} ++ + /** + * ubi_wl_put_peb - return a PEB to the wear-leveling sub-system. + * @ubi: UBI device description object diff --git a/queue-4.3/parisc-drop-unused-madv_xxxk_pages-flags-from-asm-mman.h.patch b/queue-4.3/parisc-drop-unused-madv_xxxk_pages-flags-from-asm-mman.h.patch new file mode 100644 index 00000000000..7bf0e348911 --- /dev/null +++ b/queue-4.3/parisc-drop-unused-madv_xxxk_pages-flags-from-asm-mman.h.patch @@ -0,0 +1,38 @@ +From dcbf0d299c00ed4f82ea8d6e359ad88a5182f9b8 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sun, 22 Nov 2015 12:14:14 +0100 +Subject: parisc: Drop unused MADV_xxxK_PAGES flags from asm/mman.h + +From: Helge Deller + +commit dcbf0d299c00ed4f82ea8d6e359ad88a5182f9b8 upstream. + +Drop the MADV_xxK_PAGES flags, which were never used and were from a proposed +API which was never integrated into the generic Linux kernel code. + +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/include/uapi/asm/mman.h | 10 ---------- + 1 file changed, 10 deletions(-) + +--- a/arch/parisc/include/uapi/asm/mman.h ++++ b/arch/parisc/include/uapi/asm/mman.h +@@ -46,16 +46,6 @@ + #define MADV_DONTFORK 10 /* don't inherit across fork */ + #define MADV_DOFORK 11 /* do inherit across fork */ + +-/* The range 12-64 is reserved for page size specification. */ +-#define MADV_4K_PAGES 12 /* Use 4K pages */ +-#define MADV_16K_PAGES 14 /* Use 16K pages */ +-#define MADV_64K_PAGES 16 /* Use 64K pages */ +-#define MADV_256K_PAGES 18 /* Use 256K pages */ +-#define MADV_1M_PAGES 20 /* Use 1 Megabyte pages */ +-#define MADV_4M_PAGES 22 /* Use 4 Megabyte pages */ +-#define MADV_16M_PAGES 24 /* Use 16 Megabyte pages */ +-#define MADV_64M_PAGES 26 /* Use 64 Megabyte pages */ +- + #define MADV_MERGEABLE 65 /* KSM may merge identical pages */ + #define MADV_UNMERGEABLE 66 /* KSM may not merge identical pages */ + diff --git a/queue-4.3/parisc-fix-__arch_si_preamble_size.patch b/queue-4.3/parisc-fix-__arch_si_preamble_size.patch new file mode 100644 index 00000000000..7b2b873fb0f --- /dev/null +++ b/queue-4.3/parisc-fix-__arch_si_preamble_size.patch @@ -0,0 +1,38 @@ +From e60fc5aa608eb38b47ba4ee058f306f739eb70a0 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sun, 10 Jan 2016 09:30:42 +0100 +Subject: parisc: Fix __ARCH_SI_PREAMBLE_SIZE + +From: Helge Deller + +commit e60fc5aa608eb38b47ba4ee058f306f739eb70a0 upstream. + +On a 64bit kernel build the compiler aligns the _sifields union in the +struct siginfo_t on a 64bit address. The __ARCH_SI_PREAMBLE_SIZE define +compensates for this alignment and thus fixes the wait testcase of the +strace package. + +The symptoms of a wrong __ARCH_SI_PREAMBLE_SIZE value is that +_sigchld.si_stime variable is missed to be copied and thus after a +copy_siginfo() will have uninitialized values. + +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/include/uapi/asm/siginfo.h | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/parisc/include/uapi/asm/siginfo.h ++++ b/arch/parisc/include/uapi/asm/siginfo.h +@@ -1,6 +1,10 @@ + #ifndef _PARISC_SIGINFO_H + #define _PARISC_SIGINFO_H + ++#if defined(__LP64__) ++#define __ARCH_SI_PREAMBLE_SIZE (4 * sizeof(int)) ++#endif ++ + #include + + #undef NSIGTRAP diff --git a/queue-4.3/parisc-fix-syscall-restarts.patch b/queue-4.3/parisc-fix-syscall-restarts.patch new file mode 100644 index 00000000000..c10ae42e67a --- /dev/null +++ b/queue-4.3/parisc-fix-syscall-restarts.patch @@ -0,0 +1,130 @@ +From 71a71fb5374a23be36a91981b5614590b9e722c3 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Mon, 21 Dec 2015 10:03:30 +0100 +Subject: parisc: Fix syscall restarts + +From: Helge Deller + +commit 71a71fb5374a23be36a91981b5614590b9e722c3 upstream. + +On parisc syscalls which are interrupted by signals sometimes failed to +restart and instead returned -ENOSYS which in the worst case lead to +userspace crashes. +A similiar problem existed on MIPS and was fixed by commit e967ef02 +("MIPS: Fix restart of indirect syscalls"). + +On parisc the current syscall restart code assumes that all syscall +callers load the syscall number in the delay slot of the ble +instruction. That's how it is e.g. done in the unistd.h header file: + ble 0x100(%sr2, %r0) + ldi #syscall_nr, %r20 +Because of that assumption the current code never restored %r20 before +returning to userspace. + +This assumption is at least not true for code which uses the glibc +syscall() function, which instead uses this syntax: + ble 0x100(%sr2, %r0) + copy regX, %r20 +where regX depend on how the compiler optimizes the code and register +usage. + +This patch fixes this problem by adding code to analyze how the syscall +number is loaded in the delay branch and - if needed - copy the syscall +number to regX prior returning to userspace for the syscall restart. + +Signed-off-by: Helge Deller +Cc: Mathieu Desnoyers +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/signal.c | 64 +++++++++++++++++++++++++++++++++++--------- + 1 file changed, 52 insertions(+), 12 deletions(-) + +--- a/arch/parisc/kernel/signal.c ++++ b/arch/parisc/kernel/signal.c +@@ -435,6 +435,55 @@ handle_signal(struct ksignal *ksig, stru + regs->gr[28]); + } + ++/* ++ * Check how the syscall number gets loaded into %r20 within ++ * the delay branch in userspace and adjust as needed. ++ */ ++ ++static void check_syscallno_in_delay_branch(struct pt_regs *regs) ++{ ++ u32 opcode, source_reg; ++ u32 __user *uaddr; ++ int err; ++ ++ /* Usually we don't have to restore %r20 (the system call number) ++ * because it gets loaded in the delay slot of the branch external ++ * instruction via the ldi instruction. ++ * In some cases a register-to-register copy instruction might have ++ * been used instead, in which case we need to copy the syscall ++ * number into the source register before returning to userspace. ++ */ ++ ++ /* A syscall is just a branch, so all we have to do is fiddle the ++ * return pointer so that the ble instruction gets executed again. ++ */ ++ regs->gr[31] -= 8; /* delayed branching */ ++ ++ /* Get assembler opcode of code in delay branch */ ++ uaddr = (unsigned int *) ((regs->gr[31] & ~3) + 4); ++ err = get_user(opcode, uaddr); ++ if (err) ++ return; ++ ++ /* Check if delay branch uses "ldi int,%r20" */ ++ if ((opcode & 0xffff0000) == 0x34140000) ++ return; /* everything ok, just return */ ++ ++ /* Check if delay branch uses "nop" */ ++ if (opcode == INSN_NOP) ++ return; ++ ++ /* Check if delay branch uses "copy %rX,%r20" */ ++ if ((opcode & 0xffe0ffff) == 0x08000254) { ++ source_reg = (opcode >> 16) & 31; ++ regs->gr[source_reg] = regs->gr[20]; ++ return; ++ } ++ ++ pr_warn("syscall restart: %s (pid %d): unexpected opcode 0x%08x\n", ++ current->comm, task_pid_nr(current), opcode); ++} ++ + static inline void + syscall_restart(struct pt_regs *regs, struct k_sigaction *ka) + { +@@ -457,10 +506,7 @@ syscall_restart(struct pt_regs *regs, st + } + /* fallthrough */ + case -ERESTARTNOINTR: +- /* A syscall is just a branch, so all +- * we have to do is fiddle the return pointer. +- */ +- regs->gr[31] -= 8; /* delayed branching */ ++ check_syscallno_in_delay_branch(regs); + break; + } + } +@@ -510,15 +556,9 @@ insert_restart_trampoline(struct pt_regs + } + case -ERESTARTNOHAND: + case -ERESTARTSYS: +- case -ERESTARTNOINTR: { +- /* Hooray for delayed branching. We don't +- * have to restore %r20 (the system call +- * number) because it gets loaded in the delay +- * slot of the branch external instruction. +- */ +- regs->gr[31] -= 8; ++ case -ERESTARTNOINTR: ++ check_syscallno_in_delay_branch(regs); + return; +- } + default: + break; + } diff --git a/queue-4.3/parisc-fixes-and-cleanups-in-kernel-uapi-header-files.patch b/queue-4.3/parisc-fixes-and-cleanups-in-kernel-uapi-header-files.patch new file mode 100644 index 00000000000..b9ded435753 --- /dev/null +++ b/queue-4.3/parisc-fixes-and-cleanups-in-kernel-uapi-header-files.patch @@ -0,0 +1,198 @@ +From d0cf62fb63f760e98244d31396b3b58f3a1e326b Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Fri, 6 Nov 2015 23:36:01 +0100 +Subject: parisc: Fixes and cleanups in kernel uapi header files + +From: Helge Deller + +commit d0cf62fb63f760e98244d31396b3b58f3a1e326b upstream. + +This patch fixes some bugs and partly cleans up the parisc uapi header +files to what glibc defined: +- compat_semid64_ds was wrong and did not take the endianess into + account +- ipc64_perm exported userspace types which broke building userspace + packages on debian (e.g. trinity) +- ipc64_perm needs to use a 32bit mode_t on 64bit kernel +- msqid64_ds and semid64_ds needs unsigned longs for various struct members +- shmid64_ds exported size_t instead of __kernel_size_t + +And finally add some compile-time checks for the sizes of those structs +to avoid future breakage. + +Runtime-tested with the Linux Test Project (LTP) testsuite. + +Reviewed-by: Arnd Bergmann +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/include/asm/compat.h | 4 ++-- + arch/parisc/include/uapi/asm/ipcbuf.h | 19 ++++++++++++------- + arch/parisc/include/uapi/asm/msgbuf.h | 10 +++++----- + arch/parisc/include/uapi/asm/posix_types.h | 2 ++ + arch/parisc/include/uapi/asm/sembuf.h | 6 +++--- + arch/parisc/include/uapi/asm/shmbuf.h | 8 ++++---- + arch/parisc/mm/init.c | 16 ++++++++++++++++ + 7 files changed, 44 insertions(+), 21 deletions(-) + +--- a/arch/parisc/include/asm/compat.h ++++ b/arch/parisc/include/asm/compat.h +@@ -206,10 +206,10 @@ struct compat_ipc64_perm { + + struct compat_semid64_ds { + struct compat_ipc64_perm sem_perm; +- compat_time_t sem_otime; + unsigned int __unused1; +- compat_time_t sem_ctime; ++ compat_time_t sem_otime; + unsigned int __unused2; ++ compat_time_t sem_ctime; + compat_ulong_t sem_nsems; + compat_ulong_t __unused3; + compat_ulong_t __unused4; +--- a/arch/parisc/include/uapi/asm/ipcbuf.h ++++ b/arch/parisc/include/uapi/asm/ipcbuf.h +@@ -1,6 +1,9 @@ + #ifndef __PARISC_IPCBUF_H__ + #define __PARISC_IPCBUF_H__ + ++#include ++#include ++ + /* + * The ipc64_perm structure for PA-RISC is almost identical to + * kern_ipc_perm as we have always had 32-bit UIDs and GIDs in the kernel. +@@ -10,16 +13,18 @@ + + struct ipc64_perm + { +- key_t key; +- uid_t uid; +- gid_t gid; +- uid_t cuid; +- gid_t cgid; ++ __kernel_key_t key; ++ __kernel_uid_t uid; ++ __kernel_gid_t gid; ++ __kernel_uid_t cuid; ++ __kernel_gid_t cgid; ++#if __BITS_PER_LONG != 64 + unsigned short int __pad1; +- mode_t mode; ++#endif ++ __kernel_mode_t mode; + unsigned short int __pad2; + unsigned short int seq; +- unsigned int __pad3; ++ unsigned int __pad3; + unsigned long long int __unused1; + unsigned long long int __unused2; + }; +--- a/arch/parisc/include/uapi/asm/msgbuf.h ++++ b/arch/parisc/include/uapi/asm/msgbuf.h +@@ -27,13 +27,13 @@ struct msqid64_ds { + unsigned int __pad3; + #endif + __kernel_time_t msg_ctime; /* last change time */ +- unsigned int msg_cbytes; /* current number of bytes on queue */ +- unsigned int msg_qnum; /* number of messages in queue */ +- unsigned int msg_qbytes; /* max number of bytes on queue */ ++ unsigned long msg_cbytes; /* current number of bytes on queue */ ++ unsigned long msg_qnum; /* number of messages in queue */ ++ unsigned long msg_qbytes; /* max number of bytes on queue */ + __kernel_pid_t msg_lspid; /* pid of last msgsnd */ + __kernel_pid_t msg_lrpid; /* last receive pid */ +- unsigned int __unused1; +- unsigned int __unused2; ++ unsigned long __unused1; ++ unsigned long __unused2; + }; + + #endif /* _PARISC_MSGBUF_H */ +--- a/arch/parisc/include/uapi/asm/posix_types.h ++++ b/arch/parisc/include/uapi/asm/posix_types.h +@@ -7,8 +7,10 @@ + * assume GCC is being used. + */ + ++#ifndef __LP64__ + typedef unsigned short __kernel_mode_t; + #define __kernel_mode_t __kernel_mode_t ++#endif + + typedef unsigned short __kernel_ipc_pid_t; + #define __kernel_ipc_pid_t __kernel_ipc_pid_t +--- a/arch/parisc/include/uapi/asm/sembuf.h ++++ b/arch/parisc/include/uapi/asm/sembuf.h +@@ -23,9 +23,9 @@ struct semid64_ds { + unsigned int __pad2; + #endif + __kernel_time_t sem_ctime; /* last change time */ +- unsigned int sem_nsems; /* no. of semaphores in array */ +- unsigned int __unused1; +- unsigned int __unused2; ++ unsigned long sem_nsems; /* no. of semaphores in array */ ++ unsigned long __unused1; ++ unsigned long __unused2; + }; + + #endif /* _PARISC_SEMBUF_H */ +--- a/arch/parisc/include/uapi/asm/shmbuf.h ++++ b/arch/parisc/include/uapi/asm/shmbuf.h +@@ -30,12 +30,12 @@ struct shmid64_ds { + #if __BITS_PER_LONG != 64 + unsigned int __pad4; + #endif +- size_t shm_segsz; /* size of segment (bytes) */ ++ __kernel_size_t shm_segsz; /* size of segment (bytes) */ + __kernel_pid_t shm_cpid; /* pid of creator */ + __kernel_pid_t shm_lpid; /* pid of last operator */ +- unsigned int shm_nattch; /* no. of current attaches */ +- unsigned int __unused1; +- unsigned int __unused2; ++ unsigned long shm_nattch; /* no. of current attaches */ ++ unsigned long __unused1; ++ unsigned long __unused2; + }; + + struct shminfo64 { +--- a/arch/parisc/mm/init.c ++++ b/arch/parisc/mm/init.c +@@ -23,6 +23,7 @@ + #include + #include /* for node_online_map */ + #include /* for release_pages and page_cache_release */ ++#include + + #include + #include +@@ -30,6 +31,7 @@ + #include + #include + #include ++#include + + extern int data_start; + extern void parisc_kernel_start(void); /* Kernel entry point in head.S */ +@@ -590,6 +592,20 @@ unsigned long pcxl_dma_start __read_most + + void __init mem_init(void) + { ++ /* Do sanity checks on IPC (compat) structures */ ++ BUILD_BUG_ON(sizeof(struct ipc64_perm) != 48); ++#ifndef CONFIG_64BIT ++ BUILD_BUG_ON(sizeof(struct semid64_ds) != 80); ++ BUILD_BUG_ON(sizeof(struct msqid64_ds) != 104); ++ BUILD_BUG_ON(sizeof(struct shmid64_ds) != 104); ++#endif ++#ifdef CONFIG_COMPAT ++ BUILD_BUG_ON(sizeof(struct compat_ipc64_perm) != sizeof(struct ipc64_perm)); ++ BUILD_BUG_ON(sizeof(struct compat_semid64_ds) != 80); ++ BUILD_BUG_ON(sizeof(struct compat_msqid64_ds) != 104); ++ BUILD_BUG_ON(sizeof(struct compat_shmid64_ds) != 104); ++#endif ++ + /* Do sanity checks on page table constants */ + BUILD_BUG_ON(PTE_ENTRY_SIZE != sizeof(pte_t)); + BUILD_BUG_ON(PMD_ENTRY_SIZE != sizeof(pmd_t)); diff --git a/queue-4.3/pci-fix-minimum-allocation-address-overwrite.patch b/queue-4.3/pci-fix-minimum-allocation-address-overwrite.patch new file mode 100644 index 00000000000..7bbd9d96442 --- /dev/null +++ b/queue-4.3/pci-fix-minimum-allocation-address-overwrite.patch @@ -0,0 +1,52 @@ +From 3460baa620685c20f5ee19afb6d99d26150c382c Mon Sep 17 00:00:00 2001 +From: Christoph Biedl +Date: Wed, 23 Dec 2015 16:51:57 +0100 +Subject: PCI: Fix minimum allocation address overwrite + +From: Christoph Biedl + +commit 3460baa620685c20f5ee19afb6d99d26150c382c upstream. + +Commit 36e097a8a297 ("PCI: Split out bridge window override of minimum +allocation address") claimed to do no functional changes but unfortunately +did: The "min" variable is altered. At least the AVM A1 PCMCIA adapter was +no longer detected, breaking ISDN operation. + +Use a local copy of "min" to restore the previous behaviour. + +[bhelgaas: avoid gcc "?:" extension for portability and readability] +Fixes: 36e097a8a297 ("PCI: Split out bridge window override of minimum allocation address") +Signed-off-by: Christoph Biedl +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/bus.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/pci/bus.c ++++ b/drivers/pci/bus.c +@@ -140,6 +140,8 @@ static int pci_bus_alloc_from_region(str + type_mask |= IORESOURCE_TYPE_BITS; + + pci_bus_for_each_resource(bus, r, i) { ++ resource_size_t min_used = min; ++ + if (!r) + continue; + +@@ -163,12 +165,12 @@ static int pci_bus_alloc_from_region(str + * overrides "min". + */ + if (avail.start) +- min = avail.start; ++ min_used = avail.start; + + max = avail.end; + + /* Ok, try it out.. */ +- ret = allocate_resource(r, res, size, min, max, ++ ret = allocate_resource(r, res, size, min_used, max, + align, alignf, alignf_data); + if (ret == 0) + return 0; diff --git a/queue-4.3/pci-host-mark-pcie-pci-msi-irq-cascade-handlers-as-irqf_no_thread.patch b/queue-4.3/pci-host-mark-pcie-pci-msi-irq-cascade-handlers-as-irqf_no_thread.patch new file mode 100644 index 00000000000..2485b4b9415 --- /dev/null +++ b/queue-4.3/pci-host-mark-pcie-pci-msi-irq-cascade-handlers-as-irqf_no_thread.patch @@ -0,0 +1,160 @@ +From 8ff0ef996ca00028519c70e8d51d32bd37eb51dc Mon Sep 17 00:00:00 2001 +From: Grygorii Strashko +Date: Thu, 10 Dec 2015 21:18:20 +0200 +Subject: PCI: host: Mark PCIe/PCI (MSI) IRQ cascade handlers as IRQF_NO_THREAD +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Grygorii Strashko + +commit 8ff0ef996ca00028519c70e8d51d32bd37eb51dc upstream. + +On -RT and if kernel is booting with "threadirqs" cmd line parameter, +PCIe/PCI (MSI) IRQ cascade handlers (like dra7xx_pcie_msi_irq_handler()) +will be forced threaded and, as result, will generate warnings like this: + + WARNING: CPU: 1 PID: 82 at kernel/irq/handle.c:150 handle_irq_event_percpu+0x14c/0x174() + irq 460 handler irq_default_primary_handler+0x0/0x14 enabled interrupts + Backtrace: + (warn_slowpath_common) from (warn_slowpath_fmt+0x38/0x40) + (warn_slowpath_fmt) from (handle_irq_event_percpu+0x14c/0x174) + (handle_irq_event_percpu) from (handle_irq_event+0x84/0xb8) + (handle_irq_event) from (handle_simple_irq+0x90/0x118) + (handle_simple_irq) from (generic_handle_irq+0x30/0x44) + (generic_handle_irq) from (dra7xx_pcie_msi_irq_handler+0x7c/0x8c) + (dra7xx_pcie_msi_irq_handler) from (irq_forced_thread_fn+0x28/0x5c) + (irq_forced_thread_fn) from (irq_thread+0x128/0x204) + +This happens because all of them invoke generic_handle_irq() from the +requested handler. generic_handle_irq() grabs raw_locks and thus needs to +run in raw-IRQ context. + +This issue was originally reproduced on TI dra7-evem, but, as was +identified during discussion [1], other hosts can also suffer from this +issue. Fix all them at once by marking PCIe/PCI (MSI) IRQ cascade handlers +IRQF_NO_THREAD explicitly. + +[1] http://lkml.kernel.org/r/1448027966-21610-1-git-send-email-grygorii.strashko@ti.com + +[bhelgaas: add stable tag, fix typos] +Signed-off-by: Grygorii Strashko +Signed-off-by: Bjorn Helgaas +Acked-by: Lucas Stach (for imx6) +CC: Kishon Vijay Abraham I +CC: Jingoo Han +CC: Kukjin Kim +CC: Krzysztof Kozlowski +CC: Richard Zhu +CC: Thierry Reding +CC: Stephen Warren +CC: Alexandre Courbot +CC: Simon Horman +CC: Pratyush Anand +CC: Michal Simek +CC: "Sören Brinkmann" +CC: Sebastian Andrzej Siewior +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/host/pci-dra7xx.c | 3 ++- + drivers/pci/host/pci-exynos.c | 3 ++- + drivers/pci/host/pci-imx6.c | 3 ++- + drivers/pci/host/pci-tegra.c | 2 +- + drivers/pci/host/pcie-rcar.c | 6 ++++-- + drivers/pci/host/pcie-spear13xx.c | 3 ++- + drivers/pci/host/pcie-xilinx.c | 3 ++- + 7 files changed, 15 insertions(+), 8 deletions(-) + +--- a/drivers/pci/host/pci-dra7xx.c ++++ b/drivers/pci/host/pci-dra7xx.c +@@ -295,7 +295,8 @@ static int __init dra7xx_add_pcie_port(s + } + + ret = devm_request_irq(&pdev->dev, pp->irq, +- dra7xx_pcie_msi_irq_handler, IRQF_SHARED, ++ dra7xx_pcie_msi_irq_handler, ++ IRQF_SHARED | IRQF_NO_THREAD, + "dra7-pcie-msi", pp); + if (ret) { + dev_err(&pdev->dev, "failed to request irq\n"); +--- a/drivers/pci/host/pci-exynos.c ++++ b/drivers/pci/host/pci-exynos.c +@@ -523,7 +523,8 @@ static int __init exynos_add_pcie_port(s + + ret = devm_request_irq(&pdev->dev, pp->msi_irq, + exynos_pcie_msi_irq_handler, +- IRQF_SHARED, "exynos-pcie", pp); ++ IRQF_SHARED | IRQF_NO_THREAD, ++ "exynos-pcie", pp); + if (ret) { + dev_err(&pdev->dev, "failed to request msi irq\n"); + return ret; +--- a/drivers/pci/host/pci-imx6.c ++++ b/drivers/pci/host/pci-imx6.c +@@ -536,7 +536,8 @@ static int __init imx6_add_pcie_port(str + + ret = devm_request_irq(&pdev->dev, pp->msi_irq, + imx6_pcie_msi_handler, +- IRQF_SHARED, "mx6-pcie-msi", pp); ++ IRQF_SHARED | IRQF_NO_THREAD, ++ "mx6-pcie-msi", pp); + if (ret) { + dev_err(&pdev->dev, "failed to request MSI irq\n"); + return -ENODEV; +--- a/drivers/pci/host/pci-tegra.c ++++ b/drivers/pci/host/pci-tegra.c +@@ -1288,7 +1288,7 @@ static int tegra_pcie_enable_msi(struct + + msi->irq = err; + +- err = request_irq(msi->irq, tegra_pcie_msi_irq, 0, ++ err = request_irq(msi->irq, tegra_pcie_msi_irq, IRQF_NO_THREAD, + tegra_msi_irq_chip.name, pcie); + if (err < 0) { + dev_err(&pdev->dev, "failed to request IRQ: %d\n", err); +--- a/drivers/pci/host/pcie-rcar.c ++++ b/drivers/pci/host/pcie-rcar.c +@@ -694,14 +694,16 @@ static int rcar_pcie_enable_msi(struct r + + /* Two irqs are for MSI, but they are also used for non-MSI irqs */ + err = devm_request_irq(&pdev->dev, msi->irq1, rcar_pcie_msi_irq, +- IRQF_SHARED, rcar_msi_irq_chip.name, pcie); ++ IRQF_SHARED | IRQF_NO_THREAD, ++ rcar_msi_irq_chip.name, pcie); + if (err < 0) { + dev_err(&pdev->dev, "failed to request IRQ: %d\n", err); + goto err; + } + + err = devm_request_irq(&pdev->dev, msi->irq2, rcar_pcie_msi_irq, +- IRQF_SHARED, rcar_msi_irq_chip.name, pcie); ++ IRQF_SHARED | IRQF_NO_THREAD, ++ rcar_msi_irq_chip.name, pcie); + if (err < 0) { + dev_err(&pdev->dev, "failed to request IRQ: %d\n", err); + goto err; +--- a/drivers/pci/host/pcie-spear13xx.c ++++ b/drivers/pci/host/pcie-spear13xx.c +@@ -281,7 +281,8 @@ static int spear13xx_add_pcie_port(struc + return -ENODEV; + } + ret = devm_request_irq(dev, pp->irq, spear13xx_pcie_irq_handler, +- IRQF_SHARED, "spear1340-pcie", pp); ++ IRQF_SHARED | IRQF_NO_THREAD, ++ "spear1340-pcie", pp); + if (ret) { + dev_err(dev, "failed to request irq %d\n", pp->irq); + return ret; +--- a/drivers/pci/host/pcie-xilinx.c ++++ b/drivers/pci/host/pcie-xilinx.c +@@ -781,7 +781,8 @@ static int xilinx_pcie_parse_dt(struct x + + port->irq = irq_of_parse_and_map(node, 0); + err = devm_request_irq(dev, port->irq, xilinx_pcie_intr_handler, +- IRQF_SHARED, "xilinx-pcie", port); ++ IRQF_SHARED | IRQF_NO_THREAD, ++ "xilinx-pcie", port); + if (err) { + dev_err(dev, "unable to request irq %d\n", port->irq); + return err; diff --git a/queue-4.3/pci-prevent-out-of-bounds-access-in-numa_node-override.patch b/queue-4.3/pci-prevent-out-of-bounds-access-in-numa_node-override.patch new file mode 100644 index 00000000000..ef32af4971e --- /dev/null +++ b/queue-4.3/pci-prevent-out-of-bounds-access-in-numa_node-override.patch @@ -0,0 +1,41 @@ +From 3dcc8d39cf15fa3ceabedcffcbd3958fe953555a Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Mon, 9 Nov 2015 20:00:27 +0100 +Subject: PCI: Prevent out of bounds access in numa_node override + +From: Mathias Krause + +commit 3dcc8d39cf15fa3ceabedcffcbd3958fe953555a upstream. + +Commit 1266963170f5 ("PCI: Prevent out of bounds access in numa_node +override") missed that the user-provided node could also be negative. +Handle this case as well to avoid out-of-bounds accesses to the +node_states[] array. However, allow the special value -1, i.e. +NUMA_NO_NODE, to be able to set the 'no specific node' configuration. + +Fixes: 1266963170f5 ("PCI: Prevent out of bounds access in numa_node override") +Fixes: 63692df103e9 ("PCI: Allow numa_node override via sysfs") +Signed-off-by: Mathias Krause +Signed-off-by: Bjorn Helgaas +CC: Sasha Levin +CC: Prarit Bhargava +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pci-sysfs.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -216,7 +216,10 @@ static ssize_t numa_node_store(struct de + if (ret) + return ret; + +- if (node >= MAX_NUMNODES || !node_online(node)) ++ if ((node < 0 && node != NUMA_NO_NODE) || node >= MAX_NUMNODES) ++ return -EINVAL; ++ ++ if (node != NUMA_NO_NODE && !node_online(node)) + return -EINVAL; + + add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK); diff --git a/queue-4.3/pci-set-sr-iov-numvfs-to-zero-after-enumeration.patch b/queue-4.3/pci-set-sr-iov-numvfs-to-zero-after-enumeration.patch new file mode 100644 index 00000000000..de69e93ae0f --- /dev/null +++ b/queue-4.3/pci-set-sr-iov-numvfs-to-zero-after-enumeration.patch @@ -0,0 +1,122 @@ +From ea9a8854161d9580cfabe011c0ae296ecc0e1d4f Mon Sep 17 00:00:00 2001 +From: Alexander Duyck +Date: Thu, 29 Oct 2015 16:20:50 -0500 +Subject: PCI: Set SR-IOV NumVFs to zero after enumeration + +From: Alexander Duyck + +commit ea9a8854161d9580cfabe011c0ae296ecc0e1d4f upstream. + +The enumeration path should leave NumVFs set to zero. But after +4449f079722c ("PCI: Calculate maximum number of buses required for VFs"), +we call virtfn_max_buses() in the enumeration path, which changes NumVFs. +This NumVFs change is visible via lspci and sysfs until a driver enables +SR-IOV. + +Iterate from TotalVFs down to zero so NumVFs is zero when we're finished +computing the maximum number of buses. Validate offset and stride in +the loop, so we can test it at every possible NumVFs setting. Rename +virtfn_max_buses() to compute_max_vf_buses() to hint that it does have a +side effect of updating iov->max_VF_buses. + +[bhelgaas: changelog, rename, allow numVF==1 && stride==0, rework loop, +reverse sense of error path] +Fixes: 4449f079722c ("PCI: Calculate maximum number of buses required for VFs") +Based-on-patch-by: Ethan Zhao +Signed-off-by: Alexander Duyck +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/iov.c | 41 ++++++++++++++++++++++------------------- + 1 file changed, 22 insertions(+), 19 deletions(-) + +--- a/drivers/pci/iov.c ++++ b/drivers/pci/iov.c +@@ -54,24 +54,29 @@ static inline void pci_iov_set_numvfs(st + * The PF consumes one bus number. NumVFs, First VF Offset, and VF Stride + * determine how many additional bus numbers will be consumed by VFs. + * +- * Iterate over all valid NumVFs and calculate the maximum number of bus +- * numbers that could ever be required. ++ * Iterate over all valid NumVFs, validate offset and stride, and calculate ++ * the maximum number of bus numbers that could ever be required. + */ +-static inline u8 virtfn_max_buses(struct pci_dev *dev) ++static int compute_max_vf_buses(struct pci_dev *dev) + { + struct pci_sriov *iov = dev->sriov; +- int nr_virtfn; +- u8 max = 0; +- int busnr; ++ int nr_virtfn, busnr, rc = 0; + +- for (nr_virtfn = 1; nr_virtfn <= iov->total_VFs; nr_virtfn++) { ++ for (nr_virtfn = iov->total_VFs; nr_virtfn; nr_virtfn--) { + pci_iov_set_numvfs(dev, nr_virtfn); ++ if (!iov->offset || (nr_virtfn > 1 && !iov->stride)) { ++ rc = -EIO; ++ goto out; ++ } ++ + busnr = pci_iov_virtfn_bus(dev, nr_virtfn - 1); +- if (busnr > max) +- max = busnr; ++ if (busnr > iov->max_VF_buses) ++ iov->max_VF_buses = busnr; + } + +- return max; ++out: ++ pci_iov_set_numvfs(dev, 0); ++ return rc; + } + + static struct pci_bus *virtfn_add_bus(struct pci_bus *bus, int busnr) +@@ -384,7 +389,7 @@ static int sriov_init(struct pci_dev *de + int rc; + int nres; + u32 pgsz; +- u16 ctrl, total, offset, stride; ++ u16 ctrl, total; + struct pci_sriov *iov; + struct resource *res; + struct pci_dev *pdev; +@@ -414,11 +419,6 @@ static int sriov_init(struct pci_dev *de + + found: + pci_write_config_word(dev, pos + PCI_SRIOV_CTRL, ctrl); +- pci_write_config_word(dev, pos + PCI_SRIOV_NUM_VF, 0); +- pci_read_config_word(dev, pos + PCI_SRIOV_VF_OFFSET, &offset); +- pci_read_config_word(dev, pos + PCI_SRIOV_VF_STRIDE, &stride); +- if (!offset || (total > 1 && !stride)) +- return -EIO; + + pci_read_config_dword(dev, pos + PCI_SRIOV_SUP_PGSIZE, &pgsz); + i = PAGE_SHIFT > 12 ? PAGE_SHIFT - 12 : 0; +@@ -456,8 +456,6 @@ found: + iov->nres = nres; + iov->ctrl = ctrl; + iov->total_VFs = total; +- iov->offset = offset; +- iov->stride = stride; + iov->pgsz = pgsz; + iov->self = dev; + pci_read_config_dword(dev, pos + PCI_SRIOV_CAP, &iov->cap); +@@ -474,10 +472,15 @@ found: + + dev->sriov = iov; + dev->is_physfn = 1; +- iov->max_VF_buses = virtfn_max_buses(dev); ++ rc = compute_max_vf_buses(dev); ++ if (rc) ++ goto fail_max_buses; + + return 0; + ++fail_max_buses: ++ dev->sriov = NULL; ++ dev->is_physfn = 0; + failed: + for (i = 0; i < PCI_SRIOV_NUM_BARS; i++) { + res = &dev->resource[i + PCI_IOV_RESOURCES]; diff --git a/queue-4.3/pci-spear-fix-dw_pcie_cfg_read-write-usage.patch b/queue-4.3/pci-spear-fix-dw_pcie_cfg_read-write-usage.patch new file mode 100644 index 00000000000..2ec528d499d --- /dev/null +++ b/queue-4.3/pci-spear-fix-dw_pcie_cfg_read-write-usage.patch @@ -0,0 +1,85 @@ +From fa3b7cbab548b15da438b0cc13aa515f7f291f4d Mon Sep 17 00:00:00 2001 +From: Gabriele Paoloni +Date: Thu, 8 Oct 2015 14:27:38 -0500 +Subject: PCI: spear: Fix dw_pcie_cfg_read/write() usage + +From: Gabriele Paoloni + +commit fa3b7cbab548b15da438b0cc13aa515f7f291f4d upstream. + +The first argument of dw_pcie_cfg_read/write() is a 32-bit aligned address. +The second argument is the byte offset into a 32-bit word, and +dw_pcie_cfg_read/write() only look at the low two bits. + +SPEAr13xx used dw_pcie_cfg_read() and dw_pcie_cfg_write() incorrectly: it +passed important address bits in the second argument, where they were +ignored. + +Pass the complete 32-bit word address in the first argument and only the +2-bit offset into that word in the second argument. + +Without this fix, SPEAr13xx host will never work with few buggy gen1 card +which connects with only gen1 host and also with any endpoint which would +generate a read request of more than 128 bytes. + +[bhelgaas: changelog] +Reported-by: Bjorn Helgaas +Signed-off-by: Pratyush Anand +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/host/pcie-spear13xx.c | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +--- a/drivers/pci/host/pcie-spear13xx.c ++++ b/drivers/pci/host/pcie-spear13xx.c +@@ -163,34 +163,36 @@ static int spear13xx_pcie_establish_link + * default value in capability register is 512 bytes. So force + * it to 128 here. + */ +- dw_pcie_cfg_read(pp->dbi_base, exp_cap_off + PCI_EXP_DEVCTL, 4, &val); ++ dw_pcie_cfg_read(pp->dbi_base + exp_cap_off + PCI_EXP_DEVCTL, ++ 0, 2, &val); + val &= ~PCI_EXP_DEVCTL_READRQ; +- dw_pcie_cfg_write(pp->dbi_base, exp_cap_off + PCI_EXP_DEVCTL, 4, val); ++ dw_pcie_cfg_write(pp->dbi_base + exp_cap_off + PCI_EXP_DEVCTL, ++ 0, 2, val); + +- dw_pcie_cfg_write(pp->dbi_base, PCI_VENDOR_ID, 2, 0x104A); +- dw_pcie_cfg_write(pp->dbi_base, PCI_DEVICE_ID, 2, 0xCD80); ++ dw_pcie_cfg_write(pp->dbi_base + PCI_VENDOR_ID, 0, 2, 0x104A); ++ dw_pcie_cfg_write(pp->dbi_base + PCI_VENDOR_ID, 2, 2, 0xCD80); + + /* + * if is_gen1 is set then handle it, so that some buggy card + * also works + */ + if (spear13xx_pcie->is_gen1) { +- dw_pcie_cfg_read(pp->dbi_base, exp_cap_off + PCI_EXP_LNKCAP, 4, +- &val); ++ dw_pcie_cfg_read(pp->dbi_base + exp_cap_off + PCI_EXP_LNKCAP, ++ 0, 4, &val); + if ((val & PCI_EXP_LNKCAP_SLS) != PCI_EXP_LNKCAP_SLS_2_5GB) { + val &= ~((u32)PCI_EXP_LNKCAP_SLS); + val |= PCI_EXP_LNKCAP_SLS_2_5GB; +- dw_pcie_cfg_write(pp->dbi_base, exp_cap_off + +- PCI_EXP_LNKCAP, 4, val); ++ dw_pcie_cfg_write(pp->dbi_base + exp_cap_off + ++ PCI_EXP_LNKCAP, 0, 4, val); + } + +- dw_pcie_cfg_read(pp->dbi_base, exp_cap_off + PCI_EXP_LNKCTL2, 4, +- &val); ++ dw_pcie_cfg_read(pp->dbi_base + exp_cap_off + PCI_EXP_LNKCTL2, ++ 0, 2, &val); + if ((val & PCI_EXP_LNKCAP_SLS) != PCI_EXP_LNKCAP_SLS_2_5GB) { + val &= ~((u32)PCI_EXP_LNKCAP_SLS); + val |= PCI_EXP_LNKCAP_SLS_2_5GB; +- dw_pcie_cfg_write(pp->dbi_base, exp_cap_off + +- PCI_EXP_LNKCTL2, 4, val); ++ dw_pcie_cfg_write(pp->dbi_base + exp_cap_off + ++ PCI_EXP_LNKCTL2, 0, 2, val); + } + } + diff --git a/queue-4.3/printk-prevent-userland-from-spoofing-kernel-messages.patch b/queue-4.3/printk-prevent-userland-from-spoofing-kernel-messages.patch new file mode 100644 index 00000000000..49ede598f59 --- /dev/null +++ b/queue-4.3/printk-prevent-userland-from-spoofing-kernel-messages.patch @@ -0,0 +1,87 @@ +From 3824657c522f19f85a76bd932821174a5557a382 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Fri, 6 Nov 2015 16:30:38 -0800 +Subject: printk: prevent userland from spoofing kernel messages + +From: Mathias Krause + +commit 3824657c522f19f85a76bd932821174a5557a382 upstream. + +The following statement of ABI/testing/dev-kmsg is not quite right: + + It is not possible to inject messages from userspace with the + facility number LOG_KERN (0), to make sure that the origin of the + messages can always be reliably determined. + +Userland actually can inject messages with a facility of 0 by abusing the +fact that the facility is stored in a u8 data type. By using a facility +which is a multiple of 256 the assignment of msg->facility in log_store() +implicitly truncates it to 0, i.e. LOG_KERN, allowing users of /dev/kmsg +to spoof kernel messages as shown below: + +The following call... + # printf '<%d>Kernel panic - not syncing: beer empty\n' 0 >/dev/kmsg +...leads to the following log entry (dmesg -x | tail -n 1): + user :emerg : [ 66.137758] Kernel panic - not syncing: beer empty + +However, this call... + # printf '<%d>Kernel panic - not syncing: beer empty\n' 0x800 >/dev/kmsg +...leads to the slightly different log entry (note the kernel facility): + kern :emerg : [ 74.177343] Kernel panic - not syncing: beer empty + +Fix that by limiting the user provided facility to 8 bit right from the +beginning and catch the truncation early. + +Fixes: 7ff9554bb578 ("printk: convert byte-buffer to variable-length...") +Signed-off-by: Mathias Krause +Cc: Greg Kroah-Hartman +Cc: Petr Mladek +Cc: Alex Elder +Cc: Joe Perches +Cc: Kay Sievers +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/printk/printk.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -269,6 +269,9 @@ static u32 clear_idx; + #define PREFIX_MAX 32 + #define LOG_LINE_MAX (1024 - PREFIX_MAX) + ++#define LOG_LEVEL(v) ((v) & 0x07) ++#define LOG_FACILITY(v) ((v) >> 3 & 0xff) ++ + /* record buffer */ + #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) + #define LOG_ALIGN 4 +@@ -611,7 +614,6 @@ struct devkmsg_user { + static ssize_t devkmsg_write(struct kiocb *iocb, struct iov_iter *from) + { + char *buf, *line; +- int i; + int level = default_message_loglevel; + int facility = 1; /* LOG_USER */ + size_t len = iov_iter_count(from); +@@ -641,12 +643,13 @@ static ssize_t devkmsg_write(struct kioc + line = buf; + if (line[0] == '<') { + char *endp = NULL; ++ unsigned int u; + +- i = simple_strtoul(line+1, &endp, 10); ++ u = simple_strtoul(line + 1, &endp, 10); + if (endp && endp[0] == '>') { +- level = i & 7; +- if (i >> 3) +- facility = i >> 3; ++ level = LOG_LEVEL(u); ++ if (LOG_FACILITY(u) != 0) ++ facility = LOG_FACILITY(u); + endp++; + len -= endp - line; + line = endp; diff --git a/queue-4.3/revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch b/queue-4.3/revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch new file mode 100644 index 00000000000..b6778e07268 --- /dev/null +++ b/queue-4.3/revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch @@ -0,0 +1,173 @@ +From 47796938c46b943d157ac8a6f9ed4e3b98b83cf4 Mon Sep 17 00:00:00 2001 +From: Mauricio Faria de Oliveira +Date: Thu, 29 Oct 2015 10:24:23 -0200 +Subject: Revert "dm mpath: fix stalls when handling invalid ioctls" + +From: Mauricio Faria de Oliveira + +commit 47796938c46b943d157ac8a6f9ed4e3b98b83cf4 upstream. + +This reverts commit a1989b330093578ea5470bea0a00f940c444c466. + +That commit introduced a regression at least for the case of the SG_IO ioctl() +running without CAP_SYS_RAWIO capability (e.g., unprivileged users) when there +are no active paths: the ioctl() fails with the ENOTTY errno immediately rather +than blocking due to queue_if_no_path until a path becomes active, for example. + +That case happens to be exercised by QEMU KVM guests with 'scsi-block' devices +(qemu "-device scsi-block" [1], libvirt "" [2]) +from multipath devices; which leads to SCSI/filesystem errors in such a guest. + +More general scenarios can hit that regression too. The following demonstration +employs a SG_IO ioctl() with a standard SCSI INQUIRY command for this objective +(some output & user changes omitted for brevity and comments added for clarity). + +Reverting that commit restores normal operation (queueing) in failing scenarios; +tested on linux-next (next-20151022). + +1) Test-case is based on sg_simple0 [3] (just SG_IO; remove SG_GET_VERSION_NUM) + + $ cat sg_simple0.c + ... see [3] ... + $ sed '/SG_GET_VERSION_NUM/,/}/d' sg_simple0.c > sgio_inquiry.c + $ gcc sgio_inquiry.c -o sgio_inquiry + +2) The ioctl() works fine with active paths present. + + # multipath -l 85ag56 + 85ag56 (...) dm-19 IBM ,2145 + size=60G features='1 queue_if_no_path' hwhandler='0' wp=rw + |-+- policy='service-time 0' prio=0 status=active + | |- 8:0:11:0 sdz 65:144 active undef running + | `- 9:0:9:0 sdbf 67:144 active undef running + `-+- policy='service-time 0' prio=0 status=enabled + |- 8:0:12:0 sdae 65:224 active undef running + `- 9:0:12:0 sdbo 68:32 active undef running + + $ ./sgio_inquiry /dev/mapper/85ag56 + Some of the INQUIRY command's response: + IBM 2145 0000 + INQUIRY duration=0 millisecs, resid=0 + +3) The ioctl() fails with ENOTTY errno with _no_ active paths present, + for unprivileged users (rather than blocking due to queue_if_no_path). + + # for path in $(multipath -l 85ag56 | grep -o 'sd[a-z]\+'); \ + do multipathd -k"fail path $path"; done + + # multipath -l 85ag56 + 85ag56 (...) dm-19 IBM ,2145 + size=60G features='1 queue_if_no_path' hwhandler='0' wp=rw + |-+- policy='service-time 0' prio=0 status=enabled + | |- 8:0:11:0 sdz 65:144 failed undef running + | `- 9:0:9:0 sdbf 67:144 failed undef running + `-+- policy='service-time 0' prio=0 status=enabled + |- 8:0:12:0 sdae 65:224 failed undef running + `- 9:0:12:0 sdbo 68:32 failed undef running + + $ ./sgio_inquiry /dev/mapper/85ag56 + sg_simple0: Inquiry SG_IO ioctl error: Inappropriate ioctl for device + +4) dmesg shows that scsi_verify_blk_ioctl() failed for SG_IO (0x2285); + it returns -ENOIOCTLCMD, later replaced with -ENOTTY in vfs_ioctl(). + + $ dmesg + <...> + [] device-mapper: multipath: Failing path 65:144. + [] device-mapper: multipath: Failing path 67:144. + [] device-mapper: multipath: Failing path 65:224. + [] device-mapper: multipath: Failing path 68:32. + [] sgio_inquiry: sending ioctl 2285 to a partition! + +5) The ioctl() only works if the SYS_CAP_RAWIO capability is present + (then queueing happens -- in this example, queue_if_no_path is set); + this is due to a conditional check in scsi_verify_blk_ioctl(). + + # capsh --drop=cap_sys_rawio -- -c './sgio_inquiry /dev/mapper/85ag56' + sg_simple0: Inquiry SG_IO ioctl error: Inappropriate ioctl for device + + # ./sgio_inquiry /dev/mapper/85ag56 & + [1] 72830 + + # cat /proc/72830/stack + [] 0xc00000171c0df700 + [] __switch_to+0x204/0x350 + [] msleep+0x5c/0x80 + [] dm_blk_ioctl+0x70/0x170 + [] blkdev_ioctl+0x2b0/0x9b0 + [] block_ioctl+0x64/0xd0 + [] do_vfs_ioctl+0x490/0x780 + [] SyS_ioctl+0xd4/0xf0 + [] system_call+0x38/0xd0 + +6) This is the function call chain exercised in this analysis: + +SYSCALL_DEFINE3(ioctl, <...>) @ fs/ioctl.c + -> do_vfs_ioctl() + -> vfs_ioctl() + ... + error = filp->f_op->unlocked_ioctl(filp, cmd, arg); + ... + -> dm_blk_ioctl() @ drivers/md/dm.c + -> multipath_ioctl() @ drivers/md/dm-mpath.c + ... + (bdev = NULL, due to no active paths) + ... + if (!bdev || <...>) { + int err = scsi_verify_blk_ioctl(NULL, cmd); + if (err) + r = err; + } + ... + -> scsi_verify_blk_ioctl() @ block/scsi_ioctl.c + ... + if (bd && bd == bd->bd_contains) // not taken (bd = NULL) + return 0; + ... + if (capable(CAP_SYS_RAWIO)) // not taken (unprivileged user) + return 0; + ... + printk_ratelimited(KERN_WARNING + "%s: sending ioctl %x to a partition!\n" <...>); + + return -ENOIOCTLCMD; + <- + ... + return r ? : <...> + <- + ... + if (error == -ENOIOCTLCMD) + error = -ENOTTY; + out: + return error; + ... + +Links: +[1] http://git.qemu.org/?p=qemu.git;a=commit;h=336a6915bc7089fb20fea4ba99972ad9a97c5f52 +[2] https://libvirt.org/formatdomain.html#elementsDisks (see 'disk' -> 'device') +[3] http://tldp.org/HOWTO/SCSI-Generic-HOWTO/pexample.html (Revision 1.2, 2002-05-03) + +Signed-off-by: Mauricio Faria de Oliveira +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-mpath.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/md/dm-mpath.c ++++ b/drivers/md/dm-mpath.c +@@ -1569,11 +1569,8 @@ static int multipath_ioctl(struct dm_tar + /* + * Only pass ioctls through if the device sizes match exactly. + */ +- if (!bdev || ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT) { +- int err = scsi_verify_blk_ioctl(NULL, cmd); +- if (err) +- r = err; +- } ++ if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT) ++ r = scsi_verify_blk_ioctl(NULL, cmd); + + if (r == -ENOTCONN && !fatal_signal_pending(current)) { + spin_lock_irqsave(&m->lock, flags); diff --git a/queue-4.3/revert-ivtv-avoid-going-past-input-audio-array.patch b/queue-4.3/revert-ivtv-avoid-going-past-input-audio-array.patch new file mode 100644 index 00000000000..167254b592d --- /dev/null +++ b/queue-4.3/revert-ivtv-avoid-going-past-input-audio-array.patch @@ -0,0 +1,37 @@ +From 823873481b2a17ce5900899f8ef85118f8407b67 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Wed, 11 Nov 2015 09:22:36 -0200 +Subject: [media] Revert "[media] ivtv: avoid going past input/audio array" + +From: Mauro Carvalho Chehab + +commit 823873481b2a17ce5900899f8ef85118f8407b67 upstream. + +This patch broke ivtv logic, as reported at + https://bugzilla.redhat.com/show_bug.cgi?id=1278942 + +This reverts commit 09290cc885937cab3b2d60a6d48fe3d2d3e04061. + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/pci/ivtv/ivtv-driver.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/pci/ivtv/ivtv-driver.c ++++ b/drivers/media/pci/ivtv/ivtv-driver.c +@@ -805,11 +805,11 @@ static void ivtv_init_struct2(struct ivt + { + int i; + +- for (i = 0; i < IVTV_CARD_MAX_VIDEO_INPUTS - 1; i++) ++ for (i = 0; i < IVTV_CARD_MAX_VIDEO_INPUTS; i++) + if (itv->card->video_inputs[i].video_type == 0) + break; + itv->nof_inputs = i; +- for (i = 0; i < IVTV_CARD_MAX_AUDIO_INPUTS - 1; i++) ++ for (i = 0; i < IVTV_CARD_MAX_AUDIO_INPUTS; i++) + if (itv->card->audio_inputs[i].audio_type == 0) + break; + itv->nof_audio_inputs = i; diff --git a/queue-4.3/series b/queue-4.3/series index 604aed1b32f..48bbfc39506 100644 --- a/queue-4.3/series +++ b/queue-4.3/series @@ -36,3 +36,59 @@ ocfs2-fix-bug-when-calculate-new-backup-super.patch ocfs2-dlm-ignore-cleaning-the-migration-mle-that-is-inuse.patch ocfs2-dlm-clear-refmap-bit-of-recovery-lock-while-doing-local-recovery-cleanup.patch sh64-fix-__nr_fgetxattr.patch +dm-initialize-non-blk-mq-queue-data-before-queue-is-used.patch +revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch +spi-omap2-mcspi-disable-other-channels-chconf_force-in-prepare_message.patch +spi-atmel-fix-dma-setup-for-transfers-with-more-than-8-bits-per-word.patch +spi-ti-qspi-fix-data-corruption-seen-on-r-w-stress-test.patch +spi-fix-parent-device-reference-leak.patch +wlcore-wl12xx-spi-fix-oops-on-firmware-load.patch +wlcore-wl12xx-spi-fix-null-pointer-dereference-oops.patch +spi-spi-xilinx-fix-race-condition-on-last-word-read.patch +tpm-tpm_crb-fix-unaligned-read-of-the-command-buffer-address.patch +vtpm-fix-memory-allocation-flag-for-rtce-buffer-at-kernel-boot.patch +tpm_tis-free-irq-after-probing.patch +tpm-revert-the-list-handling-logic-fixed-in-398a1e7.patch +integrity-prevent-loading-untrusted-certificates-on-the-ima-trusted-keyring.patch +mtd-mtdpart-fix-add_mtd_partitions-error-path.patch +mtd-blkdevs-fix-potential-deadlock-lockdep-warnings.patch +mtd-nand-fix-shutdown-reboot-for-multi-chip-systems.patch +mtd-jz4740_nand-fix-build-on-jz4740-after-removing-gpio.h.patch +mtd-ubi-fixup-error-correction-in-do_sync_erase.patch +mtd-ubi-don-t-leak-e-if-schedule_erase-fails.patch +pci-spear-fix-dw_pcie_cfg_read-write-usage.patch +pci-set-sr-iov-numvfs-to-zero-after-enumeration.patch +pci-prevent-out-of-bounds-access-in-numa_node-override.patch +pci-host-mark-pcie-pci-msi-irq-cascade-handlers-as-irqf_no_thread.patch +pci-fix-minimum-allocation-address-overwrite.patch +tracing-update-instance_rmdir-to-use-tracefs_remove_recursive.patch +tracing-fix-setting-of-start_index-in-find_next.patch +tracing-stacktrace-show-entire-trace-if-passed-in-function-not-found.patch +tracefs-fix-refcount-imbalance-in-start_creating.patch +jbd2-fix-checkpoint-list-cleanup.patch +jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch +jbd2-fix-null-committed-data-return-in-undo_access.patch +fix-calculation-of-meta_bg-descriptor-backups.patch +printk-prevent-userland-from-spoofing-kernel-messages.patch +parisc-fixes-and-cleanups-in-kernel-uapi-header-files.patch +parisc-drop-unused-madv_xxxk_pages-flags-from-asm-mman.h.patch +parisc-fix-syscall-restarts.patch +parisc-fix-__arch_si_preamble_size.patch +xtensa-fixes-for-configs-without-loop-option.patch +xtensa-fix-secondary-core-boot-in-smp.patch +i2c-at91-fix-write-transfers-by-clearing-pending-interrupt-first.patch +i2c-at91-manage-unexpected-rxrdy-flag-when-starting-a-transfer.patch +i2c-fix-wakeup-irq-parsing.patch +media-i2c-don-t-export-ir-kbd-i2c-module-alias.patch +i2c-mv64xxx-the-n-clockdiv-factor-is-0-based-on-sunxi-socs.patch +i2c-rk3x-populate-correct-variable-for-sda_falling_time.patch +i2c-rcar-disable-runtime-pm-correctly-in-slave-mode.patch +vivid-fix-iteration-in-driver-removal-path.patch +v4l2-compat-ioctl32-fix-alignment-for-arm64.patch +c8sectpfe-remove-select-on-config_fw_loader_user_helper_fallback.patch +v4l2-ctrls-arrays-are-also-considered-compound-controls.patch +media-v4l2-ctrls-fix-64bit-support-in-get_ctrl.patch +media-vb2-dma-contig-fully-cache-synchronise-buffers-in-prepare-and-finish.patch +media-vb2-dma-sg-fully-cache-synchronise-buffers-in-prepare-and-finish.patch +media-v4l2-ctrls-fix-setting-autocluster-to-manual-with-vidioc_s_ctrl.patch +revert-ivtv-avoid-going-past-input-audio-array.patch diff --git a/queue-4.3/spi-atmel-fix-dma-setup-for-transfers-with-more-than-8-bits-per-word.patch b/queue-4.3/spi-atmel-fix-dma-setup-for-transfers-with-more-than-8-bits-per-word.patch new file mode 100644 index 00000000000..59e8bfc01b8 --- /dev/null +++ b/queue-4.3/spi-atmel-fix-dma-setup-for-transfers-with-more-than-8-bits-per-word.patch @@ -0,0 +1,34 @@ +From 06515f83908d038d9e12ffa3dcca27a1b67f2de0 Mon Sep 17 00:00:00 2001 +From: David Mosberger-Tang +Date: Tue, 20 Oct 2015 14:26:47 +0200 +Subject: spi: atmel: Fix DMA-setup for transfers with more than 8 bits per word + +From: David Mosberger-Tang + +commit 06515f83908d038d9e12ffa3dcca27a1b67f2de0 upstream. + +The DMA-slave configuration depends on the whether <= 8 or > 8 bits +are transferred per word, so we need to call +atmel_spi_dma_slave_config() with the correct value. + +Signed-off-by: David Mosberger +Signed-off-by: Nicolas Ferre +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-atmel.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-atmel.c ++++ b/drivers/spi/spi-atmel.c +@@ -773,7 +773,8 @@ static int atmel_spi_next_xfer_dma_submi + + *plen = len; + +- if (atmel_spi_dma_slave_config(as, &slave_config, 8)) ++ if (atmel_spi_dma_slave_config(as, &slave_config, ++ xfer->bits_per_word)) + goto err_exit; + + /* Send both scatterlists */ diff --git a/queue-4.3/spi-fix-parent-device-reference-leak.patch b/queue-4.3/spi-fix-parent-device-reference-leak.patch new file mode 100644 index 00000000000..36db37e0854 --- /dev/null +++ b/queue-4.3/spi-fix-parent-device-reference-leak.patch @@ -0,0 +1,36 @@ +From 157f38f993919b648187ba341bfb05d0e91ad2f6 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 14 Dec 2015 16:16:19 +0100 +Subject: spi: fix parent-device reference leak + +From: Johan Hovold + +commit 157f38f993919b648187ba341bfb05d0e91ad2f6 upstream. + +Fix parent-device reference leak due to SPI-core taking an unnecessary +reference to the parent when allocating the master structure, a +reference that was never released. + +Note that driver core takes its own reference to the parent when the +master device is registered. + +Fixes: 49dce689ad4e ("spi doesn't need class_device") +Signed-off-by: Johan Hovold +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -1627,7 +1627,7 @@ struct spi_master *spi_alloc_master(stru + master->bus_num = -1; + master->num_chipselect = 1; + master->dev.class = &spi_master_class; +- master->dev.parent = get_device(dev); ++ master->dev.parent = dev; + spi_master_set_devdata(master, &master[1]); + + return master; diff --git a/queue-4.3/spi-omap2-mcspi-disable-other-channels-chconf_force-in-prepare_message.patch b/queue-4.3/spi-omap2-mcspi-disable-other-channels-chconf_force-in-prepare_message.patch new file mode 100644 index 00000000000..6411eccecd4 --- /dev/null +++ b/queue-4.3/spi-omap2-mcspi-disable-other-channels-chconf_force-in-prepare_message.patch @@ -0,0 +1,78 @@ +From 468a32082b04c7febccfcd55b06ecbc438fcddcc Mon Sep 17 00:00:00 2001 +From: Neil Armstrong +Date: Fri, 9 Oct 2015 15:47:41 +0200 +Subject: spi: omap2-mcspi: disable other channels CHCONF_FORCE in prepare_message + +From: Neil Armstrong + +commit 468a32082b04c7febccfcd55b06ecbc438fcddcc upstream. + +Since the "Switch driver to use transfer_one" change, the cs_change +behavior has changed and a channel chip select can still be +asserted when changing channel from a previous last transfer in a +message having the cs_change attribute. + +Since there is no sense having multiple chip select being asserted at the +same time, disable all the remaining forced chip selects in a the +prepare_message called right before a spi_transfer_one_message call. +It ignores the current channel configuration in order to keep the +possibility to leave the chip select asserted between messages. + +It fixes this bug on a DM8168 SoC ES2.1 Soc and an OMAP4 ES2.1 SoC. +It was hanging all the other channels transfers when a CHCONF_FORCE +is present on the wrong channel. + +Fixes: b28cb9414db9 ("spi: omap2-mcspi: Switch driver to use transfer_one") +Signed-off-by: Neil Armstrong +Reviewed-by: Michael Welling +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-omap2-mcspi.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +--- a/drivers/spi/spi-omap2-mcspi.c ++++ b/drivers/spi/spi-omap2-mcspi.c +@@ -1217,6 +1217,33 @@ out: + return status; + } + ++static int omap2_mcspi_prepare_message(struct spi_master *master, ++ struct spi_message *msg) ++{ ++ struct omap2_mcspi *mcspi = spi_master_get_devdata(master); ++ struct omap2_mcspi_regs *ctx = &mcspi->ctx; ++ struct omap2_mcspi_cs *cs; ++ ++ /* Only a single channel can have the FORCE bit enabled ++ * in its chconf0 register. ++ * Scan all channels and disable them except the current one. ++ * A FORCE can remain from a last transfer having cs_change enabled ++ */ ++ list_for_each_entry(cs, &ctx->cs, node) { ++ if (msg->spi->controller_state == cs) ++ continue; ++ ++ if ((cs->chconf0 & OMAP2_MCSPI_CHCONF_FORCE)) { ++ cs->chconf0 &= ~OMAP2_MCSPI_CHCONF_FORCE; ++ writel_relaxed(cs->chconf0, ++ cs->base + OMAP2_MCSPI_CHCONF0); ++ readl_relaxed(cs->base + OMAP2_MCSPI_CHCONF0); ++ } ++ } ++ ++ return 0; ++} ++ + static int omap2_mcspi_transfer_one(struct spi_master *master, + struct spi_device *spi, struct spi_transfer *t) + { +@@ -1344,6 +1371,7 @@ static int omap2_mcspi_probe(struct plat + master->bits_per_word_mask = SPI_BPW_RANGE_MASK(4, 32); + master->setup = omap2_mcspi_setup; + master->auto_runtime_pm = true; ++ master->prepare_message = omap2_mcspi_prepare_message; + master->transfer_one = omap2_mcspi_transfer_one; + master->set_cs = omap2_mcspi_set_cs; + master->cleanup = omap2_mcspi_cleanup; diff --git a/queue-4.3/spi-spi-xilinx-fix-race-condition-on-last-word-read.patch b/queue-4.3/spi-spi-xilinx-fix-race-condition-on-last-word-read.patch new file mode 100644 index 00000000000..7105c712178 --- /dev/null +++ b/queue-4.3/spi-spi-xilinx-fix-race-condition-on-last-word-read.patch @@ -0,0 +1,100 @@ +From eca37c7c117460e2fbe4e32c991bff32a961f688 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda Delgado +Date: Wed, 28 Oct 2015 16:16:02 +0100 +Subject: spi/spi-xilinx: Fix race condition on last word read + +From: Ricardo Ribalda Delgado + +commit eca37c7c117460e2fbe4e32c991bff32a961f688 upstream. + +Some users have reported that in polled mode the driver fails randomly +to read the last word of the transfer. + +The end condition used for the transmissions (in polled and irq mode) +has been the TX_EMPTY flag. But Lars-Peter Clausen has identified a delay +from the TX_EMPTY to the actual end of the data rx. + +I believe that this race condition has not been detected until now +because of the latency added by the IRQ handler or the PCIe bridge. +This bugs affects setups with low latency access to the spi core. + +This patch replaces the readout logic: + +For all the words, except the last one, the TX_EMPTY flag is used (and +cached). + +If !TX_EMPY or is the last word. The status register is read and the +RX_EMPTY flag is used. + +The performance is not affected: there is an extra read of the +Status Register, but the readout can start as soon as there is a word +in the buffer. + +Reported-by: Edward Kigwana +Initial-fix-by: Lars-Peter Clausen +Signed-off-by: Ricardo Ribalda Delgado +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-xilinx.c | 38 ++++++++++++++++++++++++-------------- + 1 file changed, 24 insertions(+), 14 deletions(-) + +--- a/drivers/spi/spi-xilinx.c ++++ b/drivers/spi/spi-xilinx.c +@@ -270,6 +270,7 @@ static int xilinx_spi_txrx_bufs(struct s + + while (remaining_words) { + int n_words, tx_words, rx_words; ++ u32 sr; + + n_words = min(remaining_words, xspi->buffer_size); + +@@ -284,24 +285,33 @@ static int xilinx_spi_txrx_bufs(struct s + if (use_irq) { + xspi->write_fn(cr, xspi->regs + XSPI_CR_OFFSET); + wait_for_completion(&xspi->done); +- } else +- while (!(xspi->read_fn(xspi->regs + XSPI_SR_OFFSET) & +- XSPI_SR_TX_EMPTY_MASK)) +- ; +- +- /* A transmit has just completed. Process received data and +- * check for more data to transmit. Always inhibit the +- * transmitter while the Isr refills the transmit register/FIFO, +- * or make sure it is stopped if we're done. +- */ +- if (use_irq) ++ /* A transmit has just completed. Process received data ++ * and check for more data to transmit. Always inhibit ++ * the transmitter while the Isr refills the transmit ++ * register/FIFO, or make sure it is stopped if we're ++ * done. ++ */ + xspi->write_fn(cr | XSPI_CR_TRANS_INHIBIT, +- xspi->regs + XSPI_CR_OFFSET); ++ xspi->regs + XSPI_CR_OFFSET); ++ sr = XSPI_SR_TX_EMPTY_MASK; ++ } else ++ sr = xspi->read_fn(xspi->regs + XSPI_SR_OFFSET); + + /* Read out all the data from the Rx FIFO */ + rx_words = n_words; +- while (rx_words--) +- xilinx_spi_rx(xspi); ++ while (rx_words) { ++ if ((sr & XSPI_SR_TX_EMPTY_MASK) && (rx_words > 1)) { ++ xilinx_spi_rx(xspi); ++ rx_words--; ++ continue; ++ } ++ ++ sr = xspi->read_fn(xspi->regs + XSPI_SR_OFFSET); ++ if (!(sr & XSPI_SR_RX_EMPTY_MASK)) { ++ xilinx_spi_rx(xspi); ++ rx_words--; ++ } ++ } + + remaining_words -= n_words; + } diff --git a/queue-4.3/spi-ti-qspi-fix-data-corruption-seen-on-r-w-stress-test.patch b/queue-4.3/spi-ti-qspi-fix-data-corruption-seen-on-r-w-stress-test.patch new file mode 100644 index 00000000000..eea3ff49437 --- /dev/null +++ b/queue-4.3/spi-ti-qspi-fix-data-corruption-seen-on-r-w-stress-test.patch @@ -0,0 +1,55 @@ +From bc27a53928981662079aa243915b443370294a03 Mon Sep 17 00:00:00 2001 +From: Vignesh R +Date: Mon, 12 Oct 2015 13:22:02 +0530 +Subject: spi: ti-qspi: Fix data corruption seen on r/w stress test + +From: Vignesh R + +commit bc27a53928981662079aa243915b443370294a03 upstream. + +Writing invalid command to QSPI_SPI_CMD_REG will terminate current +transfer and de-assert the chip select. This has to be done before +calling spi_finalize_current_message(). Because +spi_finalize_current_message() will mark the end of current message +transfer and schedule the next transfer. If the chipselect is not +de-asserted before calling spi_finalize_current_message() then the next +transfer will overlap with the previous transfer leading to data +corruption. +__spi_pump_message() can be called either from kthread worker context or +directly from the calling process's context. It is possible that these +two calls can race against each other. But race is serialized by +checking whether master->cur_msg == NULL (pointer to msg being handled +by transfer_one() at present). The master->cur_msg is set to NULL when +spi_finalize_current_message() is called on that message, which means +calling spi_finalize_current_message() allows __spi_sync() to pump next +message in calling process context. +Now if spi-ti-qspi calls spi_finalize_current_message() before we +terminate transfer at hardware side, if __spi_pump_message() is called +from process context then the successive transactions can overlap. + +Fix this by moving writing invalid command to QSPI_SPI_CMD_REG to +before calling spi_finalize_current_message() call. + +Signed-off-by: Vignesh R +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-ti-qspi.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/spi/spi-ti-qspi.c ++++ b/drivers/spi/spi-ti-qspi.c +@@ -410,11 +410,10 @@ static int ti_qspi_start_transfer_one(st + + mutex_unlock(&qspi->list_lock); + ++ ti_qspi_write(qspi, qspi->cmd | QSPI_INVAL, QSPI_SPI_CMD_REG); + m->status = status; + spi_finalize_current_message(master); + +- ti_qspi_write(qspi, qspi->cmd | QSPI_INVAL, QSPI_SPI_CMD_REG); +- + return status; + } + diff --git a/queue-4.3/tpm-revert-the-list-handling-logic-fixed-in-398a1e7.patch b/queue-4.3/tpm-revert-the-list-handling-logic-fixed-in-398a1e7.patch new file mode 100644 index 00000000000..54ef471e26d --- /dev/null +++ b/queue-4.3/tpm-revert-the-list-handling-logic-fixed-in-398a1e7.patch @@ -0,0 +1,33 @@ +From b1a4144a695ff4a6834a2680600f36f991fa4926 Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Mon, 2 Nov 2015 19:55:29 +0200 +Subject: TPM: revert the list handling logic fixed in 398a1e7 + +From: Jarkko Sakkinen + +commit b1a4144a695ff4a6834a2680600f36f991fa4926 upstream. + +Mimi reported that afb5abc reverts the fix in 398a1e7. This patch +reverts it back. + +Fixes: afb5abc262e9 ("tpm: two-phase chip management functions") +Reported-by: Mimi Zohar +Signed-off-by: Jarkko Sakkinen +Acked-by: Peter Huewe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm-chip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/tpm/tpm-chip.c ++++ b/drivers/char/tpm/tpm-chip.c +@@ -231,7 +231,7 @@ int tpm_chip_register(struct tpm_chip *c + + /* Make the chip available. */ + spin_lock(&driver_lock); +- list_add_rcu(&chip->list, &tpm_chip_list); ++ list_add_tail_rcu(&chip->list, &tpm_chip_list); + spin_unlock(&driver_lock); + + chip->flags |= TPM_CHIP_FLAG_REGISTERED; diff --git a/queue-4.3/tpm-tpm_crb-fix-unaligned-read-of-the-command-buffer-address.patch b/queue-4.3/tpm-tpm_crb-fix-unaligned-read-of-the-command-buffer-address.patch new file mode 100644 index 00000000000..68cb5df84ab --- /dev/null +++ b/queue-4.3/tpm-tpm_crb-fix-unaligned-read-of-the-command-buffer-address.patch @@ -0,0 +1,50 @@ +From 149789ce9d472e6b4fd99336e779ab843754a96c Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Tue, 15 Sep 2015 20:05:40 +0300 +Subject: tpm, tpm_crb: fix unaligned read of the command buffer address + +From: Jarkko Sakkinen + +commit 149789ce9d472e6b4fd99336e779ab843754a96c upstream. + +The command buffer address must be read with exactly two 32-bit reads. +Otherwise, on some HW platforms, it seems that HW will abort the read +operation, which causes CPU to fill the read bytes with 1's. Therefore, +we cannot rely on memcpy_fromio() but must call ioread32() two times +instead. + +Also, this matches the PC Client Platform TPM Profile specification, +which defines command buffer address with two 32-bit fields. + +Signed-off-by: Jarkko Sakkinen +Reviewed-by: Peter Huewe +Signed-off-by: Peter Huewe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm_crb.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/char/tpm/tpm_crb.c ++++ b/drivers/char/tpm/tpm_crb.c +@@ -68,7 +68,8 @@ struct crb_control_area { + u32 int_enable; + u32 int_sts; + u32 cmd_size; +- u64 cmd_pa; ++ u32 cmd_pa_low; ++ u32 cmd_pa_high; + u32 rsp_size; + u64 rsp_pa; + } __packed; +@@ -263,8 +264,8 @@ static int crb_acpi_add(struct acpi_devi + return -ENOMEM; + } + +- memcpy_fromio(&pa, &priv->cca->cmd_pa, 8); +- pa = le64_to_cpu(pa); ++ pa = ((u64) le32_to_cpu(ioread32(&priv->cca->cmd_pa_high)) << 32) | ++ (u64) le32_to_cpu(ioread32(&priv->cca->cmd_pa_low)); + priv->cmd = devm_ioremap_nocache(dev, pa, + ioread32(&priv->cca->cmd_size)); + if (!priv->cmd) { diff --git a/queue-4.3/tpm_tis-free-irq-after-probing.patch b/queue-4.3/tpm_tis-free-irq-after-probing.patch new file mode 100644 index 00000000000..27859b574c7 --- /dev/null +++ b/queue-4.3/tpm_tis-free-irq-after-probing.patch @@ -0,0 +1,35 @@ +From 2aef9da60bfdeb68dbcd4f114c098cbaa841b4ee Mon Sep 17 00:00:00 2001 +From: Martin Wilck +Date: Thu, 5 Nov 2015 17:19:09 +0100 +Subject: tpm_tis: free irq after probing + +From: Martin Wilck + +commit 2aef9da60bfdeb68dbcd4f114c098cbaa841b4ee upstream. + +Release IRQs used for probing only. Otherwise the TPM will end up +with all IRQs 3-15 assigned. + +Fixes: afb5abc262e9 ("tpm: two-phase chip management functions") +Signed-off-by: Martin Wilck +Reviewed-by: Jarkko Sakkinen +Tested-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Acked-by: Peter Huewe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm_tis.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/char/tpm/tpm_tis.c ++++ b/drivers/char/tpm/tpm_tis.c +@@ -805,6 +805,8 @@ static int tpm_tis_init(struct device *d + iowrite32(intmask, + chip->vendor.iobase + + TPM_INT_ENABLE(chip->vendor.locality)); ++ ++ devm_free_irq(dev, i, chip); + } + } + if (chip->vendor.irq) { diff --git a/queue-4.3/tracefs-fix-refcount-imbalance-in-start_creating.patch b/queue-4.3/tracefs-fix-refcount-imbalance-in-start_creating.patch new file mode 100644 index 00000000000..484e181a265 --- /dev/null +++ b/queue-4.3/tracefs-fix-refcount-imbalance-in-start_creating.patch @@ -0,0 +1,53 @@ +From d227c3ae4e94e5eb11dd780a811f59e1a7b74ccd Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Wed, 4 Nov 2015 23:33:17 +0100 +Subject: tracefs: Fix refcount imbalance in start_creating() + +From: Daniel Borkmann + +commit d227c3ae4e94e5eb11dd780a811f59e1a7b74ccd upstream. + +In tracefs' start_creating(), we pin the file system to safely access +its root. When we failed to create a file, we unpin the file system via +failed_creating() to release the mount count and eventually the reference +of the singleton vfsmount. + +However, when we run into an error during lookup_one_len() when still +in start_creating(), we only release the parent's mutex but not so the +reference on the mount. + +F.e., in securityfs_create_file(), after doing simple_pin_fs() when +lookup_one_len() fails there, we infact do simple_release_fs(). This +seems necessary here as well. + +Same issue seen in debugfs due to 190afd81e4a5 ("debugfs: split the +beginning and the end of __create_file() off"), which seemed to got +carried over into tracefs, too. Noticed during code review. + +Link: http://lkml.kernel.org/r/68efa86101b778cf7517ed7c6ad573bd69f60ec6.1446672850.git.daniel@iogearbox.net + +Fixes: 4282d60689d4 ("tracefs: Add new tracefs file system") +Signed-off-by: Daniel Borkmann +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + fs/tracefs/inode.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/tracefs/inode.c ++++ b/fs/tracefs/inode.c +@@ -340,8 +340,12 @@ static struct dentry *start_creating(con + dput(dentry); + dentry = ERR_PTR(-EEXIST); + } +- if (IS_ERR(dentry)) ++ ++ if (IS_ERR(dentry)) { + mutex_unlock(&parent->d_inode->i_mutex); ++ simple_release_fs(&tracefs_mount, &tracefs_mount_count); ++ } ++ + return dentry; + } + diff --git a/queue-4.3/tracing-fix-setting-of-start_index-in-find_next.patch b/queue-4.3/tracing-fix-setting-of-start_index-in-find_next.patch new file mode 100644 index 00000000000..06109372821 --- /dev/null +++ b/queue-4.3/tracing-fix-setting-of-start_index-in-find_next.patch @@ -0,0 +1,66 @@ +From f36d1be2930ede0a1947686e1126ffda5d5ee1bb Mon Sep 17 00:00:00 2001 +From: Qiu Peiyang +Date: Thu, 31 Dec 2015 13:11:28 +0800 +Subject: tracing: Fix setting of start_index in find_next() + +From: Qiu Peiyang + +commit f36d1be2930ede0a1947686e1126ffda5d5ee1bb upstream. + +When we do cat /sys/kernel/debug/tracing/printk_formats, we hit kernel +panic at t_show. + +general protection fault: 0000 [#1] PREEMPT SMP +CPU: 0 PID: 2957 Comm: sh Tainted: G W O 3.14.55-x86_64-01062-gd4acdc7 #2 +RIP: 0010:[] + [] t_show+0x22/0xe0 +RSP: 0000:ffff88002b4ebe80 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004 +RDX: 0000000000000004 RSI: ffffffff81fd26a6 RDI: ffff880032f9f7b1 +RBP: ffff88002b4ebe98 R08: 0000000000001000 R09: 000000000000ffec +R10: 0000000000000000 R11: 000000000000000f R12: ffff880004d9b6c0 +R13: 7365725f6d706400 R14: ffff880004d9b6c0 R15: ffffffff82020570 +FS: 0000000000000000(0000) GS:ffff88003aa00000(0063) knlGS:00000000f776bc40 +CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 +CR2: 00000000f6c02ff0 CR3: 000000002c2b3000 CR4: 00000000001007f0 +Call Trace: + [] seq_read+0x2f6/0x3e0 + [] vfs_read+0x9b/0x160 + [] SyS_read+0x49/0xb0 + [] ia32_do_call+0x13/0x13 + ---[ end trace 5bd9eb630614861e ]--- +Kernel panic - not syncing: Fatal exception + +When the first time find_next calls find_next_mod_format, it should +iterate the trace_bprintk_fmt_list to find the first print format of +the module. However in current code, start_index is smaller than *pos +at first, and code will not iterate the list. Latter container_of will +get the wrong address with former v, which will cause mod_fmt be a +meaningless object and so is the returned mod_fmt->fmt. + +This patch will fix it by correcting the start_index. After fixed, +when the first time calls find_next_mod_format, start_index will be +equal to *pos, and code will iterate the trace_bprintk_fmt_list to +get the right module printk format, so is the returned mod_fmt->fmt. + +Link: http://lkml.kernel.org/r/5684B900.9000309@intel.com + +Fixes: 102c9323c35a8 "tracing: Add __tracepoint_string() to export string pointers" +Signed-off-by: Qiu Peiyang +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_printk.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/trace/trace_printk.c ++++ b/kernel/trace/trace_printk.c +@@ -267,6 +267,7 @@ static const char **find_next(void *v, l + if (*pos < last_index + start_index) + return __start___tracepoint_str + (*pos - last_index); + ++ start_index += last_index; + return find_next_mod_format(start_index, v, fmt, pos); + } + diff --git a/queue-4.3/tracing-stacktrace-show-entire-trace-if-passed-in-function-not-found.patch b/queue-4.3/tracing-stacktrace-show-entire-trace-if-passed-in-function-not-found.patch new file mode 100644 index 00000000000..b170c332942 --- /dev/null +++ b/queue-4.3/tracing-stacktrace-show-entire-trace-if-passed-in-function-not-found.patch @@ -0,0 +1,46 @@ +From 6ccd83714a009ee301b50c15f6c3a5dc1f30164c Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Fri, 29 Jan 2016 10:22:41 -0500 +Subject: tracing/stacktrace: Show entire trace if passed in function not found + +From: Steven Rostedt + +commit 6ccd83714a009ee301b50c15f6c3a5dc1f30164c upstream. + +When a max stack trace is discovered, the stack dump is saved. In order to +not record the overhead of the stack tracer, the ip of the traced function +is looked for within the dump. The trace is started from the location of +that function. But if for some reason the ip is not found, the entire stack +trace is then truncated. That's not very useful. Instead, print everything +if the ip of the traced function is not found within the trace. + +This issue showed up on s390. + +Link: http://lkml.kernel.org/r/20160129102241.1b3c9c04@gandalf.local.home + +Fixes: 72ac426a5bb0 ("tracing: Clean up stack tracing and fix fentry updates") +Reported-by: Heiko Carstens +Tested-by: Heiko Carstens +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_stack.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/kernel/trace/trace_stack.c ++++ b/kernel/trace/trace_stack.c +@@ -120,6 +120,13 @@ check_stack(unsigned long ip, unsigned l + } + + /* ++ * Some archs may not have the passed in ip in the dump. ++ * If that happens, we need to show everything. ++ */ ++ if (i == stack_trace_max.nr_entries) ++ i = 0; ++ ++ /* + * Now find where in the stack these are. + */ + x = 0; diff --git a/queue-4.3/tracing-update-instance_rmdir-to-use-tracefs_remove_recursive.patch b/queue-4.3/tracing-update-instance_rmdir-to-use-tracefs_remove_recursive.patch new file mode 100644 index 00000000000..919e62ae7ae --- /dev/null +++ b/queue-4.3/tracing-update-instance_rmdir-to-use-tracefs_remove_recursive.patch @@ -0,0 +1,35 @@ +From 681a4a2f4529517422835b7395df07404dfe2278 Mon Sep 17 00:00:00 2001 +From: Jiaxing Wang +Date: Sun, 18 Oct 2015 19:58:08 +0800 +Subject: tracing: Update instance_rmdir() to use tracefs_remove_recursive + +From: Jiaxing Wang + +commit 681a4a2f4529517422835b7395df07404dfe2278 upstream. + +Update instancd_rmdir to use tracefs_remove_recursive instead of +debugfs_remove_recursive.This was left in the transition from debugfs +to tracefs. + +Link: http://lkml.kernel.org/r/1445169490-18315-2-git-send-email-hello.wjx@gmail.com + +Fixes: 8434dc9340cd2 ("tracing: Convert the tracing facility over to use tracefs") +Signed-off-by: Jiaxing Wang +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -6602,7 +6602,7 @@ static int instance_rmdir(const char *na + tracing_set_nop(tr); + event_trace_del_tracer(tr); + ftrace_destroy_function_files(tr); +- debugfs_remove_recursive(tr->dir); ++ tracefs_remove_recursive(tr->dir); + free_trace_buffers(tr); + + kfree(tr->name); diff --git a/queue-4.3/v4l2-compat-ioctl32-fix-alignment-for-arm64.patch b/queue-4.3/v4l2-compat-ioctl32-fix-alignment-for-arm64.patch new file mode 100644 index 00000000000..797f1bda55f --- /dev/null +++ b/queue-4.3/v4l2-compat-ioctl32-fix-alignment-for-arm64.patch @@ -0,0 +1,66 @@ +From 655e9780ab913a3a06d4a164d55e3b755524186d Mon Sep 17 00:00:00 2001 +From: Andrzej Hajda +Date: Mon, 31 Aug 2015 08:56:15 -0300 +Subject: [media] v4l2-compat-ioctl32: fix alignment for ARM64 + +From: Andrzej Hajda + +commit 655e9780ab913a3a06d4a164d55e3b755524186d upstream. + +Alignment/padding rules on AMD64 and ARM64 differs. To allow properly match +compatible ioctls on ARM64 kernels without breaking AMD64 some fields +should be aligned using compat_s64 type and in one case struct should be +unpacked. + +Signed-off-by: Andrzej Hajda +[hans.verkuil@cisco.com: use compat_u64 instead of compat_s64 in v4l2_input32] +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman + +Signed-off-by: Mauro Carvalho Chehab + +--- + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c ++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +@@ -266,7 +266,7 @@ static int put_v4l2_create32(struct v4l2 + + struct v4l2_standard32 { + __u32 index; +- __u32 id[2]; /* __u64 would get the alignment wrong */ ++ compat_u64 id; + __u8 name[24]; + struct v4l2_fract frameperiod; /* Frames, not fields */ + __u32 framelines; +@@ -286,7 +286,7 @@ static int put_v4l2_standard32(struct v4 + { + if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_standard32)) || + put_user(kp->index, &up->index) || +- copy_to_user(up->id, &kp->id, sizeof(__u64)) || ++ put_user(kp->id, &up->id) || + copy_to_user(up->name, kp->name, 24) || + copy_to_user(&up->frameperiod, &kp->frameperiod, sizeof(kp->frameperiod)) || + put_user(kp->framelines, &up->framelines) || +@@ -587,10 +587,10 @@ struct v4l2_input32 { + __u32 type; /* Type of input */ + __u32 audioset; /* Associated audios (bitfield) */ + __u32 tuner; /* Associated tuner */ +- v4l2_std_id std; ++ compat_u64 std; + __u32 status; + __u32 reserved[4]; +-} __attribute__ ((packed)); ++}; + + /* The 64-bit v4l2_input struct has extra padding at the end of the struct. + Otherwise it is identical to the 32-bit version. */ +@@ -738,6 +738,7 @@ static int put_v4l2_ext_controls32(struc + struct v4l2_event32 { + __u32 type; + union { ++ compat_s64 value64; + __u8 data[64]; + } u; + __u32 pending; diff --git a/queue-4.3/v4l2-ctrls-arrays-are-also-considered-compound-controls.patch b/queue-4.3/v4l2-ctrls-arrays-are-also-considered-compound-controls.patch new file mode 100644 index 00000000000..7bfb3945cc6 --- /dev/null +++ b/queue-4.3/v4l2-ctrls-arrays-are-also-considered-compound-controls.patch @@ -0,0 +1,46 @@ +From 35204e2e84f2dae72012f8ca319659c12f428430 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Mon, 21 Sep 2015 06:14:16 -0300 +Subject: [media] v4l2-ctrls: arrays are also considered compound controls + +From: Hans Verkuil + +commit 35204e2e84f2dae72012f8ca319659c12f428430 upstream. + +Array controls weren't skipped when only V4L2_CTRL_FLAG_NEXT_CTRL was +provided (so no V4L2_CTRL_FLAG_NEXT_COMPOUND was set). This is wrong +since arrays are also considered compound controls (i.e. with more than +one value), and applications that do not know about arrays will not +be able to handle such controls. + +Fix the test to include arrays. + +Signed-off-by: Hans Verkuil +Reported-by: Ricardo Ribalda Delgado +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/v4l2-core/v4l2-ctrls.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-ctrls.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls.c +@@ -2498,7 +2498,7 @@ int v4l2_query_ext_ctrl(struct v4l2_ctrl + /* We found a control with the given ID, so just get + the next valid one in the list. */ + list_for_each_entry_continue(ref, &hdl->ctrl_refs, node) { +- is_compound = ++ is_compound = ref->ctrl->is_array || + ref->ctrl->type >= V4L2_CTRL_COMPOUND_TYPES; + if (id < ref->ctrl->id && + (is_compound & mask) == match) +@@ -2512,7 +2512,7 @@ int v4l2_query_ext_ctrl(struct v4l2_ctrl + is one, otherwise the first 'if' above would have + been true. */ + list_for_each_entry(ref, &hdl->ctrl_refs, node) { +- is_compound = ++ is_compound = ref->ctrl->is_array || + ref->ctrl->type >= V4L2_CTRL_COMPOUND_TYPES; + if (id < ref->ctrl->id && + (is_compound & mask) == match) diff --git a/queue-4.3/vivid-fix-iteration-in-driver-removal-path.patch b/queue-4.3/vivid-fix-iteration-in-driver-removal-path.patch new file mode 100644 index 00000000000..19e2406d31b --- /dev/null +++ b/queue-4.3/vivid-fix-iteration-in-driver-removal-path.patch @@ -0,0 +1,41 @@ +From a5d42b8c3b3ddccd88dc1c70957177d31a6699fb Mon Sep 17 00:00:00 2001 +From: Ezequiel Garcia +Date: Mon, 28 Sep 2015 18:36:51 -0300 +Subject: [media] vivid: Fix iteration in driver removal path + +From: Ezequiel Garcia + +commit a5d42b8c3b3ddccd88dc1c70957177d31a6699fb upstream. + +When the diver is removed and all the resources are deallocated, +we should be iterating through the created devices only. + +Currently, the iteration ends when vivid_devs[i] is NULL. Since +the array contains VIVID_MAX_DEVS elements, it will oops if +n_devs=VIVID_MAX_DEVS because in that case, no element is NULL. + +Fixes: c88a96b023d8 ('[media] vivid: add core driver code') + +Signed-off-by: Ezequiel Garcia +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/vivid/vivid-core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/vivid/vivid-core.c ++++ b/drivers/media/platform/vivid/vivid-core.c +@@ -1341,8 +1341,11 @@ static int vivid_remove(struct platform_ + struct vivid_dev *dev; + unsigned i; + +- for (i = 0; vivid_devs[i]; i++) { ++ ++ for (i = 0; i < n_devs; i++) { + dev = vivid_devs[i]; ++ if (!dev) ++ continue; + + if (dev->has_vid_cap) { + v4l2_info(&dev->v4l2_dev, "unregistering %s\n", diff --git a/queue-4.3/vtpm-fix-memory-allocation-flag-for-rtce-buffer-at-kernel-boot.patch b/queue-4.3/vtpm-fix-memory-allocation-flag-for-rtce-buffer-at-kernel-boot.patch new file mode 100644 index 00000000000..9e43ee55cc9 --- /dev/null +++ b/queue-4.3/vtpm-fix-memory-allocation-flag-for-rtce-buffer-at-kernel-boot.patch @@ -0,0 +1,35 @@ +From 60ecd86c4d985750efa0ea3d8610972b09951715 Mon Sep 17 00:00:00 2001 +From: "Hon Ching \\(Vicky\\) Lo" +Date: Wed, 7 Oct 2015 20:11:51 -0400 +Subject: vTPM: fix memory allocation flag for rtce buffer at kernel boot + +From: Hon Ching \(Vicky\) Lo + +commit 60ecd86c4d985750efa0ea3d8610972b09951715 upstream. + +At ibm vtpm initialzation, tpm_ibmvtpm_probe() registers its interrupt +handler, ibmvtpm_interrupt, which calls ibmvtpm_crq_process to allocate +memory for rtce buffer. The current code uses 'GFP_KERNEL' as the +type of kernel memory allocation, which resulted a warning at +kernel/lockdep.c. This patch uses 'GFP_ATOMIC' instead so that the +allocation is high-priority and does not sleep. + +Signed-off-by: Hon Ching(Vicky) Lo +Signed-off-by: Peter Huewe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm_ibmvtpm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/tpm/tpm_ibmvtpm.c ++++ b/drivers/char/tpm/tpm_ibmvtpm.c +@@ -491,7 +491,7 @@ static void ibmvtpm_crq_process(struct i + } + ibmvtpm->rtce_size = be16_to_cpu(crq->len); + ibmvtpm->rtce_buf = kmalloc(ibmvtpm->rtce_size, +- GFP_KERNEL); ++ GFP_ATOMIC); + if (!ibmvtpm->rtce_buf) { + dev_err(ibmvtpm->dev, "Failed to allocate memory for rtce buffer\n"); + return; diff --git a/queue-4.3/wlcore-wl12xx-spi-fix-null-pointer-dereference-oops.patch b/queue-4.3/wlcore-wl12xx-spi-fix-null-pointer-dereference-oops.patch new file mode 100644 index 00000000000..aca6a7f4738 --- /dev/null +++ b/queue-4.3/wlcore-wl12xx-spi-fix-null-pointer-dereference-oops.patch @@ -0,0 +1,101 @@ +From e47301b06d5a65678690f04c2248fd181db1e59a Mon Sep 17 00:00:00 2001 +From: Uri Mashiach +Date: Thu, 24 Dec 2015 16:05:00 +0200 +Subject: wlcore/wl12xx: spi: fix NULL pointer dereference (Oops) + +From: Uri Mashiach + +commit e47301b06d5a65678690f04c2248fd181db1e59a upstream. + +Fix the below Oops when trying to modprobe wlcore_spi. +The oops occurs because the wl1271_power_{off,on}() +function doesn't check the power() function pointer. + +[ 23.401447] Unable to handle kernel NULL pointer dereference at +virtual address 00000000 +[ 23.409954] pgd = c0004000 +[ 23.412922] [00000000] *pgd=00000000 +[ 23.416693] Internal error: Oops: 80000007 [#1] SMP ARM +[ 23.422168] Modules linked in: wl12xx wlcore mac80211 cfg80211 +musb_dsps musb_hdrc usbcore usb_common snd_soc_simple_card evdev joydev +omap_rng wlcore_spi snd_soc_tlv320aic23_i2c rng_core snd_soc_tlv320aic23 +c_can_platform c_can can_dev snd_soc_davinci_mcasp snd_soc_edma +snd_soc_omap omap_wdt musb_am335x cpufreq_dt thermal_sys hwmon +[ 23.453253] CPU: 0 PID: 36 Comm: kworker/0:2 Not tainted +4.2.0-00002-g951efee-dirty #233 +[ 23.461720] Hardware name: Generic AM33XX (Flattened Device Tree) +[ 23.468123] Workqueue: events request_firmware_work_func +[ 23.473690] task: de32efc0 ti: de4ee000 task.ti: de4ee000 +[ 23.479341] PC is at 0x0 +[ 23.482112] LR is at wl12xx_set_power_on+0x28/0x124 [wlcore] +[ 23.488074] pc : [<00000000>] lr : [] psr: 60000013 +[ 23.488074] sp : de4efe50 ip : 00000002 fp : 00000000 +[ 23.500162] r10: de7cdd00 r9 : dc848800 r8 : bf27af00 +[ 23.505663] r7 : bf27a1a8 r6 : dcbd8a80 r5 : dce0e2e0 r4 : +dce0d2e0 +[ 23.512536] r3 : 00000000 r2 : 00000000 r1 : 00000001 r0 : +dc848810 +[ 23.519412] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM +Segment kernel +[ 23.527109] Control: 10c5387d Table: 9cb78019 DAC: 00000015 +[ 23.533160] Process kworker/0:2 (pid: 36, stack limit = 0xde4ee218) +[ 23.539760] Stack: (0xde4efe50 to 0xde4f0000) + +[...] + +[ 23.665030] [] (wl12xx_set_power_on [wlcore]) from +[] (wlcore_nvs_cb+0x118/0xa4c [wlcore]) +[ 23.675604] [] (wlcore_nvs_cb [wlcore]) from [] +(request_firmware_work_func+0x30/0x58) +[ 23.685784] [] (request_firmware_work_func) from +[] (process_one_work+0x1b4/0x4b4) +[ 23.695591] [] (process_one_work) from [] +(worker_thread+0x3c/0x4a4) +[ 23.704124] [] (worker_thread) from [] +(kthread+0xd4/0xf0) +[ 23.711747] [] (kthread) from [] +(ret_from_fork+0x14/0x3c) +[ 23.719357] Code: bad PC value +[ 23.722760] ---[ end trace 981be8510db9b3a9 ]--- + +Prevent oops by validationg power() pointer value before +calling the function. + +Signed-off-by: Uri Mashiach +Acked-by: Igor Grinberg +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ti/wlcore/io.h | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ti/wlcore/io.h ++++ b/drivers/net/wireless/ti/wlcore/io.h +@@ -207,19 +207,23 @@ static inline int __must_check wlcore_wr + + static inline void wl1271_power_off(struct wl1271 *wl) + { +- int ret; ++ int ret = 0; + + if (!test_bit(WL1271_FLAG_GPIO_POWER, &wl->flags)) + return; + +- ret = wl->if_ops->power(wl->dev, false); ++ if (wl->if_ops->power) ++ ret = wl->if_ops->power(wl->dev, false); + if (!ret) + clear_bit(WL1271_FLAG_GPIO_POWER, &wl->flags); + } + + static inline int wl1271_power_on(struct wl1271 *wl) + { +- int ret = wl->if_ops->power(wl->dev, true); ++ int ret = 0; ++ ++ if (wl->if_ops->power) ++ ret = wl->if_ops->power(wl->dev, true); + if (ret == 0) + set_bit(WL1271_FLAG_GPIO_POWER, &wl->flags); + diff --git a/queue-4.3/wlcore-wl12xx-spi-fix-oops-on-firmware-load.patch b/queue-4.3/wlcore-wl12xx-spi-fix-oops-on-firmware-load.patch new file mode 100644 index 00000000000..2e0ab77b3ec --- /dev/null +++ b/queue-4.3/wlcore-wl12xx-spi-fix-oops-on-firmware-load.patch @@ -0,0 +1,117 @@ +From 9b2761cb72dc41e1948c8a5512b4efd384eda130 Mon Sep 17 00:00:00 2001 +From: Uri Mashiach +Date: Thu, 10 Dec 2015 15:12:56 +0200 +Subject: wlcore/wl12xx: spi: fix oops on firmware load + +From: Uri Mashiach + +commit 9b2761cb72dc41e1948c8a5512b4efd384eda130 upstream. + +The maximum chunks used by the function is +(SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE + 1). +The original commands array had space for +(SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) commands. +When the last chunk is used (len > 4 * WSPI_MAX_CHUNK_SIZE), the last +command is stored outside the bounds of the commands array. + +Oops 5 (page fault) is generated during current wl1271 firmware load +attempt: + +root@debian-armhf:~# ifconfig wlan0 up +[ 294.312399] Unable to handle kernel paging request at virtual address +00203fc4 +[ 294.320173] pgd = de528000 +[ 294.323028] [00203fc4] *pgd=00000000 +[ 294.326916] Internal error: Oops: 5 [#1] SMP ARM +[ 294.331789] Modules linked in: bnep rfcomm bluetooth ipv6 arc4 wl12xx +wlcore mac80211 musb_dsps cfg80211 musb_hdrc usbcore usb_common +wlcore_spi omap_rng rng_core musb_am335x omap_wdt cpufreq_dt thermal_sys +hwmon +[ 294.351838] CPU: 0 PID: 1827 Comm: ifconfig Not tainted +4.2.0-00002-g3e9ad27-dirty #78 +[ 294.360154] Hardware name: Generic AM33XX (Flattened Device Tree) +[ 294.366557] task: dc9d6d40 ti: de550000 task.ti: de550000 +[ 294.372236] PC is at __spi_validate+0xa8/0x2ac +[ 294.376902] LR is at __spi_sync+0x78/0x210 +[ 294.381200] pc : [] lr : [] psr: 60000013 +[ 294.381200] sp : de551998 ip : de5519d8 fp : 00200000 +[ 294.393242] r10: de551c8c r9 : de5519d8 r8 : de3a9000 +[ 294.398730] r7 : de3a9258 r6 : de3a9400 r5 : de551a48 r4 : +00203fbc +[ 294.405577] r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : +de3a9000 +[ 294.412420] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM +Segment user +[ 294.419918] Control: 10c5387d Table: 9e528019 DAC: 00000015 +[ 294.425954] Process ifconfig (pid: 1827, stack limit = 0xde550218) +[ 294.432437] Stack: (0xde551998 to 0xde552000) + +... + +[ 294.883613] [] (__spi_validate) from [] +(__spi_sync+0x78/0x210) +[ 294.891670] [] (__spi_sync) from [] +(wl12xx_spi_raw_write+0xfc/0x148 [wlcore_spi]) +[ 294.901661] [] (wl12xx_spi_raw_write [wlcore_spi]) from +[] (wlcore_boot_upload_firmware+0x1ec/0x458 [wlcore]) +[ 294.914038] [] (wlcore_boot_upload_firmware [wlcore]) from +[] (wl12xx_boot+0xc10/0xfac [wl12xx]) +[ 294.925161] [] (wl12xx_boot [wl12xx]) from [] +(wl1271_op_add_interface+0x5b0/0x910 [wlcore]) +[ 294.936364] [] (wl1271_op_add_interface [wlcore]) from +[] (ieee80211_do_open+0x44c/0xf7c [mac80211]) +[ 294.947963] [] (ieee80211_do_open [mac80211]) from +[] (__dev_open+0xa8/0x110) +[ 294.957307] [] (__dev_open) from [] +(__dev_change_flags+0x88/0x148) +[ 294.965713] [] (__dev_change_flags) from [] +(dev_change_flags+0x18/0x48) +[ 294.974576] [] (dev_change_flags) from [] +(devinet_ioctl+0x6b4/0x7d0) +[ 294.983191] [] (devinet_ioctl) from [] +(sock_ioctl+0x1e4/0x2bc) +[ 294.991244] [] (sock_ioctl) from [] +(do_vfs_ioctl+0x420/0x6b0) +[ 294.999208] [] (do_vfs_ioctl) from [] +(SyS_ioctl+0x6c/0x7c) +[ 295.006880] [] (SyS_ioctl) from [] +(ret_fast_syscall+0x0/0x54) +[ 295.014835] Code: e1550004 e2444034 0a00007d e5953018 (e5942008) +[ 295.021544] ---[ end trace 66ed188198f4e24e ]--- + +Signed-off-by: Uri Mashiach +Acked-by: Igor Grinberg +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ti/wlcore/spi.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ti/wlcore/spi.c ++++ b/drivers/net/wireless/ti/wlcore/spi.c +@@ -73,7 +73,10 @@ + */ + #define SPI_AGGR_BUFFER_SIZE (4 * PAGE_SIZE) + +-#define WSPI_MAX_NUM_OF_CHUNKS (SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) ++/* Maximum number of SPI write chunks */ ++#define WSPI_MAX_NUM_OF_CHUNKS \ ++ ((SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) + 1) ++ + + struct wl12xx_spi_glue { + struct device *dev; +@@ -268,9 +271,10 @@ static int __must_check wl12xx_spi_raw_w + void *buf, size_t len, bool fixed) + { + struct wl12xx_spi_glue *glue = dev_get_drvdata(child->parent); +- struct spi_transfer t[2 * (WSPI_MAX_NUM_OF_CHUNKS + 1)]; ++ /* SPI write buffers - 2 for each chunk */ ++ struct spi_transfer t[2 * WSPI_MAX_NUM_OF_CHUNKS]; + struct spi_message m; +- u32 commands[WSPI_MAX_NUM_OF_CHUNKS]; ++ u32 commands[WSPI_MAX_NUM_OF_CHUNKS]; /* 1 command per chunk */ + u32 *cmd; + u32 chunk_len; + int i; diff --git a/queue-4.3/xtensa-fix-secondary-core-boot-in-smp.patch b/queue-4.3/xtensa-fix-secondary-core-boot-in-smp.patch new file mode 100644 index 00000000000..c27a116d4c9 --- /dev/null +++ b/queue-4.3/xtensa-fix-secondary-core-boot-in-smp.patch @@ -0,0 +1,164 @@ +From ab45fb145096799dabd18afc58bb5f97171017cd Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Fri, 16 Oct 2015 17:01:04 +0300 +Subject: xtensa: fix secondary core boot in SMP + +From: Max Filippov + +commit ab45fb145096799dabd18afc58bb5f97171017cd upstream. + +There are multiple factors adding to the issue in different +configurations: + +- commit 17290231df16eeee ("xtensa: add fixup for double exception raised + in window overflow") added function window_overflow_restore_a0_fixup to + double exception vector overlapping reset vector location of secondary + processor cores. +- on MMUv2 cores RESET_VECTOR1_VADDR may point to uncached kernel memory + making code overlapping depend on cache type and size, so that without + cache or with WT cache reset vector code overwrites double exception + code, making issue even harder to detect. +- on MMUv3 cores RESET_VECTOR1_VADDR may point to unmapped area, as + MMUv3 cores change virtual address map to match MMUv2 layout, but + reset vector virtual address is given for the original MMUv3 mapping. +- physical memory region of the secondary reset vector is not reserved + in the physical memory map, and thus may be allocated and overwritten + at arbitrary moment. + +Fix it as follows: + +- move window_overflow_restore_a0_fixup code to .text section. +- define RESET_VECTOR1_VADDR so that it points to reset vector in the + cacheable MMUv2 map for cores with MMU. +- reserve reset vector region in the physical memory map. Drop separate + literal section and build mxhead.S with text section literals. + +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman + +--- + arch/xtensa/include/asm/vectors.h | 9 +++++---- + arch/xtensa/kernel/Makefile | 1 + + arch/xtensa/kernel/setup.c | 9 ++++++++- + arch/xtensa/kernel/vectors.S | 4 +++- + arch/xtensa/kernel/vmlinux.lds.S | 12 ++---------- + 5 files changed, 19 insertions(+), 16 deletions(-) + +--- a/arch/xtensa/include/asm/vectors.h ++++ b/arch/xtensa/include/asm/vectors.h +@@ -48,6 +48,9 @@ + #define LOAD_MEMORY_ADDRESS 0xD0003000 + #endif + ++#define RESET_VECTOR1_VADDR (VIRTUAL_MEMORY_ADDRESS + \ ++ XCHAL_RESET_VECTOR1_PADDR) ++ + #else /* !defined(CONFIG_MMU) */ + /* MMU Not being used - Virtual == Physical */ + +@@ -60,6 +63,8 @@ + /* Loaded just above possibly live vectors */ + #define LOAD_MEMORY_ADDRESS (PLATFORM_DEFAULT_MEM_START + 0x3000) + ++#define RESET_VECTOR1_VADDR (XCHAL_RESET_VECTOR1_VADDR) ++ + #endif /* CONFIG_MMU */ + + #define XC_VADDR(offset) (VIRTUAL_MEMORY_ADDRESS + offset) +@@ -71,10 +76,6 @@ + VECBASE_RESET_VADDR) + #define RESET_VECTOR_VADDR XC_VADDR(RESET_VECTOR_VECOFS) + +-#define RESET_VECTOR1_VECOFS (XCHAL_RESET_VECTOR1_VADDR - \ +- VECBASE_RESET_VADDR) +-#define RESET_VECTOR1_VADDR XC_VADDR(RESET_VECTOR1_VECOFS) +- + #if defined(XCHAL_HAVE_VECBASE) && XCHAL_HAVE_VECBASE + + #define USER_VECTOR_VADDR XC_VADDR(XCHAL_USER_VECOFS) +--- a/arch/xtensa/kernel/Makefile ++++ b/arch/xtensa/kernel/Makefile +@@ -16,6 +16,7 @@ obj-$(CONFIG_SMP) += smp.o mxhead.o + obj-$(CONFIG_XTENSA_VARIANT_HAVE_PERF_EVENTS) += perf_event.o + + AFLAGS_head.o += -mtext-section-literals ++AFLAGS_mxhead.o += -mtext-section-literals + + # In the Xtensa architecture, assembly generates literals which must always + # precede the L32R instruction with a relative offset less than 256 kB. +--- a/arch/xtensa/kernel/setup.c ++++ b/arch/xtensa/kernel/setup.c +@@ -334,7 +334,10 @@ extern char _Level5InterruptVector_text_ + extern char _Level6InterruptVector_text_start; + extern char _Level6InterruptVector_text_end; + #endif +- ++#ifdef CONFIG_SMP ++extern char _SecondaryResetVector_text_start; ++extern char _SecondaryResetVector_text_end; ++#endif + + + #ifdef CONFIG_S32C1I_SELFTEST +@@ -506,6 +509,10 @@ void __init setup_arch(char **cmdline_p) + __pa(&_Level6InterruptVector_text_end), 0); + #endif + ++#ifdef CONFIG_SMP ++ mem_reserve(__pa(&_SecondaryResetVector_text_start), ++ __pa(&_SecondaryResetVector_text_end), 0); ++#endif + parse_early_param(); + bootmem_init(); + +--- a/arch/xtensa/kernel/vectors.S ++++ b/arch/xtensa/kernel/vectors.S +@@ -478,6 +478,9 @@ _DoubleExceptionVector_handle_exception: + + ENDPROC(_DoubleExceptionVector) + ++ .end literal_prefix ++ ++ .text + /* + * Fixup handler for TLB miss in double exception handler for window owerflow. + * We get here with windowbase set to the window that was being spilled and +@@ -587,7 +590,6 @@ ENTRY(window_overflow_restore_a0_fixup) + + ENDPROC(window_overflow_restore_a0_fixup) + +- .end literal_prefix + /* + * Debug interrupt vector + * +--- a/arch/xtensa/kernel/vmlinux.lds.S ++++ b/arch/xtensa/kernel/vmlinux.lds.S +@@ -166,8 +166,6 @@ SECTIONS + RELOCATE_ENTRY(_DebugInterruptVector_text, + .DebugInterruptVector.text); + #if defined(CONFIG_SMP) +- RELOCATE_ENTRY(_SecondaryResetVector_literal, +- .SecondaryResetVector.literal); + RELOCATE_ENTRY(_SecondaryResetVector_text, + .SecondaryResetVector.text); + #endif +@@ -282,17 +280,11 @@ SECTIONS + + #if defined(CONFIG_SMP) + +- SECTION_VECTOR (_SecondaryResetVector_literal, +- .SecondaryResetVector.literal, +- RESET_VECTOR1_VADDR - 4, +- SIZEOF(.DoubleExceptionVector.text), +- .DoubleExceptionVector.text) +- + SECTION_VECTOR (_SecondaryResetVector_text, + .SecondaryResetVector.text, + RESET_VECTOR1_VADDR, +- 4, +- .SecondaryResetVector.literal) ++ SIZEOF(.DoubleExceptionVector.text), ++ .DoubleExceptionVector.text) + + . = LOADADDR(.SecondaryResetVector.text)+SIZEOF(.SecondaryResetVector.text); + diff --git a/queue-4.3/xtensa-fixes-for-configs-without-loop-option.patch b/queue-4.3/xtensa-fixes-for-configs-without-loop-option.patch new file mode 100644 index 00000000000..20bb57c9f41 --- /dev/null +++ b/queue-4.3/xtensa-fixes-for-configs-without-loop-option.patch @@ -0,0 +1,169 @@ +From 5029615e25dc5040beb065f36743c127a8e51497 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Thu, 24 Sep 2015 23:11:53 +0300 +Subject: xtensa: fixes for configs without loop option + +From: Max Filippov + +commit 5029615e25dc5040beb065f36743c127a8e51497 upstream. + +Build-time fixes: +- make lbeg/lend/lcount save/restore conditional on kernel entry; +- don't clear lcount in platform_restart functions unconditionally. + +Run-time fixes: +- use correct end of range register in __endla paired with __loopt, not + the unused temporary register. This fixes .bss zero-initialization. + Update comments in asmmacro.h; +- don't clobber a10 in the usercopy that leads to access to unmapped + memory. + +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman + +--- + arch/xtensa/include/asm/asmmacro.h | 7 ++++--- + arch/xtensa/kernel/entry.S | 8 ++++++-- + arch/xtensa/kernel/head.S | 2 +- + arch/xtensa/lib/usercopy.S | 6 +++--- + arch/xtensa/platforms/iss/setup.c | 2 ++ + arch/xtensa/platforms/xt2000/setup.c | 2 ++ + arch/xtensa/platforms/xtfpga/setup.c | 2 ++ + 7 files changed, 20 insertions(+), 9 deletions(-) + +--- a/arch/xtensa/include/asm/asmmacro.h ++++ b/arch/xtensa/include/asm/asmmacro.h +@@ -35,9 +35,10 @@ + * __loop as + * restart loop. 'as' register must not have been modified! + * +- * __endla ar, at, incr ++ * __endla ar, as, incr + * ar start address (modified) +- * as scratch register used by macro ++ * as scratch register used by __loops/__loopi macros or ++ * end address used by __loopt macro + * inc increment + */ + +@@ -97,7 +98,7 @@ + .endm + + /* +- * loop from ar to ax ++ * loop from ar to as + */ + + .macro __loopt ar, as, at, incr_log2 +--- a/arch/xtensa/kernel/entry.S ++++ b/arch/xtensa/kernel/entry.S +@@ -367,8 +367,10 @@ common_exception: + s32i a2, a1, PT_SYSCALL + movi a2, 0 + s32i a3, a1, PT_EXCVADDR ++#if XCHAL_HAVE_LOOPS + xsr a2, lcount + s32i a2, a1, PT_LCOUNT ++#endif + + /* It is now save to restore the EXC_TABLE_FIXUP variable. */ + +@@ -429,11 +431,12 @@ common_exception: + rsync # PS.WOE => rsync => overflow + + /* Save lbeg, lend */ +- ++#if XCHAL_HAVE_LOOPS + rsr a4, lbeg + rsr a3, lend + s32i a4, a1, PT_LBEG + s32i a3, a1, PT_LEND ++#endif + + /* Save SCOMPARE1 */ + +@@ -724,13 +727,14 @@ common_exception_exit: + wsr a3, sar + + /* Restore LBEG, LEND, LCOUNT */ +- ++#if XCHAL_HAVE_LOOPS + l32i a2, a1, PT_LBEG + l32i a3, a1, PT_LEND + wsr a2, lbeg + l32i a2, a1, PT_LCOUNT + wsr a3, lend + wsr a2, lcount ++#endif + + /* We control single stepping through the ICOUNTLEVEL register. */ + +--- a/arch/xtensa/kernel/head.S ++++ b/arch/xtensa/kernel/head.S +@@ -249,7 +249,7 @@ ENTRY(_startup) + + __loopt a2, a3, a4, 2 + s32i a0, a2, 0 +- __endla a2, a4, 4 ++ __endla a2, a3, 4 + + #if XCHAL_DCACHE_IS_WRITEBACK + +--- a/arch/xtensa/lib/usercopy.S ++++ b/arch/xtensa/lib/usercopy.S +@@ -222,8 +222,8 @@ __xtensa_copy_user: + loopnez a7, .Loop2done + #else /* !XCHAL_HAVE_LOOPS */ + beqz a7, .Loop2done +- slli a10, a7, 4 +- add a10, a10, a3 # a10 = end of last 16B source chunk ++ slli a12, a7, 4 ++ add a12, a12, a3 # a12 = end of last 16B source chunk + #endif /* !XCHAL_HAVE_LOOPS */ + .Loop2: + EX(l32i, a7, a3, 4, l_fixup) +@@ -241,7 +241,7 @@ __xtensa_copy_user: + EX(s32i, a9, a5, 12, s_fixup) + addi a5, a5, 16 + #if !XCHAL_HAVE_LOOPS +- blt a3, a10, .Loop2 ++ blt a3, a12, .Loop2 + #endif /* !XCHAL_HAVE_LOOPS */ + .Loop2done: + bbci.l a4, 3, .L12 +--- a/arch/xtensa/platforms/iss/setup.c ++++ b/arch/xtensa/platforms/iss/setup.c +@@ -61,7 +61,9 @@ void platform_restart(void) + #if XCHAL_NUM_IBREAK > 0 + "wsr a2, ibreakenable\n\t" + #endif ++#if XCHAL_HAVE_LOOPS + "wsr a2, lcount\n\t" ++#endif + "movi a2, 0x1f\n\t" + "wsr a2, ps\n\t" + "isync\n\t" +--- a/arch/xtensa/platforms/xt2000/setup.c ++++ b/arch/xtensa/platforms/xt2000/setup.c +@@ -72,7 +72,9 @@ void platform_restart(void) + #if XCHAL_NUM_IBREAK > 0 + "wsr a2, ibreakenable\n\t" + #endif ++#if XCHAL_HAVE_LOOPS + "wsr a2, lcount\n\t" ++#endif + "movi a2, 0x1f\n\t" + "wsr a2, ps\n\t" + "isync\n\t" +--- a/arch/xtensa/platforms/xtfpga/setup.c ++++ b/arch/xtensa/platforms/xtfpga/setup.c +@@ -63,7 +63,9 @@ void platform_restart(void) + #if XCHAL_NUM_IBREAK > 0 + "wsr a2, ibreakenable\n\t" + #endif ++#if XCHAL_HAVE_LOOPS + "wsr a2, lcount\n\t" ++#endif + "movi a2, 0x1f\n\t" + "wsr a2, ps\n\t" + "isync\n\t"