From: Greg Kroah-Hartman Date: Sun, 17 Apr 2016 10:32:31 +0000 (-0700) Subject: 4.4-stable patches X-Git-Tag: v3.14.67~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a6a2399289d378d1c7a3d15f84ba3e1e21cf89d9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: au0828-fix-au0828_v4l2_close-dev_state-race-condition.patch au0828-fix-dev_state-handling.patch cdc-acm-fix-null-pointer-reference.patch coda-fix-error-path-in-case-of-missing-pdata-on-non-dt-platform.patch iio-accel-bmc150-fix-endianness-when-reading-axes.patch iio-gyro-bmg160-fix-buffer-read-values.patch iio-gyro-bmg160-fix-endianness-when-reading-axes.patch iio-st_magn-always-define-st_magn_trigger_set_state.patch kvm-x86-inject-pending-interrupt-even-if-pending-nmi-exist.patch kvm-x86-reduce-default-value-of-halt_poll_ns-parameter.patch mac80211-avoid-excessive-stack-usage-in-sta_info.patch mac80211-fix-ibss-scan-parameters.patch mac80211-fix-txq-queue-related-crashes.patch mac80211-fix-unnecessary-frame-drops-in-mesh-fwding.patch mac80211-properly-deal-with-station-hashtable-insert-errors.patch mips-fix-msa-ld-unaligned-failure-cases.patch pcmcia-db1xxx_ss-fix-last-irq_to_gpio-user.patch pinctrl-freescale-imx-fix-bogus-check-of-of_iomap-return-value.patch pinctrl-nomadik-fix-pull-debug-print-inversion.patch pinctrl-pistachio-fix-mfio84-89-function-description-and-pinmux.patch pinctrl-sh-pfc-only-use-dummy-states-for-non-dt-platforms.patch pinctrl-sunxi-fix-a33-external-interrupts-not-working.patch rbd-use-gfp_noio-consistently-for-request-allocations.patch sd-fix-excessive-capacity-printing-on-devices-with-blocks-bigger-than-512-bytes.patch usb-renesas_usbhs-avoid-null-pointer-derefernce-in-usbhsf_pkt_handler.patch usb-renesas_usbhs-disable-tx-irq-before-starting-tx-dmac-transfer.patch usb-renesas_usbhs-fix-to-avoid-using-a-disabled-ep-in-usbhsg_queue_done.patch usb-uas-add-a-new-no_report_luns-quirk.patch usb-uas-limit-qdepth-at-the-scsi-host-level.patch v4l-vsp1-set-the-sru-ctrl0-register-when-starting-the-stream.patch virtio-virtio-1.0-cs04-spec-compliance-for-reset.patch --- diff --git a/queue-4.4/au0828-fix-au0828_v4l2_close-dev_state-race-condition.patch b/queue-4.4/au0828-fix-au0828_v4l2_close-dev_state-race-condition.patch new file mode 100644 index 00000000000..a15d06d3ada --- /dev/null +++ b/queue-4.4/au0828-fix-au0828_v4l2_close-dev_state-race-condition.patch @@ -0,0 +1,48 @@ +From ed940cd27416f9887864b95e1f8f8845aa9d6391 Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Tue, 22 Mar 2016 01:04:05 -0300 +Subject: [media] au0828: fix au0828_v4l2_close() dev_state race condition + +From: Shuah Khan + +commit ed940cd27416f9887864b95e1f8f8845aa9d6391 upstream. + +au0828_v4l2_close() check for dev_state == DEV_DISCONNECTED will fail to +detect the device disconnected state correctly, if au0828_v4l2_open() runs +to set the DEV_INITIALIZED bit. A loop test of bind/unbind found this bug +by increasing the likelihood of au0828_v4l2_open() occurring while unbind +is in progress. When au0828_v4l2_close() fails to detect that the device +is in disconnect state, it attempts to power down the device and fails with +the following general protection fault: + +[ 260.992962] Call Trace: +[ 260.993008] [] ? xc5000_sleep+0x8f/0xd0 [xc5000] +[ 260.993095] [] ? fe_standby+0x3c/0x50 [tuner] +[ 260.993186] [] au0828_v4l2_close+0x53c/0x620 [au0828] +[ 260.993298] [] v4l2_release+0xf0/0x210 [videodev] +[ 260.993382] [] __fput+0x1fc/0x6c0 +[ 260.993449] [] ____fput+0xe/0x10 +[ 260.993519] [] task_work_run+0x133/0x1f0 +[ 260.993602] [] exit_to_usermode_loop+0x140/0x170 +[ 260.993681] [] syscall_return_slowpath+0x16a/0x1a0 +[ 260.993754] [] entry_SYSCALL_64_fastpath+0xa6/0xa8 + +Signed-off-by: Shuah Khan +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/au0828/au0828-video.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/usb/au0828/au0828-video.c ++++ b/drivers/media/usb/au0828/au0828-video.c +@@ -1007,7 +1007,7 @@ static int au0828_v4l2_close(struct file + del_timer_sync(&dev->vbi_timeout); + } + +- if (dev->dev_state == DEV_DISCONNECTED) ++ if (dev->dev_state & DEV_DISCONNECTED) + goto end; + + if (dev->users == 1) { diff --git a/queue-4.4/au0828-fix-dev_state-handling.patch b/queue-4.4/au0828-fix-dev_state-handling.patch new file mode 100644 index 00000000000..8234d31a2c1 --- /dev/null +++ b/queue-4.4/au0828-fix-dev_state-handling.patch @@ -0,0 +1,360 @@ +From e8e3039f5b941f7825d335f8ca11c12a8104db11 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Tue, 22 Mar 2016 09:21:57 -0300 +Subject: [media] au0828: Fix dev_state handling + +From: Mauro Carvalho Chehab + +commit e8e3039f5b941f7825d335f8ca11c12a8104db11 upstream. + +The au0828 dev_state is actually a bit mask. It should not be +checking with "==" but, instead, with a logic and. There are some +places where it was doing it wrong. + +Fix that by replacing the dev_state set/clear/test with the +bitops. + +As reviewed by Shuah: + "Looks good. Tested running bind/unbind au0828 loop for 1000 times. + Didn't see any problems and the v4l2_querycap() problem has been + fixed with this patch. + + After the above test, ran bind/unbind snd_usb_audio 1000 times. + Didn't see any problems. Generated media graph and the graph + looks good." + +Reviewed-by: Shuah Khan +Tested-by: Shuah Khan +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/au0828/au0828-core.c | 2 - + drivers/media/usb/au0828/au0828-input.c | 4 +- + drivers/media/usb/au0828/au0828-video.c | 63 +++++++++++++++----------------- + drivers/media/usb/au0828/au0828.h | 9 ++-- + 4 files changed, 39 insertions(+), 39 deletions(-) + +--- a/drivers/media/usb/au0828/au0828-core.c ++++ b/drivers/media/usb/au0828/au0828-core.c +@@ -159,7 +159,7 @@ static void au0828_usb_disconnect(struct + Set the status so poll routines can check and avoid + access after disconnect. + */ +- dev->dev_state = DEV_DISCONNECTED; ++ set_bit(DEV_DISCONNECTED, &dev->dev_state); + + au0828_rc_unregister(dev); + /* Digital TV */ +--- a/drivers/media/usb/au0828/au0828-input.c ++++ b/drivers/media/usb/au0828/au0828-input.c +@@ -130,7 +130,7 @@ static int au0828_get_key_au8522(struct + bool first = true; + + /* do nothing if device is disconnected */ +- if (ir->dev->dev_state == DEV_DISCONNECTED) ++ if (test_bit(DEV_DISCONNECTED, &ir->dev->dev_state)) + return 0; + + /* Check IR int */ +@@ -260,7 +260,7 @@ static void au0828_rc_stop(struct rc_dev + cancel_delayed_work_sync(&ir->work); + + /* do nothing if device is disconnected */ +- if (ir->dev->dev_state != DEV_DISCONNECTED) { ++ if (!test_bit(DEV_DISCONNECTED, &ir->dev->dev_state)) { + /* Disable IR */ + au8522_rc_clear(ir, 0xe0, 1 << 4); + } +--- a/drivers/media/usb/au0828/au0828-video.c ++++ b/drivers/media/usb/au0828/au0828-video.c +@@ -104,14 +104,13 @@ static inline void print_err_status(stru + + static int check_dev(struct au0828_dev *dev) + { +- if (dev->dev_state & DEV_DISCONNECTED) { ++ if (test_bit(DEV_DISCONNECTED, &dev->dev_state)) { + pr_info("v4l2 ioctl: device not present\n"); + return -ENODEV; + } + +- if (dev->dev_state & DEV_MISCONFIGURED) { +- pr_info("v4l2 ioctl: device is misconfigured; " +- "close and open it again\n"); ++ if (test_bit(DEV_MISCONFIGURED, &dev->dev_state)) { ++ pr_info("v4l2 ioctl: device is misconfigured; close and open it again\n"); + return -EIO; + } + return 0; +@@ -519,8 +518,8 @@ static inline int au0828_isoc_copy(struc + if (!dev) + return 0; + +- if ((dev->dev_state & DEV_DISCONNECTED) || +- (dev->dev_state & DEV_MISCONFIGURED)) ++ if (test_bit(DEV_DISCONNECTED, &dev->dev_state) || ++ test_bit(DEV_MISCONFIGURED, &dev->dev_state)) + return 0; + + if (urb->status < 0) { +@@ -766,10 +765,10 @@ static int au0828_stream_interrupt(struc + int ret = 0; + + dev->stream_state = STREAM_INTERRUPT; +- if (dev->dev_state == DEV_DISCONNECTED) ++ if (test_bit(DEV_DISCONNECTED, &dev->dev_state)) + return -ENODEV; + else if (ret) { +- dev->dev_state = DEV_MISCONFIGURED; ++ set_bit(DEV_MISCONFIGURED, &dev->dev_state); + dprintk(1, "%s device is misconfigured!\n", __func__); + return ret; + } +@@ -958,7 +957,7 @@ static int au0828_v4l2_open(struct file + int ret; + + dprintk(1, +- "%s called std_set %d dev_state %d stream users %d users %d\n", ++ "%s called std_set %d dev_state %ld stream users %d users %d\n", + __func__, dev->std_set_in_tuner_core, dev->dev_state, + dev->streaming_users, dev->users); + +@@ -977,7 +976,7 @@ static int au0828_v4l2_open(struct file + au0828_analog_stream_enable(dev); + au0828_analog_stream_reset(dev); + dev->stream_state = STREAM_OFF; +- dev->dev_state |= DEV_INITIALIZED; ++ set_bit(DEV_INITIALIZED, &dev->dev_state); + } + dev->users++; + mutex_unlock(&dev->lock); +@@ -991,7 +990,7 @@ static int au0828_v4l2_close(struct file + struct video_device *vdev = video_devdata(filp); + + dprintk(1, +- "%s called std_set %d dev_state %d stream users %d users %d\n", ++ "%s called std_set %d dev_state %ld stream users %d users %d\n", + __func__, dev->std_set_in_tuner_core, dev->dev_state, + dev->streaming_users, dev->users); + +@@ -1007,7 +1006,7 @@ static int au0828_v4l2_close(struct file + del_timer_sync(&dev->vbi_timeout); + } + +- if (dev->dev_state & DEV_DISCONNECTED) ++ if (test_bit(DEV_DISCONNECTED, &dev->dev_state)) + goto end; + + if (dev->users == 1) { +@@ -1036,7 +1035,7 @@ static void au0828_init_tuner(struct au0 + .type = V4L2_TUNER_ANALOG_TV, + }; + +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + + if (dev->std_set_in_tuner_core) +@@ -1108,7 +1107,7 @@ static int vidioc_querycap(struct file * + struct video_device *vdev = video_devdata(file); + struct au0828_dev *dev = video_drvdata(file); + +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + + strlcpy(cap->driver, "au0828", sizeof(cap->driver)); +@@ -1151,7 +1150,7 @@ static int vidioc_g_fmt_vid_cap(struct f + { + struct au0828_dev *dev = video_drvdata(file); + +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + + f->fmt.pix.width = dev->width; +@@ -1170,7 +1169,7 @@ static int vidioc_try_fmt_vid_cap(struct + { + struct au0828_dev *dev = video_drvdata(file); + +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + + return au0828_set_format(dev, VIDIOC_TRY_FMT, f); +@@ -1182,7 +1181,7 @@ static int vidioc_s_fmt_vid_cap(struct f + struct au0828_dev *dev = video_drvdata(file); + int rc; + +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + + rc = check_dev(dev); +@@ -1204,7 +1203,7 @@ static int vidioc_s_std(struct file *fil + { + struct au0828_dev *dev = video_drvdata(file); + +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + + if (norm == dev->std) +@@ -1236,7 +1235,7 @@ static int vidioc_g_std(struct file *fil + { + struct au0828_dev *dev = video_drvdata(file); + +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + + *norm = dev->std; +@@ -1259,7 +1258,7 @@ static int vidioc_enum_input(struct file + [AU0828_VMUX_DEBUG] = "tv debug" + }; + +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + + tmp = input->index; +@@ -1289,7 +1288,7 @@ static int vidioc_g_input(struct file *f + { + struct au0828_dev *dev = video_drvdata(file); + +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + + *i = dev->ctrl_input; +@@ -1300,7 +1299,7 @@ static void au0828_s_input(struct au0828 + { + int i; + +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + + switch (AUVI_INPUT(index).type) { +@@ -1385,7 +1384,7 @@ static int vidioc_g_audio(struct file *f + { + struct au0828_dev *dev = video_drvdata(file); + +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + + a->index = dev->ctrl_ainput; +@@ -1405,7 +1404,7 @@ static int vidioc_s_audio(struct file *f + if (a->index != dev->ctrl_ainput) + return -EINVAL; + +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + return 0; + } +@@ -1417,7 +1416,7 @@ static int vidioc_g_tuner(struct file *f + if (t->index != 0) + return -EINVAL; + +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + + strcpy(t->name, "Auvitek tuner"); +@@ -1437,7 +1436,7 @@ static int vidioc_s_tuner(struct file *f + if (t->index != 0) + return -EINVAL; + +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + + au0828_init_tuner(dev); +@@ -1459,7 +1458,7 @@ static int vidioc_g_frequency(struct fil + + if (freq->tuner != 0) + return -EINVAL; +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + freq->frequency = dev->ctrl_freq; + return 0; +@@ -1474,7 +1473,7 @@ static int vidioc_s_frequency(struct fil + if (freq->tuner != 0) + return -EINVAL; + +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + + au0828_init_tuner(dev); +@@ -1500,7 +1499,7 @@ static int vidioc_g_fmt_vbi_cap(struct f + { + struct au0828_dev *dev = video_drvdata(file); + +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + + format->fmt.vbi.samples_per_line = dev->vbi_width; +@@ -1526,7 +1525,7 @@ static int vidioc_cropcap(struct file *f + if (cc->type != V4L2_BUF_TYPE_VIDEO_CAPTURE) + return -EINVAL; + +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + + cc->bounds.left = 0; +@@ -1548,7 +1547,7 @@ static int vidioc_g_register(struct file + { + struct au0828_dev *dev = video_drvdata(file); + +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + + reg->val = au0828_read(dev, reg->reg); +@@ -1561,7 +1560,7 @@ static int vidioc_s_register(struct file + { + struct au0828_dev *dev = video_drvdata(file); + +- dprintk(1, "%s called std_set %d dev_state %d\n", __func__, ++ dprintk(1, "%s called std_set %d dev_state %ld\n", __func__, + dev->std_set_in_tuner_core, dev->dev_state); + + return au0828_writereg(dev, reg->reg, reg->val); +--- a/drivers/media/usb/au0828/au0828.h ++++ b/drivers/media/usb/au0828/au0828.h +@@ -21,6 +21,7 @@ + + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + ++#include + #include + #include + #include +@@ -122,9 +123,9 @@ enum au0828_stream_state { + + /* device state */ + enum au0828_dev_state { +- DEV_INITIALIZED = 0x01, +- DEV_DISCONNECTED = 0x02, +- DEV_MISCONFIGURED = 0x04 ++ DEV_INITIALIZED = 0, ++ DEV_DISCONNECTED = 1, ++ DEV_MISCONFIGURED = 2 + }; + + struct au0828_dev; +@@ -248,7 +249,7 @@ struct au0828_dev { + int input_type; + int std_set_in_tuner_core; + unsigned int ctrl_input; +- enum au0828_dev_state dev_state; ++ long unsigned int dev_state; /* defined at enum au0828_dev_state */; + enum au0828_stream_state stream_state; + wait_queue_head_t open; + diff --git a/queue-4.4/cdc-acm-fix-null-pointer-reference.patch b/queue-4.4/cdc-acm-fix-null-pointer-reference.patch new file mode 100644 index 00000000000..7e418b3febb --- /dev/null +++ b/queue-4.4/cdc-acm-fix-null-pointer-reference.patch @@ -0,0 +1,47 @@ +From 29c6dd591bbd592472247441de9fa694acdabae8 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 7 Jan 2016 11:01:00 +0100 +Subject: cdc-acm: fix NULL pointer reference + +From: Oliver Neukum + +commit 29c6dd591bbd592472247441de9fa694acdabae8 upstream. + +The union descriptor must be checked. Its usage was conditional +before the parser was introduced. This is important, because +many RNDIS device, which also use the common parser, have +bogus extra descriptors. + +Signed-off-by: Oliver Neukum +Tested-by: Vasily Galkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/usb/cdc_ether.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/net/usb/cdc_ether.c ++++ b/drivers/net/usb/cdc_ether.c +@@ -160,6 +160,12 @@ int usbnet_generic_cdc_bind(struct usbne + info->u = header.usb_cdc_union_desc; + info->header = header.usb_cdc_header_desc; + info->ether = header.usb_cdc_ether_desc; ++ if (!info->u) { ++ if (rndis) ++ goto skip; ++ else /* in that case a quirk is mandatory */ ++ goto bad_desc; ++ } + /* we need a master/control interface (what we're + * probed with) and a slave/data interface; union + * descriptors sort this all out. +@@ -256,7 +262,7 @@ skip: + goto bad_desc; + } + +- } else if (!info->header || !info->u || (!rndis && !info->ether)) { ++ } else if (!info->header || (!rndis && !info->ether)) { + dev_dbg(&intf->dev, "missing cdc %s%s%sdescriptor\n", + info->header ? "" : "header ", + info->u ? "" : "union ", diff --git a/queue-4.4/coda-fix-error-path-in-case-of-missing-pdata-on-non-dt-platform.patch b/queue-4.4/coda-fix-error-path-in-case-of-missing-pdata-on-non-dt-platform.patch new file mode 100644 index 00000000000..e616325d096 --- /dev/null +++ b/queue-4.4/coda-fix-error-path-in-case-of-missing-pdata-on-non-dt-platform.patch @@ -0,0 +1,45 @@ +From bc717d5e92c8c079280eb4acbe335c6f25041aa2 Mon Sep 17 00:00:00 2001 +From: Philipp Zabel +Date: Fri, 26 Feb 2016 08:21:35 -0300 +Subject: [media] coda: fix error path in case of missing pdata on non-DT platform + +From: Philipp Zabel + +commit bc717d5e92c8c079280eb4acbe335c6f25041aa2 upstream. + +If we bail out this early, v4l2_device_register() has not been called +yet, so no need to call v4l2_device_unregister(). + +Fixes: b7bd660a51f0 ("[media] coda: Call v4l2_device_unregister() from a single location") + +Reported-by: Michael Olbrich +Signed-off-by: Philipp Zabel +Reviewed-by: Fabio Estevam +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/coda/coda-common.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/media/platform/coda/coda-common.c ++++ b/drivers/media/platform/coda/coda-common.c +@@ -2119,14 +2119,12 @@ static int coda_probe(struct platform_de + + pdev_id = of_id ? of_id->data : platform_get_device_id(pdev); + +- if (of_id) { ++ if (of_id) + dev->devtype = of_id->data; +- } else if (pdev_id) { ++ else if (pdev_id) + dev->devtype = &coda_devdata[pdev_id->driver_data]; +- } else { +- ret = -EINVAL; +- goto err_v4l2_register; +- } ++ else ++ return -EINVAL; + + spin_lock_init(&dev->irqlock); + INIT_LIST_HEAD(&dev->instances); diff --git a/queue-4.4/iio-accel-bmc150-fix-endianness-when-reading-axes.patch b/queue-4.4/iio-accel-bmc150-fix-endianness-when-reading-axes.patch new file mode 100644 index 00000000000..42f1f319260 --- /dev/null +++ b/queue-4.4/iio-accel-bmc150-fix-endianness-when-reading-axes.patch @@ -0,0 +1,69 @@ +From 2215f31dc6f88634c1916362e922b1ecdce0a6b3 Mon Sep 17 00:00:00 2001 +From: Irina Tirdea +Date: Tue, 29 Mar 2016 15:35:45 +0300 +Subject: iio: accel: bmc150: fix endianness when reading axes + +From: Irina Tirdea + +commit 2215f31dc6f88634c1916362e922b1ecdce0a6b3 upstream. + +For big endian platforms, reading the axes will return +invalid values. + +The device stores each axis value in a 16 bit little +endian register. The driver uses regmap_read_bulk to get +the axis value, resulting in a 16 bit little endian value. +This needs to be converted to cpu endianness to work +on big endian platforms. + +Fix endianness for big endian platforms by converting +the values for the axes read from little endian to +cpu. + +This is also partially fixed in commit b6fb9b6d6552 ("iio: +accel: bmc150: optimize transfers in trigger handler"). + +Signed-off-by: Irina Tirdea +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/accel/bmc150-accel-core.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/iio/accel/bmc150-accel-core.c ++++ b/drivers/iio/accel/bmc150-accel-core.c +@@ -547,7 +547,7 @@ static int bmc150_accel_get_axis(struct + { + int ret; + int axis = chan->scan_index; +- unsigned int raw_val; ++ __le16 raw_val; + + mutex_lock(&data->mutex); + ret = bmc150_accel_set_power_state(data, true); +@@ -557,14 +557,14 @@ static int bmc150_accel_get_axis(struct + } + + ret = regmap_bulk_read(data->regmap, BMC150_ACCEL_AXIS_TO_REG(axis), +- &raw_val, 2); ++ &raw_val, sizeof(raw_val)); + if (ret < 0) { + dev_err(data->dev, "Error reading axis %d\n", axis); + bmc150_accel_set_power_state(data, false); + mutex_unlock(&data->mutex); + return ret; + } +- *val = sign_extend32(raw_val >> chan->scan_type.shift, ++ *val = sign_extend32(le16_to_cpu(raw_val) >> chan->scan_type.shift, + chan->scan_type.realbits - 1); + ret = bmc150_accel_set_power_state(data, false); + mutex_unlock(&data->mutex); +@@ -988,6 +988,7 @@ static const struct iio_event_spec bmc15 + .realbits = (bits), \ + .storagebits = 16, \ + .shift = 16 - (bits), \ ++ .endianness = IIO_LE, \ + }, \ + .event_spec = &bmc150_accel_event, \ + .num_event_specs = 1 \ diff --git a/queue-4.4/iio-gyro-bmg160-fix-buffer-read-values.patch b/queue-4.4/iio-gyro-bmg160-fix-buffer-read-values.patch new file mode 100644 index 00000000000..364fef3d050 --- /dev/null +++ b/queue-4.4/iio-gyro-bmg160-fix-buffer-read-values.patch @@ -0,0 +1,36 @@ +From b475c59b113db1e66eb9527ffdec3c5241c847e5 Mon Sep 17 00:00:00 2001 +From: Irina Tirdea +Date: Mon, 28 Mar 2016 20:15:46 +0300 +Subject: iio: gyro: bmg160: fix buffer read values + +From: Irina Tirdea + +commit b475c59b113db1e66eb9527ffdec3c5241c847e5 upstream. + +When reading gyroscope axes using iio buffers, the values +returned are always 0. In the interrupt handler, the return +value of the read operation is returned to the user instead +of the value read. Return the value read to the user. + +This is also fixed in commit 82d8e5da1a33 ("iio: +accel: bmg160: optimize transfers in trigger handler"). + +Signed-off-by: Irina Tirdea +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/gyro/bmg160_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/gyro/bmg160_core.c ++++ b/drivers/iio/gyro/bmg160_core.c +@@ -780,7 +780,7 @@ static irqreturn_t bmg160_trigger_handle + mutex_unlock(&data->mutex); + goto err; + } +- data->buffer[i++] = ret; ++ data->buffer[i++] = val; + } + mutex_unlock(&data->mutex); + diff --git a/queue-4.4/iio-gyro-bmg160-fix-endianness-when-reading-axes.patch b/queue-4.4/iio-gyro-bmg160-fix-endianness-when-reading-axes.patch new file mode 100644 index 00000000000..09c4b53e5ee --- /dev/null +++ b/queue-4.4/iio-gyro-bmg160-fix-endianness-when-reading-axes.patch @@ -0,0 +1,70 @@ +From 95e7ff034175db7d8aefabe7716c4d42bea24fde Mon Sep 17 00:00:00 2001 +From: Irina Tirdea +Date: Tue, 29 Mar 2016 15:37:30 +0300 +Subject: iio: gyro: bmg160: fix endianness when reading axes + +From: Irina Tirdea + +commit 95e7ff034175db7d8aefabe7716c4d42bea24fde upstream. + +For big endian platforms, reading the axes will return +invalid values. + +The device stores each axis value in a 16 bit little +endian register. The driver uses regmap_read_bulk to get +the axis value, resulting in a 16 bit little endian value. +This needs to be converted to cpu endianness to work +on big endian platforms. + +Fix endianness for big endian platforms by converting +the values for the axes read from little endian to +cpu. + +This is also partially fixed in commit 82d8e5da1a33 ("iio: +accel: bmg160: optimize transfers in trigger handler"). + +Signed-off-by: Irina Tirdea +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/gyro/bmg160_core.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/iio/gyro/bmg160_core.c ++++ b/drivers/iio/gyro/bmg160_core.c +@@ -452,7 +452,7 @@ static int bmg160_get_temp(struct bmg160 + static int bmg160_get_axis(struct bmg160_data *data, int axis, int *val) + { + int ret; +- unsigned int raw_val; ++ __le16 raw_val; + + mutex_lock(&data->mutex); + ret = bmg160_set_power_state(data, true); +@@ -462,7 +462,7 @@ static int bmg160_get_axis(struct bmg160 + } + + ret = regmap_bulk_read(data->regmap, BMG160_AXIS_TO_REG(axis), &raw_val, +- 2); ++ sizeof(raw_val)); + if (ret < 0) { + dev_err(data->dev, "Error reading axis %d\n", axis); + bmg160_set_power_state(data, false); +@@ -470,7 +470,7 @@ static int bmg160_get_axis(struct bmg160 + return ret; + } + +- *val = sign_extend32(raw_val, 15); ++ *val = sign_extend32(le16_to_cpu(raw_val), 15); + ret = bmg160_set_power_state(data, false); + mutex_unlock(&data->mutex); + if (ret < 0) +@@ -733,6 +733,7 @@ static const struct iio_event_spec bmg16 + .sign = 's', \ + .realbits = 16, \ + .storagebits = 16, \ ++ .endianness = IIO_LE, \ + }, \ + .event_spec = &bmg160_event, \ + .num_event_specs = 1 \ diff --git a/queue-4.4/iio-st_magn-always-define-st_magn_trigger_set_state.patch b/queue-4.4/iio-st_magn-always-define-st_magn_trigger_set_state.patch new file mode 100644 index 00000000000..54f810eb679 --- /dev/null +++ b/queue-4.4/iio-st_magn-always-define-st_magn_trigger_set_state.patch @@ -0,0 +1,41 @@ +From 9b090a98e95c2530ef0ce474e3b6218621b8ae25 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 29 Mar 2016 22:27:27 +0200 +Subject: iio: st_magn: always define ST_MAGN_TRIGGER_SET_STATE + +From: Arnd Bergmann + +commit 9b090a98e95c2530ef0ce474e3b6218621b8ae25 upstream. + +When CONFIG_IIO_TRIGGER is enabled but CONFIG_IIO_BUFFER is +not, we get a build error in the st_magn driver: + +drivers/iio/magnetometer/st_magn_core.c:573:23: error: 'ST_MAGN_TRIGGER_SET_STATE' undeclared here (not in a function) + .set_trigger_state = ST_MAGN_TRIGGER_SET_STATE, + ^~~~~~~~~~~~~~~~~~~~~~~~~ + +Apparently, this ST_MAGN_TRIGGER_SET_STATE macro was meant to +be set to NULL when the definition is not available because +st_magn_buffer.c is not compiled, but the alternative definition +was not included in the original patch. This adds it. + +Signed-off-by: Arnd Bergmann +Fixes: 74f5683f35fe ("iio: st_magn: Add irq trigger handling") +Acked-by: Denis Ciocca +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/magnetometer/st_magn.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/magnetometer/st_magn.h ++++ b/drivers/iio/magnetometer/st_magn.h +@@ -44,6 +44,7 @@ static inline int st_magn_allocate_ring( + static inline void st_magn_deallocate_ring(struct iio_dev *indio_dev) + { + } ++#define ST_MAGN_TRIGGER_SET_STATE NULL + #endif /* CONFIG_IIO_BUFFER */ + + #endif /* ST_MAGN_H */ diff --git a/queue-4.4/kvm-x86-inject-pending-interrupt-even-if-pending-nmi-exist.patch b/queue-4.4/kvm-x86-inject-pending-interrupt-even-if-pending-nmi-exist.patch new file mode 100644 index 00000000000..3fe54f32bd0 --- /dev/null +++ b/queue-4.4/kvm-x86-inject-pending-interrupt-even-if-pending-nmi-exist.patch @@ -0,0 +1,72 @@ +From 321c5658c5e9192dea0d58ab67cf1791e45b2b26 Mon Sep 17 00:00:00 2001 +From: Yuki Shibuya +Date: Thu, 24 Mar 2016 05:17:03 +0000 +Subject: KVM: x86: Inject pending interrupt even if pending nmi exist + +From: Yuki Shibuya + +commit 321c5658c5e9192dea0d58ab67cf1791e45b2b26 upstream. + +Non maskable interrupts (NMI) are preferred to interrupts in current +implementation. If a NMI is pending and NMI is blocked by the result +of nmi_allowed(), pending interrupt is not injected and +enable_irq_window() is not executed, even if interrupts injection is +allowed. + +In old kernel (e.g. 2.6.32), schedule() is often called in NMI context. +In this case, interrupts are needed to execute iret that intends end +of NMI. The flag of blocking new NMI is not cleared until the guest +execute the iret, and interrupts are blocked by pending NMI. Due to +this, iret can't be invoked in the guest, and the guest is starved +until block is cleared by some events (e.g. canceling injection). + +This patch injects pending interrupts, when it's allowed, even if NMI +is blocked. And, If an interrupts is pending after executing +inject_pending_event(), enable_irq_window() is executed regardless of +NMI pending counter. + +Signed-off-by: Yuki Shibuya +Suggested-by: Paolo Bonzini +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -6024,12 +6024,10 @@ static int inject_pending_event(struct k + } + + /* try to inject new event if pending */ +- if (vcpu->arch.nmi_pending) { +- if (kvm_x86_ops->nmi_allowed(vcpu)) { +- --vcpu->arch.nmi_pending; +- vcpu->arch.nmi_injected = true; +- kvm_x86_ops->set_nmi(vcpu); +- } ++ if (vcpu->arch.nmi_pending && kvm_x86_ops->nmi_allowed(vcpu)) { ++ --vcpu->arch.nmi_pending; ++ vcpu->arch.nmi_injected = true; ++ kvm_x86_ops->set_nmi(vcpu); + } else if (kvm_cpu_has_injectable_intr(vcpu)) { + /* + * Because interrupts can be injected asynchronously, we are +@@ -6474,10 +6472,12 @@ static int vcpu_enter_guest(struct kvm_v + if (inject_pending_event(vcpu, req_int_win) != 0) + req_immediate_exit = true; + /* enable NMI/IRQ window open exits if needed */ +- else if (vcpu->arch.nmi_pending) +- kvm_x86_ops->enable_nmi_window(vcpu); +- else if (kvm_cpu_has_injectable_intr(vcpu) || req_int_win) +- kvm_x86_ops->enable_irq_window(vcpu); ++ else { ++ if (vcpu->arch.nmi_pending) ++ kvm_x86_ops->enable_nmi_window(vcpu); ++ if (kvm_cpu_has_injectable_intr(vcpu) || req_int_win) ++ kvm_x86_ops->enable_irq_window(vcpu); ++ } + + if (kvm_lapic_enabled(vcpu)) { + update_cr8_intercept(vcpu); diff --git a/queue-4.4/kvm-x86-reduce-default-value-of-halt_poll_ns-parameter.patch b/queue-4.4/kvm-x86-reduce-default-value-of-halt_poll_ns-parameter.patch new file mode 100644 index 00000000000..7cec1eb6336 --- /dev/null +++ b/queue-4.4/kvm-x86-reduce-default-value-of-halt_poll_ns-parameter.patch @@ -0,0 +1,47 @@ +From 14ebda3394fd3e5388747e742e510b0802a65d24 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 29 Mar 2016 17:56:57 +0200 +Subject: KVM: x86: reduce default value of halt_poll_ns parameter + +From: Paolo Bonzini + +commit 14ebda3394fd3e5388747e742e510b0802a65d24 upstream. + +Windows lets applications choose the frequency of the timer tick, +and in Windows 10 the maximum rate was changed from 1024 Hz to +2048 Hz. Unfortunately, because of the way the Windows API +works, most applications who need a higher rate than the default +64 Hz will just do + + timeGetDevCaps(&tc, sizeof(tc)); + timeBeginPeriod(tc.wPeriodMin); + +and pick the maximum rate. This causes very high CPU usage when +playing media or games on Windows 10, even if the guest does not +actually use the CPU very much, because the frequent timer tick +causes halt_poll_ns to kick in. + +There is no really good solution, especially because Microsoft +could sooner or later bump the limit to 4096 Hz, but for now +the best we can do is lower a bit the upper limit for +halt_poll_ns. :-( + +Reported-by: Jon Panozzo +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/kvm_host.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -41,7 +41,7 @@ + + #define KVM_PIO_PAGE_OFFSET 1 + #define KVM_COALESCED_MMIO_PAGE_OFFSET 2 +-#define KVM_HALT_POLL_NS_DEFAULT 500000 ++#define KVM_HALT_POLL_NS_DEFAULT 400000 + + #define KVM_IRQCHIP_NUM_PINS KVM_IOAPIC_NUM_PINS + diff --git a/queue-4.4/mac80211-avoid-excessive-stack-usage-in-sta_info.patch b/queue-4.4/mac80211-avoid-excessive-stack-usage-in-sta_info.patch new file mode 100644 index 00000000000..91d11ee2e57 --- /dev/null +++ b/queue-4.4/mac80211-avoid-excessive-stack-usage-in-sta_info.patch @@ -0,0 +1,96 @@ +From 0ef049dc1167fe834d0ad5d63f89eddc5c70f6e4 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 26 Jan 2016 23:05:31 +0100 +Subject: mac80211: avoid excessive stack usage in sta_info + +From: Arnd Bergmann + +commit 0ef049dc1167fe834d0ad5d63f89eddc5c70f6e4 upstream. + +When CONFIG_OPTIMIZE_INLINING is set, the sta_info_insert_finish +function consumes more stack than normally, exceeding the +1024 byte limit on ARM: + +net/mac80211/sta_info.c: In function 'sta_info_insert_finish': +net/mac80211/sta_info.c:561:1: error: the frame size of 1080 bytes is larger than 1024 bytes [-Werror=frame-larger-than=] + +It turns out that there are two functions that put a 'struct station_info' +on the stack: __sta_info_destroy_part2 and sta_info_insert_finish, and +this structure alone requires up to 792 bytes. + +Hoping that both are called rarely enough, this replaces the +on-stack structure with a dynamic allocation, which unfortunately +requires some suboptimal error handling for out-of-memory. + +The __sta_info_destroy_part2 function is actually affected by the +stack usage twice because it calls cfg80211_del_sta_sinfo(), which +has another instance of struct station_info on its stack. + +Signed-off-by: Arnd Bergmann +Fixes: 98b6218388e3 ("mac80211/cfg80211: add station events") +Fixes: 6f7a8d26e266 ("mac80211: send statistics with delete station event") +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/sta_info.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -484,11 +484,17 @@ static int sta_info_insert_finish(struct + { + struct ieee80211_local *local = sta->local; + struct ieee80211_sub_if_data *sdata = sta->sdata; +- struct station_info sinfo; ++ struct station_info *sinfo; + int err = 0; + + lockdep_assert_held(&local->sta_mtx); + ++ sinfo = kzalloc(sizeof(struct station_info), GFP_KERNEL); ++ if (!sinfo) { ++ err = -ENOMEM; ++ goto out_err; ++ } ++ + /* check if STA exists already */ + if (sta_info_get_bss(sdata, sta->sta.addr)) { + err = -EEXIST; +@@ -522,10 +528,9 @@ static int sta_info_insert_finish(struct + ieee80211_sta_debugfs_add(sta); + rate_control_add_sta_debugfs(sta); + +- memset(&sinfo, 0, sizeof(sinfo)); +- sinfo.filled = 0; +- sinfo.generation = local->sta_generation; +- cfg80211_new_sta(sdata->dev, sta->sta.addr, &sinfo, GFP_KERNEL); ++ sinfo->generation = local->sta_generation; ++ cfg80211_new_sta(sdata->dev, sta->sta.addr, sinfo, GFP_KERNEL); ++ kfree(sinfo); + + sta_dbg(sdata, "Inserted STA %pM\n", sta->sta.addr); + +@@ -885,7 +890,7 @@ static void __sta_info_destroy_part2(str + { + struct ieee80211_local *local = sta->local; + struct ieee80211_sub_if_data *sdata = sta->sdata; +- struct station_info sinfo = {}; ++ struct station_info *sinfo; + int ret; + + /* +@@ -923,8 +928,11 @@ static void __sta_info_destroy_part2(str + + sta_dbg(sdata, "Removed STA %pM\n", sta->sta.addr); + +- sta_set_sinfo(sta, &sinfo); +- cfg80211_del_sta_sinfo(sdata->dev, sta->sta.addr, &sinfo, GFP_KERNEL); ++ sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL); ++ if (sinfo) ++ sta_set_sinfo(sta, sinfo); ++ cfg80211_del_sta_sinfo(sdata->dev, sta->sta.addr, sinfo, GFP_KERNEL); ++ kfree(sinfo); + + rate_control_remove_sta_debugfs(sta); + ieee80211_sta_debugfs_remove(sta); diff --git a/queue-4.4/mac80211-fix-ibss-scan-parameters.patch b/queue-4.4/mac80211-fix-ibss-scan-parameters.patch new file mode 100644 index 00000000000..c81aa10f787 --- /dev/null +++ b/queue-4.4/mac80211-fix-ibss-scan-parameters.patch @@ -0,0 +1,67 @@ +From d321cd014e51baab475efbdec468255b9e0ec822 Mon Sep 17 00:00:00 2001 +From: Sara Sharon +Date: Mon, 25 Jan 2016 15:46:35 +0200 +Subject: mac80211: fix ibss scan parameters + +From: Sara Sharon + +commit d321cd014e51baab475efbdec468255b9e0ec822 upstream. + +When joining IBSS a full scan should be initiated in order to search +for existing cell, unless the fixed_channel parameter was set. +A default channel to create the IBSS on if no cell was found is +provided as well. +However - a scan is initiated only on the default channel provided +regardless of whether ifibss->fixed_channel is set or not, with the +obvious result of the cell not joining existing IBSS cell that is +on another channel. + +Fixes: 76bed0f43b27 ("mac80211: IBSS fix scan request") +Signed-off-by: Sara Sharon +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/ibss.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +--- a/net/mac80211/ibss.c ++++ b/net/mac80211/ibss.c +@@ -7,6 +7,7 @@ + * Copyright 2007, Michael Wu + * Copyright 2009, Johannes Berg + * Copyright 2013-2014 Intel Mobile Communications GmbH ++ * Copyright(c) 2016 Intel Deutschland GmbH + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -1484,14 +1485,21 @@ static void ieee80211_sta_find_ibss(stru + + sdata_info(sdata, "Trigger new scan to find an IBSS to join\n"); + +- num = ieee80211_ibss_setup_scan_channels(local->hw.wiphy, +- &ifibss->chandef, +- channels, +- ARRAY_SIZE(channels)); + scan_width = cfg80211_chandef_to_scan_width(&ifibss->chandef); +- ieee80211_request_ibss_scan(sdata, ifibss->ssid, +- ifibss->ssid_len, channels, num, +- scan_width); ++ ++ if (ifibss->fixed_channel) { ++ num = ieee80211_ibss_setup_scan_channels(local->hw.wiphy, ++ &ifibss->chandef, ++ channels, ++ ARRAY_SIZE(channels)); ++ ieee80211_request_ibss_scan(sdata, ifibss->ssid, ++ ifibss->ssid_len, channels, ++ num, scan_width); ++ } else { ++ ieee80211_request_ibss_scan(sdata, ifibss->ssid, ++ ifibss->ssid_len, NULL, ++ 0, scan_width); ++ } + } else { + int interval = IEEE80211_SCAN_INTERVAL; + diff --git a/queue-4.4/mac80211-fix-txq-queue-related-crashes.patch b/queue-4.4/mac80211-fix-txq-queue-related-crashes.patch new file mode 100644 index 00000000000..bcfeb5b2fe4 --- /dev/null +++ b/queue-4.4/mac80211-fix-txq-queue-related-crashes.patch @@ -0,0 +1,37 @@ +From 2a58d42c1e018ad514d4e23fd33fb2ded95d3ee6 Mon Sep 17 00:00:00 2001 +From: Michal Kazior +Date: Thu, 21 Jan 2016 14:23:07 +0100 +Subject: mac80211: fix txq queue related crashes + +From: Michal Kazior + +commit 2a58d42c1e018ad514d4e23fd33fb2ded95d3ee6 upstream. + +The driver can access the queue simultanously +while mac80211 tears down the interface. Without +spinlock protection this could lead to corrupting +sk_buff_head and subsequently to an invalid +pointer dereference. + +Fixes: ba8c3d6f16a1 ("mac80211: add an intermediate software queue implementation") +Signed-off-by: Michal Kazior +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/iface.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -977,7 +977,10 @@ static void ieee80211_do_stop(struct iee + if (sdata->vif.txq) { + struct txq_info *txqi = to_txq_info(sdata->vif.txq); + ++ spin_lock_bh(&txqi->queue.lock); + ieee80211_purge_tx_queue(&local->hw, &txqi->queue); ++ spin_unlock_bh(&txqi->queue.lock); ++ + atomic_set(&sdata->txqs_len[txqi->txq.ac], 0); + } + diff --git a/queue-4.4/mac80211-fix-unnecessary-frame-drops-in-mesh-fwding.patch b/queue-4.4/mac80211-fix-unnecessary-frame-drops-in-mesh-fwding.patch new file mode 100644 index 00000000000..a7484a0d5ee --- /dev/null +++ b/queue-4.4/mac80211-fix-unnecessary-frame-drops-in-mesh-fwding.patch @@ -0,0 +1,67 @@ +From cf44012810ccdd8fd947518e965cb04b7b8498be Mon Sep 17 00:00:00 2001 +From: Michal Kazior +Date: Mon, 25 Jan 2016 14:43:24 +0100 +Subject: mac80211: fix unnecessary frame drops in mesh fwding + +From: Michal Kazior + +commit cf44012810ccdd8fd947518e965cb04b7b8498be upstream. + +The ieee80211_queue_stopped() expects hw queue +number but it was given raw WMM AC number instead. + +This could cause frame drops and problems with +traffic in some cases - most notably if driver +doesn't map AC numbers to queue numbers 1:1 and +uses ieee80211_stop_queues() and +ieee80211_wake_queue() only without ever calling +ieee80211_wake_queues(). + +On ath10k it was possible to hit this problem in +the following case: + + 1. wlan0 uses queue 0 + (ath10k maps queues per vif) + 2. offchannel uses queue 15 + 3. queues 1-14 are unused + 4. ieee80211_stop_queues() + 5. ieee80211_wake_queue(q=0) + 6. ieee80211_wake_queue(q=15) + (other queues are not woken up because both + driver and mac80211 know other queues are + unused) + 7. ieee80211_rx_h_mesh_fwding() + 8. ieee80211_select_queue_80211() returns 2 + 9. ieee80211_queue_stopped(q=2) returns true + 10. frame is dropped (oops!) + +Fixes: d3c1597b8d1b ("mac80211: fix forwarded mesh frame queue mapping") +Signed-off-by: Michal Kazior +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/rx.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2250,7 +2250,7 @@ ieee80211_rx_h_mesh_fwding(struct ieee80 + struct ieee80211_local *local = rx->local; + struct ieee80211_sub_if_data *sdata = rx->sdata; + struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh; +- u16 q, hdrlen; ++ u16 ac, q, hdrlen; + + hdr = (struct ieee80211_hdr *) skb->data; + hdrlen = ieee80211_hdrlen(hdr->frame_control); +@@ -2319,7 +2319,8 @@ ieee80211_rx_h_mesh_fwding(struct ieee80 + ether_addr_equal(sdata->vif.addr, hdr->addr3)) + return RX_CONTINUE; + +- q = ieee80211_select_queue_80211(sdata, skb, hdr); ++ ac = ieee80211_select_queue_80211(sdata, skb, hdr); ++ q = sdata->vif.hw_queue[ac]; + if (ieee80211_queue_stopped(&local->hw, q)) { + IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_congestion); + return RX_DROP_MONITOR; diff --git a/queue-4.4/mac80211-properly-deal-with-station-hashtable-insert-errors.patch b/queue-4.4/mac80211-properly-deal-with-station-hashtable-insert-errors.patch new file mode 100644 index 00000000000..b4f3abded0e --- /dev/null +++ b/queue-4.4/mac80211-properly-deal-with-station-hashtable-insert-errors.patch @@ -0,0 +1,62 @@ +From 62b14b241ca6f790a17ccd9dd9f62ce1b006d406 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Thu, 31 Mar 2016 17:22:45 +0200 +Subject: mac80211: properly deal with station hashtable insert errors + +From: Johannes Berg + +commit 62b14b241ca6f790a17ccd9dd9f62ce1b006d406 upstream. + +The original hand-implemented hash-table in mac80211 couldn't result +in insertion errors, and while converting to rhashtable I evidently +forgot to check the errors. + +This surfaced now only because Ben is adding many identical keys and +that resulted in hidden insertion errors. + +Fixes: 7bedd0cfad4e1 ("mac80211: use rhashtable for station table") +Reported-by: Ben Greear +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/sta_info.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -256,11 +256,11 @@ void sta_info_free(struct ieee80211_loca + } + + /* Caller must hold local->sta_mtx */ +-static void sta_info_hash_add(struct ieee80211_local *local, +- struct sta_info *sta) ++static int sta_info_hash_add(struct ieee80211_local *local, ++ struct sta_info *sta) + { +- rhashtable_insert_fast(&local->sta_hash, &sta->hash_node, +- sta_rht_params); ++ return rhashtable_insert_fast(&local->sta_hash, &sta->hash_node, ++ sta_rht_params); + } + + static void sta_deliver_ps_frames(struct work_struct *wk) +@@ -503,7 +503,9 @@ static int sta_info_insert_finish(struct + set_sta_flag(sta, WLAN_STA_BLOCK_BA); + + /* make the station visible */ +- sta_info_hash_add(local, sta); ++ err = sta_info_hash_add(local, sta); ++ if (err) ++ goto out_drop_sta; + + list_add_tail_rcu(&sta->list, &local->sta_list); + +@@ -538,6 +540,7 @@ static int sta_info_insert_finish(struct + out_remove: + sta_info_hash_del(local, sta); + list_del_rcu(&sta->list); ++ out_drop_sta: + local->num_sta--; + synchronize_net(); + __cleanup_single_sta(sta); diff --git a/queue-4.4/mips-fix-msa-ld-unaligned-failure-cases.patch b/queue-4.4/mips-fix-msa-ld-unaligned-failure-cases.patch new file mode 100644 index 00000000000..c2c67ca80f4 --- /dev/null +++ b/queue-4.4/mips-fix-msa-ld-unaligned-failure-cases.patch @@ -0,0 +1,114 @@ +From fa8ff601d72bad3078ddf5ef17a5547700d06908 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Wed, 3 Feb 2016 03:35:49 +0000 +Subject: MIPS: Fix MSA ld unaligned failure cases + +From: Paul Burton + +commit fa8ff601d72bad3078ddf5ef17a5547700d06908 upstream. + +Copying the content of an MSA vector from user memory may involve TLB +faults & mapping in pages. This will fail when preemption is disabled +due to an inability to acquire mmap_sem from do_page_fault, which meant +such vector loads to unmapped pages would always fail to be emulated. +Fix this by disabling preemption later only around the updating of +vector register state. + +This change does however introduce a race between performing the load +into thread context & the thread being preempted, saving its current +live context & clobbering the loaded value. This should be a rare +occureence, so optimise for the fast path by simply repeating the load if +we are preempted. + +Additionally if the copy failed then the failure path was taken with +preemption left disabled, leading to the kernel typically encountering +further issues around sleeping whilst atomic. The change to where +preemption is disabled avoids this issue. + +Fixes: e4aa1f153add "MIPS: MSA unaligned memory access support" +Reported-by: James Hogan +Signed-off-by: Paul Burton +Reviewed-by: James Hogan +Cc: Leonid Yegoshin +Cc: Maciej W. Rozycki +Cc: James Cowgill +Cc: Markos Chandras +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/12345/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/unaligned.c | 53 +++++++++++++++++++++++++------------------ + 1 file changed, 31 insertions(+), 22 deletions(-) + +--- a/arch/mips/kernel/unaligned.c ++++ b/arch/mips/kernel/unaligned.c +@@ -885,7 +885,7 @@ static void emulate_load_store_insn(stru + { + union mips_instruction insn; + unsigned long value; +- unsigned int res; ++ unsigned int res, preempted; + unsigned long origpc; + unsigned long orig31; + void __user *fault_addr = NULL; +@@ -1226,27 +1226,36 @@ static void emulate_load_store_insn(stru + if (!access_ok(VERIFY_READ, addr, sizeof(*fpr))) + goto sigbus; + +- /* +- * Disable preemption to avoid a race between copying +- * state from userland, migrating to another CPU and +- * updating the hardware vector register below. +- */ +- preempt_disable(); +- +- res = __copy_from_user_inatomic(fpr, addr, +- sizeof(*fpr)); +- if (res) +- goto fault; +- +- /* +- * Update the hardware register if it is in use by the +- * task in this quantum, in order to avoid having to +- * save & restore the whole vector context. +- */ +- if (test_thread_flag(TIF_USEDMSA)) +- write_msa_wr(wd, fpr, df); +- +- preempt_enable(); ++ do { ++ /* ++ * If we have live MSA context keep track of ++ * whether we get preempted in order to avoid ++ * the register context we load being clobbered ++ * by the live context as it's saved during ++ * preemption. If we don't have live context ++ * then it can't be saved to clobber the value ++ * we load. ++ */ ++ preempted = test_thread_flag(TIF_USEDMSA); ++ ++ res = __copy_from_user_inatomic(fpr, addr, ++ sizeof(*fpr)); ++ if (res) ++ goto fault; ++ ++ /* ++ * Update the hardware register if it is in use ++ * by the task in this quantum, in order to ++ * avoid having to save & restore the whole ++ * vector context. ++ */ ++ preempt_disable(); ++ if (test_thread_flag(TIF_USEDMSA)) { ++ write_msa_wr(wd, fpr, df); ++ preempted = 0; ++ } ++ preempt_enable(); ++ } while (preempted); + break; + + case msa_st_op: diff --git a/queue-4.4/pcmcia-db1xxx_ss-fix-last-irq_to_gpio-user.patch b/queue-4.4/pcmcia-db1xxx_ss-fix-last-irq_to_gpio-user.patch new file mode 100644 index 00000000000..890965090f8 --- /dev/null +++ b/queue-4.4/pcmcia-db1xxx_ss-fix-last-irq_to_gpio-user.patch @@ -0,0 +1,155 @@ +From e34b6fcf9b09ec9d93503edd5f81489791ffd602 Mon Sep 17 00:00:00 2001 +From: Manuel Lauss +Date: Wed, 2 Mar 2016 10:34:43 +0100 +Subject: pcmcia: db1xxx_ss: fix last irq_to_gpio user + +From: Manuel Lauss + +commit e34b6fcf9b09ec9d93503edd5f81489791ffd602 upstream. + +remove the usage of removed irq_to_gpio() function. On pre-DB1200 +boards, pass the actual carddetect GPIO number instead of the IRQ, +because we need the gpio to actually test card status (inserted or +not) and can get the irq number with gpio_to_irq() instead. + +Tested on DB1300 and DB1500, this patch fixes PCMCIA on the DB1500, +which used irq_to_gpio(). + +Fixes: 832f5dacfa0b ("MIPS: Remove all the uses of custom gpio.h") +Signed-off-by: Manuel Lauss +Acked-by: Arnd Bergmann +Reviewed-by: Linus Walleij +Cc: linux-pcmcia@lists.infradead.org +Cc: Linux-MIPS +Patchwork: https://patchwork.linux-mips.org/patch/12747/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/alchemy/devboards/db1000.c | 18 ++++++++---------- + arch/mips/alchemy/devboards/db1550.c | 4 ++-- + drivers/pcmcia/db1xxx_ss.c | 11 +++++++++-- + 3 files changed, 19 insertions(+), 14 deletions(-) + +--- a/arch/mips/alchemy/devboards/db1000.c ++++ b/arch/mips/alchemy/devboards/db1000.c +@@ -503,15 +503,15 @@ int __init db1000_dev_setup(void) + if (board == BCSR_WHOAMI_DB1500) { + c0 = AU1500_GPIO2_INT; + c1 = AU1500_GPIO5_INT; +- d0 = AU1500_GPIO0_INT; +- d1 = AU1500_GPIO3_INT; ++ d0 = 0; /* GPIO number, NOT irq! */ ++ d1 = 3; /* GPIO number, NOT irq! */ + s0 = AU1500_GPIO1_INT; + s1 = AU1500_GPIO4_INT; + } else if (board == BCSR_WHOAMI_DB1100) { + c0 = AU1100_GPIO2_INT; + c1 = AU1100_GPIO5_INT; +- d0 = AU1100_GPIO0_INT; +- d1 = AU1100_GPIO3_INT; ++ d0 = 0; /* GPIO number, NOT irq! */ ++ d1 = 3; /* GPIO number, NOT irq! */ + s0 = AU1100_GPIO1_INT; + s1 = AU1100_GPIO4_INT; + +@@ -545,15 +545,15 @@ int __init db1000_dev_setup(void) + } else if (board == BCSR_WHOAMI_DB1000) { + c0 = AU1000_GPIO2_INT; + c1 = AU1000_GPIO5_INT; +- d0 = AU1000_GPIO0_INT; +- d1 = AU1000_GPIO3_INT; ++ d0 = 0; /* GPIO number, NOT irq! */ ++ d1 = 3; /* GPIO number, NOT irq! */ + s0 = AU1000_GPIO1_INT; + s1 = AU1000_GPIO4_INT; + platform_add_devices(db1000_devs, ARRAY_SIZE(db1000_devs)); + } else if ((board == BCSR_WHOAMI_PB1500) || + (board == BCSR_WHOAMI_PB1500R2)) { + c0 = AU1500_GPIO203_INT; +- d0 = AU1500_GPIO201_INT; ++ d0 = 1; /* GPIO number, NOT irq! */ + s0 = AU1500_GPIO202_INT; + twosocks = 0; + flashsize = 64; +@@ -566,7 +566,7 @@ int __init db1000_dev_setup(void) + */ + } else if (board == BCSR_WHOAMI_PB1100) { + c0 = AU1100_GPIO11_INT; +- d0 = AU1100_GPIO9_INT; ++ d0 = 9; /* GPIO number, NOT irq! */ + s0 = AU1100_GPIO10_INT; + twosocks = 0; + flashsize = 64; +@@ -583,7 +583,6 @@ int __init db1000_dev_setup(void) + } else + return 0; /* unknown board, no further dev setup to do */ + +- irq_set_irq_type(d0, IRQ_TYPE_EDGE_BOTH); + irq_set_irq_type(c0, IRQ_TYPE_LEVEL_LOW); + irq_set_irq_type(s0, IRQ_TYPE_LEVEL_LOW); + +@@ -597,7 +596,6 @@ int __init db1000_dev_setup(void) + c0, d0, /*s0*/0, 0, 0); + + if (twosocks) { +- irq_set_irq_type(d1, IRQ_TYPE_EDGE_BOTH); + irq_set_irq_type(c1, IRQ_TYPE_LEVEL_LOW); + irq_set_irq_type(s1, IRQ_TYPE_LEVEL_LOW); + +--- a/arch/mips/alchemy/devboards/db1550.c ++++ b/arch/mips/alchemy/devboards/db1550.c +@@ -514,7 +514,7 @@ static void __init db1550_devices(void) + AU1000_PCMCIA_MEM_PHYS_ADDR + 0x000400000 - 1, + AU1000_PCMCIA_IO_PHYS_ADDR, + AU1000_PCMCIA_IO_PHYS_ADDR + 0x000010000 - 1, +- AU1550_GPIO3_INT, AU1550_GPIO0_INT, ++ AU1550_GPIO3_INT, 0, + /*AU1550_GPIO21_INT*/0, 0, 0); + + db1x_register_pcmcia_socket( +@@ -524,7 +524,7 @@ static void __init db1550_devices(void) + AU1000_PCMCIA_MEM_PHYS_ADDR + 0x004400000 - 1, + AU1000_PCMCIA_IO_PHYS_ADDR + 0x004000000, + AU1000_PCMCIA_IO_PHYS_ADDR + 0x004010000 - 1, +- AU1550_GPIO5_INT, AU1550_GPIO1_INT, ++ AU1550_GPIO5_INT, 1, + /*AU1550_GPIO22_INT*/0, 0, 1); + + platform_device_register(&db1550_nand_dev); +--- a/drivers/pcmcia/db1xxx_ss.c ++++ b/drivers/pcmcia/db1xxx_ss.c +@@ -56,6 +56,7 @@ struct db1x_pcmcia_sock { + int stschg_irq; /* card-status-change irq */ + int card_irq; /* card irq */ + int eject_irq; /* db1200/pb1200 have these */ ++ int insert_gpio; /* db1000 carddetect gpio */ + + #define BOARD_TYPE_DEFAULT 0 /* most boards */ + #define BOARD_TYPE_DB1200 1 /* IRQs aren't gpios */ +@@ -83,7 +84,7 @@ static int db1200_card_inserted(struct d + /* carddetect gpio: low-active */ + static int db1000_card_inserted(struct db1x_pcmcia_sock *sock) + { +- return !gpio_get_value(irq_to_gpio(sock->insert_irq)); ++ return !gpio_get_value(sock->insert_gpio); + } + + static int db1x_card_inserted(struct db1x_pcmcia_sock *sock) +@@ -457,9 +458,15 @@ static int db1x_pcmcia_socket_probe(stru + r = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "card"); + sock->card_irq = r ? r->start : 0; + +- /* insert: irq which triggers on card insertion/ejection */ ++ /* insert: irq which triggers on card insertion/ejection ++ * BIG FAT NOTE: on DB1000/1100/1500/1550 we pass a GPIO here! ++ */ + r = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "insert"); + sock->insert_irq = r ? r->start : -1; ++ if (sock->board_type == BOARD_TYPE_DEFAULT) { ++ sock->insert_gpio = r ? r->start : -1; ++ sock->insert_irq = r ? gpio_to_irq(r->start) : -1; ++ } + + /* stschg: irq which trigger on card status change (optional) */ + r = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "stschg"); diff --git a/queue-4.4/pinctrl-freescale-imx-fix-bogus-check-of-of_iomap-return-value.patch b/queue-4.4/pinctrl-freescale-imx-fix-bogus-check-of-of_iomap-return-value.patch new file mode 100644 index 00000000000..0e8e0116796 --- /dev/null +++ b/queue-4.4/pinctrl-freescale-imx-fix-bogus-check-of-of_iomap-return-value.patch @@ -0,0 +1,55 @@ +From 9a4f424531dabd877259ae0071b8bcc4dede9eb5 Mon Sep 17 00:00:00 2001 +From: Vladimir Zapolskiy +Date: Wed, 9 Mar 2016 02:45:36 +0200 +Subject: pinctrl: freescale: imx: fix bogus check of of_iomap() return value + +From: Vladimir Zapolskiy + +commit 9a4f424531dabd877259ae0071b8bcc4dede9eb5 upstream. + +On error path of_iomap() returns NULL, hence IS_ERR() check is invalid +and may cause a NULL pointer dereference, the change fixes this +problem. + +While we are here invert a device node check to simplify the code. + +Fixes: 26d8cde5260b ("pinctrl: freescale: imx: add shared input select reg support") +Signed-off-by: Vladimir Zapolskiy +Acked-by: Shawn Guo +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/freescale/pinctrl-imx.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +--- a/drivers/pinctrl/freescale/pinctrl-imx.c ++++ b/drivers/pinctrl/freescale/pinctrl-imx.c +@@ -726,19 +726,18 @@ int imx_pinctrl_probe(struct platform_de + + if (of_property_read_bool(dev_np, "fsl,input-sel")) { + np = of_parse_phandle(dev_np, "fsl,input-sel", 0); +- if (np) { +- ipctl->input_sel_base = of_iomap(np, 0); +- if (IS_ERR(ipctl->input_sel_base)) { +- of_node_put(np); +- dev_err(&pdev->dev, +- "iomuxc input select base address not found\n"); +- return PTR_ERR(ipctl->input_sel_base); +- } +- } else { ++ if (!np) { + dev_err(&pdev->dev, "iomuxc fsl,input-sel property not found\n"); + return -EINVAL; + } ++ ++ ipctl->input_sel_base = of_iomap(np, 0); + of_node_put(np); ++ if (!ipctl->input_sel_base) { ++ dev_err(&pdev->dev, ++ "iomuxc input select base address not found\n"); ++ return -ENOMEM; ++ } + } + + imx_pinctrl_desc.name = dev_name(&pdev->dev); diff --git a/queue-4.4/pinctrl-nomadik-fix-pull-debug-print-inversion.patch b/queue-4.4/pinctrl-nomadik-fix-pull-debug-print-inversion.patch new file mode 100644 index 00000000000..d9e75163e75 --- /dev/null +++ b/queue-4.4/pinctrl-nomadik-fix-pull-debug-print-inversion.patch @@ -0,0 +1,30 @@ +From 6ee334559324a55725e22463de633b99ad99fcad Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Thu, 24 Mar 2016 13:15:45 +0100 +Subject: pinctrl: nomadik: fix pull debug print inversion + +From: Linus Walleij + +commit 6ee334559324a55725e22463de633b99ad99fcad upstream. + +Pull up was reported as pull down and vice versa. Fix this. + +Fixes: 8f1774a2a971 "pinctrl: nomadik: improve GPIO debug prints" +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/nomadik/pinctrl-nomadik.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/nomadik/pinctrl-nomadik.c ++++ b/drivers/pinctrl/nomadik/pinctrl-nomadik.c +@@ -995,7 +995,7 @@ static void nmk_gpio_dbg_show_one(struct + int val; + + if (pull) +- pullidx = data_out ? 1 : 2; ++ pullidx = data_out ? 2 : 1; + + seq_printf(s, " gpio-%-3d (%-20.20s) in %s %s", + gpio, diff --git a/queue-4.4/pinctrl-pistachio-fix-mfio84-89-function-description-and-pinmux.patch b/queue-4.4/pinctrl-pistachio-fix-mfio84-89-function-description-and-pinmux.patch new file mode 100644 index 00000000000..881b56041b4 --- /dev/null +++ b/queue-4.4/pinctrl-pistachio-fix-mfio84-89-function-description-and-pinmux.patch @@ -0,0 +1,126 @@ +From e9adb336d0bf391be23e820975ca5cd12c31d781 Mon Sep 17 00:00:00 2001 +From: Govindraj Raja +Date: Fri, 4 Mar 2016 15:28:22 +0000 +Subject: pinctrl: pistachio: fix mfio84-89 function description and pinmux. + +From: Govindraj Raja + +commit e9adb336d0bf391be23e820975ca5cd12c31d781 upstream. + +mfio 84 to 89 are described wrongly, fix it to describe +the right pin and add them to right pin-mux group. + +The correct order is: + pll1_lock => mips_pll -- MFIO_83 + pll2_lock => audio_pll -- MFIO_84 + pll3_lock => rpu_v_pll -- MFIO_85 + pll4_lock => rpu_l_pll -- MFIO_86 + pll5_lock => sys_pll -- MFIO_87 + pll6_lock => wifi_pll -- MFIO_88 + pll7_lock => bt_pll -- MFIO_89 + +Cc: linux-gpio@vger.kernel.org +Cc: devicetree@vger.kernel.org +Cc: linux-mips@linux-mips.org +Cc: James Hartley +Fixes: cefc03e5995e("pinctrl: Add Pistachio SoC pin control driver") +Signed-off-by: Govindraj Raja +Acked-by: Andrew Bresticker +Acked-by: Rob Herring +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/devicetree/bindings/pinctrl/img,pistachio-pinctrl.txt | 12 ++--- + drivers/pinctrl/pinctrl-pistachio.c | 24 +++++----- + 2 files changed, 18 insertions(+), 18 deletions(-) + +--- a/Documentation/devicetree/bindings/pinctrl/img,pistachio-pinctrl.txt ++++ b/Documentation/devicetree/bindings/pinctrl/img,pistachio-pinctrl.txt +@@ -134,12 +134,12 @@ mfio80 ddr_debug, mips_trace_data, mips + mfio81 dreq0, mips_trace_data, eth_debug + mfio82 dreq1, mips_trace_data, eth_debug + mfio83 mips_pll_lock, mips_trace_data, usb_debug +-mfio84 sys_pll_lock, mips_trace_data, usb_debug +-mfio85 wifi_pll_lock, mips_trace_data, sdhost_debug +-mfio86 bt_pll_lock, mips_trace_data, sdhost_debug +-mfio87 rpu_v_pll_lock, dreq2, socif_debug +-mfio88 rpu_l_pll_lock, dreq3, socif_debug +-mfio89 audio_pll_lock, dreq4, dreq5 ++mfio84 audio_pll_lock, mips_trace_data, usb_debug ++mfio85 rpu_v_pll_lock, mips_trace_data, sdhost_debug ++mfio86 rpu_l_pll_lock, mips_trace_data, sdhost_debug ++mfio87 sys_pll_lock, dreq2, socif_debug ++mfio88 wifi_pll_lock, dreq3, socif_debug ++mfio89 bt_pll_lock, dreq4, dreq5 + tck + trstn + tdi +--- a/drivers/pinctrl/pinctrl-pistachio.c ++++ b/drivers/pinctrl/pinctrl-pistachio.c +@@ -469,27 +469,27 @@ static const char * const pistachio_mips + "mfio83", + }; + +-static const char * const pistachio_sys_pll_lock_groups[] = { ++static const char * const pistachio_audio_pll_lock_groups[] = { + "mfio84", + }; + +-static const char * const pistachio_wifi_pll_lock_groups[] = { ++static const char * const pistachio_rpu_v_pll_lock_groups[] = { + "mfio85", + }; + +-static const char * const pistachio_bt_pll_lock_groups[] = { ++static const char * const pistachio_rpu_l_pll_lock_groups[] = { + "mfio86", + }; + +-static const char * const pistachio_rpu_v_pll_lock_groups[] = { ++static const char * const pistachio_sys_pll_lock_groups[] = { + "mfio87", + }; + +-static const char * const pistachio_rpu_l_pll_lock_groups[] = { ++static const char * const pistachio_wifi_pll_lock_groups[] = { + "mfio88", + }; + +-static const char * const pistachio_audio_pll_lock_groups[] = { ++static const char * const pistachio_bt_pll_lock_groups[] = { + "mfio89", + }; + +@@ -559,12 +559,12 @@ enum pistachio_mux_option { + PISTACHIO_FUNCTION_DREQ4, + PISTACHIO_FUNCTION_DREQ5, + PISTACHIO_FUNCTION_MIPS_PLL_LOCK, ++ PISTACHIO_FUNCTION_AUDIO_PLL_LOCK, ++ PISTACHIO_FUNCTION_RPU_V_PLL_LOCK, ++ PISTACHIO_FUNCTION_RPU_L_PLL_LOCK, + PISTACHIO_FUNCTION_SYS_PLL_LOCK, + PISTACHIO_FUNCTION_WIFI_PLL_LOCK, + PISTACHIO_FUNCTION_BT_PLL_LOCK, +- PISTACHIO_FUNCTION_RPU_V_PLL_LOCK, +- PISTACHIO_FUNCTION_RPU_L_PLL_LOCK, +- PISTACHIO_FUNCTION_AUDIO_PLL_LOCK, + PISTACHIO_FUNCTION_DEBUG_RAW_CCA_IND, + PISTACHIO_FUNCTION_DEBUG_ED_SEC20_CCA_IND, + PISTACHIO_FUNCTION_DEBUG_ED_SEC40_CCA_IND, +@@ -620,12 +620,12 @@ static const struct pistachio_function p + FUNCTION(dreq4), + FUNCTION(dreq5), + FUNCTION(mips_pll_lock), ++ FUNCTION(audio_pll_lock), ++ FUNCTION(rpu_v_pll_lock), ++ FUNCTION(rpu_l_pll_lock), + FUNCTION(sys_pll_lock), + FUNCTION(wifi_pll_lock), + FUNCTION(bt_pll_lock), +- FUNCTION(rpu_v_pll_lock), +- FUNCTION(rpu_l_pll_lock), +- FUNCTION(audio_pll_lock), + FUNCTION(debug_raw_cca_ind), + FUNCTION(debug_ed_sec20_cca_ind), + FUNCTION(debug_ed_sec40_cca_ind), diff --git a/queue-4.4/pinctrl-sh-pfc-only-use-dummy-states-for-non-dt-platforms.patch b/queue-4.4/pinctrl-sh-pfc-only-use-dummy-states-for-non-dt-platforms.patch new file mode 100644 index 00000000000..02ab6da8134 --- /dev/null +++ b/queue-4.4/pinctrl-sh-pfc-only-use-dummy-states-for-non-dt-platforms.patch @@ -0,0 +1,43 @@ +From 0129801be4b87226bf502f18f5a9eabd356d1058 Mon Sep 17 00:00:00 2001 +From: Wolfram Sang +Date: Mon, 7 Mar 2016 19:40:57 +0100 +Subject: pinctrl: sh-pfc: only use dummy states for non-DT platforms + +From: Wolfram Sang + +commit 0129801be4b87226bf502f18f5a9eabd356d1058 upstream. + +If pinctrl_provide_dummies() is used unconditionally, then the dummy +state will be used even on DT platforms when the "init" state was +intentionally left out. Instead of "default", the dummy "init" state +will then be used during probe. Thus, when probing an I2C controller on +cold boot, communication triggered by bus notifiers broke because the +pins were not initialized. + +Do it like OMAP2: use the dummy state only for non-DT platforms. + +Fixes: ef0eebc05130 ("drivers/pinctrl: Add the concept of an "init" state") +Reported-by: Geert Uytterhoeven +Signed-off-by: Wolfram Sang +Acked-by: Sergei Shtylyov +Tested-by: Geert Uytterhoeven +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/sh-pfc/core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/pinctrl/sh-pfc/core.c ++++ b/drivers/pinctrl/sh-pfc/core.c +@@ -545,7 +545,9 @@ static int sh_pfc_probe(struct platform_ + return ret; + } + +- pinctrl_provide_dummies(); ++ /* Enable dummy states for those platforms without pinctrl support */ ++ if (!of_have_populated_dt()) ++ pinctrl_provide_dummies(); + + ret = sh_pfc_init_ranges(pfc); + if (ret < 0) diff --git a/queue-4.4/pinctrl-sunxi-fix-a33-external-interrupts-not-working.patch b/queue-4.4/pinctrl-sunxi-fix-a33-external-interrupts-not-working.patch new file mode 100644 index 00000000000..45c4b98b282 --- /dev/null +++ b/queue-4.4/pinctrl-sunxi-fix-a33-external-interrupts-not-working.patch @@ -0,0 +1,177 @@ +From 5e7515ba78fff2f5407eaa2f97c1d5c07801ac3d Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 12 Mar 2016 19:44:57 +0100 +Subject: pinctrl: sunxi: Fix A33 external interrupts not working + +From: Hans de Goede + +commit 5e7515ba78fff2f5407eaa2f97c1d5c07801ac3d upstream. + +pinctrl-sun8i-a33.c (and the dts) declare only 2 interrupt banks, +where as the closely related a23 has 3 banks. This matches with the +datasheet for the A33 where only interrupt banks B and G are specified +where as the A23 has banks A, B and G. + +However the A33 being the A23 derative it is means that the interrupt +configure/status io-addresses for the 2 banks it has are not changed +from the A23, iow they have the same address as if bank A was still +present. Where as the sunxi pinctrl currently tries to use the A23 bank +A addresses for bank B, since the pinctrl code does not know about the +removed bank A. + +Add a irq_bank_base parameter and use this where appropriate to take +the missing bank A into account. + +This fixes external interrupts not working on the A33 (tested with +an i2c touchscreen controller which uses an external interrupt). + +Signed-off-by: Hans de Goede +Acked-by: Maxime Ripard +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c | 1 + + drivers/pinctrl/sunxi/pinctrl-sunxi.c | 17 ++++++++++------- + drivers/pinctrl/sunxi/pinctrl-sunxi.h | 21 +++++++++++---------- + 3 files changed, 22 insertions(+), 17 deletions(-) + +--- a/drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c ++++ b/drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c +@@ -485,6 +485,7 @@ static const struct sunxi_pinctrl_desc s + .pins = sun8i_a33_pins, + .npins = ARRAY_SIZE(sun8i_a33_pins), + .irq_banks = 2, ++ .irq_bank_base = 1, + }; + + static int sun8i_a33_pinctrl_probe(struct platform_device *pdev) +--- a/drivers/pinctrl/sunxi/pinctrl-sunxi.c ++++ b/drivers/pinctrl/sunxi/pinctrl-sunxi.c +@@ -578,7 +578,7 @@ static void sunxi_pinctrl_irq_release_re + static int sunxi_pinctrl_irq_set_type(struct irq_data *d, unsigned int type) + { + struct sunxi_pinctrl *pctl = irq_data_get_irq_chip_data(d); +- u32 reg = sunxi_irq_cfg_reg(d->hwirq); ++ u32 reg = sunxi_irq_cfg_reg(d->hwirq, pctl->desc->irq_bank_base); + u8 index = sunxi_irq_cfg_offset(d->hwirq); + unsigned long flags; + u32 regval; +@@ -625,7 +625,8 @@ static int sunxi_pinctrl_irq_set_type(st + static void sunxi_pinctrl_irq_ack(struct irq_data *d) + { + struct sunxi_pinctrl *pctl = irq_data_get_irq_chip_data(d); +- u32 status_reg = sunxi_irq_status_reg(d->hwirq); ++ u32 status_reg = sunxi_irq_status_reg(d->hwirq, ++ pctl->desc->irq_bank_base); + u8 status_idx = sunxi_irq_status_offset(d->hwirq); + + /* Clear the IRQ */ +@@ -635,7 +636,7 @@ static void sunxi_pinctrl_irq_ack(struct + static void sunxi_pinctrl_irq_mask(struct irq_data *d) + { + struct sunxi_pinctrl *pctl = irq_data_get_irq_chip_data(d); +- u32 reg = sunxi_irq_ctrl_reg(d->hwirq); ++ u32 reg = sunxi_irq_ctrl_reg(d->hwirq, pctl->desc->irq_bank_base); + u8 idx = sunxi_irq_ctrl_offset(d->hwirq); + unsigned long flags; + u32 val; +@@ -652,7 +653,7 @@ static void sunxi_pinctrl_irq_mask(struc + static void sunxi_pinctrl_irq_unmask(struct irq_data *d) + { + struct sunxi_pinctrl *pctl = irq_data_get_irq_chip_data(d); +- u32 reg = sunxi_irq_ctrl_reg(d->hwirq); ++ u32 reg = sunxi_irq_ctrl_reg(d->hwirq, pctl->desc->irq_bank_base); + u8 idx = sunxi_irq_ctrl_offset(d->hwirq); + unsigned long flags; + u32 val; +@@ -744,7 +745,7 @@ static void sunxi_pinctrl_irq_handler(st + if (bank == pctl->desc->irq_banks) + return; + +- reg = sunxi_irq_status_reg_from_bank(bank); ++ reg = sunxi_irq_status_reg_from_bank(bank, pctl->desc->irq_bank_base); + val = readl(pctl->membase + reg); + + if (val) { +@@ -1023,9 +1024,11 @@ int sunxi_pinctrl_init(struct platform_d + + for (i = 0; i < pctl->desc->irq_banks; i++) { + /* Mask and clear all IRQs before registering a handler */ +- writel(0, pctl->membase + sunxi_irq_ctrl_reg_from_bank(i)); ++ writel(0, pctl->membase + sunxi_irq_ctrl_reg_from_bank(i, ++ pctl->desc->irq_bank_base)); + writel(0xffffffff, +- pctl->membase + sunxi_irq_status_reg_from_bank(i)); ++ pctl->membase + sunxi_irq_status_reg_from_bank(i, ++ pctl->desc->irq_bank_base)); + + irq_set_chained_handler_and_data(pctl->irq[i], + sunxi_pinctrl_irq_handler, +--- a/drivers/pinctrl/sunxi/pinctrl-sunxi.h ++++ b/drivers/pinctrl/sunxi/pinctrl-sunxi.h +@@ -97,6 +97,7 @@ struct sunxi_pinctrl_desc { + int npins; + unsigned pin_base; + unsigned irq_banks; ++ unsigned irq_bank_base; + bool irq_read_needs_mux; + }; + +@@ -233,12 +234,12 @@ static inline u32 sunxi_pull_offset(u16 + return pin_num * PULL_PINS_BITS; + } + +-static inline u32 sunxi_irq_cfg_reg(u16 irq) ++static inline u32 sunxi_irq_cfg_reg(u16 irq, unsigned bank_base) + { + u8 bank = irq / IRQ_PER_BANK; + u8 reg = (irq % IRQ_PER_BANK) / IRQ_CFG_IRQ_PER_REG * 0x04; + +- return IRQ_CFG_REG + bank * IRQ_MEM_SIZE + reg; ++ return IRQ_CFG_REG + (bank_base + bank) * IRQ_MEM_SIZE + reg; + } + + static inline u32 sunxi_irq_cfg_offset(u16 irq) +@@ -247,16 +248,16 @@ static inline u32 sunxi_irq_cfg_offset(u + return irq_num * IRQ_CFG_IRQ_BITS; + } + +-static inline u32 sunxi_irq_ctrl_reg_from_bank(u8 bank) ++static inline u32 sunxi_irq_ctrl_reg_from_bank(u8 bank, unsigned bank_base) + { +- return IRQ_CTRL_REG + bank * IRQ_MEM_SIZE; ++ return IRQ_CTRL_REG + (bank_base + bank) * IRQ_MEM_SIZE; + } + +-static inline u32 sunxi_irq_ctrl_reg(u16 irq) ++static inline u32 sunxi_irq_ctrl_reg(u16 irq, unsigned bank_base) + { + u8 bank = irq / IRQ_PER_BANK; + +- return sunxi_irq_ctrl_reg_from_bank(bank); ++ return sunxi_irq_ctrl_reg_from_bank(bank, bank_base); + } + + static inline u32 sunxi_irq_ctrl_offset(u16 irq) +@@ -265,16 +266,16 @@ static inline u32 sunxi_irq_ctrl_offset( + return irq_num * IRQ_CTRL_IRQ_BITS; + } + +-static inline u32 sunxi_irq_status_reg_from_bank(u8 bank) ++static inline u32 sunxi_irq_status_reg_from_bank(u8 bank, unsigned bank_base) + { +- return IRQ_STATUS_REG + bank * IRQ_MEM_SIZE; ++ return IRQ_STATUS_REG + (bank_base + bank) * IRQ_MEM_SIZE; + } + +-static inline u32 sunxi_irq_status_reg(u16 irq) ++static inline u32 sunxi_irq_status_reg(u16 irq, unsigned bank_base) + { + u8 bank = irq / IRQ_PER_BANK; + +- return sunxi_irq_status_reg_from_bank(bank); ++ return sunxi_irq_status_reg_from_bank(bank, bank_base); + } + + static inline u32 sunxi_irq_status_offset(u16 irq) diff --git a/queue-4.4/rbd-use-gfp_noio-consistently-for-request-allocations.patch b/queue-4.4/rbd-use-gfp_noio-consistently-for-request-allocations.patch new file mode 100644 index 00000000000..775c592c4ea --- /dev/null +++ b/queue-4.4/rbd-use-gfp_noio-consistently-for-request-allocations.patch @@ -0,0 +1,58 @@ +From 2224d879c7c0f85c14183ef82eb48bd875ceb599 Mon Sep 17 00:00:00 2001 +From: David Disseldorp +Date: Tue, 5 Apr 2016 11:13:39 +0200 +Subject: rbd: use GFP_NOIO consistently for request allocations + +From: David Disseldorp + +commit 2224d879c7c0f85c14183ef82eb48bd875ceb599 upstream. + +As of 5a60e87603c4c533492c515b7f62578189b03c9c, RBD object request +allocations are made via rbd_obj_request_create() with GFP_NOIO. +However, subsequent OSD request allocations in rbd_osd_req_create*() +use GFP_ATOMIC. + +With heavy page cache usage (e.g. OSDs running on same host as krbd +client), rbd_osd_req_create() order-1 GFP_ATOMIC allocations have been +observed to fail, where direct reclaim would have allowed GFP_NOIO +allocations to succeed. + +Suggested-by: Vlastimil Babka +Suggested-by: Neil Brown +Signed-off-by: David Disseldorp +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/rbd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -1955,7 +1955,7 @@ static struct ceph_osd_request *rbd_osd_ + + osdc = &rbd_dev->rbd_client->client->osdc; + osd_req = ceph_osdc_alloc_request(osdc, snapc, num_ops, false, +- GFP_ATOMIC); ++ GFP_NOIO); + if (!osd_req) + return NULL; /* ENOMEM */ + +@@ -2004,7 +2004,7 @@ rbd_osd_req_create_copyup(struct rbd_obj + rbd_dev = img_request->rbd_dev; + osdc = &rbd_dev->rbd_client->client->osdc; + osd_req = ceph_osdc_alloc_request(osdc, snapc, num_osd_ops, +- false, GFP_ATOMIC); ++ false, GFP_NOIO); + if (!osd_req) + return NULL; /* ENOMEM */ + +@@ -2506,7 +2506,7 @@ static int rbd_img_request_fill(struct r + bio_chain_clone_range(&bio_list, + &bio_offset, + clone_size, +- GFP_ATOMIC); ++ GFP_NOIO); + if (!obj_request->bio_list) + goto out_unwind; + } else if (type == OBJ_REQUEST_PAGES) { diff --git a/queue-4.4/sd-fix-excessive-capacity-printing-on-devices-with-blocks-bigger-than-512-bytes.patch b/queue-4.4/sd-fix-excessive-capacity-printing-on-devices-with-blocks-bigger-than-512-bytes.patch new file mode 100644 index 00000000000..4328b251a51 --- /dev/null +++ b/queue-4.4/sd-fix-excessive-capacity-printing-on-devices-with-blocks-bigger-than-512-bytes.patch @@ -0,0 +1,121 @@ +From f08bb1e0dbdd0297258d0b8cd4dbfcc057e57b2a Mon Sep 17 00:00:00 2001 +From: "Martin K. Petersen" +Date: Mon, 28 Mar 2016 21:18:56 -0400 +Subject: sd: Fix excessive capacity printing on devices with blocks bigger than 512 bytes + +From: Martin K. Petersen + +commit f08bb1e0dbdd0297258d0b8cd4dbfcc057e57b2a upstream. + +During revalidate we check whether device capacity has changed before we +decide whether to output disk information or not. + +The check for old capacity failed to take into account that we scaled +sdkp->capacity based on the reported logical block size. And therefore +the capacity test would always fail for devices with sectors bigger than +512 bytes and we would print several copies of the same discovery +information. + +Avoid scaling sdkp->capacity and instead adjust the value on the fly +when setting the block device capacity and generating fake C/H/S +geometry. + +Signed-off-by: Martin K. Petersen +Reported-by: Hannes Reinecke +Reviewed-by: Hannes Reinicke +Reviewed-by: Ewan Milne +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sd.c | 28 ++++++++-------------------- + drivers/scsi/sd.h | 7 ++++++- + 2 files changed, 14 insertions(+), 21 deletions(-) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -1275,18 +1275,19 @@ static int sd_getgeo(struct block_device + struct scsi_disk *sdkp = scsi_disk(bdev->bd_disk); + struct scsi_device *sdp = sdkp->device; + struct Scsi_Host *host = sdp->host; ++ sector_t capacity = logical_to_sectors(sdp, sdkp->capacity); + int diskinfo[4]; + + /* default to most commonly used values */ +- diskinfo[0] = 0x40; /* 1 << 6 */ +- diskinfo[1] = 0x20; /* 1 << 5 */ +- diskinfo[2] = sdkp->capacity >> 11; +- ++ diskinfo[0] = 0x40; /* 1 << 6 */ ++ diskinfo[1] = 0x20; /* 1 << 5 */ ++ diskinfo[2] = capacity >> 11; ++ + /* override with calculated, extended default, or driver values */ + if (host->hostt->bios_param) +- host->hostt->bios_param(sdp, bdev, sdkp->capacity, diskinfo); ++ host->hostt->bios_param(sdp, bdev, capacity, diskinfo); + else +- scsicam_bios_param(bdev, sdkp->capacity, diskinfo); ++ scsicam_bios_param(bdev, capacity, diskinfo); + + geo->heads = diskinfo[0]; + geo->sectors = diskinfo[1]; +@@ -2337,14 +2338,6 @@ got_data: + if (sdkp->capacity > 0xffffffff) + sdp->use_16_for_rw = 1; + +- /* Rescale capacity to 512-byte units */ +- if (sector_size == 4096) +- sdkp->capacity <<= 3; +- else if (sector_size == 2048) +- sdkp->capacity <<= 2; +- else if (sector_size == 1024) +- sdkp->capacity <<= 1; +- + blk_queue_physical_block_size(sdp->request_queue, + sdkp->physical_block_size); + sdkp->device->sector_size = sector_size; +@@ -2812,11 +2805,6 @@ static int sd_try_extended_inquiry(struc + return 0; + } + +-static inline u32 logical_to_sectors(struct scsi_device *sdev, u32 blocks) +-{ +- return blocks << (ilog2(sdev->sector_size) - 9); +-} +- + /** + * sd_revalidate_disk - called the first time a new disk is seen, + * performs disk spin up, read_capacity, etc. +@@ -2900,7 +2888,7 @@ static int sd_revalidate_disk(struct gen + /* Combine with controller limits */ + q->limits.max_sectors = min(rw_max, queue_max_hw_sectors(q)); + +- set_capacity(disk, sdkp->capacity); ++ set_capacity(disk, logical_to_sectors(sdp, sdkp->capacity)); + sd_config_write_same(sdkp); + kfree(buffer); + +--- a/drivers/scsi/sd.h ++++ b/drivers/scsi/sd.h +@@ -65,7 +65,7 @@ struct scsi_disk { + struct device dev; + struct gendisk *disk; + atomic_t openers; +- sector_t capacity; /* size in 512-byte sectors */ ++ sector_t capacity; /* size in logical blocks */ + u32 max_xfer_blocks; + u32 opt_xfer_blocks; + u32 max_ws_blocks; +@@ -146,6 +146,11 @@ static inline int scsi_medium_access_com + return 0; + } + ++static inline sector_t logical_to_sectors(struct scsi_device *sdev, sector_t blocks) ++{ ++ return blocks << (ilog2(sdev->sector_size) - 9); ++} ++ + /* + * A DIF-capable target device can be formatted with different + * protection schemes. Currently 0 through 3 are defined: diff --git a/queue-4.4/series b/queue-4.4/series index edc553188c7..1727a2260bb 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -77,3 +77,34 @@ ipv6-l2tp-fix-a-potential-issue-in-l2tp_ip6_recv.patch ip6_tunnel-set-rtnl_link_ops-before-calling-register_netdevice.patch ipv6-count-in-extension-headers-in-skb-network_header.patch mpls-find_outdev-check-for-err-ptr-in-addition-to-null-check.patch +usb-uas-limit-qdepth-at-the-scsi-host-level.patch +usb-uas-add-a-new-no_report_luns-quirk.patch +cdc-acm-fix-null-pointer-reference.patch +kvm-x86-inject-pending-interrupt-even-if-pending-nmi-exist.patch +kvm-x86-reduce-default-value-of-halt_poll_ns-parameter.patch +mips-fix-msa-ld-unaligned-failure-cases.patch +pinctrl-pistachio-fix-mfio84-89-function-description-and-pinmux.patch +pinctrl-sh-pfc-only-use-dummy-states-for-non-dt-platforms.patch +pinctrl-sunxi-fix-a33-external-interrupts-not-working.patch +pinctrl-nomadik-fix-pull-debug-print-inversion.patch +pinctrl-freescale-imx-fix-bogus-check-of-of_iomap-return-value.patch +au0828-fix-au0828_v4l2_close-dev_state-race-condition.patch +au0828-fix-dev_state-handling.patch +coda-fix-error-path-in-case-of-missing-pdata-on-non-dt-platform.patch +v4l-vsp1-set-the-sru-ctrl0-register-when-starting-the-stream.patch +pcmcia-db1xxx_ss-fix-last-irq_to_gpio-user.patch +rbd-use-gfp_noio-consistently-for-request-allocations.patch +virtio-virtio-1.0-cs04-spec-compliance-for-reset.patch +mac80211-properly-deal-with-station-hashtable-insert-errors.patch +mac80211-avoid-excessive-stack-usage-in-sta_info.patch +mac80211-fix-ibss-scan-parameters.patch +mac80211-fix-unnecessary-frame-drops-in-mesh-fwding.patch +mac80211-fix-txq-queue-related-crashes.patch +usb-renesas_usbhs-avoid-null-pointer-derefernce-in-usbhsf_pkt_handler.patch +usb-renesas_usbhs-disable-tx-irq-before-starting-tx-dmac-transfer.patch +usb-renesas_usbhs-fix-to-avoid-using-a-disabled-ep-in-usbhsg_queue_done.patch +iio-st_magn-always-define-st_magn_trigger_set_state.patch +iio-accel-bmc150-fix-endianness-when-reading-axes.patch +iio-gyro-bmg160-fix-buffer-read-values.patch +iio-gyro-bmg160-fix-endianness-when-reading-axes.patch +sd-fix-excessive-capacity-printing-on-devices-with-blocks-bigger-than-512-bytes.patch diff --git a/queue-4.4/usb-renesas_usbhs-avoid-null-pointer-derefernce-in-usbhsf_pkt_handler.patch b/queue-4.4/usb-renesas_usbhs-avoid-null-pointer-derefernce-in-usbhsf_pkt_handler.patch new file mode 100644 index 00000000000..1534968fa9c --- /dev/null +++ b/queue-4.4/usb-renesas_usbhs-avoid-null-pointer-derefernce-in-usbhsf_pkt_handler.patch @@ -0,0 +1,52 @@ +From 894f2fc44f2f3f48c36c973b1123f6ab298be160 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Thu, 10 Mar 2016 11:30:14 +0900 +Subject: usb: renesas_usbhs: avoid NULL pointer derefernce in usbhsf_pkt_handler() + +From: Yoshihiro Shimoda + +commit 894f2fc44f2f3f48c36c973b1123f6ab298be160 upstream. + +When unexpected situation happened (e.g. tx/rx irq happened while +DMAC is used), the usbhsf_pkt_handler() was possible to cause NULL +pointer dereference like the followings: + +Unable to handle kernel NULL pointer dereference at virtual address 00000000 +pgd = c0004000 +[00000000] *pgd=00000000 +Internal error: Oops: 80000007 [#1] SMP ARM +Modules linked in: usb_f_acm u_serial g_serial libcomposite +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.5.0-rc6-00842-gac57066-dirty #63 +Hardware name: Generic R8A7790 (Flattened Device Tree) +task: c0729c00 ti: c0724000 task.ti: c0724000 +PC is at 0x0 +LR is at usbhsf_pkt_handler+0xac/0x118 +pc : [<00000000>] lr : [] psr: 60000193 +sp : c0725db8 ip : 00000000 fp : c0725df4 +r10: 00000001 r9 : 00000193 r8 : ef3ccab4 +r7 : ef3cca10 r6 : eea4586c r5 : 00000000 r4 : ef19ceb4 +r3 : 00000000 r2 : 0000009c r1 : c0725dc4 r0 : ef19ceb4 + +This patch adds a condition to avoid the dereference. + +Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support") +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/renesas_usbhs/fifo.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/renesas_usbhs/fifo.c ++++ b/drivers/usb/renesas_usbhs/fifo.c +@@ -190,7 +190,8 @@ static int usbhsf_pkt_handler(struct usb + goto __usbhs_pkt_handler_end; + } + +- ret = func(pkt, &is_done); ++ if (likely(func)) ++ ret = func(pkt, &is_done); + + if (is_done) + __usbhsf_pkt_del(pkt); diff --git a/queue-4.4/usb-renesas_usbhs-disable-tx-irq-before-starting-tx-dmac-transfer.patch b/queue-4.4/usb-renesas_usbhs-disable-tx-irq-before-starting-tx-dmac-transfer.patch new file mode 100644 index 00000000000..6622a157a01 --- /dev/null +++ b/queue-4.4/usb-renesas_usbhs-disable-tx-irq-before-starting-tx-dmac-transfer.patch @@ -0,0 +1,32 @@ +From 6490865c67825277b29638e839850882600b48ec Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Thu, 10 Mar 2016 11:30:15 +0900 +Subject: usb: renesas_usbhs: disable TX IRQ before starting TX DMAC transfer + +From: Yoshihiro Shimoda + +commit 6490865c67825277b29638e839850882600b48ec upstream. + +This patch adds a code to surely disable TX IRQ of the pipe before +starting TX DMAC transfer. Otherwise, a lot of unnecessary TX IRQs +may happen in rare cases when DMAC is used. + +Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support") +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/renesas_usbhs/fifo.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/renesas_usbhs/fifo.c ++++ b/drivers/usb/renesas_usbhs/fifo.c +@@ -890,6 +890,7 @@ static int usbhsf_dma_prepare_push(struc + + pkt->trans = len; + ++ usbhsf_tx_irq_ctrl(pipe, 0); + INIT_WORK(&pkt->work, xfer_work); + schedule_work(&pkt->work); + diff --git a/queue-4.4/usb-renesas_usbhs-fix-to-avoid-using-a-disabled-ep-in-usbhsg_queue_done.patch b/queue-4.4/usb-renesas_usbhs-fix-to-avoid-using-a-disabled-ep-in-usbhsg_queue_done.patch new file mode 100644 index 00000000000..2a61b44aaf3 --- /dev/null +++ b/queue-4.4/usb-renesas_usbhs-fix-to-avoid-using-a-disabled-ep-in-usbhsg_queue_done.patch @@ -0,0 +1,49 @@ +From 4fccb0767fdbdb781a9c5b5c15ee7b219443c89d Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Mon, 4 Apr 2016 20:40:20 +0900 +Subject: usb: renesas_usbhs: fix to avoid using a disabled ep in usbhsg_queue_done() + +From: Yoshihiro Shimoda + +commit 4fccb0767fdbdb781a9c5b5c15ee7b219443c89d upstream. + +This patch fixes an issue that usbhsg_queue_done() may cause kernel +panic when dma callback is running and usb_ep_disable() is called +by interrupt handler. (Especially, we can reproduce this issue using +g_audio with usb-dmac driver.) + +For example of a flow: + usbhsf_dma_complete (on tasklet) + --> usbhsf_pkt_handler (on tasklet) + --> usbhsg_queue_done (on tasklet) + *** interrupt happened and usb_ep_disable() is called *** + --> usbhsg_queue_pop (on tasklet) + Then, oops happened. + +Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support") +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/renesas_usbhs/mod_gadget.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/renesas_usbhs/mod_gadget.c ++++ b/drivers/usb/renesas_usbhs/mod_gadget.c +@@ -158,10 +158,14 @@ static void usbhsg_queue_done(struct usb + struct usbhs_pipe *pipe = pkt->pipe; + struct usbhsg_uep *uep = usbhsg_pipe_to_uep(pipe); + struct usbhsg_request *ureq = usbhsg_pkt_to_ureq(pkt); ++ unsigned long flags; + + ureq->req.actual = pkt->actual; + +- usbhsg_queue_pop(uep, ureq, 0); ++ usbhs_lock(priv, flags); ++ if (uep) ++ __usbhsg_queue_pop(uep, ureq, 0); ++ usbhs_unlock(priv, flags); + } + + static void usbhsg_queue_push(struct usbhsg_uep *uep, diff --git a/queue-4.4/usb-uas-add-a-new-no_report_luns-quirk.patch b/queue-4.4/usb-uas-add-a-new-no_report_luns-quirk.patch new file mode 100644 index 00000000000..975c990d845 --- /dev/null +++ b/queue-4.4/usb-uas-add-a-new-no_report_luns-quirk.patch @@ -0,0 +1,122 @@ +From 1363074667a6b7d0507527742ccd7bbed5e3ceaa Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 12 Apr 2016 12:27:09 +0200 +Subject: USB: uas: Add a new NO_REPORT_LUNS quirk + +From: Hans de Goede + +commit 1363074667a6b7d0507527742ccd7bbed5e3ceaa upstream. + +Add a new NO_REPORT_LUNS quirk and set it for Seagate drives with +an usb-id of: 0bc2:331a, as these will fail to respond to a +REPORT_LUNS command. + +Reported-and-tested-by: David Webb +Signed-off-by: Hans de Goede +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/kernel-parameters.txt | 2 ++ + drivers/usb/storage/uas.c | 14 +++++++++++++- + drivers/usb/storage/unusual_uas.h | 7 +++++++ + drivers/usb/storage/usb.c | 5 ++++- + include/linux/usb_usual.h | 2 ++ + 5 files changed, 28 insertions(+), 2 deletions(-) + +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -3928,6 +3928,8 @@ bytes respectively. Such letter suffixes + sector if the number is odd); + i = IGNORE_DEVICE (don't bind to this + device); ++ j = NO_REPORT_LUNS (don't use report luns ++ command, uas only); + l = NOT_LOCKABLE (don't try to lock and + unlock ejectable media); + m = MAX_SECTORS_64 (don't transfer more +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -2,7 +2,7 @@ + * USB Attached SCSI + * Note that this is not the same as the USB Mass Storage driver + * +- * Copyright Hans de Goede for Red Hat, Inc. 2013 - 2014 ++ * Copyright Hans de Goede for Red Hat, Inc. 2013 - 2016 + * Copyright Matthew Wilcox for Intel Corp, 2010 + * Copyright Sarah Sharp for Intel Corp, 2010 + * +@@ -757,6 +757,17 @@ static int uas_eh_bus_reset_handler(stru + return SUCCESS; + } + ++static int uas_target_alloc(struct scsi_target *starget) ++{ ++ struct uas_dev_info *devinfo = (struct uas_dev_info *) ++ dev_to_shost(starget->dev.parent)->hostdata; ++ ++ if (devinfo->flags & US_FL_NO_REPORT_LUNS) ++ starget->no_report_luns = 1; ++ ++ return 0; ++} ++ + static int uas_slave_alloc(struct scsi_device *sdev) + { + struct uas_dev_info *devinfo = +@@ -807,6 +818,7 @@ static struct scsi_host_template uas_hos + .module = THIS_MODULE, + .name = "uas", + .queuecommand = uas_queuecommand, ++ .target_alloc = uas_target_alloc, + .slave_alloc = uas_slave_alloc, + .slave_configure = uas_slave_configure, + .eh_abort_handler = uas_eh_abort_handler, +--- a/drivers/usb/storage/unusual_uas.h ++++ b/drivers/usb/storage/unusual_uas.h +@@ -64,6 +64,13 @@ UNUSUAL_DEV(0x0bc2, 0x3312, 0x0000, 0x99 + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_NO_ATA_1X), + ++/* Reported-by: David Webb */ ++UNUSUAL_DEV(0x0bc2, 0x331a, 0x0000, 0x9999, ++ "Seagate", ++ "Expansion Desk", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_NO_REPORT_LUNS), ++ + /* Reported-by: Hans de Goede */ + UNUSUAL_DEV(0x0bc2, 0x3320, 0x0000, 0x9999, + "Seagate", +--- a/drivers/usb/storage/usb.c ++++ b/drivers/usb/storage/usb.c +@@ -482,7 +482,7 @@ void usb_stor_adjust_quirks(struct usb_d + US_FL_NO_READ_DISC_INFO | US_FL_NO_READ_CAPACITY_16 | + US_FL_INITIAL_READ10 | US_FL_WRITE_CACHE | + US_FL_NO_ATA_1X | US_FL_NO_REPORT_OPCODES | +- US_FL_MAX_SECTORS_240); ++ US_FL_MAX_SECTORS_240 | US_FL_NO_REPORT_LUNS); + + p = quirks; + while (*p) { +@@ -532,6 +532,9 @@ void usb_stor_adjust_quirks(struct usb_d + case 'i': + f |= US_FL_IGNORE_DEVICE; + break; ++ case 'j': ++ f |= US_FL_NO_REPORT_LUNS; ++ break; + case 'l': + f |= US_FL_NOT_LOCKABLE; + break; +--- a/include/linux/usb_usual.h ++++ b/include/linux/usb_usual.h +@@ -79,6 +79,8 @@ + /* Cannot handle MI_REPORT_SUPPORTED_OPERATION_CODES */ \ + US_FLAG(MAX_SECTORS_240, 0x08000000) \ + /* Sets max_sectors to 240 */ \ ++ US_FLAG(NO_REPORT_LUNS, 0x10000000) \ ++ /* Cannot handle REPORT_LUNS */ \ + + #define US_FLAG(name, value) US_FL_##name = value , + enum { US_DO_ALL_FLAGS }; diff --git a/queue-4.4/usb-uas-limit-qdepth-at-the-scsi-host-level.patch b/queue-4.4/usb-uas-limit-qdepth-at-the-scsi-host-level.patch new file mode 100644 index 00000000000..c93eaf82021 --- /dev/null +++ b/queue-4.4/usb-uas-limit-qdepth-at-the-scsi-host-level.patch @@ -0,0 +1,45 @@ +From 198de51dbc3454d95b015ca0a055b673f85f01bb Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 12 Apr 2016 12:27:08 +0200 +Subject: USB: uas: Limit qdepth at the scsi-host level + +From: Hans de Goede + +commit 198de51dbc3454d95b015ca0a055b673f85f01bb upstream. + +Commit 64d513ac31bd ("scsi: use host wide tags by default") causes +the SCSI core to queue more commands then we can handle on devices with +multiple LUNs, limit the queue depth at the scsi-host level instead of +per slave to fix this. + +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1315013 +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/uas.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -800,7 +800,6 @@ static int uas_slave_configure(struct sc + if (devinfo->flags & US_FL_BROKEN_FUA) + sdev->broken_fua = 1; + +- scsi_change_queue_depth(sdev, devinfo->qdepth - 2); + return 0; + } + +@@ -932,6 +931,12 @@ static int uas_probe(struct usb_interfac + if (result) + goto set_alt0; + ++ /* ++ * 1 tag is reserved for untagged commands + ++ * 1 tag to avoid off by one errors in some bridge firmwares ++ */ ++ shost->can_queue = devinfo->qdepth - 2; ++ + usb_set_intfdata(intf, shost); + result = scsi_add_host(shost, &intf->dev); + if (result) diff --git a/queue-4.4/v4l-vsp1-set-the-sru-ctrl0-register-when-starting-the-stream.patch b/queue-4.4/v4l-vsp1-set-the-sru-ctrl0-register-when-starting-the-stream.patch new file mode 100644 index 00000000000..37781069de9 --- /dev/null +++ b/queue-4.4/v4l-vsp1-set-the-sru-ctrl0-register-when-starting-the-stream.patch @@ -0,0 +1,33 @@ +From f6acfcdc5b8cdc9ddd53a459361820b9efe958c4 Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart +Date: Wed, 9 Sep 2015 11:38:56 -0300 +Subject: [media] v4l: vsp1: Set the SRU CTRL0 register when starting the stream + +From: Laurent Pinchart + +commit f6acfcdc5b8cdc9ddd53a459361820b9efe958c4 upstream. + +Commit 58f896d859ce ("[media] v4l: vsp1: sru: Make the intensity +controllable during streaming") refactored the stream start code and +removed the SRU CTRL0 register write by mistake. Add it back. + +Fixes: 58f896d859ce ("[media] v4l: vsp1: sru: Make the intensity controllable during streaming") + +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/vsp1/vsp1_sru.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/platform/vsp1/vsp1_sru.c ++++ b/drivers/media/platform/vsp1/vsp1_sru.c +@@ -154,6 +154,7 @@ static int sru_s_stream(struct v4l2_subd + mutex_lock(sru->ctrls.lock); + ctrl0 |= vsp1_sru_read(sru, VI6_SRU_CTRL0) + & (VI6_SRU_CTRL0_PARAM0_MASK | VI6_SRU_CTRL0_PARAM1_MASK); ++ vsp1_sru_write(sru, VI6_SRU_CTRL0, ctrl0); + mutex_unlock(sru->ctrls.lock); + + vsp1_sru_write(sru, VI6_SRU_CTRL1, VI6_SRU_CTRL1_PARAM5); diff --git a/queue-4.4/virtio-virtio-1.0-cs04-spec-compliance-for-reset.patch b/queue-4.4/virtio-virtio-1.0-cs04-spec-compliance-for-reset.patch new file mode 100644 index 00000000000..465aba80104 --- /dev/null +++ b/queue-4.4/virtio-virtio-1.0-cs04-spec-compliance-for-reset.patch @@ -0,0 +1,48 @@ +From 05dbcb430795b2e1fb1d5c757f8619d3dbed0a1c Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Sun, 3 Apr 2016 15:23:37 +0300 +Subject: virtio: virtio 1.0 cs04 spec compliance for reset + +From: Michael S. Tsirkin + +commit 05dbcb430795b2e1fb1d5c757f8619d3dbed0a1c upstream. + +The spec says: after writing 0 to device_status, the driver MUST wait +for a read of device_status to return 0 before reinitializing the +device. + +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/virtio/virtio_pci_modern.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/virtio/virtio_pci_modern.c ++++ b/drivers/virtio/virtio_pci_modern.c +@@ -17,6 +17,7 @@ + * + */ + ++#include + #define VIRTIO_PCI_NO_LEGACY + #include "virtio_pci_common.h" + +@@ -271,9 +272,13 @@ static void vp_reset(struct virtio_devic + struct virtio_pci_device *vp_dev = to_vp_device(vdev); + /* 0 status means a reset. */ + vp_iowrite8(0, &vp_dev->common->device_status); +- /* Flush out the status write, and flush in device writes, +- * including MSI-X interrupts, if any. */ +- vp_ioread8(&vp_dev->common->device_status); ++ /* After writing 0 to device_status, the driver MUST wait for a read of ++ * device_status to return 0 before reinitializing the device. ++ * This will flush out the status write, and flush in device writes, ++ * including MSI-X interrupts, if any. ++ */ ++ while (vp_ioread8(&vp_dev->common->device_status)) ++ msleep(1); + /* Flush pending VQ/configuration callbacks. */ + vp_synchronize_vectors(vdev); + }