From: Greg Kroah-Hartman Date: Fri, 6 Nov 2015 00:37:53 +0000 (-0800) Subject: 4.1-stable patches X-Git-Tag: v3.10.93~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=af068d419b6db8c19a350e2a390df7aee2179509;p=thirdparty%2Fkernel%2Fstable-queue.git 4.1-stable patches added patches: alsa-hda-fix-deadlock-at-error-in-building-pcm.patch alsa-hda-fix-inverted-internal-mic-on-lenovo-g50-80.patch asoc-add-info-callback-for-sx_tlv-controls.patch asoc-wm8904-correct-number-of-eq-registers.patch drm-fix-mutex-leak-in-drm_dp_get_mst_branch_device.patch drm-i915-deny-wrapping-an-userptr-into-a-framebuffer.patch drm-i915-flush-pipecontrol-post-sync-writes.patch drm-i915-restore-lost-dpll-register-write-on-gen2-4.patch drm-nouveau-gem-return-only-valid-domain-when-there-s-only-one.patch drm-radeon-don-t-try-to-recreate-sysfs-entries-on-resume.patch drm-radeon-dpm-don-t-add-pwm-attributes-if-dpm-is-disabled.patch drm-radeon-fix-dpms-when-driver-backlight-control-is-disabled.patch drm-radeon-move-bl-encoder-assignment-into-bl-init.patch fault-inject-fix-inverted-interval-probability-values-in-printk.patch iommu-amd-don-t-clear-dte-flags-when-modifying-it.patch iommu-amd-fix-bug-when-faulting-a-prot_none-vma.patch iommu-vt-d-fix-range-computation-when-making-room-for-large-pages.patch iwlwifi-mvm-clear-csa-countdown-when-ap-is-stopped.patch iwlwifi-mvm-fix-d3-ccmp-tx-pn-assignment.patch iwlwifi-mvm-fix-d3-firmware-pn-programming.patch iwlwifi-mvm-flush-fw_dump_wk-when-mvm-fails-to-start.patch iwlwifi-mvm-init-card-correctly-on-ctkill-exit-check.patch iwlwifi-pci-add-a-few-more-pci-subvendor-ids-for-the-7265-series.patch kvm-arm-use-gic-support-unconditionally.patch mm-make-sendfile-2-killable.patch powerpc-rtas-validate-rtas.entry-before-calling-enter_rtas.patch rtl28xxu-fix-control-message-flaws.patch rtlwifi-rtl8821ae-fix-system-lockups-on-boot.patch si2157-bounds-check-firmware.patch si2168-bounds-check-firmware.patch x86-efi-fix-multiple-gop-device-support.patch x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch --- diff --git a/queue-4.1/alsa-hda-fix-deadlock-at-error-in-building-pcm.patch b/queue-4.1/alsa-hda-fix-deadlock-at-error-in-building-pcm.patch new file mode 100644 index 00000000000..47d6662dcbe --- /dev/null +++ b/queue-4.1/alsa-hda-fix-deadlock-at-error-in-building-pcm.patch @@ -0,0 +1,65 @@ +From d289619a219dd01e255d7b5e30f9171b25efea48 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 20 Oct 2015 16:23:55 +0200 +Subject: ALSA: hda - Fix deadlock at error in building PCM + +From: Takashi Iwai + +commit d289619a219dd01e255d7b5e30f9171b25efea48 upstream. + +The HDA codec driver issues snd_hda_codec_reset() at the error path of +PCM build. This was needed in the earlier code base, but the recent +rewrite to use the standard bus binding made this a deadlock: + modprobe D 0000000000000005 0 720 716 0x00000080 + Call Trace: + [] schedule+0x3e/0x90 + [] schedule_preempt_disabled+0x15/0x20 + [] __mutex_lock_slowpath+0xb5/0x120 + [] mutex_lock+0x1b/0x30 + [] device_release_driver+0x1b/0x30 + [] bus_remove_device+0x105/0x180 + [] device_del+0x139/0x260 + [] snd_hdac_device_unregister+0x25/0x30 [snd_hda_core] + [] snd_hda_codec_reset+0x2a/0x70 [snd_hda_codec] + [] snd_hda_codec_build_pcms+0x18b/0x1b0 [snd_hda_codec] + [] hda_codec_driver_probe+0xbe/0x140 [snd_hda_codec] + [] driver_probe_device+0x1f4/0x460 + [] __driver_attach+0x90/0xa0 + [] bus_for_each_dev+0x64/0xa0 + [] driver_attach+0x1e/0x20 + [] bus_add_driver+0x1eb/0x280 + [] driver_register+0x60/0xe0 + [] __hda_codec_driver_register+0x5a/0x60 [snd_hda_codec] + [] realtek_driver_init+0x1e/0x1000 [snd_hda_codec_realtek] + [] do_one_initcall+0xb3/0x200 + [] do_init_module+0x60/0x1f8 + [] load_module+0x1653/0x1bd0 + [] SYSC_finit_module+0x98/0xc0 + [] SyS_finit_module+0xe/0x10 + [] entry_SYSCALL_64_fastpath+0x16/0x75 + +The simple fix is just to remove this call, since we don't need to +think about unbinding at there any longer. + +Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=948758 +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_codec.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -3833,10 +3833,8 @@ int snd_hda_codec_build_pcms(struct hda_ + return -EINVAL; + + err = snd_hda_codec_parse_pcms(codec); +- if (err < 0) { +- snd_hda_codec_reset(codec); ++ if (err < 0) + return err; +- } + + /* attach a new PCM streams */ + list_for_each_entry(cpcm, &codec->pcm_list_head, list) { diff --git a/queue-4.1/alsa-hda-fix-inverted-internal-mic-on-lenovo-g50-80.patch b/queue-4.1/alsa-hda-fix-inverted-internal-mic-on-lenovo-g50-80.patch new file mode 100644 index 00000000000..2e94dc87199 --- /dev/null +++ b/queue-4.1/alsa-hda-fix-inverted-internal-mic-on-lenovo-g50-80.patch @@ -0,0 +1,34 @@ +From e8d65a8d985271a102f07c7456da5b86c19ffe16 Mon Sep 17 00:00:00 2001 +From: David Henningsson +Date: Tue, 13 Oct 2015 10:10:18 +0200 +Subject: ALSA: hda - Fix inverted internal mic on Lenovo G50-80 + +From: David Henningsson + +commit e8d65a8d985271a102f07c7456da5b86c19ffe16 upstream. + +Add the appropriate quirk to indicate the Lenovo G50-80 has a stereo +mic input where one channel has reverse polarity. + +Alsa-info available at: +https://launchpadlibrarian.net/220846272/AlsaInfo.txt + +BugLink: https://bugs.launchpad.net/bugs/1504778 +Signed-off-by: David Henningsson +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -819,6 +819,7 @@ static const struct snd_pci_quirk cxt506 + SND_PCI_QUIRK(0x17aa, 0x21da, "Lenovo X220", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x21db, "Lenovo X220-tablet", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo IdeaPad Z560", CXT_FIXUP_MUTE_LED_EAPD), ++ SND_PCI_QUIRK(0x17aa, 0x390b, "Lenovo G50-80", CXT_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x17aa, 0x3975, "Lenovo U300s", CXT_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x17aa, 0x397b, "Lenovo S205", CXT_FIXUP_STEREO_DMIC), diff --git a/queue-4.1/asoc-add-info-callback-for-sx_tlv-controls.patch b/queue-4.1/asoc-add-info-callback-for-sx_tlv-controls.patch new file mode 100644 index 00000000000..3622861f6d7 --- /dev/null +++ b/queue-4.1/asoc-add-info-callback-for-sx_tlv-controls.patch @@ -0,0 +1,102 @@ +From 34198710f55b5f359f43e67d9a08fe5aadfbca1b Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Wed, 14 Oct 2015 13:31:24 +0100 +Subject: ASoC: Add info callback for SX_TLV controls + +From: Charles Keepax + +commit 34198710f55b5f359f43e67d9a08fe5aadfbca1b upstream. + +SX_TLV controls are intended for situations where the register behind +the control has some non-zero value indicating the minimum gain +and then gains increasing from there and eventually overflowing through +zero. + +Currently every CODEC implementing these controls specifies the minimum +as the non-zero value for the minimum and the maximum as the number of +gain settings available. + +This means when the info callback subtracts the minimum value from the +maximum value to calculate the number of gain levels available it is +actually under reporting the available levels. This patch fixes this +issue by adding a new snd_soc_info_volsw_sx callback that does not +subtract the minimum value. + +Fixes: 1d99f2436d0d ("ASoC: core: Rework SOC_DOUBLE_R_SX_TLV add SOC_SINGLE_SX_TLV") +Signed-off-by: Charles Keepax +Acked-by: Brian Austin +Tested-by: Brian Austin +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + include/sound/soc.h | 6 ++++-- + sound/soc/soc-ops.c | 28 ++++++++++++++++++++++++++++ + 2 files changed, 32 insertions(+), 2 deletions(-) + +--- a/include/sound/soc.h ++++ b/include/sound/soc.h +@@ -85,7 +85,7 @@ + .access = SNDRV_CTL_ELEM_ACCESS_TLV_READ | \ + SNDRV_CTL_ELEM_ACCESS_READWRITE, \ + .tlv.p = (tlv_array),\ +- .info = snd_soc_info_volsw, \ ++ .info = snd_soc_info_volsw_sx, \ + .get = snd_soc_get_volsw_sx,\ + .put = snd_soc_put_volsw_sx, \ + .private_value = (unsigned long)&(struct soc_mixer_control) \ +@@ -155,7 +155,7 @@ + .access = SNDRV_CTL_ELEM_ACCESS_TLV_READ | \ + SNDRV_CTL_ELEM_ACCESS_READWRITE, \ + .tlv.p = (tlv_array), \ +- .info = snd_soc_info_volsw, \ ++ .info = snd_soc_info_volsw_sx, \ + .get = snd_soc_get_volsw_sx, \ + .put = snd_soc_put_volsw_sx, \ + .private_value = (unsigned long)&(struct soc_mixer_control) \ +@@ -563,6 +563,8 @@ int snd_soc_put_enum_double(struct snd_k + struct snd_ctl_elem_value *ucontrol); + int snd_soc_info_volsw(struct snd_kcontrol *kcontrol, + struct snd_ctl_elem_info *uinfo); ++int snd_soc_info_volsw_sx(struct snd_kcontrol *kcontrol, ++ struct snd_ctl_elem_info *uinfo); + #define snd_soc_info_bool_ext snd_ctl_boolean_mono_info + int snd_soc_get_volsw(struct snd_kcontrol *kcontrol, + struct snd_ctl_elem_value *ucontrol); +--- a/sound/soc/soc-ops.c ++++ b/sound/soc/soc-ops.c +@@ -207,6 +207,34 @@ int snd_soc_info_volsw(struct snd_kcontr + EXPORT_SYMBOL_GPL(snd_soc_info_volsw); + + /** ++ * snd_soc_info_volsw_sx - Mixer info callback for SX TLV controls ++ * @kcontrol: mixer control ++ * @uinfo: control element information ++ * ++ * Callback to provide information about a single mixer control, or a double ++ * mixer control that spans 2 registers of the SX TLV type. SX TLV controls ++ * have a range that represents both positive and negative values either side ++ * of zero but without a sign bit. ++ * ++ * Returns 0 for success. ++ */ ++int snd_soc_info_volsw_sx(struct snd_kcontrol *kcontrol, ++ struct snd_ctl_elem_info *uinfo) ++{ ++ struct soc_mixer_control *mc = ++ (struct soc_mixer_control *)kcontrol->private_value; ++ ++ snd_soc_info_volsw(kcontrol, uinfo); ++ /* Max represents the number of levels in an SX control not the ++ * maximum value, so add the minimum value back on ++ */ ++ uinfo->value.integer.max += mc->min; ++ ++ return 0; ++} ++EXPORT_SYMBOL_GPL(snd_soc_info_volsw_sx); ++ ++/** + * snd_soc_get_volsw - single mixer get callback + * @kcontrol: mixer control + * @ucontrol: control element information diff --git a/queue-4.1/asoc-wm8904-correct-number-of-eq-registers.patch b/queue-4.1/asoc-wm8904-correct-number-of-eq-registers.patch new file mode 100644 index 00000000000..a746b09a651 --- /dev/null +++ b/queue-4.1/asoc-wm8904-correct-number-of-eq-registers.patch @@ -0,0 +1,32 @@ +From 97aff2c03a1e4d343266adadb52313613efb027f Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Tue, 20 Oct 2015 10:25:58 +0100 +Subject: ASoC: wm8904: Correct number of EQ registers + +From: Charles Keepax + +commit 97aff2c03a1e4d343266adadb52313613efb027f upstream. + +There are 24 EQ registers not 25, I suspect this bug came about because +the registers start at EQ1 not zero. The bug is relatively harmless as +the extra register written is an unused one. + +Signed-off-by: Charles Keepax +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + include/sound/wm8904.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/sound/wm8904.h ++++ b/include/sound/wm8904.h +@@ -119,7 +119,7 @@ + #define WM8904_MIC_REGS 2 + #define WM8904_GPIO_REGS 4 + #define WM8904_DRC_REGS 4 +-#define WM8904_EQ_REGS 25 ++#define WM8904_EQ_REGS 24 + + /** + * DRC configurations are specified with a label and a set of register diff --git a/queue-4.1/drm-fix-mutex-leak-in-drm_dp_get_mst_branch_device.patch b/queue-4.1/drm-fix-mutex-leak-in-drm_dp_get_mst_branch_device.patch new file mode 100644 index 00000000000..22f3cd7e243 --- /dev/null +++ b/queue-4.1/drm-fix-mutex-leak-in-drm_dp_get_mst_branch_device.patch @@ -0,0 +1,50 @@ +From 30730c7f5943b3beace1e29f7f1476e05de3da14 Mon Sep 17 00:00:00 2001 +From: Adam Richter +Date: Fri, 16 Oct 2015 03:33:02 -0700 +Subject: drm: fix mutex leak in drm_dp_get_mst_branch_device + +From: Adam Richter + +commit 30730c7f5943b3beace1e29f7f1476e05de3da14 upstream. + +In Linux 4.3-rc5, there is an error case in drm_dp_get_branch_device +that returns without releasing mgr->lock, resulting a spew of kernel +messages about a kernel work function possibly having leaked a mutex +and presumably more serious adverse consequences later. This patch +changes the error to "goto out" to unlock the mutex before returning. + +[airlied: grabbed from drm-next as it fixes something we've seen] + +Signed-off-by: Adam J. Richter +Signed-off-by: Daniel Vetter +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_dp_mst_topology.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -1179,17 +1179,18 @@ static struct drm_dp_mst_branch *drm_dp_ + + list_for_each_entry(port, &mstb->ports, next) { + if (port->port_num == port_num) { +- if (!port->mstb) { ++ mstb = port->mstb; ++ if (!mstb) { + DRM_ERROR("failed to lookup MSTB with lct %d, rad %02x\n", lct, rad[0]); +- return NULL; ++ goto out; + } + +- mstb = port->mstb; + break; + } + } + } + kref_get(&mstb->kref); ++out: + mutex_unlock(&mgr->lock); + return mstb; + } diff --git a/queue-4.1/drm-i915-deny-wrapping-an-userptr-into-a-framebuffer.patch b/queue-4.1/drm-i915-deny-wrapping-an-userptr-into-a-framebuffer.patch new file mode 100644 index 00000000000..e6f6e23fb5d --- /dev/null +++ b/queue-4.1/drm-i915-deny-wrapping-an-userptr-into-a-framebuffer.patch @@ -0,0 +1,64 @@ +From cc917ab43541db3ff66d0136042686d40a1b4c9a Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Tue, 13 Oct 2015 14:22:26 +0100 +Subject: drm/i915: Deny wrapping an userptr into a framebuffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chris Wilson + +commit cc917ab43541db3ff66d0136042686d40a1b4c9a upstream. + +Pinning a userptr onto the hardware raises interesting questions about +the lifetime of such a surface as the framebuffer extends that life +beyond the client's address space. That is the hardware will need to +keep scanning out from the backing storage even after the client wants +to remap its address space. As the hardware pins the backing storage, +the userptr becomes invalid and this raises a WARN when the clients +tries to unmap its address space. The situation can be even more +complicated when the buffer is passed between processes, between a +client and display server, where the lifetime and hardware access is +even more confusing. Deny it. + +Signed-off-by: Chris Wilson +Cc: Daniel Vetter +Cc: Tvrtko Ursulin +Cc: Michał Winiarski +Reviewed-by: Tvrtko Ursulin +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_gem_userptr.c | 5 ++++- + drivers/gpu/drm/i915/intel_display.c | 5 +++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/i915_gem_userptr.c ++++ b/drivers/gpu/drm/i915/i915_gem_userptr.c +@@ -776,7 +776,10 @@ static const struct drm_i915_gem_object_ + * Also note, that the object created here is not currently a "first class" + * object, in that several ioctls are banned. These are the CPU access + * ioctls: mmap(), pwrite and pread. In practice, you are expected to use +- * direct access via your pointer rather than use those ioctls. ++ * direct access via your pointer rather than use those ioctls. Another ++ * restriction is that we do not allow userptr surfaces to be pinned to the ++ * hardware and so we reject any attempt to create a framebuffer out of a ++ * userptr. + * + * If you think this is a good interface to use to pass GPU memory between + * drivers, please use dma-buf instead. In fact, wherever possible use +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -13214,6 +13214,11 @@ static int intel_user_framebuffer_create + struct intel_framebuffer *intel_fb = to_intel_framebuffer(fb); + struct drm_i915_gem_object *obj = intel_fb->obj; + ++ if (obj->userptr.mm) { ++ DRM_DEBUG("attempting to use a userptr for a framebuffer, denied\n"); ++ return -EINVAL; ++ } ++ + return drm_gem_handle_create(file, &obj->base, handle); + } + diff --git a/queue-4.1/drm-i915-flush-pipecontrol-post-sync-writes.patch b/queue-4.1/drm-i915-flush-pipecontrol-post-sync-writes.patch new file mode 100644 index 00000000000..b252b515101 --- /dev/null +++ b/queue-4.1/drm-i915-flush-pipecontrol-post-sync-writes.patch @@ -0,0 +1,61 @@ +From 40a24488f5250d63341e74b9994159afc4589606 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Fri, 21 Aug 2015 16:08:41 +0100 +Subject: drm/i915: Flush pipecontrol post-sync writes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chris Wilson + +commit 40a24488f5250d63341e74b9994159afc4589606 upstream. + +In order to flush the results from in-batch pipecontrol writes (used for +example in glQuery) before declaring the batch complete (and so declaring +the query results coherent), we need to set the FlushEnable bit in our +flushing pipecontrol. The FlushEnable bit "waits until all previous +writes of immediate data from post-sync circles are complete before +executing the next command". + +I get GPU hangs on byt without flushing these writes (running ue4). +piglit has examples where the flush is required for correct rendering. + +Signed-off-by: Chris Wilson +Reviewed-by: Ville Syrjälä +Acked-by: Daniel Vetter +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_lrc.c | 1 + + drivers/gpu/drm/i915/intel_ringbuffer.c | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/drivers/gpu/drm/i915/intel_lrc.c ++++ b/drivers/gpu/drm/i915/intel_lrc.c +@@ -1298,6 +1298,7 @@ static int gen8_emit_flush_render(struct + if (flush_domains) { + flags |= PIPE_CONTROL_RENDER_TARGET_CACHE_FLUSH; + flags |= PIPE_CONTROL_DEPTH_CACHE_FLUSH; ++ flags |= PIPE_CONTROL_FLUSH_ENABLE; + } + + if (invalidate_domains) { +--- a/drivers/gpu/drm/i915/intel_ringbuffer.c ++++ b/drivers/gpu/drm/i915/intel_ringbuffer.c +@@ -342,6 +342,7 @@ gen7_render_ring_flush(struct intel_engi + if (flush_domains) { + flags |= PIPE_CONTROL_RENDER_TARGET_CACHE_FLUSH; + flags |= PIPE_CONTROL_DEPTH_CACHE_FLUSH; ++ flags |= PIPE_CONTROL_FLUSH_ENABLE; + } + if (invalidate_domains) { + flags |= PIPE_CONTROL_TLB_INVALIDATE; +@@ -412,6 +413,7 @@ gen8_render_ring_flush(struct intel_engi + if (flush_domains) { + flags |= PIPE_CONTROL_RENDER_TARGET_CACHE_FLUSH; + flags |= PIPE_CONTROL_DEPTH_CACHE_FLUSH; ++ flags |= PIPE_CONTROL_FLUSH_ENABLE; + } + if (invalidate_domains) { + flags |= PIPE_CONTROL_TLB_INVALIDATE; diff --git a/queue-4.1/drm-i915-restore-lost-dpll-register-write-on-gen2-4.patch b/queue-4.1/drm-i915-restore-lost-dpll-register-write-on-gen2-4.patch new file mode 100644 index 00000000000..0942410d2f5 --- /dev/null +++ b/queue-4.1/drm-i915-restore-lost-dpll-register-write-on-gen2-4.patch @@ -0,0 +1,42 @@ +From 8e7a65aa70bcc1235a44e40ae0da5056525fe081 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Wed, 7 Oct 2015 22:08:24 +0300 +Subject: drm/i915: Restore lost DPLL register write on gen2-4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= + +commit 8e7a65aa70bcc1235a44e40ae0da5056525fe081 upstream. + +We accidentally lost the initial DPLL register write in +1c4e02746147 drm/i915: Fix DVO 2x clock enable on 830M + +The "three times for luck" hack probably saved us from a total +disaster. But anyway, bring the initial write back so that the +code actually makes some sense. + +Reported-and-tested-by: Nick Bowler +References: http://mid.gmane.org/CAN_QmVyMaArxYgEcVVsGvsMo7-6ohZr8HmF5VhkkL4i9KOmrhw@mail.gmail.com +Cc: Nick Bowler +Signed-off-by: Ville Syrjälä +Reviewed-by: Daniel Vetter +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_display.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -1699,6 +1699,8 @@ static void i9xx_enable_pll(struct intel + I915_READ(DPLL(!crtc->pipe)) | DPLL_DVO_2X_MODE); + } + ++ I915_WRITE(reg, dpll); ++ + /* Wait for the clocks to stabilize. */ + POSTING_READ(reg); + udelay(150); diff --git a/queue-4.1/drm-nouveau-gem-return-only-valid-domain-when-there-s-only-one.patch b/queue-4.1/drm-nouveau-gem-return-only-valid-domain-when-there-s-only-one.patch new file mode 100644 index 00000000000..0a1a1e66646 --- /dev/null +++ b/queue-4.1/drm-nouveau-gem-return-only-valid-domain-when-there-s-only-one.patch @@ -0,0 +1,46 @@ +From 2a6c521bb41ce862e43db46f52e7681d33e8d771 Mon Sep 17 00:00:00 2001 +From: Ilia Mirkin +Date: Tue, 20 Oct 2015 01:15:39 -0400 +Subject: drm/nouveau/gem: return only valid domain when there's only one + +From: Ilia Mirkin + +commit 2a6c521bb41ce862e43db46f52e7681d33e8d771 upstream. + +On nv50+, we restrict the valid domains to just the one where the buffer +was originally created. However after the buffer is evicted to system +memory, we might move it back to a different domain that was not +originally valid. When sharing the buffer and retrieving its GEM_INFO +data, we still want the domain that will be valid for this buffer in a +pushbuf, not the one where it currently happens to be. + +This resolves fdo#92504 and several others. These are due to suspend +evicting all buffers, making it more likely that they temporarily end up +in the wrong place. + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92504 +Signed-off-by: Ilia Mirkin +Signed-off-by: Ben Skeggs +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/nouveau_gem.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nouveau_gem.c ++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c +@@ -227,11 +227,12 @@ nouveau_gem_info(struct drm_file *file_p + struct nouveau_bo *nvbo = nouveau_gem_object(gem); + struct nvkm_vma *vma; + +- if (nvbo->bo.mem.mem_type == TTM_PL_TT) ++ if (is_power_of_2(nvbo->valid_domains)) ++ rep->domain = nvbo->valid_domains; ++ else if (nvbo->bo.mem.mem_type == TTM_PL_TT) + rep->domain = NOUVEAU_GEM_DOMAIN_GART; + else + rep->domain = NOUVEAU_GEM_DOMAIN_VRAM; +- + rep->offset = nvbo->bo.offset; + if (cli->vm) { + vma = nouveau_bo_vma_find(nvbo, cli->vm); diff --git a/queue-4.1/drm-radeon-don-t-try-to-recreate-sysfs-entries-on-resume.patch b/queue-4.1/drm-radeon-don-t-try-to-recreate-sysfs-entries-on-resume.patch new file mode 100644 index 00000000000..201503259d4 --- /dev/null +++ b/queue-4.1/drm-radeon-don-t-try-to-recreate-sysfs-entries-on-resume.patch @@ -0,0 +1,88 @@ +From 49abb26651167c892393cd9f2ad23df429645ed9 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Fri, 23 Oct 2015 10:38:52 -0400 +Subject: drm/radeon: don't try to recreate sysfs entries on resume + +From: Alex Deucher + +commit 49abb26651167c892393cd9f2ad23df429645ed9 upstream. + +Fixes a harmless error message caused by: +51a4726b04e880fdd9b4e0e58b13f70b0a68a7f5 + +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon.h | 1 + + drivers/gpu/drm/radeon/radeon_pm.c | 35 +++++++++++++++++++++-------------- + 2 files changed, 22 insertions(+), 14 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon.h ++++ b/drivers/gpu/drm/radeon/radeon.h +@@ -1656,6 +1656,7 @@ struct radeon_pm { + u8 fan_max_rpm; + /* dpm */ + bool dpm_enabled; ++ bool sysfs_initialized; + struct radeon_dpm dpm; + }; + +--- a/drivers/gpu/drm/radeon/radeon_pm.c ++++ b/drivers/gpu/drm/radeon/radeon_pm.c +@@ -1533,19 +1533,23 @@ int radeon_pm_late_init(struct radeon_de + + if (rdev->pm.pm_method == PM_METHOD_DPM) { + if (rdev->pm.dpm_enabled) { +- ret = device_create_file(rdev->dev, &dev_attr_power_dpm_state); +- if (ret) +- DRM_ERROR("failed to create device file for dpm state\n"); +- ret = device_create_file(rdev->dev, &dev_attr_power_dpm_force_performance_level); +- if (ret) +- DRM_ERROR("failed to create device file for dpm state\n"); +- /* XXX: these are noops for dpm but are here for backwards compat */ +- ret = device_create_file(rdev->dev, &dev_attr_power_profile); +- if (ret) +- DRM_ERROR("failed to create device file for power profile\n"); +- ret = device_create_file(rdev->dev, &dev_attr_power_method); +- if (ret) +- DRM_ERROR("failed to create device file for power method\n"); ++ if (!rdev->pm.sysfs_initialized) { ++ ret = device_create_file(rdev->dev, &dev_attr_power_dpm_state); ++ if (ret) ++ DRM_ERROR("failed to create device file for dpm state\n"); ++ ret = device_create_file(rdev->dev, &dev_attr_power_dpm_force_performance_level); ++ if (ret) ++ DRM_ERROR("failed to create device file for dpm state\n"); ++ /* XXX: these are noops for dpm but are here for backwards compat */ ++ ret = device_create_file(rdev->dev, &dev_attr_power_profile); ++ if (ret) ++ DRM_ERROR("failed to create device file for power profile\n"); ++ ret = device_create_file(rdev->dev, &dev_attr_power_method); ++ if (ret) ++ DRM_ERROR("failed to create device file for power method\n"); ++ if (!ret) ++ rdev->pm.sysfs_initialized = true; ++ } + + mutex_lock(&rdev->pm.mutex); + ret = radeon_dpm_late_enable(rdev); +@@ -1561,7 +1565,8 @@ int radeon_pm_late_init(struct radeon_de + } + } + } else { +- if (rdev->pm.num_power_states > 1) { ++ if ((rdev->pm.num_power_states > 1) && ++ (!rdev->pm.sysfs_initialized)) { + /* where's the best place to put these? */ + ret = device_create_file(rdev->dev, &dev_attr_power_profile); + if (ret) +@@ -1569,6 +1574,8 @@ int radeon_pm_late_init(struct radeon_de + ret = device_create_file(rdev->dev, &dev_attr_power_method); + if (ret) + DRM_ERROR("failed to create device file for power method\n"); ++ if (!ret) ++ rdev->pm.sysfs_initialized = true; + } + } + return ret; diff --git a/queue-4.1/drm-radeon-dpm-don-t-add-pwm-attributes-if-dpm-is-disabled.patch b/queue-4.1/drm-radeon-dpm-don-t-add-pwm-attributes-if-dpm-is-disabled.patch new file mode 100644 index 00000000000..05aa7df4e26 --- /dev/null +++ b/queue-4.1/drm-radeon-dpm-don-t-add-pwm-attributes-if-dpm-is-disabled.patch @@ -0,0 +1,41 @@ +From 2a7d44f47f53fa1be677f44c73d78b1bcf9c05d9 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 19 Oct 2015 09:30:42 -0400 +Subject: drm/radeon/dpm: don't add pwm attributes if DPM is disabled + +From: Alex Deucher + +commit 2a7d44f47f53fa1be677f44c73d78b1bcf9c05d9 upstream. + +PWM fan control is only available with DPM. If DPM disabled, +don't expose the PWM fan controls to avoid a crash. + +Bug: +https://bugs.freedesktop.org/show_bug.cgi?id=92524 + +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_pm.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon_pm.c ++++ b/drivers/gpu/drm/radeon/radeon_pm.c +@@ -720,10 +720,14 @@ static umode_t hwmon_attributes_visible( + struct radeon_device *rdev = dev_get_drvdata(dev); + umode_t effective_mode = attr->mode; + +- /* Skip limit attributes if DPM is not enabled */ ++ /* Skip attributes if DPM is not enabled */ + if (rdev->pm.pm_method != PM_METHOD_DPM && + (attr == &sensor_dev_attr_temp1_crit.dev_attr.attr || +- attr == &sensor_dev_attr_temp1_crit_hyst.dev_attr.attr)) ++ attr == &sensor_dev_attr_temp1_crit_hyst.dev_attr.attr || ++ attr == &sensor_dev_attr_pwm1.dev_attr.attr || ++ attr == &sensor_dev_attr_pwm1_enable.dev_attr.attr || ++ attr == &sensor_dev_attr_pwm1_max.dev_attr.attr || ++ attr == &sensor_dev_attr_pwm1_min.dev_attr.attr)) + return 0; + + /* Skip fan attributes if fan is not present */ diff --git a/queue-4.1/drm-radeon-fix-dpms-when-driver-backlight-control-is-disabled.patch b/queue-4.1/drm-radeon-fix-dpms-when-driver-backlight-control-is-disabled.patch new file mode 100644 index 00000000000..9b9d366371a --- /dev/null +++ b/queue-4.1/drm-radeon-fix-dpms-when-driver-backlight-control-is-disabled.patch @@ -0,0 +1,61 @@ +From ae93580ee59c02395c1711d3e6b90546b8137b86 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 27 Oct 2015 10:56:44 -0400 +Subject: drm/radeon: fix dpms when driver backlight control is disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit ae93580ee59c02395c1711d3e6b90546b8137b86 upstream. + +If driver backlight control is disabled, either by driver +parameter or default per-asic setting, revert to the old behavior. + +Fixes a regression in commit: +4281f46ef839050d2ef60348f661eb463c21cc2e + +Reviewed-by: Michel Dänzer +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/atombios_encoders.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/radeon/atombios_encoders.c ++++ b/drivers/gpu/drm/radeon/atombios_encoders.c +@@ -1624,9 +1624,14 @@ radeon_atom_encoder_dpms_avivo(struct dr + } else + atom_execute_table(rdev->mode_info.atom_context, index, (uint32_t *)&args); + if (radeon_encoder->devices & (ATOM_DEVICE_LCD_SUPPORT)) { +- struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv; ++ if (rdev->mode_info.bl_encoder) { ++ struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv; + +- atombios_set_backlight_level(radeon_encoder, dig->backlight_level); ++ atombios_set_backlight_level(radeon_encoder, dig->backlight_level); ++ } else { ++ args.ucAction = ATOM_LCD_BLON; ++ atom_execute_table(rdev->mode_info.atom_context, index, (uint32_t *)&args); ++ } + } + break; + case DRM_MODE_DPMS_STANDBY: +@@ -1706,8 +1711,13 @@ radeon_atom_encoder_dpms_dig(struct drm_ + if (ASIC_IS_DCE4(rdev)) + atombios_dig_encoder_setup(encoder, ATOM_ENCODER_CMD_DP_VIDEO_ON, 0); + } +- if (radeon_encoder->devices & (ATOM_DEVICE_LCD_SUPPORT)) +- atombios_set_backlight_level(radeon_encoder, dig->backlight_level); ++ if (radeon_encoder->devices & (ATOM_DEVICE_LCD_SUPPORT)) { ++ if (rdev->mode_info.bl_encoder) ++ atombios_set_backlight_level(radeon_encoder, dig->backlight_level); ++ else ++ atombios_dig_transmitter_setup(encoder, ++ ATOM_TRANSMITTER_ACTION_LCD_BLON, 0, 0); ++ } + if (ext_encoder) + atombios_external_encoder_setup(encoder, ext_encoder, ATOM_ENABLE); + break; diff --git a/queue-4.1/drm-radeon-move-bl-encoder-assignment-into-bl-init.patch b/queue-4.1/drm-radeon-move-bl-encoder-assignment-into-bl-init.patch new file mode 100644 index 00000000000..79694234faf --- /dev/null +++ b/queue-4.1/drm-radeon-move-bl-encoder-assignment-into-bl-init.patch @@ -0,0 +1,55 @@ +From 4cee6a9057d5e13911f0cb6e143d11dc1a3245dd Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 28 Oct 2015 14:26:32 -0400 +Subject: drm/radeon: move bl encoder assignment into bl init +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit 4cee6a9057d5e13911f0cb6e143d11dc1a3245dd upstream. + +So that the bl encoder will be null if the GPU does not +control the backlight. + +Reviewed-by: Michel Dänzer +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/atombios_encoders.c | 1 + + drivers/gpu/drm/radeon/radeon_encoders.c | 1 - + drivers/gpu/drm/radeon/radeon_legacy_encoders.c | 1 + + 3 files changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/atombios_encoders.c ++++ b/drivers/gpu/drm/radeon/atombios_encoders.c +@@ -237,6 +237,7 @@ void radeon_atom_backlight_init(struct r + backlight_update_status(bd); + + DRM_INFO("radeon atom DIG backlight initialized\n"); ++ rdev->mode_info.bl_encoder = radeon_encoder; + + return; + +--- a/drivers/gpu/drm/radeon/radeon_encoders.c ++++ b/drivers/gpu/drm/radeon/radeon_encoders.c +@@ -194,7 +194,6 @@ static void radeon_encoder_add_backlight + radeon_atom_backlight_init(radeon_encoder, connector); + else + radeon_legacy_backlight_init(radeon_encoder, connector); +- rdev->mode_info.bl_encoder = radeon_encoder; + } + } + +--- a/drivers/gpu/drm/radeon/radeon_legacy_encoders.c ++++ b/drivers/gpu/drm/radeon/radeon_legacy_encoders.c +@@ -441,6 +441,7 @@ void radeon_legacy_backlight_init(struct + backlight_update_status(bd); + + DRM_INFO("radeon legacy LVDS backlight initialized\n"); ++ rdev->mode_info.bl_encoder = radeon_encoder; + + return; + diff --git a/queue-4.1/fault-inject-fix-inverted-interval-probability-values-in-printk.patch b/queue-4.1/fault-inject-fix-inverted-interval-probability-values-in-printk.patch new file mode 100644 index 00000000000..f4c60f97f9b --- /dev/null +++ b/queue-4.1/fault-inject-fix-inverted-interval-probability-values-in-printk.patch @@ -0,0 +1,32 @@ +From bb387002693ed28b2bb0408c5dec65521b71e5f1 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 22 Oct 2015 13:32:27 -0700 +Subject: fault-inject: fix inverted interval/probability values in printk + +From: Florian Westphal + +commit bb387002693ed28b2bb0408c5dec65521b71e5f1 upstream. + +interval displays the probability and vice versa. + +Fixes: 6adc4a22f20bb ("fault-inject: add ratelimit option") +Acked-by: Akinobu Mita +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + lib/fault-inject.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/fault-inject.c ++++ b/lib/fault-inject.c +@@ -44,7 +44,7 @@ static void fail_dump(struct fault_attr + printk(KERN_NOTICE "FAULT_INJECTION: forcing a failure.\n" + "name %pd, interval %lu, probability %lu, " + "space %d, times %d\n", attr->dname, +- attr->probability, attr->interval, ++ attr->interval, attr->probability, + atomic_read(&attr->space), + atomic_read(&attr->times)); + if (attr->verbose > 1) diff --git a/queue-4.1/iommu-amd-don-t-clear-dte-flags-when-modifying-it.patch b/queue-4.1/iommu-amd-don-t-clear-dte-flags-when-modifying-it.patch new file mode 100644 index 00000000000..bc966532312 --- /dev/null +++ b/queue-4.1/iommu-amd-don-t-clear-dte-flags-when-modifying-it.patch @@ -0,0 +1,47 @@ +From cbf3ccd09d683abf1cacd36e3640872ee912d99b Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Tue, 20 Oct 2015 14:59:36 +0200 +Subject: iommu/amd: Don't clear DTE flags when modifying it + +From: Joerg Roedel + +commit cbf3ccd09d683abf1cacd36e3640872ee912d99b upstream. + +During device assignment/deassignment the flags in the DTE +get lost, which might cause spurious faults, for example +when the device tries to access the system management range. +Fix this by not clearing the flags with the rest of the DTE. + +Reported-by: G. Richard Bellamy +Tested-by: G. Richard Bellamy +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/amd_iommu.c | 4 ++-- + drivers/iommu/amd_iommu_types.h | 1 + + 2 files changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -2099,8 +2099,8 @@ static void set_dte_entry(u16 devid, str + static void clear_dte_entry(u16 devid) + { + /* remove entry from the device table seen by the hardware */ +- amd_iommu_dev_table[devid].data[0] = IOMMU_PTE_P | IOMMU_PTE_TV; +- amd_iommu_dev_table[devid].data[1] = 0; ++ amd_iommu_dev_table[devid].data[0] = IOMMU_PTE_P | IOMMU_PTE_TV; ++ amd_iommu_dev_table[devid].data[1] &= DTE_FLAG_MASK; + + amd_iommu_apply_erratum_63(devid); + } +--- a/drivers/iommu/amd_iommu_types.h ++++ b/drivers/iommu/amd_iommu_types.h +@@ -295,6 +295,7 @@ + #define IOMMU_PTE_IR (1ULL << 61) + #define IOMMU_PTE_IW (1ULL << 62) + ++#define DTE_FLAG_MASK (0x3ffULL << 32) + #define DTE_FLAG_IOTLB (0x01UL << 32) + #define DTE_FLAG_GV (0x01ULL << 55) + #define DTE_GLX_SHIFT (56) diff --git a/queue-4.1/iommu-amd-fix-bug-when-faulting-a-prot_none-vma.patch b/queue-4.1/iommu-amd-fix-bug-when-faulting-a-prot_none-vma.patch new file mode 100644 index 00000000000..eb11f8b7a6d --- /dev/null +++ b/queue-4.1/iommu-amd-fix-bug-when-faulting-a-prot_none-vma.patch @@ -0,0 +1,45 @@ +From d14f6fced5f9360edca5a1325ddb7077aab1203b Mon Sep 17 00:00:00 2001 +From: Jay Cornwall +Date: Wed, 16 Sep 2015 14:10:03 -0500 +Subject: iommu/amd: Fix BUG when faulting a PROT_NONE VMA + +From: Jay Cornwall + +commit d14f6fced5f9360edca5a1325ddb7077aab1203b upstream. + +handle_mm_fault indirectly triggers a BUG in do_numa_page +when given a VMA without read/write/execute access. Check +this condition in do_fault. + +do_fault -> handle_mm_fault -> handle_pte_fault -> do_numa_page + + mm/memory.c + 3147 static int do_numa_page(struct mm_struct *mm, struct vm_area_struct *vma, + .... + 3159 /* A PROT_NONE fault should not end up here */ + 3160 BUG_ON(!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE))); + +Signed-off-by: Jay Cornwall +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/amd_iommu_v2.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/iommu/amd_iommu_v2.c ++++ b/drivers/iommu/amd_iommu_v2.c +@@ -508,6 +508,13 @@ static void do_fault(struct work_struct + goto out; + } + ++ if (!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE))) { ++ /* handle_mm_fault would BUG_ON() */ ++ up_read(&mm->mmap_sem); ++ handle_fault_error(fault); ++ goto out; ++ } ++ + ret = handle_mm_fault(mm, vma, address, write); + if (ret & VM_FAULT_ERROR) { + /* failed to service fault */ diff --git a/queue-4.1/iommu-vt-d-fix-range-computation-when-making-room-for-large-pages.patch b/queue-4.1/iommu-vt-d-fix-range-computation-when-making-room-for-large-pages.patch new file mode 100644 index 00000000000..12dac4c6276 --- /dev/null +++ b/queue-4.1/iommu-vt-d-fix-range-computation-when-making-room-for-large-pages.patch @@ -0,0 +1,63 @@ +From ba2374fd2bf379f933773811fdb06cb6a5445f41 Mon Sep 17 00:00:00 2001 +From: Christian Zander +Date: Wed, 10 Jun 2015 09:41:45 -0700 +Subject: iommu/vt-d: fix range computation when making room for large pages + +From: Christian Zander + +commit ba2374fd2bf379f933773811fdb06cb6a5445f41 upstream. + +In preparation for the installation of a large page, any small page +tables that may still exist in the target IOV address range are +removed. However, if a scatter/gather list entry is large enough to +fit more than one large page, the address space for any subsequent +large pages is not cleared of conflicting small page tables. + +This can cause legitimate mapping requests to fail with errors of the +form below, potentially followed by a series of IOMMU faults: + +ERROR: DMA PTE for vPFN 0xfde00 already set (to 7f83a4003 not 7e9e00083) + +In this example, a 4MiB scatter/gather list entry resulted in the +successful installation of a large page @ vPFN 0xfdc00, followed by +a failed attempt to install another large page @ vPFN 0xfde00, due to +the presence of a pointer to a small page table @ 0x7f83a4000. + +To address this problem, compute the number of large pages that fit +into a given scatter/gather list entry, and use it to derive the +last vPFN covered by the large page(s). + +Signed-off-by: Christian Zander +Signed-off-by: David Woodhouse +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/intel-iommu.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -2033,15 +2033,19 @@ static int __domain_mapping(struct dmar_ + return -ENOMEM; + /* It is large page*/ + if (largepage_lvl > 1) { ++ unsigned long nr_superpages, end_pfn; ++ + pteval |= DMA_PTE_LARGE_PAGE; + lvl_pages = lvl_to_nr_pages(largepage_lvl); ++ ++ nr_superpages = sg_res / lvl_pages; ++ end_pfn = iov_pfn + nr_superpages * lvl_pages - 1; ++ + /* + * Ensure that old small page tables are +- * removed to make room for superpage, +- * if they exist. ++ * removed to make room for superpage(s). + */ +- dma_pte_free_pagetable(domain, iov_pfn, +- iov_pfn + lvl_pages - 1); ++ dma_pte_free_pagetable(domain, iov_pfn, end_pfn); + } else { + pteval &= ~(uint64_t)DMA_PTE_LARGE_PAGE; + } diff --git a/queue-4.1/iwlwifi-mvm-clear-csa-countdown-when-ap-is-stopped.patch b/queue-4.1/iwlwifi-mvm-clear-csa-countdown-when-ap-is-stopped.patch new file mode 100644 index 00000000000..02fffe284f6 --- /dev/null +++ b/queue-4.1/iwlwifi-mvm-clear-csa-countdown-when-ap-is-stopped.patch @@ -0,0 +1,32 @@ +From e9cb0327b26dd7ba43a3b7a05b4b62219decf42d Mon Sep 17 00:00:00 2001 +From: Avraham Stern +Date: Mon, 31 Aug 2015 11:08:27 +0300 +Subject: iwlwifi: mvm: clear csa countdown when AP is stopped + +From: Avraham Stern + +commit e9cb0327b26dd7ba43a3b7a05b4b62219decf42d upstream. + +The csa_countdown flag was not cleared when the AP is stopped. +As a result, if the AP was stopped after csa_countdown had started, +all the folowing channel switch commands would fail. +Fix that by clearing the csa_countdown flag when the AP is stopped. + +Signed-off-by: Avraham Stern +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/mvm/mac80211.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/iwlwifi/mvm/mac80211.c +@@ -2277,6 +2277,7 @@ static void iwl_mvm_stop_ap_ibss(struct + iwl_mvm_remove_time_event(mvm, mvmvif, + &mvmvif->time_event_data); + RCU_INIT_POINTER(mvm->csa_vif, NULL); ++ mvmvif->csa_countdown = false; + } + + if (rcu_access_pointer(mvm->csa_tx_blocked_vif) == vif) { diff --git a/queue-4.1/iwlwifi-mvm-fix-d3-ccmp-tx-pn-assignment.patch b/queue-4.1/iwlwifi-mvm-fix-d3-ccmp-tx-pn-assignment.patch new file mode 100644 index 00000000000..186d4866d48 --- /dev/null +++ b/queue-4.1/iwlwifi-mvm-fix-d3-ccmp-tx-pn-assignment.patch @@ -0,0 +1,72 @@ +From 6645d5e441db9121793421d477255f4242b3dbf3 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 15 Sep 2015 09:58:53 +0200 +Subject: iwlwifi: mvm: fix D3 CCMP TX PN assignment + +From: Johannes Berg + +commit 6645d5e441db9121793421d477255f4242b3dbf3 upstream. + +When going into/coming out of D3, the TX PN must be programmed into +and restored from the firmware respectively. The restore was broken +due to my previous commit to move PN assignment into the driver. +Sending the PN to the firmware still worked since we now use the +counter that's shared with mac80211, but accessing it through the +mac80211 API makes no sense now. + +Fix this by reading/writing the counter directly. This actually +simplifies the code since we don't need to round-trip through the +key_seq structure. + +Fixes: ca8c0f4bede6 ("iwlwifi: mvm: move TX PN assignment for CCMP to the driver") +Reported-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/mvm/d3.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +--- a/drivers/net/wireless/iwlwifi/mvm/d3.c ++++ b/drivers/net/wireless/iwlwifi/mvm/d3.c +@@ -274,18 +274,13 @@ static void iwl_mvm_wowlan_program_keys( + break; + case WLAN_CIPHER_SUITE_CCMP: + if (sta) { +- u8 *pn = seq.ccmp.pn; ++ u64 pn64; + + aes_sc = data->rsc_tsc->all_tsc_rsc.aes.unicast_rsc; + aes_tx_sc = &data->rsc_tsc->all_tsc_rsc.aes.tsc; + +- ieee80211_get_key_tx_seq(key, &seq); +- aes_tx_sc->pn = cpu_to_le64((u64)pn[5] | +- ((u64)pn[4] << 8) | +- ((u64)pn[3] << 16) | +- ((u64)pn[2] << 24) | +- ((u64)pn[1] << 32) | +- ((u64)pn[0] << 40)); ++ pn64 = atomic64_read(&key->tx_pn); ++ aes_tx_sc->pn = cpu_to_le64(pn64); + } else { + aes_sc = data->rsc_tsc->all_tsc_rsc.aes.multicast_rsc; + } +@@ -1444,15 +1439,15 @@ static void iwl_mvm_d3_update_gtks(struc + + switch (key->cipher) { + case WLAN_CIPHER_SUITE_CCMP: +- iwl_mvm_aes_sc_to_seq(&sc->aes.tsc, &seq); + iwl_mvm_set_aes_rx_seq(sc->aes.unicast_rsc, key); ++ atomic64_set(&key->tx_pn, le64_to_cpu(sc->aes.tsc.pn)); + break; + case WLAN_CIPHER_SUITE_TKIP: + iwl_mvm_tkip_sc_to_seq(&sc->tkip.tsc, &seq); + iwl_mvm_set_tkip_rx_seq(sc->tkip.unicast_rsc, key); ++ ieee80211_set_key_tx_seq(key, &seq); + break; + } +- ieee80211_set_key_tx_seq(key, &seq); + + /* that's it for this key */ + return; diff --git a/queue-4.1/iwlwifi-mvm-fix-d3-firmware-pn-programming.patch b/queue-4.1/iwlwifi-mvm-fix-d3-firmware-pn-programming.patch new file mode 100644 index 00000000000..f49a228df12 --- /dev/null +++ b/queue-4.1/iwlwifi-mvm-fix-d3-firmware-pn-programming.patch @@ -0,0 +1,44 @@ +From 2cf5eb3ab7bb7f2e3a70edcef236cd62c87db030 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 15 Sep 2015 14:36:09 +0200 +Subject: iwlwifi: mvm: fix D3 firmware PN programming + +From: Johannes Berg + +commit 2cf5eb3ab7bb7f2e3a70edcef236cd62c87db030 upstream. + +The code to send the RX PN data (for each TID) to the firmware +has a devastating bug: it overwrites the data for TID 0 with +all the TID data, leaving the remaining TIDs zeroed. This will +allow replays to actually be accepted by the firmware, which +could allow waking up the system. + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/mvm/d3.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/iwlwifi/mvm/d3.c ++++ b/drivers/net/wireless/iwlwifi/mvm/d3.c +@@ -293,12 +293,12 @@ static void iwl_mvm_wowlan_program_keys( + u8 *pn = seq.ccmp.pn; + + ieee80211_get_key_rx_seq(key, i, &seq); +- aes_sc->pn = cpu_to_le64((u64)pn[5] | +- ((u64)pn[4] << 8) | +- ((u64)pn[3] << 16) | +- ((u64)pn[2] << 24) | +- ((u64)pn[1] << 32) | +- ((u64)pn[0] << 40)); ++ aes_sc[i].pn = cpu_to_le64((u64)pn[5] | ++ ((u64)pn[4] << 8) | ++ ((u64)pn[3] << 16) | ++ ((u64)pn[2] << 24) | ++ ((u64)pn[1] << 32) | ++ ((u64)pn[0] << 40)); + } + data->use_rsc_tsc = true; + break; diff --git a/queue-4.1/iwlwifi-mvm-flush-fw_dump_wk-when-mvm-fails-to-start.patch b/queue-4.1/iwlwifi-mvm-flush-fw_dump_wk-when-mvm-fails-to-start.patch new file mode 100644 index 00000000000..de341ce5d94 --- /dev/null +++ b/queue-4.1/iwlwifi-mvm-flush-fw_dump_wk-when-mvm-fails-to-start.patch @@ -0,0 +1,33 @@ +From dbf73d4a8bb8f4e1d1f3edd3be825692279e2ef3 Mon Sep 17 00:00:00 2001 +From: Andrei Otcheretianski +Date: Wed, 30 Sep 2015 12:26:23 +0200 +Subject: iwlwifi: mvm: flush fw_dump_wk when mvm fails to start + +From: Andrei Otcheretianski + +commit dbf73d4a8bb8f4e1d1f3edd3be825692279e2ef3 upstream. + +FW dump may be triggered when running init ucode, for example due to a +sysassert. In this case fw_dump_wk may run after mvm is freed, resulting +in a kernel panic. +Fix it by flushing the work. + +Fixes: 01b988a708af ("iwlwifi: mvm: allow to collect debug data when restart is disabled") +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/mvm/ops.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/iwlwifi/mvm/ops.c ++++ b/drivers/net/wireless/iwlwifi/mvm/ops.c +@@ -589,6 +589,7 @@ iwl_op_mode_mvm_start(struct iwl_trans * + ieee80211_unregister_hw(mvm->hw); + iwl_mvm_leds_exit(mvm); + out_free: ++ flush_delayed_work(&mvm->fw_dump_wk); + iwl_phy_db_free(mvm->phy_db); + kfree(mvm->scan_cmd); + if (!cfg->no_power_up_nic_in_init || !mvm->nvm_file_name) diff --git a/queue-4.1/iwlwifi-mvm-init-card-correctly-on-ctkill-exit-check.patch b/queue-4.1/iwlwifi-mvm-init-card-correctly-on-ctkill-exit-check.patch new file mode 100644 index 00000000000..dea5148afca --- /dev/null +++ b/queue-4.1/iwlwifi-mvm-init-card-correctly-on-ctkill-exit-check.patch @@ -0,0 +1,59 @@ +From 1a3fe0b2b6778b7866e2b3f5c9a299d5e9bbd89c Mon Sep 17 00:00:00 2001 +From: Arik Nemtsov +Date: Wed, 30 Sep 2015 11:19:55 +0300 +Subject: iwlwifi: mvm: init card correctly on ctkill exit check + +From: Arik Nemtsov + +commit 1a3fe0b2b6778b7866e2b3f5c9a299d5e9bbd89c upstream. + +During the CT-kill exit flow, the card is powered up and partially +initialized to check if the temperature is already low enough. +Unfortunately the init bails early because the CT-kill flag is set. +Make the code bail early only for HW RF-kill, as was intended by the +author. CT-kill is self-imposed and is not really RF-kill. + +Fixes: 31b8b343e019 ("iwlwifi: fix RFkill while calibrating") +Signed-off-by: Arik Nemtsov +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/mvm/fw.c | 4 ++-- + drivers/net/wireless/iwlwifi/mvm/mvm.h | 5 +++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/iwlwifi/mvm/fw.c +@@ -364,7 +364,7 @@ int iwl_run_init_mvm_ucode(struct iwl_mv + * abort after reading the nvm in case RF Kill is on, we will complete + * the init seq later when RF kill will switch to off + */ +- if (iwl_mvm_is_radio_killed(mvm)) { ++ if (iwl_mvm_is_radio_hw_killed(mvm)) { + IWL_DEBUG_RF_KILL(mvm, + "jump over all phy activities due to RF kill\n"); + iwl_remove_notification(&mvm->notif_wait, &calib_wait); +@@ -397,7 +397,7 @@ int iwl_run_init_mvm_ucode(struct iwl_mv + ret = iwl_wait_notification(&mvm->notif_wait, &calib_wait, + MVM_UCODE_CALIB_TIMEOUT); + +- if (ret && iwl_mvm_is_radio_killed(mvm)) { ++ if (ret && iwl_mvm_is_radio_hw_killed(mvm)) { + IWL_DEBUG_RF_KILL(mvm, "RFKILL while calibrating.\n"); + ret = 1; + } +--- a/drivers/net/wireless/iwlwifi/mvm/mvm.h ++++ b/drivers/net/wireless/iwlwifi/mvm/mvm.h +@@ -870,6 +870,11 @@ static inline bool iwl_mvm_is_radio_kill + test_bit(IWL_MVM_STATUS_HW_CTKILL, &mvm->status); + } + ++static inline bool iwl_mvm_is_radio_hw_killed(struct iwl_mvm *mvm) ++{ ++ return test_bit(IWL_MVM_STATUS_HW_RFKILL, &mvm->status); ++} ++ + /* Must be called with rcu_read_lock() held and it can only be + * released when mvmsta is not needed anymore. + */ diff --git a/queue-4.1/iwlwifi-pci-add-a-few-more-pci-subvendor-ids-for-the-7265-series.patch b/queue-4.1/iwlwifi-pci-add-a-few-more-pci-subvendor-ids-for-the-7265-series.patch new file mode 100644 index 00000000000..b885dc4aa98 --- /dev/null +++ b/queue-4.1/iwlwifi-pci-add-a-few-more-pci-subvendor-ids-for-the-7265-series.patch @@ -0,0 +1,34 @@ +From f08f625876476b6c4a87834dc86e3b927f4697d2 Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Tue, 22 Sep 2015 09:44:39 +0300 +Subject: iwlwifi: pci: add a few more PCI subvendor IDs for the 7265 series + +From: Luca Coelho + +commit f08f625876476b6c4a87834dc86e3b927f4697d2 upstream. + +Add 3 new subdevice IDs for the 0x095A device ID and 2 for the 0x095B +device ID. + +Reported-by: Jeremy +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/pcie/drv.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/wireless/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/iwlwifi/pcie/drv.c +@@ -412,6 +412,11 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x095A, 0x5590, iwl7265_2ac_cfg)}, + {IWL_PCI_DEVICE(0x095B, 0x5290, iwl7265_2ac_cfg)}, + {IWL_PCI_DEVICE(0x095A, 0x5490, iwl7265_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x095A, 0x5F10, iwl7265_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x095B, 0x5212, iwl7265_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x095B, 0x520A, iwl7265_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x095A, 0x9000, iwl7265_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x095A, 0x9400, iwl7265_2ac_cfg)}, + + /* 8000 Series */ + {IWL_PCI_DEVICE(0x24F3, 0x0010, iwl8260_2ac_cfg)}, diff --git a/queue-4.1/kvm-arm-use-gic-support-unconditionally.patch b/queue-4.1/kvm-arm-use-gic-support-unconditionally.patch new file mode 100644 index 00000000000..a524558fd05 --- /dev/null +++ b/queue-4.1/kvm-arm-use-gic-support-unconditionally.patch @@ -0,0 +1,40 @@ +From 4a5d69b73948d0e03cd38d77dc11edb2e707165f Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 12 Oct 2015 15:22:31 +0200 +Subject: KVM: arm: use GIC support unconditionally + +From: Arnd Bergmann + +commit 4a5d69b73948d0e03cd38d77dc11edb2e707165f upstream. + +The vgic code on ARM is built for all configurations that enable KVM, +but the parent_data field that it references is only present when +CONFIG_IRQ_DOMAIN_HIERARCHY is set: + +virt/kvm/arm/vgic.c: In function 'kvm_vgic_map_phys_irq': +virt/kvm/arm/vgic.c:1781:13: error: 'struct irq_data' has no member named 'parent_data' + +This flag is implied by the GIC driver, and indeed the VGIC code only +makes sense if a GIC is present. This changes the CONFIG_KVM symbol +to always select GIC, which avoids the issue. + +Fixes: 662d9715840 ("arm/arm64: KVM: Kill CONFIG_KVM_ARM_{VGIC,TIMER}") +Signed-off-by: Arnd Bergmann +Acked-by: Marc Zyngier +Signed-off-by: Christoffer Dall +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kvm/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/kvm/Kconfig ++++ b/arch/arm/kvm/Kconfig +@@ -21,6 +21,7 @@ config KVM + depends on MMU && OF + select PREEMPT_NOTIFIERS + select ANON_INODES ++ select ARM_GIC + select HAVE_KVM_CPU_RELAX_INTERCEPT + select HAVE_KVM_ARCH_TLB_FLUSH_ALL + select KVM_MMIO diff --git a/queue-4.1/mm-make-sendfile-2-killable.patch b/queue-4.1/mm-make-sendfile-2-killable.patch new file mode 100644 index 00000000000..5b33660316d --- /dev/null +++ b/queue-4.1/mm-make-sendfile-2-killable.patch @@ -0,0 +1,70 @@ +From 296291cdd1629c308114504b850dc343eabc2782 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 22 Oct 2015 13:32:21 -0700 +Subject: mm: make sendfile(2) killable + +From: Jan Kara + +commit 296291cdd1629c308114504b850dc343eabc2782 upstream. + +Currently a simple program below issues a sendfile(2) system call which +takes about 62 days to complete in my test KVM instance. + + int fd; + off_t off = 0; + + fd = open("file", O_RDWR | O_TRUNC | O_SYNC | O_CREAT, 0644); + ftruncate(fd, 2); + lseek(fd, 0, SEEK_END); + sendfile(fd, fd, &off, 0xfffffff); + +Now you should not ask kernel to do a stupid stuff like copying 256MB in +2-byte chunks and call fsync(2) after each chunk but if you do, sysadmin +should have a way to stop you. + +We actually do have a check for fatal_signal_pending() in +generic_perform_write() which triggers in this path however because we +always succeed in writing something before the check is done, we return +value > 0 from generic_perform_write() and thus the information about +signal gets lost. + +Fix the problem by doing the signal check before writing anything. That +way generic_perform_write() returns -EINTR, the error gets propagated up +and the sendfile loop terminates early. + +Signed-off-by: Jan Kara +Reported-by: Dmitry Vyukov +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/filemap.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -2461,6 +2461,11 @@ again: + break; + } + ++ if (fatal_signal_pending(current)) { ++ status = -EINTR; ++ break; ++ } ++ + status = a_ops->write_begin(file, mapping, pos, bytes, flags, + &page, &fsdata); + if (unlikely(status < 0)) +@@ -2498,10 +2503,6 @@ again: + written += copied; + + balance_dirty_pages_ratelimited(mapping); +- if (fatal_signal_pending(current)) { +- status = -EINTR; +- break; +- } + } while (iov_iter_count(i)); + + return written ? written : status; diff --git a/queue-4.1/powerpc-rtas-validate-rtas.entry-before-calling-enter_rtas.patch b/queue-4.1/powerpc-rtas-validate-rtas.entry-before-calling-enter_rtas.patch new file mode 100644 index 00000000000..e96a8d7f3db --- /dev/null +++ b/queue-4.1/powerpc-rtas-validate-rtas.entry-before-calling-enter_rtas.patch @@ -0,0 +1,51 @@ +From 8832317f662c06f5c06e638f57bfe89a71c9b266 Mon Sep 17 00:00:00 2001 +From: Vasant Hegde +Date: Fri, 16 Oct 2015 15:53:29 +0530 +Subject: powerpc/rtas: Validate rtas.entry before calling enter_rtas() + +From: Vasant Hegde + +commit 8832317f662c06f5c06e638f57bfe89a71c9b266 upstream. + +Currently we do not validate rtas.entry before calling enter_rtas(). This +leads to a kernel oops when user space calls rtas system call on a powernv +platform (see below). This patch adds code to validate rtas.entry before +making enter_rtas() call. + + Oops: Exception in kernel mode, sig: 4 [#1] + SMP NR_CPUS=1024 NUMA PowerNV + task: c000000004294b80 ti: c0000007e1a78000 task.ti: c0000007e1a78000 + NIP: 0000000000000000 LR: 0000000000009c14 CTR: c000000000423140 + REGS: c0000007e1a7b920 TRAP: 0e40 Not tainted (3.18.17-340.el7_1.pkvm3_1_0.2400.1.ppc64le) + MSR: 1000000000081000 CR: 00000000 XER: 00000000 + CFAR: c000000000009c0c SOFTE: 0 + NIP [0000000000000000] (null) + LR [0000000000009c14] 0x9c14 + Call Trace: + [c0000007e1a7bba0] [c00000000041a7f4] avc_has_perm_noaudit+0x54/0x110 (unreliable) + [c0000007e1a7bd80] [c00000000002ddc0] ppc_rtas+0x150/0x2d0 + [c0000007e1a7be30] [c000000000009358] syscall_exit+0x0/0x98 + +Fixes: 55190f88789a ("powerpc: Add skeleton PowerNV platform") +Reported-by: NAGESWARA R. SASTRY +Signed-off-by: Vasant Hegde +[mpe: Reword change log, trim oops, and add stable + fixes] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/rtas.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/powerpc/kernel/rtas.c ++++ b/arch/powerpc/kernel/rtas.c +@@ -1041,6 +1041,9 @@ asmlinkage int ppc_rtas(struct rtas_args + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + ++ if (!rtas.entry) ++ return -EINVAL; ++ + if (copy_from_user(&args, uargs, 3 * sizeof(u32)) != 0) + return -EFAULT; + diff --git a/queue-4.1/rtl28xxu-fix-control-message-flaws.patch b/queue-4.1/rtl28xxu-fix-control-message-flaws.patch new file mode 100644 index 00000000000..bd6694444a1 --- /dev/null +++ b/queue-4.1/rtl28xxu-fix-control-message-flaws.patch @@ -0,0 +1,74 @@ +From d18ca5b7ceca0e9674cb4bb2ed476b0fcbb23ba2 Mon Sep 17 00:00:00 2001 +From: Antti Palosaari +Date: Tue, 6 Oct 2015 00:22:23 -0300 +Subject: [media] rtl28xxu: fix control message flaws + +From: Antti Palosaari + +commit d18ca5b7ceca0e9674cb4bb2ed476b0fcbb23ba2 upstream. + +Add lock to prevent concurrent access for control message as control +message function uses shared buffer. Without the lock there may be +remote control polling which messes the buffer causing IO errors. +Increase buffer size and add check for maximum supported message +length. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=103391 +Fixes: c56222a6b25c ("[media] rtl28xxu: move usb buffers to state") + +Signed-off-by: Antti Palosaari +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 15 +++++++++++++-- + drivers/media/usb/dvb-usb-v2/rtl28xxu.h | 2 +- + 2 files changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c ++++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +@@ -34,6 +34,14 @@ static int rtl28xxu_ctrl_msg(struct dvb_ + unsigned int pipe; + u8 requesttype; + ++ mutex_lock(&d->usb_mutex); ++ ++ if (req->size > sizeof(dev->buf)) { ++ dev_err(&d->intf->dev, "too large message %u\n", req->size); ++ ret = -EINVAL; ++ goto err_mutex_unlock; ++ } ++ + if (req->index & CMD_WR_FLAG) { + /* write */ + memcpy(dev->buf, req->data, req->size); +@@ -50,14 +58,17 @@ static int rtl28xxu_ctrl_msg(struct dvb_ + dvb_usb_dbg_usb_control_msg(d->udev, 0, requesttype, req->value, + req->index, dev->buf, req->size); + if (ret < 0) +- goto err; ++ goto err_mutex_unlock; + + /* read request, copy returned data to return buf */ + if (requesttype == (USB_TYPE_VENDOR | USB_DIR_IN)) + memcpy(req->data, dev->buf, req->size); + ++ mutex_unlock(&d->usb_mutex); ++ + return 0; +-err: ++err_mutex_unlock: ++ mutex_unlock(&d->usb_mutex); + dev_dbg(&d->intf->dev, "failed=%d\n", ret); + return ret; + } +--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.h ++++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.h +@@ -69,7 +69,7 @@ + + + struct rtl28xxu_dev { +- u8 buf[28]; ++ u8 buf[128]; + u8 chip_id; + u8 tuner; + char *tuner_name; diff --git a/queue-4.1/rtlwifi-rtl8821ae-fix-system-lockups-on-boot.patch b/queue-4.1/rtlwifi-rtl8821ae-fix-system-lockups-on-boot.patch new file mode 100644 index 00000000000..5e69f60b319 --- /dev/null +++ b/queue-4.1/rtlwifi-rtl8821ae-fix-system-lockups-on-boot.patch @@ -0,0 +1,131 @@ +From 54328e64047a54b8fc2362c2e1f0fa16c90f739f Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Fri, 2 Oct 2015 11:44:30 -0500 +Subject: rtlwifi: rtl8821ae: Fix system lockups on boot + +From: Larry Finger + +commit 54328e64047a54b8fc2362c2e1f0fa16c90f739f upstream. + +In commit 1277fa2ab2f9 ("rtlwifi: Remove the clear interrupt routine from all +drivers"), the code that cleared all interrupt enable bits before setting them +was removed for all PCI drivers. This fixed an issue that caused TX to be +blocked for 3-5 seconds. On some RTL8821AE units, this change causes soft +lockups to occur on boot. For that reason, the portion of the earlier commit +that applied to rtl8821ae is reverted. Kernels 4.1 and newer are affected. + +See http://marc.info/?l=linux-wireless&m=144373370103285&w=2 and +https://bugzilla.opensuse.org/show_bug.cgi?id=944978 for two cases where +this regression affected user systems. Note that this bug does not appear on +any of the developer's setups. For those users whose systems are affected +by the TX blockage, but do not lock up on boot, a module parameter is added +to disable the interrupt clear + +Fixes: 1277fa2ab2f9 ("rtlwifi: Remove the clear interrupt routine from all drivers") +Signed-off-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/pci.h | 2 ++ + drivers/net/wireless/rtlwifi/rtl8821ae/hw.c | 17 +++++++++++++++++ + drivers/net/wireless/rtlwifi/rtl8821ae/sw.c | 5 +++++ + drivers/net/wireless/rtlwifi/wifi.h | 3 +++ + 4 files changed, 27 insertions(+) + +--- a/drivers/net/wireless/rtlwifi/pci.h ++++ b/drivers/net/wireless/rtlwifi/pci.h +@@ -247,6 +247,8 @@ struct rtl_pci { + /* MSI support */ + bool msi_support; + bool using_msi; ++ /* interrupt clear before set */ ++ bool int_clear; + }; + + struct mp_adapter { +--- a/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c +@@ -2253,11 +2253,28 @@ void rtl8821ae_set_qos(struct ieee80211_ + } + } + ++static void rtl8821ae_clear_interrupt(struct ieee80211_hw *hw) ++{ ++ struct rtl_priv *rtlpriv = rtl_priv(hw); ++ u32 tmp = rtl_read_dword(rtlpriv, REG_HISR); ++ ++ rtl_write_dword(rtlpriv, REG_HISR, tmp); ++ ++ tmp = rtl_read_dword(rtlpriv, REG_HISRE); ++ rtl_write_dword(rtlpriv, REG_HISRE, tmp); ++ ++ tmp = rtl_read_dword(rtlpriv, REG_HSISR); ++ rtl_write_dword(rtlpriv, REG_HSISR, tmp); ++} ++ + void rtl8821ae_enable_interrupt(struct ieee80211_hw *hw) + { + struct rtl_priv *rtlpriv = rtl_priv(hw); + struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw)); + ++ if (!rtlpci->int_clear) ++ rtl8821ae_clear_interrupt(hw);/*clear it here first*/ ++ + rtl_write_dword(rtlpriv, REG_HIMR, rtlpci->irq_mask[0] & 0xFFFFFFFF); + rtl_write_dword(rtlpriv, REG_HIMRE, rtlpci->irq_mask[1] & 0xFFFFFFFF); + rtlpci->irq_enabled = true; +--- a/drivers/net/wireless/rtlwifi/rtl8821ae/sw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8821ae/sw.c +@@ -96,6 +96,7 @@ int rtl8821ae_init_sw_vars(struct ieee80 + + rtl8821ae_bt_reg_init(hw); + rtlpci->msi_support = rtlpriv->cfg->mod_params->msi_support; ++ rtlpci->int_clear = rtlpriv->cfg->mod_params->int_clear; + rtlpriv->btcoexist.btc_ops = rtl_btc_get_ops_pointer(); + + rtlpriv->dm.dm_initialgain_enable = 1; +@@ -167,6 +168,7 @@ int rtl8821ae_init_sw_vars(struct ieee80 + rtlpriv->psc.swctrl_lps = rtlpriv->cfg->mod_params->swctrl_lps; + rtlpriv->psc.fwctrl_lps = rtlpriv->cfg->mod_params->fwctrl_lps; + rtlpci->msi_support = rtlpriv->cfg->mod_params->msi_support; ++ rtlpci->msi_support = rtlpriv->cfg->mod_params->int_clear; + if (rtlpriv->cfg->mod_params->disable_watchdog) + pr_info("watchdog disabled\n"); + rtlpriv->psc.reg_fwctrl_lps = 3; +@@ -308,6 +310,7 @@ static struct rtl_mod_params rtl8821ae_m + .swctrl_lps = false, + .fwctrl_lps = true, + .msi_support = true, ++ .int_clear = true, + .debug = DBG_EMERG, + .disable_watchdog = 0, + }; +@@ -437,6 +440,7 @@ module_param_named(fwlps, rtl8821ae_mod_ + module_param_named(msi, rtl8821ae_mod_params.msi_support, bool, 0444); + module_param_named(disable_watchdog, rtl8821ae_mod_params.disable_watchdog, + bool, 0444); ++module_param_named(int_clear, rtl8821ae_mod_params.int_clear, bool, 0444); + MODULE_PARM_DESC(swenc, "Set to 1 for software crypto (default 0)\n"); + MODULE_PARM_DESC(ips, "Set to 0 to not use link power save (default 1)\n"); + MODULE_PARM_DESC(swlps, "Set to 1 to use SW control power save (default 0)\n"); +@@ -444,6 +448,7 @@ MODULE_PARM_DESC(fwlps, "Set to 1 to use + MODULE_PARM_DESC(msi, "Set to 1 to use MSI interrupts mode (default 1)\n"); + MODULE_PARM_DESC(debug, "Set debug level (0-5) (default 0)"); + MODULE_PARM_DESC(disable_watchdog, "Set to 1 to disable the watchdog (default 0)\n"); ++MODULE_PARM_DESC(int_clear, "Set to 1 to disable interrupt clear before set (default 0)\n"); + + static SIMPLE_DEV_PM_OPS(rtlwifi_pm_ops, rtl_pci_suspend, rtl_pci_resume); + +--- a/drivers/net/wireless/rtlwifi/wifi.h ++++ b/drivers/net/wireless/rtlwifi/wifi.h +@@ -2233,6 +2233,9 @@ struct rtl_mod_params { + + /* default 0: 1 means disable */ + bool disable_watchdog; ++ ++ /* default 0: 1 means do not disable interrupts */ ++ bool int_clear; + }; + + struct rtl_hal_usbint_cfg { diff --git a/queue-4.1/series b/queue-4.1/series index a53ec4ba942..1d24221e402 100644 --- a/queue-4.1/series +++ b/queue-4.1/series @@ -1,3 +1,35 @@ ath9k-declare-required-extra-tx-headroom.patch iwlwifi-dvm-fix-d3-firmware-pn-programming.patch iwlwifi-fix-firmware-filename-for-3160.patch +rtlwifi-rtl8821ae-fix-system-lockups-on-boot.patch +iwlwifi-mvm-clear-csa-countdown-when-ap-is-stopped.patch +iwlwifi-mvm-fix-d3-ccmp-tx-pn-assignment.patch +iwlwifi-mvm-fix-d3-firmware-pn-programming.patch +iwlwifi-mvm-init-card-correctly-on-ctkill-exit-check.patch +iwlwifi-mvm-flush-fw_dump_wk-when-mvm-fails-to-start.patch +iwlwifi-pci-add-a-few-more-pci-subvendor-ids-for-the-7265-series.patch +iommu-vt-d-fix-range-computation-when-making-room-for-large-pages.patch +iommu-amd-fix-bug-when-faulting-a-prot_none-vma.patch +iommu-amd-don-t-clear-dte-flags-when-modifying-it.patch +powerpc-rtas-validate-rtas.entry-before-calling-enter_rtas.patch +drm-fix-mutex-leak-in-drm_dp_get_mst_branch_device.patch +si2157-bounds-check-firmware.patch +si2168-bounds-check-firmware.patch +rtl28xxu-fix-control-message-flaws.patch +kvm-arm-use-gic-support-unconditionally.patch +alsa-hda-fix-inverted-internal-mic-on-lenovo-g50-80.patch +alsa-hda-fix-deadlock-at-error-in-building-pcm.patch +asoc-add-info-callback-for-sx_tlv-controls.patch +asoc-wm8904-correct-number-of-eq-registers.patch +x86-efi-fix-multiple-gop-device-support.patch +x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch +mm-make-sendfile-2-killable.patch +fault-inject-fix-inverted-interval-probability-values-in-printk.patch +drm-nouveau-gem-return-only-valid-domain-when-there-s-only-one.patch +drm-radeon-dpm-don-t-add-pwm-attributes-if-dpm-is-disabled.patch +drm-i915-flush-pipecontrol-post-sync-writes.patch +drm-i915-restore-lost-dpll-register-write-on-gen2-4.patch +drm-i915-deny-wrapping-an-userptr-into-a-framebuffer.patch +drm-radeon-don-t-try-to-recreate-sysfs-entries-on-resume.patch +drm-radeon-fix-dpms-when-driver-backlight-control-is-disabled.patch +drm-radeon-move-bl-encoder-assignment-into-bl-init.patch diff --git a/queue-4.1/si2157-bounds-check-firmware.patch b/queue-4.1/si2157-bounds-check-firmware.patch new file mode 100644 index 00000000000..06dc9e7d7b8 --- /dev/null +++ b/queue-4.1/si2157-bounds-check-firmware.patch @@ -0,0 +1,35 @@ +From a828d72df216c36e9c40b6c24dc4b17b6f7b5a76 Mon Sep 17 00:00:00 2001 +From: Laura Abbott +Date: Tue, 29 Sep 2015 21:10:10 -0300 +Subject: [media] si2157: Bounds check firmware + +From: Laura Abbott + +commit a828d72df216c36e9c40b6c24dc4b17b6f7b5a76 upstream. + +When reading the firmware and sending commands, the length +must be bounds checked to avoid overrunning the size of the command +buffer and smashing the stack if the firmware is not in the +expected format. Add the proper check. + +Signed-off-by: Laura Abbott +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/tuners/si2157.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/media/tuners/si2157.c ++++ b/drivers/media/tuners/si2157.c +@@ -165,6 +165,10 @@ static int si2157_init(struct dvb_fronte + + for (remaining = fw->size; remaining > 0; remaining -= 17) { + len = fw->data[fw->size - remaining]; ++ if (len > SI2157_ARGLEN) { ++ dev_err(&client->dev, "Bad firmware length\n"); ++ goto err_release_firmware; ++ } + memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len); + cmd.wlen = len; + cmd.rlen = 1; diff --git a/queue-4.1/si2168-bounds-check-firmware.patch b/queue-4.1/si2168-bounds-check-firmware.patch new file mode 100644 index 00000000000..176be641683 --- /dev/null +++ b/queue-4.1/si2168-bounds-check-firmware.patch @@ -0,0 +1,44 @@ +From 47810b4341ac9d2f558894bc5995e6fa2a1298f9 Mon Sep 17 00:00:00 2001 +From: Laura Abbott +Date: Tue, 29 Sep 2015 21:10:09 -0300 +Subject: [media] si2168: Bounds check firmware + +From: Laura Abbott + +commit 47810b4341ac9d2f558894bc5995e6fa2a1298f9 upstream. + +When reading the firmware and sending commands, the length must +be bounds checked to avoid overrunning the size of the command +buffer and smashing the stack if the firmware is not in the expected +format: + +si2168 11-0064: found a 'Silicon Labs Si2168-B40' +si2168 11-0064: downloading firmware from file 'dvb-demod-si2168-b40-01.fw' +si2168 11-0064: firmware download failed -95 +Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa085708f + +Add the proper check. + +Reported-by: Stuart Auchterlonie +Reviewed-by: Antti Palosaari +Signed-off-by: Laura Abbott +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/dvb-frontends/si2168.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/media/dvb-frontends/si2168.c ++++ b/drivers/media/dvb-frontends/si2168.c +@@ -457,6 +457,10 @@ static int si2168_init(struct dvb_fronte + /* firmware is in the new format */ + for (remaining = fw->size; remaining > 0; remaining -= 17) { + len = fw->data[fw->size - remaining]; ++ if (len > SI2168_ARGLEN) { ++ ret = -EINVAL; ++ break; ++ } + memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len); + cmd.wlen = len; + cmd.rlen = 1; diff --git a/queue-4.1/x86-efi-fix-multiple-gop-device-support.patch b/queue-4.1/x86-efi-fix-multiple-gop-device-support.patch new file mode 100644 index 00000000000..887b9f4579a --- /dev/null +++ b/queue-4.1/x86-efi-fix-multiple-gop-device-support.patch @@ -0,0 +1,92 @@ +From 8a53554e12e98d1759205afd7b8e9e2ea0936f48 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?K=C5=91v=C3=A1g=C3=B3=2C=20Zolt=C3=A1n?= + +Date: Mon, 12 Oct 2015 15:13:56 +0100 +Subject: x86/efi: Fix multiple GOP device support +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?K=C5=91v=C3=A1g=C3=B3=2C=20Zolt=C3=A1n?= + +commit 8a53554e12e98d1759205afd7b8e9e2ea0936f48 upstream. + +When multiple GOP devices exists, but none of them implements +ConOut, the code should just choose the first GOP (according to +the comments). But currently 'fb_base' will refer to the last GOP, +while other parameters to the first GOP, which will likely +result in a garbled display. + +I can reliably reproduce this bug using my ASRock Z87M Extreme4 +motherboard with CSM and integrated GPU disabled, and two PCIe +video cards (NVidia GT640 and GTX980), booting from efi-stub +(booting from grub works fine). On the primary display the +ASRock logo remains and on the secondary screen it is garbled +up completely. + +Signed-off-by: Kővágó, Zoltán +Signed-off-by: Matt Fleming +Cc: Linus Torvalds +Cc: Matthew Garrett +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/1444659236-24837-2-git-send-email-matt@codeblueprint.co.uk +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/boot/compressed/eboot.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/x86/boot/compressed/eboot.c ++++ b/arch/x86/boot/compressed/eboot.c +@@ -667,6 +667,7 @@ setup_gop32(struct screen_info *si, efi_ + bool conout_found = false; + void *dummy = NULL; + u32 h = handles[i]; ++ u32 current_fb_base; + + status = efi_call_early(handle_protocol, h, + proto, (void **)&gop32); +@@ -678,7 +679,7 @@ setup_gop32(struct screen_info *si, efi_ + if (status == EFI_SUCCESS) + conout_found = true; + +- status = __gop_query32(gop32, &info, &size, &fb_base); ++ status = __gop_query32(gop32, &info, &size, ¤t_fb_base); + if (status == EFI_SUCCESS && (!first_gop || conout_found)) { + /* + * Systems that use the UEFI Console Splitter may +@@ -692,6 +693,7 @@ setup_gop32(struct screen_info *si, efi_ + pixel_format = info->pixel_format; + pixel_info = info->pixel_information; + pixels_per_scan_line = info->pixels_per_scan_line; ++ fb_base = current_fb_base; + + /* + * Once we've found a GOP supporting ConOut, +@@ -770,6 +772,7 @@ setup_gop64(struct screen_info *si, efi_ + bool conout_found = false; + void *dummy = NULL; + u64 h = handles[i]; ++ u32 current_fb_base; + + status = efi_call_early(handle_protocol, h, + proto, (void **)&gop64); +@@ -781,7 +784,7 @@ setup_gop64(struct screen_info *si, efi_ + if (status == EFI_SUCCESS) + conout_found = true; + +- status = __gop_query64(gop64, &info, &size, &fb_base); ++ status = __gop_query64(gop64, &info, &size, ¤t_fb_base); + if (status == EFI_SUCCESS && (!first_gop || conout_found)) { + /* + * Systems that use the UEFI Console Splitter may +@@ -795,6 +798,7 @@ setup_gop64(struct screen_info *si, efi_ + pixel_format = info->pixel_format; + pixel_info = info->pixel_information; + pixels_per_scan_line = info->pixels_per_scan_line; ++ fb_base = current_fb_base; + + /* + * Once we've found a GOP supporting ConOut, diff --git a/queue-4.1/x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch b/queue-4.1/x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch new file mode 100644 index 00000000000..d35f6a48879 --- /dev/null +++ b/queue-4.1/x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch @@ -0,0 +1,111 @@ +From f5f3497cad8c8416a74b9aaceb127908755d020a Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 14 Oct 2015 13:30:45 +0200 +Subject: x86/setup: Extend low identity map to cover whole kernel range + +From: Paolo Bonzini + +commit f5f3497cad8c8416a74b9aaceb127908755d020a upstream. + +On 32-bit systems, the initial_page_table is reused by +efi_call_phys_prolog as an identity map to call +SetVirtualAddressMap. efi_call_phys_prolog takes care of +converting the current CPU's GDT to a physical address too. + +For PAE kernels the identity mapping is achieved by aliasing the +first PDPE for the kernel memory mapping into the first PDPE +of initial_page_table. This makes the EFI stub's trick "just work". + +However, for non-PAE kernels there is no guarantee that the identity +mapping in the initial_page_table extends as far as the GDT; in this +case, accesses to the GDT will cause a page fault (which quickly becomes +a triple fault). Fix this by copying the kernel mappings from +swapper_pg_dir to initial_page_table twice, both at PAGE_OFFSET and at +identity mapping. + +For some reason, this is only reproducible with QEMU's dynamic translation +mode, and not for example with KVM. However, even under KVM one can clearly +see that the page table is bogus: + + $ qemu-system-i386 -pflash OVMF.fd -M q35 vmlinuz0 -s -S -daemonize + $ gdb + (gdb) target remote localhost:1234 + (gdb) hb *0x02858f6f + Hardware assisted breakpoint 1 at 0x2858f6f + (gdb) c + Continuing. + + Breakpoint 1, 0x02858f6f in ?? () + (gdb) monitor info registers + ... + GDT= 0724e000 000000ff + IDT= fffbb000 000007ff + CR0=0005003b CR2=ff896000 CR3=032b7000 CR4=00000690 + ... + +The page directory is sane: + + (gdb) x/4wx 0x32b7000 + 0x32b7000: 0x03398063 0x03399063 0x0339a063 0x0339b063 + (gdb) x/4wx 0x3398000 + 0x3398000: 0x00000163 0x00001163 0x00002163 0x00003163 + (gdb) x/4wx 0x3399000 + 0x3399000: 0x00400003 0x00401003 0x00402003 0x00403003 + +but our particular page directory entry is empty: + + (gdb) x/1wx 0x32b7000 + (0x724e000 >> 22) * 4 + 0x32b7070: 0x00000000 + +[ It appears that you can skate past this issue if you don't receive + any interrupts while the bogus GDT pointer is loaded, or if you avoid + reloading the segment registers in general. + + Andy Lutomirski provides some additional insight: + + "AFAICT it's entirely permissible for the GDTR and/or LDT + descriptor to point to unmapped memory. Any attempt to use them + (segment loads, interrupts, IRET, etc) will try to access that memory + as if the access came from CPL 0 and, if the access fails, will + generate a valid page fault with CR2 pointing into the GDT or + LDT." + + Up until commit 23a0d4e8fa6d ("efi: Disable interrupts around EFI + calls, not in the epilog/prolog calls") interrupts were disabled + around the prolog and epilog calls, and the functional GDT was + re-installed before interrupts were re-enabled. + + Which explains why no one has hit this issue until now. ] + +Signed-off-by: Paolo Bonzini +Reported-by: Laszlo Ersek +Cc: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Andy Lutomirski +Signed-off-by: Matt Fleming +[ Updated changelog. ] +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/setup.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -1194,6 +1194,14 @@ void __init setup_arch(char **cmdline_p) + clone_pgd_range(initial_page_table + KERNEL_PGD_BOUNDARY, + swapper_pg_dir + KERNEL_PGD_BOUNDARY, + KERNEL_PGD_PTRS); ++ ++ /* ++ * sync back low identity map too. It is used for example ++ * in the 32-bit EFI stub. ++ */ ++ clone_pgd_range(initial_page_table, ++ swapper_pg_dir + KERNEL_PGD_BOUNDARY, ++ KERNEL_PGD_PTRS); + #endif + + tboot_probe();