From: Greg Kroah-Hartman Date: Tue, 9 May 2017 09:40:55 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.68~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b74db2acb8b9b690eda0b5f1be2c43f65438a6ee;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: arm-dts-nsp-gpio-reboot-open-source.patch arm-dts-qcom-fix-ipq-board-clock-rates.patch arm-dts-sun7i-lamobo-r1-fix-cpu-port-rgmii-settings.patch arm-omap5-dra7-fix-hyp-mode-boot-for-thumb2-build.patch arm64-dts-r8a7795-mark-ethernetavb-device-node-disabled.patch arm64-improve-detection-of-user-non-user-mappings-in-set_pte-_at.patch brcmfmac-ensure-pointer-correctly-set-if-skb-data-location-changes.patch brcmfmac-make-skb-header-writable-before-use.patch clk-make-x86-conditional-on-config_common_clk.patch clk-rockchip-add-to-mux_pll_src_apll_dpll_gpll_usb480m_p-on-rk3036.patch cpupower-fix-turbo-frequency-reporting-for-pre-sandy-bridge-cores.patch crypto-caam-fix-error-path-for-ctx_dma-mapping-failure.patch hwmon-it87-fix-pwm4-detection-for-it8620-and-it8628.patch irqchip-mips-gic-fix-local-interrupts.patch iwlwifi-fix-module_firmware-for-6030.patch iwlwifi-mvm-don-t-restart-hw-if-suspend-fails-with-unified-image.patch iwlwifi-mvm-fix-pending-frame-counter-calculation.patch iwlwifi-mvm-fix-references-to-first_agg_queue-in-dqa-mode.patch iwlwifi-mvm-fix-reorder-timer-re-arming.patch iwlwifi-mvm-overwrite-skb-info-later.patch iwlwifi-mvm-pcie-adjust-a-msdu-tx_cmd-length-in-pcie.patch iwlwifi-mvm-synchronize-firmware-dma-paging-memory.patch iwlwifi-mvm-use-aux-queue-for-offchannel-frames-in-dqa.patch iwlwifi-mvm-writing-zero-bytes-to-debugfs-causes-a-crash.patch iwlwifi-pcie-don-t-increment-decrement-a-bool.patch iwlwifi-pcie-fix-the-set-of-dma-memory-mask.patch iwlwifi-pcie-trans-remove-unused-shift_param.patch kprobes-x86-fix-kernel-panic-when-certain-exception-handling-addresses-are-probed.patch kvm-nvmx-do-not-leak-pml-full-vmexit-to-l1.patch kvm-nvmx-initialize-pml-fields-in-vmcs02.patch leds-ktd2692-avoid-harmless-maybe-uninitialized-warning.patch mips-r2-on-r6-multu-maddu-msubu-emulation-bugfix.patch mwifiex-avoid-skipping-wep-key-deletion-for-ap.patch mwifiex-debugfs-fix-sometimes-off-by-1-ssid-print.patch mwifiex-remove-redundant-dma-padding-in-amsdu.patch perf-x86-intel-pt-add-format-strings-for-ptwrite-and-power-event-tracing.patch phy-qcom-usb-hs-add-depends-on-extcon.patch power-supply-bq24190_charger-call-power_supply_changed-for-relevant-component.patch power-supply-bq24190_charger-call-set_mode_host-on-pm_resume.patch power-supply-bq24190_charger-don-t-read-fault-register-outside-irq_handle_thread.patch power-supply-bq24190_charger-fix-irq-trigger-to-irqf_trigger_falling.patch power-supply-bq24190_charger-handle-fault-before-status-on-interrupt.patch power-supply-bq24190_charger-install-irq_handler_thread-at-end-of-probe.patch power-supply-lp8788-prevent-out-of-bounds-array-access.patch powerpc-correctly-disable-latent-entropy-gcc-plugin-on-prom_init.o.patch powerpc-ftrace-fix-confusing-help-text-for-disable_mprofile_kernel.patch powerpc-mm-fixup-wrong-lpcr_vrmasd-value.patch powerpc-powernv-fix-opal_exit-tracepoint-opcode.patch revert-kvm-nested-vmx-disable-perf-cpuid-reporting.patch scsi-mac_scsi-fix-mac_scsi-m-option-when-scsi-m.patch scsi-qla2xxx-fix-crash-in-qla2xxx_eh_abort-on-bad-ptr.patch scsi-scsi_dh_emc-return-success-in-clariion_std_inquiry.patch scsi-smartpqi-fix-time-handling.patch serial-8250_omap-fix-probe-and-remove-for-pm-runtime.patch tmp-use-pdev-for-parent-device-in-tpm_chip_alloc.patch tpm-fix-rc-value-check-in-tpm2_seal_trusted.patch usb-chipidea-handle-extcon-events-properly.patch usb-chipidea-only-read-write-otgsc-from-one-place.patch usb-dwc2-host-use-msleep-for-long-delay.patch usb-host-ehci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch usb-host-ohci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch usb-serial-ark3116-fix-open-error-handling.patch usb-serial-digi_acceleport-fix-incomplete-rx-sanity-check.patch usb-serial-ftdi_sio-fix-latency-timer-error-handling.patch usb-serial-io_edgeport-fix-descriptor-error-handling.patch usb-serial-io_edgeport-fix-epic-descriptor-handling.patch usb-serial-keyspan_pda-fix-receive-sanity-checks.patch usb-serial-mct_u232-fix-modem-status-error-handling.patch usb-serial-quatech2-fix-control-message-error-handling.patch usb-serial-sierra-fix-bogus-alternate-setting-assumption.patch usb-serial-ssu100-fix-control-message-error-handling.patch usb-serial-ti_usb_3410_5052-fix-control-message-error-handling.patch x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch x86-mpx-re-add-mpx-to-selftests-makefile.patch x86-pci-calgary-fix-iommu_free-comparison-of-unsigned-expression-0.patch x86-platform-intel-mid-correct-msi-irq-line-for-watchdog-device.patch --- diff --git a/queue-4.9/arm-dts-nsp-gpio-reboot-open-source.patch b/queue-4.9/arm-dts-nsp-gpio-reboot-open-source.patch new file mode 100644 index 00000000000..055f2ad0d90 --- /dev/null +++ b/queue-4.9/arm-dts-nsp-gpio-reboot-open-source.patch @@ -0,0 +1,105 @@ +From acfa28b3649ec07775efaac0c00de2db39d71634 Mon Sep 17 00:00:00 2001 +From: Jon Mason +Date: Wed, 1 Mar 2017 18:02:28 -0500 +Subject: ARM: dts: NSP: GPIO reboot open-source + +From: Jon Mason + +commit acfa28b3649ec07775efaac0c00de2db39d71634 upstream. + +The libgpio code pre-sets the GPIO values for the gpio-reset in the +device tree. This results in the device being reset during bringup. +To prevent this pre-setting, use the "open-source" flag in the device +tree. + +Signed-off-by: Jon Mason +Fixes: b1aaf88 ("ARM: dts: NSP: Add GPIO reboot method to bcm958625hr DTS file") +Fixes: 10baed1 ("ARM: dts: NSP: Add GPIO reboot method to bcm958625xmc DTS file") +Fixes: 088e3148 ("ARM: dts: NSP: Add new DT file for bcm958522er") +Fixes: e3227c1 ("ARM: dts: NSP: Add new DT file for bcm958525er") +Fixes: 2f8bc00 ("ARM: dts: NSP: Add new DT file for bcm958622hr") +Fixes: d454c37 ("ARM: dts: NSP: Add new DT file for bcm958623hr") +Fixes: f27eacf ("ARM: dts: NSP: Add new DT file for bcm988312hr") +Signed-off-by: Florian Fainelli +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/bcm958522er.dts | 1 + + arch/arm/boot/dts/bcm958525er.dts | 1 + + arch/arm/boot/dts/bcm958525xmc.dts | 1 + + arch/arm/boot/dts/bcm958622hr.dts | 1 + + arch/arm/boot/dts/bcm958623hr.dts | 1 + + arch/arm/boot/dts/bcm958625hr.dts | 1 + + arch/arm/boot/dts/bcm988312hr.dts | 1 + + 7 files changed, 7 insertions(+) + +--- a/arch/arm/boot/dts/bcm958522er.dts ++++ b/arch/arm/boot/dts/bcm958522er.dts +@@ -55,6 +55,7 @@ + gpio-restart { + compatible = "gpio-restart"; + gpios = <&gpioa 15 GPIO_ACTIVE_LOW>; ++ open-source; + priority = <200>; + }; + }; +--- a/arch/arm/boot/dts/bcm958525er.dts ++++ b/arch/arm/boot/dts/bcm958525er.dts +@@ -55,6 +55,7 @@ + gpio-restart { + compatible = "gpio-restart"; + gpios = <&gpioa 15 GPIO_ACTIVE_LOW>; ++ open-source; + priority = <200>; + }; + }; +--- a/arch/arm/boot/dts/bcm958525xmc.dts ++++ b/arch/arm/boot/dts/bcm958525xmc.dts +@@ -55,6 +55,7 @@ + gpio-restart { + compatible = "gpio-restart"; + gpios = <&gpioa 31 GPIO_ACTIVE_LOW>; ++ open-source; + priority = <200>; + }; + }; +--- a/arch/arm/boot/dts/bcm958622hr.dts ++++ b/arch/arm/boot/dts/bcm958622hr.dts +@@ -55,6 +55,7 @@ + gpio-restart { + compatible = "gpio-restart"; + gpios = <&gpioa 15 GPIO_ACTIVE_LOW>; ++ open-source; + priority = <200>; + }; + }; +--- a/arch/arm/boot/dts/bcm958623hr.dts ++++ b/arch/arm/boot/dts/bcm958623hr.dts +@@ -55,6 +55,7 @@ + gpio-restart { + compatible = "gpio-restart"; + gpios = <&gpioa 15 GPIO_ACTIVE_LOW>; ++ open-source; + priority = <200>; + }; + }; +--- a/arch/arm/boot/dts/bcm958625hr.dts ++++ b/arch/arm/boot/dts/bcm958625hr.dts +@@ -55,6 +55,7 @@ + gpio-restart { + compatible = "gpio-restart"; + gpios = <&gpioa 15 GPIO_ACTIVE_LOW>; ++ open-source; + priority = <200>; + }; + }; +--- a/arch/arm/boot/dts/bcm988312hr.dts ++++ b/arch/arm/boot/dts/bcm988312hr.dts +@@ -55,6 +55,7 @@ + gpio-restart { + compatible = "gpio-restart"; + gpios = <&gpioa 15 GPIO_ACTIVE_LOW>; ++ open-source; + priority = <200>; + }; + }; diff --git a/queue-4.9/arm-dts-qcom-fix-ipq-board-clock-rates.patch b/queue-4.9/arm-dts-qcom-fix-ipq-board-clock-rates.patch new file mode 100644 index 00000000000..5a20c1a480c --- /dev/null +++ b/queue-4.9/arm-dts-qcom-fix-ipq-board-clock-rates.patch @@ -0,0 +1,40 @@ +From 06dbf468a2c42bf6c327a8eaf11ecb3ea96196f9 Mon Sep 17 00:00:00 2001 +From: Stephen Boyd +Date: Wed, 9 Nov 2016 17:13:57 -0800 +Subject: arm: dts: qcom: Fix ipq board clock rates + +From: Stephen Boyd + +commit 06dbf468a2c42bf6c327a8eaf11ecb3ea96196f9 upstream. + +The ipq board has these rates as 25MHz, and not 19.2 and 27. I +copy/pasted from other boards that have those rates but forgot +to fix the rates here. + +Fixes: 30fc4212d541 ("arm: dts: qcom: Add more board clocks") +Signed-off-by: Stephen Boyd +Signed-off-by: Andy Gross +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/qcom-ipq8064.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/qcom-ipq8064.dtsi ++++ b/arch/arm/boot/dts/qcom-ipq8064.dtsi +@@ -65,13 +65,13 @@ + cxo_board { + compatible = "fixed-clock"; + #clock-cells = <0>; +- clock-frequency = <19200000>; ++ clock-frequency = <25000000>; + }; + + pxo_board { + compatible = "fixed-clock"; + #clock-cells = <0>; +- clock-frequency = <27000000>; ++ clock-frequency = <25000000>; + }; + + sleep_clk: sleep_clk { diff --git a/queue-4.9/arm-dts-sun7i-lamobo-r1-fix-cpu-port-rgmii-settings.patch b/queue-4.9/arm-dts-sun7i-lamobo-r1-fix-cpu-port-rgmii-settings.patch new file mode 100644 index 00000000000..33888a7b177 --- /dev/null +++ b/queue-4.9/arm-dts-sun7i-lamobo-r1-fix-cpu-port-rgmii-settings.patch @@ -0,0 +1,35 @@ +From 0cdefd5b5485ee6eb3512a75739d09a4090176ed Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Sat, 18 Mar 2017 21:53:20 -0700 +Subject: ARM: dts: sun7i: lamobo-r1: Fix CPU port RGMII settings + +From: Florian Fainelli + +commit 0cdefd5b5485ee6eb3512a75739d09a4090176ed upstream. + +The CPU port of the BCM53125 is configured with RGMII (no delays) but +this should actually be RGMII with transmit delay (rgmii-txid) because +STMMAC takes care of inserting the transmitter delay. This fixes +occasional packet loss encountered. + +Fixes: d7b9eaff5f0c ("ARM: dts: sun7i: Add BCM53125 switch nodes to the lamobo-r1 board") +Reported-by: Hartmut Knaack +Signed-off-by: Florian Fainelli +Signed-off-by: Maxime Ripard +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/sun7i-a20-lamobo-r1.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/sun7i-a20-lamobo-r1.dts ++++ b/arch/arm/boot/dts/sun7i-a20-lamobo-r1.dts +@@ -167,7 +167,7 @@ + reg = <8>; + label = "cpu"; + ethernet = <&gmac>; +- phy-mode = "rgmii"; ++ phy-mode = "rgmii-txid"; + fixed-link { + speed = <1000>; + full-duplex; diff --git a/queue-4.9/arm-omap5-dra7-fix-hyp-mode-boot-for-thumb2-build.patch b/queue-4.9/arm-omap5-dra7-fix-hyp-mode-boot-for-thumb2-build.patch new file mode 100644 index 00000000000..ea9d28853f2 --- /dev/null +++ b/queue-4.9/arm-omap5-dra7-fix-hyp-mode-boot-for-thumb2-build.patch @@ -0,0 +1,40 @@ +From 448c077eeb02240c430db2a2c3bf5285a4c65d66 Mon Sep 17 00:00:00 2001 +From: Matthijs van Duin +Date: Thu, 16 Feb 2017 01:05:04 +0100 +Subject: ARM: OMAP5 / DRA7: Fix HYP mode boot for thumb2 build + +From: Matthijs van Duin + +commit 448c077eeb02240c430db2a2c3bf5285a4c65d66 upstream. + +'adr' yields a data-pointer, not a function-pointer. + +Fixes: 999f934de195 ("ARM: omap5/dra7xx: Enable booting secondary +CPU in HYP mode") +Signed-off-by: Matthijs van Duin +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-omap2/omap-headsmp.S | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm/mach-omap2/omap-headsmp.S ++++ b/arch/arm/mach-omap2/omap-headsmp.S +@@ -17,6 +17,7 @@ + + #include + #include ++#include + + #include "omap44xx.h" + +@@ -66,7 +67,7 @@ wait_2: ldr r2, =AUX_CORE_BOOT0_PA @ rea + cmp r0, r4 + bne wait_2 + ldr r12, =API_HYP_ENTRY +- adr r0, hyp_boot ++ badr r0, hyp_boot + smc #0 + hyp_boot: + b omap_secondary_startup diff --git a/queue-4.9/arm64-dts-r8a7795-mark-ethernetavb-device-node-disabled.patch b/queue-4.9/arm64-dts-r8a7795-mark-ethernetavb-device-node-disabled.patch new file mode 100644 index 00000000000..def50caeea4 --- /dev/null +++ b/queue-4.9/arm64-dts-r8a7795-mark-ethernetavb-device-node-disabled.patch @@ -0,0 +1,31 @@ +From 0d1390ff283f6c38595288e7f74da6829896b8b7 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Wed, 25 Jan 2017 14:19:30 +0100 +Subject: arm64: dts: r8a7795: Mark EthernetAVB device node disabled + +From: Geert Uytterhoeven + +commit 0d1390ff283f6c38595288e7f74da6829896b8b7 upstream. + +Device nodes representing I/O devices should be marked disabled in the +SoC-specific DTS, and overridden by board-specific DTSes where needed. + +Fixes: a92843c8a6f8c039 ("arm64: dts: r8a7795: add EthernetAVB device node") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Simon Horman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/boot/dts/renesas/r8a7795.dtsi | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/boot/dts/renesas/r8a7795.dtsi ++++ b/arch/arm64/boot/dts/renesas/r8a7795.dtsi +@@ -553,6 +553,7 @@ + phy-mode = "rgmii-id"; + #address-cells = <1>; + #size-cells = <0>; ++ status = "disabled"; + }; + + can0: can@e6c30000 { diff --git a/queue-4.9/arm64-improve-detection-of-user-non-user-mappings-in-set_pte-_at.patch b/queue-4.9/arm64-improve-detection-of-user-non-user-mappings-in-set_pte-_at.patch new file mode 100644 index 00000000000..ba4d4c532e8 --- /dev/null +++ b/queue-4.9/arm64-improve-detection-of-user-non-user-mappings-in-set_pte-_at.patch @@ -0,0 +1,78 @@ +From ec663d967b2276448a416406ca59ff247c0c80c5 Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Fri, 27 Jan 2017 10:54:12 +0000 +Subject: arm64: Improve detection of user/non-user mappings in set_pte(_at) + +From: Catalin Marinas + +commit ec663d967b2276448a416406ca59ff247c0c80c5 upstream. + +Commit cab15ce604e5 ("arm64: Introduce execute-only page access +permissions") allowed a valid user PTE to have the PTE_USER bit clear. +As a consequence, the pte_valid_not_user() macro in set_pte() was +replaced with pte_valid_global() under the assumption that only user +pages have the nG bit set. EFI mappings, however, also have the nG bit +set and set_pte() wrongly ignores issuing the DSB+ISB. + +This patch reinstates the pte_valid_not_user() macro and adds the +PTE_UXN bit check since all kernel mappings have this bit set. For +clarity, pte_exec() is renamed to pte_user_exec() as it only checks for +the absence of PTE_UXN. Consequently, the user executable check in +set_pte_at() drops the pte_ng() test since pte_user_exec() is +sufficient. + +Fixes: cab15ce604e5 ("arm64: Introduce execute-only page access permissions") +Signed-off-by: Catalin Marinas +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/pgtable.h | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/arch/arm64/include/asm/pgtable.h ++++ b/arch/arm64/include/asm/pgtable.h +@@ -71,9 +71,8 @@ extern unsigned long empty_zero_page[PAG + #define pte_young(pte) (!!(pte_val(pte) & PTE_AF)) + #define pte_special(pte) (!!(pte_val(pte) & PTE_SPECIAL)) + #define pte_write(pte) (!!(pte_val(pte) & PTE_WRITE)) +-#define pte_exec(pte) (!(pte_val(pte) & PTE_UXN)) ++#define pte_user_exec(pte) (!(pte_val(pte) & PTE_UXN)) + #define pte_cont(pte) (!!(pte_val(pte) & PTE_CONT)) +-#define pte_ng(pte) (!!(pte_val(pte) & PTE_NG)) + + #ifdef CONFIG_ARM64_HW_AFDBM + #define pte_hw_dirty(pte) (pte_write(pte) && !(pte_val(pte) & PTE_RDONLY)) +@@ -84,8 +83,12 @@ extern unsigned long empty_zero_page[PAG + #define pte_dirty(pte) (pte_sw_dirty(pte) || pte_hw_dirty(pte)) + + #define pte_valid(pte) (!!(pte_val(pte) & PTE_VALID)) +-#define pte_valid_global(pte) \ +- ((pte_val(pte) & (PTE_VALID | PTE_NG)) == PTE_VALID) ++/* ++ * Execute-only user mappings do not have the PTE_USER bit set. All valid ++ * kernel mappings have the PTE_UXN bit set. ++ */ ++#define pte_valid_not_user(pte) \ ++ ((pte_val(pte) & (PTE_VALID | PTE_USER | PTE_UXN)) == (PTE_VALID | PTE_UXN)) + #define pte_valid_young(pte) \ + ((pte_val(pte) & (PTE_VALID | PTE_AF)) == (PTE_VALID | PTE_AF)) + +@@ -178,7 +181,7 @@ static inline void set_pte(pte_t *ptep, + * Only if the new pte is valid and kernel, otherwise TLB maintenance + * or update_mmu_cache() have the necessary barriers. + */ +- if (pte_valid_global(pte)) { ++ if (pte_valid_not_user(pte)) { + dsb(ishst); + isb(); + } +@@ -212,7 +215,7 @@ static inline void set_pte_at(struct mm_ + pte_val(pte) &= ~PTE_RDONLY; + else + pte_val(pte) |= PTE_RDONLY; +- if (pte_ng(pte) && pte_exec(pte) && !pte_special(pte)) ++ if (pte_user_exec(pte) && !pte_special(pte)) + __sync_icache_dcache(pte, addr); + } + diff --git a/queue-4.9/brcmfmac-ensure-pointer-correctly-set-if-skb-data-location-changes.patch b/queue-4.9/brcmfmac-ensure-pointer-correctly-set-if-skb-data-location-changes.patch new file mode 100644 index 00000000000..f7927bd3157 --- /dev/null +++ b/queue-4.9/brcmfmac-ensure-pointer-correctly-set-if-skb-data-location-changes.patch @@ -0,0 +1,44 @@ +From 455a1eb4654c24560eb9dfc634f29cba3d87601e Mon Sep 17 00:00:00 2001 +From: James Hughes +Date: Mon, 24 Apr 2017 12:40:50 +0100 +Subject: brcmfmac: Ensure pointer correctly set if skb data location changes + +From: James Hughes + +commit 455a1eb4654c24560eb9dfc634f29cba3d87601e upstream. + +The incoming skb header may be resized if header space is +insufficient, which might change the data adddress in the skb. +Ensure that a cached pointer to that data is correctly set by +moving assignment to after any possible changes. + +Signed-off-by: James Hughes +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +Signed-off-by: Arend van Spriel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -198,7 +198,7 @@ static netdev_tx_t brcmf_netdev_start_xm + int ret; + struct brcmf_if *ifp = netdev_priv(ndev); + struct brcmf_pub *drvr = ifp->drvr; +- struct ethhdr *eh = (struct ethhdr *)(skb->data); ++ struct ethhdr *eh; + + brcmf_dbg(DATA, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx); + +@@ -236,6 +236,8 @@ static netdev_tx_t brcmf_netdev_start_xm + goto done; + } + ++ eh = (struct ethhdr *)(skb->data); ++ + if (eh->h_proto == htons(ETH_P_PAE)) + atomic_inc(&ifp->pend_8021x_cnt); + diff --git a/queue-4.9/brcmfmac-make-skb-header-writable-before-use.patch b/queue-4.9/brcmfmac-make-skb-header-writable-before-use.patch new file mode 100644 index 00000000000..f19c7bc1983 --- /dev/null +++ b/queue-4.9/brcmfmac-make-skb-header-writable-before-use.patch @@ -0,0 +1,55 @@ +From 9cc4b7cb86cbcc6330a3faa8cd65268cd2d3c227 Mon Sep 17 00:00:00 2001 +From: James Hughes +Date: Tue, 25 Apr 2017 10:15:06 +0100 +Subject: brcmfmac: Make skb header writable before use + +From: James Hughes + +commit 9cc4b7cb86cbcc6330a3faa8cd65268cd2d3c227 upstream. + +The driver was making changes to the skb_header without +ensuring it was writable (i.e. uncloned). +This patch also removes some boiler plate header size +checking/adjustment code as that is also handled by the +skb_cow_header function used to make header writable. + +Signed-off-by: James Hughes +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +Signed-off-by: Arend van Spriel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 19 ++++------------ + 1 file changed, 5 insertions(+), 14 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -211,22 +211,13 @@ static netdev_tx_t brcmf_netdev_start_xm + goto done; + } + +- /* Make sure there's enough room for any header */ +- if (skb_headroom(skb) < drvr->hdrlen) { +- struct sk_buff *skb2; +- +- brcmf_dbg(INFO, "%s: insufficient headroom\n", ++ /* Make sure there's enough writable headroom*/ ++ ret = skb_cow_head(skb, drvr->hdrlen); ++ if (ret < 0) { ++ brcmf_err("%s: skb_cow_head failed\n", + brcmf_ifname(ifp)); +- drvr->bus_if->tx_realloc++; +- skb2 = skb_realloc_headroom(skb, drvr->hdrlen); + dev_kfree_skb(skb); +- skb = skb2; +- if (skb == NULL) { +- brcmf_err("%s: skb_realloc_headroom failed\n", +- brcmf_ifname(ifp)); +- ret = -ENOMEM; +- goto done; +- } ++ goto done; + } + + /* validate length for ether packet */ diff --git a/queue-4.9/clk-make-x86-conditional-on-config_common_clk.patch b/queue-4.9/clk-make-x86-conditional-on-config_common_clk.patch new file mode 100644 index 00000000000..c80fc073ae9 --- /dev/null +++ b/queue-4.9/clk-make-x86-conditional-on-config_common_clk.patch @@ -0,0 +1,33 @@ +From f35b6542c3ac3f28056d298348a81f7d56d3a041 Mon Sep 17 00:00:00 2001 +From: Pierre-Louis Bossart +Date: Mon, 23 Jan 2017 12:07:41 -0600 +Subject: clk: Make x86/ conditional on CONFIG_COMMON_CLK + +From: Pierre-Louis Bossart + +commit f35b6542c3ac3f28056d298348a81f7d56d3a041 upstream. + +Fix Makefile for x86 support, dependency on CONFIG_COMMON_CLK +was not explicit + +Fixes: 701190fd7419 ('clk: x86: add support for Lynxpoint LPSS clocks') +Signed-off-by: Pierre-Louis Bossart +Acked-by: Andy Shevchenko +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/Makefile | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/clk/Makefile ++++ b/drivers/clk/Makefile +@@ -87,6 +87,8 @@ obj-y += ti/ + obj-$(CONFIG_CLK_UNIPHIER) += uniphier/ + obj-$(CONFIG_ARCH_U8500) += ux500/ + obj-$(CONFIG_COMMON_CLK_VERSATILE) += versatile/ ++ifeq ($(CONFIG_COMMON_CLK), y) + obj-$(CONFIG_X86) += x86/ ++endif + obj-$(CONFIG_ARCH_ZX) += zte/ + obj-$(CONFIG_ARCH_ZYNQ) += zynq/ diff --git a/queue-4.9/clk-rockchip-add-to-mux_pll_src_apll_dpll_gpll_usb480m_p-on-rk3036.patch b/queue-4.9/clk-rockchip-add-to-mux_pll_src_apll_dpll_gpll_usb480m_p-on-rk3036.patch new file mode 100644 index 00000000000..8405ea3ee71 --- /dev/null +++ b/queue-4.9/clk-rockchip-add-to-mux_pll_src_apll_dpll_gpll_usb480m_p-on-rk3036.patch @@ -0,0 +1,33 @@ +From 9b1b23f03abdd25ffde8bbfe5824b89bc0448c28 Mon Sep 17 00:00:00 2001 +From: Heiko Stuebner +Date: Wed, 1 Mar 2017 22:00:41 +0100 +Subject: clk: rockchip: add "," to mux_pll_src_apll_dpll_gpll_usb480m_p on rk3036 + +From: Heiko Stuebner + +commit 9b1b23f03abdd25ffde8bbfe5824b89bc0448c28 upstream. + +The mux_pll_src_apll_dpll_gpll_usb480m_p parent list was missing a "," +between the 3rd and 4th parent names, making them fall together and thus +lookups fail. Fix that. + +Fixes: 5190c08b2989 ("clk: rockchip: add clock controller for rk3036") +Signed-off-by: Heiko Stuebner +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/rockchip/clk-rk3036.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/rockchip/clk-rk3036.c ++++ b/drivers/clk/rockchip/clk-rk3036.c +@@ -127,7 +127,7 @@ PNAME(mux_ddrphy_p) = { "dpll_ddr", "gp + PNAME(mux_pll_src_3plls_p) = { "apll", "dpll", "gpll" }; + PNAME(mux_timer_p) = { "xin24m", "pclk_peri_src" }; + +-PNAME(mux_pll_src_apll_dpll_gpll_usb480m_p) = { "apll", "dpll", "gpll" "usb480m" }; ++PNAME(mux_pll_src_apll_dpll_gpll_usb480m_p) = { "apll", "dpll", "gpll", "usb480m" }; + + PNAME(mux_mmc_src_p) = { "apll", "dpll", "gpll", "xin24m" }; + PNAME(mux_i2s_pre_p) = { "i2s_src", "i2s_frac", "ext_i2s", "xin12m" }; diff --git a/queue-4.9/cpupower-fix-turbo-frequency-reporting-for-pre-sandy-bridge-cores.patch b/queue-4.9/cpupower-fix-turbo-frequency-reporting-for-pre-sandy-bridge-cores.patch new file mode 100644 index 00000000000..d3e031b4317 --- /dev/null +++ b/queue-4.9/cpupower-fix-turbo-frequency-reporting-for-pre-sandy-bridge-cores.patch @@ -0,0 +1,35 @@ +From 4cca0457686e4ee1677d69469e4ddfd94d389a80 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Tue, 11 Apr 2017 00:29:44 +0100 +Subject: cpupower: Fix turbo frequency reporting for pre-Sandy Bridge cores + +From: Ben Hutchings + +commit 4cca0457686e4ee1677d69469e4ddfd94d389a80 upstream. + +The switch that conditionally sets CPUPOWER_CAP_HAS_TURBO_RATIO and +CPUPOWER_CAP_IS_SNB flags is missing a break, so all cores get both +flags set and an assumed base clock of 100 MHz for turbo values. + +Reported-by: GSR +Tested-by: GSR +References: https://bugs.debian.org/859978 +Fixes: 8fb2e440b223 (cpupower: Show Intel turbo ratio support via ...) +Signed-off-by: Ben Hutchings +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + tools/power/cpupower/utils/helpers/cpuid.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/power/cpupower/utils/helpers/cpuid.c ++++ b/tools/power/cpupower/utils/helpers/cpuid.c +@@ -156,6 +156,7 @@ out: + */ + case 0x2C: /* Westmere EP - Gulftown */ + cpu_info->caps |= CPUPOWER_CAP_HAS_TURBO_RATIO; ++ break; + case 0x2A: /* SNB */ + case 0x2D: /* SNB Xeon */ + case 0x3A: /* IVB */ diff --git a/queue-4.9/crypto-caam-fix-error-path-for-ctx_dma-mapping-failure.patch b/queue-4.9/crypto-caam-fix-error-path-for-ctx_dma-mapping-failure.patch new file mode 100644 index 00000000000..efc87a3b2fb --- /dev/null +++ b/queue-4.9/crypto-caam-fix-error-path-for-ctx_dma-mapping-failure.patch @@ -0,0 +1,73 @@ +From 87ec02e7409d787348c244039aa3536a812dfa8b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Horia=20Geant=C4=83?= +Date: Fri, 10 Feb 2017 14:07:23 +0200 +Subject: crypto: caam - fix error path for ctx_dma mapping failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +commit 87ec02e7409d787348c244039aa3536a812dfa8b upstream. + +In case ctx_dma dma mapping fails, ahash_unmap_ctx() tries to +dma unmap an invalid address: +map_seq_out_ptr_ctx() / ctx_map_to_sec4_sg() -> goto unmap_ctx -> +-> ahash_unmap_ctx() -> dma unmap ctx_dma + +There is also possible to reach ahash_unmap_ctx() with ctx_dma +uninitialzed or to try to unmap the same address twice. + +Fix these by setting ctx_dma = 0 where needed: +-initialize ctx_dma in ahash_init() +-clear ctx_dma in case of mapping error (instead of holding +the error code returned by the dma map function) +-clear ctx_dma after each unmapping + +Fixes: 32686d34f8fb6 ("crypto: caam - ensure that we clean up after an error") +Signed-off-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/caamhash.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/crypto/caam/caamhash.c ++++ b/drivers/crypto/caam/caamhash.c +@@ -154,6 +154,7 @@ static inline int map_seq_out_ptr_ctx(u3 + ctx_len, DMA_FROM_DEVICE); + if (dma_mapping_error(jrdev, state->ctx_dma)) { + dev_err(jrdev, "unable to map ctx\n"); ++ state->ctx_dma = 0; + return -ENOMEM; + } + +@@ -214,6 +215,7 @@ static inline int ctx_map_to_sec4_sg(u32 + state->ctx_dma = dma_map_single(jrdev, state->caam_ctx, ctx_len, flag); + if (dma_mapping_error(jrdev, state->ctx_dma)) { + dev_err(jrdev, "unable to map ctx\n"); ++ state->ctx_dma = 0; + return -ENOMEM; + } + +@@ -620,8 +622,10 @@ static inline void ahash_unmap_ctx(struc + struct caam_hash_ctx *ctx = crypto_ahash_ctx(ahash); + struct caam_hash_state *state = ahash_request_ctx(req); + +- if (state->ctx_dma) ++ if (state->ctx_dma) { + dma_unmap_single(dev, state->ctx_dma, ctx->ctx_len, flag); ++ state->ctx_dma = 0; ++ } + ahash_unmap(dev, edesc, req, dst_len); + } + +@@ -1605,6 +1609,7 @@ static int ahash_init(struct ahash_reque + state->finup = ahash_finup_first; + state->final = ahash_final_no_ctx; + ++ state->ctx_dma = 0; + state->current_buf = 0; + state->buf_dma = 0; + state->buflen_0 = 0; diff --git a/queue-4.9/hwmon-it87-fix-pwm4-detection-for-it8620-and-it8628.patch b/queue-4.9/hwmon-it87-fix-pwm4-detection-for-it8620-and-it8628.patch new file mode 100644 index 00000000000..058bbffa3f7 --- /dev/null +++ b/queue-4.9/hwmon-it87-fix-pwm4-detection-for-it8620-and-it8628.patch @@ -0,0 +1,32 @@ +From d66777caa57ffade6061782f3a4d4056f0b0c1ac Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Wed, 8 Feb 2017 14:05:56 -0800 +Subject: hwmon: (it87) Fix pwm4 detection for IT8620 and IT8628 + +From: Guenter Roeck + +commit d66777caa57ffade6061782f3a4d4056f0b0c1ac upstream. + +pwm4 is enabled if bit 2 of GPIO control register 4 is disabled, +not when it is enabled. Since the check is for the skip condition, +it is reversed. This applies to both IT8620 and IT8628. + +Fixes: 36c4d98a7883d ("hwmon: (it87) Add support for all pwm channels ...") +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/it87.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwmon/it87.c ++++ b/drivers/hwmon/it87.c +@@ -2600,7 +2600,7 @@ static int __init it87_find(int sioaddr, + + /* Check for pwm4 */ + reg = superio_inb(sioaddr, IT87_SIO_GPIO4_REG); +- if (!(reg & BIT(2))) ++ if (reg & BIT(2)) + sio_data->skip_pwm |= BIT(3); + + /* Check for pwm2, fan2 */ diff --git a/queue-4.9/irqchip-mips-gic-fix-local-interrupts.patch b/queue-4.9/irqchip-mips-gic-fix-local-interrupts.patch new file mode 100644 index 00000000000..83fa0983c4a --- /dev/null +++ b/queue-4.9/irqchip-mips-gic-fix-local-interrupts.patch @@ -0,0 +1,84 @@ +From 4cfffcfa5106492f5785924ce2e9af49f075999b Mon Sep 17 00:00:00 2001 +From: Marcin Nowakowski +Date: Wed, 25 Jan 2017 15:08:25 +0100 +Subject: irqchip/mips-gic: Fix local interrupts + +From: Marcin Nowakowski + +commit 4cfffcfa5106492f5785924ce2e9af49f075999b upstream. + +Some local interrupts are not initialised properly at the moment and +cannot be used since the domain's alloc method is never called for them. + +This has been observed earlier and partially fixed in commit +e875bd66dfb ("irqchip/mips-gic: Fix local interrupts"), but that change +still relied on the interrupt to be requested by an external driver (eg. +drivers/clocksource/mips-gic-timer.c). + +This does however not solve the issue for interrupts that are not +referenced by any driver through the device tree and results in +request_irq() calls returning -ENOSYS. It can be observed when attempting +to use perf tool to access hardware performance counters. + +Fix this by explicitly calling irq_create_fwspec_mapping() for local +interrupts. + +Fixes: e875bd66dfb ("irqchip/mips-gic: Fix local interrupts") +Signed-off-by: Marcin Nowakowski +Cc: Paul Burton +Cc: Thomas Gleixner +Cc: Jason Cooper +Cc: Marc Zyngier +Cc: linux-mips@linux-mips.org +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-mips-gic.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +--- a/drivers/irqchip/irq-mips-gic.c ++++ b/drivers/irqchip/irq-mips-gic.c +@@ -968,6 +968,34 @@ static struct irq_domain_ops gic_ipi_dom + .match = gic_ipi_domain_match, + }; + ++static void __init gic_map_single_int(struct device_node *node, ++ unsigned int irq) ++{ ++ unsigned int linux_irq; ++ struct irq_fwspec local_int_fwspec = { ++ .fwnode = &node->fwnode, ++ .param_count = 3, ++ .param = { ++ [0] = GIC_LOCAL, ++ [1] = irq, ++ [2] = IRQ_TYPE_NONE, ++ }, ++ }; ++ ++ if (!gic_local_irq_is_routable(irq)) ++ return; ++ ++ linux_irq = irq_create_fwspec_mapping(&local_int_fwspec); ++ WARN_ON(!linux_irq); ++} ++ ++static void __init gic_map_interrupts(struct device_node *node) ++{ ++ gic_map_single_int(node, GIC_LOCAL_INT_TIMER); ++ gic_map_single_int(node, GIC_LOCAL_INT_PERFCTR); ++ gic_map_single_int(node, GIC_LOCAL_INT_FDC); ++} ++ + static void __init __gic_init(unsigned long gic_base_addr, + unsigned long gic_addrspace_size, + unsigned int cpu_vec, unsigned int irqbase, +@@ -1067,6 +1095,7 @@ static void __init __gic_init(unsigned l + } + + gic_basic_init(); ++ gic_map_interrupts(node); + } + + void __init gic_init(unsigned long gic_base_addr, diff --git a/queue-4.9/iwlwifi-fix-module_firmware-for-6030.patch b/queue-4.9/iwlwifi-fix-module_firmware-for-6030.patch new file mode 100644 index 00000000000..dcd43ad72d5 --- /dev/null +++ b/queue-4.9/iwlwifi-fix-module_firmware-for-6030.patch @@ -0,0 +1,33 @@ +From d8320d75b59ecdc1b8e60ac793d3a54d84333a18 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=BCrg=20Billeter?= +Date: Mon, 10 Oct 2016 18:30:00 +0200 +Subject: iwlwifi: fix MODULE_FIRMWARE for 6030 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jürg Billeter + +commit d8320d75b59ecdc1b8e60ac793d3a54d84333a18 upstream. + +IWL6000G2B_UCODE_API_MAX is not defined. ucode_api_max of +IWL_DEVICE_6030 uses IWL6000G2_UCODE_API_MAX. Use this also for +MODULE_FIRMWARE. + +Fixes: 9d9b21d1b616 ("iwlwifi: remove IWL_*_UCODE_API_OK") +Signed-off-by: Jürg Billeter +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/iwl-6000.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/intel/iwlwifi/iwl-6000.c ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-6000.c +@@ -371,4 +371,4 @@ const struct iwl_cfg iwl6000_3agn_cfg = + MODULE_FIRMWARE(IWL6000_MODULE_FIRMWARE(IWL6000_UCODE_API_MAX)); + MODULE_FIRMWARE(IWL6050_MODULE_FIRMWARE(IWL6050_UCODE_API_MAX)); + MODULE_FIRMWARE(IWL6005_MODULE_FIRMWARE(IWL6000G2_UCODE_API_MAX)); +-MODULE_FIRMWARE(IWL6030_MODULE_FIRMWARE(IWL6000G2B_UCODE_API_MAX)); ++MODULE_FIRMWARE(IWL6030_MODULE_FIRMWARE(IWL6000G2_UCODE_API_MAX)); diff --git a/queue-4.9/iwlwifi-mvm-don-t-restart-hw-if-suspend-fails-with-unified-image.patch b/queue-4.9/iwlwifi-mvm-don-t-restart-hw-if-suspend-fails-with-unified-image.patch new file mode 100644 index 00000000000..9f289169f4f --- /dev/null +++ b/queue-4.9/iwlwifi-mvm-don-t-restart-hw-if-suspend-fails-with-unified-image.patch @@ -0,0 +1,44 @@ +From bac453ab3745eaa64137ea6e77e009b45954f0ae Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Fri, 7 Oct 2016 15:16:26 +0300 +Subject: iwlwifi: mvm: don't restart HW if suspend fails with unified image + +From: Luca Coelho + +commit bac453ab3745eaa64137ea6e77e009b45954f0ae upstream. + +For unified images, we shouldn't restart the HW if suspend fails. The +only reason for restarting the HW with non-unified images is to go +back to the D0 image. + +Fixes: 23ae61282b88 ("iwlwifi: mvm: Do not switch to D3 image on suspend") +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c +@@ -1262,12 +1262,15 @@ static int __iwl_mvm_suspend(struct ieee + iwl_trans_d3_suspend(mvm->trans, test, !unified_image); + out: + if (ret < 0) { +- iwl_mvm_ref(mvm, IWL_MVM_REF_UCODE_DOWN); +- if (mvm->restart_fw > 0) { +- mvm->restart_fw--; +- ieee80211_restart_hw(mvm->hw); +- } + iwl_mvm_free_nd(mvm); ++ ++ if (!unified_image) { ++ iwl_mvm_ref(mvm, IWL_MVM_REF_UCODE_DOWN); ++ if (mvm->restart_fw > 0) { ++ mvm->restart_fw--; ++ ieee80211_restart_hw(mvm->hw); ++ } ++ } + } + out_noreset: + mutex_unlock(&mvm->mutex); diff --git a/queue-4.9/iwlwifi-mvm-fix-pending-frame-counter-calculation.patch b/queue-4.9/iwlwifi-mvm-fix-pending-frame-counter-calculation.patch new file mode 100644 index 00000000000..5a6760eceba --- /dev/null +++ b/queue-4.9/iwlwifi-mvm-fix-pending-frame-counter-calculation.patch @@ -0,0 +1,146 @@ +From 94c3e614df2117626fccfac8f821c66e30556384 Mon Sep 17 00:00:00 2001 +From: Sara Sharon +Date: Wed, 7 Dec 2016 15:04:37 +0200 +Subject: iwlwifi: mvm: fix pending frame counter calculation + +From: Sara Sharon + +commit 94c3e614df2117626fccfac8f821c66e30556384 upstream. + +In DQA mode the check whether to decrement the pending frames +counter relies on the tid status and not on the txq id. +This may result in an inconsistent state of the pending frames +counter in case frame is queued on a non aggregation queue but +with this TID, and will be followed by a failure to remove the +station and later on SYSASSERT 0x3421 when trying to remove the +MAC. +Such frames are for example bar and qos NDPs. +Fix it by aligning the condition of incrementing the counter +with the condition of decrementing it - rely on TID state for +DQA mode. +Also, avoid internal error like this affecting station removal +for DQA mode - since we can know for sure it is an internal +error. + +Fixes: cf961e16620f ("iwlwifi: mvm: support dqa-mode agg on non-shared queue") +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 31 +++++++++++++++++---------- + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 5 +++- + 2 files changed, 24 insertions(+), 12 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +@@ -1466,6 +1466,7 @@ int iwl_mvm_rm_sta(struct iwl_mvm *mvm, + { + struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); + struct iwl_mvm_sta *mvm_sta = iwl_mvm_sta_from_mac80211(sta); ++ u8 sta_id = mvm_sta->sta_id; + int ret; + + lockdep_assert_held(&mvm->mutex); +@@ -1474,7 +1475,7 @@ int iwl_mvm_rm_sta(struct iwl_mvm *mvm, + kfree(mvm_sta->dup_data); + + if ((vif->type == NL80211_IFTYPE_STATION && +- mvmvif->ap_sta_id == mvm_sta->sta_id) || ++ mvmvif->ap_sta_id == sta_id) || + iwl_mvm_is_dqa_supported(mvm)){ + ret = iwl_mvm_drain_sta(mvm, mvm_sta, true); + if (ret) +@@ -1497,6 +1498,15 @@ int iwl_mvm_rm_sta(struct iwl_mvm *mvm, + iwl_mvm_disable_sta_queues(mvm, vif, mvm_sta); + + /* ++ * If pending_frames is set at this point - it must be ++ * driver internal logic error, since queues are empty ++ * and removed successuly. ++ * warn on it but set it to 0 anyway to avoid station ++ * not being removed later in the function ++ */ ++ WARN_ON(atomic_xchg(&mvm->pending_frames[sta_id], 0)); ++ ++ /* + * If no traffic has gone through the reserved TXQ - it + * is still marked as IWL_MVM_QUEUE_RESERVED, and + * should be manually marked as free again +@@ -1506,7 +1516,7 @@ int iwl_mvm_rm_sta(struct iwl_mvm *mvm, + if (WARN((*status != IWL_MVM_QUEUE_RESERVED) && + (*status != IWL_MVM_QUEUE_FREE), + "sta_id %d reserved txq %d status %d", +- mvm_sta->sta_id, reserved_txq, *status)) { ++ sta_id, reserved_txq, *status)) { + spin_unlock_bh(&mvm->queue_info_lock); + return -EINVAL; + } +@@ -1516,7 +1526,7 @@ int iwl_mvm_rm_sta(struct iwl_mvm *mvm, + } + + if (vif->type == NL80211_IFTYPE_STATION && +- mvmvif->ap_sta_id == mvm_sta->sta_id) { ++ mvmvif->ap_sta_id == sta_id) { + /* if associated - we can't remove the AP STA now */ + if (vif->bss_conf.assoc) + return ret; +@@ -1525,7 +1535,7 @@ int iwl_mvm_rm_sta(struct iwl_mvm *mvm, + mvmvif->ap_sta_id = IWL_MVM_STATION_COUNT; + + /* clear d0i3_ap_sta_id if no longer relevant */ +- if (mvm->d0i3_ap_sta_id == mvm_sta->sta_id) ++ if (mvm->d0i3_ap_sta_id == sta_id) + mvm->d0i3_ap_sta_id = IWL_MVM_STATION_COUNT; + } + } +@@ -1534,7 +1544,7 @@ int iwl_mvm_rm_sta(struct iwl_mvm *mvm, + * This shouldn't happen - the TDLS channel switch should be canceled + * before the STA is removed. + */ +- if (WARN_ON_ONCE(mvm->tdls_cs.peer.sta_id == mvm_sta->sta_id)) { ++ if (WARN_ON_ONCE(mvm->tdls_cs.peer.sta_id == sta_id)) { + mvm->tdls_cs.peer.sta_id = IWL_MVM_STATION_COUNT; + cancel_delayed_work(&mvm->tdls_cs.dwork); + } +@@ -1544,21 +1554,20 @@ int iwl_mvm_rm_sta(struct iwl_mvm *mvm, + * calls the drain worker. + */ + spin_lock_bh(&mvm_sta->lock); ++ + /* + * There are frames pending on the AC queues for this station. + * We need to wait until all the frames are drained... + */ +- if (atomic_read(&mvm->pending_frames[mvm_sta->sta_id])) { +- rcu_assign_pointer(mvm->fw_id_to_mac_id[mvm_sta->sta_id], ++ if (atomic_read(&mvm->pending_frames[sta_id])) { ++ rcu_assign_pointer(mvm->fw_id_to_mac_id[sta_id], + ERR_PTR(-EBUSY)); + spin_unlock_bh(&mvm_sta->lock); + + /* disable TDLS sta queues on drain complete */ + if (sta->tdls) { +- mvm->tfd_drained[mvm_sta->sta_id] = +- mvm_sta->tfd_queue_msk; +- IWL_DEBUG_TDLS(mvm, "Draining TDLS sta %d\n", +- mvm_sta->sta_id); ++ mvm->tfd_drained[sta_id] = mvm_sta->tfd_queue_msk; ++ IWL_DEBUG_TDLS(mvm, "Draining TDLS sta %d\n", sta_id); + } + + ret = iwl_mvm_drain_sta(mvm, mvm_sta, true); +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -1008,7 +1008,10 @@ static int iwl_mvm_tx_mpdu(struct iwl_mv + spin_unlock(&mvmsta->lock); + + /* Increase pending frames count if this isn't AMPDU */ +- if (!is_ampdu) ++ if ((iwl_mvm_is_dqa_supported(mvm) && ++ mvmsta->tid_data[tx_cmd->tid_tspec].state != IWL_AGG_ON && ++ mvmsta->tid_data[tx_cmd->tid_tspec].state != IWL_AGG_STARTING) || ++ (!iwl_mvm_is_dqa_supported(mvm) && !is_ampdu)) + atomic_inc(&mvm->pending_frames[mvmsta->sta_id]); + + return 0; diff --git a/queue-4.9/iwlwifi-mvm-fix-references-to-first_agg_queue-in-dqa-mode.patch b/queue-4.9/iwlwifi-mvm-fix-references-to-first_agg_queue-in-dqa-mode.patch new file mode 100644 index 00000000000..05f544c58c6 --- /dev/null +++ b/queue-4.9/iwlwifi-mvm-fix-references-to-first_agg_queue-in-dqa-mode.patch @@ -0,0 +1,75 @@ +From c56108b58ab870892277940a1def0d6b153f3e26 Mon Sep 17 00:00:00 2001 +From: Sara Sharon +Date: Sun, 1 Jan 2017 18:42:23 +0200 +Subject: iwlwifi: mvm: fix references to first_agg_queue in DQA mode + +From: Sara Sharon + +commit c56108b58ab870892277940a1def0d6b153f3e26 upstream. + +In DQA mode, first_agg_queue is initialized to +IWL_MVM_DQA_MIN_DATA_QUEUE. This causes two bugs in the tx response +flow: + +1. When TX fails, we set IEEE80211_TX_STAT_AMPDU_NO_BACK regardless + if we actually have aggregation open on the queue. This causes + mac80211 to send a BAR frame even though there is no aggregation + open. + Fix that by simply checking the AMPDU flag that is set on by + mac80211 for AMPDU packets. + +2. When reclaiming frames in aggregation mode, we reclaim based on + scheduler ssn and not the SN. + The reason is that scheduler ssn may be ahead of SN due to a hole + in the BA window that was filled. + However, if we have aggregations open on IWL_MVM_DQA_BSS_CLIENT_QUEUE + the reclaim flow will still go to the code of non-aggregation + instead of the aggregation code since IWL_MVM_DQA_BSS_CLIENT_QUEUE + is smaller than IWL_MVM_DQA_MIN_DATA_QUEUE, although it is a valid + aggregation queue. + Fix that by always using the aggregation reclaim code by default in + DQA mode (currently it is implicitly used by default for all queues + except the reserved BSS queue). + +Fixes: cf961e16620f ("iwlwifi: mvm: support dqa-mode agg on non-shared queue") +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -1278,8 +1278,6 @@ static void iwl_mvm_rx_tx_cmd_single(str + + memset(&info->status, 0, sizeof(info->status)); + +- info->flags &= ~IEEE80211_TX_CTL_AMPDU; +- + /* inform mac80211 about what happened with the frame */ + switch (status & TX_STATUS_MSK) { + case TX_STATUS_SUCCESS: +@@ -1302,10 +1300,11 @@ static void iwl_mvm_rx_tx_cmd_single(str + (void *)(uintptr_t)le32_to_cpu(tx_resp->initial_rate); + + /* Single frame failure in an AMPDU queue => send BAR */ +- if (txq_id >= mvm->first_agg_queue && ++ if (info->flags & IEEE80211_TX_CTL_AMPDU && + !(info->flags & IEEE80211_TX_STAT_ACK) && + !(info->flags & IEEE80211_TX_STAT_TX_FILTERED)) + info->flags |= IEEE80211_TX_STAT_AMPDU_NO_BACK; ++ info->flags &= ~IEEE80211_TX_CTL_AMPDU; + + /* W/A FW bug: seq_ctl is wrong when the status isn't success */ + if (status != TX_STATUS_SUCCESS) { +@@ -1340,7 +1339,7 @@ static void iwl_mvm_rx_tx_cmd_single(str + ieee80211_tx_status(mvm->hw, skb); + } + +- if (txq_id >= mvm->first_agg_queue) { ++ if (iwl_mvm_is_dqa_supported(mvm) || txq_id >= mvm->first_agg_queue) { + /* If this is an aggregation queue, we use the ssn since: + * ssn = wifi seq_num % 256. + * The seq_ctl is the sequence control of the packet to which diff --git a/queue-4.9/iwlwifi-mvm-fix-reorder-timer-re-arming.patch b/queue-4.9/iwlwifi-mvm-fix-reorder-timer-re-arming.patch new file mode 100644 index 00000000000..27b5fd41214 --- /dev/null +++ b/queue-4.9/iwlwifi-mvm-fix-reorder-timer-re-arming.patch @@ -0,0 +1,42 @@ +From 5351f9ab254c30d41659924265f1ecd7b4758d9e Mon Sep 17 00:00:00 2001 +From: Sara Sharon +Date: Tue, 3 Jan 2017 21:03:35 +0200 +Subject: iwlwifi: mvm: fix reorder timer re-arming + +From: Sara Sharon + +commit 5351f9ab254c30d41659924265f1ecd7b4758d9e upstream. + +When NSSN is behind the reorder buffer due to timeout +the reorder timer isn't getting re-armed until NSSN +catches up. Fix it. + +Fixes: 0690405fef29 ("iwlwifi: mvm: add reorder timeout per frame") + +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c +@@ -409,7 +409,7 @@ static void iwl_mvm_release_frames(struc + + /* ignore nssn smaller than head sn - this can happen due to timeout */ + if (iwl_mvm_is_sn_less(nssn, ssn, reorder_buf->buf_size)) +- return; ++ goto set_timer; + + while (iwl_mvm_is_sn_less(ssn, nssn, reorder_buf->buf_size)) { + int index = ssn % reorder_buf->buf_size; +@@ -432,6 +432,7 @@ static void iwl_mvm_release_frames(struc + } + reorder_buf->head_sn = nssn; + ++set_timer: + if (reorder_buf->num_stored && !reorder_buf->removed) { + u16 index = reorder_buf->head_sn % reorder_buf->buf_size; + diff --git a/queue-4.9/iwlwifi-mvm-overwrite-skb-info-later.patch b/queue-4.9/iwlwifi-mvm-overwrite-skb-info-later.patch new file mode 100644 index 00000000000..54ad1c81ccf --- /dev/null +++ b/queue-4.9/iwlwifi-mvm-overwrite-skb-info-later.patch @@ -0,0 +1,88 @@ +From bd05a5bd6b11d7fd26a668de83c5cb996de05f8f Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 2 Dec 2016 09:57:40 +0100 +Subject: iwlwifi: mvm: overwrite skb info later + +From: Johannes Berg + +commit bd05a5bd6b11d7fd26a668de83c5cb996de05f8f upstream. + +We don't really need clear the skb's status area nor store the +dev_cmd into it until we really commit to the frame by handing +it to the transport - defer those operations until just before +we do that. + +This doesn't entirely fix the bug with frames not getting sent +out after having been deferred due to DQA, because it doesn't +restore the info->driver_data[0] place that was already set to +zero (or another value) by the A-MSDU logic. + +Fixes: 24afba7690e4 ("iwlwifi: mvm: support bss dynamic alloc/dealloc of queues") +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -459,7 +459,6 @@ iwl_mvm_set_tx_params(struct iwl_mvm *mv + struct ieee80211_sta *sta, u8 sta_id) + { + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; +- struct ieee80211_tx_info *skb_info = IEEE80211_SKB_CB(skb); + struct iwl_device_cmd *dev_cmd; + struct iwl_tx_cmd *tx_cmd; + +@@ -479,12 +478,18 @@ iwl_mvm_set_tx_params(struct iwl_mvm *mv + + iwl_mvm_set_tx_cmd_rate(mvm, tx_cmd, info, sta, hdr->frame_control); + ++ return dev_cmd; ++} ++ ++static void iwl_mvm_skb_prepare_status(struct sk_buff *skb, ++ struct iwl_device_cmd *cmd) ++{ ++ struct ieee80211_tx_info *skb_info = IEEE80211_SKB_CB(skb); ++ + memset(&skb_info->status, 0, sizeof(skb_info->status)); + memset(skb_info->driver_data, 0, sizeof(skb_info->driver_data)); + +- skb_info->driver_data[1] = dev_cmd; +- +- return dev_cmd; ++ skb_info->driver_data[1] = cmd; + } + + static int iwl_mvm_get_ctrl_vif_queue(struct iwl_mvm *mvm, +@@ -598,6 +603,9 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv + if (!dev_cmd) + return -1; + ++ /* From now on, we cannot access info->control */ ++ iwl_mvm_skb_prepare_status(skb, dev_cmd); ++ + tx_cmd = (struct iwl_tx_cmd *)dev_cmd->payload; + + /* Copy MAC header from skb into command buffer */ +@@ -908,7 +916,6 @@ static int iwl_mvm_tx_mpdu(struct iwl_mv + goto drop; + + tx_cmd = (struct iwl_tx_cmd *)dev_cmd->payload; +- /* From now on, we cannot access info->control */ + + /* + * we handle that entirely ourselves -- for uAPSD the firmware +@@ -1015,6 +1022,9 @@ static int iwl_mvm_tx_mpdu(struct iwl_mv + IWL_DEBUG_TX(mvm, "TX to [%d|%d] Q:%d - seq: 0x%x\n", mvmsta->sta_id, + tid, txq_id, IEEE80211_SEQ_TO_SN(seq_number)); + ++ /* From now on, we cannot access info->control */ ++ iwl_mvm_skb_prepare_status(skb, dev_cmd); ++ + if (iwl_trans_tx(mvm->trans, skb, dev_cmd, txq_id)) + goto drop_unlock_sta; + diff --git a/queue-4.9/iwlwifi-mvm-pcie-adjust-a-msdu-tx_cmd-length-in-pcie.patch b/queue-4.9/iwlwifi-mvm-pcie-adjust-a-msdu-tx_cmd-length-in-pcie.patch new file mode 100644 index 00000000000..642d759a289 --- /dev/null +++ b/queue-4.9/iwlwifi-mvm-pcie-adjust-a-msdu-tx_cmd-length-in-pcie.patch @@ -0,0 +1,199 @@ +From 05e5a7e58d3f8f597ebe6f78aaa13a2656b78239 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 2 Dec 2016 10:04:49 +0100 +Subject: iwlwifi: mvm/pcie: adjust A-MSDU tx_cmd length in PCIe + +From: Johannes Berg + +commit 05e5a7e58d3f8f597ebe6f78aaa13a2656b78239 upstream. + +Instead of setting the tx_cmd length in the mvm code, which is +complicated by the fact that DQA may want to temporarily store +the SKB on the side, adjust the length in the PCIe code which +also knows about this since it's responsible for duplicating +all those headers that are account for in this code. + +As the PCIe code already relies on the tx_cmd->len field, this +doesn't really introduce any new dependencies. + +To make this possible we need to move the memcpy() of the TX +command until after it was updated. + +This does even simplify the code though, since the PCIe code +already does a lot of manipulations to build A-MSDUs correctly +and changing the length becomes a simple operation to see how +much was added/removed, rather than predicting it. + +Fixes: 24afba7690e4 ("iwlwifi: mvm: support bss dynamic alloc/dealloc of queues") +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 38 ++------------------------- + drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 23 +++++++++++++--- + 2 files changed, 22 insertions(+), 39 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -202,7 +202,6 @@ void iwl_mvm_set_tx_cmd(struct iwl_mvm * + struct iwl_tx_cmd *tx_cmd, + struct ieee80211_tx_info *info, u8 sta_id) + { +- struct ieee80211_tx_info *skb_info = IEEE80211_SKB_CB(skb); + struct ieee80211_hdr *hdr = (void *)skb->data; + __le16 fc = hdr->frame_control; + u32 tx_flags = le32_to_cpu(tx_cmd->tx_flags); +@@ -284,9 +283,8 @@ void iwl_mvm_set_tx_cmd(struct iwl_mvm * + tx_flags |= TX_CMD_FLG_WRITE_TX_POWER; + + tx_cmd->tx_flags = cpu_to_le32(tx_flags); +- /* Total # bytes to be transmitted */ +- tx_cmd->len = cpu_to_le16((u16)skb->len + +- (uintptr_t)skb_info->driver_data[0]); ++ /* Total # bytes to be transmitted - PCIe code will adjust for A-MSDU */ ++ tx_cmd->len = cpu_to_le16((u16)skb->len); + tx_cmd->life_time = cpu_to_le32(TX_CMD_LIFE_TIME_INFINITE); + tx_cmd->sta_id = sta_id; + +@@ -555,9 +553,6 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv + info.hw_queue != info.control.vif->cab_queue))) + return -1; + +- /* This holds the amsdu headers length */ +- skb_info->driver_data[0] = (void *)(uintptr_t)0; +- + queue = info.hw_queue; + + /* +@@ -644,7 +639,7 @@ static int iwl_mvm_tx_tso(struct iwl_mvm + unsigned int num_subframes, tcp_payload_len, subf_len, max_amsdu_len; + bool ipv4 = (skb->protocol == htons(ETH_P_IP)); + u16 ip_base_id = ipv4 ? ntohs(ip_hdr(skb)->id) : 0; +- u16 amsdu_add, snap_ip_tcp, pad, i = 0; ++ u16 snap_ip_tcp, pad, i = 0; + unsigned int dbg_max_amsdu_len; + netdev_features_t netdev_features = NETIF_F_CSUM_MASK | NETIF_F_SG; + u8 *qc, tid, txf; +@@ -746,21 +741,6 @@ static int iwl_mvm_tx_tso(struct iwl_mvm + + /* This skb fits in one single A-MSDU */ + if (num_subframes * mss >= tcp_payload_len) { +- struct ieee80211_tx_info *skb_info = IEEE80211_SKB_CB(skb); +- +- /* +- * Compute the length of all the data added for the A-MSDU. +- * This will be used to compute the length to write in the TX +- * command. We have: SNAP + IP + TCP for n -1 subframes and +- * ETH header for n subframes. Note that the original skb +- * already had one set of SNAP / IP / TCP headers. +- */ +- num_subframes = DIV_ROUND_UP(tcp_payload_len, mss); +- amsdu_add = num_subframes * sizeof(struct ethhdr) + +- (num_subframes - 1) * (snap_ip_tcp + pad); +- /* This holds the amsdu headers length */ +- skb_info->driver_data[0] = (void *)(uintptr_t)amsdu_add; +- + __skb_queue_tail(mpdus_skb, skb); + return 0; + } +@@ -799,14 +779,6 @@ segment: + ip_hdr(tmp)->id = htons(ip_base_id + i * num_subframes); + + if (tcp_payload_len > mss) { +- struct ieee80211_tx_info *skb_info = +- IEEE80211_SKB_CB(tmp); +- +- num_subframes = DIV_ROUND_UP(tcp_payload_len, mss); +- amsdu_add = num_subframes * sizeof(struct ethhdr) + +- (num_subframes - 1) * (snap_ip_tcp + pad); +- skb_info->driver_data[0] = +- (void *)(uintptr_t)amsdu_add; + skb_shinfo(tmp)->gso_size = mss; + } else { + qc = ieee80211_get_qos_ctl((void *)tmp->data); +@@ -1052,7 +1024,6 @@ int iwl_mvm_tx_skb(struct iwl_mvm *mvm, + struct ieee80211_sta *sta) + { + struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta); +- struct ieee80211_tx_info *skb_info = IEEE80211_SKB_CB(skb); + struct ieee80211_tx_info info; + struct sk_buff_head mpdus_skbs; + unsigned int payload_len; +@@ -1066,9 +1037,6 @@ int iwl_mvm_tx_skb(struct iwl_mvm *mvm, + + memcpy(&info, skb->cb, sizeof(info)); + +- /* This holds the amsdu headers length */ +- skb_info->driver_data[0] = (void *)(uintptr_t)0; +- + if (!skb_is_gso(skb)) + return iwl_mvm_tx_mpdu(mvm, skb, &info, sta); + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c +@@ -2096,6 +2096,7 @@ static int iwl_fill_data_tbs_amsdu(struc + struct iwl_cmd_meta *out_meta, + struct iwl_device_cmd *dev_cmd, u16 tb1_len) + { ++ struct iwl_tx_cmd *tx_cmd = (void *)dev_cmd->payload; + struct iwl_trans_pcie *trans_pcie = txq->trans_pcie; + struct ieee80211_hdr *hdr = (void *)skb->data; + unsigned int snap_ip_tcp_hdrlen, ip_hdrlen, total_len, hdr_room; +@@ -2145,6 +2146,13 @@ static int iwl_fill_data_tbs_amsdu(struc + */ + skb_pull(skb, hdr_len + iv_len); + ++ /* ++ * Remove the length of all the headers that we don't actually ++ * have in the MPDU by themselves, but that we duplicate into ++ * all the different MSDUs inside the A-MSDU. ++ */ ++ le16_add_cpu(&tx_cmd->len, -snap_ip_tcp_hdrlen); ++ + tso_start(skb, &tso); + + while (total_len) { +@@ -2155,7 +2163,7 @@ static int iwl_fill_data_tbs_amsdu(struc + unsigned int hdr_tb_len; + dma_addr_t hdr_tb_phys; + struct tcphdr *tcph; +- u8 *iph; ++ u8 *iph, *subf_hdrs_start = hdr_page->pos; + + total_len -= data_left; + +@@ -2216,6 +2224,8 @@ static int iwl_fill_data_tbs_amsdu(struc + hdr_tb_len, false); + trace_iwlwifi_dev_tx_tso_chunk(trans->dev, start_hdr, + hdr_tb_len); ++ /* add this subframe's headers' length to the tx_cmd */ ++ le16_add_cpu(&tx_cmd->len, hdr_page->pos - subf_hdrs_start); + + /* prepare the start_hdr for the next subframe */ + start_hdr = hdr_page->pos; +@@ -2408,9 +2418,10 @@ int iwl_trans_pcie_tx(struct iwl_trans * + tb1_len = len; + } + +- /* The first TB points to bi-directional DMA data */ +- memcpy(&txq->first_tb_bufs[txq->write_ptr], &dev_cmd->hdr, +- IWL_FIRST_TB_SIZE); ++ /* ++ * The first TB points to bi-directional DMA data, we'll ++ * memcpy the data into it later. ++ */ + iwl_pcie_txq_build_tfd(trans, txq, tb0_phys, + IWL_FIRST_TB_SIZE, true); + +@@ -2434,6 +2445,10 @@ int iwl_trans_pcie_tx(struct iwl_trans * + goto out_err; + } + ++ /* building the A-MSDU might have changed this data, so memcpy it now */ ++ memcpy(&txq->first_tb_bufs[txq->write_ptr], &dev_cmd->hdr, ++ IWL_FIRST_TB_SIZE); ++ + tfd = iwl_pcie_get_tfd(trans_pcie, txq, txq->write_ptr); + /* Set up entry for this TFD in Tx byte-count array */ + iwl_pcie_txq_update_byte_cnt_tbl(trans, txq, le16_to_cpu(tx_cmd->len), diff --git a/queue-4.9/iwlwifi-mvm-synchronize-firmware-dma-paging-memory.patch b/queue-4.9/iwlwifi-mvm-synchronize-firmware-dma-paging-memory.patch new file mode 100644 index 00000000000..e8a74d8fd83 --- /dev/null +++ b/queue-4.9/iwlwifi-mvm-synchronize-firmware-dma-paging-memory.patch @@ -0,0 +1,96 @@ +From 4b70f07686d75d1eb5d956812cc810944e0b29b2 Mon Sep 17 00:00:00 2001 +From: Sara Sharon +Date: Wed, 30 Nov 2016 16:49:11 +0200 +Subject: iwlwifi: mvm: synchronize firmware DMA paging memory + +From: Sara Sharon + +commit 4b70f07686d75d1eb5d956812cc810944e0b29b2 upstream. + +When driver needs to access the contents of a streaming DMA buffer +without unmapping it it should call dma_sync_single_for_cpu(). +Once the call has been made, the CPU "owns" the DMA buffer and can +work with it as needed. +Before the device accesses the buffer, however, ownership should be +transferred back to it with dma_sync_single_for_device(). +Both calls weren't performed by the driver, resulting with odd paging +errors on some platforms. Fix it. + +Fixes: a6c4fb4441f4 ("iwlwifi: mvm: Add FW paging mechanism for the UMAC on PCI") +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw-dbg.c | 4 ++++ + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 23 ++++++++++++++++++++--- + 2 files changed, 24 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw-dbg.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw-dbg.c +@@ -784,12 +784,16 @@ void iwl_mvm_fw_error_dump(struct iwl_mv + struct iwl_fw_error_dump_paging *paging; + struct page *pages = + mvm->fw_paging_db[i].fw_paging_block; ++ dma_addr_t addr = mvm->fw_paging_db[i].fw_paging_phys; + + dump_data->type = cpu_to_le32(IWL_FW_ERROR_DUMP_PAGING); + dump_data->len = cpu_to_le32(sizeof(*paging) + + PAGING_BLOCK_SIZE); + paging = (void *)dump_data->data; + paging->index = cpu_to_le32(i); ++ dma_sync_single_for_cpu(mvm->trans->dev, addr, ++ PAGING_BLOCK_SIZE, ++ DMA_BIDIRECTIONAL); + memcpy(paging->data, page_address(pages), + PAGING_BLOCK_SIZE); + dump_data = iwl_fw_error_next_data(dump_data); +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -214,6 +214,10 @@ static int iwl_fill_paging_mem(struct iw + memcpy(page_address(mvm->fw_paging_db[0].fw_paging_block), + image->sec[sec_idx].data, + mvm->fw_paging_db[0].fw_paging_size); ++ dma_sync_single_for_device(mvm->trans->dev, ++ mvm->fw_paging_db[0].fw_paging_phys, ++ mvm->fw_paging_db[0].fw_paging_size, ++ DMA_BIDIRECTIONAL); + + IWL_DEBUG_FW(mvm, + "Paging: copied %d CSS bytes to first block\n", +@@ -228,9 +232,16 @@ static int iwl_fill_paging_mem(struct iw + * loop stop at num_of_paging_blk since that last block is not full. + */ + for (idx = 1; idx < mvm->num_of_paging_blk; idx++) { +- memcpy(page_address(mvm->fw_paging_db[idx].fw_paging_block), ++ struct iwl_fw_paging *block = &mvm->fw_paging_db[idx]; ++ ++ memcpy(page_address(block->fw_paging_block), + image->sec[sec_idx].data + offset, +- mvm->fw_paging_db[idx].fw_paging_size); ++ block->fw_paging_size); ++ dma_sync_single_for_device(mvm->trans->dev, ++ block->fw_paging_phys, ++ block->fw_paging_size, ++ DMA_BIDIRECTIONAL); ++ + + IWL_DEBUG_FW(mvm, + "Paging: copied %d paging bytes to block %d\n", +@@ -242,9 +253,15 @@ static int iwl_fill_paging_mem(struct iw + + /* copy the last paging block */ + if (mvm->num_of_pages_in_last_blk > 0) { +- memcpy(page_address(mvm->fw_paging_db[idx].fw_paging_block), ++ struct iwl_fw_paging *block = &mvm->fw_paging_db[idx]; ++ ++ memcpy(page_address(block->fw_paging_block), + image->sec[sec_idx].data + offset, + FW_PAGING_SIZE * mvm->num_of_pages_in_last_blk); ++ dma_sync_single_for_device(mvm->trans->dev, ++ block->fw_paging_phys, ++ block->fw_paging_size, ++ DMA_BIDIRECTIONAL); + + IWL_DEBUG_FW(mvm, + "Paging: copied %d pages in the last block %d\n", diff --git a/queue-4.9/iwlwifi-mvm-use-aux-queue-for-offchannel-frames-in-dqa.patch b/queue-4.9/iwlwifi-mvm-use-aux-queue-for-offchannel-frames-in-dqa.patch new file mode 100644 index 00000000000..0ed6f2c316f --- /dev/null +++ b/queue-4.9/iwlwifi-mvm-use-aux-queue-for-offchannel-frames-in-dqa.patch @@ -0,0 +1,49 @@ +From 6574dc943fc32a2fce69fab14891abca7eecb67c Mon Sep 17 00:00:00 2001 +From: Beni Lev +Date: Thu, 17 Nov 2016 14:03:17 +0200 +Subject: iwlwifi: mvm: Use aux queue for offchannel frames in dqa + +From: Beni Lev + +commit 6574dc943fc32a2fce69fab14891abca7eecb67c upstream. + +Since offchannel activity doesn't always require a BSS, e.g. ANQP +sessions, offchannel frames should not use the BSS queue, because it +might not be initialized. +Use the auxilary queue instead + +Fixes: e3118ad74d7e ("iwlwifi: mvm: support tdls in dqa mode") +Signed-off-by: Beni Lev +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -568,9 +568,10 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv + * (this is not possible for unicast packets as a TLDS discovery + * response are sent without a station entry); otherwise use the + * AUX station. +- * In DQA mode, if vif is of type STATION and frames are not multicast, +- * they should be sent from the BSS queue. For example, TDLS setup +- * frames should be sent on this queue, as they go through the AP. ++ * In DQA mode, if vif is of type STATION and frames are not multicast ++ * or offchannel, they should be sent from the BSS queue. ++ * For example, TDLS setup frames should be sent on this queue, ++ * as they go through the AP. + */ + sta_id = mvm->aux_sta.sta_id; + if (info.control.vif) { +@@ -592,7 +593,8 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv + if (ap_sta_id != IWL_MVM_STATION_COUNT) + sta_id = ap_sta_id; + } else if (iwl_mvm_is_dqa_supported(mvm) && +- info.control.vif->type == NL80211_IFTYPE_STATION) { ++ info.control.vif->type == NL80211_IFTYPE_STATION && ++ queue != mvm->aux_queue) { + queue = IWL_MVM_DQA_BSS_CLIENT_QUEUE; + } + } diff --git a/queue-4.9/iwlwifi-mvm-writing-zero-bytes-to-debugfs-causes-a-crash.patch b/queue-4.9/iwlwifi-mvm-writing-zero-bytes-to-debugfs-causes-a-crash.patch new file mode 100644 index 00000000000..b9378b0a561 --- /dev/null +++ b/queue-4.9/iwlwifi-mvm-writing-zero-bytes-to-debugfs-causes-a-crash.patch @@ -0,0 +1,37 @@ +From 251fe09f13bfb54c1ede66ee8bf8ddd0061c4f7c Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 23 Mar 2017 13:40:00 +0300 +Subject: iwlwifi: mvm: writing zero bytes to debugfs causes a crash + +From: Dan Carpenter + +commit 251fe09f13bfb54c1ede66ee8bf8ddd0061c4f7c upstream. + +This is a static analysis fix. The warning is: + + drivers/net/wireless/intel/iwlwifi/mvm/fw-dbg.c:912 iwl_mvm_fw_dbg_collect() + warn: integer overflows 'sizeof(*desc) + len' + +I guess this code is supposed to take a NUL character, but if we write +zero bytes then it tries to write -1 characters and crashes. + +Fixes: c91b865cb14d ("iwlwifi: mvm: support description for user triggered fw dbg collection") +Signed-off-by: Dan Carpenter +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c +@@ -1056,6 +1056,8 @@ static ssize_t iwl_dbgfs_fw_dbg_collect_ + + if (ret) + return ret; ++ if (count == 0) ++ return 0; + + iwl_mvm_fw_dbg_collect(mvm, FW_DBG_TRIGGER_USER, buf, + (count - 1), NULL); diff --git a/queue-4.9/iwlwifi-pcie-don-t-increment-decrement-a-bool.patch b/queue-4.9/iwlwifi-pcie-don-t-increment-decrement-a-bool.patch new file mode 100644 index 00000000000..4f64dd53b30 --- /dev/null +++ b/queue-4.9/iwlwifi-pcie-don-t-increment-decrement-a-bool.patch @@ -0,0 +1,35 @@ +From 04fa3e680b4dd2fdd11d0152fb9b6067e7aac140 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Sat, 7 Jan 2017 20:11:47 +0200 +Subject: iwlwifi: pcie: don't increment / decrement a bool + +From: Emmanuel Grumbach + +commit 04fa3e680b4dd2fdd11d0152fb9b6067e7aac140 upstream. + +David reported that the code I added uses the decrement +and increment operator on a boolean variable. + +Fix that. + +Fixes: 0cd58eaab148 ("iwlwifi: pcie: allow the op_mode to block the tx queues") +Reported-by: David Binderman +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/pcie/internal.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/internal.h ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/internal.h +@@ -279,7 +279,7 @@ struct iwl_txq { + bool frozen; + u8 active; + bool ampdu; +- bool block; ++ int block; + unsigned long wd_timeout; + struct sk_buff_head overflow_q; + diff --git a/queue-4.9/iwlwifi-pcie-fix-the-set-of-dma-memory-mask.patch b/queue-4.9/iwlwifi-pcie-fix-the-set-of-dma-memory-mask.patch new file mode 100644 index 00000000000..65d4d38b7ee --- /dev/null +++ b/queue-4.9/iwlwifi-pcie-fix-the-set-of-dma-memory-mask.patch @@ -0,0 +1,45 @@ +From 2c6262b754f3c3338cb40b23880a3ac1f4693b25 Mon Sep 17 00:00:00 2001 +From: Sara Sharon +Date: Wed, 7 Dec 2016 12:22:11 +0200 +Subject: iwlwifi: pcie: fix the set of DMA memory mask + +From: Sara Sharon + +commit 2c6262b754f3c3338cb40b23880a3ac1f4693b25 upstream. + +Our 9000 device supports 64 bit DMA address for RX only, and +not for TX. +Setting DMA mask to 64 for the whole device is erroneous - we +can do it only for a000 devices where device is capable of +both RX & TX DMA with 64 bit address space. + +Fixes: 96a6497bc3ed ("iwlwifi: pcie: add 9000 series multi queue rx DMA support") +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +@@ -2929,16 +2929,12 @@ struct iwl_trans *iwl_trans_pcie_alloc(s + PCIE_LINK_STATE_CLKPM); + } + +- if (cfg->mq_rx_supported) +- addr_size = 64; +- else +- addr_size = 36; +- + if (cfg->use_tfh) { ++ addr_size = 64; + trans_pcie->max_tbs = IWL_TFH_NUM_TBS; + trans_pcie->tfd_size = sizeof(struct iwl_tfh_tfd); +- + } else { ++ addr_size = 36; + trans_pcie->max_tbs = IWL_NUM_OF_TBS; + trans_pcie->tfd_size = sizeof(struct iwl_tfd); + } diff --git a/queue-4.9/iwlwifi-pcie-trans-remove-unused-shift_param.patch b/queue-4.9/iwlwifi-pcie-trans-remove-unused-shift_param.patch new file mode 100644 index 00000000000..e0dd0fc4893 --- /dev/null +++ b/queue-4.9/iwlwifi-pcie-trans-remove-unused-shift_param.patch @@ -0,0 +1,61 @@ +From 3ce4a03852d6dd3fd28c2fb2ee9f89bb9ccf9a9b Mon Sep 17 00:00:00 2001 +From: Kirtika Ruchandani +Date: Tue, 8 Nov 2016 21:50:48 -0800 +Subject: iwlwifi: pcie: trans: Remove unused 'shift_param' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kirtika Ruchandani + +commit 3ce4a03852d6dd3fd28c2fb2ee9f89bb9ccf9a9b upstream. + +shift_param is defined and set in iwl_pcie_load_cpu_sections but not +used. Fix this to avoid -Wunused-but-set-variable warning. + +The code using it turned into dead code with commit dcab8ecd5617 +("iwlwifi: mvm: support ucode load for family_8000 B0 only") which +added a separate function iwl_pcie_load_given_ucode_8000 (then 8000b) +for IWL_DEVICE_FAMILY_8000. Commit 76f8c0e17edc ("iwlwifi: pcie: +remove dead code") removed the dead code but left shift_param as is. + +iwlwifi/pcie/trans.c: In function ‘iwl_pcie_load_cpu_sections’: +iwlwifi/pcie/trans.c:871:6: warning: variable ‘shift_param’ set but not used [-Wunused-but-set-variable] + +Fixes: dcab8ecd5617 ("iwlwifi: mvm: support ucode load for family_8000 B0 only") +Fixes: 76f8c0e17edc ("iwlwifi: pcie: remove dead code") +Signed-off-by: Kirtika Ruchandani +Cc: Sara Sharon +Cc: Luca Coelho +Cc: Liad Kaufman +Cc: Emmanuel Grumbach +[removed some unnecessary braces] +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +@@ -868,17 +868,13 @@ static int iwl_pcie_load_cpu_sections(st + int cpu, + int *first_ucode_section) + { +- int shift_param; + int i, ret = 0; + u32 last_read_idx = 0; + +- if (cpu == 1) { +- shift_param = 0; ++ if (cpu == 1) + *first_ucode_section = 0; +- } else { +- shift_param = 16; ++ else + (*first_ucode_section)++; +- } + + for (i = *first_ucode_section; i < IWL_UCODE_SECTION_MAX; i++) { + last_read_idx = i; diff --git a/queue-4.9/kprobes-x86-fix-kernel-panic-when-certain-exception-handling-addresses-are-probed.patch b/queue-4.9/kprobes-x86-fix-kernel-panic-when-certain-exception-handling-addresses-are-probed.patch new file mode 100644 index 00000000000..48e35c0ac28 --- /dev/null +++ b/queue-4.9/kprobes-x86-fix-kernel-panic-when-certain-exception-handling-addresses-are-probed.patch @@ -0,0 +1,87 @@ +From 75013fb16f8484898eaa8d0b08fed942d790f029 Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Wed, 1 Mar 2017 01:23:24 +0900 +Subject: kprobes/x86: Fix kernel panic when certain exception-handling addresses are probed + +From: Masami Hiramatsu + +commit 75013fb16f8484898eaa8d0b08fed942d790f029 upstream. + +Fix to the exception table entry check by using probed address +instead of the address of copied instruction. + +This bug may cause unexpected kernel panic if user probe an address +where an exception can happen which should be fixup by __ex_table +(e.g. copy_from_user.) + +Unless user puts a kprobe on such address, this doesn't +cause any problem. + +This bug has been introduced years ago, by commit: + + 464846888d9a ("x86/kprobes: Fix a bug which can modify kernel code permanently"). + +Signed-off-by: Masami Hiramatsu +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 464846888d9a ("x86/kprobes: Fix a bug which can modify kernel code permanently") +Link: http://lkml.kernel.org/r/148829899399.28855.12581062400757221722.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/kprobes/common.h | 2 +- + arch/x86/kernel/kprobes/core.c | 6 +++--- + arch/x86/kernel/kprobes/opt.c | 2 +- + 3 files changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/x86/kernel/kprobes/common.h ++++ b/arch/x86/kernel/kprobes/common.h +@@ -67,7 +67,7 @@ + #endif + + /* Ensure if the instruction can be boostable */ +-extern int can_boost(kprobe_opcode_t *instruction); ++extern int can_boost(kprobe_opcode_t *instruction, void *addr); + /* Recover instruction if given address is probed */ + extern unsigned long recover_probed_instruction(kprobe_opcode_t *buf, + unsigned long addr); +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -166,12 +166,12 @@ NOKPROBE_SYMBOL(skip_prefixes); + * Returns non-zero if opcode is boostable. + * RIP relative instructions are adjusted at copying time in 64 bits mode + */ +-int can_boost(kprobe_opcode_t *opcodes) ++int can_boost(kprobe_opcode_t *opcodes, void *addr) + { + kprobe_opcode_t opcode; + kprobe_opcode_t *orig_opcodes = opcodes; + +- if (search_exception_tables((unsigned long)opcodes)) ++ if (search_exception_tables((unsigned long)addr)) + return 0; /* Page fault may occur on this address. */ + + retry: +@@ -416,7 +416,7 @@ static int arch_copy_kprobe(struct kprob + * __copy_instruction can modify the displacement of the instruction, + * but it doesn't affect boostable check. + */ +- if (can_boost(p->ainsn.insn)) ++ if (can_boost(p->ainsn.insn, p->addr)) + p->ainsn.boostable = 0; + else + p->ainsn.boostable = -1; +--- a/arch/x86/kernel/kprobes/opt.c ++++ b/arch/x86/kernel/kprobes/opt.c +@@ -178,7 +178,7 @@ static int copy_optimized_instructions(u + + while (len < RELATIVEJUMP_SIZE) { + ret = __copy_instruction(dest + len, src + len); +- if (!ret || !can_boost(dest + len)) ++ if (!ret || !can_boost(dest + len, src + len)) + return -EINVAL; + len += ret; + } diff --git a/queue-4.9/kvm-nvmx-do-not-leak-pml-full-vmexit-to-l1.patch b/queue-4.9/kvm-nvmx-do-not-leak-pml-full-vmexit-to-l1.patch new file mode 100644 index 00000000000..b6ffe5e7c25 --- /dev/null +++ b/queue-4.9/kvm-nvmx-do-not-leak-pml-full-vmexit-to-l1.patch @@ -0,0 +1,40 @@ +From ab007cc94ff9d82f5a8db8363b3becbd946e58cf Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Fri, 31 Mar 2017 10:19:26 +0200 +Subject: KVM: nVMX: do not leak PML full vmexit to L1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ladi Prosek + +commit ab007cc94ff9d82f5a8db8363b3becbd946e58cf upstream. + +The PML feature is not exposed to guests so we should not be forwarding +the vmexit either. + +This commit fixes BSOD 0x20001 (HYPERVISOR_ERROR) when running Hyper-V +enabled Windows Server 2016 in L1 on hardware that supports PML. + +Fixes: 843e4330573c ("KVM: VMX: Add PML support in VMX") +Signed-off-by: Ladi Prosek +Reviewed-by: David Hildenbrand +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -8135,6 +8135,9 @@ static bool nested_vmx_exit_handled(stru + return nested_cpu_has2(vmcs12, SECONDARY_EXEC_XSAVES); + case EXIT_REASON_PREEMPTION_TIMER: + return false; ++ case EXIT_REASON_PML_FULL: ++ /* We don't expose PML support to L1. */ ++ return false; + default: + return true; + } diff --git a/queue-4.9/kvm-nvmx-initialize-pml-fields-in-vmcs02.patch b/queue-4.9/kvm-nvmx-initialize-pml-fields-in-vmcs02.patch new file mode 100644 index 00000000000..46e15f5c4de --- /dev/null +++ b/queue-4.9/kvm-nvmx-initialize-pml-fields-in-vmcs02.patch @@ -0,0 +1,46 @@ +From 1fb883bb827ee8efc1cc9ea0154f953f8a219d38 Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Tue, 4 Apr 2017 14:18:53 +0200 +Subject: KVM: nVMX: initialize PML fields in vmcs02 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ladi Prosek + +commit 1fb883bb827ee8efc1cc9ea0154f953f8a219d38 upstream. + +L2 was running with uninitialized PML fields which led to incomplete +dirty bitmap logging. This manifested as all kinds of subtle erratic +behavior of the nested guest. + +Fixes: 843e4330573c ("KVM: VMX: Add PML support in VMX") +Signed-off-by: Ladi Prosek +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -10071,6 +10071,18 @@ static void prepare_vmcs02(struct kvm_vc + + } + ++ if (enable_pml) { ++ /* ++ * Conceptually we want to copy the PML address and index from ++ * vmcs01 here, and then back to vmcs01 on nested vmexit. But, ++ * since we always flush the log on each vmexit, this happens ++ * to be equivalent to simply resetting the fields in vmcs02. ++ */ ++ ASSERT(vmx->pml_pg); ++ vmcs_write64(PML_ADDRESS, page_to_phys(vmx->pml_pg)); ++ vmcs_write16(GUEST_PML_INDEX, PML_ENTITY_NUM - 1); ++ } ++ + if (nested_cpu_has_ept(vmcs12)) { + kvm_mmu_unload(vcpu); + nested_ept_init_mmu_context(vcpu); diff --git a/queue-4.9/leds-ktd2692-avoid-harmless-maybe-uninitialized-warning.patch b/queue-4.9/leds-ktd2692-avoid-harmless-maybe-uninitialized-warning.patch new file mode 100644 index 00000000000..174dd8cffe5 --- /dev/null +++ b/queue-4.9/leds-ktd2692-avoid-harmless-maybe-uninitialized-warning.patch @@ -0,0 +1,52 @@ +From cbe99c538d1776009e8710755bb6e726f7fffa9b Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 25 Jan 2017 23:22:36 +0100 +Subject: leds: ktd2692: avoid harmless maybe-uninitialized warning + +From: Arnd Bergmann + +commit cbe99c538d1776009e8710755bb6e726f7fffa9b upstream. + +gcc gets confused about the control flow in ktd2692_parse_dt(), causing +it to warn about what seems like a potential bug: + +drivers/leds/leds-ktd2692.c: In function 'ktd2692_probe': +drivers/leds/leds-ktd2692.c:244:15: error: '*((void *)&led_cfg+8)' may be used uninitialized in this function [-Werror=maybe-uninitialized] +drivers/leds/leds-ktd2692.c:225:7: error: 'led_cfg.flash_max_microamp' may be used uninitialized in this function [-Werror=maybe-uninitialized] +drivers/leds/leds-ktd2692.c:232:3: error: 'led_cfg.movie_max_microamp' may be used uninitialized in this function [-Werror=maybe-uninitialized] + +The code is fine, and slightly reworking it in an equivalent way lets +gcc figure that out too, which gets rid of the warning. + +Fixes: 77e7915b15bb ("leds: ktd2692: Add missing of_node_put") +Signed-off-by: Arnd Bergmann +Acked-by: Pavel Machek +Signed-off-by: Jacek Anaszewski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/leds/leds-ktd2692.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/leds/leds-ktd2692.c ++++ b/drivers/leds/leds-ktd2692.c +@@ -270,15 +270,15 @@ static int ktd2692_parse_dt(struct ktd26 + return -ENXIO; + + led->ctrl_gpio = devm_gpiod_get(dev, "ctrl", GPIOD_ASIS); +- if (IS_ERR(led->ctrl_gpio)) { +- ret = PTR_ERR(led->ctrl_gpio); ++ ret = PTR_ERR_OR_ZERO(led->ctrl_gpio); ++ if (ret) { + dev_err(dev, "cannot get ctrl-gpios %d\n", ret); + return ret; + } + + led->aux_gpio = devm_gpiod_get(dev, "aux", GPIOD_ASIS); +- if (IS_ERR(led->aux_gpio)) { +- ret = PTR_ERR(led->aux_gpio); ++ ret = PTR_ERR_OR_ZERO(led->aux_gpio); ++ if (ret) { + dev_err(dev, "cannot get aux-gpios %d\n", ret); + return ret; + } diff --git a/queue-4.9/mips-r2-on-r6-multu-maddu-msubu-emulation-bugfix.patch b/queue-4.9/mips-r2-on-r6-multu-maddu-msubu-emulation-bugfix.patch new file mode 100644 index 00000000000..c6a810e5869 --- /dev/null +++ b/queue-4.9/mips-r2-on-r6-multu-maddu-msubu-emulation-bugfix.patch @@ -0,0 +1,68 @@ +From d65e5677ad5b3a49c43f60ec07644dc1f87bbd2e Mon Sep 17 00:00:00 2001 +From: Leonid Yegoshin +Date: Thu, 25 Aug 2016 10:37:38 -0700 +Subject: MIPS: R2-on-R6 MULTU/MADDU/MSUBU emulation bugfix + +From: Leonid Yegoshin + +commit d65e5677ad5b3a49c43f60ec07644dc1f87bbd2e upstream. + +MIPS instructions MULTU, MADDU and MSUBU emulation requires registers HI/LO +to be converted to signed 32bits before 64bit sign extension on MIPS64. + +Bug was found on running MIPS32 R2 test application on MIPS64 R6 kernel. + +Fixes: b0a668fb2038 ("MIPS: kernel: mips-r2-to-r6-emul: Add R2 emulator for MIPS R6") +Signed-off-by: Leonid Yegoshin +Reported-by: Nikola.Veljkovic@imgtec.com +Cc: paul.burton@imgtec.com +Cc: yamada.masahiro@socionext.com +Cc: akpm@linux-foundation.org +Cc: andrea.gelmini@gelma.net +Cc: macro@imgtec.com +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/14043/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/mips-r2-to-r6-emul.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/mips/kernel/mips-r2-to-r6-emul.c ++++ b/arch/mips/kernel/mips-r2-to-r6-emul.c +@@ -433,8 +433,8 @@ static int multu_func(struct pt_regs *re + rs = regs->regs[MIPSInst_RS(ir)]; + res = (u64)rt * (u64)rs; + rt = res; +- regs->lo = (s64)rt; +- regs->hi = (s64)(res >> 32); ++ regs->lo = (s64)(s32)rt; ++ regs->hi = (s64)(s32)(res >> 32); + + MIPS_R2_STATS(muls); + +@@ -670,9 +670,9 @@ static int maddu_func(struct pt_regs *re + res += ((((s64)rt) << 32) | (u32)rs); + + rt = res; +- regs->lo = (s64)rt; ++ regs->lo = (s64)(s32)rt; + rs = res >> 32; +- regs->hi = (s64)rs; ++ regs->hi = (s64)(s32)rs; + + MIPS_R2_STATS(dsps); + +@@ -728,9 +728,9 @@ static int msubu_func(struct pt_regs *re + res = ((((s64)rt) << 32) | (u32)rs) - res; + + rt = res; +- regs->lo = (s64)rt; ++ regs->lo = (s64)(s32)rt; + rs = res >> 32; +- regs->hi = (s64)rs; ++ regs->hi = (s64)(s32)rs; + + MIPS_R2_STATS(dsps); + diff --git a/queue-4.9/mwifiex-avoid-skipping-wep-key-deletion-for-ap.patch b/queue-4.9/mwifiex-avoid-skipping-wep-key-deletion-for-ap.patch new file mode 100644 index 00000000000..381bbebea0a --- /dev/null +++ b/queue-4.9/mwifiex-avoid-skipping-wep-key-deletion-for-ap.patch @@ -0,0 +1,38 @@ +From a5b60de6972decc6b50a39abb376077c3c3621c8 Mon Sep 17 00:00:00 2001 +From: Ganapathi Bhat +Date: Fri, 3 Feb 2017 18:30:22 +0530 +Subject: mwifiex: Avoid skipping WEP key deletion for AP + +From: Ganapathi Bhat + +commit a5b60de6972decc6b50a39abb376077c3c3621c8 upstream. + +This patch fixes the issue specific to AP. AP is started with WEP +security and external station is connected to it. Data path works +in this case. Now if AP is restarted with WPA/WPA2 security, +station is able to connect but ping fails. + +Driver skips the deletion of WEP keys if interface type is AP. +Removing that redundant check resolves the issue. + +Fixes: e57f1734d87a ("mwifiex: add key material v2 support") +Signed-off-by: Ganapathi Bhat +Signed-off-by: Amitkumar Karwar +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c +@@ -1159,8 +1159,6 @@ int mwifiex_set_encode(struct mwifiex_pr + encrypt_key.is_rx_seq_valid = true; + } + } else { +- if (GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_UAP) +- return 0; + encrypt_key.key_disable = true; + if (mac_addr) + memcpy(encrypt_key.mac_addr, mac_addr, ETH_ALEN); diff --git a/queue-4.9/mwifiex-debugfs-fix-sometimes-off-by-1-ssid-print.patch b/queue-4.9/mwifiex-debugfs-fix-sometimes-off-by-1-ssid-print.patch new file mode 100644 index 00000000000..fcf584ccf71 --- /dev/null +++ b/queue-4.9/mwifiex-debugfs-fix-sometimes-off-by-1-ssid-print.patch @@ -0,0 +1,51 @@ +From 6183468a23fc6b6903f8597982017ad2c7fdefcf Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Mon, 9 Jan 2017 15:33:50 -0800 +Subject: mwifiex: debugfs: Fix (sometimes) off-by-1 SSID print + +From: Brian Norris + +commit 6183468a23fc6b6903f8597982017ad2c7fdefcf upstream. + +Similar to commit fcd2042e8d36 ("mwifiex: printk() overflow with 32-byte +SSIDs"), we failed to account for the existence of 32-char SSIDs in our +debugfs code. Unlike in that case though, we zeroed out the containing +struct first, and I'm pretty sure we're guaranteed to have some padding +after the 'ssid.ssid' and 'ssid.ssid_len' fields (the struct is 33 bytes +long). + +So, this is the difference between: + + # cat /sys/kernel/debug/mwifiex/mlan0/info + ... + essid="0123456789abcdef0123456789abcdef " + ... + +and the correct output: + + # cat /sys/kernel/debug/mwifiex/mlan0/info + ... + essid="0123456789abcdef0123456789abcdef" + ... + +Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") +Signed-off-by: Brian Norris +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/marvell/mwifiex/debugfs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/marvell/mwifiex/debugfs.c ++++ b/drivers/net/wireless/marvell/mwifiex/debugfs.c +@@ -114,7 +114,8 @@ mwifiex_info_read(struct file *file, cha + if (GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA) { + p += sprintf(p, "multicast_count=\"%d\"\n", + netdev_mc_count(netdev)); +- p += sprintf(p, "essid=\"%s\"\n", info.ssid.ssid); ++ p += sprintf(p, "essid=\"%.*s\"\n", info.ssid.ssid_len, ++ info.ssid.ssid); + p += sprintf(p, "bssid=\"%pM\"\n", info.bssid); + p += sprintf(p, "channel=\"%d\"\n", (int) info.bss_chan); + p += sprintf(p, "country_code = \"%s\"\n", info.country_code); diff --git a/queue-4.9/mwifiex-remove-redundant-dma-padding-in-amsdu.patch b/queue-4.9/mwifiex-remove-redundant-dma-padding-in-amsdu.patch new file mode 100644 index 00000000000..3e8a5fa5485 --- /dev/null +++ b/queue-4.9/mwifiex-remove-redundant-dma-padding-in-amsdu.patch @@ -0,0 +1,95 @@ +From 5f0a221f59ad6b72202ef9c6e232086de8c336f2 Mon Sep 17 00:00:00 2001 +From: Xinming Hu +Date: Wed, 11 Jan 2017 21:41:24 +0530 +Subject: mwifiex: remove redundant dma padding in AMSDU + +From: Xinming Hu + +commit 5f0a221f59ad6b72202ef9c6e232086de8c336f2 upstream. + +We already ensure 64 bytes alignment and add padding if required +during skb_aggr allocation. + +Alignment and padding in mwifiex_11n_form_amsdu_txpd() is redundant. +We may end up accessing more data than allocated size with this. + +This patch fixes following issue by removing redundant padding. + +[ 370.241338] skbuff: skb_over_panic: text:ffffffffc046946a len:3550 +put:72 head:ffff880000110000 data:ffff8800001100e4 tail:0xec2 end:0xec0 dev: +[ 370.241374] ------------[ cut here ]------------ +[ 370.241382] kernel BUG at net/core/skbuff.c:104! + 370.244032] Call Trace: +[ 370.244041] [] skb_put+0x44/0x45 +[ 370.244055] [] +mwifiex_11n_aggregate_pkt+0x1e9/0xa50 [mwifiex] +[ 370.244067] [] mwifiex_wmm_process_tx+0x44a/0x6b7 +[mwifiex] +[ 370.244074] [] ? 0xffffffffc0411eb8 +[ 370.244084] [] mwifiex_main_process+0x476/0x5a5 +[mwifiex] +[ 370.244098] [] mwifiex_main_process+0x5a3/0x5a5 +[mwifiex] +[ 370.244113] [] process_one_work+0x1a4/0x309 +[ 370.244123] [] worker_thread+0x20c/0x2ee +[ 370.244130] [] ? rescuer_thread+0x383/0x383 +[ 370.244136] [] ? rescuer_thread+0x383/0x383 +[ 370.244143] [] kthread+0x11c/0x124 +[ 370.244150] [] ? kthread_parkme+0x24/0x24 +[ 370.244157] [] ret_from_fork+0x3f/0x70 +[ 370.244168] [] ? kthread_parkme+0x24/0x24 + +Fixes: 84b313b35f8158d ("mwifiex: make tx packet 64 byte DMA aligned") +Signed-off-by: Xinming Hu +Signed-off-by: Amitkumar Karwar +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/marvell/mwifiex/11n_aggr.c | 19 +++++++------------ + 1 file changed, 7 insertions(+), 12 deletions(-) + +--- a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c ++++ b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c +@@ -101,13 +101,6 @@ mwifiex_11n_form_amsdu_txpd(struct mwifi + { + struct txpd *local_tx_pd; + struct mwifiex_txinfo *tx_info = MWIFIEX_SKB_TXCB(skb); +- unsigned int pad; +- int headroom = (priv->adapter->iface_type == +- MWIFIEX_USB) ? 0 : INTF_HEADER_LEN; +- +- pad = ((void *)skb->data - sizeof(*local_tx_pd) - +- headroom - NULL) & (MWIFIEX_DMA_ALIGN_SZ - 1); +- skb_push(skb, pad); + + skb_push(skb, sizeof(*local_tx_pd)); + +@@ -121,12 +114,10 @@ mwifiex_11n_form_amsdu_txpd(struct mwifi + local_tx_pd->bss_num = priv->bss_num; + local_tx_pd->bss_type = priv->bss_type; + /* Always zero as the data is followed by struct txpd */ +- local_tx_pd->tx_pkt_offset = cpu_to_le16(sizeof(struct txpd) + +- pad); ++ local_tx_pd->tx_pkt_offset = cpu_to_le16(sizeof(struct txpd)); + local_tx_pd->tx_pkt_type = cpu_to_le16(PKT_TYPE_AMSDU); + local_tx_pd->tx_pkt_length = cpu_to_le16(skb->len - +- sizeof(*local_tx_pd) - +- pad); ++ sizeof(*local_tx_pd)); + + if (tx_info->flags & MWIFIEX_BUF_FLAG_TDLS_PKT) + local_tx_pd->flags |= MWIFIEX_TXPD_FLAGS_TDLS_PACKET; +@@ -190,7 +181,11 @@ mwifiex_11n_aggregate_pkt(struct mwifiex + ra_list_flags); + return -1; + } +- skb_reserve(skb_aggr, MWIFIEX_MIN_DATA_HEADER_LEN); ++ ++ /* skb_aggr->data already 64 byte align, just reserve bus interface ++ * header and txpd. ++ */ ++ skb_reserve(skb_aggr, headroom + sizeof(struct txpd)); + tx_info_aggr = MWIFIEX_SKB_TXCB(skb_aggr); + + memset(tx_info_aggr, 0, sizeof(*tx_info_aggr)); diff --git a/queue-4.9/perf-x86-intel-pt-add-format-strings-for-ptwrite-and-power-event-tracing.patch b/queue-4.9/perf-x86-intel-pt-add-format-strings-for-ptwrite-and-power-event-tracing.patch new file mode 100644 index 00000000000..926fbafee51 --- /dev/null +++ b/queue-4.9/perf-x86-intel-pt-add-format-strings-for-ptwrite-and-power-event-tracing.patch @@ -0,0 +1,66 @@ +From 5443624bedd0d23e112d5f2a919435182875bce9 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Fri, 27 Jan 2017 17:16:43 +0200 +Subject: perf/x86/intel/pt: Add format strings for PTWRITE and power event tracing + +From: Alexander Shishkin + +commit 5443624bedd0d23e112d5f2a919435182875bce9 upstream. + +Commit: + + 8ee83b2ab3 ("perf/x86/intel/pt: Add support for PTWRITE and power event tracing") + +forgot to add format strings to the PT driver. So one could enable these features +by setting corresponding bits in the event config, but not by their mnemonic names. + +This patch adds the format strings. + +Signed-off-by: Alexander Shishkin +Signed-off-by: Peter Zijlstra (Intel) +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Borislav Petkov +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: vince@deater.net +Fixes: 8ee83b2ab3 ("perf/x86/intel/pt: Add support for PTWRITE...") +Link: http://lkml.kernel.org/r/20170127151644.8585-2-alexander.shishkin@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/intel/pt.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/x86/events/intel/pt.c ++++ b/arch/x86/events/intel/pt.c +@@ -106,18 +106,24 @@ static struct attribute_group pt_cap_gro + }; + + PMU_FORMAT_ATTR(cyc, "config:1" ); ++PMU_FORMAT_ATTR(pwr_evt, "config:4" ); ++PMU_FORMAT_ATTR(fup_on_ptw, "config:5" ); + PMU_FORMAT_ATTR(mtc, "config:9" ); + PMU_FORMAT_ATTR(tsc, "config:10" ); + PMU_FORMAT_ATTR(noretcomp, "config:11" ); ++PMU_FORMAT_ATTR(ptw, "config:12" ); + PMU_FORMAT_ATTR(mtc_period, "config:14-17" ); + PMU_FORMAT_ATTR(cyc_thresh, "config:19-22" ); + PMU_FORMAT_ATTR(psb_period, "config:24-27" ); + + static struct attribute *pt_formats_attr[] = { + &format_attr_cyc.attr, ++ &format_attr_pwr_evt.attr, ++ &format_attr_fup_on_ptw.attr, + &format_attr_mtc.attr, + &format_attr_tsc.attr, + &format_attr_noretcomp.attr, ++ &format_attr_ptw.attr, + &format_attr_mtc_period.attr, + &format_attr_cyc_thresh.attr, + &format_attr_psb_period.attr, diff --git a/queue-4.9/phy-qcom-usb-hs-add-depends-on-extcon.patch b/queue-4.9/phy-qcom-usb-hs-add-depends-on-extcon.patch new file mode 100644 index 00000000000..daca8bca7d9 --- /dev/null +++ b/queue-4.9/phy-qcom-usb-hs-add-depends-on-extcon.patch @@ -0,0 +1,42 @@ +From 1a09b6a7c10e22c489a8b212dd6862b1fd9674ad Mon Sep 17 00:00:00 2001 +From: Stephen Boyd +Date: Thu, 9 Mar 2017 13:45:44 +0530 +Subject: phy: qcom-usb-hs: Add depends on EXTCON + +From: Stephen Boyd + +commit 1a09b6a7c10e22c489a8b212dd6862b1fd9674ad upstream. + +We get the following compile errors if EXTCON is enabled as a +module but this driver is builtin: + +drivers/built-in.o: In function `qcom_usb_hs_phy_power_off': +phy-qcom-usb-hs.c:(.text+0x1089): undefined reference to `extcon_unregister_notifier' +drivers/built-in.o: In function `qcom_usb_hs_phy_probe': +phy-qcom-usb-hs.c:(.text+0x11b5): undefined reference to `extcon_get_edev_by_phandle' +drivers/built-in.o: In function `qcom_usb_hs_phy_power_on': +phy-qcom-usb-hs.c:(.text+0x128e): undefined reference to `extcon_get_state' +phy-qcom-usb-hs.c:(.text+0x12a9): undefined reference to `extcon_register_notifier' + +so let's mark this as needing to follow the modular status of +the extcon framework. + +Fixes: 9994a33865f4 e2427b09ba929c2b9 (phy: Add support for Qualcomm's USB HS phy") +Signed-off-by: Stephen Boyd +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/phy/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/phy/Kconfig ++++ b/drivers/phy/Kconfig +@@ -456,6 +456,7 @@ config PHY_QCOM_UFS + config PHY_TUSB1210 + tristate "TI TUSB1210 ULPI PHY module" + depends on USB_ULPI_BUS ++ depends on EXTCON || !EXTCON # if EXTCON=m, this cannot be built-in + select GENERIC_PHY + help + Support for TI TUSB1210 USB ULPI PHY. diff --git a/queue-4.9/power-supply-bq24190_charger-call-power_supply_changed-for-relevant-component.patch b/queue-4.9/power-supply-bq24190_charger-call-power_supply_changed-for-relevant-component.patch new file mode 100644 index 00000000000..55e37b9e90f --- /dev/null +++ b/queue-4.9/power-supply-bq24190_charger-call-power_supply_changed-for-relevant-component.patch @@ -0,0 +1,143 @@ +From 2d9fee6a42ea170e4378b3363a7ad385d0e67281 Mon Sep 17 00:00:00 2001 +From: Liam Breck +Date: Wed, 18 Jan 2017 09:26:52 -0800 +Subject: power: supply: bq24190_charger: Call power_supply_changed() for relevant component + +From: Liam Breck + +commit 2d9fee6a42ea170e4378b3363a7ad385d0e67281 upstream. + +We wrongly get uevents for bq24190-charger and bq24190-battery on every +register change. + +Fix by checking the association with charger and battery before +emitting uevent(s). + +Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger") +Signed-off-by: Liam Breck +Acked-by: Mark Greer +Acked-by: Tony Lindgren +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/supply/bq24190_charger.c | 50 +++++++++++++++++---------------- + 1 file changed, 27 insertions(+), 23 deletions(-) + +--- a/drivers/power/supply/bq24190_charger.c ++++ b/drivers/power/supply/bq24190_charger.c +@@ -159,7 +159,6 @@ struct bq24190_dev_info { + unsigned int gpio_int; + unsigned int irq; + struct mutex f_reg_lock; +- bool first_time; + bool charger_health_valid; + bool battery_health_valid; + bool battery_status_valid; +@@ -1197,7 +1196,10 @@ static const struct power_supply_desc bq + static irqreturn_t bq24190_irq_handler_thread(int irq, void *data) + { + struct bq24190_dev_info *bdi = data; +- bool alert_userspace = false; ++ const u8 battery_mask_ss = BQ24190_REG_SS_CHRG_STAT_MASK; ++ const u8 battery_mask_f = BQ24190_REG_F_BAT_FAULT_MASK ++ | BQ24190_REG_F_NTC_FAULT_MASK; ++ bool alert_charger = false, alert_battery = false; + u8 ss_reg = 0, f_reg = 0; + int ret; + +@@ -1225,8 +1227,12 @@ static irqreturn_t bq24190_irq_handler_t + ret); + } + ++ if ((bdi->ss_reg & battery_mask_ss) != (ss_reg & battery_mask_ss)) ++ alert_battery = true; ++ if ((bdi->ss_reg & ~battery_mask_ss) != (ss_reg & ~battery_mask_ss)) ++ alert_charger = true; ++ + bdi->ss_reg = ss_reg; +- alert_userspace = true; + } + + mutex_lock(&bdi->f_reg_lock); +@@ -1239,33 +1245,23 @@ static irqreturn_t bq24190_irq_handler_t + } + + if (f_reg != bdi->f_reg) { ++ if ((bdi->f_reg & battery_mask_f) != (f_reg & battery_mask_f)) ++ alert_battery = true; ++ if ((bdi->f_reg & ~battery_mask_f) != (f_reg & ~battery_mask_f)) ++ alert_charger = true; ++ + bdi->f_reg = f_reg; + bdi->charger_health_valid = true; + bdi->battery_health_valid = true; + bdi->battery_status_valid = true; +- +- alert_userspace = true; + } + + mutex_unlock(&bdi->f_reg_lock); + +- /* +- * Sometimes bq24190 gives a steady trickle of interrupts even +- * though the watchdog timer is turned off and neither the STATUS +- * nor FAULT registers have changed. Weed out these sprurious +- * interrupts so userspace isn't alerted for no reason. +- * In addition, the chip always generates an interrupt after +- * register reset so we should ignore that one (the very first +- * interrupt received). +- */ +- if (alert_userspace) { +- if (!bdi->first_time) { +- power_supply_changed(bdi->charger); +- power_supply_changed(bdi->battery); +- } else { +- bdi->first_time = false; +- } +- } ++ if (alert_charger) ++ power_supply_changed(bdi->charger); ++ if (alert_battery) ++ power_supply_changed(bdi->battery); + + out: + pm_runtime_put_sync(bdi->dev); +@@ -1300,6 +1296,10 @@ static int bq24190_hw_init(struct bq2419 + goto out; + + ret = bq24190_set_mode_host(bdi); ++ if (ret < 0) ++ goto out; ++ ++ ret = bq24190_read(bdi, BQ24190_REG_SS, &bdi->ss_reg); + out: + pm_runtime_put_sync(bdi->dev); + return ret; +@@ -1375,7 +1375,8 @@ static int bq24190_probe(struct i2c_clie + bdi->model = id->driver_data; + strncpy(bdi->model_name, id->name, I2C_NAME_SIZE); + mutex_init(&bdi->f_reg_lock); +- bdi->first_time = true; ++ bdi->f_reg = 0; ++ bdi->ss_reg = BQ24190_REG_SS_VBUS_STAT_MASK; /* impossible state */ + bdi->charger_health_valid = false; + bdi->battery_health_valid = false; + bdi->battery_status_valid = false; +@@ -1489,6 +1490,8 @@ static int bq24190_pm_resume(struct devi + struct i2c_client *client = to_i2c_client(dev); + struct bq24190_dev_info *bdi = i2c_get_clientdata(client); + ++ bdi->f_reg = 0; ++ bdi->ss_reg = BQ24190_REG_SS_VBUS_STAT_MASK; /* impossible state */ + bdi->charger_health_valid = false; + bdi->battery_health_valid = false; + bdi->battery_status_valid = false; +@@ -1496,6 +1499,7 @@ static int bq24190_pm_resume(struct devi + pm_runtime_get_sync(bdi->dev); + bq24190_register_reset(bdi); + bq24190_set_mode_host(bdi); ++ bq24190_read(bdi, BQ24190_REG_SS, &bdi->ss_reg); + pm_runtime_put_sync(bdi->dev); + + /* Things may have changed while suspended so alert upper layer */ diff --git a/queue-4.9/power-supply-bq24190_charger-call-set_mode_host-on-pm_resume.patch b/queue-4.9/power-supply-bq24190_charger-call-set_mode_host-on-pm_resume.patch new file mode 100644 index 00000000000..7f5174f3033 --- /dev/null +++ b/queue-4.9/power-supply-bq24190_charger-call-set_mode_host-on-pm_resume.patch @@ -0,0 +1,34 @@ +From e05ad7e0741ce0505e1df157c62b22b95172bb97 Mon Sep 17 00:00:00 2001 +From: Liam Breck +Date: Wed, 18 Jan 2017 09:26:49 -0800 +Subject: power: supply: bq24190_charger: Call set_mode_host() on pm_resume() + +From: Liam Breck + +commit e05ad7e0741ce0505e1df157c62b22b95172bb97 upstream. + +pm_resume() does a register_reset() which clears charger host mode. + +Fix by calling set_mode_host() after the reset. + +Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger") +Signed-off-by: Liam Breck +Acked-by: Mark Greer +Acked-by: Tony Lindgren +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/supply/bq24190_charger.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/power/supply/bq24190_charger.c ++++ b/drivers/power/supply/bq24190_charger.c +@@ -1494,6 +1494,7 @@ static int bq24190_pm_resume(struct devi + + pm_runtime_get_sync(bdi->dev); + bq24190_register_reset(bdi); ++ bq24190_set_mode_host(bdi); + pm_runtime_put_sync(bdi->dev); + + /* Things may have changed while suspended so alert upper layer */ diff --git a/queue-4.9/power-supply-bq24190_charger-don-t-read-fault-register-outside-irq_handle_thread.patch b/queue-4.9/power-supply-bq24190_charger-don-t-read-fault-register-outside-irq_handle_thread.patch new file mode 100644 index 00000000000..56c2abf9672 --- /dev/null +++ b/queue-4.9/power-supply-bq24190_charger-don-t-read-fault-register-outside-irq_handle_thread.patch @@ -0,0 +1,212 @@ +From 68abfb8015832ddf728b911769659468efaf8bd9 Mon Sep 17 00:00:00 2001 +From: Liam Breck +Date: Wed, 18 Jan 2017 09:26:53 -0800 +Subject: power: supply: bq24190_charger: Don't read fault register outside irq_handle_thread() + +From: Liam Breck + +commit 68abfb8015832ddf728b911769659468efaf8bd9 upstream. + +Caching the fault register after a single I2C read may not keep an accurate +value. + +Fix by doing two reads in irq_handle_thread() and using the cached value +elsewhere. If a safety timer fault later clears itself, we apparently don't get +an interrupt (INT), however other interrupts would refresh the register cache. + +From the data sheet: "When a fault occurs, the charger device sends out INT + and keeps the fault state in REG09 until the host reads the fault register. + Before the host reads REG09 and all the faults are cleared, the charger + device would not send any INT upon new faults. In order to read the + current fault status, the host has to read REG09 two times consecutively. + The 1st reads fault register status from the last read [1] and the 2nd reads + the current fault register status." + +[1] presumably a typo; should be "last fault" + +Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger") +Signed-off-by: Liam Breck +Acked-by: Mark Greer +Acked-by: Tony Lindgren +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/supply/bq24190_charger.c | 94 +++++++++------------------------ + 1 file changed, 27 insertions(+), 67 deletions(-) + +--- a/drivers/power/supply/bq24190_charger.c ++++ b/drivers/power/supply/bq24190_charger.c +@@ -144,10 +144,7 @@ + * so the first read after a fault returns the latched value and subsequent + * reads return the current value. In order to return the fault status + * to the user, have the interrupt handler save the reg's value and retrieve +- * it in the appropriate health/status routine. Each routine has its own +- * flag indicating whether it should use the value stored by the last run +- * of the interrupt handler or do an actual reg read. That way each routine +- * can report back whatever fault may have occured. ++ * it in the appropriate health/status routine. + */ + struct bq24190_dev_info { + struct i2c_client *client; +@@ -159,9 +156,6 @@ struct bq24190_dev_info { + unsigned int gpio_int; + unsigned int irq; + struct mutex f_reg_lock; +- bool charger_health_valid; +- bool battery_health_valid; +- bool battery_status_valid; + u8 f_reg; + u8 ss_reg; + u8 watchdog; +@@ -635,21 +629,11 @@ static int bq24190_charger_get_health(st + union power_supply_propval *val) + { + u8 v; +- int health, ret; ++ int health; + + mutex_lock(&bdi->f_reg_lock); +- +- if (bdi->charger_health_valid) { +- v = bdi->f_reg; +- bdi->charger_health_valid = false; +- mutex_unlock(&bdi->f_reg_lock); +- } else { +- mutex_unlock(&bdi->f_reg_lock); +- +- ret = bq24190_read(bdi, BQ24190_REG_F, &v); +- if (ret < 0) +- return ret; +- } ++ v = bdi->f_reg; ++ mutex_unlock(&bdi->f_reg_lock); + + if (v & BQ24190_REG_F_BOOST_FAULT_MASK) { + /* +@@ -936,18 +920,8 @@ static int bq24190_battery_get_status(st + int status, ret; + + mutex_lock(&bdi->f_reg_lock); +- +- if (bdi->battery_status_valid) { +- chrg_fault = bdi->f_reg; +- bdi->battery_status_valid = false; +- mutex_unlock(&bdi->f_reg_lock); +- } else { +- mutex_unlock(&bdi->f_reg_lock); +- +- ret = bq24190_read(bdi, BQ24190_REG_F, &chrg_fault); +- if (ret < 0) +- return ret; +- } ++ chrg_fault = bdi->f_reg; ++ mutex_unlock(&bdi->f_reg_lock); + + chrg_fault &= BQ24190_REG_F_CHRG_FAULT_MASK; + chrg_fault >>= BQ24190_REG_F_CHRG_FAULT_SHIFT; +@@ -995,21 +969,11 @@ static int bq24190_battery_get_health(st + union power_supply_propval *val) + { + u8 v; +- int health, ret; ++ int health; + + mutex_lock(&bdi->f_reg_lock); +- +- if (bdi->battery_health_valid) { +- v = bdi->f_reg; +- bdi->battery_health_valid = false; +- mutex_unlock(&bdi->f_reg_lock); +- } else { +- mutex_unlock(&bdi->f_reg_lock); +- +- ret = bq24190_read(bdi, BQ24190_REG_F, &v); +- if (ret < 0) +- return ret; +- } ++ v = bdi->f_reg; ++ mutex_unlock(&bdi->f_reg_lock); + + if (v & BQ24190_REG_F_BAT_FAULT_MASK) { + health = POWER_SUPPLY_HEALTH_OVERVOLTAGE; +@@ -1201,7 +1165,7 @@ static irqreturn_t bq24190_irq_handler_t + | BQ24190_REG_F_NTC_FAULT_MASK; + bool alert_charger = false, alert_battery = false; + u8 ss_reg = 0, f_reg = 0; +- int ret; ++ int i, ret; + + pm_runtime_get_sync(bdi->dev); + +@@ -1231,33 +1195,35 @@ static irqreturn_t bq24190_irq_handler_t + alert_battery = true; + if ((bdi->ss_reg & ~battery_mask_ss) != (ss_reg & ~battery_mask_ss)) + alert_charger = true; +- + bdi->ss_reg = ss_reg; + } + +- mutex_lock(&bdi->f_reg_lock); +- +- ret = bq24190_read(bdi, BQ24190_REG_F, &f_reg); +- if (ret < 0) { +- mutex_unlock(&bdi->f_reg_lock); +- dev_err(bdi->dev, "Can't read F reg: %d\n", ret); +- goto out; +- } ++ i = 0; ++ do { ++ ret = bq24190_read(bdi, BQ24190_REG_F, &f_reg); ++ if (ret < 0) { ++ dev_err(bdi->dev, "Can't read F reg: %d\n", ret); ++ goto out; ++ } ++ } while (f_reg && ++i < 2); + + if (f_reg != bdi->f_reg) { ++ dev_info(bdi->dev, ++ "Fault: boost %d, charge %d, battery %d, ntc %d\n", ++ !!(f_reg & BQ24190_REG_F_BOOST_FAULT_MASK), ++ !!(f_reg & BQ24190_REG_F_CHRG_FAULT_MASK), ++ !!(f_reg & BQ24190_REG_F_BAT_FAULT_MASK), ++ !!(f_reg & BQ24190_REG_F_NTC_FAULT_MASK)); ++ ++ mutex_lock(&bdi->f_reg_lock); + if ((bdi->f_reg & battery_mask_f) != (f_reg & battery_mask_f)) + alert_battery = true; + if ((bdi->f_reg & ~battery_mask_f) != (f_reg & ~battery_mask_f)) + alert_charger = true; +- + bdi->f_reg = f_reg; +- bdi->charger_health_valid = true; +- bdi->battery_health_valid = true; +- bdi->battery_status_valid = true; ++ mutex_unlock(&bdi->f_reg_lock); + } + +- mutex_unlock(&bdi->f_reg_lock); +- + if (alert_charger) + power_supply_changed(bdi->charger); + if (alert_battery) +@@ -1377,9 +1343,6 @@ static int bq24190_probe(struct i2c_clie + mutex_init(&bdi->f_reg_lock); + bdi->f_reg = 0; + bdi->ss_reg = BQ24190_REG_SS_VBUS_STAT_MASK; /* impossible state */ +- bdi->charger_health_valid = false; +- bdi->battery_health_valid = false; +- bdi->battery_status_valid = false; + + i2c_set_clientdata(client, bdi); + +@@ -1492,9 +1455,6 @@ static int bq24190_pm_resume(struct devi + + bdi->f_reg = 0; + bdi->ss_reg = BQ24190_REG_SS_VBUS_STAT_MASK; /* impossible state */ +- bdi->charger_health_valid = false; +- bdi->battery_health_valid = false; +- bdi->battery_status_valid = false; + + pm_runtime_get_sync(bdi->dev); + bq24190_register_reset(bdi); diff --git a/queue-4.9/power-supply-bq24190_charger-fix-irq-trigger-to-irqf_trigger_falling.patch b/queue-4.9/power-supply-bq24190_charger-fix-irq-trigger-to-irqf_trigger_falling.patch new file mode 100644 index 00000000000..51d286b079b --- /dev/null +++ b/queue-4.9/power-supply-bq24190_charger-fix-irq-trigger-to-irqf_trigger_falling.patch @@ -0,0 +1,39 @@ +From 767eee362fd72bb2ca44cc80419ca4b38c6d8369 Mon Sep 17 00:00:00 2001 +From: Liam Breck +Date: Wed, 18 Jan 2017 09:26:48 -0800 +Subject: power: supply: bq24190_charger: Fix irq trigger to IRQF_TRIGGER_FALLING + +From: Liam Breck + +commit 767eee362fd72bb2ca44cc80419ca4b38c6d8369 upstream. + +The interrupt signal is TRIGGER_FALLING. This is is specified in the +data sheet PIN FUNCTIONS: "The INT pin sends active low, 256us +pulse to host to report charger device status and fault." + +Also the direction can be seen in the data sheet Figure 37 "BQ24190 +with D+/D- Detection and USB On-The-Go (OTG)" which shows a 10k +pull-up resistor installed for the sample configurations. + +Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger") +Signed-off-by: Liam Breck +Acked-by: Mark Greer +Acked-by: Tony Lindgren +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/supply/bq24190_charger.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/power/supply/bq24190_charger.c ++++ b/drivers/power/supply/bq24190_charger.c +@@ -1394,7 +1394,7 @@ static int bq24190_probe(struct i2c_clie + + ret = devm_request_threaded_irq(dev, bdi->irq, NULL, + bq24190_irq_handler_thread, +- IRQF_TRIGGER_RISING | IRQF_ONESHOT, ++ IRQF_TRIGGER_FALLING | IRQF_ONESHOT, + "bq24190-charger", bdi); + if (ret < 0) { + dev_err(dev, "Can't set up irq handler\n"); diff --git a/queue-4.9/power-supply-bq24190_charger-handle-fault-before-status-on-interrupt.patch b/queue-4.9/power-supply-bq24190_charger-handle-fault-before-status-on-interrupt.patch new file mode 100644 index 00000000000..2f0ff4f78c4 --- /dev/null +++ b/queue-4.9/power-supply-bq24190_charger-handle-fault-before-status-on-interrupt.patch @@ -0,0 +1,87 @@ +From ba52e75718784fda1b683ee0bfded72a0b83b047 Mon Sep 17 00:00:00 2001 +From: Liam Breck +Date: Wed, 18 Jan 2017 09:26:54 -0800 +Subject: power: supply: bq24190_charger: Handle fault before status on interrupt + +From: Liam Breck + +commit ba52e75718784fda1b683ee0bfded72a0b83b047 upstream. + +Reading both fault and status registers and logging any fault should +take priority over handling status register update. + +Fix by moving the status handling to later in interrupt routine. + +Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger") +Signed-off-by: Liam Breck +Acked-by: Mark Greer +Acked-by: Tony Lindgren +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/supply/bq24190_charger.c | 46 ++++++++++++++++----------------- + 1 file changed, 23 insertions(+), 23 deletions(-) + +--- a/drivers/power/supply/bq24190_charger.c ++++ b/drivers/power/supply/bq24190_charger.c +@@ -1175,29 +1175,6 @@ static irqreturn_t bq24190_irq_handler_t + goto out; + } + +- if (ss_reg != bdi->ss_reg) { +- /* +- * The device is in host mode so when PG_STAT goes from 1->0 +- * (i.e., power removed) HIZ needs to be disabled. +- */ +- if ((bdi->ss_reg & BQ24190_REG_SS_PG_STAT_MASK) && +- !(ss_reg & BQ24190_REG_SS_PG_STAT_MASK)) { +- ret = bq24190_write_mask(bdi, BQ24190_REG_ISC, +- BQ24190_REG_ISC_EN_HIZ_MASK, +- BQ24190_REG_ISC_EN_HIZ_SHIFT, +- 0); +- if (ret < 0) +- dev_err(bdi->dev, "Can't access ISC reg: %d\n", +- ret); +- } +- +- if ((bdi->ss_reg & battery_mask_ss) != (ss_reg & battery_mask_ss)) +- alert_battery = true; +- if ((bdi->ss_reg & ~battery_mask_ss) != (ss_reg & ~battery_mask_ss)) +- alert_charger = true; +- bdi->ss_reg = ss_reg; +- } +- + i = 0; + do { + ret = bq24190_read(bdi, BQ24190_REG_F, &f_reg); +@@ -1224,6 +1201,29 @@ static irqreturn_t bq24190_irq_handler_t + mutex_unlock(&bdi->f_reg_lock); + } + ++ if (ss_reg != bdi->ss_reg) { ++ /* ++ * The device is in host mode so when PG_STAT goes from 1->0 ++ * (i.e., power removed) HIZ needs to be disabled. ++ */ ++ if ((bdi->ss_reg & BQ24190_REG_SS_PG_STAT_MASK) && ++ !(ss_reg & BQ24190_REG_SS_PG_STAT_MASK)) { ++ ret = bq24190_write_mask(bdi, BQ24190_REG_ISC, ++ BQ24190_REG_ISC_EN_HIZ_MASK, ++ BQ24190_REG_ISC_EN_HIZ_SHIFT, ++ 0); ++ if (ret < 0) ++ dev_err(bdi->dev, "Can't access ISC reg: %d\n", ++ ret); ++ } ++ ++ if ((bdi->ss_reg & battery_mask_ss) != (ss_reg & battery_mask_ss)) ++ alert_battery = true; ++ if ((bdi->ss_reg & ~battery_mask_ss) != (ss_reg & ~battery_mask_ss)) ++ alert_charger = true; ++ bdi->ss_reg = ss_reg; ++ } ++ + if (alert_charger) + power_supply_changed(bdi->charger); + if (alert_battery) diff --git a/queue-4.9/power-supply-bq24190_charger-install-irq_handler_thread-at-end-of-probe.patch b/queue-4.9/power-supply-bq24190_charger-install-irq_handler_thread-at-end-of-probe.patch new file mode 100644 index 00000000000..ba370339b29 --- /dev/null +++ b/queue-4.9/power-supply-bq24190_charger-install-irq_handler_thread-at-end-of-probe.patch @@ -0,0 +1,100 @@ +From d62acc5ef0621463446091ebd7a345e06e9ab80c Mon Sep 17 00:00:00 2001 +From: Liam Breck +Date: Wed, 18 Jan 2017 09:26:50 -0800 +Subject: power: supply: bq24190_charger: Install irq_handler_thread() at end of probe() + +From: Liam Breck + +commit d62acc5ef0621463446091ebd7a345e06e9ab80c upstream. + +The device specific data is not fully initialized on +request_threaded_irq(). This may cause a crash when the IRQ handler +tries to reference them. + +Fix the issue by installing IRQ handler at the end of the probe. + +Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger") +Signed-off-by: Liam Breck +Acked-by: Mark Greer +Acked-by: Tony Lindgren +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/supply/bq24190_charger.c | 31 ++++++++++++++++--------------- + 1 file changed, 16 insertions(+), 15 deletions(-) + +--- a/drivers/power/supply/bq24190_charger.c ++++ b/drivers/power/supply/bq24190_charger.c +@@ -1392,22 +1392,13 @@ static int bq24190_probe(struct i2c_clie + return -EINVAL; + } + +- ret = devm_request_threaded_irq(dev, bdi->irq, NULL, +- bq24190_irq_handler_thread, +- IRQF_TRIGGER_FALLING | IRQF_ONESHOT, +- "bq24190-charger", bdi); +- if (ret < 0) { +- dev_err(dev, "Can't set up irq handler\n"); +- goto out1; +- } +- + pm_runtime_enable(dev); + pm_runtime_resume(dev); + + ret = bq24190_hw_init(bdi); + if (ret < 0) { + dev_err(dev, "Hardware init failed\n"); +- goto out2; ++ goto out1; + } + + charger_cfg.drv_data = bdi; +@@ -1418,7 +1409,7 @@ static int bq24190_probe(struct i2c_clie + if (IS_ERR(bdi->charger)) { + dev_err(dev, "Can't register charger\n"); + ret = PTR_ERR(bdi->charger); +- goto out2; ++ goto out1; + } + + battery_cfg.drv_data = bdi; +@@ -1427,24 +1418,34 @@ static int bq24190_probe(struct i2c_clie + if (IS_ERR(bdi->battery)) { + dev_err(dev, "Can't register battery\n"); + ret = PTR_ERR(bdi->battery); +- goto out3; ++ goto out2; + } + + ret = bq24190_sysfs_create_group(bdi); + if (ret) { + dev_err(dev, "Can't create sysfs entries\n"); ++ goto out3; ++ } ++ ++ ret = devm_request_threaded_irq(dev, bdi->irq, NULL, ++ bq24190_irq_handler_thread, ++ IRQF_TRIGGER_FALLING | IRQF_ONESHOT, ++ "bq24190-charger", bdi); ++ if (ret < 0) { ++ dev_err(dev, "Can't set up irq handler\n"); + goto out4; + } + + return 0; + + out4: +- power_supply_unregister(bdi->battery); ++ bq24190_sysfs_remove_group(bdi); + out3: +- power_supply_unregister(bdi->charger); ++ power_supply_unregister(bdi->battery); + out2: +- pm_runtime_disable(dev); ++ power_supply_unregister(bdi->charger); + out1: ++ pm_runtime_disable(dev); + if (bdi->gpio_int) + gpio_free(bdi->gpio_int); + diff --git a/queue-4.9/power-supply-lp8788-prevent-out-of-bounds-array-access.patch b/queue-4.9/power-supply-lp8788-prevent-out-of-bounds-array-access.patch new file mode 100644 index 00000000000..ac2fda0c8c3 --- /dev/null +++ b/queue-4.9/power-supply-lp8788-prevent-out-of-bounds-array-access.patch @@ -0,0 +1,39 @@ +From bdd9968d35f7fcdb76089347d1529bf079534214 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Giedrius=20Statkevi=C4=8Dius?= + +Date: Sat, 25 Mar 2017 18:00:49 +0200 +Subject: power: supply: lp8788: prevent out of bounds array access +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Giedrius Statkevičius + +commit bdd9968d35f7fcdb76089347d1529bf079534214 upstream. + +val might become 7 in which case stime[7] (array of length 7) would be +accessed during the scnprintf call later and that will cause issues. +Obviously, string concatenation is not intended here so just a comma needs +to be added to fix the issue. + +Fixes: 98a276649358 ("power_supply: Add new lp8788 charger driver") +Signed-off-by: Giedrius Statkevičius +Acked-by: Milo Kim +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/supply/lp8788-charger.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/power/supply/lp8788-charger.c ++++ b/drivers/power/supply/lp8788-charger.c +@@ -654,7 +654,7 @@ static ssize_t lp8788_show_eoc_time(stru + { + struct lp8788_charger *pchg = dev_get_drvdata(dev); + char *stime[] = { "400ms", "5min", "10min", "15min", +- "20min", "25min", "30min" "No timeout" }; ++ "20min", "25min", "30min", "No timeout" }; + u8 val; + + lp8788_read_byte(pchg->lp, LP8788_CHG_EOC, &val); diff --git a/queue-4.9/powerpc-correctly-disable-latent-entropy-gcc-plugin-on-prom_init.o.patch b/queue-4.9/powerpc-correctly-disable-latent-entropy-gcc-plugin-on-prom_init.o.patch new file mode 100644 index 00000000000..20bb5281ecd --- /dev/null +++ b/queue-4.9/powerpc-correctly-disable-latent-entropy-gcc-plugin-on-prom_init.o.patch @@ -0,0 +1,35 @@ +From eac6f8b0c7adb003776dbad9d037ee2fc64f9d62 Mon Sep 17 00:00:00 2001 +From: Andrew Donnellan +Date: Tue, 6 Dec 2016 17:27:59 +1100 +Subject: powerpc: Correctly disable latent entropy GCC plugin on prom_init.o + +From: Andrew Donnellan + +commit eac6f8b0c7adb003776dbad9d037ee2fc64f9d62 upstream. + +Commit 38addce8b600 ("gcc-plugins: Add latent_entropy plugin") excludes +certain powerpc early boot code from the latent entropy plugin by adding +appropriate CFLAGS. It looks like this was supposed to cover +prom_init.o, but ended up saying init.o (which doesn't exist) instead. +Fix the typo. + +Fixes: 38addce8b600 ("gcc-plugins: Add latent_entropy plugin") +Signed-off-by: Andrew Donnellan +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/Makefile ++++ b/arch/powerpc/kernel/Makefile +@@ -15,7 +15,7 @@ CFLAGS_btext.o += -fPIC + endif + + CFLAGS_cputable.o += $(DISABLE_LATENT_ENTROPY_PLUGIN) +-CFLAGS_init.o += $(DISABLE_LATENT_ENTROPY_PLUGIN) ++CFLAGS_prom_init.o += $(DISABLE_LATENT_ENTROPY_PLUGIN) + CFLAGS_btext.o += $(DISABLE_LATENT_ENTROPY_PLUGIN) + CFLAGS_prom.o += $(DISABLE_LATENT_ENTROPY_PLUGIN) + diff --git a/queue-4.9/powerpc-ftrace-fix-confusing-help-text-for-disable_mprofile_kernel.patch b/queue-4.9/powerpc-ftrace-fix-confusing-help-text-for-disable_mprofile_kernel.patch new file mode 100644 index 00000000000..ca5e3a060c0 --- /dev/null +++ b/queue-4.9/powerpc-ftrace-fix-confusing-help-text-for-disable_mprofile_kernel.patch @@ -0,0 +1,35 @@ +From 496e9cb5b2aa2ba303d2bbd08518f9be2219ab4b Mon Sep 17 00:00:00 2001 +From: Anton Blanchard +Date: Fri, 10 Feb 2017 12:16:59 +1100 +Subject: powerpc/ftrace: Fix confusing help text for DISABLE_MPROFILE_KERNEL + +From: Anton Blanchard + +commit 496e9cb5b2aa2ba303d2bbd08518f9be2219ab4b upstream. + +The final paragraph of the help text is reversed. We want to enable +this option by default, and disable it if the toolchain has a working +-mprofile-kernel. + +Fixes: 8c50b72a3b4f ("powerpc/ftrace: Add Kconfig & Make glue for mprofile-kernel") +Signed-off-by: Anton Blanchard +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -388,8 +388,8 @@ config DISABLE_MPROFILE_KERNEL + be disabled also. + + If you have a toolchain which supports mprofile-kernel, then you can +- enable this. Otherwise leave it disabled. If you're not sure, say +- "N". ++ disable this. Otherwise leave it enabled. If you're not sure, say ++ "Y". + + config MPROFILE_KERNEL + depends on PPC64 && CPU_LITTLE_ENDIAN diff --git a/queue-4.9/powerpc-mm-fixup-wrong-lpcr_vrmasd-value.patch b/queue-4.9/powerpc-mm-fixup-wrong-lpcr_vrmasd-value.patch new file mode 100644 index 00000000000..04b7b32ffa8 --- /dev/null +++ b/queue-4.9/powerpc-mm-fixup-wrong-lpcr_vrmasd-value.patch @@ -0,0 +1,45 @@ +From 4ab2537c4204b976e4ca350bbdc193b4649cad28 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Thu, 8 Dec 2016 09:12:13 +0530 +Subject: powerpc/mm: Fixup wrong LPCR_VRMASD value + +From: Aneesh Kumar K.V + +commit 4ab2537c4204b976e4ca350bbdc193b4649cad28 upstream. + +In commit a4b349540a26af ("powerpc/mm: Cleanup LPCR defines") we updated +LPCR_VRMASD wrongly as below. + +-#define LPCR_VRMASD (0x1ful << (63-16)) ++#define LPCR_VRMASD_SH 47 ++#define LPCR_VRMASD (ASM_CONST(1) << LPCR_VRMASD_SH) + +We initialize the VRMA bits in LPCR to 0x00 in kvm. Hence using a +different mask value as above while updating lpcr should not have any +impact. + +This patch updates it to the correct value. + +Fixes: a4b349540a26 ("powerpc/mm: Cleanup LPCR defines") +Reported-by: Ram Pai +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: Jia He +Acked-by: Paul Mackerras +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/reg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/include/asm/reg.h ++++ b/arch/powerpc/include/asm/reg.h +@@ -337,7 +337,7 @@ + #define LPCR_DPFD_SH 52 + #define LPCR_DPFD (ASM_CONST(7) << LPCR_DPFD_SH) + #define LPCR_VRMASD_SH 47 +-#define LPCR_VRMASD (ASM_CONST(1) << LPCR_VRMASD_SH) ++#define LPCR_VRMASD (ASM_CONST(0x1f) << LPCR_VRMASD_SH) + #define LPCR_VRMA_L ASM_CONST(0x0008000000000000) + #define LPCR_VRMA_LP0 ASM_CONST(0x0001000000000000) + #define LPCR_VRMA_LP1 ASM_CONST(0x0000800000000000) diff --git a/queue-4.9/powerpc-powernv-fix-opal_exit-tracepoint-opcode.patch b/queue-4.9/powerpc-powernv-fix-opal_exit-tracepoint-opcode.patch new file mode 100644 index 00000000000..c48a560057c --- /dev/null +++ b/queue-4.9/powerpc-powernv-fix-opal_exit-tracepoint-opcode.patch @@ -0,0 +1,45 @@ +From a7e0fb6c2029a780444d09560f739e020d54fe4d Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Tue, 7 Feb 2017 21:01:01 +1100 +Subject: powerpc/powernv: Fix opal_exit tracepoint opcode + +From: Michael Ellerman + +commit a7e0fb6c2029a780444d09560f739e020d54fe4d upstream. + +Currently the opal_exit tracepoint usually shows the opcode as 0: + + -0 [047] d.h. 635.654292: opal_entry: opcode=63 + -0 [047] d.h. 635.654296: opal_exit: opcode=0 retval=0 + kopald-1209 [019] d... 636.420943: opal_entry: opcode=10 + kopald-1209 [019] d... 636.420959: opal_exit: opcode=0 retval=0 + +This is because we incorrectly load the opcode into r0 before calling +__trace_opal_exit(), whereas it expects the opcode in r3 (first function +parameter). In fact we are leaving the retval in r3, so opcode and +retval will always show the same value. + +Instead load the opcode into r3, resulting in: + + -0 [040] d.h. 636.618625: opal_entry: opcode=63 + -0 [040] d.h. 636.618627: opal_exit: opcode=63 retval=0 + +Fixes: c49f63530bb6 ("powernv: Add OPAL tracepoints") +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/opal-wrappers.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/powernv/opal-wrappers.S ++++ b/arch/powerpc/platforms/powernv/opal-wrappers.S +@@ -146,7 +146,7 @@ opal_tracepoint_entry: + opal_tracepoint_return: + std r3,STK_REG(R31)(r1) + mr r4,r3 +- ld r0,STK_REG(R23)(r1) ++ ld r3,STK_REG(R23)(r1) + bl __trace_opal_exit + ld r3,STK_REG(R31)(r1) + addi r1,r1,STACKFRAMESIZE diff --git a/queue-4.9/revert-kvm-nested-vmx-disable-perf-cpuid-reporting.patch b/queue-4.9/revert-kvm-nested-vmx-disable-perf-cpuid-reporting.patch new file mode 100644 index 00000000000..eb94b323f68 --- /dev/null +++ b/queue-4.9/revert-kvm-nested-vmx-disable-perf-cpuid-reporting.patch @@ -0,0 +1,55 @@ +From 0b4c208d443ba2af82b4c70f99ca8df31e9a0020 Mon Sep 17 00:00:00 2001 +From: Jim Mattson +Date: Tue, 20 Dec 2016 16:34:50 -0800 +Subject: Revert "KVM: nested VMX: disable perf cpuid reporting" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jim Mattson + +commit 0b4c208d443ba2af82b4c70f99ca8df31e9a0020 upstream. + +This reverts commit bc6134942dbbf31c25e9bd7c876be5da81c9e1ce. + +A CPUID instruction executed in VMX non-root mode always causes a +VM-exit, regardless of the leaf being queried. + +Fixes: bc6134942dbb ("KVM: nested VMX: disable perf cpuid reporting") +Signed-off-by: Jim Mattson +[The issue solved by bc6134942dbb has been resolved with ff651cb613b4 + ("KVM: nVMX: Add nested msr load/restore algorithm").] +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/cpuid.c | 6 ------ + arch/x86/kvm/vmx.c | 2 -- + 2 files changed, 8 deletions(-) + +--- a/arch/x86/kvm/cpuid.c ++++ b/arch/x86/kvm/cpuid.c +@@ -846,12 +846,6 @@ void kvm_cpuid(struct kvm_vcpu *vcpu, u3 + if (!best) + best = check_cpuid_limit(vcpu, function, index); + +- /* +- * Perfmon not yet supported for L2 guest. +- */ +- if (is_guest_mode(vcpu) && function == 0xa) +- best = NULL; +- + if (best) { + *eax = best->eax; + *ebx = best->ebx; +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -8051,8 +8051,6 @@ static bool nested_vmx_exit_handled(stru + case EXIT_REASON_TASK_SWITCH: + return true; + case EXIT_REASON_CPUID: +- if (kvm_register_read(vcpu, VCPU_REGS_RAX) == 0xa) +- return false; + return true; + case EXIT_REASON_HLT: + return nested_cpu_has(vmcs12, CPU_BASED_HLT_EXITING); diff --git a/queue-4.9/scsi-mac_scsi-fix-mac_scsi-m-option-when-scsi-m.patch b/queue-4.9/scsi-mac_scsi-fix-mac_scsi-m-option-when-scsi-m.patch new file mode 100644 index 00000000000..26ba95b2152 --- /dev/null +++ b/queue-4.9/scsi-mac_scsi-fix-mac_scsi-m-option-when-scsi-m.patch @@ -0,0 +1,32 @@ +From 2559a1ef688f933835912c731bed2254146a9b04 Mon Sep 17 00:00:00 2001 +From: Finn Thain +Date: Thu, 23 Feb 2017 09:08:02 +1100 +Subject: scsi: mac_scsi: Fix MAC_SCSI=m option when SCSI=m + +From: Finn Thain + +commit 2559a1ef688f933835912c731bed2254146a9b04 upstream. + +The mac_scsi driver still gets disabled when SCSI=m. This should have +been fixed back when I enabled the tristate but I didn't see the bug. + +Fixes: 6e9ae6d560e1 ("[PATCH] mac_scsi: Add module option to Kconfig") +Signed-off-by: Finn Thain +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/Kconfig ++++ b/drivers/scsi/Kconfig +@@ -1497,7 +1497,7 @@ config ATARI_SCSI + + config MAC_SCSI + tristate "Macintosh NCR5380 SCSI" +- depends on MAC && SCSI=y ++ depends on MAC && SCSI + select SCSI_SPI_ATTRS + help + This is the NCR 5380 SCSI controller included on most of the 68030 diff --git a/queue-4.9/scsi-qla2xxx-fix-crash-in-qla2xxx_eh_abort-on-bad-ptr.patch b/queue-4.9/scsi-qla2xxx-fix-crash-in-qla2xxx_eh_abort-on-bad-ptr.patch new file mode 100644 index 00000000000..9af0941def5 --- /dev/null +++ b/queue-4.9/scsi-qla2xxx-fix-crash-in-qla2xxx_eh_abort-on-bad-ptr.patch @@ -0,0 +1,35 @@ +From 5f7c2beef819d9ea2d1b814edf6f5981420e9cf8 Mon Sep 17 00:00:00 2001 +From: Bill Kuzeja +Date: Tue, 14 Mar 2017 13:28:44 -0400 +Subject: scsi: qla2xxx: Fix crash in qla2xxx_eh_abort on bad ptr + +From: Bill Kuzeja + +commit 5f7c2beef819d9ea2d1b814edf6f5981420e9cf8 upstream. + +After a Qlogic card breaks when initializing (test case), the system can +crash in qla2xxx_eh_abort if processing anything but a scsi command type +srb. + +Fixes: 1535aa75a3d8 ("scsi: qla2xxx: fix invalid DMA access after command aborts in PCI device remove") +Signed-off-by: Bill Kuzeja +Acked-By: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_os.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -1464,7 +1464,8 @@ qla2x00_abort_all_cmds(scsi_qla_host_t * + /* Don't abort commands in adapter during EEH + * recovery as it's not accessible/responding. + */ +- if (GET_CMD_SP(sp) && !ha->flags.eeh_busy) { ++ if (GET_CMD_SP(sp) && !ha->flags.eeh_busy && ++ (sp->type == SRB_SCSI_CMD)) { + /* Get a reference to the sp and drop the lock. + * The reference ensures this sp->done() call + * - and not the call in qla2xxx_eh_abort() - diff --git a/queue-4.9/scsi-scsi_dh_emc-return-success-in-clariion_std_inquiry.patch b/queue-4.9/scsi-scsi_dh_emc-return-success-in-clariion_std_inquiry.patch new file mode 100644 index 00000000000..8b4af7f30d0 --- /dev/null +++ b/queue-4.9/scsi-scsi_dh_emc-return-success-in-clariion_std_inquiry.patch @@ -0,0 +1,32 @@ +From 4d7d39a18b8b81511f0b893b7d2203790bf8a58b Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 21 Feb 2017 21:46:37 +0300 +Subject: scsi: scsi_dh_emc: return success in clariion_std_inquiry() + +From: Dan Carpenter + +commit 4d7d39a18b8b81511f0b893b7d2203790bf8a58b upstream. + +We accidentally return an uninitialized variable on success. + +Fixes: b6ff1b14cdf4 ("[SCSI] scsi_dh: Update EMC handler") +Signed-off-by: Dan Carpenter +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/device_handler/scsi_dh_emc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/device_handler/scsi_dh_emc.c ++++ b/drivers/scsi/device_handler/scsi_dh_emc.c +@@ -461,7 +461,7 @@ static int clariion_prep_fn(struct scsi_ + static int clariion_std_inquiry(struct scsi_device *sdev, + struct clariion_dh_data *csdev) + { +- int err; ++ int err = SCSI_DH_OK; + char *sp_model; + + err = send_inquiry_cmd(sdev, 0, csdev); diff --git a/queue-4.9/scsi-smartpqi-fix-time-handling.patch b/queue-4.9/scsi-smartpqi-fix-time-handling.patch new file mode 100644 index 00000000000..24bbfb163ac --- /dev/null +++ b/queue-4.9/scsi-smartpqi-fix-time-handling.patch @@ -0,0 +1,53 @@ +From ed10858eadd4988260c6bc7d75fc25176342b5a7 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 17 Feb 2017 16:03:52 +0100 +Subject: scsi: smartpqi: fix time handling + +From: Arnd Bergmann + +commit ed10858eadd4988260c6bc7d75fc25176342b5a7 upstream. + +When we have turned off RTC support, the smartpqi driver fails to build: + +ERROR: "rtc_time64_to_tm" [drivers/scsi/smartpqi/smartpqi.ko] undefined! + +This is easily avoided by using the generic 'struct tm' based helper rather +than the RTC specific one. While fixing this, I noticed that even though +the driver uses time64_t for storing seconds, it gets them from the +old 32-bit struct timeval. To address this, we can simplify the code +by calling ktime_get_real_seconds() directly. + +Fixes: 6c223761eb54 ("smartpqi: initial commit of Microsemi smartpqi driver") +Signed-off-by: Arnd Bergmann +Acked-by: Don Brace +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/smartpqi/smartpqi_init.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/scsi/smartpqi/smartpqi_init.c ++++ b/drivers/scsi/smartpqi/smartpqi_init.c +@@ -533,8 +533,7 @@ static int pqi_write_current_time_to_hos + size_t buffer_length; + time64_t local_time; + unsigned int year; +- struct timeval time; +- struct rtc_time tm; ++ struct tm tm; + + buffer_length = sizeof(*buffer); + +@@ -551,9 +550,8 @@ static int pqi_write_current_time_to_hos + put_unaligned_le16(sizeof(buffer->time), + &buffer->time_length); + +- do_gettimeofday(&time); +- local_time = time.tv_sec - (sys_tz.tz_minuteswest * 60); +- rtc_time64_to_tm(local_time, &tm); ++ local_time = ktime_get_real_seconds(); ++ time64_to_tm(local_time, -sys_tz.tz_minuteswest * 60, &tm); + year = tm.tm_year + 1900; + + buffer->time[0] = bin2bcd(tm.tm_hour); diff --git a/queue-4.9/serial-8250_omap-fix-probe-and-remove-for-pm-runtime.patch b/queue-4.9/serial-8250_omap-fix-probe-and-remove-for-pm-runtime.patch new file mode 100644 index 00000000000..27443172b8e --- /dev/null +++ b/queue-4.9/serial-8250_omap-fix-probe-and-remove-for-pm-runtime.patch @@ -0,0 +1,59 @@ +From 4e0f5cc65098ea32a1e77baae74215b9bd5276b1 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Fri, 20 Jan 2017 12:22:31 -0800 +Subject: serial: 8250_omap: Fix probe and remove for PM runtime + +From: Tony Lindgren + +commit 4e0f5cc65098ea32a1e77baae74215b9bd5276b1 upstream. + +Otherwise the interconnect related code implementing PM runtime will +produce these errors on a failed probe: + +omap_uart 48066000.serial: omap_device: omap_device_enable() called from invalid state 1 +omap_uart 48066000.serial: use pm_runtime_put_sync_suspend() in driver? + +Note that we now also need to check for priv in omap8250_runtime_suspend() +as it has not yet been registered if probe fails. And we need to use +pm_runtime_put_sync() to properly idle the device like we already do +in omap8250_remove(). + +Fixes: 61929cf0169d ("tty: serial: Add 8250-core based omap driver") +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_omap.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/8250/8250_omap.c ++++ b/drivers/tty/serial/8250/8250_omap.c +@@ -1237,7 +1237,8 @@ static int omap8250_probe(struct platfor + pm_runtime_put_autosuspend(&pdev->dev); + return 0; + err: +- pm_runtime_put(&pdev->dev); ++ pm_runtime_dont_use_autosuspend(&pdev->dev); ++ pm_runtime_put_sync(&pdev->dev); + pm_runtime_disable(&pdev->dev); + return ret; + } +@@ -1246,6 +1247,7 @@ static int omap8250_remove(struct platfo + { + struct omap8250_priv *priv = platform_get_drvdata(pdev); + ++ pm_runtime_dont_use_autosuspend(&pdev->dev); + pm_runtime_put_sync(&pdev->dev); + pm_runtime_disable(&pdev->dev); + serial8250_unregister_port(priv->line); +@@ -1345,6 +1347,10 @@ static int omap8250_runtime_suspend(stru + struct omap8250_priv *priv = dev_get_drvdata(dev); + struct uart_8250_port *up; + ++ /* In case runtime-pm tries this before we are setup */ ++ if (!priv) ++ return 0; ++ + up = serial8250_get_port(priv->line); + /* + * When using 'no_console_suspend', the console UART must not be diff --git a/queue-4.9/series b/queue-4.9/series index 5c5db93ec49..9dca60c9182 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -1,2 +1,78 @@ 9p-fix-a-potential-acl-leak.patch drm-sti-fix-gdp-size-to-support-up-to-uhd-resolution.patch +irqchip-mips-gic-fix-local-interrupts.patch +hwmon-it87-fix-pwm4-detection-for-it8620-and-it8628.patch +tpm-fix-rc-value-check-in-tpm2_seal_trusted.patch +tmp-use-pdev-for-parent-device-in-tpm_chip_alloc.patch +crypto-caam-fix-error-path-for-ctx_dma-mapping-failure.patch +power-supply-lp8788-prevent-out-of-bounds-array-access.patch +cpupower-fix-turbo-frequency-reporting-for-pre-sandy-bridge-cores.patch +powerpc-mm-fixup-wrong-lpcr_vrmasd-value.patch +powerpc-powernv-fix-opal_exit-tracepoint-opcode.patch +powerpc-ftrace-fix-confusing-help-text-for-disable_mprofile_kernel.patch +powerpc-correctly-disable-latent-entropy-gcc-plugin-on-prom_init.o.patch +perf-x86-intel-pt-add-format-strings-for-ptwrite-and-power-event-tracing.patch +power-supply-bq24190_charger-fix-irq-trigger-to-irqf_trigger_falling.patch +power-supply-bq24190_charger-call-set_mode_host-on-pm_resume.patch +power-supply-bq24190_charger-install-irq_handler_thread-at-end-of-probe.patch +power-supply-bq24190_charger-call-power_supply_changed-for-relevant-component.patch +power-supply-bq24190_charger-don-t-read-fault-register-outside-irq_handle_thread.patch +power-supply-bq24190_charger-handle-fault-before-status-on-interrupt.patch +arm64-dts-r8a7795-mark-ethernetavb-device-node-disabled.patch +arm-dts-qcom-fix-ipq-board-clock-rates.patch +arm64-improve-detection-of-user-non-user-mappings-in-set_pte-_at.patch +leds-ktd2692-avoid-harmless-maybe-uninitialized-warning.patch +arm-dts-nsp-gpio-reboot-open-source.patch +arm-omap5-dra7-fix-hyp-mode-boot-for-thumb2-build.patch +arm-dts-sun7i-lamobo-r1-fix-cpu-port-rgmii-settings.patch +mwifiex-debugfs-fix-sometimes-off-by-1-ssid-print.patch +mwifiex-remove-redundant-dma-padding-in-amsdu.patch +mwifiex-avoid-skipping-wep-key-deletion-for-ap.patch +iwlwifi-fix-module_firmware-for-6030.patch +iwlwifi-mvm-don-t-restart-hw-if-suspend-fails-with-unified-image.patch +iwlwifi-mvm-overwrite-skb-info-later.patch +iwlwifi-pcie-don-t-increment-decrement-a-bool.patch +iwlwifi-pcie-trans-remove-unused-shift_param.patch +iwlwifi-pcie-fix-the-set-of-dma-memory-mask.patch +iwlwifi-mvm-fix-reorder-timer-re-arming.patch +iwlwifi-mvm-use-aux-queue-for-offchannel-frames-in-dqa.patch +iwlwifi-mvm-pcie-adjust-a-msdu-tx_cmd-length-in-pcie.patch +iwlwifi-mvm-fix-pending-frame-counter-calculation.patch +iwlwifi-mvm-fix-references-to-first_agg_queue-in-dqa-mode.patch +iwlwifi-mvm-synchronize-firmware-dma-paging-memory.patch +iwlwifi-mvm-writing-zero-bytes-to-debugfs-causes-a-crash.patch +x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch +x86-pci-calgary-fix-iommu_free-comparison-of-unsigned-expression-0.patch +x86-mpx-re-add-mpx-to-selftests-makefile.patch +clk-make-x86-conditional-on-config_common_clk.patch +kprobes-x86-fix-kernel-panic-when-certain-exception-handling-addresses-are-probed.patch +x86-platform-intel-mid-correct-msi-irq-line-for-watchdog-device.patch +revert-kvm-nested-vmx-disable-perf-cpuid-reporting.patch +kvm-nvmx-initialize-pml-fields-in-vmcs02.patch +kvm-nvmx-do-not-leak-pml-full-vmexit-to-l1.patch +usb-dwc2-host-use-msleep-for-long-delay.patch +usb-host-ehci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch +usb-host-ohci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch +usb-chipidea-only-read-write-otgsc-from-one-place.patch +usb-chipidea-handle-extcon-events-properly.patch +usb-serial-keyspan_pda-fix-receive-sanity-checks.patch +usb-serial-digi_acceleport-fix-incomplete-rx-sanity-check.patch +usb-serial-ssu100-fix-control-message-error-handling.patch +usb-serial-io_edgeport-fix-epic-descriptor-handling.patch +usb-serial-ti_usb_3410_5052-fix-control-message-error-handling.patch +usb-serial-ark3116-fix-open-error-handling.patch +usb-serial-ftdi_sio-fix-latency-timer-error-handling.patch +usb-serial-quatech2-fix-control-message-error-handling.patch +usb-serial-mct_u232-fix-modem-status-error-handling.patch +usb-serial-io_edgeport-fix-descriptor-error-handling.patch +usb-serial-sierra-fix-bogus-alternate-setting-assumption.patch +clk-rockchip-add-to-mux_pll_src_apll_dpll_gpll_usb480m_p-on-rk3036.patch +phy-qcom-usb-hs-add-depends-on-extcon.patch +serial-8250_omap-fix-probe-and-remove-for-pm-runtime.patch +scsi-qla2xxx-fix-crash-in-qla2xxx_eh_abort-on-bad-ptr.patch +scsi-mac_scsi-fix-mac_scsi-m-option-when-scsi-m.patch +scsi-scsi_dh_emc-return-success-in-clariion_std_inquiry.patch +scsi-smartpqi-fix-time-handling.patch +mips-r2-on-r6-multu-maddu-msubu-emulation-bugfix.patch +brcmfmac-ensure-pointer-correctly-set-if-skb-data-location-changes.patch +brcmfmac-make-skb-header-writable-before-use.patch diff --git a/queue-4.9/tmp-use-pdev-for-parent-device-in-tpm_chip_alloc.patch b/queue-4.9/tmp-use-pdev-for-parent-device-in-tpm_chip_alloc.patch new file mode 100644 index 00000000000..95313a66bf3 --- /dev/null +++ b/queue-4.9/tmp-use-pdev-for-parent-device-in-tpm_chip_alloc.patch @@ -0,0 +1,61 @@ +From 2998b02b2fb58f36ccbc318b00513174e9947d8e Mon Sep 17 00:00:00 2001 +From: "Winkler, Tomas" +Date: Wed, 23 Nov 2016 12:04:13 +0200 +Subject: tmp: use pdev for parent device in tpm_chip_alloc + +From: Winkler, Tomas + +commit 2998b02b2fb58f36ccbc318b00513174e9947d8e upstream. + +The tpm stack uses pdev name convention for the parent device. +Fix that also in tpm_chip_alloc(). + +Fixes: 3897cd9c8d1d ("tpm: Split out the devm stuff from tpmm_chip_alloc")' +Signed-off-by: Tomas Winkler +Reviewed-by: Jarkko Sakkinen +Tested-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm-chip.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/char/tpm/tpm-chip.c ++++ b/drivers/char/tpm/tpm-chip.c +@@ -140,7 +140,7 @@ static void tpm_dev_release(struct devic + * Allocates a new struct tpm_chip instance and assigns a free + * device number for it. Must be paired with put_device(&chip->dev). + */ +-struct tpm_chip *tpm_chip_alloc(struct device *dev, ++struct tpm_chip *tpm_chip_alloc(struct device *pdev, + const struct tpm_class_ops *ops) + { + struct tpm_chip *chip; +@@ -159,7 +159,7 @@ struct tpm_chip *tpm_chip_alloc(struct d + rc = idr_alloc(&dev_nums_idr, NULL, 0, TPM_NUM_DEVICES, GFP_KERNEL); + mutex_unlock(&idr_lock); + if (rc < 0) { +- dev_err(dev, "No available tpm device numbers\n"); ++ dev_err(pdev, "No available tpm device numbers\n"); + kfree(chip); + return ERR_PTR(rc); + } +@@ -169,7 +169,7 @@ struct tpm_chip *tpm_chip_alloc(struct d + + chip->dev.class = tpm_class; + chip->dev.release = tpm_dev_release; +- chip->dev.parent = dev; ++ chip->dev.parent = pdev; + chip->dev.groups = chip->groups; + + if (chip->dev_num == 0) +@@ -181,7 +181,7 @@ struct tpm_chip *tpm_chip_alloc(struct d + if (rc) + goto out; + +- if (!dev) ++ if (!pdev) + chip->flags |= TPM_CHIP_FLAG_VIRTUAL; + + cdev_init(&chip->cdev, &tpm_fops); diff --git a/queue-4.9/tpm-fix-rc-value-check-in-tpm2_seal_trusted.patch b/queue-4.9/tpm-fix-rc-value-check-in-tpm2_seal_trusted.patch new file mode 100644 index 00000000000..54935c40729 --- /dev/null +++ b/queue-4.9/tpm-fix-rc-value-check-in-tpm2_seal_trusted.patch @@ -0,0 +1,49 @@ +From 7d761119a914ec0ac05ec2a5378d1f86e680967d Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Wed, 25 Jan 2017 23:00:22 +0200 +Subject: tpm: fix RC value check in tpm2_seal_trusted + +From: Jarkko Sakkinen + +commit 7d761119a914ec0ac05ec2a5378d1f86e680967d upstream. + +The error code handling is broken as any error code that has the same +bits set as TPM_RC_HASH passes. Implemented tpm2_rc_value() helper to +parse the error value from FMT0 and FMT1 error codes so that these types +of mistakes are prevented in the future. + +Fixes: 5ca4c20cfd37 ("keys, trusted: select hash algorithm for TPM2 chips") +Signed-off-by: Jarkko Sakkinen +Reviewed-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm.h | 5 +++++ + drivers/char/tpm/tpm2-cmd.c | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/char/tpm/tpm.h ++++ b/drivers/char/tpm/tpm.h +@@ -518,6 +518,11 @@ static inline void tpm_add_ppi(struct tp + } + #endif + ++static inline inline u32 tpm2_rc_value(u32 rc) ++{ ++ return (rc & BIT(7)) ? rc & 0xff : rc; ++} ++ + int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf); + int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash); + int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max); +--- a/drivers/char/tpm/tpm2-cmd.c ++++ b/drivers/char/tpm/tpm2-cmd.c +@@ -529,7 +529,7 @@ out: + tpm_buf_destroy(&buf); + + if (rc > 0) { +- if ((rc & TPM2_RC_HASH) == TPM2_RC_HASH) ++ if (tpm2_rc_value(rc) == TPM2_RC_HASH) + rc = -EINVAL; + else + rc = -EPERM; diff --git a/queue-4.9/usb-chipidea-handle-extcon-events-properly.patch b/queue-4.9/usb-chipidea-handle-extcon-events-properly.patch new file mode 100644 index 00000000000..b84816b8e13 --- /dev/null +++ b/queue-4.9/usb-chipidea-handle-extcon-events-properly.patch @@ -0,0 +1,128 @@ +From a89b94b53371bbfa582787c2fa3378000ea4263d Mon Sep 17 00:00:00 2001 +From: Stephen Boyd +Date: Wed, 28 Dec 2016 14:56:51 -0800 +Subject: usb: chipidea: Handle extcon events properly + +From: Stephen Boyd + +commit a89b94b53371bbfa582787c2fa3378000ea4263d upstream. + +We're currently emulating the vbus and id interrupts in the OTGSC +read API, but we also need to make sure that if we're handling +the events with extcon that we don't enable the interrupts for +those events in the hardware. Therefore, properly emulate this +register if we're using extcon, but don't enable the interrupts. +This allows me to get my cable connect/disconnect working +properly without getting spurious interrupts on my device that +uses an extcon for these two events. + +Acked-by: Peter Chen +Cc: Greg Kroah-Hartman +Cc: "Ivan T. Ivanov" +Fixes: 3ecb3e09b042 ("usb: chipidea: Use extcon framework for VBUS and ID detect") +Signed-off-by: Stephen Boyd +Signed-off-by: Peter Chen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/chipidea/otg.c | 46 ++++++++++++++++++++++++++++++++++++++----- + include/linux/usb/chipidea.h | 2 + + 2 files changed, 43 insertions(+), 5 deletions(-) + +--- a/drivers/usb/chipidea/otg.c ++++ b/drivers/usb/chipidea/otg.c +@@ -44,12 +44,15 @@ u32 hw_read_otgsc(struct ci_hdrc *ci, u3 + else + val &= ~OTGSC_BSVIS; + +- cable->changed = false; +- + if (cable->state) + val |= OTGSC_BSV; + else + val &= ~OTGSC_BSV; ++ ++ if (cable->enabled) ++ val |= OTGSC_BSVIE; ++ else ++ val &= ~OTGSC_BSVIE; + } + + cable = &ci->platdata->id_extcon; +@@ -59,15 +62,18 @@ u32 hw_read_otgsc(struct ci_hdrc *ci, u3 + else + val &= ~OTGSC_IDIS; + +- cable->changed = false; +- + if (cable->state) + val |= OTGSC_ID; + else + val &= ~OTGSC_ID; ++ ++ if (cable->enabled) ++ val |= OTGSC_IDIE; ++ else ++ val &= ~OTGSC_IDIE; + } + +- return val; ++ return val & mask; + } + + /** +@@ -77,6 +83,36 @@ u32 hw_read_otgsc(struct ci_hdrc *ci, u3 + */ + void hw_write_otgsc(struct ci_hdrc *ci, u32 mask, u32 data) + { ++ struct ci_hdrc_cable *cable; ++ ++ cable = &ci->platdata->vbus_extcon; ++ if (!IS_ERR(cable->edev)) { ++ if (data & mask & OTGSC_BSVIS) ++ cable->changed = false; ++ ++ /* Don't enable vbus interrupt if using external notifier */ ++ if (data & mask & OTGSC_BSVIE) { ++ cable->enabled = true; ++ data &= ~OTGSC_BSVIE; ++ } else if (mask & OTGSC_BSVIE) { ++ cable->enabled = false; ++ } ++ } ++ ++ cable = &ci->platdata->id_extcon; ++ if (!IS_ERR(cable->edev)) { ++ if (data & mask & OTGSC_IDIS) ++ cable->changed = false; ++ ++ /* Don't enable id interrupt if using external notifier */ ++ if (data & mask & OTGSC_IDIE) { ++ cable->enabled = true; ++ data &= ~OTGSC_IDIE; ++ } else if (mask & OTGSC_IDIE) { ++ cable->enabled = false; ++ } ++ } ++ + hw_write(ci, OP_OTGSC, mask | OTGSC_INT_STATUS_BITS, data); + } + +--- a/include/linux/usb/chipidea.h ++++ b/include/linux/usb/chipidea.h +@@ -14,6 +14,7 @@ struct ci_hdrc; + * struct ci_hdrc_cable - structure for external connector cable state tracking + * @state: current state of the line + * @changed: set to true when extcon event happen ++ * @enabled: set to true if we've enabled the vbus or id interrupt + * @edev: device which generate events + * @ci: driver state of the chipidea device + * @nb: hold event notification callback +@@ -22,6 +23,7 @@ struct ci_hdrc; + struct ci_hdrc_cable { + bool state; + bool changed; ++ bool enabled; + struct extcon_dev *edev; + struct ci_hdrc *ci; + struct notifier_block nb; diff --git a/queue-4.9/usb-chipidea-only-read-write-otgsc-from-one-place.patch b/queue-4.9/usb-chipidea-only-read-write-otgsc-from-one-place.patch new file mode 100644 index 00000000000..b66ff0a7760 --- /dev/null +++ b/queue-4.9/usb-chipidea-only-read-write-otgsc-from-one-place.patch @@ -0,0 +1,134 @@ +From f60f8ccd54e03c1afafb2b20ceb029a0eaf7a134 Mon Sep 17 00:00:00 2001 +From: Stephen Boyd +Date: Wed, 28 Dec 2016 14:56:50 -0800 +Subject: usb: chipidea: Only read/write OTGSC from one place + +From: Stephen Boyd + +commit f60f8ccd54e03c1afafb2b20ceb029a0eaf7a134 upstream. + +With the id and vbus detection done via extcon we need to make +sure we poll the status of OTGSC properly by considering what the +extcon is saying, and not just what the register is saying. Let's +move this hw_wait_reg() function to the only place it's used and +simplify it for polling the OTGSC register. Then we can make +certain we only use the hw_read_otgsc() API to read OTGSC, which +will make sure we properly handle extcon events. + +Acked-by: Peter Chen +Cc: Greg Kroah-Hartman +Cc: "Ivan T. Ivanov" +Fixes: 3ecb3e09b042 ("usb: chipidea: Use extcon framework for VBUS and ID detect") +Signed-off-by: Stephen Boyd +Signed-off-by: Peter Chen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/chipidea/ci.h | 3 --- + drivers/usb/chipidea/core.c | 32 -------------------------------- + drivers/usb/chipidea/otg.c | 34 ++++++++++++++++++++++++++++++---- + 3 files changed, 30 insertions(+), 39 deletions(-) + +--- a/drivers/usb/chipidea/ci.h ++++ b/drivers/usb/chipidea/ci.h +@@ -428,9 +428,6 @@ int hw_port_test_set(struct ci_hdrc *ci, + + u8 hw_port_test_get(struct ci_hdrc *ci); + +-int hw_wait_reg(struct ci_hdrc *ci, enum ci_hw_regs reg, u32 mask, +- u32 value, unsigned int timeout_ms); +- + void ci_platform_configure(struct ci_hdrc *ci); + + int dbg_create_files(struct ci_hdrc *ci); +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -516,38 +516,6 @@ int hw_device_reset(struct ci_hdrc *ci) + return 0; + } + +-/** +- * hw_wait_reg: wait the register value +- * +- * Sometimes, it needs to wait register value before going on. +- * Eg, when switch to device mode, the vbus value should be lower +- * than OTGSC_BSV before connects to host. +- * +- * @ci: the controller +- * @reg: register index +- * @mask: mast bit +- * @value: the bit value to wait +- * @timeout_ms: timeout in millisecond +- * +- * This function returns an error code if timeout +- */ +-int hw_wait_reg(struct ci_hdrc *ci, enum ci_hw_regs reg, u32 mask, +- u32 value, unsigned int timeout_ms) +-{ +- unsigned long elapse = jiffies + msecs_to_jiffies(timeout_ms); +- +- while (hw_read(ci, reg, mask) != value) { +- if (time_after(jiffies, elapse)) { +- dev_err(ci->dev, "timeout waiting for %08x in %d\n", +- mask, reg); +- return -ETIMEDOUT; +- } +- msleep(20); +- } +- +- return 0; +-} +- + static irqreturn_t ci_irq(int irq, void *data) + { + struct ci_hdrc *ci = data; +--- a/drivers/usb/chipidea/otg.c ++++ b/drivers/usb/chipidea/otg.c +@@ -104,7 +104,31 @@ void ci_handle_vbus_change(struct ci_hdr + usb_gadget_vbus_disconnect(&ci->gadget); + } + +-#define CI_VBUS_STABLE_TIMEOUT_MS 5000 ++/** ++ * When we switch to device mode, the vbus value should be lower ++ * than OTGSC_BSV before connecting to host. ++ * ++ * @ci: the controller ++ * ++ * This function returns an error code if timeout ++ */ ++static int hw_wait_vbus_lower_bsv(struct ci_hdrc *ci) ++{ ++ unsigned long elapse = jiffies + msecs_to_jiffies(5000); ++ u32 mask = OTGSC_BSV; ++ ++ while (hw_read_otgsc(ci, mask)) { ++ if (time_after(jiffies, elapse)) { ++ dev_err(ci->dev, "timeout waiting for %08x in OTGSC\n", ++ mask); ++ return -ETIMEDOUT; ++ } ++ msleep(20); ++ } ++ ++ return 0; ++} ++ + static void ci_handle_id_switch(struct ci_hdrc *ci) + { + enum ci_role role = ci_otg_role(ci); +@@ -116,9 +140,11 @@ static void ci_handle_id_switch(struct c + ci_role_stop(ci); + + if (role == CI_ROLE_GADGET) +- /* wait vbus lower than OTGSC_BSV */ +- hw_wait_reg(ci, OP_OTGSC, OTGSC_BSV, 0, +- CI_VBUS_STABLE_TIMEOUT_MS); ++ /* ++ * wait vbus lower than OTGSC_BSV before connecting ++ * to host ++ */ ++ hw_wait_vbus_lower_bsv(ci); + + ci_role_start(ci, role); + } diff --git a/queue-4.9/usb-dwc2-host-use-msleep-for-long-delay.patch b/queue-4.9/usb-dwc2-host-use-msleep-for-long-delay.patch new file mode 100644 index 00000000000..0924249a430 --- /dev/null +++ b/queue-4.9/usb-dwc2-host-use-msleep-for-long-delay.patch @@ -0,0 +1,35 @@ +From d3fe81d2ccc41b355e494413115c0c7c18426fa1 Mon Sep 17 00:00:00 2001 +From: Nicholas Mc Guire +Date: Mon, 23 Jan 2017 15:00:40 -0800 +Subject: usb: dwc2: host: use msleep() for long delay + +From: Nicholas Mc Guire + +commit d3fe81d2ccc41b355e494413115c0c7c18426fa1 upstream. + +ulseep_range() uses hrtimers and provides no advantage over msleep() +for larger delays. Fix up the 100ms delays here passing the adjusted "min" +value to msleep(). This helps reduce the load on the hrtimer subsystem. + +Link: http://lkml.org/lkml/2017/1/11/377 +Fixes: commit 2938fc63e0c2 ("usb: dwc2: Properly account for the force mode delays") +Signed-off-by: Nicholas Mc Guire +Signed-off-by: John Youn +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc2/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/dwc2/core.c ++++ b/drivers/usb/dwc2/core.c +@@ -455,7 +455,7 @@ static void dwc2_clear_force_mode(struct + dwc2_writel(gusbcfg, hsotg->regs + GUSBCFG); + + if (dwc2_iddig_filter_enabled(hsotg)) +- usleep_range(100000, 110000); ++ msleep(100); + } + + /* diff --git a/queue-4.9/usb-host-ehci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch b/queue-4.9/usb-host-ehci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch new file mode 100644 index 00000000000..dd7efbf69ed --- /dev/null +++ b/queue-4.9/usb-host-ehci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch @@ -0,0 +1,38 @@ +From 3f6026b1dcb3c8ee71198c485a72ac674c6890dd Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sat, 7 Jan 2017 10:41:40 +0200 +Subject: usb: host: ehci-exynos: Decrese node refcount on exynos_ehci_get_phy() error paths + +From: Krzysztof Kozlowski + +commit 3f6026b1dcb3c8ee71198c485a72ac674c6890dd upstream. + +Returning from for_each_available_child_of_node() loop requires cleaning +up node refcount. Error paths lacked it so for example in case of +deferred probe, the refcount of phy node was left increased. + +Fixes: 6d40500ac9b6 ("usb: ehci/ohci-exynos: Fix of_node_put() for child when getting PHYs") +Signed-off-by: Krzysztof Kozlowski +Acked-by: Alan Stern +Reviewed-by: Javier Martinez Canillas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ehci-exynos.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/host/ehci-exynos.c ++++ b/drivers/usb/host/ehci-exynos.c +@@ -77,10 +77,12 @@ static int exynos_ehci_get_phy(struct de + if (IS_ERR(phy)) { + ret = PTR_ERR(phy); + if (ret == -EPROBE_DEFER) { ++ of_node_put(child); + return ret; + } else if (ret != -ENOSYS && ret != -ENODEV) { + dev_err(dev, + "Error retrieving usb2 phy: %d\n", ret); ++ of_node_put(child); + return ret; + } + } diff --git a/queue-4.9/usb-host-ohci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch b/queue-4.9/usb-host-ohci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch new file mode 100644 index 00000000000..8766bcd6242 --- /dev/null +++ b/queue-4.9/usb-host-ohci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch @@ -0,0 +1,38 @@ +From 68bd6fc3cfa98ef253e17307ccafd8ef907b5556 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sat, 7 Jan 2017 10:41:41 +0200 +Subject: usb: host: ohci-exynos: Decrese node refcount on exynos_ehci_get_phy() error paths + +From: Krzysztof Kozlowski + +commit 68bd6fc3cfa98ef253e17307ccafd8ef907b5556 upstream. + +Returning from for_each_available_child_of_node() loop requires cleaning +up node refcount. Error paths lacked it so for example in case of +deferred probe, the refcount of phy node was left increased. + +Fixes: 6d40500ac9b6 ("usb: ehci/ohci-exynos: Fix of_node_put() for child when getting PHYs") +Signed-off-by: Krzysztof Kozlowski +Acked-by: Alan Stern +Reviewed-by: Javier Martinez Canillas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ohci-exynos.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/host/ohci-exynos.c ++++ b/drivers/usb/host/ohci-exynos.c +@@ -66,10 +66,12 @@ static int exynos_ohci_get_phy(struct de + if (IS_ERR(phy)) { + ret = PTR_ERR(phy); + if (ret == -EPROBE_DEFER) { ++ of_node_put(child); + return ret; + } else if (ret != -ENOSYS && ret != -ENODEV) { + dev_err(dev, + "Error retrieving usb2 phy: %d\n", ret); ++ of_node_put(child); + return ret; + } + } diff --git a/queue-4.9/usb-serial-ark3116-fix-open-error-handling.patch b/queue-4.9/usb-serial-ark3116-fix-open-error-handling.patch new file mode 100644 index 00000000000..e651aed5c40 --- /dev/null +++ b/queue-4.9/usb-serial-ark3116-fix-open-error-handling.patch @@ -0,0 +1,81 @@ +From b631433b175f1002a31020e09bbfc2e5caecf290 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Jan 2017 14:56:10 +0100 +Subject: USB: serial: ark3116: fix open error handling + +From: Johan Hovold + +commit b631433b175f1002a31020e09bbfc2e5caecf290 upstream. + +Fix open error handling which failed to detect errors when reading the +MSR and LSR registers, something which could lead to the shadow +registers being initialised from errnos. + +Note that calling the generic close implementation is sufficient in the +error paths as the interrupt urb has not yet been submitted and the +register updates have not been made. + +Fixes: f4c1e8d597d1 ("USB: ark3116: Make existing functions 16450-aware +and add close and release functions.") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ark3116.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +--- a/drivers/usb/serial/ark3116.c ++++ b/drivers/usb/serial/ark3116.c +@@ -373,23 +373,29 @@ static int ark3116_open(struct tty_struc + dev_dbg(&port->dev, + "%s - usb_serial_generic_open failed: %d\n", + __func__, result); +- goto err_out; ++ goto err_free; + } + + /* remove any data still left: also clears error state */ + ark3116_read_reg(serial, UART_RX, buf); + + /* read modem status */ +- priv->msr = ark3116_read_reg(serial, UART_MSR, buf); ++ result = ark3116_read_reg(serial, UART_MSR, buf); ++ if (result < 0) ++ goto err_close; ++ priv->msr = *buf; ++ + /* read line status */ +- priv->lsr = ark3116_read_reg(serial, UART_LSR, buf); ++ result = ark3116_read_reg(serial, UART_LSR, buf); ++ if (result < 0) ++ goto err_close; ++ priv->lsr = *buf; + + result = usb_submit_urb(port->interrupt_in_urb, GFP_KERNEL); + if (result) { + dev_err(&port->dev, "submit irq_in urb failed %d\n", + result); +- ark3116_close(port); +- goto err_out; ++ goto err_close; + } + + /* activate interrupts */ +@@ -402,8 +408,15 @@ static int ark3116_open(struct tty_struc + if (tty) + ark3116_set_termios(tty, port, NULL); + +-err_out: + kfree(buf); ++ ++ return 0; ++ ++err_close: ++ usb_serial_generic_close(port); ++err_free: ++ kfree(buf); ++ + return result; + } + diff --git a/queue-4.9/usb-serial-digi_acceleport-fix-incomplete-rx-sanity-check.patch b/queue-4.9/usb-serial-digi_acceleport-fix-incomplete-rx-sanity-check.patch new file mode 100644 index 00000000000..0dc22b39785 --- /dev/null +++ b/queue-4.9/usb-serial-digi_acceleport-fix-incomplete-rx-sanity-check.patch @@ -0,0 +1,81 @@ +From 1b0aed2b1600f6e5c7b9acfbd610a4e351ef5232 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 31 Jan 2017 17:17:28 +0100 +Subject: USB: serial: digi_acceleport: fix incomplete rx sanity check + +From: Johan Hovold + +commit 1b0aed2b1600f6e5c7b9acfbd610a4e351ef5232 upstream. + +Make sure the received data has the required headers before parsing it. + +Also drop the redundant urb-status check, which has already been handled +by the caller. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/digi_acceleport.c | 38 +++++++++++++++++++++-------------- + 1 file changed, 23 insertions(+), 15 deletions(-) + +--- a/drivers/usb/serial/digi_acceleport.c ++++ b/drivers/usb/serial/digi_acceleport.c +@@ -1398,25 +1398,30 @@ static int digi_read_inb_callback(struct + { + struct usb_serial_port *port = urb->context; + struct digi_port *priv = usb_get_serial_port_data(port); +- int opcode = ((unsigned char *)urb->transfer_buffer)[0]; +- int len = ((unsigned char *)urb->transfer_buffer)[1]; +- int port_status = ((unsigned char *)urb->transfer_buffer)[2]; +- unsigned char *data = ((unsigned char *)urb->transfer_buffer) + 3; ++ unsigned char *buf = urb->transfer_buffer; ++ int opcode; ++ int len; ++ int port_status; ++ unsigned char *data; + int flag, throttled; +- int status = urb->status; +- +- /* do not process callbacks on closed ports */ +- /* but do continue the read chain */ +- if (urb->status == -ENOENT) +- return 0; + + /* short/multiple packet check */ ++ if (urb->actual_length < 2) { ++ dev_warn(&port->dev, "short packet received\n"); ++ return -1; ++ } ++ ++ opcode = buf[0]; ++ len = buf[1]; ++ + if (urb->actual_length != len + 2) { +- dev_err(&port->dev, "%s: INCOMPLETE OR MULTIPLE PACKET, " +- "status=%d, port=%d, opcode=%d, len=%d, " +- "actual_length=%d, status=%d\n", __func__, status, +- priv->dp_port_num, opcode, len, urb->actual_length, +- port_status); ++ dev_err(&port->dev, "malformed packet received: port=%d, opcode=%d, len=%d, actual_length=%u\n", ++ priv->dp_port_num, opcode, len, urb->actual_length); ++ return -1; ++ } ++ ++ if (opcode == DIGI_CMD_RECEIVE_DATA && len < 1) { ++ dev_err(&port->dev, "malformed data packet received\n"); + return -1; + } + +@@ -1430,6 +1435,9 @@ static int digi_read_inb_callback(struct + + /* receive data */ + if (opcode == DIGI_CMD_RECEIVE_DATA) { ++ port_status = buf[2]; ++ data = &buf[3]; ++ + /* get flag from port_status */ + flag = 0; + diff --git a/queue-4.9/usb-serial-ftdi_sio-fix-latency-timer-error-handling.patch b/queue-4.9/usb-serial-ftdi_sio-fix-latency-timer-error-handling.patch new file mode 100644 index 00000000000..feda28664b1 --- /dev/null +++ b/queue-4.9/usb-serial-ftdi_sio-fix-latency-timer-error-handling.patch @@ -0,0 +1,42 @@ +From e3e574ad85a208cb179f33720bb5f12b453de33c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Jan 2017 14:56:12 +0100 +Subject: USB: serial: ftdi_sio: fix latency-timer error handling + +From: Johan Hovold + +commit e3e574ad85a208cb179f33720bb5f12b453de33c upstream. + +Make sure to detect short responses when reading the latency timer to +avoid using stale buffer data. + +Note that no heap data would currently leak through sysfs as +ASYNC_LOW_LATENCY is set by default. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1439,10 +1439,13 @@ static int read_latency_timer(struct usb + FTDI_SIO_GET_LATENCY_TIMER_REQUEST_TYPE, + 0, priv->interface, + buf, 1, WDR_TIMEOUT); +- if (rv < 0) ++ if (rv < 1) { + dev_err(&port->dev, "Unable to read latency timer: %i\n", rv); +- else ++ if (rv >= 0) ++ rv = -EIO; ++ } else { + priv->latency = buf[0]; ++ } + + kfree(buf); + diff --git a/queue-4.9/usb-serial-io_edgeport-fix-descriptor-error-handling.patch b/queue-4.9/usb-serial-io_edgeport-fix-descriptor-error-handling.patch new file mode 100644 index 00000000000..22683a77d1a --- /dev/null +++ b/queue-4.9/usb-serial-io_edgeport-fix-descriptor-error-handling.patch @@ -0,0 +1,83 @@ +From 3c0e25d883d06a1fbd1ad35257e8abaa57befb37 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Jan 2017 14:56:14 +0100 +Subject: USB: serial: io_edgeport: fix descriptor error handling + +From: Johan Hovold + +commit 3c0e25d883d06a1fbd1ad35257e8abaa57befb37 upstream. + +Make sure to detect short control-message transfers and log an error +when reading incomplete manufacturer and boot descriptors. + +Note that the default all-zero descriptors will now be used after a +short transfer is detected instead of partially initialised ones. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/io_edgeport.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/drivers/usb/serial/io_edgeport.c ++++ b/drivers/usb/serial/io_edgeport.c +@@ -2105,8 +2105,7 @@ static int rom_write(struct usb_serial * + * rom_read + * reads a number of bytes from the Edgeport device starting at the given + * address. +- * If successful returns the number of bytes read, otherwise it returns +- * a negative error number of the problem. ++ * Returns zero on success or a negative error number. + ****************************************************************************/ + static int rom_read(struct usb_serial *serial, __u16 extAddr, + __u16 addr, __u16 length, __u8 *data) +@@ -2131,12 +2130,17 @@ static int rom_read(struct usb_serial *s + USB_REQUEST_ION_READ_ROM, + 0xC0, addr, extAddr, transfer_buffer, + current_length, 300); +- if (result < 0) ++ if (result < current_length) { ++ if (result >= 0) ++ result = -EIO; + break; ++ } + memcpy(data, transfer_buffer, current_length); + length -= current_length; + addr += current_length; + data += current_length; ++ ++ result = 0; + } + + kfree(transfer_buffer); +@@ -2590,9 +2594,10 @@ static void get_manufacturing_desc(struc + EDGE_MANUF_DESC_LEN, + (__u8 *)(&edge_serial->manuf_descriptor)); + +- if (response < 1) +- dev_err(dev, "error in getting manufacturer descriptor\n"); +- else { ++ if (response < 0) { ++ dev_err(dev, "error in getting manufacturer descriptor: %d\n", ++ response); ++ } else { + char string[30]; + dev_dbg(dev, "**Manufacturer Descriptor\n"); + dev_dbg(dev, " RomSize: %dK\n", +@@ -2649,9 +2654,10 @@ static void get_boot_desc(struct edgepor + EDGE_BOOT_DESC_LEN, + (__u8 *)(&edge_serial->boot_descriptor)); + +- if (response < 1) +- dev_err(dev, "error in getting boot descriptor\n"); +- else { ++ if (response < 0) { ++ dev_err(dev, "error in getting boot descriptor: %d\n", ++ response); ++ } else { + dev_dbg(dev, "**Boot Descriptor:\n"); + dev_dbg(dev, " BootCodeLength: %d\n", + le16_to_cpu(edge_serial->boot_descriptor.BootCodeLength)); diff --git a/queue-4.9/usb-serial-io_edgeport-fix-epic-descriptor-handling.patch b/queue-4.9/usb-serial-io_edgeport-fix-epic-descriptor-handling.patch new file mode 100644 index 00000000000..5a3b7b3674a --- /dev/null +++ b/queue-4.9/usb-serial-io_edgeport-fix-epic-descriptor-handling.patch @@ -0,0 +1,79 @@ +From e4457d9798adb96272468e93da663de9bd0a4198 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Jan 2017 14:56:13 +0100 +Subject: USB: serial: io_edgeport: fix epic-descriptor handling + +From: Johan Hovold + +commit e4457d9798adb96272468e93da663de9bd0a4198 upstream. + +Use a dedicated buffer for the DMA transfer and make sure to detect +short transfers to avoid parsing a corrupt descriptor. + +Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/io_edgeport.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +--- a/drivers/usb/serial/io_edgeport.c ++++ b/drivers/usb/serial/io_edgeport.c +@@ -492,20 +492,24 @@ static int get_epic_descriptor(struct ed + int result; + struct usb_serial *serial = ep->serial; + struct edgeport_product_info *product_info = &ep->product_info; +- struct edge_compatibility_descriptor *epic = &ep->epic_descriptor; ++ struct edge_compatibility_descriptor *epic; + struct edge_compatibility_bits *bits; + struct device *dev = &serial->dev->dev; + + ep->is_epic = 0; ++ ++ epic = kmalloc(sizeof(*epic), GFP_KERNEL); ++ if (!epic) ++ return -ENOMEM; ++ + result = usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0), + USB_REQUEST_ION_GET_EPIC_DESC, + 0xC0, 0x00, 0x00, +- &ep->epic_descriptor, +- sizeof(struct edge_compatibility_descriptor), ++ epic, sizeof(*epic), + 300); +- +- if (result > 0) { ++ if (result == sizeof(*epic)) { + ep->is_epic = 1; ++ memcpy(&ep->epic_descriptor, epic, sizeof(*epic)); + memset(product_info, 0, sizeof(struct edgeport_product_info)); + + product_info->NumPorts = epic->NumPorts; +@@ -534,8 +538,16 @@ static int get_epic_descriptor(struct ed + dev_dbg(dev, " IOSPWriteLCR : %s\n", bits->IOSPWriteLCR ? "TRUE": "FALSE"); + dev_dbg(dev, " IOSPSetBaudRate : %s\n", bits->IOSPSetBaudRate ? "TRUE": "FALSE"); + dev_dbg(dev, " TrueEdgeport : %s\n", bits->TrueEdgeport ? "TRUE": "FALSE"); ++ ++ result = 0; ++ } else if (result >= 0) { ++ dev_warn(&serial->interface->dev, "short epic descriptor received: %d\n", ++ result); ++ result = -EIO; + } + ++ kfree(epic); ++ + return result; + } + +@@ -2782,7 +2794,7 @@ static int edge_startup(struct usb_seria + dev_info(&serial->dev->dev, "%s detected\n", edge_serial->name); + + /* Read the epic descriptor */ +- if (get_epic_descriptor(edge_serial) <= 0) { ++ if (get_epic_descriptor(edge_serial) < 0) { + /* memcpy descriptor to Supports structures */ + memcpy(&edge_serial->epic_descriptor.Supports, descriptor, + sizeof(struct edge_compatibility_bits)); diff --git a/queue-4.9/usb-serial-keyspan_pda-fix-receive-sanity-checks.patch b/queue-4.9/usb-serial-keyspan_pda-fix-receive-sanity-checks.patch new file mode 100644 index 00000000000..6c3124e70be --- /dev/null +++ b/queue-4.9/usb-serial-keyspan_pda-fix-receive-sanity-checks.patch @@ -0,0 +1,63 @@ +From c528fcb116e61afc379a2e0a0f70906b937f1e2c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 31 Jan 2017 17:17:29 +0100 +Subject: USB: serial: keyspan_pda: fix receive sanity checks + +From: Johan Hovold + +commit c528fcb116e61afc379a2e0a0f70906b937f1e2c upstream. + +Make sure to check for short transfers before parsing the receive buffer +to avoid acting on stale data. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/keyspan_pda.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/drivers/usb/serial/keyspan_pda.c ++++ b/drivers/usb/serial/keyspan_pda.c +@@ -139,6 +139,7 @@ static void keyspan_pda_rx_interrupt(str + { + struct usb_serial_port *port = urb->context; + unsigned char *data = urb->transfer_buffer; ++ unsigned int len = urb->actual_length; + int retval; + int status = urb->status; + struct keyspan_pda_private *priv; +@@ -159,18 +160,26 @@ static void keyspan_pda_rx_interrupt(str + goto exit; + } + ++ if (len < 1) { ++ dev_warn(&port->dev, "short message received\n"); ++ goto exit; ++ } ++ + /* see if the message is data or a status interrupt */ + switch (data[0]) { + case 0: + /* rest of message is rx data */ +- if (urb->actual_length) { +- tty_insert_flip_string(&port->port, data + 1, +- urb->actual_length - 1); +- tty_flip_buffer_push(&port->port); +- } ++ if (len < 2) ++ break; ++ tty_insert_flip_string(&port->port, data + 1, len - 1); ++ tty_flip_buffer_push(&port->port); + break; + case 1: + /* status interrupt */ ++ if (len < 3) { ++ dev_warn(&port->dev, "short interrupt message received\n"); ++ break; ++ } + dev_dbg(&port->dev, "rx int, d1=%d, d2=%d\n", data[1], data[2]); + switch (data[1]) { + case 1: /* modemline change */ diff --git a/queue-4.9/usb-serial-mct_u232-fix-modem-status-error-handling.patch b/queue-4.9/usb-serial-mct_u232-fix-modem-status-error-handling.patch new file mode 100644 index 00000000000..9cd4de3191b --- /dev/null +++ b/queue-4.9/usb-serial-mct_u232-fix-modem-status-error-handling.patch @@ -0,0 +1,41 @@ +From 36356a669eddb32917fc4b5c2b9b8bf80ede69de Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Jan 2017 14:56:16 +0100 +Subject: USB: serial: mct_u232: fix modem-status error handling + +From: Johan Hovold + +commit 36356a669eddb32917fc4b5c2b9b8bf80ede69de upstream. + +Make sure to detect short control-message transfers so that errors are +logged when reading the modem status at open. + +Note that while this also avoids initialising the modem status using +uninitialised heap data, these bits could not leak to user space as they +are currently not used. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/mct_u232.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/mct_u232.c ++++ b/drivers/usb/serial/mct_u232.c +@@ -322,8 +322,12 @@ static int mct_u232_get_modem_stat(struc + MCT_U232_GET_REQUEST_TYPE, + 0, 0, buf, MCT_U232_GET_MODEM_STAT_SIZE, + WDR_TIMEOUT); +- if (rc < 0) { ++ if (rc < MCT_U232_GET_MODEM_STAT_SIZE) { + dev_err(&port->dev, "Get MODEM STATus failed (error = %d)\n", rc); ++ ++ if (rc >= 0) ++ rc = -EIO; ++ + *msr = 0; + } else { + *msr = buf[0]; diff --git a/queue-4.9/usb-serial-quatech2-fix-control-message-error-handling.patch b/queue-4.9/usb-serial-quatech2-fix-control-message-error-handling.patch new file mode 100644 index 00000000000..3426272bdea --- /dev/null +++ b/queue-4.9/usb-serial-quatech2-fix-control-message-error-handling.patch @@ -0,0 +1,75 @@ +From 8c34cb8ddfe808d557b51da983ff10c02793beb2 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Jan 2017 14:56:20 +0100 +Subject: USB: serial: quatech2: fix control-message error handling + +From: Johan Hovold + +commit 8c34cb8ddfe808d557b51da983ff10c02793beb2 upstream. + +Make sure to detect short control-message transfers when fetching +modem and line state in open and when retrieving registers. + +This specifically makes sure that an errno is returned to user space on +errors in TIOCMGET instead of a zero bitmask. + +Also drop the unused getdevice function which also lacked appropriate +error handling. + +Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/quatech2.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +--- a/drivers/usb/serial/quatech2.c ++++ b/drivers/usb/serial/quatech2.c +@@ -188,22 +188,22 @@ static inline int qt2_setdevice(struct u + } + + +-static inline int qt2_getdevice(struct usb_device *dev, u8 *data) +-{ +- return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), +- QT_SET_GET_DEVICE, 0xc0, 0, 0, +- data, 3, QT2_USB_TIMEOUT); +-} +- + static inline int qt2_getregister(struct usb_device *dev, + u8 uart, + u8 reg, + u8 *data) + { +- return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), +- QT_SET_GET_REGISTER, 0xc0, reg, +- uart, data, sizeof(*data), QT2_USB_TIMEOUT); ++ int ret; + ++ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), ++ QT_SET_GET_REGISTER, 0xc0, reg, ++ uart, data, sizeof(*data), QT2_USB_TIMEOUT); ++ if (ret < sizeof(*data)) { ++ if (ret >= 0) ++ ret = -EIO; ++ } ++ ++ return ret; + } + + static inline int qt2_setregister(struct usb_device *dev, +@@ -372,9 +372,11 @@ static int qt2_open(struct tty_struct *t + 0xc0, 0, + device_port, data, 2, QT2_USB_TIMEOUT); + +- if (status < 0) { ++ if (status < 2) { + dev_err(&port->dev, "%s - open port failed %i\n", __func__, + status); ++ if (status >= 0) ++ status = -EIO; + kfree(data); + return status; + } diff --git a/queue-4.9/usb-serial-sierra-fix-bogus-alternate-setting-assumption.patch b/queue-4.9/usb-serial-sierra-fix-bogus-alternate-setting-assumption.patch new file mode 100644 index 00000000000..c24be33e0d5 --- /dev/null +++ b/queue-4.9/usb-serial-sierra-fix-bogus-alternate-setting-assumption.patch @@ -0,0 +1,91 @@ +From 16620b483eaf7750413bae472f4363b6b959fcaa Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 6 Feb 2017 16:28:14 +0100 +Subject: USB: serial: sierra: fix bogus alternate-setting assumption + +From: Johan Hovold + +commit 16620b483eaf7750413bae472f4363b6b959fcaa upstream. + +Interface numbers do not change when enabling alternate settings as +comment and code in this driver suggested. + +Remove the confusing comment and redundant retrieval of the interface +number in probe, while simplifying and renaming the interface-number +helper. + +Fixes: 4db2299da213 ("sierra: driver interface blacklisting") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/sierra.c | 28 +++++----------------------- + 1 file changed, 5 insertions(+), 23 deletions(-) + +--- a/drivers/usb/serial/sierra.c ++++ b/drivers/usb/serial/sierra.c +@@ -137,24 +137,9 @@ static int is_himemory(const u8 ifnum, + return 0; + } + +-static int sierra_calc_interface(struct usb_serial *serial) ++static u8 sierra_interface_num(struct usb_serial *serial) + { +- int interface; +- struct usb_interface *p_interface; +- struct usb_host_interface *p_host_interface; +- +- /* Get the interface structure pointer from the serial struct */ +- p_interface = serial->interface; +- +- /* Get a pointer to the host interface structure */ +- p_host_interface = p_interface->cur_altsetting; +- +- /* read the interface descriptor for this active altsetting +- * to find out the interface number we are on +- */ +- interface = p_host_interface->desc.bInterfaceNumber; +- +- return interface; ++ return serial->interface->cur_altsetting->desc.bInterfaceNumber; + } + + static int sierra_probe(struct usb_serial *serial, +@@ -165,7 +150,7 @@ static int sierra_probe(struct usb_seria + u8 ifnum; + + udev = serial->dev; +- ifnum = sierra_calc_interface(serial); ++ ifnum = sierra_interface_num(serial); + + /* + * If this interface supports more than 1 alternate +@@ -178,9 +163,6 @@ static int sierra_probe(struct usb_seria + usb_set_interface(udev, ifnum, 1); + } + +- /* ifnum could have changed - by calling usb_set_interface */ +- ifnum = sierra_calc_interface(serial); +- + if (is_blacklisted(ifnum, + (struct sierra_iface_info *)id->driver_info)) { + dev_dbg(&serial->dev->dev, +@@ -342,7 +324,7 @@ static int sierra_send_setup(struct usb_ + + /* If composite device then properly report interface */ + if (serial->num_ports == 1) { +- interface = sierra_calc_interface(serial); ++ interface = sierra_interface_num(serial); + /* Control message is sent only to interfaces with + * interrupt_in endpoints + */ +@@ -916,7 +898,7 @@ static int sierra_port_probe(struct usb_ + /* Determine actual memory requirements */ + if (serial->num_ports == 1) { + /* Get interface number for composite device */ +- ifnum = sierra_calc_interface(serial); ++ ifnum = sierra_interface_num(serial); + himemoryp = &typeB_interface_list; + } else { + /* This is really the usb-serial port number of the interface diff --git a/queue-4.9/usb-serial-ssu100-fix-control-message-error-handling.patch b/queue-4.9/usb-serial-ssu100-fix-control-message-error-handling.patch new file mode 100644 index 00000000000..251e6e4da89 --- /dev/null +++ b/queue-4.9/usb-serial-ssu100-fix-control-message-error-handling.patch @@ -0,0 +1,78 @@ +From 1eac5c244f705182d1552a53e2f74e2775ed95d6 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Jan 2017 14:56:22 +0100 +Subject: USB: serial: ssu100: fix control-message error handling + +From: Johan Hovold + +commit 1eac5c244f705182d1552a53e2f74e2775ed95d6 upstream. + +Make sure to detect short control-message transfers rather than continue +with zero-initialised data when retrieving modem status and during +device initialisation. + +Fixes: 52af95459939 ("USB: add USB serial ssu100 driver") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ssu100.c | 31 ++++++++++++++++++++++++------- + 1 file changed, 24 insertions(+), 7 deletions(-) + +--- a/drivers/usb/serial/ssu100.c ++++ b/drivers/usb/serial/ssu100.c +@@ -80,9 +80,17 @@ static inline int ssu100_setdevice(struc + + static inline int ssu100_getdevice(struct usb_device *dev, u8 *data) + { +- return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), +- QT_SET_GET_DEVICE, 0xc0, 0, 0, +- data, 3, 300); ++ int ret; ++ ++ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), ++ QT_SET_GET_DEVICE, 0xc0, 0, 0, ++ data, 3, 300); ++ if (ret < 3) { ++ if (ret >= 0) ++ ret = -EIO; ++ } ++ ++ return ret; + } + + static inline int ssu100_getregister(struct usb_device *dev, +@@ -90,10 +98,17 @@ static inline int ssu100_getregister(str + unsigned short reg, + u8 *data) + { +- return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), +- QT_SET_GET_REGISTER, 0xc0, reg, +- uart, data, sizeof(*data), 300); ++ int ret; + ++ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), ++ QT_SET_GET_REGISTER, 0xc0, reg, ++ uart, data, sizeof(*data), 300); ++ if (ret < sizeof(*data)) { ++ if (ret >= 0) ++ ret = -EIO; ++ } ++ ++ return ret; + } + + +@@ -289,8 +304,10 @@ static int ssu100_open(struct tty_struct + QT_OPEN_CLOSE_CHANNEL, + QT_TRANSFER_IN, 0x01, + 0, data, 2, 300); +- if (result < 0) { ++ if (result < 2) { + dev_dbg(&port->dev, "%s - open failed %i\n", __func__, result); ++ if (result >= 0) ++ result = -EIO; + kfree(data); + return result; + } diff --git a/queue-4.9/usb-serial-ti_usb_3410_5052-fix-control-message-error-handling.patch b/queue-4.9/usb-serial-ti_usb_3410_5052-fix-control-message-error-handling.patch new file mode 100644 index 00000000000..eb5626fc5d0 --- /dev/null +++ b/queue-4.9/usb-serial-ti_usb_3410_5052-fix-control-message-error-handling.patch @@ -0,0 +1,55 @@ +From 39712e8bfa8d3aa6ce1e60fc9d62c9b076c17a30 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Jan 2017 14:56:23 +0100 +Subject: USB: serial: ti_usb_3410_5052: fix control-message error handling + +From: Johan Hovold + +commit 39712e8bfa8d3aa6ce1e60fc9d62c9b076c17a30 upstream. + +Make sure to detect and return an error on zero-length control-message +transfers when reading from the device. + +This addresses a potential failure to detect an empty transmit buffer +during close. + +Also remove a redundant check for short transfer when sending a command. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ti_usb_3410_5052.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +--- a/drivers/usb/serial/ti_usb_3410_5052.c ++++ b/drivers/usb/serial/ti_usb_3410_5052.c +@@ -1556,13 +1556,10 @@ static int ti_command_out_sync(struct ti + (USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT), + value, moduleid, data, size, 1000); + +- if (status == size) +- status = 0; +- +- if (status > 0) +- status = -ECOMM; ++ if (status < 0) ++ return status; + +- return status; ++ return 0; + } + + +@@ -1578,8 +1575,7 @@ static int ti_command_in_sync(struct ti_ + + if (status == size) + status = 0; +- +- if (status > 0) ++ else if (status >= 0) + status = -ECOMM; + + return status; diff --git a/queue-4.9/x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch b/queue-4.9/x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch new file mode 100644 index 00000000000..6cd71b3d880 --- /dev/null +++ b/queue-4.9/x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch @@ -0,0 +1,46 @@ +From a9b4f08770b415f30f2fb0f8329a370c8f554aa3 Mon Sep 17 00:00:00 2001 +From: Ruslan Ruslichenko +Date: Tue, 17 Jan 2017 16:13:52 +0200 +Subject: x86/ioapic: Restore IO-APIC irq_chip retrigger callback + +From: Ruslan Ruslichenko + +commit a9b4f08770b415f30f2fb0f8329a370c8f554aa3 upstream. + +commit d32932d02e18 removed the irq_retrigger callback from the IO-APIC +chip and did not add it to the new IO-APIC-IR irq chip. + +There is no harm because the interrupts are resent in software when the +retrigger callback is NULL, but it's less efficient. So restore them. + +[ tglx: Massaged changelog ] + +Fixes: d32932d02e18 ("x86/irq: Convert IOAPIC to use hierarchical irqdomain interfaces") +Signed-off-by: Ruslan Ruslichenko +Cc: xe-linux-external@cisco.com +Link: http://lkml.kernel.org/r/1484662432-13580-1-git-send-email-rruslich@cisco.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/apic/io_apic.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kernel/apic/io_apic.c ++++ b/arch/x86/kernel/apic/io_apic.c +@@ -1876,6 +1876,7 @@ static struct irq_chip ioapic_chip __rea + .irq_ack = irq_chip_ack_parent, + .irq_eoi = ioapic_ack_level, + .irq_set_affinity = ioapic_set_affinity, ++ .irq_retrigger = irq_chip_retrigger_hierarchy, + .flags = IRQCHIP_SKIP_SET_WAKE, + }; + +@@ -1887,6 +1888,7 @@ static struct irq_chip ioapic_ir_chip __ + .irq_ack = irq_chip_ack_parent, + .irq_eoi = ioapic_ir_ack_level, + .irq_set_affinity = ioapic_set_affinity, ++ .irq_retrigger = irq_chip_retrigger_hierarchy, + .flags = IRQCHIP_SKIP_SET_WAKE, + }; + diff --git a/queue-4.9/x86-mpx-re-add-mpx-to-selftests-makefile.patch b/queue-4.9/x86-mpx-re-add-mpx-to-selftests-makefile.patch new file mode 100644 index 00000000000..ab73bdff100 --- /dev/null +++ b/queue-4.9/x86-mpx-re-add-mpx-to-selftests-makefile.patch @@ -0,0 +1,39 @@ +From e64d5fbe56259c94df504af8ce804cfc6a022adb Mon Sep 17 00:00:00 2001 +From: Dave Hansen +Date: Wed, 1 Feb 2017 14:56:29 -0800 +Subject: x86/mpx: Re-add MPX to selftests Makefile + +From: Dave Hansen + +commit e64d5fbe56259c94df504af8ce804cfc6a022adb upstream. + +Ingo pointed out that the MPX tests were no longer in the selftests +Makefile. It appears that I shot myself in the foot on this one +and accidentally removed them when I added the pkeys tests, probably +from bungling a merge conflict. + +Reported-by: Ingo Molnar +Signed-off-by: Dave Hansen +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 5f23f6d082a9 ("x86/pkeys: Add self-tests") +Link: http://lkml.kernel.org/r/20170201225629.C3070852@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/x86/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/x86/Makefile ++++ b/tools/testing/selftests/x86/Makefile +@@ -5,7 +5,7 @@ include ../lib.mk + .PHONY: all all_32 all_64 warn_32bit_failure clean + + TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt ptrace_syscall test_mremap_vdso \ +- check_initial_reg_state sigreturn ldt_gdt iopl \ ++ check_initial_reg_state sigreturn ldt_gdt iopl mpx-mini-test \ + protection_keys + TARGETS_C_32BIT_ONLY := entry_from_vm86 syscall_arg_fault test_syscall_vdso unwind_vdso \ + test_FCMOV test_FCOMI test_FISTTP \ diff --git a/queue-4.9/x86-pci-calgary-fix-iommu_free-comparison-of-unsigned-expression-0.patch b/queue-4.9/x86-pci-calgary-fix-iommu_free-comparison-of-unsigned-expression-0.patch new file mode 100644 index 00000000000..7344d804dbd --- /dev/null +++ b/queue-4.9/x86-pci-calgary-fix-iommu_free-comparison-of-unsigned-expression-0.patch @@ -0,0 +1,48 @@ +From 68dee8e2f2cacc54d038394e70d22411dee89da2 Mon Sep 17 00:00:00 2001 +From: Nikola Pajkovsky +Date: Tue, 15 Nov 2016 09:47:49 +0100 +Subject: x86/pci-calgary: Fix iommu_free() comparison of unsigned expression >= 0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nikola Pajkovsky + +commit 68dee8e2f2cacc54d038394e70d22411dee89da2 upstream. + +commit 8fd524b355da ("x86: Kill bad_dma_address variable") has killed +bad_dma_address variable and used instead of macro DMA_ERROR_CODE +which is always zero. Since dma_addr is unsigned, the statement + + dma_addr >= DMA_ERROR_CODE + +is always true, and not needed. + +arch/x86/kernel/pci-calgary_64.c: In function ‘iommu_free’: +arch/x86/kernel/pci-calgary_64.c:299:2: warning: comparison of unsigned expression >= 0 is always true [-Wtype-limits] + if (unlikely((dma_addr >= DMA_ERROR_CODE) && (dma_addr < badend))) { + +Fixes: 8fd524b355da ("x86: Kill bad_dma_address variable") +Signed-off-by: Nikola Pajkovsky +Cc: iommu@lists.linux-foundation.org +Cc: Jon Mason +Cc: Muli Ben-Yehuda +Link: http://lkml.kernel.org/r/7612c0f9dd7c1290407dbf8e809def922006920b.1479161177.git.npajkovsky@suse.cz +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/pci-calgary_64.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/pci-calgary_64.c ++++ b/arch/x86/kernel/pci-calgary_64.c +@@ -296,7 +296,7 @@ static void iommu_free(struct iommu_tabl + + /* were we called with bad_dma_address? */ + badend = DMA_ERROR_CODE + (EMERGENCY_PAGES * PAGE_SIZE); +- if (unlikely((dma_addr >= DMA_ERROR_CODE) && (dma_addr < badend))) { ++ if (unlikely(dma_addr < badend)) { + WARN(1, KERN_ERR "Calgary: driver tried unmapping bad DMA " + "address 0x%Lx\n", dma_addr); + return; diff --git a/queue-4.9/x86-platform-intel-mid-correct-msi-irq-line-for-watchdog-device.patch b/queue-4.9/x86-platform-intel-mid-correct-msi-irq-line-for-watchdog-device.patch new file mode 100644 index 00000000000..1383edae8e4 --- /dev/null +++ b/queue-4.9/x86-platform-intel-mid-correct-msi-irq-line-for-watchdog-device.patch @@ -0,0 +1,44 @@ +From 80354c29025833acd72ddac1ffa21c6cb50128cd Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Sun, 12 Mar 2017 17:07:44 +0200 +Subject: x86/platform/intel-mid: Correct MSI IRQ line for watchdog device + +From: Andy Shevchenko + +commit 80354c29025833acd72ddac1ffa21c6cb50128cd upstream. + +The interrupt line used for the watchdog is 12, according to the official +Intel Edison BSP code. + +And indeed after fixing it we start getting an interrupt and thus the +watchdog starts working again: + + [ 191.699951] Kernel panic - not syncing: Kernel Watchdog + +Signed-off-by: Andy Shevchenko +Cc: Borislav Petkov +Cc: David Cohen +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 78a3bb9e408b ("x86: intel-mid: add watchdog platform code for Merrifield") +Link: http://lkml.kernel.org/r/20170312150744.45493-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/platform/intel-mid/device_libs/platform_mrfld_wdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/platform/intel-mid/device_libs/platform_mrfld_wdt.c ++++ b/arch/x86/platform/intel-mid/device_libs/platform_mrfld_wdt.c +@@ -19,7 +19,7 @@ + #include + #include + +-#define TANGIER_EXT_TIMER0_MSI 15 ++#define TANGIER_EXT_TIMER0_MSI 12 + + static struct platform_device wdt_dev = { + .name = "intel_mid_wdt",