From: Greg Kroah-Hartman Date: Tue, 1 Mar 2016 18:54:16 +0000 (-0800) Subject: 4.4-stable patches X-Git-Tag: v3.10.99~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e36f42cc38a50bb981d6ffb5f894cfa6766a23bf;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: coresight-checking-for-null-string-in-coresight_name_match.patch dm-fix-dm_rq_target_io-leak-on-faults-with-.request_fn-dm-w-blk-mq-paths.patch dm-snapshot-fix-hung-bios-when-copy-error-occurs.patch dm-space-map-metadata-remove-unused-variable-in-brb_pop.patch gspca-ov534-topro-prevent-a-division-by-0.patch locks-fix-unlock-when-fcntl_setlk-races-with-a-close.patch media-dvb-core-don-t-force-can_inversion_auto-in-oneshot-mode.patch mei-fix-fasync-return-value-on-error.patch mei-validate-request-value-in-client-notify-request-ioctl.patch namei-d_inode-of-a-pinned-dentry-is-stable-only-for-positives.patch rc-sunxi-cir-initialize-the-spinlock-properly.patch rtlwifi-rtl8188ee-fix-module-parameter-initialization.patch rtlwifi-rtl8192ce-fix-handling-of-module-parameters.patch rtlwifi-rtl8192cu-add-missing-parameter-setup.patch rtlwifi-rtl8192de-fix-incorrect-module-parameter-descriptions.patch rtlwifi-rtl8192se-fix-module-parameter-initialization.patch rtlwifi-rtl8723ae-fix-initialization-of-module-parameters.patch rtlwifi-rtl8723be-fix-module-parameter-initialization.patch rtlwifi-rtl_pci-fix-kernel-panic.patch si2157-return-einval-if-firmware-blob-is-too-big.patch tda1004x-only-update-the-frontend-properties-if-locked.patch um-link-with-lpthread.patch vb2-fix-a-regression-in-poll-behavior-for-output-streams.patch --- diff --git a/queue-4.4/coresight-checking-for-null-string-in-coresight_name_match.patch b/queue-4.4/coresight-checking-for-null-string-in-coresight_name_match.patch new file mode 100644 index 00000000000..7b0d2f3ff83 --- /dev/null +++ b/queue-4.4/coresight-checking-for-null-string-in-coresight_name_match.patch 
@@ -0,0 +1,35 @@
+From fadf3a44e974b030e7145218ad1ab25e3ef91738 Mon Sep 17 00:00:00 2001
+From: Mathieu Poirier
+Date: Thu, 17 Dec 2015 08:47:02 -0700
+Subject: coresight: checking for NULL string in coresight_name_match()
+
+From: Mathieu Poirier
+
+commit fadf3a44e974b030e7145218ad1ab25e3ef91738 upstream.
+
+Connection child names associated to ports can sometimes be NULL,
+which is the case when booting a system on QEMU or when the Coresight
+power domain isn't switched on.
+
+This patch is adding a check to make sure a NULL string isn't fed
+to strcmp(), something that avoid crashing the system.
+
+Reported-by: Tyler Baker
+Signed-off-by: Mathieu Poirier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hwtracing/coresight/coresight.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/coresight/coresight.c
++++ b/drivers/hwtracing/coresight/coresight.c
+@@ -548,7 +548,7 @@ static int coresight_name_match(struct d
+ to_match = data;
+ i_csdev = to_coresight_device(dev);
+
+- if (!strcmp(to_match, dev_name(&i_csdev->dev)))
++ if (to_match && !strcmp(to_match, dev_name(&i_csdev->dev)))
+ return 1;
+
+ return 0;
diff --git a/queue-4.4/dm-fix-dm_rq_target_io-leak-on-faults-with-.request_fn-dm-w-blk-mq-paths.patch b/queue-4.4/dm-fix-dm_rq_target_io-leak-on-faults-with-.request_fn-dm-w-blk-mq-paths.patch
new file mode 100644
index 00000000000..6c36f4c44b9
--- /dev/null
+++ b/queue-4.4/dm-fix-dm_rq_target_io-leak-on-faults-with-.request_fn-dm-w-blk-mq-paths.patch
@@ -0,0 +1,67 @@
+From 4328daa2e79ed904a42ce00a9f38b9c36b44b21a Mon Sep 17 00:00:00 2001
+From: Mike Snitzer
+Date: Sun, 21 Feb 2016 19:09:22 -0500
+Subject: dm: fix dm_rq_target_io leak on faults with .request_fn DM w/ blk-mq paths
+
+From: Mike Snitzer
+
+commit 4328daa2e79ed904a42ce00a9f38b9c36b44b21a upstream.
+
+Using request-based DM mpath configured with the following stacking
+(.request_fn DM mpath ontop of scsi-mq paths):
+
+echo Y > /sys/module/scsi_mod/parameters/use_blk_mq
+echo N > /sys/module/dm_mod/parameters/use_blk_mq
+
+'struct dm_rq_target_io' would leak if a request is requeued before a
+blk-mq clone is allocated (or fails to allocate). free_rq_tio()
+wasn't being called.
+
+kmemleak reported:
+
+unreferenced object 0xffff8800b90b98c0 (size 112):
+ comm "kworker/7:1H", pid 5692, jiffies 4295056109 (age 78.589s)
+ hex dump (first 32 bytes):
+ 00 d0 5c 2c 03 88 ff ff 40 00 bf 01 00 c9 ff ff ..\,....@.......
+ e0 d9 b1 34 00 88 ff ff 00 00 00 00 00 00 00 00 ...4............
+ backtrace:
+ [] kmemleak_alloc+0x4e/0xb0
+ [] kmem_cache_alloc+0xc3/0x1e0
+ [] mempool_alloc_slab+0x15/0x20
+ [] mempool_alloc+0x6e/0x170
+ [] dm_old_prep_fn+0x3c/0x180 [dm_mod]
+ [] blk_peek_request+0x168/0x290
+ [] dm_request_fn+0xb2/0x1b0 [dm_mod]
+ [] __blk_run_queue+0x33/0x40
+ [] blk_delay_work+0x25/0x40
+ [] process_one_work+0x14f/0x3d0
+ [] worker_thread+0x125/0x4b0
+ [] kthread+0xd8/0xf0
+ [] ret_from_fork+0x3f/0x70
+ [] 0xffffffffffffffff
+
+crash> struct -o dm_rq_target_io
+struct dm_rq_target_io {
+ ...
+}
+SIZE: 112
+
+Fixes: e5863d9ad7 ("dm: allocate requests in target when stacking on blk-mq devices")
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -1191,6 +1191,8 @@ static void dm_unprep_request(struct req
+
+ if (clone)
+ free_rq_clone(clone);
++ else if (!tio->md->queue->mq_ops)
++ free_rq_tio(tio);
+ }
+
+ /*
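Review bot: The added `else if (!tio->md->queue->mq_ops)` branch in dm_unprep_request() has no comment saying why the tio is freed only when there is no clone and the DM queue is not blk-mq, which is the whole point of the fix. A line such as `/* .request_fn DM: no clone was allocated, so the mempool tio must be freed here */` above the branch would keep a later cleanup from dropping it and reintroducing the leak that kmemleak reported. Why the blk-mq DM case needs no free is not visible in this hunk, and the function starts outside it, so confirm that reasoning before wording the comment.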
diff --git a/queue-4.4/dm-snapshot-fix-hung-bios-when-copy-error-occurs.patch b/queue-4.4/dm-snapshot-fix-hung-bios-when-copy-error-occurs.patch
new file mode 100644
index 00000000000..62d40152adb
--- /dev/null
+++ b/queue-4.4/dm-snapshot-fix-hung-bios-when-copy-error-occurs.patch
@@ -0,0 +1,135 @@ +From 385277bfb57faac44e92497104ba542cdd82d5fe Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Fri, 8 Jan 2016 19:07:55 -0500 +Subject: dm snapshot: fix hung bios when copy error occurs + +From: Mikulas Patocka + +commit 385277bfb57faac44e92497104ba542cdd82d5fe upstream. + +When there is an error copying a chunk dm-snapshot can incorrectly hold +associated bios indefinitely, resulting in hung IO. + +The function copy_callback sets pe->error if there was error copying the +chunk, and then calls complete_exception. complete_exception calls +pending_complete on error, otherwise it calls commit_exception with +commit_callback (and commit_callback calls complete_exception). + +The persistent exception store (dm-snap-persistent.c) assumes that calls +to prepare_exception and commit_exception are paired. +persistent_prepare_exception increases ps->pending_count and +persistent_commit_exception decreases it. + +If there is a copy error, persistent_prepare_exception is called but +persistent_commit_exception is not. This results in the variable +ps->pending_count never returning to zero and that causes some pending +exceptions (and their associated bios) to be held forever. + +Fix this by unconditionally calling commit_exception regardless of +whether the copy was successful. A new "valid" parameter is added to +commit_exception -- when the copy fails this parameter is set to zero so +that the chunk that failed to copy (and all following chunks) is not +recorded in the snapshot store. Also, remove commit_callback now that +it is merely a wrapper around pending_complete. 
+ +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-exception-store.h | 2 +- + drivers/md/dm-snap-persistent.c | 5 ++++- + drivers/md/dm-snap-transient.c | 4 ++-- + drivers/md/dm-snap.c | 20 +++++--------------- + 4 files changed, 12 insertions(+), 19 deletions(-) + +--- a/drivers/md/dm-exception-store.h ++++ b/drivers/md/dm-exception-store.h +@@ -69,7 +69,7 @@ struct dm_exception_store_type { + * Update the metadata with this exception. + */ + void (*commit_exception) (struct dm_exception_store *store, +- struct dm_exception *e, ++ struct dm_exception *e, int valid, + void (*callback) (void *, int success), + void *callback_context); + +--- a/drivers/md/dm-snap-persistent.c ++++ b/drivers/md/dm-snap-persistent.c +@@ -695,7 +695,7 @@ static int persistent_prepare_exception( + } + + static void persistent_commit_exception(struct dm_exception_store *store, +- struct dm_exception *e, ++ struct dm_exception *e, int valid, + void (*callback) (void *, int success), + void *callback_context) + { +@@ -704,6 +704,9 @@ static void persistent_commit_exception( + struct core_exception ce; + struct commit_callback *cb; + ++ if (!valid) ++ ps->valid = 0; ++ + ce.old_chunk = e->old_chunk; + ce.new_chunk = e->new_chunk; + write_exception(ps, ps->current_committed++, &ce); +--- a/drivers/md/dm-snap-transient.c ++++ b/drivers/md/dm-snap-transient.c +@@ -52,12 +52,12 @@ static int transient_prepare_exception(s + } + + static void transient_commit_exception(struct dm_exception_store *store, +- struct dm_exception *e, ++ struct dm_exception *e, int valid, + void (*callback) (void *, int success), + void *callback_context) + { + /* Just succeed */ +- callback(callback_context, 1); ++ callback(callback_context, valid); + } + + static void transient_usage(struct dm_exception_store *store, +--- a/drivers/md/dm-snap.c ++++ b/drivers/md/dm-snap.c +@@ -1438,8 +1438,9 @@ static void __invalidate_snapshot(struct + 
dm_table_event(s->ti->table); + } + +-static void pending_complete(struct dm_snap_pending_exception *pe, int success) ++static void pending_complete(void *context, int success) + { ++ struct dm_snap_pending_exception *pe = context; + struct dm_exception *e; + struct dm_snapshot *s = pe->snap; + struct bio *origin_bios = NULL; +@@ -1509,24 +1510,13 @@ out: + free_pending_exception(pe); + } + +-static void commit_callback(void *context, int success) +-{ +- struct dm_snap_pending_exception *pe = context; +- +- pending_complete(pe, success); +-} +- + static void complete_exception(struct dm_snap_pending_exception *pe) + { + struct dm_snapshot *s = pe->snap; + +- if (unlikely(pe->copy_error)) +- pending_complete(pe, 0); +- +- else +- /* Update the metadata if we are persistent */ +- s->store->type->commit_exception(s->store, &pe->e, +- commit_callback, pe); ++ /* Update the metadata if we are persistent */ ++ s->store->type->commit_exception(s->store, &pe->e, !pe->copy_error, ++ pending_complete, pe); + } + + /* diff --git a/queue-4.4/dm-space-map-metadata-remove-unused-variable-in-brb_pop.patch b/queue-4.4/dm-space-map-metadata-remove-unused-variable-in-brb_pop.patch new file mode 100644 index 00000000000..165fc825c4b --- /dev/null +++ b/queue-4.4/dm-space-map-metadata-remove-unused-variable-in-brb_pop.patch 
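Review bot: In transient_commit_exception() the retained comment `/* Just succeed */` no longer matches the code, because the callback now receives `valid` and so reports failure when the copy failed; reword it to something like `/* Nothing to store; pass the copy result through */`. The new `int valid` argument is also undocumented in dm-exception-store.h, where the comment above commit_exception still reads only "Update the metadata with this exception."; one sentence stating that valid == 0 means the copy failed and the store must invalidate itself would help anyone implementing another store type. In persistent_commit_exception() the code still falls through to write_exception() after clearing ps->valid, so whether the failed chunk stays off disk depends on code below the hunk that is not shown here.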
@@ -0,0 +1,39 @@
+From 512167788a6fe9481a33a3cce5f80b684631a1bb Mon Sep 17 00:00:00 2001
+From: Mike Snitzer
+Date: Mon, 14 Dec 2015 09:26:01 -0500
+Subject: dm space map metadata: remove unused variable in brb_pop()
+
+From: Mike Snitzer
+
+commit 512167788a6fe9481a33a3cce5f80b684631a1bb upstream.
+
+Remove the unused struct block_op pointer that was inadvertantly
+introduced, via cut-and-paste of previous brb_op() code, as part of
+commit 50dd842ad.
+
+(Cc'ing stable@ because commit 50dd842ad did)
+
+Fixes: 50dd842ad ("dm space map metadata: fix ref counting bug when bootstrapping a new space map")
+Reported-by: David Binderman
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/persistent-data/dm-space-map-metadata.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/md/persistent-data/dm-space-map-metadata.c
++++ b/drivers/md/persistent-data/dm-space-map-metadata.c
+@@ -152,12 +152,9 @@ static int brb_peek(struct bop_ring_buff
+
+ static int brb_pop(struct bop_ring_buffer *brb)
+ {
+- struct block_op *bop;
+-
+ if (brb_empty(brb))
+ return -ENODATA;
+
+- bop = brb->bops + brb->begin;
+ brb->begin = brb_next(brb, brb->begin);
+
+ return 0;
diff --git a/queue-4.4/gspca-ov534-topro-prevent-a-division-by-0.patch b/queue-4.4/gspca-ov534-topro-prevent-a-division-by-0.patch
new file mode 100644
index 00000000000..71ca5e07f22
--- /dev/null
+++ b/queue-4.4/gspca-ov534-topro-prevent-a-division-by-0.patch
@@ -0,0 +1,109 @@ +From dcc7fdbec53a960588f2c40232db2c6466c09917 Mon Sep 17 00:00:00 2001 +From: Antonio Ospite +Date: Fri, 2 Oct 2015 17:33:13 -0300 +Subject: [media] gspca: ov534/topro: prevent a division by 0 + +From: Antonio Ospite + +commit dcc7fdbec53a960588f2c40232db2c6466c09917 upstream. + +v4l2-compliance sends a zeroed struct v4l2_streamparm in +v4l2-test-formats.cpp::testParmType(), and this results in a division by +0 in some gspca subdrivers: + + divide error: 0000 [#1] SMP + Modules linked in: gspca_ov534 gspca_main ... + CPU: 0 PID: 17201 Comm: v4l2-compliance Not tainted 4.3.0-rc2-ao2 #1 + Hardware name: System manufacturer System Product Name/M2N-E SLI, BIOS + ASUS M2N-E SLI ACPI BIOS Revision 1301 09/16/2010 + task: ffff8800818306c0 ti: ffff880095c4c000 task.ti: ffff880095c4c000 + RIP: 0010:[] [] sd_set_streamparm+0x12/0x60 [gspca_ov534] + RSP: 0018:ffff880095c4fce8 EFLAGS: 00010296 + RAX: 0000000000000000 RBX: ffff8800c9522000 RCX: ffffffffa077a140 + RDX: 0000000000000000 RSI: ffff880095e0c100 RDI: ffff8800c9522000 + RBP: ffff880095e0c100 R08: ffffffffa077a100 R09: 00000000000000cc + R10: ffff880067ec7740 R11: 0000000000000016 R12: ffffffffa07bb400 + R13: 0000000000000000 R14: ffff880081b6a800 R15: 0000000000000000 + FS: 00007fda0de78740(0000) GS:ffff88012fc00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00000000014630f8 CR3: 00000000cf349000 CR4: 00000000000006f0 + Stack: + ffffffffa07a6431 ffff8800c9522000 ffffffffa077656e 00000000c0cc5616 + ffff8800c9522000 ffffffffa07a5e20 ffff880095e0c100 0000000000000000 + ffff880067ec7740 ffffffffa077a140 ffff880067ec7740 0000000000000016 + Call Trace: + [] ? v4l_s_parm+0x21/0x50 [videodev] + [] ? vidioc_s_parm+0x4e/0x60 [gspca_main] + [] ? __video_do_ioctl+0x280/0x2f0 [videodev] + [] ? video_ioctl2+0x20/0x20 [videodev] + [] ? video_usercopy+0x319/0x4e0 [videodev] + [] ? page_add_new_anon_rmap+0x71/0xa0 + [] ? mem_cgroup_commit_charge+0x52/0x90 + [] ? 
handle_mm_fault+0xc18/0x1680 + [] ? v4l2_ioctl+0xac/0xd0 [videodev] + [] ? do_vfs_ioctl+0x28f/0x480 + [] ? SyS_ioctl+0x74/0x80 + [] ? entry_SYSCALL_64_fastpath+0x16/0x75 + Code: c7 93 d9 79 a0 5b 5d e9 f1 f3 9a e0 0f 1f 00 66 2e 0f 1f 84 00 + 00 00 00 00 66 66 66 66 90 53 31 d2 48 89 fb 48 83 ec 08 8b 46 10 + 76 0c 80 bf ac 0c 00 00 00 88 87 4e 0e 00 00 74 09 80 bf 4f + RIP [] sd_set_streamparm+0x12/0x60 [gspca_ov534] + RSP + ---[ end trace 279710c2c6c72080 ]--- + +Following what the doc says about a zeroed timeperframe (see +http://www.linuxtv.org/downloads/v4l-dvb-apis/vidioc-g-parm.html): + + ... + To reset manually applications can just set this field to zero. + +fix the issue by resetting the frame rate to a default value in case of +an unusable timeperframe. + +The fix is done in the subdrivers instead of gspca.c because only the +subdrivers have notion of a default frame rate to reset the camera to. + +Signed-off-by: Antonio Ospite +Reviewed-by: Hans de Goede +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/gspca/ov534.c | 9 +++++++-- + drivers/media/usb/gspca/topro.c | 6 +++++- + 2 files changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/media/usb/gspca/ov534.c ++++ b/drivers/media/usb/gspca/ov534.c +@@ -1491,8 +1491,13 @@ static void sd_set_streamparm(struct gsp + struct v4l2_fract *tpf = &cp->timeperframe; + struct sd *sd = (struct sd *) gspca_dev; + +- /* Set requested framerate */ +- sd->frame_rate = tpf->denominator / tpf->numerator; ++ if (tpf->numerator == 0 || tpf->denominator == 0) ++ /* Set default framerate */ ++ sd->frame_rate = 30; ++ else ++ /* Set requested framerate */ ++ sd->frame_rate = tpf->denominator / tpf->numerator; ++ + if (gspca_dev->streaming) + set_frame_rate(gspca_dev); + +--- a/drivers/media/usb/gspca/topro.c ++++ b/drivers/media/usb/gspca/topro.c +@@ -4802,7 +4802,11 @@ static void sd_set_streamparm(struct gsp + struct v4l2_fract *tpf = 
&cp->timeperframe; + int fr, i; + +- sd->framerate = tpf->denominator / tpf->numerator; ++ if (tpf->numerator == 0 || tpf->denominator == 0) ++ sd->framerate = 30; ++ else ++ sd->framerate = tpf->denominator / tpf->numerator; ++ + if (gspca_dev->streaming) + setframerate(gspca_dev, v4l2_ctrl_g_ctrl(gspca_dev->exposure)); + diff --git a/queue-4.4/locks-fix-unlock-when-fcntl_setlk-races-with-a-close.patch b/queue-4.4/locks-fix-unlock-when-fcntl_setlk-races-with-a-close.patch new file mode 100644 index 00000000000..d1c10353e44 --- /dev/null +++ b/queue-4.4/locks-fix-unlock-when-fcntl_setlk-races-with-a-close.patch 
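Review bot: The quotient `tpf->denominator / tpf->numerator` is still stored without a range check in both sd_set_streamparm() hunks (ov534.c and topro.c), so a caller-supplied fraction with a large denominator reaches sd->frame_rate / sd->framerate as is. The field types and any later clamping are outside the hunks, so confirm that set_frame_rate() and setframerate() bound the value or that truncation on assignment is harmless. The fallback `30` is a bare literal repeated in two drivers; a named per-driver constant would make the reset value explicit. In ov534.c the unbraced if/else with a comment between each condition and its statement is easy to break on the next edit, and braces would be safer.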
@@ -0,0 +1,121 @@
+From 7f3697e24dc3820b10f445a4a7d914fc356012d1 Mon Sep 17 00:00:00 2001
+From: Jeff Layton
+Date: Thu, 7 Jan 2016 16:38:10 -0500
+Subject: locks: fix unlock when fcntl_setlk races with a close
+
+From: Jeff Layton
+
+commit 7f3697e24dc3820b10f445a4a7d914fc356012d1 upstream.
+
+Dmitry reported that he was able to reproduce the WARN_ON_ONCE that
+fires in locks_free_lock_context when the flc_posix list isn't empty.
+
+The problem turns out to be that we're basically rebuilding the
+file_lock from scratch in fcntl_setlk when we discover that the setlk
+has raced with a close. If the l_whence field is SEEK_CUR or SEEK_END,
+then we may end up with fl_start and fl_end values that differ from
+when the lock was initially set, if the file position or length of the
+file has changed in the interim.
+
+Fix this by just reusing the same lock request structure, and simply
+override fl_type value with F_UNLCK as appropriate. That ensures that
+we really are unlocking the lock that was initially set.
+
+While we're there, make sure that we do pop a WARN_ON_ONCE if the
+removal ever fails. Also return -EBADF in this event, since that's
+what we would have returned if the close had happened earlier.
+
+Cc: Alexander Viro
+Fixes: c293621bbf67 (stale POSIX lock handling)
+Reported-by: Dmitry Vyukov
+Signed-off-by: Jeff Layton
+Acked-by: "J. Bruce Fields"
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/locks.c | 51 ++++++++++++++++++++++++++++++---------------------
+ 1 file changed, 30 insertions(+), 21 deletions(-)
+
+--- a/fs/locks.c
++++ b/fs/locks.c
+@@ -2182,7 +2182,6 @@ int fcntl_setlk(unsigned int fd, struct
+ goto out;
+ }
+
+-again:
+ error = flock_to_posix_lock(filp, file_lock, &flock);
+ if (error)
+ goto out;
+@@ -2224,19 +2223,22 @@ again:
+ * Attempt to detect a close/fcntl race and recover by
+ * releasing the lock that was just acquired.
+ */
+- /*
+- * we need that spin_lock here - it prevents reordering between
+- * update of i_flctx->flc_posix and check for it done in close().
+- * rcu_read_lock() wouldn't do.
+- */
+- spin_lock(¤t->files->file_lock);
+- f = fcheck(fd);
+- spin_unlock(¤t->files->file_lock);
+- if (!error && f != filp && flock.l_type != F_UNLCK) {
+- flock.l_type = F_UNLCK;
+- goto again;
++ if (!error && file_lock->fl_type != F_UNLCK) {
++ /*
++ * We need that spin_lock here - it prevents reordering between
++ * update of i_flctx->flc_posix and check for it done in
++ * close(). rcu_read_lock() wouldn't do.
++ */
++ spin_lock(¤t->files->file_lock);
++ f = fcheck(fd);
++ spin_unlock(¤t->files->file_lock);
++ if (f != filp) {
++ file_lock->fl_type = F_UNLCK;
++ error = do_lock_file_wait(filp, cmd, file_lock);
++ WARN_ON_ONCE(error);
++ error = -EBADF;
++ }
+ }
+-
+ out:
+ locks_free_lock(file_lock);
+ return error;
+@@ -2322,7 +2324,6 @@ int fcntl_setlk64(unsigned int fd, struc
+ goto out;
+ }
+
+-again:
+ error = flock64_to_posix_lock(filp, file_lock, &flock);
+ if (error)
+ goto out;
+@@ -2364,14 +2365,22 @@ again:
+ * Attempt to detect a close/fcntl race and recover by
+ * releasing the lock that was just acquired.
+ */
+- spin_lock(¤t->files->file_lock);
+- f = fcheck(fd);
+- spin_unlock(¤t->files->file_lock);
+- if (!error && f != filp && flock.l_type != F_UNLCK) {
+- flock.l_type = F_UNLCK;
+- goto again;
++ if (!error && file_lock->fl_type != F_UNLCK) {
++ /*
++ * We need that spin_lock here - it prevents reordering between
++ * update of i_flctx->flc_posix and check for it done in
++ * close(). rcu_read_lock() wouldn't do.
++ */
++ spin_lock(¤t->files->file_lock);
++ f = fcheck(fd);
++ spin_unlock(¤t->files->file_lock);
++ if (f != filp) {
++ file_lock->fl_type = F_UNLCK;
++ error = do_lock_file_wait(filp, cmd, file_lock);
++ WARN_ON_ONCE(error);
++ error = -EBADF;
++ }
+ }
+-
+ out:
+ locks_free_lock(file_lock);
+ return error;
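Review bot: The new recovery path calls `WARN_ON_ONCE(error)` on the result of do_lock_file_wait() in a branch that is reached when fcntl() races with close() on the same descriptor, which is timing an unprivileged process controls. If that unlock can fail for any reason (not determinable from these hunks), the warning becomes user-reachable, which matters on systems running with panic_on_warn; a short comment stating why an F_UNLCK request cannot fail here would record the assumption. The 15-line recovery block is also duplicated verbatim in fcntl_setlk() and fcntl_setlk64(), and a shared static helper would keep the two copies from drifting apart. Both functions start and end outside the hunks shown.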
diff --git a/queue-4.4/media-dvb-core-don-t-force-can_inversion_auto-in-oneshot-mode.patch b/queue-4.4/media-dvb-core-don-t-force-can_inversion_auto-in-oneshot-mode.patch
new file mode 100644
index 00000000000..6db55c89297
--- /dev/null
+++ b/queue-4.4/media-dvb-core-don-t-force-can_inversion_auto-in-oneshot-mode.patch
@@ -0,0 +1,44 @@
+From c9d57de6103e343f2d4e04ea8d9e417e10a24da7 Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley
+Date: Mon, 31 Aug 2015 06:13:45 -0300
+Subject: [media] media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode
+
+From: Malcolm Priestley
+
+commit c9d57de6103e343f2d4e04ea8d9e417e10a24da7 upstream.
+
+When in FE_TUNE_MODE_ONESHOT the frontend must report
+the actual capabilities so user can take appropriate
+action.
+
+With frontends that can't do auto inversion this is done
+by dvb-core automatically so CAN_INVERSION_AUTO is valid.
+
+However, when in FE_TUNE_MODE_ONESHOT this is not true.
+
+So only set FE_CAN_INVERSION_AUTO in modes other than
+FE_TUNE_MODE_ONESHOT
+
+Signed-off-by: Malcolm Priestley
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/dvb-core/dvb_frontend.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/dvb-core/dvb_frontend.c
++++ b/drivers/media/dvb-core/dvb_frontend.c
+@@ -2313,9 +2313,9 @@ static int dvb_frontend_ioctl_legacy(str
+ dev_dbg(fe->dvb->device, "%s: current delivery system on cache: %d, V3 type: %d\n",
+ __func__, c->delivery_system, fe->ops.info.type);
+
+- /* Force the CAN_INVERSION_AUTO bit on. If the frontend doesn't
+- * do it, it is done for it. */
+- info->caps |= FE_CAN_INVERSION_AUTO;
++ /* Set CAN_INVERSION_AUTO bit on in other than oneshot mode */
++ if (!(fepriv->tune_mode_flags & FE_TUNE_MODE_ONESHOT))
++ info->caps |= FE_CAN_INVERSION_AUTO;
+ err = 0;
+ break;
+ }
diff --git a/queue-4.4/mei-fix-fasync-return-value-on-error.patch b/queue-4.4/mei-fix-fasync-return-value-on-error.patch
new file mode 100644
index 00000000000..57c31bc3397
--- /dev/null
+++ b/queue-4.4/mei-fix-fasync-return-value-on-error.patch
@@ -0,0 +1,43 @@
+From ed6dc538e5a36a331b6256d54f435c80f6715460 Mon Sep 17 00:00:00 2001
+From: Tomas Winkler
+Date: Thu, 7 Jan 2016 14:46:38 +0200
+Subject: mei: fix fasync return value on error
+
+From: Tomas Winkler
+
+commit ed6dc538e5a36a331b6256d54f435c80f6715460 upstream.
+
+fasync should return a negative value on error
+and not poll mask POLLERR.
+
+Cc: Al Viro
+Reported-by: Al Viro
+Signed-off-by: Tomas Winkler
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/misc/mei/main.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/mei/main.c
++++ b/drivers/misc/mei/main.c
+@@ -657,7 +657,9 @@ out:
+ * @file: pointer to file structure
+ * @band: band bitmap
+ *
+- * Return: poll mask
++ * Return: negative on error,
++ * 0 if it did no changes,
++ * and positive a process was added or deleted
+ */
+ static int mei_fasync(int fd, struct file *file, int band)
+ {
+@@ -665,7 +667,7 @@ static int mei_fasync(int fd, struct fil
+ struct mei_cl *cl = file->private_data;
+
+ if (!mei_cl_is_connected(cl))
+- return POLLERR;
++ return -ENODEV;
+
+ return fasync_helper(fd, file, band, &cl->ev_async);
+ }
diff --git a/queue-4.4/mei-validate-request-value-in-client-notify-request-ioctl.patch b/queue-4.4/mei-validate-request-value-in-client-notify-request-ioctl.patch
new file mode 100644
index 00000000000..0071144ced5
--- /dev/null
+++ b/queue-4.4/mei-validate-request-value-in-client-notify-request-ioctl.patch
@@ -0,0 +1,39 @@
+From 7326fffb712f09a315bc73cc1ee63843f59b8bd4 Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin
+Date: Sun, 17 Jan 2016 12:25:01 +0200
+Subject: mei: validate request value in client notify request ioctl
+
+From: Alexander Usyskin
+
+commit 7326fffb712f09a315bc73cc1ee63843f59b8bd4 upstream.
+
+This patch address a possible security issue:
+
+The request field in client notify request ioctl comes from user space
+as u32 and is downcasted to u8 with out validation.
+Check request field to have approved values
+MEI_HBM_NOTIFICATION_STAR/STOP
+
+Signed-off-by: Alexander Usyskin
+Signed-off-by: Tomas Winkler
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/misc/mei/main.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/mei/main.c
++++ b/drivers/misc/mei/main.c
+@@ -458,7 +458,11 @@ static int mei_ioctl_client_notify_reque
+ {
+ struct mei_cl *cl = file->private_data;
+
+- return mei_cl_notify_request(cl, file, request);
++ if (request != MEI_HBM_NOTIFICATION_START &&
++ request != MEI_HBM_NOTIFICATION_STOP)
++ return -EINVAL;
++
++ return mei_cl_notify_request(cl, file, (u8)request);
+ }
+
+ /**
diff --git a/queue-4.4/namei-d_inode-of-a-pinned-dentry-is-stable-only-for-positives.patch b/queue-4.4/namei-d_inode-of-a-pinned-dentry-is-stable-only-for-positives.patch
new file mode 100644
index 00000000000..2acaec5f243
--- /dev/null
+++ b/queue-4.4/namei-d_inode-of-a-pinned-dentry-is-stable-only-for-positives.patch
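Review bot: The allow-list test in mei_ioctl_client_notify_request() guards a narrowing cast, but nothing at the check says so, and the `(u8)request` cast on the call line now reads as routine. A comment such as `/* request is a user-supplied u32: reject anything but START/STOP before it is narrowed to u8 */` would keep the check from being dropped later as redundant. If mei_cl_notify_request() has other callers (none are visible in this hunk), they do not get this validation, so consider whether the test belongs in the callee. The function's kernel-doc begins outside the hunk and should list -EINVAL among its return values.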
@@ -0,0 +1,51 @@
+From d4565649b6d6923369112758212b851adc407f0c Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sat, 27 Feb 2016 19:23:16 -0500
+Subject: namei: ->d_inode of a pinned dentry is stable only for positives
+
+From: Al Viro
+
+commit d4565649b6d6923369112758212b851adc407f0c upstream.
+
+both do_last() and walk_component() risk picking a NULL inode out
+of dentry about to become positive, *then* checking its flags and
+seeing that it's not negative anymore and using (already stale by
+then) value they'd fetched earlier. Usually ends up oopsing soon
+after that...
+
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/namei.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -1742,11 +1742,11 @@ static int walk_component(struct nameida
+ if (err < 0)
+ return err;
+
+- inode = d_backing_inode(path.dentry);
+ seq = 0; /* we are already out of RCU mode */
+ err = -ENOENT;
+ if (d_is_negative(path.dentry))
+ goto out_path_put;
++ inode = d_backing_inode(path.dentry);
+ }
+
+ if (flags & WALK_PUT)
+@@ -3130,12 +3130,12 @@ retry_lookup:
+ return error;
+
+ BUG_ON(nd->flags & LOOKUP_RCU);
+- inode = d_backing_inode(path.dentry);
+ seq = 0; /* out of RCU mode, so the value doesn't matter */
+ if (unlikely(d_is_negative(path.dentry))) {
+ path_to_nameidata(&path, nd);
+ return -ENOENT;
+ }
++ inode = d_backing_inode(path.dentry);
+ finish_lookup:
+ if (nd->depth)
+ put_link(nd);
diff --git a/queue-4.4/rc-sunxi-cir-initialize-the-spinlock-properly.patch b/queue-4.4/rc-sunxi-cir-initialize-the-spinlock-properly.patch
new file mode 100644
index 00000000000..a858854a4b1
--- /dev/null
+++ b/queue-4.4/rc-sunxi-cir-initialize-the-spinlock-properly.patch
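Review bot: Nothing in either hunk records that `inode = d_backing_inode(path.dentry);` has to come after the d_is_negative() test, so the ordering this fix depends on will look like an arbitrary statement order to the next person who edits walk_component() or do_last(). Add a comment at both moved lines, for example `/* ->d_inode is stable only once the pinned dentry is known to be positive */`, which restates the patch subject. Both function bodies continue outside the hunks.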
@@ -0,0 +1,37 @@
+From 768acf46e1320d6c41ed1b7c4952bab41c1cde79 Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai
+Date: Tue, 22 Dec 2015 02:27:35 -0200
+Subject: [media] rc: sunxi-cir: Initialize the spinlock properly
+
+From: Chen-Yu Tsai
+
+commit 768acf46e1320d6c41ed1b7c4952bab41c1cde79 upstream.
+
+The driver allocates the spinlock but fails to initialize it correctly.
+The kernel reports a BUG indicating bad spinlock magic when spinlock
+debugging is enabled.
+
+Call spin_lock_init() on it to initialize it correctly.
+
+Fixes: b4e3e59fb59c ("[media] rc: add sunxi-ir driver")
+
+Signed-off-by: Chen-Yu Tsai
+Acked-by: Hans de Goede
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/rc/sunxi-cir.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/rc/sunxi-cir.c
++++ b/drivers/media/rc/sunxi-cir.c
+@@ -153,6 +153,8 @@ static int sunxi_ir_probe(struct platfor
+ if (!ir)
+ return -ENOMEM;
+
++ spin_lock_init(&ir->ir_lock);
++
+ if (of_device_is_compatible(dn, "allwinner,sun5i-a13-ir"))
+ ir->fifo_size = 64;
+ else
diff --git a/queue-4.4/rtlwifi-rtl8188ee-fix-module-parameter-initialization.patch b/queue-4.4/rtlwifi-rtl8188ee-fix-module-parameter-initialization.patch
new file mode 100644
index 00000000000..37c5e94f1e7
--- /dev/null
+++ b/queue-4.4/rtlwifi-rtl8188ee-fix-module-parameter-initialization.patch
@@ -0,0 +1,45 @@
+From 06f34572c6110e2e2d5e653a957f1d74db9e3f2b Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Mon, 14 Dec 2015 16:34:34 -0600
+Subject: rtlwifi: rtl8188ee: Fix module parameter initialization
+
+From: Larry Finger
+
+commit 06f34572c6110e2e2d5e653a957f1d74db9e3f2b upstream.
+
+In this driver, parameters disable_watchdog and sw_crypto are never
+copied into the locations used in the main code. While modifying the
+parameter handling, the copying of parameter msi_support is moved to
+be with the rest.
+
+Signed-off-by: Larry Finger
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8188ee/sw.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/sw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/sw.c
+@@ -88,8 +88,6 @@ int rtl88e_init_sw_vars(struct ieee80211
+ u8 tid;
+
+ rtl8188ee_bt_reg_init(hw);
+- rtlpci->msi_support = rtlpriv->cfg->mod_params->msi_support;
+-
+ rtlpriv->dm.dm_initialgain_enable = 1;
+ rtlpriv->dm.dm_flag = 0;
+ rtlpriv->dm.disable_framebursting = 0;
+@@ -138,6 +136,11 @@ int rtl88e_init_sw_vars(struct ieee80211
+ rtlpriv->psc.inactiveps = rtlpriv->cfg->mod_params->inactiveps;
+ rtlpriv->psc.swctrl_lps = rtlpriv->cfg->mod_params->swctrl_lps;
+ rtlpriv->psc.fwctrl_lps = rtlpriv->cfg->mod_params->fwctrl_lps;
++ rtlpci->msi_support = rtlpriv->cfg->mod_params->msi_support;
++ rtlpriv->cfg->mod_params->sw_crypto =
++ rtlpriv->cfg->mod_params->sw_crypto;
++ rtlpriv->cfg->mod_params->disable_watchdog =
++ rtlpriv->cfg->mod_params->disable_watchdog;
+ if (rtlpriv->cfg->mod_params->disable_watchdog)
+ pr_info("watchdog disabled\n");
+ if (!rtlpriv->psc.inactiveps)
diff --git a/queue-4.4/rtlwifi-rtl8192ce-fix-handling-of-module-parameters.patch b/queue-4.4/rtlwifi-rtl8192ce-fix-handling-of-module-parameters.patch
new file mode 100644
index 00000000000..e189c8b0bc1
--- /dev/null
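Review bot: The added statement `rtlpriv->cfg->mod_params->sw_crypto = rtlpriv->cfg->mod_params->sw_crypto;` in rtl88e_init_sw_vars() has the same expression on both sides, so it copies nothing; the `disable_watchdog` assignment right after it has the same form, as do the `sw_crypto` lines added by the rtl8192ce and rtl8192cu patches further down. The commit text says these parameters were never copied to the locations the main code uses, and after this change they still are not, so a user who requests software crypto through the module option may not get it. The left-hand side should be whichever field the main code actually reads; that field is not visible in these hunks, so none is named here.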
+++ b/queue-4.4/rtlwifi-rtl8192ce-fix-handling-of-module-parameters.patch
@@ -0,0 +1,31 @@
+From b24f19f16b9e43f54218c07609b783ea8625406a Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Mon, 14 Dec 2015 16:34:37 -0600
+Subject: rtlwifi: rtl8192ce: Fix handling of module parameters
+
+From: Larry Finger
+
+commit b24f19f16b9e43f54218c07609b783ea8625406a upstream.
+
+The module parameter for software encryption was never transferred to
+the location used by the driver.
+
+Signed-off-by: Larry Finger
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192ce/sw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/sw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/sw.c
+@@ -139,6 +139,8 @@ int rtl92c_init_sw_vars(struct ieee80211
+ rtlpriv->psc.inactiveps = rtlpriv->cfg->mod_params->inactiveps;
+ rtlpriv->psc.swctrl_lps = rtlpriv->cfg->mod_params->swctrl_lps;
+ rtlpriv->psc.fwctrl_lps = rtlpriv->cfg->mod_params->fwctrl_lps;
++ rtlpriv->cfg->mod_params->sw_crypto =
++ rtlpriv->cfg->mod_params->sw_crypto;
+ if (!rtlpriv->psc.inactiveps)
+ pr_info("rtl8192ce: Power Save off (module option)\n");
+ if (!rtlpriv->psc.fwctrl_lps)
diff --git a/queue-4.4/rtlwifi-rtl8192cu-add-missing-parameter-setup.patch b/queue-4.4/rtlwifi-rtl8192cu-add-missing-parameter-setup.patch
new file mode 100644
index 00000000000..1c2e6867cda
--- /dev/null
+++ b/queue-4.4/rtlwifi-rtl8192cu-add-missing-parameter-setup.patch
@@ -0,0 +1,31 @@
+From b68d0ae7e58624c33f2eddab471fee55db27dbf9 Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Mon, 14 Dec 2015 16:34:38 -0600
+Subject: rtlwifi: rtl8192cu: Add missing parameter setup
+
+From: Larry Finger
+
+commit b68d0ae7e58624c33f2eddab471fee55db27dbf9 upstream.
+
+This driver fails to copy the module parameter for software encryption
+to the locations used by the main code.
+
+Signed-off-by: Larry Finger
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192cu/sw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/sw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/sw.c
+@@ -65,6 +65,8 @@ static int rtl92cu_init_sw_vars(struct i
+ rtlpriv->dm.disable_framebursting = false;
+ rtlpriv->dm.thermalvalue = 0;
+ rtlpriv->dbg.global_debuglevel = rtlpriv->cfg->mod_params->debug;
++ rtlpriv->cfg->mod_params->sw_crypto =
++ rtlpriv->cfg->mod_params->sw_crypto;
+
+ /* for firmware buf */
+ rtlpriv->rtlhal.pfirmware = vzalloc(0x4000);
diff --git a/queue-4.4/rtlwifi-rtl8192de-fix-incorrect-module-parameter-descriptions.patch b/queue-4.4/rtlwifi-rtl8192de-fix-incorrect-module-parameter-descriptions.patch
new file mode 100644
index 00000000000..02cecea4492
--- /dev/null
+++ b/queue-4.4/rtlwifi-rtl8192de-fix-incorrect-module-parameter-descriptions.patch
@@ -0,0 +1,32 @@
+From d4d60b4caaa5926e1b243070770968f05656107a Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Mon, 14 Dec 2015 16:34:35 -0600
+Subject: rtlwifi: rtl8192de: Fix incorrect module parameter descriptions
+
+From: Larry Finger
+
+commit d4d60b4caaa5926e1b243070770968f05656107a upstream.
+
+Two of the module parameters are listed with incorrect default values.
+
+Signed-off-by: Larry Finger
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192de/sw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/sw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/sw.c
+@@ -376,8 +376,8 @@ module_param_named(swlps, rtl92de_mod_pa
+ module_param_named(fwlps, rtl92de_mod_params.fwctrl_lps, bool, 0444);
+ MODULE_PARM_DESC(swenc, "Set to 1 for software crypto (default 0)\n");
+ MODULE_PARM_DESC(ips, "Set to 0 to not use link power save (default 1)\n");
+-MODULE_PARM_DESC(swlps, "Set to 1 to use SW control power save (default 0)\n");
+-MODULE_PARM_DESC(fwlps, "Set to 1 to use FW control power save (default 1)\n");
++MODULE_PARM_DESC(swlps, "Set to 1 to use SW control power save (default 1)\n");
++MODULE_PARM_DESC(fwlps, "Set to 1 to use FW control power save (default 0)\n");
+ MODULE_PARM_DESC(debug, "Set debug level (0-5) (default 0)");
+
+ static SIMPLE_DEV_PM_OPS(rtlwifi_pm_ops, rtl_pci_suspend, rtl_pci_resume);
diff --git a/queue-4.4/rtlwifi-rtl8192se-fix-module-parameter-initialization.patch b/queue-4.4/rtlwifi-rtl8192se-fix-module-parameter-initialization.patch
new file mode 100644
index 00000000000..d06242f9f91
--- /dev/null
+++ b/queue-4.4/rtlwifi-rtl8192se-fix-module-parameter-initialization.patch
@@ -0,0 +1,43 @@
+From 7503efbd82c15c4070adffff1344e5169d3634b4 Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Mon, 14 Dec 2015 16:34:36 -0600
+Subject: rtlwifi: rtl8192se: Fix module parameter initialization
+
+From: Larry Finger
+
+commit 7503efbd82c15c4070adffff1344e5169d3634b4 upstream.
+
+Two of the module parameter descriptions show incorrect default values.
+In addition the value for software encryption is not transferred to
+the locations used by the driver.
+
+Signed-off-by: Larry Finger
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c
+@@ -187,6 +187,8 @@ static int rtl92s_init_sw_vars(struct ie
+ rtlpriv->psc.inactiveps = rtlpriv->cfg->mod_params->inactiveps;
+ rtlpriv->psc.swctrl_lps = rtlpriv->cfg->mod_params->swctrl_lps;
+ rtlpriv->psc.fwctrl_lps = rtlpriv->cfg->mod_params->fwctrl_lps;
++ rtlpriv->cfg->mod_params->sw_crypto =
++ rtlpriv->cfg->mod_params->sw_crypto;
+ if (!rtlpriv->psc.inactiveps)
+ pr_info("Power Save off (module option)\n");
+ if (!rtlpriv->psc.fwctrl_lps)
+@@ -425,8 +427,8 @@ module_param_named(swlps, rtl92se_mod_pa
+ module_param_named(fwlps, rtl92se_mod_params.fwctrl_lps, bool, 0444);
+ MODULE_PARM_DESC(swenc, "Set to 1 for software crypto (default 0)\n");
+ MODULE_PARM_DESC(ips, "Set to 0 to not use link power save (default 1)\n");
+-MODULE_PARM_DESC(swlps, "Set to 1 to use SW control power save (default 0)\n");
+-MODULE_PARM_DESC(fwlps, "Set to 1 to use FW control power save (default 1)\n");
++MODULE_PARM_DESC(swlps, "Set to 1 to use SW control power save (default 1)\n");
++MODULE_PARM_DESC(fwlps, "Set to 1 to use FW control power save (default 0)\n");
+ MODULE_PARM_DESC(debug, "Set debug level (0-5) (default 0)");
+
+ static SIMPLE_DEV_PM_OPS(rtlwifi_pm_ops, 
rtl_pci_suspend, rtl_pci_resume);
diff --git a/queue-4.4/rtlwifi-rtl8723ae-fix-initialization-of-module-parameters.patch b/queue-4.4/rtlwifi-rtl8723ae-fix-initialization-of-module-parameters.patch
new file mode 100644
index 00000000000..f37da88a338
--- /dev/null
+++ b/queue-4.4/rtlwifi-rtl8723ae-fix-initialization-of-module-parameters.patch
@@ -0,0 +1,61 @@
+From 793b09994211fbe0b5cd5f7b6dd8cc9b6256c3c6 Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Mon, 14 Dec 2015 16:34:32 -0600
+Subject: rtlwifi: rtl8723ae: Fix initialization of module parameters
+
+From: Larry Finger
+
+commit 793b09994211fbe0b5cd5f7b6dd8cc9b6256c3c6 upstream.
+
+This driver has some errors in the handling of module parameters. These
+include missing initialization for parameters msi_support and
+disable_watchdog. In addition, neither of these parameters nor sw_crypto
+are transferred into the locations used by the driver. A final fix is
+adding parameter msi to the module named and description macros.
+
+Signed-off-by: Larry Finger
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8723ae/sw.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/sw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/sw.c
+@@ -150,6 +150,11 @@ int rtl8723e_init_sw_vars(struct ieee802
+ rtlpriv->psc.inactiveps = rtlpriv->cfg->mod_params->inactiveps;
+ rtlpriv->psc.swctrl_lps = rtlpriv->cfg->mod_params->swctrl_lps;
+ rtlpriv->psc.fwctrl_lps = rtlpriv->cfg->mod_params->fwctrl_lps;
++ rtlpci->msi_support = rtlpriv->cfg->mod_params->msi_support;
++ rtlpriv->cfg->mod_params->sw_crypto =
++ rtlpriv->cfg->mod_params->sw_crypto;
++ rtlpriv->cfg->mod_params->disable_watchdog =
++ rtlpriv->cfg->mod_params->disable_watchdog;
+ if (rtlpriv->cfg->mod_params->disable_watchdog)
+ pr_info("watchdog disabled\n");
+ rtlpriv->psc.reg_fwctrl_lps = 3;
+@@ -267,6 +272,8 @@ static struct rtl_mod_params rtl8723e_mo
+ .swctrl_lps = false,
+ .fwctrl_lps = true,
+ .debug = DBG_EMERG,
++ .msi_support = false,
++ .disable_watchdog = false,
+ };
+
+ static struct rtl_hal_cfg rtl8723e_hal_cfg = {
+@@ -383,12 +390,14 @@ module_param_named(debug, rtl8723e_mod_p
+ module_param_named(ips, rtl8723e_mod_params.inactiveps, bool, 0444);
+ module_param_named(swlps, 
rtl8723e_mod_params.swctrl_lps, bool, 0444);
+ module_param_named(fwlps, rtl8723e_mod_params.fwctrl_lps, bool, 0444);
++module_param_named(msi, rtl8723e_mod_params.msi_support, bool, 0444);
+ module_param_named(disable_watchdog, rtl8723e_mod_params.disable_watchdog,
+ bool, 0444);
+ MODULE_PARM_DESC(swenc, "Set to 1 for software crypto (default 0)\n");
+ MODULE_PARM_DESC(ips, "Set to 0 to not use link power save (default 1)\n");
+ MODULE_PARM_DESC(swlps, "Set to 1 to use SW control power save (default 0)\n");
+ MODULE_PARM_DESC(fwlps, "Set to 1 to use FW control power save (default 1)\n");
++MODULE_PARM_DESC(msi, "Set to 1 to use MSI interrupts mode (default 0)\n");
+ MODULE_PARM_DESC(debug, "Set debug level (0-5) (default 0)");
+ MODULE_PARM_DESC(disable_watchdog, "Set to 1 to disable the watchdog (default 0)\n");
+
diff --git a/queue-4.4/rtlwifi-rtl8723be-fix-module-parameter-initialization.patch b/queue-4.4/rtlwifi-rtl8723be-fix-module-parameter-initialization.patch
new file mode 100644
index 00000000000..f44940331e6
--- /dev/null
+++ b/queue-4.4/rtlwifi-rtl8723be-fix-module-parameter-initialization.patch
@@ -0,0 +1,55 @@
+From 7079604ddb83f428359feace3aeaf8a9f435be4a Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Mon, 14 Dec 2015 16:34:31 -0600
+Subject: rtlwifi: rtl8723be: Fix module parameter initialization
+
+From: Larry Finger
+
+commit 7079604ddb83f428359feace3aeaf8a9f435be4a upstream.
+
+This driver has a number of errors in the module initialization. These
+include the following:
+
+Parameter msi_support is stored in two places - one is removed.
+Paramters sw_crypto and disable_watchdog were never stored in the final
+locations, nor were they initialized properly.
+
+Signed-off-by: Larry Finger
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c
+@@ -93,7 +93,6 @@ int rtl8723be_init_sw_vars(struct ieee80
+ struct rtl_mac *mac = rtl_mac(rtl_priv(hw));
+
+ rtl8723be_bt_reg_init(hw);
+- rtlpci->msi_support = rtlpriv->cfg->mod_params->msi_support;
+ rtlpriv->btcoexist.btc_ops = rtl_btc_get_ops_pointer();
+
+ rtlpriv->dm.dm_initialgain_enable = 1;
+@@ -151,6 +150,10 @@ int rtl8723be_init_sw_vars(struct ieee80
+ rtlpriv->psc.swctrl_lps = rtlpriv->cfg->mod_params->swctrl_lps;
+ rtlpriv->psc.fwctrl_lps = rtlpriv->cfg->mod_params->fwctrl_lps;
+ rtlpci->msi_support = rtlpriv->cfg->mod_params->msi_support;
++ rtlpriv->cfg->mod_params->sw_crypto =
++ rtlpriv->cfg->mod_params->sw_crypto;
++ rtlpriv->cfg->mod_params->disable_watchdog =
++ rtlpriv->cfg->mod_params->disable_watchdog;
+ if (rtlpriv->cfg->mod_params->disable_watchdog)
+ pr_info("watchdog disabled\n");
+ rtlpriv->psc.reg_fwctrl_lps = 3;
+@@ -267,6 +270,9 @@ static struct rtl_mod_params rtl8723be_m
+ .inactiveps = true,
+ .swctrl_lps = false,
+ .fwctrl_lps = true,
++ .msi_support = false,
++ .disable_watchdog = false,
++ .debug = DBG_EMERG,
+ };
+
+ static 
struct rtl_hal_cfg rtl8723be_hal_cfg = {
diff --git a/queue-4.4/rtlwifi-rtl_pci-fix-kernel-panic.patch b/queue-4.4/rtlwifi-rtl_pci-fix-kernel-panic.patch
new file mode 100644
index 00000000000..bc48fa24111
--- /dev/null
+++ b/queue-4.4/rtlwifi-rtl_pci-fix-kernel-panic.patch
@@ -0,0 +1,54 @@
+From f99551a2d39dc26ea03dc6761be11ac913eb2d57 Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Mon, 21 Dec 2015 17:05:08 -0600
+Subject: rtlwifi: rtl_pci: Fix kernel panic
+
+From: Larry Finger
+
+commit f99551a2d39dc26ea03dc6761be11ac913eb2d57 upstream.
+
+In commit 38506ecefab9 (rtlwifi: rtl_pci: Start modification for new
+drivers), a bug was introduced that causes a NULL pointer dereference.
+As this bug only affects the infrequently used RTL8192EE and only under
+low-memory conditions, it has taken a long time for the bug to show up.
+
+The bug was reported on the linux-wireless mailing list and also at
+https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/ as
+bug #1527603 (kernel crashes due to rtl8192ee driver on ubuntu 15.10).
+
+Fixes: 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for new drivers")
+Signed-off-by: Larry Finger
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -801,7 +801,9 @@ static void _rtl_pci_rx_interrupt(struct
+ hw_queue);
+ if (rx_remained_cnt == 0)
+ return;
+-
++ buffer_desc = &rtlpci->rx_ring[rxring_idx].buffer_desc[
++ rtlpci->rx_ring[rxring_idx].idx];
++ pdesc = (struct rtl_rx_desc *)skb->data;
+ } else { /* rx descriptor */
+ pdesc = &rtlpci->rx_ring[rxring_idx].desc[
+ rtlpci->rx_ring[rxring_idx].idx];
+@@ -824,13 +826,6 @@ static void _rtl_pci_rx_interrupt(struct
+ new_skb = dev_alloc_skb(rtlpci->rxbuffersize);
+ if (unlikely(!new_skb))
+ goto no_new;
+- if (rtlpriv->use_new_trx_flow) {
+- buffer_desc =
+- &rtlpci->rx_ring[rxring_idx].buffer_desc
+- [rtlpci->rx_ring[rxring_idx].idx];
+- /*means rx wifi info*/
+- pdesc = (struct rtl_rx_desc *)skb->data;
+- }
+ memset(&rx_status , 0 , sizeof(rx_status));
+ rtlpriv->cfg->ops->query_rx_desc(hw, &stats, 
&rx_status, (u8 *)pdesc, skb);
diff --git a/queue-4.4/series b/queue-4.4/series
index a1c29884b47..c18fa6ff9d4 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -100,3 +100,26 @@ s390-compat-correct-restore-of-high-gprs-on-signal-return.patch
 s390-fpu-signals-vs.-floating-point-control-register.patch
 uml-flush-stdout-before-forking.patch
 uml-fix-hostfs-mknod.patch
+um-link-with-lpthread.patch
+locks-fix-unlock-when-fcntl_setlk-races-with-a-close.patch
+rtlwifi-rtl_pci-fix-kernel-panic.patch
+rtlwifi-rtl8192cu-add-missing-parameter-setup.patch
+rtlwifi-rtl8192ce-fix-handling-of-module-parameters.patch
+rtlwifi-rtl8192de-fix-incorrect-module-parameter-descriptions.patch
+rtlwifi-rtl8723ae-fix-initialization-of-module-parameters.patch
+rtlwifi-rtl8192se-fix-module-parameter-initialization.patch
+rtlwifi-rtl8188ee-fix-module-parameter-initialization.patch
+rtlwifi-rtl8723be-fix-module-parameter-initialization.patch
+mei-fix-fasync-return-value-on-error.patch
+mei-validate-request-value-in-client-notify-request-ioctl.patch
+namei-d_inode-of-a-pinned-dentry-is-stable-only-for-positives.patch
+rc-sunxi-cir-initialize-the-spinlock-properly.patch
+media-dvb-core-don-t-force-can_inversion_auto-in-oneshot-mode.patch
+si2157-return-einval-if-firmware-blob-is-too-big.patch
+gspca-ov534-topro-prevent-a-division-by-0.patch
+vb2-fix-a-regression-in-poll-behavior-for-output-streams.patch
+tda1004x-only-update-the-frontend-properties-if-locked.patch
+dm-space-map-metadata-remove-unused-variable-in-brb_pop.patch
+dm-snapshot-fix-hung-bios-when-copy-error-occurs.patch
+dm-fix-dm_rq_target_io-leak-on-faults-with-.request_fn-dm-w-blk-mq-paths.patch
+coresight-checking-for-null-string-in-coresight_name_match.patch
diff --git a/queue-4.4/si2157-return-einval-if-firmware-blob-is-too-big.patch b/queue-4.4/si2157-return-einval-if-firmware-blob-is-too-big.patch
new file mode 100644
index 00000000000..e5ce5c8931b
--- /dev/null
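Review bot: Nothing in the new code records that `buffer_desc` and `pdesc` have to be assigned before the `dev_alloc_skb()` failure check in _rtl_pci_rx_interrupt(); the block is added to the `use_new_trx_flow` branch without a comment, and the `/*means rx wifi info*/` remark from the removed block is dropped. A short comment such as `/* set before the allocation below: the no_new path needs buffer_desc and pdesc */` would keep a later cleanup from moving the assignments back. That the `no_new` label uses both pointers is inferred from the commit message; the label and the rest of the function are outside the hunk.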
+++ b/queue-4.4/si2157-return-einval-if-firmware-blob-is-too-big.patch
@@ -0,0 +1,36 @@
+From d2cc2f0b35465951eaaf0387fd55e29835ed7ea6 Mon Sep 17 00:00:00 2001
+From: Laura Abbott
+Date: Mon, 5 Oct 2015 19:33:29 -0300
+Subject: [media] si2157: return -EINVAL if firmware blob is too big
+
+From: Laura Abbott
+
+commit d2cc2f0b35465951eaaf0387fd55e29835ed7ea6 upstream.
+
+A previous patch added a check if the firmware is too big, but it didn't
+set the return error code with the right value.
+
+[mchehab@osg.samsung.com: I ended by applying a v1 of Laura's patch, without
+ the proper return code. This patch contains the difference between v2 and v1 of
+ the Laura's "si2157: Bounds check firmware" patch]
+Signed-off-by: Laura Abbott
+Reviewed-by: Olli Salonen
+Tested-by: Olli Salonen
+Signed-off-by: Greg Kroah-Hartman
+
+Signed-off-by: Mauro Carvalho Chehab
+
+---
+ drivers/media/tuners/si2157.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/tuners/si2157.c
++++ b/drivers/media/tuners/si2157.c
+@@ -168,6 +168,7 @@ static int si2157_init(struct dvb_fronte
+ len = fw->data[fw->size - remaining];
+ if (len > SI2157_ARGLEN) {
+ dev_err(&client->dev, "Bad firmware length\n");
++ ret = -EINVAL;
+ goto err_release_firmware;
+ }
+ memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len);
diff --git a/queue-4.4/tda1004x-only-update-the-frontend-properties-if-locked.patch b/queue-4.4/tda1004x-only-update-the-frontend-properties-if-locked.patch
new file mode 100644
index 00000000000..1feaa7f7044
--- /dev/null
+++ b/queue-4.4/tda1004x-only-update-the-frontend-properties-if-locked.patch
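Review bot: `len` is compared only with the destination size `SI2157_ARGLEN`, so the `memcpy()` from `&fw->data[(fw->size - remaining) + 1]` in si2157_init() can still read past the end of the firmware blob when fewer than `len + 1` bytes remain. Unless the loop outside this hunk already guarantees that, the guard should bound the source as well, for example `if (len > SI2157_ARGLEN || len + 1 > remaining) {`. The declarations of `len` and `remaining` are outside the hunk, so their types need checking before that comparison is adopted.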
@@ -0,0 +1,48 @@
+From e8beb02343e7582980c6705816cd957cf4f74c7a Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab
+Date: Wed, 3 Feb 2016 17:33:48 -0200
+Subject: [media] tda1004x: only update the frontend properties if locked
+
+From: Mauro Carvalho Chehab
+
+commit e8beb02343e7582980c6705816cd957cf4f74c7a upstream.
+
+The tda1004x was updating the properties cache before locking.
+If the device is not locked, the data at the registers are just
+random values with no real meaning.
+
+This caused the driver to fail with libdvbv5, as such library
+calls GET_PROPERTY from time to time, in order to return the
+DVB stats.
+
+Tested with a saa7134 card 78:
+ ASUSTeK P7131 Dual, vendor PCI ID: 1043:4862
+
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/dvb-frontends/tda1004x.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/media/dvb-frontends/tda1004x.c
++++ b/drivers/media/dvb-frontends/tda1004x.c
+@@ -903,9 +903,18 @@ static int tda1004x_get_fe(struct dvb_fr
+ {
+ struct dtv_frontend_properties *fe_params = &fe->dtv_property_cache;
+ struct tda1004x_state* state = fe->demodulator_priv;
++ int status;
+
+ dprintk("%s\n", __func__);
+
++ status = tda1004x_read_byte(state, TDA1004X_STATUS_CD);
++ if (status == -1)
++ return -EIO;
++
++ /* Only update the properties cache if device is locked */
++ if (!(status & 8))
++ return 0;
++
+ // inversion status
+ fe_params->inversion = INVERSION_OFF;
+ if (tda1004x_read_byte(state, TDA1004X_CONFC1) & 0x20)
diff --git a/queue-4.4/um-link-with-lpthread.patch b/queue-4.4/um-link-with-lpthread.patch
new file mode 100644
index 00000000000..53c3317135f
--- /dev/null
+++ b/queue-4.4/um-link-with-lpthread.patch
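Review bot: The lock test `if (!(status & 8))` in tda1004x_get_fe() uses a bare bit value; a named constant, or a comment saying which bit of `TDA1004X_STATUS_CD` means locked, would make the early return easier to audit. The new read is checked for `-1`, but the `tda1004x_read_byte(state, TDA1004X_CONFC1) & 0x20` test in the context lines just below is not, so a failed read there would be taken as a set bit; storing the result and returning `-EIO` on `-1` would match the added code. The function continues past the end of the hunk, so later register reads may need the same treatment.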
@@ -0,0 +1,41 @@
+From a7df4716d19594b7b3f106f0bc0ca1c548e508e6 Mon Sep 17 00:00:00 2001
+From: Vegard Nossum
+Date: Thu, 31 Dec 2015 17:06:17 +0100
+Subject: um: link with -lpthread
+
+From: Vegard Nossum
+
+commit a7df4716d19594b7b3f106f0bc0ca1c548e508e6 upstream.
+
+Similarly to commit fb1770aa78a43530940d0c2dd161e77bc705bdac, with gcc 5
+on Ubuntu and CONFIG_STATIC_LINK=y I was seeing these linker errors:
+
+/usr/lib/gcc/x86_64-linux-gnu/5/../../../x86_64-linux-gnu/librt.a(timer_create.o): In function `__timer_create_new':
+(.text+0xcd): undefined reference to `pthread_once'
+/usr/lib/gcc/x86_64-linux-gnu/5/../../../x86_64-linux-gnu/librt.a(timer_create.o): In function `__timer_create_new':
+(.text+0x126): undefined reference to `pthread_attr_init'
+/usr/lib/gcc/x86_64-linux-gnu/5/../../../x86_64-linux-gnu/librt.a(timer_create.o): In function `__timer_create_new':
+(.text+0x168): undefined reference to `pthread_attr_setdetachstate'
+[...]
+
+Obviously we also need -lpthread for librt.a.
+
+Signed-off-by: Vegard Nossum
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ scripts/link-vmlinux.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/link-vmlinux.sh
++++ b/scripts/link-vmlinux.sh
+@@ -62,7 +62,7 @@ vmlinux_link()
+ -Wl,--start-group \
+ ${KBUILD_VMLINUX_MAIN} \
+ -Wl,--end-group \
+- -lutil -lrt ${1}
++ -lutil -lrt -lpthread ${1}
+ rm -f linux
+ fi
+ }
diff --git a/queue-4.4/vb2-fix-a-regression-in-poll-behavior-for-output-streams.patch b/queue-4.4/vb2-fix-a-regression-in-poll-behavior-for-output-streams.patch
new file mode 100644
index 00000000000..9f9c0f15ec4
--- /dev/null
+++ b/queue-4.4/vb2-fix-a-regression-in-poll-behavior-for-output-streams.patch
@@ -0,0 +1,44 @@
+From 4623e5967448444a4ea1e77beb58898c4af48693 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Thu, 29 Oct 2015 03:02:06 -0200
+Subject: [media] vb2: fix a regression in poll() behavior for output,streams
+
+From: Hans Verkuil
+
+commit 4623e5967448444a4ea1e77beb58898c4af48693 upstream.
+
+In the 3.17 kernel the poll() behavior changed for output streams:
+as long as not all buffers were queued up poll() would return that
+userspace can write. This is fine for the write() call, but when
+using stream I/O this changed the behavior since the expectation
+was that it would wait for buffers to become available for dequeuing.
+
+This patch only enables the check whether you can queue buffers
+for file I/O only, and skips it for stream I/O.
+
+Signed-off-by: Hans Verkuil
+Acked-by: Laurent Pinchart
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/v4l2-core/videobuf2-v4l2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-v4l2.c
++++ b/drivers/media/v4l2-core/videobuf2-v4l2.c
+@@ -822,10 +822,10 @@ unsigned int vb2_poll(struct vb2_queue *
+ return res | POLLERR;
+
+ /*
+- * For output streams you can write as long as there are fewer buffers
+- * queued than there are buffers available.
++ * For output streams you can call write() as long as there are fewer
++ * buffers queued than there are buffers available.
+ */
+- if (q->is_output && q->queued_count < q->num_buffers)
++ if (q->is_output && q->fileio && q->queued_count < q->num_buffers)
+ return res | POLLOUT | POLLWRNORM;
+
+ if (list_empty(&q->done_list)) {