From: Greg Kroah-Hartman Date: Mon, 7 Dec 2015 08:14:42 +0000 (-0800) Subject: 4.2-stable patches X-Git-Tag: v3.10.94~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e72951d84768cf7ea64de7dbd5487adf2c98a5b6;p=thirdparty%2Fkernel%2Fstable-queue.git 4.2-stable patches added patches: arm64-fix-compat-register-mappings.patch arm64-page-align-sections-for-debug_rodata.patch ath10k-fix-invalid-nss-for-4x4-devices.patch ath10k-use-station-s-current-operating-mode-from-assoc-request.patch bluetooth-ath3k-add-new-ar3012-0930-021c-id.patch bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch bluetooth-fix-removing-connection-parameters-when-unpairing.patch bluetooth-hidp-fix-device-disconnect-on-idle-timeout.patch can-sja1000-clear-interrupts-on-start.patch can-use-correct-type-in-sizeof-in-nla_put.patch clk-iproc-fix-pll-output-frequency-calculation.patch clk-versatile-icst-fix-memory-leak.patch fs-proc-core-debug-don-t-expose-absolute-kernel-addresses-via-wchan.patch iwlwifi-add-new-pci-ids-for-the-8260-series.patch iwlwifi-pcie-fix-again-prepare-card-flow.patch kvm-s390-avoid-memory-overwrites-on-emergency-signal-injection.patch kvm-s390-fix-wrong-lookup-of-vcpus-by-array-index.patch kvm-s390-sca-must-not-cross-page-boundaries.patch kvm-x86-add-read_phys-to-x86_emulate_ops.patch kvm-x86-allow-rsm-from-64-bit-mode.patch kvm-x86-handle-smbase-as-physical-address-in-rsm.patch kvm-x86-obey-kvm_x86_quirk_cd_nw_cleared-in-kvm_set_cr0.patch kvm-x86-set-kvm_req_event-when-updating-irr.patch kvm-x86-work-around-infinite-loop-in-microcode-when-ac-is-delivered.patch kvm-x86-zero-efer-on-init.patch mac80211-allow-null-chandef-in-tracing.patch mac80211-fix-divide-by-zero-when-noa-update.patch mac80211-fix-driver-rssi-event-calculations.patch mac80211-fix-local-deauth-while-associating.patch mfd-twl6040-fix-deferred-probe-handling-for-clk32k.patch mips-ath79-fix-the-ddr-control-initialization-on-ar71xx-and-ar934x.patch 
mips-cdmm-add-builtin_mips_cdmm_driver-macro.patch mips-kvm-fix-asid-restoration-logic.patch mips-kvm-fix-cache-immediate-offset-sign-extension.patch mips-kvm-uninit-vcpu-in-vcpu_create-error-path.patch mips-lantiq-add-clk_round_rate.patch mwifiex-fix-mwifiex_rdeeprom_read.patch net-mvneta-fix-cpu_map-registers-initialisation.patch net-mvneta-fix-error-path-for-building-skb.patch nfc-nci-extract-pipe-value-using-nci_hcp_msg_get_pipe.patch nfc-nci-fix-improper-management-of-hci-return-code.patch nfc-nci-fix-incorrect-data-chaining-when-sending-data.patch nl80211-fix-potential-memory-leak-from-parse_acl_data.patch staging-rtl8712-add-device-id-for-sitecom-wla2100.patch x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch x86-cpu-fix-smap-check-in-pvops-environments.patch x86-fpu-fix-32-bit-signal-frame-handling.patch x86-fpu-fix-get_xsave_addr-behavior-under-virtualization.patch x86-irq-probe-for-pic-presence-before-allocating-descs-for-legacy-irqs.patch x86-mpx-do-proper-get_user-when-running-32-bit-binaries-on-64-bit-kernels.patch x86-mpx-fix-32-bit-address-space-calculation.patch x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch x86-setup-fix-low-identity-map-for-2gb-kernel-range.patch --- diff --git a/queue-4.2/arm64-fix-compat-register-mappings.patch b/queue-4.2/arm64-fix-compat-register-mappings.patch new file mode 100644 index 00000000000..6b6c43dbe62 --- /dev/null +++ b/queue-4.2/arm64-fix-compat-register-mappings.patch 
@@ -0,0 +1,51 @@
+From 5accd17d0eb523350c9ef754d655e379c9bb93b3 Mon Sep 17 00:00:00 2001
+From: Robin Murphy
+Date: Thu, 22 Oct 2015 15:41:52 +0100
+Subject: arm64: Fix compat register mappings
+
+From: Robin Murphy
+
+commit 5accd17d0eb523350c9ef754d655e379c9bb93b3 upstream.
+
+For reasons not entirely apparent, but now enshrined in history, the
+architectural mapping of AArch32 banked registers to AArch64 registers
+actually orders SP_ and LR_ backwards compared to the
+intuitive r13/r14 order, for all modes except FIQ.
+
+Fix the compat__ macros accordingly, in the hope of avoiding
+subtle bugs with KVM and AArch32 guests.
+
+Signed-off-by: Robin Murphy
+Acked-by: Will Deacon
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/include/asm/ptrace.h | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/arch/arm64/include/asm/ptrace.h
++++ b/arch/arm64/include/asm/ptrace.h
+@@ -83,14 +83,14 @@
+ #define compat_sp regs[13]
+ #define compat_lr regs[14]
+ #define compat_sp_hyp regs[15]
+-#define compat_sp_irq regs[16]
+-#define compat_lr_irq regs[17]
+-#define compat_sp_svc regs[18]
+-#define compat_lr_svc regs[19]
+-#define compat_sp_abt regs[20]
+-#define compat_lr_abt regs[21]
+-#define compat_sp_und regs[22]
+-#define compat_lr_und regs[23]
++#define compat_lr_irq regs[16]
++#define compat_sp_irq regs[17]
++#define compat_lr_svc regs[18]
++#define compat_sp_svc regs[19]
++#define compat_lr_abt regs[20]
++#define compat_sp_abt regs[21]
++#define compat_lr_und regs[22]
++#define compat_sp_und regs[23]
+ #define compat_r8_fiq regs[24]
+ #define compat_r9_fiq regs[25]
+ #define compat_r10_fiq regs[26]
diff --git a/queue-4.2/arm64-page-align-sections-for-debug_rodata.patch b/queue-4.2/arm64-page-align-sections-for-debug_rodata.patch
new file mode 100644
index 00000000000..8397c4aeca5
--- /dev/null
+++ b/queue-4.2/arm64-page-align-sections-for-debug_rodata.patch
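Review bot: The new ordering in ptrace.h places the LR macro before the SP macro for the IRQ/SVC/ABT/UND modes with nothing in the header to say this is deliberate, so the next reader is likely to "correct" it back to the intuitive SP-then-LR order and reintroduce the bug. A comment above the `compat_lr_irq` line would pin the intent, e.g. `/* For every mode except FIQ the AArch64 mapping orders LR_<mode> before SP_<mode>, the reverse of the r13/r14 order */`. The macro block continues outside the hunk on both sides, so the FIQ entries that keep the intuitive order are only partly visible here.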
@@ -0,0 +1,51 @@
+From cb083816ab5ac3d10a9417527f07fc5962cc3808 Mon Sep 17 00:00:00 2001
+From: Mark Rutland
+Date: Mon, 26 Oct 2015 21:42:33 +0000
+Subject: arm64: page-align sections for DEBUG_RODATA
+
+From: Mark Rutland
+
+commit cb083816ab5ac3d10a9417527f07fc5962cc3808 upstream.
+
+A kernel built with DEBUG_RO_DATA && !CONFIG_DEBUG_ALIGN_RODATA doesn't
+have .text aligned to a page boundary, though fixup_executable works at
+page-granularity thanks to its use of create_mapping. If .text is not
+page-aligned, the first page it exists in may be marked non-executable,
+leading to failures when an attempt is made to execute code in said
+page.
+
+This patch upgrades ALIGN_DEBUG_RO and ALIGN_DEBUG_RO_MIN to force page
+alignment for DEBUG_RO_DATA && !CONFIG_DEBUG_ALIGN_RODATA kernels,
+ensuring that all sections with specific RWX permission requirements are
+mapped with the correct permissions.
+
+Signed-off-by: Mark Rutland
+Reported-by: Jeremy Linton
+Reviewed-by: Laura Abbott
+Acked-by: Ard Biesheuvel
+Cc: Suzuki Poulose
+Cc: Will Deacon
+Fixes: da141706aea52c1a ("arm64: add better page protections to arm64")
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/vmlinux.lds.S | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/vmlinux.lds.S
++++ b/arch/arm64/kernel/vmlinux.lds.S
+@@ -60,9 +60,12 @@ PECOFF_FILE_ALIGNMENT = 0x200;
+ #define PECOFF_EDATA_PADDING
+ #endif
+
+-#ifdef CONFIG_DEBUG_ALIGN_RODATA
++#if defined(CONFIG_DEBUG_ALIGN_RODATA)
+ #define ALIGN_DEBUG_RO . = ALIGN(1< +Date: Tue, 3 Nov 2015 11:51:33 +0530
+Subject: ath10k: fix invalid NSS for 4x4 devices
+
+From: Rajkumar Manoharan
+
+commit f680f70adbeab28b35f849016b964dd645db6237 upstream.
+
+The number of spatial streams that are derived from chain mask
+for 4x4 devices is using wrong bitmask and conditional check.
+This is affecting downlink throughput for QCA99x0 devices. Earlier
+cfg_tx_chainmask is not filled by default until user configured it
+and so get_nss_from_chainmask never be called. This issue is exposed
+by recent commit 166de3f1895d ("ath10k: remove supported chain mask").
+By default maximum supported chain mask is filled in cfg_tx_chainmask.
+
+Fixes: 5572a95b4b ("ath10k: apply chainmask settings to vdev on creation")
+Signed-off-by: Rajkumar Manoharan
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -4022,7 +4022,7 @@ static int ath10k_config(struct ieee8021
+
+ static u32 get_nss_from_chainmask(u16 chain_mask)
+ {
+- if ((chain_mask & 0x15) == 0x15)
++ if ((chain_mask & 0xf) == 0xf)
+ return 4;
+ else if ((chain_mask & 0x7) == 0x7)
+ return 3;
diff --git a/queue-4.2/ath10k-use-station-s-current-operating-mode-from-assoc-request.patch b/queue-4.2/ath10k-use-station-s-current-operating-mode-from-assoc-request.patch
new file mode 100644
index 00000000000..11617c74c93
--- /dev/null
+++ b/queue-4.2/ath10k-use-station-s-current-operating-mode-from-assoc-request.patch
@@ -0,0 +1,43 @@
+From 72f8cef5d1155209561b01e092ce1a04ad50c4cb Mon Sep 17 00:00:00 2001
+From: Vivek Natarajan
+Date: Tue, 6 Oct 2015 15:19:34 +0300
+Subject: ath10k: use station's current operating mode from assoc request
+
+From: Vivek Natarajan
+
+commit 72f8cef5d1155209561b01e092ce1a04ad50c4cb upstream.
+
+The current number of spatial streams used by the client is advertised
+as a separate IE in assoc request. Use this information to set
+the NSS operating mode.
+
+Fixes: 45c9abc059fa ("ath10k: implement more versatile set_bitrate_mask").
+Signed-off-by: Vivek Natarajan
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -2070,7 +2070,8 @@ static void ath10k_peer_assoc_h_ht(struc
+ enum ieee80211_band band;
+ const u8 *ht_mcs_mask;
+ const u16 *vht_mcs_mask;
+- int i, n, max_nss;
++ int i, n;
++ u8 max_nss;
+ u32 stbc;
+
+ lockdep_assert_held(&ar->conf_mutex);
+@@ -2155,7 +2156,7 @@ static void ath10k_peer_assoc_h_ht(struc
+ arg->peer_ht_rates.rates[i] = i;
+ } else {
+ arg->peer_ht_rates.num_rates = n;
+- arg->peer_num_spatial_streams = max_nss;
++ arg->peer_num_spatial_streams = min(sta->rx_nss, max_nss);
+ }
+
+ ath10k_dbg(ar, ATH10K_DBG_MAC, "mac ht peer %pM mcs cnt %d nss %d\n",
diff --git a/queue-4.2/bluetooth-ath3k-add-new-ar3012-0930-021c-id.patch b/queue-4.2/bluetooth-ath3k-add-new-ar3012-0930-021c-id.patch
new file mode 100644
index 00000000000..4198e52be82
--- /dev/null
+++ b/queue-4.2/bluetooth-ath3k-add-new-ar3012-0930-021c-id.patch
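Review bot: `max_nss` is narrowed from int to u8 in the first hunk with no explanation; presumably this is so that `min(sta->rx_nss, max_nss)` in the second hunk type-checks against `rx_nss`, and a comment would spare the next reader the detour, e.g. `u8 max_nss; /* u8 so min() can compare it with sta->rx_nss */`. Note also that if `rx_nss` has not been populated for the station (still 0) the min() collapses `peer_num_spatial_streams` to 0; whether the caller guarantees a non-zero `rx_nss` at this point cannot be confirmed from the hunk. ath10k_peer_assoc_h_ht begins and ends outside both hunks.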
@@ -0,0 +1,57 @@
+From cd355ff071cd37e7197eccf9216770b2b29369f7 Mon Sep 17 00:00:00 2001
+From: Dmitry Tunin
+Date: Mon, 5 Oct 2015 19:29:33 +0300
+Subject: Bluetooth: ath3k: Add new AR3012 0930:021c id
+
+From: Dmitry Tunin
+
+commit cd355ff071cd37e7197eccf9216770b2b29369f7 upstream.
+
+This adapter works with the existing linux-firmware.
+
+T: Bus=01 Lev=01 Prnt=01 Port=03 Cnt=02 Dev#= 3 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0930 ProdID=021c Rev=00.01
+C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+BugLink: https://bugs.launchpad.net/bugs/1502781
+
+Signed-off-by: Dmitry Tunin
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/bluetooth/ath3k.c | 2 ++
+ drivers/bluetooth/btusb.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -93,6 +93,7 @@ static const struct usb_device_id ath3k_
+ { USB_DEVICE(0x04CA, 0x300f) },
+ { USB_DEVICE(0x04CA, 0x3010) },
+ { USB_DEVICE(0x0930, 0x0219) },
++ { USB_DEVICE(0x0930, 0x021c) },
+ { USB_DEVICE(0x0930, 0x0220) },
+ { USB_DEVICE(0x0930, 0x0227) },
+ { USB_DEVICE(0x0b05, 0x17d0) },
+@@ -153,6 +154,7 @@ static const struct usb_device_id ath3k_
+ { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -192,6 +192,7 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
diff --git a/queue-4.2/bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch b/queue-4.2/bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch
new file mode 100644
index 00000000000..b6ff8973fae
--- /dev/null
+++ b/queue-4.2/bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch
@@ -0,0 +1,55 @@
+From 18e0afab8ce3f1230ce3fef52b2e73374fd9c0e7 Mon Sep 17 00:00:00 2001
+From: Dmitry Tunin
+Date: Fri, 16 Oct 2015 11:45:26 +0300
+Subject: Bluetooth: ath3k: Add support of AR3012 0cf3:817b device
+
+From: Dmitry Tunin
+
+commit 18e0afab8ce3f1230ce3fef52b2e73374fd9c0e7 upstream.
+
+T: Bus=04 Lev=02 Prnt=02 Port=04 Cnt=01 Dev#= 3 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0cf3 ProdID=817b Rev=00.02
+C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+BugLink: https://bugs.launchpad.net/bugs/1506615
+
+Signed-off-by: Dmitry Tunin
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/bluetooth/ath3k.c | 2 ++
+ drivers/bluetooth/btusb.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -105,6 +105,7 @@ static const struct usb_device_id ath3k_
+ { USB_DEVICE(0x0CF3, 0x311F) },
+ { USB_DEVICE(0x0cf3, 0x3121) },
+ { USB_DEVICE(0x0CF3, 0x817a) },
++ { USB_DEVICE(0x0CF3, 0x817b) },
+ { USB_DEVICE(0x0cf3, 0xe003) },
+ { USB_DEVICE(0x0CF3, 0xE004) },
+ { USB_DEVICE(0x0CF3, 0xE005) },
+@@ -166,6 +167,7 @@ static const struct usb_device_id ath3k_
+ { USB_DEVICE(0x0cf3, 0x311F), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0CF3, 0x817a), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0CF3, 0x817b), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe006), .driver_info = BTUSB_ATH3012 },
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -204,6 +204,7 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0cf3, 0x817b), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
diff --git a/queue-4.2/bluetooth-fix-removing-connection-parameters-when-unpairing.patch b/queue-4.2/bluetooth-fix-removing-connection-parameters-when-unpairing.patch
new file mode 100644
index 00000000000..d0689dc8b7a
--- /dev/null
+++ b/queue-4.2/bluetooth-fix-removing-connection-parameters-when-unpairing.patch
@@ -0,0 +1,62 @@
+From a6ad2a6b9cc1d9d791aee5462cfb8528f366f1d4 Mon Sep 17 00:00:00 2001
+From: Johan Hedberg
+Date: Mon, 19 Oct 2015 10:51:47 +0300
+Subject: Bluetooth: Fix removing connection parameters when unpairing
+
+From: Johan Hedberg
+
+commit a6ad2a6b9cc1d9d791aee5462cfb8528f366f1d4 upstream.
+
+The commit 89cbb0638e9b7 introduced support for deferred connection
+parameter removal when unpairing by removing them only once an
+existing connection gets disconnected. However, it failed to address
+the scenario when we're *not* connected and do an unpair operation.
+
+What makes things worse is that most user space BlueZ versions will
+first issue a disconnect request and only then unpair, meaning the
+buggy code will be triggered every time. This effectively causes the
+kernel to resume scanning and reconnect to a device for which we've
+removed all keys and GATT database information.
+
+This patch fixes the issue by adding the missing call to the
+hci_conn_params_del() function to a branch which handles the case of
+no existing connection.
+
+Signed-off-by: Johan Hedberg
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/mgmt.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -3090,6 +3090,11 @@ static int unpair_device(struct sock *sk
+ } else {
+ u8 addr_type;
+
++ if (cp->addr.type == BDADDR_LE_PUBLIC)
++ addr_type = ADDR_LE_DEV_PUBLIC;
++ else
++ addr_type = ADDR_LE_DEV_RANDOM;
++
+ conn = hci_conn_hash_lookup_ba(hdev, LE_LINK,
+ &cp->addr.bdaddr);
+ if (conn) {
+@@ -3105,13 +3110,10 @@ static int unpair_device(struct sock *sk
+ */
+ if (!cp->disconnect)
+ conn = NULL;
++ } else {
++ hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type);
+ }
+
+- if (cp->addr.type == BDADDR_LE_PUBLIC)
+- addr_type = ADDR_LE_DEV_PUBLIC;
+- else
+- addr_type = ADDR_LE_DEV_RANDOM;
+-
+ hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type);
+
+ err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type);
diff --git a/queue-4.2/bluetooth-hidp-fix-device-disconnect-on-idle-timeout.patch b/queue-4.2/bluetooth-hidp-fix-device-disconnect-on-idle-timeout.patch
new file mode 100644
index 00000000000..3af2130a20c
--- /dev/null
+++ b/queue-4.2/bluetooth-hidp-fix-device-disconnect-on-idle-timeout.patch
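Review bot: The new `else` branch that calls hci_conn_params_del() has no comment, while the reason the connected branch does not drop the params (deferred removal on disconnect, per the 89cbb0638e9b7 reference in the message) lives only in the commit log; a one-liner next to the call keeps the two branches readable together, e.g. `/* Not connected: drop the params now; otherwise they go away on disconnect */`. Hoisting the addr_type computation above the lookup is required because the new branch consumes it before the later hci_remove_irk() call, so that reordering is fine as shown. unpair_device begins and ends outside these hunks.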
@@ -0,0 +1,75 @@
+From 660f0fc07d21114549c1862e67e78b1cf0c90c29 Mon Sep 17 00:00:00 2001
+From: David Herrmann
+Date: Mon, 7 Sep 2015 12:05:41 +0200
+Subject: Bluetooth: hidp: fix device disconnect on idle timeout
+
+From: David Herrmann
+
+commit 660f0fc07d21114549c1862e67e78b1cf0c90c29 upstream.
+
+The HIDP specs define an idle-timeout which automatically disconnects a
+device. This has always been implemented in the HIDP layer and forced a
+synchronous shutdown of the hidp-scheduler. This works just fine, but
+lacks a forced disconnect on the underlying l2cap channels. This has been
+broken since:
+
+ commit 5205185d461d5902325e457ca80bd421127b7308
+ Author: David Herrmann
+ Date: Sat Apr 6 20:28:47 2013 +0200
+
+ Bluetooth: hidp: remove old session-management
+
+The old session-management always forced an l2cap error on the ctrl/intr
+channels when shutting down. The new session-management skips this, as we
+don't want to enforce channel policy on the caller. In other words, if
+user-space removes an HIDP device, the underlying channels (which are
+*owned* and *referenced* by user-space) are still left active. User-space
+needs to call shutdown(2) or close(2) to release them.
+
+Unfortunately, this does not work with idle-timeouts. There is no way to
+signal user-space that the HIDP layer has been stopped. The API simply
+does not support any event-passing except for poll(2). Hence, we restore
+old behavior and force EUNATCH on the sockets if the HIDP layer is
+disconnected due to idle-timeouts (behavior of explicit disconnects
+remains unmodified). User-space can still call
+
+ getsockopt(..., SO_ERROR, ...)
+
+..to retrieve the EUNATCH error and clear sk_err. Hence, the channels can
+still be re-used (which nobody does so far, though). Therefore, the API
+still supports the new behavior, but with this patch it's also compatible
+to the old implicit channel shutdown.
+
+Reported-by: Mark Haun
+Reported-by: Luiz Augusto von Dentz
+Signed-off-by: David Herrmann
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/hidp/core.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -401,6 +401,20 @@ static void hidp_idle_timeout(unsigned l
+ {
+ struct hidp_session *session = (struct hidp_session *) arg;
+
++ /* The HIDP user-space API only contains calls to add and remove
++ * devices. There is no way to forward events of any kind. Therefore,
++ * we have to forcefully disconnect a device on idle-timeouts. This is
++ * unfortunate and weird API design, but it is spec-compliant and
++ * required for backwards-compatibility. Hence, on idle-timeout, we
++ * signal driver-detach events, so poll() will be woken up with an
++ * error-condition on both sockets.
++ */
++
++ session->intr_sock->sk->sk_err = EUNATCH;
++ session->ctrl_sock->sk->sk_err = EUNATCH;
++ wake_up_interruptible(sk_sleep(session->intr_sock->sk));
++ wake_up_interruptible(sk_sleep(session->ctrl_sock->sk));
++
+ hidp_session_terminate(session);
+ }
+
diff --git a/queue-4.2/can-sja1000-clear-interrupts-on-start.patch b/queue-4.2/can-sja1000-clear-interrupts-on-start.patch
new file mode 100644
index 00000000000..5e7425a5ed2
--- /dev/null
+++ b/queue-4.2/can-sja1000-clear-interrupts-on-start.patch
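Review bot: The two `sk_err = EUNATCH` stores are followed by open-coded `wake_up_interruptible(sk_sleep(...))` calls, whereas the established way to report a socket error is `sk->sk_error_report(sk)`, which also notifies async (fasync/SIGIO) waiters rather than only poll() sleepers; since the comment speaks only of poll(), it is worth confirming whether the narrower wake-up is intended or just an omission. The hunk also dereferences `session->intr_sock` and `session->ctrl_sock` unconditionally; presumably a live session always has both sockets, but nothing in the hunk establishes that. hidp_idle_timeout starts outside the hunk, so the callers' locking context is not visible here.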
@@ -0,0 +1,46 @@
+From 7cecd9ab80f43972c056dc068338f7bcc407b71c Mon Sep 17 00:00:00 2001
+From: Mirza Krak
+Date: Tue, 10 Nov 2015 14:59:34 +0100
+Subject: can: sja1000: clear interrupts on start
+
+From: Mirza Krak
+
+commit 7cecd9ab80f43972c056dc068338f7bcc407b71c upstream.
+
+According to SJA1000 data sheet error-warning (EI) interrupt is not
+cleared by setting the controller in to reset-mode.
+
+Then if we have the following case:
+- system is suspended (echo mem > /sys/power/state) and SJA1000 is left
+ in operating state
+- A bus error condition occurs which activates EI interrupt, system is
+ still suspended which means EI interrupt will be not be handled nor
+ cleared.
+
+If the above two events occur, on resume there is no way to return the
+SJA1000 to operating state, except to cycle power to it.
+
+By simply reading the IR register on start we will clear any previous
+conditions that could be present.
+
+Signed-off-by: Mirza Krak
+Reported-by: Christian Magnusson
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/sja1000/sja1000.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/can/sja1000/sja1000.c
++++ b/drivers/net/can/sja1000/sja1000.c
+@@ -218,6 +218,9 @@ static void sja1000_start(struct net_dev
+ priv->write_reg(priv, SJA1000_RXERR, 0x0);
+ priv->read_reg(priv, SJA1000_ECC);
+
++ /* clear interrupt flags */
++ priv->read_reg(priv, SJA1000_IR);
++
+ /* leave reset mode */
+ set_normal_mode(dev);
+ }
diff --git a/queue-4.2/can-use-correct-type-in-sizeof-in-nla_put.patch b/queue-4.2/can-use-correct-type-in-sizeof-in-nla_put.patch
new file mode 100644
index 00000000000..8575d209ae3
--- /dev/null
+++ b/queue-4.2/can-use-correct-type-in-sizeof-in-nla_put.patch
</gr_insert_placeholder_never_used>
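Review bot: The added `/* clear interrupt flags */` comment says what the read does but not why a read with a discarded result is needed, which is exactly the kind of line a later cleanup removes as dead; the reason given in the commit log belongs next to the access, e.g. `/* reading IR clears pending flags (e.g. EI) that reset mode leaves set, so stale state does not survive suspend/resume */`. The discarded return value is intentional here, as the preceding `priv->read_reg(priv, SJA1000_ECC);` shows the same idiom. sja1000_start begins outside the hunk.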
@@ -0,0 +1,33 @@
+From 562b103a21974c2f9cd67514d110f918bb3e1796 Mon Sep 17 00:00:00 2001
+From: Marek Vasut
+Date: Fri, 30 Oct 2015 13:48:19 +0100
+Subject: can: Use correct type in sizeof() in nla_put()
+
+From: Marek Vasut
+
+commit 562b103a21974c2f9cd67514d110f918bb3e1796 upstream.
+
+The sizeof() is invoked on an incorrect variable, likely due to some
+copy-paste error, and this might result in memory corruption. Fix this.
+
+Signed-off-by: Marek Vasut
+Cc: Wolfgang Grandegger
+Cc: netdev@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -915,7 +915,7 @@ static int can_fill_info(struct sk_buff
+ nla_put(skb, IFLA_CAN_BITTIMING_CONST,
+ sizeof(*priv->bittiming_const), priv->bittiming_const)) ||
+
+- nla_put(skb, IFLA_CAN_CLOCK, sizeof(cm), &priv->clock) ||
++ nla_put(skb, IFLA_CAN_CLOCK, sizeof(priv->clock), &priv->clock) ||
+ nla_put_u32(skb, IFLA_CAN_STATE, state) ||
+ nla_put(skb, IFLA_CAN_CTRLMODE, sizeof(cm), &cm) ||
+ nla_put_u32(skb, IFLA_CAN_RESTART_MS, priv->restart_ms) ||
diff --git a/queue-4.2/clk-iproc-fix-pll-output-frequency-calculation.patch b/queue-4.2/clk-iproc-fix-pll-output-frequency-calculation.patch
new file mode 100644
index 00000000000..754329b21bf
--- /dev/null
+++ b/queue-4.2/clk-iproc-fix-pll-output-frequency-calculation.patch
@@ -0,0 +1,64 @@
+From 63243a4da7d0dfa19dcacd0a529782eeb2f86f92 Mon Sep 17 00:00:00 2001
+From: Simran Rai
+Date: Mon, 19 Oct 2015 15:27:19 -0700
+Subject: clk: iproc: Fix PLL output frequency calculation
+
+From: Simran Rai
+
+commit 63243a4da7d0dfa19dcacd0a529782eeb2f86f92 upstream.
+
+This patch affects the clocks that use fractional ndivider in their
+PLL output frequency calculation. Instead of 2^20 divide factor, the
+clock's ndiv integer shift was used. Fixed the bug by replacing ndiv
+integer shift with 2^20 factor.
+
+Signed-off-by: Simran Rai
+Signed-off-by: Ray Jui
+Reviewed-by: Scott Branden
+Fixes: 5fe225c105fd ("clk: iproc: add initial common clock support")
+Signed-off-by: Michael Turquette
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/clk/bcm/clk-iproc-pll.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/drivers/clk/bcm/clk-iproc-pll.c
++++ b/drivers/clk/bcm/clk-iproc-pll.c
+@@ -345,8 +345,8 @@ static unsigned long iproc_pll_recalc_ra
+ struct iproc_pll *pll = clk->pll;
+ const struct iproc_pll_ctrl *ctrl = pll->ctrl;
+ u32 val;
+- u64 ndiv;
+- unsigned int ndiv_int, ndiv_frac, pdiv;
++ u64 ndiv, ndiv_int, ndiv_frac;
++ unsigned int pdiv;
+
+ if (parent_rate == 0)
+ return 0;
+@@ -366,22 +366,19 @@ static unsigned long iproc_pll_recalc_ra
+ val = readl(pll->pll_base + ctrl->ndiv_int.offset);
+ ndiv_int = (val >> ctrl->ndiv_int.shift) &
+ bit_mask(ctrl->ndiv_int.width);
+- ndiv = (u64)ndiv_int << ctrl->ndiv_int.shift;
++ ndiv = ndiv_int << 20;
+
+ if (ctrl->flags & IPROC_CLK_PLL_HAS_NDIV_FRAC) {
+ val = readl(pll->pll_base + ctrl->ndiv_frac.offset);
+ ndiv_frac = (val >> ctrl->ndiv_frac.shift) &
+ bit_mask(ctrl->ndiv_frac.width);
+-
+- if (ndiv_frac != 0)
+- ndiv = ((u64)ndiv_int << ctrl->ndiv_int.shift) |
+- ndiv_frac;
++ ndiv += ndiv_frac;
+ }
+
+ val = readl(pll->pll_base + ctrl->pdiv.offset);
+ pdiv = (val >> ctrl->pdiv.shift) & bit_mask(ctrl->pdiv.width);
+
+- clk->rate = (ndiv * parent_rate) >> ctrl->ndiv_int.shift;
++ clk->rate = (ndiv * parent_rate) >> 20;
+
+ if (pdiv == 0)
+ clk->rate *= 2;
diff --git a/queue-4.2/clk-versatile-icst-fix-memory-leak.patch b/queue-4.2/clk-versatile-icst-fix-memory-leak.patch
new file mode 100644
index 00000000000..2072548218c
--- /dev/null
+++ b/queue-4.2/clk-versatile-icst-fix-memory-leak.patch
@@ -0,0 +1,36 @@
+From 7bdccef34fc67d3fce6778a018601dd41e43c5ce Mon Sep 17 00:00:00 2001
+From: Linus Walleij
+Date: Fri, 23 Oct 2015 11:36:01 +0200
+Subject: clk: versatile-icst: fix memory leak
+
+From: Linus Walleij
+
+commit 7bdccef34fc67d3fce6778a018601dd41e43c5ce upstream.
+
+A static code checker found a memory leak in the Versatile
+ICST code. Fix it.
+
+Fixes: a183da637c52 "clk: versatile: respect parent rate in ICST clock"
+Reported-by: Stephen Boyd
+Signed-off-by: Linus Walleij
+Signed-off-by: Stephen Boyd
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/clk/versatile/clk-icst.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/clk/versatile/clk-icst.c
++++ b/drivers/clk/versatile/clk-icst.c
+@@ -156,8 +156,10 @@ struct clk *icst_clk_register(struct dev
+ icst->lockreg = base + desc->lock_offset;
+
+ clk = clk_register(dev, &icst->hw);
+- if (IS_ERR(clk))
++ if (IS_ERR(clk)) {
++ kfree(pclone);
+ kfree(icst);
++ }
+
+ return clk;
+ }
diff --git a/queue-4.2/fs-proc-core-debug-don-t-expose-absolute-kernel-addresses-via-wchan.patch b/queue-4.2/fs-proc-core-debug-don-t-expose-absolute-kernel-addresses-via-wchan.patch
new file mode 100644
index 00000000000..866edb4ea6a
--- /dev/null
+++ b/queue-4.2/fs-proc-core-debug-don-t-expose-absolute-kernel-addresses-via-wchan.patch
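Review bot: The fractional-ndiv scale now appears as a bare literal in two places, `ndiv = ndiv_int << 20;` and `clk->rate = (ndiv * parent_rate) >> 20;`, with nothing tying them together or saying that the fractional field is 20 bits wide; a single named constant (an NDIV_FRAC_SHIFT-style define, name constructed here) with that comment would make the later `ndiv += ndiv_frac;` self-explanatory and keep the two shifts from drifting apart. Widening ndiv_int and ndiv_frac to u64 correctly removes the old cast, and the product `ndiv * parent_rate` stays within u64 for plausible field widths, though the hunk does not show ndiv_int.width so that bound is inferred. iproc_pll_recalc_rate begins and ends outside the hunks.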
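Review bot: The error path now frees both `pclone` and `icst`, but nothing in the hunk shows who owns `pclone` once clk_register() succeeds; presumably it is referenced from `icst` and released with it, and a short comment on the new `kfree(pclone);` stating that ownership would guard against a later double free if the success path ever changes, e.g. `/* pclone is only adopted by icst once registration succeeds */`. icst_clk_register begins outside the hunk, so the allocation of pclone and its linkage are not visible here.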
@@ -0,0 +1,170 @@
+From b2f73922d119686323f14fbbe46587f863852328 Mon Sep 17 00:00:00 2001
+From: Ingo Molnar
+Date: Wed, 30 Sep 2015 15:59:17 +0200
+Subject: fs/proc, core/debug: Don't expose absolute kernel addresses via wchan
+
+From: Ingo Molnar
+
+commit b2f73922d119686323f14fbbe46587f863852328 upstream.
+
+So the /proc/PID/stat 'wchan' field (the 30th field, which contains
+the absolute kernel address of the kernel function a task is blocked in)
+leaks absolute kernel addresses to unprivileged user-space:
+
+ seq_put_decimal_ull(m, ' ', wchan);
+
+The absolute address might also leak via /proc/PID/wchan as well, if
+KALLSYMS is turned off or if the symbol lookup fails for some reason:
+
+static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns,
+ struct pid *pid, struct task_struct *task)
+{
+ unsigned long wchan;
+ char symname[KSYM_NAME_LEN];
+
+ wchan = get_wchan(task);
+
+ if (lookup_symbol_name(wchan, symname) < 0) {
+ if (!ptrace_may_access(task, PTRACE_MODE_READ))
+ return 0;
+ seq_printf(m, "%lu", wchan);
+ } else {
+ seq_printf(m, "%s", symname);
+ }
+
+ return 0;
+}
+
+This isn't ideal, because for example it trivially leaks the KASLR offset
+to any local attacker:
+
+ fomalhaut:~> printf "%016lx\n" $(cat /proc/$$/stat | cut -d' ' -f35)
+ ffffffff8123b380
+
+Most real-life uses of wchan are symbolic:
+
+ ps -eo pid:10,tid:10,wchan:30,comm
+
+and procps uses /proc/PID/wchan, not the absolute address in /proc/PID/stat:
+
+ triton:~/tip> strace -f ps -eo pid:10,tid:10,wchan:30,comm 2>&1 | grep wchan | tail -1
+ open("/proc/30833/wchan", O_RDONLY) = 6
+
+There's one compatibility quirk here: procps relies on whether the
+absolute value is non-zero - and we can provide that functionality
+by outputing "0" or "1" depending on whether the task is blocked
+(whether there's a wchan address).
+
+These days there appears to be very little legitimate reason
+user-space would be interested in the absolute address. The
+absolute address is mostly historic: from the days when we
+didn't have kallsyms and user-space procps had to do the
+decoding itself via the System.map.
+
+So this patch sets all numeric output to "0" or "1" and keeps only
+symbolic output, in /proc/PID/wchan.
+
+( The absolute sleep address can generally still be profiled via
+ perf, by tasks with sufficient privileges. )
+
+Reviewed-by: Thomas Gleixner
+Acked-by: Kees Cook
+Acked-by: Linus Torvalds
+Cc: Al Viro
+Cc: Alexander Potapenko
+Cc: Andrey Konovalov
+Cc: Andrey Ryabinin
+Cc: Andy Lutomirski
+Cc: Andy Lutomirski
+Cc: Borislav Petkov
+Cc: Denys Vlasenko
+Cc: Dmitry Vyukov
+Cc: Kostya Serebryany
+Cc: Mike Galbraith
+Cc: Peter Zijlstra
+Cc: Peter Zijlstra
+Cc: Sasha Levin
+Cc: kasan-dev
+Cc: linux-kernel@vger.kernel.org
+Link: http://lkml.kernel.org/r/20150930135917.GA3285@gmail.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ Documentation/filesystems/proc.txt | 5 +++--
+ fs/proc/array.c | 16 ++++++++++++++--
+ fs/proc/base.c | 9 +++------
+ 3 files changed, 20 insertions(+), 10 deletions(-)
+
+--- a/Documentation/filesystems/proc.txt
++++ b/Documentation/filesystems/proc.txt
+@@ -140,7 +140,8 @@ Table 1-1: Process specific entries in /
+ stat Process status
+ statm Process memory status information
+ status Process status in human readable form
+- wchan If CONFIG_KALLSYMS is set, a pre-decoded wchan
++ wchan Present with CONFIG_KALLSYMS=y: it shows the kernel function
++ symbol the task is blocked in - or "0" if not blocked.
+ pagemap Page table
+ stack Report full stack trace, enable via CONFIG_STACKTRACE
+ smaps a extension based on maps, showing the memory consumption of
+@@ -310,7 +311,7 @@ Table 1-4: Contents of the stat files (a
+ blocked bitmap of blocked signals
+ sigign bitmap of ignored signals
+ sigcatch bitmap of caught signals
+- wchan address where process went to sleep
++ 0 (place holder, used to be the wchan address, use /proc/PID/wchan instead)
+ 0 (place holder)
+ 0 (place holder)
+ exit_signal signal to send to parent thread on exit
+--- a/fs/proc/array.c
++++ b/fs/proc/array.c
+@@ -372,7 +372,7 @@ int proc_pid_status(struct seq_file *m,
+ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
+ struct pid *pid, struct task_struct *task, int whole)
+ {
+- unsigned long vsize, eip, esp, wchan = ~0UL;
++ unsigned long vsize, eip, esp, wchan = 0;
+ int priority, nice;
+ int tty_pgrp = -1, tty_nr = 0;
+ sigset_t sigign, sigcatch;
+@@ -504,7 +504,19 @@ static int do_task_stat(struct seq_file
+ seq_put_decimal_ull(m, ' ', task->blocked.sig[0] & 0x7fffffffUL);
+ seq_put_decimal_ull(m, ' ', sigign.sig[0] & 0x7fffffffUL);
+ seq_put_decimal_ull(m, ' ', sigcatch.sig[0] & 0x7fffffffUL);
+- seq_put_decimal_ull(m, ' ', wchan);
++
++ /*
++ * We used to output the absolute kernel address, but that's an
++ * information leak - so instead we show a 0/1 flag here, to signal
++ * to user-space whether there's a wchan field in /proc/PID/wchan.
++ *
++ * This works with older implementations of procps as well.
++ */
++ if (wchan)
++ seq_puts(m, " 1");
++ else
++ seq_puts(m, " 0");
++
+ seq_put_decimal_ull(m, ' ', 0);
+ seq_put_decimal_ull(m, ' ', 0);
+ seq_put_decimal_ll(m, ' ', task->exit_signal);
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -430,13 +430,10 @@ static int proc_pid_wchan(struct seq_fil
+
+ wchan = get_wchan(task);
+
+- if (lookup_symbol_name(wchan, symname) < 0) {
+- if (!ptrace_may_access(task, PTRACE_MODE_READ))
+- return 0;
+- seq_printf(m, "%lu", wchan);
+- } else {
++ if (wchan && ptrace_may_access(task, PTRACE_MODE_READ) && !lookup_symbol_name(wchan, symname))
+ seq_printf(m, "%s", symname);
+- }
++ else
++ seq_putc(m, '0');
+
+ return 0;
+ }
diff --git a/queue-4.2/iwlwifi-add-new-pci-ids-for-the-8260-series.patch b/queue-4.2/iwlwifi-add-new-pci-ids-for-the-8260-series.patch
new file mode 100644
index 00000000000..bab76ea1796
--- /dev/null
+++ b/queue-4.2/iwlwifi-add-new-pci-ids-for-the-8260-series.patch
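Review bot: The proc.txt text in the first hunk says wchan shows the symbol "or "0" if not blocked", but the new proc_pid_wchan in the last hunk also prints '0' when `ptrace_may_access(task, PTRACE_MODE_READ)` fails or when `lookup_symbol_name()` cannot resolve the address, so the documentation under-describes the output and a reader may mistake a permission denial for an idle task; suggest `symbol the task is blocked in - or "0" if not blocked, if the reader lacks ptrace access, or if the symbol cannot be resolved.`. The 0/1 flag in do_task_stat depends on `wchan` remaining 0 unless get_wchan() is called under the existing permission check, and that call sits outside the hunk. The ptrace_may_access() check is evaluated with the reader's credentials at read time rather than at open time, which is the pre-existing convention in this file and not something this patch changes.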
@@ -0,0 +1,76 @@ +From 4ab75944c4b324c1f5f01dbd4c4d122d2b9da187 Mon Sep 17 00:00:00 2001 +From: Oren Givon +Date: Wed, 28 Oct 2015 12:32:20 +0200 +Subject: iwlwifi: Add new PCI IDs for the 8260 series + +From: Oren Givon + +commit 4ab75944c4b324c1f5f01dbd4c4d122d2b9da187 upstream. + +Add some new PCI IDs for the 8260 series which were missing. +The following sub-system IDs were added: +0x0130, 0x1130, 0x0132, 0x1132, 0x1150, 0x8110, 0x9110, 0x8130, +0x9130, 0x8132, 0x9132, 0x8150, 0x9150, 0x0044, 0x0930 + +Signed-off-by: Oren Givon +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/pcie/drv.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/iwlwifi/pcie/drv.c +@@ -423,14 +423,21 @@ static const struct pci_device_id iwl_hw + /* 8000 Series */ + {IWL_PCI_DEVICE(0x24F3, 0x0010, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x1010, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0132, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1132, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0110, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x01F0, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0012, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1012, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x1110, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0250, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x1050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0150, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1150, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x0030, iwl8260_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x24F4, 0x1130, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x1030, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0xC010, iwl8260_2ac_cfg)}, + 
{IWL_PCI_DEVICE(0x24F3, 0xC110, iwl8260_2ac_cfg)}, +@@ -438,18 +445,28 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x24F3, 0xC050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0xD050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x8010, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8110, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x9010, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9110, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x8030, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x9030, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8132, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9132, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x8050, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8150, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x9050, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9150, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0004, iwl8260_2n_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0044, iwl8260_2n_cfg)}, + {IWL_PCI_DEVICE(0x24F5, 0x0010, iwl4165_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F6, 0x0030, iwl4165_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0810, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0910, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0850, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0950, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0930, iwl8260_2ac_cfg)}, + #endif /* CONFIG_IWLMVM */ + + {0} diff --git a/queue-4.2/iwlwifi-pcie-fix-again-prepare-card-flow.patch b/queue-4.2/iwlwifi-pcie-fix-again-prepare-card-flow.patch new file mode 100644 index 00000000000..dbf857824cf --- /dev/null +++ b/queue-4.2/iwlwifi-pcie-fix-again-prepare-card-flow.patch 
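Review bot: The commit message lists only added sub-system IDs, but the drv.c hunk also deletes `{IWL_PCI_DEVICE(0x24F4, 0x1130, iwl8260_2ac_cfg)},` and adds 0x01F0, 0x0012 and 0x1012 for device 0x24F3, none of which the message mentions. Since this is a stable backport, the description should reflect the `18 insertions(+), 1 deletion(-)` diffstat so a reader knows the 0x24F4/0x1130 entry was removed on purpose and not dropped while backporting. The pci_device_id table starts and ends outside the hunk.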
@@ -0,0 +1,48 @@ +From 03a19cbb91994212be72ce15ac3406fa9f8ba079 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Wed, 21 Oct 2015 19:55:32 +0300 +Subject: iwlwifi: pcie: fix (again) prepare card flow + +From: Emmanuel Grumbach + +commit 03a19cbb91994212be72ce15ac3406fa9f8ba079 upstream. + +The hardware bug in the commit mentioned below forces us +not to re-enable the clock gating in the Host Cluster. +The impact on the power consumption is minimal and it allows +the WAKE_ME interrupt to propagate. + +Fixes: c9fdec9f3970 ("iwlwifi: pcie: fix prepare card flow") +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/pcie/trans.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +--- a/drivers/net/wireless/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/iwlwifi/pcie/trans.c +@@ -592,10 +592,8 @@ static int iwl_pcie_prepare_card_hw(stru + + do { + ret = iwl_pcie_set_hw_ready(trans); +- if (ret >= 0) { +- ret = 0; +- goto out; +- } ++ if (ret >= 0) ++ return 0; + + usleep_range(200, 1000); + t += 200; +@@ -605,10 +603,6 @@ static int iwl_pcie_prepare_card_hw(stru + + IWL_ERR(trans, "Couldn't prepare the card\n"); + +-out: +- iwl_clear_bit(trans, CSR_DBG_LINK_PWR_MGMT_REG, +- CSR_RESET_LINK_PWR_MGMT_DISABLED); +- + return ret; + } + diff --git a/queue-4.2/kvm-s390-avoid-memory-overwrites-on-emergency-signal-injection.patch b/queue-4.2/kvm-s390-avoid-memory-overwrites-on-emergency-signal-injection.patch new file mode 100644 index 00000000000..6b9b97d36e5 --- /dev/null +++ b/queue-4.2/kvm-s390-avoid-memory-overwrites-on-emergency-signal-injection.patch 
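Review bot: The reason CSR_RESET_LINK_PWR_MGMT_DISABLED is now left set on both the success and the failure path lives only in the commit message; after this change the code gives no hint that the missing `iwl_clear_bit()` is intentional, so a later cleanup could reinstate it. A comment above `IWL_ERR(trans, "Couldn't prepare the card\n");` would preserve the rationale: `/* Intentionally leave CSR_RESET_LINK_PWR_MGMT_DISABLED set: re-enabling Host Cluster clock gating stops the WAKE_ME interrupt from propagating (hardware bug, see c9fdec9f3970). */`. The failure path now returns the last negative value from `iwl_pcie_set_hw_ready()`, which is fine but worth one word in that comment; iwl_pcie_prepare_card_hw's body starts before the hunk and its loop condition is outside it.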
@@ -0,0 +1,38 @@ +From b85de33a1a3433487b6a721cfdce25ec8673e622 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Thu, 5 Nov 2015 09:38:15 +0100 +Subject: KVM: s390: avoid memory overwrites on emergency signal injection + +From: David Hildenbrand + +commit b85de33a1a3433487b6a721cfdce25ec8673e622 upstream. + +Commit 383d0b050106 ("KVM: s390: handle pending local interrupts via +bitmap") introduced a possible memory overwrite from user space. + +User space could pass an invalid emergency signal code (sending VCPU) +and therefore exceed the bitmap. Let's take care of this case and +check that the id is in the valid range. + +Reviewed-by: Dominik Dingel +Signed-off-by: David Hildenbrand +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/interrupt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -1130,6 +1130,10 @@ static int __inject_sigp_emergency(struc + trace_kvm_s390_inject_vcpu(vcpu->vcpu_id, KVM_S390_INT_EMERGENCY, + irq->u.emerg.code, 0, 2); + ++ /* sending vcpu invalid */ ++ if (kvm_get_vcpu_by_id(vcpu->kvm, irq->u.emerg.code) == NULL) ++ return -EINVAL; ++ + set_bit(irq->u.emerg.code, li->sigp_emerg_pending); + set_bit(IRQ_PEND_EXT_EMERGENCY, &li->pending_irqs); + atomic_set_mask(CPUSTAT_EXT_INT, li->cpuflags); diff --git a/queue-4.2/kvm-s390-fix-wrong-lookup-of-vcpus-by-array-index.patch b/queue-4.2/kvm-s390-fix-wrong-lookup-of-vcpus-by-array-index.patch new file mode 100644 index 00000000000..3d7fc53bd8f --- /dev/null +++ b/queue-4.2/kvm-s390-fix-wrong-lookup-of-vcpus-by-array-index.patch 
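Review bot: The new guard `if (kvm_get_vcpu_by_id(vcpu->kvm, irq->u.emerg.code) == NULL)` is what keeps the following `set_bit(irq->u.emerg.code, li->sigp_emerg_pending);` inside the bitmap, but the comment `/* sending vcpu invalid */` only says the id is unknown. Suggest `/* sending vcpu invalid; this also bounds the set_bit() index into sigp_emerg_pending */` so the bounds-checking role survives if the lookup is ever restructured. This assumes kvm_get_vcpu_by_id() returns NULL for every id at or beyond the bitmap size, which is not visible in this hunk. __inject_sigp_emergency's body starts and ends outside the hunk.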
@@ -0,0 +1,65 @@ +From 152e9f65d66f0a3891efc3869440becc0e7ff53f Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Thu, 5 Nov 2015 09:06:06 +0100 +Subject: KVM: s390: fix wrong lookup of VCPUs by array index + +From: David Hildenbrand + +commit 152e9f65d66f0a3891efc3869440becc0e7ff53f upstream. + +For now, VCPUs were always created sequentially with incrementing +VCPU ids. Therefore, the index in the VCPUs array matched the id. + +As sequential creation might change with cpu hotplug, let's use +the correct lookup function to find a VCPU by id, not array index. + +Let's also use kvm_lookup_vcpu() for validation of the sending VCPU +on external call injection. + +Reviewed-by: Christian Borntraeger +Signed-off-by: David Hildenbrand +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/interrupt.c | 3 +-- + arch/s390/kvm/sigp.c | 8 ++------ + 2 files changed, 3 insertions(+), 8 deletions(-) + +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -1051,8 +1051,7 @@ static int __inject_extcall(struct kvm_v + src_id, 0, 2); + + /* sending vcpu invalid */ +- if (src_id >= KVM_MAX_VCPUS || +- kvm_get_vcpu(vcpu->kvm, src_id) == NULL) ++ if (kvm_get_vcpu_by_id(vcpu->kvm, src_id) == NULL) + return -EINVAL; + + if (sclp.has_sigpif) +--- a/arch/s390/kvm/sigp.c ++++ b/arch/s390/kvm/sigp.c +@@ -294,12 +294,8 @@ static int handle_sigp_dst(struct kvm_vc + u16 cpu_addr, u32 parameter, u64 *status_reg) + { + int rc; +- struct kvm_vcpu *dst_vcpu; ++ struct kvm_vcpu *dst_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr); + +- if (cpu_addr >= KVM_MAX_VCPUS) +- return SIGP_CC_NOT_OPERATIONAL; +- +- dst_vcpu = kvm_get_vcpu(vcpu->kvm, cpu_addr); + if (!dst_vcpu) + return SIGP_CC_NOT_OPERATIONAL; + +@@ -481,7 +477,7 @@ int kvm_s390_handle_sigp_pei(struct kvm_ + trace_kvm_s390_handle_sigp_pei(vcpu, order_code, cpu_addr); + + if (order_code == SIGP_EXTERNAL_CALL) { +- dest_vcpu = kvm_get_vcpu(vcpu->kvm, cpu_addr); ++ dest_vcpu = 
kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr); + BUG_ON(dest_vcpu == NULL); + + kvm_s390_vcpu_wakeup(dest_vcpu); diff --git a/queue-4.2/kvm-s390-sca-must-not-cross-page-boundaries.patch b/queue-4.2/kvm-s390-sca-must-not-cross-page-boundaries.patch new file mode 100644 index 00000000000..59125fba064 --- /dev/null +++ b/queue-4.2/kvm-s390-sca-must-not-cross-page-boundaries.patch 
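Review bot: In kvm_s390_handle_sigp_pei the result of the new `kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr)` call is still fed straight into `BUG_ON(dest_vcpu == NULL);`, while the same lookup is treated as fallible in handle_sigp_dst and __inject_extcall in this very patch; a miss here would take the host down instead of reporting not-operational. If the interception path guarantees that cpu_addr names an existing VCPU, a comment stating that invariant above the BUG_ON would make the asymmetry deliberate; otherwise handling the NULL case the way handle_sigp_dst does is safer. kvm_s390_handle_sigp_pei's body starts and ends outside the hunk.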
@@ -0,0 +1,54 @@ +From c5c2c393468576bad6d10b2b5fefff8cd25df3f4 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Mon, 26 Oct 2015 08:41:29 +0100 +Subject: KVM: s390: SCA must not cross page boundaries + +From: David Hildenbrand + +commit c5c2c393468576bad6d10b2b5fefff8cd25df3f4 upstream. + +We seemed to have missed a few corner cases in commit f6c137ff00a4 +("KVM: s390: randomize sca address"). + +The SCA has a maximum size of 2112 bytes. By setting the sca_offset to +some unlucky numbers, we exceed the page. + +0x7c0 (1984) -> Fits exactly +0x7d0 (2000) -> 16 bytes out +0x7e0 (2016) -> 32 bytes out +0x7f0 (2032) -> 48 bytes out + +One VCPU entry is 32 bytes long. + +For the last two cases, we actually write data to the other page. +1. The address of the VCPU. +2. Injection/delivery/clearing of SIGP externall calls via SIGP IF. + +Especially the 2. happens regularly. So this could produce two problems: +1. The guest losing/getting external calls. +2. Random memory overwrites in the host. + +So this problem happens on every 127 + 128 created VM with 64 VCPUs. + +Acked-by: Christian Borntraeger +Signed-off-by: David Hildenbrand +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/kvm-s390.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -1037,7 +1037,9 @@ int kvm_arch_init_vm(struct kvm *kvm, un + if (!kvm->arch.sca) + goto out_err; + spin_lock(&kvm_lock); +- sca_offset = (sca_offset + 16) & 0x7f0; ++ sca_offset += 16; ++ if (sca_offset + sizeof(struct sca_block) > PAGE_SIZE) ++ sca_offset = 0; + kvm->arch.sca = (struct sca_block *) ((char *) kvm->arch.sca + sca_offset); + spin_unlock(&kvm_lock); + diff --git a/queue-4.2/kvm-x86-add-read_phys-to-x86_emulate_ops.patch b/queue-4.2/kvm-x86-add-read_phys-to-x86_emulate_ops.patch new file mode 100644 index 00000000000..f68c8c0ed0b --- /dev/null 
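Review bot: The new wrap `if (sca_offset + sizeof(struct sca_block) > PAGE_SIZE) sca_offset = 0;` relies on kvm->arch.sca being page-aligned (its allocation is outside the hunk), and nothing in the code says why the offset must stay inside one page. A comment above `sca_offset += 16;` would capture the invariant from the commit message: `/* The SCA (up to 2112 bytes) sits at a 16-byte-stepped offset inside one page; wrap before it would cross the page, or VCPU entries land on the next page. */`. A `BUILD_BUG_ON(sizeof(struct sca_block) > PAGE_SIZE)` would also help, since otherwise the condition would silently pin sca_offset to 0 forever. kvm_arch_init_vm's body starts and ends outside the hunk.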
+++ b/queue-4.2/kvm-x86-add-read_phys-to-x86_emulate_ops.patch 
@@ -0,0 +1,72 @@ +From 7a036a6f670f63b32c5ee126425f9109271ca13f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= +Date: Fri, 30 Oct 2015 16:36:24 +0100 +Subject: KVM: x86: add read_phys to x86_emulate_ops +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= + +commit 7a036a6f670f63b32c5ee126425f9109271ca13f upstream. + +We want to read the physical memory when emulating RSM. + +X86EMUL_IO_NEEDED is returned on all errors for consistency with other +helpers. + +Signed-off-by: Radim Krčmář +Tested-by: Laszlo Ersek +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/kvm_emulate.h | 10 ++++++++++ + arch/x86/kvm/x86.c | 10 ++++++++++ + 2 files changed, 20 insertions(+) + +--- a/arch/x86/include/asm/kvm_emulate.h ++++ b/arch/x86/include/asm/kvm_emulate.h +@@ -112,6 +112,16 @@ struct x86_emulate_ops { + struct x86_exception *fault); + + /* ++ * read_phys: Read bytes of standard (non-emulated/special) memory. ++ * Used for descriptor reading. ++ * @addr: [IN ] Physical address from which to read. ++ * @val: [OUT] Value read from memory. ++ * @bytes: [IN ] Number of bytes to read from memory. ++ */ ++ int (*read_phys)(struct x86_emulate_ctxt *ctxt, unsigned long addr, ++ void *val, unsigned int bytes); ++ ++ /* + * write_std: Write bytes of standard (non-emulated/special) memory. + * Used for descriptor writing. + * @addr: [IN ] Linear address to which to write. +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4260,6 +4260,15 @@ static int kvm_read_guest_virt_system(st + return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, 0, exception); + } + ++static int kvm_read_guest_phys_system(struct x86_emulate_ctxt *ctxt, ++ unsigned long addr, void *val, unsigned int bytes) ++{ ++ struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); ++ int r = kvm_vcpu_read_guest(vcpu, addr, val, bytes); ++ ++ return r < 0 ? 
X86EMUL_IO_NEEDED : X86EMUL_CONTINUE; ++} ++ + int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt, + gva_t addr, void *val, + unsigned int bytes, +@@ -4995,6 +5004,7 @@ static const struct x86_emulate_ops emul + .write_gpr = emulator_write_gpr, + .read_std = kvm_read_guest_virt_system, + .write_std = kvm_write_guest_virt_system, ++ .read_phys = kvm_read_guest_phys_system, + .fetch = kvm_fetch_guest_virt, + .read_emulated = emulator_read_emulated, + .write_emulated = emulator_write_emulated, diff --git a/queue-4.2/kvm-x86-allow-rsm-from-64-bit-mode.patch b/queue-4.2/kvm-x86-allow-rsm-from-64-bit-mode.patch new file mode 100644 index 00000000000..e0e825b4d87 --- /dev/null +++ b/queue-4.2/kvm-x86-allow-rsm-from-64-bit-mode.patch 
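Review bot: The header comment for the new `read_phys` callback says `* Used for descriptor reading.`, which is copied from read_std; the commit message says it exists to read physical memory when emulating RSM, so the line should read `* Used for reading SMRAM state on RSM; @addr is not translated.`. Likewise `kvm_read_guest_phys_system()` folds every negative return of kvm_vcpu_read_guest() into X86EMUL_IO_NEEDED, a choice explained only in the commit message and worth `/* any failure maps to X86EMUL_IO_NEEDED, like the other *_system helpers */` above the return. `addr` is an unsigned long handed to a function that presumably expects a guest physical address; whether that needs an explicit cast is not visible here.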
@@ -0,0 +1,80 @@ +From 89651a3decbe03754f304a0b248f27eeb9a37937 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 3 Nov 2015 13:43:05 +0100 +Subject: KVM: x86: allow RSM from 64-bit mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paolo Bonzini + +commit 89651a3decbe03754f304a0b248f27eeb9a37937 upstream. + +The SDM says that exiting system management mode from 64-bit mode +is invalid, but that would be too good to be true. But actually, +most of the code is already there to support exiting from compat +mode (EFER.LME=1, EFER.LMA=0). Getting all the way from 64-bit +mode to real mode only requires clearing CS.L and CR4.PCIDE. + +Fixes: 660a5d517aaab9187f93854425c4c63f4a09195c +Tested-by: Laszlo Ersek +Cc: Radim Krčmář +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/emulate.c | 30 +++++++++++++++++++++++++----- + 1 file changed, 25 insertions(+), 5 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -2484,16 +2484,36 @@ static int em_rsm(struct x86_emulate_ctx + + /* + * Get back to real mode, to prepare a safe state in which to load +- * CR0/CR3/CR4/EFER. +- * +- * CR4.PCIDE must be zero, because it is a 64-bit mode only feature. ++ * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU ++ * supports long mode. + */ ++ cr4 = ctxt->ops->get_cr(ctxt, 4); ++ if (emulator_has_longmode(ctxt)) { ++ struct desc_struct cs_desc; ++ ++ /* Zero CR4.PCIDE before CR0.PG. */ ++ if (cr4 & X86_CR4_PCIDE) { ++ ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE); ++ cr4 &= ~X86_CR4_PCIDE; ++ } ++ ++ /* A 32-bit code segment is required to clear EFER.LMA. */ ++ memset(&cs_desc, 0, sizeof(cs_desc)); ++ cs_desc.type = 0xb; ++ cs_desc.s = cs_desc.g = cs_desc.p = 1; ++ ctxt->ops->set_segment(ctxt, 0, &cs_desc, 0, VCPU_SREG_CS); ++ } ++ ++ /* For the 64-bit case, this will clear EFER.LMA. 
*/ + cr0 = ctxt->ops->get_cr(ctxt, 0); + if (cr0 & X86_CR0_PE) + ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE)); +- cr4 = ctxt->ops->get_cr(ctxt, 4); ++ ++ /* Now clear CR4.PAE (which must be done before clearing EFER.LME). */ + if (cr4 & X86_CR4_PAE) + ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE); ++ ++ /* And finally go back to 32-bit mode. */ + efer = 0; + ctxt->ops->set_msr(ctxt, MSR_EFER, efer); + +@@ -4454,7 +4474,7 @@ static const struct opcode twobyte_table + F(DstMem | SrcReg | Src2CL | ModRM, em_shld), N, N, + /* 0xA8 - 0xAF */ + I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg), +- II(No64 | EmulateOnUD | ImplicitOps, em_rsm, rsm), ++ II(EmulateOnUD | ImplicitOps, em_rsm, rsm), + F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts), + F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd), + F(DstMem | SrcReg | Src2CL | ModRM, em_shrd), diff --git a/queue-4.2/kvm-x86-handle-smbase-as-physical-address-in-rsm.patch b/queue-4.2/kvm-x86-handle-smbase-as-physical-address-in-rsm.patch new file mode 100644 index 00000000000..1c1ac23572c --- /dev/null +++ b/queue-4.2/kvm-x86-handle-smbase-as-physical-address-in-rsm.patch 
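Review bot: The comment `/* A 32-bit code segment is required to clear EFER.LMA. */` does not match the descriptor built under it: after the memset only type, s, g and p are set, so both the l and d bits stay clear, which makes this a non-long-mode code segment with a 16-bit default size rather than a 32-bit one. What the sequence actually needs, per the commit message, is CS.L = 0, so suggest `/* CS.L must be clear before EFER.LMA can be cleared; load a plain non-64-bit code segment (type 0xb = accessed, readable code). */`. If a 32-bit default operand size was intended, `cs_desc.d = 1;` is missing. em_rsm's body starts before the hunk.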
@@ -0,0 +1,49 @@ +From f40606b147dd5b4678cedc877a71deb520ca507e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= +Date: Fri, 30 Oct 2015 16:36:25 +0100 +Subject: KVM: x86: handle SMBASE as physical address in RSM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= + +commit f40606b147dd5b4678cedc877a71deb520ca507e upstream. + +GET_SMSTATE depends on real mode to ensure that smbase+offset is treated +as a physical address, which has already caused a bug after shuffling +the code. Enforce physical addressing. + +Signed-off-by: Radim Krčmář +Reported-by: Laszlo Ersek +Tested-by: Laszlo Ersek +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/emulate.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -2272,8 +2272,8 @@ static int emulator_has_longmode(struct + #define GET_SMSTATE(type, smbase, offset) \ + ({ \ + type __val; \ +- int r = ctxt->ops->read_std(ctxt, smbase + offset, &__val, \ +- sizeof(__val), NULL); \ ++ int r = ctxt->ops->read_phys(ctxt, smbase + offset, &__val, \ ++ sizeof(__val)); \ + if (r != X86EMUL_CONTINUE) \ + return X86EMUL_UNHANDLEABLE; \ + __val; \ +@@ -2484,8 +2484,7 @@ static int em_rsm(struct x86_emulate_ctx + + /* + * Get back to real mode, to prepare a safe state in which to load +- * CR0/CR3/CR4/EFER. Also this will ensure that addresses passed +- * to read_std/write_std are not virtual. ++ * CR0/CR3/CR4/EFER. + * + * CR4.PCIDE must be zero, because it is a 64-bit mode only feature. + */ diff --git a/queue-4.2/kvm-x86-obey-kvm_x86_quirk_cd_nw_cleared-in-kvm_set_cr0.patch b/queue-4.2/kvm-x86-obey-kvm_x86_quirk_cd_nw_cleared-in-kvm_set_cr0.patch new file mode 100644 index 00000000000..b79438993fc --- /dev/null +++ b/queue-4.2/kvm-x86-obey-kvm_x86_quirk_cd_nw_cleared-in-kvm_set_cr0.patch 
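Review bot: This hunk's em_rsm context keeps `* CR4.PCIDE must be zero, because it is a 64-bit mode only feature.`, the very line that kvm-x86-allow-rsm-from-64-bit-mode.patch in this same queue deletes, so the two only apply cleanly if this patch goes first. The series file that fixes the order is not in this chunk; please confirm it lists handle-smbase before allow-rsm. Separately, GET_SMSTATE now discards the X86EMUL_IO_NEEDED that read_phys returns and reports X86EMUL_UNHANDLEABLE instead, which is unchanged behaviour but deserves `/* read_phys errors (X86EMUL_IO_NEEDED) are reported as unhandleable */` on the `if (r != X86EMUL_CONTINUE)` line.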
@@ -0,0 +1,53 @@ +From 879ae1880449c88db11c1ebdaedc2da79b2fe73f Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Wed, 4 Nov 2015 12:54:41 +0100 +Subject: KVM: x86: obey KVM_X86_QUIRK_CD_NW_CLEARED in kvm_set_cr0() + +From: Laszlo Ersek + +commit 879ae1880449c88db11c1ebdaedc2da79b2fe73f upstream. + +Commit b18d5431acc7 ("KVM: x86: fix CR0.CD virtualization") was +technically correct, but it broke OVMF guests by slowing down various +parts of the firmware. + +Commit fb279950ba02 ("KVM: vmx: obey KVM_QUIRK_CD_NW_CLEARED") quirked the +first function modified by b18d5431acc7, vmx_get_mt_mask(), for OVMF's +sake. This restored the speed of the OVMF code that runs before +PlatformPei (including the memory intensive LZMA decompression in SEC). + +This patch extends the quirk to the second function modified by +b18d5431acc7, kvm_set_cr0(). It eliminates the intrusive slowdown that +hits the EFI_MP_SERVICES_PROTOCOL implementation of edk2's +UefiCpuPkg/CpuDxe -- which is built into OVMF --, when CpuDxe starts up +all APs at once for initialization, in order to count them. + +We also carry over the kvm_arch_has_noncoherent_dma() sub-condition from +the other half of the original commit b18d5431acc7. + +Fixes: b18d5431acc7a2fd22767925f3a6f597aa4bd29e +Cc: Jordan Justen +Cc: Alex Williamson +Reviewed-by: Xiao Guangrong +Tested-by: Janusz Mocek +Signed-off-by: Laszlo Ersek # +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -621,7 +621,9 @@ int kvm_set_cr0(struct kvm_vcpu *vcpu, u + if ((cr0 ^ old_cr0) & update_bits) + kvm_mmu_reset_context(vcpu); + +- if ((cr0 ^ old_cr0) & X86_CR0_CD) ++ if (((cr0 ^ old_cr0) & X86_CR0_CD) && ++ kvm_arch_has_noncoherent_dma(vcpu->kvm) && ++ !kvm_check_has_quirk(vcpu->kvm, KVM_X86_QUIRK_CD_NW_CLEARED)) + kvm_zap_gfn_range(vcpu->kvm, 0, ~0ULL); + + return 0; 
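Review bot: The three-part condition that now gates `kvm_zap_gfn_range(vcpu->kvm, 0, ~0ULL);` has no comment, so the reader cannot tell why a CR0.CD flip is ignored unless a non-coherent DMA device is present and the quirk is off; the reasoning is only in the commit message. Suggest above the if: `/* A CD change only matters for memory types seen by a non-coherent DMA device, and guests such as OVMF rely on KVM_X86_QUIRK_CD_NW_CLEARED to skip this (slow) full zap. */`. kvm_set_cr0's body starts before the hunk.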
diff --git a/queue-4.2/kvm-x86-set-kvm_req_event-when-updating-irr.patch b/queue-4.2/kvm-x86-set-kvm_req_event-when-updating-irr.patch
new file mode 100644
index 00000000000..268e8d3e356
--- /dev/null
+++ b/queue-4.2/kvm-x86-set-kvm_req_event-when-updating-irr.patch
@@ -0,0 +1,34 @@
+From c77f3fab441c3e466b4c3601a475fc31ce156b06 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?=
+Date: Thu, 8 Oct 2015 20:23:33 +0200
+Subject: kvm: x86: set KVM_REQ_EVENT when updating IRR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?=
+
+commit c77f3fab441c3e466b4c3601a475fc31ce156b06 upstream.
+
+After moving PIR to IRR, the interrupt needs to be delivered manually.
+
+Reported-by: Paolo Bonzini
+Signed-off-by: Radim Krčmář
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/lapic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -348,6 +348,8 @@ void kvm_apic_update_irr(struct kvm_vcpu
+ struct kvm_lapic *apic = vcpu->arch.apic;
+ 
+ __kvm_apic_update_irr(pir, apic->regs);
++
++ kvm_make_request(KVM_REQ_EVENT, vcpu);
+ }
+ EXPORT_SYMBOL_GPL(kvm_apic_update_irr);
+ 
diff --git a/queue-4.2/kvm-x86-work-around-infinite-loop-in-microcode-when-ac-is-delivered.patch b/queue-4.2/kvm-x86-work-around-infinite-loop-in-microcode-when-ac-is-delivered.patch
new file mode 100644
index 00000000000..eb5230d62d8
--- /dev/null
+++ b/queue-4.2/kvm-x86-work-around-infinite-loop-in-microcode-when-ac-is-delivered.patch
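Review bot: `kvm_make_request(KVM_REQ_EVENT, vcpu);` is now raised on every call, including when __kvm_apic_update_irr() moved no new bits, and nothing at the call site says why; suggest `/* Interrupts moved from PIR to IRR are not delivered by hardware; force the event path to re-evaluate. */` above the added line. If __kvm_apic_update_irr() reports whether anything changed (not visible in this hunk), the request could be made conditional on that.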
@@ -0,0 +1,87 @@ +From 54a20552e1eae07aa240fa370a0293e006b5faed Mon Sep 17 00:00:00 2001 +From: Eric Northup +Date: Tue, 3 Nov 2015 18:03:53 +0100 +Subject: KVM: x86: work around infinite loop in microcode when #AC is delivered + +From: Eric Northup + +commit 54a20552e1eae07aa240fa370a0293e006b5faed upstream. + +It was found that a guest can DoS a host by triggering an infinite +stream of "alignment check" (#AC) exceptions. This causes the +microcode to enter an infinite loop where the core never receives +another interrupt. The host kernel panics pretty quickly due to the +effects (CVE-2015-5307). + +Signed-off-by: Eric Northup +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/uapi/asm/svm.h | 1 + + arch/x86/kvm/svm.c | 8 ++++++++ + arch/x86/kvm/vmx.c | 5 ++++- + 3 files changed, 13 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/uapi/asm/svm.h ++++ b/arch/x86/include/uapi/asm/svm.h +@@ -100,6 +100,7 @@ + { SVM_EXIT_EXCP_BASE + UD_VECTOR, "UD excp" }, \ + { SVM_EXIT_EXCP_BASE + PF_VECTOR, "PF excp" }, \ + { SVM_EXIT_EXCP_BASE + NM_VECTOR, "NM excp" }, \ ++ { SVM_EXIT_EXCP_BASE + AC_VECTOR, "AC excp" }, \ + { SVM_EXIT_EXCP_BASE + MC_VECTOR, "MC excp" }, \ + { SVM_EXIT_INTR, "interrupt" }, \ + { SVM_EXIT_NMI, "nmi" }, \ +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1106,6 +1106,7 @@ static void init_vmcb(struct vcpu_svm *s + set_exception_intercept(svm, PF_VECTOR); + set_exception_intercept(svm, UD_VECTOR); + set_exception_intercept(svm, MC_VECTOR); ++ set_exception_intercept(svm, AC_VECTOR); + + set_intercept(svm, INTERCEPT_INTR); + set_intercept(svm, INTERCEPT_NMI); +@@ -1794,6 +1795,12 @@ static int ud_interception(struct vcpu_s + return 1; + } + ++static int ac_interception(struct vcpu_svm *svm) ++{ ++ kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0); ++ return 1; ++} ++ + static void svm_fpu_activate(struct kvm_vcpu *vcpu) + { + struct vcpu_svm *svm = to_svm(vcpu); +@@ -3368,6 +3375,7 @@ static int 
(*const svm_exit_handlers[])( + [SVM_EXIT_EXCP_BASE + PF_VECTOR] = pf_interception, + [SVM_EXIT_EXCP_BASE + NM_VECTOR] = nm_interception, + [SVM_EXIT_EXCP_BASE + MC_VECTOR] = mc_interception, ++ [SVM_EXIT_EXCP_BASE + AC_VECTOR] = ac_interception, + [SVM_EXIT_INTR] = intr_interception, + [SVM_EXIT_NMI] = nmi_interception, + [SVM_EXIT_SMI] = nop_on_interception, +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -1567,7 +1567,7 @@ static void update_exception_bitmap(stru + u32 eb; + + eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) | +- (1u << NM_VECTOR) | (1u << DB_VECTOR); ++ (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR); + if ((vcpu->guest_debug & + (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) == + (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) +@@ -5117,6 +5117,9 @@ static int handle_exception(struct kvm_v + return handle_rmode_exception(vcpu, ex_no, error_code); + + switch (ex_no) { ++ case AC_VECTOR: ++ kvm_queue_exception_e(vcpu, AC_VECTOR, error_code); ++ return 1; + case DB_VECTOR: + dr6 = vmcs_readl(EXIT_QUALIFICATION); + if (!(vcpu->guest_debug & diff --git a/queue-4.2/kvm-x86-zero-efer-on-init.patch b/queue-4.2/kvm-x86-zero-efer-on-init.patch new file mode 100644 index 00000000000..574d4d7b945 --- /dev/null +++ b/queue-4.2/kvm-x86-zero-efer-on-init.patch 
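Review bot: Neither the SVM nor the VMX hunk records why #AC is now intercepted and reflected back, although this is a security workaround (CVE-2015-5307, a guest-triggered infinite #AC loop in microcode); a comment on `ac_interception()` and on the `case AC_VECTOR:` arm, e.g. `/* Intercept #AC so an #AC storm cannot lock up the core (CVE-2015-5307); reflect it back to the guest unchanged. */`, would keep a later cleanup from dropping the intercept as unnecessary. The two paths are also inconsistent: `kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0);` hard-codes the error code while the VMX arm forwards `error_code` from the exit; #AC's error code is architecturally 0, so both are equivalent, but saying so in the SVM handler avoids the question. The VMX `case AC_VECTOR:` sits after the `return handle_rmode_exception(...)` path, so whether that path needs the same treatment is outside this hunk.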
@@ -0,0 +1,84 @@ +From 5690891bcec5fcfda38da974ffa5488e36a59811 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 19 Oct 2015 11:30:19 +0200 +Subject: kvm: x86: zero EFER on INIT + +From: Paolo Bonzini + +commit 5690891bcec5fcfda38da974ffa5488e36a59811 upstream. + +Not zeroing EFER means that a 32-bit firmware cannot enter paging mode +without clearing EFER.LME first (which it should not know about). +Yang Zhang from Intel confirmed that the manual is wrong and EFER is +cleared to zero on INIT. + +Fixes: d28bc9dd25ce023270d2e039e7c98d38ecbf7758 +Cc: Yang Z Zhang +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 11 +++++------ + arch/x86/kvm/vmx.c | 3 +-- + 2 files changed, 6 insertions(+), 8 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1085,7 +1085,7 @@ static u64 svm_compute_tsc_offset(struct + return target_tsc - tsc; + } + +-static void init_vmcb(struct vcpu_svm *svm, bool init_event) ++static void init_vmcb(struct vcpu_svm *svm) + { + struct vmcb_control_area *control = &svm->vmcb->control; + struct vmcb_save_area *save = &svm->vmcb->save; +@@ -1156,8 +1156,7 @@ static void init_vmcb(struct vcpu_svm *s + init_sys_seg(&save->ldtr, SEG_TYPE_LDT); + init_sys_seg(&save->tr, SEG_TYPE_BUSY_TSS16); + +- if (!init_event) +- svm_set_efer(&svm->vcpu, 0); ++ svm_set_efer(&svm->vcpu, 0); + save->dr6 = 0xffff0ff0; + kvm_set_rflags(&svm->vcpu, 2); + save->rip = 0x0000fff0; +@@ -1211,7 +1210,7 @@ static void svm_vcpu_reset(struct kvm_vc + if (kvm_vcpu_is_reset_bsp(&svm->vcpu)) + svm->vcpu.arch.apic_base |= MSR_IA32_APICBASE_BSP; + } +- init_vmcb(svm, init_event); ++ init_vmcb(svm); + + kvm_cpuid(vcpu, &eax, &dummy, &dummy, &dummy); + kvm_register_write(vcpu, VCPU_REGS_RDX, eax); +@@ -1267,7 +1266,7 @@ static struct kvm_vcpu *svm_create_vcpu( + clear_page(svm->vmcb); + svm->vmcb_pa = page_to_pfn(page) << PAGE_SHIFT; + svm->asid_generation = 0; +- init_vmcb(svm, false); ++ init_vmcb(svm); + + 
svm_init_osvw(&svm->vcpu); + +@@ -1889,7 +1888,7 @@ static int shutdown_interception(struct + * so reinitialize it. + */ + clear_page(svm->vmcb); +- init_vmcb(svm, false); ++ init_vmcb(svm); + + kvm_run->exit_reason = KVM_EXIT_SHUTDOWN; + return 0; +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -4780,8 +4780,7 @@ static void vmx_vcpu_reset(struct kvm_vc + vmx_set_cr0(vcpu, cr0); /* enter rmode */ + vmx->vcpu.arch.cr0 = cr0; + vmx_set_cr4(vcpu, 0); +- if (!init_event) +- vmx_set_efer(vcpu, 0); ++ vmx_set_efer(vcpu, 0); + vmx_fpu_activate(vcpu); + update_exception_bitmap(vcpu); + diff --git a/queue-4.2/mac80211-allow-null-chandef-in-tracing.patch b/queue-4.2/mac80211-allow-null-chandef-in-tracing.patch new file mode 100644 index 00000000000..1c77fcfccaa --- /dev/null +++ b/queue-4.2/mac80211-allow-null-chandef-in-tracing.patch 
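Review bot: The now-unconditional `svm_set_efer(&svm->vcpu, 0);` and `vmx_set_efer(vcpu, 0);` clear EFER on INIT as well as RESET, but the code carries no trace of the reason, which contradicts the manual; suggest `/* EFER is cleared on INIT too; the SDM is wrong here (confirmed by Intel). */` next to both calls so nobody re-adds the `if (!init_event)` guard from the spec. With the parameter dropped from init_vmcb(), please also confirm that svm_vcpu_reset() still uses its own `init_event` argument (only the tail of its BSP check is visible), otherwise that parameter is now dead in the SVM path.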
@@ -0,0 +1,42 @@ +From 254d3dfe445f94a764e399ca12e04365ac9413ed Mon Sep 17 00:00:00 2001 +From: Arik Nemtsov +Date: Sun, 25 Oct 2015 10:59:41 +0200 +Subject: mac80211: allow null chandef in tracing + +From: Arik Nemtsov + +commit 254d3dfe445f94a764e399ca12e04365ac9413ed upstream. + +In TDLS channel-switch operations the chandef can sometimes be NULL. +Avoid an oops in the trace code for these cases and just print a +chandef full of zeros. + +Fixes: a7a6bdd0670fe ("mac80211: introduce TDLS channel switch ops") +Signed-off-by: Arik Nemtsov +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/trace.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/net/mac80211/trace.h ++++ b/net/mac80211/trace.h +@@ -33,11 +33,11 @@ + __field(u32, chan_width) \ + __field(u32, center_freq1) \ + __field(u32, center_freq2) +-#define CHANDEF_ASSIGN(c) \ +- __entry->control_freq = (c)->chan ? (c)->chan->center_freq : 0; \ +- __entry->chan_width = (c)->width; \ +- __entry->center_freq1 = (c)->center_freq1; \ +- __entry->center_freq2 = (c)->center_freq2; ++#define CHANDEF_ASSIGN(c) \ ++ __entry->control_freq = (c) ? ((c)->chan ? (c)->chan->center_freq : 0) : 0; \ ++ __entry->chan_width = (c) ? (c)->width : 0; \ ++ __entry->center_freq1 = (c) ? (c)->center_freq1 : 0; \ ++ __entry->center_freq2 = (c) ? (c)->center_freq2 : 0; + #define CHANDEF_PR_FMT " control:%d MHz width:%d center: %d/%d MHz" + #define CHANDEF_PR_ARG __entry->control_freq, __entry->chan_width, \ + __entry->center_freq1, __entry->center_freq2 diff --git a/queue-4.2/mac80211-fix-divide-by-zero-when-noa-update.patch b/queue-4.2/mac80211-fix-divide-by-zero-when-noa-update.patch new file mode 100644 index 00000000000..cf123016b82 --- /dev/null +++ b/queue-4.2/mac80211-fix-divide-by-zero-when-noa-update.patch 
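Review bot: `CHANDEF_ASSIGN(c)` now evaluates its argument up to seven times and nests a ternary inside a ternary on the control_freq line, which is hard to read in a macro already spread over four statements. The first assignment can be flattened to `__entry->control_freq = (c) && (c)->chan ? (c)->chan->center_freq : 0; \` with identical results, since `&&` binds tighter than `?:`. Repeated evaluation is pre-existing and presumably harmless for the plain pointer expressions the tracepoints pass, but an argument with side effects would now be evaluated more often than before.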
@@ -0,0 +1,49 @@ +From 519ee6918b91abdc4bc9720deae17599a109eb40 Mon Sep 17 00:00:00 2001 +From: "Janusz.Dziedzic@tieto.com" +Date: Tue, 27 Oct 2015 08:35:11 +0100 +Subject: mac80211: fix divide by zero when NOA update + +From: "Janusz.Dziedzic@tieto.com" + +commit 519ee6918b91abdc4bc9720deae17599a109eb40 upstream. + +In case of one shot NOA the interval can be 0, catch that +instead of potentially (depending on the driver) crashing +like this: + +divide error: 0000 [#1] SMP +[...] +Call Trace: + +[] ieee80211_extend_absent_time+0x6c/0xb0 [mac80211] +[] ieee80211_update_p2p_noa+0xb7/0xe0 [mac80211] +[] ath9k_p2p_ps_timer+0x170/0x190 [ath9k] +[] ath_gen_timer_isr+0xc8/0xf0 [ath9k_hw] +[] ath9k_tasklet+0x296/0x2f0 [ath9k] +[] tasklet_action+0xe5/0xf0 +[...] + +Signed-off-by: Janusz Dziedzic +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/util.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -2984,6 +2984,13 @@ ieee80211_extend_noa_desc(struct ieee802 + if (end > 0) + return false; + ++ /* One shot NOA */ ++ if (data->count[i] == 1) ++ return false; ++ ++ if (data->desc[i].interval == 0) ++ return false; ++ + /* End time is in the past, check for repetitions */ + skip = DIV_ROUND_UP(-end, data->desc[i].interval); + if (data->count[i] < 255) { diff --git a/queue-4.2/mac80211-fix-driver-rssi-event-calculations.patch b/queue-4.2/mac80211-fix-driver-rssi-event-calculations.patch new file mode 100644 index 00000000000..c303f414ed6 --- /dev/null +++ b/queue-4.2/mac80211-fix-driver-rssi-event-calculations.patch 
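Review bot: The second guard `if (data->desc[i].interval == 0) return false;` is the actual divide-by-zero fix for `DIV_ROUND_UP(-end, data->desc[i].interval)` a few lines down, yet it carries no comment while the one-shot check above it does; suggest `/* interval 0 would divide by zero below; nothing to extend */`. The two guards could also be one condition, `if (data->count[i] == 1 || data->desc[i].interval == 0) return false;`, which keeps the early-return block compact. ieee80211_extend_noa_desc's body starts and ends outside the hunk.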
@@ -0,0 +1,33 @@ +From 8ec6d97871f37e4743678ea4a455bd59580aa0f4 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 28 Aug 2015 10:52:53 +0200 +Subject: mac80211: fix driver RSSI event calculations + +From: Johannes Berg + +commit 8ec6d97871f37e4743678ea4a455bd59580aa0f4 upstream. + +The ifmgd->ave_beacon_signal value cannot be taken as is for +comparisons, it must be divided by since it's represented +like that for better accuracy of the EWMA calculations. This +would lead to invalid driver RSSI events. Fix the used value. + +Fixes: 615f7b9bb1f8 ("mac80211: add driver RSSI threshold events") +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/mlme.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -3378,7 +3378,7 @@ static void ieee80211_rx_mgmt_beacon(str + + if (ifmgd->rssi_min_thold != ifmgd->rssi_max_thold && + ifmgd->count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT) { +- int sig = ifmgd->ave_beacon_signal; ++ int sig = ifmgd->ave_beacon_signal / 16; + int last_sig = ifmgd->last_ave_beacon_signal; + struct ieee80211_event event = { + .type = RSSI_EVENT, diff --git a/queue-4.2/mac80211-fix-local-deauth-while-associating.patch b/queue-4.2/mac80211-fix-local-deauth-while-associating.patch new file mode 100644 index 00000000000..75a94fd4533 --- /dev/null +++ b/queue-4.2/mac80211-fix-local-deauth-while-associating.patch 
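Review bot: The divisor in `int sig = ifmgd->ave_beacon_signal / 16;` is an unexplained magic number, and the commit text itself lost it ("must be divided by since it's represented like that"). A comment such as `/* ave_beacon_signal is kept scaled by 16 for EWMA precision */`, or a named constant shared with the other places that scale this field, would make the unit obvious at the comparison site. `last_sig` is taken from `ifmgd->last_ave_beacon_signal` unscaled, so the fix only holds if that field is written in the same divided units — presumably it is assigned from `sig` further down, but that is outside the hunk and worth confirming. Note that `/ 16` truncates toward zero on negative dBm values, unlike a shift, which matters only if the thresholds elsewhere were derived from a floored value.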
@@ -0,0 +1,50 @@ +From a64cba3c5330704a034bd3179270b8d04daf6987 Mon Sep 17 00:00:00 2001 +From: Andrei Otcheretianski +Date: Sun, 25 Oct 2015 10:59:38 +0200 +Subject: mac80211: Fix local deauth while associating + +From: Andrei Otcheretianski + +commit a64cba3c5330704a034bd3179270b8d04daf6987 upstream. + +Local request to deauthenticate wasn't handled while associating, thus +the association could continue even when the user space required to +disconnect. + +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/mlme.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -4999,6 +4999,25 @@ int ieee80211_mgd_deauth(struct ieee8021 + return 0; + } + ++ if (ifmgd->assoc_data && ++ ether_addr_equal(ifmgd->assoc_data->bss->bssid, req->bssid)) { ++ sdata_info(sdata, ++ "aborting association with %pM by local choice (Reason: %u=%s)\n", ++ req->bssid, req->reason_code, ++ ieee80211_get_reason_code_string(req->reason_code)); ++ ++ drv_mgd_prepare_tx(sdata->local, sdata); ++ ieee80211_send_deauth_disassoc(sdata, req->bssid, ++ IEEE80211_STYPE_DEAUTH, ++ req->reason_code, tx, ++ frame_buf); ++ ieee80211_destroy_assoc_data(sdata, false); ++ ieee80211_report_disconnect(sdata, frame_buf, ++ sizeof(frame_buf), true, ++ req->reason_code); ++ return 0; ++ } ++ + if (ifmgd->associated && + ether_addr_equal(ifmgd->associated->bssid, req->bssid)) { + sdata_info(sdata, diff --git a/queue-4.2/mfd-twl6040-fix-deferred-probe-handling-for-clk32k.patch b/queue-4.2/mfd-twl6040-fix-deferred-probe-handling-for-clk32k.patch new file mode 100644 index 00000000000..1027b69e41b --- /dev/null +++ b/queue-4.2/mfd-twl6040-fix-deferred-probe-handling-for-clk32k.patch 
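Review bot: The new block repeats the same teardown sequence (drv_mgd_prepare_tx, ieee80211_send_deauth_disassoc, destroy state, ieee80211_report_disconnect) that the `ifmgd->associated` branch immediately below already performs, so the deauth path now carries at least two copies that must stay in step. A small static helper taking the state-destroy step as a parameter, or at minimum a comment `/* same teardown as the associated case below; keep in sync */`, would lower the risk of the copies drifting. The bare `false` passed to `ieee80211_destroy_assoc_data()` and `true` to `ieee80211_report_disconnect()` are not self-explanatory at the call site; a short comment naming what each selects would help. ieee80211_mgd_deauth() begins and ends outside the hunk, so `tx` and `frame_buf` come from context not visible here.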
@@ -0,0 +1,46 @@ +From 75c08f17ec87c2d742487bb87408d6feebc526bd Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Fri, 18 Sep 2015 09:29:04 -0700 +Subject: mfd: twl6040: Fix deferred probe handling for clk32k + +From: Tony Lindgren + +commit 75c08f17ec87c2d742487bb87408d6feebc526bd upstream. + +Commit 68bab8662f49 ("mfd: twl6040: Optional clk32k clock handling") +added clock handling for the 32k clock from palmas-clk. However, that +patch did not consider a typical situation where twl6040 is built-in, +and palmas-clk is a loadable module like we have in omap2plus_defconfig. + +If palmas-clk is not loaded before twl6040 probes, we will get a +"clk32k is not handled" warning during booting. This means that any +drivers relying on this clock will mysteriously fail, including +omap5-uevm WLAN and audio. + +Note that for WLAN, we probably should also eventually get +the clk32kgaudio for MMC3 directly as that's shared between +audio and WLAN SDIO at least for omap5-uevm. It seems the +WLAN chip cannot get it as otherwise MMC3 won't get properly +probed. + +Fixes: 68bab8662f49 ("mfd: twl6040: Optional clk32k clock handling") +Signed-off-by: Tony Lindgren +Reviewed-by: Felipe Balbi +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mfd/twl6040.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mfd/twl6040.c ++++ b/drivers/mfd/twl6040.c +@@ -647,6 +647,8 @@ static int twl6040_probe(struct i2c_clie + + twl6040->clk32k = devm_clk_get(&client->dev, "clk32k"); + if (IS_ERR(twl6040->clk32k)) { ++ if (PTR_ERR(twl6040->clk32k) == -EPROBE_DEFER) ++ return -EPROBE_DEFER; + dev_info(&client->dev, "clk32k is not handled\n"); + twl6040->clk32k = NULL; + } diff --git a/queue-4.2/mips-ath79-fix-the-ddr-control-initialization-on-ar71xx-and-ar934x.patch b/queue-4.2/mips-ath79-fix-the-ddr-control-initialization-on-ar71xx-and-ar934x.patch new file mode 100644 index 00000000000..b33c5e46ebb --- /dev/null 
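Review bot: Only `-EPROBE_DEFER` is propagated from `devm_clk_get()`; every other error (a malformed `clocks` reference, `-EINVAL` from the provider) is still downgraded to an info message and a NULL clock, so a misconfigured DT silently loses the 32 kHz clock instead of failing probe. If the optional case is meant to be "no clock specified", returning the other errors, roughly `if (PTR_ERR(twl6040->clk32k) != -ENOENT) return PTR_ERR(twl6040->clk32k);`, would separate "absent" from "broken" — though which errno the providers return for "absent" on this platform should be confirmed before tightening it. The early `return` is only leak-free if everything acquired earlier in probe is devm-managed; the top of twl6040_probe() is outside the hunk, so that should be checked.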
+++ b/queue-4.2/mips-ath79-fix-the-ddr-control-initialization-on-ar71xx-and-ar934x.patch @@ -0,0 +1,41 @@ +From 5011a7e808c9fec643d752c5a495a48f27268a48 Mon Sep 17 00:00:00 2001 +From: Alban Bedel +Date: Tue, 17 Nov 2015 09:40:07 +0100 +Subject: MIPS: ath79: Fix the DDR control initialization on ar71xx and ar934x + +From: Alban Bedel + +commit 5011a7e808c9fec643d752c5a495a48f27268a48 upstream. + +The DDR control initialization needs to know the SoC type, however +ath79_detect_sys_type() was called after ath79_ddr_ctrl_init(). +Reverse the order to fix the DDR control initialization on ar71xx and +ar934x. + +Signed-off-by: Alban Bedel +Cc: Felix Fietkau +Cc: Qais Yousef +Cc: Andrew Bresticker +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/11500/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/ath79/setup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/ath79/setup.c ++++ b/arch/mips/ath79/setup.c +@@ -216,9 +216,9 @@ void __init plat_mem_setup(void) + AR71XX_RESET_SIZE); + ath79_pll_base = ioremap_nocache(AR71XX_PLL_BASE, + AR71XX_PLL_SIZE); ++ ath79_detect_sys_type(); + ath79_ddr_ctrl_init(); + +- ath79_detect_sys_type(); + if (mips_machtype != ATH79_MACH_GENERIC_OF) + detect_memory_region(0, ATH79_MEM_SIZE_MIN, ATH79_MEM_SIZE_MAX); + diff --git a/queue-4.2/mips-cdmm-add-builtin_mips_cdmm_driver-macro.patch b/queue-4.2/mips-cdmm-add-builtin_mips_cdmm_driver-macro.patch new file mode 100644 index 00000000000..ab4cb3ba90e --- /dev/null +++ b/queue-4.2/mips-cdmm-add-builtin_mips_cdmm_driver-macro.patch 
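Review bot: The fix is a pure ordering dependency with nothing in the code recording it, so a later reshuffle of plat_mem_setup() can silently reintroduce the bug. A one-line comment above the moved call, `/* must run before ath79_ddr_ctrl_init(): the DDR register layout depends on the SoC type */`, would pin the constraint where the next editor will see it. plat_mem_setup() begins and ends outside the hunk.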
@@ -0,0 +1,46 @@ +From 1b4a5ddb127caf125e14551ebd334be1acf21805 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Tue, 6 Oct 2015 15:12:05 +0100 +Subject: MIPS: CDMM: Add builtin_mips_cdmm_driver() macro + +From: James Hogan + +commit 1b4a5ddb127caf125e14551ebd334be1acf21805 upstream. + +Add helper macro builtin_mips_cdmm_driver() for builtin CDMM drivers +that don't do anything special in init and have no exit. The +module_mips_cdmm_driver() helper isn't really appropriate for drivers +that can't be built as a module. + +Signed-off-by: James Hogan +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Cc: linux-mips@linux-mips.org +Patchwork: http://patchwork.linux-mips.org/patch/11264/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/cdmm.h | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/arch/mips/include/asm/cdmm.h ++++ b/arch/mips/include/asm/cdmm.h +@@ -84,6 +84,17 @@ void mips_cdmm_driver_unregister(struct + module_driver(__mips_cdmm_driver, mips_cdmm_driver_register, \ + mips_cdmm_driver_unregister) + ++/* ++ * builtin_mips_cdmm_driver() - Helper macro for drivers that don't do anything ++ * special in init and have no exit. This eliminates some boilerplate. Each ++ * driver may only use this macro once, and calling it replaces device_initcall ++ * (or in some cases, the legacy __initcall). This is meant to be a direct ++ * parallel of module_mips_cdmm_driver() above but without the __exit stuff that ++ * is not used for builtin cases. ++ */ ++#define builtin_mips_cdmm_driver(__mips_cdmm_driver) \ ++ builtin_driver(__mips_cdmm_driver, mips_cdmm_driver_register) ++ + /* drivers/tty/mips_ejtag_fdc.c */ + + #ifdef CONFIG_MIPS_EJTAG_FDC_EARLYCON diff --git a/queue-4.2/mips-kvm-fix-asid-restoration-logic.patch b/queue-4.2/mips-kvm-fix-asid-restoration-logic.patch new file mode 100644 index 00000000000..db545c1fe4b --- /dev/null +++ b/queue-4.2/mips-kvm-fix-asid-restoration-logic.patch 
@@ -0,0 +1,64 @@ +From 002374f371bd02df864cce1fe85d90dc5b292837 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Wed, 11 Nov 2015 14:21:18 +0000 +Subject: MIPS: KVM: Fix ASID restoration logic + +From: James Hogan + +commit 002374f371bd02df864cce1fe85d90dc5b292837 upstream. + +ASID restoration on guest resume should determine the guest execution +mode based on the guest Status register rather than bit 30 of the guest +PC. + +Fix the two places in locore.S that do this, loading the guest status +from the cop0 area. Note, this assembly is specific to the trap & +emulate implementation of KVM, so it doesn't need to check the +supervisor bit as that mode is not implemented in the guest. + +Fixes: b680f70fc111 ("KVM/MIPS32: Entry point for trampolining to...") +Signed-off-by: James Hogan +Cc: Ralf Baechle +Cc: Paolo Bonzini +Cc: Gleb Natapov +Cc: linux-mips@linux-mips.org +Cc: kvm@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kvm/locore.S | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/arch/mips/kvm/locore.S ++++ b/arch/mips/kvm/locore.S +@@ -165,9 +165,11 @@ FEXPORT(__kvm_mips_vcpu_run) + + FEXPORT(__kvm_mips_load_asid) + /* Set the ASID for the Guest Kernel */ +- INT_SLL t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */ +- /* addresses shift to 0x80000000 */ +- bltz t0, 1f /* If kernel */ ++ PTR_L t0, VCPU_COP0(k1) ++ LONG_L t0, COP0_STATUS(t0) ++ andi t0, KSU_USER | ST0_ERL | ST0_EXL ++ xori t0, KSU_USER ++ bnez t0, 1f /* If kernel */ + INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */ + INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID /* else user */ + 1: +@@ -482,9 +484,11 @@ __kvm_mips_return_to_guest: + mtc0 t0, CP0_EPC + + /* Set the ASID for the Guest Kernel */ +- INT_SLL t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */ +- /* addresses shift to 0x80000000 */ +- bltz t0, 1f /* If kernel */ ++ PTR_L t0, VCPU_COP0(k1) ++ LONG_L t0, COP0_STATUS(t0) ++ andi t0, KSU_USER | ST0_ERL | 
ST0_EXL ++ xori t0, KSU_USER ++ bnez t0, 1f /* If kernel */ + INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */ + INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID /* else user */ + 1: diff --git a/queue-4.2/mips-kvm-fix-cache-immediate-offset-sign-extension.patch b/queue-4.2/mips-kvm-fix-cache-immediate-offset-sign-extension.patch new file mode 100644 index 00000000000..48859ad870a --- /dev/null +++ b/queue-4.2/mips-kvm-fix-cache-immediate-offset-sign-extension.patch @@ -0,0 +1,38 @@ +From c5c2a3b998f1ff5a586f9d37e154070b8d550d17 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Wed, 11 Nov 2015 14:21:19 +0000 +Subject: MIPS: KVM: Fix CACHE immediate offset sign extension + +From: James Hogan + +commit c5c2a3b998f1ff5a586f9d37e154070b8d550d17 upstream. + +The immediate field of the CACHE instruction is signed, so ensure that +it gets sign extended by casting it to an int16_t rather than just +masking the low 16 bits. + +Fixes: e685c689f3a8 ("KVM/MIPS32: Privileged instruction/target branch emulation.") +Signed-off-by: James Hogan +Cc: Ralf Baechle +Cc: Paolo Bonzini +Cc: Gleb Natapov +Cc: linux-mips@linux-mips.org +Cc: kvm@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kvm/emulate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/kvm/emulate.c ++++ b/arch/mips/kvm/emulate.c +@@ -1581,7 +1581,7 @@ enum emulation_result kvm_mips_emulate_c + + base = (inst >> 21) & 0x1f; + op_inst = (inst >> 16) & 0x1f; +- offset = inst & 0xffff; ++ offset = (int16_t)inst; + cache = (inst >> 16) & 0x3; + op = (inst >> 18) & 0x7; + diff --git a/queue-4.2/mips-kvm-uninit-vcpu-in-vcpu_create-error-path.patch b/queue-4.2/mips-kvm-uninit-vcpu-in-vcpu_create-error-path.patch new file mode 100644 index 00000000000..7f2e2906127 --- /dev/null +++ b/queue-4.2/mips-kvm-uninit-vcpu-in-vcpu_create-error-path.patch 
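Review bot: The five-instruction Status-based mode test is now duplicated verbatim in `__kvm_mips_load_asid` and `__kvm_mips_return_to_guest`, and the guest kernel/user ASID split is only consistent while both copies stay identical; an assembler macro (e.g. `.macro guest_is_kernel_mode reg`) used from both sites would remove the drift risk. The `/* If kernel */` comment no longer explains the test: the `andi`/`xori` pair is zero only when KSU is user and both ERL and EXL are clear, so `/* kernel mode: KSU != user, or ERL/EXL set */` would be more useful. The omission of supervisor mode is documented only in the commit message; a short comment at one site would keep that assumption visible to whoever adds supervisor support. The `__kvm_mips_return_to_guest` label is outside the hunk.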
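Review bot: `offset = (int16_t)inst;` only sign-extends if `offset` itself is a signed type at least 32 bits wide; its declaration is outside the hunk, and if it is `u32` or `unsigned` the conversion on assignment undoes the cast and the bug persists. The declaration should be checked (`s32`/`int` is what is needed), and a comment such as `/* CACHE immediate is a signed 16-bit offset */` would explain the cast to the next reader, since every neighbouring field extraction (`& 0x1f`, `& 0x3`, `& 0x7`) is unsigned. kvm_mips_emulate_cache() begins and ends outside the hunk.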
@@ -0,0 +1,48 @@ +From 585bb8f9a5e592f2ce7abbe5ed3112d5438d2754 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Wed, 11 Nov 2015 14:21:20 +0000 +Subject: MIPS: KVM: Uninit VCPU in vcpu_create error path + +From: James Hogan + +commit 585bb8f9a5e592f2ce7abbe5ed3112d5438d2754 upstream. + +If either of the memory allocations in kvm_arch_vcpu_create() fail, the +vcpu which has been allocated and kvm_vcpu_init'd doesn't get uninit'd +in the error handling path. Add a call to kvm_vcpu_uninit() to fix this. + +Fixes: 669e846e6c4e ("KVM/MIPS32: MIPS arch specific APIs for KVM") +Signed-off-by: James Hogan +Cc: Ralf Baechle +Cc: Paolo Bonzini +Cc: Gleb Natapov +Cc: linux-mips@linux-mips.org +Cc: kvm@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kvm/mips.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/mips/kvm/mips.c ++++ b/arch/mips/kvm/mips.c +@@ -278,7 +278,7 @@ struct kvm_vcpu *kvm_arch_vcpu_create(st + + if (!gebase) { + err = -ENOMEM; +- goto out_free_cpu; ++ goto out_uninit_cpu; + } + kvm_debug("Allocated %d bytes for KVM Exception Handlers @ %p\n", + ALIGN(size, PAGE_SIZE), gebase); +@@ -342,6 +342,9 @@ struct kvm_vcpu *kvm_arch_vcpu_create(st + out_free_gebase: + kfree(gebase); + ++out_uninit_cpu: ++ kvm_vcpu_uninit(vcpu); ++ + out_free_cpu: + kfree(vcpu); + diff --git a/queue-4.2/mips-lantiq-add-clk_round_rate.patch b/queue-4.2/mips-lantiq-add-clk_round_rate.patch new file mode 100644 index 00000000000..be494892891 --- /dev/null +++ b/queue-4.2/mips-lantiq-add-clk_round_rate.patch 
@@ -0,0 +1,52 @@ +From 4e7d30dba493b60a80e9b590add1b4402265cc83 Mon Sep 17 00:00:00 2001 +From: Hauke Mehrtens +Date: Sun, 25 Oct 2015 23:21:42 +0100 +Subject: MIPS: lantiq: add clk_round_rate() + +From: Hauke Mehrtens + +commit 4e7d30dba493b60a80e9b590add1b4402265cc83 upstream. + +This adds a basic implementation of clk_round_rate() +The clk_round_rate() function is called by multiple drivers and +subsystems now and the lantiq clk driver is supposed to export this, +but doesn't do so, this causes linking problems like this one: +ERROR: "clk_round_rate" [drivers/media/v4l2-core/videodev.ko] undefined! + +Signed-off-by: Hauke Mehrtens +Acked-by: John Crispin +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/11358/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/lantiq/clk.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/arch/mips/lantiq/clk.c ++++ b/arch/mips/lantiq/clk.c +@@ -99,6 +99,23 @@ int clk_set_rate(struct clk *clk, unsign + } + EXPORT_SYMBOL(clk_set_rate); + ++long clk_round_rate(struct clk *clk, unsigned long rate) ++{ ++ if (unlikely(!clk_good(clk))) ++ return 0; ++ if (clk->rates && *clk->rates) { ++ unsigned long *r = clk->rates; ++ ++ while (*r && (*r != rate)) ++ r++; ++ if (!*r) { ++ return clk->rate; ++ } ++ } ++ return rate; ++} ++EXPORT_SYMBOL(clk_round_rate); ++ + int clk_enable(struct clk *clk) + { + if (unlikely(!clk_good(clk))) diff --git a/queue-4.2/mwifiex-fix-mwifiex_rdeeprom_read.patch b/queue-4.2/mwifiex-fix-mwifiex_rdeeprom_read.patch new file mode 100644 index 00000000000..a13cbef54cf --- /dev/null +++ b/queue-4.2/mwifiex-fix-mwifiex_rdeeprom_read.patch 
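Review bot: `clk_round_rate()` returns `0` for a bad clock, but the clk API contract (and callers that test `< 0`) expects a negative errno, so `return -EINVAL;` — or whatever `clk_set_rate()` in this file returns for `!clk_good(clk)`, for consistency — would let callers tell "invalid clock" from "rate 0". When the requested rate is not in `clk->rates` the function returns `clk->rate`, the current rate, which is not a rounded rate in the usual sense; a comment (`/* unsupported rate: fall back to the current rate rather than searching for the nearest */`) would stop it being read as a bug. Style: `if (!*r) { return clk->rate; }` braces a single statement, which kernel style omits.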
@@ -0,0 +1,79 @@ +From 1f9c6e1bc1ba5f8a10fcd6e99d170954d7c6d382 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 21 Sep 2015 19:19:53 +0300 +Subject: mwifiex: fix mwifiex_rdeeprom_read() + +From: Dan Carpenter + +commit 1f9c6e1bc1ba5f8a10fcd6e99d170954d7c6d382 upstream. + +There were several bugs here. + +1) The done label was in the wrong place so we didn't copy any + information out when there was no command given. + +2) We were using PAGE_SIZE as the size of the buffer instead of + "PAGE_SIZE - pos". + +3) snprintf() returns the number of characters that would have been + printed if there were enough space. If there was not enough space + (and we had fixed the memory corruption bug #2) then it would result + in an information leak when we do simple_read_from_buffer(). I've + changed it to use scnprintf() instead. + +I also removed the initialization at the start of the function, because +I thought it made the code a little more clear. + +Fixes: 5e6e3a92b9a4 ('wireless: mwifiex: initial commit for Marvell mwifiex driver') +Signed-off-by: Dan Carpenter +Acked-by: Amitkumar Karwar +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mwifiex/debugfs.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/net/wireless/mwifiex/debugfs.c ++++ b/drivers/net/wireless/mwifiex/debugfs.c +@@ -731,7 +731,7 @@ mwifiex_rdeeprom_read(struct file *file, + (struct mwifiex_private *) file->private_data; + unsigned long addr = get_zeroed_page(GFP_KERNEL); + char *buf = (char *) addr; +- int pos = 0, ret = 0, i; ++ int pos, ret, i; + u8 value[MAX_EEPROM_DATA]; + + if (!buf) +@@ -739,7 +739,7 @@ mwifiex_rdeeprom_read(struct file *file, + + if (saved_offset == -1) { + /* No command has been given */ +- pos += snprintf(buf, PAGE_SIZE, "0"); ++ pos = snprintf(buf, PAGE_SIZE, "0"); + goto done; + } + +@@ -748,17 +748,17 @@ mwifiex_rdeeprom_read(struct file *file, + (u16) saved_bytes, value); + if (ret) { + 
ret = -EINVAL; +- goto done; ++ goto out_free; + } + +- pos += snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes); ++ pos = snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes); + + for (i = 0; i < saved_bytes; i++) +- pos += snprintf(buf + strlen(buf), PAGE_SIZE, "%d ", value[i]); +- +- ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos); ++ pos += scnprintf(buf + pos, PAGE_SIZE - pos, "%d ", value[i]); + + done: ++ ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos); ++out_free: + free_page(addr); + return ret; + } diff --git a/queue-4.2/net-mvneta-fix-cpu_map-registers-initialisation.patch b/queue-4.2/net-mvneta-fix-cpu_map-registers-initialisation.patch new file mode 100644 index 00000000000..a236ea121ac --- /dev/null +++ b/queue-4.2/net-mvneta-fix-cpu_map-registers-initialisation.patch 
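Review bot: The loop writes `saved_bytes` entries from `value[MAX_EEPROM_DATA]`, so the rewritten code is still only safe if the write-side handler that sets `saved_bytes` clamps it to `MAX_EEPROM_DATA` before `mwifiex_read_eeprom()` fills the array; that handler is outside the hunk and worth confirming, since this is a debugfs interface. The two leading prints still use `snprintf()` while the loop uses `scnprintf()`; they cannot overflow a page, but switching them too (`pos = scnprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes);`) keeps the invariant that `pos` is always a valid buffer length obvious. A comment at `done:` noting that `pos` must be a bounded length there would help, since the label is now reached from two paths.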
@@ -0,0 +1,40 @@ +From 2502d0ef272da7058ef303b849a2c8dc324c2e2e Mon Sep 17 00:00:00 2001 +From: Maxime Ripard +Date: Fri, 25 Sep 2015 18:09:35 +0200 +Subject: net: mvneta: Fix CPU_MAP registers initialisation + +From: Maxime Ripard + +commit 2502d0ef272da7058ef303b849a2c8dc324c2e2e upstream. + +The CPU_MAP register is duplicated for each CPUs at different addresses, +each instance being at a different address. + +However, the code so far was using CONFIG_NR_CPUS to initialise the CPU_MAP +registers for each registers, while the SoCs embed at most 4 CPUs. + +This is especially an issue with multi_v7_defconfig, where CONFIG_NR_CPUS +is currently set to 16, resulting in writes to registers that are not +CPU_MAP. + +Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP network unit") +Signed-off-by: Maxime Ripard +Signed-off-by: Gregory CLEMENT +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/marvell/mvneta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -949,7 +949,7 @@ static void mvneta_defaults_set(struct m + /* Set CPU queue access map - all CPUs have access to all RX + * queues and to all TX queues + */ +- for (cpu = 0; cpu < CONFIG_NR_CPUS; cpu++) ++ for_each_present_cpu(cpu) + mvreg_write(pp, MVNETA_CPU_MAP(cpu), + (MVNETA_CPU_RXQ_ACCESS_ALL_MASK | + MVNETA_CPU_TXQ_ACCESS_ALL_MASK)); diff --git a/queue-4.2/net-mvneta-fix-error-path-for-building-skb.patch b/queue-4.2/net-mvneta-fix-error-path-for-building-skb.patch new file mode 100644 index 00000000000..872cb367fbf --- /dev/null +++ b/queue-4.2/net-mvneta-fix-error-path-for-building-skb.patch 
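Review bot: `for_each_present_cpu()` initialises CPU_MAP only for CPUs present when `mvneta_defaults_set()` runs; a CPU that becomes present later would never receive its queue-access mask, so the loop fixes the out-of-range register writes but ties correctness to the CPU set at init. Whether that matters depends on whether these SoCs can bring CPUs online after the driver starts — if they can, `for_each_possible_cpu()` capped at the hardware's CPU_MAP instance count, or a hotplug notifier, would be the safer form. A comment such as `/* CPU_MAP is one register per hardware CPU; never index past the SoC's CPU count */` would record the bound the commit message explains but the code does not.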
@@ -0,0 +1,49 @@ +From 26c17a179f3f64f92de6e837c14279a6431a7ab6 Mon Sep 17 00:00:00 2001 +From: Marcin Wojtas +Date: Mon, 30 Nov 2015 13:27:44 +0100 +Subject: net: mvneta: fix error path for building skb + +From: Marcin Wojtas + +commit 26c17a179f3f64f92de6e837c14279a6431a7ab6 upstream. + +In the actual RX processing, there is same error path for both descriptor +ring refilling and building skb fails. This is not correct, because after +successful refill, the ring is already updated with newly allocated +buffer. Then, in case of build_skb() fail, hitherto code left the original +buffer unmapped. + +This patch fixes above situation by swapping error check of skb build with +DMA-unmap of original buffer. + +Signed-off-by: Marcin Wojtas +Acked-by: Simon Guinot +Fixes a84e32894191 ("net: mvneta: fix refilling for Rx DMA buffers") +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/marvell/mvneta.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -1533,12 +1533,16 @@ static int mvneta_rx(struct mvneta_port + } + + skb = build_skb(data, pp->frag_size > PAGE_SIZE ? 0 : pp->frag_size); +- if (!skb) +- goto err_drop_frame; + ++ /* After refill old buffer has to be unmapped regardless ++ * the skb is successfully built or not. ++ */ + dma_unmap_single(dev->dev.parent, phys_addr, + MVNETA_RX_BUF_SIZE(pp->pkt_size), DMA_FROM_DEVICE); + ++ if (!skb) ++ goto err_drop_frame; ++ + rcvd_pkts++; + rcvd_bytes += rx_bytes; + diff --git a/queue-4.2/nfc-nci-extract-pipe-value-using-nci_hcp_msg_get_pipe.patch b/queue-4.2/nfc-nci-extract-pipe-value-using-nci_hcp_msg_get_pipe.patch new file mode 100644 index 00000000000..9bfdf867cb1 --- /dev/null +++ b/queue-4.2/nfc-nci-extract-pipe-value-using-nci_hcp_msg_get_pipe.patch 
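Review bot: After a successful refill the old `data` buffer is no longer referenced by the ring, so when `build_skb()` fails the `goto err_drop_frame` must also free `data`, not just unmap it; if that label (outside the hunk) only bumps drop counters and releases the descriptor, the buffer leaks on every failed build. Worth checking what `err_drop_frame` does with `data`, or freeing it explicitly before the jump. A comment next to the unmap, `/* data is ours now: the ring already holds the refilled buffer */`, would also make the ownership transfer explicit for the next reader.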
@@ -0,0 +1,40 @@ +From e65917b6d54f8b47d8293ea96adfa604fd46cf0d Mon Sep 17 00:00:00 2001 +From: Christophe Ricard +Date: Sun, 25 Oct 2015 22:54:22 +0100 +Subject: NFC: nci: extract pipe value using NCI_HCP_MSG_GET_PIPE + +From: Christophe Ricard + +commit e65917b6d54f8b47d8293ea96adfa604fd46cf0d upstream. + +When receiving data in nci_hci_msg_rx_work, extract pipe +value using NCI_HCP_MSG_GET_PIPE macro. + +Signed-off-by: Christophe Ricard +Signed-off-by: Samuel Ortiz +Signed-off-by: Greg Kroah-Hartman + +--- + net/nfc/nci/hci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/nfc/nci/hci.c ++++ b/net/nfc/nci/hci.c +@@ -402,7 +402,7 @@ static void nci_hci_msg_rx_work(struct w + u8 pipe, type, instruction; + + while ((skb = skb_dequeue(&hdev->msg_rx_queue)) != NULL) { +- pipe = skb->data[0]; ++ pipe = NCI_HCP_MSG_GET_PIPE(skb->data[0]); + skb_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN); + message = (struct nci_hcp_message *)skb->data; + type = NCI_HCP_MSG_GET_TYPE(message->header); +@@ -439,7 +439,7 @@ void nci_hci_data_received_cb(void *cont + + /* it's the last fragment. Does it need re-aggregation? */ + if (skb_queue_len(&ndev->hci_dev->rx_hcp_frags)) { +- pipe = packet->header & NCI_HCI_FRAGMENT; ++ pipe = NCI_HCP_MSG_GET_PIPE(packet->header); + skb_queue_tail(&ndev->hci_dev->rx_hcp_frags, skb); + + msg_len = 0; diff --git a/queue-4.2/nfc-nci-fix-improper-management-of-hci-return-code.patch b/queue-4.2/nfc-nci-fix-improper-management-of-hci-return-code.patch new file mode 100644 index 00000000000..88e0b7e0c0a --- /dev/null +++ b/queue-4.2/nfc-nci-fix-improper-management-of-hci-return-code.patch 
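Review bot: `skb->data[0]` and, after `skb_pull()`, `message->header` are read with no visible check that the skb holds at least `NCI_HCI_HCP_PACKET_HEADER_LEN + NCI_HCI_HCP_MESSAGE_HEADER_LEN` bytes, so a short HCP packet from the controller would read past the payload; if the enqueue path does not enforce this, a guard at the top of the loop, `if (skb->len < NCI_HCI_HCP_PACKET_HEADER_LEN + NCI_HCI_HCP_MESSAGE_HEADER_LEN) { kfree_skb(skb); continue; }`, is needed. The fragment path in `nci_hci_data_received_cb()` reads `packet->header` under the same assumption. Both functions begin and end outside the hunk, so the length checks may exist elsewhere, but they are not visible here.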
@@ -0,0 +1,176 @@ +From d8cd37ed2fc871c66b4c79c59f651dc2cdf7091c Mon Sep 17 00:00:00 2001 +From: Christophe Ricard +Date: Sun, 25 Oct 2015 22:54:21 +0100 +Subject: NFC: nci: Fix improper management of HCI return code + +From: Christophe Ricard + +commit d8cd37ed2fc871c66b4c79c59f651dc2cdf7091c upstream. + +When sending HCI data over NCI, HCI return code is part +of the NCI data. In order to get correctly the HCI return +code, we assume the NCI communication is successful and +extract the return code for the nci_hci functions return code. + +This is done because nci_to_errno does not match hci return +code value. + +Signed-off-by: Christophe Ricard +Signed-off-by: Samuel Ortiz +Signed-off-by: Greg Kroah-Hartman + +--- + net/nfc/nci/hci.c | 64 ++++++++++++++++++++++++++++++++++++++++-------------- + 1 file changed, 48 insertions(+), 16 deletions(-) + +--- a/net/nfc/nci/hci.c ++++ b/net/nfc/nci/hci.c +@@ -101,6 +101,20 @@ struct nci_hcp_packet { + #define NCI_HCP_MSG_GET_CMD(header) (header & 0x3f) + #define NCI_HCP_MSG_GET_PIPE(header) (header & 0x7f) + ++static int nci_hci_result_to_errno(u8 result) ++{ ++ switch (result) { ++ case NCI_HCI_ANY_OK: ++ return 0; ++ case NCI_HCI_ANY_E_REG_PAR_UNKNOWN: ++ return -EOPNOTSUPP; ++ case NCI_HCI_ANY_E_TIMEOUT: ++ return -ETIME; ++ default: ++ return -1; ++ } ++} ++ + /* HCI core */ + static void nci_hci_reset_pipes(struct nci_hci_dev *hdev) + { +@@ -218,7 +232,8 @@ int nci_hci_send_cmd(struct nci_dev *nde + const u8 *param, size_t param_len, + struct sk_buff **skb) + { +- struct nci_conn_info *conn_info; ++ struct nci_hcp_message *message; ++ struct nci_conn_info *conn_info; + struct nci_data data; + int r; + u8 pipe = ndev->hci_dev->gate2pipe[gate]; +@@ -238,9 +253,15 @@ int nci_hci_send_cmd(struct nci_dev *nde + + r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data, + msecs_to_jiffies(NCI_DATA_TIMEOUT)); ++ if (r == NCI_STATUS_OK) { ++ message = (struct nci_hcp_message *)conn_info->rx_skb->data; ++ r = 
nci_hci_result_to_errno( ++ NCI_HCP_MSG_GET_CMD(message->header)); ++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN); + +- if (r == NCI_STATUS_OK && skb) +- *skb = conn_info->rx_skb; ++ if (!r && skb) ++ *skb = conn_info->rx_skb; ++ } + + return r; + } +@@ -334,9 +355,6 @@ static void nci_hci_resp_received(struct + struct nci_conn_info *conn_info; + u8 status = result; + +- if (result != NCI_HCI_ANY_OK) +- goto exit; +- + conn_info = ndev->hci_dev->conn_info; + if (!conn_info) { + status = NCI_STATUS_REJECTED; +@@ -346,7 +364,7 @@ static void nci_hci_resp_received(struct + conn_info->rx_skb = skb; + + exit: +- nci_req_complete(ndev, status); ++ nci_req_complete(ndev, NCI_STATUS_OK); + } + + /* Receive hcp message for pipe, with type and cmd. +@@ -401,7 +419,7 @@ void nci_hci_data_received_cb(void *cont + { + struct nci_dev *ndev = (struct nci_dev *)context; + struct nci_hcp_packet *packet; +- u8 pipe, type, instruction; ++ u8 pipe, type; + struct sk_buff *hcp_skb; + struct sk_buff *frag_skb; + int msg_len; +@@ -440,7 +458,7 @@ void nci_hci_data_received_cb(void *cont + *skb_put(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN) = pipe; + + skb_queue_walk(&ndev->hci_dev->rx_hcp_frags, frag_skb) { +- msg_len = frag_skb->len - NCI_HCI_HCP_PACKET_HEADER_LEN; ++ msg_len = frag_skb->len - NCI_HCI_HCP_PACKET_HEADER_LEN; + memcpy(skb_put(hcp_skb, msg_len), frag_skb->data + + NCI_HCI_HCP_PACKET_HEADER_LEN, msg_len); + } +@@ -458,11 +476,10 @@ void nci_hci_data_received_cb(void *cont + packet = (struct nci_hcp_packet *)hcp_skb->data; + type = NCI_HCP_MSG_GET_TYPE(packet->message.header); + if (type == NCI_HCI_HCP_RESPONSE) { +- pipe = packet->header; +- instruction = NCI_HCP_MSG_GET_CMD(packet->message.header); +- skb_pull(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN + +- NCI_HCI_HCP_MESSAGE_HEADER_LEN); +- nci_hci_hcp_message_rx(ndev, pipe, type, instruction, hcp_skb); ++ pipe = NCI_HCP_MSG_GET_PIPE(packet->header); ++ skb_pull(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN); ++ 
nci_hci_hcp_message_rx(ndev, pipe, type, ++ NCI_STATUS_OK, hcp_skb); + } else { + skb_queue_tail(&ndev->hci_dev->msg_rx_queue, hcp_skb); + schedule_work(&ndev->hci_dev->msg_rx_work); +@@ -494,6 +511,7 @@ EXPORT_SYMBOL(nci_hci_open_pipe); + int nci_hci_set_param(struct nci_dev *ndev, u8 gate, u8 idx, + const u8 *param, size_t param_len) + { ++ struct nci_hcp_message *message; + struct nci_conn_info *conn_info; + struct nci_data data; + int r; +@@ -526,6 +544,12 @@ int nci_hci_set_param(struct nci_dev *nd + r = nci_request(ndev, nci_hci_send_data_req, + (unsigned long)&data, + msecs_to_jiffies(NCI_DATA_TIMEOUT)); ++ if (r == NCI_STATUS_OK) { ++ message = (struct nci_hcp_message *)conn_info->rx_skb->data; ++ r = nci_hci_result_to_errno( ++ NCI_HCP_MSG_GET_CMD(message->header)); ++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN); ++ } + + kfree(tmp); + return r; +@@ -535,6 +559,7 @@ EXPORT_SYMBOL(nci_hci_set_param); + int nci_hci_get_param(struct nci_dev *ndev, u8 gate, u8 idx, + struct sk_buff **skb) + { ++ struct nci_hcp_message *message; + struct nci_conn_info *conn_info; + struct nci_data data; + int r; +@@ -559,8 +584,15 @@ int nci_hci_get_param(struct nci_dev *nd + r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data, + msecs_to_jiffies(NCI_DATA_TIMEOUT)); + +- if (r == NCI_STATUS_OK) +- *skb = conn_info->rx_skb; ++ if (r == NCI_STATUS_OK) { ++ message = (struct nci_hcp_message *)conn_info->rx_skb->data; ++ r = nci_hci_result_to_errno( ++ NCI_HCP_MSG_GET_CMD(message->header)); ++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN); ++ ++ if (!r && skb) ++ *skb = conn_info->rx_skb; ++ } + + return r; + } diff --git a/queue-4.2/nfc-nci-fix-incorrect-data-chaining-when-sending-data.patch b/queue-4.2/nfc-nci-fix-incorrect-data-chaining-when-sending-data.patch new file mode 100644 index 00000000000..0bde242dbb9 --- /dev/null +++ b/queue-4.2/nfc-nci-fix-incorrect-data-chaining-when-sending-data.patch 
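Review bot: `nci_hci_resp_received()` now calls `nci_req_complete(ndev, NCI_STATUS_OK)` unconditionally, so the `status = NCI_STATUS_REJECTED` assignment in the `!conn_info` branch is dead (the local is set but never used) and the request completes "OK" with `rx_skb` never assigned; the callers added in this patch then dereference `conn_info->rx_skb->data` with no NULL check. Either the label path should still report failure, or each caller should test the skb first, e.g. `if (!conn_info->rx_skb) return -EPROTO;` before the cast. Those callers also cast `rx_skb->data` to `struct nci_hcp_message` and `skb_pull()` the header without checking `rx_skb->len`. Separately, `nci_hci_result_to_errno()` returns a bare `-1` (which is `-EPERM`) for unknown results; a named errno such as `-EIO` would be conventional and distinguishable from a real permission error.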
@@ -0,0 +1,66 @@ +From 500c4ef02277eaadbfe20537f963b6221f6ac007 Mon Sep 17 00:00:00 2001 +From: Christophe Ricard +Date: Sun, 25 Oct 2015 22:54:20 +0100 +Subject: NFC: nci: Fix incorrect data chaining when sending data + +From: Christophe Ricard + +commit 500c4ef02277eaadbfe20537f963b6221f6ac007 upstream. + +When sending HCI data over NCI, cmd information should be +present only on the first packet. +Each packet shall be specifically allocated and sent to the +NCI layer. + +Signed-off-by: Christophe Ricard +Signed-off-by: Samuel Ortiz +Signed-off-by: Greg Kroah-Hartman + +--- + net/nfc/nci/hci.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +--- a/net/nfc/nci/hci.c ++++ b/net/nfc/nci/hci.c +@@ -146,18 +146,18 @@ static int nci_hci_send_data(struct nci_ + if (!conn_info) + return -EPROTO; + +- skb = nci_skb_alloc(ndev, 2 + conn_info->max_pkt_payload_len + ++ i = 0; ++ skb = nci_skb_alloc(ndev, conn_info->max_pkt_payload_len + + NCI_DATA_HDR_SIZE, GFP_KERNEL); + if (!skb) + return -ENOMEM; + +- skb_reserve(skb, 2 + NCI_DATA_HDR_SIZE); ++ skb_reserve(skb, NCI_DATA_HDR_SIZE + 2); + *skb_push(skb, 1) = data_type; + +- i = 0; +- len = conn_info->max_pkt_payload_len; +- + do { ++ len = conn_info->max_pkt_payload_len; ++ + /* If last packet add NCI_HFP_NO_CHAINING */ + if (i + conn_info->max_pkt_payload_len - + (skb->len + 1) >= data_len) { +@@ -177,9 +177,15 @@ static int nci_hci_send_data(struct nci_ + return r; + + i += len; ++ + if (i < data_len) { +- skb_trim(skb, 0); +- skb_pull(skb, len); ++ skb = nci_skb_alloc(ndev, ++ conn_info->max_pkt_payload_len + ++ NCI_DATA_HDR_SIZE, GFP_KERNEL); ++ if (!skb) ++ return -ENOMEM; ++ ++ skb_reserve(skb, NCI_DATA_HDR_SIZE + 1); + } + } while (i < data_len); + diff --git a/queue-4.2/nl80211-fix-potential-memory-leak-from-parse_acl_data.patch b/queue-4.2/nl80211-fix-potential-memory-leak-from-parse_acl_data.patch new file mode 100644 index 00000000000..0608adca818 --- /dev/null 
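Review bot: The per-fragment `nci_skb_alloc()` added in the second hunk of nci_hci_send_data() makes every chunk a separately owned skb, but the `return r` just above `i += len` is an error exit taken after a send whose skb ownership is not visible here; if the send routine does not consume the skb on failure, each failed send now leaks the skb allocated for that fragment, where the old code reused one buffer. A short comment on the new allocation, `/* only the first fragment carries data_type; later fragments get a fresh skb with headroom for the NCI data header and pipe byte */`, would capture the intent the changelog states and explain why the second reserve is `NCI_DATA_HDR_SIZE + 1` while the first is `+ 2` followed by a one-byte push. The function's signature, the declarations of `i` and `len`, and the send call itself are outside the hunk, so the ownership question has to be settled against those.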
+++ b/queue-4.2/nl80211-fix-potential-memory-leak-from-parse_acl_data.patch @@ -0,0 +1,50 @@ +From 4baf6bea37247e59f1971e8009d13aeda95edba2 Mon Sep 17 00:00:00 2001 +From: Ola Olsson +Date: Thu, 29 Oct 2015 07:04:58 +0100 +Subject: nl80211: Fix potential memory leak from parse_acl_data + +From: Ola Olsson + +commit 4baf6bea37247e59f1971e8009d13aeda95edba2 upstream. + +If parse_acl_data succeeds but the subsequent parsing of smps +attributes fails, there will be a memory leak due to early returns. +Fix that by moving the ACL parsing later. + +Fixes: 18998c381b19b ("cfg80211: allow requesting SMPS mode on ap start") +Signed-off-by: Ola Olsson +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/nl80211.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -3408,12 +3408,6 @@ static int nl80211_start_ap(struct sk_bu + wdev->iftype)) + return -EINVAL; + +- if (info->attrs[NL80211_ATTR_ACL_POLICY]) { +- params.acl = parse_acl_data(&rdev->wiphy, info); +- if (IS_ERR(params.acl)) +- return PTR_ERR(params.acl); +- } +- + if (info->attrs[NL80211_ATTR_SMPS_MODE]) { + params.smps_mode = + nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]); +@@ -3437,6 +3431,12 @@ static int nl80211_start_ap(struct sk_bu + params.smps_mode = NL80211_SMPS_OFF; + } + ++ if (info->attrs[NL80211_ATTR_ACL_POLICY]) { ++ params.acl = parse_acl_data(&rdev->wiphy, info); ++ if (IS_ERR(params.acl)) ++ return PTR_ERR(params.acl); ++ } ++ + wdev_lock(wdev); + err = rdev_start_ap(rdev, dev, ¶ms); + if (!err) { diff --git a/queue-4.2/series b/queue-4.2/series index 416148d1fd8..42ae20b1724 100644 --- a/queue-4.2/series +++ b/queue-4.2/series 
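Review bot: The relocated `parse_acl_data()` block in nl80211_start_ap() removes the leak past the SMPS early returns, but nothing in the code records that `params.acl` is an allocation that must survive every return between this point and wherever it is freed, so the next early return someone inserts between the ACL parse and `wdev_lock(wdev)` reintroduces the same leak. A one-line comment above the block, `/* parse_acl_data() allocates params.acl; keep this the last fallible step so no earlier error return can leak it */`, makes the ordering constraint visible to the next editor. The free of `params.acl` and the function's remaining error paths are outside the hunk, so whether an `rdev_start_ap()` failure releases it cannot be confirmed from here. The `¶ms` in the `rdev_start_ap()` context line looks like a rendering artifact of `&params`, not text in the patch.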
@@ -38,3 +38,56 @@ arm-at91-pm-at91_pm_suspend_in_sram-must-be-8-byte-aligned.patch arm-dts-fix-wlan-regression-on-omap5-uevm.patch arm-dts-sun6i-hummingbird-fix-vdd-cpu-and-vdd-gpu.patch arm-pxa-remove-incorrect-__init-annotation-on-pxa27x_set_pwrmode.patch +mips-lantiq-add-clk_round_rate.patch +mips-cdmm-add-builtin_mips_cdmm_driver-macro.patch +mips-ath79-fix-the-ddr-control-initialization-on-ar71xx-and-ar934x.patch +mips-kvm-fix-asid-restoration-logic.patch +mips-kvm-fix-cache-immediate-offset-sign-extension.patch +mips-kvm-uninit-vcpu-in-vcpu_create-error-path.patch +kvm-x86-set-kvm_req_event-when-updating-irr.patch +kvm-x86-zero-efer-on-init.patch +kvm-x86-add-read_phys-to-x86_emulate_ops.patch +kvm-x86-handle-smbase-as-physical-address-in-rsm.patch +kvm-x86-allow-rsm-from-64-bit-mode.patch +kvm-x86-obey-kvm_x86_quirk_cd_nw_cleared-in-kvm_set_cr0.patch +kvm-x86-work-around-infinite-loop-in-microcode-when-ac-is-delivered.patch +x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch +x86-setup-fix-low-identity-map-for-2gb-kernel-range.patch +x86-irq-probe-for-pic-presence-before-allocating-descs-for-legacy-irqs.patch +x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch +x86-cpu-fix-smap-check-in-pvops-environments.patch +x86-fpu-fix-get_xsave_addr-behavior-under-virtualization.patch +x86-fpu-fix-32-bit-signal-frame-handling.patch +x86-mpx-do-proper-get_user-when-running-32-bit-binaries-on-64-bit-kernels.patch +x86-mpx-fix-32-bit-address-space-calculation.patch +mac80211-fix-local-deauth-while-associating.patch +mac80211-fix-driver-rssi-event-calculations.patch +mac80211-allow-null-chandef-in-tracing.patch +mac80211-fix-divide-by-zero-when-noa-update.patch +nl80211-fix-potential-memory-leak-from-parse_acl_data.patch +nfc-nci-fix-incorrect-data-chaining-when-sending-data.patch +nfc-nci-fix-improper-management-of-hci-return-code.patch +nfc-nci-extract-pipe-value-using-nci_hcp_msg_get_pipe.patch 
+iwlwifi-pcie-fix-again-prepare-card-flow.patch +iwlwifi-add-new-pci-ids-for-the-8260-series.patch +net-mvneta-fix-cpu_map-registers-initialisation.patch +net-mvneta-fix-error-path-for-building-skb.patch +fs-proc-core-debug-don-t-expose-absolute-kernel-addresses-via-wchan.patch +clk-iproc-fix-pll-output-frequency-calculation.patch +clk-versatile-icst-fix-memory-leak.patch +mfd-twl6040-fix-deferred-probe-handling-for-clk32k.patch +mwifiex-fix-mwifiex_rdeeprom_read.patch +staging-rtl8712-add-device-id-for-sitecom-wla2100.patch +bluetooth-hidp-fix-device-disconnect-on-idle-timeout.patch +bluetooth-ath3k-add-new-ar3012-0930-021c-id.patch +bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch +bluetooth-fix-removing-connection-parameters-when-unpairing.patch +can-use-correct-type-in-sizeof-in-nla_put.patch +can-sja1000-clear-interrupts-on-start.patch +arm64-fix-compat-register-mappings.patch +arm64-page-align-sections-for-debug_rodata.patch +ath10k-use-station-s-current-operating-mode-from-assoc-request.patch +ath10k-fix-invalid-nss-for-4x4-devices.patch +kvm-s390-sca-must-not-cross-page-boundaries.patch +kvm-s390-fix-wrong-lookup-of-vcpus-by-array-index.patch +kvm-s390-avoid-memory-overwrites-on-emergency-signal-injection.patch diff --git a/queue-4.2/staging-rtl8712-add-device-id-for-sitecom-wla2100.patch b/queue-4.2/staging-rtl8712-add-device-id-for-sitecom-wla2100.patch new file mode 100644 index 00000000000..8b445242522 --- /dev/null +++ b/queue-4.2/staging-rtl8712-add-device-id-for-sitecom-wla2100.patch 
@@ -0,0 +1,31 @@ +From 1e6e63283691a2a9048a35d9c6c59cf0abd342e4 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Sun, 18 Oct 2015 22:14:48 -0500 +Subject: staging: rtl8712: Add device ID for Sitecom WLA2100 + +From: Larry Finger + +commit 1e6e63283691a2a9048a35d9c6c59cf0abd342e4 upstream. + +This adds the USB ID for the Sitecom WLA2100. The Windows 10 inf file +was checked to verify that the addition is correct. + +Reported-by: Frans van de Wiel +Signed-off-by: Larry Finger +Cc: Frans van de Wiel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8712/usb_intf.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/staging/rtl8712/usb_intf.c ++++ b/drivers/staging/rtl8712/usb_intf.c +@@ -144,6 +144,7 @@ static struct usb_device_id rtl871x_usb_ + {USB_DEVICE(0x0DF6, 0x0058)}, + {USB_DEVICE(0x0DF6, 0x0049)}, + {USB_DEVICE(0x0DF6, 0x004C)}, ++ {USB_DEVICE(0x0DF6, 0x006C)}, + {USB_DEVICE(0x0DF6, 0x0064)}, + /* Skyworth */ + {USB_DEVICE(0x14b2, 0x3300)}, diff --git a/queue-4.2/x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch b/queue-4.2/x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch new file mode 100644 index 00000000000..312f4df8ede --- /dev/null +++ b/queue-4.2/x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch 
@@ -0,0 +1,118 @@ +From 04633df0c43d710e5f696b06539c100898678235 Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Thu, 5 Nov 2015 16:57:56 +0100 +Subject: x86/cpu: Call verify_cpu() after having entered long mode too + +From: Borislav Petkov + +commit 04633df0c43d710e5f696b06539c100898678235 upstream. + +When we get loaded by a 64-bit bootloader, kernel entry point is +startup_64 in head_64.S. We don't trust any and all bootloaders because +some will fiddle with CPU configuration so we go ahead and massage each +CPU into sanity again. + +For example, some dell BIOSes have this XD disable feature which set +IA32_MISC_ENABLE[34] and disable NX. This might be some dumb workaround +for other OSes but Linux sure doesn't need it. + +A similar thing is present in the Surface 3 firmware - see +https://bugzilla.kernel.org/show_bug.cgi?id=106051 - which sets this bit +only on the BSP: + + # rdmsr -a 0x1a0 + 400850089 + 850089 + 850089 + 850089 + +I know, right?! + +There's not even an off switch in there. + +So fix all those cases by sanitizing the 64-bit entry point too. For +that, make verify_cpu() callable in 64-bit mode also. + +Requested-and-debugged-by: "H. Peter Anvin" +Reported-and-tested-by: Bastien Nocera +Signed-off-by: Borislav Petkov +Cc: Matt Fleming +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/1446739076-21303-1-git-send-email-bp@alien8.de +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/head_64.S | 8 ++++++++ + arch/x86/kernel/verify_cpu.S | 12 +++++++----- + 2 files changed, 15 insertions(+), 5 deletions(-) + +--- a/arch/x86/kernel/head_64.S ++++ b/arch/x86/kernel/head_64.S +@@ -65,6 +65,9 @@ startup_64: + * tables and then reload them. + */ + ++ /* Sanitize CPU configuration */ ++ call verify_cpu ++ + /* + * Compute the delta between the address I am compiled to run at and the + * address I am actually running at. 
+@@ -174,6 +177,9 @@ ENTRY(secondary_startup_64) + * after the boot processor executes this code. + */ + ++ /* Sanitize CPU configuration */ ++ call verify_cpu ++ + movq $(init_level4_pgt - __START_KERNEL_map), %rax + 1: + +@@ -288,6 +294,8 @@ ENTRY(secondary_startup_64) + pushq %rax # target address in negative space + lretq + ++#include "verify_cpu.S" ++ + #ifdef CONFIG_HOTPLUG_CPU + /* + * Boot CPU0 entry point. It's called from play_dead(). Everything has been set +--- a/arch/x86/kernel/verify_cpu.S ++++ b/arch/x86/kernel/verify_cpu.S +@@ -34,10 +34,11 @@ + #include + + verify_cpu: +- pushfl # Save caller passed flags +- pushl $0 # Kill any dangerous flags +- popfl ++ pushf # Save caller passed flags ++ push $0 # Kill any dangerous flags ++ popf + ++#ifndef __x86_64__ + pushfl # standard way to check for cpuid + popl %eax + movl %eax,%ebx +@@ -48,6 +49,7 @@ verify_cpu: + popl %eax + cmpl %eax,%ebx + jz verify_cpu_no_longmode # cpu has no cpuid ++#endif + + movl $0x0,%eax # See if cpuid 1 is implemented + cpuid +@@ -130,10 +132,10 @@ verify_cpu_sse_test: + jmp verify_cpu_sse_test # try again + + verify_cpu_no_longmode: +- popfl # Restore caller passed flags ++ popf # Restore caller passed flags + movl $1,%eax + ret + verify_cpu_sse_ok: +- popfl # Restore caller passed flags ++ popf # Restore caller passed flags + xorl %eax, %eax + ret diff --git a/queue-4.2/x86-cpu-fix-smap-check-in-pvops-environments.patch b/queue-4.2/x86-cpu-fix-smap-check-in-pvops-environments.patch new file mode 100644 index 00000000000..27cbc29e33a --- /dev/null +++ b/queue-4.2/x86-cpu-fix-smap-check-in-pvops-environments.patch 
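Review bot: The two new `call verify_cpu` sites in head_64.S give no indication of which registers verify_cpu clobbers or that it needs a usable stack, yet startup_64 is entered directly from the bootloader with register and stack state the rest of the entry path (outside the hunk) relies on. A comment at each call site such as `/* Sanitize CPU configuration; needs a valid stack, clobbers only the registers listed in verify_cpu.S */`, backed by an explicit clobber list in verify_cpu.S's header, lets a reader confirm the call does not disturb state startup_64 and secondary_startup_64 still need afterwards. The `pushf`/`push $0`/`popf` rewrite makes the flag save operand-size dependent, which is what lets one source serve both modes; a comment on the `#ifndef __x86_64__` block noting that the `pushfl`/`popl %eax` CPUID-presence test stays 32-bit-only because long mode already implies CPUID would save the next reader the inference. Re-running the checks on the 64-bit path is a sound hardening step: it stops a firmware-disabled NX from silently reaching the running kernel.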
@@ -0,0 +1,54 @@ +From 581b7f158fe0383b492acd1ce3fb4e99d4e57808 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Wed, 3 Jun 2015 10:31:14 +0100 +Subject: x86/cpu: Fix SMAP check in PVOPS environments + +From: Andrew Cooper + +commit 581b7f158fe0383b492acd1ce3fb4e99d4e57808 upstream. + +There appears to be no formal statement of what pv_irq_ops.save_fl() is +supposed to return precisely. Native returns the full flags, while lguest and +Xen only return the Interrupt Flag, and both have comments by the +implementations stating that only the Interrupt Flag is looked at. This may +have been true when initially implemented, but no longer is. + +To make matters worse, the Xen PVOP leaves the upper bits undefined, making +the BUG_ON() undefined behaviour. Experimentally, this now trips for 32bit PV +guests on Broadwell hardware. The BUG_ON() is consistent for an individual +build, but not consistent for all builds. It has also been a sitting timebomb +since SMAP support was introduced. + +Use native_save_fl() instead, which will obtain an accurate view of the AC +flag. + +Signed-off-by: Andrew Cooper +Reviewed-by: David Vrabel +Tested-by: Rusty Russell +Cc: Rusty Russell +Cc: Konrad Rzeszutek Wilk +Cc: Boris Ostrovsky +Cc: +Cc: Xen-devel +Link: http://lkml.kernel.org/r/1433323874-6927-1-git-send-email-andrew.cooper3@citrix.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/common.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -272,10 +272,9 @@ __setup("nosmap", setup_disable_smap); + + static __always_inline void setup_smap(struct cpuinfo_x86 *c) + { +- unsigned long eflags; ++ unsigned long eflags = native_save_fl(); + + /* This should have been cleared long ago */ +- raw_local_save_flags(eflags); + BUG_ON(eflags & X86_EFLAGS_AC); + + if (cpu_has(c, X86_FEATURE_SMAP)) { 
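Review bot: The new `unsigned long eflags = native_save_fl();` in setup_smap() carries no explanation of why the paravirt-aware `raw_local_save_flags()` was wrong, so a future cleanup is likely to switch it back. The reason from the changelog belongs in the code, e.g. `/* native_save_fl(): pv_irq_ops.save_fl() may return only IF and leave AC undefined, which made this BUG_ON() nondeterministic under Xen PV */`. The existing `/* This should have been cleared long ago */` then reads as describing the AC check rather than the read.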
diff --git a/queue-4.2/x86-fpu-fix-32-bit-signal-frame-handling.patch b/queue-4.2/x86-fpu-fix-32-bit-signal-frame-handling.patch new file mode 100644 index 00000000000..37156da6ce8 --- /dev/null +++ b/queue-4.2/x86-fpu-fix-32-bit-signal-frame-handling.patch 
@@ -0,0 +1,105 @@ +From ab6b52947545a5355154f64f449f97af9d05845f Mon Sep 17 00:00:00 2001 +From: Dave Hansen +Date: Tue, 10 Nov 2015 16:23:54 -0800 +Subject: x86/fpu: Fix 32-bit signal frame handling + +From: Dave Hansen + +commit ab6b52947545a5355154f64f449f97af9d05845f upstream. + +(This should have gone to LKML originally. Sorry for the extra + noise, folks on the cc.) + +Background: + +Signal frames on x86 have two formats: + + 1. For 32-bit executables (whether on a real 32-bit kernel or + under 32-bit emulation on a 64-bit kernel) we have a + 'fpregset_t' that includes the "FSAVE" registers. + + 2. For 64-bit executables (on 64-bit kernels obviously), the + 'fpregset_t' is smaller and does not contain the "FSAVE" + state. + +When creating the signal frame, we have to be aware of whether +we are running a 32 or 64-bit executable so we create the +correct format signal frame. + +Problem: + +save_xstate_epilog() uses 'fx_sw_reserved_ia32' whenever it is +called for a 32-bit executable. This is for real 32-bit and +ia32 emulation. + +But, fpu__init_prepare_fx_sw_frame() only initializes +'fx_sw_reserved_ia32' when emulation is enabled, *NOT* for real +32-bit kernels. + +This leads to really wierd situations where 32-bit programs +lose their extended state when returning from a signal handler. +The kernel copies the uninitialized (zero) 'fx_sw_reserved_ia32' +out to userspace in save_xstate_epilog(). But when returning +from the signal, the kernel errors out in check_for_xstate() +when it does not see FP_XSTATE_MAGIC1 present (because it was +zeroed). This leads to the FPU/XSAVE state being initialized. + +For MPX, this leads to the most permissive state and means we +silently lose bounds violations. I think this would also mean +that we could lose *ANY* FPU/SSE/AVX state. I'm not sure why +no one has spotted this bug. + +I believe this was broken by: + + 72a671ced66d ("x86, fpu: Unify signal handling code paths for x86 and x86_64 kernels") + +way back in 2012. 
+ +Signed-off-by: Dave Hansen +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: dave@sr71.net +Cc: fenghua.yu@intel.com +Cc: yu-cheng.yu@intel.com +Link: http://lkml.kernel.org/r/20151111002354.A0799571@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/fpu/signal.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/arch/x86/kernel/fpu/signal.c ++++ b/arch/x86/kernel/fpu/signal.c +@@ -385,20 +385,19 @@ fpu__alloc_mathframe(unsigned long sp, i + */ + void fpu__init_prepare_fx_sw_frame(void) + { +- int fsave_header_size = sizeof(struct fregs_state); + int size = xstate_size + FP_XSTATE_MAGIC2_SIZE; + +- if (config_enabled(CONFIG_X86_32)) +- size += fsave_header_size; +- + fx_sw_reserved.magic1 = FP_XSTATE_MAGIC1; + fx_sw_reserved.extended_size = size; + fx_sw_reserved.xfeatures = xfeatures_mask; + fx_sw_reserved.xstate_size = xstate_size; + +- if (config_enabled(CONFIG_IA32_EMULATION)) { ++ if (config_enabled(CONFIG_IA32_EMULATION) || ++ config_enabled(CONFIG_X86_32)) { ++ int fsave_header_size = sizeof(struct fregs_state); ++ + fx_sw_reserved_ia32 = fx_sw_reserved; +- fx_sw_reserved_ia32.extended_size += fsave_header_size; ++ fx_sw_reserved_ia32.extended_size = size + fsave_header_size; + } + } + diff --git a/queue-4.2/x86-fpu-fix-get_xsave_addr-behavior-under-virtualization.patch b/queue-4.2/x86-fpu-fix-get_xsave_addr-behavior-under-virtualization.patch new file mode 100644 index 00000000000..bc1d4f1804f --- /dev/null +++ b/queue-4.2/x86-fpu-fix-get_xsave_addr-behavior-under-virtualization.patch 
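Review bot: With this change `fx_sw_reserved.extended_size` on CONFIG_X86_32 no longer includes the FSAVE header — only the `fx_sw_reserved_ia32` copy does — and the code does not say that a 32-bit kernel is expected to consume only the `_ia32` variant, which is the assumption that makes the change safe. A comment above the new condition, `/* real 32-bit kernels and ia32 emulation both build the FSAVE-prefixed frame; only fx_sw_reserved_ia32 is consulted for them */`, documents the invariant the fix depends on. The consumer (`save_xstate_epilog()` per the changelog) is outside the hunk, so the claim that no 64-bit-format frame is built on X86_32 should be checked against it. Minor: `int fsave_header_size = sizeof(struct fregs_state);` narrows a `size_t` silently; `unsigned int` or `size_t` would match the operand.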
@@ -0,0 +1,51 @@ +From a05917b6ba9dc9a95fc42bdcbe3a875e8ad83935 Mon Sep 17 00:00:00 2001 +From: Huaitong Han +Date: Fri, 6 Nov 2015 17:00:23 +0800 +Subject: x86/fpu: Fix get_xsave_addr() behavior under virtualization + +From: Huaitong Han + +commit a05917b6ba9dc9a95fc42bdcbe3a875e8ad83935 upstream. + +KVM uses the get_xsave_addr() function in a different fashion from +the native kernel, in that the 'xsave' parameter belongs to guest vcpu, +not the currently running task. + +But 'xsave' is replaced with current task's (host) xsave structure, so +get_xsave_addr() will incorrectly return the bad xsave address to KVM. + +Fix it so that the passed in 'xsave' address is used - as intended +originally. + +Signed-off-by: Huaitong Han +Reviewed-by: Dave Hansen +Cc: Andy Lutomirski +Cc: Paolo Bonzini +Cc: Borislav Petkov +Cc: Fenghua Yu +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Oleg Nesterov +Cc: Peter Zijlstra +Cc: Quentin Casasnovas +Cc: Thomas Gleixner +Cc: dave.hansen@intel.com +Link: http://lkml.kernel.org/r/1446800423-21622-1-git-send-email-huaitong.han@intel.com +[ Tidied up the changelog. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/fpu/xstate.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/x86/kernel/fpu/xstate.c ++++ b/arch/x86/kernel/fpu/xstate.c +@@ -402,7 +402,6 @@ void *get_xsave_addr(struct xregs_state + if (!boot_cpu_has(X86_FEATURE_XSAVE)) + return NULL; + +- xsave = ¤t->thread.fpu.state.xsave; + /* + * We should not ever be requesting features that we + * have not enabled. Remember that pcntxt_mask is diff --git a/queue-4.2/x86-irq-probe-for-pic-presence-before-allocating-descs-for-legacy-irqs.patch b/queue-4.2/x86-irq-probe-for-pic-presence-before-allocating-descs-for-legacy-irqs.patch new file mode 100644 index 00000000000..a490001ae8d --- /dev/null +++ b/queue-4.2/x86-irq-probe-for-pic-presence-before-allocating-descs-for-legacy-irqs.patch 
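Review bot: Removing the `xsave = &current->thread.fpu.state.xsave;` override (rendered here as `¤t`, an artifact of `&current`) changes get_xsave_addr()'s contract from "always the current task's area" to "whatever the caller passes", and the function's kerneldoc, which is outside the hunk, should say so. A line such as `@xsave: the xsave area to index; need not belong to current (KVM passes a guest vcpu's area)` turns the KVM usage the changelog describes into a documented use rather than a side effect of the deletion. Any caller that relied on the override to paper over a stale or NULL `xsave` argument would now dereference it, so an audit of in-tree callers is worth recording in the commit; none are visible here.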
@@ -0,0 +1,144 @@ +From 8c058b0b9c34d8c8d7912880956543769323e2d8 Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Tue, 3 Nov 2015 10:40:14 +0100 +Subject: x86/irq: Probe for PIC presence before allocating descs for legacy IRQs + +From: Vitaly Kuznetsov + +commit 8c058b0b9c34d8c8d7912880956543769323e2d8 upstream. + +Commit d32932d02e18 ("x86/irq: Convert IOAPIC to use hierarchical irqdomain +interfaces") brought a regression for Hyper-V Gen2 instances. These +instances don't have i8259 legacy PIC but they use legacy IRQs for serial +port, rtc, and acpi. With this commit included we end up with these IRQs +not initialized. Earlier, there was a special workaround for legacy IRQs +in mp_map_pin_to_irq() doing mp_irqdomain_map() without looking at +nr_legacy_irqs() and now we fail in __irq_domain_alloc_irqs() when +irq_domain_alloc_descs() returns -EEXIST. + +The essence of the issue seems to be that early_irq_init() calls +arch_probe_nr_irqs() to figure out the number of legacy IRQs before +we probe for i8259 and gets 16. Later when init_8259A() is called we switch +to NULL legacy PIC and nr_legacy_irqs() starts to return 0 but we already +have 16 descs allocated. + +Solve the issue by separating i8259 probe from init and calling it in +arch_probe_nr_irqs() before we actually use nr_legacy_irqs() information. + +Fixes: d32932d02e18 ("x86/irq: Convert IOAPIC to use hierarchical irqdomain interfaces") +Signed-off-by: Vitaly Kuznetsov +Cc: Jiang Liu +Cc: K. Y. 
Srinivasan +Link: http://lkml.kernel.org/r/1446543614-3621-1-git-send-email-vkuznets@redhat.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/i8259.h | 1 + + arch/x86/kernel/apic/vector.c | 6 +++++- + arch/x86/kernel/i8259.c | 29 +++++++++++++++++++++-------- + 3 files changed, 27 insertions(+), 9 deletions(-) + +--- a/arch/x86/include/asm/i8259.h ++++ b/arch/x86/include/asm/i8259.h +@@ -60,6 +60,7 @@ struct legacy_pic { + void (*mask_all)(void); + void (*restore_mask)(void); + void (*init)(int auto_eoi); ++ int (*probe)(void); + int (*irq_pending)(unsigned int irq); + void (*make_irq)(unsigned int irq); + }; +--- a/arch/x86/kernel/apic/vector.c ++++ b/arch/x86/kernel/apic/vector.c +@@ -360,7 +360,11 @@ int __init arch_probe_nr_irqs(void) + if (nr < nr_irqs) + nr_irqs = nr; + +- return nr_legacy_irqs(); ++ /* ++ * We don't know if PIC is present at this point so we need to do ++ * probe() to get the right number of legacy IRQs. ++ */ ++ return legacy_pic->probe(); + } + + #ifdef CONFIG_X86_IO_APIC +--- a/arch/x86/kernel/i8259.c ++++ b/arch/x86/kernel/i8259.c +@@ -295,16 +295,11 @@ static void unmask_8259A(void) + raw_spin_unlock_irqrestore(&i8259A_lock, flags); + } + +-static void init_8259A(int auto_eoi) ++static int probe_8259A(void) + { + unsigned long flags; + unsigned char probe_val = ~(1 << PIC_CASCADE_IR); + unsigned char new_val; +- +- i8259A_auto_eoi = auto_eoi; +- +- raw_spin_lock_irqsave(&i8259A_lock, flags); +- + /* + * Check to see if we have a PIC. + * Mask all except the cascade and read +@@ -312,16 +307,28 @@ static void init_8259A(int auto_eoi) + * have a PIC, we will read 0xff as opposed to the + * value we wrote. 
+ */ ++ raw_spin_lock_irqsave(&i8259A_lock, flags); ++ + outb(0xff, PIC_SLAVE_IMR); /* mask all of 8259A-2 */ + outb(probe_val, PIC_MASTER_IMR); + new_val = inb(PIC_MASTER_IMR); + if (new_val != probe_val) { + printk(KERN_INFO "Using NULL legacy PIC\n"); + legacy_pic = &null_legacy_pic; +- raw_spin_unlock_irqrestore(&i8259A_lock, flags); +- return; + } + ++ raw_spin_unlock_irqrestore(&i8259A_lock, flags); ++ return nr_legacy_irqs(); ++} ++ ++static void init_8259A(int auto_eoi) ++{ ++ unsigned long flags; ++ ++ i8259A_auto_eoi = auto_eoi; ++ ++ raw_spin_lock_irqsave(&i8259A_lock, flags); ++ + outb(0xff, PIC_MASTER_IMR); /* mask all of 8259A-1 */ + + /* +@@ -379,6 +386,10 @@ static int legacy_pic_irq_pending_noop(u + { + return 0; + } ++static int legacy_pic_probe(void) ++{ ++ return 0; ++} + + struct legacy_pic null_legacy_pic = { + .nr_legacy_irqs = 0, +@@ -388,6 +399,7 @@ struct legacy_pic null_legacy_pic = { + .mask_all = legacy_pic_noop, + .restore_mask = legacy_pic_noop, + .init = legacy_pic_int_noop, ++ .probe = legacy_pic_probe, + .irq_pending = legacy_pic_irq_pending_noop, + .make_irq = legacy_pic_uint_noop, + }; +@@ -400,6 +412,7 @@ struct legacy_pic default_legacy_pic = { + .mask_all = mask_8259A, + .restore_mask = unmask_8259A, + .init = init_8259A, ++ .probe = probe_8259A, + .irq_pending = i8259A_irq_pending, + .make_irq = make_8259A_irq, + }; diff --git a/queue-4.2/x86-mpx-do-proper-get_user-when-running-32-bit-binaries-on-64-bit-kernels.patch b/queue-4.2/x86-mpx-do-proper-get_user-when-running-32-bit-binaries-on-64-bit-kernels.patch new file mode 100644 index 00000000000..fde5d057ca2 --- /dev/null +++ b/queue-4.2/x86-mpx-do-proper-get_user-when-running-32-bit-binaries-on-64-bit-kernels.patch 
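Review bot: After this split, init_8259A() programs the controller unconditionally and relies on probe_8259A() having already switched `legacy_pic` to `null_legacy_pic` when the hardware is absent, but neither the new `int (*probe)(void);` member in i8259.h nor init_8259A() states that ordering. A comment on the header field, `int (*probe)(void); /* must run before init(); may switch legacy_pic to null_legacy_pic; returns nr_legacy_irqs() */`, records the dependency that the new `legacy_pic->probe()` call in arch_probe_nr_irqs() is presumably meant to satisfy. probe_8259A() now leaves the master and slave IMRs at the probe values on the success path where the old code continued under the same lock; init_8259A() re-masks the master right after taking the lock, so this looks harmless, but a short comment saying the probe writes are intentionally left in place would pre-empt the question. Calling probe twice would repeat the port I/O but is otherwise idempotent on the visible code.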
@@ -0,0 +1,90 @@ +From 46561c3959d6307d22139c24cd0bf196162e5681 Mon Sep 17 00:00:00 2001 +From: Dave Hansen +Date: Wed, 11 Nov 2015 10:19:31 -0800 +Subject: x86/mpx: Do proper get_user() when running 32-bit binaries on 64-bit kernels + +From: Dave Hansen + +commit 46561c3959d6307d22139c24cd0bf196162e5681 upstream. + +When you call get_user(foo, bar), you effectively do a + + copy_from_user(&foo, bar, sizeof(*bar)); + +Note that the sizeof() is implicit. + +When we reach out to userspace to try to zap an entire "bounds +table" we need to go read a "bounds directory entry" in order to +locate the table's address. The size of a "directory entry" +depends on the binary being run and is always the size of a +pointer. + +But, when we have a 64-bit kernel and a 32-bit application, the +directory entry is still only 32-bits long, but we fetch it with +a 64-bit pointer which makes get_user() does a 64-bit fetch. +Reading 4 extra bytes isn't harmful, unless we are at the end of +and run off the table. It might also cause the zero page to get +faulted in unnecessarily even if you are not at the end. + +Fix it up by doing a special 32-bit get_user() via a cast when +we have 32-bit userspace. + +Signed-off-by: Dave Hansen +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Dave Hansen +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20151111181931.3ACF6822@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/mpx.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +--- a/arch/x86/mm/mpx.c ++++ b/arch/x86/mm/mpx.c +@@ -622,6 +622,29 @@ static unsigned long mpx_bd_entry_to_bt_ + } + + /* ++ * We only want to do a 4-byte get_user() on 32-bit. Otherwise, ++ * we might run off the end of the bounds table if we are on ++ * a 64-bit kernel and try to get 8 bytes. 
++ */ ++int get_user_bd_entry(struct mm_struct *mm, unsigned long *bd_entry_ret, ++ long __user *bd_entry_ptr) ++{ ++ u32 bd_entry_32; ++ int ret; ++ ++ if (is_64bit_mm(mm)) ++ return get_user(*bd_entry_ret, bd_entry_ptr); ++ ++ /* ++ * Note that get_user() uses the type of the *pointer* to ++ * establish the size of the get, not the destination. ++ */ ++ ret = get_user(bd_entry_32, (u32 __user *)bd_entry_ptr); ++ *bd_entry_ret = bd_entry_32; ++ return ret; ++} ++ ++/* + * Get the base of bounds tables pointed by specific bounds + * directory entry. + */ +@@ -641,7 +664,7 @@ static int get_bt_addr(struct mm_struct + int need_write = 0; + + pagefault_disable(); +- ret = get_user(bd_entry, bd_entry_ptr); ++ ret = get_user_bd_entry(mm, &bd_entry, bd_entry_ptr); + pagefault_enable(); + if (!ret) + break; diff --git a/queue-4.2/x86-mpx-fix-32-bit-address-space-calculation.patch b/queue-4.2/x86-mpx-fix-32-bit-address-space-calculation.patch new file mode 100644 index 00000000000..dac2327324f --- /dev/null +++ b/queue-4.2/x86-mpx-fix-32-bit-address-space-calculation.patch 
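Review bot: `get_user_bd_entry()` is defined without `static` although its only visible caller is the file-local `get_bt_addr()` and no header declaration is added, so it leaks into the kernel namespace and will draw a missing-prototype warning; `static int get_user_bd_entry(struct mm_struct *mm, unsigned long *bd_entry_ret, long __user *bd_entry_ptr)` is the fix. The narrow 4-byte fetch for a non-64-bit mm is the right defensive behaviour — it stops the 8-byte `get_user()` from reading past the end of a 32-bit bounds directory — and the comment on the `(u32 __user *)` cast explains the mechanism well. A kerneldoc line stating that `*bd_entry_ret` is zero-extended from 32 bits for 32-bit mms would complete the contract.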
@@ -0,0 +1,81 @@ +From f3119b830264d89d216bfb378ab65065dffa02d9 Mon Sep 17 00:00:00 2001 +From: Dave Hansen +Date: Wed, 11 Nov 2015 10:19:34 -0800 +Subject: x86/mpx: Fix 32-bit address space calculation + +From: Dave Hansen + +commit f3119b830264d89d216bfb378ab65065dffa02d9 upstream. + +I received a bug report that running 32-bit MPX binaries on +64-bit kernels was broken. I traced it down to this little code +snippet. We were switching our "number of bounds directory +entries" calculation correctly. But, we didn't switch the other +side of the calculation: the virtual space size. + +This meant that we were calculating an absurd size for +bd_entry_virt_space() on 32-bit because we used the 64-bit +virt_space. + +This was _also_ broken for 32-bit kernels running on 64-bit +hardware since boot_cpu_data.x86_virt_bits=48 even when running +in 32-bit mode. + +Correct that and properly handle all 3 possible cases: + + 1. 32-bit binary on 64-bit kernel + 2. 64-bit binary on 64-bit kernel + 3. 32-bit binary on 32-bit kernel + +This manifested in having bounds tables not properly unmapped. +It "leaked" memory but had no functional impact otherwise. + +Signed-off-by: Dave Hansen +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Dave Hansen +Cc: Denys Vlasenko +Cc: H. 
Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20151111181934.FA7FAC34@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/mpx.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +--- a/arch/x86/mm/mpx.c ++++ b/arch/x86/mm/mpx.c +@@ -759,11 +759,23 @@ static unsigned long mpx_get_bt_entry_of + */ + static inline unsigned long bd_entry_virt_space(struct mm_struct *mm) + { +- unsigned long long virt_space = (1ULL << boot_cpu_data.x86_virt_bits); +- if (is_64bit_mm(mm)) +- return virt_space / MPX_BD_NR_ENTRIES_64; +- else +- return virt_space / MPX_BD_NR_ENTRIES_32; ++ unsigned long long virt_space; ++ unsigned long long GB = (1ULL << 30); ++ ++ /* ++ * This covers 32-bit emulation as well as 32-bit kernels ++ * running on 64-bit harware. ++ */ ++ if (!is_64bit_mm(mm)) ++ return (4ULL * GB) / MPX_BD_NR_ENTRIES_32; ++ ++ /* ++ * 'x86_virt_bits' returns what the hardware is capable ++ * of, and returns the full >32-bit adddress space when ++ * running 32-bit kernels on 64-bit hardware. ++ */ ++ virt_space = (1ULL << boot_cpu_data.x86_virt_bits); ++ return virt_space / MPX_BD_NR_ENTRIES_64; + } + + /* diff --git a/queue-4.2/x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch b/queue-4.2/x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch new file mode 100644 index 00000000000..ccc3e077375 --- /dev/null +++ b/queue-4.2/x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch 
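Review bot: The new local `unsigned long long GB = (1ULL << 30);` in bd_entry_virt_space() uses an upper-case name for a mutable automatic variable, which reads as a macro; `const unsigned long long gb = 1ULL << 30;` (or an existing kernel size constant if the file already includes one) matches the surrounding style. The two new comments have typos, `harware` and `adddress`, and the second says `'x86_virt_bits' returns` where it is a field rather than a function; `boot_cpu_data.x86_virt_bits reports what the hardware can address, which is the full >32-bit space even on 32-bit kernels on 64-bit hardware` would be accurate. Sizing the 32-bit case from a fixed 4 GB rather than the hardware width is consistent with the changelog's point that the directory size must follow the binary's address space, not the CPU's.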
@@ -0,0 +1,112 @@
+From f5f3497cad8c8416a74b9aaceb127908755d020a Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Wed, 14 Oct 2015 13:30:45 +0200
+Subject: x86/setup: Extend low identity map to cover whole kernel range
+
+From: Paolo Bonzini
+
+commit f5f3497cad8c8416a74b9aaceb127908755d020a upstream.
+
+On 32-bit systems, the initial_page_table is reused by
+efi_call_phys_prolog as an identity map to call
+SetVirtualAddressMap. efi_call_phys_prolog takes care of
+converting the current CPU's GDT to a physical address too.
+
+For PAE kernels the identity mapping is achieved by aliasing the
+first PDPE for the kernel memory mapping into the first PDPE
+of initial_page_table. This makes the EFI stub's trick "just work".
+
+However, for non-PAE kernels there is no guarantee that the identity
+mapping in the initial_page_table extends as far as the GDT; in this
+case, accesses to the GDT will cause a page fault (which quickly becomes
+a triple fault). Fix this by copying the kernel mappings from
+swapper_pg_dir to initial_page_table twice, both at PAGE_OFFSET and at
+identity mapping.
+
+For some reason, this is only reproducible with QEMU's dynamic translation
+mode, and not for example with KVM. However, even under KVM one can clearly
+see that the page table is bogus:
+
+ $ qemu-system-i386 -pflash OVMF.fd -M q35 vmlinuz0 -s -S -daemonize
+ $ gdb
+ (gdb) target remote localhost:1234
+ (gdb) hb *0x02858f6f
+ Hardware assisted breakpoint 1 at 0x2858f6f
+ (gdb) c
+ Continuing.
+
+ Breakpoint 1, 0x02858f6f in ?? ()
+ (gdb) monitor info registers
+ ...
+ GDT= 0724e000 000000ff
+ IDT= fffbb000 000007ff
+ CR0=0005003b CR2=ff896000 CR3=032b7000 CR4=00000690
+ ...
+
+The page directory is sane:
+
+ (gdb) x/4wx 0x32b7000
+ 0x32b7000: 0x03398063 0x03399063 0x0339a063 0x0339b063
+ (gdb) x/4wx 0x3398000
+ 0x3398000: 0x00000163 0x00001163 0x00002163 0x00003163
+ (gdb) x/4wx 0x3399000
+ 0x3399000: 0x00400003 0x00401003 0x00402003 0x00403003
+
+but our particular page directory entry is empty:
+
+ (gdb) x/1wx 0x32b7000 + (0x724e000 >> 22) * 4
+ 0x32b7070: 0x00000000
+
+[ It appears that you can skate past this issue if you don't receive
+ any interrupts while the bogus GDT pointer is loaded, or if you avoid
+ reloading the segment registers in general.
+
+ Andy Lutomirski provides some additional insight:
+
+ "AFAICT it's entirely permissible for the GDTR and/or LDT
+ descriptor to point to unmapped memory. Any attempt to use them
+ (segment loads, interrupts, IRET, etc) will try to access that memory
+ as if the access came from CPL 0 and, if the access fails, will
+ generate a valid page fault with CR2 pointing into the GDT or
+ LDT."
+
+ Up until commit 23a0d4e8fa6d ("efi: Disable interrupts around EFI
+ calls, not in the epilog/prolog calls") interrupts were disabled
+ around the prolog and epilog calls, and the functional GDT was
+ re-installed before interrupts were re-enabled.
+
+ Which explains why no one has hit this issue until now. ]
+
+Signed-off-by: Paolo Bonzini
+Reported-by: Laszlo Ersek
+Cc:
+Cc: Borislav Petkov
+Cc: "H. Peter Anvin"
+Cc: Thomas Gleixner
+Cc: Ingo Molnar
+Cc: Andy Lutomirski
+Signed-off-by: Matt Fleming
+[ Updated changelog. ]
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/setup.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1198,6 +1198,14 @@ void __init setup_arch(char **cmdline_p)
+ clone_pgd_range(initial_page_table + KERNEL_PGD_BOUNDARY,
+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
+ KERNEL_PGD_PTRS);
++
++ /*
++ * sync back low identity map too. It is used for example
++ * in the 32-bit EFI stub.
++ */
++ clone_pgd_range(initial_page_table,
++ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
++ KERNEL_PGD_PTRS);
+ #endif
+
+ tboot_probe();
diff --git a/queue-4.2/x86-setup-fix-low-identity-map-for-2gb-kernel-range.patch b/queue-4.2/x86-setup-fix-low-identity-map-for-2gb-kernel-range.patch
new file mode 100644
index 00000000000..e4d1c874355
--- /dev/null
+++ b/queue-4.2/x86-setup-fix-low-identity-map-for-2gb-kernel-range.patch
@@ -0,0 +1,41 @@
+From 68accac392d859d24adcf1be3a90e41f978bd54c Mon Sep 17 00:00:00 2001
+From: Krzysztof Mazur
+Date: Fri, 6 Nov 2015 14:18:36 +0100
+Subject: x86/setup: Fix low identity map for >= 2GB kernel range
+
+From: Krzysztof Mazur
+
+commit 68accac392d859d24adcf1be3a90e41f978bd54c upstream.
+
+The commit f5f3497cad8c extended the low identity mapping. However, if
+the kernel uses more than 2 GB (VMSPLIT_2G_OPT or VMSPLIT_1G memory
+split), the normal memory mapping is overwritten by the low identity
+mapping causing a crash. To avoid overwritting, limit the low identity
+map to cover only memory before kernel range (PAGE_OFFSET).
+
+Fixes: f5f3497cad8c "x86/setup: Extend low identity map to cover whole kernel range
+Signed-off-by: Krzysztof Mazur
+Cc: Andy Lutomirski
+Cc: Borislav Petkov
+Cc: Laszlo Ersek
+Cc: Matt Fleming
+Cc: Paolo Bonzini
+Link: http://lkml.kernel.org/r/1446815916-22105-1-git-send-email-krzysiek@podlesie.net
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1205,7 +1205,7 @@ void __init setup_arch(char **cmdline_p)
+ */
+ clone_pgd_range(initial_page_table,
+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
+- KERNEL_PGD_PTRS);
++ min(KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
+ #endif
+
+ tboot_probe();
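Review bot: The added clone_pgd_range() copies KERNEL_PGD_PTRS entries starting at initial_page_table[0], which overlaps the kernel mapping the preceding call just placed at index KERNEL_PGD_BOUNDARY whenever KERNEL_PGD_PTRS exceeds KERNEL_PGD_BOUNDARY (PAGE_OFFSET below 2 GB, i.e. the VMSPLIT_2G_OPT and VMSPLIT_1G splits), so the low identity map overwrites the kernel-range PGD entries on those configurations. The count should be capped at the entries below PAGE_OFFSET, `min(KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY)`, which is exactly what the next patch in this queue (x86-setup-fix-low-identity-map-for-2gb-kernel-range.patch) does, so this backport must not be applied without it. The new comment would also be more useful if it said why the map must exist, e.g. `/* Identity-map the low range too: initial_page_table is used by the 32-bit EFI stub (efi_call_phys_prolog) and the GDT must be reachable through it. */`. The enclosing #ifdef and setup_arch() start outside the hunk.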
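Review bot: Capping the copy at `min(KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY)` stops the identity map from clobbering the kernel mapping, but on splits with PAGE_OFFSET below 2 GB it also means only physical memory below PAGE_OFFSET is identity-mapped, while lowmem on those splits extends further; presumably anything allocated from that upper part of lowmem, the per-CPU GDT the parent fix was about included, would then again be unreachable through initial_page_table and the original fault could recur there. That gap is inherent to sharing one page directory between the two mappings, so it warrants a comment rather than a code change, e.g. `/* Only entries below PAGE_OFFSET can be identity-mapped without overwriting the kernel mapping; with PAGE_OFFSET < 2GB, lowmem above that stays unreachable via initial_page_table. */`. The surrounding comment block, #ifdef and setup_arch() start outside the hunk.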