From: Greg Kroah-Hartman Date: Mon, 8 Aug 2016 14:23:27 +0000 (+0200) Subject: 4.6-stable patches X-Git-Tag: v3.14.75~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e773fc6547be09343da7e2d6ecc6b4f70eca5540;p=thirdparty%2Fkernel%2Fstable-queue.git 4.6-stable patches added patches: adv7604-don-t-ignore-pad-number-in-subdev-dv-timings-pad-operations.patch cfg80211-handle-failed-skb-allocation.patch cpu-hotplug-keep-enough-storage-space-if-smp-n-to-avoid-array-out-of-bounds-scribble.patch i2c-mux-reg-wrong-condition-checked-for-of_address_to_resource-return-value.patch i2c-qup-fix-wrong-value-of-index-variable.patch intel_th-fix-a-deadlock-in-modprobing.patch intel_th-pci-add-kaby-lake-pch-h-support.patch libata-lite-on-cx1-jb256-hp-needs-lower-max_sectors.patch libceph-apply-new_state-before-new_up_client-on-incrementals.patch media-fix-airspy-usb-probe-error-path.patch net-mvneta-set-real-interrupt-per-packet-for-tx_done.patch posix_cpu_timer-exit-early-when-process-has-been-reaped.patch --- diff --git a/queue-4.6/adv7604-don-t-ignore-pad-number-in-subdev-dv-timings-pad-operations.patch b/queue-4.6/adv7604-don-t-ignore-pad-number-in-subdev-dv-timings-pad-operations.patch new file mode 100644 index 00000000000..946d433a9f3 --- /dev/null +++ b/queue-4.6/adv7604-don-t-ignore-pad-number-in-subdev-dv-timings-pad-operations.patch @@ -0,0 +1,124 @@ +From 6519c3d7b8621c9f4333c98ed4b703029b51ba79 Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart +Date: Tue, 24 May 2016 09:09:33 -0300 +Subject: [media] adv7604: Don't ignore pad number in subdev DV timings pad operations + +From: Laurent Pinchart + +commit 6519c3d7b8621c9f4333c98ed4b703029b51ba79 upstream. + +The dv_timings_cap() and enum_dv_timings() pad operations take a pad +number as an input argument and return the DV timings capabilities and +list of supported DV timings for that pad. + +Commit bd3e275f3ec0 ("[media] media: i2c: adv7604: Use v4l2-dv-timings +helpers") broke this as it started ignoring the pad number, always +returning the information associated with the currently selected input. +Fix it. + +Fixes: bd3e275f3ec0 ("[media] media: i2c: adv7604: Use v4l2-dv-timings helpers") + +Signed-off-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/i2c/adv7604.c | 48 +++++++++++++++++++++++++++++++++----------- + 1 file changed, 36 insertions(+), 12 deletions(-) + +--- a/drivers/media/i2c/adv7604.c ++++ b/drivers/media/i2c/adv7604.c +@@ -779,11 +779,31 @@ static const struct v4l2_dv_timings_cap + V4L2_DV_BT_CAP_CUSTOM) + }; + +-static inline const struct v4l2_dv_timings_cap * +-adv76xx_get_dv_timings_cap(struct v4l2_subdev *sd) +-{ +- return is_digital_input(sd) ? &adv76xx_timings_cap_digital : +- &adv7604_timings_cap_analog; ++/* ++ * Return the DV timings capabilities for the requested sink pad. As a special ++ * case, pad value -1 returns the capabilities for the currently selected input. ++ */ ++static const struct v4l2_dv_timings_cap * ++adv76xx_get_dv_timings_cap(struct v4l2_subdev *sd, int pad) ++{ ++ if (pad == -1) { ++ struct adv76xx_state *state = to_state(sd); ++ ++ pad = state->selected_input; ++ } ++ ++ switch (pad) { ++ case ADV76XX_PAD_HDMI_PORT_A: ++ case ADV7604_PAD_HDMI_PORT_B: ++ case ADV7604_PAD_HDMI_PORT_C: ++ case ADV7604_PAD_HDMI_PORT_D: ++ return &adv76xx_timings_cap_digital; ++ ++ case ADV7604_PAD_VGA_RGB: ++ case ADV7604_PAD_VGA_COMP: ++ default: ++ return &adv7604_timings_cap_analog; ++ } + } + + +@@ -1329,7 +1349,7 @@ static int stdi2dv_timings(struct v4l2_s + const struct v4l2_bt_timings *bt = &v4l2_dv_timings_presets[i].bt; + + if (!v4l2_valid_dv_timings(&v4l2_dv_timings_presets[i], +- adv76xx_get_dv_timings_cap(sd), ++ adv76xx_get_dv_timings_cap(sd, -1), + adv76xx_check_dv_timings, NULL)) + continue; + if (vtotal(bt) != stdi->lcf + 1) +@@ -1430,18 +1450,22 @@ static int adv76xx_enum_dv_timings(struc + return -EINVAL; + + return v4l2_enum_dv_timings_cap(timings, +- adv76xx_get_dv_timings_cap(sd), adv76xx_check_dv_timings, NULL); ++ adv76xx_get_dv_timings_cap(sd, timings->pad), ++ adv76xx_check_dv_timings, NULL); + } + + static int adv76xx_dv_timings_cap(struct v4l2_subdev *sd, + struct v4l2_dv_timings_cap *cap) + { + struct adv76xx_state *state = to_state(sd); ++ unsigned int pad = cap->pad; + + if (cap->pad >= state->source_pad) + return -EINVAL; + +- *cap = *adv76xx_get_dv_timings_cap(sd); ++ *cap = *adv76xx_get_dv_timings_cap(sd, pad); ++ cap->pad = pad; ++ + return 0; + } + +@@ -1450,9 +1474,9 @@ static int adv76xx_dv_timings_cap(struct + static void adv76xx_fill_optional_dv_timings_fields(struct v4l2_subdev *sd, + struct v4l2_dv_timings *timings) + { +- v4l2_find_dv_timings_cap(timings, adv76xx_get_dv_timings_cap(sd), +- is_digital_input(sd) ? 250000 : 1000000, +- adv76xx_check_dv_timings, NULL); ++ v4l2_find_dv_timings_cap(timings, adv76xx_get_dv_timings_cap(sd, -1), ++ is_digital_input(sd) ? 250000 : 1000000, ++ adv76xx_check_dv_timings, NULL); + } + + static unsigned int adv7604_read_hdmi_pixelclock(struct v4l2_subdev *sd) +@@ -1620,7 +1644,7 @@ static int adv76xx_s_dv_timings(struct v + + bt = &timings->bt; + +- if (!v4l2_valid_dv_timings(timings, adv76xx_get_dv_timings_cap(sd), ++ if (!v4l2_valid_dv_timings(timings, adv76xx_get_dv_timings_cap(sd, -1), + adv76xx_check_dv_timings, NULL)) + return -ERANGE; + diff --git a/queue-4.6/cfg80211-handle-failed-skb-allocation.patch b/queue-4.6/cfg80211-handle-failed-skb-allocation.patch new file mode 100644 index 00000000000..6d5d6082a94 --- /dev/null +++ b/queue-4.6/cfg80211-handle-failed-skb-allocation.patch @@ -0,0 +1,32 @@ +From 16a910a6722b7a8680409e634c7c0dac073c01e4 Mon Sep 17 00:00:00 2001 +From: Gregory Greenman +Date: Tue, 5 Jul 2016 15:23:10 +0300 +Subject: cfg80211: handle failed skb allocation + +From: Gregory Greenman + +commit 16a910a6722b7a8680409e634c7c0dac073c01e4 upstream. + +Handle the case when dev_alloc_skb returns NULL. + +Fixes: 2b67f944f88c2 ("cfg80211: reuse existing page fragments in A-MSDU rx") +Signed-off-by: Gregory Greenman +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/util.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -721,6 +721,8 @@ __ieee80211_amsdu_copy(struct sk_buff *s + * alignment since sizeof(struct ethhdr) is 14. + */ + frame = dev_alloc_skb(hlen + sizeof(struct ethhdr) + 2 + cur_len); ++ if (!frame) ++ return NULL; + + skb_reserve(frame, hlen + sizeof(struct ethhdr) + 2); + skb_copy_bits(skb, offset, skb_put(frame, cur_len), cur_len); diff --git a/queue-4.6/cpu-hotplug-keep-enough-storage-space-if-smp-n-to-avoid-array-out-of-bounds-scribble.patch b/queue-4.6/cpu-hotplug-keep-enough-storage-space-if-smp-n-to-avoid-array-out-of-bounds-scribble.patch new file mode 100644 index 00000000000..60834461571 --- /dev/null +++ b/queue-4.6/cpu-hotplug-keep-enough-storage-space-if-smp-n-to-avoid-array-out-of-bounds-scribble.patch @@ -0,0 +1,58 @@ +From a7c734140aa36413944eef0f8c660e0e2256357d Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Tue, 12 Jul 2016 21:59:23 +0200 +Subject: cpu/hotplug: Keep enough storage space if SMP=n to avoid array out of bounds scribble + +From: Thomas Gleixner + +commit a7c734140aa36413944eef0f8c660e0e2256357d upstream. + +Xiaolong Ye reported lock debug warnings triggered by the following commit: + + 8de4a0066106 ("perf/x86: Convert the core to the hotplug state machine") + +The bug is the following: the cpuhp_bp_states[] array is cut short when +CONFIG_SMP=n, but the dynamically registered callbacks are stored nevertheless +and happily scribble outside of the array bounds... + +We need to store them in case that the state is unregistered so we can invoke +the teardown function. That's independent of CONFIG_SMP. Make sure the array +is large enough. + +Reported-by: kernel test robot +Signed-off-by: Thomas Gleixner +Cc: Adam Borowski +Cc: Alexander Shishkin +Cc: Anna-Maria Gleixner +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Borislav Petkov +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Sebastian Andrzej Siewior +Cc: Stephane Eranian +Cc: Vince Weaver +Cc: lkp@01.org +Cc: tipbuild@zytor.com +Fixes: cff7d378d3fd "cpu/hotplug: Convert to a state machine for the control processor" +Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1607122144560.4083@nanos +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cpu.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -1218,6 +1218,8 @@ static struct cpuhp_step cpuhp_bp_states + .teardown = takedown_cpu, + .cant_stop = true, + }, ++#else ++ [CPUHP_BRINGUP_CPU] = { }, + #endif + }; + diff --git a/queue-4.6/i2c-mux-reg-wrong-condition-checked-for-of_address_to_resource-return-value.patch b/queue-4.6/i2c-mux-reg-wrong-condition-checked-for-of_address_to_resource-return-value.patch new file mode 100644 index 00000000000..1c12a093b44 --- /dev/null +++ b/queue-4.6/i2c-mux-reg-wrong-condition-checked-for-of_address_to_resource-return-value.patch @@ -0,0 +1,32 @@ +From 22ebf00eb56fe77922de8138aa9af9996582c2b3 Mon Sep 17 00:00:00 2001 +From: Lukasz Gemborowski +Date: Mon, 27 Jun 2016 12:57:47 +0200 +Subject: i2c: mux: reg: wrong condition checked for of_address_to_resource return value + +From: Lukasz Gemborowski + +commit 22ebf00eb56fe77922de8138aa9af9996582c2b3 upstream. + +of_address_to_resource return 0 on successful call but +devm_ioremap_resource is called only if it returns non-zero value + +Signed-off-by: Lukasz Gemborowski +Reviewed-by: Alexander Sverdlin +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/muxes/i2c-mux-reg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/muxes/i2c-mux-reg.c ++++ b/drivers/i2c/muxes/i2c-mux-reg.c +@@ -150,7 +150,7 @@ static int i2c_mux_reg_probe_dt(struct r + mux->data.idle_in_use = true; + + /* map address from "reg" if exists */ +- if (of_address_to_resource(np, 0, &res)) { ++ if (of_address_to_resource(np, 0, &res) == 0) { + mux->data.reg_size = resource_size(&res); + mux->data.reg = devm_ioremap_resource(&pdev->dev, &res); + if (IS_ERR(mux->data.reg)) diff --git a/queue-4.6/i2c-qup-fix-wrong-value-of-index-variable.patch b/queue-4.6/i2c-qup-fix-wrong-value-of-index-variable.patch new file mode 100644 index 00000000000..9a9bf75c5de --- /dev/null +++ b/queue-4.6/i2c-qup-fix-wrong-value-of-index-variable.patch @@ -0,0 +1,33 @@ +From d4f56c7773483b8829e89cfc739b7a5a071f6da0 Mon Sep 17 00:00:00 2001 +From: Sricharan R +Date: Fri, 10 Jun 2016 23:38:20 +0530 +Subject: i2c: qup: Fix wrong value of index variable + +From: Sricharan R + +commit d4f56c7773483b8829e89cfc739b7a5a071f6da0 upstream. + +index gets incremented during check to determine if the +messages can be transferred with dma. But not reset after +that, resulting in wrong start value in subsequent loop, +causing failure. Fix it. + +Signed-off-by: Sricharan R +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-qup.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/i2c/busses/i2c-qup.c ++++ b/drivers/i2c/busses/i2c-qup.c +@@ -1268,6 +1268,8 @@ static int qup_i2c_xfer_v2(struct i2c_ad + } + } + ++ idx = 0; ++ + do { + if (msgs[idx].len == 0) { + ret = -EINVAL; diff --git a/queue-4.6/intel_th-fix-a-deadlock-in-modprobing.patch b/queue-4.6/intel_th-fix-a-deadlock-in-modprobing.patch new file mode 100644 index 00000000000..85451d5721a --- /dev/null +++ b/queue-4.6/intel_th-fix-a-deadlock-in-modprobing.patch @@ -0,0 +1,93 @@ +From a36aa80f3cb2540fb1dbad6240852de4365a2e82 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Thu, 30 Jun 2016 11:51:44 +0300 +Subject: intel_th: Fix a deadlock in modprobing + +From: Alexander Shishkin + +commit a36aa80f3cb2540fb1dbad6240852de4365a2e82 upstream. + +Driver initialization tries to request a hub (GTH) driver module from +its probe callback, resulting in a deadlock. + +This patch solves the problem by adding a deferred work for requesting +the hub module. + +Signed-off-by: Alexander Shishkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/core.c | 35 +++++++++++++++++++++++++++++++++- + drivers/hwtracing/intel_th/intel_th.h | 3 ++ + 2 files changed, 37 insertions(+), 1 deletion(-) + +--- a/drivers/hwtracing/intel_th/core.c ++++ b/drivers/hwtracing/intel_th/core.c +@@ -440,6 +440,38 @@ static struct intel_th_subdevice { + }, + }; + ++#ifdef CONFIG_MODULES ++static void __intel_th_request_hub_module(struct work_struct *work) ++{ ++ struct intel_th *th = container_of(work, struct intel_th, ++ request_module_work); ++ ++ request_module("intel_th_%s", th->hub->name); ++} ++ ++static int intel_th_request_hub_module(struct intel_th *th) ++{ ++ INIT_WORK(&th->request_module_work, __intel_th_request_hub_module); ++ schedule_work(&th->request_module_work); ++ ++ return 0; ++} ++ ++static void intel_th_request_hub_module_flush(struct intel_th *th) ++{ ++ flush_work(&th->request_module_work); ++} ++#else ++static inline int intel_th_request_hub_module(struct intel_th *th) ++{ ++ return -EINVAL; ++} ++ ++static inline void intel_th_request_hub_module_flush(struct intel_th *th) ++{ ++} ++#endif /* CONFIG_MODULES */ ++ + static int intel_th_populate(struct intel_th *th, struct resource *devres, + unsigned int ndevres, int irq) + { +@@ -510,7 +542,7 @@ static int intel_th_populate(struct inte + /* need switch driver to be loaded to enumerate the rest */ + if (subdev->type == INTEL_TH_SWITCH && !req) { + th->hub = thdev; +- err = request_module("intel_th_%s", subdev->name); ++ err = intel_th_request_hub_module(th); + if (!err) + req++; + } +@@ -627,6 +659,7 @@ void intel_th_free(struct intel_th *th) + { + int i; + ++ intel_th_request_hub_module_flush(th); + for (i = 0; i < TH_SUBDEVICE_MAX; i++) + if (th->thdev[i] != th->hub) + intel_th_device_remove(th->thdev[i]); +--- a/drivers/hwtracing/intel_th/intel_th.h ++++ b/drivers/hwtracing/intel_th/intel_th.h +@@ -199,6 +199,9 @@ struct intel_th { + + int id; + int major; ++#ifdef CONFIG_MODULES ++ struct work_struct request_module_work; ++#endif /* CONFIG_MODULES */ + #ifdef CONFIG_INTEL_TH_DEBUG + struct dentry *dbg; + #endif diff --git a/queue-4.6/intel_th-pci-add-kaby-lake-pch-h-support.patch b/queue-4.6/intel_th-pci-add-kaby-lake-pch-h-support.patch new file mode 100644 index 00000000000..3ec4bf2fa82 --- /dev/null +++ b/queue-4.6/intel_th-pci-add-kaby-lake-pch-h-support.patch @@ -0,0 +1,32 @@ +From 7a1a47ce35821b40f5b2ce46379ba14393bc3873 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 28 Jun 2016 18:55:23 +0300 +Subject: intel_th: pci: Add Kaby Lake PCH-H support + +From: Alexander Shishkin + +commit 7a1a47ce35821b40f5b2ce46379ba14393bc3873 upstream. + +This adds Intel(R) Trace Hub PCI ID for Kaby Lake PCH-H. + +Signed-off-by: Alexander Shishkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -75,6 +75,11 @@ static const struct pci_device_id intel_ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x0a80), + .driver_data = (kernel_ulong_t)0, + }, ++ { ++ /* Kaby Lake PCH-H */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa2a6), ++ .driver_data = (kernel_ulong_t)0, ++ }, + { 0 }, + }; + diff --git a/queue-4.6/libata-lite-on-cx1-jb256-hp-needs-lower-max_sectors.patch b/queue-4.6/libata-lite-on-cx1-jb256-hp-needs-lower-max_sectors.patch new file mode 100644 index 00000000000..fdc4707b429 --- /dev/null +++ b/queue-4.6/libata-lite-on-cx1-jb256-hp-needs-lower-max_sectors.patch @@ -0,0 +1,40 @@ +From 1488a1e3828d60d74c9b802a05e24c0487babe4e Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Mon, 18 Jul 2016 18:40:00 -0400 +Subject: libata: LITE-ON CX1-JB256-HP needs lower max_sectors + +From: Tejun Heo + +commit 1488a1e3828d60d74c9b802a05e24c0487babe4e upstream. + +Since 34b48db66e08 ("block: remove artifical max_hw_sectors cap"), +max_sectors is no longer limited to BLK_DEF_MAX_SECTORS and LITE-ON +CX1-JB256-HP keeps timing out with higher max_sectors. Revert it to +the previous value. + +Signed-off-by: Tejun Heo +Reported-by: dgerasimov@gmail.com +Link: https://bugzilla.kernel.org/show_bug.cgi?id=121671 +Fixes: 34b48db66e08 ("block: remove artifical max_hw_sectors cap") +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4141,6 +4141,12 @@ static const struct ata_blacklist_entry + */ + { "ST380013AS", "3.20", ATA_HORKAGE_MAX_SEC_1024 }, + ++ /* ++ * Device times out with higher max sects. ++ * https://bugzilla.kernel.org/show_bug.cgi?id=121671 ++ */ ++ { "LITEON CX1-JB256-HP", NULL, ATA_HORKAGE_MAX_SEC_1024 }, ++ + /* Devices we expect to fail diagnostics */ + + /* Devices where NCQ should be avoided */ diff --git a/queue-4.6/libceph-apply-new_state-before-new_up_client-on-incrementals.patch b/queue-4.6/libceph-apply-new_state-before-new_up_client-on-incrementals.patch new file mode 100644 index 00000000000..2f5e5129739 --- /dev/null +++ b/queue-4.6/libceph-apply-new_state-before-new_up_client-on-incrementals.patch @@ -0,0 +1,227 @@ +From 930c532869774ebf8af9efe9484c597f896a7d46 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Tue, 19 Jul 2016 03:50:28 +0200 +Subject: libceph: apply new_state before new_up_client on incrementals + +From: Ilya Dryomov + +commit 930c532869774ebf8af9efe9484c597f896a7d46 upstream. + +Currently, osd_weight and osd_state fields are updated in the encoding +order. This is wrong, because an incremental map may look like e.g. + + new_up_client: { osd=6, addr=... } # set osd_state and addr + new_state: { osd=6, xorstate=EXISTS } # clear osd_state + +Suppose osd6's current osd_state is EXISTS (i.e. osd6 is down). After +applying new_up_client, osd_state is changed to EXISTS | UP. Carrying +on with the new_state update, we flip EXISTS and leave osd6 in a weird +"!EXISTS but UP" state. A non-existent OSD is considered down by the +mapping code + +2087 for (i = 0; i < pg->pg_temp.len; i++) { +2088 if (ceph_osd_is_down(osdmap, pg->pg_temp.osds[i])) { +2089 if (ceph_can_shift_osds(pi)) +2090 continue; +2091 +2092 temp->osds[temp->size++] = CRUSH_ITEM_NONE; + +and so requests get directed to the second OSD in the set instead of +the first, resulting in OSD-side errors like: + +[WRN] : client.4239 192.168.122.21:0/2444980242 misdirected client.4239.1:2827 pg 2.5df899f2 to osd.4 not [1,4,6] in e680/680 + +and hung rbds on the client: + +[ 493.566367] rbd: rbd0: write 400000 at 11cc00000 (0) +[ 493.566805] rbd: rbd0: result -6 xferred 400000 +[ 493.567011] blk_update_request: I/O error, dev rbd0, sector 9330688 + +The fix is to decouple application from the decoding and: +- apply new_weight first +- apply new_state before new_up_client +- twiddle osd_state flags if marking in +- clear out some of the state if osd is destroyed + +Fixes: http://tracker.ceph.com/issues/14901 + +Signed-off-by: Ilya Dryomov +Reviewed-by: Josh Durgin +Signed-off-by: Greg Kroah-Hartman + +--- + net/ceph/osdmap.c | 156 +++++++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 113 insertions(+), 43 deletions(-) + +--- a/net/ceph/osdmap.c ++++ b/net/ceph/osdmap.c +@@ -1201,6 +1201,115 @@ struct ceph_osdmap *ceph_osdmap_decode(v + } + + /* ++ * Encoding order is (new_up_client, new_state, new_weight). Need to ++ * apply in the (new_weight, new_state, new_up_client) order, because ++ * an incremental map may look like e.g. ++ * ++ * new_up_client: { osd=6, addr=... } # set osd_state and addr ++ * new_state: { osd=6, xorstate=EXISTS } # clear osd_state ++ */ ++static int decode_new_up_state_weight(void **p, void *end, ++ struct ceph_osdmap *map) ++{ ++ void *new_up_client; ++ void *new_state; ++ void *new_weight_end; ++ u32 len; ++ ++ new_up_client = *p; ++ ceph_decode_32_safe(p, end, len, e_inval); ++ len *= sizeof(u32) + sizeof(struct ceph_entity_addr); ++ ceph_decode_need(p, end, len, e_inval); ++ *p += len; ++ ++ new_state = *p; ++ ceph_decode_32_safe(p, end, len, e_inval); ++ len *= sizeof(u32) + sizeof(u8); ++ ceph_decode_need(p, end, len, e_inval); ++ *p += len; ++ ++ /* new_weight */ ++ ceph_decode_32_safe(p, end, len, e_inval); ++ while (len--) { ++ s32 osd; ++ u32 w; ++ ++ ceph_decode_need(p, end, 2*sizeof(u32), e_inval); ++ osd = ceph_decode_32(p); ++ w = ceph_decode_32(p); ++ BUG_ON(osd >= map->max_osd); ++ pr_info("osd%d weight 0x%x %s\n", osd, w, ++ w == CEPH_OSD_IN ? "(in)" : ++ (w == CEPH_OSD_OUT ? "(out)" : "")); ++ map->osd_weight[osd] = w; ++ ++ /* ++ * If we are marking in, set the EXISTS, and clear the ++ * AUTOOUT and NEW bits. ++ */ ++ if (w) { ++ map->osd_state[osd] |= CEPH_OSD_EXISTS; ++ map->osd_state[osd] &= ~(CEPH_OSD_AUTOOUT | ++ CEPH_OSD_NEW); ++ } ++ } ++ new_weight_end = *p; ++ ++ /* new_state (up/down) */ ++ *p = new_state; ++ len = ceph_decode_32(p); ++ while (len--) { ++ s32 osd; ++ u8 xorstate; ++ int ret; ++ ++ osd = ceph_decode_32(p); ++ xorstate = ceph_decode_8(p); ++ if (xorstate == 0) ++ xorstate = CEPH_OSD_UP; ++ BUG_ON(osd >= map->max_osd); ++ if ((map->osd_state[osd] & CEPH_OSD_UP) && ++ (xorstate & CEPH_OSD_UP)) ++ pr_info("osd%d down\n", osd); ++ if ((map->osd_state[osd] & CEPH_OSD_EXISTS) && ++ (xorstate & CEPH_OSD_EXISTS)) { ++ pr_info("osd%d does not exist\n", osd); ++ map->osd_weight[osd] = CEPH_OSD_IN; ++ ret = set_primary_affinity(map, osd, ++ CEPH_OSD_DEFAULT_PRIMARY_AFFINITY); ++ if (ret) ++ return ret; ++ memset(map->osd_addr + osd, 0, sizeof(*map->osd_addr)); ++ map->osd_state[osd] = 0; ++ } else { ++ map->osd_state[osd] ^= xorstate; ++ } ++ } ++ ++ /* new_up_client */ ++ *p = new_up_client; ++ len = ceph_decode_32(p); ++ while (len--) { ++ s32 osd; ++ struct ceph_entity_addr addr; ++ ++ osd = ceph_decode_32(p); ++ ceph_decode_copy(p, &addr, sizeof(addr)); ++ ceph_decode_addr(&addr); ++ BUG_ON(osd >= map->max_osd); ++ pr_info("osd%d up\n", osd); ++ map->osd_state[osd] |= CEPH_OSD_EXISTS | CEPH_OSD_UP; ++ map->osd_addr[osd] = addr; ++ } ++ ++ *p = new_weight_end; ++ return 0; ++ ++e_inval: ++ return -EINVAL; ++} ++ ++/* + * decode and apply an incremental map update. + */ + struct ceph_osdmap *osdmap_apply_incremental(void **p, void *end, +@@ -1299,49 +1408,10 @@ struct ceph_osdmap *osdmap_apply_increme + __remove_pg_pool(&map->pg_pools, pi); + } + +- /* new_up */ +- ceph_decode_32_safe(p, end, len, e_inval); +- while (len--) { +- u32 osd; +- struct ceph_entity_addr addr; +- ceph_decode_32_safe(p, end, osd, e_inval); +- ceph_decode_copy_safe(p, end, &addr, sizeof(addr), e_inval); +- ceph_decode_addr(&addr); +- pr_info("osd%d up\n", osd); +- BUG_ON(osd >= map->max_osd); +- map->osd_state[osd] |= CEPH_OSD_UP | CEPH_OSD_EXISTS; +- map->osd_addr[osd] = addr; +- } +- +- /* new_state */ +- ceph_decode_32_safe(p, end, len, e_inval); +- while (len--) { +- u32 osd; +- u8 xorstate; +- ceph_decode_32_safe(p, end, osd, e_inval); +- xorstate = **(u8 **)p; +- (*p)++; /* clean flag */ +- if (xorstate == 0) +- xorstate = CEPH_OSD_UP; +- if (xorstate & CEPH_OSD_UP) +- pr_info("osd%d down\n", osd); +- if (osd < map->max_osd) +- map->osd_state[osd] ^= xorstate; +- } +- +- /* new_weight */ +- ceph_decode_32_safe(p, end, len, e_inval); +- while (len--) { +- u32 osd, off; +- ceph_decode_need(p, end, sizeof(u32)*2, e_inval); +- osd = ceph_decode_32(p); +- off = ceph_decode_32(p); +- pr_info("osd%d weight 0x%x %s\n", osd, off, +- off == CEPH_OSD_IN ? "(in)" : +- (off == CEPH_OSD_OUT ? "(out)" : "")); +- if (osd < map->max_osd) +- map->osd_weight[osd] = off; +- } ++ /* new_up_client, new_state, new_weight */ ++ err = decode_new_up_state_weight(p, end, map); ++ if (err) ++ goto bad; + + /* new_pg_temp */ + err = decode_new_pg_temp(p, end, map); diff --git a/queue-4.6/media-fix-airspy-usb-probe-error-path.patch b/queue-4.6/media-fix-airspy-usb-probe-error-path.patch new file mode 100644 index 00000000000..4bfd43a4258 --- /dev/null +++ b/queue-4.6/media-fix-airspy-usb-probe-error-path.patch @@ -0,0 +1,53 @@ +From aa93d1fee85c890a34f2510a310e55ee76a27848 Mon Sep 17 00:00:00 2001 +From: James Patrick-Evans +Date: Fri, 15 Jul 2016 16:40:45 +0100 +Subject: media: fix airspy usb probe error path + +From: James Patrick-Evans + +commit aa93d1fee85c890a34f2510a310e55ee76a27848 upstream. + +Fix a memory leak on probe error of the airspy usb device driver. + +The problem is triggered when more than 64 usb devices register with +v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV. + +The memory leak is caused by the probe function of the airspy driver +mishandeling errors and not freeing the corresponding control structures +when an error occours registering the device to v4l2 core. + +A badusb device can emulate 64 of these devices, and then through +continual emulated connect/disconnect of the 65th device, cause the +kernel to run out of RAM and crash the kernel, thus causing a local DOS +vulnerability. + +Fixes CVE-2016-5400 + +Signed-off-by: James Patrick-Evans +Reviewed-by: Kees Cook +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/airspy/airspy.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/media/usb/airspy/airspy.c ++++ b/drivers/media/usb/airspy/airspy.c +@@ -1072,7 +1072,7 @@ static int airspy_probe(struct usb_inter + if (ret) { + dev_err(s->dev, "Failed to register as video device (%d)\n", + ret); +- goto err_unregister_v4l2_dev; ++ goto err_free_controls; + } + dev_info(s->dev, "Registered as %s\n", + video_device_node_name(&s->vdev)); +@@ -1081,7 +1081,6 @@ static int airspy_probe(struct usb_inter + + err_free_controls: + v4l2_ctrl_handler_free(&s->hdl); +-err_unregister_v4l2_dev: + v4l2_device_unregister(&s->v4l2_dev); + err_free_mem: + kfree(s); diff --git a/queue-4.6/net-mvneta-set-real-interrupt-per-packet-for-tx_done.patch b/queue-4.6/net-mvneta-set-real-interrupt-per-packet-for-tx_done.patch new file mode 100644 index 00000000000..3c81edf2414 --- /dev/null +++ b/queue-4.6/net-mvneta-set-real-interrupt-per-packet-for-tx_done.patch @@ -0,0 +1,47 @@ +From 06708f81528725148473c0869d6af5f809c6824b Mon Sep 17 00:00:00 2001 +From: Dmitri Epshtein +Date: Wed, 6 Jul 2016 04:18:58 +0200 +Subject: net: mvneta: set real interrupt per packet for tx_done + +From: Dmitri Epshtein + +commit 06708f81528725148473c0869d6af5f809c6824b upstream. + +Commit aebea2ba0f74 ("net: mvneta: fix Tx interrupt delay") intended to +set coalescing threshold to a value guaranteeing interrupt generation +per each sent packet, so that buffers can be released with no delay. + +In fact setting threshold to '1' was wrong, because it causes interrupt +every two packets. According to the documentation a reason behind it is +following - interrupt occurs once sent buffers counter reaches a value, +which is higher than one specified in MVNETA_TXQ_SIZE_REG(q). This +behavior was confirmed during tests. Also when testing the SoC working +as a NAS device, better performance was observed with int-per-packet, +as it strongly depends on the fact that all transmitted packets are +released immediately. + +This commit enables NETA controller work in interrupt per sent packet mode +by setting coalescing threshold to 0. + +Signed-off-by: Dmitri Epshtein +Signed-off-by: Marcin Wojtas +Fixes aebea2ba0f74 ("net: mvneta: fix Tx interrupt delay") +Acked-by: Willy Tarreau +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/marvell/mvneta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -244,7 +244,7 @@ + /* Various constants */ + + /* Coalescing */ +-#define MVNETA_TXDONE_COAL_PKTS 1 ++#define MVNETA_TXDONE_COAL_PKTS 0 /* interrupt per packet */ + #define MVNETA_RX_COAL_PKTS 32 + #define MVNETA_RX_COAL_USEC 100 + diff --git a/queue-4.6/posix_cpu_timer-exit-early-when-process-has-been-reaped.patch b/queue-4.6/posix_cpu_timer-exit-early-when-process-has-been-reaped.patch new file mode 100644 index 00000000000..ffebdf9338e --- /dev/null +++ b/queue-4.6/posix_cpu_timer-exit-early-when-process-has-been-reaped.patch @@ -0,0 +1,41 @@ +From 2c13ce8f6b2f6fd9ba2f9261b1939fc0f62d1307 Mon Sep 17 00:00:00 2001 +From: Alexey Dobriyan +Date: Fri, 8 Jul 2016 01:39:11 +0300 +Subject: posix_cpu_timer: Exit early when process has been reaped + +From: Alexey Dobriyan + +commit 2c13ce8f6b2f6fd9ba2f9261b1939fc0f62d1307 upstream. + +Variable "now" seems to be genuinely used unintialized +if branch + + if (CPUCLOCK_PERTHREAD(timer->it_clock)) { + +is not taken and branch + + if (unlikely(sighand == NULL)) { + +is taken. In this case the process has been reaped and the timer is marked as +disarmed anyway. So none of the postprocessing of the sample is +required. Return right away. + +Signed-off-by: Alexey Dobriyan +Link: http://lkml.kernel.org/r/20160707223911.GA26483@p183.telecom.by +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/posix-cpu-timers.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/time/posix-cpu-timers.c ++++ b/kernel/time/posix-cpu-timers.c +@@ -777,6 +777,7 @@ static void posix_cpu_timer_get(struct k + timer->it.cpu.expires = 0; + sample_to_timespec(timer->it_clock, timer->it.cpu.expires, + &itp->it_value); ++ return; + } else { + cpu_timer_sample_group(timer->it_clock, p, &now); + unlock_task_sighand(p, &flags); diff --git a/queue-4.6/series b/queue-4.6/series index 6e43a0bbb7c..600ce5c88ee 100644 --- a/queue-4.6/series +++ b/queue-4.6/series @@ -80,3 +80,15 @@ irqchip-mips-gic-match-ipi-irq-domain-by-bus-token-only.patch qla2xxx-fix-null-pointer-deref-in-qla-interrupt.patch scsi-fix-new-bug-in-scsi_dev_info_list-string-matching.patch ipr-clear-interrupt-on-croc-crocodile-when-running-with-lsi.patch +media-fix-airspy-usb-probe-error-path.patch +posix_cpu_timer-exit-early-when-process-has-been-reaped.patch +cpu-hotplug-keep-enough-storage-space-if-smp-n-to-avoid-array-out-of-bounds-scribble.patch +adv7604-don-t-ignore-pad-number-in-subdev-dv-timings-pad-operations.patch +i2c-qup-fix-wrong-value-of-index-variable.patch +i2c-mux-reg-wrong-condition-checked-for-of_address_to_resource-return-value.patch +libata-lite-on-cx1-jb256-hp-needs-lower-max_sectors.patch +libceph-apply-new_state-before-new_up_client-on-incrementals.patch +net-mvneta-set-real-interrupt-per-packet-for-tx_done.patch +cfg80211-handle-failed-skb-allocation.patch +intel_th-pci-add-kaby-lake-pch-h-support.patch +intel_th-fix-a-deadlock-in-modprobing.patch