From: Greg Kroah-Hartman Date: Sat, 2 May 2015 18:16:10 +0000 (+0200) Subject: 4.0-stable patches X-Git-Tag: v3.10.77~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ea966c3fe91eeca45bb745392617b2a2627aef6b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.0-stable patches added patches: c6x-time-ensure-consistency-in-__init.patch crypto-omap-aes-fix-support-for-unequal-lengths.patch drivers-platform-parse-irq-flags-from-resources.patch e1000-add-dummy-allocator-to-fix-race-condition-between-mtu-change-and-netpoll.patch ebpf-verifier-check-that-call-reg-with-arg_anything-is-initialized.patch lib-memzero_explicit-use-barrier-instead-of-optimizer_hide_var.patch mac80211-send-ap-probe-as-unicast-again.patch memstick-mspro_block-add-missing-curly-braces.patch mm-thp-really-limit-transparent-hugepage-allocation-to-local-node.patch wl18xx-show-rx_frames_per_rates-as-an-array-as-it-really-is.patch --- diff --git a/queue-4.0/c6x-time-ensure-consistency-in-__init.patch b/queue-4.0/c6x-time-ensure-consistency-in-__init.patch new file mode 100644 index 00000000000..743db423d78 --- /dev/null +++ b/queue-4.0/c6x-time-ensure-consistency-in-__init.patch @@ -0,0 +1,42 @@ +From f4831605f2dacd12730fe73961c77253cc2ea425 Mon Sep 17 00:00:00 2001 +From: Nishanth Menon +Date: Sat, 7 Mar 2015 03:39:05 -0600 +Subject: C6x: time: Ensure consistency in __init + +From: Nishanth Menon + +commit f4831605f2dacd12730fe73961c77253cc2ea425 upstream. + +time_init invokes timer64_init (which is __init annotation) +since all of these are invoked at init time, lets maintain +consistency by ensuring time_init is marked appropriately +as well. + +This fixes the following warning with CONFIG_DEBUG_SECTION_MISMATCH=y + +WARNING: vmlinux.o(.text+0x3bfc): Section mismatch in reference from the function time_init() to the function .init.text:timer64_init() +The function time_init() references +the function __init timer64_init(). +This is often because time_init lacks a __init +annotation or the annotation of timer64_init is wrong. + +Fixes: 546a39546c64 ("C6X: time management") +Signed-off-by: Nishanth Menon +Signed-off-by: Mark Salter +Signed-off-by: Greg Kroah-Hartman + +--- + arch/c6x/kernel/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/c6x/kernel/time.c ++++ b/arch/c6x/kernel/time.c +@@ -49,7 +49,7 @@ u64 sched_clock(void) + return (tsc * sched_clock_multiplier) >> SCHED_CLOCK_SHIFT; + } + +-void time_init(void) ++void __init time_init(void) + { + u64 tmp = (u64)NSEC_PER_SEC << SCHED_CLOCK_SHIFT; + diff --git a/queue-4.0/crypto-omap-aes-fix-support-for-unequal-lengths.patch b/queue-4.0/crypto-omap-aes-fix-support-for-unequal-lengths.patch new file mode 100644 index 00000000000..c26c33ab69d --- /dev/null +++ b/queue-4.0/crypto-omap-aes-fix-support-for-unequal-lengths.patch @@ -0,0 +1,66 @@ +From 6d7e7e02a044025237b6f62a20521170b794537f Mon Sep 17 00:00:00 2001 +From: "Vutla, Lokesh" +Date: Tue, 31 Mar 2015 09:52:25 +0530 +Subject: crypto: omap-aes - Fix support for unequal lengths + +From: "Vutla, Lokesh" + +commit 6d7e7e02a044025237b6f62a20521170b794537f upstream. + +For cases where total length of an input SGs is not same as +length of the input data for encryption, omap-aes driver +crashes. This happens in the case when IPsec is trying to use +omap-aes driver. + +To avoid this, we copy all the pages from the input SG list +into a contiguous buffer and prepare a single element SG list +for this buffer with length as the total bytes to crypt, which is +similar thing that is done in case of unaligned lengths. + +Fixes: 6242332ff2f3 ("crypto: omap-aes - Add support for cases of unaligned lengths") +Signed-off-by: Lokesh Vutla +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/omap-aes.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/crypto/omap-aes.c ++++ b/drivers/crypto/omap-aes.c +@@ -554,15 +554,23 @@ static int omap_aes_crypt_dma_stop(struc + return err; + } + +-static int omap_aes_check_aligned(struct scatterlist *sg) ++static int omap_aes_check_aligned(struct scatterlist *sg, int total) + { ++ int len = 0; ++ + while (sg) { + if (!IS_ALIGNED(sg->offset, 4)) + return -1; + if (!IS_ALIGNED(sg->length, AES_BLOCK_SIZE)) + return -1; ++ ++ len += sg->length; + sg = sg_next(sg); + } ++ ++ if (len != total) ++ return -1; ++ + return 0; + } + +@@ -633,8 +641,8 @@ static int omap_aes_handle_queue(struct + dd->in_sg = req->src; + dd->out_sg = req->dst; + +- if (omap_aes_check_aligned(dd->in_sg) || +- omap_aes_check_aligned(dd->out_sg)) { ++ if (omap_aes_check_aligned(dd->in_sg, dd->total) || ++ omap_aes_check_aligned(dd->out_sg, dd->total)) { + if (omap_aes_copy_sgs(dd)) + pr_err("Failed to copy SGs for unaligned cases\n"); + dd->sgs_copied = 1; diff --git a/queue-4.0/drivers-platform-parse-irq-flags-from-resources.patch b/queue-4.0/drivers-platform-parse-irq-flags-from-resources.patch new file mode 100644 index 00000000000..7b80c549ca7 --- /dev/null +++ b/queue-4.0/drivers-platform-parse-irq-flags-from-resources.patch @@ -0,0 +1,72 @@ +From 7085a7401ba54e92bbb5aa24d6f428071e18e509 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Wed, 18 Feb 2015 17:12:18 +0100 +Subject: drivers: platform: parse IRQ flags from resources + +From: Linus Walleij + +commit 7085a7401ba54e92bbb5aa24d6f428071e18e509 upstream. + +This fixes a regression from the net subsystem: +After commit d52fdbb735c36a209f36a628d40ca9185b349ba7 +"smc91x: retrieve IRQ and trigger flags in a modern way" +a regression would appear on some legacy platforms such +as the ARM PXA Zylonite that specify IRQ resources like +this: + +static struct resource r = { + .start = X, + .end = X, + .flags = IORESOURCE_IRQ | IORESOURCE_IRQ_HIGHEDGE, +}; + +The previous code would retrieve the resource and parse +the high edge setting in the SMC91x driver, a use pattern +that means every driver specifying an IRQ flag from a +static resource need to parse resource flags and apply +them at runtime. + +As we switched the code to use IRQ descriptors to retrieve +the the trigger type like this: + + irqd_get_trigger_type(irq_get_irq_data(...)); + +the code would work for new platforms using e.g. device +tree as the backing irq descriptor would have its flags +properly set, whereas this kind of oldstyle static +resources at no point assign the trigger flags to the +corresponding IRQ descriptor. + +To make the behaviour identical on modern device tree +and legacy static platform data platforms, modify +platform_get_irq() to assign the trigger flags to the +irq descriptor when a client looks up an IRQ from static +resources. + +Fixes: d52fdbb735c3 ("smc91x: retrieve IRQ and trigger flags in a modern way") +Tested-by: Robert Jarzmik +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/platform.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -101,6 +101,15 @@ int platform_get_irq(struct platform_dev + } + + r = platform_get_resource(dev, IORESOURCE_IRQ, num); ++ /* ++ * The resources may pass trigger flags to the irqs that need ++ * to be set up. It so happens that the trigger flags for ++ * IORESOURCE_BITS correspond 1-to-1 to the IRQF_TRIGGER* ++ * settings. ++ */ ++ if (r && r->flags & IORESOURCE_BITS) ++ irqd_set_trigger_type(irq_get_irq_data(r->start), ++ r->flags & IORESOURCE_BITS); + + return r ? r->start : -ENXIO; + #endif diff --git a/queue-4.0/e1000-add-dummy-allocator-to-fix-race-condition-between-mtu-change-and-netpoll.patch b/queue-4.0/e1000-add-dummy-allocator-to-fix-race-condition-between-mtu-change-and-netpoll.patch new file mode 100644 index 00000000000..a0e96942e11 --- /dev/null +++ b/queue-4.0/e1000-add-dummy-allocator-to-fix-race-condition-between-mtu-change-and-netpoll.patch @@ -0,0 +1,93 @@ +From 08e8331654d1d7b2c58045e549005bc356aa7810 Mon Sep 17 00:00:00 2001 +From: Sabrina Dubroca +Date: Thu, 26 Feb 2015 05:35:41 +0000 +Subject: e1000: add dummy allocator to fix race condition between mtu change and netpoll + +From: Sabrina Dubroca + +commit 08e8331654d1d7b2c58045e549005bc356aa7810 upstream. + +There is a race condition between e1000_change_mtu's cleanups and +netpoll, when we change the MTU across jumbo size: + +Changing MTU frees all the rx buffers: + e1000_change_mtu -> e1000_down -> e1000_clean_all_rx_rings -> + e1000_clean_rx_ring + +Then, close to the end of e1000_change_mtu: + pr_info -> ... -> netpoll_poll_dev -> e1000_clean -> + e1000_clean_rx_irq -> e1000_alloc_rx_buffers -> e1000_alloc_frag + +And when we come back to do the rest of the MTU change: + e1000_up -> e1000_configure -> e1000_configure_rx -> + e1000_alloc_jumbo_rx_buffers + +alloc_jumbo finds the buffers already != NULL, since data (shared with +page in e1000_rx_buffer->rxbuf) has been re-alloc'd, but it's garbage, +or at least not what is expected when in jumbo state. + +This results in an unusable adapter (packets don't get through), and a +NULL pointer dereference on the next call to e1000_clean_rx_ring +(other mtu change, link down, shutdown): + +BUG: unable to handle kernel NULL pointer dereference at (null) +IP: [] put_compound_page+0x7e/0x330 + + [...] + +Call Trace: + [] put_page+0x55/0x60 + [] e1000_clean_rx_ring+0x134/0x200 + [] e1000_clean_all_rx_rings+0x45/0x60 + [] e1000_down+0x1c0/0x1d0 + [] ? deactivate_slab+0x7f0/0x840 + [] e1000_change_mtu+0xdc/0x170 + [] dev_set_mtu+0xa0/0x140 + [] do_setlink+0x218/0xac0 + [] ? nla_parse+0xb9/0x120 + [] rtnl_newlink+0x6d0/0x890 + [] ? kvm_clock_read+0x20/0x40 + [] ? sched_clock_cpu+0xa8/0x100 + [] rtnetlink_rcv_msg+0x92/0x260 + +By setting the allocator to a dummy version, netpoll can't mess up our +rx buffers. The allocator is set back to a sane value in +e1000_configure_rx. + +Fixes: edbbb3ca1077 ("e1000: implement jumbo receive with partial descriptors") +Signed-off-by: Sabrina Dubroca +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/e1000/e1000_main.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c +@@ -144,6 +144,11 @@ static bool e1000_clean_rx_irq(struct e1 + static bool e1000_clean_jumbo_rx_irq(struct e1000_adapter *adapter, + struct e1000_rx_ring *rx_ring, + int *work_done, int work_to_do); ++static void e1000_alloc_dummy_rx_buffers(struct e1000_adapter *adapter, ++ struct e1000_rx_ring *rx_ring, ++ int cleaned_count) ++{ ++} + static void e1000_alloc_rx_buffers(struct e1000_adapter *adapter, + struct e1000_rx_ring *rx_ring, + int cleaned_count); +@@ -3552,8 +3557,11 @@ static int e1000_change_mtu(struct net_d + msleep(1); + /* e1000_down has a dependency on max_frame_size */ + hw->max_frame_size = max_frame; +- if (netif_running(netdev)) ++ if (netif_running(netdev)) { ++ /* prevent buffers from being reallocated */ ++ adapter->alloc_rx_buf = e1000_alloc_dummy_rx_buffers; + e1000_down(adapter); ++ } + + /* NOTE: netdev_alloc_skb reserves 16 bytes, and typically NET_IP_ALIGN + * means we reserve 2 more, this pushes us to allocate from the next diff --git a/queue-4.0/ebpf-verifier-check-that-call-reg-with-arg_anything-is-initialized.patch b/queue-4.0/ebpf-verifier-check-that-call-reg-with-arg_anything-is-initialized.patch new file mode 100644 index 00000000000..c6c4a38b2db --- /dev/null +++ b/queue-4.0/ebpf-verifier-check-that-call-reg-with-arg_anything-is-initialized.patch @@ -0,0 +1,83 @@ +From 80f1d68ccba70b1060c9c7360ca83da430f66bed Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Thu, 12 Mar 2015 17:21:42 +0100 +Subject: ebpf: verifier: check that call reg with ARG_ANYTHING is initialized + +From: Daniel Borkmann + +commit 80f1d68ccba70b1060c9c7360ca83da430f66bed upstream. + +I noticed that a helper function with argument type ARG_ANYTHING does +not need to have an initialized value (register). + +This can worst case lead to unintented stack memory leakage in future +helper functions if they are not carefully designed, or unintended +application behaviour in case the application developer was not careful +enough to match a correct helper function signature in the API. + +The underlying issue is that ARG_ANYTHING should actually be split +into two different semantics: + + 1) ARG_DONTCARE for function arguments that the helper function + does not care about (in other words: the default for unused + function arguments), and + + 2) ARG_ANYTHING that is an argument actually being used by a + helper function and *guaranteed* to be an initialized register. + +The current risk is low: ARG_ANYTHING is only used for the 'flags' +argument (r4) in bpf_map_update_elem() that internally does strict +checking. + +Fixes: 17a5267067f3 ("bpf: verifier (add verifier core)") +Signed-off-by: Daniel Borkmann +Acked-by: Alexei Starovoitov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/bpf.h | 4 +++- + kernel/bpf/verifier.c | 5 ++++- + 2 files changed, 7 insertions(+), 2 deletions(-) + +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -48,7 +48,7 @@ struct bpf_map *bpf_map_get(struct fd f) + + /* function argument constraints */ + enum bpf_arg_type { +- ARG_ANYTHING = 0, /* any argument is ok */ ++ ARG_DONTCARE = 0, /* unused argument in helper function */ + + /* the following constraints used to prototype + * bpf_map_lookup/update/delete_elem() functions +@@ -62,6 +62,8 @@ enum bpf_arg_type { + */ + ARG_PTR_TO_STACK, /* any pointer to eBPF program stack */ + ARG_CONST_STACK_SIZE, /* number of bytes accessed from stack */ ++ ++ ARG_ANYTHING, /* any (initialized) argument is ok */ + }; + + /* type of values returned from helper functions */ +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -755,7 +755,7 @@ static int check_func_arg(struct verifie + enum bpf_reg_type expected_type; + int err = 0; + +- if (arg_type == ARG_ANYTHING) ++ if (arg_type == ARG_DONTCARE) + return 0; + + if (reg->type == NOT_INIT) { +@@ -763,6 +763,9 @@ static int check_func_arg(struct verifie + return -EACCES; + } + ++ if (arg_type == ARG_ANYTHING) ++ return 0; ++ + if (arg_type == ARG_PTR_TO_STACK || arg_type == ARG_PTR_TO_MAP_KEY || + arg_type == ARG_PTR_TO_MAP_VALUE) { + expected_type = PTR_TO_STACK; diff --git a/queue-4.0/lib-memzero_explicit-use-barrier-instead-of-optimizer_hide_var.patch b/queue-4.0/lib-memzero_explicit-use-barrier-instead-of-optimizer_hide_var.patch new file mode 100644 index 00000000000..1c7d0ab5ba2 --- /dev/null +++ b/queue-4.0/lib-memzero_explicit-use-barrier-instead-of-optimizer_hide_var.patch @@ -0,0 +1,111 @@ +From 0b053c9518292705736329a8fe20ef4686ffc8e9 Mon Sep 17 00:00:00 2001 +From: mancha security +Date: Wed, 18 Mar 2015 18:47:25 +0100 +Subject: lib: memzero_explicit: use barrier instead of OPTIMIZER_HIDE_VAR + +From: mancha security + +commit 0b053c9518292705736329a8fe20ef4686ffc8e9 upstream. + +OPTIMIZER_HIDE_VAR(), as defined when using gcc, is insufficient to +ensure protection from dead store optimization. + +For the random driver and crypto drivers, calls are emitted ... + + $ gdb vmlinux + (gdb) disassemble memzero_explicit + Dump of assembler code for function memzero_explicit: + 0xffffffff813a18b0 <+0>: push %rbp + 0xffffffff813a18b1 <+1>: mov %rsi,%rdx + 0xffffffff813a18b4 <+4>: xor %esi,%esi + 0xffffffff813a18b6 <+6>: mov %rsp,%rbp + 0xffffffff813a18b9 <+9>: callq 0xffffffff813a7120 + 0xffffffff813a18be <+14>: pop %rbp + 0xffffffff813a18bf <+15>: retq + End of assembler dump. + + (gdb) disassemble extract_entropy + [...] + 0xffffffff814a5009 <+313>: mov %r12,%rdi + 0xffffffff814a500c <+316>: mov $0xa,%esi + 0xffffffff814a5011 <+321>: callq 0xffffffff813a18b0 + 0xffffffff814a5016 <+326>: mov -0x48(%rbp),%rax + [...] + +... but in case in future we might use facilities such as LTO, then +OPTIMIZER_HIDE_VAR() is not sufficient to protect gcc from a possible +eviction of the memset(). We have to use a compiler barrier instead. + +Minimal test example when we assume memzero_explicit() would *not* be +a call, but would have been *inlined* instead: + + static inline void memzero_explicit(void *s, size_t count) + { + memset(s, 0, count); + + } + + int main(void) + { + char buff[20]; + + snprintf(buff, sizeof(buff) - 1, "test"); + printf("%s", buff); + + memzero_explicit(buff, sizeof(buff)); + return 0; + } + +With := OPTIMIZER_HIDE_VAR(): + + (gdb) disassemble main + Dump of assembler code for function main: + [...] + 0x0000000000400464 <+36>: callq 0x400410 + 0x0000000000400469 <+41>: xor %eax,%eax + 0x000000000040046b <+43>: add $0x28,%rsp + 0x000000000040046f <+47>: retq + End of assembler dump. + +With := barrier(): + + (gdb) disassemble main + Dump of assembler code for function main: + [...] + 0x0000000000400464 <+36>: callq 0x400410 + 0x0000000000400469 <+41>: movq $0x0,(%rsp) + 0x0000000000400471 <+49>: movq $0x0,0x8(%rsp) + 0x000000000040047a <+58>: movl $0x0,0x10(%rsp) + 0x0000000000400482 <+66>: xor %eax,%eax + 0x0000000000400484 <+68>: add $0x28,%rsp + 0x0000000000400488 <+72>: retq + End of assembler dump. + +As can be seen, movq, movq, movl are being emitted inlined +via memset(). + +Reference: http://thread.gmane.org/gmane.linux.kernel.cryptoapi/13764/ +Fixes: d4c5efdb9777 ("random: add and use memzero_explicit() for clearing data") +Cc: Theodore Ts'o +Signed-off-by: mancha security +Signed-off-by: Daniel Borkmann +Acked-by: Hannes Frederic Sowa +Acked-by: Stephan Mueller +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + lib/string.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/string.c ++++ b/lib/string.c +@@ -607,7 +607,7 @@ EXPORT_SYMBOL(memset); + void memzero_explicit(void *s, size_t count) + { + memset(s, 0, count); +- OPTIMIZER_HIDE_VAR(s); ++ barrier(); + } + EXPORT_SYMBOL(memzero_explicit); + diff --git a/queue-4.0/mac80211-send-ap-probe-as-unicast-again.patch b/queue-4.0/mac80211-send-ap-probe-as-unicast-again.patch new file mode 100644 index 00000000000..2120275fce8 --- /dev/null +++ b/queue-4.0/mac80211-send-ap-probe-as-unicast-again.patch @@ -0,0 +1,34 @@ +From a73f8e21f3f93159bc19e154e8f50891c22c11db Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Sat, 21 Mar 2015 07:41:04 +0100 +Subject: mac80211: send AP probe as unicast again + +From: Johannes Berg + +commit a73f8e21f3f93159bc19e154e8f50891c22c11db upstream. + +Louis reported that a static checker was complaining that +the 'dst' variable was set (multiple times) but not used. +This is due to a previous commit having removed the usage +(apparently erroneously), so add it back. + +Fixes: a344d6778a98 ("mac80211: allow drivers to support NL80211_SCAN_FLAG_RANDOM_ADDR") +Reported-by: Louis Langholtz +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/mlme.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -2260,7 +2260,7 @@ static void ieee80211_mgd_probe_ap_send( + else + ssid_len = ssid[1]; + +- ieee80211_send_probe_req(sdata, sdata->vif.addr, NULL, ++ ieee80211_send_probe_req(sdata, sdata->vif.addr, dst, + ssid + 2, ssid_len, NULL, + 0, (u32) -1, true, 0, + ifmgd->associated->channel, false); diff --git a/queue-4.0/memstick-mspro_block-add-missing-curly-braces.patch b/queue-4.0/memstick-mspro_block-add-missing-curly-braces.patch new file mode 100644 index 00000000000..65f10669d4d --- /dev/null +++ b/queue-4.0/memstick-mspro_block-add-missing-curly-braces.patch @@ -0,0 +1,43 @@ +From 13f6b191aaa11c7fd718d35a0c565f3c16bc1d99 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 16 Apr 2015 12:48:35 -0700 +Subject: memstick: mspro_block: add missing curly braces + +From: Dan Carpenter + +commit 13f6b191aaa11c7fd718d35a0c565f3c16bc1d99 upstream. + +Using the indenting we can see the curly braces were obviously intended. +This is a static checker fix, but my guess is that we don't read enough +bytes, because we don't calculate "t_len" correctly. + +Fixes: f1d82698029b ('memstick: use fully asynchronous request processing') +Signed-off-by: Dan Carpenter +Cc: Alex Dubov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/memstick/core/mspro_block.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/memstick/core/mspro_block.c ++++ b/drivers/memstick/core/mspro_block.c +@@ -758,7 +758,7 @@ static int mspro_block_complete_req(stru + + if (error || (card->current_mrq.tpc == MSPRO_CMD_STOP)) { + if (msb->data_dir == READ) { +- for (cnt = 0; cnt < msb->current_seg; cnt++) ++ for (cnt = 0; cnt < msb->current_seg; cnt++) { + t_len += msb->req_sg[cnt].length + / msb->page_size; + +@@ -766,6 +766,7 @@ static int mspro_block_complete_req(stru + t_len += msb->current_page - 1; + + t_len *= msb->page_size; ++ } + } + } else + t_len = blk_rq_bytes(msb->block_req); diff --git a/queue-4.0/mm-thp-really-limit-transparent-hugepage-allocation-to-local-node.patch b/queue-4.0/mm-thp-really-limit-transparent-hugepage-allocation-to-local-node.patch new file mode 100644 index 00000000000..126a89a302f --- /dev/null +++ b/queue-4.0/mm-thp-really-limit-transparent-hugepage-allocation-to-local-node.patch @@ -0,0 +1,87 @@ +From 5265047ac30191ea24b16503165000c225f54feb Mon Sep 17 00:00:00 2001 +From: David Rientjes +Date: Tue, 14 Apr 2015 15:46:58 -0700 +Subject: mm, thp: really limit transparent hugepage allocation to local node + +From: David Rientjes + +commit 5265047ac30191ea24b16503165000c225f54feb upstream. + +Commit 077fcf116c8c ("mm/thp: allocate transparent hugepages on local +node") restructured alloc_hugepage_vma() with the intent of only +allocating transparent hugepages locally when there was not an effective +interleave mempolicy. + +alloc_pages_exact_node() does not limit the allocation to the single node, +however, but rather prefers it. This is because __GFP_THISNODE is not set +which would cause the node-local nodemask to be passed. Without it, only +a nodemask that prefers the local node is passed. + +Fix this by passing __GFP_THISNODE and falling back to small pages when +the allocation fails. + +Commit 9f1b868a13ac ("mm: thp: khugepaged: add policy for finding target +node") suffers from a similar problem for khugepaged, which is also fixed. + +Fixes: 077fcf116c8c ("mm/thp: allocate transparent hugepages on local node") +Fixes: 9f1b868a13ac ("mm: thp: khugepaged: add policy for finding target node") +Signed-off-by: David Rientjes +Acked-by: Vlastimil Babka +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: Joonsoo Kim +Cc: Johannes Weiner +Cc: Mel Gorman +Cc: Pravin Shelar +Cc: Jarno Rajahalme +Cc: Li Zefan +Cc: Greg Thelen +Cc: Tejun Heo +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/huge_memory.c | 9 +++++++-- + mm/mempolicy.c | 3 ++- + 2 files changed, 9 insertions(+), 3 deletions(-) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2316,8 +2316,14 @@ static struct page + struct vm_area_struct *vma, unsigned long address, + int node) + { ++ gfp_t flags; ++ + VM_BUG_ON_PAGE(*hpage, *hpage); + ++ /* Only allocate from the target node */ ++ flags = alloc_hugepage_gfpmask(khugepaged_defrag(), __GFP_OTHER_NODE) | ++ __GFP_THISNODE; ++ + /* + * Before allocating the hugepage, release the mmap_sem read lock. + * The allocation can take potentially a long time if it involves +@@ -2326,8 +2332,7 @@ static struct page + */ + up_read(&mm->mmap_sem); + +- *hpage = alloc_pages_exact_node(node, alloc_hugepage_gfpmask( +- khugepaged_defrag(), __GFP_OTHER_NODE), HPAGE_PMD_ORDER); ++ *hpage = alloc_pages_exact_node(node, flags, HPAGE_PMD_ORDER); + if (unlikely(!*hpage)) { + count_vm_event(THP_COLLAPSE_ALLOC_FAILED); + *hpage = ERR_PTR(-ENOMEM); +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -1985,7 +1985,8 @@ retry_cpuset: + nmask = policy_nodemask(gfp, pol); + if (!nmask || node_isset(node, *nmask)) { + mpol_cond_put(pol); +- page = alloc_pages_exact_node(node, gfp, order); ++ page = alloc_pages_exact_node(node, ++ gfp | __GFP_THISNODE, order); + goto out; + } + } diff --git a/queue-4.0/series b/queue-4.0/series index c8bacbe5065..ba87618185e 100644 --- a/queue-4.0/series +++ b/queue-4.0/series @@ -206,3 +206,13 @@ nfs-remove-warn_on_once-from-nfs_direct_good_bytes.patch nfs-add-a-stub-for-getdevicelist.patch iommu-vt-d-allow-rmrr-on-graphics-devices-too.patch sched-deadline-always-enqueue-on-previous-rq-when-dl_task_timer-fires.patch +e1000-add-dummy-allocator-to-fix-race-condition-between-mtu-change-and-netpoll.patch +mac80211-send-ap-probe-as-unicast-again.patch +ebpf-verifier-check-that-call-reg-with-arg_anything-is-initialized.patch +mm-thp-really-limit-transparent-hugepage-allocation-to-local-node.patch +lib-memzero_explicit-use-barrier-instead-of-optimizer_hide_var.patch +wl18xx-show-rx_frames_per_rates-as-an-array-as-it-really-is.patch +crypto-omap-aes-fix-support-for-unequal-lengths.patch +c6x-time-ensure-consistency-in-__init.patch +memstick-mspro_block-add-missing-curly-braces.patch +drivers-platform-parse-irq-flags-from-resources.patch diff --git a/queue-4.0/wl18xx-show-rx_frames_per_rates-as-an-array-as-it-really-is.patch b/queue-4.0/wl18xx-show-rx_frames_per_rates-as-an-array-as-it-really-is.patch new file mode 100644 index 00000000000..755932ad04a --- /dev/null +++ b/queue-4.0/wl18xx-show-rx_frames_per_rates-as-an-array-as-it-really-is.patch @@ -0,0 +1,52 @@ +From a3fa71c40f1853d0c27e8f5bc01a722a705d9682 Mon Sep 17 00:00:00 2001 +From: Nicolas Iooss +Date: Fri, 13 Mar 2015 15:17:14 +0800 +Subject: wl18xx: show rx_frames_per_rates as an array as it really is + +From: Nicolas Iooss + +commit a3fa71c40f1853d0c27e8f5bc01a722a705d9682 upstream. + +In struct wl18xx_acx_rx_rate_stat, rx_frames_per_rates field is an +array, not a number. This means WL18XX_DEBUGFS_FWSTATS_FILE can't be +used to display this field in debugfs (it would display a pointer, not +the actual data). Use WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY instead. + +This bug has been found by adding a __printf attribute to +wl1271_format_buffer. gcc complained about "format '%u' expects +argument of type 'unsigned int', but argument 5 has type 'u32 *'". + +Fixes: c5d94169e818 ("wl18xx: use new fw stats structures") +Signed-off-by: Nicolas Iooss +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ti/wl18xx/debugfs.c | 2 +- + drivers/net/wireless/ti/wlcore/debugfs.h | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ti/wl18xx/debugfs.c ++++ b/drivers/net/wireless/ti/wl18xx/debugfs.c +@@ -139,7 +139,7 @@ WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, p + WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, accum_arp_pend_requests, "%u"); + WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, max_arp_queue_dep, "%u"); + +-WL18XX_DEBUGFS_FWSTATS_FILE(rx_rate, rx_frames_per_rates, "%u"); ++WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY(rx_rate, rx_frames_per_rates, 50); + + WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY(aggr_size, tx_agg_vs_rate, + AGGR_STATS_TX_AGG*AGGR_STATS_TX_RATE); +--- a/drivers/net/wireless/ti/wlcore/debugfs.h ++++ b/drivers/net/wireless/ti/wlcore/debugfs.h +@@ -26,8 +26,8 @@ + + #include "wlcore.h" + +-int wl1271_format_buffer(char __user *userbuf, size_t count, +- loff_t *ppos, char *fmt, ...); ++__printf(4, 5) int wl1271_format_buffer(char __user *userbuf, size_t count, ++ loff_t *ppos, char *fmt, ...); + + int wl1271_debugfs_init(struct wl1271 *wl); + void wl1271_debugfs_exit(struct wl1271 *wl);