From: Greg Kroah-Hartman Date: Fri, 6 Nov 2015 00:39:25 +0000 (-0800) Subject: 4.2-stable patches X-Git-Tag: v3.10.93~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f514fb28c8d578741cfca587c513cb4cc31b4d9f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.2-stable patches added patches: alsa-hda-fix-deadlock-at-error-in-building-pcm.patch alsa-hda-fix-inverted-internal-mic-on-lenovo-g50-80.patch alsa-hdac-explicitly-add-io.h.patch asoc-add-info-callback-for-sx_tlv-controls.patch asoc-wm8904-correct-number-of-eq-registers.patch bus-arm-ccn-fix-irq-affinity-setting-on-cpu-migration.patch drm-amdgpu-add-missing-dpm-check-for-kv-dpm-late-init.patch drm-amdgpu-don-t-try-to-recreate-sysfs-entries-on-resume.patch drm-correct-arguments-to-list_tail_add-in-create-blob-ioctl.patch drm-crtc-integer-overflow-in-drm_property_create_blob.patch drm-fix-mutex-leak-in-drm_dp_get_mst_branch_device.patch drm-i915-deny-wrapping-an-userptr-into-a-framebuffer.patch drm-i915-flush-pipecontrol-post-sync-writes.patch drm-i915-restore-lost-dpll-register-write-on-gen2-4.patch drm-nouveau-gem-return-only-valid-domain-when-there-s-only-one.patch drm-radeon-don-t-try-to-recreate-sysfs-entries-on-resume.patch drm-radeon-dpm-don-t-add-pwm-attributes-if-dpm-is-disabled.patch drm-radeon-fix-dpms-when-driver-backlight-control-is-disabled.patch drm-radeon-move-bl-encoder-assignment-into-bl-init.patch fault-inject-fix-inverted-interval-probability-values-in-printk.patch iommu-amd-don-t-clear-dte-flags-when-modifying-it.patch iommu-amd-fix-bug-when-faulting-a-prot_none-vma.patch iommu-vt-d-fix-range-computation-when-making-room-for-large-pages.patch iwlwifi-mvm-clear-csa-countdown-when-ap-is-stopped.patch iwlwifi-mvm-fix-d3-ccmp-tx-pn-assignment.patch iwlwifi-mvm-fix-d3-firmware-pn-programming.patch iwlwifi-mvm-flush-fw_dump_wk-when-mvm-fails-to-start.patch iwlwifi-mvm-init-card-correctly-on-ctkill-exit-check.patch iwlwifi-pci-add-a-few-more-pci-subvendor-ids-for-the-7265-series.patch kvm-arm-use-gic-support-unconditionally.patch m88ds3103-use-own-reg-update_bits-implementation.patch mm-make-sendfile-2-killable.patch powerpc-rtas-validate-rtas.entry-before-calling-enter_rtas.patch rtl28xxu-fix-control-message-flaws.patch rtlwifi-rtl8821ae-fix-system-lockups-on-boot.patch si2157-bounds-check-firmware.patch si2168-bounds-check-firmware.patch tracing-have-stack-tracer-force-rcu-to-be-watching.patch x86-efi-fix-multiple-gop-device-support.patch x86-ioapic-prevent-null-pointer-dereference-in-setup_ioapic_dest.patch x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch --- diff --git a/queue-4.2/alsa-hda-fix-deadlock-at-error-in-building-pcm.patch b/queue-4.2/alsa-hda-fix-deadlock-at-error-in-building-pcm.patch new file mode 100644 index 00000000000..eff6ddb96f1 --- /dev/null +++ b/queue-4.2/alsa-hda-fix-deadlock-at-error-in-building-pcm.patch @@ -0,0 +1,65 @@ +From d289619a219dd01e255d7b5e30f9171b25efea48 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 20 Oct 2015 16:23:55 +0200 +Subject: ALSA: hda - Fix deadlock at error in building PCM + +From: Takashi Iwai + +commit d289619a219dd01e255d7b5e30f9171b25efea48 upstream. + +The HDA codec driver issues snd_hda_codec_reset() at the error path of +PCM build. This was needed in the earlier code base, but the recent +rewrite to use the standard bus binding made this a deadlock: + modprobe D 0000000000000005 0 720 716 0x00000080 + Call Trace: + [] schedule+0x3e/0x90 + [] schedule_preempt_disabled+0x15/0x20 + [] __mutex_lock_slowpath+0xb5/0x120 + [] mutex_lock+0x1b/0x30 + [] device_release_driver+0x1b/0x30 + [] bus_remove_device+0x105/0x180 + [] device_del+0x139/0x260 + [] snd_hdac_device_unregister+0x25/0x30 [snd_hda_core] + [] snd_hda_codec_reset+0x2a/0x70 [snd_hda_codec] + [] snd_hda_codec_build_pcms+0x18b/0x1b0 [snd_hda_codec] + [] hda_codec_driver_probe+0xbe/0x140 [snd_hda_codec] + [] driver_probe_device+0x1f4/0x460 + [] __driver_attach+0x90/0xa0 + [] bus_for_each_dev+0x64/0xa0 + [] driver_attach+0x1e/0x20 + [] bus_add_driver+0x1eb/0x280 + [] driver_register+0x60/0xe0 + [] __hda_codec_driver_register+0x5a/0x60 [snd_hda_codec] + [] realtek_driver_init+0x1e/0x1000 [snd_hda_codec_realtek] + [] do_one_initcall+0xb3/0x200 + [] do_init_module+0x60/0x1f8 + [] load_module+0x1653/0x1bd0 + [] SYSC_finit_module+0x98/0xc0 + [] SyS_finit_module+0xe/0x10 + [] entry_SYSCALL_64_fastpath+0x16/0x75 + +The simple fix is just to remove this call, since we don't need to +think about unbinding at there any longer. + +Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=948758 +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_codec.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -3438,10 +3438,8 @@ int snd_hda_codec_build_pcms(struct hda_ + int dev, err; + + err = snd_hda_codec_parse_pcms(codec); +- if (err < 0) { +- snd_hda_codec_reset(codec); ++ if (err < 0) + return err; +- } + + /* attach a new PCM streams */ + list_for_each_entry(cpcm, &codec->pcm_list_head, list) { diff --git a/queue-4.2/alsa-hda-fix-inverted-internal-mic-on-lenovo-g50-80.patch b/queue-4.2/alsa-hda-fix-inverted-internal-mic-on-lenovo-g50-80.patch new file mode 100644 index 00000000000..2e94dc87199 --- /dev/null +++ b/queue-4.2/alsa-hda-fix-inverted-internal-mic-on-lenovo-g50-80.patch @@ -0,0 +1,34 @@ +From e8d65a8d985271a102f07c7456da5b86c19ffe16 Mon Sep 17 00:00:00 2001 +From: David Henningsson +Date: Tue, 13 Oct 2015 10:10:18 +0200 +Subject: ALSA: hda - Fix inverted internal mic on Lenovo G50-80 + +From: David Henningsson + +commit e8d65a8d985271a102f07c7456da5b86c19ffe16 upstream. + +Add the appropriate quirk to indicate the Lenovo G50-80 has a stereo +mic input where one channel has reverse polarity. + +Alsa-info available at: +https://launchpadlibrarian.net/220846272/AlsaInfo.txt + +BugLink: https://bugs.launchpad.net/bugs/1504778 +Signed-off-by: David Henningsson +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -819,6 +819,7 @@ static const struct snd_pci_quirk cxt506 + SND_PCI_QUIRK(0x17aa, 0x21da, "Lenovo X220", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x21db, "Lenovo X220-tablet", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo IdeaPad Z560", CXT_FIXUP_MUTE_LED_EAPD), ++ SND_PCI_QUIRK(0x17aa, 0x390b, "Lenovo G50-80", CXT_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x17aa, 0x3975, "Lenovo U300s", CXT_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x17aa, 0x397b, "Lenovo S205", CXT_FIXUP_STEREO_DMIC), diff --git a/queue-4.2/alsa-hdac-explicitly-add-io.h.patch b/queue-4.2/alsa-hdac-explicitly-add-io.h.patch new file mode 100644 index 00000000000..bf7bbf4d840 --- /dev/null +++ b/queue-4.2/alsa-hdac-explicitly-add-io.h.patch @@ -0,0 +1,46 @@ +From 42f2bb1c494543084b764e1ca253c73db910daf2 Mon Sep 17 00:00:00 2001 +From: Vinod Koul +Date: Tue, 13 Oct 2015 14:57:49 +0530 +Subject: ALSA: hdac: Explicitly add io.h + +From: Vinod Koul + +commit 42f2bb1c494543084b764e1ca253c73db910daf2 upstream. + +Compiling the hdac extended core on arm fails with below error: + + sound/hda/ext/hdac_ext_bus.c: In function 'hdac_ext_writel': +>> sound/hda/ext/hdac_ext_bus.c:29:2: error: implicit declaration of +>> function ++'writel' [-Werror=implicit-function-declaration] + writel(value, addr); + ^ + sound/hda/ext/hdac_ext_bus.c: In function 'hdac_ext_readl': +>> sound/hda/ext/hdac_ext_bus.c:34:2: error: implicit declaration of +>> function ++'readl' [-Werror=implicit-function-declaration] + return readl(addr); + +This is fixed by explicitly including io.h + +Fixes: 99463b3a3994 - ('ALSA: hda: provide default bus io ops extended hdac') +Reported-by: kbuild test robot +Suggested-by: Mark Brown +Signed-off-by: Vinod Koul +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/hda/ext/hdac_ext_bus.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/hda/ext/hdac_ext_bus.c ++++ b/sound/hda/ext/hdac_ext_bus.c +@@ -19,6 +19,7 @@ + + #include + #include ++#include + #include + + MODULE_DESCRIPTION("HDA extended core"); diff --git a/queue-4.2/asoc-add-info-callback-for-sx_tlv-controls.patch b/queue-4.2/asoc-add-info-callback-for-sx_tlv-controls.patch new file mode 100644 index 00000000000..808ce720a7d --- /dev/null +++ b/queue-4.2/asoc-add-info-callback-for-sx_tlv-controls.patch @@ -0,0 +1,102 @@ +From 34198710f55b5f359f43e67d9a08fe5aadfbca1b Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Wed, 14 Oct 2015 13:31:24 +0100 +Subject: ASoC: Add info callback for SX_TLV controls + +From: Charles Keepax + +commit 34198710f55b5f359f43e67d9a08fe5aadfbca1b upstream. + +SX_TLV controls are intended for situations where the register behind +the control has some non-zero value indicating the minimum gain +and then gains increasing from there and eventually overflowing through +zero. + +Currently every CODEC implementing these controls specifies the minimum +as the non-zero value for the minimum and the maximum as the number of +gain settings available. + +This means when the info callback subtracts the minimum value from the +maximum value to calculate the number of gain levels available it is +actually under reporting the available levels. This patch fixes this +issue by adding a new snd_soc_info_volsw_sx callback that does not +subtract the minimum value. + +Fixes: 1d99f2436d0d ("ASoC: core: Rework SOC_DOUBLE_R_SX_TLV add SOC_SINGLE_SX_TLV") +Signed-off-by: Charles Keepax +Acked-by: Brian Austin +Tested-by: Brian Austin +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + include/sound/soc.h | 6 ++++-- + sound/soc/soc-ops.c | 28 ++++++++++++++++++++++++++++ + 2 files changed, 32 insertions(+), 2 deletions(-) + +--- a/include/sound/soc.h ++++ b/include/sound/soc.h +@@ -86,7 +86,7 @@ + .access = SNDRV_CTL_ELEM_ACCESS_TLV_READ | \ + SNDRV_CTL_ELEM_ACCESS_READWRITE, \ + .tlv.p = (tlv_array),\ +- .info = snd_soc_info_volsw, \ ++ .info = snd_soc_info_volsw_sx, \ + .get = snd_soc_get_volsw_sx,\ + .put = snd_soc_put_volsw_sx, \ + .private_value = (unsigned long)&(struct soc_mixer_control) \ +@@ -156,7 +156,7 @@ + .access = SNDRV_CTL_ELEM_ACCESS_TLV_READ | \ + SNDRV_CTL_ELEM_ACCESS_READWRITE, \ + .tlv.p = (tlv_array), \ +- .info = snd_soc_info_volsw, \ ++ .info = snd_soc_info_volsw_sx, \ + .get = snd_soc_get_volsw_sx, \ + .put = snd_soc_put_volsw_sx, \ + .private_value = (unsigned long)&(struct soc_mixer_control) \ +@@ -573,6 +573,8 @@ int snd_soc_put_enum_double(struct snd_k + struct snd_ctl_elem_value *ucontrol); + int snd_soc_info_volsw(struct snd_kcontrol *kcontrol, + struct snd_ctl_elem_info *uinfo); ++int snd_soc_info_volsw_sx(struct snd_kcontrol *kcontrol, ++ struct snd_ctl_elem_info *uinfo); + #define snd_soc_info_bool_ext snd_ctl_boolean_mono_info + int snd_soc_get_volsw(struct snd_kcontrol *kcontrol, + struct snd_ctl_elem_value *ucontrol); +--- a/sound/soc/soc-ops.c ++++ b/sound/soc/soc-ops.c +@@ -207,6 +207,34 @@ int snd_soc_info_volsw(struct snd_kcontr + EXPORT_SYMBOL_GPL(snd_soc_info_volsw); + + /** ++ * snd_soc_info_volsw_sx - Mixer info callback for SX TLV controls ++ * @kcontrol: mixer control ++ * @uinfo: control element information ++ * ++ * Callback to provide information about a single mixer control, or a double ++ * mixer control that spans 2 registers of the SX TLV type. SX TLV controls ++ * have a range that represents both positive and negative values either side ++ * of zero but without a sign bit. ++ * ++ * Returns 0 for success. ++ */ ++int snd_soc_info_volsw_sx(struct snd_kcontrol *kcontrol, ++ struct snd_ctl_elem_info *uinfo) ++{ ++ struct soc_mixer_control *mc = ++ (struct soc_mixer_control *)kcontrol->private_value; ++ ++ snd_soc_info_volsw(kcontrol, uinfo); ++ /* Max represents the number of levels in an SX control not the ++ * maximum value, so add the minimum value back on ++ */ ++ uinfo->value.integer.max += mc->min; ++ ++ return 0; ++} ++EXPORT_SYMBOL_GPL(snd_soc_info_volsw_sx); ++ ++/** + * snd_soc_get_volsw - single mixer get callback + * @kcontrol: mixer control + * @ucontrol: control element information diff --git a/queue-4.2/asoc-wm8904-correct-number-of-eq-registers.patch b/queue-4.2/asoc-wm8904-correct-number-of-eq-registers.patch new file mode 100644 index 00000000000..a746b09a651 --- /dev/null +++ b/queue-4.2/asoc-wm8904-correct-number-of-eq-registers.patch @@ -0,0 +1,32 @@ +From 97aff2c03a1e4d343266adadb52313613efb027f Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Tue, 20 Oct 2015 10:25:58 +0100 +Subject: ASoC: wm8904: Correct number of EQ registers + +From: Charles Keepax + +commit 97aff2c03a1e4d343266adadb52313613efb027f upstream. + +There are 24 EQ registers not 25, I suspect this bug came about because +the registers start at EQ1 not zero. The bug is relatively harmless as +the extra register written is an unused one. + +Signed-off-by: Charles Keepax +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + include/sound/wm8904.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/sound/wm8904.h ++++ b/include/sound/wm8904.h +@@ -119,7 +119,7 @@ + #define WM8904_MIC_REGS 2 + #define WM8904_GPIO_REGS 4 + #define WM8904_DRC_REGS 4 +-#define WM8904_EQ_REGS 25 ++#define WM8904_EQ_REGS 24 + + /** + * DRC configurations are specified with a label and a set of register diff --git a/queue-4.2/bus-arm-ccn-fix-irq-affinity-setting-on-cpu-migration.patch b/queue-4.2/bus-arm-ccn-fix-irq-affinity-setting-on-cpu-migration.patch new file mode 100644 index 00000000000..b2af4b21b39 --- /dev/null +++ b/queue-4.2/bus-arm-ccn-fix-irq-affinity-setting-on-cpu-migration.patch @@ -0,0 +1,35 @@ +From a0bcbe969f564d1ec08658170dda72a1b7e9053a Mon Sep 17 00:00:00 2001 +From: Pawel Moll +Date: Thu, 15 Oct 2015 14:32:46 +0100 +Subject: bus: arm-ccn: Fix irq affinity setting on CPU migration + +From: Pawel Moll + +commit a0bcbe969f564d1ec08658170dda72a1b7e9053a upstream. + +When PMU context is migrating between CPUs, interrupt affinity is set as +well. Only this should not happen when the CCN interrupt is not being +used at all (the driver is using a hrtimer tick instead). + +Fixed now. + +Signed-off-by: Pawel Moll +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bus/arm-ccn.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/bus/arm-ccn.c ++++ b/drivers/bus/arm-ccn.c +@@ -1188,7 +1188,8 @@ static int arm_ccn_pmu_cpu_notifier(stru + break; + perf_pmu_migrate_context(&dt->pmu, cpu, target); + cpumask_set_cpu(target, &dt->cpu); +- WARN_ON(irq_set_affinity(ccn->irq, &dt->cpu) != 0); ++ if (ccn->irq) ++ WARN_ON(irq_set_affinity(ccn->irq, &dt->cpu) != 0); + default: + break; + } diff --git a/queue-4.2/drm-amdgpu-add-missing-dpm-check-for-kv-dpm-late-init.patch b/queue-4.2/drm-amdgpu-add-missing-dpm-check-for-kv-dpm-late-init.patch new file mode 100644 index 00000000000..0ea85aeb315 --- /dev/null +++ b/queue-4.2/drm-amdgpu-add-missing-dpm-check-for-kv-dpm-late-init.patch @@ -0,0 +1,30 @@ +From 677c884ff6370add1360e2b9558285355ebe2b36 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 19 Oct 2015 15:54:21 -0400 +Subject: drm/amdgpu: add missing dpm check for KV dpm late init + +From: Alex Deucher + +commit 677c884ff6370add1360e2b9558285355ebe2b36 upstream. + +Skip dpm late init if dpm is disabled. + +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/kv_dpm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c ++++ b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c +@@ -2997,6 +2997,9 @@ static int kv_dpm_late_init(void *handle + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + int ret; + ++ if (!amdgpu_dpm) ++ return 0; ++ + /* init the sysfs and debugfs files late */ + ret = amdgpu_pm_sysfs_init(adev); + if (ret) diff --git a/queue-4.2/drm-amdgpu-don-t-try-to-recreate-sysfs-entries-on-resume.patch b/queue-4.2/drm-amdgpu-don-t-try-to-recreate-sysfs-entries-on-resume.patch new file mode 100644 index 00000000000..88e563f1426 --- /dev/null +++ b/queue-4.2/drm-amdgpu-don-t-try-to-recreate-sysfs-entries-on-resume.patch @@ -0,0 +1,51 @@ +From c86f5ebfbd147d1a228ab89ee1658e18939bd7ad Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Fri, 23 Oct 2015 10:45:14 -0400 +Subject: drm/amdgpu: don't try to recreate sysfs entries on resume + +From: Alex Deucher + +commit c86f5ebfbd147d1a228ab89ee1658e18939bd7ad upstream. + +Fixes an error on resume caused by: +fa022a9b65d2886486a022fd66b20c823cd76ad9 + +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu.h | 1 + + drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c | 5 +++++ + 2 files changed, 6 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h +@@ -1583,6 +1583,7 @@ struct amdgpu_pm { + u8 fan_max_rpm; + /* dpm */ + bool dpm_enabled; ++ bool sysfs_initialized; + struct amdgpu_dpm dpm; + const struct firmware *fw; /* SMC firmware */ + uint32_t fw_version; +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c +@@ -693,6 +693,9 @@ int amdgpu_pm_sysfs_init(struct amdgpu_d + { + int ret; + ++ if (adev->pm.sysfs_initialized) ++ return 0; ++ + if (adev->pm.funcs->get_temperature == NULL) + return 0; + adev->pm.int_hwmon_dev = hwmon_device_register_with_groups(adev->dev, +@@ -721,6 +724,8 @@ int amdgpu_pm_sysfs_init(struct amdgpu_d + return ret; + } + ++ adev->pm.sysfs_initialized = true; ++ + return 0; + } + diff --git a/queue-4.2/drm-correct-arguments-to-list_tail_add-in-create-blob-ioctl.patch b/queue-4.2/drm-correct-arguments-to-list_tail_add-in-create-blob-ioctl.patch new file mode 100644 index 00000000000..04525b21de6 --- /dev/null +++ b/queue-4.2/drm-correct-arguments-to-list_tail_add-in-create-blob-ioctl.patch @@ -0,0 +1,43 @@ +From 8731b269f01e16193390c7276e70530366b8d626 Mon Sep 17 00:00:00 2001 +From: Maneet Singh +Date: Thu, 8 Oct 2015 10:10:24 -0400 +Subject: drm: Correct arguments to list_tail_add in create blob ioctl + +From: Maneet Singh + +commit 8731b269f01e16193390c7276e70530366b8d626 upstream. + +Arguments passed to list_add_tail were reversed resulting in deletion +of old blob property everytime the new one is added. + +Fixes + +commit e2f5d2ea479b9b2619965d43db70939589afe43a +Author: Daniel Stone +Date: Fri May 22 13:34:51 2015 +0100 + + drm/mode: Add user blob-creation ioctl + +Signed-off-by: Maneet Singh +[seanpaul tweaked commit subject a little] +Signed-off-by: Sean Paul +Reviewed-by: Daniel Stone +Reviewed-by: Jani Nikula +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_crtc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_crtc.c ++++ b/drivers/gpu/drm/drm_crtc.c +@@ -4573,7 +4573,7 @@ int drm_mode_createblob_ioctl(struct drm + * not associated with any file_priv. */ + mutex_lock(&dev->mode_config.blob_lock); + out_resp->blob_id = blob->base.id; +- list_add_tail(&file_priv->blobs, &blob->head_file); ++ list_add_tail(&blob->head_file, &file_priv->blobs); + mutex_unlock(&dev->mode_config.blob_lock); + + return 0; diff --git a/queue-4.2/drm-crtc-integer-overflow-in-drm_property_create_blob.patch b/queue-4.2/drm-crtc-integer-overflow-in-drm_property_create_blob.patch new file mode 100644 index 00000000000..81df210f836 --- /dev/null +++ b/queue-4.2/drm-crtc-integer-overflow-in-drm_property_create_blob.patch @@ -0,0 +1,33 @@ +From 9ac0934bbe52290e4e4c2a58ec41cab9b6ca8c96 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 29 Oct 2015 16:37:54 +0300 +Subject: drm: crtc: integer overflow in drm_property_create_blob() + +From: Dan Carpenter + +commit 9ac0934bbe52290e4e4c2a58ec41cab9b6ca8c96 upstream. + +The size here comes from the user via the ioctl, it is a number between +1-u32max so the addition here could overflow on 32 bit systems. + +Fixes: f453ba046074 ('DRM: add mode setting support') +Signed-off-by: Dan Carpenter +Reviewed-by: Daniel Stone +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_crtc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_crtc.c ++++ b/drivers/gpu/drm/drm_crtc.c +@@ -4221,7 +4221,7 @@ drm_property_create_blob(struct drm_devi + struct drm_property_blob *blob; + int ret; + +- if (!length) ++ if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob)) + return ERR_PTR(-EINVAL); + + blob = kzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); diff --git a/queue-4.2/drm-fix-mutex-leak-in-drm_dp_get_mst_branch_device.patch b/queue-4.2/drm-fix-mutex-leak-in-drm_dp_get_mst_branch_device.patch new file mode 100644 index 00000000000..adbc1850e75 --- /dev/null +++ b/queue-4.2/drm-fix-mutex-leak-in-drm_dp_get_mst_branch_device.patch @@ -0,0 +1,50 @@ +From 30730c7f5943b3beace1e29f7f1476e05de3da14 Mon Sep 17 00:00:00 2001 +From: Adam Richter +Date: Fri, 16 Oct 2015 03:33:02 -0700 +Subject: drm: fix mutex leak in drm_dp_get_mst_branch_device + +From: Adam Richter + +commit 30730c7f5943b3beace1e29f7f1476e05de3da14 upstream. + +In Linux 4.3-rc5, there is an error case in drm_dp_get_branch_device +that returns without releasing mgr->lock, resulting a spew of kernel +messages about a kernel work function possibly having leaked a mutex +and presumably more serious adverse consequences later. This patch +changes the error to "goto out" to unlock the mutex before returning. + +[airlied: grabbed from drm-next as it fixes something we've seen] + +Signed-off-by: Adam J. Richter +Signed-off-by: Daniel Vetter +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_dp_mst_topology.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -1193,17 +1193,18 @@ static struct drm_dp_mst_branch *drm_dp_ + + list_for_each_entry(port, &mstb->ports, next) { + if (port->port_num == port_num) { +- if (!port->mstb) { ++ mstb = port->mstb; ++ if (!mstb) { + DRM_ERROR("failed to lookup MSTB with lct %d, rad %02x\n", lct, rad[0]); +- return NULL; ++ goto out; + } + +- mstb = port->mstb; + break; + } + } + } + kref_get(&mstb->kref); ++out: + mutex_unlock(&mgr->lock); + return mstb; + } diff --git a/queue-4.2/drm-i915-deny-wrapping-an-userptr-into-a-framebuffer.patch b/queue-4.2/drm-i915-deny-wrapping-an-userptr-into-a-framebuffer.patch new file mode 100644 index 00000000000..dc5f5a39a84 --- /dev/null +++ b/queue-4.2/drm-i915-deny-wrapping-an-userptr-into-a-framebuffer.patch @@ -0,0 +1,64 @@ +From cc917ab43541db3ff66d0136042686d40a1b4c9a Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Tue, 13 Oct 2015 14:22:26 +0100 +Subject: drm/i915: Deny wrapping an userptr into a framebuffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chris Wilson + +commit cc917ab43541db3ff66d0136042686d40a1b4c9a upstream. + +Pinning a userptr onto the hardware raises interesting questions about +the lifetime of such a surface as the framebuffer extends that life +beyond the client's address space. That is the hardware will need to +keep scanning out from the backing storage even after the client wants +to remap its address space. As the hardware pins the backing storage, +the userptr becomes invalid and this raises a WARN when the clients +tries to unmap its address space. The situation can be even more +complicated when the buffer is passed between processes, between a +client and display server, where the lifetime and hardware access is +even more confusing. Deny it. + +Signed-off-by: Chris Wilson +Cc: Daniel Vetter +Cc: Tvrtko Ursulin +Cc: Michał Winiarski +Reviewed-by: Tvrtko Ursulin +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_gem_userptr.c | 5 ++++- + drivers/gpu/drm/i915/intel_display.c | 5 +++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/i915_gem_userptr.c ++++ b/drivers/gpu/drm/i915/i915_gem_userptr.c +@@ -804,7 +804,10 @@ static const struct drm_i915_gem_object_ + * Also note, that the object created here is not currently a "first class" + * object, in that several ioctls are banned. These are the CPU access + * ioctls: mmap(), pwrite and pread. In practice, you are expected to use +- * direct access via your pointer rather than use those ioctls. ++ * direct access via your pointer rather than use those ioctls. Another ++ * restriction is that we do not allow userptr surfaces to be pinned to the ++ * hardware and so we reject any attempt to create a framebuffer out of a ++ * userptr. + * + * If you think this is a good interface to use to pass GPU memory between + * drivers, please use dma-buf instead. In fact, wherever possible use +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -14072,6 +14072,11 @@ static int intel_user_framebuffer_create + struct intel_framebuffer *intel_fb = to_intel_framebuffer(fb); + struct drm_i915_gem_object *obj = intel_fb->obj; + ++ if (obj->userptr.mm) { ++ DRM_DEBUG("attempting to use a userptr for a framebuffer, denied\n"); ++ return -EINVAL; ++ } ++ + return drm_gem_handle_create(file, &obj->base, handle); + } + diff --git a/queue-4.2/drm-i915-flush-pipecontrol-post-sync-writes.patch b/queue-4.2/drm-i915-flush-pipecontrol-post-sync-writes.patch new file mode 100644 index 00000000000..d906597748a --- /dev/null +++ b/queue-4.2/drm-i915-flush-pipecontrol-post-sync-writes.patch @@ -0,0 +1,61 @@ +From 40a24488f5250d63341e74b9994159afc4589606 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Fri, 21 Aug 2015 16:08:41 +0100 +Subject: drm/i915: Flush pipecontrol post-sync writes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chris Wilson + +commit 40a24488f5250d63341e74b9994159afc4589606 upstream. + +In order to flush the results from in-batch pipecontrol writes (used for +example in glQuery) before declaring the batch complete (and so declaring +the query results coherent), we need to set the FlushEnable bit in our +flushing pipecontrol. The FlushEnable bit "waits until all previous +writes of immediate data from post-sync circles are complete before +executing the next command". + +I get GPU hangs on byt without flushing these writes (running ue4). +piglit has examples where the flush is required for correct rendering. + +Signed-off-by: Chris Wilson +Reviewed-by: Ville Syrjälä +Acked-by: Daniel Vetter +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_lrc.c | 1 + + drivers/gpu/drm/i915/intel_ringbuffer.c | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/drivers/gpu/drm/i915/intel_lrc.c ++++ b/drivers/gpu/drm/i915/intel_lrc.c +@@ -1250,6 +1250,7 @@ static int gen8_emit_flush_render(struct + if (flush_domains) { + flags |= PIPE_CONTROL_RENDER_TARGET_CACHE_FLUSH; + flags |= PIPE_CONTROL_DEPTH_CACHE_FLUSH; ++ flags |= PIPE_CONTROL_FLUSH_ENABLE; + } + + if (invalidate_domains) { +--- a/drivers/gpu/drm/i915/intel_ringbuffer.c ++++ b/drivers/gpu/drm/i915/intel_ringbuffer.c +@@ -342,6 +342,7 @@ gen7_render_ring_flush(struct intel_engi + if (flush_domains) { + flags |= PIPE_CONTROL_RENDER_TARGET_CACHE_FLUSH; + flags |= PIPE_CONTROL_DEPTH_CACHE_FLUSH; ++ flags |= PIPE_CONTROL_FLUSH_ENABLE; + } + if (invalidate_domains) { + flags |= PIPE_CONTROL_TLB_INVALIDATE; +@@ -412,6 +413,7 @@ gen8_render_ring_flush(struct intel_engi + if (flush_domains) { + flags |= PIPE_CONTROL_RENDER_TARGET_CACHE_FLUSH; + flags |= PIPE_CONTROL_DEPTH_CACHE_FLUSH; ++ flags |= PIPE_CONTROL_FLUSH_ENABLE; + } + if (invalidate_domains) { + flags |= PIPE_CONTROL_TLB_INVALIDATE; diff --git a/queue-4.2/drm-i915-restore-lost-dpll-register-write-on-gen2-4.patch b/queue-4.2/drm-i915-restore-lost-dpll-register-write-on-gen2-4.patch new file mode 100644 index 00000000000..829ed99f889 --- /dev/null +++ b/queue-4.2/drm-i915-restore-lost-dpll-register-write-on-gen2-4.patch @@ -0,0 +1,42 @@ +From 8e7a65aa70bcc1235a44e40ae0da5056525fe081 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Wed, 7 Oct 2015 22:08:24 +0300 +Subject: drm/i915: Restore lost DPLL register write on gen2-4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= + +commit 8e7a65aa70bcc1235a44e40ae0da5056525fe081 upstream. + +We accidentally lost the initial DPLL register write in +1c4e02746147 drm/i915: Fix DVO 2x clock enable on 830M + +The "three times for luck" hack probably saved us from a total +disaster. But anyway, bring the initial write back so that the +code actually makes some sense. + +Reported-and-tested-by: Nick Bowler +References: http://mid.gmane.org/CAN_QmVyMaArxYgEcVVsGvsMo7-6ohZr8HmF5VhkkL4i9KOmrhw@mail.gmail.com +Cc: Nick Bowler +Signed-off-by: Ville Syrjälä +Reviewed-by: Daniel Vetter +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_display.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -1729,6 +1729,8 @@ static void i9xx_enable_pll(struct intel + I915_READ(DPLL(!crtc->pipe)) | DPLL_DVO_2X_MODE); + } + ++ I915_WRITE(reg, dpll); ++ + /* Wait for the clocks to stabilize. */ + POSTING_READ(reg); + udelay(150); diff --git a/queue-4.2/drm-nouveau-gem-return-only-valid-domain-when-there-s-only-one.patch b/queue-4.2/drm-nouveau-gem-return-only-valid-domain-when-there-s-only-one.patch new file mode 100644 index 00000000000..0a1a1e66646 --- /dev/null +++ b/queue-4.2/drm-nouveau-gem-return-only-valid-domain-when-there-s-only-one.patch @@ -0,0 +1,46 @@ +From 2a6c521bb41ce862e43db46f52e7681d33e8d771 Mon Sep 17 00:00:00 2001 +From: Ilia Mirkin +Date: Tue, 20 Oct 2015 01:15:39 -0400 +Subject: drm/nouveau/gem: return only valid domain when there's only one + +From: Ilia Mirkin + +commit 2a6c521bb41ce862e43db46f52e7681d33e8d771 upstream. + +On nv50+, we restrict the valid domains to just the one where the buffer +was originally created. However after the buffer is evicted to system +memory, we might move it back to a different domain that was not +originally valid. When sharing the buffer and retrieving its GEM_INFO +data, we still want the domain that will be valid for this buffer in a +pushbuf, not the one where it currently happens to be. + +This resolves fdo#92504 and several others. These are due to suspend +evicting all buffers, making it more likely that they temporarily end up +in the wrong place. + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92504 +Signed-off-by: Ilia Mirkin +Signed-off-by: Ben Skeggs +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/nouveau_gem.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nouveau_gem.c ++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c +@@ -227,11 +227,12 @@ nouveau_gem_info(struct drm_file *file_p + struct nouveau_bo *nvbo = nouveau_gem_object(gem); + struct nvkm_vma *vma; + +- if (nvbo->bo.mem.mem_type == TTM_PL_TT) ++ if (is_power_of_2(nvbo->valid_domains)) ++ rep->domain = nvbo->valid_domains; ++ else if (nvbo->bo.mem.mem_type == TTM_PL_TT) + rep->domain = NOUVEAU_GEM_DOMAIN_GART; + else + rep->domain = NOUVEAU_GEM_DOMAIN_VRAM; +- + rep->offset = nvbo->bo.offset; + if (cli->vm) { + vma = nouveau_bo_vma_find(nvbo, cli->vm); diff --git a/queue-4.2/drm-radeon-don-t-try-to-recreate-sysfs-entries-on-resume.patch b/queue-4.2/drm-radeon-don-t-try-to-recreate-sysfs-entries-on-resume.patch new file mode 100644 index 00000000000..19093615c70 --- /dev/null +++ b/queue-4.2/drm-radeon-don-t-try-to-recreate-sysfs-entries-on-resume.patch @@ -0,0 +1,88 @@ +From 49abb26651167c892393cd9f2ad23df429645ed9 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Fri, 23 Oct 2015 10:38:52 -0400 +Subject: drm/radeon: don't try to recreate sysfs entries on resume + +From: Alex Deucher + +commit 49abb26651167c892393cd9f2ad23df429645ed9 upstream. + +Fixes a harmless error message caused by: +51a4726b04e880fdd9b4e0e58b13f70b0a68a7f5 + +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon.h | 1 + + drivers/gpu/drm/radeon/radeon_pm.c | 35 +++++++++++++++++++++-------------- + 2 files changed, 22 insertions(+), 14 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon.h ++++ b/drivers/gpu/drm/radeon/radeon.h +@@ -1658,6 +1658,7 @@ struct radeon_pm { + u8 fan_max_rpm; + /* dpm */ + bool dpm_enabled; ++ bool sysfs_initialized; + struct radeon_dpm dpm; + }; + +--- a/drivers/gpu/drm/radeon/radeon_pm.c ++++ b/drivers/gpu/drm/radeon/radeon_pm.c +@@ -1533,19 +1533,23 @@ int radeon_pm_late_init(struct radeon_de + + if (rdev->pm.pm_method == PM_METHOD_DPM) { + if (rdev->pm.dpm_enabled) { +- ret = device_create_file(rdev->dev, &dev_attr_power_dpm_state); +- if (ret) +- DRM_ERROR("failed to create device file for dpm state\n"); +- ret = device_create_file(rdev->dev, &dev_attr_power_dpm_force_performance_level); +- if (ret) +- DRM_ERROR("failed to create device file for dpm state\n"); +- /* XXX: these are noops for dpm but are here for backwards compat */ +- ret = device_create_file(rdev->dev, &dev_attr_power_profile); +- if (ret) +- DRM_ERROR("failed to create device file for power profile\n"); +- ret = device_create_file(rdev->dev, &dev_attr_power_method); +- if (ret) +- DRM_ERROR("failed to create device file for power method\n"); ++ if (!rdev->pm.sysfs_initialized) { ++ ret = device_create_file(rdev->dev, &dev_attr_power_dpm_state); ++ if (ret) ++ DRM_ERROR("failed to create device file for dpm state\n"); ++ ret = device_create_file(rdev->dev, &dev_attr_power_dpm_force_performance_level); ++ if (ret) ++ DRM_ERROR("failed to create device file for dpm state\n"); ++ /* XXX: these are noops for dpm but are here for backwards compat */ ++ ret = device_create_file(rdev->dev, &dev_attr_power_profile); ++ if (ret) ++ DRM_ERROR("failed to create device file for power profile\n"); ++ ret = device_create_file(rdev->dev, &dev_attr_power_method); ++ if (ret) ++ DRM_ERROR("failed to create device file for power method\n"); ++ if (!ret) ++ rdev->pm.sysfs_initialized = true; ++ } + + mutex_lock(&rdev->pm.mutex); + ret = radeon_dpm_late_enable(rdev); +@@ -1561,7 +1565,8 @@ int radeon_pm_late_init(struct radeon_de + } + } + } else { +- if (rdev->pm.num_power_states > 1) { ++ if ((rdev->pm.num_power_states > 1) && ++ (!rdev->pm.sysfs_initialized)) { + /* where's the best place to put these? */ + ret = device_create_file(rdev->dev, &dev_attr_power_profile); + if (ret) +@@ -1569,6 +1574,8 @@ int radeon_pm_late_init(struct radeon_de + ret = device_create_file(rdev->dev, &dev_attr_power_method); + if (ret) + DRM_ERROR("failed to create device file for power method\n"); ++ if (!ret) ++ rdev->pm.sysfs_initialized = true; + } + } + return ret; diff --git a/queue-4.2/drm-radeon-dpm-don-t-add-pwm-attributes-if-dpm-is-disabled.patch b/queue-4.2/drm-radeon-dpm-don-t-add-pwm-attributes-if-dpm-is-disabled.patch new file mode 100644 index 00000000000..05aa7df4e26 --- /dev/null +++ b/queue-4.2/drm-radeon-dpm-don-t-add-pwm-attributes-if-dpm-is-disabled.patch @@ -0,0 +1,41 @@ +From 2a7d44f47f53fa1be677f44c73d78b1bcf9c05d9 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 19 Oct 2015 09:30:42 -0400 +Subject: drm/radeon/dpm: don't add pwm attributes if DPM is disabled + +From: Alex Deucher + +commit 2a7d44f47f53fa1be677f44c73d78b1bcf9c05d9 upstream. + +PWM fan control is only available with DPM. If DPM disabled, +don't expose the PWM fan controls to avoid a crash. + +Bug: +https://bugs.freedesktop.org/show_bug.cgi?id=92524 + +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_pm.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon_pm.c ++++ b/drivers/gpu/drm/radeon/radeon_pm.c +@@ -720,10 +720,14 @@ static umode_t hwmon_attributes_visible( + struct radeon_device *rdev = dev_get_drvdata(dev); + umode_t effective_mode = attr->mode; + +- /* Skip limit attributes if DPM is not enabled */ ++ /* Skip attributes if DPM is not enabled */ + if (rdev->pm.pm_method != PM_METHOD_DPM && + (attr == &sensor_dev_attr_temp1_crit.dev_attr.attr || +- attr == &sensor_dev_attr_temp1_crit_hyst.dev_attr.attr)) ++ attr == &sensor_dev_attr_temp1_crit_hyst.dev_attr.attr || ++ attr == &sensor_dev_attr_pwm1.dev_attr.attr || ++ attr == &sensor_dev_attr_pwm1_enable.dev_attr.attr || ++ attr == &sensor_dev_attr_pwm1_max.dev_attr.attr || ++ attr == &sensor_dev_attr_pwm1_min.dev_attr.attr)) + return 0; + + /* Skip fan attributes if fan is not present */ diff --git a/queue-4.2/drm-radeon-fix-dpms-when-driver-backlight-control-is-disabled.patch b/queue-4.2/drm-radeon-fix-dpms-when-driver-backlight-control-is-disabled.patch new file mode 100644 index 00000000000..9b9d366371a --- /dev/null +++ b/queue-4.2/drm-radeon-fix-dpms-when-driver-backlight-control-is-disabled.patch @@ -0,0 +1,61 @@ +From ae93580ee59c02395c1711d3e6b90546b8137b86 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 27 Oct 2015 10:56:44 -0400 +Subject: drm/radeon: fix dpms when driver backlight control is disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit ae93580ee59c02395c1711d3e6b90546b8137b86 upstream. + +If driver backlight control is disabled, either by driver +parameter or default per-asic setting, revert to the old behavior. + +Fixes a regression in commit: +4281f46ef839050d2ef60348f661eb463c21cc2e + +Reviewed-by: Michel Dänzer +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/atombios_encoders.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/radeon/atombios_encoders.c ++++ b/drivers/gpu/drm/radeon/atombios_encoders.c +@@ -1624,9 +1624,14 @@ radeon_atom_encoder_dpms_avivo(struct dr + } else + atom_execute_table(rdev->mode_info.atom_context, index, (uint32_t *)&args); + if (radeon_encoder->devices & (ATOM_DEVICE_LCD_SUPPORT)) { +- struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv; ++ if (rdev->mode_info.bl_encoder) { ++ struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv; + +- atombios_set_backlight_level(radeon_encoder, dig->backlight_level); ++ atombios_set_backlight_level(radeon_encoder, dig->backlight_level); ++ } else { ++ args.ucAction = ATOM_LCD_BLON; ++ atom_execute_table(rdev->mode_info.atom_context, index, (uint32_t *)&args); ++ } + } + break; + case DRM_MODE_DPMS_STANDBY: +@@ -1706,8 +1711,13 @@ radeon_atom_encoder_dpms_dig(struct drm_ + if (ASIC_IS_DCE4(rdev)) + atombios_dig_encoder_setup(encoder, ATOM_ENCODER_CMD_DP_VIDEO_ON, 0); + } +- if (radeon_encoder->devices & (ATOM_DEVICE_LCD_SUPPORT)) +- atombios_set_backlight_level(radeon_encoder, dig->backlight_level); ++ if (radeon_encoder->devices & (ATOM_DEVICE_LCD_SUPPORT)) { ++ if (rdev->mode_info.bl_encoder) ++ atombios_set_backlight_level(radeon_encoder, dig->backlight_level); ++ else ++ atombios_dig_transmitter_setup(encoder, ++ ATOM_TRANSMITTER_ACTION_LCD_BLON, 0, 0); ++ } + if (ext_encoder) + atombios_external_encoder_setup(encoder, ext_encoder, ATOM_ENABLE); + break; diff --git a/queue-4.2/drm-radeon-move-bl-encoder-assignment-into-bl-init.patch b/queue-4.2/drm-radeon-move-bl-encoder-assignment-into-bl-init.patch new file mode 100644 index 00000000000..79694234faf --- /dev/null +++ b/queue-4.2/drm-radeon-move-bl-encoder-assignment-into-bl-init.patch @@ -0,0 +1,55 @@ +From 4cee6a9057d5e13911f0cb6e143d11dc1a3245dd Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 28 Oct 2015 14:26:32 -0400 +Subject: drm/radeon: move bl encoder assignment into bl init +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit 4cee6a9057d5e13911f0cb6e143d11dc1a3245dd upstream. + +So that the bl encoder will be null if the GPU does not +control the backlight. + +Reviewed-by: Michel Dänzer +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/atombios_encoders.c | 1 + + drivers/gpu/drm/radeon/radeon_encoders.c | 1 - + drivers/gpu/drm/radeon/radeon_legacy_encoders.c | 1 + + 3 files changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/atombios_encoders.c ++++ b/drivers/gpu/drm/radeon/atombios_encoders.c +@@ -237,6 +237,7 @@ void radeon_atom_backlight_init(struct r + backlight_update_status(bd); + + DRM_INFO("radeon atom DIG backlight initialized\n"); ++ rdev->mode_info.bl_encoder = radeon_encoder; + + return; + +--- a/drivers/gpu/drm/radeon/radeon_encoders.c ++++ b/drivers/gpu/drm/radeon/radeon_encoders.c +@@ -194,7 +194,6 @@ static void radeon_encoder_add_backlight + radeon_atom_backlight_init(radeon_encoder, connector); + else + radeon_legacy_backlight_init(radeon_encoder, connector); +- rdev->mode_info.bl_encoder = radeon_encoder; + } + } + +--- a/drivers/gpu/drm/radeon/radeon_legacy_encoders.c ++++ b/drivers/gpu/drm/radeon/radeon_legacy_encoders.c +@@ -441,6 +441,7 @@ void radeon_legacy_backlight_init(struct + backlight_update_status(bd); + + DRM_INFO("radeon legacy LVDS backlight initialized\n"); ++ rdev->mode_info.bl_encoder = radeon_encoder; + + return; + diff --git a/queue-4.2/fault-inject-fix-inverted-interval-probability-values-in-printk.patch b/queue-4.2/fault-inject-fix-inverted-interval-probability-values-in-printk.patch new file mode 100644 index 00000000000..f4c60f97f9b --- /dev/null +++ b/queue-4.2/fault-inject-fix-inverted-interval-probability-values-in-printk.patch @@ -0,0 +1,32 @@ +From bb387002693ed28b2bb0408c5dec65521b71e5f1 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 22 Oct 2015 13:32:27 -0700 +Subject: fault-inject: fix inverted interval/probability values in printk + +From: Florian Westphal + +commit bb387002693ed28b2bb0408c5dec65521b71e5f1 upstream. + +interval displays the probability and vice versa. + +Fixes: 6adc4a22f20bb ("fault-inject: add ratelimit option") +Acked-by: Akinobu Mita +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + lib/fault-inject.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/fault-inject.c ++++ b/lib/fault-inject.c +@@ -44,7 +44,7 @@ static void fail_dump(struct fault_attr + printk(KERN_NOTICE "FAULT_INJECTION: forcing a failure.\n" + "name %pd, interval %lu, probability %lu, " + "space %d, times %d\n", attr->dname, +- attr->probability, attr->interval, ++ attr->interval, attr->probability, + atomic_read(&attr->space), + atomic_read(&attr->times)); + if (attr->verbose > 1) diff --git a/queue-4.2/iommu-amd-don-t-clear-dte-flags-when-modifying-it.patch b/queue-4.2/iommu-amd-don-t-clear-dte-flags-when-modifying-it.patch new file mode 100644 index 00000000000..6699cc0093c --- /dev/null +++ b/queue-4.2/iommu-amd-don-t-clear-dte-flags-when-modifying-it.patch @@ -0,0 +1,47 @@ +From cbf3ccd09d683abf1cacd36e3640872ee912d99b Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Tue, 20 Oct 2015 14:59:36 +0200 +Subject: iommu/amd: Don't clear DTE flags when modifying it + +From: Joerg Roedel + +commit cbf3ccd09d683abf1cacd36e3640872ee912d99b upstream. + +During device assignment/deassignment the flags in the DTE +get lost, which might cause spurious faults, for example +when the device tries to access the system management range. +Fix this by not clearing the flags with the rest of the DTE. + +Reported-by: G. Richard Bellamy +Tested-by: G. Richard Bellamy +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/amd_iommu.c | 4 ++-- + drivers/iommu/amd_iommu_types.h | 1 + + 2 files changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -1974,8 +1974,8 @@ static void set_dte_entry(u16 devid, str + static void clear_dte_entry(u16 devid) + { + /* remove entry from the device table seen by the hardware */ +- amd_iommu_dev_table[devid].data[0] = IOMMU_PTE_P | IOMMU_PTE_TV; +- amd_iommu_dev_table[devid].data[1] = 0; ++ amd_iommu_dev_table[devid].data[0] = IOMMU_PTE_P | IOMMU_PTE_TV; ++ amd_iommu_dev_table[devid].data[1] &= DTE_FLAG_MASK; + + amd_iommu_apply_erratum_63(devid); + } +--- a/drivers/iommu/amd_iommu_types.h ++++ b/drivers/iommu/amd_iommu_types.h +@@ -295,6 +295,7 @@ + #define IOMMU_PTE_IR (1ULL << 61) + #define IOMMU_PTE_IW (1ULL << 62) + ++#define DTE_FLAG_MASK (0x3ffULL << 32) + #define DTE_FLAG_IOTLB (0x01UL << 32) + #define DTE_FLAG_GV (0x01ULL << 55) + #define DTE_GLX_SHIFT (56) diff --git a/queue-4.2/iommu-amd-fix-bug-when-faulting-a-prot_none-vma.patch b/queue-4.2/iommu-amd-fix-bug-when-faulting-a-prot_none-vma.patch new file mode 100644 index 00000000000..f632358ae45 --- /dev/null +++ b/queue-4.2/iommu-amd-fix-bug-when-faulting-a-prot_none-vma.patch @@ -0,0 +1,45 @@ +From d14f6fced5f9360edca5a1325ddb7077aab1203b Mon Sep 17 00:00:00 2001 +From: Jay Cornwall +Date: Wed, 16 Sep 2015 14:10:03 -0500 +Subject: iommu/amd: Fix BUG when faulting a PROT_NONE VMA + +From: Jay Cornwall + +commit d14f6fced5f9360edca5a1325ddb7077aab1203b upstream. + +handle_mm_fault indirectly triggers a BUG in do_numa_page +when given a VMA without read/write/execute access. Check +this condition in do_fault. + +do_fault -> handle_mm_fault -> handle_pte_fault -> do_numa_page + + mm/memory.c + 3147 static int do_numa_page(struct mm_struct *mm, struct vm_area_struct *vma, + .... + 3159 /* A PROT_NONE fault should not end up here */ + 3160 BUG_ON(!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE))); + +Signed-off-by: Jay Cornwall +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/amd_iommu_v2.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/iommu/amd_iommu_v2.c ++++ b/drivers/iommu/amd_iommu_v2.c +@@ -516,6 +516,13 @@ static void do_fault(struct work_struct + goto out; + } + ++ if (!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE))) { ++ /* handle_mm_fault would BUG_ON() */ ++ up_read(&mm->mmap_sem); ++ handle_fault_error(fault); ++ goto out; ++ } ++ + ret = handle_mm_fault(mm, vma, address, write); + if (ret & VM_FAULT_ERROR) { + /* failed to service fault */ diff --git a/queue-4.2/iommu-vt-d-fix-range-computation-when-making-room-for-large-pages.patch b/queue-4.2/iommu-vt-d-fix-range-computation-when-making-room-for-large-pages.patch new file mode 100644 index 00000000000..708eb4ed3a8 --- /dev/null +++ b/queue-4.2/iommu-vt-d-fix-range-computation-when-making-room-for-large-pages.patch @@ -0,0 +1,63 @@ +From ba2374fd2bf379f933773811fdb06cb6a5445f41 Mon Sep 17 00:00:00 2001 +From: Christian Zander +Date: Wed, 10 Jun 2015 09:41:45 -0700 +Subject: iommu/vt-d: fix range computation when making room for large pages + +From: Christian Zander + +commit ba2374fd2bf379f933773811fdb06cb6a5445f41 upstream. + +In preparation for the installation of a large page, any small page +tables that may still exist in the target IOV address range are +removed. However, if a scatter/gather list entry is large enough to +fit more than one large page, the address space for any subsequent +large pages is not cleared of conflicting small page tables. + +This can cause legitimate mapping requests to fail with errors of the +form below, potentially followed by a series of IOMMU faults: + +ERROR: DMA PTE for vPFN 0xfde00 already set (to 7f83a4003 not 7e9e00083) + +In this example, a 4MiB scatter/gather list entry resulted in the +successful installation of a large page @ vPFN 0xfdc00, followed by +a failed attempt to install another large page @ vPFN 0xfde00, due to +the presence of a pointer to a small page table @ 0x7f83a4000. + +To address this problem, compute the number of large pages that fit +into a given scatter/gather list entry, and use it to derive the +last vPFN covered by the large page(s). + +Signed-off-by: Christian Zander +Signed-off-by: David Woodhouse +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/intel-iommu.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -2109,15 +2109,19 @@ static int __domain_mapping(struct dmar_ + return -ENOMEM; + /* It is large page*/ + if (largepage_lvl > 1) { ++ unsigned long nr_superpages, end_pfn; ++ + pteval |= DMA_PTE_LARGE_PAGE; + lvl_pages = lvl_to_nr_pages(largepage_lvl); ++ ++ nr_superpages = sg_res / lvl_pages; ++ end_pfn = iov_pfn + nr_superpages * lvl_pages - 1; ++ + /* + * Ensure that old small page tables are +- * removed to make room for superpage, +- * if they exist. ++ * removed to make room for superpage(s). + */ +- dma_pte_free_pagetable(domain, iov_pfn, +- iov_pfn + lvl_pages - 1); ++ dma_pte_free_pagetable(domain, iov_pfn, end_pfn); + } else { + pteval &= ~(uint64_t)DMA_PTE_LARGE_PAGE; + } diff --git a/queue-4.2/iwlwifi-mvm-clear-csa-countdown-when-ap-is-stopped.patch b/queue-4.2/iwlwifi-mvm-clear-csa-countdown-when-ap-is-stopped.patch new file mode 100644 index 00000000000..9c5c61b9bbe --- /dev/null +++ b/queue-4.2/iwlwifi-mvm-clear-csa-countdown-when-ap-is-stopped.patch @@ -0,0 +1,32 @@ +From e9cb0327b26dd7ba43a3b7a05b4b62219decf42d Mon Sep 17 00:00:00 2001 +From: Avraham Stern +Date: Mon, 31 Aug 2015 11:08:27 +0300 +Subject: iwlwifi: mvm: clear csa countdown when AP is stopped + +From: Avraham Stern + +commit e9cb0327b26dd7ba43a3b7a05b4b62219decf42d upstream. + +The csa_countdown flag was not cleared when the AP is stopped. +As a result, if the AP was stopped after csa_countdown had started, +all the folowing channel switch commands would fail. +Fix that by clearing the csa_countdown flag when the AP is stopped. + +Signed-off-by: Avraham Stern +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/mvm/mac80211.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/iwlwifi/mvm/mac80211.c +@@ -2373,6 +2373,7 @@ static void iwl_mvm_stop_ap_ibss(struct + iwl_mvm_remove_time_event(mvm, mvmvif, + &mvmvif->time_event_data); + RCU_INIT_POINTER(mvm->csa_vif, NULL); ++ mvmvif->csa_countdown = false; + } + + if (rcu_access_pointer(mvm->csa_tx_blocked_vif) == vif) { diff --git a/queue-4.2/iwlwifi-mvm-fix-d3-ccmp-tx-pn-assignment.patch b/queue-4.2/iwlwifi-mvm-fix-d3-ccmp-tx-pn-assignment.patch new file mode 100644 index 00000000000..eec95dbd8d3 --- /dev/null +++ b/queue-4.2/iwlwifi-mvm-fix-d3-ccmp-tx-pn-assignment.patch @@ -0,0 +1,72 @@ +From 6645d5e441db9121793421d477255f4242b3dbf3 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 15 Sep 2015 09:58:53 +0200 +Subject: iwlwifi: mvm: fix D3 CCMP TX PN assignment + +From: Johannes Berg + +commit 6645d5e441db9121793421d477255f4242b3dbf3 upstream. + +When going into/coming out of D3, the TX PN must be programmed into +and restored from the firmware respectively. The restore was broken +due to my previous commit to move PN assignment into the driver. +Sending the PN to the firmware still worked since we now use the +counter that's shared with mac80211, but accessing it through the +mac80211 API makes no sense now. + +Fix this by reading/writing the counter directly. This actually +simplifies the code since we don't need to round-trip through the +key_seq structure. + +Fixes: ca8c0f4bede6 ("iwlwifi: mvm: move TX PN assignment for CCMP to the driver") +Reported-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/mvm/d3.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +--- a/drivers/net/wireless/iwlwifi/mvm/d3.c ++++ b/drivers/net/wireless/iwlwifi/mvm/d3.c +@@ -274,18 +274,13 @@ static void iwl_mvm_wowlan_program_keys( + break; + case WLAN_CIPHER_SUITE_CCMP: + if (sta) { +- u8 *pn = seq.ccmp.pn; ++ u64 pn64; + + aes_sc = data->rsc_tsc->all_tsc_rsc.aes.unicast_rsc; + aes_tx_sc = &data->rsc_tsc->all_tsc_rsc.aes.tsc; + +- ieee80211_get_key_tx_seq(key, &seq); +- aes_tx_sc->pn = cpu_to_le64((u64)pn[5] | +- ((u64)pn[4] << 8) | +- ((u64)pn[3] << 16) | +- ((u64)pn[2] << 24) | +- ((u64)pn[1] << 32) | +- ((u64)pn[0] << 40)); ++ pn64 = atomic64_read(&key->tx_pn); ++ aes_tx_sc->pn = cpu_to_le64(pn64); + } else { + aes_sc = data->rsc_tsc->all_tsc_rsc.aes.multicast_rsc; + } +@@ -1446,15 +1441,15 @@ static void iwl_mvm_d3_update_gtks(struc + + switch (key->cipher) { + case WLAN_CIPHER_SUITE_CCMP: +- iwl_mvm_aes_sc_to_seq(&sc->aes.tsc, &seq); + iwl_mvm_set_aes_rx_seq(sc->aes.unicast_rsc, key); ++ atomic64_set(&key->tx_pn, le64_to_cpu(sc->aes.tsc.pn)); + break; + case WLAN_CIPHER_SUITE_TKIP: + iwl_mvm_tkip_sc_to_seq(&sc->tkip.tsc, &seq); + iwl_mvm_set_tkip_rx_seq(sc->tkip.unicast_rsc, key); ++ ieee80211_set_key_tx_seq(key, &seq); + break; + } +- ieee80211_set_key_tx_seq(key, &seq); + + /* that's it for this key */ + return; diff --git a/queue-4.2/iwlwifi-mvm-fix-d3-firmware-pn-programming.patch b/queue-4.2/iwlwifi-mvm-fix-d3-firmware-pn-programming.patch new file mode 100644 index 00000000000..f49a228df12 --- /dev/null +++ b/queue-4.2/iwlwifi-mvm-fix-d3-firmware-pn-programming.patch @@ -0,0 +1,44 @@ +From 2cf5eb3ab7bb7f2e3a70edcef236cd62c87db030 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 15 Sep 2015 14:36:09 +0200 +Subject: iwlwifi: mvm: fix D3 firmware PN programming + +From: Johannes Berg + +commit 2cf5eb3ab7bb7f2e3a70edcef236cd62c87db030 upstream. + +The code to send the RX PN data (for each TID) to the firmware +has a devastating bug: it overwrites the data for TID 0 with +all the TID data, leaving the remaining TIDs zeroed. This will +allow replays to actually be accepted by the firmware, which +could allow waking up the system. + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/mvm/d3.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/iwlwifi/mvm/d3.c ++++ b/drivers/net/wireless/iwlwifi/mvm/d3.c +@@ -293,12 +293,12 @@ static void iwl_mvm_wowlan_program_keys( + u8 *pn = seq.ccmp.pn; + + ieee80211_get_key_rx_seq(key, i, &seq); +- aes_sc->pn = cpu_to_le64((u64)pn[5] | +- ((u64)pn[4] << 8) | +- ((u64)pn[3] << 16) | +- ((u64)pn[2] << 24) | +- ((u64)pn[1] << 32) | +- ((u64)pn[0] << 40)); ++ aes_sc[i].pn = cpu_to_le64((u64)pn[5] | ++ ((u64)pn[4] << 8) | ++ ((u64)pn[3] << 16) | ++ ((u64)pn[2] << 24) | ++ ((u64)pn[1] << 32) | ++ ((u64)pn[0] << 40)); + } + data->use_rsc_tsc = true; + break; diff --git a/queue-4.2/iwlwifi-mvm-flush-fw_dump_wk-when-mvm-fails-to-start.patch b/queue-4.2/iwlwifi-mvm-flush-fw_dump_wk-when-mvm-fails-to-start.patch new file mode 100644 index 00000000000..8ffdffa0d47 --- /dev/null +++ b/queue-4.2/iwlwifi-mvm-flush-fw_dump_wk-when-mvm-fails-to-start.patch @@ -0,0 +1,33 @@ +From dbf73d4a8bb8f4e1d1f3edd3be825692279e2ef3 Mon Sep 17 00:00:00 2001 +From: Andrei Otcheretianski +Date: Wed, 30 Sep 2015 12:26:23 +0200 +Subject: iwlwifi: mvm: flush fw_dump_wk when mvm fails to start + +From: Andrei Otcheretianski + +commit dbf73d4a8bb8f4e1d1f3edd3be825692279e2ef3 upstream. + +FW dump may be triggered when running init ucode, for example due to a +sysassert. In this case fw_dump_wk may run after mvm is freed, resulting +in a kernel panic. +Fix it by flushing the work. + +Fixes: 01b988a708af ("iwlwifi: mvm: allow to collect debug data when restart is disabled") +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/mvm/ops.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/iwlwifi/mvm/ops.c ++++ b/drivers/net/wireless/iwlwifi/mvm/ops.c +@@ -582,6 +582,7 @@ iwl_op_mode_mvm_start(struct iwl_trans * + ieee80211_unregister_hw(mvm->hw); + iwl_mvm_leds_exit(mvm); + out_free: ++ flush_delayed_work(&mvm->fw_dump_wk); + iwl_phy_db_free(mvm->phy_db); + kfree(mvm->scan_cmd); + if (!cfg->no_power_up_nic_in_init || !mvm->nvm_file_name) diff --git a/queue-4.2/iwlwifi-mvm-init-card-correctly-on-ctkill-exit-check.patch b/queue-4.2/iwlwifi-mvm-init-card-correctly-on-ctkill-exit-check.patch new file mode 100644 index 00000000000..98867a51ae3 --- /dev/null +++ b/queue-4.2/iwlwifi-mvm-init-card-correctly-on-ctkill-exit-check.patch @@ -0,0 +1,59 @@ +From 1a3fe0b2b6778b7866e2b3f5c9a299d5e9bbd89c Mon Sep 17 00:00:00 2001 +From: Arik Nemtsov +Date: Wed, 30 Sep 2015 11:19:55 +0300 +Subject: iwlwifi: mvm: init card correctly on ctkill exit check + +From: Arik Nemtsov + +commit 1a3fe0b2b6778b7866e2b3f5c9a299d5e9bbd89c upstream. + +During the CT-kill exit flow, the card is powered up and partially +initialized to check if the temperature is already low enough. +Unfortunately the init bails early because the CT-kill flag is set. +Make the code bail early only for HW RF-kill, as was intended by the +author. CT-kill is self-imposed and is not really RF-kill. + +Fixes: 31b8b343e019 ("iwlwifi: fix RFkill while calibrating") +Signed-off-by: Arik Nemtsov +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/mvm/fw.c | 4 ++-- + drivers/net/wireless/iwlwifi/mvm/mvm.h | 5 +++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/iwlwifi/mvm/fw.c +@@ -364,7 +364,7 @@ int iwl_run_init_mvm_ucode(struct iwl_mv + * abort after reading the nvm in case RF Kill is on, we will complete + * the init seq later when RF kill will switch to off + */ +- if (iwl_mvm_is_radio_killed(mvm)) { ++ if (iwl_mvm_is_radio_hw_killed(mvm)) { + IWL_DEBUG_RF_KILL(mvm, + "jump over all phy activities due to RF kill\n"); + iwl_remove_notification(&mvm->notif_wait, &calib_wait); +@@ -397,7 +397,7 @@ int iwl_run_init_mvm_ucode(struct iwl_mv + ret = iwl_wait_notification(&mvm->notif_wait, &calib_wait, + MVM_UCODE_CALIB_TIMEOUT); + +- if (ret && iwl_mvm_is_radio_killed(mvm)) { ++ if (ret && iwl_mvm_is_radio_hw_killed(mvm)) { + IWL_DEBUG_RF_KILL(mvm, "RFKILL while calibrating.\n"); + ret = 1; + } +--- a/drivers/net/wireless/iwlwifi/mvm/mvm.h ++++ b/drivers/net/wireless/iwlwifi/mvm/mvm.h +@@ -848,6 +848,11 @@ static inline bool iwl_mvm_is_radio_kill + test_bit(IWL_MVM_STATUS_HW_CTKILL, &mvm->status); + } + ++static inline bool iwl_mvm_is_radio_hw_killed(struct iwl_mvm *mvm) ++{ ++ return test_bit(IWL_MVM_STATUS_HW_RFKILL, &mvm->status); ++} ++ + /* Must be called with rcu_read_lock() held and it can only be + * released when mvmsta is not needed anymore. + */ diff --git a/queue-4.2/iwlwifi-pci-add-a-few-more-pci-subvendor-ids-for-the-7265-series.patch b/queue-4.2/iwlwifi-pci-add-a-few-more-pci-subvendor-ids-for-the-7265-series.patch new file mode 100644 index 00000000000..221814f1a70 --- /dev/null +++ b/queue-4.2/iwlwifi-pci-add-a-few-more-pci-subvendor-ids-for-the-7265-series.patch @@ -0,0 +1,34 @@ +From f08f625876476b6c4a87834dc86e3b927f4697d2 Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Tue, 22 Sep 2015 09:44:39 +0300 +Subject: iwlwifi: pci: add a few more PCI subvendor IDs for the 7265 series + +From: Luca Coelho + +commit f08f625876476b6c4a87834dc86e3b927f4697d2 upstream. + +Add 3 new subdevice IDs for the 0x095A device ID and 2 for the 0x095B +device ID. + +Reported-by: Jeremy +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/pcie/drv.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/wireless/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/iwlwifi/pcie/drv.c +@@ -414,6 +414,11 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x095A, 0x5590, iwl7265_2ac_cfg)}, + {IWL_PCI_DEVICE(0x095B, 0x5290, iwl7265_2ac_cfg)}, + {IWL_PCI_DEVICE(0x095A, 0x5490, iwl7265_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x095A, 0x5F10, iwl7265_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x095B, 0x5212, iwl7265_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x095B, 0x520A, iwl7265_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x095A, 0x9000, iwl7265_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x095A, 0x9400, iwl7265_2ac_cfg)}, + + /* 8000 Series */ + {IWL_PCI_DEVICE(0x24F3, 0x0010, iwl8260_2ac_cfg)}, diff --git a/queue-4.2/kvm-arm-use-gic-support-unconditionally.patch b/queue-4.2/kvm-arm-use-gic-support-unconditionally.patch new file mode 100644 index 00000000000..a524558fd05 --- /dev/null +++ b/queue-4.2/kvm-arm-use-gic-support-unconditionally.patch @@ -0,0 +1,40 @@ +From 4a5d69b73948d0e03cd38d77dc11edb2e707165f Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 12 Oct 2015 15:22:31 +0200 +Subject: KVM: arm: use GIC support unconditionally + +From: Arnd Bergmann + +commit 4a5d69b73948d0e03cd38d77dc11edb2e707165f upstream. + +The vgic code on ARM is built for all configurations that enable KVM, +but the parent_data field that it references is only present when +CONFIG_IRQ_DOMAIN_HIERARCHY is set: + +virt/kvm/arm/vgic.c: In function 'kvm_vgic_map_phys_irq': +virt/kvm/arm/vgic.c:1781:13: error: 'struct irq_data' has no member named 'parent_data' + +This flag is implied by the GIC driver, and indeed the VGIC code only +makes sense if a GIC is present. This changes the CONFIG_KVM symbol +to always select GIC, which avoids the issue. + +Fixes: 662d9715840 ("arm/arm64: KVM: Kill CONFIG_KVM_ARM_{VGIC,TIMER}") +Signed-off-by: Arnd Bergmann +Acked-by: Marc Zyngier +Signed-off-by: Christoffer Dall +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kvm/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/kvm/Kconfig ++++ b/arch/arm/kvm/Kconfig +@@ -21,6 +21,7 @@ config KVM + depends on MMU && OF + select PREEMPT_NOTIFIERS + select ANON_INODES ++ select ARM_GIC + select HAVE_KVM_CPU_RELAX_INTERCEPT + select HAVE_KVM_ARCH_TLB_FLUSH_ALL + select KVM_MMIO diff --git a/queue-4.2/m88ds3103-use-own-reg-update_bits-implementation.patch b/queue-4.2/m88ds3103-use-own-reg-update_bits-implementation.patch new file mode 100644 index 00000000000..5e1a904fc80 --- /dev/null +++ b/queue-4.2/m88ds3103-use-own-reg-update_bits-implementation.patch @@ -0,0 +1,237 @@ +From 56ea37da3b93dfe46cb5c3ee0ee4cc44229ece47 Mon Sep 17 00:00:00 2001 +From: Antti Palosaari +Date: Sat, 3 Oct 2015 18:35:14 -0300 +Subject: [media] m88ds3103: use own reg update_bits() implementation + +From: Antti Palosaari + +commit 56ea37da3b93dfe46cb5c3ee0ee4cc44229ece47 upstream. + +Device stopped to tuning some channels after regmap conversion. +Reason is that regmap_update_bits() works a bit differently for +partially volatile registers than old homemade routine. Return +back to old routine in order to fix issue. + +Fixes: 478932b16052f5ded74685d096ae920cd17d6424 + +Reported-by: Mark Clarkstone +Tested-by: Mark Clarkstone +Signed-off-by: Antti Palosaari +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/dvb-frontends/m88ds3103.c | 73 ++++++++++++++++++++------------ + 1 file changed, 47 insertions(+), 26 deletions(-) + +--- a/drivers/media/dvb-frontends/m88ds3103.c ++++ b/drivers/media/dvb-frontends/m88ds3103.c +@@ -18,6 +18,27 @@ + + static struct dvb_frontend_ops m88ds3103_ops; + ++/* write single register with mask */ ++static int m88ds3103_update_bits(struct m88ds3103_dev *dev, ++ u8 reg, u8 mask, u8 val) ++{ ++ int ret; ++ u8 tmp; ++ ++ /* no need for read if whole reg is written */ ++ if (mask != 0xff) { ++ ret = regmap_bulk_read(dev->regmap, reg, &tmp, 1); ++ if (ret) ++ return ret; ++ ++ val &= mask; ++ tmp &= ~mask; ++ val |= tmp; ++ } ++ ++ return regmap_bulk_write(dev->regmap, reg, &val, 1); ++} ++ + /* write reg val table using reg addr auto increment */ + static int m88ds3103_wr_reg_val_tab(struct m88ds3103_dev *dev, + const struct m88ds3103_reg_val *tab, int tab_len) +@@ -394,10 +415,10 @@ static int m88ds3103_set_frontend(struct + u8tmp2 = 0x00; /* 0b00 */ + break; + } +- ret = regmap_update_bits(dev->regmap, 0x22, 0xc0, u8tmp1 << 6); ++ ret = m88ds3103_update_bits(dev, 0x22, 0xc0, u8tmp1 << 6); + if (ret) + goto err; +- ret = regmap_update_bits(dev->regmap, 0x24, 0xc0, u8tmp2 << 6); ++ ret = m88ds3103_update_bits(dev, 0x24, 0xc0, u8tmp2 << 6); + if (ret) + goto err; + } +@@ -455,13 +476,13 @@ static int m88ds3103_set_frontend(struct + if (ret) + goto err; + } +- ret = regmap_update_bits(dev->regmap, 0x9d, 0x08, 0x08); ++ ret = m88ds3103_update_bits(dev, 0x9d, 0x08, 0x08); + if (ret) + goto err; + ret = regmap_write(dev->regmap, 0xf1, 0x01); + if (ret) + goto err; +- ret = regmap_update_bits(dev->regmap, 0x30, 0x80, 0x80); ++ ret = m88ds3103_update_bits(dev, 0x30, 0x80, 0x80); + if (ret) + goto err; + } +@@ -498,7 +519,7 @@ static int m88ds3103_set_frontend(struct + switch (dev->cfg->ts_mode) { + case M88DS3103_TS_SERIAL: + case M88DS3103_TS_SERIAL_D7: +- ret = regmap_update_bits(dev->regmap, 0x29, 0x20, u8tmp1); ++ ret = m88ds3103_update_bits(dev, 0x29, 0x20, u8tmp1); + if (ret) + goto err; + u8tmp1 = 0; +@@ -567,11 +588,11 @@ static int m88ds3103_set_frontend(struct + if (ret) + goto err; + +- ret = regmap_update_bits(dev->regmap, 0x4d, 0x02, dev->cfg->spec_inv << 1); ++ ret = m88ds3103_update_bits(dev, 0x4d, 0x02, dev->cfg->spec_inv << 1); + if (ret) + goto err; + +- ret = regmap_update_bits(dev->regmap, 0x30, 0x10, dev->cfg->agc_inv << 4); ++ ret = m88ds3103_update_bits(dev, 0x30, 0x10, dev->cfg->agc_inv << 4); + if (ret) + goto err; + +@@ -625,13 +646,13 @@ static int m88ds3103_init(struct dvb_fro + dev->warm = false; + + /* wake up device from sleep */ +- ret = regmap_update_bits(dev->regmap, 0x08, 0x01, 0x01); ++ ret = m88ds3103_update_bits(dev, 0x08, 0x01, 0x01); + if (ret) + goto err; +- ret = regmap_update_bits(dev->regmap, 0x04, 0x01, 0x00); ++ ret = m88ds3103_update_bits(dev, 0x04, 0x01, 0x00); + if (ret) + goto err; +- ret = regmap_update_bits(dev->regmap, 0x23, 0x10, 0x00); ++ ret = m88ds3103_update_bits(dev, 0x23, 0x10, 0x00); + if (ret) + goto err; + +@@ -749,18 +770,18 @@ static int m88ds3103_sleep(struct dvb_fr + utmp = 0x29; + else + utmp = 0x27; +- ret = regmap_update_bits(dev->regmap, utmp, 0x01, 0x00); ++ ret = m88ds3103_update_bits(dev, utmp, 0x01, 0x00); + if (ret) + goto err; + + /* sleep */ +- ret = regmap_update_bits(dev->regmap, 0x08, 0x01, 0x00); ++ ret = m88ds3103_update_bits(dev, 0x08, 0x01, 0x00); + if (ret) + goto err; +- ret = regmap_update_bits(dev->regmap, 0x04, 0x01, 0x01); ++ ret = m88ds3103_update_bits(dev, 0x04, 0x01, 0x01); + if (ret) + goto err; +- ret = regmap_update_bits(dev->regmap, 0x23, 0x10, 0x10); ++ ret = m88ds3103_update_bits(dev, 0x23, 0x10, 0x10); + if (ret) + goto err; + +@@ -992,12 +1013,12 @@ static int m88ds3103_set_tone(struct dvb + } + + utmp = tone << 7 | dev->cfg->envelope_mode << 5; +- ret = regmap_update_bits(dev->regmap, 0xa2, 0xe0, utmp); ++ ret = m88ds3103_update_bits(dev, 0xa2, 0xe0, utmp); + if (ret) + goto err; + + utmp = 1 << 2; +- ret = regmap_update_bits(dev->regmap, 0xa1, reg_a1_mask, utmp); ++ ret = m88ds3103_update_bits(dev, 0xa1, reg_a1_mask, utmp); + if (ret) + goto err; + +@@ -1047,7 +1068,7 @@ static int m88ds3103_set_voltage(struct + voltage_dis ^= dev->cfg->lnb_en_pol; + + utmp = voltage_dis << 1 | voltage_sel << 0; +- ret = regmap_update_bits(dev->regmap, 0xa2, 0x03, utmp); ++ ret = m88ds3103_update_bits(dev, 0xa2, 0x03, utmp); + if (ret) + goto err; + +@@ -1080,7 +1101,7 @@ static int m88ds3103_diseqc_send_master_ + } + + utmp = dev->cfg->envelope_mode << 5; +- ret = regmap_update_bits(dev->regmap, 0xa2, 0xe0, utmp); ++ ret = m88ds3103_update_bits(dev, 0xa2, 0xe0, utmp); + if (ret) + goto err; + +@@ -1115,12 +1136,12 @@ static int m88ds3103_diseqc_send_master_ + } else { + dev_dbg(&client->dev, "diseqc tx timeout\n"); + +- ret = regmap_update_bits(dev->regmap, 0xa1, 0xc0, 0x40); ++ ret = m88ds3103_update_bits(dev, 0xa1, 0xc0, 0x40); + if (ret) + goto err; + } + +- ret = regmap_update_bits(dev->regmap, 0xa2, 0xc0, 0x80); ++ ret = m88ds3103_update_bits(dev, 0xa2, 0xc0, 0x80); + if (ret) + goto err; + +@@ -1152,7 +1173,7 @@ static int m88ds3103_diseqc_send_burst(s + } + + utmp = dev->cfg->envelope_mode << 5; +- ret = regmap_update_bits(dev->regmap, 0xa2, 0xe0, utmp); ++ ret = m88ds3103_update_bits(dev, 0xa2, 0xe0, utmp); + if (ret) + goto err; + +@@ -1194,12 +1215,12 @@ static int m88ds3103_diseqc_send_burst(s + } else { + dev_dbg(&client->dev, "diseqc tx timeout\n"); + +- ret = regmap_update_bits(dev->regmap, 0xa1, 0xc0, 0x40); ++ ret = m88ds3103_update_bits(dev, 0xa1, 0xc0, 0x40); + if (ret) + goto err; + } + +- ret = regmap_update_bits(dev->regmap, 0xa2, 0xc0, 0x80); ++ ret = m88ds3103_update_bits(dev, 0xa2, 0xc0, 0x80); + if (ret) + goto err; + +@@ -1435,13 +1456,13 @@ static int m88ds3103_probe(struct i2c_cl + goto err_kfree; + + /* sleep */ +- ret = regmap_update_bits(dev->regmap, 0x08, 0x01, 0x00); ++ ret = m88ds3103_update_bits(dev, 0x08, 0x01, 0x00); + if (ret) + goto err_kfree; +- ret = regmap_update_bits(dev->regmap, 0x04, 0x01, 0x01); ++ ret = m88ds3103_update_bits(dev, 0x04, 0x01, 0x01); + if (ret) + goto err_kfree; +- ret = regmap_update_bits(dev->regmap, 0x23, 0x10, 0x10); ++ ret = m88ds3103_update_bits(dev, 0x23, 0x10, 0x10); + if (ret) + goto err_kfree; + diff --git a/queue-4.2/mm-make-sendfile-2-killable.patch b/queue-4.2/mm-make-sendfile-2-killable.patch new file mode 100644 index 00000000000..e021b08006a --- /dev/null +++ b/queue-4.2/mm-make-sendfile-2-killable.patch @@ -0,0 +1,70 @@ +From 296291cdd1629c308114504b850dc343eabc2782 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 22 Oct 2015 13:32:21 -0700 +Subject: mm: make sendfile(2) killable + +From: Jan Kara + +commit 296291cdd1629c308114504b850dc343eabc2782 upstream. + +Currently a simple program below issues a sendfile(2) system call which +takes about 62 days to complete in my test KVM instance. + + int fd; + off_t off = 0; + + fd = open("file", O_RDWR | O_TRUNC | O_SYNC | O_CREAT, 0644); + ftruncate(fd, 2); + lseek(fd, 0, SEEK_END); + sendfile(fd, fd, &off, 0xfffffff); + +Now you should not ask kernel to do a stupid stuff like copying 256MB in +2-byte chunks and call fsync(2) after each chunk but if you do, sysadmin +should have a way to stop you. + +We actually do have a check for fatal_signal_pending() in +generic_perform_write() which triggers in this path however because we +always succeed in writing something before the check is done, we return +value > 0 from generic_perform_write() and thus the information about +signal gets lost. + +Fix the problem by doing the signal check before writing anything. That +way generic_perform_write() returns -EINTR, the error gets propagated up +and the sendfile loop terminates early. + +Signed-off-by: Jan Kara +Reported-by: Dmitry Vyukov +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/filemap.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -2488,6 +2488,11 @@ again: + break; + } + ++ if (fatal_signal_pending(current)) { ++ status = -EINTR; ++ break; ++ } ++ + status = a_ops->write_begin(file, mapping, pos, bytes, flags, + &page, &fsdata); + if (unlikely(status < 0)) +@@ -2525,10 +2530,6 @@ again: + written += copied; + + balance_dirty_pages_ratelimited(mapping); +- if (fatal_signal_pending(current)) { +- status = -EINTR; +- break; +- } + } while (iov_iter_count(i)); + + return written ? written : status; diff --git a/queue-4.2/powerpc-rtas-validate-rtas.entry-before-calling-enter_rtas.patch b/queue-4.2/powerpc-rtas-validate-rtas.entry-before-calling-enter_rtas.patch new file mode 100644 index 00000000000..e96a8d7f3db --- /dev/null +++ b/queue-4.2/powerpc-rtas-validate-rtas.entry-before-calling-enter_rtas.patch @@ -0,0 +1,51 @@ +From 8832317f662c06f5c06e638f57bfe89a71c9b266 Mon Sep 17 00:00:00 2001 +From: Vasant Hegde +Date: Fri, 16 Oct 2015 15:53:29 +0530 +Subject: powerpc/rtas: Validate rtas.entry before calling enter_rtas() + +From: Vasant Hegde + +commit 8832317f662c06f5c06e638f57bfe89a71c9b266 upstream. + +Currently we do not validate rtas.entry before calling enter_rtas(). This +leads to a kernel oops when user space calls rtas system call on a powernv +platform (see below). This patch adds code to validate rtas.entry before +making enter_rtas() call. + + Oops: Exception in kernel mode, sig: 4 [#1] + SMP NR_CPUS=1024 NUMA PowerNV + task: c000000004294b80 ti: c0000007e1a78000 task.ti: c0000007e1a78000 + NIP: 0000000000000000 LR: 0000000000009c14 CTR: c000000000423140 + REGS: c0000007e1a7b920 TRAP: 0e40 Not tainted (3.18.17-340.el7_1.pkvm3_1_0.2400.1.ppc64le) + MSR: 1000000000081000 CR: 00000000 XER: 00000000 + CFAR: c000000000009c0c SOFTE: 0 + NIP [0000000000000000] (null) + LR [0000000000009c14] 0x9c14 + Call Trace: + [c0000007e1a7bba0] [c00000000041a7f4] avc_has_perm_noaudit+0x54/0x110 (unreliable) + [c0000007e1a7bd80] [c00000000002ddc0] ppc_rtas+0x150/0x2d0 + [c0000007e1a7be30] [c000000000009358] syscall_exit+0x0/0x98 + +Fixes: 55190f88789a ("powerpc: Add skeleton PowerNV platform") +Reported-by: NAGESWARA R. SASTRY +Signed-off-by: Vasant Hegde +[mpe: Reword change log, trim oops, and add stable + fixes] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/rtas.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/powerpc/kernel/rtas.c ++++ b/arch/powerpc/kernel/rtas.c +@@ -1041,6 +1041,9 @@ asmlinkage int ppc_rtas(struct rtas_args + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + ++ if (!rtas.entry) ++ return -EINVAL; ++ + if (copy_from_user(&args, uargs, 3 * sizeof(u32)) != 0) + return -EFAULT; + diff --git a/queue-4.2/rtl28xxu-fix-control-message-flaws.patch b/queue-4.2/rtl28xxu-fix-control-message-flaws.patch new file mode 100644 index 00000000000..58959a1a21d --- /dev/null +++ b/queue-4.2/rtl28xxu-fix-control-message-flaws.patch @@ -0,0 +1,74 @@ +From d18ca5b7ceca0e9674cb4bb2ed476b0fcbb23ba2 Mon Sep 17 00:00:00 2001 +From: Antti Palosaari +Date: Tue, 6 Oct 2015 00:22:23 -0300 +Subject: [media] rtl28xxu: fix control message flaws + +From: Antti Palosaari + +commit d18ca5b7ceca0e9674cb4bb2ed476b0fcbb23ba2 upstream. + +Add lock to prevent concurrent access for control message as control +message function uses shared buffer. Without the lock there may be +remote control polling which messes the buffer causing IO errors. +Increase buffer size and add check for maximum supported message +length. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=103391 +Fixes: c56222a6b25c ("[media] rtl28xxu: move usb buffers to state") + +Signed-off-by: Antti Palosaari +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 15 +++++++++++++-- + drivers/media/usb/dvb-usb-v2/rtl28xxu.h | 2 +- + 2 files changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c ++++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +@@ -34,6 +34,14 @@ static int rtl28xxu_ctrl_msg(struct dvb_ + unsigned int pipe; + u8 requesttype; + ++ mutex_lock(&d->usb_mutex); ++ ++ if (req->size > sizeof(dev->buf)) { ++ dev_err(&d->intf->dev, "too large message %u\n", req->size); ++ ret = -EINVAL; ++ goto err_mutex_unlock; ++ } ++ + if (req->index & CMD_WR_FLAG) { + /* write */ + memcpy(dev->buf, req->data, req->size); +@@ -50,14 +58,17 @@ static int rtl28xxu_ctrl_msg(struct dvb_ + dvb_usb_dbg_usb_control_msg(d->udev, 0, requesttype, req->value, + req->index, dev->buf, req->size); + if (ret < 0) +- goto err; ++ goto err_mutex_unlock; + + /* read request, copy returned data to return buf */ + if (requesttype == (USB_TYPE_VENDOR | USB_DIR_IN)) + memcpy(req->data, dev->buf, req->size); + ++ mutex_unlock(&d->usb_mutex); ++ + return 0; +-err: ++err_mutex_unlock: ++ mutex_unlock(&d->usb_mutex); + dev_dbg(&d->intf->dev, "failed=%d\n", ret); + return ret; + } +--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.h ++++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.h +@@ -71,7 +71,7 @@ + + + struct rtl28xxu_dev { +- u8 buf[28]; ++ u8 buf[128]; + u8 chip_id; + u8 tuner; + char *tuner_name; diff --git a/queue-4.2/rtlwifi-rtl8821ae-fix-system-lockups-on-boot.patch b/queue-4.2/rtlwifi-rtl8821ae-fix-system-lockups-on-boot.patch new file mode 100644 index 00000000000..98d96289eb3 --- /dev/null +++ b/queue-4.2/rtlwifi-rtl8821ae-fix-system-lockups-on-boot.patch @@ -0,0 +1,131 @@ +From 54328e64047a54b8fc2362c2e1f0fa16c90f739f Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Fri, 2 Oct 2015 11:44:30 -0500 +Subject: rtlwifi: rtl8821ae: Fix system lockups on boot + +From: Larry Finger + +commit 54328e64047a54b8fc2362c2e1f0fa16c90f739f upstream. + +In commit 1277fa2ab2f9 ("rtlwifi: Remove the clear interrupt routine from all +drivers"), the code that cleared all interrupt enable bits before setting them +was removed for all PCI drivers. This fixed an issue that caused TX to be +blocked for 3-5 seconds. On some RTL8821AE units, this change causes soft +lockups to occur on boot. For that reason, the portion of the earlier commit +that applied to rtl8821ae is reverted. Kernels 4.1 and newer are affected. + +See http://marc.info/?l=linux-wireless&m=144373370103285&w=2 and +https://bugzilla.opensuse.org/show_bug.cgi?id=944978 for two cases where +this regression affected user systems. Note that this bug does not appear on +any of the developer's setups. For those users whose systems are affected +by the TX blockage, but do not lock up on boot, a module parameter is added +to disable the interrupt clear + +Fixes: 1277fa2ab2f9 ("rtlwifi: Remove the clear interrupt routine from all drivers") +Signed-off-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/pci.h | 2 ++ + drivers/net/wireless/rtlwifi/rtl8821ae/hw.c | 17 +++++++++++++++++ + drivers/net/wireless/rtlwifi/rtl8821ae/sw.c | 5 +++++ + drivers/net/wireless/rtlwifi/wifi.h | 3 +++ + 4 files changed, 27 insertions(+) + +--- a/drivers/net/wireless/rtlwifi/pci.h ++++ b/drivers/net/wireless/rtlwifi/pci.h +@@ -247,6 +247,8 @@ struct rtl_pci { + /* MSI support */ + bool msi_support; + bool using_msi; ++ /* interrupt clear before set */ ++ bool int_clear; + }; + + struct mp_adapter { +--- a/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c +@@ -2253,11 +2253,28 @@ void rtl8821ae_set_qos(struct ieee80211_ + } + } + ++static void rtl8821ae_clear_interrupt(struct ieee80211_hw *hw) ++{ ++ struct rtl_priv *rtlpriv = rtl_priv(hw); ++ u32 tmp = rtl_read_dword(rtlpriv, REG_HISR); ++ ++ rtl_write_dword(rtlpriv, REG_HISR, tmp); ++ ++ tmp = rtl_read_dword(rtlpriv, REG_HISRE); ++ rtl_write_dword(rtlpriv, REG_HISRE, tmp); ++ ++ tmp = rtl_read_dword(rtlpriv, REG_HSISR); ++ rtl_write_dword(rtlpriv, REG_HSISR, tmp); ++} ++ + void rtl8821ae_enable_interrupt(struct ieee80211_hw *hw) + { + struct rtl_priv *rtlpriv = rtl_priv(hw); + struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw)); + ++ if (!rtlpci->int_clear) ++ rtl8821ae_clear_interrupt(hw);/*clear it here first*/ ++ + rtl_write_dword(rtlpriv, REG_HIMR, rtlpci->irq_mask[0] & 0xFFFFFFFF); + rtl_write_dword(rtlpriv, REG_HIMRE, rtlpci->irq_mask[1] & 0xFFFFFFFF); + rtlpci->irq_enabled = true; +--- a/drivers/net/wireless/rtlwifi/rtl8821ae/sw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8821ae/sw.c +@@ -96,6 +96,7 @@ int rtl8821ae_init_sw_vars(struct ieee80 + + rtl8821ae_bt_reg_init(hw); + rtlpci->msi_support = rtlpriv->cfg->mod_params->msi_support; ++ rtlpci->int_clear = rtlpriv->cfg->mod_params->int_clear; + rtlpriv->btcoexist.btc_ops = rtl_btc_get_ops_pointer(); + + rtlpriv->dm.dm_initialgain_enable = 1; +@@ -167,6 +168,7 @@ int rtl8821ae_init_sw_vars(struct ieee80 + rtlpriv->psc.swctrl_lps = rtlpriv->cfg->mod_params->swctrl_lps; + rtlpriv->psc.fwctrl_lps = rtlpriv->cfg->mod_params->fwctrl_lps; + rtlpci->msi_support = rtlpriv->cfg->mod_params->msi_support; ++ rtlpci->msi_support = rtlpriv->cfg->mod_params->int_clear; + if (rtlpriv->cfg->mod_params->disable_watchdog) + pr_info("watchdog disabled\n"); + rtlpriv->psc.reg_fwctrl_lps = 3; +@@ -308,6 +310,7 @@ static struct rtl_mod_params rtl8821ae_m + .swctrl_lps = false, + .fwctrl_lps = true, + .msi_support = true, ++ .int_clear = true, + .debug = DBG_EMERG, + .disable_watchdog = 0, + }; +@@ -437,6 +440,7 @@ module_param_named(fwlps, rtl8821ae_mod_ + module_param_named(msi, rtl8821ae_mod_params.msi_support, bool, 0444); + module_param_named(disable_watchdog, rtl8821ae_mod_params.disable_watchdog, + bool, 0444); ++module_param_named(int_clear, rtl8821ae_mod_params.int_clear, bool, 0444); + MODULE_PARM_DESC(swenc, "Set to 1 for software crypto (default 0)\n"); + MODULE_PARM_DESC(ips, "Set to 0 to not use link power save (default 1)\n"); + MODULE_PARM_DESC(swlps, "Set to 1 to use SW control power save (default 0)\n"); +@@ -444,6 +448,7 @@ MODULE_PARM_DESC(fwlps, "Set to 1 to use + MODULE_PARM_DESC(msi, "Set to 1 to use MSI interrupts mode (default 1)\n"); + MODULE_PARM_DESC(debug, "Set debug level (0-5) (default 0)"); + MODULE_PARM_DESC(disable_watchdog, "Set to 1 to disable the watchdog (default 0)\n"); ++MODULE_PARM_DESC(int_clear, "Set to 1 to disable interrupt clear before set (default 0)\n"); + + static SIMPLE_DEV_PM_OPS(rtlwifi_pm_ops, rtl_pci_suspend, rtl_pci_resume); + +--- a/drivers/net/wireless/rtlwifi/wifi.h ++++ b/drivers/net/wireless/rtlwifi/wifi.h +@@ -2234,6 +2234,9 @@ struct rtl_mod_params { + + /* default 0: 1 means disable */ + bool disable_watchdog; ++ ++ /* default 0: 1 means do not disable interrupts */ ++ bool int_clear; + }; + + struct rtl_hal_usbint_cfg { diff --git a/queue-4.2/series b/queue-4.2/series index e91a9f54595..3b56191bbb7 100644 --- a/queue-4.2/series +++ b/queue-4.2/series @@ -3,3 +3,44 @@ ath9k-declare-required-extra-tx-headroom.patch mmc-core-fix-init_card-in-52mhz.patch iwlwifi-dvm-fix-d3-firmware-pn-programming.patch iwlwifi-fix-firmware-filename-for-3160.patch +rtlwifi-rtl8821ae-fix-system-lockups-on-boot.patch +iwlwifi-mvm-clear-csa-countdown-when-ap-is-stopped.patch +iwlwifi-mvm-fix-d3-ccmp-tx-pn-assignment.patch +iwlwifi-mvm-fix-d3-firmware-pn-programming.patch +iwlwifi-mvm-init-card-correctly-on-ctkill-exit-check.patch +iwlwifi-mvm-flush-fw_dump_wk-when-mvm-fails-to-start.patch +iwlwifi-pci-add-a-few-more-pci-subvendor-ids-for-the-7265-series.patch +iommu-vt-d-fix-range-computation-when-making-room-for-large-pages.patch +iommu-amd-fix-bug-when-faulting-a-prot_none-vma.patch +iommu-amd-don-t-clear-dte-flags-when-modifying-it.patch +powerpc-rtas-validate-rtas.entry-before-calling-enter_rtas.patch +drm-fix-mutex-leak-in-drm_dp_get_mst_branch_device.patch +drm-correct-arguments-to-list_tail_add-in-create-blob-ioctl.patch +drm-crtc-integer-overflow-in-drm_property_create_blob.patch +m88ds3103-use-own-reg-update_bits-implementation.patch +si2157-bounds-check-firmware.patch +si2168-bounds-check-firmware.patch +rtl28xxu-fix-control-message-flaws.patch +kvm-arm-use-gic-support-unconditionally.patch +alsa-hdac-explicitly-add-io.h.patch +alsa-hda-fix-inverted-internal-mic-on-lenovo-g50-80.patch +alsa-hda-fix-deadlock-at-error-in-building-pcm.patch +asoc-add-info-callback-for-sx_tlv-controls.patch +asoc-wm8904-correct-number-of-eq-registers.patch +x86-efi-fix-multiple-gop-device-support.patch +x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch +x86-ioapic-prevent-null-pointer-dereference-in-setup_ioapic_dest.patch +mm-make-sendfile-2-killable.patch +fault-inject-fix-inverted-interval-probability-values-in-printk.patch +tracing-have-stack-tracer-force-rcu-to-be-watching.patch +bus-arm-ccn-fix-irq-affinity-setting-on-cpu-migration.patch +drm-nouveau-gem-return-only-valid-domain-when-there-s-only-one.patch +drm-radeon-dpm-don-t-add-pwm-attributes-if-dpm-is-disabled.patch +drm-amdgpu-add-missing-dpm-check-for-kv-dpm-late-init.patch +drm-i915-flush-pipecontrol-post-sync-writes.patch +drm-i915-restore-lost-dpll-register-write-on-gen2-4.patch +drm-i915-deny-wrapping-an-userptr-into-a-framebuffer.patch +drm-radeon-don-t-try-to-recreate-sysfs-entries-on-resume.patch +drm-amdgpu-don-t-try-to-recreate-sysfs-entries-on-resume.patch +drm-radeon-fix-dpms-when-driver-backlight-control-is-disabled.patch +drm-radeon-move-bl-encoder-assignment-into-bl-init.patch diff --git a/queue-4.2/si2157-bounds-check-firmware.patch b/queue-4.2/si2157-bounds-check-firmware.patch new file mode 100644 index 00000000000..6e55147149e --- /dev/null +++ b/queue-4.2/si2157-bounds-check-firmware.patch @@ -0,0 +1,35 @@ +From a828d72df216c36e9c40b6c24dc4b17b6f7b5a76 Mon Sep 17 00:00:00 2001 +From: Laura Abbott +Date: Tue, 29 Sep 2015 21:10:10 -0300 +Subject: [media] si2157: Bounds check firmware + +From: Laura Abbott + +commit a828d72df216c36e9c40b6c24dc4b17b6f7b5a76 upstream. + +When reading the firmware and sending commands, the length +must be bounds checked to avoid overrunning the size of the command +buffer and smashing the stack if the firmware is not in the +expected format. Add the proper check. + +Signed-off-by: Laura Abbott +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/tuners/si2157.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/media/tuners/si2157.c ++++ b/drivers/media/tuners/si2157.c +@@ -166,6 +166,10 @@ static int si2157_init(struct dvb_fronte + + for (remaining = fw->size; remaining > 0; remaining -= 17) { + len = fw->data[fw->size - remaining]; ++ if (len > SI2157_ARGLEN) { ++ dev_err(&client->dev, "Bad firmware length\n"); ++ goto err_release_firmware; ++ } + memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len); + cmd.wlen = len; + cmd.rlen = 1; diff --git a/queue-4.2/si2168-bounds-check-firmware.patch b/queue-4.2/si2168-bounds-check-firmware.patch new file mode 100644 index 00000000000..84f29f3e811 --- /dev/null +++ b/queue-4.2/si2168-bounds-check-firmware.patch @@ -0,0 +1,44 @@ +From 47810b4341ac9d2f558894bc5995e6fa2a1298f9 Mon Sep 17 00:00:00 2001 +From: Laura Abbott +Date: Tue, 29 Sep 2015 21:10:09 -0300 +Subject: [media] si2168: Bounds check firmware + +From: Laura Abbott + +commit 47810b4341ac9d2f558894bc5995e6fa2a1298f9 upstream. + +When reading the firmware and sending commands, the length must +be bounds checked to avoid overrunning the size of the command +buffer and smashing the stack if the firmware is not in the expected +format: + +si2168 11-0064: found a 'Silicon Labs Si2168-B40' +si2168 11-0064: downloading firmware from file 'dvb-demod-si2168-b40-01.fw' +si2168 11-0064: firmware download failed -95 +Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa085708f + +Add the proper check. + +Reported-by: Stuart Auchterlonie +Reviewed-by: Antti Palosaari +Signed-off-by: Laura Abbott +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/dvb-frontends/si2168.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/media/dvb-frontends/si2168.c ++++ b/drivers/media/dvb-frontends/si2168.c +@@ -502,6 +502,10 @@ static int si2168_init(struct dvb_fronte + /* firmware is in the new format */ + for (remaining = fw->size; remaining > 0; remaining -= 17) { + len = fw->data[fw->size - remaining]; ++ if (len > SI2168_ARGLEN) { ++ ret = -EINVAL; ++ break; ++ } + memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len); + cmd.wlen = len; + cmd.rlen = 1; diff --git a/queue-4.2/tracing-have-stack-tracer-force-rcu-to-be-watching.patch b/queue-4.2/tracing-have-stack-tracer-force-rcu-to-be-watching.patch new file mode 100644 index 00000000000..1d24c6d33db --- /dev/null +++ b/queue-4.2/tracing-have-stack-tracer-force-rcu-to-be-watching.patch @@ -0,0 +1,68 @@ +From a2d7629048322ae62bff57f34f5f995e25ed234c Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Red Hat)" +Date: Tue, 20 Oct 2015 11:38:08 -0400 +Subject: tracing: Have stack tracer force RCU to be watching + +From: "Steven Rostedt (Red Hat)" + +commit a2d7629048322ae62bff57f34f5f995e25ed234c upstream. + +The stack tracer was triggering the WARN_ON() in module.c: + + static void module_assert_mutex_or_preempt(void) + { + #ifdef CONFIG_LOCKDEP + if (unlikely(!debug_locks)) + return; + + WARN_ON(!rcu_read_lock_sched_held() && + !lockdep_is_held(&module_mutex)); + #endif + } + +The reason is that the stack tracer traces all function calls, and some of +those calls happen while exiting or entering user space and idle. Some of +these functions are called after RCU had already stopped watching, as RCU +does not watch userspace or idle CPUs. + +If a max stack is hit, then the save_stack_trace() is called, which will +check module addresses and call module_assert_mutex_or_preempt(), and then +trigger the warning. Sad part is, the warning itself will also do a stack +trace and tigger the same warning. That probably should be fixed. + +The warning was added by 0be964be0d45 "module: Sanitize RCU usage and +locking" but this bug has probably been around longer. But it's unlikely to +cause much harm, but the new warning causes the system to lock up. + +Cc: Peter Zijlstra +Cc:"Paul E. McKenney" +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_stack.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/kernel/trace/trace_stack.c ++++ b/kernel/trace/trace_stack.c +@@ -94,6 +94,12 @@ check_stack(unsigned long ip, unsigned l + local_irq_save(flags); + arch_spin_lock(&max_stack_lock); + ++ /* ++ * RCU may not be watching, make it see us. ++ * The stack trace code uses rcu_sched. ++ */ ++ rcu_irq_enter(); ++ + /* In case another CPU set the tracer_frame on us */ + if (unlikely(!frame_size)) + this_size -= tracer_frame; +@@ -174,6 +180,7 @@ check_stack(unsigned long ip, unsigned l + } + + out: ++ rcu_irq_exit(); + arch_spin_unlock(&max_stack_lock); + local_irq_restore(flags); + } diff --git a/queue-4.2/x86-efi-fix-multiple-gop-device-support.patch b/queue-4.2/x86-efi-fix-multiple-gop-device-support.patch new file mode 100644 index 00000000000..887b9f4579a --- /dev/null +++ b/queue-4.2/x86-efi-fix-multiple-gop-device-support.patch @@ -0,0 +1,92 @@ +From 8a53554e12e98d1759205afd7b8e9e2ea0936f48 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?K=C5=91v=C3=A1g=C3=B3=2C=20Zolt=C3=A1n?= + +Date: Mon, 12 Oct 2015 15:13:56 +0100 +Subject: x86/efi: Fix multiple GOP device support +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?K=C5=91v=C3=A1g=C3=B3=2C=20Zolt=C3=A1n?= + +commit 8a53554e12e98d1759205afd7b8e9e2ea0936f48 upstream. + +When multiple GOP devices exists, but none of them implements +ConOut, the code should just choose the first GOP (according to +the comments). But currently 'fb_base' will refer to the last GOP, +while other parameters to the first GOP, which will likely +result in a garbled display. + +I can reliably reproduce this bug using my ASRock Z87M Extreme4 +motherboard with CSM and integrated GPU disabled, and two PCIe +video cards (NVidia GT640 and GTX980), booting from efi-stub +(booting from grub works fine). On the primary display the +ASRock logo remains and on the secondary screen it is garbled +up completely. + +Signed-off-by: Kővágó, Zoltán +Signed-off-by: Matt Fleming +Cc: Linus Torvalds +Cc: Matthew Garrett +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/1444659236-24837-2-git-send-email-matt@codeblueprint.co.uk +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/boot/compressed/eboot.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/x86/boot/compressed/eboot.c ++++ b/arch/x86/boot/compressed/eboot.c +@@ -667,6 +667,7 @@ setup_gop32(struct screen_info *si, efi_ + bool conout_found = false; + void *dummy = NULL; + u32 h = handles[i]; ++ u32 current_fb_base; + + status = efi_call_early(handle_protocol, h, + proto, (void **)&gop32); +@@ -678,7 +679,7 @@ setup_gop32(struct screen_info *si, efi_ + if (status == EFI_SUCCESS) + conout_found = true; + +- status = __gop_query32(gop32, &info, &size, &fb_base); ++ status = __gop_query32(gop32, &info, &size, ¤t_fb_base); + if (status == EFI_SUCCESS && (!first_gop || conout_found)) { + /* + * Systems that use the UEFI Console Splitter may +@@ -692,6 +693,7 @@ setup_gop32(struct screen_info *si, efi_ + pixel_format = info->pixel_format; + pixel_info = info->pixel_information; + pixels_per_scan_line = info->pixels_per_scan_line; ++ fb_base = current_fb_base; + + /* + * Once we've found a GOP supporting ConOut, +@@ -770,6 +772,7 @@ setup_gop64(struct screen_info *si, efi_ + bool conout_found = false; + void *dummy = NULL; + u64 h = handles[i]; ++ u32 current_fb_base; + + status = efi_call_early(handle_protocol, h, + proto, (void **)&gop64); +@@ -781,7 +784,7 @@ setup_gop64(struct screen_info *si, efi_ + if (status == EFI_SUCCESS) + conout_found = true; + +- status = __gop_query64(gop64, &info, &size, &fb_base); ++ status = __gop_query64(gop64, &info, &size, ¤t_fb_base); + if (status == EFI_SUCCESS && (!first_gop || conout_found)) { + /* + * Systems that use the UEFI Console Splitter may +@@ -795,6 +798,7 @@ setup_gop64(struct screen_info *si, efi_ + pixel_format = info->pixel_format; + pixel_info = info->pixel_information; + pixels_per_scan_line = info->pixels_per_scan_line; ++ fb_base = current_fb_base; + + /* + * Once we've found a GOP supporting ConOut, diff --git a/queue-4.2/x86-ioapic-prevent-null-pointer-dereference-in-setup_ioapic_dest.patch b/queue-4.2/x86-ioapic-prevent-null-pointer-dereference-in-setup_ioapic_dest.patch new file mode 100644 index 00000000000..850b1f4c147 --- /dev/null +++ b/queue-4.2/x86-ioapic-prevent-null-pointer-dereference-in-setup_ioapic_dest.patch @@ -0,0 +1,43 @@ +From ababae44108b0e94b58eef6cb5bd830bd040a47f Mon Sep 17 00:00:00 2001 +From: Werner Pawlitschko +Date: Tue, 27 Oct 2015 09:08:04 +0900 +Subject: x86/ioapic: Prevent NULL pointer dereference in setup_ioapic_dest() + +From: Werner Pawlitschko + +commit ababae44108b0e94b58eef6cb5bd830bd040a47f upstream. + +Commit 4857c91f0d19 changed the way how irq affinity is setup in +setup_ioapic_dest() from using the core helper function to +unconditionally calling the irq_set_affinity() callback of the +underlying irq chip. + +That results in a NULL pointer dereference for the rare case where the +underlying irq chip is lapic_chip which has no irq_set_affinity() +callback. lapic_chip is occasionally used for the timer interrupt (irq +0). + +The fix is simple: Check the availability of the callback instead of +calling it unconditionally. + +Fixes: 4857c91f0d19 "x86/ioapic: Force affinity setting in setup_ioapic_dest()" +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/apic/io_apic.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/apic/io_apic.c ++++ b/arch/x86/kernel/apic/io_apic.c +@@ -2547,7 +2547,9 @@ void __init setup_ioapic_dest(void) + mask = apic->target_cpus(); + + chip = irq_data_get_irq_chip(idata); +- chip->irq_set_affinity(idata, mask, false); ++ /* Might be lapic_chip for irq 0 */ ++ if (chip->irq_set_affinity) ++ chip->irq_set_affinity(idata, mask, false); + } + } + #endif diff --git a/queue-4.2/x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch b/queue-4.2/x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch new file mode 100644 index 00000000000..d26049e43ab --- /dev/null +++ b/queue-4.2/x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch @@ -0,0 +1,111 @@ +From f5f3497cad8c8416a74b9aaceb127908755d020a Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 14 Oct 2015 13:30:45 +0200 +Subject: x86/setup: Extend low identity map to cover whole kernel range + +From: Paolo Bonzini + +commit f5f3497cad8c8416a74b9aaceb127908755d020a upstream. + +On 32-bit systems, the initial_page_table is reused by +efi_call_phys_prolog as an identity map to call +SetVirtualAddressMap. efi_call_phys_prolog takes care of +converting the current CPU's GDT to a physical address too. + +For PAE kernels the identity mapping is achieved by aliasing the +first PDPE for the kernel memory mapping into the first PDPE +of initial_page_table. This makes the EFI stub's trick "just work". + +However, for non-PAE kernels there is no guarantee that the identity +mapping in the initial_page_table extends as far as the GDT; in this +case, accesses to the GDT will cause a page fault (which quickly becomes +a triple fault). Fix this by copying the kernel mappings from +swapper_pg_dir to initial_page_table twice, both at PAGE_OFFSET and at +identity mapping. + +For some reason, this is only reproducible with QEMU's dynamic translation +mode, and not for example with KVM. However, even under KVM one can clearly +see that the page table is bogus: + + $ qemu-system-i386 -pflash OVMF.fd -M q35 vmlinuz0 -s -S -daemonize + $ gdb + (gdb) target remote localhost:1234 + (gdb) hb *0x02858f6f + Hardware assisted breakpoint 1 at 0x2858f6f + (gdb) c + Continuing. + + Breakpoint 1, 0x02858f6f in ?? () + (gdb) monitor info registers + ... + GDT= 0724e000 000000ff + IDT= fffbb000 000007ff + CR0=0005003b CR2=ff896000 CR3=032b7000 CR4=00000690 + ... + +The page directory is sane: + + (gdb) x/4wx 0x32b7000 + 0x32b7000: 0x03398063 0x03399063 0x0339a063 0x0339b063 + (gdb) x/4wx 0x3398000 + 0x3398000: 0x00000163 0x00001163 0x00002163 0x00003163 + (gdb) x/4wx 0x3399000 + 0x3399000: 0x00400003 0x00401003 0x00402003 0x00403003 + +but our particular page directory entry is empty: + + (gdb) x/1wx 0x32b7000 + (0x724e000 >> 22) * 4 + 0x32b7070: 0x00000000 + +[ It appears that you can skate past this issue if you don't receive + any interrupts while the bogus GDT pointer is loaded, or if you avoid + reloading the segment registers in general. + + Andy Lutomirski provides some additional insight: + + "AFAICT it's entirely permissible for the GDTR and/or LDT + descriptor to point to unmapped memory. Any attempt to use them + (segment loads, interrupts, IRET, etc) will try to access that memory + as if the access came from CPL 0 and, if the access fails, will + generate a valid page fault with CR2 pointing into the GDT or + LDT." + + Up until commit 23a0d4e8fa6d ("efi: Disable interrupts around EFI + calls, not in the epilog/prolog calls") interrupts were disabled + around the prolog and epilog calls, and the functional GDT was + re-installed before interrupts were re-enabled. + + Which explains why no one has hit this issue until now. ] + +Signed-off-by: Paolo Bonzini +Reported-by: Laszlo Ersek +Cc: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Andy Lutomirski +Signed-off-by: Matt Fleming +[ Updated changelog. ] +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/setup.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -1198,6 +1198,14 @@ void __init setup_arch(char **cmdline_p) + clone_pgd_range(initial_page_table + KERNEL_PGD_BOUNDARY, + swapper_pg_dir + KERNEL_PGD_BOUNDARY, + KERNEL_PGD_PTRS); ++ ++ /* ++ * sync back low identity map too. It is used for example ++ * in the 32-bit EFI stub. ++ */ ++ clone_pgd_range(initial_page_table, ++ swapper_pg_dir + KERNEL_PGD_BOUNDARY, ++ KERNEL_PGD_PTRS); + #endif + + tboot_probe();