From 01f47b59b070a5c79a548758812d536d44f064f6 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 30 Aug 2016 10:53:19 +0200 Subject: [PATCH] 4.7-stable patches added patches: alsa-hda-manage-power-well-properly-for-resume.patch alsa-usb-audio-add-a-sample-rate-quirk-for-creative-live-cam-socialize-hd-vf0610.patch alsa-usb-audio-add-quirk-for-elp-hd-usb-camera.patch arm64-define-at_vector_size_arch-for-arch_dlinfo.patch efi-capsule-allocate-whole-capsule-into-virtual-memory.patch libnvdimm-nd_blk-mask-off-reserved-status-bits.patch mm-slub.c-run-free_partial-outside-of-the-kmem_cache_node-list_lock.patch parisc-fix-order-of-erefused-define-in-errno.h.patch perf-intel-pt-fix-occasional-decoding-errors-when-tracing-system-wide.patch sunrpc-allow-for-upcalls-for-same-uid-but-different-gss-service.patch sunrpc-handle-eaddrnotavail-on-connection-failures.patch tracing-fix-tick_stop-tracepoint-symbols-for-user-export.patch vfio-pci-fix-null-pointer-oops-in-error-interrupt-setup-handling.patch virtio-fix-memory-leak-in-virtqueue_add.patch --- ...anage-power-well-properly-for-resume.patch | 119 ++++++++++++++ ...reative-live-cam-socialize-hd-vf0610.patch | 31 ++++ ...udio-add-quirk-for-elp-hd-usb-camera.patch | 31 ++++ ...-at_vector_size_arch-for-arch_dlinfo.patch | 52 ++++++ ...te-whole-capsule-into-virtual-memory.patch | 88 ++++++++++ ...nd_blk-mask-off-reserved-status-bits.patch | 54 +++++++ ...ide-of-the-kmem_cache_node-list_lock.patch | 123 ++++++++++++++ ...-order-of-erefused-define-in-errno.h.patch | 41 +++++ ...ding-errors-when-tracing-system-wide.patch | 59 +++++++ queue-4.7/series | 14 ++ ...r-same-uid-but-different-gss-service.patch | 59 +++++++ ...eaddrnotavail-on-connection-failures.patch | 36 +++++ ...p-tracepoint-symbols-for-user-export.patch | 77 +++++++++ ...ps-in-error-interrupt-setup-handling.patch | 153 ++++++++++++++++++ ...tio-fix-memory-leak-in-virtqueue_add.patch | 35 ++++ 15 files changed, 972 insertions(+) create mode 100644 queue-4.7/alsa-hda-manage-power-well-properly-for-resume.patch create mode 100644 
queue-4.7/alsa-usb-audio-add-a-sample-rate-quirk-for-creative-live-cam-socialize-hd-vf0610.patch create mode 100644 queue-4.7/alsa-usb-audio-add-quirk-for-elp-hd-usb-camera.patch create mode 100644 queue-4.7/arm64-define-at_vector_size_arch-for-arch_dlinfo.patch create mode 100644 queue-4.7/efi-capsule-allocate-whole-capsule-into-virtual-memory.patch create mode 100644 queue-4.7/libnvdimm-nd_blk-mask-off-reserved-status-bits.patch create mode 100644 queue-4.7/mm-slub.c-run-free_partial-outside-of-the-kmem_cache_node-list_lock.patch create mode 100644 queue-4.7/parisc-fix-order-of-erefused-define-in-errno.h.patch create mode 100644 queue-4.7/perf-intel-pt-fix-occasional-decoding-errors-when-tracing-system-wide.patch create mode 100644 queue-4.7/sunrpc-allow-for-upcalls-for-same-uid-but-different-gss-service.patch create mode 100644 queue-4.7/sunrpc-handle-eaddrnotavail-on-connection-failures.patch create mode 100644 queue-4.7/tracing-fix-tick_stop-tracepoint-symbols-for-user-export.patch create mode 100644 queue-4.7/vfio-pci-fix-null-pointer-oops-in-error-interrupt-setup-handling.patch create mode 100644 queue-4.7/virtio-fix-memory-leak-in-virtqueue_add.patch diff --git a/queue-4.7/alsa-hda-manage-power-well-properly-for-resume.patch b/queue-4.7/alsa-hda-manage-power-well-properly-for-resume.patch new file mode 100644 index 00000000000..8a83a8564d6 --- /dev/null +++ b/queue-4.7/alsa-hda-manage-power-well-properly-for-resume.patch 
@@ -0,0 +1,119 @@ +From a52ff34e5ec61749c62c6618b76a9d6dbecee450 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 4 Aug 2016 22:38:36 +0200 +Subject: ALSA: hda - Manage power well properly for resume + +From: Takashi Iwai + +commit a52ff34e5ec61749c62c6618b76a9d6dbecee450 upstream. + +For SKL and later Intel chips, we control the power well per codec +basis via link_power callback since the commit [03b135cebc47: ALSA: +hda - remove dependency on i915 power well for SKL]. +However, there are a few exceptional cases where the gfx registers are +accessed from the audio driver: namely the wakeup override bit +toggling at (both system and runtime) resume. This seems causing a +kernel warning when accessed during the power well down (and likely +resulting in the bogus register accesses). + +This patch puts the proper power up / down sequence around the resume +code so that the wakeup bit is fiddled properly while the power is +up. (The other callback, sync_audio_rate, is used only in the PCM +callback, so it's guaranteed in the power-on.) + +Also, by this proper power up/down, the instantaneous flip of wakeup +bit in the resume callback that was introduced by the commit +[033ea349a7cd: ALSA: hda - Fix Skylake codec timeout] becomes +superfluous, as snd_hdac_display_power() already does it. So we can +clean it up together. 
+ +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=96214 +Fixes: 03b135cebc47 ('ALSA: hda - remove dependency on i915 power well for SKL') +Tested-by: Hans de Goede +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_intel.c | 32 ++++++++++++++++++++------------ + 1 file changed, 20 insertions(+), 12 deletions(-) + +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -906,20 +906,23 @@ static int azx_resume(struct device *dev + struct snd_card *card = dev_get_drvdata(dev); + struct azx *chip; + struct hda_intel *hda; ++ struct hdac_bus *bus; + + if (!card) + return 0; + + chip = card->private_data; + hda = container_of(chip, struct hda_intel, chip); ++ bus = azx_bus(chip); + if (chip->disabled || hda->init_failed || !chip->running) + return 0; + +- if (chip->driver_caps & AZX_DCAPS_I915_POWERWELL +- && hda->need_i915_power) { +- snd_hdac_display_power(azx_bus(chip), true); +- snd_hdac_i915_set_bclk(azx_bus(chip)); ++ if (chip->driver_caps & AZX_DCAPS_I915_POWERWELL) { ++ snd_hdac_display_power(bus, true); ++ if (hda->need_i915_power) ++ snd_hdac_i915_set_bclk(bus); + } ++ + if (chip->msi) + if (pci_enable_msi(pci) < 0) + chip->msi = 0; +@@ -929,6 +932,11 @@ static int azx_resume(struct device *dev + + hda_intel_init_chip(chip, true); + ++ /* power down again for link-controlled chips */ ++ if ((chip->driver_caps & AZX_DCAPS_I915_POWERWELL) && ++ !hda->need_i915_power) ++ snd_hdac_display_power(bus, false); ++ + snd_power_change_state(card, SNDRV_CTL_POWER_D0); + + trace_azx_resume(chip); +@@ -1008,6 +1016,7 @@ static int azx_runtime_resume(struct dev + + chip = card->private_data; + hda = container_of(chip, struct hda_intel, chip); ++ bus = azx_bus(chip); + if (chip->disabled || hda->init_failed) + return 0; + +@@ -1015,15 +1024,9 @@ static int azx_runtime_resume(struct dev + return 0; + + if (chip->driver_caps & AZX_DCAPS_I915_POWERWELL) { +- bus = azx_bus(chip); +- if (hda->need_i915_power) { +- 
snd_hdac_display_power(bus, true); ++ snd_hdac_display_power(bus, true); ++ if (hda->need_i915_power) + snd_hdac_i915_set_bclk(bus); +- } else { +- /* toggle codec wakeup bit for STATESTS read */ +- snd_hdac_set_codec_wakeup(bus, true); +- snd_hdac_set_codec_wakeup(bus, false); +- } + } + + /* Read STATESTS before controller reset */ +@@ -1043,6 +1046,11 @@ static int azx_runtime_resume(struct dev + azx_writew(chip, WAKEEN, azx_readw(chip, WAKEEN) & + ~STATESTS_INT_MASK); + ++ /* power down again for link-controlled chips */ ++ if ((chip->driver_caps & AZX_DCAPS_I915_POWERWELL) && ++ !hda->need_i915_power) ++ snd_hdac_display_power(bus, false); ++ + trace_azx_runtime_resume(chip); + return 0; + } diff --git a/queue-4.7/alsa-usb-audio-add-a-sample-rate-quirk-for-creative-live-cam-socialize-hd-vf0610.patch b/queue-4.7/alsa-usb-audio-add-a-sample-rate-quirk-for-creative-live-cam-socialize-hd-vf0610.patch new file mode 100644 index 00000000000..b357fb38075 --- /dev/null +++ b/queue-4.7/alsa-usb-audio-add-a-sample-rate-quirk-for-creative-live-cam-socialize-hd-vf0610.patch 
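Review bot: In azx_resume() the display power well is now raised for every AZX_DCAPS_I915_POWERWELL chip, but the matching `snd_hdac_display_power(bus, false)` for link-controlled chips comes only after hda_intel_init_chip(), so any early return between the two would leave the power reference held. The lines between `pci_enable_msi()` and `hda_intel_init_chip()` are not visible in these hunks, so this has to be checked against the full function. The same applies to azx_runtime_resume(), whose body also extends beyond the hunks. The result of `snd_hdac_display_power(bus, true)` is also discarded in both functions, so a failed power-up would still reach the register accesses the patch is meant to protect. Either check it or add a comment such as `/* power-up failure is tolerated here because ... */` stating why it is safe to continue.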
@@ -0,0 +1,31 @@ +From 7627e40c66b5547e12b6c5673646ceea84797a74 Mon Sep 17 00:00:00 2001 +From: Piotr Karasinski +Date: Sat, 6 Aug 2016 21:23:05 +0200 +Subject: ALSA: usb-audio: Add a sample rate quirk for Creative Live! Cam Socialize HD (VF0610) + +From: Piotr Karasinski + +commit 7627e40c66b5547e12b6c5673646ceea84797a74 upstream. + +VF0610 does not support reading the sample rate which leads to many +lines of "cannot get freq at ep 0x82". This patch adds the USB ID +(0x041E:4080) to snd_usb_get_sample_rate_quirk() list. + +Signed-off-by: Piotr Karasinski +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1128,6 +1128,7 @@ bool snd_usb_get_sample_rate_quirk(struc + { + /* devices which do not support reading the sample rate. */ + switch (chip->usb_id) { ++ case USB_ID(0x041E, 0x4080): /* Creative Live Cam VF0610 */ + case USB_ID(0x045E, 0x075D): /* MS Lifecam Cinema */ + case USB_ID(0x045E, 0x076D): /* MS Lifecam HD-5000 */ + case USB_ID(0x045E, 0x076E): /* MS Lifecam HD-5001 */ diff --git a/queue-4.7/alsa-usb-audio-add-quirk-for-elp-hd-usb-camera.patch b/queue-4.7/alsa-usb-audio-add-quirk-for-elp-hd-usb-camera.patch new file mode 100644 index 00000000000..fb87896995d --- /dev/null +++ b/queue-4.7/alsa-usb-audio-add-quirk-for-elp-hd-usb-camera.patch 
@@ -0,0 +1,31 @@ +From 41f5e3bdbf706a9e98194bf0c4b62a875c02f170 Mon Sep 17 00:00:00 2001 +From: "Vittorio Gambaletta (VittGam)" +Date: Mon, 8 Aug 2016 12:35:40 +0200 +Subject: ALSA: usb-audio: Add quirk for ELP HD USB Camera + +From: Vittorio Gambaletta (VittGam) + +commit 41f5e3bdbf706a9e98194bf0c4b62a875c02f170 upstream. + +The ELP HD USB Camera (05a3:9420) needs this quirk for suppressing +the unsupported sample rate inquiry. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=98481 +Signed-off-by: Vittorio Gambaletta +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1139,6 +1139,7 @@ bool snd_usb_get_sample_rate_quirk(struc + case USB_ID(0x047F, 0xAA05): /* Plantronics DA45 */ + case USB_ID(0x04D8, 0xFEEA): /* Benchmark DAC1 Pre */ + case USB_ID(0x0556, 0x0014): /* Phoenix Audio TMX320VC */ ++ case USB_ID(0x05A3, 0x9420): /* ELP HD USB Camera */ + case USB_ID(0x074D, 0x3553): /* Outlaw RR2150 (Micronas UAC3553B) */ + case USB_ID(0x1de7, 0x0013): /* Phoenix Audio MT202exe */ + case USB_ID(0x1de7, 0x0014): /* Phoenix Audio TMX320 */ diff --git a/queue-4.7/arm64-define-at_vector_size_arch-for-arch_dlinfo.patch b/queue-4.7/arm64-define-at_vector_size_arch-for-arch_dlinfo.patch new file mode 100644 index 00000000000..a29d5dc136f --- /dev/null +++ b/queue-4.7/arm64-define-at_vector_size_arch-for-arch_dlinfo.patch 
@@ -0,0 +1,52 @@ +From 3146bc64d12377a74dbda12b96ea32da3774ae07 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Mon, 25 Jul 2016 16:59:52 +0100 +Subject: arm64: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO + +From: James Hogan + +commit 3146bc64d12377a74dbda12b96ea32da3774ae07 upstream. + +AT_VECTOR_SIZE_ARCH should be defined with the maximum number of +NEW_AUX_ENT entries that ARCH_DLINFO can contain, but it wasn't defined +for arm64 at all even though ARCH_DLINFO will contain one NEW_AUX_ENT +for the VDSO address. + +This shouldn't be a problem as AT_VECTOR_SIZE_BASE includes space for +AT_BASE_PLATFORM which arm64 doesn't use, but lets define it now and add +the comment above ARCH_DLINFO as found in several other architectures to +remind future modifiers of ARCH_DLINFO to keep AT_VECTOR_SIZE_ARCH up to +date. + +Fixes: f668cd1673aa ("arm64: ELF definitions") +Signed-off-by: James Hogan +Cc: Catalin Marinas +Cc: Will Deacon +Cc: linux-arm-kernel@lists.infradead.org +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/elf.h | 1 + + arch/arm64/include/uapi/asm/auxvec.h | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/arch/arm64/include/asm/elf.h ++++ b/arch/arm64/include/asm/elf.h +@@ -140,6 +140,7 @@ typedef struct user_fpsimd_state elf_fpr + + #define SET_PERSONALITY(ex) clear_thread_flag(TIF_32BIT); + ++/* update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT entries changes */ + #define ARCH_DLINFO \ + do { \ + NEW_AUX_ENT(AT_SYSINFO_EHDR, \ +--- a/arch/arm64/include/uapi/asm/auxvec.h ++++ b/arch/arm64/include/uapi/asm/auxvec.h +@@ -19,4 +19,6 @@ + /* vDSO location */ + #define AT_SYSINFO_EHDR 33 + ++#define AT_VECTOR_SIZE_ARCH 1 /* entries in ARCH_DLINFO */ ++ + #endif diff --git a/queue-4.7/efi-capsule-allocate-whole-capsule-into-virtual-memory.patch b/queue-4.7/efi-capsule-allocate-whole-capsule-into-virtual-memory.patch new file mode 100644 index 00000000000..db6fe64f7f5 --- /dev/null 
+++ b/queue-4.7/efi-capsule-allocate-whole-capsule-into-virtual-memory.patch 
@@ -0,0 +1,88 @@ +From 6862e6ad95e984991a6ceec592cf67831658f928 Mon Sep 17 00:00:00 2001 +From: Austin Christ +Date: Thu, 11 Aug 2016 11:42:00 +0100 +Subject: efi/capsule: Allocate whole capsule into virtual memory + +From: Austin Christ + +commit 6862e6ad95e984991a6ceec592cf67831658f928 upstream. + +According to UEFI 2.6 section 7.5.3, the capsule should be in contiguous +virtual memory and firmware may consume the capsule immediately. To +correctly implement this functionality, the kernel driver needs to vmap +the entire capsule at the time it is made available to firmware. + +The virtual allocation of the capsule update has been changed from kmap, +which was only allocating the first page of the update, to vmap, and +allocates the entire data payload. + +Signed-off-by: Austin Christ +Signed-off-by: Matt Fleming +Reviewed-by: Matt Fleming +Reviewed-by: Lee, Chun-Yi +Cc: Andy Lutomirski +Cc: Ard Biesheuvel +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Bryan O'Donoghue +Cc: Denys Vlasenko +Cc: H. 
Peter Anvin +Cc: Josh Poimboeuf +Cc: Kweh Hock Leong +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Link: http://lkml.kernel.org/r/1470912120-22831-3-git-send-email-matt@codeblueprint.co.uk +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firmware/efi/capsule-loader.c | 8 +++++--- + drivers/firmware/efi/capsule.c | 6 +++--- + 2 files changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/firmware/efi/capsule-loader.c ++++ b/drivers/firmware/efi/capsule-loader.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + + #define NO_FURTHER_WRITE_ACTION -1 + +@@ -108,14 +109,15 @@ static ssize_t efi_capsule_submit_update + int ret; + void *cap_hdr_temp; + +- cap_hdr_temp = kmap(cap_info->pages[0]); ++ cap_hdr_temp = vmap(cap_info->pages, cap_info->index, ++ VM_MAP, PAGE_KERNEL); + if (!cap_hdr_temp) { +- pr_debug("%s: kmap() failed\n", __func__); ++ pr_debug("%s: vmap() failed\n", __func__); + return -EFAULT; + } + + ret = efi_capsule_update(cap_hdr_temp, cap_info->pages); +- kunmap(cap_info->pages[0]); ++ vunmap(cap_hdr_temp); + if (ret) { + pr_err("%s: efi_capsule_update() failed\n", __func__); + return ret; +--- a/drivers/firmware/efi/capsule.c ++++ b/drivers/firmware/efi/capsule.c +@@ -190,9 +190,9 @@ efi_capsule_update_locked(efi_capsule_he + * map the capsule described by @capsule with its data in @pages and + * send it to the firmware via the UpdateCapsule() runtime service. + * +- * @capsule must be a virtual mapping of the first page in @pages +- * (@pages[0]) in the kernel address space. That is, a +- * capsule_header_t that describes the entire contents of the capsule ++ * @capsule must be a virtual mapping of the complete capsule update in the ++ * kernel address space, as the capsule can be consumed immediately. ++ * A capsule_header_t that describes the entire contents of the capsule + * must be at the start of the first data page. 
+ * + * Even though this function will validate that the firmware supports diff --git a/queue-4.7/libnvdimm-nd_blk-mask-off-reserved-status-bits.patch b/queue-4.7/libnvdimm-nd_blk-mask-off-reserved-status-bits.patch new file mode 100644 index 00000000000..7d2dff56759 --- /dev/null +++ b/queue-4.7/libnvdimm-nd_blk-mask-off-reserved-status-bits.patch 
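Review bot: In efi_capsule_submit_update() a failed `vmap()` is still reported as -EFAULT, a code carried over from the kmap() path. vmap() most plausibly fails for lack of memory or vmalloc address space, so `return -ENOMEM;` would give user space an accurate error. The mapping length comes from `cap_info->index`, so the patch relies on that field being exactly the number of populated entries in `cap_info->pages` at submit time. That invariant is maintained outside this hunk and deserves a comment at the call, e.g. `/* index == number of pages received, i.e. the whole capsule */`. The function body starts and ends outside the hunk.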
@@ -0,0 +1,54 @@ +From 68202c9f0ad6e16ee806fbadbc5838d55fe5aa5c Mon Sep 17 00:00:00 2001 +From: Ross Zwisler +Date: Fri, 29 Jul 2016 14:59:12 -0600 +Subject: libnvdimm, nd_blk: mask off reserved status bits + +From: Ross Zwisler + +commit 68202c9f0ad6e16ee806fbadbc5838d55fe5aa5c upstream. + +The "NVDIMM Block Window Driver Writer's Guide": + + http://pmem.io/documents/NVDIMM_DriverWritersGuide-July-2016.pdf + +...defines the layout of the block window status register. For the July +2016 version of the spec linked to above, this happens in Figure 4 on +page 26. + +The only bits defined in this spec are bits 31, 5, 4, 2, 1 and 0. The +rest of the bits in the status register are reserved, and there is a +warning following the diagram that says: + + Note: The driver cannot assume the value of the RESERVED bits in the + status register are zero. These reserved bits need to be masked off, and + the driver must avoid checking the state of those bits. + +This change ensures that for hardware implementations that set these +reserved bits in the status register, the driver won't incorrectly fail the +block I/Os. + +Reviewed-by: Lee, Chun-Yi +Signed-off-by: Ross Zwisler +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/nfit.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/nfit.c ++++ b/drivers/acpi/nfit.c +@@ -1396,11 +1396,12 @@ static u32 read_blk_stat(struct nfit_blk + { + struct nfit_blk_mmio *mmio = &nfit_blk->mmio[DCR]; + u64 offset = nfit_blk->stat_offset + mmio->size * bw; ++ const u32 STATUS_MASK = 0x80000037; + + if (mmio->num_lines) + offset = to_interleave_offset(offset, mmio); + +- return readl(mmio->addr.base + offset); ++ return readl(mmio->addr.base + offset) & STATUS_MASK; + } + + static void write_blk_ctl(struct nfit_blk *nfit_blk, unsigned int bw, 
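Review bot: `STATUS_MASK` in read_blk_stat() is a bare `0x80000037` with nothing in the code tying it to the register layout. The commit message lists the defined bits as 31, 5, 4, 2, 1 and 0, and that belongs next to the constant, e.g. `/* defined status bits: 31, 5, 4, 2, 1, 0; all others are reserved and must be ignored */`. An upper-case local `const u32` also reads like a macro. A file-scope `#define`, or named per-bit constants, would follow usual kernel style and let callers that test individual status bits share the definition.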
diff --git a/queue-4.7/mm-slub.c-run-free_partial-outside-of-the-kmem_cache_node-list_lock.patch b/queue-4.7/mm-slub.c-run-free_partial-outside-of-the-kmem_cache_node-list_lock.patch new file mode 100644 index 00000000000..b1cc0b6069c --- /dev/null +++ b/queue-4.7/mm-slub.c-run-free_partial-outside-of-the-kmem_cache_node-list_lock.patch 
@@ -0,0 +1,123 @@ +From 6039892396d845b18228935561960441900cffca Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Wed, 10 Aug 2016 16:27:58 -0700 +Subject: mm/slub.c: run free_partial() outside of the kmem_cache_node->list_lock + +From: Chris Wilson + +commit 6039892396d845b18228935561960441900cffca upstream. + +With debugobjects enabled and using SLAB_DESTROY_BY_RCU, when a +kmem_cache_node is destroyed the call_rcu() may trigger a slab +allocation to fill the debug object pool (__debug_object_init:fill_pool). + +Everywhere but during kmem_cache_destroy(), discard_slab() is performed +outside of the kmem_cache_node->list_lock and avoids a lockdep warning +about potential recursion: + + ============================================= + [ INFO: possible recursive locking detected ] + 4.8.0-rc1-gfxbench+ #1 Tainted: G U + --------------------------------------------- + rmmod/8895 is trying to acquire lock: + (&(&n->list_lock)->rlock){-.-...}, at: [] get_partial_node.isra.63+0x47/0x430 + + but task is already holding lock: + (&(&n->list_lock)->rlock){-.-...}, at: [] __kmem_cache_shutdown+0x54/0x320 + + other info that might help us debug this: + Possible unsafe locking scenario: + CPU0 + ---- + lock(&(&n->list_lock)->rlock); + lock(&(&n->list_lock)->rlock); + + *** DEADLOCK *** + May be due to missing lock nesting notation + 5 locks held by rmmod/8895: + #0: (&dev->mutex){......}, at: driver_detach+0x42/0xc0 + #1: (&dev->mutex){......}, at: driver_detach+0x50/0xc0 + #2: (cpu_hotplug.dep_map){++++++}, at: get_online_cpus+0x2d/0x80 + #3: (slab_mutex){+.+.+.}, at: kmem_cache_destroy+0x3c/0x220 + #4: (&(&n->list_lock)->rlock){-.-...}, at: __kmem_cache_shutdown+0x54/0x320 + + stack backtrace: + CPU: 6 PID: 8895 Comm: rmmod Tainted: G U 4.8.0-rc1-gfxbench+ #1 + Hardware name: Gigabyte Technology Co., Ltd. 
H87M-D3H/H87M-D3H, BIOS F11 08/18/2015 + Call Trace: + __lock_acquire+0x1646/0x1ad0 + lock_acquire+0xb2/0x200 + _raw_spin_lock+0x36/0x50 + get_partial_node.isra.63+0x47/0x430 + ___slab_alloc.constprop.67+0x1a7/0x3b0 + __slab_alloc.isra.64.constprop.66+0x43/0x80 + kmem_cache_alloc+0x236/0x2d0 + __debug_object_init+0x2de/0x400 + debug_object_activate+0x109/0x1e0 + __call_rcu.constprop.63+0x32/0x2f0 + call_rcu+0x12/0x20 + discard_slab+0x3d/0x40 + __kmem_cache_shutdown+0xdb/0x320 + shutdown_cache+0x19/0x60 + kmem_cache_destroy+0x1ae/0x220 + i915_gem_load_cleanup+0x14/0x40 [i915] + i915_driver_unload+0x151/0x180 [i915] + i915_pci_remove+0x14/0x20 [i915] + pci_device_remove+0x34/0xb0 + __device_release_driver+0x95/0x140 + driver_detach+0xb6/0xc0 + bus_remove_driver+0x53/0xd0 + driver_unregister+0x27/0x50 + pci_unregister_driver+0x25/0x70 + i915_exit+0x1a/0x1e2 [i915] + SyS_delete_module+0x193/0x1f0 + entry_SYSCALL_64_fastpath+0x1c/0xac + +Fixes: 52b4b950b507 ("mm: slab: free kmem_cache_node after destroy sysfs file") +Link: http://lkml.kernel.org/r/1470759070-18743-1-git-send-email-chris@chris-wilson.co.uk +Reported-by: Dave Gordon +Signed-off-by: Chris Wilson +Reviewed-by: Vladimir Davydov +Acked-by: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: Dmitry Safonov +Cc: Daniel Vetter +Cc: Dave Gordon +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slub.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -3479,6 +3479,7 @@ static void list_slab_objects(struct kme + */ + static void free_partial(struct kmem_cache *s, struct kmem_cache_node *n) + { ++ LIST_HEAD(discard); + struct page *page, *h; + + BUG_ON(irqs_disabled()); +@@ -3486,13 +3487,16 @@ static void free_partial(struct kmem_cac + list_for_each_entry_safe(page, h, &n->partial, lru) { + if (!page->inuse) { + remove_partial(n, page); +- discard_slab(s, page); ++ 
list_add(&page->lru, &discard); + } else { + list_slab_objects(s, page, + "Objects remaining in %s on __kmem_cache_shutdown()"); + } + } + spin_unlock_irq(&n->list_lock); ++ ++ list_for_each_entry_safe(page, h, &discard, lru) ++ discard_slab(s, page); + } + + /* diff --git a/queue-4.7/parisc-fix-order-of-erefused-define-in-errno.h.patch b/queue-4.7/parisc-fix-order-of-erefused-define-in-errno.h.patch new file mode 100644 index 00000000000..dac19c0e78a --- /dev/null +++ b/queue-4.7/parisc-fix-order-of-erefused-define-in-errno.h.patch 
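Review bot: The reason free_partial() now parks empty slabs on a local `discard` list is recorded only in the commit message, not in the code. A comment above the second loop, such as `/* discard_slab() may allocate (call_rcu with debugobjects), so run it only after list_lock is dropped */`, would stop a later cleanup from folding the two loops back together and reintroducing the recursive-lock path. The `spin_lock_irq()` that opens the critical section lies between the two inner hunks and is not shown.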
@@ -0,0 +1,41 @@ +From 3eb53b20d7bd1374598cfb1feaa081fcac0e76cd Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 20 Aug 2016 11:51:38 +0200 +Subject: parisc: Fix order of EREFUSED define in errno.h + +From: Helge Deller + +commit 3eb53b20d7bd1374598cfb1feaa081fcac0e76cd upstream. + +When building gccgo in userspace, errno.h gets parsed and the go include file +sysinfo.go is generated. + +Since EREFUSED is defined to the same value as ECONNREFUSED, and ECONNREFUSED +is defined later on in errno.h, this leads to go complaining that EREFUSED +isn't defined yet. + +Fix this trivial problem by moving the define of EREFUSED down after +ECONNREFUSED in errno.h (and clean up the indenting while touching this line). + +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/include/uapi/asm/errno.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/parisc/include/uapi/asm/errno.h ++++ b/arch/parisc/include/uapi/asm/errno.h +@@ -97,10 +97,10 @@ + #define ENOTCONN 235 /* Transport endpoint is not connected */ + #define ESHUTDOWN 236 /* Cannot send after transport endpoint shutdown */ + #define ETOOMANYREFS 237 /* Too many references: cannot splice */ +-#define EREFUSED ECONNREFUSED /* for HP's NFS apparently */ + #define ETIMEDOUT 238 /* Connection timed out */ + #define ECONNREFUSED 239 /* Connection refused */ +-#define EREMOTERELEASE 240 /* Remote peer released connection */ ++#define EREFUSED ECONNREFUSED /* for HP's NFS apparently */ ++#define EREMOTERELEASE 240 /* Remote peer released connection */ + #define EHOSTDOWN 241 /* Host is down */ + #define EHOSTUNREACH 242 /* No route to host */ + diff --git a/queue-4.7/perf-intel-pt-fix-occasional-decoding-errors-when-tracing-system-wide.patch b/queue-4.7/perf-intel-pt-fix-occasional-decoding-errors-when-tracing-system-wide.patch new file mode 100644 index 00000000000..fe08642b55a --- /dev/null 
+++ b/queue-4.7/perf-intel-pt-fix-occasional-decoding-errors-when-tracing-system-wide.patch 
@@ -0,0 +1,59 @@ +From 3d918fb13abdbeca7947578f5d7e426eafad7f5e Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Mon, 15 Aug 2016 10:23:04 +0300 +Subject: perf intel-pt: Fix occasional decoding errors when tracing system-wide + +From: Adrian Hunter + +commit 3d918fb13abdbeca7947578f5d7e426eafad7f5e upstream. + +In order to successfully decode Intel PT traces, context switch events +are needed from the moment the trace starts. Currently that is ensured +by using the 'immediate' flag which enables the switch event when it is +opened. + +However, since commit 86c2786994bd ("perf intel-pt: Add support for +PERF_RECORD_SWITCH") that might not always happen. When tracing +system-wide the context switch event is added to the tracking event +which was not set as 'immediate'. Change that so it is. + +Signed-off-by: Adrian Hunter +Cc: Jiri Olsa +Fixes: 86c2786994bd ("perf intel-pt: Add support for PERF_RECORD_SWITCH") +Link: http://lkml.kernel.org/r/1471245784-22580-1-git-send-email-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/arch/x86/util/intel-pt.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/tools/perf/arch/x86/util/intel-pt.c ++++ b/tools/perf/arch/x86/util/intel-pt.c +@@ -501,7 +501,7 @@ static int intel_pt_recording_options(st + struct intel_pt_recording *ptr = + container_of(itr, struct intel_pt_recording, itr); + struct perf_pmu *intel_pt_pmu = ptr->intel_pt_pmu; +- bool have_timing_info; ++ bool have_timing_info, need_immediate = false; + struct perf_evsel *evsel, *intel_pt_evsel = NULL; + const struct cpu_map *cpus = evlist->cpus; + bool privileged = geteuid() == 0 || perf_event_paranoid() < 0; +@@ -655,6 +655,7 @@ static int intel_pt_recording_options(st + ptr->have_sched_switch = 3; + } else { + opts->record_switch_events = true; ++ need_immediate = true; + if (cpu_wide) + ptr->have_sched_switch = 3; + else +@@ -700,6 +701,9 @@ static int 
intel_pt_recording_options(st + tracking_evsel->attr.freq = 0; + tracking_evsel->attr.sample_period = 1; + ++ if (need_immediate) ++ tracking_evsel->immediate = true; ++ + /* In per-cpu case, always need the time of mmap events etc */ + if (!cpu_map__empty(cpus)) { + perf_evsel__set_sample_bit(tracking_evsel, TIME); diff --git a/queue-4.7/series b/queue-4.7/series index f5cb6fb0043..39956ad25a7 100644 --- a/queue-4.7/series +++ b/queue-4.7/series @@ -2,3 +2,17 @@ x86-mm-disable-preemption-during-cr3-read-write.patch uprobes-x86-fix-rip-relative-handling-of-evex-encoded-instructions.patch x86-platform-uv-skip-uv-runtime-services-mapping-in-the-efi_runtime_disabled-case.patch tools-testing-nvdimm-fix-sigterm-vs-hotplug-crash.patch +sunrpc-handle-eaddrnotavail-on-connection-failures.patch +sunrpc-allow-for-upcalls-for-same-uid-but-different-gss-service.patch +alsa-usb-audio-add-a-sample-rate-quirk-for-creative-live-cam-socialize-hd-vf0610.patch +alsa-usb-audio-add-quirk-for-elp-hd-usb-camera.patch +alsa-hda-manage-power-well-properly-for-resume.patch +arm64-define-at_vector_size_arch-for-arch_dlinfo.patch +efi-capsule-allocate-whole-capsule-into-virtual-memory.patch +parisc-fix-order-of-erefused-define-in-errno.h.patch +virtio-fix-memory-leak-in-virtqueue_add.patch +mm-slub.c-run-free_partial-outside-of-the-kmem_cache_node-list_lock.patch +vfio-pci-fix-null-pointer-oops-in-error-interrupt-setup-handling.patch +tracing-fix-tick_stop-tracepoint-symbols-for-user-export.patch +perf-intel-pt-fix-occasional-decoding-errors-when-tracing-system-wide.patch +libnvdimm-nd_blk-mask-off-reserved-status-bits.patch diff --git a/queue-4.7/sunrpc-allow-for-upcalls-for-same-uid-but-different-gss-service.patch b/queue-4.7/sunrpc-allow-for-upcalls-for-same-uid-but-different-gss-service.patch new file mode 100644 index 00000000000..de0b0c3c132 --- /dev/null +++ b/queue-4.7/sunrpc-allow-for-upcalls-for-same-uid-but-different-gss-service.patch 
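Review bot: `bool have_timing_info, need_immediate = false;` in intel_pt_recording_options() puts an uninitialised and an initialised declarator on one line, which makes it easy to misread `have_timing_info` as also starting out false. Declaring the new flag separately, `bool need_immediate = false;`, leaves the existing declaration untouched and makes the intent clear. The assignment `tracking_evsel->immediate = true;` would also benefit from a short comment, for example `/* switch events must be enabled from the start of the trace */`. The function extends well beyond the three inner hunks.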
@@ -0,0 +1,59 @@ +From 9130b8dbc6ac20f2dc5846e1647f5b60eafab6e3 Mon Sep 17 00:00:00 2001 +From: Olga Kornievskaia +Date: Wed, 3 Aug 2016 20:19:48 -0400 +Subject: SUNRPC: allow for upcalls for same uid but different gss service + +From: Olga Kornievskaia + +commit 9130b8dbc6ac20f2dc5846e1647f5b60eafab6e3 upstream. + +It's possible to have simultaneous upcalls for the same UIDs but +different GSS service. In that case, we need to allow for the +upcall to gssd to proceed so that not the same context is used +by two different GSS services. Some servers lock the use of context +to the GSS service. + +Signed-off-by: Olga Kornievskaia +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/auth_gss/auth_gss.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/net/sunrpc/auth_gss/auth_gss.c ++++ b/net/sunrpc/auth_gss/auth_gss.c +@@ -340,12 +340,14 @@ gss_release_msg(struct gss_upcall_msg *g + } + + static struct gss_upcall_msg * +-__gss_find_upcall(struct rpc_pipe *pipe, kuid_t uid) ++__gss_find_upcall(struct rpc_pipe *pipe, kuid_t uid, const struct gss_auth *auth) + { + struct gss_upcall_msg *pos; + list_for_each_entry(pos, &pipe->in_downcall, list) { + if (!uid_eq(pos->uid, uid)) + continue; ++ if (auth && pos->auth->service != auth->service) ++ continue; + atomic_inc(&pos->count); + dprintk("RPC: %s found msg %p\n", __func__, pos); + return pos; +@@ -365,7 +367,7 @@ gss_add_msg(struct gss_upcall_msg *gss_m + struct gss_upcall_msg *old; + + spin_lock(&pipe->lock); +- old = __gss_find_upcall(pipe, gss_msg->uid); ++ old = __gss_find_upcall(pipe, gss_msg->uid, gss_msg->auth); + if (old == NULL) { + atomic_inc(&gss_msg->count); + list_add(&gss_msg->list, &pipe->in_downcall); +@@ -714,7 +716,7 @@ gss_pipe_downcall(struct file *filp, con + err = -ENOENT; + /* Find a matching upcall */ + spin_lock(&pipe->lock); +- gss_msg = __gss_find_upcall(pipe, uid); ++ gss_msg = __gss_find_upcall(pipe, uid, NULL); + if (gss_msg == NULL) { 
+ spin_unlock(&pipe->lock); + goto err_put_ctx; diff --git a/queue-4.7/sunrpc-handle-eaddrnotavail-on-connection-failures.patch b/queue-4.7/sunrpc-handle-eaddrnotavail-on-connection-failures.patch new file mode 100644 index 00000000000..20bc4ddc046 --- /dev/null +++ b/queue-4.7/sunrpc-handle-eaddrnotavail-on-connection-failures.patch @@ -0,0 +1,36 @@ +From 1f4c17a03ba7f430d63dba8c8e08ff1e2712581d Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 1 Aug 2016 13:36:08 -0400 +Subject: SUNRPC: Handle EADDRNOTAVAIL on connection failures + +From: Trond Myklebust + +commit 1f4c17a03ba7f430d63dba8c8e08ff1e2712581d upstream. + +If the connect attempt immediately fails with an EADDRNOTAVAIL error, then +that means our choice of source port number was bad. +This error is expected when we set the SO_REUSEPORT socket option and we +have 2 sockets sharing the same source and destination address and port +combinations. + +Signed-off-by: Trond Myklebust +Fixes: 402e23b4ed9ed ("SUNRPC: Fix stupid typo in xs_sock_set_reuseport") +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/xprtsock.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -2278,6 +2278,10 @@ static int xs_tcp_finish_connecting(stru + /* SYN_SENT! */ + if (xprt->reestablish_timeout < XS_TCP_INIT_REEST_TO) + xprt->reestablish_timeout = XS_TCP_INIT_REEST_TO; ++ break; ++ case -EADDRNOTAVAIL: ++ /* Source port number is unavailable. Try a new one! */ ++ transport->srcport = 0; + } + out: + return ret; diff --git a/queue-4.7/tracing-fix-tick_stop-tracepoint-symbols-for-user-export.patch b/queue-4.7/tracing-fix-tick_stop-tracepoint-symbols-for-user-export.patch new file mode 100644 index 00000000000..66a1b2830c6 --- /dev/null +++ b/queue-4.7/tracing-fix-tick_stop-tracepoint-symbols-for-user-export.patch 
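Review bot: gss_pipe_downcall() calls `__gss_find_upcall(pipe, uid, NULL)`, so the downcall still takes the first pending message for the uid regardless of GSS service, while gss_add_msg() now allows several messages for one uid to be queued at once. Whether a context returned by gssd can then be attached to the upcall of a different service cannot be decided from these hunks. The asymmetry should at least be documented at the helper, e.g. `/* auth == NULL: match on uid only; the downcall path cannot tell services apart */`. The new test also dereferences `pos->auth` unconditionally, and nothing visible here shows that every queued message has a non-NULL auth.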
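Review bot: The new `case -EADDRNOTAVAIL:` in xs_tcp_finish_connecting() is the last label of the switch and ends without a `break;`. The patch itself had to add a `break;` to the preceding case precisely because a label was appended after it. Ending the new case with `break;` after `transport->srcport = 0;` avoids the same silent fall-through the next time a case is added. The switch opens outside the hunk, so the other cases are not visible.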
@@ -0,0 +1,77 @@
+From c87edb36118664f1fa275107c1138b6f47793240 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)"
+Date: Fri, 5 Aug 2016 12:41:52 -0400
+Subject: tracing: Fix tick_stop tracepoint symbols for user export
+
+From: Steven Rostedt (Red Hat)
+
+commit c87edb36118664f1fa275107c1138b6f47793240 upstream.
+
+The symbols used in the tick_stop tracepoint were not being converted
+properly into integers in the trace_stop format file. Instead we had this:
+
+print fmt: "success=%d dependency=%s", REC->success,
+ __print_symbolic(REC->dependency, { 0, "NONE" },
+ { (1 << TICK_DEP_BIT_POSIX_TIMER), "POSIX_TIMER" },
+ { (1 << TICK_DEP_BIT_PERF_EVENTS), "PERF_EVENTS" },
+ { (1 << TICK_DEP_BIT_SCHED), "SCHED" },
+ { (1 << TICK_DEP_BIT_CLOCK_UNSTABLE), "CLOCK_UNSTABLE" })
+
+User space tools have no idea how to parse "TICK_DEP_BIT_SCHED" or the other
+symbols used to do the bit shifting. The reason is that the conversion was
+done with using the TICK_DEP_MASK_* symbols which are just macros that
+convert to the BIT shift itself (with the exception of NONE, which was
+converted properly, because it doesn't use bits, and is defined as zero).
+
+The TICK_DEP_BIT_* needs to be denoted by TRACE_DEFINE_ENUM() in order to
+have this properly converted for user space tools to parse this event.
+
+Cc: Frederic Weisbecker
+Fixes: e6e6cc22e067 ("nohz: Use enum code for tick stop failure tracing message")
+Reported-by: Luiz Capitulino
+Tested-by: Luiz Capitulino
+Signed-off-by: Steven Rostedt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/trace/events/timer.h | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/include/trace/events/timer.h
++++ b/include/trace/events/timer.h
+@@ -330,24 +330,32 @@ TRACE_EVENT(itimer_expire,
+ #ifdef CONFIG_NO_HZ_COMMON
+
+ #define TICK_DEP_NAMES \
+- tick_dep_name(NONE) \
++ tick_dep_mask_name(NONE) \
+ tick_dep_name(POSIX_TIMER) \
+ tick_dep_name(PERF_EVENTS) \
+ tick_dep_name(SCHED) \
+ tick_dep_name_end(CLOCK_UNSTABLE)
+
+ #undef tick_dep_name
++#undef tick_dep_mask_name
+ #undef tick_dep_name_end
+
+-#define tick_dep_name(sdep) TRACE_DEFINE_ENUM(TICK_DEP_MASK_##sdep);
+-#define tick_dep_name_end(sdep) TRACE_DEFINE_ENUM(TICK_DEP_MASK_##sdep);
++/* The MASK will convert to their bits and they need to be processed too */
++#define tick_dep_name(sdep) TRACE_DEFINE_ENUM(TICK_DEP_BIT_##sdep); \
++ TRACE_DEFINE_ENUM(TICK_DEP_MASK_##sdep);
++#define tick_dep_name_end(sdep) TRACE_DEFINE_ENUM(TICK_DEP_BIT_##sdep); \
++ TRACE_DEFINE_ENUM(TICK_DEP_MASK_##sdep);
++/* NONE only has a mask defined for it */
++#define tick_dep_mask_name(sdep) TRACE_DEFINE_ENUM(TICK_DEP_MASK_##sdep);
+
+ TICK_DEP_NAMES
+
+ #undef tick_dep_name
++#undef tick_dep_mask_name
+ #undef tick_dep_name_end
+
+ #define tick_dep_name(sdep) { TICK_DEP_MASK_##sdep, #sdep },
++#define tick_dep_mask_name(sdep) { TICK_DEP_MASK_##sdep, #sdep },
+ #define tick_dep_name_end(sdep) { TICK_DEP_MASK_##sdep, #sdep }
+
+ #define show_tick_dep_name(val) \
diff --git a/queue-4.7/vfio-pci-fix-null-pointer-oops-in-error-interrupt-setup-handling.patch b/queue-4.7/vfio-pci-fix-null-pointer-oops-in-error-interrupt-setup-handling.patch
new file mode 100644
index 00000000000..8c43ba51c63
--- /dev/null
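Review bot: The added comment `/* The MASK will convert to their bits and they need to be processed too */` does not say what has to be exported or why. Going by the commit message, something like `/* TICK_DEP_MASK_* expand to (1 << TICK_DEP_BIT_*), so the BIT enums must be passed to TRACE_DEFINE_ENUM() as well */` would state it. `tick_dep_name` and `tick_dep_name_end` now carry the same two-line body in this stage, so one could be defined in terms of the other to keep the two from drifting apart. The macro block continues past the end of the hunk.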
+++ b/queue-4.7/vfio-pci-fix-null-pointer-oops-in-error-interrupt-setup-handling.patch 
@@ -0,0 +1,153 @@
+From c8952a707556e04374d7b2fdb3a079d63ddf6f2f Mon Sep 17 00:00:00 2001
+From: Alex Williamson
+Date: Mon, 8 Aug 2016 16:16:23 -0600
+Subject: vfio/pci: Fix NULL pointer oops in error interrupt setup handling
+
+From: Alex Williamson
+
+commit c8952a707556e04374d7b2fdb3a079d63ddf6f2f upstream.
+
+There are multiple cases in vfio_pci_set_ctx_trigger_single() where
+we assume we can safely read from our data pointer without actually
+checking whether the user has passed any data via the count field.
+VFIO_IRQ_SET_DATA_NONE in particular is entirely broken since we
+attempt to pull an int32_t file descriptor out before even checking
+the data type. The other data types assume the data pointer contains
+one element of their type as well.
+
+In part this is good news because we were previously restricted from
+doing much sanitization of parameters because it was missed in the
+past and we didn't want to break existing users. Clearly DATA_NONE
+is completely broken, so it must not have any users and we can fix
+it up completely. For DATA_BOOL and DATA_EVENTFD, we'll just
+protect ourselves, returning error when count is zero since we
+previously would have oopsed.
+
+Signed-off-by: Alex Williamson
+Reported-by: Chris Thompson
+Reviewed-by: Eric Auger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/vfio/pci/vfio_pci_intrs.c | 85 +++++++++++++++++++++-----------------
+ 1 file changed, 49 insertions(+), 36 deletions(-)
+
+--- a/drivers/vfio/pci/vfio_pci_intrs.c
++++ b/drivers/vfio/pci/vfio_pci_intrs.c
+@@ -564,67 +564,80 @@ static int vfio_pci_set_msi_trigger(stru
+ }
+
+ static int vfio_pci_set_ctx_trigger_single(struct eventfd_ctx **ctx,
+- uint32_t flags, void *data)
++ unsigned int count, uint32_t flags,
++ void *data)
+ {
+- int32_t fd = *(int32_t *)data;
+-
+- if (!(flags & VFIO_IRQ_SET_DATA_TYPE_MASK))
+- return -EINVAL;
+-
+ /* DATA_NONE/DATA_BOOL enables loopback testing */
+ if (flags & VFIO_IRQ_SET_DATA_NONE) {
+- if (*ctx)
+- eventfd_signal(*ctx, 1);
+- return 0;
++ if (*ctx) {
++ if (count) {
++ eventfd_signal(*ctx, 1);
++ } else {
++ eventfd_ctx_put(*ctx);
++ *ctx = NULL;
++ }
++ return 0;
++ }
+ } else if (flags & VFIO_IRQ_SET_DATA_BOOL) {
+- uint8_t trigger = *(uint8_t *)data;
++ uint8_t trigger;
++
++ if (!count)
++ return -EINVAL;
++
++ trigger = *(uint8_t *)data;
+ if (trigger && *ctx)
+ eventfd_signal(*ctx, 1);
+- return 0;
+- }
+
+- /* Handle SET_DATA_EVENTFD */
+- if (fd == -1) {
+- if (*ctx)
+- eventfd_ctx_put(*ctx);
+- *ctx = NULL;
+ return 0;
+- } else if (fd >= 0) {
+- struct eventfd_ctx *efdctx;
+- efdctx = eventfd_ctx_fdget(fd);
+- if (IS_ERR(efdctx))
+- return PTR_ERR(efdctx);
+- if (*ctx)
+- eventfd_ctx_put(*ctx);
+- *ctx = efdctx;
++ } else if (flags & VFIO_IRQ_SET_DATA_EVENTFD) {
++ int32_t fd;
++
++ if (!count)
++ return -EINVAL;
++
++ fd = *(int32_t *)data;
++ if (fd == -1) {
++ if (*ctx)
++ eventfd_ctx_put(*ctx);
++ *ctx = NULL;
++ } else if (fd >= 0) {
++ struct eventfd_ctx *efdctx;
++
++ efdctx = eventfd_ctx_fdget(fd);
++ if (IS_ERR(efdctx))
++ return PTR_ERR(efdctx);
++
++ if (*ctx)
++ eventfd_ctx_put(*ctx);
++
++ *ctx = efdctx;
++ }
+ return 0;
+- } else
+- return -EINVAL;
++ }
++
++ return -EINVAL;
+ }
+
+ static int vfio_pci_set_err_trigger(struct vfio_pci_device *vdev,
+ unsigned index, unsigned start,
+ unsigned count, uint32_t flags, void *data)
+ {
+- if (index != VFIO_PCI_ERR_IRQ_INDEX)
++ if (index != VFIO_PCI_ERR_IRQ_INDEX || start != 0 || count > 1)
+ return -EINVAL;
+
+- /*
+- * We should sanitize start & count, but that wasn't caught
+- * originally, so this IRQ index must forever ignore them :-(
+- */
+-
+- return vfio_pci_set_ctx_trigger_single(&vdev->err_trigger, flags, data);
++ return vfio_pci_set_ctx_trigger_single(&vdev->err_trigger,
++ count, flags, data);
+ }
+
+ static int vfio_pci_set_req_trigger(struct vfio_pci_device *vdev,
+ unsigned index, unsigned start,
+ unsigned count, uint32_t flags, void *data)
+ {
+- if (index != VFIO_PCI_REQ_IRQ_INDEX || start != 0 || count != 1)
++ if (index != VFIO_PCI_REQ_IRQ_INDEX || start != 0 || count > 1)
+ return -EINVAL;
+
+- return vfio_pci_set_ctx_trigger_single(&vdev->req_trigger, flags, data);
++ return vfio_pci_set_ctx_trigger_single(&vdev->req_trigger,
++ count, flags, data);
+ }
+
+ int vfio_pci_set_irqs_ioctl(struct vfio_pci_device *vdev, uint32_t flags,
diff --git a/queue-4.7/virtio-fix-memory-leak-in-virtqueue_add.patch b/queue-4.7/virtio-fix-memory-leak-in-virtqueue_add.patch
new file mode 100644
index 00000000000..60b2e8d8ce8
--- /dev/null
+++ b/queue-4.7/virtio-fix-memory-leak-in-virtqueue_add.patch
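Review bot: In the `VFIO_IRQ_SET_DATA_NONE` branch a call with `*ctx == NULL` now leaves the if/else chain and reaches the final `return -EINVAL`, whereas `VFIO_IRQ_SET_DATA_BOOL` in the same state returns 0, and `count == 0` with DATA_NONE now releases the eventfd instead of signalling it. Neither is covered by the retained comment `/* DATA_NONE/DATA_BOOL enables loopback testing */`; a comment above the branch such as `/* DATA_NONE: count != 0 signals the trigger, count == 0 tears it down; no trigger set is an error */` would make the contract explicit. The `!count` guards protect the reads through `data` only if the caller sizes that buffer from `count` and the data type, and that code is not visible in this hunk. The hunk ends inside the parameter list of vfio_pci_set_irqs_ioctl.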
@@ -0,0 +1,35 @@
+From 58625edf9e2515ed41dac2a24fa8004030a87b87 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun
+Date: Tue, 2 Aug 2016 14:16:31 +0000
+Subject: virtio: fix memory leak in virtqueue_add()
+
+From: Wei Yongjun
+
+commit 58625edf9e2515ed41dac2a24fa8004030a87b87 upstream.
+
+When using the indirect buffers feature, 'desc' is allocated in
+virtqueue_add() but isn't freed before leaving on a ring full error,
+causing a memory leak.
+
+For example, it seems rather clear that this can trigger
+with virtio net if mergeable buffers are not used.
+
+Signed-off-by: Wei Yongjun
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/virtio/virtio_ring.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/virtio/virtio_ring.c
++++ b/drivers/virtio/virtio_ring.c
+@@ -316,6 +316,8 @@ static inline int virtqueue_add(struct v
+ * host should service the ring ASAP. */
+ if (out_sgs)
+ vq->notify(&vq->vq);
++ if (indirect)
++ kfree(desc);
+ END_USE(vq);
+ return -ENOSPC;
+ }
-- 2.47.2
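Review bot: The `if (indirect) kfree(desc);` release is added only on the -ENOSPC exit shown here; any other early return between the allocation and the point where `desc` is handed to the ring lies outside the hunk and should be checked for the same leak. A short comment such as `/* desc was allocated above only on the indirect path */` would also record why the guard is there, since `desc` presumably refers to ring memory in the non-indirect case and must not be freed then. virtqueue_add starts before and continues after the hunk.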