From 1dbb00ed0b9525d9e8ff14d1319f61c124f72191 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 28 Apr 2017 18:46:36 +0200 Subject: [PATCH] next 3.18 and 4.4 patches --- ...rupted-in-ext4_expand_extra_isize_ea.patch | 91 +++++++++++++++++++ ...op-when-read-from-a-writemostly-disk.patch | 36 ++++++++ ...crash-registers-on-non-crashing-cpus.patch | 57 ++++++++++++ ...-atomicity-for-congestion-map-update.patch | 49 ++++++++++ ...flen-was-smaller-than-wmaxpacketsize.patch | 51 +++++++++++ .../xen-x86-don-t-lose-event-interrupts.patch | 46 ++++++++++ ...ap2-timer-add-probe-for-clocksources.patch | 56 ++++++++++++ .../clk-sunxi-add-apb0-gates-for-h3.patch | 56 ++++++++++++ ...fix-out-of-bound-read-in-__test_aead.patch | 52 +++++++++++ .../drm-amdgpu-fix-array-out-of-bounds.patch | 34 +++++++ ...rupted-in-ext4_expand_extra_isize_ea.patch | 91 +++++++++++++++++++ ...op-when-read-from-a-writemostly-disk.patch | 36 ++++++++ ...crash-registers-on-non-crashing-cpus.patch | 57 ++++++++++++ ..._unmap_single-on-uninitialized-ndata.patch | 64 +++++++++++++ ...race-condition-in-tcf_mirred_release.patch | 79 ++++++++++++++++ ...-atomicity-for-congestion-map-update.patch | 49 ++++++++++ ...the-supply-pointer-if-enabling-fails.patch | 36 ++++++++ ...flen-was-smaller-than-wmaxpacketsize.patch | 51 +++++++++++ .../xen-x86-don-t-lose-event-interrupts.patch | 46 ++++++++++ 19 files changed, 1037 insertions(+) create mode 100644 next-3.18/ext4-check-if-in-inode-xattr-is-corrupted-in-ext4_expand_extra_isize_ea.patch create mode 100644 next-3.18/md-raid1-fix-a-dead-loop-when-read-from-a-writemostly-disk.patch create mode 100644 next-3.18/mips-fix-crash-registers-on-non-crashing-cpus.patch create mode 100644 next-3.18/rds-fix-the-atomicity-for-congestion-map-update.patch create mode 100644 next-3.18/usb-gadget-f_midi-fixed-a-bug-when-buflen-was-smaller-than-wmaxpacketsize.patch create mode 100644 next-3.18/xen-x86-don-t-lose-event-interrupts.patch create mode 100644 next-4.4/arm-omap2-timer-add-probe-for-clocksources.patch create mode 100644 next-4.4/clk-sunxi-add-apb0-gates-for-h3.patch create mode 100644 next-4.4/crypto-testmgr-fix-out-of-bound-read-in-__test_aead.patch create mode 100644 next-4.4/drm-amdgpu-fix-array-out-of-bounds.patch create mode 100644 next-4.4/ext4-check-if-in-inode-xattr-is-corrupted-in-ext4_expand_extra_isize_ea.patch create mode 100644 next-4.4/md-raid1-fix-a-dead-loop-when-read-from-a-writemostly-disk.patch create mode 100644 next-4.4/mips-fix-crash-registers-on-non-crashing-cpus.patch create mode 100644 next-4.4/net-cavium-liquidio-avoid-dma_unmap_single-on-uninitialized-ndata.patch create mode 100644 next-4.4/net_sched-close-another-race-condition-in-tcf_mirred_release.patch create mode 100644 next-4.4/rds-fix-the-atomicity-for-congestion-map-update.patch create mode 100644 next-4.4/regulator-core-clear-the-supply-pointer-if-enabling-fails.patch create mode 100644 next-4.4/usb-gadget-f_midi-fixed-a-bug-when-buflen-was-smaller-than-wmaxpacketsize.patch create mode 100644 next-4.4/xen-x86-don-t-lose-event-interrupts.patch diff --git a/next-3.18/ext4-check-if-in-inode-xattr-is-corrupted-in-ext4_expand_extra_isize_ea.patch b/next-3.18/ext4-check-if-in-inode-xattr-is-corrupted-in-ext4_expand_extra_isize_ea.patch new file mode 100644 index 00000000000..43aa21fd263 --- /dev/null +++ b/next-3.18/ext4-check-if-in-inode-xattr-is-corrupted-in-ext4_expand_extra_isize_ea.patch @@ -0,0 +1,91 @@ +From 9e92f48c34eb2b9af9d12f892e2fe1fce5e8ce35 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Tue, 22 Mar 2016 16:13:15 -0400 +Subject: ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea() + +From: Theodore Ts'o + +commit 9e92f48c34eb2b9af9d12f892e2fe1fce5e8ce35 upstream. + +We aren't checking to see if the in-inode extended attribute is +corrupted before we try to expand the inode's extra isize fields. + +This can lead to potential crashes caused by the BUG_ON() check in +ext4_xattr_shift_entries(). + +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/xattr.c | 32 ++++++++++++++++++++++++++++---- + 1 file changed, 28 insertions(+), 4 deletions(-) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -233,6 +233,27 @@ ext4_xattr_check_block(struct inode *ino + return error; + } + ++static int ++__xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header, ++ void *end, const char *function, unsigned int line) ++{ ++ struct ext4_xattr_entry *entry = IFIRST(header); ++ int error = -EFSCORRUPTED; ++ ++ if (((void *) header >= end) || ++ (header->h_magic != le32_to_cpu(EXT4_XATTR_MAGIC))) ++ goto errout; ++ error = ext4_xattr_check_names(entry, end, entry); ++errout: ++ if (error) ++ __ext4_error_inode(inode, function, line, 0, ++ "corrupted in-inode xattr"); ++ return error; ++} ++ ++#define xattr_check_inode(inode, header, end) \ ++ __xattr_check_inode((inode), (header), (end), __func__, __LINE__) ++ + static inline int + ext4_xattr_check_entry(struct ext4_xattr_entry *entry, size_t size) + { +@@ -344,7 +365,7 @@ ext4_xattr_ibody_get(struct inode *inode + header = IHDR(inode, raw_inode); + entry = IFIRST(header); + end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; +- error = ext4_xattr_check_names(entry, end, entry); ++ error = xattr_check_inode(inode, header, end); + if (error) + goto cleanup; + error = ext4_xattr_find_entry(&entry, name_index, name, +@@ -476,7 +497,7 @@ ext4_xattr_ibody_list(struct dentry *den + raw_inode = ext4_raw_inode(&iloc); + header = IHDR(inode, raw_inode); + end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; +- error = ext4_xattr_check_names(IFIRST(header), end, IFIRST(header)); ++ error = xattr_check_inode(inode, header, end); + if (error) + goto cleanup; + error = ext4_xattr_list_entries(dentry, IFIRST(header), +@@ -993,8 +1014,7 @@ int ext4_xattr_ibody_find(struct inode * + is->s.here = is->s.first; + is->s.end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; + if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) { +- error = ext4_xattr_check_names(IFIRST(header), is->s.end, +- IFIRST(header)); ++ error = xattr_check_inode(inode, header, is->s.end); + if (error) + return error; + /* Find the named attribute. */ +@@ -1291,6 +1311,10 @@ retry: + last = entry; + total_ino = sizeof(struct ext4_xattr_ibody_header); + ++ error = xattr_check_inode(inode, header, end); ++ if (error) ++ goto cleanup; ++ + free = ext4_xattr_free_space(last, &min_offs, base, &total_ino); + if (free >= new_extra_isize) { + entry = IFIRST(header); diff --git a/next-3.18/md-raid1-fix-a-dead-loop-when-read-from-a-writemostly-disk.patch b/next-3.18/md-raid1-fix-a-dead-loop-when-read-from-a-writemostly-disk.patch new file mode 100644 index 00000000000..16deb70dfe2 --- /dev/null +++ b/next-3.18/md-raid1-fix-a-dead-loop-when-read-from-a-writemostly-disk.patch @@ -0,0 +1,36 @@ +From 816b0acf3deb6d6be5d0519b286fdd4bafade905 Mon Sep 17 00:00:00 2001 +From: Wei Fang +Date: Mon, 21 Mar 2016 19:18:32 +0800 +Subject: md:raid1: fix a dead loop when read from a WriteMostly disk + +From: Wei Fang + +commit 816b0acf3deb6d6be5d0519b286fdd4bafade905 upstream. + +If first_bad == this_sector when we get the WriteMostly disk +in read_balance(), valid disk will be returned with zero +max_sectors. It'll lead to a dead loop in make_request(), and +OOM will happen because of endless allocation of struct bio. + +Since we can't get data from this disk in this case, so +continue for another disk. + +Signed-off-by: Wei Fang +Signed-off-by: Shaohua Li +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -563,7 +563,7 @@ static int read_balance(struct r1conf *c + if (best_dist_disk < 0) { + if (is_badblock(rdev, this_sector, sectors, + &first_bad, &bad_sectors)) { +- if (first_bad < this_sector) ++ if (first_bad <= this_sector) + /* Cannot use this */ + continue; + best_good_sectors = first_bad - this_sector; diff --git a/next-3.18/mips-fix-crash-registers-on-non-crashing-cpus.patch b/next-3.18/mips-fix-crash-registers-on-non-crashing-cpus.patch new file mode 100644 index 00000000000..201473268c4 --- /dev/null +++ b/next-3.18/mips-fix-crash-registers-on-non-crashing-cpus.patch @@ -0,0 +1,57 @@ +From c80e1b62ffca52e2d1d865ee58bc79c4c0c55005 Mon Sep 17 00:00:00 2001 +From: Corey Minyard +Date: Mon, 11 Apr 2016 09:10:19 -0500 +Subject: MIPS: Fix crash registers on non-crashing CPUs + +From: Corey Minyard + +commit c80e1b62ffca52e2d1d865ee58bc79c4c0c55005 upstream. + +As part of handling a crash on an SMP system, an IPI is send to +all other CPUs to save their current registers and stop. It was +using task_pt_regs(current) to get the registers, but that will +only be accurate if the CPU was interrupted running in userland. +Instead allow the architecture to pass in the registers (all +pass NULL now, but allow for the future) and then use get_irq_regs() +which should be accurate as we are in an interrupt. Fall back to +task_pt_regs(current) if nothing else is available. + +Signed-off-by: Corey Minyard +Cc: David Daney +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/13050/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/crash.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/arch/mips/kernel/crash.c ++++ b/arch/mips/kernel/crash.c +@@ -14,12 +14,22 @@ static int crashing_cpu = -1; + static cpumask_t cpus_in_crash = CPU_MASK_NONE; + + #ifdef CONFIG_SMP +-static void crash_shutdown_secondary(void *ignore) ++static void crash_shutdown_secondary(void *passed_regs) + { +- struct pt_regs *regs; ++ struct pt_regs *regs = passed_regs; + int cpu = smp_processor_id(); + +- regs = task_pt_regs(current); ++ /* ++ * If we are passed registers, use those. Otherwise get the ++ * regs from the last interrupt, which should be correct, as ++ * we are in an interrupt. But if the regs are not there, ++ * pull them from the top of the stack. They are probably ++ * wrong, but we need something to keep from crashing again. ++ */ ++ if (!regs) ++ regs = get_irq_regs(); ++ if (!regs) ++ regs = task_pt_regs(current); + + if (!cpu_online(cpu)) + return; diff --git a/next-3.18/rds-fix-the-atomicity-for-congestion-map-update.patch b/next-3.18/rds-fix-the-atomicity-for-congestion-map-update.patch new file mode 100644 index 00000000000..1a848b5645c --- /dev/null +++ b/next-3.18/rds-fix-the-atomicity-for-congestion-map-update.patch @@ -0,0 +1,49 @@ +From e47db94e10447fc467777a40302f2b393e9af2fa Mon Sep 17 00:00:00 2001 +From: "santosh.shilimkar@oracle.com" +Date: Thu, 14 Apr 2016 10:43:27 -0700 +Subject: RDS: Fix the atomicity for congestion map update + +From: santosh.shilimkar@oracle.com + +commit e47db94e10447fc467777a40302f2b393e9af2fa upstream. + +Two different threads with different rds sockets may be in +rds_recv_rcvbuf_delta() via receive path. If their ports +both map to the same word in the congestion map, then +using non-atomic ops to update it could cause the map to +be incorrect. Lets use atomics to avoid such an issue. + +Full credit to Wengang for +finding the issue, analysing it and also pointing out +to offending code with spin lock based fix. + +Reviewed-by: Leon Romanovsky +Signed-off-by: Wengang Wang +Signed-off-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/rds/cong.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/rds/cong.c ++++ b/net/rds/cong.c +@@ -285,7 +285,7 @@ void rds_cong_set_bit(struct rds_cong_ma + i = be16_to_cpu(port) / RDS_CONG_MAP_PAGE_BITS; + off = be16_to_cpu(port) % RDS_CONG_MAP_PAGE_BITS; + +- __set_bit_le(off, (void *)map->m_page_addrs[i]); ++ set_bit_le(off, (void *)map->m_page_addrs[i]); + } + + void rds_cong_clear_bit(struct rds_cong_map *map, __be16 port) +@@ -299,7 +299,7 @@ void rds_cong_clear_bit(struct rds_cong_ + i = be16_to_cpu(port) / RDS_CONG_MAP_PAGE_BITS; + off = be16_to_cpu(port) % RDS_CONG_MAP_PAGE_BITS; + +- __clear_bit_le(off, (void *)map->m_page_addrs[i]); ++ clear_bit_le(off, (void *)map->m_page_addrs[i]); + } + + static int rds_cong_test_bit(struct rds_cong_map *map, __be16 port) diff --git a/next-3.18/usb-gadget-f_midi-fixed-a-bug-when-buflen-was-smaller-than-wmaxpacketsize.patch b/next-3.18/usb-gadget-f_midi-fixed-a-bug-when-buflen-was-smaller-than-wmaxpacketsize.patch new file mode 100644 index 00000000000..6b4eb6b6fe7 --- /dev/null +++ b/next-3.18/usb-gadget-f_midi-fixed-a-bug-when-buflen-was-smaller-than-wmaxpacketsize.patch @@ -0,0 +1,51 @@ +From 03d27ade4941076b34c823d63d91dc895731a595 Mon Sep 17 00:00:00 2001 +From: "Felipe F. Tonello" +Date: Wed, 9 Mar 2016 19:39:30 +0000 +Subject: usb: gadget: f_midi: Fixed a bug when buflen was smaller than wMaxPacketSize + +From: Felipe F. Tonello + +commit 03d27ade4941076b34c823d63d91dc895731a595 upstream. + +buflen by default (256) is smaller than wMaxPacketSize (512) in high-speed +devices. + +That caused the OUT endpoint to freeze if the host send any data packet of +length greater than 256 bytes. + +This is an example dump of what happended on that enpoint: +HOST: [DATA][Length=260][...] +DEVICE: [NAK] +HOST: [PING] +DEVICE: [NAK] +HOST: [PING] +DEVICE: [NAK] +... +HOST: [PING] +DEVICE: [NAK] + +This patch fixes this problem by setting the minimum usb_request's buffer size +for the OUT endpoint as its wMaxPacketSize. + +Acked-by: Michal Nazarewicz +Signed-off-by: Felipe F. Tonello +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_midi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_midi.c ++++ b/drivers/usb/gadget/function/f_midi.c +@@ -357,7 +357,9 @@ static int f_midi_set_alt(struct usb_fun + /* allocate a bunch of read buffers and queue them all at once. */ + for (i = 0; i < midi->qlen && err == 0; i++) { + struct usb_request *req = +- midi_alloc_ep_req(midi->out_ep, midi->buflen); ++ midi_alloc_ep_req(midi->out_ep, ++ max_t(unsigned, midi->buflen, ++ bulk_out_desc.wMaxPacketSize)); + if (req == NULL) + return -ENOMEM; + diff --git a/next-3.18/xen-x86-don-t-lose-event-interrupts.patch b/next-3.18/xen-x86-don-t-lose-event-interrupts.patch new file mode 100644 index 00000000000..3b2595612c1 --- /dev/null +++ b/next-3.18/xen-x86-don-t-lose-event-interrupts.patch @@ -0,0 +1,46 @@ +From c06b6d70feb32d28f04ba37aa3df17973fd37b6b Mon Sep 17 00:00:00 2001 +From: Stefano Stabellini +Date: Fri, 15 Apr 2016 18:23:00 -0700 +Subject: xen/x86: don't lose event interrupts + +From: Stefano Stabellini + +commit c06b6d70feb32d28f04ba37aa3df17973fd37b6b upstream. + +On slow platforms with unreliable TSC, such as QEMU emulated machines, +it is possible for the kernel to request the next event in the past. In +that case, in the current implementation of xen_vcpuop_clockevent, we +simply return -ETIME. To be precise the Xen returns -ETIME and we pass +it on. However the result of this is a missed event, which simply causes +the kernel to hang. + +Instead it is better to always ask the hypervisor for a timer event, +even if the timeout is in the past. That way there are no lost +interrupts and the kernel survives. To do that, remove the +VCPU_SSHOTTMR_future flag. + +Signed-off-by: Stefano Stabellini +Acked-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/xen/time.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/x86/xen/time.c ++++ b/arch/x86/xen/time.c +@@ -362,11 +362,11 @@ static int xen_vcpuop_set_next_event(uns + WARN_ON(evt->mode != CLOCK_EVT_MODE_ONESHOT); + + single.timeout_abs_ns = get_abs_timeout(delta); +- single.flags = VCPU_SSHOTTMR_future; ++ /* Get an event anyway, even if the timeout is already expired */ ++ single.flags = 0; + + ret = HYPERVISOR_vcpu_op(VCPUOP_set_singleshot_timer, cpu, &single); +- +- BUG_ON(ret != 0 && ret != -ETIME); ++ BUG_ON(ret != 0); + + return ret; + } diff --git a/next-4.4/arm-omap2-timer-add-probe-for-clocksources.patch b/next-4.4/arm-omap2-timer-add-probe-for-clocksources.patch new file mode 100644 index 00000000000..6528a1876a4 --- /dev/null +++ b/next-4.4/arm-omap2-timer-add-probe-for-clocksources.patch @@ -0,0 +1,56 @@ +From 970f9091d25df14e9540ec7ff48a2f709e284cd1 Mon Sep 17 00:00:00 2001 +From: Tero Kristo +Date: Thu, 16 Jun 2016 15:25:18 +0300 +Subject: ARM: OMAP2+: timer: add probe for clocksources + +From: Tero Kristo + +commit 970f9091d25df14e9540ec7ff48a2f709e284cd1 upstream. + +A few platforms are currently missing clocksource_probe() completely +in their time_init functionality. On OMAP3430 for example, this is +causing cpuidle to be pretty much dead, as the counter32k is not +going to be registered and instead a gptimer is used as a clocksource. +This will tick in periodic mode, preventing any deeper idle states. + +While here, also drop one unnecessary check for populated DT before +existing clocksource_probe() call. + +Signed-off-by: Tero Kristo +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-omap2/timer.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/arm/mach-omap2/timer.c ++++ b/arch/arm/mach-omap2/timer.c +@@ -496,8 +496,7 @@ void __init omap_init_time(void) + __omap_sync32k_timer_init(1, "timer_32k_ck", "ti,timer-alwon", + 2, "timer_sys_ck", NULL, false); + +- if (of_have_populated_dt()) +- clocksource_probe(); ++ clocksource_probe(); + } + + #if defined(CONFIG_ARCH_OMAP3) || defined(CONFIG_SOC_AM43XX) +@@ -505,6 +504,8 @@ void __init omap3_secure_sync32k_timer_i + { + __omap_sync32k_timer_init(12, "secure_32k_fck", "ti,timer-secure", + 2, "timer_sys_ck", NULL, false); ++ ++ clocksource_probe(); + } + #endif /* CONFIG_ARCH_OMAP3 */ + +@@ -513,6 +514,8 @@ void __init omap3_gptimer_timer_init(voi + { + __omap_sync32k_timer_init(2, "timer_sys_ck", NULL, + 1, "timer_sys_ck", "ti,timer-alwon", true); ++ ++ clocksource_probe(); + } + #endif + diff --git a/next-4.4/clk-sunxi-add-apb0-gates-for-h3.patch b/next-4.4/clk-sunxi-add-apb0-gates-for-h3.patch new file mode 100644 index 00000000000..827dbb6f1f9 --- /dev/null +++ b/next-4.4/clk-sunxi-add-apb0-gates-for-h3.patch @@ -0,0 +1,56 @@ +From 6e17b4181603d183d20c73f4535529ddf2a2a020 Mon Sep 17 00:00:00 2001 +From: Krzysztof Adamski +Date: Mon, 22 Feb 2016 14:03:25 +0100 +Subject: clk: sunxi: Add apb0 gates for H3 + +From: Krzysztof Adamski + +commit 6e17b4181603d183d20c73f4535529ddf2a2a020 upstream. + +This patch adds support for APB0 in H3. It seems to be compatible with +earlier SOCs. apb0 gates controls R_ block peripherals (R_PIO, R_IR, +etc). + +Since this gates behave just like any Allwinner clock gate, add a generic +compatible that can be reused if we don't have any clock to protect. + +Signed-off-by: Krzysztof Adamski +[Maxime: Removed the H3 compatible from the simple-gates driver, reworked + the commit log a bit] +Signed-off-by: Maxime Ripard +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/devicetree/bindings/clock/sunxi.txt | 2 ++ + drivers/clk/sunxi/clk-simple-gates.c | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/Documentation/devicetree/bindings/clock/sunxi.txt ++++ b/Documentation/devicetree/bindings/clock/sunxi.txt +@@ -18,6 +18,7 @@ Required properties: + "allwinner,sun4i-a10-cpu-clk" - for the CPU multiplexer clock + "allwinner,sun4i-a10-axi-clk" - for the AXI clock + "allwinner,sun8i-a23-axi-clk" - for the AXI clock on A23 ++ "allwinner,sun4i-a10-gates-clk" - for generic gates on all compatible SoCs + "allwinner,sun4i-a10-axi-gates-clk" - for the AXI gates + "allwinner,sun4i-a10-ahb-clk" - for the AHB clock + "allwinner,sun5i-a13-ahb-clk" - for the AHB clock on A13 +@@ -43,6 +44,7 @@ Required properties: + "allwinner,sun6i-a31-apb0-gates-clk" - for the APB0 gates on A31 + "allwinner,sun7i-a20-apb0-gates-clk" - for the APB0 gates on A20 + "allwinner,sun8i-a23-apb0-gates-clk" - for the APB0 gates on A23 ++ "allwinner,sun8i-h3-apb0-gates-clk" - for the APB0 gates on H3 + "allwinner,sun9i-a80-apb0-gates-clk" - for the APB0 gates on A80 + "allwinner,sun4i-a10-apb1-clk" - for the APB1 clock + "allwinner,sun9i-a80-apb1-clk" - for the APB1 bus clock on A80 +--- a/drivers/clk/sunxi/clk-simple-gates.c ++++ b/drivers/clk/sunxi/clk-simple-gates.c +@@ -98,6 +98,8 @@ static void __init sunxi_simple_gates_in + sunxi_simple_gates_setup(node, NULL, 0); + } + ++CLK_OF_DECLARE(sun4i_a10_gates, "allwinner,sun4i-a10-gates-clk", ++ sunxi_simple_gates_init); + CLK_OF_DECLARE(sun4i_a10_apb0, "allwinner,sun4i-a10-apb0-gates-clk", + sunxi_simple_gates_init); + CLK_OF_DECLARE(sun4i_a10_apb1, "allwinner,sun4i-a10-apb1-gates-clk", diff --git a/next-4.4/crypto-testmgr-fix-out-of-bound-read-in-__test_aead.patch b/next-4.4/crypto-testmgr-fix-out-of-bound-read-in-__test_aead.patch new file mode 100644 index 00000000000..df71623550b --- /dev/null +++ b/next-4.4/crypto-testmgr-fix-out-of-bound-read-in-__test_aead.patch @@ -0,0 +1,52 @@ +From abfa7f4357e3640fdee87dfc276fd0f379fb5ae6 Mon Sep 17 00:00:00 2001 +From: Jerome Marchand +Date: Wed, 3 Feb 2016 13:58:12 +0100 +Subject: crypto: testmgr - fix out of bound read in __test_aead() + +From: Jerome Marchand + +commit abfa7f4357e3640fdee87dfc276fd0f379fb5ae6 upstream. + +__test_aead() reads MAX_IVLEN bytes from template[i].iv, but the +actual length of the initialisation vector can be shorter. +The length of the IV is already calculated earlier in the +function. Let's just reuses that. Also the IV length is currently +calculated several time for no reason. Let's fix that too. +This fix an out-of-bound error detected by KASan. + +Signed-off-by: Jerome Marchand +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/testmgr.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/crypto/testmgr.c ++++ b/crypto/testmgr.c +@@ -488,6 +488,8 @@ static int __test_aead(struct crypto_aea + aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, + tcrypt_complete, &result); + ++ iv_len = crypto_aead_ivsize(tfm); ++ + for (i = 0, j = 0; i < tcount; i++) { + if (template[i].np) + continue; +@@ -508,7 +510,6 @@ static int __test_aead(struct crypto_aea + + memcpy(input, template[i].input, template[i].ilen); + memcpy(assoc, template[i].assoc, template[i].alen); +- iv_len = crypto_aead_ivsize(tfm); + if (template[i].iv) + memcpy(iv, template[i].iv, iv_len); + else +@@ -617,7 +618,7 @@ static int __test_aead(struct crypto_aea + j++; + + if (template[i].iv) +- memcpy(iv, template[i].iv, MAX_IVLEN); ++ memcpy(iv, template[i].iv, iv_len); + else + memset(iv, 0, MAX_IVLEN); + diff --git a/next-4.4/drm-amdgpu-fix-array-out-of-bounds.patch b/next-4.4/drm-amdgpu-fix-array-out-of-bounds.patch new file mode 100644 index 00000000000..054e57c58a2 --- /dev/null +++ b/next-4.4/drm-amdgpu-fix-array-out-of-bounds.patch @@ -0,0 +1,34 @@ +From 484f689fc9d4eb91c68f53e97dc355b1b06c3edb Mon Sep 17 00:00:00 2001 +From: tom will +Date: Mon, 16 May 2016 10:31:07 -0400 +Subject: drm/amdgpu: fix array out of bounds + +From: tom will + +commit 484f689fc9d4eb91c68f53e97dc355b1b06c3edb upstream. + +When the initial value of i is greater than zero, +it may cause endless loop, resulting in array out +of bounds, fix it. + +This is a port of the radeon fix to amdgpu. + +Signed-off-by: tom will +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/kv_dpm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c ++++ b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c +@@ -2258,7 +2258,7 @@ static void kv_apply_state_adjust_rules( + if (pi->caps_stable_p_state) { + stable_p_state_sclk = (max_limits->sclk * 75) / 100; + +- for (i = table->count - 1; i >= 0; i++) { ++ for (i = table->count - 1; i >= 0; i--) { + if (stable_p_state_sclk >= table->entries[i].clk) { + stable_p_state_sclk = table->entries[i].clk; + break; diff --git a/next-4.4/ext4-check-if-in-inode-xattr-is-corrupted-in-ext4_expand_extra_isize_ea.patch b/next-4.4/ext4-check-if-in-inode-xattr-is-corrupted-in-ext4_expand_extra_isize_ea.patch new file mode 100644 index 00000000000..525e2dbdf55 --- /dev/null +++ b/next-4.4/ext4-check-if-in-inode-xattr-is-corrupted-in-ext4_expand_extra_isize_ea.patch @@ -0,0 +1,91 @@ +From 9e92f48c34eb2b9af9d12f892e2fe1fce5e8ce35 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Tue, 22 Mar 2016 16:13:15 -0400 +Subject: ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea() + +From: Theodore Ts'o + +commit 9e92f48c34eb2b9af9d12f892e2fe1fce5e8ce35 upstream. + +We aren't checking to see if the in-inode extended attribute is +corrupted before we try to expand the inode's extra isize fields. + +This can lead to potential crashes caused by the BUG_ON() check in +ext4_xattr_shift_entries(). + +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/xattr.c | 32 ++++++++++++++++++++++++++++---- + 1 file changed, 28 insertions(+), 4 deletions(-) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -233,6 +233,27 @@ ext4_xattr_check_block(struct inode *ino + return error; + } + ++static int ++__xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header, ++ void *end, const char *function, unsigned int line) ++{ ++ struct ext4_xattr_entry *entry = IFIRST(header); ++ int error = -EFSCORRUPTED; ++ ++ if (((void *) header >= end) || ++ (header->h_magic != le32_to_cpu(EXT4_XATTR_MAGIC))) ++ goto errout; ++ error = ext4_xattr_check_names(entry, end, entry); ++errout: ++ if (error) ++ __ext4_error_inode(inode, function, line, 0, ++ "corrupted in-inode xattr"); ++ return error; ++} ++ ++#define xattr_check_inode(inode, header, end) \ ++ __xattr_check_inode((inode), (header), (end), __func__, __LINE__) ++ + static inline int + ext4_xattr_check_entry(struct ext4_xattr_entry *entry, size_t size) + { +@@ -344,7 +365,7 @@ ext4_xattr_ibody_get(struct inode *inode + header = IHDR(inode, raw_inode); + entry = IFIRST(header); + end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; +- error = ext4_xattr_check_names(entry, end, entry); ++ error = xattr_check_inode(inode, header, end); + if (error) + goto cleanup; + error = ext4_xattr_find_entry(&entry, name_index, name, +@@ -475,7 +496,7 @@ ext4_xattr_ibody_list(struct dentry *den + raw_inode = ext4_raw_inode(&iloc); + header = IHDR(inode, raw_inode); + end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; +- error = ext4_xattr_check_names(IFIRST(header), end, IFIRST(header)); ++ error = xattr_check_inode(inode, header, end); + if (error) + goto cleanup; + error = ext4_xattr_list_entries(dentry, IFIRST(header), +@@ -991,8 +1012,7 @@ int ext4_xattr_ibody_find(struct inode * + is->s.here = is->s.first; + is->s.end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; + if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) { +- error = ext4_xattr_check_names(IFIRST(header), is->s.end, +- IFIRST(header)); ++ error = xattr_check_inode(inode, header, is->s.end); + if (error) + return error; + /* Find the named attribute. */ +@@ -1293,6 +1313,10 @@ retry: + last = entry; + total_ino = sizeof(struct ext4_xattr_ibody_header); + ++ error = xattr_check_inode(inode, header, end); ++ if (error) ++ goto cleanup; ++ + free = ext4_xattr_free_space(last, &min_offs, base, &total_ino); + if (free >= isize_diff) { + entry = IFIRST(header); diff --git a/next-4.4/md-raid1-fix-a-dead-loop-when-read-from-a-writemostly-disk.patch b/next-4.4/md-raid1-fix-a-dead-loop-when-read-from-a-writemostly-disk.patch new file mode 100644 index 00000000000..234941eb745 --- /dev/null +++ b/next-4.4/md-raid1-fix-a-dead-loop-when-read-from-a-writemostly-disk.patch @@ -0,0 +1,36 @@ +From 816b0acf3deb6d6be5d0519b286fdd4bafade905 Mon Sep 17 00:00:00 2001 +From: Wei Fang +Date: Mon, 21 Mar 2016 19:18:32 +0800 +Subject: md:raid1: fix a dead loop when read from a WriteMostly disk + +From: Wei Fang + +commit 816b0acf3deb6d6be5d0519b286fdd4bafade905 upstream. + +If first_bad == this_sector when we get the WriteMostly disk +in read_balance(), valid disk will be returned with zero +max_sectors. It'll lead to a dead loop in make_request(), and +OOM will happen because of endless allocation of struct bio. + +Since we can't get data from this disk in this case, so +continue for another disk. + +Signed-off-by: Wei Fang +Signed-off-by: Shaohua Li +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -570,7 +570,7 @@ static int read_balance(struct r1conf *c + if (best_dist_disk < 0) { + if (is_badblock(rdev, this_sector, sectors, + &first_bad, &bad_sectors)) { +- if (first_bad < this_sector) ++ if (first_bad <= this_sector) + /* Cannot use this */ + continue; + best_good_sectors = first_bad - this_sector; diff --git a/next-4.4/mips-fix-crash-registers-on-non-crashing-cpus.patch b/next-4.4/mips-fix-crash-registers-on-non-crashing-cpus.patch new file mode 100644 index 00000000000..201473268c4 --- /dev/null +++ b/next-4.4/mips-fix-crash-registers-on-non-crashing-cpus.patch @@ -0,0 +1,57 @@ +From c80e1b62ffca52e2d1d865ee58bc79c4c0c55005 Mon Sep 17 00:00:00 2001 +From: Corey Minyard +Date: Mon, 11 Apr 2016 09:10:19 -0500 +Subject: MIPS: Fix crash registers on non-crashing CPUs + +From: Corey Minyard + +commit c80e1b62ffca52e2d1d865ee58bc79c4c0c55005 upstream. + +As part of handling a crash on an SMP system, an IPI is send to +all other CPUs to save their current registers and stop. It was +using task_pt_regs(current) to get the registers, but that will +only be accurate if the CPU was interrupted running in userland. +Instead allow the architecture to pass in the registers (all +pass NULL now, but allow for the future) and then use get_irq_regs() +which should be accurate as we are in an interrupt. Fall back to +task_pt_regs(current) if nothing else is available. + +Signed-off-by: Corey Minyard +Cc: David Daney +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/13050/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/crash.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/arch/mips/kernel/crash.c ++++ b/arch/mips/kernel/crash.c +@@ -14,12 +14,22 @@ static int crashing_cpu = -1; + static cpumask_t cpus_in_crash = CPU_MASK_NONE; + + #ifdef CONFIG_SMP +-static void crash_shutdown_secondary(void *ignore) ++static void crash_shutdown_secondary(void *passed_regs) + { +- struct pt_regs *regs; ++ struct pt_regs *regs = passed_regs; + int cpu = smp_processor_id(); + +- regs = task_pt_regs(current); ++ /* ++ * If we are passed registers, use those. Otherwise get the ++ * regs from the last interrupt, which should be correct, as ++ * we are in an interrupt. But if the regs are not there, ++ * pull them from the top of the stack. They are probably ++ * wrong, but we need something to keep from crashing again. ++ */ ++ if (!regs) ++ regs = get_irq_regs(); ++ if (!regs) ++ regs = task_pt_regs(current); + + if (!cpu_online(cpu)) + return; diff --git a/next-4.4/net-cavium-liquidio-avoid-dma_unmap_single-on-uninitialized-ndata.patch b/next-4.4/net-cavium-liquidio-avoid-dma_unmap_single-on-uninitialized-ndata.patch new file mode 100644 index 00000000000..d7742474fc9 --- /dev/null +++ b/next-4.4/net-cavium-liquidio-avoid-dma_unmap_single-on-uninitialized-ndata.patch @@ -0,0 +1,64 @@ +From 8e6ce7ebeb34f0992f56de078c3744fb383657fa Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 15 Jul 2016 16:42:16 -0700 +Subject: net: cavium: liquidio: Avoid dma_unmap_single on uninitialized ndata + +From: Florian Fainelli + +commit 8e6ce7ebeb34f0992f56de078c3744fb383657fa upstream. + +The label lio_xmit_failed is used 3 times through liquidio_xmit() but it +always makes a call to dma_unmap_single() using potentially +uninitialized variables from "ndata" variable. Out of the 3 gotos, 2 run +after ndata has been initialized, and had a prior dma_map_single() call. + +Fix this by adding a new error label: lio_xmit_dma_failed which does +this dma_unmap_single() and then processed with the lio_xmit_failed +fallthrough. + +Fixes: f21fb3ed364bb ("Add support of Cavium Liquidio ethernet adapters") +Reported-by: coverity (CID 1309740) +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/cavium/liquidio/lio_main.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c +@@ -2823,7 +2823,7 @@ static int liquidio_xmit(struct sk_buff + if (!g) { + netif_info(lio, tx_err, lio->netdev, + "Transmit scatter gather: glist null!\n"); +- goto lio_xmit_failed; ++ goto lio_xmit_dma_failed; + } + + cmdsetup.s.gather = 1; +@@ -2894,7 +2894,7 @@ static int liquidio_xmit(struct sk_buff + else + status = octnet_send_nic_data_pkt(oct, &ndata, xmit_more); + if (status == IQ_SEND_FAILED) +- goto lio_xmit_failed; ++ goto lio_xmit_dma_failed; + + netif_info(lio, tx_queued, lio->netdev, "Transmit queued successfully\n"); + +@@ -2908,12 +2908,13 @@ static int liquidio_xmit(struct sk_buff + + return NETDEV_TX_OK; + ++lio_xmit_dma_failed: ++ dma_unmap_single(&oct->pci_dev->dev, ndata.cmd.dptr, ++ ndata.datasize, DMA_TO_DEVICE); + lio_xmit_failed: + stats->tx_dropped++; + netif_info(lio, tx_err, lio->netdev, "IQ%d Transmit dropped:%llu\n", + iq_no, stats->tx_dropped); +- dma_unmap_single(&oct->pci_dev->dev, ndata.cmd.dptr, +- ndata.datasize, DMA_TO_DEVICE); + recv_buffer_free(skb); + return NETDEV_TX_OK; + } diff --git a/next-4.4/net_sched-close-another-race-condition-in-tcf_mirred_release.patch b/next-4.4/net_sched-close-another-race-condition-in-tcf_mirred_release.patch new file mode 100644 index 00000000000..723591ca60e --- /dev/null +++ b/next-4.4/net_sched-close-another-race-condition-in-tcf_mirred_release.patch @@ -0,0 +1,79 @@ +From dc327f8931cb9d66191f489eb9a852fc04530546 Mon Sep 17 00:00:00 2001 +From: WANG Cong +Date: Mon, 16 May 2016 15:11:18 -0700 +Subject: net_sched: close another race condition in tcf_mirred_release() + +From: WANG Cong + +commit dc327f8931cb9d66191f489eb9a852fc04530546 upstream. + +We saw the following extra refcount release on veth device: + + kernel: [7957821.463992] unregister_netdevice: waiting for mesos50284 to become free. Usage count = -1 + +Since we heavily use mirred action to redirect packets to veth, I think +this is caused by the following race condition: + +CPU0: +tcf_mirred_release(): (in RCU callback) + struct net_device *dev = rcu_dereference_protected(m->tcfm_dev, 1); + +CPU1: +mirred_device_event(): + spin_lock_bh(&mirred_list_lock); + list_for_each_entry(m, &mirred_list, tcfm_list) { + if (rcu_access_pointer(m->tcfm_dev) == dev) { + dev_put(dev); + /* Note : no rcu grace period necessary, as + * net_device are already rcu protected. + */ + RCU_INIT_POINTER(m->tcfm_dev, NULL); + } + } + spin_unlock_bh(&mirred_list_lock); + +CPU0: +tcf_mirred_release(): + spin_lock_bh(&mirred_list_lock); + list_del(&m->tcfm_list); + spin_unlock_bh(&mirred_list_lock); + if (dev) // <======== Stil refers to the old m->tcfm_dev + dev_put(dev); // <======== dev_put() is called on it again + +The action init code path is good because it is impossible to modify +an action that is being removed. + +So, fix this by moving everything under the spinlock. + +Fixes: 2ee22a90c7af ("net_sched: act_mirred: remove spinlock in fast path") +Fixes: 6bd00b850635 ("act_mirred: fix a race condition on mirred_list") +Cc: Jamal Hadi Salim +Signed-off-by: Cong Wang +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/sched/act_mirred.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/sched/act_mirred.c ++++ b/net/sched/act_mirred.c +@@ -36,14 +36,15 @@ static DEFINE_SPINLOCK(mirred_list_lock) + static void tcf_mirred_release(struct tc_action *a, int bind) + { + struct tcf_mirred *m = to_mirred(a); +- struct net_device *dev = rcu_dereference_protected(m->tcfm_dev, 1); ++ struct net_device *dev; + + /* We could be called either in a RCU callback or with RTNL lock held. */ + spin_lock_bh(&mirred_list_lock); + list_del(&m->tcfm_list); +- spin_unlock_bh(&mirred_list_lock); ++ dev = rcu_dereference_protected(m->tcfm_dev, 1); + if (dev) + dev_put(dev); ++ spin_unlock_bh(&mirred_list_lock); + } + + static const struct nla_policy mirred_policy[TCA_MIRRED_MAX + 1] = { diff --git a/next-4.4/rds-fix-the-atomicity-for-congestion-map-update.patch b/next-4.4/rds-fix-the-atomicity-for-congestion-map-update.patch new file mode 100644 index 00000000000..462fa8e1095 --- /dev/null +++ b/next-4.4/rds-fix-the-atomicity-for-congestion-map-update.patch @@ -0,0 +1,49 @@ +From e47db94e10447fc467777a40302f2b393e9af2fa Mon Sep 17 00:00:00 2001 +From: "santosh.shilimkar@oracle.com" +Date: Thu, 14 Apr 2016 10:43:27 -0700 +Subject: RDS: Fix the atomicity for congestion map update + +From: santosh.shilimkar@oracle.com + +commit e47db94e10447fc467777a40302f2b393e9af2fa upstream. + +Two different threads with different rds sockets may be in +rds_recv_rcvbuf_delta() via receive path. If their ports +both map to the same word in the congestion map, then +using non-atomic ops to update it could cause the map to +be incorrect. Lets use atomics to avoid such an issue. + +Full credit to Wengang for +finding the issue, analysing it and also pointing out +to offending code with spin lock based fix. + +Reviewed-by: Leon Romanovsky +Signed-off-by: Wengang Wang +Signed-off-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/rds/cong.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/rds/cong.c ++++ b/net/rds/cong.c +@@ -299,7 +299,7 @@ void rds_cong_set_bit(struct rds_cong_ma + i = be16_to_cpu(port) / RDS_CONG_MAP_PAGE_BITS; + off = be16_to_cpu(port) % RDS_CONG_MAP_PAGE_BITS; + +- __set_bit_le(off, (void *)map->m_page_addrs[i]); ++ set_bit_le(off, (void *)map->m_page_addrs[i]); + } + + void rds_cong_clear_bit(struct rds_cong_map *map, __be16 port) +@@ -313,7 +313,7 @@ void rds_cong_clear_bit(struct rds_cong_ + i = be16_to_cpu(port) / RDS_CONG_MAP_PAGE_BITS; + off = be16_to_cpu(port) % RDS_CONG_MAP_PAGE_BITS; + +- __clear_bit_le(off, (void *)map->m_page_addrs[i]); ++ clear_bit_le(off, (void *)map->m_page_addrs[i]); + } + + static int rds_cong_test_bit(struct rds_cong_map *map, __be16 port) diff --git a/next-4.4/regulator-core-clear-the-supply-pointer-if-enabling-fails.patch b/next-4.4/regulator-core-clear-the-supply-pointer-if-enabling-fails.patch new file mode 100644 index 00000000000..228843b59d3 --- /dev/null +++ b/next-4.4/regulator-core-clear-the-supply-pointer-if-enabling-fails.patch @@ -0,0 +1,36 @@ +From 8e5356a73604f53da6a1e0756727cb8f9f7bba17 Mon Sep 17 00:00:00 2001 +From: Jon Hunter +Date: Thu, 21 Apr 2016 17:11:58 +0100 +Subject: regulator: core: Clear the supply pointer if enabling fails + +From: Jon Hunter + +commit 8e5356a73604f53da6a1e0756727cb8f9f7bba17 upstream. + +During the resolution of a regulator's supply, we may attempt to enable +the supply if the regulator itself is already enabled. If enabling the +supply fails, then we will call _regulator_put() for the supply. +However, the pointer to the supply has not been cleared for the +regulator and this will cause a crash if we then unregister the +regulator and attempt to call regulator_put() a second time for the +supply. Fix this by clearing the supply pointer if enabling the supply +after fails when resolving the supply for a regulator. + +Signed-off-by: Jon Hunter +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/regulator/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -1519,6 +1519,7 @@ static int regulator_resolve_supply(stru + ret = regulator_enable(rdev->supply); + if (ret < 0) { + _regulator_put(rdev->supply); ++ rdev->supply = NULL; + return ret; + } + } diff --git a/next-4.4/usb-gadget-f_midi-fixed-a-bug-when-buflen-was-smaller-than-wmaxpacketsize.patch b/next-4.4/usb-gadget-f_midi-fixed-a-bug-when-buflen-was-smaller-than-wmaxpacketsize.patch new file mode 100644 index 00000000000..b46ce59bb74 --- /dev/null +++ b/next-4.4/usb-gadget-f_midi-fixed-a-bug-when-buflen-was-smaller-than-wmaxpacketsize.patch @@ -0,0 +1,51 @@ +From 03d27ade4941076b34c823d63d91dc895731a595 Mon Sep 17 00:00:00 2001 +From: "Felipe F. Tonello" +Date: Wed, 9 Mar 2016 19:39:30 +0000 +Subject: usb: gadget: f_midi: Fixed a bug when buflen was smaller than wMaxPacketSize + +From: Felipe F. Tonello + +commit 03d27ade4941076b34c823d63d91dc895731a595 upstream. + +buflen by default (256) is smaller than wMaxPacketSize (512) in high-speed +devices. + +That caused the OUT endpoint to freeze if the host send any data packet of +length greater than 256 bytes. + +This is an example dump of what happended on that enpoint: +HOST: [DATA][Length=260][...] +DEVICE: [NAK] +HOST: [PING] +DEVICE: [NAK] +HOST: [PING] +DEVICE: [NAK] +... +HOST: [PING] +DEVICE: [NAK] + +This patch fixes this problem by setting the minimum usb_request's buffer size +for the OUT endpoint as its wMaxPacketSize. + +Acked-by: Michal Nazarewicz +Signed-off-by: Felipe F. Tonello +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_midi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_midi.c ++++ b/drivers/usb/gadget/function/f_midi.c +@@ -361,7 +361,9 @@ static int f_midi_set_alt(struct usb_fun + /* allocate a bunch of read buffers and queue them all at once. */ + for (i = 0; i < midi->qlen && err == 0; i++) { + struct usb_request *req = +- midi_alloc_ep_req(midi->out_ep, midi->buflen); ++ midi_alloc_ep_req(midi->out_ep, ++ max_t(unsigned, midi->buflen, ++ bulk_out_desc.wMaxPacketSize)); + if (req == NULL) + return -ENOMEM; + diff --git a/next-4.4/xen-x86-don-t-lose-event-interrupts.patch b/next-4.4/xen-x86-don-t-lose-event-interrupts.patch new file mode 100644 index 00000000000..7dd140ac517 --- /dev/null +++ b/next-4.4/xen-x86-don-t-lose-event-interrupts.patch @@ -0,0 +1,46 @@ +From c06b6d70feb32d28f04ba37aa3df17973fd37b6b Mon Sep 17 00:00:00 2001 +From: Stefano Stabellini +Date: Fri, 15 Apr 2016 18:23:00 -0700 +Subject: xen/x86: don't lose event interrupts + +From: Stefano Stabellini + +commit c06b6d70feb32d28f04ba37aa3df17973fd37b6b upstream. + +On slow platforms with unreliable TSC, such as QEMU emulated machines, +it is possible for the kernel to request the next event in the past. In +that case, in the current implementation of xen_vcpuop_clockevent, we +simply return -ETIME. To be precise the Xen returns -ETIME and we pass +it on. However the result of this is a missed event, which simply causes +the kernel to hang. + +Instead it is better to always ask the hypervisor for a timer event, +even if the timeout is in the past. That way there are no lost +interrupts and the kernel survives. To do that, remove the +VCPU_SSHOTTMR_future flag. + +Signed-off-by: Stefano Stabellini +Acked-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/xen/time.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/x86/xen/time.c ++++ b/arch/x86/xen/time.c +@@ -343,11 +343,11 @@ static int xen_vcpuop_set_next_event(uns + WARN_ON(!clockevent_state_oneshot(evt)); + + single.timeout_abs_ns = get_abs_timeout(delta); +- single.flags = VCPU_SSHOTTMR_future; ++ /* Get an event anyway, even if the timeout is already expired */ ++ single.flags = 0; + + ret = HYPERVISOR_vcpu_op(VCPUOP_set_singleshot_timer, cpu, &single); +- +- BUG_ON(ret != 0 && ret != -ETIME); ++ BUG_ON(ret != 0); + + return ret; + } -- 2.47.2