From 4e0940c387bea4b6c418bfc98a128b4514f6a722 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 7 Dec 2015 00:30:59 -0800 Subject: [PATCH] 4.3-stable patches added patches: arm64-fix-compat-register-mappings.patch arm64-page-align-sections-for-debug_rodata.patch ath10k-add-ath10k_fw_feature_raw_mode_support-to.patch ath10k-fix-invalid-nss-for-4x4-devices.patch ath10k-use-station-s-current-operating-mode-from-assoc-request.patch bluetooth-ath3k-add-new-ar3012-0930-021c-id.patch bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch bluetooth-fix-missing-hdev-locking-for-le-scan-cleanup.patch bluetooth-fix-removing-connection-parameters-when-unpairing.patch bluetooth-hidp-fix-device-disconnect-on-idle-timeout.patch can-sja1000-clear-interrupts-on-start.patch can-use-correct-type-in-sizeof-in-nla_put.patch clk-iproc-fix-pll-output-frequency-calculation.patch clk-versatile-icst-fix-memory-leak.patch fs-proc-core-debug-don-t-expose-absolute-kernel-addresses-via-wchan.patch iwlwifi-add-new-pci-ids-for-the-8260-series.patch iwlwifi-pcie-fix-again-prepare-card-flow.patch kvm-s390-avoid-memory-overwrites-on-emergency-signal-injection.patch kvm-s390-enable-simd-only-when-no-vcpus-were-created.patch kvm-s390-fix-wrong-lookup-of-vcpus-by-array-index.patch kvm-s390-sca-must-not-cross-page-boundaries.patch kvm-x86-add-read_phys-to-x86_emulate_ops.patch kvm-x86-allow-rsm-from-64-bit-mode.patch kvm-x86-handle-smbase-as-physical-address-in-rsm.patch kvm-x86-obey-kvm_x86_quirk_cd_nw_cleared-in-kvm_set_cr0.patch kvm-x86-set-kvm_req_event-when-updating-irr.patch kvm-x86-work-around-infinite-loop-in-microcode-when-ac-is-delivered.patch kvm-x86-zero-efer-on-init.patch mac80211-allow-null-chandef-in-tracing.patch mac80211-fix-divide-by-zero-when-noa-update.patch mac80211-fix-driver-rssi-event-calculations.patch mac80211-fix-local-deauth-while-associating.patch mfd-twl6040-fix-deferred-probe-handling-for-clk32k.patch mips-ath79-fix-the-ddr-control-initialization-on-ar71xx-and-ar934x.patch mips-cdmm-add-builtin_mips_cdmm_driver-macro.patch 
mips-kvm-fix-asid-restoration-logic.patch mips-kvm-fix-cache-immediate-offset-sign-extension.patch mips-kvm-uninit-vcpu-in-vcpu_create-error-path.patch mips-lantiq-add-clk_round_rate.patch mwifiex-avoid-memsetting-pcie-event-buffer.patch mwifiex-fix-mwifiex_rdeeprom_read.patch mwifiex-fix-null-pointer-dereference-during-hidden-ssid-scan.patch net-mvneta-fix-cpu_map-registers-initialisation.patch net-mvneta-fix-error-path-for-building-skb.patch nfc-nci-extract-pipe-value-using-nci_hcp_msg_get_pipe.patch nfc-nci-fix-improper-management-of-hci-return-code.patch nfc-nci-fix-incorrect-data-chaining-when-sending-data.patch nfc-st-nci-fix-incorrect-spi-buffer-size.patch nl80211-fix-potential-memory-leak-from-parse_acl_data.patch pinctrl-qcom-ssbi-fix-compilation-with-debug_fs-n.patch pinctrl-uniphier-set-input-enable-before-pin-muxing.patch revert-usb-dwc3-gadget-drop-unnecessary-loop-when-cleaning-up-trbs.patch s390-kernel-fix-ptrace-peek-poke-for-floating-point-registers.patch s390-pci-reshuffle-struct-used-to-write-debug-data.patch staging-rtl8712-add-device-id-for-sitecom-wla2100.patch usb-chipidea-otg-gadget-module-load-and-unload-support.patch usb-dwc3-add-dis_enblslpm_quirk.patch usb-dwc3-gadget-let-us-set-lower-max_speed.patch usb-dwc3-pci-add-platform-data-for-synopsys-haps.patch usb-dwc3-pci-add-the-pci-product-id-for-synopsys-usb-3.1.patch usb-dwc3-pci-add-the-synopsys-haps-axi-product-id.patch usb-dwc3-pci-set-enblslpm-quirk-for-synopsys-platforms.patch usb-dwc3-support-synopsys-usb-3.1-ip.patch usb-gadget-atmel_usba_udc-expose-correct-device-speed.patch usb-gadget-net2280-restore-ep_cfg-after-defect7374-workaround.patch x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch x86-cpu-fix-smap-check-in-pvops-environments.patch x86-fpu-fix-32-bit-signal-frame-handling.patch x86-fpu-fix-get_xsave_addr-behavior-under-virtualization.patch x86-irq-probe-for-pic-presence-before-allocating-descs-for-legacy-irqs.patch 
x86-mpx-do-proper-get_user-when-running-32-bit-binaries-on-64-bit-kernels.patch x86-mpx-fix-32-bit-address-space-calculation.patch x86-setup-fix-low-identity-map-for-2gb-kernel-range.patch --- .../arm64-fix-compat-register-mappings.patch | 51 +++++ ...page-align-sections-for-debug_rodata.patch | 51 +++++ ...th10k_fw_feature_raw_mode_support-to.patch | 45 +++++ ...h10k-fix-invalid-nss-for-4x4-devices.patch | 37 ++++ ...nt-operating-mode-from-assoc-request.patch | 43 +++++ ...th-ath3k-add-new-ar3012-0930-021c-id.patch | 57 ++++++ ...d-support-of-ar3012-0cf3-817b-device.patch | 55 ++++++ ...ing-hdev-locking-for-le-scan-cleanup.patch | 167 +++++++++++++++++ ...connection-parameters-when-unpairing.patch | 62 ++++++ ...ix-device-disconnect-on-idle-timeout.patch | 75 ++++++++ ...an-sja1000-clear-interrupts-on-start.patch | 46 +++++ ...se-correct-type-in-sizeof-in-nla_put.patch | 33 ++++ ...fix-pll-output-frequency-calculation.patch | 64 +++++++ .../clk-versatile-icst-fix-memory-leak.patch | 36 ++++ ...-absolute-kernel-addresses-via-wchan.patch | 170 +++++++++++++++++ ...-add-new-pci-ids-for-the-8260-series.patch | 76 ++++++++ ...ifi-pcie-fix-again-prepare-card-flow.patch | 48 +++++ ...writes-on-emergency-signal-injection.patch | 38 ++++ ...simd-only-when-no-vcpus-were-created.patch | 47 +++++ ...wrong-lookup-of-vcpus-by-array-index.patch | 65 +++++++ ...0-sca-must-not-cross-page-boundaries.patch | 54 ++++++ ...x86-add-read_phys-to-x86_emulate_ops.patch | 72 +++++++ .../kvm-x86-allow-rsm-from-64-bit-mode.patch | 80 ++++++++ ...le-smbase-as-physical-address-in-rsm.patch | 49 +++++ ...6_quirk_cd_nw_cleared-in-kvm_set_cr0.patch | 53 ++++++ ...-set-kvm_req_event-when-updating-irr.patch | 34 ++++ ...op-in-microcode-when-ac-is-delivered.patch | 87 +++++++++ queue-4.3/kvm-x86-zero-efer-on-init.patch | 84 +++++++++ ...c80211-allow-null-chandef-in-tracing.patch | 42 +++++ ...1-fix-divide-by-zero-when-noa-update.patch | 49 +++++ ...1-fix-driver-rssi-event-calculations.patch | 33 
++++ ...1-fix-local-deauth-while-associating.patch | 50 +++++ ...x-deferred-probe-handling-for-clk32k.patch | 46 +++++ ...-initialization-on-ar71xx-and-ar934x.patch | 41 ++++ ...m-add-builtin_mips_cdmm_driver-macro.patch | 46 +++++ .../mips-kvm-fix-asid-restoration-logic.patch | 64 +++++++ ...ache-immediate-offset-sign-extension.patch | 38 ++++ ...ninit-vcpu-in-vcpu_create-error-path.patch | 48 +++++ .../mips-lantiq-add-clk_round_rate.patch | 52 ++++++ ...x-avoid-memsetting-pcie-event-buffer.patch | 36 ++++ .../mwifiex-fix-mwifiex_rdeeprom_read.patch | 79 ++++++++ ...-dereference-during-hidden-ssid-scan.patch | 38 ++++ ...fix-cpu_map-registers-initialisation.patch | 40 ++++ ...neta-fix-error-path-for-building-skb.patch | 49 +++++ ...ipe-value-using-nci_hcp_msg_get_pipe.patch | 40 ++++ ...proper-management-of-hci-return-code.patch | 176 ++++++++++++++++++ ...rect-data-chaining-when-sending-data.patch | 66 +++++++ ...st-nci-fix-incorrect-spi-buffer-size.patch | 41 ++++ ...tial-memory-leak-from-parse_acl_data.patch | 50 +++++ ...ssbi-fix-compilation-with-debug_fs-n.patch | 55 ++++++ ...r-set-input-enable-before-pin-muxing.patch | 63 +++++++ ...necessary-loop-when-cleaning-up-trbs.patch | 85 +++++++++ ...ek-poke-for-floating-point-registers.patch | 63 +++++++ ...ffle-struct-used-to-write-debug-data.patch | 42 +++++ queue-4.3/series | 73 ++++++++ ...12-add-device-id-for-sitecom-wla2100.patch | 31 +++ ...adget-module-load-and-unload-support.patch | 53 ++++++ .../usb-dwc3-add-dis_enblslpm_quirk.patch | 100 ++++++++++ ...c3-gadget-let-us-set-lower-max_speed.patch | 72 +++++++ ...-add-platform-data-for-synopsys-haps.patch | 43 +++++ ...-pci-product-id-for-synopsys-usb-3.1.patch | 41 ++++ ...add-the-synopsys-haps-axi-product-id.patch | 42 +++++ ...nblslpm-quirk-for-synopsys-platforms.patch | 31 +++ ...usb-dwc3-support-synopsys-usb-3.1-ip.patch | 99 ++++++++++ ...usba_udc-expose-correct-device-speed.patch | 42 +++++ ...e-ep_cfg-after-defect7374-workaround.patch | 34 ++++ 
...u-after-having-entered-long-mode-too.patch | 118 ++++++++++++ ...fix-smap-check-in-pvops-environments.patch | 54 ++++++ ...fpu-fix-32-bit-signal-frame-handling.patch | 105 +++++++++++ ...e_addr-behavior-under-virtualization.patch | 51 +++++ ...ore-allocating-descs-for-legacy-irqs.patch | 144 ++++++++++++++ ...ng-32-bit-binaries-on-64-bit-kernels.patch | 90 +++++++++ ...fix-32-bit-address-space-calculation.patch | 81 ++++++++ ...ow-identity-map-for-2gb-kernel-range.patch | 41 ++++ 74 files changed, 4556 insertions(+) create mode 100644 queue-4.3/arm64-fix-compat-register-mappings.patch create mode 100644 queue-4.3/arm64-page-align-sections-for-debug_rodata.patch create mode 100644 queue-4.3/ath10k-add-ath10k_fw_feature_raw_mode_support-to.patch create mode 100644 queue-4.3/ath10k-fix-invalid-nss-for-4x4-devices.patch create mode 100644 queue-4.3/ath10k-use-station-s-current-operating-mode-from-assoc-request.patch create mode 100644 queue-4.3/bluetooth-ath3k-add-new-ar3012-0930-021c-id.patch create mode 100644 queue-4.3/bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch create mode 100644 queue-4.3/bluetooth-fix-missing-hdev-locking-for-le-scan-cleanup.patch create mode 100644 queue-4.3/bluetooth-fix-removing-connection-parameters-when-unpairing.patch create mode 100644 queue-4.3/bluetooth-hidp-fix-device-disconnect-on-idle-timeout.patch create mode 100644 queue-4.3/can-sja1000-clear-interrupts-on-start.patch create mode 100644 queue-4.3/can-use-correct-type-in-sizeof-in-nla_put.patch create mode 100644 queue-4.3/clk-iproc-fix-pll-output-frequency-calculation.patch create mode 100644 queue-4.3/clk-versatile-icst-fix-memory-leak.patch create mode 100644 queue-4.3/fs-proc-core-debug-don-t-expose-absolute-kernel-addresses-via-wchan.patch create mode 100644 queue-4.3/iwlwifi-add-new-pci-ids-for-the-8260-series.patch create mode 100644 queue-4.3/iwlwifi-pcie-fix-again-prepare-card-flow.patch create mode 100644 
queue-4.3/kvm-s390-avoid-memory-overwrites-on-emergency-signal-injection.patch create mode 100644 queue-4.3/kvm-s390-enable-simd-only-when-no-vcpus-were-created.patch create mode 100644 queue-4.3/kvm-s390-fix-wrong-lookup-of-vcpus-by-array-index.patch create mode 100644 queue-4.3/kvm-s390-sca-must-not-cross-page-boundaries.patch create mode 100644 queue-4.3/kvm-x86-add-read_phys-to-x86_emulate_ops.patch create mode 100644 queue-4.3/kvm-x86-allow-rsm-from-64-bit-mode.patch create mode 100644 queue-4.3/kvm-x86-handle-smbase-as-physical-address-in-rsm.patch create mode 100644 queue-4.3/kvm-x86-obey-kvm_x86_quirk_cd_nw_cleared-in-kvm_set_cr0.patch create mode 100644 queue-4.3/kvm-x86-set-kvm_req_event-when-updating-irr.patch create mode 100644 queue-4.3/kvm-x86-work-around-infinite-loop-in-microcode-when-ac-is-delivered.patch create mode 100644 queue-4.3/kvm-x86-zero-efer-on-init.patch create mode 100644 queue-4.3/mac80211-allow-null-chandef-in-tracing.patch create mode 100644 queue-4.3/mac80211-fix-divide-by-zero-when-noa-update.patch create mode 100644 queue-4.3/mac80211-fix-driver-rssi-event-calculations.patch create mode 100644 queue-4.3/mac80211-fix-local-deauth-while-associating.patch create mode 100644 queue-4.3/mfd-twl6040-fix-deferred-probe-handling-for-clk32k.patch create mode 100644 queue-4.3/mips-ath79-fix-the-ddr-control-initialization-on-ar71xx-and-ar934x.patch create mode 100644 queue-4.3/mips-cdmm-add-builtin_mips_cdmm_driver-macro.patch create mode 100644 queue-4.3/mips-kvm-fix-asid-restoration-logic.patch create mode 100644 queue-4.3/mips-kvm-fix-cache-immediate-offset-sign-extension.patch create mode 100644 queue-4.3/mips-kvm-uninit-vcpu-in-vcpu_create-error-path.patch create mode 100644 queue-4.3/mips-lantiq-add-clk_round_rate.patch create mode 100644 queue-4.3/mwifiex-avoid-memsetting-pcie-event-buffer.patch create mode 100644 queue-4.3/mwifiex-fix-mwifiex_rdeeprom_read.patch create mode 100644 
queue-4.3/mwifiex-fix-null-pointer-dereference-during-hidden-ssid-scan.patch create mode 100644 queue-4.3/net-mvneta-fix-cpu_map-registers-initialisation.patch create mode 100644 queue-4.3/net-mvneta-fix-error-path-for-building-skb.patch create mode 100644 queue-4.3/nfc-nci-extract-pipe-value-using-nci_hcp_msg_get_pipe.patch create mode 100644 queue-4.3/nfc-nci-fix-improper-management-of-hci-return-code.patch create mode 100644 queue-4.3/nfc-nci-fix-incorrect-data-chaining-when-sending-data.patch create mode 100644 queue-4.3/nfc-st-nci-fix-incorrect-spi-buffer-size.patch create mode 100644 queue-4.3/nl80211-fix-potential-memory-leak-from-parse_acl_data.patch create mode 100644 queue-4.3/pinctrl-qcom-ssbi-fix-compilation-with-debug_fs-n.patch create mode 100644 queue-4.3/pinctrl-uniphier-set-input-enable-before-pin-muxing.patch create mode 100644 queue-4.3/revert-usb-dwc3-gadget-drop-unnecessary-loop-when-cleaning-up-trbs.patch create mode 100644 queue-4.3/s390-kernel-fix-ptrace-peek-poke-for-floating-point-registers.patch create mode 100644 queue-4.3/s390-pci-reshuffle-struct-used-to-write-debug-data.patch create mode 100644 queue-4.3/staging-rtl8712-add-device-id-for-sitecom-wla2100.patch create mode 100644 queue-4.3/usb-chipidea-otg-gadget-module-load-and-unload-support.patch create mode 100644 queue-4.3/usb-dwc3-add-dis_enblslpm_quirk.patch create mode 100644 queue-4.3/usb-dwc3-gadget-let-us-set-lower-max_speed.patch create mode 100644 queue-4.3/usb-dwc3-pci-add-platform-data-for-synopsys-haps.patch create mode 100644 queue-4.3/usb-dwc3-pci-add-the-pci-product-id-for-synopsys-usb-3.1.patch create mode 100644 queue-4.3/usb-dwc3-pci-add-the-synopsys-haps-axi-product-id.patch create mode 100644 queue-4.3/usb-dwc3-pci-set-enblslpm-quirk-for-synopsys-platforms.patch create mode 100644 queue-4.3/usb-dwc3-support-synopsys-usb-3.1-ip.patch create mode 100644 queue-4.3/usb-gadget-atmel_usba_udc-expose-correct-device-speed.patch create mode 100644 
queue-4.3/usb-gadget-net2280-restore-ep_cfg-after-defect7374-workaround.patch create mode 100644 queue-4.3/x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch create mode 100644 queue-4.3/x86-cpu-fix-smap-check-in-pvops-environments.patch create mode 100644 queue-4.3/x86-fpu-fix-32-bit-signal-frame-handling.patch create mode 100644 queue-4.3/x86-fpu-fix-get_xsave_addr-behavior-under-virtualization.patch create mode 100644 queue-4.3/x86-irq-probe-for-pic-presence-before-allocating-descs-for-legacy-irqs.patch create mode 100644 queue-4.3/x86-mpx-do-proper-get_user-when-running-32-bit-binaries-on-64-bit-kernels.patch create mode 100644 queue-4.3/x86-mpx-fix-32-bit-address-space-calculation.patch create mode 100644 queue-4.3/x86-setup-fix-low-identity-map-for-2gb-kernel-range.patch diff --git a/queue-4.3/arm64-fix-compat-register-mappings.patch b/queue-4.3/arm64-fix-compat-register-mappings.patch new file mode 100644 index 00000000000..6b6c43dbe62 --- /dev/null +++ b/queue-4.3/arm64-fix-compat-register-mappings.patch 
@@ -0,0 +1,51 @@
+From 5accd17d0eb523350c9ef754d655e379c9bb93b3 Mon Sep 17 00:00:00 2001
+From: Robin Murphy
+Date: Thu, 22 Oct 2015 15:41:52 +0100
+Subject: arm64: Fix compat register mappings
+
+From: Robin Murphy
+
+commit 5accd17d0eb523350c9ef754d655e379c9bb93b3 upstream.
+
+For reasons not entirely apparent, but now enshrined in history, the
+architectural mapping of AArch32 banked registers to AArch64 registers
+actually orders SP_ and LR_ backwards compared to the
+intuitive r13/r14 order, for all modes except FIQ.
+
+Fix the compat__ macros accordingly, in the hope of avoiding
+subtle bugs with KVM and AArch32 guests.
+
+Signed-off-by: Robin Murphy
+Acked-by: Will Deacon
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/include/asm/ptrace.h | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/arch/arm64/include/asm/ptrace.h
++++ b/arch/arm64/include/asm/ptrace.h
+@@ -83,14 +83,14 @@
+ #define compat_sp regs[13]
+ #define compat_lr regs[14]
+ #define compat_sp_hyp regs[15]
+-#define compat_sp_irq regs[16]
+-#define compat_lr_irq regs[17]
+-#define compat_sp_svc regs[18]
+-#define compat_lr_svc regs[19]
+-#define compat_sp_abt regs[20]
+-#define compat_lr_abt regs[21]
+-#define compat_sp_und regs[22]
+-#define compat_lr_und regs[23]
++#define compat_lr_irq regs[16]
++#define compat_sp_irq regs[17]
++#define compat_lr_svc regs[18]
++#define compat_sp_svc regs[19]
++#define compat_lr_abt regs[20]
++#define compat_sp_abt regs[21]
++#define compat_lr_und regs[22]
++#define compat_sp_und regs[23]
+ #define compat_r8_fiq regs[24]
+ #define compat_r9_fiq regs[25]
+ #define compat_r10_fiq regs[26]
diff --git a/queue-4.3/arm64-page-align-sections-for-debug_rodata.patch b/queue-4.3/arm64-page-align-sections-for-debug_rodata.patch
new file mode 100644
index 00000000000..8397c4aeca5
--- /dev/null
+++ b/queue-4.3/arm64-page-align-sections-for-debug_rodata.patch
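Review bot: Nothing in the new macro block says that the LR-before-SP order of the irq, svc, abt and und slots (`regs[16]` to `regs[23]`) is deliberate, so a later cleanup could plausibly swap them back to the r13/r14 order that the description itself calls intuitive. A comment above `compat_lr_irq` would pin it down, for example `/* Banked LR precedes SP in the architectural AArch32->AArch64 mapping for every mode except FIQ. */`. The description names KVM with AArch32 guests as the affected consumer, so it would also help to state which users of `compat_sp_*` and `compat_lr_*` were checked against the corrected indices. The macro list continues outside the hunk, so the FIQ sp/lr entries are not visible here.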
@@ -0,0 +1,51 @@ +From cb083816ab5ac3d10a9417527f07fc5962cc3808 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Mon, 26 Oct 2015 21:42:33 +0000 +Subject: arm64: page-align sections for DEBUG_RODATA + +From: Mark Rutland + +commit cb083816ab5ac3d10a9417527f07fc5962cc3808 upstream. + +A kernel built with DEBUG_RO_DATA && !CONFIG_DEBUG_ALIGN_RODATA doesn't +have .text aligned to a page boundary, though fixup_executable works at +page-granularity thanks to its use of create_mapping. If .text is not +page-aligned, the first page it exists in may be marked non-executable, +leading to failures when an attempt is made to execute code in said +page. + +This patch upgrades ALIGN_DEBUG_RO and ALIGN_DEBUG_RO_MIN to force page +alignment for DEBUG_RO_DATA && !CONFIG_DEBUG_ALIGN_RODATA kernels, +ensuring that all sections with specific RWX permission requirements are +mapped with the correct permissions. + +Signed-off-by: Mark Rutland +Reported-by: Jeremy Linton +Reviewed-by: Laura Abbott +Acked-by: Ard Biesheuvel +Cc: Suzuki Poulose +Cc: Will Deacon +Fixes: da141706aea52c1a ("arm64: add better page protections to arm64") +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/vmlinux.lds.S | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kernel/vmlinux.lds.S ++++ b/arch/arm64/kernel/vmlinux.lds.S +@@ -60,9 +60,12 @@ PECOFF_FILE_ALIGNMENT = 0x200; + #define PECOFF_EDATA_PADDING + #endif + +-#ifdef CONFIG_DEBUG_ALIGN_RODATA ++#if defined(CONFIG_DEBUG_ALIGN_RODATA) + #define ALIGN_DEBUG_RO . = ALIGN(1< +Date: Wed, 9 Sep 2015 11:34:37 +0300 +Subject: ath10k: add ATH10K_FW_FEATURE_RAW_MODE_SUPPORT to + ath10k_core_fw_feature_str[] + +From: Kalle Valo + +commit 5af82fa66a7ee8dfc29fadb487a02e2ef14ea965 upstream. 
+
+This was missed in the original commit adding the flag and ath10k only printed "bit10":
+
+ath10k_pci 0000:02:00.0: qca988x hw2.0 (0x4100016c, 0x043202ff) fw 10.2.4.70.6-2 api 3
+htt-ver 2.1 wmi-op 5 htt-op 2 cal otp max-sta 128 raw 0 hwcrypto 1 features no-p2p,bit10
+
+Also add a build test to avoid this happening again.
+
+Fixes: ccec9038c721 ("ath10k: enable raw encap mode and software crypto engine")
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/ath10k/core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/core.c
++++ b/drivers/net/wireless/ath/ath10k/core.c
+@@ -142,12 +142,17 @@ static const char *const ath10k_core_fw_
+ [ATH10K_FW_FEATURE_IGNORE_OTP_RESULT] = "ignore-otp",
+ [ATH10K_FW_FEATURE_NO_NWIFI_DECAP_4ADDR_PADDING] = "no-4addr-pad",
+ [ATH10K_FW_FEATURE_SUPPORTS_SKIP_CLOCK_INIT] = "skip-clock-init",
++ [ATH10K_FW_FEATURE_RAW_MODE_SUPPORT] = "raw-mode",
+ };
+
+ static unsigned int ath10k_core_get_fw_feature_str(char *buf,
+ size_t buf_len,
+ enum ath10k_fw_features feat)
+ {
++ /* make sure that ath10k_core_fw_feature_str[] gets updated */
++ BUILD_BUG_ON(ARRAY_SIZE(ath10k_core_fw_feature_str) !=
++ ATH10K_FW_FEATURE_COUNT);
++
+ if (feat >= ARRAY_SIZE(ath10k_core_fw_feature_str) ||
+ WARN_ON(!ath10k_core_fw_feature_str[feat])) {
+ return scnprintf(buf, buf_len, "bit%d", feat);
diff --git a/queue-4.3/ath10k-fix-invalid-nss-for-4x4-devices.patch b/queue-4.3/ath10k-fix-invalid-nss-for-4x4-devices.patch
new file mode 100644
index 00000000000..2d639933ca9
--- /dev/null
+++ b/queue-4.3/ath10k-fix-invalid-nss-for-4x4-devices.patch
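Review bot: The added `BUILD_BUG_ON` in `ath10k_core_get_fw_feature_str()` only compares `ARRAY_SIZE(ath10k_core_fw_feature_str)` with `ATH10K_FW_FEATURE_COUNT`, and with designated initializers the array size is set by the highest index present. A flag other than the last one that is left without a string therefore still builds, and is caught only at run time by `WARN_ON(!ath10k_core_fw_feature_str[feat])` and the `bit%d` fallback. The comment should state that limit, for example `/* catches a missing last entry only; holes are reported by the WARN_ON below */`. The function body continues outside the hunk.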
@@ -0,0 +1,37 @@
+From f680f70adbeab28b35f849016b964dd645db6237 Mon Sep 17 00:00:00 2001
+From: Rajkumar Manoharan
+Date: Tue, 3 Nov 2015 11:51:33 +0530
+Subject: ath10k: fix invalid NSS for 4x4 devices
+
+From: Rajkumar Manoharan
+
+commit f680f70adbeab28b35f849016b964dd645db6237 upstream.
+
+The number of spatial streams that are derived from chain mask
+for 4x4 devices is using wrong bitmask and conditional check.
+This is affecting downlink throughput for QCA99x0 devices. Earlier
+cfg_tx_chainmask is not filled by default until user configured it
+and so get_nss_from_chainmask never be called. This issue is exposed
+by recent commit 166de3f1895d ("ath10k: remove supported chain mask").
+By default maximum supported chain mask is filled in cfg_tx_chainmask.
+
+Fixes: 5572a95b4b ("ath10k: apply chainmask settings to vdev on creation")
+Signed-off-by: Rajkumar Manoharan
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -4056,7 +4056,7 @@ static int ath10k_config(struct ieee8021
+
+ static u32 get_nss_from_chainmask(u16 chain_mask)
+ {
+- if ((chain_mask & 0x15) == 0x15)
++ if ((chain_mask & 0xf) == 0xf)
+ return 4;
+ else if ((chain_mask & 0x7) == 0x7)
+ return 3;
diff --git a/queue-4.3/ath10k-use-station-s-current-operating-mode-from-assoc-request.patch b/queue-4.3/ath10k-use-station-s-current-operating-mode-from-assoc-request.patch
new file mode 100644
index 00000000000..b5406b628a7
--- /dev/null
+++ b/queue-4.3/ath10k-use-station-s-current-operating-mode-from-assoc-request.patch
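Review bot: The corrected test in `get_nss_from_chainmask()` still spells the chain masks as bare literals, which is plausibly how a decimal-looking `0x15` got through review in the first place. The 4-chain and 3-chain checks would read unambiguously as `if ((chain_mask & GENMASK(3, 0)) == GENMASK(3, 0))` and `else if ((chain_mask & GENMASK(2, 0)) == GENMASK(2, 0))`, or with a one-line comment giving the binary pattern each branch expects. The rest of the function lies outside the hunk, so the lower-order branches are presumably written the same way and would want the same treatment.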
@@ -0,0 +1,43 @@
+From 72f8cef5d1155209561b01e092ce1a04ad50c4cb Mon Sep 17 00:00:00 2001
+From: Vivek Natarajan
+Date: Tue, 6 Oct 2015 15:19:34 +0300
+Subject: ath10k: use station's current operating mode from assoc request
+
+From: Vivek Natarajan
+
+commit 72f8cef5d1155209561b01e092ce1a04ad50c4cb upstream.
+
+The current number of spatial streams used by the client is advertised
+as a separate IE in assoc request. Use this information to set
+the NSS operating mode.
+
+Fixes: 45c9abc059fa ("ath10k: implement more versatile set_bitrate_mask").
+Signed-off-by: Vivek Natarajan
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -2083,7 +2083,8 @@ static void ath10k_peer_assoc_h_ht(struc
+ enum ieee80211_band band;
+ const u8 *ht_mcs_mask;
+ const u16 *vht_mcs_mask;
+- int i, n, max_nss;
++ int i, n;
++ u8 max_nss;
+ u32 stbc;
+
+ lockdep_assert_held(&ar->conf_mutex);
+@@ -2168,7 +2169,7 @@ static void ath10k_peer_assoc_h_ht(struc
+ arg->peer_ht_rates.rates[i] = i;
+ } else {
+ arg->peer_ht_rates.num_rates = n;
+- arg->peer_num_spatial_streams = max_nss;
++ arg->peer_num_spatial_streams = min(sta->rx_nss, max_nss);
+ }
+
+ ath10k_dbg(ar, ATH10K_DBG_MAC, "mac ht peer %pM mcs cnt %d nss %d\n",
diff --git a/queue-4.3/bluetooth-ath3k-add-new-ar3012-0930-021c-id.patch b/queue-4.3/bluetooth-ath3k-add-new-ar3012-0930-021c-id.patch
new file mode 100644
index 00000000000..a345624d8d9
--- /dev/null
+++ b/queue-4.3/bluetooth-ath3k-add-new-ar3012-0930-021c-id.patch
@@ -0,0 +1,57 @@
+From cd355ff071cd37e7197eccf9216770b2b29369f7 Mon Sep 17 00:00:00 2001
+From: Dmitry Tunin
+Date: Mon, 5 Oct 2015 19:29:33 +0300
+Subject: Bluetooth: ath3k: Add new AR3012 0930:021c id
+
+From: Dmitry Tunin
+
+commit cd355ff071cd37e7197eccf9216770b2b29369f7 upstream.
+
+This adapter works with the existing linux-firmware.
+
+T: Bus=01 Lev=01 Prnt=01 Port=03 Cnt=02 Dev#= 3 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0930 ProdID=021c Rev=00.01
+C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+BugLink: https://bugs.launchpad.net/bugs/1502781
+
+Signed-off-by: Dmitry Tunin
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/bluetooth/ath3k.c | 2 ++
+ drivers/bluetooth/btusb.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -93,6 +93,7 @@ static const struct usb_device_id ath3k_
+ { USB_DEVICE(0x04CA, 0x300f) },
+ { USB_DEVICE(0x04CA, 0x3010) },
+ { USB_DEVICE(0x0930, 0x0219) },
++ { USB_DEVICE(0x0930, 0x021c) },
+ { USB_DEVICE(0x0930, 0x0220) },
+ { USB_DEVICE(0x0930, 0x0227) },
+ { USB_DEVICE(0x0b05, 0x17d0) },
+@@ -153,6 +154,7 @@ static const struct usb_device_id ath3k_
+ { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -195,6 +195,7 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
diff --git a/queue-4.3/bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch b/queue-4.3/bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch
new file mode 100644
index 00000000000..9a3d1d9ebf2
--- /dev/null
+++ b/queue-4.3/bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch
@@ -0,0 +1,55 @@
+From 18e0afab8ce3f1230ce3fef52b2e73374fd9c0e7 Mon Sep 17 00:00:00 2001
+From: Dmitry Tunin
+Date: Fri, 16 Oct 2015 11:45:26 +0300
+Subject: Bluetooth: ath3k: Add support of AR3012 0cf3:817b device
+
+From: Dmitry Tunin
+
+commit 18e0afab8ce3f1230ce3fef52b2e73374fd9c0e7 upstream.
+
+T: Bus=04 Lev=02 Prnt=02 Port=04 Cnt=01 Dev#= 3 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0cf3 ProdID=817b Rev=00.02
+C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+BugLink: https://bugs.launchpad.net/bugs/1506615
+
+Signed-off-by: Dmitry Tunin
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/bluetooth/ath3k.c | 2 ++
+ drivers/bluetooth/btusb.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -105,6 +105,7 @@ static const struct usb_device_id ath3k_
+ { USB_DEVICE(0x0CF3, 0x311F) },
+ { USB_DEVICE(0x0cf3, 0x3121) },
+ { USB_DEVICE(0x0CF3, 0x817a) },
++ { USB_DEVICE(0x0CF3, 0x817b) },
+ { USB_DEVICE(0x0cf3, 0xe003) },
+ { USB_DEVICE(0x0CF3, 0xE004) },
+ { USB_DEVICE(0x0CF3, 0xE005) },
+@@ -166,6 +167,7 @@ static const struct usb_device_id ath3k_
+ { USB_DEVICE(0x0cf3, 0x311F), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0CF3, 0x817a), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0CF3, 0x817b), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe006), .driver_info = BTUSB_ATH3012 },
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -207,6 +207,7 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0cf3, 0x817b), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
diff --git a/queue-4.3/bluetooth-fix-missing-hdev-locking-for-le-scan-cleanup.patch b/queue-4.3/bluetooth-fix-missing-hdev-locking-for-le-scan-cleanup.patch
new file mode 100644
index 00000000000..ef9484fb247
--- /dev/null
+++ b/queue-4.3/bluetooth-fix-missing-hdev-locking-for-le-scan-cleanup.patch
@@ -0,0 +1,167 @@ +From 8ce783dc5ea3af3a213ac9b4d9d2ccfeeb9c9058 Mon Sep 17 00:00:00 2001 +From: Johan Hedberg +Date: Wed, 21 Oct 2015 15:21:31 +0300 +Subject: Bluetooth: Fix missing hdev locking for LE scan cleanup + +From: Johan Hedberg + +commit 8ce783dc5ea3af3a213ac9b4d9d2ccfeeb9c9058 upstream. + +The hci_conn objects don't have a dedicated lock themselves but rely +on the caller to hold the hci_dev lock for most types of access. The +hci_conn_timeout() function has so far sent certain HCI commands based +on the hci_conn state which has been possible without holding the +hci_dev lock. + +The recent changes to do LE scanning before connect attempts added +even more operations to hci_conn and hci_dev from hci_conn_timeout, +thereby exposing potential race conditions with the hci_dev and +hci_conn states. + +As an example of such a race, here there's a timeout but an +l2cap_sock_connect() call manages to race with the cleanup routine: + +[Oct21 08:14] l2cap_chan_timeout: chan ee4b12c0 state BT_CONNECT +[ +0.000004] l2cap_chan_close: chan ee4b12c0 state BT_CONNECT +[ +0.000002] l2cap_chan_del: chan ee4b12c0, conn f3141580, err 111, state BT_CONNECT +[ +0.000002] l2cap_sock_teardown_cb: chan ee4b12c0 state BT_CONNECT +[ +0.000005] l2cap_chan_put: chan ee4b12c0 orig refcnt 4 +[ +0.000010] hci_conn_drop: hcon f53d56e0 orig refcnt 1 +[ +0.000013] l2cap_chan_put: chan ee4b12c0 orig refcnt 3 +[ +0.000063] hci_conn_timeout: hcon f53d56e0 state BT_CONNECT +[ +0.000049] hci_conn_params_del: addr ee:0d:30:09:53:1f (type 1) +[ +0.000002] hci_chan_list_flush: hcon f53d56e0 +[ +0.000001] hci_chan_del: hci0 hcon f53d56e0 chan f4e7ccc0 +[ +0.004528] l2cap_sock_create: sock e708fc00 +[ +0.000023] l2cap_chan_create: chan ee4b1770 +[ +0.000001] l2cap_chan_hold: chan ee4b1770 orig refcnt 1 +[ +0.000002] l2cap_sock_init: sk ee4b3390 +[ +0.000029] l2cap_sock_bind: sk ee4b3390 +[ +0.000010] l2cap_sock_setsockopt: sk ee4b3390 +[ +0.000037] l2cap_sock_connect: sk ee4b3390 +[ +0.000002] 
l2cap_chan_connect: 00:02:72:d9:e5:8b -> ee:0d:30:09:53:1f (type 2) psm 0x00 +[ +0.000002] hci_get_route: 00:02:72:d9:e5:8b -> ee:0d:30:09:53:1f +[ +0.000001] hci_dev_hold: hci0 orig refcnt 8 +[ +0.000003] hci_conn_hold: hcon f53d56e0 orig refcnt 0 + +Above the l2cap_chan_connect() shouldn't have been able to reach the +hci_conn f53d56e0 anymore but since hci_conn_timeout didn't do proper +locking that's not the case. The end result is a reference to hci_conn +that's not in the conn_hash list, resulting in list corruption when +trying to remove it later: + +[Oct21 08:15] l2cap_chan_timeout: chan ee4b1770 state BT_CONNECT +[ +0.000004] l2cap_chan_close: chan ee4b1770 state BT_CONNECT +[ +0.000003] l2cap_chan_del: chan ee4b1770, conn f3141580, err 111, state BT_CONNECT +[ +0.000001] l2cap_sock_teardown_cb: chan ee4b1770 state BT_CONNECT +[ +0.000005] l2cap_chan_put: chan ee4b1770 orig refcnt 4 +[ +0.000002] hci_conn_drop: hcon f53d56e0 orig refcnt 1 +[ +0.000015] l2cap_chan_put: chan ee4b1770 orig refcnt 3 +[ +0.000038] hci_conn_timeout: hcon f53d56e0 state BT_CONNECT +[ +0.000003] hci_chan_list_flush: hcon f53d56e0 +[ +0.000002] hci_conn_hash_del: hci0 hcon f53d56e0 +[ +0.000001] ------------[ cut here ]------------ +[ +0.000461] WARNING: CPU: 0 PID: 1782 at lib/list_debug.c:56 __list_del_entry+0x3f/0x71() +[ +0.000839] list_del corruption, f53d56e0->prev is LIST_POISON2 (00000200) + +The necessary fix is unfortunately more complicated than just adding +hci_dev_lock/unlock calls to the hci_conn_timeout() call path. +Particularly, the hci_conn_del() API, which expects the hci_dev lock to +be held, performs a cancel_delayed_work_sync(&hcon->disc_work) which +would lead to a deadlock if the hci_conn_timeout() call path tries to +acquire the same lock. + +This patch solves the problem by deferring the cleanup work to a +separate work callback. 
To protect against the hci_dev or hci_conn +going away meanwhile temporary references are taken with the help of +hci_dev_hold() and hci_conn_get(). + +Signed-off-by: Johan Hedberg +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/bluetooth/hci_core.h | 1 + net/bluetooth/hci_conn.c | 50 ++++++++++++++++++++++++++++++++------- + 2 files changed, 43 insertions(+), 8 deletions(-) + +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -469,6 +469,7 @@ struct hci_conn { + struct delayed_work auto_accept_work; + struct delayed_work idle_work; + struct delayed_work le_conn_timeout; ++ struct work_struct le_scan_cleanup; + + struct device dev; + struct dentry *debugfs; +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -137,18 +137,51 @@ static void hci_conn_cleanup(struct hci_ + hci_conn_put(conn); + } + +-/* This function requires the caller holds hdev->lock */ ++static void le_scan_cleanup(struct work_struct *work) ++{ ++ struct hci_conn *conn = container_of(work, struct hci_conn, ++ le_scan_cleanup); ++ struct hci_dev *hdev = conn->hdev; ++ struct hci_conn *c = NULL; ++ ++ BT_DBG("%s hcon %p", hdev->name, conn); ++ ++ hci_dev_lock(hdev); ++ ++ /* Check that the hci_conn is still around */ ++ rcu_read_lock(); ++ list_for_each_entry_rcu(c, &hdev->conn_hash.list, list) { ++ if (c == conn) ++ break; ++ } ++ rcu_read_unlock(); ++ ++ if (c == conn) { ++ hci_connect_le_scan_cleanup(conn); ++ hci_conn_cleanup(conn); ++ } ++ ++ hci_dev_unlock(hdev); ++ hci_dev_put(hdev); ++ hci_conn_put(conn); ++} ++ + static void hci_connect_le_scan_remove(struct hci_conn *conn) + { +- hci_connect_le_scan_cleanup(conn); ++ BT_DBG("%s hcon %p", conn->hdev->name, conn); + +- /* We can't call hci_conn_del here since that would deadlock +- * with trying to call cancel_delayed_work_sync(&conn->disc_work). 
+- * Instead, call just hci_conn_cleanup() which contains the bare +- * minimum cleanup operations needed for a connection in this +- * state. ++ /* We can't call hci_conn_del/hci_conn_cleanup here since that ++ * could deadlock with another hci_conn_del() call that's holding ++ * hci_dev_lock and doing cancel_delayed_work_sync(&conn->disc_work). ++ * Instead, grab temporary extra references to the hci_dev and ++ * hci_conn and perform the necessary cleanup in a separate work ++ * callback. + */ +- hci_conn_cleanup(conn); ++ ++ hci_dev_hold(conn->hdev); ++ hci_conn_get(conn); ++ ++ schedule_work(&conn->le_scan_cleanup); + } + + static void hci_acl_create_connection(struct hci_conn *conn) +@@ -580,6 +613,7 @@ struct hci_conn *hci_conn_add(struct hci + INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept); + INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle); + INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout); ++ INIT_WORK(&conn->le_scan_cleanup, le_scan_cleanup); + + atomic_set(&conn->refcnt, 0); + diff --git a/queue-4.3/bluetooth-fix-removing-connection-parameters-when-unpairing.patch b/queue-4.3/bluetooth-fix-removing-connection-parameters-when-unpairing.patch new file mode 100644 index 00000000000..d0689dc8b7a --- /dev/null +++ b/queue-4.3/bluetooth-fix-removing-connection-parameters-when-unpairing.patch 
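Review bot: In hci_connect_le_scan_remove() the return value of `schedule_work(&conn->le_scan_cleanup)` is ignored, so if the work item is already pending, the references taken just above by hci_dev_hold() and hci_conn_get() are never dropped; le_scan_cleanup() releases only one pair per run. Whether the function can be entered twice for the same hci_conn before the work runs is not visible in this hunk, so this needs confirming; if it can, release the references on that path, e.g. `if (!schedule_work(&conn->le_scan_cleanup)) { hci_dev_put(conn->hdev); hci_conn_put(conn); }`. Separately, in le_scan_cleanup() the `c = NULL` initialiser has no effect on the `c == conn` test after list_for_each_entry_rcu(), because the loop overwrites the iterator; a `bool found` set inside the loop would state the intent directly.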
@@ -0,0 +1,62 @@
+From a6ad2a6b9cc1d9d791aee5462cfb8528f366f1d4 Mon Sep 17 00:00:00 2001
+From: Johan Hedberg
+Date: Mon, 19 Oct 2015 10:51:47 +0300
+Subject: Bluetooth: Fix removing connection parameters when unpairing
+
+From: Johan Hedberg
+
+commit a6ad2a6b9cc1d9d791aee5462cfb8528f366f1d4 upstream.
+
+The commit 89cbb0638e9b7 introduced support for deferred connection
+parameter removal when unpairing by removing them only once an
+existing connection gets disconnected. However, it failed to address
+the scenario when we're *not* connected and do an unpair operation.
+
+What makes things worse is that most user space BlueZ versions will
+first issue a disconnect request and only then unpair, meaning the
+buggy code will be triggered every time. This effectively causes the
+kernel to resume scanning and reconnect to a device for which we've
+removed all keys and GATT database information.
+
+This patch fixes the issue by adding the missing call to the
+hci_conn_params_del() function to a branch which handles the case of
+no existing connection.
+
+Signed-off-by: Johan Hedberg
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/mgmt.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -3090,6 +3090,11 @@ static int unpair_device(struct sock *sk
+ } else {
+ u8 addr_type;
+
++ if (cp->addr.type == BDADDR_LE_PUBLIC)
++ addr_type = ADDR_LE_DEV_PUBLIC;
++ else
++ addr_type = ADDR_LE_DEV_RANDOM;
++
+ conn = hci_conn_hash_lookup_ba(hdev, LE_LINK,
+ &cp->addr.bdaddr);
+ if (conn) {
+@@ -3105,13 +3110,10 @@ static int unpair_device(struct sock *sk
+ */
+ if (!cp->disconnect)
+ conn = NULL;
++ } else {
++ hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type);
+ }
+
+- if (cp->addr.type == BDADDR_LE_PUBLIC)
+- addr_type = ADDR_LE_DEV_PUBLIC;
+- else
+- addr_type = ADDR_LE_DEV_RANDOM;
+-
+ hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type);
+
+ err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type);
diff --git a/queue-4.3/bluetooth-hidp-fix-device-disconnect-on-idle-timeout.patch b/queue-4.3/bluetooth-hidp-fix-device-disconnect-on-idle-timeout.patch
new file mode 100644
index 00000000000..3af2130a20c
--- /dev/null
+++ b/queue-4.3/bluetooth-hidp-fix-device-disconnect-on-idle-timeout.patch
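Review bot: The new `else` branch in unpair_device() that calls hci_conn_params_del() carries no comment saying why the connection parameters are removed immediately here but not in the `if (conn)` branch. I would add above the call: `/* No LE link: nothing will defer the removal to disconnect time, so drop the connection parameters now. */`. The distinction matters for unpair semantics, since the patch description says stale parameters make the kernel reconnect to a device whose keys were just removed. unpair_device() starts and ends outside the hunks.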
@@ -0,0 +1,75 @@
+From 660f0fc07d21114549c1862e67e78b1cf0c90c29 Mon Sep 17 00:00:00 2001
+From: David Herrmann
+Date: Mon, 7 Sep 2015 12:05:41 +0200
+Subject: Bluetooth: hidp: fix device disconnect on idle timeout
+
+From: David Herrmann
+
+commit 660f0fc07d21114549c1862e67e78b1cf0c90c29 upstream.
+
+The HIDP specs define an idle-timeout which automatically disconnects a
+device. This has always been implemented in the HIDP layer and forced a
+synchronous shutdown of the hidp-scheduler. This works just fine, but
+lacks a forced disconnect on the underlying l2cap channels. This has been
+broken since:
+
+ commit 5205185d461d5902325e457ca80bd421127b7308
+ Author: David Herrmann
+ Date: Sat Apr 6 20:28:47 2013 +0200
+
+ Bluetooth: hidp: remove old session-management
+
+The old session-management always forced an l2cap error on the ctrl/intr
+channels when shutting down. The new session-management skips this, as we
+don't want to enforce channel policy on the caller. In other words, if
+user-space removes an HIDP device, the underlying channels (which are
+*owned* and *referenced* by user-space) are still left active. User-space
+needs to call shutdown(2) or close(2) to release them.
+
+Unfortunately, this does not work with idle-timeouts. There is no way to
+signal user-space that the HIDP layer has been stopped. The API simply
+does not support any event-passing except for poll(2). Hence, we restore
+old behavior and force EUNATCH on the sockets if the HIDP layer is
+disconnected due to idle-timeouts (behavior of explicit disconnects
+remains unmodified). User-space can still call
+
+ getsockopt(..., SO_ERROR, ...)
+
+..to retrieve the EUNATCH error and clear sk_err. Hence, the channels can
+still be re-used (which nobody does so far, though). Therefore, the API
+still supports the new behavior, but with this patch it's also compatible
+to the old implicit channel shutdown.
+
+Reported-by: Mark Haun
+Reported-by: Luiz Augusto von Dentz
+Signed-off-by: David Herrmann
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/hidp/core.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -401,6 +401,20 @@ static void hidp_idle_timeout(unsigned l
+ {
+ struct hidp_session *session = (struct hidp_session *) arg;
+
++ /* The HIDP user-space API only contains calls to add and remove
++ * devices. There is no way to forward events of any kind. Therefore,
++ * we have to forcefully disconnect a device on idle-timeouts. This is
++ * unfortunate and weird API design, but it is spec-compliant and
++ * required for backwards-compatibility. Hence, on idle-timeout, we
++ * signal driver-detach events, so poll() will be woken up with an
++ * error-condition on both sockets.
++ */
++
++ session->intr_sock->sk->sk_err = EUNATCH;
++ session->ctrl_sock->sk->sk_err = EUNATCH;
++ wake_up_interruptible(sk_sleep(session->intr_sock->sk));
++ wake_up_interruptible(sk_sleep(session->ctrl_sock->sk));
++
+ hidp_session_terminate(session);
+ }
+
diff --git a/queue-4.3/can-sja1000-clear-interrupts-on-start.patch b/queue-4.3/can-sja1000-clear-interrupts-on-start.patch
new file mode 100644
index 00000000000..5e7425a5ed2
--- /dev/null
+++ b/queue-4.3/can-sja1000-clear-interrupts-on-start.patch
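Review bot: hidp_idle_timeout() now stores `EUNATCH` into `sk_err` of both sockets and wakes their wait queues by hand, in the timer callback and with no socket lock visible in the hunk; the socket's own error callback is the usual way to publish an error and wake pollers in one step. If nothing depends on the hand-rolled wake-up, `sk->sk_error_report(sk)` after each `sk_err` store would replace the two wake_up_interruptible() calls. The added lines also dereference `session->intr_sock->sk` and `session->ctrl_sock->sk` with no visible check. That is safe only if the session holds both sockets for as long as the timer can fire, which this hunk does not show, so a one-line comment stating that lifetime rule would help.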
@@ -0,0 +1,46 @@
+From 7cecd9ab80f43972c056dc068338f7bcc407b71c Mon Sep 17 00:00:00 2001
+From: Mirza Krak
+Date: Tue, 10 Nov 2015 14:59:34 +0100
+Subject: can: sja1000: clear interrupts on start
+
+From: Mirza Krak
+
+commit 7cecd9ab80f43972c056dc068338f7bcc407b71c upstream.
+
+According to SJA1000 data sheet error-warning (EI) interrupt is not
+cleared by setting the controller in to reset-mode.
+
+Then if we have the following case:
+- system is suspended (echo mem > /sys/power/state) and SJA1000 is left
+ in operating state
+- A bus error condition occurs which activates EI interrupt, system is
+ still suspended which means EI interrupt will be not be handled nor
+ cleared.
+
+If the above two events occur, on resume there is no way to return the
+SJA1000 to operating state, except to cycle power to it.
+
+By simply reading the IR register on start we will clear any previous
+conditions that could be present.
+
+Signed-off-by: Mirza Krak
+Reported-by: Christian Magnusson
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/sja1000/sja1000.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/can/sja1000/sja1000.c
++++ b/drivers/net/can/sja1000/sja1000.c
+@@ -218,6 +218,9 @@ static void sja1000_start(struct net_dev
+ priv->write_reg(priv, SJA1000_RXERR, 0x0);
+ priv->read_reg(priv, SJA1000_ECC);
+
++ /* clear interrupt flags */
++ priv->read_reg(priv, SJA1000_IR);
++
+ /* leave reset mode */
+ set_normal_mode(dev);
+ }
diff --git a/queue-4.3/can-use-correct-type-in-sizeof-in-nla_put.patch b/queue-4.3/can-use-correct-type-in-sizeof-in-nla_put.patch
new file mode 100644
index 00000000000..8575d209ae3
--- /dev/null
+++ b/queue-4.3/can-use-correct-type-in-sizeof-in-nla_put.patch
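Review bot: The comment `/* clear interrupt flags */` added in sja1000_start() does not say that the read itself is the clearing operation, so the discarded `priv->read_reg(priv, SJA1000_IR)` looks like dead code to anyone tidying the function. I would extend it to `/* reading IR clears pending flags; reset mode alone does not clear EI */`, which is the reasoning given in the patch description. sja1000_start() begins outside the hunk.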
@@ -0,0 +1,33 @@
+From 562b103a21974c2f9cd67514d110f918bb3e1796 Mon Sep 17 00:00:00 2001
+From: Marek Vasut
+Date: Fri, 30 Oct 2015 13:48:19 +0100
+Subject: can: Use correct type in sizeof() in nla_put()
+
+From: Marek Vasut
+
+commit 562b103a21974c2f9cd67514d110f918bb3e1796 upstream.
+
+The sizeof() is invoked on an incorrect variable, likely due to some
+copy-paste error, and this might result in memory corruption. Fix this.
+
+Signed-off-by: Marek Vasut
+Cc: Wolfgang Grandegger
+Cc: netdev@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -915,7 +915,7 @@ static int can_fill_info(struct sk_buff
+ nla_put(skb, IFLA_CAN_BITTIMING_CONST,
+ sizeof(*priv->bittiming_const), priv->bittiming_const)) ||
+
+- nla_put(skb, IFLA_CAN_CLOCK, sizeof(cm), &priv->clock) ||
++ nla_put(skb, IFLA_CAN_CLOCK, sizeof(priv->clock), &priv->clock) ||
+ nla_put_u32(skb, IFLA_CAN_STATE, state) ||
+ nla_put(skb, IFLA_CAN_CTRLMODE, sizeof(cm), &cm) ||
+ nla_put_u32(skb, IFLA_CAN_RESTART_MS, priv->restart_ms) ||
diff --git a/queue-4.3/clk-iproc-fix-pll-output-frequency-calculation.patch b/queue-4.3/clk-iproc-fix-pll-output-frequency-calculation.patch
new file mode 100644
index 00000000000..754329b21bf
--- /dev/null
+++ b/queue-4.3/clk-iproc-fix-pll-output-frequency-calculation.patch
@@ -0,0 +1,64 @@ +From 63243a4da7d0dfa19dcacd0a529782eeb2f86f92 Mon Sep 17 00:00:00 2001 +From: Simran Rai +Date: Mon, 19 Oct 2015 15:27:19 -0700 +Subject: clk: iproc: Fix PLL output frequency calculation + +From: Simran Rai + +commit 63243a4da7d0dfa19dcacd0a529782eeb2f86f92 upstream. + +This patch affects the clocks that use fractional ndivider in their +PLL output frequency calculation. Instead of 2^20 divide factor, the +clock's ndiv integer shift was used. Fixed the bug by replacing ndiv +integer shift with 2^20 factor. + +Signed-off-by: Simran Rai +Signed-off-by: Ray Jui +Reviewed-by: Scott Branden +Fixes: 5fe225c105fd ("clk: iproc: add initial common clock support") +Signed-off-by: Michael Turquette +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/bcm/clk-iproc-pll.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +--- a/drivers/clk/bcm/clk-iproc-pll.c ++++ b/drivers/clk/bcm/clk-iproc-pll.c +@@ -345,8 +345,8 @@ static unsigned long iproc_pll_recalc_ra + struct iproc_pll *pll = clk->pll; + const struct iproc_pll_ctrl *ctrl = pll->ctrl; + u32 val; +- u64 ndiv; +- unsigned int ndiv_int, ndiv_frac, pdiv; ++ u64 ndiv, ndiv_int, ndiv_frac; ++ unsigned int pdiv; + + if (parent_rate == 0) + return 0; +@@ -366,22 +366,19 @@ static unsigned long iproc_pll_recalc_ra + val = readl(pll->pll_base + ctrl->ndiv_int.offset); + ndiv_int = (val >> ctrl->ndiv_int.shift) & + bit_mask(ctrl->ndiv_int.width); +- ndiv = (u64)ndiv_int << ctrl->ndiv_int.shift; ++ ndiv = ndiv_int << 20; + + if (ctrl->flags & IPROC_CLK_PLL_HAS_NDIV_FRAC) { + val = readl(pll->pll_base + ctrl->ndiv_frac.offset); + ndiv_frac = (val >> ctrl->ndiv_frac.shift) & + bit_mask(ctrl->ndiv_frac.width); +- +- if (ndiv_frac != 0) +- ndiv = ((u64)ndiv_int << ctrl->ndiv_int.shift) | +- ndiv_frac; ++ ndiv += ndiv_frac; + } + + val = readl(pll->pll_base + ctrl->pdiv.offset); + pdiv = (val >> ctrl->pdiv.shift) & bit_mask(ctrl->pdiv.width); + +- clk->rate = (ndiv * parent_rate) >> 
ctrl->ndiv_int.shift; ++ clk->rate = (ndiv * parent_rate) >> 20; + + if (pdiv == 0) + clk->rate *= 2; diff --git a/queue-4.3/clk-versatile-icst-fix-memory-leak.patch b/queue-4.3/clk-versatile-icst-fix-memory-leak.patch new file mode 100644 index 00000000000..c88f31615fd --- /dev/null +++ b/queue-4.3/clk-versatile-icst-fix-memory-leak.patch @@ -0,0 +1,36 @@ +From 7bdccef34fc67d3fce6778a018601dd41e43c5ce Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Fri, 23 Oct 2015 11:36:01 +0200 +Subject: clk: versatile-icst: fix memory leak + +From: Linus Walleij + +commit 7bdccef34fc67d3fce6778a018601dd41e43c5ce upstream. + +A static code checker found a memory leak in the Versatile +ICST code. Fix it. + +Fixes: a183da637c52 "clk: versatile: respect parent rate in ICST clock" +Reported-by: Stephen Boyd +Signed-off-by: Linus Walleij +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/versatile/clk-icst.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/clk/versatile/clk-icst.c ++++ b/drivers/clk/versatile/clk-icst.c +@@ -157,8 +157,10 @@ struct clk *icst_clk_register(struct dev + icst->lockreg = base + desc->lock_offset; + + clk = clk_register(dev, &icst->hw); +- if (IS_ERR(clk)) ++ if (IS_ERR(clk)) { ++ kfree(pclone); + kfree(icst); ++ } + + return clk; + } diff --git a/queue-4.3/fs-proc-core-debug-don-t-expose-absolute-kernel-addresses-via-wchan.patch b/queue-4.3/fs-proc-core-debug-don-t-expose-absolute-kernel-addresses-via-wchan.patch new file mode 100644 index 00000000000..eea1bbe0e9c --- /dev/null +++ b/queue-4.3/fs-proc-core-debug-don-t-expose-absolute-kernel-addresses-via-wchan.patch 
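Review bot: The literal `20` now appears twice in iproc_pll_recalc_rate(), in `ndiv = ndiv_int << 20;` and in `clk->rate = (ndiv * parent_rate) >> 20;`, and the two must stay equal for the result to be right; the bug being fixed was itself a wrong shift amount. A named constant for the fractional width (name left to the maintainers), used in both places with a comment that ndiv is a fixed-point value with 20 fractional bits, would make that coupling explicit. The function starts and ends outside the hunks.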
@@ -0,0 +1,170 @@ +From b2f73922d119686323f14fbbe46587f863852328 Mon Sep 17 00:00:00 2001 +From: Ingo Molnar +Date: Wed, 30 Sep 2015 15:59:17 +0200 +Subject: fs/proc, core/debug: Don't expose absolute kernel addresses via wchan + +From: Ingo Molnar + +commit b2f73922d119686323f14fbbe46587f863852328 upstream. + +So the /proc/PID/stat 'wchan' field (the 30th field, which contains +the absolute kernel address of the kernel function a task is blocked in) +leaks absolute kernel addresses to unprivileged user-space: + + seq_put_decimal_ull(m, ' ', wchan); + +The absolute address might also leak via /proc/PID/wchan as well, if +KALLSYMS is turned off or if the symbol lookup fails for some reason: + +static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns, + struct pid *pid, struct task_struct *task) +{ + unsigned long wchan; + char symname[KSYM_NAME_LEN]; + + wchan = get_wchan(task); + + if (lookup_symbol_name(wchan, symname) < 0) { + if (!ptrace_may_access(task, PTRACE_MODE_READ)) + return 0; + seq_printf(m, "%lu", wchan); + } else { + seq_printf(m, "%s", symname); + } + + return 0; +} + +This isn't ideal, because for example it trivially leaks the KASLR offset +to any local attacker: + + fomalhaut:~> printf "%016lx\n" $(cat /proc/$$/stat | cut -d' ' -f35) + ffffffff8123b380 + +Most real-life uses of wchan are symbolic: + + ps -eo pid:10,tid:10,wchan:30,comm + +and procps uses /proc/PID/wchan, not the absolute address in /proc/PID/stat: + + triton:~/tip> strace -f ps -eo pid:10,tid:10,wchan:30,comm 2>&1 | grep wchan | tail -1 + open("/proc/30833/wchan", O_RDONLY) = 6 + +There's one compatibility quirk here: procps relies on whether the +absolute value is non-zero - and we can provide that functionality +by outputing "0" or "1" depending on whether the task is blocked +(whether there's a wchan address). + +These days there appears to be very little legitimate reason +user-space would be interested in the absolute address. 
The +absolute address is mostly historic: from the days when we +didn't have kallsyms and user-space procps had to do the +decoding itself via the System.map. + +So this patch sets all numeric output to "0" or "1" and keeps only +symbolic output, in /proc/PID/wchan. + +( The absolute sleep address can generally still be profiled via + perf, by tasks with sufficient privileges. ) + +Reviewed-by: Thomas Gleixner +Acked-by: Kees Cook +Acked-by: Linus Torvalds +Cc: Al Viro +Cc: Alexander Potapenko +Cc: Andrey Konovalov +Cc: Andrey Ryabinin +Cc: Andy Lutomirski +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Denys Vlasenko +Cc: Dmitry Vyukov +Cc: Kostya Serebryany +Cc: Mike Galbraith +Cc: Peter Zijlstra +Cc: Peter Zijlstra +Cc: Sasha Levin +Cc: kasan-dev +Cc: linux-kernel@vger.kernel.org +Link: http://lkml.kernel.org/r/20150930135917.GA3285@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/filesystems/proc.txt | 5 +++-- + fs/proc/array.c | 16 ++++++++++++++-- + fs/proc/base.c | 9 +++------ + 3 files changed, 20 insertions(+), 10 deletions(-) + +--- a/Documentation/filesystems/proc.txt ++++ b/Documentation/filesystems/proc.txt +@@ -140,7 +140,8 @@ Table 1-1: Process specific entries in / + stat Process status + statm Process memory status information + status Process status in human readable form +- wchan If CONFIG_KALLSYMS is set, a pre-decoded wchan ++ wchan Present with CONFIG_KALLSYMS=y: it shows the kernel function ++ symbol the task is blocked in - or "0" if not blocked. 
+ pagemap Page table + stack Report full stack trace, enable via CONFIG_STACKTRACE + smaps a extension based on maps, showing the memory consumption of +@@ -310,7 +311,7 @@ Table 1-4: Contents of the stat files (a + blocked bitmap of blocked signals + sigign bitmap of ignored signals + sigcatch bitmap of caught signals +- wchan address where process went to sleep ++ 0 (place holder, used to be the wchan address, use /proc/PID/wchan instead) + 0 (place holder) + 0 (place holder) + exit_signal signal to send to parent thread on exit +--- a/fs/proc/array.c ++++ b/fs/proc/array.c +@@ -375,7 +375,7 @@ int proc_pid_status(struct seq_file *m, + static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, + struct pid *pid, struct task_struct *task, int whole) + { +- unsigned long vsize, eip, esp, wchan = ~0UL; ++ unsigned long vsize, eip, esp, wchan = 0; + int priority, nice; + int tty_pgrp = -1, tty_nr = 0; + sigset_t sigign, sigcatch; +@@ -507,7 +507,19 @@ static int do_task_stat(struct seq_file + seq_put_decimal_ull(m, ' ', task->blocked.sig[0] & 0x7fffffffUL); + seq_put_decimal_ull(m, ' ', sigign.sig[0] & 0x7fffffffUL); + seq_put_decimal_ull(m, ' ', sigcatch.sig[0] & 0x7fffffffUL); +- seq_put_decimal_ull(m, ' ', wchan); ++ ++ /* ++ * We used to output the absolute kernel address, but that's an ++ * information leak - so instead we show a 0/1 flag here, to signal ++ * to user-space whether there's a wchan field in /proc/PID/wchan. ++ * ++ * This works with older implementations of procps as well. 
++ */ ++ if (wchan) ++ seq_puts(m, " 1"); ++ else ++ seq_puts(m, " 0"); ++ + seq_put_decimal_ull(m, ' ', 0); + seq_put_decimal_ull(m, ' ', 0); + seq_put_decimal_ll(m, ' ', task->exit_signal); +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -430,13 +430,10 @@ static int proc_pid_wchan(struct seq_fil + + wchan = get_wchan(task); + +- if (lookup_symbol_name(wchan, symname) < 0) { +- if (!ptrace_may_access(task, PTRACE_MODE_READ)) +- return 0; +- seq_printf(m, "%lu", wchan); +- } else { ++ if (wchan && ptrace_may_access(task, PTRACE_MODE_READ) && !lookup_symbol_name(wchan, symname)) + seq_printf(m, "%s", symname); +- } ++ else ++ seq_putc(m, '0'); + + return 0; + } diff --git a/queue-4.3/iwlwifi-add-new-pci-ids-for-the-8260-series.patch b/queue-4.3/iwlwifi-add-new-pci-ids-for-the-8260-series.patch new file mode 100644 index 00000000000..bab76ea1796 --- /dev/null +++ b/queue-4.3/iwlwifi-add-new-pci-ids-for-the-8260-series.patch 
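Review bot: The new proc.txt text says /proc/PID/wchan shows "0" if the task is not blocked, but the rewritten proc_pid_wchan() also prints '0' when ptrace_may_access() denies the reader and when lookup_symbol_name() fails, so a monitoring tool cannot tell "not blocked" from "not permitted". The documentation line should list all three cases, e.g. `or "0" if not blocked, not permitted, or no symbol was found`. The new one-line condition in proc_pid_wchan() is also well past 80 columns and would read better split after each `&&`. The assignment of `wchan` in do_task_stat() is outside the hunk, so whether the 0/1 flag in /proc/PID/stat is itself gated by a permission check cannot be confirmed from here.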
@@ -0,0 +1,76 @@ +From 4ab75944c4b324c1f5f01dbd4c4d122d2b9da187 Mon Sep 17 00:00:00 2001 +From: Oren Givon +Date: Wed, 28 Oct 2015 12:32:20 +0200 +Subject: iwlwifi: Add new PCI IDs for the 8260 series + +From: Oren Givon + +commit 4ab75944c4b324c1f5f01dbd4c4d122d2b9da187 upstream. + +Add some new PCI IDs for the 8260 series which were missing. +The following sub-system IDs were added: +0x0130, 0x1130, 0x0132, 0x1132, 0x1150, 0x8110, 0x9110, 0x8130, +0x9130, 0x8132, 0x9132, 0x8150, 0x9150, 0x0044, 0x0930 + +Signed-off-by: Oren Givon +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/pcie/drv.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/iwlwifi/pcie/drv.c +@@ -423,14 +423,21 @@ static const struct pci_device_id iwl_hw + /* 8000 Series */ + {IWL_PCI_DEVICE(0x24F3, 0x0010, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x1010, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0132, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1132, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0110, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x01F0, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0012, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1012, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x1110, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0250, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x1050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0150, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x1150, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x0030, iwl8260_2ac_cfg)}, +- {IWL_PCI_DEVICE(0x24F4, 0x1130, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x1030, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0xC010, iwl8260_2ac_cfg)}, + 
{IWL_PCI_DEVICE(0x24F3, 0xC110, iwl8260_2ac_cfg)}, +@@ -438,18 +445,28 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x24F3, 0xC050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0xD050, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x8010, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8110, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x9010, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9110, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x8030, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F4, 0x9030, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9130, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8132, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9132, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x8050, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x8150, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x9050, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x9150, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0004, iwl8260_2n_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0044, iwl8260_2n_cfg)}, + {IWL_PCI_DEVICE(0x24F5, 0x0010, iwl4165_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F6, 0x0030, iwl4165_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0810, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0910, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0850, iwl8260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x24F3, 0x0950, iwl8260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x24F3, 0x0930, iwl8260_2ac_cfg)}, + #endif /* CONFIG_IWLMVM */ + + {0} diff --git a/queue-4.3/iwlwifi-pcie-fix-again-prepare-card-flow.patch b/queue-4.3/iwlwifi-pcie-fix-again-prepare-card-flow.patch new file mode 100644 index 00000000000..dbf857824cf --- /dev/null +++ b/queue-4.3/iwlwifi-pcie-fix-again-prepare-card-flow.patch 
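Review bot: The patch description lists fifteen new sub-system IDs, but the hunk also adds entries for `0x01F0`, `0x0012` and `0x1012` and deletes the `{IWL_PCI_DEVICE(0x24F4, 0x1130, iwl8260_2ac_cfg)}` entry, none of which the description mentions. Removing a table entry stops the driver from binding to that device/sub-system pair, so the deletion in particular deserves a sentence in the changelog saying whether the entry was a typo for `0x24F3, 0x1130` (which is added) or a real device. No code change is proposed.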
@@ -0,0 +1,48 @@
+From 03a19cbb91994212be72ce15ac3406fa9f8ba079 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach
+Date: Wed, 21 Oct 2015 19:55:32 +0300
+Subject: iwlwifi: pcie: fix (again) prepare card flow
+
+From: Emmanuel Grumbach
+
+commit 03a19cbb91994212be72ce15ac3406fa9f8ba079 upstream.
+
+The hardware bug in the commit mentioned below forces us
+not to re-enable the clock gating in the Host Cluster.
+The impact on the power consumption is minimal and it allows
+the WAKE_ME interrupt to propagate.
+
+Fixes: c9fdec9f3970 ("iwlwifi: pcie: fix prepare card flow")
+Signed-off-by: Emmanuel Grumbach
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
+@@ -592,10 +592,8 @@ static int iwl_pcie_prepare_card_hw(stru
+
+ do {
+ ret = iwl_pcie_set_hw_ready(trans);
+- if (ret >= 0) {
+- ret = 0;
+- goto out;
+- }
++ if (ret >= 0)
++ return 0;
+
+ usleep_range(200, 1000);
+ t += 200;
+@@ -605,10 +603,6 @@ static int iwl_pcie_prepare_card_hw(stru
+
+ IWL_ERR(trans, "Couldn't prepare the card\n");
+
+-out:
+- iwl_clear_bit(trans, CSR_DBG_LINK_PWR_MGMT_REG,
+- CSR_RESET_LINK_PWR_MGMT_DISABLED);
+-
+ return ret;
+ }
+
diff --git a/queue-4.3/kvm-s390-avoid-memory-overwrites-on-emergency-signal-injection.patch b/queue-4.3/kvm-s390-avoid-memory-overwrites-on-emergency-signal-injection.patch
new file mode 100644
index 00000000000..452b9e4de37
--- /dev/null
+++ b/queue-4.3/kvm-s390-avoid-memory-overwrites-on-emergency-signal-injection.patch
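Review bot: With the `out:` label and the iwl_clear_bit() call removed, nothing in iwl_pcie_prepare_card_hw() records that `CSR_RESET_LINK_PWR_MGMT_DISABLED` is now left set on purpose, so the missing clear reads like an oversight. Assuming the bit is still set earlier in the function (that part is outside the hunks), a comment at that point such as `/* intentionally never cleared again: re-enabling clock gating blocks WAKE_ME (HW bug) */` would keep a later cleanup from restoring the old behaviour.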
@@ -0,0 +1,38 @@
+From b85de33a1a3433487b6a721cfdce25ec8673e622 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand
+Date: Thu, 5 Nov 2015 09:38:15 +0100
+Subject: KVM: s390: avoid memory overwrites on emergency signal injection
+
+From: David Hildenbrand
+
+commit b85de33a1a3433487b6a721cfdce25ec8673e622 upstream.
+
+Commit 383d0b050106 ("KVM: s390: handle pending local interrupts via
+bitmap") introduced a possible memory overwrite from user space.
+
+User space could pass an invalid emergency signal code (sending VCPU)
+and therefore exceed the bitmap. Let's take care of this case and
+check that the id is in the valid range.
+
+Reviewed-by: Dominik Dingel
+Signed-off-by: David Hildenbrand
+Signed-off-by: Christian Borntraeger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/kvm/interrupt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/s390/kvm/interrupt.c
++++ b/arch/s390/kvm/interrupt.c
+@@ -1136,6 +1136,10 @@ static int __inject_sigp_emergency(struc
+ trace_kvm_s390_inject_vcpu(vcpu->vcpu_id, KVM_S390_INT_EMERGENCY,
+ irq->u.emerg.code, 0);
+
++ /* sending vcpu invalid */
++ if (kvm_get_vcpu_by_id(vcpu->kvm, irq->u.emerg.code) == NULL)
++ return -EINVAL;
++
+ set_bit(irq->u.emerg.code, li->sigp_emerg_pending);
+ set_bit(IRQ_PEND_EXT_EMERGENCY, &li->pending_irqs);
+ atomic_or(CPUSTAT_EXT_INT, li->cpuflags);
diff --git a/queue-4.3/kvm-s390-enable-simd-only-when-no-vcpus-were-created.patch b/queue-4.3/kvm-s390-enable-simd-only-when-no-vcpus-were-created.patch
new file mode 100644
index 00000000000..9176fd65546
--- /dev/null
+++ b/queue-4.3/kvm-s390-enable-simd-only-when-no-vcpus-were-created.patch
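Review bot: The added check in __inject_sigp_emergency() bounds the index passed to `set_bit(irq->u.emerg.code, li->sigp_emerg_pending)` only indirectly: it proves that a VCPU with that id exists, not that the id is smaller than the bitmap. That is sufficient only while every creatable VCPU id fits in `sigp_emerg_pending`, whose size is declared outside this hunk. Since the value comes from user space, I would state the invariant next to the check, e.g. `/* sending vcpu invalid; a valid vcpu id is always < size of sigp_emerg_pending */`, or add an explicit range test before the lookup. The function starts and ends outside the hunk.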
@@ -0,0 +1,47 @@ +From 5967c17b118a2bd1dd1d554cc4eee16233e52bec Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Fri, 6 Nov 2015 12:08:48 +0100 +Subject: KVM: s390: enable SIMD only when no VCPUs were created + +From: David Hildenbrand + +commit 5967c17b118a2bd1dd1d554cc4eee16233e52bec upstream. + +We should never allow to enable/disable any facilities for the guest +when other VCPUs were already created. + +kvm_arch_vcpu_(load|put) relies on SIMD not changing during runtime. +If somebody would create and run VCPUs and then decides to enable +SIMD, undefined behaviour could be possible (e.g. vector save area +not being set up). + +Acked-by: Christian Borntraeger +Acked-by: Cornelia Huck +Signed-off-by: David Hildenbrand +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/kvm-s390.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -342,12 +342,16 @@ static int kvm_vm_ioctl_enable_cap(struc + r = 0; + break; + case KVM_CAP_S390_VECTOR_REGISTERS: +- if (MACHINE_HAS_VX) { ++ mutex_lock(&kvm->lock); ++ if (atomic_read(&kvm->online_vcpus)) { ++ r = -EBUSY; ++ } else if (MACHINE_HAS_VX) { + set_kvm_facility(kvm->arch.model.fac->mask, 129); + set_kvm_facility(kvm->arch.model.fac->list, 129); + r = 0; + } else + r = -EINVAL; ++ mutex_unlock(&kvm->lock); + VM_EVENT(kvm, 3, "ENABLE: CAP_S390_VECTOR_REGISTERS %s", + r ? "(not available)" : "(success)"); + break; diff --git a/queue-4.3/kvm-s390-fix-wrong-lookup-of-vcpus-by-array-index.patch b/queue-4.3/kvm-s390-fix-wrong-lookup-of-vcpus-by-array-index.patch new file mode 100644 index 00000000000..e5cd4999ff5 --- /dev/null +++ b/queue-4.3/kvm-s390-fix-wrong-lookup-of-vcpus-by-array-index.patch 
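Review bot: The `atomic_read(&kvm->online_vcpus)` test in the `KVM_CAP_S390_VECTOR_REGISTERS` case is race-free only if VCPU creation updates `online_vcpus` while holding the same `kvm->lock`, which this hunk does not show. A comment such as `/* kvm->lock keeps VCPUs from being created while the facility bits change */` would record that assumption. The `VM_EVENT` line after `mutex_unlock()` reports the new `-EBUSY` result as "(not available)", the same text as the `-EINVAL` case, so the log cannot tell a missing facility from VCPUs that already exist. The enclosing switch in `kvm_vm_ioctl_enable_cap` starts and ends outside the hunk.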
@@ -0,0 +1,65 @@ +From 152e9f65d66f0a3891efc3869440becc0e7ff53f Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Thu, 5 Nov 2015 09:06:06 +0100 +Subject: KVM: s390: fix wrong lookup of VCPUs by array index + +From: David Hildenbrand + +commit 152e9f65d66f0a3891efc3869440becc0e7ff53f upstream. + +For now, VCPUs were always created sequentially with incrementing +VCPU ids. Therefore, the index in the VCPUs array matched the id. + +As sequential creation might change with cpu hotplug, let's use +the correct lookup function to find a VCPU by id, not array index. + +Let's also use kvm_lookup_vcpu() for validation of the sending VCPU +on external call injection. + +Reviewed-by: Christian Borntraeger +Signed-off-by: David Hildenbrand +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/interrupt.c | 3 +-- + arch/s390/kvm/sigp.c | 8 ++------ + 2 files changed, 3 insertions(+), 8 deletions(-) + +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -1057,8 +1057,7 @@ static int __inject_extcall(struct kvm_v + src_id, 0); + + /* sending vcpu invalid */ +- if (src_id >= KVM_MAX_VCPUS || +- kvm_get_vcpu(vcpu->kvm, src_id) == NULL) ++ if (kvm_get_vcpu_by_id(vcpu->kvm, src_id) == NULL) + return -EINVAL; + + if (sclp.has_sigpif) +--- a/arch/s390/kvm/sigp.c ++++ b/arch/s390/kvm/sigp.c +@@ -291,12 +291,8 @@ static int handle_sigp_dst(struct kvm_vc + u16 cpu_addr, u32 parameter, u64 *status_reg) + { + int rc; +- struct kvm_vcpu *dst_vcpu; ++ struct kvm_vcpu *dst_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr); + +- if (cpu_addr >= KVM_MAX_VCPUS) +- return SIGP_CC_NOT_OPERATIONAL; +- +- dst_vcpu = kvm_get_vcpu(vcpu->kvm, cpu_addr); + if (!dst_vcpu) + return SIGP_CC_NOT_OPERATIONAL; + +@@ -478,7 +474,7 @@ int kvm_s390_handle_sigp_pei(struct kvm_ + trace_kvm_s390_handle_sigp_pei(vcpu, order_code, cpu_addr); + + if (order_code == SIGP_EXTERNAL_CALL) { +- dest_vcpu = kvm_get_vcpu(vcpu->kvm, cpu_addr); ++ dest_vcpu = 
kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr); + BUG_ON(dest_vcpu == NULL); + + kvm_s390_vcpu_wakeup(dest_vcpu); diff --git a/queue-4.3/kvm-s390-sca-must-not-cross-page-boundaries.patch b/queue-4.3/kvm-s390-sca-must-not-cross-page-boundaries.patch new file mode 100644 index 00000000000..5e734287ff7 --- /dev/null +++ b/queue-4.3/kvm-s390-sca-must-not-cross-page-boundaries.patch 
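Review bot: In `kvm_s390_handle_sigp_pei` the result of the new `kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr)` call goes straight into `BUG_ON(dest_vcpu == NULL)`, so a `cpu_addr` that matches no VCPU id would stop the host rather than fail the one request. Whether `cpu_addr` is validated before this point is not visible here. If it is not, the NULL case should return an error, the way `handle_sigp_dst` in the same patch returns `SIGP_CC_NOT_OPERATIONAL` on `if (!dst_vcpu)`. If it is, a comment stating why the lookup cannot fail would justify keeping the `BUG_ON`. The function body continues outside the hunk.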
@@ -0,0 +1,54 @@ +From c5c2c393468576bad6d10b2b5fefff8cd25df3f4 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Mon, 26 Oct 2015 08:41:29 +0100 +Subject: KVM: s390: SCA must not cross page boundaries + +From: David Hildenbrand + +commit c5c2c393468576bad6d10b2b5fefff8cd25df3f4 upstream. + +We seemed to have missed a few corner cases in commit f6c137ff00a4 +("KVM: s390: randomize sca address"). + +The SCA has a maximum size of 2112 bytes. By setting the sca_offset to +some unlucky numbers, we exceed the page. + +0x7c0 (1984) -> Fits exactly +0x7d0 (2000) -> 16 bytes out +0x7e0 (2016) -> 32 bytes out +0x7f0 (2032) -> 48 bytes out + +One VCPU entry is 32 bytes long. + +For the last two cases, we actually write data to the other page. +1. The address of the VCPU. +2. Injection/delivery/clearing of SIGP externall calls via SIGP IF. + +Especially the 2. happens regularly. So this could produce two problems: +1. The guest losing/getting external calls. +2. Random memory overwrites in the host. + +So this problem happens on every 127 + 128 created VM with 64 VCPUs. + +Acked-by: Christian Borntraeger +Signed-off-by: David Hildenbrand +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/kvm-s390.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -1120,7 +1120,9 @@ int kvm_arch_init_vm(struct kvm *kvm, un + if (!kvm->arch.sca) + goto out_err; + spin_lock(&kvm_lock); +- sca_offset = (sca_offset + 16) & 0x7f0; ++ sca_offset += 16; ++ if (sca_offset + sizeof(struct sca_block) > PAGE_SIZE) ++ sca_offset = 0; + kvm->arch.sca = (struct sca_block *) ((char *) kvm->arch.sca + sca_offset); + spin_unlock(&kvm_lock); + diff --git a/queue-4.3/kvm-x86-add-read_phys-to-x86_emulate_ops.patch b/queue-4.3/kvm-x86-add-read_phys-to-x86_emulate_ops.patch new file mode 100644 index 00000000000..dd3a76192c8 --- /dev/null 
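Review bot: The new wrap test `sca_offset + sizeof(struct sca_block) > PAGE_SIZE` in `kvm_arch_init_vm` assumes that `kvm->arch.sca` points at exactly one page, but the allocation sits above the hunk, so the link between the two is invisible where it matters. A comment on the test, for example `/* the SCA lives in a single page; keep the whole sca_block inside it */`, would tie them together, and the step of 16 could be explained in the same place. `kvm_arch_init_vm` starts and ends outside the hunk.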
+++ b/queue-4.3/kvm-x86-add-read_phys-to-x86_emulate_ops.patch 
@@ -0,0 +1,72 @@ +From 7a036a6f670f63b32c5ee126425f9109271ca13f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= +Date: Fri, 30 Oct 2015 16:36:24 +0100 +Subject: KVM: x86: add read_phys to x86_emulate_ops +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= + +commit 7a036a6f670f63b32c5ee126425f9109271ca13f upstream. + +We want to read the physical memory when emulating RSM. + +X86EMUL_IO_NEEDED is returned on all errors for consistency with other +helpers. + +Signed-off-by: Radim Krčmář +Tested-by: Laszlo Ersek +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/kvm_emulate.h | 10 ++++++++++ + arch/x86/kvm/x86.c | 10 ++++++++++ + 2 files changed, 20 insertions(+) + +--- a/arch/x86/include/asm/kvm_emulate.h ++++ b/arch/x86/include/asm/kvm_emulate.h +@@ -112,6 +112,16 @@ struct x86_emulate_ops { + struct x86_exception *fault); + + /* ++ * read_phys: Read bytes of standard (non-emulated/special) memory. ++ * Used for descriptor reading. ++ * @addr: [IN ] Physical address from which to read. ++ * @val: [OUT] Value read from memory. ++ * @bytes: [IN ] Number of bytes to read from memory. ++ */ ++ int (*read_phys)(struct x86_emulate_ctxt *ctxt, unsigned long addr, ++ void *val, unsigned int bytes); ++ ++ /* + * write_std: Write bytes of standard (non-emulated/special) memory. + * Used for descriptor writing. + * @addr: [IN ] Linear address to which to write. +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4059,6 +4059,15 @@ static int kvm_read_guest_virt_system(st + return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, 0, exception); + } + ++static int kvm_read_guest_phys_system(struct x86_emulate_ctxt *ctxt, ++ unsigned long addr, void *val, unsigned int bytes) ++{ ++ struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); ++ int r = kvm_vcpu_read_guest(vcpu, addr, val, bytes); ++ ++ return r < 0 ? 
X86EMUL_IO_NEEDED : X86EMUL_CONTINUE; ++} ++ + int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt, + gva_t addr, void *val, + unsigned int bytes, +@@ -4794,6 +4803,7 @@ static const struct x86_emulate_ops emul + .write_gpr = emulator_write_gpr, + .read_std = kvm_read_guest_virt_system, + .write_std = kvm_write_guest_virt_system, ++ .read_phys = kvm_read_guest_phys_system, + .fetch = kvm_fetch_guest_virt, + .read_emulated = emulator_read_emulated, + .write_emulated = emulator_write_emulated, diff --git a/queue-4.3/kvm-x86-allow-rsm-from-64-bit-mode.patch b/queue-4.3/kvm-x86-allow-rsm-from-64-bit-mode.patch new file mode 100644 index 00000000000..e0e825b4d87 --- /dev/null +++ b/queue-4.3/kvm-x86-allow-rsm-from-64-bit-mode.patch 
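Review bot: The comment added for `read_phys` in `struct x86_emulate_ops` repeats the `read_std` wording ("standard (non-emulated/special) memory", "Used for descriptor reading"), whereas the commit message gives emulating RSM as the purpose, and it leaves out the return convention. I would reword the first lines to `* read_phys: Read bytes of guest physical memory. Used when emulating RSM.` and add that the callback returns `X86EMUL_CONTINUE` on success and `X86EMUL_IO_NEEDED` on any error, which is what `kvm_read_guest_phys_system` implements. `addr` is declared `unsigned long`; if guest physical addresses can be wider than that on 32-bit hosts, the parameter type deserves a second look.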
@@ -0,0 +1,80 @@ +From 89651a3decbe03754f304a0b248f27eeb9a37937 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 3 Nov 2015 13:43:05 +0100 +Subject: KVM: x86: allow RSM from 64-bit mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paolo Bonzini + +commit 89651a3decbe03754f304a0b248f27eeb9a37937 upstream. + +The SDM says that exiting system management mode from 64-bit mode +is invalid, but that would be too good to be true. But actually, +most of the code is already there to support exiting from compat +mode (EFER.LME=1, EFER.LMA=0). Getting all the way from 64-bit +mode to real mode only requires clearing CS.L and CR4.PCIDE. + +Fixes: 660a5d517aaab9187f93854425c4c63f4a09195c +Tested-by: Laszlo Ersek +Cc: Radim Krčmář +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/emulate.c | 30 +++++++++++++++++++++++++----- + 1 file changed, 25 insertions(+), 5 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -2484,16 +2484,36 @@ static int em_rsm(struct x86_emulate_ctx + + /* + * Get back to real mode, to prepare a safe state in which to load +- * CR0/CR3/CR4/EFER. +- * +- * CR4.PCIDE must be zero, because it is a 64-bit mode only feature. ++ * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU ++ * supports long mode. + */ ++ cr4 = ctxt->ops->get_cr(ctxt, 4); ++ if (emulator_has_longmode(ctxt)) { ++ struct desc_struct cs_desc; ++ ++ /* Zero CR4.PCIDE before CR0.PG. */ ++ if (cr4 & X86_CR4_PCIDE) { ++ ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE); ++ cr4 &= ~X86_CR4_PCIDE; ++ } ++ ++ /* A 32-bit code segment is required to clear EFER.LMA. */ ++ memset(&cs_desc, 0, sizeof(cs_desc)); ++ cs_desc.type = 0xb; ++ cs_desc.s = cs_desc.g = cs_desc.p = 1; ++ ctxt->ops->set_segment(ctxt, 0, &cs_desc, 0, VCPU_SREG_CS); ++ } ++ ++ /* For the 64-bit case, this will clear EFER.LMA. 
*/ + cr0 = ctxt->ops->get_cr(ctxt, 0); + if (cr0 & X86_CR0_PE) + ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE)); +- cr4 = ctxt->ops->get_cr(ctxt, 4); ++ ++ /* Now clear CR4.PAE (which must be done before clearing EFER.LME). */ + if (cr4 & X86_CR4_PAE) + ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE); ++ ++ /* And finally go back to 32-bit mode. */ + efer = 0; + ctxt->ops->set_msr(ctxt, MSR_EFER, efer); + +@@ -4454,7 +4474,7 @@ static const struct opcode twobyte_table + F(DstMem | SrcReg | Src2CL | ModRM, em_shld), N, N, + /* 0xA8 - 0xAF */ + I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg), +- II(No64 | EmulateOnUD | ImplicitOps, em_rsm, rsm), ++ II(EmulateOnUD | ImplicitOps, em_rsm, rsm), + F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts), + F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd), + F(DstMem | SrcReg | Src2CL | ModRM, em_shrd), diff --git a/queue-4.3/kvm-x86-handle-smbase-as-physical-address-in-rsm.patch b/queue-4.3/kvm-x86-handle-smbase-as-physical-address-in-rsm.patch new file mode 100644 index 00000000000..1c1ac23572c --- /dev/null +++ b/queue-4.3/kvm-x86-handle-smbase-as-physical-address-in-rsm.patch 
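Review bot: The `set_cr` call that clears `CR4.PCIDE` in the new `emulator_has_longmode` branch of `em_rsm` discards its return value, and the sequence then clears CR0.PG/PE, CR4.PAE and EFER as if that step had succeeded. Removing `No64` from the `rsm` entry in `twobyte_table` makes this path reachable from 64-bit mode, so a failed step should end the emulation, e.g. `if (ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE)) return X86EMUL_UNHANDLEABLE;`. This assumes `set_cr` signals failure with a non-zero value, which is declared outside this hunk. The literal `0xb` assigned to `cs_desc.type` would also read better with a short comment naming the segment type. `em_rsm` starts and ends outside the hunk.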
@@ -0,0 +1,49 @@ +From f40606b147dd5b4678cedc877a71deb520ca507e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= +Date: Fri, 30 Oct 2015 16:36:25 +0100 +Subject: KVM: x86: handle SMBASE as physical address in RSM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= + +commit f40606b147dd5b4678cedc877a71deb520ca507e upstream. + +GET_SMSTATE depends on real mode to ensure that smbase+offset is treated +as a physical address, which has already caused a bug after shuffling +the code. Enforce physical addressing. + +Signed-off-by: Radim Krčmář +Reported-by: Laszlo Ersek +Tested-by: Laszlo Ersek +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/emulate.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -2272,8 +2272,8 @@ static int emulator_has_longmode(struct + #define GET_SMSTATE(type, smbase, offset) \ + ({ \ + type __val; \ +- int r = ctxt->ops->read_std(ctxt, smbase + offset, &__val, \ +- sizeof(__val), NULL); \ ++ int r = ctxt->ops->read_phys(ctxt, smbase + offset, &__val, \ ++ sizeof(__val)); \ + if (r != X86EMUL_CONTINUE) \ + return X86EMUL_UNHANDLEABLE; \ + __val; \ +@@ -2484,8 +2484,7 @@ static int em_rsm(struct x86_emulate_ctx + + /* + * Get back to real mode, to prepare a safe state in which to load +- * CR0/CR3/CR4/EFER. Also this will ensure that addresses passed +- * to read_std/write_std are not virtual. ++ * CR0/CR3/CR4/EFER. + * + * CR4.PCIDE must be zero, because it is a 64-bit mode only feature. + */ diff --git a/queue-4.3/kvm-x86-obey-kvm_x86_quirk_cd_nw_cleared-in-kvm_set_cr0.patch b/queue-4.3/kvm-x86-obey-kvm_x86_quirk_cd_nw_cleared-in-kvm_set_cr0.patch new file mode 100644 index 00000000000..951f2dadd14 --- /dev/null +++ b/queue-4.3/kvm-x86-obey-kvm_x86_quirk_cd_nw_cleared-in-kvm_set_cr0.patch 
@@ -0,0 +1,53 @@ +From 879ae1880449c88db11c1ebdaedc2da79b2fe73f Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Wed, 4 Nov 2015 12:54:41 +0100 +Subject: KVM: x86: obey KVM_X86_QUIRK_CD_NW_CLEARED in kvm_set_cr0() + +From: Laszlo Ersek + +commit 879ae1880449c88db11c1ebdaedc2da79b2fe73f upstream. + +Commit b18d5431acc7 ("KVM: x86: fix CR0.CD virtualization") was +technically correct, but it broke OVMF guests by slowing down various +parts of the firmware. + +Commit fb279950ba02 ("KVM: vmx: obey KVM_QUIRK_CD_NW_CLEARED") quirked the +first function modified by b18d5431acc7, vmx_get_mt_mask(), for OVMF's +sake. This restored the speed of the OVMF code that runs before +PlatformPei (including the memory intensive LZMA decompression in SEC). + +This patch extends the quirk to the second function modified by +b18d5431acc7, kvm_set_cr0(). It eliminates the intrusive slowdown that +hits the EFI_MP_SERVICES_PROTOCOL implementation of edk2's +UefiCpuPkg/CpuDxe -- which is built into OVMF --, when CpuDxe starts up +all APs at once for initialization, in order to count them. + +We also carry over the kvm_arch_has_noncoherent_dma() sub-condition from +the other half of the original commit b18d5431acc7. + +Fixes: b18d5431acc7a2fd22767925f3a6f597aa4bd29e +Cc: Jordan Justen +Cc: Alex Williamson +Reviewed-by: Xiao Guangrong +Tested-by: Janusz Mocek +Signed-off-by: Laszlo Ersek # +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -622,7 +622,9 @@ int kvm_set_cr0(struct kvm_vcpu *vcpu, u + if ((cr0 ^ old_cr0) & update_bits) + kvm_mmu_reset_context(vcpu); + +- if ((cr0 ^ old_cr0) & X86_CR0_CD) ++ if (((cr0 ^ old_cr0) & X86_CR0_CD) && ++ kvm_arch_has_noncoherent_dma(vcpu->kvm) && ++ !kvm_check_has_quirk(vcpu->kvm, KVM_X86_QUIRK_CD_NW_CLEARED)) + kvm_zap_gfn_range(vcpu->kvm, 0, ~0ULL); + + return 0; 
diff --git a/queue-4.3/kvm-x86-set-kvm_req_event-when-updating-irr.patch b/queue-4.3/kvm-x86-set-kvm_req_event-when-updating-irr.patch new file mode 100644 index 00000000000..268e8d3e356 --- /dev/null +++ b/queue-4.3/kvm-x86-set-kvm_req_event-when-updating-irr.patch @@ -0,0 +1,34 @@ +From c77f3fab441c3e466b4c3601a475fc31ce156b06 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= +Date: Thu, 8 Oct 2015 20:23:33 +0200 +Subject: kvm: x86: set KVM_REQ_EVENT when updating IRR +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= + +commit c77f3fab441c3e466b4c3601a475fc31ce156b06 upstream. + +After moving PIR to IRR, the interrupt needs to be delivered manually. + +Reported-by: Paolo Bonzini +Signed-off-by: Radim Krčmář +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/lapic.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -348,6 +348,8 @@ void kvm_apic_update_irr(struct kvm_vcpu + struct kvm_lapic *apic = vcpu->arch.apic; + + __kvm_apic_update_irr(pir, apic->regs); ++ ++ kvm_make_request(KVM_REQ_EVENT, vcpu); + } + EXPORT_SYMBOL_GPL(kvm_apic_update_irr); + diff --git a/queue-4.3/kvm-x86-work-around-infinite-loop-in-microcode-when-ac-is-delivered.patch b/queue-4.3/kvm-x86-work-around-infinite-loop-in-microcode-when-ac-is-delivered.patch new file mode 100644 index 00000000000..4d00ba6bff0 --- /dev/null +++ b/queue-4.3/kvm-x86-work-around-infinite-loop-in-microcode-when-ac-is-delivered.patch 
@@ -0,0 +1,87 @@ +From 54a20552e1eae07aa240fa370a0293e006b5faed Mon Sep 17 00:00:00 2001 +From: Eric Northup +Date: Tue, 3 Nov 2015 18:03:53 +0100 +Subject: KVM: x86: work around infinite loop in microcode when #AC is delivered + +From: Eric Northup + +commit 54a20552e1eae07aa240fa370a0293e006b5faed upstream. + +It was found that a guest can DoS a host by triggering an infinite +stream of "alignment check" (#AC) exceptions. This causes the +microcode to enter an infinite loop where the core never receives +another interrupt. The host kernel panics pretty quickly due to the +effects (CVE-2015-5307). + +Signed-off-by: Eric Northup +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/uapi/asm/svm.h | 1 + + arch/x86/kvm/svm.c | 8 ++++++++ + arch/x86/kvm/vmx.c | 5 ++++- + 3 files changed, 13 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/uapi/asm/svm.h ++++ b/arch/x86/include/uapi/asm/svm.h +@@ -100,6 +100,7 @@ + { SVM_EXIT_EXCP_BASE + UD_VECTOR, "UD excp" }, \ + { SVM_EXIT_EXCP_BASE + PF_VECTOR, "PF excp" }, \ + { SVM_EXIT_EXCP_BASE + NM_VECTOR, "NM excp" }, \ ++ { SVM_EXIT_EXCP_BASE + AC_VECTOR, "AC excp" }, \ + { SVM_EXIT_EXCP_BASE + MC_VECTOR, "MC excp" }, \ + { SVM_EXIT_INTR, "interrupt" }, \ + { SVM_EXIT_NMI, "nmi" }, \ +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1107,6 +1107,7 @@ static void init_vmcb(struct vcpu_svm *s + set_exception_intercept(svm, PF_VECTOR); + set_exception_intercept(svm, UD_VECTOR); + set_exception_intercept(svm, MC_VECTOR); ++ set_exception_intercept(svm, AC_VECTOR); + + set_intercept(svm, INTERCEPT_INTR); + set_intercept(svm, INTERCEPT_NMI); +@@ -1795,6 +1796,12 @@ static int ud_interception(struct vcpu_s + return 1; + } + ++static int ac_interception(struct vcpu_svm *svm) ++{ ++ kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0); ++ return 1; ++} ++ + static void svm_fpu_activate(struct kvm_vcpu *vcpu) + { + struct vcpu_svm *svm = to_svm(vcpu); +@@ -3370,6 +3377,7 @@ static int 
(*const svm_exit_handlers[])( + [SVM_EXIT_EXCP_BASE + PF_VECTOR] = pf_interception, + [SVM_EXIT_EXCP_BASE + NM_VECTOR] = nm_interception, + [SVM_EXIT_EXCP_BASE + MC_VECTOR] = mc_interception, ++ [SVM_EXIT_EXCP_BASE + AC_VECTOR] = ac_interception, + [SVM_EXIT_INTR] = intr_interception, + [SVM_EXIT_NMI] = nmi_interception, + [SVM_EXIT_SMI] = nop_on_interception, +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -1567,7 +1567,7 @@ static void update_exception_bitmap(stru + u32 eb; + + eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) | +- (1u << NM_VECTOR) | (1u << DB_VECTOR); ++ (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR); + if ((vcpu->guest_debug & + (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) == + (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) +@@ -5103,6 +5103,9 @@ static int handle_exception(struct kvm_v + return handle_rmode_exception(vcpu, ex_no, error_code); + + switch (ex_no) { ++ case AC_VECTOR: ++ kvm_queue_exception_e(vcpu, AC_VECTOR, error_code); ++ return 1; + case DB_VECTOR: + dr6 = vmcs_readl(EXIT_QUALIFICATION); + if (!(vcpu->guest_debug & diff --git a/queue-4.3/kvm-x86-zero-efer-on-init.patch b/queue-4.3/kvm-x86-zero-efer-on-init.patch new file mode 100644 index 00000000000..0a66c27ba8f --- /dev/null +++ b/queue-4.3/kvm-x86-zero-efer-on-init.patch 
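Review bot: Neither `ac_interception` in svm.c nor the new `case AC_VECTOR:` in `handle_exception` in vmx.c says why #AC is intercepted only to be queued straight back to the guest, so the intercept looks removable to anyone who has not read the commit message. A comment at both places, for example `/* Intercept #AC and reinject it: direct delivery lets a guest stall the core in microcode (CVE-2015-5307) */`, would keep the reason next to the code. The same applies to the `AC_VECTOR` bit added in `update_exception_bitmap` and to the `set_exception_intercept(svm, AC_VECTOR)` line in `init_vmcb`. The SVM handler passes a literal 0 as the error code while the VMX path forwards `error_code`; that is presumably equivalent for #AC, but a short comment would confirm the difference is intended.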
@@ -0,0 +1,84 @@ +From 5690891bcec5fcfda38da974ffa5488e36a59811 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 19 Oct 2015 11:30:19 +0200 +Subject: kvm: x86: zero EFER on INIT + +From: Paolo Bonzini + +commit 5690891bcec5fcfda38da974ffa5488e36a59811 upstream. + +Not zeroing EFER means that a 32-bit firmware cannot enter paging mode +without clearing EFER.LME first (which it should not know about). +Yang Zhang from Intel confirmed that the manual is wrong and EFER is +cleared to zero on INIT. + +Fixes: d28bc9dd25ce023270d2e039e7c98d38ecbf7758 +Cc: Yang Z Zhang +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 11 +++++------ + arch/x86/kvm/vmx.c | 3 +-- + 2 files changed, 6 insertions(+), 8 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1086,7 +1086,7 @@ static u64 svm_compute_tsc_offset(struct + return target_tsc - tsc; + } + +-static void init_vmcb(struct vcpu_svm *svm, bool init_event) ++static void init_vmcb(struct vcpu_svm *svm) + { + struct vmcb_control_area *control = &svm->vmcb->control; + struct vmcb_save_area *save = &svm->vmcb->save; +@@ -1157,8 +1157,7 @@ static void init_vmcb(struct vcpu_svm *s + init_sys_seg(&save->ldtr, SEG_TYPE_LDT); + init_sys_seg(&save->tr, SEG_TYPE_BUSY_TSS16); + +- if (!init_event) +- svm_set_efer(&svm->vcpu, 0); ++ svm_set_efer(&svm->vcpu, 0); + save->dr6 = 0xffff0ff0; + kvm_set_rflags(&svm->vcpu, 2); + save->rip = 0x0000fff0; +@@ -1212,7 +1211,7 @@ static void svm_vcpu_reset(struct kvm_vc + if (kvm_vcpu_is_reset_bsp(&svm->vcpu)) + svm->vcpu.arch.apic_base |= MSR_IA32_APICBASE_BSP; + } +- init_vmcb(svm, init_event); ++ init_vmcb(svm); + + kvm_cpuid(vcpu, &eax, &dummy, &dummy, &dummy); + kvm_register_write(vcpu, VCPU_REGS_RDX, eax); +@@ -1268,7 +1267,7 @@ static struct kvm_vcpu *svm_create_vcpu( + clear_page(svm->vmcb); + svm->vmcb_pa = page_to_pfn(page) << PAGE_SHIFT; + svm->asid_generation = 0; +- init_vmcb(svm, false); ++ init_vmcb(svm); + + 
svm_init_osvw(&svm->vcpu); + +@@ -1890,7 +1889,7 @@ static int shutdown_interception(struct + * so reinitialize it. + */ + clear_page(svm->vmcb); +- init_vmcb(svm, false); ++ init_vmcb(svm); + + kvm_run->exit_reason = KVM_EXIT_SHUTDOWN; + return 0; +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -4771,8 +4771,7 @@ static void vmx_vcpu_reset(struct kvm_vc + vmx_set_cr0(vcpu, cr0); /* enter rmode */ + vmx->vcpu.arch.cr0 = cr0; + vmx_set_cr4(vcpu, 0); +- if (!init_event) +- vmx_set_efer(vcpu, 0); ++ vmx_set_efer(vcpu, 0); + vmx_fpu_activate(vcpu); + update_exception_bitmap(vcpu); + diff --git a/queue-4.3/mac80211-allow-null-chandef-in-tracing.patch b/queue-4.3/mac80211-allow-null-chandef-in-tracing.patch new file mode 100644 index 00000000000..1c77fcfccaa --- /dev/null +++ b/queue-4.3/mac80211-allow-null-chandef-in-tracing.patch 
@@ -0,0 +1,42 @@ +From 254d3dfe445f94a764e399ca12e04365ac9413ed Mon Sep 17 00:00:00 2001 +From: Arik Nemtsov +Date: Sun, 25 Oct 2015 10:59:41 +0200 +Subject: mac80211: allow null chandef in tracing + +From: Arik Nemtsov + +commit 254d3dfe445f94a764e399ca12e04365ac9413ed upstream. + +In TDLS channel-switch operations the chandef can sometimes be NULL. +Avoid an oops in the trace code for these cases and just print a +chandef full of zeros. + +Fixes: a7a6bdd0670fe ("mac80211: introduce TDLS channel switch ops") +Signed-off-by: Arik Nemtsov +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/trace.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/net/mac80211/trace.h ++++ b/net/mac80211/trace.h +@@ -33,11 +33,11 @@ + __field(u32, chan_width) \ + __field(u32, center_freq1) \ + __field(u32, center_freq2) +-#define CHANDEF_ASSIGN(c) \ +- __entry->control_freq = (c)->chan ? (c)->chan->center_freq : 0; \ +- __entry->chan_width = (c)->width; \ +- __entry->center_freq1 = (c)->center_freq1; \ +- __entry->center_freq2 = (c)->center_freq2; ++#define CHANDEF_ASSIGN(c) \ ++ __entry->control_freq = (c) ? ((c)->chan ? (c)->chan->center_freq : 0) : 0; \ ++ __entry->chan_width = (c) ? (c)->width : 0; \ ++ __entry->center_freq1 = (c) ? (c)->center_freq1 : 0; \ ++ __entry->center_freq2 = (c) ? (c)->center_freq2 : 0; + #define CHANDEF_PR_FMT " control:%d MHz width:%d center: %d/%d MHz" + #define CHANDEF_PR_ARG __entry->control_freq, __entry->chan_width, \ + __entry->center_freq1, __entry->center_freq2 diff --git a/queue-4.3/mac80211-fix-divide-by-zero-when-noa-update.patch b/queue-4.3/mac80211-fix-divide-by-zero-when-noa-update.patch new file mode 100644 index 00000000000..47f414499a8 --- /dev/null +++ b/queue-4.3/mac80211-fix-divide-by-zero-when-noa-update.patch 
@@ -0,0 +1,49 @@ +From 519ee6918b91abdc4bc9720deae17599a109eb40 Mon Sep 17 00:00:00 2001 +From: "Janusz.Dziedzic@tieto.com" +Date: Tue, 27 Oct 2015 08:35:11 +0100 +Subject: mac80211: fix divide by zero when NOA update + +From: "Janusz.Dziedzic@tieto.com" + +commit 519ee6918b91abdc4bc9720deae17599a109eb40 upstream. + +In case of one shot NOA the interval can be 0, catch that +instead of potentially (depending on the driver) crashing +like this: + +divide error: 0000 [#1] SMP +[...] +Call Trace: + +[] ieee80211_extend_absent_time+0x6c/0xb0 [mac80211] +[] ieee80211_update_p2p_noa+0xb7/0xe0 [mac80211] +[] ath9k_p2p_ps_timer+0x170/0x190 [ath9k] +[] ath_gen_timer_isr+0xc8/0xf0 [ath9k_hw] +[] ath9k_tasklet+0x296/0x2f0 [ath9k] +[] tasklet_action+0xe5/0xf0 +[...] + +Signed-off-by: Janusz Dziedzic +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/util.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -2951,6 +2951,13 @@ ieee80211_extend_noa_desc(struct ieee802 + if (end > 0) + return false; + ++ /* One shot NOA */ ++ if (data->count[i] == 1) ++ return false; ++ ++ if (data->desc[i].interval == 0) ++ return false; ++ + /* End time is in the past, check for repetitions */ + skip = DIV_ROUND_UP(-end, data->desc[i].interval); + if (data->count[i] < 255) { diff --git a/queue-4.3/mac80211-fix-driver-rssi-event-calculations.patch b/queue-4.3/mac80211-fix-driver-rssi-event-calculations.patch new file mode 100644 index 00000000000..0c6e1e52560 --- /dev/null +++ b/queue-4.3/mac80211-fix-driver-rssi-event-calculations.patch 
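Review bot: The `/* One shot NOA */` comment in `ieee80211_extend_noa_desc` covers only the `data->count[i] == 1` test. The `data->desc[i].interval == 0` test, which is what actually protects `DIV_ROUND_UP(-end, data->desc[i].interval)` a few lines below, has no comment of its own. I would add `/* a zero interval would divide by zero in DIV_ROUND_UP() below */` above it. If the descriptor values come from received frames, which this hunk does not show, the guard is input validation and is worth labelling as such. The function continues outside the hunk.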
@@ -0,0 +1,33 @@ +From 8ec6d97871f37e4743678ea4a455bd59580aa0f4 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 28 Aug 2015 10:52:53 +0200 +Subject: mac80211: fix driver RSSI event calculations + +From: Johannes Berg + +commit 8ec6d97871f37e4743678ea4a455bd59580aa0f4 upstream. + +The ifmgd->ave_beacon_signal value cannot be taken as is for +comparisons, it must be divided by since it's represented +like that for better accuracy of the EWMA calculations. This +would lead to invalid driver RSSI events. Fix the used value. + +Fixes: 615f7b9bb1f8 ("mac80211: add driver RSSI threshold events") +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/mlme.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -3391,7 +3391,7 @@ static void ieee80211_rx_mgmt_beacon(str + + if (ifmgd->rssi_min_thold != ifmgd->rssi_max_thold && + ifmgd->count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT) { +- int sig = ifmgd->ave_beacon_signal; ++ int sig = ifmgd->ave_beacon_signal / 16; + int last_sig = ifmgd->last_ave_beacon_signal; + struct ieee80211_event event = { + .type = RSSI_EVENT, diff --git a/queue-4.3/mac80211-fix-local-deauth-while-associating.patch b/queue-4.3/mac80211-fix-local-deauth-while-associating.patch new file mode 100644 index 00000000000..5e2a23574ae --- /dev/null +++ b/queue-4.3/mac80211-fix-local-deauth-while-associating.patch 
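Review bot: The literal `16` in `int sig = ifmgd->ave_beacon_signal / 16;` in `ieee80211_rx_mgmt_beacon` duplicates the scaling factor of the averaged value, which is set somewhere outside this hunk. If that factor ever changes, this division goes stale without any compile error. A named constant shared with the code that scales `ave_beacon_signal`, or at least a comment such as `/* ave_beacon_signal is kept scaled by 16 for EWMA accuracy */`, would keep the two in step. `last_sig` on the next line is read from `last_ave_beacon_signal`; it is worth checking that this field is stored in the same unscaled unit as `sig`, since the code that uses both is outside the hunk.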
@@ -0,0 +1,50 @@ +From a64cba3c5330704a034bd3179270b8d04daf6987 Mon Sep 17 00:00:00 2001 +From: Andrei Otcheretianski +Date: Sun, 25 Oct 2015 10:59:38 +0200 +Subject: mac80211: Fix local deauth while associating + +From: Andrei Otcheretianski + +commit a64cba3c5330704a034bd3179270b8d04daf6987 upstream. + +Local request to deauthenticate wasn't handled while associating, thus +the association could continue even when the user space required to +disconnect. + +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/mlme.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -5028,6 +5028,25 @@ int ieee80211_mgd_deauth(struct ieee8021 + return 0; + } + ++ if (ifmgd->assoc_data && ++ ether_addr_equal(ifmgd->assoc_data->bss->bssid, req->bssid)) { ++ sdata_info(sdata, ++ "aborting association with %pM by local choice (Reason: %u=%s)\n", ++ req->bssid, req->reason_code, ++ ieee80211_get_reason_code_string(req->reason_code)); ++ ++ drv_mgd_prepare_tx(sdata->local, sdata); ++ ieee80211_send_deauth_disassoc(sdata, req->bssid, ++ IEEE80211_STYPE_DEAUTH, ++ req->reason_code, tx, ++ frame_buf); ++ ieee80211_destroy_assoc_data(sdata, false); ++ ieee80211_report_disconnect(sdata, frame_buf, ++ sizeof(frame_buf), true, ++ req->reason_code); ++ return 0; ++ } ++ + if (ifmgd->associated && + ether_addr_equal(ifmgd->associated->bssid, req->bssid)) { + sdata_info(sdata, diff --git a/queue-4.3/mfd-twl6040-fix-deferred-probe-handling-for-clk32k.patch b/queue-4.3/mfd-twl6040-fix-deferred-probe-handling-for-clk32k.patch new file mode 100644 index 00000000000..1027b69e41b --- /dev/null +++ b/queue-4.3/mfd-twl6040-fix-deferred-probe-handling-for-clk32k.patch 
@@ -0,0 +1,46 @@
+From 75c08f17ec87c2d742487bb87408d6feebc526bd Mon Sep 17 00:00:00 2001
+From: Tony Lindgren
+Date: Fri, 18 Sep 2015 09:29:04 -0700
+Subject: mfd: twl6040: Fix deferred probe handling for clk32k
+
+From: Tony Lindgren
+
+commit 75c08f17ec87c2d742487bb87408d6feebc526bd upstream.
+
+Commit 68bab8662f49 ("mfd: twl6040: Optional clk32k clock handling")
+added clock handling for the 32k clock from palmas-clk. However, that
+patch did not consider a typical situation where twl6040 is built-in,
+and palmas-clk is a loadable module like we have in omap2plus_defconfig.
+
+If palmas-clk is not loaded before twl6040 probes, we will get a
+"clk32k is not handled" warning during booting. This means that any
+drivers relying on this clock will mysteriously fail, including
+omap5-uevm WLAN and audio.
+
+Note that for WLAN, we probably should also eventually get
+the clk32kgaudio for MMC3 directly as that's shared between
+audio and WLAN SDIO at least for omap5-uevm. It seems the
+WLAN chip cannot get it as otherwise MMC3 won't get properly
+probed.
+
+Fixes: 68bab8662f49 ("mfd: twl6040: Optional clk32k clock handling")
+Signed-off-by: Tony Lindgren
+Reviewed-by: Felipe Balbi
+Signed-off-by: Lee Jones
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mfd/twl6040.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mfd/twl6040.c
++++ b/drivers/mfd/twl6040.c
+@@ -647,6 +647,8 @@ static int twl6040_probe(struct i2c_clie
+
+ twl6040->clk32k = devm_clk_get(&client->dev, "clk32k");
+ if (IS_ERR(twl6040->clk32k)) {
++ if (PTR_ERR(twl6040->clk32k) == -EPROBE_DEFER)
++ return -EPROBE_DEFER;
+ dev_info(&client->dev, "clk32k is not handled\n");
+ twl6040->clk32k = NULL;
+ }
diff --git a/queue-4.3/mips-ath79-fix-the-ddr-control-initialization-on-ar71xx-and-ar934x.patch b/queue-4.3/mips-ath79-fix-the-ddr-control-initialization-on-ar71xx-and-ar934x.patch
new file mode 100644
index 00000000000..b33c5e46ebb
--- /dev/null
+++ b/queue-4.3/mips-ath79-fix-the-ddr-control-initialization-on-ar71xx-and-ar934x.patch
@@ -0,0 +1,41 @@
+From 5011a7e808c9fec643d752c5a495a48f27268a48 Mon Sep 17 00:00:00 2001
+From: Alban Bedel
+Date: Tue, 17 Nov 2015 09:40:07 +0100
+Subject: MIPS: ath79: Fix the DDR control initialization on ar71xx and ar934x
+
+From: Alban Bedel
+
+commit 5011a7e808c9fec643d752c5a495a48f27268a48 upstream.
+
+The DDR control initialization needs to know the SoC type, however
+ath79_detect_sys_type() was called after ath79_ddr_ctrl_init().
+Reverse the order to fix the DDR control initialization on ar71xx and
+ar934x.
+
+Signed-off-by: Alban Bedel
+Cc: Felix Fietkau
+Cc: Qais Yousef
+Cc: Andrew Bresticker
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/11500/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/ath79/setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/ath79/setup.c
++++ b/arch/mips/ath79/setup.c
+@@ -216,9 +216,9 @@ void __init plat_mem_setup(void)
+ AR71XX_RESET_SIZE);
+ ath79_pll_base = ioremap_nocache(AR71XX_PLL_BASE,
+ AR71XX_PLL_SIZE);
++ ath79_detect_sys_type();
+ ath79_ddr_ctrl_init();
+
+- ath79_detect_sys_type();
+ if (mips_machtype != ATH79_MACH_GENERIC_OF)
+ detect_memory_region(0, ATH79_MEM_SIZE_MIN, ATH79_MEM_SIZE_MAX);
+
diff --git a/queue-4.3/mips-cdmm-add-builtin_mips_cdmm_driver-macro.patch b/queue-4.3/mips-cdmm-add-builtin_mips_cdmm_driver-macro.patch
new file mode 100644
index 00000000000..ab4cb3ba90e
--- /dev/null
+++ b/queue-4.3/mips-cdmm-add-builtin_mips_cdmm_driver-macro.patch
@@ -0,0 +1,46 @@
+From 1b4a5ddb127caf125e14551ebd334be1acf21805 Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Tue, 6 Oct 2015 15:12:05 +0100
+Subject: MIPS: CDMM: Add builtin_mips_cdmm_driver() macro
+
+From: James Hogan
+
+commit 1b4a5ddb127caf125e14551ebd334be1acf21805 upstream.
+
+Add helper macro builtin_mips_cdmm_driver() for builtin CDMM drivers
+that don't do anything special in init and have no exit. The
+module_mips_cdmm_driver() helper isn't really appropriate for drivers
+that can't be built as a module.
+
+Signed-off-by: James Hogan
+Cc: Greg Kroah-Hartman
+Cc: Jiri Slaby
+Cc: linux-mips@linux-mips.org
+Patchwork: http://patchwork.linux-mips.org/patch/11264/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/include/asm/cdmm.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/mips/include/asm/cdmm.h
++++ b/arch/mips/include/asm/cdmm.h
+@@ -84,6 +84,17 @@ void mips_cdmm_driver_unregister(struct
+ module_driver(__mips_cdmm_driver, mips_cdmm_driver_register, \
+ mips_cdmm_driver_unregister)
+
++/*
++ * builtin_mips_cdmm_driver() - Helper macro for drivers that don't do anything
++ * special in init and have no exit. This eliminates some boilerplate. Each
++ * driver may only use this macro once, and calling it replaces device_initcall
++ * (or in some cases, the legacy __initcall). This is meant to be a direct
++ * parallel of module_mips_cdmm_driver() above but without the __exit stuff that
++ * is not used for builtin cases.
++ */
++#define builtin_mips_cdmm_driver(__mips_cdmm_driver) \
++ builtin_driver(__mips_cdmm_driver, mips_cdmm_driver_register)
++
+ /* drivers/tty/mips_ejtag_fdc.c */
+
+ #ifdef CONFIG_MIPS_EJTAG_FDC_EARLYCON
diff --git a/queue-4.3/mips-kvm-fix-asid-restoration-logic.patch b/queue-4.3/mips-kvm-fix-asid-restoration-logic.patch
new file mode 100644
index 00000000000..db545c1fe4b
--- /dev/null
+++ b/queue-4.3/mips-kvm-fix-asid-restoration-logic.patch
@@ -0,0 +1,64 @@
+From 002374f371bd02df864cce1fe85d90dc5b292837 Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Wed, 11 Nov 2015 14:21:18 +0000
+Subject: MIPS: KVM: Fix ASID restoration logic
+
+From: James Hogan
+
+commit 002374f371bd02df864cce1fe85d90dc5b292837 upstream.
+
+ASID restoration on guest resume should determine the guest execution
+mode based on the guest Status register rather than bit 30 of the guest
+PC.
+
+Fix the two places in locore.S that do this, loading the guest status
+from the cop0 area. Note, this assembly is specific to the trap &
+emulate implementation of KVM, so it doesn't need to check the
+supervisor bit as that mode is not implemented in the guest.
+
+Fixes: b680f70fc111 ("KVM/MIPS32: Entry point for trampolining to...")
+Signed-off-by: James Hogan
+Cc: Ralf Baechle
+Cc: Paolo Bonzini
+Cc: Gleb Natapov
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kvm/locore.S | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/arch/mips/kvm/locore.S
++++ b/arch/mips/kvm/locore.S
+@@ -165,9 +165,11 @@ FEXPORT(__kvm_mips_vcpu_run)
+
+ FEXPORT(__kvm_mips_load_asid)
+ /* Set the ASID for the Guest Kernel */
+- INT_SLL t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */
+- /* addresses shift to 0x80000000 */
+- bltz t0, 1f /* If kernel */
++ PTR_L t0, VCPU_COP0(k1)
++ LONG_L t0, COP0_STATUS(t0)
++ andi t0, KSU_USER | ST0_ERL | ST0_EXL
++ xori t0, KSU_USER
++ bnez t0, 1f /* If kernel */
+ INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */
+ INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID /* else user */
+ 1:
+@@ -482,9 +484,11 @@ __kvm_mips_return_to_guest:
+ mtc0 t0, CP0_EPC
+
+ /* Set the ASID for the Guest Kernel */
+- INT_SLL t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */
+- /* addresses shift to 0x80000000 */
+- bltz t0, 1f /* If kernel */
++ PTR_L t0, VCPU_COP0(k1)
++ LONG_L t0, COP0_STATUS(t0)
++ andi t0, KSU_USER | ST0_ERL | ST0_EXL
++ xori t0, KSU_USER
++ bnez t0, 1f /* If kernel */
+ INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */
+ INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID /* else user */
+ 1:
diff --git a/queue-4.3/mips-kvm-fix-cache-immediate-offset-sign-extension.patch b/queue-4.3/mips-kvm-fix-cache-immediate-offset-sign-extension.patch
new file mode 100644
index 00000000000..48859ad870a
--- /dev/null
+++ b/queue-4.3/mips-kvm-fix-cache-immediate-offset-sign-extension.patch
@@ -0,0 +1,38 @@
+From c5c2a3b998f1ff5a586f9d37e154070b8d550d17 Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Wed, 11 Nov 2015 14:21:19 +0000
+Subject: MIPS: KVM: Fix CACHE immediate offset sign extension
+
+From: James Hogan
+
+commit c5c2a3b998f1ff5a586f9d37e154070b8d550d17 upstream.
+
+The immediate field of the CACHE instruction is signed, so ensure that
+it gets sign extended by casting it to an int16_t rather than just
+masking the low 16 bits.
+
+Fixes: e685c689f3a8 ("KVM/MIPS32: Privileged instruction/target branch emulation.")
+Signed-off-by: James Hogan
+Cc: Ralf Baechle
+Cc: Paolo Bonzini
+Cc: Gleb Natapov
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kvm/emulate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kvm/emulate.c
++++ b/arch/mips/kvm/emulate.c
+@@ -1581,7 +1581,7 @@ enum emulation_result kvm_mips_emulate_c
+
+ base = (inst >> 21) & 0x1f;
+ op_inst = (inst >> 16) & 0x1f;
+- offset = inst & 0xffff;
++ offset = (int16_t)inst;
+ cache = (inst >> 16) & 0x3;
+ op = (inst >> 18) & 0x7;
+
diff --git a/queue-4.3/mips-kvm-uninit-vcpu-in-vcpu_create-error-path.patch b/queue-4.3/mips-kvm-uninit-vcpu-in-vcpu_create-error-path.patch
new file mode 100644
index 00000000000..9ba4e68c0c4
--- /dev/null
+++ b/queue-4.3/mips-kvm-uninit-vcpu-in-vcpu_create-error-path.patch
@@ -0,0 +1,48 @@
+From 585bb8f9a5e592f2ce7abbe5ed3112d5438d2754 Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Wed, 11 Nov 2015 14:21:20 +0000
+Subject: MIPS: KVM: Uninit VCPU in vcpu_create error path
+
+From: James Hogan
+
+commit 585bb8f9a5e592f2ce7abbe5ed3112d5438d2754 upstream.
+
+If either of the memory allocations in kvm_arch_vcpu_create() fail, the
+vcpu which has been allocated and kvm_vcpu_init'd doesn't get uninit'd
+in the error handling path. Add a call to kvm_vcpu_uninit() to fix this.
+
+Fixes: 669e846e6c4e ("KVM/MIPS32: MIPS arch specific APIs for KVM")
+Signed-off-by: James Hogan
+Cc: Ralf Baechle
+Cc: Paolo Bonzini
+Cc: Gleb Natapov
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kvm/mips.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/kvm/mips.c
++++ b/arch/mips/kvm/mips.c
+@@ -279,7 +279,7 @@ struct kvm_vcpu *kvm_arch_vcpu_create(st
+
+ if (!gebase) {
+ err = -ENOMEM;
+- goto out_free_cpu;
++ goto out_uninit_cpu;
+ }
+ kvm_debug("Allocated %d bytes for KVM Exception Handlers @ %p\n",
+ ALIGN(size, PAGE_SIZE), gebase);
+@@ -343,6 +343,9 @@ struct kvm_vcpu *kvm_arch_vcpu_create(st
+ out_free_gebase:
+ kfree(gebase);
+
++out_uninit_cpu:
++ kvm_vcpu_uninit(vcpu);
++
+ out_free_cpu:
+ kfree(vcpu);
+
diff --git a/queue-4.3/mips-lantiq-add-clk_round_rate.patch b/queue-4.3/mips-lantiq-add-clk_round_rate.patch
new file mode 100644
index 00000000000..be494892891
--- /dev/null
+++ b/queue-4.3/mips-lantiq-add-clk_round_rate.patch
@@ -0,0 +1,52 @@
+From 4e7d30dba493b60a80e9b590add1b4402265cc83 Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens
+Date: Sun, 25 Oct 2015 23:21:42 +0100
+Subject: MIPS: lantiq: add clk_round_rate()
+
+From: Hauke Mehrtens
+
+commit 4e7d30dba493b60a80e9b590add1b4402265cc83 upstream.
+
+This adds a basic implementation of clk_round_rate()
+The clk_round_rate() function is called by multiple drivers and
+subsystems now and the lantiq clk driver is supposed to export this,
+but doesn't do so, this causes linking problems like this one:
+ERROR: "clk_round_rate" [drivers/media/v4l2-core/videodev.ko] undefined!
+
+Signed-off-by: Hauke Mehrtens
+Acked-by: John Crispin
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/11358/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/lantiq/clk.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/arch/mips/lantiq/clk.c
++++ b/arch/mips/lantiq/clk.c
+@@ -99,6 +99,23 @@ int clk_set_rate(struct clk *clk, unsign
+ }
+ EXPORT_SYMBOL(clk_set_rate);
+
++long clk_round_rate(struct clk *clk, unsigned long rate)
++{
++ if (unlikely(!clk_good(clk)))
++ return 0;
++ if (clk->rates && *clk->rates) {
++ unsigned long *r = clk->rates;
++
++ while (*r && (*r != rate))
++ r++;
++ if (!*r) {
++ return clk->rate;
++ }
++ }
++ return rate;
++}
++EXPORT_SYMBOL(clk_round_rate);
++
+ int clk_enable(struct clk *clk)
+ {
+ if (unlikely(!clk_good(clk)))
diff --git a/queue-4.3/mwifiex-avoid-memsetting-pcie-event-buffer.patch b/queue-4.3/mwifiex-avoid-memsetting-pcie-event-buffer.patch
new file mode 100644
index 00000000000..6d4c2dee2b3
--- /dev/null
+++ b/queue-4.3/mwifiex-avoid-memsetting-pcie-event-buffer.patch
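Review bot: clk_round_rate() in arch/mips/lantiq/clk.c is added without a comment, and its result is not what the name suggests: when the requested rate is not found in `clk->rates` it returns the current `clk->rate` rather than the nearest supported rate, and it returns 0 when `clk_good()` fails. A short kernel-doc block above the function stating those two cases would let callers that compare the result with their request interpret it correctly. The single-statement `if (!*r) { return clk->rate; }` also carries braces that the other one-line bodies in the same function do not use.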
@@ -0,0 +1,36 @@
+From 14d9c11c91a606fed65eaae2455423a23bb4ae59 Mon Sep 17 00:00:00 2001
+From: Amitkumar Karwar
+Date: Fri, 18 Sep 2015 06:32:10 -0700
+Subject: mwifiex: avoid memsetting PCIe event buffer
+
+From: Amitkumar Karwar
+
+commit 14d9c11c91a606fed65eaae2455423a23bb4ae59 upstream.
+
+Preallocated PCIe buffer is being reused for all PCIe interface
+events. Physical address of the buffer is shared with firmware
+so that it can perform DMA on it. As event length is specified
+in the header, there should not be a problem if the buffer gets
+overwritten.
+We will save some cycles by avoiding memset everytime while
+submitting the buffer to firmware.
+
+Fixes: 2728cecdc7d6bf3d21(mwifiex: corrections in PCIe event skb)
+Signed-off-by: Amitkumar Karwar
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/mwifiex/pcie.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/wireless/mwifiex/pcie.c
++++ b/drivers/net/wireless/mwifiex/pcie.c
+@@ -1815,7 +1815,6 @@ static int mwifiex_pcie_event_complete(s
+ if (!card->evt_buf_list[rdptr]) {
+ skb_push(skb, INTF_HEADER_LEN);
+ skb_put(skb, MAX_EVENT_SIZE - skb->len);
+- memset(skb->data, 0, MAX_EVENT_SIZE);
+ if (mwifiex_map_pci_memory(adapter, skb,
+ MAX_EVENT_SIZE,
+ PCI_DMA_FROMDEVICE))
diff --git a/queue-4.3/mwifiex-fix-mwifiex_rdeeprom_read.patch b/queue-4.3/mwifiex-fix-mwifiex_rdeeprom_read.patch
new file mode 100644
index 00000000000..a13cbef54cf
--- /dev/null
+++ b/queue-4.3/mwifiex-fix-mwifiex_rdeeprom_read.patch
@@ -0,0 +1,79 @@
+From 1f9c6e1bc1ba5f8a10fcd6e99d170954d7c6d382 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Mon, 21 Sep 2015 19:19:53 +0300
+Subject: mwifiex: fix mwifiex_rdeeprom_read()
+
+From: Dan Carpenter
+
+commit 1f9c6e1bc1ba5f8a10fcd6e99d170954d7c6d382 upstream.
+
+There were several bugs here.
+
+1) The done label was in the wrong place so we didn't copy any
+ information out when there was no command given.
+
+2) We were using PAGE_SIZE as the size of the buffer instead of
+ "PAGE_SIZE - pos".
+
+3) snprintf() returns the number of characters that would have been
+ printed if there were enough space. If there was not enough space
+ (and we had fixed the memory corruption bug #2) then it would result
+ in an information leak when we do simple_read_from_buffer(). I've
+ changed it to use scnprintf() instead.
+
+I also removed the initialization at the start of the function, because
+I thought it made the code a little more clear.
+
+Fixes: 5e6e3a92b9a4 ('wireless: mwifiex: initial commit for Marvell mwifiex driver')
+Signed-off-by: Dan Carpenter
+Acked-by: Amitkumar Karwar
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/mwifiex/debugfs.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/debugfs.c
++++ b/drivers/net/wireless/mwifiex/debugfs.c
+@@ -731,7 +731,7 @@ mwifiex_rdeeprom_read(struct file *file,
+ (struct mwifiex_private *) file->private_data;
+ unsigned long addr = get_zeroed_page(GFP_KERNEL);
+ char *buf = (char *) addr;
+- int pos = 0, ret = 0, i;
++ int pos, ret, i;
+ u8 value[MAX_EEPROM_DATA];
+
+ if (!buf)
+@@ -739,7 +739,7 @@ mwifiex_rdeeprom_read(struct file *file,
+
+ if (saved_offset == -1) {
+ /* No command has been given */
+- pos += snprintf(buf, PAGE_SIZE, "0");
++ pos = snprintf(buf, PAGE_SIZE, "0");
+ goto done;
+ }
+
+@@ -748,17 +748,17 @@ mwifiex_rdeeprom_read(struct file *file,
+ (u16) saved_bytes, value);
+ if (ret) {
+ ret = -EINVAL;
+- goto done;
++ goto out_free;
+ }
+
+- pos += snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes);
++ pos = snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes);
+
+ for (i = 0; i < saved_bytes; i++)
+- pos += snprintf(buf + strlen(buf), PAGE_SIZE, "%d ", value[i]);
+-
+- ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
++ pos += scnprintf(buf + pos, PAGE_SIZE - pos, "%d ", value[i]);
+
+ done:
++ ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
++out_free:
+ free_page(addr);
+ return ret;
+ }
diff --git a/queue-4.3/mwifiex-fix-null-pointer-dereference-during-hidden-ssid-scan.patch b/queue-4.3/mwifiex-fix-null-pointer-dereference-during-hidden-ssid-scan.patch
new file mode 100644
index 00000000000..b300bed6d55
--- /dev/null
+++ b/queue-4.3/mwifiex-fix-null-pointer-dereference-during-hidden-ssid-scan.patch
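Review bot: In mwifiex_rdeeprom_read(), the loop `for (i = 0; i < saved_bytes; i++)` still indexes `value[i]` in `u8 value[MAX_EEPROM_DATA]` with a count that none of these hunks bounds, so the scnprintf() change caps writes to the output page but not the read from the stack array. saved_bytes is set outside the visible lines; unless it is already limited where it is parsed, clamp it here, e.g. `for (i = 0; i < saved_bytes && i < MAX_EEPROM_DATA; i++)`. The two remaining `snprintf()` calls are safe for these short strings but would read more uniformly as `scnprintf()`. The function starts before the first hunk.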
@@ -0,0 +1,38 @@
+From 17e524b1b60f4390d24a51d9524d1648cf5d1447 Mon Sep 17 00:00:00 2001
+From: Aniket Nagarnaik
+Date: Fri, 18 Sep 2015 06:32:09 -0700
+Subject: mwifiex: fix NULL pointer dereference during hidden SSID scan
+
+From: Aniket Nagarnaik
+
+commit 17e524b1b60f4390d24a51d9524d1648cf5d1447 upstream.
+
+This NULL pointer dereference is observed during suspend resume
+stress test. All pending commands are cancelled when system goes
+into suspend state. There a corner case in which host may receive
+response for last scan command after this and try to trigger extra
+active scan for hidden SSIDs.
+
+The issue is fixed by adding a NULL check to skip that extra scan.
+
+Fixes: 2375fa2b36feaf34 (mwifiex: fix unable to connect hidden SSID..)
+Signed-off-by: Aniket Nagarnaik
+Signed-off-by: Amitkumar Karwar
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/mwifiex/scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mwifiex/scan.c
++++ b/drivers/net/wireless/mwifiex/scan.c
+@@ -1889,7 +1889,7 @@ mwifiex_active_scan_req_for_passive_chan
+ u8 id = 0;
+ struct mwifiex_user_scan_cfg *user_scan_cfg;
+
+- if (adapter->active_scan_triggered) {
++ if (adapter->active_scan_triggered || !priv->scan_request) {
+ adapter->active_scan_triggered = false;
+ return 0;
+ }
diff --git a/queue-4.3/net-mvneta-fix-cpu_map-registers-initialisation.patch b/queue-4.3/net-mvneta-fix-cpu_map-registers-initialisation.patch
new file mode 100644
index 00000000000..a236ea121ac
--- /dev/null
+++ b/queue-4.3/net-mvneta-fix-cpu_map-registers-initialisation.patch
@@ -0,0 +1,40 @@
+From 2502d0ef272da7058ef303b849a2c8dc324c2e2e Mon Sep 17 00:00:00 2001
+From: Maxime Ripard
+Date: Fri, 25 Sep 2015 18:09:35 +0200
+Subject: net: mvneta: Fix CPU_MAP registers initialisation
+
+From: Maxime Ripard
+
+commit 2502d0ef272da7058ef303b849a2c8dc324c2e2e upstream.
+
+The CPU_MAP register is duplicated for each CPUs at different addresses,
+each instance being at a different address.
+
+However, the code so far was using CONFIG_NR_CPUS to initialise the CPU_MAP
+registers for each registers, while the SoCs embed at most 4 CPUs.
+
+This is especially an issue with multi_v7_defconfig, where CONFIG_NR_CPUS
+is currently set to 16, resulting in writes to registers that are not
+CPU_MAP.
+
+Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP network unit")
+Signed-off-by: Maxime Ripard
+Signed-off-by: Gregory CLEMENT
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/marvell/mvneta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -949,7 +949,7 @@ static void mvneta_defaults_set(struct m
+ /* Set CPU queue access map - all CPUs have access to all RX
+ * queues and to all TX queues
+ */
+- for (cpu = 0; cpu < CONFIG_NR_CPUS; cpu++)
++ for_each_present_cpu(cpu)
+ mvreg_write(pp, MVNETA_CPU_MAP(cpu),
+ (MVNETA_CPU_RXQ_ACCESS_ALL_MASK |
+ MVNETA_CPU_TXQ_ACCESS_ALL_MASK));
diff --git a/queue-4.3/net-mvneta-fix-error-path-for-building-skb.patch b/queue-4.3/net-mvneta-fix-error-path-for-building-skb.patch
new file mode 100644
index 00000000000..872cb367fbf
--- /dev/null
+++ b/queue-4.3/net-mvneta-fix-error-path-for-building-skb.patch
@@ -0,0 +1,49 @@
+From 26c17a179f3f64f92de6e837c14279a6431a7ab6 Mon Sep 17 00:00:00 2001
+From: Marcin Wojtas
+Date: Mon, 30 Nov 2015 13:27:44 +0100
+Subject: net: mvneta: fix error path for building skb
+
+From: Marcin Wojtas
+
+commit 26c17a179f3f64f92de6e837c14279a6431a7ab6 upstream.
+
+In the actual RX processing, there is same error path for both descriptor
+ring refilling and building skb fails. This is not correct, because after
+successful refill, the ring is already updated with newly allocated
+buffer. Then, in case of build_skb() fail, hitherto code left the original
+buffer unmapped.
+
+This patch fixes above situation by swapping error check of skb build with
+DMA-unmap of original buffer.
+
+Signed-off-by: Marcin Wojtas
+Acked-by: Simon Guinot
+Fixes a84e32894191 ("net: mvneta: fix refilling for Rx DMA buffers")
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/marvell/mvneta.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -1533,12 +1533,16 @@ static int mvneta_rx(struct mvneta_port
+ }
+
+ skb = build_skb(data, pp->frag_size > PAGE_SIZE ? 0 : pp->frag_size);
+- if (!skb)
+- goto err_drop_frame;
+
++ /* After refill old buffer has to be unmapped regardless
++ * the skb is successfully built or not.
++ */
+ dma_unmap_single(dev->dev.parent, phys_addr,
+ MVNETA_RX_BUF_SIZE(pp->pkt_size), DMA_FROM_DEVICE);
+
++ if (!skb)
++ goto err_drop_frame;
++
+ rcvd_pkts++;
+ rcvd_bytes += rx_bytes;
+
diff --git a/queue-4.3/nfc-nci-extract-pipe-value-using-nci_hcp_msg_get_pipe.patch b/queue-4.3/nfc-nci-extract-pipe-value-using-nci_hcp_msg_get_pipe.patch
new file mode 100644
index 00000000000..9bfdf867cb1
--- /dev/null
+++ b/queue-4.3/nfc-nci-extract-pipe-value-using-nci_hcp_msg_get_pipe.patch
@@ -0,0 +1,40 @@
+From e65917b6d54f8b47d8293ea96adfa604fd46cf0d Mon Sep 17 00:00:00 2001
+From: Christophe Ricard
+Date: Sun, 25 Oct 2015 22:54:22 +0100
+Subject: NFC: nci: extract pipe value using NCI_HCP_MSG_GET_PIPE
+
+From: Christophe Ricard
+
+commit e65917b6d54f8b47d8293ea96adfa604fd46cf0d upstream.
+
+When receiving data in nci_hci_msg_rx_work, extract pipe
+value using NCI_HCP_MSG_GET_PIPE macro.
+
+Signed-off-by: Christophe Ricard
+Signed-off-by: Samuel Ortiz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/nfc/nci/hci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -402,7 +402,7 @@ static void nci_hci_msg_rx_work(struct w
+ u8 pipe, type, instruction;
+
+ while ((skb = skb_dequeue(&hdev->msg_rx_queue)) != NULL) {
+- pipe = skb->data[0];
++ pipe = NCI_HCP_MSG_GET_PIPE(skb->data[0]);
+ skb_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN);
+ message = (struct nci_hcp_message *)skb->data;
+ type = NCI_HCP_MSG_GET_TYPE(message->header);
+@@ -439,7 +439,7 @@ void nci_hci_data_received_cb(void *cont
+
+ /* it's the last fragment. Does it need re-aggregation? */
+ if (skb_queue_len(&ndev->hci_dev->rx_hcp_frags)) {
+- pipe = packet->header & NCI_HCI_FRAGMENT;
++ pipe = NCI_HCP_MSG_GET_PIPE(packet->header);
+ skb_queue_tail(&ndev->hci_dev->rx_hcp_frags, skb);
+
+ msg_len = 0;
diff --git a/queue-4.3/nfc-nci-fix-improper-management-of-hci-return-code.patch b/queue-4.3/nfc-nci-fix-improper-management-of-hci-return-code.patch
new file mode 100644
index 00000000000..88e0b7e0c0a
--- /dev/null
+++ b/queue-4.3/nfc-nci-fix-improper-management-of-hci-return-code.patch
@@ -0,0 +1,176 @@
+From d8cd37ed2fc871c66b4c79c59f651dc2cdf7091c Mon Sep 17 00:00:00 2001
+From: Christophe Ricard
+Date: Sun, 25 Oct 2015 22:54:21 +0100
+Subject: NFC: nci: Fix improper management of HCI return code
+
+From: Christophe Ricard
+
+commit d8cd37ed2fc871c66b4c79c59f651dc2cdf7091c upstream.
+
+When sending HCI data over NCI, HCI return code is part
+of the NCI data. In order to get correctly the HCI return
+code, we assume the NCI communication is successful and
+extract the return code for the nci_hci functions return code.
+
+This is done because nci_to_errno does not match hci return
+code value.
+
+Signed-off-by: Christophe Ricard
+Signed-off-by: Samuel Ortiz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/nfc/nci/hci.c | 64 ++++++++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 48 insertions(+), 16 deletions(-)
+
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -101,6 +101,20 @@ struct nci_hcp_packet {
+ #define NCI_HCP_MSG_GET_CMD(header) (header & 0x3f)
+ #define NCI_HCP_MSG_GET_PIPE(header) (header & 0x7f)
+
++static int nci_hci_result_to_errno(u8 result)
++{
++ switch (result) {
++ case NCI_HCI_ANY_OK:
++ return 0;
++ case NCI_HCI_ANY_E_REG_PAR_UNKNOWN:
++ return -EOPNOTSUPP;
++ case NCI_HCI_ANY_E_TIMEOUT:
++ return -ETIME;
++ default:
++ return -1;
++ }
++}
++
+ /* HCI core */
+ static void nci_hci_reset_pipes(struct nci_hci_dev *hdev)
+ {
+@@ -218,7 +232,8 @@ int nci_hci_send_cmd(struct nci_dev *nde
+ const u8 *param, size_t param_len,
+ struct sk_buff **skb)
+ {
+- struct nci_conn_info *conn_info;
++ struct nci_hcp_message *message;
++ struct nci_conn_info *conn_info;
+ struct nci_data data;
+ int r;
+ u8 pipe = ndev->hci_dev->gate2pipe[gate];
+@@ -238,9 +253,15 @@ int nci_hci_send_cmd(struct nci_dev *nde
+
+ r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data,
+ msecs_to_jiffies(NCI_DATA_TIMEOUT));
++ if (r == NCI_STATUS_OK) {
++ message = (struct nci_hcp_message *)conn_info->rx_skb->data;
++ r = nci_hci_result_to_errno(
++ NCI_HCP_MSG_GET_CMD(message->header));
++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN);
+
+- if (r == NCI_STATUS_OK && skb)
+- *skb = conn_info->rx_skb;
++ if (!r && skb)
++ *skb = conn_info->rx_skb;
++ }
+
+ return r;
+ }
+@@ -334,9 +355,6 @@ static void nci_hci_resp_received(struct
+ struct nci_conn_info *conn_info;
+ u8 status = result;
+
+- if (result != NCI_HCI_ANY_OK)
+- goto exit;
+-
+ conn_info = ndev->hci_dev->conn_info;
+ if (!conn_info) {
+ status = NCI_STATUS_REJECTED;
+@@ -346,7 +364,7 @@ static void nci_hci_resp_received(struct
+ conn_info->rx_skb = skb;
+
+ exit:
+- nci_req_complete(ndev, status);
++ nci_req_complete(ndev, NCI_STATUS_OK);
+ }
+
+ /* Receive hcp message for pipe, with type and cmd.
+@@ -401,7 +419,7 @@ void nci_hci_data_received_cb(void *cont
+ {
+ struct nci_dev *ndev = (struct nci_dev *)context;
+ struct nci_hcp_packet *packet;
+- u8 pipe, type, instruction;
++ u8 pipe, type;
+ struct sk_buff *hcp_skb;
+ struct sk_buff *frag_skb;
+ int msg_len;
+@@ -440,7 +458,7 @@ void nci_hci_data_received_cb(void *cont
+ *skb_put(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN) = pipe;
+
+ skb_queue_walk(&ndev->hci_dev->rx_hcp_frags, frag_skb) {
+- msg_len = frag_skb->len - NCI_HCI_HCP_PACKET_HEADER_LEN;
++ msg_len = frag_skb->len - NCI_HCI_HCP_PACKET_HEADER_LEN;
+ memcpy(skb_put(hcp_skb, msg_len), frag_skb->data +
+ NCI_HCI_HCP_PACKET_HEADER_LEN, msg_len);
+ }
+@@ -458,11 +476,10 @@ void nci_hci_data_received_cb(void *cont
+ packet = (struct nci_hcp_packet *)hcp_skb->data;
+ type = NCI_HCP_MSG_GET_TYPE(packet->message.header);
+ if (type == NCI_HCI_HCP_RESPONSE) {
+- pipe = packet->header;
+- instruction = NCI_HCP_MSG_GET_CMD(packet->message.header);
+- skb_pull(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN +
+- NCI_HCI_HCP_MESSAGE_HEADER_LEN);
+- nci_hci_hcp_message_rx(ndev, pipe, type, instruction, hcp_skb);
++ pipe = NCI_HCP_MSG_GET_PIPE(packet->header);
++ skb_pull(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN);
++ nci_hci_hcp_message_rx(ndev, pipe, type,
++ NCI_STATUS_OK, hcp_skb);
+ } else {
+ skb_queue_tail(&ndev->hci_dev->msg_rx_queue, hcp_skb);
+ schedule_work(&ndev->hci_dev->msg_rx_work);
+@@ -494,6 +511,7 @@ EXPORT_SYMBOL(nci_hci_open_pipe);
+ int nci_hci_set_param(struct nci_dev *ndev, u8 gate, u8 idx,
+ const u8 *param, size_t param_len)
+ {
++ struct nci_hcp_message *message;
+ struct nci_conn_info *conn_info;
+ struct nci_data data;
+ int r;
+@@ -526,6 +544,12 @@ int nci_hci_set_param(struct nci_dev *nd
+ r = nci_request(ndev, nci_hci_send_data_req,
+ (unsigned long)&data,
+ msecs_to_jiffies(NCI_DATA_TIMEOUT));
++ if (r == NCI_STATUS_OK) {
++ message = (struct nci_hcp_message *)conn_info->rx_skb->data;
++ r = nci_hci_result_to_errno(
++ NCI_HCP_MSG_GET_CMD(message->header));
++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN);
++ }
+
+ kfree(tmp);
+ return r;
+@@ -535,6 +559,7 @@ EXPORT_SYMBOL(nci_hci_set_param);
+ int nci_hci_get_param(struct nci_dev *ndev, u8 gate, u8 idx,
+ struct sk_buff **skb)
+ {
++ struct nci_hcp_message *message;
+ struct nci_conn_info *conn_info;
+ struct nci_data data;
+ int r;
+@@ -559,8 +584,15 @@ int nci_hci_get_param(struct nci_dev *nd
+ r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data,
+ msecs_to_jiffies(NCI_DATA_TIMEOUT));
+
+- if (r == NCI_STATUS_OK)
+- *skb = conn_info->rx_skb;
++ if (r == NCI_STATUS_OK) {
++ message = (struct nci_hcp_message *)conn_info->rx_skb->data;
++ r = nci_hci_result_to_errno(
++ NCI_HCP_MSG_GET_CMD(message->header));
++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN);
++
++ if (!r && skb)
++ *skb = conn_info->rx_skb;
++ }
+
+ return r;
+ }
diff --git a/queue-4.3/nfc-nci-fix-incorrect-data-chaining-when-sending-data.patch b/queue-4.3/nfc-nci-fix-incorrect-data-chaining-when-sending-data.patch
new file mode 100644
index 00000000000..0bde242dbb9
--- /dev/null
+++ b/queue-4.3/nfc-nci-fix-incorrect-data-chaining-when-sending-data.patch
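Review bot: In net/nfc/nci/hci.c, nci_hci_resp_received() now ends in `nci_req_complete(ndev, NCI_STATUS_OK);` unconditionally, so the `status = NCI_STATUS_REJECTED` assigned when `conn_info` is NULL is never reported (the lines between the two hunks are not shown, but `status` has no other visible use). nci_hci_send_cmd(), nci_hci_set_param() and nci_hci_get_param() then treat `r == NCI_STATUS_OK` as proof that a response arrived and read `conn_info->rx_skb->data` without checking that rx_skb is set or holds at least NCI_HCI_HCP_MESSAGE_HEADER_LEN bytes. Completing the request with `status` on the rejected path, and testing `conn_info->rx_skb && conn_info->rx_skb->len >= NCI_HCI_HCP_MESSAGE_HEADER_LEN` before the cast (setting `r = -EPROTO` otherwise, so nci_hci_set_param() still reaches its `kfree(tmp)`), would close both gaps. Separately, `default: return -1;` in nci_hci_result_to_errno() surfaces as -EPERM; a named errno such as `-EIO` says what is meant.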
@@ -0,0 +1,66 @@
+From 500c4ef02277eaadbfe20537f963b6221f6ac007 Mon Sep 17 00:00:00 2001
+From: Christophe Ricard
+Date: Sun, 25 Oct 2015 22:54:20 +0100
+Subject: NFC: nci: Fix incorrect data chaining when sending data
+
+From: Christophe Ricard
+
+commit 500c4ef02277eaadbfe20537f963b6221f6ac007 upstream.
+
+When sending HCI data over NCI, cmd information should be
+present only on the first packet.
+Each packet shall be specifically allocated and sent to the
+NCI layer.
+
+Signed-off-by: Christophe Ricard
+Signed-off-by: Samuel Ortiz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/nfc/nci/hci.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -146,18 +146,18 @@ static int nci_hci_send_data(struct nci_
+ if (!conn_info)
+ return -EPROTO;
+
+- skb = nci_skb_alloc(ndev, 2 + conn_info->max_pkt_payload_len +
++ i = 0;
++ skb = nci_skb_alloc(ndev, conn_info->max_pkt_payload_len +
+ NCI_DATA_HDR_SIZE, GFP_KERNEL);
+ if (!skb)
+ return -ENOMEM;
+
+- skb_reserve(skb, 2 + NCI_DATA_HDR_SIZE);
++ skb_reserve(skb, NCI_DATA_HDR_SIZE + 2);
+ *skb_push(skb, 1) = data_type;
+
+- i = 0;
+- len = conn_info->max_pkt_payload_len;
+-
+ do {
++ len = conn_info->max_pkt_payload_len;
++
+ /* If last packet add NCI_HFP_NO_CHAINING */
+ if (i + conn_info->max_pkt_payload_len -
+ (skb->len + 1) >= data_len) {
+@@ -177,9 +177,15 @@ static int nci_hci_send_data(struct nci_
+ return r;
+
+ i += len;
++
+ if (i < data_len) {
+- skb_trim(skb, 0);
+- skb_pull(skb, len);
++ skb = nci_skb_alloc(ndev,
++ conn_info->max_pkt_payload_len +
++ NCI_DATA_HDR_SIZE, GFP_KERNEL);
++ if (!skb)
++ return -ENOMEM;
++
++ skb_reserve(skb, NCI_DATA_HDR_SIZE + 1);
+ }
+ } while (i < data_len);
+
diff --git a/queue-4.3/nfc-st-nci-fix-incorrect-spi-buffer-size.patch b/queue-4.3/nfc-st-nci-fix-incorrect-spi-buffer-size.patch
new file mode 100644
index 00000000000..eab4fac36f3
--- /dev/null
+++ b/queue-4.3/nfc-st-nci-fix-incorrect-spi-buffer-size.patch
@@ -0,0 +1,41 @@
+From a1269dd116319335db6d73013a31c038486c813e Mon Sep 17 00:00:00 2001
+From: Christophe Ricard
+Date: Sun, 25 Oct 2015 22:54:19 +0100
+Subject: NFC: st-nci: Fix incorrect spi buffer size
+
+From: Christophe Ricard
+
+commit a1269dd116319335db6d73013a31c038486c813e upstream.
+
+When sending data over SPI, the maximum expected length is the maximum
+nci packet payload + data header size + the frame head room (1 for the
+ndlc header) + the frame trail room (0).
+
+Signed-off-by: Christophe Ricard
+Signed-off-by: Samuel Ortiz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nfc/st-nci/spi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/nfc/st-nci/spi.c
++++ b/drivers/nfc/st-nci/spi.c
+@@ -25,6 +25,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include "ndlc.h"
+@@ -94,7 +95,8 @@ static int st_nci_spi_write(void *phy_id
+ struct st_nci_spi_phy *phy = phy_id;
+ struct spi_device *dev = phy->spi_dev;
+ struct sk_buff *skb_rx;
+- u8 buf[ST_NCI_SPI_MAX_SIZE];
++ u8 buf[ST_NCI_SPI_MAX_SIZE + NCI_DATA_HDR_SIZE +
++ ST_NCI_FRAME_HEADROOM + ST_NCI_FRAME_TAILROOM];
+ struct spi_transfer spi_xfer = {
+ .tx_buf = skb->data,
+ .rx_buf = buf,
diff --git a/queue-4.3/nl80211-fix-potential-memory-leak-from-parse_acl_data.patch b/queue-4.3/nl80211-fix-potential-memory-leak-from-parse_acl_data.patch
new file mode 100644
index 00000000000..ad281188caf
--- /dev/null
+++ b/queue-4.3/nl80211-fix-potential-memory-leak-from-parse_acl_data.patch
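Review bot: In st_nci_spi_write(), `buf` is a fixed-size stack array passed as `.rx_buf`, and the hunk enlarges it without showing any check that the transfer length fits; if the `spi_transfer` length is taken from `skb->len` (the initializer continues outside the hunk), an skb longer than the array would let the controller write past it. A guard before the transfer, `if (skb->len > sizeof(buf)) return -EMSGSIZE;`, makes the bound explicit instead of relying on every caller honouring the headroom arithmetic. It is also worth confirming that an on-stack receive buffer is acceptable to the SPI controller drivers in use, since SPI transfer buffers are expected to be DMA-safe.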
@@ -0,0 +1,50 @@ +From 4baf6bea37247e59f1971e8009d13aeda95edba2 Mon Sep 17 00:00:00 2001 +From: Ola Olsson +Date: Thu, 29 Oct 2015 07:04:58 +0100 +Subject: nl80211: Fix potential memory leak from parse_acl_data + +From: Ola Olsson + +commit 4baf6bea37247e59f1971e8009d13aeda95edba2 upstream. + +If parse_acl_data succeeds but the subsequent parsing of smps +attributes fails, there will be a memory leak due to early returns. +Fix that by moving the ACL parsing later. + +Fixes: 18998c381b19b ("cfg80211: allow requesting SMPS mode on ap start") +Signed-off-by: Ola Olsson +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/nl80211.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -3409,12 +3409,6 @@ static int nl80211_start_ap(struct sk_bu + wdev->iftype)) + return -EINVAL; + +- if (info->attrs[NL80211_ATTR_ACL_POLICY]) { +- params.acl = parse_acl_data(&rdev->wiphy, info); +- if (IS_ERR(params.acl)) +- return PTR_ERR(params.acl); +- } +- + if (info->attrs[NL80211_ATTR_SMPS_MODE]) { + params.smps_mode = + nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]); +@@ -3438,6 +3432,12 @@ static int nl80211_start_ap(struct sk_bu + params.smps_mode = NL80211_SMPS_OFF; + } + ++ if (info->attrs[NL80211_ATTR_ACL_POLICY]) { ++ params.acl = parse_acl_data(&rdev->wiphy, info); ++ if (IS_ERR(params.acl)) ++ return PTR_ERR(params.acl); ++ } ++ + wdev_lock(wdev); + err = rdev_start_ap(rdev, dev, ¶ms); + if (!err) { diff --git a/queue-4.3/pinctrl-qcom-ssbi-fix-compilation-with-debug_fs-n.patch b/queue-4.3/pinctrl-qcom-ssbi-fix-compilation-with-debug_fs-n.patch new file mode 100644 index 00000000000..8d3c1a263ca --- /dev/null +++ b/queue-4.3/pinctrl-qcom-ssbi-fix-compilation-with-debug_fs-n.patch 
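Review bot: The leak fix in nl80211_start_ap() depends purely on statement order: `params.acl` is now allocated after the last early `return`, but nothing in the code records that, and the next attribute check added below this block would bring the leak back. A comment on the moved block would state the constraint, e.g. `/* keep last: params.acl is allocated here, so no early return may follow */`. A sturdier form would route every failure after this point through one exit label that frees `params.acl`; where it is freed today is outside the hunk.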
@@ -0,0 +1,55 @@ +From 11091fb0a1227d569d09353e1ce1f88694a033dc Mon Sep 17 00:00:00 2001 +From: Jonas Gorski +Date: Sun, 11 Oct 2015 17:39:31 +0200 +Subject: pinctrl: qcom: ssbi: fix compilation with DEBUG_FS=n +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonas Gorski + +commit 11091fb0a1227d569d09353e1ce1f88694a033dc upstream. + +The DEBUG_FS=n #defines for the dbg_show functions were missed when +renaming the driver from msm_ to pm8xxx_, causing it to break the build +when DEBUG_FS isn't enabled: + + CC [M] drivers/pinctrl/qcom/pinctrl-ssbi-gpio.o +drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c:597:14: error: ‘pm8xxx_gpio_dbg_show’ undeclared here (not in a function) + .dbg_show = pm8xxx_gpio_dbg_show, + +Fix this by renaming them correctly. + +Fixes: b4c45fe974bc ("pinctrl: qcom: ssbi: Family A gpio & mpp drivers") +Signed-off-by: Jonas Gorski +Reviewed-by: Bjorn Andersson +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c | 2 +- + drivers/pinctrl/qcom/pinctrl-ssbi-mpp.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c ++++ b/drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c +@@ -584,7 +584,7 @@ static void pm8xxx_gpio_dbg_show(struct + } + + #else +-#define msm_gpio_dbg_show NULL ++#define pm8xxx_gpio_dbg_show NULL + #endif + + static struct gpio_chip pm8xxx_gpio_template = { +--- a/drivers/pinctrl/qcom/pinctrl-ssbi-mpp.c ++++ b/drivers/pinctrl/qcom/pinctrl-ssbi-mpp.c +@@ -639,7 +639,7 @@ static void pm8xxx_mpp_dbg_show(struct s + } + + #else +-#define msm_mpp_dbg_show NULL ++#define pm8xxx_mpp_dbg_show NULL + #endif + + static struct gpio_chip pm8xxx_mpp_template = { diff --git a/queue-4.3/pinctrl-uniphier-set-input-enable-before-pin-muxing.patch b/queue-4.3/pinctrl-uniphier-set-input-enable-before-pin-muxing.patch new file mode 100644 index 00000000000..0f890af3d32 --- /dev/null 
+++ b/queue-4.3/pinctrl-uniphier-set-input-enable-before-pin-muxing.patch 
@@ -0,0 +1,63 @@ +From bac7f4c1bf5e7c6ccd5bb71edc015b26c77f7460 Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Tue, 20 Oct 2015 17:25:09 +0900 +Subject: pinctrl: uniphier: set input-enable before pin-muxing + +From: Masahiro Yamada + +commit bac7f4c1bf5e7c6ccd5bb71edc015b26c77f7460 upstream. + +While IECTRL is disabled, input signals are pulled-down internally. +If pin-muxing is set up first, glitch signals (Low to High transition) +might be input to hardware blocks. + +Bad case scenario: +[1] The hardware block is already running before pinctrl is handled. + (the reset is de-asserted by default or by a firmware, for example) +[2] The pin-muxing is set up. The input signals to hardware block + are pulled-down by the chip-internal biasing. +[3] The pins are input-enabled. The signals from the board reach the + hardware block. + +Actually, one invalid character is input to the UART blocks for such +SoCs as PH1-LD4, PH1-sLD8, where UART devices start to run at the +power on reset. + +To avoid such problems, pins should be input-enabled before muxing. 
+ +Fixes: 6e9088920258 ("pinctrl: UniPhier: add UniPhier pinctrl core support") +Signed-off-by: Masahiro Yamada +Reported-by: Dai Okamura +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/uniphier/pinctrl-uniphier-core.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/pinctrl/uniphier/pinctrl-uniphier-core.c ++++ b/drivers/pinctrl/uniphier/pinctrl-uniphier-core.c +@@ -539,6 +539,12 @@ static int uniphier_pmx_set_one_mux(stru + unsigned reg, reg_end, shift, mask; + int ret; + ++ /* some pins need input-enabling */ ++ ret = uniphier_conf_pin_input_enable(pctldev, ++ &pctldev->desc->pins[pin], 1); ++ if (ret) ++ return ret; ++ + reg = UNIPHIER_PINCTRL_PINMUX_BASE + pin * mux_bits / 32 * reg_stride; + reg_end = reg + reg_stride; + shift = pin * mux_bits % 32; +@@ -563,9 +569,7 @@ static int uniphier_pmx_set_one_mux(stru + return ret; + } + +- /* some pins need input-enabling */ +- return uniphier_conf_pin_input_enable(pctldev, +- &pctldev->desc->pins[pin], 1); ++ return 0; + } + + static int uniphier_pmx_set_mux(struct pinctrl_dev *pctldev, diff --git a/queue-4.3/revert-usb-dwc3-gadget-drop-unnecessary-loop-when-cleaning-up-trbs.patch b/queue-4.3/revert-usb-dwc3-gadget-drop-unnecessary-loop-when-cleaning-up-trbs.patch new file mode 100644 index 00000000000..fd813e125f4 --- /dev/null +++ b/queue-4.3/revert-usb-dwc3-gadget-drop-unnecessary-loop-when-cleaning-up-trbs.patch 
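Review bot: The comment that moved with the call in uniphier_pmx_set_one_mux(), `/* some pins need input-enabling */`, no longer says the important part, which is that the call has to come before the mux setup. I would replace it with `/* enable input before muxing: while IECTRL is off the input is pulled low, and muxing first can feed a glitch to a block that is already running */`. Note also that when the mux update fails after this point the pin is left input-enabled; whether that needs undoing cannot be judged from the hunk.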
@@ -0,0 +1,85 @@ +From d115d7050a0d2c4967532f18c9cb522fea6b7280 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Mon, 31 Aug 2015 19:48:28 +0300 +Subject: Revert "usb: dwc3: gadget: drop unnecessary loop when cleaning up TRBs" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= + +commit d115d7050a0d2c4967532f18c9cb522fea6b7280 upstream. + +This reverts commit 8f2c9544aba636134303105ecb164190a39dece4. + +As it breaks g_ether on my Baytrail FFRD8 device. Everything starts out +fine, but after a bit of data has been transferred it just stops +flowing. + +Note that I do get a bunch of these "NOHZ: local_softirq_pending 08" +when booting the machine, but I'm not really sure if they're related +to this problem. + +Cc: Felipe Balbi +Cc: Greg Kroah-Hartman +Cc: linux-usb@vger.kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Ville Syrjälä +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.c | 37 +++++++++++++++++++++---------------- + 1 file changed, 21 insertions(+), 16 deletions(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1872,27 +1872,32 @@ static int dwc3_cleanup_done_reqs(struct + unsigned int i; + int ret; + +- req = next_request(&dep->req_queued); +- if (!req) { +- WARN_ON_ONCE(1); +- return 1; +- } +- i = 0; + do { +- slot = req->start_slot + i; +- if ((slot == DWC3_TRB_NUM - 1) && ++ req = next_request(&dep->req_queued); ++ if (!req) { ++ WARN_ON_ONCE(1); ++ return 1; ++ } ++ i = 0; ++ do { ++ slot = req->start_slot + i; ++ if ((slot == DWC3_TRB_NUM - 1) && + usb_endpoint_xfer_isoc(dep->endpoint.desc)) +- slot++; +- slot %= DWC3_TRB_NUM; +- trb = &dep->trb_pool[slot]; ++ slot++; ++ slot %= DWC3_TRB_NUM; ++ trb = &dep->trb_pool[slot]; ++ ++ ret = __dwc3_cleanup_done_trbs(dwc, dep, req, trb, ++ event, status); ++ if (ret) ++ break; ++ } while (++i < 
req->request.num_mapped_sgs); ++ ++ dwc3_gadget_giveback(dep, req, status); + +- ret = __dwc3_cleanup_done_trbs(dwc, dep, req, trb, +- event, status); + if (ret) + break; +- } while (++i < req->request.num_mapped_sgs); +- +- dwc3_gadget_giveback(dep, req, status); ++ } while (1); + + if (usb_endpoint_xfer_isoc(dep->endpoint.desc) && + list_empty(&dep->req_queued)) { diff --git a/queue-4.3/s390-kernel-fix-ptrace-peek-poke-for-floating-point-registers.patch b/queue-4.3/s390-kernel-fix-ptrace-peek-poke-for-floating-point-registers.patch new file mode 100644 index 00000000000..c5bfb04e7b4 --- /dev/null +++ b/queue-4.3/s390-kernel-fix-ptrace-peek-poke-for-floating-point-registers.patch 
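Review bot: The restored outer `do { ... } while (1);` in dwc3_cleanup_done_reqs() has only two exits, a non-zero `ret` from __dwc3_cleanup_done_trbs() or `next_request()` returning NULL, and the second one goes through `WARN_ON_ONCE(1)`. If every queued request completes with `ret == 0`, draining `dep->req_queued` would end in a warning rather than a normal return; whether that can happen depends on __dwc3_cleanup_done_trbs(), which is outside the hunk. Testing `list_empty(&dep->req_queued)` as the loop condition, or a comment stating that the final TRB always yields a non-zero `ret`, would make the termination argument explicit.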
@@ -0,0 +1,63 @@ +From 55a423b6f105fa323168f15f4bb67f23b21da44e Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Tue, 27 Oct 2015 13:13:38 +0100 +Subject: s390/kernel: fix ptrace peek/poke for floating point registers + +From: Martin Schwidefsky + +commit 55a423b6f105fa323168f15f4bb67f23b21da44e upstream. + +git commit 155e839a814834a3b4b31e729f4716e59d3d2dd4 +"s390/kernel: dynamically allocate FP register save area" +introduced a regression in regard to ptrace. + +If the vector register extension is not present or unused the +ptrace peek of a floating pointer register return incorrect data +and the ptrace poke to a floating pointer register overwrites the +task structure starting at task->thread.fpu.fprs. + +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/ptrace.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/s390/kernel/ptrace.c ++++ b/arch/s390/kernel/ptrace.c +@@ -244,7 +244,7 @@ static unsigned long __peek_user(struct + ((addr_t) child->thread.fpu.vxrs + 2*offset); + else + tmp = *(addr_t *) +- ((addr_t) &child->thread.fpu.fprs + offset); ++ ((addr_t) child->thread.fpu.fprs + offset); + + } else if (addr < (addr_t) (&dummy->regs.per_info + 1)) { + /* +@@ -388,7 +388,7 @@ static int __poke_user(struct task_struc + child->thread.fpu.vxrs + 2*offset) = data; + else + *(addr_t *)((addr_t) +- &child->thread.fpu.fprs + offset) = data; ++ child->thread.fpu.fprs + offset) = data; + + } else if (addr < (addr_t) (&dummy->regs.per_info + 1)) { + /* +@@ -622,7 +622,7 @@ static u32 __peek_user_compat(struct tas + ((addr_t) child->thread.fpu.vxrs + 2*offset); + else + tmp = *(__u32 *) +- ((addr_t) &child->thread.fpu.fprs + offset); ++ ((addr_t) child->thread.fpu.fprs + offset); + + } else if (addr < (addr_t) (&dummy32->regs.per_info + 1)) { + /* +@@ -747,7 +747,7 @@ static int __poke_user_compat(struct tas + child->thread.fpu.vxrs + 2*offset) = tmp; + else + *(__u32 *)((addr_t) +- 
&child->thread.fpu.fprs + offset) = tmp; ++ child->thread.fpu.fprs + offset) = tmp; + + } else if (addr < (addr_t) (&dummy32->regs.per_info + 1)) { + /* diff --git a/queue-4.3/s390-pci-reshuffle-struct-used-to-write-debug-data.patch b/queue-4.3/s390-pci-reshuffle-struct-used-to-write-debug-data.patch new file mode 100644 index 00000000000..a6f624f569d --- /dev/null +++ b/queue-4.3/s390-pci-reshuffle-struct-used-to-write-debug-data.patch @@ -0,0 +1,42 @@ +From 7cc8944e13c73374b6f33b39ca24c0891c87b077 Mon Sep 17 00:00:00 2001 +From: Sebastian Ott +Date: Fri, 9 Oct 2015 11:07:06 +0200 +Subject: s390/pci: reshuffle struct used to write debug data + +From: Sebastian Ott + +commit 7cc8944e13c73374b6f33b39ca24c0891c87b077 upstream. + +zpci_err_insn writes stale stack content to the debugfs. + +Ensure that the struct in zpci_err_insn is ordered in a way that +we don't have uninitialized holes in it. In addition to that +add the packed attribute. + +Fixes: 3d8258e (s390/pci: move debug messages to debugfs) +Signed-off-by: Sebastian Ott +Reviewed-by: Gerald Schaefer +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/pci/pci_insn.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/s390/pci/pci_insn.c ++++ b/arch/s390/pci/pci_insn.c +@@ -16,11 +16,11 @@ + static inline void zpci_err_insn(u8 cc, u8 status, u64 req, u64 offset) + { + struct { +- u8 cc; +- u8 status; + u64 req; + u64 offset; +- } data = {cc, status, req, offset}; ++ u8 cc; ++ u8 status; ++ } __packed data = {req, offset, cc, status}; + + zpci_err_hex(&data, sizeof(data)); + } diff --git a/queue-4.3/series b/queue-4.3/series index 2923a712def..ad6bbd2c6f7 100644 --- a/queue-4.3/series +++ b/queue-4.3/series 
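Review bot: The same address computation, `(addr_t) child->thread.fpu.fprs + offset` cast and dereferenced, is repeated in __peek_user(), __poke_user() and both compat variants, which is how one stray `&` could turn a poke into a write over the task structure at four sites. A small static inline helper that returns the address for a given `child` and `offset` would leave a single place to get the pointer-versus-array distinction right. A short comment there noting that `fprs` points to a dynamically allocated save area (per the commit text) would also help. The range check on `offset` is outside the hunks, so it is not reviewed here.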
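Review bot: The initialiser in zpci_err_insn() is positional, `data = {req, offset, cc, status}`, so its correctness depends on the field order this change just had to shuffle, and a u8/u64 mix-up would convert silently. Designated initialisers remove that coupling: `} __packed data = { .req = req, .offset = offset, .cc = cc, .status = status };`. A one-line comment above the struct, `/* no padding allowed: the whole struct is written to debugfs */`, would keep a later field addition from reopening the stale-stack leak.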
@@ -28,3 +28,76 @@ arm-dts-add-vbus-regulator-to-usb2-phy-nodes-on-exynos3250-exynos4210-and-exynos arm-dts-fix-wlan-regression-on-omap5-uevm.patch arm-dts-sun6i-hummingbird-fix-vdd-cpu-and-vdd-gpu.patch arm-pxa-remove-incorrect-__init-annotation-on-pxa27x_set_pwrmode.patch +mips-lantiq-add-clk_round_rate.patch +mips-cdmm-add-builtin_mips_cdmm_driver-macro.patch +mips-ath79-fix-the-ddr-control-initialization-on-ar71xx-and-ar934x.patch +mips-kvm-fix-asid-restoration-logic.patch +mips-kvm-fix-cache-immediate-offset-sign-extension.patch +mips-kvm-uninit-vcpu-in-vcpu_create-error-path.patch +kvm-x86-set-kvm_req_event-when-updating-irr.patch +kvm-x86-zero-efer-on-init.patch +kvm-x86-add-read_phys-to-x86_emulate_ops.patch +kvm-x86-handle-smbase-as-physical-address-in-rsm.patch +kvm-x86-allow-rsm-from-64-bit-mode.patch +kvm-x86-obey-kvm_x86_quirk_cd_nw_cleared-in-kvm_set_cr0.patch +kvm-x86-work-around-infinite-loop-in-microcode-when-ac-is-delivered.patch +x86-setup-fix-low-identity-map-for-2gb-kernel-range.patch +x86-irq-probe-for-pic-presence-before-allocating-descs-for-legacy-irqs.patch +x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch +x86-cpu-fix-smap-check-in-pvops-environments.patch +x86-fpu-fix-get_xsave_addr-behavior-under-virtualization.patch +x86-fpu-fix-32-bit-signal-frame-handling.patch +x86-mpx-do-proper-get_user-when-running-32-bit-binaries-on-64-bit-kernels.patch +x86-mpx-fix-32-bit-address-space-calculation.patch +mac80211-fix-local-deauth-while-associating.patch +mac80211-fix-driver-rssi-event-calculations.patch +mac80211-allow-null-chandef-in-tracing.patch +mac80211-fix-divide-by-zero-when-noa-update.patch +nl80211-fix-potential-memory-leak-from-parse_acl_data.patch +nfc-st-nci-fix-incorrect-spi-buffer-size.patch +nfc-nci-fix-incorrect-data-chaining-when-sending-data.patch +nfc-nci-fix-improper-management-of-hci-return-code.patch +nfc-nci-extract-pipe-value-using-nci_hcp_msg_get_pipe.patch +iwlwifi-pcie-fix-again-prepare-card-flow.patch 
+iwlwifi-add-new-pci-ids-for-the-8260-series.patch +net-mvneta-fix-cpu_map-registers-initialisation.patch +net-mvneta-fix-error-path-for-building-skb.patch +fs-proc-core-debug-don-t-expose-absolute-kernel-addresses-via-wchan.patch +clk-iproc-fix-pll-output-frequency-calculation.patch +clk-versatile-icst-fix-memory-leak.patch +mfd-twl6040-fix-deferred-probe-handling-for-clk32k.patch +mwifiex-fix-null-pointer-dereference-during-hidden-ssid-scan.patch +mwifiex-avoid-memsetting-pcie-event-buffer.patch +mwifiex-fix-mwifiex_rdeeprom_read.patch +staging-rtl8712-add-device-id-for-sitecom-wla2100.patch +bluetooth-hidp-fix-device-disconnect-on-idle-timeout.patch +bluetooth-ath3k-add-new-ar3012-0930-021c-id.patch +bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch +bluetooth-fix-removing-connection-parameters-when-unpairing.patch +bluetooth-fix-missing-hdev-locking-for-le-scan-cleanup.patch +can-use-correct-type-in-sizeof-in-nla_put.patch +can-sja1000-clear-interrupts-on-start.patch +arm64-fix-compat-register-mappings.patch +arm64-page-align-sections-for-debug_rodata.patch +pinctrl-uniphier-set-input-enable-before-pin-muxing.patch +pinctrl-qcom-ssbi-fix-compilation-with-debug_fs-n.patch +ath10k-add-ath10k_fw_feature_raw_mode_support-to.patch +ath10k-use-station-s-current-operating-mode-from-assoc-request.patch +ath10k-fix-invalid-nss-for-4x4-devices.patch +s390-kernel-fix-ptrace-peek-poke-for-floating-point-registers.patch +s390-pci-reshuffle-struct-used-to-write-debug-data.patch +kvm-s390-sca-must-not-cross-page-boundaries.patch +kvm-s390-fix-wrong-lookup-of-vcpus-by-array-index.patch +kvm-s390-avoid-memory-overwrites-on-emergency-signal-injection.patch +kvm-s390-enable-simd-only-when-no-vcpus-were-created.patch +revert-usb-dwc3-gadget-drop-unnecessary-loop-when-cleaning-up-trbs.patch +usb-gadget-net2280-restore-ep_cfg-after-defect7374-workaround.patch +usb-gadget-atmel_usba_udc-expose-correct-device-speed.patch +usb-dwc3-gadget-let-us-set-lower-max_speed.patch 
+usb-chipidea-otg-gadget-module-load-and-unload-support.patch +usb-dwc3-pci-add-the-synopsys-haps-axi-product-id.patch +usb-dwc3-pci-add-the-pci-product-id-for-synopsys-usb-3.1.patch +usb-dwc3-support-synopsys-usb-3.1-ip.patch +usb-dwc3-pci-add-platform-data-for-synopsys-haps.patch +usb-dwc3-add-dis_enblslpm_quirk.patch +usb-dwc3-pci-set-enblslpm-quirk-for-synopsys-platforms.patch diff --git a/queue-4.3/staging-rtl8712-add-device-id-for-sitecom-wla2100.patch b/queue-4.3/staging-rtl8712-add-device-id-for-sitecom-wla2100.patch new file mode 100644 index 00000000000..8b445242522 --- /dev/null +++ b/queue-4.3/staging-rtl8712-add-device-id-for-sitecom-wla2100.patch @@ -0,0 +1,31 @@ +From 1e6e63283691a2a9048a35d9c6c59cf0abd342e4 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Sun, 18 Oct 2015 22:14:48 -0500 +Subject: staging: rtl8712: Add device ID for Sitecom WLA2100 + +From: Larry Finger + +commit 1e6e63283691a2a9048a35d9c6c59cf0abd342e4 upstream. + +This adds the USB ID for the Sitecom WLA2100. The Windows 10 inf file +was checked to verify that the addition is correct. + +Reported-by: Frans van de Wiel +Signed-off-by: Larry Finger +Cc: Frans van de Wiel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8712/usb_intf.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/staging/rtl8712/usb_intf.c ++++ b/drivers/staging/rtl8712/usb_intf.c +@@ -144,6 +144,7 @@ static struct usb_device_id rtl871x_usb_ + {USB_DEVICE(0x0DF6, 0x0058)}, + {USB_DEVICE(0x0DF6, 0x0049)}, + {USB_DEVICE(0x0DF6, 0x004C)}, ++ {USB_DEVICE(0x0DF6, 0x006C)}, + {USB_DEVICE(0x0DF6, 0x0064)}, + /* Skyworth */ + {USB_DEVICE(0x14b2, 0x3300)}, diff --git a/queue-4.3/usb-chipidea-otg-gadget-module-load-and-unload-support.patch b/queue-4.3/usb-chipidea-otg-gadget-module-load-and-unload-support.patch new file mode 100644 index 00000000000..834a347980a --- /dev/null +++ b/queue-4.3/usb-chipidea-otg-gadget-module-load-and-unload-support.patch 
@@ -0,0 +1,53 @@ +From 85da852df66e5e0d3aba761b0fece7c958ff0685 Mon Sep 17 00:00:00 2001 +From: Li Jun +Date: Fri, 12 Dec 2014 09:11:42 +0800 +Subject: usb: chipidea: otg: gadget module load and unload support + +From: Li Jun + +commit 85da852df66e5e0d3aba761b0fece7c958ff0685 upstream. + +This patch is to support load and unload gadget driver in full OTG mode. + +Signed-off-by: Li Jun +Signed-off-by: Peter Chen +Tested-by: Jiada Wang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/chipidea/udc.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/drivers/usb/chipidea/udc.c ++++ b/drivers/usb/chipidea/udc.c +@@ -1751,6 +1751,22 @@ static int ci_udc_start(struct usb_gadge + return retval; + } + ++static void ci_udc_stop_for_otg_fsm(struct ci_hdrc *ci) ++{ ++ if (!ci_otg_is_fsm_mode(ci)) ++ return; ++ ++ mutex_lock(&ci->fsm.lock); ++ if (ci->fsm.otg->state == OTG_STATE_A_PERIPHERAL) { ++ ci->fsm.a_bidl_adis_tmout = 1; ++ ci_hdrc_otg_fsm_start(ci); ++ } else if (ci->fsm.otg->state == OTG_STATE_B_PERIPHERAL) { ++ ci->fsm.protocol = PROTO_UNDEF; ++ ci->fsm.otg->state = OTG_STATE_UNDEFINED; ++ } ++ mutex_unlock(&ci->fsm.lock); ++} ++ + /** + * ci_udc_stop: unregister a gadget driver + */ +@@ -1775,6 +1791,7 @@ static int ci_udc_stop(struct usb_gadget + ci->driver = NULL; + spin_unlock_irqrestore(&ci->lock, flags); + ++ ci_udc_stop_for_otg_fsm(ci); + return 0; + } + diff --git a/queue-4.3/usb-dwc3-add-dis_enblslpm_quirk.patch b/queue-4.3/usb-dwc3-add-dis_enblslpm_quirk.patch new file mode 100644 index 00000000000..fa5011d10f0 --- /dev/null +++ b/queue-4.3/usb-dwc3-add-dis_enblslpm_quirk.patch 
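Review bot: ci_udc_stop_for_otg_fsm() is added without any comment, and it changes OTG state by hand (`ci->fsm.otg->state = OTG_STATE_UNDEFINED`) in one branch while going through `ci_hdrc_otg_fsm_start()` in the other. A header comment should say what each branch is for, along these lines: called from ci_udc_stop() in OTG FSM mode; as A-peripheral it sets `a_bidl_adis_tmout` and runs the state machine, as B-peripheral it resets protocol and state to undefined. The function also dereferences `ci->fsm.otg` right after the `ci_otg_is_fsm_mode()` test. Presumably that test guarantees the pointer is set, which is worth confirming because it is not visible here.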
@@ -0,0 +1,100 @@ +From ec791d149bca4511e7d3a6a92bb3b030c5a443f9 Mon Sep 17 00:00:00 2001 +From: John Youn +Date: Fri, 2 Oct 2015 20:30:57 -0700 +Subject: usb: dwc3: Add dis_enblslpm_quirk + +From: John Youn + +commit ec791d149bca4511e7d3a6a92bb3b030c5a443f9 upstream. + +Add a quirk to clear the GUSB2PHYCFG.ENBLSLPM bit, which controls +whether the PHY receives the suspend signal from the controller. + +Signed-off-by: John Youn +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/devicetree/bindings/usb/dwc3.txt | 2 ++ + drivers/usb/dwc3/core.c | 6 ++++++ + drivers/usb/dwc3/core.h | 4 ++++ + drivers/usb/dwc3/platform_data.h | 1 + + 4 files changed, 13 insertions(+) + +--- a/Documentation/devicetree/bindings/usb/dwc3.txt ++++ b/Documentation/devicetree/bindings/usb/dwc3.txt +@@ -35,6 +35,8 @@ Optional properties: + LTSSM during USB3 Compliance mode. + - snps,dis_u3_susphy_quirk: when set core will disable USB3 suspend phy. + - snps,dis_u2_susphy_quirk: when set core will disable USB2 suspend phy. ++ - snps,dis_enblslpm_quirk: when set clears the enblslpm in GUSB2PHYCFG, ++ disabling the suspend signal to the PHY. 
+ - snps,is-utmi-l1-suspend: true when DWC3 asserts output signal + utmi_l1_suspend_n, false when asserts utmi_sleep_n + - snps,hird-threshold: HIRD threshold +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -488,6 +488,9 @@ static int dwc3_phy_setup(struct dwc3 *d + if (dwc->dis_u2_susphy_quirk) + reg &= ~DWC3_GUSB2PHYCFG_SUSPHY; + ++ if (dwc->dis_enblslpm_quirk) ++ reg &= ~DWC3_GUSB2PHYCFG_ENBLSLPM; ++ + dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg); + + return 0; +@@ -885,6 +888,8 @@ static int dwc3_probe(struct platform_de + "snps,dis_u3_susphy_quirk"); + dwc->dis_u2_susphy_quirk = of_property_read_bool(node, + "snps,dis_u2_susphy_quirk"); ++ dwc->dis_enblslpm_quirk = device_property_read_bool(dev, ++ "snps,dis_enblslpm_quirk"); + + dwc->tx_de_emphasis_quirk = of_property_read_bool(node, + "snps,tx_de_emphasis_quirk"); +@@ -915,6 +920,7 @@ static int dwc3_probe(struct platform_de + dwc->rx_detect_poll_quirk = pdata->rx_detect_poll_quirk; + dwc->dis_u3_susphy_quirk = pdata->dis_u3_susphy_quirk; + dwc->dis_u2_susphy_quirk = pdata->dis_u2_susphy_quirk; ++ dwc->dis_enblslpm_quirk = pdata->dis_enblslpm_quirk; + + dwc->tx_de_emphasis_quirk = pdata->tx_de_emphasis_quirk; + if (pdata->tx_de_emphasis) +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -178,6 +178,7 @@ + #define DWC3_GUSB2PHYCFG_PHYSOFTRST (1 << 31) + #define DWC3_GUSB2PHYCFG_SUSPHY (1 << 6) + #define DWC3_GUSB2PHYCFG_ULPI_UTMI (1 << 4) ++#define DWC3_GUSB2PHYCFG_ENBLSLPM (1 << 8) + + /* Global USB2 PHY Vendor Control Register */ + #define DWC3_GUSB2PHYACC_NEWREGREQ (1 << 25) +@@ -715,6 +716,8 @@ struct dwc3_scratchpad_array { + * @rx_detect_poll_quirk: set if we enable rx_detect to polling lfps quirk + * @dis_u3_susphy_quirk: set if we disable usb3 suspend phy + * @dis_u2_susphy_quirk: set if we disable usb2 suspend phy ++ * @dis_enblslpm_quirk: set if we clear enblslpm in GUSB2PHYCFG, ++ * disabling the suspend signal to the PHY. 
+ * @tx_de_emphasis_quirk: set if we enable Tx de-emphasis quirk + * @tx_de_emphasis: Tx de-emphasis value + * 0 - -6dB de-emphasis +@@ -859,6 +862,7 @@ struct dwc3 { + unsigned rx_detect_poll_quirk:1; + unsigned dis_u3_susphy_quirk:1; + unsigned dis_u2_susphy_quirk:1; ++ unsigned dis_enblslpm_quirk:1; + + unsigned tx_de_emphasis_quirk:1; + unsigned tx_de_emphasis:2; +--- a/drivers/usb/dwc3/platform_data.h ++++ b/drivers/usb/dwc3/platform_data.h +@@ -42,6 +42,7 @@ struct dwc3_platform_data { + unsigned rx_detect_poll_quirk:1; + unsigned dis_u3_susphy_quirk:1; + unsigned dis_u2_susphy_quirk:1; ++ unsigned dis_enblslpm_quirk:1; + + unsigned tx_de_emphasis_quirk:1; + unsigned tx_de_emphasis:2; diff --git a/queue-4.3/usb-dwc3-gadget-let-us-set-lower-max_speed.patch b/queue-4.3/usb-dwc3-gadget-let-us-set-lower-max_speed.patch new file mode 100644 index 00000000000..15bda16f48a --- /dev/null +++ b/queue-4.3/usb-dwc3-gadget-let-us-set-lower-max_speed.patch 
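Review bot: In the dwc3_probe() hunk the new property is read with `device_property_read_bool(dev, "snps,dis_enblslpm_quirk")`, while both neighbouring quirks in the same block use `of_property_read_bool(node, ...)`. That mixes two property APIs in one block and relies on `dev` and the device-property header being available at that point in this tree, neither of which the hunk shows. For the backport I would match the surrounding code: `dwc->dis_enblslpm_quirk = of_property_read_bool(node, "snps,dis_enblslpm_quirk");`. dwc3_probe() starts and ends outside the hunk.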
@@ -0,0 +1,72 @@ +From b9e51b2b1fda19143f48d182ed7a2943f21e1ae4 Mon Sep 17 00:00:00 2001 +From: Ben McCauley +Date: Mon, 16 Nov 2015 10:47:24 -0600 +Subject: usb: dwc3: gadget: let us set lower max_speed + +From: Ben McCauley + +commit b9e51b2b1fda19143f48d182ed7a2943f21e1ae4 upstream. + +In some SoCs, dwc3 is implemented as a USB2.0 only +core, meaning that it can't ever achieve SuperSpeed. + +Currect driver always sets gadget.max_speed to +USB_SPEED_SUPER unconditionally. This can causes +issues to some Host stacks where the host will issue +a GetBOS() request and we will reply with a BOS +containing Superspeed Capability Descriptor. + +At least Windows seems to be upset by this fact and +prints a warning that we should connect $this device +to another port. + +[ balbi@ti.com : rewrote entire commit, including +source code comment to make a lot clearer what the +problem is ] + +Signed-off-by: Ben McCauley +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2723,12 +2723,34 @@ int dwc3_gadget_init(struct dwc3 *dwc) + } + + dwc->gadget.ops = &dwc3_gadget_ops; +- dwc->gadget.max_speed = USB_SPEED_SUPER; + dwc->gadget.speed = USB_SPEED_UNKNOWN; + dwc->gadget.sg_supported = true; + dwc->gadget.name = "dwc3-gadget"; + + /* ++ * FIXME We might be setting max_speed to revision < DWC3_REVISION_220A) ++ dwc3_trace(trace_dwc3_gadget, ++ "Changing max_speed on rev %08x\n", ++ dwc->revision); ++ ++ dwc->gadget.max_speed = dwc->maximum_speed; ++ ++ /* + * Per databook, DWC3 needs buffer size to be aligned to MaxPacketSize + * on ep out. + */ diff --git a/queue-4.3/usb-dwc3-pci-add-platform-data-for-synopsys-haps.patch b/queue-4.3/usb-dwc3-pci-add-platform-data-for-synopsys-haps.patch new file mode 100644 index 00000000000..88dbdb32b33 --- /dev/null 
+++ b/queue-4.3/usb-dwc3-pci-add-platform-data-for-synopsys-haps.patch @@ -0,0 +1,43 @@ +From bb7f3d6d323a56b9c3b3e727380d1395a7f10107 Mon Sep 17 00:00:00 2001 +From: John Youn +Date: Sat, 26 Sep 2015 00:11:15 -0700 +Subject: usb: dwc3: pci: Add platform data for Synopsys HAPS + +From: John Youn + +commit bb7f3d6d323a56b9c3b3e727380d1395a7f10107 upstream. + +Add platform data and set usb3_lpm_capable and has_lpm_erratum. + +Signed-off-by: John Youn +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/dwc3-pci.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -108,6 +108,21 @@ static int dwc3_pci_quirks(struct pci_de + } + } + ++ if (pdev->vendor == PCI_VENDOR_ID_SYNOPSYS && ++ (pdev->device == PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3 || ++ pdev->device == PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI || ++ pdev->device == PCI_DEVICE_ID_SYNOPSYS_HAPSUSB31)) { ++ ++ struct dwc3_platform_data pdata; ++ ++ memset(&pdata, 0, sizeof(pdata)); ++ pdata.usb3_lpm_capable = true; ++ pdata.has_lpm_erratum = true; ++ ++ return platform_device_add_data(pci_get_drvdata(pdev), &pdata, ++ sizeof(pdata)); ++ } ++ + return 0; + } + diff --git a/queue-4.3/usb-dwc3-pci-add-the-pci-product-id-for-synopsys-usb-3.1.patch b/queue-4.3/usb-dwc3-pci-add-the-pci-product-id-for-synopsys-usb-3.1.patch new file mode 100644 index 00000000000..1f481e0d03f --- /dev/null +++ b/queue-4.3/usb-dwc3-pci-add-the-pci-product-id-for-synopsys-usb-3.1.patch 
@@ -0,0 +1,41 @@ +From e8095a25364a30216ad40dbe8893ed5c3c235949 Mon Sep 17 00:00:00 2001 +From: John Youn +Date: Fri, 7 Aug 2015 11:47:25 -0700 +Subject: usb: dwc3: pci: Add the PCI Product ID for Synopsys USB 3.1 + +From: John Youn + +commit e8095a25364a30216ad40dbe8893ed5c3c235949 upstream. + +This adds the PCI product ID for the Synopsys USB 3.1 IP core +(DWC_usb31) on a HAPS-based PCI development platform. + +Signed-off-by: John Youn +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/dwc3-pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -28,6 +28,7 @@ + + #define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3 0xabcd + #define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI 0xabce ++#define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB31 0xabcf + #define PCI_DEVICE_ID_INTEL_BYT 0x0f37 + #define PCI_DEVICE_ID_INTEL_MRFLD 0x119e + #define PCI_DEVICE_ID_INTEL_BSW 0x22B7 +@@ -183,6 +184,10 @@ static const struct pci_device_id dwc3_p + PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS, + PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI), + }, ++ { ++ PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS, ++ PCI_DEVICE_ID_SYNOPSYS_HAPSUSB31), ++ }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BSW), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BYT), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), }, diff --git a/queue-4.3/usb-dwc3-pci-add-the-synopsys-haps-axi-product-id.patch b/queue-4.3/usb-dwc3-pci-add-the-synopsys-haps-axi-product-id.patch new file mode 100644 index 00000000000..8a3696c364a --- /dev/null +++ b/queue-4.3/usb-dwc3-pci-add-the-synopsys-haps-axi-product-id.patch 
@@ -0,0 +1,42 @@ +From 41adc59caece02aa2e988a0e8f9fe8e6f426f82e Mon Sep 17 00:00:00 2001 +From: John Youn +Date: Fri, 7 Aug 2015 11:04:14 -0700 +Subject: usb: dwc3: pci: Add the Synopsys HAPS AXI Product ID + +From: John Youn + +commit 41adc59caece02aa2e988a0e8f9fe8e6f426f82e upstream. + +This ID is for the Synopsys DWC_usb3 core with AXI interface on PCIe +HAPS platform. This core has the debug registers mapped at a separate +BAR in order to support enhanced hibernation. + +Signed-off-by: John Youn +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/dwc3-pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -27,6 +27,7 @@ + #include "platform_data.h" + + #define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3 0xabcd ++#define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI 0xabce + #define PCI_DEVICE_ID_INTEL_BYT 0x0f37 + #define PCI_DEVICE_ID_INTEL_MRFLD 0x119e + #define PCI_DEVICE_ID_INTEL_BSW 0x22B7 +@@ -178,6 +179,10 @@ static const struct pci_device_id dwc3_p + PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS, + PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3), + }, ++ { ++ PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS, ++ PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI), ++ }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BSW), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BYT), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), }, diff --git a/queue-4.3/usb-dwc3-pci-set-enblslpm-quirk-for-synopsys-platforms.patch b/queue-4.3/usb-dwc3-pci-set-enblslpm-quirk-for-synopsys-platforms.patch new file mode 100644 index 00000000000..d7dd60401be --- /dev/null +++ b/queue-4.3/usb-dwc3-pci-set-enblslpm-quirk-for-synopsys-platforms.patch 
@@ -0,0 +1,31 @@ +From 94218ee31ba56fb3a8625978b393124ad660408e Mon Sep 17 00:00:00 2001 +From: John Youn +Date: Fri, 2 Oct 2015 20:32:17 -0700 +Subject: usb: dwc3: pci: Set enblslpm quirk for Synopsys platforms + +From: John Youn + +commit 94218ee31ba56fb3a8625978b393124ad660408e upstream. + +Certain Synopsys prototyping PHY boards are not able to meet timings +constraints for LPM. This allows the PHY to meet those timings by +leaving the PHY clock running during suspend. + +Signed-off-by: John Youn +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/dwc3-pci.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -118,6 +118,7 @@ static int dwc3_pci_quirks(struct pci_de + memset(&pdata, 0, sizeof(pdata)); + pdata.usb3_lpm_capable = true; + pdata.has_lpm_erratum = true; ++ pdata.dis_enblslpm_quirk = true; + + return platform_device_add_data(pci_get_drvdata(pdev), &pdata, + sizeof(pdata)); diff --git a/queue-4.3/usb-dwc3-support-synopsys-usb-3.1-ip.patch b/queue-4.3/usb-dwc3-support-synopsys-usb-3.1-ip.patch new file mode 100644 index 00000000000..ef0bca194f5 --- /dev/null +++ b/queue-4.3/usb-dwc3-support-synopsys-usb-3.1-ip.patch 
@@ -0,0 +1,99 @@ +From 690fb3718a70c66004342f6f5e2e8a5f95b977db Mon Sep 17 00:00:00 2001 +From: John Youn +Date: Fri, 4 Sep 2015 19:15:10 -0700 +Subject: usb: dwc3: Support Synopsys USB 3.1 IP + +From: John Youn + +commit 690fb3718a70c66004342f6f5e2e8a5f95b977db upstream. + +This patch allows the dwc3 driver to run on the new Synopsys USB 3.1 +IP core, albeit in USB 3.0 mode only. + +The Synopsys USB 3.1 IP (DWC_usb31) retains mostly the same register +interface and programming model as the existing USB 3.0 controller IP +(DWC_usb3). However the GSNPSID and version numbers are different. + +Add checking for the new ID to pass driver probe. + +Also, since the DWC_usb31 version number is lower in value than the +full GSNPSID of the DWC_usb3 IP, we set the high bit to identify +DWC_usb31 and to ensure the values are higher. + +Finally, add a documentation note about the revision numbering scheme. +Any future revision checks (for STARS, workarounds, and new features) +should take into consideration how it applies to both the 3.1/3.0 IP. 
+ +Signed-off-by: John Youn +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/core.c | 10 ++++++++-- + drivers/usb/dwc3/core.h | 18 ++++++++++++++++++ + 2 files changed, 26 insertions(+), 2 deletions(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -507,12 +507,18 @@ static int dwc3_core_init(struct dwc3 *d + + reg = dwc3_readl(dwc->regs, DWC3_GSNPSID); + /* This should read as U3 followed by revision number */ +- if ((reg & DWC3_GSNPSID_MASK) != 0x55330000) { ++ if ((reg & DWC3_GSNPSID_MASK) == 0x55330000) { ++ /* Detected DWC_usb3 IP */ ++ dwc->revision = reg; ++ } else if ((reg & DWC3_GSNPSID_MASK) == 0x33310000) { ++ /* Detected DWC_usb31 IP */ ++ dwc->revision = dwc3_readl(dwc->regs, DWC3_VER_NUMBER); ++ dwc->revision |= DWC3_REVISION_IS_DWC31; ++ } else { + dev_err(dwc->dev, "this is not a DesignWare USB3 DRD Core\n"); + ret = -ENODEV; + goto err0; + } +- dwc->revision = reg; + + /* + * Write Linux Version Code to our GUID register so it's easy to figure +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -108,6 +108,9 @@ + #define DWC3_GPRTBIMAP_FS0 0xc188 + #define DWC3_GPRTBIMAP_FS1 0xc18c + ++#define DWC3_VER_NUMBER 0xc1a0 ++#define DWC3_VER_TYPE 0xc1a4 ++ + #define DWC3_GUSB2PHYCFG(n) (0xc200 + (n * 0x04)) + #define DWC3_GUSB2I2CCTL(n) (0xc240 + (n * 0x04)) + +@@ -766,6 +769,14 @@ struct dwc3 { + u32 num_event_buffers; + u32 u1u2; + u32 maximum_speed; ++ ++ /* ++ * All 3.1 IP version constants are greater than the 3.0 IP ++ * version constants. This works for most version checks in ++ * dwc3. However, in the future, this may not apply as ++ * features may be developed on newer versions of the 3.0 IP ++ * that are not in the 3.1 IP. ++ */ + u32 revision; + + #define DWC3_REVISION_173A 0x5533173a +@@ -788,6 +799,13 @@ struct dwc3 { + #define DWC3_REVISION_270A 0x5533270a + #define DWC3_REVISION_280A 0x5533280a + ++/* ++ * NOTICE: we're using bit 31 as a "is usb 3.1" flag. 
This is really ++ * just so dwc31 revisions are always larger than dwc3. ++ */ ++#define DWC3_REVISION_IS_DWC31 0x80000000 ++#define DWC3_USB31_REVISION_110A (0x3131302a | DWC3_REVISION_IS_USB31) ++ + enum dwc3_ep0_next ep0_next_event; + enum dwc3_ep0_state ep0state; + enum dwc3_link_state link_state; diff --git a/queue-4.3/usb-gadget-atmel_usba_udc-expose-correct-device-speed.patch b/queue-4.3/usb-gadget-atmel_usba_udc-expose-correct-device-speed.patch new file mode 100644 index 00000000000..e6277699262 --- /dev/null +++ b/queue-4.3/usb-gadget-atmel_usba_udc-expose-correct-device-speed.patch 
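Review bot: `DWC3_USB31_REVISION_110A` in the core.h hunk is built from `DWC3_REVISION_IS_USB31`, but the flag defined on the line above it, and the one dwc3_core_init() ORs into `dwc->revision`, is `DWC3_REVISION_IS_DWC31`, so the first user of the 110A constant will fail to compile. The define should read `#define DWC3_USB31_REVISION_110A (0x3131302a | DWC3_REVISION_IS_DWC31)`. Nothing in the visible hunks references the constant yet, which is presumably why the mismatch goes unnoticed at build time.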
@@ -0,0 +1,42 @@
+From d134c48d889ddceadf4c990e6f3df16b816ed5d4 Mon Sep 17 00:00:00 2001
+From: Douglas Gilbert
+Date: Mon, 16 Nov 2015 19:22:08 +0100
+Subject: usb: gadget: atmel_usba_udc: Expose correct device speed
+
+From: Douglas Gilbert
+
+commit d134c48d889ddceadf4c990e6f3df16b816ed5d4 upstream.
+
+Following changes that appeared in lk 4.0.0, the gadget udc driver for
+some ARM based Atmel SoCs (e.g. at91sam9x5 and sama5d3 families)
+incorrectly deduced full-speed USB link speed even when the hardware
+had negotiated a high-speed link. The fix is to make sure that the
+UDPHS Interrupt Enable Register value does not mask the SPEED bit
+in the Interrupt Status Register.
+
+For a mass storage gadget this problem lead to failures when the host
+had a USB 3 port with the xhci_hcd driver. If the host was a USB 2
+port using the ehci_hcd driver then the mass storage gadget worked
+(but probably at a lower speed than it should have).
+
+Signed-off-by: Douglas Gilbert
+Reviewed-by: Boris Brezillon
+Fixes: 9870d895ad87 ("usb: atmel_usba_udc: Mask status with enabled irqs")
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/udc/atmel_usba_udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/atmel_usba_udc.c
++++ b/drivers/usb/gadget/udc/atmel_usba_udc.c
+@@ -1633,7 +1633,7 @@ static irqreturn_t usba_udc_irq(int irq,
+ spin_lock(&udc->lock);
+
+ int_enb = usba_int_enb_get(udc);
+- status = usba_readl(udc, INT_STA) & int_enb;
++ status = usba_readl(udc, INT_STA) & (int_enb | USBA_HIGH_SPEED);
+ DBG(DBG_INT, "irq, status=%#08x\n", status);
+
+ if (status & USBA_DET_SUSPEND) {
diff --git a/queue-4.3/usb-gadget-net2280-restore-ep_cfg-after-defect7374-workaround.patch b/queue-4.3/usb-gadget-net2280-restore-ep_cfg-after-defect7374-workaround.patch
new file mode 100644
index 00000000000..5593f1accd1
--- /dev/null
+++ b/queue-4.3/usb-gadget-net2280-restore-ep_cfg-after-defect7374-workaround.patch
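Review bot: The new mask in usba_udc_irq() carries no comment saying why `USBA_HIGH_SPEED` is exempt from the enable mask, so a later cleanup could fold it back to `& int_enb` and bring back the full-speed misdetection the commit message describes. A one-line comment above the read would prevent that, e.g. `/* keep USBA_HIGH_SPEED: it reports link speed and must survive the int_enb mask */`. The function body starts and ends outside the hunk.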
@@ -0,0 +1,34 @@
+From 81e9d14a53eb1abfbe6ac828a87a2deb4702b5f1 Mon Sep 17 00:00:00 2001
+From: Mian Yousaf Kaukab
+Date: Mon, 19 Oct 2015 16:25:15 +0200
+Subject: usb: gadget: net2280: restore ep_cfg after defect7374 workaround
+
+From: Mian Yousaf Kaukab
+
+commit 81e9d14a53eb1abfbe6ac828a87a2deb4702b5f1 upstream.
+
+Defect 7374 workaround enables all GPEP as endpoint 0. Restore
+endpoint number when defect 7374 workaround is disabled. Otherwise,
+check to match USB endpoint number to hardware endpoint number in
+net2280_enable() fails.
+
+Reported-by: Paul Jones
+Signed-off-by: Mian Yousaf Kaukab
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/udc/net2280.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/net2280.c
++++ b/drivers/usb/gadget/udc/net2280.c
+@@ -1913,7 +1913,7 @@ static void defect7374_disable_data_eps(
+
+ for (i = 1; i < 5; i++) {
+ ep = &dev->ep[i];
+- writel(0, &ep->cfg->ep_cfg);
++ writel(i, &ep->cfg->ep_cfg);
+ }
+
+ /* CSROUT, CSRIN, PCIOUT, PCIIN, STATIN, RCIN */
diff --git a/queue-4.3/x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch b/queue-4.3/x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch
new file mode 100644
index 00000000000..312f4df8ede
--- /dev/null
+++ b/queue-4.3/x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch
@@ -0,0 +1,118 @@ +From 04633df0c43d710e5f696b06539c100898678235 Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Thu, 5 Nov 2015 16:57:56 +0100 +Subject: x86/cpu: Call verify_cpu() after having entered long mode too + +From: Borislav Petkov + +commit 04633df0c43d710e5f696b06539c100898678235 upstream. + +When we get loaded by a 64-bit bootloader, kernel entry point is +startup_64 in head_64.S. We don't trust any and all bootloaders because +some will fiddle with CPU configuration so we go ahead and massage each +CPU into sanity again. + +For example, some dell BIOSes have this XD disable feature which set +IA32_MISC_ENABLE[34] and disable NX. This might be some dumb workaround +for other OSes but Linux sure doesn't need it. + +A similar thing is present in the Surface 3 firmware - see +https://bugzilla.kernel.org/show_bug.cgi?id=106051 - which sets this bit +only on the BSP: + + # rdmsr -a 0x1a0 + 400850089 + 850089 + 850089 + 850089 + +I know, right?! + +There's not even an off switch in there. + +So fix all those cases by sanitizing the 64-bit entry point too. For +that, make verify_cpu() callable in 64-bit mode also. + +Requested-and-debugged-by: "H. Peter Anvin" +Reported-and-tested-by: Bastien Nocera +Signed-off-by: Borislav Petkov +Cc: Matt Fleming +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/1446739076-21303-1-git-send-email-bp@alien8.de +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/head_64.S | 8 ++++++++ + arch/x86/kernel/verify_cpu.S | 12 +++++++----- + 2 files changed, 15 insertions(+), 5 deletions(-) + +--- a/arch/x86/kernel/head_64.S ++++ b/arch/x86/kernel/head_64.S +@@ -65,6 +65,9 @@ startup_64: + * tables and then reload them. + */ + ++ /* Sanitize CPU configuration */ ++ call verify_cpu ++ + /* + * Compute the delta between the address I am compiled to run at and the + * address I am actually running at. 
+@@ -174,6 +177,9 @@ ENTRY(secondary_startup_64) + * after the boot processor executes this code. + */ + ++ /* Sanitize CPU configuration */ ++ call verify_cpu ++ + movq $(init_level4_pgt - __START_KERNEL_map), %rax + 1: + +@@ -288,6 +294,8 @@ ENTRY(secondary_startup_64) + pushq %rax # target address in negative space + lretq + ++#include "verify_cpu.S" ++ + #ifdef CONFIG_HOTPLUG_CPU + /* + * Boot CPU0 entry point. It's called from play_dead(). Everything has been set +--- a/arch/x86/kernel/verify_cpu.S ++++ b/arch/x86/kernel/verify_cpu.S +@@ -34,10 +34,11 @@ + #include + + verify_cpu: +- pushfl # Save caller passed flags +- pushl $0 # Kill any dangerous flags +- popfl ++ pushf # Save caller passed flags ++ push $0 # Kill any dangerous flags ++ popf + ++#ifndef __x86_64__ + pushfl # standard way to check for cpuid + popl %eax + movl %eax,%ebx +@@ -48,6 +49,7 @@ verify_cpu: + popl %eax + cmpl %eax,%ebx + jz verify_cpu_no_longmode # cpu has no cpuid ++#endif + + movl $0x0,%eax # See if cpuid 1 is implemented + cpuid +@@ -130,10 +132,10 @@ verify_cpu_sse_test: + jmp verify_cpu_sse_test # try again + + verify_cpu_no_longmode: +- popfl # Restore caller passed flags ++ popf # Restore caller passed flags + movl $1,%eax + ret + verify_cpu_sse_ok: +- popfl # Restore caller passed flags ++ popf # Restore caller passed flags + xorl %eax, %eax + ret diff --git a/queue-4.3/x86-cpu-fix-smap-check-in-pvops-environments.patch b/queue-4.3/x86-cpu-fix-smap-check-in-pvops-environments.patch new file mode 100644 index 00000000000..25e46a8da37 --- /dev/null +++ b/queue-4.3/x86-cpu-fix-smap-check-in-pvops-environments.patch 
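Review bot: Both new `call verify_cpu` sites in head_64.S discard the result: verify_cpu returns 1 in %eax on its `verify_cpu_no_longmode` path, and in secondary_startup_64 the very next instruction (`movq $(init_level4_pgt - __START_KERNEL_map), %rax`) overwrites it. If ignoring it is deliberate because the CPU is already in long mode, the comment should say so, e.g. `/* Sanitize CPU configuration; result ignored, we are already in long mode */`. The call and the `pushf`/`push $0` inside verify_cpu also need a usable stack, and neither hunk shows %rsp being set up first, so this appears to rely on whatever stack the loader left; both entry points begin outside the hunks, so that should be confirmed against the full file.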
@@ -0,0 +1,54 @@
+From 581b7f158fe0383b492acd1ce3fb4e99d4e57808 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper
+Date: Wed, 3 Jun 2015 10:31:14 +0100
+Subject: x86/cpu: Fix SMAP check in PVOPS environments
+
+From: Andrew Cooper
+
+commit 581b7f158fe0383b492acd1ce3fb4e99d4e57808 upstream.
+
+There appears to be no formal statement of what pv_irq_ops.save_fl() is
+supposed to return precisely. Native returns the full flags, while lguest and
+Xen only return the Interrupt Flag, and both have comments by the
+implementations stating that only the Interrupt Flag is looked at. This may
+have been true when initially implemented, but no longer is.
+
+To make matters worse, the Xen PVOP leaves the upper bits undefined, making
+the BUG_ON() undefined behaviour. Experimentally, this now trips for 32bit PV
+guests on Broadwell hardware. The BUG_ON() is consistent for an individual
+build, but not consistent for all builds. It has also been a sitting timebomb
+since SMAP support was introduced.
+
+Use native_save_fl() instead, which will obtain an accurate view of the AC
+flag.
+
+Signed-off-by: Andrew Cooper
+Reviewed-by: David Vrabel
+Tested-by: Rusty Russell
+Cc: Rusty Russell
+Cc: Konrad Rzeszutek Wilk
+Cc: Boris Ostrovsky
+Cc:
+Cc: Xen-devel
+Link: http://lkml.kernel.org/r/1433323874-6927-1-git-send-email-andrew.cooper3@citrix.com
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/common.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -273,10 +273,9 @@ __setup("nosmap", setup_disable_smap);
+
+ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
+ {
+- unsigned long eflags;
++ unsigned long eflags = native_save_fl();
+
+ /* This should have been cleared long ago */
+- raw_local_save_flags(eflags);
+ BUG_ON(eflags & X86_EFLAGS_AC);
+
+ if (cpu_has(c, X86_FEATURE_SMAP)) {
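Review bot: setup_smap() now reads the flags with `native_save_fl()`, but the only comment left in the function (`This should have been cleared long ago`) does not say why the paravirt accessor is avoided, so a later conversion back to `raw_local_save_flags()` would quietly make the SMAP sanity check unreliable again. Per the commit message, PV implementations of save_fl may return only the interrupt flag and leave the AC bit undefined. I would add above the declaration: `/* native_save_fl(): the pvops save_fl is not guaranteed to return a valid AC bit */`. The function body continues past the end of the hunk.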
diff --git a/queue-4.3/x86-fpu-fix-32-bit-signal-frame-handling.patch b/queue-4.3/x86-fpu-fix-32-bit-signal-frame-handling.patch
new file mode 100644
index 00000000000..37156da6ce8
--- /dev/null
+++ b/queue-4.3/x86-fpu-fix-32-bit-signal-frame-handling.patch
@@ -0,0 +1,105 @@ +From ab6b52947545a5355154f64f449f97af9d05845f Mon Sep 17 00:00:00 2001 +From: Dave Hansen +Date: Tue, 10 Nov 2015 16:23:54 -0800 +Subject: x86/fpu: Fix 32-bit signal frame handling + +From: Dave Hansen + +commit ab6b52947545a5355154f64f449f97af9d05845f upstream. + +(This should have gone to LKML originally. Sorry for the extra + noise, folks on the cc.) + +Background: + +Signal frames on x86 have two formats: + + 1. For 32-bit executables (whether on a real 32-bit kernel or + under 32-bit emulation on a 64-bit kernel) we have a + 'fpregset_t' that includes the "FSAVE" registers. + + 2. For 64-bit executables (on 64-bit kernels obviously), the + 'fpregset_t' is smaller and does not contain the "FSAVE" + state. + +When creating the signal frame, we have to be aware of whether +we are running a 32 or 64-bit executable so we create the +correct format signal frame. + +Problem: + +save_xstate_epilog() uses 'fx_sw_reserved_ia32' whenever it is +called for a 32-bit executable. This is for real 32-bit and +ia32 emulation. + +But, fpu__init_prepare_fx_sw_frame() only initializes +'fx_sw_reserved_ia32' when emulation is enabled, *NOT* for real +32-bit kernels. + +This leads to really wierd situations where 32-bit programs +lose their extended state when returning from a signal handler. +The kernel copies the uninitialized (zero) 'fx_sw_reserved_ia32' +out to userspace in save_xstate_epilog(). But when returning +from the signal, the kernel errors out in check_for_xstate() +when it does not see FP_XSTATE_MAGIC1 present (because it was +zeroed). This leads to the FPU/XSAVE state being initialized. + +For MPX, this leads to the most permissive state and means we +silently lose bounds violations. I think this would also mean +that we could lose *ANY* FPU/SSE/AVX state. I'm not sure why +no one has spotted this bug. + +I believe this was broken by: + + 72a671ced66d ("x86, fpu: Unify signal handling code paths for x86 and x86_64 kernels") + +way back in 2012. 
+ +Signed-off-by: Dave Hansen +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: dave@sr71.net +Cc: fenghua.yu@intel.com +Cc: yu-cheng.yu@intel.com +Link: http://lkml.kernel.org/r/20151111002354.A0799571@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/fpu/signal.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/arch/x86/kernel/fpu/signal.c ++++ b/arch/x86/kernel/fpu/signal.c +@@ -385,20 +385,19 @@ fpu__alloc_mathframe(unsigned long sp, i + */ + void fpu__init_prepare_fx_sw_frame(void) + { +- int fsave_header_size = sizeof(struct fregs_state); + int size = xstate_size + FP_XSTATE_MAGIC2_SIZE; + +- if (config_enabled(CONFIG_X86_32)) +- size += fsave_header_size; +- + fx_sw_reserved.magic1 = FP_XSTATE_MAGIC1; + fx_sw_reserved.extended_size = size; + fx_sw_reserved.xfeatures = xfeatures_mask; + fx_sw_reserved.xstate_size = xstate_size; + +- if (config_enabled(CONFIG_IA32_EMULATION)) { ++ if (config_enabled(CONFIG_IA32_EMULATION) || ++ config_enabled(CONFIG_X86_32)) { ++ int fsave_header_size = sizeof(struct fregs_state); ++ + fx_sw_reserved_ia32 = fx_sw_reserved; +- fx_sw_reserved_ia32.extended_size += fsave_header_size; ++ fx_sw_reserved_ia32.extended_size = size + fsave_header_size; + } + } + diff --git a/queue-4.3/x86-fpu-fix-get_xsave_addr-behavior-under-virtualization.patch b/queue-4.3/x86-fpu-fix-get_xsave_addr-behavior-under-virtualization.patch new file mode 100644 index 00000000000..bc1d4f1804f --- /dev/null +++ b/queue-4.3/x86-fpu-fix-get_xsave_addr-behavior-under-virtualization.patch 
@@ -0,0 +1,51 @@
+From a05917b6ba9dc9a95fc42bdcbe3a875e8ad83935 Mon Sep 17 00:00:00 2001
+From: Huaitong Han
+Date: Fri, 6 Nov 2015 17:00:23 +0800
+Subject: x86/fpu: Fix get_xsave_addr() behavior under virtualization
+
+From: Huaitong Han
+
+commit a05917b6ba9dc9a95fc42bdcbe3a875e8ad83935 upstream.
+
+KVM uses the get_xsave_addr() function in a different fashion from
+the native kernel, in that the 'xsave' parameter belongs to guest vcpu,
+not the currently running task.
+
+But 'xsave' is replaced with current task's (host) xsave structure, so
+get_xsave_addr() will incorrectly return the bad xsave address to KVM.
+
+Fix it so that the passed in 'xsave' address is used - as intended
+originally.
+
+Signed-off-by: Huaitong Han
+Reviewed-by: Dave Hansen
+Cc: Andy Lutomirski
+Cc: Paolo Bonzini
+Cc: Borislav Petkov
+Cc: Fenghua Yu
+Cc: H. Peter Anvin
+Cc: Linus Torvalds
+Cc: Oleg Nesterov
+Cc: Peter Zijlstra
+Cc: Quentin Casasnovas
+Cc: Thomas Gleixner
+Cc: dave.hansen@intel.com
+Link: http://lkml.kernel.org/r/1446800423-21622-1-git-send-email-huaitong.han@intel.com
+[ Tidied up the changelog. ]
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/fpu/xstate.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/x86/kernel/fpu/xstate.c
++++ b/arch/x86/kernel/fpu/xstate.c
+@@ -402,7 +402,6 @@ void *get_xsave_addr(struct xregs_state
+ if (!boot_cpu_has(X86_FEATURE_XSAVE))
+ return NULL;
+
+- xsave = ¤t->thread.fpu.state.xsave;
+ /*
+ * We should not ever be requesting features that we
+ * have not enabled. Remember that pcntxt_mask is
diff --git a/queue-4.3/x86-irq-probe-for-pic-presence-before-allocating-descs-for-legacy-irqs.patch b/queue-4.3/x86-irq-probe-for-pic-presence-before-allocating-descs-for-legacy-irqs.patch
new file mode 100644
index 00000000000..700f5df86f6
--- /dev/null
+++ b/queue-4.3/x86-irq-probe-for-pic-presence-before-allocating-descs-for-legacy-irqs.patch
@@ -0,0 +1,144 @@ +From 8c058b0b9c34d8c8d7912880956543769323e2d8 Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Tue, 3 Nov 2015 10:40:14 +0100 +Subject: x86/irq: Probe for PIC presence before allocating descs for legacy IRQs + +From: Vitaly Kuznetsov + +commit 8c058b0b9c34d8c8d7912880956543769323e2d8 upstream. + +Commit d32932d02e18 ("x86/irq: Convert IOAPIC to use hierarchical irqdomain +interfaces") brought a regression for Hyper-V Gen2 instances. These +instances don't have i8259 legacy PIC but they use legacy IRQs for serial +port, rtc, and acpi. With this commit included we end up with these IRQs +not initialized. Earlier, there was a special workaround for legacy IRQs +in mp_map_pin_to_irq() doing mp_irqdomain_map() without looking at +nr_legacy_irqs() and now we fail in __irq_domain_alloc_irqs() when +irq_domain_alloc_descs() returns -EEXIST. + +The essence of the issue seems to be that early_irq_init() calls +arch_probe_nr_irqs() to figure out the number of legacy IRQs before +we probe for i8259 and gets 16. Later when init_8259A() is called we switch +to NULL legacy PIC and nr_legacy_irqs() starts to return 0 but we already +have 16 descs allocated. + +Solve the issue by separating i8259 probe from init and calling it in +arch_probe_nr_irqs() before we actually use nr_legacy_irqs() information. + +Fixes: d32932d02e18 ("x86/irq: Convert IOAPIC to use hierarchical irqdomain interfaces") +Signed-off-by: Vitaly Kuznetsov +Cc: Jiang Liu +Cc: K. Y. 
Srinivasan +Link: http://lkml.kernel.org/r/1446543614-3621-1-git-send-email-vkuznets@redhat.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/i8259.h | 1 + + arch/x86/kernel/apic/vector.c | 6 +++++- + arch/x86/kernel/i8259.c | 29 +++++++++++++++++++++-------- + 3 files changed, 27 insertions(+), 9 deletions(-) + +--- a/arch/x86/include/asm/i8259.h ++++ b/arch/x86/include/asm/i8259.h +@@ -60,6 +60,7 @@ struct legacy_pic { + void (*mask_all)(void); + void (*restore_mask)(void); + void (*init)(int auto_eoi); ++ int (*probe)(void); + int (*irq_pending)(unsigned int irq); + void (*make_irq)(unsigned int irq); + }; +--- a/arch/x86/kernel/apic/vector.c ++++ b/arch/x86/kernel/apic/vector.c +@@ -361,7 +361,11 @@ int __init arch_probe_nr_irqs(void) + if (nr < nr_irqs) + nr_irqs = nr; + +- return nr_legacy_irqs(); ++ /* ++ * We don't know if PIC is present at this point so we need to do ++ * probe() to get the right number of legacy IRQs. ++ */ ++ return legacy_pic->probe(); + } + + #ifdef CONFIG_X86_IO_APIC +--- a/arch/x86/kernel/i8259.c ++++ b/arch/x86/kernel/i8259.c +@@ -295,16 +295,11 @@ static void unmask_8259A(void) + raw_spin_unlock_irqrestore(&i8259A_lock, flags); + } + +-static void init_8259A(int auto_eoi) ++static int probe_8259A(void) + { + unsigned long flags; + unsigned char probe_val = ~(1 << PIC_CASCADE_IR); + unsigned char new_val; +- +- i8259A_auto_eoi = auto_eoi; +- +- raw_spin_lock_irqsave(&i8259A_lock, flags); +- + /* + * Check to see if we have a PIC. + * Mask all except the cascade and read +@@ -312,16 +307,28 @@ static void init_8259A(int auto_eoi) + * have a PIC, we will read 0xff as opposed to the + * value we wrote. 
+ */ ++ raw_spin_lock_irqsave(&i8259A_lock, flags); ++ + outb(0xff, PIC_SLAVE_IMR); /* mask all of 8259A-2 */ + outb(probe_val, PIC_MASTER_IMR); + new_val = inb(PIC_MASTER_IMR); + if (new_val != probe_val) { + printk(KERN_INFO "Using NULL legacy PIC\n"); + legacy_pic = &null_legacy_pic; +- raw_spin_unlock_irqrestore(&i8259A_lock, flags); +- return; + } + ++ raw_spin_unlock_irqrestore(&i8259A_lock, flags); ++ return nr_legacy_irqs(); ++} ++ ++static void init_8259A(int auto_eoi) ++{ ++ unsigned long flags; ++ ++ i8259A_auto_eoi = auto_eoi; ++ ++ raw_spin_lock_irqsave(&i8259A_lock, flags); ++ + outb(0xff, PIC_MASTER_IMR); /* mask all of 8259A-1 */ + + /* +@@ -379,6 +386,10 @@ static int legacy_pic_irq_pending_noop(u + { + return 0; + } ++static int legacy_pic_probe(void) ++{ ++ return 0; ++} + + struct legacy_pic null_legacy_pic = { + .nr_legacy_irqs = 0, +@@ -388,6 +399,7 @@ struct legacy_pic null_legacy_pic = { + .mask_all = legacy_pic_noop, + .restore_mask = legacy_pic_noop, + .init = legacy_pic_int_noop, ++ .probe = legacy_pic_probe, + .irq_pending = legacy_pic_irq_pending_noop, + .make_irq = legacy_pic_uint_noop, + }; +@@ -400,6 +412,7 @@ struct legacy_pic default_legacy_pic = { + .mask_all = mask_8259A, + .restore_mask = unmask_8259A, + .init = init_8259A, ++ .probe = probe_8259A, + .irq_pending = i8259A_irq_pending, + .make_irq = make_8259A_irq, + }; diff --git a/queue-4.3/x86-mpx-do-proper-get_user-when-running-32-bit-binaries-on-64-bit-kernels.patch b/queue-4.3/x86-mpx-do-proper-get_user-when-running-32-bit-binaries-on-64-bit-kernels.patch new file mode 100644 index 00000000000..ade10d2fc44 --- /dev/null +++ b/queue-4.3/x86-mpx-do-proper-get_user-when-running-32-bit-binaries-on-64-bit-kernels.patch 
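Review bot: `probe_8259A()` does more than probe: when the readback differs it replaces the global `legacy_pic` with `&null_legacy_pic`, and its return value comes from `nr_legacy_irqs()` evaluated after that switch, yet neither the function nor the new `int (*probe)(void);` member in i8259.h documents this. arch_probe_nr_irqs() now calls `legacy_pic->probe()` unconditionally, so any `struct legacy_pic` instance other than the two updated in these hunks (none is visible here) would have to set the member too or the call dereferences NULL. A comment on the member such as `/* detect the PIC, may switch legacy_pic; returns the number of legacy IRQs */` would state the contract. As a style point, a blank line is missing before the `legacy_pic_probe()` definition and after the declarations in `probe_8259A()`.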
@@ -0,0 +1,90 @@ +From 46561c3959d6307d22139c24cd0bf196162e5681 Mon Sep 17 00:00:00 2001 +From: Dave Hansen +Date: Wed, 11 Nov 2015 10:19:31 -0800 +Subject: x86/mpx: Do proper get_user() when running 32-bit binaries on 64-bit kernels + +From: Dave Hansen + +commit 46561c3959d6307d22139c24cd0bf196162e5681 upstream. + +When you call get_user(foo, bar), you effectively do a + + copy_from_user(&foo, bar, sizeof(*bar)); + +Note that the sizeof() is implicit. + +When we reach out to userspace to try to zap an entire "bounds +table" we need to go read a "bounds directory entry" in order to +locate the table's address. The size of a "directory entry" +depends on the binary being run and is always the size of a +pointer. + +But, when we have a 64-bit kernel and a 32-bit application, the +directory entry is still only 32-bits long, but we fetch it with +a 64-bit pointer which makes get_user() does a 64-bit fetch. +Reading 4 extra bytes isn't harmful, unless we are at the end of +and run off the table. It might also cause the zero page to get +faulted in unnecessarily even if you are not at the end. + +Fix it up by doing a special 32-bit get_user() via a cast when +we have 32-bit userspace. + +Signed-off-by: Dave Hansen +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Dave Hansen +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20151111181931.3ACF6822@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/mpx.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +--- a/arch/x86/mm/mpx.c ++++ b/arch/x86/mm/mpx.c +@@ -585,6 +585,29 @@ static unsigned long mpx_bd_entry_to_bt_ + } + + /* ++ * We only want to do a 4-byte get_user() on 32-bit. Otherwise, ++ * we might run off the end of the bounds table if we are on ++ * a 64-bit kernel and try to get 8 bytes. 
++ */ ++int get_user_bd_entry(struct mm_struct *mm, unsigned long *bd_entry_ret, ++ long __user *bd_entry_ptr) ++{ ++ u32 bd_entry_32; ++ int ret; ++ ++ if (is_64bit_mm(mm)) ++ return get_user(*bd_entry_ret, bd_entry_ptr); ++ ++ /* ++ * Note that get_user() uses the type of the *pointer* to ++ * establish the size of the get, not the destination. ++ */ ++ ret = get_user(bd_entry_32, (u32 __user *)bd_entry_ptr); ++ *bd_entry_ret = bd_entry_32; ++ return ret; ++} ++ ++/* + * Get the base of bounds tables pointed by specific bounds + * directory entry. + */ +@@ -604,7 +627,7 @@ static int get_bt_addr(struct mm_struct + int need_write = 0; + + pagefault_disable(); +- ret = get_user(bd_entry, bd_entry_ptr); ++ ret = get_user_bd_entry(mm, &bd_entry, bd_entry_ptr); + pagefault_enable(); + if (!ret) + break; diff --git a/queue-4.3/x86-mpx-fix-32-bit-address-space-calculation.patch b/queue-4.3/x86-mpx-fix-32-bit-address-space-calculation.patch new file mode 100644 index 00000000000..dd1b5049201 --- /dev/null +++ b/queue-4.3/x86-mpx-fix-32-bit-address-space-calculation.patch 
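Review bot: `get_user_bd_entry()` is added without `static`, although the only caller shown is get_bt_addr() in the same file and the patch adds no prototype; it should be declared `static int get_user_bd_entry(...)` to keep it out of the global namespace and avoid a missing-prototype warning. On the 32-bit path `*bd_entry_ret = bd_entry_32;` also runs when get_user() has failed, so the stored value is only meaningful after checking the return code, which get_bt_addr() appears to do with `if (!ret)`; one sentence in the function comment would make that explicit. get_bt_addr() starts and ends outside the hunk.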
@@ -0,0 +1,81 @@ +From f3119b830264d89d216bfb378ab65065dffa02d9 Mon Sep 17 00:00:00 2001 +From: Dave Hansen +Date: Wed, 11 Nov 2015 10:19:34 -0800 +Subject: x86/mpx: Fix 32-bit address space calculation + +From: Dave Hansen + +commit f3119b830264d89d216bfb378ab65065dffa02d9 upstream. + +I received a bug report that running 32-bit MPX binaries on +64-bit kernels was broken. I traced it down to this little code +snippet. We were switching our "number of bounds directory +entries" calculation correctly. But, we didn't switch the other +side of the calculation: the virtual space size. + +This meant that we were calculating an absurd size for +bd_entry_virt_space() on 32-bit because we used the 64-bit +virt_space. + +This was _also_ broken for 32-bit kernels running on 64-bit +hardware since boot_cpu_data.x86_virt_bits=48 even when running +in 32-bit mode. + +Correct that and properly handle all 3 possible cases: + + 1. 32-bit binary on 64-bit kernel + 2. 64-bit binary on 64-bit kernel + 3. 32-bit binary on 32-bit kernel + +This manifested in having bounds tables not properly unmapped. +It "leaked" memory but had no functional impact otherwise. + +Signed-off-by: Dave Hansen +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Dave Hansen +Cc: Denys Vlasenko +Cc: H. 
Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20151111181934.FA7FAC34@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/mpx.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +--- a/arch/x86/mm/mpx.c ++++ b/arch/x86/mm/mpx.c +@@ -722,11 +722,23 @@ static unsigned long mpx_get_bt_entry_of + */ + static inline unsigned long bd_entry_virt_space(struct mm_struct *mm) + { +- unsigned long long virt_space = (1ULL << boot_cpu_data.x86_virt_bits); +- if (is_64bit_mm(mm)) +- return virt_space / MPX_BD_NR_ENTRIES_64; +- else +- return virt_space / MPX_BD_NR_ENTRIES_32; ++ unsigned long long virt_space; ++ unsigned long long GB = (1ULL << 30); ++ ++ /* ++ * This covers 32-bit emulation as well as 32-bit kernels ++ * running on 64-bit harware. ++ */ ++ if (!is_64bit_mm(mm)) ++ return (4ULL * GB) / MPX_BD_NR_ENTRIES_32; ++ ++ /* ++ * 'x86_virt_bits' returns what the hardware is capable ++ * of, and returns the full >32-bit adddress space when ++ * running 32-bit kernels on 64-bit hardware. ++ */ ++ virt_space = (1ULL << boot_cpu_data.x86_virt_bits); ++ return virt_space / MPX_BD_NR_ENTRIES_64; + } + + /* diff --git a/queue-4.3/x86-setup-fix-low-identity-map-for-2gb-kernel-range.patch b/queue-4.3/x86-setup-fix-low-identity-map-for-2gb-kernel-range.patch new file mode 100644 index 00000000000..f6fd724fcc3 --- /dev/null +++ b/queue-4.3/x86-setup-fix-low-identity-map-for-2gb-kernel-range.patch 
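Review bot: In bd_entry_virt_space() the local `GB` is a mutable `unsigned long long` named like a macro, which makes `(4ULL * GB) / MPX_BD_NR_ENTRIES_32` a 64-bit division on a non-constant operand that a 32-bit build presumably only gets away with because the compiler folds it. Declaring it `const unsigned long long GB = (1ULL << 30);`, or using a `#define`, states the intent and does not depend on the optimizer. The two new comments also contain typos (`harware`, `adddress`) that are worth fixing while the lines are being touched.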
@@ -0,0 +1,41 @@ +From 68accac392d859d24adcf1be3a90e41f978bd54c Mon Sep 17 00:00:00 2001 +From: Krzysztof Mazur +Date: Fri, 6 Nov 2015 14:18:36 +0100 +Subject: x86/setup: Fix low identity map for >= 2GB kernel range + +From: Krzysztof Mazur + +commit 68accac392d859d24adcf1be3a90e41f978bd54c upstream. + +The commit f5f3497cad8c extended the low identity mapping. However, if +the kernel uses more than 2 GB (VMSPLIT_2G_OPT or VMSPLIT_1G memory +split), the normal memory mapping is overwritten by the low identity +mapping causing a crash. To avoid overwritting, limit the low identity +map to cover only memory before kernel range (PAGE_OFFSET). + +Fixes: f5f3497cad8c "x86/setup: Extend low identity map to cover whole kernel range +Signed-off-by: Krzysztof Mazur +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Laszlo Ersek +Cc: Matt Fleming +Cc: Paolo Bonzini +Link: http://lkml.kernel.org/r/1446815916-22105-1-git-send-email-krzysiek@podlesie.net +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/setup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -1180,7 +1180,7 @@ void __init setup_arch(char **cmdline_p) + */ + clone_pgd_range(initial_page_table, + swapper_pg_dir + KERNEL_PGD_BOUNDARY, +- KERNEL_PGD_PTRS); ++ min(KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY)); + #endif + + tboot_probe(); -- 2.47.2