From 531ef98437f4982e03c20b0193bcb2daf3d02738 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 10 Nov 2014 14:58:30 +0900 Subject: [PATCH] 3.17-stable patches added patches: cgroup-kmemleak-add-kmemleak_free-for-cgroup-deallocations.patch cpc925_edac-report-ue-events-properly.patch e7xxx_edac-report-ce-events-properly.patch ext3-don-t-check-quota-format-when-there-are-no-quota-files.patch i3200_edac-report-ce-events-properly.patch i82860_edac-report-ce-events-properly.patch iwlwifi-configure-the-ltr.patch iwlwifi-dvm-drop-non-vo-frames-when-flushing.patch iwlwifi-mvm-bt-coex-update-the-mplut-boost-register-value.patch lib-bitmap.c-fix-undefined-shift-in-__bitmap_shift_-left-right.patch lib-scatterlist-fix-memory-leak-with-scsi-mq.patch mac80211-fix-typo-in-starting-baserate-for-rts_cts_rate_idx.patch mm-balloon_compaction-fix-deflation-when-compaction-is-disabled.patch mm-free-compound-page-with-correct-order.patch mm-memcontrol-fix-missed-end-writeback-page-accounting.patch mm-page-writeback-inline-account_page_dirtied-into-single-caller.patch mtd-cfi_cmdset_0001.c-fix-resume-for-lh28f640bf-chips.patch nfsd4-fix-crash-on-unknown-operation-number.patch nfsd4-fix-response-size-estimation-for-op_sequence.patch pci-rename-sysfs-enabled-file-back-to-enable.patch pm-sleep-fix-async-suspend_late-freeze_late-error-handling.patch pm-sleep-fix-recovery-during-resuming-from-hibernation.patch posix-timers-fix-stack-info-leak-in-timer_create.patch quota-properly-return-errors-from-dquot_writeback_dquots.patch revert-iwlwifi-mvm-treat-eapols-like-mgmt-frames-wrt-rate.patch scsi-fix-error-handling-in-scsi_ioctl_send_command.patch scsi-set-req_queue-for-the-blk-mq-case.patch sh-fix-sh770x-scif-memory-regions.patch staging-comedi-fix-memory-leak-bad-pointer-freeing-for-chanlist.patch staging-comedi-regression-channel-list-must-be-set-for-comedi_cmd-ioctl.patch tty-fix-high-cpu-load-if-tty-is-unreleaseable.patch tty-vt-don-t-set-font-mappings-on-vc-not-supporting-this.patch x86-apic-handle-a-bad-tsc-more-gracefully.patch xhci-disable-streams-on-asmedia-1042-xhci-controllers.patch xhci-no-switching-back-on-non-ult-haswell.patch zap_pte_range-update-addr-when-forcing-flush-after-tlb-batching-faiure.patch --- ...emleak_free-for-cgroup-deallocations.patch | 80 ++++ ...pc925_edac-report-ue-events-properly.patch | 31 ++ ...e7xxx_edac-report-ce-events-properly.patch | 31 ++ ...format-when-there-are-no-quota-files.patch | 37 ++ ...i3200_edac-report-ce-events-properly.patch | 36 ++ ...82860_edac-report-ce-events-properly.patch | 31 ++ queue-3.17/iwlwifi-configure-the-ltr.patch | 168 +++++++ ...dvm-drop-non-vo-frames-when-flushing.patch | 94 ++++ ...pdate-the-mplut-boost-register-value.patch | 44 ++ ...-shift-in-__bitmap_shift_-left-right.patch | 50 ++ ...terlist-fix-memory-leak-with-scsi-mq.patch | 38 ++ ...arting-baserate-for-rts_cts_rate_idx.patch | 45 ++ ...eflation-when-compaction-is-disabled.patch | 42 ++ ...ree-compound-page-with-correct-order.patch | 61 +++ ...missed-end-writeback-page-accounting.patch | 453 ++++++++++++++++++ ...ount_page_dirtied-into-single-caller.patch | 73 +++ ...01.c-fix-resume-for-lh28f640bf-chips.patch | 42 ++ ...ix-crash-on-unknown-operation-number.patch | 34 ++ ...onse-size-estimation-for-op_sequence.patch | 43 ++ ...me-sysfs-enabled-file-back-to-enable.patch | 61 +++ ...pend_late-freeze_late-error-handling.patch | 40 ++ ...ery-during-resuming-from-hibernation.patch | 40 ++ ...-fix-stack-info-leak-in-timer_create.patch | 45 ++ ...n-errors-from-dquot_writeback_dquots.patch | 33 ++ ...eat-eapols-like-mgmt-frames-wrt-rate.patch | 75 +++ ...-handling-in-scsi_ioctl_send_command.patch | 47 ++ ...si-set-req_queue-for-the-blk-mq-case.patch | 63 +++ queue-3.17/series | 36 ++ .../sh-fix-sh770x-scif-memory-regions.patch | 55 +++ ...eak-bad-pointer-freeing-for-chanlist.patch | 54 +++ ...ist-must-be-set-for-comedi_cmd-ioctl.patch | 76 +++ ...igh-cpu-load-if-tty-is-unreleaseable.patch | 49 ++ ...t-mappings-on-vc-not-supporting-this.patch | 44 ++ ...pic-handle-a-bad-tsc-more-gracefully.patch | 74 +++ ...ams-on-asmedia-1042-xhci-controllers.patch | 44 ++ ...no-switching-back-on-non-ult-haswell.patch | 43 ++ ...cing-flush-after-tlb-batching-faiure.patch | 43 ++ 37 files changed, 2355 insertions(+) create mode 100644 queue-3.17/cgroup-kmemleak-add-kmemleak_free-for-cgroup-deallocations.patch create mode 100644 queue-3.17/cpc925_edac-report-ue-events-properly.patch create mode 100644 queue-3.17/e7xxx_edac-report-ce-events-properly.patch create mode 100644 queue-3.17/ext3-don-t-check-quota-format-when-there-are-no-quota-files.patch create mode 100644 queue-3.17/i3200_edac-report-ce-events-properly.patch create mode 100644 queue-3.17/i82860_edac-report-ce-events-properly.patch create mode 100644 queue-3.17/iwlwifi-configure-the-ltr.patch create mode 100644 queue-3.17/iwlwifi-dvm-drop-non-vo-frames-when-flushing.patch create mode 100644 queue-3.17/iwlwifi-mvm-bt-coex-update-the-mplut-boost-register-value.patch create mode 100644 queue-3.17/lib-bitmap.c-fix-undefined-shift-in-__bitmap_shift_-left-right.patch create mode 100644 queue-3.17/lib-scatterlist-fix-memory-leak-with-scsi-mq.patch create mode 100644 queue-3.17/mac80211-fix-typo-in-starting-baserate-for-rts_cts_rate_idx.patch create mode 100644 queue-3.17/mm-balloon_compaction-fix-deflation-when-compaction-is-disabled.patch create mode 100644 queue-3.17/mm-free-compound-page-with-correct-order.patch create mode 100644 queue-3.17/mm-memcontrol-fix-missed-end-writeback-page-accounting.patch create mode 100644 queue-3.17/mm-page-writeback-inline-account_page_dirtied-into-single-caller.patch create mode 100644 queue-3.17/mtd-cfi_cmdset_0001.c-fix-resume-for-lh28f640bf-chips.patch create mode 100644 queue-3.17/nfsd4-fix-crash-on-unknown-operation-number.patch create mode 100644 queue-3.17/nfsd4-fix-response-size-estimation-for-op_sequence.patch create mode 100644 queue-3.17/pci-rename-sysfs-enabled-file-back-to-enable.patch create mode 100644 queue-3.17/pm-sleep-fix-async-suspend_late-freeze_late-error-handling.patch create mode 100644 queue-3.17/pm-sleep-fix-recovery-during-resuming-from-hibernation.patch create mode 100644 queue-3.17/posix-timers-fix-stack-info-leak-in-timer_create.patch create mode 100644 queue-3.17/quota-properly-return-errors-from-dquot_writeback_dquots.patch create mode 100644 queue-3.17/revert-iwlwifi-mvm-treat-eapols-like-mgmt-frames-wrt-rate.patch create mode 100644 queue-3.17/scsi-fix-error-handling-in-scsi_ioctl_send_command.patch create mode 100644 queue-3.17/scsi-set-req_queue-for-the-blk-mq-case.patch create mode 100644 queue-3.17/sh-fix-sh770x-scif-memory-regions.patch create mode 100644 queue-3.17/staging-comedi-fix-memory-leak-bad-pointer-freeing-for-chanlist.patch create mode 100644 queue-3.17/staging-comedi-regression-channel-list-must-be-set-for-comedi_cmd-ioctl.patch create mode 100644 queue-3.17/tty-fix-high-cpu-load-if-tty-is-unreleaseable.patch create mode 100644 queue-3.17/tty-vt-don-t-set-font-mappings-on-vc-not-supporting-this.patch create mode 100644 queue-3.17/x86-apic-handle-a-bad-tsc-more-gracefully.patch create mode 100644 queue-3.17/xhci-disable-streams-on-asmedia-1042-xhci-controllers.patch create mode 100644 queue-3.17/xhci-no-switching-back-on-non-ult-haswell.patch create mode 100644 queue-3.17/zap_pte_range-update-addr-when-forcing-flush-after-tlb-batching-faiure.patch diff --git a/queue-3.17/cgroup-kmemleak-add-kmemleak_free-for-cgroup-deallocations.patch b/queue-3.17/cgroup-kmemleak-add-kmemleak_free-for-cgroup-deallocations.patch new file mode 100644 index 00000000000..afe0e6b013e --- /dev/null +++ b/queue-3.17/cgroup-kmemleak-add-kmemleak_free-for-cgroup-deallocations.patch @@ -0,0 +1,80 @@ +From 401507d67d5c2854f5a88b3f93f64fc6f267bca5 Mon Sep 17 00:00:00 2001 +From: Wang Nan +Date: Wed, 29 Oct 2014 14:50:18 -0700 +Subject: cgroup/kmemleak: add kmemleak_free() for cgroup deallocations. + +From: Wang Nan + +commit 401507d67d5c2854f5a88b3f93f64fc6f267bca5 upstream. + +Commit ff7ee93f4715 ("cgroup/kmemleak: Annotate alloc_page() for cgroup +allocations") introduces kmemleak_alloc() for alloc_page_cgroup(), but +corresponding kmemleak_free() is missing, which makes kmemleak be +wrongly disabled after memory offlining. Log is pasted at the end of +this commit message. + +This patch add kmemleak_free() into free_page_cgroup(). During page +offlining, this patch removes corresponding entries in kmemleak rbtree. +After that, the freed memory can be allocated again by other subsystems +without killing kmemleak. + + bash # for x in 1 2 3 4; do echo offline > /sys/devices/system/memory/memory$x/state ; sleep 1; done ; dmesg | grep leak + + Offlined Pages 32768 + kmemleak: Cannot insert 0xffff880016969000 into the object search tree (overlaps existing) + CPU: 0 PID: 412 Comm: sleep Not tainted 3.17.0-rc5+ #86 + Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 + Call Trace: + dump_stack+0x46/0x58 + create_object+0x266/0x2c0 + kmemleak_alloc+0x26/0x50 + kmem_cache_alloc+0xd3/0x160 + __sigqueue_alloc+0x49/0xd0 + __send_signal+0xcb/0x410 + send_signal+0x45/0x90 + __group_send_sig_info+0x13/0x20 + do_notify_parent+0x1bb/0x260 + do_exit+0x767/0xa40 + do_group_exit+0x44/0xa0 + SyS_exit_group+0x17/0x20 + system_call_fastpath+0x16/0x1b + + kmemleak: Kernel memory leak detector disabled + kmemleak: Object 0xffff880016900000 (size 524288): + kmemleak: comm "swapper/0", pid 0, jiffies 4294667296 + kmemleak: min_count = 0 + kmemleak: count = 0 + kmemleak: flags = 0x1 + kmemleak: checksum = 0 + kmemleak: backtrace: + log_early+0x63/0x77 + kmemleak_alloc+0x4b/0x50 + init_section_page_cgroup+0x7f/0xf5 + page_cgroup_init+0xc5/0xd0 + start_kernel+0x333/0x408 + x86_64_start_reservations+0x2a/0x2c + x86_64_start_kernel+0xf5/0xfc + +Fixes: ff7ee93f4715 (cgroup/kmemleak: Annotate alloc_page() for cgroup allocations) +Signed-off-by: Wang Nan +Acked-by: Johannes Weiner +Acked-by: Michal Hocko +Cc: Steven Rostedt +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page_cgroup.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/page_cgroup.c ++++ b/mm/page_cgroup.c +@@ -171,6 +171,7 @@ static void free_page_cgroup(void *addr) + sizeof(struct page_cgroup) * PAGES_PER_SECTION; + + BUG_ON(PageReserved(page)); ++ kmemleak_free(addr); + free_pages_exact(addr, table_size); + } + } diff --git a/queue-3.17/cpc925_edac-report-ue-events-properly.patch b/queue-3.17/cpc925_edac-report-ue-events-properly.patch new file mode 100644 index 00000000000..4f76000edc4 --- /dev/null +++ b/queue-3.17/cpc925_edac-report-ue-events-properly.patch @@ -0,0 +1,31 @@ +From fa19ac4b92bc2b5024af3e868f41f81fa738567a Mon Sep 17 00:00:00 2001 +From: Jason Baron +Date: Wed, 15 Oct 2014 20:47:28 +0000 +Subject: cpc925_edac: Report UE events properly + +From: Jason Baron + +commit fa19ac4b92bc2b5024af3e868f41f81fa738567a upstream. + +Fix UE event being reported as HW_EVENT_ERR_CORRECTED. + +Signed-off-by: Jason Baron +Link: http://lkml.kernel.org/r/8beb13803500076fef827eab33d523e355d83759.1413405053.git.jbaron@akamai.com +Signed-off-by: Borislav Petkov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/cpc925_edac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/edac/cpc925_edac.c ++++ b/drivers/edac/cpc925_edac.c +@@ -562,7 +562,7 @@ static void cpc925_mc_check(struct mem_c + + if (apiexcp & UECC_EXCP_DETECTED) { + cpc925_mc_printk(mci, KERN_INFO, "DRAM UECC Fault\n"); +- edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci, 1, ++ edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci, 1, + pfn, offset, 0, + csrow, -1, -1, + mci->ctl_name, ""); diff --git a/queue-3.17/e7xxx_edac-report-ce-events-properly.patch b/queue-3.17/e7xxx_edac-report-ce-events-properly.patch new file mode 100644 index 00000000000..f3fbaa687d1 --- /dev/null +++ b/queue-3.17/e7xxx_edac-report-ce-events-properly.patch @@ -0,0 +1,31 @@ +From 8030122a9ccf939186f8db96c318dbb99b5463f6 Mon Sep 17 00:00:00 2001 +From: Jason Baron +Date: Sat, 18 Oct 2014 16:06:32 +0200 +Subject: e7xxx_edac: Report CE events properly + +From: Jason Baron + +commit 8030122a9ccf939186f8db96c318dbb99b5463f6 upstream. + +Fix CE event being reported as HW_EVENT_ERR_UNCORRECTED. + +Signed-off-by: Jason Baron +Link: http://lkml.kernel.org/r/e6dd616f2cd51583a7e77af6f639b86313c74144.1413405053.git.jbaron@akamai.com +Signed-off-by: Borislav Petkov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/e7xxx_edac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/edac/e7xxx_edac.c ++++ b/drivers/edac/e7xxx_edac.c +@@ -226,7 +226,7 @@ static void process_ce(struct mem_ctl_in + static void process_ce_no_info(struct mem_ctl_info *mci) + { + edac_dbg(3, "\n"); +- edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci, 1, 0, 0, 0, -1, -1, -1, ++ edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci, 1, 0, 0, 0, -1, -1, -1, + "e7xxx CE log register overflow", ""); + } + diff --git a/queue-3.17/ext3-don-t-check-quota-format-when-there-are-no-quota-files.patch b/queue-3.17/ext3-don-t-check-quota-format-when-there-are-no-quota-files.patch new file mode 100644 index 00000000000..c7597f44c04 --- /dev/null +++ b/queue-3.17/ext3-don-t-check-quota-format-when-there-are-no-quota-files.patch @@ -0,0 +1,37 @@ +From 7938db449bbc55bbeb164bec7af406212e7e98f1 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 16 Sep 2014 22:23:10 +0200 +Subject: ext3: Don't check quota format when there are no quota files + +From: Jan Kara + +commit 7938db449bbc55bbeb164bec7af406212e7e98f1 upstream. + +The check whether quota format is set even though there are no +quota files with journalled quota is pointless and it actually +makes it impossible to turn off journalled quotas (as there's +no way to unset journalled quota format). Just remove the check. + +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext3/super.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/fs/ext3/super.c ++++ b/fs/ext3/super.c +@@ -1354,13 +1354,6 @@ set_qf_format: + "not specified."); + return 0; + } +- } else { +- if (sbi->s_jquota_fmt) { +- ext3_msg(sb, KERN_ERR, "error: journaled quota format " +- "specified with no journaling " +- "enabled."); +- return 0; +- } + } + #endif + return 1; diff --git a/queue-3.17/i3200_edac-report-ce-events-properly.patch b/queue-3.17/i3200_edac-report-ce-events-properly.patch new file mode 100644 index 00000000000..d34a82dc760 --- /dev/null +++ b/queue-3.17/i3200_edac-report-ce-events-properly.patch @@ -0,0 +1,36 @@ +From 8a3f075d6c9b3612b4a5fb2af8db82b38b20caf0 Mon Sep 17 00:00:00 2001 +From: Jason Baron +Date: Wed, 15 Oct 2014 20:47:21 +0000 +Subject: i3200_edac: Report CE events properly + +From: Jason Baron + +commit 8a3f075d6c9b3612b4a5fb2af8db82b38b20caf0 upstream. + +Fix CE event being reported as HW_EVENT_ERR_UNCORRECTED. + +Signed-off-by: Jason Baron +Link: http://lkml.kernel.org/r/d02465b4f30314b390c12c061502eda5e9d29c52.1413405053.git.jbaron@akamai.com +Signed-off-by: Borislav Petkov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/i3200_edac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/edac/i3200_edac.c ++++ b/drivers/edac/i3200_edac.c +@@ -242,11 +242,11 @@ static void i3200_process_error_info(str + -1, -1, + "i3000 UE", ""); + } else if (log & I3200_ECCERRLOG_CE) { +- edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci, 1, ++ edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci, 1, + 0, 0, eccerrlog_syndrome(log), + eccerrlog_row(channel, log), + -1, -1, +- "i3000 UE", ""); ++ "i3000 CE", ""); + } + } + } diff --git a/queue-3.17/i82860_edac-report-ce-events-properly.patch b/queue-3.17/i82860_edac-report-ce-events-properly.patch new file mode 100644 index 00000000000..ba7ae7c8415 --- /dev/null +++ b/queue-3.17/i82860_edac-report-ce-events-properly.patch @@ -0,0 +1,31 @@ +From ab0543de6ff0877474f57a5aafbb51a61e88676f Mon Sep 17 00:00:00 2001 +From: Jason Baron +Date: Wed, 15 Oct 2014 20:47:24 +0000 +Subject: i82860_edac: Report CE events properly + +From: Jason Baron + +commit ab0543de6ff0877474f57a5aafbb51a61e88676f upstream. + +Fix CE event being reported as HW_EVENT_ERR_UNCORRECTED. + +Signed-off-by: Jason Baron +Link: http://lkml.kernel.org/r/7aee8e244a32ff86b399a8f966c4aae70296aae0.1413405053.git.jbaron@akamai.com +Signed-off-by: Borislav Petkov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/i82860_edac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/edac/i82860_edac.c ++++ b/drivers/edac/i82860_edac.c +@@ -124,7 +124,7 @@ static int i82860_process_error_info(str + dimm->location[0], dimm->location[1], -1, + "i82860 UE", ""); + else +- edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci, 1, ++ edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci, 1, + info->eap, 0, info->derrsyn, + dimm->location[0], dimm->location[1], -1, + "i82860 CE", ""); diff --git a/queue-3.17/iwlwifi-configure-the-ltr.patch b/queue-3.17/iwlwifi-configure-the-ltr.patch new file mode 100644 index 00000000000..8ae00cd6a78 --- /dev/null +++ b/queue-3.17/iwlwifi-configure-the-ltr.patch @@ -0,0 +1,168 @@ +From 9180ac50716a097a407c6d7e7e4589754a922260 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Tue, 23 Sep 2014 23:02:41 +0300 +Subject: iwlwifi: configure the LTR + +From: Emmanuel Grumbach + +commit 9180ac50716a097a407c6d7e7e4589754a922260 upstream. + +The LTR is the handshake between the device and the root +complex about the latency allowed when the bus exits power +save. This configuration was missing and this led to high +latency in the link power up. The end user could experience +high latency in the network because of this. + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/iwl-trans.h | 2 + + drivers/net/wireless/iwlwifi/mvm/fw-api-power.h | 35 +++++++++++++++++++++++- + drivers/net/wireless/iwlwifi/mvm/fw-api.h | 1 + drivers/net/wireless/iwlwifi/mvm/fw.c | 9 ++++++ + drivers/net/wireless/iwlwifi/mvm/ops.c | 1 + drivers/net/wireless/iwlwifi/pcie/trans.c | 16 ++++++---- + 6 files changed, 56 insertions(+), 8 deletions(-) + +--- a/drivers/net/wireless/iwlwifi/iwl-trans.h ++++ b/drivers/net/wireless/iwlwifi/iwl-trans.h +@@ -548,6 +548,7 @@ enum iwl_trans_state { + * Set during transport allocation. + * @hw_id_str: a string with info about HW ID. Set during transport allocation. + * @pm_support: set to true in start_hw if link pm is supported ++ * @ltr_enabled: set to true if the LTR is enabled + * @dev_cmd_pool: pool for Tx cmd allocation - for internal use only. + * The user should use iwl_trans_{alloc,free}_tx_cmd. + * @dev_cmd_headroom: room needed for the transport's private use before the +@@ -574,6 +575,7 @@ struct iwl_trans { + u8 rx_mpdu_cmd, rx_mpdu_cmd_hdr_size; + + bool pm_support; ++ bool ltr_enabled; + + /* The following fields are internal only */ + struct kmem_cache *dev_cmd_pool; +--- a/drivers/net/wireless/iwlwifi/mvm/fw-api-power.h ++++ b/drivers/net/wireless/iwlwifi/mvm/fw-api-power.h +@@ -66,13 +66,46 @@ + + /* Power Management Commands, Responses, Notifications */ + ++/** ++ * enum iwl_ltr_config_flags - masks for LTR config command flags ++ * @LTR_CFG_FLAG_FEATURE_ENABLE: Feature operational status ++ * @LTR_CFG_FLAG_HW_DIS_ON_SHADOW_REG_ACCESS: allow LTR change on shadow ++ * memory access ++ * @LTR_CFG_FLAG_HW_EN_SHRT_WR_THROUGH: allow LTR msg send on ANY LTR ++ * reg change ++ * @LTR_CFG_FLAG_HW_DIS_ON_D0_2_D3: allow LTR msg send on transition from ++ * D0 to D3 ++ * @LTR_CFG_FLAG_SW_SET_SHORT: fixed static short LTR register ++ * @LTR_CFG_FLAG_SW_SET_LONG: fixed static short LONG register ++ * @LTR_CFG_FLAG_DENIE_C10_ON_PD: allow going into C10 on PD ++ */ ++enum iwl_ltr_config_flags { ++ LTR_CFG_FLAG_FEATURE_ENABLE = BIT(0), ++ LTR_CFG_FLAG_HW_DIS_ON_SHADOW_REG_ACCESS = BIT(1), ++ LTR_CFG_FLAG_HW_EN_SHRT_WR_THROUGH = BIT(2), ++ LTR_CFG_FLAG_HW_DIS_ON_D0_2_D3 = BIT(3), ++ LTR_CFG_FLAG_SW_SET_SHORT = BIT(4), ++ LTR_CFG_FLAG_SW_SET_LONG = BIT(5), ++ LTR_CFG_FLAG_DENIE_C10_ON_PD = BIT(6), ++}; ++ ++/** ++ * struct iwl_ltr_config_cmd - configures the LTR ++ * @flags: See %enum iwl_ltr_config_flags ++ */ ++struct iwl_ltr_config_cmd { ++ __le32 flags; ++ __le32 static_long; ++ __le32 static_short; ++} __packed; ++ + /* Radio LP RX Energy Threshold measured in dBm */ + #define POWER_LPRX_RSSI_THRESHOLD 75 + #define POWER_LPRX_RSSI_THRESHOLD_MAX 94 + #define POWER_LPRX_RSSI_THRESHOLD_MIN 30 + + /** +- * enum iwl_scan_flags - masks for power table command flags ++ * enum iwl_power_flags - masks for power table command flags + * @POWER_FLAGS_POWER_SAVE_ENA_MSK: '1' Allow to save power by turning off + * receiver and transmitter. '0' - does not allow. + * @POWER_FLAGS_POWER_MANAGEMENT_ENA_MSK: '0' Driver disables power management, +--- a/drivers/net/wireless/iwlwifi/mvm/fw-api.h ++++ b/drivers/net/wireless/iwlwifi/mvm/fw-api.h +@@ -148,6 +148,7 @@ enum { + /* Power - legacy power table command */ + POWER_TABLE_CMD = 0x77, + PSM_UAPSD_AP_MISBEHAVING_NOTIFICATION = 0x78, ++ LTR_CONFIG = 0xee, + + /* Thermal Throttling*/ + REPLY_THERMAL_MNG_BACKOFF = 0x7e, +--- a/drivers/net/wireless/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/iwlwifi/mvm/fw.c +@@ -475,6 +475,15 @@ int iwl_mvm_up(struct iwl_mvm *mvm) + /* Initialize tx backoffs to the minimal possible */ + iwl_mvm_tt_tx_backoff(mvm, 0); + ++ if (mvm->trans->ltr_enabled) { ++ struct iwl_ltr_config_cmd cmd = { ++ .flags = cpu_to_le32(LTR_CFG_FLAG_FEATURE_ENABLE), ++ }; ++ ++ WARN_ON(iwl_mvm_send_cmd_pdu(mvm, LTR_CONFIG, 0, ++ sizeof(cmd), &cmd)); ++ } ++ + ret = iwl_mvm_power_update_device(mvm); + if (ret) + goto error; +--- a/drivers/net/wireless/iwlwifi/mvm/ops.c ++++ b/drivers/net/wireless/iwlwifi/mvm/ops.c +@@ -332,6 +332,7 @@ static const char *const iwl_mvm_cmd_str + CMD(REPLY_BEACON_FILTERING_CMD), + CMD(REPLY_THERMAL_MNG_BACKOFF), + CMD(MAC_PM_POWER_TABLE), ++ CMD(LTR_CONFIG), + CMD(BT_COEX_CI), + CMD(BT_COEX_UPDATE_SW_BOOST), + CMD(BT_COEX_UPDATE_CORUN_LUT), +--- a/drivers/net/wireless/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/iwlwifi/pcie/trans.c +@@ -172,6 +172,7 @@ static void iwl_pcie_apm_config(struct i + { + struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans); + u16 lctl; ++ u16 cap; + + /* + * HW bug W/A for instability in PCIe bus L0S->L1 transition. +@@ -182,16 +183,17 @@ static void iwl_pcie_apm_config(struct i + * power savings, even without L1. + */ + pcie_capability_read_word(trans_pcie->pci_dev, PCI_EXP_LNKCTL, &lctl); +- if (lctl & PCI_EXP_LNKCTL_ASPM_L1) { +- /* L1-ASPM enabled; disable(!) L0S */ ++ if (lctl & PCI_EXP_LNKCTL_ASPM_L1) + iwl_set_bit(trans, CSR_GIO_REG, CSR_GIO_REG_VAL_L0S_ENABLED); +- dev_info(trans->dev, "L1 Enabled; Disabling L0S\n"); +- } else { +- /* L1-ASPM disabled; enable(!) L0S */ ++ else + iwl_clear_bit(trans, CSR_GIO_REG, CSR_GIO_REG_VAL_L0S_ENABLED); +- dev_info(trans->dev, "L1 Disabled; Enabling L0S\n"); +- } + trans->pm_support = !(lctl & PCI_EXP_LNKCTL_ASPM_L0S); ++ ++ pcie_capability_read_word(trans_pcie->pci_dev, PCI_EXP_DEVCTL2, &cap); ++ trans->ltr_enabled = cap & PCI_EXP_DEVCTL2_LTR_EN; ++ dev_info(trans->dev, "L1 %sabled - LTR %sabled\n", ++ (lctl & PCI_EXP_LNKCTL_ASPM_L1) ? "En" : "Dis", ++ trans->ltr_enabled ? "En" : "Dis"); + } + + /* diff --git a/queue-3.17/iwlwifi-dvm-drop-non-vo-frames-when-flushing.patch b/queue-3.17/iwlwifi-dvm-drop-non-vo-frames-when-flushing.patch new file mode 100644 index 00000000000..3bf75be3411 --- /dev/null +++ b/queue-3.17/iwlwifi-dvm-drop-non-vo-frames-when-flushing.patch @@ -0,0 +1,94 @@ +From a0855054e59b0c5b2b00237fdb5147f7bcc18efb Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Sun, 5 Oct 2014 09:11:14 +0300 +Subject: iwlwifi: dvm: drop non VO frames when flushing + +From: Emmanuel Grumbach + +commit a0855054e59b0c5b2b00237fdb5147f7bcc18efb upstream. + +When mac80211 wants to ensure that a frame is sent, it calls +the flush() callback. Until now, iwldvm implemented this by +waiting that all the frames are sent (ACKed or timeout). +In case of weak signal, this can take a significant amount +of time, delaying the next connection (in case of roaming). +Many users have reported that the flush would take too long +leading to the following error messages to be printed: + +iwlwifi 0000:03:00.0: fail to flush all tx fifo queues Q 2 +iwlwifi 0000:03:00.0: Current SW read_ptr 161 write_ptr 201 +iwl data: 00000000: 00 00 00 00 00 00 00 00 fe ff 01 00 00 00 00 00 +[snip] +iwlwifi 0000:03:00.0: FH TRBs(0) = 0x00000000 +[snip] +iwlwifi 0000:03:00.0: Q 0 is active and mapped to fifo 3 ra_tid 0x0000 [9,9] +[snip] + +Instead of waiting for these packets, simply drop them. This +significantly improves the responsiveness of the network. +Note that all the queues are flushed, but the VO one. This +is not typically used by the applications and it likely +contains management frames that are useful for connection +or roaming. + +This bug is tracked here: +https://bugzilla.kernel.org/show_bug.cgi?id=56581 + +But it is duplicated in distributions' trackers. +A simple search in Ubuntu's database led to these bugs: + +https://bugs.launchpad.net/ubuntu/+source/linux-firmware/+bug/1270808 +https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1305406 +https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1356236 +https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1360597 +https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1361809 + +Depends-on: 77be2c54c5bd ("mac80211: add vif to flush call") +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/dvm/mac80211.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +--- a/drivers/net/wireless/iwlwifi/dvm/mac80211.c ++++ b/drivers/net/wireless/iwlwifi/dvm/mac80211.c +@@ -1095,6 +1095,7 @@ static void iwlagn_mac_flush(struct ieee + u32 queues, bool drop) + { + struct iwl_priv *priv = IWL_MAC80211_GET_DVM(hw); ++ u32 scd_queues; + + mutex_lock(&priv->mutex); + IWL_DEBUG_MAC80211(priv, "enter\n"); +@@ -1108,18 +1109,19 @@ static void iwlagn_mac_flush(struct ieee + goto done; + } + +- /* +- * mac80211 will not push any more frames for transmit +- * until the flush is completed +- */ +- if (drop) { +- IWL_DEBUG_MAC80211(priv, "send flush command\n"); +- if (iwlagn_txfifo_flush(priv, 0)) { +- IWL_ERR(priv, "flush request fail\n"); +- goto done; +- } ++ scd_queues = BIT(priv->cfg->base_params->num_of_queues) - 1; ++ scd_queues &= ~(BIT(IWL_IPAN_CMD_QUEUE_NUM) | ++ BIT(IWL_DEFAULT_CMD_QUEUE_NUM)); ++ ++ if (vif) ++ scd_queues &= ~BIT(vif->hw_queue[IEEE80211_AC_VO]); ++ ++ IWL_DEBUG_TX_QUEUES(priv, "Flushing SCD queues: 0x%x\n", scd_queues); ++ if (iwlagn_txfifo_flush(priv, scd_queues)) { ++ IWL_ERR(priv, "flush request fail\n"); ++ goto done; + } +- IWL_DEBUG_MAC80211(priv, "wait transmit/flush all frames\n"); ++ IWL_DEBUG_TX_QUEUES(priv, "wait transmit/flush all frames\n"); + iwl_trans_wait_tx_queue_empty(priv->trans, 0xffffffff); + done: + mutex_unlock(&priv->mutex); diff --git a/queue-3.17/iwlwifi-mvm-bt-coex-update-the-mplut-boost-register-value.patch b/queue-3.17/iwlwifi-mvm-bt-coex-update-the-mplut-boost-register-value.patch new file mode 100644 index 00000000000..d470db65768 --- /dev/null +++ b/queue-3.17/iwlwifi-mvm-bt-coex-update-the-mplut-boost-register-value.patch @@ -0,0 +1,44 @@ +From d14b28fd2c61af0bf310230472e342864d799c98 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Mon, 22 Sep 2014 16:12:24 +0300 +Subject: iwlwifi: mvm: BT Coex - update the MPLUT Boost register value + +From: Emmanuel Grumbach + +commit d14b28fd2c61af0bf310230472e342864d799c98 upstream. + +Fixes: 2adc8949efab ("iwlwifi: mvm: BT Coex - fix boost register / LUT values") +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/mvm/coex.c | 4 ++-- + drivers/net/wireless/iwlwifi/mvm/coex_legacy.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/iwlwifi/mvm/coex.c ++++ b/drivers/net/wireless/iwlwifi/mvm/coex.c +@@ -301,8 +301,8 @@ static const __le64 iwl_ci_mask[][3] = { + }; + + static const __le32 iwl_bt_mprio_lut[BT_COEX_MULTI_PRIO_LUT_SIZE] = { +- cpu_to_le32(0x28412201), +- cpu_to_le32(0x11118451), ++ cpu_to_le32(0x2e402280), ++ cpu_to_le32(0x7711a751), + }; + + struct corunning_block_luts { +--- a/drivers/net/wireless/iwlwifi/mvm/coex_legacy.c ++++ b/drivers/net/wireless/iwlwifi/mvm/coex_legacy.c +@@ -289,8 +289,8 @@ static const __le64 iwl_ci_mask[][3] = { + }; + + static const __le32 iwl_bt_mprio_lut[BT_COEX_MULTI_PRIO_LUT_SIZE] = { +- cpu_to_le32(0x28412201), +- cpu_to_le32(0x11118451), ++ cpu_to_le32(0x2e402280), ++ cpu_to_le32(0x7711a751), + }; + + struct corunning_block_luts { diff --git a/queue-3.17/lib-bitmap.c-fix-undefined-shift-in-__bitmap_shift_-left-right.patch b/queue-3.17/lib-bitmap.c-fix-undefined-shift-in-__bitmap_shift_-left-right.patch new file mode 100644 index 00000000000..5016017ebd3 --- /dev/null +++ b/queue-3.17/lib-bitmap.c-fix-undefined-shift-in-__bitmap_shift_-left-right.patch @@ -0,0 +1,50 @@ +From ea5d05b34aca25c066e0699512d0ffbd8ee6ac3e Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 29 Oct 2014 14:50:44 -0700 +Subject: lib/bitmap.c: fix undefined shift in __bitmap_shift_{left|right}() + +From: Jan Kara + +commit ea5d05b34aca25c066e0699512d0ffbd8ee6ac3e upstream. + +If __bitmap_shift_left() or __bitmap_shift_right() are asked to shift by +a multiple of BITS_PER_LONG, they will try to shift a long value by +BITS_PER_LONG bits which is undefined. Change the functions to avoid +the undefined shift. + +Coverity id: 1192175 +Coverity id: 1192174 +Signed-off-by: Jan Kara +Cc: Rasmus Villemoes +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + lib/bitmap.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/lib/bitmap.c ++++ b/lib/bitmap.c +@@ -131,7 +131,9 @@ void __bitmap_shift_right(unsigned long + lower = src[off + k]; + if (left && off + k == lim - 1) + lower &= mask; +- dst[k] = upper << (BITS_PER_LONG - rem) | lower >> rem; ++ dst[k] = lower >> rem; ++ if (rem) ++ dst[k] |= upper << (BITS_PER_LONG - rem); + if (left && k == lim - 1) + dst[k] &= mask; + } +@@ -172,7 +174,9 @@ void __bitmap_shift_left(unsigned long * + upper = src[k]; + if (left && k == lim - 1) + upper &= (1UL << left) - 1; +- dst[k + off] = lower >> (BITS_PER_LONG - rem) | upper << rem; ++ dst[k + off] = upper << rem; ++ if (rem) ++ dst[k + off] |= lower >> (BITS_PER_LONG - rem); + if (left && k + off == lim - 1) + dst[k + off] &= (1UL << left) - 1; + } diff --git a/queue-3.17/lib-scatterlist-fix-memory-leak-with-scsi-mq.patch b/queue-3.17/lib-scatterlist-fix-memory-leak-with-scsi-mq.patch new file mode 100644 index 00000000000..57e8c94802e --- /dev/null +++ b/queue-3.17/lib-scatterlist-fix-memory-leak-with-scsi-mq.patch @@ -0,0 +1,38 @@ +From c21e59d8dc04b2107bdb4ff0f412a9b7ae3349f3 Mon Sep 17 00:00:00 2001 +From: Tony Battersby +Date: Thu, 23 Oct 2014 15:10:21 -0400 +Subject: lib/scatterlist: fix memory leak with scsi-mq + +From: Tony Battersby + +commit c21e59d8dc04b2107bdb4ff0f412a9b7ae3349f3 upstream. + +Fix a memory leak with scsi-mq triggered by commands with large data +transfer length. + +Fixes: c53c6d6a68b1 ("scatterlist: allow chaining to preallocated chunks") +Signed-off-by: Tony Battersby +Reviewed-by: Martin K. Petersen +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + lib/scatterlist.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/lib/scatterlist.c ++++ b/lib/scatterlist.c +@@ -203,10 +203,10 @@ void __sg_free_table(struct sg_table *ta + } + + table->orig_nents -= sg_size; +- if (!skip_first_chunk) { +- free_fn(sgl, alloc_size); ++ if (skip_first_chunk) + skip_first_chunk = false; +- } ++ else ++ free_fn(sgl, alloc_size); + sgl = next; + } + diff --git a/queue-3.17/mac80211-fix-typo-in-starting-baserate-for-rts_cts_rate_idx.patch b/queue-3.17/mac80211-fix-typo-in-starting-baserate-for-rts_cts_rate_idx.patch new file mode 100644 index 00000000000..4879203bea8 --- /dev/null +++ b/queue-3.17/mac80211-fix-typo-in-starting-baserate-for-rts_cts_rate_idx.patch @@ -0,0 +1,45 @@ +From c7abf25af0f41be4b50d44c5b185d52eea360cb8 Mon Sep 17 00:00:00 2001 +From: Karl Beldan +Date: Mon, 13 Oct 2014 14:34:41 +0200 +Subject: mac80211: fix typo in starting baserate for rts_cts_rate_idx + +From: Karl Beldan + +commit c7abf25af0f41be4b50d44c5b185d52eea360cb8 upstream. + +It affects non-(V)HT rates and can lead to selecting an rts_cts rate +that is not a basic rate or way superior to the reference rate (ATM +rates[0] used for the 1st attempt of the protected frame data). + +E.g, assuming drivers register growing (bitrate) sorted tables of +ieee80211_rate-s, having : +- rates[0].idx == d'2 and basic_rates == b'10100 +will select rts_cts idx b'10011 & ~d'(BIT(2)-1), i.e. 1, likewise +- rates[0].idx == d'2 and basic_rates == b'10001 +will select rts_cts idx b'10000 +The first is not a basic rate and the second is > rates[0]. + +Also, wrt severity of the addressed misbehavior, ATM we only have one +rts_cts_rate_idx rather than one per rate table entry, so this idx might +still point to bitrates > rates[1..MAX_RATES]. + +Fixes: 5253ffb8c9e1 ("mac80211: always pick a basic rate to tx RTS/CTS for pre-HT rates") +Signed-off-by: Karl Beldan +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/rate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/rate.c ++++ b/net/mac80211/rate.c +@@ -448,7 +448,7 @@ static void rate_fixup_ratelist(struct i + */ + if (!(rates[0].flags & IEEE80211_TX_RC_MCS)) { + u32 basic_rates = vif->bss_conf.basic_rates; +- s8 baserate = basic_rates ? ffs(basic_rates - 1) : 0; ++ s8 baserate = basic_rates ? ffs(basic_rates) - 1 : 0; + + rate = &sband->bitrates[rates[0].idx]; + diff --git a/queue-3.17/mm-balloon_compaction-fix-deflation-when-compaction-is-disabled.patch b/queue-3.17/mm-balloon_compaction-fix-deflation-when-compaction-is-disabled.patch new file mode 100644 index 00000000000..c911cba1896 --- /dev/null +++ b/queue-3.17/mm-balloon_compaction-fix-deflation-when-compaction-is-disabled.patch @@ -0,0 +1,42 @@ +From 4d88e6f7d5ffc84e6094a47925870f4a130555c2 Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Wed, 29 Oct 2014 14:51:02 -0700 +Subject: mm/balloon_compaction: fix deflation when compaction is disabled + +From: Konstantin Khlebnikov + +commit 4d88e6f7d5ffc84e6094a47925870f4a130555c2 upstream. + +If CONFIG_BALLOON_COMPACTION=n balloon_page_insert() does not link pages +with balloon and doesn't set PagePrivate flag, as a result +balloon_page_dequeue() cannot get any pages because it thinks that all +of them are isolated. Without balloon compaction nobody can isolate +ballooned pages. It's safe to remove this check. + +Fixes: d6d86c0a7f8d ("mm/balloon_compaction: redesign ballooned pages management"). +Signed-off-by: Konstantin Khlebnikov +Reported-by: Matt Mullins +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/balloon_compaction.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/mm/balloon_compaction.c ++++ b/mm/balloon_compaction.c +@@ -93,11 +93,13 @@ struct page *balloon_page_dequeue(struct + * to be released by the balloon driver. + */ + if (trylock_page(page)) { ++#ifdef CONFIG_BALLOON_COMPACTION + if (!PagePrivate(page)) { + /* raced with isolation */ + unlock_page(page); + continue; + } ++#endif + spin_lock_irqsave(&b_dev_info->pages_lock, flags); + balloon_page_delete(page); + spin_unlock_irqrestore(&b_dev_info->pages_lock, flags); diff --git a/queue-3.17/mm-free-compound-page-with-correct-order.patch b/queue-3.17/mm-free-compound-page-with-correct-order.patch new file mode 100644 index 00000000000..402675b9157 --- /dev/null +++ b/queue-3.17/mm-free-compound-page-with-correct-order.patch @@ -0,0 +1,61 @@ +From 5ddacbe92b806cd5b4f8f154e8e46ac267fff55c Mon Sep 17 00:00:00 2001 +From: Yu Zhao +Date: Wed, 29 Oct 2014 14:50:26 -0700 +Subject: mm: free compound page with correct order + +From: Yu Zhao + +commit 5ddacbe92b806cd5b4f8f154e8e46ac267fff55c upstream. + +Compound page should be freed by put_page() or free_pages() with correct +order. Not doing so will cause tail pages leaked. + +The compound order can be obtained by compound_order() or use +HPAGE_PMD_ORDER in our case. Some people would argue the latter is +faster but I prefer the former which is more general. + +This bug was observed not just on our servers (the worst case we saw is +11G leaked on a 48G machine) but also on our workstations running Ubuntu +based distro. + + $ cat /proc/vmstat | grep thp_zero_page_alloc + thp_zero_page_alloc 55 + thp_zero_page_alloc_failed 0 + +This means there is (thp_zero_page_alloc - 1) * (2M - 4K) memory leaked. + +Fixes: 97ae17497e99 ("thp: implement refcounting for huge zero page") +Signed-off-by: Yu Zhao +Acked-by: Kirill A. Shutemov +Cc: Andrea Arcangeli +Cc: Mel Gorman +Cc: David Rientjes +Cc: Bob Liu +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/huge_memory.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -200,7 +200,7 @@ retry: + preempt_disable(); + if (cmpxchg(&huge_zero_page, NULL, zero_page)) { + preempt_enable(); +- __free_page(zero_page); ++ __free_pages(zero_page, compound_order(zero_page)); + goto retry; + } + +@@ -232,7 +232,7 @@ static unsigned long shrink_huge_zero_pa + if (atomic_cmpxchg(&huge_zero_refcount, 1, 0) == 1) { + struct page *zero_page = xchg(&huge_zero_page, NULL); + BUG_ON(zero_page == NULL); +- __free_page(zero_page); ++ __free_pages(zero_page, compound_order(zero_page)); + return HPAGE_PMD_NR; + } + diff --git a/queue-3.17/mm-memcontrol-fix-missed-end-writeback-page-accounting.patch b/queue-3.17/mm-memcontrol-fix-missed-end-writeback-page-accounting.patch new file mode 100644 index 00000000000..bbe2e2c0373 --- /dev/null +++ b/queue-3.17/mm-memcontrol-fix-missed-end-writeback-page-accounting.patch @@ -0,0 +1,453 @@ +From d7365e783edb858279be1d03f61bc8d5d3383d90 Mon Sep 17 00:00:00 2001 +From: Johannes Weiner +Date: Wed, 29 Oct 2014 14:50:48 -0700 +Subject: mm: memcontrol: fix missed end-writeback page accounting + +From: Johannes Weiner + +commit d7365e783edb858279be1d03f61bc8d5d3383d90 upstream. + +Commit 0a31bc97c80c ("mm: memcontrol: rewrite uncharge API") changed +page migration to uncharge the old page right away. The page is locked, +unmapped, truncated, and off the LRU, but it could race with writeback +ending, which then doesn't unaccount the page properly: + +test_clear_page_writeback() migration + wait_on_page_writeback() + TestClearPageWriteback() + mem_cgroup_migrate() + clear PCG_USED + mem_cgroup_update_page_stat() + if (PageCgroupUsed(pc)) + decrease memcg pages under writeback + + release pc->mem_cgroup->move_lock + +The per-page statistics interface is heavily optimized to avoid a +function call and a lookup_page_cgroup() in the file unmap fast path, +which means it doesn't verify whether a page is still charged before +clearing PageWriteback() and it has to do it in the stat update later. + +Rework it so that it looks up the page's memcg once at the beginning of +the transaction and then uses it throughout. The charge will be +verified before clearing PageWriteback() and migration can't uncharge +the page as long as that is still set. The RCU lock will protect the +memcg past uncharge. + +As far as losing the optimization goes, the following test results are +from a microbenchmark that maps, faults, and unmaps a 4GB sparse file +three times in a nested fashion, so that there are two negative passes +that don't account but still go through the new transaction overhead. +There is no actual difference: + + old: 33.195102545 seconds time elapsed ( +- 0.01% ) + new: 33.199231369 seconds time elapsed ( +- 0.03% ) + +The time spent in page_remove_rmap()'s callees still adds up to the +same, but the time spent in the function itself seems reduced: + + # Children Self Command Shared Object Symbol + old: 0.12% 0.11% filemapstress [kernel.kallsyms] [k] page_remove_rmap + new: 0.12% 0.08% filemapstress [kernel.kallsyms] [k] page_remove_rmap + +Signed-off-by: Johannes Weiner +Acked-by: Michal Hocko +Cc: Vladimir Davydov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/memcontrol.h | 56 ++++++--------------- + mm/memcontrol.c | 115 ++++++++++++++++++++++++--------------------- + mm/page-writeback.c | 22 ++++---- + mm/rmap.c | 20 +++---- + 4 files changed, 100 insertions(+), 113 deletions(-) + +--- a/include/linux/memcontrol.h ++++ b/include/linux/memcontrol.h +@@ -139,48 +139,23 @@ static inline bool mem_cgroup_disabled(v + return false; + } + +-void __mem_cgroup_begin_update_page_stat(struct page *page, bool *locked, +- unsigned long *flags); ++struct mem_cgroup *mem_cgroup_begin_page_stat(struct page *page, bool *locked, ++ unsigned long *flags); ++void mem_cgroup_end_page_stat(struct mem_cgroup *memcg, bool locked, ++ unsigned long flags); ++void mem_cgroup_update_page_stat(struct mem_cgroup *memcg, ++ enum mem_cgroup_stat_index idx, int val); + +-extern atomic_t memcg_moving; +- +-static inline void mem_cgroup_begin_update_page_stat(struct page *page, +- bool *locked, unsigned long *flags) +-{ +- if (mem_cgroup_disabled()) +- return; +- rcu_read_lock(); +- *locked = false; +- if (atomic_read(&memcg_moving)) +- __mem_cgroup_begin_update_page_stat(page, locked, flags); +-} +- +-void __mem_cgroup_end_update_page_stat(struct page *page, +- unsigned long *flags); +-static inline void mem_cgroup_end_update_page_stat(struct page *page, +- bool *locked, unsigned long *flags) +-{ +- if (mem_cgroup_disabled()) +- return; +- if (*locked) +- __mem_cgroup_end_update_page_stat(page, flags); +- rcu_read_unlock(); +-} +- +-void mem_cgroup_update_page_stat(struct page *page, +- enum mem_cgroup_stat_index idx, +- int val); +- +-static inline void mem_cgroup_inc_page_stat(struct page *page, ++static inline void mem_cgroup_inc_page_stat(struct mem_cgroup *memcg, + enum mem_cgroup_stat_index idx) + { +- mem_cgroup_update_page_stat(page, idx, 1); ++ mem_cgroup_update_page_stat(memcg, idx, 1); + } + +-static inline void mem_cgroup_dec_page_stat(struct page *page, ++static inline void mem_cgroup_dec_page_stat(struct mem_cgroup *memcg, + enum mem_cgroup_stat_index idx) + { +- mem_cgroup_update_page_stat(page, idx, -1); ++ mem_cgroup_update_page_stat(memcg, idx, -1); + } + + unsigned long mem_cgroup_soft_limit_reclaim(struct zone *zone, int order, +@@ -315,13 +290,14 @@ mem_cgroup_print_oom_info(struct mem_cgr + { + } + +-static inline void mem_cgroup_begin_update_page_stat(struct page *page, ++static inline struct mem_cgroup *mem_cgroup_begin_page_stat(struct page *page, + bool *locked, unsigned long *flags) + { ++ return NULL; + } + +-static inline void mem_cgroup_end_update_page_stat(struct page *page, +- bool *locked, unsigned long *flags) ++static inline void mem_cgroup_end_page_stat(struct mem_cgroup *memcg, ++ bool locked, unsigned long flags) + { + } + +@@ -343,12 +319,12 @@ static inline bool mem_cgroup_oom_synchr + return false; + } + +-static inline void mem_cgroup_inc_page_stat(struct page *page, ++static inline void mem_cgroup_inc_page_stat(struct mem_cgroup *memcg, + enum mem_cgroup_stat_index idx) + { + } + +-static inline void mem_cgroup_dec_page_stat(struct page *page, ++static inline void mem_cgroup_dec_page_stat(struct mem_cgroup *memcg, + enum mem_cgroup_stat_index idx) + { + } +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -1545,12 +1545,8 @@ int mem_cgroup_swappiness(struct mem_cgr + * start move here. + */ + +-/* for quick checking without looking up memcg */ +-atomic_t memcg_moving __read_mostly; +- + static void mem_cgroup_start_move(struct mem_cgroup *memcg) + { +- atomic_inc(&memcg_moving); + atomic_inc(&memcg->moving_account); + synchronize_rcu(); + } +@@ -1561,10 +1557,8 @@ static void mem_cgroup_end_move(struct m + * Now, mem_cgroup_clear_mc() may call this function with NULL. + * We check NULL in callee rather than caller. + */ +- if (memcg) { +- atomic_dec(&memcg_moving); ++ if (memcg) + atomic_dec(&memcg->moving_account); +- } + } + + /* +@@ -2249,41 +2243,52 @@ cleanup: + return true; + } + +-/* +- * Used to update mapped file or writeback or other statistics. +- * +- * Notes: Race condition +- * +- * Charging occurs during page instantiation, while the page is +- * unmapped and locked in page migration, or while the page table is +- * locked in THP migration. No race is possible. +- * +- * Uncharge happens to pages with zero references, no race possible. +- * +- * Charge moving between groups is protected by checking mm->moving +- * account and taking the move_lock in the slowpath. +- */ +- +-void __mem_cgroup_begin_update_page_stat(struct page *page, +- bool *locked, unsigned long *flags) ++/** ++ * mem_cgroup_begin_page_stat - begin a page state statistics transaction ++ * @page: page that is going to change accounted state ++ * @locked: &memcg->move_lock slowpath was taken ++ * @flags: IRQ-state flags for &memcg->move_lock ++ * ++ * This function must mark the beginning of an accounted page state ++ * change to prevent double accounting when the page is concurrently ++ * being moved to another memcg: ++ * ++ * memcg = mem_cgroup_begin_page_stat(page, &locked, &flags); ++ * if (TestClearPageState(page)) ++ * mem_cgroup_update_page_stat(memcg, state, -1); ++ * mem_cgroup_end_page_stat(memcg, locked, flags); ++ * ++ * The RCU lock is held throughout the transaction. The fast path can ++ * get away without acquiring the memcg->move_lock (@locked is false) ++ * because page moving starts with an RCU grace period. ++ * ++ * The RCU lock also protects the memcg from being freed when the page ++ * state that is going to change is the only thing preventing the page ++ * from being uncharged. E.g. end-writeback clearing PageWriteback(), ++ * which allows migration to go ahead and uncharge the page before the ++ * account transaction might be complete. ++ */ ++struct mem_cgroup *mem_cgroup_begin_page_stat(struct page *page, ++ bool *locked, ++ unsigned long *flags) + { + struct mem_cgroup *memcg; + struct page_cgroup *pc; + ++ rcu_read_lock(); ++ ++ if (mem_cgroup_disabled()) ++ return NULL; ++ + pc = lookup_page_cgroup(page); + again: + memcg = pc->mem_cgroup; + if (unlikely(!memcg || !PageCgroupUsed(pc))) +- return; +- /* +- * If this memory cgroup is not under account moving, we don't +- * need to take move_lock_mem_cgroup(). Because we already hold +- * rcu_read_lock(), any calls to move_account will be delayed until +- * rcu_read_unlock(). +- */ +- VM_BUG_ON(!rcu_read_lock_held()); ++ return NULL; ++ ++ *locked = false; + if (atomic_read(&memcg->moving_account) <= 0) +- return; ++ return memcg; + + move_lock_mem_cgroup(memcg, flags); + if (memcg != pc->mem_cgroup || !PageCgroupUsed(pc)) { +@@ -2291,36 +2296,40 @@ again: + goto again; + } + *locked = true; ++ ++ return memcg; + } + +-void __mem_cgroup_end_update_page_stat(struct page *page, unsigned long *flags) ++/** ++ * mem_cgroup_end_page_stat - finish a page state statistics transaction ++ * @memcg: the memcg that was accounted against ++ * @locked: value received from mem_cgroup_begin_page_stat() ++ * @flags: value received from mem_cgroup_begin_page_stat() ++ */ ++void mem_cgroup_end_page_stat(struct mem_cgroup *memcg, bool locked, ++ unsigned long flags) + { +- struct page_cgroup *pc = lookup_page_cgroup(page); ++ if (memcg && locked) ++ move_unlock_mem_cgroup(memcg, &flags); + +- /* +- * It's guaranteed that pc->mem_cgroup never changes while +- * lock is held because a routine modifies pc->mem_cgroup +- * should take move_lock_mem_cgroup(). +- */ +- move_unlock_mem_cgroup(pc->mem_cgroup, flags); ++ rcu_read_unlock(); + } + +-void mem_cgroup_update_page_stat(struct page *page, ++/** ++ * mem_cgroup_update_page_stat - update page state statistics ++ * @memcg: memcg to account against ++ * @idx: page state item to account ++ * @val: number of pages (positive or negative) ++ * ++ * See mem_cgroup_begin_page_stat() for locking requirements. ++ */ ++void mem_cgroup_update_page_stat(struct mem_cgroup *memcg, + enum mem_cgroup_stat_index idx, int val) + { +- struct mem_cgroup *memcg; +- struct page_cgroup *pc = lookup_page_cgroup(page); +- unsigned long uninitialized_var(flags); +- +- if (mem_cgroup_disabled()) +- return; +- + VM_BUG_ON(!rcu_read_lock_held()); +- memcg = pc->mem_cgroup; +- if (unlikely(!memcg || !PageCgroupUsed(pc))) +- return; + +- this_cpu_add(memcg->stat->count[idx], val); ++ if (memcg) ++ this_cpu_add(memcg->stat->count[idx], val); + } + + /* +--- a/mm/page-writeback.c ++++ b/mm/page-writeback.c +@@ -2327,11 +2327,12 @@ EXPORT_SYMBOL(clear_page_dirty_for_io); + int test_clear_page_writeback(struct page *page) + { + struct address_space *mapping = page_mapping(page); +- int ret; +- bool locked; + unsigned long memcg_flags; ++ struct mem_cgroup *memcg; ++ bool locked; ++ int ret; + +- mem_cgroup_begin_update_page_stat(page, &locked, &memcg_flags); ++ memcg = mem_cgroup_begin_page_stat(page, &locked, &memcg_flags); + if (mapping) { + struct backing_dev_info *bdi = mapping->backing_dev_info; + unsigned long flags; +@@ -2352,22 +2353,23 @@ int test_clear_page_writeback(struct pag + ret = TestClearPageWriteback(page); + } + if (ret) { +- mem_cgroup_dec_page_stat(page, MEM_CGROUP_STAT_WRITEBACK); ++ mem_cgroup_dec_page_stat(memcg, MEM_CGROUP_STAT_WRITEBACK); + dec_zone_page_state(page, NR_WRITEBACK); + inc_zone_page_state(page, NR_WRITTEN); + } +- mem_cgroup_end_update_page_stat(page, &locked, &memcg_flags); ++ mem_cgroup_end_page_stat(memcg, locked, memcg_flags); + return ret; + } + + int __test_set_page_writeback(struct page *page, bool keep_write) + { + struct address_space *mapping = page_mapping(page); +- int ret; +- bool locked; + unsigned long memcg_flags; ++ struct mem_cgroup *memcg; ++ bool locked; ++ int ret; + +- mem_cgroup_begin_update_page_stat(page, &locked, &memcg_flags); ++ memcg = mem_cgroup_begin_page_stat(page, &locked, &memcg_flags); + if (mapping) { + struct backing_dev_info *bdi = mapping->backing_dev_info; + unsigned long flags; +@@ -2394,10 +2396,10 @@ int __test_set_page_writeback(struct pag + ret = TestSetPageWriteback(page); + } + if (!ret) { +- mem_cgroup_inc_page_stat(page, MEM_CGROUP_STAT_WRITEBACK); ++ mem_cgroup_inc_page_stat(memcg, MEM_CGROUP_STAT_WRITEBACK); + inc_zone_page_state(page, NR_WRITEBACK); + } +- mem_cgroup_end_update_page_stat(page, &locked, &memcg_flags); ++ mem_cgroup_end_page_stat(memcg, locked, memcg_flags); + return ret; + + } +--- a/mm/rmap.c ++++ b/mm/rmap.c +@@ -1042,15 +1042,16 @@ void page_add_new_anon_rmap(struct page + */ + void page_add_file_rmap(struct page *page) + { +- bool locked; ++ struct mem_cgroup *memcg; + unsigned long flags; ++ bool locked; + +- mem_cgroup_begin_update_page_stat(page, &locked, &flags); ++ memcg = mem_cgroup_begin_page_stat(page, &locked, &flags); + if (atomic_inc_and_test(&page->_mapcount)) { + __inc_zone_page_state(page, NR_FILE_MAPPED); +- mem_cgroup_inc_page_stat(page, MEM_CGROUP_STAT_FILE_MAPPED); ++ mem_cgroup_inc_page_stat(memcg, MEM_CGROUP_STAT_FILE_MAPPED); + } +- mem_cgroup_end_update_page_stat(page, &locked, &flags); ++ mem_cgroup_end_page_stat(memcg, locked, flags); + } + + /** +@@ -1061,9 +1062,10 @@ void page_add_file_rmap(struct page *pag + */ + void page_remove_rmap(struct page *page) + { ++ struct mem_cgroup *uninitialized_var(memcg); + bool anon = PageAnon(page); +- bool locked; + unsigned long flags; ++ bool locked; + + /* + * The anon case has no mem_cgroup page_stat to update; but may +@@ -1071,7 +1073,7 @@ void page_remove_rmap(struct page *page) + * we hold the lock against page_stat move: so avoid it on anon. + */ + if (!anon) +- mem_cgroup_begin_update_page_stat(page, &locked, &flags); ++ memcg = mem_cgroup_begin_page_stat(page, &locked, &flags); + + /* page still mapped by someone else? */ + if (!atomic_add_negative(-1, &page->_mapcount)) +@@ -1096,8 +1098,7 @@ void page_remove_rmap(struct page *page) + -hpage_nr_pages(page)); + } else { + __dec_zone_page_state(page, NR_FILE_MAPPED); +- mem_cgroup_dec_page_stat(page, MEM_CGROUP_STAT_FILE_MAPPED); +- mem_cgroup_end_update_page_stat(page, &locked, &flags); ++ mem_cgroup_dec_page_stat(memcg, MEM_CGROUP_STAT_FILE_MAPPED); + } + if (unlikely(PageMlocked(page))) + clear_page_mlock(page); +@@ -1110,10 +1111,9 @@ void page_remove_rmap(struct page *page) + * Leaving it set also helps swapoff to reinstate ptes + * faster for those pages still in swapcache. + */ +- return; + out: + if (!anon) +- mem_cgroup_end_update_page_stat(page, &locked, &flags); ++ mem_cgroup_end_page_stat(memcg, locked, flags); + } + + /* diff --git a/queue-3.17/mm-page-writeback-inline-account_page_dirtied-into-single-caller.patch b/queue-3.17/mm-page-writeback-inline-account_page_dirtied-into-single-caller.patch new file mode 100644 index 00000000000..fffef23dcc3 --- /dev/null +++ b/queue-3.17/mm-page-writeback-inline-account_page_dirtied-into-single-caller.patch @@ -0,0 +1,73 @@ +From 3a3c02ecf7f2852f122d6d16fb9b3d9cb0c6f201 Mon Sep 17 00:00:00 2001 +From: Johannes Weiner +Date: Wed, 29 Oct 2014 14:50:46 -0700 +Subject: mm: page-writeback: inline account_page_dirtied() into single caller + +From: Johannes Weiner + +commit 3a3c02ecf7f2852f122d6d16fb9b3d9cb0c6f201 upstream. + +A follow-up patch would have changed the call signature. To save the +trouble, just fold it instead. + +Signed-off-by: Johannes Weiner +Acked-by: Michal Hocko +Cc: Vladimir Davydov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/mm.h | 1 - + mm/page-writeback.c | 23 ++++------------------- + 2 files changed, 4 insertions(+), 20 deletions(-) + +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -1233,7 +1233,6 @@ int __set_page_dirty_no_writeback(struct + int redirty_page_for_writepage(struct writeback_control *wbc, + struct page *page); + void account_page_dirtied(struct page *page, struct address_space *mapping); +-void account_page_writeback(struct page *page); + int set_page_dirty(struct page *page); + int set_page_dirty_lock(struct page *page); + int clear_page_dirty_for_io(struct page *page); +--- a/mm/page-writeback.c ++++ b/mm/page-writeback.c +@@ -2116,23 +2116,6 @@ void account_page_dirtied(struct page *p + EXPORT_SYMBOL(account_page_dirtied); + + /* +- * Helper function for set_page_writeback family. +- * +- * The caller must hold mem_cgroup_begin/end_update_page_stat() lock +- * while calling this function. +- * See test_set_page_writeback for example. +- * +- * NOTE: Unlike account_page_dirtied this does not rely on being atomic +- * wrt interrupts. +- */ +-void account_page_writeback(struct page *page) +-{ +- mem_cgroup_inc_page_stat(page, MEM_CGROUP_STAT_WRITEBACK); +- inc_zone_page_state(page, NR_WRITEBACK); +-} +-EXPORT_SYMBOL(account_page_writeback); +- +-/* + * For address_spaces which do not use buffers. Just tag the page as dirty in + * its radix tree. + * +@@ -2410,8 +2393,10 @@ int __test_set_page_writeback(struct pag + } else { + ret = TestSetPageWriteback(page); + } +- if (!ret) +- account_page_writeback(page); ++ if (!ret) { ++ mem_cgroup_inc_page_stat(page, MEM_CGROUP_STAT_WRITEBACK); ++ inc_zone_page_state(page, NR_WRITEBACK); ++ } + mem_cgroup_end_update_page_stat(page, &locked, &memcg_flags); + return ret; + diff --git a/queue-3.17/mtd-cfi_cmdset_0001.c-fix-resume-for-lh28f640bf-chips.patch b/queue-3.17/mtd-cfi_cmdset_0001.c-fix-resume-for-lh28f640bf-chips.patch new file mode 100644 index 00000000000..adacdca384a --- /dev/null +++ b/queue-3.17/mtd-cfi_cmdset_0001.c-fix-resume-for-lh28f640bf-chips.patch @@ -0,0 +1,42 @@ +From 89cf38dd536a7301d6b5f5ddd73f42074c01bfaa Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov +Date: Thu, 23 Oct 2014 01:23:01 +0200 +Subject: mtd: cfi_cmdset_0001.c: fix resume for LH28F640BF chips + +From: Dmitry Eremin-Solenikov + +commit 89cf38dd536a7301d6b5f5ddd73f42074c01bfaa upstream. + +After '#echo mem > /sys/power/state' some devices can not be properly resumed +because apparently the MTD Partition Configuration Register has been reset +to default thus the rootfs cannot be mounted cleanly on resume. +An example of this can be found in the SA-1100 Developer's Manual at 9.5.3.3 +where the second step of the Sleep Shutdown Sequence is described: +"An internal reset is applied to the SA-1100. All units are reset...". + +As workaround we refresh the PCR value as done initially on chip setup. + +This behavior and the fix are confirmed by our tests done on 2 different Zaurus +collie units with kernel 3.17. + +Fixes: 812c5fa82bae: ("mtd: cfi_cmdset_0001.c: add support for Sharp LH28F640BF NOR") +Signed-off-by: Dmitry Eremin-Solenikov +Signed-off-by: Andrea Adami +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/chips/cfi_cmdset_0001.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mtd/chips/cfi_cmdset_0001.c ++++ b/drivers/mtd/chips/cfi_cmdset_0001.c +@@ -2590,6 +2590,8 @@ static void cfi_intelext_resume(struct m + + /* Go to known state. Chip may have been power cycled */ + if (chip->state == FL_PM_SUSPENDED) { ++ /* Refresh LH28F640BF Partition Config. Register */ ++ fixup_LH28F640BF(mtd); + map_write(map, CMD(0xFF), cfi->chips[i].start); + chip->oldstate = chip->state = FL_READY; + wake_up(&chip->wq); diff --git a/queue-3.17/nfsd4-fix-crash-on-unknown-operation-number.patch b/queue-3.17/nfsd4-fix-crash-on-unknown-operation-number.patch new file mode 100644 index 00000000000..73196d27659 --- /dev/null +++ b/queue-3.17/nfsd4-fix-crash-on-unknown-operation-number.patch @@ -0,0 +1,34 @@ +From 51904b08072a8bf2b9ed74d1bd7a5300a614471d Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Wed, 22 Oct 2014 14:46:29 -0400 +Subject: nfsd4: fix crash on unknown operation number + +From: "J. Bruce Fields" + +commit 51904b08072a8bf2b9ed74d1bd7a5300a614471d upstream. + +Unknown operation numbers are caught in nfsd4_decode_compound() which +sets op->opnum to OP_ILLEGAL and op->status to nfserr_op_illegal. The +error causes the main loop in nfsd4_proc_compound() to skip most +processing. But nfsd4_proc_compound also peeks ahead at the next +operation in one case and doesn't take similar precautions there. + +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4proc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1229,7 +1229,8 @@ static bool need_wrongsec_check(struct s + */ + if (argp->opcnt == resp->opcnt) + return false; +- ++ if (next->opnum == OP_ILLEGAL) ++ return false; + nextd = OPDESC(next); + /* + * Rest of 2.6.3.1.1: certain operations will return WRONGSEC diff --git a/queue-3.17/nfsd4-fix-response-size-estimation-for-op_sequence.patch b/queue-3.17/nfsd4-fix-response-size-estimation-for-op_sequence.patch new file mode 100644 index 00000000000..c1a0662d632 --- /dev/null +++ b/queue-3.17/nfsd4-fix-response-size-estimation-for-op_sequence.patch @@ -0,0 +1,43 @@ +From d1d84c9626bb3a519863b3ffc40d347166f9fb83 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Thu, 21 Aug 2014 15:04:31 -0400 +Subject: nfsd4: fix response size estimation for OP_SEQUENCE + +From: "J. Bruce Fields" + +commit d1d84c9626bb3a519863b3ffc40d347166f9fb83 upstream. + +We added this new estimator function but forgot to hook it up. The +effect is that NFSv4.1 (and greater) won't do zero-copy reads. + +The estimate was also wrong by 8 bytes. + +Fixes: ccae70a9ee41 "nfsd4: estimate sequence response size" +Reported-by: Chuck Lever +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4proc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1546,7 +1546,8 @@ static inline u32 nfsd4_rename_rsize(str + static inline u32 nfsd4_sequence_rsize(struct svc_rqst *rqstp, + struct nfsd4_op *op) + { +- return NFS4_MAX_SESSIONID_LEN + 20; ++ return (op_encode_hdr_size ++ + XDR_QUADLEN(NFS4_MAX_SESSIONID_LEN) + 5) * sizeof(__be32); + } + + static inline u32 nfsd4_setattr_rsize(struct svc_rqst *rqstp, struct nfsd4_op *op) +@@ -1850,6 +1851,7 @@ static struct nfsd4_operation nfsd4_ops[ + .op_func = (nfsd4op_func)nfsd4_sequence, + .op_flags = ALLOWED_WITHOUT_FH | ALLOWED_AS_FIRST_OP, + .op_name = "OP_SEQUENCE", ++ .op_rsize_bop = (nfsd4op_rsize)nfsd4_sequence_rsize, + }, + [OP_DESTROY_CLIENTID] = { + .op_func = (nfsd4op_func)nfsd4_destroy_clientid, diff --git a/queue-3.17/pci-rename-sysfs-enabled-file-back-to-enable.patch b/queue-3.17/pci-rename-sysfs-enabled-file-back-to-enable.patch new file mode 100644 index 00000000000..62230635b5f --- /dev/null +++ b/queue-3.17/pci-rename-sysfs-enabled-file-back-to-enable.patch @@ -0,0 +1,61 @@ +From d8e7d53a2fc14e0830ab728cb84ee19933d3ac8d Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 30 Oct 2014 09:30:28 -0700 +Subject: PCI: Rename sysfs 'enabled' file back to 'enable' + +From: Greg Kroah-Hartman + +commit d8e7d53a2fc14e0830ab728cb84ee19933d3ac8d upstream. + +Back in commit 5136b2da770d ("PCI: convert bus code to use dev_groups"), +I misstyped the 'enable' sysfs filename as 'enabled', which broke the +userspace API. This patch fixes that issue by renaming the file back. + +Fixes: 5136b2da770d ("PCI: convert bus code to use dev_groups") +Reported-by: Jeff Epler +Tested-by: Jeff Epler # on v3.14-rt +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Bjorn Helgaas + +--- + drivers/pci/pci-sysfs.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -185,7 +185,7 @@ static ssize_t modalias_show(struct devi + } + static DEVICE_ATTR_RO(modalias); + +-static ssize_t enabled_store(struct device *dev, struct device_attribute *attr, ++static ssize_t enable_store(struct device *dev, struct device_attribute *attr, + const char *buf, size_t count) + { + struct pci_dev *pdev = to_pci_dev(dev); +@@ -210,7 +210,7 @@ static ssize_t enabled_store(struct devi + return result < 0 ? result : count; + } + +-static ssize_t enabled_show(struct device *dev, struct device_attribute *attr, ++static ssize_t enable_show(struct device *dev, struct device_attribute *attr, + char *buf) + { + struct pci_dev *pdev; +@@ -218,7 +218,7 @@ static ssize_t enabled_show(struct devic + pdev = to_pci_dev(dev); + return sprintf(buf, "%u\n", atomic_read(&pdev->enable_cnt)); + } +-static DEVICE_ATTR_RW(enabled); ++static DEVICE_ATTR_RW(enable); + + #ifdef CONFIG_NUMA + static ssize_t numa_node_show(struct device *dev, struct device_attribute *attr, +@@ -564,7 +564,7 @@ static struct attribute *pci_dev_attrs[] + #endif + &dev_attr_dma_mask_bits.attr, + &dev_attr_consistent_dma_mask_bits.attr, +- &dev_attr_enabled.attr, ++ &dev_attr_enable.attr, + &dev_attr_broken_parity_status.attr, + &dev_attr_msi_bus.attr, + #if defined(CONFIG_PM_RUNTIME) && defined(CONFIG_ACPI) diff --git a/queue-3.17/pm-sleep-fix-async-suspend_late-freeze_late-error-handling.patch b/queue-3.17/pm-sleep-fix-async-suspend_late-freeze_late-error-handling.patch new file mode 100644 index 00000000000..8c563581753 --- /dev/null +++ b/queue-3.17/pm-sleep-fix-async-suspend_late-freeze_late-error-handling.patch @@ -0,0 +1,40 @@ +From 246ef766743618a7cab059d6c4993270075b173e Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Fri, 24 Oct 2014 20:29:09 +0300 +Subject: PM / Sleep: fix async suspend_late/freeze_late error handling + +From: Imre Deak + +commit 246ef766743618a7cab059d6c4993270075b173e upstream. + +If an asynchronous suspend_late or freeze_late callback fails +during the SUSPEND, FREEZE or QUIESCE phases, we don't propagate the +corresponding error correctly, in effect ignoring the error and +continuing the suspend-to-ram/hibernation. During suspend-to-ram this +could leave some devices without a valid saved context, leading to a +failure to reinitialize them during resume. During hibernation this +could leave some devices active interfeering with the creation / +restoration of the hibernation image. Also this could leave the +corresponding devices without a valid saved context and failure to +reinitialize them during resume. + +Fixes: de377b397272 (PM / sleep: Asynchronous threads for suspend_late) +Signed-off-by: Imre Deak +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/power/main.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -1266,6 +1266,8 @@ static int dpm_suspend_late(pm_message_t + } + mutex_unlock(&dpm_list_mtx); + async_synchronize_full(); ++ if (!error) ++ error = async_error; + if (error) { + suspend_stats.failed_suspend_late++; + dpm_save_failed_step(SUSPEND_SUSPEND_LATE); diff --git a/queue-3.17/pm-sleep-fix-recovery-during-resuming-from-hibernation.patch b/queue-3.17/pm-sleep-fix-recovery-during-resuming-from-hibernation.patch new file mode 100644 index 00000000000..758d06a6b77 --- /dev/null +++ b/queue-3.17/pm-sleep-fix-recovery-during-resuming-from-hibernation.patch @@ -0,0 +1,40 @@ +From 94fb823fcb4892614f57e59601bb9d4920f24711 Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Fri, 24 Oct 2014 20:29:10 +0300 +Subject: PM / Sleep: fix recovery during resuming from hibernation + +From: Imre Deak + +commit 94fb823fcb4892614f57e59601bb9d4920f24711 upstream. + +If a device's dev_pm_ops::freeze callback fails during the QUIESCE +phase, we don't rollback things correctly calling the thaw and complete +callbacks. This could leave some devices in a suspended state in case of +an error during resuming from hibernation. + +Signed-off-by: Imre Deak +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/power/hibernate.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -502,8 +502,14 @@ int hibernation_restore(int platform_mod + error = dpm_suspend_start(PMSG_QUIESCE); + if (!error) { + error = resume_target_kernel(platform_mode); +- dpm_resume_end(PMSG_RECOVER); ++ /* ++ * The above should either succeed and jump to the new kernel, ++ * or return with an error. Otherwise things are just ++ * undefined, so let's be paranoid. ++ */ ++ BUG_ON(!error); + } ++ dpm_resume_end(PMSG_RECOVER); + pm_restore_gfp_mask(); + resume_console(); + pm_restore_console(); diff --git a/queue-3.17/posix-timers-fix-stack-info-leak-in-timer_create.patch b/queue-3.17/posix-timers-fix-stack-info-leak-in-timer_create.patch new file mode 100644 index 00000000000..ec768689023 --- /dev/null +++ b/queue-3.17/posix-timers-fix-stack-info-leak-in-timer_create.patch @@ -0,0 +1,45 @@ +From 6891c4509c792209c44ced55a60f13954cb50ef4 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sat, 4 Oct 2014 23:06:39 +0200 +Subject: posix-timers: Fix stack info leak in timer_create() + +From: Mathias Krause + +commit 6891c4509c792209c44ced55a60f13954cb50ef4 upstream. + +If userland creates a timer without specifying a sigevent info, we'll +create one ourself, using a stack local variable. Particularly will we +use the timer ID as sival_int. But as sigev_value is a union containing +a pointer and an int, that assignment will only partially initialize +sigev_value on systems where the size of a pointer is bigger than the +size of an int. On such systems we'll copy the uninitialized stack bytes +from the timer_create() call to userland when the timer actually fires +and we're going to deliver the signal. + +Initialize sigev_value with 0 to plug the stack info leak. + +Found in the PaX patch, written by the PaX Team. + +Fixes: 5a9fa7307285 ("posix-timers: kill ->it_sigev_signo and...") +Signed-off-by: Mathias Krause +Cc: Oleg Nesterov +Cc: Brad Spengler +Cc: PaX Team +Link: http://lkml.kernel.org/r/1412456799-32339-1-git-send-email-minipli@googlemail.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/posix-timers.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/time/posix-timers.c ++++ b/kernel/time/posix-timers.c +@@ -636,6 +636,7 @@ SYSCALL_DEFINE3(timer_create, const cloc + goto out; + } + } else { ++ memset(&event.sigev_value, 0, sizeof(event.sigev_value)); + event.sigev_notify = SIGEV_SIGNAL; + event.sigev_signo = SIGALRM; + event.sigev_value.sival_int = new_timer->it_id; diff --git a/queue-3.17/quota-properly-return-errors-from-dquot_writeback_dquots.patch b/queue-3.17/quota-properly-return-errors-from-dquot_writeback_dquots.patch new file mode 100644 index 00000000000..73ab364193d --- /dev/null +++ b/queue-3.17/quota-properly-return-errors-from-dquot_writeback_dquots.patch @@ -0,0 +1,33 @@ +From 474d2605d119479e5aa050f738632e63589d4bb5 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 22 Oct 2014 09:06:49 +0200 +Subject: quota: Properly return errors from dquot_writeback_dquots() + +From: Jan Kara + +commit 474d2605d119479e5aa050f738632e63589d4bb5 upstream. + +Due to a switched left and right side of an assignment, +dquot_writeback_dquots() never returned error. This could result in +errors during quota writeback to not be reported to userspace properly. +Fix it. + +Coverity-id: 1226884 +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/quota/dquot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -634,7 +634,7 @@ int dquot_writeback_dquots(struct super_ + dqstats_inc(DQST_LOOKUPS); + err = sb->dq_op->write_dquot(dquot); + if (!ret && err) +- err = ret; ++ ret = err; + dqput(dquot); + spin_lock(&dq_list_lock); + } diff --git a/queue-3.17/revert-iwlwifi-mvm-treat-eapols-like-mgmt-frames-wrt-rate.patch b/queue-3.17/revert-iwlwifi-mvm-treat-eapols-like-mgmt-frames-wrt-rate.patch new file mode 100644 index 00000000000..a2440df8645 --- /dev/null +++ b/queue-3.17/revert-iwlwifi-mvm-treat-eapols-like-mgmt-frames-wrt-rate.patch @@ -0,0 +1,75 @@ +From 1ffde699aae127e7abdb98dbdedc2cc6a973a1a1 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Mon, 20 Oct 2014 08:29:55 +0300 +Subject: Revert "iwlwifi: mvm: treat EAPOLs like mgmt frames wrt rate" + +From: Emmanuel Grumbach + +commit 1ffde699aae127e7abdb98dbdedc2cc6a973a1a1 upstream. + +This reverts commit aa11bbf3df026d6b1c6b528bef634fd9de7c2619. +This commit was causing connection issues and is not needed +if IWL_MVM_RS_RSSI_BASED_INIT_RATE is set to false by default. + +Regardless of the issues mentioned above, this patch added the +following WARNING: + +WARNING: CPU: 0 PID: 3946 at drivers/net/wireless/iwlwifi/mvm/tx.c:190 iwl_mvm_set_tx_params+0x60a/0x6f0 [iwlmvm]() +Got an HT rate for a non data frame 0x8 +CPU: 0 PID: 3946 Comm: wpa_supplicant Tainted: G O 3.17.0+ #6 +Hardware name: LENOVO 20ANCTO1WW/20ANCTO1WW, BIOS GLET71WW (2.25 ) 07/02/2014 + 0000000000000009 ffffffff814fa911 ffff8804288db8f8 ffffffff81064f52 + 0000000000001808 ffff8804288db948 ffff88040add8660 ffff8804291b5600 + 0000000000000000 ffffffff81064fb7 ffffffffa07b73d0 0000000000000020 +Call Trace: + [] ? dump_stack+0x41/0x51 + [] ? warn_slowpath_common+0x72/0x90 + [] ? warn_slowpath_fmt+0x47/0x50 + [] ? iwl_mvm_set_tx_params+0x60a/0x6f0 [iwlmvm] + [] ? iwl_mvm_tx_skb+0x48/0x3c0 [iwlmvm] + [] ? iwl_mvm_mac_tx+0x7b/0x180 [iwlmvm] + [] ? __ieee80211_tx+0x2b9/0x3c0 [mac80211] + [] ? ieee80211_tx+0xb3/0x100 [mac80211] + [] ? ieee80211_subif_start_xmit+0x459/0xca0 [mac80211] + [] ? dev_hard_start_xmit+0x337/0x5f0 + [] ? sch_direct_xmit+0x96/0x1f0 + [] ? __dev_queue_xmit+0x203/0x4f0 + [] ? ether_setup+0x70/0x70 + [] ? packet_sendmsg+0xf81/0x1110 + [] ? skb_free_datagram+0xc/0x40 + [] ? sock_sendmsg+0x88/0xc0 + [] ? move_addr_to_kernel.part.20+0x14/0x60 + [] ? __inode_wait_for_writeback+0x62/0xb0 + [] ? SYSC_sendto+0xf1/0x180 + [] ? __sys_recvmsg+0x39/0x70 + [] ? system_call_fastpath+0x1a/0x1f +---[ end trace cc19a150d311fc63 ]--- + +which was reported here: https://bugzilla.kernel.org/show_bug.cgi?id=85691 + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/mvm/tx.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/iwlwifi/mvm/tx.c +@@ -168,14 +168,10 @@ static void iwl_mvm_set_tx_cmd_rate(stru + + /* + * for data packets, rate info comes from the table inside the fw. This +- * table is controlled by LINK_QUALITY commands. Exclude ctrl port +- * frames like EAPOLs which should be treated as mgmt frames. This +- * avoids them being sent initially in high rates which increases the +- * chances for completion of the 4-Way handshake. ++ * table is controlled by LINK_QUALITY commands + */ + +- if (ieee80211_is_data(fc) && sta && +- !(info->control.flags & IEEE80211_TX_CTRL_PORT_CTRL_PROTO)) { ++ if (ieee80211_is_data(fc) && sta) { + tx_cmd->initial_rate_index = 0; + tx_cmd->tx_flags |= cpu_to_le32(TX_CMD_FLG_STA_RATE); + return; diff --git a/queue-3.17/scsi-fix-error-handling-in-scsi_ioctl_send_command.patch b/queue-3.17/scsi-fix-error-handling-in-scsi_ioctl_send_command.patch new file mode 100644 index 00000000000..1a1eab260f7 --- /dev/null +++ b/queue-3.17/scsi-fix-error-handling-in-scsi_ioctl_send_command.patch @@ -0,0 +1,47 @@ +From 84ce0f0e94ac97217398b3b69c21c7a62ebeed05 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 22 Oct 2014 20:13:39 -0600 +Subject: scsi: Fix error handling in SCSI_IOCTL_SEND_COMMAND + +From: Jan Kara + +commit 84ce0f0e94ac97217398b3b69c21c7a62ebeed05 upstream. + +When sg_scsi_ioctl() fails to prepare request to submit in +blk_rq_map_kern() we jump to a label where we just end up copying +(luckily zeroed-out) kernel buffer to userspace instead of reporting +error. Fix the problem by jumping to the right label. + +CC: Jens Axboe +CC: linux-scsi@vger.kernel.org +Coverity-id: 1226871 +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +Fixed up the, now unused, out label. + +Signed-off-by: Jens Axboe + +--- + block/scsi_ioctl.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/block/scsi_ioctl.c ++++ b/block/scsi_ioctl.c +@@ -509,7 +509,7 @@ int sg_scsi_ioctl(struct request_queue * + + if (bytes && blk_rq_map_kern(q, rq, buffer, bytes, __GFP_WAIT)) { + err = DRIVER_ERROR << 24; +- goto out; ++ goto error; + } + + memset(sense, 0, sizeof(sense)); +@@ -518,7 +518,6 @@ int sg_scsi_ioctl(struct request_queue * + + blk_execute_rq(q, disk, rq, 0); + +-out: + err = rq->errors & 0xff; /* only 8 bit SCSI status */ + if (err) { + if (rq->sense_len && rq->sense) { diff --git a/queue-3.17/scsi-set-req_queue-for-the-blk-mq-case.patch b/queue-3.17/scsi-set-req_queue-for-the-blk-mq-case.patch new file mode 100644 index 00000000000..4e962ef7d71 --- /dev/null +++ b/queue-3.17/scsi-set-req_queue-for-the-blk-mq-case.patch @@ -0,0 +1,63 @@ +From b1dd2aac4cc0892b82ec60232ed37e3b0af776cc Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Sun, 19 Oct 2014 17:13:58 +0200 +Subject: scsi: set REQ_QUEUE for the blk-mq case + +From: Christoph Hellwig + +commit b1dd2aac4cc0892b82ec60232ed37e3b0af776cc upstream. + +To generate the right SPI tag messages we need to properly set +QUEUE_FLAG_QUEUED in the request_queue and mirror it to the +request. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Martin K. Petersen +Acked-by: Jens Axboe +Reported-by: Meelis Roos +Tested-by: Meelis Roos +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_lib.c | 5 +++++ + include/scsi/scsi_tcq.h | 8 ++++---- + 2 files changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -1887,6 +1887,11 @@ static int scsi_queue_rq(struct blk_mq_h + req->cmd_flags |= REQ_DONTPREP; + } + ++ if (blk_queue_tagged(q)) ++ req->cmd_flags |= REQ_QUEUED; ++ else ++ req->cmd_flags &= ~REQ_QUEUED; ++ + scsi_init_cmd_errh(cmd); + cmd->scsi_done = scsi_mq_done; + +--- a/include/scsi/scsi_tcq.h ++++ b/include/scsi/scsi_tcq.h +@@ -67,8 +67,9 @@ static inline void scsi_activate_tcq(str + if (!sdev->tagged_supported) + return; + +- if (!shost_use_blk_mq(sdev->host) && +- !blk_queue_tagged(sdev->request_queue)) ++ if (shost_use_blk_mq(sdev->host)) ++ queue_flag_set_unlocked(QUEUE_FLAG_QUEUED, sdev->request_queue); ++ else if (!blk_queue_tagged(sdev->request_queue)) + blk_queue_init_tags(sdev->request_queue, depth, + sdev->host->bqt); + +@@ -81,8 +82,7 @@ static inline void scsi_activate_tcq(str + **/ + static inline void scsi_deactivate_tcq(struct scsi_device *sdev, int depth) + { +- if (!shost_use_blk_mq(sdev->host) && +- blk_queue_tagged(sdev->request_queue)) ++ if (blk_queue_tagged(sdev->request_queue)) + blk_queue_free_tags(sdev->request_queue); + scsi_adjust_queue_depth(sdev, 0, depth); + } diff --git a/queue-3.17/series b/queue-3.17/series index fa1a66ec89e..293f35a63be 100644 --- a/queue-3.17/series +++ b/queue-3.17/series @@ -237,3 +237,39 @@ usb-do-not-allow-usb_alloc_streams-on-unconfigured-devices.patch usb-kobil_sct-fix-non-atomic-allocation-in-write-path.patch usb-remove-references-to-non-existent-plat_s5p-symbol.patch ima-check-xattr-value-length-and-type-in-the-ima_inode_setxattr.patch +sh-fix-sh770x-scif-memory-regions.patch +mm-free-compound-page-with-correct-order.patch +cgroup-kmemleak-add-kmemleak_free-for-cgroup-deallocations.patch +mm-page-writeback-inline-account_page_dirtied-into-single-caller.patch +mm-memcontrol-fix-missed-end-writeback-page-accounting.patch +lib-bitmap.c-fix-undefined-shift-in-__bitmap_shift_-left-right.patch +mm-balloon_compaction-fix-deflation-when-compaction-is-disabled.patch +xhci-no-switching-back-on-non-ult-haswell.patch +xhci-disable-streams-on-asmedia-1042-xhci-controllers.patch +scsi-fix-error-handling-in-scsi_ioctl_send_command.patch +lib-scatterlist-fix-memory-leak-with-scsi-mq.patch +scsi-set-req_queue-for-the-blk-mq-case.patch +i82860_edac-report-ce-events-properly.patch +i3200_edac-report-ce-events-properly.patch +e7xxx_edac-report-ce-events-properly.patch +cpc925_edac-report-ue-events-properly.patch +nfsd4-fix-response-size-estimation-for-op_sequence.patch +nfsd4-fix-crash-on-unknown-operation-number.patch +zap_pte_range-update-addr-when-forcing-flush-after-tlb-batching-faiure.patch +iwlwifi-mvm-bt-coex-update-the-mplut-boost-register-value.patch +iwlwifi-configure-the-ltr.patch +iwlwifi-dvm-drop-non-vo-frames-when-flushing.patch +revert-iwlwifi-mvm-treat-eapols-like-mgmt-frames-wrt-rate.patch +ext3-don-t-check-quota-format-when-there-are-no-quota-files.patch +pci-rename-sysfs-enabled-file-back-to-enable.patch +quota-properly-return-errors-from-dquot_writeback_dquots.patch +tty-vt-don-t-set-font-mappings-on-vc-not-supporting-this.patch +tty-fix-high-cpu-load-if-tty-is-unreleaseable.patch +pm-sleep-fix-async-suspend_late-freeze_late-error-handling.patch +pm-sleep-fix-recovery-during-resuming-from-hibernation.patch +staging-comedi-regression-channel-list-must-be-set-for-comedi_cmd-ioctl.patch +staging-comedi-fix-memory-leak-bad-pointer-freeing-for-chanlist.patch +mac80211-fix-typo-in-starting-baserate-for-rts_cts_rate_idx.patch +mtd-cfi_cmdset_0001.c-fix-resume-for-lh28f640bf-chips.patch +posix-timers-fix-stack-info-leak-in-timer_create.patch +x86-apic-handle-a-bad-tsc-more-gracefully.patch diff --git a/queue-3.17/sh-fix-sh770x-scif-memory-regions.patch b/queue-3.17/sh-fix-sh770x-scif-memory-regions.patch new file mode 100644 index 00000000000..88fe3168d1c --- /dev/null +++ b/queue-3.17/sh-fix-sh770x-scif-memory-regions.patch @@ -0,0 +1,55 @@ +From 5417421b270229bfce0795ccc99a4b481e4954ca Mon Sep 17 00:00:00 2001 +From: Andriy Skulysh +Date: Wed, 29 Oct 2014 14:50:59 -0700 +Subject: sh: fix sh770x SCIF memory regions + +From: Andriy Skulysh + +commit 5417421b270229bfce0795ccc99a4b481e4954ca upstream. + +Resources scif1_resources & scif2_resources overlap. Actual SCIF region +size is 0x10. + +This is regression from commit d850acf975be ("sh: Declare SCIF register +base and IRQ as resources") + +Signed-off-by: Andriy Skulysh +Acked-by: Laurent Pinchart +Cc: Geert Uytterhoeven +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sh/kernel/cpu/sh3/setup-sh770x.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/sh/kernel/cpu/sh3/setup-sh770x.c ++++ b/arch/sh/kernel/cpu/sh3/setup-sh770x.c +@@ -118,7 +118,7 @@ static struct plat_sci_port scif0_platfo + }; + + static struct resource scif0_resources[] = { +- DEFINE_RES_MEM(0xfffffe80, 0x100), ++ DEFINE_RES_MEM(0xfffffe80, 0x10), + DEFINE_RES_IRQ(evt2irq(0x4e0)), + }; + +@@ -143,7 +143,7 @@ static struct plat_sci_port scif1_platfo + }; + + static struct resource scif1_resources[] = { +- DEFINE_RES_MEM(0xa4000150, 0x100), ++ DEFINE_RES_MEM(0xa4000150, 0x10), + DEFINE_RES_IRQ(evt2irq(0x900)), + }; + +@@ -169,7 +169,7 @@ static struct plat_sci_port scif2_platfo + }; + + static struct resource scif2_resources[] = { +- DEFINE_RES_MEM(0xa4000140, 0x100), ++ DEFINE_RES_MEM(0xa4000140, 0x10), + DEFINE_RES_IRQ(evt2irq(0x880)), + }; + diff --git a/queue-3.17/staging-comedi-fix-memory-leak-bad-pointer-freeing-for-chanlist.patch b/queue-3.17/staging-comedi-fix-memory-leak-bad-pointer-freeing-for-chanlist.patch new file mode 100644 index 00000000000..bf538672c32 --- /dev/null +++ b/queue-3.17/staging-comedi-fix-memory-leak-bad-pointer-freeing-for-chanlist.patch @@ -0,0 +1,54 @@ +From 238b5ad855924919e5b98d0c772d9dc78795639b Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 20 Oct 2014 15:10:40 +0100 +Subject: staging: comedi: fix memory leak / bad pointer freeing for chanlist + +From: Ian Abbott + +commit 238b5ad855924919e5b98d0c772d9dc78795639b upstream. + +As a follow-up to commit 6cab7a37f5c04 ("staging: comedi: (regression) +channel list must be set for COMEDI_CMD ioctl"), Hartley Sweeten pointed +out another couple of bugs stemming from commit 6cab7a37f5c04 ("staging: +comedi: comedi_fops: introduce __comedi_get_user_chanlist()"). + +Firstly, `do_cmdtest_ioctl()` never frees the kernel copy of the user +chanlist allocated by `__comedi_get_user_chanlist()`, so that memory is +leaked. Fix it by freeing the allocated kernel memory pointed to by +`cmd.chanlist` before that pointer is overwritten with its original +pointer to user memory before `cmd` is copied back to user-space. + +Secondly, if `__comedi_get_user_chanlist()` returns an error, +`cmd->chanlist` is left unchanged and in fact will be a pointer to user +memory. This causes `do_cmd_ioctl()` to `goto cleanup` and call +`do_become_nonbusy()` which would attempt to free the memory pointed to +by the user-space pointer. Fix it by setting `cmd->chanlist` to NULL at +the start of `__comedi_get_user_chanlist()`. + +Fixes: c6cd0eefb27b ("staging: comedi: comedi_fops: introduce __comedi_get_user_chanlist()") +Reported-by: H Hartley Sweeten +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/comedi_fops.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/staging/comedi/comedi_fops.c ++++ b/drivers/staging/comedi/comedi_fops.c +@@ -1462,6 +1462,7 @@ static int __comedi_get_user_chanlist(st + unsigned int *chanlist; + int ret; + ++ cmd->chanlist = NULL; + chanlist = memdup_user(user_chanlist, + cmd->chanlist_len * sizeof(unsigned int)); + if (IS_ERR(chanlist)) +@@ -1615,6 +1616,8 @@ static int do_cmdtest_ioctl(struct comed + + ret = s->do_cmdtest(dev, s, &cmd); + ++ kfree(cmd.chanlist); /* free kernel copy of user chanlist */ ++ + /* restore chanlist pointer before copying back */ + cmd.chanlist = (unsigned int __force *)user_chanlist; + diff --git a/queue-3.17/staging-comedi-regression-channel-list-must-be-set-for-comedi_cmd-ioctl.patch b/queue-3.17/staging-comedi-regression-channel-list-must-be-set-for-comedi_cmd-ioctl.patch new file mode 100644 index 00000000000..f8ab5d7e90b --- /dev/null +++ b/queue-3.17/staging-comedi-regression-channel-list-must-be-set-for-comedi_cmd-ioctl.patch @@ -0,0 +1,76 @@ +From 6cab7a37f5c048bb2a768f24b0ec748b052fda09 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Wed, 8 Oct 2014 16:09:14 +0100 +Subject: staging: comedi: (regression) channel list must be set for COMEDI_CMD ioctl + +From: Ian Abbott + +commit 6cab7a37f5c048bb2a768f24b0ec748b052fda09 upstream. + +`do_cmd_ioctl()`, the handler for the `COMEDI_CMD` ioctl can incorrectly +call the Comedi subdevice's `do_cmd()` handler with a NULL channel list +pointer. This is a regression as the `do_cmd()` handler has never been +expected to deal with that, leading to a kernel OOPS when it tries to +dereference it. + +A NULL channel list pointer is allowed for the `COMEDI_CMDTEST` ioctl, +handled by `do_cmdtest_ioctl()` and the subdevice's `do_cmdtest()` +handler, but not for the `COMEDI_CMD` ioctl and its handlers. + +Both `do_cmd_ioctl()` and `do_cmdtest_ioctl()` call +`__comedi_get_user_chanlist()` to copy the channel list from user memory +into dynamically allocated kernel memory and check it for consistency. +That function currently returns 0 if the `user_chanlist` parameter +(pointing to the channel list in user memory) is NULL. That's fine for +`do_cmdtest_ioctl()`, but `do_cmd_ioctl()` incorrectly assumes the +kernel copy of the channel list has been set-up correctly. + +Fix it by not allowing the `user_chanlist` parameter to be NULL in +`__comedi_get_user_chanlist()`, and only calling it from +`do_cmdtest_ioctl()` if the parameter is non-NULL. + +Thanks to Bernd Porr for reporting the bug via an initial patch sent +privately. + +Fixes: c6cd0eefb27b ("staging: comedi: comedi_fops: introduce __comedi_get_user_chanlist()") +Reported-by: Bernd Porr +Signed-off-by: Ian Abbott +Reviewed-by: H Hartley Sweeten +Cc: Bernd Porr +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/comedi_fops.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/staging/comedi/comedi_fops.c ++++ b/drivers/staging/comedi/comedi_fops.c +@@ -1462,10 +1462,6 @@ static int __comedi_get_user_chanlist(st + unsigned int *chanlist; + int ret; + +- /* user_chanlist could be NULL for do_cmdtest ioctls */ +- if (!user_chanlist) +- return 0; +- + chanlist = memdup_user(user_chanlist, + cmd->chanlist_len * sizeof(unsigned int)); + if (IS_ERR(chanlist)) +@@ -1609,10 +1605,13 @@ static int do_cmdtest_ioctl(struct comed + + s = &dev->subdevices[cmd.subdev]; + +- /* load channel/gain list */ +- ret = __comedi_get_user_chanlist(dev, s, user_chanlist, &cmd); +- if (ret) +- return ret; ++ /* user_chanlist can be NULL for COMEDI_CMDTEST ioctl */ ++ if (user_chanlist) { ++ /* load channel/gain list */ ++ ret = __comedi_get_user_chanlist(dev, s, user_chanlist, &cmd); ++ if (ret) ++ return ret; ++ } + + ret = s->do_cmdtest(dev, s, &cmd); + diff --git a/queue-3.17/tty-fix-high-cpu-load-if-tty-is-unreleaseable.patch b/queue-3.17/tty-fix-high-cpu-load-if-tty-is-unreleaseable.patch new file mode 100644 index 00000000000..26ca433dd10 --- /dev/null +++ b/queue-3.17/tty-fix-high-cpu-load-if-tty-is-unreleaseable.patch @@ -0,0 +1,49 @@ +From 37b164578826406a173ca7c20d9ba7430134d23e Mon Sep 17 00:00:00 2001 +From: Peter Hurley +Date: Thu, 16 Oct 2014 13:51:30 -0400 +Subject: tty: Fix high cpu load if tty is unreleaseable + +From: Peter Hurley + +commit 37b164578826406a173ca7c20d9ba7430134d23e upstream. + +Kernel oops can cause the tty to be unreleaseable (for example, if +n_tty_read() crashes while on the read_wait queue). This will cause +tty_release() to endlessly loop without sleeping. + +Use a killable sleep timeout which grows by 2n+1 jiffies over the interval +[0, 120 secs.) and then jumps to forever (but still killable). + +NB: killable just allows for the task to be rewoken manually, not +to be terminated. + +Signed-off-by: Peter Hurley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_io.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -1686,6 +1686,7 @@ int tty_release(struct inode *inode, str + int pty_master, tty_closing, o_tty_closing, do_sleep; + int idx; + char buf[64]; ++ long timeout = 0; + + if (tty_paranoia_check(tty, inode, __func__)) + return 0; +@@ -1770,7 +1771,11 @@ int tty_release(struct inode *inode, str + __func__, tty_name(tty, buf)); + tty_unlock_pair(tty, o_tty); + mutex_unlock(&tty_mutex); +- schedule(); ++ schedule_timeout_killable(timeout); ++ if (timeout < 120 * HZ) ++ timeout = 2 * timeout + 1; ++ else ++ timeout = MAX_SCHEDULE_TIMEOUT; + } + + /* diff --git a/queue-3.17/tty-vt-don-t-set-font-mappings-on-vc-not-supporting-this.patch b/queue-3.17/tty-vt-don-t-set-font-mappings-on-vc-not-supporting-this.patch new file mode 100644 index 00000000000..ef50e2a3b67 --- /dev/null +++ b/queue-3.17/tty-vt-don-t-set-font-mappings-on-vc-not-supporting-this.patch @@ -0,0 +1,44 @@ +From 9e326f78713a4421fe11afc2ddeac07698fac131 Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Thu, 2 Oct 2014 16:34:31 +0300 +Subject: tty/vt: don't set font mappings on vc not supporting this + +From: Imre Deak + +commit 9e326f78713a4421fe11afc2ddeac07698fac131 upstream. + +We can call this function for a dummy console that doesn't support +setting the font mapping, which will result in a null ptr BUG. So check +for this case and return error for consoles w/o font mapping support. + +Reference: https://bugzilla.kernel.org/show_bug.cgi?id=59321 +Signed-off-by: Imre Deak +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/consolemap.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/tty/vt/consolemap.c ++++ b/drivers/tty/vt/consolemap.c +@@ -539,6 +539,12 @@ int con_set_unimap(struct vc_data *vc, u + + /* Save original vc_unipagdir_loc in case we allocate a new one */ + p = *vc->vc_uni_pagedir_loc; ++ ++ if (!p) { ++ err = -EINVAL; ++ ++ goto out_unlock; ++ } + + if (p->refcount > 1) { + int j, k; +@@ -623,6 +629,7 @@ int con_set_unimap(struct vc_data *vc, u + set_inverse_transl(vc, p, i); /* Update inverse translations */ + set_inverse_trans_unicode(vc, p); + ++out_unlock: + console_unlock(); + return err; + } diff --git a/queue-3.17/x86-apic-handle-a-bad-tsc-more-gracefully.patch b/queue-3.17/x86-apic-handle-a-bad-tsc-more-gracefully.patch new file mode 100644 index 00000000000..d88a406e164 --- /dev/null +++ b/queue-3.17/x86-apic-handle-a-bad-tsc-more-gracefully.patch @@ -0,0 +1,74 @@ +From b47dcbdc5161d3d5756f430191e2840d9b855492 Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Wed, 15 Oct 2014 10:12:07 -0700 +Subject: x86, apic: Handle a bad TSC more gracefully + +From: Andy Lutomirski + +commit b47dcbdc5161d3d5756f430191e2840d9b855492 upstream. + +If the TSC is unusable or disabled, then this patch fixes: + + - Confusion while trying to clear old APIC interrupts. + - Division by zero and incorrect programming of the TSC deadline + timer. + +This fixes boot if the CPU has a TSC deadline timer but a missing or +broken TSC. The failure to boot can be observed with qemu using +-cpu qemu64,-tsc,+tsc-deadline + +This also happens to me in nested KVM for unknown reasons. +With this patch, I can boot cleanly (although without a TSC). + +Signed-off-by: Andy Lutomirski +Cc: Bandan Das +Link: http://lkml.kernel.org/r/e2fa274e498c33988efac0ba8b7e3120f7f92d78.1413393027.git.luto@amacapital.net +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/apic/apic.c | 4 ++-- + arch/x86/kernel/tsc.c | 5 ++++- + 2 files changed, 6 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -1297,7 +1297,7 @@ void setup_local_APIC(void) + unsigned int value, queued; + int i, j, acked = 0; + unsigned long long tsc = 0, ntsc; +- long long max_loops = cpu_khz; ++ long long max_loops = cpu_khz ? cpu_khz : 1000000; + + if (cpu_has_tsc) + rdtscll(tsc); +@@ -1383,7 +1383,7 @@ void setup_local_APIC(void) + break; + } + if (queued) { +- if (cpu_has_tsc) { ++ if (cpu_has_tsc && cpu_khz) { + rdtscll(ntsc); + max_loops = (cpu_khz << 10) - (ntsc - tsc); + } else +--- a/arch/x86/kernel/tsc.c ++++ b/arch/x86/kernel/tsc.c +@@ -1166,14 +1166,17 @@ void __init tsc_init(void) + + x86_init.timers.tsc_pre_init(); + +- if (!cpu_has_tsc) ++ if (!cpu_has_tsc) { ++ setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER); + return; ++ } + + tsc_khz = x86_platform.calibrate_tsc(); + cpu_khz = tsc_khz; + + if (!tsc_khz) { + mark_tsc_unstable("could not calculate TSC khz"); ++ setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER); + return; + } + diff --git a/queue-3.17/xhci-disable-streams-on-asmedia-1042-xhci-controllers.patch b/queue-3.17/xhci-disable-streams-on-asmedia-1042-xhci-controllers.patch new file mode 100644 index 00000000000..a95f67291a1 --- /dev/null +++ b/queue-3.17/xhci-disable-streams-on-asmedia-1042-xhci-controllers.patch @@ -0,0 +1,44 @@ +From 2391eacbd00b706ff4902db7dbee21e33b6f1850 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 28 Oct 2014 11:05:29 +0100 +Subject: xhci: Disable streams on Asmedia 1042 xhci controllers + +From: Hans de Goede + +commit 2391eacbd00b706ff4902db7dbee21e33b6f1850 upstream. + +Streams seem to be broken on the Asmedia 1042. An uas capable Seagate disk +which is known to work fine with other controllers causes the system to freeze +when connected over usb-3 with this controller, where as it works fine with +uas in usb-2 ports, indicating a problem with streams. + +This is a bit bigger hammer then I would like to use for this, but for now it +will have to make do. I've ordered a pci-e usb controller card with an Asmedia +1042, once that arrives I'll try to get streams to work (with a quirk flag if +necessary) and then we can re-enable them. For now this at least makes uas +capable disk enclosures work again by forcing fallback to the usb-storage +driver. + +Reported-by: Bogdan Mihalcea +Cc: Bogdan Mihalcea +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-pci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -146,6 +146,10 @@ static void xhci_pci_quirks(struct devic + pdev->device == 0x3432) + xhci->quirks |= XHCI_BROKEN_STREAMS; + ++ if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && ++ pdev->device == 0x1042) ++ xhci->quirks |= XHCI_BROKEN_STREAMS; ++ + if (xhci->quirks & XHCI_RESET_ON_RESUME) + xhci_dbg_trace(xhci, trace_xhci_dbg_quirks, + "QUIRK: Resetting on resume"); diff --git a/queue-3.17/xhci-no-switching-back-on-non-ult-haswell.patch b/queue-3.17/xhci-no-switching-back-on-non-ult-haswell.patch new file mode 100644 index 00000000000..01e5af59bfe --- /dev/null +++ b/queue-3.17/xhci-no-switching-back-on-non-ult-haswell.patch @@ -0,0 +1,43 @@ +From b45abacde3d551c6696c6738bef4a1805d0bf27a Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Mon, 27 Oct 2014 14:53:29 +0100 +Subject: xhci: no switching back on non-ULT Haswell + +From: Oliver Neukum + +commit b45abacde3d551c6696c6738bef4a1805d0bf27a upstream. + +The switch back is limited to ULT even on HP. The contrary +finding arose by bad luck in BIOS versions for testing. +This fixes spontaneous resume from S3 on some HP laptops. + +Signed-off-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-pci.c | 14 -------------- + 1 file changed, 14 deletions(-) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -126,20 +126,6 @@ static void xhci_pci_quirks(struct devic + xhci->quirks |= XHCI_AVOID_BEI; + } + if (pdev->vendor == PCI_VENDOR_ID_INTEL && +- (pdev->device == PCI_DEVICE_ID_INTEL_LYNXPOINT_XHCI || +- pdev->device == PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI)) { +- /* Workaround for occasional spurious wakeups from S5 (or +- * any other sleep) on Haswell machines with LPT and LPT-LP +- * with the new Intel BIOS +- */ +- /* Limit the quirk to only known vendors, as this triggers +- * yet another BIOS bug on some other machines +- * https://bugzilla.kernel.org/show_bug.cgi?id=66171 +- */ +- if (pdev->subsystem_vendor == PCI_VENDOR_ID_HP) +- xhci->quirks |= XHCI_SPURIOUS_WAKEUP; +- } +- if (pdev->vendor == PCI_VENDOR_ID_INTEL && + pdev->device == PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI) { + xhci->quirks |= XHCI_SPURIOUS_REBOOT; + } diff --git a/queue-3.17/zap_pte_range-update-addr-when-forcing-flush-after-tlb-batching-faiure.patch b/queue-3.17/zap_pte_range-update-addr-when-forcing-flush-after-tlb-batching-faiure.patch new file mode 100644 index 00000000000..ddc4b9648ba --- /dev/null +++ b/queue-3.17/zap_pte_range-update-addr-when-forcing-flush-after-tlb-batching-faiure.patch @@ -0,0 +1,43 @@ +From ce9ec37bddb633404a0c23e1acb181a264e7f7f2 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Tue, 28 Oct 2014 13:16:28 -0700 +Subject: zap_pte_range: update addr when forcing flush after TLB batching faiure + +From: Will Deacon + +commit ce9ec37bddb633404a0c23e1acb181a264e7f7f2 upstream. + +When unmapping a range of pages in zap_pte_range, the page being +unmapped is added to an mmu_gather_batch structure for asynchronous +freeing. If we run out of space in the batch structure before the range +has been completely unmapped, then we break out of the loop, force a +TLB flush and free the pages that we have batched so far. If there are +further pages to unmap, then we resume the loop where we left off. + +Unfortunately, we forget to update addr when we break out of the loop, +which causes us to truncate the range being invalidated as the end +address is exclusive. When we re-enter the loop at the same address, the +page has already been freed and the pte_present test will fail, meaning +that we do not reconsider the address for invalidation. + +This patch fixes the problem by incrementing addr by the PAGE_SIZE +before breaking out of the loop on batch failure. + +Signed-off-by: Will Deacon +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memory.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1147,6 +1147,7 @@ again: + print_bad_pte(vma, addr, ptent, page); + if (unlikely(!__tlb_remove_page(tlb, page))) { + force_flush = 1; ++ addr += PAGE_SIZE; + break; + } + continue; -- 2.47.3