From 89973a18624817957230f1b159e1e4be1dbf60c3 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Sat, 13 Feb 2016 14:58:38 -0800
Subject: [PATCH] 3.14-stable patches
added patches:
fix-calculation-of-meta_bg-descriptor-backups.patch
jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch
media-vb2-dma-contig-fully-cache-synchronise-buffers-in-prepare-and-finish.patch
mtd-mtdpart-fix-add_mtd_partitions-error-path.patch
parisc-drop-unused-madv_xxxk_pages-flags-from-asm-mman.h.patch
parisc-fix-__arch_si_preamble_size.patch
parisc-fix-syscall-restarts.patch
pci-fix-minimum-allocation-address-overwrite.patch
revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch
spi-atmel-fix-dma-setup-for-transfers-with-more-than-8-bits-per-word.patch
spi-fix-parent-device-reference-leak.patch
spi-ti-qspi-fix-data-corruption-seen-on-r-w-stress-test.patch
tracing-fix-setting-of-start_index-in-find_next.patch
v4l2-compat-ioctl32-fix-alignment-for-arm64.patch
vtpm-fix-memory-allocation-flag-for-rtce-buffer-at-kernel-boot.patch
wlcore-wl12xx-spi-fix-null-pointer-dereference-oops.patch
wlcore-wl12xx-spi-fix-oops-on-firmware-load.patch
---
 ...lation-of-meta_bg-descriptor-backups.patch | 53 ++++++
 ...-after-truncate-in-data-journal-mode.patch | 62 +++++++
 ...ronise-buffers-in-prepare-and-finish.patch | 48 +++++
 ...rt-fix-add_mtd_partitions-error-path.patch | 36 ++++
 ...adv_xxxk_pages-flags-from-asm-mman.h.patch | 38 ++++
 .../parisc-fix-__arch_si_preamble_size.patch | 38 ++++
 queue-3.14/parisc-fix-syscall-restarts.patch | 130 +++++++++++++
 ...minimum-allocation-address-overwrite.patch | 52 ++++++
 ...-stalls-when-handling-invalid-ioctls.patch | 173 ++++++++++++++++++
 queue-3.14/series | 17 ++
 ...sfers-with-more-than-8-bits-per-word.patch | 34 ++++
 ...spi-fix-parent-device-reference-leak.patch | 36 ++++
 ...a-corruption-seen-on-r-w-stress-test.patch | 55 ++++++
 ...-setting-of-start_index-in-find_next.patch | 66 +++++++
 ...mpat-ioctl32-fix-alignment-for-arm64.patch | 66 +++++++
 ...-flag-for-rtce-buffer-at-kernel-boot.patch | 35 ++++
 ...pi-fix-null-pointer-dereference-oops.patch | 101 ++++++++++
 ...wl12xx-spi-fix-oops-on-firmware-load.patch | 117 ++++++++++++
 18 files changed, 1157 insertions(+)
 create mode 100644 queue-3.14/fix-calculation-of-meta_bg-descriptor-backups.patch
 create mode 100644 queue-3.14/jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch
 create mode 100644 queue-3.14/media-vb2-dma-contig-fully-cache-synchronise-buffers-in-prepare-and-finish.patch
 create mode 100644 queue-3.14/mtd-mtdpart-fix-add_mtd_partitions-error-path.patch
 create mode 100644 queue-3.14/parisc-drop-unused-madv_xxxk_pages-flags-from-asm-mman.h.patch
 create mode 100644 queue-3.14/parisc-fix-__arch_si_preamble_size.patch
 create mode 100644 queue-3.14/parisc-fix-syscall-restarts.patch
 create mode 100644 queue-3.14/pci-fix-minimum-allocation-address-overwrite.patch
 create mode 100644 queue-3.14/revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch
 create mode 100644 queue-3.14/spi-atmel-fix-dma-setup-for-transfers-with-more-than-8-bits-per-word.patch
 create mode 100644 queue-3.14/spi-fix-parent-device-reference-leak.patch
 create mode 100644 queue-3.14/spi-ti-qspi-fix-data-corruption-seen-on-r-w-stress-test.patch
 create mode 100644 queue-3.14/tracing-fix-setting-of-start_index-in-find_next.patch
 create mode 100644 queue-3.14/v4l2-compat-ioctl32-fix-alignment-for-arm64.patch
 create mode 100644 queue-3.14/vtpm-fix-memory-allocation-flag-for-rtce-buffer-at-kernel-boot.patch
 create mode 100644 queue-3.14/wlcore-wl12xx-spi-fix-null-pointer-dereference-oops.patch
 create mode 100644 queue-3.14/wlcore-wl12xx-spi-fix-oops-on-firmware-load.patch
diff --git a/queue-3.14/fix-calculation-of-meta_bg-descriptor-backups.patch b/queue-3.14/fix-calculation-of-meta_bg-descriptor-backups.patch
new file mode 100644
index 00000000000..9199d6ff753
--- /dev/null
+++ b/queue-3.14/fix-calculation-of-meta_bg-descriptor-backups.patch
@@ -0,0 +1,53 @@
+From 904dad4742d211b7a8910e92695c0fa957483836 Mon Sep 17 00:00:00 2001
+From: Andy Leiserson
+Date: Sun, 18 Oct 2015 00:36:29 -0400
+Subject: [PATCH] fix calculation of meta_bg descriptor backups
+
+From: Andy Leiserson
+
+commit 904dad4742d211b7a8910e92695c0fa957483836 upstream.
+
+"group" is the group where the backup will be placed, and is
+initialized to zero in the declaration. This meant that backups for
+meta_bg descriptors were erroneously written to the backup block group
+descriptors in groups 1 and (desc_per_block-1).
+
+Reproduction information:
+ mke2fs -Fq -t ext4 -b 1024 -O ^resize_inode /tmp/foo.img 16G
+ truncate -s 24G /tmp/foo.img
+ losetup /dev/loop0 /tmp/foo.img
+ mount /dev/loop0 /mnt
+ resize2fs /dev/loop0
+ umount /dev/loop0
+ dd if=/dev/zero of=/dev/loop0 bs=1024 count=2
+ e2fsck -fy /dev/loop0
+ losetup -d /dev/loop0
+
+Signed-off-by: Andy Leiserson
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/resize.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1030,7 +1030,7 @@ exit_free:
+ * do not copy the full number of backups at this time. The resize
+ * which changed s_groups_count will backup again.
+ */
+-static void update_backups(struct super_block *sb, int blk_off, char *data,
++static void update_backups(struct super_block *sb, sector_t blk_off, char *data,
+ int size, int meta_bg)
+ {
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+@@ -1055,7 +1055,7 @@ static void update_backups(struct super_
+ group = ext4_list_backups(sb, &three, &five, &seven);
+ last = sbi->s_groups_count;
+ } else {
+- group = ext4_meta_bg_first_group(sb, group) + 1;
++ group = ext4_get_group_number(sb, blk_off) + 1;
+ last = (ext4_group_t)(group + EXT4_DESC_PER_BLOCK(sb) - 2);
+ }
+
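Review bot: In the meta_bg branch of update_backups() in fs/ext4/resize.c, `blk_off` is now handed to `ext4_get_group_number()` as a filesystem block number, while its name and the unchanged comment above the function still read as an offset. The function comment should say which it is, for example a line stating that `blk_off` is the block number of the descriptor block being backed up when `meta_bg` is set; the exact wording needs checking against the callers, which are outside both hunks. The widening from `int` to `sector_t` only helps if every caller passes an untruncated block number, and this patch does not show them.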
diff --git a/queue-3.14/jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch b/queue-3.14/jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch
new file mode 100644
index 00000000000..07b3e1416c8
--- /dev/null
+++ b/queue-3.14/jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch
@@ -0,0 +1,62 @@
+From bc23f0c8d7ccd8d924c4e70ce311288cb3e61ea8 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Tue, 24 Nov 2015 15:34:35 -0500
+Subject: jbd2: Fix unreclaimed pages after truncate in data=journal mode
+
+From: Jan Kara
+
+commit bc23f0c8d7ccd8d924c4e70ce311288cb3e61ea8 upstream.
+
+Ted and Namjae have reported that truncated pages don't get timely
+reclaimed after being truncated in data=journal mode. The following test
+triggers the issue easily:
+
+for (i = 0; i < 1000; i++) {
+ pwrite(fd, buf, 1024*1024, 0);
+ fsync(fd);
+ fsync(fd);
+ ftruncate(fd, 0);
+}
+
+The reason is that journal_unmap_buffer() finds that truncated buffers
+are not journalled (jh->b_transaction == NULL), they are part of
+checkpoint list of a transaction (jh->b_cp_transaction != NULL) and have
+been already written out (!buffer_dirty(bh)). We clean such buffers but
+we leave them in the checkpoint list. Since checkpoint transaction holds
+a reference to the journal head, these buffers cannot be released until
+the checkpoint transaction is cleaned up. And at that point we don't
+call release_buffer_page() anymore so pages detached from mapping are
+lingering in the system waiting for reclaim to find them and free them.
+
+Fix the problem by removing buffers from transaction checkpoint lists
+when journal_unmap_buffer() finds out they don't have to be there
+anymore.
+
+Reported-and-tested-by: Namjae Jeon
+Fixes: de1b794130b130e77ffa975bb58cb843744f9ae5
+Signed-off-by: Jan Kara
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/jbd2/transaction.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -2066,6 +2066,7 @@ static int journal_unmap_buffer(journal_
+
+ if (!buffer_dirty(bh)) {
+ /* bdflush has written it. We can drop it now */
++ __jbd2_journal_remove_checkpoint(jh);
+ goto zap_buffer;
+ }
+
+@@ -2095,6 +2096,7 @@ static int journal_unmap_buffer(journal_
+ /* The orphan record's transaction has
+ * committed. We can cleanse this buffer */
+ clear_buffer_jbddirty(bh);
++ __jbd2_journal_remove_checkpoint(jh);
+ goto zap_buffer;
+ }
+ }
diff --git a/queue-3.14/media-vb2-dma-contig-fully-cache-synchronise-buffers-in-prepare-and-finish.patch b/queue-3.14/media-vb2-dma-contig-fully-cache-synchronise-buffers-in-prepare-and-finish.patch
new file mode 100644
index 00000000000..0da1da7adef
--- /dev/null
+++ b/queue-3.14/media-vb2-dma-contig-fully-cache-synchronise-buffers-in-prepare-and-finish.patch
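Review bot: Both added `__jbd2_journal_remove_checkpoint(jh)` calls in journal_unmap_buffer() (fs/jbd2/transaction.c) discard the return value and sit under comments that still describe only dropping the buffer. A line such as `/* already written out: also take it off the checkpoint list so the page can be freed */` at each site would keep the reason from living only in the commit message. The callee presumably expects the journal list lock to be held; the lock acquisition is outside both hunks, so that should be confirmed against the 3.14 tree rather than assumed from upstream.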
@@ -0,0 +1,48 @@
+From d9a985883fa32453d099d6293188c11d75cef1fa Mon Sep 17 00:00:00 2001
+From: Tiffany Lin
+Date: Thu, 24 Sep 2015 06:02:36 -0300
+Subject: [media] media: vb2 dma-contig: Fully cache synchronise buffers in prepare and finish
+
+From: Tiffany Lin
+
+commit d9a985883fa32453d099d6293188c11d75cef1fa upstream.
+
+In videobuf2 dma-contig memory type the prepare and finish ops, instead of
+passing the number of entries in the original scatterlist as the "nents"
+parameter to dma_sync_sg_for_device() and dma_sync_sg_for_cpu(), the value
+returned by dma_map_sg() was used. Albeit this has been suggested in
+comments of some implementations (which have since been corrected), this
+is wrong.
+
+Fixes: 199d101efdba ("v4l: vb2-dma-contig: add prepare/finish to dma-contig allocator")
+
+Signed-off-by: Tiffany Lin
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/v4l2-core/videobuf2-dma-contig.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-dma-contig.c
++++ b/drivers/media/v4l2-core/videobuf2-dma-contig.c
+@@ -117,7 +117,8 @@ static void vb2_dc_prepare(void *buf_pri
+ if (!sgt || buf->db_attach)
+ return;
+
+- dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir);
++ dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->orig_nents,
++ buf->dma_dir);
+ }
+
+ static void vb2_dc_finish(void *buf_priv)
+@@ -129,7 +130,7 @@ static void vb2_dc_finish(void *buf_priv
+ if (!sgt || buf->db_attach)
+ return;
+
+- dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir);
++ dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->orig_nents, buf->dma_dir);
+ }
+
+ /*********************************************/
diff --git a/queue-3.14/mtd-mtdpart-fix-add_mtd_partitions-error-path.patch b/queue-3.14/mtd-mtdpart-fix-add_mtd_partitions-error-path.patch
new file mode 100644
index 00000000000..57b6af41dfe
--- /dev/null
+++ b/queue-3.14/mtd-mtdpart-fix-add_mtd_partitions-error-path.patch
@@ -0,0 +1,36 @@
+From e5bae86797141e4a95e42d825f737cb36d7b8c37 Mon Sep 17 00:00:00 2001
+From: Boris BREZILLON
+Date: Thu, 30 Jul 2015 12:18:03 +0200
+Subject: mtd: mtdpart: fix add_mtd_partitions error path
+
+From: Boris BREZILLON
+
+commit e5bae86797141e4a95e42d825f737cb36d7b8c37 upstream.
+
+If we fail to allocate a partition structure in the middle of the partition
+creation process, the already allocated partitions are never removed, which
+means they are still present in the partition list and their resources are
+never freed.
+
+Signed-off-by: Boris Brezillon
+Signed-off-by: Brian Norris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/mtdpart.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/mtdpart.c
++++ b/drivers/mtd/mtdpart.c
+@@ -635,8 +635,10 @@ int add_mtd_partitions(struct mtd_info *
+
+ for (i = 0; i < nbparts; i++) {
+ slave = allocate_partition(master, parts + i, i, cur_offset);
+- if (IS_ERR(slave))
++ if (IS_ERR(slave)) {
++ del_mtd_partitions(master);
+ return PTR_ERR(slave);
++ }
+
+ mutex_lock(&mtd_partitions_mutex);
+ list_add(&slave->list, &mtd_partitions);
diff --git a/queue-3.14/parisc-drop-unused-madv_xxxk_pages-flags-from-asm-mman.h.patch b/queue-3.14/parisc-drop-unused-madv_xxxk_pages-flags-from-asm-mman.h.patch
new file mode 100644
index 00000000000..7bf0e348911
--- /dev/null
+++ b/queue-3.14/parisc-drop-unused-madv_xxxk_pages-flags-from-asm-mman.h.patch
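Review bot: The new error path in add_mtd_partitions() (drivers/mtd/mtdpart.c) calls `del_mtd_partitions(master)`, which by its name and argument removes every partition of `master`, not only the ones this call added; if partitions can already exist for the same master when add_mtd_partitions() runs, they would be torn down as well. The return value of `del_mtd_partitions()` is also dropped, so a partition that fails to unregister would stay on the list silently. Whether either case is reachable depends on code outside the hunk; a comment recording the assumption, e.g. `/* no partitions of master exist before this call, so removing all of them is safe */`, would make it reviewable.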
@@ -0,0 +1,38 @@
+From dcbf0d299c00ed4f82ea8d6e359ad88a5182f9b8 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Sun, 22 Nov 2015 12:14:14 +0100
+Subject: parisc: Drop unused MADV_xxxK_PAGES flags from asm/mman.h
+
+From: Helge Deller
+
+commit dcbf0d299c00ed4f82ea8d6e359ad88a5182f9b8 upstream.
+
+Drop the MADV_xxK_PAGES flags, which were never used and were from a proposed
+API which was never integrated into the generic Linux kernel code.
+
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/include/uapi/asm/mman.h | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+--- a/arch/parisc/include/uapi/asm/mman.h
++++ b/arch/parisc/include/uapi/asm/mman.h
+@@ -46,16 +46,6 @@
+ #define MADV_DONTFORK 10 /* don't inherit across fork */
+ #define MADV_DOFORK 11 /* do inherit across fork */
+
+-/* The range 12-64 is reserved for page size specification. */
+-#define MADV_4K_PAGES 12 /* Use 4K pages */
+-#define MADV_16K_PAGES 14 /* Use 16K pages */
+-#define MADV_64K_PAGES 16 /* Use 64K pages */
+-#define MADV_256K_PAGES 18 /* Use 256K pages */
+-#define MADV_1M_PAGES 20 /* Use 1 Megabyte pages */
+-#define MADV_4M_PAGES 22 /* Use 4 Megabyte pages */
+-#define MADV_16M_PAGES 24 /* Use 16 Megabyte pages */
+-#define MADV_64M_PAGES 26 /* Use 64 Megabyte pages */
+-
+ #define MADV_MERGEABLE 65 /* KSM may merge identical pages */
+ #define MADV_UNMERGEABLE 66 /* KSM may not merge identical pages */
+
diff --git a/queue-3.14/parisc-fix-__arch_si_preamble_size.patch b/queue-3.14/parisc-fix-__arch_si_preamble_size.patch
new file mode 100644
index 00000000000..7b2b873fb0f
--- /dev/null
+++ b/queue-3.14/parisc-fix-__arch_si_preamble_size.patch
@@ -0,0 +1,38 @@
+From e60fc5aa608eb38b47ba4ee058f306f739eb70a0 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Sun, 10 Jan 2016 09:30:42 +0100
+Subject: parisc: Fix __ARCH_SI_PREAMBLE_SIZE
+
+From: Helge Deller
+
+commit e60fc5aa608eb38b47ba4ee058f306f739eb70a0 upstream.
+
+On a 64bit kernel build the compiler aligns the _sifields union in the
+struct siginfo_t on a 64bit address. The __ARCH_SI_PREAMBLE_SIZE define
+compensates for this alignment and thus fixes the wait testcase of the
+strace package.
+
+The symptoms of a wrong __ARCH_SI_PREAMBLE_SIZE value is that
+_sigchld.si_stime variable is missed to be copied and thus after a
+copy_siginfo() will have uninitialized values.
+
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/include/uapi/asm/siginfo.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/parisc/include/uapi/asm/siginfo.h
++++ b/arch/parisc/include/uapi/asm/siginfo.h
+@@ -1,6 +1,10 @@
+ #ifndef _PARISC_SIGINFO_H
+ #define _PARISC_SIGINFO_H
+
++#if defined(__LP64__)
++#define __ARCH_SI_PREAMBLE_SIZE (4 * sizeof(int))
++#endif
++
+ #include
+
+ #undef NSIGTRAP
diff --git a/queue-3.14/parisc-fix-syscall-restarts.patch b/queue-3.14/parisc-fix-syscall-restarts.patch
new file mode 100644
index 00000000000..c192a02da07
--- /dev/null
+++ b/queue-3.14/parisc-fix-syscall-restarts.patch
@@ -0,0 +1,130 @@
+From 71a71fb5374a23be36a91981b5614590b9e722c3 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Mon, 21 Dec 2015 10:03:30 +0100
+Subject: parisc: Fix syscall restarts
+
+From: Helge Deller
+
+commit 71a71fb5374a23be36a91981b5614590b9e722c3 upstream.
+
+On parisc syscalls which are interrupted by signals sometimes failed to
+restart and instead returned -ENOSYS which in the worst case lead to
+userspace crashes.
+A similiar problem existed on MIPS and was fixed by commit e967ef02
+("MIPS: Fix restart of indirect syscalls").
+
+On parisc the current syscall restart code assumes that all syscall
+callers load the syscall number in the delay slot of the ble
+instruction. That's how it is e.g. done in the unistd.h header file:
+ ble 0x100(%sr2, %r0)
+ ldi #syscall_nr, %r20
+Because of that assumption the current code never restored %r20 before
+returning to userspace.
+
+This assumption is at least not true for code which uses the glibc
+syscall() function, which instead uses this syntax:
+ ble 0x100(%sr2, %r0)
+ copy regX, %r20
+where regX depend on how the compiler optimizes the code and register
+usage.
+
+This patch fixes this problem by adding code to analyze how the syscall
+number is loaded in the delay branch and - if needed - copy the syscall
+number to regX prior returning to userspace for the syscall restart.
+
+Signed-off-by: Helge Deller
+Cc: Mathieu Desnoyers
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/kernel/signal.c | 64 +++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 52 insertions(+), 12 deletions(-)
+
+--- a/arch/parisc/kernel/signal.c
++++ b/arch/parisc/kernel/signal.c
+@@ -442,6 +442,55 @@ handle_signal(unsigned long sig, siginfo
+ regs->gr[28]);
+ }
+
++/*
++ * Check how the syscall number gets loaded into %r20 within
++ * the delay branch in userspace and adjust as needed.
++ */
++
++static void check_syscallno_in_delay_branch(struct pt_regs *regs)
++{
++ u32 opcode, source_reg;
++ u32 __user *uaddr;
++ int err;
++
++ /* Usually we don't have to restore %r20 (the system call number)
++ * because it gets loaded in the delay slot of the branch external
++ * instruction via the ldi instruction.
++ * In some cases a register-to-register copy instruction might have
++ * been used instead, in which case we need to copy the syscall
++ * number into the source register before returning to userspace.
++ */
++
++ /* A syscall is just a branch, so all we have to do is fiddle the
++ * return pointer so that the ble instruction gets executed again.
++ */
++ regs->gr[31] -= 8; /* delayed branching */
++
++ /* Get assembler opcode of code in delay branch */
++ uaddr = (unsigned int *) ((regs->gr[31] & ~3) + 4);
++ err = get_user(opcode, uaddr);
++ if (err)
++ return;
++
++ /* Check if delay branch uses "ldi int,%r20" */
++ if ((opcode & 0xffff0000) == 0x34140000)
++ return; /* everything ok, just return */
++
++ /* Check if delay branch uses "nop" */
++ if (opcode == INSN_NOP)
++ return;
++
++ /* Check if delay branch uses "copy %rX,%r20" */
++ if ((opcode & 0xffe0ffff) == 0x08000254) {
++ source_reg = (opcode >> 16) & 31;
++ regs->gr[source_reg] = regs->gr[20];
++ return;
++ }
++
++ pr_warn("syscall restart: %s (pid %d): unexpected opcode 0x%08x\n",
++ current->comm, task_pid_nr(current), opcode);
++}
++
+ static inline void
+ syscall_restart(struct pt_regs *regs, struct k_sigaction *ka)
+ {
+@@ -464,10 +513,7 @@ syscall_restart(struct pt_regs *regs, st
+ }
+ /* fallthrough */
+ case -ERESTARTNOINTR:
+- /* A syscall is just a branch, so all
+- * we have to do is fiddle the return pointer.
+- */
+- regs->gr[31] -= 8; /* delayed branching */
++ check_syscallno_in_delay_branch(regs);
+ break;
+ }
+ }
+@@ -516,15 +562,9 @@ insert_restart_trampoline(struct pt_regs
+ }
+ case -ERESTARTNOHAND:
+ case -ERESTARTSYS:
+- case -ERESTARTNOINTR: {
+- /* Hooray for delayed branching. We don't
+- * have to restore %r20 (the system call
+- * number) because it gets loaded in the delay
+- * slot of the branch external instruction.
+- */
+- regs->gr[31] -= 8;
++ case -ERESTARTNOINTR:
++ check_syscallno_in_delay_branch(regs);
+ return;
+- }
+ default:
+ break;
+ }
diff --git a/queue-3.14/pci-fix-minimum-allocation-address-overwrite.patch b/queue-3.14/pci-fix-minimum-allocation-address-overwrite.patch
new file mode 100644
index 00000000000..77d19c5c514
--- /dev/null
+++ b/queue-3.14/pci-fix-minimum-allocation-address-overwrite.patch
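Review bot: The `pr_warn()` at the end of check_syscallno_in_delay_branch() (arch/parisc/kernel/signal.c) fires on an opcode read from user memory, so a process that chooses its own delay-slot instruction can emit one kernel log line per restarted syscall; `pr_warn_ratelimited(...)` with the same arguments would bound that. The assignment `uaddr = (unsigned int *) ((regs->gr[31] & ~3) + 4);` drops the `__user` annotation of the declared `u32 __user *uaddr`, and casting with `(u32 __user *)` would keep sparse checking intact. When `get_user()` fails the function returns with `regs->gr[31]` already rewound and nothing logged, which matches the old behaviour but deserves a one-line comment.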
@@ -0,0 +1,52 @@
+From 3460baa620685c20f5ee19afb6d99d26150c382c Mon Sep 17 00:00:00 2001
+From: Christoph Biedl
+Date: Wed, 23 Dec 2015 16:51:57 +0100
+Subject: PCI: Fix minimum allocation address overwrite
+
+From: Christoph Biedl
+
+commit 3460baa620685c20f5ee19afb6d99d26150c382c upstream.
+
+Commit 36e097a8a297 ("PCI: Split out bridge window override of minimum
+allocation address") claimed to do no functional changes but unfortunately
+did: The "min" variable is altered. At least the AVM A1 PCMCIA adapter was
+no longer detected, breaking ISDN operation.
+
+Use a local copy of "min" to restore the previous behaviour.
+
+[bhelgaas: avoid gcc "?:" extension for portability and readability]
+Fixes: 36e097a8a297 ("PCI: Split out bridge window override of minimum allocation address")
+Signed-off-by: Christoph Biedl
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/bus.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/bus.c
++++ b/drivers/pci/bus.c
+@@ -147,6 +147,8 @@ static int pci_bus_alloc_from_region(str
+ type_mask |= IORESOURCE_IO | IORESOURCE_MEM;
+
+ pci_bus_for_each_resource(bus, r, i) {
++ resource_size_t min_used = min;
++
+ if (!r)
+ continue;
+
+@@ -170,12 +172,12 @@ static int pci_bus_alloc_from_region(str
+ * overrides "min".
+ */
+ if (avail.start)
+- min = avail.start;
++ min_used = avail.start;
+
+ max = avail.end;
+
+ /* Ok, try it out.. */
+- ret = allocate_resource(r, res, size, min, max,
++ ret = allocate_resource(r, res, size, min_used, max,
+ align, alignf, alignf_data);
+ if (ret == 0)
+ return 0;
diff --git a/queue-3.14/revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch b/queue-3.14/revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch
new file mode 100644
index 00000000000..6721f0e7b3c
--- /dev/null
+++ b/queue-3.14/revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch
@@ -0,0 +1,173 @@
+From 47796938c46b943d157ac8a6f9ed4e3b98b83cf4 Mon Sep 17 00:00:00 2001
+From: Mauricio Faria de Oliveira
+Date: Thu, 29 Oct 2015 10:24:23 -0200
+Subject: Revert "dm mpath: fix stalls when handling invalid ioctls"
+
+From: Mauricio Faria de Oliveira
+
+commit 47796938c46b943d157ac8a6f9ed4e3b98b83cf4 upstream.
+
+This reverts commit a1989b330093578ea5470bea0a00f940c444c466.
+
+That commit introduced a regression at least for the case of the SG_IO ioctl()
+running without CAP_SYS_RAWIO capability (e.g., unprivileged users) when there
+are no active paths: the ioctl() fails with the ENOTTY errno immediately rather
+than blocking due to queue_if_no_path until a path becomes active, for example.
+
+That case happens to be exercised by QEMU KVM guests with 'scsi-block' devices
+(qemu "-device scsi-block" [1], libvirt "" [2])
+from multipath devices; which leads to SCSI/filesystem errors in such a guest.
+
+More general scenarios can hit that regression too. The following demonstration
+employs a SG_IO ioctl() with a standard SCSI INQUIRY command for this objective
+(some output & user changes omitted for brevity and comments added for clarity).
+
+Reverting that commit restores normal operation (queueing) in failing scenarios;
+tested on linux-next (next-20151022).
+
+1) Test-case is based on sg_simple0 [3] (just SG_IO; remove SG_GET_VERSION_NUM)
+
+ $ cat sg_simple0.c
+ ... see [3] ...
+ $ sed '/SG_GET_VERSION_NUM/,/}/d' sg_simple0.c > sgio_inquiry.c
+ $ gcc sgio_inquiry.c -o sgio_inquiry
+
+2) The ioctl() works fine with active paths present.
+
+ # multipath -l 85ag56
+ 85ag56 (...) dm-19 IBM ,2145
+ size=60G features='1 queue_if_no_path' hwhandler='0' wp=rw
+ |-+- policy='service-time 0' prio=0 status=active
+ | |- 8:0:11:0 sdz 65:144 active undef running
+ | `- 9:0:9:0 sdbf 67:144 active undef running
+ `-+- policy='service-time 0' prio=0 status=enabled
+ |- 8:0:12:0 sdae 65:224 active undef running
+ `- 9:0:12:0 sdbo 68:32 active undef running
+
+ $ ./sgio_inquiry /dev/mapper/85ag56
+ Some of the INQUIRY command's response:
+ IBM 2145 0000
+ INQUIRY duration=0 millisecs, resid=0
+
+3) The ioctl() fails with ENOTTY errno with _no_ active paths present,
+ for unprivileged users (rather than blocking due to queue_if_no_path).
+
+ # for path in $(multipath -l 85ag56 | grep -o 'sd[a-z]\+'); \
+ do multipathd -k"fail path $path"; done
+
+ # multipath -l 85ag56
+ 85ag56 (...) dm-19 IBM ,2145
+ size=60G features='1 queue_if_no_path' hwhandler='0' wp=rw
+ |-+- policy='service-time 0' prio=0 status=enabled
+ | |- 8:0:11:0 sdz 65:144 failed undef running
+ | `- 9:0:9:0 sdbf 67:144 failed undef running
+ `-+- policy='service-time 0' prio=0 status=enabled
+ |- 8:0:12:0 sdae 65:224 failed undef running
+ `- 9:0:12:0 sdbo 68:32 failed undef running
+
+ $ ./sgio_inquiry /dev/mapper/85ag56
+ sg_simple0: Inquiry SG_IO ioctl error: Inappropriate ioctl for device
+
+4) dmesg shows that scsi_verify_blk_ioctl() failed for SG_IO (0x2285);
+ it returns -ENOIOCTLCMD, later replaced with -ENOTTY in vfs_ioctl().
+
+ $ dmesg
+ <...>
+ [] device-mapper: multipath: Failing path 65:144.
+ [] device-mapper: multipath: Failing path 67:144.
+ [] device-mapper: multipath: Failing path 65:224.
+ [] device-mapper: multipath: Failing path 68:32.
+ [] sgio_inquiry: sending ioctl 2285 to a partition!
+
+5) The ioctl() only works if the SYS_CAP_RAWIO capability is present
+ (then queueing happens -- in this example, queue_if_no_path is set);
+ this is due to a conditional check in scsi_verify_blk_ioctl().
+
+ # capsh --drop=cap_sys_rawio -- -c './sgio_inquiry /dev/mapper/85ag56'
+ sg_simple0: Inquiry SG_IO ioctl error: Inappropriate ioctl for device
+
+ # ./sgio_inquiry /dev/mapper/85ag56 &
+ [1] 72830
+
+ # cat /proc/72830/stack
+ [] 0xc00000171c0df700
+ [] __switch_to+0x204/0x350
+ [] msleep+0x5c/0x80
+ [] dm_blk_ioctl+0x70/0x170
+ [] blkdev_ioctl+0x2b0/0x9b0
+ [] block_ioctl+0x64/0xd0
+ [] do_vfs_ioctl+0x490/0x780
+ [] SyS_ioctl+0xd4/0xf0
+ [] system_call+0x38/0xd0
+
+6) This is the function call chain exercised in this analysis:
+
+SYSCALL_DEFINE3(ioctl, <...>) @ fs/ioctl.c
+ -> do_vfs_ioctl()
+ -> vfs_ioctl()
+ ...
+ error = filp->f_op->unlocked_ioctl(filp, cmd, arg);
+ ...
+ -> dm_blk_ioctl() @ drivers/md/dm.c
+ -> multipath_ioctl() @ drivers/md/dm-mpath.c
+ ...
+ (bdev = NULL, due to no active paths)
+ ...
+ if (!bdev || <...>) {
+ int err = scsi_verify_blk_ioctl(NULL, cmd);
+ if (err)
+ r = err;
+ }
+ ...
+ -> scsi_verify_blk_ioctl() @ block/scsi_ioctl.c
+ ...
+ if (bd && bd == bd->bd_contains) // not taken (bd = NULL)
+ return 0;
+ ...
+ if (capable(CAP_SYS_RAWIO)) // not taken (unprivileged user)
+ return 0;
+ ...
+ printk_ratelimited(KERN_WARNING
+ "%s: sending ioctl %x to a partition!\n" <...>);
+
+ return -ENOIOCTLCMD;
+ <-
+ ...
+ return r ? : <...>
+ <-
+ ...
+ if (error == -ENOIOCTLCMD)
+ error = -ENOTTY;
+ out:
+ return error;
+ ...
+
+Links:
+[1] http://git.qemu.org/?p=qemu.git;a=commit;h=336a6915bc7089fb20fea4ba99972ad9a97c5f52
+[2] https://libvirt.org/formatdomain.html#elementsDisks (see 'disk' -> 'device')
+[3] http://tldp.org/HOWTO/SCSI-Generic-HOWTO/pexample.html (Revision 1.2, 2002-05-03)
+
+Signed-off-by: Mauricio Faria de Oliveira
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm-mpath.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/md/dm-mpath.c
++++ b/drivers/md/dm-mpath.c
+@@ -1626,11 +1626,8 @@ static int multipath_ioctl(struct dm_tar
+ /*
+ * Only pass ioctls through if the device sizes match exactly.
+ */
+- if (!bdev || ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT) {
+- int err = scsi_verify_blk_ioctl(NULL, cmd);
+- if (err)
+- r = err;
+- }
++ if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)
++ r = scsi_verify_blk_ioctl(NULL, cmd);
+
+ if (r == -ENOTCONN && !fatal_signal_pending(current))
+ queue_work(kmultipathd, &m->process_queued_ios);
diff --git a/queue-3.14/series b/queue-3.14/series
index e81a4579c24..6c9bb1c1916 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
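Review bot: In multipath_ioctl() (drivers/md/dm-mpath.c) the restored condition `if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)` dereferences `bdev` with `!r` as its only guard, so it is safe only while every path that leaves `bdev` NULL also sets `r` non-zero. That assignment is outside the hunk; a comment such as `/* r != 0 whenever bdev is NULL (no usable path), so bdev is valid here */` would make the invariant visible to the next backport. The `scsi_verify_blk_ioctl()` call, which the commit message describes as the CAP_SYS_RAWIO check, is now skipped while `r` is non-zero, so it should be confirmed in the 3.14 tree that a queued ioctl passes through this function again once a path returns.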
@@ -12,3 +12,20 @@ ocfs2-fix-sgid-not-inherited-issue.patch
 ocfs2-dlm-ignore-cleaning-the-migration-mle-that-is-inuse.patch
 ocfs2-dlm-clear-refmap-bit-of-recovery-lock-while-doing-local-recovery-cleanup.patch
 sh64-fix-__nr_fgetxattr.patch
+revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch
+spi-atmel-fix-dma-setup-for-transfers-with-more-than-8-bits-per-word.patch
+spi-ti-qspi-fix-data-corruption-seen-on-r-w-stress-test.patch
+spi-fix-parent-device-reference-leak.patch
+wlcore-wl12xx-spi-fix-oops-on-firmware-load.patch
+wlcore-wl12xx-spi-fix-null-pointer-dereference-oops.patch
+vtpm-fix-memory-allocation-flag-for-rtce-buffer-at-kernel-boot.patch
+mtd-mtdpart-fix-add_mtd_partitions-error-path.patch
+pci-fix-minimum-allocation-address-overwrite.patch
+tracing-fix-setting-of-start_index-in-find_next.patch
+jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch
+fix-calculation-of-meta_bg-descriptor-backups.patch
+parisc-drop-unused-madv_xxxk_pages-flags-from-asm-mman.h.patch
+parisc-fix-syscall-restarts.patch
+parisc-fix-__arch_si_preamble_size.patch
+v4l2-compat-ioctl32-fix-alignment-for-arm64.patch
+media-vb2-dma-contig-fully-cache-synchronise-buffers-in-prepare-and-finish.patch
diff --git a/queue-3.14/spi-atmel-fix-dma-setup-for-transfers-with-more-than-8-bits-per-word.patch b/queue-3.14/spi-atmel-fix-dma-setup-for-transfers-with-more-than-8-bits-per-word.patch
new file mode 100644
index 00000000000..45cd794e31d
--- /dev/null
+++ b/queue-3.14/spi-atmel-fix-dma-setup-for-transfers-with-more-than-8-bits-per-word.patch
@@ -0,0 +1,34 @@
+From 06515f83908d038d9e12ffa3dcca27a1b67f2de0 Mon Sep 17 00:00:00 2001
+From: David Mosberger-Tang
+Date: Tue, 20 Oct 2015 14:26:47 +0200
+Subject: spi: atmel: Fix DMA-setup for transfers with more than 8 bits per word
+
+From: David Mosberger-Tang
+
+commit 06515f83908d038d9e12ffa3dcca27a1b67f2de0 upstream.
+
+The DMA-slave configuration depends on the whether <= 8 or > 8 bits
+are transferred per word, so we need to call
+atmel_spi_dma_slave_config() with the correct value.
+
+Signed-off-by: David Mosberger
+Signed-off-by: Nicolas Ferre
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-atmel.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-atmel.c
++++ b/drivers/spi/spi-atmel.c
+@@ -593,7 +593,8 @@ static int atmel_spi_next_xfer_dma_submi
+
+ *plen = len;
+
+- if (atmel_spi_dma_slave_config(as, &slave_config, 8))
++ if (atmel_spi_dma_slave_config(as, &slave_config,
++ xfer->bits_per_word))
+ goto err_exit;
+
+ /* Send both scatterlists */
diff --git a/queue-3.14/spi-fix-parent-device-reference-leak.patch b/queue-3.14/spi-fix-parent-device-reference-leak.patch
new file mode 100644
index 00000000000..026cda9e2e2
--- /dev/null
+++ b/queue-3.14/spi-fix-parent-device-reference-leak.patch
@@ -0,0 +1,36 @@
+From 157f38f993919b648187ba341bfb05d0e91ad2f6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 14 Dec 2015 16:16:19 +0100
+Subject: spi: fix parent-device reference leak
+
+From: Johan Hovold
+
+commit 157f38f993919b648187ba341bfb05d0e91ad2f6 upstream.
+
+Fix parent-device reference leak due to SPI-core taking an unnecessary
+reference to the parent when allocating the master structure, a
+reference that was never released.
+
+Note that driver core takes its own reference to the parent when the
+master device is registered.
+
+Fixes: 49dce689ad4e ("spi doesn't need class_device")
+Signed-off-by: Johan Hovold
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -1268,7 +1268,7 @@ struct spi_master *spi_alloc_master(stru
+ master->bus_num = -1;
+ master->num_chipselect = 1;
+ master->dev.class = &spi_master_class;
+- master->dev.parent = get_device(dev);
++ master->dev.parent = dev;
+ spi_master_set_devdata(master, &master[1]);
+
+ return master;
diff --git a/queue-3.14/spi-ti-qspi-fix-data-corruption-seen-on-r-w-stress-test.patch b/queue-3.14/spi-ti-qspi-fix-data-corruption-seen-on-r-w-stress-test.patch
new file mode 100644
index 00000000000..be6be3a6d3f
--- /dev/null
+++ b/queue-3.14/spi-ti-qspi-fix-data-corruption-seen-on-r-w-stress-test.patch
@@ -0,0 +1,55 @@
+From bc27a53928981662079aa243915b443370294a03 Mon Sep 17 00:00:00 2001
+From: Vignesh R
+Date: Mon, 12 Oct 2015 13:22:02 +0530
+Subject: spi: ti-qspi: Fix data corruption seen on r/w stress test
+
+From: Vignesh R
+
+commit bc27a53928981662079aa243915b443370294a03 upstream.
+
+Writing invalid command to QSPI_SPI_CMD_REG will terminate current
+transfer and de-assert the chip select. This has to be done before
+calling spi_finalize_current_message(). Because
+spi_finalize_current_message() will mark the end of current message
+transfer and schedule the next transfer. If the chipselect is not
+de-asserted before calling spi_finalize_current_message() then the next
+transfer will overlap with the previous transfer leading to data
+corruption.
+__spi_pump_message() can be called either from kthread worker context or
+directly from the calling process's context. It is possible that these
+two calls can race against each other. But race is serialized by
+checking whether master->cur_msg == NULL (pointer to msg being handled
+by transfer_one() at present). The master->cur_msg is set to NULL when
+spi_finalize_current_message() is called on that message, which means
+calling spi_finalize_current_message() allows __spi_sync() to pump next
+message in calling process context.
+Now if spi-ti-qspi calls spi_finalize_current_message() before we
+terminate transfer at hardware side, if __spi_pump_message() is called
+from process context then the successive transactions can overlap.
+
+Fix this by moving writing invalid command to QSPI_SPI_CMD_REG to
+before calling spi_finalize_current_message() call.
+
+Signed-off-by: Vignesh R
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-ti-qspi.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-ti-qspi.c
++++ b/drivers/spi/spi-ti-qspi.c
+@@ -364,11 +364,10 @@ static int ti_qspi_start_transfer_one(st
+
+ mutex_unlock(&qspi->list_lock);
+
++ ti_qspi_write(qspi, qspi->cmd | QSPI_INVAL, QSPI_SPI_CMD_REG);
+ m->status = status;
+ spi_finalize_current_message(master);
+
+- ti_qspi_write(qspi, qspi->cmd | QSPI_INVAL, QSPI_SPI_CMD_REG);
+-
+ return status;
+ }
+
diff --git a/queue-3.14/tracing-fix-setting-of-start_index-in-find_next.patch b/queue-3.14/tracing-fix-setting-of-start_index-in-find_next.patch
new file mode 100644
index 00000000000..ce027108f5d
--- /dev/null
+++ b/queue-3.14/tracing-fix-setting-of-start_index-in-find_next.patch
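Review bot: The new position of `ti_qspi_write(qspi, qspi->cmd | QSPI_INVAL, QSPI_SPI_CMD_REG);` in ti_qspi_start_transfer_one() (drivers/spi/spi-ti-qspi.c) is an ordering requirement that the code itself does not state. Put the reason from the commit message next to it, e.g. `/* end the transfer and de-assert CS before finalizing: finalize lets the next message start */`, so the write is not moved back during a later cleanup. The write also sits after `mutex_unlock(&qspi->list_lock)`; whether anything else can touch QSPI_SPI_CMD_REG in that window is not visible in the hunk and is worth checking. The function begins outside the hunk.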
@@ -0,0 +1,66 @@
+From f36d1be2930ede0a1947686e1126ffda5d5ee1bb Mon Sep 17 00:00:00 2001
+From: Qiu Peiyang
+Date: Thu, 31 Dec 2015 13:11:28 +0800
+Subject: tracing: Fix setting of start_index in find_next()
+
+From: Qiu Peiyang
+
+commit f36d1be2930ede0a1947686e1126ffda5d5ee1bb upstream.
+
+When we do cat /sys/kernel/debug/tracing/printk_formats, we hit kernel
+panic at t_show.
+
+general protection fault: 0000 [#1] PREEMPT SMP
+CPU: 0 PID: 2957 Comm: sh Tainted: G W O 3.14.55-x86_64-01062-gd4acdc7 #2
+RIP: 0010:[]
+ [] t_show+0x22/0xe0
+RSP: 0000:ffff88002b4ebe80 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004
+RDX: 0000000000000004 RSI: ffffffff81fd26a6 RDI: ffff880032f9f7b1
+RBP: ffff88002b4ebe98 R08: 0000000000001000 R09: 000000000000ffec
+R10: 0000000000000000 R11: 000000000000000f R12: ffff880004d9b6c0
+R13: 7365725f6d706400 R14: ffff880004d9b6c0 R15: ffffffff82020570
+FS: 0000000000000000(0000) GS:ffff88003aa00000(0063) knlGS:00000000f776bc40
+CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
+CR2: 00000000f6c02ff0 CR3: 000000002c2b3000 CR4: 00000000001007f0
+Call Trace:
+ [] seq_read+0x2f6/0x3e0
+ [] vfs_read+0x9b/0x160
+ [] SyS_read+0x49/0xb0
+ [] ia32_do_call+0x13/0x13
+ ---[ end trace 5bd9eb630614861e ]---
+Kernel panic - not syncing: Fatal exception
+
+When the first time find_next calls find_next_mod_format, it should
+iterate the trace_bprintk_fmt_list to find the first print format of
+the module. However in current code, start_index is smaller than *pos
+at first, and code will not iterate the list. Latter container_of will
+get the wrong address with former v, which will cause mod_fmt be a
+meaningless object and so is the returned mod_fmt->fmt.
+
+This patch will fix it by correcting the start_index. After fixed,
+when the first time calls find_next_mod_format, start_index will be
+equal to *pos, and code will iterate the trace_bprintk_fmt_list to
+get the right module printk format, so is the returned mod_fmt->fmt.
+
+Link: http://lkml.kernel.org/r/5684B900.9000309@intel.com
+
+Fixes: 102c9323c35a8 "tracing: Add __tracepoint_string() to export string pointers"
+Signed-off-by: Qiu Peiyang
+Signed-off-by: Steven Rostedt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/trace/trace_printk.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/trace_printk.c
++++ b/kernel/trace/trace_printk.c
+@@ -269,6 +269,7 @@ static const char **find_next(void *v, l
+ if (*pos < last_index + start_index)
+ return __start___tracepoint_str + (*pos - last_index);
+
++ start_index += last_index;
+ return find_next_mod_format(start_index, v, fmt, pos);
+ }
+
diff --git a/queue-3.14/v4l2-compat-ioctl32-fix-alignment-for-arm64.patch b/queue-3.14/v4l2-compat-ioctl32-fix-alignment-for-arm64.patch
new file mode 100644
index 00000000000..ca09907cfd4
--- /dev/null
+++ b/queue-3.14/v4l2-compat-ioctl32-fix-alignment-for-arm64.patch
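Review bot: `start_index += last_index;` in find_next() (kernel/trace/trace_printk.c) carries the whole fix but has no comment, and the index arithmetic around it is exactly what went wrong before. A line above it along the lines of `/* module formats are indexed after the built-in formats and the tracepoint strings */` would make the intended ranges explicit. The commit message ties the fault to container_of() being applied to a stale `v` inside find_next_mod_format(); that helper is not in the hunk, so it is worth confirming it cannot dereference `v` unless its list walk actually ran. The function begins outside the hunk.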
@@ -0,0 +1,66 @@
+From 655e9780ab913a3a06d4a164d55e3b755524186d Mon Sep 17 00:00:00 2001
+From: Andrzej Hajda
+Date: Mon, 31 Aug 2015 08:56:15 -0300
+Subject: [media] v4l2-compat-ioctl32: fix alignment for ARM64
+
+From: Andrzej Hajda
+
+commit 655e9780ab913a3a06d4a164d55e3b755524186d upstream.
+
+Alignment/padding rules on AMD64 and ARM64 differs. To allow properly match
+compatible ioctls on ARM64 kernels without breaking AMD64 some fields
+should be aligned using compat_s64 type and in one case struct should be
+unpacked.
+
+Signed-off-by: Andrzej Hajda
+[hans.verkuil@cisco.com: use compat_u64 instead of compat_s64 in v4l2_input32]
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+
+Signed-off-by: Mauro Carvalho Chehab
+
+---
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+@@ -264,7 +264,7 @@ static int put_v4l2_create32(struct v4l2
+
+ struct v4l2_standard32 {
+ __u32 index;
+- __u32 id[2]; /* __u64 would get the alignment wrong */
++ compat_u64 id;
+ __u8 name[24];
+ struct v4l2_fract frameperiod; /* Frames, not fields */
+ __u32 framelines;
+@@ -284,7 +284,7 @@ static int put_v4l2_standard32(struct v4
+ {
+ if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_standard32)) ||
+ put_user(kp->index, &up->index) ||
+- copy_to_user(up->id, &kp->id, sizeof(__u64)) ||
++ put_user(kp->id, &up->id) ||
+ copy_to_user(up->name, kp->name, 24) ||
+ copy_to_user(&up->frameperiod, &kp->frameperiod, sizeof(kp->frameperiod)) ||
+ put_user(kp->framelines, &up->framelines) ||
+@@ -576,10 +576,10 @@ struct v4l2_input32 {
+ __u32 type; /* Type of input */
+ __u32 audioset; /* Associated audios (bitfield) */
+ __u32 tuner; /* Associated tuner */
+- v4l2_std_id std;
++ compat_u64 std;
+ __u32 status;
+ __u32 reserved[4];
+-} __attribute__ ((packed));
++};
+
+ /* The 64-bit v4l2_input struct has extra padding at the end of the struct.
+ Otherwise it is identical to the 32-bit version. */
+@@ -719,6 +719,7 @@ static int put_v4l2_ext_controls32(struc
+ struct v4l2_event32 {
+ __u32 type;
+ union {
++ compat_s64 value64;
+ __u8 data[64];
+ } u;
+ __u32 pending;
diff --git a/queue-3.14/vtpm-fix-memory-allocation-flag-for-rtce-buffer-at-kernel-boot.patch b/queue-3.14/vtpm-fix-memory-allocation-flag-for-rtce-buffer-at-kernel-boot.patch
new file mode 100644
index 00000000000..6af7abe116b
--- /dev/null
+++ b/queue-3.14/vtpm-fix-memory-allocation-flag-for-rtce-buffer-at-kernel-boot.patch
@@ -0,0 +1,35 @@
+From 60ecd86c4d985750efa0ea3d8610972b09951715 Mon Sep 17 00:00:00 2001
+From: "Hon Ching \\(Vicky\\) Lo"
+Date: Wed, 7 Oct 2015 20:11:51 -0400
+Subject: vTPM: fix memory allocation flag for rtce buffer at kernel boot
+
+From: Hon Ching \(Vicky\) Lo
+
+commit 60ecd86c4d985750efa0ea3d8610972b09951715 upstream.
+
+At ibm vtpm initialzation, tpm_ibmvtpm_probe() registers its interrupt
+handler, ibmvtpm_interrupt, which calls ibmvtpm_crq_process to allocate
+memory for rtce buffer. The current code uses 'GFP_KERNEL' as the
+type of kernel memory allocation, which resulted a warning at
+kernel/lockdep.c. This patch uses 'GFP_ATOMIC' instead so that the
+allocation is high-priority and does not sleep.
+
+Signed-off-by: Hon Ching(Vicky) Lo
+Signed-off-by: Peter Huewe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/tpm/tpm_ibmvtpm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm_ibmvtpm.c
++++ b/drivers/char/tpm/tpm_ibmvtpm.c
+@@ -490,7 +490,7 @@ static void ibmvtpm_crq_process(struct i
+ }
+ ibmvtpm->rtce_size = be16_to_cpu(crq->len);
+ ibmvtpm->rtce_buf = kmalloc(ibmvtpm->rtce_size,
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ if (!ibmvtpm->rtce_buf) {
+ dev_err(ibmvtpm->dev, "Failed to allocate memory for rtce buffer\n");
+ return;
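Review bot: Dropping `__attribute__ ((packed))` from `struct v4l2_input32` and switching `std` to `compat_u64` (drivers/media/v4l2-core/v4l2-compat-ioctl32.c) makes the struct's size and tail padding depend on the architecture's compat alignment, and nothing in the change pins the resulting layout. Because these structs define what is copied to and from 32-bit user space, a compile-time size check per compat struct (a `BUILD_BUG_ON` comparing `sizeof(struct v4l2_input32)` with the size 32-bit user space uses) would catch a mismatch at build time instead of at ioctl time. If any helper copies one of these structs as a whole rather than field by field, the new padding bytes would also have to be zeroed before the copy; the input32 helpers are outside the hunks, so this needs checking. The `compat_s64 value64;` member added to `v4l2_event32` looks like it exists only to set the union's alignment and deserves a comment saying so.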
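Review bot: In ibmvtpm_crq_process() (drivers/char/tpm/tpm_ibmvtpm.c) `rtce_size` comes straight from `crq->len` and is handed to kmalloc() with no range check, which the flag change leaves as it was. A length of 0 makes kmalloc() return ZERO_SIZE_PTR, which passes the `!ibmvtpm->rtce_buf` test, so later users of the buffer would operate on a zero-byte allocation. A guard before the allocation, `if (!ibmvtpm->rtce_size) { dev_err(ibmvtpm->dev, "invalid rtce size\n"); return; }`, closes that. GFP_ATOMIC also fails more readily than GFP_KERNEL, so the error return becomes a realistic path; whether the rest of the driver copes with a missing rtce buffer, and whether a repeated message would overwrite an earlier `rtce_buf`, lies outside the hunk.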
diff --git a/queue-3.14/wlcore-wl12xx-spi-fix-null-pointer-dereference-oops.patch b/queue-3.14/wlcore-wl12xx-spi-fix-null-pointer-dereference-oops.patch
new file mode 100644
index 00000000000..e6f0ed7288b
--- /dev/null
+++ b/queue-3.14/wlcore-wl12xx-spi-fix-null-pointer-dereference-oops.patch
@@ -0,0 +1,101 @@
+From e47301b06d5a65678690f04c2248fd181db1e59a Mon Sep 17 00:00:00 2001
+From: Uri Mashiach
+Date: Thu, 24 Dec 2015 16:05:00 +0200
+Subject: wlcore/wl12xx: spi: fix NULL pointer dereference (Oops)
+
+From: Uri Mashiach
+
+commit e47301b06d5a65678690f04c2248fd181db1e59a upstream.
+
+Fix the below Oops when trying to modprobe wlcore_spi.
+The oops occurs because the wl1271_power_{off,on}()
+function doesn't check the power() function pointer.
+
+[ 23.401447] Unable to handle kernel NULL pointer dereference at
+virtual address 00000000
+[ 23.409954] pgd = c0004000
+[ 23.412922] [00000000] *pgd=00000000
+[ 23.416693] Internal error: Oops: 80000007 [#1] SMP ARM
+[ 23.422168] Modules linked in: wl12xx wlcore mac80211 cfg80211
+musb_dsps musb_hdrc usbcore usb_common snd_soc_simple_card evdev joydev
+omap_rng wlcore_spi snd_soc_tlv320aic23_i2c rng_core snd_soc_tlv320aic23
+c_can_platform c_can can_dev snd_soc_davinci_mcasp snd_soc_edma
+snd_soc_omap omap_wdt musb_am335x cpufreq_dt thermal_sys hwmon
+[ 23.453253] CPU: 0 PID: 36 Comm: kworker/0:2 Not tainted
+4.2.0-00002-g951efee-dirty #233
+[ 23.461720] Hardware name: Generic AM33XX (Flattened Device Tree)
+[ 23.468123] Workqueue: events request_firmware_work_func
+[ 23.473690] task: de32efc0 ti: de4ee000 task.ti: de4ee000
+[ 23.479341] PC is at 0x0
+[ 23.482112] LR is at wl12xx_set_power_on+0x28/0x124 [wlcore]
+[ 23.488074] pc : [<00000000>] lr : [] psr: 60000013
+[ 23.488074] sp : de4efe50 ip : 00000002 fp : 00000000
+[ 23.500162] r10: de7cdd00 r9 : dc848800 r8 : bf27af00
+[ 23.505663] r7 : bf27a1a8 r6 : dcbd8a80 r5 : dce0e2e0 r4 :
+dce0d2e0
+[ 23.512536] r3 : 00000000 r2 : 00000000 r1 : 00000001 r0 :
+dc848810
+[ 23.519412] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM
+Segment kernel
+[ 23.527109] Control: 10c5387d Table: 9cb78019 DAC: 00000015
+[ 23.533160] Process kworker/0:2 (pid: 36, stack limit = 0xde4ee218)
+[ 23.539760] Stack: (0xde4efe50 to 0xde4f0000)
+
+[...]
+
+[ 23.665030] [] (wl12xx_set_power_on [wlcore]) from
+[] (wlcore_nvs_cb+0x118/0xa4c [wlcore])
+[ 23.675604] [] (wlcore_nvs_cb [wlcore]) from []
+(request_firmware_work_func+0x30/0x58)
+[ 23.685784] [] (request_firmware_work_func) from
+[] (process_one_work+0x1b4/0x4b4)
+[ 23.695591] [] (process_one_work) from []
+(worker_thread+0x3c/0x4a4)
+[ 23.704124] [] (worker_thread) from []
+(kthread+0xd4/0xf0)
+[ 23.711747] [] (kthread) from []
+(ret_from_fork+0x14/0x3c)
+[ 23.719357] Code: bad PC value
+[ 23.722760] ---[ end trace 981be8510db9b3a9 ]---
+
+Prevent oops by validationg power() pointer value before
+calling the function.
+
+Signed-off-by: Uri Mashiach
+Acked-by: Igor Grinberg
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ti/wlcore/io.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ti/wlcore/io.h
++++ b/drivers/net/wireless/ti/wlcore/io.h
+@@ -203,19 +203,23 @@ static inline int __must_check wlcore_wr
+
+ static inline void wl1271_power_off(struct wl1271 *wl)
+ {
+- int ret;
++ int ret = 0;
+
+ if (!test_bit(WL1271_FLAG_GPIO_POWER, &wl->flags))
+ return;
+
+- ret = wl->if_ops->power(wl->dev, false);
++ if (wl->if_ops->power)
++ ret = wl->if_ops->power(wl->dev, false);
+ if (!ret)
+ clear_bit(WL1271_FLAG_GPIO_POWER, &wl->flags);
+ }
+
+ static inline int wl1271_power_on(struct wl1271 *wl)
+ {
+- int ret = wl->if_ops->power(wl->dev, true);
++ int ret = 0;
++
++ if (wl->if_ops->power)
++ ret = wl->if_ops->power(wl->dev, true);
+ if (ret == 0)
+ set_bit(WL1271_FLAG_GPIO_POWER, &wl->flags);
+
diff --git a/queue-3.14/wlcore-wl12xx-spi-fix-oops-on-firmware-load.patch b/queue-3.14/wlcore-wl12xx-spi-fix-oops-on-firmware-load.patch
new file mode 100644
index 00000000000..9ccd5592025
--- /dev/null
+++ b/queue-3.14/wlcore-wl12xx-spi-fix-oops-on-firmware-load.patch
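Review bot: With the new NULL checks in wl1271_power_on() and wl1271_power_off() (drivers/net/wireless/ti/wlcore/io.h), a bus glue without a `power()` hook leaves `ret` at 0, so WL1271_FLAG_GPIO_POWER is still set and cleared as if the chip had really been switched. If that is the intended meaning, say so at both checks, e.g. `/* no power() hook: treat the bus as always powered */`, because code that later tests the flag will otherwise read it as a statement about hardware state. `wl->if_ops` itself is still dereferenced unchecked; presumably the glue always sets it before these helpers run, but that is not visible here. wl1271_power_on() continues past the end of the hunk.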
@@ -0,0 +1,117 @@
+From 9b2761cb72dc41e1948c8a5512b4efd384eda130 Mon Sep 17 00:00:00 2001
+From: Uri Mashiach
+Date: Thu, 10 Dec 2015 15:12:56 +0200
+Subject: wlcore/wl12xx: spi: fix oops on firmware load
+
+From: Uri Mashiach
+
+commit 9b2761cb72dc41e1948c8a5512b4efd384eda130 upstream.
+
+The maximum chunks used by the function is
+(SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE + 1).
+The original commands array had space for
+(SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) commands.
+When the last chunk is used (len > 4 * WSPI_MAX_CHUNK_SIZE), the last
+command is stored outside the bounds of the commands array.
+
+Oops 5 (page fault) is generated during current wl1271 firmware load
+attempt:
+
+root@debian-armhf:~# ifconfig wlan0 up
+[ 294.312399] Unable to handle kernel paging request at virtual address
+00203fc4
+[ 294.320173] pgd = de528000
+[ 294.323028] [00203fc4] *pgd=00000000
+[ 294.326916] Internal error: Oops: 5 [#1] SMP ARM
+[ 294.331789] Modules linked in: bnep rfcomm bluetooth ipv6 arc4 wl12xx
+wlcore mac80211 musb_dsps cfg80211 musb_hdrc usbcore usb_common
+wlcore_spi omap_rng rng_core musb_am335x omap_wdt cpufreq_dt thermal_sys
+hwmon
+[ 294.351838] CPU: 0 PID: 1827 Comm: ifconfig Not tainted
+4.2.0-00002-g3e9ad27-dirty #78
+[ 294.360154] Hardware name: Generic AM33XX (Flattened Device Tree)
+[ 294.366557] task: dc9d6d40 ti: de550000 task.ti: de550000
+[ 294.372236] PC is at __spi_validate+0xa8/0x2ac
+[ 294.376902] LR is at __spi_sync+0x78/0x210
+[ 294.381200] pc : [] lr : [] psr: 60000013
+[ 294.381200] sp : de551998 ip : de5519d8 fp : 00200000
+[ 294.393242] r10: de551c8c r9 : de5519d8 r8 : de3a9000
+[ 294.398730] r7 : de3a9258 r6 : de3a9400 r5 : de551a48 r4 :
+00203fbc
+[ 294.405577] r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 :
+de3a9000
+[ 294.412420] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM
+Segment user
+[ 294.419918] Control: 10c5387d Table: 9e528019 DAC: 00000015
+[ 294.425954] Process ifconfig (pid: 1827, stack limit = 0xde550218)
+[ 294.432437] Stack: (0xde551998 to 0xde552000)
+
+...
+
+[ 294.883613] [] (__spi_validate) from []
+(__spi_sync+0x78/0x210)
+[ 294.891670] [] (__spi_sync) from []
+(wl12xx_spi_raw_write+0xfc/0x148 [wlcore_spi])
+[ 294.901661] [] (wl12xx_spi_raw_write [wlcore_spi]) from
+[] (wlcore_boot_upload_firmware+0x1ec/0x458 [wlcore])
+[ 294.914038] [] (wlcore_boot_upload_firmware [wlcore]) from
+[] (wl12xx_boot+0xc10/0xfac [wl12xx])
+[ 294.925161] [] (wl12xx_boot [wl12xx]) from []
+(wl1271_op_add_interface+0x5b0/0x910 [wlcore])
+[ 294.936364] [] (wl1271_op_add_interface [wlcore]) from
+[] (ieee80211_do_open+0x44c/0xf7c [mac80211])
+[ 294.947963] [] (ieee80211_do_open [mac80211]) from
+[] (__dev_open+0xa8/0x110)
+[ 294.957307] [] (__dev_open) from []
+(__dev_change_flags+0x88/0x148)
+[ 294.965713] [] (__dev_change_flags) from []
+(dev_change_flags+0x18/0x48)
+[ 294.974576] [] (dev_change_flags) from []
+(devinet_ioctl+0x6b4/0x7d0)
+[ 294.983191] [] (devinet_ioctl) from []
+(sock_ioctl+0x1e4/0x2bc)
+[ 294.991244] [] (sock_ioctl) from []
+(do_vfs_ioctl+0x420/0x6b0)
+[ 294.999208] [] (do_vfs_ioctl) from []
+(SyS_ioctl+0x6c/0x7c)
+[ 295.006880] [] (SyS_ioctl) from []
+(ret_fast_syscall+0x0/0x54)
+[ 295.014835] Code: e1550004 e2444034 0a00007d e5953018 (e5942008)
+[ 295.021544] ---[ end trace 66ed188198f4e24e ]---
+
+Signed-off-by: Uri Mashiach
+Acked-by: Igor Grinberg
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ti/wlcore/spi.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ti/wlcore/spi.c
++++ b/drivers/net/wireless/ti/wlcore/spi.c
+@@ -72,7 +72,10 @@
+ */
+ #define SPI_AGGR_BUFFER_SIZE (4 * PAGE_SIZE)
+
+-#define WSPI_MAX_NUM_OF_CHUNKS (SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE)
++/* Maximum number of SPI write chunks */
++#define WSPI_MAX_NUM_OF_CHUNKS \
++ ((SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) + 1)
++
+
+ struct wl12xx_spi_glue {
+ struct device *dev;
+@@ -270,9 +273,10 @@ static int __must_check wl12xx_spi_raw_w
+ void *buf, size_t len, bool fixed)
+ {
+ struct wl12xx_spi_glue *glue = dev_get_drvdata(child->parent);
+- struct spi_transfer t[2 * (WSPI_MAX_NUM_OF_CHUNKS + 1)];
++ /* SPI write buffers - 2 for each chunk */
++ struct spi_transfer t[2 * WSPI_MAX_NUM_OF_CHUNKS];
+ struct spi_message m;
+- u32 commands[WSPI_MAX_NUM_OF_CHUNKS];
++ u32 commands[WSPI_MAX_NUM_OF_CHUNKS]; /* 1 command per chunk */
+ u32 *cmd;
+ u32 chunk_len;
+ int i;
--
2.47.3
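Review bot: The stack arrays `t[2 * WSPI_MAX_NUM_OF_CHUNKS]` and `commands[WSPI_MAX_NUM_OF_CHUNKS]` in wl12xx_spi_raw_write() (drivers/net/wireless/ti/wlcore/spi.c) are still sized for a `len` of at most SPI_AGGR_BUFFER_SIZE, and the hunk shows no check that rejects a longer write. Per the commit message the old failure was a store past the end of `commands`; a larger `len` would do the same with the corrected sizes. Unless the body outside the hunk already refuses such a call, fail early with `if (WARN_ON(len > SPI_AGGR_BUFFER_SIZE)) return -EINVAL;` instead of relying on every caller to stay within the limit. The extra blank line added after the macro definition can be dropped.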