From 9547e94c272445cb0868e8614840bd7ad5dadfec Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Wed, 27 Mar 2019 14:31:16 -0400 Subject: [PATCH] patches for 4.4 Signed-off-by: Sasha Levin --- ...ionally-remove-callbacks-in-sync_fen.patch | 45 +++++ ...458-1-bl_switcher-add-gic-dependency.patch | 49 +++++ ...able-pxn-when-running-non-lpae-kerne.patch | 41 ++++ ...-rework-arm_cpu_suspend-dependencies.patch | 52 +++++ ...at_shmlba-definition-for-large-pages.patch | 36 ++++ ...ide-__efistub_-aliases-from-kallsyms.patch | 125 ++++++++++++ ...onfig-drop-config_rtc_lib-dependency.patch | 34 ++++ ...-incorrect-el0-check-in-inv_entry-ma.patch | 50 +++++ ...nel-include-_ac-definition-in-page.h.patch | 36 ++++ ...local-variable-shadow-in-__set_fixma.patch | 54 ++++++ ...e-various-nl80211-messages-correctly.patch | 109 +++++++++++ ...oresight_unregister-function-cleanup.patch | 48 +++++ ...ice_attr_ro-should-defined-as-static.patch | 59 ++++++ ...check-every-parameter-used-by-dma_xx.patch | 56 ++++++ .../coresight-fixing-lockdep-error.patch | 158 +++++++++++++++ ...e-reference-taken-by-bus_find_device.patch | 35 ++++ ...ht-remove-csdev-s-link-from-topology.patch | 86 +++++++++ ...le-unbalanced-hotplug-enable-disable.patch | 59 ++++++ ...disable_branch_profiling-for-all-arc.patch | 45 +++++ ...-sensor-hub.c-fix-wrong-do_div-usage.patch | 32 +++ ...6-fix-endianness-error-in-icmpv6_err.patch | 36 ++++ ...ning-target_metric-may-be-used-unini.patch | 42 ++++ ...llow-more-than-8-partitions-per-card.patch | 74 +++++++ ...ch-timeout-issue-caused-by-jiffies-p.patch | 34 ++++ ...-v4mapped-sockets-in-inet_diag_find_.patch | 54 ++++++ ...-refuse-to-begin-aux-transaction-aft.patch | 58 ++++++ ...ly-free-aux-pages-in-case-of-allocat.patch | 109 +++++++++++ ...l-flush_icache_range-on-pages-restor.patch | 88 +++++++++ ...-don-t-use-parameter-prefix-if-built.patch | 45 +++++ ...ew-task-s-load-avg-removed-from-sour.patch | 101 ++++++++++ queue-4.4/series | 50 +++++ .../staging-ashmem-add-missing-include.patch | 36 ++++ ...hmem-avoid-deadlock-with-mmap-shrink.patch | 76 ++++++++ ...ldfish-audio-fix-compiliation-on-arm.patch | 34 ++++ ...minimum-carveout-heap-allocation-ord.patch | 45 +++++ ...do-not-leak-the-chrdev-in-error-path.patch | 34 ++++ .../stm-class-fix-a-race-in-unlinking.patch | 140 ++++++++++++++ .../stm-class-fix-link-list-locking.patch | 168 ++++++++++++++++ ...fix-locking-in-unbinding-policy-path.patch | 68 +++++++ ...-fix-stm-device-initialization-order.patch | 64 ++++++ ...unbalanced-module-device-refcounting.patch | 108 +++++++++++ ...x-unlocking-braino-in-the-error-path.patch | 52 +++++ ...output-assignment-against-concurrenc.patch | 112 +++++++++++ ...revent-user-controllable-allocations.patch | 39 ++++ ...port-devices-with-multiple-instances.patch | 49 +++++ ...unicast-mac-address-to-mac-registers.patch | 55 ++++++ ...gfs-add-mutex-lock-before-unregister.patch | 65 +++++++ ...-free-response-queue-during-remote_n.patch | 53 +++++ ...o-fbdev-set-pixclock-0-in-goldfishfb.patch | 36 ++++ ...at_updater-deferrable-again-and-shut.patch | 182 ++++++++++++++++++ ...lize-inode-members-that-track-writeb.patch | 41 ++++ 51 files changed, 3357 insertions(+) create mode 100644 queue-4.4/android-unconditionally-remove-callbacks-in-sync_fen.patch create mode 100644 queue-4.4/arm-8458-1-bl_switcher-add-gic-dependency.patch create mode 100644 queue-4.4/arm-8494-1-mm-enable-pxn-when-running-non-lpae-kerne.patch create mode 100644 queue-4.4/arm-8510-1-rework-arm_cpu_suspend-dependencies.patch create mode 100644 queue-4.4/arm64-fix-compat_shmlba-definition-for-large-pages.patch create mode 100644 queue-4.4/arm64-hide-__efistub_-aliases-from-kallsyms.patch create mode 100644 queue-4.4/arm64-kconfig-drop-config_rtc_lib-dependency.patch create mode 100644 queue-4.4/arm64-kernel-fix-incorrect-el0-check-in-inv_entry-ma.patch create mode 100644 queue-4.4/arm64-kernel-include-_ac-definition-in-page.h.patch create mode 100644 queue-4.4/asm-generic-fix-local-variable-shadow-in-__set_fixma.patch create mode 100644 queue-4.4/cfg80211-size-various-nl80211-messages-correctly.patch create mode 100644 queue-4.4/coresight-coresight_unregister-function-cleanup.patch create mode 100644 queue-4.4/coresight-device_attr_ro-should-defined-as-static.patch create mode 100644 queue-4.4/coresight-etm4x-check-every-parameter-used-by-dma_xx.patch create mode 100644 queue-4.4/coresight-fixing-lockdep-error.patch create mode 100644 queue-4.4/coresight-release-reference-taken-by-bus_find_device.patch create mode 100644 queue-4.4/coresight-remove-csdev-s-link-from-topology.patch create mode 100644 queue-4.4/cpu-hotplug-handle-unbalanced-hotplug-enable-disable.patch create mode 100644 queue-4.4/efi-stub-define-disable_branch_profiling-for-all-arc.patch create mode 100644 queue-4.4/hid-sensor-hub.c-fix-wrong-do_div-usage.patch create mode 100644 queue-4.4/ipv6-fix-endianness-error-in-icmpv6_err.patch create mode 100644 queue-4.4/mac80211-fix-warning-target_metric-may-be-used-unini.patch create mode 100644 queue-4.4/mmc-block-allow-more-than-8-partitions-per-card.patch create mode 100644 queue-4.4/mmc-mmc-fix-switch-timeout-issue-caused-by-jiffies-p.patch create mode 100644 queue-4.4/net-diag-support-v4mapped-sockets-in-inet_diag_find_.patch create mode 100644 queue-4.4/perf-ring_buffer-refuse-to-begin-aux-transaction-aft.patch create mode 100644 queue-4.4/perf-synchronously-free-aux-pages-in-case-of-allocat.patch create mode 100644 queue-4.4/pm-hibernate-call-flush_icache_range-on-pages-restor.patch create mode 100644 queue-4.4/revert-mmc-block-don-t-use-parameter-prefix-if-built.patch create mode 100644 queue-4.4/sched-fair-fix-new-task-s-load-avg-removed-from-sour.patch create mode 100644 queue-4.4/staging-ashmem-add-missing-include.patch create mode 100644 queue-4.4/staging-ashmem-avoid-deadlock-with-mmap-shrink.patch create mode 100644 queue-4.4/staging-goldfish-audio-fix-compiliation-on-arm.patch create mode 100644 queue-4.4/staging-ion-set-minimum-carveout-heap-allocation-ord.patch create mode 100644 queue-4.4/stm-class-do-not-leak-the-chrdev-in-error-path.patch create mode 100644 queue-4.4/stm-class-fix-a-race-in-unlinking.patch create mode 100644 queue-4.4/stm-class-fix-link-list-locking.patch create mode 100644 queue-4.4/stm-class-fix-locking-in-unbinding-policy-path.patch create mode 100644 queue-4.4/stm-class-fix-stm-device-initialization-order.patch create mode 100644 queue-4.4/stm-class-fix-unbalanced-module-device-refcounting.patch create mode 100644 queue-4.4/stm-class-fix-unlocking-braino-in-the-error-path.patch create mode 100644 queue-4.4/stm-class-guard-output-assignment-against-concurrenc.patch create mode 100644 queue-4.4/stm-class-prevent-user-controllable-allocations.patch create mode 100644 queue-4.4/stm-class-support-devices-with-multiple-instances.patch create mode 100644 queue-4.4/stmmac-copy-unicast-mac-address-to-mac-registers.patch create mode 100644 queue-4.4/usb-gadget-configfs-add-mutex-lock-before-unregister.patch create mode 100644 queue-4.4/usb-gadget-rndis-free-response-queue-during-remote_n.patch create mode 100644 queue-4.4/video-fbdev-set-pixclock-0-in-goldfishfb.patch create mode 100644 queue-4.4/vmstat-make-vmstat_updater-deferrable-again-and-shut.patch create mode 100644 queue-4.4/writeback-initialize-inode-members-that-track-writeb.patch diff --git a/queue-4.4/android-unconditionally-remove-callbacks-in-sync_fen.patch b/queue-4.4/android-unconditionally-remove-callbacks-in-sync_fen.patch new file mode 100644 index 00000000000..ebca0dfc0da --- /dev/null +++ b/queue-4.4/android-unconditionally-remove-callbacks-in-sync_fen.patch @@ -0,0 +1,45 @@ +From 3d07d9cfa09d0dc2cad0d620c826ff26779b4dae Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Mon, 14 Dec 2015 17:34:08 -0800 +Subject: android: unconditionally remove callbacks in sync_fence_free() + +[ Upstream commit 699f685569434510d944e419f4048c4e3ba8d631 ] + +Using fence->status to determine whether or not there are callbacks +remaining on the sync_fence is racy since fence->status may have been +decremented to 0 on another CPU before fence_check_cb_func() has +completed. By unconditionally calling fence_remove_callback() for each +fence in the sync_fence, we guarantee that each callback has either +completed (since fence_remove_callback() grabs the fence lock) or been +removed. + +Signed-off-by: Andrew Bresticker +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/android/sync.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c +index f83e00c78051..50a9945da27e 100644 +--- a/drivers/staging/android/sync.c ++++ b/drivers/staging/android/sync.c +@@ -519,12 +519,10 @@ static const struct fence_ops android_fence_ops = { + static void sync_fence_free(struct kref *kref) + { + struct sync_fence *fence = container_of(kref, struct sync_fence, kref); +- int i, status = atomic_read(&fence->status); ++ int i; + + for (i = 0; i < fence->num_fences; ++i) { +- if (status) +- fence_remove_callback(fence->cbs[i].sync_pt, +- &fence->cbs[i].cb); ++ fence_remove_callback(fence->cbs[i].sync_pt, &fence->cbs[i].cb); + fence_put(fence->cbs[i].sync_pt); + } + +-- +2.19.1 + diff --git a/queue-4.4/arm-8458-1-bl_switcher-add-gic-dependency.patch b/queue-4.4/arm-8458-1-bl_switcher-add-gic-dependency.patch new file mode 100644 index 00000000000..bd682641e16 --- /dev/null +++ b/queue-4.4/arm-8458-1-bl_switcher-add-gic-dependency.patch @@ -0,0 +1,49 @@ +From e8c3cbce4003ec8f61049dc61633a1a49e48c335 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 19 Nov 2015 15:49:23 +0100 +Subject: ARM: 8458/1: bL_switcher: add GIC dependency + +[ Upstream commit 6c044fecdf78be3fda159a5036bb33700cdd5e59 ] + +It is not possible to build the bL_switcher code if the GIC +driver is disabled, because it relies on calling into some +gic specific interfaces, and that would result in this build +error: + +arch/arm/common/built-in.o: In function `bL_switch_to': +:(.text+0x1230): undefined reference to `gic_get_sgir_physaddr' +:(.text+0x1244): undefined reference to `gic_send_sgi' +:(.text+0x1268): undefined reference to `gic_migrate_target' +arch/arm/common/built-in.o: In function `bL_switcher_enable.part.4': +:(.text.unlikely+0x2f8): undefined reference to `gic_get_cpu_id' + +This adds a Kconfig dependency to ensure we only build the big-little +switcher if the GIC driver is present as well. + +Almost all ARMv7 platforms come with a GIC anyway, but it is possible +to build a kernel that disables all platforms. + +Signed-off-by: Arnd Bergmann +Acked-by: Nicolas Pitre +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig +index 3a0277c6c060..4cc908ee107f 100644 +--- a/arch/arm/Kconfig ++++ b/arch/arm/Kconfig +@@ -1422,7 +1422,7 @@ config BIG_LITTLE + + config BL_SWITCHER + bool "big.LITTLE switcher support" +- depends on BIG_LITTLE && MCPM && HOTPLUG_CPU ++ depends on BIG_LITTLE && MCPM && HOTPLUG_CPU && ARM_GIC + select ARM_CPU_SUSPEND + select CPU_PM + help +-- +2.19.1 + diff --git a/queue-4.4/arm-8494-1-mm-enable-pxn-when-running-non-lpae-kerne.patch b/queue-4.4/arm-8494-1-mm-enable-pxn-when-running-non-lpae-kerne.patch new file mode 100644 index 00000000000..e6ab530a581 --- /dev/null +++ b/queue-4.4/arm-8494-1-mm-enable-pxn-when-running-non-lpae-kerne.patch @@ -0,0 +1,41 @@ +From 2891fcf3b3b20211dabf0e9a95851d3c56618620 Mon Sep 17 00:00:00 2001 +From: Jungseung Lee +Date: Tue, 29 Dec 2015 05:47:00 +0100 +Subject: ARM: 8494/1: mm: Enable PXN when running non-LPAE kernel on LPAE + processor + +[ Upstream commit ad84f56bf6d620fe6ed4d57ce6ec9945684d7f35 ] + +The VMSA field of MMFR0 (bottom 4 bits) is incremented for each +added feature. PXN is supported if the value is >= 4 and LPAE +is supported if it is >= 5. + +In case a kernel with CONFIG_ARM_LPAE disabled is used on a +processor that supports LPAE, we can still use PXN in short +descriptors. So check for >= 4 not == 4. + +Signed-off-by: Jungseung Lee +Acked-by: Catalin Marinas +Signed-off-by: Ben Hutchings +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/mmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c +index e47cffd25c6c..aead23f15213 100644 +--- a/arch/arm/mm/mmu.c ++++ b/arch/arm/mm/mmu.c +@@ -572,7 +572,7 @@ static void __init build_mem_type_table(void) + * in the Short-descriptor translation table format descriptors. + */ + if (cpu_arch == CPU_ARCH_ARMv7 && +- (read_cpuid_ext(CPUID_EXT_MMFR0) & 0xF) == 4) { ++ (read_cpuid_ext(CPUID_EXT_MMFR0) & 0xF) >= 4) { + user_pmd_table |= PMD_PXNTABLE; + } + #endif +-- +2.19.1 + diff --git a/queue-4.4/arm-8510-1-rework-arm_cpu_suspend-dependencies.patch b/queue-4.4/arm-8510-1-rework-arm_cpu_suspend-dependencies.patch new file mode 100644 index 00000000000..d91b81a406c --- /dev/null +++ b/queue-4.4/arm-8510-1-rework-arm_cpu_suspend-dependencies.patch @@ -0,0 +1,52 @@ +From 3b3ec87f5ebfd85f74c5b66d2d299112701cbf21 Mon Sep 17 00:00:00 2001 +From: Lorenzo Pieralisi +Date: Mon, 1 Feb 2016 18:01:29 +0100 +Subject: ARM: 8510/1: rework ARM_CPU_SUSPEND dependencies + +[ Upstream commit 1b9bdf5c1661873a10e193b8cbb803a87fe5c4a1 ] + +The code enabled by the ARM_CPU_SUSPEND config option is used by +kernel subsystems for purposes that go beyond system suspend so its +config entry should be augmented to take more default options into +account and avoid forcing its selection to prevent dependencies +override. + +To achieve this goal, this patch reworks the ARM_CPU_SUSPEND config +entry and updates its default config value (by adding the BL_SWITCHER +option to it) and its dependencies (ARCH_SUSPEND_POSSIBLE), so that the +symbol is still selected by default by the subsystems requiring it and +at the same time enforcing the dependencies correctly. + +Signed-off-by: Lorenzo Pieralisi +Cc: Nicolas Pitre +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig +index 4cc908ee107f..737c8b0dda84 100644 +--- a/arch/arm/Kconfig ++++ b/arch/arm/Kconfig +@@ -1423,7 +1423,6 @@ config BIG_LITTLE + config BL_SWITCHER + bool "big.LITTLE switcher support" + depends on BIG_LITTLE && MCPM && HOTPLUG_CPU && ARM_GIC +- select ARM_CPU_SUSPEND + select CPU_PM + help + The big.LITTLE "switcher" provides the core functionality to +@@ -2141,7 +2140,8 @@ config ARCH_SUSPEND_POSSIBLE + def_bool y + + config ARM_CPU_SUSPEND +- def_bool PM_SLEEP ++ def_bool PM_SLEEP || BL_SWITCHER ++ depends on ARCH_SUSPEND_POSSIBLE + + config ARCH_HIBERNATION_POSSIBLE + bool +-- +2.19.1 + diff --git a/queue-4.4/arm64-fix-compat_shmlba-definition-for-large-pages.patch b/queue-4.4/arm64-fix-compat_shmlba-definition-for-large-pages.patch new file mode 100644 index 00000000000..ff805491fbc --- /dev/null +++ b/queue-4.4/arm64-fix-compat_shmlba-definition-for-large-pages.patch @@ -0,0 +1,36 @@ +From 40b4775c3d87d54a334d79d6e0ed5f6966eaa485 Mon Sep 17 00:00:00 2001 +From: Yury Norov +Date: Wed, 2 Dec 2015 14:00:10 +0000 +Subject: arm64: fix COMPAT_SHMLBA definition for large pages + +[ Upstream commit b9b7aebb42d1b1392f3111de61136bb6cf3aae3f ] + +ARM glibc uses (4 * __getpagesize()) for SHMLBA, which is correct for +4KB pages and works fine for 64KB pages, but the kernel uses a hardcoded +16KB that is too small for 64KB page based kernels. This changes the +definition to what user space sees when using 64KB pages. + +Acked-by: Arnd Bergmann +Signed-off-by: Yury Norov +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/shmparam.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/include/asm/shmparam.h b/arch/arm64/include/asm/shmparam.h +index 4df608a8459e..e368a55ebd22 100644 +--- a/arch/arm64/include/asm/shmparam.h ++++ b/arch/arm64/include/asm/shmparam.h +@@ -21,7 +21,7 @@ + * alignment value. Since we don't have aliasing D-caches, the rest of + * the time we can safely use PAGE_SIZE. + */ +-#define COMPAT_SHMLBA 0x4000 ++#define COMPAT_SHMLBA (4 * PAGE_SIZE) + + #include + +-- +2.19.1 + diff --git a/queue-4.4/arm64-hide-__efistub_-aliases-from-kallsyms.patch b/queue-4.4/arm64-hide-__efistub_-aliases-from-kallsyms.patch new file mode 100644 index 00000000000..98543d917c9 --- /dev/null +++ b/queue-4.4/arm64-hide-__efistub_-aliases-from-kallsyms.patch @@ -0,0 +1,125 @@ +From 9b1093f1ab327525288594ab8bf7b1d7d88f7fc9 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Fri, 15 Jan 2016 13:28:57 +0100 +Subject: arm64: hide __efistub_ aliases from kallsyms + +[ Upstream commit 75feee3d9d51775072d3a04f47d4a439a4c4590e ] + +Commit e8f3010f7326 ("arm64/efi: isolate EFI stub from the kernel +proper") isolated the EFI stub code from the kernel proper by prefixing +all of its symbols with __efistub_, and selectively allowing access to +core kernel symbols from the stub by emitting __efistub_ aliases for +functions and variables that the stub can access legally. + +As an unintended side effect, these aliases are emitted into the +kallsyms symbol table, which means they may turn up in backtraces, +e.g., + + ... + PC is at __efistub_memset+0x108/0x200 + LR is at fixup_init+0x3c/0x48 + ... + [] __efistub_memset+0x108/0x200 + [] free_initmem+0x2c/0x40 + [] kernel_init+0x20/0xe0 + [] ret_from_fork+0x10/0x40 + +The backtrace in question has nothing to do with the EFI stub, but +simply returns one of the several aliases of memset() that have been +recorded in the kallsyms table. This is undesirable, since it may +suggest to people who are not aware of this that the issue they are +seeing is somehow EFI related. + +So hide the __efistub_ aliases from kallsyms, by emitting them as +absolute linker symbols explicitly. The distinction between those +and section relative symbols is completely irrelevant to these +definitions, and to the final link we are performing when these +definitions are being taken into account (the distinction is only +relevant to symbols defined inside a section definition when performing +a partial link), and so the resulting values are identical to the +original ones. Since absolute symbols are ignored by kallsyms, this +will result in these values to be omitted from its symbol table. + +After this patch, the backtrace generated from the same address looks +like this: + ... + PC is at __memset+0x108/0x200 + LR is at fixup_init+0x3c/0x48 + ... + [] __memset+0x108/0x200 + [] free_initmem+0x2c/0x40 + [] kernel_init+0x20/0xe0 + [] ret_from_fork+0x10/0x40 + +Signed-off-by: Ard Biesheuvel +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/image.h | 40 ++++++++++++++++++++++++--------------- + 1 file changed, 25 insertions(+), 15 deletions(-) + +diff --git a/arch/arm64/kernel/image.h b/arch/arm64/kernel/image.h +index bc2abb8b1599..999633bd7294 100644 +--- a/arch/arm64/kernel/image.h ++++ b/arch/arm64/kernel/image.h +@@ -64,6 +64,16 @@ + + #ifdef CONFIG_EFI + ++/* ++ * Prevent the symbol aliases below from being emitted into the kallsyms ++ * table, by forcing them to be absolute symbols (which are conveniently ++ * ignored by scripts/kallsyms) rather than section relative symbols. ++ * The distinction is only relevant for partial linking, and only for symbols ++ * that are defined within a section declaration (which is not the case for ++ * the definitions below) so the resulting values will be identical. ++ */ ++#define KALLSYMS_HIDE(sym) ABSOLUTE(sym) ++ + /* + * The EFI stub has its own symbol namespace prefixed by __efistub_, to + * isolate it from the kernel proper. The following symbols are legally +@@ -73,25 +83,25 @@ + * linked at. The routines below are all implemented in assembler in a + * position independent manner + */ +-__efistub_memcmp = __pi_memcmp; +-__efistub_memchr = __pi_memchr; +-__efistub_memcpy = __pi_memcpy; +-__efistub_memmove = __pi_memmove; +-__efistub_memset = __pi_memset; +-__efistub_strlen = __pi_strlen; +-__efistub_strcmp = __pi_strcmp; +-__efistub_strncmp = __pi_strncmp; +-__efistub___flush_dcache_area = __pi___flush_dcache_area; ++__efistub_memcmp = KALLSYMS_HIDE(__pi_memcmp); ++__efistub_memchr = KALLSYMS_HIDE(__pi_memchr); ++__efistub_memcpy = KALLSYMS_HIDE(__pi_memcpy); ++__efistub_memmove = KALLSYMS_HIDE(__pi_memmove); ++__efistub_memset = KALLSYMS_HIDE(__pi_memset); ++__efistub_strlen = KALLSYMS_HIDE(__pi_strlen); ++__efistub_strcmp = KALLSYMS_HIDE(__pi_strcmp); ++__efistub_strncmp = KALLSYMS_HIDE(__pi_strncmp); ++__efistub___flush_dcache_area = KALLSYMS_HIDE(__pi___flush_dcache_area); + + #ifdef CONFIG_KASAN +-__efistub___memcpy = __pi_memcpy; +-__efistub___memmove = __pi_memmove; +-__efistub___memset = __pi_memset; ++__efistub___memcpy = KALLSYMS_HIDE(__pi_memcpy); ++__efistub___memmove = KALLSYMS_HIDE(__pi_memmove); ++__efistub___memset = KALLSYMS_HIDE(__pi_memset); + #endif + +-__efistub__text = _text; +-__efistub__end = _end; +-__efistub__edata = _edata; ++__efistub__text = KALLSYMS_HIDE(_text); ++__efistub__end = KALLSYMS_HIDE(_end); ++__efistub__edata = KALLSYMS_HIDE(_edata); + + #endif + +-- +2.19.1 + diff --git a/queue-4.4/arm64-kconfig-drop-config_rtc_lib-dependency.patch b/queue-4.4/arm64-kconfig-drop-config_rtc_lib-dependency.patch new file mode 100644 index 00000000000..bb76975b38f --- /dev/null +++ b/queue-4.4/arm64-kconfig-drop-config_rtc_lib-dependency.patch @@ -0,0 +1,34 @@ +From 88d12d1f9acea41a7f6abf53b1d8255207f6bbc5 Mon Sep 17 00:00:00 2001 +From: Ezequiel Garcia +Date: Wed, 27 Apr 2016 13:55:28 -0300 +Subject: arm64: kconfig: drop CONFIG_RTC_LIB dependency + +[ Upstream commit 99a507771fa57238dc7ffe674ae06090333d02c9 ] + +The rtc-lib dependency is not required, and seems it was just +copy-pasted from ARM's Kconfig. If platform requires rtc-lib, +they should select it individually. + +Reviewed-by: Arnd Bergmann +Signed-off-by: Ezequiel Garcia +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 5b47218809e0..00c491750918 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -89,7 +89,6 @@ config ARM64 + select PERF_USE_VMALLOC + select POWER_RESET + select POWER_SUPPLY +- select RTC_LIB + select SPARSE_IRQ + select SYSCTL_EXCEPTION_TRACE + select HAVE_CONTEXT_TRACKING +-- +2.19.1 + diff --git a/queue-4.4/arm64-kernel-fix-incorrect-el0-check-in-inv_entry-ma.patch b/queue-4.4/arm64-kernel-fix-incorrect-el0-check-in-inv_entry-ma.patch new file mode 100644 index 00000000000..896e2e03e41 --- /dev/null +++ b/queue-4.4/arm64-kernel-fix-incorrect-el0-check-in-inv_entry-ma.patch @@ -0,0 +1,50 @@ +From 43e3b66af3871e40bb2bee7a8f0392e44ec7132b Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Fri, 18 Mar 2016 10:58:09 +0100 +Subject: arm64/kernel: fix incorrect EL0 check in inv_entry macro + +[ Upstream commit b660950c60a7278f9d8deb7c32a162031207c758 ] + +The implementation of macro inv_entry refers to its 'el' argument without +the required leading backslash, which results in an undefined symbol +'el' to be passed into the kernel_entry macro rather than the index of +the exception level as intended. + +This undefined symbol strangely enough does not result in build failures, +although it is visible in vmlinux: + + $ nm -n vmlinux |head + U el + 0000000000000000 A _kernel_flags_le_hi32 + 0000000000000000 A _kernel_offset_le_hi32 + 0000000000000000 A _kernel_size_le_hi32 + 000000000000000a A _kernel_flags_le_lo32 + ..... + +However, it does result in incorrect code being generated for invalid +exceptions taken from EL0, since the argument check in kernel_entry +assumes EL1 if its argument does not equal '0'. + +Signed-off-by: Ard Biesheuvel +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/entry.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S +index 3028d9b028c7..586326981769 100644 +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -243,7 +243,7 @@ END(vectors) + * Invalid mode handlers + */ + .macro inv_entry, el, reason, regsize = 64 +- kernel_entry el, \regsize ++ kernel_entry \el, \regsize + mov x0, sp + mov x1, #\reason + mrs x2, esr_el1 +-- +2.19.1 + diff --git a/queue-4.4/arm64-kernel-include-_ac-definition-in-page.h.patch b/queue-4.4/arm64-kernel-include-_ac-definition-in-page.h.patch new file mode 100644 index 00000000000..c76b5f0aa6b --- /dev/null +++ b/queue-4.4/arm64-kernel-include-_ac-definition-in-page.h.patch @@ -0,0 +1,36 @@ +From b875c61b79d4f1c9a74bb8dc8bd8fa4cbdab9a4f Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Wed, 27 Apr 2016 17:47:08 +0100 +Subject: arm64: kernel: Include _AC definition in page.h + +[ Upstream commit 812264550dcba6cdbe84bfac2f27e7d23b5b8733 ] + +page.h uses '_AC' in the definition of PAGE_SIZE, but doesn't include +linux/const.h where this is defined. This produces build warnings when only +asm/page.h is included by asm code. + +Signed-off-by: James Morse +Acked-by: Mark Rutland +Acked-by: Catalin Marinas +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/page.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/include/asm/page.h b/arch/arm64/include/asm/page.h +index 9b2f5a9d019d..fbafd0ad16df 100644 +--- a/arch/arm64/include/asm/page.h ++++ b/arch/arm64/include/asm/page.h +@@ -19,6 +19,8 @@ + #ifndef __ASM_PAGE_H + #define __ASM_PAGE_H + ++#include ++ + /* PAGE_SHIFT determines the page size */ + /* CONT_SHIFT determines the number of pages which can be tracked together */ + #ifdef CONFIG_ARM64_64K_PAGES +-- +2.19.1 + diff --git a/queue-4.4/asm-generic-fix-local-variable-shadow-in-__set_fixma.patch b/queue-4.4/asm-generic-fix-local-variable-shadow-in-__set_fixma.patch new file mode 100644 index 00000000000..7bc67837199 --- /dev/null +++ b/queue-4.4/asm-generic-fix-local-variable-shadow-in-__set_fixma.patch @@ -0,0 +1,54 @@ +From 7946bf63085a1c37d9b36f08e3c0e089df794e0d Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Mon, 25 Jan 2016 11:44:55 +0000 +Subject: asm-generic: Fix local variable shadow in __set_fixmap_offset + +[ Upstream commit 3694bd76781b76c4f8d2ecd85018feeb1609f0e5 ] + +Currently __set_fixmap_offset is a macro function which has a local +variable called 'addr'. If a caller passes a 'phys' parameter which is +derived from a variable also called 'addr', the local variable will +shadow this, and the compiler will complain about the use of an +uninitialized variable. To avoid the issue with namespace clashes, +'addr' is prefixed with a liberal sprinkling of underscores. + +Turning __set_fixmap_offset into a static inline breaks the build for +several architectures. Fixing this properly requires updates to a number +of architectures to make them agree on the prototype of __set_fixmap (it +could be done as a subsequent patch series). + +Signed-off-by: Mark Rutland +Cc: Arnd Bergmann +[catalin.marinas@arm.com: squashed the original function patch and macro fixup] +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + include/asm-generic/fixmap.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/include/asm-generic/fixmap.h b/include/asm-generic/fixmap.h +index 1cbb8338edf3..827e4d3bbc7a 100644 +--- a/include/asm-generic/fixmap.h ++++ b/include/asm-generic/fixmap.h +@@ -70,12 +70,12 @@ static inline unsigned long virt_to_fix(const unsigned long vaddr) + #endif + + /* Return a pointer with offset calculated */ +-#define __set_fixmap_offset(idx, phys, flags) \ +-({ \ +- unsigned long addr; \ +- __set_fixmap(idx, phys, flags); \ +- addr = fix_to_virt(idx) + ((phys) & (PAGE_SIZE - 1)); \ +- addr; \ ++#define __set_fixmap_offset(idx, phys, flags) \ ++({ \ ++ unsigned long ________addr; \ ++ __set_fixmap(idx, phys, flags); \ ++ ________addr = fix_to_virt(idx) + ((phys) & (PAGE_SIZE - 1)); \ ++ ________addr; \ + }) + + #define set_fixmap_offset(idx, phys) \ +-- +2.19.1 + diff --git a/queue-4.4/cfg80211-size-various-nl80211-messages-correctly.patch b/queue-4.4/cfg80211-size-various-nl80211-messages-correctly.patch new file mode 100644 index 00000000000..50deeca4d2f --- /dev/null +++ b/queue-4.4/cfg80211-size-various-nl80211-messages-correctly.patch @@ -0,0 +1,109 @@ +From ba7306fbf272d5613819f04965e95c03fa1e764c Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Mon, 9 Jan 2017 11:10:42 +0100 +Subject: cfg80211: size various nl80211 messages correctly + +[ Upstream commit 4ef8c1c93f848e360754f10eb2e7134c872b6597 ] + +Ilan reported that sometimes nl80211 messages weren't working if +the frames being transported got very large, which was really a +problem for userspace-to-kernel messages, but prompted me to look +at the code. + +Upon review, I found various places where variable-length data is +transported in an nl80211 message but the message isn't allocated +taking that into account. This shouldn't cause any problems since +the frames aren't really that long, apart in one place where two +(possibly very long frames) might not fit. + +Fix all the places (that I found) that get variable length data +from the driver and put it into a message to take the length of +the variable data into account. The 100 there is just a safe +constant for the remaining message overhead (it's usually around +50 for most messages.) + +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 642a78079ae1..81013490a99f 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -11721,7 +11721,7 @@ static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev, + struct sk_buff *msg; + void *hdr; + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); ++ msg = nlmsg_new(100 + len, gfp); + if (!msg) + return; + +@@ -11873,7 +11873,7 @@ void nl80211_send_connect_result(struct cfg80211_registered_device *rdev, + struct sk_buff *msg; + void *hdr; + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); ++ msg = nlmsg_new(100 + req_ie_len + resp_ie_len, gfp); + if (!msg) + return; + +@@ -11913,7 +11913,7 @@ void nl80211_send_roamed(struct cfg80211_registered_device *rdev, + struct sk_buff *msg; + void *hdr; + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); ++ msg = nlmsg_new(100 + req_ie_len + resp_ie_len, gfp); + if (!msg) + return; + +@@ -11951,7 +11951,7 @@ void nl80211_send_disconnected(struct cfg80211_registered_device *rdev, + struct sk_buff *msg; + void *hdr; + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); ++ msg = nlmsg_new(100 + ie_len, GFP_KERNEL); + if (!msg) + return; + +@@ -12028,7 +12028,7 @@ void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr, + + trace_cfg80211_notify_new_peer_candidate(dev, addr); + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); ++ msg = nlmsg_new(100 + ie_len, gfp); + if (!msg) + return; + +@@ -12397,7 +12397,7 @@ int nl80211_send_mgmt(struct cfg80211_registered_device *rdev, + struct sk_buff *msg; + void *hdr; + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); ++ msg = nlmsg_new(100 + len, gfp); + if (!msg) + return -ENOMEM; + +@@ -12440,7 +12440,7 @@ void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie, + + trace_cfg80211_mgmt_tx_status(wdev, cookie, ack); + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); ++ msg = nlmsg_new(100 + len, gfp); + if (!msg) + return; + +@@ -13244,7 +13244,7 @@ void cfg80211_ft_event(struct net_device *netdev, + if (!ft_event->target_ap) + return; + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); ++ msg = nlmsg_new(100 + ft_event->ric_ies_len, GFP_KERNEL); + if (!msg) + return; + +-- +2.19.1 + diff --git a/queue-4.4/coresight-coresight_unregister-function-cleanup.patch b/queue-4.4/coresight-coresight_unregister-function-cleanup.patch new file mode 100644 index 00000000000..bda8e8c231e --- /dev/null +++ b/queue-4.4/coresight-coresight_unregister-function-cleanup.patch @@ -0,0 +1,48 @@ +From 6625ab3319db8e942a99634560beda2aaef8c89b Mon Sep 17 00:00:00 2001 +From: Mathieu Poirier +Date: Tue, 2 Feb 2016 14:13:57 -0700 +Subject: coresight: coresight_unregister() function cleanup + +[ Upstream commit fae54158792aec705620bdc3938d342879204f0c ] + +In its current form the code never frees csdev->refcnt allocated +in coresight_register(). There is also a problem with csdev->conns +that is freed before device_unregister() rather than in the device +release function. + +This patch addresses both issues by moving kfree(csdev->conns) to +coresight_device_release() and freeing csdev->refcnt, also in +the same function. + +Reported-by: Rabin Vincent +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwtracing/coresight/coresight.c b/drivers/hwtracing/coresight/coresight.c +index 84fc60318f79..a7d1edbf3340 100644 +--- a/drivers/hwtracing/coresight/coresight.c ++++ b/drivers/hwtracing/coresight/coresight.c +@@ -484,6 +484,8 @@ static void coresight_device_release(struct device *dev) + { + struct coresight_device *csdev = to_coresight_device(dev); + ++ kfree(csdev->conns); ++ kfree(csdev->refcnt); + kfree(csdev); + } + +@@ -716,7 +718,6 @@ EXPORT_SYMBOL_GPL(coresight_register); + + void coresight_unregister(struct coresight_device *csdev) + { +- kfree(csdev->conns); + device_unregister(&csdev->dev); + } + EXPORT_SYMBOL_GPL(coresight_unregister); +-- +2.19.1 + diff --git a/queue-4.4/coresight-device_attr_ro-should-defined-as-static.patch b/queue-4.4/coresight-device_attr_ro-should-defined-as-static.patch new file mode 100644 index 00000000000..74432b70765 --- /dev/null +++ b/queue-4.4/coresight-device_attr_ro-should-defined-as-static.patch @@ -0,0 +1,59 @@ +From d81faeaca54ee0a30246db002524edc05fcad84f Mon Sep 17 00:00:00 2001 +From: Eric Long +Date: Wed, 17 Feb 2016 17:51:43 -0700 +Subject: coresight: "DEVICE_ATTR_RO" should defined as static. + +[ Upstream commit bf16e5b8cdeabc1fe6565af0be475bb2084dc388 ] + +"DEVICE_ATTR_RO(name)" should be defined as static. And +there is an unnecessary space at the front of the code. + +The sparse tool output logs as the following: +coresight-etm4x.c:2224:1: warning: symbol 'dev_attr_trcoslsr' was +not declared. Should it be static? +coresight-etm4x.c:2225:1: warning: symbol 'dev_attr_trcpdcr' was +not declared. Should it be static? +coresight-etm4x.c:2226:1: warning: symbol 'dev_attr_trcpdsr' was +not declared. Should it be static? +And the smatch tool output logs as the following: +of_coresight.c:89 of_coresight_alloc_memory() warn: +inconsistent indenting + +Signed-off-by: Eric Long +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-etm4x.c | 2 +- + drivers/hwtracing/coresight/of_coresight.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-etm4x.c b/drivers/hwtracing/coresight/coresight-etm4x.c +index a6707642bb23..1ec6798b21e8 100644 +--- a/drivers/hwtracing/coresight/coresight-etm4x.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x.c +@@ -2219,7 +2219,7 @@ static ssize_t name##_show(struct device *_dev, \ + return scnprintf(buf, PAGE_SIZE, "0x%x\n", \ + readl_relaxed(drvdata->base + offset)); \ + } \ +-DEVICE_ATTR_RO(name) ++static DEVICE_ATTR_RO(name) + + coresight_simple_func(trcoslsr, TRCOSLSR); + coresight_simple_func(trcpdcr, TRCPDCR); +diff --git a/drivers/hwtracing/coresight/of_coresight.c b/drivers/hwtracing/coresight/of_coresight.c +index 7d2bb1549608..fb7597b1c66f 100644 +--- a/drivers/hwtracing/coresight/of_coresight.c ++++ b/drivers/hwtracing/coresight/of_coresight.c +@@ -86,7 +86,7 @@ static int of_coresight_alloc_memory(struct device *dev, + return -ENOMEM; + + /* Children connected to this component via @outports */ +- pdata->child_names = devm_kzalloc(dev, pdata->nr_outport * ++ pdata->child_names = devm_kzalloc(dev, pdata->nr_outport * + sizeof(*pdata->child_names), + GFP_KERNEL); + if (!pdata->child_names) +-- +2.19.1 + diff --git a/queue-4.4/coresight-etm4x-check-every-parameter-used-by-dma_xx.patch b/queue-4.4/coresight-etm4x-check-every-parameter-used-by-dma_xx.patch new file mode 100644 index 00000000000..df2f3379d3c --- /dev/null +++ b/queue-4.4/coresight-etm4x-check-every-parameter-used-by-dma_xx.patch @@ -0,0 +1,56 @@ +From de75ae6e6787c7577f8c052373f7f51131bd7973 Mon Sep 17 00:00:00 2001 +From: Eric Long +Date: Wed, 17 Feb 2016 17:51:44 -0700 +Subject: coresight: etm4x: Check every parameter used by dma_xx_coherent. + +[ Upstream commit 61390593f72377c3a8f41ef998462e2d3985adac ] + +The dma_alloc_coherent return an "void *" not an "void __iomen *". +It uses the wrong parameters when calls dma_free_coherent function. + +The sparse tool output logs as the following: +coresight-tmc.c:199:23: expected void * +coresight-tmc.c:199:23: got void [noderef] *vaddr +coresight-tmc.c:336:30: warning: incorrect type in assignment +(different address spaces) +coresight-tmc.c:336:30: expected char *buf +coresight-tmc.c:336:30: got void [noderef] * +coresight-tmc.c:769:50: warning: incorrect type in argument 4 +(different base types) +coresight-tmc.c:769:50: expected unsigned long long +[unsigned] [usertype] dma_handle +coresight-tmc.c:769:50: got restricted gfp_t + +Signed-off-by: Eric Long +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-tmc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-tmc.c b/drivers/hwtracing/coresight/coresight-tmc.c +index a57c7ec1661f..62f9d7372e3a 100644 +--- a/drivers/hwtracing/coresight/coresight-tmc.c ++++ b/drivers/hwtracing/coresight/coresight-tmc.c +@@ -124,7 +124,7 @@ struct tmc_drvdata { + bool reading; + char *buf; + dma_addr_t paddr; +- void __iomem *vaddr; ++ void *vaddr; + u32 size; + bool enable; + enum tmc_config_type config_type; +@@ -766,7 +766,7 @@ static int tmc_probe(struct amba_device *adev, const struct amba_id *id) + err_devm_kzalloc: + if (drvdata->config_type == TMC_CONFIG_TYPE_ETR) + dma_free_coherent(dev, drvdata->size, +- &drvdata->paddr, GFP_KERNEL); ++ drvdata->vaddr, drvdata->paddr); + return ret; + } + +-- +2.19.1 + diff --git a/queue-4.4/coresight-fixing-lockdep-error.patch b/queue-4.4/coresight-fixing-lockdep-error.patch new file mode 100644 index 00000000000..a0f638413ec --- /dev/null +++ b/queue-4.4/coresight-fixing-lockdep-error.patch @@ -0,0 +1,158 @@ +From 474e88c98233b5698d11ca6e76839b1576681d38 Mon Sep 17 00:00:00 2001 +From: Mathieu Poirier +Date: Tue, 2 Feb 2016 14:13:56 -0700 +Subject: coresight: fixing lockdep error + +[ Upstream commit a9ddc71f5840c2711e530f2e055b278f79948b29 ] + +On some platform the following lockdep error occurs when doing simple +manipulations: + + [ 23.197021] + [ 23.198608] ====================================================== + [ 23.205078] [ INFO: possible circular locking dependency detected ] + [ 23.211639] 4.4.0-rc8-00025-gbbf360b #172 Not tainted + [ 23.216918] ------------------------------------------------------- + [ 23.223480] sh/858 is trying to acquire lock: + [ 23.228057] (coresight_mutex){+.+.+.}, at: [] coresight_enable+0x1c/0x1b4 + [ 23.236206] + [ 23.236206] but task is already holding lock: + [ 23.242309] (s_active#52){++++.+}, at: [] kernfs_fop_write+0x5c/0x1c0 + [ 23.250122] + [ 23.250122] which lock already depends on the new lock. + [ 23.250122] + [ 23.258697] + [ 23.258697] the existing dependency chain (in reverse order) is: + [ 23.266510] + -> #1 (s_active#52){++++.+}: + [ 23.270843] [] __kernfs_remove+0x294/0x35c + [ 23.276672] [] kernfs_remove_by_name_ns+0x44/0x8c + [ 23.283172] [] remove_files+0x3c/0x84 + [ 23.288543] [] sysfs_remove_group+0x48/0x9c + [ 23.294494] [] sysfs_remove_groups+0x2c/0x3c + [ 23.300506] [] device_remove_attrs+0x5c/0x74 + [ 23.306549] [] device_del+0x110/0x218 + [ 23.311950] [] device_unregister+0x2c/0x6c + [ 23.317779] [] coresight_unregister+0x30/0x40 + [ 23.323883] [] etm_probe+0x228/0x2e8 + [ 23.329193] [] amba_probe+0xe4/0x160 + [ 23.334503] [] driver_probe_device+0x23c/0x480 + [ 23.340728] [] __driver_attach+0x9c/0xa0 + [ 23.346374] [] bus_for_each_dev+0x70/0xa4 + [ 23.352142] [] driver_attach+0x24/0x28 + [ 23.357604] [] bus_add_driver+0x1e0/0x278 + [ 23.363372] [] driver_register+0x80/0x100 + [ 23.369110] [] amba_driver_register+0x58/0x5c + [ 23.375244] [] etm_driver_init+0x18/0x1c + [ 23.380889] [] do_one_initcall+0xc4/0x20c + [ 23.386657] [] kernel_init_freeable+0x160/0x208 + [ 23.392974] [] kernel_init+0x18/0xf0 + [ 23.398254] [] ret_from_fork+0x14/0x24 + [ 23.403747] + -> #0 (coresight_mutex){+.+.+.}: + [ 23.408447] [] lock_acquire+0xe4/0x210 + [ 23.413909] [] mutex_lock_nested+0x74/0x450 + [ 23.419860] [] coresight_enable+0x1c/0x1b4 + [ 23.425689] [] enable_source_store+0x58/0x68 + [ 23.431732] [] dev_attr_store+0x20/0x2c + [ 23.437286] [] sysfs_kf_write+0x50/0x54 + [ 23.442871] [] kernfs_fop_write+0xc4/0x1c0 + [ 23.448699] [] __vfs_write+0x34/0xe4 + [ 23.454040] [] vfs_write+0x98/0x174 + [ 23.459228] [] SyS_write+0x4c/0xa8 + [ 23.464355] [] ret_fast_syscall+0x0/0x1c + [ 23.470031] + [ 23.470031] other info that might help us debug this: + [ 23.470031] + [ 23.478393] Possible unsafe locking scenario: + [ 23.478393] + [ 23.484619] CPU0 CPU1 + [ 23.489349] ---- ---- + [ 23.494079] lock(s_active#52); + [ 23.497497] lock(coresight_mutex); + [ 23.503906] lock(s_active#52); + [ 23.509918] lock(coresight_mutex); + [ 23.513702] + [ 23.513702] *** DEADLOCK *** + [ 23.513702] + [ 23.519897] 3 locks held by sh/858: + [ 23.523529] #0: (sb_writers#7){.+.+.+}, at: [] __sb_start_write+0xa8/0xd4 + [ 23.531799] #1: (&of->mutex){+.+...}, at: [] kernfs_fop_write+0x54/0x1c0 + [ 23.539916] #2: (s_active#52){++++.+}, at: [] kernfs_fop_write+0x5c/0x1c0 + [ 23.548156] + [ 23.548156] stack backtrace: + [ 23.552734] CPU: 0 PID: 858 Comm: sh Not tainted 4.4.0-rc8-00025-gbbf360b #172 + [ 23.560302] Hardware name: Generic OMAP4 (Flattened Device Tree) + [ 23.566589] Backtrace: + [ 23.569152] [] (dump_backtrace) from [] (show_stack+0x18/0x1c) + [ 23.577087] r7:ed4b8570 r6:c0936400 r5:c07ae71c r4:00000000 + [ 23.583038] [] (show_stack) from [] (dump_stack+0x98/0xc0) + [ 23.590606] [] (dump_stack) from [] (print_circular_bug+0x21c/0x33c) + [ 23.599090] r5:c0939d60 r4:c0936400 + [ 23.602874] [] (print_circular_bug) from [] (__lock_acquire+0x1c98/0x1d88) + [ 23.611877] r10:00000003 r9:c0fd7a5c r8:ed4b8550 r7:ed4b8570 r6:ed4b8000 r5:c0ff69e4 + [ 23.620117] r4:c0936400 r3:ed4b8550 + [ 23.623901] [] (__lock_acquire) from [] (lock_acquire+0xe4/0x210) + [ 23.632080] r10:00000000 r9:00000000 r8:60000013 r7:c07cb7b4 r6:00000001 r5:00000000 + [ 23.640350] r4:00000000 + [ 23.643005] [] (lock_acquire) from [] (mutex_lock_nested+0x74/0x450) + [ 23.651458] r10:ecc0bf80 r9:edbe7dcc r8:ed4b8000 r7:c0fd7a5c r6:c0415d40 r5:00000000 + [ 23.659729] r4:c07cb780 + [ 23.662384] [] (mutex_lock_nested) from [] (coresight_enable+0x1c/0x1b4) + [ 23.671234] r10:ecc0bf80 r9:edbe7dcc r8:ed733c00 r7:00000000 r6:ed733c00 r5:00000002 + [ 23.679473] r4:ed762140 + [ 23.682128] [] (coresight_enable) from [] (enable_source_store+0x58/0x68) + [ 23.691070] r7:00000000 r6:ed733c00 r5:00000002 r4:ed762160 + [ 23.697052] [] (enable_source_store) from [] (dev_attr_store+0x20/0x2c) + [ 23.705780] r5:edbe7dc0 r4:c0415fd8 + [ 23.709533] [] (dev_attr_store) from [] (sysfs_kf_write+0x50/0x54) + [ 23.717834] r5:edbe7dc0 r4:c030b338 + [ 23.721618] [] (sysfs_kf_write) from [] (kernfs_fop_write+0xc4/0x1c0) + [ 23.730163] r7:00000000 r6:00000000 r5:00000002 r4:edbe7dc0 + [ 23.736145] [] (kernfs_fop_write) from [] (__vfs_write+0x34/0xe4) + [ 23.744323] r10:00000000 r9:ecc0a000 r8:c0010964 r7:ecc0bf80 r6:00000002 r5:c01d4ae4 + [ 23.752593] r4:ee385a40 + [ 23.755249] [] (__vfs_write) from [] (vfs_write+0x98/0x174) + [ 23.762908] r9:ecc0a000 r8:c0010964 r7:ecc0bf80 r6:000ab0d8 r5:00000002 r4:ee385a40 + [ 23.771057] [] (vfs_write) from [] (SyS_write+0x4c/0xa8) + [ 23.778442] r8:c0010964 r7:00000002 r6:000ab0d8 r5:ee385a40 r4:ee385a40 + [ 23.785522] [] (SyS_write) from [] (ret_fast_syscall+0x0/0x1c) + [ 23.793457] r7:00000004 r6:00000001 r5:000ab0d8 r4:00000002 + [ 23.799652] coresight-etb10 54162000.etb: ETB enabled + [ 23.805084] coresight-funnel 54164000.funnel: FUNNEL inport 0 enabled + [ 23.811859] coresight-replicator 44000000.ocp:replicator: REPLICATOR enabled + [ 23.819335] coresight-funnel 54158000.funnel: FUNNEL inport 0 enabled + [ 23.826110] coresight-etm3x 5414c000.ptm: ETM tracing enabled + +The locking in coresight_unregister() is not required as the only customers of +the function are drivers themselves when an initialisation failure has been +encoutered. + +Reported-by: Rabin Vincent +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight.c b/drivers/hwtracing/coresight/coresight.c +index 902ee6efd09c..84fc60318f79 100644 +--- a/drivers/hwtracing/coresight/coresight.c ++++ b/drivers/hwtracing/coresight/coresight.c +@@ -716,12 +716,8 @@ EXPORT_SYMBOL_GPL(coresight_register); + + void coresight_unregister(struct coresight_device *csdev) + { +- mutex_lock(&coresight_mutex); +- + kfree(csdev->conns); + device_unregister(&csdev->dev); +- +- mutex_unlock(&coresight_mutex); + } + EXPORT_SYMBOL_GPL(coresight_unregister); + +-- +2.19.1 + diff --git a/queue-4.4/coresight-release-reference-taken-by-bus_find_device.patch b/queue-4.4/coresight-release-reference-taken-by-bus_find_device.patch new file mode 100644 index 00000000000..4317ad069f5 --- /dev/null +++ b/queue-4.4/coresight-release-reference-taken-by-bus_find_device.patch @@ -0,0 +1,35 @@ +From f3a304b7fc07a0f1d8afdb9cc92645e37df7a9d2 Mon Sep 17 00:00:00 2001 +From: Mathieu Poirier +Date: Tue, 2 Feb 2016 14:13:58 -0700 +Subject: coresight: release reference taken by 'bus_find_device()' + +[ Upstream commit f2dfab3568fc32afeac8b698481e80e7ab2dc658 ] + +The reference count taken by function bus_find_device() needs +to be released if a child device is found, something this patch +is adding. + +Reported-by: Rabin Vincent +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hwtracing/coresight/coresight.c b/drivers/hwtracing/coresight/coresight.c +index a7d1edbf3340..5e2a2a5ad601 100644 +--- a/drivers/hwtracing/coresight/coresight.c ++++ b/drivers/hwtracing/coresight/coresight.c +@@ -573,6 +573,8 @@ static void coresight_fixup_device_conns(struct coresight_device *csdev) + + if (dev) { + conn->child_dev = to_coresight_device(dev); ++ /* and put reference from 'bus_find_device()' */ ++ put_device(dev); + } else { + csdev->orphan = true; + conn->child_dev = NULL; +-- +2.19.1 + diff --git a/queue-4.4/coresight-remove-csdev-s-link-from-topology.patch b/queue-4.4/coresight-remove-csdev-s-link-from-topology.patch new file mode 100644 index 00000000000..27bfb343313 --- /dev/null +++ b/queue-4.4/coresight-remove-csdev-s-link-from-topology.patch @@ -0,0 +1,86 @@ +From 3b1be5512461aff2f7bb60a391ce0369922f6d59 Mon Sep 17 00:00:00 2001 +From: Mathieu Poirier +Date: Tue, 2 Feb 2016 14:13:59 -0700 +Subject: coresight: remove csdev's link from topology + +[ Upstream commit ad725aee070caf8fa93d84d6fb78321f9642db18 ] + +In function 'coresight_unregister()', all references to the csdev that +is being taken away need to be removed from the topology. Otherwise +building the next coresight path from source to sink may use memory +that has been released. + +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight.c | 46 +++++++++++++++++++++++++ + 1 file changed, 46 insertions(+) + +diff --git a/drivers/hwtracing/coresight/coresight.c b/drivers/hwtracing/coresight/coresight.c +index 5e2a2a5ad601..c6aea4795d0b 100644 +--- a/drivers/hwtracing/coresight/coresight.c ++++ b/drivers/hwtracing/coresight/coresight.c +@@ -582,6 +582,50 @@ static void coresight_fixup_device_conns(struct coresight_device *csdev) + } + } + ++static int coresight_remove_match(struct device *dev, void *data) ++{ ++ int i; ++ struct coresight_device *csdev, *iterator; ++ struct coresight_connection *conn; ++ ++ csdev = data; ++ iterator = to_coresight_device(dev); ++ ++ /* No need to check oneself */ ++ if (csdev == iterator) ++ return 0; ++ ++ /* ++ * Circle throuch all the connection of that component. If we find ++ * a connection whose name matches @csdev, remove it. ++ */ ++ for (i = 0; i < iterator->nr_outport; i++) { ++ conn = &iterator->conns[i]; ++ ++ if (conn->child_dev == NULL) ++ continue; ++ ++ if (!strcmp(dev_name(&csdev->dev), conn->child_name)) { ++ iterator->orphan = true; ++ conn->child_dev = NULL; ++ /* No need to continue */ ++ break; ++ } ++ } ++ ++ /* ++ * Returning '0' ensures that all known component on the ++ * bus will be checked. ++ */ ++ return 0; ++} ++ ++static void coresight_remove_conns(struct coresight_device *csdev) ++{ ++ bus_for_each_dev(&coresight_bustype, NULL, ++ csdev, coresight_remove_match); ++} ++ + /** + * coresight_timeout - loop until a bit has changed to a specific state. + * @addr: base address of the area of interest. +@@ -720,6 +764,8 @@ EXPORT_SYMBOL_GPL(coresight_register); + + void coresight_unregister(struct coresight_device *csdev) + { ++ /* Remove references of that device in the topology */ ++ coresight_remove_conns(csdev); + device_unregister(&csdev->dev); + } + EXPORT_SYMBOL_GPL(coresight_unregister); +-- +2.19.1 + diff --git a/queue-4.4/cpu-hotplug-handle-unbalanced-hotplug-enable-disable.patch b/queue-4.4/cpu-hotplug-handle-unbalanced-hotplug-enable-disable.patch new file mode 100644 index 00000000000..175d81079f8 --- /dev/null +++ b/queue-4.4/cpu-hotplug-handle-unbalanced-hotplug-enable-disable.patch @@ -0,0 +1,59 @@ +From bbe2c87d36fb253b9d025ffe8452afde01284514 Mon Sep 17 00:00:00 2001 +From: Lianwei Wang +Date: Thu, 9 Jun 2016 23:43:28 -0700 +Subject: cpu/hotplug: Handle unbalanced hotplug enable/disable + +[ Upstream commit 01b41159066531cc8d664362ff0cd89dd137bbfa ] + +When cpu_hotplug_enable() is called unbalanced w/o a preceeding +cpu_hotplug_disable() the code emits a warning, but happily decrements the +disabled counter. This causes the next operations to malfunction. + +Prevent the decrement and just emit a warning. + +Signed-off-by: Lianwei Wang +Cc: peterz@infradead.org +Cc: linux-pm@vger.kernel.org +Cc: oleg@redhat.com +Link: http://lkml.kernel.org/r/1465541008-12476-1-git-send-email-lianwei.wang@gmail.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Sasha Levin +--- + kernel/cpu.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/kernel/cpu.c b/kernel/cpu.c +index 40d20bf5de28..42ce0b0ae5c5 100644 +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -183,10 +183,17 @@ void cpu_hotplug_disable(void) + } + EXPORT_SYMBOL_GPL(cpu_hotplug_disable); + ++static void __cpu_hotplug_enable(void) ++{ ++ if (WARN_ONCE(!cpu_hotplug_disabled, "Unbalanced cpu hotplug enable\n")) ++ return; ++ cpu_hotplug_disabled--; ++} ++ + void cpu_hotplug_enable(void) + { + cpu_maps_update_begin(); +- WARN_ON(--cpu_hotplug_disabled < 0); ++ __cpu_hotplug_enable(); + cpu_maps_update_done(); + } + EXPORT_SYMBOL_GPL(cpu_hotplug_enable); +@@ -626,7 +633,7 @@ void enable_nonboot_cpus(void) + + /* Allow everyone to use the CPU hotplug again */ + cpu_maps_update_begin(); +- WARN_ON(--cpu_hotplug_disabled < 0); ++ __cpu_hotplug_enable(); + if (cpumask_empty(frozen_cpus)) + goto out; + +-- +2.19.1 + diff --git a/queue-4.4/efi-stub-define-disable_branch_profiling-for-all-arc.patch b/queue-4.4/efi-stub-define-disable_branch_profiling-for-all-arc.patch new file mode 100644 index 00000000000..d8efa17efc1 --- /dev/null +++ b/queue-4.4/efi-stub-define-disable_branch_profiling-for-all-arc.patch @@ -0,0 +1,45 @@ +From 9f7f22fa0564842d239de686eb66a7ddd30abf50 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 23 Dec 2015 10:29:28 +0100 +Subject: efi: stub: define DISABLE_BRANCH_PROFILING for all architectures + +[ Upstream commit b523e185bba36164ca48a190f5468c140d815414 ] + +This moves the DISABLE_BRANCH_PROFILING define from the x86 specific +to the general CFLAGS definition for the stub. This fixes build errors +when building for arm64 with CONFIG_PROFILE_ALL_BRANCHES_ENABLED. + +Reviewed-by: Matt Fleming +Reported-by: Will Deacon +Signed-off-by: Ard Biesheuvel +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile +index 88bd6829a358..edb45f72b34c 100644 +--- a/drivers/firmware/efi/libstub/Makefile ++++ b/drivers/firmware/efi/libstub/Makefile +@@ -8,7 +8,7 @@ cflags-$(CONFIG_X86_32) := -march=i386 + cflags-$(CONFIG_X86_64) := -mcmodel=small + cflags-$(CONFIG_X86) += -m$(BITS) -D__KERNEL__ $(LINUX_INCLUDE) -O2 \ + -fPIC -fno-strict-aliasing -mno-red-zone \ +- -mno-mmx -mno-sse -DDISABLE_BRANCH_PROFILING ++ -mno-mmx -mno-sse + + cflags-$(CONFIG_ARM64) := $(subst -pg,,$(KBUILD_CFLAGS)) -fpie + cflags-$(CONFIG_ARM) := $(subst -pg,,$(KBUILD_CFLAGS)) \ +@@ -16,7 +16,7 @@ cflags-$(CONFIG_ARM) := $(subst -pg,,$(KBUILD_CFLAGS)) \ + + cflags-$(CONFIG_EFI_ARMSTUB) += -I$(srctree)/scripts/dtc/libfdt + +-KBUILD_CFLAGS := $(cflags-y) \ ++KBUILD_CFLAGS := $(cflags-y) -DDISABLE_BRANCH_PROFILING \ + $(call cc-option,-ffreestanding) \ + $(call cc-option,-fno-stack-protector) + +-- +2.19.1 + diff --git a/queue-4.4/hid-sensor-hub.c-fix-wrong-do_div-usage.patch b/queue-4.4/hid-sensor-hub.c-fix-wrong-do_div-usage.patch new file mode 100644 index 00000000000..1962d1876f1 --- /dev/null +++ b/queue-4.4/hid-sensor-hub.c-fix-wrong-do_div-usage.patch @@ -0,0 +1,32 @@ +From cf784aacc096dc61b0192fe500bfdb518663716b Mon Sep 17 00:00:00 2001 +From: Nicolas Pitre +Date: Tue, 3 Nov 2015 17:01:46 -0500 +Subject: hid-sensor-hub.c: fix wrong do_div() usage + +[ Upstream commit 8d43b49e7e0070f96ac46d30659a336c0224fa0b ] + +do_div() must only be used with a u64 dividend. + +Signed-off-by: Nicolas Pitre +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-sensor-hub.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c +index 92870cdb52d9..8efaa88329aa 100644 +--- a/drivers/hid/hid-sensor-hub.c ++++ b/drivers/hid/hid-sensor-hub.c +@@ -218,7 +218,8 @@ int sensor_hub_set_feature(struct hid_sensor_hub_device *hsdev, u32 report_id, + goto done_proc; + } + +- remaining_bytes = do_div(buffer_size, sizeof(__s32)); ++ remaining_bytes = buffer_size % sizeof(__s32); ++ buffer_size = buffer_size / sizeof(__s32); + if (buffer_size) { + for (i = 0; i < buffer_size; ++i) { + hid_set_field(report->field[field_index], i, +-- +2.19.1 + diff --git a/queue-4.4/ipv6-fix-endianness-error-in-icmpv6_err.patch b/queue-4.4/ipv6-fix-endianness-error-in-icmpv6_err.patch new file mode 100644 index 00000000000..6ad5ce9f1ec --- /dev/null +++ b/queue-4.4/ipv6-fix-endianness-error-in-icmpv6_err.patch @@ -0,0 +1,36 @@ +From a3d914e582a7a7d690428c844b83f624095996ba Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Sat, 11 Jun 2016 20:32:06 +0200 +Subject: ipv6: fix endianness error in icmpv6_err + +[ Upstream commit dcb94b88c09ce82a80e188d49bcffdc83ba215a6 ] + +IPv6 ping socket error handler doesn't correctly convert the new 32 bit +mtu to host endianness before using. + +Cc: Lorenzo Colitti +Fixes: 6d0bfe22611602f ("net: ipv6: Add IPv6 support to the ping socket.") +Signed-off-by: Hannes Frederic Sowa +Acked-by: Lorenzo Colitti +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/icmp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c +index 0a37ddc7af51..3697cd08c515 100644 +--- a/net/ipv6/icmp.c ++++ b/net/ipv6/icmp.c +@@ -98,7 +98,7 @@ static void icmpv6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, + + if (!(type & ICMPV6_INFOMSG_MASK)) + if (icmp6->icmp6_type == ICMPV6_ECHO_REQUEST) +- ping_err(skb, offset, info); ++ ping_err(skb, offset, ntohl(info)); + } + + static int icmpv6_rcv(struct sk_buff *skb); +-- +2.19.1 + diff --git a/queue-4.4/mac80211-fix-warning-target_metric-may-be-used-unini.patch b/queue-4.4/mac80211-fix-warning-target_metric-may-be-used-unini.patch new file mode 100644 index 00000000000..7f78805d027 --- /dev/null +++ b/queue-4.4/mac80211-fix-warning-target_metric-may-be-used-unini.patch @@ -0,0 +1,42 @@ +From 6974530abbff214d7930b1a121f54d4720b42861 Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Mon, 4 Apr 2016 14:15:23 -0400 +Subject: =?UTF-8?q?mac80211:=20fix=20"warning:=20=E2=80=98target=5Fmetric?= + =?UTF-8?q?=E2=80=99=20may=20be=20used=20uninitialized"?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit b4201cc4fc6e1c57d6d306b1f787865043d60129 ] + +This fixes: + +net/mac80211/mesh_hwmp.c:603:26: warning: ‘target_metric’ may be used uninitialized in this function + +target_metric is only consumed when reply = true so no bug exists here, +but not all versions of gcc realize it. Initialize to 0 to remove the +warning. + +Signed-off-by: Jeff Mahoney +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh_hwmp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c +index 33d5271a9e32..466922f09d04 100644 +--- a/net/mac80211/mesh_hwmp.c ++++ b/net/mac80211/mesh_hwmp.c +@@ -530,7 +530,7 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata, + const u8 *target_addr, *orig_addr; + const u8 *da; + u8 target_flags, ttl, flags; +- u32 orig_sn, target_sn, lifetime, target_metric; ++ u32 orig_sn, target_sn, lifetime, target_metric = 0; + bool reply = false; + bool forward = true; + bool root_is_gate; +-- +2.19.1 + diff --git a/queue-4.4/mmc-block-allow-more-than-8-partitions-per-card.patch b/queue-4.4/mmc-block-allow-more-than-8-partitions-per-card.patch new file mode 100644 index 00000000000..e4ee379cd87 --- /dev/null +++ b/queue-4.4/mmc-block-allow-more-than-8-partitions-per-card.patch @@ -0,0 +1,74 @@ +From e9932785f5b963b4950976da5cdff1611d7d460e Mon Sep 17 00:00:00 2001 +From: Colin Cross +Date: Thu, 22 Oct 2015 10:00:41 -0700 +Subject: mmc: block: Allow more than 8 partitions per card + +[ Upstream commit 382c55f88ffeb218c446bf0c46d0fc25d2795fe2 ] + +It is quite common for Android devices to utilize more +then 8 partitions on internal eMMC storage. + +The vanilla kernel can support this via +CONFIG_MMC_BLOCK_MINORS, however that solution caps the +system to 256 minors total, which limits the number of +mmc cards the system can support. + +This patch, which has been carried for quite awhile in +the AOSP common tree, provides an alternative solution +that doesn't seem to limit the total card count. So I +wanted to submit it for consideration upstream. + +This patch sets the GENHD_FL_EXT_DEVT flag, which will +allocate minor number in major 259 for partitions past +disk->minors. + +It also removes the use of disk_devt to determine devidx +from md->disk. md->disk->first_minor is always initialized +from devidx and can always be used to recover it. + +Cc: Ulf Hansson +Cc: Adrian Hunter +Cc: Ben Hutchings +Cc: Chuanxiao Dong +Cc: Shawn Lin +Cc: Austin S Hemmelgarn +Cc: Arnd Bergmann +Cc: Android Kernel Team +Cc: linux-mmc@vger.kernel.org +Signed-off-by: Colin Cross +[jstultz: Added context to commit message] +Signed-off-by: John Stultz +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/card/block.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c +index f2b733275a0a..c15b879c3070 100644 +--- a/drivers/mmc/card/block.c ++++ b/drivers/mmc/card/block.c +@@ -171,11 +171,7 @@ static struct mmc_blk_data *mmc_blk_get(struct gendisk *disk) + + static inline int mmc_get_devidx(struct gendisk *disk) + { +- int devmaj = MAJOR(disk_devt(disk)); +- int devidx = MINOR(disk_devt(disk)) / perdev_minors; +- +- if (!devmaj) +- devidx = disk->first_minor / perdev_minors; ++ int devidx = disk->first_minor / perdev_minors; + return devidx; + } + +@@ -2252,6 +2248,7 @@ static struct mmc_blk_data *mmc_blk_alloc_req(struct mmc_card *card, + md->disk->queue = md->queue.queue; + md->disk->driverfs_dev = parent; + set_disk_ro(md->disk, md->read_only || default_ro); ++ md->disk->flags = GENHD_FL_EXT_DEVT; + if (area_type & (MMC_BLK_DATA_AREA_RPMB | MMC_BLK_DATA_AREA_BOOT)) + md->disk->flags |= GENHD_FL_NO_PART_SCAN; + +-- +2.19.1 + diff --git a/queue-4.4/mmc-mmc-fix-switch-timeout-issue-caused-by-jiffies-p.patch b/queue-4.4/mmc-mmc-fix-switch-timeout-issue-caused-by-jiffies-p.patch new file mode 100644 index 00000000000..6105941c9d3 --- /dev/null +++ b/queue-4.4/mmc-mmc-fix-switch-timeout-issue-caused-by-jiffies-p.patch @@ -0,0 +1,34 @@ +From f473f662dbc59f645cacea775dab22680cc79754 Mon Sep 17 00:00:00 2001 +From: Chaotian Jing +Date: Thu, 19 May 2016 16:47:42 +0800 +Subject: mmc: mmc: fix switch timeout issue caused by jiffies precision + +[ Upstream commit 987aa5f8059613bf85cbb6f64ffbd34f5cb7a9d1 ] + +with CONFIG_HZ=100, the precision of jiffies is 10ms, and the +generic_cmd6_time of some card is also 10ms. then, may be current +time is only 5ms, but already timed out caused by jiffies precision. + +Signed-off-by: Chaotian Jing +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/mmc_ops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/core/mmc_ops.c b/drivers/mmc/core/mmc_ops.c +index 1f444269ebbe..76b49b9772d0 100644 +--- a/drivers/mmc/core/mmc_ops.c ++++ b/drivers/mmc/core/mmc_ops.c +@@ -542,7 +542,7 @@ int __mmc_switch(struct mmc_card *card, u8 set, u8 index, u8 value, + timeout_ms = MMC_OPS_TIMEOUT_MS; + + /* Must check status to be sure of no errors. */ +- timeout = jiffies + msecs_to_jiffies(timeout_ms); ++ timeout = jiffies + msecs_to_jiffies(timeout_ms) + 1; + do { + if (send_status) { + err = __mmc_send_status(card, &status, ignore_crc); +-- +2.19.1 + diff --git a/queue-4.4/net-diag-support-v4mapped-sockets-in-inet_diag_find_.patch b/queue-4.4/net-diag-support-v4mapped-sockets-in-inet_diag_find_.patch new file mode 100644 index 00000000000..5e04e0aac32 --- /dev/null +++ b/queue-4.4/net-diag-support-v4mapped-sockets-in-inet_diag_find_.patch @@ -0,0 +1,54 @@ +From 62404a8df58886fea913e94fd0a1751d0ccdf70f Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 20 Jan 2016 16:25:01 -0800 +Subject: net: diag: support v4mapped sockets in inet_diag_find_one_icsk() + +[ Upstream commit 7c1306723ee916ea9f1fa7d9e4c7a6d029ca7aaf ] + +Lorenzo reported that we could not properly find v4mapped sockets +in inet_diag_find_one_icsk(). This patch fixes the issue. + +Reported-by: Lorenzo Colitti +Signed-off-by: Eric Dumazet +Acked-by: Lorenzo Colitti +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_diag.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c +index ab9f8a66615d..386443e780da 100644 +--- a/net/ipv4/inet_diag.c ++++ b/net/ipv4/inet_diag.c +@@ -366,13 +366,20 @@ int inet_diag_dump_one_icsk(struct inet_hashinfo *hashinfo, + req->id.idiag_dport, req->id.idiag_src[0], + req->id.idiag_sport, req->id.idiag_if); + #if IS_ENABLED(CONFIG_IPV6) +- else if (req->sdiag_family == AF_INET6) +- sk = inet6_lookup(net, hashinfo, +- (struct in6_addr *)req->id.idiag_dst, +- req->id.idiag_dport, +- (struct in6_addr *)req->id.idiag_src, +- req->id.idiag_sport, +- req->id.idiag_if); ++ else if (req->sdiag_family == AF_INET6) { ++ if (ipv6_addr_v4mapped((struct in6_addr *)req->id.idiag_dst) && ++ ipv6_addr_v4mapped((struct in6_addr *)req->id.idiag_src)) ++ sk = inet_lookup(net, hashinfo, req->id.idiag_dst[3], ++ req->id.idiag_dport, req->id.idiag_src[3], ++ req->id.idiag_sport, req->id.idiag_if); ++ else ++ sk = inet6_lookup(net, hashinfo, ++ (struct in6_addr *)req->id.idiag_dst, ++ req->id.idiag_dport, ++ (struct in6_addr *)req->id.idiag_src, ++ req->id.idiag_sport, ++ req->id.idiag_if); ++ } + #endif + else + goto out_nosk; +-- +2.19.1 + diff --git a/queue-4.4/perf-ring_buffer-refuse-to-begin-aux-transaction-aft.patch b/queue-4.4/perf-ring_buffer-refuse-to-begin-aux-transaction-aft.patch new file mode 100644 index 00000000000..674a7ff42d0 --- /dev/null +++ b/queue-4.4/perf-ring_buffer-refuse-to-begin-aux-transaction-aft.patch @@ -0,0 +1,58 @@ +From 46f60a062260188e6366329f7655243ebcaef5df Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Fri, 4 Mar 2016 15:42:45 +0200 +Subject: perf/ring_buffer: Refuse to begin AUX transaction after + rb->aux_mmap_count drops + +[ Upstream commit dcb10a967ce82d5ad20570693091139ae716ff76 ] + +When ring buffer's AUX area is unmapped and rb->aux_mmap_count drops to +zero, new AUX transactions into this buffer can still be started, +even though the buffer in en route to deallocation. + +This patch adds a check to perf_aux_output_begin() for rb->aux_mmap_count +being zero, in which case there is no point starting new transactions, +in other words, the ring buffers that pass a certain point in +perf_mmap_close will not have their events sending new data, which +clears path for freeing those buffers' pages right there and then, +provided that no active transactions are holding the AUX reference. + +Signed-off-by: Alexander Shishkin +Signed-off-by: Peter Zijlstra (Intel) +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: vince@deater.net +Link: http://lkml.kernel.org/r/1457098969-21595-2-git-send-email-alexander.shishkin@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/events/ring_buffer.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c +index 94dc6b0763ab..7324d83d6bd8 100644 +--- a/kernel/events/ring_buffer.c ++++ b/kernel/events/ring_buffer.c +@@ -288,6 +288,13 @@ void *perf_aux_output_begin(struct perf_output_handle *handle, + if (!rb_has_aux(rb) || !atomic_inc_not_zero(&rb->aux_refcount)) + goto err; + ++ /* ++ * If rb::aux_mmap_count is zero (and rb_has_aux() above went through), ++ * the aux buffer is in perf_mmap_close(), about to get freed. ++ */ ++ if (!atomic_read(&rb->aux_mmap_count)) ++ goto err; ++ + /* + * Nesting is not supported for AUX area, make sure nested + * writers are caught early +-- +2.19.1 + diff --git a/queue-4.4/perf-synchronously-free-aux-pages-in-case-of-allocat.patch b/queue-4.4/perf-synchronously-free-aux-pages-in-case-of-allocat.patch new file mode 100644 index 00000000000..260aa439319 --- /dev/null +++ b/queue-4.4/perf-synchronously-free-aux-pages-in-case-of-allocat.patch @@ -0,0 +1,109 @@ +From 41c517657b6d380e8218d770ed5f4342e41706d2 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 19 Jan 2016 17:14:29 +0200 +Subject: perf: Synchronously free aux pages in case of allocation failure + +[ Upstream commit 45c815f06b80031659c63d7b93e580015d6024dd ] + +We are currently using asynchronous deallocation in the error path in +AUX mmap code, which is unnecessary and also presents a problem for users +that wish to probe for the biggest possible buffer size they can get: +they'll get -EINVAL on all subsequent attemts to allocate a smaller +buffer before the asynchronous deallocation callback frees up the pages +from the previous unsuccessful attempt. + +Currently, gdb does that for allocating AUX buffers for Intel PT traces. +More specifically, overwrite mode of AUX pmus that don't support hardware +sg (some implementations of Intel PT, for instance) is limited to only +one contiguous high order allocation for its buffer and there is no way +of knowing its size without trying. + +This patch changes error path freeing to be synchronous as there won't +be any contenders for the AUX pages at that point. + +Reported-by: Markus Metzger +Signed-off-by: Alexander Shishkin +Signed-off-by: Peter Zijlstra (Intel) +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: David Ahern +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: vince@deater.net +Link: http://lkml.kernel.org/r/1453216469-9509-1-git-send-email-alexander.shishkin@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/events/ring_buffer.c | 40 ++++++++++++++++++------------------- + 1 file changed, 20 insertions(+), 20 deletions(-) + +diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c +index 358bb53c1e74..94dc6b0763ab 100644 +--- a/kernel/events/ring_buffer.c ++++ b/kernel/events/ring_buffer.c +@@ -468,6 +468,25 @@ static void rb_free_aux_page(struct ring_buffer *rb, int idx) + __free_page(page); + } + ++static void __rb_free_aux(struct ring_buffer *rb) ++{ ++ int pg; ++ ++ if (rb->aux_priv) { ++ rb->free_aux(rb->aux_priv); ++ rb->free_aux = NULL; ++ rb->aux_priv = NULL; ++ } ++ ++ if (rb->aux_nr_pages) { ++ for (pg = 0; pg < rb->aux_nr_pages; pg++) ++ rb_free_aux_page(rb, pg); ++ ++ kfree(rb->aux_pages); ++ rb->aux_nr_pages = 0; ++ } ++} ++ + int rb_alloc_aux(struct ring_buffer *rb, struct perf_event *event, + pgoff_t pgoff, int nr_pages, long watermark, int flags) + { +@@ -556,30 +575,11 @@ int rb_alloc_aux(struct ring_buffer *rb, struct perf_event *event, + if (!ret) + rb->aux_pgoff = pgoff; + else +- rb_free_aux(rb); ++ __rb_free_aux(rb); + + return ret; + } + +-static void __rb_free_aux(struct ring_buffer *rb) +-{ +- int pg; +- +- if (rb->aux_priv) { +- rb->free_aux(rb->aux_priv); +- rb->free_aux = NULL; +- rb->aux_priv = NULL; +- } +- +- if (rb->aux_nr_pages) { +- for (pg = 0; pg < rb->aux_nr_pages; pg++) +- rb_free_aux_page(rb, pg); +- +- kfree(rb->aux_pages); +- rb->aux_nr_pages = 0; +- } +-} +- + void rb_free_aux(struct ring_buffer *rb) + { + if (atomic_dec_and_test(&rb->aux_refcount)) +-- +2.19.1 + diff --git a/queue-4.4/pm-hibernate-call-flush_icache_range-on-pages-restor.patch b/queue-4.4/pm-hibernate-call-flush_icache_range-on-pages-restor.patch new file mode 100644 index 00000000000..71af1d309f6 --- /dev/null +++ b/queue-4.4/pm-hibernate-call-flush_icache_range-on-pages-restor.patch @@ -0,0 +1,88 @@ +From e2d4d5e7d4087552f2c3f2430338dd6f747d9e4a Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Wed, 27 Apr 2016 17:47:11 +0100 +Subject: PM / Hibernate: Call flush_icache_range() on pages restored in-place + +[ Upstream commit f6cf0545ec697ddc278b7457b7d0c0d86a2ea88e ] + +Some architectures require code written to memory as if it were data to be +'cleaned' from any data caches before the processor can fetch them as new +instructions. + +During resume from hibernate, the snapshot code copies some pages directly, +meaning these architectures do not get a chance to perform their cache +maintenance. Modify the read and decompress code to call +flush_icache_range() on all pages that are restored, so that the restored +in-place pages are guaranteed to be executable on these architectures. + +Signed-off-by: James Morse +Acked-by: Pavel Machek +Acked-by: Rafael J. Wysocki +Acked-by: Catalin Marinas +[will: make clean_pages_on_* static and remove initialisers] +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + kernel/power/swap.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/kernel/power/swap.c b/kernel/power/swap.c +index 12cd989dadf6..160e1006640d 100644 +--- a/kernel/power/swap.c ++++ b/kernel/power/swap.c +@@ -36,6 +36,14 @@ + + #define HIBERNATE_SIG "S1SUSPEND" + ++/* ++ * When reading an {un,}compressed image, we may restore pages in place, ++ * in which case some architectures need these pages cleaning before they ++ * can be executed. We don't know which pages these may be, so clean the lot. ++ */ ++static bool clean_pages_on_read; ++static bool clean_pages_on_decompress; ++ + /* + * The swap map is a data structure used for keeping track of each page + * written to a swap partition. It consists of many swap_map_page +@@ -241,6 +249,9 @@ static void hib_end_io(struct bio *bio) + + if (bio_data_dir(bio) == WRITE) + put_page(page); ++ else if (clean_pages_on_read) ++ flush_icache_range((unsigned long)page_address(page), ++ (unsigned long)page_address(page) + PAGE_SIZE); + + if (bio->bi_error && !hb->error) + hb->error = bio->bi_error; +@@ -1049,6 +1060,7 @@ static int load_image(struct swap_map_handle *handle, + + hib_init_batch(&hb); + ++ clean_pages_on_read = true; + printk(KERN_INFO "PM: Loading image data pages (%u pages)...\n", + nr_to_read); + m = nr_to_read / 10; +@@ -1124,6 +1136,10 @@ static int lzo_decompress_threadfn(void *data) + d->unc_len = LZO_UNC_SIZE; + d->ret = lzo1x_decompress_safe(d->cmp + LZO_HEADER, d->cmp_len, + d->unc, &d->unc_len); ++ if (clean_pages_on_decompress) ++ flush_icache_range((unsigned long)d->unc, ++ (unsigned long)d->unc + d->unc_len); ++ + atomic_set(&d->stop, 1); + wake_up(&d->done); + } +@@ -1189,6 +1205,8 @@ static int load_image_lzo(struct swap_map_handle *handle, + } + memset(crc, 0, offsetof(struct crc_data, go)); + ++ clean_pages_on_decompress = true; ++ + /* + * Start the decompression threads. + */ +-- +2.19.1 + diff --git a/queue-4.4/revert-mmc-block-don-t-use-parameter-prefix-if-built.patch b/queue-4.4/revert-mmc-block-don-t-use-parameter-prefix-if-built.patch new file mode 100644 index 00000000000..6c25b95ac04 --- /dev/null +++ b/queue-4.4/revert-mmc-block-don-t-use-parameter-prefix-if-built.patch @@ -0,0 +1,45 @@ +From a5b734deb77c8d001b93a7526f068b38f53cb290 Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Thu, 11 Feb 2016 16:42:58 +0100 +Subject: Revert "mmc: block: don't use parameter prefix if built as module" + +[ Upstream commit a5ebb87db84392edfd3142c3a6a78431d820a789 ] + +This reverts commit 829b6962f7e3cfc06f7c5c26269fd47ad48cf503. + +Revert this change as it causes a sysfs path to change and therefore +introduces and ABI regression. More precisely Android's vold is not being +able to access /sys/module/mmcblk/parameters/perdev_minors any more, since +the path becomes changed to: "/sys/module/mmc_block/..." + +Fixes: 829b6962f7e3 ("mmc: block: don't use parameter prefix if built as +module") +Reported-by: John Stultz +Cc: Andy Shevchenko +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/card/block.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c +index c15b879c3070..f600bdcaf5b4 100644 +--- a/drivers/mmc/card/block.c ++++ b/drivers/mmc/card/block.c +@@ -47,13 +47,10 @@ + #include "queue.h" + + MODULE_ALIAS("mmc:block"); +- +-#ifdef KERNEL + #ifdef MODULE_PARAM_PREFIX + #undef MODULE_PARAM_PREFIX + #endif + #define MODULE_PARAM_PREFIX "mmcblk." +-#endif + + #define INAND_CMD38_ARG_EXT_CSD 113 + #define INAND_CMD38_ARG_ERASE 0x00 +-- +2.19.1 + diff --git a/queue-4.4/sched-fair-fix-new-task-s-load-avg-removed-from-sour.patch b/queue-4.4/sched-fair-fix-new-task-s-load-avg-removed-from-sour.patch new file mode 100644 index 00000000000..dd639c1644e --- /dev/null +++ b/queue-4.4/sched-fair-fix-new-task-s-load-avg-removed-from-sour.patch @@ -0,0 +1,101 @@ +From 43ce7d3e79e8d11c3be7c1f925371e7a596df5f6 Mon Sep 17 00:00:00 2001 +From: Yuyang Du +Date: Thu, 17 Dec 2015 07:34:27 +0800 +Subject: sched/fair: Fix new task's load avg removed from source CPU in + wake_up_new_task() + +[ Upstream commit 0905f04eb21fc1c2e690bed5d0418a061d56c225 ] + +If a newly created task is selected to go to a different CPU in fork +balance when it wakes up the first time, its load averages should +not be removed from the source CPU since they are never added to +it before. The same is also applicable to a never used group entity. + +Fix it in remove_entity_load_avg(): when entity's last_update_time +is 0, simply return. This should precisely identify the case in +question, because in other migrations, the last_update_time is set +to 0 after remove_entity_load_avg(). + +Reported-by: Steve Muckle +Signed-off-by: Yuyang Du +[peterz: cfs_rq_last_update_time] +Signed-off-by: Peter Zijlstra (Intel) +Cc: Dietmar Eggemann +Cc: Juri Lelli +Cc: Linus Torvalds +Cc: Mike Galbraith +Cc: Morten Rasmussen +Cc: Patrick Bellasi +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Vincent Guittot +Link: http://lkml.kernel.org/r/20151216233427.GJ28098@intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 38 ++++++++++++++++++++++++++++---------- + 1 file changed, 28 insertions(+), 10 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index c2af250547bb..6051007918ad 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -2841,27 +2841,45 @@ dequeue_entity_load_avg(struct cfs_rq *cfs_rq, struct sched_entity *se) + max_t(s64, cfs_rq->runnable_load_sum - se->avg.load_sum, 0); + } + +-/* +- * Task first catches up with cfs_rq, and then subtract +- * itself from the cfs_rq (task must be off the queue now). +- */ +-void remove_entity_load_avg(struct sched_entity *se) +-{ +- struct cfs_rq *cfs_rq = cfs_rq_of(se); +- u64 last_update_time; +- + #ifndef CONFIG_64BIT ++static inline u64 cfs_rq_last_update_time(struct cfs_rq *cfs_rq) ++{ + u64 last_update_time_copy; ++ u64 last_update_time; + + do { + last_update_time_copy = cfs_rq->load_last_update_time_copy; + smp_rmb(); + last_update_time = cfs_rq->avg.last_update_time; + } while (last_update_time != last_update_time_copy); ++ ++ return last_update_time; ++} + #else +- last_update_time = cfs_rq->avg.last_update_time; ++static inline u64 cfs_rq_last_update_time(struct cfs_rq *cfs_rq) ++{ ++ return cfs_rq->avg.last_update_time; ++} + #endif + ++/* ++ * Task first catches up with cfs_rq, and then subtract ++ * itself from the cfs_rq (task must be off the queue now). ++ */ ++void remove_entity_load_avg(struct sched_entity *se) ++{ ++ struct cfs_rq *cfs_rq = cfs_rq_of(se); ++ u64 last_update_time; ++ ++ /* ++ * Newly created task or never used group entity should not be removed ++ * from its (source) cfs_rq ++ */ ++ if (se->avg.last_update_time == 0) ++ return; ++ ++ last_update_time = cfs_rq_last_update_time(cfs_rq); ++ + __update_load_avg(last_update_time, cpu_of(rq_of(cfs_rq)), &se->avg, 0, 0, NULL); + atomic_long_add(se->avg.load_avg, &cfs_rq->removed_load_avg); + atomic_long_add(se->avg.util_avg, &cfs_rq->removed_util_avg); +-- +2.19.1 + diff --git a/queue-4.4/series b/queue-4.4/series index 65ef14e97f9..dd8831e25aa 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -37,3 +37,53 @@ rtc-fix-overflow-when-converting-time64_t-to-rtc_time.patch ath10k-avoid-possible-string-overflow.patch bluetooth-check-l2cap-option-sizes-returned-from-l2cap_get_conf_opt.patch bluetooth-verify-that-l2cap_get_conf_opt-provides-large-enough-buffer.patch +sched-fair-fix-new-task-s-load-avg-removed-from-sour.patch +mmc-block-allow-more-than-8-partitions-per-card.patch +arm64-fix-compat_shmlba-definition-for-large-pages.patch +efi-stub-define-disable_branch_profiling-for-all-arc.patch +arm-8458-1-bl_switcher-add-gic-dependency.patch +arm-8494-1-mm-enable-pxn-when-running-non-lpae-kerne.patch +android-unconditionally-remove-callbacks-in-sync_fen.patch +vmstat-make-vmstat_updater-deferrable-again-and-shut.patch +hid-sensor-hub.c-fix-wrong-do_div-usage.patch +arm64-hide-__efistub_-aliases-from-kallsyms.patch +perf-synchronously-free-aux-pages-in-case-of-allocat.patch +net-diag-support-v4mapped-sockets-in-inet_diag_find_.patch +revert-mmc-block-don-t-use-parameter-prefix-if-built.patch +writeback-initialize-inode-members-that-track-writeb.patch +coresight-fixing-lockdep-error.patch +coresight-coresight_unregister-function-cleanup.patch +coresight-release-reference-taken-by-bus_find_device.patch +coresight-remove-csdev-s-link-from-topology.patch +stm-class-fix-locking-in-unbinding-policy-path.patch +stm-class-fix-link-list-locking.patch +stm-class-prevent-user-controllable-allocations.patch +stm-class-support-devices-with-multiple-instances.patch +stm-class-fix-unlocking-braino-in-the-error-path.patch +stm-class-guard-output-assignment-against-concurrenc.patch +stm-class-fix-unbalanced-module-device-refcounting.patch +stm-class-fix-a-race-in-unlinking.patch +coresight-device_attr_ro-should-defined-as-static.patch +coresight-etm4x-check-every-parameter-used-by-dma_xx.patch +asm-generic-fix-local-variable-shadow-in-__set_fixma.patch +staging-ashmem-avoid-deadlock-with-mmap-shrink.patch +staging-ashmem-add-missing-include.patch +staging-ion-set-minimum-carveout-heap-allocation-ord.patch +staging-goldfish-audio-fix-compiliation-on-arm.patch +arm-8510-1-rework-arm_cpu_suspend-dependencies.patch +arm64-kernel-fix-incorrect-el0-check-in-inv_entry-ma.patch +mac80211-fix-warning-target_metric-may-be-used-unini.patch +perf-ring_buffer-refuse-to-begin-aux-transaction-aft.patch +arm64-kernel-include-_ac-definition-in-page.h.patch +pm-hibernate-call-flush_icache_range-on-pages-restor.patch +stm-class-do-not-leak-the-chrdev-in-error-path.patch +stm-class-fix-stm-device-initialization-order.patch +ipv6-fix-endianness-error-in-icmpv6_err.patch +usb-gadget-configfs-add-mutex-lock-before-unregister.patch +usb-gadget-rndis-free-response-queue-during-remote_n.patch +cpu-hotplug-handle-unbalanced-hotplug-enable-disable.patch +video-fbdev-set-pixclock-0-in-goldfishfb.patch +arm64-kconfig-drop-config_rtc_lib-dependency.patch +mmc-mmc-fix-switch-timeout-issue-caused-by-jiffies-p.patch +cfg80211-size-various-nl80211-messages-correctly.patch +stmmac-copy-unicast-mac-address-to-mac-registers.patch diff --git a/queue-4.4/staging-ashmem-add-missing-include.patch b/queue-4.4/staging-ashmem-add-missing-include.patch new file mode 100644 index 00000000000..a1472952031 --- /dev/null +++ b/queue-4.4/staging-ashmem-add-missing-include.patch @@ -0,0 +1,36 @@ +From 4c73e39d9e2a69af7fa6dd3fcc7a3ddc4991ca24 Mon Sep 17 00:00:00 2001 +From: Rom Lemarchand +Date: Fri, 29 Jan 2016 22:07:31 -0800 +Subject: staging: ashmem: Add missing include + +[ Upstream commit 90a2f171383b5ae43b33ab4d9d566b9765622ac7 ] + +Include into ashmem.h to ensure referenced types +are defined + +Cc: Android Kernel Team +Cc: Greg KH +Signed-off-by: Rom Lemarchand +[jstultz: Minor commit message tweaks] +Signed-off-by: John Stultz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/android/uapi/ashmem.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/android/uapi/ashmem.h b/drivers/staging/android/uapi/ashmem.h +index ba4743c71d6b..13df42d200b7 100644 +--- a/drivers/staging/android/uapi/ashmem.h ++++ b/drivers/staging/android/uapi/ashmem.h +@@ -13,6 +13,7 @@ + #define _UAPI_LINUX_ASHMEM_H + + #include ++#include + + #define ASHMEM_NAME_LEN 256 + +-- +2.19.1 + diff --git a/queue-4.4/staging-ashmem-avoid-deadlock-with-mmap-shrink.patch b/queue-4.4/staging-ashmem-avoid-deadlock-with-mmap-shrink.patch new file mode 100644 index 00000000000..bc220a71ef3 --- /dev/null +++ b/queue-4.4/staging-ashmem-avoid-deadlock-with-mmap-shrink.patch @@ -0,0 +1,76 @@ +From 8ac6256d2d24ca82af05601971eb7d22ebcd14ef Mon Sep 17 00:00:00 2001 +From: Laura Abbott +Date: Fri, 29 Jan 2016 22:07:30 -0800 +Subject: staging: ashmem: Avoid deadlock with mmap/shrink + +[ Upstream commit 18e77054de741ef3ed2a2489bc9bf82a318b2d5e ] + +Both ashmem_mmap and ashmem_shrink take the ashmem_lock. It may +be possible for ashmem_mmap to invoke ashmem_shrink: + +-000|mutex_lock(lock = 0x0) +-001|ashmem_shrink(?, sc = 0x0) <--- try to take ashmem_mutex again +-002|shrink_slab(shrink = 0xDA5F1CC0, nr_pages_scanned = 0, lru_pages +-002|= +-002|124) +-003|try_to_free_pages(zonelist = 0x0, ?, ?, ?) +-004|__alloc_pages_nodemask(gfp_mask = 21200, order = 1, zonelist = +-004|0xC11D0940, +-005|new_slab(s = 0xE4841E80, ?, node = -1) +-006|__slab_alloc.isra.43.constprop.50(s = 0xE4841E80, gfpflags = +-006|2148925462, ad +-007|kmem_cache_alloc(s = 0xE4841E80, gfpflags = 208) +-008|shmem_alloc_inode(?) +-009|alloc_inode(sb = 0xE480E800) +-010|new_inode_pseudo(?) +-011|new_inode(?) +-012|shmem_get_inode(sb = 0xE480E800, dir = 0x0, ?, dev = 0, flags = +-012|187) +-013|shmem_file_setup(?, ?, flags = 187) +-014|ashmem_mmap(?, vma = 0xC5D64210) <---- Acquire ashmem_mutex +-015|mmap_region(file = 0xDF8E2C00, addr = 1772974080, len = 233472, +-015|flags = 57, +-016|sys_mmap_pgoff(addr = 0, len = 230400, prot = 3, flags = 1, fd = +-016|157, pgoff +-017|ret_fast_syscall(asm) +-->|exception +-018|NUR:0x40097508(asm) +---|end of frame + +Avoid this deadlock by using mutex_trylock in ashmem_shrink; if the mutex +is already held, do not attempt to shrink. + +Cc: Greg KH +Cc: Android Kernel Team +Reported-by: Matt Wagantall +Reported-by: Syed Rameez Mustafa +Reported-by: Osvaldo Banuelos +Reported-by: Subbaraman Narayanamurthy +Signed-off-by: Laura Abbott +[jstultz: Minor commit message tweaks] +Signed-off-by: John Stultz +Signed-off-by: Greg Kroah-Hartman + +Signed-off-by: Sasha Levin +--- + drivers/staging/android/ashmem.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c +index e9c74c41aece..b4c425383f99 100644 +--- a/drivers/staging/android/ashmem.c ++++ b/drivers/staging/android/ashmem.c +@@ -447,7 +447,9 @@ ashmem_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) + if (!(sc->gfp_mask & __GFP_FS)) + return SHRINK_STOP; + +- mutex_lock(&ashmem_mutex); ++ if (!mutex_trylock(&ashmem_mutex)) ++ return -1; ++ + list_for_each_entry_safe(range, next, &ashmem_lru_list, lru) { + loff_t start = range->pgstart * PAGE_SIZE; + loff_t end = (range->pgend + 1) * PAGE_SIZE; +-- +2.19.1 + diff --git a/queue-4.4/staging-goldfish-audio-fix-compiliation-on-arm.patch b/queue-4.4/staging-goldfish-audio-fix-compiliation-on-arm.patch new file mode 100644 index 00000000000..516a0455198 --- /dev/null +++ b/queue-4.4/staging-goldfish-audio-fix-compiliation-on-arm.patch @@ -0,0 +1,34 @@ +From 6336fe288d390ac998f03460b06dd296cb8d0677 Mon Sep 17 00:00:00 2001 +From: Greg Hackmann +Date: Fri, 26 Feb 2016 19:00:18 +0000 +Subject: staging: goldfish: audio: fix compiliation on arm + +[ Upstream commit 4532150762ceb0d6fd765ebcb3ba6966fbb8faab ] + +We do actually need slab.h, by luck we get it on other platforms but not +always on ARM. Include it properly. + +Signed-off-by: Greg Hackmann +Signed-off-by: Jin Qian +Signed-off-by: Alan +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/goldfish/goldfish_audio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/goldfish/goldfish_audio.c b/drivers/staging/goldfish/goldfish_audio.c +index b0927e49d0a8..6ca288bf4059 100644 +--- a/drivers/staging/goldfish/goldfish_audio.c ++++ b/drivers/staging/goldfish/goldfish_audio.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + + MODULE_AUTHOR("Google, Inc."); +-- +2.19.1 + diff --git a/queue-4.4/staging-ion-set-minimum-carveout-heap-allocation-ord.patch b/queue-4.4/staging-ion-set-minimum-carveout-heap-allocation-ord.patch new file mode 100644 index 00000000000..0fc86cf904f --- /dev/null +++ b/queue-4.4/staging-ion-set-minimum-carveout-heap-allocation-ord.patch @@ -0,0 +1,45 @@ +From 862fc19b7663718ff190cc37cab0dfecff106cc4 Mon Sep 17 00:00:00 2001 +From: Rajmal Menariya +Date: Fri, 29 Jan 2016 22:07:35 -0800 +Subject: staging: ion: Set minimum carveout heap allocation order to + PAGE_SHIFT + +[ Upstream commit 1328d8efef17d5e16bd6e9cfe59130a833674534 ] + +In carveout heap, change minimum allocation order from 12 to +PAGE_SHIFT. After this change each bit in bitmap (genalloc - +General purpose special memory pool) represents one page size +memory. + +Cc: sprd-ind-kernel-group@googlegroups.com +Cc: sanjeev.yadav@spreadtrum.com +Cc: Colin Cross +Cc: Android Kernel Team +Cc: Greg KH +Cc: Sumit Semwal +Signed-off-by: Rajmal Menariya +[jstultz: Reworked commit message] +Signed-off-by: John Stultz +Acked-by: Laura Abbott +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/android/ion/ion_carveout_heap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/android/ion/ion_carveout_heap.c b/drivers/staging/android/ion/ion_carveout_heap.c +index 9156d8238c97..e702ce6461fc 100644 +--- a/drivers/staging/android/ion/ion_carveout_heap.c ++++ b/drivers/staging/android/ion/ion_carveout_heap.c +@@ -167,7 +167,7 @@ struct ion_heap *ion_carveout_heap_create(struct ion_platform_heap *heap_data) + if (!carveout_heap) + return ERR_PTR(-ENOMEM); + +- carveout_heap->pool = gen_pool_create(12, -1); ++ carveout_heap->pool = gen_pool_create(PAGE_SHIFT, -1); + if (!carveout_heap->pool) { + kfree(carveout_heap); + return ERR_PTR(-ENOMEM); +-- +2.19.1 + diff --git a/queue-4.4/stm-class-do-not-leak-the-chrdev-in-error-path.patch b/queue-4.4/stm-class-do-not-leak-the-chrdev-in-error-path.patch new file mode 100644 index 00000000000..0e47763c0ab --- /dev/null +++ b/queue-4.4/stm-class-do-not-leak-the-chrdev-in-error-path.patch @@ -0,0 +1,34 @@ +From f200741ac27f79e3164949e562976558e70407a3 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Fri, 4 Mar 2016 16:36:10 +0200 +Subject: stm class: Do not leak the chrdev in error path + +[ Upstream commit cbe4a61d1ddc4790d950ca8c33ef79ee68ef5e2b ] + +Currently, the error path of stm_register_device() forgets to unregister +the chrdev. Fix this. + +Reported-by: Alan Cox +Signed-off-by: Alexander Shishkin +Reviewed-by: Laurent Fert +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/stm/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c +index 03b34dcff7f2..0c7f0bae001a 100644 +--- a/drivers/hwtracing/stm/core.c ++++ b/drivers/hwtracing/stm/core.c +@@ -686,6 +686,8 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data, + return 0; + + err_device: ++ unregister_chrdev(stm->major, stm_data->name); ++ + /* matches device_initialize() above */ + put_device(&stm->dev); + err_free: +-- +2.19.1 + diff --git a/queue-4.4/stm-class-fix-a-race-in-unlinking.patch b/queue-4.4/stm-class-fix-a-race-in-unlinking.patch new file mode 100644 index 00000000000..ff659c7aa92 --- /dev/null +++ b/queue-4.4/stm-class-fix-a-race-in-unlinking.patch @@ -0,0 +1,140 @@ +From 579733ac3cd5b8c95931c59957d920833b66a6f1 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Mon, 15 Feb 2016 19:12:08 +0200 +Subject: stm class: Fix a race in unlinking + +[ Upstream commit b4ca34aaf78ed0cdfc15956d377064104257a437 ] + +There is a window in stm_source_link_drop(), during which the source's +link may change before locks are acquired. When this happens, it throws +a warning, since this is not an expected scenario. + +This patch handles the race in such a way that if the link appears to +have changed by the time we took the locks, it will release them and +repeat the whole unlinking procedure from the beginning, unless the +other contender beat us to it. + +Signed-off-by: Alexander Shishkin +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/stm/core.c | 54 ++++++++++++++++++++++++++++-------- + 1 file changed, 42 insertions(+), 12 deletions(-) + +diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c +index cdc692d6cedd..03b34dcff7f2 100644 +--- a/drivers/hwtracing/stm/core.c ++++ b/drivers/hwtracing/stm/core.c +@@ -695,18 +695,26 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data, + } + EXPORT_SYMBOL_GPL(stm_register_device); + +-static void __stm_source_link_drop(struct stm_source_device *src, +- struct stm_device *stm); ++static int __stm_source_link_drop(struct stm_source_device *src, ++ struct stm_device *stm); + + void stm_unregister_device(struct stm_data *stm_data) + { + struct stm_device *stm = stm_data->stm; + struct stm_source_device *src, *iter; +- int i; ++ int i, ret; + + mutex_lock(&stm->link_mutex); + list_for_each_entry_safe(src, iter, &stm->link_list, link_entry) { +- __stm_source_link_drop(src, stm); ++ ret = __stm_source_link_drop(src, stm); ++ /* ++ * src <-> stm link must not change under the same ++ * stm::link_mutex, so complain loudly if it has; ++ * also in this situation ret!=0 means this src is ++ * not connected to this stm and it should be otherwise ++ * safe to proceed with the tear-down of stm. ++ */ ++ WARN_ON_ONCE(ret); + } + mutex_unlock(&stm->link_mutex); + +@@ -825,22 +833,28 @@ static int stm_source_link_add(struct stm_source_device *src, + * + * Caller must hold stm::link_mutex. + */ +-static void __stm_source_link_drop(struct stm_source_device *src, +- struct stm_device *stm) ++static int __stm_source_link_drop(struct stm_source_device *src, ++ struct stm_device *stm) + { + struct stm_device *link; ++ int ret = 0; + + lockdep_assert_held(&stm->link_mutex); + +- if (src->data->unlink) +- src->data->unlink(src->data); +- + /* for stm::link_list modification, we hold both mutex and spinlock */ + spin_lock(&stm->link_lock); + spin_lock(&src->link_lock); + link = srcu_dereference_check(src->link, &stm_source_srcu, 1); +- if (WARN_ON_ONCE(link != stm)) ++ ++ /* ++ * The linked device may have changed since we last looked, because ++ * we weren't holding the src::link_lock back then; if this is the ++ * case, tell the caller to retry. ++ */ ++ if (link != stm) { ++ ret = -EAGAIN; + goto unlock; ++ } + + stm_output_free(link, &src->output); + list_del_init(&src->link_entry); +@@ -851,6 +865,11 @@ static void __stm_source_link_drop(struct stm_source_device *src, + unlock: + spin_unlock(&src->link_lock); + spin_unlock(&stm->link_lock); ++ ++ if (!ret && src->data->unlink) ++ src->data->unlink(src->data); ++ ++ return ret; + } + + /** +@@ -866,18 +885,29 @@ static void __stm_source_link_drop(struct stm_source_device *src, + static void stm_source_link_drop(struct stm_source_device *src) + { + struct stm_device *stm; +- int idx; ++ int idx, ret; + ++retry: + idx = srcu_read_lock(&stm_source_srcu); ++ /* ++ * The stm device will be valid for the duration of this ++ * read section, but the link may change before we grab ++ * the src::link_lock in __stm_source_link_drop(). ++ */ + stm = srcu_dereference(src->link, &stm_source_srcu); + ++ ret = 0; + if (stm) { + mutex_lock(&stm->link_mutex); +- __stm_source_link_drop(src, stm); ++ ret = __stm_source_link_drop(src, stm); + mutex_unlock(&stm->link_mutex); + } + + srcu_read_unlock(&stm_source_srcu, idx); ++ ++ /* if it did change, retry */ ++ if (ret == -EAGAIN) ++ goto retry; + } + + static ssize_t stm_source_link_show(struct device *dev, +-- +2.19.1 + diff --git a/queue-4.4/stm-class-fix-link-list-locking.patch b/queue-4.4/stm-class-fix-link-list-locking.patch new file mode 100644 index 00000000000..a56c8e129e1 --- /dev/null +++ b/queue-4.4/stm-class-fix-link-list-locking.patch @@ -0,0 +1,168 @@ +From 503f811643c4d333e13e11866428dd9dc7cd92d2 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 22 Dec 2015 17:25:19 +0200 +Subject: stm class: Fix link list locking + +[ Upstream commit c74f7e8281add80bdfa0ad2998b8df287b13df73 ] + +Currently, the list of stm_sources linked to an stm device is protected by +a spinlock, which also means that sources' .unlink() method is called under +this spinlock. However, this method may (and does) sleep, which means +trouble. + +This patch slightly reworks locking around stm::link_list so that bits that +might_sleep() are called with a mutex held instead. Modification of this +list requires both mutex and spinlock to be held, while looking at the list +can be done under either mutex or spinlock. + +Signed-off-by: Alexander Shishkin +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/stm/core.c | 38 +++++++++++++++++++++++++++--------- + drivers/hwtracing/stm/stm.h | 1 + + 2 files changed, 30 insertions(+), 9 deletions(-) + +diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c +index 92ab51aa8a74..f286de2e86af 100644 +--- a/drivers/hwtracing/stm/core.c ++++ b/drivers/hwtracing/stm/core.c +@@ -647,6 +647,7 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data, + if (err) + goto err_device; + ++ mutex_init(&stm->link_mutex); + spin_lock_init(&stm->link_lock); + INIT_LIST_HEAD(&stm->link_list); + +@@ -677,11 +678,11 @@ void stm_unregister_device(struct stm_data *stm_data) + struct stm_source_device *src, *iter; + int i; + +- spin_lock(&stm->link_lock); ++ mutex_lock(&stm->link_mutex); + list_for_each_entry_safe(src, iter, &stm->link_list, link_entry) { + __stm_source_link_drop(src, stm); + } +- spin_unlock(&stm->link_lock); ++ mutex_unlock(&stm->link_mutex); + + synchronize_srcu(&stm_source_srcu); + +@@ -700,6 +701,17 @@ void stm_unregister_device(struct stm_data *stm_data) + } + EXPORT_SYMBOL_GPL(stm_unregister_device); + ++/* ++ * stm::link_list access serialization uses a spinlock and a mutex; holding ++ * either of them guarantees that the list is stable; modification requires ++ * holding both of them. ++ * ++ * Lock ordering is as follows: ++ * stm::link_mutex ++ * stm::link_lock ++ * src::link_lock ++ */ ++ + /** + * stm_source_link_add() - connect an stm_source device to an stm device + * @src: stm_source device +@@ -716,6 +728,7 @@ static int stm_source_link_add(struct stm_source_device *src, + char *id; + int err; + ++ mutex_lock(&stm->link_mutex); + spin_lock(&stm->link_lock); + spin_lock(&src->link_lock); + +@@ -725,6 +738,7 @@ static int stm_source_link_add(struct stm_source_device *src, + + spin_unlock(&src->link_lock); + spin_unlock(&stm->link_lock); ++ mutex_unlock(&stm->link_mutex); + + id = kstrdup(src->data->name, GFP_KERNEL); + if (id) { +@@ -762,6 +776,7 @@ static int stm_source_link_add(struct stm_source_device *src, + stm_put_device(stm); + + fail_detach: ++ mutex_lock(&stm->link_mutex); + spin_lock(&stm->link_lock); + spin_lock(&src->link_lock); + +@@ -770,6 +785,7 @@ static int stm_source_link_add(struct stm_source_device *src, + + spin_unlock(&src->link_lock); + spin_unlock(&stm->link_lock); ++ mutex_unlock(&stm->link_mutex); + + return err; + } +@@ -782,13 +798,20 @@ static int stm_source_link_add(struct stm_source_device *src, + * If @stm is @src::link, disconnect them from one another and put the + * reference on the @stm device. + * +- * Caller must hold stm::link_lock. ++ * Caller must hold stm::link_mutex. + */ + static void __stm_source_link_drop(struct stm_source_device *src, + struct stm_device *stm) + { + struct stm_device *link; + ++ lockdep_assert_held(&stm->link_mutex); ++ ++ if (src->data->unlink) ++ src->data->unlink(src->data); ++ ++ /* for stm::link_list modification, we hold both mutex and spinlock */ ++ spin_lock(&stm->link_lock); + spin_lock(&src->link_lock); + link = srcu_dereference_check(src->link, &stm_source_srcu, 1); + if (WARN_ON_ONCE(link != stm)) { +@@ -797,13 +820,13 @@ static void __stm_source_link_drop(struct stm_source_device *src, + } + + stm_output_free(link, &src->output); +- /* caller must hold stm::link_lock */ + list_del_init(&src->link_entry); + /* matches stm_find_device() from stm_source_link_store() */ + stm_put_device(link); + rcu_assign_pointer(src->link, NULL); + + spin_unlock(&src->link_lock); ++ spin_unlock(&stm->link_lock); + } + + /** +@@ -825,12 +848,9 @@ static void stm_source_link_drop(struct stm_source_device *src) + stm = srcu_dereference(src->link, &stm_source_srcu); + + if (stm) { +- if (src->data->unlink) +- src->data->unlink(src->data); +- +- spin_lock(&stm->link_lock); ++ mutex_lock(&stm->link_mutex); + __stm_source_link_drop(src, stm); +- spin_unlock(&stm->link_lock); ++ mutex_unlock(&stm->link_mutex); + } + + srcu_read_unlock(&stm_source_srcu, idx); +diff --git a/drivers/hwtracing/stm/stm.h b/drivers/hwtracing/stm/stm.h +index 95ece0292c99..97ee02241440 100644 +--- a/drivers/hwtracing/stm/stm.h ++++ b/drivers/hwtracing/stm/stm.h +@@ -45,6 +45,7 @@ struct stm_device { + int major; + unsigned int sw_nmasters; + struct stm_data *data; ++ struct mutex link_mutex; + spinlock_t link_lock; + struct list_head link_list; + /* master allocation */ +-- +2.19.1 + diff --git a/queue-4.4/stm-class-fix-locking-in-unbinding-policy-path.patch b/queue-4.4/stm-class-fix-locking-in-unbinding-policy-path.patch new file mode 100644 index 00000000000..560aa0eaa62 --- /dev/null +++ b/queue-4.4/stm-class-fix-locking-in-unbinding-policy-path.patch @@ -0,0 +1,68 @@ +From 574faba4fb0d1b443a241e4381695e5cc3ae9da6 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 22 Dec 2015 17:25:18 +0200 +Subject: stm class: Fix locking in unbinding policy path + +[ Upstream commit 4c127fd16e6b33ecb7badc091480c84ea9aebeb6 ] + +Right now, if stm device removal has to unbind from a policy (that is, +an stm device that has STP policy, gets removed), it will trigger a +nested lock on the stm device's policy mutex. + +This patch fixes the problem by moving the locking from the policy +unbinding to policy removal (configfs path), where it's actually needed; +the other caller of the policy unbinding function already takes the +mutex around the call. + +Signed-off-by: Alexander Shishkin +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/stm/policy.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/drivers/hwtracing/stm/policy.c b/drivers/hwtracing/stm/policy.c +index 11ab6d01adf6..94d3abfb737a 100644 +--- a/drivers/hwtracing/stm/policy.c ++++ b/drivers/hwtracing/stm/policy.c +@@ -272,13 +272,17 @@ void stp_policy_unbind(struct stp_policy *policy) + { + struct stm_device *stm = policy->stm; + ++ /* ++ * stp_policy_release() will not call here if the policy is already ++ * unbound; other users should not either, as no link exists between ++ * this policy and anything else in that case ++ */ + if (WARN_ON_ONCE(!policy->stm)) + return; + +- mutex_lock(&stm->policy_mutex); +- stm->policy = NULL; +- mutex_unlock(&stm->policy_mutex); ++ lockdep_assert_held(&stm->policy_mutex); + ++ stm->policy = NULL; + policy->stm = NULL; + + stm_put_device(stm); +@@ -287,8 +291,16 @@ void stp_policy_unbind(struct stp_policy *policy) + static void stp_policy_release(struct config_item *item) + { + struct stp_policy *policy = to_stp_policy(item); ++ struct stm_device *stm = policy->stm; + ++ /* a policy *can* be unbound and still exist in configfs tree */ ++ if (!stm) ++ return; ++ ++ mutex_lock(&stm->policy_mutex); + stp_policy_unbind(policy); ++ mutex_unlock(&stm->policy_mutex); ++ + kfree(policy); + } + +-- +2.19.1 + diff --git a/queue-4.4/stm-class-fix-stm-device-initialization-order.patch b/queue-4.4/stm-class-fix-stm-device-initialization-order.patch new file mode 100644 index 00000000000..4db4971f96a --- /dev/null +++ b/queue-4.4/stm-class-fix-stm-device-initialization-order.patch @@ -0,0 +1,64 @@ +From 3e3511dab21ad155c06d9f5dafa89747771ae693 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Fri, 4 Mar 2016 16:48:14 +0200 +Subject: stm class: Fix stm device initialization order + +[ Upstream commit 389b6699a2aa0b457aa69986e9ddf39f3b4030fd ] + +Currently, stm_register_device() makes the device visible and then +proceeds to initializing spinlocks and other properties, which leaves +a window when the device can already be opened but is not yet fully +operational. + +Fix this by reversing the initialization order. + +Reported-by: Alan Cox +Signed-off-by: Alexander Shishkin +Reviewed-by: Laurent Fert +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/stm/core.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c +index 0c7f0bae001a..b6cc841de79d 100644 +--- a/drivers/hwtracing/stm/core.c ++++ b/drivers/hwtracing/stm/core.c +@@ -664,18 +664,11 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data, + stm->dev.parent = parent; + stm->dev.release = stm_device_release; + +- err = kobject_set_name(&stm->dev.kobj, "%s", stm_data->name); +- if (err) +- goto err_device; +- +- err = device_add(&stm->dev); +- if (err) +- goto err_device; +- + mutex_init(&stm->link_mutex); + spin_lock_init(&stm->link_lock); + INIT_LIST_HEAD(&stm->link_list); + ++ /* initialize the object before it is accessible via sysfs */ + spin_lock_init(&stm->mc_lock); + mutex_init(&stm->policy_mutex); + stm->sw_nmasters = nmasters; +@@ -683,6 +676,14 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data, + stm->data = stm_data; + stm_data->stm = stm; + ++ err = kobject_set_name(&stm->dev.kobj, "%s", stm_data->name); ++ if (err) ++ goto err_device; ++ ++ err = device_add(&stm->dev); ++ if (err) ++ goto err_device; ++ + return 0; + + err_device: +-- +2.19.1 + diff --git a/queue-4.4/stm-class-fix-unbalanced-module-device-refcounting.patch b/queue-4.4/stm-class-fix-unbalanced-module-device-refcounting.patch new file mode 100644 index 00000000000..b0fc4b188eb --- /dev/null +++ b/queue-4.4/stm-class-fix-unbalanced-module-device-refcounting.patch @@ -0,0 +1,108 @@ +From beb1788daaa21b442a9b0f76ba24255dac487c8c Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Mon, 15 Feb 2016 19:12:07 +0200 +Subject: stm class: Fix unbalanced module/device refcounting + +[ Upstream commit f7c81c7176c72c7899390754b4b038a64b296e4d ] + +STM code takes references to the stm device and its module for the +duration of the character device's existence or the stm_source link. +Dropping these references is not well balanced everywhere, which may +lead to leaks. + +This patch balances the acquisition and releasing of these two +references and annotates each site so that it's easier to verify +correctness by reading the code. + +Signed-off-by: Alexander Shishkin +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/stm/core.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c +index f8e46c38b565..cdc692d6cedd 100644 +--- a/drivers/hwtracing/stm/core.c ++++ b/drivers/hwtracing/stm/core.c +@@ -114,6 +114,7 @@ struct stm_device *stm_find_device(const char *buf) + + stm = to_stm_device(dev); + if (!try_module_get(stm->owner)) { ++ /* matches class_find_device() above */ + put_device(dev); + return NULL; + } +@@ -126,7 +127,7 @@ struct stm_device *stm_find_device(const char *buf) + * @stm: stm device, previously acquired by stm_find_device() + * + * This drops the module reference and device reference taken by +- * stm_find_device(). ++ * stm_find_device() or stm_char_open(). + */ + void stm_put_device(struct stm_device *stm) + { +@@ -369,6 +370,8 @@ static int stm_char_open(struct inode *inode, struct file *file) + return nonseekable_open(inode, file); + + err_free: ++ /* matches class_find_device() above */ ++ put_device(dev); + kfree(stmf); + + return err; +@@ -379,6 +382,11 @@ static int stm_char_release(struct inode *inode, struct file *file) + struct stm_file *stmf = file->private_data; + + stm_output_free(stmf->stm, &stmf->output); ++ ++ /* ++ * matches the stm_char_open()'s ++ * class_find_device() + try_module_get() ++ */ + stm_put_device(stmf->stm); + kfree(stmf); + +@@ -540,10 +548,8 @@ static int stm_char_policy_set_ioctl(struct stm_file *stmf, void __user *arg) + ret = stm->data->link(stm->data, stmf->output.master, + stmf->output.channel); + +- if (ret) { ++ if (ret) + stm_output_free(stmf->stm, &stmf->output); +- stm_put_device(stmf->stm); +- } + + err_free: + kfree(id); +@@ -680,6 +686,7 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data, + return 0; + + err_device: ++ /* matches device_initialize() above */ + put_device(&stm->dev); + err_free: + vfree(stm); +@@ -792,7 +799,6 @@ static int stm_source_link_add(struct stm_source_device *src, + + fail_free_output: + stm_output_free(stm, &src->output); +- stm_put_device(stm); + + fail_detach: + mutex_lock(&stm->link_mutex); +@@ -906,8 +912,10 @@ static ssize_t stm_source_link_store(struct device *dev, + return -EINVAL; + + err = stm_source_link_add(src, link); +- if (err) ++ if (err) { ++ /* matches the stm_find_device() above */ + stm_put_device(link); ++ } + + return err ? : count; + } +-- +2.19.1 + diff --git a/queue-4.4/stm-class-fix-unlocking-braino-in-the-error-path.patch b/queue-4.4/stm-class-fix-unlocking-braino-in-the-error-path.patch new file mode 100644 index 00000000000..fcb640f3906 --- /dev/null +++ b/queue-4.4/stm-class-fix-unlocking-braino-in-the-error-path.patch @@ -0,0 +1,52 @@ +From 6f93407793e24d5c8670ae7884735c6c1c781754 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Mon, 15 Feb 2016 19:12:05 +0200 +Subject: stm class: Fix unlocking braino in the error path + +[ Upstream commit 1810f2c44817c74ca3d05d1e3981e3a2e2ceb6f5 ] + +If an illegal attempt is made to unlink stm source device from an +stm device, the stm device's link spinlock mistakenly remains locked. +While this really shouldn't happen (there's a warning in place), the +locking should remain in order so that we can still recover from this +situation if it indeed does happen. + +This patch unifies the unlocking in the exit path of +__stm_source_link_drop() to fix this. + +Reported-by: Laurent Fert +Signed-off-by: Alexander Shishkin +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/stm/core.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c +index e4fa583b57a6..d4deac108578 100644 +--- a/drivers/hwtracing/stm/core.c ++++ b/drivers/hwtracing/stm/core.c +@@ -817,10 +817,8 @@ static void __stm_source_link_drop(struct stm_source_device *src, + spin_lock(&stm->link_lock); + spin_lock(&src->link_lock); + link = srcu_dereference_check(src->link, &stm_source_srcu, 1); +- if (WARN_ON_ONCE(link != stm)) { +- spin_unlock(&src->link_lock); +- return; +- } ++ if (WARN_ON_ONCE(link != stm)) ++ goto unlock; + + stm_output_free(link, &src->output); + list_del_init(&src->link_entry); +@@ -828,6 +826,7 @@ static void __stm_source_link_drop(struct stm_source_device *src, + stm_put_device(link); + rcu_assign_pointer(src->link, NULL); + ++unlock: + spin_unlock(&src->link_lock); + spin_unlock(&stm->link_lock); + } +-- +2.19.1 + diff --git a/queue-4.4/stm-class-guard-output-assignment-against-concurrenc.patch b/queue-4.4/stm-class-guard-output-assignment-against-concurrenc.patch new file mode 100644 index 00000000000..36872b7f09d --- /dev/null +++ b/queue-4.4/stm-class-guard-output-assignment-against-concurrenc.patch @@ -0,0 +1,112 @@ +From 0ed6be72a6fbe5e6a86ef04e341227715c3a50ba Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Mon, 15 Feb 2016 19:12:06 +0200 +Subject: stm class: Guard output assignment against concurrency + +[ Upstream commit cde4ad8368840e414ecf67db258fe1dabaa5fd2e ] + +It is possible to concurrently assign the same output (a character +device writer or an stm_source device) to different stm devices, +which sets off a strategically placed warning in stm_output_assign(). + +To avoid this, use a spinlock to serialize (un)assignments between +outputs and stm devices. + +Signed-off-by: Alexander Shishkin +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/stm/core.c | 17 +++++++++++++++++ + drivers/hwtracing/stm/stm.h | 1 + + 2 files changed, 18 insertions(+) + +diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c +index d4deac108578..f8e46c38b565 100644 +--- a/drivers/hwtracing/stm/core.c ++++ b/drivers/hwtracing/stm/core.c +@@ -186,6 +186,9 @@ static void stm_output_claim(struct stm_device *stm, struct stm_output *output) + { + struct stp_master *master = stm_master(stm, output->master); + ++ lockdep_assert_held(&stm->mc_lock); ++ lockdep_assert_held(&output->lock); ++ + if (WARN_ON_ONCE(master->nr_free < output->nr_chans)) + return; + +@@ -200,6 +203,9 @@ stm_output_disclaim(struct stm_device *stm, struct stm_output *output) + { + struct stp_master *master = stm_master(stm, output->master); + ++ lockdep_assert_held(&stm->mc_lock); ++ lockdep_assert_held(&output->lock); ++ + bitmap_release_region(&master->chan_map[0], output->channel, + ilog2(output->nr_chans)); + +@@ -292,6 +298,7 @@ static int stm_output_assign(struct stm_device *stm, unsigned int width, + } + + spin_lock(&stm->mc_lock); ++ spin_lock(&output->lock); + /* output is already assigned -- shouldn't happen */ + if (WARN_ON_ONCE(output->nr_chans)) + goto unlock; +@@ -308,6 +315,7 @@ static int stm_output_assign(struct stm_device *stm, unsigned int width, + + ret = 0; + unlock: ++ spin_unlock(&output->lock); + spin_unlock(&stm->mc_lock); + + return ret; +@@ -316,11 +324,18 @@ static int stm_output_assign(struct stm_device *stm, unsigned int width, + static void stm_output_free(struct stm_device *stm, struct stm_output *output) + { + spin_lock(&stm->mc_lock); ++ spin_lock(&output->lock); + if (output->nr_chans) + stm_output_disclaim(stm, output); ++ spin_unlock(&output->lock); + spin_unlock(&stm->mc_lock); + } + ++static void stm_output_init(struct stm_output *output) ++{ ++ spin_lock_init(&output->lock); ++} ++ + static int major_match(struct device *dev, const void *data) + { + unsigned int major = *(unsigned int *)data; +@@ -343,6 +358,7 @@ static int stm_char_open(struct inode *inode, struct file *file) + if (!stmf) + return -ENOMEM; + ++ stm_output_init(&stmf->output); + stmf->stm = to_stm_device(dev); + + if (!try_module_get(stmf->stm->owner)) +@@ -953,6 +969,7 @@ int stm_source_register_device(struct device *parent, + if (err) + goto err; + ++ stm_output_init(&src->output); + spin_lock_init(&src->link_lock); + INIT_LIST_HEAD(&src->link_entry); + src->data = data; +diff --git a/drivers/hwtracing/stm/stm.h b/drivers/hwtracing/stm/stm.h +index 97ee02241440..4e8c6926260f 100644 +--- a/drivers/hwtracing/stm/stm.h ++++ b/drivers/hwtracing/stm/stm.h +@@ -57,6 +57,7 @@ struct stm_device { + container_of((_d), struct stm_device, dev) + + struct stm_output { ++ spinlock_t lock; + unsigned int master; + unsigned int channel; + unsigned int nr_chans; +-- +2.19.1 + diff --git a/queue-4.4/stm-class-prevent-user-controllable-allocations.patch b/queue-4.4/stm-class-prevent-user-controllable-allocations.patch new file mode 100644 index 00000000000..4bec617944a --- /dev/null +++ b/queue-4.4/stm-class-prevent-user-controllable-allocations.patch @@ -0,0 +1,39 @@ +From 7e82a1e16fde722d7c8f9c17e2a6f6871d40d507 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 22 Dec 2015 17:25:21 +0200 +Subject: stm class: Prevent user-controllable allocations + +[ Upstream commit f08b18266c7116e2ec6885dd53a928f580060a71 ] + +Currently, the character device write method allocates a temporary buffer +for user's data, but the user's data size is not sanitized and can cause +arbitrarily large allocations via kzalloc() or an integer overflow that +will then result in overwriting kernel memory. + +This patch trims the input buffer size to avoid these issues. + +Reported-by: Sasha Levin +Signed-off-by: Alexander Shishkin +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/stm/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c +index f286de2e86af..e4fa583b57a6 100644 +--- a/drivers/hwtracing/stm/core.c ++++ b/drivers/hwtracing/stm/core.c +@@ -410,6 +410,9 @@ static ssize_t stm_char_write(struct file *file, const char __user *buf, + char *kbuf; + int err; + ++ if (count + 1 > PAGE_SIZE) ++ count = PAGE_SIZE - 1; ++ + /* + * if no m/c have been assigned to this writer up to this + * point, use "default" policy entry +-- +2.19.1 + diff --git a/queue-4.4/stm-class-support-devices-with-multiple-instances.patch b/queue-4.4/stm-class-support-devices-with-multiple-instances.patch new file mode 100644 index 00000000000..44b4ee71f48 --- /dev/null +++ b/queue-4.4/stm-class-support-devices-with-multiple-instances.patch @@ -0,0 +1,49 @@ +From d4ce9f89ef9e6d2e088df31c9dc2d75ad763f556 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Mon, 15 Feb 2016 19:12:02 +0200 +Subject: stm class: Support devices with multiple instances + +[ Upstream commit 59be422e4ce10e3d49d4c9407a80fab8a9b7bc84 ] + +By convention, the name of the stm policy directory in configfs consists of +the device name to which it applies and the actual policy name, separated +by a dot. Now, some devices already have dots in their names that separate +name of the actual device from its instance identifier. Such devices will +result in two (or more, who can tell) dots in the policy directory name. + +Existing policy code, however, will treat the first dot as the one that +separates device name from policy name, therefore failing the above case. + +This patch makes the last dot in the directory name be the separator, thus +prohibiting dots from being used in policy names. + +Suggested-by: Chunyan Zhang +Signed-off-by: Alexander Shishkin +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/stm/policy.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/hwtracing/stm/policy.c b/drivers/hwtracing/stm/policy.c +index 94d3abfb737a..1db189657b2b 100644 +--- a/drivers/hwtracing/stm/policy.c ++++ b/drivers/hwtracing/stm/policy.c +@@ -332,10 +332,11 @@ stp_policies_make(struct config_group *group, const char *name) + + /* + * node must look like ., where +- * is the name of an existing stm device and +- * is an arbitrary string ++ * is the name of an existing stm device; may ++ * contain dots; ++ * is an arbitrary string; may not contain dots + */ +- p = strchr(devname, '.'); ++ p = strrchr(devname, '.'); + if (!p) { + kfree(devname); + return ERR_PTR(-EINVAL); +-- +2.19.1 + diff --git a/queue-4.4/stmmac-copy-unicast-mac-address-to-mac-registers.patch b/queue-4.4/stmmac-copy-unicast-mac-address-to-mac-registers.patch new file mode 100644 index 00000000000..a9516c1ff52 --- /dev/null +++ b/queue-4.4/stmmac-copy-unicast-mac-address-to-mac-registers.patch @@ -0,0 +1,55 @@ +From e368bf484b807a8f543f31858af9f6dda46e0c74 Mon Sep 17 00:00:00 2001 +From: Bhadram Varka +Date: Fri, 27 Oct 2017 08:22:02 +0530 +Subject: stmmac: copy unicast mac address to MAC registers + +[ Upstream commit a830405ee452ddc4101c3c9334e6fedd42c6b357 ] + +Currently stmmac driver not copying the valid ethernet +MAC address to MAC registers. This patch takes care +of updating the MAC register with MAC address. + +Signed-off-by: Bhadram Varka +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/stmmac_main.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 7bba30f24135..059113dce6e0 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2529,6 +2529,20 @@ static int stmmac_ioctl(struct net_device *dev, struct ifreq *rq, int cmd) + return ret; + } + ++static int stmmac_set_mac_address(struct net_device *ndev, void *addr) ++{ ++ struct stmmac_priv *priv = netdev_priv(ndev); ++ int ret = 0; ++ ++ ret = eth_mac_addr(ndev, addr); ++ if (ret) ++ return ret; ++ ++ priv->hw->mac->set_umac_addr(priv->hw, ndev->dev_addr, 0); ++ ++ return ret; ++} ++ + #ifdef CONFIG_DEBUG_FS + static struct dentry *stmmac_fs_dir; + +@@ -2730,7 +2744,7 @@ static const struct net_device_ops stmmac_netdev_ops = { + #ifdef CONFIG_NET_POLL_CONTROLLER + .ndo_poll_controller = stmmac_poll_controller, + #endif +- .ndo_set_mac_address = eth_mac_addr, ++ .ndo_set_mac_address = stmmac_set_mac_address, + }; + + /** +-- +2.19.1 + diff --git a/queue-4.4/usb-gadget-configfs-add-mutex-lock-before-unregister.patch b/queue-4.4/usb-gadget-configfs-add-mutex-lock-before-unregister.patch new file mode 100644 index 00000000000..2ed30ed90d9 --- /dev/null +++ b/queue-4.4/usb-gadget-configfs-add-mutex-lock-before-unregister.patch @@ -0,0 +1,65 @@ +From aac1985f1ea02002b2079463b731b798ede2cc2d Mon Sep 17 00:00:00 2001 +From: Winter Wang +Date: Wed, 27 Jul 2016 10:03:19 +0800 +Subject: usb: gadget: configfs: add mutex lock before unregister gadget + +[ Upstream commit cee51c33f52ebf673a088a428ac0fecc33ab77fa ] + +There may be a race condition if f_fs calls unregister_gadget_item in +ffs_closed() when unregister_gadget is called by UDC store at the same time. +this leads to a kernel NULL pointer dereference: + +[ 310.644928] Unable to handle kernel NULL pointer dereference at virtual address 00000004 +[ 310.645053] init: Service 'adbd' is being killed... +[ 310.658938] pgd = c9528000 +[ 310.662515] [00000004] *pgd=19451831, *pte=00000000, *ppte=00000000 +[ 310.669702] Internal error: Oops: 817 [#1] PREEMPT SMP ARM +[ 310.675211] Modules linked in: +[ 310.678294] CPU: 0 PID: 1537 Comm: ->transport Not tainted 4.1.15-03725-g793404c #2 +[ 310.685958] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +[ 310.692493] task: c8e24200 ti: c945e000 task.ti: c945e000 +[ 310.697911] PC is at usb_gadget_unregister_driver+0xb4/0xd0 +[ 310.703502] LR is at __mutex_lock_slowpath+0x10c/0x16c +[ 310.708648] pc : [] lr : [] psr: 600f0113 + +[ 311.565585] [] (usb_gadget_unregister_driver) from [] (unregister_gadget_item+0x1c/0x34) +[ 311.575426] [] (unregister_gadget_item) from [] (ffs_closed+0x8c/0x9c) +[ 311.583702] [] (ffs_closed) from [] (ffs_data_reset+0xc/0xa0) +[ 311.591194] [] (ffs_data_reset) from [] (ffs_data_closed+0x90/0xd0) +[ 311.599208] [] (ffs_data_closed) from [] (ffs_ep0_release+0xc/0x14) +[ 311.607224] [] (ffs_ep0_release) from [] (__fput+0x80/0x1d0) +[ 311.614635] [] (__fput) from [] (task_work_run+0xb0/0xe8) +[ 311.621788] [] (task_work_run) from [] (do_work_pending+0x7c/0xa4) +[ 311.629718] [] (do_work_pending) from [] (work_pending+0xc/0x20) + +for functions using functionFS, i.e. android adbd will close /dev/usb-ffs/adb/ep0 +when usb IO thread fails, but switch adb from on to off also triggers write +"none" > UDC. These 2 operations both call unregister_gadget, which will lead +to the panic above. + +add a mutex before calling unregister_gadget for api used in f_fs. + +Signed-off-by: Winter Wang +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/configfs.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c +index 6abb6a10ee82..d412e234f336 100644 +--- a/drivers/usb/gadget/configfs.c ++++ b/drivers/usb/gadget/configfs.c +@@ -1496,7 +1496,9 @@ void unregister_gadget_item(struct config_item *item) + { + struct gadget_info *gi = to_gadget_info(item); + ++ mutex_lock(&gi->lock); + unregister_gadget(gi); ++ mutex_unlock(&gi->lock); + } + EXPORT_SYMBOL_GPL(unregister_gadget_item); + +-- +2.19.1 + diff --git a/queue-4.4/usb-gadget-rndis-free-response-queue-during-remote_n.patch b/queue-4.4/usb-gadget-rndis-free-response-queue-during-remote_n.patch new file mode 100644 index 00000000000..5d92af43a1a --- /dev/null +++ b/queue-4.4/usb-gadget-rndis-free-response-queue-during-remote_n.patch @@ -0,0 +1,53 @@ +From b3731b5141c6e152890acb6ee9fa11a2b0d22062 Mon Sep 17 00:00:00 2001 +From: Xerox Lin +Date: Wed, 29 Jun 2016 14:34:21 +0530 +Subject: usb: gadget: rndis: free response queue during REMOTE_NDIS_RESET_MSG + +[ Upstream commit 207707d8fd48ebc977fb2b2794004a020e1ee08e ] + +When rndis data transfer is in progress, some Windows7 Host PC is not +sending the GET_ENCAPSULATED_RESPONSE command for receiving the response +for the previous SEND_ENCAPSULATED_COMMAND processed. + +The rndis function driver appends each response for the +SEND_ENCAPSULATED_COMMAND in a queue. As the above process got corrupted, +the Host sends a REMOTE_NDIS_RESET_MSG command to do a soft-reset. +As the rndis response queue is not freed, the previous response is sent +as a part of this REMOTE_NDIS_RESET_MSG's reset response and the Host +block any more Rndis transfers. + +Hence free the rndis response queue as a part of this soft-reset so that +the correct response for REMOTE_NDIS_RESET_MSG is sent properly during the +response command. + +Signed-off-by: Rajkumar Raghupathy +Signed-off-by: Xerox Lin +[AmitP: Cherry-picked this patch and folded other relevant + fixes from Android common kernel android-4.4] +Signed-off-by: Amit Pundir +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/rndis.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/usb/gadget/function/rndis.c b/drivers/usb/gadget/function/rndis.c +index 70d3917cc003..2582db38d6a6 100644 +--- a/drivers/usb/gadget/function/rndis.c ++++ b/drivers/usb/gadget/function/rndis.c +@@ -680,6 +680,12 @@ static int rndis_reset_response(struct rndis_params *params, + { + rndis_reset_cmplt_type *resp; + rndis_resp_t *r; ++ u8 *xbuf; ++ u32 length; ++ ++ /* drain the response queue */ ++ while ((xbuf = rndis_get_next_response(params, &length))) ++ rndis_free_response(params, xbuf); + + r = rndis_add_response(params, sizeof(rndis_reset_cmplt_type)); + if (!r) +-- +2.19.1 + diff --git a/queue-4.4/video-fbdev-set-pixclock-0-in-goldfishfb.patch b/queue-4.4/video-fbdev-set-pixclock-0-in-goldfishfb.patch new file mode 100644 index 00000000000..7c25698d0c3 --- /dev/null +++ b/queue-4.4/video-fbdev-set-pixclock-0-in-goldfishfb.patch @@ -0,0 +1,36 @@ +From 2b5cec2b9c9f966a917c78c5969ce72353b4d367 Mon Sep 17 00:00:00 2001 +From: Christoffer Dall +Date: Tue, 3 Jul 2018 17:43:09 +0200 +Subject: video: fbdev: Set pixclock = 0 in goldfishfb + +[ Upstream commit ace6033ec5c356615eaa3582fb1946e9eaff6662 ] + +User space Android code identifies pixclock == 0 as a sign for emulation +and will set the frame rate to 60 fps when reading this value, which is +the desired outcome. + +Signed-off-by: Christoffer Dall +Signed-off-by: Peter Maydell +Signed-off-by: Roman Kiryanov +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/goldfishfb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/goldfishfb.c b/drivers/video/fbdev/goldfishfb.c +index 14a93cb21310..66d58e93bc32 100644 +--- a/drivers/video/fbdev/goldfishfb.c ++++ b/drivers/video/fbdev/goldfishfb.c +@@ -234,7 +234,7 @@ static int goldfish_fb_probe(struct platform_device *pdev) + fb->fb.var.activate = FB_ACTIVATE_NOW; + fb->fb.var.height = readl(fb->reg_base + FB_GET_PHYS_HEIGHT); + fb->fb.var.width = readl(fb->reg_base + FB_GET_PHYS_WIDTH); +- fb->fb.var.pixclock = 10000; ++ fb->fb.var.pixclock = 0; + + fb->fb.var.red.offset = 11; + fb->fb.var.red.length = 5; +-- +2.19.1 + diff --git a/queue-4.4/vmstat-make-vmstat_updater-deferrable-again-and-shut.patch b/queue-4.4/vmstat-make-vmstat_updater-deferrable-again-and-shut.patch new file mode 100644 index 00000000000..28248d7ee6a --- /dev/null +++ b/queue-4.4/vmstat-make-vmstat_updater-deferrable-again-and-shut.patch @@ -0,0 +1,182 @@ +From 06ebb9e32fe88b5860812cb676c1e0018f43fe42 Mon Sep 17 00:00:00 2001 +From: Christoph Lameter +Date: Thu, 14 Jan 2016 15:21:40 -0800 +Subject: vmstat: make vmstat_updater deferrable again and shut down on idle + +[ Upstream commit 0eb77e9880321915322d42913c3b53241739c8aa ] + +Currently the vmstat updater is not deferrable as a result of commit +ba4877b9ca51 ("vmstat: do not use deferrable delayed work for +vmstat_update"). This in turn can cause multiple interruptions of the +applications because the vmstat updater may run at + +Make vmstate_update deferrable again and provide a function that folds +the differentials when the processor is going to idle mode thus +addressing the issue of the above commit in a clean way. + +Note that the shepherd thread will continue scanning the differentials +from another processor and will reenable the vmstat workers if it +detects any changes. + +Fixes: ba4877b9ca51 ("vmstat: do not use deferrable delayed work for vmstat_update") +Signed-off-by: Christoph Lameter +Cc: Michal Hocko +Cc: Johannes Weiner +Cc: Tetsuo Handa +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/vmstat.h | 2 ++ + kernel/sched/idle.c | 1 + + mm/vmstat.c | 69 +++++++++++++++++++++++++++--------------- + 3 files changed, 47 insertions(+), 25 deletions(-) + +diff --git a/include/linux/vmstat.h b/include/linux/vmstat.h +index 3e5d9075960f..73fae8c4a5fb 100644 +--- a/include/linux/vmstat.h ++++ b/include/linux/vmstat.h +@@ -189,6 +189,7 @@ extern void __inc_zone_state(struct zone *, enum zone_stat_item); + extern void dec_zone_state(struct zone *, enum zone_stat_item); + extern void __dec_zone_state(struct zone *, enum zone_stat_item); + ++void quiet_vmstat(void); + void cpu_vm_stats_fold(int cpu); + void refresh_zone_stat_thresholds(void); + +@@ -249,6 +250,7 @@ static inline void __dec_zone_page_state(struct page *page, + + static inline void refresh_zone_stat_thresholds(void) { } + static inline void cpu_vm_stats_fold(int cpu) { } ++static inline void quiet_vmstat(void) { } + + static inline void drain_zonestat(struct zone *zone, + struct per_cpu_pageset *pset) { } +diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c +index bfd573122e0d..306a859b36f0 100644 +--- a/kernel/sched/idle.c ++++ b/kernel/sched/idle.c +@@ -219,6 +219,7 @@ static void cpu_idle_loop(void) + */ + + __current_set_polling(); ++ quiet_vmstat(); + tick_nohz_idle_enter(); + + while (!need_resched()) { +diff --git a/mm/vmstat.c b/mm/vmstat.c +index a2d70ef74db7..6af9bbad94c7 100644 +--- a/mm/vmstat.c ++++ b/mm/vmstat.c +@@ -460,7 +460,7 @@ static int fold_diff(int *diff) + * + * The function returns the number of global counters updated. + */ +-static int refresh_cpu_vm_stats(void) ++static int refresh_cpu_vm_stats(bool do_pagesets) + { + struct zone *zone; + int i; +@@ -484,33 +484,35 @@ static int refresh_cpu_vm_stats(void) + #endif + } + } +- cond_resched(); + #ifdef CONFIG_NUMA +- /* +- * Deal with draining the remote pageset of this +- * processor +- * +- * Check if there are pages remaining in this pageset +- * if not then there is nothing to expire. +- */ +- if (!__this_cpu_read(p->expire) || ++ if (do_pagesets) { ++ cond_resched(); ++ /* ++ * Deal with draining the remote pageset of this ++ * processor ++ * ++ * Check if there are pages remaining in this pageset ++ * if not then there is nothing to expire. ++ */ ++ if (!__this_cpu_read(p->expire) || + !__this_cpu_read(p->pcp.count)) +- continue; ++ continue; + +- /* +- * We never drain zones local to this processor. +- */ +- if (zone_to_nid(zone) == numa_node_id()) { +- __this_cpu_write(p->expire, 0); +- continue; +- } ++ /* ++ * We never drain zones local to this processor. ++ */ ++ if (zone_to_nid(zone) == numa_node_id()) { ++ __this_cpu_write(p->expire, 0); ++ continue; ++ } + +- if (__this_cpu_dec_return(p->expire)) +- continue; ++ if (__this_cpu_dec_return(p->expire)) ++ continue; + +- if (__this_cpu_read(p->pcp.count)) { +- drain_zone_pages(zone, this_cpu_ptr(&p->pcp)); +- changes++; ++ if (__this_cpu_read(p->pcp.count)) { ++ drain_zone_pages(zone, this_cpu_ptr(&p->pcp)); ++ changes++; ++ } + } + #endif + } +@@ -1393,7 +1395,7 @@ static cpumask_var_t cpu_stat_off; + + static void vmstat_update(struct work_struct *w) + { +- if (refresh_cpu_vm_stats()) { ++ if (refresh_cpu_vm_stats(true)) { + /* + * Counters were updated so we expect more updates + * to occur in the future. Keep on running the +@@ -1424,6 +1426,23 @@ static void vmstat_update(struct work_struct *w) + } + } + ++/* ++ * Switch off vmstat processing and then fold all the remaining differentials ++ * until the diffs stay at zero. The function is used by NOHZ and can only be ++ * invoked when tick processing is not active. ++ */ ++void quiet_vmstat(void) ++{ ++ if (system_state != SYSTEM_RUNNING) ++ return; ++ ++ do { ++ if (!cpumask_test_and_set_cpu(smp_processor_id(), cpu_stat_off)) ++ cancel_delayed_work(this_cpu_ptr(&vmstat_work)); ++ ++ } while (refresh_cpu_vm_stats(false)); ++} ++ + /* + * Check if the diffs for a certain cpu indicate that + * an update is needed. +@@ -1456,7 +1475,7 @@ static bool need_update(int cpu) + */ + static void vmstat_shepherd(struct work_struct *w); + +-static DECLARE_DELAYED_WORK(shepherd, vmstat_shepherd); ++static DECLARE_DEFERRABLE_WORK(shepherd, vmstat_shepherd); + + static void vmstat_shepherd(struct work_struct *w) + { +-- +2.19.1 + diff --git a/queue-4.4/writeback-initialize-inode-members-that-track-writeb.patch b/queue-4.4/writeback-initialize-inode-members-that-track-writeb.patch new file mode 100644 index 00000000000..164b6133038 --- /dev/null +++ b/queue-4.4/writeback-initialize-inode-members-that-track-writeb.patch @@ -0,0 +1,41 @@ +From 7ad1b3cfd1989edaa716a4bf979a5396a77a5a15 Mon Sep 17 00:00:00 2001 +From: Tahsin Erdogan +Date: Tue, 16 Feb 2016 13:34:39 -0800 +Subject: writeback: initialize inode members that track writeback history + +[ Upstream commit 3d65ae4634ed8350aee98a4e6f4e41fe40c7d282 ] + +inode struct members that track cgroup writeback information +should be reinitialized when inode gets allocated from +kmem_cache. Otherwise, their values remain and get used by the +new inode. + +Signed-off-by: Tahsin Erdogan +Acked-by: Tejun Heo +Fixes: d10c80955265 ("writeback: implement foreign cgroup inode bdi_writeback switching") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/inode.c b/fs/inode.c +index a39c2724d8a0..b5c3a6473aaa 100644 +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -154,6 +154,12 @@ int inode_init_always(struct super_block *sb, struct inode *inode) + inode->i_rdev = 0; + inode->dirtied_when = 0; + ++#ifdef CONFIG_CGROUP_WRITEBACK ++ inode->i_wb_frn_winner = 0; ++ inode->i_wb_frn_avg_time = 0; ++ inode->i_wb_frn_history = 0; ++#endif ++ + if (security_inode_alloc(inode)) + goto out; + spin_lock_init(&inode->i_lock); +-- +2.19.1 + -- 2.47.3