From a1703d598ef46e2464349ae33d7ba39cb0cb035f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 24 Oct 2014 13:12:17 +0800 Subject: [PATCH] 3.16-stable patches added patches: bluetooth-fix-hci-h5-corrupted-ack-value.patch bluetooth-fix-incorrect-le-coc-pdu-length-restriction-based-on-hci-mtu.patch bluetooth-fix-issue-with-usb-suspend-in-btusb-driver.patch bluetooth-fix-setting-correct-security-level-when-initiating-smp.patch fanotify-enable-close-on-exec-on-events-fd-when-requested-in-fanotify_init.patch futex-ensure-get_futex_key_refs-always-implies-a-barrier.patch ima-fix-fallback-to-use-new_sync_read.patch ima-provide-flag-to-identify-new-empty-files.patch iwlwifi-add-missing-pci-ids-for-the-7260-series.patch iwlwifi-mvm-disable-bt-co-running-by-default.patch kernel-add-support-for-gcc-5.patch mm-balloon_compaction-redesign-ballooned-pages-management.patch mm-clear-__gfp_fs-when-pf_memalloc_noio-is-set.patch pci-add-missing-mem_64-mask-in-pci_assign_unassigned_bridge_resources.patch pci-generate-uppercase-hex-for-modalias-interface-class.patch pci-increase-ibm-ipr-sas-crocodile-bars-to-at-least-system-page-size.patch pci-mvebu-fix-uninitialized-variable-in-mvebu_get_tgt_attr.patch pci-pciehp-prevent-null-dereference-during-probe.patch powerpc-eeh-clear-frozen-device-state-in-time.patch powerpc-iommu-ddw-fix-endianness.patch powerpc-powernv-fix-endian-bug-in-lpc-bus-debugfs-accessors.patch revert-ath9k_hw-reduce-ani-firstep-range-for-older-chips.patch rt2800-correct-bbp1_tx_power_ctrl-mask.patch rtc-cmos-fix-wakeup-from-s5-without-config_pm_sleep.patch --- ...tooth-fix-hci-h5-corrupted-ack-value.patch | 35 ++ ...-length-restriction-based-on-hci-mtu.patch | 43 ++ ...sue-with-usb-suspend-in-btusb-driver.patch | 56 +++ ...t-security-level-when-initiating-smp.patch | 44 ++ ...s-fd-when-requested-in-fanotify_init.patch | 112 +++++ ...ex_key_refs-always-implies-a-barrier.patch | 55 +++ ...ma-fix-fallback-to-use-new_sync_read.patch | 52 +++ ...ide-flag-to-identify-new-empty-files.patch | 79 ++++ ...-missing-pci-ids-for-the-7260-series.patch | 39 ++ ...mvm-disable-bt-co-running-by-default.patch | 29 ++ queue-3.16/kernel-add-support-for-gcc-5.patch | 95 ++++ ...-redesign-ballooned-pages-management.patch | 439 ++++++++++++++++++ ..._gfp_fs-when-pf_memalloc_noio-is-set.patch | 65 +++ ...i_assign_unassigned_bridge_resources.patch | 37 ++ ...ase-hex-for-modalias-interface-class.patch | 42 ++ ...le-bars-to-at-least-system-page-size.patch | 65 +++ ...lized-variable-in-mvebu_get_tgt_attr.patch | 60 +++ ...revent-null-dereference-during-probe.patch | 40 ++ ...eh-clear-frozen-device-state-in-time.patch | 66 +++ .../powerpc-iommu-ddw-fix-endianness.patch | 163 +++++++ ...ian-bug-in-lpc-bus-debugfs-accessors.patch | 43 ++ ...ce-ani-firstep-range-for-older-chips.patch | 37 ++ ...2800-correct-bbp1_tx_power_ctrl-mask.patch | 32 ++ ...keup-from-s5-without-config_pm_sleep.patch | 58 +++ queue-3.16/series | 24 + 25 files changed, 1810 insertions(+) create mode 100644 queue-3.16/bluetooth-fix-hci-h5-corrupted-ack-value.patch create mode 100644 queue-3.16/bluetooth-fix-incorrect-le-coc-pdu-length-restriction-based-on-hci-mtu.patch create mode 100644 queue-3.16/bluetooth-fix-issue-with-usb-suspend-in-btusb-driver.patch create mode 100644 queue-3.16/bluetooth-fix-setting-correct-security-level-when-initiating-smp.patch create mode 100644 queue-3.16/fanotify-enable-close-on-exec-on-events-fd-when-requested-in-fanotify_init.patch create mode 100644 queue-3.16/futex-ensure-get_futex_key_refs-always-implies-a-barrier.patch create mode 100644 queue-3.16/ima-fix-fallback-to-use-new_sync_read.patch create mode 100644 queue-3.16/ima-provide-flag-to-identify-new-empty-files.patch create mode 100644 queue-3.16/iwlwifi-add-missing-pci-ids-for-the-7260-series.patch create mode 100644 queue-3.16/iwlwifi-mvm-disable-bt-co-running-by-default.patch create mode 100644 queue-3.16/kernel-add-support-for-gcc-5.patch create mode 100644 queue-3.16/mm-balloon_compaction-redesign-ballooned-pages-management.patch create mode 100644 queue-3.16/mm-clear-__gfp_fs-when-pf_memalloc_noio-is-set.patch create mode 100644 queue-3.16/pci-add-missing-mem_64-mask-in-pci_assign_unassigned_bridge_resources.patch create mode 100644 queue-3.16/pci-generate-uppercase-hex-for-modalias-interface-class.patch create mode 100644 queue-3.16/pci-increase-ibm-ipr-sas-crocodile-bars-to-at-least-system-page-size.patch create mode 100644 queue-3.16/pci-mvebu-fix-uninitialized-variable-in-mvebu_get_tgt_attr.patch create mode 100644 queue-3.16/pci-pciehp-prevent-null-dereference-during-probe.patch create mode 100644 queue-3.16/powerpc-eeh-clear-frozen-device-state-in-time.patch create mode 100644 queue-3.16/powerpc-iommu-ddw-fix-endianness.patch create mode 100644 queue-3.16/powerpc-powernv-fix-endian-bug-in-lpc-bus-debugfs-accessors.patch create mode 100644 queue-3.16/revert-ath9k_hw-reduce-ani-firstep-range-for-older-chips.patch create mode 100644 queue-3.16/rt2800-correct-bbp1_tx_power_ctrl-mask.patch create mode 100644 queue-3.16/rtc-cmos-fix-wakeup-from-s5-without-config_pm_sleep.patch diff --git a/queue-3.16/bluetooth-fix-hci-h5-corrupted-ack-value.patch b/queue-3.16/bluetooth-fix-hci-h5-corrupted-ack-value.patch new file mode 100644 index 00000000000..0c87ae5fbed --- /dev/null +++ b/queue-3.16/bluetooth-fix-hci-h5-corrupted-ack-value.patch @@ -0,0 +1,35 @@ +From 4807b51895dce8aa650ebebc51fa4a795ed6b8b8 Mon Sep 17 00:00:00 2001 +From: Loic Poulain +Date: Fri, 8 Aug 2014 19:07:16 +0200 +Subject: Bluetooth: Fix HCI H5 corrupted ack value + +From: Loic Poulain + +commit 4807b51895dce8aa650ebebc51fa4a795ed6b8b8 upstream. + +In this expression: seq = (seq - 1) % 8 +seq (u8) is implicitly converted to an int in the arithmetic operation. +So if seq value is 0, operation is ((0 - 1) % 8) => (-1 % 8) => -1. +The new seq value is 0xff which is an invalid ACK value, we expect 0x07. +It leads to frequent dropped ACK and retransmission. +Fix this by using '&' binary operator instead of '%'. + +Signed-off-by: Loic Poulain +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/hci_h5.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/bluetooth/hci_h5.c ++++ b/drivers/bluetooth/hci_h5.c +@@ -237,7 +237,7 @@ static void h5_pkt_cull(struct h5 *h5) + break; + + to_remove--; +- seq = (seq - 1) % 8; ++ seq = (seq - 1) & 0x07; + } + + if (seq != h5->rx_ack) diff --git a/queue-3.16/bluetooth-fix-incorrect-le-coc-pdu-length-restriction-based-on-hci-mtu.patch b/queue-3.16/bluetooth-fix-incorrect-le-coc-pdu-length-restriction-based-on-hci-mtu.patch new file mode 100644 index 00000000000..4ddd32491f2 --- /dev/null +++ b/queue-3.16/bluetooth-fix-incorrect-le-coc-pdu-length-restriction-based-on-hci-mtu.patch @@ -0,0 +1,43 @@ +From 72c6fb915ff2d30ae14053edee4f0d30019bad76 Mon Sep 17 00:00:00 2001 +From: Johan Hedberg +Date: Fri, 15 Aug 2014 21:06:51 +0300 +Subject: Bluetooth: Fix incorrect LE CoC PDU length restriction based on HCI MTU + +From: Johan Hedberg + +commit 72c6fb915ff2d30ae14053edee4f0d30019bad76 upstream. + +The l2cap_create_le_flowctl_pdu() function that l2cap_segment_le_sdu() +calls is perfectly capable of doing packet fragmentation if given bigger +PDUs than the HCI buffers allow. Forcing the PDU length based on the HCI +MTU (conn->mtu) would therefore needlessly strict operation on hardware +with limited LE buffers (e.g. both Intel and Broadcom seem to have this +set to just 27 bytes). + +This patch removes the restriction and makes it possible to send PDUs of +the full length that the remote MPS value allows. + +Signed-off-by: Johan Hedberg +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/l2cap_core.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -2400,12 +2400,8 @@ static int l2cap_segment_le_sdu(struct l + + BT_DBG("chan %p, msg %p, len %zu", chan, msg, len); + +- pdu_len = chan->conn->mtu - L2CAP_HDR_SIZE; +- +- pdu_len = min_t(size_t, pdu_len, chan->remote_mps); +- + sdu_len = len; +- pdu_len -= L2CAP_SDULEN_SIZE; ++ pdu_len = chan->remote_mps - L2CAP_SDULEN_SIZE; + + while (len > 0) { + if (len <= pdu_len) diff --git a/queue-3.16/bluetooth-fix-issue-with-usb-suspend-in-btusb-driver.patch b/queue-3.16/bluetooth-fix-issue-with-usb-suspend-in-btusb-driver.patch new file mode 100644 index 00000000000..f8f4661706b --- /dev/null +++ b/queue-3.16/bluetooth-fix-issue-with-usb-suspend-in-btusb-driver.patch @@ -0,0 +1,56 @@ +From 85560c4a828ec9c8573840c9b66487b6ae584768 Mon Sep 17 00:00:00 2001 +From: Champion Chen +Date: Sat, 6 Sep 2014 14:06:08 -0500 +Subject: Bluetooth: Fix issue with USB suspend in btusb driver + +From: Champion Chen + +commit 85560c4a828ec9c8573840c9b66487b6ae584768 upstream. + +Suspend could fail for some platforms because +btusb_suspend==> btusb_stop_traffic ==> usb_kill_anchored_urbs. + +When btusb_bulk_complete returns before system suspend and resubmits +an URB, the system cannot enter suspend state. + +Signed-off-by: Champion Chen +Signed-off-by: Larry Finger +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/btusb.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -317,6 +317,9 @@ static void btusb_intr_complete(struct u + BT_ERR("%s corrupted event packet", hdev->name); + hdev->stat.err_rx++; + } ++ } else if (urb->status == -ENOENT) { ++ /* Avoid suspend failed when usb_kill_urb */ ++ return; + } + + if (!test_bit(BTUSB_INTR_RUNNING, &data->flags)) +@@ -405,6 +408,9 @@ static void btusb_bulk_complete(struct u + BT_ERR("%s corrupted ACL packet", hdev->name); + hdev->stat.err_rx++; + } ++ } else if (urb->status == -ENOENT) { ++ /* Avoid suspend failed when usb_kill_urb */ ++ return; + } + + if (!test_bit(BTUSB_BULK_RUNNING, &data->flags)) +@@ -499,6 +505,9 @@ static void btusb_isoc_complete(struct u + hdev->stat.err_rx++; + } + } ++ } else if (urb->status == -ENOENT) { ++ /* Avoid suspend failed when usb_kill_urb */ ++ return; + } + + if (!test_bit(BTUSB_ISOC_RUNNING, &data->flags)) diff --git a/queue-3.16/bluetooth-fix-setting-correct-security-level-when-initiating-smp.patch b/queue-3.16/bluetooth-fix-setting-correct-security-level-when-initiating-smp.patch new file mode 100644 index 00000000000..4ea75699e7f --- /dev/null +++ b/queue-3.16/bluetooth-fix-setting-correct-security-level-when-initiating-smp.patch @@ -0,0 +1,44 @@ +From 5eb596f55cacc2389554a8d7572d90d5e9d4269d Mon Sep 17 00:00:00 2001 +From: Johan Hedberg +Date: Thu, 18 Sep 2014 11:26:32 +0300 +Subject: Bluetooth: Fix setting correct security level when initiating SMP + +From: Johan Hedberg + +commit 5eb596f55cacc2389554a8d7572d90d5e9d4269d upstream. + +We can only determine the final security level when both pairing request +and response have been exchanged. When initiating pairing the starting +target security level is set to MEDIUM unless explicitly specified to be +HIGH, so that we can still perform pairing even if the remote doesn't +have MITM capabilities. However, once we've received the pairing +response we should re-consult the remote and local IO capabilities and +upgrade the target security level if necessary. + +Without this patch the resulting Long Term Key will occasionally be +reported to be unauthenticated when it in reality is an authenticated +one. + +Signed-off-by: Johan Hedberg +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/smp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -432,8 +432,11 @@ static int tk_request(struct l2cap_conn + } + + /* Not Just Works/Confirm results in MITM Authentication */ +- if (method != JUST_CFM) ++ if (method != JUST_CFM) { + set_bit(SMP_FLAG_MITM_AUTH, &smp->flags); ++ if (hcon->pending_sec_level < BT_SECURITY_HIGH) ++ hcon->pending_sec_level = BT_SECURITY_HIGH; ++ } + + /* If both devices have Keyoard-Display I/O, the master + * Confirms and the slave Enters the passkey. diff --git a/queue-3.16/fanotify-enable-close-on-exec-on-events-fd-when-requested-in-fanotify_init.patch b/queue-3.16/fanotify-enable-close-on-exec-on-events-fd-when-requested-in-fanotify_init.patch new file mode 100644 index 00000000000..9bb1351a782 --- /dev/null +++ b/queue-3.16/fanotify-enable-close-on-exec-on-events-fd-when-requested-in-fanotify_init.patch @@ -0,0 +1,112 @@ +From 0b37e097a648aa71d4db1ad108001e95b69a2da4 Mon Sep 17 00:00:00 2001 +From: Yann Droneaud +Date: Thu, 9 Oct 2014 15:24:40 -0700 +Subject: fanotify: enable close-on-exec on events' fd when requested in fanotify_init() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yann Droneaud + +commit 0b37e097a648aa71d4db1ad108001e95b69a2da4 upstream. + +According to commit 80af258867648 ("fanotify: groups can specify their +f_flags for new fd"), file descriptors created as part of file access +notification events inherit flags from the event_f_flags argument passed +to syscall fanotify_init(2)[1]. + +Unfortunately O_CLOEXEC is currently silently ignored. + +Indeed, event_f_flags are only given to dentry_open(), which only seems to +care about O_ACCMODE and O_PATH in do_dentry_open(), O_DIRECT in +open_check_o_direct() and O_LARGEFILE in generic_file_open(). + +It's a pity, since, according to some lookup on various search engines and +http://codesearch.debian.net/, there's already some userspace code which +use O_CLOEXEC: + +- in systemd's readahead[2]: + + fanotify_fd = fanotify_init(FAN_CLOEXEC|FAN_NONBLOCK, O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_NOATIME); + +- in clsync[3]: + + #define FANOTIFY_EVFLAGS (O_LARGEFILE|O_RDONLY|O_CLOEXEC) + + int fanotify_d = fanotify_init(FANOTIFY_FLAGS, FANOTIFY_EVFLAGS); + +- in examples [4] from "Filesystem monitoring in the Linux + kernel" article[5] by Aleksander Morgado: + + if ((fanotify_fd = fanotify_init (FAN_CLOEXEC, + O_RDONLY | O_CLOEXEC | O_LARGEFILE)) < 0) + +Additionally, since commit 48149e9d3a7e ("fanotify: check file flags +passed in fanotify_init"). having O_CLOEXEC as part of fanotify_init() +second argument is expressly allowed. + +So it seems expected to set close-on-exec flag on the file descriptors if +userspace is allowed to request it with O_CLOEXEC. + +But Andrew Morton raised[6] the concern that enabling now close-on-exec +might break existing applications which ask for O_CLOEXEC but expect the +file descriptor to be inherited across exec(). + +In the other hand, as reported by Mihai Dontu[7] close-on-exec on the file +descriptor returned as part of file access notify can break applications +due to deadlock. So close-on-exec is needed for most applications. + +More, applications asking for close-on-exec are likely expecting it to be +enabled, relying on O_CLOEXEC being effective. If not, it might weaken +their security, as noted by Jan Kara[8]. + +So this patch replaces call to macro get_unused_fd() by a call to function +get_unused_fd_flags() with event_f_flags value as argument. This way +O_CLOEXEC flag in the second argument of fanotify_init(2) syscall is +interpreted and close-on-exec get enabled when requested. + +[1] http://man7.org/linux/man-pages/man2/fanotify_init.2.html +[2] http://cgit.freedesktop.org/systemd/systemd/tree/src/readahead/readahead-collect.c?id=v208#n294 +[3] https://github.com/xaionaro/clsync/blob/v0.2.1/sync.c#L1631 + https://github.com/xaionaro/clsync/blob/v0.2.1/configuration.h#L38 +[4] http://www.lanedo.com/~aleksander/fanotify/fanotify-example.c +[5] http://www.lanedo.com/2013/filesystem-monitoring-linux-kernel/ +[6] http://lkml.kernel.org/r/20141001153621.65e9258e65a6167bf2e4cb50@linux-foundation.org +[7] http://lkml.kernel.org/r/20141002095046.3715eb69@mdontu-l +[8] http://lkml.kernel.org/r/20141002104410.GB19748@quack.suse.cz + +Link: http://lkml.kernel.org/r/cover.1411562410.git.ydroneaud@opteya.com +Signed-off-by: Yann Droneaud +Reviewed-by: Jan Kara +Reviewed by: Heinrich Schuchardt +Tested-by: Heinrich Schuchardt +Cc: Mihai Don\u021bu +Cc: Pádraig Brady +Cc: Heinrich Schuchardt +Cc: Jan Kara +Cc: Valdis Kletnieks +Cc: Michael Kerrisk-manpages +Cc: Lino Sanfilippo +Cc: Richard Guy Briggs +Cc: Eric Paris +Cc: Al Viro +Cc: Michael Kerrisk +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/notify/fanotify/fanotify_user.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/notify/fanotify/fanotify_user.c ++++ b/fs/notify/fanotify/fanotify_user.c +@@ -78,7 +78,7 @@ static int create_fd(struct fsnotify_gro + + pr_debug("%s: group=%p event=%p\n", __func__, group, event); + +- client_fd = get_unused_fd(); ++ client_fd = get_unused_fd_flags(group->fanotify_data.f_flags); + if (client_fd < 0) + return client_fd; + diff --git a/queue-3.16/futex-ensure-get_futex_key_refs-always-implies-a-barrier.patch b/queue-3.16/futex-ensure-get_futex_key_refs-always-implies-a-barrier.patch new file mode 100644 index 00000000000..e24b53cf881 --- /dev/null +++ b/queue-3.16/futex-ensure-get_futex_key_refs-always-implies-a-barrier.patch @@ -0,0 +1,55 @@ +From 76835b0ebf8a7fe85beb03c75121419a7dec52f0 Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Fri, 17 Oct 2014 17:38:49 +0100 +Subject: futex: Ensure get_futex_key_refs() always implies a barrier + +From: Catalin Marinas + +commit 76835b0ebf8a7fe85beb03c75121419a7dec52f0 upstream. + +Commit b0c29f79ecea (futexes: Avoid taking the hb->lock if there's +nothing to wake up) changes the futex code to avoid taking a lock when +there are no waiters. This code has been subsequently fixed in commit +11d4616bd07f (futex: revert back to the explicit waiter counting code). +Both the original commit and the fix-up rely on get_futex_key_refs() to +always imply a barrier. + +However, for private futexes, none of the cases in the switch statement +of get_futex_key_refs() would be hit and the function completes without +a memory barrier as required before checking the "waiters" in +futex_wake() -> hb_waiters_pending(). The consequence is a race with a +thread waiting on a futex on another CPU, allowing the waker thread to +read "waiters == 0" while the waiter thread to have read "futex_val == +locked" (in kernel). + +Without this fix, the problem (user space deadlocks) can be seen with +Android bionic's mutex implementation on an arm64 multi-cluster system. + +Signed-off-by: Catalin Marinas +Reported-by: Matteo Franchin +Fixes: b0c29f79ecea (futexes: Avoid taking the hb->lock if there's nothing to wake up) +Acked-by: Davidlohr Bueso +Tested-by: Mike Galbraith +Cc: Darren Hart +Cc: Thomas Gleixner +Cc: Peter Zijlstra +Cc: Ingo Molnar +Cc: Paul E. McKenney +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/futex.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -343,6 +343,8 @@ static void get_futex_key_refs(union fut + case FUT_OFF_MMSHARED: + futex_get_mm(key); /* implies MB (B) */ + break; ++ default: ++ smp_mb(); /* explicit MB (B) */ + } + } + diff --git a/queue-3.16/ima-fix-fallback-to-use-new_sync_read.patch b/queue-3.16/ima-fix-fallback-to-use-new_sync_read.patch new file mode 100644 index 00000000000..9b6a6728f36 --- /dev/null +++ b/queue-3.16/ima-fix-fallback-to-use-new_sync_read.patch @@ -0,0 +1,52 @@ +From 27cd1fc3ae5374a4a86662c67033f15ef27b2461 Mon Sep 17 00:00:00 2001 +From: Dmitry Kasatkin +Date: Mon, 23 Jun 2014 20:32:56 +0300 +Subject: ima: fix fallback to use new_sync_read() + +From: Dmitry Kasatkin + +commit 27cd1fc3ae5374a4a86662c67033f15ef27b2461 upstream. + +3.16 commit aad4f8bb42af06371aa0e85bf0cd9d52c0494985 +'switch simple generic_file_aio_read() users to ->read_iter()' +replaced ->aio_read with ->read_iter in most of the file systems +and introduced new_sync_read() as a replacement for do_sync_read(). + +Most of file systems set '->read' and ima_kernel_read is not affected. +When ->read is not set, this patch adopts fallback call changes from the +vfs_read. + +Signed-off-by: Dmitry Kasatkin +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + security/integrity/ima/ima_crypto.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/security/integrity/ima/ima_crypto.c ++++ b/security/integrity/ima/ima_crypto.c +@@ -40,19 +40,19 @@ static int ima_kernel_read(struct file * + { + mm_segment_t old_fs; + char __user *buf = addr; +- ssize_t ret; ++ ssize_t ret = -EINVAL; + + if (!(file->f_mode & FMODE_READ)) + return -EBADF; +- if (!file->f_op->read && !file->f_op->aio_read) +- return -EINVAL; + + old_fs = get_fs(); + set_fs(get_ds()); + if (file->f_op->read) + ret = file->f_op->read(file, buf, count, &offset); +- else ++ else if (file->f_op->aio_read) + ret = do_sync_read(file, buf, count, &offset); ++ else if (file->f_op->read_iter) ++ ret = new_sync_read(file, buf, count, &offset); + set_fs(old_fs); + return ret; + } diff --git a/queue-3.16/ima-provide-flag-to-identify-new-empty-files.patch b/queue-3.16/ima-provide-flag-to-identify-new-empty-files.patch new file mode 100644 index 00000000000..1d400de65f8 --- /dev/null +++ b/queue-3.16/ima-provide-flag-to-identify-new-empty-files.patch @@ -0,0 +1,79 @@ +From b151d6b00bbb798c58f2f21305e7d43fa763f34f Mon Sep 17 00:00:00 2001 +From: Dmitry Kasatkin +Date: Fri, 27 Jun 2014 18:04:27 +0300 +Subject: ima: provide flag to identify new empty files + +From: Dmitry Kasatkin + +commit b151d6b00bbb798c58f2f21305e7d43fa763f34f upstream. + +On ima_file_free(), newly created empty files are not labeled with +an initial security.ima value, because the iversion did not change. +Commit dff6efc "fs: fix iversion handling" introduced a change in +iversion behavior. To verify this change use the shell command: + + $ (exec >foo) + $ getfattr -h -e hex -d -m security foo + +This patch defines the IMA_NEW_FILE flag. The flag is initially +set, when IMA detects that a new file is created, and subsequently +checked on the ima_file_free() hook to set the initial security.ima +value. + +Signed-off-by: Dmitry Kasatkin +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + security/integrity/ima/ima_appraise.c | 7 +++++-- + security/integrity/ima/ima_main.c | 12 +++++++----- + security/integrity/integrity.h | 1 + + 3 files changed, 13 insertions(+), 7 deletions(-) + +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -194,8 +194,11 @@ int ima_appraise_measurement(int func, s + goto out; + + cause = "missing-hash"; +- status = +- (inode->i_size == 0) ? INTEGRITY_PASS : INTEGRITY_NOLABEL; ++ status = INTEGRITY_NOLABEL; ++ if (inode->i_size == 0) { ++ iint->flags |= IMA_NEW_FILE; ++ status = INTEGRITY_PASS; ++ } + goto out; + } + +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -128,11 +128,13 @@ static void ima_check_last_writer(struct + return; + + mutex_lock(&inode->i_mutex); +- if (atomic_read(&inode->i_writecount) == 1 && +- iint->version != inode->i_version) { +- iint->flags &= ~IMA_DONE_MASK; +- if (iint->flags & IMA_APPRAISE) +- ima_update_xattr(iint, file); ++ if (atomic_read(&inode->i_writecount) == 1) { ++ if ((iint->version != inode->i_version) || ++ (iint->flags & IMA_NEW_FILE)) { ++ iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE); ++ if (iint->flags & IMA_APPRAISE) ++ ima_update_xattr(iint, file); ++ } + } + mutex_unlock(&inode->i_mutex); + } +--- a/security/integrity/integrity.h ++++ b/security/integrity/integrity.h +@@ -31,6 +31,7 @@ + #define IMA_DIGSIG 0x01000000 + #define IMA_DIGSIG_REQUIRED 0x02000000 + #define IMA_PERMIT_DIRECTIO 0x04000000 ++#define IMA_NEW_FILE 0x08000000 + + #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ + IMA_APPRAISE_SUBMASK) diff --git a/queue-3.16/iwlwifi-add-missing-pci-ids-for-the-7260-series.patch b/queue-3.16/iwlwifi-add-missing-pci-ids-for-the-7260-series.patch new file mode 100644 index 00000000000..c7ab843486c --- /dev/null +++ b/queue-3.16/iwlwifi-add-missing-pci-ids-for-the-7260-series.patch @@ -0,0 +1,39 @@ +From 4f08970f5284dce486f0e2290834aefb2a262189 Mon Sep 17 00:00:00 2001 +From: Oren Givon +Date: Wed, 17 Sep 2014 10:31:56 +0300 +Subject: iwlwifi: Add missing PCI IDs for the 7260 series + +From: Oren Givon + +commit 4f08970f5284dce486f0e2290834aefb2a262189 upstream. + +Add 4 missing PCI IDs for the 7260 series. + +Signed-off-by: Oren Givon +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/pcie/drv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/wireless/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/iwlwifi/pcie/drv.c +@@ -273,6 +273,8 @@ static DEFINE_PCI_DEVICE_TABLE(iwl_hw_ca + {IWL_PCI_DEVICE(0x08B1, 0x4070, iwl7260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x08B1, 0x4072, iwl7260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x08B1, 0x4170, iwl7260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x08B1, 0x4C60, iwl7260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x08B1, 0x4C70, iwl7260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x08B1, 0x4060, iwl7260_2n_cfg)}, + {IWL_PCI_DEVICE(0x08B1, 0x406A, iwl7260_2n_cfg)}, + {IWL_PCI_DEVICE(0x08B1, 0x4160, iwl7260_2n_cfg)}, +@@ -316,6 +318,8 @@ static DEFINE_PCI_DEVICE_TABLE(iwl_hw_ca + {IWL_PCI_DEVICE(0x08B1, 0xC770, iwl7260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x08B1, 0xC760, iwl7260_2n_cfg)}, + {IWL_PCI_DEVICE(0x08B2, 0xC270, iwl7260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x08B1, 0xCC70, iwl7260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x08B1, 0xCC60, iwl7260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x08B2, 0xC272, iwl7260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x08B2, 0xC260, iwl7260_2n_cfg)}, + {IWL_PCI_DEVICE(0x08B2, 0xC26A, iwl7260_n_cfg)}, diff --git a/queue-3.16/iwlwifi-mvm-disable-bt-co-running-by-default.patch b/queue-3.16/iwlwifi-mvm-disable-bt-co-running-by-default.patch new file mode 100644 index 00000000000..9e70a1fdbda --- /dev/null +++ b/queue-3.16/iwlwifi-mvm-disable-bt-co-running-by-default.patch @@ -0,0 +1,29 @@ +From 9b60bb6d86496af1adc753795de2c12c4499868a Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Sun, 21 Sep 2014 12:45:34 +0300 +Subject: iwlwifi: mvm: disable BT Co-running by default + +From: Emmanuel Grumbach + +commit 9b60bb6d86496af1adc753795de2c12c4499868a upstream. + +The tables still contain dummy values. + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/mvm/constants.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/iwlwifi/mvm/constants.h ++++ b/drivers/net/wireless/iwlwifi/mvm/constants.h +@@ -80,7 +80,7 @@ + #define IWL_MVM_WOWLAN_PS_SNOOZE_WINDOW 25 + #define IWL_MVM_LOWLAT_QUOTA_MIN_PERCENT 64 + #define IWL_MVM_BT_COEX_SYNC2SCO 1 +-#define IWL_MVM_BT_COEX_CORUNNING 1 ++#define IWL_MVM_BT_COEX_CORUNNING 0 + #define IWL_MVM_BT_COEX_MPLUT 1 + + #endif /* __MVM_CONSTANTS_H */ diff --git a/queue-3.16/kernel-add-support-for-gcc-5.patch b/queue-3.16/kernel-add-support-for-gcc-5.patch new file mode 100644 index 00000000000..8e39ebce1fc --- /dev/null +++ b/queue-3.16/kernel-add-support-for-gcc-5.patch @@ -0,0 +1,95 @@ +From 71458cfc782eafe4b27656e078d379a34e472adf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Oct 2014 15:51:05 -0700 +Subject: kernel: add support for gcc 5 + +From: Sasha Levin + +commit 71458cfc782eafe4b27656e078d379a34e472adf upstream. + +We're missing include/linux/compiler-gcc5.h which is required now +because gcc branched off to v5 in trunk. + +Just copy the relevant bits out of include/linux/compiler-gcc4.h, +no new code is added as of now. + +This fixes a build error when using gcc 5. + +Signed-off-by: Sasha Levin +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/compiler-gcc5.h | 66 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 66 insertions(+) + +--- /dev/null ++++ b/include/linux/compiler-gcc5.h +@@ -0,0 +1,66 @@ ++#ifndef __LINUX_COMPILER_H ++#error "Please don't include directly, include instead." ++#endif ++ ++#define __used __attribute__((__used__)) ++#define __must_check __attribute__((warn_unused_result)) ++#define __compiler_offsetof(a, b) __builtin_offsetof(a, b) ++ ++/* Mark functions as cold. gcc will assume any path leading to a call ++ to them will be unlikely. This means a lot of manual unlikely()s ++ are unnecessary now for any paths leading to the usual suspects ++ like BUG(), printk(), panic() etc. [but let's keep them for now for ++ older compilers] ++ ++ Early snapshots of gcc 4.3 don't support this and we can't detect this ++ in the preprocessor, but we can live with this because they're unreleased. ++ Maketime probing would be overkill here. ++ ++ gcc also has a __attribute__((__hot__)) to move hot functions into ++ a special section, but I don't see any sense in this right now in ++ the kernel context */ ++#define __cold __attribute__((__cold__)) ++ ++#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) ++ ++#ifndef __CHECKER__ ++# define __compiletime_warning(message) __attribute__((warning(message))) ++# define __compiletime_error(message) __attribute__((error(message))) ++#endif /* __CHECKER__ */ ++ ++/* ++ * Mark a position in code as unreachable. This can be used to ++ * suppress control flow warnings after asm blocks that transfer ++ * control elsewhere. ++ * ++ * Early snapshots of gcc 4.5 don't support this and we can't detect ++ * this in the preprocessor, but we can live with this because they're ++ * unreleased. Really, we need to have autoconf for the kernel. ++ */ ++#define unreachable() __builtin_unreachable() ++ ++/* Mark a function definition as prohibited from being cloned. */ ++#define __noclone __attribute__((__noclone__)) ++ ++/* ++ * Tell the optimizer that something else uses this function or variable. ++ */ ++#define __visible __attribute__((externally_visible)) ++ ++/* ++ * GCC 'asm goto' miscompiles certain code sequences: ++ * ++ * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 ++ * ++ * Work it around via a compiler barrier quirk suggested by Jakub Jelinek. ++ * Fixed in GCC 4.8.2 and later versions. ++ * ++ * (asm goto is automatically volatile - the naming reflects this.) ++ */ ++#define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0) ++ ++#ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP ++#define __HAVE_BUILTIN_BSWAP32__ ++#define __HAVE_BUILTIN_BSWAP64__ ++#define __HAVE_BUILTIN_BSWAP16__ ++#endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP */ diff --git a/queue-3.16/mm-balloon_compaction-redesign-ballooned-pages-management.patch b/queue-3.16/mm-balloon_compaction-redesign-ballooned-pages-management.patch new file mode 100644 index 00000000000..77e6f5fb1c3 --- /dev/null +++ b/queue-3.16/mm-balloon_compaction-redesign-ballooned-pages-management.patch @@ -0,0 +1,439 @@ +From d6d86c0a7f8ddc5b38cf089222cb1d9540762dc2 Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Thu, 9 Oct 2014 15:29:27 -0700 +Subject: mm/balloon_compaction: redesign ballooned pages management + +From: Konstantin Khlebnikov + +commit d6d86c0a7f8ddc5b38cf089222cb1d9540762dc2 upstream. + +Sasha Levin reported KASAN splash inside isolate_migratepages_range(). +Problem is in the function __is_movable_balloon_page() which tests +AS_BALLOON_MAP in page->mapping->flags. This function has no protection +against anonymous pages. As result it tried to check address space flags +inside struct anon_vma. + +Further investigation shows more problems in current implementation: + +* Special branch in __unmap_and_move() never works: + balloon_page_movable() checks page flags and page_count. In + __unmap_and_move() page is locked, reference counter is elevated, thus + balloon_page_movable() always fails. As a result execution goes to the + normal migration path. virtballoon_migratepage() returns + MIGRATEPAGE_BALLOON_SUCCESS instead of MIGRATEPAGE_SUCCESS, + move_to_new_page() thinks this is an error code and assigns + newpage->mapping to NULL. Newly migrated page lose connectivity with + balloon an all ability for further migration. + +* lru_lock erroneously required in isolate_migratepages_range() for + isolation ballooned page. This function releases lru_lock periodically, + this makes migration mostly impossible for some pages. + +* balloon_page_dequeue have a tight race with balloon_page_isolate: + balloon_page_isolate could be executed in parallel with dequeue between + picking page from list and locking page_lock. Race is rare because they + use trylock_page() for locking. + +This patch fixes all of them. + +Instead of fake mapping with special flag this patch uses special state of +page->_mapcount: PAGE_BALLOON_MAPCOUNT_VALUE = -256. Buddy allocator uses +PAGE_BUDDY_MAPCOUNT_VALUE = -128 for similar purpose. Storing mark +directly in struct page makes everything safer and easier. + +PagePrivate is used to mark pages present in page list (i.e. not +isolated, like PageLRU for normal pages). It replaces special rules for +reference counter and makes balloon migration similar to migration of +normal pages. This flag is protected by page_lock together with link to +the balloon device. + +Signed-off-by: Konstantin Khlebnikov +Reported-by: Sasha Levin +Link: http://lkml.kernel.org/p/53E6CEAA.9020105@oracle.com +Cc: Rafael Aquini +Cc: Andrey Ryabinin +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/virtio/virtio_balloon.c | 15 ++--- + include/linux/balloon_compaction.h | 97 +++++++++---------------------------- + include/linux/migrate.h | 11 ---- + include/linux/mm.h | 19 +++++++ + mm/balloon_compaction.c | 26 ++++----- + mm/compaction.c | 2 + mm/migrate.c | 16 +----- + 7 files changed, 68 insertions(+), 118 deletions(-) + +--- a/drivers/virtio/virtio_balloon.c ++++ b/drivers/virtio/virtio_balloon.c +@@ -163,8 +163,8 @@ static void release_pages_by_pfn(const u + /* Find pfns pointing at start of each page, get pages and free them. */ + for (i = 0; i < num; i += VIRTIO_BALLOON_PAGES_PER_PAGE) { + struct page *page = balloon_pfn_to_page(pfns[i]); +- balloon_page_free(page); + adjust_managed_page_count(page, 1); ++ put_page(page); /* balloon reference */ + } + } + +@@ -395,6 +395,8 @@ static int virtballoon_migratepage(struc + if (!mutex_trylock(&vb->balloon_lock)) + return -EAGAIN; + ++ get_page(newpage); /* balloon reference */ ++ + /* balloon's page migration 1st step -- inflate "newpage" */ + spin_lock_irqsave(&vb_dev_info->pages_lock, flags); + balloon_page_insert(newpage, mapping, &vb_dev_info->pages); +@@ -404,12 +406,7 @@ static int virtballoon_migratepage(struc + set_page_pfns(vb->pfns, newpage); + tell_host(vb, vb->inflate_vq); + +- /* +- * balloon's page migration 2nd step -- deflate "page" +- * +- * It's safe to delete page->lru here because this page is at +- * an isolated migration list, and this step is expected to happen here +- */ ++ /* balloon's page migration 2nd step -- deflate "page" */ + balloon_page_delete(page); + vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE; + set_page_pfns(vb->pfns, page); +@@ -417,7 +414,9 @@ static int virtballoon_migratepage(struc + + mutex_unlock(&vb->balloon_lock); + +- return MIGRATEPAGE_BALLOON_SUCCESS; ++ put_page(page); /* balloon reference */ ++ ++ return MIGRATEPAGE_SUCCESS; + } + + /* define the balloon_mapping->a_ops callback to allow balloon page migration */ +--- a/include/linux/balloon_compaction.h ++++ b/include/linux/balloon_compaction.h +@@ -27,10 +27,13 @@ + * counter raised only while it is under our special handling; + * + * iii. after the lockless scan step have selected a potential balloon page for +- * isolation, re-test the page->mapping flags and the page ref counter ++ * isolation, re-test the PageBalloon mark and the PagePrivate flag + * under the proper page lock, to ensure isolating a valid balloon page + * (not yet isolated, nor under release procedure) + * ++ * iv. isolation or dequeueing procedure must clear PagePrivate flag under ++ * page lock together with removing page from balloon device page list. ++ * + * The functions provided by this interface are placed to help on coping with + * the aforementioned balloon page corner case, as well as to ensure the simple + * set of exposed rules are satisfied while we are dealing with balloon pages +@@ -71,28 +74,6 @@ static inline void balloon_devinfo_free( + kfree(b_dev_info); + } + +-/* +- * balloon_page_free - release a balloon page back to the page free lists +- * @page: ballooned page to be set free +- * +- * This function must be used to properly set free an isolated/dequeued balloon +- * page at the end of a sucessful page migration, or at the balloon driver's +- * page release procedure. +- */ +-static inline void balloon_page_free(struct page *page) +-{ +- /* +- * Balloon pages always get an extra refcount before being isolated +- * and before being dequeued to help on sorting out fortuite colisions +- * between a thread attempting to isolate and another thread attempting +- * to release the very same balloon page. +- * +- * Before we handle the page back to Buddy, lets drop its extra refcnt. +- */ +- put_page(page); +- __free_page(page); +-} +- + #ifdef CONFIG_BALLOON_COMPACTION + extern bool balloon_page_isolate(struct page *page); + extern void balloon_page_putback(struct page *page); +@@ -108,74 +89,33 @@ static inline void balloon_mapping_free( + } + + /* +- * page_flags_cleared - helper to perform balloon @page ->flags tests. +- * +- * As balloon pages are obtained from buddy and we do not play with page->flags +- * at driver level (exception made when we get the page lock for compaction), +- * we can safely identify a ballooned page by checking if the +- * PAGE_FLAGS_CHECK_AT_PREP page->flags are all cleared. This approach also +- * helps us skip ballooned pages that are locked for compaction or release, thus +- * mitigating their racy check at balloon_page_movable() +- */ +-static inline bool page_flags_cleared(struct page *page) +-{ +- return !(page->flags & PAGE_FLAGS_CHECK_AT_PREP); +-} +- +-/* +- * __is_movable_balloon_page - helper to perform @page mapping->flags tests ++ * __is_movable_balloon_page - helper to perform @page PageBalloon tests + */ + static inline bool __is_movable_balloon_page(struct page *page) + { +- struct address_space *mapping = page->mapping; +- return mapping_balloon(mapping); ++ return PageBalloon(page); + } + + /* +- * balloon_page_movable - test page->mapping->flags to identify balloon pages +- * that can be moved by compaction/migration. +- * +- * This function is used at core compaction's page isolation scheme, therefore +- * most pages exposed to it are not enlisted as balloon pages and so, to avoid +- * undesired side effects like racing against __free_pages(), we cannot afford +- * holding the page locked while testing page->mapping->flags here. ++ * balloon_page_movable - test PageBalloon to identify balloon pages ++ * and PagePrivate to check that the page is not ++ * isolated and can be moved by compaction/migration. + * + * As we might return false positives in the case of a balloon page being just +- * released under us, the page->mapping->flags need to be re-tested later, +- * under the proper page lock, at the functions that will be coping with the +- * balloon page case. ++ * released under us, this need to be re-tested later, under the page lock. + */ + static inline bool balloon_page_movable(struct page *page) + { +- /* +- * Before dereferencing and testing mapping->flags, let's make sure +- * this is not a page that uses ->mapping in a different way +- */ +- if (page_flags_cleared(page) && !page_mapped(page) && +- page_count(page) == 1) +- return __is_movable_balloon_page(page); +- +- return false; ++ return PageBalloon(page) && PagePrivate(page); + } + + /* + * isolated_balloon_page - identify an isolated balloon page on private + * compaction/migration page lists. +- * +- * After a compaction thread isolates a balloon page for migration, it raises +- * the page refcount to prevent concurrent compaction threads from re-isolating +- * the same page. For that reason putback_movable_pages(), or other routines +- * that need to identify isolated balloon pages on private pagelists, cannot +- * rely on balloon_page_movable() to accomplish the task. + */ + static inline bool isolated_balloon_page(struct page *page) + { +- /* Already isolated balloon pages, by default, have a raised refcount */ +- if (page_flags_cleared(page) && !page_mapped(page) && +- page_count(page) >= 2) +- return __is_movable_balloon_page(page); +- +- return false; ++ return PageBalloon(page); + } + + /* +@@ -192,6 +132,8 @@ static inline void balloon_page_insert(s + struct address_space *mapping, + struct list_head *head) + { ++ __SetPageBalloon(page); ++ SetPagePrivate(page); + page->mapping = mapping; + list_add(&page->lru, head); + } +@@ -206,8 +148,12 @@ static inline void balloon_page_insert(s + */ + static inline void balloon_page_delete(struct page *page) + { ++ __ClearPageBalloon(page); + page->mapping = NULL; +- list_del(&page->lru); ++ if (PagePrivate(page)) { ++ ClearPagePrivate(page); ++ list_del(&page->lru); ++ } + } + + /* +@@ -258,6 +204,11 @@ static inline void balloon_page_delete(s + list_del(&page->lru); + } + ++static inline bool __is_movable_balloon_page(struct page *page) ++{ ++ return false; ++} ++ + static inline bool balloon_page_movable(struct page *page) + { + return false; +--- a/include/linux/migrate.h ++++ b/include/linux/migrate.h +@@ -13,18 +13,9 @@ typedef void free_page_t(struct page *pa + * Return values from addresss_space_operations.migratepage(): + * - negative errno on page migration failure; + * - zero on page migration success; +- * +- * The balloon page migration introduces this special case where a 'distinct' +- * return code is used to flag a successful page migration to unmap_and_move(). +- * This approach is necessary because page migration can race against balloon +- * deflation procedure, and for such case we could introduce a nasty page leak +- * if a successfully migrated balloon page gets released concurrently with +- * migration's unmap_and_move() wrap-up steps. + */ + #define MIGRATEPAGE_SUCCESS 0 +-#define MIGRATEPAGE_BALLOON_SUCCESS 1 /* special ret code for balloon page +- * sucessful migration case. +- */ ++ + enum migrate_reason { + MR_COMPACTION, + MR_MEMORY_FAILURE, +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -553,6 +553,25 @@ static inline void __ClearPageBuddy(stru + atomic_set(&page->_mapcount, -1); + } + ++#define PAGE_BALLOON_MAPCOUNT_VALUE (-256) ++ ++static inline int PageBalloon(struct page *page) ++{ ++ return atomic_read(&page->_mapcount) == PAGE_BALLOON_MAPCOUNT_VALUE; ++} ++ ++static inline void __SetPageBalloon(struct page *page) ++{ ++ VM_BUG_ON_PAGE(atomic_read(&page->_mapcount) != -1, page); ++ atomic_set(&page->_mapcount, PAGE_BALLOON_MAPCOUNT_VALUE); ++} ++ ++static inline void __ClearPageBalloon(struct page *page) ++{ ++ VM_BUG_ON_PAGE(!PageBalloon(page), page); ++ atomic_set(&page->_mapcount, -1); ++} ++ + void put_page(struct page *page); + void put_pages_list(struct list_head *pages); + +--- a/mm/balloon_compaction.c ++++ b/mm/balloon_compaction.c +@@ -93,17 +93,12 @@ struct page *balloon_page_dequeue(struct + * to be released by the balloon driver. + */ + if (trylock_page(page)) { ++ if (!PagePrivate(page)) { ++ /* raced with isolation */ ++ unlock_page(page); ++ continue; ++ } + spin_lock_irqsave(&b_dev_info->pages_lock, flags); +- /* +- * Raise the page refcount here to prevent any wrong +- * attempt to isolate this page, in case of coliding +- * with balloon_page_isolate() just after we release +- * the page lock. +- * +- * balloon_page_free() will take care of dropping +- * this extra refcount later. +- */ +- get_page(page); + balloon_page_delete(page); + spin_unlock_irqrestore(&b_dev_info->pages_lock, flags); + unlock_page(page); +@@ -187,7 +182,9 @@ static inline void __isolate_balloon_pag + { + struct balloon_dev_info *b_dev_info = page->mapping->private_data; + unsigned long flags; ++ + spin_lock_irqsave(&b_dev_info->pages_lock, flags); ++ ClearPagePrivate(page); + list_del(&page->lru); + b_dev_info->isolated_pages++; + spin_unlock_irqrestore(&b_dev_info->pages_lock, flags); +@@ -197,7 +194,9 @@ static inline void __putback_balloon_pag + { + struct balloon_dev_info *b_dev_info = page->mapping->private_data; + unsigned long flags; ++ + spin_lock_irqsave(&b_dev_info->pages_lock, flags); ++ SetPagePrivate(page); + list_add(&page->lru, &b_dev_info->pages); + b_dev_info->isolated_pages--; + spin_unlock_irqrestore(&b_dev_info->pages_lock, flags); +@@ -235,12 +234,11 @@ bool balloon_page_isolate(struct page *p + */ + if (likely(trylock_page(page))) { + /* +- * A ballooned page, by default, has just one refcount. ++ * A ballooned page, by default, has PagePrivate set. + * Prevent concurrent compaction threads from isolating +- * an already isolated balloon page by refcount check. ++ * an already isolated balloon page by clearing it. + */ +- if (__is_movable_balloon_page(page) && +- page_count(page) == 2) { ++ if (balloon_page_movable(page)) { + __isolate_balloon_page(page); + unlock_page(page); + return true; +--- a/mm/compaction.c ++++ b/mm/compaction.c +@@ -597,7 +597,7 @@ isolate_migratepages_range(struct zone * + */ + if (!PageLRU(page)) { + if (unlikely(balloon_page_movable(page))) { +- if (locked && balloon_page_isolate(page)) { ++ if (balloon_page_isolate(page)) { + /* Successfully isolated */ + goto isolate_success; + } +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -879,7 +879,7 @@ static int __unmap_and_move(struct page + } + } + +- if (unlikely(balloon_page_movable(page))) { ++ if (unlikely(isolated_balloon_page(page))) { + /* + * A ballooned page does not need any special attention from + * physical to virtual reverse mapping procedures. +@@ -961,17 +961,6 @@ static int unmap_and_move(new_page_t get + + rc = __unmap_and_move(page, newpage, force, mode); + +- if (unlikely(rc == MIGRATEPAGE_BALLOON_SUCCESS)) { +- /* +- * A ballooned page has been migrated already. +- * Now, it's the time to wrap-up counters, +- * handle the page back to Buddy and return. +- */ +- dec_zone_page_state(page, NR_ISOLATED_ANON + +- page_is_file_cache(page)); +- balloon_page_free(page); +- return MIGRATEPAGE_SUCCESS; +- } + out: + if (rc != -EAGAIN) { + /* +@@ -994,6 +983,9 @@ out: + if (rc != MIGRATEPAGE_SUCCESS && put_new_page) { + ClearPageSwapBacked(newpage); + put_new_page(newpage, private); ++ } else if (unlikely(__is_movable_balloon_page(newpage))) { ++ /* drop our reference, page already in the balloon */ ++ put_page(newpage); + } else + putback_lru_page(newpage); + diff --git a/queue-3.16/mm-clear-__gfp_fs-when-pf_memalloc_noio-is-set.patch b/queue-3.16/mm-clear-__gfp_fs-when-pf_memalloc_noio-is-set.patch new file mode 100644 index 00000000000..5d5f547cf97 --- /dev/null +++ b/queue-3.16/mm-clear-__gfp_fs-when-pf_memalloc_noio-is-set.patch @@ -0,0 +1,65 @@ +From 934f3072c17cc8886f4c043b47eeeb1b12f8de33 Mon Sep 17 00:00:00 2001 +From: Junxiao Bi +Date: Thu, 9 Oct 2014 15:28:23 -0700 +Subject: mm: clear __GFP_FS when PF_MEMALLOC_NOIO is set + +From: Junxiao Bi + +commit 934f3072c17cc8886f4c043b47eeeb1b12f8de33 upstream. + +commit 21caf2fc1931 ("mm: teach mm by current context info to not do I/O +during memory allocation") introduces PF_MEMALLOC_NOIO flag to avoid doing +I/O inside memory allocation, __GFP_IO is cleared when this flag is set, +but __GFP_FS implies __GFP_IO, it should also be cleared. Or it may still +run into I/O, like in superblock shrinker. And this will make the kernel +run into the deadlock case described in that commit. + +See Dave Chinner's comment about io in superblock shrinker: + +Filesystem shrinkers do indeed perform IO from the superblock shrinker and +have for years. Even clean inodes can require IO before they can be freed +- e.g. on an orphan list, need truncation of post-eof blocks, need to +wait for ordered operations to complete before it can be freed, etc. + +IOWs, Ext4, btrfs and XFS all can issue and/or block on arbitrary amounts +of IO in the superblock shrinker context. XFS, in particular, has been +doing transactions and IO from the VFS inode cache shrinker since it was +first introduced.... + +Fix this by clearing __GFP_FS in memalloc_noio_flags(), this function has +masked all the gfp_mask that will be passed into fs for the processes +setting PF_MEMALLOC_NOIO in the direct reclaim path. + +v1 thread at: https://lkml.org/lkml/2014/9/3/32 + +Signed-off-by: Junxiao Bi +Cc: Dave Chinner +Cc: joyce.xue +Cc: Ming Lei +Cc: Trond Myklebust +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/sched.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -1947,11 +1947,13 @@ extern void thread_group_cputime_adjuste + #define tsk_used_math(p) ((p)->flags & PF_USED_MATH) + #define used_math() tsk_used_math(current) + +-/* __GFP_IO isn't allowed if PF_MEMALLOC_NOIO is set in current->flags */ ++/* __GFP_IO isn't allowed if PF_MEMALLOC_NOIO is set in current->flags ++ * __GFP_FS is also cleared as it implies __GFP_IO. ++ */ + static inline gfp_t memalloc_noio_flags(gfp_t flags) + { + if (unlikely(current->flags & PF_MEMALLOC_NOIO)) +- flags &= ~__GFP_IO; ++ flags &= ~(__GFP_IO | __GFP_FS); + return flags; + } + diff --git a/queue-3.16/pci-add-missing-mem_64-mask-in-pci_assign_unassigned_bridge_resources.patch b/queue-3.16/pci-add-missing-mem_64-mask-in-pci_assign_unassigned_bridge_resources.patch new file mode 100644 index 00000000000..9eb8d2402ee --- /dev/null +++ b/queue-3.16/pci-add-missing-mem_64-mask-in-pci_assign_unassigned_bridge_resources.patch @@ -0,0 +1,37 @@ +From d61b0e87d2dfba3706dbbd6c7c6fd41c3d845685 Mon Sep 17 00:00:00 2001 +From: Yinghai Lu +Date: Fri, 22 Aug 2014 18:15:07 -0700 +Subject: PCI: Add missing MEM_64 mask in pci_assign_unassigned_bridge_resources() + +From: Yinghai Lu + +commit d61b0e87d2dfba3706dbbd6c7c6fd41c3d845685 upstream. + +In 5b28541552ef ("PCI: Restrict 64-bit prefetchable bridge windows to +64-bit resources"), we added IORESOURCE_MEM_64 to the mask in +pci_assign_unassigned_root_bus_resources(), but not to the mask in +pci_assign_unassigned_bridge_resources(). + +Add IORESOURCE_MEM_64 to the pci_assign_unassigned_bridge_resources() type +mask. + +Fixes: 5b28541552ef ("PCI: Restrict 64-bit prefetchable bridge windows to 64-bit resources") +Signed-off-by: Yinghai Lu +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/setup-bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/setup-bus.c ++++ b/drivers/pci/setup-bus.c +@@ -1652,7 +1652,7 @@ void pci_assign_unassigned_bridge_resour + struct pci_dev_resource *fail_res; + int retval; + unsigned long type_mask = IORESOURCE_IO | IORESOURCE_MEM | +- IORESOURCE_PREFETCH; ++ IORESOURCE_PREFETCH | IORESOURCE_MEM_64; + + again: + __pci_bus_size_bridges(parent, &add_list); diff --git a/queue-3.16/pci-generate-uppercase-hex-for-modalias-interface-class.patch b/queue-3.16/pci-generate-uppercase-hex-for-modalias-interface-class.patch new file mode 100644 index 00000000000..3e02192dee4 --- /dev/null +++ b/queue-3.16/pci-generate-uppercase-hex-for-modalias-interface-class.patch @@ -0,0 +1,42 @@ +From 89ec3dcf17fd3fa009ecf8faaba36828dd6bc416 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda Delgado +Date: Wed, 27 Aug 2014 14:57:57 +0200 +Subject: PCI: Generate uppercase hex for modalias interface class + +From: Ricardo Ribalda Delgado + +commit 89ec3dcf17fd3fa009ecf8faaba36828dd6bc416 upstream. + +Some implementations of modprobe fail to load the driver for a PCI device +automatically because the "interface" part of the modalias from the kernel +is lowercase, and the modalias from file2alias is uppercase. + +The "interface" is the low-order byte of the Class Code, defined in PCI +r3.0, Appendix D. Most interface types defined in the spec do not use +alpha characters, so they won't be affected. For example, 00h, 01h, 10h, +20h, etc. are unaffected. + +Print the "interface" byte of the Class Code in uppercase hex, as we +already do for the Vendor ID, Device ID, Class, etc. + +[bhelgaas: changelog] +Signed-off-by: Ricardo Ribalda Delgado +Signed-off-by: Bjorn Helgaas +Acked-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pci-sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -177,7 +177,7 @@ static ssize_t modalias_show(struct devi + { + struct pci_dev *pci_dev = to_pci_dev(dev); + +- return sprintf(buf, "pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02x\n", ++ return sprintf(buf, "pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02X\n", + pci_dev->vendor, pci_dev->device, + pci_dev->subsystem_vendor, pci_dev->subsystem_device, + (u8)(pci_dev->class >> 16), (u8)(pci_dev->class >> 8), diff --git a/queue-3.16/pci-increase-ibm-ipr-sas-crocodile-bars-to-at-least-system-page-size.patch b/queue-3.16/pci-increase-ibm-ipr-sas-crocodile-bars-to-at-least-system-page-size.patch new file mode 100644 index 00000000000..b1cf3173c33 --- /dev/null +++ b/queue-3.16/pci-increase-ibm-ipr-sas-crocodile-bars-to-at-least-system-page-size.patch @@ -0,0 +1,65 @@ +From 9fe373f9997b48fcd6222b95baf4a20c134b587a Mon Sep 17 00:00:00 2001 +From: Douglas Lehr +Date: Thu, 21 Aug 2014 09:26:52 +1000 +Subject: PCI: Increase IBM ipr SAS Crocodile BARs to at least system page size + +From: Douglas Lehr + +commit 9fe373f9997b48fcd6222b95baf4a20c134b587a upstream. + +The Crocodile chip occasionally comes up with 4k and 8k BAR sizes. Due to +an erratum, setting the SR-IOV page size causes the physical function BARs +to expand to the system page size. Since ppc64 uses 64k pages, when Linux +tries to assign the smaller resource sizes to the now 64k BARs the address +will be truncated and the BARs will overlap. + +Force Linux to allocate the resource as a full page, which avoids the +overlap. + +[bhelgaas: print expanded resource, too] +Signed-off-by: Douglas Lehr +Signed-off-by: Anton Blanchard +Signed-off-by: Bjorn Helgaas +Acked-by: Milton Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + #include /* isa_dma_bridge_buggy */ + #include "pci.h" + +@@ -287,6 +288,25 @@ static void quirk_citrine(struct pci_dev + } + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_IBM, PCI_DEVICE_ID_IBM_CITRINE, quirk_citrine); + ++/* On IBM Crocodile ipr SAS adapters, expand BAR to system page size */ ++static void quirk_extend_bar_to_page(struct pci_dev *dev) ++{ ++ int i; ++ ++ for (i = 0; i < PCI_STD_RESOURCE_END; i++) { ++ struct resource *r = &dev->resource[i]; ++ ++ if (r->flags & IORESOURCE_MEM && resource_size(r) < PAGE_SIZE) { ++ r->end = PAGE_SIZE - 1; ++ r->start = 0; ++ r->flags |= IORESOURCE_UNSET; ++ dev_info(&dev->dev, "expanded BAR %d to page size: %pR\n", ++ i, r); ++ } ++ } ++} ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_IBM, 0x034a, quirk_extend_bar_to_page); ++ + /* + * S3 868 and 968 chips report region size equal to 32M, but they decode 64M. + * If it's needed, re-allocate the region. diff --git a/queue-3.16/pci-mvebu-fix-uninitialized-variable-in-mvebu_get_tgt_attr.patch b/queue-3.16/pci-mvebu-fix-uninitialized-variable-in-mvebu_get_tgt_attr.patch new file mode 100644 index 00000000000..405aaea652f --- /dev/null +++ b/queue-3.16/pci-mvebu-fix-uninitialized-variable-in-mvebu_get_tgt_attr.patch @@ -0,0 +1,60 @@ +From 56fab6e189441d714a2bfc8a64f3df9c0749dff7 Mon Sep 17 00:00:00 2001 +From: Thomas Petazzoni +Date: Wed, 17 Sep 2014 17:58:27 +0200 +Subject: PCI: mvebu: Fix uninitialized variable in mvebu_get_tgt_attr() + +From: Thomas Petazzoni + +commit 56fab6e189441d714a2bfc8a64f3df9c0749dff7 upstream. + +Geert Uytterhoeven reported a warning when building pci-mvebu: + + drivers/pci/host/pci-mvebu.c: In function 'mvebu_get_tgt_attr': + drivers/pci/host/pci-mvebu.c:887:39: warning: 'rtype' may be used uninitialized in this function [-Wmaybe-uninitialized] + if (slot == PCI_SLOT(devfn) && type == rtype) { + ^ + +And indeed, the code of mvebu_get_tgt_attr() may lead to the usage of rtype +when being uninitialized, even though it would only happen if we had +entries other than I/O space and 32 bits memory space. + +This commit fixes that by simply skipping the current DT range being +considered, if it doesn't match the resource type we're looking for. + +Reported-by: Geert Uytterhoeven +Signed-off-by: Thomas Petazzoni +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/host/pci-mvebu.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/pci/host/pci-mvebu.c ++++ b/drivers/pci/host/pci-mvebu.c +@@ -873,7 +873,7 @@ static int mvebu_get_tgt_attr(struct dev + rangesz = pna + na + ns; + nranges = rlen / sizeof(__be32) / rangesz; + +- for (i = 0; i < nranges; i++) { ++ for (i = 0; i < nranges; i++, range += rangesz) { + u32 flags = of_read_number(range, 1); + u32 slot = of_read_number(range + 1, 1); + u64 cpuaddr = of_read_number(range + na, pna); +@@ -883,14 +883,14 @@ static int mvebu_get_tgt_attr(struct dev + rtype = IORESOURCE_IO; + else if (DT_FLAGS_TO_TYPE(flags) == DT_TYPE_MEM32) + rtype = IORESOURCE_MEM; ++ else ++ continue; + + if (slot == PCI_SLOT(devfn) && type == rtype) { + *tgt = DT_CPUADDR_TO_TARGET(cpuaddr); + *attr = DT_CPUADDR_TO_ATTR(cpuaddr); + return 0; + } +- +- range += rangesz; + } + + return -ENOENT; diff --git a/queue-3.16/pci-pciehp-prevent-null-dereference-during-probe.patch b/queue-3.16/pci-pciehp-prevent-null-dereference-during-probe.patch new file mode 100644 index 00000000000..25dde3ecb93 --- /dev/null +++ b/queue-3.16/pci-pciehp-prevent-null-dereference-during-probe.patch @@ -0,0 +1,40 @@ +From bceee4a97eb58bd0e80e39eff11b506ddd9e7ad3 Mon Sep 17 00:00:00 2001 +From: Andreas Noever +Date: Tue, 16 Sep 2014 15:16:02 -0600 +Subject: PCI: pciehp: Prevent NULL dereference during probe + +From: Andreas Noever + +commit bceee4a97eb58bd0e80e39eff11b506ddd9e7ad3 upstream. + +pciehp assumes that dev->subordinate, the struct pci_bus for a bridge's +secondary bus, exists. But we do not create that bus if we run out of bus +numbers during enumeration. This leads to a NULL dereference in +init_slot() (and other places). + +Change pciehp_probe() to return -ENODEV when no secondary bus is present. + +Signed-off-by: Andreas Noever +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/hotplug/pciehp_core.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/pci/hotplug/pciehp_core.c ++++ b/drivers/pci/hotplug/pciehp_core.c +@@ -255,6 +255,13 @@ static int pciehp_probe(struct pcie_devi + else if (pciehp_acpi_slot_detection_check(dev->port)) + goto err_out_none; + ++ if (!dev->port->subordinate) { ++ /* Can happen if we run out of bus numbers during probe */ ++ dev_err(&dev->device, ++ "Hotplug bridge without secondary bus, ignoring\n"); ++ goto err_out_none; ++ } ++ + ctrl = pcie_init(dev); + if (!ctrl) { + dev_err(&dev->device, "Controller initialization failed\n"); diff --git a/queue-3.16/powerpc-eeh-clear-frozen-device-state-in-time.patch b/queue-3.16/powerpc-eeh-clear-frozen-device-state-in-time.patch new file mode 100644 index 00000000000..9d4cf8e362c --- /dev/null +++ b/queue-3.16/powerpc-eeh-clear-frozen-device-state-in-time.patch @@ -0,0 +1,66 @@ +From 22fca17924094113fe79c1db5135290e1a84ad4b Mon Sep 17 00:00:00 2001 +From: Gavin Shan +Date: Tue, 30 Sep 2014 12:38:59 +1000 +Subject: powerpc/eeh: Clear frozen device state in time + +From: Gavin Shan + +commit 22fca17924094113fe79c1db5135290e1a84ad4b upstream. + +The problem was reported by Carol: In the scenario of passing mlx4 +adapter to guest, EEH error could be recovered successfully. When +returning the device back to host, the driver (mlx4_core.ko) +couldn't be loaded successfully because of error number -5 (-EIO) +returned from mlx4_get_ownership(), which hits offlined PCI device. +The root cause is that we missed to put the affected devices into +normal state on clearing PE isolated state right after PE reset. + +The patch fixes above issue by putting the affected devices to +normal state when clearing PE isolated state in eeh_pe_state_clear(). + +Reported-by: Carol L. Soto +Signed-off-by: Gavin Shan +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/eeh_pe.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/kernel/eeh_pe.c ++++ b/arch/powerpc/kernel/eeh_pe.c +@@ -570,6 +570,8 @@ static void *__eeh_pe_state_clear(void * + { + struct eeh_pe *pe = (struct eeh_pe *)data; + int state = *((int *)flag); ++ struct eeh_dev *edev, *tmp; ++ struct pci_dev *pdev; + + /* Keep the state of permanently removed PE intact */ + if ((pe->freeze_count > EEH_MAX_ALLOWED_FREEZES) && +@@ -578,9 +580,22 @@ static void *__eeh_pe_state_clear(void * + + pe->state &= ~state; + +- /* Clear check count since last isolation */ +- if (state & EEH_PE_ISOLATED) +- pe->check_count = 0; ++ /* ++ * Special treatment on clearing isolated state. Clear ++ * check count since last isolation and put all affected ++ * devices to normal state. ++ */ ++ if (!(state & EEH_PE_ISOLATED)) ++ return NULL; ++ ++ pe->check_count = 0; ++ eeh_pe_for_each_dev(pe, edev, tmp) { ++ pdev = eeh_dev_to_pci_dev(edev); ++ if (!pdev) ++ continue; ++ ++ pdev->error_state = pci_channel_io_normal; ++ } + + return NULL; + } diff --git a/queue-3.16/powerpc-iommu-ddw-fix-endianness.patch b/queue-3.16/powerpc-iommu-ddw-fix-endianness.patch new file mode 100644 index 00000000000..548f3d19ade --- /dev/null +++ b/queue-3.16/powerpc-iommu-ddw-fix-endianness.patch @@ -0,0 +1,163 @@ +From 9410e0185e65394c0c6d046033904b53b97a9423 Mon Sep 17 00:00:00 2001 +From: Alexey Kardashevskiy +Date: Thu, 25 Sep 2014 16:39:18 +1000 +Subject: powerpc/iommu/ddw: Fix endianness + +From: Alexey Kardashevskiy + +commit 9410e0185e65394c0c6d046033904b53b97a9423 upstream. + +rtas_call() accepts and returns values in CPU endianness. +The ddw_query_response and ddw_create_response structs members are +defined and treated as BE but as they are passed to rtas_call() as +(u32 *) and they get byteswapped automatically, the data is CPU-endian. +This fixes ddw_query_response and ddw_create_response definitions and use. + +of_read_number() is designed to work with device tree cells - it assumes +the input is big-endian and returns data in CPU-endian. However due +to the ddw_create_response struct fix, create.addr_hi/lo are already +CPU-endian so do not byteswap them. + +ddw_avail is a pointer to the "ibm,ddw-applicable" property which contains +3 cells which are big-endian as it is a device tree. rtas_call() accepts +a RTAS token in CPU-endian. This makes use of of_property_read_u32_array +to byte swap and avoid the need for a number of be32_to_cpu calls. + +Cc: Benjamin Herrenschmidt +[aik: folded Anton's patch with of_property_read_u32_array] +Signed-off-by: Alexey Kardashevskiy +Acked-by: Anton Blanchard +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/pseries/iommu.c | 51 ++++++++++++++++++--------------- + 1 file changed, 28 insertions(+), 23 deletions(-) + +--- a/arch/powerpc/platforms/pseries/iommu.c ++++ b/arch/powerpc/platforms/pseries/iommu.c +@@ -329,16 +329,16 @@ struct direct_window { + + /* Dynamic DMA Window support */ + struct ddw_query_response { +- __be32 windows_available; +- __be32 largest_available_block; +- __be32 page_size; +- __be32 migration_capable; ++ u32 windows_available; ++ u32 largest_available_block; ++ u32 page_size; ++ u32 migration_capable; + }; + + struct ddw_create_response { +- __be32 liobn; +- __be32 addr_hi; +- __be32 addr_lo; ++ u32 liobn; ++ u32 addr_hi; ++ u32 addr_lo; + }; + + static LIST_HEAD(direct_window_list); +@@ -725,16 +725,18 @@ static void remove_ddw(struct device_nod + { + struct dynamic_dma_window_prop *dwp; + struct property *win64; +- const u32 *ddw_avail; ++ u32 ddw_avail[3]; + u64 liobn; +- int len, ret = 0; ++ int ret = 0; ++ ++ ret = of_property_read_u32_array(np, "ibm,ddw-applicable", ++ &ddw_avail[0], 3); + +- ddw_avail = of_get_property(np, "ibm,ddw-applicable", &len); + win64 = of_find_property(np, DIRECT64_PROPNAME, NULL); + if (!win64) + return; + +- if (!ddw_avail || len < 3 * sizeof(u32) || win64->length < sizeof(*dwp)) ++ if (ret || win64->length < sizeof(*dwp)) + goto delprop; + + dwp = win64->value; +@@ -872,8 +874,9 @@ static int create_ddw(struct pci_dev *de + + do { + /* extra outputs are LIOBN and dma-addr (hi, lo) */ +- ret = rtas_call(ddw_avail[1], 5, 4, (u32 *)create, cfg_addr, +- BUID_HI(buid), BUID_LO(buid), page_shift, window_shift); ++ ret = rtas_call(ddw_avail[1], 5, 4, (u32 *)create, ++ cfg_addr, BUID_HI(buid), BUID_LO(buid), ++ page_shift, window_shift); + } while (rtas_busy_delay(ret)); + dev_info(&dev->dev, + "ibm,create-pe-dma-window(%x) %x %x %x %x %x returned %d " +@@ -910,7 +913,7 @@ static u64 enable_ddw(struct pci_dev *de + int page_shift; + u64 dma_addr, max_addr; + struct device_node *dn; +- const u32 *uninitialized_var(ddw_avail); ++ u32 ddw_avail[3]; + struct direct_window *window; + struct property *win64; + struct dynamic_dma_window_prop *ddwprop; +@@ -942,8 +945,9 @@ static u64 enable_ddw(struct pci_dev *de + * for the given node in that order. + * the property is actually in the parent, not the PE + */ +- ddw_avail = of_get_property(pdn, "ibm,ddw-applicable", &len); +- if (!ddw_avail || len < 3 * sizeof(u32)) ++ ret = of_property_read_u32_array(pdn, "ibm,ddw-applicable", ++ &ddw_avail[0], 3); ++ if (ret) + goto out_failed; + + /* +@@ -966,11 +970,11 @@ static u64 enable_ddw(struct pci_dev *de + dev_dbg(&dev->dev, "no free dynamic windows"); + goto out_failed; + } +- if (be32_to_cpu(query.page_size) & 4) { ++ if (query.page_size & 4) { + page_shift = 24; /* 16MB */ +- } else if (be32_to_cpu(query.page_size) & 2) { ++ } else if (query.page_size & 2) { + page_shift = 16; /* 64kB */ +- } else if (be32_to_cpu(query.page_size) & 1) { ++ } else if (query.page_size & 1) { + page_shift = 12; /* 4kB */ + } else { + dev_dbg(&dev->dev, "no supported direct page size in mask %x", +@@ -980,7 +984,7 @@ static u64 enable_ddw(struct pci_dev *de + /* verify the window * number of ptes will map the partition */ + /* check largest block * page size > max memory hotplug addr */ + max_addr = memory_hotplug_max(); +- if (be32_to_cpu(query.largest_available_block) < (max_addr >> page_shift)) { ++ if (query.largest_available_block < (max_addr >> page_shift)) { + dev_dbg(&dev->dev, "can't map partiton max 0x%llx with %u " + "%llu-sized pages\n", max_addr, query.largest_available_block, + 1ULL << page_shift); +@@ -1006,8 +1010,9 @@ static u64 enable_ddw(struct pci_dev *de + if (ret != 0) + goto out_free_prop; + +- ddwprop->liobn = create.liobn; +- ddwprop->dma_base = cpu_to_be64(of_read_number(&create.addr_hi, 2)); ++ ddwprop->liobn = cpu_to_be32(create.liobn); ++ ddwprop->dma_base = cpu_to_be64(((u64)create.addr_hi << 32) | ++ create.addr_lo); + ddwprop->tce_shift = cpu_to_be32(page_shift); + ddwprop->window_shift = cpu_to_be32(len); + +@@ -1039,7 +1044,7 @@ static u64 enable_ddw(struct pci_dev *de + list_add(&window->list, &direct_window_list); + spin_unlock(&direct_window_list_lock); + +- dma_addr = of_read_number(&create.addr_hi, 2); ++ dma_addr = be64_to_cpu(ddwprop->dma_base); + goto out_unlock; + + out_free_window: diff --git a/queue-3.16/powerpc-powernv-fix-endian-bug-in-lpc-bus-debugfs-accessors.patch b/queue-3.16/powerpc-powernv-fix-endian-bug-in-lpc-bus-debugfs-accessors.patch new file mode 100644 index 00000000000..b2b3eebcdc0 --- /dev/null +++ b/queue-3.16/powerpc-powernv-fix-endian-bug-in-lpc-bus-debugfs-accessors.patch @@ -0,0 +1,43 @@ +From bf7588a0859580a45c63cb082825d77c13eca357 Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Fri, 3 Oct 2014 17:12:25 +1000 +Subject: powerpc/powernv: Fix endian bug in LPC bus debugfs accessors + +From: Benjamin Herrenschmidt + +commit bf7588a0859580a45c63cb082825d77c13eca357 upstream. + +When reading from the LPC, the OPAL FW calls return the value via pointer +to a uint32_t which is always returned big endian. Our internal inb/outb +implementation byteswaps that fine but our debugfs code is still broken. + +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/opal-lpc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/powernv/opal-lpc.c ++++ b/arch/powerpc/platforms/powernv/opal-lpc.c +@@ -191,6 +191,7 @@ static ssize_t lpc_debug_read(struct fil + { + struct lpc_debugfs_entry *lpc = filp->private_data; + u32 data, pos, len, todo; ++ __be32 bedata; + int rc; + + if (!access_ok(VERIFY_WRITE, ubuf, count)) +@@ -213,9 +214,10 @@ static ssize_t lpc_debug_read(struct fil + len = 2; + } + rc = opal_lpc_read(opal_lpc_chip_id, lpc->lpc_type, pos, +- &data, len); ++ &bedata, len); + if (rc) + return -ENXIO; ++ data = be32_to_cpu(bedata); + switch(len) { + case 4: + rc = __put_user((u32)data, (u32 __user *)ubuf); diff --git a/queue-3.16/revert-ath9k_hw-reduce-ani-firstep-range-for-older-chips.patch b/queue-3.16/revert-ath9k_hw-reduce-ani-firstep-range-for-older-chips.patch new file mode 100644 index 00000000000..f86e2b4f22b --- /dev/null +++ b/queue-3.16/revert-ath9k_hw-reduce-ani-firstep-range-for-older-chips.patch @@ -0,0 +1,37 @@ +From 171cdab8c78bb169d9693d587e1d02d2dd5a0274 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Mon, 29 Sep 2014 20:45:40 +0200 +Subject: Revert "ath9k_hw: reduce ANI firstep range for older chips" + +From: Felix Fietkau + +commit 171cdab8c78bb169d9693d587e1d02d2dd5a0274 upstream. + +This reverts commit 09efc56345be4146ab9fc87a55c837ed5d6ea1ab + +I've received reports that this change is decreasing throughput in some +rare conditions on an AR9280 based device + +Signed-off-by: Felix Fietkau +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/ar5008_phy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath9k/ar5008_phy.c ++++ b/drivers/net/wireless/ath/ath9k/ar5008_phy.c +@@ -1004,9 +1004,11 @@ static bool ar5008_hw_ani_control_new(st + case ATH9K_ANI_FIRSTEP_LEVEL:{ + u32 level = param; + +- value = level; ++ value = level * 2; + REG_RMW_FIELD(ah, AR_PHY_FIND_SIG, + AR_PHY_FIND_SIG_FIRSTEP, value); ++ REG_RMW_FIELD(ah, AR_PHY_FIND_SIG_LOW, ++ AR_PHY_FIND_SIG_FIRSTEP_LOW, value); + + if (level != aniState->firstepLevel) { + ath_dbg(common, ANI, diff --git a/queue-3.16/rt2800-correct-bbp1_tx_power_ctrl-mask.patch b/queue-3.16/rt2800-correct-bbp1_tx_power_ctrl-mask.patch new file mode 100644 index 00000000000..496841c1eca --- /dev/null +++ b/queue-3.16/rt2800-correct-bbp1_tx_power_ctrl-mask.patch @@ -0,0 +1,32 @@ +From 01f7feeaf4528bec83798316b3c811701bac5d3e Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Wed, 24 Sep 2014 11:24:54 +0200 +Subject: rt2800: correct BBP1_TX_POWER_CTRL mask + +From: Stanislaw Gruszka + +commit 01f7feeaf4528bec83798316b3c811701bac5d3e upstream. + +Two bits control TX power on BBP_R1 register. Correct the mask, +otherwise we clear additional bit on BBP_R1 register, what can have +unknown, possible negative effect. + +Signed-off-by: Stanislaw Gruszka +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rt2x00/rt2800.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/rt2x00/rt2800.h ++++ b/drivers/net/wireless/rt2x00/rt2800.h +@@ -2039,7 +2039,7 @@ struct mac_iveiv_entry { + * 2 - drop tx power by 12dBm, + * 3 - increase tx power by 6dBm + */ +-#define BBP1_TX_POWER_CTRL FIELD8(0x07) ++#define BBP1_TX_POWER_CTRL FIELD8(0x03) + #define BBP1_TX_ANTENNA FIELD8(0x18) + + /* diff --git a/queue-3.16/rtc-cmos-fix-wakeup-from-s5-without-config_pm_sleep.patch b/queue-3.16/rtc-cmos-fix-wakeup-from-s5-without-config_pm_sleep.patch new file mode 100644 index 00000000000..11fb12767d0 --- /dev/null +++ b/queue-3.16/rtc-cmos-fix-wakeup-from-s5-without-config_pm_sleep.patch @@ -0,0 +1,58 @@ +From a882b14fe84951e236cd074e93575adc8a4be32e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20Gl=C3=B6ckner?= +Date: Mon, 13 Oct 2014 15:53:16 -0700 +Subject: rtc-cmos: fix wakeup from S5 without CONFIG_PM_SLEEP +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Daniel=20Gl=C3=B6ckner?= + +commit a882b14fe84951e236cd074e93575adc8a4be32e upstream. + +Commit b5ada4600dfd ("drivers/rtc/rtc-cmos.c: fix compilation warning +when !CONFIG_PM_SLEEP") broke wakeup from S5 by making cmos_poweroff a +nop unless CONFIG_PM_SLEEP was defined. + +Fix this by restricting the #ifdef to cmos_resume and restoring the old +dependency on CONFIG_PM for cmos_suspend and cmos_poweroff. + +Signed-off-by: Daniel Glöckner +Cc: Mika Westerberg +Cc: Alessandro Zummo +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/rtc-cmos.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -856,7 +856,7 @@ static void __exit cmos_do_remove(struct + cmos->dev = NULL; + } + +-#ifdef CONFIG_PM_SLEEP ++#ifdef CONFIG_PM + + static int cmos_suspend(struct device *dev) + { +@@ -907,6 +907,8 @@ static inline int cmos_poweroff(struct d + return cmos_suspend(dev); + } + ++#ifdef CONFIG_PM_SLEEP ++ + static int cmos_resume(struct device *dev) + { + struct cmos_rtc *cmos = dev_get_drvdata(dev); +@@ -954,6 +956,7 @@ static int cmos_resume(struct device *de + return 0; + } + ++#endif + #else + + static inline int cmos_poweroff(struct device *dev) diff --git a/queue-3.16/series b/queue-3.16/series index e2f220fb833..72f60d4350b 100644 --- a/queue-3.16/series +++ b/queue-3.16/series @@ -55,3 +55,27 @@ nfsv4.1-fix-an-nfsv4.1-state-renewal-regression.patch nfsd4-reserve-adequate-space-for-lock-op.patch nfs-fix-an-uninitialised-pointer-oops-in-the-writeback-error-path.patch nfs-fix-a-bogus-warning-in-nfs_generic_pgio.patch +iwlwifi-mvm-disable-bt-co-running-by-default.patch +iwlwifi-add-missing-pci-ids-for-the-7260-series.patch +pci-pciehp-prevent-null-dereference-during-probe.patch +pci-mvebu-fix-uninitialized-variable-in-mvebu_get_tgt_attr.patch +pci-add-missing-mem_64-mask-in-pci_assign_unassigned_bridge_resources.patch +pci-increase-ibm-ipr-sas-crocodile-bars-to-at-least-system-page-size.patch +pci-generate-uppercase-hex-for-modalias-interface-class.patch +rt2800-correct-bbp1_tx_power_ctrl-mask.patch +revert-ath9k_hw-reduce-ani-firstep-range-for-older-chips.patch +bluetooth-fix-hci-h5-corrupted-ack-value.patch +bluetooth-fix-incorrect-le-coc-pdu-length-restriction-based-on-hci-mtu.patch +bluetooth-fix-issue-with-usb-suspend-in-btusb-driver.patch +bluetooth-fix-setting-correct-security-level-when-initiating-smp.patch +mm-clear-__gfp_fs-when-pf_memalloc_noio-is-set.patch +fanotify-enable-close-on-exec-on-events-fd-when-requested-in-fanotify_init.patch +kernel-add-support-for-gcc-5.patch +rtc-cmos-fix-wakeup-from-s5-without-config_pm_sleep.patch +mm-balloon_compaction-redesign-ballooned-pages-management.patch +futex-ensure-get_futex_key_refs-always-implies-a-barrier.patch +powerpc-powernv-fix-endian-bug-in-lpc-bus-debugfs-accessors.patch +powerpc-iommu-ddw-fix-endianness.patch +powerpc-eeh-clear-frozen-device-state-in-time.patch +ima-fix-fallback-to-use-new_sync_read.patch +ima-provide-flag-to-identify-new-empty-files.patch -- 2.47.3