From a9d25d1ce48d0b78dfd7865c341a332e21affc0c Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Wed, 9 Nov 2016 11:27:07 +0100 Subject: [PATCH] 4.8-stable patches added patches: arm-fix-oops-when-using-older-armv4t-cpus.patch btrfs-qgroup-prevent-qgroup-reserved-from-going-subzero.patch cpufreq-intel_pstate-set-p-state-upfront-in-performance-mode.patch hid-usbhid-add-aten-cs962-to-list-of-quirky-devices.patch kvm-x86-check-memopp-before-dereference-cve-2016-8630.patch omapfb-fix-return-value-check-in-dsi_bind.patch pwm-unexport-children-before-chip-removal.patch tty-vt-fix-bogus-division-in-csi_j.patch uapi-add-missing-install-of-sync_file.h.patch ubi-fastmap-fix-add_vol-return-value-test-in-ubi_attach_fastmap.patch ubi-fastmap-scrub-peb-when-bitflips-are-detected-in-a-free-peb-ec-header.patch usb-chipidea-host-fix-null-ptr-dereference-during-shutdown.patch usb-dwc3-fix-size-used-in-dma_free_coherent.patch usb-musb-fix-hardirq-safe-hardirq-unsafe-lock-order-error.patch v4l-vsp1-prevent-pipelines-from-running-when-not-streaming.patch video-fbdev-pxafb-potential-null-dereference-on-error.patch --- ...ix-oops-when-using-older-armv4t-cpus.patch | 212 ++++++++++++++++++ ...t-qgroup-reserved-from-going-subzero.patch | 69 ++++++ ...-p-state-upfront-in-performance-mode.patch | 87 +++++++ ...aten-cs962-to-list-of-quirky-devices.patch | 41 ++++ ...opp-before-dereference-cve-2016-8630.patch | 35 +++ ...b-fix-return-value-check-in-dsi_bind.patch | 42 ++++ ...nexport-children-before-chip-removal.patch | 83 +++++++ queue-4.8/series | 16 ++ .../tty-vt-fix-bogus-division-in-csi_j.patch | 39 ++++ ...i-add-missing-install-of-sync_file.h.patch | 39 ++++ ...urn-value-test-in-ubi_attach_fastmap.patch | 49 ++++ ...are-detected-in-a-free-peb-ec-header.patch | 40 ++++ ...null-ptr-dereference-during-shutdown.patch | 37 +++ ...3-fix-size-used-in-dma_free_coherent.patch | 63 ++++++ ...safe-hardirq-unsafe-lock-order-error.patch | 87 +++++++ ...ines-from-running-when-not-streaming.patch | 47 ++++ ...-potential-null-dereference-on-error.patch | 33 +++ 17 
files changed, 1019 insertions(+) create mode 100644 queue-4.8/arm-fix-oops-when-using-older-armv4t-cpus.patch create mode 100644 queue-4.8/btrfs-qgroup-prevent-qgroup-reserved-from-going-subzero.patch create mode 100644 queue-4.8/cpufreq-intel_pstate-set-p-state-upfront-in-performance-mode.patch create mode 100644 queue-4.8/hid-usbhid-add-aten-cs962-to-list-of-quirky-devices.patch create mode 100644 queue-4.8/kvm-x86-check-memopp-before-dereference-cve-2016-8630.patch create mode 100644 queue-4.8/omapfb-fix-return-value-check-in-dsi_bind.patch create mode 100644 queue-4.8/pwm-unexport-children-before-chip-removal.patch create mode 100644 queue-4.8/tty-vt-fix-bogus-division-in-csi_j.patch create mode 100644 queue-4.8/uapi-add-missing-install-of-sync_file.h.patch create mode 100644 queue-4.8/ubi-fastmap-fix-add_vol-return-value-test-in-ubi_attach_fastmap.patch create mode 100644 queue-4.8/ubi-fastmap-scrub-peb-when-bitflips-are-detected-in-a-free-peb-ec-header.patch create mode 100644 queue-4.8/usb-chipidea-host-fix-null-ptr-dereference-during-shutdown.patch create mode 100644 queue-4.8/usb-dwc3-fix-size-used-in-dma_free_coherent.patch create mode 100644 queue-4.8/usb-musb-fix-hardirq-safe-hardirq-unsafe-lock-order-error.patch create mode 100644 queue-4.8/v4l-vsp1-prevent-pipelines-from-running-when-not-streaming.patch create mode 100644 queue-4.8/video-fbdev-pxafb-potential-null-dereference-on-error.patch diff --git a/queue-4.8/arm-fix-oops-when-using-older-armv4t-cpus.patch b/queue-4.8/arm-fix-oops-when-using-older-armv4t-cpus.patch new file mode 100644 index 00000000000..10513386a76 --- /dev/null +++ b/queue-4.8/arm-fix-oops-when-using-older-armv4t-cpus.patch 
@@ -0,0 +1,212 @@ +From 04946fb60fb157faafa01658dff3131d49f49ccb Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Tue, 18 Oct 2016 10:24:49 +0100 +Subject: ARM: fix oops when using older ARMv4T CPUs + +From: Russell King + +commit 04946fb60fb157faafa01658dff3131d49f49ccb upstream. + +Alexander Shiyan reports that CLPS711x fails at boot time in the data +exception handler due to a NULL pointer dereference. This is caused by +the late-v4t abort handler overwriting R9 (which becomes zero). Fix +this by making the abort handler save and restore R9. + +Unable to handle kernel NULL pointer dereference at virtual address 00000008 +pgd = c3b58000 +[00000008] *pgd=800000000, *pte=00000000, *ppte=feff4140 +Internal error: Oops: 63c11817 [#1] PREEMPT ARM +CPU: 0 PID: 448 Comm: ash Not tainted 4.8.1+ #1 +Hardware name: Cirrus Logic CLPS711X (Device Tree Support) +task: c39e03a0 ti: c3b4e000 task.ti: c3b4e000 +PC is at __dabt_svc+0x4c/0x60 +LR is at do_page_fault+0x144/0x2ac +pc : [] lr : [] psr: 60000093 +sp : c3b4fe6c ip : 00000001 fp : b6f1bf88 +r10: c387a5a0 r9 : 00000000 r8 : e4e0e001 +r7 : bee3ef83 r6 : 00100000 r5 : 80000013 r4 : c022fcf8 +r3 : 00000000 r2 : 00000008 r1 : bf000000 r0 : 00000000 +Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user +Control: 0000217f Table: c3b58055 DAC: 00000055 +Process ash (pid: 448, stack limit = 0xc3b4e190) +Stack: (0xc3b4fe6c to 0xc3b50000) +fe60: bee3ef83 c05168d1 ffffffff 00000000 c3adfe80 +fe80: c3a03300 00000000 c3b4fed0 c3a03400 bee3ef83 c387a5a0 b6f1bf88 00000001 +fea0: c3b4febc 00000076 c022fcf8 80000013 ffffffff 0000003f bf000000 bee3ef83 +fec0: 00000004 00000000 c3adfe80 c00e432c 00000812 00000005 00000001 00000006 +fee0: b6f1b000 00000000 00010000 0003c944 0004d000 0004d439 00010000 b6f1b000 +ff00: 00000005 00000000 00015ecc c3b4fed0 0000000a 00000000 00000000 c00a1dc0 +ff20: befff000 c3a03300 c3b4e000 c0507cd8 c0508024 fffffff8 c3a03300 00000000 +ff40: c0516a58 c00a35bc c39e03a0 000001c0 bea84ce8 0004e008 
c3b3a000 c00a3ac0 +ff60: c3b40374 c3b3a000 bea84d11 00000000 c0500188 bea84d11 bea84ce8 00000001 +ff80: 0000000b c000a304 c3b4e000 00000000 bea84ce4 c00a3cd0 00000000 bea84d11 +ffa0: bea84ce8 c000a160 bea84d11 bea84ce8 bea84d11 bea84ce8 0004e008 0004d450 +ffc0: bea84d11 bea84ce8 00000001 0000000b b6f45ee4 00000000 b6f5ff70 bea84ce4 +ffe0: b6f2f130 bea84cb0 b6f2f194 b6ef29f4 a0000010 bea84d11 02c7cffa 02c7cffd +[] (__dabt_svc) from [] (__copy_to_user_std+0xf8/0x330) +[] (__copy_to_user_std) from [] ++(load_elf_binary+0x920/0x107c) +[] (load_elf_binary) from [] ++(search_binary_handler+0x80/0x16c) +[] (search_binary_handler) from [] ++(do_execveat_common+0x418/0x600) +[] (do_execveat_common) from [] (do_execve+0x28/0x30) +[] (do_execve) from [] (ret_fast_syscall+0x0/0x30) +Code: e1a0200d eb00136b e321f093 e59d104c (e5891008) +---[ end trace 4b4f8086ebef98c5 ]--- + +Fixes: e6978e4bf181 ("ARM: save and reset the address limit when entering an exception") +Reported-by: Alexander Shiyan +Tested-by: Alexander Shiyan +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mm/abort-lv4t.S | 34 ++++++++++++++++++++++++---------- + 1 file changed, 24 insertions(+), 10 deletions(-) + +--- a/arch/arm/mm/abort-lv4t.S ++++ b/arch/arm/mm/abort-lv4t.S +@@ -7,7 +7,7 @@ + * : r4 = aborted context pc + * : r5 = aborted context psr + * +- * Returns : r4-r5, r10-r11, r13 preserved ++ * Returns : r4-r5, r9-r11, r13 preserved + * + * Purpose : obtain information about current aborted instruction. + * Note: we read user space. 
This means we might cause a data +@@ -48,7 +48,10 @@ ENTRY(v4t_late_abort) + /* c */ b do_DataAbort @ ldc rd, [rn], #m @ Same as ldr rd, [rn], #m + /* d */ b do_DataAbort @ ldc rd, [rn, #m] + /* e */ b .data_unknown +-/* f */ ++/* f */ b .data_unknown ++ ++.data_unknown_r9: ++ ldr r9, [sp], #4 + .data_unknown: @ Part of jumptable + mov r0, r4 + mov r1, r8 +@@ -57,6 +60,7 @@ ENTRY(v4t_late_abort) + .data_arm_ldmstm: + tst r8, #1 << 21 @ check writeback bit + beq do_DataAbort @ no writeback -> no fixup ++ str r9, [sp, #-4]! + mov r7, #0x11 + orr r7, r7, #0x1100 + and r6, r8, r7 +@@ -75,12 +79,14 @@ ENTRY(v4t_late_abort) + subne r7, r7, r6, lsl #2 @ Undo increment + addeq r7, r7, r6, lsl #2 @ Undo decrement + str r7, [r2, r9, lsr #14] @ Put register 'Rn' ++ ldr r9, [sp], #4 + b do_DataAbort + + .data_arm_lateldrhpre: + tst r8, #1 << 21 @ Check writeback bit + beq do_DataAbort @ No writeback -> no fixup + .data_arm_lateldrhpost: ++ str r9, [sp, #-4]! + and r9, r8, #0x00f @ get Rm / low nibble of immediate value + tst r8, #1 << 22 @ if (immediate offset) + andne r6, r8, #0xf00 @ { immediate high nibble +@@ -93,6 +99,7 @@ ENTRY(v4t_late_abort) + subne r7, r7, r6 @ Undo incrmenet + addeq r7, r7, r6 @ Undo decrement + str r7, [r2, r9, lsr #14] @ Put register 'Rn' ++ ldr r9, [sp], #4 + b do_DataAbort + + .data_arm_lateldrpreconst: +@@ -101,12 +108,14 @@ ENTRY(v4t_late_abort) + .data_arm_lateldrpostconst: + movs r6, r8, lsl #20 @ Get offset + beq do_DataAbort @ zero -> no fixup ++ str r9, [sp, #-4]! 
+ and r9, r8, #15 << 16 @ Extract 'n' from instruction + ldr r7, [r2, r9, lsr #14] @ Get register 'Rn' + tst r8, #1 << 23 @ Check U bit + subne r7, r7, r6, lsr #20 @ Undo increment + addeq r7, r7, r6, lsr #20 @ Undo decrement + str r7, [r2, r9, lsr #14] @ Put register 'Rn' ++ ldr r9, [sp], #4 + b do_DataAbort + + .data_arm_lateldrprereg: +@@ -115,6 +124,7 @@ ENTRY(v4t_late_abort) + .data_arm_lateldrpostreg: + and r7, r8, #15 @ Extract 'm' from instruction + ldr r6, [r2, r7, lsl #2] @ Get register 'Rm' ++ str r9, [sp, #-4]! + mov r9, r8, lsr #7 @ get shift count + ands r9, r9, #31 + and r7, r8, #0x70 @ get shift type +@@ -126,33 +136,33 @@ ENTRY(v4t_late_abort) + b .data_arm_apply_r6_and_rn + b .data_arm_apply_r6_and_rn @ 1: LSL #0 + nop +- b .data_unknown @ 2: MUL? ++ b .data_unknown_r9 @ 2: MUL? + nop +- b .data_unknown @ 3: MUL? ++ b .data_unknown_r9 @ 3: MUL? + nop + mov r6, r6, lsr r9 @ 4: LSR #!0 + b .data_arm_apply_r6_and_rn + mov r6, r6, lsr #32 @ 5: LSR #32 + b .data_arm_apply_r6_and_rn +- b .data_unknown @ 6: MUL? ++ b .data_unknown_r9 @ 6: MUL? + nop +- b .data_unknown @ 7: MUL? ++ b .data_unknown_r9 @ 7: MUL? + nop + mov r6, r6, asr r9 @ 8: ASR #!0 + b .data_arm_apply_r6_and_rn + mov r6, r6, asr #32 @ 9: ASR #32 + b .data_arm_apply_r6_and_rn +- b .data_unknown @ A: MUL? ++ b .data_unknown_r9 @ A: MUL? + nop +- b .data_unknown @ B: MUL? ++ b .data_unknown_r9 @ B: MUL? + nop + mov r6, r6, ror r9 @ C: ROR #!0 + b .data_arm_apply_r6_and_rn + mov r6, r6, rrx @ D: RRX + b .data_arm_apply_r6_and_rn +- b .data_unknown @ E: MUL? ++ b .data_unknown_r9 @ E: MUL? + nop +- b .data_unknown @ F: MUL? ++ b .data_unknown_r9 @ F: MUL? + + .data_thumb_abort: + ldrh r8, [r4] @ read instruction +@@ -190,6 +200,7 @@ ENTRY(v4t_late_abort) + .data_thumb_pushpop: + tst r8, #1 << 10 + beq .data_unknown ++ str r9, [sp, #-4]! 
+ and r6, r8, #0x55 @ hweight8(r8) + R bit + and r9, r8, #0xaa + add r6, r6, r9, lsr #1 +@@ -204,9 +215,11 @@ ENTRY(v4t_late_abort) + addeq r7, r7, r6, lsl #2 @ increment SP if PUSH + subne r7, r7, r6, lsl #2 @ decrement SP if POP + str r7, [r2, #13 << 2] ++ ldr r9, [sp], #4 + b do_DataAbort + + .data_thumb_ldmstm: ++ str r9, [sp, #-4]! + and r6, r8, #0x55 @ hweight8(r8) + and r9, r8, #0xaa + add r6, r6, r9, lsr #1 +@@ -219,4 +232,5 @@ ENTRY(v4t_late_abort) + and r6, r6, #15 @ number of regs to transfer + sub r7, r7, r6, lsl #2 @ always decrement + str r7, [r2, r9, lsr #6] ++ ldr r9, [sp], #4 + b do_DataAbort diff --git a/queue-4.8/btrfs-qgroup-prevent-qgroup-reserved-from-going-subzero.patch b/queue-4.8/btrfs-qgroup-prevent-qgroup-reserved-from-going-subzero.patch new file mode 100644 index 00000000000..794637bbb96 --- /dev/null +++ b/queue-4.8/btrfs-qgroup-prevent-qgroup-reserved-from-going-subzero.patch 
@@ -0,0 +1,69 @@ +From 0b34c261e235a5c74dcf78bd305845bd15fe2b42 Mon Sep 17 00:00:00 2001 +From: Goldwyn Rodrigues +Date: Fri, 30 Sep 2016 10:40:52 -0500 +Subject: btrfs: qgroup: Prevent qgroup->reserved from going subzero + +From: Goldwyn Rodrigues + +commit 0b34c261e235a5c74dcf78bd305845bd15fe2b42 upstream. + +While free'ing qgroup->reserved resources, we much check if +the page has not been invalidated by a truncate operation +by checking if the page is still dirty before reducing the +qgroup resources. Resources in such a case are free'd when +the entire extent is released by delayed_ref. + +This fixes a double accounting while releasing resources +in case of truncating a file, reproduced by the following testcase. + +SCRATCH_DEV=/dev/vdb +SCRATCH_MNT=/mnt +mkfs.btrfs -f $SCRATCH_DEV +mount -t btrfs $SCRATCH_DEV $SCRATCH_MNT +cd $SCRATCH_MNT +btrfs quota enable $SCRATCH_MNT +btrfs subvolume create a +btrfs qgroup limit 500m a $SCRATCH_MNT +sync +for c in {1..15}; do +dd if=/dev/zero bs=1M count=40 of=$SCRATCH_MNT/a/file; +done + +sleep 10 +sync +sleep 5 + +touch $SCRATCH_MNT/a/newfile + +echo "Removing file" +rm $SCRATCH_MNT/a/file + +Fixes: b9d0b38928 ("btrfs: Add handler for invalidate page") +Signed-off-by: Goldwyn Rodrigues +Reviewed-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/inode.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -8915,9 +8915,14 @@ again: + * So even we call qgroup_free_data(), it won't decrease reserved + * space. + * 2) Not written to disk +- * This means the reserved space should be freed here. ++ * This means the reserved space should be freed here. However, ++ * if a truncate invalidates the page (by clearing PageDirty) ++ * and the page is accounted for while allocating extent ++ * in btrfs_check_data_free_space() we let delayed_ref to ++ * free the entire extent. 
+ */ +- btrfs_qgroup_free_data(inode, page_start, PAGE_SIZE); ++ if (PageDirty(page)) ++ btrfs_qgroup_free_data(inode, page_start, PAGE_SIZE); + if (!inode_evicting) { + clear_extent_bit(tree, page_start, page_end, + EXTENT_LOCKED | EXTENT_DIRTY | diff --git a/queue-4.8/cpufreq-intel_pstate-set-p-state-upfront-in-performance-mode.patch b/queue-4.8/cpufreq-intel_pstate-set-p-state-upfront-in-performance-mode.patch new file mode 100644 index 00000000000..39897122bd8 --- /dev/null +++ b/queue-4.8/cpufreq-intel_pstate-set-p-state-upfront-in-performance-mode.patch 
@@ -0,0 +1,87 @@ +From a6c6ead14183ea4ec8ce7551e1f3451024b9c4db Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Wed, 19 Oct 2016 02:57:22 +0200 +Subject: cpufreq: intel_pstate: Set P-state upfront in performance mode + +From: Rafael J. Wysocki + +commit a6c6ead14183ea4ec8ce7551e1f3451024b9c4db upstream. + +After commit a4675fbc4a7a (cpufreq: intel_pstate: Replace timers with +utilization update callbacks) the cpufreq governor callbacks may not +be invoked on NOHZ_FULL CPUs and, in particular, switching to the +"performance" policy via sysfs may not have any effect on them. That +is a problem, because it usually is desirable to squeeze the last +bit of performance out of those CPUs, so work around it by setting +the maximum P-state (within the limits) in intel_pstate_set_policy() +upfront when the policy is CPUFREQ_POLICY_PERFORMANCE. + +Fixes: a4675fbc4a7a (cpufreq: intel_pstate: Replace timers with utilization update callbacks) +Signed-off-by: Rafael J. Wysocki +Acked-by: Srinivas Pandruvada +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/intel_pstate.c | 29 +++++++++++++++++++++++++---- + 1 file changed, 25 insertions(+), 4 deletions(-) + +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -1133,10 +1133,8 @@ static void intel_pstate_get_min_max(str + *min = clamp_t(int, min_perf, cpu->pstate.min_pstate, max_perf); + } + +-static void intel_pstate_set_min_pstate(struct cpudata *cpu) ++static void intel_pstate_set_pstate(struct cpudata *cpu, int pstate) + { +- int pstate = cpu->pstate.min_pstate; +- + trace_cpu_frequency(pstate * cpu->pstate.scaling, cpu->cpu); + cpu->pstate.current_pstate = pstate; + /* +@@ -1148,6 +1146,20 @@ static void intel_pstate_set_min_pstate( + pstate_funcs.get_val(cpu, pstate)); + } + ++static void intel_pstate_set_min_pstate(struct cpudata *cpu) ++{ ++ intel_pstate_set_pstate(cpu, cpu->pstate.min_pstate); ++} ++ ++static void intel_pstate_max_within_limits(struct cpudata *cpu) ++{ ++ 
int min_pstate, max_pstate; ++ ++ update_turbo_state(); ++ intel_pstate_get_min_max(cpu, &min_pstate, &max_pstate); ++ intel_pstate_set_pstate(cpu, max_pstate); ++} ++ + static void intel_pstate_get_cpu_pstates(struct cpudata *cpu) + { + cpu->pstate.min_pstate = pstate_funcs.get_min(); +@@ -1465,7 +1477,7 @@ static int intel_pstate_set_policy(struc + pr_debug("set_policy cpuinfo.max %u policy->max %u\n", + policy->cpuinfo.max_freq, policy->max); + +- cpu = all_cpu_data[0]; ++ cpu = all_cpu_data[policy->cpu]; + if (cpu->pstate.max_pstate_physical > cpu->pstate.max_pstate && + policy->max < policy->cpuinfo.max_freq && + policy->max > cpu->pstate.max_pstate * cpu->pstate.scaling) { +@@ -1509,6 +1521,15 @@ static int intel_pstate_set_policy(struc + limits->max_perf = round_up(limits->max_perf, FRAC_BITS); + + out: ++ if (policy->policy == CPUFREQ_POLICY_PERFORMANCE) { ++ /* ++ * NOHZ_FULL CPUs need this as the governor callback may not ++ * be invoked on them. ++ */ ++ intel_pstate_clear_update_util_hook(policy->cpu); ++ intel_pstate_max_within_limits(cpu); ++ } ++ + intel_pstate_set_update_util_hook(policy->cpu); + + intel_pstate_hwp_set_policy(policy); diff --git a/queue-4.8/hid-usbhid-add-aten-cs962-to-list-of-quirky-devices.patch b/queue-4.8/hid-usbhid-add-aten-cs962-to-list-of-quirky-devices.patch new file mode 100644 index 00000000000..147c6c14f59 --- /dev/null +++ b/queue-4.8/hid-usbhid-add-aten-cs962-to-list-of-quirky-devices.patch 
@@ -0,0 +1,41 @@ +From cf0ea4da4c7df11f7a508b2f37518e0f117f3791 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 3 Nov 2016 12:31:41 +0100 +Subject: HID: usbhid: add ATEN CS962 to list of quirky devices + +From: Oliver Neukum + +commit cf0ea4da4c7df11f7a508b2f37518e0f117f3791 upstream. + +Like many similar devices it needs a quirk to work. +Issuing the request gets the device into an irrecoverable state. + +Signed-off-by: Oliver Neukum +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/usbhid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -179,6 +179,7 @@ + #define USB_DEVICE_ID_ATEN_4PORTKVM 0x2205 + #define USB_DEVICE_ID_ATEN_4PORTKVMC 0x2208 + #define USB_DEVICE_ID_ATEN_CS682 0x2213 ++#define USB_DEVICE_ID_ATEN_CS692 0x8021 + + #define USB_VENDOR_ID_ATMEL 0x03eb + #define USB_DEVICE_ID_ATMEL_MULTITOUCH 0x211c +--- a/drivers/hid/usbhid/hid-quirks.c ++++ b/drivers/hid/usbhid/hid-quirks.c +@@ -63,6 +63,7 @@ static const struct hid_blacklist { + { USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_4PORTKVM, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_4PORTKVMC, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_CS682, HID_QUIRK_NOGET }, ++ { USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_CS692, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_FIGHTERSTICK, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_COMBATSTICK, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_FLIGHT_SIM_ECLIPSE_YOKE, HID_QUIRK_NOGET }, diff --git a/queue-4.8/kvm-x86-check-memopp-before-dereference-cve-2016-8630.patch b/queue-4.8/kvm-x86-check-memopp-before-dereference-cve-2016-8630.patch new file mode 100644 index 00000000000..fe21dcfc3ab --- /dev/null +++ b/queue-4.8/kvm-x86-check-memopp-before-dereference-cve-2016-8630.patch 
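Review bot: The new macro `USB_DEVICE_ID_ATEN_CS692` in drivers/hid/hid-ids.h, and the `hid_blacklist` entry that uses it, do not match the model named in the subject line and the patch filename ("ATEN CS962"), so one of the two has its digits transposed. Only the product id `0x8021` is compared at runtime, so the quirk behaves the same either way. A wrong name does make the entry hard to find when searching for the device model. Confirm the model against the hardware and make the macro and subject agree, for example `#define USB_DEVICE_ID_ATEN_CS962 0x8021` if the subject is the correct spelling.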
@@ -0,0 +1,35 @@ +From d9092f52d7e61dd1557f2db2400ddb430e85937e Mon Sep 17 00:00:00 2001 +From: Owen Hofmann +Date: Thu, 27 Oct 2016 11:25:52 -0700 +Subject: kvm: x86: Check memopp before dereference (CVE-2016-8630) + +From: Owen Hofmann + +commit d9092f52d7e61dd1557f2db2400ddb430e85937e upstream. + +Commit 41061cdb98 ("KVM: emulate: do not initialize memopp") removes a +check for non-NULL under incorrect assumptions. An undefined instruction +with a ModR/M byte with Mod=0 and R/M-5 (e.g. 0xc7 0x15) will attempt +to dereference a null pointer here. + +Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5 +Message-Id: <1477592752-126650-2-git-send-email-osh@google.com> +Signed-off-by: Owen Hofmann +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/emulate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -5045,7 +5045,7 @@ done_prefixes: + /* Decode and fetch the destination operand: register or memory. */ + rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask); + +- if (ctxt->rip_relative) ++ if (ctxt->rip_relative && likely(ctxt->memopp)) + ctxt->memopp->addr.mem.ea = address_mask(ctxt, + ctxt->memopp->addr.mem.ea + ctxt->_eip); + diff --git a/queue-4.8/omapfb-fix-return-value-check-in-dsi_bind.patch b/queue-4.8/omapfb-fix-return-value-check-in-dsi_bind.patch new file mode 100644 index 00000000000..e9868af2430 --- /dev/null +++ b/queue-4.8/omapfb-fix-return-value-check-in-dsi_bind.patch 
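Review bot: The added `likely(ctxt->memopp)` test in the `rip_relative` branch of arch/x86/kvm/emulate.c has no comment explaining why `memopp` can be NULL at this point. Per the commit message, an earlier cleanup removed the same check because it looked redundant, so the reason should be recorded next to the guard. I would add above the `if`: `/* memopp is NULL when no operand decoded as memory, e.g. an undefined opcode that still carries a RIP-relative ModR/M byte */`. The instruction bytes decoded here presumably come from the guest, which is why this NULL dereference was assigned a CVE. The enclosing function starts and ends outside the hunk.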
@@ -0,0 +1,42 @@ +From 43da7575cdecaf5af2d6b3f3a9e4e6c9144be428 Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Sat, 17 Sep 2016 15:53:34 +0000 +Subject: omapfb: fix return value check in dsi_bind() + +From: Wei Yongjun + +commit 43da7575cdecaf5af2d6b3f3a9e4e6c9144be428 upstream. + +Fix the retrn value check which testing the wrong variable +in dsi_bind(). + +Fixes: f76ee892a99e ("omapfb: copy omapdss & displays for omapfb") +Signed-off-by: Wei Yongjun +Reviewed-by: Peter Ujfalusi +Signed-off-by: Tomi Valkeinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/fbdev/omap2/omapfb/dss/dsi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/video/fbdev/omap2/omapfb/dss/dsi.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/dsi.c +@@ -5348,7 +5348,7 @@ static int dsi_bind(struct device *dev, + + dsi->phy_base = devm_ioremap(&dsidev->dev, res->start, + resource_size(res)); +- if (!dsi->proto_base) { ++ if (!dsi->phy_base) { + DSSERR("can't ioremap DSI PHY\n"); + return -ENOMEM; + } +@@ -5368,7 +5368,7 @@ static int dsi_bind(struct device *dev, + + dsi->pll_base = devm_ioremap(&dsidev->dev, res->start, + resource_size(res)); +- if (!dsi->proto_base) { ++ if (!dsi->pll_base) { + DSSERR("can't ioremap DSI PLL\n"); + return -ENOMEM; + } diff --git a/queue-4.8/pwm-unexport-children-before-chip-removal.patch b/queue-4.8/pwm-unexport-children-before-chip-removal.patch new file mode 100644 index 00000000000..da6260e674f --- /dev/null +++ b/queue-4.8/pwm-unexport-children-before-chip-removal.patch 
@@ -0,0 +1,83 @@ +From 0733424c9ba9f42242409d1ece780777272f7ea1 Mon Sep 17 00:00:00 2001 +From: David Hsu +Date: Tue, 9 Aug 2016 14:57:46 -0700 +Subject: pwm: Unexport children before chip removal + +From: David Hsu + +commit 0733424c9ba9f42242409d1ece780777272f7ea1 upstream. + +Exported pwm channels aren't removed before the pwmchip and are +leaked. This results in invalid sysfs files. This fix removes +all exported pwm channels before chip removal. + +Signed-off-by: David Hsu +Fixes: 76abbdde2d95 ("pwm: Add sysfs interface") +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pwm/core.c | 2 ++ + drivers/pwm/sysfs.c | 18 ++++++++++++++++++ + include/linux/pwm.h | 5 +++++ + 3 files changed, 25 insertions(+) + +--- a/drivers/pwm/core.c ++++ b/drivers/pwm/core.c +@@ -339,6 +339,8 @@ int pwmchip_remove(struct pwm_chip *chip + unsigned int i; + int ret = 0; + ++ pwmchip_sysfs_unexport_children(chip); ++ + mutex_lock(&pwm_lock); + + for (i = 0; i < chip->npwm; i++) { +--- a/drivers/pwm/sysfs.c ++++ b/drivers/pwm/sysfs.c +@@ -409,6 +409,24 @@ void pwmchip_sysfs_unexport(struct pwm_c + } + } + ++void pwmchip_sysfs_unexport_children(struct pwm_chip *chip) ++{ ++ struct device *parent; ++ unsigned int i; ++ ++ parent = class_find_device(&pwm_class, NULL, chip, ++ pwmchip_sysfs_match); ++ if (!parent) ++ return; ++ ++ for (i = 0; i < chip->npwm; i++) { ++ struct pwm_device *pwm = &chip->pwms[i]; ++ ++ if (test_bit(PWMF_EXPORTED, &pwm->flags)) ++ pwm_unexport_child(parent, pwm); ++ } ++} ++ + static int __init pwm_sysfs_init(void) + { + return class_register(&pwm_class); +--- a/include/linux/pwm.h ++++ b/include/linux/pwm.h +@@ -641,6 +641,7 @@ static inline void pwm_remove_table(stru + #ifdef CONFIG_PWM_SYSFS + void pwmchip_sysfs_export(struct pwm_chip *chip); + void pwmchip_sysfs_unexport(struct pwm_chip *chip); ++void pwmchip_sysfs_unexport_children(struct pwm_chip *chip); + #else + static inline void pwmchip_sysfs_export(struct pwm_chip 
*chip) + { +@@ -649,6 +650,10 @@ static inline void pwmchip_sysfs_export( + static inline void pwmchip_sysfs_unexport(struct pwm_chip *chip) + { + } ++ ++static inline void pwmchip_sysfs_unexport_children(struct pwm_chip *chip) ++{ ++} + #endif /* CONFIG_PWM_SYSFS */ + + #endif /* __LINUX_PWM_H */ diff --git a/queue-4.8/series b/queue-4.8/series index 3f46212f973..f767481b88a 100644 --- a/queue-4.8/series +++ b/queue-4.8/series @@ -120,3 +120,19 @@ drm-i915-fbc-fix-cfb-size-calculation-for-gen8.patch drm-i915-wait-for-fences-on-new-fb-not-old.patch i2c-mark-device-nodes-only-in-case-of-successful-instantiation.patch netfilter-xt_nflog-fix-unexpected-truncated-packet.patch +ubi-fastmap-scrub-peb-when-bitflips-are-detected-in-a-free-peb-ec-header.patch +uapi-add-missing-install-of-sync_file.h.patch +video-fbdev-pxafb-potential-null-dereference-on-error.patch +omapfb-fix-return-value-check-in-dsi_bind.patch +pwm-unexport-children-before-chip-removal.patch +usb-dwc3-fix-size-used-in-dma_free_coherent.patch +usb-chipidea-host-fix-null-ptr-dereference-during-shutdown.patch +usb-musb-fix-hardirq-safe-hardirq-unsafe-lock-order-error.patch +v4l-vsp1-prevent-pipelines-from-running-when-not-streaming.patch +tty-vt-fix-bogus-division-in-csi_j.patch +arm-fix-oops-when-using-older-armv4t-cpus.patch +kvm-x86-check-memopp-before-dereference-cve-2016-8630.patch +btrfs-qgroup-prevent-qgroup-reserved-from-going-subzero.patch +ubi-fastmap-fix-add_vol-return-value-test-in-ubi_attach_fastmap.patch +cpufreq-intel_pstate-set-p-state-upfront-in-performance-mode.patch +hid-usbhid-add-aten-cs962-to-list-of-quirky-devices.patch diff --git a/queue-4.8/tty-vt-fix-bogus-division-in-csi_j.patch b/queue-4.8/tty-vt-fix-bogus-division-in-csi_j.patch new file mode 100644 index 00000000000..c9632bf95df --- /dev/null +++ b/queue-4.8/tty-vt-fix-bogus-division-in-csi_j.patch 
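Review bot: `pwmchip_sysfs_unexport_children()` in drivers/pwm/sysfs.c never drops the reference that `class_find_device()` takes on the device it returns, so each call that finds the chip's sysfs device leaks one reference. Add `put_device(parent);` after the `for` loop, before the function returns. The early `return` on `!parent` needs no change, since no reference is held there. Separately, the new call in `pwmchip_remove()` runs before `mutex_lock(&pwm_lock)`. Whether a concurrent export can race with it cannot be judged from the hunk and is worth confirming.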
@@ -0,0 +1,39 @@ +From 42acfc6615f47e465731c263bee0c799edb098f2 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Mon, 3 Oct 2016 11:00:17 +0200 +Subject: tty: vt, fix bogus division in csi_J +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jiri Slaby + +commit 42acfc6615f47e465731c263bee0c799edb098f2 upstream. + +In csi_J(3), the third parameter of scr_memsetw (vc_screenbuf_size) is +divided by 2 inappropriatelly. But scr_memsetw expects size, not +count, because it divides the size by 2 on its own before doing actual +memset-by-words. + +So remove the bogus division. + +Signed-off-by: Jiri Slaby +Cc: Petr Písař +Fixes: f8df13e0a9 (tty: Clean console safely) +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -1181,7 +1181,7 @@ static void csi_J(struct vc_data *vc, in + break; + case 3: /* erase scroll-back buffer (and whole display) */ + scr_memsetw(vc->vc_screenbuf, vc->vc_video_erase_char, +- vc->vc_screenbuf_size >> 1); ++ vc->vc_screenbuf_size); + set_origin(vc); + if (con_is_visible(vc)) + update_screen(vc); diff --git a/queue-4.8/uapi-add-missing-install-of-sync_file.h.patch b/queue-4.8/uapi-add-missing-install-of-sync_file.h.patch new file mode 100644 index 00000000000..651b5e91ce5 --- /dev/null +++ b/queue-4.8/uapi-add-missing-install-of-sync_file.h.patch 
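Review bot: The `case 3` call in csi_J() now passes `vc->vc_screenbuf_size` straight to `scr_memsetw()`, but nothing at the call site records which unit the third argument uses. The commit message names exactly that confusion as the cause of the halved length. A one-line comment would keep the shift from being reintroduced: `/* scr_memsetw() takes a size in bytes, not a count of 16-bit cells */`. csi_J() starts and ends outside the hunk.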
@@ -0,0 +1,39 @@ +From 58f0f9f75c1b94dabbfc3daa333a4e68536b0a42 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Emilio=20L=C3=B3pez?= +Date: Tue, 27 Sep 2016 11:31:42 -0300 +Subject: uapi: add missing install of sync_file.h +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Emilio López + +commit 58f0f9f75c1b94dabbfc3daa333a4e68536b0a42 upstream. + +As part of the sync framework destaging, the sync_file.h header +was moved, but an entry was not added on Kbuild to install it. +This patch resolves this omission so that "make headers_install" +installs this header. + +Fixes: 460bfc41fd52 ("dma-buf/sync_file: de-stage sync_file headers") +Reported-by: Michael Ellerman +Reviewed-by: Gustavo Padovan +Signed-off-by: Emilio López +Signed-off-by: Sean Paul +Link: http://patchwork.freedesktop.org/patch/msgid/20160927143142.8975-1-emilio.lopez@collabora.co.uk +Signed-off-by: Greg Kroah-Hartman + +--- + include/uapi/linux/Kbuild | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/uapi/linux/Kbuild ++++ b/include/uapi/linux/Kbuild +@@ -396,6 +396,7 @@ header-y += string.h + header-y += suspend_ioctls.h + header-y += swab.h + header-y += synclink.h ++header-y += sync_file.h + header-y += sysctl.h + header-y += sysinfo.h + header-y += target_core_user.h diff --git a/queue-4.8/ubi-fastmap-fix-add_vol-return-value-test-in-ubi_attach_fastmap.patch b/queue-4.8/ubi-fastmap-fix-add_vol-return-value-test-in-ubi_attach_fastmap.patch new file mode 100644 index 00000000000..2815534130d --- /dev/null +++ b/queue-4.8/ubi-fastmap-fix-add_vol-return-value-test-in-ubi_attach_fastmap.patch 
@@ -0,0 +1,49 @@ +From 40b6e61ac72e99672e47cdb99c8d7d226004169b Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Fri, 28 Oct 2016 11:08:44 +0200 +Subject: ubi: fastmap: Fix add_vol() return value test in ubi_attach_fastmap() + +From: Boris Brezillon + +commit 40b6e61ac72e99672e47cdb99c8d7d226004169b upstream. + +Commit e96a8a3bb671 ("UBI: Fastmap: Do not add vol if it already +exists") introduced a bug by changing the possible error codes returned +by add_vol(): +- this function no longer returns NULL in case of allocation failure + but return ERR_PTR(-ENOMEM) +- when a duplicate entry in the volume RB tree is found it returns + ERR_PTR(-EEXIST) instead of ERR_PTR(-EINVAL) + +Fix the tests done on add_vol() return val to match this new behavior. + +Fixes: e96a8a3bb671 ("UBI: Fastmap: Do not add vol if it already exists") +Reported-by: Dan Carpenter +Signed-off-by: Boris Brezillon +Acked-by: Sheng Yong +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/ubi/fastmap.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/mtd/ubi/fastmap.c ++++ b/drivers/mtd/ubi/fastmap.c +@@ -751,11 +751,11 @@ static int ubi_attach_fastmap(struct ubi + fmvhdr->vol_type, + be32_to_cpu(fmvhdr->last_eb_bytes)); + +- if (!av) +- goto fail_bad; +- if (PTR_ERR(av) == -EINVAL) { +- ubi_err(ubi, "volume (ID %i) already exists", +- fmvhdr->vol_id); ++ if (IS_ERR(av)) { ++ if (PTR_ERR(av) == -EEXIST) ++ ubi_err(ubi, "volume (ID %i) already exists", ++ fmvhdr->vol_id); ++ + goto fail_bad; + } + diff --git a/queue-4.8/ubi-fastmap-scrub-peb-when-bitflips-are-detected-in-a-free-peb-ec-header.patch b/queue-4.8/ubi-fastmap-scrub-peb-when-bitflips-are-detected-in-a-free-peb-ec-header.patch new file mode 100644 index 00000000000..e38132e2e3b --- /dev/null +++ b/queue-4.8/ubi-fastmap-scrub-peb-when-bitflips-are-detected-in-a-free-peb-ec-header.patch 
@@ -0,0 +1,40 @@ +From ecbfa8eabae9cd73522d1d3d15869703c263d859 Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Fri, 16 Sep 2016 16:59:12 +0200 +Subject: UBI: fastmap: scrub PEB when bitflips are detected in a free PEB EC header + +From: Boris Brezillon + +commit ecbfa8eabae9cd73522d1d3d15869703c263d859 upstream. + +scan_pool() does not mark the PEB for scrubing when bitflips are +detected in the EC header of a free PEB (VID header region left to +0xff). +Make sure we scrub the PEB in this case. + +Signed-off-by: Boris Brezillon +Fixes: dbb7d2a88d2a ("UBI: Add fastmap core") +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/ubi/fastmap.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/mtd/ubi/fastmap.c ++++ b/drivers/mtd/ubi/fastmap.c +@@ -515,10 +515,11 @@ static int scan_pool(struct ubi_device * + unsigned long long ec = be64_to_cpu(ech->ec); + unmap_peb(ai, pnum); + dbg_bld("Adding PEB to free: %i", pnum); ++ + if (err == UBI_IO_FF_BITFLIPS) +- add_aeb(ai, free, pnum, ec, 1); +- else +- add_aeb(ai, free, pnum, ec, 0); ++ scrub = 1; ++ ++ add_aeb(ai, free, pnum, ec, scrub); + continue; + } else if (err == 0 || err == UBI_IO_BITFLIPS) { + dbg_bld("Found non empty PEB:%i in pool", pnum); diff --git a/queue-4.8/usb-chipidea-host-fix-null-ptr-dereference-during-shutdown.patch b/queue-4.8/usb-chipidea-host-fix-null-ptr-dereference-during-shutdown.patch new file mode 100644 index 00000000000..e7b59f7be7f --- /dev/null +++ b/queue-4.8/usb-chipidea-host-fix-null-ptr-dereference-during-shutdown.patch 
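Review bot: `scrub` is assigned only on the `UBI_IO_FF_BITFLIPS` path in scan_pool() and is then passed to `add_aeb()` unconditionally, so the call is correct only if `scrub` is 0 at the start of every PEB iteration. Its declaration is outside the hunk. If it is declared outside the loop, or left set by an earlier branch of the same iteration, one PEB with bitflips would mark later free PEBs for scrubbing as well. Confirm the declaration reads `int scrub = 0;` inside the loop body. scan_pool() starts and ends outside the hunk.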
@@ -0,0 +1,37 @@
+From 991d5add50a5bb6ab8f12f2129f5c7487f6baaf6 Mon Sep 17 00:00:00 2001
+From: Stefan Wahren
+Date: Sat, 10 Sep 2016 12:53:21 +0000
+Subject: usb: chipidea: host: fix NULL ptr dereference during shutdown
+
+From: Stefan Wahren
+
+commit 991d5add50a5bb6ab8f12f2129f5c7487f6baaf6 upstream.
+
+After commit b09b5224fe86 ("usb: chipidea: implement platform shutdown
+callback") and commit 43a404577a93 ("usb: chipidea: host: set host to
+be null after hcd is freed") a NULL pointer dereference is caused
+on i.MX23 during shutdown. So ensure that role is set to CI_ROLE_END and
+we finish interrupt handling before the hcd is deallocated. This avoids
+the NULL pointer dereference.
+
+Suggested-by: Alan Stern
+Signed-off-by: Stefan Wahren
+Fixes: b09b5224fe86 ("usb: chipidea: implement platform shutdown callback")
+Signed-off-by: Peter Chen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/chipidea/host.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/chipidea/host.c
++++ b/drivers/usb/chipidea/host.c
+@@ -185,6 +185,8 @@ static void host_stop(struct ci_hdrc *ci
+
+ if (hcd) {
+ usb_remove_hcd(hcd);
++ ci->role = CI_ROLE_END;
++ synchronize_irq(ci->irq);
+ usb_put_hcd(hcd);
+ if (ci->platdata->reg_vbus && !ci_otg_is_fsm_mode(ci) &&
+ (ci->platdata->flags & CI_HDRC_TURN_VBUS_EARLY_ON))
diff --git a/queue-4.8/usb-dwc3-fix-size-used-in-dma_free_coherent.patch b/queue-4.8/usb-dwc3-fix-size-used-in-dma_free_coherent.patch
new file mode 100644
index 00000000000..96052cd26e9
--- /dev/null
+++ b/queue-4.8/usb-dwc3-fix-size-used-in-dma_free_coherent.patch
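Review bot: The two added lines in host_stop() are order-critical but carry no comment: `ci->role = CI_ROLE_END` has to be stored before `synchronize_irq(ci->irq)`, and both have to precede `usb_put_hcd(hcd)`, otherwise an interrupt handler could still reach the hcd while it is being released. A comment such as `/* stop role dispatch and drain in-flight IRQs before the hcd is released */` would keep a later cleanup from reordering them. The store to `ci->role` is a plain assignment that, per the commit message, is observed from interrupt handling; whether it needs `WRITE_ONCE()` or a lock depends on how the handler reads it, which is outside the hunk. host_stop() continues past the end of the hunk.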
@@ -0,0 +1,63 @@
+From 51fbc7c06c8900370c6da5fc4a4685add8fa4fb0 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Fri, 7 Oct 2016 22:12:39 +0200
+Subject: usb: dwc3: Fix size used in dma_free_coherent()
+
+From: Christophe JAILLET
+
+commit 51fbc7c06c8900370c6da5fc4a4685add8fa4fb0 upstream.
+
+In commit 2abd9d5fa60f9 ("usb: dwc3: ep0: Add chained TRB support"), the
+size of the memory allocated with 'dma_alloc_coherent()' has been modified
+but the corresponding calls to 'dma_free_coherent()' have not been updated
+accordingly.
+
+This has been spotted with coccinelle, using the following script:
+////////////////////
+@r@
+expression x0, x1, y0, y1, z0, z1, t0, t1, ret;
+@@
+
+* ret = dma_alloc_coherent(x0, y0, z0, t0);
+ ...
+* dma_free_coherent(x1, y1, ret, t1);
+
+@script:python@
+y0 << r.y0;
+y1 << r.y1;
+
+@@
+if y1.find(y0) == -1:
+ print "WARNING: sizes look different: '%s' vs '%s'" % (y0, y1)
+////////////////////
+
+Fixes: 2abd9d5fa60f9 ("usb: dwc3: ep0: Add chained TRB support")
+
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/dwc3/gadget.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -3055,7 +3055,7 @@ err3:
+ kfree(dwc->setup_buf);
+
+ err2:
+- dma_free_coherent(dwc->dev, sizeof(*dwc->ep0_trb),
++ dma_free_coherent(dwc->dev, sizeof(*dwc->ep0_trb) * 2,
+ dwc->ep0_trb, dwc->ep0_trb_addr);
+
+ err1:
+@@ -3080,7 +3080,7 @@ void dwc3_gadget_exit(struct dwc3 *dwc)
+ kfree(dwc->setup_buf);
+ kfree(dwc->zlp_buf);
+
+- dma_free_coherent(dwc->dev, sizeof(*dwc->ep0_trb),
++ dma_free_coherent(dwc->dev, sizeof(*dwc->ep0_trb) * 2,
+ dwc->ep0_trb, dwc->ep0_trb_addr);
+
+ dma_free_coherent(dwc->dev, sizeof(*dwc->ctrl_req),
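Review bot: Both corrected `dma_free_coherent()` calls (the `err2:` unwind path and dwc3_gadget_exit()) repeat the literal `sizeof(*dwc->ep0_trb) * 2`, and the matching allocation is outside the hunk, so the buffer size is still kept in step by hand in three places. That is the pattern that produced the mismatch being fixed, and a coherent DMA buffer freed with a size other than its allocation size tends to go unnoticed until something else breaks. A single definition used by the allocation and both frees, for example `#define DWC3_EP0_TRB_BUF_SIZE(dwc) (sizeof(*(dwc)->ep0_trb) * 2)` (the name is only a suggestion), would remove the duplication.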
diff --git a/queue-4.8/usb-musb-fix-hardirq-safe-hardirq-unsafe-lock-order-error.patch b/queue-4.8/usb-musb-fix-hardirq-safe-hardirq-unsafe-lock-order-error.patch
new file mode 100644
index 00000000000..1dec5a6d879
--- /dev/null
+++ b/queue-4.8/usb-musb-fix-hardirq-safe-hardirq-unsafe-lock-order-error.patch
@@ -0,0 +1,87 @@
+From d8e5f0eca1e88215e45aca27115ea747e6164da1 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren
+Date: Wed, 19 Oct 2016 12:03:39 -0500
+Subject: usb: musb: Fix hardirq-safe hardirq-unsafe lock order error
+
+From: Tony Lindgren
+
+commit d8e5f0eca1e88215e45aca27115ea747e6164da1 upstream.
+
+If we configure musb with 2430 glue as a peripheral, and then rmmod
+omap2430 module, we'll get the following error:
+
+[ INFO: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected ]
+...
+rmmod/413 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
+ (&phy->mutex){+.+.+.}, at: [] phy_power_off+0x1c/0xb8
+[ 204.678710]
+ and this task is already holding:
+ (&(&musb->lock)->rlock){-.-...}, at: []
+ musb_gadget_stop+0x24/0xec [musb_hdrc]
+which would create a new lock dependency:
+ (&(&musb->lock)->rlock){-.-...} -> (&phy->mutex){+.+.+.}
+...
+
+This is because some glue layers expect musb_platform_enable/disable
+to be called with spinlock held, and 2430 glue layer has USB PHY on
+the I2C bus using a mutex.
+
+We could fix the glue layers to take the spinlock, but we still have
+a problem of musb_plaform_enable/disable being called in an unbalanced
+manner. So that would still lead into USB PHY enable/disable related
+problems for omap2430 glue layer.
+
+While it makes sense to only enable USB PHY when needed from PM point
+of view, in this case we just can't do it yet without breaking things.
+So let's just revert phy_enable/disable related changes instead and
+reconsider this after we have fixed musb_platform_enable/disable to
+be balanced.
+
+Fixes: a83e17d0f73b ("usb: musb: Improve PM runtime and phy handling for 2430 glue layer")
+Reviewed-by: Laurent Pinchart
+Signed-off-by: Tony Lindgren
+Signed-off-by: Bin Liu
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/musb/omap2430.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/musb/omap2430.c
++++ b/drivers/usb/musb/omap2430.c
+@@ -337,6 +337,7 @@ static int omap2430_musb_init(struct mus
+ }
+ musb->isr = omap2430_musb_interrupt;
+ phy_init(musb->phy);
++ phy_power_on(musb->phy);
+
+ l = musb_readl(musb->mregs, OTG_INTERFSEL);
+
+@@ -373,8 +374,6 @@ static void omap2430_musb_enable(struct
+ struct musb_hdrc_platform_data *pdata = dev_get_platdata(dev);
+ struct omap_musb_board_data *data = pdata->board_data;
+
+- if (!WARN_ON(!musb->phy))
+- phy_power_on(musb->phy);
+
+ omap2430_set_power(musb, true, glue->cable_connected);
+
+@@ -413,9 +412,6 @@ static void omap2430_musb_disable(struct
+ struct device *dev = musb->controller;
+ struct omap2430_glue *glue = dev_get_drvdata(dev->parent);
+
+- if (!WARN_ON(!musb->phy))
+- phy_power_off(musb->phy);
+-
+ if (glue->status != MUSB_UNKNOWN)
+ omap_control_usb_set_mode(glue->control_otghs,
+ USB_MODE_DISCONNECT);
+@@ -429,6 +425,7 @@ static int omap2430_musb_exit(struct mus
+ struct omap2430_glue *glue = dev_get_drvdata(dev->parent);
+
+ omap2430_low_level_exit(musb);
++ phy_power_off(musb->phy);
+ phy_exit(musb->phy);
+ musb->phy = NULL;
+ cancel_work_sync(&glue->omap_musb_mailbox_work);
diff --git a/queue-4.8/v4l-vsp1-prevent-pipelines-from-running-when-not-streaming.patch b/queue-4.8/v4l-vsp1-prevent-pipelines-from-running-when-not-streaming.patch
new file mode 100644
index 00000000000..73ebf625442
--- /dev/null
+++ b/queue-4.8/v4l-vsp1-prevent-pipelines-from-running-when-not-streaming.patch
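Review bot: The added `phy_power_on(musb->phy);` in omap2430_musb_init() discards its return value, so a PHY that fails to power up still lets init continue, and the `phy_power_off(musb->phy);` added to omap2430_musb_exit() may then run without a matching power-on. The `phy_init(musb->phy);` context line just above follows the same unchecked pattern. Checking the result, e.g. `ret = phy_power_on(musb->phy);` followed by `if (ret) goto <existing error label>;`, would keep the power-on and power-off calls paired; the function's error path is outside the hunk, so the label is left as a placeholder. The removed `WARN_ON(!musb->phy)` guards have no counterpart on the new calls, and the removal in omap2430_musb_enable() leaves two consecutive blank lines.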
@@ -0,0 +1,47 @@
+From e4e70a147a48618a36ae1b81c641516cb9d45993 Mon Sep 17 00:00:00 2001
+From: Laurent Pinchart
+Date: Fri, 8 Jul 2016 06:20:51 -0300
+Subject: [media] v4l: vsp1: Prevent pipelines from running when not streaming
+
+From: Laurent Pinchart
+
+commit e4e70a147a48618a36ae1b81c641516cb9d45993 upstream.
+
+Pipelines can only be run if all their video nodes are streaming. Commit
+b4dfb9b35a19 ("[media] v4l: vsp1: Stop the pipeline upon the first
+STREAMOFF") fixed the pipeline stop sequence, but introduced a race
+condition that makes it possible to run a pipeline after stopping the
+stream on a video node by queuing a buffer on the other side of the
+pipeline.
+
+Fix this by clearing the buffers ready flag when stopping the stream,
+which will prevent the QBUF handler from running the pipeline.
+
+Fixes: b4dfb9b35a19 ("[media] v4l: vsp1: Stop the pipeline upon the first STREAMOFF")
+
+Reported-by: Kieran Bingham
+Tested-by: Kieran Bingham
+Signed-off-by: Laurent Pinchart
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/platform/vsp1/vsp1_video.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/media/platform/vsp1/vsp1_video.c
++++ b/drivers/media/platform/vsp1/vsp1_video.c
+@@ -675,6 +675,13 @@ static void vsp1_video_stop_streaming(st
+ unsigned long flags;
+ int ret;
+
++ /* Clear the buffers ready flag to make sure the device won't be started
++ * by a QBUF on the video node on the other side of the pipeline.
++ */
++ spin_lock_irqsave(&video->irqlock, flags);
++ pipe->buffers_ready &= ~(1 << video->pipe_index);
++ spin_unlock_irqrestore(&video->irqlock, flags);
++
+ mutex_lock(&pipe->lock);
+ if (--pipe->stream_count == pipe->num_inputs) {
+ /* Stop the pipeline. */
diff --git a/queue-4.8/video-fbdev-pxafb-potential-null-dereference-on-error.patch b/queue-4.8/video-fbdev-pxafb-potential-null-dereference-on-error.patch
new file mode 100644
index 00000000000..e4b5965e1d8
--- /dev/null
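Review bot: The added block in vsp1_video_stop_streaming() clears a bit in `pipe->buffers_ready`, a field of the shared pipeline, while holding `video->irqlock`, a lock that belongs to one video node. If the QBUF path on the other video node updates `buffers_ready` under a different lock (that code is outside the hunk), the two read-modify-write sequences are not mutually exclusive and an update could be lost, which would leave the race described in the commit message partly open. It is worth confirming which lock guards `buffers_ready` and naming it in the new comment, e.g. by appending `Takes the same lock as the QBUF path.` once verified. Separately, `1 << video->pipe_index` shifts a signed int; `1U << video->pipe_index` avoids undefined behaviour should the index ever reach 31.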
+++ b/queue-4.8/video-fbdev-pxafb-potential-null-dereference-on-error.patch
@@ -0,0 +1,33 @@
+From e0299908d606a99e7ffb467bc3c11dfe54133af3 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 15 Jul 2016 14:07:32 +0300
+Subject: video: fbdev: pxafb: potential NULL dereference on error
+
+From: Dan Carpenter
+
+commit e0299908d606a99e7ffb467bc3c11dfe54133af3 upstream.
+
+If we "goto out;" then it calls display_timings_release(timings);
+Since "timings" is NULL, that's going to oops. Just return directly.
+
+Fixes: 420a488278e8 ('video: fbdev: pxafb: initial devicetree conversion')
+Signed-off-by: Dan Carpenter
+Acked-by: Robert Jarzmik
+Signed-off-by: Tomi Valkeinen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/fbdev/pxafb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/pxafb.c
++++ b/drivers/video/fbdev/pxafb.c
+@@ -2125,7 +2125,7 @@ static int of_get_pxafb_display(struct d
+
+ timings = of_get_display_timings(disp);
+ if (!timings)
+- goto out;
++ return -EINVAL;
+
+ ret = -ENOMEM;
+ info->modes = kmalloc_array(timings->num_timings,
-- 
2.47.3