From b407c9447307356449e8c69f044f191ddaae560d Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sat, 18 Jun 2016 10:02:47 -0700 Subject: [PATCH] 4.6-stable patches added patches: alsa-hda-add-pci-id-for-kabylake.patch alsa-hda-fix-headset-mic-detection-problem-for-dell-machine.patch alsa-hda-realtek-add-support-for-new-codecs-alc700-alc701-alc703.patch alsa-hda-realtek-add-t560-docking-unit-fixup.patch alsa-hda-realtek-alc256-speaker-noise-issue.patch arm-fix-ptrace_setvfpregs-on-smp-systems.patch arm64-mm-always-take-dirty-state-from-new-pte-in-ptep_set_access_flags.patch arm64-provide-model-name-in-proc-cpuinfo-for-per_linux32-tasks.patch crypto-ccp-fix-aes-xts-error-for-request-sizes-above-4096.patch crypto-public_key-select-crypto_akcipher.patch drivers-perf-arm_pmu-defer-the-setting-of-__oprofile_cpu_pmu.patch ecryptfs-forbid-opening-files-without-mmap-handler.patch fix-d_walk-non-delayed-__d_free-race.patch gpio-bail-out-silently-on-null-descriptors.patch gpio-bcm-kona-fix-bcm_kona_gpio_reset-warnings.patch gpiolib-fix-null-pointer-deference.patch gpiolib-fix-unaligned-used-of-reference-counters.patch irqchip-gic-v3-fix-icc_sgi1r_el1.intid-decoding-mask.patch kvm-arm-arm64-vgic-v2-clear-all-dirty-lrs.patch kvm-arm-arm64-vgic-v3-clear-all-dirty-lrs.patch kvm-irqfd-fix-null-pointer-dereference-in-kvm_irq_map_gsi.patch kvm-x86-fix-oops-after-invalid-kvm_set_debugregs.patch memcg-add-rcu-locking-around-css_for_each_descendant_pre-in-memcg_offline_kmem.patch mm-thp-broken-page-count-after-commit-aa88b68c3b1d.patch parisc-fix-pagefault-crash-in-unaligned-__get_user-call.patch pinctrl-mediatek-fix-dual-edge-code-defect.patch powerpc-fix-definition-of-siar-and-sdar-registers.patch powerpc-mm-hash-fix-the-reference-bit-update-when-handling-hash-fault.patch powerpc-pseries-add-power8nvl-support-to-ibm-client-architecture-support-call.patch powerpc-pseries-eeh-handle-rtas-delay-requests-in-configure_bridge.patch powerpc-use-privileged-spr-number-for-mmcr2.patch proc-prevent-stacking-filesystems-on-top.patch 
s390-bpf-fix-recache-skb-data-hlen-for-skb_vlan_push-pop.patch s390-bpf-reduce-maximum-program-size-to-64-kb.patch sched-panic-on-corrupted-stack-end.patch wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch x86-entry-traps-don-t-force-in_interrupt-to-return-true-in-ist-handlers.patch --- .../alsa-hda-add-pci-id-for-kabylake.patch | 48 ++++++ ...c-detection-problem-for-dell-machine.patch | 33 ++++ ...-for-new-codecs-alc700-alc701-alc703.patch | 72 +++++++++ ...-realtek-add-t560-docking-unit-fixup.patch | 31 ++++ ...a-realtek-alc256-speaker-noise-issue.patch | 143 ++++++++++++++++++ ...fix-ptrace_setvfpregs-on-smp-systems.patch | 41 +++++ ...rom-new-pte-in-ptep_set_access_flags.patch | 56 +++++++ ...n-proc-cpuinfo-for-per_linux32-tasks.patch | 81 ++++++++++ ...s-error-for-request-sizes-above-4096.patch | 67 ++++++++ ...to-public_key-select-crypto_akcipher.patch | 37 +++++ ...er-the-setting-of-__oprofile_cpu_pmu.patch | 49 ++++++ ...d-opening-files-without-mmap-handler.patch | 59 ++++++++ ...fix-d_walk-non-delayed-__d_free-race.patch | 56 +++++++ ...ail-out-silently-on-null-descriptors.patch | 60 ++++++++ ...ona-fix-bcm_kona_gpio_reset-warnings.patch | 51 +++++++ .../gpiolib-fix-null-pointer-deference.patch | 44 ++++++ ...unaligned-used-of-reference-counters.patch | 58 +++++++ ...ix-icc_sgi1r_el1.intid-decoding-mask.patch | 30 ++++ ...rm-arm64-vgic-v2-clear-all-dirty-lrs.patch | 39 +++++ ...rm-arm64-vgic-v3-clear-all-dirty-lrs.patch | 39 +++++ ...inter-dereference-in-kvm_irq_map_gsi.patch | 79 ++++++++++ ...oops-after-invalid-kvm_set_debugregs.patch | 83 ++++++++++ ...descendant_pre-in-memcg_offline_kmem.patch | 75 +++++++++ ...page-count-after-commit-aa88b68c3b1d.patch | 68 +++++++++ ...t-crash-in-unaligned-__get_user-call.patch | 109 +++++++++++++ ...l-mediatek-fix-dual-edge-code-defect.patch | 38 +++++ ...efinition-of-siar-and-sdar-registers.patch | 46 ++++++ ...-bit-update-when-handling-hash-fault.patch | 99 ++++++++++++ 
...ibm-client-architecture-support-call.patch | 35 +++++ ...s-delay-requests-in-configure_bridge.patch | 95 ++++++++++++ ...-use-privileged-spr-number-for-mmcr2.patch | 35 +++++ ...-prevent-stacking-filesystems-on-top.patch | 41 +++++ ...-skb-data-hlen-for-skb_vlan_push-pop.patch | 61 ++++++++ ...reduce-maximum-program-size-to-64-kb.patch | 38 +++++ .../sched-panic-on-corrupted-stack-end.patch | 37 +++++ queue-4.6/series | 37 +++++ ...mpatibility-issue-with-64-bit-kernel.patch | 68 +++++++++ ...rrupt-to-return-true-in-ist-handlers.patch | 96 ++++++++++++ 38 files changed, 2234 insertions(+) create mode 100644 queue-4.6/alsa-hda-add-pci-id-for-kabylake.patch create mode 100644 queue-4.6/alsa-hda-fix-headset-mic-detection-problem-for-dell-machine.patch create mode 100644 queue-4.6/alsa-hda-realtek-add-support-for-new-codecs-alc700-alc701-alc703.patch create mode 100644 queue-4.6/alsa-hda-realtek-add-t560-docking-unit-fixup.patch create mode 100644 queue-4.6/alsa-hda-realtek-alc256-speaker-noise-issue.patch create mode 100644 queue-4.6/arm-fix-ptrace_setvfpregs-on-smp-systems.patch create mode 100644 queue-4.6/arm64-mm-always-take-dirty-state-from-new-pte-in-ptep_set_access_flags.patch create mode 100644 queue-4.6/arm64-provide-model-name-in-proc-cpuinfo-for-per_linux32-tasks.patch create mode 100644 queue-4.6/crypto-ccp-fix-aes-xts-error-for-request-sizes-above-4096.patch create mode 100644 queue-4.6/crypto-public_key-select-crypto_akcipher.patch create mode 100644 queue-4.6/drivers-perf-arm_pmu-defer-the-setting-of-__oprofile_cpu_pmu.patch create mode 100644 queue-4.6/ecryptfs-forbid-opening-files-without-mmap-handler.patch create mode 100644 queue-4.6/fix-d_walk-non-delayed-__d_free-race.patch create mode 100644 queue-4.6/gpio-bail-out-silently-on-null-descriptors.patch create mode 100644 queue-4.6/gpio-bcm-kona-fix-bcm_kona_gpio_reset-warnings.patch create mode 100644 queue-4.6/gpiolib-fix-null-pointer-deference.patch create mode 100644 
queue-4.6/gpiolib-fix-unaligned-used-of-reference-counters.patch create mode 100644 queue-4.6/irqchip-gic-v3-fix-icc_sgi1r_el1.intid-decoding-mask.patch create mode 100644 queue-4.6/kvm-arm-arm64-vgic-v2-clear-all-dirty-lrs.patch create mode 100644 queue-4.6/kvm-arm-arm64-vgic-v3-clear-all-dirty-lrs.patch create mode 100644 queue-4.6/kvm-irqfd-fix-null-pointer-dereference-in-kvm_irq_map_gsi.patch create mode 100644 queue-4.6/kvm-x86-fix-oops-after-invalid-kvm_set_debugregs.patch create mode 100644 queue-4.6/memcg-add-rcu-locking-around-css_for_each_descendant_pre-in-memcg_offline_kmem.patch create mode 100644 queue-4.6/mm-thp-broken-page-count-after-commit-aa88b68c3b1d.patch create mode 100644 queue-4.6/parisc-fix-pagefault-crash-in-unaligned-__get_user-call.patch create mode 100644 queue-4.6/pinctrl-mediatek-fix-dual-edge-code-defect.patch create mode 100644 queue-4.6/powerpc-fix-definition-of-siar-and-sdar-registers.patch create mode 100644 queue-4.6/powerpc-mm-hash-fix-the-reference-bit-update-when-handling-hash-fault.patch create mode 100644 queue-4.6/powerpc-pseries-add-power8nvl-support-to-ibm-client-architecture-support-call.patch create mode 100644 queue-4.6/powerpc-pseries-eeh-handle-rtas-delay-requests-in-configure_bridge.patch create mode 100644 queue-4.6/powerpc-use-privileged-spr-number-for-mmcr2.patch create mode 100644 queue-4.6/proc-prevent-stacking-filesystems-on-top.patch create mode 100644 queue-4.6/s390-bpf-fix-recache-skb-data-hlen-for-skb_vlan_push-pop.patch create mode 100644 queue-4.6/s390-bpf-reduce-maximum-program-size-to-64-kb.patch create mode 100644 queue-4.6/sched-panic-on-corrupted-stack-end.patch create mode 100644 queue-4.6/wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch create mode 100644 queue-4.6/x86-entry-traps-don-t-force-in_interrupt-to-return-true-in-ist-handlers.patch 
diff --git a/queue-4.6/alsa-hda-add-pci-id-for-kabylake.patch b/queue-4.6/alsa-hda-add-pci-id-for-kabylake.patch
new file mode 100644
index 00000000000..c21b315cd8a
--- /dev/null
+++ b/queue-4.6/alsa-hda-add-pci-id-for-kabylake.patch
@@ -0,0 +1,48 @@
+From 35639a0e98391036a4c7f23253c321d6621a8897 Mon Sep 17 00:00:00 2001
+From: Vinod Koul
+Date: Thu, 9 Jun 2016 11:32:14 +0530
+Subject: ALSA: hda - Add PCI ID for Kabylake
+
+From: Vinod Koul
+
+commit 35639a0e98391036a4c7f23253c321d6621a8897 upstream.
+
+Kabylake shows up as PCI ID 0xa171. And Kabylake-LP as 0x9d71.
+Since these are similar to Skylake add these to SKL_PLUS macro
+
+Signed-off-by: Vinod Koul
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/hda_intel.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -365,8 +365,11 @@ enum {
+
+ #define IS_SKL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa170)
+ #define IS_SKL_LP(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x9d70)
++#define IS_KBL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa171)
++#define IS_KBL_LP(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x9d71)
+ #define IS_BXT(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x5a98)
+-#define IS_SKL_PLUS(pci) (IS_SKL(pci) || IS_SKL_LP(pci) || IS_BXT(pci))
++#define IS_SKL_PLUS(pci) (IS_SKL(pci) || IS_SKL_LP(pci) || IS_BXT(pci)) || \
++ IS_KBL(pci) || IS_KBL_LP(pci)
+
+ static char *driver_short_names[] = {
+ [AZX_DRIVER_ICH] = "HDA Intel",
+@@ -2181,6 +2184,12 @@ static const struct pci_device_id azx_id
+ /* Sunrise Point-LP */
+ { PCI_DEVICE(0x8086, 0x9d70),
+ .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_SKYLAKE },
++ /* Kabylake */
++ { PCI_DEVICE(0x8086, 0xa171),
++ .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_SKYLAKE },
++ /* Kabylake-LP */
++ { PCI_DEVICE(0x8086, 0x9d71),
++ .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_SKYLAKE },
+ /* Broxton-P(Apollolake) */
+ { PCI_DEVICE(0x8086, 0x5a98),
+ .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_BROXTON },
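Review bot: The rewritten `IS_SKL_PLUS` in the sound/pci/hda/hda_intel.c hunk closes its outer parenthesis right after `IS_BXT(pci)`, so the two new Kabylake terms sit outside it and the expansion is no longer one parenthesised expression. A use such as `!IS_SKL_PLUS(pci)` or `x && IS_SKL_PLUS(pci)` would then apply the operator to the first group only and evaluate true for the Kabylake IDs regardless of the rest; the macro's callers are outside this hunk, so the practical impact could not be checked here. The definition should be `#define IS_SKL_PLUS(pci) (IS_SKL(pci) || IS_SKL_LP(pci) || IS_BXT(pci) || IS_KBL(pci) || IS_KBL_LP(pci))`, with the closing parenthesis moved to the very end.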
diff --git a/queue-4.6/alsa-hda-fix-headset-mic-detection-problem-for-dell-machine.patch b/queue-4.6/alsa-hda-fix-headset-mic-detection-problem-for-dell-machine.patch
new file mode 100644
index 00000000000..9688abbfc4e
--- /dev/null
+++ b/queue-4.6/alsa-hda-fix-headset-mic-detection-problem-for-dell-machine.patch
@@ -0,0 +1,33 @@
+From f90d83b301701026b2e4c437a3613f377f63290e Mon Sep 17 00:00:00 2001
+From: AceLan Kao
+Date: Fri, 3 Jun 2016 14:45:25 +0800
+Subject: ALSA: hda - Fix headset mic detection problem for Dell machine
+
+From: AceLan Kao
+
+commit f90d83b301701026b2e4c437a3613f377f63290e upstream.
+
+Add the pin configuration value of this machine into the pin_quirk
+table to make DELL1_MIC_NO_PRESENCE apply to this machine.
+
+Signed-off-by: AceLan Kao
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5775,6 +5775,10 @@ static const struct snd_hda_pin_quirk al
+ {0x12, 0x90a60180},
+ {0x14, 0x90170130},
+ {0x21, 0x02211040}),
++ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell Inspiron 5565", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
++ {0x12, 0x90a60180},
++ {0x14, 0x90170120},
++ {0x21, 0x02211030}),
+ SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+ {0x12, 0x90a60160},
+ {0x14, 0x90170120},
diff --git a/queue-4.6/alsa-hda-realtek-add-support-for-new-codecs-alc700-alc701-alc703.patch b/queue-4.6/alsa-hda-realtek-add-support-for-new-codecs-alc700-alc701-alc703.patch
new file mode 100644
index 00000000000..e91dd704094
--- /dev/null
+++ b/queue-4.6/alsa-hda-realtek-add-support-for-new-codecs-alc700-alc701-alc703.patch
@@ -0,0 +1,72 @@
+From 6fbae35a3170c3e2b1b9d7b9cc943cbe48771362 Mon Sep 17 00:00:00 2001
+From: Kailang Yang
+Date: Mon, 30 May 2016 16:44:20 +0800
+Subject: ALSA: hda/realtek - Add support for new codecs ALC700/ALC701/ALC703
+
+From: Kailang Yang
+
+commit 6fbae35a3170c3e2b1b9d7b9cc943cbe48771362 upstream.
+
+Support new codecs for ALC700/ALC701/ALC703.
+
+Signed-off-by: Kailang Yang
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -346,6 +346,9 @@ static void alc_fill_eapd_coef(struct hd
+ case 0x10ec0234:
+ case 0x10ec0274:
+ case 0x10ec0294:
++ case 0x10ec0700:
++ case 0x10ec0701:
++ case 0x10ec0703:
+ alc_update_coef_idx(codec, 0x10, 1<<15, 0);
+ break;
+ case 0x10ec0662:
+@@ -2655,6 +2658,7 @@ enum {
+ ALC269_TYPE_ALC256,
+ ALC269_TYPE_ALC225,
+ ALC269_TYPE_ALC294,
++ ALC269_TYPE_ALC700,
+ };
+
+ /*
+@@ -2686,6 +2690,7 @@ static int alc269_parse_auto_config(stru
+ case ALC269_TYPE_ALC256:
+ case ALC269_TYPE_ALC225:
+ case ALC269_TYPE_ALC294:
++ case ALC269_TYPE_ALC700:
+ ssids = alc269_ssids;
+ break;
+ default:
+@@ -6099,6 +6104,14 @@ static int patch_alc269(struct hda_codec
+ case 0x10ec0294:
+ spec->codec_variant = ALC269_TYPE_ALC294;
+ break;
++ case 0x10ec0700:
++ case 0x10ec0701:
++ case 0x10ec0703:
++ spec->codec_variant = ALC269_TYPE_ALC700;
++ spec->gen.mixer_nid = 0; /* ALC700 does not have any loopback mixer path */
++ alc_update_coef_idx(codec, 0x4a, 0, 1 << 15); /* Combo jack auto trigger control */
++ break;
++
+ }
+
+ if (snd_hda_codec_read(codec, 0x51, 0, AC_VERB_PARAMETERS, 0) == 0x10ec5505) {
+@@ -7054,6 +7067,9 @@ static const struct hda_device_id snd_hd
+ HDA_CODEC_ENTRY(0x10ec0670, "ALC670", patch_alc662),
+ HDA_CODEC_ENTRY(0x10ec0671, "ALC671", patch_alc662),
+ HDA_CODEC_ENTRY(0x10ec0680, "ALC680", patch_alc680),
++ HDA_CODEC_ENTRY(0x10ec0700, "ALC700", patch_alc269),
++ HDA_CODEC_ENTRY(0x10ec0701, "ALC701", patch_alc269),
++ HDA_CODEC_ENTRY(0x10ec0703, "ALC703", patch_alc269),
+ HDA_CODEC_ENTRY(0x10ec0867, "ALC891", patch_alc882),
+ HDA_CODEC_ENTRY(0x10ec0880, "ALC880", patch_alc880),
+ HDA_CODEC_ENTRY(0x10ec0882, "ALC882", patch_alc882),
diff --git a/queue-4.6/alsa-hda-realtek-add-t560-docking-unit-fixup.patch b/queue-4.6/alsa-hda-realtek-add-t560-docking-unit-fixup.patch
new file mode 100644
index 00000000000..41d3fcd7157
--- /dev/null
+++ b/queue-4.6/alsa-hda-realtek-add-t560-docking-unit-fixup.patch
@@ -0,0 +1,31 @@
+From dab38e43b298501a4e8807b56117c029e2e98383 Mon Sep 17 00:00:00 2001
+From: Torsten Hilbrich
+Date: Tue, 7 Jun 2016 13:14:21 +0200
+Subject: ALSA: hda/realtek: Add T560 docking unit fixup
+
+From: Torsten Hilbrich
+
+commit dab38e43b298501a4e8807b56117c029e2e98383 upstream.
+
+Tested with Lenovo Ultradock. Fixes the non-working headphone jack on
+the docking unit.
+
+Signed-off-by: Torsten Hilbrich
+Tested-by: Torsten Hilbrich
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5634,6 +5634,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x17aa, 0x2218, "Thinkpad X1 Carbon 2nd", ALC292_FIXUP_TPT440_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x2223, "ThinkPad T550", ALC292_FIXUP_TPT440_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x2226, "ThinkPad X250", ALC292_FIXUP_TPT440_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x2231, "Thinkpad T560", ALC292_FIXUP_TPT460),
+ SND_PCI_QUIRK(0x17aa, 0x2233, "Thinkpad", ALC292_FIXUP_TPT460),
+ SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+ SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
diff --git a/queue-4.6/alsa-hda-realtek-alc256-speaker-noise-issue.patch b/queue-4.6/alsa-hda-realtek-alc256-speaker-noise-issue.patch
new file mode 100644
index 00000000000..4c3eb1d99f0
--- /dev/null
+++ b/queue-4.6/alsa-hda-realtek-alc256-speaker-noise-issue.patch
@@ -0,0 +1,143 @@
+From e69e7e03ed225abf3e1c43545aa3bcb68dc81d5f Mon Sep 17 00:00:00 2001
+From: Kailang Yang
+Date: Mon, 30 May 2016 15:58:28 +0800
+Subject: ALSA: hda/realtek - ALC256 speaker noise issue
+
+From: Kailang Yang
+
+commit e69e7e03ed225abf3e1c43545aa3bcb68dc81d5f upstream.
+
+That is some different register for ALC255 and ALC256.
+ALC256 can't fit with some ALC255 register.
+This issue is cause from LDO output voltage control.
+This patch is updated the right LDO register value.
+
+Signed-off-by: Kailang Yang
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 52 +++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 47 insertions(+), 5 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3618,13 +3618,20 @@ static void alc269_fixup_hp_line1_mic1_l
+ static void alc_headset_mode_unplugged(struct hda_codec *codec)
+ {
+ static struct coef_fw coef0255[] = {
+- WRITE_COEF(0x1b, 0x0c0b), /* LDO and MISC control */
+ WRITE_COEF(0x45, 0xd089), /* UAJ function set to menual mode */
+ UPDATE_COEFEX(0x57, 0x05, 1<<14, 0), /* Direct Drive HP Amp control(Set to verb control)*/
+ WRITE_COEF(0x06, 0x6104), /* Set MIC2 Vref gate with HP */
+ WRITE_COEFEX(0x57, 0x03, 0x8aa6), /* Direct Drive HP Amp control */
+ {}
+ };
++ static struct coef_fw coef0255_1[] = {
++ WRITE_COEF(0x1b, 0x0c0b), /* LDO and MISC control */
++ {}
++ };
++ static struct coef_fw coef0256[] = {
++ WRITE_COEF(0x1b, 0x0c4b), /* LDO and MISC control */
++ {}
++ };
+ static struct coef_fw coef0233[] = {
+ WRITE_COEF(0x1b, 0x0c0b),
+ WRITE_COEF(0x45, 0xc429),
+@@ -3677,7 +3684,11 @@ static void alc_headset_mode_unplugged(s
+
+ switch (codec->core.vendor_id) {
+ case 0x10ec0255:
++ alc_process_coef_fw(codec, coef0255_1);
++ alc_process_coef_fw(codec, coef0255);
++ break;
+ case 0x10ec0256:
++ alc_process_coef_fw(codec, coef0256);
+ alc_process_coef_fw(codec, coef0255);
+ break;
+ case 0x10ec0233:
+@@ -3896,6 +3907,12 @@ static void alc_headset_mode_ctia(struct
+ WRITE_COEFEX(0x57, 0x03, 0x8ea6),
+ {}
+ };
++ static struct coef_fw coef0256[] = {
++ WRITE_COEF(0x45, 0xd489), /* Set to CTIA type */
++ WRITE_COEF(0x1b, 0x0c6b),
++ WRITE_COEFEX(0x57, 0x03, 0x8ea6),
++ {}
++ };
+ static struct coef_fw coef0233[] = {
+ WRITE_COEF(0x45, 0xd429),
+ WRITE_COEF(0x1b, 0x0c2b),
+@@ -3936,9 +3953,11 @@ static void alc_headset_mode_ctia(struct
+
+ switch (codec->core.vendor_id) {
+ case 0x10ec0255:
+- case 0x10ec0256:
+ alc_process_coef_fw(codec, coef0255);
+ break;
++ case 0x10ec0256:
++ alc_process_coef_fw(codec, coef0256);
++ break;
+ case 0x10ec0233:
+ case 0x10ec0283:
+ alc_process_coef_fw(codec, coef0233);
+@@ -3978,6 +3997,12 @@ static void alc_headset_mode_omtp(struct
+ WRITE_COEFEX(0x57, 0x03, 0x8ea6),
+ {}
+ };
++ static struct coef_fw coef0256[] = {
++ WRITE_COEF(0x45, 0xe489), /* Set to OMTP Type */
++ WRITE_COEF(0x1b, 0x0c6b),
++ WRITE_COEFEX(0x57, 0x03, 0x8ea6),
++ {}
++ };
+ static struct coef_fw coef0233[] = {
+ WRITE_COEF(0x45, 0xe429),
+ WRITE_COEF(0x1b, 0x0c2b),
+@@ -4018,9 +4043,11 @@ static void alc_headset_mode_omtp(struct
+
+ switch (codec->core.vendor_id) {
+ case 0x10ec0255:
+- case 0x10ec0256:
+ alc_process_coef_fw(codec, coef0255);
+ break;
++ case 0x10ec0256:
++ alc_process_coef_fw(codec, coef0256);
++ break;
+ case 0x10ec0233:
+ case 0x10ec0283:
+ alc_process_coef_fw(codec, coef0233);
+@@ -4266,7 +4293,7 @@ static void alc_fixup_headset_mode_no_hp
+ static void alc255_set_default_jack_type(struct hda_codec *codec)
+ {
+ /* Set to iphone type */
+- static struct coef_fw fw[] = {
++ static struct coef_fw alc255fw[] = {
+ WRITE_COEF(0x1b, 0x880b),
+ WRITE_COEF(0x45, 0xd089),
+ WRITE_COEF(0x1b, 0x080b),
+@@ -4274,7 +4301,22 @@ static void alc255_set_default_jack_type
+ WRITE_COEF(0x1b, 0x0c0b),
+ {}
+ };
+- alc_process_coef_fw(codec, fw);
++ static struct coef_fw alc256fw[] = {
++ WRITE_COEF(0x1b, 0x884b),
++ WRITE_COEF(0x45, 0xd089),
++ WRITE_COEF(0x1b, 0x084b),
++ WRITE_COEF(0x46, 0x0004),
++ WRITE_COEF(0x1b, 0x0c4b),
++ {}
++ };
++ switch (codec->core.vendor_id) {
++ case 0x10ec0255:
++ alc_process_coef_fw(codec, alc255fw);
++ break;
++ case 0x10ec0256:
++ alc_process_coef_fw(codec, alc256fw);
++ break;
++ }
+ msleep(30);
+ }
+
diff --git a/queue-4.6/arm-fix-ptrace_setvfpregs-on-smp-systems.patch b/queue-4.6/arm-fix-ptrace_setvfpregs-on-smp-systems.patch
new file mode 100644
index 00000000000..17523d1d281
--- /dev/null
+++ b/queue-4.6/arm-fix-ptrace_setvfpregs-on-smp-systems.patch
@@ -0,0 +1,41 @@
+From e2dfb4b880146bfd4b6aa8e138c0205407cebbaf Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Mon, 30 May 2016 23:14:56 +0100
+Subject: ARM: fix PTRACE_SETVFPREGS on SMP systems
+
+From: Russell King
+
+commit e2dfb4b880146bfd4b6aa8e138c0205407cebbaf upstream.
+
+PTRACE_SETVFPREGS fails to properly mark the VFP register set to be
+reloaded, because it undoes one of the effects of vfp_flush_hwstate().
+
+Specifically vfp_flush_hwstate() sets thread->vfpstate.hard.cpu to
+an invalid CPU number, but vfp_set() overwrites this with the original
+CPU number, thereby rendering the hardware state as apparently "valid",
+even though the software state is more recent.
+
+Fix this by reverting the previous change.
+
+Fixes: 8130b9d7b9d8 ("ARM: 7308/1: vfp: flush thread hwstate before copying ptrace registers")
+Acked-by: Will Deacon
+Tested-by: Simon Marchi
+Signed-off-by: Russell King
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/kernel/ptrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/ptrace.c
++++ b/arch/arm/kernel/ptrace.c
+@@ -733,8 +733,8 @@ static int vfp_set(struct task_struct *t
+ if (ret)
+ return ret;
+
+- vfp_flush_hwstate(thread);
+ thread->vfpstate.hard = new_vfp;
++ vfp_flush_hwstate(thread);
+
+ return 0;
+ }
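Review bot: In alc255_set_default_jack_type() (alc256 speaker-noise patch, last inner hunk) the new `switch (codec->core.vendor_id)` has no `default`, so a codec that is neither 0x10ec0255 nor 0x10ec0256 now skips the coefficient writes and only runs `msleep(30)`, where the old code always called `alc_process_coef_fw(codec, fw)`. Whether any other codec can reach this function is not visible in the hunk; if one can, `default: alc_process_coef_fw(codec, alc255fw); break;` would keep the previous behaviour instead of changing it silently. A one-line comment above `alc256fw` saying that, in the lines shown, it differs from `alc255fw` only in the values written to coefficient 0x1b would also make the duplication easier to review.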
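Review bot: The statement order in vfp_set() (arch/arm/kernel/ptrace.c) is the entire fix, yet nothing in the code says why `vfp_flush_hwstate(thread)` has to follow the copy. Per the commit message, the flush invalidates `thread->vfpstate.hard.cpu`, and assigning `new_vfp` afterwards restores the old CPU number so that stale hardware register state looks valid to the ptraced task. I would add above the call `/* must follow the copy: new_vfp carries the old hard.cpu and would undo the invalidation */`, since the order was already swapped once by the commit named in the Fixes: tag. The function begins outside the hunk.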
diff --git a/queue-4.6/arm64-mm-always-take-dirty-state-from-new-pte-in-ptep_set_access_flags.patch b/queue-4.6/arm64-mm-always-take-dirty-state-from-new-pte-in-ptep_set_access_flags.patch
new file mode 100644
index 00000000000..2ae50bf3a1e
--- /dev/null
+++ b/queue-4.6/arm64-mm-always-take-dirty-state-from-new-pte-in-ptep_set_access_flags.patch
@@ -0,0 +1,56 @@
+From 0106d456c4cb1770253fefc0ab23c9ca760b43f7 Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Tue, 7 Jun 2016 17:55:15 +0100
+Subject: arm64: mm: always take dirty state from new pte in ptep_set_access_flags
+
+From: Will Deacon
+
+commit 0106d456c4cb1770253fefc0ab23c9ca760b43f7 upstream.
+
+Commit 66dbd6e61a52 ("arm64: Implement ptep_set_access_flags() for
+hardware AF/DBM") ensured that pte flags are updated atomically in the
+face of potential concurrent, hardware-assisted updates. However, Alex
+reports that:
+
+ | This patch breaks swapping for me.
+ | In the broken case, you'll see either systemd cpu time spike (because
+ | it's stuck in a page fault loop) or the system hang (because the
+ | application owning the screen is stuck in a page fault loop).
+
+It turns out that this is because the 'dirty' argument to
+ptep_set_access_flags is always 0 for read faults, and so we can't use
+it to set PTE_RDONLY. The failing sequence is:
+
+ 1. We put down a PTE_WRITE | PTE_DIRTY | PTE_AF pte
+ 2. Memory pressure -> pte_mkold(pte) -> clear PTE_AF
+ 3. A read faults due to the missing access flag
+ 4. ptep_set_access_flags is called with dirty = 0, due to the read fault
+ 5. pte is then made PTE_WRITE | PTE_DIRTY | PTE_AF | PTE_RDONLY (!)
+ 6. A write faults, but pte_write is true so we get stuck
+
+The solution is to check the new page table entry (as would be done by
+the generic, non-atomic definition of ptep_set_access_flags that just
+calls set_pte_at) to establish the dirty state.
+
+Fixes: 66dbd6e61a52 ("arm64: Implement ptep_set_access_flags() for hardware AF/DBM")
+Reviewed-by: Catalin Marinas
+Reported-by: Alexander Graf
+Tested-by: Alexander Graf
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/mm/fault.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/mm/fault.c
++++ b/arch/arm64/mm/fault.c
+@@ -109,7 +109,7 @@ int ptep_set_access_flags(struct vm_area
+ * PTE_RDONLY is cleared by default in the asm below, so set it in
+ * back if necessary (read-only or clean PTE).
+ */
+- if (!pte_write(entry) || !dirty)
++ if (!pte_write(entry) || !pte_sw_dirty(entry))
+ pte_val(entry) |= PTE_RDONLY;
+
+ /*
diff --git a/queue-4.6/arm64-provide-model-name-in-proc-cpuinfo-for-per_linux32-tasks.patch b/queue-4.6/arm64-provide-model-name-in-proc-cpuinfo-for-per_linux32-tasks.patch
new file mode 100644
index 00000000000..0570d37fea6
--- /dev/null
+++ b/queue-4.6/arm64-provide-model-name-in-proc-cpuinfo-for-per_linux32-tasks.patch
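Review bot: After this change the `PTE_RDONLY` test in ptep_set_access_flags() (arch/arm64/mm/fault.c) no longer reads the `dirty` argument, but the comment above it still says only "(read-only or clean PTE)" and does not say where "clean" is taken from. I would extend that comment with ` * Clean is judged from the new entry (pte_sw_dirty), not from 'dirty', which is 0 for read faults.` so that a later edit does not put the argument back into the condition and reintroduce the read-only-but-writable PTE state the commit message describes. Whether `dirty` is still used elsewhere in the function cannot be seen from this hunk.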
@@ -0,0 +1,81 @@
+From e47b020a323d1b2a7b1e9aac86e99eae19463630 Mon Sep 17 00:00:00 2001
+From: Catalin Marinas
+Date: Tue, 31 May 2016 15:55:03 +0100
+Subject: arm64: Provide "model name" in /proc/cpuinfo for PER_LINUX32 tasks
+
+From: Catalin Marinas
+
+commit e47b020a323d1b2a7b1e9aac86e99eae19463630 upstream.
+
+This patch brings the PER_LINUX32 /proc/cpuinfo format more in line with
+the 32-bit ARM one by providing an additional line:
+
+model name : ARMv8 Processor rev X (v8l)
+
+Acked-by: Will Deacon
+Signed-off-by: Catalin Marinas
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/include/asm/elf.h | 4 ++--
+ arch/arm64/kernel/cpuinfo.c | 8 +++++++-
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -160,14 +160,14 @@ extern int arch_setup_additional_pages(s
+ #define STACK_RND_MASK (0x3ffff >> (PAGE_SHIFT - 12))
+ #endif
+
+-#ifdef CONFIG_COMPAT
+-
+ #ifdef __AARCH64EB__
+ #define COMPAT_ELF_PLATFORM ("v8b")
+ #else
+ #define COMPAT_ELF_PLATFORM ("v8l")
+ #endif
+
++#ifdef CONFIG_COMPAT
++
+ #define COMPAT_ELF_ET_DYN_BASE (2 * TASK_SIZE_32 / 3)
+
+ /* AArch32 registers. */
+--- a/arch/arm64/kernel/cpuinfo.c
++++ b/arch/arm64/kernel/cpuinfo.c
+@@ -22,6 +22,8 @@
+
+ #include
+ #include
++#include
++#include
+ #include
+ #include
+ #include
+@@ -104,6 +106,7 @@ static const char *const compat_hwcap2_s
+ static int c_show(struct seq_file *m, void *v)
+ {
+ int i, j;
++ bool compat = personality(current->personality) == PER_LINUX32;
+
+ for_each_online_cpu(i) {
+ struct cpuinfo_arm64 *cpuinfo = &per_cpu(cpu_data, i);
+@@ -115,6 +118,9 @@ static int c_show(struct seq_file *m, vo
+ * "processor". Give glibc what it expects.
+ */
+ seq_printf(m, "processor\t: %d\n", i);
++ if (compat)
++ seq_printf(m, "model name\t: ARMv8 Processor rev %d (%s)\n",
++ MIDR_REVISION(midr), COMPAT_ELF_PLATFORM);
+
+ seq_printf(m, "BogoMIPS\t: %lu.%02lu\n",
+ loops_per_jiffy / (500000UL/HZ),
+@@ -127,7 +133,7 @@ static int c_show(struct seq_file *m, vo
+ * software which does already (at least for 32-bit).
+ */
+ seq_puts(m, "Features\t:");
+- if (personality(current->personality) == PER_LINUX32) {
++ if (compat) {
+ #ifdef CONFIG_COMPAT
+ for (j = 0; compat_hwcap_str[j]; j++)
+ if (compat_elf_hwcap & (1 << j))
diff --git a/queue-4.6/crypto-ccp-fix-aes-xts-error-for-request-sizes-above-4096.patch b/queue-4.6/crypto-ccp-fix-aes-xts-error-for-request-sizes-above-4096.patch
new file mode 100644
index 00000000000..e9f6cb27452
--- /dev/null
+++ b/queue-4.6/crypto-ccp-fix-aes-xts-error-for-request-sizes-above-4096.patch
@@ -0,0 +1,67 @@
+From ab6a11a7c8ef47f996974dd3c648c2c0b1a36ab1 Mon Sep 17 00:00:00 2001
+From: Tom Lendacky
+Date: Fri, 20 May 2016 17:33:03 -0500
+Subject: crypto: ccp - Fix AES XTS error for request sizes above 4096
+
+From: Tom Lendacky
+
+commit ab6a11a7c8ef47f996974dd3c648c2c0b1a36ab1 upstream.
+
+The ccp-crypto module for AES XTS support has a bug that can allow requests
+greater than 4096 bytes in size to be passed to the CCP hardware. The CCP
+hardware does not support request sizes larger than 4096, resulting in
+incorrect output. The request should actually be handled by the fallback
+mechanism instantiated by the ccp-crypto module.
+
+Add a check to insure the request size is less than or equal to the maximum
+supported size and use the fallback mechanism if it is not.
+
+Signed-off-by: Tom Lendacky
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/crypto/ccp/ccp-crypto-aes-xts.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/crypto/ccp/ccp-crypto-aes-xts.c
++++ b/drivers/crypto/ccp/ccp-crypto-aes-xts.c
+@@ -122,6 +122,7 @@ static int ccp_aes_xts_crypt(struct ablk
+ struct ccp_ctx *ctx = crypto_tfm_ctx(req->base.tfm);
+ struct ccp_aes_req_ctx *rctx = ablkcipher_request_ctx(req);
+ unsigned int unit;
++ u32 unit_size;
+ int ret;
+
+ if (!ctx->u.aes.key_len)
+@@ -133,11 +134,17 @@ static int ccp_aes_xts_crypt(struct ablk
+ if (!req->info)
+ return -EINVAL;
+
+- for (unit = 0; unit < ARRAY_SIZE(unit_size_map); unit++)
+- if (!(req->nbytes & (unit_size_map[unit].size - 1)))
+- break;
++ unit_size = CCP_XTS_AES_UNIT_SIZE__LAST;
++ if (req->nbytes <= unit_size_map[0].size) {
++ for (unit = 0; unit < ARRAY_SIZE(unit_size_map); unit++) {
++ if (!(req->nbytes & (unit_size_map[unit].size - 1))) {
++ unit_size = unit_size_map[unit].value;
++ break;
++ }
++ }
++ }
+
+- if ((unit_size_map[unit].value == CCP_XTS_AES_UNIT_SIZE__LAST) ||
++ if ((unit_size == CCP_XTS_AES_UNIT_SIZE__LAST) ||
+ (ctx->u.aes.key_len != AES_KEYSIZE_128)) {
+ /* Use the fallback to process the request for any
+ * unsupported unit sizes or key sizes
+@@ -158,7 +165,7 @@ static int ccp_aes_xts_crypt(struct ablk
+ rctx->cmd.engine = CCP_ENGINE_XTS_AES_128;
+ rctx->cmd.u.xts.action = (encrypt) ? CCP_AES_ACTION_ENCRYPT
+ : CCP_AES_ACTION_DECRYPT;
+- rctx->cmd.u.xts.unit_size = unit_size_map[unit].value;
++ rctx->cmd.u.xts.unit_size = unit_size;
+ rctx->cmd.u.xts.key = &ctx->u.aes.key_sg;
+ rctx->cmd.u.xts.key_len = ctx->u.aes.key_len;
+ rctx->cmd.u.xts.iv = &rctx->iv_sg;
diff --git a/queue-4.6/crypto-public_key-select-crypto_akcipher.patch b/queue-4.6/crypto-public_key-select-crypto_akcipher.patch
new file mode 100644
index 00000000000..6dfd12c2345
--- /dev/null
+++ b/queue-4.6/crypto-public_key-select-crypto_akcipher.patch
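Review bot: The new bound in ccp_aes_xts_crypt(), `req->nbytes <= unit_size_map[0].size`, is correct only while entry 0 of `unit_size_map` is the largest supported unit size; the table is defined outside this hunk, so that ordering is assumed here rather than checked. If the table were reordered or extended, requests above the hardware limit would again reach the CCP instead of the fallback, which the commit message says yields incorrect cipher output. Once confirmed against the table, a comment at the check such as `/* unit_size_map[] is ordered largest first; entry 0 is the hardware maximum */`, or a named maximum constant used in place of the index, would make the dependency explicit.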
@@ -0,0 +1,37 @@
+From bad6a185b4d6f81d0ed2b6e4c16307969f160b95 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Wed, 18 May 2016 16:55:56 +0200
+Subject: crypto: public_key: select CRYPTO_AKCIPHER
+
+From: Arnd Bergmann
+
+commit bad6a185b4d6f81d0ed2b6e4c16307969f160b95 upstream.
+
+In some rare randconfig builds, we can end up with
+ASYMMETRIC_PUBLIC_KEY_SUBTYPE enabled but CRYPTO_AKCIPHER disabled,
+which fails to link because of the reference to crypto_alloc_akcipher:
+
+crypto/built-in.o: In function `public_key_verify_signature':
+:(.text+0x110e4): undefined reference to `crypto_alloc_akcipher'
+
+This adds a Kconfig 'select' statement to ensure the dependency
+is always there.
+
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/asymmetric_keys/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/crypto/asymmetric_keys/Kconfig
++++ b/crypto/asymmetric_keys/Kconfig
+@@ -13,6 +13,7 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ tristate "Asymmetric public-key crypto algorithm subtype"
+ select MPILIB
+ select CRYPTO_HASH_INFO
++ select CRYPTO_AKCIPHER
+ help
+ This option provides support for asymmetric public key type handling.
+ If signature generation and/or verification are to be used,
diff --git a/queue-4.6/drivers-perf-arm_pmu-defer-the-setting-of-__oprofile_cpu_pmu.patch b/queue-4.6/drivers-perf-arm_pmu-defer-the-setting-of-__oprofile_cpu_pmu.patch
new file mode 100644
index 00000000000..5450faf99aa
--- /dev/null
+++ b/queue-4.6/drivers-perf-arm_pmu-defer-the-setting-of-__oprofile_cpu_pmu.patch
@@ -0,0 +1,49 @@
+From 0f254c7671e851243412bce6c2e618732831d0f8 Mon Sep 17 00:00:00 2001
+From: Julien Grall
+Date: Tue, 31 May 2016 12:41:22 +0100
+Subject: drivers/perf: arm_pmu: Defer the setting of __oprofile_cpu_pmu
+
+From: Julien Grall
+
+commit 0f254c7671e851243412bce6c2e618732831d0f8 upstream.
+
+The global variable __oprofile_cpu_pmu is set before the PMU is fully
+initialized. If an error occurs before the end of the initialization,
+the PMU will be freed and the variable will contain an invalid pointer.
+
+This will result in a kernel crash when perf will be used.
+
+Fix it by moving the setting of __oprofile_cpu_pmu when the PMU is fully
+initialized (i.e when it is no longer possible to fail).
+
+Signed-off-by: Julien Grall
+Acked-by: Mark Rutland
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/perf/arm_pmu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/perf/arm_pmu.c
++++ b/drivers/perf/arm_pmu.c
+@@ -987,9 +987,6 @@ int arm_pmu_device_probe(struct platform
+
+ armpmu_init(pmu);
+
+- if (!__oprofile_cpu_pmu)
+- __oprofile_cpu_pmu = pmu;
+-
+ pmu->plat_device = pdev;
+
+ if (node && (of_id = of_match_node(of_table, pdev->dev.of_node))) {
+@@ -1025,6 +1022,9 @@ int arm_pmu_device_probe(struct platform
+ if (ret)
+ goto out_destroy;
+
++ if (!__oprofile_cpu_pmu)
++ __oprofile_cpu_pmu = pmu;
++
+ pr_info("enabled with %s PMU driver, %d counters available\n",
+ pmu->name, pmu->num_events);
+
diff --git a/queue-4.6/ecryptfs-forbid-opening-files-without-mmap-handler.patch b/queue-4.6/ecryptfs-forbid-opening-files-without-mmap-handler.patch
new file mode 100644
index 00000000000..3b3c20f6c93
--- /dev/null
+++ b/queue-4.6/ecryptfs-forbid-opening-files-without-mmap-handler.patch
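Review bot: The relocated `__oprofile_cpu_pmu = pmu` in arm_pmu_device_probe() stays safe only while no failure path is added after it, and the code carries no comment saying so. Per the commit message, the earlier placement left the global pointing at a freed PMU when probing failed, which crashed the kernel on the next perf use. I would put above the new lines `/* publish only after the last failure point: an error path would free pmu and leave this global dangling */`. The rest of the function, including the `out_destroy` label, lies outside the hunk.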
@@ -0,0 +1,59 @@
+From 2f36db71009304b3f0b95afacd8eba1f9f046b87 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Wed, 1 Jun 2016 11:55:06 +0200
+Subject: ecryptfs: forbid opening files without mmap handler
+
+From: Jann Horn
+
+commit 2f36db71009304b3f0b95afacd8eba1f9f046b87 upstream.
+
+This prevents users from triggering a stack overflow through a recursive
+invocation of pagefault handling that involves mapping procfs files into
+virtual memory.
+
+Signed-off-by: Jann Horn
+Acked-by: Tyler Hicks
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ecryptfs/kthread.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/fs/ecryptfs/kthread.c
++++ b/fs/ecryptfs/kthread.c
+@@ -25,6 +25,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "ecryptfs_kernel.h"
+
+ struct ecryptfs_open_req {
+@@ -147,7 +148,7 @@ int ecryptfs_privileged_open(struct file
+ flags |= IS_RDONLY(d_inode(lower_dentry)) ? O_RDONLY : O_RDWR;
+ (*lower_file) = dentry_open(&req.path, flags, cred);
+ if (!IS_ERR(*lower_file))
+- goto out;
++ goto have_file;
+ if ((flags & O_ACCMODE) == O_RDONLY) {
+ rc = PTR_ERR((*lower_file));
+ goto out;
+@@ -165,8 +166,16 @@ int ecryptfs_privileged_open(struct file
+ mutex_unlock(&ecryptfs_kthread_ctl.mux);
+ wake_up(&ecryptfs_kthread_ctl.wait);
+ wait_for_completion(&req.done);
+- if (IS_ERR(*lower_file))
++ if (IS_ERR(*lower_file)) {
+ rc = PTR_ERR(*lower_file);
++ goto out;
++ }
++have_file:
++ if ((*lower_file)->f_op->mmap == NULL) {
++ fput(*lower_file);
++ *lower_file = NULL;
++ rc = -EMEDIUMTYPE;
++ }
+ out:
+ return rc;
+ }
diff --git a/queue-4.6/fix-d_walk-non-delayed-__d_free-race.patch b/queue-4.6/fix-d_walk-non-delayed-__d_free-race.patch
new file mode 100644
index 00000000000..816cdd0841a
--- /dev/null
+++ b/queue-4.6/fix-d_walk-non-delayed-__d_free-race.patch
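Review bot: The new `have_file:` branch leaves `*lower_file` set to NULL on failure, while the two earlier failure paths leave an ERR_PTR in it, so callers of ecryptfs_privileged_open() now see two different out-parameter states next to a non-zero `rc`. The callers are outside the hunk; if any of them inspects `*lower_file` with IS_ERR() instead of testing `rc`, a NULL passes that test, so the contract should be stated at the function or the failure paths made consistent. The check also deserves a comment, because the reason exists only in the commit message: `/* No mmap handler (e.g. procfs): stacking on such a file allows recursive page faults that overflow the kernel stack */`. `-EMEDIUMTYPE` is an unusual errno for an open path, so it is worth confirming that it is what userspace should see. The function begins outside the hunk.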
@@ -0,0 +1,56 @@
+From 3d56c25e3bb0726a5c5e16fc2d9e38f8ed763085 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Tue, 7 Jun 2016 21:26:55 -0400
+Subject: fix d_walk()/non-delayed __d_free() race
+
+From: Al Viro
+
+commit 3d56c25e3bb0726a5c5e16fc2d9e38f8ed763085 upstream.
+
+Ascend-to-parent logics in d_walk() depends on all encountered child
+dentries not getting freed without an RCU delay. Unfortunately, in
+quite a few cases it is not true, with hard-to-hit oopsable race as
+the result.
+
+Fortunately, the fix is simiple; right now the rule is "if it ever
+been hashed, freeing must be delayed" and changing it to "if it
+ever had a parent, freeing must be delayed" closes that hole and
+covers all cases the old rule used to cover. Moreover, pipes and
+sockets remain _not_ covered, so we do not introduce RCU delay in
+the cases which are the reason for having that delay conditional
+in the first place.
+
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/dcache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -1619,7 +1619,7 @@ struct dentry *d_alloc(struct dentry * p
+ struct dentry *dentry = __d_alloc(parent->d_sb, name);
+ if (!dentry)
+ return NULL;
+-
++ dentry->d_flags |= DCACHE_RCUACCESS;
+ spin_lock(&parent->d_lock);
+ /*
+ * don't need child lock because it is not subject
+@@ -2338,7 +2338,6 @@ static void __d_rehash(struct dentry * e
+ {
+ BUG_ON(!d_unhashed(entry));
+ hlist_bl_lock(b);
+- entry->d_flags |= DCACHE_RCUACCESS;
+ hlist_bl_add_head_rcu(&entry->d_hash, b);
+ hlist_bl_unlock(b);
+ }
+@@ -2637,6 +2636,7 @@ static void __d_move(struct dentry *dent
+ /* ... and switch them in the tree */
+ if (IS_ROOT(dentry)) {
+ /* splicing a tree */
++ dentry->d_flags |= DCACHE_RCUACCESS;
+ dentry->d_parent = target->d_parent;
+ target->d_parent = target;
+ list_del_init(&target->d_child);
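Review bot: In the d_alloc() hunk the flag is set on the line that used to be the blank separator and has no comment, so nothing at the site says why a freshly allocated dentry needs `DCACHE_RCUACCESS`. I would put `/* has a parent from here on: freeing must be RCU-delayed for d_walk() */` above it and use the same wording at the `IS_ROOT(dentry)` branch in __d_move(), since the rule "ever had a parent" is stated only in the commit message. The store in d_alloc() happens before `spin_lock(&parent->d_lock)`; that looks safe only because the dentry is not yet linked to the parent at that point, which the hunk suggests but does not fully show. All three functions extend beyond their hunks.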
diff --git a/queue-4.6/gpio-bail-out-silently-on-null-descriptors.patch b/queue-4.6/gpio-bail-out-silently-on-null-descriptors.patch
new file mode 100644
index 00000000000..9b4c4899009
--- /dev/null
+++ b/queue-4.6/gpio-bail-out-silently-on-null-descriptors.patch
@@ -0,0 +1,60 @@
+From 54d77198fdfbc4f0fe11b4252c1d9c97d51a3264 Mon Sep 17 00:00:00 2001
+From: Linus Walleij
+Date: Mon, 30 May 2016 16:48:39 +0200
+Subject: gpio: bail out silently on NULL descriptors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Walleij
+
+commit 54d77198fdfbc4f0fe11b4252c1d9c97d51a3264 upstream.
+
+In fdeb8e1547cb9dd39d5d7223b33f3565cf86c28e
+("gpio: reflect base and ngpio into gpio_device")
+assumed that GPIO descriptors are either valid or error
+pointers, but gpiod_get_[index_]optional() actually return
+NULL descriptors and then all subsequent calls should just
+bail out.
+
+Cc: Sergei Shtylyov
+Cc: Florian Fainelli
+Cc: Andrew Lunn
+Fixes: fdeb8e1547cb ("gpio: reflect base and ngpio into gpio_device")
+Reported-by: Uwe Kleine-König
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpio/gpiolib.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -1339,10 +1339,13 @@ done:
+ /*
+ * This descriptor validation needs to be inserted verbatim into each
+ * function taking a descriptor, so we need to use a preprocessor
+- * macro to avoid endless duplication.
++ * macro to avoid endless duplication. If the desc is NULL it is an
++ * optional GPIO and calls should just bail out.
+ */
+ #define VALIDATE_DESC(desc) do { \
+- if (!desc || !desc->gdev) { \
++ if (!desc) \
++ return 0; \
++ if (!desc->gdev) { \
+ pr_warn("%s: invalid GPIO\n", __func__); \
+ return -EINVAL; \
+ } \
+@@ -1353,7 +1356,9 @@ done:
+ } } while (0)
+
+ #define VALIDATE_DESC_VOID(desc) do { \
+- if (!desc || !desc->gdev) { \
++ if (!desc) \
++ return; \
++ if (!desc->gdev) { \
+ pr_warn("%s: invalid GPIO\n", __func__); \
+ return; \
+ } \
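Review bot: `VALIDATE_DESC` now makes every function that uses it return 0 for a NULL descriptor, and 0 is also what those functions return for a successful operation on a real line. For setters on an optional GPIO that is the intent, but any user of the macro whose return value carries data (the users are outside the hunk) would report a plausible value for a GPIO that does not exist, and a NULL that comes from a driver bug is no longer logged. The comment block should say that 0 is returned and that callers needing to tell "absent" from "ok" must test the descriptor themselves. Separately, the macro argument is used unparenthesised; `if (!(desc)) \` and `if (!(desc)->gdev) { \` are the safer spelling, and the same applies to `VALIDATE_DESC_VOID`.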
diff --git a/queue-4.6/gpio-bcm-kona-fix-bcm_kona_gpio_reset-warnings.patch b/queue-4.6/gpio-bcm-kona-fix-bcm_kona_gpio_reset-warnings.patch
new file mode 100644
index 00000000000..e1bf0c0b1d1
--- /dev/null
+++ b/queue-4.6/gpio-bcm-kona-fix-bcm_kona_gpio_reset-warnings.patch
@@ -0,0 +1,51 @@ +From b66b2a0adf0e48973b582e055758b9907a7eee7c Mon Sep 17 00:00:00 2001 +From: Ben Dooks +Date: Tue, 7 Jun 2016 17:22:17 +0100 +Subject: gpio: bcm-kona: fix bcm_kona_gpio_reset() warnings + +From: Ben Dooks + +commit b66b2a0adf0e48973b582e055758b9907a7eee7c upstream. + +The bcm_kona_gpio_reset() calls bcm_kona_gpio_write_lock_regs() +with what looks like the wrong parameter. The write_lock_regs +function takes a pointer to the registers, not the bcm_kona_gpio +structure. + +Fix the warning, and probably bug by changing the function to +pass reg_base instead of kona_gpio, fixing the following warning: + +drivers/gpio/gpio-bcm-kona.c:550:47: warning: incorrect type in argument 1 + (different address spaces) + expected void [noderef] *reg_base + got struct bcm_kona_gpio *kona_gpio + warning: incorrect type in argument 1 (different address spaces) + expected void [noderef] *reg_base + got struct bcm_kona_gpio *kona_gpio + +Signed-off-by: Ben Dooks +Acked-by: Ray Jui +Reviewed-by: Markus Mayer +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-bcm-kona.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpio/gpio-bcm-kona.c ++++ b/drivers/gpio/gpio-bcm-kona.c +@@ -546,11 +546,11 @@ static void bcm_kona_gpio_reset(struct b + /* disable interrupts and clear status */ + for (i = 0; i < kona_gpio->num_bank; i++) { + /* Unlock the entire bank first */ +- bcm_kona_gpio_write_lock_regs(kona_gpio, i, UNLOCK_CODE); ++ bcm_kona_gpio_write_lock_regs(reg_base, i, UNLOCK_CODE); + writel(0xffffffff, reg_base + GPIO_INT_MASK(i)); + writel(0xffffffff, reg_base + GPIO_INT_STATUS(i)); + /* Now re-lock the bank */ +- bcm_kona_gpio_write_lock_regs(kona_gpio, i, LOCK_CODE); ++ bcm_kona_gpio_write_lock_regs(reg_base, i, LOCK_CODE); + } + } + diff --git a/queue-4.6/gpiolib-fix-null-pointer-deference.patch b/queue-4.6/gpiolib-fix-null-pointer-deference.patch new file mode 100644 index 00000000000..efd12a3a67c 
--- /dev/null +++ b/queue-4.6/gpiolib-fix-null-pointer-deference.patch @@ -0,0 +1,44 @@ +From 11f33a6d15bfa397867ac0d7f3481b6dd683286f Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda Delgado +Date: Fri, 3 Jun 2016 19:10:01 +0200 +Subject: gpiolib: Fix NULL pointer deference + +From: Ricardo Ribalda Delgado + +commit 11f33a6d15bfa397867ac0d7f3481b6dd683286f upstream. + +Under some circumstances, a gpiochip might be half cleaned from the +gpio_device list. + +This patch makes sure that the chip pointer is still valid, before +calling the match function. + +[ 104.088296] BUG: unable to handle kernel NULL pointer dereference at +0000000000000090 +[ 104.089772] IP: [] of_gpiochip_find_and_xlate+0x15/0x80 +[ 104.128273] Call Trace: +[ 104.129802] [] ? of_parse_own_gpio+0x1f0/0x1f0 +[ 104.131353] [] gpiochip_find+0x60/0x90 +[ 104.132868] [] of_get_named_gpiod_flags+0x9a/0x120 +... +[ 104.141586] [] gpio_led_probe+0x11b/0x360 + +Signed-off-by: Ricardo Ribalda Delgado +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -841,7 +841,7 @@ struct gpio_chip *gpiochip_find(void *da + + spin_lock_irqsave(&gpio_lock, flags); + list_for_each_entry(gdev, &gpio_devices, list) +- if (match(gdev->chip, data)) ++ if (gdev->chip && match(gdev->chip, data)) + break; + + /* No match? */ diff --git a/queue-4.6/gpiolib-fix-unaligned-used-of-reference-counters.patch b/queue-4.6/gpiolib-fix-unaligned-used-of-reference-counters.patch new file mode 100644 index 00000000000..c2ba41928e6 --- /dev/null +++ b/queue-4.6/gpiolib-fix-unaligned-used-of-reference-counters.patch 
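Review bot: `gdev->chip` is read twice in `if (gdev->chip && match(gdev->chip, data))`, so the NULL test protects the call only if nothing can clear the pointer between the two reads. The loop runs under `gpio_lock`, but whether the code that detaches the chip from its gpio_device takes the same lock is not visible in this hunk; if it does not, the pointer should be read once, `struct gpio_chip *chip = READ_ONCE(gdev->chip);` followed by `if (chip && match(chip, data))`. Even then match() would run on a chip that is being torn down, so the removal path is what needs to be checked. gpiochip_find() continues past the hunk.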
@@ -0,0 +1,58 @@ +From f4833b8cc7edab57d3f3033e549111a546c2e02b Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda Delgado +Date: Fri, 3 Jun 2016 19:10:02 +0200 +Subject: gpiolib: Fix unaligned used of reference counters + +From: Ricardo Ribalda Delgado + +commit f4833b8cc7edab57d3f3033e549111a546c2e02b upstream. + +gpiolib relies on the reference counters to clean up the gpio_device +structure. + +Although the number of get/put is properly aligned on gpiolib.c +itself, it does not take into consideration how the referece counters +are affected by other external functions such as cdev_add and device_add. + +Because of this, after the last call to put_device, the reference counter +has a value of +3, therefore never calling gpiodevice_release. + +Due to the fact that some of the device has already been cleaned on +gpiochip_remove, the library will end up OOPsing the kernel (e.g. a call +to of_gpiochip_find_and_xlate). + +Signed-off-by: Ricardo Ribalda Delgado +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -438,7 +438,6 @@ static void gpiodevice_release(struct de + { + struct gpio_device *gdev = dev_get_drvdata(dev); + +- cdev_del(&gdev->chrdev); + list_del(&gdev->list); + ida_simple_remove(&gpio_ida, gdev->id); + kfree(gdev->label); +@@ -471,7 +470,6 @@ static int gpiochip_setup_dev(struct gpi + + /* From this point, the .release() function cleans up gpio_device */ + gdev->dev.release = gpiodevice_release; +- get_device(&gdev->dev); + pr_debug("%s: registered GPIOs %d to %d on device: %s (%s)\n", + __func__, gdev->base, gdev->base + gdev->ngpio - 1, + dev_name(&gdev->dev), gdev->chip->label ? : "generic"); +@@ -742,6 +740,8 @@ void gpiochip_remove(struct gpio_chip *c + * be removed, else it will be dangling until the last user is + * gone. 
+ */ ++ cdev_del(&gdev->chrdev); ++ device_del(&gdev->dev); + put_device(&gdev->dev); + } + EXPORT_SYMBOL_GPL(gpiochip_remove); diff --git a/queue-4.6/irqchip-gic-v3-fix-icc_sgi1r_el1.intid-decoding-mask.patch b/queue-4.6/irqchip-gic-v3-fix-icc_sgi1r_el1.intid-decoding-mask.patch new file mode 100644 index 00000000000..c9ba02dfd20 --- /dev/null +++ b/queue-4.6/irqchip-gic-v3-fix-icc_sgi1r_el1.intid-decoding-mask.patch @@ -0,0 +1,30 @@ +From dd5f1b049dc139876801db3cdd0f20d21fd428cc Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Thu, 2 Jun 2016 09:00:28 +0100 +Subject: irqchip/gic-v3: Fix ICC_SGI1R_EL1.INTID decoding mask + +From: Marc Zyngier + +commit dd5f1b049dc139876801db3cdd0f20d21fd428cc upstream. + +The INTID mask is wrong, and is made a signed value, which has +nteresting effects in the KVM emulation. Let's sanitize it. + +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/irqchip/arm-gic-v3.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/irqchip/arm-gic-v3.h ++++ b/include/linux/irqchip/arm-gic-v3.h +@@ -301,7 +301,7 @@ + #define ICC_SGI1R_AFFINITY_1_SHIFT 16 + #define ICC_SGI1R_AFFINITY_1_MASK (0xff << ICC_SGI1R_AFFINITY_1_SHIFT) + #define ICC_SGI1R_SGI_ID_SHIFT 24 +-#define ICC_SGI1R_SGI_ID_MASK (0xff << ICC_SGI1R_SGI_ID_SHIFT) ++#define ICC_SGI1R_SGI_ID_MASK (0xfULL << ICC_SGI1R_SGI_ID_SHIFT) + #define ICC_SGI1R_AFFINITY_2_SHIFT 32 + #define ICC_SGI1R_AFFINITY_2_MASK (0xffULL << ICC_SGI1R_AFFINITY_1_SHIFT) + #define ICC_SGI1R_IRQ_ROUTING_MODE_BIT 40 diff --git a/queue-4.6/kvm-arm-arm64-vgic-v2-clear-all-dirty-lrs.patch b/queue-4.6/kvm-arm-arm64-vgic-v2-clear-all-dirty-lrs.patch new file mode 100644 index 00000000000..08b4eb771fd --- /dev/null +++ b/queue-4.6/kvm-arm-arm64-vgic-v2-clear-all-dirty-lrs.patch 
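Review bot: `cdev_del(&gdev->chrdev)` and `device_del(&gdev->dev)` are now called unconditionally at the end of gpiochip_remove(), while the matching add calls presumably happen in gpiochip_setup_dev(). If a chip can be removed without that setup having completed (a failed or deferred setup; not visible in these hunks), the remove path would delete a cdev and a device that were never added, so a guard or a comment stating why that cannot happen is needed. The context comment `From this point, the .release() function cleans up gpio_device` in gpiochip_setup_dev() is also no longer the whole story, since the cdev is now torn down in gpiochip_remove(); I would reword it to say that release frees the structure and remove unregisters it. All three functions extend beyond their hunks.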
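Review bot: The context line two below the corrected mask has the same kind of mistake and is left untouched: `ICC_SGI1R_AFFINITY_2_MASK` is built with `ICC_SGI1R_AFFINITY_1_SHIFT` (16), although `ICC_SGI1R_AFFINITY_2_SHIFT` is defined as 32 on the line directly above it. It should read `#define ICC_SGI1R_AFFINITY_2_MASK (0xffULL << ICC_SGI1R_AFFINITY_2_SHIFT)`. As written, a decoder that applies this mask selects the Aff1 bits a second time instead of Aff2; the users of the macro are outside the hunk, so the effect on SGI routing has to be checked there.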
@@ -0,0 +1,39 @@ +From 4d3afc9bad2b67b118a0cc204dc94703f7a44e74 Mon Sep 17 00:00:00 2001 +From: Christoffer Dall +Date: Wed, 25 May 2016 15:26:33 +0100 +Subject: KVM: arm/arm64: vgic-v2: Clear all dirty LRs + +From: Christoffer Dall + +commit 4d3afc9bad2b67b118a0cc204dc94703f7a44e74 upstream. + +When saving the state of the list registers, it is critical to +reset them zero, as we could otherwise leave unexpected EOI +interrupts pending for virtual level interrupts. + +Signed-off-by: Christoffer Dall +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/arm/hyp/vgic-v2-sr.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/virt/kvm/arm/hyp/vgic-v2-sr.c ++++ b/virt/kvm/arm/hyp/vgic-v2-sr.c +@@ -93,12 +93,11 @@ static void __hyp_text save_lrs(struct k + if (!(vcpu->arch.vgic_cpu.live_lrs & (1UL << i))) + continue; + +- if (cpu_if->vgic_elrsr & (1UL << i)) { ++ if (cpu_if->vgic_elrsr & (1UL << i)) + cpu_if->vgic_lr[i] &= ~GICH_LR_STATE; +- continue; +- } ++ else ++ cpu_if->vgic_lr[i] = readl_relaxed(base + GICH_LR0 + (i * 4)); + +- cpu_if->vgic_lr[i] = readl_relaxed(base + GICH_LR0 + (i * 4)); + writel_relaxed(0, base + GICH_LR0 + (i * 4)); + } + } diff --git a/queue-4.6/kvm-arm-arm64-vgic-v3-clear-all-dirty-lrs.patch b/queue-4.6/kvm-arm-arm64-vgic-v3-clear-all-dirty-lrs.patch new file mode 100644 index 00000000000..dc197f5bc0b --- /dev/null +++ b/queue-4.6/kvm-arm-arm64-vgic-v3-clear-all-dirty-lrs.patch 
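Review bot: Nothing at `writel_relaxed(0, base + GICH_LR0 + (i * 4));` says that the write is now meant to run for both branches, and the old `continue` shows how easily an early exit can skip it again. I would add `/* always zero the LR, also when ELRSR reports it empty, so no stale EOI state is left for level interrupts */` above the write. The same comment belongs above `__gic_v3_set_lr(0, i);` in the vgic-v3 version of this change. save_lrs() starts and ends outside the hunk.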
@@ -0,0 +1,39 @@ +From fa89c77e891917b5913f9be080f9131a9457bb3e Mon Sep 17 00:00:00 2001 +From: Christoffer Dall +Date: Wed, 25 May 2016 15:26:34 +0100 +Subject: KVM: arm/arm64: vgic-v3: Clear all dirty LRs + +From: Christoffer Dall + +commit fa89c77e891917b5913f9be080f9131a9457bb3e upstream. + +When saving the state of the list registers, it is critical to +reset them zero, as we could otherwise leave unexpected EOI +interrupts pending for virtual level interrupts. + +Signed-off-by: Christoffer Dall +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kvm/hyp/vgic-v3-sr.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/arch/arm64/kvm/hyp/vgic-v3-sr.c ++++ b/arch/arm64/kvm/hyp/vgic-v3-sr.c +@@ -190,12 +190,11 @@ void __hyp_text __vgic_v3_save_state(str + if (!(vcpu->arch.vgic_cpu.live_lrs & (1UL << i))) + continue; + +- if (cpu_if->vgic_elrsr & (1 << i)) { ++ if (cpu_if->vgic_elrsr & (1 << i)) + cpu_if->vgic_lr[i] &= ~ICH_LR_STATE; +- continue; +- } ++ else ++ cpu_if->vgic_lr[i] = __gic_v3_get_lr(i); + +- cpu_if->vgic_lr[i] = __gic_v3_get_lr(i); + __gic_v3_set_lr(0, i); + } + diff --git a/queue-4.6/kvm-irqfd-fix-null-pointer-dereference-in-kvm_irq_map_gsi.patch b/queue-4.6/kvm-irqfd-fix-null-pointer-dereference-in-kvm_irq_map_gsi.patch new file mode 100644 index 00000000000..a6239843038 --- /dev/null +++ b/queue-4.6/kvm-irqfd-fix-null-pointer-dereference-in-kvm_irq_map_gsi.patch 
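Review bot: The ELRSR test still uses `(1 << i)` while the `live_lrs` test two lines above it uses `(1UL << i)`, and the vgic-v2 version of this loop uses `1UL` in both places. The int shift is well defined only while `i` stays below 31, and the loop bound is outside the hunk. `if (cpu_if->vgic_elrsr & (1UL << i))` would make the two tests consistent and remove the question. __vgic_v3_save_state() extends beyond the hunk.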
@@ -0,0 +1,79 @@ +From c622a3c21ede892e370b56e1ceb9eb28f8bbda6b Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 1 Jun 2016 14:09:21 +0200 +Subject: KVM: irqfd: fix NULL pointer dereference in kvm_irq_map_gsi +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paolo Bonzini + +commit c622a3c21ede892e370b56e1ceb9eb28f8bbda6b upstream. + +Found by syzkaller: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000120 + IP: [] kvm_irq_map_gsi+0x12/0x90 [kvm] + PGD 6f80b067 PUD b6535067 PMD 0 + Oops: 0000 [#1] SMP + CPU: 3 PID: 4988 Comm: a.out Not tainted 4.4.9-300.fc23.x86_64 #1 + [...] + Call Trace: + [] irqfd_update+0x32/0xc0 [kvm] + [] kvm_irqfd+0x3dc/0x5b0 [kvm] + [] kvm_vm_ioctl+0x164/0x6f0 [kvm] + [] do_vfs_ioctl+0x298/0x480 + [] SyS_ioctl+0x79/0x90 + [] tracesys_phase2+0x84/0x89 + Code: b5 71 a7 e0 5b 41 5c 41 5d 5d f3 c3 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 8b 8f 10 2e 00 00 31 c0 48 89 e5 <39> 91 20 01 00 00 76 6a 48 63 d2 48 8b 94 d1 28 01 00 00 48 85 + RIP [] kvm_irq_map_gsi+0x12/0x90 [kvm] + RSP + CR2: 0000000000000120 + +Testcase: + + #include + #include + #include + #include + #include + #include + #include + + long r[26]; + + int main() + { + memset(r, -1, sizeof(r)); + r[2] = open("/dev/kvm", 0); + r[3] = ioctl(r[2], KVM_CREATE_VM, 0); + + struct kvm_irqfd ifd; + ifd.fd = syscall(SYS_eventfd2, 5, 0); + ifd.gsi = 3; + ifd.flags = 2; + ifd.resamplefd = ifd.fd; + r[25] = ioctl(r[3], KVM_IRQFD, &ifd); + return 0; + } + +Reported-by: Dmitry Vyukov +Signed-off-by: Paolo Bonzini +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/irqchip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/virt/kvm/irqchip.c ++++ b/virt/kvm/irqchip.c +@@ -40,7 +40,7 @@ int kvm_irq_map_gsi(struct kvm *kvm, + + irq_rt = srcu_dereference_check(kvm->irq_routing, &kvm->irq_srcu, + lockdep_is_held(&kvm->irq_lock)); +- if (gsi < 
irq_rt->nr_rt_entries) { ++ if (irq_rt && gsi < irq_rt->nr_rt_entries) { + hlist_for_each_entry(e, &irq_rt->map[gsi], link) { + entries[n] = *e; + ++n; diff --git a/queue-4.6/kvm-x86-fix-oops-after-invalid-kvm_set_debugregs.patch b/queue-4.6/kvm-x86-fix-oops-after-invalid-kvm_set_debugregs.patch new file mode 100644 index 00000000000..1f1c175ad7c --- /dev/null +++ b/queue-4.6/kvm-x86-fix-oops-after-invalid-kvm_set_debugregs.patch 
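Review bot: The copy loop inside the guarded branch does `entries[n] = *e; ++n;` with no limit on `n` visible in the hunk, so the size of the caller's `entries` array has to be guaranteed somewhere else. Because this function is reached from the KVM_IRQFD ioctl (per the trace in the commit message), that guarantee is worth stating next to the loop or enforcing with an explicit bound. The new `irq_rt &&` test would also benefit from a short comment such as `/* no routing table installed yet */`, if that is indeed the only way the pointer can be NULL. kvm_irq_map_gsi() starts and ends outside the hunk.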
@@ -0,0 +1,83 @@ +From d14bdb553f9196169f003058ae1cdabe514470e6 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 1 Jun 2016 14:09:23 +0200 +Subject: KVM: x86: fix OOPS after invalid KVM_SET_DEBUGREGS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paolo Bonzini + +commit d14bdb553f9196169f003058ae1cdabe514470e6 upstream. + +MOV to DR6 or DR7 causes a #GP if an attempt is made to write a 1 to +any of bits 63:32. However, this is not detected at KVM_SET_DEBUGREGS +time, and the next KVM_RUN oopses: + + general protection fault: 0000 [#1] SMP + CPU: 2 PID: 14987 Comm: a.out Not tainted 4.4.9-300.fc23.x86_64 #1 + Hardware name: LENOVO 2325F51/2325F51, BIOS G2ET32WW (1.12 ) 05/30/2012 + [...] + Call Trace: + [] kvm_arch_vcpu_ioctl_run+0x141d/0x14e0 [kvm] + [] kvm_vcpu_ioctl+0x33d/0x620 [kvm] + [] do_vfs_ioctl+0x298/0x480 + [] SyS_ioctl+0x79/0x90 + [] entry_SYSCALL_64_fastpath+0x12/0x71 + Code: 55 83 ff 07 48 89 e5 77 27 89 ff ff 24 fd 90 87 80 81 0f 23 fe 5d c3 0f 23 c6 5d c3 0f 23 ce 5d c3 0f 23 d6 5d c3 0f 23 de 5d c3 <0f> 23 f6 5d c3 0f 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 + RIP [] native_set_debugreg+0x2b/0x40 + RSP + +Testcase (beautified/reduced from syzkaller output): + + #include + #include + #include + #include + #include + #include + #include + + long r[8]; + + int main() + { + struct kvm_debugregs dr = { 0 }; + + r[2] = open("/dev/kvm", O_RDONLY); + r[3] = ioctl(r[2], KVM_CREATE_VM, 0); + r[4] = ioctl(r[3], KVM_CREATE_VCPU, 7); + + memcpy(&dr, + "\x5d\x6a\x6b\xe8\x57\x3b\x4b\x7e\xcf\x0d\xa1\x72" + "\xa3\x4a\x29\x0c\xfc\x6d\x44\x00\xa7\x52\xc7\xd8" + "\x00\xdb\x89\x9d\x78\xb5\x54\x6b\x6b\x13\x1c\xe9" + "\x5e\xd3\x0e\x40\x6f\xb4\x66\xf7\x5b\xe3\x36\xcb", + 48); + r[7] = ioctl(r[4], KVM_SET_DEBUGREGS, &dr); + r[6] = ioctl(r[4], KVM_RUN, 0); + } + +Reported-by: Dmitry Vyukov +Signed-off-by: Paolo Bonzini +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + 
arch/x86/kvm/x86.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -3032,6 +3032,11 @@ static int kvm_vcpu_ioctl_x86_set_debugr + if (dbgregs->flags) + return -EINVAL; + ++ if (dbgregs->dr6 & ~0xffffffffull) ++ return -EINVAL; ++ if (dbgregs->dr7 & ~0xffffffffull) ++ return -EINVAL; ++ + memcpy(vcpu->arch.db, dbgregs->db, sizeof(vcpu->arch.db)); + kvm_update_dr0123(vcpu); + vcpu->arch.dr6 = dbgregs->dr6; diff --git a/queue-4.6/memcg-add-rcu-locking-around-css_for_each_descendant_pre-in-memcg_offline_kmem.patch b/queue-4.6/memcg-add-rcu-locking-around-css_for_each_descendant_pre-in-memcg_offline_kmem.patch new file mode 100644 index 00000000000..67afa59981e --- /dev/null +++ b/queue-4.6/memcg-add-rcu-locking-around-css_for_each_descendant_pre-in-memcg_offline_kmem.patch 
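Review bot: The two added tests repeat the literal `~0xffffffffull` and carry no comment, so the architectural reason (MOV to DR6 or DR7 raises #GP when any of bits 63:32 is set) stays in the commit message only. I would add `/* bits 63:32 of DR6/DR7 must be zero, otherwise the next KVM_RUN takes #GP when loading them */` and fold the tests into `if ((dbgregs->dr6 | dbgregs->dr7) >> 32) return -EINVAL;`. The check covers only the upper halves; whether reserved bits in the low 32 bits are fixed up before they reach hardware is decided in code outside this hunk. The function continues past the hunk.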
@@ -0,0 +1,75 @@ +From 3a06bb78ceeceacc86a1e31133a7944013f9775b Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Fri, 3 Jun 2016 14:55:44 -0700 +Subject: memcg: add RCU locking around css_for_each_descendant_pre() in memcg_offline_kmem() + +From: Tejun Heo + +commit 3a06bb78ceeceacc86a1e31133a7944013f9775b upstream. + +memcg_offline_kmem() may be called from memcg_free_kmem() after a css +init failure. memcg_free_kmem() is a ->css_free callback which is +called without cgroup_mutex and memcg_offline_kmem() ends up using +css_for_each_descendant_pre() without any locking. Fix it by adding rcu +read locking around it. + + mkdir: cannot create directory `65530': No space left on device + =============================== + [ INFO: suspicious RCU usage. ] + 4.6.0-work+ #321 Not tainted + ------------------------------- + kernel/cgroup.c:4008 cgroup_mutex or RCU read lock required! + [ 527.243970] other info that might help us debug this: + [ 527.244715] + rcu_scheduler_active = 1, debug_locks = 0 + 2 locks held by kworker/0:5/1664: + #0: ("cgroup_destroy"){.+.+..}, at: [] process_one_work+0x165/0x4a0 + #1: ((&css->destroy_work)#3){+.+...}, at: [] process_one_work+0x165/0x4a0 + [ 527.248098] stack backtrace: + CPU: 0 PID: 1664 Comm: kworker/0:5 Not tainted 4.6.0-work+ #321 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.1-1.fc24 04/01/2014 + Workqueue: cgroup_destroy css_free_work_fn + Call Trace: + dump_stack+0x68/0xa1 + lockdep_rcu_suspicious+0xd7/0x110 + css_next_descendant_pre+0x7d/0xb0 + memcg_offline_kmem.part.44+0x4a/0xc0 + mem_cgroup_css_free+0x1ec/0x200 + css_free_work_fn+0x49/0x5e0 + process_one_work+0x1c5/0x4a0 + worker_thread+0x49/0x490 + kthread+0xea/0x100 + ret_from_fork+0x1f/0x40 + +Link: http://lkml.kernel.org/r/20160526203018.GG23194@mtj.duckdns.org +Signed-off-by: Tejun Heo +Acked-by: Vladimir Davydov +Acked-by: Johannes Weiner +Cc: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg 
Kroah-Hartman + +--- + mm/memcontrol.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -2877,6 +2877,7 @@ static void memcg_offline_kmem(struct me + * ordering is imposed by list_lru_node->lock taken by + * memcg_drain_all_list_lrus(). + */ ++ rcu_read_lock(); /* can be called from css_free w/o cgroup_mutex */ + css_for_each_descendant_pre(css, &memcg->css) { + child = mem_cgroup_from_css(css); + BUG_ON(child->kmemcg_id != kmemcg_id); +@@ -2884,6 +2885,8 @@ static void memcg_offline_kmem(struct me + if (!memcg->use_hierarchy) + break; + } ++ rcu_read_unlock(); ++ + memcg_drain_all_list_lrus(kmemcg_id, parent->kmemcg_id); + + memcg_free_cache_id(kmemcg_id); diff --git a/queue-4.6/mm-thp-broken-page-count-after-commit-aa88b68c3b1d.patch b/queue-4.6/mm-thp-broken-page-count-after-commit-aa88b68c3b1d.patch new file mode 100644 index 00000000000..70a4f828e6f --- /dev/null +++ b/queue-4.6/mm-thp-broken-page-count-after-commit-aa88b68c3b1d.patch 
@@ -0,0 +1,68 @@ +From 770a5370226cb207461bbad902543381c1fad521 Mon Sep 17 00:00:00 2001 +From: Gerald Schaefer +Date: Wed, 8 Jun 2016 15:33:50 -0700 +Subject: mm: thp: broken page count after commit aa88b68c3b1d + +From: Gerald Schaefer + +commit 770a5370226cb207461bbad902543381c1fad521 upstream. + +Christian Borntraeger reported a kernel panic after corrupt page counts, +and it turned out to be a regression introduced with commit aa88b68c3b1d +("thp: keep huge zero page pinned until tlb flush"), at least on s390. + +put_huge_zero_page() was moved over from zap_huge_pmd() to +release_pages(), and it was replaced by tlb_remove_page(). However, +release_pages() might not always be triggered by (the arch-specific) +tlb_remove_page(). + +On s390 we call free_page_and_swap_cache() from tlb_remove_page(), and +not tlb_flush_mmu() -> free_pages_and_swap_cache() like the generic +version, because we don't use the MMU-gather logic. Although both +functions have very similar names, they are doing very unsimilar things, +in particular free_page_xxx is just doing a put_page(), while +free_pages_xxx calls release_pages(). + +This of course results in very harmful put_page()s on the huge zero +page, on architectures where tlb_remove_page() is implemented in this +way. It seems to affect only s390 and sh, but sh doesn't have THP +support, so the problem (currently) probably only exists on s390. + +The following quick hack fixed the issue: + +Link: http://lkml.kernel.org/r/20160602172141.75c006a9@thinkpad +Signed-off-by: Gerald Schaefer +Reported-by: Christian Borntraeger +Tested-by: Christian Borntraeger +Cc: "Kirill A. 
Shutemov" +Cc: Andrea Arcangeli +Cc: "Aneesh Kumar K.V" +Cc: Mel Gorman +Cc: Hugh Dickins +Cc: Johannes Weiner +Cc: Dave Hansen +Cc: Vlastimil Babka +Cc: Martin Schwidefsky +Cc: Heiko Carstens +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/swap_state.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/mm/swap_state.c ++++ b/mm/swap_state.c +@@ -252,7 +252,10 @@ static inline void free_swap_cache(struc + void free_page_and_swap_cache(struct page *page) + { + free_swap_cache(page); +- put_page(page); ++ if (is_huge_zero_page(page)) ++ put_huge_zero_page(); ++ else ++ put_page(page); + } + + /* diff --git a/queue-4.6/parisc-fix-pagefault-crash-in-unaligned-__get_user-call.patch b/queue-4.6/parisc-fix-pagefault-crash-in-unaligned-__get_user-call.patch new file mode 100644 index 00000000000..a48e1079223 --- /dev/null +++ b/queue-4.6/parisc-fix-pagefault-crash-in-unaligned-__get_user-call.patch 
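Review bot: `free_swap_cache(page)` still runs before the `is_huge_zero_page(page)` test, so the huge zero page goes through the swap-cache path first; that is probably harmless, but free_swap_cache()'s body is not in the hunk. The commit message itself calls the change a quick hack, and the special case has no comment to explain it to the next reader. I would add `/* some architectures (s390) reach this directly from tlb_remove_page(); the huge zero page must be dropped through its own helper */` above the `if`.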
@@ -0,0 +1,109 @@ +From 8b78f260887df532da529f225c49195d18fef36b Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 4 Jun 2016 17:21:33 +0200 +Subject: parisc: Fix pagefault crash in unaligned __get_user() call + +From: Helge Deller + +commit 8b78f260887df532da529f225c49195d18fef36b upstream. + +One of the debian buildd servers had this crash in the syslog without +any other information: + + Unaligned handler failed, ret = -2 + clock_adjtime (pid 22578): Unaligned data reference (code 28) + CPU: 1 PID: 22578 Comm: clock_adjtime Tainted: G E 4.5.0-2-parisc64-smp #1 Debian 4.5.4-1 + task: 000000007d9960f8 ti: 00000001bde7c000 task.ti: 00000001bde7c000 + + YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI + PSW: 00001000000001001111100000001111 Tainted: G E + r00-03 000000ff0804f80f 00000001bde7c2b0 00000000402d2be8 00000001bde7c2b0 + r04-07 00000000409e1fd0 00000000fa6f7fff 00000001bde7c148 00000000fa6f7fff + r08-11 0000000000000000 00000000ffffffff 00000000fac9bb7b 000000000002b4d4 + r12-15 000000000015241c 000000000015242c 000000000000002d 00000000fac9bb7b + r16-19 0000000000028800 0000000000000001 0000000000000070 00000001bde7c218 + r20-23 0000000000000000 00000001bde7c210 0000000000000002 0000000000000000 + r24-27 0000000000000000 0000000000000000 00000001bde7c148 00000000409e1fd0 + r28-31 0000000000000001 00000001bde7c320 00000001bde7c350 00000001bde7c218 + sr00-03 0000000001200000 0000000001200000 0000000000000000 0000000001200000 + sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + + IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000402d2e84 00000000402d2e88 + IIR: 0ca0d089 ISR: 0000000001200000 IOR: 00000000fa6f7fff + CPU: 1 CR30: 00000001bde7c000 CR31: ffffffffffffffff + ORIG_R28: 00000002369fe628 + IAOQ[0]: compat_get_timex+0x2dc/0x3c0 + IAOQ[1]: compat_get_timex+0x2e0/0x3c0 + RP(r2): compat_get_timex+0x40/0x3c0 + Backtrace: + [<00000000402d4608>] compat_SyS_clock_adjtime+0x40/0xc0 + [<0000000040205024>] syscall_exit+0x0/0x14 + +This 
means the userspace program clock_adjtime called the clock_adjtime() +syscall and then crashed inside the compat_get_timex() function. +Syscalls should never crash programs, but instead return EFAULT. + +The IIR register contains the executed instruction, which disassebles +into "ldw 0(sr3,r5),r9". +This load-word instruction is part of __get_user() which tried to read the word +at %r5/IOR (0xfa6f7fff). This means the unaligned handler jumped in. The +unaligned handler is able to emulate all ldw instructions, but it fails if it +fails to read the source e.g. because of page fault. + +The following program reproduces the problem: + +#define _GNU_SOURCE +#include +#include +#include + +int main(void) { + /* allocate 8k */ + char *ptr = mmap(NULL, 2*4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); + /* free second half (upper 4k) and make it invalid. */ + munmap(ptr+4096, 4096); + /* syscall where first int is unaligned and clobbers into invalid memory region */ + /* syscall should return EFAULT */ + return syscall(__NR_clock_adjtime, 0, ptr+4095); +} + +To fix this issue we simply need to check if the faulting instruction address +is in the exception fixup table when the unaligned handler failed. If it +is, call the fixup routine instead of crashing. + +While looking at the unaligned handler I found another issue as well: The +target register should not be modified if the handler was unsuccessful. + +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/unaligned.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/arch/parisc/kernel/unaligned.c ++++ b/arch/parisc/kernel/unaligned.c +@@ -666,7 +666,7 @@ void handle_unaligned(struct pt_regs *re + break; + } + +- if (modify && R1(regs->iir)) ++ if (ret == 0 && modify && R1(regs->iir)) + regs->gr[R1(regs->iir)] = newbase; + + +@@ -677,6 +677,14 @@ void handle_unaligned(struct pt_regs *re + + if (ret) + { ++ /* ++ * The unaligned handler failed. 
++ * If we were called by __get_user() or __put_user() jump ++ * to it's exception fixup handler instead of crashing. ++ */ ++ if (!user_mode(regs) && fixup_exception(regs)) ++ return; ++ + printk(KERN_CRIT "Unaligned handler failed, ret = %d\n", ret); + die_if_kernel("Unaligned data reference", regs, 28); + diff --git a/queue-4.6/pinctrl-mediatek-fix-dual-edge-code-defect.patch b/queue-4.6/pinctrl-mediatek-fix-dual-edge-code-defect.patch new file mode 100644 index 00000000000..6cb807ed4ac --- /dev/null +++ b/queue-4.6/pinctrl-mediatek-fix-dual-edge-code-defect.patch @@ -0,0 +1,38 @@ +From 5edf673d07fdcb6498be24914f3f38f8d8843199 Mon Sep 17 00:00:00 2001 +From: "hongkun.cao" +Date: Sat, 21 May 2016 15:23:39 +0800 +Subject: pinctrl: mediatek: fix dual-edge code defect + +From: hongkun.cao + +commit 5edf673d07fdcb6498be24914f3f38f8d8843199 upstream. + +When a dual-edge irq is triggered, an incorrect irq will be reported on +condition that the external signal is not stable and this incorrect irq +has been registered. +Correct the register offset. + +Signed-off-by: Hongkun Cao +Reviewed-by: Matthias Brugger +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/mediatek/pinctrl-mtk-common.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/mediatek/pinctrl-mtk-common.c ++++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common.c +@@ -1256,9 +1256,10 @@ static void mtk_eint_irq_handler(struct + const struct mtk_desc_pin *pin; + + chained_irq_enter(chip, desc); +- for (eint_num = 0; eint_num < pctl->devdata->ap_num; eint_num += 32) { ++ for (eint_num = 0; ++ eint_num < pctl->devdata->ap_num; ++ eint_num += 32, reg += 4) { + status = readl(reg); +- reg += 4; + while (status) { + offset = __ffs(status); + index = eint_num + offset; 
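Review bot: The added comment reads "jump to it's exception fixup handler", which should be "its", and it names only __get_user()/__put_user() although the test `!user_mode(regs) && fixup_exception(regs)` accepts any kernel-mode fault address that has an exception-table entry. `If the fault came from kernel code with an exception table entry (e.g. __get_user()), run its fixup instead of crashing.` matches what the code does. The early `return` also skips everything that follows the `if (ret)` block; that code lies outside the hunk and should be checked against what the fixup expects. handle_unaligned() extends beyond both hunks.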
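Review bot: Moving `reg += 4` into the `for` header changes behaviour only if the loop body uses `reg` after `status = readl(reg);`, and that use is not in the hunk, so a reader of this diff cannot see why the old placement reported the wrong interrupt. A one-line comment such as `/* reg must keep addressing this bank's status word inside the loop */` would record the dependency, assuming that is the reason. The three-line `for` header is also easy to misread; keeping `eint_num += 32, reg += 4` on the same line as the condition would help. mtk_eint_irq_handler() extends beyond the hunk.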
diff --git a/queue-4.6/powerpc-fix-definition-of-siar-and-sdar-registers.patch b/queue-4.6/powerpc-fix-definition-of-siar-and-sdar-registers.patch new file mode 100644 index 00000000000..c963e1568b9 --- /dev/null +++ b/queue-4.6/powerpc-fix-definition-of-siar-and-sdar-registers.patch @@ -0,0 +1,46 @@ +From d23fac2b27d94aeb7b65536a50d32bfdc21fe01e Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Thu, 12 May 2016 13:26:44 +0200 +Subject: powerpc: Fix definition of SIAR and SDAR registers + +From: Thomas Huth + +commit d23fac2b27d94aeb7b65536a50d32bfdc21fe01e upstream. + +The SIAR and SDAR registers are available twice, one time as SPRs +780 / 781 (unprivileged, but read-only), and one time as the SPRs +796 / 797 (privileged, but read and write). The Linux kernel code +currently uses the unprivileged SPRs - while this is OK for reading, +writing to that register of course does not work. +Since the KVM code tries to write to this register, too (see the mtspr +in book3s_hv_rmhandlers.S), the contents of this register sometimes get +lost for the guests, e.g. during migration of a VM. +To fix this issue, simply switch to the privileged SPR numbers instead. + +Signed-off-by: Thomas Huth +Acked-by: Paul Mackerras +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/reg.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/include/asm/reg.h ++++ b/arch/powerpc/include/asm/reg.h +@@ -752,13 +752,13 @@ + #define SPRN_PMC6 792 + #define SPRN_PMC7 793 + #define SPRN_PMC8 794 +-#define SPRN_SIAR 780 +-#define SPRN_SDAR 781 + #define SPRN_SIER 784 + #define SIER_SIPR 0x2000000 /* Sampled MSR_PR */ + #define SIER_SIHV 0x1000000 /* Sampled MSR_HV */ + #define SIER_SIAR_VALID 0x0400000 /* SIAR contents valid */ + #define SIER_SDAR_VALID 0x0200000 /* SDAR contents valid */ ++#define SPRN_SIAR 796 ++#define SPRN_SDAR 797 + #define SPRN_TACR 888 + #define SPRN_TCSCR 889 + #define SPRN_CSIGR 890 
diff --git a/queue-4.6/powerpc-mm-hash-fix-the-reference-bit-update-when-handling-hash-fault.patch b/queue-4.6/powerpc-mm-hash-fix-the-reference-bit-update-when-handling-hash-fault.patch
new file mode 100644
index 00000000000..2704c18b8d9
--- /dev/null
+++ b/queue-4.6/powerpc-mm-hash-fix-the-reference-bit-update-when-handling-hash-fault.patch
@@ -0,0 +1,99 @@ +From dc47c0c1f8099fccb2c1e2f3775855066a9e4484 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Tue, 31 May 2016 11:56:30 +0530 +Subject: powerpc/mm/hash: Fix the reference bit update when handling hash fault + +From: Aneesh Kumar K.V + +commit dc47c0c1f8099fccb2c1e2f3775855066a9e4484 upstream. + +When we converted the asm routines to C functions, we missed updating +HPTE_R_R based on _PAGE_ACCESSED. ASM code used to copy over the lower +bits from pte via. + +andi. r3,r30,0x1fe /* Get basic set of flags */ + +We also update the code such that we won't update the Change bit ('C' +bit) always. This was added by commit c5cf0e30bf3d8 ("powerpc: Fix +buglet with MMU hash management"). + +With hash64, we need to make sure that hardware doesn't do a pte update +directly. This is because we do end up with entries in TLB with no hash +page table entry. This happens because when we find a hash bucket full, +we "evict" a more/less random entry from it. When we do that we don't +invalidate the TLB (hpte_remove) because we assume the old translation +is still technically "valid". For more info look at commit +0608d692463("powerpc/mm: Always invalidate tlb on hpte invalidate and +update"). + +Thus it's critical that valid hash PTEs always have reference bit set +and writeable ones have change bit set. We do this by hashing a +non-dirty linux PTE as read-only and always setting _PAGE_ACCESSED (and +thus R) when hashing anything else in. Any attempt by Linux at clearing +those bits also removes the corresponding hash entry. + +Commit 5cf0e30bf3d8 did that for 'C' bit by enabling 'C' bit always. +We don't really need to do that because we never map a RW pte entry +without setting 'C' bit. On READ fault on a RW pte entry, we still map +it READ only, hence a store update in the page will still cause a hash +pte fault. + +This patch reverts the part of commit c5cf0e30bf3d8 ("[PATCH] powerpc: +Fix buglet with MMU hash management") and retain the updatepp part. 
+ +- If we hit the updatepp path on native, the old code without that + commit, would fail to set C bcause native_hpte_updatepp() + was implemented to filter the same bits as H_PROTECT and not let C + through thus we would "upgrade" a RO HPTE to RW without setting C + thus causing the bug. So the real fix in that commit was the change + to native_hpte_updatepp + +Fixes: 89ff725051d1 ("powerpc/mm: Convert __hash_page_64K to C") +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/hash_utils_64.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/mm/hash_utils_64.c ++++ b/arch/powerpc/mm/hash_utils_64.c +@@ -159,6 +159,19 @@ static struct mmu_psize_def mmu_psize_de + }, + }; + ++/* ++ * 'R' and 'C' update notes: ++ * - Under pHyp or KVM, the updatepp path will not set C, thus it *will* ++ * create writeable HPTEs without C set, because the hcall H_PROTECT ++ * that we use in that case will not update C ++ * - The above is however not a problem, because we also don't do that ++ * fancy "no flush" variant of eviction and we use H_REMOVE which will ++ * do the right thing and thus we don't have the race I described earlier ++ * ++ * - Under bare metal, we do have the race, so we need R and C set ++ * - We make sure R is always set and never lost ++ * - C is _PAGE_DIRTY, and *should* always be set for a writeable mapping ++ */ + unsigned long htab_convert_pte_flags(unsigned long pteflags) + { + unsigned long rflags = 0; +@@ -180,9 +193,14 @@ unsigned long htab_convert_pte_flags(uns + rflags |= 0x1; + } + /* +- * Always add "C" bit for perf. Memory coherence is always enabled ++ * We can't allow hardware to update hpte bits. 
Hence always ++ * set 'R' bit and set 'C' if it is a write fault ++ * Memory coherence is always enabled + */ +- rflags |= HPTE_R_C | HPTE_R_M; ++ rflags |= HPTE_R_R | HPTE_R_M; ++ ++ if (pteflags & _PAGE_DIRTY) ++ rflags |= HPTE_R_C; + /* + * Add in WIG bits + */ diff --git a/queue-4.6/powerpc-pseries-add-power8nvl-support-to-ibm-client-architecture-support-call.patch b/queue-4.6/powerpc-pseries-add-power8nvl-support-to-ibm-client-architecture-support-call.patch new file mode 100644 index 00000000000..46e70d2d709 --- /dev/null +++ b/queue-4.6/powerpc-pseries-add-power8nvl-support-to-ibm-client-architecture-support-call.patch 
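Review bot: The rewritten comment in the second hash_utils_64.c hunk says 'C' is set "if it is a write fault", but the code under it tests `pteflags & _PAGE_DIRTY`, which is a property of the Linux PTE and not of the fault being handled. I would word it as `always set 'R'; set 'C' only when the Linux PTE is dirty`, which matches the description's statement that a non-dirty PTE is hashed read-only. The block comment added above htab_convert_pte_flags() also refers to "the race I described earlier", which has no antecedent in the file. It should name the race, which per the description is a hardware R/C update through a TLB entry whose hash PTE was evicted without a flush. htab_convert_pte_flags() starts in the first hunk and continues past the end of the second.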
@@ -0,0 +1,35 @@ +From 7cc851039d643a2ee7df4d18177150f2c3a484f5 Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Tue, 31 May 2016 07:51:17 +0200 +Subject: powerpc/pseries: Add POWER8NVL support to ibm,client-architecture-support call + +From: Thomas Huth + +commit 7cc851039d643a2ee7df4d18177150f2c3a484f5 upstream. + +If we do not provide the PVR for POWER8NVL, a guest on this system +currently ends up in PowerISA 2.06 compatibility mode on KVM, since QEMU +does not provide a generic PowerISA 2.07 mode yet. So some new +instructions from POWER8 (like "mtvsrd") get disabled for the guest, +resulting in crashes when using code compiled explicitly for +POWER8 (e.g. with the "-mcpu=power8" option of GCC). + +Fixes: ddee09c099c3 ("powerpc: Add PVR for POWER8NVL processor") +Signed-off-by: Thomas Huth +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/prom_init.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/kernel/prom_init.c ++++ b/arch/powerpc/kernel/prom_init.c +@@ -656,6 +656,7 @@ unsigned char ibm_architecture_vec[] = { + W(0xffff0000), W(0x003e0000), /* POWER6 */ + W(0xffff0000), W(0x003f0000), /* POWER7 */ + W(0xffff0000), W(0x004b0000), /* POWER8E */ ++ W(0xffff0000), W(0x004c0000), /* POWER8NVL */ + W(0xffff0000), W(0x004d0000), /* POWER8 */ + W(0xffffffff), W(0x0f000004), /* all 2.07-compliant */ + W(0xffffffff), W(0x0f000003), /* all 2.06-compliant */ diff --git a/queue-4.6/powerpc-pseries-eeh-handle-rtas-delay-requests-in-configure_bridge.patch b/queue-4.6/powerpc-pseries-eeh-handle-rtas-delay-requests-in-configure_bridge.patch new file mode 100644 index 00000000000..c8417987654 --- /dev/null +++ b/queue-4.6/powerpc-pseries-eeh-handle-rtas-delay-requests-in-configure_bridge.patch 
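Review bot: The new `W(0xffff0000), W(0x004c0000)` pair inserts 8 bytes near the start of ibm_architecture_vec[], so any fixed byte offset into the array moves by 8, and this hunk adjusts none. As far as I can tell from outside the lines shown, prom_init.c locates the core-count field through a hard-coded offset (IBM_ARCH_VEC_NRCORES_OFFSET). If that constant is left unchanged, the code that patches the core count would look at the wrong bytes of the vector handed to firmware. The offset should be raised in the same change, or derived from the array layout so the next PVR entry cannot repeat this. The array initializer starts before the hunk and continues after it.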
@@ -0,0 +1,95 @@ +From 871e178e0f2c4fa788f694721a10b4758d494ce1 Mon Sep 17 00:00:00 2001 +From: Russell Currey +Date: Thu, 7 Apr 2016 16:28:26 +1000 +Subject: powerpc/pseries/eeh: Handle RTAS delay requests in configure_bridge + +From: Russell Currey + +commit 871e178e0f2c4fa788f694721a10b4758d494ce1 upstream. + +In the "ibm,configure-pe" and "ibm,configure-bridge" RTAS calls, the +spec states that values of 9900-9905 can be returned, indicating that +software should delay for 10^x (where x is the last digit, i.e. 990x) +milliseconds and attempt the call again. Currently, the kernel doesn't +know about this, and respecting it fixes some PCI failures when the +hypervisor is busy. + +The delay is capped at 0.2 seconds. + +Signed-off-by: Russell Currey +Acked-by: Gavin Shan +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/pseries/eeh_pseries.c | 51 +++++++++++++++++++-------- + 1 file changed, 36 insertions(+), 15 deletions(-) + +--- a/arch/powerpc/platforms/pseries/eeh_pseries.c ++++ b/arch/powerpc/platforms/pseries/eeh_pseries.c +@@ -615,29 +615,50 @@ static int pseries_eeh_configure_bridge( + { + int config_addr; + int ret; ++ /* Waiting 0.2s maximum before skipping configuration */ ++ int max_wait = 200; + + /* Figure out the PE address */ + config_addr = pe->config_addr; + if (pe->addr) + config_addr = pe->addr; + +- /* Use new configure-pe function, if supported */ +- if (ibm_configure_pe != RTAS_UNKNOWN_SERVICE) { +- ret = rtas_call(ibm_configure_pe, 3, 1, NULL, +- config_addr, BUID_HI(pe->phb->buid), +- BUID_LO(pe->phb->buid)); +- } else if (ibm_configure_bridge != RTAS_UNKNOWN_SERVICE) { +- ret = rtas_call(ibm_configure_bridge, 3, 1, NULL, +- config_addr, BUID_HI(pe->phb->buid), +- BUID_LO(pe->phb->buid)); +- } else { +- return -EFAULT; +- } ++ while (max_wait > 0) { ++ /* Use new configure-pe function, if supported */ ++ if (ibm_configure_pe != RTAS_UNKNOWN_SERVICE) { ++ ret = rtas_call(ibm_configure_pe, 3, 
1, NULL, ++ config_addr, BUID_HI(pe->phb->buid), ++ BUID_LO(pe->phb->buid)); ++ } else if (ibm_configure_bridge != RTAS_UNKNOWN_SERVICE) { ++ ret = rtas_call(ibm_configure_bridge, 3, 1, NULL, ++ config_addr, BUID_HI(pe->phb->buid), ++ BUID_LO(pe->phb->buid)); ++ } else { ++ return -EFAULT; ++ } ++ ++ if (!ret) ++ return ret; ++ ++ /* ++ * If RTAS returns a delay value that's above 100ms, cut it ++ * down to 100ms in case firmware made a mistake. For more ++ * on how these delay values work see rtas_busy_delay_time ++ */ ++ if (ret > RTAS_EXTENDED_DELAY_MIN+2 && ++ ret <= RTAS_EXTENDED_DELAY_MAX) ++ ret = RTAS_EXTENDED_DELAY_MIN+2; + +- if (ret) +- pr_warn("%s: Unable to configure bridge PHB#%d-PE#%x (%d)\n", +- __func__, pe->phb->global_number, pe->addr, ret); ++ max_wait -= rtas_busy_delay_time(ret); ++ ++ if (max_wait < 0) ++ break; ++ ++ rtas_busy_delay(ret); ++ } + ++ pr_warn("%s: Unable to configure bridge PHB#%d-PE#%x (%d)\n", ++ __func__, pe->phb->global_number, pe->addr, ret); + return ret; + } + diff --git a/queue-4.6/powerpc-use-privileged-spr-number-for-mmcr2.patch b/queue-4.6/powerpc-use-privileged-spr-number-for-mmcr2.patch new file mode 100644 index 00000000000..ae4914adabb --- /dev/null +++ b/queue-4.6/powerpc-use-privileged-spr-number-for-mmcr2.patch 
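Review bot: The retry loop in pseries_eeh_configure_bridge() ends only on success or when max_wait runs out, and max_wait is reduced only by `rtas_busy_delay_time(ret)`. That helper's body is not in this hunk, but the comment implies it maps only busy and extended-delay codes. If it returns 0 for any other status, a hard RTAS error leaves max_wait at 200 and the call is reissued without bound, stalling EEH recovery in kernel context. A guard after the clamp would stop that: `if (!rtas_busy_delay_time(ret)) break;`, which falls through to the existing pr_warn() and returns the error. The function signature is visible only in the hunk header.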
@@ -0,0 +1,35 @@ +From 8dd75ccb571f3c92c48014b3dabd3d51a115ab41 Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Thu, 12 May 2016 13:29:11 +0200 +Subject: powerpc: Use privileged SPR number for MMCR2 + +From: Thomas Huth + +commit 8dd75ccb571f3c92c48014b3dabd3d51a115ab41 upstream. + +We are already using the privileged versions of MMCR0, MMCR1 +and MMCRA in the kernel, so for MMCR2, we should better use +the privileged versions, too, to be consistent. + +Fixes: 240686c13687 ("powerpc: Initialise PMU related regs on Power8") +Suggested-by: Paul Mackerras +Signed-off-by: Thomas Huth +Acked-by: Paul Mackerras +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/reg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/include/asm/reg.h ++++ b/arch/powerpc/include/asm/reg.h +@@ -715,7 +715,7 @@ + #define MMCR0_FCWAIT 0x00000002UL /* freeze counter in WAIT state */ + #define MMCR0_FCHV 0x00000001UL /* freeze conditions in hypervisor mode */ + #define SPRN_MMCR1 798 +-#define SPRN_MMCR2 769 ++#define SPRN_MMCR2 785 + #define SPRN_MMCRA 0x312 + #define MMCRA_SDSYNC 0x80000000UL /* SDAR synced with SIAR */ + #define MMCRA_SDAR_DCACHE_MISS 0x40000000UL diff --git a/queue-4.6/proc-prevent-stacking-filesystems-on-top.patch b/queue-4.6/proc-prevent-stacking-filesystems-on-top.patch new file mode 100644 index 00000000000..83e1e0e55f5 --- /dev/null +++ b/queue-4.6/proc-prevent-stacking-filesystems-on-top.patch 
@@ -0,0 +1,41 @@ +From e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 1 Jun 2016 11:55:05 +0200 +Subject: proc: prevent stacking filesystems on top + +From: Jann Horn + +commit e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9 upstream. + +This prevents stacking filesystems (ecryptfs and overlayfs) from using +procfs as lower filesystem. There is too much magic going on inside +procfs, and there is no good reason to stack stuff on top of procfs. + +(For example, procfs does access checks in VFS open handlers, and +ecryptfs by design calls open handlers from a kernel thread that doesn't +drop privileges or so.) + +Signed-off-by: Jann Horn +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/root.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/proc/root.c ++++ b/fs/proc/root.c +@@ -121,6 +121,13 @@ static struct dentry *proc_mount(struct + if (IS_ERR(sb)) + return ERR_CAST(sb); + ++ /* ++ * procfs isn't actually a stacking filesystem; however, there is ++ * too much magic going on inside it to permit stacking things on ++ * top of it ++ */ ++ sb->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH; ++ + if (!proc_parse_options(options, ns)) { + deactivate_locked_super(sb); + return ERR_PTR(-EINVAL); diff --git a/queue-4.6/s390-bpf-fix-recache-skb-data-hlen-for-skb_vlan_push-pop.patch b/queue-4.6/s390-bpf-fix-recache-skb-data-hlen-for-skb_vlan_push-pop.patch new file mode 100644 index 00000000000..c29565b5dc2 --- /dev/null +++ b/queue-4.6/s390-bpf-fix-recache-skb-data-hlen-for-skb_vlan_push-pop.patch 
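Review bot: The comment added in proc_mount() justifies `sb->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH;` only with "too much magic", which will not tell a later maintainer what breaks if the line is removed. The commit description has the concrete reason and it belongs next to the code, for example `/* procfs open handlers do access checks on the caller; a stacking fs may invoke them from a kernel thread that has not dropped privileges */`. The comment should also say that the maximum depth is used as a "never usable as a lower layer" marker and not as a real depth. This assumes the stacking filesystems refuse a lower superblock already at that depth, a check that is outside this hunk. proc_mount() starts before the hunk and continues after it.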
@@ -0,0 +1,61 @@ +From 6edf0aa4f8bbdfbb4d6d786892fa02728d05dc36 Mon Sep 17 00:00:00 2001 +From: Michael Holzheu +Date: Wed, 11 May 2016 21:13:13 +0200 +Subject: s390/bpf: fix recache skb->data/hlen for skb_vlan_push/pop + +From: Michael Holzheu + +commit 6edf0aa4f8bbdfbb4d6d786892fa02728d05dc36 upstream. + +In case of usage of skb_vlan_push/pop, in the prologue we store +the SKB pointer on the stack and restore it after BPF_JMP_CALL +to skb_vlan_push/pop. + +Unfortunately currently there are two bugs in the code: + + 1) The wrong stack slot (offset 170 instead of 176) is used + 2) The wrong register (W1 instead of B1) is saved + +So fix this and use correct stack slot and register. + +Fixes: 9db7f2b81880 ("s390/bpf: recache skb->data/hlen for skb_vlan_push/pop") +Signed-off-by: Michael Holzheu +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/net/bpf_jit.h | 4 ++-- + arch/s390/net/bpf_jit_comp.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/s390/net/bpf_jit.h ++++ b/arch/s390/net/bpf_jit.h +@@ -37,7 +37,7 @@ extern u8 sk_load_word[], sk_load_half[] + * | | | + * +---------------+ | + * | 8 byte skbp | | +- * R15+170 -> +---------------+ | ++ * R15+176 -> +---------------+ | + * | 8 byte hlen | | + * R15+168 -> +---------------+ | + * | 4 byte align | | +@@ -58,7 +58,7 @@ extern u8 sk_load_word[], sk_load_half[] + #define STK_OFF (STK_SPACE - STK_160_UNUSED) + #define STK_OFF_TMP 160 /* Offset of tmp buffer on stack */ + #define STK_OFF_HLEN 168 /* Offset of SKB header length on stack */ +-#define STK_OFF_SKBP 170 /* Offset of SKB pointer on stack */ ++#define STK_OFF_SKBP 176 /* Offset of SKB pointer on stack */ + + #define STK_OFF_R6 (160 - 11 * 8) /* Offset of r6 on stack */ + #define STK_OFF_TCCNT (160 - 12 * 8) /* Offset of tail_call_cnt on stack */ +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -446,7 +446,7 @@ static void bpf_jit_prologue(struct bpf_ + 
emit_load_skb_data_hlen(jit); + if (jit->seen & SEEN_SKB_CHANGE) + /* stg %b1,ST_OFF_SKBP(%r0,%r15) */ +- EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0, REG_15, ++ EMIT6_DISP_LH(0xe3000000, 0x0024, BPF_REG_1, REG_0, REG_15, + STK_OFF_SKBP); + } + diff --git a/queue-4.6/s390-bpf-reduce-maximum-program-size-to-64-kb.patch b/queue-4.6/s390-bpf-reduce-maximum-program-size-to-64-kb.patch new file mode 100644 index 00000000000..e53d9c13e92 --- /dev/null +++ b/queue-4.6/s390-bpf-reduce-maximum-program-size-to-64-kb.patch @@ -0,0 +1,38 @@ +From 0fa963553a5c28d8f8aabd8878326d3f782045fc Mon Sep 17 00:00:00 2001 +From: Michael Holzheu +Date: Thu, 12 May 2016 18:10:48 +0200 +Subject: s390/bpf: reduce maximum program size to 64 KB + +From: Michael Holzheu + +commit 0fa963553a5c28d8f8aabd8878326d3f782045fc upstream. + +The s390 BFP compiler currently uses relative branch instructions +that only support jumps up to 64 KB. Examples are "j", "jnz", "cgrj", +etc. Currently the maximum size of s390 BPF programs is set +to 0x7ffff. If branches over 64 KB are generated the, kernel can +crash due to incorrect code. + +So fix this an reduce the maximum size to 64 KB. Programs larger than +that will be interpreted. + +Fixes: ce2b6ad9c185 ("s390/bpf: increase BPF_SIZE_MAX") +Signed-off-by: Michael Holzheu +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/net/bpf_jit_comp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -45,7 +45,7 @@ struct bpf_jit { + int labels[1]; /* Labels for local jumps */ + }; + +-#define BPF_SIZE_MAX 0x7ffff /* Max size for program (20 bit signed displ) */ ++#define BPF_SIZE_MAX 0xffff /* Max size for program (16 bit branches) */ + + #define SEEN_SKB 1 /* skb access */ + #define SEEN_MEM 2 /* use mem[] for temporary storage */ 
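Review bot: `STK_OFF_SKBP` in bpf_jit.h remains an independent literal beside `STK_OFF_HLEN 168`, which is how the old value 170 put an 8-byte slot on top of the 8-byte hlen slot at an address that is not 8-byte aligned. Deriving it keeps the two slots from overlapping again: `#define STK_OFF_SKBP (STK_OFF_HLEN + 8) /* Offset of SKB pointer on stack */`. In bpf_jit_comp.c the context comment above the changed EMIT6_DISP_LH line still spells the operand `ST_OFF_SKBP`. It should read `STK_OFF_SKBP` so that a search for the macro finds the store. bpf_jit_prologue() begins outside the hunk.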
diff --git a/queue-4.6/sched-panic-on-corrupted-stack-end.patch b/queue-4.6/sched-panic-on-corrupted-stack-end.patch new file mode 100644 index 00000000000..1a46833b66d --- /dev/null +++ b/queue-4.6/sched-panic-on-corrupted-stack-end.patch @@ -0,0 +1,37 @@ +From 29d6455178a09e1dc340380c582b13356227e8df Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 1 Jun 2016 11:55:07 +0200 +Subject: sched: panic on corrupted stack end + +From: Jann Horn + +commit 29d6455178a09e1dc340380c582b13356227e8df upstream. + +Until now, hitting this BUG_ON caused a recursive oops (because oops +handling involves do_exit(), which calls into the scheduler, which in +turn raises an oops), which caused stuff below the stack to be +overwritten until a panic happened (e.g. via an oops in interrupt +context, caused by the overwritten CPU index in the thread_info). + +Just panic directly. + +Signed-off-by: Jann Horn +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -3047,7 +3047,8 @@ static noinline void __schedule_bug(stru + static inline void schedule_debug(struct task_struct *prev) + { + #ifdef CONFIG_SCHED_STACK_END_CHECK +- BUG_ON(task_stack_end_corrupted(prev)); ++ if (task_stack_end_corrupted(prev)) ++ panic("corrupted stack end detected inside scheduler\n"); + #endif + + if (unlikely(in_atomic_preempt_off())) { diff --git a/queue-4.6/series b/queue-4.6/series index ae7b13d7ef2..6d8a6339992 100644 --- a/queue-4.6/series +++ b/queue-4.6/series 
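Review bot: Nothing at the new `panic()` call in schedule_debug() records why this check avoids BUG_ON(), so a later cleanup could easily convert it back. A one-line comment would keep the reasoning from the description beside the code: `/* an oops here re-enters the scheduler via do_exit() and keeps overwriting memory below the stack; panic directly */`. The function continues past the end of the hunk.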
@@ -24,3 +24,40 @@ tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch bridge-don-t-insert-unnecessary-local-fdb-entry-on-changing-mac-address.patch l2tp-fix-configuration-passed-to-setup_udp_tunnel_sock.patch ipv6-skip-xfrm-lookup-if-dst_entry-in-socket-cache-is-valid.patch +kvm-arm-arm64-vgic-v2-clear-all-dirty-lrs.patch +kvm-arm-arm64-vgic-v3-clear-all-dirty-lrs.patch +kvm-x86-fix-oops-after-invalid-kvm_set_debugregs.patch +kvm-irqfd-fix-null-pointer-dereference-in-kvm_irq_map_gsi.patch +drivers-perf-arm_pmu-defer-the-setting-of-__oprofile_cpu_pmu.patch +alsa-hda-add-pci-id-for-kabylake.patch +alsa-hda-fix-headset-mic-detection-problem-for-dell-machine.patch +alsa-hda-realtek-alc256-speaker-noise-issue.patch +alsa-hda-realtek-add-support-for-new-codecs-alc700-alc701-alc703.patch +alsa-hda-realtek-add-t560-docking-unit-fixup.patch +arm-fix-ptrace_setvfpregs-on-smp-systems.patch +gpio-bail-out-silently-on-null-descriptors.patch +gpio-bcm-kona-fix-bcm_kona_gpio_reset-warnings.patch +gpiolib-fix-null-pointer-deference.patch +gpiolib-fix-unaligned-used-of-reference-counters.patch +s390-bpf-fix-recache-skb-data-hlen-for-skb_vlan_push-pop.patch +s390-bpf-reduce-maximum-program-size-to-64-kb.patch +irqchip-gic-v3-fix-icc_sgi1r_el1.intid-decoding-mask.patch +crypto-public_key-select-crypto_akcipher.patch +crypto-ccp-fix-aes-xts-error-for-request-sizes-above-4096.patch +arm64-provide-model-name-in-proc-cpuinfo-for-per_linux32-tasks.patch +arm64-mm-always-take-dirty-state-from-new-pte-in-ptep_set_access_flags.patch +powerpc-pseries-eeh-handle-rtas-delay-requests-in-configure_bridge.patch +powerpc-fix-definition-of-siar-and-sdar-registers.patch +powerpc-use-privileged-spr-number-for-mmcr2.patch +powerpc-pseries-add-power8nvl-support-to-ibm-client-architecture-support-call.patch +powerpc-mm-hash-fix-the-reference-bit-update-when-handling-hash-fault.patch +pinctrl-mediatek-fix-dual-edge-code-defect.patch +parisc-fix-pagefault-crash-in-unaligned-__get_user-call.patch 
+memcg-add-rcu-locking-around-css_for_each_descendant_pre-in-memcg_offline_kmem.patch +ecryptfs-forbid-opening-files-without-mmap-handler.patch +wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch +mm-thp-broken-page-count-after-commit-aa88b68c3b1d.patch +x86-entry-traps-don-t-force-in_interrupt-to-return-true-in-ist-handlers.patch +proc-prevent-stacking-filesystems-on-top.patch +sched-panic-on-corrupted-stack-end.patch +fix-d_walk-non-delayed-__d_free-race.patch diff --git a/queue-4.6/wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch b/queue-4.6/wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch new file mode 100644 index 00000000000..36ed2c5abf1 --- /dev/null +++ b/queue-4.6/wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch 
@@ -0,0 +1,68 @@ +From 3d5fdff46c4b2b9534fa2f9fc78e90a48e0ff724 Mon Sep 17 00:00:00 2001 +From: Prasun Maiti +Date: Mon, 6 Jun 2016 20:04:19 +0530 +Subject: wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel + +From: Prasun Maiti + +commit 3d5fdff46c4b2b9534fa2f9fc78e90a48e0ff724 upstream. + +iwpriv app uses iw_point structure to send data to Kernel. The iw_point +structure holds a pointer. For compatibility Kernel converts the pointer +as required for WEXT IOCTLs (SIOCIWFIRST to SIOCIWLAST). Some drivers +may use iw_handler_def.private_args to populate iwpriv commands instead +of iw_handler_def.private. For those case, the IOCTLs from +SIOCIWFIRSTPRIV to SIOCIWLASTPRIV will follow the path ndo_do_ioctl(). +Accordingly when the filled up iw_point structure comes from 32 bit +iwpriv to 64 bit Kernel, Kernel will not convert the pointer and sends +it to driver. So, the driver may get the invalid data. + +The pointer conversion for the IOCTLs (SIOCIWFIRSTPRIV to +SIOCIWLASTPRIV), which follow the path ndo_do_ioctl(), is mandatory. +This patch adds pointer conversion from 32 bit to 64 bit and vice versa, +if the ioctl comes from 32 bit iwpriv to 64 bit Kernel. 
+ +Signed-off-by: Prasun Maiti +Signed-off-by: Ujjal Roy +Tested-by: Dibyajyoti Ghosh +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/wext-core.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +--- a/net/wireless/wext-core.c ++++ b/net/wireless/wext-core.c +@@ -955,8 +955,29 @@ static int wireless_process_ioctl(struct + return private(dev, iwr, cmd, info, handler); + } + /* Old driver API : call driver ioctl handler */ +- if (dev->netdev_ops->ndo_do_ioctl) +- return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd); ++ if (dev->netdev_ops->ndo_do_ioctl) { ++#ifdef CONFIG_COMPAT ++ if (info->flags & IW_REQUEST_FLAG_COMPAT) { ++ int ret = 0; ++ struct iwreq iwr_lcl; ++ struct compat_iw_point *iwp_compat = (void *) &iwr->u.data; ++ ++ memcpy(&iwr_lcl, iwr, sizeof(struct iwreq)); ++ iwr_lcl.u.data.pointer = compat_ptr(iwp_compat->pointer); ++ iwr_lcl.u.data.length = iwp_compat->length; ++ iwr_lcl.u.data.flags = iwp_compat->flags; ++ ++ ret = dev->netdev_ops->ndo_do_ioctl(dev, (void *) &iwr_lcl, cmd); ++ ++ iwp_compat->pointer = ptr_to_compat(iwr_lcl.u.data.pointer); ++ iwp_compat->length = iwr_lcl.u.data.length; ++ iwp_compat->flags = iwr_lcl.u.data.flags; ++ ++ return ret; ++ } else ++#endif ++ return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd); ++ } + return -EOPNOTSUPP; + } + diff --git a/queue-4.6/x86-entry-traps-don-t-force-in_interrupt-to-return-true-in-ist-handlers.patch b/queue-4.6/x86-entry-traps-don-t-force-in_interrupt-to-return-true-in-ist-handlers.patch new file mode 100644 index 00000000000..4231bb03312 --- /dev/null +++ b/queue-4.6/x86-entry-traps-don-t-force-in_interrupt-to-return-true-in-ist-handlers.patch 
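Review bot: The compat branch added to wireless_process_ioctl() reinterprets `iwr->u.data` as a `struct compat_iw_point` for every command that falls through to `ndo_do_ioctl` with IW_REQUEST_FLAG_COMPAT set. Nothing in the hunk limits it to SIOCIWFIRSTPRIV..SIOCIWLASTPRIV, which is the range the description talks about. For a command whose union member is not an iw_point, the pointer, length and flags fields would be rewritten on the way in and again on the way back, so the driver would see altered arguments and user space altered results; whether such commands can reach this path depends on code outside the hunk. If only private ioctls are meant, the test can say so: `if ((info->flags & IW_REQUEST_FLAG_COMPAT) && cmd >= SIOCIWFIRSTPRIV && cmd <= SIOCIWLASTPRIV) {`. The `} else` that is completed only after `#endif` is also fragile; returning from the compat block and leaving a plain `return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);` after the `#endif` is harder to break.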
@@ -0,0 +1,96 @@ +From aaee8c3c5cce2d9107310dd9f3026b4f901d441c Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Tue, 24 May 2016 15:54:04 -0700 +Subject: x86/entry/traps: Don't force in_interrupt() to return true in IST handlers + +From: Andy Lutomirski + +commit aaee8c3c5cce2d9107310dd9f3026b4f901d441c upstream. + +Forcing in_interrupt() to return true if we're not in a bona fide +interrupt confuses the softirq code. This fixes warnings like: + + NOHZ: local_softirq_pending 282 + +... which can happen when running things like selftests/x86. + +This will change perf's static percpu buffer usage in IST context. +I think this is okay, and it's changing the behavior to match +historical (pre-4.0) behavior. + +Signed-off-by: Andy Lutomirski +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Oleg Nesterov +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 959274753857 ("x86, traps: Track entry into and exit from IST context") +Link: http://lkml.kernel.org/r/cdc215f94d118d691d73df35275022331156fb45.1464130360.git.luto@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/traps.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/arch/x86/kernel/traps.c ++++ b/arch/x86/kernel/traps.c +@@ -95,6 +95,12 @@ static inline void cond_local_irq_disabl + local_irq_disable(); + } + ++/* ++ * In IST context, we explicitly disable preemption. This serves two ++ * purposes: it makes it much less likely that we would accidentally ++ * schedule in IST context and it will force a warning if we somehow ++ * manage to schedule by accident. 
++ */ + void ist_enter(struct pt_regs *regs) + { + if (user_mode(regs)) { +@@ -109,13 +115,7 @@ void ist_enter(struct pt_regs *regs) + rcu_nmi_enter(); + } + +- /* +- * We are atomic because we're on the IST stack; or we're on +- * x86_32, in which case we still shouldn't schedule; or we're +- * on x86_64 and entered from user mode, in which case we're +- * still atomic unless ist_begin_non_atomic is called. +- */ +- preempt_count_add(HARDIRQ_OFFSET); ++ preempt_disable(); + + /* This code is a bit fragile. Test it. */ + RCU_LOCKDEP_WARN(!rcu_is_watching(), "ist_enter didn't work"); +@@ -123,7 +123,7 @@ void ist_enter(struct pt_regs *regs) + + void ist_exit(struct pt_regs *regs) + { +- preempt_count_sub(HARDIRQ_OFFSET); ++ preempt_enable_no_resched(); + + if (!user_mode(regs)) + rcu_nmi_exit(); +@@ -154,7 +154,7 @@ void ist_begin_non_atomic(struct pt_regs + BUG_ON((unsigned long)(current_top_of_stack() - + current_stack_pointer()) >= THREAD_SIZE); + +- preempt_count_sub(HARDIRQ_OFFSET); ++ preempt_enable_no_resched(); + } + + /** +@@ -164,7 +164,7 @@ void ist_begin_non_atomic(struct pt_regs + */ + void ist_end_non_atomic(void) + { +- preempt_count_add(HARDIRQ_OFFSET); ++ preempt_disable(); + } + + static nokprobe_inline int -- 2.47.3