From d34bfebbd66a628812c6c3902cca7c283032cf13 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sat, 13 Feb 2016 14:50:02 -0800 Subject: [PATCH] 3.10-stable patches added patches: fix-calculation-of-meta_bg-descriptor-backups.patch jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch media-vb2-dma-contig-fully-cache-synchronise-buffers-in-prepare-and-finish.patch mtd-mtdpart-fix-add_mtd_partitions-error-path.patch parisc-drop-unused-madv_xxxk_pages-flags-from-asm-mman.h.patch parisc-fix-__arch_si_preamble_size.patch parisc-fix-syscall-restarts.patch revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch spi-atmel-fix-dma-setup-for-transfers-with-more-than-8-bits-per-word.patch spi-fix-parent-device-reference-leak.patch v4l2-compat-ioctl32-fix-alignment-for-arm64.patch vtpm-fix-memory-allocation-flag-for-rtce-buffer-at-kernel-boot.patch wlcore-wl12xx-spi-fix-null-pointer-dereference-oops.patch wlcore-wl12xx-spi-fix-oops-on-firmware-load.patch --- ...lation-of-meta_bg-descriptor-backups.patch | 53 ++++++ ...-after-truncate-in-data-journal-mode.patch | 62 +++++++ ...ronise-buffers-in-prepare-and-finish.patch | 48 +++++ ...rt-fix-add_mtd_partitions-error-path.patch | 36 ++++ ...adv_xxxk_pages-flags-from-asm-mman.h.patch | 38 ++++ .../parisc-fix-__arch_si_preamble_size.patch | 38 ++++ queue-3.10/parisc-fix-syscall-restarts.patch | 130 +++++++++++++ ...-stalls-when-handling-invalid-ioctls.patch | 173 ++++++++++++++++++ queue-3.10/series | 14 ++ ...sfers-with-more-than-8-bits-per-word.patch | 34 ++++ ...spi-fix-parent-device-reference-leak.patch | 36 ++++ ...mpat-ioctl32-fix-alignment-for-arm64.patch | 66 +++++++ ...-flag-for-rtce-buffer-at-kernel-boot.patch | 35 ++++ ...pi-fix-null-pointer-dereference-oops.patch | 101 ++++++++++ ...wl12xx-spi-fix-oops-on-firmware-load.patch | 117 ++++++++++++ 15 files changed, 981 insertions(+) create mode 100644 queue-3.10/fix-calculation-of-meta_bg-descriptor-backups.patch create mode 100644 queue-3.10/jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch create 
mode 100644 queue-3.10/media-vb2-dma-contig-fully-cache-synchronise-buffers-in-prepare-and-finish.patch
create mode 100644 queue-3.10/mtd-mtdpart-fix-add_mtd_partitions-error-path.patch
create mode 100644 queue-3.10/parisc-drop-unused-madv_xxxk_pages-flags-from-asm-mman.h.patch
create mode 100644 queue-3.10/parisc-fix-__arch_si_preamble_size.patch
create mode 100644 queue-3.10/parisc-fix-syscall-restarts.patch
create mode 100644 queue-3.10/revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch
create mode 100644 queue-3.10/spi-atmel-fix-dma-setup-for-transfers-with-more-than-8-bits-per-word.patch
create mode 100644 queue-3.10/spi-fix-parent-device-reference-leak.patch
create mode 100644 queue-3.10/v4l2-compat-ioctl32-fix-alignment-for-arm64.patch
create mode 100644 queue-3.10/vtpm-fix-memory-allocation-flag-for-rtce-buffer-at-kernel-boot.patch
create mode 100644 queue-3.10/wlcore-wl12xx-spi-fix-null-pointer-dereference-oops.patch
create mode 100644 queue-3.10/wlcore-wl12xx-spi-fix-oops-on-firmware-load.patch
diff --git a/queue-3.10/fix-calculation-of-meta_bg-descriptor-backups.patch b/queue-3.10/fix-calculation-of-meta_bg-descriptor-backups.patch
new file mode 100644
index 00000000000..b281a8931f7
--- /dev/null
+++ b/queue-3.10/fix-calculation-of-meta_bg-descriptor-backups.patch
@@ -0,0 +1,53 @@
+From 904dad4742d211b7a8910e92695c0fa957483836 Mon Sep 17 00:00:00 2001
+From: Andy Leiserson
+Date: Sun, 18 Oct 2015 00:36:29 -0400
+Subject: [PATCH] fix calculation of meta_bg descriptor backups
+
+From: Andy Leiserson
+
+commit 904dad4742d211b7a8910e92695c0fa957483836 upstream.
+
+"group" is the group where the backup will be placed, and is
+initialized to zero in the declaration. This meant that backups for
+meta_bg descriptors were erroneously written to the backup block group
+descriptors in groups 1 and (desc_per_block-1).
+
+Reproduction information:
+ mke2fs -Fq -t ext4 -b 1024 -O ^resize_inode /tmp/foo.img 16G
+ truncate -s 24G /tmp/foo.img
+ losetup /dev/loop0 /tmp/foo.img
+ mount /dev/loop0 /mnt
+ resize2fs /dev/loop0
+ umount /dev/loop0
+ dd if=/dev/zero of=/dev/loop0 bs=1024 count=2
+ e2fsck -fy /dev/loop0
+ losetup -d /dev/loop0
+
+Signed-off-by: Andy Leiserson
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/resize.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1025,7 +1025,7 @@ exit_free:
+ * do not copy the full number of backups at this time. The resize
+ * which changed s_groups_count will backup again.
+ */
+-static void update_backups(struct super_block *sb, int blk_off, char *data,
++static void update_backups(struct super_block *sb, sector_t blk_off, char *data,
+ int size, int meta_bg)
+ {
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+@@ -1050,7 +1050,7 @@ static void update_backups(struct super_
+ group = ext4_list_backups(sb, &three, &five, &seven);
+ last = sbi->s_groups_count;
+ } else {
+- group = ext4_meta_bg_first_group(sb, group) + 1;
++ group = ext4_get_group_number(sb, blk_off) + 1;
+ last = (ext4_group_t)(group + EXT4_DESC_PER_BLOCK(sb) - 2);
+ }
+
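Review bot: In `update_backups()` the retyped `blk_off` parameter now carries two meanings depending on `meta_bg`, and the visible comment block above the function does not say so. In the `else` branch it is handed to `ext4_get_group_number(sb, blk_off)`, i.e. treated as an absolute filesystem block number, while the old name and `int` type suggest an offset in the other branch (that use is outside the hunk, so confirm). I would extend the function comment with a line such as `@blk_off: absolute block number of the descriptor block when meta_bg is set, otherwise the offset inside each backup group`. Callers that still compute the argument as `int` should be checked for truncation now that the parameter is `sector_t`; they are not visible here.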
diff --git a/queue-3.10/jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch b/queue-3.10/jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch
new file mode 100644
index 00000000000..877c5b1d0f5
--- /dev/null
+++ b/queue-3.10/jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch
@@ -0,0 +1,62 @@
+From bc23f0c8d7ccd8d924c4e70ce311288cb3e61ea8 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Tue, 24 Nov 2015 15:34:35 -0500
+Subject: jbd2: Fix unreclaimed pages after truncate in data=journal mode
+
+From: Jan Kara
+
+commit bc23f0c8d7ccd8d924c4e70ce311288cb3e61ea8 upstream.
+
+Ted and Namjae have reported that truncated pages don't get timely
+reclaimed after being truncated in data=journal mode. The following test
+triggers the issue easily:
+
+for (i = 0; i < 1000; i++) {
+ pwrite(fd, buf, 1024*1024, 0);
+ fsync(fd);
+ fsync(fd);
+ ftruncate(fd, 0);
+}
+
+The reason is that journal_unmap_buffer() finds that truncated buffers
+are not journalled (jh->b_transaction == NULL), they are part of
+checkpoint list of a transaction (jh->b_cp_transaction != NULL) and have
+been already written out (!buffer_dirty(bh)). We clean such buffers but
+we leave them in the checkpoint list. Since checkpoint transaction holds
+a reference to the journal head, these buffers cannot be released until
+the checkpoint transaction is cleaned up. And at that point we don't
+call release_buffer_page() anymore so pages detached from mapping are
+lingering in the system waiting for reclaim to find them and free them.
+
+Fix the problem by removing buffers from transaction checkpoint lists
+when journal_unmap_buffer() finds out they don't have to be there
+anymore.
+
+Reported-and-tested-by: Namjae Jeon
+Fixes: de1b794130b130e77ffa975bb58cb843744f9ae5
+Signed-off-by: Jan Kara
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/jbd2/transaction.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -1936,6 +1936,7 @@ static int journal_unmap_buffer(journal_
+
+ if (!buffer_dirty(bh)) {
+ /* bdflush has written it. We can drop it now */
++ __jbd2_journal_remove_checkpoint(jh);
+ goto zap_buffer;
+ }
+
+@@ -1965,6 +1966,7 @@ static int journal_unmap_buffer(journal_
+ /* The orphan record's transaction has
+ * committed. We can cleanse this buffer */
+ clear_buffer_jbddirty(bh);
++ __jbd2_journal_remove_checkpoint(jh);
+ goto zap_buffer;
+ }
+ }
diff --git a/queue-3.10/media-vb2-dma-contig-fully-cache-synchronise-buffers-in-prepare-and-finish.patch b/queue-3.10/media-vb2-dma-contig-fully-cache-synchronise-buffers-in-prepare-and-finish.patch
new file mode 100644
index 00000000000..0da1da7adef
--- /dev/null
+++ b/queue-3.10/media-vb2-dma-contig-fully-cache-synchronise-buffers-in-prepare-and-finish.patch
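Review bot: Both added `__jbd2_journal_remove_checkpoint(jh)` calls in `journal_unmap_buffer()` rely on preconditions that are not stated at either call site: the helper is meant to run with the journal list lock held, and it only has something to remove when `jh->b_cp_transaction` is set. The commit message establishes the second condition for the `!buffer_dirty(bh)` path, but for the "orphan record's transaction has committed" path it is only implied. A short comment on each call, e.g. `/* still linked on a checkpoint list; unlink so the page can be released */`, would keep that reasoning next to the code. The helper's return value is discarded in both places, which looks deliberate but is worth a word as well. The function body starts and ends outside both hunks, so the locking state has to be confirmed against the full function in the 3.10 tree.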
@@ -0,0 +1,48 @@
+From d9a985883fa32453d099d6293188c11d75cef1fa Mon Sep 17 00:00:00 2001
+From: Tiffany Lin
+Date: Thu, 24 Sep 2015 06:02:36 -0300
+Subject: [media] media: vb2 dma-contig: Fully cache synchronise buffers in prepare and finish
+
+From: Tiffany Lin
+
+commit d9a985883fa32453d099d6293188c11d75cef1fa upstream.
+
+In videobuf2 dma-contig memory type the prepare and finish ops, instead of
+passing the number of entries in the original scatterlist as the "nents"
+parameter to dma_sync_sg_for_device() and dma_sync_sg_for_cpu(), the value
+returned by dma_map_sg() was used. Albeit this has been suggested in
+comments of some implementations (which have since been corrected), this
+is wrong.
+
+Fixes: 199d101efdba ("v4l: vb2-dma-contig: add prepare/finish to dma-contig allocator")
+
+Signed-off-by: Tiffany Lin
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/v4l2-core/videobuf2-dma-contig.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-dma-contig.c
++++ b/drivers/media/v4l2-core/videobuf2-dma-contig.c
+@@ -117,7 +117,8 @@ static void vb2_dc_prepare(void *buf_pri
+ if (!sgt || buf->db_attach)
+ return;
+
+- dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir);
++ dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->orig_nents,
++ buf->dma_dir);
+ }
+
+ static void vb2_dc_finish(void *buf_priv)
+@@ -129,7 +130,7 @@ static void vb2_dc_finish(void *buf_priv
+ if (!sgt || buf->db_attach)
+ return;
+
+- dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir);
++ dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->orig_nents, buf->dma_dir);
+ }
+
+ /*********************************************/
diff --git a/queue-3.10/mtd-mtdpart-fix-add_mtd_partitions-error-path.patch b/queue-3.10/mtd-mtdpart-fix-add_mtd_partitions-error-path.patch
new file mode 100644
index 00000000000..5784a99bd42
--- /dev/null
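Review bot: The sync calls in `vb2_dc_prepare()` and `vb2_dc_finish()` carry no comment explaining why `sgt->orig_nents` is the right count, and the commit message itself notes that other implementations once recommended the opposite. Without a note at the call site this is easy to "correct" back to `sgt->nents`, which would again leave part of the buffer unsynchronised between CPU and device. I would put one line above each call, e.g. `/* sync takes the entry count passed to dma_map_sg(), not the count it returned */`. Both functions begin outside their hunks.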
+++ b/queue-3.10/mtd-mtdpart-fix-add_mtd_partitions-error-path.patch
@@ -0,0 +1,36 @@
+From e5bae86797141e4a95e42d825f737cb36d7b8c37 Mon Sep 17 00:00:00 2001
+From: Boris BREZILLON
+Date: Thu, 30 Jul 2015 12:18:03 +0200
+Subject: mtd: mtdpart: fix add_mtd_partitions error path
+
+From: Boris BREZILLON
+
+commit e5bae86797141e4a95e42d825f737cb36d7b8c37 upstream.
+
+If we fail to allocate a partition structure in the middle of the partition
+creation process, the already allocated partitions are never removed, which
+means they are still present in the partition list and their resources are
+never freed.
+
+Signed-off-by: Boris Brezillon
+Signed-off-by: Brian Norris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/mtdpart.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/mtdpart.c
++++ b/drivers/mtd/mtdpart.c
+@@ -634,8 +634,10 @@ int add_mtd_partitions(struct mtd_info *
+
+ for (i = 0; i < nbparts; i++) {
+ slave = allocate_partition(master, parts + i, i, cur_offset);
+- if (IS_ERR(slave))
++ if (IS_ERR(slave)) {
++ del_mtd_partitions(master);
+ return PTR_ERR(slave);
++ }
+
+ mutex_lock(&mtd_partitions_mutex);
+ list_add(&slave->list, &mtd_partitions);
diff --git a/queue-3.10/parisc-drop-unused-madv_xxxk_pages-flags-from-asm-mman.h.patch b/queue-3.10/parisc-drop-unused-madv_xxxk_pages-flags-from-asm-mman.h.patch
new file mode 100644
index 00000000000..7bf0e348911
--- /dev/null
+++ b/queue-3.10/parisc-drop-unused-madv_xxxk_pages-flags-from-asm-mman.h.patch
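Review bot: The new error path in `add_mtd_partitions()` unwinds with `del_mtd_partitions(master)`, which as far as I know removes every partition registered on `master`, not just the ones added by earlier iterations of this loop. If a master can already carry partitions when this function is called (not visible in the hunk; confirm against the callers in the 3.10 tree), a mid-loop allocation failure would now tear those down too. At minimum the behaviour should be stated, e.g. `/* removes all partitions of this master, including any registered before this call */`, and the return value of `del_mtd_partitions()` is dropped without comment. The function continues beyond the hunk.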
@@ -0,0 +1,38 @@
+From dcbf0d299c00ed4f82ea8d6e359ad88a5182f9b8 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Sun, 22 Nov 2015 12:14:14 +0100
+Subject: parisc: Drop unused MADV_xxxK_PAGES flags from asm/mman.h
+
+From: Helge Deller
+
+commit dcbf0d299c00ed4f82ea8d6e359ad88a5182f9b8 upstream.
+
+Drop the MADV_xxK_PAGES flags, which were never used and were from a proposed
+API which was never integrated into the generic Linux kernel code.
+
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/include/uapi/asm/mman.h | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+--- a/arch/parisc/include/uapi/asm/mman.h
++++ b/arch/parisc/include/uapi/asm/mman.h
+@@ -46,16 +46,6 @@
+ #define MADV_DONTFORK 10 /* don't inherit across fork */
+ #define MADV_DOFORK 11 /* do inherit across fork */
+
+-/* The range 12-64 is reserved for page size specification. */
+-#define MADV_4K_PAGES 12 /* Use 4K pages */
+-#define MADV_16K_PAGES 14 /* Use 16K pages */
+-#define MADV_64K_PAGES 16 /* Use 64K pages */
+-#define MADV_256K_PAGES 18 /* Use 256K pages */
+-#define MADV_1M_PAGES 20 /* Use 1 Megabyte pages */
+-#define MADV_4M_PAGES 22 /* Use 4 Megabyte pages */
+-#define MADV_16M_PAGES 24 /* Use 16 Megabyte pages */
+-#define MADV_64M_PAGES 26 /* Use 64 Megabyte pages */
+-
+ #define MADV_MERGEABLE 65 /* KSM may merge identical pages */
+ #define MADV_UNMERGEABLE 66 /* KSM may not merge identical pages */
+
diff --git a/queue-3.10/parisc-fix-__arch_si_preamble_size.patch b/queue-3.10/parisc-fix-__arch_si_preamble_size.patch
new file mode 100644
index 00000000000..7b2b873fb0f
--- /dev/null
+++ b/queue-3.10/parisc-fix-__arch_si_preamble_size.patch
@@ -0,0 +1,38 @@
+From e60fc5aa608eb38b47ba4ee058f306f739eb70a0 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Sun, 10 Jan 2016 09:30:42 +0100
+Subject: parisc: Fix __ARCH_SI_PREAMBLE_SIZE
+
+From: Helge Deller
+
+commit e60fc5aa608eb38b47ba4ee058f306f739eb70a0 upstream.
+
+On a 64bit kernel build the compiler aligns the _sifields union in the
+struct siginfo_t on a 64bit address. The __ARCH_SI_PREAMBLE_SIZE define
+compensates for this alignment and thus fixes the wait testcase of the
+strace package.
+
+The symptoms of a wrong __ARCH_SI_PREAMBLE_SIZE value is that
+_sigchld.si_stime variable is missed to be copied and thus after a
+copy_siginfo() will have uninitialized values.
+
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/include/uapi/asm/siginfo.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/parisc/include/uapi/asm/siginfo.h
++++ b/arch/parisc/include/uapi/asm/siginfo.h
+@@ -1,6 +1,10 @@
+ #ifndef _PARISC_SIGINFO_H
+ #define _PARISC_SIGINFO_H
+
++#if defined(__LP64__)
++#define __ARCH_SI_PREAMBLE_SIZE (4 * sizeof(int))
++#endif
++
+ #include
+
+ #undef NSIGTRAP
diff --git a/queue-3.10/parisc-fix-syscall-restarts.patch b/queue-3.10/parisc-fix-syscall-restarts.patch
new file mode 100644
index 00000000000..e14da0844d3
--- /dev/null
+++ b/queue-3.10/parisc-fix-syscall-restarts.patch
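Review bot: The `__ARCH_SI_PREAMBLE_SIZE` override in `siginfo.h` is undocumented, although it only takes effect because it sits above the `#include` of the generic siginfo header, and the constant `4 * sizeof(int)` is not self-explanatory. Since the commit message ties a wrong value to part of a copied siginfo being left uninitialised, the reasoning belongs in the header. I would add a comment such as `/* must precede the generic siginfo include; on LP64 the _sifields union is 64-bit aligned, so the preamble is three ints plus padding */` (the three-int count is from the generic layout and should be confirmed).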
@@ -0,0 +1,130 @@ +From 71a71fb5374a23be36a91981b5614590b9e722c3 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Mon, 21 Dec 2015 10:03:30 +0100 +Subject: parisc: Fix syscall restarts + +From: Helge Deller + +commit 71a71fb5374a23be36a91981b5614590b9e722c3 upstream. + +On parisc syscalls which are interrupted by signals sometimes failed to +restart and instead returned -ENOSYS which in the worst case lead to +userspace crashes. +A similiar problem existed on MIPS and was fixed by commit e967ef02 +("MIPS: Fix restart of indirect syscalls"). + +On parisc the current syscall restart code assumes that all syscall +callers load the syscall number in the delay slot of the ble +instruction. That's how it is e.g. done in the unistd.h header file: + ble 0x100(%sr2, %r0) + ldi #syscall_nr, %r20 +Because of that assumption the current code never restored %r20 before +returning to userspace. + +This assumption is at least not true for code which uses the glibc +syscall() function, which instead uses this syntax: + ble 0x100(%sr2, %r0) + copy regX, %r20 +where regX depend on how the compiler optimizes the code and register +usage. + +This patch fixes this problem by adding code to analyze how the syscall +number is loaded in the delay branch and - if needed - copy the syscall +number to regX prior returning to userspace for the syscall restart. + +Signed-off-by: Helge Deller +Cc: Mathieu Desnoyers +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/signal.c | 64 +++++++++++++++++++++++++++++++++++--------- + 1 file changed, 52 insertions(+), 12 deletions(-) + +--- a/arch/parisc/kernel/signal.c ++++ b/arch/parisc/kernel/signal.c +@@ -449,6 +449,55 @@ handle_signal(unsigned long sig, siginfo + regs->gr[28]); + } + ++/* ++ * Check how the syscall number gets loaded into %r20 within ++ * the delay branch in userspace and adjust as needed. 
++ */ ++ ++static void check_syscallno_in_delay_branch(struct pt_regs *regs) ++{ ++ u32 opcode, source_reg; ++ u32 __user *uaddr; ++ int err; ++ ++ /* Usually we don't have to restore %r20 (the system call number) ++ * because it gets loaded in the delay slot of the branch external ++ * instruction via the ldi instruction. ++ * In some cases a register-to-register copy instruction might have ++ * been used instead, in which case we need to copy the syscall ++ * number into the source register before returning to userspace. ++ */ ++ ++ /* A syscall is just a branch, so all we have to do is fiddle the ++ * return pointer so that the ble instruction gets executed again. ++ */ ++ regs->gr[31] -= 8; /* delayed branching */ ++ ++ /* Get assembler opcode of code in delay branch */ ++ uaddr = (unsigned int *) ((regs->gr[31] & ~3) + 4); ++ err = get_user(opcode, uaddr); ++ if (err) ++ return; ++ ++ /* Check if delay branch uses "ldi int,%r20" */ ++ if ((opcode & 0xffff0000) == 0x34140000) ++ return; /* everything ok, just return */ ++ ++ /* Check if delay branch uses "nop" */ ++ if (opcode == INSN_NOP) ++ return; ++ ++ /* Check if delay branch uses "copy %rX,%r20" */ ++ if ((opcode & 0xffe0ffff) == 0x08000254) { ++ source_reg = (opcode >> 16) & 31; ++ regs->gr[source_reg] = regs->gr[20]; ++ return; ++ } ++ ++ pr_warn("syscall restart: %s (pid %d): unexpected opcode 0x%08x\n", ++ current->comm, task_pid_nr(current), opcode); ++} ++ + static inline void + syscall_restart(struct pt_regs *regs, struct k_sigaction *ka) + { +@@ -471,10 +520,7 @@ syscall_restart(struct pt_regs *regs, st + } + /* fallthrough */ + case -ERESTARTNOINTR: +- /* A syscall is just a branch, so all +- * we have to do is fiddle the return pointer. 
+- */ +- regs->gr[31] -= 8; /* delayed branching */ ++ check_syscallno_in_delay_branch(regs); + break; + } + } +@@ -523,15 +569,9 @@ insert_restart_trampoline(struct pt_regs + } + case -ERESTARTNOHAND: + case -ERESTARTSYS: +- case -ERESTARTNOINTR: { +- /* Hooray for delayed branching. We don't +- * have to restore %r20 (the system call +- * number) because it gets loaded in the delay +- * slot of the branch external instruction. +- */ +- regs->gr[31] -= 8; ++ case -ERESTARTNOINTR: ++ check_syscallno_in_delay_branch(regs); + return; +- } + default: + break; + } diff --git a/queue-3.10/revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch b/queue-3.10/revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch new file mode 100644 index 00000000000..7542772a653 --- /dev/null +++ b/queue-3.10/revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch 
@@ -0,0 +1,173 @@ +From 47796938c46b943d157ac8a6f9ed4e3b98b83cf4 Mon Sep 17 00:00:00 2001 +From: Mauricio Faria de Oliveira +Date: Thu, 29 Oct 2015 10:24:23 -0200 +Subject: Revert "dm mpath: fix stalls when handling invalid ioctls" + +From: Mauricio Faria de Oliveira + +commit 47796938c46b943d157ac8a6f9ed4e3b98b83cf4 upstream. + +This reverts commit a1989b330093578ea5470bea0a00f940c444c466. + +That commit introduced a regression at least for the case of the SG_IO ioctl() +running without CAP_SYS_RAWIO capability (e.g., unprivileged users) when there +are no active paths: the ioctl() fails with the ENOTTY errno immediately rather +than blocking due to queue_if_no_path until a path becomes active, for example. + +That case happens to be exercised by QEMU KVM guests with 'scsi-block' devices +(qemu "-device scsi-block" [1], libvirt "" [2]) +from multipath devices; which leads to SCSI/filesystem errors in such a guest. + +More general scenarios can hit that regression too. The following demonstration +employs a SG_IO ioctl() with a standard SCSI INQUIRY command for this objective +(some output & user changes omitted for brevity and comments added for clarity). + +Reverting that commit restores normal operation (queueing) in failing scenarios; +tested on linux-next (next-20151022). + +1) Test-case is based on sg_simple0 [3] (just SG_IO; remove SG_GET_VERSION_NUM) + + $ cat sg_simple0.c + ... see [3] ... + $ sed '/SG_GET_VERSION_NUM/,/}/d' sg_simple0.c > sgio_inquiry.c + $ gcc sgio_inquiry.c -o sgio_inquiry + +2) The ioctl() works fine with active paths present. + + # multipath -l 85ag56 + 85ag56 (...) 
dm-19 IBM ,2145 + size=60G features='1 queue_if_no_path' hwhandler='0' wp=rw + |-+- policy='service-time 0' prio=0 status=active + | |- 8:0:11:0 sdz 65:144 active undef running + | `- 9:0:9:0 sdbf 67:144 active undef running + `-+- policy='service-time 0' prio=0 status=enabled + |- 8:0:12:0 sdae 65:224 active undef running + `- 9:0:12:0 sdbo 68:32 active undef running + + $ ./sgio_inquiry /dev/mapper/85ag56 + Some of the INQUIRY command's response: + IBM 2145 0000 + INQUIRY duration=0 millisecs, resid=0 + +3) The ioctl() fails with ENOTTY errno with _no_ active paths present, + for unprivileged users (rather than blocking due to queue_if_no_path). + + # for path in $(multipath -l 85ag56 | grep -o 'sd[a-z]\+'); \ + do multipathd -k"fail path $path"; done + + # multipath -l 85ag56 + 85ag56 (...) dm-19 IBM ,2145 + size=60G features='1 queue_if_no_path' hwhandler='0' wp=rw + |-+- policy='service-time 0' prio=0 status=enabled + | |- 8:0:11:0 sdz 65:144 failed undef running + | `- 9:0:9:0 sdbf 67:144 failed undef running + `-+- policy='service-time 0' prio=0 status=enabled + |- 8:0:12:0 sdae 65:224 failed undef running + `- 9:0:12:0 sdbo 68:32 failed undef running + + $ ./sgio_inquiry /dev/mapper/85ag56 + sg_simple0: Inquiry SG_IO ioctl error: Inappropriate ioctl for device + +4) dmesg shows that scsi_verify_blk_ioctl() failed for SG_IO (0x2285); + it returns -ENOIOCTLCMD, later replaced with -ENOTTY in vfs_ioctl(). + + $ dmesg + <...> + [] device-mapper: multipath: Failing path 65:144. + [] device-mapper: multipath: Failing path 67:144. + [] device-mapper: multipath: Failing path 65:224. + [] device-mapper: multipath: Failing path 68:32. + [] sgio_inquiry: sending ioctl 2285 to a partition! + +5) The ioctl() only works if the SYS_CAP_RAWIO capability is present + (then queueing happens -- in this example, queue_if_no_path is set); + this is due to a conditional check in scsi_verify_blk_ioctl(). 
+ + # capsh --drop=cap_sys_rawio -- -c './sgio_inquiry /dev/mapper/85ag56' + sg_simple0: Inquiry SG_IO ioctl error: Inappropriate ioctl for device + + # ./sgio_inquiry /dev/mapper/85ag56 & + [1] 72830 + + # cat /proc/72830/stack + [] 0xc00000171c0df700 + [] __switch_to+0x204/0x350 + [] msleep+0x5c/0x80 + [] dm_blk_ioctl+0x70/0x170 + [] blkdev_ioctl+0x2b0/0x9b0 + [] block_ioctl+0x64/0xd0 + [] do_vfs_ioctl+0x490/0x780 + [] SyS_ioctl+0xd4/0xf0 + [] system_call+0x38/0xd0 + +6) This is the function call chain exercised in this analysis: + +SYSCALL_DEFINE3(ioctl, <...>) @ fs/ioctl.c + -> do_vfs_ioctl() + -> vfs_ioctl() + ... + error = filp->f_op->unlocked_ioctl(filp, cmd, arg); + ... + -> dm_blk_ioctl() @ drivers/md/dm.c + -> multipath_ioctl() @ drivers/md/dm-mpath.c + ... + (bdev = NULL, due to no active paths) + ... + if (!bdev || <...>) { + int err = scsi_verify_blk_ioctl(NULL, cmd); + if (err) + r = err; + } + ... + -> scsi_verify_blk_ioctl() @ block/scsi_ioctl.c + ... + if (bd && bd == bd->bd_contains) // not taken (bd = NULL) + return 0; + ... + if (capable(CAP_SYS_RAWIO)) // not taken (unprivileged user) + return 0; + ... + printk_ratelimited(KERN_WARNING + "%s: sending ioctl %x to a partition!\n" <...>); + + return -ENOIOCTLCMD; + <- + ... + return r ? : <...> + <- + ... + if (error == -ENOIOCTLCMD) + error = -ENOTTY; + out: + return error; + ... 
+ +Links: +[1] http://git.qemu.org/?p=qemu.git;a=commit;h=336a6915bc7089fb20fea4ba99972ad9a97c5f52 +[2] https://libvirt.org/formatdomain.html#elementsDisks (see 'disk' -> 'device') +[3] http://tldp.org/HOWTO/SCSI-Generic-HOWTO/pexample.html (Revision 1.2, 2002-05-03) + +Signed-off-by: Mauricio Faria de Oliveira +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-mpath.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/md/dm-mpath.c ++++ b/drivers/md/dm-mpath.c +@@ -1608,11 +1608,8 @@ static int multipath_ioctl(struct dm_tar + /* + * Only pass ioctls through if the device sizes match exactly. + */ +- if (!bdev || ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT) { +- int err = scsi_verify_blk_ioctl(NULL, cmd); +- if (err) +- r = err; +- } ++ if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT) ++ r = scsi_verify_blk_ioctl(NULL, cmd); + + if (r == -ENOTCONN && !fatal_signal_pending(current)) + queue_work(kmultipathd, &m->process_queued_ios); diff --git a/queue-3.10/series b/queue-3.10/series index dff47c627f7..7517c6fe4a5 100644 --- a/queue-3.10/series +++ b/queue-3.10/series 
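Review bot: After the revert, `i_size_read(bdev->bd_inode)` in `multipath_ioctl()` is guarded only by `!r`, so its NULL-safety depends on `r` being non-zero whenever `bdev` is still NULL. That invariant is set up earlier in the function, outside this hunk, and should be checked against the 3.10 source rather than assumed from upstream. I would make the dependency explicit with a comment such as `/* r is non-zero whenever no path was selected, so bdev is valid here */`, or keep a defensive `bdev &&` in the condition. The same condition also means `scsi_verify_blk_ioctl()` is skipped when `r` already holds an error, which is only safe as long as nothing later clears `r` and forwards the ioctl; the rest of the function is not visible here.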
@@ -8,3 +8,17 @@ kernel-signal.c-unexport-sigsuspend.patch
 ocfs2-dlm-ignore-cleaning-the-migration-mle-that-is-inuse.patch
 ocfs2-dlm-clear-refmap-bit-of-recovery-lock-while-doing-local-recovery-cleanup.patch
 sh64-fix-__nr_fgetxattr.patch
+revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch
+spi-atmel-fix-dma-setup-for-transfers-with-more-than-8-bits-per-word.patch
+spi-fix-parent-device-reference-leak.patch
+wlcore-wl12xx-spi-fix-oops-on-firmware-load.patch
+wlcore-wl12xx-spi-fix-null-pointer-dereference-oops.patch
+vtpm-fix-memory-allocation-flag-for-rtce-buffer-at-kernel-boot.patch
+mtd-mtdpart-fix-add_mtd_partitions-error-path.patch
+jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch
+fix-calculation-of-meta_bg-descriptor-backups.patch
+parisc-drop-unused-madv_xxxk_pages-flags-from-asm-mman.h.patch
+parisc-fix-syscall-restarts.patch
+parisc-fix-__arch_si_preamble_size.patch
+v4l2-compat-ioctl32-fix-alignment-for-arm64.patch
+media-vb2-dma-contig-fully-cache-synchronise-buffers-in-prepare-and-finish.patch
diff --git a/queue-3.10/spi-atmel-fix-dma-setup-for-transfers-with-more-than-8-bits-per-word.patch b/queue-3.10/spi-atmel-fix-dma-setup-for-transfers-with-more-than-8-bits-per-word.patch
new file mode 100644
index 00000000000..8e03bdc1853
--- /dev/null
+++ b/queue-3.10/spi-atmel-fix-dma-setup-for-transfers-with-more-than-8-bits-per-word.patch
@@ -0,0 +1,34 @@
+From 06515f83908d038d9e12ffa3dcca27a1b67f2de0 Mon Sep 17 00:00:00 2001
+From: David Mosberger-Tang
+Date: Tue, 20 Oct 2015 14:26:47 +0200
+Subject: spi: atmel: Fix DMA-setup for transfers with more than 8 bits per word
+
+From: David Mosberger-Tang
+
+commit 06515f83908d038d9e12ffa3dcca27a1b67f2de0 upstream.
+
+The DMA-slave configuration depends on the whether <= 8 or > 8 bits
+are transferred per word, so we need to call
+atmel_spi_dma_slave_config() with the correct value.
+
+Signed-off-by: David Mosberger
+Signed-off-by: Nicolas Ferre
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-atmel.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-atmel.c
++++ b/drivers/spi/spi-atmel.c
+@@ -594,7 +594,8 @@ static int atmel_spi_next_xfer_dma_submi
+
+ *plen = len;
+
+- if (atmel_spi_dma_slave_config(as, &slave_config, 8))
++ if (atmel_spi_dma_slave_config(as, &slave_config,
++ xfer->bits_per_word))
+ goto err_exit;
+
+ /* Send both scatterlists */
diff --git a/queue-3.10/spi-fix-parent-device-reference-leak.patch b/queue-3.10/spi-fix-parent-device-reference-leak.patch
new file mode 100644
index 00000000000..5d3cced0d07
--- /dev/null
+++ b/queue-3.10/spi-fix-parent-device-reference-leak.patch
@@ -0,0 +1,36 @@
+From 157f38f993919b648187ba341bfb05d0e91ad2f6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 14 Dec 2015 16:16:19 +0100
+Subject: spi: fix parent-device reference leak
+
+From: Johan Hovold
+
+commit 157f38f993919b648187ba341bfb05d0e91ad2f6 upstream.
+
+Fix parent-device reference leak due to SPI-core taking an unnecessary
+reference to the parent when allocating the master structure, a
+reference that was never released.
+
+Note that driver core takes its own reference to the parent when the
+master device is registered.
+
+Fixes: 49dce689ad4e ("spi doesn't need class_device")
+Signed-off-by: Johan Hovold
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -1047,7 +1047,7 @@ struct spi_master *spi_alloc_master(stru
+ master->bus_num = -1;
+ master->num_chipselect = 1;
+ master->dev.class = &spi_master_class;
+- master->dev.parent = get_device(dev);
++ master->dev.parent = dev;
+ spi_master_set_devdata(master, &master[1]);
+
+ return master;
diff --git a/queue-3.10/v4l2-compat-ioctl32-fix-alignment-for-arm64.patch b/queue-3.10/v4l2-compat-ioctl32-fix-alignment-for-arm64.patch
new file mode 100644
index 00000000000..ca09907cfd4
--- /dev/null
+++ b/queue-3.10/v4l2-compat-ioctl32-fix-alignment-for-arm64.patch
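Review bot: With `get_device()` removed, `spi_alloc_master()` stores a bare `dev` pointer in `master->dev.parent`, and nothing at the assignment says who keeps the parent alive. The commit message explains that the driver core takes its own reference when the master is registered; I would carry that into the code as `/* no reference taken here: the driver core takes one on the parent at registration */`. For the stable backport it is also worth checking whether any 3.10 controller driver compensated for the old leak with an explicit `put_device()` on the parent, since that would now drop one reference too many; this cannot be judged from the hunk. The function starts outside the hunk.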
@@ -0,0 +1,66 @@
+From 655e9780ab913a3a06d4a164d55e3b755524186d Mon Sep 17 00:00:00 2001
+From: Andrzej Hajda
+Date: Mon, 31 Aug 2015 08:56:15 -0300
+Subject: [media] v4l2-compat-ioctl32: fix alignment for ARM64
+
+From: Andrzej Hajda
+
+commit 655e9780ab913a3a06d4a164d55e3b755524186d upstream.
+
+Alignment/padding rules on AMD64 and ARM64 differs. To allow properly match
+compatible ioctls on ARM64 kernels without breaking AMD64 some fields
+should be aligned using compat_s64 type and in one case struct should be
+unpacked.
+
+Signed-off-by: Andrzej Hajda
+[hans.verkuil@cisco.com: use compat_u64 instead of compat_s64 in v4l2_input32]
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+
+Signed-off-by: Mauro Carvalho Chehab
+
+---
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+@@ -264,7 +264,7 @@ static int put_v4l2_create32(struct v4l2
+
+ struct v4l2_standard32 {
+ __u32 index;
+- __u32 id[2]; /* __u64 would get the alignment wrong */
++ compat_u64 id;
+ __u8 name[24];
+ struct v4l2_fract frameperiod; /* Frames, not fields */
+ __u32 framelines;
+@@ -284,7 +284,7 @@ static int put_v4l2_standard32(struct v4
+ {
+ if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_standard32)) ||
+ put_user(kp->index, &up->index) ||
+- copy_to_user(up->id, &kp->id, sizeof(__u64)) ||
++ put_user(kp->id, &up->id) ||
+ copy_to_user(up->name, kp->name, 24) ||
+ copy_to_user(&up->frameperiod, &kp->frameperiod, sizeof(kp->frameperiod)) ||
+ put_user(kp->framelines, &up->framelines) ||
+@@ -576,10 +576,10 @@ struct v4l2_input32 {
+ __u32 type; /* Type of input */
+ __u32 audioset; /* Associated audios (bitfield) */
+ __u32 tuner; /* Associated tuner */
+- v4l2_std_id std;
++ compat_u64 std;
+ __u32 status;
+ __u32 reserved[4];
+-} __attribute__ ((packed));
++};
+
+ /* The 64-bit v4l2_input struct has extra padding at the end of the struct.
+ Otherwise it is identical to the 32-bit version. */
+@@ -719,6 +719,7 @@ static int put_v4l2_ext_controls32(struc
+ struct v4l2_event32 {
+ __u32 type;
+ union {
++ compat_s64 value64;
+ __u8 data[64];
+ } u;
+ __u32 pending;
diff --git a/queue-3.10/vtpm-fix-memory-allocation-flag-for-rtce-buffer-at-kernel-boot.patch b/queue-3.10/vtpm-fix-memory-allocation-flag-for-rtce-buffer-at-kernel-boot.patch
new file mode 100644
index 00000000000..63f1b4240c7
--- /dev/null
+++ b/queue-3.10/vtpm-fix-memory-allocation-flag-for-rtce-buffer-at-kernel-boot.patch
@@ -0,0 +1,35 @@
+From 60ecd86c4d985750efa0ea3d8610972b09951715 Mon Sep 17 00:00:00 2001
+From: "Hon Ching \\(Vicky\\) Lo"
+Date: Wed, 7 Oct 2015 20:11:51 -0400
+Subject: vTPM: fix memory allocation flag for rtce buffer at kernel boot
+
+From: Hon Ching \(Vicky\) Lo
+
+commit 60ecd86c4d985750efa0ea3d8610972b09951715 upstream.
+
+At ibm vtpm initialzation, tpm_ibmvtpm_probe() registers its interrupt
+handler, ibmvtpm_interrupt, which calls ibmvtpm_crq_process to allocate
+memory for rtce buffer. The current code uses 'GFP_KERNEL' as the
+type of kernel memory allocation, which resulted a warning at
+kernel/lockdep.c. This patch uses 'GFP_ATOMIC' instead so that the
+allocation is high-priority and does not sleep.
+
+Signed-off-by: Hon Ching(Vicky) Lo
+Signed-off-by: Peter Huewe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/tpm/tpm_ibmvtpm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm_ibmvtpm.c
++++ b/drivers/char/tpm/tpm_ibmvtpm.c
+@@ -529,7 +529,7 @@ static void ibmvtpm_crq_process(struct i
+ }
+ ibmvtpm->rtce_size = be16_to_cpu(crq->len);
+ ibmvtpm->rtce_buf = kmalloc(ibmvtpm->rtce_size,
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ if (!ibmvtpm->rtce_buf) {
+ dev_err(ibmvtpm->dev, "Failed to allocate memory for rtce buffer\n");
+ return;
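Review bot: The `compat_s64 value64;` member added to the union in `struct v4l2_event32` has no comment, and from the hunk it appears to exist only to give `u` 64-bit alignment rather than to be read or written. An unexplained, unused member in a user-visible compat layout is likely to be removed or reordered later, which would silently shift `pending` and everything after it; I would annotate it, e.g. `compat_s64 value64; /* alignment only: keeps u at the offset 32-bit user space expects */` (wording to be confirmed against the native struct). Related, with `__attribute__ ((packed))` gone from `struct v4l2_input32`, any copy sized by `sizeof(struct v4l2_input32)` in the get/put helpers now depends on the unpacked size; those helpers are outside the hunks and should be re-checked for the 3.10 tree.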
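Review bot: The `kmalloc()` in `ibmvtpm_crq_process()` is sized by `be16_to_cpu(crq->len)` taken straight from the CRQ message, and the only validation that follows is `if (!ibmvtpm->rtce_buf)`. A length of zero makes `kmalloc()` return `ZERO_SIZE_PTR`, which is non-NULL and passes that check, so a zero-length rtce buffer would be recorded as valid; a guard right after the size is read, `if (!ibmvtpm->rtce_size) return;` (preferably with a `dev_err()`), closes that. It is also not visible here whether a previously allocated `rtce_buf` is freed if this message is processed a second time, since the pointer is overwritten unconditionally; confirm against the full function. The function starts and ends outside the hunk.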
diff --git a/queue-3.10/wlcore-wl12xx-spi-fix-null-pointer-dereference-oops.patch b/queue-3.10/wlcore-wl12xx-spi-fix-null-pointer-dereference-oops.patch
new file mode 100644
index 00000000000..e6f0ed7288b
--- /dev/null
+++ b/queue-3.10/wlcore-wl12xx-spi-fix-null-pointer-dereference-oops.patch
@@ -0,0 +1,101 @@
+From e47301b06d5a65678690f04c2248fd181db1e59a Mon Sep 17 00:00:00 2001
+From: Uri Mashiach
+Date: Thu, 24 Dec 2015 16:05:00 +0200
+Subject: wlcore/wl12xx: spi: fix NULL pointer dereference (Oops)
+
+From: Uri Mashiach
+
+commit e47301b06d5a65678690f04c2248fd181db1e59a upstream.
+
+Fix the below Oops when trying to modprobe wlcore_spi.
+The oops occurs because the wl1271_power_{off,on}()
+function doesn't check the power() function pointer.
+
+[ 23.401447] Unable to handle kernel NULL pointer dereference at
+virtual address 00000000
+[ 23.409954] pgd = c0004000
+[ 23.412922] [00000000] *pgd=00000000
+[ 23.416693] Internal error: Oops: 80000007 [#1] SMP ARM
+[ 23.422168] Modules linked in: wl12xx wlcore mac80211 cfg80211
+musb_dsps musb_hdrc usbcore usb_common snd_soc_simple_card evdev joydev
+omap_rng wlcore_spi snd_soc_tlv320aic23_i2c rng_core snd_soc_tlv320aic23
+c_can_platform c_can can_dev snd_soc_davinci_mcasp snd_soc_edma
+snd_soc_omap omap_wdt musb_am335x cpufreq_dt thermal_sys hwmon
+[ 23.453253] CPU: 0 PID: 36 Comm: kworker/0:2 Not tainted
+4.2.0-00002-g951efee-dirty #233
+[ 23.461720] Hardware name: Generic AM33XX (Flattened Device Tree)
+[ 23.468123] Workqueue: events request_firmware_work_func
+[ 23.473690] task: de32efc0 ti: de4ee000 task.ti: de4ee000
+[ 23.479341] PC is at 0x0
+[ 23.482112] LR is at wl12xx_set_power_on+0x28/0x124 [wlcore]
+[ 23.488074] pc : [<00000000>] lr : [] psr: 60000013
+[ 23.488074] sp : de4efe50 ip : 00000002 fp : 00000000
+[ 23.500162] r10: de7cdd00 r9 : dc848800 r8 : bf27af00
+[ 23.505663] r7 : bf27a1a8 r6 : dcbd8a80 r5 : dce0e2e0 r4 :
+dce0d2e0
+[ 23.512536] r3 : 00000000 r2 : 00000000 r1 : 00000001 r0 :
+dc848810
+[ 23.519412] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM
+Segment kernel
+[ 23.527109] Control: 10c5387d Table: 9cb78019 DAC: 00000015
+[ 23.533160] Process kworker/0:2 (pid: 36, stack limit = 0xde4ee218)
+[ 23.539760] Stack: (0xde4efe50 to 0xde4f0000)
+
+[...]
+
+[ 23.665030] [] (wl12xx_set_power_on [wlcore]) from
+[] (wlcore_nvs_cb+0x118/0xa4c [wlcore])
+[ 23.675604] [] (wlcore_nvs_cb [wlcore]) from []
+(request_firmware_work_func+0x30/0x58)
+[ 23.685784] [] (request_firmware_work_func) from
+[] (process_one_work+0x1b4/0x4b4)
+[ 23.695591] [] (process_one_work) from []
+(worker_thread+0x3c/0x4a4)
+[ 23.704124] [] (worker_thread) from []
+(kthread+0xd4/0xf0)
+[ 23.711747] [] (kthread) from []
+(ret_from_fork+0x14/0x3c)
+[ 23.719357] Code: bad PC value
+[ 23.722760] ---[ end trace 981be8510db9b3a9 ]---
+
+Prevent oops by validationg power() pointer value before
+calling the function.
+
+Signed-off-by: Uri Mashiach
+Acked-by: Igor Grinberg
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ti/wlcore/io.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ti/wlcore/io.h
++++ b/drivers/net/wireless/ti/wlcore/io.h
+@@ -203,19 +203,23 @@ static inline int __must_check wlcore_wr
+
+ static inline void wl1271_power_off(struct wl1271 *wl)
+ {
+- int ret;
++ int ret = 0;
+
+ if (!test_bit(WL1271_FLAG_GPIO_POWER, &wl->flags))
+ return;
+
+- ret = wl->if_ops->power(wl->dev, false);
++ if (wl->if_ops->power)
++ ret = wl->if_ops->power(wl->dev, false);
+ if (!ret)
+ clear_bit(WL1271_FLAG_GPIO_POWER, &wl->flags);
+ }
+
+ static inline int wl1271_power_on(struct wl1271 *wl)
+ {
+- int ret = wl->if_ops->power(wl->dev, true);
++ int ret = 0;
++
++ if (wl->if_ops->power)
++ ret = wl->if_ops->power(wl->dev, true);
+ if (ret == 0)
+ set_bit(WL1271_FLAG_GPIO_POWER, &wl->flags);
+
diff --git a/queue-3.10/wlcore-wl12xx-spi-fix-oops-on-firmware-load.patch b/queue-3.10/wlcore-wl12xx-spi-fix-oops-on-firmware-load.patch
new file mode 100644
index 00000000000..9ccd5592025
--- /dev/null
+++ b/queue-3.10/wlcore-wl12xx-spi-fix-oops-on-firmware-load.patch
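Review bot: In `wl1271_power_on` and `wl1271_power_off`, a NULL `wl->if_ops->power` now falls through with `ret = 0`, so `WL1271_FLAG_GPIO_POWER` is set or cleared as if a power callback had run and succeeded. If that is the intended contract for bus glue without a power hook, it should be stated at the check, e.g. `/* power() is optional; glue without it is treated as always powered */`, so the silent success is not later mistaken for a missed error path. `wl->if_ops` itself is still dereferenced unchecked in both helpers, which is safe only if it is always set before they can be called (not visible here). The body of `wl1271_power_on` continues past the end of the hunk.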
@@ -0,0 +1,117 @@
+From 9b2761cb72dc41e1948c8a5512b4efd384eda130 Mon Sep 17 00:00:00 2001
+From: Uri Mashiach
+Date: Thu, 10 Dec 2015 15:12:56 +0200
+Subject: wlcore/wl12xx: spi: fix oops on firmware load
+
+From: Uri Mashiach
+
+commit 9b2761cb72dc41e1948c8a5512b4efd384eda130 upstream.
+
+The maximum chunks used by the function is
+(SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE + 1).
+The original commands array had space for
+(SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) commands.
+When the last chunk is used (len > 4 * WSPI_MAX_CHUNK_SIZE), the last
+command is stored outside the bounds of the commands array.
+
+Oops 5 (page fault) is generated during current wl1271 firmware load
+attempt:
+
+root@debian-armhf:~# ifconfig wlan0 up
+[ 294.312399] Unable to handle kernel paging request at virtual address
+00203fc4
+[ 294.320173] pgd = de528000
+[ 294.323028] [00203fc4] *pgd=00000000
+[ 294.326916] Internal error: Oops: 5 [#1] SMP ARM
+[ 294.331789] Modules linked in: bnep rfcomm bluetooth ipv6 arc4 wl12xx
+wlcore mac80211 musb_dsps cfg80211 musb_hdrc usbcore usb_common
+wlcore_spi omap_rng rng_core musb_am335x omap_wdt cpufreq_dt thermal_sys
+hwmon
+[ 294.351838] CPU: 0 PID: 1827 Comm: ifconfig Not tainted
+4.2.0-00002-g3e9ad27-dirty #78
+[ 294.360154] Hardware name: Generic AM33XX (Flattened Device Tree)
+[ 294.366557] task: dc9d6d40 ti: de550000 task.ti: de550000
+[ 294.372236] PC is at __spi_validate+0xa8/0x2ac
+[ 294.376902] LR is at __spi_sync+0x78/0x210
+[ 294.381200] pc : [] lr : [] psr: 60000013
+[ 294.381200] sp : de551998 ip : de5519d8 fp : 00200000
+[ 294.393242] r10: de551c8c r9 : de5519d8 r8 : de3a9000
+[ 294.398730] r7 : de3a9258 r6 : de3a9400 r5 : de551a48 r4 :
+00203fbc
+[ 294.405577] r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 :
+de3a9000
+[ 294.412420] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM
+Segment user
+[ 294.419918] Control: 10c5387d Table: 9e528019 DAC: 00000015
+[ 294.425954] Process ifconfig (pid: 1827, stack limit = 0xde550218)
+[
294.432437] Stack: (0xde551998 to 0xde552000)
+
+...
+
+[ 294.883613] [] (__spi_validate) from []
+(__spi_sync+0x78/0x210)
+[ 294.891670] [] (__spi_sync) from []
+(wl12xx_spi_raw_write+0xfc/0x148 [wlcore_spi])
+[ 294.901661] [] (wl12xx_spi_raw_write [wlcore_spi]) from
+[] (wlcore_boot_upload_firmware+0x1ec/0x458 [wlcore])
+[ 294.914038] [] (wlcore_boot_upload_firmware [wlcore]) from
+[] (wl12xx_boot+0xc10/0xfac [wl12xx])
+[ 294.925161] [] (wl12xx_boot [wl12xx]) from []
+(wl1271_op_add_interface+0x5b0/0x910 [wlcore])
+[ 294.936364] [] (wl1271_op_add_interface [wlcore]) from
+[] (ieee80211_do_open+0x44c/0xf7c [mac80211])
+[ 294.947963] [] (ieee80211_do_open [mac80211]) from
+[] (__dev_open+0xa8/0x110)
+[ 294.957307] [] (__dev_open) from []
+(__dev_change_flags+0x88/0x148)
+[ 294.965713] [] (__dev_change_flags) from []
+(dev_change_flags+0x18/0x48)
+[ 294.974576] [] (dev_change_flags) from []
+(devinet_ioctl+0x6b4/0x7d0)
+[ 294.983191] [] (devinet_ioctl) from []
+(sock_ioctl+0x1e4/0x2bc)
+[ 294.991244] [] (sock_ioctl) from []
+(do_vfs_ioctl+0x420/0x6b0)
+[ 294.999208] [] (do_vfs_ioctl) from []
+(SyS_ioctl+0x6c/0x7c)
+[ 295.006880] [] (SyS_ioctl) from []
+(ret_fast_syscall+0x0/0x54)
+[ 295.014835] Code: e1550004 e2444034 0a00007d e5953018 (e5942008)
+[ 295.021544] ---[ end trace 66ed188198f4e24e ]---
+
+Signed-off-by: Uri Mashiach
+Acked-by: Igor Grinberg
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ti/wlcore/spi.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ti/wlcore/spi.c
++++ b/drivers/net/wireless/ti/wlcore/spi.c
+@@ -72,7 +72,10 @@
+ */
+ #define SPI_AGGR_BUFFER_SIZE (4 * PAGE_SIZE)
+
+-#define WSPI_MAX_NUM_OF_CHUNKS (SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE)
++/* Maximum number of SPI write chunks */
++#define WSPI_MAX_NUM_OF_CHUNKS \
++ ((SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) + 1)
++
+
+ struct wl12xx_spi_glue {
+ struct device *dev;
+@@ -270,9 +273,10 @@
static int __must_check wl12xx_spi_raw_w
+ void *buf, size_t len, bool fixed)
+ {
+ struct wl12xx_spi_glue *glue = dev_get_drvdata(child->parent);
+- struct spi_transfer t[2 * (WSPI_MAX_NUM_OF_CHUNKS + 1)];
++ /* SPI write buffers - 2 for each chunk */
++ struct spi_transfer t[2 * WSPI_MAX_NUM_OF_CHUNKS];
+ struct spi_message m;
+- u32 commands[WSPI_MAX_NUM_OF_CHUNKS];
++ u32 commands[WSPI_MAX_NUM_OF_CHUNKS]; /* 1 command per chunk */
+ u32 *cmd;
+ u32 chunk_len;
+ int i;
-- 2.47.3
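Review bot: The corrected sizes of `t[]` and `commands[]` in `wl12xx_spi_raw_write` are safe only while `len` never exceeds `SPI_AGGR_BUFFER_SIZE`, and nothing in this hunk enforces that before the on-stack arrays are filled. The loop that writes them is outside the hunk, so if it has no hard bound already, a guard at function entry such as `if (WARN_ON(len > SPI_AGGR_BUFFER_SIZE)) return -EINVAL;` would turn an oversized request into an error rather than a write past the stack arrays. The new `WSPI_MAX_NUM_OF_CHUNKS` comment could also say where the `+ 1` comes from, e.g. `/* full chunks plus one trailing partial chunk */`, since that off-by-one is what the commit fixes.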