From f2847ecf36ab18873f2f8d018a9f6d679703e960 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 17 Oct 2015 17:32:53 -0700 Subject: [PATCH] 4.2-stable patches added patches: arm64-efi-fix-boot-crash-by-not-padding-between-efi_memory_runtime-regions.patch arm64-ftrace-fix-function_graph-tracer-panic.patch arm64-readahead-fault-retry-breaks-mmap-file-read-random-detection.patch clk-samsung-fix-cpu-clock-s-flags-checking.patch clk-ti-clk-7xx-remove-hardwired-abe-clock-configuration.patch clk-ti-fix-dual-registration-of-uart4_ick.patch clocksource-fix-abs-usage-w-64bit-values.patch cpufreq-acpi_cpufreq-prevent-crash-on-reading-freqdomain_cpus.patch dm-cache-fix-null-pointer-when-switching-from-cleaner-policy.patch dm-fix-ab-ba-deadlock-in-__dm_destroy.patch drivers-tty-require-read-access-for-controlling-terminal.patch genirq-fix-race-in-register_irq_proc.patch igb-do-not-re-init-sr-iov-during-probe.patch m68k-define-asmlinkage_protect.patch md-bitmap-don-t-pass-1-to-bitmap_storage_alloc.patch mmc-sdhci-pxav3-disable-clock-inversion-for-hs-mmc-cards.patch mmc-sdhci-pxav3-fix-error-handling-of-armada_38x_quirks.patch mmc-sdhci-pxav3-remove-broken-clock-base-quirk-for-armada-38x-sdhci-driver.patch namei-results-of-d_is_negative-should-be-checked-after-dentry-revalidation.patch net-xen-netfront-only-napi_synchronize-if-running.patch nfs-filelayout-fix-null-reference-caused-by-double-freeing-of-fh_array.patch serial-8250-add-uart_config-entry-for-port_rt2880.patch staging-speakup-fix-speakup-r-regression.patch tty-fix-stall-caused-by-missing-memory-barrier-in-drivers-tty-n_tty.c.patch xen-blkback-free-requests-on-disconnection.patch --- ...g-between-efi_memory_runtime-regions.patch | 194 ++++++++++++++++++ ...race-fix-function_graph-tracer-panic.patch | 112 ++++++++++ ...eaks-mmap-file-read-random-detection.patch | 48 +++++ ...msung-fix-cpu-clock-s-flags-checking.patch | 78 +++++++ ...ve-hardwired-abe-clock-configuration.patch | 60 ++++++ ...i-fix-dual-registration-of-uart4_ick.patch | 51 +++++ ...ksource-fix-abs-usage-w-64bit-values.patch | 38 ++++ ...ent-crash-on-reading-freqdomain_cpus.patch | 60 ++++++ ...r-when-switching-from-cleaner-policy.patch | 37 ++++ ...m-fix-ab-ba-deadlock-in-__dm_destroy.patch | 63 ++++++ ...read-access-for-controlling-terminal.patch | 80 ++++++++ ...genirq-fix-race-in-register_irq_proc.patch | 76 +++++++ ...b-do-not-re-init-sr-iov-during-probe.patch | 47 +++++ .../m68k-define-asmlinkage_protect.patch | 70 +++++++ ...don-t-pass-1-to-bitmap_storage_alloc.patch | 34 +++ ...ble-clock-inversion-for-hs-mmc-cards.patch | 33 +++ ...-error-handling-of-armada_38x_quirks.patch | 30 +++ ...se-quirk-for-armada-38x-sdhci-driver.patch | 33 +++ ...be-checked-after-dentry-revalidation.patch | 74 +++++++ ...ont-only-napi_synchronize-if-running.patch | 54 +++++ ...caused-by-double-freeing-of-fh_array.patch | 143 +++++++++++++ ...dd-uart_config-entry-for-port_rt2880.patch | 38 ++++ queue-4.2/series | 25 +++ ...ing-speakup-fix-speakup-r-regression.patch | 37 ++++ ...emory-barrier-in-drivers-tty-n_tty.c.patch | 140 +++++++++++++ ...kback-free-requests-on-disconnection.patch | 128 ++++++++++++ 26 files changed, 1783 insertions(+) create mode 100644 queue-4.2/arm64-efi-fix-boot-crash-by-not-padding-between-efi_memory_runtime-regions.patch create mode 100644 queue-4.2/arm64-ftrace-fix-function_graph-tracer-panic.patch create mode 100644 queue-4.2/arm64-readahead-fault-retry-breaks-mmap-file-read-random-detection.patch create mode 100644 queue-4.2/clk-samsung-fix-cpu-clock-s-flags-checking.patch create mode 100644 queue-4.2/clk-ti-clk-7xx-remove-hardwired-abe-clock-configuration.patch create mode 100644 queue-4.2/clk-ti-fix-dual-registration-of-uart4_ick.patch create mode 100644 queue-4.2/clocksource-fix-abs-usage-w-64bit-values.patch create mode 100644 queue-4.2/cpufreq-acpi_cpufreq-prevent-crash-on-reading-freqdomain_cpus.patch create mode 100644 queue-4.2/dm-cache-fix-null-pointer-when-switching-from-cleaner-policy.patch create mode 100644 queue-4.2/dm-fix-ab-ba-deadlock-in-__dm_destroy.patch create mode 100644 queue-4.2/drivers-tty-require-read-access-for-controlling-terminal.patch create mode 100644 queue-4.2/genirq-fix-race-in-register_irq_proc.patch create mode 100644 queue-4.2/igb-do-not-re-init-sr-iov-during-probe.patch create mode 100644 queue-4.2/m68k-define-asmlinkage_protect.patch create mode 100644 queue-4.2/md-bitmap-don-t-pass-1-to-bitmap_storage_alloc.patch create mode 100644 queue-4.2/mmc-sdhci-pxav3-disable-clock-inversion-for-hs-mmc-cards.patch create mode 100644 queue-4.2/mmc-sdhci-pxav3-fix-error-handling-of-armada_38x_quirks.patch create mode 100644 queue-4.2/mmc-sdhci-pxav3-remove-broken-clock-base-quirk-for-armada-38x-sdhci-driver.patch create mode 100644 queue-4.2/namei-results-of-d_is_negative-should-be-checked-after-dentry-revalidation.patch create mode 100644 queue-4.2/net-xen-netfront-only-napi_synchronize-if-running.patch create mode 100644 queue-4.2/nfs-filelayout-fix-null-reference-caused-by-double-freeing-of-fh_array.patch create mode 100644 queue-4.2/serial-8250-add-uart_config-entry-for-port_rt2880.patch create mode 100644 queue-4.2/staging-speakup-fix-speakup-r-regression.patch create mode 100644 queue-4.2/tty-fix-stall-caused-by-missing-memory-barrier-in-drivers-tty-n_tty.c.patch create mode 100644 queue-4.2/xen-blkback-free-requests-on-disconnection.patch diff --git a/queue-4.2/arm64-efi-fix-boot-crash-by-not-padding-between-efi_memory_runtime-regions.patch b/queue-4.2/arm64-efi-fix-boot-crash-by-not-padding-between-efi_memory_runtime-regions.patch new file mode 100644 index 00000000000..9b0526fdfac --- /dev/null +++ b/queue-4.2/arm64-efi-fix-boot-crash-by-not-padding-between-efi_memory_runtime-regions.patch @@ -0,0 +1,194 @@ +From 0ce3cc008ec04258b6a6314b09f1a6012810881a Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Fri, 25 Sep 2015 23:02:19 +0100 +Subject: arm64/efi: Fix boot crash by not padding between EFI_MEMORY_RUNTIME regions + +From: Ard Biesheuvel + +commit 0ce3cc008ec04258b6a6314b09f1a6012810881a upstream. + +The new Properties Table feature introduced in UEFIv2.5 may +split memory regions that cover PE/COFF memory images into +separate code and data regions. Since these regions only differ +in the type (runtime code vs runtime data) and the permission +bits, but not in the memory type attributes (UC/WC/WT/WB), the +spec does not require them to be aligned to 64 KB. + +Since the relative offset of PE/COFF .text and .data segments +cannot be changed on the fly, this means that we can no longer +pad out those regions to be mappable using 64 KB pages. +Unfortunately, there is no annotation in the UEFI memory map +that identifies data regions that were split off from a code +region, so we must apply this logic to all adjacent runtime +regions whose attributes only differ in the permission bits. + +So instead of rounding each memory region to 64 KB alignment at +both ends, only round down regions that are not directly +preceded by another runtime region with the same type +attributes. Since the UEFI spec does not mandate that the memory +map be sorted, this means we also need to sort it first. + +Note that this change will result in all EFI_MEMORY_RUNTIME +regions whose start addresses are not aligned to the OS page +size to be mapped with executable permissions (i.e., on kernels +compiled with 64 KB pages). However, since these mappings are +only active during the time that UEFI Runtime Services are being +invoked, the window for abuse is rather small. + +Tested-by: Mark Salter +Tested-by: Mark Rutland [UEFI 2.4 only] +Signed-off-by: Ard Biesheuvel +Signed-off-by: Matt Fleming +Reviewed-by: Mark Salter +Reviewed-by: Mark Rutland +Cc: Catalin Marinas +Cc: Leif Lindholm +Cc: Linus Torvalds +Cc: Mike Galbraith +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Will Deacon +Cc: linux-kernel@vger.kernel.org +Link: http://lkml.kernel.org/r/1443218539-7610-3-git-send-email-matt@codeblueprint.co.uk +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/efi.c | 3 - + drivers/firmware/efi/libstub/arm-stub.c | 86 ++++++++++++++++++++++++++------ + 2 files changed, 74 insertions(+), 15 deletions(-) + +--- a/arch/arm64/kernel/efi.c ++++ b/arch/arm64/kernel/efi.c +@@ -258,7 +258,8 @@ static bool __init efi_virtmap_init(void + */ + if (!is_normal_ram(md)) + prot = __pgprot(PROT_DEVICE_nGnRE); +- else if (md->type == EFI_RUNTIME_SERVICES_CODE) ++ else if (md->type == EFI_RUNTIME_SERVICES_CODE || ++ !PAGE_ALIGNED(md->phys_addr)) + prot = PAGE_KERNEL_EXEC; + else + prot = PAGE_KERNEL; +--- a/drivers/firmware/efi/libstub/arm-stub.c ++++ b/drivers/firmware/efi/libstub/arm-stub.c +@@ -13,6 +13,7 @@ + */ + + #include ++#include + #include + + #include "efistub.h" +@@ -305,6 +306,44 @@ fail: + */ + #define EFI_RT_VIRTUAL_BASE 0x40000000 + ++static int cmp_mem_desc(const void *l, const void *r) ++{ ++ const efi_memory_desc_t *left = l, *right = r; ++ ++ return (left->phys_addr > right->phys_addr) ? 1 : -1; ++} ++ ++/* ++ * Returns whether region @left ends exactly where region @right starts, ++ * or false if either argument is NULL. ++ */ ++static bool regions_are_adjacent(efi_memory_desc_t *left, ++ efi_memory_desc_t *right) ++{ ++ u64 left_end; ++ ++ if (left == NULL || right == NULL) ++ return false; ++ ++ left_end = left->phys_addr + left->num_pages * EFI_PAGE_SIZE; ++ ++ return left_end == right->phys_addr; ++} ++ ++/* ++ * Returns whether region @left and region @right have compatible memory type ++ * mapping attributes, and are both EFI_MEMORY_RUNTIME regions. ++ */ ++static bool regions_have_compatible_memory_type_attrs(efi_memory_desc_t *left, ++ efi_memory_desc_t *right) ++{ ++ static const u64 mem_type_mask = EFI_MEMORY_WB | EFI_MEMORY_WT | ++ EFI_MEMORY_WC | EFI_MEMORY_UC | ++ EFI_MEMORY_RUNTIME; ++ ++ return ((left->attribute ^ right->attribute) & mem_type_mask) == 0; ++} ++ + /* + * efi_get_virtmap() - create a virtual mapping for the EFI memory map + * +@@ -317,33 +356,52 @@ void efi_get_virtmap(efi_memory_desc_t * + int *count) + { + u64 efi_virt_base = EFI_RT_VIRTUAL_BASE; +- efi_memory_desc_t *out = runtime_map; ++ efi_memory_desc_t *in, *prev = NULL, *out = runtime_map; + int l; + +- for (l = 0; l < map_size; l += desc_size) { +- efi_memory_desc_t *in = (void *)memory_map + l; ++ /* ++ * To work around potential issues with the Properties Table feature ++ * introduced in UEFI 2.5, which may split PE/COFF executable images ++ * in memory into several RuntimeServicesCode and RuntimeServicesData ++ * regions, we need to preserve the relative offsets between adjacent ++ * EFI_MEMORY_RUNTIME regions with the same memory type attributes. ++ * The easiest way to find adjacent regions is to sort the memory map ++ * before traversing it. ++ */ ++ sort(memory_map, map_size / desc_size, desc_size, cmp_mem_desc, NULL); ++ ++ for (l = 0; l < map_size; l += desc_size, prev = in) { + u64 paddr, size; + ++ in = (void *)memory_map + l; + if (!(in->attribute & EFI_MEMORY_RUNTIME)) + continue; + ++ paddr = in->phys_addr; ++ size = in->num_pages * EFI_PAGE_SIZE; ++ + /* + * Make the mapping compatible with 64k pages: this allows + * a 4k page size kernel to kexec a 64k page size kernel and + * vice versa. + */ +- paddr = round_down(in->phys_addr, SZ_64K); +- size = round_up(in->num_pages * EFI_PAGE_SIZE + +- in->phys_addr - paddr, SZ_64K); ++ if (!regions_are_adjacent(prev, in) || ++ !regions_have_compatible_memory_type_attrs(prev, in)) { + +- /* +- * Avoid wasting memory on PTEs by choosing a virtual base that +- * is compatible with section mappings if this region has the +- * appropriate size and physical alignment. (Sections are 2 MB +- * on 4k granule kernels) +- */ +- if (IS_ALIGNED(in->phys_addr, SZ_2M) && size >= SZ_2M) +- efi_virt_base = round_up(efi_virt_base, SZ_2M); ++ paddr = round_down(in->phys_addr, SZ_64K); ++ size += in->phys_addr - paddr; ++ ++ /* ++ * Avoid wasting memory on PTEs by choosing a virtual ++ * base that is compatible with section mappings if this ++ * region has the appropriate size and physical ++ * alignment. (Sections are 2 MB on 4k granule kernels) ++ */ ++ if (IS_ALIGNED(in->phys_addr, SZ_2M) && size >= SZ_2M) ++ efi_virt_base = round_up(efi_virt_base, SZ_2M); ++ else ++ efi_virt_base = round_up(efi_virt_base, SZ_64K); ++ } + + in->virt_addr = efi_virt_base + in->phys_addr - paddr; + efi_virt_base += size; diff --git a/queue-4.2/arm64-ftrace-fix-function_graph-tracer-panic.patch b/queue-4.2/arm64-ftrace-fix-function_graph-tracer-panic.patch new file mode 100644 index 00000000000..d993586f36c --- /dev/null +++ b/queue-4.2/arm64-ftrace-fix-function_graph-tracer-panic.patch @@ -0,0 +1,112 @@ +From ee556d00cf20012e889344a0adbbf809ab5015a3 Mon Sep 17 00:00:00 2001 +From: Li Bin +Date: Wed, 30 Sep 2015 10:49:55 +0800 +Subject: arm64: ftrace: fix function_graph tracer panic + +From: Li Bin + +commit ee556d00cf20012e889344a0adbbf809ab5015a3 upstream. + +When function graph tracer is enabled, the following operation +will trigger panic: + +mount -t debugfs nodev /sys/kernel +echo next_tgid > /sys/kernel/tracing/set_ftrace_filter +echo function_graph > /sys/kernel/tracing/current_tracer +ls /proc/ + +------------[ cut here ]------------ +[ 198.501417] Unable to handle kernel paging request at virtual address cb88537fdc8ba316 +[ 198.506126] pgd = ffffffc008f79000 +[ 198.509363] [cb88537fdc8ba316] *pgd=00000000488c6003, *pud=00000000488c6003, *pmd=0000000000000000 +[ 198.517726] Internal error: Oops: 94000005 [#1] SMP +[ 198.518798] Modules linked in: +[ 198.520582] CPU: 1 PID: 1388 Comm: ls Tainted: G +[ 198.521800] Hardware name: linux,dummy-virt (DT) +[ 198.522852] task: ffffffc0fa9e8000 ti: ffffffc0f9ab0000 task.ti: ffffffc0f9ab0000 +[ 198.524306] PC is at next_tgid+0x30/0x100 +[ 198.525205] LR is at return_to_handler+0x0/0x20 +[ 198.526090] pc : [] lr : [] pstate: 60000145 +[ 198.527392] sp : ffffffc0f9ab3d40 +[ 198.528084] x29: ffffffc0f9ab3d40 x28: ffffffc0f9ab0000 +[ 198.529406] x27: ffffffc000d6a000 x26: ffffffc000b786e8 +[ 198.530659] x25: ffffffc0002a1900 x24: ffffffc0faf16c00 +[ 198.531942] x23: ffffffc0f9ab3ea0 x22: 0000000000000002 +[ 198.533202] x21: ffffffc000d85050 x20: 0000000000000002 +[ 198.534446] x19: 0000000000000002 x18: 0000000000000000 +[ 198.535719] x17: 000000000049fa08 x16: ffffffc000242efc +[ 198.537030] x15: 0000007fa472b54c x14: ffffffffff000000 +[ 198.538347] x13: ffffffc0fada84a0 x12: 0000000000000001 +[ 198.539634] x11: ffffffc0f9ab3d70 x10: ffffffc0f9ab3d70 +[ 198.540915] x9 : ffffffc0000907c0 x8 : ffffffc0f9ab3d40 +[ 198.542215] x7 : 0000002e330f08f0 x6 : 0000000000000015 +[ 198.543508] x5 : 0000000000000f08 x4 : ffffffc0f9835ec0 +[ 198.544792] x3 : cb88537fdc8ba316 x2 : cb88537fdc8ba306 +[ 198.546108] x1 : 0000000000000002 x0 : ffffffc000d85050 +[ 198.547432] +[ 198.547920] Process ls (pid: 1388, stack limit = 0xffffffc0f9ab0020) +[ 198.549170] Stack: (0xffffffc0f9ab3d40 to 0xffffffc0f9ab4000) +[ 198.582568] Call trace: +[ 198.583313] [] next_tgid+0x30/0x100 +[ 198.584359] [] ftrace_graph_caller+0x6c/0x70 +[ 198.585503] [] ftrace_graph_caller+0x6c/0x70 +[ 198.586574] [] ftrace_graph_caller+0x6c/0x70 +[ 198.587660] [] ftrace_graph_caller+0x6c/0x70 +[ 198.588896] Code: aa0003f5 2a0103f4 b4000102 91004043 (885f7c60) +[ 198.591092] ---[ end trace 6a346f8f20949ac8 ]--- + +This is because when using function graph tracer, if the traced +function return value is in multi regs ([x0-x7]), return_to_handler +may corrupt them. So in return_to_handler, the parameter regs should +be protected properly. + +Signed-off-by: Li Bin +Acked-by: AKASHI Takahiro +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/entry-ftrace.S | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +--- a/arch/arm64/kernel/entry-ftrace.S ++++ b/arch/arm64/kernel/entry-ftrace.S +@@ -178,6 +178,24 @@ ENTRY(ftrace_stub) + ENDPROC(ftrace_stub) + + #ifdef CONFIG_FUNCTION_GRAPH_TRACER ++ /* save return value regs*/ ++ .macro save_return_regs ++ sub sp, sp, #64 ++ stp x0, x1, [sp] ++ stp x2, x3, [sp, #16] ++ stp x4, x5, [sp, #32] ++ stp x6, x7, [sp, #48] ++ .endm ++ ++ /* restore return value regs*/ ++ .macro restore_return_regs ++ ldp x0, x1, [sp] ++ ldp x2, x3, [sp, #16] ++ ldp x4, x5, [sp, #32] ++ ldp x6, x7, [sp, #48] ++ add sp, sp, #64 ++ .endm ++ + /* + * void ftrace_graph_caller(void) + * +@@ -204,11 +222,11 @@ ENDPROC(ftrace_graph_caller) + * only when CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST is enabled. + */ + ENTRY(return_to_handler) +- str x0, [sp, #-16]! ++ save_return_regs + mov x0, x29 // parent's fp + bl ftrace_return_to_handler// addr = ftrace_return_to_hander(fp); + mov x30, x0 // restore the original return address +- ldr x0, [sp], #16 ++ restore_return_regs + ret + END(return_to_handler) + #endif /* CONFIG_FUNCTION_GRAPH_TRACER */ diff --git a/queue-4.2/arm64-readahead-fault-retry-breaks-mmap-file-read-random-detection.patch b/queue-4.2/arm64-readahead-fault-retry-breaks-mmap-file-read-random-detection.patch new file mode 100644 index 00000000000..9b9c8cb2758 --- /dev/null +++ b/queue-4.2/arm64-readahead-fault-retry-breaks-mmap-file-read-random-detection.patch @@ -0,0 +1,48 @@ +From 569ba74a7ba69f46ce2950bf085b37fea2408385 Mon Sep 17 00:00:00 2001 +From: Mark Salyzyn +Date: Mon, 21 Sep 2015 21:39:50 +0100 +Subject: arm64: readahead: fault retry breaks mmap file read random detection + +From: Mark Salyzyn + +commit 569ba74a7ba69f46ce2950bf085b37fea2408385 upstream. + +This is the arm64 portion of commit 45cac65b0fcd ("readahead: fault +retry breaks mmap file read random detection"), which was absent from +the initial port and has since gone unnoticed. The original commit says: + +> .fault now can retry. The retry can break state machine of .fault. In +> filemap_fault, if page is miss, ra->mmap_miss is increased. In the second +> try, since the page is in page cache now, ra->mmap_miss is decreased. And +> these are done in one fault, so we can't detect random mmap file access. +> +> Add a new flag to indicate .fault is tried once. In the second try, skip +> ra->mmap_miss decreasing. The filemap_fault state machine is ok with it. + +With this change, Mark reports that: + +> Random read improves by 250%, sequential read improves by 40%, and +> random write by 400% to an eMMC device with dm crypto wrapped around it. + +Cc: Shaohua Li +Cc: Rik van Riel +Cc: Wu Fengguang +Signed-off-by: Mark Salyzyn +Signed-off-by: Riley Andrews +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/mm/fault.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/mm/fault.c ++++ b/arch/arm64/mm/fault.c +@@ -278,6 +278,7 @@ retry: + * starvation. + */ + mm_flags &= ~FAULT_FLAG_ALLOW_RETRY; ++ mm_flags |= FAULT_FLAG_TRIED; + goto retry; + } + } diff --git a/queue-4.2/clk-samsung-fix-cpu-clock-s-flags-checking.patch b/queue-4.2/clk-samsung-fix-cpu-clock-s-flags-checking.patch new file mode 100644 index 00000000000..ed2b2d14a72 --- /dev/null +++ b/queue-4.2/clk-samsung-fix-cpu-clock-s-flags-checking.patch @@ -0,0 +1,78 @@ +From 9e294bf88a583825a413df408b9fe9e658fb93ac Mon Sep 17 00:00:00 2001 +From: Bartlomiej Zolnierkiewicz +Date: Fri, 28 Aug 2015 13:49:35 +0200 +Subject: clk: samsung: fix cpu clock's flags checking + +From: Bartlomiej Zolnierkiewicz + +commit 9e294bf88a583825a413df408b9fe9e658fb93ac upstream. + +CLK_CPU_HAS_DIV1 and CLK_CPU_NEEDS_DEBUG_ALT_DIV masks were +incorrectly used as a bit numbers. Fix it. + +Tested on Exynos4210 based Origen board and on Exynos5250 based +Arndale board. + +Cc: Tomasz Figa +Cc: Michael Turquette +Cc: Thomas Abraham +Fixes: ddeac8d96 ("clk: samsung: add infrastructure to register cpu clocks") +Reported-by: Dan Carpenter +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Javier Martinez Canillas +Acked-by: Sylwester Nawrocki +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/samsung/clk-cpu.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/clk/samsung/clk-cpu.c ++++ b/drivers/clk/samsung/clk-cpu.c +@@ -161,7 +161,7 @@ static int exynos_cpuclk_pre_rate_change + * the values for DIV_COPY and DIV_HPM dividers need not be set. + */ + div0 = cfg_data->div0; +- if (test_bit(CLK_CPU_HAS_DIV1, &cpuclk->flags)) { ++ if (cpuclk->flags & CLK_CPU_HAS_DIV1) { + div1 = cfg_data->div1; + if (readl(base + E4210_SRC_CPU) & E4210_MUX_HPM_MASK) + div1 = readl(base + E4210_DIV_CPU1) & +@@ -182,7 +182,7 @@ static int exynos_cpuclk_pre_rate_change + alt_div = DIV_ROUND_UP(alt_prate, tmp_rate) - 1; + WARN_ON(alt_div >= MAX_DIV); + +- if (test_bit(CLK_CPU_NEEDS_DEBUG_ALT_DIV, &cpuclk->flags)) { ++ if (cpuclk->flags & CLK_CPU_NEEDS_DEBUG_ALT_DIV) { + /* + * In Exynos4210, ATB clock parent is also mout_core. So + * ATB clock also needs to be mantained at safe speed. +@@ -203,7 +203,7 @@ static int exynos_cpuclk_pre_rate_change + writel(div0, base + E4210_DIV_CPU0); + wait_until_divider_stable(base + E4210_DIV_STAT_CPU0, DIV_MASK_ALL); + +- if (test_bit(CLK_CPU_HAS_DIV1, &cpuclk->flags)) { ++ if (cpuclk->flags & CLK_CPU_HAS_DIV1) { + writel(div1, base + E4210_DIV_CPU1); + wait_until_divider_stable(base + E4210_DIV_STAT_CPU1, + DIV_MASK_ALL); +@@ -222,7 +222,7 @@ static int exynos_cpuclk_post_rate_chang + unsigned long mux_reg; + + /* find out the divider values to use for clock data */ +- if (test_bit(CLK_CPU_NEEDS_DEBUG_ALT_DIV, &cpuclk->flags)) { ++ if (cpuclk->flags & CLK_CPU_NEEDS_DEBUG_ALT_DIV) { + while ((cfg_data->prate * 1000) != ndata->new_rate) { + if (cfg_data->prate == 0) + return -EINVAL; +@@ -237,7 +237,7 @@ static int exynos_cpuclk_post_rate_chang + writel(mux_reg & ~(1 << 16), base + E4210_SRC_CPU); + wait_until_mux_stable(base + E4210_STAT_CPU, 16, 1); + +- if (test_bit(CLK_CPU_NEEDS_DEBUG_ALT_DIV, &cpuclk->flags)) { ++ if (cpuclk->flags & CLK_CPU_NEEDS_DEBUG_ALT_DIV) { + div |= (cfg_data->div0 & E4210_DIV0_ATB_MASK); + div_mask |= E4210_DIV0_ATB_MASK; + } diff --git a/queue-4.2/clk-ti-clk-7xx-remove-hardwired-abe-clock-configuration.patch b/queue-4.2/clk-ti-clk-7xx-remove-hardwired-abe-clock-configuration.patch new file mode 100644 index 00000000000..038cb7aa285 --- /dev/null +++ b/queue-4.2/clk-ti-clk-7xx-remove-hardwired-abe-clock-configuration.patch @@ -0,0 +1,60 @@ +From 4b3061b39132cba0c31b0eb767a9faeedf9437fc Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Mon, 24 Aug 2015 10:35:02 +0300 +Subject: clk: ti: clk-7xx: Remove hardwired ABE clock configuration + +From: Peter Ujfalusi + +commit 4b3061b39132cba0c31b0eb767a9faeedf9437fc upstream. + +The ABE related clocks should be configured via DT and not have it wired +inside of the kernel. + +Fixes: a74c52def9ab ("clk: ti: clk-7xx: Correct ABE DPLL configuration") +Signed-off-by: Peter Ujfalusi +Signed-off-by: Tero Kristo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/ti/clk-7xx.c | 18 +----------------- + 1 file changed, 1 insertion(+), 17 deletions(-) + +--- a/drivers/clk/ti/clk-7xx.c ++++ b/drivers/clk/ti/clk-7xx.c +@@ -16,7 +16,6 @@ + #include + #include + +-#define DRA7_DPLL_ABE_DEFFREQ 180633600 + #define DRA7_DPLL_GMAC_DEFFREQ 1000000000 + #define DRA7_DPLL_USB_DEFFREQ 960000000 + +@@ -312,27 +311,12 @@ static struct ti_dt_clk dra7xx_clks[] = + int __init dra7xx_dt_clk_init(void) + { + int rc; +- struct clk *abe_dpll_mux, *sys_clkin2, *dpll_ck, *hdcp_ck; ++ struct clk *dpll_ck, *hdcp_ck; + + ti_dt_clocks_register(dra7xx_clks); + + omap2_clk_disable_autoidle_all(); + +- abe_dpll_mux = clk_get_sys(NULL, "abe_dpll_sys_clk_mux"); +- sys_clkin2 = clk_get_sys(NULL, "sys_clkin2"); +- dpll_ck = clk_get_sys(NULL, "dpll_abe_ck"); +- +- rc = clk_set_parent(abe_dpll_mux, sys_clkin2); +- if (!rc) +- rc = clk_set_rate(dpll_ck, DRA7_DPLL_ABE_DEFFREQ); +- if (rc) +- pr_err("%s: failed to configure ABE DPLL!\n", __func__); +- +- dpll_ck = clk_get_sys(NULL, "dpll_abe_m2x2_ck"); +- rc = clk_set_rate(dpll_ck, DRA7_DPLL_ABE_DEFFREQ * 2); +- if (rc) +- pr_err("%s: failed to configure ABE DPLL m2x2!\n", __func__); +- + dpll_ck = clk_get_sys(NULL, "dpll_gmac_ck"); + rc = clk_set_rate(dpll_ck, DRA7_DPLL_GMAC_DEFFREQ); + if (rc) diff --git a/queue-4.2/clk-ti-fix-dual-registration-of-uart4_ick.patch b/queue-4.2/clk-ti-fix-dual-registration-of-uart4_ick.patch new file mode 100644 index 00000000000..53eeb12417e --- /dev/null +++ b/queue-4.2/clk-ti-fix-dual-registration-of-uart4_ick.patch @@ -0,0 +1,51 @@ +From 19e79687de22f23bcfb5e79cce3daba20af228d1 Mon Sep 17 00:00:00 2001 +From: Ben Dooks +Date: Tue, 29 Sep 2015 15:01:08 +0100 +Subject: clk: ti: fix dual-registration of uart4_ick + +From: Ben Dooks + +commit 19e79687de22f23bcfb5e79cce3daba20af228d1 upstream. + +On the OMAP AM3517 platform the uart4_ick gets registered +twice, causing any power management to /dev/ttyO3 to fail +when trying to wake the device up. + +This solves the following oops: + +[] Unhandled fault: external abort on non-linefetch (0x1028) at 0xfa09e008 +[] PC is at serial_omap_pm+0x48/0x15c +[] LR is at _raw_spin_unlock_irqrestore+0x30/0x5c + +Fixes: aafd900cab87 ("CLK: TI: add omap3 clock init file") +Cc: mturquette@baylibre.com +Cc: sboyd@codeaurora.org +Cc: linux-clk@vger.kernel.org +Cc: linux-omap@vger.kernel.org +Cc: linux-kernel@lists.codethink.co.uk +Signed-off-by: Ben Dooks +Signed-off-by: Tero Kristo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/ti/clk-3xxx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/ti/clk-3xxx.c ++++ b/drivers/clk/ti/clk-3xxx.c +@@ -163,7 +163,6 @@ static struct ti_dt_clk omap3xxx_clks[] + DT_CLK(NULL, "gpio2_ick", "gpio2_ick"), + DT_CLK(NULL, "wdt3_ick", "wdt3_ick"), + DT_CLK(NULL, "uart3_ick", "uart3_ick"), +- DT_CLK(NULL, "uart4_ick", "uart4_ick"), + DT_CLK(NULL, "gpt9_ick", "gpt9_ick"), + DT_CLK(NULL, "gpt8_ick", "gpt8_ick"), + DT_CLK(NULL, "gpt7_ick", "gpt7_ick"), +@@ -308,6 +307,7 @@ static struct ti_dt_clk am35xx_clks[] = + static struct ti_dt_clk omap36xx_clks[] = { + DT_CLK(NULL, "omap_192m_alwon_fck", "omap_192m_alwon_fck"), + DT_CLK(NULL, "uart4_fck", "uart4_fck"), ++ DT_CLK(NULL, "uart4_ick", "uart4_ick"), + { .node_name = NULL }, + }; + diff --git a/queue-4.2/clocksource-fix-abs-usage-w-64bit-values.patch b/queue-4.2/clocksource-fix-abs-usage-w-64bit-values.patch new file mode 100644 index 00000000000..53427f69b20 --- /dev/null +++ b/queue-4.2/clocksource-fix-abs-usage-w-64bit-values.patch @@ -0,0 +1,38 @@ +From 67dfae0cd72fec5cd158b6e5fb1647b7dbe0834c Mon Sep 17 00:00:00 2001 +From: John Stultz +Date: Mon, 14 Sep 2015 18:05:20 -0700 +Subject: clocksource: Fix abs() usage w/ 64bit values + +From: John Stultz + +commit 67dfae0cd72fec5cd158b6e5fb1647b7dbe0834c upstream. + +This patch fixes one cases where abs() was being used with 64-bit +nanosecond values, where the result may be capped at 32-bits. + +This potentially could cause watchdog false negatives on 32-bit +systems, so this patch addresses the issue by using abs64(). + +Signed-off-by: John Stultz +Cc: Prarit Bhargava +Cc: Richard Cochran +Cc: Ingo Molnar +Link: http://lkml.kernel.org/r/1442279124-7309-2-git-send-email-john.stultz@linaro.org +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/clocksource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/time/clocksource.c ++++ b/kernel/time/clocksource.c +@@ -217,7 +217,7 @@ static void clocksource_watchdog(unsigne + continue; + + /* Check the deviation from the watchdog clocksource. */ +- if ((abs(cs_nsec - wd_nsec) > WATCHDOG_THRESHOLD)) { ++ if (abs64(cs_nsec - wd_nsec) > WATCHDOG_THRESHOLD) { + pr_warn("timekeeping watchdog: Marking clocksource '%s' as unstable because the skew is too large:\n", + cs->name); + pr_warn(" '%s' wd_now: %llx wd_last: %llx mask: %llx\n", diff --git a/queue-4.2/cpufreq-acpi_cpufreq-prevent-crash-on-reading-freqdomain_cpus.patch b/queue-4.2/cpufreq-acpi_cpufreq-prevent-crash-on-reading-freqdomain_cpus.patch new file mode 100644 index 00000000000..2a306d56101 --- /dev/null +++ b/queue-4.2/cpufreq-acpi_cpufreq-prevent-crash-on-reading-freqdomain_cpus.patch @@ -0,0 +1,60 @@ +From e25303676e18a7947185a34e26dd08cf0c0ea573 Mon Sep 17 00:00:00 2001 +From: Srinivas Pandruvada +Date: Wed, 7 Oct 2015 13:50:43 -0700 +Subject: cpufreq: acpi_cpufreq: prevent crash on reading freqdomain_cpus + +From: Srinivas Pandruvada + +commit e25303676e18a7947185a34e26dd08cf0c0ea573 upstream. + +When freqdomain_cpus attribute is read from an offlined cpu, it will +cause crash. This change prevents calling cpufreq_show_cpus when +policy driver_data is NULL. + +Crash info: + +[ 170.814949] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 +[ 170.814990] IP: [] _find_next_bit.part.0+0x10/0x70 +[ 170.815021] PGD 227d30067 PUD 229e56067 PMD 0 +[ 170.815043] Oops: 0000 [#2] SMP +[ 170.816022] CPU: 3 PID: 3121 Comm: cat Tainted: G D OE 4.3.0-rc3+ #33 +... +... +[ 170.816657] Call Trace: +[ 170.816672] [] ? find_next_bit+0x15/0x20 +[ 170.816696] [] cpufreq_show_cpus+0x5c/0xd0 +[ 170.816722] [] show_freqdomain_cpus+0x19/0x20 [acpi_cpufreq] +[ 170.816749] [] show+0x3b/0x60 +[ 170.816769] [] sysfs_kf_seq_show+0xbc/0x130 +[ 170.816793] [] kernfs_seq_show+0x23/0x30 +[ 170.816816] [] seq_read+0xec/0x390 +[ 170.816837] [] kernfs_fop_read+0x10a/0x160 +[ 170.816861] [] __vfs_read+0x37/0x100 +[ 170.816883] [] ? security_file_permission+0xa0/0xc0 +[ 170.816909] [] vfs_read+0x83/0x130 +[ 170.816930] [] SyS_read+0x55/0xc0 +... +... +[ 170.817185] ---[ end trace bc6eadf82b2b965a ]--- + +Signed-off-by: Srinivas Pandruvada +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/acpi-cpufreq.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/cpufreq/acpi-cpufreq.c ++++ b/drivers/cpufreq/acpi-cpufreq.c +@@ -146,6 +146,9 @@ static ssize_t show_freqdomain_cpus(stru + { + struct acpi_cpufreq_data *data = per_cpu(acfreq_data, policy->cpu); + ++ if (unlikely(!data)) ++ return -ENODEV; ++ + return cpufreq_show_cpus(data->freqdomain_cpus, buf); + } + diff --git a/queue-4.2/dm-cache-fix-null-pointer-when-switching-from-cleaner-policy.patch b/queue-4.2/dm-cache-fix-null-pointer-when-switching-from-cleaner-policy.patch new file mode 100644 index 00000000000..bb9a47c94fd --- /dev/null +++ b/queue-4.2/dm-cache-fix-null-pointer-when-switching-from-cleaner-policy.patch @@ -0,0 +1,37 @@ +From 2bffa1503c5c06192eb1459180fac4416575a966 Mon Sep 17 00:00:00 2001 +From: Joe Thornber +Date: Fri, 9 Oct 2015 14:03:38 +0100 +Subject: dm cache: fix NULL pointer when switching from cleaner policy + +From: Joe Thornber + +commit 2bffa1503c5c06192eb1459180fac4416575a966 upstream. + +The cleaner policy doesn't make use of the per cache block hint space in +the metadata (unlike the other policies). When switching from the +cleaner policy to mq or smq a NULL pointer crash (in dm_tm_new_block) +was observed. The crash was caused by bugs in dm-cache-metadata.c +when trying to skip creation of the hint btree. + +The minimal fix is to change hint size for the cleaner policy to 4 bytes +(only hint size supported). + +Signed-off-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-cache-policy-cleaner.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-cache-policy-cleaner.c ++++ b/drivers/md/dm-cache-policy-cleaner.c +@@ -436,7 +436,7 @@ static struct dm_cache_policy *wb_create + static struct dm_cache_policy_type wb_policy_type = { + .name = "cleaner", + .version = {1, 0, 0}, +- .hint_size = 0, ++ .hint_size = 4, + .owner = THIS_MODULE, + .create = wb_create + }; diff --git a/queue-4.2/dm-fix-ab-ba-deadlock-in-__dm_destroy.patch b/queue-4.2/dm-fix-ab-ba-deadlock-in-__dm_destroy.patch new file mode 100644 index 00000000000..006ae30f7bf --- /dev/null +++ b/queue-4.2/dm-fix-ab-ba-deadlock-in-__dm_destroy.patch @@ -0,0 +1,63 @@ +From 2a708cff93f1845b9239bc7d6310aef54e716c6a Mon Sep 17 00:00:00 2001 +From: Junichi Nomura +Date: Thu, 1 Oct 2015 08:31:51 +0000 +Subject: dm: fix AB-BA deadlock in __dm_destroy() + +From: Junichi Nomura + +commit 2a708cff93f1845b9239bc7d6310aef54e716c6a upstream. + +__dm_destroy() takes io_barrier SRCU lock (dm_get_live_table) and +suspend_lock in reverse order. Doing so can cause AB-BA deadlock: + + __dm_destroy dm_swap_table + --------------------------------------------------- + mutex_lock(suspend_lock) + dm_get_live_table() + srcu_read_lock(io_barrier) + dm_sync_table() + synchronize_srcu(io_barrier) + .. waiting for dm_put_live_table() + mutex_lock(suspend_lock) + .. waiting for suspend_lock + +Fix this by taking the locks in proper order. + +Signed-off-by: Jun'ichi Nomura +Fixes: ab7c7bb6f4ab ("dm: hold suspend_lock while suspending device during device deletion") +Acked-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -2952,8 +2952,6 @@ static void __dm_destroy(struct mapped_d + + might_sleep(); + +- map = dm_get_live_table(md, &srcu_idx); +- + spin_lock(&_minor_lock); + idr_replace(&_minor_idr, MINOR_ALLOCED, MINOR(disk_devt(dm_disk(md)))); + set_bit(DMF_FREEING, &md->flags); +@@ -2967,14 +2965,14 @@ static void __dm_destroy(struct mapped_d + * do not race with internal suspend. + */ + mutex_lock(&md->suspend_lock); ++ map = dm_get_live_table(md, &srcu_idx); + if (!dm_suspended_md(md)) { + dm_table_presuspend_targets(map); + dm_table_postsuspend_targets(map); + } +- mutex_unlock(&md->suspend_lock); +- + /* dm_put_live_table must be before msleep, otherwise deadlock is possible */ + dm_put_live_table(md, srcu_idx); ++ mutex_unlock(&md->suspend_lock); + + /* + * Rare, but there may be I/O requests still going to complete, diff --git a/queue-4.2/drivers-tty-require-read-access-for-controlling-terminal.patch b/queue-4.2/drivers-tty-require-read-access-for-controlling-terminal.patch new file mode 100644 index 00000000000..c696a44b10c --- /dev/null +++ b/queue-4.2/drivers-tty-require-read-access-for-controlling-terminal.patch @@ -0,0 +1,80 @@ +From 0c55627167870255158db1cde0d28366f91c8872 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Sun, 4 Oct 2015 19:29:12 +0200 +Subject: drivers/tty: require read access for controlling terminal + +From: Jann Horn + +commit 0c55627167870255158db1cde0d28366f91c8872 upstream. + +This is mostly a hardening fix, given that write-only access to other +users' ttys is usually only given through setgid tty executables. + +Signed-off-by: Jann Horn +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_io.c | 31 +++++++++++++++++++++++++++---- + 1 file changed, 27 insertions(+), 4 deletions(-) + +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -2136,8 +2136,24 @@ retry_open: + if (!noctty && + current->signal->leader && + !current->signal->tty && +- tty->session == NULL) +- __proc_set_tty(tty); ++ tty->session == NULL) { ++ /* ++ * Don't let a process that only has write access to the tty ++ * obtain the privileges associated with having a tty as ++ * controlling terminal (being able to reopen it with full ++ * access through /dev/tty, being able to perform pushback). ++ * Many distributions set the group of all ttys to "tty" and ++ * grant write-only access to all terminals for setgid tty ++ * binaries, which should not imply full privileges on all ttys. ++ * ++ * This could theoretically break old code that performs open() ++ * on a write-only file descriptor. In that case, it might be ++ * necessary to also permit this if ++ * inode_permission(inode, MAY_READ) == 0. ++ */ ++ if (filp->f_mode & FMODE_READ) ++ __proc_set_tty(tty); ++ } + spin_unlock_irq(¤t->sighand->siglock); + read_unlock(&tasklist_lock); + tty_unlock(tty); +@@ -2426,7 +2442,7 @@ static int fionbio(struct file *file, in + * Takes ->siglock() when updating signal->tty + */ + +-static int tiocsctty(struct tty_struct *tty, int arg) ++static int tiocsctty(struct tty_struct *tty, struct file *file, int arg) + { + int ret = 0; + +@@ -2460,6 +2476,13 @@ static int tiocsctty(struct tty_struct * + goto unlock; + } + } ++ ++ /* See the comment in tty_open(). */ ++ if ((file->f_mode & FMODE_READ) == 0 && !capable(CAP_SYS_ADMIN)) { ++ ret = -EPERM; ++ goto unlock; ++ } ++ + proc_set_tty(tty); + unlock: + read_unlock(&tasklist_lock); +@@ -2852,7 +2875,7 @@ long tty_ioctl(struct file *file, unsign + no_tty(); + return 0; + case TIOCSCTTY: +- return tiocsctty(tty, arg); ++ return tiocsctty(tty, file, arg); + case TIOCGPGRP: + return tiocgpgrp(tty, real_tty, p); + case TIOCSPGRP: diff --git a/queue-4.2/genirq-fix-race-in-register_irq_proc.patch b/queue-4.2/genirq-fix-race-in-register_irq_proc.patch new file mode 100644 index 00000000000..b5b8362347c --- /dev/null +++ b/queue-4.2/genirq-fix-race-in-register_irq_proc.patch @@ -0,0 +1,76 @@ +From 95c2b17534654829db428f11bcf4297c059a2a7e Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Sat, 26 Sep 2015 12:23:56 +0100 +Subject: genirq: Fix race in register_irq_proc() + +From: Ben Hutchings + +commit 95c2b17534654829db428f11bcf4297c059a2a7e upstream. + +Per-IRQ directories in procfs are created only when a handler is first +added to the irqdesc, not when the irqdesc is created. In the case of +a shared IRQ, multiple tasks can race to create a directory. This +race condition seems to have been present forever, but is easier to +hit with async probing. + +Signed-off-by: Ben Hutchings +Link: http://lkml.kernel.org/r/1443266636.2004.2.camel@decadent.org.uk +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/irq/proc.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/kernel/irq/proc.c ++++ b/kernel/irq/proc.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + + #include "internals.h" + +@@ -323,18 +324,29 @@ void register_handler_proc(unsigned int + + void register_irq_proc(unsigned int irq, struct irq_desc *desc) + { ++ static DEFINE_MUTEX(register_lock); + char name [MAX_NAMELEN]; + +- if (!root_irq_dir || (desc->irq_data.chip == &no_irq_chip) || desc->dir) ++ if (!root_irq_dir || (desc->irq_data.chip == &no_irq_chip)) + return; + ++ /* ++ * irq directories are registered only when a handler is ++ * added, not when the descriptor is created, so multiple ++ * tasks might try to register at the same time. ++ */ ++ mutex_lock(®ister_lock); ++ ++ if (desc->dir) ++ goto out_unlock; ++ + memset(name, 0, MAX_NAMELEN); + sprintf(name, "%d", irq); + + /* create /proc/irq/1234 */ + desc->dir = proc_mkdir(name, root_irq_dir); + if (!desc->dir) +- return; ++ goto out_unlock; + + #ifdef CONFIG_SMP + /* create /proc/irq//smp_affinity */ +@@ -355,6 +367,9 @@ void register_irq_proc(unsigned int irq, + + proc_create_data("spurious", 0444, desc->dir, + &irq_spurious_proc_fops, (void *)(long)irq); ++ ++out_unlock: ++ mutex_unlock(®ister_lock); + } + + void unregister_irq_proc(unsigned int irq, struct irq_desc *desc) diff --git a/queue-4.2/igb-do-not-re-init-sr-iov-during-probe.patch b/queue-4.2/igb-do-not-re-init-sr-iov-during-probe.patch new file mode 100644 index 00000000000..955ff04b178 --- /dev/null +++ b/queue-4.2/igb-do-not-re-init-sr-iov-during-probe.patch @@ -0,0 +1,47 @@ +From 6423fc34160939142d72ffeaa2db6408317f54df Mon Sep 17 00:00:00 2001 +From: Stefan Assmann +Date: Fri, 10 Jul 2015 15:01:12 +0200 +Subject: igb: do not re-init SR-IOV during probe + +From: Stefan Assmann + +commit 6423fc34160939142d72ffeaa2db6408317f54df upstream. + +During driver probing the following code path is triggered. +igb_probe +->igb_sw_init + ->igb_probe_vfs + ->igb_pci_enable_sriov + ->igb_sriov_reinit + +Doing the SR-IOV re-init is not necessary during probing since we're +starting from scratch. Here we can call igb_enable_sriov() right away. + +Running igb_sriov_reinit() during igb_probe() also seems to cause +occasional packet loss on some onboard 82576 NICs. Reproduced on +Dell and HP servers with onboard 82576 NICs. +Example: +Intel Corporation 82576 Gigabit Network Connection [8086:10c9] (rev 01) +Subsystem: Dell Device [1028:0481] + +Signed-off-by: Stefan Assmann +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Cc: Daniel J Blueman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/igb/igb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -2851,7 +2851,7 @@ static void igb_probe_vfs(struct igb_ada + return; + + pci_sriov_set_totalvfs(pdev, 7); +- igb_pci_enable_sriov(pdev, max_vfs); ++ igb_enable_sriov(pdev, max_vfs); + + #endif /* CONFIG_PCI_IOV */ + } diff --git a/queue-4.2/m68k-define-asmlinkage_protect.patch b/queue-4.2/m68k-define-asmlinkage_protect.patch new file mode 100644 index 00000000000..e284c30de41 --- /dev/null +++ b/queue-4.2/m68k-define-asmlinkage_protect.patch @@ -0,0 +1,70 @@ +From 8474ba74193d302e8340dddd1e16c85cc4b98caf Mon Sep 17 00:00:00 2001 +From: Andreas Schwab +Date: Wed, 23 Sep 2015 23:12:09 +0200 +Subject: m68k: Define asmlinkage_protect + +From: Andreas Schwab + +commit 8474ba74193d302e8340dddd1e16c85cc4b98caf upstream. + +Make sure the compiler does not modify arguments of syscall functions. +This can happen if the compiler generates a tailcall to another +function. For example, without asmlinkage_protect sys_openat is compiled +into this function: + +sys_openat: + clr.l %d0 + move.w 18(%sp),%d0 + move.l %d0,16(%sp) + jbra do_sys_open + +Note how the fourth argument is modified in place, modifying the register +%d4 that gets restored from this stack slot when the function returns to +user-space. The caller may expect the register to be unmodified across +system calls. + +Signed-off-by: Andreas Schwab +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman + +--- + arch/m68k/include/asm/linkage.h | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +--- a/arch/m68k/include/asm/linkage.h ++++ b/arch/m68k/include/asm/linkage.h +@@ -4,4 +4,34 @@ + #define __ALIGN .align 4 + #define __ALIGN_STR ".align 4" + ++/* ++ * Make sure the compiler doesn't do anything stupid with the ++ * arguments on the stack - they are owned by the *caller*, not ++ * the callee. This just fools gcc into not spilling into them, ++ * and keeps it from doing tailcall recursion and/or using the ++ * stack slots for temporaries, since they are live and "used" ++ * all the way to the end of the function. ++ */ ++#define asmlinkage_protect(n, ret, args...) \ ++ __asmlinkage_protect##n(ret, ##args) ++#define __asmlinkage_protect_n(ret, args...) \ ++ __asm__ __volatile__ ("" : "=r" (ret) : "0" (ret), ##args) ++#define __asmlinkage_protect0(ret) \ ++ __asmlinkage_protect_n(ret) ++#define __asmlinkage_protect1(ret, arg1) \ ++ __asmlinkage_protect_n(ret, "m" (arg1)) ++#define __asmlinkage_protect2(ret, arg1, arg2) \ ++ __asmlinkage_protect_n(ret, "m" (arg1), "m" (arg2)) ++#define __asmlinkage_protect3(ret, arg1, arg2, arg3) \ ++ __asmlinkage_protect_n(ret, "m" (arg1), "m" (arg2), "m" (arg3)) ++#define __asmlinkage_protect4(ret, arg1, arg2, arg3, arg4) \ ++ __asmlinkage_protect_n(ret, "m" (arg1), "m" (arg2), "m" (arg3), \ ++ "m" (arg4)) ++#define __asmlinkage_protect5(ret, arg1, arg2, arg3, arg4, arg5) \ ++ __asmlinkage_protect_n(ret, "m" (arg1), "m" (arg2), "m" (arg3), \ ++ "m" (arg4), "m" (arg5)) ++#define __asmlinkage_protect6(ret, arg1, arg2, arg3, arg4, arg5, arg6) \ ++ __asmlinkage_protect_n(ret, "m" (arg1), "m" (arg2), "m" (arg3), \ ++ "m" (arg4), "m" (arg5), "m" (arg6)) ++ + #endif diff --git a/queue-4.2/md-bitmap-don-t-pass-1-to-bitmap_storage_alloc.patch b/queue-4.2/md-bitmap-don-t-pass-1-to-bitmap_storage_alloc.patch new file mode 100644 index 00000000000..db9b0dffce2 --- /dev/null +++ b/queue-4.2/md-bitmap-don-t-pass-1-to-bitmap_storage_alloc.patch @@ -0,0 +1,34 @@ +From da6fb7a9e5bd6f04f7e15070f630bdf1ea502841 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Thu, 1 Oct 2015 16:03:38 +1000 +Subject: md/bitmap: don't pass -1 to bitmap_storage_alloc. + +From: NeilBrown + +commit da6fb7a9e5bd6f04f7e15070f630bdf1ea502841 upstream. + +Passing -1 to bitmap_storage_alloc() causes page->index to be set to +-1, which is quite problematic. + +So only pass ->cluster_slot if mddev_is_clustered(). + +Fixes: b97e92574c0b ("Use separate bitmaps for each nodes in the cluster") +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bitmap.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/bitmap.c ++++ b/drivers/md/bitmap.c +@@ -1997,7 +1997,8 @@ int bitmap_resize(struct bitmap *bitmap, + if (bitmap->mddev->bitmap_info.offset || bitmap->mddev->bitmap_info.file) + ret = bitmap_storage_alloc(&store, chunks, + !bitmap->mddev->bitmap_info.external, +- bitmap->cluster_slot); ++ mddev_is_clustered(bitmap->mddev) ++ ? bitmap->cluster_slot : 0); + if (ret) + goto err; + diff --git a/queue-4.2/mmc-sdhci-pxav3-disable-clock-inversion-for-hs-mmc-cards.patch b/queue-4.2/mmc-sdhci-pxav3-disable-clock-inversion-for-hs-mmc-cards.patch new file mode 100644 index 00000000000..5d05d574d18 --- /dev/null +++ b/queue-4.2/mmc-sdhci-pxav3-disable-clock-inversion-for-hs-mmc-cards.patch @@ -0,0 +1,33 @@ +From fa7964147da57b2d40c2db2b6ed98fb7dc934bff Mon Sep 17 00:00:00 2001 +From: Nadav Haklai +Date: Tue, 6 Oct 2015 03:22:36 +0200 +Subject: mmc: sdhci-pxav3: disable clock inversion for HS MMC cards + +From: Nadav Haklai + +commit fa7964147da57b2d40c2db2b6ed98fb7dc934bff upstream. + +According to 'FE-2946959' erratum the clock inversion option is +needed to support slow frequencies when the card input hold time +requirement is high. This setting is not required for high speed +MMC and might cause timing violation. + +Signed-off-by: Nadav Haklai +Reviewed-by: Gregory CLEMENT +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +diff --git a/drivers/mmc/host/sdhci-pxav3.c b/drivers/mmc/host/sdhci-pxav3.c +index 976cddd6d157..89a9e49e2ea8 100644 +--- a/drivers/mmc/host/sdhci-pxav3.c ++++ b/drivers/mmc/host/sdhci-pxav3.c +@@ -291,6 +291,9 @@ static void pxav3_set_uhs_signaling(struct sdhci_host *host, unsigned int uhs) + uhs == MMC_TIMING_UHS_DDR50) { + reg_val &= ~SDIO3_CONF_CLK_INV; + reg_val |= SDIO3_CONF_SD_FB_CLK; ++ } else if (uhs == MMC_TIMING_MMC_HS) { ++ reg_val &= ~SDIO3_CONF_CLK_INV; ++ reg_val &= ~SDIO3_CONF_SD_FB_CLK; + } else { + reg_val |= SDIO3_CONF_CLK_INV; + reg_val &= ~SDIO3_CONF_SD_FB_CLK; diff --git a/queue-4.2/mmc-sdhci-pxav3-fix-error-handling-of-armada_38x_quirks.patch b/queue-4.2/mmc-sdhci-pxav3-fix-error-handling-of-armada_38x_quirks.patch new file mode 100644 index 00000000000..b8b20c15888 --- /dev/null +++ b/queue-4.2/mmc-sdhci-pxav3-fix-error-handling-of-armada_38x_quirks.patch @@ -0,0 +1,30 @@ +From 2162d9f41e7c4778b96b8e3b97adcedbadc861f1 Mon Sep 17 00:00:00 2001 +From: Marcin Wojtas +Date: Tue, 6 Oct 2015 03:22:37 +0200 +Subject: mmc: sdhci-pxav3: fix error handling of armada_38x_quirks + +From: Marcin Wojtas + +commit 2162d9f41e7c4778b96b8e3b97adcedbadc861f1 upstream. + +In case of armada_38x_quirks error, all clocks should be cleaned-up, same +as after mv_conf_mbus_windows failure. + +Signed-off-by: Marcin Wojtas +Reviewed-by: Gregory CLEMENT +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +diff --git a/drivers/mmc/host/sdhci-pxav3.c b/drivers/mmc/host/sdhci-pxav3.c +index 89a9e49e2ea8..f5edf9d3a18a 100644 +--- a/drivers/mmc/host/sdhci-pxav3.c ++++ b/drivers/mmc/host/sdhci-pxav3.c +@@ -402,7 +402,7 @@ static int sdhci_pxav3_probe(struct platform_device *pdev) + if (of_device_is_compatible(np, "marvell,armada-380-sdhci")) { + ret = armada_38x_quirks(pdev, host); + if (ret < 0) +- goto err_clk_get; ++ goto err_mbus_win; + ret = mv_conf_mbus_windows(pdev, mv_mbus_dram_info()); + if (ret < 0) + goto err_mbus_win; diff --git a/queue-4.2/mmc-sdhci-pxav3-remove-broken-clock-base-quirk-for-armada-38x-sdhci-driver.patch b/queue-4.2/mmc-sdhci-pxav3-remove-broken-clock-base-quirk-for-armada-38x-sdhci-driver.patch new file mode 100644 index 00000000000..6fe8cc5a976 --- /dev/null +++ b/queue-4.2/mmc-sdhci-pxav3-remove-broken-clock-base-quirk-for-armada-38x-sdhci-driver.patch @@ -0,0 +1,33 @@ +From 5de76bfcb1e5ac66c57b99e8e193dacac7416f0e Mon Sep 17 00:00:00 2001 +From: Nadav Haklai +Date: Tue, 6 Oct 2015 03:22:35 +0200 +Subject: mmc: sdhci-pxav3: remove broken clock base quirk for Armada 38x sdhci driver + +From: Nadav Haklai + +commit 5de76bfcb1e5ac66c57b99e8e193dacac7416f0e upstream. + +shci-pxav3 driver is enabling by default the +SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN quirk. However this quirk is not +required for Armada 38x and leads to wrong clock setting in the divider. + +Signed-off-by: Nadav Haklai +Signed-off-by: Marcin Wojtas +Reviewed-by: Gregory CLEMENT +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-pxav3.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mmc/host/sdhci-pxav3.c ++++ b/drivers/mmc/host/sdhci-pxav3.c +@@ -135,6 +135,7 @@ static int armada_38x_quirks(struct plat + struct sdhci_pxa *pxa = pltfm_host->priv; + struct resource *res; + ++ host->quirks &= ~SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN; + host->quirks |= SDHCI_QUIRK_MISSING_CAPS; + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, + "conf-sdio3"); diff --git a/queue-4.2/namei-results-of-d_is_negative-should-be-checked-after-dentry-revalidation.patch b/queue-4.2/namei-results-of-d_is_negative-should-be-checked-after-dentry-revalidation.patch new file mode 100644 index 00000000000..cdfd4f68068 --- /dev/null +++ b/queue-4.2/namei-results-of-d_is_negative-should-be-checked-after-dentry-revalidation.patch @@ -0,0 +1,74 @@ +From daf3761c9fcde0f4ca64321cbed6c1c86d304193 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Fri, 9 Oct 2015 13:44:34 -0400 +Subject: namei: results of d_is_negative() should be checked after dentry revalidation + +From: Trond Myklebust + +commit daf3761c9fcde0f4ca64321cbed6c1c86d304193 upstream. + +Leandro Awa writes: + "After switching to version 4.1.6, our parallelized and distributed + workflows now fail consistently with errors of the form: + + T34: ./regex.c:39:22: error: config.h: No such file or directory + + From our 'git bisect' testing, the following commit appears to be the + possible cause of the behavior we've been seeing: commit 766c4cbfacd8" + +Al Viro says: + "What happens is that 766c4cbfacd8 got the things subtly wrong. + + We used to treat d_is_negative() after lookup_fast() as "fall with + ENOENT". That was wrong - checking ->d_flags outside of ->d_seq + protection is unreliable and failing with hard error on what should've + fallen back to non-RCU pathname resolution is a bug. + + Unfortunately, we'd pulled the test too far up and ran afoul of + another kind of staleness. The dentry might have been absolutely + stable from the RCU point of view (and we might be on UP, etc), but + stale from the remote fs point of view. If ->d_revalidate() returns + "it's actually stale", dentry gets thrown away and the original code + wouldn't even have looked at its ->d_flags. + + What we need is to check ->d_flags where 766c4cbfacd8 does (prior to + ->d_seq validation) but only use the result in cases where we do not + discard this dentry outright" + +Reported-by: Leandro Awa +Link: https://bugzilla.kernel.org/show_bug.cgi?id=104911 +Fixes: 766c4cbfacd8 ("namei: d_is_negative() should be checked...") +Tested-by: Leandro Awa +Signed-off-by: Trond Myklebust +Acked-by: Al Viro +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/namei.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -1558,8 +1558,6 @@ static int lookup_fast(struct nameidata + negative = d_is_negative(dentry); + if (read_seqcount_retry(&dentry->d_seq, seq)) + return -ECHILD; +- if (negative) +- return -ENOENT; + + /* + * This sequence count validates that the parent had no +@@ -1580,6 +1578,12 @@ static int lookup_fast(struct nameidata + goto unlazy; + } + } ++ /* ++ * Note: do negative dentry check after revalidation in ++ * case that drops it. ++ */ ++ if (negative) ++ return -ENOENT; + path->mnt = mnt; + path->dentry = dentry; + if (likely(__follow_mount_rcu(nd, path, inode, seqp))) diff --git a/queue-4.2/net-xen-netfront-only-napi_synchronize-if-running.patch b/queue-4.2/net-xen-netfront-only-napi_synchronize-if-running.patch new file mode 100644 index 00000000000..aa5db53c52e --- /dev/null +++ b/queue-4.2/net-xen-netfront-only-napi_synchronize-if-running.patch @@ -0,0 +1,54 @@ +From 274b045509175db0405c784be85e8cce116e6f7d Mon Sep 17 00:00:00 2001 +From: Chas Williams <3chas3@gmail.com> +Date: Thu, 27 Aug 2015 12:28:46 -0400 +Subject: net/xen-netfront: only napi_synchronize() if running + +From: Chas Williams <3chas3@gmail.com> + +commit 274b045509175db0405c784be85e8cce116e6f7d upstream. + +If an interface isn't running napi_synchronize() will hang forever. + +[ 392.248403] rmmod R running task 0 359 343 0x00000000 +[ 392.257671] ffff88003760fc88 ffff880037193b40 ffff880037193160 ffff88003760fc88 +[ 392.267644] ffff880037610000 ffff88003760fcd8 0000000100014c22 ffffffff81f75c40 +[ 392.277524] 0000000000bc7010 ffff88003760fca8 ffffffff81796927 ffffffff81f75c40 +[ 392.287323] Call Trace: +[ 392.291599] [] schedule+0x37/0x90 +[ 392.298553] [] schedule_timeout+0x14b/0x280 +[ 392.306421] [] ? irq_free_descs+0x69/0x80 +[ 392.314006] [] ? internal_add_timer+0xb0/0xb0 +[ 392.322125] [] msleep+0x37/0x50 +[ 392.329037] [] xennet_disconnect_backend.isra.24+0xda/0x390 [xen_netfront] +[ 392.339658] [] xennet_remove+0x2c/0x80 [xen_netfront] +[ 392.348516] [] xenbus_dev_remove+0x59/0xc0 +[ 392.356257] [] __device_release_driver+0x87/0x120 +[ 392.364645] [] driver_detach+0xb8/0xc0 +[ 392.371989] [] bus_remove_driver+0x59/0xe0 +[ 392.379883] [] driver_unregister+0x30/0x70 +[ 392.387495] [] xenbus_unregister_driver+0x12/0x20 +[ 392.395908] [] netif_exit+0x10/0x775 [xen_netfront] +[ 392.404877] [] SyS_delete_module+0x1d8/0x230 +[ 392.412804] [] system_call_fastpath+0x12/0x71 + +Signed-off-by: Chas Williams <3chas3@gmail.com> +Signed-off-by: David S. Miller +Cc: "Kamata, Munehisa" +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/xen-netfront.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -1348,7 +1348,8 @@ static void xennet_disconnect_backend(st + queue->tx_evtchn = queue->rx_evtchn = 0; + queue->tx_irq = queue->rx_irq = 0; + +- napi_synchronize(&queue->napi); ++ if (netif_running(info->netdev)) ++ napi_synchronize(&queue->napi); + + xennet_release_tx_bufs(queue); + xennet_release_rx_bufs(queue); diff --git a/queue-4.2/nfs-filelayout-fix-null-reference-caused-by-double-freeing-of-fh_array.patch b/queue-4.2/nfs-filelayout-fix-null-reference-caused-by-double-freeing-of-fh_array.patch new file mode 100644 index 00000000000..2a0ec0aad87 --- /dev/null +++ b/queue-4.2/nfs-filelayout-fix-null-reference-caused-by-double-freeing-of-fh_array.patch @@ -0,0 +1,143 @@ +From 3ec0c97959abff33a42db9081c22132bcff5b4f2 Mon Sep 17 00:00:00 2001 +From: Kinglong Mee +Date: Mon, 14 Sep 2015 20:12:21 +0800 +Subject: nfs/filelayout: Fix NULL reference caused by double freeing of fh_array + +From: Kinglong Mee + +commit 3ec0c97959abff33a42db9081c22132bcff5b4f2 upstream. + +If filelayout_decode_layout fail, _filelayout_free_lseg will causes +a double freeing of fh_array. + +[ 1179.279800] BUG: unable to handle kernel NULL pointer dereference at (null) +[ 1179.280198] IP: [] filelayout_free_fh_array.isra.11+0x1d/0x70 [nfs_layout_nfsv41_files] +[ 1179.281010] PGD 0 +[ 1179.281443] Oops: 0000 [#1] +[ 1179.281831] Modules linked in: nfs_layout_nfsv41_files(OE) nfsv4(OE) nfs(OE) fscache(E) xfs libcrc32c coretemp nfsd crct10dif_pclmul ppdev crc32_pclmul crc32c_intel auth_rpcgss ghash_clmulni_intel nfs_acl lockd vmw_balloon grace sunrpc parport_pc vmw_vmci parport shpchp i2c_piix4 vmwgfx drm_kms_helper ttm drm serio_raw mptspi scsi_transport_spi mptscsih e1000 mptbase ata_generic pata_acpi [last unloaded: fscache] +[ 1179.283891] CPU: 0 PID: 13336 Comm: cat Tainted: G OE 4.3.0-rc1-pnfs+ #244 +[ 1179.284323] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/20/2014 +[ 1179.285206] task: ffff8800501d48c0 ti: ffff88003e3c4000 task.ti: ffff88003e3c4000 +[ 1179.285668] RIP: 0010:[] [] filelayout_free_fh_array.isra.11+0x1d/0x70 [nfs_layout_nfsv41_files] +[ 1179.286612] RSP: 0018:ffff88003e3c77f8 EFLAGS: 00010202 +[ 1179.287092] RAX: 0000000000000000 RBX: ffff88001fe78900 RCX: 0000000000000000 +[ 1179.287731] RDX: ffffea0000f40760 RSI: ffff88001fe789c8 RDI: ffff88001fe789c0 +[ 1179.288383] RBP: ffff88003e3c7810 R08: ffffea0000f40760 R09: 0000000000000000 +[ 1179.289170] R10: 0000000000000000 R11: 0000000000000001 R12: ffff88001fe789c8 +[ 1179.289959] R13: ffff88001fe789c0 R14: ffff88004ec05a80 R15: ffff88004f935b88 +[ 1179.290791] FS: 00007f4e66bb5700(0000) GS:ffffffff81c29000(0000) knlGS:0000000000000000 +[ 1179.291580] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1179.292209] CR2: 0000000000000000 CR3: 00000000203f8000 CR4: 00000000001406f0 +[ 1179.292731] Stack: +[ 1179.293195] ffff88001fe78900 00000000000000d0 ffff88001fe78178 ffff88003e3c7868 +[ 1179.293676] ffffffffa0272737 0000000000000001 0000000000000001 ffff88001fe78800 +[ 1179.294151] 00000000614fffce ffffffff81727671 ffff88001fe78100 ffff88001fe78100 +[ 1179.294623] Call Trace: +[ 1179.295092] [] filelayout_alloc_lseg+0xa7/0x2d0 [nfs_layout_nfsv41_files] +[ 1179.295625] [] ? out_of_line_wait_on_bit+0x81/0xb0 +[ 1179.296133] [] pnfs_layout_process+0xae/0x320 [nfsv4] +[ 1179.296632] [] nfs4_proc_layoutget+0x2b1/0x360 [nfsv4] +[ 1179.297134] [] pnfs_update_layout+0x853/0xb30 [nfsv4] +[ 1179.297632] [] ? nfs_get_lock_context+0x74/0x170 [nfs] +[ 1179.298158] [] filelayout_pg_init_read+0x37/0x50 [nfs_layout_nfsv41_files] +[ 1179.298834] [] __nfs_pageio_add_request+0x119/0x460 [nfs] +[ 1179.299385] [] ? nfs_create_request.part.9+0x37/0x2e0 [nfs] +[ 1179.299872] [] nfs_pageio_add_request+0xa3/0x1b0 [nfs] +[ 1179.300362] [] readpage_async_filler+0x85/0x260 [nfs] +[ 1179.300907] [] read_cache_pages+0x91/0xd0 +[ 1179.301391] [] ? nfs_read_completion+0x220/0x220 [nfs] +[ 1179.301867] [] nfs_readpages+0x128/0x200 [nfs] +[ 1179.302330] [] __do_page_cache_readahead+0x203/0x280 +[ 1179.302784] [] ? __do_page_cache_readahead+0xd8/0x280 +[ 1179.303413] [] ondemand_readahead+0x1a6/0x2f0 +[ 1179.303855] [] page_cache_sync_readahead+0x31/0x50 +[ 1179.304286] [] generic_file_read_iter+0x4a6/0x5c0 +[ 1179.304711] [] ? __nfs_revalidate_mapping+0x1f6/0x240 [nfs] +[ 1179.305132] [] nfs_file_read+0x52/0xa0 [nfs] +[ 1179.305540] [] __vfs_read+0xcc/0x100 +[ 1179.305936] [] vfs_read+0x85/0x130 +[ 1179.306326] [] SyS_read+0x58/0xd0 +[ 1179.306708] [] entry_SYSCALL_64_fastpath+0x12/0x76 +[ 1179.307094] Code: c4 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 8b 07 49 89 f4 85 c0 74 47 48 8b 06 49 89 fd <48> 8b 38 48 85 ff 74 22 31 db eb 0c 48 63 d3 48 8b 3c d0 48 85 +[ 1179.308357] RIP [] filelayout_free_fh_array.isra.11+0x1d/0x70 [nfs_layout_nfsv41_files] +[ 1179.309177] RSP +[ 1179.309582] CR2: 0000000000000000 + +Signed-off-by: Kinglong Mee +Signed-off-by: Trond Myklebust +Cc: William Dauchy +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/filelayout/filelayout.c | 31 ++++++++++++------------------- + 1 file changed, 12 insertions(+), 19 deletions(-) + +--- a/fs/nfs/filelayout/filelayout.c ++++ b/fs/nfs/filelayout/filelayout.c +@@ -629,23 +629,18 @@ out_put: + goto out; + } + +-static void filelayout_free_fh_array(struct nfs4_filelayout_segment *fl) ++static void _filelayout_free_lseg(struct nfs4_filelayout_segment *fl) + { + int i; + +- for (i = 0; i < fl->num_fh; i++) { +- if (!fl->fh_array[i]) +- break; +- kfree(fl->fh_array[i]); ++ if (fl->fh_array) { ++ for (i = 0; i < fl->num_fh; i++) { ++ if (!fl->fh_array[i]) ++ break; ++ kfree(fl->fh_array[i]); ++ } ++ kfree(fl->fh_array); + } +- kfree(fl->fh_array); +- fl->fh_array = NULL; +-} +- +-static void +-_filelayout_free_lseg(struct nfs4_filelayout_segment *fl) +-{ +- filelayout_free_fh_array(fl); + kfree(fl); + } + +@@ -716,21 +711,21 @@ filelayout_decode_layout(struct pnfs_lay + /* Do we want to use a mempool here? */ + fl->fh_array[i] = kmalloc(sizeof(struct nfs_fh), gfp_flags); + if (!fl->fh_array[i]) +- goto out_err_free; ++ goto out_err; + + p = xdr_inline_decode(&stream, 4); + if (unlikely(!p)) +- goto out_err_free; ++ goto out_err; + fl->fh_array[i]->size = be32_to_cpup(p++); + if (sizeof(struct nfs_fh) < fl->fh_array[i]->size) { + printk(KERN_ERR "NFS: Too big fh %d received %d\n", + i, fl->fh_array[i]->size); +- goto out_err_free; ++ goto out_err; + } + + p = xdr_inline_decode(&stream, fl->fh_array[i]->size); + if (unlikely(!p)) +- goto out_err_free; ++ goto out_err; + memcpy(fl->fh_array[i]->data, p, fl->fh_array[i]->size); + dprintk("DEBUG: %s: fh len %d\n", __func__, + fl->fh_array[i]->size); +@@ -739,8 +734,6 @@ filelayout_decode_layout(struct pnfs_lay + __free_page(scratch); + return 0; + +-out_err_free: +- filelayout_free_fh_array(fl); + out_err: + __free_page(scratch); + return -EIO; diff --git a/queue-4.2/serial-8250-add-uart_config-entry-for-port_rt2880.patch b/queue-4.2/serial-8250-add-uart_config-entry-for-port_rt2880.patch new file mode 100644 index 00000000000..7d3be841aad --- /dev/null +++ b/queue-4.2/serial-8250-add-uart_config-entry-for-port_rt2880.patch @@ -0,0 +1,38 @@ +From 3c5a0357fdb3a9116a48dbdb0abb91fd23fbff80 Mon Sep 17 00:00:00 2001 +From: Mans Rullgard +Date: Fri, 2 Oct 2015 17:50:31 +0100 +Subject: serial: 8250: add uart_config entry for PORT_RT2880 + +From: Mans Rullgard + +commit 3c5a0357fdb3a9116a48dbdb0abb91fd23fbff80 upstream. + +This adds an entry to the uart_config table for PORT_RT2880 +enabling rx/tx FIFOs. The UART is actually a Palmchip BK-3103 +which is found in several devices from Alchemy/RMI, Ralink, and +Sigma Designs. + +Signed-off-by: Mans Rullgard +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_core.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/tty/serial/8250/8250_core.c ++++ b/drivers/tty/serial/8250/8250_core.c +@@ -326,6 +326,14 @@ configured less than Maximum supported f + UART_FCR7_64BYTE, + .flags = UART_CAP_FIFO, + }, ++ [PORT_RT2880] = { ++ .name = "Palmchip BK-3103", ++ .fifo_size = 16, ++ .tx_loadsz = 16, ++ .fcr = UART_FCR_ENABLE_FIFO | UART_FCR_R_TRIG_10, ++ .rxtrig_bytes = {1, 4, 8, 14}, ++ .flags = UART_CAP_FIFO, ++ }, + }; + + /* Uart divisor latch read */ diff --git a/queue-4.2/series b/queue-4.2/series index f4dc45d2c87..289877575b4 100644 --- a/queue-4.2/series +++ b/queue-4.2/series @@ -225,3 +225,28 @@ mmc-core-don-t-return-an-error-for-cd-wp-gpios-when-gpiolib-is-unset.patch mmc-core-fix-dead-loop-of-mmc_retune.patch dcache-handle-escaped-paths-in-prepend_path.patch vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch +arm64-efi-fix-boot-crash-by-not-padding-between-efi_memory_runtime-regions.patch +arm64-ftrace-fix-function_graph-tracer-panic.patch +arm64-readahead-fault-retry-breaks-mmap-file-read-random-detection.patch +m68k-define-asmlinkage_protect.patch +xen-blkback-free-requests-on-disconnection.patch +net-xen-netfront-only-napi_synchronize-if-running.patch +igb-do-not-re-init-sr-iov-during-probe.patch +genirq-fix-race-in-register_irq_proc.patch +clocksource-fix-abs-usage-w-64bit-values.patch +md-bitmap-don-t-pass-1-to-bitmap_storage_alloc.patch +nfs-filelayout-fix-null-reference-caused-by-double-freeing-of-fh_array.patch +mmc-sdhci-pxav3-remove-broken-clock-base-quirk-for-armada-38x-sdhci-driver.patch +mmc-sdhci-pxav3-disable-clock-inversion-for-hs-mmc-cards.patch +mmc-sdhci-pxav3-fix-error-handling-of-armada_38x_quirks.patch +cpufreq-acpi_cpufreq-prevent-crash-on-reading-freqdomain_cpus.patch +clk-ti-fix-dual-registration-of-uart4_ick.patch +clk-ti-clk-7xx-remove-hardwired-abe-clock-configuration.patch +clk-samsung-fix-cpu-clock-s-flags-checking.patch +namei-results-of-d_is_negative-should-be-checked-after-dentry-revalidation.patch +dm-fix-ab-ba-deadlock-in-__dm_destroy.patch +dm-cache-fix-null-pointer-when-switching-from-cleaner-policy.patch +staging-speakup-fix-speakup-r-regression.patch +tty-fix-stall-caused-by-missing-memory-barrier-in-drivers-tty-n_tty.c.patch +drivers-tty-require-read-access-for-controlling-terminal.patch +serial-8250-add-uart_config-entry-for-port_rt2880.patch diff --git a/queue-4.2/staging-speakup-fix-speakup-r-regression.patch b/queue-4.2/staging-speakup-fix-speakup-r-regression.patch new file mode 100644 index 00000000000..52590cb859b --- /dev/null +++ b/queue-4.2/staging-speakup-fix-speakup-r-regression.patch @@ -0,0 +1,37 @@ +From b1d562acc78f0af46de0dfe447410bc40bdb7ece Mon Sep 17 00:00:00 2001 +From: "covici@ccs.covici.com" +Date: Wed, 20 May 2015 05:44:11 -0400 +Subject: staging: speakup: fix speakup-r regression + +From: "covici@ccs.covici.com" + +commit b1d562acc78f0af46de0dfe447410bc40bdb7ece upstream. + +Here is a patch to make speakup-r work again. + +It broke in 3.6 due to commit 4369c64c79a22b98d3b7eff9d089196cd878a10a +"Input: Send events one packet at a time) + +The problem was that the fakekey.c routine to fake a down arrow no +longer functioned properly and putting the input_sync fixed it. + +Fixes: 4369c64c79a22b98d3b7eff9d089196cd878a10a +Acked-by: Samuel Thibault +Signed-off-by: John Covici +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/speakup/fakekey.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/staging/speakup/fakekey.c ++++ b/drivers/staging/speakup/fakekey.c +@@ -81,6 +81,7 @@ void speakup_fake_down_arrow(void) + __this_cpu_write(reporting_keystroke, true); + input_report_key(virt_keyboard, KEY_DOWN, PRESSED); + input_report_key(virt_keyboard, KEY_DOWN, RELEASED); ++ input_sync(virt_keyboard); + __this_cpu_write(reporting_keystroke, false); + + /* reenable preemption */ diff --git a/queue-4.2/tty-fix-stall-caused-by-missing-memory-barrier-in-drivers-tty-n_tty.c.patch b/queue-4.2/tty-fix-stall-caused-by-missing-memory-barrier-in-drivers-tty-n_tty.c.patch new file mode 100644 index 00000000000..49283ec3f7f --- /dev/null +++ b/queue-4.2/tty-fix-stall-caused-by-missing-memory-barrier-in-drivers-tty-n_tty.c.patch @@ -0,0 +1,140 @@ +From e81107d4c6bd098878af9796b24edc8d4a9524fd Mon Sep 17 00:00:00 2001 +From: Kosuke Tatsukawa +Date: Fri, 2 Oct 2015 08:27:05 +0000 +Subject: tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c + +From: Kosuke Tatsukawa + +commit e81107d4c6bd098878af9796b24edc8d4a9524fd upstream. + +My colleague ran into a program stall on a x86_64 server, where +n_tty_read() was waiting for data even if there was data in the buffer +in the pty. kernel stack for the stuck process looks like below. + #0 [ffff88303d107b58] __schedule at ffffffff815c4b20 + #1 [ffff88303d107bd0] schedule at ffffffff815c513e + #2 [ffff88303d107bf0] schedule_timeout at ffffffff815c7818 + #3 [ffff88303d107ca0] wait_woken at ffffffff81096bd2 + #4 [ffff88303d107ce0] n_tty_read at ffffffff8136fa23 + #5 [ffff88303d107dd0] tty_read at ffffffff81368013 + #6 [ffff88303d107e20] __vfs_read at ffffffff811a3704 + #7 [ffff88303d107ec0] vfs_read at ffffffff811a3a57 + #8 [ffff88303d107f00] sys_read at ffffffff811a4306 + #9 [ffff88303d107f50] entry_SYSCALL_64_fastpath at ffffffff815c86d7 + +There seems to be two problems causing this issue. + +First, in drivers/tty/n_tty.c, __receive_buf() stores the data and +updates ldata->commit_head using smp_store_release() and then checks +the wait queue using waitqueue_active(). However, since there is no +memory barrier, __receive_buf() could return without calling +wake_up_interactive_poll(), and at the same time, n_tty_read() could +start to wait in wait_woken() as in the following chart. + + __receive_buf() n_tty_read() +------------------------------------------------------------------------ +if (waitqueue_active(&tty->read_wait)) +/* Memory operations issued after the + RELEASE may be completed before the + RELEASE operation has completed */ + add_wait_queue(&tty->read_wait, &wait); + ... + if (!input_available_p(tty, 0)) { +smp_store_release(&ldata->commit_head, + ldata->read_head); + ... + timeout = wait_woken(&wait, + TASK_INTERRUPTIBLE, timeout); +------------------------------------------------------------------------ + +The second problem is that n_tty_read() also lacks a memory barrier +call and could also cause __receive_buf() to return without calling +wake_up_interactive_poll(), and n_tty_read() to wait in wait_woken() +as in the chart below. + + __receive_buf() n_tty_read() +------------------------------------------------------------------------ + spin_lock_irqsave(&q->lock, flags); + /* from add_wait_queue() */ + ... + if (!input_available_p(tty, 0)) { + /* Memory operations issued after the + RELEASE may be completed before the + RELEASE operation has completed */ +smp_store_release(&ldata->commit_head, + ldata->read_head); +if (waitqueue_active(&tty->read_wait)) + __add_wait_queue(q, wait); + spin_unlock_irqrestore(&q->lock,flags); + /* from add_wait_queue() */ + ... + timeout = wait_woken(&wait, + TASK_INTERRUPTIBLE, timeout); +------------------------------------------------------------------------ + +There are also other places in drivers/tty/n_tty.c which have similar +calls to waitqueue_active(), so instead of adding many memory barrier +calls, this patch simply removes the call to waitqueue_active(), +leaving just wake_up*() behind. + +This fixes both problems because, even though the memory access before +or after the spinlocks in both wake_up*() and add_wait_queue() can +sneak into the critical section, it cannot go past it and the critical +section assures that they will be serialized (please see "INTER-CPU +ACQUIRING BARRIER EFFECTS" in Documentation/memory-barriers.txt for a +better explanation). Moreover, the resulting code is much simpler. + +Latency measurement using a ping-pong test over a pty doesn't show any +visible performance drop. + +Signed-off-by: Kosuke Tatsukawa +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/n_tty.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -343,8 +343,7 @@ static void n_tty_packet_mode_flush(stru + spin_lock_irqsave(&tty->ctrl_lock, flags); + tty->ctrl_status |= TIOCPKT_FLUSHREAD; + spin_unlock_irqrestore(&tty->ctrl_lock, flags); +- if (waitqueue_active(&tty->link->read_wait)) +- wake_up_interruptible(&tty->link->read_wait); ++ wake_up_interruptible(&tty->link->read_wait); + } + } + +@@ -1382,8 +1381,7 @@ handle_newline: + put_tty_queue(c, ldata); + smp_store_release(&ldata->canon_head, ldata->read_head); + kill_fasync(&tty->fasync, SIGIO, POLL_IN); +- if (waitqueue_active(&tty->read_wait)) +- wake_up_interruptible_poll(&tty->read_wait, POLLIN); ++ wake_up_interruptible_poll(&tty->read_wait, POLLIN); + return 0; + } + } +@@ -1667,8 +1665,7 @@ static void __receive_buf(struct tty_str + + if ((read_cnt(ldata) >= ldata->minimum_to_wake) || L_EXTPROC(tty)) { + kill_fasync(&tty->fasync, SIGIO, POLL_IN); +- if (waitqueue_active(&tty->read_wait)) +- wake_up_interruptible_poll(&tty->read_wait, POLLIN); ++ wake_up_interruptible_poll(&tty->read_wait, POLLIN); + } + } + +@@ -1887,10 +1884,8 @@ static void n_tty_set_termios(struct tty + } + + /* The termios change make the tty ready for I/O */ +- if (waitqueue_active(&tty->write_wait)) +- wake_up_interruptible(&tty->write_wait); +- if (waitqueue_active(&tty->read_wait)) +- wake_up_interruptible(&tty->read_wait); ++ wake_up_interruptible(&tty->write_wait); ++ wake_up_interruptible(&tty->read_wait); + } + + /** diff --git a/queue-4.2/xen-blkback-free-requests-on-disconnection.patch b/queue-4.2/xen-blkback-free-requests-on-disconnection.patch new file mode 100644 index 00000000000..9332600319a --- /dev/null +++ b/queue-4.2/xen-blkback-free-requests-on-disconnection.patch @@ -0,0 +1,128 @@ +From f929d42ceb18a8acfd47e0e7b7d90b5d49bd9258 Mon Sep 17 00:00:00 2001 +From: Roger Pau Monne +Date: Fri, 4 Sep 2015 12:08:07 +0200 +Subject: xen/blkback: free requests on disconnection +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Roger Pau Monne + +commit f929d42ceb18a8acfd47e0e7b7d90b5d49bd9258 upstream. + +This is due to commit 86839c56dee28c315a4c19b7bfee450ccd84cd25 +"xen/block: add multi-page ring support" + +When using an guest under UEFI - after the domain is destroyed +the following warning comes from blkback. + +------------[ cut here ]------------ +WARNING: CPU: 2 PID: 95 at +/home/julien/works/linux/drivers/block/xen-blkback/xenbus.c:274 +xen_blkif_deferred_free+0x1f4/0x1f8() +Modules linked in: +CPU: 2 PID: 95 Comm: kworker/2:1 Tainted: G W 4.2.0 #85 +Hardware name: APM X-Gene Mustang board (DT) +Workqueue: events xen_blkif_deferred_free +Call trace: +[] dump_backtrace+0x0/0x124 +[] show_stack+0x10/0x1c +[] dump_stack+0x78/0x98 +[] warn_slowpath_common+0x9c/0xd4 +[] warn_slowpath_null+0x14/0x20 +[] xen_blkif_deferred_free+0x1f0/0x1f8 +[] process_one_work+0x160/0x3b4 +[] worker_thread+0x140/0x494 +[] kthread+0xd8/0xf0 +---[ end trace 6f859b7883c88cdd ]--- + +Request allocation has been moved to connect_ring, which is called every +time blkback connects to the frontend (this can happen multiple times during +a blkback instance life cycle). On the other hand, request freeing has not +been moved, so it's only called when destroying the backend instance. Due to +this mismatch, blkback can allocate the request pool multiple times, without +freeing it. + +In order to fix it, move the freeing of requests to xen_blkif_disconnect to +restore the symmetry between request allocation and freeing. + +Reported-by: Julien Grall +Signed-off-by: Roger Pau Monné +Tested-by: Julien Grall +Cc: Konrad Rzeszutek Wilk +Cc: Boris Ostrovsky +Cc: David Vrabel +Cc: xen-devel@lists.xenproject.org +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/xen-blkback/xenbus.c | 38 +++++++++++++++++++------------------ + 1 file changed, 20 insertions(+), 18 deletions(-) + +--- a/drivers/block/xen-blkback/xenbus.c ++++ b/drivers/block/xen-blkback/xenbus.c +@@ -212,6 +212,9 @@ static int xen_blkif_map(struct xen_blki + + static int xen_blkif_disconnect(struct xen_blkif *blkif) + { ++ struct pending_req *req, *n; ++ int i = 0, j; ++ + if (blkif->xenblkd) { + kthread_stop(blkif->xenblkd); + wake_up(&blkif->shutdown_wq); +@@ -238,13 +241,28 @@ static int xen_blkif_disconnect(struct x + /* Remove all persistent grants and the cache of ballooned pages. */ + xen_blkbk_free_caches(blkif); + ++ /* Check that there is no request in use */ ++ list_for_each_entry_safe(req, n, &blkif->pending_free, free_list) { ++ list_del(&req->free_list); ++ ++ for (j = 0; j < MAX_INDIRECT_SEGMENTS; j++) ++ kfree(req->segments[j]); ++ ++ for (j = 0; j < MAX_INDIRECT_PAGES; j++) ++ kfree(req->indirect_pages[j]); ++ ++ kfree(req); ++ i++; ++ } ++ ++ WARN_ON(i != (XEN_BLKIF_REQS_PER_PAGE * blkif->nr_ring_pages)); ++ blkif->nr_ring_pages = 0; ++ + return 0; + } + + static void xen_blkif_free(struct xen_blkif *blkif) + { +- struct pending_req *req, *n; +- int i = 0, j; + + xen_blkif_disconnect(blkif); + xen_vbd_free(&blkif->vbd); +@@ -257,22 +275,6 @@ static void xen_blkif_free(struct xen_bl + BUG_ON(!list_empty(&blkif->free_pages)); + BUG_ON(!RB_EMPTY_ROOT(&blkif->persistent_gnts)); + +- /* Check that there is no request in use */ +- list_for_each_entry_safe(req, n, &blkif->pending_free, free_list) { +- list_del(&req->free_list); +- +- for (j = 0; j < MAX_INDIRECT_SEGMENTS; j++) +- kfree(req->segments[j]); +- +- for (j = 0; j < MAX_INDIRECT_PAGES; j++) +- kfree(req->indirect_pages[j]); +- +- kfree(req); +- i++; +- } +- +- WARN_ON(i != (XEN_BLKIF_REQS_PER_PAGE * blkif->nr_ring_pages)); +- + kmem_cache_free(xen_blkif_cachep, blkif); + } + -- 2.47.3