From: Greg Kroah-Hartman Date: Mon, 12 Jun 2017 09:19:18 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.57~20 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=93512781f4f96bc403a37b81da22ac37118ecfec;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: btrfs-fix-memory-leak-in-update_space_info-failure-path.patch btrfs-use-correct-types-for-page-indices-in-btrfs_page_exists_in_range.patch cpufreq-cpufreq_register_driver-should-return-enodev-if-init-fails.patch cpuset-consider-dying-css-as-offline.patch cxl-fix-error-path-on-bad-ioctl.patch dmaengine-ep93xx-always-start-from-base0.patch dmaengine-ep93xx-don-t-drain-the-transfers-in-terminate_all.patch dmaengine-usb-dmac-fix-dmaor-ae-bit-definition.patch drivers-char-random-add-get_random_long.patch drm-msm-expose-our-reservation-object-when-exporting-a-dmabuf.patch ext4-fix-fdatasync-2-after-extent-manipulation-operations.patch ext4-fix-seek_hole.patch ext4-keep-existing-extra-fields-when-inode-expands.patch fix-ufs_isblockset.patch iio-light-ltr501-fix-interchanged-als-ps-register-field.patch iio-proximity-as3935-fix-as3935_int-mask.patch input-elantech-add-fujitsu-lifebook-e546-e557-to-force-crc_enabled.patch random-properly-align-get_random_int_hash.patch stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch staging-lustre-lov-remove-set_fs-call-from-lov_getstripe.patch target-re-add-check-to-reject-control-writes-with-overflow-data.patch ufs-restore-maintaining-i_blocks.patch ufs-restore-proper-tail-allocation.patch ufs-set-correct-s_maxsize.patch ufs_extend_tail-fix-the-braino-in-calling-conventions-of-ufs_new_fragments.patch ufs_getfrag_block-we-only-grab-truncate_mutex-on-block-creation-path.patch usb-chipidea-debug-check-before-accessing-ci_role.patch usb-chipidea-udc-fix-null-pointer-dereference-if-udc_start-failed.patch usb-gadget-f_mass_storage-serialize-wake-and-sleep-execution.patch xen-netfront-cast-grant-table-reference-first-to-type-int.patch xen-netfront-do-not-cast-grant-table-reference-to-signed-short.patch xen-privcmd-support-correctly-64kb-page-granularity-when-mapping-memory.patch --- diff --git a/queue-4.4/btrfs-fix-memory-leak-in-update_space_info-failure-path.patch b/queue-4.4/btrfs-fix-memory-leak-in-update_space_info-failure-path.patch new file mode 100644 index 00000000000..c3e521e204b --- /dev/null +++ b/queue-4.4/btrfs-fix-memory-leak-in-update_space_info-failure-path.patch @@ -0,0 +1,32 @@ +From 896533a7da929136d0432713f02a3edffece2826 Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Wed, 17 May 2017 09:49:37 -0400 +Subject: btrfs: fix memory leak in update_space_info failure path + +From: Jeff Mahoney + +commit 896533a7da929136d0432713f02a3edffece2826 upstream. + +If we fail to add the space_info kobject, we'll leak the memory +for the percpu counter. + +Fixes: 6ab0a2029c (btrfs: publish allocation data in sysfs) +Signed-off-by: Jeff Mahoney +Reviewed-by: Liu Bo +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent-tree.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -3854,6 +3854,7 @@ static int update_space_info(struct btrf + info->space_info_kobj, "%s", + alloc_name(found->flags)); + if (ret) { ++ percpu_counter_destroy(&found->total_bytes_pinned); + kfree(found); + return ret; + } diff --git a/queue-4.4/btrfs-use-correct-types-for-page-indices-in-btrfs_page_exists_in_range.patch b/queue-4.4/btrfs-use-correct-types-for-page-indices-in-btrfs_page_exists_in_range.patch new file mode 100644 index 00000000000..09e7383dffa --- /dev/null +++ b/queue-4.4/btrfs-use-correct-types-for-page-indices-in-btrfs_page_exists_in_range.patch @@ -0,0 +1,64 @@ +From cc2b702c52094b637a351d7491ac5200331d0445 Mon Sep 17 00:00:00 2001 +From: David Sterba +Date: Fri, 12 May 2017 01:03:52 +0200 +Subject: btrfs: use correct types for page indices in btrfs_page_exists_in_range + +From: David Sterba + +commit cc2b702c52094b637a351d7491ac5200331d0445 upstream. + +Variables start_idx and end_idx are supposed to hold a page index +derived from the file offsets. The int type is not the right one though, +offsets larger than 1 << 44 will get silently trimmed off the high bits. +(1 << 44 is 16TiB) + +What can go wrong, if start is below the boundary and end gets trimmed: +- if there's a page after start, we'll find it (radix_tree_gang_lookup_slot) +- the final check "if (page->index <= end_idx)" will unexpectedly fail + +The function will return false, ie. "there's no page in the range", +although there is at least one. + +btrfs_page_exists_in_range is used to prevent races in: + +* in hole punching, where we make sure there are not pages in the + truncated range, otherwise we'll wait for them to finish and redo + truncation, but we're going to replace the pages with holes anyway so + the only problem is the intermediate state + +* lock_extent_direct: we want to make sure there are no pages before we + lock and start DIO, to prevent stale data reads + +For practical occurence of the bug, there are several constaints. The +file must be quite large, the affected range must cross the 16TiB +boundary and the internal state of the file pages and pending operations +must match. Also, we must not have started any ordered data in the +range, otherwise we don't even reach the buggy function check. + +DIO locking tries hard in several places to avoid deadlocks with +buffered IO and avoids waiting for ranges. The worst consequence seems +to be stale data read. + +CC: Liu Bo +Fixes: fc4adbff823f7 ("btrfs: Drop EXTENT_UPTODATE check in hole punching and direct locking") +Reviewed-by: Liu Bo +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/inode.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -7318,8 +7318,8 @@ bool btrfs_page_exists_in_range(struct i + int found = false; + void **pagep = NULL; + struct page *page = NULL; +- int start_idx; +- int end_idx; ++ unsigned long start_idx; ++ unsigned long end_idx; + + start_idx = start >> PAGE_CACHE_SHIFT; + diff --git a/queue-4.4/cpufreq-cpufreq_register_driver-should-return-enodev-if-init-fails.patch b/queue-4.4/cpufreq-cpufreq_register_driver-should-return-enodev-if-init-fails.patch new file mode 100644 index 00000000000..ed865ab815e --- /dev/null +++ b/queue-4.4/cpufreq-cpufreq_register_driver-should-return-enodev-if-init-fails.patch @@ -0,0 +1,33 @@ +From 6c77003677d5f1ce15f26d24360cb66c0bc07bb3 Mon Sep 17 00:00:00 2001 +From: David Arcari +Date: Fri, 26 May 2017 11:37:31 -0400 +Subject: cpufreq: cpufreq_register_driver() should return -ENODEV if init fails + +From: David Arcari + +commit 6c77003677d5f1ce15f26d24360cb66c0bc07bb3 upstream. + +For a driver that does not set the CPUFREQ_STICKY flag, if all of the +->init() calls fail, cpufreq_register_driver() should return an error. +This will prevent the driver from loading. + +Fixes: ce1bcfe94db8 (cpufreq: check cpufreq_policy_list instead of scanning policies for all CPUs) +Signed-off-by: David Arcari +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/cpufreq.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -2451,6 +2451,7 @@ int cpufreq_register_driver(struct cpufr + if (!(cpufreq_driver->flags & CPUFREQ_STICKY) && + list_empty(&cpufreq_policy_list)) { + /* if all ->init() calls failed, unregister */ ++ ret = -ENODEV; + pr_debug("%s: No CPU initialized for driver %s\n", __func__, + driver_data->name); + goto err_if_unreg; diff --git a/queue-4.4/cpuset-consider-dying-css-as-offline.patch b/queue-4.4/cpuset-consider-dying-css-as-offline.patch new file mode 100644 index 00000000000..7d6ee226745 --- /dev/null +++ b/queue-4.4/cpuset-consider-dying-css-as-offline.patch @@ -0,0 +1,79 @@ +From 41c25707d21716826e3c1f60967f5550610ec1c9 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Wed, 24 May 2017 12:03:48 -0400 +Subject: cpuset: consider dying css as offline + +From: Tejun Heo + +commit 41c25707d21716826e3c1f60967f5550610ec1c9 upstream. + +In most cases, a cgroup controller don't care about the liftimes of +cgroups. For the controller, a css becomes online when ->css_online() +is called on it and offline when ->css_offline() is called. + +However, cpuset is special in that the user interface it exposes cares +whether certain cgroups exist or not. Combined with the RCU delay +between cgroup removal and css offlining, this can lead to user +visible behavior oddities where operations which should succeed after +cgroup removals fail for some time period. The effects of cgroup +removals are delayed when seen from userland. + +This patch adds css_is_dying() which tests whether offline is pending +and updates is_cpuset_online() so that the function returns false also +while offline is pending. This gets rid of the userland visible +delays. + +Signed-off-by: Tejun Heo +Reported-by: Daniel Jordan +Link: http://lkml.kernel.org/r/327ca1f5-7957-fbb9-9e5f-9ba149d40ba2@oracle.com +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/cgroup.h | 20 ++++++++++++++++++++ + kernel/cpuset.c | 4 ++-- + 2 files changed, 22 insertions(+), 2 deletions(-) + +--- a/include/linux/cgroup.h ++++ b/include/linux/cgroup.h +@@ -340,6 +340,26 @@ static inline bool css_tryget_online(str + } + + /** ++ * css_is_dying - test whether the specified css is dying ++ * @css: target css ++ * ++ * Test whether @css is in the process of offlining or already offline. In ++ * most cases, ->css_online() and ->css_offline() callbacks should be ++ * enough; however, the actual offline operations are RCU delayed and this ++ * test returns %true also when @css is scheduled to be offlined. ++ * ++ * This is useful, for example, when the use case requires synchronous ++ * behavior with respect to cgroup removal. cgroup removal schedules css ++ * offlining but the css can seem alive while the operation is being ++ * delayed. If the delay affects user visible semantics, this test can be ++ * used to resolve the situation. ++ */ ++static inline bool css_is_dying(struct cgroup_subsys_state *css) ++{ ++ return !(css->flags & CSS_NO_REF) && percpu_ref_is_dying(&css->refcnt); ++} ++ ++/** + * css_put - put a css reference + * @css: target css + * +--- a/kernel/cpuset.c ++++ b/kernel/cpuset.c +@@ -173,9 +173,9 @@ typedef enum { + } cpuset_flagbits_t; + + /* convenient tests for these bits */ +-static inline bool is_cpuset_online(const struct cpuset *cs) ++static inline bool is_cpuset_online(struct cpuset *cs) + { +- return test_bit(CS_ONLINE, &cs->flags); ++ return test_bit(CS_ONLINE, &cs->flags) && !css_is_dying(&cs->css); + } + + static inline int is_cpu_exclusive(const struct cpuset *cs) diff --git a/queue-4.4/cxl-fix-error-path-on-bad-ioctl.patch b/queue-4.4/cxl-fix-error-path-on-bad-ioctl.patch new file mode 100644 index 00000000000..0e9e95d7032 --- /dev/null +++ b/queue-4.4/cxl-fix-error-path-on-bad-ioctl.patch @@ -0,0 +1,40 @@ +From cec422c11caeeccae709e9942058b6b644ce434c Mon Sep 17 00:00:00 2001 +From: Frederic Barrat +Date: Tue, 6 Jun 2017 11:43:41 +0200 +Subject: cxl: Fix error path on bad ioctl + +From: Frederic Barrat + +commit cec422c11caeeccae709e9942058b6b644ce434c upstream. + +Fix error path if we can't copy user structure on CXL_IOCTL_START_WORK +ioctl. We shouldn't unlock the context status mutex as it was not +locked (yet). + +Fixes: 0712dc7e73e5 ("cxl: Fix issues when unmapping contexts") +Signed-off-by: Frederic Barrat +Reviewed-by: Vaibhav Jain +Reviewed-by: Andrew Donnellan +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/cxl/file.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/misc/cxl/file.c ++++ b/drivers/misc/cxl/file.c +@@ -158,11 +158,8 @@ static long afu_ioctl_start_work(struct + + /* Do this outside the status_mutex to avoid a circular dependency with + * the locking in cxl_mmap_fault() */ +- if (copy_from_user(&work, uwork, +- sizeof(struct cxl_ioctl_start_work))) { +- rc = -EFAULT; +- goto out; +- } ++ if (copy_from_user(&work, uwork, sizeof(work))) ++ return -EFAULT; + + mutex_lock(&ctx->status_mutex); + if (ctx->status != OPENED) { diff --git a/queue-4.4/dmaengine-ep93xx-always-start-from-base0.patch b/queue-4.4/dmaengine-ep93xx-always-start-from-base0.patch new file mode 100644 index 00000000000..d11e26e5f41 --- /dev/null +++ b/queue-4.4/dmaengine-ep93xx-always-start-from-base0.patch @@ -0,0 +1,34 @@ +From 0037ae47812b1f431cc602100d1d51f37d77b61e Mon Sep 17 00:00:00 2001 +From: Alexander Sverdlin +Date: Mon, 22 May 2017 16:05:22 +0200 +Subject: dmaengine: ep93xx: Always start from BASE0 + +From: Alexander Sverdlin + +commit 0037ae47812b1f431cc602100d1d51f37d77b61e upstream. + +The current buffer is being reset to zero on device_free_chan_resources() +but not on device_terminate_all(). It could happen that HW is restarted and +expects BASE0 to be used, but the driver is not synchronized and will start +from BASE1. One solution is to reset the buffer explicitly in +m2p_hw_setup(). + +Signed-off-by: Alexander Sverdlin +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/ep93xx_dma.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/dma/ep93xx_dma.c ++++ b/drivers/dma/ep93xx_dma.c +@@ -325,6 +325,8 @@ static int m2p_hw_setup(struct ep93xx_dm + | M2P_CONTROL_ENABLE; + m2p_set_control(edmac, control); + ++ edmac->buffer = 0; ++ + return 0; + } + diff --git a/queue-4.4/dmaengine-ep93xx-don-t-drain-the-transfers-in-terminate_all.patch b/queue-4.4/dmaengine-ep93xx-don-t-drain-the-transfers-in-terminate_all.patch new file mode 100644 index 00000000000..716366a2dc9 --- /dev/null +++ b/queue-4.4/dmaengine-ep93xx-don-t-drain-the-transfers-in-terminate_all.patch @@ -0,0 +1,160 @@ +From 98f9de366fccee7572c646af226b2d4b4841e3b5 Mon Sep 17 00:00:00 2001 +From: Alexander Sverdlin +Date: Mon, 22 May 2017 16:05:23 +0200 +Subject: dmaengine: ep93xx: Don't drain the transfers in terminate_all() + +From: Alexander Sverdlin + +commit 98f9de366fccee7572c646af226b2d4b4841e3b5 upstream. + +Draining the transfers in terminate_all callback happens with IRQs disabled, +therefore induces huge latency: + + irqsoff latency trace v1.1.5 on 4.11.0 + -------------------------------------------------------------------- + latency: 39770 us, #57/57, CPU#0 | (M:preempt VP:0, KP:0, SP:0 HP:0) + ----------------- + | task: process-129 (uid:0 nice:0 policy:2 rt_prio:50) + ----------------- + => started at: _snd_pcm_stream_lock_irqsave + => ended at: snd_pcm_stream_unlock_irqrestore + + _------=> CPU# + / _-----=> irqs-off + | / _----=> need-resched + || / _---=> hardirq/softirq + ||| / _--=> preempt-depth + |||| / delay + cmd pid ||||| time | caller + \ / ||||| \ | / +process-129 0d.s. 3us : _snd_pcm_stream_lock_irqsave +process-129 0d.s1 9us : snd_pcm_stream_lock <-_snd_pcm_stream_lock_irqsave +process-129 0d.s1 15us : preempt_count_add <-snd_pcm_stream_lock +process-129 0d.s2 22us : preempt_count_add <-snd_pcm_stream_lock +process-129 0d.s3 32us : snd_pcm_update_hw_ptr0 <-snd_pcm_period_elapsed +process-129 0d.s3 41us : soc_pcm_pointer <-snd_pcm_update_hw_ptr0 +process-129 0d.s3 50us : dmaengine_pcm_pointer <-soc_pcm_pointer +process-129 0d.s3 58us+: snd_dmaengine_pcm_pointer_no_residue <-dmaengine_pcm_pointer +process-129 0d.s3 96us : update_audio_tstamp <-snd_pcm_update_hw_ptr0 +process-129 0d.s3 103us : snd_pcm_update_state <-snd_pcm_update_hw_ptr0 +process-129 0d.s3 112us : xrun <-snd_pcm_update_state +process-129 0d.s3 119us : snd_pcm_stop <-xrun +process-129 0d.s3 126us : snd_pcm_action <-snd_pcm_stop +process-129 0d.s3 134us : snd_pcm_action_single <-snd_pcm_action +process-129 0d.s3 141us : snd_pcm_pre_stop <-snd_pcm_action_single +process-129 0d.s3 150us : snd_pcm_do_stop <-snd_pcm_action_single +process-129 0d.s3 157us : soc_pcm_trigger <-snd_pcm_do_stop +process-129 0d.s3 166us : snd_dmaengine_pcm_trigger <-soc_pcm_trigger +process-129 0d.s3 175us : ep93xx_dma_terminate_all <-snd_dmaengine_pcm_trigger +process-129 0d.s3 182us : preempt_count_add <-ep93xx_dma_terminate_all +process-129 0d.s4 189us*: m2p_hw_shutdown <-ep93xx_dma_terminate_all +process-129 0d.s4 39472us : m2p_hw_setup <-ep93xx_dma_terminate_all + + ... rest skipped... + +process-129 0d.s. 40080us : + => ep93xx_dma_tasklet + => tasklet_action + => __do_softirq + => irq_exit + => __handle_domain_irq + => vic_handle_irq + => __irq_usr + => 0xb66c6668 + +Just abort the transfers and warn if the HW state is not what we expect. +Move draining into device_synchronize callback. + +Signed-off-by: Alexander Sverdlin +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/ep93xx_dma.c | 37 +++++++++++++++++++++++++++++++++---- + 1 file changed, 33 insertions(+), 4 deletions(-) + +--- a/drivers/dma/ep93xx_dma.c ++++ b/drivers/dma/ep93xx_dma.c +@@ -201,6 +201,7 @@ struct ep93xx_dma_engine { + struct dma_device dma_dev; + bool m2m; + int (*hw_setup)(struct ep93xx_dma_chan *); ++ void (*hw_synchronize)(struct ep93xx_dma_chan *); + void (*hw_shutdown)(struct ep93xx_dma_chan *); + void (*hw_submit)(struct ep93xx_dma_chan *); + int (*hw_interrupt)(struct ep93xx_dma_chan *); +@@ -335,21 +336,27 @@ static inline u32 m2p_channel_state(stru + return (readl(edmac->regs + M2P_STATUS) >> 4) & 0x3; + } + +-static void m2p_hw_shutdown(struct ep93xx_dma_chan *edmac) ++static void m2p_hw_synchronize(struct ep93xx_dma_chan *edmac) + { ++ unsigned long flags; + u32 control; + ++ spin_lock_irqsave(&edmac->lock, flags); + control = readl(edmac->regs + M2P_CONTROL); + control &= ~(M2P_CONTROL_STALLINT | M2P_CONTROL_NFBINT); + m2p_set_control(edmac, control); ++ spin_unlock_irqrestore(&edmac->lock, flags); + + while (m2p_channel_state(edmac) >= M2P_STATE_ON) +- cpu_relax(); ++ schedule(); ++} + ++static void m2p_hw_shutdown(struct ep93xx_dma_chan *edmac) ++{ + m2p_set_control(edmac, 0); + +- while (m2p_channel_state(edmac) == M2P_STATE_STALL) +- cpu_relax(); ++ while (m2p_channel_state(edmac) != M2P_STATE_IDLE) ++ dev_warn(chan2dev(edmac), "M2P: Not yet IDLE\n"); + } + + static void m2p_fill_desc(struct ep93xx_dma_chan *edmac) +@@ -1165,6 +1172,26 @@ fail: + } + + /** ++ * ep93xx_dma_synchronize - Synchronizes the termination of transfers to the ++ * current context. ++ * @chan: channel ++ * ++ * Synchronizes the DMA channel termination to the current context. When this ++ * function returns it is guaranteed that all transfers for previously issued ++ * descriptors have stopped and and it is safe to free the memory associated ++ * with them. Furthermore it is guaranteed that all complete callback functions ++ * for a previously submitted descriptor have finished running and it is safe to ++ * free resources accessed from within the complete callbacks. ++ */ ++static void ep93xx_dma_synchronize(struct dma_chan *chan) ++{ ++ struct ep93xx_dma_chan *edmac = to_ep93xx_dma_chan(chan); ++ ++ if (edmac->edma->hw_synchronize) ++ edmac->edma->hw_synchronize(edmac); ++} ++ ++/** + * ep93xx_dma_terminate_all - terminate all transactions + * @chan: channel + * +@@ -1327,6 +1354,7 @@ static int __init ep93xx_dma_probe(struc + dma_dev->device_prep_slave_sg = ep93xx_dma_prep_slave_sg; + dma_dev->device_prep_dma_cyclic = ep93xx_dma_prep_dma_cyclic; + dma_dev->device_config = ep93xx_dma_slave_config; ++ dma_dev->device_synchronize = ep93xx_dma_synchronize; + dma_dev->device_terminate_all = ep93xx_dma_terminate_all; + dma_dev->device_issue_pending = ep93xx_dma_issue_pending; + dma_dev->device_tx_status = ep93xx_dma_tx_status; +@@ -1344,6 +1372,7 @@ static int __init ep93xx_dma_probe(struc + } else { + dma_cap_set(DMA_PRIVATE, dma_dev->cap_mask); + ++ edma->hw_synchronize = m2p_hw_synchronize; + edma->hw_setup = m2p_hw_setup; + edma->hw_shutdown = m2p_hw_shutdown; + edma->hw_submit = m2p_hw_submit; diff --git a/queue-4.4/dmaengine-usb-dmac-fix-dmaor-ae-bit-definition.patch b/queue-4.4/dmaengine-usb-dmac-fix-dmaor-ae-bit-definition.patch new file mode 100644 index 00000000000..f69b2a10af9 --- /dev/null +++ b/queue-4.4/dmaengine-usb-dmac-fix-dmaor-ae-bit-definition.patch @@ -0,0 +1,34 @@ +From 9a445bbb1607d9f14556a532453dd86d1b7e381e Mon Sep 17 00:00:00 2001 +From: Hiroyuki Yokoyama +Date: Mon, 15 May 2017 17:49:52 +0900 +Subject: dmaengine: usb-dmac: Fix DMAOR AE bit definition + +From: Hiroyuki Yokoyama + +commit 9a445bbb1607d9f14556a532453dd86d1b7e381e upstream. + +This patch fixes the register definition of AE (Address Error flag) bit. + +Fixes: 0c1c8ff32fa2 ("dmaengine: usb-dmac: Add Renesas USB DMA Controller (USB-DMAC) driver") +Signed-off-by: Hiroyuki Yokoyama +[Shimoda: add Fixes and Cc tags in the commit log] +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/sh/usb-dmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/dma/sh/usb-dmac.c ++++ b/drivers/dma/sh/usb-dmac.c +@@ -117,7 +117,7 @@ struct usb_dmac { + #define USB_DMASWR 0x0008 + #define USB_DMASWR_SWR (1 << 0) + #define USB_DMAOR 0x0060 +-#define USB_DMAOR_AE (1 << 2) ++#define USB_DMAOR_AE (1 << 1) + #define USB_DMAOR_DME (1 << 0) + + #define USB_DMASAR 0x0000 diff --git a/queue-4.4/drivers-char-random-add-get_random_long.patch b/queue-4.4/drivers-char-random-add-get_random_long.patch new file mode 100644 index 00000000000..b50f5cf3b6a --- /dev/null +++ b/queue-4.4/drivers-char-random-add-get_random_long.patch @@ -0,0 +1,103 @@ +From ec9ee4acd97c0039a61c0ae4f12705767ae62153 Mon Sep 17 00:00:00 2001 +From: Daniel Cashman +Date: Fri, 26 Feb 2016 15:19:34 -0800 +Subject: drivers: char: random: add get_random_long() + +From: Daniel Cashman + +commit ec9ee4acd97c0039a61c0ae4f12705767ae62153 upstream. + +Commit d07e22597d1d ("mm: mmap: add new /proc tunable for mmap_base +ASLR") added the ability to choose from a range of values to use for +entropy count in generating the random offset to the mmap_base address. + +The maximum value on this range was set to 32 bits for 64-bit x86 +systems, but this value could be increased further, requiring more than +the 32 bits of randomness provided by get_random_int(), as is already +possible for arm64. Add a new function: get_random_long() which more +naturally fits with the mmap usage of get_random_int() but operates +exactly the same as get_random_int(). + +Also, fix the shifting constant in mmap_rnd() to be an unsigned long so +that values greater than 31 bits generate an appropriate mask without +overflow. This is especially important on x86, as its shift instruction +uses a 5-bit mask for the shift operand, which meant that any value for +mmap_rnd_bits over 31 acts as a no-op and effectively disables mmap_base +randomization. + +Finally, replace calls to get_random_int() with get_random_long() where +appropriate. + +This patch (of 2): + +Add get_random_long(). + +Signed-off-by: Daniel Cashman +Acked-by: Kees Cook +Cc: "Theodore Ts'o" +Cc: Arnd Bergmann +Cc: Greg Kroah-Hartman +Cc: Catalin Marinas +Cc: Will Deacon +Cc: Ralf Baechle +Cc: Benjamin Herrenschmidt +Cc: Paul Mackerras +Cc: Michael Ellerman +Cc: David S. Miller +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: H. Peter Anvin +Cc: Al Viro +Cc: Nick Kralevich +Cc: Jeff Vander Stoep +Cc: Mark Salyzyn +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/random.c | 22 ++++++++++++++++++++++ + include/linux/random.h | 1 + + 2 files changed, 23 insertions(+) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1825,6 +1825,28 @@ unsigned int get_random_int(void) + EXPORT_SYMBOL(get_random_int); + + /* ++ * Same as get_random_int(), but returns unsigned long. ++ */ ++unsigned long get_random_long(void) ++{ ++ __u32 *hash; ++ unsigned long ret; ++ ++ if (arch_get_random_long(&ret)) ++ return ret; ++ ++ hash = get_cpu_var(get_random_int_hash); ++ ++ hash[0] += current->pid + jiffies + random_get_entropy(); ++ md5_transform(hash, random_int_secret); ++ ret = *(unsigned long *)hash; ++ put_cpu_var(get_random_int_hash); ++ ++ return ret; ++} ++EXPORT_SYMBOL(get_random_long); ++ ++/* + * randomize_range() returns a start address such that + * + * [...... .....] +--- a/include/linux/random.h ++++ b/include/linux/random.h +@@ -34,6 +34,7 @@ extern const struct file_operations rand + #endif + + unsigned int get_random_int(void); ++unsigned long get_random_long(void); + unsigned long randomize_range(unsigned long start, unsigned long end, unsigned long len); + + u32 prandom_u32(void); diff --git a/queue-4.4/drm-msm-expose-our-reservation-object-when-exporting-a-dmabuf.patch b/queue-4.4/drm-msm-expose-our-reservation-object-when-exporting-a-dmabuf.patch new file mode 100644 index 00000000000..4d19248d166 --- /dev/null +++ b/queue-4.4/drm-msm-expose-our-reservation-object-when-exporting-a-dmabuf.patch @@ -0,0 +1,61 @@ +From 43523eba79bda8f5b4c27f8ffe20ea078d20113a Mon Sep 17 00:00:00 2001 +From: Eric Anholt +Date: Wed, 12 Apr 2017 12:11:58 -0700 +Subject: drm/msm: Expose our reservation object when exporting a dmabuf. + +From: Eric Anholt + +commit 43523eba79bda8f5b4c27f8ffe20ea078d20113a upstream. + +Without this, polling on the dma-buf (and presumably other devices +synchronizing against our rendering) would return immediately, even +while the BO was busy. + +Signed-off-by: Eric Anholt +Reviewed-by: Daniel Vetter +Cc: Rob Clark +Cc: linux-arm-msm@vger.kernel.org +Cc: freedreno@lists.freedesktop.org +Reviewed-by: Rob Clark +Signed-off-by: Rob Clark +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/msm/msm_drv.c | 1 + + drivers/gpu/drm/msm/msm_drv.h | 1 + + drivers/gpu/drm/msm/msm_gem_prime.c | 7 +++++++ + 3 files changed, 9 insertions(+) + +--- a/drivers/gpu/drm/msm/msm_drv.c ++++ b/drivers/gpu/drm/msm/msm_drv.c +@@ -986,6 +986,7 @@ static struct drm_driver msm_driver = { + .prime_fd_to_handle = drm_gem_prime_fd_to_handle, + .gem_prime_export = drm_gem_prime_export, + .gem_prime_import = drm_gem_prime_import, ++ .gem_prime_res_obj = msm_gem_prime_res_obj, + .gem_prime_pin = msm_gem_prime_pin, + .gem_prime_unpin = msm_gem_prime_unpin, + .gem_prime_get_sg_table = msm_gem_prime_get_sg_table, +--- a/drivers/gpu/drm/msm/msm_drv.h ++++ b/drivers/gpu/drm/msm/msm_drv.h +@@ -212,6 +212,7 @@ struct sg_table *msm_gem_prime_get_sg_ta + void *msm_gem_prime_vmap(struct drm_gem_object *obj); + void msm_gem_prime_vunmap(struct drm_gem_object *obj, void *vaddr); + int msm_gem_prime_mmap(struct drm_gem_object *obj, struct vm_area_struct *vma); ++struct reservation_object *msm_gem_prime_res_obj(struct drm_gem_object *obj); + struct drm_gem_object *msm_gem_prime_import_sg_table(struct drm_device *dev, + struct dma_buf_attachment *attach, struct sg_table *sg); + int msm_gem_prime_pin(struct drm_gem_object *obj); +--- a/drivers/gpu/drm/msm/msm_gem_prime.c ++++ b/drivers/gpu/drm/msm/msm_gem_prime.c +@@ -70,3 +70,10 @@ void msm_gem_prime_unpin(struct drm_gem_ + if (!obj->import_attach) + msm_gem_put_pages(obj); + } ++ ++struct reservation_object *msm_gem_prime_res_obj(struct drm_gem_object *obj) ++{ ++ struct msm_gem_object *msm_obj = to_msm_bo(obj); ++ ++ return msm_obj->resv; ++} diff --git a/queue-4.4/ext4-fix-fdatasync-2-after-extent-manipulation-operations.patch b/queue-4.4/ext4-fix-fdatasync-2-after-extent-manipulation-operations.patch new file mode 100644 index 00000000000..52edbddb285 --- /dev/null +++ b/queue-4.4/ext4-fix-fdatasync-2-after-extent-manipulation-operations.patch @@ -0,0 +1,68 @@ +From 67a7d5f561f469ad2fa5154d2888258ab8e6df7c Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 29 May 2017 13:24:55 -0400 +Subject: ext4: fix fdatasync(2) after extent manipulation operations + +From: Jan Kara + +commit 67a7d5f561f469ad2fa5154d2888258ab8e6df7c upstream. + +Currently, extent manipulation operations such as hole punch, range +zeroing, or extent shifting do not record the fact that file data has +changed and thus fdatasync(2) has a work to do. As a result if we crash +e.g. after a punch hole and fdatasync, user can still possibly see the +punched out data after journal replay. Test generic/392 fails due to +these problems. + +Fix the problem by properly marking that file data has changed in these +operations. + +Fixes: a4bb6b64e39abc0e41ca077725f2a72c868e7622 +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/extents.c | 5 +++++ + fs/ext4/inode.c | 2 ++ + 2 files changed, 7 insertions(+) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -4902,6 +4902,8 @@ static long ext4_zero_range(struct file + + /* Zero out partial block at the edges of the range */ + ret = ext4_zero_partial_blocks(handle, inode, offset, len); ++ if (ret >= 0) ++ ext4_update_inode_fsync_trans(handle, inode, 1); + + if (file->f_flags & O_SYNC) + ext4_handle_sync(handle); +@@ -5597,6 +5599,7 @@ int ext4_collapse_range(struct inode *in + ext4_handle_sync(handle); + inode->i_mtime = inode->i_ctime = ext4_current_time(inode); + ext4_mark_inode_dirty(handle, inode); ++ ext4_update_inode_fsync_trans(handle, inode, 1); + + out_stop: + ext4_journal_stop(handle); +@@ -5770,6 +5773,8 @@ int ext4_insert_range(struct inode *inod + up_write(&EXT4_I(inode)->i_data_sem); + if (IS_SYNC(inode)) + ext4_handle_sync(handle); ++ if (ret >= 0) ++ ext4_update_inode_fsync_trans(handle, inode, 1); + + out_stop: + ext4_journal_stop(handle); +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -3793,6 +3793,8 @@ int ext4_punch_hole(struct inode *inode, + + inode->i_mtime = inode->i_ctime = ext4_current_time(inode); + ext4_mark_inode_dirty(handle, inode); ++ if (ret >= 0) ++ ext4_update_inode_fsync_trans(handle, inode, 1); + out_stop: + ext4_journal_stop(handle); + out_dio: diff --git a/queue-4.4/ext4-fix-seek_hole.patch b/queue-4.4/ext4-fix-seek_hole.patch new file mode 100644 index 00000000000..dfec92de692 --- /dev/null +++ b/queue-4.4/ext4-fix-seek_hole.patch @@ -0,0 +1,143 @@ +From 7d95eddf313c88b24f99d4ca9c2411a4b82fef33 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Sun, 21 May 2017 22:33:23 -0400 +Subject: ext4: fix SEEK_HOLE + +From: Jan Kara + +commit 7d95eddf313c88b24f99d4ca9c2411a4b82fef33 upstream. + +Currently, SEEK_HOLE implementation in ext4 may both return that there's +a hole at some offset although that offset already has data and skip +some holes during a search for the next hole. The first problem is +demostrated by: + +xfs_io -c "falloc 0 256k" -c "pwrite 0 56k" -c "seek -h 0" file +wrote 57344/57344 bytes at offset 0 +56 KiB, 14 ops; 0.0000 sec (2.054 GiB/sec and 538461.5385 ops/sec) +Whence Result +HOLE 0 + +Where we can see that SEEK_HOLE wrongly returned offset 0 as containing +a hole although we have written data there. The second problem can be +demonstrated by: + +xfs_io -c "falloc 0 256k" -c "pwrite 0 56k" -c "pwrite 128k 8k" + -c "seek -h 0" file + +wrote 57344/57344 bytes at offset 0 +56 KiB, 14 ops; 0.0000 sec (1.978 GiB/sec and 518518.5185 ops/sec) +wrote 8192/8192 bytes at offset 131072 +8 KiB, 2 ops; 0.0000 sec (2 GiB/sec and 500000.0000 ops/sec) +Whence Result +HOLE 139264 + +Where we can see that hole at offsets 56k..128k has been ignored by the +SEEK_HOLE call. + +The underlying problem is in the ext4_find_unwritten_pgoff() which is +just buggy. In some cases it fails to update returned offset when it +finds a hole (when no pages are found or when the first found page has +higher index than expected), in some cases conditions for detecting hole +are just missing (we fail to detect a situation where indices of +returned pages are not contiguous). + +Fix ext4_find_unwritten_pgoff() to properly detect non-contiguous page +indices and also handle all cases where we got less pages then expected +in one place and handle it properly there. + +Fixes: c8c0df241cc2719b1262e627f999638411934f60 +CC: Zheng Liu +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/file.c | 50 ++++++++++++++------------------------------------ + 1 file changed, 14 insertions(+), 36 deletions(-) + +--- a/fs/ext4/file.c ++++ b/fs/ext4/file.c +@@ -463,47 +463,27 @@ static int ext4_find_unwritten_pgoff(str + num = min_t(pgoff_t, end - index, PAGEVEC_SIZE); + nr_pages = pagevec_lookup(&pvec, inode->i_mapping, index, + (pgoff_t)num); +- if (nr_pages == 0) { +- if (whence == SEEK_DATA) +- break; +- +- BUG_ON(whence != SEEK_HOLE); +- /* +- * If this is the first time to go into the loop and +- * offset is not beyond the end offset, it will be a +- * hole at this offset +- */ +- if (lastoff == startoff || lastoff < endoff) +- found = 1; ++ if (nr_pages == 0) + break; +- } +- +- /* +- * If this is the first time to go into the loop and +- * offset is smaller than the first page offset, it will be a +- * hole at this offset. +- */ +- if (lastoff == startoff && whence == SEEK_HOLE && +- lastoff < page_offset(pvec.pages[0])) { +- found = 1; +- break; +- } + + for (i = 0; i < nr_pages; i++) { + struct page *page = pvec.pages[i]; + struct buffer_head *bh, *head; + + /* +- * If the current offset is not beyond the end of given +- * range, it will be a hole. ++ * If current offset is smaller than the page offset, ++ * there is a hole at this offset. + */ +- if (lastoff < endoff && whence == SEEK_HOLE && +- page->index > end) { ++ if (whence == SEEK_HOLE && lastoff < endoff && ++ lastoff < page_offset(pvec.pages[i])) { + found = 1; + *offset = lastoff; + goto out; + } + ++ if (page->index > end) ++ goto out; ++ + lock_page(page); + + if (unlikely(page->mapping != inode->i_mapping)) { +@@ -543,20 +523,18 @@ static int ext4_find_unwritten_pgoff(str + unlock_page(page); + } + +- /* +- * The no. of pages is less than our desired, that would be a +- * hole in there. +- */ +- if (nr_pages < num && whence == SEEK_HOLE) { +- found = 1; +- *offset = lastoff; ++ /* The no. of pages is less than our desired, we are done. */ ++ if (nr_pages < num) + break; +- } + + index = pvec.pages[i - 1]->index + 1; + pagevec_release(&pvec); + } while (index <= end); + ++ if (whence == SEEK_HOLE && lastoff < endoff) { ++ found = 1; ++ *offset = lastoff; ++ } + out: + pagevec_release(&pvec); + return found; diff --git a/queue-4.4/ext4-keep-existing-extra-fields-when-inode-expands.patch b/queue-4.4/ext4-keep-existing-extra-fields-when-inode-expands.patch new file mode 100644 index 00000000000..0763a882d48 --- /dev/null +++ b/queue-4.4/ext4-keep-existing-extra-fields-when-inode-expands.patch @@ -0,0 +1,35 @@ +From 887a9730614727c4fff7cb756711b190593fc1df Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Sun, 21 May 2017 22:36:23 -0400 +Subject: ext4: keep existing extra fields when inode expands + +From: Konstantin Khlebnikov + +commit 887a9730614727c4fff7cb756711b190593fc1df upstream. + +ext4_expand_extra_isize() should clear only space between old and new +size. + +Fixes: 6dd4ee7cab7e # v2.6.23 +Signed-off-by: Konstantin Khlebnikov +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5162,8 +5162,9 @@ static int ext4_expand_extra_isize(struc + /* No extended attributes present */ + if (!ext4_test_inode_state(inode, EXT4_STATE_XATTR) || + header->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC)) { +- memset((void *)raw_inode + EXT4_GOOD_OLD_INODE_SIZE, 0, +- new_extra_isize); ++ memset((void *)raw_inode + EXT4_GOOD_OLD_INODE_SIZE + ++ EXT4_I(inode)->i_extra_isize, 0, ++ new_extra_isize - EXT4_I(inode)->i_extra_isize); + EXT4_I(inode)->i_extra_isize = new_extra_isize; + return 0; + } diff --git a/queue-4.4/fix-ufs_isblockset.patch b/queue-4.4/fix-ufs_isblockset.patch new file mode 100644 index 00000000000..19e8f6e3b08 --- /dev/null +++ b/queue-4.4/fix-ufs_isblockset.patch @@ -0,0 +1,41 @@ +From 414cf7186dbec29bd946c138d6b5c09da5955a08 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 8 Jun 2017 18:15:18 -0400 +Subject: fix ufs_isblockset() + +From: Al Viro + +commit 414cf7186dbec29bd946c138d6b5c09da5955a08 upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ufs/util.h | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/fs/ufs/util.h ++++ b/fs/ufs/util.h +@@ -473,15 +473,19 @@ static inline unsigned _ubh_find_last_ze + static inline int _ubh_isblockset_(struct ufs_sb_private_info * uspi, + struct ufs_buffer_head * ubh, unsigned begin, unsigned block) + { ++ u8 mask; + switch (uspi->s_fpb) { + case 8: + return (*ubh_get_addr (ubh, begin + block) == 0xff); + case 4: +- return (*ubh_get_addr (ubh, begin + (block >> 1)) == (0x0f << ((block & 0x01) << 2))); ++ mask = 0x0f << ((block & 0x01) << 2); ++ return (*ubh_get_addr (ubh, begin + (block >> 1)) & mask) == mask; + case 2: +- return (*ubh_get_addr (ubh, begin + (block >> 2)) == (0x03 << ((block & 0x03) << 1))); ++ mask = 0x03 << ((block & 0x03) << 1); ++ return (*ubh_get_addr (ubh, begin + (block >> 2)) & mask) == mask; + case 1: +- return (*ubh_get_addr (ubh, begin + (block >> 3)) == (0x01 << (block & 0x07))); ++ mask = 0x01 << (block & 0x07); ++ return (*ubh_get_addr (ubh, begin + (block >> 3)) & mask) == mask; + } + return 0; + } diff --git a/queue-4.4/iio-light-ltr501-fix-interchanged-als-ps-register-field.patch b/queue-4.4/iio-light-ltr501-fix-interchanged-als-ps-register-field.patch new file mode 100644 index 00000000000..017091aa15f --- /dev/null +++ b/queue-4.4/iio-light-ltr501-fix-interchanged-als-ps-register-field.patch @@ -0,0 +1,42 @@ +From 7cc3bff4efe6164a0c8163331c8aa55454799f42 Mon Sep 17 00:00:00 2001 +From: Franziska Naepelt +Date: Wed, 17 May 2017 12:41:19 +0200 +Subject: iio: light: ltr501 Fix interchanged als/ps register field + +From: Franziska Naepelt + +commit 7cc3bff4efe6164a0c8163331c8aa55454799f42 upstream. + +The register mapping for the IIO driver for the Liteon Light and Proximity +sensor LTR501 interrupt mode is interchanged (ALS/PS). +There is a register called INTERRUPT register (address 0x8F) +Bit 0 represents PS measurement trigger. +Bit 1 represents ALS measurement trigger. +This two bit fields are interchanged within the driver. +see datasheet page 24: +http://optoelectronics.liteon.com/upload/download/DS86-2012-0006/S_110_LTR-501ALS-01_PrelimDS_ver1%5B1%5D.pdf + +Signed-off-by: Franziska Naepelt +Fixes: 7ac702b3144b6 ("iio: ltr501: Add interrupt support") +Acked-by: Peter Meerwald-Stadler +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/light/ltr501.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/light/ltr501.c ++++ b/drivers/iio/light/ltr501.c +@@ -74,9 +74,9 @@ static const int int_time_mapping[] = {1 + static const struct reg_field reg_field_it = + REG_FIELD(LTR501_ALS_MEAS_RATE, 3, 4); + static const struct reg_field reg_field_als_intr = +- REG_FIELD(LTR501_INTR, 0, 0); +-static const struct reg_field reg_field_ps_intr = + REG_FIELD(LTR501_INTR, 1, 1); ++static const struct reg_field reg_field_ps_intr = ++ REG_FIELD(LTR501_INTR, 0, 0); + static const struct reg_field reg_field_als_rate = + REG_FIELD(LTR501_ALS_MEAS_RATE, 0, 2); + static const struct reg_field reg_field_ps_rate = diff --git a/queue-4.4/iio-proximity-as3935-fix-as3935_int-mask.patch b/queue-4.4/iio-proximity-as3935-fix-as3935_int-mask.patch new file mode 100644 index 00000000000..aba5c11a6c0 --- /dev/null +++ b/queue-4.4/iio-proximity-as3935-fix-as3935_int-mask.patch @@ -0,0 +1,36 @@ +From 275292d3a3d62670b1b13484707b74e5239b4bb0 Mon Sep 17 00:00:00 2001 +From: Matt Ranostay +Date: Thu, 27 Apr 2017 00:52:32 -0700 +Subject: iio: proximity: as3935: fix AS3935_INT mask + +From: Matt Ranostay + +commit 275292d3a3d62670b1b13484707b74e5239b4bb0 upstream. + +AS3935 interrupt mask has been incorrect so valid lightning events +would never trigger an buffer event. Also noise interrupt should be +BIT(0). + +Fixes: 24ddb0e4bba4 ("iio: Add AS3935 lightning sensor support") +Signed-off-by: Matt Ranostay +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/proximity/as3935.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/proximity/as3935.c ++++ b/drivers/iio/proximity/as3935.c +@@ -40,9 +40,9 @@ + #define AS3935_AFE_PWR_BIT BIT(0) + + #define AS3935_INT 0x03 +-#define AS3935_INT_MASK 0x07 ++#define AS3935_INT_MASK 0x0f + #define AS3935_EVENT_INT BIT(3) +-#define AS3935_NOISE_INT BIT(1) ++#define AS3935_NOISE_INT BIT(0) + + #define AS3935_DATA 0x07 + #define AS3935_DATA_MASK 0x3F diff --git a/queue-4.4/input-elantech-add-fujitsu-lifebook-e546-e557-to-force-crc_enabled.patch b/queue-4.4/input-elantech-add-fujitsu-lifebook-e546-e557-to-force-crc_enabled.patch new file mode 100644 index 00000000000..3e9330e7c7a --- /dev/null +++ b/queue-4.4/input-elantech-add-fujitsu-lifebook-e546-e557-to-force-crc_enabled.patch @@ -0,0 +1,66 @@ +From 47eb0c8b4d9eb6368941c6a9bb443f00847a46d7 Mon Sep 17 00:00:00 2001 +From: Ulrik De Bie +Date: Wed, 7 Jun 2017 10:30:57 -0700 +Subject: Input: elantech - add Fujitsu Lifebook E546/E557 to force crc_enabled + +From: Ulrik De Bie + +commit 47eb0c8b4d9eb6368941c6a9bb443f00847a46d7 upstream. + +The Lifebook E546 and E557 touchpad were also not functioning and +worked after running: + + echo "1" > /sys/devices/platform/i8042/serio2/crc_enabled + +Add them to the list of machines that need this workaround. + +Signed-off-by: Ulrik De Bie +Reviewed-by: Arjan Opmeer +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/elantech.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -1122,8 +1122,10 @@ static int elantech_get_resolution_v4(st + * Asus UX32VD 0x361f02 00, 15, 0e clickpad + * Avatar AVIU-145A2 0x361f00 ? clickpad + * Fujitsu LIFEBOOK E544 0x470f00 d0, 12, 09 2 hw buttons ++ * Fujitsu LIFEBOOK E546 0x470f00 50, 12, 09 2 hw buttons + * Fujitsu LIFEBOOK E547 0x470f00 50, 12, 09 2 hw buttons + * Fujitsu LIFEBOOK E554 0x570f01 40, 14, 0c 2 hw buttons ++ * Fujitsu LIFEBOOK E557 0x570f01 40, 14, 0c 2 hw buttons + * Fujitsu T725 0x470f01 05, 12, 09 2 hw buttons + * Fujitsu H730 0x570f00 c0, 14, 0c 3 hw buttons (**) + * Gigabyte U2442 0x450f01 58, 17, 0c 2 hw buttons +@@ -1529,6 +1531,13 @@ static const struct dmi_system_id elante + }, + }, + { ++ /* Fujitsu LIFEBOOK E546 does not work with crc_enabled == 0 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK E546"), ++ }, ++ }, ++ { + /* Fujitsu LIFEBOOK E547 does not work with crc_enabled == 0 */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), +@@ -1550,6 +1559,13 @@ static const struct dmi_system_id elante + }, + }, + { ++ /* Fujitsu LIFEBOOK E557 does not work with crc_enabled == 0 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK E557"), ++ }, ++ }, ++ { + /* Fujitsu LIFEBOOK U745 does not work with crc_enabled == 0 */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), diff --git a/queue-4.4/random-properly-align-get_random_int_hash.patch b/queue-4.4/random-properly-align-get_random_int_hash.patch new file mode 100644 index 00000000000..64c12c069e8 --- /dev/null +++ b/queue-4.4/random-properly-align-get_random_int_hash.patch @@ -0,0 +1,40 @@ +From b1132deac01c2332d234fa821a70022796b79182 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Wed, 4 May 2016 21:08:39 -0400 +Subject: random: properly align get_random_int_hash + +From: Eric Biggers + +commit b1132deac01c2332d234fa821a70022796b79182 upstream. + +get_random_long() reads from the get_random_int_hash array using an +unsigned long pointer. For this code to be guaranteed correct on all +architectures, the array must be aligned to an unsigned long boundary. + +Signed-off-by: Eric Biggers +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/random.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1798,13 +1798,15 @@ int random_int_secret_init(void) + return 0; + } + ++static DEFINE_PER_CPU(__u32 [MD5_DIGEST_WORDS], get_random_int_hash) ++ __aligned(sizeof(unsigned long)); ++ + /* + * Get a random word for internal kernel use only. Similar to urandom but + * with the goal of minimal entropy pool depletion. As a result, the random + * value is not cryptographically secure but for several uses the cost of + * depleting entropy is too high + */ +-static DEFINE_PER_CPU(__u32 [MD5_DIGEST_WORDS], get_random_int_hash); + unsigned int get_random_int(void) + { + __u32 *hash; diff --git a/queue-4.4/series b/queue-4.4/series index 66c54357617..7c22fb44ed0 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -28,3 +28,35 @@ kvm-async_pf-fix-rcu_irq_enter-with-irqs-enabled.patch kvm-cpuid-fix-read-write-out-of-bounds-vulnerability-in-cpuid-emulation.patch arm-kvm-allow-unaligned-accesses-at-hyp.patch kvm-async_pf-avoid-async-pf-injection-when-in-guest-mode.patch +dmaengine-usb-dmac-fix-dmaor-ae-bit-definition.patch +dmaengine-ep93xx-always-start-from-base0.patch +dmaengine-ep93xx-don-t-drain-the-transfers-in-terminate_all.patch +xen-privcmd-support-correctly-64kb-page-granularity-when-mapping-memory.patch +xen-netfront-do-not-cast-grant-table-reference-to-signed-short.patch +xen-netfront-cast-grant-table-reference-first-to-type-int.patch +ext4-fix-seek_hole.patch +ext4-keep-existing-extra-fields-when-inode-expands.patch +ext4-fix-fdatasync-2-after-extent-manipulation-operations.patch +usb-gadget-f_mass_storage-serialize-wake-and-sleep-execution.patch +usb-chipidea-udc-fix-null-pointer-dereference-if-udc_start-failed.patch +usb-chipidea-debug-check-before-accessing-ci_role.patch +staging-lustre-lov-remove-set_fs-call-from-lov_getstripe.patch +iio-light-ltr501-fix-interchanged-als-ps-register-field.patch +iio-proximity-as3935-fix-as3935_int-mask.patch +drivers-char-random-add-get_random_long.patch +random-properly-align-get_random_int_hash.patch +stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch +cpufreq-cpufreq_register_driver-should-return-enodev-if-init-fails.patch +target-re-add-check-to-reject-control-writes-with-overflow-data.patch +drm-msm-expose-our-reservation-object-when-exporting-a-dmabuf.patch +input-elantech-add-fujitsu-lifebook-e546-e557-to-force-crc_enabled.patch +cpuset-consider-dying-css-as-offline.patch +ufs-restore-proper-tail-allocation.patch +fix-ufs_isblockset.patch +ufs-restore-maintaining-i_blocks.patch +ufs-set-correct-s_maxsize.patch +ufs_extend_tail-fix-the-braino-in-calling-conventions-of-ufs_new_fragments.patch +ufs_getfrag_block-we-only-grab-truncate_mutex-on-block-creation-path.patch +cxl-fix-error-path-on-bad-ioctl.patch +btrfs-use-correct-types-for-page-indices-in-btrfs_page_exists_in_range.patch +btrfs-fix-memory-leak-in-update_space_info-failure-path.patch diff --git a/queue-4.4/stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch b/queue-4.4/stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch new file mode 100644 index 00000000000..c17465a3063 --- /dev/null +++ b/queue-4.4/stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch @@ -0,0 +1,41 @@ +From 5ea30e4e58040cfd6434c2f33dc3ea76e2c15b05 Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Thu, 4 May 2017 09:32:09 -0400 +Subject: stackprotector: Increase the per-task stack canary's random range from 32 bits to 64 bits on 64-bit platforms + +From: Daniel Micay + +commit 5ea30e4e58040cfd6434c2f33dc3ea76e2c15b05 upstream. + +The stack canary is an 'unsigned long' and should be fully initialized to +random data rather than only 32 bits of random data. + +Signed-off-by: Daniel Micay +Acked-by: Arjan van de Ven +Acked-by: Rik van Riel +Acked-by: Kees Cook +Cc: Arjan van Ven +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: kernel-hardening@lists.openwall.com +Cc: stable@vger.kernel.org +Link: http://lkml.kernel.org/r/20170504133209.3053-1-danielmicay@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/fork.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -368,7 +368,7 @@ static struct task_struct *dup_task_stru + set_task_stack_end_magic(tsk); + + #ifdef CONFIG_CC_STACKPROTECTOR +- tsk->stack_canary = get_random_int(); ++ tsk->stack_canary = get_random_long(); + #endif + + /* diff --git a/queue-4.4/staging-lustre-lov-remove-set_fs-call-from-lov_getstripe.patch b/queue-4.4/staging-lustre-lov-remove-set_fs-call-from-lov_getstripe.patch new file mode 100644 index 00000000000..b9260aba114 --- /dev/null +++ b/queue-4.4/staging-lustre-lov-remove-set_fs-call-from-lov_getstripe.patch @@ -0,0 +1,58 @@ +From 0a33252e060e97ed3fbdcec9517672f1e91aaef3 Mon Sep 17 00:00:00 2001 +From: Oleg Drokin +Date: Fri, 26 May 2017 23:40:33 -0400 +Subject: staging/lustre/lov: remove set_fs() call from lov_getstripe() + +From: Oleg Drokin + +commit 0a33252e060e97ed3fbdcec9517672f1e91aaef3 upstream. + +lov_getstripe() calls set_fs(KERNEL_DS) so that it can handle a struct +lov_user_md pointer from user- or kernel-space. This changes the +behavior of copy_from_user() on SPARC and may result in a misaligned +access exception which in turn oopses the kernel. In fact the +relevant argument to lov_getstripe() is never called with a +kernel-space pointer and so changing the address limits is unnecessary +and so we remove the calls to save, set, and restore the address +limits. + +Signed-off-by: John L. Hammond +Reviewed-on: http://review.whamcloud.com/6150 +Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-3221 +Reviewed-by: Andreas Dilger +Reviewed-by: Li Wei +Signed-off-by: Oleg Drokin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/lustre/lustre/lov/lov_pack.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/drivers/staging/lustre/lustre/lov/lov_pack.c ++++ b/drivers/staging/lustre/lustre/lov/lov_pack.c +@@ -399,18 +399,10 @@ int lov_getstripe(struct obd_export *exp + struct lov_mds_md *lmmk = NULL; + int rc, lmm_size; + int lum_size; +- mm_segment_t seg; + + if (!lsm) + return -ENODATA; + +- /* +- * "Switch to kernel segment" to allow copying from kernel space by +- * copy_{to,from}_user(). +- */ +- seg = get_fs(); +- set_fs(KERNEL_DS); +- + /* we only need the header part from user space to get lmm_magic and + * lmm_stripe_count, (the header part is common to v1 and v3) */ + lum_size = sizeof(struct lov_user_md_v1); +@@ -485,6 +477,5 @@ int lov_getstripe(struct obd_export *exp + + obd_free_diskmd(exp, &lmmk); + out_set: +- set_fs(seg); + return rc; + } diff --git a/queue-4.4/target-re-add-check-to-reject-control-writes-with-overflow-data.patch b/queue-4.4/target-re-add-check-to-reject-control-writes-with-overflow-data.patch new file mode 100644 index 00000000000..a856f3f8481 --- /dev/null +++ b/queue-4.4/target-re-add-check-to-reject-control-writes-with-overflow-data.patch @@ -0,0 +1,73 @@ +From 4ff83daa0200affe1894bd33d17bac404e3d78d4 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Thu, 11 May 2017 01:07:24 -0700 +Subject: target: Re-add check to reject control WRITEs with overflow data + +From: Nicholas Bellinger + +commit 4ff83daa0200affe1894bd33d17bac404e3d78d4 upstream. + +During v4.3 when the overflow/underflow check was relaxed by +commit c72c525022: + + commit c72c5250224d475614a00c1d7e54a67f77cd3410 + Author: Roland Dreier + Date: Wed Jul 22 15:08:18 2015 -0700 + + target: allow underflow/overflow for PR OUT etc. commands + +to allow underflow/overflow for Windows compliance + FCP, a +consequence was to allow control CDBs to process overflow +data for iscsi-target with immediate data as well. + +As per Roland's original change, continue to allow underflow +cases for control CDBs to make Windows compliance + FCP happy, +but until overflow for control CDBs is supported tree-wide, +explicitly reject all control WRITEs with overflow following +pre v4.3.y logic. + +Reported-by: Bart Van Assche +Cc: Roland Dreier +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_transport.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -1154,15 +1154,28 @@ target_cmd_size_check(struct se_cmd *cmd + if (cmd->unknown_data_length) { + cmd->data_length = size; + } else if (size != cmd->data_length) { +- pr_warn("TARGET_CORE[%s]: Expected Transfer Length:" ++ pr_warn_ratelimited("TARGET_CORE[%s]: Expected Transfer Length:" + " %u does not match SCSI CDB Length: %u for SAM Opcode:" + " 0x%02x\n", cmd->se_tfo->get_fabric_name(), + cmd->data_length, size, cmd->t_task_cdb[0]); + +- if (cmd->data_direction == DMA_TO_DEVICE && +- cmd->se_cmd_flags & SCF_SCSI_DATA_CDB) { +- pr_err("Rejecting underflow/overflow WRITE data\n"); +- return TCM_INVALID_CDB_FIELD; ++ if (cmd->data_direction == DMA_TO_DEVICE) { ++ if (cmd->se_cmd_flags & SCF_SCSI_DATA_CDB) { ++ pr_err_ratelimited("Rejecting underflow/overflow" ++ " for WRITE data CDB\n"); ++ return TCM_INVALID_CDB_FIELD; ++ } ++ /* ++ * Some fabric drivers like iscsi-target still expect to ++ * always reject overflow writes. Reject this case until ++ * full fabric driver level support for overflow writes ++ * is introduced tree-wide. ++ */ ++ if (size > cmd->data_length) { ++ pr_err_ratelimited("Rejecting overflow for" ++ " WRITE control CDB\n"); ++ return TCM_INVALID_CDB_FIELD; ++ } + } + /* + * Reject READ_* or WRITE_* with overflow/underflow for diff --git a/queue-4.4/ufs-restore-maintaining-i_blocks.patch b/queue-4.4/ufs-restore-maintaining-i_blocks.patch new file mode 100644 index 00000000000..0f138b925d5 --- /dev/null +++ b/queue-4.4/ufs-restore-maintaining-i_blocks.patch @@ -0,0 +1,104 @@ +From eb315d2ae614493fd1ebb026c75a80573d84f7ad Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 8 Jun 2017 21:15:03 -0400 +Subject: ufs: restore maintaining ->i_blocks + +From: Al Viro + +commit eb315d2ae614493fd1ebb026c75a80573d84f7ad upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/stat.c | 1 + + fs/ufs/balloc.c | 26 +++++++++++++++++++++++++- + 2 files changed, 26 insertions(+), 1 deletion(-) + +--- a/fs/stat.c ++++ b/fs/stat.c +@@ -454,6 +454,7 @@ void __inode_add_bytes(struct inode *ino + inode->i_bytes -= 512; + } + } ++EXPORT_SYMBOL(__inode_add_bytes); + + void inode_add_bytes(struct inode *inode, loff_t bytes) + { +--- a/fs/ufs/balloc.c ++++ b/fs/ufs/balloc.c +@@ -81,7 +81,8 @@ void ufs_free_fragments(struct inode *in + ufs_error (sb, "ufs_free_fragments", + "bit already cleared for fragment %u", i); + } +- ++ ++ inode_sub_bytes(inode, count << uspi->s_fshift); + fs32_add(sb, &ucg->cg_cs.cs_nffree, count); + uspi->cs_total.cs_nffree += count; + fs32_add(sb, &UFS_SB(sb)->fs_cs(cgno).cs_nffree, count); +@@ -183,6 +184,7 @@ do_more: + ufs_error(sb, "ufs_free_blocks", "freeing free fragment"); + } + ubh_setblock(UCPI_UBH(ucpi), ucpi->c_freeoff, blkno); ++ inode_sub_bytes(inode, uspi->s_fpb << uspi->s_fshift); + if ((UFS_SB(sb)->s_flags & UFS_CG_MASK) == UFS_CG_44BSD) + ufs_clusteracct (sb, ucpi, blkno, 1); + +@@ -494,6 +496,20 @@ u64 ufs_new_fragments(struct inode *inod + return 0; + } + ++static bool try_add_frags(struct inode *inode, unsigned frags) ++{ ++ unsigned size = frags * i_blocksize(inode); ++ spin_lock(&inode->i_lock); ++ __inode_add_bytes(inode, size); ++ if (unlikely((u32)inode->i_blocks != inode->i_blocks)) { ++ __inode_sub_bytes(inode, size); ++ spin_unlock(&inode->i_lock); ++ return false; ++ } ++ spin_unlock(&inode->i_lock); ++ return true; ++} ++ + static u64 ufs_add_fragments(struct inode *inode, u64 fragment, + unsigned oldcount, unsigned newcount) + { +@@ -530,6 +546,9 @@ static u64 ufs_add_fragments(struct inod + for (i = oldcount; i < newcount; i++) + if (ubh_isclr (UCPI_UBH(ucpi), ucpi->c_freeoff, fragno + i)) + return 0; ++ ++ if (!try_add_frags(inode, count)) ++ return 0; + /* + * Block can be extended + */ +@@ -647,6 +666,7 @@ cg_found: + ubh_setbit (UCPI_UBH(ucpi), ucpi->c_freeoff, goal + i); + i = uspi->s_fpb - count; + ++ inode_sub_bytes(inode, i << uspi->s_fshift); + fs32_add(sb, &ucg->cg_cs.cs_nffree, i); + uspi->cs_total.cs_nffree += i; + fs32_add(sb, &UFS_SB(sb)->fs_cs(cgno).cs_nffree, i); +@@ -657,6 +677,8 @@ cg_found: + result = ufs_bitmap_search (sb, ucpi, goal, allocsize); + if (result == INVBLOCK) + return 0; ++ if (!try_add_frags(inode, count)) ++ return 0; + for (i = 0; i < count; i++) + ubh_clrbit (UCPI_UBH(ucpi), ucpi->c_freeoff, result + i); + +@@ -716,6 +738,8 @@ norot: + return INVBLOCK; + ucpi->c_rotor = result; + gotit: ++ if (!try_add_frags(inode, uspi->s_fpb)) ++ return 0; + blkno = ufs_fragstoblks(result); + ubh_clrblock (UCPI_UBH(ucpi), ucpi->c_freeoff, blkno); + if ((UFS_SB(sb)->s_flags & UFS_CG_MASK) == UFS_CG_44BSD) diff --git a/queue-4.4/ufs-restore-proper-tail-allocation.patch b/queue-4.4/ufs-restore-proper-tail-allocation.patch new file mode 100644 index 00000000000..c857c9d5cd4 --- /dev/null +++ b/queue-4.4/ufs-restore-proper-tail-allocation.patch @@ -0,0 +1,27 @@ +From 8785d84d002c2ce0f68fbcd6c2c86be859802c7e Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 8 Jun 2017 02:42:03 -0400 +Subject: ufs: restore proper tail allocation + +From: Al Viro + +commit 8785d84d002c2ce0f68fbcd6c2c86be859802c7e upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ufs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ufs/inode.c ++++ b/fs/ufs/inode.c +@@ -284,7 +284,7 @@ ufs_inode_getfrag(struct inode *inode, u + goal += uspi->s_fpb; + } + tmp = ufs_new_fragments(inode, p, ufs_blknum(new_fragment), +- goal, uspi->s_fpb, err, locked_page); ++ goal, nfrags, err, locked_page); + + if (!tmp) { + *err = -ENOSPC; diff --git a/queue-4.4/ufs-set-correct-s_maxsize.patch b/queue-4.4/ufs-set-correct-s_maxsize.patch new file mode 100644 index 00000000000..3cf60397429 --- /dev/null +++ b/queue-4.4/ufs-set-correct-s_maxsize.patch @@ -0,0 +1,50 @@ +From 6b0d144fa758869bdd652c50aa41aaf601232550 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 8 Jun 2017 21:15:45 -0400 +Subject: ufs: set correct ->s_maxsize + +From: Al Viro + +commit 6b0d144fa758869bdd652c50aa41aaf601232550 upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ufs/super.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/fs/ufs/super.c ++++ b/fs/ufs/super.c +@@ -746,6 +746,23 @@ static void ufs_put_super(struct super_b + return; + } + ++static u64 ufs_max_bytes(struct super_block *sb) ++{ ++ struct ufs_sb_private_info *uspi = UFS_SB(sb)->s_uspi; ++ int bits = uspi->s_apbshift; ++ u64 res; ++ ++ if (bits > 21) ++ res = ~0ULL; ++ else ++ res = UFS_NDADDR + (1LL << bits) + (1LL << (2*bits)) + ++ (1LL << (3*bits)); ++ ++ if (res >= (MAX_LFS_FILESIZE >> uspi->s_bshift)) ++ return MAX_LFS_FILESIZE; ++ return res << uspi->s_bshift; ++} ++ + static int ufs_fill_super(struct super_block *sb, void *data, int silent) + { + struct ufs_sb_info * sbi; +@@ -1212,6 +1229,7 @@ magic_found: + "fast symlink size (%u)\n", uspi->s_maxsymlinklen); + uspi->s_maxsymlinklen = maxsymlen; + } ++ sb->s_maxbytes = ufs_max_bytes(sb); + sb->s_max_links = UFS_LINK_MAX; + + inode = ufs_iget(sb, UFS_ROOTINO); diff --git a/queue-4.4/ufs_extend_tail-fix-the-braino-in-calling-conventions-of-ufs_new_fragments.patch b/queue-4.4/ufs_extend_tail-fix-the-braino-in-calling-conventions-of-ufs_new_fragments.patch new file mode 100644 index 00000000000..8f9c1ead761 --- /dev/null +++ b/queue-4.4/ufs_extend_tail-fix-the-braino-in-calling-conventions-of-ufs_new_fragments.patch @@ -0,0 +1,31 @@ +From 940ef1a0ed939c2ca029fca715e25e7778ce1e34 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 8 Jun 2017 23:27:12 -0400 +Subject: ufs_extend_tail(): fix the braino in calling conventions of ufs_new_fragments() + +From: Al Viro + +commit 940ef1a0ed939c2ca029fca715e25e7778ce1e34 upstream. + +... and it really needs splitting into "new" and "extend" cases, but that's for +later + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ufs/inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/ufs/inode.c ++++ b/fs/ufs/inode.c +@@ -235,7 +235,8 @@ ufs_extend_tail(struct inode *inode, u64 + + p = ufs_get_direct_data_ptr(uspi, ufsi, block); + tmp = ufs_new_fragments(inode, p, lastfrag, ufs_data_ptr_to_cpu(sb, p), +- new_size, err, locked_page); ++ new_size - (lastfrag & uspi->s_fpbmask), err, ++ locked_page); + return tmp != 0; + } + diff --git a/queue-4.4/ufs_getfrag_block-we-only-grab-truncate_mutex-on-block-creation-path.patch b/queue-4.4/ufs_getfrag_block-we-only-grab-truncate_mutex-on-block-creation-path.patch new file mode 100644 index 00000000000..0926fb5f5e3 --- /dev/null +++ b/queue-4.4/ufs_getfrag_block-we-only-grab-truncate_mutex-on-block-creation-path.patch @@ -0,0 +1,29 @@ +From 006351ac8ead0d4a67dd3845e3ceffe650a23212 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 8 Jun 2017 23:28:53 -0400 +Subject: ufs_getfrag_block(): we only grab ->truncate_mutex on block creation path + +From: Al Viro + +commit 006351ac8ead0d4a67dd3845e3ceffe650a23212 upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ufs/inode.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/ufs/inode.c ++++ b/fs/ufs/inode.c +@@ -403,7 +403,9 @@ static int ufs_getfrag_block(struct inod + + if (!create) { + phys64 = ufs_frag_map(inode, offsets, depth); +- goto out; ++ if (phys64) ++ map_bh(bh_result, sb, phys64 + frag); ++ return 0; + } + + /* This code entered only while writing ....? */ diff --git a/queue-4.4/usb-chipidea-debug-check-before-accessing-ci_role.patch b/queue-4.4/usb-chipidea-debug-check-before-accessing-ci_role.patch new file mode 100644 index 00000000000..98e91e4c818 --- /dev/null +++ b/queue-4.4/usb-chipidea-debug-check-before-accessing-ci_role.patch @@ -0,0 +1,31 @@ +From 0340ff83cd4475261e7474033a381bc125b45244 Mon Sep 17 00:00:00 2001 +From: Michael Thalmeier +Date: Thu, 18 May 2017 16:14:14 +0200 +Subject: usb: chipidea: debug: check before accessing ci_role + +From: Michael Thalmeier + +commit 0340ff83cd4475261e7474033a381bc125b45244 upstream. + +ci_role BUGs when the role is >= CI_ROLE_END. + +Signed-off-by: Michael Thalmeier +Signed-off-by: Peter Chen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/chipidea/debug.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/chipidea/debug.c ++++ b/drivers/usb/chipidea/debug.c +@@ -295,7 +295,8 @@ static int ci_role_show(struct seq_file + { + struct ci_hdrc *ci = s->private; + +- seq_printf(s, "%s\n", ci_role(ci)->name); ++ if (ci->role != CI_ROLE_END) ++ seq_printf(s, "%s\n", ci_role(ci)->name); + + return 0; + } diff --git a/queue-4.4/usb-chipidea-udc-fix-null-pointer-dereference-if-udc_start-failed.patch b/queue-4.4/usb-chipidea-udc-fix-null-pointer-dereference-if-udc_start-failed.patch new file mode 100644 index 00000000000..aae846cd0cf --- /dev/null +++ b/queue-4.4/usb-chipidea-udc-fix-null-pointer-dereference-if-udc_start-failed.patch @@ -0,0 +1,83 @@ +From aa1f058d7d9244423b8c5a75b9484b1115df7f02 Mon Sep 17 00:00:00 2001 +From: Jisheng Zhang +Date: Mon, 24 Apr 2017 12:35:51 +0000 +Subject: usb: chipidea: udc: fix NULL pointer dereference if udc_start failed + +From: Jisheng Zhang + +commit aa1f058d7d9244423b8c5a75b9484b1115df7f02 upstream. + +Fix below NULL pointer dereference. we set ci->roles[CI_ROLE_GADGET] +too early in ci_hdrc_gadget_init(), if udc_start() fails due to some +reason, the ci->roles[CI_ROLE_GADGET] check in ci_hdrc_gadget_destroy +can't protect us. + +We fix this issue by only setting ci->roles[CI_ROLE_GADGET] if +udc_start() succeed. + +[ 1.398550] Unable to handle kernel NULL pointer dereference at +virtual address 00000000 +... +[ 1.448600] PC is at dma_pool_free+0xb8/0xf0 +[ 1.453012] LR is at dma_pool_free+0x28/0xf0 +[ 2.113369] [] dma_pool_free+0xb8/0xf0 +[ 2.118857] [] destroy_eps+0x4c/0x68 +[ 2.124165] [] ci_hdrc_gadget_destroy+0x28/0x50 +[ 2.130461] [] ci_hdrc_probe+0x588/0x7e8 +[ 2.136129] [] platform_drv_probe+0x50/0xb8 +[ 2.142066] [] driver_probe_device+0x1fc/0x2a8 +[ 2.148270] [] __device_attach_driver+0x9c/0xf8 +[ 2.154563] [] bus_for_each_drv+0x58/0x98 +[ 2.160317] [] __device_attach+0xc4/0x138 +[ 2.166072] [] device_initial_probe+0x10/0x18 +[ 2.172185] [] bus_probe_device+0x94/0xa0 +[ 2.177940] [] device_add+0x3f0/0x560 +[ 2.183337] [] platform_device_add+0x180/0x240 +[ 2.189541] [] ci_hdrc_add_device+0x440/0x4f8 +[ 2.195654] [] ci_hdrc_usb2_probe+0x13c/0x2d8 +[ 2.201769] [] platform_drv_probe+0x50/0xb8 +[ 2.207705] [] driver_probe_device+0x1fc/0x2a8 +[ 2.213910] [] __driver_attach+0xac/0xb0 +[ 2.219575] [] bus_for_each_dev+0x60/0xa0 +[ 2.225329] [] driver_attach+0x20/0x28 +[ 2.230816] [] bus_add_driver+0x1d0/0x238 +[ 2.236571] [] driver_register+0x60/0xf8 +[ 2.242237] [] __platform_driver_register+0x44/0x50 +[ 2.248891] [] ci_hdrc_usb2_driver_init+0x18/0x20 +[ 2.255365] [] do_one_initcall+0x38/0x128 +[ 2.261121] [] kernel_init_freeable+0x1ac/0x250 +[ 2.267414] [] kernel_init+0x10/0x100 +[ 2.272810] [] ret_from_fork+0x10/0x50 + +Fixes: 3f124d233e97 ("usb: chipidea: add role init and destroy APIs") +Signed-off-by: Jisheng Zhang +Signed-off-by: Peter Chen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/chipidea/udc.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/usb/chipidea/udc.c ++++ b/drivers/usb/chipidea/udc.c +@@ -1982,6 +1982,7 @@ static void udc_id_switch_for_host(struc + int ci_hdrc_gadget_init(struct ci_hdrc *ci) + { + struct ci_role_driver *rdrv; ++ int ret; + + if (!hw_read(ci, CAP_DCCPARAMS, DCCPARAMS_DC)) + return -ENXIO; +@@ -1994,7 +1995,10 @@ int ci_hdrc_gadget_init(struct ci_hdrc * + rdrv->stop = udc_id_switch_for_host; + rdrv->irq = udc_irq; + rdrv->name = "gadget"; +- ci->roles[CI_ROLE_GADGET] = rdrv; + +- return udc_start(ci); ++ ret = udc_start(ci); ++ if (!ret) ++ ci->roles[CI_ROLE_GADGET] = rdrv; ++ ++ return ret; + } diff --git a/queue-4.4/usb-gadget-f_mass_storage-serialize-wake-and-sleep-execution.patch b/queue-4.4/usb-gadget-f_mass_storage-serialize-wake-and-sleep-execution.patch new file mode 100644 index 00000000000..c32ae685f85 --- /dev/null +++ b/queue-4.4/usb-gadget-f_mass_storage-serialize-wake-and-sleep-execution.patch @@ -0,0 +1,98 @@ +From dc9217b69dd6089dcfeb86ed4b3c671504326087 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Thu, 11 May 2017 17:26:48 -0700 +Subject: usb: gadget: f_mass_storage: Serialize wake and sleep execution + +From: Thinh Nguyen + +commit dc9217b69dd6089dcfeb86ed4b3c671504326087 upstream. + +f_mass_storage has a memorry barrier issue with the sleep and wake +functions that can cause a deadlock. This results in intermittent hangs +during MSC file transfer. The host will reset the device after receiving +no response to resume the transfer. This issue is seen when dwc3 is +processing 2 transfer-in-progress events at the same time, invoking +completion handlers for CSW and CBW. Also this issue occurs depending on +the system timing and latency. + +To increase the chance to hit this issue, you can force dwc3 driver to +wait and process those 2 events at once by adding a small delay (~100us) +in dwc3_check_event_buf() whenever the request is for CSW and read the +event count again. Avoid debugging with printk and ftrace as extra +delays and memory barrier will mask this issue. + +Scenario which can lead to failure: +----------------------------------- +1) The main thread sleeps and waits for the next command in + get_next_command(). +2) bulk_in_complete() wakes up main thread for CSW. +3) bulk_out_complete() tries to wake up the running main thread for CBW. +4) thread_wakeup_needed is not loaded with correct value in + sleep_thread(). +5) Main thread goes to sleep again. + +The pattern is shown below. Note the 2 critical variables. + * common->thread_wakeup_needed + * bh->state + + CPU 0 (sleep_thread) CPU 1 (wakeup_thread) + ============================== =============================== + + bh->state = BH_STATE_FULL; + smp_wmb(); + thread_wakeup_needed = 0; thread_wakeup_needed = 1; + smp_rmb(); + if (bh->state != BH_STATE_FULL) + sleep again ... + +As pointed out by Alan Stern, this is an R-pattern issue. The issue can +be seen when there are two wakeups in quick succession. The +thread_wakeup_needed can be overwritten in sleep_thread, and the read of +the bh->state maybe reordered before the write to thread_wakeup_needed. + +This patch applies full memory barrier smp_mb() in both sleep_thread() +and wakeup_thread() to ensure the order which the thread_wakeup_needed +and bh->state are written and loaded. + +However, a better solution in the future would be to use wait_queue +method that takes care of managing memory barrier between waker and +waiter. + +Acked-by: Alan Stern +Signed-off-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_mass_storage.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/function/f_mass_storage.c ++++ b/drivers/usb/gadget/function/f_mass_storage.c +@@ -399,7 +399,11 @@ static int fsg_set_halt(struct fsg_dev * + /* Caller must hold fsg->lock */ + static void wakeup_thread(struct fsg_common *common) + { +- smp_wmb(); /* ensure the write of bh->state is complete */ ++ /* ++ * Ensure the reading of thread_wakeup_needed ++ * and the writing of bh->state are completed ++ */ ++ smp_mb(); + /* Tell the main thread that something has happened */ + common->thread_wakeup_needed = 1; + if (common->thread_task) +@@ -630,7 +634,12 @@ static int sleep_thread(struct fsg_commo + } + __set_current_state(TASK_RUNNING); + common->thread_wakeup_needed = 0; +- smp_rmb(); /* ensure the latest bh->state is visible */ ++ ++ /* ++ * Ensure the writing of thread_wakeup_needed ++ * and the reading of bh->state are completed ++ */ ++ smp_mb(); + return rc; + } + diff --git a/queue-4.4/xen-netfront-cast-grant-table-reference-first-to-type-int.patch b/queue-4.4/xen-netfront-cast-grant-table-reference-first-to-type-int.patch new file mode 100644 index 00000000000..fdd2216f7d2 --- /dev/null +++ b/queue-4.4/xen-netfront-cast-grant-table-reference-first-to-type-int.patch @@ -0,0 +1,42 @@ +From 269ebce4531b8edc4224259a02143181a1c1d77c Mon Sep 17 00:00:00 2001 +From: Dongli Zhang +Date: Wed, 2 Nov 2016 09:04:33 +0800 +Subject: xen-netfront: cast grant table reference first to type int + +From: Dongli Zhang + +commit 269ebce4531b8edc4224259a02143181a1c1d77c upstream. + +IS_ERR_VALUE() in commit 87557efc27f6a50140fb20df06a917f368ce3c66 +("xen-netfront: do not cast grant table reference to signed short") would +not return true for error code unless we cast ref first to type int. + +Signed-off-by: Dongli Zhang +Signed-off-by: David S. Miller +Cc: Blake Cooper +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/xen-netfront.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -304,7 +304,7 @@ static void xennet_alloc_rx_buffers(stru + queue->rx_skbs[id] = skb; + + ref = gnttab_claim_grant_reference(&queue->gref_rx_head); +- WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)ref)); ++ WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)(int)ref)); + queue->grant_rx_ref[id] = ref; + + page = skb_frag_page(&skb_shinfo(skb)->frags[0]); +@@ -437,7 +437,7 @@ static void xennet_tx_setup_grant(unsign + id = get_id_from_freelist(&queue->tx_skb_freelist, queue->tx_skbs); + tx = RING_GET_REQUEST(&queue->tx, queue->tx.req_prod_pvt++); + ref = gnttab_claim_grant_reference(&queue->gref_tx_head); +- WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)ref)); ++ WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)(int)ref)); + + gnttab_grant_foreign_access_ref(ref, queue->info->xbdev->otherend_id, + gfn, GNTMAP_readonly); diff --git a/queue-4.4/xen-netfront-do-not-cast-grant-table-reference-to-signed-short.patch b/queue-4.4/xen-netfront-do-not-cast-grant-table-reference-to-signed-short.patch new file mode 100644 index 00000000000..7e2bd23ec11 --- /dev/null +++ b/queue-4.4/xen-netfront-do-not-cast-grant-table-reference-to-signed-short.patch @@ -0,0 +1,44 @@ +From 87557efc27f6a50140fb20df06a917f368ce3c66 Mon Sep 17 00:00:00 2001 +From: Dongli Zhang +Date: Mon, 31 Oct 2016 13:38:29 +0800 +Subject: xen-netfront: do not cast grant table reference to signed short + +From: Dongli Zhang + +commit 87557efc27f6a50140fb20df06a917f368ce3c66 upstream. + +While grant reference is of type uint32_t, xen-netfront erroneously casts +it to signed short in BUG_ON(). + +This would lead to the xen domU panic during boot-up or migration when it +is attached with lots of paravirtual devices. + +Signed-off-by: Dongli Zhang +Signed-off-by: David S. Miller +Cc: Blake Cooper +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/xen-netfront.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -304,7 +304,7 @@ static void xennet_alloc_rx_buffers(stru + queue->rx_skbs[id] = skb; + + ref = gnttab_claim_grant_reference(&queue->gref_rx_head); +- BUG_ON((signed short)ref < 0); ++ WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)ref)); + queue->grant_rx_ref[id] = ref; + + page = skb_frag_page(&skb_shinfo(skb)->frags[0]); +@@ -437,7 +437,7 @@ static void xennet_tx_setup_grant(unsign + id = get_id_from_freelist(&queue->tx_skb_freelist, queue->tx_skbs); + tx = RING_GET_REQUEST(&queue->tx, queue->tx.req_prod_pvt++); + ref = gnttab_claim_grant_reference(&queue->gref_tx_head); +- BUG_ON((signed short)ref < 0); ++ WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)ref)); + + gnttab_grant_foreign_access_ref(ref, queue->info->xbdev->otherend_id, + gfn, GNTMAP_readonly); diff --git a/queue-4.4/xen-privcmd-support-correctly-64kb-page-granularity-when-mapping-memory.patch b/queue-4.4/xen-privcmd-support-correctly-64kb-page-granularity-when-mapping-memory.patch new file mode 100644 index 00000000000..faa3f632a3a --- /dev/null +++ b/queue-4.4/xen-privcmd-support-correctly-64kb-page-granularity-when-mapping-memory.patch @@ -0,0 +1,43 @@ +From 753c09b5652bb4fe53e2db648002ec64b32b8827 Mon Sep 17 00:00:00 2001 +From: Julien Grall +Date: Wed, 31 May 2017 14:03:57 +0100 +Subject: xen/privcmd: Support correctly 64KB page granularity when mapping memory + +From: Julien Grall + +commit 753c09b5652bb4fe53e2db648002ec64b32b8827 upstream. + +Commit 5995a68 "xen/privcmd: Add support for Linux 64KB page granularity" did +not go far enough to support 64KB in mmap_batch_fn. + +The variable 'nr' is the number of 4KB chunk to map. However, when Linux +is using 64KB page granularity the array of pages (vma->vm_private_data) +contain one page per 64KB. Fix it by incrementing st->index correctly. + +Furthermore, st->va is not correctly incremented as PAGE_SIZE != +XEN_PAGE_SIZE. + +Fixes: 5995a68 ("xen/privcmd: Add support for Linux 64KB page granularity") +Reported-by: Feng Kan +Signed-off-by: Julien Grall +Reviewed-by: Boris Ostrovsky +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/privcmd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/xen/privcmd.c ++++ b/drivers/xen/privcmd.c +@@ -335,8 +335,8 @@ static int mmap_batch_fn(void *data, int + st->global_error = 1; + } + } +- st->va += PAGE_SIZE * nr; +- st->index += nr; ++ st->va += XEN_PAGE_SIZE * nr; ++ st->index += nr / XEN_PFN_PER_PAGE; + + return 0; + }