diff options
Diffstat (limited to '1001_linux-4.0.2.patch')
-rw-r--r-- | 1001_linux-4.0.2.patch | 16857 |
1 files changed, 16857 insertions, 0 deletions
diff --git a/1001_linux-4.0.2.patch b/1001_linux-4.0.2.patch new file mode 100644 index 00000000..5650c4e7 --- /dev/null +++ b/1001_linux-4.0.2.patch @@ -0,0 +1,16857 @@ +From 7bebf970047f59c16ddd5660b54562c8bcd40074 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20P=C3=B6hn?= <sebastian.poehn@gmail.com> +Date: Mon, 20 Apr 2015 09:19:20 +0200 +Subject: [PATCH 001/219] ip_forward: Drop frames with attached skb->sk +Cc: mpagano@gentoo.org + +[ Upstream commit 2ab957492d13bb819400ac29ae55911d50a82a13 ] + +Initial discussion was: +[FYI] xfrm: Don't lookup sk_policy for timewait sockets + +Forwarded frames should not have a socket attached. Especially +tw sockets will lead to panics later-on in the stack. + +This was observed with TPROXY assigning a tw socket and broken +policy routing (misconfigured). As a result frame enters +forwarding path instead of input. We cannot solve this in +TPROXY as it cannot know that policy routing is broken. + +v2: +Remove useless comment + +Signed-off-by: Sebastian Poehn <sebastian.poehn@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + net/ipv4/ip_forward.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c +index d9bc28a..53bd53f 100644 +--- a/net/ipv4/ip_forward.c ++++ b/net/ipv4/ip_forward.c +@@ -82,6 +82,9 @@ int ip_forward(struct sk_buff *skb) + if (skb->pkt_type != PACKET_HOST) + goto drop; + ++ if (unlikely(skb->sk)) ++ goto drop; ++ + if (skb_warn_if_lro(skb)) + goto drop; + +-- +2.3.6 + + +From 8a6846e3226bb475db9686590da85bcc609c75a9 Mon Sep 17 00:00:00 2001 +From: Tom Herbert <tom@herbertland.com> +Date: Mon, 20 Apr 2015 14:10:04 -0700 +Subject: [PATCH 002/219] net: add skb_checksum_complete_unset +Cc: mpagano@gentoo.org + +[ Upstream commit 4e18b9adf2f910ec4d30b811a74a5b626e6c6125 ] + +This function changes ip_summed to CHECKSUM_NONE if CHECKSUM_COMPLETE +is set. This is called to discard checksum-complete when packet +is being modified and checksum is not pulled for headers in a layer. + +Signed-off-by: Tom Herbert <tom@herbertland.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + include/linux/skbuff.h | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index f54d665..b5c204c 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -3013,6 +3013,18 @@ static inline bool __skb_checksum_validate_needed(struct sk_buff *skb, + */ + #define CHECKSUM_BREAK 76 + ++/* Unset checksum-complete ++ * ++ * Unset checksum complete can be done when packet is being modified ++ * (uncompressed for instance) and checksum-complete value is ++ * invalidated. ++ */ ++static inline void skb_checksum_complete_unset(struct sk_buff *skb) ++{ ++ if (skb->ip_summed == CHECKSUM_COMPLETE) ++ skb->ip_summed = CHECKSUM_NONE; ++} ++ + /* Validate (init) checksum based on checksum complete. + * + * Return values: +-- +2.3.6 + + +From 5a248fca60021d0e35a9de9bd0620eff840365ca Mon Sep 17 00:00:00 2001 +From: Tom Herbert <tom@herbertland.com> +Date: Mon, 20 Apr 2015 14:10:05 -0700 +Subject: [PATCH 003/219] ppp: call skb_checksum_complete_unset in + ppp_receive_frame +Cc: mpagano@gentoo.org + +[ Upstream commit 3dfb05340ec6676e6fc71a9ae87bbbe66d3c2998 ] + +Call checksum_complete_unset in PPP receive to discard checksum-complete +value. PPP does not pull checksum for headers and also modifies packet +as in VJ compression. + +Signed-off-by: Tom Herbert <tom@herbertland.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/net/ppp/ppp_generic.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index af034db..9d15566 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -1716,6 +1716,7 @@ ppp_receive_frame(struct ppp *ppp, struct sk_buff *skb, struct channel *pch) + { + /* note: a 0-length skb is used as an error indication */ + if (skb->len > 0) { ++ skb_checksum_complete_unset(skb); + #ifdef CONFIG_PPP_MULTILINK + /* XXX do channel-level decompression here */ + if (PPP_PROTO(skb) == PPP_MP) +-- +2.3.6 + + +From e1b095eb7de9dc2235c86e15be6b9d0bff56a6ab Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Tue, 21 Apr 2015 18:32:24 -0700 +Subject: [PATCH 004/219] tcp: fix possible deadlock in tcp_send_fin() +Cc: mpagano@gentoo.org + +[ Upstream commit d83769a580f1132ac26439f50068a29b02be535e ] + +Using sk_stream_alloc_skb() in tcp_send_fin() is dangerous in +case a huge process is killed by OOM, and tcp_mem[2] is hit. + +To be able to free memory we need to make progress, so this +patch allows FIN packets to not care about tcp_mem[2], if +skb allocation succeeded. + +In a follow-up patch, we might abort tcp_send_fin() infinite loop +in case TIF_MEMDIE is set on this thread, as memory allocator +did its best getting extra memory already. + +This patch reverts d22e15371811 ("tcp: fix tcp fin memory accounting") + +Fixes: d22e15371811 ("tcp: fix tcp fin memory accounting") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + net/ipv4/tcp_output.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index d520492..f911dc2 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2751,6 +2751,21 @@ begin_fwd: + } + } + ++/* We allow to exceed memory limits for FIN packets to expedite ++ * connection tear down and (memory) recovery. ++ * Otherwise tcp_send_fin() could loop forever. ++ */ ++static void sk_forced_wmem_schedule(struct sock *sk, int size) ++{ ++ int amt, status; ++ ++ if (size <= sk->sk_forward_alloc) ++ return; ++ amt = sk_mem_pages(size); ++ sk->sk_forward_alloc += amt * SK_MEM_QUANTUM; ++ sk_memory_allocated_add(sk, amt, &status); ++} ++ + /* Send a fin. The caller locks the socket for us. This cannot be + * allowed to fail queueing a FIN frame under any circumstances. + */ +@@ -2773,11 +2788,14 @@ void tcp_send_fin(struct sock *sk) + } else { + /* Socket is locked, keep trying until memory is available. */ + for (;;) { +- skb = sk_stream_alloc_skb(sk, 0, sk->sk_allocation); ++ skb = alloc_skb_fclone(MAX_TCP_HEADER, ++ sk->sk_allocation); + if (skb) + break; + yield(); + } ++ skb_reserve(skb, MAX_TCP_HEADER); ++ sk_forced_wmem_schedule(sk, skb->truesize); + /* FIN eats a sequence byte, write_seq advanced by tcp_queue_skb(). */ + tcp_init_nondata_skb(skb, tp->write_seq, + TCPHDR_ACK | TCPHDR_FIN); +-- +2.3.6 + + +From 7e72469760dd73a44e8cfd6105bf695b7572e246 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Thu, 23 Apr 2015 10:42:39 -0700 +Subject: [PATCH 005/219] tcp: avoid looping in tcp_send_fin() +Cc: mpagano@gentoo.org + +[ Upstream commit 845704a535e9b3c76448f52af1b70e4422ea03fd ] + +Presence of an unbound loop in tcp_send_fin() had always been hard +to explain when analyzing crash dumps involving gigantic dying processes +with millions of sockets. + +Lets try a different strategy : + +In case of memory pressure, try to add the FIN flag to last packet +in write queue, even if packet was already sent. TCP stack will +be able to deliver this FIN after a timeout event. Note that this +FIN being delivered by a retransmit, it also carries a Push flag +given our current implementation. + +By checking sk_under_memory_pressure(), we anticipate that cooking +many FIN packets might deplete tcp memory. + +In the case we could not allocate a packet, even with __GFP_WAIT +allocation, then not sending a FIN seems quite reasonable if it allows +to get rid of this socket, free memory, and not block the process from +eventually doing other useful work. + +Signed-off-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + net/ipv4/tcp_output.c | 50 +++++++++++++++++++++++++++++--------------------- + 1 file changed, 29 insertions(+), 21 deletions(-) + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index f911dc2..9d48dc4 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2753,7 +2753,8 @@ begin_fwd: + + /* We allow to exceed memory limits for FIN packets to expedite + * connection tear down and (memory) recovery. +- * Otherwise tcp_send_fin() could loop forever. ++ * Otherwise tcp_send_fin() could be tempted to either delay FIN ++ * or even be forced to close flow without any FIN. + */ + static void sk_forced_wmem_schedule(struct sock *sk, int size) + { +@@ -2766,33 +2767,40 @@ static void sk_forced_wmem_schedule(struct sock *sk, int size) + sk_memory_allocated_add(sk, amt, &status); + } + +-/* Send a fin. The caller locks the socket for us. This cannot be +- * allowed to fail queueing a FIN frame under any circumstances. ++/* Send a FIN. The caller locks the socket for us. ++ * We should try to send a FIN packet really hard, but eventually give up. + */ + void tcp_send_fin(struct sock *sk) + { ++ struct sk_buff *skb, *tskb = tcp_write_queue_tail(sk); + struct tcp_sock *tp = tcp_sk(sk); +- struct sk_buff *skb = tcp_write_queue_tail(sk); +- int mss_now; + +- /* Optimization, tack on the FIN if we have a queue of +- * unsent frames. But be careful about outgoing SACKS +- * and IP options. ++ /* Optimization, tack on the FIN if we have one skb in write queue and ++ * this skb was not yet sent, or we are under memory pressure. ++ * Note: in the latter case, FIN packet will be sent after a timeout, ++ * as TCP stack thinks it has already been transmitted. + */ +- mss_now = tcp_current_mss(sk); +- +- if (tcp_send_head(sk) != NULL) { +- TCP_SKB_CB(skb)->tcp_flags |= TCPHDR_FIN; +- TCP_SKB_CB(skb)->end_seq++; ++ if (tskb && (tcp_send_head(sk) || sk_under_memory_pressure(sk))) { ++coalesce: ++ TCP_SKB_CB(tskb)->tcp_flags |= TCPHDR_FIN; ++ TCP_SKB_CB(tskb)->end_seq++; + tp->write_seq++; ++ if (!tcp_send_head(sk)) { ++ /* This means tskb was already sent. ++ * Pretend we included the FIN on previous transmit. ++ * We need to set tp->snd_nxt to the value it would have ++ * if FIN had been sent. This is because retransmit path ++ * does not change tp->snd_nxt. ++ */ ++ tp->snd_nxt++; ++ return; ++ } + } else { +- /* Socket is locked, keep trying until memory is available. */ +- for (;;) { +- skb = alloc_skb_fclone(MAX_TCP_HEADER, +- sk->sk_allocation); +- if (skb) +- break; +- yield(); ++ skb = alloc_skb_fclone(MAX_TCP_HEADER, sk->sk_allocation); ++ if (unlikely(!skb)) { ++ if (tskb) ++ goto coalesce; ++ return; + } + skb_reserve(skb, MAX_TCP_HEADER); + sk_forced_wmem_schedule(sk, skb->truesize); +@@ -2801,7 +2809,7 @@ void tcp_send_fin(struct sock *sk) + TCPHDR_ACK | TCPHDR_FIN); + tcp_queue_skb(sk, skb); + } +- __tcp_push_pending_frames(sk, mss_now, TCP_NAGLE_OFF); ++ __tcp_push_pending_frames(sk, tcp_current_mss(sk), TCP_NAGLE_OFF); + } + + /* We get here when a process closes a file descriptor (either due to +-- +2.3.6 + + +From e591662c1a5fb0e9ee486bf8edbed14d0507cfb4 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Wed, 22 Apr 2015 07:33:36 -0700 +Subject: [PATCH 006/219] net: do not deplete pfmemalloc reserve +Cc: mpagano@gentoo.org + +[ Upstream commit 79930f5892e134c6da1254389577fffb8bd72c66 ] + +build_skb() should look at the page pfmemalloc status. +If set, this means page allocator allocated this page in the +expectation it would help to free other pages. Networking +stack can do that only if skb->pfmemalloc is also set. + +Also, we must refrain using high order pages from the pfmemalloc +reserve, so __page_frag_refill() must also use __GFP_NOMEMALLOC for +them. Under memory pressure, using order-0 pages is probably the best +strategy. + +Signed-off-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + net/core/skbuff.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 98d45fe..5ec3742 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -311,7 +311,11 @@ struct sk_buff *build_skb(void *data, unsigned int frag_size) + + memset(skb, 0, offsetof(struct sk_buff, tail)); + skb->truesize = SKB_TRUESIZE(size); +- skb->head_frag = frag_size != 0; ++ if (frag_size) { ++ skb->head_frag = 1; ++ if (virt_to_head_page(data)->pfmemalloc) ++ skb->pfmemalloc = 1; ++ } + atomic_set(&skb->users, 1); + skb->head = data; + skb->data = data; +@@ -348,7 +352,8 @@ static struct page *__page_frag_refill(struct netdev_alloc_cache *nc, + gfp_t gfp = gfp_mask; + + if (order) { +- gfp_mask |= __GFP_COMP | __GFP_NOWARN | __GFP_NORETRY; ++ gfp_mask |= __GFP_COMP | __GFP_NOWARN | __GFP_NORETRY | ++ __GFP_NOMEMALLOC; + page = alloc_pages_node(NUMA_NO_NODE, gfp_mask, order); + nc->frag.size = PAGE_SIZE << (page ? order : 0); + } +-- +2.3.6 + + +From f009181dcccd55398f872d090fa2e1780b4ca270 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Fri, 24 Apr 2015 16:05:01 -0700 +Subject: [PATCH 007/219] net: fix crash in build_skb() +Cc: mpagano@gentoo.org + +[ Upstream commit 2ea2f62c8bda242433809c7f4e9eae1c52c40bbe ] + +When I added pfmemalloc support in build_skb(), I forgot netlink +was using build_skb() with a vmalloc() area. + +In this patch I introduce __build_skb() for netlink use, +and build_skb() is a wrapper handling both skb->head_frag and +skb->pfmemalloc + +This means netlink no longer has to hack skb->head_frag + +[ 1567.700067] kernel BUG at arch/x86/mm/physaddr.c:26! +[ 1567.700067] invalid opcode: 0000 [#1] PREEMPT SMP KASAN +[ 1567.700067] Dumping ftrace buffer: +[ 1567.700067] (ftrace buffer empty) +[ 1567.700067] Modules linked in: +[ 1567.700067] CPU: 9 PID: 16186 Comm: trinity-c182 Not tainted 4.0.0-next-20150424-sasha-00037-g4796e21 #2167 +[ 1567.700067] task: ffff880127efb000 ti: ffff880246770000 task.ti: ffff880246770000 +[ 1567.700067] RIP: __phys_addr (arch/x86/mm/physaddr.c:26 (discriminator 3)) +[ 1567.700067] RSP: 0018:ffff8802467779d8 EFLAGS: 00010202 +[ 1567.700067] RAX: 000041000ed8e000 RBX: ffffc9008ed8e000 RCX: 000000000000002c +[ 1567.700067] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffffb3fd6049 +[ 1567.700067] RBP: ffff8802467779f8 R08: 0000000000000019 R09: ffff8801d0168000 +[ 1567.700067] R10: ffff8801d01680c7 R11: ffffed003a02d019 R12: ffffc9000ed8e000 +[ 1567.700067] R13: 0000000000000f40 R14: 0000000000001180 R15: ffffc9000ed8e000 +[ 1567.700067] FS: 00007f2a7da3f700(0000) GS:ffff8801d1000000(0000) knlGS:0000000000000000 +[ 1567.700067] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1567.700067] CR2: 0000000000738308 CR3: 000000022e329000 CR4: 00000000000007e0 +[ 1567.700067] Stack: +[ 1567.700067] ffffc9000ed8e000 ffff8801d0168000 ffffc9000ed8e000 ffff8801d0168000 +[ 1567.700067] ffff880246777a28 ffffffffad7c0a21 0000000000001080 ffff880246777c08 +[ 1567.700067] ffff88060d302e68 ffff880246777b58 ffff880246777b88 ffffffffad9a6821 +[ 1567.700067] Call Trace: +[ 1567.700067] build_skb (include/linux/mm.h:508 net/core/skbuff.c:316) +[ 1567.700067] netlink_sendmsg (net/netlink/af_netlink.c:1633 net/netlink/af_netlink.c:2329) +[ 1567.774369] ? sched_clock_cpu (kernel/sched/clock.c:311) +[ 1567.774369] ? netlink_unicast (net/netlink/af_netlink.c:2273) +[ 1567.774369] ? netlink_unicast (net/netlink/af_netlink.c:2273) +[ 1567.774369] sock_sendmsg (net/socket.c:614 net/socket.c:623) +[ 1567.774369] sock_write_iter (net/socket.c:823) +[ 1567.774369] ? sock_sendmsg (net/socket.c:806) +[ 1567.774369] __vfs_write (fs/read_write.c:479 fs/read_write.c:491) +[ 1567.774369] ? get_lock_stats (kernel/locking/lockdep.c:249) +[ 1567.774369] ? default_llseek (fs/read_write.c:487) +[ 1567.774369] ? vtime_account_user (kernel/sched/cputime.c:701) +[ 1567.774369] ? rw_verify_area (fs/read_write.c:406 (discriminator 4)) +[ 1567.774369] vfs_write (fs/read_write.c:539) +[ 1567.774369] SyS_write (fs/read_write.c:586 fs/read_write.c:577) +[ 1567.774369] ? SyS_read (fs/read_write.c:577) +[ 1567.774369] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63) +[ 1567.774369] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2594 kernel/locking/lockdep.c:2636) +[ 1567.774369] ? trace_hardirqs_on_thunk (arch/x86/lib/thunk_64.S:42) +[ 1567.774369] system_call_fastpath (arch/x86/kernel/entry_64.S:261) + +Fixes: 79930f5892e ("net: do not deplete pfmemalloc reserve") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: Sasha Levin <sasha.levin@oracle.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + include/linux/skbuff.h | 1 + + net/core/skbuff.c | 31 ++++++++++++++++++++++--------- + net/netlink/af_netlink.c | 6 ++---- + 3 files changed, 25 insertions(+), 13 deletions(-) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index b5c204c..bdccc4b 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -769,6 +769,7 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from, + + struct sk_buff *__alloc_skb(unsigned int size, gfp_t priority, int flags, + int node); ++struct sk_buff *__build_skb(void *data, unsigned int frag_size); + struct sk_buff *build_skb(void *data, unsigned int frag_size); + static inline struct sk_buff *alloc_skb(unsigned int size, + gfp_t priority) +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 5ec3742..e9f9a15 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -280,13 +280,14 @@ nodata: + EXPORT_SYMBOL(__alloc_skb); + + /** +- * build_skb - build a network buffer ++ * __build_skb - build a network buffer + * @data: data buffer provided by caller +- * @frag_size: size of fragment, or 0 if head was kmalloced ++ * @frag_size: size of data, or 0 if head was kmalloced + * + * Allocate a new &sk_buff. Caller provides space holding head and + * skb_shared_info. @data must have been allocated by kmalloc() only if +- * @frag_size is 0, otherwise data should come from the page allocator. ++ * @frag_size is 0, otherwise data should come from the page allocator ++ * or vmalloc() + * The return is the new skb buffer. + * On a failure the return is %NULL, and @data is not freed. + * Notes : +@@ -297,7 +298,7 @@ EXPORT_SYMBOL(__alloc_skb); + * before giving packet to stack. + * RX rings only contains data buffers, not full skbs. + */ +-struct sk_buff *build_skb(void *data, unsigned int frag_size) ++struct sk_buff *__build_skb(void *data, unsigned int frag_size) + { + struct skb_shared_info *shinfo; + struct sk_buff *skb; +@@ -311,11 +312,6 @@ struct sk_buff *build_skb(void *data, unsigned int frag_size) + + memset(skb, 0, offsetof(struct sk_buff, tail)); + skb->truesize = SKB_TRUESIZE(size); +- if (frag_size) { +- skb->head_frag = 1; +- if (virt_to_head_page(data)->pfmemalloc) +- skb->pfmemalloc = 1; +- } + atomic_set(&skb->users, 1); + skb->head = data; + skb->data = data; +@@ -332,6 +328,23 @@ struct sk_buff *build_skb(void *data, unsigned int frag_size) + + return skb; + } ++ ++/* build_skb() is wrapper over __build_skb(), that specifically ++ * takes care of skb->head and skb->pfmemalloc ++ * This means that if @frag_size is not zero, then @data must be backed ++ * by a page fragment, not kmalloc() or vmalloc() ++ */ ++struct sk_buff *build_skb(void *data, unsigned int frag_size) ++{ ++ struct sk_buff *skb = __build_skb(data, frag_size); ++ ++ if (skb && frag_size) { ++ skb->head_frag = 1; ++ if (virt_to_head_page(data)->pfmemalloc) ++ skb->pfmemalloc = 1; ++ } ++ return skb; ++} + EXPORT_SYMBOL(build_skb); + + struct netdev_alloc_cache { +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 05919bf..d1d7a81 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1616,13 +1616,11 @@ static struct sk_buff *netlink_alloc_large_skb(unsigned int size, + if (data == NULL) + return NULL; + +- skb = build_skb(data, size); ++ skb = __build_skb(data, size); + if (skb == NULL) + vfree(data); +- else { +- skb->head_frag = 0; ++ else + skb->destructor = netlink_skb_destructor; +- } + + return skb; + } +-- +2.3.6 + + +From f80e3eb94b7d4b5b9ebf999da1f50cd5b263a23d Mon Sep 17 00:00:00 2001 +From: Alexey Khoroshilov <khoroshilov@ispras.ru> +Date: Sat, 25 Apr 2015 04:07:03 +0300 +Subject: [PATCH 008/219] pxa168: fix double deallocation of managed resources +Cc: mpagano@gentoo.org + +[ Upstream commit 0e03fd3e335d272bee88fe733d5fd13f5c5b7140 ] + +Commit 43d3ddf87a57 ("net: pxa168_eth: add device tree support") starts +to use managed resources by adding devm_clk_get() and +devm_ioremap_resource(), but it leaves explicit iounmap() and clock_put() +in pxa168_eth_remove() and in failure handling code of pxa168_eth_probe(). +As a result double free can happen. + +The patch removes explicit resource deallocation. Also it converts +clk_disable() to clk_disable_unprepare() to make it symmetrical with +clk_prepare_enable(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/net/ethernet/marvell/pxa168_eth.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/pxa168_eth.c b/drivers/net/ethernet/marvell/pxa168_eth.c +index af829c5..7ace07d 100644 +--- a/drivers/net/ethernet/marvell/pxa168_eth.c ++++ b/drivers/net/ethernet/marvell/pxa168_eth.c +@@ -1508,7 +1508,8 @@ static int pxa168_eth_probe(struct platform_device *pdev) + np = of_parse_phandle(pdev->dev.of_node, "phy-handle", 0); + if (!np) { + dev_err(&pdev->dev, "missing phy-handle\n"); +- return -EINVAL; ++ err = -EINVAL; ++ goto err_netdev; + } + of_property_read_u32(np, "reg", &pep->phy_addr); + pep->phy_intf = of_get_phy_mode(pdev->dev.of_node); +@@ -1526,7 +1527,7 @@ static int pxa168_eth_probe(struct platform_device *pdev) + pep->smi_bus = mdiobus_alloc(); + if (pep->smi_bus == NULL) { + err = -ENOMEM; +- goto err_base; ++ goto err_netdev; + } + pep->smi_bus->priv = pep; + pep->smi_bus->name = "pxa168_eth smi"; +@@ -1551,13 +1552,10 @@ err_mdiobus: + mdiobus_unregister(pep->smi_bus); + err_free_mdio: + mdiobus_free(pep->smi_bus); +-err_base: +- iounmap(pep->base); + err_netdev: + free_netdev(dev); + err_clk: +- clk_disable(clk); +- clk_put(clk); ++ clk_disable_unprepare(clk); + return err; + } + +@@ -1574,13 +1572,9 @@ static int pxa168_eth_remove(struct platform_device *pdev) + if (pep->phy) + phy_disconnect(pep->phy); + if (pep->clk) { +- clk_disable(pep->clk); +- clk_put(pep->clk); +- pep->clk = NULL; ++ clk_disable_unprepare(pep->clk); + } + +- iounmap(pep->base); +- pep->base = NULL; + mdiobus_unregister(pep->smi_bus); + mdiobus_free(pep->smi_bus); + unregister_netdev(dev); +-- +2.3.6 + + +From b32dec8a9f5834b14daaa75bd3e49f3b54272d65 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Sat, 25 Apr 2015 09:35:24 -0700 +Subject: [PATCH 009/219] net: rfs: fix crash in get_rps_cpus() +Cc: mpagano@gentoo.org + +[ Upstream commit a31196b07f8034eba6a3487a1ad1bb5ec5cd58a5 ] + +Commit 567e4b79731c ("net: rfs: add hash collision detection") had one +mistake : + +RPS_NO_CPU is no longer the marker for invalid cpu in set_rps_cpu() +and get_rps_cpu(), as @next_cpu was the result of an AND with +rps_cpu_mask + +This bug showed up on a host with 72 cpus : +next_cpu was 0x7f, and the code was trying to access percpu data of an +non existent cpu. + +In a follow up patch, we might get rid of compares against nr_cpu_ids, +if we init the tables with 0. This is silly to test for a very unlikely +condition that exists only shortly after table initialization, as +we got rid of rps_reset_sock_flow() and similar functions that were +writing this RPS_NO_CPU magic value at flow dismantle : When table is +old enough, it never contains this value anymore. + +Fixes: 567e4b79731c ("net: rfs: add hash collision detection") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Cc: Tom Herbert <tom@herbertland.com> +Cc: Ben Hutchings <ben@decadent.org.uk> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + Documentation/networking/scaling.txt | 2 +- + net/core/dev.c | 12 ++++++------ + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/Documentation/networking/scaling.txt b/Documentation/networking/scaling.txt +index 99ca40e..5c204df 100644 +--- a/Documentation/networking/scaling.txt ++++ b/Documentation/networking/scaling.txt +@@ -282,7 +282,7 @@ following is true: + + - The current CPU's queue head counter >= the recorded tail counter + value in rps_dev_flow[i] +-- The current CPU is unset (equal to RPS_NO_CPU) ++- The current CPU is unset (>= nr_cpu_ids) + - The current CPU is offline + + After this check, the packet is sent to the (possibly updated) current +diff --git a/net/core/dev.c b/net/core/dev.c +index 45109b7..22a53ac 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3041,7 +3041,7 @@ static struct rps_dev_flow * + set_rps_cpu(struct net_device *dev, struct sk_buff *skb, + struct rps_dev_flow *rflow, u16 next_cpu) + { +- if (next_cpu != RPS_NO_CPU) { ++ if (next_cpu < nr_cpu_ids) { + #ifdef CONFIG_RFS_ACCEL + struct netdev_rx_queue *rxqueue; + struct rps_dev_flow_table *flow_table; +@@ -3146,7 +3146,7 @@ static int get_rps_cpu(struct net_device *dev, struct sk_buff *skb, + * If the desired CPU (where last recvmsg was done) is + * different from current CPU (one in the rx-queue flow + * table entry), switch if one of the following holds: +- * - Current CPU is unset (equal to RPS_NO_CPU). ++ * - Current CPU is unset (>= nr_cpu_ids). + * - Current CPU is offline. + * - The current CPU's queue tail has advanced beyond the + * last packet that was enqueued using this table entry. +@@ -3154,14 +3154,14 @@ static int get_rps_cpu(struct net_device *dev, struct sk_buff *skb, + * have been dequeued, thus preserving in order delivery. + */ + if (unlikely(tcpu != next_cpu) && +- (tcpu == RPS_NO_CPU || !cpu_online(tcpu) || ++ (tcpu >= nr_cpu_ids || !cpu_online(tcpu) || + ((int)(per_cpu(softnet_data, tcpu).input_queue_head - + rflow->last_qtail)) >= 0)) { + tcpu = next_cpu; + rflow = set_rps_cpu(dev, skb, rflow, next_cpu); + } + +- if (tcpu != RPS_NO_CPU && cpu_online(tcpu)) { ++ if (tcpu < nr_cpu_ids && cpu_online(tcpu)) { + *rflowp = rflow; + cpu = tcpu; + goto done; +@@ -3202,14 +3202,14 @@ bool rps_may_expire_flow(struct net_device *dev, u16 rxq_index, + struct rps_dev_flow_table *flow_table; + struct rps_dev_flow *rflow; + bool expire = true; +- int cpu; ++ unsigned int cpu; + + rcu_read_lock(); + flow_table = rcu_dereference(rxqueue->rps_flow_table); + if (flow_table && flow_id <= flow_table->mask) { + rflow = &flow_table->flows[flow_id]; + cpu = ACCESS_ONCE(rflow->cpu); +- if (rflow->filter == filter_id && cpu != RPS_NO_CPU && ++ if (rflow->filter == filter_id && cpu < nr_cpu_ids && + ((int)(per_cpu(softnet_data, cpu).input_queue_head - + rflow->last_qtail) < + (int)(10 * flow_table->mask))) +-- +2.3.6 + + +From 36fb8ea94764c1435bc5357057373c73f1055be9 Mon Sep 17 00:00:00 2001 +From: Amir Vadai <amirv@mellanox.com> +Date: Mon, 27 Apr 2015 13:40:56 +0300 +Subject: [PATCH 010/219] net/mlx4_en: Prevent setting invalid RSS hash + function +Cc: mpagano@gentoo.org + +[ Upstream commit b37069090b7c5615610a8aa6b36533d67b364d38 ] + +mlx4_en_check_rxfh_func() was checking for hardware support before +setting a known RSS hash function, but didn't do any check before +setting unknown RSS hash function. Need to make it fail on such values. +In this occasion, moved the actual setting of the new value from the +check function into mlx4_en_set_rxfh(). + +Fixes: 947cbb0 ("net/mlx4_en: Support for configurable RSS hash function") +Signed-off-by: Amir Vadai <amirv@mellanox.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 29 ++++++++++++++----------- + 1 file changed, 16 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +index a7b58ba..3dccf01 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -981,20 +981,21 @@ static int mlx4_en_check_rxfh_func(struct net_device *dev, u8 hfunc) + struct mlx4_en_priv *priv = netdev_priv(dev); + + /* check if requested function is supported by the device */ +- if ((hfunc == ETH_RSS_HASH_TOP && +- !(priv->mdev->dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_RSS_TOP)) || +- (hfunc == ETH_RSS_HASH_XOR && +- !(priv->mdev->dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_RSS_XOR))) +- return -EINVAL; ++ if (hfunc == ETH_RSS_HASH_TOP) { ++ if (!(priv->mdev->dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_RSS_TOP)) ++ return -EINVAL; ++ if (!(dev->features & NETIF_F_RXHASH)) ++ en_warn(priv, "Toeplitz hash function should be used in conjunction with RX hashing for optimal performance\n"); ++ return 0; ++ } else if (hfunc == ETH_RSS_HASH_XOR) { ++ if (!(priv->mdev->dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_RSS_XOR)) ++ return -EINVAL; ++ if (dev->features & NETIF_F_RXHASH) ++ en_warn(priv, "Enabling both XOR Hash function and RX Hashing can limit RPS functionality\n"); ++ return 0; ++ } + +- priv->rss_hash_fn = hfunc; +- if (hfunc == ETH_RSS_HASH_TOP && !(dev->features & NETIF_F_RXHASH)) +- en_warn(priv, +- "Toeplitz hash function should be used in conjunction with RX hashing for optimal performance\n"); +- if (hfunc == ETH_RSS_HASH_XOR && (dev->features & NETIF_F_RXHASH)) +- en_warn(priv, +- "Enabling both XOR Hash function and RX Hashing can limit RPS functionality\n"); +- return 0; ++ return -EINVAL; + } + + static int mlx4_en_get_rxfh(struct net_device *dev, u32 *ring_index, u8 *key, +@@ -1068,6 +1069,8 @@ static int mlx4_en_set_rxfh(struct net_device *dev, const u32 *ring_index, + priv->prof->rss_rings = rss_rings; + if (key) + memcpy(priv->rss_key, key, MLX4_EN_RSS_KEY_SIZE); ++ if (hfunc != ETH_RSS_HASH_NO_CHANGE) ++ priv->rss_hash_fn = hfunc; + + if (port_up) { + err = mlx4_en_start_port(dev); +-- +2.3.6 + + +From 8336ee9076303fbdb38e89f18e921ec238d9c48c Mon Sep 17 00:00:00 2001 +From: Gu Zheng <guz.fnst@cn.fujitsu.com> +Date: Fri, 3 Apr 2015 08:44:47 +0800 +Subject: [PATCH 011/219] md: fix md io stats accounting broken +Cc: mpagano@gentoo.org + +commit 74672d069b298b03e9f657fd70915e055739882e upstream. + +Simon reported the md io stats accounting issue: +" +I'm seeing "iostat -x -k 1" print this after a RAID1 rebuild on 4.0-rc5. +It's not abnormal other than it's 3-disk, with one being SSD (sdc) and +the other two being write-mostly: + +Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util +sda 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 +sdb 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 +sdc 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 +md0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 345.00 0.00 0.00 0.00 0.00 100.00 +md2 0.00 0.00 0.00 0.00 0.00 0.00 0.00 58779.00 0.00 0.00 0.00 0.00 100.00 +md1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 12.00 0.00 0.00 0.00 0.00 100.00 +" +The cause is commit "18c0b223cf9901727ef3b02da6711ac930b4e5d4" uses the +generic_start_io_acct to account the disk stats rather than the open code, +but it also introduced the increase to .in_flight[rw] which is needless to +md. So we re-use the open code here to fix it. + +Reported-by: Simon Kirby <sim@hostway.ca> +Signed-off-by: Gu Zheng <guz.fnst@cn.fujitsu.com> +Signed-off-by: NeilBrown <neilb@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/md/md.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 717daad..e617878 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -249,6 +249,7 @@ static void md_make_request(struct request_queue *q, struct bio *bio) + const int rw = bio_data_dir(bio); + struct mddev *mddev = q->queuedata; + unsigned int sectors; ++ int cpu; + + if (mddev == NULL || mddev->pers == NULL + || !mddev->ready) { +@@ -284,7 +285,10 @@ static void md_make_request(struct request_queue *q, struct bio *bio) + sectors = bio_sectors(bio); + mddev->pers->make_request(mddev, bio); + +- generic_start_io_acct(rw, sectors, &mddev->gendisk->part0); ++ cpu = part_stat_lock(); ++ part_stat_inc(cpu, &mddev->gendisk->part0, ios[rw]); ++ part_stat_add(cpu, &mddev->gendisk->part0, sectors[rw], sectors); ++ part_stat_unlock(); + + if (atomic_dec_and_test(&mddev->active_io) && mddev->suspended) + wake_up(&mddev->sb_wait); +-- +2.3.6 + + +From bbe33d7992b2dd4a79499aeb384a4597b73451eb Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski <luto@amacapital.net> +Date: Tue, 27 Jan 2015 16:06:02 -0800 +Subject: [PATCH 012/219] x86/asm/decoder: Fix and enforce max instruction size + in the insn decoder +Cc: mpagano@gentoo.org + +commit 91e5ed49fca09c2b83b262b9757d1376ee2b46c3 upstream. + +x86 instructions cannot exceed 15 bytes, and the instruction +decoder should enforce that. Prior to 6ba48ff46f76, the +instruction length limit was implicitly set to 16, which was an +approximation of 15, but there is currently no limit at all. + +Fix MAX_INSN_SIZE (it should be 15, not 16), and fix the decoder +to reject instructions that exceed MAX_INSN_SIZE. + +Other than potentially confusing some of the decoder sanity +checks, I'm not aware of any actual problems that omitting this +check would cause, nor am I aware of any practical problems +caused by the MAX_INSN_SIZE error. + +Signed-off-by: Andy Lutomirski <luto@amacapital.net> +Acked-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com> +Cc: Dave Hansen <dave.hansen@linux.intel.com> +Fixes: 6ba48ff46f76 ("x86: Remove arbitrary instruction size limit ... +Link: http://lkml.kernel.org/r/f8f0bc9b8c58cfd6830f7d88400bf1396cbdcd0f.1422403511.git.luto@amacapital.net +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/x86/include/asm/insn.h | 2 +- + arch/x86/lib/insn.c | 7 +++++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/insn.h b/arch/x86/include/asm/insn.h +index 47f29b1..e7814b7 100644 +--- a/arch/x86/include/asm/insn.h ++++ b/arch/x86/include/asm/insn.h +@@ -69,7 +69,7 @@ struct insn { + const insn_byte_t *next_byte; + }; + +-#define MAX_INSN_SIZE 16 ++#define MAX_INSN_SIZE 15 + + #define X86_MODRM_MOD(modrm) (((modrm) & 0xc0) >> 6) + #define X86_MODRM_REG(modrm) (((modrm) & 0x38) >> 3) +diff --git a/arch/x86/lib/insn.c b/arch/x86/lib/insn.c +index 1313ae6..85994f5 100644 +--- a/arch/x86/lib/insn.c ++++ b/arch/x86/lib/insn.c +@@ -52,6 +52,13 @@ + */ + void insn_init(struct insn *insn, const void *kaddr, int buf_len, int x86_64) + { ++ /* ++ * Instructions longer than MAX_INSN_SIZE (15 bytes) are invalid ++ * even if the input buffer is long enough to hold them. ++ */ ++ if (buf_len > MAX_INSN_SIZE) ++ buf_len = MAX_INSN_SIZE; ++ + memset(insn, 0, sizeof(*insn)); + insn->kaddr = kaddr; + insn->end_kaddr = kaddr + buf_len; +-- +2.3.6 + + +From 3fbb83fdcd2be33c3091f2c1094c37b5054da9f8 Mon Sep 17 00:00:00 2001 +From: Marcelo Tosatti <mtosatti@redhat.com> +Date: Mon, 23 Mar 2015 20:21:51 -0300 +Subject: [PATCH 013/219] x86: kvm: Revert "remove sched notifier for cross-cpu + migrations" +Cc: mpagano@gentoo.org + +commit 0a4e6be9ca17c54817cf814b4b5aa60478c6df27 upstream. + +The following point: + + 2. per-CPU pvclock time info is updated if the + underlying CPU changes. + +Is not true anymore since "KVM: x86: update pvclock area conditionally, +on cpu migration". + +Add task migration notification back. + +Problem noticed by Andy Lutomirski. + +Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/x86/include/asm/pvclock.h | 1 + + arch/x86/kernel/pvclock.c | 44 ++++++++++++++++++++++++++++++++++++++++++ + arch/x86/vdso/vclock_gettime.c | 16 +++++++-------- + include/linux/sched.h | 8 ++++++++ + kernel/sched/core.c | 15 ++++++++++++++ + 5 files changed, 76 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/include/asm/pvclock.h b/arch/x86/include/asm/pvclock.h +index d6b078e..25b1cc0 100644 +--- a/arch/x86/include/asm/pvclock.h ++++ b/arch/x86/include/asm/pvclock.h +@@ -95,6 +95,7 @@ unsigned __pvclock_read_cycles(const struct pvclock_vcpu_time_info *src, + + struct pvclock_vsyscall_time_info { + struct pvclock_vcpu_time_info pvti; ++ u32 migrate_count; + } __attribute__((__aligned__(SMP_CACHE_BYTES))); + + #define PVTI_SIZE sizeof(struct pvclock_vsyscall_time_info) +diff --git a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c +index 2f355d2..e5ecd20 100644 +--- a/arch/x86/kernel/pvclock.c ++++ b/arch/x86/kernel/pvclock.c +@@ -141,7 +141,46 @@ void pvclock_read_wallclock(struct pvclock_wall_clock *wall_clock, + set_normalized_timespec(ts, now.tv_sec, now.tv_nsec); + } + ++static struct pvclock_vsyscall_time_info *pvclock_vdso_info; ++ ++static struct pvclock_vsyscall_time_info * ++pvclock_get_vsyscall_user_time_info(int cpu) ++{ ++ if (!pvclock_vdso_info) { ++ BUG(); ++ return NULL; ++ } ++ ++ return &pvclock_vdso_info[cpu]; ++} ++ ++struct pvclock_vcpu_time_info *pvclock_get_vsyscall_time_info(int cpu) ++{ ++ return &pvclock_get_vsyscall_user_time_info(cpu)->pvti; ++} ++ + #ifdef CONFIG_X86_64 ++static int pvclock_task_migrate(struct notifier_block *nb, unsigned long l, ++ void *v) ++{ ++ struct task_migration_notifier *mn = v; ++ struct pvclock_vsyscall_time_info *pvti; ++ ++ pvti = pvclock_get_vsyscall_user_time_info(mn->from_cpu); ++ ++ /* this is NULL when pvclock vsyscall is not initialized */ ++ if (unlikely(pvti == NULL)) ++ return NOTIFY_DONE; ++ ++ pvti->migrate_count++; ++ ++ return NOTIFY_DONE; ++} ++ ++static struct notifier_block pvclock_migrate = { ++ .notifier_call = pvclock_task_migrate, ++}; ++ + /* + * Initialize the generic pvclock vsyscall state. This will allocate + * a/some page(s) for the per-vcpu pvclock information, set up a +@@ -155,12 +194,17 @@ int __init pvclock_init_vsyscall(struct pvclock_vsyscall_time_info *i, + + WARN_ON (size != PVCLOCK_VSYSCALL_NR_PAGES*PAGE_SIZE); + ++ pvclock_vdso_info = i; ++ + for (idx = 0; idx <= (PVCLOCK_FIXMAP_END-PVCLOCK_FIXMAP_BEGIN); idx++) { + __set_fixmap(PVCLOCK_FIXMAP_BEGIN + idx, + __pa(i) + (idx*PAGE_SIZE), + PAGE_KERNEL_VVAR); + } + ++ ++ register_task_migration_notifier(&pvclock_migrate); ++ + return 0; + } + #endif +diff --git a/arch/x86/vdso/vclock_gettime.c b/arch/x86/vdso/vclock_gettime.c +index 9793322..3093376 100644 +--- a/arch/x86/vdso/vclock_gettime.c ++++ b/arch/x86/vdso/vclock_gettime.c +@@ -82,18 +82,15 @@ static notrace cycle_t vread_pvclock(int *mode) + cycle_t ret; + u64 last; + u32 version; ++ u32 migrate_count; + u8 flags; + unsigned cpu, cpu1; + + + /* +- * Note: hypervisor must guarantee that: +- * 1. cpu ID number maps 1:1 to per-CPU pvclock time info. +- * 2. that per-CPU pvclock time info is updated if the +- * underlying CPU changes. +- * 3. that version is increased whenever underlying CPU +- * changes. +- * ++ * When looping to get a consistent (time-info, tsc) pair, we ++ * also need to deal with the possibility we can switch vcpus, ++ * so make sure we always re-fetch time-info for the current vcpu. + */ + do { + cpu = __getcpu() & VGETCPU_CPU_MASK; +@@ -104,6 +101,8 @@ static notrace cycle_t vread_pvclock(int *mode) + + pvti = get_pvti(cpu); + ++ migrate_count = pvti->migrate_count; ++ + version = __pvclock_read_cycles(&pvti->pvti, &ret, &flags); + + /* +@@ -115,7 +114,8 @@ static notrace cycle_t vread_pvclock(int *mode) + cpu1 = __getcpu() & VGETCPU_CPU_MASK; + } while (unlikely(cpu != cpu1 || + (pvti->pvti.version & 1) || +- pvti->pvti.version != version)); ++ pvti->pvti.version != version || ++ pvti->migrate_count != migrate_count)); + + if (unlikely(!(flags & PVCLOCK_TSC_STABLE_BIT))) + *mode = VCLOCK_NONE; +diff --git a/include/linux/sched.h b/include/linux/sched.h +index a419b65..51348f7 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -176,6 +176,14 @@ extern void get_iowait_load(unsigned long *nr_waiters, unsigned long *load); + extern void calc_global_load(unsigned long ticks); + extern void update_cpu_load_nohz(void); + ++/* Notifier for when a task gets migrated to a new CPU */ ++struct task_migration_notifier { ++ struct task_struct *task; ++ int from_cpu; ++ int to_cpu; ++}; ++extern void register_task_migration_notifier(struct notifier_block *n); ++ + extern unsigned long get_parent_ip(unsigned long addr); + + extern void dump_cpu_task(int cpu); +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 62671f5..3d5f6f6 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -996,6 +996,13 @@ void check_preempt_curr(struct rq *rq, struct task_struct *p, int flags) + rq_clock_skip_update(rq, true); + } + ++static ATOMIC_NOTIFIER_HEAD(task_migration_notifier); ++ ++void register_task_migration_notifier(struct notifier_block *n) ++{ ++ atomic_notifier_chain_register(&task_migration_notifier, n); ++} ++ + #ifdef CONFIG_SMP + void set_task_cpu(struct task_struct *p, unsigned int new_cpu) + { +@@ -1026,10 +1033,18 @@ void set_task_cpu(struct task_struct *p, unsigned int new_cpu) + trace_sched_migrate_task(p, new_cpu); + + if (task_cpu(p) != new_cpu) { ++ struct task_migration_notifier tmn; ++ + if (p->sched_class->migrate_task_rq) + p->sched_class->migrate_task_rq(p, new_cpu); + p->se.nr_migrations++; + perf_sw_event_sched(PERF_COUNT_SW_CPU_MIGRATIONS, 1, 0); ++ ++ tmn.task = p; ++ tmn.from_cpu = task_cpu(p); ++ tmn.to_cpu = new_cpu; ++ ++ atomic_notifier_call_chain(&task_migration_notifier, 0, &tmn); + } + + __set_task_cpu(p, new_cpu); +-- +2.3.6 + + +From 82a7e6737ca5b18841f7130821dbec007d736b0b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com> +Date: Thu, 2 Apr 2015 20:44:23 +0200 +Subject: [PATCH 014/219] x86: vdso: fix pvclock races with task migration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Cc: mpagano@gentoo.org + +commit 80f7fdb1c7f0f9266421f823964fd1962681f6ce upstream. + +If we were migrated right after __getcpu, but before reading the +migration_count, we wouldn't notice that we read TSC of a different +VCPU, nor that KVM's bug made pvti invalid, as only migration_count +on source VCPU is increased. + +Change vdso instead of updating migration_count on destination. + +Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> +Fixes: 0a4e6be9ca17 ("x86: kvm: Revert "remove sched notifier for cross-cpu migrations"") +Message-Id: <1428000263-11892-1-git-send-email-rkrcmar@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/x86/vdso/vclock_gettime.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/vdso/vclock_gettime.c b/arch/x86/vdso/vclock_gettime.c +index 3093376..40d2473 100644 +--- a/arch/x86/vdso/vclock_gettime.c ++++ b/arch/x86/vdso/vclock_gettime.c +@@ -99,21 +99,25 @@ static notrace cycle_t vread_pvclock(int *mode) + * __getcpu() calls (Gleb). + */ + +- pvti = get_pvti(cpu); ++ /* Make sure migrate_count will change if we leave the VCPU. */ ++ do { ++ pvti = get_pvti(cpu); ++ migrate_count = pvti->migrate_count; + +- migrate_count = pvti->migrate_count; ++ cpu1 = cpu; ++ cpu = __getcpu() & VGETCPU_CPU_MASK; ++ } while (unlikely(cpu != cpu1)); + + version = __pvclock_read_cycles(&pvti->pvti, &ret, &flags); + + /* + * Test we're still on the cpu as well as the version. +- * We could have been migrated just after the first +- * vgetcpu but before fetching the version, so we +- * wouldn't notice a version change. ++ * - We must read TSC of pvti's VCPU. ++ * - KVM doesn't follow the versioning protocol, so data could ++ * change before version if we left the VCPU. + */ +- cpu1 = __getcpu() & VGETCPU_CPU_MASK; +- } while (unlikely(cpu != cpu1 || +- (pvti->pvti.version & 1) || ++ smp_rmb(); ++ } while (unlikely((pvti->pvti.version & 1) || + pvti->pvti.version != version || + pvti->migrate_count != migrate_count)); + +-- +2.3.6 + + +From 0e625b6df5ac57968c7ab197e916ea03f70e4a24 Mon Sep 17 00:00:00 2001 +From: Len Brown <len.brown@intel.com> +Date: Wed, 15 Jan 2014 00:37:34 -0500 +Subject: [PATCH 015/219] sched/idle/x86: Restore mwait_idle() to fix boot + hangs, to improve power savings and to improve performance +Cc: mpagano@gentoo.org + +commit b253149b843f89cd300cbdbea27ce1f847506f99 upstream. + +In Linux-3.9 we removed the mwait_idle() loop: + + 69fb3676df33 ("x86 idle: remove mwait_idle() and "idle=mwait" cmdline param") + +The reasoning was that modern machines should be sufficiently +happy during the boot process using the default_idle() HALT +loop, until cpuidle loads and either acpi_idle or intel_idle +invoke the newer MWAIT-with-hints idle loop. + +But two machines reported problems: + + 1. Certain Core2-era machines support MWAIT-C1 and HALT only. + MWAIT-C1 is preferred for optimal power and performance. + But if they support just C1, cpuidle never loads and + so they use the boot-time default idle loop forever. + + 2. Some laptops will boot-hang if HALT is used, + but will boot successfully if MWAIT is used. + This appears to be a hidden assumption in BIOS SMI, + that is presumably valid on the proprietary OS + where the BIOS was validated. + + https://bugzilla.kernel.org/show_bug.cgi?id=60770 + +So here we effectively revert the patch above, restoring +the mwait_idle() loop. However, we don't bother restoring +the idle=mwait cmdline parameter, since it appears to add +no value. + +Maintainer notes: + + For 3.9, simply revert 69fb3676df + for 3.10, patch -F3 applies, fuzz needed due to __cpuinit use in + context For 3.11, 3.12, 3.13, this patch applies cleanly + +Tested-by: Mike Galbraith <bitbucket@online.de> +Signed-off-by: Len Brown <len.brown@intel.com> +Acked-by: Mike Galbraith <bitbucket@online.de> +Cc: Borislav Petkov <bp@alien8.de> +Cc: H. Peter Anvin <hpa@zytor.com> +Cc: Ian Malone <ibmalone@gmail.com> +Cc: Josh Boyer <jwboyer@redhat.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Mike Galbraith <efault@gmx.de> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Link: http://lkml.kernel.org/r/345254a551eb5a6a866e048d7ab570fd2193aca4.1389763084.git.len.brown@intel.com +[ Ported to recent kernels. ] +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/x86/include/asm/mwait.h | 8 ++++++++ + arch/x86/kernel/process.c | 47 ++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 55 insertions(+) + +diff --git a/arch/x86/include/asm/mwait.h b/arch/x86/include/asm/mwait.h +index a1410db..653dfa7 100644 +--- a/arch/x86/include/asm/mwait.h ++++ b/arch/x86/include/asm/mwait.h +@@ -30,6 +30,14 @@ static inline void __mwait(unsigned long eax, unsigned long ecx) + :: "a" (eax), "c" (ecx)); + } + ++static inline void __sti_mwait(unsigned long eax, unsigned long ecx) ++{ ++ trace_hardirqs_on(); ++ /* "mwait %eax, %ecx;" */ ++ asm volatile("sti; .byte 0x0f, 0x01, 0xc9;" ++ :: "a" (eax), "c" (ecx)); ++} ++ + /* + * This uses new MONITOR/MWAIT instructions on P4 processors with PNI, + * which can obviate IPI to trigger checking of need_resched. +diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c +index 046e2d6..65e1a90 100644 +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -24,6 +24,7 @@ + #include <asm/syscalls.h> + #include <asm/idle.h> + #include <asm/uaccess.h> ++#include <asm/mwait.h> + #include <asm/i387.h> + #include <asm/fpu-internal.h> + #include <asm/debugreg.h> +@@ -399,6 +400,49 @@ static void amd_e400_idle(void) + default_idle(); + } + ++/* ++ * Intel Core2 and older machines prefer MWAIT over HALT for C1. ++ * We can't rely on cpuidle installing MWAIT, because it will not load ++ * on systems that support only C1 -- so the boot default must be MWAIT. ++ * ++ * Some AMD machines are the opposite, they depend on using HALT. ++ * ++ * So for default C1, which is used during boot until cpuidle loads, ++ * use MWAIT-C1 on Intel HW that has it, else use HALT. ++ */ ++static int prefer_mwait_c1_over_halt(const struct cpuinfo_x86 *c) ++{ ++ if (c->x86_vendor != X86_VENDOR_INTEL) ++ return 0; ++ ++ if (!cpu_has(c, X86_FEATURE_MWAIT)) ++ return 0; ++ ++ return 1; ++} ++ ++/* ++ * MONITOR/MWAIT with no hints, used for default default C1 state. ++ * This invokes MWAIT with interrutps enabled and no flags, ++ * which is backwards compatible with the original MWAIT implementation. ++ */ ++ ++static void mwait_idle(void) ++{ ++ if (!need_resched()) { ++ if (this_cpu_has(X86_BUG_CLFLUSH_MONITOR)) ++ clflush((void *)¤t_thread_info()->flags); ++ ++ __monitor((void *)¤t_thread_info()->flags, 0, 0); ++ smp_mb(); ++ if (!need_resched()) ++ __sti_mwait(0, 0); ++ else ++ local_irq_enable(); ++ } else ++ local_irq_enable(); ++} ++ + void select_idle_routine(const struct cpuinfo_x86 *c) + { + #ifdef CONFIG_SMP +@@ -412,6 +456,9 @@ void select_idle_routine(const struct cpuinfo_x86 *c) + /* E400: APIC timer interrupt does not wake up CPU from C1e */ + pr_info("using AMD E400 aware idle routine\n"); + x86_idle = amd_e400_idle; ++ } else if (prefer_mwait_c1_over_halt(c)) { ++ pr_info("using mwait in idle threads\n"); ++ x86_idle = mwait_idle; + } else + x86_idle = default_idle; + } +-- +2.3.6 + + +From aaa51337c5819599af0d1f6aba6a31639dd1c0a6 Mon Sep 17 00:00:00 2001 +From: Mike Galbraith <bitbucket@online.de> +Date: Sat, 18 Jan 2014 17:14:44 +0100 +Subject: [PATCH 016/219] sched/idle/x86: Optimize unnecessary mwait_idle() + resched IPIs +Cc: mpagano@gentoo.org + +commit f8e617f4582995f7c25ef25b4167213120ad122b upstream. + +To fully take advantage of MWAIT, apparently the CLFLUSH instruction needs +another quirk on certain CPUs: proper barriers around it on certain machines. + +On a Q6600 SMP system, pipe-test scheduling performance, cross core, +improves significantly: + + 3.8.13 487.2 KHz 1.000 + 3.13.0-master 415.5 KHz .852 + 3.13.0-master+ 415.2 KHz .852 + restore mwait_idle + 3.13.0-master++ 488.5 KHz 1.002 + restore mwait_idle + IPI fix + +Since X86_BUG_CLFLUSH_MONITOR is already a quirk, don't create a separate +quirk for the extra smp_mb()s. + +Signed-off-by: Mike Galbraith <bitbucket@online.de> +Cc: Borislav Petkov <bp@alien8.de> +Cc: H. Peter Anvin <hpa@zytor.com> +Cc: Ian Malone <ibmalone@gmail.com> +Cc: Josh Boyer <jwboyer@redhat.com> +Cc: Len Brown <len.brown@intel.com> +Cc: Len Brown <lenb@kernel.org> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Mike Galbraith <efault@gmx.de> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Link: http://lkml.kernel.org/r/1390061684.5566.4.camel@marge.simpson.net +[ Ported to recent kernel, added comments about the quirk. ] +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/x86/kernel/process.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c +index 65e1a90..a388bb8 100644 +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -429,18 +429,22 @@ static int prefer_mwait_c1_over_halt(const struct cpuinfo_x86 *c) + + static void mwait_idle(void) + { +- if (!need_resched()) { +- if (this_cpu_has(X86_BUG_CLFLUSH_MONITOR)) ++ if (!current_set_polling_and_test()) { ++ if (this_cpu_has(X86_BUG_CLFLUSH_MONITOR)) { ++ smp_mb(); /* quirk */ + clflush((void *)¤t_thread_info()->flags); ++ smp_mb(); /* quirk */ ++ } + + __monitor((void *)¤t_thread_info()->flags, 0, 0); +- smp_mb(); + if (!need_resched()) + __sti_mwait(0, 0); + else + local_irq_enable(); +- } else ++ } else { + local_irq_enable(); ++ } ++ __current_clr_polling(); + } + + void select_idle_routine(const struct cpuinfo_x86 *c) +-- +2.3.6 + + +From 6e4dd840cca3053125c3f55650df1a9313b91615 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra <peterz@infradead.org> +Date: Sat, 11 Apr 2015 12:16:22 +0200 +Subject: [PATCH 017/219] perf/x86/intel: Fix Core2,Atom,NHM,WSM cycles:pp + events +Cc: mpagano@gentoo.org + +commit 517e6341fa123ec3a2f9ea78ad547be910529881 upstream. + +Ingo reported that cycles:pp didn't work for him on some machines. + +It turns out that in this commit: + + af4bdcf675cf perf/x86/intel: Disallow flags for most Core2/Atom/Nehalem/Westmere events + +Andi forgot to explicitly allow that event when he +disabled event flags for PEBS on those uarchs. + +Reported-by: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Cc: Arnaldo Carvalho de Melo <acme@redhat.com> +Cc: Jiri Olsa <jolsa@redhat.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Fixes: af4bdcf675cf ("perf/x86/intel: Disallow flags for most Core2/Atom/Nehalem/Westmere events") +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/x86/kernel/cpu/perf_event_intel_ds.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/x86/kernel/cpu/perf_event_intel_ds.c b/arch/x86/kernel/cpu/perf_event_intel_ds.c +index 0739833..666bcf1 100644 +--- a/arch/x86/kernel/cpu/perf_event_intel_ds.c ++++ b/arch/x86/kernel/cpu/perf_event_intel_ds.c +@@ -557,6 +557,8 @@ struct event_constraint intel_core2_pebs_event_constraints[] = { + INTEL_FLAGS_UEVENT_CONSTRAINT(0x00c5, 0x1), /* BR_INST_RETIRED.MISPRED */ + INTEL_FLAGS_UEVENT_CONSTRAINT(0x1fc7, 0x1), /* SIMD_INST_RETURED.ANY */ + INTEL_FLAGS_EVENT_CONSTRAINT(0xcb, 0x1), /* MEM_LOAD_RETIRED.* */ ++ /* INST_RETIRED.ANY_P, inv=1, cmask=16 (cycles:p). */ ++ INTEL_FLAGS_EVENT_CONSTRAINT(0x108000c0, 0x01), + EVENT_CONSTRAINT_END + }; + +@@ -564,6 +566,8 @@ struct event_constraint intel_atom_pebs_event_constraints[] = { + INTEL_FLAGS_UEVENT_CONSTRAINT(0x00c0, 0x1), /* INST_RETIRED.ANY */ + INTEL_FLAGS_UEVENT_CONSTRAINT(0x00c5, 0x1), /* MISPREDICTED_BRANCH_RETIRED */ + INTEL_FLAGS_EVENT_CONSTRAINT(0xcb, 0x1), /* MEM_LOAD_RETIRED.* */ ++ /* INST_RETIRED.ANY_P, inv=1, cmask=16 (cycles:p). */ ++ INTEL_FLAGS_EVENT_CONSTRAINT(0x108000c0, 0x01), + EVENT_CONSTRAINT_END + }; + +@@ -587,6 +591,8 @@ struct event_constraint intel_nehalem_pebs_event_constraints[] = { + INTEL_FLAGS_UEVENT_CONSTRAINT(0x20c8, 0xf), /* ITLB_MISS_RETIRED */ + INTEL_FLAGS_EVENT_CONSTRAINT(0xcb, 0xf), /* MEM_LOAD_RETIRED.* */ + INTEL_FLAGS_EVENT_CONSTRAINT(0xf7, 0xf), /* FP_ASSIST.* */ ++ /* INST_RETIRED.ANY_P, inv=1, cmask=16 (cycles:p). */ ++ INTEL_FLAGS_EVENT_CONSTRAINT(0x108000c0, 0x0f), + EVENT_CONSTRAINT_END + }; + +@@ -602,6 +608,8 @@ struct event_constraint intel_westmere_pebs_event_constraints[] = { + INTEL_FLAGS_UEVENT_CONSTRAINT(0x20c8, 0xf), /* ITLB_MISS_RETIRED */ + INTEL_FLAGS_EVENT_CONSTRAINT(0xcb, 0xf), /* MEM_LOAD_RETIRED.* */ + INTEL_FLAGS_EVENT_CONSTRAINT(0xf7, 0xf), /* FP_ASSIST.* */ ++ /* INST_RETIRED.ANY_P, inv=1, cmask=16 (cycles:p). */ ++ INTEL_FLAGS_EVENT_CONSTRAINT(0x108000c0, 0x0f), + EVENT_CONSTRAINT_END + }; + +-- +2.3.6 + + +From 5c966c4f563f8b10e276e43579c0f27ea2a3cef2 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Thu, 23 Apr 2015 08:33:59 -0700 +Subject: [PATCH 018/219] x86: fix special __probe_kernel_write() tail zeroing + case +Cc: mpagano@gentoo.org + +commit d869844bd081081bf537e806a44811884230643e upstream. + +Commit cae2a173fe94 ("x86: clean up/fix 'copy_in_user()' tail zeroing") +fixed the failure case tail zeroing of one special case of the x86-64 +generic user-copy routine, namely when used for the user-to-user case +("copy_in_user()"). + +But in the process it broke an even more unusual case: using the user +copy routine for kernel-to-kernel copying. + +Now, normally kernel-kernel copies are obviously done using memcpy(), +but we have a couple of special cases when we use the user-copy +functions. One is when we pass a kernel buffer to a regular user-buffer +routine, using set_fs(KERNEL_DS). That's a "normal" case, and continued +to work fine, because it never takes any faults (with the possible +exception of a silent and successful vmalloc fault). + +But Jan Beulich pointed out another, very unusual, special case: when we +use the user-copy routines not because it's a path that expects a user +pointer, but for a couple of ftrace/kgdb cases that want to do a kernel +copy, but do so using "unsafe" buffers, and use the user-copy routine to +gracefully handle faults. IOW, for probe_kernel_write(). + +And that broke for the case of a faulting kernel destination, because we +saw the kernel destination and wanted to try to clear the tail of the +buffer. Which doesn't work, since that's what faults. + +This only triggers for things like kgdb and ftrace users (eg trying +setting a breakpoint on read-only memory), but it's definitely a bug. +The fix is to not compare against the kernel address start (TASK_SIZE), +but instead use the same limits "access_ok()" uses. + +Reported-and-tested-by: Jan Beulich <jbeulich@suse.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/x86/lib/usercopy_64.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c +index 1f33b3d..0a42327 100644 +--- a/arch/x86/lib/usercopy_64.c ++++ b/arch/x86/lib/usercopy_64.c +@@ -82,7 +82,7 @@ copy_user_handle_tail(char *to, char *from, unsigned len) + clac(); + + /* If the destination is a kernel buffer, we always clear the end */ +- if ((unsigned long)to >= TASK_SIZE_MAX) ++ if (!__addr_ok(to)) + memset(to, 0, len); + return len; + } +-- +2.3.6 + + +From 47b34f8519e8a009d3ba8506ea8c5e7fe4314a6d Mon Sep 17 00:00:00 2001 +From: Nadav Amit <namit@cs.technion.ac.il> +Date: Sun, 12 Apr 2015 21:47:15 +0300 +Subject: [PATCH 019/219] KVM: x86: Fix MSR_IA32_BNDCFGS in msrs_to_save +Cc: mpagano@gentoo.org + +commit 9e9c3fe40bcd28e3f98f0ad8408435f4503f2781 upstream. + +kvm_init_msr_list is currently called before hardware_setup. As a result, +vmx_mpx_supported always returns false when kvm_init_msr_list checks whether to +save MSR_IA32_BNDCFGS. + +Move kvm_init_msr_list after vmx_hardware_setup is called to fix this issue. + +Signed-off-by: Nadav Amit <namit@cs.technion.ac.il> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +Message-Id: <1428864435-4732-1-git-send-email-namit@cs.technion.ac.il> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/x86/kvm/x86.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 32bf19e..e222ba5 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -5775,7 +5775,6 @@ int kvm_arch_init(void *opaque) + kvm_set_mmio_spte_mask(); + + kvm_x86_ops = ops; +- kvm_init_msr_list(); + + kvm_mmu_set_mask_ptes(PT_USER_MASK, PT_ACCESSED_MASK, + PT_DIRTY_MASK, PT64_NX_MASK, 0); +@@ -7209,7 +7208,14 @@ void kvm_arch_hardware_disable(void) + + int kvm_arch_hardware_setup(void) + { +- return kvm_x86_ops->hardware_setup(); ++ int r; ++ ++ r = kvm_x86_ops->hardware_setup(); ++ if (r != 0) ++ return r; ++ ++ kvm_init_msr_list(); ++ return 0; + } + + void kvm_arch_hardware_unsetup(void) +-- +2.3.6 + + +From 7362dcdba904cf6a1c3791c253f25f85390d45c0 Mon Sep 17 00:00:00 2001 +From: Filipe Manana <fdmanana@suse.com> +Date: Mon, 23 Mar 2015 14:07:40 +0000 +Subject: [PATCH 020/219] Btrfs: fix log tree corruption when fs mounted with + -o discard +Cc: mpagano@gentoo.org + +commit dcc82f4783ad91d4ab654f89f37ae9291cdc846a upstream. + +While committing a transaction we free the log roots before we write the +new super block. Freeing the log roots implies marking the disk location +of every node/leaf (metadata extent) as pinned before the new super block +is written. This is to prevent the disk location of log metadata extents +from being reused before the new super block is written, otherwise we +would have a corrupted log tree if before the new super block is written +a crash/reboot happens and the location of any log tree metadata extent +ended up being reused and rewritten. + +Even though we pinned the log tree's metadata extents, we were issuing a +discard against them if the fs was mounted with the -o discard option, +resulting in corruption of the log tree if a crash/reboot happened before +writing the new super block - the next time the fs was mounted, during +the log replay process we would find nodes/leafs of the log btree with +a content full of zeroes, causing the process to fail and require the +use of the tool btrfs-zero-log to wipeout the log tree (and all data +previously fsynced becoming lost forever). + +Fix this by not doing a discard when pinning an extent. The discard will +be done later when it's safe (after the new super block is committed) at +extent-tree.c:btrfs_finish_extent_commit(). + +Fixes: e688b7252f78 (Btrfs: fix extent pinning bugs in the tree log) +Signed-off-by: Filipe Manana <fdmanana@suse.com> +Signed-off-by: Chris Mason <clm@fb.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/btrfs/extent-tree.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 8b353ad..0a795c9 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -6956,12 +6956,11 @@ static int __btrfs_free_reserved_extent(struct btrfs_root *root, + return -ENOSPC; + } + +- if (btrfs_test_opt(root, DISCARD)) +- ret = btrfs_discard_extent(root, start, len, NULL); +- + if (pin) + pin_down_extent(root, cache, start, len, 1); + else { ++ if (btrfs_test_opt(root, DISCARD)) ++ ret = btrfs_discard_extent(root, start, len, NULL); + btrfs_add_free_space(cache, start, len); + btrfs_update_reserved_bytes(cache, len, RESERVE_FREE, delalloc); + } +-- +2.3.6 + + +From 1f6719c298def2c3440dc5e9ca9532053877fff7 Mon Sep 17 00:00:00 2001 +From: David Sterba <dsterba@suse.cz> +Date: Wed, 25 Mar 2015 19:26:41 +0100 +Subject: [PATCH 021/219] btrfs: don't accept bare namespace as a valid xattr +Cc: mpagano@gentoo.org + +commit 3c3b04d10ff1811a27f86684ccd2f5ba6983211d upstream. + +Due to insufficient check in btrfs_is_valid_xattr, this unexpectedly +works: + + $ touch file + $ setfattr -n user. -v 1 file + $ getfattr -d file +user.="1" + +ie. the missing attribute name after the namespace. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=94291 +Reported-by: William Douglas <william.douglas@intel.com> +Signed-off-by: David Sterba <dsterba@suse.cz> +Signed-off-by: Chris Mason <clm@fb.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/btrfs/xattr.c | 53 +++++++++++++++++++++++++++++++++++++++-------------- + 1 file changed, 39 insertions(+), 14 deletions(-) + +diff --git a/fs/btrfs/xattr.c b/fs/btrfs/xattr.c +index 883b936..45ea704 100644 +--- a/fs/btrfs/xattr.c ++++ b/fs/btrfs/xattr.c +@@ -364,22 +364,42 @@ const struct xattr_handler *btrfs_xattr_handlers[] = { + /* + * Check if the attribute is in a supported namespace. + * +- * This applied after the check for the synthetic attributes in the system ++ * This is applied after the check for the synthetic attributes in the system + * namespace. + */ +-static bool btrfs_is_valid_xattr(const char *name) ++static int btrfs_is_valid_xattr(const char *name) + { +- return !strncmp(name, XATTR_SECURITY_PREFIX, +- XATTR_SECURITY_PREFIX_LEN) || +- !strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN) || +- !strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) || +- !strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) || +- !strncmp(name, XATTR_BTRFS_PREFIX, XATTR_BTRFS_PREFIX_LEN); ++ int len = strlen(name); ++ int prefixlen = 0; ++ ++ if (!strncmp(name, XATTR_SECURITY_PREFIX, ++ XATTR_SECURITY_PREFIX_LEN)) ++ prefixlen = XATTR_SECURITY_PREFIX_LEN; ++ else if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN)) ++ prefixlen = XATTR_SYSTEM_PREFIX_LEN; ++ else if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) ++ prefixlen = XATTR_TRUSTED_PREFIX_LEN; ++ else if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) ++ prefixlen = XATTR_USER_PREFIX_LEN; ++ else if (!strncmp(name, XATTR_BTRFS_PREFIX, XATTR_BTRFS_PREFIX_LEN)) ++ prefixlen = XATTR_BTRFS_PREFIX_LEN; ++ else ++ return -EOPNOTSUPP; ++ ++ /* ++ * The name cannot consist of just prefix ++ */ ++ if (len <= prefixlen) ++ return -EINVAL; ++ ++ return 0; + } + + ssize_t btrfs_getxattr(struct dentry *dentry, const char *name, + void *buffer, size_t size) + { ++ int ret; ++ + /* + * If this is a request for a synthetic attribute in the system.* + * namespace use the generic infrastructure to resolve a handler +@@ -388,8 +408,9 @@ ssize_t btrfs_getxattr(struct dentry *dentry, const char *name, + if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN)) + return generic_getxattr(dentry, name, buffer, size); + +- if (!btrfs_is_valid_xattr(name)) +- return -EOPNOTSUPP; ++ ret = btrfs_is_valid_xattr(name); ++ if (ret) ++ return ret; + return __btrfs_getxattr(dentry->d_inode, name, buffer, size); + } + +@@ -397,6 +418,7 @@ int btrfs_setxattr(struct dentry *dentry, const char *name, const void *value, + size_t size, int flags) + { + struct btrfs_root *root = BTRFS_I(dentry->d_inode)->root; ++ int ret; + + /* + * The permission on security.* and system.* is not checked +@@ -413,8 +435,9 @@ int btrfs_setxattr(struct dentry *dentry, const char *name, const void *value, + if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN)) + return generic_setxattr(dentry, name, value, size, flags); + +- if (!btrfs_is_valid_xattr(name)) +- return -EOPNOTSUPP; ++ ret = btrfs_is_valid_xattr(name); ++ if (ret) ++ return ret; + + if (!strncmp(name, XATTR_BTRFS_PREFIX, XATTR_BTRFS_PREFIX_LEN)) + return btrfs_set_prop(dentry->d_inode, name, +@@ -430,6 +453,7 @@ int btrfs_setxattr(struct dentry *dentry, const char *name, const void *value, + int btrfs_removexattr(struct dentry *dentry, const char *name) + { + struct btrfs_root *root = BTRFS_I(dentry->d_inode)->root; ++ int ret; + + /* + * The permission on security.* and system.* is not checked +@@ -446,8 +470,9 @@ int btrfs_removexattr(struct dentry *dentry, const char *name) + if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN)) + return generic_removexattr(dentry, name); + +- if (!btrfs_is_valid_xattr(name)) +- return -EOPNOTSUPP; ++ ret = btrfs_is_valid_xattr(name); ++ if (ret) ++ return ret; + + if (!strncmp(name, XATTR_BTRFS_PREFIX, XATTR_BTRFS_PREFIX_LEN)) + return btrfs_set_prop(dentry->d_inode, name, +-- +2.3.6 + + +From 9301d5068d8732a0f2d787240270a1426d09ecf5 Mon Sep 17 00:00:00 2001 +From: Filipe Manana <fdmanana@suse.com> +Date: Mon, 30 Mar 2015 18:23:59 +0100 +Subject: [PATCH 022/219] Btrfs: fix inode eviction infinite loop after cloning + into it +Cc: mpagano@gentoo.org + +commit ccccf3d67294714af2d72a6fd6fd7d73b01c9329 upstream. + +If we attempt to clone a 0 length region into a file we can end up +inserting a range in the inode's extent_io tree with a start offset +that is greater then the end offset, which triggers immediately the +following warning: + +[ 3914.619057] WARNING: CPU: 17 PID: 4199 at fs/btrfs/extent_io.c:435 insert_state+0x4b/0x10b [btrfs]() +[ 3914.620886] BTRFS: end < start 4095 4096 +(...) +[ 3914.638093] Call Trace: +[ 3914.638636] [<ffffffff81425fd9>] dump_stack+0x4c/0x65 +[ 3914.639620] [<ffffffff81045390>] warn_slowpath_common+0xa1/0xbb +[ 3914.640789] [<ffffffffa03ca44f>] ? insert_state+0x4b/0x10b [btrfs] +[ 3914.642041] [<ffffffff810453f0>] warn_slowpath_fmt+0x46/0x48 +[ 3914.643236] [<ffffffffa03ca44f>] insert_state+0x4b/0x10b [btrfs] +[ 3914.644441] [<ffffffffa03ca729>] __set_extent_bit+0x107/0x3f4 [btrfs] +[ 3914.645711] [<ffffffffa03cb256>] lock_extent_bits+0x65/0x1bf [btrfs] +[ 3914.646914] [<ffffffff8142b2fb>] ? _raw_spin_unlock+0x28/0x33 +[ 3914.648058] [<ffffffffa03cbac4>] ? test_range_bit+0xcc/0xde [btrfs] +[ 3914.650105] [<ffffffffa03cb3c3>] lock_extent+0x13/0x15 [btrfs] +[ 3914.651361] [<ffffffffa03db39e>] lock_extent_range+0x3d/0xcd [btrfs] +[ 3914.652761] [<ffffffffa03de1fe>] btrfs_ioctl_clone+0x278/0x388 [btrfs] +[ 3914.654128] [<ffffffff811226dd>] ? might_fault+0x58/0xb5 +[ 3914.655320] [<ffffffffa03e0909>] btrfs_ioctl+0xb51/0x2195 [btrfs] +(...) +[ 3914.669271] ---[ end trace 14843d3e2e622fc1 ]--- + +This later makes the inode eviction handler enter an infinite loop that +keeps dumping the following warning over and over: + +[ 3915.117629] WARNING: CPU: 22 PID: 4228 at fs/btrfs/extent_io.c:435 insert_state+0x4b/0x10b [btrfs]() +[ 3915.119913] BTRFS: end < start 4095 4096 +(...) +[ 3915.137394] Call Trace: +[ 3915.137913] [<ffffffff81425fd9>] dump_stack+0x4c/0x65 +[ 3915.139154] [<ffffffff81045390>] warn_slowpath_common+0xa1/0xbb +[ 3915.140316] [<ffffffffa03ca44f>] ? insert_state+0x4b/0x10b [btrfs] +[ 3915.141505] [<ffffffff810453f0>] warn_slowpath_fmt+0x46/0x48 +[ 3915.142709] [<ffffffffa03ca44f>] insert_state+0x4b/0x10b [btrfs] +[ 3915.143849] [<ffffffffa03ca729>] __set_extent_bit+0x107/0x3f4 [btrfs] +[ 3915.145120] [<ffffffffa038c1e3>] ? btrfs_kill_super+0x17/0x23 [btrfs] +[ 3915.146352] [<ffffffff811548f6>] ? deactivate_locked_super+0x3b/0x50 +[ 3915.147565] [<ffffffffa03cb256>] lock_extent_bits+0x65/0x1bf [btrfs] +[ 3915.148785] [<ffffffff8142b7e2>] ? _raw_write_unlock+0x28/0x33 +[ 3915.149931] [<ffffffffa03bc325>] btrfs_evict_inode+0x196/0x482 [btrfs] +[ 3915.151154] [<ffffffff81168904>] evict+0xa0/0x148 +[ 3915.152094] [<ffffffff811689e5>] dispose_list+0x39/0x43 +[ 3915.153081] [<ffffffff81169564>] evict_inodes+0xdc/0xeb +[ 3915.154062] [<ffffffff81154418>] generic_shutdown_super+0x49/0xef +[ 3915.155193] [<ffffffff811546d1>] kill_anon_super+0x13/0x1e +[ 3915.156274] [<ffffffffa038c1e3>] btrfs_kill_super+0x17/0x23 [btrfs] +(...) +[ 3915.167404] ---[ end trace 14843d3e2e622fc2 ]--- + +So just bail out of the clone ioctl if the length of the region to clone +is zero, without locking any extent range, in order to prevent this issue +(same behaviour as a pwrite with a 0 length for example). + +This is trivial to reproduce. For example, the steps for the test I just +made for fstests: + + mkfs.btrfs -f SCRATCH_DEV + mount SCRATCH_DEV $SCRATCH_MNT + + touch $SCRATCH_MNT/foo + touch $SCRATCH_MNT/bar + + $CLONER_PROG -s 0 -d 4096 -l 0 $SCRATCH_MNT/foo $SCRATCH_MNT/bar + umount $SCRATCH_MNT + +A test case for fstests follows soon. + +Signed-off-by: Filipe Manana <fdmanana@suse.com> +Reviewed-by: Omar Sandoval <osandov@osandov.com> +Signed-off-by: Chris Mason <clm@fb.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/btrfs/ioctl.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index 74609b9..a09d3b8 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -3626,6 +3626,11 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd, + if (off + len == src->i_size) + len = ALIGN(src->i_size, bs) - off; + ++ if (len == 0) { ++ ret = 0; ++ goto out_unlock; ++ } ++ + /* verify the end result is block aligned */ + if (!IS_ALIGNED(off, bs) || !IS_ALIGNED(off + len, bs) || + !IS_ALIGNED(destoff, bs)) +-- +2.3.6 + + +From 68ea2629745f61ddf8a603970e74b294737bc5d7 Mon Sep 17 00:00:00 2001 +From: Filipe Manana <fdmanana@suse.com> +Date: Mon, 30 Mar 2015 18:26:47 +0100 +Subject: [PATCH 023/219] Btrfs: fix inode eviction infinite loop after + extent_same ioctl +Cc: mpagano@gentoo.org + +commit 113e8283869b9855c8b999796aadd506bbac155f upstream. + +If we pass a length of 0 to the extent_same ioctl, we end up locking an +extent range with a start offset greater then its end offset (if the +destination file's offset is greater than zero). This results in a warning +from extent_io.c:insert_state through the following call chain: + + btrfs_extent_same() + btrfs_double_lock() + lock_extent_range() + lock_extent(inode->io_tree, offset, offset + len - 1) + lock_extent_bits() + __set_extent_bit() + insert_state() + --> WARN_ON(end < start) + +This leads to an infinite loop when evicting the inode. This is the same +problem that my previous patch titled +"Btrfs: fix inode eviction infinite loop after cloning into it" addressed +but for the extent_same ioctl instead of the clone ioctl. + +Signed-off-by: Filipe Manana <fdmanana@suse.com> +Reviewed-by: Omar Sandoval <osandov@osandov.com> +Signed-off-by: Chris Mason <clm@fb.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/btrfs/ioctl.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index a09d3b8..f23d4be 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -2897,6 +2897,9 @@ static int btrfs_extent_same(struct inode *src, u64 loff, u64 len, + if (src == dst) + return -EINVAL; + ++ if (len == 0) ++ return 0; ++ + btrfs_double_lock(src, loff, dst, dst_loff, len); + + ret = extent_same_check_offsets(src, loff, len); +-- +2.3.6 + + +From 5683056e4853891106ae0a99938c96dfdc8fa881 Mon Sep 17 00:00:00 2001 +From: Gerald Schaefer <gerald.schaefer@de.ibm.com> +Date: Tue, 14 Apr 2015 15:42:30 -0700 +Subject: [PATCH 024/219] mm/hugetlb: use pmd_page() in follow_huge_pmd() +Cc: mpagano@gentoo.org + +commit 97534127012f0e396eddea4691f4c9b170aed74b upstream. + +Commit 61f77eda9bbf ("mm/hugetlb: reduce arch dependent code around +follow_huge_*") broke follow_huge_pmd() on s390, where pmd and pte +layout differ and using pte_page() on a huge pmd will return wrong +results. Using pmd_page() instead fixes this. + +All architectures that were touched by that commit have pmd_page() +defined, so this should not break anything on other architectures. + +Fixes: 61f77eda "mm/hugetlb: reduce arch dependent code around follow_huge_*" +Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com> +Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com> +Cc: Hugh Dickins <hughd@google.com> +Cc: Michal Hocko <mhocko@suse.cz> +Cc: Andrea Arcangeli <aarcange@redhat.com> +Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> +Acked-by: David Rientjes <rientjes@google.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + mm/hugetlb.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index c41b2a0..caad3c5 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -3735,8 +3735,7 @@ retry: + if (!pmd_huge(*pmd)) + goto out; + if (pmd_present(*pmd)) { +- page = pte_page(*(pte_t *)pmd) + +- ((address & ~PMD_MASK) >> PAGE_SHIFT); ++ page = pmd_page(*pmd) + ((address & ~PMD_MASK) >> PAGE_SHIFT); + if (flags & FOLL_GET) + get_page(page); + } else { +-- +2.3.6 + + +From 5cb46afa0f6d4c48714951dc856c404d79315a39 Mon Sep 17 00:00:00 2001 +From: Scott Wood <scottwood@freescale.com> +Date: Fri, 10 Apr 2015 19:37:34 -0500 +Subject: [PATCH 025/219] powerpc/hugetlb: Call mm_dec_nr_pmds() in + hugetlb_free_pmd_range() +Cc: mpagano@gentoo.org + +commit 50c6a665b383cb5839e45d04e36faeeefaffa052 upstream. + +Commit dc6c9a35b66b5 ("mm: account pmd page tables to the process") +added a counter that is incremented whenever a PMD is allocated and +decremented whenever a PMD is freed. For hugepages on PPC, common code +is used to allocated PMDs, but arch-specific code is used to free PMDs. + +This results in kernel output such as "BUG: non-zero nr_pmds on freeing +mm: 1" when using hugepages. + +Update the PPC hugepage PMD freeing code to decrement the count, just +as the above commit did for free_pmd_range(). + +Fixes: dc6c9a35b66b5 ("mm: account pmd page tables to the process") +Signed-off-by: Scott Wood <scottwood@freescale.com> +Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/powerpc/mm/hugetlbpage.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/mm/hugetlbpage.c b/arch/powerpc/mm/hugetlbpage.c +index 7e408bf..cecbe00 100644 +--- a/arch/powerpc/mm/hugetlbpage.c ++++ b/arch/powerpc/mm/hugetlbpage.c +@@ -581,6 +581,7 @@ static void hugetlb_free_pmd_range(struct mmu_gather *tlb, pud_t *pud, + pmd = pmd_offset(pud, start); + pud_clear(pud); + pmd_free_tlb(tlb, pmd, start); ++ mm_dec_nr_pmds(tlb->mm); + } + + static void hugetlb_free_pud_range(struct mmu_gather *tlb, pgd_t *pgd, +-- +2.3.6 + + +From 9297ed24421df19f5c5085d65ee2575a63524447 Mon Sep 17 00:00:00 2001 +From: Andrzej Pietrasiewicz <andrzej.p@samsung.com> +Date: Tue, 3 Mar 2015 10:52:05 +0100 +Subject: [PATCH 026/219] usb: gadget: printer: enqueue printer's response for + setup request +Cc: mpagano@gentoo.org + +commit eb132ccbdec5df46e29c9814adf76075ce83576b upstream. + +Function-specific setup requests should be handled in such a way, that +apart from filling in the data buffer, the requests are also actually +enqueued: if function-specific setup is called from composte_setup(), +the "usb_ep_queue()" block of code in composite_setup() is skipped. + +The printer function lacks this part and it results in e.g. get device id +requests failing: the host expects some response, the device prepares it +but does not equeue it for sending to the host, so the host finally asserts +timeout. + +This patch adds enqueueing the prepared responses. + +Fixes: 2e87edf49227: "usb: gadget: make g_printer use composite" +Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com> +Signed-off-by: Felipe Balbi <balbi@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/usb/gadget/legacy/printer.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/usb/gadget/legacy/printer.c b/drivers/usb/gadget/legacy/printer.c +index 9054598..6385c19 100644 +--- a/drivers/usb/gadget/legacy/printer.c ++++ b/drivers/usb/gadget/legacy/printer.c +@@ -1031,6 +1031,15 @@ unknown: + break; + } + /* host either stalls (value < 0) or reports success */ ++ if (value >= 0) { ++ req->length = value; ++ req->zero = value < wLength; ++ value = usb_ep_queue(cdev->gadget->ep0, req, GFP_ATOMIC); ++ if (value < 0) { ++ ERROR(dev, "%s:%d Error!\n", __func__, __LINE__); ++ req->status = 0; ++ } ++ } + return value; + } + +-- +2.3.6 + + +From bcdd54ffac32205938fa2cdd656604973275214b Mon Sep 17 00:00:00 2001 +From: David Hildenbrand <dahi@linux.vnet.ibm.com> +Date: Wed, 4 Feb 2015 15:53:42 +0100 +Subject: [PATCH 027/219] KVM: s390: fix handling of write errors in the tpi + handler +Cc: mpagano@gentoo.org + +commit 261520dcfcba93ca5dfe671b88ffab038cd940c8 upstream. + +If the I/O interrupt could not be written to the guest provided +area (e.g. access exception), a program exception was injected into the +guest but "inti" wasn't freed, therefore resulting in a memory leak. + +In addition, the I/O interrupt wasn't reinjected. Therefore the dequeued +interrupt is lost. + +This patch fixes the problem while cleaning up the function and making the +cc and rc logic easier to handle. + +Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com> +Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/s390/kvm/priv.c | 40 +++++++++++++++++++++++----------------- + 1 file changed, 23 insertions(+), 17 deletions(-) + +diff --git a/arch/s390/kvm/priv.c b/arch/s390/kvm/priv.c +index 3511169..767149a 100644 +--- a/arch/s390/kvm/priv.c ++++ b/arch/s390/kvm/priv.c +@@ -229,18 +229,19 @@ static int handle_tpi(struct kvm_vcpu *vcpu) + struct kvm_s390_interrupt_info *inti; + unsigned long len; + u32 tpi_data[3]; +- int cc, rc; ++ int rc; + u64 addr; + +- rc = 0; + addr = kvm_s390_get_base_disp_s(vcpu); + if (addr & 3) + return kvm_s390_inject_program_int(vcpu, PGM_SPECIFICATION); +- cc = 0; ++ + inti = kvm_s390_get_io_int(vcpu->kvm, vcpu->arch.sie_block->gcr[6], 0); +- if (!inti) +- goto no_interrupt; +- cc = 1; ++ if (!inti) { ++ kvm_s390_set_psw_cc(vcpu, 0); ++ return 0; ++ } ++ + tpi_data[0] = inti->io.subchannel_id << 16 | inti->io.subchannel_nr; + tpi_data[1] = inti->io.io_int_parm; + tpi_data[2] = inti->io.io_int_word; +@@ -251,30 +252,35 @@ static int handle_tpi(struct kvm_vcpu *vcpu) + */ + len = sizeof(tpi_data) - 4; + rc = write_guest(vcpu, addr, &tpi_data, len); +- if (rc) +- return kvm_s390_inject_prog_cond(vcpu, rc); ++ if (rc) { ++ rc = kvm_s390_inject_prog_cond(vcpu, rc); ++ goto reinject_interrupt; ++ } + } else { + /* + * Store the three-word I/O interruption code into + * the appropriate lowcore area. + */ + len = sizeof(tpi_data); +- if (write_guest_lc(vcpu, __LC_SUBCHANNEL_ID, &tpi_data, len)) ++ if (write_guest_lc(vcpu, __LC_SUBCHANNEL_ID, &tpi_data, len)) { ++ /* failed writes to the low core are not recoverable */ + rc = -EFAULT; ++ goto reinject_interrupt; ++ } + } ++ ++ /* irq was successfully handed to the guest */ ++ kfree(inti); ++ kvm_s390_set_psw_cc(vcpu, 1); ++ return 0; ++reinject_interrupt: + /* + * If we encounter a problem storing the interruption code, the + * instruction is suppressed from the guest's view: reinject the + * interrupt. + */ +- if (!rc) +- kfree(inti); +- else +- kvm_s390_reinject_io_int(vcpu->kvm, inti); +-no_interrupt: +- /* Set condition code and we're done. */ +- if (!rc) +- kvm_s390_set_psw_cc(vcpu, cc); ++ kvm_s390_reinject_io_int(vcpu->kvm, inti); ++ /* don't set the cc, a pgm irq was injected or we drop to user space */ + return rc ? -EFAULT : 0; + } + +-- +2.3.6 + + +From 98529eff3f93a3179a35f9ae459e21f64e8be813 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand <dahi@linux.vnet.ibm.com> +Date: Wed, 4 Feb 2015 15:59:11 +0100 +Subject: [PATCH 028/219] KVM: s390: reinjection of irqs can fail in the tpi + handler +Cc: mpagano@gentoo.org + +commit 15462e37ca848abac7477dece65f8af25febd744 upstream. + +The reinjection of an I/O interrupt can fail if the list is at the limit +and between the dequeue and the reinjection, another I/O interrupt is +injected (e.g. if user space floods kvm with I/O interrupts). + +This patch avoids this memory leak and returns -EFAULT in this special +case. This error is not recoverable, so let's fail hard. This can later +be avoided by not dequeuing the interrupt but working directly on the +locked list. + +Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com> +Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/s390/kvm/interrupt.c | 4 ++-- + arch/s390/kvm/kvm-s390.h | 4 ++-- + arch/s390/kvm/priv.c | 5 ++++- + 3 files changed, 8 insertions(+), 5 deletions(-) + +diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c +index 073b5f3..e7a46e8 100644 +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -1332,10 +1332,10 @@ int kvm_s390_inject_vm(struct kvm *kvm, + return rc; + } + +-void kvm_s390_reinject_io_int(struct kvm *kvm, ++int kvm_s390_reinject_io_int(struct kvm *kvm, + struct kvm_s390_interrupt_info *inti) + { +- __inject_vm(kvm, inti); ++ return __inject_vm(kvm, inti); + } + + int s390int_to_s390irq(struct kvm_s390_interrupt *s390int, +diff --git a/arch/s390/kvm/kvm-s390.h b/arch/s390/kvm/kvm-s390.h +index c34109a..6995a30 100644 +--- a/arch/s390/kvm/kvm-s390.h ++++ b/arch/s390/kvm/kvm-s390.h +@@ -151,8 +151,8 @@ int __must_check kvm_s390_inject_vcpu(struct kvm_vcpu *vcpu, + int __must_check kvm_s390_inject_program_int(struct kvm_vcpu *vcpu, u16 code); + struct kvm_s390_interrupt_info *kvm_s390_get_io_int(struct kvm *kvm, + u64 cr6, u64 schid); +-void kvm_s390_reinject_io_int(struct kvm *kvm, +- struct kvm_s390_interrupt_info *inti); ++int kvm_s390_reinject_io_int(struct kvm *kvm, ++ struct kvm_s390_interrupt_info *inti); + int kvm_s390_mask_adapter(struct kvm *kvm, unsigned int id, bool masked); + + /* implemented in intercept.c */ +diff --git a/arch/s390/kvm/priv.c b/arch/s390/kvm/priv.c +index 767149a..613e9f0 100644 +--- a/arch/s390/kvm/priv.c ++++ b/arch/s390/kvm/priv.c +@@ -279,7 +279,10 @@ reinject_interrupt: + * instruction is suppressed from the guest's view: reinject the + * interrupt. + */ +- kvm_s390_reinject_io_int(vcpu->kvm, inti); ++ if (kvm_s390_reinject_io_int(vcpu->kvm, inti)) { ++ kfree(inti); ++ rc = -EFAULT; ++ } + /* don't set the cc, a pgm irq was injected or we drop to user space */ + return rc ? -EFAULT : 0; + } +-- +2.3.6 + + +From 7f1a4ebee923455bb5f50ab4ce832194dff859a7 Mon Sep 17 00:00:00 2001 +From: Ekaterina Tumanova <tumanova@linux.vnet.ibm.com> +Date: Tue, 3 Mar 2015 09:54:41 +0100 +Subject: [PATCH 029/219] KVM: s390: Zero out current VMDB of STSI before + including level3 data. +Cc: mpagano@gentoo.org + +commit b75f4c9afac2604feb971441116c07a24ecca1ec upstream. + +s390 documentation requires words 0 and 10-15 to be reserved and stored as +zeros. As we fill out all other fields, we can memset the full structure. + +Signed-off-by: Ekaterina Tumanova <tumanova@linux.vnet.ibm.com> +Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com> +Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/s390/kvm/priv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/s390/kvm/priv.c b/arch/s390/kvm/priv.c +index 613e9f0..b982fbc 100644 +--- a/arch/s390/kvm/priv.c ++++ b/arch/s390/kvm/priv.c +@@ -476,6 +476,7 @@ static void handle_stsi_3_2_2(struct kvm_vcpu *vcpu, struct sysinfo_3_2_2 *mem) + for (n = mem->count - 1; n > 0 ; n--) + memcpy(&mem->vm[n], &mem->vm[n - 1], sizeof(mem->vm[0])); + ++ memset(&mem->vm[0], 0, sizeof(mem->vm[0])); + mem->vm[0].cpus_total = cpus; + mem->vm[0].cpus_configured = cpus; + mem->vm[0].cpus_standby = 0; +-- +2.3.6 + + +From 4756129f7d1bf8fa4ff6011a39f729f5d3bc64c4 Mon Sep 17 00:00:00 2001 +From: Jens Freimann <jfrei@linux.vnet.ibm.com> +Date: Mon, 16 Mar 2015 12:17:13 +0100 +Subject: [PATCH 030/219] KVM: s390: fix get_all_floating_irqs +Cc: mpagano@gentoo.org + +commit 94aa033efcac47b09db22cb561e135baf37b7887 upstream. + +This fixes a bug introduced with commit c05c4186bbe4 ("KVM: s390: +add floating irq controller"). + +get_all_floating_irqs() does copy_to_user() while holding +a spin lock. Let's fix this by filling a temporary buffer +first and copy it to userspace after giving up the lock. + +Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com> +Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com> +Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> +Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + Documentation/virtual/kvm/devices/s390_flic.txt | 3 ++ + arch/s390/kvm/interrupt.c | 58 ++++++++++++++----------- + 2 files changed, 35 insertions(+), 26 deletions(-) + +diff --git a/Documentation/virtual/kvm/devices/s390_flic.txt b/Documentation/virtual/kvm/devices/s390_flic.txt +index 4ceef53..d1ad9d5 100644 +--- a/Documentation/virtual/kvm/devices/s390_flic.txt ++++ b/Documentation/virtual/kvm/devices/s390_flic.txt +@@ -27,6 +27,9 @@ Groups: + Copies all floating interrupts into a buffer provided by userspace. + When the buffer is too small it returns -ENOMEM, which is the indication + for userspace to try again with a bigger buffer. ++ -ENOBUFS is returned when the allocation of a kernelspace buffer has ++ failed. ++ -EFAULT is returned when copying data to userspace failed. + All interrupts remain pending, i.e. are not deleted from the list of + currently pending interrupts. + attr->addr contains the userspace address of the buffer into which all +diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c +index e7a46e8..e7bc2fd 100644 +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -17,6 +17,7 @@ + #include <linux/signal.h> + #include <linux/slab.h> + #include <linux/bitmap.h> ++#include <linux/vmalloc.h> + #include <asm/asm-offsets.h> + #include <asm/uaccess.h> + #include <asm/sclp.h> +@@ -1455,61 +1456,66 @@ void kvm_s390_clear_float_irqs(struct kvm *kvm) + spin_unlock(&fi->lock); + } + +-static inline int copy_irq_to_user(struct kvm_s390_interrupt_info *inti, +- u8 *addr) ++static void inti_to_irq(struct kvm_s390_interrupt_info *inti, ++ struct kvm_s390_irq *irq) + { +- struct kvm_s390_irq __user *uptr = (struct kvm_s390_irq __user *) addr; +- struct kvm_s390_irq irq = {0}; +- +- irq.type = inti->type; ++ irq->type = inti->type; + switch (inti->type) { + case KVM_S390_INT_PFAULT_INIT: + case KVM_S390_INT_PFAULT_DONE: + case KVM_S390_INT_VIRTIO: + case KVM_S390_INT_SERVICE: +- irq.u.ext = inti->ext; ++ irq->u.ext = inti->ext; + break; + case KVM_S390_INT_IO_MIN...KVM_S390_INT_IO_MAX: +- irq.u.io = inti->io; ++ irq->u.io = inti->io; + break; + case KVM_S390_MCHK: +- irq.u.mchk = inti->mchk; ++ irq->u.mchk = inti->mchk; + break; +- default: +- return -EINVAL; + } +- +- if (copy_to_user(uptr, &irq, sizeof(irq))) +- return -EFAULT; +- +- return 0; + } + +-static int get_all_floating_irqs(struct kvm *kvm, __u8 *buf, __u64 len) ++static int get_all_floating_irqs(struct kvm *kvm, u8 __user *usrbuf, u64 len) + { + struct kvm_s390_interrupt_info *inti; + struct kvm_s390_float_interrupt *fi; ++ struct kvm_s390_irq *buf; ++ int max_irqs; + int ret = 0; + int n = 0; + ++ if (len > KVM_S390_FLIC_MAX_BUFFER || len == 0) ++ return -EINVAL; ++ ++ /* ++ * We are already using -ENOMEM to signal ++ * userspace it may retry with a bigger buffer, ++ * so we need to use something else for this case ++ */ ++ buf = vzalloc(len); ++ if (!buf) ++ return -ENOBUFS; ++ ++ max_irqs = len / sizeof(struct kvm_s390_irq); ++ + fi = &kvm->arch.float_int; + spin_lock(&fi->lock); +- + list_for_each_entry(inti, &fi->list, list) { +- if (len < sizeof(struct kvm_s390_irq)) { ++ if (n == max_irqs) { + /* signal userspace to try again */ + ret = -ENOMEM; + break; + } +- ret = copy_irq_to_user(inti, buf); +- if (ret) +- break; +- buf += sizeof(struct kvm_s390_irq); +- len -= sizeof(struct kvm_s390_irq); ++ inti_to_irq(inti, &buf[n]); + n++; + } +- + spin_unlock(&fi->lock); ++ if (!ret && n > 0) { ++ if (copy_to_user(usrbuf, buf, sizeof(struct kvm_s390_irq) * n)) ++ ret = -EFAULT; ++ } ++ vfree(buf); + + return ret < 0 ? ret : n; + } +@@ -1520,7 +1526,7 @@ static int flic_get_attr(struct kvm_device *dev, struct kvm_device_attr *attr) + + switch (attr->group) { + case KVM_DEV_FLIC_GET_ALL_IRQS: +- r = get_all_floating_irqs(dev->kvm, (u8 *) attr->addr, ++ r = get_all_floating_irqs(dev->kvm, (u8 __user *) attr->addr, + attr->attr); + break; + default: +-- +2.3.6 + + +From 654de1f9fd289e10a3de1daf0806051f05f57d92 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens <heiko.carstens@de.ibm.com> +Date: Wed, 25 Mar 2015 10:13:33 +0100 +Subject: [PATCH 031/219] s390/hibernate: fix save and restore of kernel text + section +Cc: mpagano@gentoo.org + +commit d74419495633493c9cd3f2bbeb7f3529d0edded6 upstream. + +Sebastian reported a crash caused by a jump label mismatch after resume. +This happens because we do not save the kernel text section during suspend +and therefore also do not restore it during resume, but use the kernel image +that restores the old system. + +This means that after a suspend/resume cycle we lost all modifications done +to the kernel text section. +The reason for this is the pfn_is_nosave() function, which incorrectly +returns that read-only pages don't need to be saved. This is incorrect since +we mark the kernel text section read-only. +We still need to make sure to not save and restore pages contained within +NSS and DCSS segment. +To fix this add an extra case for the kernel text section and only save +those pages if they are not contained within an NSS segment. + +Fixes the following crash (and the above bugs as well): + +Jump label code mismatch at netif_receive_skb_internal+0x28/0xd0 +Found: c0 04 00 00 00 00 +Expected: c0 f4 00 00 00 11 +New: c0 04 00 00 00 00 +Kernel panic - not syncing: Corrupted kernel text +CPU: 0 PID: 9 Comm: migration/0 Not tainted 3.19.0-01975-gb1b096e70f23 #4 +Call Trace: + [<0000000000113972>] show_stack+0x72/0xf0 + [<000000000081f15e>] dump_stack+0x6e/0x90 + [<000000000081c4e8>] panic+0x108/0x2b0 + [<000000000081be64>] jump_label_bug.isra.2+0x104/0x108 + [<0000000000112176>] __jump_label_transform+0x9e/0xd0 + [<00000000001121e6>] __sm_arch_jump_label_transform+0x3e/0x50 + [<00000000001d1136>] multi_cpu_stop+0x12e/0x170 + [<00000000001d1472>] cpu_stopper_thread+0xb2/0x168 + [<000000000015d2ac>] smpboot_thread_fn+0x134/0x1b0 + [<0000000000158baa>] kthread+0x10a/0x110 + [<0000000000824a86>] kernel_thread_starter+0x6/0xc + +Reported-and-tested-by: Sebastian Ott <sebott@linux.vnet.ibm.com> +Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> +Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/s390/kernel/suspend.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/s390/kernel/suspend.c b/arch/s390/kernel/suspend.c +index 1c4c5ac..d3236c9 100644 +--- a/arch/s390/kernel/suspend.c ++++ b/arch/s390/kernel/suspend.c +@@ -138,6 +138,8 @@ int pfn_is_nosave(unsigned long pfn) + { + unsigned long nosave_begin_pfn = PFN_DOWN(__pa(&__nosave_begin)); + unsigned long nosave_end_pfn = PFN_DOWN(__pa(&__nosave_end)); ++ unsigned long eshared_pfn = PFN_DOWN(__pa(&_eshared)) - 1; ++ unsigned long stext_pfn = PFN_DOWN(__pa(&_stext)); + + /* Always save lowcore pages (LC protection might be enabled). */ + if (pfn <= LC_PAGES) +@@ -145,6 +147,8 @@ int pfn_is_nosave(unsigned long pfn) + if (pfn >= nosave_begin_pfn && pfn < nosave_end_pfn) + return 1; + /* Skip memory holes and read-only pages (NSS, DCSS, ...). */ ++ if (pfn >= stext_pfn && pfn <= eshared_pfn) ++ return ipl_info.type == IPL_TYPE_NSS ? 1 : 0; + if (tprot(PFN_PHYS(pfn))) + return 1; + return 0; +-- +2.3.6 + + +From 15254fde3f5d723bd591a73d88296e9aecdd6bb7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com> +Date: Wed, 8 Apr 2015 14:16:48 +0200 +Subject: [PATCH 032/219] KVM: use slowpath for cross page cached accesses +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Cc: mpagano@gentoo.org + +commit ca3f0874723fad81d0c701b63ae3a17a408d5f25 upstream. + +kvm_write_guest_cached() does not mark all written pages as dirty and +code comments in kvm_gfn_to_hva_cache_init() talk about NULL memslot +with cross page accesses. Fix all the easy way. + +The check is '<= 1' to have the same result for 'len = 0' cache anywhere +in the page. (nr_pages_needed is 0 on page boundary.) + +Fixes: 8f964525a121 ("KVM: Allow cross page reads and writes from cached translations.") +Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> +Message-Id: <20150408121648.GA3519@potion.brq.redhat.com> +Reviewed-by: Wanpeng Li <wanpeng.li@linux.intel.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + virt/kvm/kvm_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index cc6a25d..f8f3f5f 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -1653,8 +1653,8 @@ int kvm_gfn_to_hva_cache_init(struct kvm *kvm, struct gfn_to_hva_cache *ghc, + ghc->generation = slots->generation; + ghc->len = len; + ghc->memslot = gfn_to_memslot(kvm, start_gfn); +- ghc->hva = gfn_to_hva_many(ghc->memslot, start_gfn, &nr_pages_avail); +- if (!kvm_is_error_hva(ghc->hva) && nr_pages_avail >= nr_pages_needed) { ++ ghc->hva = gfn_to_hva_many(ghc->memslot, start_gfn, NULL); ++ if (!kvm_is_error_hva(ghc->hva) && nr_pages_needed <= 1) { + ghc->hva += offset; + } else { + /* +-- +2.3.6 + + +From fb124f8c695ec8ddc72f19a8b3247b5ee872422f Mon Sep 17 00:00:00 2001 +From: Andre Przywara <andre.przywara@arm.com> +Date: Fri, 10 Apr 2015 16:17:59 +0100 +Subject: [PATCH 033/219] KVM: arm/arm64: check IRQ number on userland + injection +Cc: mpagano@gentoo.org + +commit fd1d0ddf2ae92fb3df42ed476939861806c5d785 upstream. + +When userland injects a SPI via the KVM_IRQ_LINE ioctl we currently +only check it against a fixed limit, which historically is set +to 127. With the new dynamic IRQ allocation the effective limit may +actually be smaller (64). +So when now a malicious or buggy userland injects a SPI in that +range, we spill over on our VGIC bitmaps and bytemaps memory. +I could trigger a host kernel NULL pointer dereference with current +mainline by injecting some bogus IRQ number from a hacked kvmtool: +----------------- +.... +DEBUG: kvm_vgic_inject_irq(kvm, cpu=0, irq=114, level=1) +DEBUG: vgic_update_irq_pending(kvm, cpu=0, irq=114, level=1) +DEBUG: IRQ #114 still in the game, writing to bytemap now... +Unable to handle kernel NULL pointer dereference at virtual address 00000000 +pgd = ffffffc07652e000 +[00000000] *pgd=00000000f658b003, *pud=00000000f658b003, *pmd=0000000000000000 +Internal error: Oops: 96000006 [#1] PREEMPT SMP +Modules linked in: +CPU: 1 PID: 1053 Comm: lkvm-msi-irqinj Not tainted 4.0.0-rc7+ #3027 +Hardware name: FVP Base (DT) +task: ffffffc0774e9680 ti: ffffffc0765a8000 task.ti: ffffffc0765a8000 +PC is at kvm_vgic_inject_irq+0x234/0x310 +LR is at kvm_vgic_inject_irq+0x30c/0x310 +pc : [<ffffffc0000ae0a8>] lr : [<ffffffc0000ae180>] pstate: 80000145 +..... + +So this patch fixes this by checking the SPI number against the +actual limit. Also we remove the former legacy hard limit of +127 in the ioctl code. + +Signed-off-by: Andre Przywara <andre.przywara@arm.com> +Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org> +[maz: wrap KVM_ARM_IRQ_GIC_MAX with #ifndef __KERNEL__, +as suggested by Christopher Covington] +Signed-off-by: Marc Zyngier <marc.zyngier@arm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/arm/include/uapi/asm/kvm.h | 8 +++++++- + arch/arm/kvm/arm.c | 3 +-- + arch/arm64/include/uapi/asm/kvm.h | 8 +++++++- + virt/kvm/arm/vgic.c | 3 +++ + 4 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/include/uapi/asm/kvm.h b/arch/arm/include/uapi/asm/kvm.h +index 0db25bc..3a42ac6 100644 +--- a/arch/arm/include/uapi/asm/kvm.h ++++ b/arch/arm/include/uapi/asm/kvm.h +@@ -195,8 +195,14 @@ struct kvm_arch_memory_slot { + #define KVM_ARM_IRQ_CPU_IRQ 0 + #define KVM_ARM_IRQ_CPU_FIQ 1 + +-/* Highest supported SPI, from VGIC_NR_IRQS */ ++/* ++ * This used to hold the highest supported SPI, but it is now obsolete ++ * and only here to provide source code level compatibility with older ++ * userland. The highest SPI number can be set via KVM_DEV_ARM_VGIC_GRP_NR_IRQS. ++ */ ++#ifndef __KERNEL__ + #define KVM_ARM_IRQ_GIC_MAX 127 ++#endif + + /* PSCI interface */ + #define KVM_PSCI_FN_BASE 0x95c1ba5e +diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c +index 5560f74..b652af5 100644 +--- a/arch/arm/kvm/arm.c ++++ b/arch/arm/kvm/arm.c +@@ -651,8 +651,7 @@ int kvm_vm_ioctl_irq_line(struct kvm *kvm, struct kvm_irq_level *irq_level, + if (!irqchip_in_kernel(kvm)) + return -ENXIO; + +- if (irq_num < VGIC_NR_PRIVATE_IRQS || +- irq_num > KVM_ARM_IRQ_GIC_MAX) ++ if (irq_num < VGIC_NR_PRIVATE_IRQS) + return -EINVAL; + + return kvm_vgic_inject_irq(kvm, 0, irq_num, level); +diff --git a/arch/arm64/include/uapi/asm/kvm.h b/arch/arm64/include/uapi/asm/kvm.h +index 3ef77a4..bc49a18 100644 +--- a/arch/arm64/include/uapi/asm/kvm.h ++++ b/arch/arm64/include/uapi/asm/kvm.h +@@ -188,8 +188,14 @@ struct kvm_arch_memory_slot { + #define KVM_ARM_IRQ_CPU_IRQ 0 + #define KVM_ARM_IRQ_CPU_FIQ 1 + +-/* Highest supported SPI, from VGIC_NR_IRQS */ ++/* ++ * This used to hold the highest supported SPI, but it is now obsolete ++ * and only here to provide source code level compatibility with older ++ * userland. The highest SPI number can be set via KVM_DEV_ARM_VGIC_GRP_NR_IRQS. ++ */ ++#ifndef __KERNEL__ + #define KVM_ARM_IRQ_GIC_MAX 127 ++#endif + + /* PSCI interface */ + #define KVM_PSCI_FN_BASE 0x95c1ba5e +diff --git a/virt/kvm/arm/vgic.c b/virt/kvm/arm/vgic.c +index c9f60f5..e5abe7c 100644 +--- a/virt/kvm/arm/vgic.c ++++ b/virt/kvm/arm/vgic.c +@@ -1371,6 +1371,9 @@ int kvm_vgic_inject_irq(struct kvm *kvm, int cpuid, unsigned int irq_num, + goto out; + } + ++ if (irq_num >= kvm->arch.vgic.nr_irqs) ++ return -EINVAL; ++ + vcpu_id = vgic_update_irq_pending(kvm, cpuid, irq_num, level); + if (vcpu_id >= 0) { + /* kick the specified vcpu */ +-- +2.3.6 + + +From 9656af0b6cee1496640cfd6dc321e216ff650d37 Mon Sep 17 00:00:00 2001 +From: Ben Serebrin <serebrin@google.com> +Date: Thu, 16 Apr 2015 11:58:05 -0700 +Subject: [PATCH 034/219] KVM: VMX: Preserve host CR4.MCE value while in guest + mode. +Cc: mpagano@gentoo.org + +commit 085e68eeafbf76e21848ad5bafaecec88a11dd64 upstream. + +The host's decision to enable machine check exceptions should remain +in force during non-root mode. KVM was writing 0 to cr4 on VCPU reset +and passed a slightly-modified 0 to the vmcs.guest_cr4 value. + +Tested: Built. +On earlier version, tested by injecting machine check +while a guest is spinning. + +Before the change, if guest CR4.MCE==0, then the machine check is +escalated to Catastrophic Error (CATERR) and the machine dies. +If guest CR4.MCE==1, then the machine check causes VMEXIT and is +handled normally by host Linux. After the change, injecting a machine +check causes normal Linux machine check handling. + +Signed-off-by: Ben Serebrin <serebrin@google.com> +Reviewed-by: Venkatesh Srinivas <venkateshs@google.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/x86/kvm/vmx.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index ae4f6d3..a60bd3a 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -3621,8 +3621,16 @@ static void vmx_set_cr3(struct kvm_vcpu *vcpu, unsigned long cr3) + + static int vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) + { +- unsigned long hw_cr4 = cr4 | (to_vmx(vcpu)->rmode.vm86_active ? +- KVM_RMODE_VM_CR4_ALWAYS_ON : KVM_PMODE_VM_CR4_ALWAYS_ON); ++ /* ++ * Pass through host's Machine Check Enable value to hw_cr4, which ++ * is in force while we are in guest mode. Do not let guests control ++ * this bit, even if host CR4.MCE == 0. ++ */ ++ unsigned long hw_cr4 = ++ (cr4_read_shadow() & X86_CR4_MCE) | ++ (cr4 & ~X86_CR4_MCE) | ++ (to_vmx(vcpu)->rmode.vm86_active ? ++ KVM_RMODE_VM_CR4_ALWAYS_ON : KVM_PMODE_VM_CR4_ALWAYS_ON); + + if (cr4 & X86_CR4_VMXE) { + /* +-- +2.3.6 + + +From 7e5ed3d726c9333bdb3f23c3de7ff2f9e9902508 Mon Sep 17 00:00:00 2001 +From: James Hogan <james.hogan@imgtec.com> +Date: Fri, 6 Feb 2015 11:11:56 +0000 +Subject: [PATCH 035/219] MIPS: KVM: Handle MSA Disabled exceptions from guest +Cc: mpagano@gentoo.org + +commit 98119ad53376885819d93dfb8737b6a9a61ca0ba upstream. + +Guest user mode can generate a guest MSA Disabled exception on an MSA +capable core by simply trying to execute an MSA instruction. Since this +exception is unknown to KVM it will be passed on to the guest kernel. +However guest Linux kernels prior to v3.15 do not set up an exception +handler for the MSA Disabled exception as they don't support any MSA +capable cores. This results in a guest OS panic. + +Since an older processor ID may be being emulated, and MSA support is +not advertised to the guest, the correct behaviour is to generate a +Reserved Instruction exception in the guest kernel so it can send the +guest process an illegal instruction signal (SIGILL), as would happen +with a non-MSA-capable core. + +Fix this as minimally as reasonably possible by preventing +kvm_mips_check_privilege() from relaying MSA Disabled exceptions from +guest user mode to the guest kernel, and handling the MSA Disabled +exception by emulating a Reserved Instruction exception in the guest, +via a new handle_msa_disabled() KVM callback. + +Signed-off-by: James Hogan <james.hogan@imgtec.com> +Cc: Paolo Bonzini <pbonzini@redhat.com> +Cc: Paul Burton <paul.burton@imgtec.com> +Cc: Ralf Baechle <ralf@linux-mips.org> +Cc: Gleb Natapov <gleb@kernel.org> +Cc: linux-mips@linux-mips.org +Cc: kvm@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/mips/include/asm/kvm_host.h | 2 ++ + arch/mips/kvm/emulate.c | 1 + + arch/mips/kvm/mips.c | 4 ++++ + arch/mips/kvm/trap_emul.c | 28 ++++++++++++++++++++++++++++ + 4 files changed, 35 insertions(+) + +diff --git a/arch/mips/include/asm/kvm_host.h b/arch/mips/include/asm/kvm_host.h +index ac4fc71..f722b05 100644 +--- a/arch/mips/include/asm/kvm_host.h ++++ b/arch/mips/include/asm/kvm_host.h +@@ -322,6 +322,7 @@ enum mips_mmu_types { + #define T_TRAP 13 /* Trap instruction */ + #define T_VCEI 14 /* Virtual coherency exception */ + #define T_FPE 15 /* Floating point exception */ ++#define T_MSADIS 21 /* MSA disabled exception */ + #define T_WATCH 23 /* Watch address reference */ + #define T_VCED 31 /* Virtual coherency data */ + +@@ -578,6 +579,7 @@ struct kvm_mips_callbacks { + int (*handle_syscall)(struct kvm_vcpu *vcpu); + int (*handle_res_inst)(struct kvm_vcpu *vcpu); + int (*handle_break)(struct kvm_vcpu *vcpu); ++ int (*handle_msa_disabled)(struct kvm_vcpu *vcpu); + int (*vm_init)(struct kvm *kvm); + int (*vcpu_init)(struct kvm_vcpu *vcpu); + int (*vcpu_setup)(struct kvm_vcpu *vcpu); +diff --git a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c +index fb3e8df..838d3a6 100644 +--- a/arch/mips/kvm/emulate.c ++++ b/arch/mips/kvm/emulate.c +@@ -2176,6 +2176,7 @@ enum emulation_result kvm_mips_check_privilege(unsigned long cause, + case T_SYSCALL: + case T_BREAK: + case T_RES_INST: ++ case T_MSADIS: + break; + + case T_COP_UNUSABLE: +diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c +index c9eccf5..f5e7dda 100644 +--- a/arch/mips/kvm/mips.c ++++ b/arch/mips/kvm/mips.c +@@ -1119,6 +1119,10 @@ int kvm_mips_handle_exit(struct kvm_run *run, struct kvm_vcpu *vcpu) + ret = kvm_mips_callbacks->handle_break(vcpu); + break; + ++ case T_MSADIS: ++ ret = kvm_mips_callbacks->handle_msa_disabled(vcpu); ++ break; ++ + default: + kvm_err("Exception Code: %d, not yet handled, @ PC: %p, inst: 0x%08x BadVaddr: %#lx Status: %#lx\n", + exccode, opc, kvm_get_inst(opc, vcpu), badvaddr, +diff --git a/arch/mips/kvm/trap_emul.c b/arch/mips/kvm/trap_emul.c +index fd7257b..4372cc8 100644 +--- a/arch/mips/kvm/trap_emul.c ++++ b/arch/mips/kvm/trap_emul.c +@@ -330,6 +330,33 @@ static int kvm_trap_emul_handle_break(struct kvm_vcpu *vcpu) + return ret; + } + ++static int kvm_trap_emul_handle_msa_disabled(struct kvm_vcpu *vcpu) ++{ ++ struct kvm_run *run = vcpu->run; ++ uint32_t __user *opc = (uint32_t __user *) vcpu->arch.pc; ++ unsigned long cause = vcpu->arch.host_cp0_cause; ++ enum emulation_result er = EMULATE_DONE; ++ int ret = RESUME_GUEST; ++ ++ /* No MSA supported in guest, guest reserved instruction exception */ ++ er = kvm_mips_emulate_ri_exc(cause, opc, run, vcpu); ++ ++ switch (er) { ++ case EMULATE_DONE: ++ ret = RESUME_GUEST; ++ break; ++ ++ case EMULATE_FAIL: ++ run->exit_reason = KVM_EXIT_INTERNAL_ERROR; ++ ret = RESUME_HOST; ++ break; ++ ++ default: ++ BUG(); ++ } ++ return ret; ++} ++ + static int kvm_trap_emul_vm_init(struct kvm *kvm) + { + return 0; +@@ -470,6 +497,7 @@ static struct kvm_mips_callbacks kvm_trap_emul_callbacks = { + .handle_syscall = kvm_trap_emul_handle_syscall, + .handle_res_inst = kvm_trap_emul_handle_res_inst, + .handle_break = kvm_trap_emul_handle_break, ++ .handle_msa_disabled = kvm_trap_emul_handle_msa_disabled, + + .vm_init = kvm_trap_emul_vm_init, + .vcpu_init = kvm_trap_emul_vcpu_init, +-- +2.3.6 + + +From facbd0f25d07e3448d472d679aafefe7580990b2 Mon Sep 17 00:00:00 2001 +From: James Hogan <james.hogan@imgtec.com> +Date: Wed, 25 Feb 2015 13:08:05 +0000 +Subject: [PATCH 036/219] MIPS: lose_fpu(): Disable FPU when MSA enabled +Cc: mpagano@gentoo.org + +commit acaf6a97d623af123314c2f8ce4cf7254f6b2fc1 upstream. + +The lose_fpu() function only disables the FPU in CP0_Status.CU1 if the +FPU is in use and MSA isn't enabled. + +This isn't necessarily a problem because KSTK_STATUS(current), the +version of CP0_Status stored on the kernel stack on entry from user +mode, does always get updated and gets restored when returning to user +mode, but I don't think it was intended, and it is inconsistent with the +case of only the FPU being in use. Sometimes leaving the FPU enabled may +also mask kernel bugs where FPU operations are executed when the FPU +might not be enabled. + +So lets disable the FPU in the MSA case too. + +Fixes: 33c771ba5c5d ("MIPS: save/disable MSA in lose_fpu") +Signed-off-by: James Hogan <james.hogan@imgtec.com> +Cc: Ralf Baechle <ralf@linux-mips.org> +Cc: Paul Burton <paul.burton@imgtec.com> +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/9323/ +Signed-off-by: Ralf Baechle <ralf@linux-mips.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/mips/include/asm/fpu.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/mips/include/asm/fpu.h b/arch/mips/include/asm/fpu.h +index dd083e9..9f26b07 100644 +--- a/arch/mips/include/asm/fpu.h ++++ b/arch/mips/include/asm/fpu.h +@@ -170,6 +170,7 @@ static inline void lose_fpu(int save) + } + disable_msa(); + clear_thread_flag(TIF_USEDMSA); ++ __disable_fpu(); + } else if (is_fpu_owner()) { + if (save) + _save_fp(current); +-- +2.3.6 + + +From 0668432d35a9e96ee500cbe1b3f7df6c4fe29b09 Mon Sep 17 00:00:00 2001 +From: Markos Chandras <markos.chandras@imgtec.com> +Date: Fri, 27 Feb 2015 07:51:32 +0000 +Subject: [PATCH 037/219] MIPS: Malta: Detect and fix bad memsize values +Cc: mpagano@gentoo.org + +commit f7f8aea4b97c4d48e42f02cb37026bee445f239f upstream. + +memsize denotes the amount of RAM we can access from kseg{0,1} and +that should be up to 256M. In case the bootloader reports a value +higher than that (perhaps reporting all the available RAM) it's best +if we fix it ourselves and just warn the user about that. This is +usually a problem with the bootloader and/or its environment. + +[ralf@linux-mips.org: Remove useless parens as suggested bei Sergei. +Reformat long pr_warn statement to fit into 80 column limit.] + +Signed-off-by: Markos Chandras <markos.chandras@imgtec.com> +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/9362/ +Signed-off-by: Ralf Baechle <ralf@linux-mips.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/mips/mti-malta/malta-memory.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/mips/mti-malta/malta-memory.c b/arch/mips/mti-malta/malta-memory.c +index 8fddd2cd..efe366d 100644 +--- a/arch/mips/mti-malta/malta-memory.c ++++ b/arch/mips/mti-malta/malta-memory.c +@@ -53,6 +53,12 @@ fw_memblock_t * __init fw_getmdesc(int eva) + pr_warn("memsize not set in YAMON, set to default (32Mb)\n"); + physical_memsize = 0x02000000; + } else { ++ if (memsize > (256 << 20)) { /* memsize should be capped to 256M */ ++ pr_warn("Unsupported memsize value (0x%lx) detected! " ++ "Using 0x10000000 (256M) instead\n", ++ memsize); ++ memsize = 256 << 20; ++ } + /* If ememsize is set, then set physical_memsize to that */ + physical_memsize = ememsize ? : memsize; + } +-- +2.3.6 + + +From e52a20fcbf2ae06dc538b953c065bd6ae0b5f4ad Mon Sep 17 00:00:00 2001 +From: Markos Chandras <markos.chandras@imgtec.com> +Date: Mon, 9 Mar 2015 14:54:49 +0000 +Subject: [PATCH 038/219] MIPS: asm: asm-eva: Introduce kernel load/store + variants +Cc: mpagano@gentoo.org + +commit 60cd7e08e453bc6828ac4b539f949e4acd80f143 upstream. + +Introduce new macros for kernel load/store variants which will be +used to perform regular kernel space load/store operations in EVA +mode. + +Signed-off-by: Markos Chandras <markos.chandras@imgtec.com> +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/9500/ +Signed-off-by: Ralf Baechle <ralf@linux-mips.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/mips/include/asm/asm-eva.h | 137 +++++++++++++++++++++++++++------------- + 1 file changed, 93 insertions(+), 44 deletions(-) + +diff --git a/arch/mips/include/asm/asm-eva.h b/arch/mips/include/asm/asm-eva.h +index e41c56e..1e38f0e 100644 +--- a/arch/mips/include/asm/asm-eva.h ++++ b/arch/mips/include/asm/asm-eva.h +@@ -11,6 +11,36 @@ + #define __ASM_ASM_EVA_H + + #ifndef __ASSEMBLY__ ++ ++/* Kernel variants */ ++ ++#define kernel_cache(op, base) "cache " op ", " base "\n" ++#define kernel_ll(reg, addr) "ll " reg ", " addr "\n" ++#define kernel_sc(reg, addr) "sc " reg ", " addr "\n" ++#define kernel_lw(reg, addr) "lw " reg ", " addr "\n" ++#define kernel_lwl(reg, addr) "lwl " reg ", " addr "\n" ++#define kernel_lwr(reg, addr) "lwr " reg ", " addr "\n" ++#define kernel_lh(reg, addr) "lh " reg ", " addr "\n" ++#define kernel_lb(reg, addr) "lb " reg ", " addr "\n" ++#define kernel_lbu(reg, addr) "lbu " reg ", " addr "\n" ++#define kernel_sw(reg, addr) "sw " reg ", " addr "\n" ++#define kernel_swl(reg, addr) "swl " reg ", " addr "\n" ++#define kernel_swr(reg, addr) "swr " reg ", " addr "\n" ++#define kernel_sh(reg, addr) "sh " reg ", " addr "\n" ++#define kernel_sb(reg, addr) "sb " reg ", " addr "\n" ++ ++#ifdef CONFIG_32BIT ++/* ++ * No 'sd' or 'ld' instructions in 32-bit but the code will ++ * do the correct thing ++ */ ++#define kernel_sd(reg, addr) user_sw(reg, addr) ++#define kernel_ld(reg, addr) user_lw(reg, addr) ++#else ++#define kernel_sd(reg, addr) "sd " reg", " addr "\n" ++#define kernel_ld(reg, addr) "ld " reg", " addr "\n" ++#endif /* CONFIG_32BIT */ ++ + #ifdef CONFIG_EVA + + #define __BUILD_EVA_INSN(insn, reg, addr) \ +@@ -41,37 +71,60 @@ + + #else + +-#define user_cache(op, base) "cache " op ", " base "\n" +-#define user_ll(reg, addr) "ll " reg ", " addr "\n" +-#define user_sc(reg, addr) "sc " reg ", " addr "\n" +-#define user_lw(reg, addr) "lw " reg ", " addr "\n" +-#define user_lwl(reg, addr) "lwl " reg ", " addr "\n" +-#define user_lwr(reg, addr) "lwr " reg ", " addr "\n" +-#define user_lh(reg, addr) "lh " reg ", " addr "\n" +-#define user_lb(reg, addr) "lb " reg ", " addr "\n" +-#define user_lbu(reg, addr) "lbu " reg ", " addr "\n" +-#define user_sw(reg, addr) "sw " reg ", " addr "\n" +-#define user_swl(reg, addr) "swl " reg ", " addr "\n" +-#define user_swr(reg, addr) "swr " reg ", " addr "\n" +-#define user_sh(reg, addr) "sh " reg ", " addr "\n" +-#define user_sb(reg, addr) "sb " reg ", " addr "\n" ++#define user_cache(op, base) kernel_cache(op, base) ++#define user_ll(reg, addr) kernel_ll(reg, addr) ++#define user_sc(reg, addr) kernel_sc(reg, addr) ++#define user_lw(reg, addr) kernel_lw(reg, addr) ++#define user_lwl(reg, addr) kernel_lwl(reg, addr) ++#define user_lwr(reg, addr) kernel_lwr(reg, addr) ++#define user_lh(reg, addr) kernel_lh(reg, addr) ++#define user_lb(reg, addr) kernel_lb(reg, addr) ++#define user_lbu(reg, addr) kernel_lbu(reg, addr) ++#define user_sw(reg, addr) kernel_sw(reg, addr) ++#define user_swl(reg, addr) kernel_swl(reg, addr) ++#define user_swr(reg, addr) kernel_swr(reg, addr) ++#define user_sh(reg, addr) kernel_sh(reg, addr) ++#define user_sb(reg, addr) kernel_sb(reg, addr) + + #ifdef CONFIG_32BIT +-/* +- * No 'sd' or 'ld' instructions in 32-bit but the code will +- * do the correct thing +- */ +-#define user_sd(reg, addr) user_sw(reg, addr) +-#define user_ld(reg, addr) user_lw(reg, addr) ++#define user_sd(reg, addr) kernel_sw(reg, addr) ++#define user_ld(reg, addr) kernel_lw(reg, addr) + #else +-#define user_sd(reg, addr) "sd " reg", " addr "\n" +-#define user_ld(reg, addr) "ld " reg", " addr "\n" ++#define user_sd(reg, addr) kernel_sd(reg, addr) ++#define user_ld(reg, addr) kernel_ld(reg, addr) + #endif /* CONFIG_32BIT */ + + #endif /* CONFIG_EVA */ + + #else /* __ASSEMBLY__ */ + ++#define kernel_cache(op, base) cache op, base ++#define kernel_ll(reg, addr) ll reg, addr ++#define kernel_sc(reg, addr) sc reg, addr ++#define kernel_lw(reg, addr) lw reg, addr ++#define kernel_lwl(reg, addr) lwl reg, addr ++#define kernel_lwr(reg, addr) lwr reg, addr ++#define kernel_lh(reg, addr) lh reg, addr ++#define kernel_lb(reg, addr) lb reg, addr ++#define kernel_lbu(reg, addr) lbu reg, addr ++#define kernel_sw(reg, addr) sw reg, addr ++#define kernel_swl(reg, addr) swl reg, addr ++#define kernel_swr(reg, addr) swr reg, addr ++#define kernel_sh(reg, addr) sh reg, addr ++#define kernel_sb(reg, addr) sb reg, addr ++ ++#ifdef CONFIG_32BIT ++/* ++ * No 'sd' or 'ld' instructions in 32-bit but the code will ++ * do the correct thing ++ */ ++#define kernel_sd(reg, addr) user_sw(reg, addr) ++#define kernel_ld(reg, addr) user_lw(reg, addr) ++#else ++#define kernel_sd(reg, addr) sd reg, addr ++#define kernel_ld(reg, addr) ld reg, addr ++#endif /* CONFIG_32BIT */ ++ + #ifdef CONFIG_EVA + + #define __BUILD_EVA_INSN(insn, reg, addr) \ +@@ -101,31 +154,27 @@ + #define user_sd(reg, addr) user_sw(reg, addr) + #else + +-#define user_cache(op, base) cache op, base +-#define user_ll(reg, addr) ll reg, addr +-#define user_sc(reg, addr) sc reg, addr +-#define user_lw(reg, addr) lw reg, addr +-#define user_lwl(reg, addr) lwl reg, addr +-#define user_lwr(reg, addr) lwr reg, addr +-#define user_lh(reg, addr) lh reg, addr +-#define user_lb(reg, addr) lb reg, addr +-#define user_lbu(reg, addr) lbu reg, addr +-#define user_sw(reg, addr) sw reg, addr +-#define user_swl(reg, addr) swl reg, addr +-#define user_swr(reg, addr) swr reg, addr +-#define user_sh(reg, addr) sh reg, addr +-#define user_sb(reg, addr) sb reg, addr ++#define user_cache(op, base) kernel_cache(op, base) ++#define user_ll(reg, addr) kernel_ll(reg, addr) ++#define user_sc(reg, addr) kernel_sc(reg, addr) ++#define user_lw(reg, addr) kernel_lw(reg, addr) ++#define user_lwl(reg, addr) kernel_lwl(reg, addr) ++#define user_lwr(reg, addr) kernel_lwr(reg, addr) ++#define user_lh(reg, addr) kernel_lh(reg, addr) ++#define user_lb(reg, addr) kernel_lb(reg, addr) ++#define user_lbu(reg, addr) kernel_lbu(reg, addr) ++#define user_sw(reg, addr) kernel_sw(reg, addr) ++#define user_swl(reg, addr) kernel_swl(reg, addr) ++#define user_swr(reg, addr) kernel_swr(reg, addr) ++#define user_sh(reg, addr) kernel_sh(reg, addr) ++#define user_sb(reg, addr) kernel_sb(reg, addr) + + #ifdef CONFIG_32BIT +-/* +- * No 'sd' or 'ld' instructions in 32-bit but the code will +- * do the correct thing +- */ +-#define user_sd(reg, addr) user_sw(reg, addr) +-#define user_ld(reg, addr) user_lw(reg, addr) ++#define user_sd(reg, addr) kernel_sw(reg, addr) ++#define user_ld(reg, addr) kernel_lw(reg, addr) + #else +-#define user_sd(reg, addr) sd reg, addr +-#define user_ld(reg, addr) ld reg, addr ++#define user_sd(reg, addr) kernel_sd(reg, addr) ++#define user_ld(reg, addr) kernel_sd(reg, addr) + #endif /* CONFIG_32BIT */ + + #endif /* CONFIG_EVA */ +-- +2.3.6 + + +From 88a82d60a26013483a22b19035517fec54b7dee5 Mon Sep 17 00:00:00 2001 +From: Markos Chandras <markos.chandras@imgtec.com> +Date: Mon, 9 Mar 2015 14:54:50 +0000 +Subject: [PATCH 039/219] MIPS: unaligned: Prevent EVA instructions on kernel + unaligned accesses +Cc: mpagano@gentoo.org + +commit eeb538950367e3966cbf0237ab1a1dc30e059818 upstream. + +Commit c1771216ab48 ("MIPS: kernel: unaligned: Handle unaligned +accesses for EVA") allowed unaligned accesses to be emulated for +EVA. However, when emulating regular load/store unaligned accesses, +we need to use the appropriate "address space" instructions for that. +Previously, an unaligned load/store instruction in kernel space would +have used the corresponding EVA instructions to emulate it which led to +segmentation faults because of the address translation that happens +with EVA instructions. This is now fixed by using the EVA instruction +only when emulating EVA unaligned accesses. + +Signed-off-by: Markos Chandras <markos.chandras@imgtec.com> +Fixes: c1771216ab48 ("MIPS: kernel: unaligned: Handle unaligned accesses for EVA") +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/9501/ +Signed-off-by: Ralf Baechle <ralf@linux-mips.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/mips/kernel/unaligned.c | 172 +++++++++++++++++++++++-------------------- + 1 file changed, 94 insertions(+), 78 deletions(-) + +diff --git a/arch/mips/kernel/unaligned.c b/arch/mips/kernel/unaligned.c +index bbb6969..7a5707e 100644 +--- a/arch/mips/kernel/unaligned.c ++++ b/arch/mips/kernel/unaligned.c +@@ -109,10 +109,10 @@ static u32 unaligned_action; + extern void show_registers(struct pt_regs *regs); + + #ifdef __BIG_ENDIAN +-#define LoadHW(addr, value, res) \ ++#define _LoadHW(addr, value, res, type) \ + __asm__ __volatile__ (".set\tnoat\n" \ +- "1:\t"user_lb("%0", "0(%2)")"\n" \ +- "2:\t"user_lbu("$1", "1(%2)")"\n\t" \ ++ "1:\t"type##_lb("%0", "0(%2)")"\n" \ ++ "2:\t"type##_lbu("$1", "1(%2)")"\n\t"\ + "sll\t%0, 0x8\n\t" \ + "or\t%0, $1\n\t" \ + "li\t%1, 0\n" \ +@@ -130,10 +130,10 @@ extern void show_registers(struct pt_regs *regs); + : "r" (addr), "i" (-EFAULT)); + + #ifndef CONFIG_CPU_MIPSR6 +-#define LoadW(addr, value, res) \ ++#define _LoadW(addr, value, res, type) \ + __asm__ __volatile__ ( \ +- "1:\t"user_lwl("%0", "(%2)")"\n" \ +- "2:\t"user_lwr("%0", "3(%2)")"\n\t" \ ++ "1:\t"type##_lwl("%0", "(%2)")"\n" \ ++ "2:\t"type##_lwr("%0", "3(%2)")"\n\t"\ + "li\t%1, 0\n" \ + "3:\n\t" \ + ".insn\n\t" \ +@@ -149,18 +149,18 @@ extern void show_registers(struct pt_regs *regs); + : "r" (addr), "i" (-EFAULT)); + #else + /* MIPSR6 has no lwl instruction */ +-#define LoadW(addr, value, res) \ ++#define _LoadW(addr, value, res, type) \ + __asm__ __volatile__ ( \ + ".set\tpush\n" \ + ".set\tnoat\n\t" \ +- "1:"user_lb("%0", "0(%2)")"\n\t" \ +- "2:"user_lbu("$1", "1(%2)")"\n\t" \ ++ "1:"type##_lb("%0", "0(%2)")"\n\t" \ ++ "2:"type##_lbu("$1", "1(%2)")"\n\t" \ + "sll\t%0, 0x8\n\t" \ + "or\t%0, $1\n\t" \ +- "3:"user_lbu("$1", "2(%2)")"\n\t" \ ++ "3:"type##_lbu("$1", "2(%2)")"\n\t" \ + "sll\t%0, 0x8\n\t" \ + "or\t%0, $1\n\t" \ +- "4:"user_lbu("$1", "3(%2)")"\n\t" \ ++ "4:"type##_lbu("$1", "3(%2)")"\n\t" \ + "sll\t%0, 0x8\n\t" \ + "or\t%0, $1\n\t" \ + "li\t%1, 0\n" \ +@@ -181,11 +181,11 @@ extern void show_registers(struct pt_regs *regs); + : "r" (addr), "i" (-EFAULT)); + #endif /* CONFIG_CPU_MIPSR6 */ + +-#define LoadHWU(addr, value, res) \ ++#define _LoadHWU(addr, value, res, type) \ + __asm__ __volatile__ ( \ + ".set\tnoat\n" \ +- "1:\t"user_lbu("%0", "0(%2)")"\n" \ +- "2:\t"user_lbu("$1", "1(%2)")"\n\t" \ ++ "1:\t"type##_lbu("%0", "0(%2)")"\n" \ ++ "2:\t"type##_lbu("$1", "1(%2)")"\n\t"\ + "sll\t%0, 0x8\n\t" \ + "or\t%0, $1\n\t" \ + "li\t%1, 0\n" \ +@@ -204,10 +204,10 @@ extern void show_registers(struct pt_regs *regs); + : "r" (addr), "i" (-EFAULT)); + + #ifndef CONFIG_CPU_MIPSR6 +-#define LoadWU(addr, value, res) \ ++#define _LoadWU(addr, value, res, type) \ + __asm__ __volatile__ ( \ +- "1:\t"user_lwl("%0", "(%2)")"\n" \ +- "2:\t"user_lwr("%0", "3(%2)")"\n\t" \ ++ "1:\t"type##_lwl("%0", "(%2)")"\n" \ ++ "2:\t"type##_lwr("%0", "3(%2)")"\n\t"\ + "dsll\t%0, %0, 32\n\t" \ + "dsrl\t%0, %0, 32\n\t" \ + "li\t%1, 0\n" \ +@@ -224,7 +224,7 @@ extern void show_registers(struct pt_regs *regs); + : "=&r" (value), "=r" (res) \ + : "r" (addr), "i" (-EFAULT)); + +-#define LoadDW(addr, value, res) \ ++#define _LoadDW(addr, value, res) \ + __asm__ __volatile__ ( \ + "1:\tldl\t%0, (%2)\n" \ + "2:\tldr\t%0, 7(%2)\n\t" \ +@@ -243,18 +243,18 @@ extern void show_registers(struct pt_regs *regs); + : "r" (addr), "i" (-EFAULT)); + #else + /* MIPSR6 has not lwl and ldl instructions */ +-#define LoadWU(addr, value, res) \ ++#define _LoadWU(addr, value, res, type) \ + __asm__ __volatile__ ( \ + ".set\tpush\n\t" \ + ".set\tnoat\n\t" \ +- "1:"user_lbu("%0", "0(%2)")"\n\t" \ +- "2:"user_lbu("$1", "1(%2)")"\n\t" \ ++ "1:"type##_lbu("%0", "0(%2)")"\n\t" \ ++ "2:"type##_lbu("$1", "1(%2)")"\n\t" \ + "sll\t%0, 0x8\n\t" \ + "or\t%0, $1\n\t" \ +- "3:"user_lbu("$1", "2(%2)")"\n\t" \ ++ "3:"type##_lbu("$1", "2(%2)")"\n\t" \ + "sll\t%0, 0x8\n\t" \ + "or\t%0, $1\n\t" \ +- "4:"user_lbu("$1", "3(%2)")"\n\t" \ ++ "4:"type##_lbu("$1", "3(%2)")"\n\t" \ + "sll\t%0, 0x8\n\t" \ + "or\t%0, $1\n\t" \ + "li\t%1, 0\n" \ +@@ -274,7 +274,7 @@ extern void show_registers(struct pt_regs *regs); + : "=&r" (value), "=r" (res) \ + : "r" (addr), "i" (-EFAULT)); + +-#define LoadDW(addr, value, res) \ ++#define _LoadDW(addr, value, res) \ + __asm__ __volatile__ ( \ + ".set\tpush\n\t" \ + ".set\tnoat\n\t" \ +@@ -323,12 +323,12 @@ extern void show_registers(struct pt_regs *regs); + #endif /* CONFIG_CPU_MIPSR6 */ + + +-#define StoreHW(addr, value, res) \ ++#define _StoreHW(addr, value, res, type) \ + __asm__ __volatile__ ( \ + ".set\tnoat\n" \ +- "1:\t"user_sb("%1", "1(%2)")"\n" \ ++ "1:\t"type##_sb("%1", "1(%2)")"\n" \ + "srl\t$1, %1, 0x8\n" \ +- "2:\t"user_sb("$1", "0(%2)")"\n" \ ++ "2:\t"type##_sb("$1", "0(%2)")"\n" \ + ".set\tat\n\t" \ + "li\t%0, 0\n" \ + "3:\n\t" \ +@@ -345,10 +345,10 @@ extern void show_registers(struct pt_regs *regs); + : "r" (value), "r" (addr), "i" (-EFAULT)); + + #ifndef CONFIG_CPU_MIPSR6 +-#define StoreW(addr, value, res) \ ++#define _StoreW(addr, value, res, type) \ + __asm__ __volatile__ ( \ +- "1:\t"user_swl("%1", "(%2)")"\n" \ +- "2:\t"user_swr("%1", "3(%2)")"\n\t" \ ++ "1:\t"type##_swl("%1", "(%2)")"\n" \ ++ "2:\t"type##_swr("%1", "3(%2)")"\n\t"\ + "li\t%0, 0\n" \ + "3:\n\t" \ + ".insn\n\t" \ +@@ -363,7 +363,7 @@ extern void show_registers(struct pt_regs *regs); + : "=r" (res) \ + : "r" (value), "r" (addr), "i" (-EFAULT)); + +-#define StoreDW(addr, value, res) \ ++#define _StoreDW(addr, value, res) \ + __asm__ __volatile__ ( \ + "1:\tsdl\t%1,(%2)\n" \ + "2:\tsdr\t%1, 7(%2)\n\t" \ +@@ -382,17 +382,17 @@ extern void show_registers(struct pt_regs *regs); + : "r" (value), "r" (addr), "i" (-EFAULT)); + #else + /* MIPSR6 has no swl and sdl instructions */ +-#define StoreW(addr, value, res) \ ++#define _StoreW(addr, value, res, type) \ + __asm__ __volatile__ ( \ + ".set\tpush\n\t" \ + ".set\tnoat\n\t" \ +- "1:"user_sb("%1", "3(%2)")"\n\t" \ ++ "1:"type##_sb("%1", "3(%2)")"\n\t" \ + "srl\t$1, %1, 0x8\n\t" \ +- "2:"user_sb("$1", "2(%2)")"\n\t" \ ++ "2:"type##_sb("$1", "2(%2)")"\n\t" \ + "srl\t$1, $1, 0x8\n\t" \ +- "3:"user_sb("$1", "1(%2)")"\n\t" \ ++ "3:"type##_sb("$1", "1(%2)")"\n\t" \ + "srl\t$1, $1, 0x8\n\t" \ +- "4:"user_sb("$1", "0(%2)")"\n\t" \ ++ "4:"type##_sb("$1", "0(%2)")"\n\t" \ + ".set\tpop\n\t" \ + "li\t%0, 0\n" \ + "10:\n\t" \ +@@ -456,10 +456,10 @@ extern void show_registers(struct pt_regs *regs); + + #else /* __BIG_ENDIAN */ + +-#define LoadHW(addr, value, res) \ ++#define _LoadHW(addr, value, res, type) \ + __asm__ __volatile__ (".set\tnoat\n" \ +- "1:\t"user_lb("%0", "1(%2)")"\n" \ +- "2:\t"user_lbu("$1", "0(%2)")"\n\t" \ ++ "1:\t"type##_lb("%0", "1(%2)")"\n" \ ++ "2:\t"type##_lbu("$1", "0(%2)")"\n\t"\ + "sll\t%0, 0x8\n\t" \ + "or\t%0, $1\n\t" \ + "li\t%1, 0\n" \ +@@ -477,10 +477,10 @@ extern void show_registers(struct pt_regs *regs); + : "r" (addr), "i" (-EFAULT)); + + #ifndef CONFIG_CPU_MIPSR6 +-#define LoadW(addr, value, res) \ ++#define _LoadW(addr, value, res, type) \ + __asm__ __volatile__ ( \ +- "1:\t"user_lwl("%0", "3(%2)")"\n" \ +- "2:\t"user_lwr("%0", "(%2)")"\n\t" \ ++ "1:\t"type##_lwl("%0", "3(%2)")"\n" \ ++ "2:\t"type##_lwr("%0", "(%2)")"\n\t"\ + "li\t%1, 0\n" \ + "3:\n\t" \ + ".insn\n\t" \ +@@ -496,18 +496,18 @@ extern void show_registers(struct pt_regs *regs); + : "r" (addr), "i" (-EFAULT)); + #else + /* MIPSR6 has no lwl instruction */ +-#define LoadW(addr, value, res) \ ++#define _LoadW(addr, value, res, type) \ + __asm__ __volatile__ ( \ + ".set\tpush\n" \ + ".set\tnoat\n\t" \ +- "1:"user_lb("%0", "3(%2)")"\n\t" \ +- "2:"user_lbu("$1", "2(%2)")"\n\t" \ ++ "1:"type##_lb("%0", "3(%2)")"\n\t" \ ++ "2:"type##_lbu("$1", "2(%2)")"\n\t" \ + "sll\t%0, 0x8\n\t" \ + "or\t%0, $1\n\t" \ +- "3:"user_lbu("$1", "1(%2)")"\n\t" \ ++ "3:"type##_lbu("$1", "1(%2)")"\n\t" \ + "sll\t%0, 0x8\n\t" \ + "or\t%0, $1\n\t" \ +- "4:"user_lbu("$1", "0(%2)")"\n\t" \ ++ "4:"type##_lbu("$1", "0(%2)")"\n\t" \ + "sll\t%0, 0x8\n\t" \ + "or\t%0, $1\n\t" \ + "li\t%1, 0\n" \ +@@ -529,11 +529,11 @@ extern void show_registers(struct pt_regs *regs); + #endif /* CONFIG_CPU_MIPSR6 */ + + +-#define LoadHWU(addr, value, res) \ ++#define _LoadHWU(addr, value, res, type) \ + __asm__ __volatile__ ( \ + ".set\tnoat\n" \ +- "1:\t"user_lbu("%0", "1(%2)")"\n" \ +- "2:\t"user_lbu("$1", "0(%2)")"\n\t" \ ++ "1:\t"type##_lbu("%0", "1(%2)")"\n" \ ++ "2:\t"type##_lbu("$1", "0(%2)")"\n\t"\ + "sll\t%0, 0x8\n\t" \ + "or\t%0, $1\n\t" \ + "li\t%1, 0\n" \ +@@ -552,10 +552,10 @@ extern void show_registers(struct pt_regs *regs); + : "r" (addr), "i" (-EFAULT)); + + #ifndef CONFIG_CPU_MIPSR6 +-#define LoadWU(addr, value, res) \ ++#define _LoadWU(addr, value, res, type) \ + __asm__ __volatile__ ( \ +- "1:\t"user_lwl("%0", "3(%2)")"\n" \ +- "2:\t"user_lwr("%0", "(%2)")"\n\t" \ ++ "1:\t"type##_lwl("%0", "3(%2)")"\n" \ ++ "2:\t"type##_lwr("%0", "(%2)")"\n\t"\ + "dsll\t%0, %0, 32\n\t" \ + "dsrl\t%0, %0, 32\n\t" \ + "li\t%1, 0\n" \ +@@ -572,7 +572,7 @@ extern void show_registers(struct pt_regs *regs); + : "=&r" (value), "=r" (res) \ + : "r" (addr), "i" (-EFAULT)); + +-#define LoadDW(addr, value, res) \ ++#define _LoadDW(addr, value, res) \ + __asm__ __volatile__ ( \ + "1:\tldl\t%0, 7(%2)\n" \ + "2:\tldr\t%0, (%2)\n\t" \ +@@ -591,18 +591,18 @@ extern void show_registers(struct pt_regs *regs); + : "r" (addr), "i" (-EFAULT)); + #else + /* MIPSR6 has not lwl and ldl instructions */ +-#define LoadWU(addr, value, res) \ ++#define _LoadWU(addr, value, res, type) \ + __asm__ __volatile__ ( \ + ".set\tpush\n\t" \ + ".set\tnoat\n\t" \ +- "1:"user_lbu("%0", "3(%2)")"\n\t" \ +- "2:"user_lbu("$1", "2(%2)")"\n\t" \ ++ "1:"type##_lbu("%0", "3(%2)")"\n\t" \ ++ "2:"type##_lbu("$1", "2(%2)")"\n\t" \ + "sll\t%0, 0x8\n\t" \ + "or\t%0, $1\n\t" \ +- "3:"user_lbu("$1", "1(%2)")"\n\t" \ ++ "3:"type##_lbu("$1", "1(%2)")"\n\t" \ + "sll\t%0, 0x8\n\t" \ + "or\t%0, $1\n\t" \ +- "4:"user_lbu("$1", "0(%2)")"\n\t" \ ++ "4:"type##_lbu("$1", "0(%2)")"\n\t" \ + "sll\t%0, 0x8\n\t" \ + "or\t%0, $1\n\t" \ + "li\t%1, 0\n" \ +@@ -622,7 +622,7 @@ extern void show_registers(struct pt_regs *regs); + : "=&r" (value), "=r" (res) \ + : "r" (addr), "i" (-EFAULT)); + +-#define LoadDW(addr, value, res) \ ++#define _LoadDW(addr, value, res) \ + __asm__ __volatile__ ( \ + ".set\tpush\n\t" \ + ".set\tnoat\n\t" \ +@@ -670,12 +670,12 @@ extern void show_registers(struct pt_regs *regs); + : "r" (addr), "i" (-EFAULT)); + #endif /* CONFIG_CPU_MIPSR6 */ + +-#define StoreHW(addr, value, res) \ ++#define _StoreHW(addr, value, res, type) \ + __asm__ __volatile__ ( \ + ".set\tnoat\n" \ +- "1:\t"user_sb("%1", "0(%2)")"\n" \ ++ "1:\t"type##_sb("%1", "0(%2)")"\n" \ + "srl\t$1,%1, 0x8\n" \ +- "2:\t"user_sb("$1", "1(%2)")"\n" \ ++ "2:\t"type##_sb("$1", "1(%2)")"\n" \ + ".set\tat\n\t" \ + "li\t%0, 0\n" \ + "3:\n\t" \ +@@ -691,10 +691,10 @@ extern void show_registers(struct pt_regs *regs); + : "=r" (res) \ + : "r" (value), "r" (addr), "i" (-EFAULT)); + #ifndef CONFIG_CPU_MIPSR6 +-#define StoreW(addr, value, res) \ ++#define _StoreW(addr, value, res, type) \ + __asm__ __volatile__ ( \ +- "1:\t"user_swl("%1", "3(%2)")"\n" \ +- "2:\t"user_swr("%1", "(%2)")"\n\t" \ ++ "1:\t"type##_swl("%1", "3(%2)")"\n" \ ++ "2:\t"type##_swr("%1", "(%2)")"\n\t"\ + "li\t%0, 0\n" \ + "3:\n\t" \ + ".insn\n\t" \ +@@ -709,7 +709,7 @@ extern void show_registers(struct pt_regs *regs); + : "=r" (res) \ + : "r" (value), "r" (addr), "i" (-EFAULT)); + +-#define StoreDW(addr, value, res) \ ++#define _StoreDW(addr, value, res) \ + __asm__ __volatile__ ( \ + "1:\tsdl\t%1, 7(%2)\n" \ + "2:\tsdr\t%1, (%2)\n\t" \ +@@ -728,17 +728,17 @@ extern void show_registers(struct pt_regs *regs); + : "r" (value), "r" (addr), "i" (-EFAULT)); + #else + /* MIPSR6 has no swl and sdl instructions */ +-#define StoreW(addr, value, res) \ ++#define _StoreW(addr, value, res, type) \ + __asm__ __volatile__ ( \ + ".set\tpush\n\t" \ + ".set\tnoat\n\t" \ +- "1:"user_sb("%1", "0(%2)")"\n\t" \ ++ "1:"type##_sb("%1", "0(%2)")"\n\t" \ + "srl\t$1, %1, 0x8\n\t" \ +- "2:"user_sb("$1", "1(%2)")"\n\t" \ ++ "2:"type##_sb("$1", "1(%2)")"\n\t" \ + "srl\t$1, $1, 0x8\n\t" \ +- "3:"user_sb("$1", "2(%2)")"\n\t" \ ++ "3:"type##_sb("$1", "2(%2)")"\n\t" \ + "srl\t$1, $1, 0x8\n\t" \ +- "4:"user_sb("$1", "3(%2)")"\n\t" \ ++ "4:"type##_sb("$1", "3(%2)")"\n\t" \ + ".set\tpop\n\t" \ + "li\t%0, 0\n" \ + "10:\n\t" \ +@@ -757,7 +757,7 @@ extern void show_registers(struct pt_regs *regs); + : "r" (value), "r" (addr), "i" (-EFAULT) \ + : "memory"); + +-#define StoreDW(addr, value, res) \ ++#define _StoreDW(addr, value, res) \ + __asm__ __volatile__ ( \ + ".set\tpush\n\t" \ + ".set\tnoat\n\t" \ +@@ -801,6 +801,22 @@ extern void show_registers(struct pt_regs *regs); + #endif /* CONFIG_CPU_MIPSR6 */ + #endif + ++#define LoadHWU(addr, value, res) _LoadHWU(addr, value, res, kernel) ++#define LoadHWUE(addr, value, res) _LoadHWU(addr, value, res, user) ++#define LoadWU(addr, value, res) _LoadWU(addr, value, res, kernel) ++#define LoadWUE(addr, value, res) _LoadWU(addr, value, res, user) ++#define LoadHW(addr, value, res) _LoadHW(addr, value, res, kernel) ++#define LoadHWE(addr, value, res) _LoadHW(addr, value, res, user) ++#define LoadW(addr, value, res) _LoadW(addr, value, res, kernel) ++#define LoadWE(addr, value, res) _LoadW(addr, value, res, user) ++#define LoadDW(addr, value, res) _LoadDW(addr, value, res) ++ ++#define StoreHW(addr, value, res) _StoreHW(addr, value, res, kernel) ++#define StoreHWE(addr, value, res) _StoreHW(addr, value, res, user) ++#define StoreW(addr, value, res) _StoreW(addr, value, res, kernel) ++#define StoreWE(addr, value, res) _StoreW(addr, value, res, user) ++#define StoreDW(addr, value, res) _StoreDW(addr, value, res) ++ + static void emulate_load_store_insn(struct pt_regs *regs, + void __user *addr, unsigned int __user *pc) + { +@@ -872,7 +888,7 @@ static void emulate_load_store_insn(struct pt_regs *regs, + set_fs(seg); + goto sigbus; + } +- LoadHW(addr, value, res); ++ LoadHWE(addr, value, res); + if (res) { + set_fs(seg); + goto fault; +@@ -885,7 +901,7 @@ static void emulate_load_store_insn(struct pt_regs *regs, + set_fs(seg); + goto sigbus; + } +- LoadW(addr, value, res); ++ LoadWE(addr, value, res); + if (res) { + set_fs(seg); + goto fault; +@@ -898,7 +914,7 @@ static void emulate_load_store_insn(struct pt_regs *regs, + set_fs(seg); + goto sigbus; + } +- LoadHWU(addr, value, res); ++ LoadHWUE(addr, value, res); + if (res) { + set_fs(seg); + goto fault; +@@ -913,7 +929,7 @@ static void emulate_load_store_insn(struct pt_regs *regs, + } + compute_return_epc(regs); + value = regs->regs[insn.spec3_format.rt]; +- StoreHW(addr, value, res); ++ StoreHWE(addr, value, res); + if (res) { + set_fs(seg); + goto fault; +@@ -926,7 +942,7 @@ static void emulate_load_store_insn(struct pt_regs *regs, + } + compute_return_epc(regs); + value = regs->regs[insn.spec3_format.rt]; +- StoreW(addr, value, res); ++ StoreWE(addr, value, res); + if (res) { + set_fs(seg); + goto fault; +-- +2.3.6 + + +From ae0a145ca5b6c135e068a08f859e3f10ad2242d9 Mon Sep 17 00:00:00 2001 +From: Markos Chandras <markos.chandras@imgtec.com> +Date: Mon, 9 Mar 2015 14:54:51 +0000 +Subject: [PATCH 040/219] MIPS: unaligned: Surround load/store macros in do {} + while statements +Cc: mpagano@gentoo.org + +commit 3563c32d6532ece53c9dd8905a8e41983ef9952f upstream. + +It's best to surround such complex macros with do {} while statements +so they can appear as independent logical blocks when used within other +control blocks. + +Signed-off-by: Markos Chandras <markos.chandras@imgtec.com> +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/9502/ +Signed-off-by: Ralf Baechle <ralf@linux-mips.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/mips/kernel/unaligned.c | 116 +++++++++++++++++++++++++++++++++---------- + 1 file changed, 90 insertions(+), 26 deletions(-) + +diff --git a/arch/mips/kernel/unaligned.c b/arch/mips/kernel/unaligned.c +index 7a5707e..ab47590 100644 +--- a/arch/mips/kernel/unaligned.c ++++ b/arch/mips/kernel/unaligned.c +@@ -110,6 +110,7 @@ extern void show_registers(struct pt_regs *regs); + + #ifdef __BIG_ENDIAN + #define _LoadHW(addr, value, res, type) \ ++do { \ + __asm__ __volatile__ (".set\tnoat\n" \ + "1:\t"type##_lb("%0", "0(%2)")"\n" \ + "2:\t"type##_lbu("$1", "1(%2)")"\n\t"\ +@@ -127,10 +128,12 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t2b, 4b\n\t" \ + ".previous" \ + : "=&r" (value), "=r" (res) \ +- : "r" (addr), "i" (-EFAULT)); ++ : "r" (addr), "i" (-EFAULT)); \ ++} while(0) + + #ifndef CONFIG_CPU_MIPSR6 + #define _LoadW(addr, value, res, type) \ ++do { \ + __asm__ __volatile__ ( \ + "1:\t"type##_lwl("%0", "(%2)")"\n" \ + "2:\t"type##_lwr("%0", "3(%2)")"\n\t"\ +@@ -146,10 +149,13 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t2b, 4b\n\t" \ + ".previous" \ + : "=&r" (value), "=r" (res) \ +- : "r" (addr), "i" (-EFAULT)); ++ : "r" (addr), "i" (-EFAULT)); \ ++} while(0) ++ + #else + /* MIPSR6 has no lwl instruction */ + #define _LoadW(addr, value, res, type) \ ++do { \ + __asm__ __volatile__ ( \ + ".set\tpush\n" \ + ".set\tnoat\n\t" \ +@@ -178,10 +184,13 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t4b, 11b\n\t" \ + ".previous" \ + : "=&r" (value), "=r" (res) \ +- : "r" (addr), "i" (-EFAULT)); ++ : "r" (addr), "i" (-EFAULT)); \ ++} while(0) ++ + #endif /* CONFIG_CPU_MIPSR6 */ + + #define _LoadHWU(addr, value, res, type) \ ++do { \ + __asm__ __volatile__ ( \ + ".set\tnoat\n" \ + "1:\t"type##_lbu("%0", "0(%2)")"\n" \ +@@ -201,10 +210,12 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t2b, 4b\n\t" \ + ".previous" \ + : "=&r" (value), "=r" (res) \ +- : "r" (addr), "i" (-EFAULT)); ++ : "r" (addr), "i" (-EFAULT)); \ ++} while(0) + + #ifndef CONFIG_CPU_MIPSR6 + #define _LoadWU(addr, value, res, type) \ ++do { \ + __asm__ __volatile__ ( \ + "1:\t"type##_lwl("%0", "(%2)")"\n" \ + "2:\t"type##_lwr("%0", "3(%2)")"\n\t"\ +@@ -222,9 +233,11 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t2b, 4b\n\t" \ + ".previous" \ + : "=&r" (value), "=r" (res) \ +- : "r" (addr), "i" (-EFAULT)); ++ : "r" (addr), "i" (-EFAULT)); \ ++} while(0) + + #define _LoadDW(addr, value, res) \ ++do { \ + __asm__ __volatile__ ( \ + "1:\tldl\t%0, (%2)\n" \ + "2:\tldr\t%0, 7(%2)\n\t" \ +@@ -240,10 +253,13 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t2b, 4b\n\t" \ + ".previous" \ + : "=&r" (value), "=r" (res) \ +- : "r" (addr), "i" (-EFAULT)); ++ : "r" (addr), "i" (-EFAULT)); \ ++} while(0) ++ + #else + /* MIPSR6 has not lwl and ldl instructions */ + #define _LoadWU(addr, value, res, type) \ ++do { \ + __asm__ __volatile__ ( \ + ".set\tpush\n\t" \ + ".set\tnoat\n\t" \ +@@ -272,9 +288,11 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t4b, 11b\n\t" \ + ".previous" \ + : "=&r" (value), "=r" (res) \ +- : "r" (addr), "i" (-EFAULT)); ++ : "r" (addr), "i" (-EFAULT)); \ ++} while(0) + + #define _LoadDW(addr, value, res) \ ++do { \ + __asm__ __volatile__ ( \ + ".set\tpush\n\t" \ + ".set\tnoat\n\t" \ +@@ -319,11 +337,14 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t8b, 11b\n\t" \ + ".previous" \ + : "=&r" (value), "=r" (res) \ +- : "r" (addr), "i" (-EFAULT)); ++ : "r" (addr), "i" (-EFAULT)); \ ++} while(0) ++ + #endif /* CONFIG_CPU_MIPSR6 */ + + + #define _StoreHW(addr, value, res, type) \ ++do { \ + __asm__ __volatile__ ( \ + ".set\tnoat\n" \ + "1:\t"type##_sb("%1", "1(%2)")"\n" \ +@@ -342,10 +363,12 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t2b, 4b\n\t" \ + ".previous" \ + : "=r" (res) \ +- : "r" (value), "r" (addr), "i" (-EFAULT)); ++ : "r" (value), "r" (addr), "i" (-EFAULT));\ ++} while(0) + + #ifndef CONFIG_CPU_MIPSR6 + #define _StoreW(addr, value, res, type) \ ++do { \ + __asm__ __volatile__ ( \ + "1:\t"type##_swl("%1", "(%2)")"\n" \ + "2:\t"type##_swr("%1", "3(%2)")"\n\t"\ +@@ -361,9 +384,11 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t2b, 4b\n\t" \ + ".previous" \ + : "=r" (res) \ +- : "r" (value), "r" (addr), "i" (-EFAULT)); ++ : "r" (value), "r" (addr), "i" (-EFAULT)); \ ++} while(0) + + #define _StoreDW(addr, value, res) \ ++do { \ + __asm__ __volatile__ ( \ + "1:\tsdl\t%1,(%2)\n" \ + "2:\tsdr\t%1, 7(%2)\n\t" \ +@@ -379,10 +404,13 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t2b, 4b\n\t" \ + ".previous" \ + : "=r" (res) \ +- : "r" (value), "r" (addr), "i" (-EFAULT)); ++ : "r" (value), "r" (addr), "i" (-EFAULT)); \ ++} while(0) ++ + #else + /* MIPSR6 has no swl and sdl instructions */ + #define _StoreW(addr, value, res, type) \ ++do { \ + __asm__ __volatile__ ( \ + ".set\tpush\n\t" \ + ".set\tnoat\n\t" \ +@@ -409,9 +437,11 @@ extern void show_registers(struct pt_regs *regs); + ".previous" \ + : "=&r" (res) \ + : "r" (value), "r" (addr), "i" (-EFAULT) \ +- : "memory"); ++ : "memory"); \ ++} while(0) + + #define StoreDW(addr, value, res) \ ++do { \ + __asm__ __volatile__ ( \ + ".set\tpush\n\t" \ + ".set\tnoat\n\t" \ +@@ -451,12 +481,15 @@ extern void show_registers(struct pt_regs *regs); + ".previous" \ + : "=&r" (res) \ + : "r" (value), "r" (addr), "i" (-EFAULT) \ +- : "memory"); ++ : "memory"); \ ++} while(0) ++ + #endif /* CONFIG_CPU_MIPSR6 */ + + #else /* __BIG_ENDIAN */ + + #define _LoadHW(addr, value, res, type) \ ++do { \ + __asm__ __volatile__ (".set\tnoat\n" \ + "1:\t"type##_lb("%0", "1(%2)")"\n" \ + "2:\t"type##_lbu("$1", "0(%2)")"\n\t"\ +@@ -474,10 +507,12 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t2b, 4b\n\t" \ + ".previous" \ + : "=&r" (value), "=r" (res) \ +- : "r" (addr), "i" (-EFAULT)); ++ : "r" (addr), "i" (-EFAULT)); \ ++} while(0) + + #ifndef CONFIG_CPU_MIPSR6 + #define _LoadW(addr, value, res, type) \ ++do { \ + __asm__ __volatile__ ( \ + "1:\t"type##_lwl("%0", "3(%2)")"\n" \ + "2:\t"type##_lwr("%0", "(%2)")"\n\t"\ +@@ -493,10 +528,13 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t2b, 4b\n\t" \ + ".previous" \ + : "=&r" (value), "=r" (res) \ +- : "r" (addr), "i" (-EFAULT)); ++ : "r" (addr), "i" (-EFAULT)); \ ++} while(0) ++ + #else + /* MIPSR6 has no lwl instruction */ + #define _LoadW(addr, value, res, type) \ ++do { \ + __asm__ __volatile__ ( \ + ".set\tpush\n" \ + ".set\tnoat\n\t" \ +@@ -525,11 +563,14 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t4b, 11b\n\t" \ + ".previous" \ + : "=&r" (value), "=r" (res) \ +- : "r" (addr), "i" (-EFAULT)); ++ : "r" (addr), "i" (-EFAULT)); \ ++} while(0) ++ + #endif /* CONFIG_CPU_MIPSR6 */ + + + #define _LoadHWU(addr, value, res, type) \ ++do { \ + __asm__ __volatile__ ( \ + ".set\tnoat\n" \ + "1:\t"type##_lbu("%0", "1(%2)")"\n" \ +@@ -549,10 +590,12 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t2b, 4b\n\t" \ + ".previous" \ + : "=&r" (value), "=r" (res) \ +- : "r" (addr), "i" (-EFAULT)); ++ : "r" (addr), "i" (-EFAULT)); \ ++} while(0) + + #ifndef CONFIG_CPU_MIPSR6 + #define _LoadWU(addr, value, res, type) \ ++do { \ + __asm__ __volatile__ ( \ + "1:\t"type##_lwl("%0", "3(%2)")"\n" \ + "2:\t"type##_lwr("%0", "(%2)")"\n\t"\ +@@ -570,9 +613,11 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t2b, 4b\n\t" \ + ".previous" \ + : "=&r" (value), "=r" (res) \ +- : "r" (addr), "i" (-EFAULT)); ++ : "r" (addr), "i" (-EFAULT)); \ ++} while(0) + + #define _LoadDW(addr, value, res) \ ++do { \ + __asm__ __volatile__ ( \ + "1:\tldl\t%0, 7(%2)\n" \ + "2:\tldr\t%0, (%2)\n\t" \ +@@ -588,10 +633,13 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t2b, 4b\n\t" \ + ".previous" \ + : "=&r" (value), "=r" (res) \ +- : "r" (addr), "i" (-EFAULT)); ++ : "r" (addr), "i" (-EFAULT)); \ ++} while(0) ++ + #else + /* MIPSR6 has not lwl and ldl instructions */ + #define _LoadWU(addr, value, res, type) \ ++do { \ + __asm__ __volatile__ ( \ + ".set\tpush\n\t" \ + ".set\tnoat\n\t" \ +@@ -620,9 +668,11 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t4b, 11b\n\t" \ + ".previous" \ + : "=&r" (value), "=r" (res) \ +- : "r" (addr), "i" (-EFAULT)); ++ : "r" (addr), "i" (-EFAULT)); \ ++} while(0) + + #define _LoadDW(addr, value, res) \ ++do { \ + __asm__ __volatile__ ( \ + ".set\tpush\n\t" \ + ".set\tnoat\n\t" \ +@@ -667,10 +717,12 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t8b, 11b\n\t" \ + ".previous" \ + : "=&r" (value), "=r" (res) \ +- : "r" (addr), "i" (-EFAULT)); ++ : "r" (addr), "i" (-EFAULT)); \ ++} while(0) + #endif /* CONFIG_CPU_MIPSR6 */ + + #define _StoreHW(addr, value, res, type) \ ++do { \ + __asm__ __volatile__ ( \ + ".set\tnoat\n" \ + "1:\t"type##_sb("%1", "0(%2)")"\n" \ +@@ -689,9 +741,12 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t2b, 4b\n\t" \ + ".previous" \ + : "=r" (res) \ +- : "r" (value), "r" (addr), "i" (-EFAULT)); ++ : "r" (value), "r" (addr), "i" (-EFAULT));\ ++} while(0) ++ + #ifndef CONFIG_CPU_MIPSR6 + #define _StoreW(addr, value, res, type) \ ++do { \ + __asm__ __volatile__ ( \ + "1:\t"type##_swl("%1", "3(%2)")"\n" \ + "2:\t"type##_swr("%1", "(%2)")"\n\t"\ +@@ -707,9 +762,11 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t2b, 4b\n\t" \ + ".previous" \ + : "=r" (res) \ +- : "r" (value), "r" (addr), "i" (-EFAULT)); ++ : "r" (value), "r" (addr), "i" (-EFAULT)); \ ++} while(0) + + #define _StoreDW(addr, value, res) \ ++do { \ + __asm__ __volatile__ ( \ + "1:\tsdl\t%1, 7(%2)\n" \ + "2:\tsdr\t%1, (%2)\n\t" \ +@@ -725,10 +782,13 @@ extern void show_registers(struct pt_regs *regs); + STR(PTR)"\t2b, 4b\n\t" \ + ".previous" \ + : "=r" (res) \ +- : "r" (value), "r" (addr), "i" (-EFAULT)); ++ : "r" (value), "r" (addr), "i" (-EFAULT)); \ ++} while(0) ++ + #else + /* MIPSR6 has no swl and sdl instructions */ + #define _StoreW(addr, value, res, type) \ ++do { \ + __asm__ __volatile__ ( \ + ".set\tpush\n\t" \ + ".set\tnoat\n\t" \ +@@ -755,9 +815,11 @@ extern void show_registers(struct pt_regs *regs); + ".previous" \ + : "=&r" (res) \ + : "r" (value), "r" (addr), "i" (-EFAULT) \ +- : "memory"); ++ : "memory"); \ ++} while(0) + + #define _StoreDW(addr, value, res) \ ++do { \ + __asm__ __volatile__ ( \ + ".set\tpush\n\t" \ + ".set\tnoat\n\t" \ +@@ -797,7 +859,9 @@ extern void show_registers(struct pt_regs *regs); + ".previous" \ + : "=&r" (res) \ + : "r" (value), "r" (addr), "i" (-EFAULT) \ +- : "memory"); ++ : "memory"); \ ++} while(0) ++ + #endif /* CONFIG_CPU_MIPSR6 */ + #endif + +-- +2.3.6 + + +From e239cb24f08477d187a5bb831088de60f70e3ade Mon Sep 17 00:00:00 2001 +From: Markos Chandras <markos.chandras@imgtec.com> +Date: Mon, 9 Mar 2015 14:54:52 +0000 +Subject: [PATCH 041/219] MIPS: unaligned: Fix regular load/store instruction + emulation for EVA +Cc: mpagano@gentoo.org + +commit 6eae35485b26f9e51ab896eb8a936bed9908fdf6 upstream. + +When emulating a regular lh/lw/lhu/sh/sw we need to use the appropriate +instruction if we are in EVA mode. This is necessary for userspace +applications which trigger alignment exceptions. In such case, the +userspace load/store instruction needs to be emulated with the correct +eva/non-eva instruction by the kernel emulator. + +Signed-off-by: Markos Chandras <markos.chandras@imgtec.com> +Fixes: c1771216ab48 ("MIPS: kernel: unaligned: Handle unaligned accesses for EVA") +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/9503/ +Signed-off-by: Ralf Baechle <ralf@linux-mips.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/mips/kernel/unaligned.c | 52 +++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 47 insertions(+), 5 deletions(-) + +diff --git a/arch/mips/kernel/unaligned.c b/arch/mips/kernel/unaligned.c +index ab47590..7659da2 100644 +--- a/arch/mips/kernel/unaligned.c ++++ b/arch/mips/kernel/unaligned.c +@@ -1023,7 +1023,15 @@ static void emulate_load_store_insn(struct pt_regs *regs, + if (!access_ok(VERIFY_READ, addr, 2)) + goto sigbus; + +- LoadHW(addr, value, res); ++ if (config_enabled(CONFIG_EVA)) { ++ if (segment_eq(get_fs(), get_ds())) ++ LoadHW(addr, value, res); ++ else ++ LoadHWE(addr, value, res); ++ } else { ++ LoadHW(addr, value, res); ++ } ++ + if (res) + goto fault; + compute_return_epc(regs); +@@ -1034,7 +1042,15 @@ static void emulate_load_store_insn(struct pt_regs *regs, + if (!access_ok(VERIFY_READ, addr, 4)) + goto sigbus; + +- LoadW(addr, value, res); ++ if (config_enabled(CONFIG_EVA)) { ++ if (segment_eq(get_fs(), get_ds())) ++ LoadW(addr, value, res); ++ else ++ LoadWE(addr, value, res); ++ } else { ++ LoadW(addr, value, res); ++ } ++ + if (res) + goto fault; + compute_return_epc(regs); +@@ -1045,7 +1061,15 @@ static void emulate_load_store_insn(struct pt_regs *regs, + if (!access_ok(VERIFY_READ, addr, 2)) + goto sigbus; + +- LoadHWU(addr, value, res); ++ if (config_enabled(CONFIG_EVA)) { ++ if (segment_eq(get_fs(), get_ds())) ++ LoadHWU(addr, value, res); ++ else ++ LoadHWUE(addr, value, res); ++ } else { ++ LoadHWU(addr, value, res); ++ } ++ + if (res) + goto fault; + compute_return_epc(regs); +@@ -1104,7 +1128,16 @@ static void emulate_load_store_insn(struct pt_regs *regs, + + compute_return_epc(regs); + value = regs->regs[insn.i_format.rt]; +- StoreHW(addr, value, res); ++ ++ if (config_enabled(CONFIG_EVA)) { ++ if (segment_eq(get_fs(), get_ds())) ++ StoreHW(addr, value, res); ++ else ++ StoreHWE(addr, value, res); ++ } else { ++ StoreHW(addr, value, res); ++ } ++ + if (res) + goto fault; + break; +@@ -1115,7 +1148,16 @@ static void emulate_load_store_insn(struct pt_regs *regs, + + compute_return_epc(regs); + value = regs->regs[insn.i_format.rt]; +- StoreW(addr, value, res); ++ ++ if (config_enabled(CONFIG_EVA)) { ++ if (segment_eq(get_fs(), get_ds())) ++ StoreW(addr, value, res); ++ else ++ StoreWE(addr, value, res); ++ } else { ++ StoreW(addr, value, res); ++ } ++ + if (res) + goto fault; + break; +-- +2.3.6 + + +From 9da8705189d48b9d74724d5ae37c5a3a486fcfef Mon Sep 17 00:00:00 2001 +From: Huacai Chen <chenhc@lemote.com> +Date: Thu, 12 Mar 2015 11:51:06 +0800 +Subject: [PATCH 042/219] MIPS: Loongson-3: Add IRQF_NO_SUSPEND to Cascade + irqaction +Cc: mpagano@gentoo.org + +commit 0add9c2f1cff9f3f1f2eb7e9babefa872a9d14b9 upstream. + +HPET irq is routed to i8259 and then to MIPS CPU irq (cascade). After +commit a3e6c1eff5 (MIPS: IRQ: Fix disable_irq on CPU IRQs), if without +IRQF_NO_SUSPEND in cascade_irqaction, HPET interrupts will lost during +suspend. The result is machine cannot be waken up. + +Signed-off-by: Huacai Chen <chenhc@lemote.com> +Cc: Steven J. Hill <Steven.Hill@imgtec.com> +Cc: linux-mips@linux-mips.org +Cc: Fuxin Zhang <zhangfx@lemote.com> +Cc: Zhangjin Wu <wuzhangjin@gmail.com> +Patchwork: https://patchwork.linux-mips.org/patch/9528/ +Signed-off-by: Ralf Baechle <ralf@linux-mips.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/mips/loongson/loongson-3/irq.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/mips/loongson/loongson-3/irq.c b/arch/mips/loongson/loongson-3/irq.c +index 21221ed..0f75b6b 100644 +--- a/arch/mips/loongson/loongson-3/irq.c ++++ b/arch/mips/loongson/loongson-3/irq.c +@@ -44,6 +44,7 @@ void mach_irq_dispatch(unsigned int pending) + + static struct irqaction cascade_irqaction = { + .handler = no_action, ++ .flags = IRQF_NO_SUSPEND, + .name = "cascade", + }; + +-- +2.3.6 + + +From 6fbe5c7cd4d50582ba22c0a979131e347ec7b132 Mon Sep 17 00:00:00 2001 +From: Huacai Chen <chenhc@lemote.com> +Date: Sun, 29 Mar 2015 10:54:05 +0800 +Subject: [PATCH 043/219] MIPS: Hibernate: flush TLB entries earlier +Cc: mpagano@gentoo.org + +commit a843d00d038b11267279e3b5388222320f9ddc1d upstream. + +We found that TLB mismatch not only happens after kernel resume, but +also happens during snapshot restore. So move it to the beginning of +swsusp_arch_suspend(). + +Signed-off-by: Huacai Chen <chenhc@lemote.com> +Cc: Steven J. Hill <Steven.Hill@imgtec.com> +Cc: linux-mips@linux-mips.org +Cc: Fuxin Zhang <zhangfx@lemote.com> +Cc: Zhangjin Wu <wuzhangjin@gmail.com> +Patchwork: https://patchwork.linux-mips.org/patch/9621/ +Signed-off-by: Ralf Baechle <ralf@linux-mips.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/mips/power/hibernate.S | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/mips/power/hibernate.S b/arch/mips/power/hibernate.S +index 32a7c82..e7567c8 100644 +--- a/arch/mips/power/hibernate.S ++++ b/arch/mips/power/hibernate.S +@@ -30,6 +30,8 @@ LEAF(swsusp_arch_suspend) + END(swsusp_arch_suspend) + + LEAF(swsusp_arch_resume) ++ /* Avoid TLB mismatch during and after kernel resume */ ++ jal local_flush_tlb_all + PTR_L t0, restore_pblist + 0: + PTR_L t1, PBE_ADDRESS(t0) /* source */ +@@ -43,7 +45,6 @@ LEAF(swsusp_arch_resume) + bne t1, t3, 1b + PTR_L t0, PBE_NEXT(t0) + bnez t0, 0b +- jal local_flush_tlb_all /* Avoid TLB mismatch after kernel resume */ + PTR_LA t0, saved_regs + PTR_L ra, PT_R31(t0) + PTR_L sp, PT_R29(t0) +-- +2.3.6 + + +From f0ce3bf7fa069f614101c819576cb0344076e95c Mon Sep 17 00:00:00 2001 +From: Sudip Mukherjee <sudipm.mukherjee@gmail.com> +Date: Tue, 24 Mar 2015 16:29:32 +0530 +Subject: [PATCH 044/219] staging: panel: fix lcd type +Cc: mpagano@gentoo.org + +commit 2c20d92dad5db6440cfa88d811b69fd605240ce4 upstream. + +the lcd type as defined in the Kconfig is not matching in the code. +as a result the rs, rw and en pins were getting interchanged. +Kconfig defines the value of PANEL_LCD to be 1 if we select custom +configuration but in the code LCD_TYPE_CUSTOM is defined as 5. + +my hardware is LCD_TYPE_CUSTOM, but the pins were assigned to it +as pins of LCD_TYPE_OLD, and it was not working. +Now values are corrected with referenece to the values defined in +Kconfig and it is working. +checked on JHD204A lcd with LCD_TYPE_CUSTOM configuration. + +Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org> +Acked-by: Willy Tarreau <w@1wt.eu> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/staging/panel/panel.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/staging/panel/panel.c b/drivers/staging/panel/panel.c +index 6ed35b6..04fc217 100644 +--- a/drivers/staging/panel/panel.c ++++ b/drivers/staging/panel/panel.c +@@ -335,11 +335,11 @@ static unsigned char lcd_bits[LCD_PORTS][LCD_BITS][BIT_STATES]; + * LCD types + */ + #define LCD_TYPE_NONE 0 +-#define LCD_TYPE_OLD 1 +-#define LCD_TYPE_KS0074 2 +-#define LCD_TYPE_HANTRONIX 3 +-#define LCD_TYPE_NEXCOM 4 +-#define LCD_TYPE_CUSTOM 5 ++#define LCD_TYPE_CUSTOM 1 ++#define LCD_TYPE_OLD 2 ++#define LCD_TYPE_KS0074 3 ++#define LCD_TYPE_HANTRONIX 4 ++#define LCD_TYPE_NEXCOM 5 + + /* + * keypad types +@@ -502,7 +502,7 @@ MODULE_PARM_DESC(keypad_type, + static int lcd_type = NOT_SET; + module_param(lcd_type, int, 0000); + MODULE_PARM_DESC(lcd_type, +- "LCD type: 0=none, 1=old //, 2=serial ks0074, 3=hantronix //, 4=nexcom //, 5=compiled-in"); ++ "LCD type: 0=none, 1=compiled-in, 2=old, 3=serial ks0074, 4=hantronix, 5=nexcom"); + + static int lcd_height = NOT_SET; + module_param(lcd_height, int, 0000); +-- +2.3.6 + + +From da01c0cfb196bef048fcb16727d646138d257ce3 Mon Sep 17 00:00:00 2001 +From: Alistair Strachan <alistair.strachan@imgtec.com> +Date: Tue, 24 Mar 2015 14:51:31 -0700 +Subject: [PATCH 045/219] staging: android: sync: Fix memory corruption in + sync_timeline_signal(). +Cc: mpagano@gentoo.org + +commit 8e43c9c75faf2902955bd2ecd7a50a8cc41cb00a upstream. + +The android_fence_release() function checks for active sync points +by calling list_empty() on the list head embedded on the sync +point. However, it is only valid to use list_empty() on nodes that +have been initialized with INIT_LIST_HEAD() or list_del_init(). + +Because the list entry has likely been removed from the active list +by sync_timeline_signal(), there is a good chance that this +WARN_ON_ONCE() will be hit due to dangling pointers pointing at +freed memory (even though the sync drivers did nothing wrong) +and memory corruption will ensue as the list entry is removed for +a second time, corrupting the active list. + +This problem can be reproduced quite easily with CONFIG_DEBUG_LIST=y +and fences with more than one sync point. + +Signed-off-by: Alistair Strachan <alistair.strachan@imgtec.com> +Cc: Maarten Lankhorst <maarten.lankhorst@canonical.com> +Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Cc: Colin Cross <ccross@google.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/staging/android/sync.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c +index 7bdb62b..f83e00c 100644 +--- a/drivers/staging/android/sync.c ++++ b/drivers/staging/android/sync.c +@@ -114,7 +114,7 @@ void sync_timeline_signal(struct sync_timeline *obj) + list_for_each_entry_safe(pt, next, &obj->active_list_head, + active_list) { + if (fence_is_signaled_locked(&pt->base)) +- list_del(&pt->active_list); ++ list_del_init(&pt->active_list); + } + + spin_unlock_irqrestore(&obj->child_list_lock, flags); +-- +2.3.6 + + +From c373916a7434a49607ece05dbf0f60c697ad7291 Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley <tvboxspy@gmail.com> +Date: Wed, 1 Apr 2015 22:32:52 +0100 +Subject: [PATCH 046/219] staging: vt6655: use ieee80211_tx_info to select + packet type. +Cc: mpagano@gentoo.org + +commit a6388e68321a1e0a0f408379c2a36396807745b3 upstream. + +Information for packet type is in ieee80211_tx_info + +band IEEE80211_BAND_5GHZ for PK_TYPE_11A. + +IEEE80211_TX_RC_USE_CTS_PROTECT via tx_rate flags selects PK_TYPE_11GB + +This ensures that the packet is always the right type. + +Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/staging/vt6655/rxtx.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/staging/vt6655/rxtx.c b/drivers/staging/vt6655/rxtx.c +index 07ce3fd..fdf5c56 100644 +--- a/drivers/staging/vt6655/rxtx.c ++++ b/drivers/staging/vt6655/rxtx.c +@@ -1308,10 +1308,18 @@ int vnt_generate_fifo_header(struct vnt_private *priv, u32 dma_idx, + priv->hw->conf.chandef.chan->hw_value); + } + +- if (current_rate > RATE_11M) +- pkt_type = (u8)priv->byPacketType; +- else ++ if (current_rate > RATE_11M) { ++ if (info->band == IEEE80211_BAND_5GHZ) { ++ pkt_type = PK_TYPE_11A; ++ } else { ++ if (tx_rate->flags & IEEE80211_TX_RC_USE_CTS_PROTECT) ++ pkt_type = PK_TYPE_11GB; ++ else ++ pkt_type = PK_TYPE_11GA; ++ } ++ } else { + pkt_type = PK_TYPE_11B; ++ } + + /*Set fifo controls */ + if (pkt_type == PK_TYPE_11A) +-- +2.3.6 + + +From a89d16cbd3a2838b54e404d7f8dd0af60667fa21 Mon Sep 17 00:00:00 2001 +From: NeilBrown <neilb@suse.de> +Date: Fri, 10 Apr 2015 13:19:04 +1000 +Subject: [PATCH 047/219] md/raid0: fix bug with chunksize not a power of 2. +Cc: mpagano@gentoo.org + +commit 47d68979cc968535cb87f3e5f2e6a3533ea48fbd upstream. + +Since commit 20d0189b1012a37d2533a87fb451f7852f2418d1 +in v3.14-rc1 RAID0 has performed incorrect calculations +when the chunksize is not a power of 2. + +This happens because "sector_div()" modifies its first argument, but +this wasn't taken into account in the patch. + +So restore that first arg before re-using the variable. + +Reported-by: Joe Landman <joe.landman@gmail.com> +Reported-by: Dave Chinner <david@fromorbit.com> +Fixes: 20d0189b1012a37d2533a87fb451f7852f2418d1 +Signed-off-by: NeilBrown <neilb@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/md/raid0.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/raid0.c b/drivers/md/raid0.c +index 3ed9f42..3b5d7f7 100644 +--- a/drivers/md/raid0.c ++++ b/drivers/md/raid0.c +@@ -313,7 +313,7 @@ static struct strip_zone *find_zone(struct r0conf *conf, + + /* + * remaps the bio to the target device. we separate two flows. +- * power 2 flow and a general flow for the sake of perfromance ++ * power 2 flow and a general flow for the sake of performance + */ + static struct md_rdev *map_sector(struct mddev *mddev, struct strip_zone *zone, + sector_t sector, sector_t *sector_offset) +@@ -524,6 +524,7 @@ static void raid0_make_request(struct mddev *mddev, struct bio *bio) + split = bio; + } + ++ sector = bio->bi_iter.bi_sector; + zone = find_zone(mddev->private, §or); + tmp_dev = map_sector(mddev, zone, sector, §or); + split->bi_bdev = tmp_dev->bdev; +-- +2.3.6 + + +From a3ec48fa3f64ea293bfe691a02c17c0a7d2887e1 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig <hch@infradead.org> +Date: Wed, 15 Apr 2015 09:44:37 -0700 +Subject: [PATCH 048/219] megaraid_sas: use raw_smp_processor_id() +Cc: mpagano@gentoo.org + +commit 16b8528d20607925899b1df93bfd8fbab98d267c upstream. + +We only want to steer the I/O completion towards a queue, but don't +actually access any per-CPU data, so the raw_ version is fine to use +and avoids the warnings when using smp_processor_id(). + +Signed-off-by: Christoph Hellwig <hch@lst.de> +Reported-by: Andy Lutomirski <luto@kernel.org> +Tested-by: Andy Lutomirski <luto@kernel.org> +Acked-by: Sumit Saxena <sumit.saxena@avagotech.com> +Signed-off-by: James Bottomley <JBottomley@Odin.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/scsi/megaraid/megaraid_sas_fusion.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c b/drivers/scsi/megaraid/megaraid_sas_fusion.c +index 675b5e7..5a0800d 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c ++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c +@@ -1584,11 +1584,11 @@ megasas_build_ldio_fusion(struct megasas_instance *instance, + fp_possible = io_info.fpOkForIo; + } + +- /* Use smp_processor_id() for now until cmd->request->cpu is CPU ++ /* Use raw_smp_processor_id() for now until cmd->request->cpu is CPU + id by default, not CPU group id, otherwise all MSI-X queues won't + be utilized */ + cmd->request_desc->SCSIIO.MSIxIndex = instance->msix_vectors ? +- smp_processor_id() % instance->msix_vectors : 0; ++ raw_smp_processor_id() % instance->msix_vectors : 0; + + if (fp_possible) { + megasas_set_pd_lba(io_request, scp->cmd_len, &io_info, scp, +@@ -1693,7 +1693,10 @@ megasas_build_dcdb_fusion(struct megasas_instance *instance, + << MR_RAID_CTX_RAID_FLAGS_IO_SUB_TYPE_SHIFT; + cmd->request_desc->SCSIIO.DevHandle = io_request->DevHandle; + cmd->request_desc->SCSIIO.MSIxIndex = +- instance->msix_vectors ? smp_processor_id() % instance->msix_vectors : 0; ++ instance->msix_vectors ? ++ raw_smp_processor_id() % ++ instance->msix_vectors : ++ 0; + os_timeout_value = scmd->request->timeout / HZ; + + if (instance->secure_jbod_support && +-- +2.3.6 + + +From e654ded279c44285d07a31fe6d6c6fb74a9b5465 Mon Sep 17 00:00:00 2001 +From: Sudeep Holla <sudeep.holla@arm.com> +Date: Tue, 17 Mar 2015 17:28:46 +0000 +Subject: [PATCH 049/219] drivers/base: cacheinfo: validate device node for all + the caches +Cc: mpagano@gentoo.org + +commit 8a7d95f95c95f396decbd4cda6d4903fc4664946 upstream. + +On architectures that depend on DT for obtaining cache hierarcy, we need +to validate the device node for all the cache indices, failing to do so +might result in wrong information being exposed to the userspace. + +This is quite possible on initial/incomplete versions of the device +trees. In such cases, it's better to bail out if all the required device +nodes are not present. + +This patch adds checks for the validation of device node for all the +caches and doesn't initialise the cacheinfo if there's any error. + +Reported-by: Mark Rutland <mark.rutland@arm.com> +Acked-by: Mark Rutland <mark.rutland@arm.com> +Signed-off-by: Sudeep Holla <sudeep.holla@arm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/base/cacheinfo.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/base/cacheinfo.c b/drivers/base/cacheinfo.c +index 6e64563..9c2ba1c 100644 +--- a/drivers/base/cacheinfo.c ++++ b/drivers/base/cacheinfo.c +@@ -62,15 +62,21 @@ static int cache_setup_of_node(unsigned int cpu) + return -ENOENT; + } + +- while (np && index < cache_leaves(cpu)) { ++ while (index < cache_leaves(cpu)) { + this_leaf = this_cpu_ci->info_list + index; + if (this_leaf->level != 1) + np = of_find_next_cache_node(np); + else + np = of_node_get(np);/* cpu node itself */ ++ if (!np) ++ break; + this_leaf->of_node = np; + index++; + } ++ ++ if (index != cache_leaves(cpu)) /* not all OF nodes populated */ ++ return -ENOENT; ++ + return 0; + } + +@@ -189,8 +195,11 @@ static int detect_cache_attributes(unsigned int cpu) + * will be set up here only if they are not populated already + */ + ret = cache_shared_cpu_map_setup(cpu); +- if (ret) ++ if (ret) { ++ pr_warn("Unable to detect cache hierarcy from DT for CPU %d\n", ++ cpu); + goto free_ci; ++ } + return 0; + + free_ci: +-- +2.3.6 + + +From 766f84104c3a294da5c4f1660589b3d167c5b1c6 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum <oneukum@suse.de> +Date: Fri, 20 Mar 2015 14:29:34 +0100 +Subject: [PATCH 050/219] cdc-wdm: fix endianness bug in debug statements +Cc: mpagano@gentoo.org + +commit 323ece54e0761198946ecd0c2091f1d2bfdfcb64 upstream. + +Values directly from descriptors given in debug statements +must be converted to native endianness. + +Signed-off-by: Oliver Neukum <oneukum@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/usb/class/cdc-wdm.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c +index a051a7a..a81f9dd 100644 +--- a/drivers/usb/class/cdc-wdm.c ++++ b/drivers/usb/class/cdc-wdm.c +@@ -245,7 +245,7 @@ static void wdm_int_callback(struct urb *urb) + case USB_CDC_NOTIFY_RESPONSE_AVAILABLE: + dev_dbg(&desc->intf->dev, + "NOTIFY_RESPONSE_AVAILABLE received: index %d len %d", +- dr->wIndex, dr->wLength); ++ le16_to_cpu(dr->wIndex), le16_to_cpu(dr->wLength)); + break; + + case USB_CDC_NOTIFY_NETWORK_CONNECTION: +@@ -262,7 +262,9 @@ static void wdm_int_callback(struct urb *urb) + clear_bit(WDM_POLL_RUNNING, &desc->flags); + dev_err(&desc->intf->dev, + "unknown notification %d received: index %d len %d\n", +- dr->bNotificationType, dr->wIndex, dr->wLength); ++ dr->bNotificationType, ++ le16_to_cpu(dr->wIndex), ++ le16_to_cpu(dr->wLength)); + goto exit; + } + +@@ -408,7 +410,7 @@ static ssize_t wdm_write + USB_RECIP_INTERFACE); + req->bRequest = USB_CDC_SEND_ENCAPSULATED_COMMAND; + req->wValue = 0; +- req->wIndex = desc->inum; ++ req->wIndex = desc->inum; /* already converted */ + req->wLength = cpu_to_le16(count); + set_bit(WDM_IN_USE, &desc->flags); + desc->outbuf = buf; +@@ -422,7 +424,7 @@ static ssize_t wdm_write + rv = usb_translate_errors(rv); + } else { + dev_dbg(&desc->intf->dev, "Tx URB has been submitted index=%d", +- req->wIndex); ++ le16_to_cpu(req->wIndex)); + } + out: + usb_autopm_put_interface(desc->intf); +@@ -820,7 +822,7 @@ static int wdm_create(struct usb_interface *intf, struct usb_endpoint_descriptor + desc->irq->bRequestType = (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE); + desc->irq->bRequest = USB_CDC_GET_ENCAPSULATED_RESPONSE; + desc->irq->wValue = 0; +- desc->irq->wIndex = desc->inum; ++ desc->irq->wIndex = desc->inum; /* already converted */ + desc->irq->wLength = cpu_to_le16(desc->wMaxCommand); + + usb_fill_control_urb( +-- +2.3.6 + + +From 7df0c5a403d2e9a1698a6ebdcf6e37a0639aad85 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven <geert+renesas@glider.be> +Date: Wed, 18 Feb 2015 17:34:59 +0100 +Subject: [PATCH 051/219] mmc: tmio: Remove bogus un-initialization in + tmio_mmc_host_free() +Cc: mpagano@gentoo.org + +commit 13a6a2ed1f5e77ae47c2b1a8e3bf22b2fa2d56ba upstream. + +If CONFIG_DEBUG_SLAB=y: + + sh_mobile_sdhi ee100000.sd: Got CD GPIO + sh_mobile_sdhi ee100000.sd: Got WP GPIO + platform ee100000.sd: Driver sh_mobile_sdhi requests probe deferral + ... + Slab corruption (Not tainted): kmalloc-1024 start=ed8b3c00, len=1024 + 2d0: 00 00 00 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b ....kkkkkkkkkkkk + Prev obj: start=ed8b3800, len=1024 + 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk + 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk + +Struct tmio_mmc_host is embedded inside struct mmc_host, and thus is +freed by the call to mmc_free_host(). Hence it must not be written to +afterwards, as that will corrupt freed (and perhaps already reused) +memory. + +Fixes: 94b110aff8679b14 ("mmc: tmio: add tmio_mmc_host_alloc/free()") +Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> +Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/mmc/host/tmio_mmc_pio.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/mmc/host/tmio_mmc_pio.c b/drivers/mmc/host/tmio_mmc_pio.c +index a31c357..dba7e1c 100644 +--- a/drivers/mmc/host/tmio_mmc_pio.c ++++ b/drivers/mmc/host/tmio_mmc_pio.c +@@ -1073,8 +1073,6 @@ EXPORT_SYMBOL(tmio_mmc_host_alloc); + void tmio_mmc_host_free(struct tmio_mmc_host *host) + { + mmc_free_host(host->mmc); +- +- host->mmc = NULL; + } + EXPORT_SYMBOL(tmio_mmc_host_free); + +-- +2.3.6 + + +From 85895968a9444e810f96cc951c6b5fc7dd183296 Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai <wens@csie.org> +Date: Tue, 3 Mar 2015 09:44:40 +0800 +Subject: [PATCH 052/219] mmc: sunxi: Use devm_reset_control_get_optional() for + reset control +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Cc: mpagano@gentoo.org + +commit 9e71c589e44ddf2b86f361c81e360c6b0d0354b1 upstream. + +The reset control for the sunxi mmc controller is optional. Some +newer platforms (sun6i, sun8i, sun9i) have it, while older ones +(sun4i, sun5i, sun7i) don't. + +Use the properly stubbed _optional version so the driver does not +fail to compile when RESET_CONTROLLER=n. + +This patch also adds a check for deferred probing on the reset +control. + +Signed-off-by: Chen-Yu Tsai <wens@csie.org> +Acked-by: David Lanzendörfer <david.lanzendoerfer@o2s.ch> +Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/mmc/host/sunxi-mmc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/sunxi-mmc.c b/drivers/mmc/host/sunxi-mmc.c +index e8a4218..459ed1b 100644 +--- a/drivers/mmc/host/sunxi-mmc.c ++++ b/drivers/mmc/host/sunxi-mmc.c +@@ -930,7 +930,9 @@ static int sunxi_mmc_resource_request(struct sunxi_mmc_host *host, + return PTR_ERR(host->clk_sample); + } + +- host->reset = devm_reset_control_get(&pdev->dev, "ahb"); ++ host->reset = devm_reset_control_get_optional(&pdev->dev, "ahb"); ++ if (PTR_ERR(host->reset) == -EPROBE_DEFER) ++ return PTR_ERR(host->reset); + + ret = clk_prepare_enable(host->clk_ahb); + if (ret) { +-- +2.3.6 + + +From 662552a3bf88447e8985bdad78fc7e548487416b Mon Sep 17 00:00:00 2001 +From: Lucas Stach <l.stach@pengutronix.de> +Date: Wed, 1 Apr 2015 10:46:15 +0200 +Subject: [PATCH 053/219] spi: imx: read back the RX/TX watermark levels + earlier +Cc: mpagano@gentoo.org + +commit f511ab09dfb0fe7b2335eccac51ff9f001a32e4a upstream. + +They are used to decide if the controller can do DMA on a buffer +of a specific length and thus are needed before any transfer is attempted. + +This fixes a memory leak where the SPI core uses the drivers can_dma() +callback to determine if a buffer needs to be mapped. As the watermark +levels aren't correct at that point the driver falsely claims to be able to +DMA the buffer when it fact it isn't. +After the transfer has been done the core uses the same callback to +determine if it needs to unmap the buffers. As the driver now correctly +claims to not being able to DMA the buffer the core doesn't attempt to +unmap the buffer which leaves the SGT leaking. + +Fixes: f62caccd12c17e4 (spi: spi-imx: add DMA support) +Signed-off-by: Lucas Stach <l.stach@pengutronix.de> +Signed-off-by: Mark Brown <broonie@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/spi/spi-imx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index 6fea4af..aea3a67 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -370,8 +370,6 @@ static int __maybe_unused mx51_ecspi_config(struct spi_imx_data *spi_imx, + if (spi_imx->dma_is_inited) { + dma = readl(spi_imx->base + MX51_ECSPI_DMA); + +- spi_imx->tx_wml = spi_imx_get_fifosize(spi_imx) / 2; +- spi_imx->rx_wml = spi_imx_get_fifosize(spi_imx) / 2; + spi_imx->rxt_wml = spi_imx_get_fifosize(spi_imx) / 2; + rx_wml_cfg = spi_imx->rx_wml << MX51_ECSPI_DMA_RX_WML_OFFSET; + tx_wml_cfg = spi_imx->tx_wml << MX51_ECSPI_DMA_TX_WML_OFFSET; +@@ -868,6 +866,8 @@ static int spi_imx_sdma_init(struct device *dev, struct spi_imx_data *spi_imx, + master->max_dma_len = MAX_SDMA_BD_BYTES; + spi_imx->bitbang.master->flags = SPI_MASTER_MUST_RX | + SPI_MASTER_MUST_TX; ++ spi_imx->tx_wml = spi_imx_get_fifosize(spi_imx) / 2; ++ spi_imx->rx_wml = spi_imx_get_fifosize(spi_imx) / 2; + spi_imx->dma_is_inited = 1; + + return 0; +-- +2.3.6 + + +From 721669bff3eaa852476783845293dca50431ce5b Mon Sep 17 00:00:00 2001 +From: Ian Abbott <abbotti@mev.co.uk> +Date: Mon, 23 Mar 2015 17:50:27 +0000 +Subject: [PATCH 054/219] spi: spidev: fix possible arithmetic overflow for + multi-transfer message +Cc: mpagano@gentoo.org + +commit f20fbaad7620af2df36a1f9d1c9ecf48ead5b747 upstream. + +`spidev_message()` sums the lengths of the individual SPI transfers to +determine the overall SPI message length. It restricts the total +length, returning an error if too long, but it does not check for +arithmetic overflow. For example, if the SPI message consisted of two +transfers and the first has a length of 10 and the second has a length +of (__u32)(-1), the total length would be seen as 9, even though the +second transfer is actually very long. If the second transfer specifies +a null `rx_buf` and a non-null `tx_buf`, the `copy_from_user()` could +overrun the spidev's pre-allocated tx buffer before it reaches an +invalid user memory address. Fix it by checking that neither the total +nor the individual transfer lengths exceed the maximum allowed value. + +Thanks to Dan Carpenter for reporting the potential integer overflow. + +Signed-off-by: Ian Abbott <abbotti@mev.co.uk> +Signed-off-by: Mark Brown <broonie@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/spi/spidev.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c +index 4eb7a98..7bf5186 100644 +--- a/drivers/spi/spidev.c ++++ b/drivers/spi/spidev.c +@@ -245,7 +245,10 @@ static int spidev_message(struct spidev_data *spidev, + k_tmp->len = u_tmp->len; + + total += k_tmp->len; +- if (total > bufsiz) { ++ /* Check total length of transfers. Also check each ++ * transfer length to avoid arithmetic overflow. ++ */ ++ if (total > bufsiz || k_tmp->len > bufsiz) { + status = -EMSGSIZE; + goto done; + } +-- +2.3.6 + + +From 855715fa0e283d4ff8280c79ac2c531116bc3290 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski <k.kozlowski@samsung.com> +Date: Thu, 12 Mar 2015 08:43:59 +0100 +Subject: [PATCH 055/219] compal-laptop: Fix leaking hwmon device +Cc: mpagano@gentoo.org + +commit ad774702f1705c04e5fa492b793d8d477a504fa6 upstream. + +The commit c2be45f09bb0 ("compal-laptop: Use +devm_hwmon_device_register_with_groups") wanted to change the +registering of hwmon device to resource-managed version. It mostly did +it except the main thing - it forgot to use devm-like function so the +hwmon device leaked after device removal or probe failure. + +Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com> +Fixes: c2be45f09bb0 ("compal-laptop: Use devm_hwmon_device_register_with_groups") +Acked-by: Guenter Roeck <linux@roeck-us.net> +Acked-by: Darren Hart <dvhart@linux.intel.com> +Signed-off-by: Sebastian Reichel <sre@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/platform/x86/compal-laptop.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/platform/x86/compal-laptop.c b/drivers/platform/x86/compal-laptop.c +index 15c0fab..eb9885e 100644 +--- a/drivers/platform/x86/compal-laptop.c ++++ b/drivers/platform/x86/compal-laptop.c +@@ -1026,9 +1026,9 @@ static int compal_probe(struct platform_device *pdev) + if (err) + return err; + +- hwmon_dev = hwmon_device_register_with_groups(&pdev->dev, +- "compal", data, +- compal_hwmon_groups); ++ hwmon_dev = devm_hwmon_device_register_with_groups(&pdev->dev, ++ "compal", data, ++ compal_hwmon_groups); + if (IS_ERR(hwmon_dev)) { + err = PTR_ERR(hwmon_dev); + goto remove; +-- +2.3.6 + + +From 7d91365ba6ce7256b1afb1197aecf3dd0dca6e65 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski <k.kozlowski@samsung.com> +Date: Thu, 12 Mar 2015 08:44:00 +0100 +Subject: [PATCH 056/219] compal-laptop: Check return value of + power_supply_register +Cc: mpagano@gentoo.org + +commit 1915a718b1872edffcb13e5436a9f7302d3d36f0 upstream. + +The return value of power_supply_register() call was not checked and +even on error probe() function returned 0. If registering failed then +during unbind the driver tried to unregister power supply which was not +actually registered. + +This could lead to memory corruption because power_supply_unregister() +unconditionally cleans up given power supply. + +Fix this by checking return status of power_supply_register() call. In +case of failure, clean up sysfs entries and fail the probe. + +Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com> +Fixes: 9be0fcb5ed46 ("compal-laptop: add JHL90, battery & hwmon interface") +Signed-off-by: Sebastian Reichel <sre@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/platform/x86/compal-laptop.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/compal-laptop.c b/drivers/platform/x86/compal-laptop.c +index eb9885e..bceb30b 100644 +--- a/drivers/platform/x86/compal-laptop.c ++++ b/drivers/platform/x86/compal-laptop.c +@@ -1036,7 +1036,9 @@ static int compal_probe(struct platform_device *pdev) + + /* Power supply */ + initialize_power_supply_data(data); +- power_supply_register(&compal_device->dev, &data->psy); ++ err = power_supply_register(&compal_device->dev, &data->psy); ++ if (err < 0) ++ goto remove; + + platform_set_drvdata(pdev, data); + +-- +2.3.6 + + +From 676ee802b67bf6ea0287ab5b25ae3f551cf27f74 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt <rostedt@goodmis.org> +Date: Tue, 17 Mar 2015 10:40:38 -0400 +Subject: [PATCH 057/219] ring-buffer: Replace this_cpu_*() with __this_cpu_*() +Cc: mpagano@gentoo.org + +commit 80a9b64e2c156b6523e7a01f2ba6e5d86e722814 upstream. + +It has come to my attention that this_cpu_read/write are horrible on +architectures other than x86. Worse yet, they actually disable +preemption or interrupts! This caused some unexpected tracing results +on ARM. + + 101.356868: preempt_count_add <-ring_buffer_lock_reserve + 101.356870: preempt_count_sub <-ring_buffer_lock_reserve + +The ring_buffer_lock_reserve has recursion protection that requires +accessing a per cpu variable. But since preempt_disable() is traced, it +too got traced while accessing the variable that is suppose to prevent +recursion like this. + +The generic version of this_cpu_read() and write() are: + + #define this_cpu_generic_read(pcp) \ + ({ typeof(pcp) ret__; \ + preempt_disable(); \ + ret__ = *this_cpu_ptr(&(pcp)); \ + preempt_enable(); \ + ret__; \ + }) + + #define this_cpu_generic_to_op(pcp, val, op) \ + do { \ + unsigned long flags; \ + raw_local_irq_save(flags); \ + *__this_cpu_ptr(&(pcp)) op val; \ + raw_local_irq_restore(flags); \ + } while (0) + +Which is unacceptable for locations that know they are within preempt +disabled or interrupt disabled locations. + +Paul McKenney stated that __this_cpu_() versions produce much better code on +other architectures than this_cpu_() does, if we know that the call is done in +a preempt disabled location. + +I also changed the recursive_unlock() to use two local variables instead +of accessing the per_cpu variable twice. + +Link: http://lkml.kernel.org/r/20150317114411.GE3589@linux.vnet.ibm.com +Link: http://lkml.kernel.org/r/20150317104038.312e73d1@gandalf.local.home + +Acked-by: Christoph Lameter <cl@linux.com> +Reported-by: Uwe Kleine-Koenig <u.kleine-koenig@pengutronix.de> +Tested-by: Uwe Kleine-Koenig <u.kleine-koenig@pengutronix.de> +Signed-off-by: Steven Rostedt <rostedt@goodmis.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + kernel/trace/ring_buffer.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 5040d44..922048a 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -2679,7 +2679,7 @@ static DEFINE_PER_CPU(unsigned int, current_context); + + static __always_inline int trace_recursive_lock(void) + { +- unsigned int val = this_cpu_read(current_context); ++ unsigned int val = __this_cpu_read(current_context); + int bit; + + if (in_interrupt()) { +@@ -2696,18 +2696,17 @@ static __always_inline int trace_recursive_lock(void) + return 1; + + val |= (1 << bit); +- this_cpu_write(current_context, val); ++ __this_cpu_write(current_context, val); + + return 0; + } + + static __always_inline void trace_recursive_unlock(void) + { +- unsigned int val = this_cpu_read(current_context); ++ unsigned int val = __this_cpu_read(current_context); + +- val--; +- val &= this_cpu_read(current_context); +- this_cpu_write(current_context, val); ++ val &= val & (val - 1); ++ __this_cpu_write(current_context, val); + } + + #else +-- +2.3.6 + + +From 85020c092b437aaceec966678ec5fd9f7792b547 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski <k.kozlowski@samsung.com> +Date: Fri, 20 Feb 2015 14:32:22 +0100 +Subject: [PATCH 058/219] power_supply: twl4030_madc: Check return value of + power_supply_register +Cc: mpagano@gentoo.org + +commit 68c3ed6fa7e0d69529ced772d650ab128916a81d upstream. + +The return value of power_supply_register() call was not checked and +even on error probe() function returned 0. If registering failed then +during unbind the driver tried to unregister power supply which was not +actually registered. + +This could lead to memory corruption because power_supply_unregister() +unconditionally cleans up given power supply. + +Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com> +Fixes: da0a00ebc239 ("power: Add twl4030_madc battery driver.") +Signed-off-by: Sebastian Reichel <sre@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/power/twl4030_madc_battery.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/twl4030_madc_battery.c b/drivers/power/twl4030_madc_battery.c +index 7ef445a..cf90760 100644 +--- a/drivers/power/twl4030_madc_battery.c ++++ b/drivers/power/twl4030_madc_battery.c +@@ -192,6 +192,7 @@ static int twl4030_madc_battery_probe(struct platform_device *pdev) + { + struct twl4030_madc_battery *twl4030_madc_bat; + struct twl4030_madc_bat_platform_data *pdata = pdev->dev.platform_data; ++ int ret = 0; + + twl4030_madc_bat = kzalloc(sizeof(*twl4030_madc_bat), GFP_KERNEL); + if (!twl4030_madc_bat) +@@ -216,9 +217,11 @@ static int twl4030_madc_battery_probe(struct platform_device *pdev) + + twl4030_madc_bat->pdata = pdata; + platform_set_drvdata(pdev, twl4030_madc_bat); +- power_supply_register(&pdev->dev, &twl4030_madc_bat->psy); ++ ret = power_supply_register(&pdev->dev, &twl4030_madc_bat->psy); ++ if (ret < 0) ++ kfree(twl4030_madc_bat); + +- return 0; ++ return ret; + } + + static int twl4030_madc_battery_remove(struct platform_device *pdev) +-- +2.3.6 + + +From e7b8d14c9be1ddb14796569a636807647e30724c Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski <k.kozlowski@samsung.com> +Date: Fri, 20 Feb 2015 14:32:25 +0100 +Subject: [PATCH 059/219] power_supply: lp8788-charger: Fix leaked power supply + on probe fail +Cc: mpagano@gentoo.org + +commit a7117f81e8391e035c49b3440792f7e6cea28173 upstream. + +Driver forgot to unregister charger power supply if registering of +battery supply failed in probe(). In such case the memory associated +with power supply leaked. + +Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com> +Fixes: 98a276649358 ("power_supply: Add new lp8788 charger driver") +Signed-off-by: Sebastian Reichel <sre@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/power/lp8788-charger.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/power/lp8788-charger.c b/drivers/power/lp8788-charger.c +index 21fc233..176dab2 100644 +--- a/drivers/power/lp8788-charger.c ++++ b/drivers/power/lp8788-charger.c +@@ -417,8 +417,10 @@ static int lp8788_psy_register(struct platform_device *pdev, + pchg->battery.num_properties = ARRAY_SIZE(lp8788_battery_prop); + pchg->battery.get_property = lp8788_battery_get_property; + +- if (power_supply_register(&pdev->dev, &pchg->battery)) ++ if (power_supply_register(&pdev->dev, &pchg->battery)) { ++ power_supply_unregister(&pchg->charger); + return -EPERM; ++ } + + return 0; + } +-- +2.3.6 + + +From a8cb866f5168eaec313528f7059b0025b859cccf Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski <k.kozlowski@samsung.com> +Date: Fri, 20 Feb 2015 14:32:23 +0100 +Subject: [PATCH 060/219] power_supply: ipaq_micro_battery: Fix leaking + workqueue +Cc: mpagano@gentoo.org + +commit f852ec461e24504690445e7d281cbe806df5ccef upstream. + +Driver allocates singlethread workqueue in probe but it is not destroyed +during removal. + +Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com> +Fixes: 00a588f9d27f ("power: add driver for battery reading on iPaq h3xxx") +Signed-off-by: Sebastian Reichel <sre@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/power/ipaq_micro_battery.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/power/ipaq_micro_battery.c b/drivers/power/ipaq_micro_battery.c +index 9d69460..698cf16 100644 +--- a/drivers/power/ipaq_micro_battery.c ++++ b/drivers/power/ipaq_micro_battery.c +@@ -251,6 +251,7 @@ static int micro_batt_remove(struct platform_device *pdev) + power_supply_unregister(µ_ac_power); + power_supply_unregister(µ_batt_power); + cancel_delayed_work_sync(&mb->update); ++ destroy_workqueue(mb->wq); + + return 0; + } +-- +2.3.6 + + +From 640e9bd83b3a3bc313eb0ade22effbab5c135a76 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski <k.kozlowski@samsung.com> +Date: Fri, 20 Feb 2015 14:32:24 +0100 +Subject: [PATCH 061/219] power_supply: ipaq_micro_battery: Check return values + in probe +Cc: mpagano@gentoo.org + +commit a2c1d531854c4319610f1d83351213b47a633969 upstream. + +The return values of create_singlethread_workqueue() and +power_supply_register() calls were not checked and even on error probe() +function returned 0. + +1. If allocation of workqueue failed (returning NULL) then further + accesses could lead to NULL pointer dereference. The + queue_delayed_work() expects workqueue to be non-NULL. + +2. If registration of power supply failed then during unbind the driver + tried to unregister power supply which was not actually registered. + This could lead to memory corruption because + power_supply_unregister() unconditionally cleans up given power + supply. + +Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com> +Fixes: 00a588f9d27f ("power: add driver for battery reading on iPaq h3xxx") +Signed-off-by: Sebastian Reichel <sre@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/power/ipaq_micro_battery.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/ipaq_micro_battery.c b/drivers/power/ipaq_micro_battery.c +index 698cf16..96b15e0 100644 +--- a/drivers/power/ipaq_micro_battery.c ++++ b/drivers/power/ipaq_micro_battery.c +@@ -226,6 +226,7 @@ static struct power_supply micro_ac_power = { + static int micro_batt_probe(struct platform_device *pdev) + { + struct micro_battery *mb; ++ int ret; + + mb = devm_kzalloc(&pdev->dev, sizeof(*mb), GFP_KERNEL); + if (!mb) +@@ -233,14 +234,30 @@ static int micro_batt_probe(struct platform_device *pdev) + + mb->micro = dev_get_drvdata(pdev->dev.parent); + mb->wq = create_singlethread_workqueue("ipaq-battery-wq"); ++ if (!mb->wq) ++ return -ENOMEM; ++ + INIT_DELAYED_WORK(&mb->update, micro_battery_work); + platform_set_drvdata(pdev, mb); + queue_delayed_work(mb->wq, &mb->update, 1); +- power_supply_register(&pdev->dev, µ_batt_power); +- power_supply_register(&pdev->dev, µ_ac_power); ++ ++ ret = power_supply_register(&pdev->dev, µ_batt_power); ++ if (ret < 0) ++ goto batt_err; ++ ++ ret = power_supply_register(&pdev->dev, µ_ac_power); ++ if (ret < 0) ++ goto ac_err; + + dev_info(&pdev->dev, "iPAQ micro battery driver\n"); + return 0; ++ ++ac_err: ++ power_supply_unregister(µ_ac_power); ++batt_err: ++ cancel_delayed_work_sync(&mb->update); ++ destroy_workqueue(mb->wq); ++ return ret; + } + + static int micro_batt_remove(struct platform_device *pdev) +-- +2.3.6 + + +From 4fc2e2c56db0c05c62444ed7bc8d285704155386 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum <oneukum@suse.de> +Date: Wed, 25 Mar 2015 15:13:36 +0100 +Subject: [PATCH 062/219] HID: add HP OEM mouse to quirk ALWAYS_POLL +Cc: mpagano@gentoo.org + +commit 7a8e53c414c8183e8735e3b08d9a776200e6e665 upstream. + +This mouse needs QUIRK_ALWAYS_POLL. + +Signed-off-by: Oliver Neukum <oneukum@suse.de> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/usbhid/hid-quirks.c | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 9c47867..7ace715 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -459,6 +459,9 @@ + #define USB_DEVICE_ID_UGCI_FLYING 0x0020 + #define USB_DEVICE_ID_UGCI_FIGHTING 0x0030 + ++#define USB_VENDOR_ID_HP 0x03f0 ++#define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE 0x0a4a ++ + #define USB_VENDOR_ID_HUION 0x256c + #define USB_DEVICE_ID_HUION_TABLET 0x006e + +diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c +index a821277..fe6c60d 100644 +--- a/drivers/hid/usbhid/hid-quirks.c ++++ b/drivers/hid/usbhid/hid-quirks.c +@@ -78,6 +78,7 @@ static const struct hid_blacklist { + { USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2700, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_FORMOSA, USB_DEVICE_ID_FORMOSA_IR_RECEIVER, HID_QUIRK_NO_INIT_REPORTS }, + { USB_VENDOR_ID_FREESCALE, USB_DEVICE_ID_FREESCALE_MX28, HID_QUIRK_NOGET }, ++ { USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL }, + { USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_C077, HID_QUIRK_ALWAYS_POLL }, + { USB_VENDOR_ID_MGE, USB_DEVICE_ID_MGE_UPS, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3, HID_QUIRK_NO_INIT_REPORTS }, +-- +2.3.6 + + +From 66997b1d6c47e793556da41877262f5ac92e8d4d Mon Sep 17 00:00:00 2001 +From: Oliver Neukum <oneukum@suse.de> +Date: Wed, 25 Mar 2015 15:38:31 +0100 +Subject: [PATCH 063/219] HID: add quirk for PIXART OEM mouse used by HP +Cc: mpagano@gentoo.org + +commit b70b82580248b5393241c986082842ec05a2b7d7 upstream. + +This mouse is also known under other IDs. It needs the quirk or will disconnect +in runlevel 1 or 3. + +Signed-off-by: Oliver Neukum <oneukum@suse.de> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/usbhid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 7ace715..7fe5590 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -461,6 +461,7 @@ + + #define USB_VENDOR_ID_HP 0x03f0 + #define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE 0x0a4a ++#define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE 0x134a + + #define USB_VENDOR_ID_HUION 0x256c + #define USB_DEVICE_ID_HUION_TABLET 0x006e +diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c +index fe6c60d..4e3ae9f 100644 +--- a/drivers/hid/usbhid/hid-quirks.c ++++ b/drivers/hid/usbhid/hid-quirks.c +@@ -79,6 +79,7 @@ static const struct hid_blacklist { + { USB_VENDOR_ID_FORMOSA, USB_DEVICE_ID_FORMOSA_IR_RECEIVER, HID_QUIRK_NO_INIT_REPORTS }, + { USB_VENDOR_ID_FREESCALE, USB_DEVICE_ID_FREESCALE_MX28, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL }, ++ { USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL }, + { USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_C077, HID_QUIRK_ALWAYS_POLL }, + { USB_VENDOR_ID_MGE, USB_DEVICE_ID_MGE_UPS, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3, HID_QUIRK_NO_INIT_REPORTS }, +-- +2.3.6 + + +From 3bc3783ea692a04256e2cf027bfd98bf7b8d82a6 Mon Sep 17 00:00:00 2001 +From: Andrew Elble <aweits@rit.edu> +Date: Mon, 23 Feb 2015 08:51:24 -0500 +Subject: [PATCH 064/219] NFS: fix BUG() crash in notify_change() with patch to + chown_common() +Cc: mpagano@gentoo.org + +commit c1b8940b42bb6487b10f2267a96b486276ce9ff7 upstream. + +We have observed a BUG() crash in fs/attr.c:notify_change(). The crash +occurs during an rsync into a filesystem that is exported via NFS. + +1.) fs/attr.c:notify_change() modifies the caller's version of attr. +2.) 6de0ec00ba8d ("VFS: make notify_change pass ATTR_KILL_S*ID to + setattr operations") introduced a BUG() restriction such that "no + function will ever call notify_change() with both ATTR_MODE and + ATTR_KILL_S*ID set". Under some circumstances though, it will have + assisted in setting the caller's version of attr to this very + combination. +3.) 27ac0ffeac80 ("locks: break delegations on any attribute + modification") introduced code to handle breaking + delegations. This can result in notify_change() being re-called. attr + _must_ be explicitly reset to avoid triggering the BUG() established + in #2. +4.) The path that that triggers this is via fs/open.c:chmod_common(). + The combination of attr flags set here and in the first call to + notify_change() along with a later failed break_deleg_wait() + results in notify_change() being called again via retry_deleg + without resetting attr. + +Solution is to move retry_deleg in chmod_common() a bit further up to +ensure attr is completely reset. + +There are other places where this seemingly could occur, such as +fs/utimes.c:utimes_common(), but the attr flags are not initially +set in such a way to trigger this. + +Fixes: 27ac0ffeac80 ("locks: break delegations on any attribute modification") +Reported-by: Eric Meddaugh <etmsys@rit.edu> +Tested-by: Eric Meddaugh <etmsys@rit.edu> +Signed-off-by: Andrew Elble <aweits@rit.edu> +Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/open.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/open.c b/fs/open.c +index 33f9cbf..44a3be1 100644 +--- a/fs/open.c ++++ b/fs/open.c +@@ -570,6 +570,7 @@ static int chown_common(struct path *path, uid_t user, gid_t group) + uid = make_kuid(current_user_ns(), user); + gid = make_kgid(current_user_ns(), group); + ++retry_deleg: + newattrs.ia_valid = ATTR_CTIME; + if (user != (uid_t) -1) { + if (!uid_valid(uid)) +@@ -586,7 +587,6 @@ static int chown_common(struct path *path, uid_t user, gid_t group) + if (!S_ISDIR(inode->i_mode)) + newattrs.ia_valid |= + ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV; +-retry_deleg: + mutex_lock(&inode->i_mutex); + error = security_path_chown(path, uid, gid); + if (!error) +-- +2.3.6 + + +From 46d09e1c86167373dcb343cfd6c901c78624ff01 Mon Sep 17 00:00:00 2001 +From: Russell King <rmk+kernel@arm.linux.org.uk> +Date: Wed, 1 Apr 2015 16:20:39 +0100 +Subject: [PATCH 065/219] ARM: fix broken hibernation +Cc: mpagano@gentoo.org + +commit 767bf7e7a1e82a81c59778348d156993d0a6175d upstream. + +Normally, when a CPU wants to clear a cache line to zero in the external +L2 cache, it would generate bus cycles to write each word as it would do +with any other data access. + +However, a Cortex A9 connected to a L2C-310 has a specific feature where +the CPU can detect this operation, and signal that it wants to zero an +entire cache line. This feature, known as Full Line of Zeros (FLZ), +involves a non-standard AXI signalling mechanism which only the L2C-310 +can properly interpret. + +There are separate enable bits in both the L2C-310 and the Cortex A9 - +the L2C-310 needs to be enabled and have the FLZ enable bit set in the +auxiliary control register before the Cortex A9 has this feature +enabled. + +Unfortunately, the suspend code was not respecting this - it's not +obvious from the code: + +swsusp_arch_suspend() + cpu_suspend() /* saves the Cortex A9 auxiliary control register */ + arch_save_image() + soft_restart() /* turns off FLZ in Cortex A9, and disables L2C */ + cpu_resume() /* restores the Cortex A9 registers, inc auxcr */ + +At this point, we end up with the L2C disabled, but the Cortex A9 with +FLZ enabled - which means any memset() or zeroing of a full cache line +will fail to take effect. + +A similar issue exists in the resume path, but it's slightly more +complex: + +swsusp_arch_suspend() + cpu_suspend() /* saves the Cortex A9 auxiliary control register */ + arch_save_image() /* image with A9 auxcr saved */ +... +swsusp_arch_resume() + call_with_stack() + arch_restore_image() /* restores image with A9 auxcr saved above */ + soft_restart() /* turns off FLZ in Cortex A9, and disables L2C */ + cpu_resume() /* restores the Cortex A9 registers, inc auxcr */ + +Again, here we end up with the L2C disabled, but Cortex A9 FLZ enabled. + +There's no need to turn off the L2C in either of these two paths; there +are benefits from not doing so - for example, the page copies will be +faster with the L2C enabled. + +Hence, fix this by providing a variant of soft_restart() which can be +used without turning the L2 cache controller off, and use it in both +of these paths to keep the L2C enabled across the respective resume +transitions. + +Fixes: 8ef418c7178f ("ARM: l2c: trial at enabling some Cortex-A9 optimisations") +Reported-by: Sean Cross <xobs@kosagi.com> +Tested-by: Sean Cross <xobs@kosagi.com> +Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/arm/kernel/hibernate.c | 5 +++-- + arch/arm/kernel/process.c | 10 ++++++++-- + arch/arm/kernel/reboot.h | 6 ++++++ + 3 files changed, 17 insertions(+), 4 deletions(-) + create mode 100644 arch/arm/kernel/reboot.h + +diff --git a/arch/arm/kernel/hibernate.c b/arch/arm/kernel/hibernate.c +index c4cc50e..cfb354f 100644 +--- a/arch/arm/kernel/hibernate.c ++++ b/arch/arm/kernel/hibernate.c +@@ -22,6 +22,7 @@ + #include <asm/suspend.h> + #include <asm/memory.h> + #include <asm/sections.h> ++#include "reboot.h" + + int pfn_is_nosave(unsigned long pfn) + { +@@ -61,7 +62,7 @@ static int notrace arch_save_image(unsigned long unused) + + ret = swsusp_save(); + if (ret == 0) +- soft_restart(virt_to_phys(cpu_resume)); ++ _soft_restart(virt_to_phys(cpu_resume), false); + return ret; + } + +@@ -86,7 +87,7 @@ static void notrace arch_restore_image(void *unused) + for (pbe = restore_pblist; pbe; pbe = pbe->next) + copy_page(pbe->orig_address, pbe->address); + +- soft_restart(virt_to_phys(cpu_resume)); ++ _soft_restart(virt_to_phys(cpu_resume), false); + } + + static u64 resume_stack[PAGE_SIZE/2/sizeof(u64)] __nosavedata; +diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c +index fdfa3a7..2bf1a16 100644 +--- a/arch/arm/kernel/process.c ++++ b/arch/arm/kernel/process.c +@@ -41,6 +41,7 @@ + #include <asm/system_misc.h> + #include <asm/mach/time.h> + #include <asm/tls.h> ++#include "reboot.h" + + #ifdef CONFIG_CC_STACKPROTECTOR + #include <linux/stackprotector.h> +@@ -95,7 +96,7 @@ static void __soft_restart(void *addr) + BUG(); + } + +-void soft_restart(unsigned long addr) ++void _soft_restart(unsigned long addr, bool disable_l2) + { + u64 *stack = soft_restart_stack + ARRAY_SIZE(soft_restart_stack); + +@@ -104,7 +105,7 @@ void soft_restart(unsigned long addr) + local_fiq_disable(); + + /* Disable the L2 if we're the last man standing. */ +- if (num_online_cpus() == 1) ++ if (disable_l2) + outer_disable(); + + /* Change to the new stack and continue with the reset. */ +@@ -114,6 +115,11 @@ void soft_restart(unsigned long addr) + BUG(); + } + ++void soft_restart(unsigned long addr) ++{ ++ _soft_restart(addr, num_online_cpus() == 1); ++} ++ + /* + * Function pointers to optional machine specific functions + */ +diff --git a/arch/arm/kernel/reboot.h b/arch/arm/kernel/reboot.h +new file mode 100644 +index 0000000..c87f058 +--- /dev/null ++++ b/arch/arm/kernel/reboot.h +@@ -0,0 +1,6 @@ ++#ifndef REBOOT_H ++#define REBOOT_H ++ ++extern void _soft_restart(unsigned long addr, bool disable_l2); ++ ++#endif +-- +2.3.6 + + +From c5528d2a0edcbbc3ceba739ec70133e2594486c4 Mon Sep 17 00:00:00 2001 +From: Andrey Ryabinin <a.ryabinin@samsung.com> +Date: Fri, 20 Mar 2015 15:42:27 +0100 +Subject: [PATCH 066/219] ARM: 8320/1: fix integer overflow in ELF_ET_DYN_BASE +Cc: mpagano@gentoo.org + +commit 8defb3367fcd19d1af64c07792aade0747b54e0f upstream. + +Usually ELF_ET_DYN_BASE is 2/3 of TASK_SIZE. With 3G/1G user/kernel +split this is not so, because 2*TASK_SIZE overflows 32 bits, +so the actual value of ELF_ET_DYN_BASE is: + (2 * TASK_SIZE / 3) = 0x2a000000 + +When ASLR is disabled PIE binaries will load at ELF_ET_DYN_BASE address. +On 32bit platforms AddressSanitzer uses addresses [0x20000000 - 0x40000000] +for shadow memory [1]. So ASan doesn't work for PIE binaries when ASLR disabled +as it fails to map shadow memory. +Also after Kees's 'split ET_DYN ASLR from mmap ASLR' patchset PIE binaries +has a high chance of loading somewhere in between [0x2a000000 - 0x40000000] +even if ASLR enabled. This makes ASan with PIE absolutely incompatible. + +Fix overflow by dividing TASK_SIZE prior to multiplying. +After this patch ELF_ET_DYN_BASE equals to (for CONFIG_VMSPLIT_3G=y): + (TASK_SIZE / 3 * 2) = 0x7f555554 + +[1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm#Mapping + +Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com> +Reported-by: Maria Guseva <m.guseva@samsung.com> +Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/arm/include/asm/elf.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h +index afb9caf..674d03f 100644 +--- a/arch/arm/include/asm/elf.h ++++ b/arch/arm/include/asm/elf.h +@@ -115,7 +115,7 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs); + the loader. We need to make sure that it is out of the way of the program + that it will "exec", and that there is sufficient room for the brk. */ + +-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3) ++#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2) + + /* When the program starts, a1 contains a pointer to a function to be + registered with atexit, as per the SVR4 ABI. A value of 0 means we +-- +2.3.6 + + +From 6ec6b63f4e9d59f78b61944f8c533d9ff029f46f Mon Sep 17 00:00:00 2001 +From: Gregory CLEMENT <gregory.clement@free-electrons.com> +Date: Fri, 30 Jan 2015 12:34:25 +0100 +Subject: [PATCH 067/219] ARM: mvebu: Disable CPU Idle on Armada 38x +Cc: mpagano@gentoo.org + +commit 548ae94c1cc7fc120848757249b9a542b1080ffb upstream. + +On Armada 38x SoCs, under heavy I/O load, the system hangs when CPU +Idle is enabled. Waiting for a solution to this issue, this patch +disables the CPU Idle support for this SoC. + +As CPU Hot plug support also uses some of the CPU Idle functions it is +also affected by the same issue. This patch disables it also for the +Armada 38x SoCs. + +Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com> +Tested-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/arm/mach-mvebu/pmsu.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-mvebu/pmsu.c b/arch/arm/mach-mvebu/pmsu.c +index 8b9f5e2..4f4e222 100644 +--- a/arch/arm/mach-mvebu/pmsu.c ++++ b/arch/arm/mach-mvebu/pmsu.c +@@ -415,6 +415,9 @@ static __init int armada_38x_cpuidle_init(void) + void __iomem *mpsoc_base; + u32 reg; + ++ pr_warn("CPU idle is currently broken on Armada 38x: disabling"); ++ return 0; ++ + np = of_find_compatible_node(NULL, NULL, + "marvell,armada-380-coherency-fabric"); + if (!np) +@@ -476,6 +479,16 @@ static int __init mvebu_v7_cpu_pm_init(void) + return 0; + of_node_put(np); + ++ /* ++ * Currently the CPU idle support for Armada 38x is broken, as ++ * the CPU hotplug uses some of the CPU idle functions it is ++ * broken too, so let's disable it ++ */ ++ if (of_machine_is_compatible("marvell,armada380")) { ++ cpu_hotplug_disable(); ++ pr_warn("CPU hotplug support is currently broken on Armada 38x: disabling"); ++ } ++ + if (of_machine_is_compatible("marvell,armadaxp")) + ret = armada_xp_cpuidle_init(); + else if (of_machine_is_compatible("marvell,armada370")) +@@ -489,7 +502,8 @@ static int __init mvebu_v7_cpu_pm_init(void) + return ret; + + mvebu_v7_pmsu_enable_l2_powerdown_onidle(); +- platform_device_register(&mvebu_v7_cpuidle_device); ++ if (mvebu_v7_cpuidle_device.name) ++ platform_device_register(&mvebu_v7_cpuidle_device); + cpu_pm_register_notifier(&mvebu_v7_cpu_pm_notifier); + + return 0; +-- +2.3.6 + + +From 3c9d536953582615eb9054c38a5e4de6c711ccb5 Mon Sep 17 00:00:00 2001 +From: Charles Keepax <ckeepax@opensource.wolfsonmicro.com> +Date: Fri, 27 Mar 2015 01:58:08 +0900 +Subject: [PATCH 068/219] ARM: S3C64XX: Use fixed IRQ bases to avoid conflicts + on Cragganmore +Cc: mpagano@gentoo.org + +commit 4e330ae4ab2915444f1e6dca1358a910aa259362 upstream. + +There are two PMICs on Cragganmore, currently one dynamically assign +its IRQ base and the other uses a fixed base. It is possible for the +statically assigned PMIC to fail if its IRQ is taken by the dynamically +assigned one. Fix this by statically assigning both the IRQ bases. + +Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com> +Signed-off-by: Kukjin Kim <kgene@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/arm/mach-s3c64xx/crag6410.h | 1 + + arch/arm/mach-s3c64xx/mach-crag6410.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/arch/arm/mach-s3c64xx/crag6410.h b/arch/arm/mach-s3c64xx/crag6410.h +index 7bc6668..dcbe17f 100644 +--- a/arch/arm/mach-s3c64xx/crag6410.h ++++ b/arch/arm/mach-s3c64xx/crag6410.h +@@ -14,6 +14,7 @@ + #include <mach/gpio-samsung.h> + + #define GLENFARCLAS_PMIC_IRQ_BASE IRQ_BOARD_START ++#define BANFF_PMIC_IRQ_BASE (IRQ_BOARD_START + 64) + + #define PCA935X_GPIO_BASE GPIO_BOARD_START + #define CODEC_GPIO_BASE (GPIO_BOARD_START + 8) +diff --git a/arch/arm/mach-s3c64xx/mach-crag6410.c b/arch/arm/mach-s3c64xx/mach-crag6410.c +index 10b913b..65c426b 100644 +--- a/arch/arm/mach-s3c64xx/mach-crag6410.c ++++ b/arch/arm/mach-s3c64xx/mach-crag6410.c +@@ -554,6 +554,7 @@ static struct wm831x_touch_pdata touch_pdata = { + + static struct wm831x_pdata crag_pmic_pdata = { + .wm831x_num = 1, ++ .irq_base = BANFF_PMIC_IRQ_BASE, + .gpio_base = BANFF_PMIC_GPIO_BASE, + .soft_shutdown = true, + +-- +2.3.6 + + +From 64d90ab58af7a385a7955061e0a319f7f939ddff Mon Sep 17 00:00:00 2001 +From: Nicolas Ferre <nicolas.ferre@atmel.com> +Date: Tue, 31 Mar 2015 10:56:10 +0200 +Subject: [PATCH 069/219] ARM: at91/dt: sama5d3 xplained: add phy address for + macb1 +Cc: mpagano@gentoo.org + +commit 98b80987c940956da48f0c703f60340128bb8521 upstream. + +After 57a38effa598 (net: phy: micrel: disable broadcast for KSZ8081/KSZ8091) +the macb1 interface refuses to work properly because it tries +to cling to address 0 which isn't able to communicate in broadcast with +the mac anymore. The micrel phy on the board is actually configured +to show up at address 1. +Adding the phy node and its real address fixes the issue. + +Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com> +Cc: Johan Hovold <johan@kernel.org> +Signed-off-by: Olof Johansson <olof@lixom.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/arm/boot/dts/at91-sama5d3_xplained.dts | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/arm/boot/dts/at91-sama5d3_xplained.dts b/arch/arm/boot/dts/at91-sama5d3_xplained.dts +index fec1fca..6c4bc53 100644 +--- a/arch/arm/boot/dts/at91-sama5d3_xplained.dts ++++ b/arch/arm/boot/dts/at91-sama5d3_xplained.dts +@@ -167,7 +167,13 @@ + + macb1: ethernet@f802c000 { + phy-mode = "rmii"; ++ #address-cells = <1>; ++ #size-cells = <0>; + status = "okay"; ++ ++ ethernet-phy@1 { ++ reg = <0x1>; ++ }; + }; + + dbgu: serial@ffffee00 { +-- +2.3.6 + + +From 5b126c3890f31b1b0e2bbfd94aace90169664e69 Mon Sep 17 00:00:00 2001 +From: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com> +Date: Tue, 17 Feb 2015 19:52:04 +0100 +Subject: [PATCH 070/219] ARM: dts: dove: Fix uart[23] reg property +Cc: mpagano@gentoo.org + +commit a74cd13b807029397f7232449df929bac11fb228 upstream. + +Fix Dove's register addresses of uart2 and uart3 nodes that seem to +be broken since ages due to a copy-and-paste error. + +Signed-off-by: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com> +Acked-by: Gregory CLEMENT <gregory.clement@free-electrons.com> +Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/arm/boot/dts/dove.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/dove.dtsi b/arch/arm/boot/dts/dove.dtsi +index a5441d5..3cc8b83 100644 +--- a/arch/arm/boot/dts/dove.dtsi ++++ b/arch/arm/boot/dts/dove.dtsi +@@ -154,7 +154,7 @@ + + uart2: serial@12200 { + compatible = "ns16550a"; +- reg = <0x12000 0x100>; ++ reg = <0x12200 0x100>; + reg-shift = <2>; + interrupts = <9>; + clocks = <&core_clk 0>; +@@ -163,7 +163,7 @@ + + uart3: serial@12300 { + compatible = "ns16550a"; +- reg = <0x12100 0x100>; ++ reg = <0x12300 0x100>; + reg-shift = <2>; + interrupts = <10>; + clocks = <&core_clk 0>; +-- +2.3.6 + + +From 422be9a5e09ea7d6e84ad2c3d05dfdf01e4a7a3f Mon Sep 17 00:00:00 2001 +From: Andreas Faerber <afaerber@suse.de> +Date: Wed, 18 Mar 2015 01:25:18 +0900 +Subject: [PATCH 071/219] ARM: dts: fix mmc node updates for exynos5250-spring +Cc: mpagano@gentoo.org + +commit 7e9e20b1faab02357501553d7f4e3efec1b4cfd3 upstream. + +Resolve a merge conflict with mmc refactoring aaa25a5a33cb ("ARM: dts: +unuse the slot-node and deprecate the supports-highspeed for dw-mmc in +exynos") by dropping the slot@0 nodes, moving its bus-width property to +the mmc node and replacing supports-highspeed with cap-{mmc,sd}-highspeed, +matching exynos5250-snow. + +Cc: Jaehoon Chung <jh80.chung@samsung.com> +Fixes: 53dd4138bb0a ("ARM: dts: Add exynos5250-spring device tree") +Signed-off-by: Andreas Faerber <afaerber@suse.de> +Reviewed-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk> +Signed-off-by: Kukjin Kim <kgene@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/arm/boot/dts/exynos5250-spring.dts | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/arch/arm/boot/dts/exynos5250-spring.dts b/arch/arm/boot/dts/exynos5250-spring.dts +index f027754..c41600e 100644 +--- a/arch/arm/boot/dts/exynos5250-spring.dts ++++ b/arch/arm/boot/dts/exynos5250-spring.dts +@@ -429,7 +429,6 @@ + &mmc_0 { + status = "okay"; + num-slots = <1>; +- supports-highspeed; + broken-cd; + card-detect-delay = <200>; + samsung,dw-mshc-ciu-div = <3>; +@@ -437,11 +436,8 @@ + samsung,dw-mshc-ddr-timing = <1 2>; + pinctrl-names = "default"; + pinctrl-0 = <&sd0_clk &sd0_cmd &sd0_cd &sd0_bus4 &sd0_bus8>; +- +- slot@0 { +- reg = <0>; +- bus-width = <8>; +- }; ++ bus-width = <8>; ++ cap-mmc-highspeed; + }; + + /* +@@ -451,7 +447,6 @@ + &mmc_1 { + status = "okay"; + num-slots = <1>; +- supports-highspeed; + broken-cd; + card-detect-delay = <200>; + samsung,dw-mshc-ciu-div = <3>; +@@ -459,11 +454,8 @@ + samsung,dw-mshc-ddr-timing = <1 2>; + pinctrl-names = "default"; + pinctrl-0 = <&sd1_clk &sd1_cmd &sd1_cd &sd1_bus4>; +- +- slot@0 { +- reg = <0>; +- bus-width = <4>; +- }; ++ bus-width = <4>; ++ cap-sd-highspeed; + }; + + &pinctrl_0 { +-- +2.3.6 + + +From 55db0145ac65aec05c736cddb3a6717b83619d7e Mon Sep 17 00:00:00 2001 +From: Felipe Balbi <balbi@ti.com> +Date: Mon, 30 Dec 2013 12:33:53 -0600 +Subject: [PATCH 072/219] usb: musb: core: fix TX/RX endpoint order +Cc: mpagano@gentoo.org + +commit e3c93e1a3f35be4cf1493d3ccfb0c6d9209e4922 upstream. + +As per Mentor Graphics' documentation, we should +always handle TX endpoints before RX endpoints. + +This patch fixes that error while also updating +some hard-to-read comments which were scattered +around musb_interrupt(). + +This patch should be backported as far back as +possible since this error has been in the driver +since it's conception. + +Signed-off-by: Felipe Balbi <balbi@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/usb/musb/musb_core.c | 44 ++++++++++++++++++++++++++------------------ + 1 file changed, 26 insertions(+), 18 deletions(-) + +diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c +index 067920f..461bfe8 100644 +--- a/drivers/usb/musb/musb_core.c ++++ b/drivers/usb/musb/musb_core.c +@@ -1597,16 +1597,30 @@ irqreturn_t musb_interrupt(struct musb *musb) + is_host_active(musb) ? "host" : "peripheral", + musb->int_usb, musb->int_tx, musb->int_rx); + +- /* the core can interrupt us for multiple reasons; docs have +- * a generic interrupt flowchart to follow ++ /** ++ * According to Mentor Graphics' documentation, flowchart on page 98, ++ * IRQ should be handled as follows: ++ * ++ * . Resume IRQ ++ * . Session Request IRQ ++ * . VBUS Error IRQ ++ * . Suspend IRQ ++ * . Connect IRQ ++ * . Disconnect IRQ ++ * . Reset/Babble IRQ ++ * . SOF IRQ (we're not using this one) ++ * . Endpoint 0 IRQ ++ * . TX Endpoints ++ * . RX Endpoints ++ * ++ * We will be following that flowchart in order to avoid any problems ++ * that might arise with internal Finite State Machine. + */ ++ + if (musb->int_usb) + retval |= musb_stage0_irq(musb, musb->int_usb, + devctl); + +- /* "stage 1" is handling endpoint irqs */ +- +- /* handle endpoint 0 first */ + if (musb->int_tx & 1) { + if (is_host_active(musb)) + retval |= musb_h_ep0_irq(musb); +@@ -1614,37 +1628,31 @@ irqreturn_t musb_interrupt(struct musb *musb) + retval |= musb_g_ep0_irq(musb); + } + +- /* RX on endpoints 1-15 */ +- reg = musb->int_rx >> 1; ++ reg = musb->int_tx >> 1; + ep_num = 1; + while (reg) { + if (reg & 1) { +- /* musb_ep_select(musb->mregs, ep_num); */ +- /* REVISIT just retval = ep->rx_irq(...) */ + retval = IRQ_HANDLED; + if (is_host_active(musb)) +- musb_host_rx(musb, ep_num); ++ musb_host_tx(musb, ep_num); + else +- musb_g_rx(musb, ep_num); ++ musb_g_tx(musb, ep_num); + } +- + reg >>= 1; + ep_num++; + } + +- /* TX on endpoints 1-15 */ +- reg = musb->int_tx >> 1; ++ reg = musb->int_rx >> 1; + ep_num = 1; + while (reg) { + if (reg & 1) { +- /* musb_ep_select(musb->mregs, ep_num); */ +- /* REVISIT just retval |= ep->tx_irq(...) */ + retval = IRQ_HANDLED; + if (is_host_active(musb)) +- musb_host_tx(musb, ep_num); ++ musb_host_rx(musb, ep_num); + else +- musb_g_tx(musb, ep_num); ++ musb_g_rx(musb, ep_num); + } ++ + reg >>= 1; + ep_num++; + } +-- +2.3.6 + + +From 968986cb57477f487045baa184eee0cf7a82b2e3 Mon Sep 17 00:00:00 2001 +From: Axel Lin <axel.lin@ingics.com> +Date: Thu, 12 Mar 2015 09:15:28 +0800 +Subject: [PATCH 073/219] usb: phy: Find the right match in devm_usb_phy_match +Cc: mpagano@gentoo.org + +commit 869aee0f31429fa9d94d5aef539602b73ae0cf4b upstream. + +The res parameter passed to devm_usb_phy_match() is the location where the +pointer to the usb_phy is stored, hence it needs to be dereferenced before +comparing to the match data in order to find the correct match. + +Fixes: 410219dcd2ba ("usb: otg: utils: devres: Add API's to associate a device with the phy") +Signed-off-by: Axel Lin <axel.lin@ingics.com> +Signed-off-by: Felipe Balbi <balbi@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/usb/phy/phy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/phy/phy.c b/drivers/usb/phy/phy.c +index 2f9735b..d1cd6b5 100644 +--- a/drivers/usb/phy/phy.c ++++ b/drivers/usb/phy/phy.c +@@ -81,7 +81,9 @@ static void devm_usb_phy_release(struct device *dev, void *res) + + static int devm_usb_phy_match(struct device *dev, void *res, void *match_data) + { +- return res == match_data; ++ struct usb_phy **phy = res; ++ ++ return *phy == match_data; + } + + /** +-- +2.3.6 + + +From c3f787950225dc61f2a4342601d78d1052d0f8ef Mon Sep 17 00:00:00 2001 +From: Felipe Balbi <balbi@ti.com> +Date: Fri, 13 Feb 2015 14:34:25 -0600 +Subject: [PATCH 074/219] usb: define a generic USB_RESUME_TIMEOUT macro +Cc: mpagano@gentoo.org + +commit 62f0342de1f012f3e90607d39e20fce811391169 upstream. + +Every USB Host controller should use this new +macro to define for how long resume signalling +should be driven on the bus. + +Currently, almost every single USB controller +is using a 20ms timeout for resume signalling. + +That's problematic for two reasons: + +a) sometimes that 20ms timer expires a little +before 20ms, which makes us fail certification + +b) some (many) devices actually need more than +20ms resume signalling. + +Sure, in case of (b) we can state that the device +is against the USB spec, but the fact is that +we have no control over which device the certification +lab will use. We also have no control over which host +they will use. Most likely they'll be using a Windows +PC which, again, we have no control over how that +USB stack is written and how long resume signalling +they are using. + +At the end of the day, we must make sure Linux passes +electrical compliance when working as Host or as Device +and currently we don't pass compliance as host because +we're driving resume signallig for exactly 20ms and +that confuses certification test setup resulting in +Certification failure. + +Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Acked-by: Peter Chen <peter.chen@freescale.com> +Signed-off-by: Felipe Balbi <balbi@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + include/linux/usb.h | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/include/linux/usb.h b/include/linux/usb.h +index 7ee1b5c..447fe29 100644 +--- a/include/linux/usb.h ++++ b/include/linux/usb.h +@@ -205,6 +205,32 @@ void usb_put_intf(struct usb_interface *intf); + #define USB_MAXINTERFACES 32 + #define USB_MAXIADS (USB_MAXINTERFACES/2) + ++/* ++ * USB Resume Timer: Every Host controller driver should drive the resume ++ * signalling on the bus for the amount of time defined by this macro. ++ * ++ * That way we will have a 'stable' behavior among all HCDs supported by Linux. ++ * ++ * Note that the USB Specification states we should drive resume for *at least* ++ * 20 ms, but it doesn't give an upper bound. This creates two possible ++ * situations which we want to avoid: ++ * ++ * (a) sometimes an msleep(20) might expire slightly before 20 ms, which causes ++ * us to fail USB Electrical Tests, thus failing Certification ++ * ++ * (b) Some (many) devices actually need more than 20 ms of resume signalling, ++ * and while we can argue that's against the USB Specification, we don't have ++ * control over which devices a certification laboratory will be using for ++ * certification. If CertLab uses a device which was tested against Windows and ++ * that happens to have relaxed resume signalling rules, we might fall into ++ * situations where we fail interoperability and electrical tests. ++ * ++ * In order to avoid both conditions, we're using a 40 ms resume timeout, which ++ * should cope with both LPJ calibration errors and devices not following every ++ * detail of the USB Specification. ++ */ ++#define USB_RESUME_TIMEOUT 40 /* ms */ ++ + /** + * struct usb_interface_cache - long-term representation of a device interface + * @num_altsetting: number of altsettings defined. +-- +2.3.6 + + +From 913916432e9f24d403a51dae54b905b07e509dd9 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi <balbi@ti.com> +Date: Fri, 13 Feb 2015 14:46:27 -0600 +Subject: [PATCH 075/219] usb: musb: use new USB_RESUME_TIMEOUT +Cc: mpagano@gentoo.org + +commit 309be239369609929d5d3833ee043f7c5afc95d1 upstream. + +Make sure we're using the new macro, so our +resume signaling will always pass certification. + +Based on original work by Bin Liu <Bin Liu <b-liu@ti.com>> + +Cc: Bin Liu <b-liu@ti.com> +Signed-off-by: Felipe Balbi <balbi@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/usb/musb/musb_core.c | 7 ++++--- + drivers/usb/musb/musb_virthub.c | 2 +- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c +index 461bfe8..ec0ee3b 100644 +--- a/drivers/usb/musb/musb_core.c ++++ b/drivers/usb/musb/musb_core.c +@@ -99,6 +99,7 @@ + #include <linux/platform_device.h> + #include <linux/io.h> + #include <linux/dma-mapping.h> ++#include <linux/usb.h> + + #include "musb_core.h" + +@@ -562,7 +563,7 @@ static irqreturn_t musb_stage0_irq(struct musb *musb, u8 int_usb, + (USB_PORT_STAT_C_SUSPEND << 16) + | MUSB_PORT_STAT_RESUME; + musb->rh_timer = jiffies +- + msecs_to_jiffies(20); ++ + msecs_to_jiffies(USB_RESUME_TIMEOUT); + musb->need_finish_resume = 1; + + musb->xceiv->otg->state = OTG_STATE_A_HOST; +@@ -2471,7 +2472,7 @@ static int musb_resume(struct device *dev) + if (musb->need_finish_resume) { + musb->need_finish_resume = 0; + schedule_delayed_work(&musb->finish_resume_work, +- msecs_to_jiffies(20)); ++ msecs_to_jiffies(USB_RESUME_TIMEOUT)); + } + + /* +@@ -2514,7 +2515,7 @@ static int musb_runtime_resume(struct device *dev) + if (musb->need_finish_resume) { + musb->need_finish_resume = 0; + schedule_delayed_work(&musb->finish_resume_work, +- msecs_to_jiffies(20)); ++ msecs_to_jiffies(USB_RESUME_TIMEOUT)); + } + + return 0; +diff --git a/drivers/usb/musb/musb_virthub.c b/drivers/usb/musb/musb_virthub.c +index 294e159..5428ed1 100644 +--- a/drivers/usb/musb/musb_virthub.c ++++ b/drivers/usb/musb/musb_virthub.c +@@ -136,7 +136,7 @@ void musb_port_suspend(struct musb *musb, bool do_suspend) + /* later, GetPortStatus will stop RESUME signaling */ + musb->port1_status |= MUSB_PORT_STAT_RESUME; + schedule_delayed_work(&musb->finish_resume_work, +- msecs_to_jiffies(20)); ++ msecs_to_jiffies(USB_RESUME_TIMEOUT)); + } + } + +-- +2.3.6 + + +From 0e33853a595e4947e416e86c966a2f532084b3ae Mon Sep 17 00:00:00 2001 +From: Felipe Balbi <balbi@ti.com> +Date: Fri, 13 Feb 2015 14:57:54 -0600 +Subject: [PATCH 076/219] usb: host: oxu210hp: use new USB_RESUME_TIMEOUT +Cc: mpagano@gentoo.org + +commit 84c0d178eb9f3a3ae4d63dc97a440266cf17f7f5 upstream. + +Make sure we're using the new macro, so our +resume signaling will always pass certification. + +Signed-off-by: Felipe Balbi <balbi@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/usb/host/oxu210hp-hcd.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/host/oxu210hp-hcd.c b/drivers/usb/host/oxu210hp-hcd.c +index ef7efb2..28a2866 100644 +--- a/drivers/usb/host/oxu210hp-hcd.c ++++ b/drivers/usb/host/oxu210hp-hcd.c +@@ -2500,11 +2500,12 @@ static irqreturn_t oxu210_hcd_irq(struct usb_hcd *hcd) + || oxu->reset_done[i] != 0) + continue; + +- /* start 20 msec resume signaling from this port, +- * and make hub_wq collect PORT_STAT_C_SUSPEND to ++ /* start USB_RESUME_TIMEOUT resume signaling from this ++ * port, and make hub_wq collect PORT_STAT_C_SUSPEND to + * stop that signaling. + */ +- oxu->reset_done[i] = jiffies + msecs_to_jiffies(20); ++ oxu->reset_done[i] = jiffies + ++ msecs_to_jiffies(USB_RESUME_TIMEOUT); + oxu_dbg(oxu, "port %d remote wakeup\n", i + 1); + mod_timer(&hcd->rh_timer, oxu->reset_done[i]); + } +-- +2.3.6 + + +From 9aeb024dc65fa1c9520c655a36d52d48e4285ab1 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi <balbi@ti.com> +Date: Fri, 13 Feb 2015 14:55:34 -0600 +Subject: [PATCH 077/219] usb: host: fusbh200: use new USB_RESUME_TIMEOUT +Cc: mpagano@gentoo.org + +commit 595227db1f2d98bfc33f02a55842f268e12b247d upstream. + +Make sure we're using the new macro, so our +resume signaling will always pass certification. + +Signed-off-by: Felipe Balbi <balbi@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/usb/host/fusbh200-hcd.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/usb/host/fusbh200-hcd.c b/drivers/usb/host/fusbh200-hcd.c +index a83eefe..ba77e2e 100644 +--- a/drivers/usb/host/fusbh200-hcd.c ++++ b/drivers/usb/host/fusbh200-hcd.c +@@ -1550,10 +1550,9 @@ static int fusbh200_hub_control ( + if ((temp & PORT_PE) == 0) + goto error; + +- /* resume signaling for 20 msec */ + fusbh200_writel(fusbh200, temp | PORT_RESUME, status_reg); + fusbh200->reset_done[wIndex] = jiffies +- + msecs_to_jiffies(20); ++ + msecs_to_jiffies(USB_RESUME_TIMEOUT); + break; + case USB_PORT_FEAT_C_SUSPEND: + clear_bit(wIndex, &fusbh200->port_c_suspend); +-- +2.3.6 + + +From c8d7235af46783ee3e312ea5c877ac73de8c435d Mon Sep 17 00:00:00 2001 +From: Felipe Balbi <balbi@ti.com> +Date: Fri, 13 Feb 2015 14:44:17 -0600 +Subject: [PATCH 078/219] usb: host: uhci: use new USB_RESUME_TIMEOUT +Cc: mpagano@gentoo.org + +commit b8fb6f79f76f478acbbffccc966daa878f172a0a upstream. + +Make sure we're using the new macro, so our +resume signaling will always pass certification. + +Signed-off-by: Felipe Balbi <balbi@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/usb/host/uhci-hub.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/host/uhci-hub.c b/drivers/usb/host/uhci-hub.c +index 19ba5ea..7b3d1af 100644 +--- a/drivers/usb/host/uhci-hub.c ++++ b/drivers/usb/host/uhci-hub.c +@@ -166,7 +166,7 @@ static void uhci_check_ports(struct uhci_hcd *uhci) + /* Port received a wakeup request */ + set_bit(port, &uhci->resuming_ports); + uhci->ports_timeout = jiffies + +- msecs_to_jiffies(25); ++ msecs_to_jiffies(USB_RESUME_TIMEOUT); + usb_hcd_start_port_resume( + &uhci_to_hcd(uhci)->self, port); + +@@ -338,7 +338,8 @@ static int uhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, + uhci_finish_suspend(uhci, port, port_addr); + + /* USB v2.0 7.1.7.5 */ +- uhci->ports_timeout = jiffies + msecs_to_jiffies(50); ++ uhci->ports_timeout = jiffies + ++ msecs_to_jiffies(USB_RESUME_TIMEOUT); + break; + case USB_PORT_FEAT_POWER: + /* UHCI has no power switching */ +-- +2.3.6 + + +From fb4655758ba685c5aa07b9af45b18895e3df2a26 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi <balbi@ti.com> +Date: Fri, 13 Feb 2015 14:54:38 -0600 +Subject: [PATCH 079/219] usb: host: fotg210: use new USB_RESUME_TIMEOUT +Cc: mpagano@gentoo.org + +commit 7e136bb71a08e8b8be3bc492f041d9b0bea3856d upstream. + +Make sure we're using the new macro, so our +resume signaling will always pass certification. + +Signed-off-by: Felipe Balbi <balbi@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/usb/host/fotg210-hcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c +index 475b21f..7a6681f 100644 +--- a/drivers/usb/host/fotg210-hcd.c ++++ b/drivers/usb/host/fotg210-hcd.c +@@ -1595,7 +1595,7 @@ static int fotg210_hub_control( + /* resume signaling for 20 msec */ + fotg210_writel(fotg210, temp | PORT_RESUME, status_reg); + fotg210->reset_done[wIndex] = jiffies +- + msecs_to_jiffies(20); ++ + msecs_to_jiffies(USB_RESUME_TIMEOUT); + break; + case USB_PORT_FEAT_C_SUSPEND: + clear_bit(wIndex, &fotg210->port_c_suspend); +-- +2.3.6 + + +From 14c69a53b6c0640d94796b04762ed943e9cf3918 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi <balbi@ti.com> +Date: Fri, 13 Feb 2015 14:58:53 -0600 +Subject: [PATCH 080/219] usb: host: r8a66597: use new USB_RESUME_TIMEOUT +Cc: mpagano@gentoo.org + +commit 7a606ac29752a3e571b83f9b3fceb1eaa1d37781 upstream. + +While this driver was already using a 50ms resume +timeout, let's make sure everybody uses the same +macro so it's easy to fix later should anything +go wrong. + +It also gives a more "stable" expectation to Linux +users. + +Signed-off-by: Felipe Balbi <balbi@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/usb/host/r8a66597-hcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/host/r8a66597-hcd.c b/drivers/usb/host/r8a66597-hcd.c +index bdc82fe..54a4170 100644 +--- a/drivers/usb/host/r8a66597-hcd.c ++++ b/drivers/usb/host/r8a66597-hcd.c +@@ -2301,7 +2301,7 @@ static int r8a66597_bus_resume(struct usb_hcd *hcd) + rh->port &= ~USB_PORT_STAT_SUSPEND; + rh->port |= USB_PORT_STAT_C_SUSPEND << 16; + r8a66597_mdfy(r8a66597, RESUME, RESUME | UACT, dvstctr_reg); +- msleep(50); ++ msleep(USB_RESUME_TIMEOUT); + r8a66597_mdfy(r8a66597, UACT, RESUME | UACT, dvstctr_reg); + } + +-- +2.3.6 + + +From 34f698795e94955800a8ba8acdea4a725211a20a Mon Sep 17 00:00:00 2001 +From: Felipe Balbi <balbi@ti.com> +Date: Fri, 13 Feb 2015 14:50:10 -0600 +Subject: [PATCH 081/219] usb: host: isp116x: use new USB_RESUME_TIMEOUT +Cc: mpagano@gentoo.org + +commit 8c0ae6574ccfd3d619876a65829aad74c9d22ba5 upstream. + +Make sure we're using the new macro, so our +resume signaling will always pass certification. + +Signed-off-by: Felipe Balbi <balbi@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/usb/host/isp116x-hcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/host/isp116x-hcd.c b/drivers/usb/host/isp116x-hcd.c +index 113d0cc..9ef5644 100644 +--- a/drivers/usb/host/isp116x-hcd.c ++++ b/drivers/usb/host/isp116x-hcd.c +@@ -1490,7 +1490,7 @@ static int isp116x_bus_resume(struct usb_hcd *hcd) + spin_unlock_irq(&isp116x->lock); + + hcd->state = HC_STATE_RESUMING; +- msleep(20); ++ msleep(USB_RESUME_TIMEOUT); + + /* Go operational */ + spin_lock_irq(&isp116x->lock); +-- +2.3.6 + + +From 9a0a677ad3526bf0914aecab14423c761e5af9e7 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi <balbi@ti.com> +Date: Fri, 13 Feb 2015 14:39:13 -0600 +Subject: [PATCH 082/219] usb: host: xhci: use new USB_RESUME_TIMEOUT +Cc: mpagano@gentoo.org + +commit b9e451885deb6262dbaf5cd14aa77d192d9ac759 upstream. + +Make sure we're using the new macro, so our +resume signaling will always pass certification. + +Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com> +Signed-off-by: Felipe Balbi <balbi@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/usb/host/xhci-ring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 73485fa..eeedde8 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -1574,7 +1574,7 @@ static void handle_port_status(struct xhci_hcd *xhci, + } else { + xhci_dbg(xhci, "resume HS port %d\n", port_id); + bus_state->resume_done[faked_port_index] = jiffies + +- msecs_to_jiffies(20); ++ msecs_to_jiffies(USB_RESUME_TIMEOUT); + set_bit(faked_port_index, &bus_state->resuming_ports); + mod_timer(&hcd->rh_timer, + bus_state->resume_done[faked_port_index]); +-- +2.3.6 + + +From 426c93ea979c24f4f011351af58d5f5319514493 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi <balbi@ti.com> +Date: Fri, 13 Feb 2015 14:42:25 -0600 +Subject: [PATCH 083/219] usb: host: ehci: use new USB_RESUME_TIMEOUT +Cc: mpagano@gentoo.org + +commit ea16328f80ca8d74434352157f37ef60e2f55ce2 upstream. + +Make sure we're using the new macro, so our +resume signaling will always pass certification. + +Signed-off-by: Felipe Balbi <balbi@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/usb/host/ehci-hcd.c | 10 +++++----- + drivers/usb/host/ehci-hub.c | 9 ++++++--- + 2 files changed, 11 insertions(+), 8 deletions(-) + +diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c +index 85e56d1..f4d88df 100644 +--- a/drivers/usb/host/ehci-hcd.c ++++ b/drivers/usb/host/ehci-hcd.c +@@ -792,12 +792,12 @@ static irqreturn_t ehci_irq (struct usb_hcd *hcd) + ehci->reset_done[i] == 0)) + continue; + +- /* start 20 msec resume signaling from this port, +- * and make hub_wq collect PORT_STAT_C_SUSPEND to +- * stop that signaling. Use 5 ms extra for safety, +- * like usb_port_resume() does. ++ /* start USB_RESUME_TIMEOUT msec resume signaling from ++ * this port, and make hub_wq collect ++ * PORT_STAT_C_SUSPEND to stop that signaling. + */ +- ehci->reset_done[i] = jiffies + msecs_to_jiffies(25); ++ ehci->reset_done[i] = jiffies + ++ msecs_to_jiffies(USB_RESUME_TIMEOUT); + set_bit(i, &ehci->resuming_ports); + ehci_dbg (ehci, "port %d remote wakeup\n", i + 1); + usb_hcd_start_port_resume(&hcd->self, i); +diff --git a/drivers/usb/host/ehci-hub.c b/drivers/usb/host/ehci-hub.c +index 87cf86f..7354d01 100644 +--- a/drivers/usb/host/ehci-hub.c ++++ b/drivers/usb/host/ehci-hub.c +@@ -471,10 +471,13 @@ static int ehci_bus_resume (struct usb_hcd *hcd) + ehci_writel(ehci, temp, &ehci->regs->port_status [i]); + } + +- /* msleep for 20ms only if code is trying to resume port */ ++ /* ++ * msleep for USB_RESUME_TIMEOUT ms only if code is trying to resume ++ * port ++ */ + if (resume_needed) { + spin_unlock_irq(&ehci->lock); +- msleep(20); ++ msleep(USB_RESUME_TIMEOUT); + spin_lock_irq(&ehci->lock); + if (ehci->shutdown) + goto shutdown; +@@ -942,7 +945,7 @@ int ehci_hub_control( + temp &= ~PORT_WAKE_BITS; + ehci_writel(ehci, temp | PORT_RESUME, status_reg); + ehci->reset_done[wIndex] = jiffies +- + msecs_to_jiffies(20); ++ + msecs_to_jiffies(USB_RESUME_TIMEOUT); + set_bit(wIndex, &ehci->resuming_ports); + usb_hcd_start_port_resume(&hcd->self, wIndex); + break; +-- +2.3.6 + + +From 6a0ecbeea7d077ae4e49c3a1ef03a38bb91c5218 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi <balbi@ti.com> +Date: Fri, 13 Feb 2015 15:00:38 -0600 +Subject: [PATCH 084/219] usb: host: sl811: use new USB_RESUME_TIMEOUT +Cc: mpagano@gentoo.org + +commit 08debfb13b199716da6153940c31968c556b195d upstream. + +Make sure we're using the new macro, so our +resume signaling will always pass certification. + +Signed-off-by: Felipe Balbi <balbi@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/usb/host/sl811-hcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/host/sl811-hcd.c b/drivers/usb/host/sl811-hcd.c +index 4f4ba1e..9118cd8 100644 +--- a/drivers/usb/host/sl811-hcd.c ++++ b/drivers/usb/host/sl811-hcd.c +@@ -1259,7 +1259,7 @@ sl811h_hub_control( + sl811_write(sl811, SL11H_CTLREG1, sl811->ctrl1); + + mod_timer(&sl811->timer, jiffies +- + msecs_to_jiffies(20)); ++ + msecs_to_jiffies(USB_RESUME_TIMEOUT)); + break; + case USB_PORT_FEAT_POWER: + port_power(sl811, 0); +-- +2.3.6 + + +From 8271acf33346951d281a428ae8a40f20750e789f Mon Sep 17 00:00:00 2001 +From: Felipe Balbi <balbi@ti.com> +Date: Fri, 13 Feb 2015 15:03:13 -0600 +Subject: [PATCH 085/219] usb: dwc2: hcd: use new USB_RESUME_TIMEOUT +Cc: mpagano@gentoo.org + +commit 74bd7b69801819707713b88e9d0bc074efa2f5e7 upstream. + +Make sure we're using the new macro, so our +resume signaling will always pass certification. + +Signed-off-by: Felipe Balbi <balbi@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/usb/dwc2/hcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c +index c78c874..758b7e0 100644 +--- a/drivers/usb/dwc2/hcd.c ++++ b/drivers/usb/dwc2/hcd.c +@@ -1521,7 +1521,7 @@ static int dwc2_hcd_hub_control(struct dwc2_hsotg *hsotg, u16 typereq, + dev_dbg(hsotg->dev, + "ClearPortFeature USB_PORT_FEAT_SUSPEND\n"); + writel(0, hsotg->regs + PCGCTL); +- usleep_range(20000, 40000); ++ msleep(USB_RESUME_TIMEOUT); + + hprt0 = dwc2_read_hprt0(hsotg); + hprt0 |= HPRT0_RES; +-- +2.3.6 + + +From b6053a1546ea879b47c346628cf40401bcf9e27e Mon Sep 17 00:00:00 2001 +From: Felipe Balbi <balbi@ti.com> +Date: Fri, 13 Feb 2015 15:04:06 -0600 +Subject: [PATCH 086/219] usb: isp1760: hcd: use new USB_RESUME_TIMEOUT +Cc: mpagano@gentoo.org + +commit 59c9904cce77b55892e15f40791f1e66e4d3a1e6 upstream. + +Make sure we're using the new macro, so our +resume signaling will always pass certification. + +Signed-off-by: Felipe Balbi <balbi@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/usb/isp1760/isp1760-hcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/isp1760/isp1760-hcd.c b/drivers/usb/isp1760/isp1760-hcd.c +index 3cb98b1..7911b6b 100644 +--- a/drivers/usb/isp1760/isp1760-hcd.c ++++ b/drivers/usb/isp1760/isp1760-hcd.c +@@ -1869,7 +1869,7 @@ static int isp1760_hub_control(struct usb_hcd *hcd, u16 typeReq, + reg_write32(hcd->regs, HC_PORTSC1, + temp | PORT_RESUME); + priv->reset_done = jiffies + +- msecs_to_jiffies(20); ++ msecs_to_jiffies(USB_RESUME_TIMEOUT); + } + break; + case USB_PORT_FEAT_C_SUSPEND: +-- +2.3.6 + + +From 1eeba7304a3e8070983c3a9f757a6b51236a64de Mon Sep 17 00:00:00 2001 +From: Felipe Balbi <balbi@ti.com> +Date: Fri, 13 Feb 2015 15:38:33 -0600 +Subject: [PATCH 087/219] usb: core: hub: use new USB_RESUME_TIMEOUT +Cc: mpagano@gentoo.org + +commit bbc78c07a51f6fd29c227b1220a9016e585358ba upstream. + +Make sure we're using the new macro, so our +resume signaling will always pass certification. + +Signed-off-by: Felipe Balbi <balbi@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/usb/core/hub.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index d7c3d5a..3b71516 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -3406,10 +3406,10 @@ int usb_port_resume(struct usb_device *udev, pm_message_t msg) + if (status) { + dev_dbg(&port_dev->dev, "can't resume, status %d\n", status); + } else { +- /* drive resume for at least 20 msec */ ++ /* drive resume for USB_RESUME_TIMEOUT msec */ + dev_dbg(&udev->dev, "usb %sresume\n", + (PMSG_IS_AUTO(msg) ? "auto-" : "")); +- msleep(25); ++ msleep(USB_RESUME_TIMEOUT); + + /* Virtual root hubs can trigger on GET_PORT_STATUS to + * stop resume signaling. Then finish the resume +-- +2.3.6 + + +From f5a652339c3ff18b6184d0ee02f7f0eef2ebe681 Mon Sep 17 00:00:00 2001 +From: Boris Brezillon <boris.brezillon@free-electrons.com> +Date: Sun, 29 Mar 2015 03:45:33 +0200 +Subject: [PATCH 088/219] clk: at91: usb: propagate rate modification to the + parent clk +Cc: mpagano@gentoo.org + +commit 4591243102faa8de92da320edea47219901461e9 upstream. + +The at91sam9n12 and at91sam9x5 usb clocks do not propagate rate +modification requests to their parents. +This causes a bug when the PLLB is left uninitialized by the bootloader +(PLL multiplier set to 0, or in other words, PLL rate = 0 Hz). + +Implement the determinate_rate method and propagate the change rate +request to the parent clk. + +Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com> +Reported-by: Bo Shen <voice.shen@atmel.com> +Tested-by: Bo Shen <voice.shen@atmel.com> +Signed-off-by: Michael Turquette <mturquette@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/clk/at91/clk-usb.c | 64 +++++++++++++++++++++++++++++++++++----------- + 1 file changed, 49 insertions(+), 15 deletions(-) + +diff --git a/drivers/clk/at91/clk-usb.c b/drivers/clk/at91/clk-usb.c +index a23ac0c..0b7c3e8 100644 +--- a/drivers/clk/at91/clk-usb.c ++++ b/drivers/clk/at91/clk-usb.c +@@ -56,22 +56,55 @@ static unsigned long at91sam9x5_clk_usb_recalc_rate(struct clk_hw *hw, + return DIV_ROUND_CLOSEST(parent_rate, (usbdiv + 1)); + } + +-static long at91sam9x5_clk_usb_round_rate(struct clk_hw *hw, unsigned long rate, +- unsigned long *parent_rate) ++static long at91sam9x5_clk_usb_determine_rate(struct clk_hw *hw, ++ unsigned long rate, ++ unsigned long min_rate, ++ unsigned long max_rate, ++ unsigned long *best_parent_rate, ++ struct clk_hw **best_parent_hw) + { +- unsigned long div; ++ struct clk *parent = NULL; ++ long best_rate = -EINVAL; ++ unsigned long tmp_rate; ++ int best_diff = -1; ++ int tmp_diff; ++ int i; + +- if (!rate) +- return -EINVAL; ++ for (i = 0; i < __clk_get_num_parents(hw->clk); i++) { ++ int div; + +- if (rate >= *parent_rate) +- return *parent_rate; ++ parent = clk_get_parent_by_index(hw->clk, i); ++ if (!parent) ++ continue; ++ ++ for (div = 1; div < SAM9X5_USB_MAX_DIV + 2; div++) { ++ unsigned long tmp_parent_rate; ++ ++ tmp_parent_rate = rate * div; ++ tmp_parent_rate = __clk_round_rate(parent, ++ tmp_parent_rate); ++ tmp_rate = DIV_ROUND_CLOSEST(tmp_parent_rate, div); ++ if (tmp_rate < rate) ++ tmp_diff = rate - tmp_rate; ++ else ++ tmp_diff = tmp_rate - rate; ++ ++ if (best_diff < 0 || best_diff > tmp_diff) { ++ best_rate = tmp_rate; ++ best_diff = tmp_diff; ++ *best_parent_rate = tmp_parent_rate; ++ *best_parent_hw = __clk_get_hw(parent); ++ } ++ ++ if (!best_diff || tmp_rate < rate) ++ break; ++ } + +- div = DIV_ROUND_CLOSEST(*parent_rate, rate); +- if (div > SAM9X5_USB_MAX_DIV + 1) +- div = SAM9X5_USB_MAX_DIV + 1; ++ if (!best_diff) ++ break; ++ } + +- return DIV_ROUND_CLOSEST(*parent_rate, div); ++ return best_rate; + } + + static int at91sam9x5_clk_usb_set_parent(struct clk_hw *hw, u8 index) +@@ -121,7 +154,7 @@ static int at91sam9x5_clk_usb_set_rate(struct clk_hw *hw, unsigned long rate, + + static const struct clk_ops at91sam9x5_usb_ops = { + .recalc_rate = at91sam9x5_clk_usb_recalc_rate, +- .round_rate = at91sam9x5_clk_usb_round_rate, ++ .determine_rate = at91sam9x5_clk_usb_determine_rate, + .get_parent = at91sam9x5_clk_usb_get_parent, + .set_parent = at91sam9x5_clk_usb_set_parent, + .set_rate = at91sam9x5_clk_usb_set_rate, +@@ -159,7 +192,7 @@ static const struct clk_ops at91sam9n12_usb_ops = { + .disable = at91sam9n12_clk_usb_disable, + .is_enabled = at91sam9n12_clk_usb_is_enabled, + .recalc_rate = at91sam9x5_clk_usb_recalc_rate, +- .round_rate = at91sam9x5_clk_usb_round_rate, ++ .determine_rate = at91sam9x5_clk_usb_determine_rate, + .set_rate = at91sam9x5_clk_usb_set_rate, + }; + +@@ -179,7 +212,8 @@ at91sam9x5_clk_register_usb(struct at91_pmc *pmc, const char *name, + init.ops = &at91sam9x5_usb_ops; + init.parent_names = parent_names; + init.num_parents = num_parents; +- init.flags = CLK_SET_RATE_GATE | CLK_SET_PARENT_GATE; ++ init.flags = CLK_SET_RATE_GATE | CLK_SET_PARENT_GATE | ++ CLK_SET_RATE_PARENT; + + usb->hw.init = &init; + usb->pmc = pmc; +@@ -207,7 +241,7 @@ at91sam9n12_clk_register_usb(struct at91_pmc *pmc, const char *name, + init.ops = &at91sam9n12_usb_ops; + init.parent_names = &parent_name; + init.num_parents = 1; +- init.flags = CLK_SET_RATE_GATE; ++ init.flags = CLK_SET_RATE_GATE | CLK_SET_RATE_PARENT; + + usb->hw.init = &init; + usb->pmc = pmc; +-- +2.3.6 + + +From ffa5893889612e5d65e456c0b433d0160d46c4eb Mon Sep 17 00:00:00 2001 +From: Yves-Alexis Perez <corsac@debian.org> +Date: Sat, 11 Apr 2015 09:31:35 +0200 +Subject: [PATCH 089/219] ALSA: hda - Add dock support for ThinkPad X250 + (17aa:2226) +Cc: mpagano@gentoo.org + +commit c0278669fb61596cc1a10ab8686d27c37269c37b upstream. + +This model uses the same dock port as the previous generation. + +Signed-off-by: Yves-Alexis Perez <corsac@debian.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index f9d12c0..3ad85c7 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5047,6 +5047,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x2212, "Thinkpad T440", ALC292_FIXUP_TPT440_DOCK), + SND_PCI_QUIRK(0x17aa, 0x2214, "Thinkpad X240", ALC292_FIXUP_TPT440_DOCK), + SND_PCI_QUIRK(0x17aa, 0x2215, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), ++ SND_PCI_QUIRK(0x17aa, 0x2226, "ThinkPad X250", ALC292_FIXUP_TPT440_DOCK), + SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC), + SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP), + SND_PCI_QUIRK(0x17aa, 0x5013, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), +-- +2.3.6 + + +From 0b586ed327f10ed037bf84381cbdb16754d7bdfd Mon Sep 17 00:00:00 2001 +From: Adam Honse <calcprogrammer1@gmail.com> +Date: Sun, 12 Apr 2015 01:03:07 -0500 +Subject: [PATCH 090/219] ALSA: usb-audio: Don't attempt to get Microsoft + Lifecam Cinema sample rate +Cc: mpagano@gentoo.org + +commit eef0342cf32689f77d78ee3302999e5caaa6a8f3 upstream. + +Adds Microsoft LifeCam Cinema USB ID to the snd_usb_get_sample_rate_quirk list as the Lifecam Cinema does not appear to support getting the sample rate. + +Fixes the issue where the LifeCam Cinema would wait for USB timeout and log the message "cannot get freq at ep 0x82" when accessed. + +Addresses bug report https://bugzilla.kernel.org/show_bug.cgi?id=95961. + +Signed-off-by: Adam Honse <calcprogrammer1@gmail.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + sound/usb/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 9a28365..32631a8 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1115,6 +1115,7 @@ bool snd_usb_get_sample_rate_quirk(struct snd_usb_audio *chip) + { + /* devices which do not support reading the sample rate. */ + switch (chip->usb_id) { ++ case USB_ID(0x045E, 0x075D): /* MS Lifecam Cinema */ + case USB_ID(0x045E, 0x076D): /* MS Lifecam HD-5000 */ + case USB_ID(0x04D8, 0xFEEA): /* Benchmark DAC1 Pre */ + return true; +-- +2.3.6 + + +From 15c97265c67f27eef7d92262964a43e0aff8df61 Mon Sep 17 00:00:00 2001 +From: Michael Gernoth <michael@gernoth.net> +Date: Thu, 9 Apr 2015 23:42:15 +0200 +Subject: [PATCH 091/219] ALSA: emu10k1: don't deadlock in proc-functions +Cc: mpagano@gentoo.org + +commit 91bf0c2dcb935a87e5c0795f5047456b965fd143 upstream. + +The functions snd_emu10k1_proc_spdif_read and snd_emu1010_fpga_read +acquire the emu_lock before accessing the FPGA. The function used +to access the FPGA (snd_emu1010_fpga_read) also tries to take +the emu_lock which causes a deadlock. +Remove the outer locking in the proc-functions (guarding only the +already safe fpga read) to prevent this deadlock. + +[removed superfluous flags variables too -- tiwai] + +Signed-off-by: Michael Gernoth <michael@gernoth.net> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + sound/pci/emu10k1/emuproc.c | 12 ------------ + 1 file changed, 12 deletions(-) + +diff --git a/sound/pci/emu10k1/emuproc.c b/sound/pci/emu10k1/emuproc.c +index 2ca9f2e..53745f4 100644 +--- a/sound/pci/emu10k1/emuproc.c ++++ b/sound/pci/emu10k1/emuproc.c +@@ -241,31 +241,22 @@ static void snd_emu10k1_proc_spdif_read(struct snd_info_entry *entry, + struct snd_emu10k1 *emu = entry->private_data; + u32 value; + u32 value2; +- unsigned long flags; + u32 rate; + + if (emu->card_capabilities->emu_model) { +- spin_lock_irqsave(&emu->emu_lock, flags); + snd_emu1010_fpga_read(emu, 0x38, &value); +- spin_unlock_irqrestore(&emu->emu_lock, flags); + if ((value & 0x1) == 0) { +- spin_lock_irqsave(&emu->emu_lock, flags); + snd_emu1010_fpga_read(emu, 0x2a, &value); + snd_emu1010_fpga_read(emu, 0x2b, &value2); +- spin_unlock_irqrestore(&emu->emu_lock, flags); + rate = 0x1770000 / (((value << 5) | value2)+1); + snd_iprintf(buffer, "ADAT Locked : %u\n", rate); + } else { + snd_iprintf(buffer, "ADAT Unlocked\n"); + } +- spin_lock_irqsave(&emu->emu_lock, flags); + snd_emu1010_fpga_read(emu, 0x20, &value); +- spin_unlock_irqrestore(&emu->emu_lock, flags); + if ((value & 0x4) == 0) { +- spin_lock_irqsave(&emu->emu_lock, flags); + snd_emu1010_fpga_read(emu, 0x28, &value); + snd_emu1010_fpga_read(emu, 0x29, &value2); +- spin_unlock_irqrestore(&emu->emu_lock, flags); + rate = 0x1770000 / (((value << 5) | value2)+1); + snd_iprintf(buffer, "SPDIF Locked : %d\n", rate); + } else { +@@ -410,14 +401,11 @@ static void snd_emu_proc_emu1010_reg_read(struct snd_info_entry *entry, + { + struct snd_emu10k1 *emu = entry->private_data; + u32 value; +- unsigned long flags; + int i; + snd_iprintf(buffer, "EMU1010 Registers:\n\n"); + + for(i = 0; i < 0x40; i+=1) { +- spin_lock_irqsave(&emu->emu_lock, flags); + snd_emu1010_fpga_read(emu, i, &value); +- spin_unlock_irqrestore(&emu->emu_lock, flags); + snd_iprintf(buffer, "%02X: %08X, %02X\n", i, value, (value >> 8) & 0x7f); + } + } +-- +2.3.6 + + +From 0933e9dd839f4d37d408d9365266940928a73a8c Mon Sep 17 00:00:00 2001 +From: Jo-Philipp Wich <jow@openwrt.org> +Date: Mon, 13 Apr 2015 12:47:26 +0200 +Subject: [PATCH 092/219] ALSA: hda/realtek - Enable the ALC292 dock fixup on + the Thinkpad T450 +Cc: mpagano@gentoo.org + +commit f2aa111041ce36b94e651d882458dea502e76721 upstream. + +The Lenovo Thinkpad T450 requires the ALC292_FIXUP_TPT440_DOCK as well in +order to get working sound output on the docking stations headphone jack. + +Patch tested on a Thinkpad T450 (20BVCTO1WW) using kernel 4.0-rc7 in +conjunction with a ThinkPad Ultradock. + +Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 3ad85c7..f37e4ea 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5054,6 +5054,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x501a, "Thinkpad", ALC283_FIXUP_INT_MIC), + SND_PCI_QUIRK(0x17aa, 0x501e, "Thinkpad L440", ALC292_FIXUP_TPT440_DOCK), + SND_PCI_QUIRK(0x17aa, 0x5026, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), ++ SND_PCI_QUIRK(0x17aa, 0x5034, "Thinkpad T450", ALC292_FIXUP_TPT440_DOCK), + SND_PCI_QUIRK(0x17aa, 0x5036, "Thinkpad T450s", ALC292_FIXUP_TPT440_DOCK), + SND_PCI_QUIRK(0x17aa, 0x5109, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x17aa, 0x3bf8, "Quanta FL1", ALC269_FIXUP_PCM_44K), +-- +2.3.6 + + +From cb927a0ae496171966921e084eb7f6c2dc04e43b Mon Sep 17 00:00:00 2001 +From: David Henningsson <david.henningsson@canonical.com> +Date: Tue, 21 Apr 2015 10:48:46 +0200 +Subject: [PATCH 093/219] ALSA: hda - fix "num_steps = 0" error on ALC256 +Cc: mpagano@gentoo.org + +commit 7d1b6e29327428993ba568bdd8c66734070f45e0 upstream. + +The ALC256 does not have a mixer nid at 0x0b, and there's no +loopback path (the output pins are directly connected to the DACs). + +This commit fixes an "num_steps = 0 for NID=0xb (ctl = Beep Playback Volume)" +error (and as a result, problems with amixer/alsamixer). + +If there's pcbeep functionality, it certainly isn't controlled by setting an +amp on 0x0b, so disable beep functionality (at least for now). + +BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1446517 +Signed-off-by: David Henningsson <david.henningsson@canonical.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + sound/pci/hda/patch_realtek.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index f37e4ea..b46bb84 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5565,6 +5565,7 @@ static int patch_alc269(struct hda_codec *codec) + break; + case 0x10ec0256: + spec->codec_variant = ALC269_TYPE_ALC256; ++ spec->gen.mixer_nid = 0; /* ALC256 does not have any loopback mixer path */ + break; + } + +@@ -5578,8 +5579,8 @@ static int patch_alc269(struct hda_codec *codec) + if (err < 0) + goto error; + +- if (!spec->gen.no_analog && spec->gen.beep_nid) +- set_beep_amp(spec, 0x0b, 0x04, HDA_INPUT); ++ if (!spec->gen.no_analog && spec->gen.beep_nid && spec->gen.mixer_nid) ++ set_beep_amp(spec, spec->gen.mixer_nid, 0x04, HDA_INPUT); + + codec->patch_ops = alc_patch_ops; + #ifdef CONFIG_PM +-- +2.3.6 + + +From c7a98726965179726bbd105e5ff6465c1d09ace1 Mon Sep 17 00:00:00 2001 +From: Kailang Yang <kailang@realtek.com> +Date: Thu, 23 Apr 2015 15:10:53 +0800 +Subject: [PATCH 094/219] ALSA: hda/realtek - Fix Headphone Mic doesn't + recording for ALC256 +Cc: mpagano@gentoo.org + +commit d32b66668c702aed0e330dc5ca186afbadcdacf8 upstream. + +Switch default pcbeep path to Line in path. + +Signed-off-by: Kailang Yang <kailang@realtek.com> +Tested-by: Hui Wang <hui.wang@canonical.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index b46bb84..2210e1b 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5566,6 +5566,7 @@ static int patch_alc269(struct hda_codec *codec) + case 0x10ec0256: + spec->codec_variant = ALC269_TYPE_ALC256; + spec->gen.mixer_nid = 0; /* ALC256 does not have any loopback mixer path */ ++ alc_update_coef_idx(codec, 0x36, 1 << 13, 1 << 5); /* Switch pcbeep path to Line in path*/ + break; + } + +-- +2.3.6 + + +From ca7d80c841febeb3688d5ed57660d37b4baedad5 Mon Sep 17 00:00:00 2001 +From: Hui Wang <hui.wang@canonical.com> +Date: Fri, 24 Apr 2015 13:39:59 +0800 +Subject: [PATCH 095/219] ALSA: hda - fix headset mic detection problem for one + more machine +Cc: mpagano@gentoo.org + +commit e8191a8e475551b277d85cd76c3f0f52fdf42e86 upstream. + +We have two machines with alc256 codec in the pin quirk table, so +moving the common pins to ALC256_STANDARD_PINS. + +BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1447909 +Signed-off-by: Hui Wang <hui.wang@canonical.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + sound/pci/hda/patch_realtek.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 2210e1b..2fd490b 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5144,6 +5144,16 @@ static const struct hda_model_fixup alc269_fixup_models[] = { + {0x1b, 0x411111f0}, \ + {0x1e, 0x411111f0} + ++#define ALC256_STANDARD_PINS \ ++ {0x12, 0x90a60140}, \ ++ {0x14, 0x90170110}, \ ++ {0x19, 0x411111f0}, \ ++ {0x1a, 0x411111f0}, \ ++ {0x1b, 0x411111f0}, \ ++ {0x1d, 0x40700001}, \ ++ {0x1e, 0x411111f0}, \ ++ {0x21, 0x02211020} ++ + #define ALC282_STANDARD_PINS \ + {0x14, 0x90170110}, \ + {0x18, 0x411111f0}, \ +@@ -5237,15 +5247,11 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { + {0x1d, 0x40700001}, + {0x21, 0x02211050}), + SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, +- {0x12, 0x90a60140}, +- {0x13, 0x40000000}, +- {0x14, 0x90170110}, +- {0x19, 0x411111f0}, +- {0x1a, 0x411111f0}, +- {0x1b, 0x411111f0}, +- {0x1d, 0x40700001}, +- {0x1e, 0x411111f0}, +- {0x21, 0x02211020}), ++ ALC256_STANDARD_PINS, ++ {0x13, 0x40000000}), ++ SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, ++ ALC256_STANDARD_PINS, ++ {0x13, 0x411111f0}), + SND_HDA_PIN_QUIRK(0x10ec0280, 0x103c, "HP", ALC280_FIXUP_HP_GPIO4, + {0x12, 0x90a60130}, + {0x13, 0x40000000}, +-- +2.3.6 + + +From 53c20b74579ec9bb7b45b2208fce79df09e8bdfb Mon Sep 17 00:00:00 2001 +From: Ulrik De Bie <ulrik.debie-os@e2big.org> +Date: Mon, 6 Apr 2015 15:35:38 -0700 +Subject: [PATCH 096/219] Input: elantech - fix absolute mode setting on some + ASUS laptops +Cc: mpagano@gentoo.org + +commit bd884149aca61de269fd9bad83fe2a4232ffab21 upstream. + +On ASUS TP500LN and X750JN, the touchpad absolute mode is reset each +time set_rate is done. + +In order to fix this, we will verify the firmware version, and if it +matches the one in those laptops, the set_rate function is overloaded +with a function elantech_set_rate_restore_reg_07 that performs the +set_rate with the original function, followed by a restore of reg_07 +(the register that sets the absolute mode on elantech v4 hardware). + +Also the ASUS TP500LN and X750JN firmware version, capabilities, and +button constellation is added to elantech.c + +Reported-and-tested-by: George Moutsopoulos <gmoutso@yahoo.co.uk> +Signed-off-by: Ulrik De Bie <ulrik.debie-os@e2big.org> +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/input/mouse/elantech.c | 22 ++++++++++++++++++++++ + drivers/input/mouse/elantech.h | 1 + + 2 files changed, 23 insertions(+) + +diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c +index 6e22682..991dc6b 100644 +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -893,6 +893,21 @@ static psmouse_ret_t elantech_process_byte(struct psmouse *psmouse) + } + + /* ++ * This writes the reg_07 value again to the hardware at the end of every ++ * set_rate call because the register loses its value. reg_07 allows setting ++ * absolute mode on v4 hardware ++ */ ++static void elantech_set_rate_restore_reg_07(struct psmouse *psmouse, ++ unsigned int rate) ++{ ++ struct elantech_data *etd = psmouse->private; ++ ++ etd->original_set_rate(psmouse, rate); ++ if (elantech_write_reg(psmouse, 0x07, etd->reg_07)) ++ psmouse_err(psmouse, "restoring reg_07 failed\n"); ++} ++ ++/* + * Put the touchpad into absolute mode + */ + static int elantech_set_absolute_mode(struct psmouse *psmouse) +@@ -1094,6 +1109,8 @@ static int elantech_get_resolution_v4(struct psmouse *psmouse, + * Asus K53SV 0x450f01 78, 15, 0c 2 hw buttons + * Asus G46VW 0x460f02 00, 18, 0c 2 hw buttons + * Asus G750JX 0x360f00 00, 16, 0c 2 hw buttons ++ * Asus TP500LN 0x381f17 10, 14, 0e clickpad ++ * Asus X750JN 0x381f17 10, 14, 0e clickpad + * Asus UX31 0x361f00 20, 15, 0e clickpad + * Asus UX32VD 0x361f02 00, 15, 0e clickpad + * Avatar AVIU-145A2 0x361f00 ? clickpad +@@ -1635,6 +1652,11 @@ int elantech_init(struct psmouse *psmouse) + goto init_fail; + } + ++ if (etd->fw_version == 0x381f17) { ++ etd->original_set_rate = psmouse->set_rate; ++ psmouse->set_rate = elantech_set_rate_restore_reg_07; ++ } ++ + if (elantech_set_input_params(psmouse)) { + psmouse_err(psmouse, "failed to query touchpad range.\n"); + goto init_fail; +diff --git a/drivers/input/mouse/elantech.h b/drivers/input/mouse/elantech.h +index 6f3afec..f965d15 100644 +--- a/drivers/input/mouse/elantech.h ++++ b/drivers/input/mouse/elantech.h +@@ -142,6 +142,7 @@ struct elantech_data { + struct finger_pos mt[ETP_MAX_FINGERS]; + unsigned char parity[256]; + int (*send_cmd)(struct psmouse *psmouse, unsigned char c, unsigned char *param); ++ void (*original_set_rate)(struct psmouse *psmouse, unsigned int rate); + }; + + #ifdef CONFIG_MOUSE_PS2_ELANTECH +-- +2.3.6 + + +From 93ab611572eae4cb426cf006c70a7c7216603cfe Mon Sep 17 00:00:00 2001 +From: Hans de Goede <hdegoede@redhat.com> +Date: Wed, 8 Apr 2015 09:26:42 -0700 +Subject: [PATCH 097/219] Input: alps - fix touchpad buttons getting stuck when + used with trackpoint +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Cc: mpagano@gentoo.org + +commit 6bcca19f5dcedc3a006ca0bcc3699a437cadee74 upstream. + +When the left touchpad button gets pressed, and then the trackpoint is +moved, and then the button is released, the following happens: + +1) touchpad packet is received, touchpad evdev node reports BTN_LEFT 1 + +2) pointing stick packet is received, the hw will report a BTN_LEFT 1 in + this packet because when the trackstick is active it communicates the + combined touchpad + pointing stick buttons in the trackstick packet, + since alps_report_bare_ps2_packet passes NULL (*) for the dev2 parameter + to alps_report_buttons the combining is not detected and the + pointing stick evdev node will also report BTN_LEFT 1 + +3) on release of the button a pointing stick packet with BTN_LEFT 0 is + received and the pointing stick evdev node will report BTN_LEFT 0 + +Note how because of the passing as NULL for dev2 the touchpad evdev node +will never send BTN_LEFT 0 in this scenario leading to a stuck mouse button. + +This is a regression in 4.0 introduced by commit 04aae283ba6a8 +("Input: ALPS - do not mix trackstick and external PS/2 mouse data") + +This commit fixes this by passing in the touchpad evdev as dev2 parameter +when calling alps_report_buttons for the pointingstick on alps v2 devices, +so that alps_report_buttons correctly detect that we're already reporting +the button as pressed via the touchpad evdev node, and will also send the +release event there. + +Reported-by: Hans de Bruin <jmdebruin@xmsnet.nl> +Signed-off-by: Hans de Goede <hdegoede@redhat.com> +Acked-by: Pali Rohár <pali.rohar@gmail.com> +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/input/mouse/alps.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c +index 27bcdbc..ea6cb64 100644 +--- a/drivers/input/mouse/alps.c ++++ b/drivers/input/mouse/alps.c +@@ -1159,13 +1159,14 @@ static void alps_report_bare_ps2_packet(struct psmouse *psmouse, + bool report_buttons) + { + struct alps_data *priv = psmouse->private; +- struct input_dev *dev; ++ struct input_dev *dev, *dev2 = NULL; + + /* Figure out which device to use to report the bare packet */ + if (priv->proto_version == ALPS_PROTO_V2 && + (priv->flags & ALPS_DUALPOINT)) { + /* On V2 devices the DualPoint Stick reports bare packets */ + dev = priv->dev2; ++ dev2 = psmouse->dev; + } else if (unlikely(IS_ERR_OR_NULL(priv->dev3))) { + /* Register dev3 mouse if we received PS/2 packet first time */ + if (!IS_ERR(priv->dev3)) +@@ -1177,7 +1178,7 @@ static void alps_report_bare_ps2_packet(struct psmouse *psmouse, + } + + if (report_buttons) +- alps_report_buttons(dev, NULL, ++ alps_report_buttons(dev, dev2, + packet[0] & 1, packet[0] & 2, packet[0] & 4); + + input_report_rel(dev, REL_X, +-- +2.3.6 + + +From 9a7fcd609f2e3eaf2d661ee26ab7601e450cd7a2 Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan@kernel.org> +Date: Wed, 25 Mar 2015 12:07:05 +0100 +Subject: [PATCH 098/219] mfd: core: Fix platform-device name collisions +Cc: mpagano@gentoo.org + +commit a77c50b44cfb663ad03faba9800fec19bdf83577 upstream. + +Since commit 6e3f62f0793e ("mfd: core: Fix platform-device id +generation") we honour PLATFORM_DEVID_AUTO and PLATFORM_DEVID_NONE when +registering mfd-devices. + +Unfortunately, some mfd-drivers rely on the old behaviour of generating +platform-device ids by adding the cell id also to the special value of +PLATFORM_DEVID_NONE. The resulting platform ids are not only used to +generate device-unique names, but are also used instead of the cell id +to identify cells when probing subdevices. + +These drivers should be updated to use PLATFORM_DEVID_AUTO, which would +also allow more than one device to be registered without resorting to +hacks (see for example wm831x), but lets fix the regression first by +partially reverting the above mentioned commit with respect to +PLATFORM_DEVID_NONE. + +Fixes: 6e3f62f0793e ("mfd: core: Fix platform-device id generation") +Reported-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> +Signed-off-by: Johan Hovold <johan@kernel.org> +Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> +Signed-off-by: Lee Jones <lee.jones@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/mfd/mfd-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c +index 2a87f69..1aed3b7 100644 +--- a/drivers/mfd/mfd-core.c ++++ b/drivers/mfd/mfd-core.c +@@ -128,7 +128,7 @@ static int mfd_add_device(struct device *parent, int id, + int platform_id; + int r; + +- if (id < 0) ++ if (id == PLATFORM_DEVID_AUTO) + platform_id = id; + else + platform_id = id + cell->id; +-- +2.3.6 + + +From 671ea8186b4d894fef503c13745152d9827d7a1b Mon Sep 17 00:00:00 2001 +From: Michael Davidson <md@google.com> +Date: Tue, 14 Apr 2015 15:47:38 -0700 +Subject: [PATCH 099/219] fs/binfmt_elf.c: fix bug in loading of PIE binaries +Cc: mpagano@gentoo.org + +commit a87938b2e246b81b4fb713edb371a9fa3c5c3c86 upstream. + +With CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a normal top-down +address allocation strategy, load_elf_binary() will attempt to map a PIE +binary into an address range immediately below mm->mmap_base. + +Unfortunately, load_elf_ binary() does not take account of the need to +allocate sufficient space for the entire binary which means that, while +the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent +PT_LOAD segment(s) end up being mapped above mm->mmap_base into the are +that is supposed to be the "gap" between the stack and the binary. + +Since the size of the "gap" on x86_64 is only guaranteed to be 128MB this +means that binaries with large data segments > 128MB can end up mapping +part of their data segment over their stack resulting in corruption of the +stack (and the data segment once the binary starts to run). + +Any PIE binary with a data segment > 128MB is vulnerable to this although +address randomization means that the actual gap between the stack and the +end of the binary is normally greater than 128MB. The larger the data +segment of the binary the higher the probability of failure. + +Fix this by calculating the total size of the binary in the same way as +load_elf_interp(). + +Signed-off-by: Michael Davidson <md@google.com> +Cc: Alexander Viro <viro@zeniv.linux.org.uk> +Cc: Jiri Kosina <jkosina@suse.cz> +Cc: Kees Cook <keescook@chromium.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/binfmt_elf.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index 995986b..d925f55 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -862,6 +862,7 @@ static int load_elf_binary(struct linux_binprm *bprm) + i < loc->elf_ex.e_phnum; i++, elf_ppnt++) { + int elf_prot = 0, elf_flags; + unsigned long k, vaddr; ++ unsigned long total_size = 0; + + if (elf_ppnt->p_type != PT_LOAD) + continue; +@@ -924,10 +925,16 @@ static int load_elf_binary(struct linux_binprm *bprm) + #else + load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr); + #endif ++ total_size = total_mapping_size(elf_phdata, ++ loc->elf_ex.e_phnum); ++ if (!total_size) { ++ error = -EINVAL; ++ goto out_free_dentry; ++ } + } + + error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, +- elf_prot, elf_flags, 0); ++ elf_prot, elf_flags, total_size); + if (BAD_ADDR(error)) { + retval = IS_ERR((void *)error) ? + PTR_ERR((void*)error) : -EINVAL; +-- +2.3.6 + + +From 12ea13bf83f15c5cf59b4039295f98b0d7a83881 Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov <oleg@redhat.com> +Date: Thu, 16 Apr 2015 12:47:29 -0700 +Subject: [PATCH 100/219] ptrace: fix race between ptrace_resume() and + wait_task_stopped() +Cc: mpagano@gentoo.org + +commit b72c186999e689cb0b055ab1c7b3cd8fffbeb5ed upstream. + +ptrace_resume() is called when the tracee is still __TASK_TRACED. We set +tracee->exit_code and then wake_up_state() changes tracee->state. If the +tracer's sub-thread does wait() in between, task_stopped_code(ptrace => T) +wrongly looks like another report from tracee. + +This confuses debugger, and since wait_task_stopped() clears ->exit_code +the tracee can miss a signal. + +Test-case: + + #include <stdio.h> + #include <unistd.h> + #include <sys/wait.h> + #include <sys/ptrace.h> + #include <pthread.h> + #include <assert.h> + + int pid; + + void *waiter(void *arg) + { + int stat; + + for (;;) { + assert(pid == wait(&stat)); + assert(WIFSTOPPED(stat)); + if (WSTOPSIG(stat) == SIGHUP) + continue; + + assert(WSTOPSIG(stat) == SIGCONT); + printf("ERR! extra/wrong report:%x\n", stat); + } + } + + int main(void) + { + pthread_t thread; + + pid = fork(); + if (!pid) { + assert(ptrace(PTRACE_TRACEME, 0,0,0) == 0); + for (;;) + kill(getpid(), SIGHUP); + } + + assert(pthread_create(&thread, NULL, waiter, NULL) == 0); + + for (;;) + ptrace(PTRACE_CONT, pid, 0, SIGCONT); + + return 0; + } + +Note for stable: the bug is very old, but without 9899d11f6544 "ptrace: +ensure arch_ptrace/ptrace_request can never race with SIGKILL" the fix +should use lock_task_sighand(child). + +Signed-off-by: Oleg Nesterov <oleg@redhat.com> +Reported-by: Pavel Labath <labath@google.com> +Tested-by: Pavel Labath <labath@google.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + kernel/ptrace.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/kernel/ptrace.c b/kernel/ptrace.c +index 227fec3..9a34bd8 100644 +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -697,6 +697,8 @@ static int ptrace_peek_siginfo(struct task_struct *child, + static int ptrace_resume(struct task_struct *child, long request, + unsigned long data) + { ++ bool need_siglock; ++ + if (!valid_signal(data)) + return -EIO; + +@@ -724,8 +726,26 @@ static int ptrace_resume(struct task_struct *child, long request, + user_disable_single_step(child); + } + ++ /* ++ * Change ->exit_code and ->state under siglock to avoid the race ++ * with wait_task_stopped() in between; a non-zero ->exit_code will ++ * wrongly look like another report from tracee. ++ * ++ * Note that we need siglock even if ->exit_code == data and/or this ++ * status was not reported yet, the new status must not be cleared by ++ * wait_task_stopped() after resume. ++ * ++ * If data == 0 we do not care if wait_task_stopped() reports the old ++ * status and clears the code too; this can't race with the tracee, it ++ * takes siglock after resume. ++ */ ++ need_siglock = data && !thread_group_empty(current); ++ if (need_siglock) ++ spin_lock_irq(&child->sighand->siglock); + child->exit_code = data; + wake_up_state(child, __TASK_TRACED); ++ if (need_siglock) ++ spin_unlock_irq(&child->sighand->siglock); + + return 0; + } +-- +2.3.6 + + +From 64b22d90114136c3f66fef541c844bc2deb539c5 Mon Sep 17 00:00:00 2001 +From: Len Brown <len.brown@intel.com> +Date: Tue, 24 Mar 2015 23:23:20 -0400 +Subject: [PATCH 101/219] intel_idle: Update support for Silvermont Core in + Baytrail SOC +Cc: mpagano@gentoo.org + +commit d7ef76717322c8e2df7d4360b33faa9466cb1a0d upstream. + +On some Silvermont-Core/Baytrail-SOC systems, +C1E latency is higher than original specifications. +Although C1E is still enumerated in CPUID.MWAIT.EDX, +we delete the state from intel_idle to avoid latency impact. + +Under some conditions, the latency of the C6N-BYT and C6S-BYT states +may exceed the specified values of 40 and 140 usec, respectively. +Increase those values to 300 and 500 usec; to assure +that the hardware does not violate constraints that may be set +by the Linux PM_QOS sub-system. + +Also increase the C7-BYT target residency to 4.0 ms from 1.5 ms. + +Signed-off-by: Len Brown <len.brown@intel.com> +Cc: Kumar P Mahesh <mahesh.kumar.p@intel.com> +Cc: Alan Cox <alan@linux.intel.com> +Cc: Mika Westerberg <mika.westerberg@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/idle/intel_idle.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +diff --git a/drivers/idle/intel_idle.c b/drivers/idle/intel_idle.c +index b0e5852..44d1d79 100644 +--- a/drivers/idle/intel_idle.c ++++ b/drivers/idle/intel_idle.c +@@ -218,18 +218,10 @@ static struct cpuidle_state byt_cstates[] = { + .enter = &intel_idle, + .enter_freeze = intel_idle_freeze, }, + { +- .name = "C1E-BYT", +- .desc = "MWAIT 0x01", +- .flags = MWAIT2flg(0x01), +- .exit_latency = 15, +- .target_residency = 30, +- .enter = &intel_idle, +- .enter_freeze = intel_idle_freeze, }, +- { + .name = "C6N-BYT", + .desc = "MWAIT 0x58", + .flags = MWAIT2flg(0x58) | CPUIDLE_FLAG_TLB_FLUSHED, +- .exit_latency = 40, ++ .exit_latency = 300, + .target_residency = 275, + .enter = &intel_idle, + .enter_freeze = intel_idle_freeze, }, +@@ -237,7 +229,7 @@ static struct cpuidle_state byt_cstates[] = { + .name = "C6S-BYT", + .desc = "MWAIT 0x52", + .flags = MWAIT2flg(0x52) | CPUIDLE_FLAG_TLB_FLUSHED, +- .exit_latency = 140, ++ .exit_latency = 500, + .target_residency = 560, + .enter = &intel_idle, + .enter_freeze = intel_idle_freeze, }, +@@ -246,7 +238,7 @@ static struct cpuidle_state byt_cstates[] = { + .desc = "MWAIT 0x60", + .flags = MWAIT2flg(0x60) | CPUIDLE_FLAG_TLB_FLUSHED, + .exit_latency = 1200, +- .target_residency = 1500, ++ .target_residency = 4000, + .enter = &intel_idle, + .enter_freeze = intel_idle_freeze, }, + { +-- +2.3.6 + + +From 6181a6b2238de82fed39b0568645ea6a1ff2c6fd Mon Sep 17 00:00:00 2001 +From: Nicolas Ferre <nicolas.ferre@atmel.com> +Date: Tue, 31 Mar 2015 15:02:05 +0200 +Subject: [PATCH 102/219] net/macb: fix the peripheral version test +Cc: mpagano@gentoo.org + +commit 361918970b7426bba97a64678ef2b2679c37199b upstream. + +We currently need two checks of the peripheral version in MACB_MID register. +One of them got out of sync after modification by 8a013a9c71b2 (net: macb: +Include multi queue support for xilinx ZynqMP ethernet version). +Fix this in macb_configure_caps() so that xilinx ZynqMP will be considered +as a GEM flavor. + +Fixes: 8a013a9c71b2 ("net: macb: Include multi queue support for xilinx ZynqMP +ethernet version") + +Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com> +Cc: Michal Simek <michal.simek@xilinx.com> +Cc: Punnaiah Choudary Kalluri <punnaia@xilinx.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/net/ethernet/cadence/macb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cadence/macb.c b/drivers/net/ethernet/cadence/macb.c +index 81d4153..77bf133 100644 +--- a/drivers/net/ethernet/cadence/macb.c ++++ b/drivers/net/ethernet/cadence/macb.c +@@ -2165,7 +2165,7 @@ static void macb_configure_caps(struct macb *bp) + } + } + +- if (MACB_BFEXT(IDNUM, macb_readl(bp, MID)) == 0x2) ++ if (MACB_BFEXT(IDNUM, macb_readl(bp, MID)) >= 0x2) + bp->caps |= MACB_CAPS_MACB_IS_GEM; + + if (macb_is_gem(bp)) { +-- +2.3.6 + + +From 95df5a6b8698921ca30cd55853446016a2acb891 Mon Sep 17 00:00:00 2001 +From: Christophe Ricard <christophe.ricard@gmail.com> +Date: Tue, 31 Mar 2015 08:02:15 +0200 +Subject: [PATCH 103/219] NFC: st21nfcb: Retry i2c_master_send if it returns a + negative value +Cc: mpagano@gentoo.org + +commit d4a41d10b2cb5890aeda6b2912973b2a754b05b1 upstream. + +i2c_master_send may return many negative values different than +-EREMOTEIO. +In case an i2c transaction is NACK'ed, on raspberry pi B+ +kernel 3.18, -EIO is generated instead. + +Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com> +Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/nfc/st21nfcb/i2c.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/nfc/st21nfcb/i2c.c b/drivers/nfc/st21nfcb/i2c.c +index eb88693..7b53a5c 100644 +--- a/drivers/nfc/st21nfcb/i2c.c ++++ b/drivers/nfc/st21nfcb/i2c.c +@@ -109,7 +109,7 @@ static int st21nfcb_nci_i2c_write(void *phy_id, struct sk_buff *skb) + return phy->ndlc->hard_fault; + + r = i2c_master_send(client, skb->data, skb->len); +- if (r == -EREMOTEIO) { /* Retry, chip was in standby */ ++ if (r < 0) { /* Retry, chip was in standby */ + usleep_range(1000, 4000); + r = i2c_master_send(client, skb->data, skb->len); + } +@@ -148,7 +148,7 @@ static int st21nfcb_nci_i2c_read(struct st21nfcb_i2c_phy *phy, + struct i2c_client *client = phy->i2c_dev; + + r = i2c_master_recv(client, buf, ST21NFCB_NCI_I2C_MIN_SIZE); +- if (r == -EREMOTEIO) { /* Retry, chip was in standby */ ++ if (r < 0) { /* Retry, chip was in standby */ + usleep_range(1000, 4000); + r = i2c_master_recv(client, buf, ST21NFCB_NCI_I2C_MIN_SIZE); + } +-- +2.3.6 + + +From 9e2d43e521a469a50ef03b55cef24e7d260bbdbb Mon Sep 17 00:00:00 2001 +From: Larry Finger <Larry.Finger@lwfinger.net> +Date: Mon, 23 Mar 2015 18:14:10 -0500 +Subject: [PATCH 104/219] rtlwifi: rtl8192cu: Add new USB ID +Cc: mpagano@gentoo.org + +commit 2f92b314f4daff2117847ac5343c54d3d041bf78 upstream. + +USB ID 2001:330d is used for a D-Link DWA-131. + +Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/net/wireless/rtlwifi/rtl8192cu/sw.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c +index 90a714c..6fde250 100644 +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c +@@ -377,6 +377,7 @@ static struct usb_device_id rtl8192c_usb_ids[] = { + {RTL_USB_DEVICE(0x2001, 0x3307, rtl92cu_hal_cfg)}, /*D-Link-Cameo*/ + {RTL_USB_DEVICE(0x2001, 0x3309, rtl92cu_hal_cfg)}, /*D-Link-Alpha*/ + {RTL_USB_DEVICE(0x2001, 0x330a, rtl92cu_hal_cfg)}, /*D-Link-Alpha*/ ++ {RTL_USB_DEVICE(0x2001, 0x330d, rtl92cu_hal_cfg)}, /*D-Link DWA-131 */ + {RTL_USB_DEVICE(0x2019, 0xab2b, rtl92cu_hal_cfg)}, /*Planex -Abocom*/ + {RTL_USB_DEVICE(0x20f4, 0x624d, rtl92cu_hal_cfg)}, /*TRENDNet*/ + {RTL_USB_DEVICE(0x2357, 0x0100, rtl92cu_hal_cfg)}, /*TP-Link WN8200ND*/ +-- +2.3.6 + + +From a9fe1b9caf0ea4ccada73ce243b23fd6a7e896d3 Mon Sep 17 00:00:00 2001 +From: Marek Vasut <marex@denx.de> +Date: Thu, 26 Mar 2015 02:16:06 +0100 +Subject: [PATCH 105/219] rtlwifi: rtl8192cu: Add new device ID +Cc: mpagano@gentoo.org + +commit 9374e7d2fdcad3c36dafc8d3effd554bc702c4b6 upstream. + +Add new ID for ASUS N10 WiFi dongle. + +Signed-off-by: Marek Vasut <marex@denx.de> +Tested-by: Marek Vasut <marex@denx.de> +Cc: Larry Finger <Larry.Finger@lwfinger.net> +Cc: John W. Linville <linville@tuxdriver.com> +Acked-by: Larry Finger <Larry.Finger@lwfinger.net> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/net/wireless/rtlwifi/rtl8192cu/sw.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c +index 6fde250..23806c2 100644 +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c +@@ -321,6 +321,7 @@ static struct usb_device_id rtl8192c_usb_ids[] = { + {RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/ + {RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/ + {RTL_USB_DEVICE(0x0846, 0x9041, rtl92cu_hal_cfg)}, /*NetGear WNA1000M*/ ++ {RTL_USB_DEVICE(0x0b05, 0x17ba, rtl92cu_hal_cfg)}, /*ASUS-Edimax*/ + {RTL_USB_DEVICE(0x0bda, 0x5088, rtl92cu_hal_cfg)}, /*Thinkware-CC&C*/ + {RTL_USB_DEVICE(0x0df6, 0x0052, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/ + {RTL_USB_DEVICE(0x0df6, 0x005c, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/ +-- +2.3.6 + + +From 3536e283ea6797daac8054aebea238cafe9a464c Mon Sep 17 00:00:00 2001 +From: Lukas Czerner <lczerner@redhat.com> +Date: Fri, 3 Apr 2015 10:46:58 -0400 +Subject: [PATCH 106/219] ext4: make fsync to sync parent dir in no-journal for + real this time +Cc: mpagano@gentoo.org + +commit e12fb97222fc41e8442896934f76d39ef99b590a upstream. + +Previously commit 14ece1028b3ed53ffec1b1213ffc6acaf79ad77c added a +support for for syncing parent directory of newly created inodes to +make sure that the inode is not lost after a power failure in +no-journal mode. + +However this does not work in majority of cases, namely: + - if the directory has inline data + - if the directory is already indexed + - if the directory already has at least one block and: + - the new entry fits into it + - or we've successfully converted it to indexed + +So in those cases we might lose the inode entirely even after fsync in +the no-journal mode. This also includes ext2 default mode obviously. + +I've noticed this while running xfstest generic/321 and even though the +test should fail (we need to run fsck after a crash in no-journal mode) +I could not find a newly created entries even when if it was fsynced +before. + +Fix this by adjusting the ext4_add_entry() successful exit paths to set +the inode EXT4_STATE_NEWENTRY so that fsync has the chance to fsync the +parent directory as well. + +Signed-off-by: Lukas Czerner <lczerner@redhat.com> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Reviewed-by: Jan Kara <jack@suse.cz> +Cc: Frank Mayhar <fmayhar@google.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/ext4/namei.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 28fe71a..aae7011 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1865,7 +1865,7 @@ static int ext4_add_entry(handle_t *handle, struct dentry *dentry, + struct inode *inode) + { + struct inode *dir = dentry->d_parent->d_inode; +- struct buffer_head *bh; ++ struct buffer_head *bh = NULL; + struct ext4_dir_entry_2 *de; + struct ext4_dir_entry_tail *t; + struct super_block *sb; +@@ -1889,14 +1889,14 @@ static int ext4_add_entry(handle_t *handle, struct dentry *dentry, + return retval; + if (retval == 1) { + retval = 0; +- return retval; ++ goto out; + } + } + + if (is_dx(dir)) { + retval = ext4_dx_add_entry(handle, dentry, inode); + if (!retval || (retval != ERR_BAD_DX_DIR)) +- return retval; ++ goto out; + ext4_clear_inode_flag(dir, EXT4_INODE_INDEX); + dx_fallback++; + ext4_mark_inode_dirty(handle, dir); +@@ -1908,14 +1908,15 @@ static int ext4_add_entry(handle_t *handle, struct dentry *dentry, + return PTR_ERR(bh); + + retval = add_dirent_to_buf(handle, dentry, inode, NULL, bh); +- if (retval != -ENOSPC) { +- brelse(bh); +- return retval; +- } ++ if (retval != -ENOSPC) ++ goto out; + + if (blocks == 1 && !dx_fallback && +- EXT4_HAS_COMPAT_FEATURE(sb, EXT4_FEATURE_COMPAT_DIR_INDEX)) +- return make_indexed_dir(handle, dentry, inode, bh); ++ EXT4_HAS_COMPAT_FEATURE(sb, EXT4_FEATURE_COMPAT_DIR_INDEX)) { ++ retval = make_indexed_dir(handle, dentry, inode, bh); ++ bh = NULL; /* make_indexed_dir releases bh */ ++ goto out; ++ } + brelse(bh); + } + bh = ext4_append(handle, dir, &block); +@@ -1931,6 +1932,7 @@ static int ext4_add_entry(handle_t *handle, struct dentry *dentry, + } + + retval = add_dirent_to_buf(handle, dentry, inode, de, bh); ++out: + brelse(bh); + if (retval == 0) + ext4_set_inode_state(inode, EXT4_STATE_NEWENTRY); +-- +2.3.6 + + +From 1527fbabfa4fdb32f66b47dd48518572fb4e0eaa Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Wed, 24 Dec 2014 07:20:01 -0600 +Subject: [PATCH 107/219] mnt: Improve the umount_tree flags +Cc: mpagano@gentoo.org + +commit e819f152104c9f7c9fe50e1aecce6f5d4bf06d65 upstream. + +- Remove the unneeded declaration from pnode.h +- Mark umount_tree static as it has no callers outside of namespace.c +- Define an enumeration of umount_tree's flags. +- Pass umount_tree's flags in by name + +This removes the magic numbers 0, 1 and 2 making the code a little +clearer and makes it possible for there to be lazy unmounts that don't +propagate. Which is what __detach_mounts actually wants for example. + +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/namespace.c | 31 ++++++++++++++++--------------- + fs/pnode.h | 1 - + 2 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 82ef140..712b3c5 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1319,14 +1319,15 @@ static inline void namespace_lock(void) + down_write(&namespace_sem); + } + ++enum umount_tree_flags { ++ UMOUNT_SYNC = 1, ++ UMOUNT_PROPAGATE = 2, ++}; + /* + * mount_lock must be held + * namespace_sem must be held for write +- * how = 0 => just this tree, don't propagate +- * how = 1 => propagate; we know that nobody else has reference to any victims +- * how = 2 => lazy umount + */ +-void umount_tree(struct mount *mnt, int how) ++static void umount_tree(struct mount *mnt, enum umount_tree_flags how) + { + HLIST_HEAD(tmp_list); + struct mount *p; +@@ -1339,7 +1340,7 @@ void umount_tree(struct mount *mnt, int how) + hlist_for_each_entry(p, &tmp_list, mnt_hash) + list_del_init(&p->mnt_child); + +- if (how) ++ if (how & UMOUNT_PROPAGATE) + propagate_umount(&tmp_list); + + while (!hlist_empty(&tmp_list)) { +@@ -1349,7 +1350,7 @@ void umount_tree(struct mount *mnt, int how) + list_del_init(&p->mnt_list); + __touch_mnt_namespace(p->mnt_ns); + p->mnt_ns = NULL; +- if (how < 2) ++ if (how & UMOUNT_SYNC) + p->mnt.mnt_flags |= MNT_SYNC_UMOUNT; + + pin_insert_group(&p->mnt_umount, &p->mnt_parent->mnt, &unmounted); +@@ -1447,14 +1448,14 @@ static int do_umount(struct mount *mnt, int flags) + + if (flags & MNT_DETACH) { + if (!list_empty(&mnt->mnt_list)) +- umount_tree(mnt, 2); ++ umount_tree(mnt, UMOUNT_PROPAGATE); + retval = 0; + } else { + shrink_submounts(mnt); + retval = -EBUSY; + if (!propagate_mount_busy(mnt, 2)) { + if (!list_empty(&mnt->mnt_list)) +- umount_tree(mnt, 1); ++ umount_tree(mnt, UMOUNT_PROPAGATE|UMOUNT_SYNC); + retval = 0; + } + } +@@ -1486,7 +1487,7 @@ void __detach_mounts(struct dentry *dentry) + lock_mount_hash(); + while (!hlist_empty(&mp->m_list)) { + mnt = hlist_entry(mp->m_list.first, struct mount, mnt_mp_list); +- umount_tree(mnt, 2); ++ umount_tree(mnt, UMOUNT_PROPAGATE); + } + unlock_mount_hash(); + put_mountpoint(mp); +@@ -1648,7 +1649,7 @@ struct mount *copy_tree(struct mount *mnt, struct dentry *dentry, + out: + if (res) { + lock_mount_hash(); +- umount_tree(res, 0); ++ umount_tree(res, UMOUNT_SYNC); + unlock_mount_hash(); + } + return q; +@@ -1672,7 +1673,7 @@ void drop_collected_mounts(struct vfsmount *mnt) + { + namespace_lock(); + lock_mount_hash(); +- umount_tree(real_mount(mnt), 0); ++ umount_tree(real_mount(mnt), UMOUNT_SYNC); + unlock_mount_hash(); + namespace_unlock(); + } +@@ -1855,7 +1856,7 @@ static int attach_recursive_mnt(struct mount *source_mnt, + out_cleanup_ids: + while (!hlist_empty(&tree_list)) { + child = hlist_entry(tree_list.first, struct mount, mnt_hash); +- umount_tree(child, 0); ++ umount_tree(child, UMOUNT_SYNC); + } + unlock_mount_hash(); + cleanup_group_ids(source_mnt, NULL); +@@ -2035,7 +2036,7 @@ static int do_loopback(struct path *path, const char *old_name, + err = graft_tree(mnt, parent, mp); + if (err) { + lock_mount_hash(); +- umount_tree(mnt, 0); ++ umount_tree(mnt, UMOUNT_SYNC); + unlock_mount_hash(); + } + out2: +@@ -2406,7 +2407,7 @@ void mark_mounts_for_expiry(struct list_head *mounts) + while (!list_empty(&graveyard)) { + mnt = list_first_entry(&graveyard, struct mount, mnt_expire); + touch_mnt_namespace(mnt->mnt_ns); +- umount_tree(mnt, 1); ++ umount_tree(mnt, UMOUNT_PROPAGATE|UMOUNT_SYNC); + } + unlock_mount_hash(); + namespace_unlock(); +@@ -2477,7 +2478,7 @@ static void shrink_submounts(struct mount *mnt) + m = list_first_entry(&graveyard, struct mount, + mnt_expire); + touch_mnt_namespace(m->mnt_ns); +- umount_tree(m, 1); ++ umount_tree(m, UMOUNT_PROPAGATE|UMOUNT_SYNC); + } + } + } +diff --git a/fs/pnode.h b/fs/pnode.h +index 4a24635..16afc3d 100644 +--- a/fs/pnode.h ++++ b/fs/pnode.h +@@ -47,7 +47,6 @@ int get_dominating_id(struct mount *mnt, const struct path *root); + unsigned int mnt_get_count(struct mount *mnt); + void mnt_set_mountpoint(struct mount *, struct mountpoint *, + struct mount *); +-void umount_tree(struct mount *, int); + struct mount *copy_tree(struct mount *, struct dentry *, int); + bool is_path_reachable(struct mount *, struct dentry *, + const struct path *root); +-- +2.3.6 + + +From a15f7b5e276d1b8f71d3d64d7f3f509e77bee5e4 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Wed, 24 Dec 2014 07:35:10 -0600 +Subject: [PATCH 108/219] mnt: Don't propagate umounts in __detach_mounts +Cc: mpagano@gentoo.org + +commit 8318e667f176f7ea34451a1a530634e293f216ac upstream. + +Invoking mount propagation from __detach_mounts is inefficient and +wrong. + +It is inefficient because __detach_mounts already walks the list of +mounts that where something needs to be done, and mount propagation +walks some subset of those mounts again. + +It is actively wrong because if the dentry that is passed to +__detach_mounts is not part of the path to a mount that mount should +not be affected. + +change_mnt_propagation(p,MS_PRIVATE) modifies the mount propagation +tree of a master mount so it's slaves are connected to another master +if possible. Which means even removing a mount from the middle of a +mount tree with __detach_mounts will not deprive any mount propagated +mount events. + +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/namespace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 712b3c5..616a694 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1487,7 +1487,7 @@ void __detach_mounts(struct dentry *dentry) + lock_mount_hash(); + while (!hlist_empty(&mp->m_list)) { + mnt = hlist_entry(mp->m_list.first, struct mount, mnt_mp_list); +- umount_tree(mnt, UMOUNT_PROPAGATE); ++ umount_tree(mnt, 0); + } + unlock_mount_hash(); + put_mountpoint(mp); +-- +2.3.6 + + +From 953bab2cb35f8f6f2a0183c1b27ff7466f72bccc Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Thu, 18 Dec 2014 13:10:48 -0600 +Subject: [PATCH 109/219] mnt: In umount_tree reuse mnt_list instead of + mnt_hash +Cc: mpagano@gentoo.org + +commit c003b26ff98ca04a180ff34c38c007a3998d62f9 upstream. + +umount_tree builds a list of mounts that need to be unmounted. +Utilize mnt_list for this purpose instead of mnt_hash. This begins to +allow keeping a mount on the mnt_hash after it is unmounted, which is +necessary for a properly functioning MNT_LOCKED implementation. + +The fact that mnt_list is an ordinary list makding available list_move +is nice bonus. + +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/namespace.c | 20 +++++++++++--------- + fs/pnode.c | 6 +++--- + fs/pnode.h | 2 +- + 3 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 616a694..18df0af 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1329,23 +1329,25 @@ enum umount_tree_flags { + */ + static void umount_tree(struct mount *mnt, enum umount_tree_flags how) + { +- HLIST_HEAD(tmp_list); ++ LIST_HEAD(tmp_list); + struct mount *p; + +- for (p = mnt; p; p = next_mnt(p, mnt)) { +- hlist_del_init_rcu(&p->mnt_hash); +- hlist_add_head(&p->mnt_hash, &tmp_list); +- } ++ /* Gather the mounts to umount */ ++ for (p = mnt; p; p = next_mnt(p, mnt)) ++ list_move(&p->mnt_list, &tmp_list); + +- hlist_for_each_entry(p, &tmp_list, mnt_hash) ++ /* Hide the mounts from lookup_mnt and mnt_mounts */ ++ list_for_each_entry(p, &tmp_list, mnt_list) { ++ hlist_del_init_rcu(&p->mnt_hash); + list_del_init(&p->mnt_child); ++ } + ++ /* Add propogated mounts to the tmp_list */ + if (how & UMOUNT_PROPAGATE) + propagate_umount(&tmp_list); + +- while (!hlist_empty(&tmp_list)) { +- p = hlist_entry(tmp_list.first, struct mount, mnt_hash); +- hlist_del_init_rcu(&p->mnt_hash); ++ while (!list_empty(&tmp_list)) { ++ p = list_first_entry(&tmp_list, struct mount, mnt_list); + list_del_init(&p->mnt_expire); + list_del_init(&p->mnt_list); + __touch_mnt_namespace(p->mnt_ns); +diff --git a/fs/pnode.c b/fs/pnode.c +index 260ac8f..bf012af 100644 +--- a/fs/pnode.c ++++ b/fs/pnode.c +@@ -384,7 +384,7 @@ static void __propagate_umount(struct mount *mnt) + if (child && list_empty(&child->mnt_mounts)) { + list_del_init(&child->mnt_child); + hlist_del_init_rcu(&child->mnt_hash); +- hlist_add_before_rcu(&child->mnt_hash, &mnt->mnt_hash); ++ list_move_tail(&child->mnt_list, &mnt->mnt_list); + } + } + } +@@ -396,11 +396,11 @@ static void __propagate_umount(struct mount *mnt) + * + * vfsmount lock must be held for write + */ +-int propagate_umount(struct hlist_head *list) ++int propagate_umount(struct list_head *list) + { + struct mount *mnt; + +- hlist_for_each_entry(mnt, list, mnt_hash) ++ list_for_each_entry(mnt, list, mnt_list) + __propagate_umount(mnt); + return 0; + } +diff --git a/fs/pnode.h b/fs/pnode.h +index 16afc3d..aa6d65d 100644 +--- a/fs/pnode.h ++++ b/fs/pnode.h +@@ -40,7 +40,7 @@ static inline void set_mnt_shared(struct mount *mnt) + void change_mnt_propagation(struct mount *, int); + int propagate_mnt(struct mount *, struct mountpoint *, struct mount *, + struct hlist_head *); +-int propagate_umount(struct hlist_head *); ++int propagate_umount(struct list_head *); + int propagate_mount_busy(struct mount *, int); + void mnt_release_group_id(struct mount *); + int get_dominating_id(struct mount *mnt, const struct path *root); +-- +2.3.6 + + +From 7052e71b2d085f76800115d4a212dcaf82b86262 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Mon, 22 Dec 2014 18:30:08 -0600 +Subject: [PATCH 110/219] mnt: Add MNT_UMOUNT flag +Cc: mpagano@gentoo.org + +commit 590ce4bcbfb4e0462a720a4ad901e84416080bba upstream. + +In some instances it is necessary to know if the the unmounting +process has begun on a mount. Add MNT_UMOUNT to make that reliably +testable. + +This fix gets used in fixing locked mounts in MNT_DETACH + +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/namespace.c | 4 +++- + fs/pnode.c | 1 + + include/linux/mount.h | 1 + + 3 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 18df0af..9f3c7e5 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1333,8 +1333,10 @@ static void umount_tree(struct mount *mnt, enum umount_tree_flags how) + struct mount *p; + + /* Gather the mounts to umount */ +- for (p = mnt; p; p = next_mnt(p, mnt)) ++ for (p = mnt; p; p = next_mnt(p, mnt)) { ++ p->mnt.mnt_flags |= MNT_UMOUNT; + list_move(&p->mnt_list, &tmp_list); ++ } + + /* Hide the mounts from lookup_mnt and mnt_mounts */ + list_for_each_entry(p, &tmp_list, mnt_list) { +diff --git a/fs/pnode.c b/fs/pnode.c +index bf012af..ac3aa0d 100644 +--- a/fs/pnode.c ++++ b/fs/pnode.c +@@ -384,6 +384,7 @@ static void __propagate_umount(struct mount *mnt) + if (child && list_empty(&child->mnt_mounts)) { + list_del_init(&child->mnt_child); + hlist_del_init_rcu(&child->mnt_hash); ++ child->mnt.mnt_flags |= MNT_UMOUNT; + list_move_tail(&child->mnt_list, &mnt->mnt_list); + } + } +diff --git a/include/linux/mount.h b/include/linux/mount.h +index c2c561d..564beee 100644 +--- a/include/linux/mount.h ++++ b/include/linux/mount.h +@@ -61,6 +61,7 @@ struct mnt_namespace; + #define MNT_DOOMED 0x1000000 + #define MNT_SYNC_UMOUNT 0x2000000 + #define MNT_MARKED 0x4000000 ++#define MNT_UMOUNT 0x8000000 + + struct vfsmount { + struct dentry *mnt_root; /* root of the mounted tree */ +-- +2.3.6 + + +From 7a9742a65c02e30a62ae42c765eb4dff26b51cc9 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Mon, 22 Dec 2014 19:12:07 -0600 +Subject: [PATCH 111/219] mnt: Delay removal from the mount hash. +Cc: mpagano@gentoo.org + +commit 411a938b5abc9cb126c41cccf5975ae464fe0f3e upstream. + +- Modify __lookup_mnt_hash_last to ignore mounts that have MNT_UMOUNTED set. +- Don't remove mounts from the mount hash table in propogate_umount +- Don't remove mounts from the mount hash table in umount_tree before + the entire list of mounts to be umounted is selected. +- Remove mounts from the mount hash table as the last thing that + happens in the case where a mount has a parent in umount_tree. + Mounts without parents are not hashed (by definition). + +This paves the way for delaying removal from the mount hash table even +farther and fixing the MNT_LOCKED vs MNT_DETACH issue. + +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/namespace.c | 13 ++++++++----- + fs/pnode.c | 1 - + 2 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 9f3c7e5..6c477be 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -632,14 +632,17 @@ struct mount *__lookup_mnt(struct vfsmount *mnt, struct dentry *dentry) + */ + struct mount *__lookup_mnt_last(struct vfsmount *mnt, struct dentry *dentry) + { +- struct mount *p, *res; +- res = p = __lookup_mnt(mnt, dentry); ++ struct mount *p, *res = NULL; ++ p = __lookup_mnt(mnt, dentry); + if (!p) + goto out; ++ if (!(p->mnt.mnt_flags & MNT_UMOUNT)) ++ res = p; + hlist_for_each_entry_continue(p, mnt_hash) { + if (&p->mnt_parent->mnt != mnt || p->mnt_mountpoint != dentry) + break; +- res = p; ++ if (!(p->mnt.mnt_flags & MNT_UMOUNT)) ++ res = p; + } + out: + return res; +@@ -1338,9 +1341,8 @@ static void umount_tree(struct mount *mnt, enum umount_tree_flags how) + list_move(&p->mnt_list, &tmp_list); + } + +- /* Hide the mounts from lookup_mnt and mnt_mounts */ ++ /* Hide the mounts from mnt_mounts */ + list_for_each_entry(p, &tmp_list, mnt_list) { +- hlist_del_init_rcu(&p->mnt_hash); + list_del_init(&p->mnt_child); + } + +@@ -1367,6 +1369,7 @@ static void umount_tree(struct mount *mnt, enum umount_tree_flags how) + p->mnt_mountpoint = p->mnt.mnt_root; + p->mnt_parent = p; + p->mnt_mp = NULL; ++ hlist_del_init_rcu(&p->mnt_hash); + } + change_mnt_propagation(p, MS_PRIVATE); + } +diff --git a/fs/pnode.c b/fs/pnode.c +index ac3aa0d..c27ae38 100644 +--- a/fs/pnode.c ++++ b/fs/pnode.c +@@ -383,7 +383,6 @@ static void __propagate_umount(struct mount *mnt) + */ + if (child && list_empty(&child->mnt_mounts)) { + list_del_init(&child->mnt_child); +- hlist_del_init_rcu(&child->mnt_hash); + child->mnt.mnt_flags |= MNT_UMOUNT; + list_move_tail(&child->mnt_list, &mnt->mnt_list); + } +-- +2.3.6 + + +From 397dd1fc1225b478824134ddd5540f889b13809d Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Sat, 3 Jan 2015 05:39:35 -0600 +Subject: [PATCH 112/219] mnt: On an unmount propagate clearing of MNT_LOCKED +Cc: mpagano@gentoo.org + +commit 5d88457eb5b86b475422dc882f089203faaeedb5 upstream. + +A prerequisite of calling umount_tree is that the point where the tree +is mounted at is valid to unmount. + +If we are propagating the effect of the unmount clear MNT_LOCKED in +every instance where the same filesystem is mounted on the same +mountpoint in the mount tree, as we know (by virtue of the fact +that umount_tree was called) that it is safe to reveal what +is at that mountpoint. + +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/namespace.c | 3 +++ + fs/pnode.c | 20 ++++++++++++++++++++ + fs/pnode.h | 1 + + 3 files changed, 24 insertions(+) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 6c477be..7d9a69d 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1335,6 +1335,9 @@ static void umount_tree(struct mount *mnt, enum umount_tree_flags how) + LIST_HEAD(tmp_list); + struct mount *p; + ++ if (how & UMOUNT_PROPAGATE) ++ propagate_mount_unlock(mnt); ++ + /* Gather the mounts to umount */ + for (p = mnt; p; p = next_mnt(p, mnt)) { + p->mnt.mnt_flags |= MNT_UMOUNT; +diff --git a/fs/pnode.c b/fs/pnode.c +index c27ae38..8989029 100644 +--- a/fs/pnode.c ++++ b/fs/pnode.c +@@ -362,6 +362,26 @@ int propagate_mount_busy(struct mount *mnt, int refcnt) + } + + /* ++ * Clear MNT_LOCKED when it can be shown to be safe. ++ * ++ * mount_lock lock must be held for write ++ */ ++void propagate_mount_unlock(struct mount *mnt) ++{ ++ struct mount *parent = mnt->mnt_parent; ++ struct mount *m, *child; ++ ++ BUG_ON(parent == mnt); ++ ++ for (m = propagation_next(parent, parent); m; ++ m = propagation_next(m, parent)) { ++ child = __lookup_mnt_last(&m->mnt, mnt->mnt_mountpoint); ++ if (child) ++ child->mnt.mnt_flags &= ~MNT_LOCKED; ++ } ++} ++ ++/* + * NOTE: unmounting 'mnt' naturally propagates to all other mounts its + * parent propagates to. + */ +diff --git a/fs/pnode.h b/fs/pnode.h +index aa6d65d..af47d4b 100644 +--- a/fs/pnode.h ++++ b/fs/pnode.h +@@ -42,6 +42,7 @@ int propagate_mnt(struct mount *, struct mountpoint *, struct mount *, + struct hlist_head *); + int propagate_umount(struct list_head *); + int propagate_mount_busy(struct mount *, int); ++void propagate_mount_unlock(struct mount *); + void mnt_release_group_id(struct mount *); + int get_dominating_id(struct mount *mnt, const struct path *root); + unsigned int mnt_get_count(struct mount *mnt); +-- +2.3.6 + + +From 928116b22b1eb446c59a0fb93857d7a6d80930af Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Mon, 5 Jan 2015 13:38:04 -0600 +Subject: [PATCH 113/219] mnt: Don't propagate unmounts to locked mounts +Cc: mpagano@gentoo.org + +commit 0c56fe31420ca599c90240315f7959bf1b4eb6ce upstream. + +If the first mount in shared subtree is locked don't unmount the +shared subtree. + +This is ensured by walking through the mounts parents before children +and marking a mount as unmountable if it is not locked or it is locked +but it's parent is marked. + +This allows recursive mount detach to propagate through a set of +mounts when unmounting them would not reveal what is under any locked +mount. + +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/pnode.c | 32 +++++++++++++++++++++++++++++--- + fs/pnode.h | 1 + + 2 files changed, 30 insertions(+), 3 deletions(-) + +diff --git a/fs/pnode.c b/fs/pnode.c +index 8989029..6367e1e 100644 +--- a/fs/pnode.c ++++ b/fs/pnode.c +@@ -382,6 +382,26 @@ void propagate_mount_unlock(struct mount *mnt) + } + + /* ++ * Mark all mounts that the MNT_LOCKED logic will allow to be unmounted. ++ */ ++static void mark_umount_candidates(struct mount *mnt) ++{ ++ struct mount *parent = mnt->mnt_parent; ++ struct mount *m; ++ ++ BUG_ON(parent == mnt); ++ ++ for (m = propagation_next(parent, parent); m; ++ m = propagation_next(m, parent)) { ++ struct mount *child = __lookup_mnt_last(&m->mnt, ++ mnt->mnt_mountpoint); ++ if (child && (!IS_MNT_LOCKED(child) || IS_MNT_MARKED(m))) { ++ SET_MNT_MARK(child); ++ } ++ } ++} ++ ++/* + * NOTE: unmounting 'mnt' naturally propagates to all other mounts its + * parent propagates to. + */ +@@ -398,10 +418,13 @@ static void __propagate_umount(struct mount *mnt) + struct mount *child = __lookup_mnt_last(&m->mnt, + mnt->mnt_mountpoint); + /* +- * umount the child only if the child has no +- * other children ++ * umount the child only if the child has no children ++ * and the child is marked safe to unmount. + */ +- if (child && list_empty(&child->mnt_mounts)) { ++ if (!child || !IS_MNT_MARKED(child)) ++ continue; ++ CLEAR_MNT_MARK(child); ++ if (list_empty(&child->mnt_mounts)) { + list_del_init(&child->mnt_child); + child->mnt.mnt_flags |= MNT_UMOUNT; + list_move_tail(&child->mnt_list, &mnt->mnt_list); +@@ -420,6 +443,9 @@ int propagate_umount(struct list_head *list) + { + struct mount *mnt; + ++ list_for_each_entry_reverse(mnt, list, mnt_list) ++ mark_umount_candidates(mnt); ++ + list_for_each_entry(mnt, list, mnt_list) + __propagate_umount(mnt); + return 0; +diff --git a/fs/pnode.h b/fs/pnode.h +index af47d4b..0fcdbe7 100644 +--- a/fs/pnode.h ++++ b/fs/pnode.h +@@ -19,6 +19,7 @@ + #define IS_MNT_MARKED(m) ((m)->mnt.mnt_flags & MNT_MARKED) + #define SET_MNT_MARK(m) ((m)->mnt.mnt_flags |= MNT_MARKED) + #define CLEAR_MNT_MARK(m) ((m)->mnt.mnt_flags &= ~MNT_MARKED) ++#define IS_MNT_LOCKED(m) ((m)->mnt.mnt_flags & MNT_LOCKED) + + #define CL_EXPIRE 0x01 + #define CL_SLAVE 0x02 +-- +2.3.6 + + +From 92e35ac5954f9f7829ad88066930a4b2b58fe4dd Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Mon, 29 Dec 2014 13:03:41 -0600 +Subject: [PATCH 114/219] mnt: Factor out unhash_mnt from detach_mnt and + umount_tree +Cc: mpagano@gentoo.org + +commit 7bdb11de8ee4f4ae195e2fa19efd304e0b36c63b upstream. + +Create a function unhash_mnt that contains the common code between +detach_mnt and umount_tree, and use unhash_mnt in place of the common +code. This add a unncessary list_del_init(mnt->mnt_child) into +umount_tree but given that mnt_child is already empty this extra +line is a noop. + +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/namespace.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 7d9a69d..0e95c84 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -798,10 +798,8 @@ static void __touch_mnt_namespace(struct mnt_namespace *ns) + /* + * vfsmount lock must be held for write + */ +-static void detach_mnt(struct mount *mnt, struct path *old_path) ++static void unhash_mnt(struct mount *mnt) + { +- old_path->dentry = mnt->mnt_mountpoint; +- old_path->mnt = &mnt->mnt_parent->mnt; + mnt->mnt_parent = mnt; + mnt->mnt_mountpoint = mnt->mnt.mnt_root; + list_del_init(&mnt->mnt_child); +@@ -814,6 +812,16 @@ static void detach_mnt(struct mount *mnt, struct path *old_path) + /* + * vfsmount lock must be held for write + */ ++static void detach_mnt(struct mount *mnt, struct path *old_path) ++{ ++ old_path->dentry = mnt->mnt_mountpoint; ++ old_path->mnt = &mnt->mnt_parent->mnt; ++ unhash_mnt(mnt); ++} ++ ++/* ++ * vfsmount lock must be held for write ++ */ + void mnt_set_mountpoint(struct mount *mnt, + struct mountpoint *mp, + struct mount *child_mnt) +@@ -1364,15 +1372,10 @@ static void umount_tree(struct mount *mnt, enum umount_tree_flags how) + + pin_insert_group(&p->mnt_umount, &p->mnt_parent->mnt, &unmounted); + if (mnt_has_parent(p)) { +- hlist_del_init(&p->mnt_mp_list); +- put_mountpoint(p->mnt_mp); + mnt_add_count(p->mnt_parent, -1); + /* old mountpoint will be dropped when we can do that */ + p->mnt_ex_mountpoint = p->mnt_mountpoint; +- p->mnt_mountpoint = p->mnt.mnt_root; +- p->mnt_parent = p; +- p->mnt_mp = NULL; +- hlist_del_init_rcu(&p->mnt_hash); ++ unhash_mnt(p); + } + change_mnt_propagation(p, MS_PRIVATE); + } +-- +2.3.6 + + +From 2db706971b3f28b3d59a9af231578803da85def8 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Thu, 15 Jan 2015 22:58:33 -0600 +Subject: [PATCH 115/219] mnt: Factor umount_mnt from umount_tree +Cc: mpagano@gentoo.org + +commit 6a46c5735c29175da55b2fa9d53775182422cdd7 upstream. + +For future use factor out a function umount_mnt from umount_tree. +This function unhashes a mount and remembers where the mount +was mounted so that eventually when the code makes it to a +sleeping context the mountpoint can be dput. + +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/namespace.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 0e95c84..c905e48 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -822,6 +822,16 @@ static void detach_mnt(struct mount *mnt, struct path *old_path) + /* + * vfsmount lock must be held for write + */ ++static void umount_mnt(struct mount *mnt) ++{ ++ /* old mountpoint will be dropped when we can do that */ ++ mnt->mnt_ex_mountpoint = mnt->mnt_mountpoint; ++ unhash_mnt(mnt); ++} ++ ++/* ++ * vfsmount lock must be held for write ++ */ + void mnt_set_mountpoint(struct mount *mnt, + struct mountpoint *mp, + struct mount *child_mnt) +@@ -1373,9 +1383,7 @@ static void umount_tree(struct mount *mnt, enum umount_tree_flags how) + pin_insert_group(&p->mnt_umount, &p->mnt_parent->mnt, &unmounted); + if (mnt_has_parent(p)) { + mnt_add_count(p->mnt_parent, -1); +- /* old mountpoint will be dropped when we can do that */ +- p->mnt_ex_mountpoint = p->mnt_mountpoint; +- unhash_mnt(p); ++ umount_mnt(p); + } + change_mnt_propagation(p, MS_PRIVATE); + } +-- +2.3.6 + + +From 20e62ee6fa3da23a792ca31d4b68069060317260 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Tue, 23 Dec 2014 21:37:03 -0600 +Subject: [PATCH 116/219] mnt: Honor MNT_LOCKED when detaching mounts +Cc: mpagano@gentoo.org + +commit ce07d891a0891d3c0d0c2d73d577490486b809e1 upstream. + +Modify umount(MNT_DETACH) to keep mounts in the hash table that are +locked to their parent mounts, when the parent is lazily unmounted. + +In mntput_no_expire detach the children from the hash table, depending +on mnt_pin_kill in cleanup_mnt to decrement the mnt_count of the children. + +In __detach_mounts if there are any mounts that have been unmounted +but still are on the list of mounts of a mountpoint, remove their +children from the mount hash table and those children to the unmounted +list so they won't linger potentially indefinitely waiting for their +final mntput, now that the mounts serve no purpose. + +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/namespace.c | 29 ++++++++++++++++++++++++++--- + fs/pnode.h | 2 ++ + 2 files changed, 28 insertions(+), 3 deletions(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index c905e48..24de1e9 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1099,6 +1099,13 @@ static void mntput_no_expire(struct mount *mnt) + rcu_read_unlock(); + + list_del(&mnt->mnt_instance); ++ ++ if (unlikely(!list_empty(&mnt->mnt_mounts))) { ++ struct mount *p, *tmp; ++ list_for_each_entry_safe(p, tmp, &mnt->mnt_mounts, mnt_child) { ++ umount_mnt(p); ++ } ++ } + unlock_mount_hash(); + + if (likely(!(mnt->mnt.mnt_flags & MNT_INTERNAL))) { +@@ -1372,6 +1379,7 @@ static void umount_tree(struct mount *mnt, enum umount_tree_flags how) + propagate_umount(&tmp_list); + + while (!list_empty(&tmp_list)) { ++ bool disconnect; + p = list_first_entry(&tmp_list, struct mount, mnt_list); + list_del_init(&p->mnt_expire); + list_del_init(&p->mnt_list); +@@ -1380,10 +1388,18 @@ static void umount_tree(struct mount *mnt, enum umount_tree_flags how) + if (how & UMOUNT_SYNC) + p->mnt.mnt_flags |= MNT_SYNC_UMOUNT; + +- pin_insert_group(&p->mnt_umount, &p->mnt_parent->mnt, &unmounted); ++ disconnect = !IS_MNT_LOCKED_AND_LAZY(p); ++ ++ pin_insert_group(&p->mnt_umount, &p->mnt_parent->mnt, ++ disconnect ? &unmounted : NULL); + if (mnt_has_parent(p)) { + mnt_add_count(p->mnt_parent, -1); +- umount_mnt(p); ++ if (!disconnect) { ++ /* Don't forget about p */ ++ list_add_tail(&p->mnt_child, &p->mnt_parent->mnt_mounts); ++ } else { ++ umount_mnt(p); ++ } + } + change_mnt_propagation(p, MS_PRIVATE); + } +@@ -1508,7 +1524,14 @@ void __detach_mounts(struct dentry *dentry) + lock_mount_hash(); + while (!hlist_empty(&mp->m_list)) { + mnt = hlist_entry(mp->m_list.first, struct mount, mnt_mp_list); +- umount_tree(mnt, 0); ++ if (mnt->mnt.mnt_flags & MNT_UMOUNT) { ++ struct mount *p, *tmp; ++ list_for_each_entry_safe(p, tmp, &mnt->mnt_mounts, mnt_child) { ++ hlist_add_head(&p->mnt_umount.s_list, &unmounted); ++ umount_mnt(p); ++ } ++ } ++ else umount_tree(mnt, 0); + } + unlock_mount_hash(); + put_mountpoint(mp); +diff --git a/fs/pnode.h b/fs/pnode.h +index 0fcdbe7..7114ce6 100644 +--- a/fs/pnode.h ++++ b/fs/pnode.h +@@ -20,6 +20,8 @@ + #define SET_MNT_MARK(m) ((m)->mnt.mnt_flags |= MNT_MARKED) + #define CLEAR_MNT_MARK(m) ((m)->mnt.mnt_flags &= ~MNT_MARKED) + #define IS_MNT_LOCKED(m) ((m)->mnt.mnt_flags & MNT_LOCKED) ++#define IS_MNT_LOCKED_AND_LAZY(m) \ ++ (((m)->mnt.mnt_flags & (MNT_LOCKED|MNT_SYNC_UMOUNT)) == MNT_LOCKED) + + #define CL_EXPIRE 0x01 + #define CL_SLAVE 0x02 +-- +2.3.6 + + +From c076cbf218f3cb83dffe6982587d2b9751318962 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Mon, 19 Jan 2015 11:48:45 -0600 +Subject: [PATCH 117/219] mnt: Fix the error check in __detach_mounts +Cc: mpagano@gentoo.org + +commit f53e57975151f54ad8caa1b0ac8a78091cd5700a upstream. + +lookup_mountpoint can return either NULL or an error value. +Update the test in __detach_mounts to test for an error value +to avoid pathological cases causing a NULL pointer dereferences. + +The callers of __detach_mounts should prevent it from ever being +called on an unlinked dentry but don't take any chances. + +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/namespace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 24de1e9..9e33895 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1518,7 +1518,7 @@ void __detach_mounts(struct dentry *dentry) + + namespace_lock(); + mp = lookup_mountpoint(dentry); +- if (!mp) ++ if (IS_ERR_OR_NULL(mp)) + goto out_unlock; + + lock_mount_hash(); +-- +2.3.6 + + +From 84b78514033ff22c443473214ab6d0508394cf7a Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Wed, 1 Apr 2015 18:30:06 -0500 +Subject: [PATCH 118/219] mnt: Update detach_mounts to leave mounts connected +Cc: mpagano@gentoo.org + +commit e0c9c0afd2fc958ffa34b697972721d81df8a56f upstream. + +Now that it is possible to lazily unmount an entire mount tree and +leave the individual mounts connected to each other add a new flag +UMOUNT_CONNECTED to umount_tree to force this behavior and use +this flag in detach_mounts. + +This closes a bug where the deletion of a file or directory could +trigger an unmount and reveal data under a mount point. + +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/namespace.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 9e33895..4622ee3 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1350,6 +1350,7 @@ static inline void namespace_lock(void) + enum umount_tree_flags { + UMOUNT_SYNC = 1, + UMOUNT_PROPAGATE = 2, ++ UMOUNT_CONNECTED = 4, + }; + /* + * mount_lock must be held +@@ -1388,7 +1389,10 @@ static void umount_tree(struct mount *mnt, enum umount_tree_flags how) + if (how & UMOUNT_SYNC) + p->mnt.mnt_flags |= MNT_SYNC_UMOUNT; + +- disconnect = !IS_MNT_LOCKED_AND_LAZY(p); ++ disconnect = !(((how & UMOUNT_CONNECTED) && ++ mnt_has_parent(p) && ++ (p->mnt_parent->mnt.mnt_flags & MNT_UMOUNT)) || ++ IS_MNT_LOCKED_AND_LAZY(p)); + + pin_insert_group(&p->mnt_umount, &p->mnt_parent->mnt, + disconnect ? &unmounted : NULL); +@@ -1531,7 +1535,7 @@ void __detach_mounts(struct dentry *dentry) + umount_mnt(p); + } + } +- else umount_tree(mnt, 0); ++ else umount_tree(mnt, UMOUNT_CONNECTED); + } + unlock_mount_hash(); + put_mountpoint(mp); +-- +2.3.6 + + +From 85c75cd8131b5aa9fe4efc6400ae1d0631497720 Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> +Date: Wed, 18 Mar 2015 08:17:14 +0200 +Subject: [PATCH 119/219] tpm: fix: sanitized code paths in tpm_chip_register() +Cc: mpagano@gentoo.org + +commit 34d47b6322087665be33ca3aa81775b143a4d7ac upstream. + +I started to work with PPI interface so that it would be available +under character device sysfs directory and realized that chip +registeration was still too messy. + +In TPM 1.x in some rare scenarios (errors that almost never occur) +wrong order in deinitialization steps was taken in teardown. I +reproduced these scenarios by manually inserting error codes in the +place of the corresponding function calls. + +The key problem is that the teardown is messy with two separate code +paths (this was inherited when moving code from tpm-interface.c). + +Moved TPM 1.x specific register/unregister functionality to own helper +functions and added single code path for teardown in tpm_chip_register(). +Now the code paths have been fixed and it should be easier to review +later on this part of the code. + +Fixes: 7a1d7e6dd76a ("tpm: TPM 2.0 baseline support") +Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> +Tested-by: Scot Doyle <lkml14@scotdoyle.com> +Reviewed-by: Peter Huewe <peterhuewe@gmx.de> +Signed-off-by: Peter Huewe <peterhuewe@gmx.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/char/tpm/tpm-chip.c | 66 ++++++++++++++++++++++++++++----------------- + 1 file changed, 42 insertions(+), 24 deletions(-) + +diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c +index e096e9c..283f00a 100644 +--- a/drivers/char/tpm/tpm-chip.c ++++ b/drivers/char/tpm/tpm-chip.c +@@ -170,6 +170,41 @@ static void tpm_dev_del_device(struct tpm_chip *chip) + device_unregister(&chip->dev); + } + ++static int tpm1_chip_register(struct tpm_chip *chip) ++{ ++ int rc; ++ ++ if (chip->flags & TPM_CHIP_FLAG_TPM2) ++ return 0; ++ ++ rc = tpm_sysfs_add_device(chip); ++ if (rc) ++ return rc; ++ ++ rc = tpm_add_ppi(chip); ++ if (rc) { ++ tpm_sysfs_del_device(chip); ++ return rc; ++ } ++ ++ chip->bios_dir = tpm_bios_log_setup(chip->devname); ++ ++ return 0; ++} ++ ++static void tpm1_chip_unregister(struct tpm_chip *chip) ++{ ++ if (chip->flags & TPM_CHIP_FLAG_TPM2) ++ return; ++ ++ if (chip->bios_dir) ++ tpm_bios_log_teardown(chip->bios_dir); ++ ++ tpm_remove_ppi(chip); ++ ++ tpm_sysfs_del_device(chip); ++} ++ + /* + * tpm_chip_register() - create a character device for the TPM chip + * @chip: TPM chip to use. +@@ -185,22 +220,13 @@ int tpm_chip_register(struct tpm_chip *chip) + { + int rc; + +- /* Populate sysfs for TPM1 devices. */ +- if (!(chip->flags & TPM_CHIP_FLAG_TPM2)) { +- rc = tpm_sysfs_add_device(chip); +- if (rc) +- goto del_misc; +- +- rc = tpm_add_ppi(chip); +- if (rc) +- goto del_sysfs; +- +- chip->bios_dir = tpm_bios_log_setup(chip->devname); +- } ++ rc = tpm1_chip_register(chip); ++ if (rc) ++ return rc; + + rc = tpm_dev_add_device(chip); + if (rc) +- return rc; ++ goto out_err; + + /* Make the chip available. */ + spin_lock(&driver_lock); +@@ -210,10 +236,8 @@ int tpm_chip_register(struct tpm_chip *chip) + chip->flags |= TPM_CHIP_FLAG_REGISTERED; + + return 0; +-del_sysfs: +- tpm_sysfs_del_device(chip); +-del_misc: +- tpm_dev_del_device(chip); ++out_err: ++ tpm1_chip_unregister(chip); + return rc; + } + EXPORT_SYMBOL_GPL(tpm_chip_register); +@@ -238,13 +262,7 @@ void tpm_chip_unregister(struct tpm_chip *chip) + spin_unlock(&driver_lock); + synchronize_rcu(); + +- if (!(chip->flags & TPM_CHIP_FLAG_TPM2)) { +- if (chip->bios_dir) +- tpm_bios_log_teardown(chip->bios_dir); +- tpm_remove_ppi(chip); +- tpm_sysfs_del_device(chip); +- } +- ++ tpm1_chip_unregister(chip); + tpm_dev_del_device(chip); + } + EXPORT_SYMBOL_GPL(tpm_chip_unregister); +-- +2.3.6 + + +From b0566aa080d2ab7f5810f5bdea53c02dfc78ff16 Mon Sep 17 00:00:00 2001 +From: Vinson Lee <vlee@twitter.com> +Date: Mon, 9 Feb 2015 16:29:37 -0800 +Subject: [PATCH 120/219] perf symbols: Define STT_GNU_IFUNC for glibc 2.9 and + older. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Cc: mpagano@gentoo.org + +commit 4e31050f482c02c822b150d71cf1ea5be7c9d6e4 upstream. + +The token STT_GNU_IFUNC is not available with glibc 2.9 and older. +Define this token if it is not already defined. + +This patch fixes this build errors with older versions of glibc. + + CC util/symbol-elf.o +util/symbol-elf.c: In function ‘elf_sym__is_function’: +util/symbol-elf.c:75: error: ‘STT_GNU_IFUNC’ undeclared (first use in this function) +util/symbol-elf.c:75: error: (Each undeclared identifier is reported only once +util/symbol-elf.c:75: error: for each function it appears in.) +make: *** [util/symbol-elf.o] Error 1 + +Signed-off-by: Vinson Lee <vlee@twitter.com> +Acked-by: Namhyung Kim <namhyung@kernel.org> +Cc: Adrian Hunter <adrian.hunter@intel.com> +Cc: Anton Blanchard <anton@samba.org> +Cc: Avi Kivity <avi@cloudius-systems.com> +Cc: Jiri Olsa <jolsa@redhat.com> +Cc: Paul Mackerras <paulus@samba.org> +Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> +Cc: Stephane Eranian <eranian@google.com> +Cc: Waiman Long <Waiman.Long@hp.com> +Link: http://lkml.kernel.org/r/1423528286-13630-1-git-send-email-vlee@twopensource.com +Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + tools/perf/util/symbol-elf.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c +index 33b7a2a..9bdf007 100644 +--- a/tools/perf/util/symbol-elf.c ++++ b/tools/perf/util/symbol-elf.c +@@ -74,6 +74,10 @@ static inline uint8_t elf_sym__type(const GElf_Sym *sym) + return GELF_ST_TYPE(sym->st_info); + } + ++#ifndef STT_GNU_IFUNC ++#define STT_GNU_IFUNC 10 ++#endif ++ + static inline int elf_sym__is_function(const GElf_Sym *sym) + { + return (elf_sym__type(sym) == STT_FUNC || +-- +2.3.6 + + +From eefadbaae8af748e25d6fb903b56c6d3e38215b8 Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" <hjl.tools@gmail.com> +Date: Tue, 17 Mar 2015 15:27:48 -0700 +Subject: [PATCH 121/219] perf tools: Fix perf-read-vdsox32 not building and + lib64 install dir +Cc: mpagano@gentoo.org + +commit 76aea7731e7050c066943a1d7456ec6510702601 upstream. + +Commit: + + c6e5e9fbc3ea ("perf tools: Fix building error in x86_64 when dwarf unwind is on") + +removed the definition of IS_X86_64 but not all places using it, with +the consequence that perf-read-vdsox32 would not be built anymore, and +the default lib install directory was 'lib' instead of 'lib64'. + +Also needs to go to v3.19. + +Signed-off-by: H.J. Lu <hjl.tools@gmail.com> +Acked-by: Adrian Hunter <adrian.hunter@intel.com> +Acked-by: Jiri Olsa <jolsa@kernel.org> +Link: http://lkml.kernel.org/r/CAMe9rOqpGVq3D88w+D15ef7sv6G6k57ZeTvxBm46=WFgzo9p1w@mail.gmail.com +Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + tools/perf/config/Makefile | 4 ++-- + tools/perf/tests/make | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/config/Makefile b/tools/perf/config/Makefile +index cc22408..0884d31 100644 +--- a/tools/perf/config/Makefile ++++ b/tools/perf/config/Makefile +@@ -651,7 +651,7 @@ ifeq (${IS_64_BIT}, 1) + NO_PERF_READ_VDSO32 := 1 + endif + endif +- ifneq (${IS_X86_64}, 1) ++ ifneq ($(ARCH), x86) + NO_PERF_READ_VDSOX32 := 1 + endif + ifndef NO_PERF_READ_VDSOX32 +@@ -699,7 +699,7 @@ sysconfdir = $(prefix)/etc + ETC_PERFCONFIG = etc/perfconfig + endif + ifndef lib +-ifeq ($(IS_X86_64),1) ++ifeq ($(ARCH)$(IS_64_BIT), x861) + lib = lib64 + else + lib = lib +diff --git a/tools/perf/tests/make b/tools/perf/tests/make +index 75709d2..bff8532 100644 +--- a/tools/perf/tests/make ++++ b/tools/perf/tests/make +@@ -5,7 +5,7 @@ include config/Makefile.arch + + # FIXME looks like x86 is the only arch running tests ;-) + # we need some IS_(32/64) flag to make this generic +-ifeq ($(IS_X86_64),1) ++ifeq ($(ARCH)$(IS_64_BIT), x861) + lib = lib64 + else + lib = lib +-- +2.3.6 + + +From a245448568a6f791b7d4617e622adf6e7118d174 Mon Sep 17 00:00:00 2001 +From: Vinson Lee <vlee@twitter.com> +Date: Mon, 23 Mar 2015 12:09:16 -0700 +Subject: [PATCH 122/219] perf tools: Work around lack of sched_getcpu in glibc + < 2.6. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Cc: mpagano@gentoo.org + +commit e1e455f4f4d35850c30235747620d0d078fe9f64 upstream. + +This patch fixes this build error with glibc < 2.6. + + CC util/cloexec.o +cc1: warnings being treated as errors +util/cloexec.c: In function ‘perf_flag_probe’: +util/cloexec.c:24: error: implicit declaration of function +‘sched_getcpu’ +util/cloexec.c:24: error: nested extern declaration of ‘sched_getcpu’ +make: *** [util/cloexec.o] Error 1 + +Signed-off-by: Vinson Lee <vlee@twitter.com> +Acked-by: Jiri Olsa <jolsa@kernel.org> +Acked-by: Namhyung Kim <namhyung@kernel.org> +Cc: Adrian Hunter <adrian.hunter@intel.com> +Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com> +Cc: Paul Mackerras <paulus@samba.org> +Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> +Cc: Yann Droneaud <ydroneaud@opteya.com> +Link: http://lkml.kernel.org/r/1427137761-16119-1-git-send-email-vlee@twopensource.com +Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + tools/perf/util/cloexec.c | 6 ++++++ + tools/perf/util/cloexec.h | 6 ++++++ + 2 files changed, 12 insertions(+) + +diff --git a/tools/perf/util/cloexec.c b/tools/perf/util/cloexec.c +index 6da965b..85b5238 100644 +--- a/tools/perf/util/cloexec.c ++++ b/tools/perf/util/cloexec.c +@@ -7,6 +7,12 @@ + + static unsigned long flag = PERF_FLAG_FD_CLOEXEC; + ++int __weak sched_getcpu(void) ++{ ++ errno = ENOSYS; ++ return -1; ++} ++ + static int perf_flag_probe(void) + { + /* use 'safest' configuration as used in perf_evsel__fallback() */ +diff --git a/tools/perf/util/cloexec.h b/tools/perf/util/cloexec.h +index 94a5a7d..68888c2 100644 +--- a/tools/perf/util/cloexec.h ++++ b/tools/perf/util/cloexec.h +@@ -3,4 +3,10 @@ + + unsigned long perf_event_open_cloexec_flag(void); + ++#ifdef __GLIBC_PREREQ ++#if !__GLIBC_PREREQ(2, 6) ++extern int sched_getcpu(void) __THROW; ++#endif ++#endif ++ + #endif /* __PERF_CLOEXEC_H */ +-- +2.3.6 + + +From beda5943f15926783dc6768e8f821266ae6e8fb3 Mon Sep 17 00:00:00 2001 +From: Anton Blanchard <anton@samba.org> +Date: Tue, 14 Apr 2015 07:51:03 +1000 +Subject: [PATCH 123/219] powerpc/perf: Cap 64bit userspace backtraces to + PERF_MAX_STACK_DEPTH +Cc: mpagano@gentoo.org + +commit 9a5cbce421a283e6aea3c4007f141735bf9da8c3 upstream. + +We cap 32bit userspace backtraces to PERF_MAX_STACK_DEPTH +(currently 127), but we forgot to do the same for 64bit backtraces. + +Signed-off-by: Anton Blanchard <anton@samba.org> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/powerpc/perf/callchain.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/perf/callchain.c b/arch/powerpc/perf/callchain.c +index 2396dda..ead5535 100644 +--- a/arch/powerpc/perf/callchain.c ++++ b/arch/powerpc/perf/callchain.c +@@ -243,7 +243,7 @@ static void perf_callchain_user_64(struct perf_callchain_entry *entry, + sp = regs->gpr[1]; + perf_callchain_store(entry, next_ip); + +- for (;;) { ++ while (entry->nr < PERF_MAX_STACK_DEPTH) { + fp = (unsigned long __user *) sp; + if (!valid_user_sp(sp, 1) || read_user_stack_64(fp, &next_sp)) + return; +-- +2.3.6 + + +From f0289e90ac96271337d6d0f9c9a6ceb2aea62a05 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org> +Date: Tue, 24 Mar 2015 09:57:55 -0400 +Subject: [PATCH 124/219] tools lib traceevent kbuffer: Remove extra update to + data pointer in PADDING +Cc: mpagano@gentoo.org + +commit c5e691928bf166ac03430e957038b60adba3cf6c upstream. + +When a event PADDING is hit (a deleted event that is still in the ring +buffer), translate_data() sets the length of the padding and also updates +the data pointer which is passed back to the caller. + +This is unneeded because the caller also updates the data pointer with +the passed back length. translate_data() should not update the pointer, +only set the length. + +Signed-off-by: Steven Rostedt <rostedt@goodmis.org> +Cc: Andrew Morton <akpm@linux-foundation.org> +Cc: Jiri Olsa <jolsa@redhat.com> +Cc: Namhyung Kim <namhyung@kernel.org> +Link: http://lkml.kernel.org/r/20150324135923.461431960@goodmis.org +Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + tools/lib/traceevent/kbuffer-parse.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/tools/lib/traceevent/kbuffer-parse.c b/tools/lib/traceevent/kbuffer-parse.c +index dcc6652..deb3569 100644 +--- a/tools/lib/traceevent/kbuffer-parse.c ++++ b/tools/lib/traceevent/kbuffer-parse.c +@@ -372,7 +372,6 @@ translate_data(struct kbuffer *kbuf, void *data, void **rptr, + switch (type_len) { + case KBUFFER_TYPE_PADDING: + *length = read_4(kbuf, data); +- data += *length; + break; + + case KBUFFER_TYPE_TIME_EXTEND: +-- +2.3.6 + + +From e5e82af52cd373fed10be67faba90cd2eed6fb17 Mon Sep 17 00:00:00 2001 +From: Thomas D <whissi@whissi.de> +Date: Mon, 5 Jan 2015 21:37:23 +0100 +Subject: [PATCH 125/219] tools/power turbostat: Use $(CURDIR) instead of + $(PWD) and add support for O= option in Makefile +Cc: mpagano@gentoo.org + +commit f82263c6989c31ae9b94cecddffb29dcbec38710 upstream. + +Since commit ee0778a30153 +("tools/power: turbostat: make Makefile a bit more capable") +turbostat's Makefile is using + + [...] + BUILD_OUTPUT := $(PWD) + [...] + +which obviously causes trouble when building "turbostat" with + + make -C /usr/src/linux/tools/power/x86/turbostat ARCH=x86 turbostat + +because GNU make does not update nor guarantee that $PWD is set. + +This patch changes the Makefile to use $CURDIR instead, which GNU make +guarantees to set and update (i.e. when using "make -C ...") and also +adds support for the O= option (see "make help" in your root of your +kernel source tree for more details). + +Link: https://bugs.gentoo.org/show_bug.cgi?id=533918 +Fixes: ee0778a30153 ("tools/power: turbostat: make Makefile a bit more capable") +Signed-off-by: Thomas D. <whissi@whissi.de> +Cc: Mark Asselstine <mark.asselstine@windriver.com> +Signed-off-by: Len Brown <len.brown@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + tools/power/x86/turbostat/Makefile | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tools/power/x86/turbostat/Makefile b/tools/power/x86/turbostat/Makefile +index d1b3a36..4039854 100644 +--- a/tools/power/x86/turbostat/Makefile ++++ b/tools/power/x86/turbostat/Makefile +@@ -1,8 +1,12 @@ + CC = $(CROSS_COMPILE)gcc +-BUILD_OUTPUT := $(PWD) ++BUILD_OUTPUT := $(CURDIR) + PREFIX := /usr + DESTDIR := + ++ifeq ("$(origin O)", "command line") ++ BUILD_OUTPUT := $(O) ++endif ++ + turbostat : turbostat.c + CFLAGS += -Wall + CFLAGS += -DMSRHEADER='"../../../../arch/x86/include/uapi/asm/msr-index.h"' +-- +2.3.6 + + +From 67e9563f2e494959696ff3128cf9d5fb1b3dbad7 Mon Sep 17 00:00:00 2001 +From: Brian Norris <computersforpeace@gmail.com> +Date: Sat, 28 Feb 2015 02:23:25 -0800 +Subject: [PATCH 126/219] UBI: account for bitflips in both the VID header and + data +Cc: mpagano@gentoo.org + +commit 8eef7d70f7c6772c3490f410ee2bceab3b543fa1 upstream. + +We are completely discarding the earlier value of 'bitflips', which +could reflect a bitflip found in ubi_io_read_vid_hdr(). Let's use the +bitwise OR of header and data 'bitflip' statuses instead. + +Coverity CID #1226856 + +Signed-off-by: Brian Norris <computersforpeace@gmail.com> +Signed-off-by: Richard Weinberger <richard@nod.at> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/mtd/ubi/attach.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/ubi/attach.c b/drivers/mtd/ubi/attach.c +index 9d2e16f..b5e1548 100644 +--- a/drivers/mtd/ubi/attach.c ++++ b/drivers/mtd/ubi/attach.c +@@ -410,7 +410,7 @@ int ubi_compare_lebs(struct ubi_device *ubi, const struct ubi_ainf_peb *aeb, + second_is_newer = !second_is_newer; + } else { + dbg_bld("PEB %d CRC is OK", pnum); +- bitflips = !!err; ++ bitflips |= !!err; + } + mutex_unlock(&ubi->buf_mutex); + +-- +2.3.6 + + +From 921b47c10b2b18b3562152aa0eacc1b2e56c6996 Mon Sep 17 00:00:00 2001 +From: Brian Norris <computersforpeace@gmail.com> +Date: Sat, 28 Feb 2015 02:23:26 -0800 +Subject: [PATCH 127/219] UBI: fix out of bounds write +Cc: mpagano@gentoo.org + +commit d74adbdb9abf0d2506a6c4afa534d894f28b763f upstream. + +If aeb->len >= vol->reserved_pebs, we should not be writing aeb into the +PEB->LEB mapping. + +Caught by Coverity, CID #711212. + +Signed-off-by: Brian Norris <computersforpeace@gmail.com> +Signed-off-by: Richard Weinberger <richard@nod.at> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/mtd/ubi/eba.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c +index 16e34b3..8c9a710 100644 +--- a/drivers/mtd/ubi/eba.c ++++ b/drivers/mtd/ubi/eba.c +@@ -1419,7 +1419,8 @@ int ubi_eba_init(struct ubi_device *ubi, struct ubi_attach_info *ai) + * during re-size. + */ + ubi_move_aeb_to_list(av, aeb, &ai->erase); +- vol->eba_tbl[aeb->lnum] = aeb->pnum; ++ else ++ vol->eba_tbl[aeb->lnum] = aeb->pnum; + } + } + +-- +2.3.6 + + +From 5a156e848f96a0f0024ef94a3e19979f8f7e9dbc Mon Sep 17 00:00:00 2001 +From: Brian Norris <computersforpeace@gmail.com> +Date: Sat, 28 Feb 2015 02:23:27 -0800 +Subject: [PATCH 128/219] UBI: initialize LEB number variable +Cc: mpagano@gentoo.org + +commit f16db8071ce18819fbd705ddcc91c6f392fb61f8 upstream. + +In some of the 'out_not_moved' error paths, lnum may be used +uninitialized. Don't ignore the warning; let's fix it. + +This uninitialized variable doesn't have much visible effect in the end, +since we just schedule the PEB for erasure, and its LEB number doesn't +really matter (it just gets printed in debug messages). But let's get it +straight anyway. + +Coverity CID #113449 + +Signed-off-by: Brian Norris <computersforpeace@gmail.com> +Signed-off-by: Richard Weinberger <richard@nod.at> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/mtd/ubi/wl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c +index 8f7bde6..0bd92d8 100644 +--- a/drivers/mtd/ubi/wl.c ++++ b/drivers/mtd/ubi/wl.c +@@ -1002,7 +1002,7 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk, + int shutdown) + { + int err, scrubbing = 0, torture = 0, protect = 0, erroneous = 0; +- int vol_id = -1, uninitialized_var(lnum); ++ int vol_id = -1, lnum = -1; + #ifdef CONFIG_MTD_UBI_FASTMAP + int anchor = wrk->anchor; + #endif +-- +2.3.6 + + +From 075831830ff0277572a93633cce3807394955358 Mon Sep 17 00:00:00 2001 +From: Brian Norris <computersforpeace@gmail.com> +Date: Sat, 28 Feb 2015 02:23:28 -0800 +Subject: [PATCH 129/219] UBI: fix check for "too many bytes" +Cc: mpagano@gentoo.org + +commit 299d0c5b27346a77a0777c993372bf8777d4f2e5 upstream. + +The comparison from the previous line seems to have been erroneously +(partially) copied-and-pasted onto the next. The second line should be +checking req.bytes, not req.lnum. + +Coverity CID #139400 + +Signed-off-by: Brian Norris <computersforpeace@gmail.com> +[rw: Fixed comparison] +Signed-off-by: Richard Weinberger <richard@nod.at> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/mtd/ubi/cdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/ubi/cdev.c b/drivers/mtd/ubi/cdev.c +index d647e50..d16fccf 100644 +--- a/drivers/mtd/ubi/cdev.c ++++ b/drivers/mtd/ubi/cdev.c +@@ -455,7 +455,7 @@ static long vol_cdev_ioctl(struct file *file, unsigned int cmd, + /* Validate the request */ + err = -EINVAL; + if (req.lnum < 0 || req.lnum >= vol->reserved_pebs || +- req.bytes < 0 || req.lnum >= vol->usable_leb_size) ++ req.bytes < 0 || req.bytes > vol->usable_leb_size) + break; + + err = get_exclusive(desc); +-- +2.3.6 + + +From 1d05935b31efb2e398e1772b76a6513b9484574a Mon Sep 17 00:00:00 2001 +From: "K. Y. Srinivasan" <kys@microsoft.com> +Date: Fri, 27 Mar 2015 00:27:18 -0700 +Subject: [PATCH 130/219] scsi: storvsc: Fix a bug in copy_from_bounce_buffer() +Cc: mpagano@gentoo.org + +commit 8de580742fee8bc34d116f57a20b22b9a5f08403 upstream. + +We may exit this function without properly freeing up the maapings +we may have acquired. Fix the bug. + +Signed-off-by: K. Y. Srinivasan <kys@microsoft.com> +Reviewed-by: Long Li <longli@microsoft.com> +Signed-off-by: James Bottomley <JBottomley@Odin.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/scsi/storvsc_drv.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c +index efc6e44..bf8c5c1 100644 +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -746,21 +746,22 @@ static unsigned int copy_to_bounce_buffer(struct scatterlist *orig_sgl, + if (bounce_sgl[j].length == PAGE_SIZE) { + /* full..move to next entry */ + sg_kunmap_atomic(bounce_addr); ++ bounce_addr = 0; + j++; ++ } + +- /* if we need to use another bounce buffer */ +- if (srclen || i != orig_sgl_count - 1) +- bounce_addr = sg_kmap_atomic(bounce_sgl,j); ++ /* if we need to use another bounce buffer */ ++ if (srclen && bounce_addr == 0) ++ bounce_addr = sg_kmap_atomic(bounce_sgl, j); + +- } else if (srclen == 0 && i == orig_sgl_count - 1) { +- /* unmap the last bounce that is < PAGE_SIZE */ +- sg_kunmap_atomic(bounce_addr); +- } + } + + sg_kunmap_atomic(src_addr - orig_sgl[i].offset); + } + ++ if (bounce_addr) ++ sg_kunmap_atomic(bounce_addr); ++ + local_irq_restore(flags); + + return total_copied; +-- +2.3.6 + + +From 7f61df07930dae7b1a94f088365362a191d2f4ec Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger <nab@linux-iscsi.org> +Date: Thu, 26 Feb 2015 22:19:15 -0800 +Subject: [PATCH 131/219] iscsi-target: Convert iscsi_thread_set usage to + kthread.h +Cc: mpagano@gentoo.org + +commit 88dcd2dab5c23b1c9cfc396246d8f476c872f0ca upstream. + +This patch converts iscsi-target code to use modern kthread.h API +callers for creating RX/TX threads for each new iscsi_conn descriptor, +and releasing associated RX/TX threads during connection shutdown. + +This is done using iscsit_start_kthreads() -> kthread_run() to start +new kthreads from within iscsi_post_login_handler(), and invoking +kthread_stop() from existing iscsit_close_connection() code. + +Also, convert iscsit_logout_post_handler_closesession() code to use +cmpxchg when determing when iscsit_cause_connection_reinstatement() +needs to sleep waiting for completion. + +Reported-by: Sagi Grimberg <sagig@mellanox.com> +Tested-by: Sagi Grimberg <sagig@mellanox.com> +Cc: Slava Shwartsman <valyushash@gmail.com> +Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/target/iscsi/iscsi_target.c | 104 +++++++++++++----------------- + drivers/target/iscsi/iscsi_target_erl0.c | 13 ++-- + drivers/target/iscsi/iscsi_target_login.c | 59 +++++++++++++++-- + include/target/iscsi/iscsi_target_core.h | 7 ++ + 4 files changed, 114 insertions(+), 69 deletions(-) + +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c +index 77d6425..5e35612 100644 +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -537,7 +537,7 @@ static struct iscsit_transport iscsi_target_transport = { + + static int __init iscsi_target_init_module(void) + { +- int ret = 0; ++ int ret = 0, size; + + pr_debug("iSCSI-Target "ISCSIT_VERSION"\n"); + +@@ -546,6 +546,7 @@ static int __init iscsi_target_init_module(void) + pr_err("Unable to allocate memory for iscsit_global\n"); + return -1; + } ++ spin_lock_init(&iscsit_global->ts_bitmap_lock); + mutex_init(&auth_id_lock); + spin_lock_init(&sess_idr_lock); + idr_init(&tiqn_idr); +@@ -555,15 +556,11 @@ static int __init iscsi_target_init_module(void) + if (ret < 0) + goto out; + +- ret = iscsi_thread_set_init(); +- if (ret < 0) ++ size = BITS_TO_LONGS(ISCSIT_BITMAP_BITS) * sizeof(long); ++ iscsit_global->ts_bitmap = vzalloc(size); ++ if (!iscsit_global->ts_bitmap) { ++ pr_err("Unable to allocate iscsit_global->ts_bitmap\n"); + goto configfs_out; +- +- if (iscsi_allocate_thread_sets(TARGET_THREAD_SET_COUNT) != +- TARGET_THREAD_SET_COUNT) { +- pr_err("iscsi_allocate_thread_sets() returned" +- " unexpected value!\n"); +- goto ts_out1; + } + + lio_qr_cache = kmem_cache_create("lio_qr_cache", +@@ -572,7 +569,7 @@ static int __init iscsi_target_init_module(void) + if (!lio_qr_cache) { + pr_err("nable to kmem_cache_create() for" + " lio_qr_cache\n"); +- goto ts_out2; ++ goto bitmap_out; + } + + lio_dr_cache = kmem_cache_create("lio_dr_cache", +@@ -617,10 +614,8 @@ dr_out: + kmem_cache_destroy(lio_dr_cache); + qr_out: + kmem_cache_destroy(lio_qr_cache); +-ts_out2: +- iscsi_deallocate_thread_sets(); +-ts_out1: +- iscsi_thread_set_free(); ++bitmap_out: ++ vfree(iscsit_global->ts_bitmap); + configfs_out: + iscsi_target_deregister_configfs(); + out: +@@ -630,8 +625,6 @@ out: + + static void __exit iscsi_target_cleanup_module(void) + { +- iscsi_deallocate_thread_sets(); +- iscsi_thread_set_free(); + iscsit_release_discovery_tpg(); + iscsit_unregister_transport(&iscsi_target_transport); + kmem_cache_destroy(lio_qr_cache); +@@ -641,6 +634,7 @@ static void __exit iscsi_target_cleanup_module(void) + + iscsi_target_deregister_configfs(); + ++ vfree(iscsit_global->ts_bitmap); + kfree(iscsit_global); + } + +@@ -3715,17 +3709,16 @@ static int iscsit_send_reject( + + void iscsit_thread_get_cpumask(struct iscsi_conn *conn) + { +- struct iscsi_thread_set *ts = conn->thread_set; + int ord, cpu; + /* +- * thread_id is assigned from iscsit_global->ts_bitmap from +- * within iscsi_thread_set.c:iscsi_allocate_thread_sets() ++ * bitmap_id is assigned from iscsit_global->ts_bitmap from ++ * within iscsit_start_kthreads() + * +- * Here we use thread_id to determine which CPU that this +- * iSCSI connection's iscsi_thread_set will be scheduled to ++ * Here we use bitmap_id to determine which CPU that this ++ * iSCSI connection's RX/TX threads will be scheduled to + * execute upon. + */ +- ord = ts->thread_id % cpumask_weight(cpu_online_mask); ++ ord = conn->bitmap_id % cpumask_weight(cpu_online_mask); + for_each_online_cpu(cpu) { + if (ord-- == 0) { + cpumask_set_cpu(cpu, conn->conn_cpumask); +@@ -3914,7 +3907,7 @@ check_rsp_state: + switch (state) { + case ISTATE_SEND_LOGOUTRSP: + if (!iscsit_logout_post_handler(cmd, conn)) +- goto restart; ++ return -ECONNRESET; + /* fall through */ + case ISTATE_SEND_STATUS: + case ISTATE_SEND_ASYNCMSG: +@@ -3942,8 +3935,6 @@ check_rsp_state: + + err: + return -1; +-restart: +- return -EAGAIN; + } + + static int iscsit_handle_response_queue(struct iscsi_conn *conn) +@@ -3970,21 +3961,13 @@ static int iscsit_handle_response_queue(struct iscsi_conn *conn) + int iscsi_target_tx_thread(void *arg) + { + int ret = 0; +- struct iscsi_conn *conn; +- struct iscsi_thread_set *ts = arg; ++ struct iscsi_conn *conn = arg; + /* + * Allow ourselves to be interrupted by SIGINT so that a + * connection recovery / failure event can be triggered externally. + */ + allow_signal(SIGINT); + +-restart: +- conn = iscsi_tx_thread_pre_handler(ts); +- if (!conn) +- goto out; +- +- ret = 0; +- + while (!kthread_should_stop()) { + /* + * Ensure that both TX and RX per connection kthreads +@@ -3993,11 +3976,9 @@ restart: + iscsit_thread_check_cpumask(conn, current, 1); + + wait_event_interruptible(conn->queues_wq, +- !iscsit_conn_all_queues_empty(conn) || +- ts->status == ISCSI_THREAD_SET_RESET); ++ !iscsit_conn_all_queues_empty(conn)); + +- if ((ts->status == ISCSI_THREAD_SET_RESET) || +- signal_pending(current)) ++ if (signal_pending(current)) + goto transport_err; + + get_immediate: +@@ -4008,15 +3989,14 @@ get_immediate: + ret = iscsit_handle_response_queue(conn); + if (ret == 1) + goto get_immediate; +- else if (ret == -EAGAIN) +- goto restart; ++ else if (ret == -ECONNRESET) ++ goto out; + else if (ret < 0) + goto transport_err; + } + + transport_err: + iscsit_take_action_for_connection_exit(conn); +- goto restart; + out: + return 0; + } +@@ -4111,8 +4091,7 @@ int iscsi_target_rx_thread(void *arg) + int ret; + u8 buffer[ISCSI_HDR_LEN], opcode; + u32 checksum = 0, digest = 0; +- struct iscsi_conn *conn = NULL; +- struct iscsi_thread_set *ts = arg; ++ struct iscsi_conn *conn = arg; + struct kvec iov; + /* + * Allow ourselves to be interrupted by SIGINT so that a +@@ -4120,11 +4099,6 @@ int iscsi_target_rx_thread(void *arg) + */ + allow_signal(SIGINT); + +-restart: +- conn = iscsi_rx_thread_pre_handler(ts); +- if (!conn) +- goto out; +- + if (conn->conn_transport->transport_type == ISCSI_INFINIBAND) { + struct completion comp; + int rc; +@@ -4134,7 +4108,7 @@ restart: + if (rc < 0) + goto transport_err; + +- goto out; ++ goto transport_err; + } + + while (!kthread_should_stop()) { +@@ -4210,8 +4184,6 @@ transport_err: + if (!signal_pending(current)) + atomic_set(&conn->transport_failed, 1); + iscsit_take_action_for_connection_exit(conn); +- goto restart; +-out: + return 0; + } + +@@ -4273,7 +4245,24 @@ int iscsit_close_connection( + if (conn->conn_transport->transport_type == ISCSI_TCP) + complete(&conn->conn_logout_comp); + +- iscsi_release_thread_set(conn); ++ if (!strcmp(current->comm, ISCSI_RX_THREAD_NAME)) { ++ if (conn->tx_thread && ++ cmpxchg(&conn->tx_thread_active, true, false)) { ++ send_sig(SIGINT, conn->tx_thread, 1); ++ kthread_stop(conn->tx_thread); ++ } ++ } else if (!strcmp(current->comm, ISCSI_TX_THREAD_NAME)) { ++ if (conn->rx_thread && ++ cmpxchg(&conn->rx_thread_active, true, false)) { ++ send_sig(SIGINT, conn->rx_thread, 1); ++ kthread_stop(conn->rx_thread); ++ } ++ } ++ ++ spin_lock(&iscsit_global->ts_bitmap_lock); ++ bitmap_release_region(iscsit_global->ts_bitmap, conn->bitmap_id, ++ get_order(1)); ++ spin_unlock(&iscsit_global->ts_bitmap_lock); + + iscsit_stop_timers_for_cmds(conn); + iscsit_stop_nopin_response_timer(conn); +@@ -4551,15 +4540,13 @@ static void iscsit_logout_post_handler_closesession( + struct iscsi_conn *conn) + { + struct iscsi_session *sess = conn->sess; +- +- iscsi_set_thread_clear(conn, ISCSI_CLEAR_TX_THREAD); +- iscsi_set_thread_set_signal(conn, ISCSI_SIGNAL_TX_THREAD); ++ int sleep = cmpxchg(&conn->tx_thread_active, true, false); + + atomic_set(&conn->conn_logout_remove, 0); + complete(&conn->conn_logout_comp); + + iscsit_dec_conn_usage_count(conn); +- iscsit_stop_session(sess, 1, 1); ++ iscsit_stop_session(sess, sleep, sleep); + iscsit_dec_session_usage_count(sess); + target_put_session(sess->se_sess); + } +@@ -4567,13 +4554,12 @@ static void iscsit_logout_post_handler_closesession( + static void iscsit_logout_post_handler_samecid( + struct iscsi_conn *conn) + { +- iscsi_set_thread_clear(conn, ISCSI_CLEAR_TX_THREAD); +- iscsi_set_thread_set_signal(conn, ISCSI_SIGNAL_TX_THREAD); ++ int sleep = cmpxchg(&conn->tx_thread_active, true, false); + + atomic_set(&conn->conn_logout_remove, 0); + complete(&conn->conn_logout_comp); + +- iscsit_cause_connection_reinstatement(conn, 1); ++ iscsit_cause_connection_reinstatement(conn, sleep); + iscsit_dec_conn_usage_count(conn); + } + +diff --git a/drivers/target/iscsi/iscsi_target_erl0.c b/drivers/target/iscsi/iscsi_target_erl0.c +index bdd8731..e008ed2 100644 +--- a/drivers/target/iscsi/iscsi_target_erl0.c ++++ b/drivers/target/iscsi/iscsi_target_erl0.c +@@ -860,7 +860,10 @@ void iscsit_connection_reinstatement_rcfr(struct iscsi_conn *conn) + } + spin_unlock_bh(&conn->state_lock); + +- iscsi_thread_set_force_reinstatement(conn); ++ if (conn->tx_thread && conn->tx_thread_active) ++ send_sig(SIGINT, conn->tx_thread, 1); ++ if (conn->rx_thread && conn->rx_thread_active) ++ send_sig(SIGINT, conn->rx_thread, 1); + + sleep: + wait_for_completion(&conn->conn_wait_rcfr_comp); +@@ -885,10 +888,10 @@ void iscsit_cause_connection_reinstatement(struct iscsi_conn *conn, int sleep) + return; + } + +- if (iscsi_thread_set_force_reinstatement(conn) < 0) { +- spin_unlock_bh(&conn->state_lock); +- return; +- } ++ if (conn->tx_thread && conn->tx_thread_active) ++ send_sig(SIGINT, conn->tx_thread, 1); ++ if (conn->rx_thread && conn->rx_thread_active) ++ send_sig(SIGINT, conn->rx_thread, 1); + + atomic_set(&conn->connection_reinstatement, 1); + if (!sleep) { +diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c +index 153fb66..345f073 100644 +--- a/drivers/target/iscsi/iscsi_target_login.c ++++ b/drivers/target/iscsi/iscsi_target_login.c +@@ -699,6 +699,51 @@ static void iscsi_post_login_start_timers(struct iscsi_conn *conn) + iscsit_start_nopin_timer(conn); + } + ++int iscsit_start_kthreads(struct iscsi_conn *conn) ++{ ++ int ret = 0; ++ ++ spin_lock(&iscsit_global->ts_bitmap_lock); ++ conn->bitmap_id = bitmap_find_free_region(iscsit_global->ts_bitmap, ++ ISCSIT_BITMAP_BITS, get_order(1)); ++ spin_unlock(&iscsit_global->ts_bitmap_lock); ++ ++ if (conn->bitmap_id < 0) { ++ pr_err("bitmap_find_free_region() failed for" ++ " iscsit_start_kthreads()\n"); ++ return -ENOMEM; ++ } ++ ++ conn->tx_thread = kthread_run(iscsi_target_tx_thread, conn, ++ "%s", ISCSI_TX_THREAD_NAME); ++ if (IS_ERR(conn->tx_thread)) { ++ pr_err("Unable to start iscsi_target_tx_thread\n"); ++ ret = PTR_ERR(conn->tx_thread); ++ goto out_bitmap; ++ } ++ conn->tx_thread_active = true; ++ ++ conn->rx_thread = kthread_run(iscsi_target_rx_thread, conn, ++ "%s", ISCSI_RX_THREAD_NAME); ++ if (IS_ERR(conn->rx_thread)) { ++ pr_err("Unable to start iscsi_target_rx_thread\n"); ++ ret = PTR_ERR(conn->rx_thread); ++ goto out_tx; ++ } ++ conn->rx_thread_active = true; ++ ++ return 0; ++out_tx: ++ kthread_stop(conn->tx_thread); ++ conn->tx_thread_active = false; ++out_bitmap: ++ spin_lock(&iscsit_global->ts_bitmap_lock); ++ bitmap_release_region(iscsit_global->ts_bitmap, conn->bitmap_id, ++ get_order(1)); ++ spin_unlock(&iscsit_global->ts_bitmap_lock); ++ return ret; ++} ++ + int iscsi_post_login_handler( + struct iscsi_np *np, + struct iscsi_conn *conn, +@@ -709,7 +754,7 @@ int iscsi_post_login_handler( + struct se_session *se_sess = sess->se_sess; + struct iscsi_portal_group *tpg = sess->tpg; + struct se_portal_group *se_tpg = &tpg->tpg_se_tpg; +- struct iscsi_thread_set *ts; ++ int rc; + + iscsit_inc_conn_usage_count(conn); + +@@ -724,7 +769,6 @@ int iscsi_post_login_handler( + /* + * SCSI Initiator -> SCSI Target Port Mapping + */ +- ts = iscsi_get_thread_set(); + if (!zero_tsih) { + iscsi_set_session_parameters(sess->sess_ops, + conn->param_list, 0); +@@ -751,9 +795,11 @@ int iscsi_post_login_handler( + sess->sess_ops->InitiatorName); + spin_unlock_bh(&sess->conn_lock); + +- iscsi_post_login_start_timers(conn); ++ rc = iscsit_start_kthreads(conn); ++ if (rc) ++ return rc; + +- iscsi_activate_thread_set(conn, ts); ++ iscsi_post_login_start_timers(conn); + /* + * Determine CPU mask to ensure connection's RX and TX kthreads + * are scheduled on the same CPU. +@@ -810,8 +856,11 @@ int iscsi_post_login_handler( + " iSCSI Target Portal Group: %hu\n", tpg->nsessions, tpg->tpgt); + spin_unlock_bh(&se_tpg->session_lock); + ++ rc = iscsit_start_kthreads(conn); ++ if (rc) ++ return rc; ++ + iscsi_post_login_start_timers(conn); +- iscsi_activate_thread_set(conn, ts); + /* + * Determine CPU mask to ensure connection's RX and TX kthreads + * are scheduled on the same CPU. +diff --git a/include/target/iscsi/iscsi_target_core.h b/include/target/iscsi/iscsi_target_core.h +index d3583d3..dd0f3ab 100644 +--- a/include/target/iscsi/iscsi_target_core.h ++++ b/include/target/iscsi/iscsi_target_core.h +@@ -602,6 +602,11 @@ struct iscsi_conn { + struct iscsi_session *sess; + /* Pointer to thread_set in use for this conn's threads */ + struct iscsi_thread_set *thread_set; ++ int bitmap_id; ++ int rx_thread_active; ++ struct task_struct *rx_thread; ++ int tx_thread_active; ++ struct task_struct *tx_thread; + /* list_head for session connection list */ + struct list_head conn_list; + } ____cacheline_aligned; +@@ -871,10 +876,12 @@ struct iscsit_global { + /* Unique identifier used for the authentication daemon */ + u32 auth_id; + u32 inactive_ts; ++#define ISCSIT_BITMAP_BITS 262144 + /* Thread Set bitmap count */ + int ts_bitmap_count; + /* Thread Set bitmap pointer */ + unsigned long *ts_bitmap; ++ spinlock_t ts_bitmap_lock; + /* Used for iSCSI discovery session authentication */ + struct iscsi_node_acl discovery_acl; + struct iscsi_portal_group *discovery_tpg; +-- +2.3.6 + + +From ca7767a3f859d6e5487ddcf7a23515e19188b922 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger <nab@linux-iscsi.org> +Date: Tue, 7 Apr 2015 21:53:27 +0000 +Subject: [PATCH 132/219] target: Fix COMPARE_AND_WRITE with SG_TO_MEM_NOALLOC + handling +Cc: mpagano@gentoo.org + +commit c8e639852ad720499912acedfd6b072325fd2807 upstream. + +This patch fixes a bug for COMPARE_AND_WRITE handling with +fabrics using SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC. + +It adds the missing allocation for cmd->t_bidi_data_sg within +transport_generic_new_cmd() that is used by COMPARE_AND_WRITE +for the initial READ payload, even if the fabric is already +providing a pre-allocated buffer for cmd->t_data_sg. + +Also, fix zero-length COMPARE_AND_WRITE handling within the +compare_and_write_callback() and target_complete_ok_work() +to queue the response, skipping the initial READ. + +This fixes COMPARE_AND_WRITE emulation with loopback, vhost, +and xen-backend fabric drivers using SG_TO_MEM_NOALLOC. + +Reported-by: Christoph Hellwig <hch@lst.de> +Cc: Christoph Hellwig <hch@lst.de> +Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/target/target_core_sbc.c | 15 +++++++++----- + drivers/target/target_core_transport.c | 37 ++++++++++++++++++++++++++++++---- + include/target/target_core_base.h | 2 +- + 3 files changed, 44 insertions(+), 10 deletions(-) + +diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c +index 3e72974..755bd9b3 100644 +--- a/drivers/target/target_core_sbc.c ++++ b/drivers/target/target_core_sbc.c +@@ -312,7 +312,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o + return 0; + } + +-static sense_reason_t xdreadwrite_callback(struct se_cmd *cmd) ++static sense_reason_t xdreadwrite_callback(struct se_cmd *cmd, bool success) + { + unsigned char *buf, *addr; + struct scatterlist *sg; +@@ -376,7 +376,7 @@ sbc_execute_rw(struct se_cmd *cmd) + cmd->data_direction); + } + +-static sense_reason_t compare_and_write_post(struct se_cmd *cmd) ++static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success) + { + struct se_device *dev = cmd->se_dev; + +@@ -399,7 +399,7 @@ static sense_reason_t compare_and_write_post(struct se_cmd *cmd) + return TCM_NO_SENSE; + } + +-static sense_reason_t compare_and_write_callback(struct se_cmd *cmd) ++static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool success) + { + struct se_device *dev = cmd->se_dev; + struct scatterlist *write_sg = NULL, *sg; +@@ -414,11 +414,16 @@ static sense_reason_t compare_and_write_callback(struct se_cmd *cmd) + + /* + * Handle early failure in transport_generic_request_failure(), +- * which will not have taken ->caw_mutex yet.. ++ * which will not have taken ->caw_sem yet.. + */ +- if (!cmd->t_data_sg || !cmd->t_bidi_data_sg) ++ if (!success && (!cmd->t_data_sg || !cmd->t_bidi_data_sg)) + return TCM_NO_SENSE; + /* ++ * Handle special case for zero-length COMPARE_AND_WRITE ++ */ ++ if (!cmd->data_length) ++ goto out; ++ /* + * Immediately exit + release dev->caw_sem if command has already + * been failed with a non-zero SCSI status. + */ +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index ac3cbab..f786de0 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -1615,11 +1615,11 @@ void transport_generic_request_failure(struct se_cmd *cmd, + transport_complete_task_attr(cmd); + /* + * Handle special case for COMPARE_AND_WRITE failure, where the +- * callback is expected to drop the per device ->caw_mutex. ++ * callback is expected to drop the per device ->caw_sem. + */ + if ((cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) && + cmd->transport_complete_callback) +- cmd->transport_complete_callback(cmd); ++ cmd->transport_complete_callback(cmd, false); + + switch (sense_reason) { + case TCM_NON_EXISTENT_LUN: +@@ -1975,8 +1975,12 @@ static void target_complete_ok_work(struct work_struct *work) + if (cmd->transport_complete_callback) { + sense_reason_t rc; + +- rc = cmd->transport_complete_callback(cmd); ++ rc = cmd->transport_complete_callback(cmd, true); + if (!rc && !(cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE_POST)) { ++ if ((cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) && ++ !cmd->data_length) ++ goto queue_rsp; ++ + return; + } else if (rc) { + ret = transport_send_check_condition_and_sense(cmd, +@@ -1990,6 +1994,7 @@ static void target_complete_ok_work(struct work_struct *work) + } + } + ++queue_rsp: + switch (cmd->data_direction) { + case DMA_FROM_DEVICE: + spin_lock(&cmd->se_lun->lun_sep_lock); +@@ -2094,6 +2099,16 @@ static inline void transport_reset_sgl_orig(struct se_cmd *cmd) + static inline void transport_free_pages(struct se_cmd *cmd) + { + if (cmd->se_cmd_flags & SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC) { ++ /* ++ * Release special case READ buffer payload required for ++ * SG_TO_MEM_NOALLOC to function with COMPARE_AND_WRITE ++ */ ++ if (cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) { ++ transport_free_sgl(cmd->t_bidi_data_sg, ++ cmd->t_bidi_data_nents); ++ cmd->t_bidi_data_sg = NULL; ++ cmd->t_bidi_data_nents = 0; ++ } + transport_reset_sgl_orig(cmd); + return; + } +@@ -2246,6 +2261,7 @@ sense_reason_t + transport_generic_new_cmd(struct se_cmd *cmd) + { + int ret = 0; ++ bool zero_flag = !(cmd->se_cmd_flags & SCF_SCSI_DATA_CDB); + + /* + * Determine is the TCM fabric module has already allocated physical +@@ -2254,7 +2270,6 @@ transport_generic_new_cmd(struct se_cmd *cmd) + */ + if (!(cmd->se_cmd_flags & SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC) && + cmd->data_length) { +- bool zero_flag = !(cmd->se_cmd_flags & SCF_SCSI_DATA_CDB); + + if ((cmd->se_cmd_flags & SCF_BIDI) || + (cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE)) { +@@ -2285,6 +2300,20 @@ transport_generic_new_cmd(struct se_cmd *cmd) + cmd->data_length, zero_flag); + if (ret < 0) + return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; ++ } else if ((cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) && ++ cmd->data_length) { ++ /* ++ * Special case for COMPARE_AND_WRITE with fabrics ++ * using SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC. ++ */ ++ u32 caw_length = cmd->t_task_nolb * ++ cmd->se_dev->dev_attrib.block_size; ++ ++ ret = target_alloc_sgl(&cmd->t_bidi_data_sg, ++ &cmd->t_bidi_data_nents, ++ caw_length, zero_flag); ++ if (ret < 0) ++ return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; + } + /* + * If this command is not a write we can execute it right here, +diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h +index 672150b..985ca4c 100644 +--- a/include/target/target_core_base.h ++++ b/include/target/target_core_base.h +@@ -524,7 +524,7 @@ struct se_cmd { + sense_reason_t (*execute_cmd)(struct se_cmd *); + sense_reason_t (*execute_rw)(struct se_cmd *, struct scatterlist *, + u32, enum dma_data_direction); +- sense_reason_t (*transport_complete_callback)(struct se_cmd *); ++ sense_reason_t (*transport_complete_callback)(struct se_cmd *, bool); + + unsigned char *t_task_cdb; + unsigned char __t_task_cdb[TCM_MAX_COMMAND_SIZE]; +-- +2.3.6 + + +From 54afccf4a4f42da1ef3eca9b56ed8dd25a8d7f1c Mon Sep 17 00:00:00 2001 +From: Akinobu Mita <akinobu.mita@gmail.com> +Date: Mon, 13 Apr 2015 23:21:56 +0900 +Subject: [PATCH 133/219] target/file: Fix BUG() when CONFIG_DEBUG_SG=y and DIF + protection enabled +Cc: mpagano@gentoo.org + +commit 38da0f49e8aa1649af397d53f88e163d0e60c058 upstream. + +When CONFIG_DEBUG_SG=y and DIF protection support enabled, kernel +BUG()s are triggered due to the following two issues: + +1) prot_sg is not initialized by sg_init_table(). + +When CONFIG_DEBUG_SG=y, scatterlist helpers check sg entry has a +correct magic value. + +2) vmalloc'ed buffer is passed to sg_set_buf(). + +sg_set_buf() uses virt_to_page() to convert virtual address to struct +page, but it doesn't work with vmalloc address. vmalloc_to_page() +should be used instead. As prot_buf isn't usually too large, so +fix it by allocating prot_buf by kmalloc instead of vmalloc. + +Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com> +Cc: Sagi Grimberg <sagig@mellanox.com> +Cc: "Martin K. Petersen" <martin.petersen@oracle.com> +Cc: Christoph Hellwig <hch@lst.de> +Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com> +Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/target/target_core_file.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/target/target_core_file.c b/drivers/target/target_core_file.c +index 44620fb..8ca1883 100644 +--- a/drivers/target/target_core_file.c ++++ b/drivers/target/target_core_file.c +@@ -274,7 +274,7 @@ static int fd_do_prot_rw(struct se_cmd *cmd, struct fd_prot *fd_prot, + se_dev->prot_length; + + if (!is_write) { +- fd_prot->prot_buf = vzalloc(prot_size); ++ fd_prot->prot_buf = kzalloc(prot_size, GFP_KERNEL); + if (!fd_prot->prot_buf) { + pr_err("Unable to allocate fd_prot->prot_buf\n"); + return -ENOMEM; +@@ -286,9 +286,10 @@ static int fd_do_prot_rw(struct se_cmd *cmd, struct fd_prot *fd_prot, + fd_prot->prot_sg_nents, GFP_KERNEL); + if (!fd_prot->prot_sg) { + pr_err("Unable to allocate fd_prot->prot_sg\n"); +- vfree(fd_prot->prot_buf); ++ kfree(fd_prot->prot_buf); + return -ENOMEM; + } ++ sg_init_table(fd_prot->prot_sg, fd_prot->prot_sg_nents); + size = prot_size; + + for_each_sg(fd_prot->prot_sg, sg, fd_prot->prot_sg_nents, i) { +@@ -318,7 +319,7 @@ static int fd_do_prot_rw(struct se_cmd *cmd, struct fd_prot *fd_prot, + + if (is_write || ret < 0) { + kfree(fd_prot->prot_sg); +- vfree(fd_prot->prot_buf); ++ kfree(fd_prot->prot_buf); + } + + return ret; +@@ -658,11 +659,11 @@ fd_execute_rw(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents, + 0, fd_prot.prot_sg, 0); + if (rc) { + kfree(fd_prot.prot_sg); +- vfree(fd_prot.prot_buf); ++ kfree(fd_prot.prot_buf); + return rc; + } + kfree(fd_prot.prot_sg); +- vfree(fd_prot.prot_buf); ++ kfree(fd_prot.prot_buf); + } + } else { + memset(&fd_prot, 0, sizeof(struct fd_prot)); +@@ -678,7 +679,7 @@ fd_execute_rw(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents, + 0, fd_prot.prot_sg, 0); + if (rc) { + kfree(fd_prot.prot_sg); +- vfree(fd_prot.prot_buf); ++ kfree(fd_prot.prot_buf); + return rc; + } + } +@@ -714,7 +715,7 @@ fd_execute_rw(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents, + + if (ret < 0) { + kfree(fd_prot.prot_sg); +- vfree(fd_prot.prot_buf); ++ kfree(fd_prot.prot_buf); + return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; + } + +-- +2.3.6 + + +From 1d6b56f309d72a9ce2be3129f41c4a1138693091 Mon Sep 17 00:00:00 2001 +From: Akinobu Mita <akinobu.mita@gmail.com> +Date: Mon, 13 Apr 2015 23:21:58 +0900 +Subject: [PATCH 134/219] target/file: Fix UNMAP with DIF protection support +Cc: mpagano@gentoo.org + +commit 64d240b721b21e266ffde645ec965c3b6d1c551f upstream. + +When UNMAP command is issued with DIF protection support enabled, +the protection info for the unmapped region is remain unchanged. +So READ command for the region causes data integrity failure. + +This fixes it by invalidating protection info for the unmapped region +by filling with 0xff pattern. This change also adds helper function +fd_do_prot_fill() in order to reduce code duplication with existing +fd_format_prot(). + +Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com> +Reviewed-by: Sagi Grimberg <sagig@mellanox.com> +Reviewed-by: "Martin K. Petersen" <martin.petersen@oracle.com> +Cc: Christoph Hellwig <hch@lst.de> +Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com> +Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/target/target_core_file.c | 86 +++++++++++++++++++++++++++------------ + 1 file changed, 61 insertions(+), 25 deletions(-) + +diff --git a/drivers/target/target_core_file.c b/drivers/target/target_core_file.c +index 8ca1883..7e12909 100644 +--- a/drivers/target/target_core_file.c ++++ b/drivers/target/target_core_file.c +@@ -550,6 +550,56 @@ fd_execute_write_same(struct se_cmd *cmd) + return 0; + } + ++static int ++fd_do_prot_fill(struct se_device *se_dev, sector_t lba, sector_t nolb, ++ void *buf, size_t bufsize) ++{ ++ struct fd_dev *fd_dev = FD_DEV(se_dev); ++ struct file *prot_fd = fd_dev->fd_prot_file; ++ sector_t prot_length, prot; ++ loff_t pos = lba * se_dev->prot_length; ++ ++ if (!prot_fd) { ++ pr_err("Unable to locate fd_dev->fd_prot_file\n"); ++ return -ENODEV; ++ } ++ ++ prot_length = nolb * se_dev->prot_length; ++ ++ for (prot = 0; prot < prot_length;) { ++ sector_t len = min_t(sector_t, bufsize, prot_length - prot); ++ ssize_t ret = kernel_write(prot_fd, buf, len, pos + prot); ++ ++ if (ret != len) { ++ pr_err("vfs_write to prot file failed: %zd\n", ret); ++ return ret < 0 ? ret : -ENODEV; ++ } ++ prot += ret; ++ } ++ ++ return 0; ++} ++ ++static int ++fd_do_prot_unmap(struct se_cmd *cmd, sector_t lba, sector_t nolb) ++{ ++ void *buf; ++ int rc; ++ ++ buf = (void *)__get_free_page(GFP_KERNEL); ++ if (!buf) { ++ pr_err("Unable to allocate FILEIO prot buf\n"); ++ return -ENOMEM; ++ } ++ memset(buf, 0xff, PAGE_SIZE); ++ ++ rc = fd_do_prot_fill(cmd->se_dev, lba, nolb, buf, PAGE_SIZE); ++ ++ free_page((unsigned long)buf); ++ ++ return rc; ++} ++ + static sense_reason_t + fd_do_unmap(struct se_cmd *cmd, void *priv, sector_t lba, sector_t nolb) + { +@@ -557,6 +607,12 @@ fd_do_unmap(struct se_cmd *cmd, void *priv, sector_t lba, sector_t nolb) + struct inode *inode = file->f_mapping->host; + int ret; + ++ if (cmd->se_dev->dev_attrib.pi_prot_type) { ++ ret = fd_do_prot_unmap(cmd, lba, nolb); ++ if (ret) ++ return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; ++ } ++ + if (S_ISBLK(inode->i_mode)) { + /* The backend is block device, use discard */ + struct block_device *bdev = inode->i_bdev; +@@ -879,48 +935,28 @@ static int fd_init_prot(struct se_device *dev) + + static int fd_format_prot(struct se_device *dev) + { +- struct fd_dev *fd_dev = FD_DEV(dev); +- struct file *prot_fd = fd_dev->fd_prot_file; +- sector_t prot_length, prot; + unsigned char *buf; +- loff_t pos = 0; + int unit_size = FDBD_FORMAT_UNIT_SIZE * dev->dev_attrib.block_size; +- int rc, ret = 0, size, len; ++ int ret; + + if (!dev->dev_attrib.pi_prot_type) { + pr_err("Unable to format_prot while pi_prot_type == 0\n"); + return -ENODEV; + } +- if (!prot_fd) { +- pr_err("Unable to locate fd_dev->fd_prot_file\n"); +- return -ENODEV; +- } + + buf = vzalloc(unit_size); + if (!buf) { + pr_err("Unable to allocate FILEIO prot buf\n"); + return -ENOMEM; + } +- prot_length = (dev->transport->get_blocks(dev) + 1) * dev->prot_length; +- size = prot_length; + + pr_debug("Using FILEIO prot_length: %llu\n", +- (unsigned long long)prot_length); ++ (unsigned long long)(dev->transport->get_blocks(dev) + 1) * ++ dev->prot_length); + + memset(buf, 0xff, unit_size); +- for (prot = 0; prot < prot_length; prot += unit_size) { +- len = min(unit_size, size); +- rc = kernel_write(prot_fd, buf, len, pos); +- if (rc != len) { +- pr_err("vfs_write to prot file failed: %d\n", rc); +- ret = -ENODEV; +- goto out; +- } +- pos += len; +- size -= len; +- } +- +-out: ++ ret = fd_do_prot_fill(dev, 0, dev->transport->get_blocks(dev) + 1, ++ buf, unit_size); + vfree(buf); + return ret; + } +-- +2.3.6 + + +From 53e5aa168e3ba918741417ac2177db04a84f77c1 Mon Sep 17 00:00:00 2001 +From: Akinobu Mita <akinobu.mita@gmail.com> +Date: Mon, 13 Apr 2015 23:21:57 +0900 +Subject: [PATCH 135/219] target/file: Fix SG table for prot_buf initialization +Cc: mpagano@gentoo.org + +commit c836777830428372074d5129ac513e1472c99791 upstream. + +In fd_do_prot_rw(), it allocates prot_buf which is used to copy from +se_cmd->t_prot_sg by sbc_dif_copy_prot(). The SG table for prot_buf +is also initialized by allocating 'se_cmd->t_prot_nents' entries of +scatterlist and setting the data length of each entry to PAGE_SIZE +at most. + +However if se_cmd->t_prot_sg contains a clustered entry (i.e. +sg->length > PAGE_SIZE), the SG table for prot_buf can't be +initialized correctly and sbc_dif_copy_prot() can't copy to prot_buf. +(This actually happened with TCM loopback fabric module) + +As prot_buf is allocated by kzalloc() and it's physically contiguous, +we only need a single scatterlist entry. + +Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com> +Cc: Sagi Grimberg <sagig@mellanox.com> +Cc: "Martin K. Petersen" <martin.petersen@oracle.com> +Cc: Christoph Hellwig <hch@lst.de> +Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com> +Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/target/target_core_file.c | 21 ++++++--------------- + 1 file changed, 6 insertions(+), 15 deletions(-) + +diff --git a/drivers/target/target_core_file.c b/drivers/target/target_core_file.c +index 7e12909..cbb0cc2 100644 +--- a/drivers/target/target_core_file.c ++++ b/drivers/target/target_core_file.c +@@ -264,11 +264,10 @@ static int fd_do_prot_rw(struct se_cmd *cmd, struct fd_prot *fd_prot, + struct se_device *se_dev = cmd->se_dev; + struct fd_dev *dev = FD_DEV(se_dev); + struct file *prot_fd = dev->fd_prot_file; +- struct scatterlist *sg; + loff_t pos = (cmd->t_task_lba * se_dev->prot_length); + unsigned char *buf; +- u32 prot_size, len, size; +- int rc, ret = 1, i; ++ u32 prot_size; ++ int rc, ret = 1; + + prot_size = (cmd->data_length / se_dev->dev_attrib.block_size) * + se_dev->prot_length; +@@ -281,24 +280,16 @@ static int fd_do_prot_rw(struct se_cmd *cmd, struct fd_prot *fd_prot, + } + buf = fd_prot->prot_buf; + +- fd_prot->prot_sg_nents = cmd->t_prot_nents; +- fd_prot->prot_sg = kzalloc(sizeof(struct scatterlist) * +- fd_prot->prot_sg_nents, GFP_KERNEL); ++ fd_prot->prot_sg_nents = 1; ++ fd_prot->prot_sg = kzalloc(sizeof(struct scatterlist), ++ GFP_KERNEL); + if (!fd_prot->prot_sg) { + pr_err("Unable to allocate fd_prot->prot_sg\n"); + kfree(fd_prot->prot_buf); + return -ENOMEM; + } + sg_init_table(fd_prot->prot_sg, fd_prot->prot_sg_nents); +- size = prot_size; +- +- for_each_sg(fd_prot->prot_sg, sg, fd_prot->prot_sg_nents, i) { +- +- len = min_t(u32, PAGE_SIZE, size); +- sg_set_buf(sg, buf, len); +- size -= len; +- buf += len; +- } ++ sg_set_buf(fd_prot->prot_sg, buf, prot_size); + } + + if (is_write) { +-- +2.3.6 + + +From 6c617001eadca79dc3c26a6e2d2844ad48c1a178 Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg <sagig@mellanox.com> +Date: Sun, 29 Mar 2015 15:52:03 +0300 +Subject: [PATCH 136/219] iser-target: Fix session hang in case of an rdma read + DIF error +Cc: mpagano@gentoo.org + +commit 364189f0ada5478e4faf8a552d6071a650d757cd upstream. + +This hang was a result of a missing command put when +a DIF error occurred during a rdma read (and we sent +an CHECK_CONDITION error without passing it to the +backend). + +Signed-off-by: Sagi Grimberg <sagig@mellanox.com> +Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/infiniband/ulp/isert/ib_isert.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c +index 075b19c..4b8d518 100644 +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -1861,11 +1861,13 @@ isert_completion_rdma_read(struct iser_tx_desc *tx_desc, + cmd->i_state = ISTATE_RECEIVED_LAST_DATAOUT; + spin_unlock_bh(&cmd->istate_lock); + +- if (ret) ++ if (ret) { ++ target_put_sess_cmd(se_cmd->se_sess, se_cmd); + transport_send_check_condition_and_sense(se_cmd, + se_cmd->pi_err, 0); +- else ++ } else { + target_execute_cmd(se_cmd); ++ } + } + + static void +-- +2.3.6 + + +From c1398bc9478760e098fd1a36c9d67eeaf1bc5813 Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg <sagig@mellanox.com> +Date: Sun, 29 Mar 2015 15:52:04 +0300 +Subject: [PATCH 137/219] iser-target: Fix possible deadlock in RDMA_CM + connection error +Cc: mpagano@gentoo.org + +commit 4a579da2586bd3b79b025947ea24ede2bbfede62 upstream. + +Before we reach to connection established we may get an +error event. In this case the core won't teardown this +connection (never established it), so we take care of freeing +it ourselves. + +Signed-off-by: Sagi Grimberg <sagig@mellanox.com> +Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/infiniband/ulp/isert/ib_isert.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c +index 4b8d518..147029a 100644 +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -222,7 +222,7 @@ fail: + static void + isert_free_rx_descriptors(struct isert_conn *isert_conn) + { +- struct ib_device *ib_dev = isert_conn->conn_cm_id->device; ++ struct ib_device *ib_dev = isert_conn->conn_device->ib_device; + struct iser_rx_desc *rx_desc; + int i; + +@@ -719,8 +719,8 @@ out: + static void + isert_connect_release(struct isert_conn *isert_conn) + { +- struct ib_device *ib_dev = isert_conn->conn_cm_id->device; + struct isert_device *device = isert_conn->conn_device; ++ struct ib_device *ib_dev = device->ib_device; + + isert_dbg("conn %p\n", isert_conn); + +@@ -728,7 +728,8 @@ isert_connect_release(struct isert_conn *isert_conn) + isert_conn_free_fastreg_pool(isert_conn); + + isert_free_rx_descriptors(isert_conn); +- rdma_destroy_id(isert_conn->conn_cm_id); ++ if (isert_conn->conn_cm_id) ++ rdma_destroy_id(isert_conn->conn_cm_id); + + if (isert_conn->conn_qp) { + struct isert_comp *comp = isert_conn->conn_qp->recv_cq->cq_context; +@@ -878,12 +879,15 @@ isert_disconnected_handler(struct rdma_cm_id *cma_id, + return 0; + } + +-static void ++static int + isert_connect_error(struct rdma_cm_id *cma_id) + { + struct isert_conn *isert_conn = cma_id->qp->qp_context; + ++ isert_conn->conn_cm_id = NULL; + isert_put_conn(isert_conn); ++ ++ return -1; + } + + static int +@@ -912,7 +916,7 @@ isert_cma_handler(struct rdma_cm_id *cma_id, struct rdma_cm_event *event) + case RDMA_CM_EVENT_REJECTED: /* FALLTHRU */ + case RDMA_CM_EVENT_UNREACHABLE: /* FALLTHRU */ + case RDMA_CM_EVENT_CONNECT_ERROR: +- isert_connect_error(cma_id); ++ ret = isert_connect_error(cma_id); + break; + default: + isert_err("Unhandled RDMA CMA event: %d\n", event->event); +-- +2.3.6 + + +From 1ed449ae56cbf5db4f3ea0560a5bfbe95e30e89a Mon Sep 17 00:00:00 2001 +From: Alexander Ploumistos <alex.ploumistos@gmail.com> +Date: Fri, 13 Feb 2015 21:05:11 +0200 +Subject: [PATCH 138/219] Bluetooth: ath3k: Add support Atheros AR5B195 combo + Mini PCIe card +Cc: mpagano@gentoo.org + +commit 2eeff0b4317a02f0e281df891d990194f0737aae upstream. + +Add 04f2:aff1 to ath3k.c supported devices list and btusb.c blacklist, so +that the device can load the ath3k firmware and re-enumerate itself as an +AR3011 device. + +T: Bus=05 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=04f2 ProdID=aff1 Rev= 0.01 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Signed-off-by: Alexander Ploumistos <alexpl@fedoraproject.org> +Signed-off-by: Marcel Holtmann <marcel@holtmann.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/bluetooth/ath3k.c | 1 + + drivers/bluetooth/btusb.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c +index de4c849..288547a 100644 +--- a/drivers/bluetooth/ath3k.c ++++ b/drivers/bluetooth/ath3k.c +@@ -65,6 +65,7 @@ static const struct usb_device_id ath3k_table[] = { + /* Atheros AR3011 with sflash firmware*/ + { USB_DEVICE(0x0489, 0xE027) }, + { USB_DEVICE(0x0489, 0xE03D) }, ++ { USB_DEVICE(0x04F2, 0xAFF1) }, + { USB_DEVICE(0x0930, 0x0215) }, + { USB_DEVICE(0x0CF3, 0x3002) }, + { USB_DEVICE(0x0CF3, 0xE019) }, +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 8bfc4c2..2c527da 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -159,6 +159,7 @@ static const struct usb_device_id blacklist_table[] = { + /* Atheros 3011 with sflash firmware */ + { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE }, + { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE }, ++ { USB_DEVICE(0x04f2, 0xaff1), .driver_info = BTUSB_IGNORE }, + { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE }, + { USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE }, + { USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE }, +-- +2.3.6 + + +From 929315920e42097f53f97bfc88c6da4a41e19f66 Mon Sep 17 00:00:00 2001 +From: Bo Yan <byan@nvidia.com> +Date: Tue, 31 Mar 2015 21:30:48 +0100 +Subject: [PATCH 139/219] arm64: fix midr range for Cortex-A57 erratum 832075 +Cc: mpagano@gentoo.org + +commit 6d1966dfd6e0ad2f8aa4b664ae1a62e33abe1998 upstream. + +Register MIDR_EL1 is masked to get variant and revision fields, then +compared against midr_range_min and midr_range_max when checking +whether CPU is affected by any particular erratum. However, variant +and revision fields in MIDR_EL1 are separated by 16 bits, so the min +and max of midr range should be constructed accordingly, otherwise +the patch will not be applied when variant field is non-0. + +Acked-by: Andre Przywara <andre.przywara@arm.com> +Reviewed-by: Paul Walmsley <paul@pwsan.com> +Signed-off-by: Bo Yan <byan@nvidia.com> +[will: use MIDR_VARIANT_SHIFT to construct upper bound] +Signed-off-by: Will Deacon <will.deacon@arm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/arm64/kernel/cpu_errata.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index fa62637..7c48494 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -88,7 +88,8 @@ struct arm64_cpu_capabilities arm64_errata[] = { + /* Cortex-A57 r0p0 - r1p2 */ + .desc = "ARM erratum 832075", + .capability = ARM64_WORKAROUND_DEVICE_LOAD_ACQUIRE, +- MIDR_RANGE(MIDR_CORTEX_A57, 0x00, 0x12), ++ MIDR_RANGE(MIDR_CORTEX_A57, 0x00, ++ (1 << MIDR_VARIANT_SHIFT) | 2), + }, + #endif + { +-- +2.3.6 + + +From 28a75aebb66869d9b48970bc9ad2c50d06ca2368 Mon Sep 17 00:00:00 2001 +From: Mark Rutland <mark.rutland@arm.com> +Date: Tue, 24 Mar 2015 13:50:27 +0000 +Subject: [PATCH 140/219] arm64: head.S: ensure visibility of page tables +Cc: mpagano@gentoo.org + +commit 91d57155dc5ab4b311624b7ee570339b6af19ad5 upstream. + +After writing the page tables, we use __inval_cache_range to invalidate +any stale cache entries. Strongly Ordered memory accesses are not +ordered w.r.t. cache maintenance instructions, and hence explicit memory +barriers are required to provide this ordering. However, +__inval_cache_range was written to be used on Normal Cacheable memory +once the MMU and caches are on, and does not have any barriers prior to +the DC instructions. + +This patch adds a DMB between the page tables being written and the +corresponding cachelines being invalidated, ensuring that the +invalidation makes the new data visible to subsequent cacheable +accesses. A barrier is not required before the prior invalidate as we do +not access the page table memory area prior to this, and earlier +barriers in preserve_boot_args and set_cpu_boot_mode_flag ensures +ordering w.r.t. any stores performed prior to entering Linux. + +Signed-off-by: Mark Rutland <mark.rutland@arm.com> +Cc: Catalin Marinas <catalin.marinas@arm.com> +Cc: Will Deacon <will.deacon@arm.com> +Fixes: c218bca74eeafa2f ("arm64: Relax the kernel cache requirements for boot") +Signed-off-by: Will Deacon <will.deacon@arm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/arm64/kernel/head.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S +index 07f9305..c237ffb 100644 +--- a/arch/arm64/kernel/head.S ++++ b/arch/arm64/kernel/head.S +@@ -426,6 +426,7 @@ __create_page_tables: + */ + mov x0, x25 + add x1, x26, #SWAPPER_DIR_SIZE ++ dmb sy + bl __inval_cache_range + + mov lr, x27 +-- +2.3.6 + + +From 3b4f68e9d08a42860dd7491e973a1ba2abcf4ea7 Mon Sep 17 00:00:00 2001 +From: Steve Capper <steve.capper@linaro.org> +Date: Mon, 16 Mar 2015 09:30:39 +0000 +Subject: [PATCH 141/219] arm64: Adjust EFI libstub object include logic +Cc: mpagano@gentoo.org + +commit ad08fd494bf00c03ae372e0bbd9cefa37bf608d6 upstream. + +Commit f4f75ad5 ("efi: efistub: Convert into static library") +introduced a static library for EFI stub, libstub. + +The EFI libstub directory is referenced by the kernel build system via +a obj subdirectory rule in: +drivers/firmware/efi/Makefile + +Unfortunately, arm64 also references the EFI libstub via: +libs-$(CONFIG_EFI_STUB) += drivers/firmware/efi/libstub/ + +If we're unlucky, the kernel build system can enter libstub via two +simultaneous threads resulting in build failures such as: + +fixdep: error opening depfile: drivers/firmware/efi/libstub/.efi-stub-helper.o.d: No such file or directory +scripts/Makefile.build:257: recipe for target 'drivers/firmware/efi/libstub/efi-stub-helper.o' failed +make[1]: *** [drivers/firmware/efi/libstub/efi-stub-helper.o] Error 2 +Makefile:939: recipe for target 'drivers/firmware/efi/libstub' failed +make: *** [drivers/firmware/efi/libstub] Error 2 +make: *** Waiting for unfinished jobs.... + +This patch adjusts the arm64 Makefile to reference the compiled library +explicitly (as is currently done in x86), rather than the directory. + +Fixes: f4f75ad5 efi: efistub: Convert into static library +Signed-off-by: Steve Capper <steve.capper@linaro.org> +Signed-off-by: Will Deacon <will.deacon@arm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/arm64/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile +index 69ceedc..4d2a925 100644 +--- a/arch/arm64/Makefile ++++ b/arch/arm64/Makefile +@@ -48,7 +48,7 @@ core-$(CONFIG_KVM) += arch/arm64/kvm/ + core-$(CONFIG_XEN) += arch/arm64/xen/ + core-$(CONFIG_CRYPTO) += arch/arm64/crypto/ + libs-y := arch/arm64/lib/ $(libs-y) +-libs-$(CONFIG_EFI_STUB) += drivers/firmware/efi/libstub/ ++core-$(CONFIG_EFI_STUB) += $(objtree)/drivers/firmware/efi/libstub/lib.a + + # Default target when executing plain make + KBUILD_IMAGE := Image.gz +-- +2.3.6 + + +From f5fc6d70222ede94eb601c8f2697df1a9bcd9535 Mon Sep 17 00:00:00 2001 +From: Mark Rutland <mark.rutland@arm.com> +Date: Fri, 13 Mar 2015 16:14:34 +0000 +Subject: [PATCH 142/219] arm64: apply alternatives for !SMP kernels +Cc: mpagano@gentoo.org + +commit 137650aad96c9594683445e41afa8ac5a2097520 upstream. + +Currently we only perform alternative patching for kernels built with +CONFIG_SMP, as we call apply_alternatives_all() in smp.c, which is only +built for CONFIG_SMP. Thus !SMP kernels may not have necessary +alternatives patched in. + +This patch ensures that we call apply_alternatives_all() once all CPUs +are booted, even for !SMP kernels, by having the smp_init_cpus() stub +call this for !SMP kernels via up_late_init. A new wrapper, +do_post_cpus_up_work, is added so we can hook other calls here later +(e.g. boot mode logging). + +Cc: Andre Przywara <andre.przywara@arm.com> +Cc: Catalin Marinas <catalin.marinas@arm.com> +Fixes: e039ee4ee3fcf174 ("arm64: add alternative runtime patching") +Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> +Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> +Signed-off-by: Mark Rutland <mark.rutland@arm.com> +Signed-off-by: Will Deacon <will.deacon@arm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/arm64/Kconfig | 4 ++++ + arch/arm64/include/asm/smp_plat.h | 2 ++ + arch/arm64/kernel/setup.c | 12 ++++++++++++ + arch/arm64/kernel/smp.c | 2 +- + 4 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 1b8e973..0d46deb 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -470,6 +470,10 @@ config HOTPLUG_CPU + + source kernel/Kconfig.preempt + ++config UP_LATE_INIT ++ def_bool y ++ depends on !SMP ++ + config HZ + int + default 100 +diff --git a/arch/arm64/include/asm/smp_plat.h b/arch/arm64/include/asm/smp_plat.h +index 59e2823..8dcd61e 100644 +--- a/arch/arm64/include/asm/smp_plat.h ++++ b/arch/arm64/include/asm/smp_plat.h +@@ -40,4 +40,6 @@ static inline u32 mpidr_hash_size(void) + extern u64 __cpu_logical_map[NR_CPUS]; + #define cpu_logical_map(cpu) __cpu_logical_map[cpu] + ++void __init do_post_cpus_up_work(void); ++ + #endif /* __ASM_SMP_PLAT_H */ +diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c +index e8420f6..781f469 100644 +--- a/arch/arm64/kernel/setup.c ++++ b/arch/arm64/kernel/setup.c +@@ -207,6 +207,18 @@ static void __init smp_build_mpidr_hash(void) + } + #endif + ++void __init do_post_cpus_up_work(void) ++{ ++ apply_alternatives_all(); ++} ++ ++#ifdef CONFIG_UP_LATE_INIT ++void __init up_late_init(void) ++{ ++ do_post_cpus_up_work(); ++} ++#endif /* CONFIG_UP_LATE_INIT */ ++ + static void __init setup_processor(void) + { + struct cpu_info *cpu_info; +diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c +index 328b8ce..4257369 100644 +--- a/arch/arm64/kernel/smp.c ++++ b/arch/arm64/kernel/smp.c +@@ -309,7 +309,7 @@ void cpu_die(void) + void __init smp_cpus_done(unsigned int max_cpus) + { + pr_info("SMP: Total of %d processors activated.\n", num_online_cpus()); +- apply_alternatives_all(); ++ do_post_cpus_up_work(); + } + + void __init smp_prepare_boot_cpu(void) +-- +2.3.6 + + +From d56f1962494430ce86e221537a2116a8ff0dca7e Mon Sep 17 00:00:00 2001 +From: Will Deacon <will.deacon@arm.com> +Date: Mon, 23 Mar 2015 19:07:02 +0000 +Subject: [PATCH 143/219] arm64: errata: add workaround for cortex-a53 erratum + #845719 +Cc: mpagano@gentoo.org + +commit 905e8c5dcaa147163672b06fe9dcb5abaacbc711 upstream. + +When running a compat (AArch32) userspace on Cortex-A53, a load at EL0 +from a virtual address that matches the bottom 32 bits of the virtual +address used by a recent load at (AArch64) EL1 might return incorrect +data. + +This patch works around the issue by writing to the contextidr_el1 +register on the exception return path when returning to a 32-bit task. +This workaround is patched in at runtime based on the MIDR value of the +processor. + +Reviewed-by: Marc Zyngier <marc.zyngier@arm.com> +Tested-by: Mark Rutland <mark.rutland@arm.com> +Signed-off-by: Will Deacon <will.deacon@arm.com> +Signed-off-by: Kevin Hilman <khilman@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/arm64/Kconfig | 21 +++++++++++++++++++++ + arch/arm64/include/asm/cpufeature.h | 3 ++- + arch/arm64/kernel/cpu_errata.c | 8 ++++++++ + arch/arm64/kernel/entry.S | 20 ++++++++++++++++++++ + 4 files changed, 51 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 0d46deb..a6186c2 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -361,6 +361,27 @@ config ARM64_ERRATUM_832075 + + If unsure, say Y. + ++config ARM64_ERRATUM_845719 ++ bool "Cortex-A53: 845719: a load might read incorrect data" ++ depends on COMPAT ++ default y ++ help ++ This option adds an alternative code sequence to work around ARM ++ erratum 845719 on Cortex-A53 parts up to r0p4. ++ ++ When running a compat (AArch32) userspace on an affected Cortex-A53 ++ part, a load at EL0 from a virtual address that matches the bottom 32 ++ bits of the virtual address used by a recent load at (AArch64) EL1 ++ might return incorrect data. ++ ++ The workaround is to write the contextidr_el1 register on exception ++ return to a 32-bit task. ++ Please note that this does not necessarily enable the workaround, ++ as it depends on the alternative framework, which will only patch ++ the kernel if an affected CPU is detected. ++ ++ If unsure, say Y. ++ + endmenu + + +diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h +index b6c16d5..3f0c53c 100644 +--- a/arch/arm64/include/asm/cpufeature.h ++++ b/arch/arm64/include/asm/cpufeature.h +@@ -23,8 +23,9 @@ + + #define ARM64_WORKAROUND_CLEAN_CACHE 0 + #define ARM64_WORKAROUND_DEVICE_LOAD_ACQUIRE 1 ++#define ARM64_WORKAROUND_845719 2 + +-#define ARM64_NCAPS 2 ++#define ARM64_NCAPS 3 + + #ifndef __ASSEMBLY__ + +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index 7c48494..ad6d523 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -92,6 +92,14 @@ struct arm64_cpu_capabilities arm64_errata[] = { + (1 << MIDR_VARIANT_SHIFT) | 2), + }, + #endif ++#ifdef CONFIG_ARM64_ERRATUM_845719 ++ { ++ /* Cortex-A53 r0p[01234] */ ++ .desc = "ARM erratum 845719", ++ .capability = ARM64_WORKAROUND_845719, ++ MIDR_RANGE(MIDR_CORTEX_A53, 0x00, 0x04), ++ }, ++#endif + { + } + }; +diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S +index cf21bb3..959fe87 100644 +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -21,8 +21,10 @@ + #include <linux/init.h> + #include <linux/linkage.h> + ++#include <asm/alternative-asm.h> + #include <asm/assembler.h> + #include <asm/asm-offsets.h> ++#include <asm/cpufeature.h> + #include <asm/errno.h> + #include <asm/esr.h> + #include <asm/thread_info.h> +@@ -120,6 +122,24 @@ + ct_user_enter + ldr x23, [sp, #S_SP] // load return stack pointer + msr sp_el0, x23 ++ ++#ifdef CONFIG_ARM64_ERRATUM_845719 ++ alternative_insn \ ++ "nop", \ ++ "tbz x22, #4, 1f", \ ++ ARM64_WORKAROUND_845719 ++#ifdef CONFIG_PID_IN_CONTEXTIDR ++ alternative_insn \ ++ "nop; nop", \ ++ "mrs x29, contextidr_el1; msr contextidr_el1, x29; 1:", \ ++ ARM64_WORKAROUND_845719 ++#else ++ alternative_insn \ ++ "nop", \ ++ "msr contextidr_el1, xzr; 1:", \ ++ ARM64_WORKAROUND_845719 ++#endif ++#endif + .endif + msr elr_el1, x21 // set up the return data + msr spsr_el1, x22 +-- +2.3.6 + + +From aa54f8fb00ef9c739f564672048ec0fcc08a61dc Mon Sep 17 00:00:00 2001 +From: Gavin Shan <gwshan@linux.vnet.ibm.com> +Date: Fri, 27 Mar 2015 11:29:00 +1100 +Subject: [PATCH 144/219] powerpc/powernv: Don't map M64 segments using M32DT +Cc: mpagano@gentoo.org + +commit 027fa02f84e851e21daffdf8900d6117071890f8 upstream. + +If M64 has been supported, the prefetchable 64-bits memory resources +shouldn't be mapped to the corresponding PE# via M32DT. Unfortunately, +we're doing that in pnv_ioda_setup_pe_seg() wrongly. The issue was +introduced by commit 262af55 ("powerpc/powernv: Enable M64 aperatus +for PHB3"). The patch fixes the issue by simply skipping M64 resources +when updating to M32DT. + +Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com> +Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/powerpc/platforms/powernv/pci-ioda.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/powernv/pci-ioda.c b/arch/powerpc/platforms/powernv/pci-ioda.c +index 6c9ff2b..1d9369e 100644 +--- a/arch/powerpc/platforms/powernv/pci-ioda.c ++++ b/arch/powerpc/platforms/powernv/pci-ioda.c +@@ -1777,7 +1777,8 @@ static void pnv_ioda_setup_pe_seg(struct pci_controller *hose, + region.start += phb->ioda.io_segsize; + index++; + } +- } else if (res->flags & IORESOURCE_MEM) { ++ } else if ((res->flags & IORESOURCE_MEM) && ++ !pnv_pci_is_mem_pref_64(res->flags)) { + region.start = res->start - + hose->mem_offset[0] - + phb->ioda.m32_pci_base; +-- +2.3.6 + + +From 7ef1951eca49005fdbb4768574b7076cae1eeb4c Mon Sep 17 00:00:00 2001 +From: Dave Olson <olson@cumulusnetworks.com> +Date: Thu, 2 Apr 2015 21:28:45 -0700 +Subject: [PATCH 145/219] powerpc: Fix missing L2 cache size in + /sys/devices/system/cpu +Cc: mpagano@gentoo.org + +commit f7e9e358362557c3aa2c1ec47490f29fe880a09e upstream. + +This problem appears to have been introduced in 2.6.29 by commit +93197a36a9c1 "Rewrite sysfs processor cache info code". + +This caused lscpu to error out on at least e500v2 devices, eg: + + error: cannot open /sys/devices/system/cpu/cpu0/cache/index2/size: No such file or directory + +Some embedded powerpc systems use cache-size in DTS for the unified L2 +cache size, not d-cache-size, so we need to allow for both DTS names. +Added a new CACHE_TYPE_UNIFIED_D cache_type_info structure to handle +this. + +Fixes: 93197a36a9c1 ("powerpc: Rewrite sysfs processor cache info code") +Signed-off-by: Dave Olson <olson@cumulusnetworks.com> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/powerpc/kernel/cacheinfo.c | 44 +++++++++++++++++++++++++++++++---------- + 1 file changed, 34 insertions(+), 10 deletions(-) + +diff --git a/arch/powerpc/kernel/cacheinfo.c b/arch/powerpc/kernel/cacheinfo.c +index ae77b7e..c641983 100644 +--- a/arch/powerpc/kernel/cacheinfo.c ++++ b/arch/powerpc/kernel/cacheinfo.c +@@ -61,12 +61,22 @@ struct cache_type_info { + }; + + /* These are used to index the cache_type_info array. */ +-#define CACHE_TYPE_UNIFIED 0 +-#define CACHE_TYPE_INSTRUCTION 1 +-#define CACHE_TYPE_DATA 2 ++#define CACHE_TYPE_UNIFIED 0 /* cache-size, cache-block-size, etc. */ ++#define CACHE_TYPE_UNIFIED_D 1 /* d-cache-size, d-cache-block-size, etc */ ++#define CACHE_TYPE_INSTRUCTION 2 ++#define CACHE_TYPE_DATA 3 + + static const struct cache_type_info cache_type_info[] = { + { ++ /* Embedded systems that use cache-size, cache-block-size, ++ * etc. for the Unified (typically L2) cache. */ ++ .name = "Unified", ++ .size_prop = "cache-size", ++ .line_size_props = { "cache-line-size", ++ "cache-block-size", }, ++ .nr_sets_prop = "cache-sets", ++ }, ++ { + /* PowerPC Processor binding says the [di]-cache-* + * must be equal on unified caches, so just use + * d-cache properties. */ +@@ -293,7 +303,8 @@ static struct cache *cache_find_first_sibling(struct cache *cache) + { + struct cache *iter; + +- if (cache->type == CACHE_TYPE_UNIFIED) ++ if (cache->type == CACHE_TYPE_UNIFIED || ++ cache->type == CACHE_TYPE_UNIFIED_D) + return cache; + + list_for_each_entry(iter, &cache_list, list) +@@ -324,16 +335,29 @@ static bool cache_node_is_unified(const struct device_node *np) + return of_get_property(np, "cache-unified", NULL); + } + +-static struct cache *cache_do_one_devnode_unified(struct device_node *node, +- int level) ++/* ++ * Unified caches can have two different sets of tags. Most embedded ++ * use cache-size, etc. for the unified cache size, but open firmware systems ++ * use d-cache-size, etc. Check on initialization for which type we have, and ++ * return the appropriate structure type. Assume it's embedded if it isn't ++ * open firmware. If it's yet a 3rd type, then there will be missing entries ++ * in /sys/devices/system/cpu/cpu0/cache/index2/, and this code will need ++ * to be extended further. ++ */ ++static int cache_is_unified_d(const struct device_node *np) + { +- struct cache *cache; ++ return of_get_property(np, ++ cache_type_info[CACHE_TYPE_UNIFIED_D].size_prop, NULL) ? ++ CACHE_TYPE_UNIFIED_D : CACHE_TYPE_UNIFIED; ++} + ++/* ++ */ ++static struct cache *cache_do_one_devnode_unified(struct device_node *node, int level) ++{ + pr_debug("creating L%d ucache for %s\n", level, node->full_name); + +- cache = new_cache(CACHE_TYPE_UNIFIED, level, node); +- +- return cache; ++ return new_cache(cache_is_unified_d(node), level, node); + } + + static struct cache *cache_do_one_devnode_split(struct device_node *node, +-- +2.3.6 + + +From 9fb1018337f9767398e0d62e5dce8499fd0f2bf0 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman <mpe@ellerman.id.au> +Date: Fri, 3 Apr 2015 14:11:53 +1100 +Subject: [PATCH 146/219] powerpc/cell: Fix crash in iic_setup_cpu() after + per_cpu changes +Cc: mpagano@gentoo.org + +commit b0dd00addc5035f87ec9c5820dacc1ebc7fcb3e6 upstream. + +The conversion from __get_cpu_var() to this_cpu_ptr() in iic_setup_cpu() +is wrong. It causes an oops at boot. + +We need the per-cpu address of struct cpu_iic, not cpu_iic.regs->prio. + +Sparse noticed this, because we pass a non-iomem pointer to out_be64(), +but we obviously don't check the sparse results often enough. + +Fixes: 69111bac42f5 ("powerpc: Replace __get_cpu_var uses") +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/powerpc/platforms/cell/interrupt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/cell/interrupt.c b/arch/powerpc/platforms/cell/interrupt.c +index 4c11421..3af8324 100644 +--- a/arch/powerpc/platforms/cell/interrupt.c ++++ b/arch/powerpc/platforms/cell/interrupt.c +@@ -163,7 +163,7 @@ static unsigned int iic_get_irq(void) + + void iic_setup_cpu(void) + { +- out_be64(this_cpu_ptr(&cpu_iic.regs->prio), 0xff); ++ out_be64(&this_cpu_ptr(&cpu_iic)->regs->prio, 0xff); + } + + u8 iic_get_target_id(int cpu) +-- +2.3.6 + + +From 94a5f3b014e7d81936ae02cc095cdf895f94fb19 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman <mpe@ellerman.id.au> +Date: Fri, 3 Apr 2015 14:11:54 +1100 +Subject: [PATCH 147/219] powerpc/cell: Fix cell iommu after it_page_shift + changes +Cc: mpagano@gentoo.org + +commit 7261b956b276aa97fbf60d00f1d7717d2ea6ee78 upstream. + +The patch to add it_page_shift incorrectly changed the increment of +uaddr to use it_page_shift, rather then (1 << it_page_shift). + +This broke booting on at least some Cell blades, as the iommu was +basically non-functional. + +Fixes: 3a553170d35d ("powerpc/iommu: Add it_page_shift field to determine iommu page size") +Signed-off-by: Michael Ellerman <michael@ellerman.id.au> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/powerpc/platforms/cell/iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/cell/iommu.c b/arch/powerpc/platforms/cell/iommu.c +index c7c8720..63db1b0 100644 +--- a/arch/powerpc/platforms/cell/iommu.c ++++ b/arch/powerpc/platforms/cell/iommu.c +@@ -197,7 +197,7 @@ static int tce_build_cell(struct iommu_table *tbl, long index, long npages, + + io_pte = (unsigned long *)tbl->it_base + (index - tbl->it_offset); + +- for (i = 0; i < npages; i++, uaddr += tbl->it_page_shift) ++ for (i = 0; i < npages; i++, uaddr += (1 << tbl->it_page_shift)) + io_pte[i] = base_pte | (__pa(uaddr) & CBE_IOPTE_RPN_Mask); + + mb(); +-- +2.3.6 + + +From 755b29de0d793e3915b35f35c716705d9910109f Mon Sep 17 00:00:00 2001 +From: Pascal Huerst <pascal.huerst@gmail.com> +Date: Thu, 2 Apr 2015 10:17:40 +0200 +Subject: [PATCH 148/219] ASoC: cs4271: Increase delay time after reset +Cc: mpagano@gentoo.org + +commit 74ff960222d90999508b4ba0d3449f796695b6d5 upstream. + +The delay time after a reset in the codec probe callback was too short, +and did not work on certain hw because the codec needs more time to +power on. This increases the delay time from 1us to 1ms. + +Signed-off-by: Pascal Huerst <pascal.huerst@gmail.com> +Acked-by: Brian Austin <brian.austin@cirrus.com> +Signed-off-by: Mark Brown <broonie@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + sound/soc/codecs/cs4271.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/cs4271.c b/sound/soc/codecs/cs4271.c +index 7d3a6ac..e770ee6 100644 +--- a/sound/soc/codecs/cs4271.c ++++ b/sound/soc/codecs/cs4271.c +@@ -561,10 +561,10 @@ static int cs4271_codec_probe(struct snd_soc_codec *codec) + if (gpio_is_valid(cs4271->gpio_nreset)) { + /* Reset codec */ + gpio_direction_output(cs4271->gpio_nreset, 0); +- udelay(1); ++ mdelay(1); + gpio_set_value(cs4271->gpio_nreset, 1); + /* Give the codec time to wake up */ +- udelay(1); ++ mdelay(1); + } + + ret = regmap_update_bits(cs4271->regmap, CS4271_MODE2, +-- +2.3.6 + + +From d9493a0723e5a23b0250f43ea5e6d8ed66e1a343 Mon Sep 17 00:00:00 2001 +From: Sergej Sawazki <ce3a@gmx.de> +Date: Tue, 24 Mar 2015 21:13:22 +0100 +Subject: [PATCH 149/219] ASoC: wm8741: Fix rates constraints values +Cc: mpagano@gentoo.org + +commit 8787041d9bb832b9449b1eb878cedcebce42c61a upstream. + +The WM8741 DAC supports the following typical audio sampling rates: + 44.1kHz, 88.2kHz, 176.4kHz (eg: with a master clock of 22.5792MHz) + 32kHz, 48kHz, 96kHz, 192kHz (eg: with a master clock of 24.576MHz) + +For the rates lists, we should use 82000 instead of 88235, 176400 +instead of 1764000 and 192000 instead of 19200 (seems to be a typo). + +Signed-off-by: Sergej Sawazki <ce3a@gmx.de> +Acked-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com> +Signed-off-by: Mark Brown <broonie@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + sound/soc/codecs/wm8741.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/codecs/wm8741.c b/sound/soc/codecs/wm8741.c +index 31bb480..9e71c76 100644 +--- a/sound/soc/codecs/wm8741.c ++++ b/sound/soc/codecs/wm8741.c +@@ -123,7 +123,7 @@ static struct { + }; + + static const unsigned int rates_11289[] = { +- 44100, 88235, ++ 44100, 88200, + }; + + static const struct snd_pcm_hw_constraint_list constraints_11289 = { +@@ -150,7 +150,7 @@ static const struct snd_pcm_hw_constraint_list constraints_16384 = { + }; + + static const unsigned int rates_16934[] = { +- 44100, 88235, ++ 44100, 88200, + }; + + static const struct snd_pcm_hw_constraint_list constraints_16934 = { +@@ -168,7 +168,7 @@ static const struct snd_pcm_hw_constraint_list constraints_18432 = { + }; + + static const unsigned int rates_22579[] = { +- 44100, 88235, 1764000 ++ 44100, 88200, 176400 + }; + + static const struct snd_pcm_hw_constraint_list constraints_22579 = { +@@ -186,7 +186,7 @@ static const struct snd_pcm_hw_constraint_list constraints_24576 = { + }; + + static const unsigned int rates_36864[] = { +- 48000, 96000, 19200 ++ 48000, 96000, 192000 + }; + + static const struct snd_pcm_hw_constraint_list constraints_36864 = { +-- +2.3.6 + + +From f7a469cdb54b146db35083f167e9f844ffc31f0c Mon Sep 17 00:00:00 2001 +From: Manish Badarkhe <manishvb@ti.com> +Date: Thu, 26 Mar 2015 15:38:25 +0200 +Subject: [PATCH 150/219] ASoC: davinci-evm: drop un-necessary remove function +Cc: mpagano@gentoo.org + +commit a57069e33fbc6625f39e1b09c88ea44629a35206 upstream. + +As davinci card gets registered using 'devm_' api +there is no need to unregister the card in 'remove' +function. +Hence drop the 'remove' function. + +Fixes: ee2f615d6e59c (ASoC: davinci-evm: Add device tree binding) +Signed-off-by: Manish Badarkhe <manishvb@ti.com> +Signed-off-by: Jyri Sarha <jsarha@ti.com> +Signed-off-by: Mark Brown <broonie@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + sound/soc/davinci/davinci-evm.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/sound/soc/davinci/davinci-evm.c b/sound/soc/davinci/davinci-evm.c +index b6bb594..8c2b9be 100644 +--- a/sound/soc/davinci/davinci-evm.c ++++ b/sound/soc/davinci/davinci-evm.c +@@ -425,18 +425,8 @@ static int davinci_evm_probe(struct platform_device *pdev) + return ret; + } + +-static int davinci_evm_remove(struct platform_device *pdev) +-{ +- struct snd_soc_card *card = platform_get_drvdata(pdev); +- +- snd_soc_unregister_card(card); +- +- return 0; +-} +- + static struct platform_driver davinci_evm_driver = { + .probe = davinci_evm_probe, +- .remove = davinci_evm_remove, + .driver = { + .name = "davinci_evm", + .pm = &snd_soc_pm_ops, +-- +2.3.6 + + +From f646e040a619bcea31a6cab378ccaccb6f4cb659 Mon Sep 17 00:00:00 2001 +From: Howard Mitchell <hm@hmbedded.co.uk> +Date: Thu, 19 Mar 2015 12:08:30 +0000 +Subject: [PATCH 151/219] ASoC: pcm512x: Add 'Analogue' prefix to analogue + volume controls +Cc: mpagano@gentoo.org + +commit 4d9b13c7cc803fbde59d7e998f7de2b9a2101c7e upstream. + +This is to ensure that 'alsactl restore' does not apply default +initialisation as the chip reset defaults are preferred. + +Signed-off-by: Howard Mitchell <hm@hmbedded.co.uk> +Signed-off-by: Mark Brown <broonie@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + sound/soc/codecs/pcm512x.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/pcm512x.c b/sound/soc/codecs/pcm512x.c +index 474cae8..b48624c 100644 +--- a/sound/soc/codecs/pcm512x.c ++++ b/sound/soc/codecs/pcm512x.c +@@ -304,9 +304,9 @@ static const struct soc_enum pcm512x_veds = + static const struct snd_kcontrol_new pcm512x_controls[] = { + SOC_DOUBLE_R_TLV("Digital Playback Volume", PCM512x_DIGITAL_VOLUME_2, + PCM512x_DIGITAL_VOLUME_3, 0, 255, 1, digital_tlv), +-SOC_DOUBLE_TLV("Playback Volume", PCM512x_ANALOG_GAIN_CTRL, ++SOC_DOUBLE_TLV("Analogue Playback Volume", PCM512x_ANALOG_GAIN_CTRL, + PCM512x_LAGN_SHIFT, PCM512x_RAGN_SHIFT, 1, 1, analog_tlv), +-SOC_DOUBLE_TLV("Playback Boost Volume", PCM512x_ANALOG_GAIN_BOOST, ++SOC_DOUBLE_TLV("Analogue Playback Boost Volume", PCM512x_ANALOG_GAIN_BOOST, + PCM512x_AGBL_SHIFT, PCM512x_AGBR_SHIFT, 1, 0, boost_tlv), + SOC_DOUBLE("Digital Playback Switch", PCM512x_MUTE, PCM512x_RQML_SHIFT, + PCM512x_RQMR_SHIFT, 1, 1), +-- +2.3.6 + + +From 43ebd1a85ee86416c2d45a3834e7425c396890e9 Mon Sep 17 00:00:00 2001 +From: Howard Mitchell <hm@hmbedded.co.uk> +Date: Fri, 20 Mar 2015 21:13:45 +0000 +Subject: [PATCH 152/219] ASoC: pcm512x: Fix divide by zero issue +Cc: mpagano@gentoo.org + +commit f073faa73626f41db7050a69edd5074c53ce6d6c upstream. + +If den=1 and pllin_rate>20MHz then den and num are adjusted to 0 +causing a divide by zero error a few lines further on. Therefore +this patch correctly scales num and den such that +pllin_rate/den < 20MHz as required in the device data sheet. + +Signed-off-by: Howard Mitchell <hm@hmbedded.co.uk> +Signed-off-by: Mark Brown <broonie@sirena.org.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + sound/soc/codecs/pcm512x.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/pcm512x.c b/sound/soc/codecs/pcm512x.c +index b48624c..8c09e3f 100644 +--- a/sound/soc/codecs/pcm512x.c ++++ b/sound/soc/codecs/pcm512x.c +@@ -576,8 +576,8 @@ static int pcm512x_find_pll_coeff(struct snd_soc_dai *dai, + + /* pllin_rate / P (or here, den) cannot be greater than 20 MHz */ + if (pllin_rate / den > 20000000 && num < 8) { +- num *= 20000000 / (pllin_rate / den); +- den *= 20000000 / (pllin_rate / den); ++ num *= DIV_ROUND_UP(pllin_rate / den, 20000000); ++ den *= DIV_ROUND_UP(pllin_rate / den, 20000000); + } + dev_dbg(dev, "num / den = %lu / %lu\n", num, den); + +-- +2.3.6 + + +From 650a628d5725e7eb8ed5f979fee058795cb06355 Mon Sep 17 00:00:00 2001 +From: Lv Zheng <lv.zheng@intel.com> +Date: Mon, 13 Apr 2015 11:48:58 +0800 +Subject: [PATCH 153/219] ACPICA: Utilities: split IO address types from data + type models. +Cc: mpagano@gentoo.org + +commit 2b8760100e1de69b6ff004c986328a82947db4ad upstream. + +ACPICA commit aacf863cfffd46338e268b7415f7435cae93b451 + +It is reported that on a physically 64-bit addressed machine, 32-bit kernel +can trigger crashes in accessing the memory regions that are beyond the +32-bit boundary. The region field's start address should still be 32-bit +compliant, but after a calculation (adding some offsets), it may exceed the +32-bit boundary. This case is rare and buggy, but there are real BIOSes +leaked with such issues (see References below). + +This patch fixes this gap by always defining IO addresses as 64-bit, and +allows OSPMs to optimize it for a real 32-bit machine to reduce the size of +the internal objects. + +Internal acpi_physical_address usages in the structures that can be fixed +by this change include: + 1. struct acpi_object_region: + acpi_physical_address address; + 2. struct acpi_address_range: + acpi_physical_address start_address; + acpi_physical_address end_address; + 3. struct acpi_mem_space_context; + acpi_physical_address address; + 4. struct acpi_table_desc + acpi_physical_address address; +See known issues 1 for other usages. + +Note that acpi_io_address which is used for ACPI_PROCESSOR may also suffer +from same problem, so this patch changes it accordingly. + +For iasl, it will enforce acpi_physical_address as 32-bit to generate +32-bit OSPM compatible tables on 32-bit platforms, we need to define +ACPI_32BIT_PHYSICAL_ADDRESS for it in acenv.h. + +Known issues: + 1. Cleanup of mapped virtual address + In struct acpi_mem_space_context, acpi_physical_address is used as a virtual + address: + acpi_physical_address mapped_physical_address; + It is better to introduce acpi_virtual_address or use acpi_size instead. + This patch doesn't make such a change. Because this should be done along + with a change to acpi_os_map_memory()/acpi_os_unmap_memory(). + There should be no functional problem to leave this unchanged except + that only this structure is enlarged unexpectedly. + +Link: https://github.com/acpica/acpica/commit/aacf863c +Reference: https://bugzilla.kernel.org/show_bug.cgi?id=87971 +Reference: https://bugzilla.kernel.org/show_bug.cgi?id=79501 +Reported-and-tested-by: Paul Menzel <paulepanter@users.sourceforge.net> +Reported-and-tested-by: Sial Nije <sialnije@gmail.com> +Signed-off-by: Lv Zheng <lv.zheng@intel.com> +Signed-off-by: Bob Moore <robert.moore@intel.com> +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + include/acpi/actypes.h | 20 ++++++++++++++++++++ + include/acpi/platform/acenv.h | 1 + + 2 files changed, 21 insertions(+) + +diff --git a/include/acpi/actypes.h b/include/acpi/actypes.h +index b034f10..658c42e 100644 +--- a/include/acpi/actypes.h ++++ b/include/acpi/actypes.h +@@ -199,9 +199,29 @@ typedef int s32; + typedef s32 acpi_native_int; + + typedef u32 acpi_size; ++ ++#ifdef ACPI_32BIT_PHYSICAL_ADDRESS ++ ++/* ++ * OSPMs can define this to shrink the size of the structures for 32-bit ++ * none PAE environment. ASL compiler may always define this to generate ++ * 32-bit OSPM compliant tables. ++ */ + typedef u32 acpi_io_address; + typedef u32 acpi_physical_address; + ++#else /* ACPI_32BIT_PHYSICAL_ADDRESS */ ++ ++/* ++ * It is reported that, after some calculations, the physical addresses can ++ * wrap over the 32-bit boundary on 32-bit PAE environment. ++ * https://bugzilla.kernel.org/show_bug.cgi?id=87971 ++ */ ++typedef u64 acpi_io_address; ++typedef u64 acpi_physical_address; ++ ++#endif /* ACPI_32BIT_PHYSICAL_ADDRESS */ ++ + #define ACPI_MAX_PTR ACPI_UINT32_MAX + #define ACPI_SIZE_MAX ACPI_UINT32_MAX + +diff --git a/include/acpi/platform/acenv.h b/include/acpi/platform/acenv.h +index ad74dc5..ecdf940 100644 +--- a/include/acpi/platform/acenv.h ++++ b/include/acpi/platform/acenv.h +@@ -76,6 +76,7 @@ + #define ACPI_LARGE_NAMESPACE_NODE + #define ACPI_DATA_TABLE_DISASSEMBLY + #define ACPI_SINGLE_THREADED ++#define ACPI_32BIT_PHYSICAL_ADDRESS + #endif + + /* acpi_exec configuration. Multithreaded with full AML debugger */ +-- +2.3.6 + + +From 5980bf8bc5dbb8e5338a3db6e311539eeb6242da Mon Sep 17 00:00:00 2001 +From: Octavian Purdila <octavian.purdila@intel.com> +Date: Mon, 13 Apr 2015 11:49:05 +0800 +Subject: [PATCH 154/219] ACPICA: Tables: Don't release ACPI_MTX_TABLES in + acpi_tb_install_standard_table(). +Cc: mpagano@gentoo.org + +commit 77ddc2fe08329e375505bc36a3df3233fe57317b upstream. + +ACPICA commit c70434d4da13e65b6163c79a5aa16b40193631c7 + +ACPI_MTX_TABLES is acquired and released by the callers of +acpi_tb_install_standard_table() so releasing it in the function itself is +causing the following error in Linux kernel if the table is reloaded: + +ACPI Error: Mutex [0x2] is not acquired, cannot release (20141107/utmutex-321) +Call Trace: + [<ffffffff81b0bd48>] dump_stack+0x4f/0x7b + [<ffffffff81546bf5>] acpi_ut_release_mutex+0x47/0x67 + [<ffffffff81544357>] acpi_load_table+0x73/0xcb + +Link: https://github.com/acpica/acpica/commit/c70434d4 +Signed-off-by: Octavian Purdila <octavian.purdila@intel.com> +Signed-off-by: Lv Zheng <lv.zheng@intel.com> +Signed-off-by: Bob Moore <robert.moore@intel.com> +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/acpi/acpica/tbinstal.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/acpi/acpica/tbinstal.c b/drivers/acpi/acpica/tbinstal.c +index 9bad45e..7fbc2b9 100644 +--- a/drivers/acpi/acpica/tbinstal.c ++++ b/drivers/acpi/acpica/tbinstal.c +@@ -346,7 +346,6 @@ acpi_tb_install_standard_table(acpi_physical_address address, + */ + acpi_tb_uninstall_table(&new_table_desc); + *table_index = i; +- (void)acpi_ut_release_mutex(ACPI_MTX_TABLES); + return_ACPI_STATUS(AE_OK); + } + } +-- +2.3.6 + + +From afaed716d9f945416e6f0967384714ee3b066020 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com> +Date: Wed, 15 Apr 2015 04:00:27 +0200 +Subject: [PATCH 155/219] ACPICA: Store GPE register enable masks upfront +Cc: mpagano@gentoo.org + +commit 0ee0d34985ceffe4036319e1e46df8bff591b9e3 upstream. + +It is reported that ACPI interrupts do not work any more on +Dell Latitude D600 after commit c50f13c672df (ACPICA: Save +current masks of enabled GPEs after enable register writes). +The problem turns out to be related to the fact that the +enable_mask and enable_for_run GPE bit masks are not in +sync (in the absence of any system suspend/resume events) +for at least one GPE register on that machine. + +Address this problem by writing the enable_for_run mask into +enable_mask as soon as enable_for_run is updated instead of +doing that only after the subsequent register write has +succeeded. For consistency, update acpi_hw_gpe_enable_write() +to store the bit mask to be written into the GPE register +in enable_mask unconditionally before the write. + +Since the ACPI_GPE_SAVE_MASK flag is not necessary any more after +that, drop it along with the symbols depending on it. + +Reported-and-tested-by: Jim Bos <jim876@xs4all.nl> +Fixes: c50f13c672df (ACPICA: Save current masks of enabled GPEs after enable register writes) +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/acpi/acpica/evgpe.c | 5 +++-- + drivers/acpi/acpica/hwgpe.c | 11 ++++------- + include/acpi/actypes.h | 4 ---- + 3 files changed, 7 insertions(+), 13 deletions(-) + +diff --git a/drivers/acpi/acpica/evgpe.c b/drivers/acpi/acpica/evgpe.c +index 5ed064e..ccf7932 100644 +--- a/drivers/acpi/acpica/evgpe.c ++++ b/drivers/acpi/acpica/evgpe.c +@@ -92,6 +92,7 @@ acpi_ev_update_gpe_enable_mask(struct acpi_gpe_event_info *gpe_event_info) + ACPI_SET_BIT(gpe_register_info->enable_for_run, + (u8)register_bit); + } ++ gpe_register_info->enable_mask = gpe_register_info->enable_for_run; + + return_ACPI_STATUS(AE_OK); + } +@@ -123,7 +124,7 @@ acpi_status acpi_ev_enable_gpe(struct acpi_gpe_event_info *gpe_event_info) + + /* Enable the requested GPE */ + +- status = acpi_hw_low_set_gpe(gpe_event_info, ACPI_GPE_ENABLE_SAVE); ++ status = acpi_hw_low_set_gpe(gpe_event_info, ACPI_GPE_ENABLE); + return_ACPI_STATUS(status); + } + +@@ -202,7 +203,7 @@ acpi_ev_remove_gpe_reference(struct acpi_gpe_event_info *gpe_event_info) + if (ACPI_SUCCESS(status)) { + status = + acpi_hw_low_set_gpe(gpe_event_info, +- ACPI_GPE_DISABLE_SAVE); ++ ACPI_GPE_DISABLE); + } + + if (ACPI_FAILURE(status)) { +diff --git a/drivers/acpi/acpica/hwgpe.c b/drivers/acpi/acpica/hwgpe.c +index 84bc550..af6514e 100644 +--- a/drivers/acpi/acpica/hwgpe.c ++++ b/drivers/acpi/acpica/hwgpe.c +@@ -89,6 +89,8 @@ u32 acpi_hw_get_gpe_register_bit(struct acpi_gpe_event_info *gpe_event_info) + * RETURN: Status + * + * DESCRIPTION: Enable or disable a single GPE in the parent enable register. ++ * The enable_mask field of the involved GPE register must be ++ * updated by the caller if necessary. + * + ******************************************************************************/ + +@@ -119,7 +121,7 @@ acpi_hw_low_set_gpe(struct acpi_gpe_event_info *gpe_event_info, u32 action) + /* Set or clear just the bit that corresponds to this GPE */ + + register_bit = acpi_hw_get_gpe_register_bit(gpe_event_info); +- switch (action & ~ACPI_GPE_SAVE_MASK) { ++ switch (action) { + case ACPI_GPE_CONDITIONAL_ENABLE: + + /* Only enable if the corresponding enable_mask bit is set */ +@@ -149,9 +151,6 @@ acpi_hw_low_set_gpe(struct acpi_gpe_event_info *gpe_event_info, u32 action) + /* Write the updated enable mask */ + + status = acpi_hw_write(enable_mask, &gpe_register_info->enable_address); +- if (ACPI_SUCCESS(status) && (action & ACPI_GPE_SAVE_MASK)) { +- gpe_register_info->enable_mask = (u8)enable_mask; +- } + return (status); + } + +@@ -286,10 +285,8 @@ acpi_hw_gpe_enable_write(u8 enable_mask, + { + acpi_status status; + ++ gpe_register_info->enable_mask = enable_mask; + status = acpi_hw_write(enable_mask, &gpe_register_info->enable_address); +- if (ACPI_SUCCESS(status)) { +- gpe_register_info->enable_mask = enable_mask; +- } + return (status); + } + +diff --git a/include/acpi/actypes.h b/include/acpi/actypes.h +index 658c42e..0d58525 100644 +--- a/include/acpi/actypes.h ++++ b/include/acpi/actypes.h +@@ -756,10 +756,6 @@ typedef u32 acpi_event_status; + #define ACPI_GPE_ENABLE 0 + #define ACPI_GPE_DISABLE 1 + #define ACPI_GPE_CONDITIONAL_ENABLE 2 +-#define ACPI_GPE_SAVE_MASK 4 +- +-#define ACPI_GPE_ENABLE_SAVE (ACPI_GPE_ENABLE | ACPI_GPE_SAVE_MASK) +-#define ACPI_GPE_DISABLE_SAVE (ACPI_GPE_DISABLE | ACPI_GPE_SAVE_MASK) + + /* + * GPE info flags - Per GPE +-- +2.3.6 + + +From 7b2f4da529f27b81d06a9c5d49803dc4b1d5eea3 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com> +Date: Sat, 18 Apr 2015 01:25:46 +0200 +Subject: [PATCH 156/219] ACPI / scan: Annotate physical_node_lock in + acpi_scan_is_offline() +Cc: mpagano@gentoo.org + +commit 4c533c801d1c9b5c38458a0e7516e0cf50643782 upstream. + +acpi_scan_is_offline() may be called under the physical_node_lock +lock of the given device object's parent, so prevent lockdep from +complaining about that by annotating that instance with +SINGLE_DEPTH_NESTING. + +Fixes: caa73ea158de (ACPI / hotplug / driver core: Handle containers in a special way) +Reported-and-tested-by: Xie XiuQi <xiexiuqi@huawei.com> +Reviewed-by: Toshi Kani <toshi.kani@hp.com> +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/acpi/scan.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c +index bbca783..349f4fd 100644 +--- a/drivers/acpi/scan.c ++++ b/drivers/acpi/scan.c +@@ -298,7 +298,11 @@ bool acpi_scan_is_offline(struct acpi_device *adev, bool uevent) + struct acpi_device_physical_node *pn; + bool offline = true; + +- mutex_lock(&adev->physical_node_lock); ++ /* ++ * acpi_container_offline() calls this for all of the container's ++ * children under the container's physical_node_lock lock. ++ */ ++ mutex_lock_nested(&adev->physical_node_lock, SINGLE_DEPTH_NESTING); + + list_for_each_entry(pn, &adev->physical_node_list, node) + if (device_supports_offline(pn->dev) && !pn->dev->offline) { +-- +2.3.6 + + +From 042741ecc3287d365daab83a5fd287aee607ea32 Mon Sep 17 00:00:00 2001 +From: Max Filippov <jcmvbkbc@gmail.com> +Date: Fri, 27 Feb 2015 06:28:00 +0300 +Subject: [PATCH 157/219] xtensa: xtfpga: fix hardware lockup caused by LCD + driver +Cc: mpagano@gentoo.org + +commit 4949009eb8d40a441dcddcd96e101e77d31cf1b2 upstream. + +LCD driver is always built for the XTFPGA platform, but its base address +is not configurable, and is wrong for ML605/KC705. Its initialization +locks up KC705 board hardware. + +Make the whole driver optional, and its base address and bus width +configurable. Implement 4-bit bus access method. + +Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/xtensa/Kconfig | 30 ++++++++++++ + arch/xtensa/platforms/xtfpga/Makefile | 3 +- + .../platforms/xtfpga/include/platform/hardware.h | 3 -- + .../xtensa/platforms/xtfpga/include/platform/lcd.h | 15 ++++++ + arch/xtensa/platforms/xtfpga/lcd.c | 55 +++++++++++++--------- + 5 files changed, 81 insertions(+), 25 deletions(-) + +diff --git a/arch/xtensa/Kconfig b/arch/xtensa/Kconfig +index e31d494..87be10e 100644 +--- a/arch/xtensa/Kconfig ++++ b/arch/xtensa/Kconfig +@@ -428,6 +428,36 @@ config DEFAULT_MEM_SIZE + + If unsure, leave the default value here. + ++config XTFPGA_LCD ++ bool "Enable XTFPGA LCD driver" ++ depends on XTENSA_PLATFORM_XTFPGA ++ default n ++ help ++ There's a 2x16 LCD on most of XTFPGA boards, kernel may output ++ progress messages there during bootup/shutdown. It may be useful ++ during board bringup. ++ ++ If unsure, say N. ++ ++config XTFPGA_LCD_BASE_ADDR ++ hex "XTFPGA LCD base address" ++ depends on XTFPGA_LCD ++ default "0x0d0c0000" ++ help ++ Base address of the LCD controller inside KIO region. ++ Different boards from XTFPGA family have LCD controller at different ++ addresses. Please consult prototyping user guide for your board for ++ the correct address. Wrong address here may lead to hardware lockup. ++ ++config XTFPGA_LCD_8BIT_ACCESS ++ bool "Use 8-bit access to XTFPGA LCD" ++ depends on XTFPGA_LCD ++ default n ++ help ++ LCD may be connected with 4- or 8-bit interface, 8-bit access may ++ only be used with 8-bit interface. Please consult prototyping user ++ guide for your board for the correct interface width. ++ + endmenu + + menu "Executable file formats" +diff --git a/arch/xtensa/platforms/xtfpga/Makefile b/arch/xtensa/platforms/xtfpga/Makefile +index b9ae206..7839d38 100644 +--- a/arch/xtensa/platforms/xtfpga/Makefile ++++ b/arch/xtensa/platforms/xtfpga/Makefile +@@ -6,4 +6,5 @@ + # + # Note 2! The CFLAGS definitions are in the main makefile... + +-obj-y = setup.o lcd.o ++obj-y += setup.o ++obj-$(CONFIG_XTFPGA_LCD) += lcd.o +diff --git a/arch/xtensa/platforms/xtfpga/include/platform/hardware.h b/arch/xtensa/platforms/xtfpga/include/platform/hardware.h +index 6edd20b..4e0af26 100644 +--- a/arch/xtensa/platforms/xtfpga/include/platform/hardware.h ++++ b/arch/xtensa/platforms/xtfpga/include/platform/hardware.h +@@ -40,9 +40,6 @@ + + /* UART */ + #define DUART16552_PADDR (XCHAL_KIO_PADDR + 0x0D050020) +-/* LCD instruction and data addresses. */ +-#define LCD_INSTR_ADDR ((char *)IOADDR(0x0D040000)) +-#define LCD_DATA_ADDR ((char *)IOADDR(0x0D040004)) + + /* Misc. */ + #define XTFPGA_FPGAREGS_VADDR IOADDR(0x0D020000) +diff --git a/arch/xtensa/platforms/xtfpga/include/platform/lcd.h b/arch/xtensa/platforms/xtfpga/include/platform/lcd.h +index 0e43564..4c8541e 100644 +--- a/arch/xtensa/platforms/xtfpga/include/platform/lcd.h ++++ b/arch/xtensa/platforms/xtfpga/include/platform/lcd.h +@@ -11,10 +11,25 @@ + #ifndef __XTENSA_XTAVNET_LCD_H + #define __XTENSA_XTAVNET_LCD_H + ++#ifdef CONFIG_XTFPGA_LCD + /* Display string STR at position POS on the LCD. */ + void lcd_disp_at_pos(char *str, unsigned char pos); + + /* Shift the contents of the LCD display left or right. */ + void lcd_shiftleft(void); + void lcd_shiftright(void); ++#else ++static inline void lcd_disp_at_pos(char *str, unsigned char pos) ++{ ++} ++ ++static inline void lcd_shiftleft(void) ++{ ++} ++ ++static inline void lcd_shiftright(void) ++{ ++} ++#endif ++ + #endif +diff --git a/arch/xtensa/platforms/xtfpga/lcd.c b/arch/xtensa/platforms/xtfpga/lcd.c +index 2872301..4dc0c1b 100644 +--- a/arch/xtensa/platforms/xtfpga/lcd.c ++++ b/arch/xtensa/platforms/xtfpga/lcd.c +@@ -1,50 +1,63 @@ + /* +- * Driver for the LCD display on the Tensilica LX60 Board. ++ * Driver for the LCD display on the Tensilica XTFPGA board family. ++ * http://www.mytechcorp.com/cfdata/productFile/File1/MOC-16216B-B-A0A04.pdf + * + * This file is subject to the terms and conditions of the GNU General Public + * License. See the file "COPYING" in the main directory of this archive + * for more details. + * + * Copyright (C) 2001, 2006 Tensilica Inc. ++ * Copyright (C) 2015 Cadence Design Systems Inc. + */ + +-/* +- * +- * FIXME: this code is from the examples from the LX60 user guide. +- * +- * The lcd_pause function does busy waiting, which is probably not +- * great. Maybe the code could be changed to use kernel timers, or +- * change the hardware to not need to wait. +- */ +- ++#include <linux/delay.h> + #include <linux/init.h> + #include <linux/io.h> + + #include <platform/hardware.h> + #include <platform/lcd.h> +-#include <linux/delay.h> + +-#define LCD_PAUSE_ITERATIONS 4000 ++/* LCD instruction and data addresses. */ ++#define LCD_INSTR_ADDR ((char *)IOADDR(CONFIG_XTFPGA_LCD_BASE_ADDR)) ++#define LCD_DATA_ADDR (LCD_INSTR_ADDR + 4) ++ + #define LCD_CLEAR 0x1 + #define LCD_DISPLAY_ON 0xc + + /* 8bit and 2 lines display */ + #define LCD_DISPLAY_MODE8BIT 0x38 ++#define LCD_DISPLAY_MODE4BIT 0x28 + #define LCD_DISPLAY_POS 0x80 + #define LCD_SHIFT_LEFT 0x18 + #define LCD_SHIFT_RIGHT 0x1c + ++static void lcd_put_byte(u8 *addr, u8 data) ++{ ++#ifdef CONFIG_XTFPGA_LCD_8BIT_ACCESS ++ ACCESS_ONCE(*addr) = data; ++#else ++ ACCESS_ONCE(*addr) = data & 0xf0; ++ ACCESS_ONCE(*addr) = (data << 4) & 0xf0; ++#endif ++} ++ + static int __init lcd_init(void) + { +- *LCD_INSTR_ADDR = LCD_DISPLAY_MODE8BIT; ++ ACCESS_ONCE(*LCD_INSTR_ADDR) = LCD_DISPLAY_MODE8BIT; + mdelay(5); +- *LCD_INSTR_ADDR = LCD_DISPLAY_MODE8BIT; ++ ACCESS_ONCE(*LCD_INSTR_ADDR) = LCD_DISPLAY_MODE8BIT; + udelay(200); +- *LCD_INSTR_ADDR = LCD_DISPLAY_MODE8BIT; ++ ACCESS_ONCE(*LCD_INSTR_ADDR) = LCD_DISPLAY_MODE8BIT; ++ udelay(50); ++#ifndef CONFIG_XTFPGA_LCD_8BIT_ACCESS ++ ACCESS_ONCE(*LCD_INSTR_ADDR) = LCD_DISPLAY_MODE4BIT; ++ udelay(50); ++ lcd_put_byte(LCD_INSTR_ADDR, LCD_DISPLAY_MODE4BIT); + udelay(50); +- *LCD_INSTR_ADDR = LCD_DISPLAY_ON; ++#endif ++ lcd_put_byte(LCD_INSTR_ADDR, LCD_DISPLAY_ON); + udelay(50); +- *LCD_INSTR_ADDR = LCD_CLEAR; ++ lcd_put_byte(LCD_INSTR_ADDR, LCD_CLEAR); + mdelay(10); + lcd_disp_at_pos("XTENSA LINUX", 0); + return 0; +@@ -52,10 +65,10 @@ static int __init lcd_init(void) + + void lcd_disp_at_pos(char *str, unsigned char pos) + { +- *LCD_INSTR_ADDR = LCD_DISPLAY_POS | pos; ++ lcd_put_byte(LCD_INSTR_ADDR, LCD_DISPLAY_POS | pos); + udelay(100); + while (*str != 0) { +- *LCD_DATA_ADDR = *str; ++ lcd_put_byte(LCD_DATA_ADDR, *str); + udelay(200); + str++; + } +@@ -63,13 +76,13 @@ void lcd_disp_at_pos(char *str, unsigned char pos) + + void lcd_shiftleft(void) + { +- *LCD_INSTR_ADDR = LCD_SHIFT_LEFT; ++ lcd_put_byte(LCD_INSTR_ADDR, LCD_SHIFT_LEFT); + udelay(50); + } + + void lcd_shiftright(void) + { +- *LCD_INSTR_ADDR = LCD_SHIFT_RIGHT; ++ lcd_put_byte(LCD_INSTR_ADDR, LCD_SHIFT_RIGHT); + udelay(50); + } + +-- +2.3.6 + + +From 3d421b4703e664742e5f8b80c8f61d64d6435fa2 Mon Sep 17 00:00:00 2001 +From: Max Filippov <jcmvbkbc@gmail.com> +Date: Fri, 27 Feb 2015 11:02:38 +0300 +Subject: [PATCH 158/219] xtensa: provide __NR_sync_file_range2 instead of + __NR_sync_file_range +Cc: mpagano@gentoo.org + +commit 01e84c70fe40c8111f960987bcf7f931842e6d07 upstream. + +xtensa actually uses sync_file_range2 implementation, so it should +define __NR_sync_file_range2 as other architectures that use that +function. That fixes userspace interface (that apparently never worked) +and avoids special-casing xtensa in libc implementations. +See the thread ending at +http://lists.busybox.net/pipermail/uclibc/2015-February/048833.html +for more details. + +Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/xtensa/include/uapi/asm/unistd.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/xtensa/include/uapi/asm/unistd.h b/arch/xtensa/include/uapi/asm/unistd.h +index db5bb72..62d8465 100644 +--- a/arch/xtensa/include/uapi/asm/unistd.h ++++ b/arch/xtensa/include/uapi/asm/unistd.h +@@ -715,7 +715,7 @@ __SYSCALL(323, sys_process_vm_writev, 6) + __SYSCALL(324, sys_name_to_handle_at, 5) + #define __NR_open_by_handle_at 325 + __SYSCALL(325, sys_open_by_handle_at, 3) +-#define __NR_sync_file_range 326 ++#define __NR_sync_file_range2 326 + __SYSCALL(326, sys_sync_file_range2, 6) + #define __NR_perf_event_open 327 + __SYSCALL(327, sys_perf_event_open, 5) +-- +2.3.6 + + +From 63c94a9787fee217938e65b3e11bed2b7179481f Mon Sep 17 00:00:00 2001 +From: Max Filippov <jcmvbkbc@gmail.com> +Date: Fri, 3 Apr 2015 09:56:21 +0300 +Subject: [PATCH 159/219] xtensa: ISS: fix locking in TAP network adapter +Cc: mpagano@gentoo.org + +commit 24e94454c8cb6a13634f5a2f5a01da53a546a58d upstream. + +- don't lock lp->lock in the iss_net_timer for the call of iss_net_poll, + it will lock it itself; +- invert order of lp->lock and opened_lock acquisition in the + iss_net_open to make it consistent with iss_net_poll; +- replace spin_lock with spin_lock_bh when acquiring locks used in + iss_net_timer from non-atomic context; +- replace spin_lock_irqsave with spin_lock_bh in the iss_net_start_xmit + as the driver doesn't use lp->lock in the hard IRQ context; +- replace __SPIN_LOCK_UNLOCKED(lp.lock) with spin_lock_init, otherwise + lockdep is unhappy about using non-static key. + +Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/xtensa/platforms/iss/network.c | 29 +++++++++++++++-------------- + 1 file changed, 15 insertions(+), 14 deletions(-) + +diff --git a/arch/xtensa/platforms/iss/network.c b/arch/xtensa/platforms/iss/network.c +index d05f8fe..17b1ef3 100644 +--- a/arch/xtensa/platforms/iss/network.c ++++ b/arch/xtensa/platforms/iss/network.c +@@ -349,8 +349,8 @@ static void iss_net_timer(unsigned long priv) + { + struct iss_net_private *lp = (struct iss_net_private *)priv; + +- spin_lock(&lp->lock); + iss_net_poll(); ++ spin_lock(&lp->lock); + mod_timer(&lp->timer, jiffies + lp->timer_val); + spin_unlock(&lp->lock); + } +@@ -361,7 +361,7 @@ static int iss_net_open(struct net_device *dev) + struct iss_net_private *lp = netdev_priv(dev); + int err; + +- spin_lock(&lp->lock); ++ spin_lock_bh(&lp->lock); + + err = lp->tp.open(lp); + if (err < 0) +@@ -376,9 +376,11 @@ static int iss_net_open(struct net_device *dev) + while ((err = iss_net_rx(dev)) > 0) + ; + +- spin_lock(&opened_lock); ++ spin_unlock_bh(&lp->lock); ++ spin_lock_bh(&opened_lock); + list_add(&lp->opened_list, &opened); +- spin_unlock(&opened_lock); ++ spin_unlock_bh(&opened_lock); ++ spin_lock_bh(&lp->lock); + + init_timer(&lp->timer); + lp->timer_val = ISS_NET_TIMER_VALUE; +@@ -387,7 +389,7 @@ static int iss_net_open(struct net_device *dev) + mod_timer(&lp->timer, jiffies + lp->timer_val); + + out: +- spin_unlock(&lp->lock); ++ spin_unlock_bh(&lp->lock); + return err; + } + +@@ -395,7 +397,7 @@ static int iss_net_close(struct net_device *dev) + { + struct iss_net_private *lp = netdev_priv(dev); + netif_stop_queue(dev); +- spin_lock(&lp->lock); ++ spin_lock_bh(&lp->lock); + + spin_lock(&opened_lock); + list_del(&opened); +@@ -405,18 +407,17 @@ static int iss_net_close(struct net_device *dev) + + lp->tp.close(lp); + +- spin_unlock(&lp->lock); ++ spin_unlock_bh(&lp->lock); + return 0; + } + + static int iss_net_start_xmit(struct sk_buff *skb, struct net_device *dev) + { + struct iss_net_private *lp = netdev_priv(dev); +- unsigned long flags; + int len; + + netif_stop_queue(dev); +- spin_lock_irqsave(&lp->lock, flags); ++ spin_lock_bh(&lp->lock); + + len = lp->tp.write(lp, &skb); + +@@ -438,7 +439,7 @@ static int iss_net_start_xmit(struct sk_buff *skb, struct net_device *dev) + pr_err("%s: %s failed(%d)\n", dev->name, __func__, len); + } + +- spin_unlock_irqrestore(&lp->lock, flags); ++ spin_unlock_bh(&lp->lock); + + dev_kfree_skb(skb); + return NETDEV_TX_OK; +@@ -466,9 +467,9 @@ static int iss_net_set_mac(struct net_device *dev, void *addr) + + if (!is_valid_ether_addr(hwaddr->sa_data)) + return -EADDRNOTAVAIL; +- spin_lock(&lp->lock); ++ spin_lock_bh(&lp->lock); + memcpy(dev->dev_addr, hwaddr->sa_data, ETH_ALEN); +- spin_unlock(&lp->lock); ++ spin_unlock_bh(&lp->lock); + return 0; + } + +@@ -520,11 +521,11 @@ static int iss_net_configure(int index, char *init) + *lp = (struct iss_net_private) { + .device_list = LIST_HEAD_INIT(lp->device_list), + .opened_list = LIST_HEAD_INIT(lp->opened_list), +- .lock = __SPIN_LOCK_UNLOCKED(lp.lock), + .dev = dev, + .index = index, +- }; ++ }; + ++ spin_lock_init(&lp->lock); + /* + * If this name ends up conflicting with an existing registered + * netdevice, that is OK, register_netdev{,ice}() will notice this +-- +2.3.6 + + +From 6d4724e609d9640755996c9dc8f3f4ee79790957 Mon Sep 17 00:00:00 2001 +From: Gregory CLEMENT <gregory.clement@free-electrons.com> +Date: Thu, 2 Apr 2015 17:11:11 +0200 +Subject: [PATCH 160/219] gpio: mvebu: Fix mask/unmask managment per irq chip + type +Cc: mpagano@gentoo.org + +commit 61819549f572edd7fce53f228c0d8420cdc85f71 upstream. + +Level IRQ handlers and edge IRQ handler are managed by tow different +sets of registers. But currently the driver uses the same mask for the +both registers. It lead to issues with the following scenario: + +First, an IRQ is requested on a GPIO to be triggered on front. After, +this an other IRQ is requested for a GPIO of the same bank but +triggered on level. Then the first one will be also setup to be +triggered on level. It leads to an interrupt storm. + +The different kind of handler are already associated with two +different irq chip type. With this patch the driver uses a private +mask for each one which solves this issue. + +It has been tested on an Armada XP based board and on an Armada 375 +board. For the both boards, with this patch is applied, there is no +such interrupt storm when running the previous scenario. + +This bug was already fixed but in a different way in the legacy +version of this driver by Evgeniy Dushistov: +9ece8839b1277fb9128ff6833411614ab6c88d68 "ARM: orion: Fix for certain +sequence of request_irq can cause irq storm". The fact the new version +of the gpio drive could be affected had been discussed there: +http://thread.gmane.org/gmane.linux.ports.arm.kernel/344670/focus=364012 + +Reported-by: Evgeniy A. Dushistov <dushistov@mail.ru> +Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com> +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/gpio/gpio-mvebu.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpio/gpio-mvebu.c b/drivers/gpio/gpio-mvebu.c +index d0bc123..1a54205 100644 +--- a/drivers/gpio/gpio-mvebu.c ++++ b/drivers/gpio/gpio-mvebu.c +@@ -320,11 +320,13 @@ static void mvebu_gpio_edge_irq_mask(struct irq_data *d) + { + struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d); + struct mvebu_gpio_chip *mvchip = gc->private; ++ struct irq_chip_type *ct = irq_data_get_chip_type(d); + u32 mask = 1 << (d->irq - gc->irq_base); + + irq_gc_lock(gc); +- gc->mask_cache &= ~mask; +- writel_relaxed(gc->mask_cache, mvebu_gpioreg_edge_mask(mvchip)); ++ ct->mask_cache_priv &= ~mask; ++ ++ writel_relaxed(ct->mask_cache_priv, mvebu_gpioreg_edge_mask(mvchip)); + irq_gc_unlock(gc); + } + +@@ -332,11 +334,13 @@ static void mvebu_gpio_edge_irq_unmask(struct irq_data *d) + { + struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d); + struct mvebu_gpio_chip *mvchip = gc->private; ++ struct irq_chip_type *ct = irq_data_get_chip_type(d); ++ + u32 mask = 1 << (d->irq - gc->irq_base); + + irq_gc_lock(gc); +- gc->mask_cache |= mask; +- writel_relaxed(gc->mask_cache, mvebu_gpioreg_edge_mask(mvchip)); ++ ct->mask_cache_priv |= mask; ++ writel_relaxed(ct->mask_cache_priv, mvebu_gpioreg_edge_mask(mvchip)); + irq_gc_unlock(gc); + } + +@@ -344,11 +348,13 @@ static void mvebu_gpio_level_irq_mask(struct irq_data *d) + { + struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d); + struct mvebu_gpio_chip *mvchip = gc->private; ++ struct irq_chip_type *ct = irq_data_get_chip_type(d); ++ + u32 mask = 1 << (d->irq - gc->irq_base); + + irq_gc_lock(gc); +- gc->mask_cache &= ~mask; +- writel_relaxed(gc->mask_cache, mvebu_gpioreg_level_mask(mvchip)); ++ ct->mask_cache_priv &= ~mask; ++ writel_relaxed(ct->mask_cache_priv, mvebu_gpioreg_level_mask(mvchip)); + irq_gc_unlock(gc); + } + +@@ -356,11 +362,13 @@ static void mvebu_gpio_level_irq_unmask(struct irq_data *d) + { + struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d); + struct mvebu_gpio_chip *mvchip = gc->private; ++ struct irq_chip_type *ct = irq_data_get_chip_type(d); ++ + u32 mask = 1 << (d->irq - gc->irq_base); + + irq_gc_lock(gc); +- gc->mask_cache |= mask; +- writel_relaxed(gc->mask_cache, mvebu_gpioreg_level_mask(mvchip)); ++ ct->mask_cache_priv |= mask; ++ writel_relaxed(ct->mask_cache_priv, mvebu_gpioreg_level_mask(mvchip)); + irq_gc_unlock(gc); + } + +-- +2.3.6 + + +From fb8e85723598714f519a827184910324690e2896 Mon Sep 17 00:00:00 2001 +From: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> +Date: Fri, 27 Mar 2015 17:27:10 +0100 +Subject: [PATCH 161/219] clk: samsung: exynos4: Disable ARMCLK down feature on + Exynos4210 SoC +Cc: mpagano@gentoo.org + +commit 3a9e9cb65be84d6c64fbe9c69a73c15d59f29454 upstream. + +Commit 42773b28e71d ("clk: samsung: exynos4: Enable ARMCLK +down feature") enabled ARMCLK down feature on all Exynos4 +SoCs. Unfortunately on Exynos4210 SoC ARMCLK down feature +causes a lockup when ondemand cpufreq governor is used. +Fix it by limiting ARMCLK down feature to Exynos4x12 SoCs. + +This patch was tested on: +- Exynos4210 SoC based Trats board +- Exynos4210 SoC based Origen board +- Exynos4412 SoC based Trats2 board +- Exynos4412 SoC based Odroid-U3 board + +Cc: Daniel Drake <drake@endlessm.com> +Cc: Tomasz Figa <t.figa@samsung.com> +Cc: Kukjin Kim <kgene@kernel.org> +Fixes: 42773b28e71d ("clk: samsung: exynos4: Enable ARMCLK down feature") +Reviewed-by: Krzysztof Kozlowski <k.kozlowski@samsung.com> +Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> +Signed-off-by: Michael Turquette <mturquette@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/clk/samsung/clk-exynos4.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/samsung/clk-exynos4.c b/drivers/clk/samsung/clk-exynos4.c +index 51462e8..714d6ba 100644 +--- a/drivers/clk/samsung/clk-exynos4.c ++++ b/drivers/clk/samsung/clk-exynos4.c +@@ -1354,7 +1354,7 @@ static struct samsung_pll_clock exynos4x12_plls[nr_plls] __initdata = { + VPLL_LOCK, VPLL_CON0, NULL), + }; + +-static void __init exynos4_core_down_clock(enum exynos4_soc soc) ++static void __init exynos4x12_core_down_clock(void) + { + unsigned int tmp; + +@@ -1373,11 +1373,9 @@ static void __init exynos4_core_down_clock(enum exynos4_soc soc) + __raw_writel(tmp, reg_base + PWR_CTRL1); + + /* +- * Disable the clock up feature on Exynos4x12, in case it was +- * enabled by bootloader. ++ * Disable the clock up feature in case it was enabled by bootloader. + */ +- if (exynos4_soc == EXYNOS4X12) +- __raw_writel(0x0, reg_base + E4X12_PWR_CTRL2); ++ __raw_writel(0x0, reg_base + E4X12_PWR_CTRL2); + } + + /* register exynos4 clocks */ +@@ -1474,7 +1472,8 @@ static void __init exynos4_clk_init(struct device_node *np, + samsung_clk_register_alias(ctx, exynos4_aliases, + ARRAY_SIZE(exynos4_aliases)); + +- exynos4_core_down_clock(soc); ++ if (soc == EXYNOS4X12) ++ exynos4x12_core_down_clock(); + exynos4_clk_sleep_init(); + + samsung_clk_of_add_provider(np, ctx); +-- +2.3.6 + + +From 41761ed1e3b457699c416c4e5eea1c86aa2d307c Mon Sep 17 00:00:00 2001 +From: Thierry Reding <treding@nvidia.com> +Date: Mon, 23 Mar 2015 10:57:46 +0100 +Subject: [PATCH 162/219] clk: tegra: Register the proper number of resets +Cc: mpagano@gentoo.org + +commit 5e43e259171e1eee8bc074d9c44be434e685087b upstream. + +The number of resets controls is 32 times the number of peripheral +register banks rather than 32 times the number of clocks. This reduces +(drastically) the number of reset controls registered from 10080 (315 +clocks * 32) to 224 (6 peripheral register banks * 32). + +This also fixes a potential crash because trying to use any of the +excess reset controls (224-10079) would have caused accesses beyond +the array bounds of the peripheral register banks definition array. + +Cc: Peter De Schrijver <pdeschrijver@nvidia.com> +Cc: Prashant Gaikwad <pgaikwad@nvidia.com> +Fixes: 6d5b988e7dc5 ("clk: tegra: implement a reset driver") +Signed-off-by: Thierry Reding <treding@nvidia.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/clk/tegra/clk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/tegra/clk.c b/drivers/clk/tegra/clk.c +index 9ddb754..7a1df61 100644 +--- a/drivers/clk/tegra/clk.c ++++ b/drivers/clk/tegra/clk.c +@@ -272,7 +272,7 @@ void __init tegra_add_of_provider(struct device_node *np) + of_clk_add_provider(np, of_clk_src_onecell_get, &clk_data); + + rst_ctlr.of_node = np; +- rst_ctlr.nr_resets = clk_num * 32; ++ rst_ctlr.nr_resets = periph_banks * 32; + reset_controller_register(&rst_ctlr); + } + +-- +2.3.6 + + +From 7c646709786798cd41b4e2feb7f9136214169c92 Mon Sep 17 00:00:00 2001 +From: Thierry Reding <treding@nvidia.com> +Date: Thu, 26 Mar 2015 17:53:01 +0100 +Subject: [PATCH 163/219] clk: tegra: Use the proper parent for plld_dsi +Cc: mpagano@gentoo.org + +commit c1d676cec572544616273d5853cb7cc38fbaa62b upstream. + +The current parent, plld_out0, does not exist. The proper name is +pll_d_out0. While at it, rename the plld_dsi clock to pll_d_dsi_out to +be more consistent with other clock names. + +Fixes: b270491eb9a0 ("clk: tegra: Define PLLD_DSI and remove dsia(b)_mux") +Signed-off-by: Thierry Reding <treding@nvidia.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/clk/tegra/clk-tegra124.c | 14 ++++++++------ + include/dt-bindings/clock/tegra124-car-common.h | 2 +- + 2 files changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/clk/tegra/clk-tegra124.c b/drivers/clk/tegra/clk-tegra124.c +index 9a893f2..23ce0af 100644 +--- a/drivers/clk/tegra/clk-tegra124.c ++++ b/drivers/clk/tegra/clk-tegra124.c +@@ -1110,16 +1110,18 @@ static __init void tegra124_periph_clk_init(void __iomem *clk_base, + 1, 2); + clks[TEGRA124_CLK_XUSB_SS_DIV2] = clk; + +- clk = clk_register_gate(NULL, "plld_dsi", "plld_out0", 0, ++ clk = clk_register_gate(NULL, "pll_d_dsi_out", "pll_d_out0", 0, + clk_base + PLLD_MISC, 30, 0, &pll_d_lock); +- clks[TEGRA124_CLK_PLLD_DSI] = clk; ++ clks[TEGRA124_CLK_PLL_D_DSI_OUT] = clk; + +- clk = tegra_clk_register_periph_gate("dsia", "plld_dsi", 0, clk_base, +- 0, 48, periph_clk_enb_refcnt); ++ clk = tegra_clk_register_periph_gate("dsia", "pll_d_dsi_out", 0, ++ clk_base, 0, 48, ++ periph_clk_enb_refcnt); + clks[TEGRA124_CLK_DSIA] = clk; + +- clk = tegra_clk_register_periph_gate("dsib", "plld_dsi", 0, clk_base, +- 0, 82, periph_clk_enb_refcnt); ++ clk = tegra_clk_register_periph_gate("dsib", "pll_d_dsi_out", 0, ++ clk_base, 0, 82, ++ periph_clk_enb_refcnt); + clks[TEGRA124_CLK_DSIB] = clk; + + /* emc mux */ +diff --git a/include/dt-bindings/clock/tegra124-car-common.h b/include/dt-bindings/clock/tegra124-car-common.h +index ae2eb17..a215609 100644 +--- a/include/dt-bindings/clock/tegra124-car-common.h ++++ b/include/dt-bindings/clock/tegra124-car-common.h +@@ -297,7 +297,7 @@ + #define TEGRA124_CLK_PLL_C4 270 + #define TEGRA124_CLK_PLL_DP 271 + #define TEGRA124_CLK_PLL_E_MUX 272 +-#define TEGRA124_CLK_PLLD_DSI 273 ++#define TEGRA124_CLK_PLL_D_DSI_OUT 273 + /* 274 */ + /* 275 */ + /* 276 */ +-- +2.3.6 + + +From 1d77b1031e7230917ed6c8fd1ac82f18a9c33c9d Mon Sep 17 00:00:00 2001 +From: Stephen Boyd <sboyd@codeaurora.org> +Date: Mon, 23 Feb 2015 13:30:28 -0800 +Subject: [PATCH 164/219] clk: qcom: Fix i2c frequency table +Cc: mpagano@gentoo.org + +commit 0bf0ff82c34da02ee5795101b328225a2d519594 upstream. + +PXO is 25MHz, not 27MHz. Fix the table. + +Fixes: 24d8fba44af3 "clk: qcom: Add support for IPQ8064's global +clock controller (GCC)" + +Signed-off-by: Stephen Boyd <sboyd@codeaurora.org> +Reviewed-by: Andy Gross <agross@codeaurora.org> +Tested-by: Andy Gross <agross@codeaurora.org> +Signed-off-by: Michael Turquette <mturquette@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/clk/qcom/gcc-ipq806x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/qcom/gcc-ipq806x.c b/drivers/clk/qcom/gcc-ipq806x.c +index cbdc31d..a015bb0 100644 +--- a/drivers/clk/qcom/gcc-ipq806x.c ++++ b/drivers/clk/qcom/gcc-ipq806x.c +@@ -525,8 +525,8 @@ static struct freq_tbl clk_tbl_gsbi_qup[] = { + { 10800000, P_PXO, 1, 2, 5 }, + { 15060000, P_PLL8, 1, 2, 51 }, + { 24000000, P_PLL8, 4, 1, 4 }, ++ { 25000000, P_PXO, 1, 0, 0 }, + { 25600000, P_PLL8, 1, 1, 15 }, +- { 27000000, P_PXO, 1, 0, 0 }, + { 48000000, P_PLL8, 4, 1, 2 }, + { 51200000, P_PLL8, 1, 2, 15 }, + { } +-- +2.3.6 + + +From 6761ec536ade4be25c5b846e71f96c8ecdc08347 Mon Sep 17 00:00:00 2001 +From: Stephen Boyd <sboyd@codeaurora.org> +Date: Fri, 6 Mar 2015 15:41:53 -0800 +Subject: [PATCH 165/219] clk: qcom: Properly change rates for ahbix clock +Cc: mpagano@gentoo.org + +commit 9d3745d44a7faa7d24db7facb1949a1378162f3e upstream. + +The ahbix clock can never be turned off in practice. To change the +rates we need to switch the mux off the M/N counter to an always on +source (XO), reprogram the M/N counter to get the rate we want and +finally switch back to the M/N counter. Add a new ops structure +for this type of clock so that we can set the rate properly. + +Fixes: c99e515a92e9 "clk: qcom: Add IPQ806X LPASS clock controller (LCC) driver" +Tested-by: Kenneth Westfield <kwestfie@codeaurora.org> +Signed-off-by: Stephen Boyd <sboyd@codeaurora.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/clk/qcom/clk-rcg.c | 62 ++++++++++++++++++++++++++++++++++++++++++ + drivers/clk/qcom/clk-rcg.h | 1 + + drivers/clk/qcom/lcc-ipq806x.c | 5 ++-- + 3 files changed, 65 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/qcom/clk-rcg.c b/drivers/clk/qcom/clk-rcg.c +index 0039bd7..466f30c 100644 +--- a/drivers/clk/qcom/clk-rcg.c ++++ b/drivers/clk/qcom/clk-rcg.c +@@ -495,6 +495,57 @@ static int clk_rcg_bypass_set_rate(struct clk_hw *hw, unsigned long rate, + return __clk_rcg_set_rate(rcg, rcg->freq_tbl); + } + ++/* ++ * This type of clock has a glitch-free mux that switches between the output of ++ * the M/N counter and an always on clock source (XO). When clk_set_rate() is ++ * called we need to make sure that we don't switch to the M/N counter if it ++ * isn't clocking because the mux will get stuck and the clock will stop ++ * outputting a clock. This can happen if the framework isn't aware that this ++ * clock is on and so clk_set_rate() doesn't turn on the new parent. To fix ++ * this we switch the mux in the enable/disable ops and reprogram the M/N ++ * counter in the set_rate op. We also make sure to switch away from the M/N ++ * counter in set_rate if software thinks the clock is off. ++ */ ++static int clk_rcg_lcc_set_rate(struct clk_hw *hw, unsigned long rate, ++ unsigned long parent_rate) ++{ ++ struct clk_rcg *rcg = to_clk_rcg(hw); ++ const struct freq_tbl *f; ++ int ret; ++ u32 gfm = BIT(10); ++ ++ f = qcom_find_freq(rcg->freq_tbl, rate); ++ if (!f) ++ return -EINVAL; ++ ++ /* Switch to XO to avoid glitches */ ++ regmap_update_bits(rcg->clkr.regmap, rcg->ns_reg, gfm, 0); ++ ret = __clk_rcg_set_rate(rcg, f); ++ /* Switch back to M/N if it's clocking */ ++ if (__clk_is_enabled(hw->clk)) ++ regmap_update_bits(rcg->clkr.regmap, rcg->ns_reg, gfm, gfm); ++ ++ return ret; ++} ++ ++static int clk_rcg_lcc_enable(struct clk_hw *hw) ++{ ++ struct clk_rcg *rcg = to_clk_rcg(hw); ++ u32 gfm = BIT(10); ++ ++ /* Use M/N */ ++ return regmap_update_bits(rcg->clkr.regmap, rcg->ns_reg, gfm, gfm); ++} ++ ++static void clk_rcg_lcc_disable(struct clk_hw *hw) ++{ ++ struct clk_rcg *rcg = to_clk_rcg(hw); ++ u32 gfm = BIT(10); ++ ++ /* Use XO */ ++ regmap_update_bits(rcg->clkr.regmap, rcg->ns_reg, gfm, 0); ++} ++ + static int __clk_dyn_rcg_set_rate(struct clk_hw *hw, unsigned long rate) + { + struct clk_dyn_rcg *rcg = to_clk_dyn_rcg(hw); +@@ -543,6 +594,17 @@ const struct clk_ops clk_rcg_bypass_ops = { + }; + EXPORT_SYMBOL_GPL(clk_rcg_bypass_ops); + ++const struct clk_ops clk_rcg_lcc_ops = { ++ .enable = clk_rcg_lcc_enable, ++ .disable = clk_rcg_lcc_disable, ++ .get_parent = clk_rcg_get_parent, ++ .set_parent = clk_rcg_set_parent, ++ .recalc_rate = clk_rcg_recalc_rate, ++ .determine_rate = clk_rcg_determine_rate, ++ .set_rate = clk_rcg_lcc_set_rate, ++}; ++EXPORT_SYMBOL_GPL(clk_rcg_lcc_ops); ++ + const struct clk_ops clk_dyn_rcg_ops = { + .enable = clk_enable_regmap, + .is_enabled = clk_is_enabled_regmap, +diff --git a/drivers/clk/qcom/clk-rcg.h b/drivers/clk/qcom/clk-rcg.h +index 687e41f..d09d06b 100644 +--- a/drivers/clk/qcom/clk-rcg.h ++++ b/drivers/clk/qcom/clk-rcg.h +@@ -96,6 +96,7 @@ struct clk_rcg { + + extern const struct clk_ops clk_rcg_ops; + extern const struct clk_ops clk_rcg_bypass_ops; ++extern const struct clk_ops clk_rcg_lcc_ops; + + #define to_clk_rcg(_hw) container_of(to_clk_regmap(_hw), struct clk_rcg, clkr) + +diff --git a/drivers/clk/qcom/lcc-ipq806x.c b/drivers/clk/qcom/lcc-ipq806x.c +index c9ff27b..19378b0 100644 +--- a/drivers/clk/qcom/lcc-ipq806x.c ++++ b/drivers/clk/qcom/lcc-ipq806x.c +@@ -386,13 +386,12 @@ static struct clk_rcg ahbix_clk = { + .freq_tbl = clk_tbl_ahbix, + .clkr = { + .enable_reg = 0x38, +- .enable_mask = BIT(10), /* toggle the gfmux to select mn/pxo */ ++ .enable_mask = BIT(11), + .hw.init = &(struct clk_init_data){ + .name = "ahbix", + .parent_names = lcc_pxo_pll4, + .num_parents = 2, +- .ops = &clk_rcg_ops, +- .flags = CLK_SET_RATE_GATE, ++ .ops = &clk_rcg_lcc_ops, + }, + }, + }; +-- +2.3.6 + + +From 0602addf5fe488d8ced792e6a8f7da073516d33b Mon Sep 17 00:00:00 2001 +From: Archit Taneja <architt@codeaurora.org> +Date: Wed, 4 Mar 2015 15:19:35 +0530 +Subject: [PATCH 166/219] clk: qcom: fix RCG M/N counter configuration +Cc: mpagano@gentoo.org + +commit 0b21503dbbfa669dbd847b33578d4041513cddb2 upstream. + +Currently, a RCG's M/N counter (used for fraction division) is +set to either 'bypass' (counter disabled) or 'dual edge' (counter +enabled) based on whether the corresponding rcg struct has a mnd +field specified and a non-zero N. + +In the case where M and N are the same value, the M/N counter is +still enabled by code even though no division takes place. +Leaving the RCG in such a state can result in improper behavior. +This was observed with the DSI pixel clock RCG when M and N were +both set to 1. + +Add an additional check (M != N) to enable the M/N counter only +when it's needed for fraction division. + +Signed-off-by: Archit Taneja <architt@codeaurora.org> +Fixes: bcd61c0f535a (clk: qcom: Add support for root clock +generators (RCGs)) +Signed-off-by: Stephen Boyd <sboyd@codeaurora.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/clk/qcom/clk-rcg2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/qcom/clk-rcg2.c b/drivers/clk/qcom/clk-rcg2.c +index 742acfa..381f274 100644 +--- a/drivers/clk/qcom/clk-rcg2.c ++++ b/drivers/clk/qcom/clk-rcg2.c +@@ -243,7 +243,7 @@ static int clk_rcg2_configure(struct clk_rcg2 *rcg, const struct freq_tbl *f) + mask |= CFG_SRC_SEL_MASK | CFG_MODE_MASK; + cfg = f->pre_div << CFG_SRC_DIV_SHIFT; + cfg |= rcg->parent_map[f->src] << CFG_SRC_SEL_SHIFT; +- if (rcg->mnd_width && f->n) ++ if (rcg->mnd_width && f->n && (f->m != f->n)) + cfg |= CFG_MODE_DUAL_EDGE; + ret = regmap_update_bits(rcg->clkr.regmap, + rcg->cmd_rcgr + CFG_REG, mask, cfg); +-- +2.3.6 + + +From ea8ae530984cacf55cebc6a12bc43061f1dd41ed Mon Sep 17 00:00:00 2001 +From: Stephen Boyd <sboyd@codeaurora.org> +Date: Thu, 26 Feb 2015 19:34:35 -0800 +Subject: [PATCH 167/219] clk: qcom: Fix ipq806x LCC frequency tables +Cc: mpagano@gentoo.org + +commit b3261d768bcdd4b368179ed85becf38c95461848 upstream. + +These frequency tables list the wrong rates. Either they don't +have the correct frequency at all, or they're specified in kHz +instead of Hz. Fix it. + +Fixes: c99e515a92e9 "clk: qcom: Add IPQ806X LPASS clock controller (LCC) driver" +Tested-by: Kenneth Westfield <kwestfie@codeaurora.org> +Signed-off-by: Stephen Boyd <sboyd@codeaurora.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/clk/qcom/lcc-ipq806x.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/clk/qcom/lcc-ipq806x.c b/drivers/clk/qcom/lcc-ipq806x.c +index 19378b0..a6d3a67 100644 +--- a/drivers/clk/qcom/lcc-ipq806x.c ++++ b/drivers/clk/qcom/lcc-ipq806x.c +@@ -294,14 +294,14 @@ static struct clk_regmap_mux pcm_clk = { + }; + + static struct freq_tbl clk_tbl_aif_osr[] = { +- { 22050, P_PLL4, 1, 147, 20480 }, +- { 32000, P_PLL4, 1, 1, 96 }, +- { 44100, P_PLL4, 1, 147, 10240 }, +- { 48000, P_PLL4, 1, 1, 64 }, +- { 88200, P_PLL4, 1, 147, 5120 }, +- { 96000, P_PLL4, 1, 1, 32 }, +- { 176400, P_PLL4, 1, 147, 2560 }, +- { 192000, P_PLL4, 1, 1, 16 }, ++ { 2822400, P_PLL4, 1, 147, 20480 }, ++ { 4096000, P_PLL4, 1, 1, 96 }, ++ { 5644800, P_PLL4, 1, 147, 10240 }, ++ { 6144000, P_PLL4, 1, 1, 64 }, ++ { 11289600, P_PLL4, 1, 147, 5120 }, ++ { 12288000, P_PLL4, 1, 1, 32 }, ++ { 22579200, P_PLL4, 1, 147, 2560 }, ++ { 24576000, P_PLL4, 1, 1, 16 }, + { }, + }; + +@@ -360,7 +360,7 @@ static struct clk_branch spdif_clk = { + }; + + static struct freq_tbl clk_tbl_ahbix[] = { +- { 131072, P_PLL4, 1, 1, 3 }, ++ { 131072000, P_PLL4, 1, 1, 3 }, + { }, + }; + +-- +2.3.6 + + +From b1c9b99dda6dfe49023214a772ff59debfaa6824 Mon Sep 17 00:00:00 2001 +From: Ben Collins <ben.c@servergy.com> +Date: Fri, 3 Apr 2015 16:09:46 +0000 +Subject: [PATCH 168/219] dm crypt: fix deadlock when async crypto algorithm + returns -EBUSY +Cc: mpagano@gentoo.org + +commit 0618764cb25f6fa9fb31152995de42a8a0496475 upstream. + +I suspect this doesn't show up for most anyone because software +algorithms typically don't have a sense of being too busy. However, +when working with the Freescale CAAM driver it will return -EBUSY on +occasion under heavy -- which resulted in dm-crypt deadlock. + +After checking the logic in some other drivers, the scheme for +crypt_convert() and it's callback, kcryptd_async_done(), were not +correctly laid out to properly handle -EBUSY or -EINPROGRESS. + +Fix this by using the completion for both -EBUSY and -EINPROGRESS. Now +crypt_convert()'s use of completion is comparable to +af_alg_wait_for_completion(). Similarly, kcryptd_async_done() follows +the pattern used in af_alg_complete(). + +Before this fix dm-crypt would lockup within 1-2 minutes running with +the CAAM driver. Fix was regression tested against software algorithms +on PPC32 and x86_64, and things seem perfectly happy there as well. + +Signed-off-by: Ben Collins <ben.c@servergy.com> +Signed-off-by: Mike Snitzer <snitzer@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/md/dm-crypt.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c +index 713a962..41473929 100644 +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -925,11 +925,10 @@ static int crypt_convert(struct crypt_config *cc, + + switch (r) { + /* async */ ++ case -EINPROGRESS: + case -EBUSY: + wait_for_completion(&ctx->restart); + reinit_completion(&ctx->restart); +- /* fall through*/ +- case -EINPROGRESS: + ctx->req = NULL; + ctx->cc_sector++; + continue; +@@ -1346,10 +1345,8 @@ static void kcryptd_async_done(struct crypto_async_request *async_req, + struct dm_crypt_io *io = container_of(ctx, struct dm_crypt_io, ctx); + struct crypt_config *cc = io->cc; + +- if (error == -EINPROGRESS) { +- complete(&ctx->restart); ++ if (error == -EINPROGRESS) + return; +- } + + if (!error && cc->iv_gen_ops && cc->iv_gen_ops->post) + error = cc->iv_gen_ops->post(cc, iv_of_dmreq(cc, dmreq), dmreq); +@@ -1360,12 +1357,15 @@ static void kcryptd_async_done(struct crypto_async_request *async_req, + crypt_free_req(cc, req_of_dmreq(cc, dmreq), io->base_bio); + + if (!atomic_dec_and_test(&ctx->cc_pending)) +- return; ++ goto done; + + if (bio_data_dir(io->base_bio) == READ) + kcryptd_crypt_read_done(io); + else + kcryptd_crypt_write_io_submit(io, 1); ++done: ++ if (!completion_done(&ctx->restart)) ++ complete(&ctx->restart); + } + + static void kcryptd_crypt(struct work_struct *work) +-- +2.3.6 + + +From 39b991a4765e2f7bd2faa383c66df5237117a8bb Mon Sep 17 00:00:00 2001 +From: Ken Xue <Ken.Xue@amd.com> +Date: Mon, 9 Mar 2015 17:10:13 +0800 +Subject: [PATCH 169/219] serial: 8250_dw: add support for AMD SOC Carrizo +Cc: mpagano@gentoo.org + +commit 5ef86b74209db33c133b5f18738dd8f3189b63a1 upstream. + +Add ACPI identifier for UART on AMD SOC Carrizo. + +Signed-off-by: Ken Xue <Ken.Xue@amd.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/tty/serial/8250/8250_dw.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/tty/serial/8250/8250_dw.c b/drivers/tty/serial/8250/8250_dw.c +index 6ae5b85..7a80250 100644 +--- a/drivers/tty/serial/8250/8250_dw.c ++++ b/drivers/tty/serial/8250/8250_dw.c +@@ -629,6 +629,7 @@ static const struct acpi_device_id dw8250_acpi_match[] = { + { "80860F0A", 0 }, + { "8086228A", 0 }, + { "APMC0D08", 0}, ++ { "AMD0020", 0 }, + { }, + }; + MODULE_DEVICE_TABLE(acpi, dw8250_acpi_match); +-- +2.3.6 + + +From 8067aec1b07ce3f80c8209eb3589abdf38753ac1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de> +Date: Tue, 24 Feb 2015 11:17:05 +0100 +Subject: [PATCH 170/219] serial: imx: Fix clearing of receiver overrun flag +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Cc: mpagano@gentoo.org + +commit 91555ce9012557b2d621d7b0b6ec694218a2a9bc upstream. + +The writeable bits in the USR2 register are all "write 1 to +clear" so only write the bits that actually should be cleared. + +Fixes: f1f836e4209e ("serial: imx: Add Rx Fifo overrun error message") +Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/tty/serial/imx.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c +index 0eb29b1..2306191 100644 +--- a/drivers/tty/serial/imx.c ++++ b/drivers/tty/serial/imx.c +@@ -818,7 +818,7 @@ static irqreturn_t imx_int(int irq, void *dev_id) + if (sts2 & USR2_ORE) { + dev_err(sport->port.dev, "Rx FIFO overrun\n"); + sport->port.icount.overrun++; +- writel(sts2 | USR2_ORE, sport->port.membase + USR2); ++ writel(USR2_ORE, sport->port.membase + USR2); + } + + return IRQ_HANDLED; +@@ -1181,10 +1181,12 @@ static int imx_startup(struct uart_port *port) + imx_uart_dma_init(sport); + + spin_lock_irqsave(&sport->port.lock, flags); ++ + /* + * Finally, clear and enable interrupts + */ + writel(USR1_RTSD, sport->port.membase + USR1); ++ writel(USR2_ORE, sport->port.membase + USR2); + + if (sport->dma_is_inited && !sport->dma_is_enabled) + imx_enable_dma(sport); +@@ -1199,10 +1201,6 @@ static int imx_startup(struct uart_port *port) + + writel(temp, sport->port.membase + UCR1); + +- /* Clear any pending ORE flag before enabling interrupt */ +- temp = readl(sport->port.membase + USR2); +- writel(temp | USR2_ORE, sport->port.membase + USR2); +- + temp = readl(sport->port.membase + UCR4); + temp |= UCR4_OREN; + writel(temp, sport->port.membase + UCR4); +-- +2.3.6 + + +From cc1064fc8f1d71f9c3429e6bdd8129629fc39784 Mon Sep 17 00:00:00 2001 +From: Peter Hurley <peter@hurleysoftware.com> +Date: Mon, 9 Mar 2015 14:05:01 -0400 +Subject: [PATCH 171/219] serial: 8250: Check UART_SCR is writable +Cc: mpagano@gentoo.org + +commit f01a0bd8921b9d6668d41fae3198970e6318f532 upstream. + +Au1x00/RT2800+ doesn't implement the 8250 scratch register (and +this may be true of other h/w currently supported by the 8250 driver); +read back the canary value written to the scratch register to enable +the console h/w restart after resume from system suspend. + +Fixes: 4516d50aabedb ("serial: 8250: Use canary to restart console ...") +Reported-by: Mason <slash.tmp@free.fr> +Signed-off-by: Peter Hurley <peter@hurleysoftware.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/tty/serial/8250/8250_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c +index deae122..d465ace 100644 +--- a/drivers/tty/serial/8250/8250_core.c ++++ b/drivers/tty/serial/8250/8250_core.c +@@ -3444,7 +3444,8 @@ void serial8250_suspend_port(int line) + port->type != PORT_8250) { + unsigned char canary = 0xa5; + serial_out(up, UART_SCR, canary); +- up->canary = canary; ++ if (serial_in(up, UART_SCR) == canary) ++ up->canary = canary; + } + + uart_suspend_port(&serial8250_reg, port); +-- +2.3.6 + + +From 5cd06dd45f7cc5c15517266a61f8051ec16912ff Mon Sep 17 00:00:00 2001 +From: "Martin K. Petersen" <martin.petersen@oracle.com> +Date: Tue, 14 Apr 2015 16:56:23 -0400 +Subject: [PATCH 172/219] sd: Unregister integrity profile +Cc: mpagano@gentoo.org + +commit e727c42bd55794765c460b7ac2b6cc969f2a9698 upstream. + +The new integrity code did not correctly unregister the profile for SD +disks. Call blk_integrity_unregister() when we release a disk. + +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +Reported-by: Sagi Grimberg <sagig@dev.mellanox.co.il> +Tested-by: Sagi Grimberg <sagig@mellanox.com> +Signed-off-by: James Bottomley <JBottomley@Odin.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/scsi/sd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index 6b78476..3290a3e 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -3100,6 +3100,7 @@ static void scsi_disk_release(struct device *dev) + ida_remove(&sd_index_ida, sdkp->index); + spin_unlock(&sd_index_lock); + ++ blk_integrity_unregister(disk); + disk->private_data = NULL; + put_disk(disk); + put_device(&sdkp->device->sdev_gendev); +-- +2.3.6 + + +From 5c87838eadeb1a63546e36f76917241d8fa6ea52 Mon Sep 17 00:00:00 2001 +From: "Martin K. Petersen" <martin.petersen@oracle.com> +Date: Tue, 14 Apr 2015 17:11:03 -0400 +Subject: [PATCH 173/219] sd: Fix missing ATO tag check +Cc: mpagano@gentoo.org + +commit e557990e358934fb168d30371c9c0f63e314c6b8 upstream. + +3aec2f41a8bae introduced a merge error where we would end up check for +sdkp instead of sdkp->ATO. Fix this so we register app tag capability +correctly. + +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +Reviewed-by: Sagi Grimberg <sagig@mellanox.com> +Signed-off-by: James Bottomley <JBottomley@Odin.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/scsi/sd_dif.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/sd_dif.c b/drivers/scsi/sd_dif.c +index 14c7d42..5c06d29 100644 +--- a/drivers/scsi/sd_dif.c ++++ b/drivers/scsi/sd_dif.c +@@ -77,7 +77,7 @@ void sd_dif_config_host(struct scsi_disk *sdkp) + + disk->integrity->flags |= BLK_INTEGRITY_DEVICE_CAPABLE; + +- if (!sdkp) ++ if (!sdkp->ATO) + return; + + if (type == SD_DIF_TYPE3_PROTECTION) +-- +2.3.6 + + +From b9b4320c38bf2fadfd9299c36165c46f131200e0 Mon Sep 17 00:00:00 2001 +From: "K. Y. Srinivasan" <kys@microsoft.com> +Date: Fri, 27 Feb 2015 11:26:04 -0800 +Subject: [PATCH 174/219] Drivers: hv: vmbus: Fix a bug in the error path in + vmbus_open() +Cc: mpagano@gentoo.org + +commit 40384e4bbeb9f2651fe9bffc0062d9f31ef625bf upstream. + +Correctly rollback state if the failure occurs after we have handed over +the ownership of the buffer to the host. + +Signed-off-by: K. Y. Srinivasan <kys@microsoft.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/hv/channel.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c +index 2978f5e..00bc30e 100644 +--- a/drivers/hv/channel.c ++++ b/drivers/hv/channel.c +@@ -135,7 +135,7 @@ int vmbus_open(struct vmbus_channel *newchannel, u32 send_ringbuffer_size, + GFP_KERNEL); + if (!open_info) { + err = -ENOMEM; +- goto error0; ++ goto error_gpadl; + } + + init_completion(&open_info->waitevent); +@@ -151,7 +151,7 @@ int vmbus_open(struct vmbus_channel *newchannel, u32 send_ringbuffer_size, + + if (userdatalen > MAX_USER_DEFINED_BYTES) { + err = -EINVAL; +- goto error0; ++ goto error_gpadl; + } + + if (userdatalen) +@@ -195,6 +195,9 @@ error1: + list_del(&open_info->msglistentry); + spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags); + ++error_gpadl: ++ vmbus_teardown_gpadl(newchannel, newchannel->ringbuffer_gpadlhandle); ++ + error0: + free_pages((unsigned long)out, + get_order(send_ringbuffer_size + recv_ringbuffer_size)); +-- +2.3.6 + + +From 1f77a24829ac6dbe9a942752ee15054d403653d9 Mon Sep 17 00:00:00 2001 +From: James Bottomley <JBottomley@Odin.com> +Date: Wed, 15 Apr 2015 22:16:01 -0700 +Subject: [PATCH 175/219] mvsas: fix panic on expander attached SATA devices +Cc: mpagano@gentoo.org + +commit 56cbd0ccc1b508de19561211d7ab9e1c77e6b384 upstream. + +mvsas is giving a General protection fault when it encounters an expander +attached ATA device. Analysis of mvs_task_prep_ata() shows that the driver is +assuming all ATA devices are locally attached and obtaining the phy mask by +indexing the local phy table (in the HBA structure) with the phy id. Since +expanders have many more phys than the HBA, this is causing the index into the +HBA phy table to overflow and returning rubbish as the pointer. + +mvs_task_prep_ssp() instead does the phy mask using the port properties. +Mirror this in mvs_task_prep_ata() to fix the panic. + +Reported-by: Adam Talbot <ajtalbot1@gmail.com> +Tested-by: Adam Talbot <ajtalbot1@gmail.com> +Signed-off-by: James Bottomley <JBottomley@Odin.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/scsi/mvsas/mv_sas.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c +index 2d5ab6d..454536c 100644 +--- a/drivers/scsi/mvsas/mv_sas.c ++++ b/drivers/scsi/mvsas/mv_sas.c +@@ -441,14 +441,11 @@ static u32 mvs_get_ncq_tag(struct sas_task *task, u32 *tag) + static int mvs_task_prep_ata(struct mvs_info *mvi, + struct mvs_task_exec_info *tei) + { +- struct sas_ha_struct *sha = mvi->sas; + struct sas_task *task = tei->task; + struct domain_device *dev = task->dev; + struct mvs_device *mvi_dev = dev->lldd_dev; + struct mvs_cmd_hdr *hdr = tei->hdr; + struct asd_sas_port *sas_port = dev->port; +- struct sas_phy *sphy = dev->phy; +- struct asd_sas_phy *sas_phy = sha->sas_phy[sphy->number]; + struct mvs_slot_info *slot; + void *buf_prd; + u32 tag = tei->tag, hdr_tag; +@@ -468,7 +465,7 @@ static int mvs_task_prep_ata(struct mvs_info *mvi, + slot->tx = mvi->tx_prod; + del_q = TXQ_MODE_I | tag | + (TXQ_CMD_STP << TXQ_CMD_SHIFT) | +- (MVS_PHY_ID << TXQ_PHY_SHIFT) | ++ ((sas_port->phy_mask & TXQ_PHY_MASK) << TXQ_PHY_SHIFT) | + (mvi_dev->taskfileset << TXQ_SRS_SHIFT); + mvi->tx[mvi->tx_prod] = cpu_to_le32(del_q); + +-- +2.3.6 + + +From 287189f739322ef2f2b7698e613c85e7be8c9b9c Mon Sep 17 00:00:00 2001 +From: Sifan Naeem <sifan.naeem@imgtec.com> +Date: Tue, 10 Feb 2015 07:41:56 -0300 +Subject: [PATCH 176/219] rc: img-ir: fix error in parameters passed to + irq_free() +Cc: mpagano@gentoo.org + +commit 80ccf4ad06dc9d2f06a8347b2d309cdc959f72b3 upstream. + +img_ir_remove() passes a pointer to the ISR function as the 2nd +parameter to irq_free() instead of a pointer to the device data +structure. +This issue causes unloading img-ir module to fail with the below +warning after building and loading img-ir as a module. + +WARNING: CPU: 2 PID: 155 at ../kernel/irq/manage.c:1278 +__free_irq+0xb4/0x214() Trying to free already-free IRQ 58 +Modules linked in: img_ir(-) +CPU: 2 PID: 155 Comm: rmmod Not tainted 3.14.0 #55 ... +Call Trace: +... +[<8048d420>] __free_irq+0xb4/0x214 +[<8048d6b4>] free_irq+0xac/0xf4 +[<c009b130>] img_ir_remove+0x54/0xd4 [img_ir] [<8073ded0>] +platform_drv_remove+0x30/0x54 ... + +Fixes: 160a8f8aec4d ("[media] rc: img-ir: add base driver") + +Signed-off-by: Sifan Naeem <sifan.naeem@imgtec.com> +Acked-by: James Hogan <james.hogan@imgtec.com> +Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/media/rc/img-ir/img-ir-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/rc/img-ir/img-ir-core.c b/drivers/media/rc/img-ir/img-ir-core.c +index 77c78de..7020659 100644 +--- a/drivers/media/rc/img-ir/img-ir-core.c ++++ b/drivers/media/rc/img-ir/img-ir-core.c +@@ -146,7 +146,7 @@ static int img_ir_remove(struct platform_device *pdev) + { + struct img_ir_priv *priv = platform_get_drvdata(pdev); + +- free_irq(priv->irq, img_ir_isr); ++ free_irq(priv->irq, priv); + img_ir_remove_hw(priv); + img_ir_remove_raw(priv); + +-- +2.3.6 + + +From ecfdbe6a56ddd74036337f651bb2bd933341faa7 Mon Sep 17 00:00:00 2001 +From: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar> +Date: Tue, 10 Mar 2015 11:37:14 -0300 +Subject: [PATCH 177/219] stk1160: Make sure current buffer is released +Cc: mpagano@gentoo.org + +commit aeff09276748b66072f2db2e668cec955cf41959 upstream. + +The available (i.e. not used) buffers are returned by stk1160_clear_queue(), +on the stop_streaming() path. However, this is insufficient and the current +buffer must be released as well. Fix it. + +Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar> +Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> +Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/media/usb/stk1160/stk1160-v4l.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/stk1160/stk1160-v4l.c b/drivers/media/usb/stk1160/stk1160-v4l.c +index 65a326c..749ad56 100644 +--- a/drivers/media/usb/stk1160/stk1160-v4l.c ++++ b/drivers/media/usb/stk1160/stk1160-v4l.c +@@ -240,6 +240,11 @@ static int stk1160_stop_streaming(struct stk1160 *dev) + if (mutex_lock_interruptible(&dev->v4l_lock)) + return -ERESTARTSYS; + ++ /* ++ * Once URBs are cancelled, the URB complete handler ++ * won't be running. This is required to safely release the ++ * current buffer (dev->isoc_ctl.buf). ++ */ + stk1160_cancel_isoc(dev); + + /* +@@ -620,8 +625,16 @@ void stk1160_clear_queue(struct stk1160 *dev) + stk1160_info("buffer [%p/%d] aborted\n", + buf, buf->vb.v4l2_buf.index); + } +- /* It's important to clear current buffer */ +- dev->isoc_ctl.buf = NULL; ++ ++ /* It's important to release the current buffer */ ++ if (dev->isoc_ctl.buf) { ++ buf = dev->isoc_ctl.buf; ++ dev->isoc_ctl.buf = NULL; ++ ++ vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR); ++ stk1160_info("buffer [%p/%d] aborted\n", ++ buf, buf->vb.v4l2_buf.index); ++ } + spin_unlock_irqrestore(&dev->buf_lock, flags); + } + +-- +2.3.6 + + +From d9bc10f7ccda1d662f3cd98f0949a03fe27b69e4 Mon Sep 17 00:00:00 2001 +From: Yann Droneaud <ydroneaud@opteya.com> +Date: Mon, 13 Apr 2015 14:56:22 +0200 +Subject: [PATCH 178/219] IB/core: disallow registering 0-sized memory region +Cc: mpagano@gentoo.org + +commit 8abaae62f3fdead8f4ce0ab46b4ab93dee39bab2 upstream. + +If ib_umem_get() is called with a size equal to 0 and an +non-page aligned address, one page will be pinned and a +0-sized umem will be returned to the caller. + +This should not be allowed: it's not expected for a memory +region to have a size equal to 0. + +This patch adds a check to explicitly refuse to register +a 0-sized region. + +Link: http://mid.gmane.org/cover.1428929103.git.ydroneaud@opteya.com +Cc: Shachar Raindel <raindel@mellanox.com> +Cc: Jack Morgenstein <jackm@mellanox.com> +Cc: Or Gerlitz <ogerlitz@mellanox.com> +Signed-off-by: Yann Droneaud <ydroneaud@opteya.com> +Signed-off-by: Doug Ledford <dledford@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/infiniband/core/umem.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c +index 8c014b5..9ac4068 100644 +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -99,6 +99,9 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr, + if (dmasync) + dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs); + ++ if (!size) ++ return ERR_PTR(-EINVAL); ++ + /* + * If the combination of the addr and size requested for this memory + * region causes an integer overflow, return error. +-- +2.3.6 + + +From d0ddb13fc24a64a940e8050ea076e59bb04597f4 Mon Sep 17 00:00:00 2001 +From: Yann Droneaud <ydroneaud@opteya.com> +Date: Mon, 13 Apr 2015 14:56:23 +0200 +Subject: [PATCH 179/219] IB/core: don't disallow registering region starting + at 0x0 +Cc: mpagano@gentoo.org + +commit 66578b0b2f69659f00b6169e6fe7377c4b100d18 upstream. + +In a call to ib_umem_get(), if address is 0x0 and size is +already page aligned, check added in commit 8494057ab5e4 +("IB/uverbs: Prevent integer overflow in ib_umem_get address +arithmetic") will refuse to register a memory region that +could otherwise be valid (provided vm.mmap_min_addr sysctl +and mmap_low_allowed SELinux knobs allow userspace to map +something at address 0x0). + +This patch allows back such registration: ib_umem_get() +should probably don't care of the base address provided it +can be pinned with get_user_pages(). + +There's two possible overflows, in (addr + size) and in +PAGE_ALIGN(addr + size), this patch keep ensuring none +of them happen while allowing to pin memory at address +0x0. Anyway, the case of size equal 0 is no more (partially) +handled as 0-length memory region are disallowed by an +earlier check. + +Link: http://mid.gmane.org/cover.1428929103.git.ydroneaud@opteya.com +Cc: Shachar Raindel <raindel@mellanox.com> +Cc: Jack Morgenstein <jackm@mellanox.com> +Cc: Or Gerlitz <ogerlitz@mellanox.com> +Signed-off-by: Yann Droneaud <ydroneaud@opteya.com> +Reviewed-by: Sagi Grimberg <sagig@mellanox.com> +Reviewed-by: Haggai Eran <haggaie@mellanox.com> +Signed-off-by: Doug Ledford <dledford@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/infiniband/core/umem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c +index 9ac4068..38acb3c 100644 +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -106,8 +106,8 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr, + * If the combination of the addr and size requested for this memory + * region causes an integer overflow, return error. + */ +- if ((PAGE_ALIGN(addr + size) <= size) || +- (PAGE_ALIGN(addr + size) <= addr)) ++ if (((addr + size) < addr) || ++ PAGE_ALIGN(addr + size) < (addr + size)) + return ERR_PTR(-EINVAL); + + if (!can_do_mlock()) +-- +2.3.6 + + +From 7fc80a4ea6d5b307470a6bb165b293e334b22c20 Mon Sep 17 00:00:00 2001 +From: Erez Shitrit <erezsh@mellanox.com> +Date: Thu, 2 Apr 2015 13:39:05 +0300 +Subject: [PATCH 180/219] IB/mlx4: Fix WQE LSO segment calculation +Cc: mpagano@gentoo.org + +commit ca9b590caa17bcbbea119594992666e96cde9c2f upstream. + +The current code decreases from the mss size (which is the gso_size +from the kernel skb) the size of the packet headers. + +It shouldn't do that because the mss that comes from the stack +(e.g IPoIB) includes only the tcp payload without the headers. + +The result is indication to the HW that each packet that the HW sends +is smaller than what it could be, and too many packets will be sent +for big messages. + +An easy way to demonstrate one more aspect of the problem is by +configuring the ipoib mtu to be less than 2*hlen (2*56) and then +run app sending big TCP messages. This will tell the HW to send packets +with giant (negative value which under unsigned arithmetics becomes +a huge positive one) length and the QP moves to SQE state. + +Fixes: b832be1e4007 ('IB/mlx4: Add IPoIB LSO support') +Reported-by: Matthew Finlay <matt@mellanox.com> +Signed-off-by: Erez Shitrit <erezsh@mellanox.com> +Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com> +Signed-off-by: Doug Ledford <dledford@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/infiniband/hw/mlx4/qp.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c +index ed2bd67..fbde33a 100644 +--- a/drivers/infiniband/hw/mlx4/qp.c ++++ b/drivers/infiniband/hw/mlx4/qp.c +@@ -2605,8 +2605,7 @@ static int build_lso_seg(struct mlx4_wqe_lso_seg *wqe, struct ib_send_wr *wr, + + memcpy(wqe->header, wr->wr.ud.header, wr->wr.ud.hlen); + +- *lso_hdr_sz = cpu_to_be32((wr->wr.ud.mss - wr->wr.ud.hlen) << 16 | +- wr->wr.ud.hlen); ++ *lso_hdr_sz = cpu_to_be32(wr->wr.ud.mss << 16 | wr->wr.ud.hlen); + *lso_seg_len = halign; + return 0; + } +-- +2.3.6 + + +From 6fb5785d6c07d834567ccf3f3ba2df9c3803b28b Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg <sagig@mellanox.com> +Date: Tue, 14 Apr 2015 18:08:13 +0300 +Subject: [PATCH 181/219] IB/iser: Fix wrong calculation of protection buffer + length +Cc: mpagano@gentoo.org + +commit a065fe6aa25ba6ba93c02dc13486131bb3c64d5f upstream. + +This length miss-calculation may cause a silent data corruption +in the DIX case and cause the device to reference unmapped area. + +Fixes: d77e65350f2d ('libiscsi, iser: Adjust data_length to include protection information') +Signed-off-by: Sagi Grimberg <sagig@mellanox.com> +Signed-off-by: Doug Ledford <dledford@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/infiniband/ulp/iser/iser_initiator.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/ulp/iser/iser_initiator.c b/drivers/infiniband/ulp/iser/iser_initiator.c +index 20e859a..76eb57b 100644 +--- a/drivers/infiniband/ulp/iser/iser_initiator.c ++++ b/drivers/infiniband/ulp/iser/iser_initiator.c +@@ -409,8 +409,8 @@ int iser_send_command(struct iscsi_conn *conn, + if (scsi_prot_sg_count(sc)) { + prot_buf->buf = scsi_prot_sglist(sc); + prot_buf->size = scsi_prot_sg_count(sc); +- prot_buf->data_len = data_buf->data_len >> +- ilog2(sc->device->sector_size) * 8; ++ prot_buf->data_len = (data_buf->data_len >> ++ ilog2(sc->device->sector_size)) * 8; + } + + if (hdr->flags & ISCSI_FLAG_CMD_READ) { +-- +2.3.6 + + +From c62b024af945d20e01c3e8c416b9e00d137e6f02 Mon Sep 17 00:00:00 2001 +From: Rabin Vincent <rabin@rab.in> +Date: Mon, 13 Apr 2015 22:30:12 +0200 +Subject: [PATCH 182/219] tracing: Handle ftrace_dump() atomic context in + graph_trace_open() +Cc: mpagano@gentoo.org + +commit ef99b88b16bee753fa51207abdc58ae660453ec6 upstream. + +graph_trace_open() can be called in atomic context from ftrace_dump(). +Use GFP_ATOMIC for the memory allocations when that's the case, in order +to avoid the following splat. + + BUG: sleeping function called from invalid context at mm/slab.c:2849 + in_atomic(): 1, irqs_disabled(): 128, pid: 0, name: swapper/0 + Backtrace: + .. + [<8004dc94>] (__might_sleep) from [<801371f4>] (kmem_cache_alloc_trace+0x160/0x238) + r7:87800040 r6:000080d0 r5:810d16e8 r4:000080d0 + [<80137094>] (kmem_cache_alloc_trace) from [<800cbd60>] (graph_trace_open+0x30/0xd0) + r10:00000100 r9:809171a8 r8:00008e28 r7:810d16f0 r6:00000001 r5:810d16e8 + r4:810d16f0 + [<800cbd30>] (graph_trace_open) from [<800c79c4>] (trace_init_global_iter+0x50/0x9c) + r8:00008e28 r7:808c853c r6:00000001 r5:810d16e8 r4:810d16f0 r3:800cbd30 + [<800c7974>] (trace_init_global_iter) from [<800c7aa0>] (ftrace_dump+0x90/0x2ec) + r4:810d2580 r3:00000000 + [<800c7a10>] (ftrace_dump) from [<80414b2c>] (sysrq_ftrace_dump+0x1c/0x20) + r10:00000100 r9:809171a8 r8:808f6e7c r7:00000001 r6:00000007 r5:0000007a + r4:808d5394 + [<80414b10>] (sysrq_ftrace_dump) from [<800169b8>] (return_to_handler+0x0/0x18) + [<80415498>] (__handle_sysrq) from [<800169b8>] (return_to_handler+0x0/0x18) + r8:808c8100 r7:808c8444 r6:00000101 r5:00000010 r4:84eb3210 + [<80415668>] (handle_sysrq) from [<800169b8>] (return_to_handler+0x0/0x18) + [<8042a760>] (pl011_int) from [<800169b8>] (return_to_handler+0x0/0x18) + r10:809171bc r9:809171a8 r8:00000001 r7:00000026 r6:808c6000 r5:84f01e60 + r4:8454fe00 + [<8007782c>] (handle_irq_event_percpu) from [<80077b44>] (handle_irq_event+0x4c/0x6c) + r10:808c7ef0 r9:87283e00 r8:00000001 r7:00000000 r6:8454fe00 r5:84f01e60 + r4:84f01e00 + [<80077af8>] (handle_irq_event) from [<8007aa28>] (handle_fasteoi_irq+0xf0/0x1ac) + r6:808f52a4 r5:84f01e60 r4:84f01e00 r3:00000000 + [<8007a938>] (handle_fasteoi_irq) from [<80076dc0>] (generic_handle_irq+0x3c/0x4c) + r6:00000026 r5:00000000 r4:00000026 r3:8007a938 + [<80076d84>] (generic_handle_irq) from [<80077128>] (__handle_domain_irq+0x8c/0xfc) + r4:808c1e38 r3:0000002e + [<8007709c>] (__handle_domain_irq) from [<800087b8>] (gic_handle_irq+0x34/0x6c) + r10:80917748 r9:00000001 r8:88802100 r7:808c7ef0 r6:808c8fb0 r5:00000015 + r4:8880210c r3:808c7ef0 + [<80008784>] (gic_handle_irq) from [<80014044>] (__irq_svc+0x44/0x7c) + +Link: http://lkml.kernel.org/r/1428953721-31349-1-git-send-email-rabin@rab.in +Link: http://lkml.kernel.org/r/1428957012-2319-1-git-send-email-rabin@rab.in + +Signed-off-by: Rabin Vincent <rabin@rab.in> +Signed-off-by: Steven Rostedt <rostedt@goodmis.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + kernel/trace/trace_functions_graph.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c +index 2d25ad1..b6fce36 100644 +--- a/kernel/trace/trace_functions_graph.c ++++ b/kernel/trace/trace_functions_graph.c +@@ -1309,15 +1309,19 @@ void graph_trace_open(struct trace_iterator *iter) + { + /* pid and depth on the last trace processed */ + struct fgraph_data *data; ++ gfp_t gfpflags; + int cpu; + + iter->private = NULL; + +- data = kzalloc(sizeof(*data), GFP_KERNEL); ++ /* We can be called in atomic context via ftrace_dump() */ ++ gfpflags = (in_atomic() || irqs_disabled()) ? GFP_ATOMIC : GFP_KERNEL; ++ ++ data = kzalloc(sizeof(*data), gfpflags); + if (!data) + goto out_err; + +- data->cpu_data = alloc_percpu(struct fgraph_cpu_data); ++ data->cpu_data = alloc_percpu_gfp(struct fgraph_cpu_data, gfpflags); + if (!data->cpu_data) + goto out_err_free; + +-- +2.3.6 + + +From aaeb6f4d936e550fef1f068d2e883a23f757d5f5 Mon Sep 17 00:00:00 2001 +From: Joonsoo Kim <iamjoonsoo.kim@lge.com> +Date: Thu, 16 Apr 2015 13:44:44 +0900 +Subject: [PATCH 183/219] tracing: Fix incorrect enabling of trace events by + boot cmdline +Cc: mpagano@gentoo.org + +commit 84fce9db4d7eaebd6cb2ee30c15da6d4e4daf846 upstream. + +There is a problem that trace events are not properly enabled with +boot cmdline. The problem is that if we pass "trace_event=kmem:mm_page_alloc" +to the boot cmdline, it enables all kmem trace events, and not just +the page_alloc event. + +This is caused by the parsing mechanism. When we parse the cmdline, the buffer +contents is modified due to tokenization. And, if we use this buffer +again, we will get the wrong result. + +Unfortunately, this buffer is be accessed three times to set trace events +properly at boot time. So, we need to handle this situation. + +There is already code handling ",", but we need another for ":". +This patch adds it. + +Link: http://lkml.kernel.org/r/1429159484-22977-1-git-send-email-iamjoonsoo.kim@lge.com + +Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com> +[ added missing return ret; ] +Signed-off-by: Steven Rostedt <rostedt@goodmis.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + kernel/trace/trace_events.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c +index db54dda..a9c10a3 100644 +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -565,6 +565,7 @@ static int __ftrace_set_clr_event(struct trace_array *tr, const char *match, + static int ftrace_set_clr_event(struct trace_array *tr, char *buf, int set) + { + char *event = NULL, *sub = NULL, *match; ++ int ret; + + /* + * The buf format can be <subsystem>:<event-name> +@@ -590,7 +591,13 @@ static int ftrace_set_clr_event(struct trace_array *tr, char *buf, int set) + event = NULL; + } + +- return __ftrace_set_clr_event(tr, match, sub, event, set); ++ ret = __ftrace_set_clr_event(tr, match, sub, event, set); ++ ++ /* Put back the colon to allow this to be called again */ ++ if (buf) ++ *(buf - 1) = ':'; ++ ++ return ret; + } + + /** +-- +2.3.6 + + +From c5bc4117a935b13fdc40db4753b9d32307d2e304 Mon Sep 17 00:00:00 2001 +From: Wolfram Sang <wsa+renesas@sang-engineering.com> +Date: Thu, 23 Apr 2015 10:29:09 +0200 +Subject: [PATCH 184/219] i2c: mux: use proper dev when removing "channel-X" + symlinks +Cc: mpagano@gentoo.org + +commit 133778482ec6c8fde69406be380333963627c17a upstream. + +Those symlinks are created for the mux_dev, so we need to remove it from +there. Currently, it breaks for muxes where the mux_dev is not the device +of the parent adapter like this: + +[ 78.234644] WARNING: CPU: 0 PID: 365 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x5c/0x78() +[ 78.242438] sysfs: cannot create duplicate filename '/devices/platform/i2cbus@8/channel-0' + +Remove confusing comments while we are here. + +Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com> +Signed-off-by: Wolfram Sang <wsa@the-dreams.de> +Fixes: c9449affad2ae0 +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/i2c/i2c-mux.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/i2c/i2c-mux.c b/drivers/i2c/i2c-mux.c +index 593f7ca..06cc1ff 100644 +--- a/drivers/i2c/i2c-mux.c ++++ b/drivers/i2c/i2c-mux.c +@@ -32,8 +32,9 @@ struct i2c_mux_priv { + struct i2c_algorithm algo; + + struct i2c_adapter *parent; +- void *mux_priv; /* the mux chip/device */ +- u32 chan_id; /* the channel id */ ++ struct device *mux_dev; ++ void *mux_priv; ++ u32 chan_id; + + int (*select)(struct i2c_adapter *, void *mux_priv, u32 chan_id); + int (*deselect)(struct i2c_adapter *, void *mux_priv, u32 chan_id); +@@ -119,6 +120,7 @@ struct i2c_adapter *i2c_add_mux_adapter(struct i2c_adapter *parent, + + /* Set up private adapter data */ + priv->parent = parent; ++ priv->mux_dev = mux_dev; + priv->mux_priv = mux_priv; + priv->chan_id = chan_id; + priv->select = select; +@@ -203,7 +205,7 @@ void i2c_del_mux_adapter(struct i2c_adapter *adap) + char symlink_name[20]; + + snprintf(symlink_name, sizeof(symlink_name), "channel-%u", priv->chan_id); +- sysfs_remove_link(&adap->dev.parent->kobj, symlink_name); ++ sysfs_remove_link(&priv->mux_dev->kobj, symlink_name); + + sysfs_remove_link(&priv->adap.dev.kobj, "mux_device"); + i2c_del_adapter(adap); +-- +2.3.6 + + +From 7a86d818f4f71fdd0e1d16c07026e2b9a52be2d6 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Date: Mon, 20 Apr 2015 15:14:47 -0700 +Subject: [PATCH 185/219] i2c: rk3x: report number of messages transmitted +Cc: mpagano@gentoo.org + +commit c6cbfb91b878224e78408a2e15901c79de77115a upstream. + +master_xfer() method should return number of i2c messages transferred, +but on Rockchip we were usually returning just 1, which caused trouble +with users that actually check number of transferred messages vs. +checking for negative error codes. + +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Signed-off-by: Wolfram Sang <wsa@the-dreams.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/i2c/busses/i2c-rk3x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-rk3x.c b/drivers/i2c/busses/i2c-rk3x.c +index 5f96b1b..019d542 100644 +--- a/drivers/i2c/busses/i2c-rk3x.c ++++ b/drivers/i2c/busses/i2c-rk3x.c +@@ -833,7 +833,7 @@ static int rk3x_i2c_xfer(struct i2c_adapter *adap, + clk_disable(i2c->clk); + spin_unlock_irqrestore(&i2c->lock, flags); + +- return ret; ++ return ret < 0 ? ret : num; + } + + static u32 rk3x_i2c_func(struct i2c_adapter *adap) +-- +2.3.6 + + +From 184848b540e3c7df18a22b983319fa4f64acec15 Mon Sep 17 00:00:00 2001 +From: Charles Keepax <ckeepax@opensource.wolfsonmicro.com> +Date: Thu, 16 Apr 2015 13:05:19 +0100 +Subject: [PATCH 186/219] i2c: Mark adapter devices with + pm_runtime_no_callbacks +Cc: mpagano@gentoo.org + +commit 6ada5c1e1b077ab98fc144d7ac132b4dcc0148ec upstream. + +Commit 523c5b89640e ("i2c: Remove support for legacy PM") removed the PM +ops from the bus type, which causes the pm operations on the s3c2410 +adapter device to fail (-ENOSUPP in rpm_callback). The adapter device +doesn't get bound to a driver and as such can't have its own pm_runtime +callbacks. Previously this was fine as the bus callbacks would have been +used, but now this can cause devices which use PM runtime and are +attached over I2C to fail to resume. + +This commit fixes this issue by marking all adapter devices with +pm_runtime_no_callbacks, since they can't have any. + +Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com> +Acked-by: Beata Michalska <b.michalska@samsung.com> +Signed-off-by: Wolfram Sang <wsa@the-dreams.de> +Fixes: 523c5b89640e +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/i2c/i2c-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c +index edf274c..526c5a5 100644 +--- a/drivers/i2c/i2c-core.c ++++ b/drivers/i2c/i2c-core.c +@@ -1410,6 +1410,8 @@ static int i2c_register_adapter(struct i2c_adapter *adap) + + dev_dbg(&adap->dev, "adapter [%s] registered\n", adap->name); + ++ pm_runtime_no_callbacks(&adap->dev); ++ + #ifdef CONFIG_I2C_COMPAT + res = class_compat_create_link(i2c_adapter_compat_class, &adap->dev, + adap->dev.parent); +-- +2.3.6 + + +From 00b2c92fe1b560e1a984edf0671f0feb7886a7ed Mon Sep 17 00:00:00 2001 +From: Mark Brown <broonie@kernel.org> +Date: Wed, 15 Apr 2015 19:18:39 +0100 +Subject: [PATCH 187/219] i2c: core: Export bus recovery functions +Cc: mpagano@gentoo.org + +commit c1c21f4e60ed4523292f1a89ff45a208bddd3849 upstream. + +Current -next fails to link an ARM allmodconfig because drivers that use +the core recovery functions can be built as modules but those functions +are not exported: + +ERROR: "i2c_generic_gpio_recovery" [drivers/i2c/busses/i2c-davinci.ko] undefined! +ERROR: "i2c_generic_scl_recovery" [drivers/i2c/busses/i2c-davinci.ko] undefined! +ERROR: "i2c_recover_bus" [drivers/i2c/busses/i2c-davinci.ko] undefined! + +Add exports to fix this. + +Fixes: 5f9296ba21b3c (i2c: Add bus recovery infrastructure) +Signed-off-by: Mark Brown <broonie@kernel.org> +Signed-off-by: Wolfram Sang <wsa@the-dreams.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/i2c/i2c-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c +index 526c5a5..8143162 100644 +--- a/drivers/i2c/i2c-core.c ++++ b/drivers/i2c/i2c-core.c +@@ -596,6 +596,7 @@ int i2c_generic_scl_recovery(struct i2c_adapter *adap) + adap->bus_recovery_info->set_scl(adap, 1); + return i2c_generic_recovery(adap); + } ++EXPORT_SYMBOL_GPL(i2c_generic_scl_recovery); + + int i2c_generic_gpio_recovery(struct i2c_adapter *adap) + { +@@ -610,6 +611,7 @@ int i2c_generic_gpio_recovery(struct i2c_adapter *adap) + + return ret; + } ++EXPORT_SYMBOL_GPL(i2c_generic_gpio_recovery); + + int i2c_recover_bus(struct i2c_adapter *adap) + { +@@ -619,6 +621,7 @@ int i2c_recover_bus(struct i2c_adapter *adap) + dev_dbg(&adap->dev, "Trying i2c bus recovery\n"); + return adap->bus_recovery_info->recover_bus(adap); + } ++EXPORT_SYMBOL_GPL(i2c_recover_bus); + + static int i2c_device_probe(struct device *dev) + { +-- +2.3.6 + + +From 87479d71ffe1c2b63f7621fefbdc1cedd95dd49d Mon Sep 17 00:00:00 2001 +From: Alex Deucher <alexander.deucher@amd.com> +Date: Tue, 24 Feb 2015 11:29:21 -0500 +Subject: [PATCH 188/219] drm/radeon: fix doublescan modes (v2) +Cc: mpagano@gentoo.org + +commit fd99a0943ffaa0320ea4f69d09ed188f950c0432 upstream. + +Use the correct flags for atom. + +v2: handle DRM_MODE_FLAG_DBLCLK + +Signed-off-by: Alex Deucher <alexander.deucher@amd.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/gpu/drm/radeon/atombios_crtc.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/atombios_crtc.c b/drivers/gpu/drm/radeon/atombios_crtc.c +index 86807ee..9bd5611 100644 +--- a/drivers/gpu/drm/radeon/atombios_crtc.c ++++ b/drivers/gpu/drm/radeon/atombios_crtc.c +@@ -330,8 +330,10 @@ atombios_set_crtc_dtd_timing(struct drm_crtc *crtc, + misc |= ATOM_COMPOSITESYNC; + if (mode->flags & DRM_MODE_FLAG_INTERLACE) + misc |= ATOM_INTERLACE; +- if (mode->flags & DRM_MODE_FLAG_DBLSCAN) ++ if (mode->flags & DRM_MODE_FLAG_DBLCLK) + misc |= ATOM_DOUBLE_CLOCK_MODE; ++ if (mode->flags & DRM_MODE_FLAG_DBLSCAN) ++ misc |= ATOM_H_REPLICATIONBY2 | ATOM_V_REPLICATIONBY2; + + args.susModeMiscInfo.usAccess = cpu_to_le16(misc); + args.ucCRTC = radeon_crtc->crtc_id; +@@ -374,8 +376,10 @@ static void atombios_crtc_set_timing(struct drm_crtc *crtc, + misc |= ATOM_COMPOSITESYNC; + if (mode->flags & DRM_MODE_FLAG_INTERLACE) + misc |= ATOM_INTERLACE; +- if (mode->flags & DRM_MODE_FLAG_DBLSCAN) ++ if (mode->flags & DRM_MODE_FLAG_DBLCLK) + misc |= ATOM_DOUBLE_CLOCK_MODE; ++ if (mode->flags & DRM_MODE_FLAG_DBLSCAN) ++ misc |= ATOM_H_REPLICATIONBY2 | ATOM_V_REPLICATIONBY2; + + args.susModeMiscInfo.usAccess = cpu_to_le16(misc); + args.ucCRTC = radeon_crtc->crtc_id; +-- +2.3.6 + + +From 7b645d942ed7101136f35bad5f6cb225c6e2adaa Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski <k.kozlowski@samsung.com> +Date: Tue, 7 Apr 2015 22:28:50 +0900 +Subject: [PATCH 189/219] drm/exynos: Enable DP clock to fix display on + Exynos5250 and other +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Cc: mpagano@gentoo.org + +commit 1c363c7cccf64128087002b0779986ad16aff6dc upstream. + +After adding display power domain for Exynos5250 in commit +2d2c9a8d0a4f ("ARM: dts: add display power domain for exynos5250") the +display on Chromebook Snow and others stopped working after boot. + +The reason for this suggested Andrzej Hajda: the DP clock was disabled. +This clock is required by Display Port and is enabled by bootloader. +However when FIMD driver probing was deferred, the display power domain +was turned off. This effectively reset the value of DP clock enable +register. + +When exynos-dp is later probed, the clock is not enabled and display is +not properly configured: + +exynos-dp 145b0000.dp-controller: Timeout of video streamclk ok +exynos-dp 145b0000.dp-controller: unable to config video + +Fixes: 2d2c9a8d0a4f ("ARM: dts: add display power domain for exynos5250") + +Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com> +Reported-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk> +Tested-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk> +Tested-by: Andreas Färber <afaerber@suse.de> +Signed-off-by: Inki Dae <inki.dae@samsung.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/gpu/drm/exynos/exynos_dp_core.c | 10 ++++++++++ + drivers/gpu/drm/exynos/exynos_drm_fimd.c | 19 +++++++++++++++++++ + drivers/gpu/drm/exynos/exynos_drm_fimd.h | 15 +++++++++++++++ + include/video/samsung_fimd.h | 6 ++++++ + 4 files changed, 50 insertions(+) + create mode 100644 drivers/gpu/drm/exynos/exynos_drm_fimd.h + +diff --git a/drivers/gpu/drm/exynos/exynos_dp_core.c b/drivers/gpu/drm/exynos/exynos_dp_core.c +index bf17a60..1dbfba5 100644 +--- a/drivers/gpu/drm/exynos/exynos_dp_core.c ++++ b/drivers/gpu/drm/exynos/exynos_dp_core.c +@@ -32,10 +32,16 @@ + #include <drm/bridge/ptn3460.h> + + #include "exynos_dp_core.h" ++#include "exynos_drm_fimd.h" + + #define ctx_from_connector(c) container_of(c, struct exynos_dp_device, \ + connector) + ++static inline struct exynos_drm_crtc *dp_to_crtc(struct exynos_dp_device *dp) ++{ ++ return to_exynos_crtc(dp->encoder->crtc); ++} ++ + static inline struct exynos_dp_device * + display_to_dp(struct exynos_drm_display *d) + { +@@ -1070,6 +1076,8 @@ static void exynos_dp_poweron(struct exynos_dp_device *dp) + } + } + ++ fimd_dp_clock_enable(dp_to_crtc(dp), true); ++ + clk_prepare_enable(dp->clock); + exynos_dp_phy_init(dp); + exynos_dp_init_dp(dp); +@@ -1094,6 +1102,8 @@ static void exynos_dp_poweroff(struct exynos_dp_device *dp) + exynos_dp_phy_exit(dp); + clk_disable_unprepare(dp->clock); + ++ fimd_dp_clock_enable(dp_to_crtc(dp), false); ++ + if (dp->panel) { + if (drm_panel_unprepare(dp->panel)) + DRM_ERROR("failed to turnoff the panel\n"); +diff --git a/drivers/gpu/drm/exynos/exynos_drm_fimd.c b/drivers/gpu/drm/exynos/exynos_drm_fimd.c +index 33a10ce..5d58f6c 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_fimd.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_fimd.c +@@ -32,6 +32,7 @@ + #include "exynos_drm_fbdev.h" + #include "exynos_drm_crtc.h" + #include "exynos_drm_iommu.h" ++#include "exynos_drm_fimd.h" + + /* + * FIMD stands for Fully Interactive Mobile Display and +@@ -1233,6 +1234,24 @@ static int fimd_remove(struct platform_device *pdev) + return 0; + } + ++void fimd_dp_clock_enable(struct exynos_drm_crtc *crtc, bool enable) ++{ ++ struct fimd_context *ctx = crtc->ctx; ++ u32 val; ++ ++ /* ++ * Only Exynos 5250, 5260, 5410 and 542x requires enabling DP/MIE ++ * clock. On these SoCs the bootloader may enable it but any ++ * power domain off/on will reset it to disable state. ++ */ ++ if (ctx->driver_data != &exynos5_fimd_driver_data) ++ return; ++ ++ val = enable ? DP_MIE_CLK_DP_ENABLE : DP_MIE_CLK_DISABLE; ++ writel(DP_MIE_CLK_DP_ENABLE, ctx->regs + DP_MIE_CLKCON); ++} ++EXPORT_SYMBOL_GPL(fimd_dp_clock_enable); ++ + struct platform_driver fimd_driver = { + .probe = fimd_probe, + .remove = fimd_remove, +diff --git a/drivers/gpu/drm/exynos/exynos_drm_fimd.h b/drivers/gpu/drm/exynos/exynos_drm_fimd.h +new file mode 100644 +index 0000000..b4fcaa5 +--- /dev/null ++++ b/drivers/gpu/drm/exynos/exynos_drm_fimd.h +@@ -0,0 +1,15 @@ ++/* ++ * Copyright (c) 2015 Samsung Electronics Co., Ltd. ++ * ++ * This program is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by the ++ * Free Software Foundation; either version 2 of the License, or (at your ++ * option) any later version. ++ */ ++ ++#ifndef _EXYNOS_DRM_FIMD_H_ ++#define _EXYNOS_DRM_FIMD_H_ ++ ++extern void fimd_dp_clock_enable(struct exynos_drm_crtc *crtc, bool enable); ++ ++#endif /* _EXYNOS_DRM_FIMD_H_ */ +diff --git a/include/video/samsung_fimd.h b/include/video/samsung_fimd.h +index a20e4a3..847a0a2 100644 +--- a/include/video/samsung_fimd.h ++++ b/include/video/samsung_fimd.h +@@ -436,6 +436,12 @@ + #define BLENDCON_NEW_8BIT_ALPHA_VALUE (1 << 0) + #define BLENDCON_NEW_4BIT_ALPHA_VALUE (0 << 0) + ++/* Display port clock control */ ++#define DP_MIE_CLKCON 0x27c ++#define DP_MIE_CLK_DISABLE 0x0 ++#define DP_MIE_CLK_DP_ENABLE 0x2 ++#define DP_MIE_CLK_MIE_ENABLE 0x3 ++ + /* Notes on per-window bpp settings + * + * Value Win0 Win1 Win2 Win3 Win 4 +-- +2.3.6 + + +From 9dc473bad145b361c179c4f115ea781b8b73448d Mon Sep 17 00:00:00 2001 +From: Daniel Vetter <daniel.vetter@ffwll.ch> +Date: Wed, 1 Apr 2015 13:43:46 +0200 +Subject: [PATCH 190/219] drm/i915: Dont enable CS_PARSER_ERROR interrupts at + all +Cc: mpagano@gentoo.org + +commit 37ef01ab5d24d1d520dc79f6a98099d451c2a901 upstream. + +We stopped handling them in + +commit aaecdf611a05cac26a94713bad25297e60225c29 +Author: Daniel Vetter <daniel.vetter@ffwll.ch> +Date: Tue Nov 4 15:52:22 2014 +0100 + + drm/i915: Stop gathering error states for CS error interrupts + +but just clearing is apparently not enough: A sufficiently dead gpu +left behind by firmware (*cough* coreboot *cough*) can keep the gpu in +an endless loop of such interrupts, eventually leading to the nmi +firing. And definitely to what looks like a machine hang. + +Since we don't even enable these interrupts on gen5+ let's do the same +on earlier platforms. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=93171 +Tested-by: Mono <mono-for-kernel-org@donderklumpen.de> +Tested-by: info@gluglug.org.uk +Reviewed-by: Mika Kuoppala <mika.kuoppala@intel.com> +Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/gpu/drm/i915/i915_irq.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c +index ede5bbb..07320cb 100644 +--- a/drivers/gpu/drm/i915/i915_irq.c ++++ b/drivers/gpu/drm/i915/i915_irq.c +@@ -3718,14 +3718,12 @@ static int i8xx_irq_postinstall(struct drm_device *dev) + ~(I915_DISPLAY_PIPE_A_EVENT_INTERRUPT | + I915_DISPLAY_PIPE_B_EVENT_INTERRUPT | + I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT | +- I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT | +- I915_RENDER_COMMAND_PARSER_ERROR_INTERRUPT); ++ I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT); + I915_WRITE16(IMR, dev_priv->irq_mask); + + I915_WRITE16(IER, + I915_DISPLAY_PIPE_A_EVENT_INTERRUPT | + I915_DISPLAY_PIPE_B_EVENT_INTERRUPT | +- I915_RENDER_COMMAND_PARSER_ERROR_INTERRUPT | + I915_USER_INTERRUPT); + POSTING_READ16(IER); + +@@ -3887,14 +3885,12 @@ static int i915_irq_postinstall(struct drm_device *dev) + I915_DISPLAY_PIPE_A_EVENT_INTERRUPT | + I915_DISPLAY_PIPE_B_EVENT_INTERRUPT | + I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT | +- I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT | +- I915_RENDER_COMMAND_PARSER_ERROR_INTERRUPT); ++ I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT); + + enable_mask = + I915_ASLE_INTERRUPT | + I915_DISPLAY_PIPE_A_EVENT_INTERRUPT | + I915_DISPLAY_PIPE_B_EVENT_INTERRUPT | +- I915_RENDER_COMMAND_PARSER_ERROR_INTERRUPT | + I915_USER_INTERRUPT; + + if (I915_HAS_HOTPLUG(dev)) { +-- +2.3.6 + + +From 244f81177e5bc0ecb2f5507ef4371dc4752fea94 Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com> +Date: Wed, 18 Feb 2015 15:19:33 +0200 +Subject: [PATCH 191/219] drm: adv7511: Fix DDC error interrupt handling +Cc: mpagano@gentoo.org + +commit 2e96206c4f952295e11c311fbb2a7aa2105024af upstream. + +The DDC error interrupt bit is located in REG_INT1, not REG_INT0. Update +both the interrupt wait code and the interrupt sources reset code +accordingly. + +Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/gpu/drm/i2c/adv7511.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/i2c/adv7511.c b/drivers/gpu/drm/i2c/adv7511.c +index fa140e0..5109c21 100644 +--- a/drivers/gpu/drm/i2c/adv7511.c ++++ b/drivers/gpu/drm/i2c/adv7511.c +@@ -467,14 +467,16 @@ static int adv7511_get_edid_block(void *data, u8 *buf, unsigned int block, + block); + ret = adv7511_wait_for_interrupt(adv7511, + ADV7511_INT0_EDID_READY | +- ADV7511_INT1_DDC_ERROR, 200); ++ (ADV7511_INT1_DDC_ERROR << 8), 200); + + if (!(ret & ADV7511_INT0_EDID_READY)) + return -EIO; + } + + regmap_write(adv7511->regmap, ADV7511_REG_INT(0), +- ADV7511_INT0_EDID_READY | ADV7511_INT1_DDC_ERROR); ++ ADV7511_INT0_EDID_READY); ++ regmap_write(adv7511->regmap, ADV7511_REG_INT(1), ++ ADV7511_INT1_DDC_ERROR); + + /* Break this apart, hopefully more I2C controllers will + * support 64 byte transfers than 256 byte transfers +@@ -528,7 +530,9 @@ static int adv7511_get_modes(struct drm_encoder *encoder, + /* Reading the EDID only works if the device is powered */ + if (adv7511->dpms_mode != DRM_MODE_DPMS_ON) { + regmap_write(adv7511->regmap, ADV7511_REG_INT(0), +- ADV7511_INT0_EDID_READY | ADV7511_INT1_DDC_ERROR); ++ ADV7511_INT0_EDID_READY); ++ regmap_write(adv7511->regmap, ADV7511_REG_INT(1), ++ ADV7511_INT1_DDC_ERROR); + regmap_update_bits(adv7511->regmap, ADV7511_REG_POWER, + ADV7511_POWER_POWER_DOWN, 0); + adv7511->current_edid_segment = -1; +@@ -563,7 +567,9 @@ static void adv7511_encoder_dpms(struct drm_encoder *encoder, int mode) + adv7511->current_edid_segment = -1; + + regmap_write(adv7511->regmap, ADV7511_REG_INT(0), +- ADV7511_INT0_EDID_READY | ADV7511_INT1_DDC_ERROR); ++ ADV7511_INT0_EDID_READY); ++ regmap_write(adv7511->regmap, ADV7511_REG_INT(1), ++ ADV7511_INT1_DDC_ERROR); + regmap_update_bits(adv7511->regmap, ADV7511_REG_POWER, + ADV7511_POWER_POWER_DOWN, 0); + /* +-- +2.3.6 + + +From 74ed38596ea50609c61bd10f048f97d6161e73b4 Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com> +Date: Wed, 18 Feb 2015 15:19:33 +0200 +Subject: [PATCH 192/219] drm: adv7511: Fix nested sleep when reading EDID +Cc: mpagano@gentoo.org + +commit a5241289c4139f0521b89e34a70f5f998463ae15 upstream. + +The EDID read code waits for the read completion interrupt to occur +using wait_event_interruptible(). The condition passed to the macro +reads I2C registers. This results in sleeping with the task state set +to TASK_INTERRUPTIBLE, triggering a WARN_ON() introduced in commit +8eb23b9f35aae ("sched: Debug nested sleeps"). + +Fix this by reworking the EDID read code. Instead of checking whether +the read is complete through I2C reads, handle the interrupt registers +in the interrupt handler and update a new edid_read flag accordingly. As +a side effect both the IRQ and polling code paths now process the +interrupt sources through the same code path, simplifying the code. + +Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/gpu/drm/i2c/adv7511.c | 96 +++++++++++++++++++++---------------------- + 1 file changed, 46 insertions(+), 50 deletions(-) + +diff --git a/drivers/gpu/drm/i2c/adv7511.c b/drivers/gpu/drm/i2c/adv7511.c +index 5109c21..60ab1f7 100644 +--- a/drivers/gpu/drm/i2c/adv7511.c ++++ b/drivers/gpu/drm/i2c/adv7511.c +@@ -33,6 +33,7 @@ struct adv7511 { + + unsigned int current_edid_segment; + uint8_t edid_buf[256]; ++ bool edid_read; + + wait_queue_head_t wq; + struct drm_encoder *encoder; +@@ -379,69 +380,71 @@ static bool adv7511_hpd(struct adv7511 *adv7511) + return false; + } + +-static irqreturn_t adv7511_irq_handler(int irq, void *devid) +-{ +- struct adv7511 *adv7511 = devid; +- +- if (adv7511_hpd(adv7511)) +- drm_helper_hpd_irq_event(adv7511->encoder->dev); +- +- wake_up_all(&adv7511->wq); +- +- return IRQ_HANDLED; +-} +- +-static unsigned int adv7511_is_interrupt_pending(struct adv7511 *adv7511, +- unsigned int irq) ++static int adv7511_irq_process(struct adv7511 *adv7511) + { + unsigned int irq0, irq1; +- unsigned int pending; + int ret; + + ret = regmap_read(adv7511->regmap, ADV7511_REG_INT(0), &irq0); + if (ret < 0) +- return 0; ++ return ret; ++ + ret = regmap_read(adv7511->regmap, ADV7511_REG_INT(1), &irq1); + if (ret < 0) +- return 0; ++ return ret; ++ ++ regmap_write(adv7511->regmap, ADV7511_REG_INT(0), irq0); ++ regmap_write(adv7511->regmap, ADV7511_REG_INT(1), irq1); ++ ++ if (irq0 & ADV7511_INT0_HDP) ++ drm_helper_hpd_irq_event(adv7511->encoder->dev); ++ ++ if (irq0 & ADV7511_INT0_EDID_READY || irq1 & ADV7511_INT1_DDC_ERROR) { ++ adv7511->edid_read = true; + +- pending = (irq1 << 8) | irq0; ++ if (adv7511->i2c_main->irq) ++ wake_up_all(&adv7511->wq); ++ } + +- return pending & irq; ++ return 0; + } + +-static int adv7511_wait_for_interrupt(struct adv7511 *adv7511, int irq, +- int timeout) ++static irqreturn_t adv7511_irq_handler(int irq, void *devid) ++{ ++ struct adv7511 *adv7511 = devid; ++ int ret; ++ ++ ret = adv7511_irq_process(adv7511); ++ return ret < 0 ? IRQ_NONE : IRQ_HANDLED; ++} ++ ++/* ----------------------------------------------------------------------------- ++ * EDID retrieval ++ */ ++ ++static int adv7511_wait_for_edid(struct adv7511 *adv7511, int timeout) + { +- unsigned int pending; + int ret; + + if (adv7511->i2c_main->irq) { + ret = wait_event_interruptible_timeout(adv7511->wq, +- adv7511_is_interrupt_pending(adv7511, irq), +- msecs_to_jiffies(timeout)); +- if (ret <= 0) +- return 0; +- pending = adv7511_is_interrupt_pending(adv7511, irq); ++ adv7511->edid_read, msecs_to_jiffies(timeout)); + } else { +- if (timeout < 25) +- timeout = 25; +- do { +- pending = adv7511_is_interrupt_pending(adv7511, irq); +- if (pending) ++ for (; timeout > 0; timeout -= 25) { ++ ret = adv7511_irq_process(adv7511); ++ if (ret < 0) ++ break; ++ ++ if (adv7511->edid_read) + break; ++ + msleep(25); +- timeout -= 25; +- } while (timeout >= 25); ++ } + } + +- return pending; ++ return adv7511->edid_read ? 0 : -EIO; + } + +-/* ----------------------------------------------------------------------------- +- * EDID retrieval +- */ +- + static int adv7511_get_edid_block(void *data, u8 *buf, unsigned int block, + size_t len) + { +@@ -463,21 +466,14 @@ static int adv7511_get_edid_block(void *data, u8 *buf, unsigned int block, + return ret; + + if (status != 2) { ++ adv7511->edid_read = false; + regmap_write(adv7511->regmap, ADV7511_REG_EDID_SEGMENT, + block); +- ret = adv7511_wait_for_interrupt(adv7511, +- ADV7511_INT0_EDID_READY | +- (ADV7511_INT1_DDC_ERROR << 8), 200); +- +- if (!(ret & ADV7511_INT0_EDID_READY)) +- return -EIO; ++ ret = adv7511_wait_for_edid(adv7511, 200); ++ if (ret < 0) ++ return ret; + } + +- regmap_write(adv7511->regmap, ADV7511_REG_INT(0), +- ADV7511_INT0_EDID_READY); +- regmap_write(adv7511->regmap, ADV7511_REG_INT(1), +- ADV7511_INT1_DDC_ERROR); +- + /* Break this apart, hopefully more I2C controllers will + * support 64 byte transfers than 256 byte transfers + */ +-- +2.3.6 + + +From 959905cf28ee80f8830b717f4e1ac28a61732974 Mon Sep 17 00:00:00 2001 +From: Imre Deak <imre.deak@intel.com> +Date: Wed, 15 Apr 2015 16:52:30 -0700 +Subject: [PATCH 193/219] drm/i915: vlv: fix save/restore of GFX_MAX_REQ_COUNT + reg +Cc: mpagano@gentoo.org + +commit b5f1c97f944482e98e6e39208af356630389d1ea upstream. + +Due this typo we don't save/restore the GFX_MAX_REQ_COUNT register across +suspend/resume, so fix this. + +This was introduced in + +commit ddeea5b0c36f3665446518c609be91f9336ef674 +Author: Imre Deak <imre.deak@intel.com> +Date: Mon May 5 15:19:56 2014 +0300 + + drm/i915: vlv: add runtime PM support + +I noticed this only by reading the code. To my knowledge it shouldn't +cause any real problems at the moment, since the power well backing this +register remains on across a runtime s/r. This may change once +system-wide s0ix functionality is enabled in the kernel. + +v2: +- resend after a missing git add -u :/ + +Signed-off-by: Imre Deak <imre.deak@intel.com> +Tested-By: PRC QA PRTS (Patch Regression Test System Contact: shuang.he@intel.com) +Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com> +Reviewed-by: Mika Kuoppala <mika.kuoppala@intel.com> +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/gpu/drm/i915/i915_drv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/i915_drv.c b/drivers/gpu/drm/i915/i915_drv.c +index 5c66b56..ec4d932 100644 +--- a/drivers/gpu/drm/i915/i915_drv.c ++++ b/drivers/gpu/drm/i915/i915_drv.c +@@ -1042,7 +1042,7 @@ static void vlv_save_gunit_s0ix_state(struct drm_i915_private *dev_priv) + s->lra_limits[i] = I915_READ(GEN7_LRA_LIMITS_BASE + i * 4); + + s->media_max_req_count = I915_READ(GEN7_MEDIA_MAX_REQ_COUNT); +- s->gfx_max_req_count = I915_READ(GEN7_MEDIA_MAX_REQ_COUNT); ++ s->gfx_max_req_count = I915_READ(GEN7_GFX_MAX_REQ_COUNT); + + s->render_hwsp = I915_READ(RENDER_HWS_PGA_GEN7); + s->ecochk = I915_READ(GAM_ECOCHK); +@@ -1124,7 +1124,7 @@ static void vlv_restore_gunit_s0ix_state(struct drm_i915_private *dev_priv) + I915_WRITE(GEN7_LRA_LIMITS_BASE + i * 4, s->lra_limits[i]); + + I915_WRITE(GEN7_MEDIA_MAX_REQ_COUNT, s->media_max_req_count); +- I915_WRITE(GEN7_MEDIA_MAX_REQ_COUNT, s->gfx_max_req_count); ++ I915_WRITE(GEN7_GFX_MAX_REQ_COUNT, s->gfx_max_req_count); + + I915_WRITE(RENDER_HWS_PGA_GEN7, s->render_hwsp); + I915_WRITE(GAM_ECOCHK, s->ecochk); +-- +2.3.6 + + +From 0f14e0aa4e606b77387e807b89a0ee8faf10accb Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Date: Tue, 21 Apr 2015 09:49:11 -0700 +Subject: [PATCH 194/219] drm/i915: cope with large i2c transfers +Cc: mpagano@gentoo.org + +commit 9535c4757b881e06fae72a857485ad57c422b8d2 upstream. + +The hardware, according to the specs, is limited to 256 byte transfers, +and current driver has no protections in case users attempt to do larger +transfers. The code will just stomp over status register and mayhem +ensues. + +Let's split larger transfers into digestable chunks. Doing this allows +Atmel MXT driver on Pixel 1 function properly (it hasn't since commit +9d8dc3e529a19e427fd379118acd132520935c5d "Input: atmel_mxt_ts - +implement T44 message handling" which tries to consume multiple +touchscreen/touchpad reports in a single transaction). + +Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk> +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/gpu/drm/i915/i915_reg.h | 1 + + drivers/gpu/drm/i915/intel_i2c.c | 66 ++++++++++++++++++++++++++++++++++------ + 2 files changed, 57 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h +index 33b3d0a2..f536ff2 100644 +--- a/drivers/gpu/drm/i915/i915_reg.h ++++ b/drivers/gpu/drm/i915/i915_reg.h +@@ -1740,6 +1740,7 @@ enum punit_power_well { + #define GMBUS_CYCLE_INDEX (2<<25) + #define GMBUS_CYCLE_STOP (4<<25) + #define GMBUS_BYTE_COUNT_SHIFT 16 ++#define GMBUS_BYTE_COUNT_MAX 256U + #define GMBUS_SLAVE_INDEX_SHIFT 8 + #define GMBUS_SLAVE_ADDR_SHIFT 1 + #define GMBUS_SLAVE_READ (1<<0) +diff --git a/drivers/gpu/drm/i915/intel_i2c.c b/drivers/gpu/drm/i915/intel_i2c.c +index b31088a..56e437e 100644 +--- a/drivers/gpu/drm/i915/intel_i2c.c ++++ b/drivers/gpu/drm/i915/intel_i2c.c +@@ -270,18 +270,17 @@ gmbus_wait_idle(struct drm_i915_private *dev_priv) + } + + static int +-gmbus_xfer_read(struct drm_i915_private *dev_priv, struct i2c_msg *msg, +- u32 gmbus1_index) ++gmbus_xfer_read_chunk(struct drm_i915_private *dev_priv, ++ unsigned short addr, u8 *buf, unsigned int len, ++ u32 gmbus1_index) + { + int reg_offset = dev_priv->gpio_mmio_base; +- u16 len = msg->len; +- u8 *buf = msg->buf; + + I915_WRITE(GMBUS1 + reg_offset, + gmbus1_index | + GMBUS_CYCLE_WAIT | + (len << GMBUS_BYTE_COUNT_SHIFT) | +- (msg->addr << GMBUS_SLAVE_ADDR_SHIFT) | ++ (addr << GMBUS_SLAVE_ADDR_SHIFT) | + GMBUS_SLAVE_READ | GMBUS_SW_RDY); + while (len) { + int ret; +@@ -303,11 +302,35 @@ gmbus_xfer_read(struct drm_i915_private *dev_priv, struct i2c_msg *msg, + } + + static int +-gmbus_xfer_write(struct drm_i915_private *dev_priv, struct i2c_msg *msg) ++gmbus_xfer_read(struct drm_i915_private *dev_priv, struct i2c_msg *msg, ++ u32 gmbus1_index) + { +- int reg_offset = dev_priv->gpio_mmio_base; +- u16 len = msg->len; + u8 *buf = msg->buf; ++ unsigned int rx_size = msg->len; ++ unsigned int len; ++ int ret; ++ ++ do { ++ len = min(rx_size, GMBUS_BYTE_COUNT_MAX); ++ ++ ret = gmbus_xfer_read_chunk(dev_priv, msg->addr, ++ buf, len, gmbus1_index); ++ if (ret) ++ return ret; ++ ++ rx_size -= len; ++ buf += len; ++ } while (rx_size != 0); ++ ++ return 0; ++} ++ ++static int ++gmbus_xfer_write_chunk(struct drm_i915_private *dev_priv, ++ unsigned short addr, u8 *buf, unsigned int len) ++{ ++ int reg_offset = dev_priv->gpio_mmio_base; ++ unsigned int chunk_size = len; + u32 val, loop; + + val = loop = 0; +@@ -319,8 +342,8 @@ gmbus_xfer_write(struct drm_i915_private *dev_priv, struct i2c_msg *msg) + I915_WRITE(GMBUS3 + reg_offset, val); + I915_WRITE(GMBUS1 + reg_offset, + GMBUS_CYCLE_WAIT | +- (msg->len << GMBUS_BYTE_COUNT_SHIFT) | +- (msg->addr << GMBUS_SLAVE_ADDR_SHIFT) | ++ (chunk_size << GMBUS_BYTE_COUNT_SHIFT) | ++ (addr << GMBUS_SLAVE_ADDR_SHIFT) | + GMBUS_SLAVE_WRITE | GMBUS_SW_RDY); + while (len) { + int ret; +@@ -337,6 +360,29 @@ gmbus_xfer_write(struct drm_i915_private *dev_priv, struct i2c_msg *msg) + if (ret) + return ret; + } ++ ++ return 0; ++} ++ ++static int ++gmbus_xfer_write(struct drm_i915_private *dev_priv, struct i2c_msg *msg) ++{ ++ u8 *buf = msg->buf; ++ unsigned int tx_size = msg->len; ++ unsigned int len; ++ int ret; ++ ++ do { ++ len = min(tx_size, GMBUS_BYTE_COUNT_MAX); ++ ++ ret = gmbus_xfer_write_chunk(dev_priv, msg->addr, buf, len); ++ if (ret) ++ return ret; ++ ++ buf += len; ++ tx_size -= len; ++ } while (tx_size != 0); ++ + return 0; + } + +-- +2.3.6 + + +From f5e360ea796b5833aa7ddf281ed49d72f9eba1e3 Mon Sep 17 00:00:00 2001 +From: Al Viro <viro@zeniv.linux.org.uk> +Date: Fri, 24 Apr 2015 15:47:07 -0400 +Subject: [PATCH 195/219] RCU pathwalk breakage when running into a symlink + overmounting something +Cc: mpagano@gentoo.org + +commit 3cab989afd8d8d1bc3d99fef0e7ed87c31e7b647 upstream. + +Calling unlazy_walk() in walk_component() and do_last() when we find +a symlink that needs to be followed doesn't acquire a reference to vfsmount. +That's fine when the symlink is on the same vfsmount as the parent directory +(which is almost always the case), but it's not always true - one _can_ +manage to bind a symlink on top of something. And in such cases we end up +with excessive mntput(). + +Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/namei.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/namei.c b/fs/namei.c +index c83145a..caa38a2 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -1591,7 +1591,8 @@ static inline int walk_component(struct nameidata *nd, struct path *path, + + if (should_follow_link(path->dentry, follow)) { + if (nd->flags & LOOKUP_RCU) { +- if (unlikely(unlazy_walk(nd, path->dentry))) { ++ if (unlikely(nd->path.mnt != path->mnt || ++ unlazy_walk(nd, path->dentry))) { + err = -ECHILD; + goto out_err; + } +@@ -3047,7 +3048,8 @@ finish_lookup: + + if (should_follow_link(path->dentry, !symlink_ok)) { + if (nd->flags & LOOKUP_RCU) { +- if (unlikely(unlazy_walk(nd, path->dentry))) { ++ if (unlikely(nd->path.mnt != path->mnt || ++ unlazy_walk(nd, path->dentry))) { + error = -ECHILD; + goto out; + } +-- +2.3.6 + + +From 04dcce2b2b45c99fdaebd0baa19640674ea388f4 Mon Sep 17 00:00:00 2001 +From: Nicolas Iooss <nicolas.iooss_linux@m4x.org> +Date: Thu, 16 Apr 2015 18:48:39 +0800 +Subject: [PATCH 196/219] Revert "nfs: replace nfs_add_stats with nfs_inc_stats + when add one" +Cc: mpagano@gentoo.org + +commit 3708f842e107b9b79d54a75d152e666b693649e8 upstream. + +This reverts commit 5a254d08b086d80cbead2ebcee6d2a4b3a15587a. + +Since commit 5a254d08b086 ("nfs: replace nfs_add_stats with +nfs_inc_stats when add one"), nfs_readpage and nfs_do_writepage use +nfs_inc_stats to increment NFSIOS_READPAGES and NFSIOS_WRITEPAGES +instead of nfs_add_stats. + +However nfs_inc_stats does not do the same thing as nfs_add_stats with +value 1 because these functions work on distinct stats: +nfs_inc_stats increments stats from "enum nfs_stat_eventcounters" (in +server->io_stats->events) and nfs_add_stats those from "enum +nfs_stat_bytecounters" (in server->io_stats->bytes). + +Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org> +Fixes: 5a254d08b086 ("nfs: replace nfs_add_stats with nfs_inc_stats...") +Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/nfs/read.c | 2 +- + fs/nfs/write.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/read.c b/fs/nfs/read.c +index 568ecf0..848d8b1 100644 +--- a/fs/nfs/read.c ++++ b/fs/nfs/read.c +@@ -284,7 +284,7 @@ int nfs_readpage(struct file *file, struct page *page) + dprintk("NFS: nfs_readpage (%p %ld@%lu)\n", + page, PAGE_CACHE_SIZE, page_file_index(page)); + nfs_inc_stats(inode, NFSIOS_VFSREADPAGE); +- nfs_inc_stats(inode, NFSIOS_READPAGES); ++ nfs_add_stats(inode, NFSIOS_READPAGES, 1); + + /* + * Try to flush any pending writes to the file.. +diff --git a/fs/nfs/write.c b/fs/nfs/write.c +index 849ed78..41b3f1096 100644 +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -580,7 +580,7 @@ static int nfs_do_writepage(struct page *page, struct writeback_control *wbc, st + int ret; + + nfs_inc_stats(inode, NFSIOS_VFSWRITEPAGE); +- nfs_inc_stats(inode, NFSIOS_WRITEPAGES); ++ nfs_add_stats(inode, NFSIOS_WRITEPAGES, 1); + + nfs_pageio_cond_complete(pgio, page_file_index(page)); + ret = nfs_page_async_flush(pgio, page, wbc->sync_mode == WB_SYNC_NONE); +-- +2.3.6 + + +From 2556cb4a63a559a09112aba49d0112bd7dc4d2d6 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" <bfields@redhat.com> +Date: Fri, 3 Apr 2015 16:24:27 -0400 +Subject: [PATCH 197/219] nfsd4: disallow ALLOCATE with special stateids +Cc: mpagano@gentoo.org + +commit 5ba4a25ab7b13be528b23f85182f4d09cf7f71ad upstream. + +vfs_fallocate will hit a NULL dereference if the client tries an +ALLOCATE or DEALLOCATE with a special stateid. Fix that. (We also +depend on the open to have broken any conflicting leases or delegations +for us.) + +(If it turns out we need to allow special stateid's then we could do a +temporary open here in the special-stateid case, as we do for read and +write. For now I'm assuming it's not necessary.) + +Fixes: 95d871f03cae "nfsd: Add ALLOCATE support" +Cc: Anna Schumaker <Anna.Schumaker@Netapp.com> +Signed-off-by: J. Bruce Fields <bfields@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/nfsd/nfs4proc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index 92b9d97..5912967 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1030,6 +1030,8 @@ nfsd4_fallocate(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + dprintk("NFSD: nfsd4_fallocate: couldn't process stateid!\n"); + return status; + } ++ if (!file) ++ return nfserr_bad_stateid; + + status = nfsd4_vfs_fallocate(rqstp, &cstate->current_fh, file, + fallocate->falloc_offset, +-- +2.3.6 + + +From e2efc21fbad9a8d055586716fad4d4baaf210b56 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" <bfields@redhat.com> +Date: Fri, 3 Apr 2015 17:19:41 -0400 +Subject: [PATCH 198/219] nfsd4: fix READ permission checking +Cc: mpagano@gentoo.org + +commit 6e4891dc289cd191d46ab7ba1dcb29646644f9ca upstream. + +In the case we already have a struct file (derived from a stateid), we +still need to do permission-checking; otherwise an unauthorized user +could gain access to a file by sniffing or guessing somebody else's +stateid. + +Fixes: dc97618ddda9 "nfsd4: separate splice and readv cases" +Signed-off-by: J. Bruce Fields <bfields@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/nfsd/nfs4xdr.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c +index 5fb7e78..5b33ce1 100644 +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -3422,6 +3422,7 @@ nfsd4_encode_read(struct nfsd4_compoundres *resp, __be32 nfserr, + unsigned long maxcount; + struct xdr_stream *xdr = &resp->xdr; + struct file *file = read->rd_filp; ++ struct svc_fh *fhp = read->rd_fhp; + int starting_len = xdr->buf->len; + struct raparms *ra; + __be32 *p; +@@ -3445,12 +3446,15 @@ nfsd4_encode_read(struct nfsd4_compoundres *resp, __be32 nfserr, + maxcount = min_t(unsigned long, maxcount, (xdr->buf->buflen - xdr->buf->len)); + maxcount = min_t(unsigned long, maxcount, read->rd_length); + +- if (!read->rd_filp) { ++ if (read->rd_filp) ++ err = nfsd_permission(resp->rqstp, fhp->fh_export, ++ fhp->fh_dentry, ++ NFSD_MAY_READ|NFSD_MAY_OWNER_OVERRIDE); ++ else + err = nfsd_get_tmp_read_open(resp->rqstp, read->rd_fhp, + &file, &ra); +- if (err) +- goto err_truncate; +- } ++ if (err) ++ goto err_truncate; + + if (file->f_op->splice_read && test_bit(RQ_SPLICE_OK, &resp->rqstp->rq_flags)) + err = nfsd4_encode_splice_read(resp, read, file, maxcount); +-- +2.3.6 + + +From 6fd154a83b18bc81aa3f1071e74c36d9076ff4b9 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" <bfields@redhat.com> +Date: Tue, 21 Apr 2015 15:25:39 -0400 +Subject: [PATCH 199/219] nfsd4: disallow SEEK with special stateids +Cc: mpagano@gentoo.org + +commit 980608fb50aea34993ba956b71cd4602aa42b14b upstream. + +If the client uses a special stateid then we'll pass a NULL file to +vfs_llseek. + +Fixes: 24bab491220f " NFSD: Implement SEEK" +Cc: Anna Schumaker <Anna.Schumaker@Netapp.com> +Reported-by: Christoph Hellwig <hch@infradead.org> +Signed-off-by: J. Bruce Fields <bfields@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/nfsd/nfs4proc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index 5912967..5416968 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1071,6 +1071,8 @@ nfsd4_seek(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + dprintk("NFSD: nfsd4_seek: couldn't process stateid!\n"); + return status; + } ++ if (!file) ++ return nfserr_bad_stateid; + + switch (seek->seek_whence) { + case NFS4_CONTENT_DATA: +-- +2.3.6 + + +From 1f8303c597803d7d7c6943708dff333dbbc009a1 Mon Sep 17 00:00:00 2001 +From: Mark Salter <msalter@redhat.com> +Date: Mon, 6 Apr 2015 09:46:00 -0400 +Subject: [PATCH 200/219] nfsd: eliminate NFSD_DEBUG +Cc: mpagano@gentoo.org + +commit 135dd002c23054aaa056ea3162c1e0356905c195 upstream. + +Commit f895b252d4edf ("sunrpc: eliminate RPC_DEBUG") introduced +use of IS_ENABLED() in a uapi header which leads to a build +failure for userspace apps trying to use <linux/nfsd/debug.h>: + + linux/nfsd/debug.h:18:15: error: missing binary operator before token "(" + #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) + ^ + +Since this was only used to define NFSD_DEBUG if CONFIG_SUNRPC_DEBUG +is enabled, replace instances of NFSD_DEBUG with CONFIG_SUNRPC_DEBUG. + +Fixes: f895b252d4edf "sunrpc: eliminate RPC_DEBUG" +Signed-off-by: Mark Salter <msalter@redhat.com> +Reviewed-by: Jeff Layton <jlayton@primarydata.com> +Signed-off-by: J. Bruce Fields <bfields@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/lockd/svcsubs.c | 2 +- + fs/nfsd/nfs4state.c | 2 +- + fs/nfsd/nfsd.h | 2 +- + include/uapi/linux/nfsd/debug.h | 8 -------- + 4 files changed, 3 insertions(+), 11 deletions(-) + +diff --git a/fs/lockd/svcsubs.c b/fs/lockd/svcsubs.c +index 665ef5a..a563ddb 100644 +--- a/fs/lockd/svcsubs.c ++++ b/fs/lockd/svcsubs.c +@@ -31,7 +31,7 @@ + static struct hlist_head nlm_files[FILE_NRHASH]; + static DEFINE_MUTEX(nlm_file_mutex); + +-#ifdef NFSD_DEBUG ++#ifdef CONFIG_SUNRPC_DEBUG + static inline void nlm_debug_print_fh(char *msg, struct nfs_fh *f) + { + u32 *fhp = (u32*)f->data; +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index 8ba1d88..ee1cccd 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -1139,7 +1139,7 @@ hash_sessionid(struct nfs4_sessionid *sessionid) + return sid->sequence % SESSION_HASH_SIZE; + } + +-#ifdef NFSD_DEBUG ++#ifdef CONFIG_SUNRPC_DEBUG + static inline void + dump_sessionid(const char *fn, struct nfs4_sessionid *sessionid) + { +diff --git a/fs/nfsd/nfsd.h b/fs/nfsd/nfsd.h +index 565c4da..cf98052 100644 +--- a/fs/nfsd/nfsd.h ++++ b/fs/nfsd/nfsd.h +@@ -24,7 +24,7 @@ + #include "export.h" + + #undef ifdebug +-#ifdef NFSD_DEBUG ++#ifdef CONFIG_SUNRPC_DEBUG + # define ifdebug(flag) if (nfsd_debug & NFSDDBG_##flag) + #else + # define ifdebug(flag) if (0) +diff --git a/include/uapi/linux/nfsd/debug.h b/include/uapi/linux/nfsd/debug.h +index 0bf130a..28ec6c9 100644 +--- a/include/uapi/linux/nfsd/debug.h ++++ b/include/uapi/linux/nfsd/debug.h +@@ -12,14 +12,6 @@ + #include <linux/sunrpc/debug.h> + + /* +- * Enable debugging for nfsd. +- * Requires RPC_DEBUG. +- */ +-#if IS_ENABLED(CONFIG_SUNRPC_DEBUG) +-# define NFSD_DEBUG 1 +-#endif +- +-/* + * knfsd debug flags + */ + #define NFSDDBG_SOCK 0x0001 +-- +2.3.6 + + +From d5d30089c2a59d079a074eb37c8c223b81664ceb Mon Sep 17 00:00:00 2001 +From: Giuseppe Cantavenera <giuseppe.cantavenera.ext@nokia.com> +Date: Mon, 20 Apr 2015 18:00:08 +0200 +Subject: [PATCH 201/219] nfsd: fix nsfd startup race triggering BUG_ON +Cc: mpagano@gentoo.org + +commit bb7ffbf29e76b89a86ca4c3ee0d4690641f2f772 upstream. + +nfsd triggered a BUG_ON in net_generic(...) when rpc_pipefs_event(...) +in fs/nfsd/nfs4recover.c was called before assigning ntfsd_net_id. +The following was observed on a MIPS 32-core processor: +kernel: Call Trace: +kernel: [<ffffffffc00bc5e4>] rpc_pipefs_event+0x7c/0x158 [nfsd] +kernel: [<ffffffff8017a2a0>] notifier_call_chain+0x70/0xb8 +kernel: [<ffffffff8017a4e4>] __blocking_notifier_call_chain+0x4c/0x70 +kernel: [<ffffffff8053aff8>] rpc_fill_super+0xf8/0x1a0 +kernel: [<ffffffff8022204c>] mount_ns+0xb4/0xf0 +kernel: [<ffffffff80222b48>] mount_fs+0x50/0x1f8 +kernel: [<ffffffff8023dc00>] vfs_kern_mount+0x58/0xf0 +kernel: [<ffffffff802404ac>] do_mount+0x27c/0xa28 +kernel: [<ffffffff80240cf0>] SyS_mount+0x98/0xe8 +kernel: [<ffffffff80135d24>] handle_sys64+0x44/0x68 +kernel: +kernel: + Code: 0040f809 00000000 2e020001 <00020336> 3c12c00d + 3c02801a de100000 6442eb98 0040f809 +kernel: ---[ end trace 7471374335809536 ]--- + +Fixed this behaviour by calling register_pernet_subsys(&nfsd_net_ops) before +registering rpc_pipefs_event(...) with the notifier chain. + +Signed-off-by: Giuseppe Cantavenera <giuseppe.cantavenera.ext@nokia.com> +Signed-off-by: Lorenzo Restelli <lorenzo.restelli.ext@nokia.com> +Reviewed-by: Kinlong Mee <kinglongmee@gmail.com> +Signed-off-by: J. Bruce Fields <bfields@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/nfsd/nfsctl.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c +index aa47d75..9690cb4 100644 +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -1250,15 +1250,15 @@ static int __init init_nfsd(void) + int retval; + printk(KERN_INFO "Installing knfsd (copyright (C) 1996 okir@monad.swb.de).\n"); + +- retval = register_cld_notifier(); +- if (retval) +- return retval; + retval = register_pernet_subsys(&nfsd_net_ops); + if (retval < 0) +- goto out_unregister_notifier; +- retval = nfsd4_init_slabs(); ++ return retval; ++ retval = register_cld_notifier(); + if (retval) + goto out_unregister_pernet; ++ retval = nfsd4_init_slabs(); ++ if (retval) ++ goto out_unregister_notifier; + retval = nfsd4_init_pnfs(); + if (retval) + goto out_free_slabs; +@@ -1290,10 +1290,10 @@ out_exit_pnfs: + nfsd4_exit_pnfs(); + out_free_slabs: + nfsd4_free_slabs(); +-out_unregister_pernet: +- unregister_pernet_subsys(&nfsd_net_ops); + out_unregister_notifier: + unregister_cld_notifier(); ++out_unregister_pernet: ++ unregister_pernet_subsys(&nfsd_net_ops); + return retval; + } + +@@ -1308,8 +1308,8 @@ static void __exit exit_nfsd(void) + nfsd4_exit_pnfs(); + nfsd_fault_inject_cleanup(); + unregister_filesystem(&nfsd_fs_type); +- unregister_pernet_subsys(&nfsd_net_ops); + unregister_cld_notifier(); ++ unregister_pernet_subsys(&nfsd_net_ops); + } + + MODULE_AUTHOR("Olaf Kirch <okir@monad.swb.de>"); +-- +2.3.6 + + +From c59908b7a9d4b76f72367f055559663e1da274fc Mon Sep 17 00:00:00 2001 +From: Jeff Layton <jlayton@poochiereds.net> +Date: Fri, 20 Mar 2015 15:15:14 -0400 +Subject: [PATCH 202/219] nfs: fix high load average due to callback thread + sleeping +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Cc: mpagano@gentoo.org + +commit 5d05e54af3cdbb13cf19c557ff2184781b91a22c upstream. + +Chuck pointed out a problem that crept in with commit 6ffa30d3f734 (nfs: +don't call blocking operations while !TASK_RUNNING). Linux counts tasks +in uninterruptible sleep against the load average, so this caused the +system's load average to be pinned at at least 1 when there was a +NFSv4.1+ mount active. + +Not a huge problem, but it's probably worth fixing before we get too +many complaints about it. This patch converts the code back to use +TASK_INTERRUPTIBLE sleep, simply has it flush any signals on each loop +iteration. In practice no one should really be signalling this thread at +all, so I think this is reasonably safe. + +With this change, there's also no need to game the hung task watchdog so +we can also convert the schedule_timeout call back to a normal schedule. + +Reported-by: Chuck Lever <chuck.lever@oracle.com> +Signed-off-by: Jeff Layton <jeff.layton@primarydata.com> +Tested-by: Chuck Lever <chuck.lever@oracle.com> +Fixes: commit 6ffa30d3f734 (“nfs: don't call blocking . . .”) +Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/nfs/callback.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/nfs/callback.c b/fs/nfs/callback.c +index 351be920..8d129bb 100644 +--- a/fs/nfs/callback.c ++++ b/fs/nfs/callback.c +@@ -128,7 +128,7 @@ nfs41_callback_svc(void *vrqstp) + if (try_to_freeze()) + continue; + +- prepare_to_wait(&serv->sv_cb_waitq, &wq, TASK_UNINTERRUPTIBLE); ++ prepare_to_wait(&serv->sv_cb_waitq, &wq, TASK_INTERRUPTIBLE); + spin_lock_bh(&serv->sv_cb_lock); + if (!list_empty(&serv->sv_cb_list)) { + req = list_first_entry(&serv->sv_cb_list, +@@ -142,10 +142,10 @@ nfs41_callback_svc(void *vrqstp) + error); + } else { + spin_unlock_bh(&serv->sv_cb_lock); +- /* schedule_timeout to game the hung task watchdog */ +- schedule_timeout(60 * HZ); ++ schedule(); + finish_wait(&serv->sv_cb_waitq, &wq); + } ++ flush_signals(current); + } + return 0; + } +-- +2.3.6 + + +From dcd8d0c80e86b8821c5a453b5bf782328d8580e1 Mon Sep 17 00:00:00 2001 +From: Peng Tao <tao.peng@primarydata.com> +Date: Thu, 9 Apr 2015 23:02:16 +0800 +Subject: [PATCH 203/219] nfs: fix DIO good bytes calculation +Cc: mpagano@gentoo.org + +commit 1ccbad9f9f9bd36db26a10f0b17fbaf12b3ae93a upstream. + +For direct read that has IO size larger than rsize, we'll split +it into several READ requests and nfs_direct_good_bytes() would +count completed bytes incorrectly by eating last zero count reply. + +Fix it by handling mirror and non-mirror cases differently such that +we only count mirrored writes differently. + +This fixes 5fadeb47("nfs: count DIO good bytes correctly with mirroring"). + +Reported-by: Jean Spector <jean@primarydata.com> +Signed-off-by: Peng Tao <tao.peng@primarydata.com> +Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/nfs/direct.c | 29 +++++++++++++++++------------ + 1 file changed, 17 insertions(+), 12 deletions(-) + +diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c +index e907c8c..5e451a7 100644 +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -131,20 +131,25 @@ nfs_direct_good_bytes(struct nfs_direct_req *dreq, struct nfs_pgio_header *hdr) + + WARN_ON_ONCE(hdr->pgio_mirror_idx >= dreq->mirror_count); + +- count = dreq->mirrors[hdr->pgio_mirror_idx].count; +- if (count + dreq->io_start < hdr->io_start + hdr->good_bytes) { +- count = hdr->io_start + hdr->good_bytes - dreq->io_start; +- dreq->mirrors[hdr->pgio_mirror_idx].count = count; +- } +- +- /* update the dreq->count by finding the minimum agreed count from all +- * mirrors */ +- count = dreq->mirrors[0].count; ++ if (dreq->mirror_count == 1) { ++ dreq->mirrors[hdr->pgio_mirror_idx].count += hdr->good_bytes; ++ dreq->count += hdr->good_bytes; ++ } else { ++ /* mirrored writes */ ++ count = dreq->mirrors[hdr->pgio_mirror_idx].count; ++ if (count + dreq->io_start < hdr->io_start + hdr->good_bytes) { ++ count = hdr->io_start + hdr->good_bytes - dreq->io_start; ++ dreq->mirrors[hdr->pgio_mirror_idx].count = count; ++ } ++ /* update the dreq->count by finding the minimum agreed count from all ++ * mirrors */ ++ count = dreq->mirrors[0].count; + +- for (i = 1; i < dreq->mirror_count; i++) +- count = min(count, dreq->mirrors[i].count); ++ for (i = 1; i < dreq->mirror_count; i++) ++ count = min(count, dreq->mirrors[i].count); + +- dreq->count = count; ++ dreq->count = count; ++ } + } + + /* +-- +2.3.6 + + +From 5efdfc74ab7d8ccfce9f8517012e3962939c91fc Mon Sep 17 00:00:00 2001 +From: Peng Tao <tao.peng@primarydata.com> +Date: Thu, 9 Apr 2015 23:02:17 +0800 +Subject: [PATCH 204/219] nfs: remove WARN_ON_ONCE from nfs_direct_good_bytes +Cc: mpagano@gentoo.org + +commit 05f54903d9d370a4cd302a85681304d3ec59e5c1 upstream. + +For flexfiles driver, we might choose to read from mirror index other +than 0 while mirror_count is always 1 for read. + +Reported-by: Jean Spector <jean@primarydata.com> +Cc: Weston Andros Adamson <dros@primarydata.com> +Signed-off-by: Peng Tao <tao.peng@primarydata.com> +Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/nfs/direct.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c +index 5e451a7..ab21ef1 100644 +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -129,8 +129,6 @@ nfs_direct_good_bytes(struct nfs_direct_req *dreq, struct nfs_pgio_header *hdr) + int i; + ssize_t count; + +- WARN_ON_ONCE(hdr->pgio_mirror_idx >= dreq->mirror_count); +- + if (dreq->mirror_count == 1) { + dreq->mirrors[hdr->pgio_mirror_idx].count += hdr->good_bytes; + dreq->count += hdr->good_bytes; +-- +2.3.6 + + +From ecb403f5eaf05dd7a9160fae030d55e23a5a4445 Mon Sep 17 00:00:00 2001 +From: Anna Schumaker <Anna.Schumaker@netapp.com> +Date: Tue, 14 Apr 2015 10:34:20 -0400 +Subject: [PATCH 205/219] NFS: Add a stub for GETDEVICELIST +Cc: mpagano@gentoo.org + +commit 7c61f0d3897eeeff6f3294adb9f910ddefa8035a upstream. + +d4b18c3e (pnfs: remove GETDEVICELIST implementation) removed the +GETDEVICELIST operation from the NFS client, but left a "hole" in the +nfs4_procedures array. This caused /proc/self/mountstats to report an +operation named "51" where GETDEVICELIST used to be. This patch adds a +stub to fix mountstats. + +Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com> +Fixes: d4b18c3e (pnfs: remove GETDEVICELIST implementation) +Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + fs/nfs/nfs4xdr.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c +index 5c399ec..d494ea2 100644 +--- a/fs/nfs/nfs4xdr.c ++++ b/fs/nfs/nfs4xdr.c +@@ -7365,6 +7365,11 @@ nfs4_stat_to_errno(int stat) + .p_name = #proc, \ + } + ++#define STUB(proc) \ ++[NFSPROC4_CLNT_##proc] = { \ ++ .p_name = #proc, \ ++} ++ + struct rpc_procinfo nfs4_procedures[] = { + PROC(READ, enc_read, dec_read), + PROC(WRITE, enc_write, dec_write), +@@ -7417,6 +7422,7 @@ struct rpc_procinfo nfs4_procedures[] = { + PROC(SECINFO_NO_NAME, enc_secinfo_no_name, dec_secinfo_no_name), + PROC(TEST_STATEID, enc_test_stateid, dec_test_stateid), + PROC(FREE_STATEID, enc_free_stateid, dec_free_stateid), ++ STUB(GETDEVICELIST), + PROC(BIND_CONN_TO_SESSION, + enc_bind_conn_to_session, dec_bind_conn_to_session), + PROC(DESTROY_CLIENTID, enc_destroy_clientid, dec_destroy_clientid), +-- +2.3.6 + + +From a0e97e698901d058b984bcf1c13693f7a33375b3 Mon Sep 17 00:00:00 2001 +From: Juri Lelli <juri.lelli@arm.com> +Date: Tue, 31 Mar 2015 09:53:36 +0100 +Subject: [PATCH 206/219] sched/deadline: Always enqueue on previous rq when + dl_task_timer() fires +Cc: mpagano@gentoo.org + +commit 4cd57f97135840f637431c92380c8da3edbe44ed upstream. + +dl_task_timer() may fire on a different rq from where a task was removed +after throttling. Since the call path is: + + dl_task_timer() -> + enqueue_task_dl() -> + enqueue_dl_entity() -> + replenish_dl_entity() + +and replenish_dl_entity() uses dl_se's rq, we can't use current's rq +in dl_task_timer(), but we need to lock the task's previous one. + +Tested-by: Wanpeng Li <wanpeng.li@linux.intel.com> +Signed-off-by: Juri Lelli <juri.lelli@arm.com> +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Acked-by: Kirill Tkhai <ktkhai@parallels.com> +Cc: Juri Lelli <juri.lelli@gmail.com> +Fixes: 3960c8c0c789 ("sched: Make dl_task_time() use task_rq_lock()") +Link: http://lkml.kernel.org/r/1427792017-7356-1-git-send-email-juri.lelli@arm.com +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + kernel/sched/deadline.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index 3fa8fa6..f670cbb 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -514,7 +514,7 @@ static enum hrtimer_restart dl_task_timer(struct hrtimer *timer) + unsigned long flags; + struct rq *rq; + +- rq = task_rq_lock(current, &flags); ++ rq = task_rq_lock(p, &flags); + + /* + * We need to take care of several possible races here: +@@ -569,7 +569,7 @@ static enum hrtimer_restart dl_task_timer(struct hrtimer *timer) + push_dl_task(rq); + #endif + unlock: +- task_rq_unlock(rq, current, &flags); ++ task_rq_unlock(rq, p, &flags); + + return HRTIMER_NORESTART; + } +-- +2.3.6 + + +From 9279e1f98b13d5e5b40805114896ec33313ad019 Mon Sep 17 00:00:00 2001 +From: Sabrina Dubroca <sd@queasysnail.net> +Date: Thu, 26 Feb 2015 05:35:41 +0000 +Subject: [PATCH 207/219] e1000: add dummy allocator to fix race condition + between mtu change and netpoll +Cc: mpagano@gentoo.org + +commit 08e8331654d1d7b2c58045e549005bc356aa7810 upstream. + +There is a race condition between e1000_change_mtu's cleanups and +netpoll, when we change the MTU across jumbo size: + +Changing MTU frees all the rx buffers: + e1000_change_mtu -> e1000_down -> e1000_clean_all_rx_rings -> + e1000_clean_rx_ring + +Then, close to the end of e1000_change_mtu: + pr_info -> ... -> netpoll_poll_dev -> e1000_clean -> + e1000_clean_rx_irq -> e1000_alloc_rx_buffers -> e1000_alloc_frag + +And when we come back to do the rest of the MTU change: + e1000_up -> e1000_configure -> e1000_configure_rx -> + e1000_alloc_jumbo_rx_buffers + +alloc_jumbo finds the buffers already != NULL, since data (shared with +page in e1000_rx_buffer->rxbuf) has been re-alloc'd, but it's garbage, +or at least not what is expected when in jumbo state. + +This results in an unusable adapter (packets don't get through), and a +NULL pointer dereference on the next call to e1000_clean_rx_ring +(other mtu change, link down, shutdown): + +BUG: unable to handle kernel NULL pointer dereference at (null) +IP: [<ffffffff81194d6e>] put_compound_page+0x7e/0x330 + + [...] + +Call Trace: + [<ffffffff81195445>] put_page+0x55/0x60 + [<ffffffff815d9f44>] e1000_clean_rx_ring+0x134/0x200 + [<ffffffff815da055>] e1000_clean_all_rx_rings+0x45/0x60 + [<ffffffff815df5e0>] e1000_down+0x1c0/0x1d0 + [<ffffffff811e2260>] ? deactivate_slab+0x7f0/0x840 + [<ffffffff815e21bc>] e1000_change_mtu+0xdc/0x170 + [<ffffffff81647050>] dev_set_mtu+0xa0/0x140 + [<ffffffff81664218>] do_setlink+0x218/0xac0 + [<ffffffff814459e9>] ? nla_parse+0xb9/0x120 + [<ffffffff816652d0>] rtnl_newlink+0x6d0/0x890 + [<ffffffff8104f000>] ? kvm_clock_read+0x20/0x40 + [<ffffffff810a2068>] ? sched_clock_cpu+0xa8/0x100 + [<ffffffff81663802>] rtnetlink_rcv_msg+0x92/0x260 + +By setting the allocator to a dummy version, netpoll can't mess up our +rx buffers. The allocator is set back to a sane value in +e1000_configure_rx. + +Fixes: edbbb3ca1077 ("e1000: implement jumbo receive with partial descriptors") +Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> +Tested-by: Aaron Brown <aaron.f.brown@intel.com> +Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/net/ethernet/intel/e1000/e1000_main.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c +index 7f997d3..a71c446 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c +@@ -144,6 +144,11 @@ static bool e1000_clean_rx_irq(struct e1000_adapter *adapter, + static bool e1000_clean_jumbo_rx_irq(struct e1000_adapter *adapter, + struct e1000_rx_ring *rx_ring, + int *work_done, int work_to_do); ++static void e1000_alloc_dummy_rx_buffers(struct e1000_adapter *adapter, ++ struct e1000_rx_ring *rx_ring, ++ int cleaned_count) ++{ ++} + static void e1000_alloc_rx_buffers(struct e1000_adapter *adapter, + struct e1000_rx_ring *rx_ring, + int cleaned_count); +@@ -3552,8 +3557,11 @@ static int e1000_change_mtu(struct net_device *netdev, int new_mtu) + msleep(1); + /* e1000_down has a dependency on max_frame_size */ + hw->max_frame_size = max_frame; +- if (netif_running(netdev)) ++ if (netif_running(netdev)) { ++ /* prevent buffers from being reallocated */ ++ adapter->alloc_rx_buf = e1000_alloc_dummy_rx_buffers; + e1000_down(adapter); ++ } + + /* NOTE: netdev_alloc_skb reserves 16 bytes, and typically NET_IP_ALIGN + * means we reserve 2 more, this pushes us to allocate from the next +-- +2.3.6 + + +From dada7797e4595606cf730600d8c9a03955a8264b Mon Sep 17 00:00:00 2001 +From: Johannes Berg <johannes.berg@intel.com> +Date: Sat, 21 Mar 2015 07:41:04 +0100 +Subject: [PATCH 208/219] mac80211: send AP probe as unicast again +Cc: mpagano@gentoo.org + +commit a73f8e21f3f93159bc19e154e8f50891c22c11db upstream. + +Louis reported that a static checker was complaining that +the 'dst' variable was set (multiple times) but not used. +This is due to a previous commit having removed the usage +(apparently erroneously), so add it back. + +Fixes: a344d6778a98 ("mac80211: allow drivers to support NL80211_SCAN_FLAG_RANDOM_ADDR") +Reported-by: Louis Langholtz <lou_langholtz@me.com> +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + net/mac80211/mlme.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 142f66a..0ca013d 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -2260,7 +2260,7 @@ static void ieee80211_mgd_probe_ap_send(struct ieee80211_sub_if_data *sdata) + else + ssid_len = ssid[1]; + +- ieee80211_send_probe_req(sdata, sdata->vif.addr, NULL, ++ ieee80211_send_probe_req(sdata, sdata->vif.addr, dst, + ssid + 2, ssid_len, NULL, + 0, (u32) -1, true, 0, + ifmgd->associated->channel, false); +-- +2.3.6 + + +From e86ecd8a7bbc590987b4046c523d8caaef8f8b5f Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann <daniel@iogearbox.net> +Date: Thu, 12 Mar 2015 17:21:42 +0100 +Subject: [PATCH 209/219] ebpf: verifier: check that call reg with ARG_ANYTHING + is initialized +Cc: mpagano@gentoo.org + +commit 80f1d68ccba70b1060c9c7360ca83da430f66bed upstream. + +I noticed that a helper function with argument type ARG_ANYTHING does +not need to have an initialized value (register). + +This can worst case lead to unintented stack memory leakage in future +helper functions if they are not carefully designed, or unintended +application behaviour in case the application developer was not careful +enough to match a correct helper function signature in the API. + +The underlying issue is that ARG_ANYTHING should actually be split +into two different semantics: + + 1) ARG_DONTCARE for function arguments that the helper function + does not care about (in other words: the default for unused + function arguments), and + + 2) ARG_ANYTHING that is an argument actually being used by a + helper function and *guaranteed* to be an initialized register. + +The current risk is low: ARG_ANYTHING is only used for the 'flags' +argument (r4) in bpf_map_update_elem() that internally does strict +checking. + +Fixes: 17a5267067f3 ("bpf: verifier (add verifier core)") +Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> +Acked-by: Alexei Starovoitov <ast@plumgrid.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + include/linux/bpf.h | 4 +++- + kernel/bpf/verifier.c | 5 ++++- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index bbfceb7..33b52fb 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -48,7 +48,7 @@ struct bpf_map *bpf_map_get(struct fd f); + + /* function argument constraints */ + enum bpf_arg_type { +- ARG_ANYTHING = 0, /* any argument is ok */ ++ ARG_DONTCARE = 0, /* unused argument in helper function */ + + /* the following constraints used to prototype + * bpf_map_lookup/update/delete_elem() functions +@@ -62,6 +62,8 @@ enum bpf_arg_type { + */ + ARG_PTR_TO_STACK, /* any pointer to eBPF program stack */ + ARG_CONST_STACK_SIZE, /* number of bytes accessed from stack */ ++ ++ ARG_ANYTHING, /* any (initialized) argument is ok */ + }; + + /* type of values returned from helper functions */ +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 36508e6..5d8ea3d 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -755,7 +755,7 @@ static int check_func_arg(struct verifier_env *env, u32 regno, + enum bpf_reg_type expected_type; + int err = 0; + +- if (arg_type == ARG_ANYTHING) ++ if (arg_type == ARG_DONTCARE) + return 0; + + if (reg->type == NOT_INIT) { +@@ -763,6 +763,9 @@ static int check_func_arg(struct verifier_env *env, u32 regno, + return -EACCES; + } + ++ if (arg_type == ARG_ANYTHING) ++ return 0; ++ + if (arg_type == ARG_PTR_TO_STACK || arg_type == ARG_PTR_TO_MAP_KEY || + arg_type == ARG_PTR_TO_MAP_VALUE) { + expected_type = PTR_TO_STACK; +-- +2.3.6 + + +From 0b97a15f6fedf422d276245866319990c2c771c5 Mon Sep 17 00:00:00 2001 +From: David Rientjes <rientjes@google.com> +Date: Tue, 14 Apr 2015 15:46:58 -0700 +Subject: [PATCH 210/219] mm, thp: really limit transparent hugepage allocation + to local node +Cc: mpagano@gentoo.org + +commit 5265047ac30191ea24b16503165000c225f54feb upstream. + +Commit 077fcf116c8c ("mm/thp: allocate transparent hugepages on local +node") restructured alloc_hugepage_vma() with the intent of only +allocating transparent hugepages locally when there was not an effective +interleave mempolicy. + +alloc_pages_exact_node() does not limit the allocation to the single node, +however, but rather prefers it. This is because __GFP_THISNODE is not set +which would cause the node-local nodemask to be passed. Without it, only +a nodemask that prefers the local node is passed. + +Fix this by passing __GFP_THISNODE and falling back to small pages when +the allocation fails. + +Commit 9f1b868a13ac ("mm: thp: khugepaged: add policy for finding target +node") suffers from a similar problem for khugepaged, which is also fixed. + +Fixes: 077fcf116c8c ("mm/thp: allocate transparent hugepages on local node") +Fixes: 9f1b868a13ac ("mm: thp: khugepaged: add policy for finding target node") +Signed-off-by: David Rientjes <rientjes@google.com> +Acked-by: Vlastimil Babka <vbabka@suse.cz> +Cc: Christoph Lameter <cl@linux.com> +Cc: Pekka Enberg <penberg@kernel.org> +Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> +Cc: Johannes Weiner <hannes@cmpxchg.org> +Cc: Mel Gorman <mgorman@suse.de> +Cc: Pravin Shelar <pshelar@nicira.com> +Cc: Jarno Rajahalme <jrajahalme@nicira.com> +Cc: Li Zefan <lizefan@huawei.com> +Cc: Greg Thelen <gthelen@google.com> +Cc: Tejun Heo <tj@kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + mm/huge_memory.c | 9 +++++++-- + mm/mempolicy.c | 3 ++- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index 6817b03..956d4db 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2316,8 +2316,14 @@ static struct page + struct vm_area_struct *vma, unsigned long address, + int node) + { ++ gfp_t flags; ++ + VM_BUG_ON_PAGE(*hpage, *hpage); + ++ /* Only allocate from the target node */ ++ flags = alloc_hugepage_gfpmask(khugepaged_defrag(), __GFP_OTHER_NODE) | ++ __GFP_THISNODE; ++ + /* + * Before allocating the hugepage, release the mmap_sem read lock. + * The allocation can take potentially a long time if it involves +@@ -2326,8 +2332,7 @@ static struct page + */ + up_read(&mm->mmap_sem); + +- *hpage = alloc_pages_exact_node(node, alloc_hugepage_gfpmask( +- khugepaged_defrag(), __GFP_OTHER_NODE), HPAGE_PMD_ORDER); ++ *hpage = alloc_pages_exact_node(node, flags, HPAGE_PMD_ORDER); + if (unlikely(!*hpage)) { + count_vm_event(THP_COLLAPSE_ALLOC_FAILED); + *hpage = ERR_PTR(-ENOMEM); +diff --git a/mm/mempolicy.c b/mm/mempolicy.c +index 4721046..de5dc5e 100644 +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -1985,7 +1985,8 @@ retry_cpuset: + nmask = policy_nodemask(gfp, pol); + if (!nmask || node_isset(node, *nmask)) { + mpol_cond_put(pol); +- page = alloc_pages_exact_node(node, gfp, order); ++ page = alloc_pages_exact_node(node, ++ gfp | __GFP_THISNODE, order); + goto out; + } + } +-- +2.3.6 + + +From 2649caa31cc3143b2ad3039ac581dacd7529a631 Mon Sep 17 00:00:00 2001 +From: mancha security <mancha1@zoho.com> +Date: Wed, 18 Mar 2015 18:47:25 +0100 +Subject: [PATCH 211/219] lib: memzero_explicit: use barrier instead of + OPTIMIZER_HIDE_VAR +Cc: mpagano@gentoo.org + +commit 0b053c9518292705736329a8fe20ef4686ffc8e9 upstream. + +OPTIMIZER_HIDE_VAR(), as defined when using gcc, is insufficient to +ensure protection from dead store optimization. + +For the random driver and crypto drivers, calls are emitted ... + + $ gdb vmlinux + (gdb) disassemble memzero_explicit + Dump of assembler code for function memzero_explicit: + 0xffffffff813a18b0 <+0>: push %rbp + 0xffffffff813a18b1 <+1>: mov %rsi,%rdx + 0xffffffff813a18b4 <+4>: xor %esi,%esi + 0xffffffff813a18b6 <+6>: mov %rsp,%rbp + 0xffffffff813a18b9 <+9>: callq 0xffffffff813a7120 <memset> + 0xffffffff813a18be <+14>: pop %rbp + 0xffffffff813a18bf <+15>: retq + End of assembler dump. + + (gdb) disassemble extract_entropy + [...] + 0xffffffff814a5009 <+313>: mov %r12,%rdi + 0xffffffff814a500c <+316>: mov $0xa,%esi + 0xffffffff814a5011 <+321>: callq 0xffffffff813a18b0 <memzero_explicit> + 0xffffffff814a5016 <+326>: mov -0x48(%rbp),%rax + [...] + +... but in case in future we might use facilities such as LTO, then +OPTIMIZER_HIDE_VAR() is not sufficient to protect gcc from a possible +eviction of the memset(). We have to use a compiler barrier instead. + +Minimal test example when we assume memzero_explicit() would *not* be +a call, but would have been *inlined* instead: + + static inline void memzero_explicit(void *s, size_t count) + { + memset(s, 0, count); + <foo> + } + + int main(void) + { + char buff[20]; + + snprintf(buff, sizeof(buff) - 1, "test"); + printf("%s", buff); + + memzero_explicit(buff, sizeof(buff)); + return 0; + } + +With <foo> := OPTIMIZER_HIDE_VAR(): + + (gdb) disassemble main + Dump of assembler code for function main: + [...] + 0x0000000000400464 <+36>: callq 0x400410 <printf@plt> + 0x0000000000400469 <+41>: xor %eax,%eax + 0x000000000040046b <+43>: add $0x28,%rsp + 0x000000000040046f <+47>: retq + End of assembler dump. + +With <foo> := barrier(): + + (gdb) disassemble main + Dump of assembler code for function main: + [...] + 0x0000000000400464 <+36>: callq 0x400410 <printf@plt> + 0x0000000000400469 <+41>: movq $0x0,(%rsp) + 0x0000000000400471 <+49>: movq $0x0,0x8(%rsp) + 0x000000000040047a <+58>: movl $0x0,0x10(%rsp) + 0x0000000000400482 <+66>: xor %eax,%eax + 0x0000000000400484 <+68>: add $0x28,%rsp + 0x0000000000400488 <+72>: retq + End of assembler dump. + +As can be seen, movq, movq, movl are being emitted inlined +via memset(). + +Reference: http://thread.gmane.org/gmane.linux.kernel.cryptoapi/13764/ +Fixes: d4c5efdb9777 ("random: add and use memzero_explicit() for clearing data") +Cc: Theodore Ts'o <tytso@mit.edu> +Signed-off-by: mancha security <mancha1@zoho.com> +Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> +Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> +Acked-by: Stephan Mueller <smueller@chronox.de> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + lib/string.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/string.c b/lib/string.c +index ce81aae..a579201 100644 +--- a/lib/string.c ++++ b/lib/string.c +@@ -607,7 +607,7 @@ EXPORT_SYMBOL(memset); + void memzero_explicit(void *s, size_t count) + { + memset(s, 0, count); +- OPTIMIZER_HIDE_VAR(s); ++ barrier(); + } + EXPORT_SYMBOL(memzero_explicit); + +-- +2.3.6 + + +From 1cd176dfd9e5e4d0cae0545fa8c56ecd582b2e9a Mon Sep 17 00:00:00 2001 +From: Nicolas Iooss <nicolas.iooss_linux@m4x.org> +Date: Fri, 13 Mar 2015 15:17:14 +0800 +Subject: [PATCH 212/219] wl18xx: show rx_frames_per_rates as an array as it + really is +Cc: mpagano@gentoo.org + +commit a3fa71c40f1853d0c27e8f5bc01a722a705d9682 upstream. + +In struct wl18xx_acx_rx_rate_stat, rx_frames_per_rates field is an +array, not a number. This means WL18XX_DEBUGFS_FWSTATS_FILE can't be +used to display this field in debugfs (it would display a pointer, not +the actual data). Use WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY instead. + +This bug has been found by adding a __printf attribute to +wl1271_format_buffer. gcc complained about "format '%u' expects +argument of type 'unsigned int', but argument 5 has type 'u32 *'". + +Fixes: c5d94169e818 ("wl18xx: use new fw stats structures") +Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/net/wireless/ti/wl18xx/debugfs.c | 2 +- + drivers/net/wireless/ti/wlcore/debugfs.h | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ti/wl18xx/debugfs.c b/drivers/net/wireless/ti/wl18xx/debugfs.c +index c93fae9..5fbd223 100644 +--- a/drivers/net/wireless/ti/wl18xx/debugfs.c ++++ b/drivers/net/wireless/ti/wl18xx/debugfs.c +@@ -139,7 +139,7 @@ WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, protection_filter, "%u"); + WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, accum_arp_pend_requests, "%u"); + WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, max_arp_queue_dep, "%u"); + +-WL18XX_DEBUGFS_FWSTATS_FILE(rx_rate, rx_frames_per_rates, "%u"); ++WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY(rx_rate, rx_frames_per_rates, 50); + + WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY(aggr_size, tx_agg_vs_rate, + AGGR_STATS_TX_AGG*AGGR_STATS_TX_RATE); +diff --git a/drivers/net/wireless/ti/wlcore/debugfs.h b/drivers/net/wireless/ti/wlcore/debugfs.h +index 0f2cfb0..bf14676 100644 +--- a/drivers/net/wireless/ti/wlcore/debugfs.h ++++ b/drivers/net/wireless/ti/wlcore/debugfs.h +@@ -26,8 +26,8 @@ + + #include "wlcore.h" + +-int wl1271_format_buffer(char __user *userbuf, size_t count, +- loff_t *ppos, char *fmt, ...); ++__printf(4, 5) int wl1271_format_buffer(char __user *userbuf, size_t count, ++ loff_t *ppos, char *fmt, ...); + + int wl1271_debugfs_init(struct wl1271 *wl); + void wl1271_debugfs_exit(struct wl1271 *wl); +-- +2.3.6 + + +From 8a7e1640e89ee191d677e2d994476ce68e2160ea Mon Sep 17 00:00:00 2001 +From: "Vutla, Lokesh" <lokeshvutla@ti.com> +Date: Tue, 31 Mar 2015 09:52:25 +0530 +Subject: [PATCH 213/219] crypto: omap-aes - Fix support for unequal lengths +Cc: mpagano@gentoo.org + +commit 6d7e7e02a044025237b6f62a20521170b794537f upstream. + +For cases where total length of an input SGs is not same as +length of the input data for encryption, omap-aes driver +crashes. This happens in the case when IPsec is trying to use +omap-aes driver. + +To avoid this, we copy all the pages from the input SG list +into a contiguous buffer and prepare a single element SG list +for this buffer with length as the total bytes to crypt, which is +similar thing that is done in case of unaligned lengths. + +Fixes: 6242332ff2f3 ("crypto: omap-aes - Add support for cases of unaligned lengths") +Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/crypto/omap-aes.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/crypto/omap-aes.c b/drivers/crypto/omap-aes.c +index 42f95a4..9a28b7e 100644 +--- a/drivers/crypto/omap-aes.c ++++ b/drivers/crypto/omap-aes.c +@@ -554,15 +554,23 @@ static int omap_aes_crypt_dma_stop(struct omap_aes_dev *dd) + return err; + } + +-static int omap_aes_check_aligned(struct scatterlist *sg) ++static int omap_aes_check_aligned(struct scatterlist *sg, int total) + { ++ int len = 0; ++ + while (sg) { + if (!IS_ALIGNED(sg->offset, 4)) + return -1; + if (!IS_ALIGNED(sg->length, AES_BLOCK_SIZE)) + return -1; ++ ++ len += sg->length; + sg = sg_next(sg); + } ++ ++ if (len != total) ++ return -1; ++ + return 0; + } + +@@ -633,8 +641,8 @@ static int omap_aes_handle_queue(struct omap_aes_dev *dd, + dd->in_sg = req->src; + dd->out_sg = req->dst; + +- if (omap_aes_check_aligned(dd->in_sg) || +- omap_aes_check_aligned(dd->out_sg)) { ++ if (omap_aes_check_aligned(dd->in_sg, dd->total) || ++ omap_aes_check_aligned(dd->out_sg, dd->total)) { + if (omap_aes_copy_sgs(dd)) + pr_err("Failed to copy SGs for unaligned cases\n"); + dd->sgs_copied = 1; +-- +2.3.6 + + +From 78775b31ea25fc6d25f2444c634b2eec0ed90bca Mon Sep 17 00:00:00 2001 +From: Nishanth Menon <nm@ti.com> +Date: Sat, 7 Mar 2015 03:39:05 -0600 +Subject: [PATCH 214/219] C6x: time: Ensure consistency in __init +Cc: mpagano@gentoo.org + +commit f4831605f2dacd12730fe73961c77253cc2ea425 upstream. + +time_init invokes timer64_init (which is __init annotation) +since all of these are invoked at init time, lets maintain +consistency by ensuring time_init is marked appropriately +as well. + +This fixes the following warning with CONFIG_DEBUG_SECTION_MISMATCH=y + +WARNING: vmlinux.o(.text+0x3bfc): Section mismatch in reference from the function time_init() to the function .init.text:timer64_init() +The function time_init() references +the function __init timer64_init(). +This is often because time_init lacks a __init +annotation or the annotation of timer64_init is wrong. + +Fixes: 546a39546c64 ("C6X: time management") +Signed-off-by: Nishanth Menon <nm@ti.com> +Signed-off-by: Mark Salter <msalter@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + arch/c6x/kernel/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/c6x/kernel/time.c b/arch/c6x/kernel/time.c +index 356ee84..04845aa 100644 +--- a/arch/c6x/kernel/time.c ++++ b/arch/c6x/kernel/time.c +@@ -49,7 +49,7 @@ u64 sched_clock(void) + return (tsc * sched_clock_multiplier) >> SCHED_CLOCK_SHIFT; + } + +-void time_init(void) ++void __init time_init(void) + { + u64 tmp = (u64)NSEC_PER_SEC << SCHED_CLOCK_SHIFT; + +-- +2.3.6 + + +From df0bffebd40ba332f01193e2b6694042a0a2f56c Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Thu, 16 Apr 2015 12:48:35 -0700 +Subject: [PATCH 215/219] memstick: mspro_block: add missing curly braces +Cc: mpagano@gentoo.org + +commit 13f6b191aaa11c7fd718d35a0c565f3c16bc1d99 upstream. + +Using the indenting we can see the curly braces were obviously intended. +This is a static checker fix, but my guess is that we don't read enough +bytes, because we don't calculate "t_len" correctly. + +Fixes: f1d82698029b ('memstick: use fully asynchronous request processing') +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Cc: Alex Dubov <oakad@yahoo.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/memstick/core/mspro_block.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/memstick/core/mspro_block.c b/drivers/memstick/core/mspro_block.c +index fc145d2..922a750 100644 +--- a/drivers/memstick/core/mspro_block.c ++++ b/drivers/memstick/core/mspro_block.c +@@ -758,7 +758,7 @@ static int mspro_block_complete_req(struct memstick_dev *card, int error) + + if (error || (card->current_mrq.tpc == MSPRO_CMD_STOP)) { + if (msb->data_dir == READ) { +- for (cnt = 0; cnt < msb->current_seg; cnt++) ++ for (cnt = 0; cnt < msb->current_seg; cnt++) { + t_len += msb->req_sg[cnt].length + / msb->page_size; + +@@ -766,6 +766,7 @@ static int mspro_block_complete_req(struct memstick_dev *card, int error) + t_len += msb->current_page - 1; + + t_len *= msb->page_size; ++ } + } + } else + t_len = blk_rq_bytes(msb->block_req); +-- +2.3.6 + + +From 6361409a1274060993b246c688c24a7c863c7eeb Mon Sep 17 00:00:00 2001 +From: Linus Walleij <linus.walleij@linaro.org> +Date: Wed, 18 Feb 2015 17:12:18 +0100 +Subject: [PATCH 216/219] drivers: platform: parse IRQ flags from resources +Cc: mpagano@gentoo.org + +commit 7085a7401ba54e92bbb5aa24d6f428071e18e509 upstream. + +This fixes a regression from the net subsystem: +After commit d52fdbb735c36a209f36a628d40ca9185b349ba7 +"smc91x: retrieve IRQ and trigger flags in a modern way" +a regression would appear on some legacy platforms such +as the ARM PXA Zylonite that specify IRQ resources like +this: + +static struct resource r = { + .start = X, + .end = X, + .flags = IORESOURCE_IRQ | IORESOURCE_IRQ_HIGHEDGE, +}; + +The previous code would retrieve the resource and parse +the high edge setting in the SMC91x driver, a use pattern +that means every driver specifying an IRQ flag from a +static resource need to parse resource flags and apply +them at runtime. + +As we switched the code to use IRQ descriptors to retrieve +the the trigger type like this: + + irqd_get_trigger_type(irq_get_irq_data(...)); + +the code would work for new platforms using e.g. device +tree as the backing irq descriptor would have its flags +properly set, whereas this kind of oldstyle static +resources at no point assign the trigger flags to the +corresponding IRQ descriptor. + +To make the behaviour identical on modern device tree +and legacy static platform data platforms, modify +platform_get_irq() to assign the trigger flags to the +irq descriptor when a client looks up an IRQ from static +resources. + +Fixes: d52fdbb735c3 ("smc91x: retrieve IRQ and trigger flags in a modern way") +Tested-by: Robert Jarzmik <robert.jarzmik@free.fr> +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/base/platform.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/base/platform.c b/drivers/base/platform.c +index 9421fed..e68ab79 100644 +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -101,6 +101,15 @@ int platform_get_irq(struct platform_device *dev, unsigned int num) + } + + r = platform_get_resource(dev, IORESOURCE_IRQ, num); ++ /* ++ * The resources may pass trigger flags to the irqs that need ++ * to be set up. It so happens that the trigger flags for ++ * IORESOURCE_BITS correspond 1-to-1 to the IRQF_TRIGGER* ++ * settings. ++ */ ++ if (r && r->flags & IORESOURCE_BITS) ++ irqd_set_trigger_type(irq_get_irq_data(r->start), ++ r->flags & IORESOURCE_BITS); + + return r ? r->start : -ENXIO; + #endif +-- +2.3.6 + + +From 4c0a56b2ee7b3a3741339e943acd2692c146fcb1 Mon Sep 17 00:00:00 2001 +From: Junjie Mao <junjie_mao@yeah.net> +Date: Wed, 28 Jan 2015 10:02:44 +0800 +Subject: [PATCH 217/219] driver core: bus: Goto appropriate labels on failure + in bus_add_device +Cc: mpagano@gentoo.org + +commit 1c34203a1496d1849ba978021b878b3447d433c8 upstream. + +It is not necessary to call device_remove_groups() when device_add_groups() +fails. + +The group added by device_add_groups() should be removed if sysfs_create_link() +fails. + +Fixes: fa6fdb33b486 ("driver core: bus_type: add dev_groups") +Signed-off-by: Junjie Mao <junjie_mao@yeah.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + drivers/base/bus.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/base/bus.c b/drivers/base/bus.c +index 876bae5..79bc203 100644 +--- a/drivers/base/bus.c ++++ b/drivers/base/bus.c +@@ -515,11 +515,11 @@ int bus_add_device(struct device *dev) + goto out_put; + error = device_add_groups(dev, bus->dev_groups); + if (error) +- goto out_groups; ++ goto out_id; + error = sysfs_create_link(&bus->p->devices_kset->kobj, + &dev->kobj, dev_name(dev)); + if (error) +- goto out_id; ++ goto out_groups; + error = sysfs_create_link(&dev->kobj, + &dev->bus->p->subsys.kobj, "subsystem"); + if (error) +-- +2.3.6 + + +From cf1cab07a20abcfa17f0cf431d103471ebd7b33c Mon Sep 17 00:00:00 2001 +From: Florian Westphal <fw@strlen.de> +Date: Wed, 1 Apr 2015 22:36:27 +0200 +Subject: [PATCH 218/219] netfilter: bridge: really save frag_max_size between + PRE and POST_ROUTING +Cc: mpagano@gentoo.org + +commit 0b67c43ce36a9964f1d5e3f973ee19eefd3f9f8f upstream. + +We also need to save/store in forward, else br_parse_ip_options call +will zero frag_max_size as well. + +Fixes: 93fdd47e5 ('bridge: Save frag_max_size between PRE_ROUTING and POST_ROUTING') +Signed-off-by: Florian Westphal <fw@strlen.de> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + net/bridge/br_netfilter.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c +index 0ee453f..f371cbf 100644 +--- a/net/bridge/br_netfilter.c ++++ b/net/bridge/br_netfilter.c +@@ -651,6 +651,13 @@ static int br_nf_forward_finish(struct sk_buff *skb) + struct net_device *in; + + if (!IS_ARP(skb) && !IS_VLAN_ARP(skb)) { ++ int frag_max_size; ++ ++ if (skb->protocol == htons(ETH_P_IP)) { ++ frag_max_size = IPCB(skb)->frag_max_size; ++ BR_INPUT_SKB_CB(skb)->frag_max_size = frag_max_size; ++ } ++ + in = nf_bridge->physindev; + if (nf_bridge->mask & BRNF_PKT_TYPE) { + skb->pkt_type = PACKET_OTHERHOST; +@@ -710,8 +717,14 @@ static unsigned int br_nf_forward_ip(const struct nf_hook_ops *ops, + nf_bridge->mask |= BRNF_PKT_TYPE; + } + +- if (pf == NFPROTO_IPV4 && br_parse_ip_options(skb)) +- return NF_DROP; ++ if (pf == NFPROTO_IPV4) { ++ int frag_max = BR_INPUT_SKB_CB(skb)->frag_max_size; ++ ++ if (br_parse_ip_options(skb)) ++ return NF_DROP; ++ ++ IPCB(skb)->frag_max_size = frag_max; ++ } + + /* The physdev module checks on this */ + nf_bridge->mask |= BRNF_BRIDGED; +-- +2.3.6 + + +From 072cab659c9368586d6417cfd6ec2d2c68469c67 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Date: Wed, 6 May 2015 22:04:23 +0200 +Subject: [PATCH 219/219] Linux 4.0.2 +Cc: mpagano@gentoo.org + +Signed-off-by: Mike Pagano <mpagano@gentoo.org> +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index f499cd2..0649a60 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 0 +-SUBLEVEL = 1 ++SUBLEVEL = 2 + EXTRAVERSION = + NAME = Hurr durr I'ma sheep + +-- +2.3.6 + |