commit 584fd7872c1bc29d3b752bebb6a5b470018f83e8 Author: Greg Kroah-Hartman Date: Thu Jan 12 11:41:42 2017 +0100 Linux 4.9.3 commit 3999c535da7add2f5283303d77eb56434e660fd6 Author: Felipe Balbi Date: Wed Sep 28 12:33:31 2016 +0300 usb: gadget: composite: always set ep->mult to a sensible value commit eaa496ffaaf19591fe471a36cef366146eeb9153 upstream. ep->mult is supposed to be set to Isochronous and Interrupt Endapoint's multiplier value. This value is computed from different places depending on the link speed. If we're dealing with HighSpeed, then it's part of bits [12:11] of wMaxPacketSize. This case wasn't taken into consideration before. While at that, also make sure the ep->mult defaults to one so drivers can use it unconditionally and assume they'll never multiply ep->maxpacket to zero. Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 7ff469ceba2652241778e75f263205fe7932b376 Author: Greg Kroah-Hartman Date: Thu Jan 12 08:51:32 2017 +0100 Revert "usb: gadget: composite: always set ep->mult to a sensible value" This reverts commit eab1c4e2d0ad4509ccb8476a604074547dc202e0 which is commit eaa496ffaaf19591fe471a36cef366146eeb9153 upstream as it was incorrectly backported. Reported-by: Bin Liu Cc: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit ec3d5c521af86e53690c8850def2d2f6a35e7756 Author: Greg Kroah-Hartman Date: Thu Jan 12 08:29:09 2017 +0100 Revert "rtlwifi: Fix enter/exit power_save" This reverts commit 98068574928f499b30f136ff57ef9a03cc575a36, which is commit ba9f93f82abafe2552eac942ebb11c2df4f8dd7f upstream as it causes problems. Reported-by: Dmitry Osipenko Cc: Ping-Ke Shih Cc: Larry Finger Cc: Kalle Valo Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org commit cf365b117388a50902d56988e69dd6f70b7662fc Author: Thomas Gleixner Date: Thu Dec 15 12:10:37 2016 +0100 tick/broadcast: Prevent NULL pointer dereference commit c1a9eeb938b5433947e5ea22f89baff3182e7075 upstream. When a disfunctional timer, e.g. dummy timer, is installed, the tick core tries to setup the broadcast timer. If no broadcast device is installed, the kernel crashes with a NULL pointer dereference in tick_broadcast_setup_oneshot() because the function has no sanity check. Reported-by: Mason Signed-off-by: Thomas Gleixner Cc: Mark Rutland Cc: Anna-Maria Gleixner Cc: Richard Cochran Cc: Sebastian Andrzej Siewior Cc: Daniel Lezcano Cc: Peter Zijlstra , Cc: Sebastian Frias Cc: Thibaud Cornic Cc: Robin Murphy Link: http://lkml.kernel.org/r/1147ef90-7877-e4d2-bb2b-5c4fa8d3144b@free.fr Signed-off-by: Greg Kroah-Hartman commit 34db201f0de7138d3646946f5d33e178c93efca6 Author: Thomas Gleixner Date: Thu Dec 15 12:01:05 2016 +0100 clocksource/dummy_timer: Move hotplug callback after the real timers commit 9bf11ecce5a2758e5a097c2f3a13d08552d0d6f9 upstream. When the dummy timer callback is invoked before the real timer callbacks, then it tries to install that timer for the starting CPU. If the platform does not have a broadcast timer installed the installation fails with a kernel crash. The crash happens due to a unconditional deference of the non available broadcast device. This needs to be fixed in the timer core code. But even when this is fixed in the core code then installing the dummy timer before the real timers is a pointless exercise. Move it to the end of the callback list. Fixes: 00c1d17aab51 ("clocksource/dummy_timer: Convert to hotplug state machine") Reported-and-tested-by: Mason Signed-off-by: Thomas Gleixner Cc: Mark Rutland Cc: Anna-Maria Gleixner Cc: Richard Cochran Cc: Sebastian Andrzej Siewior Cc: Daniel Lezcano Cc: Peter Zijlstra , Cc: Sebastian Frias Cc: Thibaud Cornic Cc: Robin Murphy Link: http://lkml.kernel.org/r/1147ef90-7877-e4d2-bb2b-5c4fa8d3144b@free.fr Signed-off-by: Greg Kroah-Hartman commit 1b9c2556809ad30ef8e28398d77b6b007e7be6c0 Author: Carlos Maiolino Date: Mon Jan 9 16:39:03 2017 +0100 xfs: fix max_retries _show and _store functions commit ff97f2399edac1e0fb3fa7851d5fbcbdf04717cf upstream. max_retries _show and _store functions should test against cfg->max_retries, not cfg->retry_timeout Signed-off-by: Carlos Maiolino Reviewed-by: Eric Sandeen Signed-off-by: Darrick J. Wong Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 91192ae41e6f638d580bd0e3e6fd2d311eaf5adf Author: Christoph Hellwig Date: Mon Jan 9 16:39:02 2017 +0100 xfs: fix crash and data corruption due to removal of busy COW extents commit a1b7a4dea6166cf46be895bce4aac67ea5160fe8 upstream. There is a race window between write_cache_pages calling clear_page_dirty_for_io and XFS calling set_page_writeback, in which the mapping for an inode is tagged neither as dirty, nor as writeback. If the COW shrinker hits in exactly that window we'll remove the delayed COW extents and writepages trying to write it back, which in release kernels will manifest as corruption of the bmap btree, and in debug kernels will trip the ASSERT about now calling xfs_bmapi_write with the COWFORK flag for holes. A complex customer load manages to hit this window fairly reliably, probably by always having COW writeback in flight while the cow shrinker runs. This patch adds another check for having the I_DIRTY_PAGES flag set, which is still set during this race window. While this fixes the problem I'm still not overly happy about the way the COW shrinker works as it still seems a bit fragile. Signed-off-by: Christoph Hellwig Signed-off-by: Darrick J. Wong Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit b96e4e87d2b0fee921ceafa4f5ae1c90e9121db4 Author: Darrick J. Wong Date: Mon Jan 9 16:39:01 2017 +0100 xfs: use the actual AG length when reserving blocks commit 20e73b000bcded44a91b79429d8fa743247602ad upstream. We need to use the actual AG length when making per-AG reservations, since we could otherwise end up reserving more blocks out of the last AG than there are actual blocks. Complained-about-by: Brian Foster Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit d9c7c9fa600acb0d587678cc71565316d11ec7ad Author: Darrick J. Wong Date: Mon Jan 9 16:39:00 2017 +0100 xfs: fix double-cleanup when CUI recovery fails commit 7a21272b088894070391a94fdd1c67014020fa1d upstream. Dan Carpenter reported a double-free of rcur if _defer_finish fails while we're recovering CUI items. Fix the error recovery to prevent this. Reported-by: Dan Carpenter Signed-off-by: Darrick J. Wong Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit aa38f370b25acc478be36e237e882e78f71c67e5 Author: Darrick J. Wong Date: Mon Jan 9 16:38:59 2017 +0100 xfs: use GPF_NOFS when allocating btree cursors commit b24a978c377be5f14e798cb41238e66fe51aab2f upstream. Use NOFS for allocating btree cursors, since they can be called under the ilock. Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 3c382dda47e4b51de6d67847ddfc9c10962c4ca3 Author: Eric Sandeen Date: Mon Jan 9 16:38:58 2017 +0100 xfs: ignore leaf attr ichdr.count in verifier during log replay commit 2e1d23370e75d7d89350d41b4ab58c7f6a0e26b2 upstream. When we create a new attribute, we first create a shortform attribute, and try to fit the new attribute into it. If that fails, we copy the (empty) attribute into a leaf attribute, and do the copy again. Thus there can be a transient state where we have an empty leaf attribute. If we encounter this during log replay, the verifier will fail. So add a test to ignore this part of the leaf attr verification during log replay. Thanks as usual to dchinner for spotting the problem. Signed-off-by: Eric Sandeen Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit c00203386d50c1d2f2621163b9d7a533de4819fc Author: Darrick J. Wong Date: Mon Jan 9 16:38:57 2017 +0100 xfs: don't cap maximum dedupe request length commit 1bb33a98702d8360947f18a44349df75ba555d5d upstream. After various discussions on linux-fsdevel, it has been decided that it is not necessary to cap the length of a dedupe request, and that correctly-written userspace client programs will be able to absorb the change. Therefore, remove the length clamping behavior. Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit f8b20705a383357ddca04ea648a7ac8fccd438ef Author: Darrick J. Wong Date: Mon Jan 9 16:38:56 2017 +0100 xfs: don't allow di_size with high bit set commit ef388e2054feedaeb05399ed654bdb06f385d294 upstream. The on-disk field di_size is used to set i_size, which is a signed integer of loff_t. If the high bit of di_size is set, we'll end up with a negative i_size, which will cause all sorts of problems. Since the VFS won't let us create a file with such length, we should catch them here in the verifier too. Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 12815dd15c480c0d595401e4eec54542025607f6 Author: Darrick J. Wong Date: Mon Jan 9 16:38:55 2017 +0100 xfs: error out if trying to add attrs and anextents > 0 commit 0f352f8ee8412bd9d34fb2a6411241da61175c0e upstream. We shouldn't assert if somehow we end up trying to add an attr fork to an inode that apparently already has attr extents because this is an indication of on-disk corruption. Instead, return an error code to userspace. Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit cd4bf1d416ef199223fa41eb8225f2a137c0be99 Author: Darrick J. Wong Date: Mon Jan 9 16:38:54 2017 +0100 xfs: don't crash if reading a directory results in an unexpected hole commit 96a3aefb8ffde23180130460b0b2407b328eb727 upstream. In xfs_dir3_data_read, we can encounter the situation where err == 0 and *bpp == NULL if the given bno offset happens to be a hole; this leads to a crash if we try to set the buffer type after the _da_read_buf call. Holes can happen due to corrupt or malicious entries in the bmbt data, so be a little more careful when we're handling buffers. Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit b88398de18331ed448739866bf9fe3743e7c1bbf Author: Darrick J. Wong Date: Mon Jan 9 16:38:53 2017 +0100 xfs: complain if we don't get nextents bmap records commit 356a3225222e5bc4df88aef3419fb6424f18ab69 upstream. When reading into memory all extents of a btree-format inode fork, complain if the number of extents we find is not the same as the number of extents reported in the inode core. This is needed to stop an IO action from accessing the garbage areas of the in-core fork. [dchinner: removed redundant assert] Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 4bb31bccea381ebadf0e1bc4433026613c15ce68 Author: Darrick J. Wong Date: Mon Jan 9 16:38:52 2017 +0100 xfs: check for bogus values in btree block headers commit bb3be7e7c1c18e1b141d4cadeb98cc89ecf78099 upstream. When we're reading a btree block, make sure that what we retrieved matches the owner and level; and has a plausible number of records. Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit b85f32481d93a23488d208fca4558e84515dc0f4 Author: Darrick J. Wong Date: Mon Jan 9 16:38:51 2017 +0100 xfs: forbid AG btrees with level == 0 commit d2a047f31e86941fa896e0e3271536d50aba415e upstream. There is no such thing as a zero-level AG btree since even a single-node zero-records btree has one level. Btree cursor constructors read cur_nlevels straight from disk and then access things like cur_bufs[cur_nlevels - 1] which is /really/ bad if cur_nlevels is zero! Therefore, strengthen the verifiers to prevent this possibility. Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 4081d4a79a95252486569b014b9a666ad5bfdbee Author: Eric Sandeen Date: Mon Jan 9 16:38:50 2017 +0100 xfs: handle cow fork in xfs_bmap_trace_exlist commit c44a1f22626c153976289e1cd67bdcdfefc16e1f upstream. By inspection, xfs_bmap_trace_exlist isn't handling cow forks, and will trace the data fork instead. Fix this by setting state appropriately if whichfork == XFS_COW_FORK. ()___() < @ @ > | | {o_o} (|) Signed-off-by: Eric Sandeen Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit a585e1c4ec939d1cc5ce8776c606733d046072da Author: Eric Sandeen Date: Mon Jan 9 16:38:49 2017 +0100 xfs: pass state not whichfork to trace_xfs_extlist commit 7710517fc37b1899722707883b54694ea710b3c0 upstream. When xfs_bmap_trace_exlist called trace_xfs_extlist, it sent in the "whichfork" var instead of the bmap "state" as expected (even though state was already set up for this purpose). As a result, the xfs_bmap_class in tracing code used "whichfork" not state in xfs_iext_state_to_fork(), and got the wrong ifork pointer. It all goes downhill from there, including an ASSERT when ifp_bytes is empty by the time it reaches xfs_iext_get_ext(): XFS: Assertion failed: idx < ifp->if_bytes / sizeof(xfs_bmbt_rec_t) Signed-off-by: Eric Sandeen Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit bdbfd4ee6bc7aa37062f0222a143b3c3fee7282e Author: Eric Sandeen Date: Mon Jan 9 16:38:48 2017 +0100 xfs: Move AGI buffer type setting to xfs_read_agi commit 200237d6746faaeaf7f4ff4abbf13f3917cee60a upstream. We've missed properly setting the buffer type for an AGI transaction in 3 spots now, so just move it into xfs_read_agi() and set it if we are in a transaction to avoid the problem in the future. This is similar to how it is done in i.e. the dir3 and attr3 read functions. Signed-off-by: Eric Sandeen Reviewed-by: Brian Foster Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 06ac11df915d5d607780b86fa7d98f1ab57dab16 Author: Brian Foster Date: Mon Jan 9 16:38:47 2017 +0100 xfs: pass post-eof speculative prealloc blocks to bmapi commit f782088c9e5d08e9494c63e68b4e85716df3e5f8 upstream. xfs_file_iomap_begin_delay() implements post-eof speculative preallocation by extending the block count of the requested delayed allocation. Now that xfs_bmapi_reserve_delalloc() has been updated to handle prealloc blocks separately and tag the inode, update xfs_file_iomap_begin_delay() to use the new parameter and rely on the former to tag the inode. Note that this patch does not change behavior. Signed-off-by: Brian Foster Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 553937d3cce8d3806655771099928ab5525fa7e4 Author: Christoph Hellwig Date: Mon Jan 9 16:38:46 2017 +0100 xfs: use new extent lookup helpers xfs_file_iomap_begin_delay commit 656152e552e5cbe0c11ad261b524376217c2fb13 upstream. And only lookup the previous extent inside xfs_iomap_prealloc_size if we actually need it. Signed-off-by: Christoph Hellwig Reviewed-by: Brian Foster Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 3d6e3b12bb4eac5cadb4733530c1967fe9e3d6a9 Author: Brian Foster Date: Mon Jan 9 16:38:45 2017 +0100 xfs: clean up cow fork reservation and tag inodes correctly commit 0260d8ff5f76617e3a55a1c471383ecb4404c3ad upstream. COW fork reservation is implemented via delayed allocation. The code is modeled after the traditional delalloc allocation code, but is slightly different in terms of how preallocation occurs. Rather than post-eof speculative preallocation, COW fork preallocation is implemented via a COW extent size hint that is designed to minimize fragmentation as a reflinked file is split over time. xfs_reflink_reserve_cow() still uses logic that is oriented towards dealing with post-eof speculative preallocation, however, and is stale or not necessarily correct. First, the EOF alignment to the COW extent size hint is implemented in xfs_bmapi_reserve_delalloc() (which does so correctly by aligning the start and end offsets) and so is not necessary in xfs_reflink_reserve_cow(). The backoff and retry logic on ENOSPC is also ineffective for the same reason, as xfs_bmapi_reserve_delalloc() will simply perform the same allocation request on the retry. Finally, since the COW extent size hint aligns the start and end offset of the range to allocate, the end_fsb != orig_end_fsb logic is not sufficient. Indeed, if a write request happens to end on an aligned offset, it is possible that we do not tag the inode for COW preallocation even though xfs_bmapi_reserve_delalloc() may have preallocated at the start offset. Kill the unnecessary, duplicate code in xfs_reflink_reserve_cow(). Remove the inode tag logic as well since xfs_bmapi_reserve_delalloc() has been updated to tag the inode correctly. Signed-off-by: Brian Foster Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 4a323331d8c963aaba4f19f84f16c052bd7eb156 Author: Christoph Hellwig Date: Mon Jan 9 16:38:44 2017 +0100 xfs: use new extent lookup helpers in __xfs_reflink_reserve_cow commit 2755fc4438501c8c28e7783df890e889f6772bee upstream. Signed-off-by: Christoph Hellwig Reviewed-by: Brian Foster Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit cf168f2ff8bae8a4eb966c3c0f055086c1fae87d Author: Brian Foster Date: Mon Jan 9 16:38:43 2017 +0100 xfs: track preallocation separately in xfs_bmapi_reserve_delalloc() commit 974ae922efd93b07b6cdf989ae959883f6f05fd8 upstream. Speculative preallocation is currently processed entirely by the callers of xfs_bmapi_reserve_delalloc(). The caller determines how much preallocation to include, adjusts the extent length and passes down the resulting request. While this works fine for post-eof speculative preallocation, it is not as reliable for COW fork preallocation. COW fork preallocation is implemented via the cowextszhint, which aligns the start offset as well as the length of the extent. Further, it is difficult for the caller to accurately identify when preallocation occurs because the returned extent could have been merged with neighboring extents in the fork. To simplify this situation and facilitate further COW fork preallocation enhancements, update xfs_bmapi_reserve_delalloc() to take a separate preallocation parameter to incorporate into the allocation request. The preallocation blocks value is tacked onto the end of the request and adjusted to accommodate neighboring extents and extent size limits. Since xfs_bmapi_reserve_delalloc() now knows precisely how much preallocation was included in the allocation, it can also tag the inodes appropriately to support preallocation reclaim. Note that xfs_bmapi_reserve_delalloc() callers are not yet updated to use the preallocation mechanism. This patch should not change behavior outside of correctly tagging reflink inodes when start offset preallocation occurs (which the caller does not handle correctly). Signed-off-by: Brian Foster Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit cf4fb510473b4529a0969b1d0af898b7a844bc36 Author: Christoph Hellwig Date: Mon Jan 9 16:38:42 2017 +0100 xfs: remove prev argument to xfs_bmapi_reserve_delalloc commit 65c5f419788d623a0410eca1866134f5e4628594 upstream. We can easily lookup the previous extent for the cases where we need it, which saves the callers from looking it up for us later in the series. Signed-off-by: Christoph Hellwig Reviewed-by: Brian Foster Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 3903257660338c41c22a2464407c8ff93c42e00b Author: Darrick J. Wong Date: Mon Jan 9 16:38:41 2017 +0100 xfs: always succeed when deduping zero bytes commit fba3e594ef0ad911fa8f559732d588172f212d71 upstream. It turns out that btrfs and xfs had differing interpretations of what to do when the dedupe length is zero. Change xfs to follow btrfs' semantics so that the userland interface is consistent. Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 2b7dae91a1341302077798ddc38e8bfd8a012cf1 Author: Darrick J. Wong Date: Mon Jan 9 16:38:40 2017 +0100 xfs: factor rmap btree size into the indlen calculations commit fd26a88093bab6529ea2de819114ca92dbd1d71d upstream. When we're estimating the amount of space it's going to take to satisfy a delalloc reservation, we need to include the space that we might need to grow the rmapbt. This helps us to avoid running out of space later when _iomap_write_allocate needs more space than we reserved. Eryu Guan observed this happening on generic/224 when sunit/swidth were set. Reported-by: Eryu Guan Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 49dc19915d3b0893a698a2d78f732beaff119a4d Author: Christoph Hellwig Date: Mon Jan 9 16:38:39 2017 +0100 xfs: new inode extent list lookup helpers commit 93533c7855c3c78c8a900cac65c8d669bb14935d upstream. xfs_iext_lookup_extent looks up a single extent at the passed in offset, and returns the extent covering the area, or the one behind it in case of a hole, as well as the index of the returned extent in arguments, as well as a simple bool as return value that is set to false if no extent could be found because the offset is behind EOF. It is a simpler replacement for xfs_bmap_search_extent that leaves looking up the rarely needed previous extent to the caller and has a nicer calling convention. xfs_iext_get_extent is a helper for iterating over the extent list, it takes an extent index as input, and returns the extent at that index in it's expanded form in an argument if it exists. The actual return value is a bool whether the index is valid or not. Signed-off-by: Christoph Hellwig Reviewed-by: Brian Foster Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit b49ef758f6003a7ed0afb37b33fc96e238752497 Author: Brian Foster Date: Mon Jan 9 16:38:38 2017 +0100 xfs: fix unbalanced inode reclaim flush locking commit 98efe8af1c9ffac47e842b7a75ded903e2f028da upstream. Filesystem shutdown testing on an older distro kernel has uncovered an imbalanced locking pattern for the inode flush lock in xfs_reclaim_inode(). Specifically, there is a double unlock sequence between the call to xfs_iflush_abort() and xfs_reclaim_inode() at the "reclaim:" label. This actually does not cause obvious problems on current kernels due to the current flush lock implementation. Older kernels use a counting based flush lock mechanism, however, which effectively breaks the lock indefinitely when an already unlocked flush lock is repeatedly unlocked. Though this only currently occurs on filesystem shutdown, it has reproduced the effect of elevating an fs shutdown to a system-wide crash or hang. As it turns out, the flush lock is not actually required for the reclaim logic in xfs_reclaim_inode() because by that time we have already cycled the flush lock once while holding ILOCK_EXCL. Therefore, remove the additional flush lock/unlock cycle around the 'reclaim:' label and update branches into this label to release the flush lock where appropriate. Add an assert to xfs_ifunlock() to help prevent future occurences of the same problem. Reported-by: Zorro Lang Signed-off-by: Brian Foster Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 63fa793e757dfc08c09865d68936ce3d67a00047 Author: Darrick J. Wong Date: Mon Jan 9 16:38:37 2017 +0100 xfs: check minimum block size for CRC filesystems commit bec9d48d7a303a5bb95c05961ff07ec7eeb59058 upstream. Check the minimum block size on v5 filesystems. [dchinner: cleaned up XFS_MIN_CRC_BLOCKSIZE check] Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit f380ee72a7a498c934afe3aa67a50242b935f540 Author: Eric Sandeen Date: Mon Jan 9 16:38:36 2017 +0100 xfs: provide helper for counting extents from if_bytes commit 5d829300bee000980a09ac2ccb761cb25867b67c upstream. The open-coded pattern: ifp->if_bytes / (uint)sizeof(xfs_bmbt_rec_t) is all over the xfs code; provide a new helper xfs_iext_count(ifp) to count the number of inline extents in an inode fork. [dchinner: pick up several missed conversions] Signed-off-by: Eric Sandeen Reviewed-by: Brian Foster Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 3978c5bb004312fd267aed7279fe64b119e126b0 Author: Brian Foster Date: Mon Jan 9 16:38:35 2017 +0100 xfs: don't BUG() on mixed direct and mapped I/O commit 04197b341f23b908193308b8d63d17ff23232598 upstream. We've had reports of generic/095 causing XFS to BUG() in __xfs_get_blocks() due to the existence of delalloc blocks on a direct I/O read. generic/095 issues a mix of various types of I/O, including direct and memory mapped I/O to a single file. This is clearly not supported behavior and is known to lead to such problems. E.g., the lack of exclusion between the direct I/O and write fault paths means that a write fault can allocate delalloc blocks in a region of a file that was previously a hole after the direct read has attempted to flush/inval the file range, but before it actually reads the block mapping. In turn, the direct read discovers a delalloc extent and cannot proceed. While the appropriate solution here is to not mix direct and memory mapped I/O to the same regions of the same file, the current BUG_ON() behavior is probably overkill as it can crash the entire system. Instead, localize the failure to the I/O in question by returning an error for a direct I/O that cannot be handled safely due to delalloc blocks. Be careful to allow the case of a direct write to post-eof delalloc blocks. This can occur due to speculative preallocation and is safe as post-eof blocks are not accompanied by dirty pages in pagecache (conversely, preallocation within eof must have been zeroed, and thus dirtied, before the inode size could have been increased beyond said blocks). Finally, provide an additional warning if a direct I/O write occurs while the file is memory mapped. This may not catch all problematic scenarios, but provides a hint that some known-to-be-problematic I/O methods are in use. Signed-off-by: Brian Foster Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 2f092422e1ce1f155c6a9da147a78759f0e04f40 Author: Brian Foster Date: Mon Jan 9 16:38:34 2017 +0100 xfs: don't skip cow forks w/ delalloc blocks in cowblocks scan commit 399372349a7f9b2d7e56e4fa4467c69822d07024 upstream. The cowblocks background scanner currently clears the cowblocks tag for inodes without any real allocations in the cow fork. This excludes inodes with only delalloc blocks in the cow fork. While we might never expect to clear delalloc blocks from the cow fork in the background scanner, it is not necessarily correct to clear the cowblocks tag from such inodes. For example, if the background scanner happens to process an inode between a buffered write and writeback, the scanner catches the inode in a state after delalloc blocks have been allocated to the cow fork but before the delalloc blocks have been converted to real blocks by writeback. The background scanner then incorrectly clears the cowblocks tag, even if part of the aforementioned delalloc reservation will not be remapped to the data fork (i.e., extra blocks due to the cowextsize hint). This means that any such additional blocks in the cow fork might never be reclaimed by the background scanner and could persist until the inode itself is reclaimed. To address this problem, only skip and clear inodes without any cow fork allocations whatsoever from the background scanner. While we generally do not want to cancel delalloc reservations from the background scanner, the pagecache dirty check following the cowblocks check should prevent that situation. If we do end up with delalloc cow fork blocks without a dirty address space mapping, this is probably an indication that something has gone wrong and the blocks should be reclaimed, as they may never be converted to a real allocation. Signed-off-by: Brian Foster Reviewed-by: Darrick J. Wong Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit a11f90ca5f306a1c38db4f24db8bff97ffb87bd2 Author: Darrick J. Wong Date: Mon Jan 9 16:38:33 2017 +0100 xfs: check return value of _trans_reserve_quota_nblks commit 4fd29ec47212c8cbf98916af519019ccc5e58e49 upstream. Check the return value of xfs_trans_reserve_quota_nblks for errors. Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit ae8b6cb40cb29dfa760641ce55d5b9c0c153a1f2 Author: Eric Sandeen Date: Mon Jan 9 16:38:32 2017 +0100 xfs: don't call xfs_sb_quota_from_disk twice commit e6fc6fcf4447c9266038c55c25e4c7c14bee110c upstream. Source xfsprogs commit: ee3754254e8c186c99b6cdd4d59f741759d04acb Kernel commit 5ef828c4 ("xfs: avoid false quotacheck after unclean shutdown") made xfs_sb_from_disk() also call xfs_sb_quota_from_disk by default. However, when this was merged to libxfs, existing separate calls to libxfs_sb_quota_from_disk remained, and calling it twice in a row on a V4 superblock leads to issues, because: if (sbp->sb_qflags & XFS_PQUOTA_ACCT) { ... sbp->sb_pquotino = sbp->sb_gquotino; sbp->sb_gquotino = NULLFSINO; and after the second call, we have set both pquotino and gquotino to NULLFSINO. Fix this by making it safe to call twice, and also remove the extra calls to libxfs_sb_quota_from_disk. This is only spotted when running xfstests with "-m crc=0" because the sb_from_disk change came about after V5 became default, and the above behavior only exists on a V4 superblock. Reported-by: Eryu Guan Signed-off-by: Eric Sandeen Reviewed-by: Carlos Maiolino Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 56d22b9125421217fdea41250cce9dfa0013b483 Author: Josh Zimmerman Date: Thu Oct 27 14:50:09 2016 -0700 tpm_tis: Check return values from get_burstcount. commit 26a137e31ffe6fbfdb008554a8d9b3d55bd5c86e upstream. If the TPM we're connecting to uses a static burst count, it will report a burst count of zero throughout the response read. However, get_burstcount assumes that a response of zero indicates that the TPM is not ready to receive more data. In this case, it returns a negative error code, which is passed on to tpm_tis_{write,read}_bytes as a u16, causing them to read/write far too many bytes. This patch checks for negative return codes and bails out from recv_data and tpm_tis_send_data. Fixes: 1107d065fdf1 (tpm_tis: Introduce intermediate layer for TPM access) Signed-off-by: Josh Zimmerman Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman commit 4ffac6f06dfa77ead74d448d07079e37339e4da0 Author: Paulo Zanoni Date: Tue Nov 8 18:22:11 2016 -0200 drm/i915/gen9: fix the WM memory bandwidth WA for Y tiling cases commit 2ef32dee97fcf41987722a37eb6ff1a983915e99 upstream. The previous spec version said "double Ytile planes minimum lines", and I interpreted this as referring to what the spec calls "Y tile minimum", but in fact it was referring to what the spec calls "Minimum Scanlines for Y tile". I noticed that Mahesh Kumar had a different interpretation, so I sent and email to the spec authors and got clarification on the correct meaning. Also, BSpec was updated and should be clear now. Fixes: ee3d532fcb64 ("drm/i915/gen9: unconditionally apply the memory bandwidth WA") Cc: stable@vger.kernel.org Cc: Mahesh Kumar Signed-off-by: Paulo Zanoni Reviewed-by: Matt Roper Link: http://patchwork.freedesktop.org/patch/msgid/1478636531-6081-1-git-send-email-paulo.r.zanoni@intel.com Signed-off-by: Greg Kroah-Hartman commit f482823e99f045bc5f1bd54626188219dfd1ad46 Author: Paulo Zanoni Date: Tue Oct 11 15:25:38 2016 -0300 drm/i915/gen9: unconditionally apply the memory bandwidth WA commit ee3d532fcb64872bc20be0ee58f7afdb9fa82abe upstream. Mahesh Kumar is already working on a proper implementation for the workaround, but while we still don't have it, let's just unconditionally apply the workaround for everybody and we hope we can close all those numerous bugzilla tickets. Also, I'm not sure how easy it will be to backport the final implementation to the stable Kernels, and this patch here is probably easier to backport. At the present moment I still don't have confirmation that this patch fixes any of the bugs listed below, but we should definitely try testing all of them again. v2: s/intel_needs_memory_bw_wa/skl_needs_memory_bw_wa/ (Lyude). v3: Rebase (dev -> dev_priv change on ilk_wm_max_level). Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94337 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94605 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94884 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=95010 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=96226 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=96828 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97450 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97830 Cc: Mahesh Kumar Cc: Lyude Cc: Dhinakaran Pandiyan Signed-off-by: Paulo Zanoni Reviewed-by: Lyude Link: http://patchwork.freedesktop.org/patch/msgid/1476210338-9797-1-git-send-email-paulo.r.zanoni@intel.com Signed-off-by: Greg Kroah-Hartman commit 2bdb638de2fc9c2c1aa15ecdf28e295786a02ea1 Author: Paulo Zanoni Date: Tue Dec 13 18:57:44 2016 -0200 drm/i915: disable PSR by default on HSW/BDW commit 1c4672ce4eeaeaadeea8adabaad21262b7172607 upstream. We've been ignoring the poor bugzilla reporters that say PSR causes system lockups and all other sorts of problems. The earliest bug report is from April, so I think we can use the "revert the offending commit if no fixes are presented within 8 months" rule here. Fixes: 9b58e352b463 ("drm/i915: Enable PSR by default on Haswell and Broadwell.") Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97602 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97515 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=96736 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=96704 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=96569 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=95176 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94985 Cc: Rodrigo Vivi Cc: Jim Bride Signed-off-by: Paulo Zanoni Acked-by: Rodrigo Vivi Reviewed-by: Rodrigo Vivi Acked-by: Jani Nikula Link: http://patchwork.freedesktop.org/patch/msgid/1481662664-18986-1-git-send-email-paulo.r.zanoni@intel.com (cherry picked from commit 2ee7dc497e348eecbb82adbb1ea9e9a7e29fe921) Signed-off-by: Jani Nikula Signed-off-by: Paulo Zanoni Signed-off-by: Greg Kroah-Hartman commit 9ab30a6529b5d853f45b77593caada1a44156ed8 Author: Michel Dänzer Date: Thu Oct 27 15:37:44 2016 +0900 drm/radeon: Always store CRTC relative radeon_crtc->cursor_x/y values commit 4349bd775cc8fd75cb648e3a2036a690f497de5c upstream. We were storing viewport relative coordinates for AVIVO/DCE display engines. However, radeon_crtc_cursor_set2 and radeon_cursor_reset pass radeon_crtc->cursor_x/y as the x/y parameters of radeon_cursor_move_locked, which would break if the CRTC isn't located at (0, 0). Cc: stable@vger.kernel.org Signed-off-by: Michel Dänzer Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 5417f59cb9962a847a3148ff3fa959b7f7502559 Author: Sebastian Ott Date: Mon Nov 7 15:06:03 2016 +0100 s390/pci: fix dma address calculation in map_sg commit 6b7df3ce92ac82ec3f4a2953b6fed77da7b38aaa upstream. __s390_dma_map_sg maps a dma-contiguous area. Although we only map whole pages we have to take into account that the area doesn't start or stop at a page boundary because we use the dma address to loop over the individual sg entries. Failing to do that might lead to an access of the wrong sg entry. Fixes: ee877b81c6b9 ("s390/pci_dma: improve map_sg") Reported-and-tested-by: Christoph Raisch Signed-off-by: Sebastian Ott Reviewed-by: Gerald Schaefer Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit dae9151a88f775f88dd43595b8288f9aac13eedb Author: Heiko Carstens Date: Sat Dec 3 09:50:16 2016 +0100 s390/topology: always use s390 specific sched_domain_topology_level commit ebb299a51059017ec253bd30781a83d1f6e11b24 upstream. The s390 specific sched_domain_topology_level should always be used, not only if the machine provides topology information. Luckily this odd behaviour, that was by accident introduced with git commit d05d15da18f5 ("s390/topology: delay initialization of topology cpu masks") has currently no side effect. Fixes: d05d15da18f5 ("s390/topology: delay initialization of topology cpumasks") Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit b3539f813578419c6b386a669405284df5c5950d Author: Johan Hovold Date: Tue Nov 1 16:26:03 2016 +0100 powerpc/pci/rpadlpar: Fix device reference leaks commit 99e5cde5eae78bef95bfe7c16ccda87fb070149b upstream. Make sure to drop any device reference taken by vio_find_node() when adding and removing virtual I/O slots. Fixes: 5eeb8c63a38f ("[PATCH] PCI Hotplug: rpaphp: Move VIO registration") Signed-off-by: Johan Hovold Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 1aaa777ec0095f66d9717d07c224b374fbb5f08a Author: Alexey Kardashevskiy Date: Mon Oct 24 18:04:17 2016 +1100 PCI: Enable access to non-standard VPD for Chelsio devices (cxgb3) commit 1c7de2b4ff886a45fbd2f4c3d4627e0f37a9dd77 upstream. There is at least one Chelsio 10Gb card which uses VPD area to store some non-standard blocks (example below). However pci_vpd_size() returns the length of the first block only assuming that there can be only one VPD "End Tag". Since 4e1a635552d3 ("vfio/pci: Use kernel VPD access functions"), VFIO blocks access beyond that offset, which prevents the guest "cxgb3" driver from probing the device. The host system does not have this problem as its driver accesses the config space directly without pci_read_vpd(). Add a quirk to override the VPD size to a bigger value. The maximum size is taken from EEPROMSIZE in drivers/net/ethernet/chelsio/cxgb3/common.h. We do not read the tag as the cxgb3 driver does as the driver supports writing to EEPROM/VPD and when it writes, it only checks for 8192 bytes boundary. The quirk is registered for all devices supported by the cxgb3 driver. This adds a quirk to the PCI layer (not to the cxgb3 driver) as the cxgb3 driver itself accesses VPD directly and the problem only exists with the vfio-pci driver (when cxgb3 is not running on the host and may not be even loaded) which blocks accesses beyond the first block of VPD data. However vfio-pci itself does not have quirks mechanism so we add it to PCI. This is the controller: Ethernet controller [0200]: Chelsio Communications Inc T310 10GbE Single Port Adapter [1425:0030] This is what I parsed from its VPD: === b'\x82*\x0010 Gigabit Ethernet-SR PCI Express Adapter\x90J\x00EC\x07D76809 FN\x0746K' 0000 Large item 42 bytes; name 0x2 Identifier String b'10 Gigabit Ethernet-SR PCI Express Adapter' 002d Large item 74 bytes; name 0x10 #00 [EC] len=7: b'D76809 ' #0a [FN] len=7: b'46K7897' #14 [PN] len=7: b'46K7897' #1e [MN] len=4: b'1037' #25 [FC] len=4: b'5769' #2c [SN] len=12: b'YL102035603V' #3b [NA] len=12: b'00145E992ED1' 007a Small item 1 bytes; name 0xf End Tag 0c00 Large item 16 bytes; name 0x2 Identifier String b'S310E-SR-X ' 0c13 Large item 234 bytes; name 0x10 #00 [PN] len=16: b'TBD ' #13 [EC] len=16: b'110107730D2 ' #26 [SN] len=16: b'97YL102035603V ' #39 [NA] len=12: b'00145E992ED1' #48 [V0] len=6: b'175000' #51 [V1] len=6: b'266666' #5a [V2] len=6: b'266666' #63 [V3] len=6: b'2000 ' #6c [V4] len=2: b'1 ' #71 [V5] len=6: b'c2 ' #7a [V6] len=6: b'0 ' #83 [V7] len=2: b'1 ' #88 [V8] len=2: b'0 ' #8d [V9] len=2: b'0 ' #92 [VA] len=2: b'0 ' #97 [RV] len=80: b's\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'... 0d00 Large item 252 bytes; name 0x11 #00 [VC] len=16: b'122310_1222 dp ' #13 [VD] len=16: b'610-0001-00 H1\x00\x00' #26 [VE] len=16: b'122310_1353 fp ' #39 [VF] len=16: b'610-0001-00 H1\x00\x00' #4c [RW] len=173: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'... 0dff Small item 0 bytes; name 0xf End Tag 10f3 Large item 13315 bytes; name 0x62 !!! unknown item name 98: b'\xd0\x03\x00@`\x0c\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00' === Signed-off-by: Alexey Kardashevskiy Signed-off-by: Bjorn Helgaas Signed-off-by: Greg Kroah-Hartman commit c444cc34534b779d2f2b0edda17444c7a6aab9b5 Author: Noa Osherovich Date: Tue Nov 15 10:00:00 2016 +0200 PCI: Support INTx masking on ConnectX-4 with firmware x.14.1100+ commit 1600f62534b7b3da7978b43b52231a54c24df287 upstream. Mellanox devices were marked as having INTx masking ability broken. As a result, the VFIO driver fails to start when more than one device function is passed-through to a VM if both have the same INTx pin. Prior to Connect-IB, Mellanox devices exposed to the operating system one PCI function per all ports. Starting from Connect-IB, the devices are function-per-port. When passing the second function to a VM, VFIO will fail to start. Exclude ConnectX-4, ConnectX4-Lx and Connect-IB from the list of Mellanox devices marked as having broken INTx masking: - ConnectX-4 and ConnectX4-LX firmware version is checked. If INTx masking is supported, we unmark the broken INTx masking. - Connect-IB does not support INTx currently so will not cause any problem. [bhelgaas: call pci_disable_device() always, after iounmap()] Fixes: 11e42532ada3 ("PCI: Assume all Mellanox devices have broken INTx masking") Signed-off-by: Noa Osherovich Signed-off-by: Bjorn Helgaas Reviewed-by: Or Gerlitz Reviewed-by: Gavin Shan Signed-off-by: Greg Kroah-Hartman commit e2822904ace59b89c054123534b6da6bb82c72c6 Author: Noa Osherovich Date: Tue Nov 15 09:59:59 2016 +0200 PCI: Convert Mellanox broken INTx quirks to be for listed devices only commit d76d2fe05fd93673d184af77255bbbc63780f4ea upstream. Change Mellanox's broken_intx_masking() quirk from an "all Mellanox devices" to a quirk for listed devices only. [bhelgaas: remove #defines, reorder to keep other quirks together] Signed-off-by: Noa Osherovich Signed-off-by: Bjorn Helgaas Reviewed-by: Or Gerlitz Reviewed-by: Gavin Shan Signed-off-by: Greg Kroah-Hartman commit 890661544739d929cf4c5d9bce460f66ff18cb6c Author: Noa Osherovich Date: Tue Nov 15 09:59:58 2016 +0200 PCI: Convert broken INTx masking quirks from HEADER to FINAL commit b88214ce4d7064992452765028bd50702414f15f upstream. Convert all quirk_broken_intx_masking() quirks from HEADER to FINAL. The quirk sets dev->broken_intx_masking, which is only used by pci_intx_mask_supported(), which is not needed until after FINAL quirks have been run. [bhelgaas: changelog] Signed-off-by: Noa Osherovich Signed-off-by: Bjorn Helgaas Reviewed-by: Gavin Shan Signed-off-by: Greg Kroah-Hartman commit 04b97a6be2eddd984ea176bc470d87248d9213d9 Author: Noa Osherovich Date: Thu Nov 17 16:06:56 2016 -0600 PCI: Add Mellanox device IDs commit 7254383341bc6e1a61996accd836009f0c922b21 upstream. Add Mellanox device IDs for use by the mlx4 driver and INTx quirks. [bhelgaas: sorted and adapted from http://lkml.kernel.org/r/1478011644-12080-1-git-send-email-noaos@mellanox.com] Signed-off-by: Noa Osherovich Signed-off-by: Bjorn Helgaas Signed-off-by: Greg Kroah-Hartman commit 090cce6f6f88ecf34cee068080800a27b70e993c Author: Brian Norris Date: Wed Dec 7 15:06:00 2016 -0600 PCI: rockchip: Correct the use of FTS mask commit a45e2611b9bbd81288d97d02ce7e74a60a698d43 upstream. We're trying to mask out bits[23:8] while retaining [32:24, 7:0], but we're doing the inverse. That doesn't have too much effect, since we're setting all the [23:8] bits to 1, and the other bits are only relevant for modes we're currently not using. But we should get this right. Fixes: ca1989084054 ("PCI: rockchip: Fix wrong transmitted FTS count") Signed-off-by: Brian Norris Signed-off-by: Bjorn Helgaas Acked-by: Shawn Lin Signed-off-by: Greg Kroah-Hartman commit 6e4bcf8539afce37430c4e56b1520535f0f5ea7a Author: Shawn Lin Date: Wed Dec 7 15:05:59 2016 -0600 PCI: rockchip: Fix negotiated lanes calculation commit 45e9320f3a4ef9588ee50a2eb1891c4bfdbb07df upstream. The calculation of negotiated lanes is wrong: it should be shifted by PCIE_CORE_PL_CONF_LANE_SHIFT, but it is shifted by PCIE_CORE_PL_CONF_LANE_MASK instead. Let's fix it. Fixes: e77f847df54c ("PCI: rockchip: Add Rockchip PCIe controller support") Signed-off-by: Shawn Lin Signed-off-by: Bjorn Helgaas Signed-off-by: Greg Kroah-Hartman commit 257349bedca317b10b25d489082bd32a38480aae Author: Dan Carpenter Date: Fri Nov 18 09:30:24 2016 -0200 staging: media: davinci_vpfe: unlock on error in vpfe_reqbufs() commit c4a407b91f4b644145492e28723f9f880efb1da0 upstream. We should unlock before returning this error code in vpfe_reqbufs(). Fixes: 622897da67b3 ("[media] davinci: vpfe: add v4l2 video driver support") Signed-off-by: Dan Carpenter Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit a299abd230818ceb4e68520ba2f442194267cc50 Author: Arnd Bergmann Date: Wed Nov 2 14:52:15 2016 +0100 f2fs: hide a maybe-uninitialized warning commit 230436b3ef3fd7d4a1da19edf5e87bb2d74e0fc2 upstream. gcc is unsure about the use of last_ofs_in_node, which might happen without a prior initialization: fs/f2fs//git/arm-soc/fs/f2fs/data.c: In function ‘f2fs_map_blocks’: fs/f2fs/data.c:799:54: warning: ‘last_ofs_in_node’ may be used uninitialized in this function [-Wmaybe-uninitialized] if (prealloc && dn.ofs_in_node != last_ofs_in_node + 1) { As pointed out by Chao Yu, the code is actually correct as 'prealloc' is only set if the last_ofs_in_node has been set, the two always get updated together. This initializes last_ofs_in_node to dn.ofs_in_node for each new dnode at the start of the 'next_block' loop, which at that point is a correct initialization as well. I assume that compilers that correctly track the contents of the variables and do not warn about the condition also figure out that they can eliminate the extra assignment here. Fixes: 46008c6d4232 ("f2fs: support in batch multi blocks preallocation") Signed-off-by: Arnd Bergmann Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman commit 725ba1a3ebc49478f76dea369563a79c86546fbd Author: Jaegeuk Kim Date: Thu Oct 20 19:09:57 2016 -0700 f2fs: remove percpu_count due to performance regression commit 35782b233f37e48ecc469d9c7232f3f6a7fad41a upstream. This patch removes percpu_count usage due to performance regression in iozone. Fixes: 523be8a6b3 ("f2fs: use percpu_counter for page counters") Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman commit 5cc85ef4ffe6c3f1d35b75975c5731248c5af4a7 Author: NeilBrown Date: Mon Dec 5 16:40:50 2016 +1100 md: fix refcount problem on mddev when stopping array. commit e2342ca832726a840ca6bd196dd2cc073815b08a upstream. md_open() gets a counted reference on an mddev using mddev_find(). If it ends up returning an error, it must drop this reference. There are two error paths where the reference is not dropped. One only happens if the process is signalled and an awkward time, which is quite unlikely. The other was introduced recently in commit af8d8e6f0. Change the code to ensure the drop the reference when returning an error, and make it harded to re-introduce this sort of bug in the future. Reported-by: Marc Smith Fixes: af8d8e6f0315 ("md: changes for MD_STILL_CLOSED flag") Signed-off-by: NeilBrown Acked-by: Guoqing Jiang Signed-off-by: Shaohua Li Signed-off-by: Greg Kroah-Hartman commit 60a931c20d1a401b79ff742142225c300d545af0 Author: Shaohua Li Date: Thu Dec 8 15:48:18 2016 -0800 md: MD_RECOVERY_NEEDED is set for mddev->recovery commit 82a301cb0ea2df8a5c88213094a01660067c7fb4 upstream. Fixes: 90f5f7ad4f38("md: Wait for md_check_recovery before attempting device removal.") Reviewed-by: NeilBrown Signed-off-by: Shaohua Li Signed-off-by: Greg Kroah-Hartman commit d33a490770e5b5bde66b2773b6e0162039dae11a Author: Ard Biesheuvel Date: Tue Oct 11 19:15:13 2016 +0100 crypto: arm64/aes-ce - fix for big endian commit 1803b9a52c4e5a5dbb8a27126f6bc06939359753 upstream. The core AES cipher implementation that uses ARMv8 Crypto Extensions instructions erroneously loads the round keys as 64-bit quantities, which causes the algorithm to fail when built for big endian. In addition, the key schedule generation routine fails to take endianness into account as well, when loading the combining the input key with the round constants. So fix both issues. Fixes: 12ac3efe74f8 ("arm64/crypto: use crypto instructions to generate AES key schedule") Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit eb64cbc5665d6756cebe85977e493fe0507f0bdb Author: Ard Biesheuvel Date: Tue Oct 11 19:15:19 2016 +0100 crypto: arm64/aes-xts-ce: fix for big endian commit caf4b9e2b326cc2a5005a5c557274306536ace61 upstream. Emit the XTS tweak literal constants in the appropriate order for a single 128-bit scalar literal load. Fixes: 49788fe2a128 ("arm64/crypto: AES-ECB/CBC/CTR/XTS using ARMv8 NEON and Crypto Extensions") Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit c3edfe038a75ff264fd97cf29f7773e3143df14f Author: Ard Biesheuvel Date: Tue Oct 11 19:15:15 2016 +0100 crypto: arm64/sha1-ce - fix for big endian commit ee71e5f1e7d25543ee63a80451871f8985b8d431 upstream. The SHA1 digest is an array of 5 32-bit quantities, so we should refer to them as such in order for this code to work correctly when built for big endian. So replace 16 byte scalar loads and stores with 4x4 vector ones where appropriate. Fixes: 2c98833a42cd ("arm64/crypto: SHA-1 using ARMv8 Crypto Extensions") Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 39b7e1c2fdda93d632c38b457f865dcacc8fa01a Author: Ard Biesheuvel Date: Tue Oct 11 19:15:18 2016 +0100 crypto: arm64/aes-neon - fix for big endian commit a2c435cc99862fd3d165e1b66bf48ac72c839c62 upstream. The AES implementation using pure NEON instructions relies on the generic AES key schedule generation routines, which store the round keys as arrays of 32-bit quantities stored in memory using native endianness. This means we should refer to these round keys using 4x4 loads rather than 16x1 loads. In addition, the ShiftRows tables are loading using a single scalar load, which is also affected by endianness, so emit these tables in the correct order depending on whether we are building for big endian or not. Fixes: 49788fe2a128 ("arm64/crypto: AES-ECB/CBC/CTR/XTS using ARMv8 NEON and Crypto Extensions") Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit d018dc9540f729699f6f96802e67c1dac1a4769d Author: Ard Biesheuvel Date: Tue Oct 11 19:15:17 2016 +0100 crypto: arm64/aes-ccm-ce: fix for big endian commit 56e4e76c68fcb51547b5299e5b66a135935ff414 upstream. The AES-CCM implementation that uses ARMv8 Crypto Extensions instructions refers to the AES round keys as pairs of 64-bit quantities, which causes failures when building the code for big endian. In addition, it byte swaps the input counter unconditionally, while this is only required for little endian builds. So fix both issues. Fixes: 12ac3efe74f8 ("arm64/crypto: use crypto instructions to generate AES key schedule") Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit e6ce55f7be903ec5cecfa0953fb4960d72b961a7 Author: Ard Biesheuvel Date: Tue Oct 11 19:15:20 2016 +0100 crypto: arm/aes-ce - fix for big endian commit 58010fa6f71c9577922b22e46014b95a4ec80fa0 upstream. The AES key schedule generation is mostly endian agnostic, with the exception of the rotation and the incorporation of the round constant at the start of each round. So implement a big endian specific version of that part to make the whole routine big endian compatible. Fixes: 86464859cc77 ("crypto: arm - AES in ECB/CBC/CTR/XTS modes using ARMv8 Crypto Extensions") Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit a7c9666735f4953199bdebdbc04a85e34fff97a2 Author: Ard Biesheuvel Date: Tue Oct 11 19:15:14 2016 +0100 crypto: arm64/ghash-ce - fix for big endian commit 9c433ad5083fd4a4a3c721d86cbfbd0b2a2326a5 upstream. The GHASH key and digest are both pairs of 64-bit quantities, but the GHASH code does not always refer to them as such, causing failures when built for big endian. So replace the 16x1 loads and stores with 2x8 ones. Fixes: b913a6404ce2 ("arm64/crypto: improve performance of GHASH algorithm") Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit cdeaed7dda7bc0946d9fbf5ea75821c130f95a4b Author: Ard Biesheuvel Date: Tue Oct 11 19:15:16 2016 +0100 crypto: arm64/sha2-ce - fix for big endian commit 174122c39c369ed924d2608fc0be0171997ce800 upstream. The SHA256 digest is an array of 8 32-bit quantities, so we should refer to them as such in order for this code to work correctly when built for big endian. So replace 16 byte scalar loads and stores with 4x32 vector ones where appropriate. Fixes: 6ba6c74dfc6b ("arm64/crypto: SHA-224/SHA-256 using ARMv8 Crypto Extensions") Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit a05aa258b237535df67926204b359b1dacc03ed1 Author: Dan Carpenter Date: Fri Nov 18 14:11:00 2016 +0300 s390/crypto: unlock on error in prng_tdes_read() commit 9e6e7c74315095fd40f41003850690c711e44420 upstream. We added some new locking but forgot to unlock on error. Fixes: 57127645d79d ("s390/zcrypt: Introduce new SHA-512 based Pseudo Random Generator.") Signed-off-by: Dan Carpenter Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 5d7d362abc408e69ee229459fba21f833f2f5bf1 Author: Ming Ling Date: Mon Dec 12 16:42:26 2016 -0800 mm, compaction: fix NR_ISOLATED_* stats for pfn based migration commit 6afcf8ef0ca0a69d014f8edb613d94821f0ae700 upstream. Since commit bda807d44454 ("mm: migrate: support non-lru movable page migration") isolate_migratepages_block) can isolate !PageLRU pages which would acct_isolated account as NR_ISOLATED_*. Accounting these non-lru pages NR_ISOLATED_{ANON,FILE} doesn't make any sense and it can misguide heuristics based on those counters such as pgdat_reclaimable_pages resp. too_many_isolated which would lead to unexpected stalls during the direct reclaim without any good reason. Note that __alloc_contig_migrate_range can isolate a lot of pages at once. On mobile devices such as 512M ram android Phone, it may use a big zram swap. In some cases zram(zsmalloc) uses too many non-lru but migratedable pages, such as: MemTotal: 468148 kB Normal free:5620kB Free swap:4736kB Total swap:409596kB ZRAM: 164616kB(zsmalloc non-lru pages) active_anon:60700kB inactive_anon:60744kB active_file:34420kB inactive_file:37532kB Fix this by only accounting lru pages to NR_ISOLATED_* in isolate_migratepages_block right after they were isolated and we still know they were on LRU. Drop acct_isolated because it is called after the fact and we've lost that information. Batching per-cpu counter doesn't make much improvement anyway. Also make sure that we uncharge only LRU pages when putting them back on the LRU in putback_movable_pages resp. when unmap_and_move migrates the page. [mhocko@suse.com: replace acct_isolated() with direct counting] Fixes: bda807d44454 ("mm: migrate: support non-lru movable page migration") Link: http://lkml.kernel.org/r/20161019080240.9682-1-mhocko@kernel.org Signed-off-by: Ming Ling Signed-off-by: Michal Hocko Acked-by: Minchan Kim Acked-by: Vlastimil Babka Cc: Mel Gorman Cc: Joonsoo Kim Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit dc1b6d0aed97a5e7c95afd1a2eff20151f440513 Author: Johannes Weiner Date: Mon Dec 12 16:43:35 2016 -0800 mm: khugepaged: fix radix tree node leak in shmem collapse error path commit 59749e6ce53735d8b696763742225f126e94603f upstream. The radix tree counts valid entries in each tree node. Entries stored in the tree cannot be removed by simpling storing NULL in the slot or the internal counters will be off and the node never gets freed again. When collapsing a shmem page fails, restore the holes that were filled with radix_tree_insert() with a proper radix tree deletion. Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages") Link: http://lkml.kernel.org/r/20161117191138.22769-3-hannes@cmpxchg.org Signed-off-by: Johannes Weiner Reported-by: Jan Kara Acked-by: Kirill A. Shutemov Reviewed-by: Jan Kara Cc: Hugh Dickins Cc: Matthew Wilcox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 058a4a534c2392ce6a70ea8372b635de2af1d48f Author: Johannes Weiner Date: Mon Dec 12 16:43:32 2016 -0800 mm: khugepaged: close use-after-free race during shmem collapsing commit 91a45f71078a6569ec3ca5bef74e1ab58121d80e upstream. Patch series "mm: workingset: radix tree subtleties & single-page file refaults", v3. This is another revision of the radix tree / workingset patches based on feedback from Jan and Kirill. This is a follow-up to d3798ae8c6f3 ("mm: filemap: don't plant shadow entries without radix tree node"). That patch fixed an issue that was caused mainly by the page cache sneaking special shadow page entries into the radix tree and relying on subtleties in the radix tree code to make that work. The fix also had to stop tracking refaults for single-page files because shadow pages stored as direct pointers in radix_tree_root->rnode weren't properly handled during tree extension. These patches make the radix tree code explicitely support and track such special entries, to eliminate the subtleties and to restore the thrash detection for single-page files. This patch (of 9): When a radix tree iteration drops the tree lock, another thread might swoop in and free the node holding the current slot. The iteration needs to do another tree lookup from the current index to continue. [kirill.shutemov@linux.intel.com: re-lookup for replacement] Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages") Link: http://lkml.kernel.org/r/20161117191138.22769-2-hannes@cmpxchg.org Signed-off-by: Johannes Weiner Acked-by: Kirill A. Shutemov Reviewed-by: Jan Kara Cc: Hugh Dickins Cc: Matthew Wilcox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit cd6d9ffffc4c2ce545e9d8dfcc7fe562cb02b4ea Author: Mauro Carvalho Chehab Date: Mon Nov 14 14:32:27 2016 -0200 docs-rst: fix LaTeX \DURole renewcommand with Sphinx 1.3+ commit e2a91f4f42018994d7424d405900d17eba6555d0 upstream. PDF build on Kernel 4.9-rc? returns an error with Sphinx 1.3.x and Sphinx 1.4.x, when trying to solve some cross-references. The solution is to redefine the \DURole macro. However, this is redefined too late. Move such redefinition to LaTeX preamble and bind it to just the Sphinx versions where the error is known to be present. Tested by building the documentation on interactive mode: make PDFLATEX=xelatex -C Documentation/output/./latex Fixes: e61a39baf74d ("[media] index.rst: Fix LaTeX error in interactive mode on Sphinx 1.4.x") Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jonathan Corbet Signed-off-by: Greg Kroah-Hartman commit 66c6770379368ba0738a61c2317edc0ca324b902 Author: Aneesh Kumar K.V Date: Mon Dec 12 16:41:56 2016 -0800 mm/hugetlb.c: use the right pte val for compare in hugetlb_cow commit 3999f52e3198e76607446ab1a4610c1ddc406c56 upstream. We cannot use the pte value used in set_pte_at for pte_same comparison, because archs like ppc64, filter/add new pte flag in set_pte_at. Instead fetch the pte value inside hugetlb_cow. We are comparing pte value to make sure the pte didn't change since we dropped the page table lock. hugetlb_cow get called with page table lock held, and we can take a copy of the pte value before we drop the page table lock. With hugetlbfs, we optimize the MAP_PRIVATE write fault path with no previous mapping (huge_pte_none entries), by forcing a cow in the fault path. This avoid take an addition fault to covert a read-only mapping to read/write. Here we were comparing a recently instantiated pte (via set_pte_at) to the pte values from linux page table. As explained above on ppc64 such pte_same check returned wrong result, resulting in us taking an additional fault on ppc64. Fixes: 6a119eae942c ("powerpc/mm: Add a _PAGE_PTE bit") Link: http://lkml.kernel.org/r/20161018154245.18023-1-aneesh.kumar@linux.vnet.ibm.com Signed-off-by: Aneesh Kumar K.V Reported-by: Jan Stancek Acked-by: Hillf Danton Cc: Mike Kravetz Cc: Scott Wood Cc: Michael Ellerman Cc: Kirill A. Shutemov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 17df3e74fb5174bc9fc078fd640dc3b2762f0ca1 Author: Bjorn Andersson Date: Thu Dec 1 16:59:55 2016 -0800 rpmsg: qcom_smd: Correct return value for O_NONBLOCK commit 1d74e7ed5dc1903ac081574a9b6aa94e7ba4ad45 upstream. qcom_smd_send() should return -EAGAIN for non-blocking channels with insufficient space, so that we can propagate this event to user space. Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend") Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 1d8286ccbcc6f2f5abca386430825e4c3983edc7 Author: Dan Carpenter Date: Mon Nov 14 14:31:34 2016 +0300 mmc: mmc_test: Uninitialized return value commit 16652a936e96f5dae53c3fbd38a570497baadaa8 upstream. We never set "ret" to RESULT_OK. Fixes: 9f9c4180f88d ("mmc: mmc_test: add test for non-blocking transfers") Signed-off-by: Dan Carpenter Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 74e365e69687bb250fa71ba5ba389cd2680d843f Author: Guilherme G. Piccoli Date: Wed Dec 14 16:01:12 2016 -0200 genirq/affinity: Fix node generation from cpumask commit c0af52437254fda8b0cdbaae5a9b6d9327f1fcd5 upstream. Commit 34c3d9819fda ("genirq/affinity: Provide smarter irq spreading infrastructure") introduced a better IRQ spreading mechanism, taking account of the available NUMA nodes in the machine. Problem is that the algorithm of retrieving the nodemask iterates "linearly" based on the number of online nodes - some architectures present non-linear node distribution among the nodemask, like PowerPC. If this is the case, the algorithm lead to a wrong node count number and therefore to a bad/incomplete IRQ affinity distribution. For example, this problem were found in a machine with 128 CPUs and two nodes, namely nodes 0 and 8 (instead of 0 and 1, if it was linearly distributed). This led to a wrong affinity distribution which then led to a bad mq allocation for nvme driver. Finally, we take the opportunity to fix a comment regarding the affinity distribution when we have _more_ nodes than vectors. Fixes: 34c3d9819fda ("genirq/affinity: Provide smarter irq spreading infrastructure") Reported-by: Gabriel Krisman Bertazi Signed-off-by: Guilherme G. Piccoli Reviewed-by: Christoph Hellwig Reviewed-by: Gabriel Krisman Bertazi Reviewed-by: Gavin Shan Cc: linux-pci@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org Cc: hch@lst.de Link: http://lkml.kernel.org/r/1481738472-2671-1-git-send-email-gpiccoli@linux.vnet.ibm.com Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 65f796837e0051e11334b0c075b153d5d3d4d2c5 Author: Tony Lindgren Date: Mon Dec 5 16:38:16 2016 -0800 PM / wakeirq: Fix dedicated wakeirq for drivers not using autosuspend commit bed570307ed78f21b77cb04a1df781dee4a8f05a upstream. I noticed some wakeirq flakeyness with consumer drivers not using autosuspend. For drivers not using autosuspend, the wakeirq may never get unmasked in rpm_suspend() because of irq desc->depth. We are configuring dedicated wakeirqs to start with IRQ_NOAUTOEN as we naturally don't want them running until rpm_suspend() is called. However, when a consumer driver initially calls pm_runtime_get(), we now wrongly start with disable_irq_nosync() call on the dedicated wakeirq that is disabled to start with. This causes desc->depth to toggle between 1 and 2 instead of the usual 0 and 1. This can prevent enable_irq() from unmasking the wakeirq as that only happens at desc->depth 1. This does not necessarily show up with drivers using autosuspend as there is time for disable_irq_nosync() before rpm_suspend() gets called after the autosuspend timeout. Let's fix the issue by adding wirq->status that lazily gets set on the first rpm_suspend(). We also need PM runtime core private functions for dev_pm_enable_wake_irq_check() and dev_pm_disable_wake_irq_check() so we can enable the dedicated wakeirq on the first rpm_suspend(). While at it, let's also fix the comments for dev_pm_enable_wake_irq() and dev_pm_disable_wake_irq(). Those can still be used by the consumer drivers as needed because the IRQ core manages the interrupt usecount for us. Fixes: 4990d4fe327b (PM / Wakeirq: Add automated device wake IRQ handling) Signed-off-by: Tony Lindgren Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 3b198ddd5855a5073bac27571394963b87d26613 Author: Florian Fainelli Date: Mon Oct 31 14:17:35 2016 -0700 irqchip/bcm7038-l1: Implement irq_cpu_offline() callback commit 34c535793bcbf9263cf22f8a52101f796cdfab8e upstream. We did not implement an irq_cpu_offline callback for our irqchip, yet we support setting a given IRQ's affinity. This resulted in interrupts whose affinity mask included CPUs being taken offline not to work correctly once the CPU had been put offline. Fixes: 5f7f0317ed28 ("IRQCHIP: Add new driver for BCM7038-style level 1 interrupt controllers") Signed-off-by: Florian Fainelli Cc: linux-mips@linux-mips.org Cc: jason@lakedaemon.net Cc: marc.zyngier@arm.com Cc: cernekee@gmail.com Cc: jaedon.shin@gmail.com Cc: ralf@linux-mips.org Cc: justinpopo6@gmail.com Link: http://lkml.kernel.org/r/1477948656-12966-2-git-send-email-f.fainelli@gmail.com Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 5cbea795f4d13184ff42307daea5a7dc7c046e5f Author: Jan Beulich Date: Tue Nov 8 00:43:54 2016 -0700 PCI/MSI: Check for NULL affinity mask in pci_irq_get_affinity() commit d1d111e073840b8dbc1ae90ba3fc274736451bdc upstream. If msi_setup_entry() fails to allocate an affinity mask, it logs a message but continues on and allocates an MSI entry with entry->affinity == NULL. Check for this case in pci_irq_get_affinity() so we don't try to dereference a NULL pointer. [bhelgaas: changelog] Fixes: ee8d41e53efe "pci/msi: Retrieve affinity for a vector" Signed-off-by: Jan Beulich Signed-off-by: Bjorn Helgaas Reviewed-by: Christoph Hellwig CC: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 825e6a0f7c51cc2c7e56604d2ea89c86aebef914 Author: Eric Richter Date: Thu Oct 13 17:47:36 2016 -0500 ima: fix memory leak in ima_release_policy commit 9a11a18902bc3b904353063763d06480620245a6 upstream. When the "policy" securityfs file is opened for read, it is opened as a sequential file. However, when it is eventually released, there is no cleanup for the sequential file, therefore some memory is leaked. This patch adds a call to seq_release() in ima_release_policy() to clean up the memory when the file is opened for read. Fixes: 80eae209d63a IMA: allow reading back the current policy Reported-by: Colin Ian King Signed-off-by: Eric Richter Tested-by: Colin Ian King Signed-off-by: Mimi Zohar Signed-off-by: Greg Kroah-Hartman commit c4c11b4bdbf684540f9baf9f17fc1c7fb688f1fb Author: Dan Carpenter Date: Wed Dec 14 15:05:38 2016 -0800 relay: check array offset before using it commit 9a29d0fbc2d9ad99fb8a981ab72548cc360e9d4c upstream. Smatch complains that we started using the array offset before we checked that it was valid. Fixes: 017c59c042d0 ('relay: Use per CPU constructs for the relay channel buffer pointers') Link: http://lkml.kernel.org/r/20161013084947.GC16198@mwanda Signed-off-by: Dan Carpenter Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3dd50a5e2be97d1c68545a44851be97294bfdcc7 Author: Bart Van Assche Date: Fri Nov 18 15:40:31 2016 -0800 sbp-target: Fix second argument of percpu_ida_alloc() commit 8456066a57940b3884aa080c58b166567dc9de39 upstream. Pass a task state as second argument to percpu_ida_alloc(). Fixes: commit 5a3ee221b543 ("sbp-target: Conversion to percpu_ida tag pre-allocation") Signed-off-by: Bart Van Assche Cc: Chris Boot Signed-off-by: Greg Kroah-Hartman commit 0e79a6b4567704970076a5b933bc1736234610ec Author: Dan Carpenter Date: Tue Dec 13 15:27:04 2016 +0300 target/iscsi: Fix double free in lio_target_tiqn_addtpg() commit a91918cd3ea11f91c68e08e1e8ce1b560447a80e upstream. This iscsit_tpg_add_portal_group() function is only called from lio_target_tiqn_addtpg(). Both functions free the "tpg" pointer on error so it's a double free bug. The memory is allocated in the caller so it should be freed in the caller and not here. Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1") Signed-off-by: Dan Carpenter Reviewed-by: David Disseldorp [ bvanassche: Added "Fix" at start of patch title ] Signed-off-by: Bart Van Assche Signed-off-by: Greg Kroah-Hartman commit 962a12f8e523b984d77cb5063a722a8d9536cffc Author: Arnd Bergmann Date: Wed Nov 16 16:08:34 2016 +0100 scsi: mvsas: fix command_active typo commit af15769ffab13d777e55fdef09d0762bf0c249c4 upstream. gcc-7 notices that the condition in mvs_94xx_command_active looks suspicious: drivers/scsi/mvsas/mv_94xx.c: In function 'mvs_94xx_command_active': drivers/scsi/mvsas/mv_94xx.c:671:15: error: '<<' in boolean context, did you mean '<' ? [-Werror=int-in-bool-context] This was introduced when the mv_printk() statement got added, and leads to the condition being ignored. This is probably harmless. Changing '&&' to '&' makes the code look reasonable, as we check the command bit before setting and printing it. Fixes: a4632aae8b66 ("[SCSI] mvsas: Add new macros and functions") Signed-off-by: Arnd Bergmann Reviewed-by: Johannes Thumshirn Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 5157e98aa024c5ef3d5c3b27cb7203f34073ed26 Author: Ondrej Zary Date: Fri Nov 11 10:00:20 2016 +1100 scsi: g_NCR5380: Fix release_region in error handling commit 7b93ca43b7e21fbe6fb1a6f4ecce4a2f70f424a0 upstream. When a SW-configurable card is specified but not found, the driver releases wrong region, causing the following message in kernel log: Trying to free nonexistent resource <0000000000000000-000000000000000f> Fix it by assigning base earlier. Signed-off-by: Ondrej Zary Fixes: a8cfbcaec0c1 ("scsi: g_NCR5380: Stop using scsi_module.c") Signed-off-by: Finn Thain Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit d451b3cc89c7f0c037281272d70539cd612ba539 Author: Charles Keepax Date: Fri Oct 21 14:18:48 2016 +0100 ASoC: samsung: i2s: Fixup last IRQ unsafe spin lock call commit 5faf071d08ddd1c1be66deaa93a09ccf43f5b538 upstream. Unfortunately, I seem to have missed a case where an IRQ safe spinlock was required, in samsung_i2s_dai_remove, when I fixed up the other calls in this patch: 316fa9e09ad7 ("ASoC: samsung: Use IRQ safe spin lock calls") This causes a lockdep warning when unbinding and rebinding the audio card: [ 104.357664] CPU0 CPU1 [ 104.362174] ---- ---- [ 104.366692] lock(&(&pri_dai->spinlock)->rlock); [ 104.371372] local_irq_disable(); [ 104.377283] lock(&(&substream->self_group.lock)->rlock); [ 104.385259] lock(&(&pri_dai->spinlock)->rlock); [ 104.392469] [ 104.395072] lock(&(&substream->self_group.lock)->rlock); [ 104.400710] [ 104.400710] *** DEADLOCK *** Fixes: ce8bcdbb61d9 ("ASoC: samsung: i2s: Protect more registers with a spinlock") Signed-off-by: Charles Keepax Reviewed-by: Krzysztof Kozlowski Reviewed-by: Sylwester Nawrocki Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 574bac4f402239d8dc5cb15952a93eba0602c646 Author: Dan Carpenter Date: Thu Oct 13 11:55:48 2016 +0300 ASoC: Intel: Skylake: Fix a shift wrapping bug commit c8eabf821cac120afb78ca251b07cbf520406a7e upstream. "*val" is a u64. It definitely looks like we intend to use the high 32 bits as well. Fixes: 700a9a63f9c1 ("ASoC: Intel: Skylake: Add module instance id generation APIs") Signed-off-by: Dan Carpenter Acked-by: Vinod Koul Tested-by: Kranthi G Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit d61a969f0e941de5ec682d6236cc9d5fa54bf85b Author: Takashi Iwai Date: Tue Nov 22 18:11:08 2016 +0100 ASoC: cht_bsw_rt5645: Fix leftover kmalloc commit a823a17981a73faa115bc0f7eda0190763075e2c upstream. cht_bsw_rt5645 driver allocates the own codec_id string but doesn't release it. For simplicity, put the string in cht_mc_private; then the string is allocated in a shot and released altogether. Fixes: c8560b7c917f ("ASoC: cht_bsw_rt5645: Fix writing to string literal") Signed-off-by: Takashi Iwai Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 311742c40da94fed4e4492c38ed456963ed4ecd6 Author: Arnd Bergmann Date: Tue Nov 8 14:38:52 2016 +0100 ASoC: lpass-platform: initialize dma channel number commit 3b89e4b77ef9c2f985964fab17032db98f074ed0 upstream. A bugfix accidentally removed the implicit initialization of the dma channel number, causing undefined behavior when v->alloc_dma_channel is NULL: sound/soc/qcom/lpass-platform.c: In function ‘lpass_platform_pcmops_open’: sound/soc/qcom/lpass-platform.c:83:29: error: ‘dma_ch’ may be used uninitialized in this function [-Werror=maybe-uninitialized] This adds back an explicit initialization to zero, restoring the previous behavior for that case. Fixes: 022d00ee0b55 ("ASoC: lpass-platform: Fix broken pcm data usage") Signed-off-by: Arnd Bergmann Acked-by: Kenneth Westfield Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit afd7e2b4258aa4b01720a2d65846030b3a06689f Author: Xunlei Pang Date: Mon Dec 5 20:09:07 2016 +0800 iommu/vt-d: Flush old iommu caches for kdump when the device gets context mapped commit aec0e86172a79eb5e44aff1055bb953fe4d47c59 upstream. We met the DMAR fault both on hpsa P420i and P421 SmartArray controllers under kdump, it can be steadily reproduced on several different machines, the dmesg log is like: HP HPSA Driver (v 3.4.16-0) hpsa 0000:02:00.0: using doorbell to reset controller hpsa 0000:02:00.0: board ready after hard reset. hpsa 0000:02:00.0: Waiting for controller to respond to no-op DMAR: Setting identity map for device 0000:02:00.0 [0xe8000 - 0xe8fff] DMAR: Setting identity map for device 0000:02:00.0 [0xf4000 - 0xf4fff] DMAR: Setting identity map for device 0000:02:00.0 [0xbdf6e000 - 0xbdf6efff] DMAR: Setting identity map for device 0000:02:00.0 [0xbdf6f000 - 0xbdf7efff] DMAR: Setting identity map for device 0000:02:00.0 [0xbdf7f000 - 0xbdf82fff] DMAR: Setting identity map for device 0000:02:00.0 [0xbdf83000 - 0xbdf84fff] DMAR: DRHD: handling fault status reg 2 DMAR: [DMA Read] Request device [02:00.0] fault addr fffff000 [fault reason 06] PTE Read access is not set hpsa 0000:02:00.0: controller message 03:00 timed out hpsa 0000:02:00.0: no-op failed; re-trying After some debugging, we found that the fault addr is from DMA initiated at the driver probe stage after reset(not in-flight DMA), and the corresponding pte entry value is correct, the fault is likely due to the old iommu caches of the in-flight DMA before it. Thus we need to flush the old cache after context mapping is setup for the device, where the device is supposed to finish reset at its driver probe stage and no in-flight DMA exists hereafter. I'm not sure if the hardware is responsible for invalidating all the related caches allocated in the iommu hardware before, but seems not the case for hpsa, actually many device drivers have problems in properly resetting the hardware. Anyway flushing (again) by software in kdump kernel when the device gets context mapped which is a quite infrequent operation does little harm. With this patch, the problematic machine can survive the kdump tests. CC: Myron Stowe CC: Joseph Szczypek CC: Don Brace CC: Baoquan He CC: Dave Young Fixes: 091d42e43d21 ("iommu/vt-d: Copy translation tables from old kernel") Fixes: dbcd861f252d ("iommu/vt-d: Do not re-use domain-ids from the old kernel") Fixes: cf484d0e6939 ("iommu/vt-d: Mark copied context entries") Signed-off-by: Xunlei Pang Tested-by: Don Brace Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit ef41459ab279edd5fa11da4efac4aa0155c06a35 Author: Jacob Pan Date: Tue Dec 6 10:14:23 2016 -0800 iommu/vt-d: Fix pasid table size encoding commit 65ca7f5f7d1cdde6c25172fe6107cd16902f826f upstream. Different encodings are used to represent supported PASID bits and number of PASID table entries. The current code assigns ecap_pss directly to extended context table entry PTS which is wrong and could result in writing non-zero bits to the reserved fields. IOMMU fault reason 11 will be reported when reserved bits are nonzero. This patch converts ecap_pss to extend context entry pts encoding based on VT-d spec. Chapter 9.4 as follows: - number of PASID bits = ecap_pss + 1 - number of PASID table entries = 2^(pts + 5) Software assigned limit of pasid_max value is also respected to match the allocation limitation of PASID table. cc: Mika Kuoppala cc: Ashok Raj Signed-off-by: Jacob Pan Tested-by: Mika Kuoppala Fixes: 2f26e0a9c9860 ('iommu/vt-d: Add basic SVM PASID support') Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 2148835de3c2410bfb6c64037187a1b72f6d6488 Author: Huang Rui Date: Mon Dec 12 07:28:26 2016 -0500 iommu/amd: Fix the left value check of cmd buffer commit 432abf68a79332282329286d190e21fe3ac02a31 upstream. The generic command buffer entry is 128 bits (16 bytes), so the offset of tail and head pointer should be 16 bytes aligned and increased with 0x10 per command. When cmd buf is full, head = (tail + 0x10) % CMD_BUFFER_SIZE. So when left space of cmd buf should be able to store only two command, we should be issued one COMPLETE_WAIT additionally to wait all older commands completed. Then the left space should be increased after IOMMU fetching from cmd buf. So left check value should be left <= 0x20 (two commands). Signed-off-by: Huang Rui Fixes: ac0ea6e92b222 ('x86/amd-iommu: Improve handling of full command buffer') Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 48ffae87e91346382790af10d793cba4d2e1d341 Author: Dan Carpenter Date: Thu Nov 24 14:05:44 2016 +0300 iommu/amd: Missing error code in amd_iommu_init_device() commit 24c790fbf5d8f54c8c82979db11edea8855b74bf upstream. We should set "ret" to -EINVAL if iommu_group_get() fails. Fixes: 55c99a4dc50f ("iommu/amd: Use iommu_attach_group()") Signed-off-by: Dan Carpenter Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 54eed7ab1367f3d802ba516a60967e8547224a55 Author: Chris Brandt Date: Thu Dec 15 12:00:27 2016 -0500 clk: renesas: mstp: Support 8-bit registers for r7s72100 commit e2a33c34ddff22ee208d80abdd12b88a98d6cb60 upstream. The RZ/A1 is different than the other Renesas SOCs because the MSTP registers are 8-bit instead of 32-bit and if you try writing values as 32-bit nothing happens...meaning this driver never worked for r7s72100. Fixes: b6face404f38 ("ARM: shmobile: r7s72100: add essential clock nodes to dtsi") Signed-off-by: Chris Brandt Reviewed-by: Geert Uytterhoeven Tested-by: Geert Uytterhoeven Acked-by: Kuninori Morimoto Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 5dd700e897e4d1f74fde0826ed2ed7db08c47327 Author: Vladimir Zapolskiy Date: Mon Sep 26 03:03:42 2016 +0300 clk: imx31: fix rewritten input argument of mx31_clocks_init() commit bae203d58b7dce89664071b3fafe20cedaa3e4f6 upstream. Function mx31_clocks_init() is called during clock intialization on legacy boards with reference clock frequency passed as its input argument, this can be verified by examination of the function declaration found in arch/arm/mach-imx/common.h and actual function users which include that header file. Inside CCF driver the function ignores its input argument, by chance the used value in the function body is the same as input arguments on side of all callers. Fixes: d9388c843237 ("clk: imx31: Do not call mxc_timer_init twice when booting with DT") Signed-off-by: Vladimir Zapolskiy Reviewed-by: Uwe Kleine-König Acked-by: Stephen Boyd Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit 6c9f628468723e85fa59651e258bd462091692ad Author: Chen-Yu Tsai Date: Fri Nov 11 18:05:58 2016 +0800 clk: sunxi-ng: sun8i-h3: Set CLK_SET_RATE_PARENT for audio module clocks commit 0f6f9302b819ca352cfd4f42c18ec08d521f9cae upstream. The audio module clocks are supposed to be set according to the sample rate of the audio stream. The audio PLL provides the clock signal for these module clocks, and only it is freely tunable. Set CLK_SET_RATE_PARENT for the audio module clocks so their users can properly tune the clock rate. Fixes: 0577e4853bfb ("clk: sunxi-ng: Add H3 clocks") Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Signed-off-by: Greg Kroah-Hartman commit 36a6f7005f38b86b938ab3b697ca61a6693eec1e Author: Chen-Yu Tsai Date: Fri Nov 11 18:05:57 2016 +0800 clk: sunxi-ng: sun8i-a23: Set CLK_SET_RATE_PARENT for audio module clocks commit 937ff9ded8b6ebe8963ade55bdd77a61ded88075 upstream. The audio module clocks are supposed to be set according to the sample rate of the audio stream. The audio PLL provides the clock signal for these module clocks, and only it is freely tunable. Set CLK_SET_RATE_PARENT for the audio module clocks so their users can properly tune the clock rate. Fixes: 5690879d93e8 ("clk: sunxi-ng: Add A23 CCU") Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Signed-off-by: Greg Kroah-Hartman commit 7af503c02b33504c82a88bc165e5ef77239faebd Author: Grygorii Strashko Date: Tue Nov 29 17:07:57 2016 -0600 clk: ti: dra7: fix "failed to lookup clock node gmac_gmii_ref_clk_div" boot message commit f8d17344a60921c2387759fc0a85aa64299d1ec6 upstream. Prevent creating clk alias for non existing gmac_gmii_ref_clk_div clock and, this way, eliminate excessive error message during boot: "ti_dt_clocks_register: failed to lookup clock node gmac_gmii_ref_clk_div" Fixes: c097338ebd3f ("ARM: dts: dra7: cpsw: fix clocks tree") Signed-off-by: Grygorii Strashko Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 411873a0390e8378bb47e1d5e03fb0b95fd2efb4 Author: Pan Bian Date: Thu Dec 1 14:25:44 2016 +0800 clk: clk-wm831x: fix a logic error commit 20979202ee6e4c68dab7bcf408787225a656d18e upstream. Fix bug https://bugzilla.kernel.org/show_bug.cgi?id=188561. Function wm831x_clkout_is_prepared() returns "true" when it fails to read CLOCK_CONTROL_1. "true" means the device is already prepared. So return "true" on the read failure seems improper. Signed-off-by: Pan Bian Acked-by: Charles Keepax Fixes: f05259a6ffa4 ("clk: wm831x: Add initial WM831x clock driver") Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit e3b665ef41106381a7ad3e6bbdf2ebba7682cc25 Author: Stephen Boyd Date: Wed Nov 9 17:08:28 2016 -0800 clk: qcom: ipq806x: Fix board clk rates commit cbf2e548ca8ad4bb274d014e9a70bd841d29948e upstream. The clocks on these boards run at 25 MHz, not 19.2 and 27 like other platforms. Unfortunately I copy/pasted from other similar SoCs but forgot this one is different. Fix it. Fixes: a085f877a882 ("clk: qcom: Move cxo/pxo/xo into dt files") Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 447433e5f804b1a73beb9b1051b9f847541442f0 Author: Dan Carpenter Date: Wed Nov 16 17:23:22 2016 -0800 Input: synaptics-rmi4 - unlock on error commit 792f497b22afd0563b94dd8fa129a05f762a2c25 upstream. We should unlock before returning on this error path. Fixes: 3a762dbd5347 ('[media] Input: synaptics-rmi4 - add support for F54 diagnostics') Signed-off-by: Dan Carpenter Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 584cb7dd15a3779a8f9a4ac2ec117f1f73bda83d Author: Michael Walle Date: Mon Jan 2 17:53:39 2017 +0100 hwmon: (lm90) fix temp1_max_alarm attribute commit e9572fdd13e299cfba03abbfd2786c84ac055249 upstream. Since commit commit eb1c8f4325d5 ("hwmon: (lm90) Convert to use new hwmon registration API") the temp1_max_alarm and temp1_crit_alarm attributes are mapped to the same alarm bit. Fix the typo. Fixes: eb1c8f4325d5 ("hwmon: (lm90) Convert to use new hwmon registration API") Signed-off-by: Micehael Walle Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 2aca9a4fe104e6e8d7ddca7042fe6d5379ead7f9 Author: Guenter Roeck Date: Sun Dec 11 13:27:42 2016 -0800 hwmon: (g762) Fix overflows and crash seen when writing limit attributes commit 4fccd4a1e8944033bcd7693ea4e8fb478cd2059a upstream. Fix overflows seen when writing into fan speed limit attributes. Also fix crash due to division by zero, seen when certain very large values (such as 2147483648, or 0x80000000) are written into fan speed limit attributes. Fixes: 594fbe713bf60 ("Add support for GMT G762/G763 PWM fan controllers") Cc: Arnaud Ebalard Reviewed-by: Jean Delvare Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 81616a9f751e9b08a90d13c79e6ca73a74c4b446 Author: Guenter Roeck Date: Sun Dec 4 18:15:25 2016 -0800 hwmon: (nct7802) Fix overflows seen when writing into limit attributes commit c0d04e9112ad59d73f23f3b0f6726c5e798dfcbf upstream. Fix overflows seen when writing voltage and temperature limit attributes. The value passed to DIV_ROUND_CLOSEST() needs to be clamped, and the value parameter passed to nct7802_write_fan_min() is an unsigned long. Also, writing values larger than 2700000 into a fan limit attribute results in writing 0 into the chip's limit registers. The exact behavior when writing this value is unspecified. For consistency, report a limit of 1350000 if the chip register reads 0. This may be wrong, and the chip behavior should be verified with the actual chip, but it is better than reporting a value of 0 (which, when written, results in writing a value of 0x1fff into the chip register). Fixes: 3434f3783580 ("hwmon: Driver for Nuvoton NCT7802Y") Reviewed-by: Jean Delvare Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit a69a6ebd036a6c7edf89db09ca358927c158dbe4 Author: Guenter Roeck Date: Sun Nov 20 10:37:39 2016 -0800 hwmon: (ds620) Fix overflows seen when writing temperature limits commit e36ce99ee0815d7919a7b589bfb66f3de50b6bc7 upstream. Module test reports: temp1_max: Suspected overflow: [160000 vs. 0] temp1_min: Suspected overflow: [160000 vs. 0] This is seen because the values passed when writing temperature limits are unbound. Reviewed-by: Jean Delvare Fixes: 6099469805c2 ("hwmon: Support for Dallas Semiconductor DS620") Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 29e7b170db90a852b51409a76870cdbe57341a9b Author: Jared Bents Date: Fri Nov 18 22:20:38 2016 -0600 hwmon: (amc6821) sign extension temperature commit 4538bfbf2d9f1fc48c07ac0cc0ee58716fe7fe96 upstream. Converts the unsigned temperature values from the i2c read to be sign extended as defined in the datasheet so that negative temperatures are properly read. Fixes: 28e6274d8fa67 ("hwmon: (amc6821) Avoid forward declaration") Signed-off-by: Jared Bents Signed-off-by: Matt Weber [groeck: Dropped unnecessary continuation line] Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit af3cd3f0a805ab701f1e56ed93c676c77b7d2169 Author: Javier Martinez Canillas Date: Mon Nov 7 17:31:44 2016 -0300 hwmon: (scpi) Fix module autoload commit 13edb767aa609b6efb7c0c2b57fbd72a6ded0eed upstream. If the driver is built as a module, autoload won't work because the module alias information is not filled. So user-space can't match the registered device with the corresponding module. Export the module alias information using the MODULE_DEVICE_TABLE() macro. Before this patch: $ modinfo drivers/hwmon/scpi-hwmon.ko | grep alias $ After this patch: $ modinfo drivers/hwmon/scpi-hwmon.ko | grep alias alias: of:N*T*Carm,scpi-sensorsC* alias: of:N*T*Carm,scpi-sensors Signed-off-by: Javier Martinez Canillas Fixes: ea98b29a05e9c ("hwmon: Support sensors exported via ARM SCP interface") Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 7a13086bd4575738f385d062e3676e3b13af966c Author: Micha? K?pie? Date: Fri Dec 23 10:00:08 2016 +0100 platform/x86: fujitsu-laptop: use brightness_set_blocking for LED-setting callbacks commit a608a9d52fa4168efd478d684039ed545a69dbcd upstream. All LED-setting functions in fujitsu-laptop are currently assigned to the brightness_set callback, which is incorrect because they can sleep (due to their use of call_fext_func(), which in turn issues ACPI calls) and the documentation (in include/linux/leds.h) clearly states they must not. Assign them to brightness_set_blocking instead and change them to match the expected function prototype. This change makes it possible to use Fujitsu-specific LEDs with "heavy" triggers, like disk-activity or phy0rx. Fixes: 3a407086090b ("fujitsu-laptop: Add BL power, LED control and radio state information") Fixes: 4f62568c1fcf ("fujitsu-laptop: Support radio LED") Fixes: d6b88f64b0d4 ("fujitsu-laptop: Add support for eco LED") Signed-off-by: Michał Kępień Acked-by: Jonathan Woithe Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman commit 36c1bc65d211b929dda601f78c444c228d8df27f Author: Andy Lutomirski Date: Thu Dec 15 10:14:42 2016 -0800 x86/cpu: Probe CPUID leaf 6 even when cpuid_level == 6 commit 3df8d9208569ef0b2313e516566222d745f3b94b upstream. A typo (or mis-merge?) resulted in leaf 6 only being probed if cpuid_level >= 7. Fixes: 2ccd71f1b278 ("x86/cpufeature: Move some of the scattered feature bits to x86_capability") Signed-off-by: Andy Lutomirski Acked-by: Borislav Petkov Cc: Brian Gerst Link: http://lkml.kernel.org/r/6ea30c0e9daec21e488b54761881a6dfcf3e04d0.1481825597.git.luto@kernel.org Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit bedcab8723cec3bf367ed28b6baa5350d54ef701 Author: Dmitry Safonov Date: Thu Oct 27 17:15:15 2016 +0300 x86/prctl/uapi: Remove #ifdef for CHECKPOINT_RESTORE commit a01aa6c9f40fe03c82032e7f8b3bcf1e6c93ac0e upstream. As userspace knows nothing about kernel config, thus #ifdefs around ABI prctl constants makes them invisible to userspace. Let it be clean'n'simple: remove #ifdefs. If kernel has CONFIG_CHECKPOINT_RESTORE disabled, sys_prctl() will return -EINVAL for those prctls. Reported-by: Paul Bolle Signed-off-by: Dmitry Safonov Acked-by: Andy Lutomirski Cc: 0x7f454c46@gmail.com Cc: Borislav Petkov Cc: Brian Gerst Cc: Cyrill Gorcunov Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-mm@kvack.org Cc: oleg@redhat.com Fixes: 2eefd8789698 ("x86/arch_prctl/vdso: Add ARCH_MAP_VDSO_*") Link: http://lkml.kernel.org/r/20161027141516.28447-2-dsafonov@virtuozzo.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit e641c92fd2ae2c4a54810cae66c161c9cc5b06a4 Author: Arnd Bergmann Date: Thu Oct 20 22:07:53 2016 +0200 debugfs: improve DEFINE_DEBUGFS_ATTRIBUTE for !CONFIG_DEBUG_FS commit 7f847dd31736f1284538e54f46cf10e63929eb7f upstream. The slp_s0_residency_usec debugfs file currently uses DEFINE_DEBUGFS_ATTRIBUTE(), but that macro cannot really be used to define files outside of the debugfs code, as it has no reference to the get/set functions if CONFIG_DEBUG_FS is not defined: drivers/platform/x86/intel_pmc_core.c:80:12: error: ‘pmc_core_dev_state_get’ defined but not used [-Werror=unused-function] This fixes the macro to always contain the reference, and instead rely on the stubbed-out debugfs_create_file to not actually refer to its arguments so the compiler can still drop the reference. This works because the attribute definition is always 'static', and the dead-code removal silently drops all static symbols that are not used. Fixes: c64688081490 ("debugfs: add support for self-protecting attribute file fops") Fixes: df2294fb6428 ("intel_pmc_core: Convert to DEFINE_DEBUGFS_ATTRIBUTE") Signed-off-by: Arnd Bergmann [nicstange@gmail.com: Add dummy implementations of debugfs_attr_read() and debugfs_attr_write() in order to protect against possibly broken dead code elimination and to improve readability. Correct CONFIG_DEBUGFS_FS -> CONFIG_DEBUG_FS typo in changelog.] Signed-off-by: Nicolai Stange Reviewed-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 629138cd28becfed37527a02219150e1c2aa580a Author: Geert Uytterhoeven Date: Mon Oct 3 13:03:38 2016 +0200 clk: renesas: cpg-mssr: Fix inverted debug check commit bc4725d9029e2c8205fbaf1105e193d1c4e463bb upstream. The intention was to enable the checks if debugging is enabled, not disabled. Fixes: f793d1e51705b276 ("clk: shmobile: Add new CPG/MSSR driver core") Signed-off-by: Geert Uytterhoeven Signed-off-by: Greg Kroah-Hartman commit 47e3472507f0fe563da9291785c1f01693ee22e4 Author: Dan Carpenter Date: Tue Oct 18 15:33:18 2016 +0100 efi/efivar_ssdt_load: Don't return success on allocation failure commit a75dcb5848359f488c32c0aef8711d9bd37a77b8 upstream. We should return -ENOMEM here, instead of success. Signed-off-by: Dan Carpenter Signed-off-by: Ard Biesheuvel Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Fixes: 475fb4e8b2f4 ("efi / ACPI: load SSTDs from EFI variables") Link: http://lkml.kernel.org/r/20161018143318.15673-9-matt@codeblueprint.co.uk Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 4e1dfb0035e1625cb46e229034887bbc4b159d4f Author: Guenter Roeck Date: Sun Oct 30 09:09:18 2016 -0700 cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected commit 328cf6927bb72cadefddebbc9a23c793108147a2 upstream. If CONFIG_ETRAX_AXISFLASHMAP is not configured, the flash rescue image object file is empty. With recent versions of binutils, this results in the following build error. cris-linux-objcopy: error: the input file 'arch/cris/boot/rescue/rescue.o' has no sections This is seen, for example, when trying to build cris:allnoconfig with recently generated toolchains. Since it does not make sense to build a flash rescue image if there is no flash, only build it if CONFIG_ETRAX_AXISFLASHMAP is enabled. Reported-by: kbuild test robot Fixes: 66ab3a74c5ce ("CRIS: Merge machine dependent boot/compressed ..") Signed-off-by: Guenter Roeck Signed-off-by: Jesper Nilsson Signed-off-by: Greg Kroah-Hartman commit 15e0355a1ec51e1eaf140dddeaf55d70eb91d183 Author: Nicolas Iooss Date: Sat Oct 29 13:17:37 2016 +0200 ath10k: use the right length of "background" commit 31b239824ece321c09bdb8e61e1d14814eaba38b upstream. The word "background" contains 10 characters so the third argument of strncmp() need to be 10 in order to match this prefix correctly. Signed-off-by: Nicolas Iooss Fixes: 855aed1220d2 ("ath10k: add spectral scan feature") Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit ac86312e0870ad6d35b97cc79964acbf58e99424 Author: Milo Kim Date: Tue Nov 15 22:02:11 2016 +0900 mfd: tps65217: Fix page fault on unloading modules commit 40a50f8b307de8d08f3fa37c312fc16a7dd233e5 upstream. TPS65217 IRQ domain should be removed and initialised as NULL when the module is unloaded for the next use. When tps65217.ko is loaded again, it causes the page fault. This patch fixes the error below. root@arm:~# lsmod | grep "tps" tps65217_charger 3538 0 tps65218_pwrbutton 2974 0 tps65217 6710 1 tps65217_charger root@arm:~# modprobe -r tps65217_charger root@arm:~# modprobe tps65217.ko [ 71.990277] Unable to handle kernel paging request at virtual address bf055944 [ 71.998063] pgd = dd3a4000 [ 72.000904] [bf055944] *pgd=9e6f7811, *pte=00000000, *ppte=00000000 [ 72.007567] Internal error: Oops: 7 [#1] SMP ARM [ 72.012404] Modules linked in: tps65217(+) evdev musb_dsps musb_hdrc udc_core tps65218_pwrbutton usbcore phy_am335] [ 72.055700] CPU: 0 PID: 243 Comm: modprobe Not tainted 4.9.0-rc5-next-20161114 #3 [ 72.063531] Hardware name: Generic AM33XX (Flattened Device Tree) [ 72.069899] task: de714380 task.stack: de7e6000 [ 72.074655] PC is at irq_find_matching_fwspec+0x88/0x100 [ 72.080211] LR is at 0xde7e79d8 [ 72.083496] pc : [] lr : [] psr: 200e0013 [ 72.083496] sp : de7e7a78 ip : 00000000 fp : dd138a68 [ 72.095506] r10: c0ca04f8 r9 : 00000018 r8 : de7e7ab8 [ 72.100973] r7 : 00000001 r6 : c0c4517c r5 : df963f68 r4 : de321980 [ 72.107797] r3 : bf055940 r2 : de714380 r1 : 00000000 r0 : 00000000 [ 72.114633] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none [ 72.122084] Control: 10c5387d Table: 9d3a4019 DAC: 00000051 [ 72.128097] Process modprobe (pid: 243, stack limit = 0xde7e6218) [ 72.134489] Stack: (0xde7e7a78 to 0xde7e8000) [ 72.139060] 7a60: df963f68 de7e7ab8 [ 72.147643] 7a80: 00000000 dd0e1000 dd491e20 c01a6ea0 600e0013 c01a5dc0 dd138a68 c0c45138 [ 72.156216] 7aa0: df963f68 00000000 df963f68 dd0e1010 00000000 c01a71a4 df963f68 00000001 [ 72.164800] 7ac0: 00000002 de7e7ac0 c80048b8 dd0adf00 df963f68 c0c4517c 00000000 de7e7b50 [ 72.173369] 7ae0: 00000018 c0ca04f8 dd138a68 c01a5dc0 df963f68 dd0e1010 00000000 dd0e1000 [ 72.181942] 7b00: dd491e20 c0653a70 df963f58 00000001 00000002 00000000 00000000 00000000 [ 72.190522] 7b20: 600e0093 c0cbf8f0 c0c0512c c0193674 00000001 00000080 00000000 c0554984 [ 72.199096] 7b40: 00000000 00000000 800e0013 c0553858 df963f68 00000000 00000000 00000000 [ 72.207674] 7b60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 72.216239] 7b80: 00000000 00000000 00000000 00000000 00000000 00000000 dd0e1000 c0544d24 [ 72.224816] 7ba0: dd491e10 dd0e1010 dd16e800 bf1d517c bf1d5620 dd0e1010 c1497ed4 bf1d5620 [ 72.233398] 7bc0: dd0e1010 fffffdfb bf1d5620 bf1d5620 00000000 c054537c c0545330 dd0e1010 [ 72.241967] 7be0: c1497ed4 00000000 bf1d5620 c05433ac 00000000 00000000 de7e7c28 c0543570 [ 72.250537] 7c00: 00000001 c1497e90 00000000 c0541884 de080cd4 dd44b7d4 dd0e1010 dd0e1010 [ 72.259109] 7c20: dd0e1044 c05430c8 dd0e1010 00000001 dd0e1010 dd0e1018 dd0e1010 c0c9e328 [ 72.267676] 7c40: de5d4020 c0542760 dd0e1018 dd0e1010 00000000 c0540ba8 dd138a40 c048dec4 [ 72.276253] 7c60: 00000000 dd0e1000 00000001 dd0e1000 dd0e1010 dd0e1000 bf233de0 dd138a40 [ 72.284829] 7c80: dd0e1010 c05450a0 000000bf 00000000 dd138a60 00000001 dd0e1000 c0571240 [ 72.293398] 7ca0: 00000000 dd1ce9c0 00000040 dd1ce9cc bf233de0 00000003 de5d4020 ffffffff [ 72.301969] 7cc0: 00000004 dd0adf00 00000000 c0571408 00000000 00000000 dd0adf00 de5d4020 [ 72.310543] 7ce0: c057146c dd1ce9c0 bf233d14 de5d4020 de7fb3d0 00000004 bf233d14 ffffffff [ 72.319120] 7d00: 00000018 dd49bf30 c01cedc0 c05714d0 00000000 00000000 dd0adf00 de322810 [ 72.327692] 7d20: de322810 00000000 dd033000 000000f0 00000001 bf2333fc 00000000 00000000 [ 72.336269] 7d40: dd0adf00 de5d4020 000000b6 bf233e40 de5d4020 bf233968 de5d4004 de5d4000 [ 72.344848] 7d60: bf233314 c06148ac de5d4020 c1497ed4 00000000 bf233e40 00000000 c05433ac [ 72.353422] 7d80: 00000000 de5d4020 bf233e40 de5d4054 00000000 bf236000 00000000 c0543538 [ 72.362002] 7da0: 00000000 bf233e40 c0543484 c05417e4 de1442a4 de5d04d0 bf233e40 de321300 [ 72.370582] 7dc0: c0caa5a4 c05429fc bf233be0 bf233e40 c0cbfa44 bf233e40 c0cbfa44 dd2f7740 [ 72.379148] 7de0: bf233f00 c05442f0 bf233e8c bf233e24 c0cbfa44 c0615ae0 00000000 bf233f00 [ 72.387718] 7e00: c0cbfa44 c010186c 200f0013 c0191650 de714380 00000000 600f0013 00000040 [ 72.396286] 7e20: dd2f7740 c018f1ac 00000001 c0c8356c 024000c0 c01a8854 c0c56e0e c028225c [ 72.404863] 7e40: dd2f7740 c0191984 de714380 dd2f7740 00000001 bf233f00 bf233f00 c0cbfa44 [ 72.413440] 7e60: dd2f7740 bf233f00 00000001 dd49bf08 dd49bf30 c0230998 00000001 c0c8356c [ 72.421997] 7e80: c0c4c536 c0cbfa44 c0c0512c c01d2070 bf233f0c 00007fff bf233f00 c01cf5b8 [ 72.430570] 7ea0: 00000000 c1475134 c01cee34 bf23411c bf233f48 bf234054 bf234150 00000000 [ 72.439144] 7ec0: 024002c2 de7fbf40 0009bc20 c02776ac ff800000 00000000 00000000 bf233670 [ 72.447723] 7ee0: 00000004 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 72.456298] 7f00: 00000000 00000000 00000000 00000000 c01d2590 0000aa41 00000000 00000000 [ 72.464862] 7f20: 000b2549 e12c3a41 00000051 de7e6000 0009bc20 c01d2630 00000530 e12b9000 [ 72.473438] 7f40: 0000aa41 e12c1434 e12c1211 e12c336c 00001150 00001620 00000000 00000000 [ 72.482003] 7f60: 00000000 000010fc 00000035 00000036 0000001d 0000001a 00000017 00000000 [ 72.490564] 7f80: de7e6000 3ba39a00 0009b008 0009b718 00000080 c0107704 de7e6000 00000000 [ 72.499141] 7fa0: 0009f609 c0107560 3ba39a00 0009b008 000a7b08 0000aa41 0009bc20 0000aa41 [ 72.507717] 7fc0: 3ba39a00 0009b008 0009b718 00000080 00000001 00000008 0009ab14 0009f609 [ 72.516290] 7fe0: bea31ab8 bea31aa8 0001e5eb b6e83b42 800f0030 000a7b08 0000ffff 0840ffff [ 72.524883] [] (irq_find_matching_fwspec) from [] (irq_create_fwspec_mapping+0x28/0x2e0) [ 72.535174] [] (irq_create_fwspec_mapping) from [] (irq_create_of_mapping+0x4c/0x54) [ 72.545115] [] (irq_create_of_mapping) from [] (of_irq_get+0x58/0x68) [ 72.553699] [] (of_irq_get) from [] (platform_get_irq+0x1c/0xec) [ 72.561828] [] (platform_get_irq) from [] (tps6521x_pb_probe+0xd0/0x1a8 [tps65218_pwrbutton]) [ 72.572581] [] (tps6521x_pb_probe [tps65218_pwrbutton]) from [] (platform_drv_probe+0x4c/0xac) [ 72.583426] [] (platform_drv_probe) from [] (driver_probe_device+0x204/0x2dc) [ 72.592729] [] (driver_probe_device) from [] (bus_for_each_drv+0x58/0x8c) [ 72.601657] [] (bus_for_each_drv) from [] (__device_attach+0xb0/0x114) [ 72.610324] [] (__device_attach) from [] (bus_probe_device+0x88/0x90) [ 72.618898] [] (bus_probe_device) from [] (device_add+0x3b8/0x560) [ 72.627203] [] (device_add) from [] (platform_device_add+0xa8/0x208) [ 72.635693] [] (platform_device_add) from [] (mfd_add_device+0x240/0x338) [ 72.644634] [] (mfd_add_device) from [] (mfd_add_devices+0xa0/0x104) [ 72.653120] [] (mfd_add_devices) from [] (devm_mfd_add_devices+0x60/0xa8) [ 72.662077] [] (devm_mfd_add_devices) from [] (tps65217_probe+0xe8/0x2ec [tps65217]) [ 72.672026] [] (tps65217_probe [tps65217]) from [] (i2c_device_probe+0x168/0x1f4) [ 72.681695] [] (i2c_device_probe) from [] (driver_probe_device+0x204/0x2dc) [ 72.690816] [] (driver_probe_device) from [] (__driver_attach+0xb4/0xb8) [ 72.699657] [] (__driver_attach) from [] (bus_for_each_dev+0x60/0x94) [ 72.708224] [] (bus_for_each_dev) from [] (bus_add_driver+0x18c/0x214) [ 72.716892] [] (bus_add_driver) from [] (driver_register+0x78/0xf8) [ 72.725280] [] (driver_register) from [] (i2c_register_driver+0x38/0x80) [ 72.734120] [] (i2c_register_driver) from [] (do_one_initcall+0x3c/0x178) [ 72.743055] [] (do_one_initcall) from [] (do_init_module+0x5c/0x1d0) [ 72.751537] [] (do_init_module) from [] (load_module+0x1d10/0x21c0) [ 72.759933] [] (load_module) from [] (SyS_init_module+0x110/0x154) [ 72.768242] [] (SyS_init_module) from [] (ret_fast_syscall+0x0/0x1c) [ 72.776725] Code: e5944000 e1540006 0a00001b e594300c (e593c004) [ 72.783181] ---[ end trace 0278ec325f4689b8 ]--- Fixes: 6556bdacf646 ("mfd: tps65217: Add support for IRQs") Signed-off-by: Milo Kim Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit a24f1f3520e61d46ca7867871d12345b4e5c2215 Author: Mohammed Shafi Shajakhan Date: Wed Nov 9 03:40:57 2016 +0200 ath10k: fix failure to send NULL func frame for 10.4 commit fcf7cf1551cae54e747a771f5808240f2a37708f upstream. This partially reverts 'commit 2cdce425aa33 ("ath10k: Fix broken NULL func data frame status for 10.4")' Unfortunately this breaks sending NULL func and the existing issue of obtaining proper tx status for NULL function will be fixed. Also update the comments for feature flag added to be useless and not working Fixes: 2cdce425aa33 "ath10k: Fix broken NULL func data frame status for 10.4" Signed-off-by: Mohammed Shafi Shajakhan Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 45816391e1a5f32e25b8eb2f0c18033ea4b4b6a4 Author: Vamsi Krishna Date: Fri Dec 2 23:59:08 2016 +0200 nl80211: Use different attrs for BSSID and random MAC addr in scan req commit 2fa436b3a2a7009c11a3bc03fe0ff4c26e80fd87 upstream. NL80211_ATTR_MAC was used to set both the specific BSSID to be scanned and the random MAC address to be used when privacy is enabled. When both the features are enabled, both the BSSID and the local MAC address were getting same value causing Probe Request frames to go with unintended DA. Hence, this has been fixed by using a different NL80211_ATTR_BSSID attribute to set the specific BSSID (which was the more recent addition in cfg80211) for a scan. Backwards compatibility with old userspace software is maintained to some extent by allowing NL80211_ATTR_MAC to be used to set the specific BSSID when scanning without enabling random MAC address use. Scanning with random source MAC address was introduced by commit ad2b26abc157 ("cfg80211: allow drivers to support random MAC addresses for scan") and the issue was introduced with the addition of the second user for the same attribute in commit 818965d39177 ("cfg80211: Allow a scan request for a specific BSSID"). Fixes: 818965d39177 ("cfg80211: Allow a scan request for a specific BSSID") Signed-off-by: Vamsi Krishna Signed-off-by: Jouni Malinen Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit cd84516473a78a6932b1e034e71742e14842e8dc Author: Johannes Berg Date: Tue Oct 18 23:12:08 2016 +0300 mac80211: fix tid_agg_rx NULL dereference commit 1c3d185a9a0b136a58e73b02912d593d0303d1da upstream. On drivers setting the SUPPORTS_REORDERING_BUFFER hardware flag, we crash when the peer sends an AddBA request while we already have a session open on the seame TID; this is because on those drivers, the tid_agg_rx is left NULL even though the session is valid, and the agg_session_valid bit is set. To fix this, store the dialog tokens outside the tid_agg_rx to be able to compare them to the received AddBA request. Fixes: f89e07d4cf26 ("mac80211: agg-rx: refuse ADDBA Request with timeout update") Reported-by: Emmanuel Grumbach Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 1d9c33f1b45ccc1dfbf55c97d7e1d02155e05787 Author: Daniel Vetter Date: Tue Dec 13 20:54:14 2016 +0100 drm/i915: tune down the fast link training vs boot fail commit 2c57b18adb93fc070039538f1ce375d3d3e99bbb upstream. It's been unfixed since a while and no one is immediately working on this. And we have the FIXME already. And now also a task in the DP team's backlog. Cc: Linus Torvalds Cc: stable@vger.kernel.org Cc: Ville Syrjälä References: https://lists.freedesktop.org/archives/intel-gfx/2016-July/101951.html Acked-by: Ville Syrjälä [danvet: Adjust comment per Ville's feedback.] Signed-off-by: Daniel Vetter Link: http://patchwork.freedesktop.org/patch/msgid/20161213195414.28923-1-daniel.vetter@ffwll.ch Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 2dd85aeb5bc99e3763dd192cdb95ff405a102c8a) Signed-off-by: Jani Nikula commit 8b4879154a67442705bb1af6610832ee06689785 Author: Matthew Auld Date: Wed Oct 19 22:29:53 2016 +0100 drm/i915/dp: add lane_count check in intel_dp_check_link_status commit d4cb3fd9b548b8bfe2a712ec920b9ebabd3547ab upstream. Currently it's entirely possible to go through the link training step without first determining the lane_count, which is silly since we end up doing a bunch of aux transfers of size = 0, as highlighted by WARN_ON(!msg->buffer != !msg->size), and can only ever result in a 'failed to update link training' message. This can be observed during intel_dp_long_pulse where we can do the link training step, but before we have had a chance to set the link params. To avoid this we add an extra check for the lane_count in intel_dp_check_link_status, which should prevent us from doing the link training step prematurely. v2: add WARN_ON_ONCE and FIXME comment (Ville) References: https://bugs.freedesktop.org/show_bug.cgi?id=97344 Cc: Ville Syrjälä Cc: Mika Kahola Signed-off-by: Matthew Auld Link: http://patchwork.freedesktop.org/patch/msgid/1476912593-10019-1-git-send-email-matthew.auld@intel.com Signed-off-by: Ville Syrjälä Signed-off-by: Greg Kroah-Hartman commit 5af6f56bb16ca7a90220f2757cbfa05e02d11976 Author: Felipe Balbi Date: Tue Dec 20 14:14:40 2016 +0200 usb: dwc3: gadget: always unmap EP0 requests commit d62145929992f331fdde924d5963ab49588ccc7d upstream. commit 0416e494ce7d ("usb: dwc3: ep0: correct cache sync issue in case of ep0_bounced") introduced a bug where we would leak DMA resources which would cause us to starve the system of them resulting in failing DMA transfers. Fix the bug by making sure that we always unmap EP0 requests since those are *always* mapped. Fixes: 0416e494ce7d ("usb: dwc3: ep0: correct cache sync issue in case of ep0_bounced") Cc: Tested-by: Tomasz Medrek Reported-by: Janusz Dziedzic Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit c008309f53e57af31c4a7210b4e2c68b1412c899 Author: Felipe Balbi Date: Tue Dec 20 14:08:48 2016 +0200 usb: dwc3: ep0: explicitly call dwc3_ep0_prepare_one_trb() commit 19ec31230eb3084431bc2e565fd085f79f564274 upstream. Let's call dwc3_ep0_prepare_one_trb() explicitly because there are occasions where we will need more than one TRB to handle an EP0 transfer. A follow-up patch will fix one bug related to multiple-TRB Data Phases when it comes to mapping/unmapping requests for DMA. Reported-by: Janusz Dziedzic Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 5f7fd4d2f94d41ec3a7d31c5731e70a6d200c74f Author: Felipe Balbi Date: Tue Dec 20 13:57:32 2016 +0200 usb: dwc3: ep0: add dwc3_ep0_prepare_one_trb() commit 7931ec86c1b738e4e90e58c6d95e5f720d45ee56 upstream. For now this is just a cleanup patch, no functional changes. We will be using the new function to fix a bug introduced long ago by commit 0416e494ce7d ("usb: dwc3: ep0: correct cache sync issue in case of ep0_bounced") and further worsened by commit c0bd5456a470 ("usb: dwc3: ep0: handle non maxpacket aligned transfers > 512") Reported-by: Janusz Dziedzic Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 96a0c8ee7ce6a32c455ff87d4fc4a69fc87c70d1 Author: Linus Walleij Date: Fri Dec 30 23:54:18 2016 +0100 iio: accel: st_accel: fix LIS3LV02 reading and scaling commit 65e4345c8ef8811bbb4860fe5f2df10646b7f2e1 upstream. The LIS3LV02 has a special bit that need to be set to get the read values left aligned. Before this patch we get gibberish like this: iio_generic_buffer -a -c10 -n lis3lv02dl_accel (...) 0.000000 -0.010042 -0.642688 19155832931907 0.000000 -0.010042 -0.642688 19155858751073 Which is because we read a raw value for 1g as 64 which is the nominal 1024 for 1g shifted 4 bits to the left by being right-aligned rather than left aligned. Since all other sensors are left aligned, add some code to set the special DAS (data alignment setting) bit to 1 so that the right value is now read like this: iio_generic_buffer -a -c10 -n lis3lv02dl_accel (...) 0.000000 -0.147095 -10.120135 24761614364956 -0.029419 -0.176514 -10.120135 24761631624540 The scaling was weird as well: we have a gain of 1000 for 1g and 3000 for 6g. I don't even remember how I came up with the old values but they are wrong. Fixes: 3acddf74f807 ("iio: st-sensors: add support for lis3lv02d accelerometer") Cc: Lorenzo Bianconi Cc: Giuseppe Barba Cc: Denis Ciocca Signed-off-by: Linus Walleij Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit a673f99884e355284eba0d6ffa82bc8ec5365554 Author: Eva Rachel Retuya Date: Sun Oct 9 00:05:39 2016 +0800 staging: iio: ad7606: fix improper setting of oversampling pins commit b321a38d2407c7e425c54bc09be909a34e49f740 upstream. The oversampling ratio is controlled using the oversampling pins, OS [2:0] with OS2 being the MSB control bit, and OS0 the LSB control bit. The gpio connected to the OS2 pin is not being set correctly, only OS0 and OS1 pins are being set. Fix the typo to allow proper control of the oversampling pins. Signed-off-by: Eva Rachel Retuya Fixes: b9618c0 ("staging: IIO: ADC: New driver for AD7606/AD7606-6/AD7606-4") Acked-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit fc322290fc06e53aa515f7db575f9a6c3eb84029 Author: Alexander Usyskin Date: Wed Dec 14 17:56:52 2016 +0200 mei: move write cb to completion on credentials failures commit e09ee853c92011860a4bd2fbdf6126f60fc16bd3 upstream. The credentials handling was pushed to the write handlers but error handling wasn't done properly. Move write callbacks to completion queue to destroy them and to notify a blocked writer about the failure Fixes: 136698e535cd1 (mei: push credentials inside the irq write handler) Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman commit 5d46c4e9a05e4e6cebddf49f7483127390306f5c Author: Alexander Usyskin Date: Wed Dec 14 17:56:51 2016 +0200 mei: bus: fix mei_cldev_enable KDoc commit 5026c9cb0744a9cd40242743ca91a5d712f468c6 upstream. Adjust function name in KDoc. Fixes: d49dc5e76fc9 (mei: bus: use mei_cldev_ prefix for the API functions) Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman commit af776953108b860bf6b4ccb7040969b93fb75080 Author: Alexander Usyskin Date: Fri Nov 11 03:00:09 2016 +0200 mei: fix parameter rename KDoc commit 967b274e02e18c9fbb4d19b96a89bd0afbc77b7a upstream. Parameter renaming to fop_type was not reflected in KDoc Fixes: 3030dc0564594 (mei: add wrapper for queuing control commands) Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman commit c1ec6ba3d7c71a28d9a14f4abb1999fd5db80e2f Author: Johan Hovold Date: Tue Jan 3 16:39:46 2017 +0100 USB: serial: io_ti: bind to interface after fw download commit e35d6d7c4e6532a89732cf4bace0e910ee684c88 upstream. Bind to the interface, but do not register any ports, after having downloaded the firmware. The device will still disconnect and re-enumerate, but this way we avoid an error messages from being logged as part of the process: io_ti: probe of 1-1.3:1.0 failed with error -5 Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit fb0a00fb0843136baee7812b7319c2b4db2592aa Author: Wei Yongjun Date: Sat Oct 29 23:36:24 2016 -0200 dibusb: fix possible memory leak in dibusb_rc_query() commit 1f5ecaf985c46889278f51fcb7bc143f60f4eb14 upstream. 'buf' is malloced in dibusb_rc_query() and should be freed before leaving from the error handling cases, otherwise it will cause memory leak. Fixes: ff1c123545d7 ("[media] dibusb: handle error code on RC query") Signed-off-by: Wei Yongjun Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 5f6136debf7eefa8e585c2fa52b72403f324fe77 Author: Chen-Yu Tsai Date: Tue Nov 15 21:51:04 2016 +0800 ARM: dts: sun7i: bananapi-m1-plus: Enable USB PHY for USB host support commit 0cff18cbab4f55581d9da86e4286655d9723d7d2 upstream. The 2 USB host ports are directly tied to the 2 USB hosts in the SoC. The 2 host pairs were already enabled, but the USB PHY wasn't. VBUS on the 2 ports are always on. Enable the USB PHY. Fixes: 04c85ecad32a ("ARM: dts: sun7i: Add dts file for Bananapi M1 Plus board") Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Signed-off-by: Greg Kroah-Hartman commit 5ef54ae37b130ba8c01b90e451d059c9fa2dbfa3 Author: Kefeng Wang Date: Sat Sep 24 17:14:21 2016 +0800 arm64: dts: hip06: Correct hardware pin number of usb node commit 4d75a171b67ffc3f4dadbd654c9d281091300eb2 upstream. The ohci/ehci hardware pin number should be 640/641, correct them. Fixes: commit aa8d3e74f54d ("arm64: dts: Add initial dts for Hisilicon Hip06 D03 board") Signed-off-by: Kefeng Wang Signed-off-by: Wei Xu Signed-off-by: Greg Kroah-Hartman commit 93f6891a383f92f88793da1e46cb018bdef8c18a Author: Johan Hovold Date: Tue Nov 1 11:40:25 2016 +0100 USB: phy: am335x-control: fix device and of_node leaks commit 015105b12183556771e111e93f5266851e7c5582 upstream. Make sure to drop the references taken by of_parse_phandle() and bus_find_device() before returning from am335x_get_phy_control(). Note that there is no guarantee that the devres-managed struct phy_control will be valid for the lifetime of the sibling phy device regardless of this change. Fixes: 3bb869c8b3f1 ("usb: phy: Add AM335x PHY driver") Acked-by: Bin Liu Signed-off-by: Johan Hovold Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit d387f98cb0c1e70ad45daacfb96acec4a5e0cb60 Author: Geert Uytterhoeven Date: Mon Nov 7 20:07:07 2016 +0100 ARM: dts: r8a7794: Correct hsusb parent clock commit dc8ee9dbdba509fb58e23ba79f2e6059fe5d8b3b upstream. The parent clock of the HSUSB clock is the HP clock, not the MP clock. Fixes: c7bab9f929e51761 ("ARM: shmobile: r8a7794: Add USB clocks to device tree") Signed-off-by: Geert Uytterhoeven Acked-by: Yoshihiro Shimoda Signed-off-by: Simon Horman Signed-off-by: Greg Kroah-Hartman commit a10a1b797a0fc6b352c69826c5e9cf09e2056250 Author: Peter Chen Date: Tue Nov 8 10:08:24 2016 +0800 usb: gadget: fix request length error for isoc transfer commit 982555fc26f9d8bcdbd5f9db0378fe0682eb4188 upstream. For isoc endpoint descriptor, the wMaxPacketSize is not real max packet size (see Table 9-13. Standard Endpoint Descriptor, USB 2.0 specifcation), it may contain the number of packet, so the real max packet should be ep->desc->wMaxPacketSize && 0x7ff. Cc: Felipe F. Tonello Cc: Felipe Balbi Fixes: 16b114a6d797 ("usb: gadget: fix usb_ep_align_maybe endianness and new usb_ep_aligna") Signed-off-by: Peter Chen Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit b429e37b80fd6738ce3d1d6450cc5b4f40ac12a4 Author: Bart Van Assche Date: Fri Nov 18 15:42:41 2016 -0800 usb: gadget: Fix second argument of percpu_ida_alloc() commit 03274445c01562d5352ea522431ab8c6175e2bbf upstream. Pass a task state as second argument to percpu_ida_alloc(). Fixes: commit 71e7ae8e1fb2 ("usb-gadget/tcm: Conversion to percpu_ida tag pre-allocation") Signed-off-by: Bart Van Assche Cc: Nicholas Bellinger Cc: Andrzej Pietrasiewicz Cc: Sebastian Andrzej Siewior Cc: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 8da83724d4918b35700fcbce4bfeac39fa2138f5 Author: Pan Bian Date: Tue Nov 29 16:55:02 2016 +0100 USB: serial: kl5kusb105: abort on open exception path commit 3c3dd1e058cb01e835dcade4b54a6f13ffaeaf7c upstream. Function klsi_105_open() calls usb_control_msg() (to "enable read") and checks its return value. When the return value is unexpected, it only assigns the error code to the return variable retval, but does not terminate the exception path. This patch fixes the bug by inserting "goto err_generic_close;" when the call to usb_control_msg() fails. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Pan Bian [johan: rebase on prerequisite fix and amend commit message] Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit e7c72dccd7250c8379fef1cc2551c3c55009a4e4 Author: Takashi Iwai Date: Tue Nov 29 22:28:40 2016 +0100 ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream() commit 4763601a56f155ddf94ef35fc2c41504a2de15f5 upstream. The function returns -EINVAL even if it builds the stream properly. The bogus error code sneaked in during the code refactoring, but it wasn't noticed until now since the returned error code itself is ignored in anyway. Kill it here, but there is no behavior change by this patch, obviously. Fixes: e5779998bf8b ('ALSA: usb-audio: refactor code') Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 2eb09ccfa45b4367a7f416936cf757b95063d015 Author: Jérémy Lefaure Date: Tue Jan 3 18:13:52 2017 -0600 usb: musb: blackfin: add bfin_fifo_offset in bfin_ops commit 5563bb5743cb09bde0d0f4660a5e5b19c26903bf upstream. The function bfin_fifo_offset is defined but not used: drivers/usb/musb/blackfin.c:36:12: warning: ‘bfin_fifo_offset’ defined but not used [-Wunused-function] static u32 bfin_fifo_offset(u8 epnum) ^~~~~~~~~~~~~~~~ Adding bfin_fifo_offset to bfin_ops fixes this warning and allows musb core to call this function instead of default_fifo_offset. Fixes: cc92f6818f6e ("usb: musb: Populate new IO functions for blackfin") Signed-off-by: Jérémy Lefaure Signed-off-by: Bin Liu Signed-off-by: Greg Kroah-Hartman commit 64244edf304bf06389e2b95ebd17fcc6e86e553c Author: Felix Hädicke Date: Thu Dec 29 23:02:11 2016 +0100 usb: gadget: udc: core: fix return code of usb_gadget_probe_driver() commit 7b01738112608ce47083178ae2b9ebadf02d32cc upstream. This fixes a regression which was introduced by commit f1bddbb, by reverting a small fragment of commit 855ed04. If the following conditions were met, usb_gadget_probe_driver() returned 0, although the call was unsuccessful: 1. A particular UDC was specified by thge gadget driver (using member "udc_name" of struct usb_gadget_driver). 2. The UDC with this name is available. 3. Another gadget driver is already bound to this gadget. 4. The gadget driver has the "match_existing_only" flag set. In this case, the return code variable "ret" is set to 0, the return code of a strcmp() call (to check for the second condition). This also fixes an oops which could occur in the following scenario: 1. Two usb gadget instances were configured using configfs. 2. The first gadget configuration was bound to a UDC (using the configfs attribute "UDC"). 3. It was tried to bind the second gadget configuration to the same UDC in the same way. This operation was then wrongly reported as being successful. 4. The second gadget configuration's "UDC" attribute is cleared, to unbind the (not really bound) second gadget configuration from the UDC. ] __list_del_entry+0x29/0xc0 PGD 41b4c5067 PUD 41a598067 PMD 0 Oops: 0000 [#1] SMP Modules linked in: cdc_acm usb_f_fs usb_f_serial usb_f_acm u_serial libcomposite configfs dummy_hcd bnep intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm snd_hda_codec_hdmi irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd snd_hda_codec_realtek snd_hda_codec_generic serio_raw uvcvideo videobuf2_vmalloc btusb snd_usb_audio snd_hda_intel videobuf2_memops btrtl snd_hda_codec snd_hda_core snd_usbmidi_lib btbcm videobuf2_v4l2 btintel snd_hwdep videobuf2_core snd_seq_midi bluetooth snd_seq_midi_event videodev xpad efi_pstore snd_pcm_oss rfkill joydev media crc16 ff_memless snd_mixer_oss snd_rawmidi nls_ascii snd_pcm snd_seq snd_seq_device nls_cp437 mei_me snd_timer vfat sg udc_core lpc_ich fat efivars mfd_core mei snd soundcore battery nuvoton_cir rc_core evdev intel_smartconnect ie31200_edac edac_core shpchp tpm_tis tpm_tis_core tpm parport_pc ppdev lp parport efivarfs autofs4 btrfs xor raid6_pq hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid uas usb_storage sr_mod cdrom sd_mod ahci libahci nouveau i915 crc32c_intel i2c_algo_bit psmouse ttm xhci_pci libata scsi_mod ehci_pci drm_kms_helper xhci_hcd ehci_hcd r8169 mii usbcore drm nvme nvme_core fjes button [last unloaded: net2280] CPU: 5 PID: 829 Comm: bash Not tainted 4.9.0-rc7 #1 Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z77 Extreme3, BIOS P1.50 07/11/2013 task: ffff880419ce4040 task.stack: ffffc90002ed4000 RIP: 0010:[] [] __list_del_entry+0x29/0xc0 RSP: 0018:ffffc90002ed7d68 EFLAGS: 00010207 RAX: 0000000000000000 RBX: ffff88041787ec30 RCX: dead000000000200 RDX: 0000000000000000 RSI: ffff880417482002 RDI: ffff88041787ec30 RBP: ffffc90002ed7d68 R08: 0000000000000000 R09: 0000000000000010 R10: 0000000000000000 R11: ffff880419ce4040 R12: ffff88041787eb68 R13: ffff88041787eaa8 R14: ffff88041560a2c0 R15: 0000000000000001 FS: 00007fe4e49b8700(0000) GS:ffff88042f340000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000041b4c4000 CR4: 00000000001406e0 Stack: ffffc90002ed7d80 ffffffff94f5e68d ffffffffc0ae5ef0 ffffc90002ed7da0 ffffffffc0ae22aa ffff88041787e800 ffff88041787e800 ffffc90002ed7dc0 ffffffffc0d7a727 ffffffff952273fa ffff88041aba5760 ffffc90002ed7df8 Call Trace: [] list_del+0xd/0x30 [] usb_gadget_unregister_driver+0xaa/0xc0 [udc_core] [] unregister_gadget+0x27/0x60 [libcomposite] [] ? mutex_lock+0x1a/0x30 [] gadget_dev_desc_UDC_store+0x88/0xe0 [libcomposite] [] configfs_write_file+0xa0/0x100 [configfs] [] __vfs_write+0x37/0x160 [] ? __fd_install+0x30/0xd0 [] ? _raw_spin_unlock+0xe/0x10 [] vfs_write+0xb8/0x1b0 [] SyS_write+0x58/0xc0 [] ? __close_fd+0x94/0xc0 [] entry_SYSCALL_64_fastpath+0x1e/0xad Code: 66 90 55 48 8b 07 48 b9 00 01 00 00 00 00 ad de 48 8b 57 08 48 89 e5 48 39 c8 74 29 48 b9 00 02 00 00 00 00 ad de 48 39 ca 74 3a <4c> 8b 02 4c 39 c7 75 52 4c 8b 40 08 4c 39 c7 75 66 48 89 50 08 RIP [] __list_del_entry+0x29/0xc0 RSP CR2: 0000000000000000 ---[ end trace 99fc090ab3ff6cbc ]--- Fixes: f1bddbb ("usb: gadget: Fix binding to UDC via configfs interface") Signed-off-by: Felix Hädicke Tested-by: Krzysztof Opasiak Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 8ecf70fb0889754e27bbc2852fa331734dc4d61a Author: Geert Uytterhoeven Date: Wed Dec 14 15:37:30 2016 +0100 usb: hub: Move hub_port_disable() to fix warning if PM is disabled commit 3bc02bce908c7250781376052248f5cd60a4e3d4 upstream. If CONFIG_PM=n: drivers/usb/core/hub.c:107: warning: ‘hub_usb3_port_prepare_disable’ declared inline after being called drivers/usb/core/hub.c:107: warning: previous declaration of ‘hub_usb3_port_prepare_disable’ was here To fix this, move hub_port_disable() after hub_usb3_port_prepare_disable(), and adjust forward declarations. Fixes: 37be66767e3cae4f ("usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices") Signed-off-by: Geert Uytterhoeven Signed-off-by: Greg Kroah-Hartman commit d7550d7d6ae2c769a32a48d7a02c351dc61efe3f Author: Tony Lindgren Date: Tue Jan 3 18:13:48 2017 -0600 usb: musb: Fix trying to free already-free IRQ 4 commit 8c300fe282fa254ea730c92cb0983e2642dc1fff upstream. When unloading omap2430, we can get the following splat: WARNING: CPU: 1 PID: 295 at kernel/irq/manage.c:1478 __free_irq+0xa8/0x2c8 Trying to free already-free IRQ 4 ... [] (free_irq) from [] (musbhs_dma_controller_destroy+0x28/0xb0 [musb_hdrc]) [] (musbhs_dma_controller_destroy [musb_hdrc]) from [] (musb_remove+0xf0/0x12c [musb_hdrc]) [] (musb_remove [musb_hdrc]) from [] (platform_drv_remove+0x24/0x3c) ... This is because the irq number in use is 260 nowadays, and the dma controller is using u8 instead of int. Fixes: 6995eb68aab7 ("USB: musb: enable low level DMA operation for Blackfin") Signed-off-by: Tony Lindgren [b-liu@ti.com: added Fixes tag] Signed-off-by: Bin Liu Signed-off-by: Greg Kroah-Hartman commit 5e3c2920e9f2f21d132df92318c5df2751da0b1f Author: Roger Quadros Date: Tue Jan 3 14:32:09 2017 +0200 usb: dwc3: gadget: Fix full speed mode commit 9418ee15f718939aa7e650fd586d73765eb21f20 upstream. DCFG.DEVSPD == 0x3 is not valid and we need to set DCFG.DEVSPD to 0x1 for full speed mode. Same goes for DSTS.CONNECTSPD. Old databooks had 0x3 for full speed in 48MHz mode for USB1.1 transceivers which was never supported. Newer databooks don't mention 0x3 at all. Cc: John Youn Signed-off-by: Roger Quadros Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 81f1f24d1873f56c6810fcc1ca5d2ae965c01dfc Author: Hans de Goede Date: Tue Dec 27 13:13:42 2016 +0200 usb: dwc3: pci: Fix dr_mode misspelling commit 51c1685d956221576e165dd88a20063b169bae5a upstream. usb_get_dr_mode() expects the device-property to be spelled "dr_mode" not "dr-mode". Spelling it properly fixes the following warning showing up in dmesg: [ 8704.500545] dwc3 dwc3.2.auto: Configuration mismatch. dr_mode forced to gadget Signed-off-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman commit 6af3ba285acb67b092f6f40033f6ab848eba1a15 Author: Heikki Krogerus Date: Fri Apr 1 17:13:12 2016 +0300 usb: dwc3: pci: add Intel Gemini Lake PCI ID commit 8f8983a5683623b62b339d159573f95a1fce44f3 upstream. Intel Gemini Lake SoC has the same DWC3 than Broxton. Add the new ID to the supported Devices. Signed-off-by: Heikki Krogerus Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 63d92d10a8208afeed87522a4b4b09e309c8622a Author: OGAWA Hirofumi Date: Tue Jan 3 18:28:51 2017 +0200 xhci: Fix race related to abort operation commit 1c111b6c3844a142e03bcfc2fa17bfbdea08e9dc upstream. Current abort operation has race. xhci_handle_command_timeout() xhci_abort_cmd_ring() xhci_write_64(CMD_RING_ABORT) xhci_handshake(5s) do { check CMD_RING_RUNNING udelay(1) ... COMP_CMD_ABORT event COMP_CMD_STOP event xhci_handle_stopped_cmd_ring() restart cmd_ring CMD_RING_RUNNING become 1 again } while () return -ETIMEDOUT xhci_write_64(CMD_RING_ABORT) /* can abort random command */ To do abort operation correctly, we have to wait both of COMP_CMD_STOP event and negation of CMD_RING_RUNNING. But like above, while timeout handler is waiting negation of CMD_RING_RUNNING, event handler can restart cmd_ring. So timeout handler never be notice negation of CMD_RING_RUNNING, and retry of CMD_RING_ABORT can abort random command (BTW, I guess retry of CMD_RING_ABORT was workaround of this race). To fix this race, this moves xhci_handle_stopped_cmd_ring() to xhci_abort_cmd_ring(). And timeout handler waits COMP_CMD_STOP event. At this point, timeout handler is owner of cmd_ring, and safely restart cmd_ring by using xhci_handle_stopped_cmd_ring(). [FWIW, as bonus, this way would be easily extend to add CMD_RING_PAUSE operation] [locks edited as patch is rebased on other locking fixes -Mathias] Signed-off-by: OGAWA Hirofumi Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 799dfdeb33a0f8d08c4a6d6781b20a4011825ee4 Author: OGAWA Hirofumi Date: Tue Jan 3 18:28:50 2017 +0200 xhci: Use delayed_work instead of timer for command timeout commit cb4d5ce588c5ff68e0fdd30370a0e6bc2c0a736b upstream. This is preparation to fix abort operation race (See "xhci: Fix race related to abort operation"). To make timeout sleepable, use delayed_work instead of timer. [change a newly added pending timer fix to pending work -Mathias] Signed-off-by: OGAWA Hirofumi Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 6db52153fea3c4cca32712106202955d034e7fad Author: Dan Carpenter Date: Thu Nov 10 22:33:17 2016 +0300 usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL commit c95a9f83711bf53faeb4ed9bbb63a3f065613dfb upstream. We normally use the passed in gfp flags for allocations, it's just these two which were missed. Fixes: 22d45f01a836 ("usb/xhci: replace pci_*_consistent() with dma_*_coherent()") Cc: Mathias Nyman Signed-off-by: Dan Carpenter Acked-by: Sebastian Andrzej Siewior Signed-off-by: Greg Kroah-Hartman commit 1bd67e85edf1826afbc592028bce941e0425f2dc Author: Johan Hovold Date: Tue Jan 3 16:39:53 2017 +0100 USB: serial: mos7720: fix parallel probe commit fde1faf872ed86d88e245191bc15a8e57368cd1c upstream. A static usb-serial-driver structure that is used to initialise the interrupt URB was modified during probe depending on the currently probed device type, something which could break a parallel probe of a device of a different type. Fix this up by overriding the default completion callback for MCS7715 devices in attach() instead. We may want to use two usb-serial driver instances for the two types later. Fixes: fb088e335d78 ("USB: serial: add support for serial port on the moschip 7715") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 6ea44fb2183c6e4c4c7888e35498717f9d637c39 Author: Johan Hovold Date: Tue Jan 3 16:39:52 2017 +0100 USB: serial: mos7720: fix parport use-after-free on probe errors commit 75dd211e773afcbc264677b0749d1cf7d937ab2d upstream. Do not submit the interrupt URB until after the parport has been successfully registered to avoid another use-after-free in the completion handler when accessing the freed parport private data in case of a racing completion. Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit e7cf756c89326f8dcee8a109d092d73acc59d72e Author: Johan Hovold Date: Tue Jan 3 16:39:51 2017 +0100 USB: serial: mos7720: fix use-after-free on probe errors commit 91a1ff4d53c5184d383d0baeeaeab6f9736f2ff3 upstream. The interrupt URB was submitted on probe but never stopped on probe errors. This can lead to use-after-free issues in the completion handler when accessing the freed usb-serial struct: Unable to handle kernel paging request at virtual address 6b6b6be7 ... [] (mos7715_interrupt_callback [mos7720]) from [] (__usb_hcd_giveback_urb+0x80/0x140) [] (__usb_hcd_giveback_urb) from [] (usb_hcd_giveback_urb+0x50/0x138) [] (usb_hcd_giveback_urb) from [] (musb_giveback+0xc8/0x1cc) Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit ac81f1fa956f217b5a111631b81e7d7c9b6ebd73 Author: Johan Hovold Date: Tue Jan 3 16:39:50 2017 +0100 USB: serial: mos7720: fix NULL-deref at open commit b05aebc25fdc5aeeac3ee29f0dc9f58dd07c13cc upstream. Fix NULL-pointer dereference at port open if a device lacks the expected bulk in and out endpoints. Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... [] (mos7720_open [mos7720]) from [] (serial_port_activate+0x68/0x98 [usbserial]) [] (serial_port_activate [usbserial]) from [] (tty_port_open+0x9c/0xe8) [] (tty_port_open) from [] (serial_open+0x48/0x6c [usbserial]) [] (serial_open [usbserial]) from [] (tty_open+0xcc/0x5cc) Fixes: 0f64478cbc7a ("USB: add USB serial mos7720 driver") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit bd52ddb0996af221523f7572840c6875bc0d4b8b Author: Johan Hovold Date: Tue Jan 3 16:39:55 2017 +0100 USB: serial: mos7840: fix NULL-deref at open commit 5c75633ef751dd4cd8f443dc35152c1ae563162e upstream. Fix NULL-pointer dereference in open() should the device lack the expected endpoints: Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... PC is at mos7840_open+0x88/0x8dc [mos7840] Note that we continue to treat the interrupt-in endpoint as optional for now. Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 9de856caff86c18f092a03a16f06f1422796be94 Author: Johan Hovold Date: Tue Jan 3 16:39:49 2017 +0100 USB: serial: kobil_sct: fix NULL-deref in write commit 21ce57840243c7b70fbc1ebd3dceeb70bb6e9e09 upstream. Fix NULL-pointer dereference in write() should the device lack the expected interrupt-out endpoint: Unable to handle kernel NULL pointer dereference at virtual address 00000054 ... PC is at kobil_write+0x144/0x2a0 [kobil_sct] Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit b2aa55142ea5cff7217f2633e85602d2279ff92e Author: Johan Hovold Date: Tue Jan 3 16:39:40 2017 +0100 USB: serial: cyberjack: fix NULL-deref at open commit 3dca01114dcecb1cf324534cd8d75fd1306a516b upstream. Fix NULL-pointer dereference when clearing halt at open should the device lack a bulk-out endpoint. Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... PC is at cyberjack_open+0x40/0x9c [cyberjack] Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 4de811c61ac562295adae03c06f581c167efd307 Author: Johan Hovold Date: Tue Jan 3 16:39:59 2017 +0100 USB: serial: oti6858: fix NULL-deref at open commit 5afeef2366db14587b65558bbfd5a067542e07fb upstream. Fix NULL-pointer dereference in open() should the device lack the expected endpoints: Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... PC is at oti6858_open+0x30/0x1d0 [oti6858] Note that a missing interrupt-in endpoint would have caused open() to fail. Fixes: 49cdee0ed0fc ("USB: oti6858 usb-serial driver (in Nokia CA-42 cable)") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 65914eeb39f47f44766b62a008e632b077b21100 Author: Johan Hovold Date: Tue Jan 3 16:39:42 2017 +0100 USB: serial: io_edgeport: fix NULL-deref at open commit 0dd408425eb21ddf26a692b3c8044c9e7d1a7948 upstream. Fix NULL-pointer dereference when initialising URBs at open should a non-EPIC device lack a bulk-in or interrupt-in endpoint. Unable to handle kernel NULL pointer dereference at virtual address 00000028 ... PC is at edge_open+0x24c/0x3e8 [io_edgeport] Note that the EPIC-device probe path has the required sanity checks so this makes those checks partially redundant. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 2e5167b239e62bce68e839dc53fffa8d8d2dd7e4 Author: Johan Hovold Date: Tue Jan 3 16:40:03 2017 +0100 USB: serial: ti_usb_3410_5052: fix NULL-deref at open commit ef079936d3cd09e63612834fe2698eeada0d8e3f upstream. Fix NULL-pointer dereference in open() should a malicious device lack the expected endpoints: Unable to handle kernel NULL pointer dereference at virtual address 00000030 .. [] (ti_open [ti_usb_3410_5052]) from [] (serial_port_activate+0x68/0x98 [usbserial]) Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 0556702bf34e6c464b7ca0e14f66a87e8959aea0 Author: Johan Hovold Date: Tue Jan 3 16:39:41 2017 +0100 USB: serial: garmin_gps: fix memory leak on failed URB submit commit c4ac4496e835b78a45dfbf74f6173932217e4116 upstream. Make sure to free the URB transfer buffer in case submission fails (e.g. due to a disconnect). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 9401cc62b7f5acbb65d689e4da2b1b00c85861c3 Author: Johan Hovold Date: Tue Jan 3 16:39:47 2017 +0100 USB: serial: iuu_phoenix: fix NULL-deref at open commit 90507d54f712d81b74815ef3a4bbb555cd9fab2f upstream. Fix NULL-pointer dereference at open should the device lack a bulk-in or bulk-out endpoint: Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... PC is at iuu_open+0x78/0x59c [iuu_phoenix] Fixes: 07c3b1a10016 ("USB: remove broken usb-serial num_endpoints check") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 69017618a61ea173bea773a4934a63030ac9998f Author: Johan Hovold Date: Tue Jan 3 16:39:45 2017 +0100 USB: serial: io_ti: fix I/O after disconnect commit 2330d0a853da260d8a9834a70df448032b9ff623 upstream. Cancel the heartbeat work on driver unbind in order to avoid I/O after disconnect in case the port is held open. Note that the cancel in release() is still needed to stop the heartbeat after late probe errors. Fixes: 26c78daade0f ("USB: io_ti: Add heartbeat to keep idle EP/416 ports from disconnecting") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit a66274a9b2f4d570cdb4f44417bfc7efd97a8bab Author: Johan Hovold Date: Tue Jan 3 16:39:44 2017 +0100 USB: serial: io_ti: fix another NULL-deref at open commit 4f9785cc99feeb3673993b471f646b4dbaec2cc1 upstream. In case a device is left in "boot-mode" we must not register any port devices in order to avoid a NULL-pointer dereference on open due to missing endpoints. This could be used by a malicious device to trigger an OOPS: Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... [] (edge_open [io_ti]) from [] (serial_port_activate+0x68/0x98 [usbserial]) [] (serial_port_activate [usbserial]) from [] (tty_port_open+0x9c/0xe8) [] (tty_port_open) from [] (serial_open+0x48/0x6c [usbserial]) [] (serial_open [usbserial]) from [] (tty_open+0xcc/0x5cc) Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 32631d1a739f919db4dea05c98543fa4fcfcb7c6 Author: Johan Hovold Date: Tue Jan 3 16:39:43 2017 +0100 USB: serial: io_ti: fix NULL-deref at open commit a323fefc6f5079844dc62ffeb54f491d0242ca35 upstream. Fix NULL-pointer dereference when clearing halt at open should a malicious device lack the expected endpoints when in download mode. Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... [] (edge_open [io_ti]) from [] (serial_port_activate+0x68/0x98 [usbserial]) [] (serial_port_activate [usbserial]) from [] (tty_port_open+0x9c/0xe8) [] (tty_port_open) from [] (serial_open+0x48/0x6c [usbserial]) [] (serial_open [usbserial]) from [] (tty_open+0xcc/0x5cc) Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit b5264ea24484c8d34a0db7ed9085ab41cfc00576 Author: Johan Hovold Date: Tue Jan 3 16:40:02 2017 +0100 USB: serial: spcp8x5: fix NULL-deref at open commit cc0909248258f679c4bb4cd315565d40abaf6bc6 upstream. Fix NULL-pointer dereference in open() should the device lack the expected endpoints: Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... PC is at spcp8x5_open+0x30/0xd0 [spcp8x5] Fixes: 619a6f1d1423 ("USB: add usb-serial spcp8x5 driver") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit dda7611ec4a5ced89cebb3a9c48afc9c846a1f83 Author: Johan Hovold Date: Tue Jan 3 16:39:48 2017 +0100 USB: serial: keyspan_pda: verify endpoints at probe commit 5d9b0f859babe96175cd33d7162a9463a875ffde upstream. Check for the expected endpoints in attach() and fail loudly if not present. Note that failing to do this appears to be benign since da280e348866 ("USB: keyspan_pda: clean up write-urb busy handling") which prevents a NULL-pointer dereference in write() by never marking a non-existent write-urb as free. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 69c415ed5c98c03e7f12c5e2cd7d7e5f7708e4f4 Author: Johan Hovold Date: Tue Jan 3 16:40:00 2017 +0100 USB: serial: pl2303: fix NULL-deref at open commit 76ab439ed1b68778e9059c79ecc5d14de76c89a8 upstream. Fix NULL-pointer dereference in open() should a type-0 or type-1 device lack the expected endpoints: Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... PC is at pl2303_open+0x38/0xec [pl2303] Note that a missing interrupt-in endpoint would have caused open() to fail. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 2a4ae7bc3d8d8e4b92dbac37c90ba1708e7e5c80 Author: Johan Hovold Date: Tue Jan 3 16:40:01 2017 +0100 USB: serial: quatech2: fix sleep-while-atomic in close commit f09d1886a41e9063b43da493ef0e845ac8afd2fa upstream. The write URB was being killed using the synchronous interface while holding a spin lock in close(). Simply drop the lock and busy-flag update, something which would have been taken care of by the completion handler if the URB was in flight. Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 6ae3e89aa6b1cc3ae129922c7132ffea0aa6b19c Author: Johan Hovold Date: Tue Jan 3 16:39:58 2017 +0100 USB: serial: omninet: fix NULL-derefs at open and disconnect commit a5bc01949e3b19d8a23b5eabc6fc71bb50dc820e upstream. Fix NULL-pointer dereferences at open() and disconnect() should the device lack the expected bulk-out endpoints: Unable to handle kernel NULL pointer dereference at virtual address 000000b4 ... [c0170ff0>] (__lock_acquire) from [] (lock_acquire+0x108/0x264) [] (lock_acquire) from [] (_raw_spin_lock_irqsave+0x58/0x6c) [] (_raw_spin_lock_irqsave) from [] (tty_port_tty_set+0x28/0xa4) [] (tty_port_tty_set) from [] (omninet_open+0x30/0x40 [omninet]) [] (omninet_open [omninet]) from [] (serial_port_activate+0x68/0x98 [usbserial]) Unable to handle kernel NULL pointer dereference at virtual address 00000234 ... [] (omninet_disconnect [omninet]) from [] (usb_serial_disconnect+0xe4/0x100 [usbserial]) Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 9acba5179d6c08f5499de52cb543d2b2fbb98cc2 Author: Pan Bian Date: Tue Jan 3 18:28:45 2017 +0200 usb: return error code when platform_get_irq fails commit 28bedb5ae463b9f7e5195cbc93f1795e374bdef8 upstream. In function xhci_mtk_probe(), variable ret takes the return value. Its value should be negative on failures. However, when the call to function platform_get_irq() fails, it does not set the error code, and 0 will be returned. 0 indicates no error. As a result, the callers of function xhci_mtk_probe() will not be able to detect the error. This patch fixes the bug by assigning the return value of platform_get_irq() to variable ret if it fails. Signed-off-by: Pan Bian Reviewed-by: Matthias Brugger Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit cb02cce9a7f8eea6f6c8432f296074d20829ff0f Author: Lu Baolu Date: Tue Jan 3 18:28:49 2017 +0200 usb: xhci: hold lock over xhci_abort_cmd_ring() commit 4dea70778c0f48b4385c7720c363ec8d37a401b4 upstream. In command timer function, xhci_handle_command_timeout(), xhci->lock is unlocked before call into xhci_abort_cmd_ring(). This might cause race between the timer function and the event handler. The xhci_abort_cmd_ring() function sets the CMD_RING_ABORT bit in the command register and polling it until the setting takes effect. A stop command ring event might be handled between writing the abort bit and polling for it. The event handler will restart the command ring, which causes the failure of polling, and we ever believed that we failed to stop it. As a bonus, this also fixes some issues of calling functions without locking in xhci_handle_command_timeout(). Signed-off-by: Lu Baolu Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 9e6c400bb58220c46a2e5e616a1fbf756f011489 Author: Mathias Nyman Date: Tue Jan 3 18:28:48 2017 +0200 xhci: Handle command completion and timeout race commit a5a1b9514154437aa1ed35c291191f82fd3e941a upstream. If we get a command completion event at the same time as the command timeout work starts on another cpu we might end up aborting the wrong command. If the command completion takes the xhci lock before the timeout work, it will handle the command, pick the next command, mark it as current_cmd, and re-queue the timeout work. When the timeout work finally gets the lock It will start aborting the wrong command. This case can be resolved by checking if the timeout work is pending inside the timeout function itself. A new timeout work can only be pending if the command completed and a new command was queued. If there are no more commands pending then command completion will set the current_cmd to NULL, which is already handled in the timeout work. Reported-by: Baolin Wang Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 78ccc1966c9e3dc379a89fb3efb06db35a297680 Author: Baolin Wang Date: Tue Jan 3 18:28:47 2017 +0200 usb: host: xhci: Fix possible wild pointer when handling abort command commit 2a7cfdf37b7c08ac29df4c62ea5ccb01474b6597 upstream. When current command was supposed to be aborted, host will free the command in handle_cmd_completion() function. But it might be still referenced by xhci->current_cmd, which need to set NULL. Signed-off-by: Baolin Wang Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit a2118d0974095b994a8aa7b32a6a213b961f4f3e Author: Lu Baolu Date: Tue Jan 3 18:28:44 2017 +0200 usb: xhci: fix return value of xhci_setup_device() commit 90797aee5d6902b49a453c97d83c326408aeb5a8 upstream. xhci_setup_device() should return failure with correct error number when xhci host has died, removed or halted. During usb device enumeration, if usb host is not accessible (died, removed or halted), the hc_driver->address_device() should return a corresponding error code to usb core. But current xhci driver just returns success. This misleads usb core to continue the enumeration by reading the device descriptor, which will result in failure, and users will get a misleading message like "device descriptor read/8, error -110". Signed-off-by: Lu Baolu Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 3bf5e7410178eb0f95f2c51c984d67b77a8e61d3 Author: Mathias Nyman Date: Tue Jan 3 18:28:43 2017 +0200 xhci: free xhci virtual devices with leaf nodes first commit ee8665e28e8d90ce69d4abe5a469c14a8707ae0e upstream. the tt_info provided by a HS hub might be in use to by a child device Make sure we free the devices in the correct order. This is needed in special cases such as when xhci controller is reset when resuming from hibernate, and all virt_devices are freed. Also free the virt_devices starting from max slot_id as children more commonly have higher slot_id than parent. Reported-by: Guenter Roeck Tested-by: Guenter Roeck Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 40359f91569496e77494116dddf8dd317f29d9e5 Author: Wan Ahmad Zainie Date: Tue Jan 3 18:28:52 2017 +0200 usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Apollo Lake commit 6c97cfc1a097b1e0786c836e92b7a72b4d031e25 upstream. Intel Apollo Lake also requires XHCI_PME_STUCK_QUIRK. Adding its PCI ID to quirk. Signed-off-by: Wan Ahmad Zainie Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 9da8e3e48e8805810096f1fbd9e764c0baece561 Author: Lu Baolu Date: Tue Jan 3 18:28:46 2017 +0200 usb: xhci: fix possible wild pointer commit 2b985467371a58ae44d76c7ba12b0951fee6ed98 upstream. handle_cmd_completion() frees a command structure which might be still referenced by xhci->current_cmd. This might cause problem when xhci->current_cmd is accessed after that. A real-life case could be like this. The host takes a very long time to respond to a command, and the command timer is fired at the same time when the command completion event arrives. The command completion handler frees xhci->current_cmd before the timer function can grab xhci->lock. Afterward, timer function grabs the lock and go ahead with checking and setting members of xhci->current_cmd. Signed-off-by: Lu Baolu Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 9bdd47c53b7cf79f68ef5038e9494261f060f64e Author: Felipe Balbi Date: Fri Dec 23 14:40:40 2016 +0200 usb: dwc3: core: avoid Overflow events commit e71d363d9c611c99fb78f53bfee99616e7fe352c upstream. Now that we're handling so many transfers at a time and for some dwc3 revisions LPM events *must* be enabled, we can fall into a situation where too many events fire and we start receiving Overflow events. Let's do what XHCI does and allocate a full page for the Event Ring, this will avoid any future issues. Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 2b95c939cb88c3182e9dd681d4cf40b70985b8a5 Author: Krzysztof Opasiak Date: Tue Dec 20 19:52:16 2016 +0100 usb: gadget: composite: Test get_alt() presence instead of set_alt() commit 7e4da3fcf7c9fe042f2f7cb7bf23861a899b4a8f upstream. By convention (according to doc) if function does not provide get_alt() callback composite framework should assume that it has only altsetting 0 and should respond with error if host tries to set other one. After commit dd4dff8b035f ("USB: composite: Fix bug: should test set_alt function pointer before use it") we started checking set_alt() callback instead of get_alt(). This check is useless as we check if set_alt() is set inside usb_add_function() and fail if it's NULL. Let's fix this check and move comment about why we check the get method instead of set a little bit closer to prevent future false fixes. Fixes: dd4dff8b035f ("USB: composite: Fix bug: should test set_alt function pointer before use it") Signed-off-by: Krzysztof Opasiak Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 735daeec9e6062cad8aab412d0c04d26ae8e13e7 Author: Alan Stern Date: Wed Dec 14 14:55:56 2016 -0500 USB: dummy-hcd: fix bug in stop_activity (handle ep0) commit bcdbeb844773333d2d1c08004f3b3e25921040e5 upstream. The stop_activity() routine in dummy-hcd is supposed to unlink all active requests for every endpoint, among other things. But it doesn't handle ep0. As a result, fuzz testing can generate a WARNING like the following: WARNING: CPU: 0 PID: 4410 at drivers/usb/gadget/udc/dummy_hcd.c:672 dummy_free_request+0x153/0x170 Modules linked in: CPU: 0 PID: 4410 Comm: syz-executor Not tainted 4.9.0-rc7+ #32 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 ffff88006a64ed10 ffffffff81f96b8a ffffffff41b58ab3 1ffff1000d4c9d35 ffffed000d4c9d2d ffff880065f8ac00 0000000041b58ab3 ffffffff8598b510 ffffffff81f968f8 0000000041b58ab3 ffffffff859410e0 ffffffff813f0590 Call Trace: [< inline >] __dump_stack lib/dump_stack.c:15 [] dump_stack+0x292/0x398 lib/dump_stack.c:51 [] __warn+0x19f/0x1e0 kernel/panic.c:550 [] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585 [] dummy_free_request+0x153/0x170 drivers/usb/gadget/udc/dummy_hcd.c:672 [] usb_ep_free_request+0xc0/0x420 drivers/usb/gadget/udc/core.c:195 [] gadgetfs_unbind+0x131/0x190 drivers/usb/gadget/legacy/inode.c:1612 [] usb_gadget_remove_driver+0x10f/0x2b0 drivers/usb/gadget/udc/core.c:1228 [] usb_gadget_unregister_driver+0x154/0x240 drivers/usb/gadget/udc/core.c:1357 This patch fixes the problem by iterating over all the endpoints in the driver's ep array instead of iterating over the gadget's ep_list, which explicitly leaves out ep0. Signed-off-by: Alan Stern Reported-by: Andrey Konovalov Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 05b0f2fc3c2f9efda47439557e0d51faca7e43ed Author: Alan Stern Date: Mon Dec 19 12:03:41 2016 -0500 USB: fix problems with duplicate endpoint addresses commit 0a8fd1346254974c3a852338508e4a4cddbb35f1 upstream. When checking a new device's descriptors, the USB core does not check for duplicate endpoint addresses. This can cause a problem when the sysfs files for those endpoints are created; trying to create multiple files with the same name will provoke a WARNING: WARNING: CPU: 2 PID: 865 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x8a/0xa0 sysfs: cannot create duplicate filename '/devices/platform/dummy_hcd.0/usb2/2-1/2-1:64.0/ep_05' Kernel panic - not syncing: panic_on_warn set ... CPU: 2 PID: 865 Comm: kworker/2:1 Not tainted 4.9.0-rc7+ #34 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: usb_hub_wq hub_event ffff88006bee64c8 ffffffff81f96b8a ffffffff00000001 1ffff1000d7dcc2c ffffed000d7dcc24 0000000000000001 0000000041b58ab3 ffffffff8598b510 ffffffff81f968f8 ffffffff850fee20 ffffffff85cff020 dffffc0000000000 Call Trace: [< inline >] __dump_stack lib/dump_stack.c:15 [] dump_stack+0x292/0x398 lib/dump_stack.c:51 [] panic+0x1cb/0x3a9 kernel/panic.c:179 [] __warn+0x1c4/0x1e0 kernel/panic.c:542 [] warn_slowpath_fmt+0xc5/0x110 kernel/panic.c:565 [] sysfs_warn_dup+0x8a/0xa0 fs/sysfs/dir.c:30 [] sysfs_create_dir_ns+0x178/0x1d0 fs/sysfs/dir.c:59 [< inline >] create_dir lib/kobject.c:71 [] kobject_add_internal+0x227/0xa60 lib/kobject.c:229 [< inline >] kobject_add_varg lib/kobject.c:366 [] kobject_add+0x139/0x220 lib/kobject.c:411 [] device_add+0x353/0x1660 drivers/base/core.c:1088 [] device_register+0x1d/0x20 drivers/base/core.c:1206 [] usb_create_ep_devs+0x163/0x260 drivers/usb/core/endpoint.c:195 [] create_intf_ep_devs+0x13b/0x200 drivers/usb/core/message.c:1030 [] usb_set_configuration+0x1083/0x18d0 drivers/usb/core/message.c:1937 [] generic_probe+0x6e/0xe0 drivers/usb/core/generic.c:172 [] usb_probe_device+0xaa/0xe0 drivers/usb/core/driver.c:263 This patch prevents the problem by checking for duplicate endpoint addresses during enumeration and skipping any duplicates. Signed-off-by: Alan Stern Reported-by: Andrey Konovalov Tested-by: Andrey Konovalov Signed-off-by: Greg Kroah-Hartman commit da4543b3bce001ccc8a283ed64933dea13fb7b77 Author: Alan Stern Date: Fri Dec 9 15:24:24 2016 -0500 USB: gadgetfs: fix checks of wTotalLength in config descriptors commit 1c069b057dcf64fada952eaa868d35f02bb0cfc2 upstream. Andrey Konovalov's fuzz testing of gadgetfs showed that we should improve the driver's checks for valid configuration descriptors passed in by the user. In particular, the driver needs to verify that the wTotalLength value in the descriptor is not too short (smaller than USB_DT_CONFIG_SIZE). And the check for whether wTotalLength is too large has to be changed, because the driver assumes there is always enough room remaining in the buffer to hold a device descriptor (at least USB_DT_DEVICE_SIZE bytes). This patch adds the additional check and fixes the existing check. It may do a little more than strictly necessary, but one extra check won't hurt. Signed-off-by: Alan Stern CC: Andrey Konovalov Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 46427c247b6204f95d7406df9f43843306b0b7ab Author: Alan Stern Date: Fri Dec 9 15:18:43 2016 -0500 USB: gadgetfs: fix use-after-free bug commit add333a81a16abbd4f106266a2553677a165725f upstream. Andrey Konovalov reports that fuzz testing with syzkaller causes a KASAN use-after-free bug report in gadgetfs: BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr ffff88003dfe5bf2 Read of size 2 by task syz-executor0/22994 CPU: 3 PID: 22994 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #16 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 ffff88006df06a18 ffffffff81f96aba ffffffffe0528500 1ffff1000dbe0cd6 ffffed000dbe0cce ffff88006df068f0 0000000041b58ab3 ffffffff8598b4c8 ffffffff81f96828 1ffff1000dbe0ccd ffff88006df06708 ffff88006df06748 Call Trace: [ 201.343209] [< inline >] __dump_stack lib/dump_stack.c:15 [ 201.343209] [] dump_stack+0x292/0x398 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159 [< inline >] print_address_description mm/kasan/report.c:197 [] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286 [< inline >] kasan_report mm/kasan/report.c:306 [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:337 [< inline >] config_buf drivers/usb/gadget/legacy/inode.c:1298 [] gadgetfs_setup+0x208a/0x20e0 drivers/usb/gadget/legacy/inode.c:1368 [] dummy_timer+0x11f0/0x36d0 drivers/usb/gadget/udc/dummy_hcd.c:1858 [] call_timer_fn+0x241/0x800 kernel/time/timer.c:1308 [< inline >] expire_timers kernel/time/timer.c:1348 [] __run_timers+0xa06/0xec0 kernel/time/timer.c:1641 [] run_timer_softirq+0x21/0x80 kernel/time/timer.c:1654 [] __do_softirq+0x2fb/0xb63 kernel/softirq.c:284 The cause of the bug is subtle. The dev_config() routine gets called twice by the fuzzer. The first time, the user data contains both a full-speed configuration descriptor and a high-speed config descriptor, causing dev->hs_config to be set. But it also contains an invalid device descriptor, so the buffer containing the descriptors is deallocated and dev_config() returns an error. The second time dev_config() is called, the user data contains only a full-speed config descriptor. But dev->hs_config still has the stale pointer remaining from the first call, causing the routine to think that there is a valid high-speed config. Later on, when the driver dereferences the stale pointer to copy that descriptor, we get a use-after-free access. The fix is simple: Clear dev->hs_config if the passed-in data does not contain a high-speed config descriptor. Signed-off-by: Alan Stern Reported-by: Andrey Konovalov Tested-by: Andrey Konovalov Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit b946777664dba9e3d5712073c173544c12762351 Author: Alan Stern Date: Fri Dec 9 15:17:46 2016 -0500 USB: gadgetfs: fix unbounded memory allocation bug commit faab50984fe6636e616c7cc3d30308ba391d36fd upstream. Andrey Konovalov reports that fuzz testing with syzkaller causes a KASAN warning in gadgetfs: BUG: KASAN: slab-out-of-bounds in dev_config+0x86f/0x1190 at addr ffff88003c47e160 Write of size 65537 by task syz-executor0/6356 CPU: 3 PID: 6356 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #19 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 ffff88003c107ad8 ffffffff81f96aba ffffffff3dc11ef0 1ffff10007820eee ffffed0007820ee6 ffff88003dc11f00 0000000041b58ab3 ffffffff8598b4c8 ffffffff81f96828 ffffffff813fb4a0 ffff88003b6eadc0 ffff88003c107738 Call Trace: [< inline >] __dump_stack lib/dump_stack.c:15 [] dump_stack+0x292/0x398 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159 [< inline >] print_address_description mm/kasan/report.c:197 [] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286 [] kasan_report+0x35/0x40 mm/kasan/report.c:306 [< inline >] check_memory_region_inline mm/kasan/kasan.c:308 [] check_memory_region+0x139/0x190 mm/kasan/kasan.c:315 [] kasan_check_write+0x14/0x20 mm/kasan/kasan.c:326 [< inline >] copy_from_user arch/x86/include/asm/uaccess.h:689 [< inline >] ep0_write drivers/usb/gadget/legacy/inode.c:1135 [] dev_config+0x86f/0x1190 drivers/usb/gadget/legacy/inode.c:1759 [] __vfs_write+0x5d5/0x760 fs/read_write.c:510 [] vfs_write+0x170/0x4e0 fs/read_write.c:560 [< inline >] SYSC_write fs/read_write.c:607 [] SyS_write+0xfb/0x230 fs/read_write.c:599 [] entry_SYSCALL_64_fastpath+0x1f/0xc2 Indeed, there is a comment saying that the value of len is restricted to a 16-bit integer, but the code doesn't actually do this. This patch fixes the warning. It replaces the comment with a computation that forces the amount of data copied from the user in ep0_write() to be no larger than the wLength size for the control transfer, which is a 16-bit quantity. Signed-off-by: Alan Stern Reported-by: Andrey Konovalov Tested-by: Andrey Konovalov Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 404954e5b8a675ea5b4ef4dc4c5a74b1ff3ad410 Author: Greg Kroah-Hartman Date: Tue Dec 6 08:36:29 2016 +0100 usb: gadgetfs: restrict upper bound on device configuration size commit 0994b0a257557e18ee8f0b7c5f0f73fe2b54eec1 upstream. Andrey Konovalov reported that we were not properly checking the upper limit before of a device configuration size before calling memdup_user(), which could cause some problems. So set the upper limit to PAGE_SIZE * 4, which should be good enough for all devices. Reported-by: Andrey Konovalov Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 72271ae49d6bf4011f5861fcae9e29dfbf87fb65 Author: Oliver Neukum Date: Mon Jan 2 15:26:17 2017 +0100 usb: storage: unusual_uas: Add JMicron JMS56x to unusual device commit 674aea07e38200ea6f31ff6d5f200f0cf6cdb325 upstream. This device gives the following error on detection. xhci_hcd 0000:00:11.0: ERROR Transfer event for disabled endpoint or incorrect stream ring The same error is not seen when it is added to unusual_device list with US_FL_NO_REPORT_OPCODES passed. Signed-off-by: George Cherian Signed-off-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit 4a37dbe68289b5bddb43656385a230d13d56f6dc Author: Bin Liu Date: Tue Jan 3 18:13:47 2017 -0600 usb: musb: dsps: implement clear_ep_rxintr() callback commit c48400baa02155a5ddad63e8554602e48782278c upstream. During dma teardown for dequque urb, if musb load is high, musb might generate bogus rx ep interrupt even when the rx fifo is flushed. In such case any of the follow log messages could happen. musb_host_rx 1853: BOGUS RX2 ready, csr 0000, count 0 musb_host_rx 1936: RX3 dma busy, csr 2020 As mentioned in the current inline comment, clearing ep interrupt in the teardown path avoids the bogus interrupt, so implement clear_ep_rxintr() callback. This bug seems to be existing since the initial driver for musb support, but I only validated the fix back to v4.1, so only cc stable for v4.1+. Signed-off-by: Bin Liu Signed-off-by: Greg Kroah-Hartman commit 5de2dd7f1be18c1ee72c4aa4aeccb191982c1e7c Author: Bin Liu Date: Tue Jan 3 18:13:46 2017 -0600 usb: musb: core: add clear_ep_rxintr() to musb_platform_ops commit 6def85a396ce7796bd9f4561c6ae8138833f7a52 upstream. During dma teardown for dequque urb, if musb load is high, musb might generate bogus rx ep interrupt even when the rx fifo is flushed. In such case any of the follow log messages could happen. musb_host_rx 1853: BOGUS RX2 ready, csr 0000, count 0 musb_host_rx 1936: RX3 dma busy, csr 2020 As mentioned in the current inline comment, clearing ep interrupt in the teardown path avoids the bogus interrupt. Clearing ep interrupt is platform dependent, so this patch adds a platform callback to allow glue driver to clear the ep interrupt. This bug seems to be existing since the initial driver for musb support, but I only validated the fix back to v4.1, so only cc stable for v4.1+. Signed-off-by: Bin Liu Signed-off-by: Greg Kroah-Hartman commit 84fd8feb5bb50508ba336c7eaf2f377e0b241521 Author: James Hogan Date: Tue Jan 3 17:43:01 2017 +0000 KVM: MIPS: Flush KVM entry code from icache globally commit 32eb12a6c11034867401d56b012e3c15d5f8141e upstream. Flush the KVM entry code from the icache on all CPUs, not just the one that built the entry code. Signed-off-by: James Hogan Cc: Paolo Bonzini Cc: "Radim Krčmář" Cc: Ralf Baechle Cc: linux-mips@linux-mips.org Cc: kvm@vger.kernel.org Signed-off-by: Radim Krčmář Signed-off-by: Greg Kroah-Hartman commit 26a401a6a52f7b838ce65b3b48e314c0a4aaa348 Author: James Hogan Date: Tue Jan 3 17:43:00 2017 +0000 KVM: MIPS: Don't clobber CP0_Status.UX commit 4c881451d3017033597ea186cf79ae41a73e1ef8 upstream. On 64-bit kernels, MIPS KVM will clear CP0_Status.UX to prevent the guest (running in user mode) from accessing the 64-bit memory segments. However the previous value of CP0_Status.UX is never restored when exiting from the guest. If the user process uses 64-bit addressing (the n64 ABI) this can result in address error exceptions from the kernel if it needs to deliver a signal before returning to user mode, as the kernel will need to write a sigframe to high user addresses on the user stack which are disallowed by CP0_Status.UX=0. This is fixed by explicitly setting SX and UX again when exiting from the guest, and explicitly clearing those bits when returning to the guest. Having the SX and UX bits set when handling guest exits (rather than only when exiting to userland) will be helpful when we support VZ, since we shouldn't need to directly read or write guest memory, so it will be valid for cache management IPIs to access host user addresses. Signed-off-by: James Hogan Cc: Paolo Bonzini Cc: "Radim Krčmář" Cc: Ralf Baechle Cc: linux-mips@linux-mips.org Cc: kvm@vger.kernel.org Signed-off-by: Radim Krčmář Signed-off-by: Greg Kroah-Hartman commit f39969ab0418a9ef7da3f6e571359449b3497d83 Author: Xiao Guangrong Date: Sat Dec 24 10:00:42 2016 +0100 KVM: x86: reset MMU on KVM_SET_VCPU_EVENTS commit 6ef4e07ecd2db21025c446327ecf34414366498b upstream. Otherwise, mismatch between the smm bit in hflags and the MMU role can cause a NULL pointer dereference. Signed-off-by: Xiao Guangrong Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit fe4fc2d67d0bfa0a1b5178e4f3c0f3ae7b29f737 Author: Ville Syrjälä Date: Wed Dec 21 16:45:47 2016 +0200 drm/i915: Initialize overlay->last_flip properly commit a6d3e7d35d088b2aabad1688b740e17bfdf566c5 upstream. Initialize overlay->last_flip properly instead of leaving it zeroed. Cc: Chris Wilson Fixes: 0d9bdd886f29 ("drm/i915: Convert intel_overlay to request tracking") Reviewed-by: Chris Wilson Signed-off-by: Ville Syrjälä Link: http://patchwork.freedesktop.org/patch/msgid/20161221144547.27319-1-ville.syrjala@linux.intel.com (cherry picked from commit 330afdb1df0f3fb48583105493a8f4f8d9e3af36) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit f0f7f38e80688776a21e6a91025a4851c06c6ee3 Author: Ville Syrjälä Date: Tue Dec 20 18:51:17 2016 +0200 drm/i915: Force VDD off on the new power seqeuencer before starting to use it commit 8581f1b5ee0837e55197f036406bc99746ac94b2 upstream. Apparently some VLV BIOSen like to leave the VDD force bit enabled even for power seqeuncers that aren't properly hooked up to any port. That will result in a imbalance in the AUX power domain refcount when we stat to use said power sequencer as edp_panel_vdd_on() will not grab the power domain reference if it sees that the VDD is already on. To fix this let's make sure we turn off the VDD force bit when we initialize the power sequencer registers. That is, unless it's being done from the init path since there we are actually initializing the registers for the current power sequencer and we don't want to turn VDD off needlessly as that would require waiting for the power cycle delay before we turn it back on. This fixes the following kind of warnings: WARNING: CPU: 0 PID: 123 at ../drivers/gpu/drm/i915/intel_runtime_pm.c:1455 intel_display_power_put+0x13a/0x170 [i915]() WARN_ON(!power_domains->domain_use_count[domain]) ... v2: Fix typos in comment (David) Cc: Matwey V. Kornilov Tested-by: Matwey V. Kornilov Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98695 Signed-off-by: Ville Syrjälä Link: http://patchwork.freedesktop.org/patch/msgid/20161220165117.24801-1-ville.syrjala@linux.intel.com Reviewed-by: David Weinehall (cherry picked from commit 5d5ab2d26f32bdaa5872b938658e0bf8d341bc4c) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 73d4256359899b239a8bb58546369afebeb4fc40 Author: Ville Syrjälä Date: Wed Dec 7 19:28:03 2016 +0200 drm/i915: Fix oops in overlay due to frontbuffer tracking commit 9169757ae67bc927750ae907624e65cc15b4fe5a upstream. The vma will be NULL if the overlay was previously off, so dereferencing it will oops. Check for NULL before doing that. Cc: Chris Wilson Cc: Joonas Lahtinen Fixes: 9b3b7841b86d ("drm/i915/overlay: Use VMA as the primary tracker for images") Signed-off-by: Ville Syrjälä Link: http://patchwork.freedesktop.org/patch/msgid/1481131693-27993-2-git-send-email-ville.syrjala@linux.intel.com Reviewed-by: Chris Wilson (cherry picked from commit 4a15cdbbc55463e55a7cdcf33f84ccc742ca9c29) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 5652dd3f005d7947c588ced586e09c48d68be7ae Author: Ville Syrjälä Date: Wed Dec 7 17:56:47 2016 +0000 drm/i915: Fix oopses in the overlay code due to i915_gem_active stuff commit b72eb5ffa6d8601d9ba72619d75fb5b27723743a upstream. The i915_gem_active stuff doesn't like a NULL ->retire hook, but the overlay code can set it to NULL. That obviously ends up oopsing. Fix it by introducing a new helper to assign the retirement callback that will switch out the NULL function pointer with i915_gem_retire_noop. Cc: Chris Wilson Cc: Joonas Lahtinen Fixes: 0d9bdd886f29 ("drm/i915: Convert intel_overlay to request tracking") Signed-off-by: Ville Syrjälä Signed-off-by: Chris Wilson Link: http://patchwork.freedesktop.org/patch/msgid/20161207175647.10018-1-chris@chris-wilson.co.uk (cherry picked from commit ecd9caa0522db5a6b03ac8858c42067ef9d8323b) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 8f8157c2a72af9cbd0e868ef64b90565b818a445 Author: Kees Cook Date: Fri Dec 16 11:36:06 2016 -0800 gcc-plugins: update gcc-common.h for gcc-7 commit 81d873a87114b05dbb74d1fbf0c4322ba4bfdee4 upstream. This updates gcc-common.h from Emese Revfy for gcc 7. This fixes issues seen by Kugan and Arnd. Build tested with gcc 5.4 and 7 snapshot. Signed-off-by: Kees Cook Signed-off-by: Greg Kroah-Hartman commit 8c775affbbd69486588ee3105e7fe357874d33fb Author: Michal Marek Date: Tue Jan 3 13:49:42 2017 +0100 asm-prototypes: Clear any CPP defines before declaring the functions commit c7858bf16c0b2cc62f475f31e6df28c3a68da1d6 upstream. The asm-prototypes.h file is used to provide dummy function declarations for genksyms, when processing asm files with EXPORT_SYMBOL. Make sure that any architecture defines get out of our way. x86 currently has an issue with memcpy on 64bit with CONFIG_KMEMCHECK=y and with memset/__memset on 32bit: $ cat init/test.c #include $ make -s init/test.o In file included from ./arch/x86/include/asm/string.h:4:0, from ./include/linux/string.h:18, from ./include/linux/bitmap.h:8, from ./include/linux/cpumask.h:11, from ./arch/x86/include/asm/cpumask.h:4, from ./arch/x86/include/asm/msr.h:10, from ./arch/x86/include/asm/processor.h:20, from ./arch/x86/include/asm/cpufeature.h:4, from ./arch/x86/include/asm/thread_info.h:52, from ./include/linux/thread_info.h:25, from ./arch/x86/include/asm/preempt.h:6, from ./include/linux/preempt.h:59, from ./include/linux/spinlock.h:50, from ./include/linux/seqlock.h:35, from ./include/linux/time.h:5, from ./include/uapi/linux/timex.h:56, from ./include/linux/timex.h:56, from ./include/linux/sched.h:19, from ./include/linux/uaccess.h:4, from ./arch/x86/include/asm/asm-prototypes.h:2, from init/test.c:1: ./arch/x86/include/asm/string_64.h:52:47: error: expected declaration specifiers or ‘...’ before ‘(’ token #define memcpy(dst, src, len) __inline_memcpy((dst), (src), (len)) ./include/asm-generic/asm-prototypes.h:6:14: note: in expansion of macro ‘memcpy’ extern void *memcpy(void *, const void *, __kernel_size_t); ^ ... During real build, this manifests itself by genksyms segfaulting. Fixes: 334bb7738764 ("x86/kbuild: enable modversions for symbols exported from asm") Reported-and-tested-by: Borislav Petkov Cc: Adam Borowski Signed-off-by: Michal Marek Signed-off-by: Greg Kroah-Hartman commit 5e7598a625eead50e6d783797de828fe22e86f25 Author: Johannes Berg Date: Mon Jan 2 11:19:29 2017 +0100 mac80211: initialize fast-xmit 'info' later commit 35f432a03e41d3bf08c51ede917f94e2288fbe8c upstream. In ieee80211_xmit_fast(), 'info' is initialized to point to the skb that's passed in, but that skb may later be replaced by a clone (if it was shared), leading to an invalid pointer. This can lead to use-after-free and also later crashes since the real SKB's info->hw_queue doesn't get initialized properly. Fix this by assigning info only later, when it's needed, after the skb replacement (may have) happened. Reported-by: Ben Greear Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 3c4eef31670361212d4f762c9420fa9a4ff160c0 Author: Shyam Sundar S K Date: Thu Dec 8 17:31:14 2016 +0530 pinctrl/amd: Set the level based on ACPI tables commit 2983f296f2327bc517e3b29344fce82271160197 upstream. In the function amd_gpio_irq_set_type, read the values from the ACPI table to set the level and drop the settings passed by the client. Reviewed-by: Pankaj Sen Reviewed-by: Nitesh Kumar Agrawal Reviewed-by: Shah, Nehal-bakulchandra Signed-off-by: Shyam-sundar S-k Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit c7b1b7951d9d08a7b9ec19354fa8f33b5d1e9ddb Author: Bartosz Golaszewski Date: Wed Dec 7 16:22:16 2016 +0100 ARM: davinci: da850: don't add emac clock to lookup table twice commit ef37427ac5677331145ab27a17e6f5f1b43f0c11 upstream. Similarly to the aemif clock - this screws up the linked list of clock children. Create a separate clock for mdio inheriting the rate from emac_clk. Signed-off-by: Bartosz Golaszewski [nsekhar@ti.com: add a comment over mdio_clk to explaing its existence + commit headline updates] Signed-off-by: Sekhar Nori Signed-off-by: Greg Kroah-Hartman commit 5f390df2baf73050b7af522ded2b2e070d21caa2 Author: Srinivas Pandruvada Date: Tue Dec 27 08:57:59 2016 -0800 HID: sensor-hub: Move the memset to sensor_hub_get_feature() commit 143fca77cce906d35f7a60ccef648e888df589f2 upstream. While applying patch d443a0aa3a29: "HID: hid-sensor-hub: clear memory to avoid random data", there was some issues in applying correct version of the patch. This resulted in the breakage of sensor functions as all request like power-up will be reset by the memset() in the function sensor_hub_set_feature(). The reset of caller buffer should be in the function sensor_hub_get_feature(), not in the sensor_hub_set_feature(). Fixes: d443a0aa3a29 ("HID: hid-sensor-hub: clear memory to avoid random data") Signed-off-by: Srinivas Pandruvada Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 0c8033357b1d8fc4bba43cf1f87d2f61f3dd3fd2 Author: Helge Deller Date: Mon Dec 26 12:46:01 2016 +0100 parisc: Mark cr16 clocksource unstable on SMP systems commit 41744213602a206f24adcb4a2b7551db3c700e72 upstream. The cr16 interval timer of each CPU is not syncronized to other cr16 timers in other CPUs in a SMP system. So, delay the registration of the cr16 clocksource until all CPUs have been detected and then - if we are on a SMP machine - mark the cr16 clocksource as unstable and lower it's rating before registering it at the clocksource framework. This patch fixes the stalled CPU warnings which we have seen since introduction of the cr16 clocksource. Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit e569eef6298adbcc98ca029cc6763b1d854b1bed Author: Helge Deller Date: Mon Jan 2 17:43:15 2017 +0100 parisc: Add line-break when printing segfault info commit b4a9eb4cd5966c8aad3d007d206a2cbda97d6928 upstream. Add a leading line break else printed line gets too long. Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit d259b685373231b8c85f95633e0a702352077ef6 Author: Eric Biggers Date: Mon Dec 19 14:20:13 2016 -0800 fscrypt: fix renaming and linking special files commit 42d97eb0ade31e1bc537d086842f5d6e766d9d51 upstream. Attempting to link a device node, named pipe, or socket file into an encrypted directory through rename(2) or link(2) always failed with EPERM. This happened because fscrypt_has_permitted_context() saw that the file was unencrypted and forbid creating the link. This behavior was unexpected because such files are never encrypted; only regular files, directories, and symlinks can be encrypted. To fix this, make fscrypt_has_permitted_context() always return true on special files. This will be covered by a test in my encryption xfstests patchset. Fixes: 9bd8212f981e ("ext4 crypto: add encryption policy and password salt support") Signed-off-by: Eric Biggers Reviewed-by: Richard Weinberger Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit be4e3aec56679ecf0c7d4130c976c838a4855ef8 Author: Ioan-Adrian Ratiu Date: Thu Jan 5 00:37:46 2017 +0200 ALSA: usb-audio: Fix irq/process data synchronization commit 1d0f953086f090a022f2c0e1448300c15372db46 upstream. Commit 16200948d83 ("ALSA: usb-audio: Fix race at stopping the stream") was incomplete causing another more severe kernel panic, so it got reverted. This fixes both the original problem and its fallout kernel race/crash. The original fix is to move the endpoint member NULL clearing logic inside wait_clear_urbs() so the irq triggering the urb completion doesn't call retire_capture/playback_urb() after the NULL clearing and generate a panic. However this creates a new race between snd_usb_endpoint_start()'s call to wait_clear_urbs() and the irq urb completion handler which again calls retire_capture/playback_urb() leading to a new NULL dereference. We keep the EP deactivation code in snd_usb_endpoint_start() because removing it will break the EP reference counting (see [1] [2] for info), however we don't need the "can_sleep" mechanism anymore because a new function was introduced (snd_usb_endpoint_sync_pending_stop()) which synchronizes pending stops and gets called inside the pcm prepare callback. It also makes sense to remove can_sleep because it was also removed from deactivate_urbs() signature in [3] so we benefit from more simplification. [1] commit 015618b90 ("ALSA: snd-usb: Fix URB cancellation at stream start") [2] commit e9ba389c5 ("ALSA: usb-audio: Fix scheduling-while-atomic bug in PCM capture stream") [3] commit ccc1696d5 ("ALSA: usb-audio: simplify endpoint deactivation code") Fixes: f8114f8583bb ("Revert "ALSA: usb-audio: Fix race at stopping the stream"") Signed-off-by: Ioan-Adrian Ratiu Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 5b2c3cafcafc38a9cdf789d7d3a515eae88bdb3b Author: Takashi Iwai Date: Wed Jan 4 21:38:16 2017 +0100 ALSA: hda - Apply asus-mode8 fixup to ASUS X71SL commit c7efff9284dfde95a11aaa811c9d8ec8167f0f6e upstream. Although the old quirk table showed ASUS X71SL with ALC663 codec being compatible with asus-mode3 fixup, the bugzilla reporter explained that asus-model8 fits better for the dual headphone controls. So be it. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=191781 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 71c88fc3bde7582c551aaa0a2db0aefb3c98aa62 Author: Takashi Iwai Date: Tue Dec 6 16:20:36 2016 +0100 ALSA: hda - Fix up GPIO for ASUS ROG Ranger commit 85bcf96caba8b4a7c0805555638629ba3c67ea0c upstream. ASUS ROG Ranger VIII with ALC1150 codec requires the extra GPIO pin to up for the front panel. Just use the existing fixup for setting up the GPIO pins. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=189411 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 755259ba2a3a40f67d36325a1b34d8f0a1d63894 Author: Florian Fainelli Date: Wed Dec 14 17:13:24 2016 -0800 staging: octeon: Call SET_NETDEV_DEV() commit e7c9a3d9e432200fd4c17855c2c23ac784d6e833 upstream. The Octeon driver calls into PHYLIB which now checks for net_device->dev.parent, so make sure we do set it before calling into any MDIO/PHYLIB related function. Fixes: ec988ad78ed6 ("phy: Don't increment MDIO bus refcount unless it's a different owner") Reported-by: Aaro Koskinen Signed-off-by: Florian Fainelli Signed-off-by: Greg Kroah-Hartman commit ea991c8354c3dab7f7fe6c3a747bc473b9c935e2 Author: Marcin Niestroj Date: Thu Dec 8 15:22:58 2016 +0100 iio: bmi160: Fix time needed to sleep after command execution commit 01d1f7a99e457952aa51849ed7c1cc4ced7bca4b upstream. Datasheet specifies typical and maximum execution times for which CMD register is occupied after previous command execution. We took these values as minimum and maximum time for usleep_range() call before making a new command execution. To be sure, that the CMD register is no longer occupied we need to wait *at least* the maximum time specified by datasheet. Signed-off-by: Marcin Niestroj Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 7090b8da3836ea69c79da8d71141a318269c26a8 Author: Akinobu Mita Date: Thu Dec 29 02:16:36 2016 +0900 iio: max44000: correct value in illuminance_integration_time_available commit b4e8a0eb718749455601fa7b283febc42cca8957 upstream. According to the datasheet, the shortest available integration time for ALS ADC conversion is 1.5625ms but illuminance_integration_time_available sysfs file shows wrong value. Cc: Crestez Dan Leonard Cc: Jonathan Cameron Cc: Hartmut Knaack Cc: Lars-Peter Clausen Cc: Peter Meerwald-Stadler Signed-off-by: Akinobu Mita Fixes: d5d8f49b6 ("max44000: Expose ambient sensor scaling") Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit cf49219364fd1529567fba45b22eee98b4f0e6c5 Author: Lorenzo Bianconi Date: Wed Nov 16 22:15:28 2016 +0100 iio: common: st_sensors: fix channel data parsing commit 65c8aea07de11b6507efa175edb44bd8b4488218 upstream. Using realbits as i2c/spi read len, when that value is not byte aligned (e.g 12 bits), lead to skip msb part of out data registers. Fix this taking into account scan_type.shift in addition to scan_type.realbits as read length: read_len = DIV_ROUND_UP(realbits + shift, 8) This fix has been tested on 8, 12, 16, 24 bit sensors Fixes: e7385de5291e ("iio:st_sensors: align on storagebits boundaries") Signed-off-by: Lorenzo Bianconi Tested-by: Linus Walleij Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman