* [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review
@ 2016-06-09 21:13 Kamal Mostafa
From: Kamal Mostafa @ 2016-06-09 21:13 UTC
  To: linux-kernel, stable, kernel-team; +Cc: Kamal Mostafa

This is the start of the review cycle for the Linux 4.2.8-ckt12 stable
kernel.

This version contains 206 new patches, summarized below.  The new patches
are posted as replies to this message and also available in this git branch:

https://git.launchpad.net/~canonical-kernel/linux/+git/linux-stable-ckt/log/?h=linux-4.2.y-review

git://git.launchpad.net/~canonical-kernel/linux/+git/linux-stable-ckt  linux-4.2.y-review

The review period for version 4.2.8-ckt12 will be open for the next three
days.  To report a problem, please reply to the relevant follow-up patch
message.

For more information about the Linux 4.2.y-ckt extended stable kernel
series, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable .

 -Kamal

--
 Documentation/accounting/getdelays.c               |   5 +-
 Documentation/serial/driver                        |   5 -
 Documentation/serial/tty.txt                       |   3 -
 Makefile                                           |   7 +-
 arch/alpha/kernel/pci-sysfs.c                      |   4 +-
 arch/arm/Kconfig.debug                             |   8 -
 arch/arm/boot/dts/Makefile                         |   1 +
 arch/arm/boot/dts/armada-385-linksys.dtsi          |   6 +-
 arch/arm/boot/dts/armada-xp-linksys-mamba.dts      |   4 +-
 arch/arm/boot/dts/exynos4210-trats.dts             |   2 +
 arch/arm/kvm/mmu.c                                 |  17 ++-
 arch/arm/mach-omap2/omap_hwmod.c                   |  12 +-
 arch/arm64/include/asm/pgtable-hwdef.h             |   1 -
 arch/arm64/include/asm/pgtable.h                   |   4 +-
 arch/arm64/kernel/setup.c                          |   3 +-
 arch/arm64/kvm/inject_fault.c                      |   2 +-
 arch/metag/include/asm/atomic_lnkget.h             |   2 +-
 arch/mips/ath79/common.c                           |  16 +-
 arch/mips/ath79/early_printk.c                     |   6 +-
 arch/mips/boot/dts/brcm/bcm7435.dtsi               |   2 +-
 arch/mips/include/asm/cacheflush.h                 |   6 -
 arch/mips/include/asm/kvm_host.h                   |   2 +-
 arch/mips/include/asm/msa.h                        |  13 ++
 arch/mips/include/asm/pgtable.h                    |  26 +++-
 arch/mips/include/uapi/asm/siginfo.h               |  22 ++-
 arch/mips/kernel/bmips_vec.S                       |   9 +-
 arch/mips/kernel/branch.c                          |  18 +--
 arch/mips/kernel/cpu-probe.c                       |   5 +-
 arch/mips/kernel/mips-r2-to-r6-emul.c              | 105 ++++++-------
 arch/mips/kernel/process.c                         |  46 +++---
 arch/mips/kernel/ptrace.c                          |  27 +++-
 arch/mips/kernel/setup.c                           |   3 +
 arch/mips/kernel/traps.c                           |   8 +-
 arch/mips/kvm/emulate.c                            |  89 ++++++-----
 arch/mips/kvm/trap_emul.c                          |   2 +-
 arch/mips/lib/ashldi3.c                            |   2 +-
 arch/mips/lib/ashrdi3.c                            |   2 +-
 arch/mips/lib/cmpdi2.c                             |   2 +-
 arch/mips/lib/lshrdi3.c                            |   2 +-
 arch/mips/lib/ucmpdi2.c                            |   2 +-
 arch/mips/loongson64/loongson-3/numa.c             |   6 +-
 arch/mips/math-emu/cp1emu.c                        |  19 ++-
 arch/mips/mm/c-r4k.c                               |  13 +-
 arch/mips/mm/cache.c                               |  29 ++--
 arch/powerpc/kernel/eeh.c                          |   2 +-
 arch/powerpc/kernel/eeh_driver.c                   |  26 +++-
 arch/powerpc/kernel/exceptions-64s.S               |  16 +-
 arch/powerpc/lib/sstep.c                           |   4 +
 arch/s390/mm/vmem.c                                |   2 +-
 arch/x86/kvm/mtrr.c                                |   2 -
 arch/x86/kvm/vmx.c                                 |   2 +-
 arch/x86/pci/fixup.c                               |   7 +
 arch/x86/pci/xen.c                                 |   7 +-
 block/blk-mq.c                                     |   2 +-
 drivers/acpi/osl.c                                 |  16 +-
 drivers/acpi/sysfs.c                               |   7 +-
 drivers/ata/sata_dwc_460ex.c                       |   4 +-
 drivers/base/power/main.c                          |   5 +-
 drivers/base/power/runtime.c                       |   9 +-
 drivers/base/regmap/regcache.c                     |   2 +-
 drivers/bluetooth/hci_vhci.c                       |  28 +++-
 drivers/char/Kconfig                               |   1 -
 drivers/clk/qcom/gcc-msm8916.c                     |   2 +
 drivers/cpufreq/cpufreq_userspace.c                |  43 +++++-
 drivers/cpuidle/cpuidle.c                          |   4 +-
 drivers/crypto/caam/jr.c                           |   2 +-
 drivers/crypto/s5p-sss.c                           |  53 +++++--
 drivers/edac/edac_mc.c                             |   2 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c     |  10 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_dpm.c            |   2 +-
 drivers/gpu/drm/drm_fb_helper.c                    |   5 +-
 drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c      |   2 +-
 drivers/gpu/drm/i915/i915_drv.c                    |   4 +-
 drivers/gpu/drm/i915/i915_irq.c                    |   4 +-
 drivers/gpu/drm/i915/intel_dp_mst.c                |   7 +-
 drivers/gpu/drm/i915/intel_dsi.c                   |  10 +-
 drivers/gpu/drm/i915/intel_fbdev.c                 |   6 +-
 drivers/gpu/drm/i915/intel_pm.c                    |   2 +
 drivers/hv/ring_buffer.c                           | 165 ++++++---------------
 drivers/hwmon/ads7828.c                            |  10 ++
 drivers/hwspinlock/hwspinlock_core.c               |   2 +-
 drivers/infiniband/core/iwpm_util.c                |   1 +
 drivers/infiniband/hw/cxgb3/cxio_hal.c             |   2 +-
 drivers/infiniband/ulp/srp/ib_srp.c                |   2 +-
 drivers/input/joystick/xpad.c                      |   4 +
 drivers/input/misc/pwm-beeper.c                    |  69 ++++++---
 drivers/input/misc/uinput.c                        |   6 +
 drivers/iommu/dmar.c                               |  47 +++---
 drivers/irqchip/irq-gic-v3.c                       |  19 +++
 drivers/irqchip/irq-gic.c                          |   8 +
 drivers/mcb/mcb-parse.c                            |   2 +-
 drivers/media/pci/cx23885/cx23885-av.c             |   2 +-
 drivers/media/platform/am437x/am437x-vpfe.c        |   4 +-
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c      |   3 +-
 drivers/mfd/intel_quark_i2c_gpio.c                 |  51 +++----
 drivers/mfd/lp8788-irq.c                           |   2 +-
 drivers/mfd/omap-usb-tll.c                         |  13 +-
 drivers/misc/cxl/fault.c                           |   2 +-
 drivers/misc/mei/amthif.c                          |   4 +-
 drivers/misc/mei/client.c                          |   4 +
 drivers/misc/mei/hbm.c                             |   3 +-
 drivers/misc/mei/interrupt.c                       |   6 +-
 drivers/misc/mei/mei_dev.h                         |   2 +
 drivers/mmc/card/block.c                           |   5 +-
 drivers/mmc/core/core.c                            |   4 +-
 drivers/mmc/core/mmc.c                             |   7 +
 drivers/mmc/host/sdhci-acpi.c                      |   6 +-
 drivers/mmc/host/sdhci-pci.c                       |   5 +-
 drivers/mtd/ubi/eba.c                              |  21 ++-
 drivers/mtd/ubi/fastmap.c                          |   1 +
 drivers/mtd/ubi/ubi.h                              |   2 +
 drivers/net/can/dev.c                              |  56 ++++++-
 drivers/net/can/m_can/m_can.c                      |   2 +-
 drivers/net/ethernet/ibm/ehea/ehea_main.c          |   9 +-
 drivers/net/ethernet/intel/i40e/i40e_hmc.c         |   2 +-
 drivers/net/tun.c                                  |   6 +-
 drivers/net/wireless/ath/ath10k/core.c             |   8 +-
 drivers/net/wireless/ath/ath10k/debug.c            |   7 +-
 drivers/net/wireless/ath/ath10k/mac.c              |  13 +-
 drivers/net/wireless/ath/ath5k/led.c               |   2 +-
 drivers/net/wireless/ath/ath9k/init.c              |   7 +
 drivers/net/wireless/ath/ath9k/pci.c               |  10 ++
 drivers/net/wireless/rtlwifi/base.c                |   4 +-
 .../wireless/rtlwifi/btcoexist/halbtc8723b2ant.c   |   9 +-
 .../net/wireless/rtlwifi/btcoexist/halbtcoutsrc.c  |  27 +++-
 .../net/wireless/rtlwifi/btcoexist/halbtcoutsrc.h  |   2 +-
 drivers/net/wireless/rtlwifi/btcoexist/rtl_btc.c   |   5 +-
 drivers/net/wireless/rtlwifi/pci.c                 |   2 +-
 drivers/net/wireless/rtlwifi/rtl8723be/hw.c        |   5 +
 drivers/net/wireless/rtlwifi/rtl8723be/sw.c        |   3 +
 drivers/net/wireless/rtlwifi/wifi.h                |   3 +
 drivers/pci/pci-sysfs.c                            |   7 +-
 drivers/pci/probe.c                                |   6 +-
 drivers/pinctrl/samsung/pinctrl-exynos5440.c       |  15 +-
 drivers/platform/x86/dell-rbtn.c                   |  56 +++++++
 drivers/power/ipaq_micro_battery.c                 |   2 +-
 drivers/scsi/aacraid/aacraid.h                     |   1 +
 drivers/scsi/aacraid/comminit.c                    |  24 +++
 drivers/scsi/aacraid/commsup.c                     |  12 +-
 drivers/scsi/scsi_scan.c                           |   1 +
 drivers/scsi/scsi_sysfs.c                          |   6 +-
 drivers/staging/comedi/drivers/das1800.c           |  22 +--
 drivers/thunderbolt/eeprom.c                       |   1 +
 drivers/tty/n_gsm.c                                |   4 +-
 drivers/tty/n_hdlc.c                               |   4 +-
 drivers/tty/n_tty.c                                |  72 +++++----
 drivers/tty/pty.c                                  |   4 +-
 drivers/tty/serial/8250/8250_pci.c                 |   3 +
 drivers/tty/serial/ucc_uart.c                      |   3 +
 drivers/tty/tty_buffer.c                           |  44 ++----
 drivers/tty/tty_io.c                               |   2 +-
 drivers/tty/tty_port.c                             |   2 +-
 drivers/tty/vt/vt.c                                |   5 +-
 drivers/usb/core/driver.c                          |  40 ++---
 drivers/usb/core/hcd.c                             |  15 +-
 drivers/usb/core/hub.c                             |   8 +-
 drivers/usb/gadget/function/f_fs.c                 |   2 +-
 drivers/usb/gadget/function/f_mass_storage.c       |  37 ++---
 drivers/usb/gadget/function/f_mass_storage.h       |   2 -
 drivers/usb/gadget/legacy/acm_ms.c                 |   4 -
 drivers/usb/gadget/legacy/mass_storage.c           |   4 -
 drivers/usb/gadget/legacy/multi.c                  |  12 --
 drivers/usb/host/Kconfig                           |   3 +-
 drivers/usb/misc/usbtest.c                         |  37 +++--
 drivers/usb/serial/cp210x.c                        |   2 +-
 drivers/usb/serial/io_edgeport.c                   |  56 ++++---
 drivers/usb/serial/keyspan.c                       |   4 +
 drivers/usb/serial/mxuport.c                       |  10 ++
 drivers/usb/serial/option.c                        | 155 ++++++++++++++++++-
 drivers/usb/serial/quatech2.c                      |   1 +
 drivers/xen/events/events_base.c                   |   6 +-
 fs/affs/super.c                                    |   5 +-
 fs/btrfs/ctree.h                                   |   1 +
 fs/btrfs/file.c                                    |   2 +-
 fs/btrfs/inode.c                                   |   2 +-
 fs/btrfs/ioctl.c                                   |  21 +++
 fs/cifs/cifs_spnego.c                              |  67 +++++++++
 fs/cifs/cifsfs.c                                   |   4 +-
 fs/cifs/cifsproto.h                                |   2 +
 fs/cifs/sess.c                                     | 139 +++++++++--------
 fs/cifs/smb2glob.h                                 |   1 +
 fs/cifs/smb2inode.c                                |   8 +-
 fs/cifs/smb2pdu.c                                  |  16 ++
 fs/cifs/smb2proto.h                                |   2 +
 fs/ext4/ialloc.c                                   |  10 +-
 fs/ext4/mballoc.c                                  |  10 +-
 fs/ext4/namei.c                                    |   2 +-
 fs/hpfs/super.c                                    |  42 ++++--
 fs/nfs/nfs4proc.c                                  |   4 +
 fs/xfs/xfs_fsops.c                                 |   4 +-
 fs/xfs/xfs_inode.c                                 |  26 +++-
 fs/xfs/xfs_super.c                                 |  10 ++
 include/asm-generic/preempt.h                      |   4 +-
 include/asm-generic/qspinlock.h                    |  27 +++-
 include/asm-generic/siginfo.h                      |  15 --
 include/linux/can/dev.h                            |  22 ++-
 include/linux/device.h                             |   7 +-
 include/linux/iio/buffer.h                         |   2 +
 include/linux/lsm_hooks.h                          |   1 -
 include/linux/mm.h                                 |   2 +-
 include/linux/signal.h                             |  15 ++
 include/linux/sunrpc/msg_prot.h                    |   4 +-
 include/linux/tty.h                                |   4 +-
 include/linux/usb.h                                |   5 +-
 include/linux/usb/hcd.h                            |   1 +
 include/scsi/scsi_device.h                         |   1 +
 include/uapi/linux/libc-compat.h                   |   2 +-
 kernel/exit.c                                      |  29 ++--
 kernel/sched/loadavg.c                             |  11 +-
 kernel/trace/ring_buffer.c                         |  35 ++---
 lib/dma-debug.c                                    |   2 +-
 mm/page_alloc.c                                    |   2 +-
 net/batman-adv/routing.c                           |   4 +-
 net/ipv6/addrconf.c                                |  10 +-
 net/netlink/af_netlink.c                           |   7 +-
 net/sunrpc/auth_gss/svcauth_gss.c                  |   4 +-
 net/tipc/netlink_compat.c                          |   2 +-
 scripts/Makefile.extrawarn                         |   1 +
 security/security.c                                |   1 -
 sound/pci/hda/patch_realtek.c                      |   3 +-
 sound/soc/codecs/ak4642.c                          |   2 +
 tools/perf/tests/vmlinux-kallsyms.c                |   8 +-
 tools/perf/util/perf_regs.c                        |   8 +-
 223 files changed, 1858 insertions(+), 989 deletions(-)

Adrian Hunter (3):
      mmc: mmc: Fix partition switch timeout for some eMMCs
      mmc: sdhci-pci: Remove MMC_CAP_BUS_WIDTH_TEST for Intel controllers
      mmc: sdhci-acpi: Remove MMC_CAP_BUS_WIDTH_TEST for Intel controllers

Akshay Bhat (1):
      hwmon: (ads7828) Enable internal reference

Alan Stern (2):
      USB: leave LPM alone if possible when binding/unbinding interface drivers
      usb: misc: usbtest: format the data pattern according to max packet size

Alex Deucher (1):
      drm/amdgpu: use drm_mode_vrefresh() rather than mode->vrefresh

Alex Williamson (2):
      iommu/vt-d: Ratelimit fault handler
      iommu/vt-d: Improve fault handler error messages

Alexander Usyskin (2):
      mei: fix NULL dereferencing during FW initiated disconnection
      mei: amthif: discard not read messages

Andreas Noever (1):
      thunderbolt: Fix double free of drom buffer

Andreas Werner (1):
      mcb: Fixed bar number assignment for the gdd

Andrew F. Davis (1):
      regmap: cache: Fix typo in cache_bypass parameter description

Andrew Jeffery (1):
      pinctrl: exynos5440: Use off-stack memory for pinctrl_gpio_range

Andy Gross (1):
      clk: qcom: msm8916: Fix crypto clock flags

Andy Honig (1):
      KVM: MTRR: remove MSR 0x2f8

Andy Shevchenko (1):
      mfd: intel_quark_i2c_gpio: Remove clock tree on error path

Aneesh Kumar K.V (1):
      cxl: Fix DAR check & use REGION_ID instead of opencoding

Anilkumar Kolli (2):
      ath10k: fix debugfs pktlog_filter write
      ath10k: fix kernel panic, move arvifs list head init before htt init

Arnaldo Carvalho de Melo (1):
      perf test: Ignore kcore files in the "vmlinux matches kallsyms" test

Arnd Bergmann (5):
      gcov: disable tree-loop-im to reduce stack usage
      kbuild: move -Wunused-const-variable to W=1 warning level
      am437x-vfpe: fix typo in vpfe_get_app_input_index
      ARM: debug: remove extraneous DEBUG_HI3716_UART option
      driver-core: use 'dev' argument in dev_dbg_ratelimited stub

Bart Van Assche (1):
      IB/srp: Print "ib_srp: " prefix once

Bartlomiej Zolnierkiewicz (1):
      blk-mq: fix undefined behaviour in order_to_size()

Bjorn Helgaas (2):
      PCI: Supply CPU physical address (not bus address) to iomem_is_exclusive()
      alpha/PCI: Call iomem_is_exclusive() for IORESOURCE_MEM, but not IORESOURCE_IO

Brian Bloniarz (1):
      Fix OpenSSH pty regression on close

Bruce Rogers (1):
      KVM: x86: fix ordering of cr0 initialization code in vmx_cpu_reset

Cameron Gutman (1):
      Input: xpad - prevent spurious input from wired Xbox 360 controllers

Catalin Marinas (1):
      arm64: Ensure pmd_present() returns false after pmd_mknotpresent()

Catalin Vasile (1):
      crypto: caam - fix caam_jr_alloc() ret code

Chris Bainbridge (1):
      usb: core: hub: hub_port_init lock controller instead of bus

Chris Wilson (1):
      drm/i915: Exit cherryview_irq_handler() after one pass

Christopher Oo (1):
      Drivers: hv_vmbus: Fix signal to host condition

Chuck Lever (2):
      NFS: Fix an LOCK/OPEN race when unlinking an open file
      sunrpc: Update RPCBIND_MAXNETIDLEN

Dan Carpenter (6):
      power: ipaq-micro-battery: freeing the wrong variable
      mfd: lp8788-irq: Uninitialized variable in irq handler
      am437x-vpfe: fix an uninitialized variable bug
      cx23885: uninitialized variable in cx23885_av_work_handler()
      ACPI / sysfs: fix error code in get_status()
      i40e: fix an uninitialized variable bug

Daniel Borkmann (1):
      ipv6, token: allow for clearing the current device token

Daniel Lezcano (1):
      cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter()

Dave Chinner (4):
      xfs: Don't wrap growfs AGFL indexes
      xfs: xfs_iflush_cluster fails to abort on error
      xfs: fix inode validity check in xfs_iflush_cluster
      xfs: skip stale inodes in xfs_iflush_cluster

Dave Gerlach (1):
      cpuidle: Indicate when a device has been unregistered

David Müller (1):
      serial: 8250_pci: fix divide error bug if baud rate is 0

Emmanouil Maroudas (1):
      EDAC: Increment correct counter in edac_inc_ue_error()

Eric Sandeen (1):
      xfs: disallow rw remount on fs with unknown ro-compat features

Felix Fietkau (1):
      MIPS: ath79: fix regression in PCI window initialization

Florian Fainelli (6):
      MIPS: BMIPS: Fix PRID_IMP_BMIPS5000 masking for BMIPS5200
      MIPS: BMIPS: BMIPS5000 has I cache filing from D cache
      MIPS: BMIPS: Clear MIPS_CACHE_ALIASES earlier
      MIPS: BMIPS: local_r4k___flush_cache_all needs to blast S-cache
      MIPS: BMIPS: Pretty print BMIPS5200 processor name
      MIPS: BMIPS: Adjust mips-hpt-frequency for BCM7435

Florian Westphal (1):
      batman-adv: fix skb deref after free

Gabriele Mazzotta (1):
      dell-rbtn: Ignore ACPI notifications if device is suspended

Gavin Shan (2):
      powerpc/eeh: Don't report error in eeh_pe_reset_and_recover()
      powerpc/eeh: Restore initial state in eeh_pe_reset_and_recover()

Geert Uytterhoeven (2):
      serial: doc: Un-document non-existing uart_write_console()
      char: Drop bogus dependency of DEVPORT on !M68K

Guilherme G. Piccoli (1):
      Revert "powerpc/eeh: Fix crash in eeh_add_device_early() on Cell"

H Hartley Sweeten (1):
      staging: comedi: das1800: fix possible NULL dereference

Hari Bathini (1):
      powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel

Harvey Hunt (1):
      MIPS: lib: Mark intrinsics notrace

Heiko Carstens (1):
      s390/vmem: fix identity mapping

Heinrich Schuchardt (1):
      ARM: dts: kirkwood: add kirkwood-ds112.dtb to Makefile

Herbert Xu (1):
      netlink: Fix dump skb leak/double free

Honggang Li (1):
      RDMA/cxgb3: device driver frees DMA memory with different size

Huacai Chen (2):
      MIPS: Reserve nosave data for hibernation
      MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU

Imre Kaloz (1):
      ARM: mvebu: fix GPIO config on the Linksys boards

Itai Handler (1):
      drm/gma500: Fix possible out of bounds read

James Hogan (8):
      MIPS: Fix siginfo.h to use strict posix types
      MIPS: Don't unwind to user mode with EVA
      MIPS: Avoid using unwind_stack() with usermode
      MIPS: KVM: Fix timer IRQ race when freezing timer
      MIPS: KVM: Fix timer IRQ race when writing CP0_Compare
      SIGNAL: Move generic copy_siginfo() to signal.h
      MIPS: Fix uapi include in exported asm/siginfo.h
      metag: Fix atomic_*_return inline asm constraints

Jan Kara (1):
      ext4: fix oops on corrupted filesystem

Jani Nikula (1):
      drm/i915/dsi: fix CHV dsi encoder hardware state readout on port C

Jason Wang (1):
      tuntap: correctly wake up process during uninit

Jiri Slaby (4):
      Bluetooth: vhci: fix open_timeout vs. hdev race
      Bluetooth: vhci: purge unhandled skbs
      TTY: n_gsm, fix false positive WARN_ON
      tty: vt, return error when con_startup fails

Johan Hovold (5):
      USB: serial: io_edgeport: fix memory leaks in attach error path
      USB: serial: io_edgeport: fix memory leaks in probe error path
      USB: serial: keyspan: fix use-after-free in probe error path
      USB: serial: mxuport: fix use-after-free in probe error path
      USB: serial: quatech2: fix use-after-free in probe error path

Johannes Thumshirn (2):
      scsi: Add intermediate STARGET_REMOVE state to scsi_target_state
      Revert "scsi: fix soft lockup in scsi_remove_target() on module removal"

Joseph Salisbury (1):
      ath5k: Change led pin configuration for compaq c700 laptop

Julien Grall (1):
      arm64: cpuinfo: Missing NULL terminator in compat_hwcap_str

K. Y. Srinivasan (1):
      Drivers: hv: vmbus: Fix signaling logic in hv_need_to_signal_on_read()

Kai-Heng Feng (1):
      ALSA: hda - Fix headphone noise on Dell XPS 13 9360

Konstantin Shkolnyy (1):
      USB: serial: cp210x: fix hardware flow-control disable

Krzysztof Kozlowski (1):
      crypto: s5p-sss - Fix missed interrupts when working with 8 kB blocks

Larry Finger (2):
      rtlwifi: rtl8723be: Add antenna select module parameter
      rtlwifi: btcoexist: Implement antenna selection

Lars-Peter Clausen (1):
      usb: gadget: f_fs: Fix EFAULT generation for async read operations

Lei Liu (1):
      USB: serial: option: add even more ZTE device ids

Lennart Sorensen (1):
      powerpc/sstep: Fix sstep.c compile on powerpcspe

Leonid Yegoshin (1):
      MIPS64: R6: R2 emulation bugfix

Luis de Bethencourt (1):
      iio: buffer: add missing descriptions in iio_buffer_access_funcs

Luke Dashjr (1):
      btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl

Lv Zheng (1):
      ACPI / osi: Fix an issue that acpi_osi=!* cannot disable ACPICA internal strings

Lyude (4):
      drm/i915: Fix race condition in intel_dp_destroy_mst_connector()
      drm/i915: Call intel_dp_mst_resume() before resuming displays
      drm/i915/fbdev: Fix num_connector references in intel_fb_initial_config()
      drm/fb_helper: Fix references to dev->mode_config.num_connector

Maciej W. Rozycki (3):
      MIPS: ptrace: Fix FP context restoration FCSR regression
      MIPS: ptrace: Prevent writes to read-only FCSR bits
      MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC

Manfred Schlaegl (1):
      Input: pwm-beeper - fix - scheduling while atomic

Mans Rullgard (1):
      ata: sata_dwc_460ex: remove incorrect locking

Marc Zyngier (2):
      arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables
      irqchip/gic-v3: Configure all interrupts as non-secure Group-1

Marek Szyprowski (1):
      ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats

Mario Kleiner (1):
      drm/amdgpu: Fix hdmi deep color support.

Mark Bloch (1):
      IB/IWPM: Fix a potential skb leak

Mark Brown (1):
      ASoC: ak4642: Enable cache usage to fix crashes on resume

Mathias Nyman (1):
      usb: misc: usbtest: fix pattern tests for scatterlists.

Matt Evans (1):
      kvm: arm64: Fix EC field in inject_abt64

Matt Gumbel (1):
      mmc: longer timeout for long read time quirk

Matthew Wilcox (1):
      drivers/hwspinlock: use correct radix tree API

Matthias Schiffer (1):
      MIPS: ath79: make bootconsole wait for both THRE and TEMT

Michal Nazarewicz (1):
      usb: f_mass_storage: test whether thread is running before starting another

Mikulas Patocka (3):
      hpfs: fix remount failure when there are no options changed
      affs: fix remount failure when there are no options changed
      hpfs: implement the show_options method

Naveen N. Rao (1):
      perf tools: Fix perf regs mask generation

Nicolai Stange (2):
      ext4: address UBSAN warning in mb_find_order_for_block()
      ext4: silence UBSAN in ext4_mb_init()

Nicolas Dichtel (2):
      taskstats: fix nl parsing in accounting/getdelays.c
      uapi glibc compat: fix compilation when !__USE_MISC in glibc

Oleg Nesterov (1):
      wait/ptrace: assume __WALL if the child is traced

Oliver Hartkopp (1):
      can: fix handling of unmodifiable configuration options

Paolo Abeni (1):
      security: drop the unused hook skb_owned_by

Paul Burton (7):
      MIPS: Handle highmem pages in __update_cache
      MIPS: Sync icache & dcache in set_pte_at
      MIPS: math-emu: Fix jalr emulation when rd == $0
      MIPS: Disable preemption during prctl(PR_SET_FP_MODE, ...)
      MIPS: Force CPUs to lose FP context during mode switches
      MIPS: math-emu: Fix BC1{EQ,NE}Z emulation
      MIPS: Fix BC1{EQ,NE}Z return offset calculation

Peter Hurley (1):
      tty: Abstract tty buffer work

Peter Zijlstra (2):
      locking,qspinlock: Fix spin_is_locked() and spin_unlock_wait()
      sched/preempt: Fix preempt_count manipulations

Prarit Bhargava (2):
      PCI: Disable all BAR sizing for devices with non-compliant BARs
      x86/PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs

Rafael J. Wysocki (1):
      PM / sleep: Handle failures in device_suspend_late() consistently

Raghava Aditya Renukunta (3):
      aacraid: Relinquish CPU during timeout wait
      aacraid: Fix for aac_command_thread hang
      aacraid: Fix for KDUMP driver hang

Rajkumar Manoharan (2):
      ath10k: fix firmware assert in monitor mode
      ath10k: fix rx_channel during hw reconfigure

Richard Alpe (1):
      tipc: fix nametable publication field in nl compat

Richard Weinberger (1):
      UBI: Fix static volume checks when Fastmap is used

Ricky Liang (1):
      Input: uinput - handle compat ioctl for UI_SET_PHYS

Roger Quadros (1):
      mfd: omap-usb-tll: Fix scheduling while atomic BUG

Ross Lagerwall (1):
      xen/events: Don't move disabled irqs

Sachin Prabhu (1):
      cifs: Create dedicated keyring for spnego operations

Sai Gurrappadi (1):
      cpufreq: Fix GOV_LIMITS handling for the userspace governor

Schemmel Hans-Christoph (1):
      USB: serial: option: add support for Cinterion PH8 and AHxx

Stefan Bader (1):
      mm: use phys_addr_t for reserve_bootmem_region() arguments

Stefan Metzmacher (4):
      fs/cifs: correctly to anonymous authentication via NTLMSSP
      fs/cifs: correctly to anonymous authentication for the LANMAN authentication
      fs/cifs: correctly to anonymous authentication for the NTLM(v1) authentication
      fs/cifs: correctly to anonymous authentication for the NTLM(v2) authentication

Stefano Stabellini (1):
      xen/x86: actually allocate legacy interrupts on PV guests

Stephen Boyd (1):
      mfd: intel_quark_i2c_gpio: Use clkdev_create()

Steve French (1):
      remove directory incorrectly tries to set delete on close on non-empty directories

Steven Rostedt (Red Hat) (2):
      ring-buffer: Use long for nr_pages to avoid overflow failures
      ring-buffer: Prevent overflow of size in ring_buffer_resize()

Suman Anna (1):
      ARM: OMAP2+: hwmod: fix _idle() hwmod state sanity check sequence

Takashi Iwai (1):
      Bluetooth: vhci: Fix race at creating hci device

Theodore Ts'o (1):
      ext4: fix hang when processing corrupted orphaned inode list

Tiffany Lin (1):
      [media] media: v4l2-compat-ioctl32: fix missing reserved field copy in put_v4l2_create32

Tomáš Trnka (1):
      sunrpc: fix stripping of padded MIC tokens

Ulf Hansson (1):
      PM / Runtime: Fix error path in pm_runtime_force_resume()

Vik Heyndrickx (1):
      sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded systems

Ville Syrjälä (2):
      drm/i915: Don't leave old junk in ilk active watermarks on readout
      dma-debug: avoid spinlock recursion when disabling dma-debug

Vitaly Kuznetsov (1):
      Drivers: hv: ring_buffer.c: fix comment style

Vittorio Gambaletta (VittGam) (2):
      ath9k: Add a module parameter to invert LED polarity.
      ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards.

Will Deacon (1):
      irqchip/gic: Ensure ordering between read of INTACK and shared data

Yoshihiro Shimoda (1):
      usb: host: xhci-rcar: Avoid long wait in xhci_reset()

Zhao Qiang (1):
      QE-UART: add "fsl,t1040-ucc-uart" to of_device_id

lei liu (1):
      USB: serial: option: add more ZTE device ids

wang yanqing (2):
      rtlwifi: Fix logic error in enter/exit power-save mode
      rtlwifi: pci: use dev_kfree_skb_irq instead of kfree_skb in rtl_pci_reset_trx_ring

xypron.glpk@gmx.de (1):
      net: ehea: avoid null pointer dereference


* [PATCH 4.2.y-ckt 001/206] ath10k: fix firmware assert in monitor mode
@ 2016-06-09 21:13 ` Kamal Mostafa
From: Kamal Mostafa @ 2016-06-09 21:13 UTC
  To: linux-kernel, stable, kernel-team
  Cc: Rajkumar Manoharan, Kalle Valo, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>

commit 8a75fc54745fd3ce9062ab1cc6429a9da9ac2a68 upstream.

commit 166de3f1895d ("ath10k: remove supported chain mask") had revealed
an issue on monitor mode. Configuring NSS upon monitor interface
creation is causing target assert in all qca9888x and qca6174 firmware.
Firmware assert issue can be reproduced by below sequence even after
reverting commit 166de3f1895d ("ath10k: remove supported chain mask").

ip link set wlan0 down
iw wlan0 set type monitor
iw phy0 set antenna 7
ip link set wlan0 up

This issue is originally reported on qca9888 with 10.1 firmware.

Fixes: 5572a95b4b ("ath10k: apply chainmask settings to vdev on creation")
Reported-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/wireless/ath/ath10k/mac.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index a5ea8a9..9301716 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -4194,7 +4194,10 @@ static int ath10k_add_interface(struct ieee80211_hw *hw,
 		goto err_vdev_delete;
 	}
 
-	if (ar->cfg_tx_chainmask) {
+	/* Configuring number of spatial stream for monitor interface is causing
+	 * target assert in qca9888 and qca6174.
+	 */
+	if (ar->cfg_tx_chainmask && (vif->type != NL80211_IFTYPE_MONITOR)) {
 		u16 nss = get_nss_from_chainmask(ar->cfg_tx_chainmask);
 
 		vdev_param = ar->wmi.vdev_param->nss;
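Review bot: the new test `vif->type != NL80211_IFTYPE_MONITOR` skips the NSS setup for monitor vifs on every chip, while the comment above it names only qca9888 and qca6174 (and the commit message says qca9888x). Either state in the comment that the skip is unconditional by design, or key it to the affected hardware. The parentheses around the `!=` comparison are redundant.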
-- 
2.7.4


* [PATCH 4.2.y-ckt 002/206] drm/i915: Fix race condition in intel_dp_destroy_mst_connector()
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 001/206] ath10k: fix firmware assert in monitor mode Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 003/206] ath10k: fix debugfs pktlog_filter write Kamal Mostafa
                   ` (203 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Lyude, Rob Clark, Daniel Vetter, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Lyude <cpaul@redhat.com>

commit 1f7717552ef1306be3b7ed28c66c6eff550e3a23 upstream.

After unplugging a DP MST display from the system, we have to go through
and destroy all of the DRM connectors associated with it since none of
them are valid anymore. Unfortunately, intel_dp_destroy_mst_connector()
doesn't do a good enough job of ensuring that throughout the destruction
process that no modesettings can be done with the connectors. As it is
right now, intel_dp_destroy_mst_connector() works like this:

* Take all modeset locks
* Clear the configuration of the crtc on the connector, if there is one
* Drop all modeset locks, this is required because of circular
  dependency issues that arise with trying to remove the connector from
  sysfs with modeset locks held
* Unregister the connector
* Take all modeset locks, again
* Do the rest of the required cleaning for destroying the connector
* Finally drop all modeset locks for good

This only works sometimes. During the destruction process, it's very
possible that a userspace application will attempt to do a modesetting
using the connector. When we drop the modeset locks, an ioctl handler
such as drm_mode_setcrtc has the opportunity to take all of the modeset
locks from us. When this happens, one thing leads to another and
eventually we end up committing a mode with the non-existent connector:

	[drm:intel_dp_link_training_clock_recovery [i915]] *ERROR* failed to enable link training
	[drm:intel_dp_aux_ch] dp_aux_ch timeout status 0x7cf0001f
	[drm:intel_dp_start_link_train [i915]] *ERROR* failed to start channel equalization
	[drm:intel_dp_aux_ch] dp_aux_ch timeout status 0x7cf0001f
	[drm:intel_mst_pre_enable_dp [i915]] *ERROR* failed to allocate vcpi

And in some cases, such as with the T460s using an MST dock, this
results in breaking modesetting and/or panicking the system.

To work around this, we now unregister the connector at the very
beginning of intel_dp_destroy_mst_connector(), grab all the modesetting
locks, and then hold them until we finish the rest of the function.

Signed-off-by: Lyude <cpaul@redhat.com>
Signed-off-by: Rob Clark <rclark@redhat.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1458155884-13877-1-git-send-email-cpaul@redhat.com
[ kamal: backport to 4.2-stable: context ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/gpu/drm/i915/intel_dp_mst.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/i915/intel_dp_mst.c b/drivers/gpu/drm/i915/intel_dp_mst.c
index 8c127201..7feec0f 100644
--- a/drivers/gpu/drm/i915/intel_dp_mst.c
+++ b/drivers/gpu/drm/i915/intel_dp_mst.c
@@ -470,14 +470,13 @@ static void intel_dp_destroy_mst_connector(struct drm_dp_mst_topology_mgr *mgr,
 {
 	struct intel_connector *intel_connector = to_intel_connector(connector);
 	struct drm_device *dev = connector->dev;
-	/* need to nuke the connector */
-	mutex_lock(&dev->mode_config.mutex);
-	intel_connector_dpms(connector, DRM_MODE_DPMS_OFF);
-	mutex_unlock(&dev->mode_config.mutex);
 
 	intel_connector->unregister(intel_connector);
 
+	/* need to nuke the connector */
 	mutex_lock(&dev->mode_config.mutex);
+	intel_connector_dpms(connector, DRM_MODE_DPMS_OFF);
+
 	intel_connector_remove_from_fbdev(intel_connector);
 	drm_connector_cleanup(connector);
 	mutex_unlock(&dev->mode_config.mutex);
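Review bot: `intel_connector->unregister(intel_connector)` now runs first and without `mode_config.mutex`, but nothing at that line says the order matters. A short comment there should record that the connector has to disappear from userspace before the lock is taken, and that unregistering under the lock is not possible because of the sysfs dependency described in the commit message. The message also speaks of all modeset locks, while this backported hunk holds only `dev->mode_config.mutex`; worth confirming that this one mutex is enough to keep drm_mode_setcrtc out on 4.2.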
-- 
2.7.4


* [PATCH 4.2.y-ckt 003/206] ath10k: fix debugfs pktlog_filter write
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 001/206] ath10k: fix firmware assert in monitor mode Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 002/206] drm/i915: Fix race condition in intel_dp_destroy_mst_connector() Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 004/206] drm/i915: Call intel_dp_mst_resume() before resuming displays Kamal Mostafa
                   ` (202 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Anilkumar Kolli, Kalle Valo, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Anilkumar Kolli <akolli@qti.qualcomm.com>

commit 9ddc486aa09a3413a6c492fcf160ce61bfccb7b1 upstream.

It is observed that we are disabling the packet log if we write the same
value to the pktlog_filter for the second time. Always enable pktlogs
on non zero filter.

Fixes: 90174455ae05 ("ath10k: add support to configure pktlog filter")
Signed-off-by: Anilkumar Kolli <akolli@qti.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/wireless/ath/ath10k/debug.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c
index 8fa606a..bfb605b 100644
--- a/drivers/net/wireless/ath/ath10k/debug.c
+++ b/drivers/net/wireless/ath/ath10k/debug.c
@@ -2004,7 +2004,12 @@ static ssize_t ath10k_write_pktlog_filter(struct file *file,
 		goto out;
 	}
 
-	if (filter && (filter != ar->debug.pktlog_filter)) {
+	if (filter == ar->debug.pktlog_filter) {
+		ret = count;
+		goto out;
+	}
+
+	if (filter) {
 		ret = ath10k_wmi_pdev_pktlog_enable(ar, filter);
 		if (ret) {
 			ath10k_warn(ar, "failed to enable pktlog filter %x: %d\n",
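Review bot: the new early exit at `if (filter == ar->debug.pktlog_filter)` returns `count` without talking to the firmware, so a repeated write is a no-op rather than a re-enable, which is not quite what "Always enable pktlogs on non zero filter" in the commit message says. If the cached `ar->debug.pktlog_filter` can outlive the firmware state it mirrors, a same-value write will not restore logging; a one-line comment stating that the cached value is treated as authoritative would settle it.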
-- 
2.7.4


* [PATCH 4.2.y-ckt 004/206] drm/i915: Call intel_dp_mst_resume() before resuming displays
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (2 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 003/206] ath10k: fix debugfs pktlog_filter write Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 005/206] ARM: mvebu: fix GPIO config on the Linksys boards Kamal Mostafa
                   ` (201 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Lyude, Daniel Vetter, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Lyude <cpaul@redhat.com>

commit a16b7658f4e0d4aec9bc3e75a5f0cc3f7a3a0422 upstream.

Since we need MST devices ready before we try to resume displays,
calling this after intel_display_resume() can result in some issues with
various laptop docks where the monitor won't turn back on after
suspending the system.

This order was originally changed in

	commit e7d6f7d70829 ("drm/i915: resume MST after reading back hw state")

In order to fix some unclaimed register errors, however the actual cause
of those has since been fixed.

Signed-off-by: Lyude <cpaul@redhat.com>
[danvet: Resolve conflicts with locking changes.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
[ kamal: backport to 4.2-stable: context ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/gpu/drm/i915/i915_drv.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_drv.c b/drivers/gpu/drm/i915/i915_drv.c
index 9d42aeb..2188b7f 100644
--- a/drivers/gpu/drm/i915/i915_drv.c
+++ b/drivers/gpu/drm/i915/i915_drv.c
@@ -762,12 +762,12 @@ static int i915_drm_resume(struct drm_device *dev)
 		dev_priv->display.hpd_irq_setup(dev);
 	spin_unlock_irq(&dev_priv->irq_lock);
 
+	intel_dp_mst_resume(dev);
+
 	drm_modeset_lock_all(dev);
 	intel_modeset_setup_hw_state(dev, true);
 	drm_modeset_unlock_all(dev);
 
-	intel_dp_mst_resume(dev);
-
 	/*
 	 * ... but also need to make sure that hotplug processing
 	 * doesn't cause havoc. Like in the driver load code we don't
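Review bot: `intel_dp_mst_resume(dev)` now runs before `drm_modeset_lock_all(dev)` and `intel_modeset_setup_hw_state()`, and the moved call carries no comment saying why. The commit message relies on the cause of the earlier unclaimed register errors having been fixed since e7d6f7d70829; for this 4.2 backport, confirm that fix is in the tree too, otherwise the reorder could bring those errors back. A one-line comment at the call stating that MST has to be resumed before the displays would keep the order from being flipped again.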
-- 
2.7.4


* [PATCH 4.2.y-ckt 005/206] ARM: mvebu: fix GPIO config on the Linksys boards
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (3 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 004/206] drm/i915: Call intel_dp_mst_resume() before resuming displays Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 006/206] drm/i915: Exit cherryview_irq_handler() after one pass Kamal Mostafa
                   ` (200 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Imre Kaloz, Gregory CLEMENT, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Imre Kaloz <kaloz@openwrt.org>

commit 9800917cf92f5b5fe5cae706cb70db8d014f663c upstream.

Some of the GPIO configs were wrong in the submitted DTS files,
this patch fixes all affected boards.

Signed-off-by: Imre Kaloz <kaloz@openwrt.org>

Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/arm/boot/dts/armada-385-linksys.dtsi     | 6 +++---
 arch/arm/boot/dts/armada-xp-linksys-mamba.dts | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/arch/arm/boot/dts/armada-385-linksys.dtsi b/arch/arm/boot/dts/armada-385-linksys.dtsi
index 1ce7a1e..cb37e88 100644
--- a/arch/arm/boot/dts/armada-385-linksys.dtsi
+++ b/arch/arm/boot/dts/armada-385-linksys.dtsi
@@ -243,7 +243,7 @@
 		button@2 {
 			label = "Factory Reset Button";
 			linux,code = <KEY_RESTART>;
-			gpios = <&gpio1 15 GPIO_ACTIVE_LOW>;
+			gpios = <&gpio0 29 GPIO_ACTIVE_LOW>;
 		};
 	};
 
@@ -258,7 +258,7 @@
 		};
 
 		sata {
-			gpios = <&gpio1 22 GPIO_ACTIVE_HIGH>;
+			gpios = <&gpio1 22 GPIO_ACTIVE_LOW>;
 			default-state = "off";
 		};
 	};
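Review bot: the `sata` LED flips from `GPIO_ACTIVE_HIGH` to `GPIO_ACTIVE_LOW` while `default-state = "off"` stays, so the level driven at boot inverts, and the commit message does not say on which boards this was checked. Since this is a shared .dtsi, the message should name the boards the new polarity was verified on.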
@@ -311,7 +311,7 @@
 
 &pinctrl {
 	keys_pin: keys-pin {
-		marvell,pins = "mpp24", "mpp47";
+		marvell,pins = "mpp24", "mpp29";
 		marvell,function = "gpio";
 	};
 
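Review bot: in `keys_pin`, `marvell,pins` swaps "mpp47" for "mpp29", which has to stay in step with the reset button moving from `&gpio1 15` to `&gpio0 29` in the first hunk of this file, and neither the patch nor the message states that link. A sentence in the commit message listing the pin changes per board would make the pairing reviewable.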
diff --git a/arch/arm/boot/dts/armada-xp-linksys-mamba.dts b/arch/arm/boot/dts/armada-xp-linksys-mamba.dts
index fdd187c..e767735 100644
--- a/arch/arm/boot/dts/armada-xp-linksys-mamba.dts
+++ b/arch/arm/boot/dts/armada-xp-linksys-mamba.dts
@@ -302,13 +302,13 @@
 		button@1 {
 			label = "WPS";
 			linux,code = <KEY_WPS_BUTTON>;
-			gpios = <&gpio1 0 GPIO_ACTIVE_HIGH>;
+			gpios = <&gpio1 0 GPIO_ACTIVE_LOW>;
 		};
 
 		button@2 {
 			label = "Factory Reset Button";
 			linux,code = <KEY_RESTART>;
-			gpios = <&gpio1 1 GPIO_ACTIVE_HIGH>;
+			gpios = <&gpio1 1 GPIO_ACTIVE_LOW>;
 		};
 	};
 
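Review bot: both `button@1` (WPS) and `button@2` (Factory Reset Button) change to `GPIO_ACTIVE_LOW`, but the message only says some configs were wrong. Since one of them is bound to `KEY_RESTART`, the message should say how the polarity was confirmed on this board.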
-- 
2.7.4


* [PATCH 4.2.y-ckt 006/206] drm/i915: Exit cherryview_irq_handler() after one pass
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (4 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 005/206] ARM: mvebu: fix GPIO config on the Linksys boards Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-10  8:37   ` Ursulin, Tvrtko
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 007/206] ath5k: Change led pin configuration for compaq c700 laptop Kamal Mostafa
                   ` (199 subsequent siblings)
  205 siblings, 1 reply; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Chris Wilson, Ville Syrjälä, Antti Koskipää,
	Tvrtko Ursulin, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Chris Wilson <chris@chris-wilson.co.uk>

commit 579de73b048a0a4c66c25a033ac76a2836e0cf73 upstream.

This effectively reverts

commit 8e5fd599eb219f1054e39b40d18b217af669eea9
Author: Ville Syrjälä <ville.syrjala@linux.intel.com>
Date:   Wed Apr 9 13:28:50 2014 +0300

    drm/i915/chv: Make CHV irq handler loop until all interrupts are consumed

as under continuous execlists load we can saturate the IRQ handler,
destabilising the tsc clock and triggering the NMI watchdog to declare a hung
CPU.

[  552.756051] clocksource: timekeeping watchdog on CPU0: Marking clocksource 'tsc' as unstable because the skew is too large:
[  552.756080] clocksource:                       'refined-jiffies' wd_now: 10003b480 wd_last: 10003b28c mask: ffffffff
[  552.756091] clocksource:                       'tsc' cs_now: d55d31aa50 cs_last: d17446166c mask: ffffffffffffffff
[  552.756210] clocksource: Switched to clocksource refined-jiffies
[  575.217870] NMI watchdog: Watchdog detected hard LOCKUP on cpu 1
[  575.217893] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.5.0-rc7+ #18
[  575.217905] Hardware name:                  /NUC5CPYB, BIOS PYBSWCEL.86A.0027.2015.0507.1758 05/07/2015
[  575.217915]  0000000000000000 ffff88027fd05bc0 ffffffff81288c6d 0000000000000000
[  575.217935]  0000000000000001 ffff88027fd05be0 ffffffff810e72d1 0000000000000000
[  575.217951]  ffff88027fd05c80 ffff88027fd05c20 ffffffff81114b60 0000000181015f1e
[  575.217967] Call Trace:
[  575.217973]  <NMI>  [<ffffffff81288c6d>] dump_stack+0x4f/0x72
[  575.217994]  [<ffffffff810e72d1>] watchdog_overflow_callback+0x151/0x160
[  575.218003]  [<ffffffff81114b60>] __perf_event_overflow+0xa0/0x1e0
[  575.218016]  [<ffffffff811154c4>] perf_event_overflow+0x14/0x20
[  575.218028]  [<ffffffff8101d2ca>] intel_pmu_handle_irq+0x1da/0x460
[  575.218042]  [<ffffffff814a8aae>] ? poll_idle+0x3e/0x70
[  575.218052]  [<ffffffff814a8aae>] ? poll_idle+0x3e/0x70
[  575.218064]  [<ffffffff81014ae8>] perf_event_nmi_handler+0x28/0x50
[  575.218075]  [<ffffffff81007540>] nmi_handle+0x60/0x130
[  575.218086]  [<ffffffff814a8aae>] ? poll_idle+0x3e/0x70
[  575.218096]  [<ffffffff810079c0>] do_nmi+0x140/0x470
[  575.218108]  [<ffffffff81559ec7>] end_repeat_nmi+0x1a/0x1e
[  575.218119]  [<ffffffff814a8aae>] ? poll_idle+0x3e/0x70
[  575.218129]  [<ffffffff814a8aae>] ? poll_idle+0x3e/0x70
[  575.218139]  [<ffffffff814a8aae>] ? poll_idle+0x3e/0x70
[  575.218148]  <<EOE>>  [<ffffffff814a8353>] cpuidle_enter_state+0xf3/0x2f0
[  575.218164]  [<ffffffff814a8587>] cpuidle_enter+0x17/0x20
[  575.218175]  [<ffffffff810aaa3a>] call_cpuidle+0x2a/0x40
[  575.218185]  [<ffffffff810aade3>] cpu_startup_entry+0x273/0x330
[  575.218196]  [<ffffffff81033a1e>] start_secondary+0x10e/0x130

However, not servicing all available IIR within the handler does hurt the
throughput of pathological nop execbuf by about 20%, with a similar effect
upon the dispatch latency of a series of execbuf.

v2: use do {} while(0) for a smaller patch, and easier to revert again

I have reasonable confidence that we do not miss GT interrupts (as
execlists provides a stress case with a failure mechanism easily
detected by igt), however I have less confidence about all the other
sources of interrupts and worry that we may lose a display hotplug
interrupt, for example.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93467
Testcase: igt/gem_exec_nop/basic # requires NMI watchdog
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: Antti Koskipää <antti.koskipaa@linux.intel.com>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1457946117-6714-1-git-send-email-chris@chris-wilson.co.uk
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/gpu/drm/i915/i915_irq.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
index 6a51bc6..6f453fe 100644
--- a/drivers/gpu/drm/i915/i915_irq.c
+++ b/drivers/gpu/drm/i915/i915_irq.c
@@ -1837,7 +1837,7 @@ static irqreturn_t cherryview_irq_handler(int irq, void *arg)
 	if (!intel_irqs_enabled(dev_priv))
 		return IRQ_NONE;
 
-	for (;;) {
+	do {
 		master_ctl = I915_READ(GEN8_MASTER_IRQ) & ~GEN8_MASTER_IRQ_CONTROL;
 		iir = I915_READ(VLV_IIR);
 
@@ -1865,7 +1865,7 @@ static irqreturn_t cherryview_irq_handler(int irq, void *arg)
 
 		I915_WRITE(GEN8_MASTER_IRQ, DE_MASTER_IRQ_CONTROL);
 		POSTING_READ(GEN8_MASTER_IRQ);
-	}
+	} while (0);
 
 	return ret;
 }
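Review bot: `} while (0);` leaves a loop construct that runs exactly once, with no comment in the code explaining why it is kept. The commit message gives the reason (smaller patch, easier to revert) and also admits that a display hotplug interrupt might be lost with a single pass; put both in a comment above `do {` so the next reader neither tidies the construct away nor restores `for (;;)` without knowing about the NMI watchdog lockup.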
-- 
2.7.4


* [PATCH 4.2.y-ckt 007/206] ath5k: Change led pin configuration for compaq c700 laptop
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (5 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 006/206] drm/i915: Exit cherryview_irq_handler() after one pass Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 008/206] xfs: disallow rw remount on fs with unknown ro-compat features Kamal Mostafa
                   ` (198 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Joseph Salisbury, Kalle Valo, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Joseph Salisbury <joseph.salisbury@canonical.com>

commit 7b9bc799a445aea95f64f15e0083cb19b5789abe upstream.

BugLink: http://bugs.launchpad.net/bugs/972604

Commit 09c9bae26b0d3c9472cb6ae45010460a2cee8b8d ("ath5k: add led pin
configuration for compaq c700 laptop") added a pin configuration for the Compaq
c700 laptop.  However, the polarity of the led pin is reversed.  It should be
red for wifi off and blue for wifi on, but it is the opposite.  This bug was
reported in the following bug report:
http://pad.lv/972604

Fixes: 09c9bae26b0d3c9472cb6ae45010460a2cee8b8d ("ath5k: add led pin configuration for compaq c700 laptop")
Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/wireless/ath/ath5k/led.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath5k/led.c b/drivers/net/wireless/ath/ath5k/led.c
index 803030f..6a2a168 100644
--- a/drivers/net/wireless/ath/ath5k/led.c
+++ b/drivers/net/wireless/ath/ath5k/led.c
@@ -77,7 +77,7 @@ static const struct pci_device_id ath5k_led_devices[] = {
 	/* HP Compaq CQ60-206US (ddreggors@jumptv.com) */
 	{ ATH_SDEVICE(PCI_VENDOR_ID_HP, 0x0137a), ATH_LED(3, 1) },
 	/* HP Compaq C700 (nitrousnrg@gmail.com) */
-	{ ATH_SDEVICE(PCI_VENDOR_ID_HP, 0x0137b), ATH_LED(3, 1) },
+	{ ATH_SDEVICE(PCI_VENDOR_ID_HP, 0x0137b), ATH_LED(3, 0) },
 	/* LiteOn AR5BXB63 (magooz@salug.it) */
 	{ ATH_SDEVICE(PCI_VENDOR_ID_ATHEROS, 0x3067), ATH_LED(3, 0) },
 	/* IBM-specific AR5212 (all others) */
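Review bot: the polarity argument for subsystem ID 0x0137b goes from `ATH_LED(3, 1)` to `ATH_LED(3, 0)`, while the entry's comment still credits only the original reporter and the neighbouring 0x0137a entry keeps `ATH_LED(3, 1)`. Worth confirming with the original reporter that no C700 variant behind this ID needs the old polarity, and adding the bug link to the comment so the value is not flipped back on the next report.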
-- 
2.7.4


* [PATCH 4.2.y-ckt 008/206] xfs: disallow rw remount on fs with unknown ro-compat features
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (6 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 007/206] ath5k: Change led pin configuration for compaq c700 laptop Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 009/206] xfs: Don't wrap growfs AGFL indexes Kamal Mostafa
                   ` (197 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Eric Sandeen, Dave Chinner, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Eric Sandeen <sandeen@redhat.com>

commit d0a58e833931234c44e515b5b8bede32bd4e6eed upstream.

Today, a kernel which refuses to mount a filesystem read-write
due to unknown ro-compat features can still transition to read-write
via the remount path.  The old kernel is most likely none the wiser,
because it's unaware of the new feature, and isn't using it.  However,
writing to the filesystem may well corrupt metadata related to that
new feature, and moving to a newer kernel which understands the feature
will have problems.

Right now the only ro-compat feature we have is the free inode btree,
which showed up in v3.16.  It would be good to push this back to
all the active stable kernels, I think, so that if anyone is using
newer mkfs (which enables the finobt feature) with older kernel
releases, they'll be protected.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Bill O'Donnell <billodo@redhat.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/xfs/xfs_super.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c
index bbd9b1f..a214629 100644
--- a/fs/xfs/xfs_super.c
+++ b/fs/xfs/xfs_super.c
@@ -1240,6 +1240,16 @@ xfs_fs_remount(
 			return -EINVAL;
 		}
 
+		if (XFS_SB_VERSION_NUM(sbp) == XFS_SB_VERSION_5 &&
+		    xfs_sb_has_ro_compat_feature(sbp,
+					XFS_SB_FEAT_RO_COMPAT_UNKNOWN)) {
+			xfs_warn(mp,
+"ro->rw transition prohibited on unknown (0x%x) ro-compat filesystem",
+				(sbp->sb_features_ro_compat &
+					XFS_SB_FEAT_RO_COMPAT_UNKNOWN));
+			return -EINVAL;
+		}
+
 		mp->m_flags &= ~XFS_MOUNT_RDONLY;
 
 		/*
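Review bot: the new check returns `-EINVAL`, the same value as the failure just above it, so userspace cannot tell why the remount was refused and the `xfs_warn()` line is the only explanation. It would help if that message said the filesystem has to stay read-only on this kernel. The format string also starts in column 0, which breaks the indentation of the block; if that is only to keep the literal on one line, a shorter text would avoid it.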
-- 
2.7.4


* [PATCH 4.2.y-ckt 009/206] xfs: Don't wrap growfs AGFL indexes
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (7 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 008/206] xfs: disallow rw remount on fs with unknown ro-compat features Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 010/206] rtlwifi: rtl8723be: Add antenna select module parameter Kamal Mostafa
                   ` (196 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Dave Chinner, Dave Chinner, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Dave Chinner <dchinner@redhat.com>

commit ad747e3b299671e1a53db74963cc6c5f6cdb9f6d upstream.

Commit 96f859d ("libxfs: pack the agfl header structure so
XFS_AGFL_SIZE is correct") allowed the freelist to use the empty
slot at the end of the freelist on 64 bit systems that was not
being used due to sizeof() rounding up the structure size.

This has caused versions of xfs_repair prior to 4.5.0 (which also
has the fix) to report this as a corruption once the filesystem has
been grown. Older kernels can also have problems (seen from a whacky
container/vm management environment) mounting filesystems grown on a
system with a newer kernel than the vm/container it is deployed on.

To avoid this problem, change the initial free list indexes not to
wrap across the end of the AGFL, hence avoiding the initialisation
of agf_fllast to the last index in the AGFL.

Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/xfs/xfs_fsops.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/xfs/xfs_fsops.c b/fs/xfs/xfs_fsops.c
index 9b3438a..df4bc93 100644
--- a/fs/xfs/xfs_fsops.c
+++ b/fs/xfs/xfs_fsops.c
@@ -243,8 +243,8 @@ xfs_growfs_data_private(
 		agf->agf_roots[XFS_BTNUM_CNTi] = cpu_to_be32(XFS_CNT_BLOCK(mp));
 		agf->agf_levels[XFS_BTNUM_BNOi] = cpu_to_be32(1);
 		agf->agf_levels[XFS_BTNUM_CNTi] = cpu_to_be32(1);
-		agf->agf_flfirst = 0;
-		agf->agf_fllast = cpu_to_be32(XFS_AGFL_SIZE(mp) - 1);
+		agf->agf_flfirst = cpu_to_be32(1);
+		agf->agf_fllast = 0;
 		agf->agf_flcount = 0;
 		tmpsize = agsize - XFS_PREALLOC_BLOCKS(mp);
 		agf->agf_freeblks = cpu_to_be32(tmpsize);
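Review bot: `agf->agf_flfirst = cpu_to_be32(1)` together with `agf->agf_fllast = 0` and `agf_flcount = 0` encodes an empty free list in a way that is not obvious from the code, and the hunk adds no comment. Add one saying the indexes are chosen so that the empty list does not wrap across the end of the AGFL and `agf_fllast` is never initialised to the last index, which the commit message says older xfs_repair reports as corruption.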
-- 
2.7.4


* [PATCH 4.2.y-ckt 010/206] rtlwifi: rtl8723be: Add antenna select module parameter
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (8 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 009/206] xfs: Don't wrap growfs AGFL indexes Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 011/206] rtlwifi: btcoexist: Implement antenna selection Kamal Mostafa
                   ` (195 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Larry Finger, Kalle Valo, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Larry Finger <Larry.Finger@lwfinger.net>

commit c18d8f5095715c56bb3cd9cba64242542632054b upstream.

A number of new laptops have been delivered with only a single antenna.
In principle, this is OK; however, a problem arises when the on-board
EEPROM is programmed to use the other antenna connection. The option
of opening the computer and moving the connector is not always possible
as it will void the warranty in some cases. In addition, this solution
breaks the Windows driver when the box dual boots Linux and Windows.

A fix involving a new module parameter has been developed.  This commit
adds the new parameter and implements the changes needed for the driver.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[ kamal: backport to 4.2-stable: files moved ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/wireless/rtlwifi/rtl8723be/hw.c | 5 +++++
 drivers/net/wireless/rtlwifi/rtl8723be/sw.c | 3 +++
 drivers/net/wireless/rtlwifi/wifi.h         | 3 +++
 3 files changed, 11 insertions(+)

diff --git a/drivers/net/wireless/rtlwifi/rtl8723be/hw.c b/drivers/net/wireless/rtlwifi/rtl8723be/hw.c
index c983d2f..5a3df91 100644
--- a/drivers/net/wireless/rtlwifi/rtl8723be/hw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8723be/hw.c
@@ -2684,6 +2684,7 @@ void rtl8723be_read_bt_coexist_info_from_hwpg(struct ieee80211_hw *hw,
 					      bool auto_load_fail, u8 *hwinfo)
 {
 	struct rtl_priv *rtlpriv = rtl_priv(hw);
+	struct rtl_mod_params *mod_params = rtlpriv->cfg->mod_params;
 	u8 value;
 	u32 tmpu_32;
 
@@ -2702,6 +2703,10 @@ void rtl8723be_read_bt_coexist_info_from_hwpg(struct ieee80211_hw *hw,
 		rtlpriv->btcoexist.btc_info.ant_num = ANT_X2;
 	}
 
+	/* override ant_num / ant_path */
+	if (mod_params->ant_sel)
+		rtlpriv->btcoexist.btc_info.ant_num =
+			(mod_params->ant_sel == 1 ? ANT_X2 : ANT_X1);
 }
 
 void rtl8723be_bt_reg_init(struct ieee80211_hw *hw)
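Review bot: in the override, `mod_params->ant_sel == 1 ? ANT_X2 : ANT_X1` sends every nonzero value other than 1, negatives included, to `ANT_X1`, and maps 1 to `ANT_X2`, which reads as inverted next to the parameter description "Set to 1 or 2 to force antenna number". Either check that `ant_sel` is 1 or 2 before using it, or document the mapping in the comment. The comment also says "ant_num / ant_path" but only `ant_num` is assigned here.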
diff --git a/drivers/net/wireless/rtlwifi/rtl8723be/sw.c b/drivers/net/wireless/rtlwifi/rtl8723be/sw.c
index 9df94b2..8de5626 100644
--- a/drivers/net/wireless/rtlwifi/rtl8723be/sw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8723be/sw.c
@@ -273,6 +273,7 @@ static struct rtl_mod_params rtl8723be_mod_params = {
 	.msi_support = false,
 	.disable_watchdog = false,
 	.debug = DBG_EMERG,
+	.ant_sel = 0,
 };
 
 static struct rtl_hal_cfg rtl8723be_hal_cfg = {
@@ -394,6 +395,7 @@ module_param_named(fwlps, rtl8723be_mod_params.fwctrl_lps, bool, 0444);
 module_param_named(msi, rtl8723be_mod_params.msi_support, bool, 0444);
 module_param_named(disable_watchdog, rtl8723be_mod_params.disable_watchdog,
 		   bool, 0444);
+module_param_named(ant_sel, rtl8723be_mod_params.ant_sel, int, 0444);
 MODULE_PARM_DESC(swenc, "Set to 1 for software crypto (default 0)\n");
 MODULE_PARM_DESC(ips, "Set to 0 to not use link power save (default 1)\n");
 MODULE_PARM_DESC(swlps, "Set to 1 to use SW control power save (default 0)\n");
@@ -402,6 +404,7 @@ MODULE_PARM_DESC(msi, "Set to 1 to use MSI interrupts mode (default 0)\n");
 MODULE_PARM_DESC(debug, "Set debug level (0-5) (default 0)");
 MODULE_PARM_DESC(disable_watchdog,
 		 "Set to 1 to disable the watchdog (default 0)\n");
+MODULE_PARM_DESC(ant_sel, "Set to 1 or 2 to force antenna number (default 0)\n");
 
 static SIMPLE_DEV_PM_OPS(rtlwifi_pm_ops, rtl_pci_suspend, rtl_pci_resume);
 
diff --git a/drivers/net/wireless/rtlwifi/wifi.h b/drivers/net/wireless/rtlwifi/wifi.h
index 0a3570a..d593474 100644
--- a/drivers/net/wireless/rtlwifi/wifi.h
+++ b/drivers/net/wireless/rtlwifi/wifi.h
@@ -2237,6 +2237,9 @@ struct rtl_mod_params {
 
 	/* default 0: 1 means do not disable interrupts */
 	bool int_clear;
+
+	/* select antenna */
+	int ant_sel;
 };
 
 struct rtl_hal_usbint_cfg {
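Review bot: the new field comment `/* select antenna */` gives no value semantics, unlike the `int_clear` comment directly above it ("default 0: 1 means do not disable interrupts"). Suggest the same form here, stating that 0 means no override and what 1 and 2 select.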
-- 
2.7.4


* [PATCH 4.2.y-ckt 011/206] rtlwifi: btcoexist: Implement antenna selection
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (9 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 010/206] rtlwifi: rtl8723be: Add antenna select module parameter Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 012/206] drm/gma500: Fix possible out of bounds read Kamal Mostafa
                   ` (194 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Larry Finger, Kalle Valo, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Larry Finger <Larry.Finger@lwfinger.net>

commit baa1702290953295e421f0f433e2b1ff4815827c upstream.

The previous patch added an option to rtl8723be to manually select the
antenna for those cases when only a single antenna is present, and the
on-board EEPROM is incorrectly programmed. This patch implements the
necessary changes in the Bluetooth coexistence driver.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[ kamal: backport to 4.2-stable: files moved ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 .../wireless/rtlwifi/btcoexist/halbtc8723b2ant.c   |  9 ++++++--
 .../net/wireless/rtlwifi/btcoexist/halbtcoutsrc.c  | 27 +++++++++++++++++++++-
 .../net/wireless/rtlwifi/btcoexist/halbtcoutsrc.h  |  2 +-
 drivers/net/wireless/rtlwifi/btcoexist/rtl_btc.c   |  5 +++-
 4 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/drivers/net/wireless/rtlwifi/btcoexist/halbtc8723b2ant.c b/drivers/net/wireless/rtlwifi/btcoexist/halbtc8723b2ant.c
index f2b9d11..e85f165 100644
--- a/drivers/net/wireless/rtlwifi/btcoexist/halbtc8723b2ant.c
+++ b/drivers/net/wireless/rtlwifi/btcoexist/halbtc8723b2ant.c
@@ -1203,7 +1203,6 @@ static void btc8723b2ant_set_ant_path(struct btc_coexist *btcoexist,
 
 		/* Force GNT_BT to low */
 		btcoexist->btc_write_1byte_bitmask(btcoexist, 0x765, 0x18, 0x0);
-		btcoexist->btc_write_2byte(btcoexist, 0x948, 0x0);
 
 		if (board_info->btdm_ant_pos == BTC_ANTENNA_AT_MAIN_PORT) {
 			/* tell firmware "no antenna inverse" */
@@ -1211,19 +1210,25 @@ static void btc8723b2ant_set_ant_path(struct btc_coexist *btcoexist,
 			h2c_parameter[1] = 1;  /* ext switch type */
 			btcoexist->btc_fill_h2c(btcoexist, 0x65, 2,
 						h2c_parameter);
+			btcoexist->btc_write_2byte(btcoexist, 0x948, 0x0);
 		} else {
 			/* tell firmware "antenna inverse" */
 			h2c_parameter[0] = 1;
 			h2c_parameter[1] = 1;  /* ext switch type */
 			btcoexist->btc_fill_h2c(btcoexist, 0x65, 2,
 						h2c_parameter);
+			btcoexist->btc_write_2byte(btcoexist, 0x948, 0x280);
 		}
 	}
 
 	/* ext switch setting */
 	if (use_ext_switch) {
 		/* fixed internal switch S1->WiFi, S0->BT */
-		btcoexist->btc_write_2byte(btcoexist, 0x948, 0x0);
+		if (board_info->btdm_ant_pos == BTC_ANTENNA_AT_MAIN_PORT)
+			btcoexist->btc_write_2byte(btcoexist, 0x948, 0x0);
+		else
+			btcoexist->btc_write_2byte(btcoexist, 0x948, 0x280);
+
 		switch (antpos_type) {
 		case BTC_ANT_WIFI_AT_MAIN:
 			/* ext switch main at wifi */
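Review bot: the value 0x280 written to register 0x948 in both added else branches is an unexplained magic number. The existing 0x0 write sits under the comment "fixed internal switch S1->WiFi, S0->BT"; the new value needs an equivalent comment or a named constant. The same test on board_info->btdm_ant_pos now appears twice in this function, so a small helper that writes 0x948 from btdm_ant_pos would keep the two sites from drifting apart.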
diff --git a/drivers/net/wireless/rtlwifi/btcoexist/halbtcoutsrc.c b/drivers/net/wireless/rtlwifi/btcoexist/halbtcoutsrc.c
index b2791c8..babd149 100644
--- a/drivers/net/wireless/rtlwifi/btcoexist/halbtcoutsrc.c
+++ b/drivers/net/wireless/rtlwifi/btcoexist/halbtcoutsrc.c
@@ -965,13 +965,38 @@ void exhalbtc_set_chip_type(u8 chip_type)
 	}
 }
 
-void exhalbtc_set_ant_num(u8 type, u8 ant_num)
+void exhalbtc_set_ant_num(struct rtl_priv *rtlpriv, u8 type, u8 ant_num)
 {
 	if (BT_COEX_ANT_TYPE_PG == type) {
 		gl_bt_coexist.board_info.pg_ant_num = ant_num;
 		gl_bt_coexist.board_info.btdm_ant_num = ant_num;
+		/* The antenna position:
+		 * Main (default) or Aux for pgAntNum=2 && btdmAntNum =1.
+		 * The antenna position should be determined by
+		 * auto-detect mechanism.
+		 * The following is assumed to main,
+		 * and those must be modified
+		 * if y auto-detect mechanism is ready
+		 */
+		if ((gl_bt_coexist.board_info.pg_ant_num == 2) &&
+		    (gl_bt_coexist.board_info.btdm_ant_num == 1))
+			gl_bt_coexist.board_info.btdm_ant_pos =
+						       BTC_ANTENNA_AT_MAIN_PORT;
+		else
+			gl_bt_coexist.board_info.btdm_ant_pos =
+						       BTC_ANTENNA_AT_MAIN_PORT;
 	} else if (BT_COEX_ANT_TYPE_ANTDIV == type) {
 		gl_bt_coexist.board_info.btdm_ant_num = ant_num;
+		gl_bt_coexist.board_info.btdm_ant_pos =
+						       BTC_ANTENNA_AT_MAIN_PORT;
+	} else if (type == BT_COEX_ANT_TYPE_DETECTED) {
+		gl_bt_coexist.board_info.btdm_ant_num = ant_num;
+		if (rtlpriv->cfg->mod_params->ant_sel == 1)
+			gl_bt_coexist.board_info.btdm_ant_pos =
+				BTC_ANTENNA_AT_AUX_PORT;
+		else
+			gl_bt_coexist.board_info.btdm_ant_pos =
+				BTC_ANTENNA_AT_MAIN_PORT;
 	}
 }
 
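Review bot: in the BT_COEX_ANT_TYPE_PG branch both arms of the added if/else assign BTC_ANTENNA_AT_MAIN_PORT, so the test on pg_ant_num and btdm_ant_num has no effect. Assign once and keep the explanation as a TODO, or implement the distinction the comment promises; the comment itself also carries a stray word ("if y auto-detect mechanism is ready").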
diff --git a/drivers/net/wireless/rtlwifi/btcoexist/halbtcoutsrc.h b/drivers/net/wireless/rtlwifi/btcoexist/halbtcoutsrc.h
index 0a903ea..f41ca57 100644
--- a/drivers/net/wireless/rtlwifi/btcoexist/halbtcoutsrc.h
+++ b/drivers/net/wireless/rtlwifi/btcoexist/halbtcoutsrc.h
@@ -535,7 +535,7 @@ void exhalbtc_set_bt_patch_version(u16 bt_hci_version, u16 bt_patch_version);
 void exhalbtc_update_min_bt_rssi(char bt_rssi);
 void exhalbtc_set_bt_exist(bool bt_exist);
 void exhalbtc_set_chip_type(u8 chip_type);
-void exhalbtc_set_ant_num(u8 type, u8 ant_num);
+void exhalbtc_set_ant_num(struct rtl_priv *rtlpriv, u8 type, u8 ant_num);
 void exhalbtc_display_bt_coex_info(struct btc_coexist *btcoexist);
 void exhalbtc_signal_compensation(struct btc_coexist *btcoexist,
 				  u8 *rssi_wifi, u8 *rssi_bt);
diff --git a/drivers/net/wireless/rtlwifi/btcoexist/rtl_btc.c b/drivers/net/wireless/rtlwifi/btcoexist/rtl_btc.c
index b9b0cb7..d3fd921 100644
--- a/drivers/net/wireless/rtlwifi/btcoexist/rtl_btc.c
+++ b/drivers/net/wireless/rtlwifi/btcoexist/rtl_btc.c
@@ -72,7 +72,10 @@ void rtl_btc_init_hal_vars(struct rtl_priv *rtlpriv)
 		 __func__, bt_type);
 	exhalbtc_set_chip_type(bt_type);
 
-	exhalbtc_set_ant_num(BT_COEX_ANT_TYPE_PG, ant_num);
+	if (rtlpriv->cfg->mod_params->ant_sel == 1)
+		exhalbtc_set_ant_num(rtlpriv, BT_COEX_ANT_TYPE_DETECTED, 1);
+	else
+		exhalbtc_set_ant_num(rtlpriv, BT_COEX_ANT_TYPE_PG, ant_num);
 }
 
 void rtl_btc_init_hw_config(struct rtl_priv *rtlpriv)
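Review bot: only ant_sel == 1 takes the new BT_COEX_ANT_TYPE_DETECTED path here, with a hard-coded antenna count of 1; every other value, including the 2 that the parameter description in the previous patch advertises, falls through to the BT_COEX_ANT_TYPE_PG call with ant_num. If that is intended, a short comment saying what ant_sel == 2 does in this function would stop the next reader from treating it as an omission.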
-- 
2.7.4


* [PATCH 4.2.y-ckt 012/206] drm/gma500: Fix possible out of bounds read
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (10 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 011/206] rtlwifi: btcoexist: Implement antenna selection Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 013/206] Bluetooth: vhci: fix open_timeout vs. hdev race Kamal Mostafa
                   ` (193 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Itai Handler, Patrik Jakobsson, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Itai Handler <itai_handler@hotmail.com>

commit 7ccca1d5bf69fdd1d3c5fcf84faf1659a6e0ad11 upstream.

Fix possible out of bounds read, by adding missing comma.
The code may read past the end of the dsi_errors array
when the most significant bit (bit #31) in the intr_stat register
is set.
This bug has been detected using CppCheck (static analysis tool).

Signed-off-by: Itai Handler <itai_handler@hotmail.com>
Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c b/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c
index 6b43ae3..1616af2 100644
--- a/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c
+++ b/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c
@@ -72,7 +72,7 @@ static const char *const dsi_errors[] = {
 	"RX Prot Violation",
 	"HS Generic Write FIFO Full",
 	"LP Generic Write FIFO Full",
-	"Generic Read Data Avail"
+	"Generic Read Data Avail",
 	"Special Packet Sent",
 	"Tearing Effect",
 };
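Review bot: the one-character fix is right, but nothing here stops the table from silently changing length again, because adjacent string literals concatenate without a diagnostic. A BUILD_BUG_ON comparing ARRAY_SIZE(dsi_errors) with the number of intr_stat bits the handler walks, or an ARRAY_SIZE bound in the lookup itself, would turn a future missing comma into a build failure or a skipped message instead of a read past the array.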
-- 
2.7.4
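
The missing-comma effect described in this patch, as an added example that is not part of the original message or of the gma500 driver. The six strings are the ones visible in the hunk; the 6-bit status word, NUM_BITS and the helper names are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define NUM_BITS 6 /* assumption: a 6-bit status word, one name per bit */

/* 'Before': no comma after "Generic Read Data Avail", so the compiler
 * concatenates it with the next literal and the table has 5 entries. */
static const char *const errors_before[] = {
	"RX Prot Violation",
	"HS Generic Write FIFO Full",
	"LP Generic Write FIFO Full",
	"Generic Read Data Avail"
	"Special Packet Sent",
	"Tearing Effect",
};

/* 'After': the comma restores one entry per bit. */
static const char *const errors_after[] = {
	"RX Prot Violation",
	"HS Generic Write FIFO Full",
	"LP Generic Write FIFO Full",
	"Generic Read Data Avail",
	"Special Packet Sent",
	"Tearing Effect",
};

/* Build-time guard: a future missing comma fails the build. */
_Static_assert(ARRAY_SIZE(errors_after) == NUM_BITS,
	       "one name per status bit");

size_t entries_before(void) { return ARRAY_SIZE(errors_before); }
size_t entries_after(void)  { return ARRAY_SIZE(errors_after); }

/* Bounds-checked lookup: NULL instead of a read past the table. */
const char *error_name(const char *const *tbl, size_t n, unsigned int bit)
{
	return bit < n ? tbl[bit] : NULL;
}

/* Count the set bits in stat that have no entry in a table of n names;
 * an unchecked tbl[bit] would read out of bounds for each of them. */
unsigned int unnamed_bits(uint32_t stat, size_t n)
{
	unsigned int bit, missing = 0;

	for (bit = 0; bit < NUM_BITS; bit++)
		if ((stat & (1u << bit)) && bit >= n)
			missing++;
	return missing;
}

int main(void)
{
	unsigned int bit;

	for (bit = 0; bit < NUM_BITS; bit++) {
		const char *b = error_name(errors_before, entries_before(), bit);

		printf("bit %u: before=%s | after=%s\n", bit,
		       b ? b : "(no entry)",
		       error_name(errors_after, entries_after(), bit));
	}
	return 0;
}
```

Besides losing the entry for the top bit, the short table mislabels every bit after the merged pair.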


* [PATCH 4.2.y-ckt 013/206] Bluetooth: vhci: fix open_timeout vs. hdev race
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (11 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 012/206] drm/gma500: Fix possible out of bounds read Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 014/206] Bluetooth: vhci: purge unhandled skbs Kamal Mostafa
                   ` (192 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Jiri Slaby, Marcel Holtmann, Dmitry Vyukov, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Jiri Slaby <jslaby@suse.cz>

commit 373a32c848ae3a1c03618517cce85f9211a6facf upstream.

Both vhci_get_user and vhci_release race with open_timeout work. They
both contain cancel_delayed_work_sync, but do not test whether the
work actually created hdev or not. Since the work can be in progress
and _sync will wait for finishing it, we can have data->hdev allocated
when cancel_delayed_work_sync returns. But the call sites do 'if
(data->hdev)' *before* cancel_delayed_work_sync.

As a result:
* vhci_get_user allocates a second hdev and puts it into
  data->hdev. The former is leaked.
* vhci_release does not release data->hdev properly as it thinks there
  is none.

Fix both cases by moving the actual test *after* the call to
cancel_delayed_work_sync.

This can be hit by this program:
	#include <err.h>
	#include <fcntl.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <time.h>
	#include <unistd.h>

	#include <sys/stat.h>
	#include <sys/types.h>

	int main(int argc, char **argv)
	{
		int fd;

		srand(time(NULL));

		while (1) {
			const int delta = (rand() % 200 - 100) * 100;

			fd = open("/dev/vhci", O_RDWR);
			if (fd < 0)
				err(1, "open");

			usleep(1000000 + delta);

			close(fd);
		}

		return 0;
	}

And the result is:
BUG: KASAN: use-after-free in skb_queue_tail+0x13e/0x150 at addr ffff88006b0c1228
Read of size 8 by task kworker/u13:1/32068
=============================================================================
BUG kmalloc-192 (Tainted: G            E     ): kasan: bad access detected
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in vhci_open+0x50/0x330 [hci_vhci] age=260 cpu=3 pid=32040
...
	kmem_cache_alloc_trace+0x150/0x190
	vhci_open+0x50/0x330 [hci_vhci]
	misc_open+0x35b/0x4e0
	chrdev_open+0x23b/0x510
...
INFO: Freed in vhci_release+0xa4/0xd0 [hci_vhci] age=9 cpu=2 pid=32040
...
	__slab_free+0x204/0x310
	vhci_release+0xa4/0xd0 [hci_vhci]
...
INFO: Slab 0xffffea0001ac3000 objects=16 used=13 fp=0xffff88006b0c1e00 flags=0x5fffff80004080
INFO: Object 0xffff88006b0c1200 @offset=4608 fp=0xffff88006b0c0600
CPU: 3 PID: 32068 Comm: kworker/u13:1 Tainted: G    B       E      4.4.6-0-default #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20151112_172657-sheep25 04/01/2014
Workqueue: hci0 hci_cmd_work [bluetooth]
 00000000ffffffff ffffffff81926cfa ffff88006be37c68 ffff88006bc27180
 ffff88006b0c1200 ffff88006b0c1234 ffffffff81577993 ffffffff82489320
 ffff88006bc24240 0000000000000046 ffff88006a100000 000000026e51eb80
Call Trace:
...
 [<ffffffff81ec8ebe>] ? skb_queue_tail+0x13e/0x150
 [<ffffffffa06e027c>] ? vhci_send_frame+0xac/0x100 [hci_vhci]
 [<ffffffffa0c61268>] ? hci_send_frame+0x188/0x320 [bluetooth]
 [<ffffffffa0c61515>] ? hci_cmd_work+0x115/0x310 [bluetooth]
 [<ffffffff811a1375>] ? process_one_work+0x815/0x1340
 [<ffffffff811a1f85>] ? worker_thread+0xe5/0x11f0
 [<ffffffff811a1ea0>] ? process_one_work+0x1340/0x1340
 [<ffffffff811b3c68>] ? kthread+0x1c8/0x230
...
Memory state around the buggy address:
 ffff88006b0c1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88006b0c1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88006b0c1200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff88006b0c1280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88006b0c1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

Fixes: 23424c0d31 (Bluetooth: Add support creating virtual AMP controllers)
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/bluetooth/hci_vhci.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 78653db..e1974a6 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -197,13 +197,13 @@ static inline ssize_t vhci_get_user(struct vhci_data *data,
 		break;
 
 	case HCI_VENDOR_PKT:
+		cancel_delayed_work_sync(&data->open_timeout);
+
 		if (data->hdev) {
 			kfree_skb(skb);
 			return -EBADFD;
 		}
 
-		cancel_delayed_work_sync(&data->open_timeout);
-
 		opcode = *((__u8 *) skb->data);
 		skb_pull(skb, 1);
 
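Review bot: moving cancel_delayed_work_sync() ahead of the "if (data->hdev)" test closes the race with the timeout work, but no lock is visible in this hunk around that test and the device creation that follows it. If two HCI_VENDOR_PKT writes on the same file can run concurrently, both can still observe data->hdev == NULL; either serialize this path or state why that cannot happen.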
@@ -341,10 +341,12 @@ static int vhci_open(struct inode *inode, struct file *file)
 static int vhci_release(struct inode *inode, struct file *file)
 {
 	struct vhci_data *data = file->private_data;
-	struct hci_dev *hdev = data->hdev;
+	struct hci_dev *hdev;
 
 	cancel_delayed_work_sync(&data->open_timeout);
 
+	hdev = data->hdev;
+
 	if (hdev) {
 		hci_unregister_dev(hdev);
 		hci_free_dev(hdev);
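Review bot: vhci_release() is now only correct because "hdev = data->hdev;" is read after cancel_delayed_work_sync(), and nothing in the code says so. A one-line comment above the assignment, noting that the work may set data->hdev until the cancel returns, would keep a later cleanup from folding the read back into the declaration.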
-- 
2.7.4
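
The ordering problem this commit message describes, as an added single-threaded user-space model (not driver code and not from the original message). struct vhci_model, cancel_work_sync() and the counters are hypothetical stand-ins; the in-progress open_timeout work is modelled as completing inside the cancel call.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#ifndef EBADFD
#define EBADFD 77 /* Linux value, for platforms that lack it */
#endif

/* Deterministic model; names follow the commit message. */
struct hdev { int unused; };

struct vhci_model {
	struct hdev *hdev;   /* created by the open_timeout work */
	bool work_running;   /* work started, has not yet stored hdev */
};

static int live_hdevs;       /* allocated and not yet freed */

static struct hdev *hdev_alloc(void)
{
	struct hdev *h = malloc(sizeof(*h));

	if (h)
		live_hdevs++;
	return h;
}

static void hdev_free(struct hdev *h)
{
	if (h) {
		free(h);
		live_hdevs--;
	}
}

/* Model of cancel_delayed_work_sync(): if the work is in progress, wait
 * for it, so its side effect (hdev stored) is visible on return. */
static void cancel_work_sync(struct vhci_model *d)
{
	if (d->work_running) {
		d->hdev = hdev_alloc();
		d->work_running = false;
	}
}

/* vhci_release ordering: returns the hdevs still allocated afterwards. */
int release_leak(bool fixed)
{
	struct vhci_model d = { .hdev = NULL, .work_running = true };
	struct hdev *hdev;
	int leaked;

	live_hdevs = 0;
	if (fixed) {
		cancel_work_sync(&d);
		hdev = d.hdev;        /* read after the wait */
	} else {
		hdev = d.hdev;        /* NULL: read before the wait */
		cancel_work_sync(&d);
	}
	if (hdev) {
		hdev_free(hdev);
		d.hdev = NULL;
	}
	leaked = live_hdevs;
	hdev_free(d.hdev);            /* tidy up what the model leaked */
	return leaked;
}

/* HCI_VENDOR_PKT ordering: stores the return code in *rc and returns how
 * many hdevs exist afterwards (only one of them is reachable). */
int vendor_pkt_hdevs(bool fixed, int *rc)
{
	struct vhci_model d = { .hdev = NULL, .work_running = true };
	struct hdev *orphan = NULL;
	int count;

	live_hdevs = 0;
	*rc = 0;
	if (fixed)
		cancel_work_sync(&d);         /* wait first ... */
	if (d.hdev) {                         /* ... then test */
		*rc = -EBADFD;
	} else {
		if (!fixed)
			cancel_work_sync(&d); /* before the fix: wait after the test */
		orphan = d.hdev;              /* hdev the work created, if any */
		d.hdev = hdev_alloc();        /* device creation overwrites it */
	}
	count = live_hdevs;
	hdev_free(orphan);
	hdev_free(d.hdev);
	return count;
}

int main(void)
{
	int rc;

	printf("release: before=%d after=%d leaked\n",
	       release_leak(false), release_leak(true));
	printf("vendor pkt before: %d hdevs\n", vendor_pkt_hdevs(false, &rc));
	printf("vendor pkt after:  %d hdevs\n", vendor_pkt_hdevs(true, &rc));
	return 0;
}
```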


* [PATCH 4.2.y-ckt 014/206] Bluetooth: vhci: purge unhandled skbs
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (12 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 013/206] Bluetooth: vhci: fix open_timeout vs. hdev race Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 015/206] cpuidle: Indicate when a device has been unregistered Kamal Mostafa
                   ` (191 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Jiri Slaby, Marcel Holtmann, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Jiri Slaby <jslaby@suse.cz>

commit 13407376b255325fa817798800117a839f3aa055 upstream.

The write handler allocates skbs and queues them into data->readq.
Read side should read them, if there is any. If there is none, skbs
should be dropped by hdev->flush. But this happens only if the device
is HCI_UP, i.e. hdev->power_on work was triggered already. When it was
not, skbs stay allocated in the queue when /dev/vhci is closed. So
purge the queue in ->release.

Program to reproduce:
	#include <err.h>
	#include <fcntl.h>
	#include <stdio.h>
	#include <unistd.h>

	#include <sys/stat.h>
	#include <sys/types.h>
	#include <sys/uio.h>

	int main()
	{
		char buf[] = { 0xff, 0 };
		struct iovec iov = {
			.iov_base = buf,
			.iov_len = sizeof(buf),
		};
		int fd;

		while (1) {
			fd = open("/dev/vhci", O_RDWR);
			if (fd < 0)
				err(1, "open");

			usleep(50);

			if (writev(fd, &iov, 1) < 0)
				err(1, "writev");

			usleep(50);

			close(fd);
		}

		return 0;
	}

Result:
kmemleak: 4609 new suspected memory leaks
unreferenced object 0xffff88059f4d5440 (size 232):
  comm "vhci", pid 1084, jiffies 4294912542 (age 37569.296s)
  hex dump (first 32 bytes):
    20 f0 23 87 05 88 ff ff 20 f0 23 87 05 88 ff ff   .#..... .#.....
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
...
    [<ffffffff81ece010>] __alloc_skb+0x0/0x5a0
    [<ffffffffa021886c>] vhci_create_device+0x5c/0x580 [hci_vhci]
    [<ffffffffa0219436>] vhci_write+0x306/0x4c8 [hci_vhci]

Fixes: 23424c0d31 (Bluetooth: Add support creating virtual AMP controllers)
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/bluetooth/hci_vhci.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index e1974a6..a269b34 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -352,6 +352,7 @@ static int vhci_release(struct inode *inode, struct file *file)
 		hci_free_dev(hdev);
 	}
 
+	skb_queue_purge(&data->readq);
 	file->private_data = NULL;
 	kfree(data);
 
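Review bot: skb_queue_purge(&data->readq) is placed after the hdev teardown without saying why the order matters. If frames can still be queued to readq until hci_unregister_dev() returns (the trace in the previous patch shows vhci_send_frame() reaching skb_queue_tail()), purging earlier would leave the same leak, so a short comment pinning the call after the unregister is worth adding.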
-- 
2.7.4


* [PATCH 4.2.y-ckt 015/206] cpuidle: Indicate when a device has been unregistered
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (13 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 014/206] Bluetooth: vhci: purge unhandled skbs Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 016/206] mfd: intel_quark_i2c_gpio: Use clkdev_create() Kamal Mostafa
                   ` (190 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Dave Gerlach, Rafael J . Wysocki, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Dave Gerlach <d-gerlach@ti.com>

commit c998c07836f985b24361629dc98506ec7893e7a0 upstream.

Currently the 'registered' member of the cpuidle_device struct is set
to 1 during cpuidle_register_device. In this same function there are
checks to see if the device is already registered to prevent duplicate
calls to register the device, but this value is never set to 0 even on
unregister of the device. Because of this, any attempt to call
cpuidle_register_device after a call to cpuidle_unregister_device will
fail which shouldn't be the case.

To prevent this, set registered to 0 when the device is unregistered.

Fixes: c878a52d3c7c (cpuidle: Check if device is already registered)
Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
Acked-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/cpuidle/cpuidle.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c
index 48b7228..f4db470 100644
--- a/drivers/cpuidle/cpuidle.c
+++ b/drivers/cpuidle/cpuidle.c
@@ -429,6 +429,8 @@ static void __cpuidle_unregister_device(struct cpuidle_device *dev)
 	list_del(&dev->device_list);
 	per_cpu(cpuidle_devices, dev->cpu) = NULL;
 	module_put(drv->owner);
+
+	dev->registered = 0;
 }
 
 static void __cpuidle_device_init(struct cpuidle_device *dev)
-- 
2.7.4


* [PATCH 4.2.y-ckt 016/206] mfd: intel_quark_i2c_gpio: Use clkdev_create()
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (14 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 015/206] cpuidle: Indicate when a device has been unregistered Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 017/206] mfd: intel_quark_i2c_gpio: Remove clock tree on error path Kamal Mostafa
                   ` (189 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Andy Shevchenko, Russell King, Stephen Boyd, Lee Jones, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Stephen Boyd <sboyd@codeaurora.org>

commit c4726abce63bf9b1887ce68fdf012a823bd94ec3 upstream.

Convert this driver to use clkdev_create() instead of
clk_register_clkdevs(). The latter API is only used by this driver,
although this driver only allocates one clk to add anyway.
Furthermore, this driver allocates the clk_lookup structure with
devm, but clkdev_drop() will free that structure when passed,
leading to a double free when this driver is removed. Clean it
all up and pave the way for the removal of clk_register_clkdevs().

Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Russell King <linux@arm.linux.org.uk>
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/mfd/intel_quark_i2c_gpio.c | 26 +++++++++-----------------
 1 file changed, 9 insertions(+), 17 deletions(-)

diff --git a/drivers/mfd/intel_quark_i2c_gpio.c b/drivers/mfd/intel_quark_i2c_gpio.c
index 1ce1603..cbbf84b 100644
--- a/drivers/mfd/intel_quark_i2c_gpio.c
+++ b/drivers/mfd/intel_quark_i2c_gpio.c
@@ -48,8 +48,6 @@
 /* The Quark I2C controller source clock */
 #define INTEL_QUARK_I2C_CLK_HZ	33000000
 
-#define INTEL_QUARK_I2C_NCLK	1
-
 struct intel_quark_mfd {
 	struct pci_dev		*pdev;
 	struct clk		*i2c_clk;
@@ -114,30 +112,24 @@ MODULE_DEVICE_TABLE(pci, intel_quark_mfd_ids);
 static int intel_quark_register_i2c_clk(struct intel_quark_mfd *quark_mfd)
 {
 	struct pci_dev *pdev = quark_mfd->pdev;
-	struct clk_lookup *i2c_clk_lookup;
 	struct clk *i2c_clk;
-	int ret;
-
-	i2c_clk_lookup = devm_kcalloc(&pdev->dev, INTEL_QUARK_I2C_NCLK,
-				      sizeof(*i2c_clk_lookup), GFP_KERNEL);
-	if (!i2c_clk_lookup)
-		return -ENOMEM;
-
-	i2c_clk_lookup[0].dev_id = INTEL_QUARK_I2C_CONTROLLER_CLK;
 
 	i2c_clk = clk_register_fixed_rate(&pdev->dev,
 					  INTEL_QUARK_I2C_CONTROLLER_CLK, NULL,
 					  CLK_IS_ROOT, INTEL_QUARK_I2C_CLK_HZ);
+	if (IS_ERR(i2c_clk))
+		return PTR_ERR(i2c_clk);
 
-	quark_mfd->i2c_clk_lookup = i2c_clk_lookup;
 	quark_mfd->i2c_clk = i2c_clk;
+	quark_mfd->i2c_clk_lookup = clkdev_create(i2c_clk, NULL,
+						INTEL_QUARK_I2C_CONTROLLER_CLK);
 
-	ret = clk_register_clkdevs(i2c_clk, i2c_clk_lookup,
-				   INTEL_QUARK_I2C_NCLK);
-	if (ret)
-		dev_err(&pdev->dev, "Fixed clk register failed: %d\n", ret);
+	if (!quark_mfd->i2c_clk_lookup) {
+		dev_err(&pdev->dev, "Fixed clk register failed\n");
+		return -ENOMEM;
+	}
 
-	return ret;
+	return 0;
 }
 
 static void intel_quark_unregister_i2c_clk(struct pci_dev *pdev)
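Review bot: when clkdev_create() returns NULL the function returns -ENOMEM but leaves the clock from clk_register_fixed_rate() registered and quark_mfd->i2c_clk pointing at it. Call clk_unregister(i2c_clk) on that path, and assign quark_mfd->i2c_clk only once both steps have succeeded. The dev_err text "Fixed clk register failed" is also misleading at that point, since it is the lookup creation that failed.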
-- 
2.7.4


* [PATCH 4.2.y-ckt 017/206] mfd: intel_quark_i2c_gpio: Remove clock tree on error path
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (15 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 016/206] mfd: intel_quark_i2c_gpio: Use clkdev_create() Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 018/206] [media] media: v4l2-compat-ioctl32: fix missing reserved field copy in put_v4l2_create32 Kamal Mostafa
                   ` (188 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Andy Shevchenko, Lee Jones, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

commit 7f0c5ae18d649ed2f4978cbf07c02a0ff732f23e upstream.

There is a potential resource leak in case ->probe() fails. We have to
unregister and remove the clock tree, which is done here.

This is a follow-up to the previously pushed commit c4726abce63b ("mfd:
intel_quark_i2c_gpio: Use clkdev_create()") that prevents a double free() when
clkdev_drop() is followed by kfree() in the devm_kcalloc() release stage.

I leave the Fixes tag here, but backporting will require backporting the commit
c4726abce63b ("mfd: intel_quark_i2c_gpio: Use clkdev_create()") first.

Fixes: 60ae5b9f5cdd (mfd: intel_quark_i2c_gpio: Add Intel Quark X1000 I2C-GPIO MFD Driver)
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/mfd/intel_quark_i2c_gpio.c | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/drivers/mfd/intel_quark_i2c_gpio.c b/drivers/mfd/intel_quark_i2c_gpio.c
index cbbf84b..340ff40 100644
--- a/drivers/mfd/intel_quark_i2c_gpio.c
+++ b/drivers/mfd/intel_quark_i2c_gpio.c
@@ -125,6 +125,7 @@ static int intel_quark_register_i2c_clk(struct intel_quark_mfd *quark_mfd)
 						INTEL_QUARK_I2C_CONTROLLER_CLK);
 
 	if (!quark_mfd->i2c_clk_lookup) {
+		clk_unregister(quark_mfd->i2c_clk);
 		dev_err(&pdev->dev, "Fixed clk register failed\n");
 		return -ENOMEM;
 	}
@@ -136,7 +137,7 @@ static void intel_quark_unregister_i2c_clk(struct pci_dev *pdev)
 {
 	struct intel_quark_mfd *quark_mfd = dev_get_drvdata(&pdev->dev);
 
-	if (!quark_mfd->i2c_clk || !quark_mfd->i2c_clk_lookup)
+	if (!quark_mfd->i2c_clk_lookup)
 		return;
 
 	clkdev_drop(quark_mfd->i2c_clk_lookup);
@@ -232,26 +233,34 @@ static int intel_quark_mfd_probe(struct pci_dev *pdev,
 	quark_mfd = devm_kzalloc(&pdev->dev, sizeof(*quark_mfd), GFP_KERNEL);
 	if (!quark_mfd)
 		return -ENOMEM;
+
 	quark_mfd->pdev = pdev;
+	dev_set_drvdata(&pdev->dev, quark_mfd);
 
 	ret = intel_quark_register_i2c_clk(quark_mfd);
 	if (ret)
 		return ret;
 
-	dev_set_drvdata(&pdev->dev, quark_mfd);
-
 	ret = intel_quark_i2c_setup(pdev, &intel_quark_mfd_cells[MFD_I2C_BAR]);
 	if (ret)
-		return ret;
+		goto err_unregister_i2c_clk;
 
 	ret = intel_quark_gpio_setup(pdev,
 				     &intel_quark_mfd_cells[MFD_GPIO_BAR]);
 	if (ret)
-		return ret;
+		goto err_unregister_i2c_clk;
 
-	return mfd_add_devices(&pdev->dev, 0, intel_quark_mfd_cells,
-			       ARRAY_SIZE(intel_quark_mfd_cells), NULL, 0,
-			       NULL);
+	ret = mfd_add_devices(&pdev->dev, 0, intel_quark_mfd_cells,
+			      ARRAY_SIZE(intel_quark_mfd_cells), NULL, 0,
+			      NULL);
+	if (ret)
+		goto err_unregister_i2c_clk;
+
+	return 0;
+
+err_unregister_i2c_clk:
+	intel_quark_unregister_i2c_clk(pdev);
+	return ret;
 }
 
 static void intel_quark_mfd_remove(struct pci_dev *pdev)
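Review bot: the err_unregister_i2c_clk path only works because dev_set_drvdata() was moved above intel_quark_register_i2c_clk(), since intel_quark_unregister_i2c_clk() finds quark_mfd through dev_get_drvdata(). That dependency is invisible at the label; passing quark_mfd to the helper directly, or a comment at the dev_set_drvdata() call, would make it hard to break in a later reshuffle.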
-- 
2.7.4


* [PATCH 4.2.y-ckt 018/206] [media] media: v4l2-compat-ioctl32: fix missing reserved field copy in put_v4l2_create32
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (16 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 017/206] mfd: intel_quark_i2c_gpio: Remove clock tree on error path Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 019/206] scsi: Add intermediate STARGET_REMOVE state to scsi_target_state Kamal Mostafa
                   ` (187 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Tiffany Lin, Hans Verkuil, Mauro Carvalho Chehab, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Tiffany Lin <tiffany.lin@mediatek.com>

commit baf43c6eace43868e490f18560287fa3481b2159 upstream.

In the v4l2-compliance utility, the VIDIOC_CREATE_BUFS test checks whether the
reserved field of v4l2_create_buffers is filled with zero.
The reserved field is filled with zero in v4l_create_bufs.
This patch copies the reserved field of v4l2_create_buffer from kernel space to
user space.

Signed-off-by: Tiffany Lin <tiffany.lin@mediatek.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
index 73138a3..da9883a 100644
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -259,7 +259,8 @@ static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user
 static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up)
 {
 	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_create_buffers32)) ||
-	    copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format)))
+	    copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format)) ||
+	    copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
 		return -EFAULT;
 	return __put_v4l2_format32(&kp->format, &up->format);
 }
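Review bot: the added copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved)) takes its length from the native struct, so it is only safe while reserved has the same size in struct v4l2_create_buffers32. A BUILD_BUG_ON(sizeof(up->reserved) != sizeof(kp->reserved)) next to it would catch a divergence at build time rather than as a write past the user's field.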
-- 
2.7.4


* [PATCH 4.2.y-ckt 019/206] scsi: Add intermediate STARGET_REMOVE state to scsi_target_state
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (17 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 018/206] [media] media: v4l2-compat-ioctl32: fix missing reserved field copy in put_v4l2_create32 Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 020/206] Revert "scsi: fix soft lockup in scsi_remove_target() on module removal" Kamal Mostafa
                   ` (186 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Johannes Thumshirn, Martin K . Petersen, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Johannes Thumshirn <jthumshirn@suse.de>

commit f05795d3d771f30a7bdc3a138bf714b06d42aa95 upstream.

Add intermediate STARGET_REMOVE state to scsi_target_state to avoid
running into the BUG_ON() in scsi_target_reap(). The STARGET_REMOVE
state is only valid in the path from scsi_remove_target() to
scsi_target_destroy() indicating this target is going to be removed.

This re-fixes the problem introduced in commits bc3f02a795d3 ("[SCSI]
scsi_remove_target: fix softlockup regression on hot remove") and
40998193560d ("scsi: restart list search after unlock in
scsi_remove_target") in a more comprehensive way.

[mkp: Included James' fix for scsi_target_destroy()]

Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Fixes: 40998193560dab6c3ce8d25f4fa58a23e252ef38
Reported-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Tested-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Reviewed-by: James Bottomley <jejb@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/scsi/scsi_scan.c   | 1 +
 drivers/scsi/scsi_sysfs.c  | 2 ++
 include/scsi/scsi_device.h | 1 +
 3 files changed, 4 insertions(+)

diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
index f9f3f82..f16829f 100644
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -314,6 +314,7 @@ static void scsi_target_destroy(struct scsi_target *starget)
 	struct Scsi_Host *shost = dev_to_shost(dev->parent);
 	unsigned long flags;
 
+	BUG_ON(starget->state == STARGET_DEL);
 	starget->state = STARGET_DEL;
 	transport_destroy_device(dev);
 	spin_lock_irqsave(shost->host_lock, flags);
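
Review bot: the new BUG_ON(starget->state == STARGET_DEL) and the assignment that follows it both run before spin_lock_irqsave(shost->host_lock, flags), so the check and the state change are not serialized against the state tests that scsi_remove_target() makes under host_lock. Consider doing the test and the assignment under the lock, and consider WARN_ON() with an early return instead of BUG_ON(), since a double destroy would otherwise take the whole machine down.
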
diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index 168a509..c6126e0 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -1155,11 +1155,13 @@ restart:
 	spin_lock_irqsave(shost->host_lock, flags);
 	list_for_each_entry(starget, &shost->__targets, siblings) {
 		if (starget->state == STARGET_DEL ||
+		    starget->state == STARGET_REMOVE ||
 		    starget == last_target)
 			continue;
 		if (starget->dev.parent == dev || &starget->dev == dev) {
 			kref_get(&starget->reap_ref);
 			last_target = starget;
+			starget->state = STARGET_REMOVE;
 			spin_unlock_irqrestore(shost->host_lock, flags);
 			__scsi_remove_target(starget);
 			scsi_target_reap(starget);
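
Review bot: once targets in STARGET_REMOVE are skipped, the `starget == last_target` test in the same condition is redundant, because `starget->state = STARGET_REMOVE` is set before host_lock is dropped and the rescan will skip that target by state. Either drop last_target here or say in the changelog that a follow-up removes it. The state write is also unconditional; a one-line comment stating which states may move to STARGET_REMOVE would help the next reader.
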
diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
index ae84b22..0403c1b 100644
--- a/include/scsi/scsi_device.h
+++ b/include/scsi/scsi_device.h
@@ -259,6 +259,7 @@ scmd_printk(const char *, const struct scsi_cmnd *, const char *, ...);
 enum scsi_target_state {
 	STARGET_CREATED = 1,
 	STARGET_RUNNING,
+	STARGET_REMOVE,
 	STARGET_DEL,
 };
 
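
Review bot: STARGET_REMOVE is inserted between STARGET_RUNNING and STARGET_DEL, which shifts the numeric value of STARGET_DEL; that is harmless for users that compare by name, but worth a line in the changelog of a stable backport. The enum also carries no comment on its states; please document that STARGET_REMOVE is only valid between scsi_remove_target() and scsi_target_destroy(), as the commit message says.
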
-- 
2.7.4


* [PATCH 4.2.y-ckt 020/206] Revert "scsi: fix soft lockup in scsi_remove_target() on module removal"
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (18 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 019/206] scsi: Add intermediate STARGET_REMOVE state to scsi_target_state Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 021/206] drm/i915/dsi: fix CHV dsi encoder hardware state readout on port C Kamal Mostafa
                   ` (185 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Johannes Thumshirn, Martin K . Petersen, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Johannes Thumshirn <jthumshirn@suse.de>

commit 305c2e71b3d733ec065cb716c76af7d554bd5571 upstream.

Now that we've done a more comprehensive fix with the intermediate
target state we can remove the previous hack introduced with commit
90a88d6ef88e ("scsi: fix soft lockup in scsi_remove_target() on module
removal").

Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/scsi/scsi_sysfs.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index c6126e0..64f11fa 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -1148,19 +1148,17 @@ static void __scsi_remove_target(struct scsi_target *starget)
 void scsi_remove_target(struct device *dev)
 {
 	struct Scsi_Host *shost = dev_to_shost(dev->parent);
-	struct scsi_target *starget, *last_target = NULL;
+	struct scsi_target *starget;
 	unsigned long flags;
 
 restart:
 	spin_lock_irqsave(shost->host_lock, flags);
 	list_for_each_entry(starget, &shost->__targets, siblings) {
 		if (starget->state == STARGET_DEL ||
-		    starget->state == STARGET_REMOVE ||
-		    starget == last_target)
+		    starget->state == STARGET_REMOVE)
 			continue;
 		if (starget->dev.parent == dev || &starget->dev == dev) {
 			kref_get(&starget->reap_ref);
-			last_target = starget;
 			starget->state = STARGET_REMOVE;
 			spin_unlock_irqrestore(shost->host_lock, flags);
 			__scsi_remove_target(starget);
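
Review bot: with last_target gone, the rescan from the restart: label terminates only because `starget->state = STARGET_REMOVE` is set before spin_unlock_irqrestore(); that ordering is now load-bearing and deserves a comment at the assignment. This revert is also only correct on top of the STARGET_REMOVE patch (019 in this series), so the two must stay together when cherry-picking.
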
-- 
2.7.4


* [PATCH 4.2.y-ckt 021/206] drm/i915/dsi: fix CHV dsi encoder hardware state readout on port C
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (19 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 020/206] Revert "scsi: fix soft lockup in scsi_remove_target() on module removal" Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 022/206] usb: f_mass_storage: test whether thread is running before starting another Kamal Mostafa
                   ` (184 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Jani Nikula, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Jani Nikula <jani.nikula@intel.com>

commit e6f577893d0a4c1f62585bc426ab32d88593d7da upstream.

Due to "some hardware limitation" the DPI enable bit in port C control
register does not get set on VLV. As a workaround we check the status in
pipe B conf register instead. The workaround was added in

commit c0beefd29fcb1ca998f0f9ba41be8539f8eeba9b
Author: Gaurav K Singh <gaurav.k.singh@intel.com>
Date:   Tue Dec 9 10:59:20 2014 +0530

    drm/i915: Software workaround for getting the HW status of DSI Port C on BYT

Empirical evidence (on Surface 3 with DSI on port C per VBT) shows that
this is the case also on CHV, so extend the workaround to CHV. We still
have the device ready register check in place, so this should not get
confused with e.g. HDMI on pipe B.

This fixes a number of state checker warnings on CHV DSI port C.

Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1460724451-13810-1-git-send-email-jani.nikula@intel.com
[ kamal: backport to 4.2-stable: context ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/gpu/drm/i915/intel_dsi.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/i915/intel_dsi.c b/drivers/gpu/drm/i915/intel_dsi.c
index 68b25dd..d03690e 100644
--- a/drivers/gpu/drm/i915/intel_dsi.c
+++ b/drivers/gpu/drm/i915/intel_dsi.c
@@ -600,12 +600,12 @@ static bool intel_dsi_get_hw_state(struct intel_encoder *encoder,
 		dpi_enabled = I915_READ(MIPI_PORT_CTRL(port)) &
 							DPI_ENABLE;
 
-		/* Due to some hardware limitations on BYT, MIPI Port C DPI
-		 * Enable bit does not get set. To check whether DSI Port C
-		 * was enabled in BIOS, check the Pipe B enable bit
+		/*
+		 * Due to some hardware limitations on VLV/CHV, the DPI enable
+		 * bit in port C control register does not get set. As a
+		 * workaround, check pipe B conf instead.
 		 */
-		if (IS_VALLEYVIEW(dev) && !IS_CHERRYVIEW(dev) &&
-		    (port == PORT_C))
+		if ((IS_VALLEYVIEW(dev) || IS_CHERRYVIEW(dev)) && port == PORT_C)
 			dpi_enabled = I915_READ(PIPECONF(PIPE_B)) &
 							PIPECONF_ENABLE;
 
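
Review bot: the removed condition was `IS_VALLEYVIEW(dev) && !IS_CHERRYVIEW(dev)`, which implies IS_VALLEYVIEW() is already true on CHV in this tree; if so, `(IS_VALLEYVIEW(dev) || IS_CHERRYVIEW(dev))` is redundant and plain IS_VALLEYVIEW(dev) would do. If the explicit form is kept for parity with upstream, say so in the backport note.
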
-- 
2.7.4


* [PATCH 4.2.y-ckt 022/206] usb: f_mass_storage: test whether thread is running before starting another
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (20 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 021/206] drm/i915/dsi: fix CHV dsi encoder hardware state readout on port C Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 023/206] hwmon: (ads7828) Enable internal reference Kamal Mostafa
                   ` (183 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Michal Nazarewicz, Alan Stern, Felipe Balbi, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Michal Nazarewicz <mina86@mina86.com>

commit f78bbcae86e676fad9e6c6bb6cd9d9868ba23696 upstream.

When binding the function to usb_configuration, check whether the thread
is running before starting another one.  Without that, when function
instance is added to multiple configurations, fsg_bind starts multiple
threads with all but the latest one being forgotten by the driver.  This
leads to obvious thread leaks, possible lockups when trying to halt the
machine and possibly more issues.

This fixes issues with legacy/multi¹ gadget as well as configfs gadgets
when mass_storage function is added to multiple configurations.

This change also simplifies API since the legacy gadgets no longer need
to worry about starting the thread by themselves (which was where bug
in legacy/multi was in the first place).

N.B., this patch doesn’t address adding single mass_storage function
instance to a single configuration twice.  Thankfully, there’s no
legitimate reason for such setup plus, if I’m not mistaken, configfs
gadget doesn’t even allow it to be expressed.

¹ I have no example failure though.  Conclusion that legacy/multi has
  a bug is based purely on me reading the code.

Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Tested-by: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[ kamal: backport to 4.2-stable: fsg_bind() decl 'common';
  no change to nokia.c (no fsg_opts) ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>

squash! 334f47b
---
 drivers/usb/gadget/function/f_mass_storage.c | 37 ++++++++++++----------------
 drivers/usb/gadget/function/f_mass_storage.h |  2 --
 drivers/usb/gadget/legacy/acm_ms.c           |  4 ---
 drivers/usb/gadget/legacy/mass_storage.c     |  4 ---
 drivers/usb/gadget/legacy/multi.c            | 12 ---------
 5 files changed, 16 insertions(+), 43 deletions(-)

diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c
index f936268..99ae086 100644
--- a/drivers/usb/gadget/function/f_mass_storage.c
+++ b/drivers/usb/gadget/function/f_mass_storage.c
@@ -2998,25 +2998,6 @@ void fsg_common_set_inquiry_string(struct fsg_common *common, const char *vn,
 }
 EXPORT_SYMBOL_GPL(fsg_common_set_inquiry_string);
 
-int fsg_common_run_thread(struct fsg_common *common)
-{
-	common->state = FSG_STATE_IDLE;
-	/* Tell the thread to start working */
-	common->thread_task =
-		kthread_create(fsg_main_thread, common, "file-storage");
-	if (IS_ERR(common->thread_task)) {
-		common->state = FSG_STATE_TERMINATED;
-		return PTR_ERR(common->thread_task);
-	}
-
-	DBG(common, "I/O thread pid: %d\n", task_pid_nr(common->thread_task));
-
-	wake_up_process(common->thread_task);
-
-	return 0;
-}
-EXPORT_SYMBOL_GPL(fsg_common_run_thread);
-
 static void fsg_common_release(struct kref *ref)
 {
 	struct fsg_common *common = container_of(ref, struct fsg_common, ref);
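
Review bot: fsg_common_run_thread() is dropped together with its EXPORT_SYMBOL_GPL, so any caller left in this tree will fail to build or link. The backport note says nokia.c is untouched because it has no fsg_opts; please confirm with a grep that no other gadget in 4.2 still calls it.
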
@@ -3025,6 +3006,7 @@ static void fsg_common_release(struct kref *ref)
 	if (common->state != FSG_STATE_TERMINATED) {
 		raise_exception(common, FSG_STATE_EXIT);
 		wait_for_completion(&common->thread_notifier);
+		common->thread_task = NULL;
 	}
 
 	if (likely(common->luns)) {
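
Review bot: `common->thread_task = NULL` is cleared only inside the `common->state != FSG_STATE_TERMINATED` branch. If the thread has already terminated on its own, thread_task keeps a stale pointer, and fsg_bind() in this patch uses `!common->thread_task` as its "not running" test. Clearing the pointer wherever the state becomes FSG_STATE_TERMINATED would keep the two in step.
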
@@ -3056,6 +3038,7 @@ static void fsg_common_release(struct kref *ref)
 static int fsg_bind(struct usb_configuration *c, struct usb_function *f)
 {
 	struct fsg_dev		*fsg = fsg_from_func(f);
+	struct fsg_common       *common = fsg->common;
 	struct usb_gadget	*gadget = c->cdev->gadget;
 	int			i;
 	struct usb_ep		*ep;
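
Review bot: style: the new `struct fsg_common       *common` declaration is aligned with spaces while the neighbouring declarations use tabs; please use tabs to match.
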
@@ -3070,9 +3053,21 @@ static int fsg_bind(struct usb_configuration *c, struct usb_function *f)
 		if (ret)
 			return ret;
 		fsg_common_set_inquiry_string(fsg->common, NULL, NULL);
-		ret = fsg_common_run_thread(fsg->common);
-		if (ret)
+	}
+
+	if (!common->thread_task) {
+		common->state = FSG_STATE_IDLE;
+		common->thread_task =
+			kthread_create(fsg_main_thread, common, "file-storage");
+		if (IS_ERR(common->thread_task)) {
+			int ret = PTR_ERR(common->thread_task);
+			common->thread_task = NULL;
+			common->state = FSG_STATE_TERMINATED;
 			return ret;
+		}
+		DBG(common, "I/O thread pid: %d\n",
+		    task_pid_nr(common->thread_task));
+		wake_up_process(common->thread_task);
 	}
 
 	fsg->gadget = gadget;
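
Review bot: `int ret = PTR_ERR(common->thread_task);` declares a second ret inside the error branch, shadowing the function-level ret used a few lines up in `if (ret) return ret;`; assign to the existing variable instead. Separately, the `if (!common->thread_task)` test and the kthread_create() assignment are not covered by any lock visible here, so please state in a comment what serializes fsg_bind() calls that share one fsg_common.
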
diff --git a/drivers/usb/gadget/function/f_mass_storage.h b/drivers/usb/gadget/function/f_mass_storage.h
index b4866fc..44f2337 100644
--- a/drivers/usb/gadget/function/f_mass_storage.h
+++ b/drivers/usb/gadget/function/f_mass_storage.h
@@ -157,8 +157,6 @@ int fsg_common_create_luns(struct fsg_common *common, struct fsg_config *cfg);
 void fsg_common_set_inquiry_string(struct fsg_common *common, const char *vn,
 				   const char *pn);
 
-int fsg_common_run_thread(struct fsg_common *common);
-
 void fsg_config_from_params(struct fsg_config *cfg,
 			    const struct fsg_module_parameters *params,
 			    unsigned int fsg_num_buffers);
diff --git a/drivers/usb/gadget/legacy/acm_ms.c b/drivers/usb/gadget/legacy/acm_ms.c
index 1194b09..5c72379 100644
--- a/drivers/usb/gadget/legacy/acm_ms.c
+++ b/drivers/usb/gadget/legacy/acm_ms.c
@@ -147,10 +147,6 @@ static int acm_ms_do_config(struct usb_configuration *c)
 	if (status < 0)
 		goto put_msg;
 
-	status = fsg_common_run_thread(opts->common);
-	if (status)
-		goto remove_acm;
-
 	status = usb_add_function(c, f_msg);
 	if (status)
 		goto remove_acm;
diff --git a/drivers/usb/gadget/legacy/mass_storage.c b/drivers/usb/gadget/legacy/mass_storage.c
index e7bfb08..5038475 100644
--- a/drivers/usb/gadget/legacy/mass_storage.c
+++ b/drivers/usb/gadget/legacy/mass_storage.c
@@ -146,10 +146,6 @@ static int msg_do_config(struct usb_configuration *c)
 	if (IS_ERR(f_msg))
 		return PTR_ERR(f_msg);
 
-	ret = fsg_common_run_thread(opts->common);
-	if (ret)
-		goto put_func;
-
 	ret = usb_add_function(c, f_msg);
 	if (ret)
 		goto put_func;
diff --git a/drivers/usb/gadget/legacy/multi.c b/drivers/usb/gadget/legacy/multi.c
index b21b51f..163a700 100644
--- a/drivers/usb/gadget/legacy/multi.c
+++ b/drivers/usb/gadget/legacy/multi.c
@@ -151,7 +151,6 @@ static struct usb_function *f_msg_rndis;
 
 static int rndis_do_config(struct usb_configuration *c)
 {
-	struct fsg_opts *fsg_opts;
 	int ret;
 
 	if (gadget_is_otg(c->cdev->gadget)) {
@@ -183,11 +182,6 @@ static int rndis_do_config(struct usb_configuration *c)
 		goto err_fsg;
 	}
 
-	fsg_opts = fsg_opts_from_func_inst(fi_msg);
-	ret = fsg_common_run_thread(fsg_opts->common);
-	if (ret)
-		goto err_run;
-
 	ret = usb_add_function(c, f_msg_rndis);
 	if (ret)
 		goto err_run;
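
Review bot: style only: with the fsg_common_run_thread() call removed, the remaining `goto err_run` is taken when usb_add_function() fails, so the label name no longer describes the failure. Not worth diverging from upstream in a stable backport, but worth a rename upstream.
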
@@ -239,7 +233,6 @@ static struct usb_function *f_msg_multi;
 
 static int cdc_do_config(struct usb_configuration *c)
 {
-	struct fsg_opts *fsg_opts;
 	int ret;
 
 	if (gadget_is_otg(c->cdev->gadget)) {
@@ -272,11 +265,6 @@ static int cdc_do_config(struct usb_configuration *c)
 		goto err_fsg;
 	}
 
-	fsg_opts = fsg_opts_from_func_inst(fi_msg);
-	ret = fsg_common_run_thread(fsg_opts->common);
-	if (ret)
-		goto err_run;
-
 	ret = usb_add_function(c, f_msg_multi);
 	if (ret)
 		goto err_run;
-- 
2.7.4


* [PATCH 4.2.y-ckt 023/206] hwmon: (ads7828) Enable internal reference
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (21 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 022/206] usb: f_mass_storage: test whether thread is running before starting another Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 024/206] ath10k: fix rx_channel during hw reconfigure Kamal Mostafa
                   ` (182 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Akshay Bhat, Guenter Roeck, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Akshay Bhat <akshay.bhat@timesys.com>

commit 7a18afe8097731b8ffb6cb5b2b3b418ded77c105 upstream.

On ads7828 the internal reference defaults to off upon power up. When
using internal reference, it needs to be turned on and the voltage needs
to settle before normal conversion cycle can be started. Hence perform a
dummy read in the probe to enable the internal reference allowing the
voltage to settle before performing a normal read.

Without this fix, the first read from the ADC when using internal
reference always returns incorrect data.

Signed-off-by: Akshay Bhat <akshay.bhat@timesys.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/hwmon/ads7828.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/hwmon/ads7828.c b/drivers/hwmon/ads7828.c
index 6c99ee7..ee396ff 100644
--- a/drivers/hwmon/ads7828.c
+++ b/drivers/hwmon/ads7828.c
@@ -120,6 +120,7 @@ static int ads7828_probe(struct i2c_client *client,
 	unsigned int vref_mv = ADS7828_INT_VREF_MV;
 	bool diff_input = false;
 	bool ext_vref = false;
+	unsigned int regval;
 
 	data = devm_kzalloc(dev, sizeof(struct ads7828_data), GFP_KERNEL);
 	if (!data)
@@ -154,6 +155,15 @@ static int ads7828_probe(struct i2c_client *client,
 	if (!diff_input)
 		data->cmd_byte |= ADS7828_CMD_SD_SE;
 
+	/*
+	 * Datasheet specifies internal reference voltage is disabled by
+	 * default. The internal reference voltage needs to be enabled and
+	 * voltage needs to settle before getting valid ADC data. So perform a
+	 * dummy read to enable the internal reference voltage.
+	 */
+	if (!ext_vref)
+		regmap_read(data->regmap, data->cmd_byte, &regval);
+
 	hwmon_dev = devm_hwmon_device_register_with_groups(dev, client->name,
 							   data,
 							   ads7828_groups);
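
Review bot: the return value of regmap_read(data->regmap, data->cmd_byte, &regval) is ignored, so an I2C failure during the dummy read goes unnoticed and the first real conversion can still return bad data. The comment also says the voltage needs to settle, but nothing after the read waits for that; either check the error and add the settling delay, or explain in the comment why neither is needed.
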
-- 
2.7.4


* [PATCH 4.2.y-ckt 024/206] ath10k: fix rx_channel during hw reconfigure
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (22 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 023/206] hwmon: (ads7828) Enable internal reference Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 025/206] Bluetooth: vhci: Fix race at creating hci device Kamal Mostafa
                   ` (181 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Rajkumar Manoharan, Kalle Valo, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>

commit 1ce8c1484e80010a6e4b9611c65668ff77556f45 upstream.

Upon firmware assert, restart work will be triggered so that mac80211
will reconfigure the driver. An issue is reported that after restart
work, survey dump data do not contain in-use (SURVEY_INFO_IN_USE) info
for operating channel. During reconfigure, since mac80211 already has
valid channel context for given radio, channel context iteration returns
num_chanctx > 0. Hence rx_channel is always NULL. Fix this by assigning
channel context to rx_channel when driver restart is in progress.

Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/wireless/ath/ath10k/mac.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index 9301716..fb84cf0 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -6123,7 +6123,13 @@ ath10k_mac_update_rx_channel(struct ath10k *ar,
 			def = &vifs[0].new_ctx->def;
 
 		ar->rx_channel = def->chan;
-	} else if (ctx && ath10k_mac_num_chanctxs(ar) == 0) {
+	} else if ((ctx && ath10k_mac_num_chanctxs(ar) == 0) ||
+		   (ctx && (ar->state == ATH10K_STATE_RESTARTED))) {
+		/* During driver restart due to firmware assert, since mac80211
+		 * already has valid channel context for given radio, channel
+		 * context iteration return num_chanctx > 0. So fix rx_channel
+		 * when restart is in progress.
+		 */
 		ar->rx_channel = ctx->def.chan;
 	} else {
 		ar->rx_channel = NULL;
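
Review bot: `ctx` is tested in both halves of the new condition; `ctx && (ath10k_mac_num_chanctxs(ar) == 0 || ar->state == ATH10K_STATE_RESTARTED)` says the same thing more readably. The added comment also reads like a changelog entry ("So fix rx_channel when restart is in progress"); it should describe why the restarted state needs the channel context rather than what the patch fixes.
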
-- 
2.7.4


* [PATCH 4.2.y-ckt 025/206] Bluetooth: vhci: Fix race at creating hci device
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (23 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 024/206] ath10k: fix rx_channel during hw reconfigure Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 026/206] powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel Kamal Mostafa
                   ` (180 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Takashi Iwai, Marcel Holtmann, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Takashi Iwai <tiwai@suse.de>

commit c7c999cb18da88a881e10e07f0724ad0bfaff770 upstream.

hci_vhci driver creates a hci device object dynamically upon each
HCI_VENDOR_PKT write.  Although it checks the already created object
and returns an error, it's still racy and may build multiple hci_dev
objects concurrently when parallel writes are performed, as the device
tracks only a single hci_dev object.

This patch introduces a mutex to protect against the concurrent device
creations.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/bluetooth/hci_vhci.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index a269b34..4c4aa7d 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -50,6 +50,7 @@ struct vhci_data {
 	wait_queue_head_t read_wait;
 	struct sk_buff_head readq;
 
+	struct mutex open_mutex;
 	struct delayed_work open_timeout;
 };
 
@@ -95,12 +96,15 @@ static int vhci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
 	return 0;
 }
 
-static int vhci_create_device(struct vhci_data *data, __u8 opcode)
+static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
 {
 	struct hci_dev *hdev;
 	struct sk_buff *skb;
 	__u8 dev_type;
 
+	if (data->hdev)
+		return -EBADFD;
+
 	/* bits 0-1 are dev_type (BR/EDR or AMP) */
 	dev_type = opcode & 0x03;
 
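
Review bot: the `if (data->hdev) return -EBADFD;` check at the top of __vhci_create_device() is only race-free while the caller holds data->open_mutex. Add lockdep_assert_held(&data->open_mutex) or a comment on the function stating that requirement, so a later direct caller does not reintroduce the race.
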
@@ -159,6 +163,17 @@ static int vhci_create_device(struct vhci_data *data, __u8 opcode)
 	return 0;
 }
 
+static int vhci_create_device(struct vhci_data *data, __u8 opcode)
+{
+	int err;
+
+	mutex_lock(&data->open_mutex);
+	err = __vhci_create_device(data, opcode);
+	mutex_unlock(&data->open_mutex);
+
+	return err;
+}
+
 static inline ssize_t vhci_get_user(struct vhci_data *data,
 				    struct iov_iter *from)
 {
@@ -199,11 +214,6 @@ static inline ssize_t vhci_get_user(struct vhci_data *data,
 	case HCI_VENDOR_PKT:
 		cancel_delayed_work_sync(&data->open_timeout);
 
-		if (data->hdev) {
-			kfree_skb(skb);
-			return -EBADFD;
-		}
-
 		opcode = *((__u8 *) skb->data);
 		skb_pull(skb, 1);
 
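
Review bot: the removed block called `kfree_skb(skb)` before returning -EBADFD. With the check moved into __vhci_create_device(), that error now comes back from vhci_create_device(), and the hunk does not show the code after skb_pull(); please confirm the skb is freed on that return path so a repeated HCI_VENDOR_PKT write does not leak it.
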
@@ -328,6 +338,7 @@ static int vhci_open(struct inode *inode, struct file *file)
 	skb_queue_head_init(&data->readq);
 	init_waitqueue_head(&data->read_wait);
 
+	mutex_init(&data->open_mutex);
 	INIT_DELAYED_WORK(&data->open_timeout, vhci_open_timeout);
 
 	file->private_data = data;
-- 
2.7.4


* [PATCH 4.2.y-ckt 026/206] powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (24 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 025/206] Bluetooth: vhci: Fix race at creating hci device Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 027/206] PM / Runtime: Fix error path in pm_runtime_force_resume() Kamal Mostafa
                   ` (179 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Hari Bathini, Mahesh Salgaonkar, Michael Ellerman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Hari Bathini <hbathini@linux.vnet.ibm.com>

commit 8ed8ab40047a570fdd8043a40c104a57248dd3fd upstream.

Some of the interrupt vectors on 64-bit POWER server processors are only
32 bytes long (8 instructions), which is not enough for the full
first-level interrupt handler. For these we need to branch to an
out-of-line (OOL) handler. But when we are running a relocatable kernel,
interrupt vectors till __end_interrupts marker are copied down to real
address 0x100. So, branching to labels (ie. OOL handlers) outside this
section must be handled differently (see LOAD_HANDLER()), considering
relocatable kernel, which would need at least 4 instructions.

However, branching from interrupt vector means that we corrupt the
CFAR (come-from address register) on POWER7 and later processors as
mentioned in commit 1707dd16. So, EXCEPTION_PROLOG_0 (6 instructions)
that contains the part up to the point where the CFAR is saved in the
PACA should be part of the short interrupt vectors before we branch out
to OOL handlers.

But as mentioned already, there are interrupt vectors on 64-bit POWER
server processors that are only 32 bytes long (like vectors 0x4f00,
0x4f20, etc.), which cannot accommodate the above two cases at the same
time owing to space constraint. Currently, in these interrupt vectors,
we simply branch out to OOL handlers, without using LOAD_HANDLER(),
which leaves us vulnerable when running a relocatable kernel (eg. kdump
case). While this has been the case for some time now and kdump is used
widely, we were fortunate not to see any problems so far, for three
reasons:

  1. In almost all cases, production kernel (relocatable) is used for
     kdump as well, which would mean that crashed kernel's OOL handler
     would be at the same place where we end up branching to, from short
     interrupt vector of kdump kernel.
  2. Also, OOL handler was unlikely the reason for crash in almost all
     the kdump scenarios, which meant we had a sane OOL handler from
     crashed kernel that we branched to.
  3. On most 64-bit POWER server processors, page size is large enough
     that marking interrupt vector code as executable (see commit
     429d2e83) leads to marking OOL handler code from crashed kernel,
     that sits right below interrupt vector code from kdump kernel, as
     executable as well.

Let us fix this by moving the __end_interrupts marker down past OOL
handlers to make sure that we also copy OOL handlers to real address
0x100 when running a relocatable kernel.

This fix has been tested successfully in kdump scenario, on an LPAR with
4K page size by using different default/production kernel and kdump
kernel.

Also tested by manually corrupting the OOL handlers in the first kernel
and then kdump'ing, and then causing the OOL handlers to fire - mpe.

Fixes: c1fb6816fb1b ("powerpc: Add relocation on exception vector handlers")
Signed-off-by: Hari Bathini <hbathini@linux.vnet.ibm.com>
Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/powerpc/kernel/exceptions-64s.S | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
index 0a0399c2..b81ccc5 100644
--- a/arch/powerpc/kernel/exceptions-64s.S
+++ b/arch/powerpc/kernel/exceptions-64s.S
@@ -962,11 +962,6 @@ hv_facility_unavailable_relon_trampoline:
 #endif
 	STD_RELON_EXCEPTION_PSERIES(0x5700, 0x1700, altivec_assist)
 
-	/* Other future vectors */
-	.align	7
-	.globl	__end_interrupts
-__end_interrupts:
-
 	.align	7
 system_call_entry:
 	b	system_call_common
@@ -1253,6 +1248,17 @@ __end_handlers:
 	STD_RELON_EXCEPTION_PSERIES_OOL(0xf60, facility_unavailable)
 	STD_RELON_EXCEPTION_HV_OOL(0xf80, hv_facility_unavailable)
 
+	/*
+	 * The __end_interrupts marker must be past the out-of-line (OOL)
+	 * handlers, so that they are copied to real address 0x100 when running
+	 * a relocatable kernel. This ensures they can be reached from the short
+	 * trampoline handlers (like 0x4f00, 0x4f20, etc.) which branch
+	 * directly, without using LOAD_HANDLER().
+	 */
+	.align	7
+	.globl	__end_interrupts
+__end_interrupts:
+
 #if defined(CONFIG_PPC_PSERIES) || defined(CONFIG_PPC_POWERNV)
 /*
  * Data area reserved for FWNMI option.
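
Review bot: moving __end_interrupts below the OOL handlers enlarges the region that is copied down to real address 0x100, and nothing in the hunk bounds its size. A build-time check on the distance from the start of the vectors to __end_interrupts would catch a future handler addition that grows the copied region past what the low-memory layout allows.
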
-- 
2.7.4


* [PATCH 4.2.y-ckt 027/206] PM / Runtime: Fix error path in pm_runtime_force_resume()
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (25 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 026/206] powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 028/206] crypto: s5p-sss - Fix missed interrupts when working with 8 kB blocks Kamal Mostafa
                   ` (178 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Ulf Hansson, Rafael J . Wysocki, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Ulf Hansson <ulf.hansson@linaro.org>

commit 0ae3aeefabbeef26294e7a349b51f1c761d46c9f upstream.

As pm_runtime_set_active() may fail because the device's parent isn't
active, we can end up executing the ->runtime_resume() callback for the
device when it isn't allowed.

Fix this by invoking pm_runtime_set_active() before running the callback
and let's also deal with the error code.

Fixes: 37f204164dfb (PM: Add pm_runtime_suspend|resume_force functions)
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/base/power/runtime.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
index e1a10a0..9796a1a 100644
--- a/drivers/base/power/runtime.c
+++ b/drivers/base/power/runtime.c
@@ -1468,11 +1468,16 @@ int pm_runtime_force_resume(struct device *dev)
 		goto out;
 	}
 
-	ret = callback(dev);
+	ret = pm_runtime_set_active(dev);
 	if (ret)
 		goto out;
 
-	pm_runtime_set_active(dev);
+	ret = callback(dev);
+	if (ret) {
+		pm_runtime_set_suspended(dev);
+		goto out;
+	}
+
 	pm_runtime_mark_last_busy(dev);
 out:
 	pm_runtime_enable(dev);
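Review bot: in the new "if (ret) {" branch after callback(dev), the return value of pm_runtime_set_suspended(dev) is dropped, so nothing records whether the status set by the earlier pm_runtime_set_active(dev) was actually rolled back. Either add a short comment saying why the call cannot fail here (runtime PM stays disabled until the pm_runtime_enable(dev) at out:) or warn when it returns non-zero.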
-- 
2.7.4

* [PATCH 4.2.y-ckt 028/206] crypto: s5p-sss - Fix missed interrupts when working with 8 kB blocks
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (26 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 027/206] PM / Runtime: Fix error path in pm_runtime_force_resume() Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 029/206] ath9k: Add a module parameter to invert LED polarity Kamal Mostafa
                   ` (177 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Krzysztof Kozlowski, Herbert Xu, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Krzysztof Kozlowski <k.kozlowski@samsung.com>

commit 79152e8d085fd64484afd473ef6830b45518acba upstream.

The tcrypt testing module on Exynos5422-based Odroid XU3/4 board failed on
testing 8 kB size blocks:

	$ sudo modprobe tcrypt sec=1 mode=500
	testing speed of async ecb(aes) (ecb-aes-s5p) encryption
	test 0 (128 bit key, 16 byte blocks): 21971 operations in 1 seconds (351536 bytes)
	test 1 (128 bit key, 64 byte blocks): 21731 operations in 1 seconds (1390784 bytes)
	test 2 (128 bit key, 256 byte blocks): 21932 operations in 1 seconds (5614592 bytes)
	test 3 (128 bit key, 1024 byte blocks): 21685 operations in 1 seconds (22205440 bytes)
	test 4 (128 bit key, 8192 byte blocks):

This was caused by a race issue of missed BRDMA_DONE ("Block cipher
Receiving DMA") interrupt. Device starts processing the data in DMA mode
immediately after setting length of DMA block: receiving (FCBRDMAL) or
transmitting (FCBTDMAL). The driver sets these lengths from interrupt
handler through s5p_set_dma_indata() function (or xxx_setdata()).

However the interrupt handler was first dealing with receive buffer
(dma-unmap old, dma-map new, set receive block length which starts the
operation), then with transmit buffer and finally was clearing pending
interrupts (FCINTPEND). Because of the time window between setting
receive buffer length and clearing pending interrupts, the operation on
receive buffer could end already and driver would miss new interrupt.

User manual for Exynos5422 confirms in example code that setting DMA
block lengths should be the last operation.

The tcrypt hang could also be observed in the following blocked-task dmesg:

INFO: task modprobe:258 blocked for more than 120 seconds.
      Not tainted 4.6.0-rc4-next-20160419-00005-g9eac8b7b7753-dirty #42
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
modprobe        D c06b09d8     0   258    256 0x00000000
[<c06b09d8>] (__schedule) from [<c06b0f24>] (schedule+0x40/0xac)
[<c06b0f24>] (schedule) from [<c06b49f8>] (schedule_timeout+0x124/0x178)
[<c06b49f8>] (schedule_timeout) from [<c06b17fc>] (wait_for_common+0xb8/0x144)
[<c06b17fc>] (wait_for_common) from [<bf0013b8>] (test_acipher_speed+0x49c/0x740 [tcrypt])
[<bf0013b8>] (test_acipher_speed [tcrypt]) from [<bf003e8c>] (do_test+0x2240/0x30ec [tcrypt])
[<bf003e8c>] (do_test [tcrypt]) from [<bf008048>] (tcrypt_mod_init+0x48/0xa4 [tcrypt])
[<bf008048>] (tcrypt_mod_init [tcrypt]) from [<c010177c>] (do_one_initcall+0x3c/0x16c)
[<c010177c>] (do_one_initcall) from [<c0191ff0>] (do_init_module+0x5c/0x1ac)
[<c0191ff0>] (do_init_module) from [<c0185610>] (load_module+0x1a30/0x1d08)
[<c0185610>] (load_module) from [<c0185ab0>] (SyS_finit_module+0x8c/0x98)
[<c0185ab0>] (SyS_finit_module) from [<c01078c0>] (ret_fast_syscall+0x0/0x3c)

Fixes: a49e490c7a8a ("crypto: s5p-sss - add S5PV210 advanced crypto engine support")
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[ kamal: backport to 4.2-stable: context ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/crypto/s5p-sss.c | 53 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 39 insertions(+), 14 deletions(-)

diff --git a/drivers/crypto/s5p-sss.c b/drivers/crypto/s5p-sss.c
index f214a87..8a9256b 100644
--- a/drivers/crypto/s5p-sss.c
+++ b/drivers/crypto/s5p-sss.c
@@ -313,43 +313,55 @@ static int s5p_set_indata(struct s5p_aes_dev *dev, struct scatterlist *sg)
 	return err;
 }
 
-static void s5p_aes_tx(struct s5p_aes_dev *dev)
+/*
+ * Returns true if new transmitting (output) data is ready and its
+ * address+length have to be written to device (by calling
+ * s5p_set_dma_outdata()). False otherwise.
+ */
+static bool s5p_aes_tx(struct s5p_aes_dev *dev)
 {
 	int err = 0;
+	bool ret = false;
 
 	s5p_unset_outdata(dev);
 
 	if (!sg_is_last(dev->sg_dst)) {
 		err = s5p_set_outdata(dev, sg_next(dev->sg_dst));
-		if (err) {
+		if (err)
 			s5p_aes_complete(dev, err);
-			return;
-		}
-
-		s5p_set_dma_outdata(dev, dev->sg_dst);
+		else
+			ret = true;
 	} else {
 		s5p_aes_complete(dev, err);
 
 		dev->busy = true;
 		tasklet_schedule(&dev->tasklet);
 	}
+
+	return ret;
 }
 
-static void s5p_aes_rx(struct s5p_aes_dev *dev)
+/*
+ * Returns true if new receiving (input) data is ready and its
+ * address+length have to be written to device (by calling
+ * s5p_set_dma_indata()). False otherwise.
+ */
+static bool s5p_aes_rx(struct s5p_aes_dev *dev)
 {
 	int err;
+	bool ret = false;
 
 	s5p_unset_indata(dev);
 
 	if (!sg_is_last(dev->sg_src)) {
 		err = s5p_set_indata(dev, sg_next(dev->sg_src));
-		if (err) {
+		if (err)
 			s5p_aes_complete(dev, err);
-			return;
-		}
-
-		s5p_set_dma_indata(dev, dev->sg_src);
+		else
+			ret = true;
 	}
+
+	return ret;
 }
 
 static irqreturn_t s5p_aes_interrupt(int irq, void *dev_id)
@@ -358,19 +370,32 @@ static irqreturn_t s5p_aes_interrupt(int irq, void *dev_id)
 	struct s5p_aes_dev     *dev  = platform_get_drvdata(pdev);
 	uint32_t                status;
 	unsigned long           flags;
+	bool			set_dma_tx = false;
+	bool			set_dma_rx = false;
 
 	spin_lock_irqsave(&dev->lock, flags);
 
 	if (irq == dev->irq_fc) {
 		status = SSS_READ(dev, FCINTSTAT);
 		if (status & SSS_FCINTSTAT_BRDMAINT)
-			s5p_aes_rx(dev);
+			set_dma_rx = s5p_aes_rx(dev);
 		if (status & SSS_FCINTSTAT_BTDMAINT)
-			s5p_aes_tx(dev);
+			set_dma_tx = s5p_aes_tx(dev);
 
 		SSS_WRITE(dev, FCINTPEND, status);
 	}
 
+	/*
+	 * Writing length of DMA block (either receiving or transmitting)
+	 * will start the operation immediately, so this should be done
+	 * at the end (even after clearing pending interrupts to not miss the
+	 * interrupt).
+	 */
+	if (set_dma_tx)
+		s5p_set_dma_outdata(dev, dev->sg_dst);
+	if (set_dma_rx)
+		s5p_set_dma_indata(dev, dev->sg_src);
+
 	spin_unlock_irqrestore(&dev->lock, flags);
 
 	return IRQ_HANDLED;
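Review bot: set_dma_rx can still be true after s5p_aes_tx() has called s5p_aes_complete(dev, err) for a failed s5p_set_outdata(), so the trailing "if (set_dma_rx) s5p_set_dma_indata(dev, dev->sg_src);" starts a new input block for a request that has just been completed with an error. Consider letting the rx/tx helpers report that they completed the request and skipping both length writes in that case. The new comment could also say why the tx length is written before the rx length, since that is the reverse of the order in which the two status bits are handled above.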
-- 
2.7.4

* [PATCH 4.2.y-ckt 029/206] ath9k: Add a module parameter to invert LED polarity.
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (27 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 028/206] crypto: s5p-sss - Fix missed interrupts when working with 8 kB blocks Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 030/206] ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards Kamal Mostafa
                   ` (176 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: linux-wireless, ath9k-devel, ath9k-devel, Vittorio Gambaletta,
	Kalle Valo, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "Vittorio Gambaletta (VittGam)" <linux-wireless@vittgam.net>

commit cd84042ce9040ad038e958bc67a46fcfc015c736 upstream.

The LED can be active high instead of active low on some hardware.

Add the led_active_high module parameter. It defaults to -1 to obey
platform data as before.

Setting the parameter to 1 or 0 will force the LED respectively
active high or active low.

Cc: <linux-wireless@vger.kernel.org>
Cc: <ath9k-devel@qca.qualcomm.com>
Cc: <ath9k-devel@lists.ath9k.org>
Signed-off-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/wireless/ath/ath9k/init.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/net/wireless/ath/ath9k/init.c b/drivers/net/wireless/ath/ath9k/init.c
index fc6dc52..6a571d8 100644
--- a/drivers/net/wireless/ath/ath9k/init.c
+++ b/drivers/net/wireless/ath/ath9k/init.c
@@ -49,6 +49,10 @@ int ath9k_led_blink;
 module_param_named(blink, ath9k_led_blink, int, 0444);
 MODULE_PARM_DESC(blink, "Enable LED blink on activity");
 
+static int ath9k_led_active_high = -1;
+module_param_named(led_active_high, ath9k_led_active_high, int, 0444);
+MODULE_PARM_DESC(led_active_high, "Invert LED polarity");
+
 static int ath9k_btcoex_enable;
 module_param_named(btcoex_enable, ath9k_btcoex_enable, int, 0444);
 MODULE_PARM_DESC(btcoex_enable, "Enable wifi-BT coexistence");
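Review bot: the string in MODULE_PARM_DESC(led_active_high, "Invert LED polarity") does not document the accepted values, and "invert" is misleading because the parameter forces a polarity rather than flipping the platform setting. Suggest something like "LED polarity: -1 = platform data (default), 0 = active low, 1 = active high", which matches the commit message.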
@@ -600,6 +604,9 @@ static int ath9k_init_softc(u16 devid, struct ath_softc *sc,
 	if (ret)
 		return ret;
 
+	if (ath9k_led_active_high != -1)
+		ah->config.led_active_high = ath9k_led_active_high == 1;
+
 	/*
 	 * Enable WLAN/BT RX Antenna diversity only when:
 	 *
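Review bot: the test "ath9k_led_active_high != -1" treats every value other than -1 as an override, and "ath9k_led_active_high == 1" then maps anything that is not exactly 1 (for example 2 or -2) to active low. Since the parameter is a plain int, either override only when the value is 0 or 1 and ignore the rest, or state in the parameter description that any other value means active low.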
-- 
2.7.4

* [PATCH 4.2.y-ckt 030/206] ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards.
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (28 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 029/206] ath9k: Add a module parameter to invert LED polarity Kamal Mostafa
@ 2016-06-09 21:13 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 031/206] pinctrl: exynos5440: Use off-stack memory for pinctrl_gpio_range Kamal Mostafa
                   ` (175 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:13 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: linux-wireless, ath9k-devel, ath9k-devel, Vittorio Gambaletta,
	Kalle Valo, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "Vittorio Gambaletta (VittGam)" <linux-wireless@vittgam.net>

commit 0f9edcdd88a993914fa1d1dc369b35dc503979db upstream.

The Wistron DNMA-92 and Compex WLM200NX have inverted LED polarity
(active high instead of active low).

The same PCI Subsystem ID is used by both cards, which are based on
the same Atheros MB92 design.

Cc: <linux-wireless@vger.kernel.org>
Cc: <ath9k-devel@qca.qualcomm.com>
Cc: <ath9k-devel@lists.ath9k.org>
Signed-off-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/wireless/ath/ath9k/pci.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/net/wireless/ath/ath9k/pci.c b/drivers/net/wireless/ath/ath9k/pci.c
index e6fef1b..7cdaf40 100644
--- a/drivers/net/wireless/ath/ath9k/pci.c
+++ b/drivers/net/wireless/ath/ath9k/pci.c
@@ -28,6 +28,16 @@ static const struct pci_device_id ath_pci_id_table[] = {
 	{ PCI_VDEVICE(ATHEROS, 0x0024) }, /* PCI-E */
 	{ PCI_VDEVICE(ATHEROS, 0x0027) }, /* PCI   */
 	{ PCI_VDEVICE(ATHEROS, 0x0029) }, /* PCI   */
+
+#ifdef CONFIG_ATH9K_PCOEM
+	/* Mini PCI AR9220 MB92 cards: Compex WLM200NX, Wistron DNMA-92 */
+	{ PCI_DEVICE_SUB(PCI_VENDOR_ID_ATHEROS,
+			 0x0029,
+			 PCI_VENDOR_ID_ATHEROS,
+			 0x2096),
+	  .driver_data = ATH9K_PCI_LED_ACT_HI },
+#endif
+
 	{ PCI_VDEVICE(ATHEROS, 0x002A) }, /* PCI-E */
 
 #ifdef CONFIG_ATH9K_PCOEM
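Review bot: the new PCI_DEVICE_SUB(..., 0x0029, ..., 0x2096) entry is added after the generic "{ PCI_VDEVICE(ATHEROS, 0x0029) }, /* PCI */" entry shown in the context line directly above it. PCI ID tables are searched in order and the first matching entry is used, and PCI_VDEVICE() matches any subsystem ID, so the generic entry matches these cards first and .driver_data = ATH9K_PCI_LED_ACT_HI is never picked up. Move the subsystem-specific entry ahead of the generic 0x0029 line.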
-- 
2.7.4

* [PATCH 4.2.y-ckt 031/206] pinctrl: exynos5440: Use off-stack memory for pinctrl_gpio_range
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (29 preceding siblings ...)
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 030/206] ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 032/206] btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl Kamal Mostafa
                   ` (174 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Andrew Jeffery, Linus Walleij, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Andrew Jeffery <andrew@aj.id.au>

commit 71324fdc72ef0163e57631aa814a9a81e9e4770b upstream.

The range is registered into a linked list which can be referenced
throughout the lifetime of the driver. Ensure the range's memory is useful
for the same lifetime by adding it to the driver's private data structure.

The bug was introduced in the driver's initial commit, which was present in
v3.10.

Fixes: f0b9a7e521fa ("pinctrl: exynos5440: add pinctrl driver for Samsung EXYNOS5440 SoC")
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Acked-by: Tomasz Figa <tomasz.figa@gmail.com>
Reviewed-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/pinctrl/samsung/pinctrl-exynos5440.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/drivers/pinctrl/samsung/pinctrl-exynos5440.c b/drivers/pinctrl/samsung/pinctrl-exynos5440.c
index f5619fb..1882353 100644
--- a/drivers/pinctrl/samsung/pinctrl-exynos5440.c
+++ b/drivers/pinctrl/samsung/pinctrl-exynos5440.c
@@ -109,6 +109,7 @@ struct exynos5440_pmx_func {
  * @nr_groups: number of pin groups available.
  * @pmx_functions: list of pin functions parsed from device tree.
  * @nr_functions: number of pin functions available.
+ * @range: gpio range to register with pinctrl
  */
 struct exynos5440_pinctrl_priv_data {
 	void __iomem			*reg_base;
@@ -119,6 +120,7 @@ struct exynos5440_pinctrl_priv_data {
 	unsigned int			nr_groups;
 	const struct exynos5440_pmx_func	*pmx_functions;
 	unsigned int			nr_functions;
+	struct pinctrl_gpio_range	range;
 };
 
 /**
@@ -769,7 +771,6 @@ static int exynos5440_pinctrl_register(struct platform_device *pdev,
 	struct pinctrl_desc *ctrldesc;
 	struct pinctrl_dev *pctl_dev;
 	struct pinctrl_pin_desc *pindesc, *pdesc;
-	struct pinctrl_gpio_range grange;
 	char *pin_names;
 	int pin, ret;
 
@@ -827,12 +828,12 @@ static int exynos5440_pinctrl_register(struct platform_device *pdev,
 		return PTR_ERR(pctl_dev);
 	}
 
-	grange.name = "exynos5440-pctrl-gpio-range";
-	grange.id = 0;
-	grange.base = 0;
-	grange.npins = EXYNOS5440_MAX_PINS;
-	grange.gc = priv->gc;
-	pinctrl_add_gpio_range(pctl_dev, &grange);
+	priv->range.name = "exynos5440-pctrl-gpio-range";
+	priv->range.id = 0;
+	priv->range.base = 0;
+	priv->range.npins = EXYNOS5440_MAX_PINS;
+	priv->range.gc = priv->gc;
+	pinctrl_add_gpio_range(pctl_dev, &priv->range);
 	return 0;
 }
 
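Review bot: only name, id, base, npins and gc of priv->range are assigned before pinctrl_add_gpio_range(pctl_dev, &priv->range), so the remaining members of struct pinctrl_gpio_range (pin_base, pins) now take whatever the allocation of priv left in them. The allocation is not visible in this hunk; please confirm priv comes from a zeroing allocator, or set those members explicitly next to the other assignments.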
-- 
2.7.4

* [PATCH 4.2.y-ckt 032/206] btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (30 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 031/206] pinctrl: exynos5440: Use off-stack memory for pinctrl_gpio_range Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 033/206] usb: core: hub: hub_port_init lock controller instead of bus Kamal Mostafa
                   ` (173 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Luke Dashjr, David Sterba, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Luke Dashjr <luke@dashjr.org>

commit 4c63c2454eff996c5e27991221106eb511f7db38 upstream.

32-bit ioctl uses these rather than the regular FS_IOC_* versions. They can
be handled in btrfs using the same code. Without this, 32-bit {ch,ls}attr
fail.

Signed-off-by: Luke Dashjr <luke-jr+git@utopios.org>
Reviewed-by: Josef Bacik <jbacik@fb.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/btrfs/ctree.h |  1 +
 fs/btrfs/file.c  |  2 +-
 fs/btrfs/inode.c |  2 +-
 fs/btrfs/ioctl.c | 21 +++++++++++++++++++++
 4 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
index 6bd8ea5..293d340 100644
--- a/fs/btrfs/ctree.h
+++ b/fs/btrfs/ctree.h
@@ -3959,6 +3959,7 @@ void btrfs_test_inode_set_ops(struct inode *inode);
 
 /* ioctl.c */
 long btrfs_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
+long btrfs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
 void btrfs_update_iflags(struct inode *inode);
 void btrfs_inherit_iflags(struct inode *inode, struct inode *dir);
 int btrfs_is_empty_uuid(u8 *uuid);
diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
index dfb6609..f95fe3d 100644
--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -2826,7 +2826,7 @@ const struct file_operations btrfs_file_operations = {
 	.fallocate	= btrfs_fallocate,
 	.unlocked_ioctl	= btrfs_ioctl,
 #ifdef CONFIG_COMPAT
-	.compat_ioctl	= btrfs_ioctl,
+	.compat_ioctl	= btrfs_compat_ioctl,
 #endif
 };
 
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 504eddf..c8b6b3f 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -9933,7 +9933,7 @@ static const struct file_operations btrfs_dir_file_operations = {
 	.iterate	= btrfs_real_readdir,
 	.unlocked_ioctl	= btrfs_ioctl,
 #ifdef CONFIG_COMPAT
-	.compat_ioctl	= btrfs_ioctl,
+	.compat_ioctl	= btrfs_compat_ioctl,
 #endif
 	.release        = btrfs_release_file,
 	.fsync		= btrfs_sync_file,
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index fc784e9..51e896f 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -5640,3 +5640,24 @@ long btrfs_ioctl(struct file *file, unsigned int
 
 	return -ENOTTY;
 }
+
+#ifdef CONFIG_COMPAT
+long btrfs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+{
+	switch (cmd) {
+	case FS_IOC32_GETFLAGS:
+		cmd = FS_IOC_GETFLAGS;
+		break;
+	case FS_IOC32_SETFLAGS:
+		cmd = FS_IOC_SETFLAGS;
+		break;
+	case FS_IOC32_GETVERSION:
+		cmd = FS_IOC_GETVERSION;
+		break;
+	default:
+		return -ENOIOCTLCMD;
+	}
+
+	return btrfs_ioctl(file, cmd, (unsigned long) compat_ptr(arg));
+}
+#endif
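Review bot: the "default: return -ENOIOCTLCMD;" arm of btrfs_compat_ioctl() means that every command other than the three FS_IOC32_* values no longer reaches btrfs_ioctl() through .compat_ioctl, whereas the file.c and inode.c hunks show that .compat_ioctl used to be btrfs_ioctl itself. Unless the btrfs-specific ioctls are meant to stop working for 32-bit callers, drop the default arm and let unrecognised commands fall through to the final btrfs_ioctl() call unchanged. A one-line comment above the switch saying that these three commands use 32-bit values and need no further argument translation would also help.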
-- 
2.7.4

* [PATCH 4.2.y-ckt 033/206] usb: core: hub: hub_port_init lock controller instead of bus
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (31 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 032/206] btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 034/206] serial: 8250_pci: fix divide error bug if baud rate is 0 Kamal Mostafa
                   ` (172 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Chris Bainbridge, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Chris Bainbridge <chris.bainbridge@gmail.com>

commit feb26ac31a2a5cb88d86680d9a94916a6343e9e6 upstream.

The XHCI controller presents two USB buses to the system - one for USB2
and one for USB3. The hub init code (hub_port_init) is reentrant but
only locks one bus per thread, leading to a race condition failure when
two threads attempt to simultaneously initialise a USB2 and USB3 device:

[    8.034843] xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command
[   13.183701] usb 3-3: device descriptor read/all, error -110

On a test system this failure occurred on 6% of all boots.

The call traces at the point of failure are:

Call Trace:
 [<ffffffff81b9bab7>] schedule+0x37/0x90
 [<ffffffff817da7cd>] usb_kill_urb+0x8d/0xd0
 [<ffffffff8111e5e0>] ? wake_up_atomic_t+0x30/0x30
 [<ffffffff817dafbe>] usb_start_wait_urb+0xbe/0x150
 [<ffffffff817db10c>] usb_control_msg+0xbc/0xf0
 [<ffffffff817d07de>] hub_port_init+0x51e/0xb70
 [<ffffffff817d4697>] hub_event+0x817/0x1570
 [<ffffffff810f3e6f>] process_one_work+0x1ff/0x620
 [<ffffffff810f3dcf>] ? process_one_work+0x15f/0x620
 [<ffffffff810f4684>] worker_thread+0x64/0x4b0
 [<ffffffff810f4620>] ? rescuer_thread+0x390/0x390
 [<ffffffff810fa7f5>] kthread+0x105/0x120
 [<ffffffff810fa6f0>] ? kthread_create_on_node+0x200/0x200
 [<ffffffff81ba183f>] ret_from_fork+0x3f/0x70
 [<ffffffff810fa6f0>] ? kthread_create_on_node+0x200/0x200

Call Trace:
 [<ffffffff817fd36d>] xhci_setup_device+0x53d/0xa40
 [<ffffffff817fd87e>] xhci_address_device+0xe/0x10
 [<ffffffff817d047f>] hub_port_init+0x1bf/0xb70
 [<ffffffff811247ed>] ? trace_hardirqs_on+0xd/0x10
 [<ffffffff817d4697>] hub_event+0x817/0x1570
 [<ffffffff810f3e6f>] process_one_work+0x1ff/0x620
 [<ffffffff810f3dcf>] ? process_one_work+0x15f/0x620
 [<ffffffff810f4684>] worker_thread+0x64/0x4b0
 [<ffffffff810f4620>] ? rescuer_thread+0x390/0x390
 [<ffffffff810fa7f5>] kthread+0x105/0x120
 [<ffffffff810fa6f0>] ? kthread_create_on_node+0x200/0x200
 [<ffffffff81ba183f>] ret_from_fork+0x3f/0x70
 [<ffffffff810fa6f0>] ? kthread_create_on_node+0x200/0x200

Which results from the two call chains:

hub_port_init
 usb_get_device_descriptor
  usb_get_descriptor
   usb_control_msg
    usb_internal_control_msg
     usb_start_wait_urb
      usb_submit_urb / wait_for_completion_timeout / usb_kill_urb

hub_port_init
 hub_set_address
  xhci_address_device
   xhci_setup_device

Mathias Nyman explains the current behaviour violates the XHCI spec:

 hub_port_reset() will end up moving the corresponding xhci device slot
 to default state.

 As hub_port_reset() is called several times in hub_port_init() it
 sounds reasonable that we could end up with two threads having their
 xhci device slots in default state at the same time, which according to
 xhci 4.5.3 specs still is a big no no:

 "Note: Software shall not transition more than one Device Slot to the
  Default State at a time"

 So both threads fail at their next task after this.
 One fails to read the descriptor, and the other fails addressing the
 device.

Fix this in hub_port_init by locking the USB controller (instead of an
individual bus) to prevent simultaneous initialisation of both buses.

Fixes: 638139eb95d2 ("usb: hub: allow to process more usb hub events in parallel")
Link: https://lkml.org/lkml/2016/2/8/312
Link: https://lkml.org/lkml/2016/2/4/748
Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/core/hcd.c  | 15 +++++++++++++--
 drivers/usb/core/hub.c  |  8 ++++----
 include/linux/usb.h     |  3 +--
 include/linux/usb/hcd.h |  1 +
 4 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
index cbcd092..935175d 100644
--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
@@ -915,7 +915,7 @@ static void usb_bus_init (struct usb_bus *bus)
 	bus->bandwidth_allocated = 0;
 	bus->bandwidth_int_reqs  = 0;
 	bus->bandwidth_isoc_reqs = 0;
-	mutex_init(&bus->usb_address0_mutex);
+	mutex_init(&bus->devnum_next_mutex);
 
 	INIT_LIST_HEAD (&bus->bus_list);
 }
@@ -2446,6 +2446,14 @@ struct usb_hcd *usb_create_shared_hcd(const struct hc_driver *driver,
 		return NULL;
 	}
 	if (primary_hcd == NULL) {
+		hcd->address0_mutex = kmalloc(sizeof(*hcd->address0_mutex),
+				GFP_KERNEL);
+		if (!hcd->address0_mutex) {
+			kfree(hcd);
+			dev_dbg(dev, "hcd address0 mutex alloc failed\n");
+			return NULL;
+		}
+		mutex_init(hcd->address0_mutex);
 		hcd->bandwidth_mutex = kmalloc(sizeof(*hcd->bandwidth_mutex),
 				GFP_KERNEL);
 		if (!hcd->bandwidth_mutex) {
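Review bot: the "if (!hcd->bandwidth_mutex) {" failure branch that begins on this hunk's last line is not touched by any hcd.c hunk in the patch, so when that second kmalloc() fails the address0_mutex allocated a few lines above is leaked. Add kfree(hcd->address0_mutex) to that branch before kfree(hcd).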
@@ -2457,6 +2465,7 @@ struct usb_hcd *usb_create_shared_hcd(const struct hc_driver *driver,
 		dev_set_drvdata(dev, hcd);
 	} else {
 		mutex_lock(&usb_port_peer_mutex);
+		hcd->address0_mutex = primary_hcd->address0_mutex;
 		hcd->bandwidth_mutex = primary_hcd->bandwidth_mutex;
 		hcd->primary_hcd = primary_hcd;
 		primary_hcd->primary_hcd = primary_hcd;
@@ -2523,8 +2532,10 @@ static void hcd_release(struct kref *kref)
 	struct usb_hcd *hcd = container_of (kref, struct usb_hcd, kref);
 
 	mutex_lock(&usb_port_peer_mutex);
-	if (usb_hcd_is_primary_hcd(hcd))
+	if (usb_hcd_is_primary_hcd(hcd)) {
+		kfree(hcd->address0_mutex);
 		kfree(hcd->bandwidth_mutex);
+	}
 	if (hcd->shared_hcd) {
 		struct usb_hcd *peer = hcd->shared_hcd;
 
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 6c4fe67..be65a94 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -2067,7 +2067,7 @@ static void choose_devnum(struct usb_device *udev)
 	struct usb_bus	*bus = udev->bus;
 
 	/* be safe when more hub events are proceed in parallel */
-	mutex_lock(&bus->usb_address0_mutex);
+	mutex_lock(&bus->devnum_next_mutex);
 	if (udev->wusb) {
 		devnum = udev->portnum + 1;
 		BUG_ON(test_bit(devnum, bus->devmap.devicemap));
@@ -2085,7 +2085,7 @@ static void choose_devnum(struct usb_device *udev)
 		set_bit(devnum, bus->devmap.devicemap);
 		udev->devnum = devnum;
 	}
-	mutex_unlock(&bus->usb_address0_mutex);
+	mutex_unlock(&bus->devnum_next_mutex);
 }
 
 static void release_devnum(struct usb_device *udev)
@@ -4263,7 +4263,7 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1,
 	if (oldspeed == USB_SPEED_LOW)
 		delay = HUB_LONG_RESET_TIME;
 
-	mutex_lock(&hdev->bus->usb_address0_mutex);
+	mutex_lock(hcd->address0_mutex);
 
 	/* Reset the device; full speed may morph to high speed */
 	/* FIXME a USB 2.0 device may morph into SuperSpeed on reset. */
@@ -4545,7 +4545,7 @@ fail:
 		hub_port_disable(hub, port1, 0);
 		update_devnum(udev, devnum);	/* for disconnect processing */
 	}
-	mutex_unlock(&hdev->bus->usb_address0_mutex);
+	mutex_unlock(hcd->address0_mutex);
 	return retval;
 }
 
diff --git a/include/linux/usb.h b/include/linux/usb.h
index 447fe29..95e98d3 100644
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -367,14 +367,13 @@ struct usb_bus {
 
 	int devnum_next;		/* Next open device number in
 					 * round-robin allocation */
+	struct mutex devnum_next_mutex; /* devnum_next mutex */
 
 	struct usb_devmap devmap;	/* device address allocation map */
 	struct usb_device *root_hub;	/* Root hub */
 	struct usb_bus *hs_companion;	/* Companion EHCI bus, if any */
 	struct list_head bus_list;	/* list of busses */
 
-	struct mutex usb_address0_mutex; /* unaddressed device mutex */
-
 	int bandwidth_allocated;	/* on this bus: how much of the time
 					 * reserved for periodic (intr/iso)
 					 * requests is used, on average?
diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h
index c9aa779..0579a7a 100644
--- a/include/linux/usb/hcd.h
+++ b/include/linux/usb/hcd.h
@@ -169,6 +169,7 @@ struct usb_hcd {
 	 * bandwidth_mutex should be dropped after a successful control message
 	 * to the device, or resetting the bandwidth after a failed attempt.
 	 */
+	struct mutex		*address0_mutex;
 	struct mutex		*bandwidth_mutex;
 	struct usb_hcd		*shared_hcd;
 	struct usb_hcd		*primary_hcd;
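Review bot: the new "struct mutex *address0_mutex;" member is inserted between the block comment that ends "... or resetting the bandwidth after a failed attempt." and the bandwidth_mutex member that comment documents, so the comment now reads as if it described address0_mutex. Place the new member above the comment (or after bandwidth_mutex) and give it its own one-line comment, for example that it serialises hub_port_init() across the buses sharing this controller.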
-- 
2.7.4

* [PATCH 4.2.y-ckt 034/206] serial: 8250_pci: fix divide error bug if baud rate is 0
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (32 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 033/206] usb: core: hub: hub_port_init lock controller instead of bus Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 035/206] TTY: n_gsm, fix false positive WARN_ON Kamal Mostafa
                   ` (171 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: David Müller, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: David Müller <d.mueller@elsoft.ch>

commit 6f210c18c1c0f016772c8cd51ae12a02bfb9e7ef upstream.

Since commit 21947ba654a6 ("serial: 8250_pci: replace switch-case by
formula"), the 8250 driver crashes in the byt_set_termios() function
with a divide error. This is caused by the fact that a baud rate of 0 (B0)
is not handled properly. Fix it by falling back to B9600 in this case.

Signed-off-by: David Müller <d.mueller@elsoft.ch>
Fixes: 21947ba654a6 ("serial: 8250_pci: replace switch-case by formula")
Suggested-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/tty/serial/8250/8250_pci.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c
index 78aeb11..9850bbf 100644
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -1402,6 +1402,9 @@ byt_set_termios(struct uart_port *p, struct ktermios *termios,
 	unsigned long m, n;
 	u32 reg;
 
+	/* Gracefully handle the B0 case: fall back to B9600 */
+	fuart = fuart ? fuart : 9600 * 16;
+
 	/* Get Fuart closer to Fref */
 	fuart *= rounddown_pow_of_two(fref / fuart);
 
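Review bot: the added check only covers fuart == 0; the next line, "fuart *= rounddown_pow_of_two(fref / fuart);", still passes 0 to rounddown_pow_of_two() whenever fuart is larger than fref, and the result of that macro is undefined for 0. If the caller cannot guarantee fuart <= fref, clamp here as well. Style nit: "if (!fuart) fuart = 9600 * 16;" reads more clearly than the self-assigning ternary.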
-- 
2.7.4

* [PATCH 4.2.y-ckt 035/206] TTY: n_gsm, fix false positive WARN_ON
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (33 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 034/206] serial: 8250_pci: fix divide error bug if baud rate is 0 Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 036/206] staging: comedi: das1800: fix possible NULL dereference Kamal Mostafa
                   ` (170 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Alan Cox, Jiri Slaby, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Jiri Slaby <jslaby@suse.cz>

commit d175feca89a1c162f60f4e3560ca7bc9437c65eb upstream.

Dmitry reported, that the current cleanup code in n_gsm can trigger a
warning:
WARNING: CPU: 2 PID: 24238 at drivers/tty/n_gsm.c:2048 gsm_cleanup_mux+0x166/0x6b0()
...
Call Trace:
...
 [<ffffffff81247ab9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:490
 [<ffffffff828d0456>] gsm_cleanup_mux+0x166/0x6b0 drivers/tty/n_gsm.c:2048
 [<ffffffff828d4d87>] gsmld_open+0x5b7/0x7a0 drivers/tty/n_gsm.c:2386
 [<ffffffff828b9078>] tty_ldisc_open.isra.2+0x78/0xd0 drivers/tty/tty_ldisc.c:447
 [<ffffffff828b973a>] tty_set_ldisc+0x1ca/0xa70 drivers/tty/tty_ldisc.c:567
 [<     inline     >] tiocsetd drivers/tty/tty_io.c:2650
 [<ffffffff828a14ea>] tty_ioctl+0xb2a/0x2140 drivers/tty/tty_io.c:2883
...

But this is a legal path when open fails to find a space in the
gsm_mux array and tries to clean up. So make it a standard test
instead of a warning.

Reported-by: "Dmitry Vyukov" <dvyukov@google.com>
Cc: Alan Cox <alan@linux.intel.com>
Link: http://lkml.kernel.org/r/CACT4Y+bHQbAB68VFi7Romcs-Z9ZW3kQRvcq+BvHH1oa5NcAdLA@mail.gmail.com
Fixes: 5a640967 ("tty/n_gsm.c: fix a memory leak in gsmld_open()")
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/tty/n_gsm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
index 382d3fc..25444a1 100644
--- a/drivers/tty/n_gsm.c
+++ b/drivers/tty/n_gsm.c
@@ -2045,7 +2045,9 @@ static void gsm_cleanup_mux(struct gsm_mux *gsm)
 		}
 	}
 	spin_unlock(&gsm_mux_lock);
-	WARN_ON(i == MAX_MUX);
+	/* open failed before registering => nothing to do */
+	if (i == MAX_MUX)
+		return;
 
 	/* In theory disconnecting DLCI 0 is sufficient but for some
 	   modems this is apparently not the case. */
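Review bot: The new `return` for `i == MAX_MUX` skips everything below it, including the DLCI teardown that the following comment introduces, so it is only correct if a mux that never made it into the gsm_mux array has no DLCIs or other state to release. The comment says "nothing to do"; it would help to state that invariant explicitly (what gsmld_open has and has not allocated by the time it fails), because the WARN_ON that used to flag an unexpected unregistered mux is gone and a second cleanup of the same mux would now pass silently.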
-- 
2.7.4


* [PATCH 4.2.y-ckt 036/206] staging: comedi: das1800: fix possible NULL dereference
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (34 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 035/206] TTY: n_gsm, fix false positive WARN_ON Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 037/206] arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables Kamal Mostafa
                   ` (169 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: H Hartley Sweeten, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: H Hartley Sweeten <hsweeten@visionengravers.com>

commit d375278d666760e195693b57415ba0a125cadd55 upstream.

DMA is optional with this driver. If it was not enabled the devpriv->dma
pointer will be NULL.

Fix the possible NULL pointer dereference when trying to disable the DMA
channels in das1800_ai_cancel() and tidy up the comments to fix the
checkpatch.pl issues:
WARNING: line over 80 characters

It's probably harmless in das1800_ai_setup_dma() because the 'desc' pointer
will not be used if DMA is disabled but fix it there also.

Fixes: 99dfc3357e98 ("staging: comedi: das1800: remove depends on ISA_DMA_API limitation")
Signed-off-by: H Hartley Sweeten <hsweeten@visionengravers.com>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/staging/comedi/drivers/das1800.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/drivers/staging/comedi/drivers/das1800.c b/drivers/staging/comedi/drivers/das1800.c
index 94078118..3be1096 100644
--- a/drivers/staging/comedi/drivers/das1800.c
+++ b/drivers/staging/comedi/drivers/das1800.c
@@ -567,14 +567,17 @@ static int das1800_cancel(struct comedi_device *dev, struct comedi_subdevice *s)
 	struct comedi_isadma_desc *desc;
 	int i;
 
-	outb(0x0, dev->iobase + DAS1800_STATUS);	/* disable conversions */
-	outb(0x0, dev->iobase + DAS1800_CONTROL_B);	/* disable interrupts and dma */
-	outb(0x0, dev->iobase + DAS1800_CONTROL_A);	/* disable and clear fifo and stop triggering */
-
-	for (i = 0; i < 2; i++) {
-		desc = &dma->desc[i];
-		if (desc->chan)
-			comedi_isadma_disable(desc->chan);
+	/* disable and stop conversions */
+	outb(0x0, dev->iobase + DAS1800_STATUS);
+	outb(0x0, dev->iobase + DAS1800_CONTROL_B);
+	outb(0x0, dev->iobase + DAS1800_CONTROL_A);
+
+	if (dma) {
+		for (i = 0; i < 2; i++) {
+			desc = &dma->desc[i];
+			if (desc->chan)
+				comedi_isadma_disable(desc->chan);
+		}
 	}
 
 	return 0;
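Review bot: The `if (dma)` guard is the functional fix here, but the same hunk also collapses three per-register comments into one `/* disable and stop conversions */`, which loses the information that the CONTROL_B write disables interrupts and DMA and that the CONTROL_A write clears the FIFO and stops triggering. Keeping one short comment on its own line above each `outb()` would satisfy the 80-column limit without dropping that. Note also that the hunk header names the function `das1800_cancel()` while the commit message refers to `das1800_ai_cancel()`.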
@@ -934,13 +937,14 @@ static void das1800_ai_setup_dma(struct comedi_device *dev,
 {
 	struct das1800_private *devpriv = dev->private;
 	struct comedi_isadma *dma = devpriv->dma;
-	struct comedi_isadma_desc *desc = &dma->desc[0];
+	struct comedi_isadma_desc *desc;
 	unsigned int bytes;
 
 	if ((devpriv->irq_dma_bits & DMA_ENABLED) == 0)
 		return;
 
 	dma->cur_dma = 0;
+	desc = &dma->desc[0];
 
 	/* determine a dma transfer size to fill buffer in 0.3 sec */
 	bytes = das1800_ai_transfer_size(dev, s, desc->maxsize, 300000000);
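Review bot: `dma->cur_dma = 0;` still dereferences `dma` with only the `DMA_ENABLED` bit in `devpriv->irq_dma_bits` standing between it and a NULL pointer, whereas the cancel path tests `if (dma)` directly. If the flag and the pointer are always set together, a comment saying so would help; otherwise test `dma` here as well so both paths use the same guard. Moving the `desc` assignment below the early return is fine.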
-- 
2.7.4


* [PATCH 4.2.y-ckt 037/206] arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (35 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 036/206] staging: comedi: das1800: fix possible NULL dereference Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 038/206] KVM: x86: fix ordering of cr0 initialization code in vmx_cpu_reset Kamal Mostafa
                   ` (168 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Marc Zyngier, Christoffer Dall, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit d4b9e0790aa764c0b01e18d4e8d33e93ba36d51f upstream.

The ARM architecture mandates that when changing a page table entry
from a valid entry to another valid entry, an invalid entry is first
written, TLB invalidated, and only then the new entry written.

The current code doesn't respect this, directly writing the new
entry and only then invalidating TLBs. Let's fix it up.

Reported-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/arm/kvm/mmu.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c
index 61d96a6..12d727fa 100644
--- a/arch/arm/kvm/mmu.c
+++ b/arch/arm/kvm/mmu.c
@@ -886,11 +886,14 @@ static int stage2_set_pmd_huge(struct kvm *kvm, struct kvm_mmu_memory_cache
 	VM_BUG_ON(pmd_present(*pmd) && pmd_pfn(*pmd) != pmd_pfn(*new_pmd));
 
 	old_pmd = *pmd;
-	kvm_set_pmd(pmd, *new_pmd);
-	if (pmd_present(old_pmd))
+	if (pmd_present(old_pmd)) {
+		pmd_clear(pmd);
 		kvm_tlb_flush_vmid_ipa(kvm, addr);
-	else
+	} else {
 		get_page(virt_to_page(pmd));
+	}
+
+	kvm_set_pmd(pmd, *new_pmd);
 	return 0;
 }
 
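Review bot: The invalid entry is written with `pmd_clear(pmd)` here, while the PTE path in the same patch uses `kvm_set_pte(pte, __pte(0))`; if `kvm_set_pmd()` does anything beyond a plain store (barriers or cache maintenance), `pmd_clear()` may not give the same guarantee before `kvm_tlb_flush_vmid_ipa()` runs. Please confirm the two are equivalent for this purpose or use the `kvm_set_pmd()` form for symmetry, and add a comment naming the break-before-make requirement so the clear, flush, set order is not rearranged later.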
@@ -939,12 +942,14 @@ static int stage2_set_pte(struct kvm *kvm, struct kvm_mmu_memory_cache *cache,
 
 	/* Create 2nd stage page table mapping - Level 3 */
 	old_pte = *pte;
-	kvm_set_pte(pte, *new_pte);
-	if (pte_present(old_pte))
+	if (pte_present(old_pte)) {
+		kvm_set_pte(pte, __pte(0));
 		kvm_tlb_flush_vmid_ipa(kvm, addr);
-	else
+	} else {
 		get_page(virt_to_page(pte));
+	}
 
+	kvm_set_pte(pte, *new_pte);
 	return 0;
 }
 
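Review bot: Between `kvm_set_pte(pte, __pte(0))` and the final `kvm_set_pte(pte, *new_pte)` the mapping is invalid, so a guest access to `addr` in that window faults, and the hunk does not show what serialises this against the fault path. A one-line comment stating that the sequence is the architecture's break-before-make, and which lock the caller holds, would make the intent reviewable and would explain why the zero write cannot be dropped as redundant.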
-- 
2.7.4


* [PATCH 4.2.y-ckt 038/206] KVM: x86: fix ordering of cr0 initialization code in vmx_cpu_reset
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (36 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 037/206] arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 039/206] aacraid: Relinquish CPU during timeout wait Kamal Mostafa
                   ` (167 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Bruce Rogers, Radim Krčmář, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Bruce Rogers <brogers@suse.com>

commit f24632475d4ffed5626abbfab7ef30a128dd1474 upstream.

Commit d28bc9dd25ce reversed the order of two lines which initialize cr0,
allowing the current (old) cr0 value to mess up vcpu initialization.
This was observed in the checks for cr0 X86_CR0_WP bit in the context of
kvm_mmu_reset_context(). Besides, setting vcpu->arch.cr0 after vmx_set_cr0()
is completely redundant. Change the order back to ensure proper vcpu
initialization.

The combination of booting with ovmf firmware when guest vcpus > 1 and kvm's
ept=N option being set results in a VM-entry failure. This patch fixes that.

Fixes: d28bc9dd25ce ("KVM: x86: INIT and reset sequences are different")
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/x86/kvm/vmx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index c832c7d..8f30efc 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -4795,8 +4795,8 @@ static void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
 		vmcs_write16(VIRTUAL_PROCESSOR_ID, vmx->vpid);
 
 	cr0 = X86_CR0_NW | X86_CR0_CD | X86_CR0_ET;
-	vmx_set_cr0(vcpu, cr0); /* enter rmode */
 	vmx->vcpu.arch.cr0 = cr0;
+	vmx_set_cr0(vcpu, cr0); /* enter rmode */
 	vmx_set_cr4(vcpu, 0);
 	vmx_set_efer(vcpu, 0);
 	vmx_fpu_activate(vcpu);
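Review bot: The fix is purely the order of `vmx->vcpu.arch.cr0 = cr0;` and `vmx_set_cr0(vcpu, cr0);`, and nothing at that site says the order matters, which is how the two lines came to be swapped before. Add a comment above the assignment stating that `vmx_set_cr0()` must see the reset value in `vcpu->arch.cr0`, so a later cleanup does not reverse them again.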
-- 
2.7.4


* [PATCH 4.2.y-ckt 039/206] aacraid: Relinquish CPU during timeout wait
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (37 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 038/206] KVM: x86: fix ordering of cr0 initialization code in vmx_cpu_reset Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 040/206] aacraid: Fix for aac_command_thread hang Kamal Mostafa
                   ` (166 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Raghava Aditya Renukunta, Martin K . Petersen, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>

commit 07beca2be24cc710461c0b131832524c9ee08910 upstream.

aac_fib_send has a special function case for initial commands during
driver initialization using wait < 0 (pseudo sync mode). In this case,
the command does not sleep but rather spins checking for timeout. This
loop calls cpu_relax() in an attempt to allow other processes/threads
to use the CPU, but this function does not relinquish the CPU and so the
command will hog the processor. This was observed in a KDUMP
"crashkernel" and that prevented the "command thread" (which is
responsible for completing the command from being timed out) from
starting because it could not get the CPU.

Fixed by replacing "cpu_relax()" call with "schedule()"
Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/scsi/aacraid/commsup.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c
index 4b79d95..e7344ae 100644
--- a/drivers/scsi/aacraid/commsup.c
+++ b/drivers/scsi/aacraid/commsup.c
@@ -611,10 +611,10 @@ int aac_fib_send(u16 command, struct fib *fibptr, unsigned long size,
 					}
 					return -EFAULT;
 				}
-				/* We used to udelay() here but that absorbed
-				 * a CPU when a timeout occured. Not very
-				 * useful. */
-				cpu_relax();
+				/*
+				 * Allow other processes / CPUS to use core
+				 */
+				schedule();
 			}
 		} else if (down_interruptible(&fibptr->event_wait)) {
 			/* Do nothing ... satisfy
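Review bot: `schedule()` replaces `cpu_relax()` inside the polling loop without any change of task state, so it acts as a plain yield; `cond_resched()` is the usual way to express that, and either call requires that this path is never entered in atomic context (spinlock held or interrupts disabled), which the hunk does not show. The new comment "Allow other processes / CPUS to use core" also drops the history that explained why udelay() was removed; a sentence on why the loop must yield rather than spin would be more useful.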
-- 
2.7.4


* [PATCH 4.2.y-ckt 040/206] aacraid: Fix for aac_command_thread hang
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (38 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 039/206] aacraid: Relinquish CPU during timeout wait Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 041/206] aacraid: Fix for KDUMP driver hang Kamal Mostafa
                   ` (165 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Raghava Aditya Renukunta, Martin K . Petersen, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>

commit fc4bf75ea300a5e62a2419f89dd0e22189dd7ab7 upstream.

Typically under error conditions, it is possible for aac_command_thread()
to miss the wakeup from kthread_stop() and go back to sleep, causing it
to hang aac_shutdown.

In the observed scenario, the adapter is not functioning correctly and so
aac_fib_send() never completes (or times out depending on how it was
called). Shortly after aac_command_thread() starts it performs
aac_fib_send(SendHostTime) which hangs. When aac_probe_one
/aac_get_adapter_info send times out, kthread_stop is called which breaks
the command thread out of its hang.

The code will still go back to sleep in schedule_timeout() without
checking kthread_should_stop() so it causes aac_probe_one to hang until
the schedule_timeout() which is 30 minutes.

Fixed by: Adding another kthread_should_stop() before schedule_timeout()
Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/scsi/aacraid/commsup.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c
index e7344ae..9410ffe 100644
--- a/drivers/scsi/aacraid/commsup.c
+++ b/drivers/scsi/aacraid/commsup.c
@@ -1999,6 +1999,10 @@ int aac_command_thread(void *data)
 		if (difference <= 0)
 			difference = 1;
 		set_current_state(TASK_INTERRUPTIBLE);
+
+		if (kthread_should_stop())
+			break;
+
 		schedule_timeout(difference);
 
 		if (kthread_should_stop())
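Review bot: The added `break` is taken after `set_current_state(TASK_INTERRUPTIBLE)`, so the thread leaves the loop with its state still TASK_INTERRUPTIBLE. Unless the code after the loop resets it, call `__set_current_state(TASK_RUNNING)` before breaking. Checking `kthread_should_stop()` after setting the state and before `schedule_timeout()` is the right order for not missing the wakeup.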
-- 
2.7.4


* [PATCH 4.2.y-ckt 041/206] aacraid: Fix for KDUMP driver hang
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (39 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 040/206] aacraid: Fix for aac_command_thread hang Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 042/206] ext4: fix hang when processing corrupted orphaned inode list Kamal Mostafa
                   ` (164 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Raghava Aditya Renukunta, Martin K . Petersen, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>

commit 78cbccd3bd683c295a44af8050797dc4a41376ff upstream.

When KDUMP is triggered the driver first talks to the firmware in INTX
mode, but the adapter firmware is still in MSIX mode. Therefore the first
driver command hangs since the driver is waiting for an INTX response and
firmware gives a MSIX response. If the OS is installed on a RAID
drive created by the adapter, KDUMP will hang since the driver does not
receive a response in sync mode.

Fixed by: Change the firmware to INTX mode if it is in MSIX mode before
sending the first sync command.

Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/scsi/aacraid/aacraid.h  |  1 +
 drivers/scsi/aacraid/comminit.c | 24 ++++++++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/drivers/scsi/aacraid/aacraid.h b/drivers/scsi/aacraid/aacraid.h
index 18c9c06..3e8e92b 100644
--- a/drivers/scsi/aacraid/aacraid.h
+++ b/drivers/scsi/aacraid/aacraid.h
@@ -29,6 +29,7 @@ enum {
 #define AAC_INT_MODE_MSI		(1<<1)
 #define AAC_INT_MODE_AIF		(1<<2)
 #define AAC_INT_MODE_SYNC		(1<<3)
+#define AAC_INT_MODE_MSIX		(1<<16)
 
 #define AAC_INT_ENABLE_TYPE1_INTX	0xfffffffb
 #define AAC_INT_ENABLE_TYPE1_MSIX	0xfffffffa
diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c
index 45db84a..e736ecb 100644
--- a/drivers/scsi/aacraid/comminit.c
+++ b/drivers/scsi/aacraid/comminit.c
@@ -37,6 +37,7 @@
 #include <linux/spinlock.h>
 #include <linux/slab.h>
 #include <linux/blkdev.h>
+#include <linux/delay.h>
 #include <linux/completion.h>
 #include <linux/mm.h>
 #include <scsi/scsi_host.h>
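Review bot: `#include <linux/delay.h>` is added, but none of the lines this patch adds to comminit.c call a delay function (the new helpers only use `src_readl()` and `aac_src_access_devreg()`). Drop the include unless something outside this patch needs it.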
@@ -49,6 +50,20 @@ struct aac_common aac_config = {
 	.irq_mod = 1
 };
 
+static inline int aac_is_msix_mode(struct aac_dev *dev)
+{
+	u32 status;
+
+	status = src_readl(dev, MUnit.OMR);
+	return (status & AAC_INT_MODE_MSIX);
+}
+
+static inline void aac_change_to_intx(struct aac_dev *dev)
+{
+	aac_src_access_devreg(dev, AAC_DISABLE_MSIX);
+	aac_src_access_devreg(dev, AAC_ENABLE_INTX);
+}
+
 static int aac_alloc_comm(struct aac_dev *dev, void **commaddr, unsigned long commsize, unsigned long commalign)
 {
 	unsigned char *base;
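Review bot: `aac_is_msix_mode()` returns the raw masked value `status & AAC_INT_MODE_MSIX` as an `int`; since it is used as a predicate, make it `bool` (or return `!!(...)`) so callers cannot come to depend on the bit position. `aac_change_to_intx()` issues the disable and enable register writes back to back with no check that the firmware actually left MSIX mode; re-reading `MUnit.OMR` afterwards would let the caller log a failure instead of hanging on the first sync command.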
@@ -358,6 +373,15 @@ struct aac_dev *aac_init_adapter(struct aac_dev *dev)
 	dev->comm_interface = AAC_COMM_PRODUCER;
 	dev->raw_io_interface = dev->raw_io_64 = 0;
 
+
+	/*
+	 * Enable INTX mode, if not done already Enabled
+	 */
+	if (aac_is_msix_mode(dev)) {
+		aac_change_to_intx(dev);
+		dev_info(&dev->pdev->dev, "Changed firmware to INTX mode");
+	}
+
 	if ((!aac_adapter_sync_cmd(dev, GET_ADAPTER_PROPERTIES,
 		0, 0, 0, 0, 0, 0,
 		status+0, status+1, status+2, status+3, NULL)) &&
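Review bot: The MSIX check runs unconditionally in `aac_init_adapter()` and goes through `src_readl()` and `aac_src_access_devreg()`; if this init path is shared with adapters that do not have the src register layout, the read of `MUnit.OMR` is not meaningful there, so the call should be limited to the device types that support it. Smaller points: the `dev_info()` string lacks a trailing `\n`, the comment "if not done already Enabled" is garbled, and the hunk adds a second consecutive blank line.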
-- 
2.7.4


* [PATCH 4.2.y-ckt 042/206] ext4: fix hang when processing corrupted orphaned inode list
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (40 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 041/206] aacraid: Fix for KDUMP driver hang Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 043/206] MIPS: ath79: make bootconsole wait for both THRE and TEMT Kamal Mostafa
                   ` (163 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Theodore Ts'o, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Theodore Ts'o <tytso@mit.edu>

commit c9eb13a9105e2e418f72e46a2b6da3f49e696902 upstream.

If the orphaned inode list contains inode #5, ext4_iget() returns a
bad inode (since the bootloader inode should never be referenced
directly).  Because of the bad inode, we end up processing the inode
repeatedly and this hangs the machine.

This can be reproduced via:

   mke2fs -t ext4 /tmp/foo.img 100
   debugfs -w -R "ssv last_orphan 5" /tmp/foo.img
   mount -o loop /tmp/foo.img /mnt

(But don't do this if you are using an unpatched kernel if you care
about the system staying functional.  :-)

This bug was found by the port of American Fuzzy Lop into the kernel
to find file system problems[1].  (Since it *only* happens if inode #5
shows up on the orphan list --- 3, 7, 8, etc. won't do it, it's not
surprising that AFL needed two hours before it found it.)

[1] http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf

Reported by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/ext4/ialloc.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
index 173c1ae..556ea2a 100644
--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -1137,11 +1137,13 @@ struct inode *ext4_orphan_get(struct super_block *sb, unsigned long ino)
 		goto iget_failed;
 
 	/*
-	 * If the orphans has i_nlinks > 0 then it should be able to be
-	 * truncated, otherwise it won't be removed from the orphan list
-	 * during processing and an infinite loop will result.
+	 * If the orphans has i_nlinks > 0 then it should be able to
+	 * be truncated, otherwise it won't be removed from the orphan
+	 * list during processing and an infinite loop will result.
+	 * Similarly, it must not be a bad inode.
 	 */
-	if (inode->i_nlink && !ext4_can_truncate(inode))
+	if ((inode->i_nlink && !ext4_can_truncate(inode)) ||
+	    is_bad_inode(inode))
 		goto bad_orphan;
 
 	if (NEXT_ORPHAN(inode) > max_ino)
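Review bot: `is_bad_inode(inode)` is tested last in the condition, after `inode->i_nlink` has been read and possibly `ext4_can_truncate()` called on the same inode. Putting the bad-inode test first, as in `if (is_bad_inode(inode) || (inode->i_nlink && !ext4_can_truncate(inode)))`, avoids evaluating the other two on an inode already known to be bad.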
-- 
2.7.4


* [PATCH 4.2.y-ckt 043/206] MIPS: ath79: make bootconsole wait for both THRE and TEMT
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (41 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 042/206] ext4: fix hang when processing corrupted orphaned inode list Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 044/206] Drivers: hv_vmbus: Fix signal to host condition Kamal Mostafa
                   ` (162 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Matthias Schiffer, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Matthias Schiffer <mschiffer@universe-factory.net>

commit f5b556c94c8490d42fea79d7b4ae0ecbc291e69d upstream.

This makes the ath79 bootconsole behave the same way as the generic 8250
bootconsole.

Also waiting for TEMT (transmit buffer is empty) instead of just THRE
(transmit buffer is not full) ensures that all characters have been
transmitted before the real serial driver starts reconfiguring the serial
controller (which would sometimes result in garbage being transmitted.)
This change does not cause a visible performance loss.

In addition, this seems to fix a hang observed in certain configurations on
many AR7xxx/AR9xxx SoCs during autoconfig of the real serial driver.

A more complete follow-up patch will disable 8250 autoconfig for ath79
altogether (the serial controller is detected as a 16550A, which is not
fully compatible with the ath79 serial, and the autoconfig may lead to
undefined behavior on ath79.)

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/ath79/early_printk.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/mips/ath79/early_printk.c b/arch/mips/ath79/early_printk.c
index b955faf..d1adc59 100644
--- a/arch/mips/ath79/early_printk.c
+++ b/arch/mips/ath79/early_printk.c
@@ -31,13 +31,15 @@ static inline void prom_putchar_wait(void __iomem *reg, u32 mask, u32 val)
 	} while (1);
 }
 
+#define BOTH_EMPTY (UART_LSR_TEMT | UART_LSR_THRE)
+
 static void prom_putchar_ar71xx(unsigned char ch)
 {
 	void __iomem *base = (void __iomem *)(KSEG1ADDR(AR71XX_UART_BASE));
 
-	prom_putchar_wait(base + UART_LSR * 4, UART_LSR_THRE, UART_LSR_THRE);
+	prom_putchar_wait(base + UART_LSR * 4, BOTH_EMPTY, BOTH_EMPTY);
 	__raw_writel(ch, base + UART_TX * 4);
-	prom_putchar_wait(base + UART_LSR * 4, UART_LSR_THRE, UART_LSR_THRE);
+	prom_putchar_wait(base + UART_LSR * 4, BOTH_EMPTY, BOTH_EMPTY);
 }
 
 static void prom_putchar_ar933x(unsigned char ch)
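Review bot: `prom_putchar_wait()` ends in `} while (1);` with no timeout, and this hunk makes the condition it waits for stricter (TEMT and THRE rather than THRE alone), so a UART that never reports TEMT would now hang early boot output where it previously made progress. A bounded retry count would keep the bootconsole from blocking boot. Only `prom_putchar_ar71xx()` is changed; a comment on `BOTH_EMPTY` saying why `prom_putchar_ar933x()` is left alone would help.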
-- 
2.7.4


* [PATCH 4.2.y-ckt 044/206] Drivers: hv_vmbus: Fix signal to host condition
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (42 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 043/206] MIPS: ath79: make bootconsole wait for both THRE and TEMT Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 045/206] Drivers: hv: ring_buffer.c: fix comment style Kamal Mostafa
                   ` (161 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Christopher Oo, K . Y . Srinivasan, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Christopher Oo <t-chriso@microsoft.com>

commit a5cca686ce0ef4909deaee4ed46dd991e3a9ece4 upstream.

Fixes a bug where previously hv_ringbuffer_read would pass in the old
number of bytes available to read instead of the expected old read index
when calculating when to signal to the host that the ringbuffer is empty.
Since the previous write size is already saved, also changes the
hv_need_to_signal_on_read to use the previously read value rather than
recalculating it.

Signed-off-by: Christopher Oo <t-chriso@microsoft.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/hv/ring_buffer.c | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c
index 6361d12..70a1a9a 100644
--- a/drivers/hv/ring_buffer.c
+++ b/drivers/hv/ring_buffer.c
@@ -103,10 +103,9 @@ static bool hv_need_to_signal(u32 old_write, struct hv_ring_buffer_info *rbi)
  *    there is room for the producer to send the pending packet.
  */
 
-static bool hv_need_to_signal_on_read(u32 old_rd,
-					 struct hv_ring_buffer_info *rbi)
+static bool hv_need_to_signal_on_read(u32 prev_write_sz,
+				      struct hv_ring_buffer_info *rbi)
 {
-	u32 prev_write_sz;
 	u32 cur_write_sz;
 	u32 r_size;
 	u32 write_loc = rbi->ring_buffer->write_index;
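Review bot: The first parameter of `hv_need_to_signal_on_read()` changes meaning from a read index (`old_rd`) to a byte count (`prev_write_sz`) while keeping the type `u32`, so a stale caller would still compile. The function's header comment, of which only the tail is visible here, should say that the caller passes the writable space measured before the read.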
@@ -123,10 +122,6 @@ static bool hv_need_to_signal_on_read(u32 old_rd,
 	cur_write_sz = write_loc >= read_loc ? r_size - (write_loc - read_loc) :
 			read_loc - write_loc;
 
-	prev_write_sz = write_loc >= old_rd ? r_size - (write_loc - old_rd) :
-			old_rd - write_loc;
-
-
 	if ((prev_write_sz < pending_sz) && (cur_write_sz >= pending_sz))
 		return true;
 
@@ -517,7 +512,6 @@ int hv_ringbuffer_read(struct hv_ring_buffer_info *inring_info, void *buffer,
 	u32 next_read_location = 0;
 	u64 prev_indices = 0;
 	unsigned long flags;
-	u32 old_read;
 
 	if (buflen <= 0)
 		return -EINVAL;
@@ -528,8 +522,6 @@ int hv_ringbuffer_read(struct hv_ring_buffer_info *inring_info, void *buffer,
 				&bytes_avail_toread,
 				&bytes_avail_towrite);
 
-	old_read = bytes_avail_toread;
-
 	/* Make sure there is something to read */
 	if (bytes_avail_toread < buflen) {
 		spin_unlock_irqrestore(&inring_info->ring_lock, flags);
@@ -560,7 +552,7 @@ int hv_ringbuffer_read(struct hv_ring_buffer_info *inring_info, void *buffer,
 
 	spin_unlock_irqrestore(&inring_info->ring_lock, flags);
 
-	*signal = hv_need_to_signal_on_read(old_read, inring_info);
+	*signal = hv_need_to_signal_on_read(bytes_avail_towrite, inring_info);
 
 	return 0;
 }
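Review bot: `hv_need_to_signal_on_read(bytes_avail_towrite, inring_info)` is called after `spin_unlock_irqrestore()`, so the previous size was sampled under `ring_lock` but the current `read_index` and `write_index` are re-read inside the helper without it. If that is intentional, say so in a comment; otherwise compute the signal decision before dropping the lock.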
-- 
2.7.4


* [PATCH 4.2.y-ckt 045/206] Drivers: hv: ring_buffer.c: fix comment style
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (43 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 044/206] Drivers: hv_vmbus: Fix signal to host condition Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 046/206] Drivers: hv: vmbus: Fix signaling logic in hv_need_to_signal_on_read() Kamal Mostafa
                   ` (160 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Vitaly Kuznetsov, K . Y . Srinivasan, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Vitaly Kuznetsov <vkuznets@redhat.com>

commit 822f18d4d3e9d4efb4996bbe562d0f99ab82d7dd upstream.

Convert 6+-string comments repeating function names to normal kernel-style
comments and fix a couple of other comment style issues. No textual or
functional changes intended.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/hv/ring_buffer.c | 135 +++++++++--------------------------------------
 1 file changed, 26 insertions(+), 109 deletions(-)

diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c
index 70a1a9a..7bca513 100644
--- a/drivers/hv/ring_buffer.c
+++ b/drivers/hv/ring_buffer.c
@@ -112,9 +112,7 @@ static bool hv_need_to_signal_on_read(u32 prev_write_sz,
 	u32 read_loc = rbi->ring_buffer->read_index;
 	u32 pending_sz = rbi->ring_buffer->pending_send_sz;
 
-	/*
-	 * If the other end is not blocked on write don't bother.
-	 */
+	/* If the other end is not blocked on write don't bother. */
 	if (pending_sz == 0)
 		return false;
 
@@ -128,12 +126,7 @@ static bool hv_need_to_signal_on_read(u32 prev_write_sz,
 	return false;
 }
 
-/*
- * hv_get_next_write_location()
- *
- * Get the next write location for the specified ring buffer
- *
- */
+/* Get the next write location for the specified ring buffer. */
 static inline u32
 hv_get_next_write_location(struct hv_ring_buffer_info *ring_info)
 {
@@ -142,12 +135,7 @@ hv_get_next_write_location(struct hv_ring_buffer_info *ring_info)
 	return next;
 }
 
-/*
- * hv_set_next_write_location()
- *
- * Set the next write location for the specified ring buffer
- *
- */
+/* Set the next write location for the specified ring buffer. */
 static inline void
 hv_set_next_write_location(struct hv_ring_buffer_info *ring_info,
 		     u32 next_write_location)
@@ -155,11 +143,7 @@ hv_set_next_write_location(struct hv_ring_buffer_info *ring_info,
 	ring_info->ring_buffer->write_index = next_write_location;
 }
 
-/*
- * hv_get_next_read_location()
- *
- * Get the next read location for the specified ring buffer
- */
+/* Get the next read location for the specified ring buffer. */
 static inline u32
 hv_get_next_read_location(struct hv_ring_buffer_info *ring_info)
 {
@@ -169,10 +153,8 @@ hv_get_next_read_location(struct hv_ring_buffer_info *ring_info)
 }
 
 /*
- * hv_get_next_readlocation_withoffset()
- *
  * Get the next read location + offset for the specified ring buffer.
- * This allows the caller to skip
+ * This allows the caller to skip.
  */
 static inline u32
 hv_get_next_readlocation_withoffset(struct hv_ring_buffer_info *ring_info,
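Review bot: in the comment above hv_get_next_readlocation_withoffset(), "This allows the caller to skip." is still an unfinished sentence, and adding a full stop hides the truncation instead of fixing it. Either say what the caller skips or drop the line. The edit also sits oddly with the changelog's claim that no textual changes are intended.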
@@ -186,13 +168,7 @@ hv_get_next_readlocation_withoffset(struct hv_ring_buffer_info *ring_info,
 	return next;
 }
 
-/*
- *
- * hv_set_next_read_location()
- *
- * Set the next read location for the specified ring buffer
- *
- */
+/* Set the next read location for the specified ring buffer. */
 static inline void
 hv_set_next_read_location(struct hv_ring_buffer_info *ring_info,
 		    u32 next_read_location)
@@ -201,12 +177,7 @@ hv_set_next_read_location(struct hv_ring_buffer_info *ring_info,
 }
 
 
-/*
- *
- * hv_get_ring_buffer()
- *
- * Get the start of the ring buffer
- */
+/* Get the start of the ring buffer. */
 static inline void *
 hv_get_ring_buffer(struct hv_ring_buffer_info *ring_info)
 {
@@ -214,25 +185,14 @@ hv_get_ring_buffer(struct hv_ring_buffer_info *ring_info)
 }
 
 
-/*
- *
- * hv_get_ring_buffersize()
- *
- * Get the size of the ring buffer
- */
+/* Get the size of the ring buffer. */
 static inline u32
 hv_get_ring_buffersize(struct hv_ring_buffer_info *ring_info)
 {
 	return ring_info->ring_datasize;
 }
 
-/*
- *
- * hv_get_ring_bufferindices()
- *
- * Get the read and write indices as u64 of the specified ring buffer
- *
- */
+/* Get the read and write indices as u64 of the specified ring buffer. */
 static inline u64
 hv_get_ring_bufferindices(struct hv_ring_buffer_info *ring_info)
 {
@@ -240,12 +200,8 @@ hv_get_ring_bufferindices(struct hv_ring_buffer_info *ring_info)
 }
 
 /*
- *
- * hv_copyfrom_ringbuffer()
- *
  * Helper routine to copy to source from ring buffer.
  * Assume there is enough room. Handles wrap-around in src case only!!
- *
  */
 static u32 hv_copyfrom_ringbuffer(
 	struct hv_ring_buffer_info	*ring_info,
@@ -277,12 +233,8 @@ static u32 hv_copyfrom_ringbuffer(
 
 
 /*
- *
- * hv_copyto_ringbuffer()
- *
  * Helper routine to copy from source to ring buffer.
  * Assume there is enough room. Handles wrap-around in dest case only!!
- *
  */
 static u32 hv_copyto_ringbuffer(
 	struct hv_ring_buffer_info	*ring_info,
@@ -308,13 +260,7 @@ static u32 hv_copyto_ringbuffer(
 	return start_write_offset;
 }
 
-/*
- *
- * hv_ringbuffer_get_debuginfo()
- *
- * Get various debug metrics for the specified ring buffer
- *
- */
+/* Get various debug metrics for the specified ring buffer. */
 void hv_ringbuffer_get_debuginfo(struct hv_ring_buffer_info *ring_info,
 			    struct hv_ring_buffer_debug_info *debug_info)
 {
@@ -337,13 +283,7 @@ void hv_ringbuffer_get_debuginfo(struct hv_ring_buffer_info *ring_info,
 	}
 }
 
-/*
- *
- * hv_ringbuffer_init()
- *
- *Initialize the ring buffer
- *
- */
+/* Initialize the ring buffer. */
 int hv_ringbuffer_init(struct hv_ring_buffer_info *ring_info,
 		   void *buffer, u32 buflen)
 {
@@ -356,9 +296,7 @@ int hv_ringbuffer_init(struct hv_ring_buffer_info *ring_info,
 	ring_info->ring_buffer->read_index =
 		ring_info->ring_buffer->write_index = 0;
 
-	/*
-	 * Set the feature bit for enabling flow control.
-	 */
+	/* Set the feature bit for enabling flow control. */
 	ring_info->ring_buffer->feature_bits.value = 1;
 
 	ring_info->ring_size = buflen;
@@ -369,24 +307,12 @@ int hv_ringbuffer_init(struct hv_ring_buffer_info *ring_info,
 	return 0;
 }
 
-/*
- *
- * hv_ringbuffer_cleanup()
- *
- * Cleanup the ring buffer
- *
- */
+/* Cleanup the ring buffer. */
 void hv_ringbuffer_cleanup(struct hv_ring_buffer_info *ring_info)
 {
 }
 
-/*
- *
- * hv_ringbuffer_write()
- *
- * Write to the ring buffer
- *
- */
+/* Write to the ring buffer. */
 int hv_ringbuffer_write(struct hv_ring_buffer_info *outring_info,
 		    struct kvec *kv_list, u32 kv_count, bool *signal)
 {
@@ -411,10 +337,11 @@ int hv_ringbuffer_write(struct hv_ring_buffer_info *outring_info,
 				&bytes_avail_toread,
 				&bytes_avail_towrite);
 
-
-	/* If there is only room for the packet, assume it is full. */
-	/* Otherwise, the next time around, we think the ring buffer */
-	/* is empty since the read index == write index */
+	/*
+	 * If there is only room for the packet, assume it is full.
+	 * Otherwise, the next time around, we think the ring buffer
+	 * is empty since the read index == write index.
+	 */
 	if (bytes_avail_towrite <= totalbytes_towrite) {
 		spin_unlock_irqrestore(&outring_info->ring_lock, flags);
 		return -EAGAIN;
@@ -454,13 +381,7 @@ int hv_ringbuffer_write(struct hv_ring_buffer_info *outring_info,
 }
 
 
-/*
- *
- * hv_ringbuffer_peek()
- *
- * Read without advancing the read index
- *
- */
+/* Read without advancing the read index. */
 int hv_ringbuffer_peek(struct hv_ring_buffer_info *Inring_info,
 		   void *Buffer, u32 buflen)
 {
@@ -497,13 +418,7 @@ int hv_ringbuffer_peek(struct hv_ring_buffer_info *Inring_info,
 }
 
 
-/*
- *
- * hv_ringbuffer_read()
- *
- * Read and advance the read index
- *
- */
+/* Read and advance the read index. */
 int hv_ringbuffer_read(struct hv_ring_buffer_info *inring_info, void *buffer,
 		   u32 buflen, u32 offset, bool *signal)
 {
@@ -542,9 +457,11 @@ int hv_ringbuffer_read(struct hv_ring_buffer_info *inring_info, void *buffer,
 						sizeof(u64),
 						next_read_location);
 
-	/* Make sure all reads are done before we update the read index since */
-	/* the writer may start writing to the read area once the read index */
-	/*is updated */
+	/*
+	 * Make sure all reads are done before we update the read index since
+	 * the writer may start writing to the read area once the read index
+	 * is updated.
+	 */
 	mb();
 
 	/* Update the read index */
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 046/206] Drivers: hv: vmbus: Fix signaling logic in hv_need_to_signal_on_read()
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (44 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 045/206] Drivers: hv: ring_buffer.c: fix comment style Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 047/206] mei: fix NULL dereferencing during FW initiated disconnection Kamal Mostafa
                   ` (159 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: K . Y . Srinivasan, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "K. Y. Srinivasan" <kys@microsoft.com>

commit a389fcfd2cb57793931a9fb98fed076aae50bb6c upstream.

On the consumer side, we have interrupt driven flow management of the
producer. It is sufficient to base the signaling decision on the
amount of space that is available to write after the read is complete.
The current code samples the previous available space and uses this
in making the signaling decision. This state can be stale and is
unnecessary. Since the state can be stale, we end up not signaling
the host (when we should) and this can result in a hang. Fix this
problem by removing the unnecessary check. I would like to thank
Arseney Romanenko <arseneyr@microsoft.com> for pointing out this issue.

Also, issue a full memory barrier before making the signaling decision
to correctly deal with potential reordering of the write (read index)
followed by the read of pending_sz.

Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Tested-by: Dexuan Cui <decui@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/hv/ring_buffer.c | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c
index 7bca513..14d45c7 100644
--- a/drivers/hv/ring_buffer.c
+++ b/drivers/hv/ring_buffer.c
@@ -103,15 +103,29 @@ static bool hv_need_to_signal(u32 old_write, struct hv_ring_buffer_info *rbi)
  *    there is room for the producer to send the pending packet.
  */
 
-static bool hv_need_to_signal_on_read(u32 prev_write_sz,
-				      struct hv_ring_buffer_info *rbi)
+static bool hv_need_to_signal_on_read(struct hv_ring_buffer_info *rbi)
 {
 	u32 cur_write_sz;
 	u32 r_size;
-	u32 write_loc = rbi->ring_buffer->write_index;
+	u32 write_loc;
 	u32 read_loc = rbi->ring_buffer->read_index;
-	u32 pending_sz = rbi->ring_buffer->pending_send_sz;
+	u32 pending_sz;
 
+	/*
+	 * Issue a full memory barrier before making the signaling decision.
+	 * Here is the reason for having this barrier:
+	 * If the reading of the pend_sz (in this function)
+	 * were to be reordered and read before we commit the new read
+	 * index (in the calling function)  we could
+	 * have a problem. If the host were to set the pending_sz after we
+	 * have sampled pending_sz and go to sleep before we commit the
+	 * read index, we could miss sending the interrupt. Issue a full
+	 * memory barrier to address this.
+	 */
+	mb();
+
+	pending_sz = rbi->ring_buffer->pending_send_sz;
+	write_loc = rbi->ring_buffer->write_index;
 	/* If the other end is not blocked on write don't bother. */
 	if (pending_sz == 0)
 		return false;
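Review bot: the new barrier comment refers to "pend_sz", which matches no identifier in this function; the local is pending_sz and the shared field is pending_send_sz, so please use one of those names. Since the comment itself says the host can set this field concurrently, the two loads that follow mb() would be clearer as READ_ONCE(), so the compiler cannot re-read the shared values between the zero check and the later comparison. A blank line between the write_loc assignment and the "If the other end is not blocked" comment would also match the rest of the function.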
@@ -120,7 +134,7 @@ static bool hv_need_to_signal_on_read(u32 prev_write_sz,
 	cur_write_sz = write_loc >= read_loc ? r_size - (write_loc - read_loc) :
 			read_loc - write_loc;
 
-	if ((prev_write_sz < pending_sz) && (cur_write_sz >= pending_sz))
+	if (cur_write_sz >= pending_sz)
 		return true;
 
 	return false;
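Review bot: with the prev_write_sz test removed, every read that leaves cur_write_sz >= pending_sz now returns true, not only the read that crosses the threshold. The function's header comment should state that repeated signals to the host are acceptable, so a later cleanup does not reintroduce the edge test. The tail could also be reduced to "return cur_write_sz >= pending_sz;".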
@@ -469,7 +483,7 @@ int hv_ringbuffer_read(struct hv_ring_buffer_info *inring_info, void *buffer,
 
 	spin_unlock_irqrestore(&inring_info->ring_lock, flags);
 
-	*signal = hv_need_to_signal_on_read(bytes_avail_towrite, inring_info);
+	*signal = hv_need_to_signal_on_read(inring_info);
 
 	return 0;
 }
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 047/206] mei: fix NULL dereferencing during FW initiated disconnection
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (45 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 046/206] Drivers: hv: vmbus: Fix signaling logic in hv_need_to_signal_on_read() Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 048/206] mei: amthif: discard not read messages Kamal Mostafa
                   ` (158 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Alexander Usyskin, Tomas Winkler, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Alexander Usyskin <alexander.usyskin@intel.com>

commit 6a8d648c8d1824117a9e9edb948ed1611fb013c0 upstream.

In the case when disconnection is initiated from the FW
the driver is flushing items from the write control list while
iterating over it:

mei_irq_write_handler()
    list_for_each_entry_safe(ctrl_wr_list)         <-- outer loop
         mei_cl_irq_disconnect_rsp()
             mei_cl_set_disconnected()
                 mei_io_list_flush(ctrl_wr_list)   <-- destroying list

We move the list flushing to the completion routine.

Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/misc/mei/client.c    | 4 ++++
 drivers/misc/mei/hbm.c       | 3 +--
 drivers/misc/mei/interrupt.c | 5 +----
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/misc/mei/client.c b/drivers/misc/mei/client.c
index 6decbe1..b364117 100644
--- a/drivers/misc/mei/client.c
+++ b/drivers/misc/mei/client.c
@@ -1490,6 +1490,10 @@ void mei_cl_complete(struct mei_cl *cl, struct mei_cl_cb *cb)
 			wake_up(&cl->wait);
 
 		break;
+	case MEI_FOP_DISCONNECT_RSP:
+		mei_io_cb_free(cb);
+		mei_cl_set_disconnected(cl);
+		break;
 	default:
 		BUG_ON(0);
 	}
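Review bot: the new MEI_FOP_DISCONNECT_RSP case calls mei_io_cb_free(cb) on a cb that mei_cl_irq_disconnect_rsp() has just moved onto cmpl_list with list_move_tail(). Nothing in this hunk shows the cb being unlinked first, so please confirm that the completion path removes it from the list before calling mei_cl_complete(), or add a comment saying so.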
diff --git a/drivers/misc/mei/hbm.c b/drivers/misc/mei/hbm.c
index a4f2831..070c9bc 100644
--- a/drivers/misc/mei/hbm.c
+++ b/drivers/misc/mei/hbm.c
@@ -687,8 +687,7 @@ static int mei_hbm_fw_disconnect_req(struct mei_device *dev,
 		cb = mei_io_cb_init(cl, MEI_FOP_DISCONNECT_RSP, NULL);
 		if (!cb)
 			return -ENOMEM;
-		cl_dbg(dev, cl, "add disconnect response as first\n");
-		list_add(&cb->list, &dev->ctrl_wr_list.list);
+		list_add_tail(&cb->list, &dev->ctrl_wr_list.list);
 	}
 	return 0;
 }
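Review bot: switching list_add() to list_add_tail() and dropping the "add disconnect response as first" debug line changes where the response is queued in ctrl_wr_list, but the changelog only describes moving the flush. A sentence on why head insertion is no longer needed would help anyone reviewing the backport.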
diff --git a/drivers/misc/mei/interrupt.c b/drivers/misc/mei/interrupt.c
index 3f34052..15dbac8 100644
--- a/drivers/misc/mei/interrupt.c
+++ b/drivers/misc/mei/interrupt.c
@@ -180,10 +180,7 @@ static int mei_cl_irq_disconnect_rsp(struct mei_cl *cl, struct mei_cl_cb *cb,
 		return -EMSGSIZE;
 
 	ret = mei_hbm_cl_disconnect_rsp(dev, cl);
-	mei_cl_set_disconnected(cl);
-	mei_io_cb_free(cb);
-	mei_me_cl_put(cl->me_cl);
-	cl->me_cl = NULL;
+	list_move_tail(&cb->list, &cmpl_list->list);
 
 	return ret;
 }
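Review bot: the removed lines also did mei_me_cl_put(cl->me_cl) and cl->me_cl = NULL, while the new completion case in client.c only calls mei_io_cb_free() and mei_cl_set_disconnected(). If mei_cl_set_disconnected() already drops the me_cl reference, please say so in the changelog; otherwise the put is lost with this change.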
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 048/206] mei: amthif: discard not read messages
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (46 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 047/206] mei: fix NULL dereferencing during FW initiated disconnection Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 049/206] tty: Abstract tty buffer work Kamal Mostafa
                   ` (157 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Alexander Usyskin, Tomas Winkler, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Alexander Usyskin <alexander.usyskin@intel.com>

commit 9d04ee11db7bf0d848266cbfd7db336097a0e239 upstream.

When a message is received and amthif client is not in reading state
the message is ignored and left dangling in the queue. This may happen
after one of the amthif host connections is closed w/o completing the
reading. Another client will pick up a wrong message on next read
attempt which will lead to link reset.
To prevent this the driver has to properly discard the message when
amthif client is not in reading state.

Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/misc/mei/amthif.c    | 4 +++-
 drivers/misc/mei/interrupt.c | 1 -
 drivers/misc/mei/mei_dev.h   | 2 ++
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/mei/amthif.c b/drivers/misc/mei/amthif.c
index 1e42781..eee1a96 100644
--- a/drivers/misc/mei/amthif.c
+++ b/drivers/misc/mei/amthif.c
@@ -417,8 +417,10 @@ int mei_amthif_irq_read_msg(struct mei_cl *cl,
 
 	dev = cl->dev;
 
-	if (dev->iamthif_state != MEI_IAMTHIF_READING)
+	if (dev->iamthif_state != MEI_IAMTHIF_READING) {
+		mei_irq_discard_msg(dev, mei_hdr);
 		return 0;
+	}
 
 	ret = mei_cl_irq_read_msg(cl, mei_hdr, cmpl_list);
 	if (ret)
diff --git a/drivers/misc/mei/interrupt.c b/drivers/misc/mei/interrupt.c
index 15dbac8..c879823 100644
--- a/drivers/misc/mei/interrupt.c
+++ b/drivers/misc/mei/interrupt.c
@@ -75,7 +75,6 @@ static inline int mei_cl_hbm_equal(struct mei_cl *cl,
  * @dev: mei device
  * @hdr: message header
  */
-static inline
 void mei_irq_discard_msg(struct mei_device *dev, struct mei_msg_hdr *hdr)
 {
 	/*
diff --git a/drivers/misc/mei/mei_dev.h b/drivers/misc/mei/mei_dev.h
index bc65fb4..aa040f9 100644
--- a/drivers/misc/mei/mei_dev.h
+++ b/drivers/misc/mei/mei_dev.h
@@ -768,6 +768,8 @@ bool mei_hbuf_acquire(struct mei_device *dev);
 
 bool mei_write_is_idle(struct mei_device *dev);
 
+void mei_irq_discard_msg(struct mei_device *dev, struct mei_msg_hdr *hdr);
+
 #if IS_ENABLED(CONFIG_DEBUG_FS)
 int mei_dbgfs_register(struct mei_device *dev, const char *name);
 void mei_dbgfs_deregister(struct mei_device *dev);
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 049/206] tty: Abstract tty buffer work
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (47 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 048/206] mei: amthif: discard not read messages Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 050/206] Fix OpenSSH pty regression on close Kamal Mostafa
                   ` (156 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Peter Hurley, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Peter Hurley <peter@hurleysoftware.com>

commit e176058f0de53c2346734e5254835e0045364001 upstream.

Introduce API functions to restart and cancel tty buffer work, rather
than manipulate buffer work directly.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/tty/n_tty.c      |  2 +-
 drivers/tty/tty_buffer.c | 10 ++++++++++
 drivers/tty/tty_io.c     |  2 +-
 drivers/tty/tty_port.c   |  2 +-
 include/linux/tty.h      |  2 ++
 5 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index a0398a8..4e27ab9 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -201,7 +201,7 @@ static void n_tty_kick_worker(struct tty_struct *tty)
 		 */
 		WARN_RATELIMIT(test_bit(TTY_LDISC_HALTED, &tty->flags),
 			       "scheduling buffer work for halted ldisc\n");
-		queue_work(system_unbound_wq, &tty->port->buf.work);
+		tty_buffer_restart_work(tty->port);
 	}
 }
 
diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
index 6059177..a0ee0bf 100644
--- a/drivers/tty/tty_buffer.c
+++ b/drivers/tty/tty_buffer.c
@@ -577,3 +577,13 @@ void tty_buffer_set_lock_subclass(struct tty_port *port)
 {
 	lockdep_set_subclass(&port->buf.lock, TTY_LOCK_SLAVE);
 }
+
+bool tty_buffer_restart_work(struct tty_port *port)
+{
+	return queue_work(system_unbound_wq, &port->buf.work);
+}
+
+bool tty_buffer_cancel_work(struct tty_port *port)
+{
+	return cancel_work_sync(&port->buf.work);
+}
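Review bot: tty_buffer_restart_work() and tty_buffer_cancel_work() are added without kernel-doc, and their bool results (passed through from queue_work() and cancel_work_sync()) are ignored by every caller converted in this patch. Please document what the return value means, and note that tty_buffer_cancel_work() can sleep, so the calling context is clear from the API rather than from the wrapped call.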
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index d5f54a1..876def68 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -1690,7 +1690,7 @@ static void release_tty(struct tty_struct *tty, int idx)
 	tty->port->itty = NULL;
 	if (tty->link)
 		tty->link->port->itty = NULL;
-	cancel_work_sync(&tty->port->buf.work);
+	tty_buffer_cancel_work(tty->port);
 
 	tty_kref_put(tty->link);
 	tty_kref_put(tty);
diff --git a/drivers/tty/tty_port.c b/drivers/tty/tty_port.c
index 40b3183..892affc 100644
--- a/drivers/tty/tty_port.c
+++ b/drivers/tty/tty_port.c
@@ -131,7 +131,7 @@ EXPORT_SYMBOL(tty_port_free_xmit_buf);
  */
 void tty_port_destroy(struct tty_port *port)
 {
-	cancel_work_sync(&port->buf.work);
+	tty_buffer_cancel_work(port);
 	tty_buffer_free_all(port);
 }
 EXPORT_SYMBOL(tty_port_destroy);
diff --git a/include/linux/tty.h b/include/linux/tty.h
index 245524a2..223d905 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -467,6 +467,8 @@ extern void tty_buffer_free_all(struct tty_port *port);
 extern void tty_buffer_flush(struct tty_struct *tty, struct tty_ldisc *ld);
 extern void tty_buffer_init(struct tty_port *port);
 extern void tty_buffer_set_lock_subclass(struct tty_port *port);
+extern bool tty_buffer_restart_work(struct tty_port *port);
+extern bool tty_buffer_cancel_work(struct tty_port *port);
 extern speed_t tty_termios_baud_rate(struct ktermios *termios);
 extern speed_t tty_termios_input_baud_rate(struct ktermios *termios);
 extern void tty_termios_encode_baud_rate(struct ktermios *termios,
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 050/206] Fix OpenSSH pty regression on close
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (48 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 049/206] tty: Abstract tty buffer work Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 051/206] QE-UART: add "fsl,t1040-ucc-uart" to of_device_id Kamal Mostafa
                   ` (155 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Brian Bloniarz, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Brian Bloniarz <brian.bloniarz@gmail.com>

commit 0f40fbbcc34e093255a2b2d70b6b0fb48c3f39aa upstream.

OpenSSH expects the (non-blocking) read() of pty master to return
EAGAIN only if it has received all of the slave-side output after
it has received SIGCHLD. This used to work on pre-3.12 kernels.

This fix effectively forces non-blocking read() and poll() to
block for parallel i/o to complete for all ttys. It also unwinds
these changes:

1) f8747d4a466ab2cafe56112c51b3379f9fdb7a12
   tty: Fix pty master read() after slave closes

2) 52bce7f8d4fc633c9a9d0646eef58ba6ae9a3b73
   pty, n_tty: Simplify input processing on final close

3) 1a48632ffed61352a7810ce089dc5a8bcd505a60
   pty: Fix input race when closing

Inspired by analysis and patch from Marc Aurele La France <tsi@tuyoix.net>

Reported-by: Volth <openssh@volth.com>
Reported-by: Marc Aurele La France <tsi@tuyoix.net>
BugLink: https://bugzilla.mindrot.org/show_bug.cgi?id=52
BugLink: https://bugzilla.mindrot.org/show_bug.cgi?id=2492
Signed-off-by: Brian Bloniarz <brian.bloniarz@gmail.com>
Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 Documentation/serial/tty.txt |  3 --
 drivers/tty/n_hdlc.c         |  4 +--
 drivers/tty/n_tty.c          | 70 +++++++++++++++++++++-----------------------
 drivers/tty/pty.c            |  4 +--
 drivers/tty/tty_buffer.c     | 34 ++++-----------------
 include/linux/tty.h          |  2 +-
 6 files changed, 43 insertions(+), 74 deletions(-)

diff --git a/Documentation/serial/tty.txt b/Documentation/serial/tty.txt
index 973c8ad..849e81a 100644
--- a/Documentation/serial/tty.txt
+++ b/Documentation/serial/tty.txt
@@ -195,9 +195,6 @@ TTY_IO_ERROR		If set, causes all subsequent userspace read/write
 
 TTY_OTHER_CLOSED	Device is a pty and the other side has closed.
 
-TTY_OTHER_DONE		Device is a pty and the other side has closed and
-			all pending input processing has been completed.
-
 TTY_NO_WRITE_SPLIT	Prevent driver from splitting up writes into
 			smaller chunks.
 
diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
index bbc4ce6..644ddb8 100644
--- a/drivers/tty/n_hdlc.c
+++ b/drivers/tty/n_hdlc.c
@@ -600,7 +600,7 @@ static ssize_t n_hdlc_tty_read(struct tty_struct *tty, struct file *file,
 	add_wait_queue(&tty->read_wait, &wait);
 
 	for (;;) {
-		if (test_bit(TTY_OTHER_DONE, &tty->flags)) {
+		if (test_bit(TTY_OTHER_CLOSED, &tty->flags)) {
 			ret = -EIO;
 			break;
 		}
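Review bot: n_hdlc_tty_read() now returns -EIO as soon as TTY_OTHER_CLOSED is set, at the top of the loop, whereas the n_tty_read() change in this same patch first calls tty_buffer_flush_work() and rechecks for input before testing the flag. Is it intended that n_hdlc can report -EIO while data from the closed side is still queued? If so, a comment here would help; if not, this path needs the same flush-and-recheck.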
@@ -828,7 +828,7 @@ static unsigned int n_hdlc_tty_poll(struct tty_struct *tty, struct file *filp,
 		/* set bits for operations that won't block */
 		if (n_hdlc->rx_buf_list.head)
 			mask |= POLLIN | POLLRDNORM;	/* readable */
-		if (test_bit(TTY_OTHER_DONE, &tty->flags))
+		if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
 			mask |= POLLHUP;
 		if (tty_hung_up_p(filp))
 			mask |= POLLHUP;
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index 4e27ab9..a717fdb 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -1959,18 +1959,6 @@ static inline int input_available_p(struct tty_struct *tty, int poll)
 		return ldata->commit_head - ldata->read_tail >= amt;
 }
 
-static inline int check_other_done(struct tty_struct *tty)
-{
-	int done = test_bit(TTY_OTHER_DONE, &tty->flags);
-	if (done) {
-		/* paired with cmpxchg() in check_other_closed(); ensures
-		 * read buffer head index is not stale
-		 */
-		smp_mb__after_atomic();
-	}
-	return done;
-}
-
 /**
  *	copy_from_read_buf	-	copy read data directly
  *	@tty: terminal device
@@ -2188,7 +2176,7 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
 	struct n_tty_data *ldata = tty->disc_data;
 	unsigned char __user *b = buf;
 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
-	int c, done;
+	int c;
 	int minimum, time;
 	ssize_t retval = 0;
 	long timeout;
@@ -2256,32 +2244,35 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
 		    ((minimum - (b - buf)) >= 1))
 			ldata->minimum_to_wake = (minimum - (b - buf));
 
-		done = check_other_done(tty);
-
 		if (!input_available_p(tty, 0)) {
-			if (done) {
-				retval = -EIO;
-				break;
-			}
-			if (tty_hung_up_p(file))
-				break;
-			if (!timeout)
-				break;
-			if (file->f_flags & O_NONBLOCK) {
-				retval = -EAGAIN;
-				break;
-			}
-			if (signal_pending(current)) {
-				retval = -ERESTARTSYS;
-				break;
-			}
 			up_read(&tty->termios_rwsem);
+			tty_buffer_flush_work(tty->port);
+			down_read(&tty->termios_rwsem);
+			if (!input_available_p(tty, 0)) {
+				if (test_bit(TTY_OTHER_CLOSED, &tty->flags)) {
+					retval = -EIO;
+					break;
+				}
+				if (tty_hung_up_p(file))
+					break;
+				if (!timeout)
+					break;
+				if (file->f_flags & O_NONBLOCK) {
+					retval = -EAGAIN;
+					break;
+				}
+				if (signal_pending(current)) {
+					retval = -ERESTARTSYS;
+					break;
+				}
+				up_read(&tty->termios_rwsem);
 
-			timeout = wait_woken(&wait, TASK_INTERRUPTIBLE,
-					     timeout);
+				timeout = wait_woken(&wait, TASK_INTERRUPTIBLE,
+						timeout);
 
-			down_read(&tty->termios_rwsem);
-			continue;
+				down_read(&tty->termios_rwsem);
+				continue;
+			}
 		}
 
 		if (ldata->icanon && !L_EXTPROC(tty)) {
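Review bot: the up_read() / tty_buffer_flush_work() / down_read() sequence and the second input_available_p() test carry no comment, although they are the core of the fix and mean this path can now sleep in flush_work() even for O_NONBLOCK readers. A short comment stating that termios_rwsem is dropped around the flush, and that the recheck picks up data the worker has just delivered, would keep this from being simplified away later. The continuation line "timeout);" also lost its alignment with the opening parenthesis of wait_woken().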
@@ -2463,12 +2454,17 @@ static unsigned int n_tty_poll(struct tty_struct *tty, struct file *file,
 
 	poll_wait(file, &tty->read_wait, wait);
 	poll_wait(file, &tty->write_wait, wait);
-	if (check_other_done(tty))
-		mask |= POLLHUP;
 	if (input_available_p(tty, 1))
 		mask |= POLLIN | POLLRDNORM;
+	else {
+		tty_buffer_flush_work(tty->port);
+		if (input_available_p(tty, 1))
+			mask |= POLLIN | POLLRDNORM;
+	}
 	if (tty->packet && tty->link->ctrl_status)
 		mask |= POLLPRI | POLLIN | POLLRDNORM;
+	if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
+		mask |= POLLHUP;
 	if (tty_hung_up_p(file))
 		mask |= POLLHUP;
 	if (!(mask & (POLLHUP | POLLIN | POLLRDNORM))) {
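Review bot: the new "else {" in n_tty_poll() pairs a braced branch with an unbraced "if (input_available_p(tty, 1))" branch; kernel coding style wants braces on both branches when either one needs them. It is also worth a one-line comment that POLLHUP for TTY_OTHER_CLOSED is now tested after the flush on purpose, so that POLLIN is reported together with the hangup when data is still pending.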
diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
index 254c183..b1f78aa 100644
--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
@@ -54,7 +54,7 @@ static void pty_close(struct tty_struct *tty, struct file *filp)
 	if (!tty->link)
 		return;
 	set_bit(TTY_OTHER_CLOSED, &tty->link->flags);
-	tty_flip_buffer_push(tty->link->port);
+	wake_up_interruptible(&tty->link->read_wait);
 	wake_up_interruptible(&tty->link->write_wait);
 	if (tty->driver->subtype == PTY_TYPE_MASTER) {
 		set_bit(TTY_OTHER_CLOSED, &tty->flags);
@@ -242,9 +242,7 @@ static int pty_open(struct tty_struct *tty, struct file *filp)
 		goto out;
 
 	clear_bit(TTY_IO_ERROR, &tty->flags);
-	/* TTY_OTHER_CLOSED must be cleared before TTY_OTHER_DONE */
 	clear_bit(TTY_OTHER_CLOSED, &tty->link->flags);
-	clear_bit(TTY_OTHER_DONE, &tty->link->flags);
 	set_bit(TTY_THROTTLED, &tty->flags);
 	return 0;
 
diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
index a0ee0bf..d7b9a52 100644
--- a/drivers/tty/tty_buffer.c
+++ b/drivers/tty/tty_buffer.c
@@ -37,29 +37,6 @@
 
 #define TTY_BUFFER_PAGE	(((PAGE_SIZE - sizeof(struct tty_buffer)) / 2) & ~0xFF)
 
-/*
- * If all tty flip buffers have been processed by flush_to_ldisc() or
- * dropped by tty_buffer_flush(), check if the linked pty has been closed.
- * If so, wake the reader/poll to process
- */
-static inline void check_other_closed(struct tty_struct *tty)
-{
-	unsigned long flags, old;
-
-	/* transition from TTY_OTHER_CLOSED => TTY_OTHER_DONE must be atomic */
-	for (flags = ACCESS_ONCE(tty->flags);
-	     test_bit(TTY_OTHER_CLOSED, &flags);
-	     ) {
-		old = flags;
-		__set_bit(TTY_OTHER_DONE, &flags);
-		flags = cmpxchg(&tty->flags, old, flags);
-		if (old == flags) {
-			wake_up_interruptible(&tty->read_wait);
-			break;
-		}
-	}
-}
-
 /**
  *	tty_buffer_lock_exclusive	-	gain exclusive access to buffer
  *	tty_buffer_unlock_exclusive	-	release exclusive access
@@ -251,8 +228,6 @@ void tty_buffer_flush(struct tty_struct *tty, struct tty_ldisc *ld)
 	if (ld && ld->ops->flush_buffer)
 		ld->ops->flush_buffer(tty);
 
-	check_other_closed(tty);
-
 	atomic_dec(&buf->priority);
 	mutex_unlock(&buf->lock);
 }
@@ -496,10 +471,8 @@ static void flush_to_ldisc(struct work_struct *work)
 		smp_rmb();
 		count = head->commit - head->read;
 		if (!count) {
-			if (next == NULL) {
-				check_other_closed(tty);
+			if (next == NULL)
 				break;
-			}
 			buf->head = next;
 			tty_buffer_free(port, head);
 			continue;
@@ -587,3 +560,8 @@ bool tty_buffer_cancel_work(struct tty_port *port)
 {
 	return cancel_work_sync(&port->buf.work);
 }
+
+void tty_buffer_flush_work(struct tty_port *port)
+{
+	flush_work(&port->buf.work);
+}
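Review bot: tty_buffer_flush_work() returns void and drops the result of flush_work(), while the neighbouring tty_buffer_cancel_work() wrapper returns bool. Either return the bool for consistency or note why it is not needed, and add kernel-doc saying the call waits for the buffer work to finish and may therefore sleep.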
diff --git a/include/linux/tty.h b/include/linux/tty.h
index 223d905..d28c904 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -339,7 +339,6 @@ struct tty_file_private {
 #define TTY_EXCLUSIVE 		3	/* Exclusive open mode */
 #define TTY_DEBUG 		4	/* Debugging */
 #define TTY_DO_WRITE_WAKEUP 	5	/* Call write_wakeup after queuing new */
-#define TTY_OTHER_DONE		6	/* Closed pty has completed input processing */
 #define TTY_LDISC_OPEN	 	11	/* Line discipline is open */
 #define TTY_PTY_LOCK 		16	/* pty private */
 #define TTY_NO_WRITE_SPLIT 	17	/* Preserve write boundaries to driver */
@@ -469,6 +468,7 @@ extern void tty_buffer_init(struct tty_port *port);
 extern void tty_buffer_set_lock_subclass(struct tty_port *port);
 extern bool tty_buffer_restart_work(struct tty_port *port);
 extern bool tty_buffer_cancel_work(struct tty_port *port);
+extern void tty_buffer_flush_work(struct tty_port *port);
 extern speed_t tty_termios_baud_rate(struct ktermios *termios);
 extern speed_t tty_termios_input_baud_rate(struct ktermios *termios);
 extern void tty_termios_encode_baud_rate(struct ktermios *termios,
-- 
2.7.4


* [PATCH 4.2.y-ckt 051/206] QE-UART: add "fsl,t1040-ucc-uart" to of_device_id
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (49 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 050/206] Fix OpenSSH pty regression on close Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 052/206] thunderbolt: Fix double free of drom buffer Kamal Mostafa
                   ` (154 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Zhao Qiang, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Zhao Qiang <qiang.zhao@nxp.com>

commit 11ca2b7ab432eb90906168c327733575e68d388f upstream.

New bindings use "fsl,t1040-ucc-uart" as the compatible for qe-uart.
So add it.

Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/tty/serial/ucc_uart.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/tty/serial/ucc_uart.c b/drivers/tty/serial/ucc_uart.c
index 7d2532b..100c241 100644
--- a/drivers/tty/serial/ucc_uart.c
+++ b/drivers/tty/serial/ucc_uart.c
@@ -1478,6 +1478,9 @@ static const struct of_device_id ucc_uart_match[] = {
 		.type = "serial",
 		.compatible = "ucc_uart",
 	},
+	{
+		.compatible = "fsl,t1040-ucc-uart",
+	},
 	{},
 };
 MODULE_DEVICE_TABLE(of, ucc_uart_match);
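
Review bot: the new ucc_uart_match[] entry sets only .compatible, while the existing "ucc_uart" entry just above it also sets .type = "serial", so the new binding matches on the compatible string alone. If that is intended because the new bindings carry no device_type, say so in the commit message; otherwise add the .type line to keep the two entries consistent.
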
-- 
2.7.4


* [PATCH 4.2.y-ckt 052/206] thunderbolt: Fix double free of drom buffer
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (50 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 051/206] QE-UART: add "fsl,t1040-ucc-uart" to of_device_id Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 053/206] USB: serial: option: add support for Cinterion PH8 and AHxx Kamal Mostafa
                   ` (153 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Andreas Noever, Bjorn Helgaas, Lukas Wunner, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Andreas Noever <andreas.noever@gmail.com>

commit 2ffa9a5d76a75abbc1f95c17959fced666095bdd upstream.

If tb_drom_read() fails, sw->drom is freed but not set to NULL.  sw->drom
is then freed again in the error path of tb_switch_alloc().

The bug can be triggered by unplugging a thunderbolt device shortly after
it is detected by the thunderbolt driver.

Clear sw->drom if tb_drom_read() fails.

[bhelgaas: add Fixes:, stable versions of interest]
Fixes: 343fcb8c70d7 ("thunderbolt: Fix nontrivial endpoint devices.")
Signed-off-by: Andreas Noever <andreas.noever@gmail.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
CC: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/thunderbolt/eeprom.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/thunderbolt/eeprom.c b/drivers/thunderbolt/eeprom.c
index 0dde34e..545c60c 100644
--- a/drivers/thunderbolt/eeprom.c
+++ b/drivers/thunderbolt/eeprom.c
@@ -444,6 +444,7 @@ int tb_drom_read(struct tb_switch *sw)
 	return tb_drom_parse_entries(sw);
 err:
 	kfree(sw->drom);
+	sw->drom = NULL;
 	return -EIO;
 
 }
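
Review bot: the added "sw->drom = NULL;" in the err: path has no comment explaining why it is needed, and on its own it reads like a dead store that a later cleanup could remove. A one-line comment stating that the caller's error path (tb_switch_alloc(), per the commit message) also calls kfree() on sw->drom would keep the double free from being reintroduced. The fix itself is sound: kfree(NULL) is a no-op, so the second free becomes harmless.
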
-- 
2.7.4


* [PATCH 4.2.y-ckt 053/206] USB: serial: option: add support for Cinterion PH8 and AHxx
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (51 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 052/206] thunderbolt: Fix double free of drom buffer Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 054/206] USB: leave LPM alone if possible when binding/unbinding interface drivers Kamal Mostafa
                   ` (152 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Hans-Christoph Schemmel, Johan Hovold, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Schemmel Hans-Christoph <Hans-Christoph.Schemmel@gemalto.com>

commit 444f94e9e625f6ec6bbe2cb232a6451c637f35a3 upstream.

Added support for Gemalto's Cinterion PH8 and AHxx products
with 2 RmNet Interfaces and products with 1 RmNet + 1 USB Audio interface.

In addition some minor renaming and formatting.

Signed-off-by: Hans-Christoph Schemmel <hans-christoph.schemmel@gemalto.com>
[johan: sort current entries and trim trailing whitespace ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/serial/option.c | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 94e520d..6bed9a4 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -378,18 +378,22 @@ static void option_instat_callback(struct urb *urb);
 #define HAIER_PRODUCT_CE81B			0x10f8
 #define HAIER_PRODUCT_CE100			0x2009
 
-/* Cinterion (formerly Siemens) products */
-#define SIEMENS_VENDOR_ID				0x0681
-#define CINTERION_VENDOR_ID				0x1e2d
+/* Gemalto's Cinterion products (formerly Siemens) */
+#define SIEMENS_VENDOR_ID			0x0681
+#define CINTERION_VENDOR_ID			0x1e2d
+#define CINTERION_PRODUCT_HC25_MDMNET		0x0040
 #define CINTERION_PRODUCT_HC25_MDM		0x0047
-#define CINTERION_PRODUCT_HC25_MDMNET	0x0040
+#define CINTERION_PRODUCT_HC28_MDMNET		0x004A /* same for HC28J */
 #define CINTERION_PRODUCT_HC28_MDM		0x004C
-#define CINTERION_PRODUCT_HC28_MDMNET	0x004A /* same for HC28J */
 #define CINTERION_PRODUCT_EU3_E			0x0051
 #define CINTERION_PRODUCT_EU3_P			0x0052
 #define CINTERION_PRODUCT_PH8			0x0053
 #define CINTERION_PRODUCT_AHXX			0x0055
 #define CINTERION_PRODUCT_PLXX			0x0060
+#define CINTERION_PRODUCT_PH8_2RMNET		0x0082
+#define CINTERION_PRODUCT_PH8_AUDIO		0x0083
+#define CINTERION_PRODUCT_AHXX_2RMNET		0x0084
+#define CINTERION_PRODUCT_AHXX_AUDIO		0x0085
 
 /* Olivetti products */
 #define OLIVETTI_VENDOR_ID			0x0b3c
@@ -641,6 +645,10 @@ static const struct option_blacklist_info telit_le922_blacklist_usbcfg3 = {
 	.reserved = BIT(1) | BIT(2) | BIT(3),
 };
 
+static const struct option_blacklist_info cinterion_rmnet2_blacklist = {
+	.reserved = BIT(4) | BIT(5),
+};
+
 static const struct usb_device_id option_ids[] = {
 	{ USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) },
 	{ USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_RICOLA) },
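
Review bot: cinterion_rmnet2_blacklist reserves BIT(4) | BIT(5) with no comment saying which interfaces those are. The commit message mentions products with 2 RmNet interfaces, so a short comment on the struct stating that interfaces 4 and 5 are the RmNet ones left for the network driver would make the mask reviewable without the device's descriptor dump.
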
@@ -1724,7 +1732,13 @@ static const struct usb_device_id option_ids[] = {
 	{ USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX, 0xff) },
 	{ USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PLXX),
 		.driver_info = (kernel_ulong_t)&net_intf4_blacklist },
-	{ USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) }, 
+	{ USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8_2RMNET, 0xff),
+		.driver_info = (kernel_ulong_t)&cinterion_rmnet2_blacklist },
+	{ USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8_AUDIO, 0xff),
+		.driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+	{ USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX_2RMNET, 0xff) },
+	{ USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX_AUDIO, 0xff) },
+	{ USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) },
 	{ USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDMNET) },
 	{ USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC25_MDM) },
 	{ USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC25_MDMNET) },
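
Review bot: the PH8 and AHxx entries are treated differently here and the commit message does not say why. CINTERION_PRODUCT_PH8_2RMNET gets cinterion_rmnet2_blacklist and CINTERION_PRODUCT_PH8_AUDIO gets net_intf4_blacklist, but CINTERION_PRODUCT_AHXX_2RMNET and CINTERION_PRODUCT_AHXX_AUDIO have no .driver_info at all. If the AHxx network interfaces are excluded by the 0xff interface-class match alone, please state that in the commit message or a comment; otherwise option could bind to an RmNet interface on those products.
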
-- 
2.7.4


* [PATCH 4.2.y-ckt 054/206] USB: leave LPM alone if possible when binding/unbinding interface drivers
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (52 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 053/206] USB: serial: option: add support for Cinterion PH8 and AHxx Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 055/206] usb: misc: usbtest: format the data pattern according to max packet size Kamal Mostafa
                   ` (151 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Alan Stern, Mathias Nyman, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit 6fb650d43da3e7054984dc548eaa88765a94d49f upstream.

When a USB driver is bound to an interface (either through probing or
by claiming it) or is unbound from an interface, the USB core always
disables Link Power Management during the transition and then
re-enables it afterward.  The reason is because the driver might want
to prevent hub-initiated link power transitions, in which case the HCD
would have to recalculate the various LPM parameters.  This
recalculation takes place when LPM is re-enabled and the new
parameters are sent to the device and its parent hub.

However, if the driver does not want to prevent hub-initiated link
power transitions then none of this work is necessary.  The parameters
don't need to be recalculated, and LPM doesn't need to be disabled and
re-enabled.

It turns out that disabling and enabling LPM can be time-consuming,
enough so that it interferes with user programs that want to claim and
release interfaces rapidly via usbfs.  Since the usbfs kernel driver
doesn't set the disable_hub_initiated_lpm flag, we can speed things up
and get the user programs to work by leaving LPM alone whenever the
flag isn't set.

And while we're improving the way disable_hub_initiated_lpm gets used,
let's also fix its kerneldoc.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Matthew Giassa <matthew@giassa.net>
CC: Mathias Nyman <mathias.nyman@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/core/driver.c | 40 +++++++++++++++++++++++-----------------
 include/linux/usb.h       |  2 +-
 2 files changed, 24 insertions(+), 18 deletions(-)

diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
index 7792c0e..68323c2 100644
--- a/drivers/usb/core/driver.c
+++ b/drivers/usb/core/driver.c
@@ -283,7 +283,7 @@ static int usb_probe_interface(struct device *dev)
 	struct usb_device *udev = interface_to_usbdev(intf);
 	const struct usb_device_id *id;
 	int error = -ENODEV;
-	int lpm_disable_error;
+	int lpm_disable_error = -ENODEV;
 
 	dev_dbg(dev, "%s\n", __func__);
 
@@ -331,12 +331,14 @@ static int usb_probe_interface(struct device *dev)
 	 * setting during probe, that should also be fine.  usb_set_interface()
 	 * will attempt to disable LPM, and fail if it can't disable it.
 	 */
-	lpm_disable_error = usb_unlocked_disable_lpm(udev);
-	if (lpm_disable_error && driver->disable_hub_initiated_lpm) {
-		dev_err(&intf->dev, "%s Failed to disable LPM for driver %s\n.",
-				__func__, driver->name);
-		error = lpm_disable_error;
-		goto err;
+	if (driver->disable_hub_initiated_lpm) {
+		lpm_disable_error = usb_unlocked_disable_lpm(udev);
+		if (lpm_disable_error) {
+			dev_err(&intf->dev, "%s Failed to disable LPM for driver %s\n.",
+					__func__, driver->name);
+			error = lpm_disable_error;
+			goto err;
+		}
 	}
 
 	/* Carry out a deferred switch to altsetting 0 */
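
Review bot: the dev_err() format string in the re-indented block of usb_probe_interface() still ends in "\n." so the period is emitted after the newline and lands at the start of the next log line. Since these lines are being rewritten anyway, this is the place to change it to end in ".\n" or to drop the period; the same string is carried over in usb_driver_claim_interface() later in this patch.
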
@@ -386,7 +388,8 @@ static int usb_unbind_interface(struct device *dev)
 	struct usb_interface *intf = to_usb_interface(dev);
 	struct usb_host_endpoint *ep, **eps = NULL;
 	struct usb_device *udev;
-	int i, j, error, r, lpm_disable_error;
+	int i, j, error, r;
+	int lpm_disable_error = -ENODEV;
 
 	intf->condition = USB_INTERFACE_UNBINDING;
 
@@ -394,12 +397,13 @@ static int usb_unbind_interface(struct device *dev)
 	udev = interface_to_usbdev(intf);
 	error = usb_autoresume_device(udev);
 
-	/* Hub-initiated LPM policy may change, so attempt to disable LPM until
+	/* If hub-initiated LPM policy may change, attempt to disable LPM until
 	 * the driver is unbound.  If LPM isn't disabled, that's fine because it
 	 * wouldn't be enabled unless all the bound interfaces supported
 	 * hub-initiated LPM.
 	 */
-	lpm_disable_error = usb_unlocked_disable_lpm(udev);
+	if (driver->disable_hub_initiated_lpm)
+		lpm_disable_error = usb_unlocked_disable_lpm(udev);
 
 	/*
 	 * Terminate all URBs for this interface unless the driver
@@ -502,7 +506,7 @@ int usb_driver_claim_interface(struct usb_driver *driver,
 	struct device *dev;
 	struct usb_device *udev;
 	int retval = 0;
-	int lpm_disable_error;
+	int lpm_disable_error = -ENODEV;
 
 	if (!iface)
 		return -ENODEV;
@@ -519,12 +523,14 @@ int usb_driver_claim_interface(struct usb_driver *driver,
 
 	iface->condition = USB_INTERFACE_BOUND;
 
-	/* Disable LPM until this driver is bound. */
-	lpm_disable_error = usb_unlocked_disable_lpm(udev);
-	if (lpm_disable_error && driver->disable_hub_initiated_lpm) {
-		dev_err(&iface->dev, "%s Failed to disable LPM for driver %s\n.",
-				__func__, driver->name);
-		return -ENOMEM;
+	/* See the comment about disabling LPM in usb_probe_interface(). */
+	if (driver->disable_hub_initiated_lpm) {
+		lpm_disable_error = usb_unlocked_disable_lpm(udev);
+		if (lpm_disable_error) {
+			dev_err(&iface->dev, "%s Failed to disable LPM for driver %s\n.",
+					__func__, driver->name);
+			return -ENOMEM;
+		}
 	}
 
 	/* Claimed interfaces are initially inactive (suspended) and
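
Review bot: the failure branch in usb_driver_claim_interface() returns a hard-coded -ENOMEM and throws away lpm_disable_error, whereas usb_probe_interface() in this same patch propagates the real code with "error = lpm_disable_error;". Returning lpm_disable_error here would keep the two paths consistent and give callers the actual cause. Note also that this early return comes after "iface->condition = USB_INTERFACE_BOUND;" in the context above, so on failure the interface is left marked as bound; the error path should undo that.
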
diff --git a/include/linux/usb.h b/include/linux/usb.h
index 95e98d3..cb79359 100644
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -1059,7 +1059,7 @@ struct usbdrv_wrap {
  *	for interfaces bound to this driver.
  * @soft_unbind: if set to 1, the USB core will not kill URBs and disable
  *	endpoints before calling the driver's disconnect method.
- * @disable_hub_initiated_lpm: if set to 0, the USB core will not allow hubs
+ * @disable_hub_initiated_lpm: if set to 1, the USB core will not allow hubs
  *	to initiate lower power link state transitions when an idle timeout
  *	occurs.  Device-initiated USB 3.0 link PM will still be allowed.
  *
-- 
2.7.4


* [PATCH 4.2.y-ckt 055/206] usb: misc: usbtest: format the data pattern according to max packet size
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (53 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 054/206] USB: leave LPM alone if possible when binding/unbinding interface drivers Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 056/206] usb: misc: usbtest: fix pattern tests for scatterlists Kamal Mostafa
                   ` (150 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Peter Chen, Alan Stern, Felipe Balbi, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit b9a6e8e1001e28fecbd74c073f5503dac2790563 upstream.

With this change, the host and gadget don't need to agree on the transfer
length for comparing the data, since they don't know each other's
transfer size, but know the max packet size.

Signed-off-by: Peter Chen <peter.chen@freescale.com>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
(Fixed the 'line over 80 characters warning' by Peter Chen)
Tested-by: Peter Chen <peter.chen@freescale.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Felipe Balbi <balbi@ti.com>

Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/misc/usbtest.c | 35 ++++++++++++++++++++++++++---------
 1 file changed, 26 insertions(+), 9 deletions(-)

diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
index 0bbafe7..46bb062 100644
--- a/drivers/usb/misc/usbtest.c
+++ b/drivers/usb/misc/usbtest.c
@@ -303,11 +303,20 @@ static unsigned mod_pattern;
 module_param_named(pattern, mod_pattern, uint, S_IRUGO | S_IWUSR);
 MODULE_PARM_DESC(mod_pattern, "i/o pattern (0 == zeroes)");
 
-static inline void simple_fill_buf(struct urb *urb)
+static unsigned get_maxpacket(struct usb_device *udev, int pipe)
+{
+	struct usb_host_endpoint	*ep;
+
+	ep = usb_pipe_endpoint(udev, pipe);
+	return le16_to_cpup(&ep->desc.wMaxPacketSize);
+}
+
+static void simple_fill_buf(struct urb *urb)
 {
 	unsigned	i;
 	u8		*buf = urb->transfer_buffer;
 	unsigned	len = urb->transfer_buffer_length;
+	unsigned	maxpacket;
 
 	switch (pattern) {
 	default:
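
Review bot: get_maxpacket() dereferences the result of usb_pipe_endpoint() without a NULL check, in "return le16_to_cpup(&ep->desc.wMaxPacketSize);". usb_pipe_endpoint() returns NULL when the device has no endpoint for that pipe, so a pipe that does not match the current altsetting would oops here. Please check ep and return an error or a safe default, and have the callers handle it.
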
@@ -316,8 +325,9 @@ static inline void simple_fill_buf(struct urb *urb)
 		memset(buf, 0, len);
 		break;
 	case 1:			/* mod63 */
+		maxpacket = get_maxpacket(urb->dev, urb->pipe);
 		for (i = 0; i < len; i++)
-			*buf++ = (u8) (i % 63);
+			*buf++ = (u8) ((i % maxpacket) % 63);
 		break;
 	}
 }
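
Review bot: "(i % maxpacket) % 63" in simple_fill_buf() divides by a value read straight from the endpoint descriptor, and nothing in this hunk guards against maxpacket being 0. A device that reports wMaxPacketSize of 0 would turn this into a divide-by-zero in the kernel. Please reject or clamp a zero maxpacket before the loop; the same expression is added in simple_check_buf() and alloc_sglist() and needs the same guard.
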
@@ -349,6 +359,7 @@ static int simple_check_buf(struct usbtest_dev *tdev, struct urb *urb)
 	u8		expected;
 	u8		*buf = urb->transfer_buffer;
 	unsigned	len = urb->actual_length;
+	unsigned	maxpacket = get_maxpacket(urb->dev, urb->pipe);
 
 	int ret = check_guard_bytes(tdev, urb);
 	if (ret)
@@ -366,7 +377,7 @@ static int simple_check_buf(struct usbtest_dev *tdev, struct urb *urb)
 		 * with set_interface or set_config.
 		 */
 		case 1:			/* mod63 */
-			expected = i % 63;
+			expected = (i % maxpacket) % 63;
 			break;
 		/* always fail unsupported patterns */
 		default:
@@ -478,11 +489,13 @@ static void free_sglist(struct scatterlist *sg, int nents)
 }
 
 static struct scatterlist *
-alloc_sglist(int nents, int max, int vary)
+alloc_sglist(int nents, int max, int vary, struct usbtest_dev *dev, int pipe)
 {
 	struct scatterlist	*sg;
 	unsigned		i;
 	unsigned		size = max;
+	unsigned		maxpacket =
+		get_maxpacket(interface_to_usbdev(dev->intf), pipe);
 
 	if (max == 0)
 		return NULL;
@@ -511,7 +524,7 @@ alloc_sglist(int nents, int max, int vary)
 			break;
 		case 1:
 			for (j = 0; j < size; j++)
-				*buf++ = (u8) (j % 63);
+				*buf++ = (u8) ((j % maxpacket) % 63);
 			break;
 		}
 
@@ -2175,7 +2188,8 @@ usbtest_ioctl(struct usb_interface *intf, unsigned int code, void *buf)
 			"TEST 5:  write %d sglists %d entries of %d bytes\n",
 				param->iterations,
 				param->sglen, param->length);
-		sg = alloc_sglist(param->sglen, param->length, 0);
+		sg = alloc_sglist(param->sglen, param->length,
+				0, dev, dev->out_pipe);
 		if (!sg) {
 			retval = -ENOMEM;
 			break;
@@ -2193,7 +2207,8 @@ usbtest_ioctl(struct usb_interface *intf, unsigned int code, void *buf)
 			"TEST 6:  read %d sglists %d entries of %d bytes\n",
 				param->iterations,
 				param->sglen, param->length);
-		sg = alloc_sglist(param->sglen, param->length, 0);
+		sg = alloc_sglist(param->sglen, param->length,
+				0, dev, dev->in_pipe);
 		if (!sg) {
 			retval = -ENOMEM;
 			break;
@@ -2210,7 +2225,8 @@ usbtest_ioctl(struct usb_interface *intf, unsigned int code, void *buf)
 			"TEST 7:  write/%d %d sglists %d entries 0..%d bytes\n",
 				param->vary, param->iterations,
 				param->sglen, param->length);
-		sg = alloc_sglist(param->sglen, param->length, param->vary);
+		sg = alloc_sglist(param->sglen, param->length,
+				param->vary, dev, dev->out_pipe);
 		if (!sg) {
 			retval = -ENOMEM;
 			break;
@@ -2227,7 +2243,8 @@ usbtest_ioctl(struct usb_interface *intf, unsigned int code, void *buf)
 			"TEST 8:  read/%d %d sglists %d entries 0..%d bytes\n",
 				param->vary, param->iterations,
 				param->sglen, param->length);
-		sg = alloc_sglist(param->sglen, param->length, param->vary);
+		sg = alloc_sglist(param->sglen, param->length,
+				param->vary, dev, dev->in_pipe);
 		if (!sg) {
 			retval = -ENOMEM;
 			break;
-- 
2.7.4


* [PATCH 4.2.y-ckt 056/206] usb: misc: usbtest: fix pattern tests for scatterlists.
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (54 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 055/206] usb: misc: usbtest: format the data pattern according to max packet size Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 057/206] mcb: Fixed bar number assignment for the gdd Kamal Mostafa
                   ` (149 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Mathias Nyman, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit cdc77c82a8286b1181b81b6e5ef60c8e83ded7bc upstream.

The current implementation restarts the sent pattern for each entry in
the sg list. The receiving end expects a continuous pattern, and the test
will fail unless scatterlist entries happen to be aligned with the
pattern.

Fix this by calculating the pattern byte based on total sent size
instead of just the current sg entry.

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Fixes: 8b5249019352 ("[PATCH] USB: usbtest: scatterlist OUT data pattern testing")
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/misc/usbtest.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
index 46bb062..bbddc44 100644
--- a/drivers/usb/misc/usbtest.c
+++ b/drivers/usb/misc/usbtest.c
@@ -492,6 +492,7 @@ static struct scatterlist *
 alloc_sglist(int nents, int max, int vary, struct usbtest_dev *dev, int pipe)
 {
 	struct scatterlist	*sg;
+	unsigned int		n_size = 0;
 	unsigned		i;
 	unsigned		size = max;
 	unsigned		maxpacket =
@@ -524,7 +525,8 @@ alloc_sglist(int nents, int max, int vary, struct usbtest_dev *dev, int pipe)
 			break;
 		case 1:
 			for (j = 0; j < size; j++)
-				*buf++ = (u8) ((j % maxpacket) % 63);
+				*buf++ = (u8) (((j + n_size) % maxpacket) % 63);
+			n_size += size;
 			break;
 		}
 
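
Review bot: n_size in "*buf++ = (u8) (((j + n_size) % maxpacket) % 63);" is the running byte offset across all sg entries filled so far, but neither the name nor a comment says so. A name such as total_len or offset, plus a one-line comment at "n_size += size;" explaining that the pattern must continue across entry boundaries, would make the fix self-explanatory. The declaration in the first hunk also uses "unsigned int" next to neighbours declared as plain "unsigned"; pick one for consistency.
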
-- 
2.7.4


* [PATCH 4.2.y-ckt 057/206] mcb: Fixed bar number assignment for the gdd
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (55 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 056/206] usb: misc: usbtest: fix pattern tests for scatterlists Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 058/206] USB: serial: option: add more ZTE device ids Kamal Mostafa
                   ` (148 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Andreas Werner, Johannes Thumshirn, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Andreas Werner <andreas.werner@men.de>

commit f75564d343010b025301d9548f2304f48eb25f01 upstream.

The bar number is found in reg2 within the gdd. Therefore
we need to change the assignment from reg1 to reg2 which
is the correct location.

Signed-off-by: Andreas Werner <andreas.werner@men.de>
Fixes: '3764e82e5' drivers: Introduce MEN Chameleon Bus
Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/mcb/mcb-parse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mcb/mcb-parse.c b/drivers/mcb/mcb-parse.c
index 0049269..b0155b0 100644
--- a/drivers/mcb/mcb-parse.c
+++ b/drivers/mcb/mcb-parse.c
@@ -57,7 +57,7 @@ static int chameleon_parse_gdd(struct mcb_bus *bus,
 	mdev->id = GDD_DEV(reg1);
 	mdev->rev = GDD_REV(reg1);
 	mdev->var = GDD_VAR(reg1);
-	mdev->bar = GDD_BAR(reg1);
+	mdev->bar = GDD_BAR(reg2);
 	mdev->group = GDD_GRP(reg2);
 	mdev->inst = GDD_INS(reg2);
 
-- 
2.7.4


* [PATCH 4.2.y-ckt 058/206] USB: serial: option: add more ZTE device ids
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (56 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 057/206] mcb: Fixed bar number assignment for the gdd Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 059/206] USB: serial: option: add even " Kamal Mostafa
                   ` (147 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: lei liu, Greg Kroah-Hartman, Johan Hovold, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: lei liu <liu.lei78@zte.com.cn>

commit f0d09463c59c2d764a6c6d492cbe6d2c77f27153 upstream.

More ZTE device ids.

Signed-off-by: lei liu <liu.lei78@zte.com.cn>
[properly sort them - gregkh]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/serial/option.c | 75 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 74 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 6bed9a4..21cac3f 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1622,7 +1622,79 @@ static const struct usb_device_id option_ids[] = {
 		.driver_info = (kernel_ulong_t)&net_intf3_blacklist },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0178, 0xff, 0xff, 0xff),
 		.driver_info = (kernel_ulong_t)&net_intf3_blacklist },
-	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffe9, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff42, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff43, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff44, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff45, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff46, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff47, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff48, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff49, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff4a, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff4b, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff4c, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff4d, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff4e, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff4f, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff50, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff51, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff52, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff53, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff54, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff55, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff56, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff57, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff58, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff59, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff5a, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff5b, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff5c, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff5d, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff5e, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff5f, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff60, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff61, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff62, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff63, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff64, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff65, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff66, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff67, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff68, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff69, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff6a, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff6b, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff6c, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff6d, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff6e, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff6f, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff70, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff71, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff72, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff73, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff74, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff75, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff76, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff77, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff78, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff79, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff7a, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff7b, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff7c, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff7d, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff7e, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff7f, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff80, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff81, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff82, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff83, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff84, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff85, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff86, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff87, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff88, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff89, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff8a, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff8b, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff8c, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff8d, 0xff, 0xff, 0xff) },
@@ -1633,6 +1705,7 @@ static const struct usb_device_id option_ids[] = {
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff92, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff93, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff94, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffe9, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffec, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffee, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xfff6, 0xff, 0xff, 0xff) },
-- 
2.7.4

* [PATCH 4.2.y-ckt 059/206] USB: serial: option: add even more ZTE device ids
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (57 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 058/206] USB: serial: option: add more ZTE device ids Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 060/206] ACPI / osi: Fix an issue that acpi_osi=!* cannot disable ACPICA internal strings Kamal Mostafa
                   ` (146 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: lei liu, Johan Hovold, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Lei Liu <lei35151@163.com>

commit 74d2a91aec97ab832790c9398d320413ad185321 upstream.

Add even more ZTE device ids.

Signed-off-by: lei liu <liu.lei78@zte.com.cn>
[johan: rebase and replace commit message ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/serial/option.c | 54 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 21cac3f..f00919d 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1705,6 +1705,60 @@ static const struct usb_device_id option_ids[] = {
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff92, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff93, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff94, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff9f, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa0, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa1, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa2, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa3, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa4, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa5, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa6, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa7, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa8, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa9, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffaa, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffab, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffac, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffae, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffaf, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb0, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb1, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb2, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb3, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb4, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb5, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb6, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb7, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb8, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb9, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffba, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffbb, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffbc, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffbd, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffbe, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffbf, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc0, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc1, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc2, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc3, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc4, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc5, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc6, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc7, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc8, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc9, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffca, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffcb, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffcc, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffcd, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffce, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffcf, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffd0, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffd1, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffd2, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffd3, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffd4, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffd5, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffe9, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffec, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffee, 0xff, 0xff, 0xff) },
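Review bot: 0xffad is missing from an otherwise contiguous run; the added block goes from 0xffac straight to 0xffae. If that product id is deliberately left out (not a modem interface, or claimed by another driver), say so in the commit message; if it was dropped by accident, add it. "Add even more ZTE device ids" also gives a reviewer nothing to check the 54 entries against, so a reference to the device list they were taken from would help.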
-- 
2.7.4

* [PATCH 4.2.y-ckt 060/206] ACPI / osi: Fix an issue that acpi_osi=!* cannot disable ACPICA internal strings
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (58 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 059/206] USB: serial: option: add even " Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 061/206] drm/amdgpu: use drm_mode_vrefresh() rather than mode->vrefresh Kamal Mostafa
                   ` (145 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Lv Zheng, Rafael J . Wysocki, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Lv Zheng <lv.zheng@intel.com>

commit 30c9bb0d7603e7b3f4d6a0ea231e1cddae020c32 upstream.

The order of the _OSI related functionalities is as follows:

  acpi_blacklisted()
    acpi_dmi_osi_linux()
      acpi_osi_setup()
    acpi_osi_setup()
      acpi_update_interfaces() if "!*"
      <<<<<<<<<<<<<<<<<<<<<<<<
  parse_args()
    __setup("acpi_osi=")
      acpi_osi_setup_linux()
        acpi_update_interfaces() if "!*"
        <<<<<<<<<<<<<<<<<<<<<<<<
  acpi_early_init()
    acpi_initialize_subsystem()
      acpi_ut_initialize_interfaces()
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  acpi_bus_init()
    acpi_os_initialize1()
      acpi_install_interface_handler(acpi_osi_handler)
      acpi_osi_setup_late()
        acpi_update_interfaces() for "!"
        >>>>>>>>>>>>>>>>>>>>>>>>
  acpi_osi_handler()

Since acpi_osi_setup_linux() can override acpi_dmi_osi_linux(), the command
line setting can override the DMI detection. That's why acpi_blacklisted()
is put before __setup("acpi_osi=").

Then we can notice the following wrong invocation order. There are
acpi_update_interfaces() (marked by <<<<) calls invoked before
acpi_ut_initialize_interfaces() (marked by ^^^^). This makes it impossible
to use acpi_osi=!* correctly from OSI DMI table or from the command line.
The use of acpi_osi=!* is meant to disable both ACPICA
(acpi_gbl_supported_interfaces) and Linux specific strings
(osi_setup_entries) while the ACPICA part should have stopped working
because of the order issue.

This patch fixes this issue by moving acpi_update_interfaces() to where
it is invoked for acpi_osi=! (marked by >>>>) as this is ensured to be
invoked after acpi_ut_initialize_interfaces() (marked by ^^^^). Linux
specific strings are still handled in the original place in order to make
the following command line working: acpi_osi=!* acpi_osi="Module Device".

Note that since acpi_osi=!* is meant to further disable linux specific
string comparing to the acpi_osi=!, there is no such use case in our bug
fixing work and hence there is no one using acpi_osi=!* either from the
command line or from the DMI quirks, this issue is just a theoretical
issue.

Fixes: 741d81280ad2 (ACPI: Add facility to remove all _OSI strings)
Tested-by: Lukas Wunner <lukas@wunner.de>
Tested-by: Chen Yu <yu.c.chen@intel.com>
Signed-off-by: Lv Zheng <lv.zheng@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/acpi/osl.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index 9d5436f..111ec4a 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -139,7 +139,7 @@ static struct osi_linux {
 	unsigned int	enable:1;
 	unsigned int	dmi:1;
 	unsigned int	cmdline:1;
-	unsigned int	default_disabling:1;
+	u8		default_disabling;
 } osi_linux = {0, 0, 0, 0};
 
 static u32 acpi_osi_handler(acpi_string interface, u32 supported)
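Review bot: default_disabling in struct osi_linux stops being a one-bit flag and now carries an ACPI_DISABLE_* action code, but nothing at the declaration says so. A short comment on the field (0 = no default disabling, otherwise the action to pass to acpi_update_interfaces()) would document the contract that the later `if (osi_linux.default_disabling)` test relies on, namely that neither action code is 0.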
@@ -1473,10 +1473,13 @@ void __init acpi_osi_setup(char *str)
 	if (*str == '!') {
 		str++;
 		if (*str == '\0') {
-			osi_linux.default_disabling = 1;
+			/* Do not override acpi_osi=!* */
+			if (!osi_linux.default_disabling)
+				osi_linux.default_disabling =
+					ACPI_DISABLE_ALL_VENDOR_STRINGS;
 			return;
 		} else if (*str == '*') {
-			acpi_update_interfaces(ACPI_DISABLE_ALL_STRINGS);
+			osi_linux.default_disabling = ACPI_DISABLE_ALL_STRINGS;
 			for (i = 0; i < OSI_STRING_ENTRIES_MAX; i++) {
 				osi = &osi_setup_entries[i];
 				osi->enable = false;
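Review bot: precedence between the two forms is implemented asymmetrically in acpi_osi_setup(): the `!` branch refuses to overwrite any earlier value, while the `*` branch assigns ACPI_DISABLE_ALL_STRINGS unconditionally. The result (acpi_osi=!* wins regardless of order) matches the "Do not override acpi_osi=!*" comment, but the guard would state that intent more directly as a comparison against ACPI_DISABLE_ALL_STRINGS than as `if (!osi_linux.default_disabling)`.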
@@ -1549,10 +1552,13 @@ static void __init acpi_osi_setup_late(void)
 	acpi_status status;
 
 	if (osi_linux.default_disabling) {
-		status = acpi_update_interfaces(ACPI_DISABLE_ALL_VENDOR_STRINGS);
+		status = acpi_update_interfaces(osi_linux.default_disabling);
 
 		if (ACPI_SUCCESS(status))
-			printk(KERN_INFO PREFIX "Disabled all _OSI OS vendors\n");
+			printk(KERN_INFO PREFIX "Disabled all _OSI OS vendors%s\n",
+				osi_linux.default_disabling ==
+				ACPI_DISABLE_ALL_STRINGS ?
+				" and feature groups" : "");
 	}
 
 	for (i = 0; i < OSI_STRING_ENTRIES_MAX; i++) {
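Review bot: a failing acpi_update_interfaces() in acpi_osi_setup_late() stays silent, because the printk only covers ACPI_SUCCESS(status). Since this patch makes this call the only place where acpi_osi=!* disables the ACPICA strings, a failure here leaves them enabled with no trace in the log; an else branch that reports the failure would make that visible.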
-- 
2.7.4

* [PATCH 4.2.y-ckt 061/206] drm/amdgpu: use drm_mode_vrefresh() rather than mode->vrefresh
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (59 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 060/206] ACPI / osi: Fix an issue that acpi_osi=!* cannot disable ACPICA internal strings Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 062/206] USB: serial: cp210x: fix hardware flow-control disable Kamal Mostafa
                   ` (144 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Alex Deucher, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 6b8812eb004ee2b24aac8b1a711a0e8e797df3ce upstream.

This is a port of radeon commit:
3d2d98ee1af0cf6eebfbd6bff4c17d3601ac1284
drm/radeon: use drm_mode_vrefresh() rather than mode->vrefresh
to amdgpu.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_dpm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_dpm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_dpm.c
index 7b7f4ab..fe36caf 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dpm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dpm.c
@@ -150,7 +150,7 @@ u32 amdgpu_dpm_get_vrefresh(struct amdgpu_device *adev)
 		list_for_each_entry(crtc, &dev->mode_config.crtc_list, head) {
 			amdgpu_crtc = to_amdgpu_crtc(crtc);
 			if (crtc->enabled && amdgpu_crtc->enabled && amdgpu_crtc->hw_mode.clock) {
-				vrefresh = amdgpu_crtc->hw_mode.vrefresh;
+				vrefresh = drm_mode_vrefresh(&amdgpu_crtc->hw_mode);
 				break;
 			}
 		}
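Review bot: the commit message gives no reason for replacing the direct read of hw_mode.vrefresh in amdgpu_dpm_get_vrefresh(); it only names the radeon commit being ported. One sentence on what goes wrong when the field is read directly would let the stable backport be judged without looking up 3d2d98ee1af0.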
-- 
2.7.4

* [PATCH 4.2.y-ckt 062/206] USB: serial: cp210x: fix hardware flow-control disable
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (60 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 061/206] drm/amdgpu: use drm_mode_vrefresh() rather than mode->vrefresh Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 063/206] ext4: fix oops on corrupted filesystem Kamal Mostafa
                   ` (143 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Konstantin Shkolnyy, Johan Hovold, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Konstantin Shkolnyy <konstantin.shkolnyy@gmail.com>

commit a377f9e906af4df9071ba8ddba60188cb4013d93 upstream.

A bug in the CRTSCTS handling caused RTS to alternate between

CRTSCTS=0 => "RTS is transmit active signal" and
CRTSCTS=1 => "RTS is used for receive flow control"

instead of

CRTSCTS=0 => "RTS is statically active" and
CRTSCTS=1 => "RTS is used for receive flow control"

This only happened after first having enabled CRTSCTS.

Signed-off-by: Konstantin Shkolnyy <konstantin.shkolnyy@gmail.com>
Fixes: 39a66b8d22a3 ("[PATCH] USB: CP2101 Add support for flow control")
[johan: reword commit message ]
Signed-off-by: Johan Hovold <johan@kernel.org>
[ kamal: backport to 4.2-stable: context ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/serial/cp210x.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
index a2b43a6..c33dfff 100644
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -784,7 +784,7 @@ static void cp210x_set_termios(struct tty_struct *tty,
 		} else {
 			modem_ctl[0] &= ~0x7B;
 			modem_ctl[0] |= 0x01;
-			modem_ctl[1] |= 0x40;
+			modem_ctl[1] = 0x40;
 			dev_dbg(dev, "%s - flow control = NONE\n", __func__);
 		}
 
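Review bot: `modem_ctl[1] = 0x40` in the flow-control-NONE branch now overwrites the whole byte, while the two lines above it still mask and OR into modem_ctl[0]. A one-line comment saying the assignment deliberately clears the RTS mode bits left behind by an earlier CRTSCTS=1 would stop someone from "tidying" it back to `|=`; named constants for 0x7B, 0x01 and 0x40 would make the intended RTS mode readable as well.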
-- 
2.7.4

* [PATCH 4.2.y-ckt 063/206] ext4: fix oops on corrupted filesystem
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (61 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 062/206] USB: serial: cp210x: fix hardware flow-control disable Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 064/206] ext4: address UBSAN warning in mb_find_order_for_block() Kamal Mostafa
                   ` (142 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Jan Kara, Theodore Ts'o, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Jan Kara <jack@suse.cz>

commit 74177f55b70e2f2be770dd28684dd6d17106a4ba upstream.

When filesystem is corrupted in the right way, it can happen
ext4_mark_iloc_dirty() in ext4_orphan_add() returns error and we
subsequently remove inode from the in-memory orphan list. However this
deletion is done with list_del(&EXT4_I(inode)->i_orphan) and thus we
leave i_orphan list_head with a stale content. Later we can look at this
content causing list corruption, oops, or other issues. The reported
trace looked like:

WARNING: CPU: 0 PID: 46 at lib/list_debug.c:53 __list_del_entry+0x6b/0x100()
list_del corruption, 0000000061c1d6e0->next is LIST_POISON1
0000000000100100)
CPU: 0 PID: 46 Comm: ext4.exe Not tainted 4.1.0-rc4+ #250
Stack:
 60462947 62219960 602ede24 62219960
 602ede24 603ca293 622198f0 602f02eb
 62219950 6002c12c 62219900 601b4d6b
Call Trace:
 [<6005769c>] ? vprintk_emit+0x2dc/0x5c0
 [<602ede24>] ? printk+0x0/0x94
 [<600190bc>] show_stack+0xdc/0x1a0
 [<602ede24>] ? printk+0x0/0x94
 [<602ede24>] ? printk+0x0/0x94
 [<602f02eb>] dump_stack+0x2a/0x2c
 [<6002c12c>] warn_slowpath_common+0x9c/0xf0
 [<601b4d6b>] ? __list_del_entry+0x6b/0x100
 [<6002c254>] warn_slowpath_fmt+0x94/0xa0
 [<602f4d09>] ? __mutex_lock_slowpath+0x239/0x3a0
 [<6002c1c0>] ? warn_slowpath_fmt+0x0/0xa0
 [<60023ebf>] ? set_signals+0x3f/0x50
 [<600a205a>] ? kmem_cache_free+0x10a/0x180
 [<602f4e88>] ? mutex_lock+0x18/0x30
 [<601b4d6b>] __list_del_entry+0x6b/0x100
 [<601177ec>] ext4_orphan_del+0x22c/0x2f0
 [<6012f27c>] ? __ext4_journal_start_sb+0x2c/0xa0
 [<6010b973>] ? ext4_truncate+0x383/0x390
 [<6010bc8b>] ext4_write_begin+0x30b/0x4b0
 [<6001bb50>] ? copy_from_user+0x0/0xb0
 [<601aa840>] ? iov_iter_fault_in_readable+0xa0/0xc0
 [<60072c4f>] generic_perform_write+0xaf/0x1e0
 [<600c4166>] ? file_update_time+0x46/0x110
 [<60072f0f>] __generic_file_write_iter+0x18f/0x1b0
 [<6010030f>] ext4_file_write_iter+0x15f/0x470
 [<60094e10>] ? unlink_file_vma+0x0/0x70
 [<6009b180>] ? unlink_anon_vmas+0x0/0x260
 [<6008f169>] ? free_pgtables+0xb9/0x100
 [<600a6030>] __vfs_write+0xb0/0x130
 [<600a61d5>] vfs_write+0xa5/0x170
 [<600a63d6>] SyS_write+0x56/0xe0
 [<6029fcb0>] ? __libc_waitpid+0x0/0xa0
 [<6001b698>] handle_syscall+0x68/0x90
 [<6002633d>] userspace+0x4fd/0x600
 [<6002274f>] ? save_registers+0x1f/0x40
 [<60028bd7>] ? arch_prctl+0x177/0x1b0
 [<60017bd5>] fork_handler+0x85/0x90

Fix the problem by using list_del_init() as we always should with
i_orphan list.

Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/ext4/namei.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index 011dcfb..81fc2c6 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2805,7 +2805,7 @@ int ext4_orphan_add(handle_t *handle, struct inode *inode)
 			 * list entries can cause panics at unmount time.
 			 */
 			mutex_lock(&sbi->s_orphan_lock);
-			list_del(&EXT4_I(inode)->i_orphan);
+			list_del_init(&EXT4_I(inode)->i_orphan);
 			mutex_unlock(&sbi->s_orphan_lock);
 		}
 	}
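Review bot: the comment above this error path in ext4_orphan_add() still speaks only of panics at unmount time. With the switch to list_del_init() it should also say that i_orphan has to be left self-linked because ext4_orphan_del() can run on the same inode later, which is the path the __list_del_entry warning in the commit message came from.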
-- 
2.7.4
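
The difference between the two deletion helpers described in the ext4 message above, as an added userspace example (not kernel code and not part of the patch). The list helpers are a simplified model, and the later caller is assumed to test list_empty() before unlinking.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model of the kernel's circular doubly linked list. */
struct list_head {
	struct list_head *next, *prev;
};

/* Poison pointers; LIST_POISON1 is the value printed in the quoted warning. */
#define LIST_POISON1 ((struct list_head *)(uintptr_t)0x100100)
#define LIST_POISON2 ((struct list_head *)(uintptr_t)0x200200)

static void init_list_head(struct list_head *h)
{
	h->next = h;
	h->prev = h;
}

static int list_empty(const struct list_head *h)
{
	return h->next == h;
}

static void list_add(struct list_head *entry, struct list_head *head)
{
	entry->next = head->next;
	entry->prev = head;
	head->next->prev = entry;
	head->next = entry;
}

/* Unlink with the debug sanity check: -1 means "list_del corruption". */
static int checked_unlink(struct list_head *entry)
{
	if (entry->next == LIST_POISON1 || entry->prev == LIST_POISON2)
		return -1;
	entry->prev->next = entry->next;
	entry->next->prev = entry->prev;
	return 0;
}

/* list_del(): unlink, then poison the entry's own pointers. */
static int list_del(struct list_head *entry)
{
	int rc = checked_unlink(entry);

	if (rc == 0) {
		entry->next = LIST_POISON1;
		entry->prev = LIST_POISON2;
	}
	return rc;
}

/* list_del_init(): unlink, then leave the entry as a valid empty list. */
static int list_del_init(struct list_head *entry)
{
	int rc = checked_unlink(entry);

	if (rc == 0)
		init_list_head(entry);
	return rc;
}

/* Assumed shape of the later cleanup: skip entries that are not queued. */
static int later_orphan_del(struct list_head *i_orphan)
{
	if (list_empty(i_orphan))
		return 0;
	return list_del_init(i_orphan);
}

/*
 * Queue an entry, take the error path that removes it again, then run the
 * later cleanup. Returns 0 if the cleanup was a no-op, -1 if it tripped the
 * corruption check, -2 if the orphan list itself was left inconsistent.
 */
static int simulate_failed_orphan_add(int use_list_del_init)
{
	struct list_head orphan_list, i_orphan;

	init_list_head(&orphan_list);
	init_list_head(&i_orphan);
	list_add(&i_orphan, &orphan_list);

	if (use_list_del_init)
		list_del_init(&i_orphan);
	else
		list_del(&i_orphan);

	if (!list_empty(&orphan_list))
		return -2;
	return later_orphan_del(&i_orphan);
}

int main(void)
{
	printf("list_del then cleanup:      %d\n", simulate_failed_orphan_add(0));
	printf("list_del_init then cleanup: %d\n", simulate_failed_orphan_add(1));
	return 0;
}
```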

* [PATCH 4.2.y-ckt 064/206] ext4: address UBSAN warning in mb_find_order_for_block()
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (62 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 063/206] ext4: fix oops on corrupted filesystem Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 065/206] ext4: silence UBSAN in ext4_mb_init() Kamal Mostafa
                   ` (141 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Nicolai Stange, Theodore Ts'o, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Nicolai Stange <nicstange@gmail.com>

commit b5cb316cdf3a3f5f6125412b0f6065185240cfdc upstream.

Currently, in mb_find_order_for_block(), there's a loop like the following:

  while (order <= e4b->bd_blkbits + 1) {
    ...
    bb += 1 << (e4b->bd_blkbits - order);
  }

Note that the updated bb is used in the loop's next iteration only.

However, at the last iteration, that is at order == e4b->bd_blkbits + 1,
the shift count becomes negative (c.f. C99 6.5.7(3)) and UBSAN reports

  UBSAN: Undefined behaviour in fs/ext4/mballoc.c:1281:11
  shift exponent -1 is negative
  [...]
  Call Trace:
   [<ffffffff818c4d35>] dump_stack+0xbc/0x117
   [<ffffffff818c4c79>] ? _atomic_dec_and_lock+0x169/0x169
   [<ffffffff819411bb>] ubsan_epilogue+0xd/0x4e
   [<ffffffff81941cbc>] __ubsan_handle_shift_out_of_bounds+0x1fb/0x254
   [<ffffffff81941ac1>] ? __ubsan_handle_load_invalid_value+0x158/0x158
   [<ffffffff816e93a0>] ? ext4_mb_generate_from_pa+0x590/0x590
   [<ffffffff816502c8>] ? ext4_read_block_bitmap_nowait+0x598/0xe80
   [<ffffffff816e7b7e>] mb_find_order_for_block+0x1ce/0x240
   [...]

Unless compilers start to do some fancy transformations (which at least
GCC 6.0.0 doesn't currently do), the issue is of cosmetic nature only: the
such calculated value of bb is never used again.

Silence UBSAN by introducing another variable, bb_incr, holding the next
increment to apply to bb and adjust that one by right shifting it by one
position per loop iteration.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=114701
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=112161

Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/ext4/mballoc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 34b610e..d9f9361 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1252,6 +1252,7 @@ static void ext4_mb_unload_buddy(struct ext4_buddy *e4b)
 static int mb_find_order_for_block(struct ext4_buddy *e4b, int block)
 {
 	int order = 1;
+	int bb_incr = 1 << (e4b->bd_blkbits - 1);
 	void *bb;
 
 	BUG_ON(e4b->bd_bitmap == e4b->bd_buddy);
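Review bot: the new initializer `1 << (e4b->bd_blkbits - 1)` in mb_find_order_for_block() is itself a signed shift with a computed exponent, so it swaps the -1 exponent at the end of the loop for an unstated assumption that bd_blkbits is at least 1. Since the point of the patch is to remove an undefined shift, either note that precondition in a comment or make the literal and bb_incr unsigned (`1U <<`).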
@@ -1264,7 +1265,8 @@ static int mb_find_order_for_block(struct ext4_buddy *e4b, int block)
 			/* this block is part of buddy of order 'order' */
 			return order;
 		}
-		bb += 1 << (e4b->bd_blkbits - order);
+		bb += bb_incr;
+		bb_incr >>= 1;
 		order++;
 	}
 	return 0;
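Review bot: bb_incr and order now advance side by side in the loop body, but nothing records the invariant that links them. A comment at the top of the loop stating that bb_incr equals `1 << (e4b->bd_blkbits - order)` on entry to each iteration, and reaches 0 only after its last use, would keep a later reordering of `bb += bb_incr; bb_incr >>= 1; order++;` from silently changing the buddy offsets.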
-- 
2.7.4

* [PATCH 4.2.y-ckt 065/206] ext4: silence UBSAN in ext4_mb_init()
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (63 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 064/206] ext4: address UBSAN warning in mb_find_order_for_block() Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 066/206] arm64: Ensure pmd_present() returns false after pmd_mknotpresent() Kamal Mostafa
                   ` (140 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Nicolai Stange, Theodore Ts'o, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Nicolai Stange <nicstange@gmail.com>

commit 935244cd54b86ca46e69bc6604d2adfb1aec2d42 upstream.

Currently, in ext4_mb_init(), there's a loop like the following:

  do {
    ...
    offset += 1 << (sb->s_blocksize_bits - i);
    i++;
  } while (i <= sb->s_blocksize_bits + 1);

Note that the updated offset is used in the loop's next iteration only.

However, at the last iteration, that is at i == sb->s_blocksize_bits + 1,
the shift count becomes equal to (unsigned)-1 > 31 (c.f. C99 6.5.7(3))
and UBSAN reports

  UBSAN: Undefined behaviour in fs/ext4/mballoc.c:2621:15
  shift exponent 4294967295 is too large for 32-bit type 'int'
  [...]
  Call Trace:
   [<ffffffff818c4d25>] dump_stack+0xbc/0x117
   [<ffffffff818c4c69>] ? _atomic_dec_and_lock+0x169/0x169
   [<ffffffff819411ab>] ubsan_epilogue+0xd/0x4e
   [<ffffffff81941cac>] __ubsan_handle_shift_out_of_bounds+0x1fb/0x254
   [<ffffffff81941ab1>] ? __ubsan_handle_load_invalid_value+0x158/0x158
   [<ffffffff814b6dc1>] ? kmem_cache_alloc+0x101/0x390
   [<ffffffff816fc13b>] ? ext4_mb_init+0x13b/0xfd0
   [<ffffffff814293c7>] ? create_cache+0x57/0x1f0
   [<ffffffff8142948a>] ? create_cache+0x11a/0x1f0
   [<ffffffff821c2168>] ? mutex_lock+0x38/0x60
   [<ffffffff821c23ab>] ? mutex_unlock+0x1b/0x50
   [<ffffffff814c26ab>] ? put_online_mems+0x5b/0xc0
   [<ffffffff81429677>] ? kmem_cache_create+0x117/0x2c0
   [<ffffffff816fcc49>] ext4_mb_init+0xc49/0xfd0
   [...]

Observe that the mentioned shift exponent, 4294967295, equals (unsigned)-1.

Unless compilers start to do some fancy transformations (which at least
GCC 6.0.0 doesn't currently do), the issue is of cosmetic nature only: the
such calculated value of offset is never used again.

Silence UBSAN by introducing another variable, offset_incr, holding the
next increment to apply to offset and adjust that one by right shifting it
by one position per loop iteration.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=114701
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=112161

Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/ext4/mballoc.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index d9f9361..5162921 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -2571,7 +2571,7 @@ int ext4_mb_init(struct super_block *sb)
 {
 	struct ext4_sb_info *sbi = EXT4_SB(sb);
 	unsigned i, j;
-	unsigned offset;
+	unsigned offset, offset_incr;
 	unsigned max;
 	int ret;
 
@@ -2600,11 +2600,13 @@ int ext4_mb_init(struct super_block *sb)
 
 	i = 1;
 	offset = 0;
+	offset_incr = 1 << (sb->s_blocksize_bits - 1);
 	max = sb->s_blocksize << 2;
 	do {
 		sbi->s_mb_offsets[i] = offset;
 		sbi->s_mb_maxs[i] = max;
-		offset += 1 << (sb->s_blocksize_bits - i);
+		offset += offset_incr;
+		offset_incr = offset_incr >> 1;
 		max = max >> 1;
 		i++;
 	} while (i <= sb->s_blocksize_bits + 1);
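Review bot: offset_incr is declared unsigned but initialised from the signed expression `1 << (sb->s_blocksize_bits - 1)`; `1U <<` would keep the whole computation in the type of the variable it feeds. The `offset_incr = offset_incr >> 1` spelling matches the neighbouring `max = max >> 1`, so that part is consistent with the surrounding code.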
-- 
2.7.4
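
The loop rewrite described in the two ext4 UBSAN messages above, as an added userspace example (not the kernel code). It rebuilds the ext4_mb_init() offset table both ways and shows that only the shift-per-iteration form reaches an invalid exponent; the struct, function names and the MAX_ORDERS bound are this example's own, and the old form skips the invalid shift instead of executing it.

```c
#include <stdio.h>

#define MAX_ORDERS 32

/* Result of filling the per-order offset table as the quoted loop does. */
struct offsets_walk {
	unsigned offsets[MAX_ORDERS]; /* offsets[i] for order i, from 1 */
	unsigned count;               /* highest order filled, 0 if rejected */
	int bad_shift;                /* 1 if an exponent fell outside 0..31 */
	int bad_exponent;             /* that exponent, as a signed value */
};

/* Old form: offset += 1 << (blocksize_bits - i) on every iteration. */
static struct offsets_walk walk_old(unsigned blocksize_bits)
{
	struct offsets_walk w = {0};
	unsigned i = 1, offset = 0;

	if (blocksize_bits < 1 || blocksize_bits + 1 >= MAX_ORDERS)
		return w;
	do {
		int exponent = (int)blocksize_bits - (int)i;

		w.offsets[i] = offset;
		w.count = i;
		if (exponent < 0 || exponent > 31) {
			/* Record the undefined shift instead of performing it. */
			w.bad_shift = 1;
			w.bad_exponent = exponent;
		} else {
			offset += 1U << exponent;
		}
		i++;
	} while (i <= blocksize_bits + 1);
	return w;
}

/* New form: carry the increment along and halve it each iteration. */
static struct offsets_walk walk_new(unsigned blocksize_bits)
{
	struct offsets_walk w = {0};
	unsigned i = 1, offset = 0, offset_incr;

	if (blocksize_bits < 1 || blocksize_bits + 1 >= MAX_ORDERS)
		return w;
	offset_incr = 1U << (blocksize_bits - 1);
	do {
		w.offsets[i] = offset;
		w.count = i;
		offset += offset_incr;
		offset_incr >>= 1; /* reaches 0 only after its last use */
		i++;
	} while (i <= blocksize_bits + 1);
	return w;
}

/* Offset stored for one order by the new form (0 if out of range). */
static unsigned new_offset_at(unsigned blocksize_bits, unsigned order)
{
	struct offsets_walk w = walk_new(blocksize_bits);

	return (order >= 1 && order <= w.count) ? w.offsets[order] : 0;
}

/* 1 if both forms store identical tables for this block size. */
static int tables_match(unsigned blocksize_bits)
{
	struct offsets_walk a = walk_old(blocksize_bits);
	struct offsets_walk b = walk_new(blocksize_bits);
	unsigned i;

	if (a.count == 0 || a.count != b.count)
		return 0;
	for (i = 1; i <= a.count; i++)
		if (a.offsets[i] != b.offsets[i])
			return 0;
	return 1;
}

int main(void)
{
	struct offsets_walk old = walk_old(12);

	printf("old form, 4 KiB blocks: bad shift %d (exponent %d)\n",
	       old.bad_shift, old.bad_exponent);
	printf("new form, 4 KiB blocks: bad shift %d, tables match %d\n",
	       walk_new(12).bad_shift, tables_match(12));
	return 0;
}
```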

* [PATCH 4.2.y-ckt 066/206] arm64: Ensure pmd_present() returns false after pmd_mknotpresent()
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (64 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 065/206] ext4: silence UBSAN in ext4_mb_init() Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 067/206] ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats Kamal Mostafa
                   ` (139 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Catalin Marinas, Will Deacon, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Catalin Marinas <catalin.marinas@arm.com>

commit 5bb1cc0ff9a6b68871970737e6c4c16919928d8b upstream.

Currently, pmd_present() only checks for a non-zero value, returning
true even after pmd_mknotpresent() (which only clears the type bits).
This patch converts pmd_present() to using pte_present(), similar to the
other pmd_*() checks. As a side effect, it will return true for
PROT_NONE mappings, though they are not yet used by the kernel with
transparent huge pages.

For consistency, also change pmd_mknotpresent() to only clear the
PMD_SECT_VALID bit, even though the PMD_TABLE_BIT is already 0 for block
mappings (no functional change). The unused PMD_SECT_PROT_NONE
definition is removed as transparent huge pages use the pte page prot
values.

Fixes: 9c7e535fcc17 ("arm64: mm: Route pmd thp functions through pte equivalents")
Reviewed-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/arm64/include/asm/pgtable-hwdef.h | 1 -
 arch/arm64/include/asm/pgtable.h       | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/include/asm/pgtable-hwdef.h b/arch/arm64/include/asm/pgtable-hwdef.h
index 59bfae7..d007a7b 100644
--- a/arch/arm64/include/asm/pgtable-hwdef.h
+++ b/arch/arm64/include/asm/pgtable-hwdef.h
@@ -77,7 +77,6 @@
  * Section
  */
 #define PMD_SECT_VALID		(_AT(pmdval_t, 1) << 0)
-#define PMD_SECT_PROT_NONE	(_AT(pmdval_t, 1) << 58)
 #define PMD_SECT_USER		(_AT(pmdval_t, 1) << 6)		/* AP[1] */
 #define PMD_SECT_RDONLY		(_AT(pmdval_t, 1) << 7)		/* AP[2] */
 #define PMD_SECT_S		(_AT(pmdval_t, 3) << 8)
diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h
index 526a9cb..f1fc314 100644
--- a/arch/arm64/include/asm/pgtable.h
+++ b/arch/arm64/include/asm/pgtable.h
@@ -285,6 +285,7 @@ void pmdp_splitting_flush(struct vm_area_struct *vma, unsigned long address,
 #endif /* CONFIG_HAVE_RCU_TABLE_FREE */
 #endif /* CONFIG_TRANSPARENT_HUGEPAGE */
 
+#define pmd_present(pmd)	pte_present(pmd_pte(pmd))
 #define pmd_dirty(pmd)		pte_dirty(pmd_pte(pmd))
 #define pmd_young(pmd)		pte_young(pmd_pte(pmd))
 #define pmd_wrprotect(pmd)	pte_pmd(pte_wrprotect(pmd_pte(pmd)))
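
Review bot: the new pmd_present() definition in this hunk carries no comment
saying that it now follows pte_present(), so per the commit message it also
returns true for PROT_NONE entries. A short comment above
`#define pmd_present(pmd)	pte_present(pmd_pte(pmd))` would keep a later
reader from assuming it still means "non-zero", which is what the definition
removed further down tested.
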
@@ -293,7 +294,7 @@ void pmdp_splitting_flush(struct vm_area_struct *vma, unsigned long address,
 #define pmd_mkwrite(pmd)	pte_pmd(pte_mkwrite(pmd_pte(pmd)))
 #define pmd_mkdirty(pmd)	pte_pmd(pte_mkdirty(pmd_pte(pmd)))
 #define pmd_mkyoung(pmd)	pte_pmd(pte_mkyoung(pmd_pte(pmd)))
-#define pmd_mknotpresent(pmd)	(__pmd(pmd_val(pmd) & ~PMD_TYPE_MASK))
+#define pmd_mknotpresent(pmd)	(__pmd(pmd_val(pmd) & ~PMD_SECT_VALID))
 
 #define __HAVE_ARCH_PMD_WRITE
 #define pmd_write(pmd)		pte_write(pmd_pte(pmd))
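
Review bot: pmd_mknotpresent() now clears only PMD_SECT_VALID, which is
correct only because the table bit is already 0 for the block mappings it is
applied to. That assumption lives in the commit message alone; please put it
in a comment next to the macro so the narrower mask is not later mistaken for
an oversight and widened back to PMD_TYPE_MASK.
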
@@ -332,7 +333,6 @@ extern pgprot_t phys_mem_access_prot(struct file *file, unsigned long pfn,
 				     unsigned long size, pgprot_t vma_prot);
 
 #define pmd_none(pmd)		(!pmd_val(pmd))
-#define pmd_present(pmd)	(pmd_val(pmd))
 
 #define pmd_bad(pmd)		(!(pmd_val(pmd) & 2))
 
-- 
2.7.4

* [PATCH 4.2.y-ckt 067/206] ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (65 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 066/206] arm64: Ensure pmd_present() returns false after pmd_mknotpresent() Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 068/206] ath10k: fix kernel panic, move arvifs list head init before htt init Kamal Mostafa
                   ` (138 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Marek Szyprowski, Krzysztof Kozlowski, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Marek Szyprowski <m.szyprowski@samsung.com>

commit 330d12764e15f6e3e94ff34cda29db96d2589c24 upstream.

MAX8997 PMIC requires interrupt and fails probing without it.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Fixes: d105f0b1215d ("ARM: dts: Add basic dts file for Samsung Trats board")
[k.kozlowski: Write commit message, add CC-stable]
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/arm/boot/dts/exynos4210-trats.dts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/arm/boot/dts/exynos4210-trats.dts b/arch/arm/boot/dts/exynos4210-trats.dts
index ba34886..60efd46 100644
--- a/arch/arm/boot/dts/exynos4210-trats.dts
+++ b/arch/arm/boot/dts/exynos4210-trats.dts
@@ -296,6 +296,8 @@
 		compatible = "maxim,max8997-pmic";
 
 		reg = <0x66>;
+		interrupt-parent = <&gpx0>;
+		interrupts = <7 0>;
 
 		max8997,pmic-buck1-uses-gpio-dvs;
 		max8997,pmic-buck2-uses-gpio-dvs;
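
Review bot: `interrupts = <7 0>;` passes a bare 0 as the second cell, which
for a two-cell specifier is normally the trigger flags, so the trigger type
of the PMIC interrupt line is left unspecified. If the polarity of the line
is known, encode it here, or add a comment saying why it is left as 0, so the
probe does not depend on whatever the gpx0 controller defaults to.
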
-- 
2.7.4

* [PATCH 4.2.y-ckt 068/206] ath10k: fix kernel panic, move arvifs list head init before htt init
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (66 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 067/206] ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 069/206] can: fix handling of unmodifiable configuration options Kamal Mostafa
                   ` (137 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Anilkumar Kolli, Kalle Valo, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Anilkumar Kolli <akolli@qti.qualcomm.com>

commit 4ad24a9d83bd4bf0a85e95bf144e18d3fda4fbf1 upstream.

It is observed that while loading and unloading ath10k modules
in an infinite loop, before ath10k_core_start() completion HTT
rx frames are received, while processing these frames,
dereferencing the arvifs list code is getting hit before
initializing the arvifs list, causing a kernel panic.

This patch initializes the arvifs list before initializing htt.

Fixes the below issue:
 [<bf88b058>] (ath10k_htt_rx_pktlog_completion_handler+0x278/0xd08 [ath10k_core])
 [<bf88b058>] (ath10k_htt_rx_pktlog_completion_handler [ath10k_core])
 [<bf88c0dc>] (ath10k_htt_txrx_compl_task+0x5f4/0xeb0 [ath10k_core])
 [<bf88c0dc>] (ath10k_htt_txrx_compl_task [ath10k_core])
 [<c0234100>] (tasklet_action+0x8c/0xec)
 [<c0234100>] (tasklet_action)
 [<c02337c0>] (__do_softirq+0xf8/0x228)
 [<c02337c0>] (__do_softirq)  [<c0233920>] (run_ksoftirqd+0x30/0x90)
 Code: e5954ad8 e2899008 e1540009 0a00000d (e5943008)
 ---[ end trace 71de5c2e011dbf56 ]---
 Kernel panic - not syncing: Fatal exception in interrupt

Fixes: 500ff9f9389d ("ath10k: implement chanctx API")
Signed-off-by: Anilkumar Kolli <akolli@qti.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/wireless/ath/ath10k/core.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c
index 59496a9..b67cdec 100644
--- a/drivers/net/wireless/ath/ath10k/core.c
+++ b/drivers/net/wireless/ath/ath10k/core.c
@@ -1214,6 +1214,10 @@ int ath10k_core_start(struct ath10k *ar, enum ath10k_firmware_mode mode)
 		goto err_hif_stop;
 	}
 
+	ar->free_vdev_map = (1LL << ar->max_num_vdevs) - 1;
+
+	INIT_LIST_HEAD(&ar->arvifs);
+
 	/* we don't care about HTT in UTF mode */
 	if (mode == ATH10K_FIRMWARE_MODE_NORMAL) {
 		status = ath10k_htt_setup(&ar->htt);
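
Review bot: the moved initialisation still sits after the `goto err_hif_stop`
path at the top of this hunk, which means HIF has already been started when
`INIT_LIST_HEAD(&ar->arvifs)` runs. The commit message describes rx frames
arriving before ath10k_core_start() completes, so please confirm that nothing
can walk ar->arvifs between HIF start and this point, or move both
assignments ahead of HIF start. Either way, a one-line comment saying the
list must be initialised before ath10k_htt_setup() would stop a later cleanup
from moving it back to the end of the function.
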
@@ -1227,10 +1231,6 @@ int ath10k_core_start(struct ath10k *ar, enum ath10k_firmware_mode mode)
 	if (status)
 		goto err_hif_stop;
 
-	ar->free_vdev_map = (1LL << ar->max_num_vdevs) - 1;
-
-	INIT_LIST_HEAD(&ar->arvifs);
-
 	return 0;
 
 err_hif_stop:
-- 
2.7.4

* [PATCH 4.2.y-ckt 069/206] can: fix handling of unmodifiable configuration options
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (67 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 068/206] ath10k: fix kernel panic, move arvifs list head init before htt init Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 070/206] MIPS: Fix siginfo.h to use strict posix types Kamal Mostafa
                   ` (136 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Oliver Hartkopp, Marc Kleine-Budde, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Oliver Hartkopp <socketcan@hartkopp.net>

commit bb208f144cf3f59d8f89a09a80efd04389718907 upstream.

As described in 'can: m_can: tag current CAN FD controllers as non-ISO'
(6cfda7fbebe) it is possible to define fixed configuration options by
setting the according bit in 'ctrlmode' and clear it in 'ctrlmode_supported'.
This leads to the inconvenience that the fixed configuration bits can not be
passed by netlink even when they have the correct values (e.g. non-ISO, FD).

This patch fixes that issue and not only allows fixed set bit values to be set
again but now requires(!) to provide these fixed values at configuration time.
A valid CAN FD configuration consists of a nominal/arbitration bittiming, a
data bittiming and a control mode with CAN_CTRLMODE_FD set - which is now
enforced by a new can_validate() function. This fix additionally removed the
inconsistency that was prohibiting the support of 'CANFD-only' controller
drivers, like the RCar CAN FD.

For this reason a new helper can_set_static_ctrlmode() has been introduced to
provide a proper interface to handle static enabled CAN controller options.

Reported-by: Ramesh Shanmugasundaram <ramesh.shanmugasundaram@bp.renesas.com>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Reviewed-by: Ramesh Shanmugasundaram  <ramesh.shanmugasundaram@bp.renesas.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/can/dev.c         | 56 +++++++++++++++++++++++++++++++++++++++----
 drivers/net/can/m_can/m_can.c |  2 +-
 include/linux/can/dev.h       | 22 +++++++++++++++--
 3 files changed, 73 insertions(+), 7 deletions(-)

diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
index 141c2a4..910c12e 100644
--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -696,11 +696,17 @@ int can_change_mtu(struct net_device *dev, int new_mtu)
 	/* allow change of MTU according to the CANFD ability of the device */
 	switch (new_mtu) {
 	case CAN_MTU:
+		/* 'CANFD-only' controllers can not switch to CAN_MTU */
+		if (priv->ctrlmode_static & CAN_CTRLMODE_FD)
+			return -EINVAL;
+
 		priv->ctrlmode &= ~CAN_CTRLMODE_FD;
 		break;
 
 	case CANFD_MTU:
-		if (!(priv->ctrlmode_supported & CAN_CTRLMODE_FD))
+		/* check for potential CANFD ability */
+		if (!(priv->ctrlmode_supported & CAN_CTRLMODE_FD) &&
+		    !(priv->ctrlmode_static & CAN_CTRLMODE_FD))
 			return -EINVAL;
 
 		priv->ctrlmode |= CAN_CTRLMODE_FD;
@@ -782,6 +788,35 @@ static const struct nla_policy can_policy[IFLA_CAN_MAX + 1] = {
 				= { .len = sizeof(struct can_bittiming_const) },
 };
 
+static int can_validate(struct nlattr *tb[], struct nlattr *data[])
+{
+	bool is_can_fd = false;
+
+	/* Make sure that valid CAN FD configurations always consist of
+	 * - nominal/arbitration bittiming
+	 * - data bittiming
+	 * - control mode with CAN_CTRLMODE_FD set
+	 */
+
+	if (data[IFLA_CAN_CTRLMODE]) {
+		struct can_ctrlmode *cm = nla_data(data[IFLA_CAN_CTRLMODE]);
+
+		is_can_fd = cm->flags & cm->mask & CAN_CTRLMODE_FD;
+	}
+
+	if (is_can_fd) {
+		if (!data[IFLA_CAN_BITTIMING] || !data[IFLA_CAN_DATA_BITTIMING])
+			return -EOPNOTSUPP;
+	}
+
+	if (data[IFLA_CAN_DATA_BITTIMING]) {
+		if (!is_can_fd || !data[IFLA_CAN_BITTIMING])
+			return -EOPNOTSUPP;
+	}
+
+	return 0;
+}
+
 static int can_changelink(struct net_device *dev,
 			  struct nlattr *tb[], struct nlattr *data[])
 {
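
Review bot: can_validate() indexes data[IFLA_CAN_CTRLMODE],
data[IFLA_CAN_BITTIMING] and data[IFLA_CAN_DATA_BITTIMING] without first
checking that data itself is non-NULL. rtnetlink passes a NULL data array to
.validate when the request carries no IFLA_INFO_DATA, so a link request for a
CAN device without type-specific attributes would dereference a NULL pointer
here. Add `if (!data) return 0;` ahead of the first lookup.
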
@@ -813,19 +848,31 @@ static int can_changelink(struct net_device *dev,
 
 	if (data[IFLA_CAN_CTRLMODE]) {
 		struct can_ctrlmode *cm;
+		u32 ctrlstatic;
+		u32 maskedflags;
 
 		/* Do not allow changing controller mode while running */
 		if (dev->flags & IFF_UP)
 			return -EBUSY;
 		cm = nla_data(data[IFLA_CAN_CTRLMODE]);
+		ctrlstatic = priv->ctrlmode_static;
+		maskedflags = cm->flags & cm->mask;
+
+		/* check whether provided bits are allowed to be passed */
+		if (cm->mask & ~(priv->ctrlmode_supported | ctrlstatic))
+			return -EOPNOTSUPP;
+
+		/* do not check for static fd-non-iso if 'fd' is disabled */
+		if (!(maskedflags & CAN_CTRLMODE_FD))
+			ctrlstatic &= ~CAN_CTRLMODE_FD_NON_ISO;
 
-		/* check whether changed bits are allowed to be modified */
-		if (cm->mask & ~priv->ctrlmode_supported)
+		/* make sure static options are provided by configuration */
+		if ((maskedflags & ctrlstatic) != ctrlstatic)
 			return -EOPNOTSUPP;
 
 		/* clear bits to be modified and copy the flag values */
 		priv->ctrlmode &= ~cm->mask;
-		priv->ctrlmode |= (cm->flags & cm->mask);
+		priv->ctrlmode |= maskedflags;
 
 		/* CAN_CTRLMODE_FD can only be set when driver supports FD */
 		if (priv->ctrlmode & CAN_CTRLMODE_FD)
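
Review bot: the new test `(maskedflags & ctrlstatic) != ctrlstatic` changes
what userspace must send: on a device that declares CAN_CTRLMODE_FD_NON_ISO
static, a request that enables CAN_CTRLMODE_FD without also passing the
non-ISO bit passed the old mask check and is now rejected with -EOPNOTSUPP.
For a stable backport that user-visible change deserves an explicit line in
the changelog. The same error code is also returned for a disallowed mask bit
just above, so userspace cannot tell "bit not allowed" from "static bit
missing"; a distinct errno or a netdev_err() would help whoever has to debug
a failing configuration.
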
@@ -966,6 +1013,7 @@ static struct rtnl_link_ops can_link_ops __read_mostly = {
 	.maxtype	= IFLA_CAN_MAX,
 	.policy		= can_policy,
 	.setup		= can_setup,
+	.validate	= can_validate,
 	.newlink	= can_newlink,
 	.changelink	= can_changelink,
 	.get_size	= can_get_size,
diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
index ef65517..37f15eb 100644
--- a/drivers/net/can/m_can/m_can.c
+++ b/drivers/net/can/m_can/m_can.c
@@ -958,7 +958,7 @@ static struct net_device *alloc_m_can_dev(void)
 	priv->can.do_get_berr_counter = m_can_get_berr_counter;
 
 	/* CAN_CTRLMODE_FD_NON_ISO is fixed with M_CAN IP v3.0.1 */
-	priv->can.ctrlmode = CAN_CTRLMODE_FD_NON_ISO;
+	can_set_static_ctrlmode(dev, CAN_CTRLMODE_FD_NON_ISO);
 
 	/* CAN_CTRLMODE_FD_NON_ISO can not be changed with M_CAN IP v3.0.1 */
 	priv->can.ctrlmode_supported = CAN_CTRLMODE_LOOPBACK |
diff --git a/include/linux/can/dev.h b/include/linux/can/dev.h
index c3a9c8f..5e13b98 100644
--- a/include/linux/can/dev.h
+++ b/include/linux/can/dev.h
@@ -39,8 +39,11 @@ struct can_priv {
 	struct can_clock clock;
 
 	enum can_state state;
-	u32 ctrlmode;
-	u32 ctrlmode_supported;
+
+	/* CAN controller features - see include/uapi/linux/can/netlink.h */
+	u32 ctrlmode;		/* current options setting */
+	u32 ctrlmode_supported;	/* options that can be modified by netlink */
+	u32 ctrlmode_static;	/* static enabled options for driver/hardware */
 
 	int restart_ms;
 	struct timer_list restart_timer;
@@ -107,6 +110,21 @@ static inline bool can_is_canfd_skb(const struct sk_buff *skb)
 	return skb->len == CANFD_MTU;
 }
 
+/* helper to define static CAN controller features at device creation time */
+static inline void can_set_static_ctrlmode(struct net_device *dev,
+					   u32 static_mode)
+{
+	struct can_priv *priv = netdev_priv(dev);
+
+	/* alloc_candev() succeeded => netdev_priv() is valid at this point */
+	priv->ctrlmode = static_mode;
+	priv->ctrlmode_static = static_mode;
+
+	/* override MTU which was set by default in can_setup()? */
+	if (static_mode & CAN_CTRLMODE_FD)
+		dev->mtu = CANFD_MTU;
+}
+
 /* get data length from can_dlc with sanitized can_dlc */
 u8 can_dlc2len(u8 can_dlc);
 
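
Review bot: can_set_static_ctrlmode() assigns `priv->ctrlmode = static_mode`
rather than OR-ing the bits in, so any ctrlmode bit a driver set before
calling the helper is silently dropped. Please document in the helper's
comment that it must be called straight after alloc_candev(), before any
other ctrlmode setup, or switch to `|=`. The comment "override MTU which was
set by default in can_setup()?" also reads as an open question; drop the
question mark if the override is intended.
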
-- 
2.7.4

* [PATCH 4.2.y-ckt 070/206] MIPS: Fix siginfo.h to use strict posix types
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (68 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 069/206] can: fix handling of unmodifiable configuration options Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 071/206] MIPS: Don't unwind to user mode with EVA Kamal Mostafa
                   ` (135 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: James Hogan, Christopher Ferris, linux-mips, Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: James Hogan <james.hogan@imgtec.com>

commit 5daebc477da4dfeb31ae193d83084def58fd2697 upstream.

Commit 85efde6f4e0d ("make exported headers use strict posix types")
changed the asm-generic siginfo.h to use the __kernel_* types, and
commit 3a471cbc081b ("remove __KERNEL_STRICT_NAMES") made the internal
types accessible only to the kernel, but the MIPS implementation hasn't
been updated to match.

Switch to proper types now so that the exported asm/siginfo.h won't
produce quite so many compiler errors when included alone by a user
program.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Christopher Ferris <cferris@google.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/12477/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/include/uapi/asm/siginfo.h | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/arch/mips/include/uapi/asm/siginfo.h b/arch/mips/include/uapi/asm/siginfo.h
index 2cb7fde..03ec109 100644
--- a/arch/mips/include/uapi/asm/siginfo.h
+++ b/arch/mips/include/uapi/asm/siginfo.h
@@ -42,13 +42,13 @@ typedef struct siginfo {
 
 		/* kill() */
 		struct {
-			pid_t _pid;		/* sender's pid */
+			__kernel_pid_t _pid;	/* sender's pid */
 			__ARCH_SI_UID_T _uid;	/* sender's uid */
 		} _kill;
 
 		/* POSIX.1b timers */
 		struct {
-			timer_t _tid;		/* timer id */
+			__kernel_timer_t _tid;	/* timer id */
 			int _overrun;		/* overrun count */
 			char _pad[sizeof( __ARCH_SI_UID_T) - sizeof(int)];
 			sigval_t _sigval;	/* same as below */
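
Review bot: the hunk switches the members to __kernel_pid_t and
__kernel_timer_t but adds no #include, while the stated goal is for
asm/siginfo.h to compile when a user program includes it alone. Please
confirm the header already reaches the definitions of the __kernel_* types on
its own, and say in the changelog that the replacement types have the same
size as the ones they replace, since this struct is userspace ABI.
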
@@ -57,26 +57,26 @@ typedef struct siginfo {
 
 		/* POSIX.1b signals */
 		struct {
-			pid_t _pid;		/* sender's pid */
+			__kernel_pid_t _pid;	/* sender's pid */
 			__ARCH_SI_UID_T _uid;	/* sender's uid */
 			sigval_t _sigval;
 		} _rt;
 
 		/* SIGCHLD */
 		struct {
-			pid_t _pid;		/* which child */
+			__kernel_pid_t _pid;	/* which child */
 			__ARCH_SI_UID_T _uid;	/* sender's uid */
 			int _status;		/* exit code */
-			clock_t _utime;
-			clock_t _stime;
+			__kernel_clock_t _utime;
+			__kernel_clock_t _stime;
 		} _sigchld;
 
 		/* IRIX SIGCHLD */
 		struct {
-			pid_t _pid;		/* which child */
-			clock_t _utime;
+			__kernel_pid_t _pid;	/* which child */
+			__kernel_clock_t _utime;
 			int _status;		/* exit code */
-			clock_t _stime;
+			__kernel_clock_t _stime;
 		} _irix_sigchld;
 
 		/* SIGILL, SIGFPE, SIGSEGV, SIGBUS */
-- 
2.7.4

* [PATCH 4.2.y-ckt 071/206] MIPS: Don't unwind to user mode with EVA
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (69 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 070/206] MIPS: Fix siginfo.h to use strict posix types Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 072/206] MIPS: Avoid using unwind_stack() with usermode Kamal Mostafa
                   ` (134 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: James Hogan, linux-mips, Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: James Hogan <james.hogan@imgtec.com>

commit a816b306c62195b7c43c92cb13330821a96bdc27 upstream.

When unwinding through IRQs and exceptions, the unwinding only continues
if the PC is a kernel text address, however since EVA it is possible for
user and kernel address ranges to overlap, potentially allowing
unwinding to continue to user mode if the user PC happens to be in the
kernel text address range.

Adjust the check to also ensure that the register state from before the
exception is actually running in kernel mode, i.e. !user_mode(regs).

I don't believe any harm can come of this problem, since the PC is only
output, the stack pointer is checked to ensure it resides within the
task's stack page before it is dereferenced in search of the return
address, and the return address register is similarly only output (if
the PC is in a leaf function or the beginning of a non-leaf function).

However unwind_stack() is only meant for unwinding kernel code, so to be
correct the unwind should stop there.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Leonid Yegoshin <Leonid.Yegoshin@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/11700/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/kernel/process.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
index f2975d4..6b3ae73 100644
--- a/arch/mips/kernel/process.c
+++ b/arch/mips/kernel/process.c
@@ -457,7 +457,7 @@ unsigned long notrace unwind_stack_by_address(unsigned long stack_page,
 		    *sp + sizeof(*regs) <= stack_page + THREAD_SIZE - 32) {
 			regs = (struct pt_regs *)*sp;
 			pc = regs->cp0_epc;
-			if (__kernel_text_address(pc)) {
+			if (!user_mode(regs) && __kernel_text_address(pc)) {
 				*sp = regs->regs[29];
 				*ra = regs->regs[31];
 				return pc;
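
Review bot: the added `!user_mode(regs)` test has no comment, and without the
commit message it is not obvious why a PC inside kernel text is not
sufficient on its own. A one-line comment above the `if` noting that with EVA
a user PC can fall inside the kernel text range would keep the check from
being simplified away later.
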
-- 
2.7.4

* [PATCH 4.2.y-ckt 072/206] MIPS: Avoid using unwind_stack() with usermode
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (70 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 071/206] MIPS: Don't unwind to user mode with EVA Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 073/206] MIPS: Reserve nosave data for hibernation Kamal Mostafa
                   ` (133 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: James Hogan, linux-mips, Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: James Hogan <james.hogan@imgtec.com>

commit 81a76d7119f63c359750e4adeff922a31ad1135f upstream.

When showing backtraces in response to traps, for example crashes and
address errors (usually unaligned accesses) when they are set in debugfs
to be reported, unwind_stack will be used if the PC was in the kernel
text address range. However since EVA it is possible for user and kernel
address ranges to overlap, and even without EVA userland can still
trigger an address error by jumping to a KSeg0 address.

Adjust the check to also ensure that it was running in kernel mode. I
don't believe any harm can come of this problem, since unwind_stack() is
sufficiently defensive, however it is only meant for unwinding kernel
code, so to be correct it should use the raw backtracing instead.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Leonid Yegoshin <Leonid.Yegoshin@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/11701/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
(cherry picked from commit d2941a975ac745c607dfb590e92bb30bc352dad9)
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/kernel/traps.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
index ef1e9d3..86454f5 100644
--- a/arch/mips/kernel/traps.c
+++ b/arch/mips/kernel/traps.c
@@ -143,7 +143,7 @@ static void show_backtrace(struct task_struct *task, const struct pt_regs *regs)
 	if (!task)
 		task = current;
 
-	if (raw_show_trace || !__kernel_text_address(pc)) {
+	if (raw_show_trace || user_mode(regs) || !__kernel_text_address(pc)) {
 		show_raw_backtrace(sp);
 		return;
 	}
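
Review bot: this condition is the negation of the one the previous patch in
the series adds in unwind_stack_by_address()
(`!user_mode(regs) && __kernel_text_address(pc)`), so the same rule is now
spelled out by hand in two files. A small shared helper taking regs would
keep the two sites from drifting apart; failing that, a comment here should
mention the KSeg0 case from the commit message, since that reason applies
even without EVA.
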
-- 
2.7.4

* [PATCH 4.2.y-ckt 073/206] MIPS: Reserve nosave data for hibernation
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (71 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 072/206] MIPS: Avoid using unwind_stack() with usermode Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 074/206] MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU Kamal Mostafa
                   ` (132 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Huacai Chen, Aurelien Jarno, Steven J . Hill, Fuxin Zhang,
	Zhangjin Wu, linux-mips, Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Huacai Chen <chenhc@lemote.com>

commit a95d069204e178f18476f5499abab0d0d9cbc32c upstream.

After commit 92923ca3aacef63c92d ("mm: meminit: only set page reserved
in the memblock region"), the MIPS hibernation is broken. Because pages
in nosave data section should be "reserved", but currently they aren't
set to "reserved" at initialization. This patch makes hibernation work
again.

Signed-off-by: Huacai Chen <chenhc@lemote.com>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: Steven J . Hill <sjhill@realitydiluted.com>
Cc: Fuxin Zhang <zhangfx@lemote.com>
Cc: Zhangjin Wu <wuzhangjin@gmail.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/12888/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/kernel/setup.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/mips/kernel/setup.c b/arch/mips/kernel/setup.c
index 4ceac5c..c737bc1 100644
--- a/arch/mips/kernel/setup.c
+++ b/arch/mips/kernel/setup.c
@@ -691,6 +691,9 @@ static void __init arch_mem_init(char **cmdline_p)
 	for_each_memblock(reserved, reg)
 		if (reg->size != 0)
 			reserve_bootmem(reg->base, reg->size, BOOTMEM_DEFAULT);
+
+	reserve_bootmem_region(__pa_symbol(&__nosave_begin),
+			__pa_symbol(&__nosave_end)); /* Reserve for hibernation */
 }
 
 static void __init resource_init(void)
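
Review bot: the new call passes a start and an end address, while the
reserve_bootmem() call directly above it takes a base and a size, and the
only comment is tacked onto the continuation line. Move the comment above the
call and have it say that the arguments are the physical bounds of the nosave
section, so the second argument is not mistaken for a length. The hunk also
adds no declaration or #include for __nosave_begin and __nosave_end; please
confirm setup.c already sees them in the 4.2.y tree.
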
-- 
2.7.4

* [PATCH 4.2.y-ckt 074/206] MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (72 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 073/206] MIPS: Reserve nosave data for hibernation Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 075/206] MIPS64: R6: R2 emulation bugfix Kamal Mostafa
                   ` (131 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Huacai Chen, Aurelien Jarno, Steven J . Hill, Fuxin Zhang,
	Zhangjin Wu, linux-mips, Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Huacai Chen <chenhc@lemote.com>

commit 3484de7bcbed20ecbf2b8d80671619e7059e2dd7 upstream.

Due to datasheet, reserving 0xff800000~0xffffffff (8MB below 4GB) is
not enough for RS780E integrated GPU's TOM (top of memory) registers
and MSI/MSI-x memory region, so we reserve 0xfe000000~0xffffffff (32MB
below 4GB).

Signed-off-by: Huacai Chen <chenhc@lemote.com>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: Steven J . Hill <sjhill@realitydiluted.com>
Cc: Fuxin Zhang <zhangfx@lemote.com>
Cc: Zhangjin Wu <wuzhangjin@gmail.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/12889/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/loongson64/loongson-3/numa.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/mips/loongson64/loongson-3/numa.c b/arch/mips/loongson64/loongson-3/numa.c
index 6f9e010..282c5a8 100644
--- a/arch/mips/loongson64/loongson-3/numa.c
+++ b/arch/mips/loongson64/loongson-3/numa.c
@@ -213,10 +213,10 @@ static void __init node_mem_init(unsigned int node)
 		BOOTMEM_DEFAULT);
 
 	if (node == 0 && node_end_pfn(0) >= (0xffffffff >> PAGE_SHIFT)) {
-		/* Reserve 0xff800000~0xffffffff for RS780E integrated GPU */
+		/* Reserve 0xfe000000~0xffffffff for RS780E integrated GPU */
 		reserve_bootmem_node(NODE_DATA(node),
-				(node_addrspace_offset | 0xff800000),
-				8 << 20, BOOTMEM_DEFAULT);
+				(node_addrspace_offset | 0xfe000000),
+				32 << 20, BOOTMEM_DEFAULT);
 	}
 
 	sparse_memory_present_with_active_regions(node);
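
Review bot: the guard `node_end_pfn(0) >= (0xffffffff >> PAGE_SHIFT)` is
unchanged, so the reservation is only made when node 0 reaches the last page
below 4GB; with the window now starting at 0xfe000000, a node 0 that ends
inside the window but short of that page gets no reservation at all. If that
layout cannot occur on these boards, say so in the comment; otherwise key the
test on the start of the window. The base and the size (`0xfe000000`,
`32 << 20`) also have to be kept in step by hand, which named constants would
avoid.
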
-- 
2.7.4

* [PATCH 4.2.y-ckt 075/206] MIPS64: R6: R2 emulation bugfix
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (73 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 074/206] MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 076/206] usb: host: xhci-rcar: Avoid long wait in xhci_reset() Kamal Mostafa
                   ` (130 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Leonid Yegoshin, macro, linux-mips, Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Leonid Yegoshin <Leonid.Yegoshin@imgtec.com>

commit 41fa29e4d8cf4150568a0fe9bb4d62229f9caed5 upstream.

Error recovery pointers for fixups were improperly set as ".word"
which is unsuitable for MIPS64.

Replaced by STR(PTR)

[ralf@linux-mips.org: Apply changes as requested in the review process.]

Signed-off-by: Leonid Yegoshin <Leonid.Yegoshin@imgtec.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Markos Chandras <markos.chandras@imgtec.com>
Fixes: b0a668fb2038 ("MIPS: kernel: mips-r2-to-r6-emul: Add R2 emulator for MIPS R6")
Cc: macro@linux-mips.org
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/9911/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/kernel/mips-r2-to-r6-emul.c | 105 +++++++++++++++++-----------------
 1 file changed, 53 insertions(+), 52 deletions(-)

diff --git a/arch/mips/kernel/mips-r2-to-r6-emul.c b/arch/mips/kernel/mips-r2-to-r6-emul.c
index f2977f0..e19fa36 100644
--- a/arch/mips/kernel/mips-r2-to-r6-emul.c
+++ b/arch/mips/kernel/mips-r2-to-r6-emul.c
@@ -27,6 +27,7 @@
 #include <asm/inst.h>
 #include <asm/mips-r2-to-r6-emul.h>
 #include <asm/local.h>
+#include <asm/mipsregs.h>
 #include <asm/ptrace.h>
 #include <asm/uaccess.h>
 
@@ -1250,10 +1251,10 @@ fpu_emul:
 			"	j	10b\n"
 			"	.previous\n"
 			"	.section	__ex_table,\"a\"\n"
-			"	.word	1b,8b\n"
-			"	.word	2b,8b\n"
-			"	.word	3b,8b\n"
-			"	.word	4b,8b\n"
+			STR(PTR) " 1b,8b\n"
+			STR(PTR) " 2b,8b\n"
+			STR(PTR) " 3b,8b\n"
+			STR(PTR) " 4b,8b\n"
 			"	.previous\n"
 			"	.set	pop\n"
 			: "+&r"(rt), "=&r"(rs),
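
Review bot: the replacement lines drop the leading tab that the old strings
carried (`"	.word	1b,8b\n"` becomes `STR(PTR) " 1b,8b\n"`), so the
__ex_table entries are no longer indented like the surrounding directives in
the generated assembly. That is cosmetic, but the same block of entries is
repeated by hand in every remaining hunk of this patch; a local macro for one
fixup entry would fix the indentation once and stop a stray `.word` from
reappearing when the next emulated instruction is added.
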
@@ -1325,10 +1326,10 @@ fpu_emul:
 			"	j	10b\n"
 			"       .previous\n"
 			"	.section	__ex_table,\"a\"\n"
-			"	.word	1b,8b\n"
-			"	.word	2b,8b\n"
-			"	.word	3b,8b\n"
-			"	.word	4b,8b\n"
+			STR(PTR) " 1b,8b\n"
+			STR(PTR) " 2b,8b\n"
+			STR(PTR) " 3b,8b\n"
+			STR(PTR) " 4b,8b\n"
 			"	.previous\n"
 			"	.set	pop\n"
 			: "+&r"(rt), "=&r"(rs),
@@ -1396,10 +1397,10 @@ fpu_emul:
 			"	j	9b\n"
 			"	.previous\n"
 			"	.section        __ex_table,\"a\"\n"
-			"	.word	1b,8b\n"
-			"	.word	2b,8b\n"
-			"	.word	3b,8b\n"
-			"	.word	4b,8b\n"
+			STR(PTR) " 1b,8b\n"
+			STR(PTR) " 2b,8b\n"
+			STR(PTR) " 3b,8b\n"
+			STR(PTR) " 4b,8b\n"
 			"	.previous\n"
 			"	.set	pop\n"
 			: "+&r"(rt), "=&r"(rs),
@@ -1466,10 +1467,10 @@ fpu_emul:
 			"	j	9b\n"
 			"	.previous\n"
 			"	.section        __ex_table,\"a\"\n"
-			"	.word	1b,8b\n"
-			"	.word	2b,8b\n"
-			"	.word	3b,8b\n"
-			"	.word	4b,8b\n"
+			STR(PTR) " 1b,8b\n"
+			STR(PTR) " 2b,8b\n"
+			STR(PTR) " 3b,8b\n"
+			STR(PTR) " 4b,8b\n"
 			"	.previous\n"
 			"	.set	pop\n"
 			: "+&r"(rt), "=&r"(rs),
@@ -1581,14 +1582,14 @@ fpu_emul:
 			"	j	9b\n"
 			"	.previous\n"
 			"	.section        __ex_table,\"a\"\n"
-			"	.word	1b,8b\n"
-			"	.word	2b,8b\n"
-			"	.word	3b,8b\n"
-			"	.word	4b,8b\n"
-			"	.word	5b,8b\n"
-			"	.word	6b,8b\n"
-			"	.word	7b,8b\n"
-			"	.word	0b,8b\n"
+			STR(PTR) " 1b,8b\n"
+			STR(PTR) " 2b,8b\n"
+			STR(PTR) " 3b,8b\n"
+			STR(PTR) " 4b,8b\n"
+			STR(PTR) " 5b,8b\n"
+			STR(PTR) " 6b,8b\n"
+			STR(PTR) " 7b,8b\n"
+			STR(PTR) " 0b,8b\n"
 			"	.previous\n"
 			"	.set	pop\n"
 			: "+&r"(rt), "=&r"(rs),
@@ -1700,14 +1701,14 @@ fpu_emul:
 			"	j      9b\n"
 			"	.previous\n"
 			"	.section        __ex_table,\"a\"\n"
-			"	.word  1b,8b\n"
-			"	.word  2b,8b\n"
-			"	.word  3b,8b\n"
-			"	.word  4b,8b\n"
-			"	.word  5b,8b\n"
-			"	.word  6b,8b\n"
-			"	.word  7b,8b\n"
-			"	.word  0b,8b\n"
+			STR(PTR) " 1b,8b\n"
+			STR(PTR) " 2b,8b\n"
+			STR(PTR) " 3b,8b\n"
+			STR(PTR) " 4b,8b\n"
+			STR(PTR) " 5b,8b\n"
+			STR(PTR) " 6b,8b\n"
+			STR(PTR) " 7b,8b\n"
+			STR(PTR) " 0b,8b\n"
 			"	.previous\n"
 			"	.set    pop\n"
 			: "+&r"(rt), "=&r"(rs),
@@ -1819,14 +1820,14 @@ fpu_emul:
 			"	j	9b\n"
 			"	.previous\n"
 			"	.section        __ex_table,\"a\"\n"
-			"	.word	1b,8b\n"
-			"	.word	2b,8b\n"
-			"	.word	3b,8b\n"
-			"	.word	4b,8b\n"
-			"	.word	5b,8b\n"
-			"	.word	6b,8b\n"
-			"	.word	7b,8b\n"
-			"	.word	0b,8b\n"
+			STR(PTR) " 1b,8b\n"
+			STR(PTR) " 2b,8b\n"
+			STR(PTR) " 3b,8b\n"
+			STR(PTR) " 4b,8b\n"
+			STR(PTR) " 5b,8b\n"
+			STR(PTR) " 6b,8b\n"
+			STR(PTR) " 7b,8b\n"
+			STR(PTR) " 0b,8b\n"
 			"	.previous\n"
 			"	.set	pop\n"
 			: "+&r"(rt), "=&r"(rs),
@@ -1937,14 +1938,14 @@ fpu_emul:
 			"       j	9b\n"
 			"       .previous\n"
 			"       .section        __ex_table,\"a\"\n"
-			"       .word	1b,8b\n"
-			"       .word	2b,8b\n"
-			"       .word	3b,8b\n"
-			"       .word	4b,8b\n"
-			"       .word	5b,8b\n"
-			"       .word	6b,8b\n"
-			"       .word	7b,8b\n"
-			"       .word	0b,8b\n"
+			STR(PTR) " 1b,8b\n"
+			STR(PTR) " 2b,8b\n"
+			STR(PTR) " 3b,8b\n"
+			STR(PTR) " 4b,8b\n"
+			STR(PTR) " 5b,8b\n"
+			STR(PTR) " 6b,8b\n"
+			STR(PTR) " 7b,8b\n"
+			STR(PTR) " 0b,8b\n"
 			"       .previous\n"
 			"       .set	pop\n"
 			: "+&r"(rt), "=&r"(rs),
@@ -1999,7 +2000,7 @@ fpu_emul:
 			"j	2b\n"
 			".previous\n"
 			".section        __ex_table,\"a\"\n"
-			".word  1b, 3b\n"
+			STR(PTR) " 1b,3b\n"
 			".previous\n"
 			: "=&r"(res), "+&r"(err)
 			: "r"(vaddr), "i"(SIGSEGV)
@@ -2057,7 +2058,7 @@ fpu_emul:
 			"j	2b\n"
 			".previous\n"
 			".section        __ex_table,\"a\"\n"
-			".word	1b, 3b\n"
+			STR(PTR) " 1b,3b\n"
 			".previous\n"
 			: "+&r"(res), "+&r"(err)
 			: "r"(vaddr), "i"(SIGSEGV));
@@ -2118,7 +2119,7 @@ fpu_emul:
 			"j	2b\n"
 			".previous\n"
 			".section        __ex_table,\"a\"\n"
-			".word  1b, 3b\n"
+			STR(PTR) " 1b,3b\n"
 			".previous\n"
 			: "=&r"(res), "+&r"(err)
 			: "r"(vaddr), "i"(SIGSEGV)
@@ -2181,7 +2182,7 @@ fpu_emul:
 			"j	2b\n"
 			".previous\n"
 			".section        __ex_table,\"a\"\n"
-			".word	1b, 3b\n"
+			STR(PTR) " 1b,3b\n"
 			".previous\n"
 			: "+&r"(res), "+&r"(err)
 			: "r"(vaddr), "i"(SIGSEGV));
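Review bot: this is the twelfth asm block in the file where the same hand-written __ex_table entry had to be changed from .word to STR(PTR), and here the operand spacing changes as well ("1b, 3b" becomes "1b,3b"). Since every block repeats the same ".section __ex_table" / entry / ".previous" pattern, consider a small local macro for one table entry so that the entry size is defined in one place and a later addition cannot reintroduce a 32-bit .word entry on a 64-bit kernel.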
-- 
2.7.4


* [PATCH 4.2.y-ckt 076/206] usb: host: xhci-rcar: Avoid long wait in xhci_reset()
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Yoshihiro Shimoda, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit f879fc32aa0c96fbac261b3d857a1239d554ad01 upstream.

The firmware of R-Car USB 3.0 host controller will control the reset.
So, if the xhci driver doesn't do firmware downloading (e.g. kernel
configuration is CONFIG_USB_XHCI_PLATFORM=y and CONFIG_USB_XHCI_RCAR
is not set), the reset of USB 3.0 host controller doesn't work
correctly. Then, the host controller will cause a long wait in
xhci_reset() because the CMD_RESET bit of op_regs->command is not
cleared for 10 seconds.

So, this patch modifies the Kconfig to enable both CONFIG_USB_XHCI_PLATFORM
and CONFIG_USB_XHCI_RCAR.

Fixes: 4ac8918f3a7 (usb: host: xhci-plat: add support for the R-Car H2 and M2 xHCI controllers)
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Reviewed-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ kamal: backport to 4.2-stable: s/ARCH_RENESAS/ARCH_SHMOBILE/ ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/host/Kconfig | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/host/Kconfig b/drivers/usb/host/Kconfig
index 8afc3c1..a69b405 100644
--- a/drivers/usb/host/Kconfig
+++ b/drivers/usb/host/Kconfig
@@ -33,6 +33,7 @@ config USB_XHCI_PCI
 
 config USB_XHCI_PLATFORM
 	tristate
+	select USB_XHCI_RCAR if ARCH_SHMOBILE
 
 config USB_XHCI_MVEBU
 	tristate "xHCI support for Marvell Armada 375/38x"
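Review bot: the new "select USB_XHCI_RCAR if ARCH_SHMOBILE" under config USB_XHCI_PLATFORM carries no comment, and select ignores the selected symbol's own "depends on" lines, so any dependency added to USB_XHCI_RCAR later will be bypassed silently on ARCH_SHMOBILE. Please add a short comment above the select saying that the controller cannot be reset without the R-Car firmware download, so that the line is not removed later as an apparently redundant reverse dependency.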
@@ -44,7 +45,7 @@ config USB_XHCI_MVEBU
 
 config USB_XHCI_RCAR
 	tristate "xHCI support for Renesas R-Car SoCs"
-	select USB_XHCI_PLATFORM
+	depends on USB_XHCI_PLATFORM
 	depends on ARCH_SHMOBILE || COMPILE_TEST
 	---help---
 	  Say 'Y' to enable the support for the xHCI host controller
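Review bot: with "depends on USB_XHCI_PLATFORM" replacing the select, and USB_XHCI_PLATFORM being a promptless tristate, USB_XHCI_RCAR can be enabled under COMPILE_TEST only when some other option has already selected USB_XHCI_PLATFORM, so the "|| COMPILE_TEST" alternative loses most of its build coverage. If that is intended it deserves a sentence in the changelog, and the help text could mention that the option is now selected automatically on ARCH_SHMOBILE.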
-- 
2.7.4


* [PATCH 4.2.y-ckt 077/206] mfd: omap-usb-tll: Fix scheduling while atomic BUG
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Roger Quadros, Lee Jones, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Roger Quadros <rogerq@ti.com>

commit b49b927f16acee626c56a1af4ab4cb062f75b5df upstream.

We shouldn't be calling clk_prepare_enable()/clk_prepare_disable()
in an atomic context.

Fixes the following issue:

[    5.830970] ehci-omap: OMAP-EHCI Host Controller driver
[    5.830974] driver_register 'ehci-omap'
[    5.895849] driver_register 'wl1271_sdio'
[    5.896870] BUG: scheduling while atomic: udevd/994/0x00000002
[    5.896876] 4 locks held by udevd/994:
[    5.896904]  #0:  (&dev->mutex){......}, at: [<c049597c>] __driver_attach+0x60/0xac
[    5.896923]  #1:  (&dev->mutex){......}, at: [<c049598c>] __driver_attach+0x70/0xac
[    5.896946]  #2:  (tll_lock){+.+...}, at: [<c04c2630>] omap_tll_enable+0x2c/0xd0
[    5.896966]  #3:  (prepare_lock){+.+...}, at: [<c05ce9c8>] clk_prepare_lock+0x48/0xe0
[    5.897042] Modules linked in: wlcore_sdio(+) ehci_omap(+) dwc3_omap snd_soc_ts3a225e leds_is31fl319x bq27xxx_battery_i2c tsc2007 bq27xxx_battery bq2429x_charger ina2xx tca8418_keypad as5013 leds_tca6507 twl6040_vibra gpio_twl6040 bmp085_i2c(+) palmas_gpadc usb3503 palmas_pwrbutton bmg160_i2c(+) bmp085 bma150(+) bmg160_core bmp280 input_polldev snd_soc_omap_mcbsp snd_soc_omap_mcpdm snd_soc_omap snd_pcm_dmaengine
[    5.897048] Preemption disabled at:[<  (null)>]   (null)
[    5.897051]
[    5.897059] CPU: 0 PID: 994 Comm: udevd Not tainted 4.6.0-rc5-letux+ #233
[    5.897062] Hardware name: Generic OMAP5 (Flattened Device Tree)
[    5.897076] [<c010e714>] (unwind_backtrace) from [<c010af34>] (show_stack+0x10/0x14)
[    5.897087] [<c010af34>] (show_stack) from [<c040aa7c>] (dump_stack+0x88/0xc0)
[    5.897099] [<c040aa7c>] (dump_stack) from [<c020c558>] (__schedule_bug+0xac/0xd0)
[    5.897111] [<c020c558>] (__schedule_bug) from [<c06f3d44>] (__schedule+0x88/0x7e4)
[    5.897120] [<c06f3d44>] (__schedule) from [<c06f46d8>] (schedule+0x9c/0xc0)
[    5.897129] [<c06f46d8>] (schedule) from [<c06f4904>] (schedule_preempt_disabled+0x14/0x20)
[    5.897140] [<c06f4904>] (schedule_preempt_disabled) from [<c06f64e4>] (mutex_lock_nested+0x258/0x43c)
[    5.897150] [<c06f64e4>] (mutex_lock_nested) from [<c05ce9c8>] (clk_prepare_lock+0x48/0xe0)
[    5.897160] [<c05ce9c8>] (clk_prepare_lock) from [<c05d0e7c>] (clk_prepare+0x10/0x28)
[    5.897169] [<c05d0e7c>] (clk_prepare) from [<c04c2668>] (omap_tll_enable+0x64/0xd0)
[    5.897180] [<c04c2668>] (omap_tll_enable) from [<c04c1728>] (usbhs_runtime_resume+0x18/0x17c)
[    5.897192] [<c04c1728>] (usbhs_runtime_resume) from [<c049d404>] (pm_generic_runtime_resume+0x2c/0x40)
[    5.897202] [<c049d404>] (pm_generic_runtime_resume) from [<c049f180>] (__rpm_callback+0x38/0x68)
[    5.897210] [<c049f180>] (__rpm_callback) from [<c049f220>] (rpm_callback+0x70/0x88)
[    5.897218] [<c049f220>] (rpm_callback) from [<c04a0a00>] (rpm_resume+0x4ec/0x7ec)
[    5.897227] [<c04a0a00>] (rpm_resume) from [<c04a0f48>] (__pm_runtime_resume+0x4c/0x64)
[    5.897236] [<c04a0f48>] (__pm_runtime_resume) from [<c04958dc>] (driver_probe_device+0x30/0x70)
[    5.897246] [<c04958dc>] (driver_probe_device) from [<c04959a4>] (__driver_attach+0x88/0xac)
[    5.897256] [<c04959a4>] (__driver_attach) from [<c04940f8>] (bus_for_each_dev+0x50/0x84)
[    5.897267] [<c04940f8>] (bus_for_each_dev) from [<c0494e40>] (bus_add_driver+0xcc/0x1e4)
[    5.897276] [<c0494e40>] (bus_add_driver) from [<c0496914>] (driver_register+0xac/0xf4)
[    5.897286] [<c0496914>] (driver_register) from [<c01018e0>] (do_one_initcall+0x100/0x1b8)
[    5.897296] [<c01018e0>] (do_one_initcall) from [<c01c7a54>] (do_init_module+0x58/0x1c0)
[    5.897304] [<c01c7a54>] (do_init_module) from [<c01c8a3c>] (SyS_finit_module+0x88/0x90)
[    5.897313] [<c01c8a3c>] (SyS_finit_module) from [<c0107120>] (ret_fast_syscall+0x0/0x1c)
[    5.912697] ------------[ cut here ]------------
[    5.912711] WARNING: CPU: 0 PID: 994 at kernel/sched/core.c:2996 _raw_spin_unlock+0x28/0x58
[    5.912717] DEBUG_LOCKS_WARN_ON(val > preempt_count())

Reported-by: H. Nikolaus Schaller <hns@goldelico.com>
Tested-by: H. Nikolaus Schaller <hns@goldelico.com>
Signed-off-by: Roger Quadros <rogerq@ti.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/mfd/omap-usb-tll.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/mfd/omap-usb-tll.c b/drivers/mfd/omap-usb-tll.c
index b7b3e8e..c30290f 100644
--- a/drivers/mfd/omap-usb-tll.c
+++ b/drivers/mfd/omap-usb-tll.c
@@ -269,6 +269,8 @@ static int usbtll_omap_probe(struct platform_device *pdev)
 
 		if (IS_ERR(tll->ch_clk[i]))
 			dev_dbg(dev, "can't get clock : %s\n", clkname);
+		else
+			clk_prepare(tll->ch_clk[i]);
 	}
 
 	pm_runtime_put_sync(dev);
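Review bot: the return value of clk_prepare(tll->ch_clk[i]) in the new else branch is ignored. If prepare fails, omap_tll_enable() will later call clk_enable() on a clock that was never prepared, and usbtll_omap_remove() will call clk_unprepare() without a matching prepare. Check the result here and, on failure, either fail the probe or release the clock and store an error pointer in tll->ch_clk[i] so that the existing IS_ERR() checks skip it everywhere else.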
@@ -301,9 +303,12 @@ static int usbtll_omap_remove(struct platform_device *pdev)
 	tll_dev = NULL;
 	spin_unlock(&tll_lock);
 
-	for (i = 0; i < tll->nch; i++)
-		if (!IS_ERR(tll->ch_clk[i]))
+	for (i = 0; i < tll->nch; i++) {
+		if (!IS_ERR(tll->ch_clk[i])) {
+			clk_unprepare(tll->ch_clk[i]);
 			clk_put(tll->ch_clk[i]);
+		}
+	}
 
 	pm_runtime_disable(&pdev->dev);
 	return 0;
@@ -420,7 +425,7 @@ int omap_tll_enable(struct usbhs_omap_platform_data *pdata)
 			if (IS_ERR(tll->ch_clk[i]))
 				continue;
 
-			r = clk_prepare_enable(tll->ch_clk[i]);
+			r = clk_enable(tll->ch_clk[i]);
 			if (r) {
 				dev_err(tll_dev,
 				 "Error enabling ch %d clock: %d\n", i, r);
@@ -448,7 +453,7 @@ int omap_tll_disable(struct usbhs_omap_platform_data *pdata)
 	for (i = 0; i < tll->nch; i++) {
 		if (omap_usb_mode_needs_tll(pdata->port_mode[i])) {
 			if (!IS_ERR(tll->ch_clk[i]))
-				clk_disable_unprepare(tll->ch_clk[i]);
+				clk_disable(tll->ch_clk[i]);
 		}
 	}
 
-- 
2.7.4


* [PATCH 4.2.y-ckt 078/206] USB: serial: io_edgeport: fix memory leaks in attach error path
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Johan Hovold, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Johan Hovold <johan@kernel.org>

commit c5c0c55598cefc826d6cfb0a417eeaee3631715c upstream.

Private data, URBs and buffers allocated for Epic devices during
attach were never released on errors (e.g. missing endpoints).

Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/serial/io_edgeport.c | 39 ++++++++++++++++++++++++++++-----------
 1 file changed, 28 insertions(+), 11 deletions(-)

diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c
index c086697..1106e7d 100644
--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -2856,14 +2856,16 @@ static int edge_startup(struct usb_serial *serial)
 				/* not set up yet, so do it now */
 				edge_serial->interrupt_read_urb =
 						usb_alloc_urb(0, GFP_KERNEL);
-				if (!edge_serial->interrupt_read_urb)
-					return -ENOMEM;
+				if (!edge_serial->interrupt_read_urb) {
+					response = -ENOMEM;
+					break;
+				}
 
 				edge_serial->interrupt_in_buffer =
 					kmalloc(buffer_size, GFP_KERNEL);
 				if (!edge_serial->interrupt_in_buffer) {
-					usb_free_urb(edge_serial->interrupt_read_urb);
-					return -ENOMEM;
+					response = -ENOMEM;
+					break;
 				}
 				edge_serial->interrupt_in_endpoint =
 						endpoint->bEndpointAddress;
@@ -2891,14 +2893,16 @@ static int edge_startup(struct usb_serial *serial)
 				/* not set up yet, so do it now */
 				edge_serial->read_urb =
 						usb_alloc_urb(0, GFP_KERNEL);
-				if (!edge_serial->read_urb)
-					return -ENOMEM;
+				if (!edge_serial->read_urb) {
+					response = -ENOMEM;
+					break;
+				}
 
 				edge_serial->bulk_in_buffer =
 					kmalloc(buffer_size, GFP_KERNEL);
 				if (!edge_serial->bulk_in_buffer) {
-					usb_free_urb(edge_serial->read_urb);
-					return -ENOMEM;
+					response = -ENOMEM;
+					break;
 				}
 				edge_serial->bulk_in_endpoint =
 						endpoint->bEndpointAddress;
@@ -2924,9 +2928,22 @@ static int edge_startup(struct usb_serial *serial)
 			}
 		}
 
-		if (!interrupt_in_found || !bulk_in_found || !bulk_out_found) {
-			dev_err(ddev, "Error - the proper endpoints were not found!\n");
-			return -ENODEV;
+		if (response || !interrupt_in_found || !bulk_in_found ||
+							!bulk_out_found) {
+			if (!response) {
+				dev_err(ddev, "expected endpoints not found\n");
+				response = -ENODEV;
+			}
+
+			usb_free_urb(edge_serial->interrupt_read_urb);
+			kfree(edge_serial->interrupt_in_buffer);
+
+			usb_free_urb(edge_serial->read_urb);
+			kfree(edge_serial->bulk_in_buffer);
+
+			kfree(edge_serial);
+
+			return response;
 		}
 
 		/* start interrupt read for this edgeport this interrupt will
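Review bot: the new cleanup block frees edge_serial->interrupt_read_urb, interrupt_in_buffer, read_urb and bulk_in_buffer unconditionally, which is safe only if edge_serial was zero-initialised, so that the fields not reached before a "break" are still NULL (usb_free_urb() and kfree() both accept NULL). The allocation is outside these hunks, so please confirm it is zeroing, and that "response" is 0 when the endpoint loop is entered, because "if (response || !interrupt_in_found || ..." now depends on it. A one-line comment on the block stating the NULL assumption would help the next reader.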
-- 
2.7.4


* [PATCH 4.2.y-ckt 079/206] USB: serial: io_edgeport: fix memory leaks in probe error path
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Johan Hovold, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Johan Hovold <johan@kernel.org>

commit c8d62957d450cc1a22ce3242908709fe367ddc8e upstream.

URBs and buffers allocated in attach for Epic devices would never be
deallocated in case of a later probe error (e.g. failure to allocate
minor numbers) as disconnect is then never called.

Fix by moving deallocation to release and making sure that the
URBs are first unlinked.

Fixes: f9c99bb8b3a1 ("USB: usb-serial: replace shutdown with disconnect,
release")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/serial/io_edgeport.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c
index 1106e7d..1947ea0 100644
--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -2966,16 +2966,9 @@ static void edge_disconnect(struct usb_serial *serial)
 {
 	struct edgeport_serial *edge_serial = usb_get_serial_data(serial);
 
-	/* stop reads and writes on all ports */
-	/* free up our endpoint stuff */
 	if (edge_serial->is_epic) {
 		usb_kill_urb(edge_serial->interrupt_read_urb);
-		usb_free_urb(edge_serial->interrupt_read_urb);
-		kfree(edge_serial->interrupt_in_buffer);
-
 		usb_kill_urb(edge_serial->read_urb);
-		usb_free_urb(edge_serial->read_urb);
-		kfree(edge_serial->bulk_in_buffer);
 	}
 }
 
@@ -2988,6 +2981,16 @@ static void edge_release(struct usb_serial *serial)
 {
 	struct edgeport_serial *edge_serial = usb_get_serial_data(serial);
 
+	if (edge_serial->is_epic) {
+		usb_kill_urb(edge_serial->interrupt_read_urb);
+		usb_free_urb(edge_serial->interrupt_read_urb);
+		kfree(edge_serial->interrupt_in_buffer);
+
+		usb_kill_urb(edge_serial->read_urb);
+		usb_free_urb(edge_serial->read_urb);
+		kfree(edge_serial->bulk_in_buffer);
+	}
+
 	kfree(edge_serial);
 }
 
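Review bot: the "if (edge_serial->is_epic)" block added to edge_release() repeats the usb_kill_urb() calls that edge_disconnect() still makes, and nothing in the code says why. Please add a short comment that release can run without a preceding disconnect after a late probe error, so the URBs must be unlinked here before usb_free_urb() and kfree(); otherwise the second kill looks redundant and is likely to be removed in a later cleanup.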
-- 
2.7.4


* [PATCH 4.2.y-ckt 080/206] USB: serial: keyspan: fix use-after-free in probe error path
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Johan Hovold, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Johan Hovold <johan@kernel.org>

commit 35be1a71d70775e7bd7e45fa6d2897342ff4c9d2 upstream.

The interface instat and indat URBs were submitted in attach, but never
unlinked in release before deallocating the corresponding transfer
buffers.

In the case of a late probe error (e.g. due to failed minor allocation),
disconnect would not have been called before release, causing the
buffers to be freed while the URBs are still in use. We'd also end up
with active URBs for an unbound interface.

Fixes: f9c99bb8b3a1 ("USB: usb-serial: replace shutdown with disconnect,
release")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/serial/keyspan.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c
index e07b15e..7faa901 100644
--- a/drivers/usb/serial/keyspan.c
+++ b/drivers/usb/serial/keyspan.c
@@ -2376,6 +2376,10 @@ static void keyspan_release(struct usb_serial *serial)
 
 	s_priv = usb_get_serial_data(serial);
 
+	/* Make sure to unlink the URBs submitted in attach. */
+	usb_kill_urb(s_priv->instat_urb);
+	usb_kill_urb(s_priv->indat_urb);
+
 	usb_free_urb(s_priv->instat_urb);
 	usb_free_urb(s_priv->indat_urb);
 	usb_free_urb(s_priv->glocont_urb);
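Review bot: usb_free_urb(s_priv->glocont_urb) in the trailing context is still not preceded by a usb_kill_urb(). The changelog names only the instat and indat URBs as submitted in attach; if glocont_urb can never be in flight when release runs after a late probe error, extend the new comment to say so, otherwise it needs the same unlink before it is freed.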
-- 
2.7.4


* [PATCH 4.2.y-ckt 081/206] USB: serial: mxuport: fix use-after-free in probe error path
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Johan Hovold, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Johan Hovold <johan@kernel.org>

commit 9e45284984096314994777f27e1446dfbfd2f0d7 upstream.

The interface read and event URBs are submitted in attach, but were
never explicitly unlinked by the driver. Instead the URBs would have
been killed by usb-serial core on disconnect.

In case of a late probe error (e.g. due to failed minor allocation),
disconnect is never called and we could end up with active URBs for an
unbound interface. This in turn could lead to deallocated memory being
dereferenced in the completion callbacks.

Fixes: ee467a1f2066 ("USB: serial: add Moxa UPORT 12XX/14XX/16XX
driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/serial/mxuport.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/usb/serial/mxuport.c b/drivers/usb/serial/mxuport.c
index 460a406..d029b2f 100644
--- a/drivers/usb/serial/mxuport.c
+++ b/drivers/usb/serial/mxuport.c
@@ -1263,6 +1263,15 @@ static int mxuport_attach(struct usb_serial *serial)
 	return 0;
 }
 
+static void mxuport_release(struct usb_serial *serial)
+{
+	struct usb_serial_port *port0 = serial->port[0];
+	struct usb_serial_port *port1 = serial->port[1];
+
+	usb_serial_generic_close(port1);
+	usb_serial_generic_close(port0);
+}
+
 static int mxuport_open(struct tty_struct *tty, struct usb_serial_port *port)
 {
 	struct mxuport_port *mxport = usb_get_serial_port_data(port);
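Review bot: mxuport_release() indexes serial->port[0] and serial->port[1] directly and calls usb_serial_generic_close() on them with no comment, so it is not obvious that the purpose is to unlink the read and event URBs submitted in attach, nor that both ports are guaranteed to exist. Please add a comment naming the URBs this stops and why release, not only disconnect, has to do it, and either state the two-port assumption or guard against a device that reports fewer ports.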
@@ -1365,6 +1374,7 @@ static struct usb_serial_driver mxuport_device = {
 	.probe			= mxuport_probe,
 	.port_probe		= mxuport_port_probe,
 	.attach			= mxuport_attach,
+	.release		= mxuport_release,
 	.calc_num_ports		= mxuport_calc_num_ports,
 	.open			= mxuport_open,
 	.close			= mxuport_close,
-- 
2.7.4


* [PATCH 4.2.y-ckt 082/206] USB: serial: quatech2: fix use-after-free in probe error path
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Johan Hovold, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Johan Hovold <johan@kernel.org>

commit 028c49f5e02a257c94129cd815f7c8485f51d4ef upstream.

The interface read URB is submitted in attach, but was only unlinked by
the driver at disconnect.

In case of a late probe error (e.g. due to failed minor allocation),
disconnect is never called and we would end up with active URBs for an
unbound interface. This in turn could lead to deallocated memory being
dereferenced in the completion callback.

Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/serial/quatech2.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/serial/quatech2.c b/drivers/usb/serial/quatech2.c
index 504f5bf..b18974c 100644
--- a/drivers/usb/serial/quatech2.c
+++ b/drivers/usb/serial/quatech2.c
@@ -141,6 +141,7 @@ static void qt2_release(struct usb_serial *serial)
 
 	serial_priv = usb_get_serial_data(serial);
 
+	usb_kill_urb(serial_priv->read_urb);
 	usb_free_urb(serial_priv->read_urb);
 	kfree(serial_priv->read_buffer);
 	kfree(serial_priv);
-- 
2.7.4


* [PATCH 4.2.y-ckt 083/206] crypto: caam - fix caam_jr_alloc() ret code
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Catalin Vasile, Herbert Xu, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Catalin Vasile <cata.vasile@nxp.com>

commit e930c765ca5c6b039cd22ebfb4504ea7b5dab43d upstream.

caam_jr_alloc() used to return NULL if a JR device could not be
allocated for a session. In turn, every user of this function used
IS_ERR() function to verify if anything went wrong, which does NOT look
for NULL values. This made the kernel crash if the sanity check failed,
because the driver continued to think it had allocated a valid JR dev
instance to the session and at some point it tries to do a caam_jr_free()
on a NULL JR dev pointer.
This patch is a fix for this issue.

Signed-off-by: Catalin Vasile <cata.vasile@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/crypto/caam/jr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/crypto/caam/jr.c b/drivers/crypto/caam/jr.c
index b8b5d47..9bfd410 100644
--- a/drivers/crypto/caam/jr.c
+++ b/drivers/crypto/caam/jr.c
@@ -241,7 +241,7 @@ static void caam_jr_dequeue(unsigned long devarg)
 struct device *caam_jr_alloc(void)
 {
 	struct caam_drv_private_jr *jrpriv, *min_jrpriv = NULL;
-	struct device *dev = NULL;
+	struct device *dev = ERR_PTR(-ENODEV);
 	int min_tfm_cnt	= INT_MAX;
 	int tfm_cnt;
 
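Review bot: changing the initialiser to ERR_PTR(-ENODEV) changes the failure contract of caam_jr_alloc() from NULL to an error pointer, and nothing at the definition records it. Please add a kernel-doc line above "struct device *caam_jr_alloc(void)" stating that the function returns an ERR_PTR() on failure and never NULL, and confirm that no caller still tests the result against NULL, since such a check would now pass an error pointer through as a valid device.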
-- 
2.7.4


* [PATCH 4.2.y-ckt 084/206] MIPS: KVM: Fix timer IRQ race when freezing timer
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: James Hogan, Paolo Bonzini,
	Radim Krčmář,
	Ralf Baechle, linux-mips, kvm, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: James Hogan <james.hogan@imgtec.com>

commit 4355c44f063d3de4f072d796604c7f4ba4085cc3 upstream.

There's a particularly narrow and subtle race condition when the
software emulated guest timer is frozen which can allow a guest timer
interrupt to be missed.

This happens due to the hrtimer expiry being inexact, so very
occasionally the freeze time will be after the moment when the emulated
CP0_Count transitions to the same value as CP0_Compare (so an IRQ should
be generated), but before the moment when the hrtimer is due to expire
(so no IRQ is generated). The IRQ won't be generated when the timer is
resumed either, since the resume CP0_Count will already match CP0_Compare.

With VZ guests in particular this is far more likely to happen, since
the soft timer may be frozen frequently in order to restore the timer
state to the hardware guest timer. This happens after 5-10 hours of
guest soak testing, resulting in an overflow in guest kernel timekeeping
calculations, hanging the guest. A more focussed test case to
intentionally hit the race (with the help of a new hypcall to cause the
timer state to be migrated between hardware & software) hits the condition
fairly reliably within around 30 seconds.

Instead of relying purely on the inexact hrtimer expiry to determine
whether an IRQ should be generated, read the guest CP0_Compare and
directly check whether the freeze time is before or after it. Only if
CP0_Count is on or after CP0_Compare do we check the hrtimer expiry to
determine whether the last IRQ has already been generated (which will
have pushed back the expiry by one timer period).

Fixes: e30492bbe95a ("MIPS: KVM: Rewrite count/compare timer emulation")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/kvm/emulate.c | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c
index 41b1b09..eaf77b5 100644
--- a/arch/mips/kvm/emulate.c
+++ b/arch/mips/kvm/emulate.c
@@ -302,12 +302,31 @@ static inline ktime_t kvm_mips_count_time(struct kvm_vcpu *vcpu)
  */
 static uint32_t kvm_mips_read_count_running(struct kvm_vcpu *vcpu, ktime_t now)
 {
-	ktime_t expires;
+	struct mips_coproc *cop0 = vcpu->arch.cop0;
+	ktime_t expires, threshold;
+	uint32_t count, compare;
 	int running;
 
-	/* Is the hrtimer pending? */
+	/* Calculate the biased and scaled guest CP0_Count */
+	count = vcpu->arch.count_bias + kvm_mips_ktime_to_count(vcpu, now);
+	compare = kvm_read_c0_guest_compare(cop0);
+
+	/*
+	 * Find whether CP0_Count has reached the closest timer interrupt. If
+	 * not, we shouldn't inject it.
+	 */
+	if ((int32_t)(count - compare) < 0)
+		return count;
+
+	/*
+	 * The CP0_Count we're going to return has already reached the closest
+	 * timer interrupt. Quickly check if it really is a new interrupt by
+	 * looking at whether the interval until the hrtimer expiry time is
+	 * less than 1/4 of the timer period.
+	 */
 	expires = hrtimer_get_expires(&vcpu->arch.comparecount_timer);
-	if (ktime_compare(now, expires) >= 0) {
+	threshold = ktime_add_ns(now, vcpu->arch.count_period / 4);
+	if (ktime_before(expires, threshold)) {
 		/*
 		 * Cancel it while we handle it so there's no chance of
 		 * interference with the timeout handler.
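Review bot: the `count_period / 4` threshold in the new `ktime_before(expires, threshold)` test is a bare heuristic. The comment says the interval must be under a quarter of the timer period but not why a quarter is a safe bound on how late the hrtimer can run. A named constant with one sentence on the assumption would help, as would a note that `(int32_t)(count - compare) < 0` is a deliberate wrap-safe comparison, so nobody later simplifies it to `count < compare`.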
@@ -329,8 +348,7 @@ static uint32_t kvm_mips_read_count_running(struct kvm_vcpu *vcpu, ktime_t now)
 		}
 	}
 
-	/* Return the biased and scaled guest CP0_Count */
-	return vcpu->arch.count_bias + kvm_mips_ktime_to_count(vcpu, now);
+	return count;
 }
 
 /**
-- 
2.7.4
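A user-space model of the inject decision that patch 084 changes, as an added example that is not part of the patch or of the kernel source. The tick rate, the struct and all function names are constructed for illustration; the model only returns the decision and does not cancel or re-arm any timer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model parameters (assumptions, not kernel values). */
#define NS_PER_TICK  10LL                         /* 100 MHz guest counter */
#define COUNT_PERIOD ((1LL << 32) * NS_PER_TICK)  /* ns for CP0_Count to wrap */

struct timer_model {
	uint32_t count_bias;  /* offset added to the scaled monotonic time */
	uint32_t compare;     /* guest CP0_Compare */
	int64_t  expires_ns;  /* when the (inexact) hrtimer is due */
};

/* Biased and scaled guest CP0_Count at time now_ns (wraps at 2^32). */
static uint32_t model_count(const struct timer_model *t, int64_t now_ns)
{
	return t->count_bias + (uint32_t)(now_ns / NS_PER_TICK);
}

/*
 * Wrap-safe "Count has reached Compare": true when count is between 0 and
 * 2^31-1 ticks past compare. A plain count >= compare breaks at the wrap.
 */
static bool count_reached_compare(uint32_t count, uint32_t compare)
{
	return (int32_t)(count - compare) >= 0;
}

/* Pre-patch decision: trust only the hrtimer expiry time. */
static bool inject_old(const struct timer_model *t, int64_t now_ns)
{
	return now_ns >= t->expires_ns;
}

/*
 * Post-patch decision: first compare Count against Compare directly, then
 * use the expiry only to tell "not handled yet" (expiry near now) from
 * "already handled" (expiry pushed back by one full period).
 */
static bool inject_new(const struct timer_model *t, int64_t now_ns)
{
	uint32_t count = model_count(t, now_ns);

	if (!count_reached_compare(count, t->compare))
		return false;
	return t->expires_ns < now_ns + COUNT_PERIOD / 4;
}

/* Convenience wrapper so one call describes a whole scenario. */
static bool decide(bool patched, uint32_t bias, uint32_t compare,
		   int64_t expires_ns, int64_t now_ns)
{
	struct timer_model t = { bias, compare, expires_ns };

	return patched ? inject_new(&t, now_ns) : inject_old(&t, now_ns);
}

int main(void)
{
	/*
	 * Constructed scenario: Compare = 1000 ticks, so the exact match is at
	 * 10000 ns, but the hrtimer is due at 10050 ns. Freezing at 10020 ns
	 * falls inside the window described in the changelog.
	 */
	printf("race window, old logic injects: %d\n",
	       decide(false, 0, 1000, 10050, 10020));
	printf("race window, new logic injects: %d\n",
	       decide(true, 0, 1000, 10050, 10020));
	/* Before the match: no interrupt either way. */
	printf("before match, new logic injects: %d\n",
	       decide(true, 0, 1000, 10050, 9990));
	/* IRQ already delivered, expiry pushed back a period: no duplicate. */
	printf("already handled, new logic injects: %d\n",
	       decide(true, 0, 1000, 10050 + COUNT_PERIOD, 10100));
	/* Count about to wrap while Compare sits just past zero. */
	printf("wrap case reached: %d\n",
	       count_reached_compare(0xFFFFFF00u, 0x00000010u));
	return 0;
}
```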


* [PATCH 4.2.y-ckt 085/206] MIPS: KVM: Fix timer IRQ race when writing CP0_Compare
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (83 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 084/206] MIPS: KVM: Fix timer IRQ race when freezing timer Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 086/206] gcov: disable tree-loop-im to reduce stack usage Kamal Mostafa
                   ` (120 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: James Hogan, Paolo Bonzini,
	Radim Krčmář,
	Ralf Baechle, linux-mips, kvm, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: James Hogan <james.hogan@imgtec.com>

commit b45bacd2d048f405c7760e5cc9b60dd67708734f upstream.

Writing CP0_Compare clears the timer interrupt pending bit
(CP0_Cause.TI), but this wasn't being done atomically. If a timer
interrupt raced with the write of the guest CP0_Compare, the timer
interrupt could end up being pending even though the new CP0_Compare is
nowhere near CP0_Count.

We were already updating the hrtimer expiry with
kvm_mips_update_hrtimer(), which used both kvm_mips_freeze_hrtimer() and
kvm_mips_resume_hrtimer(). Close the race window by expanding out
kvm_mips_update_hrtimer(), and clearing CP0_Cause.TI and setting
CP0_Compare between the freeze and resume. Since the pending timer
interrupt should not be cleared when CP0_Compare is written via the KVM
user API, an ack argument is added to distinguish the source of the
write.

Fixes: e30492bbe95a ("MIPS: KVM: Rewrite count/compare timer emulation")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/include/asm/kvm_host.h |  2 +-
 arch/mips/kvm/emulate.c          | 61 ++++++++++++++++++----------------------
 arch/mips/kvm/trap_emul.c        |  2 +-
 3 files changed, 29 insertions(+), 36 deletions(-)

diff --git a/arch/mips/include/asm/kvm_host.h b/arch/mips/include/asm/kvm_host.h
index e8c8d9d..4afe1ec 100644
--- a/arch/mips/include/asm/kvm_host.h
+++ b/arch/mips/include/asm/kvm_host.h
@@ -782,7 +782,7 @@ extern enum emulation_result kvm_mips_complete_mmio_load(struct kvm_vcpu *vcpu,
 
 uint32_t kvm_mips_read_count(struct kvm_vcpu *vcpu);
 void kvm_mips_write_count(struct kvm_vcpu *vcpu, uint32_t count);
-void kvm_mips_write_compare(struct kvm_vcpu *vcpu, uint32_t compare);
+void kvm_mips_write_compare(struct kvm_vcpu *vcpu, uint32_t compare, bool ack);
 void kvm_mips_init_count(struct kvm_vcpu *vcpu);
 int kvm_mips_set_count_ctl(struct kvm_vcpu *vcpu, s64 count_ctl);
 int kvm_mips_set_count_resume(struct kvm_vcpu *vcpu, s64 count_resume);
diff --git a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c
index eaf77b5..dc10c77 100644
--- a/arch/mips/kvm/emulate.c
+++ b/arch/mips/kvm/emulate.c
@@ -438,32 +438,6 @@ static void kvm_mips_resume_hrtimer(struct kvm_vcpu *vcpu,
 }
 
 /**
- * kvm_mips_update_hrtimer() - Update next expiry time of hrtimer.
- * @vcpu:	Virtual CPU.
- *
- * Recalculates and updates the expiry time of the hrtimer. This can be used
- * after timer parameters have been altered which do not depend on the time that
- * the change occurs (in those cases kvm_mips_freeze_hrtimer() and
- * kvm_mips_resume_hrtimer() are used directly).
- *
- * It is guaranteed that no timer interrupts will be lost in the process.
- *
- * Assumes !kvm_mips_count_disabled(@vcpu) (guest CP0_Count timer is running).
- */
-static void kvm_mips_update_hrtimer(struct kvm_vcpu *vcpu)
-{
-	ktime_t now;
-	uint32_t count;
-
-	/*
-	 * freeze_hrtimer takes care of a timer interrupts <= count, and
-	 * resume_hrtimer the hrtimer takes care of a timer interrupts > count.
-	 */
-	now = kvm_mips_freeze_hrtimer(vcpu, &count);
-	kvm_mips_resume_hrtimer(vcpu, now, count);
-}
-
-/**
  * kvm_mips_write_count() - Modify the count and update timer.
  * @vcpu:	Virtual CPU.
  * @count:	Guest CP0_Count value to set.
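Review bot: the kernel-doc deleted along with kvm_mips_update_hrtimer() carried the sentence "It is guaranteed that no timer interrupts will be lost in the process", and that guarantee now rests on whoever open-codes the freeze/resume pair. Please carry the sentence over to the kernel-doc of kvm_mips_write_compare() so the invariant stays documented.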
@@ -558,23 +532,42 @@ int kvm_mips_set_count_hz(struct kvm_vcpu *vcpu, s64 count_hz)
  * kvm_mips_write_compare() - Modify compare and update timer.
  * @vcpu:	Virtual CPU.
  * @compare:	New CP0_Compare value.
+ * @ack:	Whether to acknowledge timer interrupt.
  *
  * Update CP0_Compare to a new value and update the timeout.
+ * If @ack, atomically acknowledge any pending timer interrupt, otherwise ensure
+ * any pending timer interrupt is preserved.
  */
-void kvm_mips_write_compare(struct kvm_vcpu *vcpu, uint32_t compare)
+void kvm_mips_write_compare(struct kvm_vcpu *vcpu, uint32_t compare, bool ack)
 {
 	struct mips_coproc *cop0 = vcpu->arch.cop0;
+	int dc;
+	u32 old_compare = kvm_read_c0_guest_compare(cop0);
+	ktime_t now;
+	uint32_t count;
 
 	/* if unchanged, must just be an ack */
-	if (kvm_read_c0_guest_compare(cop0) == compare)
+	if (old_compare == compare) {
+		if (!ack)
+			return;
+		kvm_mips_callbacks->dequeue_timer_int(vcpu);
+		kvm_write_c0_guest_compare(cop0, compare);
 		return;
+	}
+
+	/* freeze_hrtimer() takes care of timer interrupts <= count */
+	dc = kvm_mips_count_disabled(vcpu);
+	if (!dc)
+		now = kvm_mips_freeze_hrtimer(vcpu, &count);
+
+	if (ack)
+		kvm_mips_callbacks->dequeue_timer_int(vcpu);
 
-	/* Update compare */
 	kvm_write_c0_guest_compare(cop0, compare);
 
-	/* Update timeout if count enabled */
-	if (!kvm_mips_count_disabled(vcpu))
-		kvm_mips_update_hrtimer(vcpu);
+	/* resume_hrtimer() takes care of timer interrupts > count */
+	if (!dc)
+		kvm_mips_resume_hrtimer(vcpu, now, count);
 }
 
 /**
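Review bot: in the `old_compare == compare` branch, `dequeue_timer_int()` runs without the kvm_mips_freeze_hrtimer()/kvm_mips_resume_hrtimer() bracket that the rest of the function uses to make the ack atomic. If that is safe for an unchanged compare value, a comment should say why. The retained comment `/* if unchanged, must just be an ack */` also no longer holds for the `!ack` case, and `now` and `count` are assigned only under `if (!dc)`, which some compilers will flag as maybe-uninitialized.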
@@ -1113,9 +1106,9 @@ enum emulation_result kvm_mips_emulate_CP0(uint32_t inst, uint32_t *opc,
 
 				/* If we are writing to COMPARE */
 				/* Clear pending timer interrupt, if any */
-				kvm_mips_callbacks->dequeue_timer_int(vcpu);
 				kvm_mips_write_compare(vcpu,
-						       vcpu->arch.gprs[rt]);
+						       vcpu->arch.gprs[rt],
+						       true);
 			} else if ((rd == MIPS_CP0_STATUS) && (sel == 0)) {
 				unsigned int old_val, val, change;
 
diff --git a/arch/mips/kvm/trap_emul.c b/arch/mips/kvm/trap_emul.c
index d836ed5..307cc4c 100644
--- a/arch/mips/kvm/trap_emul.c
+++ b/arch/mips/kvm/trap_emul.c
@@ -547,7 +547,7 @@ static int kvm_trap_emul_set_one_reg(struct kvm_vcpu *vcpu,
 		kvm_mips_write_count(vcpu, v);
 		break;
 	case KVM_REG_MIPS_CP0_COMPARE:
-		kvm_mips_write_compare(vcpu, v);
+		kvm_mips_write_compare(vcpu, v, false);
 		break;
 	case KVM_REG_MIPS_CP0_CAUSE:
 		/*
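Review bot: the bare `false` at this call site gives no hint why the set_one_reg path differs from the emulated guest write. A one-line comment that a CP0_Compare write through the user API must preserve a pending timer interrupt would make the intent visible here.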
-- 
2.7.4


* [PATCH 4.2.y-ckt 086/206] gcov: disable tree-loop-im to reduce stack usage
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (84 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 085/206] MIPS: KVM: Fix timer IRQ race when writing CP0_Compare Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 087/206] irqchip/gic: Ensure ordering between read of INTACK and shared data Kamal Mostafa
                   ` (119 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Arnd Bergmann, Michal Marek, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Arnd Bergmann <arnd@arndb.de>

commit c87bf431448b404a6ef5fbabd74c0e3e42157a7f upstream.

Enabling CONFIG_GCOV_PROFILE_ALL produces a lot of warnings like

lib/lz4/lz4hc_compress.c: In function 'lz4_compresshcctx':
lib/lz4/lz4hc_compress.c:514:1: warning: the frame size of 1504 bytes is larger than 1024 bytes [-Wframe-larger-than=]

After some investigation, I found that this behavior started with gcc-4.9,
and opened https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69702.
A suggested workaround for it is to use the -fno-tree-loop-im
flag that turns off one of the optimization stages in gcc, so the
code runs a little slower but does not use excessive amounts
of stack.

We could make this conditional on the gcc version, but I could not
find an easy way to do this in Kbuild and the benefit would be
fairly small, given that most of the gcc versions in production are
affected now.

I'm marking this for 'stable' backports because it addresses a bug
with code generation in gcc that exists in all kernel versions
with the affected gcc releases.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Peter Oberparleiter <oberpar@linux.vnet.ibm.com>
Signed-off-by: Michal Marek <mmarek@suse.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index daa93e8..70e04ba 100644
--- a/Makefile
+++ b/Makefile
@@ -364,7 +364,7 @@ AFLAGS_MODULE   =
 LDFLAGS_MODULE  =
 CFLAGS_KERNEL	=
 AFLAGS_KERNEL	=
-CFLAGS_GCOV	= -fprofile-arcs -ftest-coverage
+CFLAGS_GCOV	= -fprofile-arcs -ftest-coverage -fno-tree-loop-im
 
 
 # Use USERINCLUDE when you must reference the UAPI directories only.
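Review bot: `-fno-tree-loop-im` is appended to CFLAGS_GCOV with no comment in the Makefile explaining that it is a compiler workaround. Add a comment pointing at https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69702 and the frame-size warnings it avoids, so the flag can be dropped once it is no longer needed instead of lingering as an unexplained optimisation switch.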
-- 
2.7.4


* [PATCH 4.2.y-ckt 087/206] irqchip/gic: Ensure ordering between read of INTACK and shared data
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (85 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 086/206] gcov: disable tree-loop-im to reduce stack usage Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 088/206] irqchip/gic-v3: Configure all interrupts as non-secure Group-1 Kamal Mostafa
                   ` (118 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Will Deacon, Marc Zyngier, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Will Deacon <will.deacon@arm.com>

commit f86c4fbd930ff6fecf3d8a1c313182bd0f49f496 upstream.

When an IPI is generated by a CPU, the pattern looks roughly like:

  <write shared data>
  smp_wmb();
  <write to GIC to signal SGI>

On the receiving CPU we rely on the fact that, once we've taken the
interrupt, then the freshly written shared data must be visible to us.
Put another way, the CPU isn't going to speculate taking an interrupt.

Unfortunately, this assumption turns out to be broken.

Consider that CPUx wants to send an IPI to CPUy, which will cause CPUy
to read some shared_data. Before CPUx has done anything, a random
peripheral raises an IRQ to the GIC and the IRQ line on CPUy is raised.
CPUy then takes the IRQ and starts executing the entry code, heading
towards gic_handle_irq. Furthermore, let's assume that a bunch of the
previous interrupts handled by CPUy were SGIs, so the branch predictor
kicks in and speculates that irqnr will be <16 and we're likely to
head into handle_IPI. The prefetcher then grabs a speculative copy of
shared_data which contains a stale value.

Meanwhile, CPUx gets round to updating shared_data and asking the GIC
to send an SGI to CPUy. Internally, the GIC decides that the SGI is
more important than the peripheral interrupt (which hasn't yet been
ACKed) but doesn't need to do anything to CPUy, because the IRQ line
is already raised.

CPUy then reads the ACK register on the GIC, sees the SGI value which
confirms the branch prediction and we end up with a stale shared_data
value.

This patch fixes the problem by adding an smp_rmb() to the IPI entry
code in gic_handle_irq. As it turns out, the combination of a control
dependency and an ISB instruction from the EOI in the GICv3 driver is
enough to provide the ordering we need, so we add a comment there
justifying the absence of an explicit smp_rmb().

Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/irqchip/irq-gic-v3.c | 7 +++++++
 drivers/irqchip/irq-gic.c    | 8 ++++++++
 2 files changed, 15 insertions(+)

diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c
index c52f7ba..f5c518b 100644
--- a/drivers/irqchip/irq-gic-v3.c
+++ b/drivers/irqchip/irq-gic-v3.c
@@ -353,6 +353,13 @@ static asmlinkage void __exception_irq_entry gic_handle_irq(struct pt_regs *regs
 		if (irqnr < 16) {
 			gic_write_eoir(irqnr);
 #ifdef CONFIG_SMP
+			/*
+			 * Unlike GICv2, we don't need an smp_rmb() here.
+			 * The control dependency from gic_read_iar to
+			 * the ISB in gic_write_eoir is enough to ensure
+			 * that any shared data read by handle_IPI will
+			 * be read after the ACK.
+			 */
 			handle_IPI(irqnr, regs);
 #else
 			WARN_ONCE(true, "Unexpected SGI received!\n");
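Review bot: this comment makes correctness depend on gic_write_eoir() containing an ISB, which is not visible at this call site. A matching comment at gic_write_eoir() stating that gic_handle_irq() relies on that ISB for ordering against handle_IPI() would protect it from being removed later.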
diff --git a/drivers/irqchip/irq-gic.c b/drivers/irqchip/irq-gic.c
index 4dd8826..374b9fa 100644
--- a/drivers/irqchip/irq-gic.c
+++ b/drivers/irqchip/irq-gic.c
@@ -278,6 +278,14 @@ static void __exception_irq_entry gic_handle_irq(struct pt_regs *regs)
 		if (irqnr < 16) {
 			writel_relaxed(irqstat, cpu_base + GIC_CPU_EOI);
 #ifdef CONFIG_SMP
+			/*
+			 * Ensure any shared data written by the CPU sending
+			 * the IPI is read after we've read the ACK register
+			 * on the GIC.
+			 *
+			 * Pairs with the write barrier in gic_raise_softirq
+			 */
+			smp_rmb();
 			handle_IPI(irqnr, regs);
 #endif
 			continue;
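Review bot: the comment above `smp_rmb()` says what is ordered but not why a CPU that has already taken the interrupt could still see stale data. One clause mentioning that shared data may be read speculatively before the ACK register confirms an SGI would stop the barrier from being removed as redundant.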
-- 
2.7.4


* [PATCH 4.2.y-ckt 088/206] irqchip/gic-v3: Configure all interrupts as non-secure Group-1
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (86 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 087/206] irqchip/gic: Ensure ordering between read of INTACK and shared data Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 089/206] arm64: cpuinfo: Missing NULL terminator in compat_hwcap_str Kamal Mostafa
                   ` (117 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Marc Zyngier, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit 7c9b973061b03af62734f613f6abec46c0dd4a88 upstream.

The GICv3 driver wrongly assumes that it runs on the non-secure
side of a secure-enabled system, while it could be on a system
with a single security state, or a GICv3 with GICD_CTLR.DS set.

Either way, it is important to configure this properly, or
interrupts will simply not be delivered on this HW.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/irqchip/irq-gic-v3.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c
index f5c518b..0daa31d 100644
--- a/drivers/irqchip/irq-gic-v3.c
+++ b/drivers/irqchip/irq-gic-v3.c
@@ -379,6 +379,15 @@ static void __init gic_dist_init(void)
 	writel_relaxed(0, base + GICD_CTLR);
 	gic_dist_wait_for_rwp();
 
+	/*
+	 * Configure SPIs as non-secure Group-1. This will only matter
+	 * if the GIC only has a single security state. This will not
+	 * do the right thing if the kernel is running in secure mode,
+	 * but that's not the intended use case anyway.
+	 */
+	for (i = 32; i < gic_data.irq_nr; i += 32)
+		writel_relaxed(~0, base + GICD_IGROUPR + i / 8);
+
 	gic_dist_config(base, gic_data.irq_nr, gic_dist_wait_for_rwp);
 
 	/* Enable distributor with ARE, Group1 */
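Review bot: `base + GICD_IGROUPR + i / 8` leaves the reader to work out that each 32-bit IGROUPR register covers 32 interrupts, so `i / 8` is a byte offset. Either write it as `(i / 32) * 4` or say so in the comment, and note that the loop starts at 32 because SGIs/PPIs are configured per CPU through GICR_IGROUPR0.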
@@ -482,6 +491,9 @@ static void gic_cpu_init(void)
 
 	rbase = gic_data_rdist_sgi_base();
 
+	/* Configure SGIs/PPIs as non-secure Group-1 */
+	writel_relaxed(~0, rbase + GICR_IGROUPR0);
+
 	gic_cpu_config(rbase, gic_redist_wait_for_rwp);
 
 	/* Give LPIs a spin */
-- 
2.7.4


* [PATCH 4.2.y-ckt 089/206] arm64: cpuinfo: Missing NULL terminator in compat_hwcap_str
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (87 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 088/206] irqchip/gic-v3: Configure all interrupts as non-secure Group-1 Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 090/206] kbuild: move -Wunused-const-variable to W=1 warning level Kamal Mostafa
                   ` (116 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Julien Grall, Will Deacon, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Julien Grall <julien.grall@arm.com>

commit f228b494e56d949be8d8ea09d4f973d1979201bf upstream.

The loop that browses the array compat_hwcap_str will stop when a NULL
is encountered, however NULL is missing at the end of the array. This will
lead to overrun until a NULL is found somewhere in the following memory.
In reality, this works out because the compat_hwcap2_str array tends to
follow immediately in memory, and that *is* terminated correctly.
Furthermore, the unsigned int compat_elf_hwcap is checked before
printing each capability, so we end up doing the right thing because
the size of the two arrays is less than 32. Still, this is an obvious
mistake and should be fixed.

Note for backporting: commit 12d11817eaafa414 ("arm64: Move
/proc/cpuinfo handling code") moved this code in v4.4. Prior to that
commit, the same change should be made in arch/arm64/kernel/setup.c.

Fixes: 44b82b7700d0 "arm64: Fix up /proc/cpuinfo"
Signed-off-by: Julien Grall <julien.grall@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
[ kamal: backport to 4.2-stable: applied to setup.c ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/arm64/kernel/setup.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c
index f3067d4..448b501 100644
--- a/arch/arm64/kernel/setup.c
+++ b/arch/arm64/kernel/setup.c
@@ -482,7 +482,8 @@ static const char *compat_hwcap_str[] = {
 	"idivt",
 	"vfpd32",
 	"lpae",
-	"evtstrm"
+	"evtstrm",
+	NULL
 };
 
 static const char *compat_hwcap2_str[] = {
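Review bot: adding the NULL sentinel fixes the overrun, but the walk over compat_hwcap_str still depends on every future edit keeping that last entry in place. Bounding the loop with ARRAY_SIZE(compat_hwcap_str) would remove the dependence on a sentinel and on whatever happens to follow the array in memory.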
-- 
2.7.4


* [PATCH 4.2.y-ckt 090/206] kbuild: move -Wunused-const-variable to W=1 warning level
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (88 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 089/206] arm64: cpuinfo: Missing NULL terminator in compat_hwcap_str Kamal Mostafa
@ 2016-06-09 21:14 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 091/206] rtlwifi: Fix logic error in enter/exit power-save mode Kamal Mostafa
                   ` (115 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:14 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Arnd Bergmann, Michal Marek, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Arnd Bergmann <arnd@arndb.de>

commit c9c6837d39311b0cc14cdbe7c18e815ab44aefb1 upstream.

gcc-6 started warning by default about variables that are not
used anywhere and that are marked 'const', generating many
false positives in an allmodconfig build, e.g.:

arch/arm/mach-davinci/board-da830-evm.c:282:20: warning: 'da830_evm_emif25_pins' defined but not used [-Wunused-const-variable=]
arch/arm/plat-omap/dmtimer.c:958:34: warning: 'omap_timer_match' defined but not used [-Wunused-const-variable=]
drivers/bluetooth/hci_bcm.c:625:39: warning: 'acpi_bcm_default_gpios' defined but not used [-Wunused-const-variable=]
drivers/char/hw_random/omap-rng.c:92:18: warning: 'reg_map_omap4' defined but not used [-Wunused-const-variable=]
drivers/devfreq/exynos/exynos5_bus.c:381:32: warning: 'exynos5_busfreq_int_pm' defined but not used [-Wunused-const-variable=]
drivers/dma/mv_xor.c:1139:34: warning: 'mv_xor_dt_ids' defined but not used [-Wunused-const-variable=]

This is similar to the existing -Wunused-but-set-variable warning
that was added in an earlier release and that we disable by default
now and only enable when W=1 is set, so it makes sense to do
the same here. Once we have eliminated the majority of the
warnings for both, we can put them back into the default list.

We probably want this in backport kernels as well, to allow building
them with gcc-6 without introducing extra warnings.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Olof Johansson <olof@lixom.net>
Acked-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Michal Marek <mmarek@suse.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 Makefile                   | 5 +++--
 scripts/Makefile.extrawarn | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 70e04ba..6a1001b 100644
--- a/Makefile
+++ b/Makefile
@@ -688,9 +688,10 @@ KBUILD_CFLAGS += $(call cc-option, -mno-global-merge,)
 KBUILD_CFLAGS += $(call cc-option, -fcatch-undefined-behavior)
 else
 
-# This warning generated too much noise in a regular build.
-# Use make W=1 to enable this warning (see scripts/Makefile.build)
+# These warnings generated too much noise in a regular build.
+# Use make W=1 to enable them (see scripts/Makefile.build)
 KBUILD_CFLAGS += $(call cc-disable-warning, unused-but-set-variable)
+KBUILD_CFLAGS += $(call cc-disable-warning, unused-const-variable)
 endif
 
 ifdef CONFIG_FRAME_POINTER
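Review bot: the reworded comment still points readers at scripts/Makefile.build, while the W=1 list this same patch extends lives in scripts/Makefile.extrawarn. Update the reference while the comment is being touched.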
diff --git a/scripts/Makefile.extrawarn b/scripts/Makefile.extrawarn
index 0f8ba77..7339c39 100644
--- a/scripts/Makefile.extrawarn
+++ b/scripts/Makefile.extrawarn
@@ -24,6 +24,7 @@ warning-1 += $(call cc-option, -Wmissing-prototypes)
 warning-1 += -Wold-style-definition
 warning-1 += $(call cc-option, -Wmissing-include-dirs)
 warning-1 += $(call cc-option, -Wunused-but-set-variable)
+warning-1 += $(call cc-option, -Wunused-const-variable)
 warning-1 += $(call cc-disable-warning, missing-field-initializers)
 warning-1 += $(call cc-disable-warning, sign-compare)
 
-- 
2.7.4


* [PATCH 4.2.y-ckt 091/206] rtlwifi: Fix logic error in enter/exit power-save mode
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (89 preceding siblings ...)
  2016-06-09 21:14 ` [PATCH 4.2.y-ckt 090/206] kbuild: move -Wunused-const-variable to W=1 warning level Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 092/206] rtlwifi: pci: use dev_kfree_skb_irq instead of kfree_skb in rtl_pci_reset_trx_ring Kamal Mostafa
                   ` (114 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Wang YanQing, Kalle Valo, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: wang yanqing <udknight@gmail.com>

commit 873ffe154ae074c46ed2d72dbd9a2a99f06f55b4 upstream.

In commit a269913c52ad ("rtlwifi: Rework rtl_lps_leave() and
rtl_lps_enter() to use work queue"), the tests for enter/exit
power-save mode were inverted. With this change applied, the
wifi connection becomes much more stable.

Fixes: a269913c52ad ("rtlwifi: Rework rtl_lps_leave() and rtl_lps_enter() to use work queue")
Signed-off-by: Wang YanQing <udknight@gmail.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[ kamal: backport to 4.2-stable: files moved ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/wireless/rtlwifi/base.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/rtlwifi/base.c b/drivers/net/wireless/rtlwifi/base.c
index 0517a4f..7a40d8d 100644
--- a/drivers/net/wireless/rtlwifi/base.c
+++ b/drivers/net/wireless/rtlwifi/base.c
@@ -1660,9 +1660,9 @@ void rtl_watchdog_wq_callback(void *data)
 		if (((rtlpriv->link_info.num_rx_inperiod +
 		      rtlpriv->link_info.num_tx_inperiod) > 8) ||
 		    (rtlpriv->link_info.num_rx_inperiod > 2))
-			rtl_lps_enter(hw);
-		else
 			rtl_lps_leave(hw);
+		else
+			rtl_lps_enter(hw);
 	}
 
 	rtlpriv->link_info.num_rx_inperiod = 0;
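Review bot: the swapped branches carry no comment stating which way the test is meant to go, which leaves room for the same inversion to return. A line above the `if` saying that a busy link (more than 8 frames in the period, or more than 2 received) leaves power save and an idle one enters it would make a regression obvious; named constants for 8 and 2 would help too.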
-- 
2.7.4


* [PATCH 4.2.y-ckt 092/206] rtlwifi: pci: use dev_kfree_skb_irq instead of kfree_skb in rtl_pci_reset_trx_ring
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (90 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 091/206] rtlwifi: Fix logic error in enter/exit power-save mode Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 093/206] sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded systems Kamal Mostafa
                   ` (113 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Wang YanQing, Kalle Valo, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: wang yanqing <udknight@gmail.com>

commit cf968937d27751296920e6b82ffa89735e3a0023 upstream.

We can't use kfree_skb in irq-disabled context. Because spin_lock_irqsave
makes sure we are always in irq-disabled context, using dev_kfree_skb_irq
instead of kfree_skb is better than dev_kfree_skb_any.

This patch fixes the kernel warning below:
[ 7612.095528] ------------[ cut here ]------------
[ 7612.095546] WARNING: CPU: 3 PID: 4460 at kernel/softirq.c:150 __local_bh_enable_ip+0x58/0x80()
[ 7612.095550] Modules linked in: rtl8723be x86_pkg_temp_thermal btcoexist rtl_pci rtlwifi rtl8723_common
[ 7612.095567] CPU: 3 PID: 4460 Comm: ifconfig Tainted: G        W       4.4.0+ #4
[ 7612.095570] Hardware name: LENOVO 20DFA04FCD/20DFA04FCD, BIOS J5ET48WW (1.19 ) 08/27/2015
[ 7612.095574]  00000000 00000000 da37fc70 c12ce7c5 00000000 da37fca0 c104cc59 c19d4454
[ 7612.095584]  00000003 0000116c c19d4784 00000096 c10508a8 c10508a8 00000200 c1b42400
[ 7612.095594]  f29be780 da37fcb0 c104ccad 00000009 00000000 da37fcbc c10508a8 f21f08b8
[ 7612.095604] Call Trace:
[ 7612.095614]  [<c12ce7c5>] dump_stack+0x41/0x5c
[ 7612.095620]  [<c104cc59>] warn_slowpath_common+0x89/0xc0
[ 7612.095628]  [<c10508a8>] ? __local_bh_enable_ip+0x58/0x80
[ 7612.095634]  [<c10508a8>] ? __local_bh_enable_ip+0x58/0x80
[ 7612.095640]  [<c104ccad>] warn_slowpath_null+0x1d/0x20
[ 7612.095646]  [<c10508a8>] __local_bh_enable_ip+0x58/0x80
[ 7612.095653]  [<c16b7d34>] destroy_conntrack+0x64/0xa0
[ 7612.095660]  [<c16b300f>] nf_conntrack_destroy+0xf/0x20
[ 7612.095665]  [<c1677565>] skb_release_head_state+0x55/0xa0
[ 7612.095670]  [<c16775bb>] skb_release_all+0xb/0x20
[ 7612.095674]  [<c167760b>] __kfree_skb+0xb/0x60
[ 7612.095679]  [<c16776f0>] kfree_skb+0x30/0x70
[ 7612.095686]  [<f81b869d>] ? rtl_pci_reset_trx_ring+0x22d/0x370 [rtl_pci]
[ 7612.095692]  [<f81b869d>] rtl_pci_reset_trx_ring+0x22d/0x370 [rtl_pci]
[ 7612.095698]  [<f81b87f9>] rtl_pci_start+0x19/0x190 [rtl_pci]
[ 7612.095705]  [<f81970e6>] rtl_op_start+0x56/0x90 [rtlwifi]
[ 7612.095712]  [<c17e3f16>] drv_start+0x36/0xc0
[ 7612.095717]  [<c17f5ab3>] ieee80211_do_open+0x2d3/0x890
[ 7612.095725]  [<c16820fe>] ? call_netdevice_notifiers_info+0x2e/0x60
[ 7612.095730]  [<c17f60bd>] ieee80211_open+0x4d/0x50
[ 7612.095736]  [<c16891b3>] __dev_open+0xa3/0x130
[ 7612.095742]  [<c183fa53>] ? _raw_spin_unlock_bh+0x13/0x20
[ 7612.095748]  [<c1689499>] __dev_change_flags+0x89/0x140
[ 7612.095753]  [<c127c70d>] ? selinux_capable+0xd/0x10
[ 7612.095759]  [<c1689589>] dev_change_flags+0x29/0x60
[ 7612.095765]  [<c1700b93>] devinet_ioctl+0x553/0x670
[ 7612.095772]  [<c12db758>] ? _copy_to_user+0x28/0x40
[ 7612.095777]  [<c17018b5>] inet_ioctl+0x85/0xb0
[ 7612.095783]  [<c166e647>] sock_ioctl+0x67/0x260
[ 7612.095788]  [<c166e5e0>] ? sock_fasync+0x80/0x80
[ 7612.095795]  [<c115c99b>] do_vfs_ioctl+0x6b/0x550
[ 7612.095800]  [<c127c812>] ? selinux_file_ioctl+0x102/0x1e0
[ 7612.095807]  [<c10a8914>] ? timekeeping_suspend+0x294/0x320
[ 7612.095813]  [<c10a256a>] ? __hrtimer_run_queues+0x14a/0x210
[ 7612.095820]  [<c1276e24>] ? security_file_ioctl+0x34/0x50
[ 7612.095827]  [<c115cef0>] SyS_ioctl+0x70/0x80
[ 7612.095832]  [<c1001804>] do_fast_syscall_32+0x84/0x120
[ 7612.095839]  [<c183ff91>] sysenter_past_esp+0x36/0x55
[ 7612.095844] ---[ end trace 97e9c637a20e8348 ]---

Signed-off-by: Wang YanQing <udknight@gmail.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[ kamal: backport to 4.2-stable: files moved ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/wireless/rtlwifi/pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/rtlwifi/pci.c b/drivers/net/wireless/rtlwifi/pci.c
index 7f471bf..5b40480 100644
--- a/drivers/net/wireless/rtlwifi/pci.c
+++ b/drivers/net/wireless/rtlwifi/pci.c
@@ -1573,7 +1573,7 @@ int rtl_pci_reset_trx_ring(struct ieee80211_hw *hw)
 							 true,
 							 HW_DESC_TXBUFF_ADDR),
 						 skb->len, PCI_DMA_TODEVICE);
-				kfree_skb(skb);
+				dev_kfree_skb_irq(skb);
 				ring->idx = (ring->idx + 1) % ring->entries;
 			}
 			ring->idx = 0;
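Review bot: the replacement call in the ring-drain loop has no comment
saying which calling context (lock held, interrupts disabled) requires
the _irq variant, so a later cleanup could turn it back into
kfree_skb(). A one-line comment above dev_kfree_skb_irq(skb) naming that
context would protect the fix.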
-- 
2.7.4


* [PATCH 4.2.y-ckt 093/206] sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded systems
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (91 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 092/206] rtlwifi: pci: use dev_kfree_skb_irq instead of kfree_skb in rtl_pci_reset_trx_ring Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 094/206] powerpc/eeh: Don't report error in eeh_pe_reset_and_recover() Kamal Mostafa
                   ` (112 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Vik Heyndrickx, Peter Zijlstra, Doug Smythies, Linus Torvalds,
	Mike Galbraith, Thomas Gleixner, Ingo Molnar, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Vik Heyndrickx <vik.heyndrickx@veribox.net>

commit 20878232c52329f92423d27a60e48b6a6389e0dd upstream.

Systems show a minimal load average of 0.00, 0.01, 0.05 even when they
have no load at all.

Uptime and /proc/loadavg on all systems with kernels released during the
last five years up until kernel version 4.6-rc5, show a 5- and 15-minute
minimum loadavg of 0.01 and 0.05 respectively. This should be 0.00 on
idle systems, but the way the kernel calculates this value prevents it
from getting lower than the mentioned values.

Likewise but not as obviously noticeable, a fully loaded system with no
processes waiting, shows a maximum 1/5/15 loadavg of 1.00, 0.99, 0.95
(multiplied by number of cores).

Once the (old) load becomes 93 or higher, it mathematically can never
get lower than 93, even when the active (load) remains 0 forever.
This results in the strange 0.00, 0.01, 0.05 uptime values on idle
systems.  Note: 93/2048 = 0.0454..., which rounds up to 0.05.

It is not correct to add a 0.5 rounding (=1024/2048) here, since the
result from this function is fed back into the next iteration again,
so the result of that +0.5 rounding value then gets multiplied by
(2048-2037), and then rounded again, so there is a virtual "ghost"
load created, next to the old and active load terms.

By changing the way the internally kept value is rounded, that internal
value equivalent now can reach 0.00 on idle, and 1.00 on full load. Upon
increasing load, the internally kept load value is rounded up, when the
load is decreasing, the load value is rounded down.

The modified code was tested on nohz=off and nohz kernels. It was tested
on vanilla kernel 4.6-rc5 and on CentOS 7.1 kernel 3.10.0-327. It was
tested on single, dual, and octal core systems. It was tested on virtual
hosts and bare hardware. No unwanted effects have been observed, and the
problems that the patch intended to fix were indeed gone.

Tested-by: Damien Wyart <damien.wyart@free.fr>
Signed-off-by: Vik Heyndrickx <vik.heyndrickx@veribox.net>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Doug Smythies <dsmythies@telus.net>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 0f004f5a696a ("sched: Cure more NO_HZ load average woes")
Link: http://lkml.kernel.org/r/e8d32bff-d544-7748-72b5-3c86cc71f09f@veribox.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 kernel/sched/loadavg.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/kernel/sched/loadavg.c b/kernel/sched/loadavg.c
index ef71590..b0b93fd 100644
--- a/kernel/sched/loadavg.c
+++ b/kernel/sched/loadavg.c
@@ -99,10 +99,13 @@ long calc_load_fold_active(struct rq *this_rq)
 static unsigned long
 calc_load(unsigned long load, unsigned long exp, unsigned long active)
 {
-	load *= exp;
-	load += active * (FIXED_1 - exp);
-	load += 1UL << (FSHIFT - 1);
-	return load >> FSHIFT;
+	unsigned long newload;
+
+	newload = load * exp + active * (FIXED_1 - exp);
+	if (active >= load)
+		newload += FIXED_1-1;
+
+	return newload / FIXED_1;
 }
 
 #ifdef CONFIG_NO_HZ_COMMON
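Review bot: the new "if (active >= load)" branch in calc_load() has no
comment explaining that the result is rounded up while the load is
rising and truncated while it is falling, which is the whole point of
the fix and is only described in the commit message. A short comment
above the branch would help, and "FIXED_1-1" should be written
"FIXED_1 - 1" per kernel coding style.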
-- 
2.7.4
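
The fixed-point artifact described in the commit message above can be reproduced in user space. This C program is an added example, not part of the patch or the kernel tree: it models the removed and the added calc_load() bodies from the hunk and iterates each until the value stops changing. EXP_1, EXP_5 and the FIXED_1/200 display rounding come from the kernel sources rather than this page; settle(), shown_hundredths() and report() are hypothetical helper names, and the single-CPU inputs are constructed.

```c
/* Added example: user-space model of calc_load() before and after the patch. */
#include <stdio.h>

#define FSHIFT   11                /* bits of fixed-point precision */
#define FIXED_1  (1UL << FSHIFT)   /* 1.0 in fixed point = 2048 */
#define EXP_1    1884UL            /* kernel decay factor, 1 min (not on the page) */
#define EXP_5    2014UL            /* kernel decay factor, 5 min (not on the page) */
#define EXP_15   2037UL            /* 15 min; the 2037 quoted in the commit message */

typedef unsigned long (*calc_fn)(unsigned long, unsigned long, unsigned long);

/* The lines removed by the hunk: add 0.5 (1024/2048), then truncate. */
static unsigned long calc_load_old(unsigned long load, unsigned long exp,
				   unsigned long active)
{
	load *= exp;
	load += active * (FIXED_1 - exp);
	load += 1UL << (FSHIFT - 1);
	return load >> FSHIFT;
}

/* The lines added by the hunk: round up while rising, truncate while falling. */
static unsigned long calc_load_new(unsigned long load, unsigned long exp,
				   unsigned long active)
{
	unsigned long newload;

	newload = load * exp + active * (FIXED_1 - exp);
	if (active >= load)
		newload += FIXED_1 - 1;

	return newload / FIXED_1;
}

/* Hypothetical helper: feed the result back in until it stops changing. */
static unsigned long settle(calc_fn fn, unsigned long start,
			    unsigned long exp, unsigned long active)
{
	unsigned long load = start, next;
	int i;

	for (i = 0; i < 1000000; i++) {
		next = fn(load, exp, active);
		if (next == load)
			break;
		load = next;
	}
	return load;
}

/*
 * Hypothetical helper: the value in hundredths as /proc/loadavg prints it
 * (add FIXED_1/200 for rounding, then truncate to two decimals).
 */
static unsigned long shown_hundredths(unsigned long load)
{
	unsigned long v = load + FIXED_1 / 200;

	return (v >> FSHIFT) * 100 + (((v & (FIXED_1 - 1)) * 100) >> FSHIFT);
}

/* Print the settled 1/5/15-minute values for one scenario. */
static void report(const char *name, calc_fn fn, unsigned long start,
		   unsigned long active)
{
	const unsigned long exps[3] = { EXP_1, EXP_5, EXP_15 };
	int i;

	printf("%-12s", name);
	for (i = 0; i < 3; i++) {
		unsigned long h = shown_hundredths(settle(fn, start, exps[i], active));

		printf(" %lu.%02lu", h / 100, h % 100);
	}
	printf("\n");
}

int main(void)
{
	/*
	 * Constructed inputs for one CPU: a system at load 2.00 that goes
	 * fully idle (active = 0), and a system at 0.00 that gets exactly
	 * one always-runnable task (active = FIXED_1).
	 */
	report("old, idle", calc_load_old, 2 * FIXED_1, 0);
	report("old, loaded", calc_load_old, 0, FIXED_1);
	report("new, idle", calc_load_new, 2 * FIXED_1, 0);
	report("new, loaded", calc_load_new, 0, FIXED_1);
	return 0;
}
```

The old function settles at internal values that never reach 0 or FIXED_1, which is where the 0.00, 0.01, 0.05 and 1.00, 0.99, 0.95 readings in the commit message come from; the new one settles at exactly 0 and FIXED_1.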


* [PATCH 4.2.y-ckt 094/206] powerpc/eeh: Don't report error in eeh_pe_reset_and_recover()
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (92 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 093/206] sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded systems Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 095/206] powerpc/eeh: Restore initial state " Kamal Mostafa
                   ` (111 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Gavin Shan, Michael Ellerman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Gavin Shan <gwshan@linux.vnet.ibm.com>

commit affeb0f2d3a9af419ad7ef4ac782e1540b2f7b28 upstream.

The function eeh_pe_reset_and_recover() is used to recover EEH
error when the passthrough devices are transferred to guest and
backwards, meaning the device's driver is vfio-pci or none.
When the driver is vfio-pci that provides error_detected() error
handler only, the handler simply stops the guest and it's not
expected behaviour. On the other hand, no error handlers will
be called if we don't have a bound driver.

This ignores the error handler in eeh_pe_reset_and_recover()
that reports the error to device driver to avoid the exceptional
behaviour.

Fixes: 5cfb20b9 ("powerpc/eeh: Emulate EEH recovery for VFIO devices")
Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Reviewed-by: Russell Currey <ruscur@russell.cc>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/powerpc/kernel/eeh_driver.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c
index afeb2bd..e5f488c 100644
--- a/arch/powerpc/kernel/eeh_driver.c
+++ b/arch/powerpc/kernel/eeh_driver.c
@@ -502,9 +502,6 @@ int eeh_pe_reset_and_recover(struct eeh_pe *pe)
 	/* Save states */
 	eeh_pe_dev_traverse(pe, eeh_dev_save_state, NULL);
 
-	/* Report error */
-	eeh_pe_dev_traverse(pe, eeh_report_error, &result);
-
 	/* Issue reset */
 	ret = eeh_reset_pe(pe);
 	if (ret) {
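Review bot: with the eeh_report_error traversal removed, check whether
"result" (passed here as &result) is still used anywhere else in
eeh_pe_reset_and_recover(). If this was its last use, the declaration
should be dropped in the same patch to avoid an unused-variable warning.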
-- 
2.7.4


* [PATCH 4.2.y-ckt 095/206] powerpc/eeh: Restore initial state in eeh_pe_reset_and_recover()
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (93 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 094/206] powerpc/eeh: Don't report error in eeh_pe_reset_and_recover() Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 096/206] Revert "powerpc/eeh: Fix crash in eeh_add_device_early() on Cell" Kamal Mostafa
                   ` (110 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Gavin Shan, Michael Ellerman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Gavin Shan <gwshan@linux.vnet.ibm.com>

commit 5a0cdbfd17b90a89c64a71d8aec9773ecdb20d0d upstream.

The function eeh_pe_reset_and_recover() is used to recover EEH
error when the passthrough devices are transferred to guest and
backwards. The content in the device's config space will be lost
on PE reset issued in the middle of the recovery. The function
saves/restores it before/after the reset. However, config access
to some adapters like Broadcom BCM5719 at this point will cause
fenced PHB. The config space is always blocked and we save 0xFF's
that are restored at a later point. The memory BARs are totally
corrupted, causing another EEH error upon access to one of the
memory BARs.

This restores the config space on those adapters like BCM5719
from the content saved to the EEH device when it's populated,
to resolve the above issue.

Fixes: 5cfb20b9 ("powerpc/eeh: Emulate EEH recovery for VFIO devices")
Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Reviewed-by: Russell Currey <ruscur@russell.cc>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/powerpc/kernel/eeh_driver.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c
index e5f488c..16f315f 100644
--- a/arch/powerpc/kernel/eeh_driver.c
+++ b/arch/powerpc/kernel/eeh_driver.c
@@ -166,6 +166,16 @@ static void *eeh_dev_save_state(void *data, void *userdata)
 	if (!edev)
 		return NULL;
 
+	/*
+	 * We cannot access the config space on some adapters.
+	 * Otherwise, it will cause fenced PHB. We don't save
+	 * the content in their config space and will restore
+	 * from the initial config space saved when the EEH
+	 * device is created.
+	 */
+	if (edev->pe && (edev->pe->state & EEH_PE_CFG_RESTRICTED))
+		return NULL;
+
 	pdev = eeh_dev_to_pci_dev(edev);
 	if (!pdev)
 		return NULL;
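Review bot: the test "edev->pe && (edev->pe->state &
EEH_PE_CFG_RESTRICTED)" added to eeh_dev_save_state() is repeated
verbatim in eeh_dev_restore_state() in the next hunk; a small static
helper would keep the two in step. The new comment would also read
better as "Accessing config space on some adapters causes a fenced PHB".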
@@ -305,6 +315,19 @@ static void *eeh_dev_restore_state(void *data, void *userdata)
 	if (!edev)
 		return NULL;
 
+	/*
+	 * The content in the config space isn't saved because
+	 * the blocked config space on some adapters. We have
+	 * to restore the initial saved config space when the
+	 * EEH device is created.
+	 */
+	if (edev->pe && (edev->pe->state & EEH_PE_CFG_RESTRICTED)) {
+		if (list_is_last(&edev->list, &edev->pe->edevs))
+			eeh_pe_restore_bars(edev->pe);
+
+		return NULL;
+	}
+
 	pdev = eeh_dev_to_pci_dev(edev);
 	if (!pdev)
 		return NULL;
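Review bot: eeh_pe_restore_bars() is only called when the callback is
invoked for the last entry of edev->pe->edevs, so the restore silently
depends on the traversal reaching that entry. Please state that
assumption in the comment, or do the restore once per PE outside the
per-device callback.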
-- 
2.7.4


* [PATCH 4.2.y-ckt 096/206] Revert "powerpc/eeh: Fix crash in eeh_add_device_early() on Cell"
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (94 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 095/206] powerpc/eeh: Restore initial state " Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 097/206] MIPS: Handle highmem pages in __update_cache Kamal Mostafa
                   ` (109 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Guilherme G . Piccoli, Michael Ellerman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "Guilherme G. Piccoli" <gpiccoli@linux.vnet.ibm.com>

commit c2078d9ef600bdbe568c89e5ddc2c6f15b7982c8 upstream.

This reverts commit 89a51df5ab1d38b257300b8ac940bbac3bb0eb9b.

The function eeh_add_device_early() is used to perform EEH
initialization in devices added later on the system, like in
hotplug/DLPAR scenarios. Since the commit 89a51df5ab1d ("powerpc/eeh:
Fix crash in eeh_add_device_early() on Cell") a new check was introduced
in this function - Cell has no EEH capabilities which led to kernel oops
if hotplug was performed, so checking for eeh_enabled() was introduced
to avoid the issue.

However, in architectures where EEH is present like pSeries or PowerNV,
we might reach a case in which no PCI devices are present on boot time
and so EEH is not initialized. Then, if a device is added via DLPAR for
example, eeh_add_device_early() fails because eeh_enabled() is false,
and EEH ends up not being enabled at all.

This reverts the aforementioned patch since a new verification was
introduced by the commit d91dafc02f42 ("powerpc/eeh: Delay probing EEH
device during hotplug") and so the original Cell issue does not happen
anymore.

Reviewed-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Signed-off-by: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/powerpc/kernel/eeh.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c
index 01c961d..1109964 100644
--- a/arch/powerpc/kernel/eeh.c
+++ b/arch/powerpc/kernel/eeh.c
@@ -1071,7 +1071,7 @@ void eeh_add_device_early(struct pci_dn *pdn)
 	struct pci_controller *phb;
 	struct eeh_dev *edev = pdn_to_eeh_dev(pdn);
 
-	if (!edev || !eeh_enabled())
+	if (!edev)
 		return;
 
 	if (!eeh_has_flag(EEH_PROBE_MODE_DEVTREE))
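Review bot: dropping "!eeh_enabled()" from the early return is only safe
if d91dafc02f42 ("powerpc/eeh: Delay probing EEH device during
hotplug"), which the commit message names as the reason the Cell oops no
longer happens, is already in 4.2.y. The backport does not say so;
please confirm before this goes into the stable queue.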
-- 
2.7.4


* [PATCH 4.2.y-ckt 097/206] MIPS: Handle highmem pages in __update_cache
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (95 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 096/206] Revert "powerpc/eeh: Fix crash in eeh_add_device_early() on Cell" Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 098/206] MIPS: Sync icache & dcache in set_pte_at Kamal Mostafa
                   ` (108 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Paul Burton, Lars Persson, Andrew Morton, Jerome Marchand,
	Kirill A . Shutemov, linux-mips, Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Paul Burton <paul.burton@imgtec.com>

commit f4281bba818105c7c91799abe40bc05c0dbdaa25 upstream.

The following patch will expose __update_cache to highmem pages. Handle
them by mapping them in for the duration of the cache maintenance, just
like in __flush_dcache_page. The code for that isn't shared because we
need the page address in __update_cache so sharing became messy. Given
that the entirety is an extra 5 lines, just duplicate it.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: Lars Persson <lars.persson@axis.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Jerome Marchand <jmarchan@redhat.com>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/12721/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/mm/cache.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/arch/mips/mm/cache.c b/arch/mips/mm/cache.c
index aab218c..0d71fdd 100644
--- a/arch/mips/mm/cache.c
+++ b/arch/mips/mm/cache.c
@@ -143,9 +143,17 @@ void __update_cache(struct vm_area_struct *vma, unsigned long address,
 		return;
 	page = pfn_to_page(pfn);
 	if (page_mapping(page) && Page_dcache_dirty(page)) {
-		addr = (unsigned long) page_address(page);
+		if (PageHighMem(page))
+			addr = (unsigned long)kmap_atomic(page);
+		else
+			addr = (unsigned long)page_address(page);
+
 		if (exec || pages_do_alias(addr, address & PAGE_MASK))
 			flush_data_cache_page(addr);
+
+		if (PageHighMem(page))
+			__kunmap_atomic((void *)addr);
+
 		ClearPageDcacheDirty(page);
 	}
 }
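Review bot: the unmap side calls __kunmap_atomic() directly on a value
cast back from unsigned long, and PageHighMem(page) is evaluated twice
to pair the map with the unmap. Keeping the kmap_atomic() result in a
void * local and releasing it with kunmap_atomic() would avoid the cast
and make the pairing obvious.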
-- 
2.7.4


* [PATCH 4.2.y-ckt 098/206] MIPS: Sync icache & dcache in set_pte_at
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (96 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 097/206] MIPS: Handle highmem pages in __update_cache Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 099/206] SIGNAL: Move generic copy_siginfo() to signal.h Kamal Mostafa
                   ` (107 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Paul Burton, Lars Persson, Steven J . Hill, David Daney,
	Huacai Chen, Aneesh Kumar K . V, Andrew Morton, Jerome Marchand,
	Kirill A . Shutemov, linux-mips, Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Paul Burton <paul.burton@imgtec.com>

commit 37d22a0d798b5c938b277d32cfd86dc231381342 upstream.

It's possible for pages to become visible prior to update_mmu_cache
running if a thread within the same address space preempts the current
thread or runs simultaneously on another CPU. That is, the following
scenario is possible:

    CPU0                            CPU1

    write to page
    flush_dcache_page
    flush_icache_page
    set_pte_at
                                    map page
    update_mmu_cache

If CPU1 maps the page in between CPU0's set_pte_at, which marks it valid
& visible, and update_mmu_cache where the dcache flush occurs then CPU1's
icache will fill from stale data (unless it fills from the dcache, in
which case all is good, but most MIPS CPUs don't have this property).
Commit 4d46a67a3eb8 ("MIPS: Fix race condition in lazy cache flushing.")
attempted to fix that by performing the dcache flush in
flush_icache_page such that it occurs before the set_pte_at call makes
the page visible. However it has the problem that not all code that
writes to pages exposed to userland call flush_icache_page. There are
many callers of set_pte_at under mm/ and only 2 of them do call
flush_icache_page. Thus the race window between a page becoming visible
& being coherent between the icache & dcache remains open in some cases.

To illustrate some of the cases, a WARN was added to __update_cache with
this patch applied that triggered in cases where a page about to be
flushed from the dcache was not the last page provided to
flush_icache_page. That is, backtraces were obtained for cases in which
the race window is left open without this patch. The 2 standout examples
follow.

When forking a process:

[   15.271842] [<80417630>] __update_cache+0xcc/0x188
[   15.277274] [<80530394>] copy_page_range+0x56c/0x6ac
[   15.282861] [<8042936c>] copy_process.part.54+0xd40/0x17ac
[   15.289028] [<80429f80>] do_fork+0xe4/0x420
[   15.293747] [<80413808>] handle_sys+0x128/0x14c

When exec'ing an ELF binary:

[   14.445964] [<80417630>] __update_cache+0xcc/0x188
[   14.451369] [<80538d88>] move_page_tables+0x414/0x498
[   14.457075] [<8055d848>] setup_arg_pages+0x220/0x318
[   14.462685] [<805b0f38>] load_elf_binary+0x530/0x12a0
[   14.468374] [<8055ec3c>] search_binary_handler+0xbc/0x214
[   14.474444] [<8055f6c0>] do_execveat_common+0x43c/0x67c
[   14.480324] [<8055f938>] do_execve+0x38/0x44
[   14.485137] [<80413808>] handle_sys+0x128/0x14c

These code paths write into a page, call flush_dcache_page then call
set_pte_at without flush_icache_page in between. The end result is that
the icache can become corrupted & userland processes may execute
unexpected or invalid code, typically resulting in a reserved
instruction exception, a trap or a segfault.

Fix this race condition fully by performing any cache maintenance
required to keep the icache & dcache in sync in set_pte_at, before the
page is made valid. This has the added bonus of ensuring the cache
maintenance always happens in one location, rather than being duplicated
in flush_icache_page & update_mmu_cache. It also matches the way other
architectures solve the same problem (see arm, ia64 & powerpc).

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Reported-by: Ionela Voinescu <ionela.voinescu@imgtec.com>
Cc: Lars Persson <lars.persson@axis.com>
Fixes: 4d46a67a3eb8 ("MIPS: Fix race condition in lazy cache flushing.")
Cc: Steven J. Hill <sjhill@realitydiluted.com>
Cc: David Daney <david.daney@cavium.com>
Cc: Huacai Chen <chenhc@lemote.com>
Cc: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Jerome Marchand <jmarchan@redhat.com>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/12722/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/include/asm/cacheflush.h |  6 ------
 arch/mips/include/asm/pgtable.h    | 26 +++++++++++++++++++++-----
 arch/mips/mm/cache.c               | 19 +++----------------
 3 files changed, 24 insertions(+), 27 deletions(-)

diff --git a/arch/mips/include/asm/cacheflush.h b/arch/mips/include/asm/cacheflush.h
index 723229f..176de58 100644
--- a/arch/mips/include/asm/cacheflush.h
+++ b/arch/mips/include/asm/cacheflush.h
@@ -51,7 +51,6 @@ extern void (*flush_cache_range)(struct vm_area_struct *vma,
 	unsigned long start, unsigned long end);
 extern void (*flush_cache_page)(struct vm_area_struct *vma, unsigned long page, unsigned long pfn);
 extern void __flush_dcache_page(struct page *page);
-extern void __flush_icache_page(struct vm_area_struct *vma, struct page *page);
 
 #define ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE 1
 static inline void flush_dcache_page(struct page *page)
@@ -77,11 +76,6 @@ static inline void flush_anon_page(struct vm_area_struct *vma,
 static inline void flush_icache_page(struct vm_area_struct *vma,
 	struct page *page)
 {
-	if (!cpu_has_ic_fills_f_dc && (vma->vm_flags & VM_EXEC) &&
-	    Page_dcache_dirty(page)) {
-		__flush_icache_page(vma, page);
-		ClearPageDcacheDirty(page);
-	}
 }
 
 extern void (*flush_icache_range)(unsigned long start, unsigned long end);
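Review bot: flush_icache_page() is left as an empty inline with no
comment. Add a one-line note in the body saying that icache/dcache
synchronisation now happens in set_pte_at(), so the empty function is
not mistaken for an omission.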
diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h
index 6bc427f..29a9de2 100644
--- a/arch/mips/include/asm/pgtable.h
+++ b/arch/mips/include/asm/pgtable.h
@@ -127,10 +127,14 @@ do {									\
 	}								\
 } while(0)
 
+static inline void set_pte_at(struct mm_struct *mm, unsigned long addr,
+			      pte_t *ptep, pte_t pteval);
+
 #if defined(CONFIG_PHYS_ADDR_T_64BIT) && defined(CONFIG_CPU_MIPS32)
 
 #define pte_none(pte)		(!(((pte).pte_high) & ~_PAGE_GLOBAL))
 #define pte_present(pte)	((pte).pte_low & _PAGE_PRESENT)
+#define pte_no_exec(pte)	((pte).pte_low & _PAGE_NO_EXEC)
 
 static inline void set_pte(pte_t *ptep, pte_t pte)
 {
@@ -148,7 +152,6 @@ static inline void set_pte(pte_t *ptep, pte_t pte)
 			buddy->pte_high |= _PAGE_GLOBAL;
 	}
 }
-#define set_pte_at(mm, addr, ptep, pteval) set_pte(ptep, pteval)
 
 static inline void pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
 {
@@ -166,6 +169,7 @@ static inline void pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *pt
 
 #define pte_none(pte)		(!(pte_val(pte) & ~_PAGE_GLOBAL))
 #define pte_present(pte)	(pte_val(pte) & _PAGE_PRESENT)
+#define pte_no_exec(pte)	(pte_val(pte) & _PAGE_NO_EXEC)
 
 /*
  * Certain architectures need to do special things when pte's
@@ -218,7 +222,6 @@ static inline void set_pte(pte_t *ptep, pte_t pteval)
 	}
 #endif
 }
-#define set_pte_at(mm, addr, ptep, pteval) set_pte(ptep, pteval)
 
 static inline void pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
 {
@@ -234,6 +237,22 @@ static inline void pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *pt
 }
 #endif
 
+static inline void set_pte_at(struct mm_struct *mm, unsigned long addr,
+			      pte_t *ptep, pte_t pteval)
+{
+	extern void __update_cache(unsigned long address, pte_t pte);
+
+	if (!pte_present(pteval))
+		goto cache_sync_done;
+
+	if (pte_present(*ptep) && (pte_pfn(*ptep) == pte_pfn(pteval)))
+		goto cache_sync_done;
+
+	__update_cache(addr, pteval);
+cache_sync_done:
+	set_pte(ptep, pteval);
+}
+
 /*
  * (pmds are folded into puds so this doesn't get actually called,
  * but the define is needed for a generic inline function.)
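Review bot: the same-pfn shortcut in set_pte_at() skips __update_cache()
whenever the old and new PTE are both present and reference the same
page, which includes the case where only the protection bits change.
Since __update_cache() now takes its exec decision from
pte_no_exec(pte), please confirm that a change from no-exec to exec on
such a PTE does not need the flush. The block-scope "extern void
__update_cache(...)" would also be better as an ordinary prototype at
file scope.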
@@ -428,15 +447,12 @@ static inline pte_t pte_modify(pte_t pte, pgprot_t newprot)
 
 extern void __update_tlb(struct vm_area_struct *vma, unsigned long address,
 	pte_t pte);
-extern void __update_cache(struct vm_area_struct *vma, unsigned long address,
-	pte_t pte);
 
 static inline void update_mmu_cache(struct vm_area_struct *vma,
 	unsigned long address, pte_t *ptep)
 {
 	pte_t pte = *ptep;
 	__update_tlb(vma, address, pte);
-	__update_cache(vma, address, pte);
 }
 
 static inline void update_mmu_cache_pmd(struct vm_area_struct *vma,
diff --git a/arch/mips/mm/cache.c b/arch/mips/mm/cache.c
index 0d71fdd..48e8172 100644
--- a/arch/mips/mm/cache.c
+++ b/arch/mips/mm/cache.c
@@ -119,30 +119,17 @@ void __flush_anon_page(struct page *page, unsigned long vmaddr)
 
 EXPORT_SYMBOL(__flush_anon_page);
 
-void __flush_icache_page(struct vm_area_struct *vma, struct page *page)
-{
-	unsigned long addr;
-
-	if (PageHighMem(page))
-		return;
-
-	addr = (unsigned long) page_address(page);
-	flush_data_cache_page(addr);
-}
-EXPORT_SYMBOL_GPL(__flush_icache_page);
-
-void __update_cache(struct vm_area_struct *vma, unsigned long address,
-	pte_t pte)
+void __update_cache(unsigned long address, pte_t pte)
 {
 	struct page *page;
 	unsigned long pfn, addr;
-	int exec = (vma->vm_flags & VM_EXEC) && !cpu_has_ic_fills_f_dc;
+	int exec = !pte_no_exec(pte) && !cpu_has_ic_fills_f_dc;
 
 	pfn = pte_pfn(pte);
 	if (unlikely(!pfn_valid(pfn)))
 		return;
 	page = pfn_to_page(pfn);
-	if (page_mapping(page) && Page_dcache_dirty(page)) {
+	if (Page_dcache_dirty(page)) {
 		if (PageHighMem(page))
 			addr = (unsigned long)kmap_atomic(page);
 		else
-- 
2.7.4


* [PATCH 4.2.y-ckt 099/206] SIGNAL: Move generic copy_siginfo() to signal.h
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (97 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 098/206] MIPS: Sync icache & dcache in set_pte_at Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 100/206] MIPS: Fix uapi include in exported asm/siginfo.h Kamal Mostafa
                   ` (106 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: James Hogan, Arnd Bergmann, Ralf Baechle, Petr Malat, Tony Luck,
	Fenghua Yu, Christopher Ferris, linux-arch, linux-mips,
	linux-ia64, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: James Hogan <james.hogan@imgtec.com>

commit ca9eb49aa9562eaadf3cea071ec7018ad6800425 upstream.

The generic copy_siginfo() is currently defined in
asm-generic/siginfo.h, after including uapi/asm-generic/siginfo.h which
defines the generic struct siginfo. However this makes it awkward for an
architecture to use it if it has to define its own struct siginfo (e.g.
MIPS and potentially IA64), since it means that asm-generic/siginfo.h
can only be included after defining the arch-specific siginfo, which may
be problematic if the arch-specific definition needs definitions from
uapi/asm-generic/siginfo.h.

It is possible to work around this by first including
uapi/asm-generic/siginfo.h to get the constants before defining the
arch-specific siginfo, and include asm-generic/siginfo.h after. However
uapi headers can't be included by other uapi headers, so that first
include has to be in an ifdef __kernel__, with the non __kernel__ case
including the non-UAPI header instead.

Instead of that mess, move the generic copy_siginfo() definition into
linux/signal.h, which allows an arch-specific uapi/asm/siginfo.h to
include asm-generic/siginfo.h and define the arch-specific siginfo, and
for the generic copy_siginfo() to see that arch-specific definition.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Petr Malat <oss@malat.biz>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: Christopher Ferris <cferris@google.com>
Cc: linux-arch@vger.kernel.org
Cc: linux-mips@linux-mips.org
Cc: linux-ia64@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/12478/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 include/asm-generic/siginfo.h | 15 ---------------
 include/linux/signal.h        | 15 +++++++++++++++
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/include/asm-generic/siginfo.h b/include/asm-generic/siginfo.h
index 3d1a3af..a2508a8 100644
--- a/include/asm-generic/siginfo.h
+++ b/include/asm-generic/siginfo.h
@@ -17,21 +17,6 @@
 struct siginfo;
 void do_schedule_next_timer(struct siginfo *info);
 
-#ifndef HAVE_ARCH_COPY_SIGINFO
-
-#include <linux/string.h>
-
-static inline void copy_siginfo(struct siginfo *to, struct siginfo *from)
-{
-	if (from->si_code < 0)
-		memcpy(to, from, sizeof(*to));
-	else
-		/* _sigchld is currently the largest know union member */
-		memcpy(to, from, __ARCH_SI_PREAMBLE_SIZE + sizeof(from->_sifields._sigchld));
-}
-
-#endif
-
 extern int copy_siginfo_to_user(struct siginfo __user *to, const struct siginfo *from);
 
 #endif
diff --git a/include/linux/signal.h b/include/linux/signal.h
index 92557bb..d80259a 100644
--- a/include/linux/signal.h
+++ b/include/linux/signal.h
@@ -28,6 +28,21 @@ struct sigpending {
 	sigset_t signal;
 };
 
+#ifndef HAVE_ARCH_COPY_SIGINFO
+
+#include <linux/string.h>
+
+static inline void copy_siginfo(struct siginfo *to, struct siginfo *from)
+{
+	if (from->si_code < 0)
+		memcpy(to, from, sizeof(*to));
+	else
+		/* _sigchld is currently the largest know union member */
+		memcpy(to, from, __ARCH_SI_PREAMBLE_SIZE + sizeof(from->_sifields._sigchld));
+}
+
+#endif
+
 /*
  * Define some primitives to manipulate sigset_t.
  */
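Review bot: "#include <linux/string.h>" now sits in the middle of
linux/signal.h inside the HAVE_ARCH_COPY_SIGINFO block; it belongs with
the includes at the top of the header. The moved comment also carries
the typo "largest know union member", though keeping the move
byte-identical to upstream is a fair reason to leave it in a stable
backport.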
-- 
2.7.4


* [PATCH 4.2.y-ckt 100/206] MIPS: Fix uapi include in exported asm/siginfo.h
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (98 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 099/206] SIGNAL: Move generic copy_siginfo() to signal.h Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 101/206] MIPS: math-emu: Fix jalr emulation when rd == $0 Kamal Mostafa
                   ` (105 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: James Hogan, Petr Malat, linux-mips, Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: James Hogan <james.hogan@imgtec.com>

commit 987e5b834467c9251ca584febda65ef8f66351a9 upstream.

Since commit 8cb48fe169dd ("MIPS: Provide correct siginfo_t.si_stime"),
MIPS' uapi/asm/siginfo.h has included uapi/asm-generic/siginfo.h
directly before defining MIPS' struct siginfo, in order to get the
necessary definitions needed for the siginfo struct without the generic
copy_siginfo() hitting compiler errors due to struct siginfo not yet
being defined.

Now that the generic copy_siginfo() is moved out to linux/signal.h we
can safely include asm-generic/siginfo.h before defining the MIPS
specific struct siginfo, which avoids the uapi/ include as well as
breakage due to generic copy_siginfo() being defined before struct
siginfo.

Reported-by: Christopher Ferris <cferris@google.com>
Fixes: 8cb48fe169dd ("MIPS: Provide correct siginfo_t.si_stime")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Petr Malat <oss@malat.biz>
Cc: linux-mips@linux-mips.org
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/include/uapi/asm/siginfo.h | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/arch/mips/include/uapi/asm/siginfo.h b/arch/mips/include/uapi/asm/siginfo.h
index 03ec109..e2b5337 100644
--- a/arch/mips/include/uapi/asm/siginfo.h
+++ b/arch/mips/include/uapi/asm/siginfo.h
@@ -28,7 +28,7 @@
 
 #define __ARCH_SIGSYS
 
-#include <uapi/asm-generic/siginfo.h>
+#include <asm-generic/siginfo.h>
 
 /* We can't use generic siginfo_t, because our si_code and si_errno are swapped */
 typedef struct siginfo {
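Review bot: the `#include <asm-generic/siginfo.h>` at the top of this hunk now sits ahead of the MIPS `typedef struct siginfo`, so it is only safe while the generic header contains nothing that needs the complete struct. A one-line comment next to the include recording that ordering constraint would keep a later change to the generic header from reintroducing the build breakage this patch removes.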
@@ -118,6 +118,4 @@ typedef struct siginfo {
 #define SI_TIMER __SI_CODE(__SI_TIMER, -3) /* sent by timer expiration */
 #define SI_MESGQ __SI_CODE(__SI_MESGQ, -4) /* sent by real time mesq state change */
 
-#include <asm-generic/siginfo.h>
-
 #endif /* _UAPI_ASM_SIGINFO_H */
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 101/206] MIPS: math-emu: Fix jalr emulation when rd == $0
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Paul Burton, Maciej W . Rozycki, James Hogan, linux-mips,
	Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Paul Burton <paul.burton@imgtec.com>

commit ab4a92e66741b35ca12f8497896bafbe579c28a1 upstream.

When emulating a jalr instruction with rd == $0, the code in
isBranchInstr was incorrectly writing to GPR $0 which should actually
always remain zeroed. This would lead to any further instructions
emulated which use $0 operating on a bogus value until the task is next
context switched, at which point the value of $0 in the task context
would be restored to the correct zero by a store in SAVE_SOME. Fix this
by not writing to rd if it is $0.

Fixes: 102cedc32a6e ("MIPS: microMIPS: Floating point support.")
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: Maciej W. Rozycki <macro@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/13160/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/math-emu/cp1emu.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c
index f0f1b98..2bf9209 100644
--- a/arch/mips/math-emu/cp1emu.c
+++ b/arch/mips/math-emu/cp1emu.c
@@ -445,9 +445,11 @@ static int isBranchInstr(struct pt_regs *regs, struct mm_decoded_insn dec_insn,
 	case spec_op:
 		switch (insn.r_format.func) {
 		case jalr_op:
-			regs->regs[insn.r_format.rd] =
-				regs->cp0_epc + dec_insn.pc_inc +
-				dec_insn.next_pc_inc;
+			if (insn.r_format.rd != 0) {
+				regs->regs[insn.r_format.rd] =
+					regs->cp0_epc + dec_insn.pc_inc +
+					dec_insn.next_pc_inc;
+			}
 			/* Fall through */
 		case jr_op:
 			/* For R6, JR already emulated in jalr_op */
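Review bot: the new `insn.r_format.rd != 0` test in the jalr_op case has no comment saying why the write is skipped. A short note that GPR $0 must always read as zero, so the link address is discarded when rd is $0, would stop a later cleanup from treating the guard as redundant and removing it.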
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 102/206] MIPS: ptrace: Fix FP context restoration FCSR regression
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Maciej W . Rozycki, linux-mips, Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "Maciej W. Rozycki" <macro@imgtec.com>

commit 4249548454f7ba4581aeee26bd83f42b48a14d15 upstream.

Fix a floating-point context restoration regression introduced with
commit 9b26616c8d9d ("MIPS: Respect the ISA level in FCSR handling")
that causes a Floating Point exception and consequently a kernel oops
with hard float configurations when one or more FCSR Enable and their
corresponding Cause bits are set both at a time via a ptrace(2) call.

To do so reinstate Cause bit masking originally introduced with commit
b1442d39fac2 ("MIPS: Prevent user from setting FCSR cause bits") to
address this exact problem and then inadvertently removed from the
PTRACE_SETFPREGS request with the commit referred above.

Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/13238/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/kernel/ptrace.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
index e933a30..d56642a 100644
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -175,6 +175,7 @@ int ptrace_setfpregs(struct task_struct *child, __u32 __user *data)
 	}
 
 	__get_user(value, data + 64);
+	value &= ~FPU_CSR_ALL_X;
 	fcr31 = child->thread.fpu.fcr31;
 	mask = boot_cpu_data.fpu_msk31;
 	child->thread.fpu.fcr31 = (value & ~mask) | (fcr31 & mask);
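Review bot: the added `value &= ~FPU_CSR_ALL_X;` carries no comment, and the commit message says this same masking was already dropped once by accident. Put a comment on the line stating that Cause bits must never be taken from the tracer because a Cause bit with its Enable bit set raises an FP exception on context restore. Separately, the result of `__get_user(value, data + 64)` just above is not checked, so a faulting read is not reported to the caller.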
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 103/206] MIPS: ptrace: Prevent writes to read-only FCSR bits
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Maciej W . Rozycki, linux-mips, Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "Maciej W. Rozycki" <macro@imgtec.com>

commit abf378be49f38c4d3e23581d3df3fa9f1b1b11d2 upstream.

Correct the cases missed with commit 9b26616c8d9d ("MIPS: Respect the
ISA level in FCSR handling") and prevent writes to read-only FCSR bits
there.

This in particular applies to FP context initialisation where any IEEE
754-2008 bits preset by `mips_set_personality_nan' are cleared before
the relevant ptrace(2) call takes effect and the PTRACE_POKEUSR request
addressing FPC_CSR where no masking of read-only FCSR bits is done.

Remove the FCSR clearing from FP context initialisation then and unify
PTRACE_POKEUSR/FPC_CSR and PTRACE_SETFPREGS handling, by factoring out
code from `ptrace_setfpregs' and calling it from both places.

This mostly matters to soft float configurations where the emulator can
be switched this way to a mode which should not be accessible and cannot
be set with the CTC1 instruction.  With hard float configurations any
effect is transient anyway as read-only bits will retain their values at
the time the FP context is restored.

Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/13239/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/kernel/ptrace.c | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
index d56642a..f7968b5 100644
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -56,8 +56,7 @@ static void init_fp_ctx(struct task_struct *target)
 	/* Begin with data registers set to all 1s... */
 	memset(&target->thread.fpu.fpr, ~0, sizeof(target->thread.fpu.fpr));
 
-	/* ...and FCSR zeroed */
-	target->thread.fpu.fcr31 = 0;
+	/* FCSR has been preset by `mips_set_personality_nan'.  */
 
 	/*
 	 * Record that the target has "used" math, such that the context
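Review bot: with `target->thread.fpu.fcr31 = 0;` removed, init_fp_ctx() depends on fcr31 having been set before it is called, and the replacement comment names `mips_set_personality_nan' without saying where that call happens relative to this one. Name the call path in the comment so a reader can confirm the field is never left holding a stale value when this function runs.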
@@ -79,6 +78,22 @@ void ptrace_disable(struct task_struct *child)
 }
 
 /*
+ * Poke at FCSR according to its mask.  Don't set the cause bits as
+ * this is currently not handled correctly in FP context restoration
+ * and will cause an oops if a corresponding enable bit is set.
+ */
+static void ptrace_setfcr31(struct task_struct *child, u32 value)
+{
+	u32 fcr31;
+	u32 mask;
+
+	value &= ~FPU_CSR_ALL_X;
+	fcr31 = child->thread.fpu.fcr31;
+	mask = boot_cpu_data.fpu_msk31;
+	child->thread.fpu.fcr31 = (value & ~mask) | (fcr31 & mask);
+}
+
+/*
  * Read a general register set.	 We always use the 64-bit format, even
  * for 32-bit kernels and for 32-bit processes on a 64-bit kernel.
  * Registers are sign extended to fill the available space.
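Review bot: the comment above ptrace_setfcr31() explains the Cause-bit masking but not the `mask` step, where every bit set in `boot_cpu_data.fpu_msk31` keeps the child's current value and is never taken from `value`. Preventing writes to read-only bits is the stated purpose of the patch, so the comment should say that `(value & ~mask) | (fcr31 & mask)` is what enforces it.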
@@ -158,9 +173,7 @@ int ptrace_setfpregs(struct task_struct *child, __u32 __user *data)
 {
 	union fpureg *fregs;
 	u64 fpr_val;
-	u32 fcr31;
 	u32 value;
-	u32 mask;
 	int i;
 
 	if (!access_ok(VERIFY_READ, data, 33 * 8))
@@ -175,10 +188,7 @@ int ptrace_setfpregs(struct task_struct *child, __u32 __user *data)
 	}
 
 	__get_user(value, data + 64);
-	value &= ~FPU_CSR_ALL_X;
-	fcr31 = child->thread.fpu.fcr31;
-	mask = boot_cpu_data.fpu_msk31;
-	child->thread.fpu.fcr31 = (value & ~mask) | (fcr31 & mask);
+	ptrace_setfcr31(child, value);
 
 	/* FIR may not be written.  */
 
@@ -721,7 +731,7 @@ long arch_ptrace(struct task_struct *child, long request,
 			break;
 #endif
 		case FPC_CSR:
-			child->thread.fpu.fcr31 = data & ~FPU_CSR_ALL_X;
+			ptrace_setfcr31(child, data);
 			break;
 		case DSP_BASE ... DSP_BASE + 5: {
 			dspreg_t *dregs;
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 104/206] MIPS: Disable preemption during prctl(PR_SET_FP_MODE, ...)
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Paul Burton, Adam Buchbinder, James Hogan, linux-mips,
	Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Paul Burton <paul.burton@imgtec.com>

commit bd239f1e1429e7781096bf3884bdb1b2b1bb4f28 upstream.

Whilst a PR_SET_FP_MODE prctl is performed there are decisions made
based upon whether the task is executing on the current CPU. This may
change if we're preempted, so disable preemption to avoid such changes
for the lifetime of the mode switch.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Fixes: 9791554b45a2 ("MIPS,prctl: add PR_[GS]ET_FP_MODE prctl options for MIPS")
Reviewed-by: Maciej W. Rozycki <macro@imgtec.com>
Tested-by: Aurelien Jarno <aurelien@aurel32.net>
Cc: Adam Buchbinder <adam.buchbinder@gmail.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/13144/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/kernel/process.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
index 6b3ae73..89847be 100644
--- a/arch/mips/kernel/process.c
+++ b/arch/mips/kernel/process.c
@@ -603,6 +603,9 @@ int mips_set_process_fp_mode(struct task_struct *task, unsigned int value)
 	if (!(value & PR_FP_MODE_FR) && cpu_has_fpu && cpu_has_mips_r6)
 		return -EOPNOTSUPP;
 
+	/* Proceed with the mode switch */
+	preempt_disable();
+
 	/* Save FP & vector context, then disable FPU & MSA */
 	if (task->signal == current->signal)
 		lose_fpu(1);
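Review bot: preempt_disable() is taken here and released only by the single preempt_enable() before `return 0`, so everything between the two now runs non-preemptible. The removed lines in the next patch of this series (105/206) show that, at this point in the series, that region still contains a wait loop built on `cond_resched()`, which cannot reschedule while preemption is disabled. The two patches should be applied together rather than separately, and any return path added between the two calls needs its own preempt_enable().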
@@ -661,6 +664,7 @@ int mips_set_process_fp_mode(struct task_struct *task, unsigned int value)
 
 	/* Allow threads to use FP again */
 	atomic_set(&task->mm->context.fp_mode_switching, 0);
+	preempt_enable();
 
 	return 0;
 }
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 105/206] MIPS: Force CPUs to lose FP context during mode switches
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Paul Burton, Adam Buchbinder, James Hogan, linux-mips,
	Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Paul Burton <paul.burton@imgtec.com>

commit 6b8322576e9d325b65c54fbef64e4e8690ad70ce upstream.

Commit 9791554b45a2 ("MIPS,prctl: add PR_[GS]ET_FP_MODE prctl options
for MIPS") added support for the PR_SET_FP_MODE prctl, which allows a
userland program to modify its FP mode at runtime. This is most notably
required if dynamic linking leads to the FP mode requirement changing at
runtime from that indicated in the initial executable's ELF header. In
order to avoid overhead in the general FP context restore code, it aimed
to have threads in the process become unable to enable the FPU during a
mode switch & have the thread calling the prctl syscall wait for all
other threads in the process to be context switched at least once. Once
that happens we can know that no thread in the process whose mode will
be switched has live FP context, and it's safe to perform the mode
switch. However in the (rare) case of mode switches occurring in
multithreaded programs this can lead to indeterminate delays for the
thread invoking the prctl syscall, and the code monitoring for those
context switches was woefully inadequate for all but the simplest cases.

Fix this by broadcasting an IPI if other CPUs may have live FP context
for an affected thread, with a handler causing those CPUs to relinquish
their FPU ownership. Threads will then be allowed to continue running
but will stall on the wait_on_atomic_t in enable_restore_fp_context if
they attempt to use FP again whilst the mode switch is still in
progress. The end result is less fragile poking at scheduler context
switch counts & a more expedient completion of the mode switch.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Fixes: 9791554b45a2 ("MIPS,prctl: add PR_[GS]ET_FP_MODE prctl options for MIPS")
Reviewed-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: Adam Buchbinder <adam.buchbinder@gmail.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/13145/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/kernel/process.c | 40 +++++++++++++++++-----------------------
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
index 89847be..ac84ac8 100644
--- a/arch/mips/kernel/process.c
+++ b/arch/mips/kernel/process.c
@@ -582,11 +582,19 @@ int mips_get_process_fp_mode(struct task_struct *task)
 	return value;
 }
 
+static void prepare_for_fp_mode_switch(void *info)
+{
+	struct mm_struct *mm = info;
+
+	if (current->mm == mm)
+		lose_fpu(1);
+}
+
 int mips_set_process_fp_mode(struct task_struct *task, unsigned int value)
 {
 	const unsigned int known_bits = PR_FP_MODE_FR | PR_FP_MODE_FRE;
-	unsigned long switch_count;
 	struct task_struct *t;
+	int max_users;
 
 	/* Check the value is valid */
 	if (value & ~known_bits)
@@ -615,31 +623,17 @@ int mips_set_process_fp_mode(struct task_struct *task, unsigned int value)
 	smp_mb__after_atomic();
 
 	/*
-	 * If there are multiple online CPUs then wait until all threads whose
-	 * FP mode is about to change have been context switched. This approach
-	 * allows us to only worry about whether an FP mode switch is in
-	 * progress when FP is first used in a tasks time slice. Pretty much all
-	 * of the mode switch overhead can thus be confined to cases where mode
-	 * switches are actually occuring. That is, to here. However for the
-	 * thread performing the mode switch it may take a while...
+	 * If there are multiple online CPUs then force any which are running
+	 * threads in this process to lose their FPU context, which they can't
+	 * regain until fp_mode_switching is cleared later.
 	 */
 	if (num_online_cpus() > 1) {
-		spin_lock_irq(&task->sighand->siglock);
-
-		for_each_thread(task, t) {
-			if (t == current)
-				continue;
-
-			switch_count = t->nvcsw + t->nivcsw;
-
-			do {
-				spin_unlock_irq(&task->sighand->siglock);
-				cond_resched();
-				spin_lock_irq(&task->sighand->siglock);
-			} while ((t->nvcsw + t->nivcsw) == switch_count);
-		}
+		/* No need to send an IPI for the local CPU */
+		max_users = (task->mm == current->mm) ? 1 : 0;
 
-		spin_unlock_irq(&task->sighand->siglock);
+		if (atomic_read(&current->mm->mm_users) > max_users)
+			smp_call_function(prepare_for_fp_mode_switch,
+					  (void *)current->mm, 1);
 	}
 
 	/*
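Review bot: the new block mixes `task->mm` and `current->mm`: max_users comes from comparing the two, but the mm_users read and the pointer passed to smp_call_function() both use `current->mm`. If task can ever belong to a different mm than current, the handler's `current->mm == mm` test would match the caller's threads instead of the target's. Either use `task->mm` throughout or state in the comment that task is always in current's process. The `(void *)` cast on the argument is also unnecessary.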
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 106/206] ring-buffer: Use long for nr_pages to avoid overflow failures
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Steven Rostedt, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>

commit 9b94a8fba501f38368aef6ac1b30e7335252a220 upstream.

The size variable to change the ring buffer in ftrace is a long. The
nr_pages used to update the ring buffer based on the size is int. On 64 bit
machines this can cause an overflow problem.

For example, the following will cause the ring buffer to crash:

 # cd /sys/kernel/debug/tracing
 # echo 10 > buffer_size_kb
 # echo 8556384240 > buffer_size_kb

Then you get the warning of:

 WARNING: CPU: 1 PID: 318 at kernel/trace/ring_buffer.c:1527 rb_update_pages+0x22f/0x260

Which is:

  RB_WARN_ON(cpu_buffer, nr_removed);

Note each ring buffer page holds 4080 bytes.

This is because:

 1) 10 causes the ring buffer to have 3 pages.
    (10kb requires 3 * 4080 pages to hold)

 2) (2^31 / 2^10  + 1) * 4080 = 8556384240
    The value written into buffer_size_kb is shifted by 10 and then passed
    to ring_buffer_resize(). 8556384240 * 2^10 = 8761737461760

 3) The size passed to ring_buffer_resize() is then divided by BUF_PAGE_SIZE
    which is 4080. 8761737461760 / 4080 = 2147484672

 4) nr_pages is subtracted from the current nr_pages (3) and we get:
    2147484669. This value is saved in a signed integer nr_pages_to_update

 5) 2147484669 is greater than 2^31 but smaller than 2^32, a signed int
    turns into the value of -2147482627

 6) As the value is a negative number, in update_pages_handler() it is
    negated and passed to rb_remove_pages() and 2147482627 pages will
    be removed, which is much larger than 3 and it causes the warning
    because not all the pages asked to be removed were removed.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=118001

Fixes: 7a8e76a3829f1 ("tracing: unified trace buffer")
Reported-by: Hao Qin <QEver.cn@gmail.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 kernel/trace/ring_buffer.c | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index 40718df..c3f1f34 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -426,7 +426,7 @@ struct ring_buffer_per_cpu {
 	raw_spinlock_t			reader_lock;	/* serialize readers */
 	arch_spinlock_t			lock;
 	struct lock_class_key		lock_key;
-	unsigned int			nr_pages;
+	unsigned long			nr_pages;
 	unsigned int			current_context;
 	struct list_head		*pages;
 	struct buffer_page		*head_page;	/* read from head */
@@ -447,7 +447,7 @@ struct ring_buffer_per_cpu {
 	u64				write_stamp;
 	u64				read_stamp;
 	/* ring buffer pages to update, > 0 to add, < 0 to remove */
-	int				nr_pages_to_update;
+	long				nr_pages_to_update;
 	struct list_head		new_pages; /* new pages to add */
 	struct work_struct		update_pages_work;
 	struct completion		update_done;
@@ -1126,10 +1126,10 @@ static int rb_check_pages(struct ring_buffer_per_cpu *cpu_buffer)
 	return 0;
 }
 
-static int __rb_allocate_pages(int nr_pages, struct list_head *pages, int cpu)
+static int __rb_allocate_pages(long nr_pages, struct list_head *pages, int cpu)
 {
-	int i;
 	struct buffer_page *bpage, *tmp;
+	long i;
 
 	for (i = 0; i < nr_pages; i++) {
 		struct page *page;
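Review bot: __rb_allocate_pages() now takes a signed `long nr_pages` with a `long i` counter, while the struct field and rb_allocate_pages() in the neighbouring hunks use `unsigned long`. A count above LONG_MAX would arrive here as a negative number and `for (i = 0; i < nr_pages; i++)` would never run its body. Use `unsigned long` for the count throughout (rb_allocate_cpu_buffer() has the same mismatch), or reject out-of-range counts before this call.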
@@ -1166,7 +1166,7 @@ free_pages:
 }
 
 static int rb_allocate_pages(struct ring_buffer_per_cpu *cpu_buffer,
-			     unsigned nr_pages)
+			     unsigned long nr_pages)
 {
 	LIST_HEAD(pages);
 
@@ -1191,7 +1191,7 @@ static int rb_allocate_pages(struct ring_buffer_per_cpu *cpu_buffer,
 }
 
 static struct ring_buffer_per_cpu *
-rb_allocate_cpu_buffer(struct ring_buffer *buffer, int nr_pages, int cpu)
+rb_allocate_cpu_buffer(struct ring_buffer *buffer, long nr_pages, int cpu)
 {
 	struct ring_buffer_per_cpu *cpu_buffer;
 	struct buffer_page *bpage;
@@ -1291,8 +1291,9 @@ struct ring_buffer *__ring_buffer_alloc(unsigned long size, unsigned flags,
 					struct lock_class_key *key)
 {
 	struct ring_buffer *buffer;
+	long nr_pages;
 	int bsize;
-	int cpu, nr_pages;
+	int cpu;
 
 	/* keep it in its own cache line */
 	buffer = kzalloc(ALIGN(sizeof(*buffer), cache_line_size()),
@@ -1418,12 +1419,12 @@ static inline unsigned long rb_page_write(struct buffer_page *bpage)
 }
 
 static int
-rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages)
+rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned long nr_pages)
 {
 	struct list_head *tail_page, *to_remove, *next_page;
 	struct buffer_page *to_remove_page, *tmp_iter_page;
 	struct buffer_page *last_page, *first_page;
-	unsigned int nr_removed;
+	unsigned long nr_removed;
 	unsigned long head_bit;
 	int page_entries;
 
@@ -1640,7 +1641,7 @@ int ring_buffer_resize(struct ring_buffer *buffer, unsigned long size,
 			int cpu_id)
 {
 	struct ring_buffer_per_cpu *cpu_buffer;
-	unsigned nr_pages;
+	unsigned long nr_pages;
 	int cpu, err = 0;
 
 	/*
@@ -4602,8 +4603,9 @@ static int rb_cpu_notify(struct notifier_block *self,
 	struct ring_buffer *buffer =
 		container_of(self, struct ring_buffer, cpu_notify);
 	long cpu = (long)hcpu;
-	int cpu_i, nr_pages_same;
-	unsigned int nr_pages;
+	long nr_pages_same;
+	int cpu_i;
+	unsigned long nr_pages;
 
 	switch (action) {
 	case CPU_UP_PREPARE:
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 107/206] ring-buffer: Prevent overflow of size in ring_buffer_resize()
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Steven Rostedt, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>

commit 59643d1535eb220668692a5359de22545af579f6 upstream.

If the size passed to ring_buffer_resize() is greater than MAX_LONG - BUF_PAGE_SIZE
then the DIV_ROUND_UP() will return zero.

Here are the details:

  # echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb

tracing_entries_write() processes this and converts kb to bytes.

 18014398509481980 << 10 = 18446744073709547520

and this is passed to ring_buffer_resize() as unsigned long size.

 size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);

Where DIV_ROUND_UP(a, b) is (a + b - 1)/b

BUF_PAGE_SIZE is 4080 and here

 18446744073709547520 + 4080 - 1 = 18446744073709551599

where 18446744073709551599 is still smaller than 2^64

 2^64 - 18446744073709551599 = 17

But now 18446744073709551599 / 4080 = 4521260802379792

and size = size * 4080 = 18446744073709551360

This is checked to make sure it's still greater than 2 * 4080,
which it is.

Then we convert to the number of buffer pages needed.

 nr_page = DIV_ROUND_UP(size, BUF_PAGE_SIZE)

but this time size is 18446744073709551360 and

 2^64 - (18446744073709551360 + 4080 - 1) = -3823

Thus it overflows and the resulting number is less than 4080, which makes

  3823 / 4080 = 0

and nr_pages is set to this. As we already checked against the minimum that
nr_pages may be, this causes the logic to fail as well, and we crash the
kernel.

There's no reason to have the two DIV_ROUND_UP() (that's just the result of
historical code changes), clean up the code and fix this bug.

Fixes: 83f40318dab00 ("ring-buffer: Make removal of ring buffer pages atomic")
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 kernel/trace/ring_buffer.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index c3f1f34..f683029 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -1655,14 +1655,13 @@ int ring_buffer_resize(struct ring_buffer *buffer, unsigned long size,
 	    !cpumask_test_cpu(cpu_id, buffer->cpumask))
 		return size;
 
-	size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);
-	size *= BUF_PAGE_SIZE;
+	nr_pages = DIV_ROUND_UP(size, BUF_PAGE_SIZE);
 
 	/* we need a minimum of two pages */
-	if (size < BUF_PAGE_SIZE * 2)
-		size = BUF_PAGE_SIZE * 2;
+	if (nr_pages < 2)
+		nr_pages = 2;
 
-	nr_pages = DIV_ROUND_UP(size, BUF_PAGE_SIZE);
+	size = nr_pages * BUF_PAGE_SIZE;
 
 	/*
 	 * Don't succeed if resizing is disabled, as a reader might be
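Review bot: the remaining `DIV_ROUND_UP(size, BUF_PAGE_SIZE)` can still wrap when size is within `BUF_PAGE_SIZE - 1` of the top of the unsigned long range, and the `nr_pages < 2` clamp then turns the wrapped result into a 2-page buffer instead of an error. That no longer crashes, but a request for an enormous buffer silently yields the smallest one. Consider rejecting sizes that cannot be rounded up without wrapping, or computing the page count as `size / BUF_PAGE_SIZE` plus one when there is a remainder.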
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread
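
The arithmetic walked through in the commit messages of patches 106/206 and 107/206 above, reproduced as an added example (not kernel code and not part of either patch). Fixed-width types stand in for a 64-bit kernel's `int` and `unsigned long`; the function names are hypothetical, and the constants are the ones quoted in the two commit messages.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Data bytes per ring buffer page, as stated in both commit messages. */
#define BUF_PAGE_SIZE 4080ULL

/* Values written to buffer_size_kb in the two commit messages. */
#define KB_PATCH_106 8556384240ULL
#define KB_PATCH_107 18014398509481980ULL

/* DIV_ROUND_UP(a, b) as quoted in patch 107, in 64-bit unsigned arithmetic. */
static uint64_t div_round_up(uint64_t a, uint64_t b)
{
	return (a + b - 1) / b;
}

/* Reinterpret the low 32 bits of v as a two's-complement signed int. */
static int64_t as_int32(uint64_t v)
{
	uint32_t low = (uint32_t)v;

	return low >= 0x80000000u ? (int64_t)low - 4294967296LL : (int64_t)low;
}

/* Patch 106, before: page count and delta are held in 32-bit variables. */
static int64_t delta_before_106(uint64_t size_kb, uint32_t cur_pages)
{
	uint64_t size = size_kb << 10;	/* kb to bytes */
	uint32_t nr_pages = (uint32_t)div_round_up(size, BUF_PAGE_SIZE);

	/* nr_pages_to_update was a signed int: values >= 2^31 go negative */
	return as_int32((uint64_t)nr_pages - cur_pages);
}

/* Patch 106, after: both are 64 bits wide, so the delta stays positive. */
static int64_t delta_after_106(uint64_t size_kb, uint64_t cur_pages)
{
	uint64_t nr_pages = div_round_up(size_kb << 10, BUF_PAGE_SIZE);

	return (int64_t)(nr_pages - cur_pages);
}

/* Patch 107, before: round up to whole pages in bytes, then divide again. */
static uint64_t nr_pages_before_107(uint64_t size)
{
	size = div_round_up(size, BUF_PAGE_SIZE);
	size *= BUF_PAGE_SIZE;		/* now within 4079 of 2^64 */

	if (size < BUF_PAGE_SIZE * 2)
		size = BUF_PAGE_SIZE * 2;

	/* size + 4079 wraps past 2^64 here, so the quotient is 0 */
	return div_round_up(size, BUF_PAGE_SIZE);
}

/* Patch 107, after: one division, minimum applied to the page count. */
static uint64_t nr_pages_after_107(uint64_t size)
{
	uint64_t nr_pages = div_round_up(size, BUF_PAGE_SIZE);

	if (nr_pages < 2)
		nr_pages = 2;
	return nr_pages;
}

int main(void)
{
	printf("106 before: nr_pages_to_update = %" PRId64 "\n",
	       delta_before_106(KB_PATCH_106, 3));
	printf("106 after:  nr_pages_to_update = %" PRId64 "\n",
	       delta_after_106(KB_PATCH_106, 3));
	printf("107 before: nr_pages = %" PRIu64 "\n",
	       nr_pages_before_107(KB_PATCH_107 << 10));
	printf("107 after:  nr_pages = %" PRIu64 "\n",
	       nr_pages_after_107(KB_PATCH_107 << 10));
	return 0;
}
```
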

* [PATCH 4.2.y-ckt 108/206] mmc: mmc: Fix partition switch timeout for some eMMCs
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Adrian Hunter, Ulf Hansson, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Adrian Hunter <adrian.hunter@intel.com>

commit 1c447116d017a98c90f8f71c8c5a611e0aa42178 upstream.

Some eMMCs set the partition switch timeout too low.

Now typically eMMCs are considered a critical component (e.g. because
they store the root file system) and consequently are expected to be
reliable.  Thus we can neglect the use case where eMMCs can't switch
reliably and we might want a lower timeout to facilitate speedy
recovery.

Although we could employ a quirk for the cards that are affected (if
we could identify them all), as described above, there is little
benefit to having a low timeout, so instead simply set a minimum
timeout.

The minimum is set to 300ms somewhat arbitrarily - the examples that
have been seen had a timeout of 10ms but were sometimes taking 60-70ms.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/mmc/core/mmc.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c
index c3c48b1..863b673 100644
--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -333,6 +333,9 @@ static void mmc_manage_gp_partitions(struct mmc_card *card, u8 *ext_csd)
 	}
 }
 
+/* Minimum partition switch timeout in milliseconds */
+#define MMC_MIN_PART_SWITCH_TIME	300
+
 /*
  * Decode extended CSD.
  */
@@ -397,6 +400,10 @@ static int mmc_decode_ext_csd(struct mmc_card *card, u8 *ext_csd)
 
 		/* EXT_CSD value is in units of 10ms, but we store in ms */
 		card->ext_csd.part_time = 10 * ext_csd[EXT_CSD_PART_SWITCH_TIME];
+		/* Some eMMC set the value too low so set a minimum */
+		if (card->ext_csd.part_time &&
+		    card->ext_csd.part_time < MMC_MIN_PART_SWITCH_TIME)
+			card->ext_csd.part_time = MMC_MIN_PART_SWITCH_TIME;
 
 		/* Sleep / awake timeout in 100ns units */
 		if (sa_shift > 0 && sa_shift <= 0x17)
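
Review bot: the clamp in mmc_decode_ext_csd() is skipped when
card->ext_csd.part_time is 0, and the added comment does not say why.
If a zero EXT_CSD_PART_SWITCH_TIME is meant to be handled by a default
elsewhere, say so next to the "card->ext_csd.part_time &&" test;
otherwise a card that reports 0 is left without the minimum this patch
is meant to guarantee.
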
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 109/206] PCI: Disable all BAR sizing for devices with non-compliant BARs
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (107 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 108/206] mmc: mmc: Fix partition switch timeout for some eMMCs Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 110/206] MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC Kamal Mostafa
                   ` (96 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Prarit Bhargava, Bjorn Helgaas, Thomas Gleixner, Ingo Molnar,
	H. Peter Anvin, Andi Kleen, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Prarit Bhargava <prarit@redhat.com>

commit ad67b437f187ea818b2860524d10f878fadfdd99 upstream.

b84106b4e229 ("PCI: Disable IO/MEM decoding for devices with non-compliant
BARs") disabled BAR sizing for BARs 0-5 of devices that don't comply with
the PCI spec.  But it didn't do anything for expansion ROM BARs, so we
still try to size them, resulting in warnings like this on Broadwell-EP:

  pci 0000:ff:12.0: BAR 6: failed to assign [mem size 0x00000001 pref]

Move the non-compliant BAR check from __pci_read_base() up to
pci_read_bases() so it applies to the expansion ROM BAR as well as
to BARs 0-5.

Note that direct callers of __pci_read_base(), like sriov_init(), will now
bypass this check.  We haven't had reports of devices with broken SR-IOV
BARs yet.

[bhelgaas: changelog]
Fixes: b84106b4e229 ("PCI: Disable IO/MEM decoding for devices with non-compliant BARs")
Signed-off-by: Prarit Bhargava <prarit@redhat.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
CC: Thomas Gleixner <tglx@linutronix.de>
CC: Ingo Molnar <mingo@redhat.com>
CC: "H. Peter Anvin" <hpa@zytor.com>
CC: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/pci/probe.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index 8cb5197..ea55f82 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -176,9 +176,6 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
 	u16 orig_cmd;
 	struct pci_bus_region region, inverted_region;
 
-	if (dev->non_compliant_bars)
-		return 0;
-
 	mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
 
 	/* No printks while decoding is disabled! */
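
Review bot: with the dev->non_compliant_bars test removed from
__pci_read_base(), nothing in this function tells a direct caller that
the check is now its responsibility. The changelog names sriov_init()
as a caller that will bypass it; a comment above __pci_read_base()
stating that callers must test dev->non_compliant_bars first, or the
same test added in those callers, would keep a future direct caller
from sizing BARs on a device already flagged as non-compliant.
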
@@ -319,6 +316,9 @@ static void pci_read_bases(struct pci_dev *dev, unsigned int howmany, int rom)
 {
 	unsigned int pos, reg;
 
+	if (dev->non_compliant_bars)
+		return;
+
 	for (pos = 0; pos < howmany; pos++) {
 		struct resource *res = &dev->resource[pos];
 		reg = PCI_BASE_ADDRESS_0 + (pos << 2);
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 110/206] MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (108 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 109/206] PCI: Disable all BAR sizing for devices with non-compliant BARs Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 111/206] drm/i915/fbdev: Fix num_connector references in intel_fb_initial_config() Kamal Mostafa
                   ` (95 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Maciej W . Rozycki, linux-mips, Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "Maciej W. Rozycki" <macro@imgtec.com>

commit e49d38488515057dba8f0c2ba4cfde5be4a7281f upstream.

Fix a build regression from commit c9017757c532 ("MIPS: init upper 64b
of vector registers when MSA is first used"):

arch/mips/built-in.o: In function `enable_restore_fp_context':
traps.c:(.text+0xbb90): undefined reference to `_init_msa_upper'
traps.c:(.text+0xbb90): relocation truncated to fit: R_MIPS_26 against `_init_msa_upper'
traps.c:(.text+0xbef0): undefined reference to `_init_msa_upper'
traps.c:(.text+0xbef0): relocation truncated to fit: R_MIPS_26 against `_init_msa_upper'

to !CONFIG_CPU_HAS_MSA configurations with older GCC versions, which are
unable to figure out that calls to `_init_msa_upper' are indeed dead.
Of the many ways to tackle this failure choose the approach we have
already taken in `thread_msa_context_live'.

[ralf@linux-mips.org: Drop patch segment to junk file.]

Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/13271/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/include/asm/msa.h | 13 +++++++++++++
 arch/mips/kernel/traps.c    |  6 +++---
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/arch/mips/include/asm/msa.h b/arch/mips/include/asm/msa.h
index af5638b..38bbeda 100644
--- a/arch/mips/include/asm/msa.h
+++ b/arch/mips/include/asm/msa.h
@@ -67,6 +67,19 @@ static inline void restore_msa(struct task_struct *t)
 		_restore_msa(t);
 }
 
+static inline void init_msa_upper(void)
+{
+	/*
+	 * Check cpu_has_msa only if it's a constant. This will allow the
+	 * compiler to optimise out code for CPUs without MSA without adding
+	 * an extra redundant check for CPUs with MSA.
+	 */
+	if (__builtin_constant_p(cpu_has_msa) && !cpu_has_msa)
+		return;
+
+	_init_msa_upper();
+}
+
 #ifdef TOOLCHAIN_SUPPORTS_MSA
 
 #define __BUILD_MSA_CTL_REG(name, cs)				\
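
Review bot: the new init_msa_upper() wrapper only avoids the link error
if every caller goes through it, and nothing at the definition says so.
The traps.c hunks convert three call sites; a line in the wrapper's
comment saying that _init_msa_upper() must not be called directly from
code that is built for !CONFIG_CPU_HAS_MSA would stop a later direct
call from reintroducing the undefined reference.
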
diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
index 86454f5..4f1d297 100644
--- a/arch/mips/kernel/traps.c
+++ b/arch/mips/kernel/traps.c
@@ -1229,7 +1229,7 @@ static int enable_restore_fp_context(int msa)
 		err = init_fpu();
 		if (msa && !err) {
 			enable_msa();
-			_init_msa_upper();
+			init_msa_upper();
 			set_thread_flag(TIF_USEDMSA);
 			set_thread_flag(TIF_MSA_CTX_LIVE);
 		}
@@ -1292,7 +1292,7 @@ static int enable_restore_fp_context(int msa)
 	 */
 	prior_msa = test_and_set_thread_flag(TIF_MSA_CTX_LIVE);
 	if (!prior_msa && was_fpu_owner) {
-		_init_msa_upper();
+		init_msa_upper();
 
 		goto out;
 	}
@@ -1309,7 +1309,7 @@ static int enable_restore_fp_context(int msa)
 		 * of each vector register such that it cannot see data left
 		 * behind by another task.
 		 */
-		_init_msa_upper();
+		init_msa_upper();
 	} else {
 		/* We need to restore the vector context. */
 		restore_msa(current);
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 111/206] drm/i915/fbdev: Fix num_connector references in intel_fb_initial_config()
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (109 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 110/206] MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 112/206] drm/fb_helper: Fix references to dev->mode_config.num_connector Kamal Mostafa
                   ` (94 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Lyude, Daniel Vetter, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Lyude <cpaul@redhat.com>

commit 14a3842a1d5945067d1dd0788f314e14d5b18e5b upstream.

During boot time, MST devices usually send a ton of hotplug events
regardless of whether or not any physical hotplugs actually occurred.
Hotplugs mean connectors being created/destroyed, and the number of DRM
connectors changing under us. This isn't a problem if we use
fb_helper->connector_count since we only set it once in the code,
however if we use num_connector from struct drm_mode_config we risk its
value changing under us. On top of that, there's even a chance that
dev->mode_config.num_connector != fb_helper->connector_count. If the
number of connectors happens to increase under us, we'll end up using
the wrong array size for memcpy and start writing beyond the actual
length of the array, occasionally resulting in kernel panics.

Note: This is just polish for 4.7, Dave Airlie's drm_connector
refcounting fixed these bugs for real. But it's good enough duct-tape
for stable kernel backporting, since backporting the refcounting
changes is way too invasive.

Signed-off-by: Lyude <cpaul@redhat.com>
[danvet: Clarify why we need this.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1463065021-18280-2-git-send-email-cpaul@redhat.com
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/gpu/drm/i915/intel_fbdev.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/i915/intel_fbdev.c b/drivers/gpu/drm/i915/intel_fbdev.c
index 6372cfc..b39fdf7 100644
--- a/drivers/gpu/drm/i915/intel_fbdev.c
+++ b/drivers/gpu/drm/i915/intel_fbdev.c
@@ -387,12 +387,12 @@ static bool intel_fb_initial_config(struct drm_fb_helper *fb_helper,
 	uint64_t conn_configured = 0, mask;
 	int pass = 0;
 
-	save_enabled = kcalloc(dev->mode_config.num_connector, sizeof(bool),
+	save_enabled = kcalloc(fb_helper->connector_count, sizeof(bool),
 			       GFP_KERNEL);
 	if (!save_enabled)
 		return false;
 
-	memcpy(save_enabled, enabled, dev->mode_config.num_connector);
+	memcpy(save_enabled, enabled, fb_helper->connector_count);
 	mask = (1 << fb_helper->connector_count) - 1;
 retry:
 	for (i = 0; i < fb_helper->connector_count; i++) {
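
Review bot: in this hunk the buffer is sized by kcalloc() as
fb_helper->connector_count * sizeof(bool), but the memcpy() into
save_enabled passes fb_helper->connector_count as a byte count, which
matches only when sizeof(bool) is 1. Writing the length as
fb_helper->connector_count * sizeof(bool) here, and in the restore
memcpy() under bail:, would keep the allocation and both copies in
agreement by construction rather than by assumption.
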
@@ -531,7 +531,7 @@ retry:
 	if (fallback) {
 bail:
 		DRM_DEBUG_KMS("Not using firmware configuration\n");
-		memcpy(enabled, save_enabled, dev->mode_config.num_connector);
+		memcpy(enabled, save_enabled, fb_helper->connector_count);
 		kfree(save_enabled);
 		return false;
 	}
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 112/206] drm/fb_helper: Fix references to dev->mode_config.num_connector
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (110 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 111/206] drm/i915/fbdev: Fix num_connector references in intel_fb_initial_config() Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 113/206] fs/cifs: correctly to anonymous authentication via NTLMSSP Kamal Mostafa
                   ` (93 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Lyude, Daniel Vetter, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Lyude <cpaul@redhat.com>

commit 255f0e7c418ad95a4baeda017ae6182ba9b3c423 upstream.

During boot, MST hotplugs are generally expected (even if no physical
hotplugging occurs) and result in DRM's connector topology changing.
This means that using num_connector from the current mode configuration
can lead to the number of connectors changing under us. This can lead to
some nasty scenarios in fbcon:

- We allocate an array to the size of dev->mode_config.num_connectors.
- MST hotplug occurs, dev->mode_config.num_connectors gets incremented.
- We try to loop through each element in the array using the new value
  of dev->mode_config.num_connectors, and end up going out of bounds
  since dev->mode_config.num_connectors is now larger than the array we
  allocated.

fb_helper->connector_count however, will always remain consistent while
we do a modeset in fb_helper.

Note: This is just polish for 4.7, Dave Airlie's drm_connector
refcounting fixed these bugs for real. But it's good enough duct-tape
for stable kernel backporting, since backporting the refcounting
changes is way too invasive.

Signed-off-by: Lyude <cpaul@redhat.com>
[danvet: Clarify why we need this. Also remove the now unused "dev"
local variable to appease gcc.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1463065021-18280-3-git-send-email-cpaul@redhat.com
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/gpu/drm/drm_fb_helper.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
index cac4229..c8b90b3 100644
--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -1549,7 +1549,6 @@ static int drm_pick_crtcs(struct drm_fb_helper *fb_helper,
 			  int n, int width, int height)
 {
 	int c, o;
-	struct drm_device *dev = fb_helper->dev;
 	struct drm_connector *connector;
 	const struct drm_connector_helper_funcs *connector_funcs;
 	struct drm_encoder *encoder;
@@ -1568,7 +1567,7 @@ static int drm_pick_crtcs(struct drm_fb_helper *fb_helper,
 	if (modes[n] == NULL)
 		return best_score;
 
-	crtcs = kzalloc(dev->mode_config.num_connector *
+	crtcs = kzalloc(fb_helper->connector_count *
 			sizeof(struct drm_fb_helper_crtc *), GFP_KERNEL);
 	if (!crtcs)
 		return best_score;
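
Review bot: the crtcs allocation multiplies fb_helper->connector_count
by sizeof(struct drm_fb_helper_crtc *) inside kzalloc(), an open-coded
size calculation. kcalloc(fb_helper->connector_count,
sizeof(struct drm_fb_helper_crtc *), GFP_KERNEL) zeroes the same memory
and checks the multiplication for overflow, and it matches the
kcalloc() form used for save_enabled in the i915 patch of this series.
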
@@ -1614,7 +1613,7 @@ static int drm_pick_crtcs(struct drm_fb_helper *fb_helper,
 		if (score > best_score) {
 			best_score = score;
 			memcpy(best_crtcs, crtcs,
-			       dev->mode_config.num_connector *
+			       fb_helper->connector_count *
 			       sizeof(struct drm_fb_helper_crtc *));
 		}
 	}
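
Review bot: the memcpy() into best_crtcs now copies
fb_helper->connector_count pointers, but best_crtcs is allocated by the
caller and its size is not visible in this hunk. Please confirm that
every caller of drm_pick_crtcs() sizes best_crtcs from
fb_helper->connector_count as well; if one still uses
dev->mode_config.num_connector, the destination can be smaller than the
copy.
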
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 113/206] fs/cifs: correctly to anonymous authentication via NTLMSSP
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (111 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 112/206] drm/fb_helper: Fix references to dev->mode_config.num_connector Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 114/206] fs/cifs: correctly to anonymous authentication for the LANMAN authentication Kamal Mostafa
                   ` (92 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Stefan Metzmacher, Steve French, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Stefan Metzmacher <metze@samba.org>

commit cfda35d98298131bf38fbad3ce4cd5ecb3cf18db upstream.

See [MS-NLMP] 3.2.5.1.2 Server Receives an AUTHENTICATE_MESSAGE from the Client:

   ...
   Set NullSession to FALSE
   If (AUTHENTICATE_MESSAGE.UserNameLen == 0 AND
      AUTHENTICATE_MESSAGE.NtChallengeResponse.Length == 0 AND
      (AUTHENTICATE_MESSAGE.LmChallengeResponse == Z(1)
       OR
       AUTHENTICATE_MESSAGE.LmChallengeResponse.Length == 0))
       -- Special case: client requested anonymous authentication
       Set NullSession to TRUE
   ...

Only servers which map unknown users to guest will allow
access using a non-null NTChallengeResponse.

For Samba it's the "map to guest = bad user" option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/cifs/sess.c | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index bce6fdc..abaeeab 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -400,19 +400,27 @@ int build_ntlmssp_auth_blob(unsigned char *pbuffer,
 	sec_blob->LmChallengeResponse.MaximumLength = 0;
 
 	sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer);
-	rc = setup_ntlmv2_rsp(ses, nls_cp);
-	if (rc) {
-		cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc);
-		goto setup_ntlmv2_ret;
+	if (ses->user_name != NULL) {
+		rc = setup_ntlmv2_rsp(ses, nls_cp);
+		if (rc) {
+			cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc);
+			goto setup_ntlmv2_ret;
+		}
+		memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
+				ses->auth_key.len - CIFS_SESS_KEY_SIZE);
+		tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
+
+		sec_blob->NtChallengeResponse.Length =
+				cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
+		sec_blob->NtChallengeResponse.MaximumLength =
+				cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
+	} else {
+		/*
+		 * don't send an NT Response for anonymous access
+		 */
+		sec_blob->NtChallengeResponse.Length = 0;
+		sec_blob->NtChallengeResponse.MaximumLength = 0;
 	}
-	memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
-			ses->auth_key.len - CIFS_SESS_KEY_SIZE);
-	tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
-
-	sec_blob->NtChallengeResponse.Length =
-			cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
-	sec_blob->NtChallengeResponse.MaximumLength =
-			cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
 
 	if (ses->domainName == NULL) {
 		sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
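
Review bot: the anonymous case is detected with ses->user_name != NULL,
while the [MS-NLMP] text quoted in the changelog keys on
UserNameLen == 0. A session whose user_name is a non-NULL empty string
would still call setup_ntlmv2_rsp() and send an NT response next to a
zero-length user name, so either test for an empty string as well or
state in the new comment that user_name is always NULL for anonymous
sessions.
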
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread
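
The [MS-NLMP] 3.2.5.1.2 rule quoted in the changelog above, written as a bounds-checked server-side classifier over a raw AUTHENTICATE_MESSAGE. This is an added example, not code from the patch, the kernel or Samba; all function and enum names and the constructed sample builder are hypothetical, and the field offsets follow the AUTHENTICATE_MESSAGE layout in [MS-NLMP].

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets of the {Len, MaxLen, BufferOffset} descriptors in the fixed part
 * of an AUTHENTICATE_MESSAGE; the fixed part ends after NegotiateFlags. */
enum { OFF_LM = 12, OFF_NT = 20, OFF_USER = 36, FIXED_LEN = 64 };

enum ntlm_class { NTLM_MALFORMED = -1, NTLM_AUTHENTICATED = 0, NTLM_NULL_SESSION = 1 };

struct field { uint16_t len; uint32_t off; };

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read one descriptor and reject a payload that lies outside the message. */
static bool read_field(const uint8_t *msg, size_t n, size_t at, struct field *f)
{
	f->len = get16(msg + at);
	f->off = get32(msg + at + 4);
	if (f->len == 0)
		return true;	/* offset is irrelevant for an empty field */
	return f->off >= (uint32_t)FIXED_LEN && f->off <= n && f->len <= n - f->off;
}

/* NullSession is TRUE only if user name and NT response are empty and the
 * LM response is empty or a single zero byte, i.e. Z(1). */
enum ntlm_class classify_authenticate(const uint8_t *msg, size_t n)
{
	struct field lm, nt, user;
	bool lm_null;

	if (n < (size_t)FIXED_LEN || memcmp(msg, "NTLMSSP", 8) != 0 ||
	    get32(msg + 8) != 3)
		return NTLM_MALFORMED;
	if (!read_field(msg, n, OFF_LM, &lm) || !read_field(msg, n, OFF_NT, &nt) ||
	    !read_field(msg, n, OFF_USER, &user))
		return NTLM_MALFORMED;

	lm_null = lm.len == 0 || (lm.len == 1 && msg[lm.off] == 0);
	if (user.len == 0 && nt.len == 0 && lm_null)
		return NTLM_NULL_SESSION;
	return NTLM_AUTHENTICATED;
}

static void put_field(uint8_t *p, uint16_t len, uint32_t off)
{
	p[0] = p[2] = (uint8_t)len;
	p[1] = p[3] = (uint8_t)(len >> 8);
	p[4] = (uint8_t)off;
	p[5] = (uint8_t)(off >> 8);
	p[6] = (uint8_t)(off >> 16);
	p[7] = (uint8_t)(off >> 24);
}

/* Constructed sample: header plus payload laid out LM, NT, user name.
 * The LM payload is zero bytes, NT and user name are 0xAA filler.
 * 'trim' cuts bytes off the end to simulate a truncated message. */
int classify_sample(uint16_t lm_len, uint16_t nt_len, uint16_t user_len, size_t trim)
{
	static uint8_t buf[256];
	size_t total = (size_t)FIXED_LEN + lm_len + nt_len + user_len;

	if (total > sizeof(buf) || trim > total)
		return NTLM_MALFORMED;
	memset(buf, 0, sizeof(buf));
	memcpy(buf, "NTLMSSP", 8);	/* 7 characters plus the NUL */
	buf[8] = 3;			/* MessageType: AUTHENTICATE */
	put_field(buf + OFF_LM, lm_len, FIXED_LEN);
	put_field(buf + OFF_NT, nt_len, (uint32_t)(FIXED_LEN + lm_len));
	put_field(buf + OFF_USER, user_len, (uint32_t)(FIXED_LEN + lm_len + nt_len));
	memset(buf + FIXED_LEN + lm_len, 0xAA, (size_t)nt_len + user_len);
	return classify_authenticate(buf, total - trim);
}

int main(void)
{
	printf("empty user, no responses      : %d\n", classify_sample(0, 0, 0, 0));
	printf("empty user, LM = Z(1)         : %d\n", classify_sample(1, 0, 0, 0));
	printf("empty user, 24-byte NT resp.  : %d\n", classify_sample(0, 24, 0, 0));
	printf("named user, truncated payload : %d\n", classify_sample(0, 24, 8, 1));
	return 0;
}
```

The third case is the shape a client produces when it computes an NT response for a session with no user name: the rule does not treat it as a null session.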

* [PATCH 4.2.y-ckt 114/206] fs/cifs: correctly to anonymous authentication for the LANMAN authentication
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (112 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 113/206] fs/cifs: correctly to anonymous authentication via NTLMSSP Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 115/206] fs/cifs: correctly to anonymous authentication for the NTLM(v1) authentication Kamal Mostafa
                   ` (91 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Stefan Metzmacher, Steve French, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Stefan Metzmacher <metze@samba.org>

commit fa8f3a354bb775ec586e4475bcb07f7dece97e0c upstream.

Only servers which map unknown users to guest will allow
access using a non-null LMChallengeResponse.

For Samba it's the "map to guest = bad user" option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/cifs/sess.c | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)

diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index abaeeab..91dbaca 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -678,20 +678,24 @@ sess_auth_lanman(struct sess_data *sess_data)
 
 	pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE;
 
-	/* no capabilities flags in old lanman negotiation */
-	pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_AUTH_RESP_SIZE);
+	if (ses->user_name != NULL) {
+		/* no capabilities flags in old lanman negotiation */
+		pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_AUTH_RESP_SIZE);
 
-	/* Calculate hash with password and copy into bcc_ptr.
-	 * Encryption Key (stored as in cryptkey) gets used if the
-	 * security mode bit in Negottiate Protocol response states
-	 * to use challenge/response method (i.e. Password bit is 1).
-	 */
-	rc = calc_lanman_hash(ses->password, ses->server->cryptkey,
-			      ses->server->sec_mode & SECMODE_PW_ENCRYPT ?
-			      true : false, lnm_session_key);
+		/* Calculate hash with password and copy into bcc_ptr.
+		 * Encryption Key (stored as in cryptkey) gets used if the
+		 * security mode bit in Negottiate Protocol response states
+		 * to use challenge/response method (i.e. Password bit is 1).
+		 */
+		rc = calc_lanman_hash(ses->password, ses->server->cryptkey,
+				      ses->server->sec_mode & SECMODE_PW_ENCRYPT ?
+				      true : false, lnm_session_key);
 
-	memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_AUTH_RESP_SIZE);
-	bcc_ptr += CIFS_AUTH_RESP_SIZE;
+		memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_AUTH_RESP_SIZE);
+		bcc_ptr += CIFS_AUTH_RESP_SIZE;
+	} else {
+		pSMB->old_req.PasswordLength = 0;
+	}
 
 	/*
 	 * can not sign if LANMAN negotiated so no need
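
Review bot: inside the new ses->user_name != NULL branch, rc from
calc_lanman_hash() is assigned and the memcpy() of lnm_session_key into
bcc_ptr follows with no test of rc in the visible lines. Since the
block is being re-indented anyway, check rc and bail out before the
copy so that a failed hash calculation does not place an unset
lnm_session_key in the request. The moved comment also still reads
"Negottiate".
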
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 115/206] fs/cifs: correctly to anonymous authentication for the NTLM(v1) authentication
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (113 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 114/206] fs/cifs: correctly to anonymous authentication for the LANMAN authentication Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 116/206] fs/cifs: correctly to anonymous authentication for the NTLM(v2) authentication Kamal Mostafa
                   ` (90 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Stefan Metzmacher, Steve French, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Stefan Metzmacher <metze@samba.org>

commit 777f69b8d26bf35ade4a76b08f203c11e048365d upstream.

Only servers which map unknown users to guest will allow
access using a non-null NTChallengeResponse.

For Samba it's the "map to guest = bad user" option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/cifs/sess.c | 41 +++++++++++++++++++++++------------------
 1 file changed, 23 insertions(+), 18 deletions(-)

diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index 91dbaca..a58b100 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -781,26 +781,31 @@ sess_auth_ntlm(struct sess_data *sess_data)
 	capabilities = cifs_ssetup_hdr(ses, pSMB);
 
 	pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
-	pSMB->req_no_secext.CaseInsensitivePasswordLength =
-			cpu_to_le16(CIFS_AUTH_RESP_SIZE);
-	pSMB->req_no_secext.CaseSensitivePasswordLength =
-			cpu_to_le16(CIFS_AUTH_RESP_SIZE);
+	if (ses->user_name != NULL) {
+		pSMB->req_no_secext.CaseInsensitivePasswordLength =
+				cpu_to_le16(CIFS_AUTH_RESP_SIZE);
+		pSMB->req_no_secext.CaseSensitivePasswordLength =
+				cpu_to_le16(CIFS_AUTH_RESP_SIZE);
 
-	/* calculate ntlm response and session key */
-	rc = setup_ntlm_response(ses, sess_data->nls_cp);
-	if (rc) {
-		cifs_dbg(VFS, "Error %d during NTLM authentication\n",
-				 rc);
-		goto out;
-	}
+		/* calculate ntlm response and session key */
+		rc = setup_ntlm_response(ses, sess_data->nls_cp);
+		if (rc) {
+			cifs_dbg(VFS, "Error %d during NTLM authentication\n",
+					 rc);
+			goto out;
+		}
 
-	/* copy ntlm response */
-	memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
-			CIFS_AUTH_RESP_SIZE);
-	bcc_ptr += CIFS_AUTH_RESP_SIZE;
-	memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
-			CIFS_AUTH_RESP_SIZE);
-	bcc_ptr += CIFS_AUTH_RESP_SIZE;
+		/* copy ntlm response */
+		memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
+				CIFS_AUTH_RESP_SIZE);
+		bcc_ptr += CIFS_AUTH_RESP_SIZE;
+		memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
+				CIFS_AUTH_RESP_SIZE);
+		bcc_ptr += CIFS_AUTH_RESP_SIZE;
+	} else {
+		pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
+		pSMB->req_no_secext.CaseSensitivePasswordLength = 0;
+	}
 
 	if (ses->capabilities & CAP_UNICODE) {
 		/* unicode strings must be word aligned */
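
Review bot: the else branch zeroes both password lengths without a
comment, whereas the NTLMSSP patch in this series marks the same case
with "don't send an NT Response for anonymous access". The
ses->user_name != NULL test is now repeated in
build_ntlmssp_auth_blob(), sess_auth_lanman(), sess_auth_ntlm() and
sess_auth_ntlmv2(); a small helper, or at least the same comment in
each else branch, would keep the four paths from drifting apart.
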
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 116/206] fs/cifs: correctly to anonymous authentication for the NTLM(v2) authentication
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (114 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 115/206] fs/cifs: correctly to anonymous authentication for the NTLM(v1) authentication Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 117/206] remove directory incorrectly tries to set delete on close on non-empty directories Kamal Mostafa
                   ` (89 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Stefan Metzmacher, Steve French, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Stefan Metzmacher <metze@samba.org>

commit 1a967d6c9b39c226be1b45f13acd4d8a5ab3dc44 upstream.

Only servers which map unknown users to guest will allow
access using a non-null NTLMv2_Response.

For Samba it's the "map to guest = bad user" option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/cifs/sess.c | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index a58b100..8ffda50 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -895,22 +895,26 @@ sess_auth_ntlmv2(struct sess_data *sess_data)
 	/* LM2 password would be here if we supported it */
 	pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
 
-	/* calculate nlmv2 response and session key */
-	rc = setup_ntlmv2_rsp(ses, sess_data->nls_cp);
-	if (rc) {
-		cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", rc);
-		goto out;
-	}
+	if (ses->user_name != NULL) {
+		/* calculate nlmv2 response and session key */
+		rc = setup_ntlmv2_rsp(ses, sess_data->nls_cp);
+		if (rc) {
+			cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", rc);
+			goto out;
+		}
 
-	memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
-			ses->auth_key.len - CIFS_SESS_KEY_SIZE);
-	bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
+		memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
+				ses->auth_key.len - CIFS_SESS_KEY_SIZE);
+		bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
 
-	/* set case sensitive password length after tilen may get
-	 * assigned, tilen is 0 otherwise.
-	 */
-	pSMB->req_no_secext.CaseSensitivePasswordLength =
-		cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
+		/* set case sensitive password length after tilen may get
+		 * assigned, tilen is 0 otherwise.
+		 */
+		pSMB->req_no_secext.CaseSensitivePasswordLength =
+			cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
+	} else {
+		pSMB->req_no_secext.CaseSensitivePasswordLength = 0;
+	}
 
 	if (ses->capabilities & CAP_UNICODE) {
 		if (sess_data->iov[0].iov_len % 2) {
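
Review bot: the comment moved into the new branch still refers to
tilen, which appears nowhere in the visible code, and the comment above
setup_ntlmv2_rsp() keeps the "nlmv2" misspelling. Both lines are
touched by the re-indent, so this is the place to reword the first to
describe what is actually assigned (CaseSensitivePasswordLength from
ses->auth_key.len - CIFS_SESS_KEY_SIZE) and correct the second.
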
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 117/206] remove directory incorrectly tries to set delete on close on non-empty directories
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (115 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 116/206] fs/cifs: correctly to anonymous authentication for the NTLM(v2) authentication Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 118/206] cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter() Kamal Mostafa
                   ` (88 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Steve French, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Steve French <smfrench@gmail.com>

commit 897fba1172d637d344f009d700f7eb8a1fa262f1 upstream.

Wrong return code was being returned on SMB3 rmdir of
non-empty directory.

For SMB3 (unlike for cifs), we attempt to delete a directory by
setting the delete on close flag on the open. Windows clients set
this flag via a set info (SET_FILE_DISPOSITION to set this flag)
which properly checks if the directory is empty.

With this patch on smb3 mounts we correctly return
 "DIRECTORY NOT EMPTY"
on attempts to remove a non-empty directory.

Signed-off-by: Steve French <steve.french@primarydata.com>
Acked-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/cifs/smb2glob.h  |  1 +
 fs/cifs/smb2inode.c |  8 ++++++--
 fs/cifs/smb2pdu.c   | 16 ++++++++++++++++
 fs/cifs/smb2proto.h |  2 ++
 4 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/fs/cifs/smb2glob.h b/fs/cifs/smb2glob.h
index bc0bb9c..0ffa180 100644
--- a/fs/cifs/smb2glob.h
+++ b/fs/cifs/smb2glob.h
@@ -44,6 +44,7 @@
 #define SMB2_OP_DELETE 7
 #define SMB2_OP_HARDLINK 8
 #define SMB2_OP_SET_EOF 9
+#define SMB2_OP_RMDIR 10
 
 /* Used when constructing chained read requests. */
 #define CHAINED_REQUEST 1
diff --git a/fs/cifs/smb2inode.c b/fs/cifs/smb2inode.c
index 899bbc8..4f0231e 100644
--- a/fs/cifs/smb2inode.c
+++ b/fs/cifs/smb2inode.c
@@ -80,6 +80,10 @@ smb2_open_op_close(const unsigned int xid, struct cifs_tcon *tcon,
 		 * SMB2_open() call.
 		 */
 		break;
+	case SMB2_OP_RMDIR:
+		tmprc = SMB2_rmdir(xid, tcon, fid.persistent_fid,
+				   fid.volatile_fid);
+		break;
 	case SMB2_OP_RENAME:
 		tmprc = SMB2_rename(xid, tcon, fid.persistent_fid,
 				    fid.volatile_fid, (__le16 *)data);
@@ -191,8 +195,8 @@ smb2_rmdir(const unsigned int xid, struct cifs_tcon *tcon, const char *name,
 	   struct cifs_sb_info *cifs_sb)
 {
 	return smb2_open_op_close(xid, tcon, cifs_sb, name, DELETE, FILE_OPEN,
-				  CREATE_NOT_FILE | CREATE_DELETE_ON_CLOSE,
-				  NULL, SMB2_OP_DELETE);
+				  CREATE_NOT_FILE,
+				  NULL, SMB2_OP_RMDIR);
 }
 
 int
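
Review bot: smb2_rmdir() now opens with CREATE_NOT_FILE only and relies
on SMB2_OP_RMDIR to set the disposition afterwards, but nothing at the
call site records why CREATE_DELETE_ON_CLOSE was dropped. A short
comment carrying the changelog's reason (delete-on-close at open gave
the wrong return code for a non-empty directory, the set-info path
checks emptiness) would keep the flag from being folded back in later.
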
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index e543e6a..27ad3dd 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2443,6 +2443,22 @@ SMB2_rename(const unsigned int xid, struct cifs_tcon *tcon,
 }
 
 int
+SMB2_rmdir(const unsigned int xid, struct cifs_tcon *tcon,
+		  u64 persistent_fid, u64 volatile_fid)
+{
+	__u8 delete_pending = 1;
+	void *data;
+	unsigned int size;
+
+	data = &delete_pending;
+	size = 1; /* sizeof __u8 */
+
+	return send_set_info(xid, tcon, persistent_fid, volatile_fid,
+			current->tgid, FILE_DISPOSITION_INFORMATION, 1, &data,
+			&size);
+}
+
+int
 SMB2_set_hardlink(const unsigned int xid, struct cifs_tcon *tcon,
 		  u64 persistent_fid, u64 volatile_fid, __le16 *target_file)
 {
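
Review bot: in SMB2_rmdir() the length is hard-coded as "size = 1" with
a comment saying it is sizeof __u8; sizeof(delete_pending) states that
directly and stays correct if the type changes. The function is also
added with no comment; one line saying that it sets
FILE_DISPOSITION_INFORMATION with delete pending on an already open
handle would document why it exists next to the delete-on-close path.
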
diff --git a/fs/cifs/smb2proto.h b/fs/cifs/smb2proto.h
index 79dc650..9bc59f9 100644
--- a/fs/cifs/smb2proto.h
+++ b/fs/cifs/smb2proto.h
@@ -140,6 +140,8 @@ extern int SMB2_query_directory(const unsigned int xid, struct cifs_tcon *tcon,
 extern int SMB2_rename(const unsigned int xid, struct cifs_tcon *tcon,
 		       u64 persistent_fid, u64 volatile_fid,
 		       __le16 *target_file);
+extern int SMB2_rmdir(const unsigned int xid, struct cifs_tcon *tcon,
+		      u64 persistent_fid, u64 volatile_fid);
 extern int SMB2_set_hardlink(const unsigned int xid, struct cifs_tcon *tcon,
 			     u64 persistent_fid, u64 volatile_fid,
 			     __le16 *target_file);
-- 
2.7.4


* [PATCH 4.2.y-ckt 118/206] cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter()
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (116 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 117/206] remove directory incorrectly tries to set delete on close on non-empty directories Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 119/206] xfs: xfs_iflush_cluster fails to abort on error Kamal Mostafa
                   ` (87 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Daniel Lezcano, Rafael J . Wysocki, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Daniel Lezcano <daniel.lezcano@linaro.org>

commit e7387da52028b072489c45efeb7a916c0205ebd2 upstream.

Commit 0b89e9aa2856 (cpuidle: delay enabling interrupts until all
coupled CPUs leave idle) rightfully fixed a regression by letting
the coupled idle state framework handle local interrupt enabling
when the CPU is exiting an idle state.

The current code checks if the idle state is coupled and, if so, it
will let the coupled code enable interrupts. This way, it can
decrement the ready-count before handling the interrupt. This
mechanism prevents the other CPUs from waiting for a CPU which is
handling interrupts.

But the check is done against the state index returned by the back
end driver's ->enter functions which could be different from the
initial index passed as parameter to the cpuidle_enter_state()
function.

 entered_state = target_state->enter(dev, drv, index);

 [ ... ]

 if (!cpuidle_state_is_coupled(drv, entered_state))
	local_irq_enable();

 [ ... ]

If the 'index' is referring to a coupled idle state but the
'entered_state' is *not* coupled, then the interrupts are enabled
again. All CPUs blocked on the sync barrier may busy loop longer
if the CPU has interrupts to handle before decrementing the
ready-count. That's consuming more energy than saving.

Fixes: 0b89e9aa2856 (cpuidle: delay enabling interrupts until all coupled CPUs leave idle)
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
[ rjw: Subject & changelog ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ kamal: backport to 4.2-stable: context ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/cpuidle/cpuidle.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c
index f4db470..d17881f 100644
--- a/drivers/cpuidle/cpuidle.c
+++ b/drivers/cpuidle/cpuidle.c
@@ -210,7 +210,7 @@ int cpuidle_enter_state(struct cpuidle_device *dev, struct cpuidle_driver *drv,
 		tick_broadcast_exit();
 	}
 
-	if (!cpuidle_state_is_coupled(dev, drv, entered_state))
+	if (!cpuidle_state_is_coupled(dev, drv, index))
 		local_irq_enable();
 
 	diff = ktime_to_us(ktime_sub(time_end, time_start));
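Review bot: The check before local_irq_enable() now tests `index` instead of the value returned by ->enter(), and nothing in the code says why the two differ here. Add a comment above the `if` stating that the coupled test must use the state that was requested, because the driver may return a different index and the coupled code is then still the one that enables interrupts; without it the line reads like a typo and invites a revert.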
-- 
2.7.4


* [PATCH 4.2.y-ckt 119/206] xfs: xfs_iflush_cluster fails to abort on error
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (117 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 118/206] cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter() Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 120/206] xfs: fix inode validity check in xfs_iflush_cluster Kamal Mostafa
                   ` (86 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Dave Chinner, Dave Chinner, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Dave Chinner <dchinner@redhat.com>

commit b1438f477934f5a4d5a44df26f3079a7575d5946 upstream.

When a failure due to an inode buffer occurs, the error handling
fails to abort the inode writeback correctly. This can result in the
inode being reclaimed whilst still in the AIL, leading to
use-after-free situations as well as filesystems that cannot be
unmounted as the inode log items left in the AIL never get removed.

Fix this by ensuring fatal errors from xfs_imap_to_bp() result in
the inode flush being aborted correctly.

Reported-by: Shyam Kaushik <shyam@zadarastorage.com>
Diagnosed-by: Shyam Kaushik <shyam@zadarastorage.com>
Tested-by: Shyam Kaushik <shyam@zadarastorage.com>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/xfs/xfs_inode.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c
index 3da9f4d..13c58cf 100644
--- a/fs/xfs/xfs_inode.c
+++ b/fs/xfs/xfs_inode.c
@@ -3286,7 +3286,7 @@ xfs_iflush(
 	struct xfs_buf		**bpp)
 {
 	struct xfs_mount	*mp = ip->i_mount;
-	struct xfs_buf		*bp;
+	struct xfs_buf		*bp = NULL;
 	struct xfs_dinode	*dip;
 	int			error;
 
@@ -3328,14 +3328,22 @@ xfs_iflush(
 	}
 
 	/*
-	 * Get the buffer containing the on-disk inode.
+	 * Get the buffer containing the on-disk inode. We are doing a try-lock
+	 * operation here, so we may get  an EAGAIN error. In that case, we
+	 * simply want to return with the inode still dirty.
+	 *
+	 * If we get any other error, we effectively have a corruption situation
+	 * and we cannot flush the inode, so we treat it the same as failing
+	 * xfs_iflush_int().
 	 */
 	error = xfs_imap_to_bp(mp, NULL, &ip->i_imap, &dip, &bp, XBF_TRYLOCK,
 			       0);
-	if (error || !bp) {
+	if (error == -EAGAIN) {
 		xfs_ifunlock(ip);
 		return error;
 	}
+	if (error)
+		goto corrupt_out;
 
 	/*
 	 * First flush out the inode that xfs_iflush was called with.
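Review bot: Replacing `if (error || !bp)` with `if (error == -EAGAIN)` drops the `!bp` test, so a return of 0 with bp still NULL would now fall through to the flush code with a NULL buffer. If xfs_imap_to_bp() guarantees a non-NULL bp on success, record that with an `ASSERT(bp);` after the `goto corrupt_out` check; otherwise keep a `!bp` early return. Minor: the new comment has a double space in "get  an EAGAIN".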
@@ -3363,7 +3371,8 @@ xfs_iflush(
 	return 0;
 
 corrupt_out:
-	xfs_buf_relse(bp);
+	if (bp)
+		xfs_buf_relse(bp);
 	xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
 cluster_corrupt_out:
 	error = -EFSCORRUPTED;
-- 
2.7.4


* [PATCH 4.2.y-ckt 120/206] xfs: fix inode validity check in xfs_iflush_cluster
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (118 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 119/206] xfs: xfs_iflush_cluster fails to abort on error Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 121/206] xfs: skip stale inodes " Kamal Mostafa
                   ` (85 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Dave Chinner, Dave Chinner, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Dave Chinner <dchinner@redhat.com>

commit 51b07f30a71c27405259a0248206ed4e22adbee2 upstream.

Some careless idiot(*) wrote crap code in commit 1a3e8f3 ("xfs:
convert inode cache lookups to use RCU locking") back in late 2010,
and so xfs_iflush_cluster checks the wrong inode for whether it is
still valid under RCU protection. Fix it to lock and check the
correct inode.

(*) Careless-idiot: Dave Chinner <dchinner@redhat.com>

Discovered-by: Brain Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/xfs/xfs_inode.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c
index 13c58cf..22b249f 100644
--- a/fs/xfs/xfs_inode.c
+++ b/fs/xfs/xfs_inode.c
@@ -3164,13 +3164,13 @@ xfs_iflush_cluster(
 		 * We need to check under the i_flags_lock for a valid inode
 		 * here. Skip it if it is not valid or the wrong inode.
 		 */
-		spin_lock(&ip->i_flags_lock);
-		if (!ip->i_ino ||
+		spin_lock(&iq->i_flags_lock);
+		if (!iq->i_ino ||
 		    (XFS_INO_TO_AGINO(mp, iq->i_ino) & mask) != first_index) {
-			spin_unlock(&ip->i_flags_lock);
+			spin_unlock(&iq->i_flags_lock);
 			continue;
 		}
-		spin_unlock(&ip->i_flags_lock);
+		spin_unlock(&iq->i_flags_lock);
 
 		/*
 		 * Do an un-protected check to see if the inode is dirty and
-- 
2.7.4


* [PATCH 4.2.y-ckt 121/206] xfs: skip stale inodes in xfs_iflush_cluster
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (119 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 120/206] xfs: fix inode validity check in xfs_iflush_cluster Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 122/206] KVM: MTRR: remove MSR 0x2f8 Kamal Mostafa
                   ` (84 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Dave Chinner, Dave Chinner, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Dave Chinner <dchinner@redhat.com>

commit 7d3aa7fe970791f1a674b14572a411accf2f4d4e upstream.

We don't write back stale inodes so we should skip them in
xfs_iflush_cluster, too.

Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/xfs/xfs_inode.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c
index 22b249f..01f3e07 100644
--- a/fs/xfs/xfs_inode.c
+++ b/fs/xfs/xfs_inode.c
@@ -3166,6 +3166,7 @@ xfs_iflush_cluster(
 		 */
 		spin_lock(&iq->i_flags_lock);
 		if (!iq->i_ino ||
+		    __xfs_iflags_test(iq, XFS_ISTALE) ||
 		    (XFS_INO_TO_AGINO(mp, iq->i_ino) & mask) != first_index) {
 			spin_unlock(&iq->i_flags_lock);
 			continue;
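Review bot: The XFS_ISTALE test is added to the skip condition, but the comment above the spin_lock() (visible in the previous patch's hunk as "Skip it if it is not valid or the wrong inode") is not updated. Extend it to mention stale inodes, and note that __xfs_iflags_test() is the variant that does not take i_flags_lock itself, so it depends on the lock already being held at this point.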
-- 
2.7.4


* [PATCH 4.2.y-ckt 122/206] KVM: MTRR: remove MSR 0x2f8
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (120 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 121/206] xfs: skip stale inodes " Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 123/206] ASoC: ak4642: Enable cache usage to fix crashes on resume Kamal Mostafa
                   ` (83 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Andy Honig, Radim Krčmář, Paolo Bonzini, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Andy Honig <ahonig@google.com>

commit 9842df62004f366b9fed2423e24df10542ee0dc5 upstream.

MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support
was introduced by 9ba075a664df ("KVM: MTRR support").

0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the
size of variable MTRRs") shrank the array of VR MTRRs from 256 to 8,
which made access to index 124 out of bounds.  The surrounding code only
WARNs in this situation, thus the guest gained a limited read/write
access to struct kvm_arch_vcpu.

0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR
MTRR MSRs, 0x200-0x20f.  Every VR MTRR is set up using two MSRs, 0x2f8
was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was
not implemented in KVM, therefore 0x2f8 could never do anything useful
and getting rid of it is safe.

This fixes CVE-2016-3713.

Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs")
Reported-by: David Matlack <dmatlack@google.com>
Signed-off-by: Andy Honig <ahonig@google.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/x86/kvm/mtrr.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c
index 3f8c732..c146f3c 100644
--- a/arch/x86/kvm/mtrr.c
+++ b/arch/x86/kvm/mtrr.c
@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr)
 	case MSR_MTRRdefType:
 	case MSR_IA32_CR_PAT:
 		return true;
-	case 0x2f8:
-		return true;
 	}
 	return false;
 }
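Review bot: Dropping `case 0x2f8:` from msr_mtrr_valid() removes the one MSR that indexed past the 8-entry variable-range array, but per the changelog the code that consumes the index only WARNs when it is out of range and then carries on. Consider a follow-up that makes that path bail out instead of continuing after the WARN, so the array bound is enforced where the array is indexed and not only by this allow-list.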
-- 
2.7.4


* [PATCH 4.2.y-ckt 123/206] ASoC: ak4642: Enable cache usage to fix crashes on resume
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (121 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 122/206] KVM: MTRR: remove MSR 0x2f8 Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 124/206] cifs: Create dedicated keyring for spnego operations Kamal Mostafa
                   ` (82 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Mark Brown, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Mark Brown <broonie@kernel.org>

commit d3030d11961a8c103cf07aed59905276ddfc06c2 upstream.

The ak4642 driver is using a regmap cache sync to restore the
configuration of the chip on resume but (as Peter observed) does not
actually define a register cache which means that the resume is never
going to work and we trigger asserts in regmap.  Fix this by enabling
caching.

Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Reported-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Mark Brown <broonie@kernel.org>
[ kamal: backport to 4.2-stable: no separate ak4643_regmap ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 sound/soc/codecs/ak4642.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sound/soc/codecs/ak4642.c b/sound/soc/codecs/ak4642.c
index 7c0f6552..d41708f 100644
--- a/sound/soc/codecs/ak4642.c
+++ b/sound/soc/codecs/ak4642.c
@@ -538,6 +538,7 @@ static const struct regmap_config ak4642_regmap = {
 	.max_register		= ARRAY_SIZE(ak4642_reg) + 1,
 	.reg_defaults		= ak4642_reg,
 	.num_reg_defaults	= ARRAY_SIZE(ak4642_reg),
+	.cache_type		= REGCACHE_RBTREE,
 };
 
 static const struct regmap_config ak4648_regmap = {
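Review bot: With `.cache_type = REGCACHE_RBTREE` set, reads of any register not marked volatile are served from the cache, and the fields of ak4642_regmap visible in this hunk do not include a volatile_reg callback. Confirm the codec has no status register that must be read from hardware, or add the callback together with the cache.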
@@ -546,6 +547,7 @@ static const struct regmap_config ak4648_regmap = {
 	.max_register		= ARRAY_SIZE(ak4648_reg) + 1,
 	.reg_defaults		= ak4648_reg,
 	.num_reg_defaults	= ARRAY_SIZE(ak4648_reg),
+	.cache_type		= REGCACHE_RBTREE,
 };
 
 static const struct ak4642_drvdata ak4642_drvdata = {
-- 
2.7.4


* [PATCH 4.2.y-ckt 124/206] cifs: Create dedicated keyring for spnego operations
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (122 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 123/206] ASoC: ak4642: Enable cache usage to fix crashes on resume Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 125/206] ALSA: hda - Fix headphone noise on Dell XPS 13 9360 Kamal Mostafa
                   ` (81 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Sachin Prabhu, Steve French, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Sachin Prabhu <sprabhu@redhat.com>

commit b74cb9a80268be5c80cf4c87c74debf0ff2129ac upstream.

The session key is the default keyring set for request_key operations.
This session key is revoked when the user owning the session logs out.
Any long running daemon processes started by this session end up with
a revoked session keyring, which prevents these processes from using the
request_key mechanism to obtain the krb5 keys.

The problem has been reported by a large number of autofs users. The
problem is also seen with multiuser mounts where the share may be used
by processes run by a user who has since logged out. A reproducer using
automount is available on the Red Hat bz.

The patch creates a new keyring which is used to cache cifs spnego
upcalls.

Red Hat bz: 1267754

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Reported-by: Scott Mayhew <smayhew@redhat.com>
Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Steve French <smfrench@gmail.com>
[ kamal: backport to 4.2-stable: keyring_alloc takes no restrict_link param ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/cifs/cifs_spnego.c | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++
 fs/cifs/cifsfs.c      |  4 +--
 fs/cifs/cifsproto.h   |  2 ++
 3 files changed, 71 insertions(+), 2 deletions(-)

diff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c
index f4cf200..79450fa 100644
--- a/fs/cifs/cifs_spnego.c
+++ b/fs/cifs/cifs_spnego.c
@@ -24,10 +24,13 @@
 #include <linux/string.h>
 #include <keys/user-type.h>
 #include <linux/key-type.h>
+#include <linux/keyctl.h>
 #include <linux/inet.h>
 #include "cifsglob.h"
 #include "cifs_spnego.h"
 #include "cifs_debug.h"
+#include "cifsproto.h"
+static const struct cred *spnego_cred;
 
 /* create a new cifs key */
 static int
@@ -102,6 +105,7 @@ cifs_get_spnego_key(struct cifs_ses *sesInfo)
 	size_t desc_len;
 	struct key *spnego_key;
 	const char *hostname = server->hostname;
+	const struct cred *saved_cred;
 
 	/* length of fields (with semicolons): ver=0xyz ip4=ipaddress
 	   host=hostname sec=mechanism uid=0xFF user=username */
@@ -163,7 +167,9 @@ cifs_get_spnego_key(struct cifs_ses *sesInfo)
 	sprintf(dp, ";pid=0x%x", current->pid);
 
 	cifs_dbg(FYI, "key description = %s\n", description);
+	saved_cred = override_creds(spnego_cred);
 	spnego_key = request_key(&cifs_spnego_key_type, description, "");
+	revert_creds(saved_cred);
 
 #ifdef CONFIG_CIFS_DEBUG2
 	if (cifsFYI && !IS_ERR(spnego_key)) {
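Review bot: The override_creds()/revert_creds() pair around request_key() means the lookup and any upcall now run under the module-wide spnego_cred, and results for every caller are cached in one shared keyring, yet there is no comment at the call site. Add one stating that cached keys are told apart only by the description string built above (which carries the uid, user and pid fields), so nobody later trims those fields from the description without seeing the consequence.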
@@ -177,3 +183,64 @@ out:
 	kfree(description);
 	return spnego_key;
 }
+
+int
+init_cifs_spnego(void)
+{
+	struct cred *cred;
+	struct key *keyring;
+	int ret;
+
+	cifs_dbg(FYI, "Registering the %s key type\n",
+		 cifs_spnego_key_type.name);
+
+	/*
+	 * Create an override credential set with special thread keyring for
+	 * spnego upcalls.
+	 */
+
+	cred = prepare_kernel_cred(NULL);
+	if (!cred)
+		return -ENOMEM;
+
+	keyring = keyring_alloc(".cifs_spnego",
+				GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
+				(KEY_POS_ALL & ~KEY_POS_SETATTR) |
+				KEY_USR_VIEW | KEY_USR_READ,
+				KEY_ALLOC_NOT_IN_QUOTA, NULL);
+	if (IS_ERR(keyring)) {
+		ret = PTR_ERR(keyring);
+		goto failed_put_cred;
+	}
+
+	ret = register_key_type(&cifs_spnego_key_type);
+	if (ret < 0)
+		goto failed_put_key;
+
+	/*
+	 * instruct request_key() to use this special keyring as a cache for
+	 * the results it looks up
+	 */
+	set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
+	cred->thread_keyring = keyring;
+	cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
+	spnego_cred = cred;
+
+	cifs_dbg(FYI, "cifs spnego keyring: %d\n", key_serial(keyring));
+	return 0;
+
+failed_put_key:
+	key_put(keyring);
+failed_put_cred:
+	put_cred(cred);
+	return ret;
+}
+
+void
+exit_cifs_spnego(void)
+{
+	key_revoke(spnego_cred->thread_keyring);
+	unregister_key_type(&cifs_spnego_key_type);
+	put_cred(spnego_cred);
+	cifs_dbg(FYI, "Unregistered %s key type\n", cifs_spnego_key_type.name);
+}
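Review bot: exit_cifs_spnego() dereferences spnego_cred without checking it and leaves the static pointer set after put_cred(), so it is only safe when called exactly once after init_cifs_spnego() has succeeded. State that in a comment above the function, or guard the body and set `spnego_cred = NULL;` after the put. Also, the "Registering the %s key type" debug message in init_cifs_spnego() is printed before prepare_kernel_cred() and keyring_alloc(), so it appears even when those fail and nothing is registered; move it to after register_key_type() succeeds.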
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 6a1119e..fe24e22 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -1238,7 +1238,7 @@ init_cifs(void)
 		goto out_destroy_mids;
 
 #ifdef CONFIG_CIFS_UPCALL
-	rc = register_key_type(&cifs_spnego_key_type);
+	rc = init_cifs_spnego();
 	if (rc)
 		goto out_destroy_request_bufs;
 #endif /* CONFIG_CIFS_UPCALL */
@@ -1261,7 +1261,7 @@ out_init_cifs_idmap:
 out_register_key_type:
 #endif
 #ifdef CONFIG_CIFS_UPCALL
-	unregister_key_type(&cifs_spnego_key_type);
+	exit_cifs_spnego();
 out_destroy_request_bufs:
 #endif
 	cifs_destroy_request_bufs();
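Review bot: Both changes to this file are in init_cifs() (the registration call and its error unwind); the normal module-exit path is not part of the diff. If exit_cifs() still calls unregister_key_type(&cifs_spnego_key_type) directly, the cred and the .cifs_spnego keyring allocated by init_cifs_spnego() are never released on unload. Check that exit_cifs() calls exit_cifs_spnego() as well.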
diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h
index c63fd1d..f730c06 100644
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -60,6 +60,8 @@ do {								\
 } while (0)
 extern int init_cifs_idmap(void);
 extern void exit_cifs_idmap(void);
+extern int init_cifs_spnego(void);
+extern void exit_cifs_spnego(void);
 extern char *build_path_from_dentry(struct dentry *);
 extern char *cifs_build_path_to_root(struct smb_vol *vol,
 				     struct cifs_sb_info *cifs_sb,
-- 
2.7.4


* [PATCH 4.2.y-ckt 125/206] ALSA: hda - Fix headphone noise on Dell XPS 13 9360
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (123 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 124/206] cifs: Create dedicated keyring for spnego operations Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 126/206] kvm: arm64: Fix EC field in inject_abt64 Kamal Mostafa
                   ` (80 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Kai-Heng Feng, Takashi Iwai, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Kai-Heng Feng <kaihengfeng@gmail.com>

commit 423cd785619ac6778252fbdb916505aa1c153959 upstream.

The headphone has noise when playing sound or switching microphone sources.
It uses the same codec on XPS 13 9350, but with different subsystem ID.
Applying the fixup can solve the issue.
Also, changing the model name to better differentiate models.

v2: Reorder by device ID.

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 sound/pci/hda/patch_realtek.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index f3f73f8..ac56e0c 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5408,8 +5408,9 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
 	SND_PCI_QUIRK(0x1028, 0x06de, "Dell", ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK),
 	SND_PCI_QUIRK(0x1028, 0x06df, "Dell", ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK),
 	SND_PCI_QUIRK(0x1028, 0x06e0, "Dell", ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK),
-	SND_PCI_QUIRK(0x1028, 0x0704, "Dell XPS 13", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
+	SND_PCI_QUIRK(0x1028, 0x0704, "Dell XPS 13 9350", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
 	SND_PCI_QUIRK(0x1028, 0x0725, "Dell Inspiron 3162", ALC255_FIXUP_DELL_SPK_NOISE),
+	SND_PCI_QUIRK(0x1028, 0x075b, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
 	SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),
-- 
2.7.4


* [PATCH 4.2.y-ckt 126/206] kvm: arm64: Fix EC field in inject_abt64
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (124 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 125/206] ALSA: hda - Fix headphone noise on Dell XPS 13 9360 Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 127/206] Input: uinput - handle compat ioctl for UI_SET_PHYS Kamal Mostafa
                   ` (79 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Matt Evans, Christoffer Dall, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Matt Evans <matt.evans@arm.com>

commit e4fe9e7dc3828bf6a5714eb3c55aef6260d823a2 upstream.

The EC field of the constructed ESR is conditionally modified by ORing in
ESR_ELx_EC_DABT_LOW for a data abort.  However, ESR_ELx_EC_SHIFT is missing
from this condition.

Signed-off-by: Matt Evans <matt.evans@arm.com>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/arm64/kvm/inject_fault.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/kvm/inject_fault.c b/arch/arm64/kvm/inject_fault.c
index 648112e..3972e65 100644
--- a/arch/arm64/kvm/inject_fault.c
+++ b/arch/arm64/kvm/inject_fault.c
@@ -130,7 +130,7 @@ static void inject_abt64(struct kvm_vcpu *vcpu, bool is_iabt, unsigned long addr
 		esr |= (ESR_ELx_EC_IABT_CUR << ESR_ELx_EC_SHIFT);
 
 	if (!is_iabt)
-		esr |= ESR_ELx_EC_DABT_LOW;
+		esr |= ESR_ELx_EC_DABT_LOW << ESR_ELx_EC_SHIFT;
 
 	vcpu_sys_reg(vcpu, ESR_EL1) = esr | ESR_ELx_FSC_EXTABT;
 }
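Review bot: The corrected line ORs the shifted ESR_ELx_EC_DABT_LOW on top of an instruction-abort EC that the code above has already placed in esr, so the result is right only because of how the EC values are encoded. A comment saying that the data-abort classes are the instruction-abort classes with one more bit set would document that dependency. Style: wrap the shift in parentheses to match the `esr |= (ESR_ELx_EC_IABT_CUR << ESR_ELx_EC_SHIFT);` line above.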
-- 
2.7.4


* [PATCH 4.2.y-ckt 127/206] Input: uinput - handle compat ioctl for UI_SET_PHYS
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (125 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 126/206] kvm: arm64: Fix EC field in inject_abt64 Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 128/206] PM / sleep: Handle failures in device_suspend_late() consistently Kamal Mostafa
                   ` (78 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Ricky Liang, Dmitry Torokhov, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Ricky Liang <jcliang@chromium.org>

commit affa80bd97f7ca282d1faa91667b3ee9e4c590e6 upstream.

When running a 32-bit userspace on a 64-bit kernel, the UI_SET_PHYS
ioctl needs to be treated with special care, as it has the pointer
size encoded in the command.

Signed-off-by: Ricky Liang <jcliang@chromium.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/input/misc/uinput.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
index 421e29e..5221450 100644
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -895,9 +895,15 @@ static long uinput_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 }
 
 #ifdef CONFIG_COMPAT
+
+#define UI_SET_PHYS_COMPAT	_IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
+
 static long uinput_compat_ioctl(struct file *file,
 				unsigned int cmd, unsigned long arg)
 {
+	if (cmd == UI_SET_PHYS_COMPAT)
+		cmd = UI_SET_PHYS;
+
 	return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg));
 }
 #endif
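Review bot: UI_SET_PHYS_COMPAT repeats the command number 108 as a literal, so it has to be kept in step with UI_SET_PHYS by hand. Derive the number with `_IOC_NR(UI_SET_PHYS)`, or add a comment next to the #define naming the native ioctl it mirrors and stating that only the encoded pointer size differs.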
-- 
2.7.4


* [PATCH 4.2.y-ckt 128/206] PM / sleep: Handle failures in device_suspend_late() consistently
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (126 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 127/206] Input: uinput - handle compat ioctl for UI_SET_PHYS Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 129/206] mm: use phys_addr_t for reserve_bootmem_region() arguments Kamal Mostafa
                   ` (77 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Rafael J . Wysocki, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>

commit 3a17fb329da68cb00558721aff876a80bba2fdb9 upstream.

Grygorii Strashko reports:

 The PM runtime will be left disabled for the device if its
 .suspend_late() callback fails and async suspend is not allowed
 for this device. In this case the device will not be added to
 dpm_late_early_list and dpm_resume_early() will ignore this
 device; as a result PM runtime will be disabled for it forever
 (side effect: after 8 subsequent failures for the same device
 the PM runtime will be reenabled due to disable_depth overflow).

To fix this problem, add devices to dpm_late_early_list regardless
of whether or not device_suspend_late() returns errors for them.

That will ensure failures in there to be handled consistently for
all devices regardless of their async suspend/resume status.

Reported-by: Grygorii Strashko <grygorii.strashko@ti.com>
Tested-by: Grygorii Strashko <grygorii.strashko@ti.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/base/power/main.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
index 30b7bbf..964d5e4 100644
--- a/drivers/base/power/main.c
+++ b/drivers/base/power/main.c
@@ -1262,14 +1262,15 @@ int dpm_suspend_late(pm_message_t state)
 		error = device_suspend_late(dev);
 
 		mutex_lock(&dpm_list_mtx);
+		if (!list_empty(&dev->power.entry))
+			list_move(&dev->power.entry, &dpm_late_early_list);
+
 		if (error) {
 			pm_dev_err(dev, state, " late", error);
 			dpm_save_failed_dev(dev_name(dev));
 			put_device(dev);
 			break;
 		}
-		if (!list_empty(&dev->power.entry))
-			list_move(&dev->power.entry, &dpm_late_early_list);
 		put_device(dev);
 
 		if (async_error)
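Review bot: The list_move() to dpm_late_early_list now runs before the `if (error)` test, and that ordering is the whole fix, but nothing in the code says so. Add a comment above the moved lines that the device must be on dpm_late_early_list even when device_suspend_late() fails, so that dpm_resume_early() visits it and runtime PM is re-enabled.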
-- 
2.7.4


* [PATCH 4.2.y-ckt 129/206] mm: use phys_addr_t for reserve_bootmem_region() arguments
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (127 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 128/206] PM / sleep: Handle failures in device_suspend_late() consistently Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 130/206] locking,qspinlock: Fix spin_is_locked() and spin_unlock_wait() Kamal Mostafa
                   ` (76 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Stefan Bader, Andrew Morton, Linus Torvalds, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Stefan Bader <stefan.bader@canonical.com>

commit 4b50bcc7eda4d3cc9e3f2a0aa60e590fedf728c5 upstream.

Since commit 92923ca3aace ("mm: meminit: only set page reserved in the
memblock region") the reserved bit is set on reserved memblock regions.
However start and end address are passed as unsigned long.  This is only
32bit on i386, so it can end up marking the wrong pages reserved for
ranges at 4GB and above.

This was observed on a 32bit Xen dom0 which was booted with initial
memory set to a value below 4G but allowing to balloon in memory
(dom0_mem=1024M for example).  This would define a reserved bootmem
region for the additional memory (for example on an 8GB system there was
a reserved region covering the 4GB-8GB range).  But since the addresses
were passed on as unsigned long, this was actually marking all pages
from 0 to 4GB as reserved.

Fixes: 92923ca3aacef63 ("mm: meminit: only set page reserved in the memblock region")
Link: http://lkml.kernel.org/r/1463491221-10573-1-git-send-email-stefan.bader@canonical.com
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 include/linux/mm.h | 2 +-
 mm/page_alloc.c    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/mm.h b/include/linux/mm.h
index 2b05068..63bb576 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1684,7 +1684,7 @@ extern void free_highmem_page(struct page *page);
 extern void adjust_managed_page_count(struct page *page, long count);
 extern void mem_init_print_info(const char *str);
 
-extern void reserve_bootmem_region(unsigned long start, unsigned long end);
+extern void reserve_bootmem_region(phys_addr_t start, phys_addr_t end);
 
 /* Free the reserved page into the buddy system, so it gets managed. */
 static inline void __free_reserved_page(struct page *page)
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 6d95dea..51fd491 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -908,7 +908,7 @@ static inline void init_reserved_page(unsigned long pfn)
  * marks the pages PageReserved. The remaining valid pages are later
  * sent to the buddy page allocator.
  */
-void __meminit reserve_bootmem_region(unsigned long start, unsigned long end)
+void __meminit reserve_bootmem_region(phys_addr_t start, phys_addr_t end)
 {
 	unsigned long start_pfn = PFN_DOWN(start);
 	unsigned long end_pfn = PFN_UP(end);
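
Review bot: start_pfn and end_pfn stay unsigned long while start and end become phys_addr_t, so the narrowing now happens on the results of PFN_DOWN(start) and PFN_UP(end) instead of on the arguments. That is what the fix needs, but it is implicit. A short comment on these two lines saying the shift has to be applied to the full-width address before the value is stored in an unsigned long would make the dependency visible to anyone who later touches the prototype.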
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread
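
The truncation described in the commit message above, as an added example that is not part of the patch or of the kernel source. Fixed-width types stand in for i386's 32-bit unsigned long and the 64-bit phys_addr_t; the helper names and the 4GB-7GB region are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12

/* Assumption of this example: model i386 with PAE, where unsigned long is
 * 32 bits wide and phys_addr_t is 64 bits wide. */
typedef uint32_t ulong_i386;
typedef uint64_t phys_addr_pae;

/* Constructed sample region that lies entirely above 4GB. */
#define REGION_START 0x100000000ULL	/* 4GB */
#define REGION_END   0x1C0000000ULL	/* 7GB */

struct pfn_range {
	uint64_t start_pfn;	/* first page frame marked reserved */
	uint64_t end_pfn;	/* one past the last page frame marked */
};

/* Page-frame rounding carried out in the width of the argument, the way a
 * macro applied to a 32-bit or a 64-bit value would behave. */
static uint32_t pfn_down32(uint32_t x) { return x >> PAGE_SHIFT; }
static uint32_t pfn_up32(uint32_t x) { return (uint32_t)(x + 0xfffu) >> PAGE_SHIFT; }
static uint64_t pfn_down64(uint64_t x) { return x >> PAGE_SHIFT; }
static uint64_t pfn_up64(uint64_t x) { return (x + 0xfffu) >> PAGE_SHIFT; }

/* Shape of the pre-patch prototype: the caller's 64-bit addresses are
 * narrowed to 32 bits when they are passed. */
static struct pfn_range reserve_before(ulong_i386 start, ulong_i386 end)
{
	struct pfn_range r = { pfn_down32(start), pfn_up32(end) };
	return r;
}

/* Shape of the patched prototype: the full address reaches the rounding. */
static struct pfn_range reserve_after(phys_addr_pae start, phys_addr_pae end)
{
	struct pfn_range r = { pfn_down64(start), pfn_up64(end) };
	return r;
}

/* Returns 1 when narrowing the arguments changes which pages get marked. */
static int marks_wrong_pages(phys_addr_pae start, phys_addr_pae end)
{
	struct pfn_range want = reserve_after(start, end);
	struct pfn_range got = reserve_before((ulong_i386)start, (ulong_i386)end);

	return want.start_pfn != got.start_pfn || want.end_pfn != got.end_pfn;
}

int main(void)
{
	struct pfn_range b = reserve_before((ulong_i386)REGION_START,
					    (ulong_i386)REGION_END);
	struct pfn_range a = reserve_after(REGION_START, REGION_END);

	printf("32-bit args: pfn 0x%llx-0x%llx\n",
	       (unsigned long long)b.start_pfn, (unsigned long long)b.end_pfn);
	printf("64-bit args: pfn 0x%llx-0x%llx\n",
	       (unsigned long long)a.start_pfn, (unsigned long long)a.end_pfn);
	printf("wrong pages marked: %d\n",
	       marks_wrong_pages(REGION_START, REGION_END));
	return 0;
}
```

With the narrowed arguments the region above 4GB turns into a range of low page frames starting at frame 0, which is the effect the commit message reports.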

* [PATCH 4.2.y-ckt 130/206] locking,qspinlock: Fix spin_is_locked() and spin_unlock_wait()
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (128 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 129/206] mm: use phys_addr_t for reserve_bootmem_region() arguments Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 131/206] drm/i915: Don't leave old junk in ilk active watermarks on readout Kamal Mostafa
                   ` (75 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Peter Zijlstra, Linus Torvalds, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Peter Zijlstra <peterz@infradead.org>

commit 54cf809b9512be95f53ed4a5e3b631d1ac42f0fa upstream.

Similar to commits:

  51d7d5205d33 ("powerpc: Add smp_mb() to arch_spin_is_locked()")
  d86b8da04dfa ("arm64: spinlock: serialise spin_unlock_wait against concurrent lockers")

qspinlock suffers from the fact that the _Q_LOCKED_VAL store is
unordered inside the ACQUIRE of the lock.

And while this is not a problem for the regular mutual exclusive
critical section usage of spinlocks, it breaks creative locking like:

	spin_lock(A)			spin_lock(B)
	spin_unlock_wait(B)		if (!spin_is_locked(A))
	do_something()			  do_something()

In that both CPUs can end up running do_something at the same time,
because our _Q_LOCKED_VAL store can drop past the spin_unlock_wait()
spin_is_locked() loads (even on x86!!).

To avoid making the normal case slower, add smp_mb()s to the less used
spin_unlock_wait() / spin_is_locked() side of things to avoid this
problem.

Reported-and-tested-by: Davidlohr Bueso <dave@stgolabs.net>
Reported-by: Giovanni Gherdovich <ggherdovich@suse.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 include/asm-generic/qspinlock.h | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/include/asm-generic/qspinlock.h b/include/asm-generic/qspinlock.h
index e2aadbc..7d633f1 100644
--- a/include/asm-generic/qspinlock.h
+++ b/include/asm-generic/qspinlock.h
@@ -27,7 +27,30 @@
  */
 static __always_inline int queued_spin_is_locked(struct qspinlock *lock)
 {
-	return atomic_read(&lock->val);
+	/*
+	 * queued_spin_lock_slowpath() can ACQUIRE the lock before
+	 * issuing the unordered store that sets _Q_LOCKED_VAL.
+	 *
+	 * See both smp_cond_acquire() sites for more detail.
+	 *
+	 * This however means that in code like:
+	 *
+	 *   spin_lock(A)		spin_lock(B)
+	 *   spin_unlock_wait(B)	spin_is_locked(A)
+	 *   do_something()		do_something()
+	 *
+	 * Both CPUs can end up running do_something() because the store
+	 * setting _Q_LOCKED_VAL will pass through the loads in
+	 * spin_unlock_wait() and/or spin_is_locked().
+	 *
+	 * Avoid this by issuing a full memory barrier between the spin_lock()
+	 * and the loads in spin_unlock_wait() and spin_is_locked().
+	 *
+	 * Note that regular mutual exclusion doesn't care about this
+	 * delayed store.
+	 */
+	smp_mb();
+	return atomic_read(&lock->val) & _Q_LOCKED_MASK;
 }
 
 /**
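
Review bot: the return expression changes from atomic_read(&lock->val) to atomic_read(&lock->val) & _Q_LOCKED_MASK, which is a second behavioural change next to the smp_mb(): a lock word with bits set only outside _Q_LOCKED_MASK no longer reports as locked. The new comment block explains the barrier and says nothing about the mask. Either state in the comment why the mask is wanted in queued_spin_is_locked(), or split the masking into its own patch so it can be reviewed and reverted separately.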
@@ -107,6 +130,8 @@ static __always_inline void queued_spin_unlock(struct qspinlock *lock)
  */
 static inline void queued_spin_unlock_wait(struct qspinlock *lock)
 {
+	/* See queued_spin_is_locked() */
+	smp_mb();
 	while (atomic_read(&lock->val) & _Q_LOCKED_MASK)
 		cpu_relax();
 }
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 131/206] drm/i915: Don't leave old junk in ilk active watermarks on readout
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (129 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 130/206] locking,qspinlock: Fix spin_is_locked() and spin_unlock_wait() Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 132/206] mmc: longer timeout for long read time quirk Kamal Mostafa
                   ` (74 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Matt Roper, Ville Syrjälä, Jani Nikula, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

commit 7045c3689f148a0c95f42bae8ef3eb2829ac7de9 upstream.

When we read out the watermark state from the hardware we're supposed to
transfer that into the active watermarks, but currently we fail to any
part of the active watermarks that isn't explicitly written. Let's clear
it all upfront.

Looks like this has been like this since the beginning, when I added the
readout. No idea why I didn't clear it up.

Cc: Matt Roper <matthew.d.roper@intel.com>
Fixes: 243e6a44b9ca ("drm/i915: Init HSW watermark tracking in intel_modeset_setup_hw_state()")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1463151318-14719-2-git-send-email-ville.syrjala@linux.intel.com
(cherry picked from commit 15606534bf0a65d8a74a90fd57b8712d147dbca6)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/gpu/drm/i915/intel_pm.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c
index 6907a1b..d4b6c20 100644
--- a/drivers/gpu/drm/i915/intel_pm.c
+++ b/drivers/gpu/drm/i915/intel_pm.c
@@ -3656,6 +3656,8 @@ static void ilk_pipe_wm_get_hw_state(struct drm_crtc *crtc)
 	if (IS_HASWELL(dev) || IS_BROADWELL(dev))
 		hw->wm_linetime[pipe] = I915_READ(PIPE_WM_LINETIME(pipe));
 
+	memset(active, 0, sizeof(*active));
+
 	active->pipe_enabled = intel_crtc->active;
 
 	if (active->pipe_enabled) {
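
Review bot: the memset(active, 0, sizeof(*active)) carries no comment, and from the code alone it is not obvious why a readout function zeroes its destination right before filling it. A line above the memset saying that the readout below writes only some fields of the active watermarks, so the rest must be cleared first, would record the reason that currently exists only in the commit message.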
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 132/206] mmc: longer timeout for long read time quirk
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (130 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 131/206] drm/i915: Don't leave old junk in ilk active watermarks on readout Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 133/206] mmc: sdhci-pci: Remove MMC_CAP_BUS_WIDTH_TEST for Intel controllers Kamal Mostafa
                   ` (73 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Matt Gumbel, Adrian Hunter, Ulf Hansson, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Matt Gumbel <matthew.k.gumbel@intel.com>

commit 32ecd320db39bcb007679ed42f283740641b81ea upstream.

008GE0 Toshiba mmc in some Intel Baytrail tablets responds to
MMC_SEND_EXT_CSD in 450-600ms.

This patch will...

() Increase the long read time quirk timeout from 300ms to 600ms. Original
   author of that quirk says 300ms was only a guess and that the number
   may need to be raised in the future.

() Add this specific MMC to the quirk

Signed-off-by: Matt Gumbel <matthew.k.gumbel@intel.com>
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/mmc/card/block.c | 5 +++--
 drivers/mmc/core/core.c  | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
index 88c4e08..18fb6cd 100644
--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -2411,11 +2411,12 @@ static const struct mmc_fixup blk_fixups[] =
 		  MMC_QUIRK_BLK_NO_CMD23),
 
 	/*
-	 * Some Micron MMC cards needs longer data read timeout than
-	 * indicated in CSD.
+	 * Some MMC cards need longer data read timeout than indicated in CSD.
 	 */
 	MMC_FIXUP(CID_NAME_ANY, CID_MANFID_MICRON, 0x200, add_quirk_mmc,
 		  MMC_QUIRK_LONG_READ_TIME),
+	MMC_FIXUP("008GE0", CID_MANFID_TOSHIBA, CID_OEMID_ANY, add_quirk_mmc,
+		  MMC_QUIRK_LONG_READ_TIME),
 
 	/*
 	 * On these Samsung MoviNAND parts, performing secure erase or
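
Review bot: the rewritten comment drops "Micron" and now reads "Some MMC cards need longer data read timeout than indicated in CSD", so the table no longer says which parts the two entries below it are for. The new entry also matches on the product name "008GE0" with CID_OEMID_ANY, where the Micron entry matches CID_NAME_ANY with OEM id 0x200. A per-entry comment naming the Toshiba 008GE0 part and the MMC_SEND_EXT_CSD response time from the commit message would make that difference read as intentional.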
diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c
index 2f4503a..1f1c42a 100644
--- a/drivers/mmc/core/core.c
+++ b/drivers/mmc/core/core.c
@@ -866,11 +866,11 @@ void mmc_set_data_timeout(struct mmc_data *data, const struct mmc_card *card)
 	/*
 	 * Some cards require longer data read timeout than indicated in CSD.
 	 * Address this by setting the read timeout to a "reasonably high"
-	 * value. For the cards tested, 300ms has proven enough. If necessary,
+	 * value. For the cards tested, 600ms has proven enough. If necessary,
 	 * this value can be increased if other problematic cards require this.
 	 */
 	if (mmc_card_long_read_time(card) && data->flags & MMC_DATA_READ) {
-		data->timeout_ns = 300000000;
+		data->timeout_ns = 600000000;
 		data->timeout_clks = 0;
 	}
 
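
Review bot: 600000000 is exactly the upper end of the 450-600ms response time the commit message reports for the Toshiba part, so data->timeout_ns leaves no margin above the slowest case observed, while the comment says 600ms "has proven enough". Consider a value with some headroom, and give the literal a named constant so that the number in the comment and the number in the assignment cannot drift apart again.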
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 133/206] mmc: sdhci-pci: Remove MMC_CAP_BUS_WIDTH_TEST for Intel controllers
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (131 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 132/206] mmc: longer timeout for long read time quirk Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 134/206] mmc: sdhci-acpi: " Kamal Mostafa
                   ` (72 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Adrian Hunter, Ulf Hansson, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Adrian Hunter <adrian.hunter@intel.com>

commit 822969369482166050c5b2f7013501505e025c39 upstream.

The CMD19/CMD14 bus width test has been found to be unreliable in
some cases.  It is not essential, so simply remove it.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[ kamal: backport to 4.2-stable: files moved ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/mmc/host/sdhci-pci.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/mmc/host/sdhci-pci.c b/drivers/mmc/host/sdhci-pci.c
index 5d2e222..2580f02 100644
--- a/drivers/mmc/host/sdhci-pci.c
+++ b/drivers/mmc/host/sdhci-pci.c
@@ -334,7 +334,6 @@ static int byt_emmc_probe_slot(struct sdhci_pci_slot *slot)
 {
 	slot->host->mmc->caps |= MMC_CAP_8_BIT_DATA | MMC_CAP_NONREMOVABLE |
 				 MMC_CAP_HW_RESET | MMC_CAP_1_8V_DDR |
-				 MMC_CAP_BUS_WIDTH_TEST |
 				 MMC_CAP_WAIT_WHILE_BUSY;
 	slot->host->mmc->caps2 |= MMC_CAP2_HC_ERASE_SZ;
 	slot->hw_reset = sdhci_pci_int_hw_reset;
@@ -350,15 +349,13 @@ static int byt_emmc_probe_slot(struct sdhci_pci_slot *slot)
 static int byt_sdio_probe_slot(struct sdhci_pci_slot *slot)
 {
 	slot->host->mmc->caps |= MMC_CAP_POWER_OFF_CARD | MMC_CAP_NONREMOVABLE |
-				 MMC_CAP_BUS_WIDTH_TEST |
 				 MMC_CAP_WAIT_WHILE_BUSY;
 	return 0;
 }
 
 static int byt_sd_probe_slot(struct sdhci_pci_slot *slot)
 {
-	slot->host->mmc->caps |= MMC_CAP_BUS_WIDTH_TEST |
-				 MMC_CAP_WAIT_WHILE_BUSY;
+	slot->host->mmc->caps |= MMC_CAP_WAIT_WHILE_BUSY;
 	slot->cd_con_id = NULL;
 	slot->cd_idx = 0;
 	slot->cd_override_level = true;
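
Review bot: MMC_CAP_BUS_WIDTH_TEST is dropped from byt_emmc_probe_slot(), byt_sdio_probe_slot() and byt_sd_probe_slot() with nothing left in the code to say why, so the flag is easy to re-add by someone aligning these caps with another host. A short comment at one of the caps assignments, for example above "slot->host->mmc->caps |= MMC_CAP_WAIT_WHILE_BUSY;", saying that the CMD19/CMD14 bus width test is unreliable on these controllers would prevent that.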
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 134/206] mmc: sdhci-acpi: Remove MMC_CAP_BUS_WIDTH_TEST for Intel controllers
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (132 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 133/206] mmc: sdhci-pci: Remove MMC_CAP_BUS_WIDTH_TEST for Intel controllers Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 135/206] sunrpc: fix stripping of padded MIC tokens Kamal Mostafa
                   ` (71 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Adrian Hunter, Ulf Hansson, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Adrian Hunter <adrian.hunter@intel.com>

commit 265984b36ce82fec67957d452dd2b22e010611e4 upstream.

The CMD19/CMD14 bus width test has been found to be unreliable in
some cases.  It is not essential, so simply remove it.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/mmc/host/sdhci-acpi.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/mmc/host/sdhci-acpi.c b/drivers/mmc/host/sdhci-acpi.c
index 22d929f..5d4b8a6 100644
--- a/drivers/mmc/host/sdhci-acpi.c
+++ b/drivers/mmc/host/sdhci-acpi.c
@@ -203,7 +203,7 @@ static const struct sdhci_acpi_slot sdhci_acpi_slot_int_emmc = {
 	.chip    = &sdhci_acpi_chip_int,
 	.caps    = MMC_CAP_8_BIT_DATA | MMC_CAP_NONREMOVABLE |
 		   MMC_CAP_HW_RESET | MMC_CAP_1_8V_DDR |
-		   MMC_CAP_BUS_WIDTH_TEST | MMC_CAP_WAIT_WHILE_BUSY,
+		   MMC_CAP_WAIT_WHILE_BUSY,
 	.caps2   = MMC_CAP2_HC_ERASE_SZ,
 	.flags   = SDHCI_ACPI_RUNTIME_PM,
 	.quirks  = SDHCI_QUIRK_NO_ENDATTR_IN_NOPDESC,
@@ -216,7 +216,7 @@ static const struct sdhci_acpi_slot sdhci_acpi_slot_int_sdio = {
 		   SDHCI_QUIRK_NO_ENDATTR_IN_NOPDESC,
 	.quirks2 = SDHCI_QUIRK2_HOST_OFF_CARD_ON,
 	.caps    = MMC_CAP_NONREMOVABLE | MMC_CAP_POWER_OFF_CARD |
-		   MMC_CAP_BUS_WIDTH_TEST | MMC_CAP_WAIT_WHILE_BUSY,
+		   MMC_CAP_WAIT_WHILE_BUSY,
 	.flags   = SDHCI_ACPI_RUNTIME_PM,
 	.pm_caps = MMC_PM_KEEP_POWER,
 	.probe_slot	= sdhci_acpi_sdio_probe_slot,
@@ -228,7 +228,7 @@ static const struct sdhci_acpi_slot sdhci_acpi_slot_int_sd = {
 	.quirks  = SDHCI_QUIRK_NO_ENDATTR_IN_NOPDESC,
 	.quirks2 = SDHCI_QUIRK2_CARD_ON_NEEDS_BUS_ON |
 		   SDHCI_QUIRK2_STOP_WITH_TC,
-	.caps    = MMC_CAP_BUS_WIDTH_TEST | MMC_CAP_WAIT_WHILE_BUSY,
+	.caps    = MMC_CAP_WAIT_WHILE_BUSY,
 	.probe_slot	= sdhci_acpi_sd_probe_slot,
 };
 
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 135/206] sunrpc: fix stripping of padded MIC tokens
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (133 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 134/206] mmc: sdhci-acpi: " Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 136/206] wait/ptrace: assume __WALL if the child is traced Kamal Mostafa
                   ` (70 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Tomáš Trnka, J . Bruce Fields, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Tomáš Trnka <ttrnka@mail.muni.cz>

commit c0cb8bf3a8e4bd82e640862cdd8891400405cb89 upstream.

The length of the GSS MIC token need not be a multiple of four bytes.
It is then padded by XDR to a multiple of 4 B, but unwrap_integ_data()
would previously only trim mic.len + 4 B. The remaining up to three
bytes would then trigger a check in nfs4svc_decode_compoundargs(),
leading to a "garbage args" error and mount failure:

nfs4svc_decode_compoundargs: compound not properly padded!
nfsd: failed to decode arguments!

This would prevent older clients using the pre-RFC 4121 MIC format
(37-byte MIC including a 9-byte OID) from mounting exports from v3.9+
servers using krb5i.

The trimming was introduced by commit 4c190e2f913f ("sunrpc: trim off
trailing checksum before returning decrypted or integrity authenticated
buffer").

Fixes: 4c190e2f913f "sunrpc: trim off trailing checksum..."
Signed-off-by: Tomáš Trnka <ttrnka@mail.muni.cz>
Acked-by: Jeff Layton <jlayton@poochiereds.net>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 net/sunrpc/auth_gss/svcauth_gss.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 1095be9..4605dc7 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -857,8 +857,8 @@ unwrap_integ_data(struct svc_rqst *rqstp, struct xdr_buf *buf, u32 seq, struct g
 		goto out;
 	if (svc_getnl(&buf->head[0]) != seq)
 		goto out;
-	/* trim off the mic at the end before returning */
-	xdr_buf_trim(buf, mic.len + 4);
+	/* trim off the mic and padding at the end before returning */
+	xdr_buf_trim(buf, round_up_to_quad(mic.len) + 4);
 	stat = 0;
 out:
 	kfree(mic.data);
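
Review bot: the trailing "+ 4" in xdr_buf_trim(buf, round_up_to_quad(mic.len) + 4) is still a bare literal, and the updated comment names the MIC and its padding but not what the remaining four bytes are. Say in the comment what the extra four bytes account for, so the next reader does not have to reconstruct why the rounded MIC length is not the whole trim.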
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 136/206] wait/ptrace: assume __WALL if the child is traced
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (134 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 135/206] sunrpc: fix stripping of padded MIC tokens Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 137/206] xen/x86: actually allocate legacy interrupts on PV guests Kamal Mostafa
                   ` (69 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Oleg Nesterov, Denys Vlasenko, Jan Kratochvil,
	Michael Kerrisk (man-pages),
	Pedro Alves, Roland McGrath, syzkaller, Andrew Morton,
	Linus Torvalds, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Oleg Nesterov <oleg@redhat.com>

commit bf959931ddb88c4e4366e96dd22e68fa0db9527c upstream.

The following program (simplified version of generated by syzkaller)

	#include <pthread.h>
	#include <unistd.h>
	#include <sys/ptrace.h>
	#include <stdio.h>
	#include <signal.h>

	void *thread_func(void *arg)
	{
		ptrace(PTRACE_TRACEME, 0,0,0);
		return 0;
	}

	int main(void)
	{
		pthread_t thread;

		if (fork())
			return 0;

		while (getppid() != 1)
			;

		pthread_create(&thread, NULL, thread_func, NULL);
		pthread_join(thread, NULL);
		return 0;
	}

creates an unreapable zombie if /sbin/init doesn't use __WALL.

This is not a kernel bug, at least in a sense that everything works as
expected: debugger should reap a traced sub-thread before it can reap the
leader, but without __WALL/__WCLONE do_wait() ignores sub-threads.

Unfortunately, it seems that /sbin/init in most (all?) distributions
doesn't use it and we have to change the kernel to avoid the problem.
Note also that most init's use sys_waitid() which doesn't allow __WALL, so
the necessary user-space fix is not that trivial.

This patch just adds the "ptrace" check into eligible_child().  To some
degree this matches the "tsk->ptrace" in exit_notify(), ->exit_signal is
mostly ignored when the tracee reports to debugger.  Or WSTOPPED, the
tracer doesn't need to set this flag to wait for the stopped tracee.

This obviously means the user-visible change: __WCLONE and __WALL no
longer have any meaning for debugger.  And I can only hope that this won't
break something, but at least strace/gdb won't suffer.

We could make a more conservative change.  Say, we can take __WCLONE into
account, or !thread_group_leader().  But it would be nice to not
complicate these historical/confusing checks.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
Cc: Pedro Alves <palves@redhat.com>
Cc: Roland McGrath <roland@hack.frob.com>
Cc: <syzkaller@googlegroups.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 kernel/exit.c | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/kernel/exit.c b/kernel/exit.c
index 031325e..269831c 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -914,17 +914,28 @@ static int eligible_pid(struct wait_opts *wo, struct task_struct *p)
 		task_pid_type(p, wo->wo_type) == wo->wo_pid;
 }
 
-static int eligible_child(struct wait_opts *wo, struct task_struct *p)
+static int
+eligible_child(struct wait_opts *wo, bool ptrace, struct task_struct *p)
 {
 	if (!eligible_pid(wo, p))
 		return 0;
-	/* Wait for all children (clone and not) if __WALL is set;
-	 * otherwise, wait for clone children *only* if __WCLONE is
-	 * set; otherwise, wait for non-clone children *only*.  (Note:
-	 * A "clone" child here is one that reports to its parent
-	 * using a signal other than SIGCHLD.) */
-	if (((p->exit_signal != SIGCHLD) ^ !!(wo->wo_flags & __WCLONE))
-	    && !(wo->wo_flags & __WALL))
+
+	/*
+	 * Wait for all children (clone and not) if __WALL is set or
+	 * if it is traced by us.
+	 */
+	if (ptrace || (wo->wo_flags & __WALL))
+		return 1;
+
+	/*
+	 * Otherwise, wait for clone children *only* if __WCLONE is set;
+	 * otherwise, wait for non-clone children *only*.
+	 *
+	 * Note: a "clone" child here is one that reports to its parent
+	 * using a signal other than SIGCHLD, or a non-leader thread which
+	 * we can only see if it is traced by us.
+	 */
+	if ((p->exit_signal != SIGCHLD) ^ !!(wo->wo_flags & __WCLONE))
 		return 0;
 
 	return 1;
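
Review bot: eligible_child() takes the new parameter as "bool ptrace", but its caller wait_consider_task() carries it as "int ptrace" and passes it straight through, so the two signatures disagree on the type. Pick one and use it in both. The early "return 1" for a traced child also skips the __WCLONE test entirely, which the commit message calls a user-visible change; the comment above it should say that __WCLONE and __WALL are ignored for a tracee, not only that a traced child is waited for.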
@@ -1297,7 +1308,7 @@ static int wait_consider_task(struct wait_opts *wo, int ptrace,
 	if (unlikely(exit_state == EXIT_DEAD))
 		return 0;
 
-	ret = eligible_child(wo, p);
+	ret = eligible_child(wo, ptrace, p);
 	if (!ret)
 		return ret;
 
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 137/206] xen/x86: actually allocate legacy interrupts on PV guests
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (135 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 136/206] wait/ptrace: assume __WALL if the child is traced Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 138/206] xen/events: Don't move disabled irqs Kamal Mostafa
                   ` (68 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Stefano Stabellini, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Stefano Stabellini <sstabellini@kernel.org>

commit 702f926067d2a4b28c10a3c41a1172dd62d9e735 upstream.

b4ff8389ed14 is incomplete: relies on nr_legacy_irqs() to get the number
of legacy interrupts when actually nr_legacy_irqs() returns 0 after
probe_8259A(). Use NR_IRQS_LEGACY instead.

Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/x86/pci/xen.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/arch/x86/pci/xen.c b/arch/x86/pci/xen.c
index d22f4b5..6b8b107 100644
--- a/arch/x86/pci/xen.c
+++ b/arch/x86/pci/xen.c
@@ -488,8 +488,11 @@ int __init pci_xen_initial_domain(void)
 #endif
 	__acpi_register_gsi = acpi_register_gsi_xen;
 	__acpi_unregister_gsi = NULL;
-	/* Pre-allocate legacy irqs */
-	for (irq = 0; irq < nr_legacy_irqs(); irq++) {
+	/*
+	 * Pre-allocate the legacy IRQs.  Use NR_LEGACY_IRQS here
+	 * because we don't have a PIC and thus nr_legacy_irqs() is zero.
+	 */
+	for (irq = 0; irq < NR_IRQS_LEGACY; irq++) {
 		int trigger, polarity;
 
 		if (acpi_get_override_irq(irq, &trigger, &polarity) == -1)
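
Review bot: the new comment says "Use NR_LEGACY_IRQS here" but the loop bound in the code is NR_IRQS_LEGACY, so the comment names a macro the code does not use. Change the comment to NR_IRQS_LEGACY so it matches "for (irq = 0; irq < NR_IRQS_LEGACY; irq++) {".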
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 138/206] xen/events: Don't move disabled irqs
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (136 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 137/206] xen/x86: actually allocate legacy interrupts on PV guests Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 139/206] UBI: Fix static volume checks when Fastmap is used Kamal Mostafa
                   ` (67 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Ross Lagerwall, David Vrabel, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Ross Lagerwall <ross.lagerwall@citrix.com>

commit f0f393877c71ad227d36705d61d1e4062bc29cf5 upstream.

Commit ff1e22e7a638 ("xen/events: Mask a moving irq") open-coded
irq_move_irq() but left out checking if the IRQ is disabled. This broke
resuming from suspend since it tries to move a (disabled) irq without
holding the IRQ's desc->lock. Fix it by adding in a check for disabled
IRQs.

The resulting stacktrace was:
kernel BUG at /build/linux-UbQGH5/linux-4.4.0/kernel/irq/migration.c:31!
invalid opcode: 0000 [#1] SMP
Modules linked in: xenfs xen_privcmd ...
CPU: 0 PID: 9 Comm: migration/0 Not tainted 4.4.0-22-generic #39-Ubuntu
Hardware name: Xen HVM domU, BIOS 4.6.1-xs125180 05/04/2016
task: ffff88003d75ee00 ti: ffff88003d7bc000 task.ti: ffff88003d7bc000
RIP: 0010:[<ffffffff810e26e2>]  [<ffffffff810e26e2>] irq_move_masked_irq+0xd2/0xe0
RSP: 0018:ffff88003d7bfc50  EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff88003d40ba00 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000100 RDI: ffff88003d40bad8
RBP: ffff88003d7bfc68 R08: 0000000000000000 R09: ffff88003d000000
R10: 0000000000000000 R11: 000000000000023c R12: ffff88003d40bad0
R13: ffffffff81f3a4a0 R14: 0000000000000010 R15: 00000000ffffffff
FS:  0000000000000000(0000) GS:ffff88003da00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd4264de624 CR3: 0000000037922000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff88003d40ba38 0000000000000024 0000000000000000 ffff88003d7bfca0
 ffffffff814c8d92 00000010813ef89d 00000000805ea732 0000000000000009
 0000000000000024 ffff88003cc39b80 ffff88003d7bfce0 ffffffff814c8f66
Call Trace:
 [<ffffffff814c8d92>] eoi_pirq+0xb2/0xf0
 [<ffffffff814c8f66>] __startup_pirq+0xe6/0x150
 [<ffffffff814ca659>] xen_irq_resume+0x319/0x360
 [<ffffffff814c7e75>] xen_suspend+0xb5/0x180
 [<ffffffff81120155>] multi_cpu_stop+0xb5/0xe0
 [<ffffffff811200a0>] ? cpu_stop_queue_work+0x80/0x80
 [<ffffffff811203d0>] cpu_stopper_thread+0xb0/0x140
 [<ffffffff810a94e6>] ? finish_task_switch+0x76/0x220
 [<ffffffff810ca731>] ? __raw_callee_save___pv_queued_spin_unlock+0x11/0x20
 [<ffffffff810a3935>] smpboot_thread_fn+0x105/0x160
 [<ffffffff810a3830>] ? sort_range+0x30/0x30
 [<ffffffff810a0588>] kthread+0xd8/0xf0
 [<ffffffff810a04b0>] ? kthread_create_on_node+0x1e0/0x1e0
 [<ffffffff8182568f>] ret_from_fork+0x3f/0x70
 [<ffffffff810a04b0>] ? kthread_create_on_node+0x1e0/0x1e0

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/xen/events/events_base.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
index d90302e..89e801f 100644
--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -487,7 +487,8 @@ static void eoi_pirq(struct irq_data *data)
 	if (!VALID_EVTCHN(evtchn))
 		return;
 
-	if (unlikely(irqd_is_setaffinity_pending(data))) {
+	if (unlikely(irqd_is_setaffinity_pending(data)) &&
+	    likely(!irqd_irq_disabled(data))) {
 		int masked = test_and_set_mask(evtchn);
 
 		clear_evtchn(evtchn);
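Review bot: the new `likely(!irqd_irq_disabled(data))` term in eoi_pirq() carries no comment, so the reason a disabled irq must skip the mask/clear/move path lives only in the commit message. A short comment above the `if`, noting that eoi_pirq() is reached from __startup_pirq() on the resume path (as in the trace above), would keep a later cleanup from dropping the check.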
@@ -1374,7 +1375,8 @@ static void ack_dynirq(struct irq_data *data)
 	if (!VALID_EVTCHN(evtchn))
 		return;
 
-	if (unlikely(irqd_is_setaffinity_pending(data))) {
+	if (unlikely(irqd_is_setaffinity_pending(data)) &&
+	    likely(!irqd_irq_disabled(data))) {
 		int masked = test_and_set_mask(evtchn);
 
 		clear_evtchn(evtchn);
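Review bot: the two-line condition in ack_dynirq() is now a verbatim copy of the one added to eoi_pirq(). A small static inline helper wrapping `irqd_is_setaffinity_pending(data) && !irqd_irq_disabled(data)` would keep the two callers from drifting apart, and a single unlikely() around the whole expression reads more clearly than unlikely() and likely() joined by `&&`.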
-- 
2.7.4

* [PATCH 4.2.y-ckt 139/206] UBI: Fix static volume checks when Fastmap is used
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (137 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 138/206] xen/events: Don't move disabled irqs Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 140/206] drm/amdgpu: Fix hdmi deep color support Kamal Mostafa
                   ` (66 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Richard Weinberger, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Richard Weinberger <richard@nod.at>

commit 1900149c835ab5b48bea31a823ea5e5a401fb560 upstream.

Ezequiel reported that he's facing UBI going into read-only
mode after power cut. It turned out that this behavior happens
only when updating a static volume is interrupted and Fastmap is
used.

A possible trace can look like:
ubi0 warning: ubi_io_read_vid_hdr [ubi]: no VID header found at PEB 2323, only 0xFF bytes
ubi0 warning: ubi_eba_read_leb [ubi]: switch to read-only mode
CPU: 0 PID: 833 Comm: ubiupdatevol Not tainted 4.6.0-rc2-ARCH #4
Hardware name: SAMSUNG ELECTRONICS CO., LTD. 300E4C/300E5C/300E7C/NP300E5C-AD8AR, BIOS P04RAP 10/15/2012
0000000000000286 00000000eba949bd ffff8800c45a7b38 ffffffff8140d841
ffff8801964be000 ffff88018eaa4800 ffff8800c45a7bb8 ffffffffa003abf6
ffffffff850e2ac0 8000000000000163 ffff8801850e2ac0 ffff8801850e2ac0
Call Trace:
[<ffffffff8140d841>] dump_stack+0x63/0x82
[<ffffffffa003abf6>] ubi_eba_read_leb+0x486/0x4a0 [ubi]
[<ffffffffa00453b3>] ubi_check_volume+0x83/0xf0 [ubi]
[<ffffffffa0039d97>] ubi_open_volume+0x177/0x350 [ubi]
[<ffffffffa00375d8>] vol_cdev_open+0x58/0xb0 [ubi]
[<ffffffff8124b08e>] chrdev_open+0xae/0x1d0
[<ffffffff81243bcf>] do_dentry_open+0x1ff/0x300
[<ffffffff8124afe0>] ? cdev_put+0x30/0x30
[<ffffffff81244d36>] vfs_open+0x56/0x60
[<ffffffff812545f4>] path_openat+0x4f4/0x1190
[<ffffffff81256621>] do_filp_open+0x91/0x100
[<ffffffff81263547>] ? __alloc_fd+0xc7/0x190
[<ffffffff812450df>] do_sys_open+0x13f/0x210
[<ffffffff812451ce>] SyS_open+0x1e/0x20
[<ffffffff81a99e32>] entry_SYSCALL_64_fastpath+0x1a/0xa4

UBI checks static volumes for data consistency and reads the
whole volume upon first open. If the volume is found erroneous
users of UBI cannot read from it, but another volume update is
possible to fix it. The check is performed by running
ubi_eba_read_leb() on every allocated LEB of the volume.
For static volumes ubi_eba_read_leb() computes the checksum of all
data stored in a LEB. To verify the computed checksum it has to read
the LEB's volume header which stores the original checksum.
If the volume header is not found UBI treats this as fatal internal
error and switches to RO mode. If the UBI device was attached via a
full scan the assumption is correct, the volume header has to be
present as it had to be there while scanning to get known as mapped.
If the attach operation happened via Fastmap the assumption is no
longer correct. When attaching via Fastmap UBI learns the mapping
table from Fastmap's snapshot of the system state and not via a full
scan. It can happen that a LEB got unmapped after a Fastmap was
written to the flash. Then UBI can learn the LEB still as mapped and
accessing it returns only 0xFF bytes. As UBI is not a FTL it is
allowed to have mappings to empty PEBs, it assumes that the layer
above takes care of LEB accounting and referencing.
UBIFS does so using the LEB property tree (LPT).
For static volumes UBI blindly assumes that all LEBs are present and
therefore special actions have to be taken.

The described situation can happen when updating a static volume is
interrupted, either by a user or a power cut.
The volume update code first unmaps all LEBs of a volume and then
writes LEB by LEB. If the sequence of operations is interrupted UBI
detects this either by the absence of LEBs, no volume header present
at scan time, or corrupted payload, detected via checksum.
In the Fastmap case the former method won't trigger as no scan
happened and UBI automatically thinks all LEBs are present.
Only by reading data from a LEB it detects that the volume header is
missing and incorrectly treats this as fatal error.
To deal with the situation ubi_eba_read_leb() from now on checks
whether we attached via Fastmap and handles the absence of a
volume header like a data corruption error.
This way interrupted static volume updates will correctly get detected
also when Fastmap is used.

Reported-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
Tested-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/mtd/ubi/eba.c     | 21 +++++++++++++++++++--
 drivers/mtd/ubi/fastmap.c |  1 +
 drivers/mtd/ubi/ubi.h     |  2 ++
 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c
index 51bca03..1c73ba6 100644
--- a/drivers/mtd/ubi/eba.c
+++ b/drivers/mtd/ubi/eba.c
@@ -426,8 +426,25 @@ retry:
 						 pnum, vol_id, lnum);
 					err = -EBADMSG;
 				} else {
-					err = -EINVAL;
-					ubi_ro_mode(ubi);
+					/*
+					 * Ending up here in the non-Fastmap case
+					 * is a clear bug as the VID header had to
+					 * be present at scan time to have it referenced.
+					 * With fastmap the story is more complicated.
+					 * Fastmap has the mapping info without the need
+					 * of a full scan. So the LEB could have been
+					 * unmapped, Fastmap cannot know this and keeps
+					 * the LEB referenced.
+					 * This is valid and works as the layer above UBI
+					 * has to do bookkeeping about used/referenced
+					 * LEBs in any case.
+					 */
+					if (ubi->fast_attach) {
+						err = -EBADMSG;
+					} else {
+						err = -EINVAL;
+						ubi_ro_mode(ubi);
+					}
 				}
 			}
 			goto out_free;
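Review bot: the `if (ubi->fast_attach)` test in the new else branch is per device, not per LEB, so once a device was attached via Fastmap every missing VID header is reported as -EBADMSG and ubi_ro_mode() is never reached on this path, including for LEBs that were mapped after attach. If that is the intended trade-off, the comment should say so explicitly. The branch also returns without logging; a ubi_warn() naming pnum, vol_id and lnum would let an interrupted update be told apart from other -EBADMSG sources in the logs.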
diff --git a/drivers/mtd/ubi/fastmap.c b/drivers/mtd/ubi/fastmap.c
index 4aa2fd8..370a0e2 100644
--- a/drivers/mtd/ubi/fastmap.c
+++ b/drivers/mtd/ubi/fastmap.c
@@ -1058,6 +1058,7 @@ int ubi_scan_fastmap(struct ubi_device *ubi, struct ubi_attach_info *ai,
 	ubi_msg(ubi, "fastmap WL pool size: %d",
 		ubi->fm_wl_pool.max_size);
 	ubi->fm_disabled = 0;
+	ubi->fast_attach = 1;
 
 	ubi_free_vid_hdr(ubi, vh);
 	kfree(ech);
diff --git a/drivers/mtd/ubi/ubi.h b/drivers/mtd/ubi/ubi.h
index 2974b67..de1ea2e4 100644
--- a/drivers/mtd/ubi/ubi.h
+++ b/drivers/mtd/ubi/ubi.h
@@ -462,6 +462,7 @@ struct ubi_debug_info {
  * @fm_eba_sem: allows ubi_update_fastmap() to block EBA table changes
  * @fm_work: fastmap work queue
  * @fm_work_scheduled: non-zero if fastmap work was scheduled
+ * @fast_attach: non-zero if UBI was attached by fastmap
  *
  * @used: RB-tree of used physical eraseblocks
  * @erroneous: RB-tree of erroneous used physical eraseblocks
@@ -570,6 +571,7 @@ struct ubi_device {
 	size_t fm_size;
 	struct work_struct fm_work;
 	int fm_work_scheduled;
+	int fast_attach;
 
 	/* Wear-leveling sub-system's stuff */
 	struct rb_root used;
-- 
2.7.4

* [PATCH 4.2.y-ckt 140/206] drm/amdgpu: Fix hdmi deep color support.
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (138 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 139/206] UBI: Fix static volume checks when Fastmap is used Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 141/206] dma-debug: avoid spinlock recursion when disabling dma-debug Kamal Mostafa
                   ` (65 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Mario Kleiner, Alex Deucher, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Mario Kleiner <mario.kleiner.de@gmail.com>

commit 9d746ab68163d642dae13756b2b3145b2e38cb65 upstream.

When porting the hdmi deep color detection code from
radeon-kms to amdgpu-kms apparently some kind of
copy and paste error happened, attaching an else
branch to the wrong if statement.

The result is that hdmi deep color mode is always
disabled, regardless of gpu and display capabilities and
user wishes, as the code mistakenly thinks that the display
doesn't provide the required max_tmds_clock limit and falls
back to 8 bpc.

This patch fixes deep color support, as tested on a
R9 380 Tonga Pro + suitable display, and should be
backported to all kernels with amdgpu-kms support.

Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
index 119cdc2..7ef2c13 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
@@ -194,12 +194,12 @@ int amdgpu_connector_get_monitor_bpc(struct drm_connector *connector)
 				bpc = 8;
 				DRM_DEBUG("%s: HDMI deep color 10 bpc exceeds max tmds clock. Using %d bpc.\n",
 					  connector->name, bpc);
-			} else if (bpc > 8) {
-				/* max_tmds_clock missing, but hdmi spec mandates it for deep color. */
-				DRM_DEBUG("%s: Required max tmds clock for HDMI deep color missing. Using 8 bpc.\n",
-					  connector->name);
-				bpc = 8;
 			}
+		} else if (bpc > 8) {
+			/* max_tmds_clock missing, but hdmi spec mandates it for deep color. */
+			DRM_DEBUG("%s: Required max tmds clock for HDMI deep color missing. Using 8 bpc.\n",
+				  connector->name);
+			bpc = 8;
 		}
 	}
 
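Review bot: in the relocated `else if (bpc > 8)` branch the DRM_DEBUG hardcodes "Using 8 bpc" and only then assigns `bpc = 8`, while the message directly above assigns first and prints bpc with %d. Assigning before the print and using %d in both keeps the two fallbacks consistent. Since the original defect was an else attached to the wrong if, a trailing comment on the closing brace this else now pairs with would make the pairing visible.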
-- 
2.7.4

* [PATCH 4.2.y-ckt 141/206] dma-debug: avoid spinlock recursion when disabling dma-debug
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (139 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 140/206] drm/amdgpu: Fix hdmi deep color support Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 142/206] dell-rbtn: Ignore ACPI notifications if device is suspended Kamal Mostafa
                   ` (64 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Ville Syrjälä, Andrew Morton, Linus Torvalds, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

commit 3017cd63f26fc655d56875aaf497153ba60e9edf upstream.

With netconsole (at least) the pr_err("...  disabling\n") call can
recurse back into the dma-debug code, where it'll try to grab
free_entries_lock again.  Avoid the problem by doing the printk after
dropping the lock.

Link: http://lkml.kernel.org/r/1463678421-18683-1-git-send-email-ville.syrjala@linux.intel.com
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 lib/dma-debug.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/dma-debug.c b/lib/dma-debug.c
index d8b4df8..0c66f76 100644
--- a/lib/dma-debug.c
+++ b/lib/dma-debug.c
@@ -657,9 +657,9 @@ static struct dma_debug_entry *dma_entry_alloc(void)
 	spin_lock_irqsave(&free_entries_lock, flags);
 
 	if (list_empty(&free_entries)) {
-		pr_err("DMA-API: debugging out of memory - disabling\n");
 		global_disable = true;
 		spin_unlock_irqrestore(&free_entries_lock, flags);
+		pr_err("DMA-API: debugging out of memory - disabling\n");
 		return NULL;
 	}
 
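Review bot: the moved pr_err() in dma_entry_alloc() has no comment explaining why it must stay after spin_unlock_irqrestore(), so the ordering looks arbitrary and could be reverted by a later tidy-up. A one-line comment above it, saying the console path can re-enter dma-debug and take free_entries_lock, would document the constraint where it matters.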
-- 
2.7.4

* [PATCH 4.2.y-ckt 142/206] dell-rbtn: Ignore ACPI notifications if device is suspended
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (140 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 141/206] dma-debug: avoid spinlock recursion when disabling dma-debug Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 143/206] Input: xpad - prevent spurious input from wired Xbox 360 controllers Kamal Mostafa
                   ` (63 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Gabriele Mazzotta, Darren Hart, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Gabriele Mazzotta <gabriele.mzt@gmail.com>

commit ff8651237f39cea60dc89b2d9f25d9ede3fc82c0 upstream.

Some BIOSes unconditionally send an ACPI notification to RBTN when the
system is resuming from suspend. This makes dell-rbtn send an input
event to userspace as if a function key was pressed. Prevent this by
ignoring all the notifications received while the device is suspended.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=106031
Signed-off-by: Gabriele Mazzotta <gabriele.mzt@gmail.com>
Tested-by: Alex Hung <alex.hung@canonical.com>
Reviewed-by: Pali Rohár <pali.rohar@gmail.com>
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/platform/x86/dell-rbtn.c | 56 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/drivers/platform/x86/dell-rbtn.c b/drivers/platform/x86/dell-rbtn.c
index cd410e3..d33e9ad 100644
--- a/drivers/platform/x86/dell-rbtn.c
+++ b/drivers/platform/x86/dell-rbtn.c
@@ -28,6 +28,7 @@ struct rbtn_data {
 	enum rbtn_type type;
 	struct rfkill *rfkill;
 	struct input_dev *input_dev;
+	bool suspended;
 };
 
 
@@ -220,9 +221,55 @@ static const struct acpi_device_id rbtn_ids[] = {
 	{ "", 0 },
 };
 
+#ifdef CONFIG_PM_SLEEP
+static void ACPI_SYSTEM_XFACE rbtn_clear_suspended_flag(void *context)
+{
+	struct rbtn_data *rbtn_data = context;
+
+	rbtn_data->suspended = false;
+}
+
+static int rbtn_suspend(struct device *dev)
+{
+	struct acpi_device *device = to_acpi_device(dev);
+	struct rbtn_data *rbtn_data = acpi_driver_data(device);
+
+	rbtn_data->suspended = true;
+
+	return 0;
+}
+
+static int rbtn_resume(struct device *dev)
+{
+	struct acpi_device *device = to_acpi_device(dev);
+	struct rbtn_data *rbtn_data = acpi_driver_data(device);
+	acpi_status status;
+
+	/*
+	 * Upon resume, some BIOSes send an ACPI notification thet triggers
+	 * an unwanted input event. In order to ignore it, we use a flag
+	 * that we set at suspend and clear once we have received the extra
+	 * ACPI notification. Since ACPI notifications are delivered
+	 * asynchronously to drivers, we clear the flag from the workqueue
+	 * used to deliver the notifications. This should be enough
+	 * to have the flag cleared only after we received the extra
+	 * notification, if any.
+	 */
+	status = acpi_os_execute(OSL_NOTIFY_HANDLER,
+			 rbtn_clear_suspended_flag, rbtn_data);
+	if (ACPI_FAILURE(status))
+		rbtn_clear_suspended_flag(rbtn_data);
+
+	return 0;
+}
+#endif
+
+static SIMPLE_DEV_PM_OPS(rbtn_pm_ops, rbtn_suspend, rbtn_resume);
+
 static struct acpi_driver rbtn_driver = {
 	.name = "dell-rbtn",
 	.ids = rbtn_ids,
+	.drv.pm = &rbtn_pm_ops,
 	.ops = {
 		.add = rbtn_add,
 		.remove = rbtn_remove,
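Review bot: rbtn_resume() depends on the flag-clearing callback being queued behind the BIOS's resume notification on the OSL_NOTIFY_HANDLER queue, and the comment itself only claims this "should be enough". It would help to state the ordering guarantee being relied on, or to note what happens when the notification arrives after the flag has been cleared. `suspended` is also a plain bool written in rbtn_suspend() and in the queued callback and read in rbtn_notify() with no lock or READ_ONCE()/WRITE_ONCE(). Minor: "thet" in the comment should be "that".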
@@ -384,6 +431,15 @@ static void rbtn_notify(struct acpi_device *device, u32 event)
 {
 	struct rbtn_data *rbtn_data = device->driver_data;
 
+	/*
+	 * Some BIOSes send a notification at resume.
+	 * Ignore it to prevent unwanted input events.
+	 */
+	if (rbtn_data->suspended) {
+		dev_dbg(&device->dev, "ACPI notification ignored\n");
+		return;
+	}
+
 	if (event != 0x80) {
 		dev_info(&device->dev, "Received unknown event (0x%x)\n",
 			 event);
-- 
2.7.4

* [PATCH 4.2.y-ckt 143/206] Input: xpad - prevent spurious input from wired Xbox 360 controllers
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (141 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 142/206] dell-rbtn: Ignore ACPI notifications if device is suspended Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 144/206] Input: pwm-beeper - fix - scheduling while atomic Kamal Mostafa
                   ` (62 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Cameron Gutman, Pavel Rojtberg, Dmitry Torokhov, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Cameron Gutman <aicommander@gmail.com>

commit 1ff5fa3c6732f08e01ae12f12286d4728c9e4d86 upstream.

After initially connecting a wired Xbox 360 controller or sending it
a command to change LEDs, a status/response packet is interpreted as
controller input. This causes the state of buttons represented in
byte 2 of the controller data packet to be incorrect until the next
valid input packet. Wireless Xbox 360 controllers are not affected.

Writing a new value to the LED device while holding the Start button
and running jstest is sufficient to reproduce this bug. An event will
come through with the Start button released.

Xboxdrv also won't attempt to read controller input from a packet
where byte 0 is non-zero. It also checks that byte 1 is 0x14, but
that value differs between wired and wireless controllers and this
code is shared by both. I think just checking byte 0 is enough to
eliminate unwanted packets.

The following are some examples of 3-byte status packets I saw:
01 03 02
02 03 00
03 03 03
08 03 00

Signed-off-by: Cameron Gutman <aicommander@gmail.com>
Signed-off-by: Pavel Rojtberg <rojtberg@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/input/joystick/xpad.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
index 38fd7b7..8aea29c 100644
--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -432,6 +432,10 @@ static void xpad360_process_packet(struct usb_xpad *xpad,
 {
 	struct input_dev *dev = xpad->dev;
 
+	/* valid pad data */
+	if (data[0] != 0x00)
+		return;
+
 	/* digital pad */
 	if (xpad->mapping & MAP_DPAD_TO_BUTTONS) {
 		/* dpad as buttons (left, right, up, down) */
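Review bot: the comment `/* valid pad data */` in xpad360_process_packet() describes the opposite of what the following check does, since the code returns when byte 0 is not 0x00. Something like "ignore status/response packets: pad data has byte 0 == 0x00" would match the behaviour and record the reasoning from the commit message.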
-- 
2.7.4

* [PATCH 4.2.y-ckt 144/206] Input: pwm-beeper - fix - scheduling while atomic
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (142 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 143/206] Input: xpad - prevent spurious input from wired Xbox 360 controllers Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 145/206] MIPS: lib: Mark intrinsics notrace Kamal Mostafa
                   ` (61 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Manfred Schlaegl, Dmitry Torokhov, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Manfred Schlaegl <manfred.schlaegl@gmx.at>

commit f49cf3b8b4c841457244c461c66186a719e13bcc upstream.

Pwm config may sleep so defer it using a worker.

On a Freescale i.MX53 based board we ran into "BUG: scheduling while
atomic" because input_inject_event locks interrupts, but
imx_pwm_config_v2 sleeps.

Tested on Freescale i.MX53 SoC with 4.6.0.

Signed-off-by: Manfred Schlaegl <manfred.schlaegl@gmx.at>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/input/misc/pwm-beeper.c | 69 ++++++++++++++++++++++++++++-------------
 1 file changed, 48 insertions(+), 21 deletions(-)

diff --git a/drivers/input/misc/pwm-beeper.c b/drivers/input/misc/pwm-beeper.c
index e82edf8..9021725 100644
--- a/drivers/input/misc/pwm-beeper.c
+++ b/drivers/input/misc/pwm-beeper.c
@@ -20,21 +20,40 @@
 #include <linux/platform_device.h>
 #include <linux/pwm.h>
 #include <linux/slab.h>
+#include <linux/workqueue.h>
 
 struct pwm_beeper {
 	struct input_dev *input;
 	struct pwm_device *pwm;
+	struct work_struct work;
 	unsigned long period;
 };
 
 #define HZ_TO_NANOSECONDS(x) (1000000000UL/(x))
 
+static void __pwm_beeper_set(struct pwm_beeper *beeper)
+{
+	unsigned long period = beeper->period;
+
+	if (period) {
+		pwm_config(beeper->pwm, period / 2, period);
+		pwm_enable(beeper->pwm);
+	} else
+		pwm_disable(beeper->pwm);
+}
+
+static void pwm_beeper_work(struct work_struct *work)
+{
+	struct pwm_beeper *beeper =
+		container_of(work, struct pwm_beeper, work);
+
+	__pwm_beeper_set(beeper);
+}
+
 static int pwm_beeper_event(struct input_dev *input,
 			    unsigned int type, unsigned int code, int value)
 {
-	int ret = 0;
 	struct pwm_beeper *beeper = input_get_drvdata(input);
-	unsigned long period;
 
 	if (type != EV_SND || value < 0)
 		return -EINVAL;
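Review bot: __pwm_beeper_set() discards the return values of pwm_config() and pwm_enable(), which the removed code in pwm_beeper_event() checked and propagated. The worker cannot return an error to the caller, but it should at least log a failure and skip pwm_enable() when pwm_config() fails. Style: the `} else` branch needs braces because the `if` branch has them.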
@@ -49,22 +68,31 @@ static int pwm_beeper_event(struct input_dev *input,
 		return -EINVAL;
 	}
 
-	if (value == 0) {
-		pwm_disable(beeper->pwm);
-	} else {
-		period = HZ_TO_NANOSECONDS(value);
-		ret = pwm_config(beeper->pwm, period / 2, period);
-		if (ret)
-			return ret;
-		ret = pwm_enable(beeper->pwm);
-		if (ret)
-			return ret;
-		beeper->period = period;
-	}
+	if (value == 0)
+		beeper->period = 0;
+	else
+		beeper->period = HZ_TO_NANOSECONDS(value);
+
+	schedule_work(&beeper->work);
 
 	return 0;
 }
 
+static void pwm_beeper_stop(struct pwm_beeper *beeper)
+{
+	cancel_work_sync(&beeper->work);
+
+	if (beeper->period)
+		pwm_disable(beeper->pwm);
+}
+
+static void pwm_beeper_close(struct input_dev *input)
+{
+	struct pwm_beeper *beeper = input_get_drvdata(input);
+
+	pwm_beeper_stop(beeper);
+}
+
 static int pwm_beeper_probe(struct platform_device *pdev)
 {
 	unsigned long pwm_id = (unsigned long)dev_get_platdata(&pdev->dev);
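Review bot: pwm_beeper_stop() tests `beeper->period` after cancel_work_sync(), but period is set in pwm_beeper_event() before the work runs, so a cancelled work item leaves period non-zero while pwm_enable() was never called, and pwm_disable() then runs on a PWM that is not enabled. Nothing here stops a new event from calling schedule_work() again after the cancel, either. Consider tracking the enabled state separately from the requested period.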
@@ -87,6 +115,8 @@ static int pwm_beeper_probe(struct platform_device *pdev)
 		goto err_free;
 	}
 
+	INIT_WORK(&beeper->work, pwm_beeper_work);
+
 	beeper->input = input_allocate_device();
 	if (!beeper->input) {
 		dev_err(&pdev->dev, "Failed to allocate input device\n");
@@ -106,6 +136,7 @@ static int pwm_beeper_probe(struct platform_device *pdev)
 	beeper->input->sndbit[0] = BIT(SND_TONE) | BIT(SND_BELL);
 
 	beeper->input->event = pwm_beeper_event;
+	beeper->input->close = pwm_beeper_close;
 
 	input_set_drvdata(beeper->input, beeper);
 
@@ -135,7 +166,6 @@ static int pwm_beeper_remove(struct platform_device *pdev)
 
 	input_unregister_device(beeper->input);
 
-	pwm_disable(beeper->pwm);
 	pwm_free(beeper->pwm);
 
 	kfree(beeper);
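Review bot: with pwm_disable() removed, pwm_beeper_remove() no longer stops the PWM or cancels the work itself, so it relies on input_unregister_device() invoking the new ->close callback before pwm_free() and kfree(beeper). If that is the intent, a comment saying so belongs here; otherwise an explicit pwm_beeper_stop(beeper) after unregistering would make sure no queued work can touch the freed beeper.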
@@ -147,8 +177,7 @@ static int __maybe_unused pwm_beeper_suspend(struct device *dev)
 {
 	struct pwm_beeper *beeper = dev_get_drvdata(dev);
 
-	if (beeper->period)
-		pwm_disable(beeper->pwm);
+	pwm_beeper_stop(beeper);
 
 	return 0;
 }
@@ -157,10 +186,8 @@ static int __maybe_unused pwm_beeper_resume(struct device *dev)
 {
 	struct pwm_beeper *beeper = dev_get_drvdata(dev);
 
-	if (beeper->period) {
-		pwm_config(beeper->pwm, beeper->period / 2, beeper->period);
-		pwm_enable(beeper->pwm);
-	}
+	if (beeper->period)
+		__pwm_beeper_set(beeper);
 
 	return 0;
 }
-- 
2.7.4

* [PATCH 4.2.y-ckt 145/206] MIPS: lib: Mark intrinsics notrace
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (143 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 144/206] Input: pwm-beeper - fix - scheduling while atomic Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 146/206] hpfs: fix remount failure when there are no options changed Kamal Mostafa
                   ` (60 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Harvey Hunt, linux-mips, Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Harvey Hunt <harvey.hunt@imgtec.com>

commit aedcfbe06558a9f53002e82d5be64c6c94687726 upstream.

On certain MIPS32 devices, the ftrace tracer "function_graph" uses
__lshrdi3() during the capturing of trace data. ftrace then attempts to
trace __lshrdi3() which leads to infinite recursion and a stack overflow.
Fix this by marking __lshrdi3() as notrace. Mark the other compiler
intrinsics as notrace in case the compiler decides to use them in the
ftrace path.

Signed-off-by: Harvey Hunt <harvey.hunt@imgtec.com>
Cc: <linux-mips@linux-mips.org>
Cc: <linux-kernel@vger.kernel.org>
Patchwork: https://patchwork.linux-mips.org/patch/13354/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
[ kamal: backport to 4.2-stable: no bswap[ds]i.c ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/lib/ashldi3.c | 2 +-
 arch/mips/lib/ashrdi3.c | 2 +-
 arch/mips/lib/cmpdi2.c  | 2 +-
 arch/mips/lib/lshrdi3.c | 2 +-
 arch/mips/lib/ucmpdi2.c | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/arch/mips/lib/ashldi3.c b/arch/mips/lib/ashldi3.c
index beb80f31..927dc94 100644
--- a/arch/mips/lib/ashldi3.c
+++ b/arch/mips/lib/ashldi3.c
@@ -2,7 +2,7 @@
 
 #include "libgcc.h"
 
-long long __ashldi3(long long u, word_type b)
+long long notrace __ashldi3(long long u, word_type b)
 {
 	DWunion uu, w;
 	word_type bm;
diff --git a/arch/mips/lib/ashrdi3.c b/arch/mips/lib/ashrdi3.c
index c884a91..9fdf1a5 100644
--- a/arch/mips/lib/ashrdi3.c
+++ b/arch/mips/lib/ashrdi3.c
@@ -2,7 +2,7 @@
 
 #include "libgcc.h"
 
-long long __ashrdi3(long long u, word_type b)
+long long notrace __ashrdi3(long long u, word_type b)
 {
 	DWunion uu, w;
 	word_type bm;
diff --git a/arch/mips/lib/cmpdi2.c b/arch/mips/lib/cmpdi2.c
index 8c13064..06857da 100644
--- a/arch/mips/lib/cmpdi2.c
+++ b/arch/mips/lib/cmpdi2.c
@@ -2,7 +2,7 @@
 
 #include "libgcc.h"
 
-word_type __cmpdi2(long long a, long long b)
+word_type notrace __cmpdi2(long long a, long long b)
 {
 	const DWunion au = {
 		.ll = a
diff --git a/arch/mips/lib/lshrdi3.c b/arch/mips/lib/lshrdi3.c
index dcf8d68..3645474 100644
--- a/arch/mips/lib/lshrdi3.c
+++ b/arch/mips/lib/lshrdi3.c
@@ -2,7 +2,7 @@
 
 #include "libgcc.h"
 
-long long __lshrdi3(long long u, word_type b)
+long long notrace __lshrdi3(long long u, word_type b)
 {
 	DWunion uu, w;
 	word_type bm;
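Review bot: the `notrace` added to __lshrdi3() is the annotation that actually breaks the function_graph recursion described in the commit message, yet neither this file nor the four sibling files say why the annotation is there. A one-line comment near libgcc.h or above each definition, stating that these intrinsics can be emitted inside the ftrace path, would stop the annotation being dropped as apparently redundant.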
diff --git a/arch/mips/lib/ucmpdi2.c b/arch/mips/lib/ucmpdi2.c
index bb4cb2f..bd599f5 100644
--- a/arch/mips/lib/ucmpdi2.c
+++ b/arch/mips/lib/ucmpdi2.c
@@ -2,7 +2,7 @@
 
 #include "libgcc.h"
 
-word_type __ucmpdi2(unsigned long long a, unsigned long long b)
+word_type notrace __ucmpdi2(unsigned long long a, unsigned long long b)
 {
 	const DWunion au = {.ll = a};
 	const DWunion bu = {.ll = b};
-- 
2.7.4

* [PATCH 4.2.y-ckt 146/206] hpfs: fix remount failure when there are no options changed
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (144 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 145/206] MIPS: lib: Mark intrinsics notrace Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 147/206] affs: " Kamal Mostafa
                   ` (59 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Mikulas Patocka, Linus Torvalds, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Mikulas Patocka <mikulas@twibright.com>

commit 44d51706b4685f965cd32acde3fe0fcc1e6198e8 upstream.

Commit ce657611baf9 ("hpfs: kstrdup() out of memory handling") checks if
the kstrdup function returns NULL due to out-of-memory condition.

However, if we are remounting a filesystem with no change to
filesystem-specific options, the parameter data is NULL.  In this case,
kstrdup returns NULL (because it was passed NULL parameter), although no
out of memory condition exists.  The mount syscall then fails with
ENOMEM.

This patch fixes the bug.  We fail with ENOMEM only if data is non-NULL.

The patch also changes the call to replace_mount_options - if we didn't
pass any filesystem-specific options, we don't call
replace_mount_options (thus we don't erase existing reported options).

Fixes: ce657611baf9 ("hpfs: kstrdup() out of memory handling")
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/hpfs/super.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/hpfs/super.c b/fs/hpfs/super.c
index 68a9bed..8c2b6e9 100644
--- a/fs/hpfs/super.c
+++ b/fs/hpfs/super.c
@@ -455,7 +455,7 @@ static int hpfs_remount_fs(struct super_block *s, int *flags, char *data)
 	struct hpfs_sb_info *sbi = hpfs_sb(s);
 	char *new_opts = kstrdup(data, GFP_KERNEL);
 
-	if (!new_opts)
+	if (data && !new_opts)
 		return -ENOMEM;
 
 	sync_filesystem(s);
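Review bot: the new test `if (data && !new_opts)` in hpfs_remount_fs() is correct but reads oddly without context, because it is not obvious at the call site that kstrdup() returns NULL for a NULL argument. A short comment above the check, stating that a NULL new_opts is an allocation failure only when data was supplied, would save the next reader a trip to the commit log.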
@@ -493,7 +493,8 @@ static int hpfs_remount_fs(struct super_block *s, int *flags, char *data)
 
 	if (!(*flags & MS_RDONLY)) mark_dirty(s, 1);
 
-	replace_mount_options(s, new_opts);
+	if (new_opts)
+		replace_mount_options(s, new_opts);
 
 	hpfs_unlock(s);
 	return 0;
-- 
2.7.4

* [PATCH 4.2.y-ckt 147/206] affs: fix remount failure when there are no options changed
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (145 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 146/206] hpfs: fix remount failure when there are no options changed Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 148/206] hpfs: implement the show_options method Kamal Mostafa
                   ` (58 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Mikulas Patocka, Linus Torvalds, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Mikulas Patocka <mikulas@twibright.com>

commit 01d6e08711bf90bc4d7ead14a93a0cbd73b1896a upstream.

Commit c8f33d0bec99 ("affs: kstrdup() memory handling") checks if the
kstrdup function returns NULL due to an out-of-memory condition.

However, if we are remounting a filesystem with no change to
filesystem-specific options, the parameter data is NULL.  In this case,
kstrdup returns NULL (because it was passed a NULL parameter), although no
out of memory condition exists.  The mount syscall then fails with
ENOMEM.

This patch fixes the bug.  We fail with ENOMEM only if data is non-NULL.

The patch also changes the call to replace_mount_options - if we didn't
pass any filesystem-specific options, we don't call
replace_mount_options (thus we don't erase existing reported options).

Fixes: c8f33d0bec99 ("affs: kstrdup() memory handling")
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/affs/super.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/affs/super.c b/fs/affs/super.c
index 3f89c9e..cc75712 100644
--- a/fs/affs/super.c
+++ b/fs/affs/super.c
@@ -526,7 +526,7 @@ affs_remount(struct super_block *sb, int *flags, char *data)
 	char			*prefix = NULL;
 
 	new_opts = kstrdup(data, GFP_KERNEL);
-	if (!new_opts)
+	if (data && !new_opts)
 		return -ENOMEM;
 
 	pr_debug("%s(flags=0x%x,opts=\"%s\")\n", __func__, *flags, data);
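
Review bot: with the check relaxed to `data && !new_opts`, affs_remount() now continues with data == NULL and reaches the `pr_debug(... opts=\"%s\" ..., data)` context line in that state. The kernel's vsnprintf prints "(null)" for a NULL %s argument, so the debug line itself is harmless, but please confirm that nothing further down in the function dereferences data without a NULL test, since this path was cut off by the old `if (!new_opts)` return.
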
@@ -544,7 +544,8 @@ affs_remount(struct super_block *sb, int *flags, char *data)
 	}
 
 	flush_delayed_work(&sbi->sb_work);
-	replace_mount_options(sb, new_opts);
+	if (new_opts)
+		replace_mount_options(sb, new_opts);
 
 	sbi->s_flags = mount_flags;
 	sbi->s_mode  = mode;
-- 
2.7.4

* [PATCH 4.2.y-ckt 148/206] hpfs: implement the show_options method
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (146 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 147/206] affs: " Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 149/206] regmap: cache: Fix typo in cache_bypass parameter description Kamal Mostafa
                   ` (57 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Mikulas Patocka, Linus Torvalds, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Mikulas Patocka <mikulas@twibright.com>

commit 037369b872940cd923835a0a589763180c4a36bc upstream.

The HPFS filesystem used generic_show_options to produce the string that is
displayed in /proc/mounts.  However, there is a problem that the options
may disappear after remount.  If we mount the filesystem with option1
and then remount it with option2, /proc/mounts should show both option1
and option2, however it only shows option2 because the whole option
string is replaced with replace_mount_options in hpfs_remount_fs.

To fix this bug, implement the hpfs_show_options function that prints
options that are currently selected.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/hpfs/super.c | 43 ++++++++++++++++++++++++++++++++-----------
 1 file changed, 32 insertions(+), 11 deletions(-)

diff --git a/fs/hpfs/super.c b/fs/hpfs/super.c
index 8c2b6e9..0b49ffe 100644
--- a/fs/hpfs/super.c
+++ b/fs/hpfs/super.c
@@ -15,6 +15,7 @@
 #include <linux/sched.h>
 #include <linux/bitmap.h>
 #include <linux/slab.h>
+#include <linux/seq_file.h>
 
 /* Mark the filesystem dirty, so that chkdsk checks it when os/2 booted */
 
@@ -453,10 +454,6 @@ static int hpfs_remount_fs(struct super_block *s, int *flags, char *data)
 	int lowercase, eas, chk, errs, chkdsk, timeshift;
 	int o;
 	struct hpfs_sb_info *sbi = hpfs_sb(s);
-	char *new_opts = kstrdup(data, GFP_KERNEL);
-
-	if (data && !new_opts)
-		return -ENOMEM;
 
 	sync_filesystem(s);
 
@@ -493,18 +490,44 @@ static int hpfs_remount_fs(struct super_block *s, int *flags, char *data)
 
 	if (!(*flags & MS_RDONLY)) mark_dirty(s, 1);
 
-	if (new_opts)
-		replace_mount_options(s, new_opts);
-
 	hpfs_unlock(s);
 	return 0;
 
 out_err:
 	hpfs_unlock(s);
-	kfree(new_opts);
 	return -EINVAL;
 }
 
+static int hpfs_show_options(struct seq_file *seq, struct dentry *root)
+{
+	struct hpfs_sb_info *sbi = hpfs_sb(root->d_sb);
+
+	seq_printf(seq, ",uid=%u", from_kuid_munged(&init_user_ns, sbi->sb_uid));
+	seq_printf(seq, ",gid=%u", from_kgid_munged(&init_user_ns, sbi->sb_gid));
+	seq_printf(seq, ",umask=%03o", (~sbi->sb_mode & 0777));
+	if (sbi->sb_lowercase)
+		seq_printf(seq, ",case=lower");
+	if (!sbi->sb_chk)
+		seq_printf(seq, ",check=none");
+	if (sbi->sb_chk == 2)
+		seq_printf(seq, ",check=strict");
+	if (!sbi->sb_err)
+		seq_printf(seq, ",errors=continue");
+	if (sbi->sb_err == 2)
+		seq_printf(seq, ",errors=panic");
+	if (!sbi->sb_chkdsk)
+		seq_printf(seq, ",chkdsk=no");
+	if (sbi->sb_chkdsk == 2)
+		seq_printf(seq, ",chkdsk=always");
+	if (!sbi->sb_eas)
+		seq_printf(seq, ",eas=no");
+	if (sbi->sb_eas == 1)
+		seq_printf(seq, ",eas=ro");
+	if (sbi->sb_timeshift)
+		seq_printf(seq, ",timeshift=%d", sbi->sb_timeshift);
+	return 0;
+}
+
 /* Super operations */
 
 static const struct super_operations hpfs_sops =
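
Review bot: in hpfs_show_options() the fixed-string calls such as `seq_printf(seq, ",case=lower")` take no format arguments and should be seq_puts(), which is what checkpatch asks for. The paired tests on sb_chk, sb_err, sb_chkdsk and sb_eas compare against bare 0, 1 and 2 and silently skip the default value; an else-if per pair and a comment naming the default that is not printed would make the mapping to the mount option names easier to verify.
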
@@ -515,7 +538,7 @@ static const struct super_operations hpfs_sops =
 	.put_super	= hpfs_put_super,
 	.statfs		= hpfs_statfs,
 	.remount_fs	= hpfs_remount_fs,
-	.show_options	= generic_show_options,
+	.show_options	= hpfs_show_options,
 };
 
 static int hpfs_fill_super(struct super_block *s, void *options, int silent)
@@ -538,8 +561,6 @@ static int hpfs_fill_super(struct super_block *s, void *options, int silent)
 
 	int o;
 
-	save_mount_options(s, options);
-
 	sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
 	if (!sbi) {
 		return -ENOMEM;
-- 
2.7.4

* [PATCH 4.2.y-ckt 149/206] regmap: cache: Fix typo in cache_bypass parameter description
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (147 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 148/206] hpfs: implement the show_options method Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 150/206] ARM: dts: kirkwood: add kirkwood-ds112.dtb to Makefile Kamal Mostafa
                   ` (56 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Andrew F . Davis, Mark Brown, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "Andrew F. Davis" <afd@ti.com>

commit 267c85860308d36bc163c5573308cd024f659d7c upstream.

Setting the flag 'cache_bypass' will bypass the cache not the hardware.
Fix this comment here.

Fixes: 0eef6b0415f5 ("regmap: Fix doc comment")
Signed-off-by: Andrew F. Davis <afd@ti.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/base/regmap/regcache.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/base/regmap/regcache.c b/drivers/base/regmap/regcache.c
index b9862d7..bc2c94d 100644
--- a/drivers/base/regmap/regcache.c
+++ b/drivers/base/regmap/regcache.c
@@ -502,7 +502,7 @@ EXPORT_SYMBOL_GPL(regcache_mark_dirty);
  * regcache_cache_bypass: Put a register map into cache bypass mode
  *
  * @map: map to configure
- * @cache_bypass: flag if changes should not be written to the hardware
+ * @cache_bypass: flag if changes should not be written to the cache
  *
  * When a register map is marked with the cache bypass option, writes
  * to the register map API will only update the hardware and not the
-- 
2.7.4

* [PATCH 4.2.y-ckt 150/206] ARM: dts: kirkwood: add kirkwood-ds112.dtb to Makefile
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (148 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 149/206] regmap: cache: Fix typo in cache_bypass parameter description Kamal Mostafa
@ 2016-06-09 21:15 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 151/206] serial: doc: Un-document non-existing uart_write_console() Kamal Mostafa
                   ` (55 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:15 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Heinrich Schuchardt, Gregory CLEMENT, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Heinrich Schuchardt <xypron.glpk@gmx.de>

commit fc5c796e12511a7c027b5a4438719dde2f796208 upstream.

Commit 2d0a7addbd10 ("ARM: Kirkwood: Add support for many Synology
NAS devices") created the new file kirkwood-ds112.dts but did not
add it to the Makefile.

Fixes: 2d0a7addbd10 ("ARM: Kirkwood: Add support for many Synology NAS devices")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/arm/boot/dts/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm/boot/dts/Makefile b/arch/arm/boot/dts/Makefile
index 246473a..908c288 100644
--- a/arch/arm/boot/dts/Makefile
+++ b/arch/arm/boot/dts/Makefile
@@ -158,6 +158,7 @@ dtb-$(CONFIG_MACH_KIRKWOOD) += \
 	kirkwood-ds109.dtb \
 	kirkwood-ds110jv10.dtb \
 	kirkwood-ds111.dtb \
+	kirkwood-ds112.dtb \
 	kirkwood-ds209.dtb \
 	kirkwood-ds210.dtb \
 	kirkwood-ds212.dtb \
-- 
2.7.4

* [PATCH 4.2.y-ckt 151/206] serial: doc: Un-document non-existing uart_write_console()
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (149 preceding siblings ...)
  2016-06-09 21:15 ` [PATCH 4.2.y-ckt 150/206] ARM: dts: kirkwood: add kirkwood-ds112.dtb to Makefile Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 152/206] iio: buffer: add missing descriptions in iio_buffer_access_funcs Kamal Mostafa
                   ` (54 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Geert Uytterhoeven, Jonathan Corbet, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit 834392a7d92677ff2bdc1c709b1171ee585b55c9 upstream.

uart_write_console() never existed, not even when the "new
uart_write_console function" was documented.

Fixes: 67ab7f596b6adbae ("[SERIAL] Update serial driver documentation")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 Documentation/serial/driver | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/Documentation/serial/driver b/Documentation/serial/driver
index c415b0e..7bff80876 100644
--- a/Documentation/serial/driver
+++ b/Documentation/serial/driver
@@ -28,11 +28,6 @@ The serial core provides a few helper functions.  This includes identifing
 the correct port structure (via uart_get_console) and decoding command line
 arguments (uart_parse_options).
 
-There is also a helper function (uart_write_console) which performs a
-character by character write, translating newlines to CRLF sequences.
-Driver writers are recommended to use this function rather than implementing
-their own version.
-
 
 Locking
 -------
-- 
2.7.4

* [PATCH 4.2.y-ckt 152/206] iio: buffer: add missing descriptions in iio_buffer_access_funcs
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (150 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 151/206] serial: doc: Un-document non-existing uart_write_console() Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 153/206] iommu/vt-d: Ratelimit fault handler Kamal Mostafa
                   ` (53 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Luis de Bethencourt, Jonathan Cameron, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Luis de Bethencourt <luisbg@osg.samsung.com>

commit 8cb359e3a1f6318f971bec281623613f48b711be upstream.

The members buffer_group and attrs of iio_buffer_access_funcs have no
descriptions for the documentation. Adding them.

Fixes: 08e7e0adaa17 ("iio: buffer: Allocate standard attributes in the core")
Signed-off-by: Luis de Bethencourt <luisbg@osg.samsung.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 include/linux/iio/buffer.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/include/linux/iio/buffer.h b/include/linux/iio/buffer.h
index 1600c55..e776fe4 100644
--- a/include/linux/iio/buffer.h
+++ b/include/linux/iio/buffer.h
@@ -67,10 +67,12 @@ struct iio_buffer_access_funcs {
  * @access:		[DRIVER] buffer access functions associated with the
  *			implementation.
  * @scan_el_dev_attr_list:[INTERN] list of scan element related attributes.
+ * @buffer_group:	[INTERN] attributes of the buffer group
  * @scan_el_group:	[DRIVER] attribute group for those attributes not
  *			created from the iio_chan_info array.
  * @pollq:		[INTERN] wait queue to allow for polling on the buffer.
  * @stufftoread:	[INTERN] flag to indicate new data.
+ * @attrs:		[INTERN] standard attributes of the buffer
  * @demux_list:		[INTERN] list of operations required to demux the scan.
  * @demux_bounce:	[INTERN] buffer for doing gather from incoming scan.
  * @buffer_list:	[INTERN] entry in the devices list of current buffers.
-- 
2.7.4

* [PATCH 4.2.y-ckt 153/206] iommu/vt-d: Ratelimit fault handler
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (151 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 152/206] iio: buffer: add missing descriptions in iio_buffer_access_funcs Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 154/206] iommu/vt-d: Improve fault handler error messages Kamal Mostafa
                   ` (52 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Alex Williamson, Joerg Roedel, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Alex Williamson <alex.williamson@redhat.com>

commit c43fce4eebae257ca413733690e2076757282093 upstream.

Fault rates can easily overwhelm the console and make the system
unresponsive.  Ratelimit to allow an opportunity for maintenance.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Fixes: 0ac2491f57af ('x86, dmar: move page fault handling code to dmar.c')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/iommu/dmar.c | 33 ++++++++++++++++++++++-----------
 1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c
index b526875..3e93632 100644
--- a/drivers/iommu/dmar.c
+++ b/drivers/iommu/dmar.c
@@ -1575,10 +1575,17 @@ irqreturn_t dmar_fault(int irq, void *dev_id)
 	int reg, fault_index;
 	u32 fault_status;
 	unsigned long flag;
+	bool ratelimited;
+	static DEFINE_RATELIMIT_STATE(rs,
+				      DEFAULT_RATELIMIT_INTERVAL,
+				      DEFAULT_RATELIMIT_BURST);
+
+	/* Disable printing, simply clear the fault when ratelimited */
+	ratelimited = !__ratelimit(&rs);
 
 	raw_spin_lock_irqsave(&iommu->register_lock, flag);
 	fault_status = readl(iommu->reg + DMAR_FSTS_REG);
-	if (fault_status)
+	if (fault_status && !ratelimited)
 		pr_err("DRHD: handling fault status reg %x\n", fault_status);
 
 	/* TBD: ignore advanced fault log currently */
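
Review bot: `static DEFINE_RATELIMIT_STATE(rs, ...)` is function-static, so a single ratelimit budget is shared by every IOMMU that dmar_fault() serves, while the handler runs per unit through dev_id. One device producing a fault storm will therefore also suppress fault reports from unrelated units. Consider keeping the state per IOMMU, or at least state the shared budget in the comment above `ratelimited = !__ratelimit(&rs);`.
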
@@ -1600,24 +1607,28 @@ irqreturn_t dmar_fault(int irq, void *dev_id)
 		if (!(data & DMA_FRCD_F))
 			break;
 
-		fault_reason = dma_frcd_fault_reason(data);
-		type = dma_frcd_type(data);
+		if (!ratelimited) {
+			fault_reason = dma_frcd_fault_reason(data);
+			type = dma_frcd_type(data);
 
-		data = readl(iommu->reg + reg +
-				fault_index * PRIMARY_FAULT_REG_LEN + 8);
-		source_id = dma_frcd_source_id(data);
+			data = readl(iommu->reg + reg +
+				     fault_index * PRIMARY_FAULT_REG_LEN + 8);
+			source_id = dma_frcd_source_id(data);
+
+			guest_addr = dmar_readq(iommu->reg + reg +
+					fault_index * PRIMARY_FAULT_REG_LEN);
+			guest_addr = dma_frcd_page_addr(guest_addr);
+		}
 
-		guest_addr = dmar_readq(iommu->reg + reg +
-				fault_index * PRIMARY_FAULT_REG_LEN);
-		guest_addr = dma_frcd_page_addr(guest_addr);
 		/* clear the fault */
 		writel(DMA_FRCD_F, iommu->reg + reg +
 			fault_index * PRIMARY_FAULT_REG_LEN + 12);
 
 		raw_spin_unlock_irqrestore(&iommu->register_lock, flag);
 
-		dmar_fault_do_one(iommu, type, fault_reason,
-				source_id, guest_addr);
+		if (!ratelimited)
+			dmar_fault_do_one(iommu, type, fault_reason,
+					  source_id, guest_addr);
 
 		fault_index++;
 		if (fault_index >= cap_num_fault_regs(iommu->cap))
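
Review bot: fault_reason, type, source_id and guest_addr are now assigned only inside the first `if (!ratelimited)` block and consumed only under the second one before dmar_fault_do_one(); nothing ties the two guards together, so a later edit to either one leaves the call reading unassigned locals. The decision is also taken once per interrupt rather than per fault record, so one permitted pass still prints every record up to cap_num_fault_regs(); a comment should say so if that is intended.
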
-- 
2.7.4

* [PATCH 4.2.y-ckt 154/206] iommu/vt-d: Improve fault handler error messages
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (152 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 153/206] iommu/vt-d: Ratelimit fault handler Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 155/206] power: ipaq-micro-battery: freeing the wrong variable Kamal Mostafa
                   ` (51 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Alex Williamson, Joerg Roedel, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Alex Williamson <alex.williamson@redhat.com>

commit a0fe14d7dcf5db2f101b4fe8689ecabb255ab7d3 upstream.

Remove new line in error logs, avoid duplicate and explicit pr_fmt.

Suggested-by: Joe Perches <joe@perches.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Fixes: 0ac2491f57af ('x86, dmar: move page fault handling code to dmar.c')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/iommu/dmar.c | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c
index 3e93632..c4a55d8 100644
--- a/drivers/iommu/dmar.c
+++ b/drivers/iommu/dmar.c
@@ -1552,18 +1552,14 @@ static int dmar_fault_do_one(struct intel_iommu *iommu, int type,
 	reason = dmar_get_fault_reason(fault_reason, &fault_type);
 
 	if (fault_type == INTR_REMAP)
-		pr_err("INTR-REMAP: Request device [[%02x:%02x.%d] "
-		       "fault index %llx\n"
-			"INTR-REMAP:[fault reason %02d] %s\n",
-			(source_id >> 8), PCI_SLOT(source_id & 0xFF),
+		pr_err("[INTR-REMAP] Request device [%02x:%02x.%d] fault index %llx [fault reason %02d] %s\n",
+			source_id >> 8, PCI_SLOT(source_id & 0xFF),
 			PCI_FUNC(source_id & 0xFF), addr >> 48,
 			fault_reason, reason);
 	else
-		pr_err("DMAR:[%s] Request device [%02x:%02x.%d] "
-		       "fault addr %llx \n"
-		       "DMAR:[fault reason %02d] %s\n",
-		       (type ? "DMA Read" : "DMA Write"),
-		       (source_id >> 8), PCI_SLOT(source_id & 0xFF),
+		pr_err("[%s] Request device [%02x:%02x.%d] fault addr %llx [fault reason %02d] %s\n",
+		       type ? "DMA Read" : "DMA Write",
+		       source_id >> 8, PCI_SLOT(source_id & 0xFF),
 		       PCI_FUNC(source_id & 0xFF), addr, fault_reason, reason);
 	return 0;
 }
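
Review bot: the rewritten pr_err() strings in dmar_fault_do_one() change what lands in the kernel log: each fault becomes one line instead of two, the literal `DMAR:` prefix is dropped from the string, and `INTR-REMAP:` becomes `[INTR-REMAP]`. For a stable update that is a visible change for anything matching on the old text (log monitoring rules, triage scripts), so the commit message should carry a before and after sample line. The old `[[%02x` typo in the INTR-REMAP string is fixed as a side effect and deserves a mention as well.
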
-- 
2.7.4

* [PATCH 4.2.y-ckt 155/206] power: ipaq-micro-battery: freeing the wrong variable
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (153 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 154/206] iommu/vt-d: Improve fault handler error messages Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 156/206] ARM: OMAP2+: hwmod: fix _idle() hwmod state sanity check sequence Kamal Mostafa
                   ` (50 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Dan Carpenter, Sebastian Reichel, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit b9223da41794030a5dfd5106c34ed1b98255e2ae upstream.

We accidentally free "micro_ac_power" which is an error pointer and it
leads to an oops.  We intended to free "micro_batt_power".

Fixes: a2c1d531854c ('power_supply: ipaq_micro_battery: Check return values in probe')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Sebastian Reichel <sre@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/power/ipaq_micro_battery.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/power/ipaq_micro_battery.c b/drivers/power/ipaq_micro_battery.c
index f03014e..65e9921 100644
--- a/drivers/power/ipaq_micro_battery.c
+++ b/drivers/power/ipaq_micro_battery.c
@@ -261,7 +261,7 @@ static int micro_batt_probe(struct platform_device *pdev)
 	return 0;
 
 ac_err:
-	power_supply_unregister(micro_ac_power);
+	power_supply_unregister(micro_batt_power);
 batt_err:
 	cancel_delayed_work_sync(&mb->update);
 	destroy_workqueue(mb->wq);
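
Review bot: the labels `ac_err:` and `batt_err:` in micro_batt_probe() are named after what failed rather than what they unwind, which is how the unregister call under `ac_err:` ended up with the variable that had just failed to register. The one-line fix is correct; renaming the labels for the action they perform (for example err_unregister_batt) would make this kind of mismatch visible at a glance.
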
-- 
2.7.4

* [PATCH 4.2.y-ckt 156/206] ARM: OMAP2+: hwmod: fix _idle() hwmod state sanity check sequence
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (154 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 155/206] power: ipaq-micro-battery: freeing the wrong variable Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 157/206] security: drop the unused hook skb_owned_by Kamal Mostafa
                   ` (49 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Suman Anna, Paul Walmsley, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Suman Anna <s-anna@ti.com>

commit c20c8f750d9f8f8617f07ee2352d3ff560e66bc2 upstream.

The omap_hwmod _enable() function can return success without setting
the hwmod state to _HWMOD_STATE_ENABLED for IPs with reset lines when
all of the reset lines are asserted. The omap_hwmod _idle() function
also performs a similar check, but after checking for the hwmod state
first. This triggers the WARN when pm_runtime_get and pm_runtime_put
are invoked on IPs with all reset lines asserted. Reverse the checks
for hwmod state and reset lines status to fix this.

Issue found during an unbind operation on a device with reset lines
still asserted, example backtrace below

 ------------[ cut here ]------------
 WARNING: CPU: 1 PID: 879 at arch/arm/mach-omap2/omap_hwmod.c:2207 _idle+0x1e4/0x240()
 omap_hwmod: mmu_dsp: idle state can only be entered from enabled state
 Modules linked in:
 CPU: 1 PID: 879 Comm: sh Not tainted 4.4.0-00008-ga989d951331a #3
 Hardware name: Generic OMAP5 (Flattened Device Tree)
 [<c0018e60>] (unwind_backtrace) from [<c0014dc4>] (show_stack+0x10/0x14)
 [<c0014dc4>] (show_stack) from [<c037ac28>] (dump_stack+0x90/0xc0)
 [<c037ac28>] (dump_stack) from [<c003f420>] (warn_slowpath_common+0x78/0xb4)
 [<c003f420>] (warn_slowpath_common) from [<c003f48c>] (warn_slowpath_fmt+0x30/0x40)
 [<c003f48c>] (warn_slowpath_fmt) from [<c0028c20>] (_idle+0x1e4/0x240)
 [<c0028c20>] (_idle) from [<c0029080>] (omap_hwmod_idle+0x28/0x48)
 [<c0029080>] (omap_hwmod_idle) from [<c002a5a4>] (omap_device_idle+0x3c/0x90)
 [<c002a5a4>] (omap_device_idle) from [<c0427a90>] (__rpm_callback+0x2c/0x60)
 [<c0427a90>] (__rpm_callback) from [<c0427ae4>] (rpm_callback+0x20/0x80)
 [<c0427ae4>] (rpm_callback) from [<c0427f84>] (rpm_suspend+0x138/0x74c)
 [<c0427f84>] (rpm_suspend) from [<c0428b78>] (__pm_runtime_idle+0x78/0xa8)
 [<c0428b78>] (__pm_runtime_idle) from [<c041f514>] (__device_release_driver+0x64/0x100)
 [<c041f514>] (__device_release_driver) from [<c041f5d0>] (device_release_driver+0x20/0x2c)
 [<c041f5d0>] (device_release_driver) from [<c041d85c>] (unbind_store+0x78/0xf8)
 [<c041d85c>] (unbind_store) from [<c0206df8>] (kernfs_fop_write+0xc0/0x1c4)
 [<c0206df8>] (kernfs_fop_write) from [<c018a120>] (__vfs_write+0x20/0xdc)
 [<c018a120>] (__vfs_write) from [<c018a9cc>] (vfs_write+0x90/0x164)
 [<c018a9cc>] (vfs_write) from [<c018b1f0>] (SyS_write+0x44/0x9c)
 [<c018b1f0>] (SyS_write) from [<c0010420>] (ret_fast_syscall+0x0/0x1c)
 ---[ end trace a4182013c75a9f50 ]---

While at this, fix the sequence in _shutdown() as well, though there
is no easy reproducible scenario.

Fixes: 747834ab8347 ("ARM: OMAP2+: hwmod: revise hardreset behavior")
Signed-off-by: Suman Anna <s-anna@ti.com>
Signed-off-by: Paul Walmsley <paul@pwsan.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/arm/mach-omap2/omap_hwmod.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c
index 0325041..11bf8f9 100644
--- a/arch/arm/mach-omap2/omap_hwmod.c
+++ b/arch/arm/mach-omap2/omap_hwmod.c
@@ -2187,15 +2187,15 @@ static int _idle(struct omap_hwmod *oh)
 
 	pr_debug("omap_hwmod: %s: idling\n", oh->name);
 
+	if (_are_all_hardreset_lines_asserted(oh))
+		return 0;
+
 	if (oh->_state != _HWMOD_STATE_ENABLED) {
 		WARN(1, "omap_hwmod: %s: idle state can only be entered from enabled state\n",
 			oh->name);
 		return -EINVAL;
 	}
 
-	if (_are_all_hardreset_lines_asserted(oh))
-		return 0;
-
 	if (oh->class->sysc)
 		_idle_sysc(oh);
 	_del_initiator_dep(oh, mpu_oh);
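
Review bot: with `_are_all_hardreset_lines_asserted(oh)` moved ahead of the `_state` test, _idle() now returns 0 from any state, valid or not, whenever all reset lines are asserted, and oh->_state is left untouched. That removes the WARN shown in the backtrace but also hides genuinely wrong callers for these IPs. A comment above the early return explaining that _enable() can succeed without reaching _HWMOD_STATE_ENABLED would record why the order matters.
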
@@ -2242,6 +2242,9 @@ static int _shutdown(struct omap_hwmod *oh)
 	int ret, i;
 	u8 prev_state;
 
+	if (_are_all_hardreset_lines_asserted(oh))
+		return 0;
+
 	if (oh->_state != _HWMOD_STATE_IDLE &&
 	    oh->_state != _HWMOD_STATE_ENABLED) {
 		WARN(1, "omap_hwmod: %s: disabled state can only be entered from idle, or enabled state\n",
@@ -2249,9 +2252,6 @@ static int _shutdown(struct omap_hwmod *oh)
 		return -EINVAL;
 	}
 
-	if (_are_all_hardreset_lines_asserted(oh))
-		return 0;
-
 	pr_debug("omap_hwmod: %s: disabling\n", oh->name);
 
 	if (oh->class->pre_shutdown) {
-- 
2.7.4

* [PATCH 4.2.y-ckt 157/206] security: drop the unused hook skb_owned_by
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (155 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 156/206] ARM: OMAP2+: hwmod: fix _idle() hwmod state sanity check sequence Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 158/206] mfd: lp8788-irq: Uninitialized variable in irq handler Kamal Mostafa
                   ` (48 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Paolo Abeni, James Morris, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Paolo Abeni <pabeni@redhat.com>

commit 3c9d6296b7aee536a96ea2b53a15d23511738c1c upstream.

The skb_owned_by hook was added with the commit ca10b9e9a8ca
("selinux: add a skb_owned_by() hook") and later removed
when said commit was reverted.

Later on, when switching to list of hooks, a field named
'skb_owned_by' was included into the security_hook_head struct,
but without any users or callers.

This commit removes the said left-over field.

Fixes: b1d9e6b0646d ("LSM: Switch to lists of hooks")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Paul Moore <pmoore@paul-moore.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 include/linux/lsm_hooks.h | 1 -
 security/security.c       | 1 -
 2 files changed, 2 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 9429f05..0045c2c 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1797,7 +1797,6 @@ struct security_hook_heads {
 	struct list_head tun_dev_attach_queue;
 	struct list_head tun_dev_attach;
 	struct list_head tun_dev_open;
-	struct list_head skb_owned_by;
 #endif	/* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 	struct list_head xfrm_policy_alloc_security;
diff --git a/security/security.c b/security/security.c
index 9942836..1fbe2c1 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1843,7 +1843,6 @@ struct security_hook_heads security_hook_heads = {
 	.tun_dev_attach =
 		LIST_HEAD_INIT(security_hook_heads.tun_dev_attach),
 	.tun_dev_open =	LIST_HEAD_INIT(security_hook_heads.tun_dev_open),
-	.skb_owned_by =	LIST_HEAD_INIT(security_hook_heads.skb_owned_by),
 #endif	/* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 	.xfrm_policy_alloc_security =
-- 
2.7.4

* [PATCH 4.2.y-ckt 158/206] mfd: lp8788-irq: Uninitialized variable in irq handler
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (156 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 157/206] security: drop the unused hook skb_owned_by Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 159/206] am437x-vfpe: fix typo in vpfe_get_app_input_index Kamal Mostafa
                   ` (47 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Dan Carpenter, Lee Jones, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 22aab38e7b59fd79ce1045006be69a9abab58e5a upstream.

Instead of being true/false, the "handled" is true/uninitialized.
Presumably this doesn't cause that many problems in real life because
normally we handle the IRQ.

Fixes: eea6b7cc53aa ('mfd: Add lp8788 mfd driver')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Milo Kim <milo.kim@ti.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/mfd/lp8788-irq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mfd/lp8788-irq.c b/drivers/mfd/lp8788-irq.c
index a87f2b5..ff4f845 100644
--- a/drivers/mfd/lp8788-irq.c
+++ b/drivers/mfd/lp8788-irq.c
@@ -112,7 +112,7 @@ static irqreturn_t lp8788_irq_handler(int irq, void *ptr)
 	struct lp8788_irq_data *irqd = ptr;
 	struct lp8788 *lp = irqd->lp;
 	u8 status[NUM_REGS], addr, mask;
-	bool handled;
+	bool handled = false;
 	int i;
 
 	if (lp8788_read_multi_bytes(lp, LP8788_INT_1, status, NUM_REGS))
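
Review bot: `bool handled = false;` is the right fix, but the changelog should say what the stale value feeds into: the hunk does not show how `handled` is consumed, and if it selects the handler's irqreturn_t, an uninitialized non-zero value would report the interrupt as serviced when no status bit matched. Naming the consumer in the commit message would let stable reviewers judge the severity instead of relying on "presumably".
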
-- 
2.7.4


* [PATCH 4.2.y-ckt 159/206] am437x-vfpe: fix typo in vpfe_get_app_input_index
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (157 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 158/206] mfd: lp8788-irq: Uninitialized variable in irq handler Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 160/206] am437x-vpfe: fix an uninitialized variable bug Kamal Mostafa
                   ` (46 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Arnd Bergmann, Hans Verkuil, Mauro Carvalho Chehab, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 0fb504001192c1df62c847a8bb6558753c36ebef upstream.

gcc-6 points out an obviously silly comparison in vpfe_get_app_input_index():

drivers/media/platform/am437x/am437x-vpfe.c: In function 'vpfe_get_app_input_index':
drivers/media/platform/am437x/am437x-vpfe.c:1709:27: warning: self-comparison always evaluats to true [-Wtautological-compare]
       client->adapter->nr == client->adapter->nr) {
                           ^~

This was introduced in a slightly incorrect conversion, and it's
clear that the comparison was meant to compare the iterator
to the current subdev instead, as we do in the line above.

Fixes: d37232390fd4 ("[media] media: am437x-vpfe: match the OF node/i2c addr instead of name")

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/media/platform/am437x/am437x-vpfe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/platform/am437x/am437x-vpfe.c b/drivers/media/platform/am437x/am437x-vpfe.c
index c8447fa..50dbb0b 100644
--- a/drivers/media/platform/am437x/am437x-vpfe.c
+++ b/drivers/media/platform/am437x/am437x-vpfe.c
@@ -1705,7 +1705,7 @@ static int vpfe_get_app_input_index(struct vpfe_device *vpfe,
 		sdinfo = &cfg->sub_devs[i];
 		client = v4l2_get_subdevdata(sdinfo->sd);
 		if (client->addr == curr_client->addr &&
-		    client->adapter->nr == client->adapter->nr) {
+		    client->adapter->nr == curr_client->adapter->nr) {
 			if (vpfe->current_input >= 1)
 				return -1;
 			*app_input_index = j + vpfe->current_input;
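
Review bot: `client` comes straight from `v4l2_get_subdevdata(sdinfo->sd)` and is dereferenced on the next line (`client->addr`, then `client->adapter->nr`) with no NULL check in the visible context. The corrected comparison against `curr_client->adapter->nr` mirrors what the line above does for `addr`, so the fix itself looks right; if a sub-device without I2C client data can appear in `cfg->sub_devs[]`, a NULL check on `client` belongs before the comparison, as a separate patch.
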
-- 
2.7.4


* [PATCH 4.2.y-ckt 160/206] am437x-vpfe: fix an uninitialized variable bug
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (158 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 159/206] am437x-vfpe: fix typo in vpfe_get_app_input_index Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 161/206] cx23885: uninitialized variable in cx23885_av_work_handler() Kamal Mostafa
                   ` (45 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Dan Carpenter, Hans Verkuil, Mauro Carvalho Chehab, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit e4bccada44c177cde31b9a236b7dfd7f76d403ed upstream.

If we are doing V4L2_FIELD_NONE then "ret" is used uninitialized.

Fixes: 417d2e507edc ('[media] media: platform: add VPFE capture driver support for AM437X')

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/media/platform/am437x/am437x-vpfe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/platform/am437x/am437x-vpfe.c b/drivers/media/platform/am437x/am437x-vpfe.c
index 50dbb0b..10ed94f 100644
--- a/drivers/media/platform/am437x/am437x-vpfe.c
+++ b/drivers/media/platform/am437x/am437x-vpfe.c
@@ -1046,7 +1046,7 @@ static int vpfe_get_ccdc_image_format(struct vpfe_device *vpfe,
 static int vpfe_config_ccdc_image_format(struct vpfe_device *vpfe)
 {
 	enum ccdc_frmfmt frm_fmt = CCDC_FRMFMT_INTERLACED;
-	int ret;
+	int ret = 0;
 
 	vpfe_dbg(2, vpfe, "vpfe_config_ccdc_image_format\n");
 
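Review bot: Initializing `ret = 0` at the declaration makes the V4L2_FIELD_NONE case return success implicitly and also switches off the compiler's uninitialized-use warning for any branch added later. Setting `ret` explicitly in the branch that currently leaves it untouched would fix the same bug while keeping that warning useful; if the blanket initializer stays, a short comment saying why 0 is the correct result for V4L2_FIELD_NONE would help.
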
-- 
2.7.4


* [PATCH 4.2.y-ckt 161/206] cx23885: uninitialized variable in cx23885_av_work_handler()
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (159 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 160/206] am437x-vpfe: fix an uninitialized variable bug Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 162/206] ipv6, token: allow for clearing the current device token Kamal Mostafa
                   ` (44 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Dan Carpenter, Hans Verkuil, Mauro Carvalho Chehab, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 60587bd0680507f48ae3a7360983228fd207de8a upstream.

The "handled" variable could be uninitialized if the
interrupt_service_routine() call back hasn't been implemented or if it
has been implemented but doesn't initialize "handled" to zero at the
start.  For example, adv76xx_isr() only sets "handled" to true.

Fixes: 44b153ca639f ('[media] m5mols: Add ISO sensitivity controls')

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/media/pci/cx23885/cx23885-av.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/pci/cx23885/cx23885-av.c b/drivers/media/pci/cx23885/cx23885-av.c
index 877dad8..e7d4406 100644
--- a/drivers/media/pci/cx23885/cx23885-av.c
+++ b/drivers/media/pci/cx23885/cx23885-av.c
@@ -24,7 +24,7 @@ void cx23885_av_work_handler(struct work_struct *work)
 {
 	struct cx23885_dev *dev =
 			   container_of(work, struct cx23885_dev, cx25840_work);
-	bool handled;
+	bool handled = false;
 
 	v4l2_subdev_call(dev->sd_cx25840, core, interrupt_service_routine,
 			 PCI_MSK_AV_CORE, &handled);
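
Review bot: The Fixes: tag names an m5mols commit ('[media] m5mols: Add ISO sensitivity controls'), but this hunk only touches `handled` in cx23885_av_work_handler() in drivers/media/pci/cx23885/cx23885-av.c, so the tag looks mismatched and should be checked before it is used to decide which stable trees need the patch. The change itself is sound: the return value of `v4l2_subdev_call()` is discarded here, which leaves `handled` as the only result of the call, so it has to start out false.
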
-- 
2.7.4


* [PATCH 4.2.y-ckt 162/206] ipv6, token: allow for clearing the current device token
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (160 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 161/206] cx23885: uninitialized variable in cx23885_av_work_handler() Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 163/206] usb: gadget: f_fs: Fix EFAULT generation for async read operations Kamal Mostafa
                   ` (43 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Daniel Borkmann, Hannes Frederic Sowa, David S . Miller, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Daniel Borkmann <daniel@iogearbox.net>

commit 47e27d5e92c46a3a62d4dfd8895b1ddb8613f531 upstream.

The original tokenized iid support implemented via f53adae4eae5 ("net: ipv6:
add tokenized interface identifier support") didn't allow for clearing a
device token as it was intended that this addressing mode was the only one
active for globally scoped IPv6 addresses. Later we relaxed that restriction
via 617fe29d45bd ("net: ipv6: only invalidate previously tokenized addresses"),
and we should also allow for clearing tokens as there's no good reason why
it shouldn't be allowed.

Fixes: 617fe29d45bd ("net: ipv6: only invalidate previously tokenized addresses")
Reported-by: Robin H. Johnson <robbat2@gentoo.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 net/ipv6/addrconf.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 335f495..135f1b8 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -4737,15 +4737,13 @@ static int inet6_set_iftoken(struct inet6_dev *idev, struct in6_addr *token)
 {
 	struct inet6_ifaddr *ifp;
 	struct net_device *dev = idev->dev;
-	bool update_rs = false;
+	bool clear_token, update_rs = false;
 	struct in6_addr ll_addr;
 
 	ASSERT_RTNL();
 
 	if (!token)
 		return -EINVAL;
-	if (ipv6_addr_any(token))
-		return -EINVAL;
 	if (dev->flags & (IFF_LOOPBACK | IFF_NOARP))
 		return -EINVAL;
 	if (!ipv6_accept_ra(idev))
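
Review bot: Dropping the `ipv6_addr_any(token)` rejection changes what callers of inet6_set_iftoken() see: an all-zero token used to fail with -EINVAL and is now accepted as a request to clear, yet nothing in the function says so. A one-line comment next to the remaining `-EINVAL` checks, stating that the unspecified address means "clear the token", would keep a later cleanup from reinstating the check.
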
@@ -4760,10 +4758,13 @@ static int inet6_set_iftoken(struct inet6_dev *idev, struct in6_addr *token)
 
 	write_unlock_bh(&idev->lock);
 
+	clear_token = ipv6_addr_any(token);
+	if (clear_token)
+		goto update_lft;
+
 	if (!idev->dead && (idev->if_flags & IF_READY) &&
 	    !ipv6_get_lladdr(dev, &ll_addr, IFA_F_TENTATIVE |
 			     IFA_F_OPTIMISTIC)) {
-
 		/* If we're not ready, then normal ifup will take care
 		 * of this. Otherwise, we need to request our rs here.
 		 */
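
Review bot: `clear_token` is assigned once and read once, on the very next line, and the diffstat (6 insertions) shows no other use, so the local can go: `if (ipv6_addr_any(token)) goto update_lft;` says the same thing. The goto also deserves a brief comment that clearing skips the rs request in the block below, since `update_rs` staying false is what keeps the `if (update_rs)` section after the label from running.
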
@@ -4771,6 +4772,7 @@ static int inet6_set_iftoken(struct inet6_dev *idev, struct in6_addr *token)
 		update_rs = true;
 	}
 
+update_lft:
 	write_lock_bh(&idev->lock);
 
 	if (update_rs) {
-- 
2.7.4


* [PATCH 4.2.y-ckt 163/206] usb: gadget: f_fs: Fix EFAULT generation for async read operations
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (161 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 162/206] ipv6, token: allow for clearing the current device token Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 164/206] perf test: Ignore kcore files in the "vmlinux matches kallsyms" test Kamal Mostafa
                   ` (42 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Lars-Peter Clausen, Felipe Balbi, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Lars-Peter Clausen <lars@metafoo.de>

commit 332a5b446b7916d272c2a659a3b20909ce34d2c1 upstream.

In the current implementation functionfs generates an EFAULT for async read
operations if the read buffer size is larger than the URB data size. Since
an application does not necessarily know how much data the host side is
going to send, it typically supplies a buffer larger than the actual data,
which will then result in an EFAULT error.

This behaviour was introduced while refactoring the code to use iov_iter
interface in commit c993c39b8639 ("gadget/function/f_fs.c: use put iov_iter
into io_data"). The original code took the minimum over the URB size and
the user buffer size and then attempted to copy that many bytes using
copy_to_user(). If copy_to_user() could not copy all data an EFAULT error
was generated. Restore the original behaviour by only generating an EFAULT
error when the number of bytes copied is not the size of the URB and the
target buffer has not been fully filled.

Commit 342f39a6c8d3 ("usb: gadget: f_fs: fix check in read operation")
already fixed the same problem for the synchronous read path.

Fixes: c993c39b8639 ("gadget/function/f_fs.c: use put iov_iter into io_data")
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/gadget/function/f_fs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 82240db..db9433e 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -651,7 +651,7 @@ static void ffs_user_copy_worker(struct work_struct *work)
 	if (io_data->read && ret > 0) {
 		use_mm(io_data->mm);
 		ret = copy_to_iter(io_data->buf, ret, &io_data->data);
-		if (iov_iter_count(&io_data->data))
+		if (ret != io_data->req->actual && iov_iter_count(&io_data->data))
 			ret = -EFAULT;
 		unuse_mm(io_data->mm);
 	}
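
Review bot: `ret` changes meaning on the line above the new condition: it goes in as the number of bytes to copy and comes back from `copy_to_iter()` as the number actually copied, so `ret != io_data->req->actual` reads as a short-copy test only if you already know that. A comment such as "short copy with room left in the user buffer means the copy faulted" would make the two-part condition reviewable, and the line runs past 80 columns, so it could be split at the `&&`. It is also worth confirming that the synchronous path fixed by 342f39a6c8d3 uses the equivalent test, so both read paths return the same error for the same input.
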
-- 
2.7.4
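
An added example (not part of the posted patch or of the kernel source): a user-space C model of the -EFAULT decision described in the commit message above, comparing the condition before and after the fix. The struct, the function names and the sample sizes are constructed for illustration.

```c
/* User-space model only: none of these names exist in the kernel. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NO_FAULT SIZE_MAX

struct async_read {
	size_t urb_actual;   /* bytes received from the host (req->actual) */
	size_t user_buf_len; /* room in the caller's buffer (the iov_iter) */
	size_t fault_after;  /* constructed: user memory faults after this many bytes */
};

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Stand-in for copy_to_iter(): returns bytes copied, reports room left over. */
static size_t model_copy(const struct async_read *r, size_t *room_left)
{
	size_t copied = min_sz(min_sz(r->urb_actual, r->user_buf_len), r->fault_after);

	*room_left = r->user_buf_len - copied;
	return copied;
}

/* Condition removed by the patch: any unused room counts as a fault. */
long result_before_fix(const struct async_read *r)
{
	size_t room_left, copied = model_copy(r, &room_left);

	return room_left ? -EFAULT : (long)copied;
}

/* Condition added by the patch: fault only on a short copy with room left. */
long result_after_fix(const struct async_read *r)
{
	size_t room_left, copied = model_copy(r, &room_left);

	return (copied != r->urb_actual && room_left) ? -EFAULT : (long)copied;
}

int main(void)
{
	/* Constructed cases: URB size, user buffer size, fault position. */
	static const struct { const char *what; struct async_read r; } cases[] = {
		{ "buffer larger than URB",  {  64, 512, NO_FAULT } },
		{ "buffer equals URB",       {  64,  64, NO_FAULT } },
		{ "buffer smaller than URB", { 512,  64, NO_FAULT } },
		{ "bad user pointer",        {  64, 512, 16 } },
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-24s before=%ld after=%ld\n", cases[i].what,
		       result_before_fix(&cases[i].r), result_after_fix(&cases[i].r));
	return 0;
}
```

Only the first case changes result: the oversized buffer that the commit message describes stops returning -EFAULT, while a copy that really faults still does.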


* [PATCH 4.2.y-ckt 164/206] perf test: Ignore kcore files in the "vmlinux matches kallsyms" test
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (162 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 163/206] usb: gadget: f_fs: Fix EFAULT generation for async read operations Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 165/206] EDAC: Increment correct counter in edac_inc_ue_error() Kamal Mostafa
                   ` (41 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Adrian Hunter, David Ahern, Jiri Olsa, Namhyung Kim, Wang Nan,
	Arnaldo Carvalho de Melo, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Arnaldo Carvalho de Melo <acme@redhat.com>

commit 53d0fe68275dbdaf6a532bb4e87f00db5d36c140 upstream.

Before:

  # perf test -v kallsyms
<SNIP>
  Maps only in vmlinux:
   ffffffff81d5e000-ffffffff81ec3ac8 115e000 [kernel].init.text
   ffffffff81ec3ac8-ffffffffa0000000 12c3ac8 [kernel].exit.text
   ffffffffa0000000-ffffffffa000c000 0 [fjes]
   ffffffffa000c000-ffffffffa0017000 0 [video]
   ffffffffa0017000-ffffffffa001c000 0 [grace]
<SNIP>
   ffffffffa0a7f000-ffffffffa0ba5000 0 [xfs]
   ffffffffa0ba5000-ffffffffffffffff 0 [veth]
  Maps in vmlinux with a different name in kallsyms:
  Maps only in kallsyms:
   ffff880000100000-ffff88001000b000 80000103000 [kernel.kallsyms]
   ffff88001000b000-ffff880100000000 8001000e000 [kernel.kallsyms]
   ffff880100000000-ffffc90000000000 80100003000 [kernel.kallsyms]
<SNIP>
   ffffffffa0000000-ffffffffff600000 7fffa0003000 [kernel.kallsyms]
   ffffffffff600000-ffffffffffffffff 7fffff603000 [kernel.kallsyms]
  test child finished with -1
  ---- end ----
  vmlinux symtab matches kallsyms: FAILED!
  #

After:

  # perf test -v 1
   1: vmlinux symtab matches kallsyms                          :
  --- start ---
  test child forked, pid 7058
  Looking at the vmlinux_path (8 entries long)
  Using /lib/modules/4.6.0-rc1+/build/vmlinux for symbols
  0xffffffff81076870: diff end addr for aesni_gcm_dec v: 0xffffffff810791f2 k: 0xffffffff81076902
  0xffffffff81079200: diff end addr for aesni_gcm_enc v: 0xffffffff8107bb03 k: 0xffffffff81079292
  0xffffffff8107e8d0: diff end addr for aesni_gcm_enc_avx_gen2 v: 0xffffffff81083e76 k: 0xffffffff8107e943
  0xffffffff81083e80: diff end addr for aesni_gcm_dec_avx_gen2 v: 0xffffffff81089611 k: 0xffffffff81083ef3
  0xffffffff81089990: diff end addr for aesni_gcm_enc_avx_gen4 v: 0xffffffff8108e7c4 k: 0xffffffff81089a03
  0xffffffff8108e7d0: diff end addr for aesni_gcm_dec_avx_gen4 v: 0xffffffff810937ef k: 0xffffffff8108e843
  Maps only in vmlinux:
   ffffffff81d5e000-ffffffff81ec3ac8 115e000 [kernel].init.text
   ffffffff81ec3ac8-ffffffffa0000000 12c3ac8 [kernel].exit.text
  Maps in vmlinux with a different name in kallsyms:
  Maps only in kallsyms:
  test child finished with -1
  ---- end ----
 vmlinux symtab matches kallsyms: FAILED!
  #

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Fixes: 8e0cf965f95e ("perf symbols: Add support for reading from /proc/kcore")
Link: http://lkml.kernel.org/n/tip-n6vrwt9t89w8k769y349govx@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 tools/perf/tests/vmlinux-kallsyms.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/tools/perf/tests/vmlinux-kallsyms.c b/tools/perf/tests/vmlinux-kallsyms.c
index b34c5fc..8de34ea 100644
--- a/tools/perf/tests/vmlinux-kallsyms.c
+++ b/tools/perf/tests/vmlinux-kallsyms.c
@@ -54,8 +54,14 @@ int test__vmlinux_matches_kallsyms(void)
 	 * Step 3:
 	 *
 	 * Load and split /proc/kallsyms into multiple maps, one per module.
+	 * Do not use kcore, as this test was designed before kcore support
+	 * and has parts that only make sense if using the non-kcore code.
+	 * XXX: extend it to stress the kcorre code as well, hint: the list
+	 * of modules extracted from /proc/kcore, in its current form, can't
+	 * be compacted against the list of modules found in the "vmlinux"
+	 * code and with the one got from /proc/modules from the "kallsyms" code.
 	 */
-	if (machine__load_kallsyms(&kallsyms, "/proc/kallsyms", type, NULL) <= 0) {
+	if (__machine__load_kallsyms(&kallsyms, "/proc/kallsyms", type, true, NULL) <= 0) {
 		pr_debug("dso__load_kallsyms ");
 		goto out;
 	}
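
Review bot: `__machine__load_kallsyms()` with its extra `true` argument is not introduced by this patch (the diffstat touches only tools/perf/tests/vmlinux-kallsyms.c), so the backport builds only if the commit that added that helper is already in 4.2.y; that prerequisite should be confirmed or queued first. Smaller points in the same hunk: the new comment has typos ("kcorre", and "compacted" where "compared" seems meant), the bare `true` would be clearer with a comment naming the parameter it sets, and the `pr_debug("dso__load_kallsyms ")` text does not match the function being called.
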
-- 
2.7.4


* [PATCH 4.2.y-ckt 165/206] EDAC: Increment correct counter in edac_inc_ue_error()
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (163 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 164/206] perf test: Ignore kcore files in the "vmlinux matches kallsyms" test Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 166/206] PCI: Supply CPU physical address (not bus address) to iomem_is_exclusive() Kamal Mostafa
                   ` (40 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Emmanouil Maroudas, Mauro Carvalho Chehab, linux-edac,
	Borislav Petkov, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Emmanouil Maroudas <emmanouil.maroudas@gmail.com>

commit 993f88f1cc7f0879047ff353e824e5cc8f10adfc upstream.

Fix typo in edac_inc_ue_error() to increment ue_noinfo_count instead of
ce_noinfo_count.

Signed-off-by: Emmanouil Maroudas <emmanouil.maroudas@gmail.com>
Cc: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Cc: linux-edac <linux-edac@vger.kernel.org>
Fixes: 4275be635597 ("edac: Change internal representation to work with layers")
Link: http://lkml.kernel.org/r/1461425580-5898-1-git-send-email-emmanouil.maroudas@gmail.com
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/edac/edac_mc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/edac/edac_mc.c b/drivers/edac/edac_mc.c
index e315e5e..aa7f137 100644
--- a/drivers/edac/edac_mc.c
+++ b/drivers/edac/edac_mc.c
@@ -966,7 +966,7 @@ static void edac_inc_ue_error(struct mem_ctl_info *mci,
 	mci->ue_mc += count;
 
 	if (!enable_per_layer_report) {
-		mci->ce_noinfo_count += count;
+		mci->ue_noinfo_count += count;
 		return;
 	}
 
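Review bot: The changelog calls this a typo but does not state the effect: with per-layer reporting disabled, uncorrected errors were being added to `ce_noinfo_count`, so the corrected-error counter was inflated and `ue_noinfo_count` stayed low. Saying that in the commit message would tell anyone alerting on these counters that values recorded by earlier kernels under-report uncorrected errors. The `mci->ue_mc += count;` line above is untouched, so the per-controller UE total was already right.
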
-- 
2.7.4


* [PATCH 4.2.y-ckt 166/206] PCI: Supply CPU physical address (not bus address) to iomem_is_exclusive()
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (164 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 165/206] EDAC: Increment correct counter in edac_inc_ue_error() Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 167/206] alpha/PCI: Call iomem_is_exclusive() for IORESOURCE_MEM, but not IORESOURCE_IO Kamal Mostafa
                   ` (39 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Bjorn Helgaas, Arjan van de Ven, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Bjorn Helgaas <bhelgaas@google.com>

commit ca620723d4ff9ea7ed484eab46264c3af871b9ae upstream.

iomem_is_exclusive() requires a CPU physical address, but on some arches we
supplied a PCI bus address instead.

On most arches, pci_resource_to_user(res) returns "res->start", which is a
CPU physical address.  But on microblaze, mips, powerpc, and sparc, it
returns the PCI bus address corresponding to "res->start".

The result is that pci_mmap_resource() may fail when it shouldn't (if the
bus address happens to match an existing resource), or it may succeed when
it should fail (if the resource is exclusive but the bus address doesn't
match it).

Call iomem_is_exclusive() with "res->start", which is always a CPU physical
address, not the result of pci_resource_to_user().

Fixes: e8de1481fd71 ("resource: allow MMIO exclusivity for device drivers")
Suggested-by: Yinghai Lu <yinghai@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
CC: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/pci/pci-sysfs.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
index eead54c..5f7cbea 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -1013,6 +1013,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
 	if (i >= PCI_ROM_RESOURCE)
 		return -ENODEV;
 
+	if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
+		return -EINVAL;
+
 	if (!pci_mmap_fits(pdev, i, vma, PCI_MMAP_SYSFS)) {
 		WARN(1, "process \"%s\" tried to map 0x%08lx bytes at page 0x%08lx on %s BAR %d (start 0x%16Lx, size 0x%16Lx)\n",
 			current->comm, vma->vm_end-vma->vm_start, vma->vm_pgoff,
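
Review bot: Besides switching the argument from `start` to `res->start`, this moves the exclusivity test ahead of `pci_mmap_fits()`, so a request against an exclusive BAR now returns -EINVAL before the WARN() below can fire; the commit message only describes the address change and should mention the reordering. Since `iomem_is_exclusive()` is what keeps user space from mapping MMIO that a driver has claimed exclusively, the changed result should be exercised on one of the affected arches named in the changelog (microblaze, mips, powerpc, sparc) before release.
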
@@ -1029,10 +1032,6 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
 	pci_resource_to_user(pdev, i, res, &start, &end);
 	vma->vm_pgoff += start >> PAGE_SHIFT;
 	mmap_type = res->flags & IORESOURCE_MEM ? pci_mmap_mem : pci_mmap_io;
-
-	if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(start))
-		return -EINVAL;
-
 	return pci_mmap_page_range(pdev, vma, mmap_type, write_combine);
 }
 
-- 
2.7.4


* [PATCH 4.2.y-ckt 167/206] alpha/PCI: Call iomem_is_exclusive() for IORESOURCE_MEM, but not IORESOURCE_IO
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (165 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 166/206] PCI: Supply CPU physical address (not bus address) to iomem_is_exclusive() Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 168/206] ARM: debug: remove extraneous DEBUG_HI3716_UART option Kamal Mostafa
                   ` (38 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Bjorn Helgaas, Ivan Kokshaysky, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Bjorn Helgaas <bhelgaas@google.com>

commit c20e128030caf0537d5e906753eac1c28fefdb75 upstream.

The alpha pci_mmap_resource() is used for both IORESOURCE_MEM and
IORESOURCE_IO resources, but iomem_is_exclusive() is only applicable for
IORESOURCE_MEM.

Call iomem_is_exclusive() only for IORESOURCE_MEM resources, and do it
earlier to match the generic version of pci_mmap_resource().

Fixes: 10a0ef39fbd1 ("PCI/alpha: pci sysfs resources")
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
CC: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/alpha/kernel/pci-sysfs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/alpha/kernel/pci-sysfs.c b/arch/alpha/kernel/pci-sysfs.c
index 99e8d47..92c0d46 100644
--- a/arch/alpha/kernel/pci-sysfs.c
+++ b/arch/alpha/kernel/pci-sysfs.c
@@ -77,10 +77,10 @@ static int pci_mmap_resource(struct kobject *kobj,
 	if (i >= PCI_ROM_RESOURCE)
 		return -ENODEV;
 
-	if (!__pci_mmap_fits(pdev, i, vma, sparse))
+	if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
 		return -EINVAL;
 
-	if (iomem_is_exclusive(res->start))
+	if (!__pci_mmap_fits(pdev, i, vma, sparse))
 		return -EINVAL;
 
 	pcibios_resource_to_bus(pdev->bus, &bar, res);
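
Review bot: `res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)` is correct because `&` binds tighter than `&&`, but it reads ambiguously; `(res->flags & IORESOURCE_MEM) && ...` costs nothing. The swap with `__pci_mmap_fits()` changes no result, since both checks return -EINVAL, so the only functional change is that IORESOURCE_IO resources no longer go through `iomem_is_exclusive()`.
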
-- 
2.7.4


* [PATCH 4.2.y-ckt 168/206] ARM: debug: remove extraneous DEBUG_HI3716_UART option
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (166 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 167/206] alpha/PCI: Call iomem_is_exclusive() for IORESOURCE_MEM, but not IORESOURCE_IO Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 169/206] cxl: Fix DAR check & use REGION_ID instead of opencoding Kamal Mostafa
                   ` (37 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Arnd Bergmann, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 3b9d78a4f3886f84db0a58dc986fbabb937799c6 upstream.

DEBUG_HI3716_UART was supposed to be renamed to DEBUG_HIX5HD2_UART, but
accidentally both got left in place, which results in a build error when
CONFIG_DEBUG_UART_PHYS is not set as it should be.

This removes the old symbol.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: 12aae3097454 ("ARM: debug: Rename Hi3716 to HIX5HD2")
Acked-by: Wei Xu <xuwei5@hisilicon.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/arm/Kconfig.debug | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug
index 55ef850..0b967a1 100644
--- a/arch/arm/Kconfig.debug
+++ b/arch/arm/Kconfig.debug
@@ -277,14 +277,6 @@ choice
 		  Say Y here if you want kernel low-level debugging support
 		  on HI3620 UART.
 
-	config DEBUG_HI3716_UART
-		bool "Hisilicon Hi3716 Debug UART"
-		depends on ARCH_HI3xxx
-		select DEBUG_UART_PL01X
-		help
-		  Say Y here if you want kernel low-level debugging support
-		  on HI3716 UART.
-
 	config DEBUG_HIGHBANK_UART
 		bool "Kernel low-level debugging messages via Highbank UART"
 		depends on ARCH_HIGHBANK
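
Review bot: Only the `config DEBUG_HI3716_UART` entry is removed (8 deletions, one file), so any other mention of the symbol, for example in a `default ... if` line further down Kconfig.debug or in a defconfig, would now refer to something that no longer exists. The changelog says the rename to DEBUG_HIX5HD2_UART left both in place; a `git grep DEBUG_HI3716_UART` on the review branch should come back empty after this patch.
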
-- 
2.7.4


* [PATCH 4.2.y-ckt 169/206] cxl: Fix DAR check & use REGION_ID instead of opencoding
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (167 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 168/206] ARM: debug: remove extraneous DEBUG_HI3716_UART option Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 170/206] taskstats: fix nl parsing in accounting/getdelays.c Kamal Mostafa
                   ` (36 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Aneesh Kumar K . V, Michael Ellerman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>

commit 3b1dbfa14f97188ec33fdfc7acb66bea59a3bb21 upstream.

The current code will set _PAGE_USER to the access flags for any
fault address, because the ~ operation will be true for all addresses we
take a fault on. But setting _PAGE_USER also means that the fault will
be handled only if the page table has _PAGE_USER set. Hence there is
no security hole with the current code.

Now if it is a user space access, then the change in this patch really
doesn't have an impact because we have (!ctx->kernel) set true
and we take the if condition true.

Now a kernel context created fault on an address in the kernel range
will result in a fault loop because we will not insert the
hash pte due to access and pte permission mismatch. This patch fixes
the above issue.

Fixes: f204e0b8cedd ("cxl: Driver code for powernv PCIe based cards for userspace access")
Reviewed-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Acked-by: Ian Munsie <imunsie@au1.ibm.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/misc/cxl/fault.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/misc/cxl/fault.c b/drivers/misc/cxl/fault.c
index 25a5418..e4080ce 100644
--- a/drivers/misc/cxl/fault.c
+++ b/drivers/misc/cxl/fault.c
@@ -152,7 +152,7 @@ static void cxl_handle_page_fault(struct cxl_context *ctx,
 	access = _PAGE_PRESENT;
 	if (dsisr & CXL_PSL_DSISR_An_S)
 		access |= _PAGE_RW;
-	if ((!ctx->kernel) || ~(dar & (1ULL << 63)))
+	if ((!ctx->kernel) || (REGION_ID(dar) == USER_REGION_ID))
 		access |= _PAGE_USER;
 
 	if (dsisr & DSISR_NOHPTE)
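
Review bot: The new test REGION_ID(dar) == USER_REGION_ID needs a one-line comment stating the intent: for a kernel context, _PAGE_USER is requested only when the faulting address lies in the user region, so that kernel-region faults can be satisfied by PTEs that do not carry _PAGE_USER. The removed expression ~(dar & (1ULL << 63)) was non-zero for every dar (a bitwise ~ where a logical test was meant), and without a comment the next reader cannot tell which behaviour is deliberate. Since the hunk adds no include, please also confirm that REGION_ID and USER_REGION_ID are already visible to fault.c in the 4.2.y tree.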
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 170/206] taskstats: fix nl parsing in accounting/getdelays.c
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (168 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 169/206] cxl: Fix DAR check & use REGION_ID instead of opencoding Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 171/206] char: Drop bogus dependency of DEVPORT on !M68K Kamal Mostafa
                   ` (35 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Nicolas Dichtel, David S . Miller, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Nicolas Dichtel <nicolas.dichtel@6wind.com>

commit 570d8e9398011a63590c281a36cdce311196608e upstream.

The type TASKSTATS_TYPE_NULL should always be ignored.

When jumping to the next attribute, only the length of the current
attribute should be added, not the length of all nested attributes.
This last bug was not visible before commit 80df554275c2, because the
kernel didn't put more than two nested attributes.

Fixes: a3baf649ca9c ("[PATCH] per-task-delay-accounting: documentation")
Fixes: 80df554275c2 ("taskstats: use the libnl API to align nlattr on 64-bit")
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 Documentation/accounting/getdelays.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Documentation/accounting/getdelays.c b/Documentation/accounting/getdelays.c
index f405780..9497d20 100644
--- a/Documentation/accounting/getdelays.c
+++ b/Documentation/accounting/getdelays.c
@@ -504,6 +504,8 @@ int main(int argc, char *argv[])
 						if (!loop)
 							goto done;
 						break;
+					case TASKSTATS_TYPE_NULL:
+						break;
 					default:
 						fprintf(stderr, "Unknown nested"
 							" nla_type %d\n",
@@ -511,7 +513,8 @@ int main(int argc, char *argv[])
 						break;
 					}
 					len2 += NLA_ALIGN(na->nla_len);
-					na = (struct nlattr *) ((char *) na + len2);
+					na = (struct nlattr *)((char *)na +
+							       NLA_ALIGN(na->nla_len));
 				}
 				break;
 
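
Review bot: Both the running total (len2 += NLA_ALIGN(na->nla_len)) and the pointer advance now depend on na->nla_len alone, so an attribute with an nla_len of 0 moves neither of them and the nested walk stops making progress. The data comes from the kernel, but this file is sample code that people copy, so a check that na->nla_len is at least NLA_HDRLEN before advancing (and an error exit otherwise) would be worth adding here.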
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 171/206] char: Drop bogus dependency of DEVPORT on !M68K
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (169 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 170/206] taskstats: fix nl parsing in accounting/getdelays.c Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 172/206] driver-core: use 'dev' argument in dev_dbg_ratelimited stub Kamal Mostafa
                   ` (34 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Geert Uytterhoeven, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Geert Uytterhoeven <geert@linux-m68k.org>

commit 309124e2648d668a0c23539c5078815660a4a850 upstream.

According to full-history-linux commit d3794f4fa7c3edc3 ("[PATCH] M68k
update (part 25)"), port operations are allowed on m68k if CONFIG_ISA is
defined.

However, commit 153dcc54df826d2f ("[PATCH] mem driver: fix conditional
on isa i/o support") accidentally changed an "||" into an "&&",
disabling it completely on m68k. This logic was retained when
introducing the DEVPORT symbol in commit 4f911d64e04a44c4 ("Make
/dev/port conditional on config symbol").

Drop the bogus dependency on !M68K to fix this.

Fixes: 153dcc54df826d2f ("[PATCH] mem driver: fix conditional on isa i/o support")
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Tested-by: Al Stone <ahs3@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/char/Kconfig | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
index a043107..b130d38 100644
--- a/drivers/char/Kconfig
+++ b/drivers/char/Kconfig
@@ -584,7 +584,6 @@ config TELCLOCK
 
 config DEVPORT
 	bool
-	depends on !M68K
 	depends on ISA || PCI
 	default y
 
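
Review bot: With the !M68K line gone, DEVPORT in this hunk is a promptless bool with default y that depends only on ISA || PCI, so every m68k configuration with either bus enabled gains /dev/port on the next build without any user-visible choice. That matches the intent described in the commit message, but it changes the raw I/O port access exposed by existing m68k configs and deserves a line in the stable changelog, so that integrators who restrict /dev/port are aware of it.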
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 172/206] driver-core: use 'dev' argument in dev_dbg_ratelimited stub
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (170 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 171/206] char: Drop bogus dependency of DEVPORT on !M68K Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 173/206] metag: Fix atomic_*_return inline asm constraints Kamal Mostafa
                   ` (33 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Arnd Bergmann, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 1f62ff34a90471d1b735bac2c79e894afc7c59bc upstream.

dev_dbg_ratelimited() is a macro that ignores its first argument when DEBUG is
not set, which can lead to unused variable warnings:

ethernet/mellanox/mlxsw/pci.c: In function 'mlxsw_pci_cqe_sdq_handle':
ethernet/mellanox/mlxsw/pci.c:646:18: warning: unused variable 'pdev' [-Wunused-variable]
ethernet/mellanox/mlxsw/pci.c: In function 'mlxsw_pci_cqe_rdq_handle':
ethernet/mellanox/mlxsw/pci.c:671:18: warning: unused variable 'pdev' [-Wunused-variable]

The macro already ensures that all its other arguments are silently
ignored by the compiler without triggering a warning, through the
use of the no_printk() macro, but the dev argument is not passed into
that.

This changes the definition to use the same trick as no_printk() with
an if(0) that leads the compiler to not evaluate the side-effects but
still see that 'dev' might not be unused.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Suggested-by: Andrew Lunn <andrew@lunn.ch>
Fixes: 6f586e663e3b ("driver-core: Shut up dev_dbg_reatelimited() without DEBUG")
Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 include/linux/device.h | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/include/linux/device.h b/include/linux/device.h
index a2b4ea7..b9f58f8 100644
--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -1236,8 +1236,11 @@ do {									\
 		dev_printk(KERN_DEBUG, dev, fmt, ##__VA_ARGS__);	\
 } while (0)
 #else
-#define dev_dbg_ratelimited(dev, fmt, ...)			\
-	no_printk(KERN_DEBUG pr_fmt(fmt), ##__VA_ARGS__)
+#define dev_dbg_ratelimited(dev, fmt, ...)				\
+do {									\
+	if (0)								\
+		dev_printk(KERN_DEBUG, dev, fmt, ##__VA_ARGS__);	\
+} while (0)
 #endif
 
 #ifdef VERBOSE_DEBUG
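
Review bot: The new !DEBUG stub of dev_dbg_ratelimited() has no comment explaining that the if (0) around dev_printk() is deliberate: it keeps dev referenced and the format arguments type-checked while guaranteeing that nothing is evaluated. Without that, the block reads like dead code and invites being folded back into no_printk(), which is what produced the unused-variable warnings in the first place. The stub also passes fmt directly where the old one used pr_fmt(fmt); that matches the DEBUG branch shown in the context lines above, which is the right thing to mirror.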
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 173/206] metag: Fix atomic_*_return inline asm constraints
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (171 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 172/206] driver-core: use 'dev' argument in dev_dbg_ratelimited stub Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 174/206] tty: vt, return error when con_startup fails Kamal Mostafa
                   ` (32 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: James Hogan, Peter Zijlstra, linux-metag, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: James Hogan <james.hogan@imgtec.com>

commit 096a8b6d5e7ab9f8ca3d2474b3ca6a1fe79e0371 upstream.

The argument i of atomic_*_return() operations is given to inline asm
with the "bd" constraint, which means "An Op2 register where Op1 is a
data unit register and the instruction supports O2R", however Op1 is
constrained by "da" which allows an address unit register to be used.

Fix the constraint to use "br", meaning "An Op2 register and the
instruction supports O2R", i.e. not requiring Op1 to be a data unit
register.

Fixes: d6dfe2509da9 ("locking,arch,metag: Fold atomic_ops")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-metag@vger.kernel.org
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/metag/include/asm/atomic_lnkget.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/metag/include/asm/atomic_lnkget.h b/arch/metag/include/asm/atomic_lnkget.h
index 948d868..d0bdc28 100644
--- a/arch/metag/include/asm/atomic_lnkget.h
+++ b/arch/metag/include/asm/atomic_lnkget.h
@@ -61,7 +61,7 @@ static inline int atomic_##op##_return(int i, atomic_t *v)		\
 		"	CMPT	%0, #HI(0x02000000)\n"			\
 		"	BNZ 1b\n"					\
 		: "=&d" (temp), "=&da" (result)				\
-		: "da" (&v->counter), "bd" (i)				\
+		: "da" (&v->counter), "br" (i)				\
 		: "cc");						\
 									\
 	smp_mb();							\
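
Review bot: Only the constraint on i in atomic_##op##_return() changes here ("bd" to "br"). If the non-returning atomic op macro in atomic_lnkget.h also passes i as "bd" next to a "da" operand, it has the same mismatch and should be fixed in the same patch; if it is already correct, a sentence in the commit message saying so would save the next reader the check.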
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 174/206] tty: vt, return error when con_startup fails
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (172 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 173/206] metag: Fix atomic_*_return inline asm constraints Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 175/206] cpufreq: Fix GOV_LIMITS handling for the userspace governor Kamal Mostafa
                   ` (31 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Jiri Slaby, Greg Kroah-Hartman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Jiri Slaby <jslaby@suse.cz>

commit 6798df4c5fe0a7e6d2065cf79649a794e5ba7114 upstream.

When csw->con_startup() fails in do_register_con_driver, we return no
error (i.e. 0). This was changed back in 2006 by commit 3e795de763.
Before that we used to return -ENODEV.

So fix the return value to be -ENODEV in that case again.

Fixes: 3e795de763 ("VT binding: Add binding/unbinding support for the VT console")
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reported-by: "Dan Carpenter" <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/tty/vt/vt.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 4462d16..cf20282 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -3583,9 +3583,10 @@ static int do_register_con_driver(const struct consw *csw, int first, int last)
 		goto err;
 
 	desc = csw->con_startup();
-
-	if (!desc)
+	if (!desc) {
+		retval = -ENODEV;
 		goto err;
+	}
 
 	retval = -EINVAL;
 
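
Review bot: The failure path for a NULL return from csw->con_startup() now sets retval = -ENODEV inside the branch, whereas the next check in the same function sets retval = -EINVAL ahead of its test. Both work, but the bug fixed here was an error path that silently inherited a stale retval of 0, so assigning the code immediately before each goto err, as this hunk does, is the safer pattern and the -EINVAL site below could be converted to match.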
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 175/206] cpufreq: Fix GOV_LIMITS handling for the userspace governor
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (173 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 174/206] tty: vt, return error when con_startup fails Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 176/206] ACPI / sysfs: fix error code in get_status() Kamal Mostafa
                   ` (30 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Sai Gurrappadi, Rafael J . Wysocki, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Sai Gurrappadi <sgurrappadi@nvidia.com>

commit e43e94c1eda76dabd686ddf6f7825f54d747b310 upstream.

Currently, the userspace governor only updates frequency on GOV_LIMITS
if policy->cur falls outside policy->{min/max}. However, it is also
necessary to update current frequency on GOV_LIMITS to match the user
requested value if it can be achieved within the new policy->{max/min}.

This was previously the behaviour in the governor until commit d1922f0
("cpufreq: Simplify userspace governor") which incorrectly assumed that
policy->cur == user requested frequency via scaling_setspeed. This won't
be true if the user requested frequency falls outside policy->{min/max}.
Ex: a temporary thermal cap throttled the user requested frequency.

Fix this by storing the user requested frequency in a separate variable.
The governor will then try to achieve this request on every GOV_LIMITS
change.

Fixes: d1922f02562f (cpufreq: Simplify userspace governor)
Signed-off-by: Sai Gurrappadi <sgurrappadi@nvidia.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/cpufreq/cpufreq_userspace.c | 43 ++++++++++++++++++++++++++++++++-----
 1 file changed, 38 insertions(+), 5 deletions(-)

diff --git a/drivers/cpufreq/cpufreq_userspace.c b/drivers/cpufreq/cpufreq_userspace.c
index 4dbf1db..9cc8abd 100644
--- a/drivers/cpufreq/cpufreq_userspace.c
+++ b/drivers/cpufreq/cpufreq_userspace.c
@@ -17,6 +17,7 @@
 #include <linux/init.h>
 #include <linux/module.h>
 #include <linux/mutex.h>
+#include <linux/slab.h>
 
 static DEFINE_PER_CPU(unsigned int, cpu_is_managed);
 static DEFINE_MUTEX(userspace_mutex);
@@ -31,6 +32,7 @@ static DEFINE_MUTEX(userspace_mutex);
 static int cpufreq_set(struct cpufreq_policy *policy, unsigned int freq)
 {
 	int ret = -EINVAL;
+	unsigned int *setspeed = policy->governor_data;
 
 	pr_debug("cpufreq_set for cpu %u, freq %u kHz\n", policy->cpu, freq);
 
@@ -38,6 +40,8 @@ static int cpufreq_set(struct cpufreq_policy *policy, unsigned int freq)
 	if (!per_cpu(cpu_is_managed, policy->cpu))
 		goto err;
 
+	*setspeed = freq;
+
 	ret = __cpufreq_driver_target(policy, freq, CPUFREQ_RELATION_L);
  err:
 	mutex_unlock(&userspace_mutex);
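
Review bot: In cpufreq_set() the setspeed pointer is loaded from policy->governor_data in the declaration, before userspace_mutex is taken, and is then written through at *setspeed = freq with no NULL check. The only thing keeping that store away from memory freed by CPUFREQ_GOV_POLICY_EXIT is the cpu_is_managed test just above it. Loading governor_data after mutex_lock(), or adding a comment that the cpu_is_managed check is what guards the pointer, would make that dependency explicit.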
@@ -49,19 +53,45 @@ static ssize_t show_speed(struct cpufreq_policy *policy, char *buf)
 	return sprintf(buf, "%u\n", policy->cur);
 }
 
+static int cpufreq_userspace_policy_init(struct cpufreq_policy *policy)
+{
+	unsigned int *setspeed;
+
+	setspeed = kzalloc(sizeof(*setspeed), GFP_KERNEL);
+	if (!setspeed)
+		return -ENOMEM;
+
+	policy->governor_data = setspeed;
+	return 0;
+}
+
 static int cpufreq_governor_userspace(struct cpufreq_policy *policy,
 				   unsigned int event)
 {
+	unsigned int *setspeed = policy->governor_data;
 	unsigned int cpu = policy->cpu;
 	int rc = 0;
 
+	if (event == CPUFREQ_GOV_POLICY_INIT)
+		return cpufreq_userspace_policy_init(policy);
+
+	if (!setspeed)
+		return -EINVAL;
+
 	switch (event) {
+	case CPUFREQ_GOV_POLICY_EXIT:
+		mutex_lock(&userspace_mutex);
+		policy->governor_data = NULL;
+		kfree(setspeed);
+		mutex_unlock(&userspace_mutex);
+		break;
 	case CPUFREQ_GOV_START:
 		BUG_ON(!policy->cur);
 		pr_debug("started managing cpu %u\n", cpu);
 
 		mutex_lock(&userspace_mutex);
 		per_cpu(cpu_is_managed, cpu) = 1;
+		*setspeed = policy->cur;
 		mutex_unlock(&userspace_mutex);
 		break;
 	case CPUFREQ_GOV_STOP:
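
Review bot: cpufreq_userspace_policy_init() stores the new allocation in policy->governor_data without holding userspace_mutex and without checking whether an earlier allocation is still attached, while CPUFREQ_GOV_POLICY_EXIT clears and frees it under the mutex. If the cpufreq core guarantees that POLICY_INIT and POLICY_EXIT are strictly paired and serialised per policy, say so in a comment; otherwise take the mutex in the init path as well. The same applies to the unlocked read of policy->governor_data at the top of cpufreq_governor_userspace().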
@@ -69,20 +99,23 @@ static int cpufreq_governor_userspace(struct cpufreq_policy *policy,
 
 		mutex_lock(&userspace_mutex);
 		per_cpu(cpu_is_managed, cpu) = 0;
+		*setspeed = 0;
 		mutex_unlock(&userspace_mutex);
 		break;
 	case CPUFREQ_GOV_LIMITS:
 		mutex_lock(&userspace_mutex);
-		pr_debug("limit event for cpu %u: %u - %u kHz, currently %u kHz\n",
-			cpu, policy->min, policy->max,
-			policy->cur);
+		pr_debug("limit event for cpu %u: %u - %u kHz, currently %u kHz, last set to %u kHz\n",
+			cpu, policy->min, policy->max, policy->cur, *setspeed);
 
-		if (policy->max < policy->cur)
+		if (policy->max < *setspeed)
 			__cpufreq_driver_target(policy, policy->max,
 						CPUFREQ_RELATION_H);
-		else if (policy->min > policy->cur)
+		else if (policy->min > *setspeed)
 			__cpufreq_driver_target(policy, policy->min,
 						CPUFREQ_RELATION_L);
+		else
+			__cpufreq_driver_target(policy, *setspeed,
+						CPUFREQ_RELATION_L);
 		mutex_unlock(&userspace_mutex);
 		break;
 	}
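
Review bot: CPUFREQ_GOV_STOP now leaves *setspeed at 0, and the CPUFREQ_GOV_LIMITS case compares against *setspeed rather than policy->cur. If a LIMITS event can be delivered after STOP and before POLICY_EXIT, policy->min > *setspeed is true and the CPU is driven to policy->min, which the old policy->cur comparison would not have done. Testing per_cpu(cpu_is_managed, cpu) at the top of the LIMITS case would rule that out. The return value of __cpufreq_driver_target() is also ignored in all three branches, including the new else.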
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 176/206] ACPI / sysfs: fix error code in get_status()
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (174 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 175/206] cpufreq: Fix GOV_LIMITS handling for the userspace governor Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 177/206] clk: qcom: msm8916: Fix crypto clock flags Kamal Mostafa
                   ` (29 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Dan Carpenter, Rafael J . Wysocki, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit f18ebc211e259d4f591e39e74b2aa2de226c9a1d upstream.

The problem with ornamental, do-nothing gotos is that they lead to
"forgot to set the error code" bugs.  We should be returning -EINVAL
here but we don't.  It leads to an uninitialized variable in
counter_show():

    drivers/acpi/sysfs.c:603 counter_show()
    error: uninitialized symbol 'status'.

Fixes: 1c8fce27e275 (ACPI: introduce drivers/acpi/sysfs.c)
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/acpi/sysfs.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/acpi/sysfs.c b/drivers/acpi/sysfs.c
index 0876d77b..f56e27c 100644
--- a/drivers/acpi/sysfs.c
+++ b/drivers/acpi/sysfs.c
@@ -492,23 +492,22 @@ static void acpi_global_event_handler(u32 event_type, acpi_handle device,
 static int get_status(u32 index, acpi_event_status *status,
 		      acpi_handle *handle)
 {
-	int result = 0;
+	int result;
 
 	if (index >= num_gpes + ACPI_NUM_FIXED_EVENTS)
-		goto end;
+		return -EINVAL;
 
 	if (index < num_gpes) {
 		result = acpi_get_gpe_device(index, handle);
 		if (result) {
 			ACPI_EXCEPTION((AE_INFO, AE_NOT_FOUND,
 					"Invalid GPE 0x%x", index));
-			goto end;
+			return result;
 		}
 		result = acpi_get_gpe_status(*handle, index, status);
 	} else if (index < (num_gpes + ACPI_NUM_FIXED_EVENTS))
 		result = acpi_get_event_status(index - num_gpes, status);
 
-end:
 	return result;
 }
 
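
Review bot: After this change result is declared without an initialiser, and the only thing that guarantees it is assigned is that the final else if (index < (num_gpes + ACPI_NUM_FIXED_EVENTS)) is always true once the early return -EINVAL has filtered out larger indices. Turning that else if into a plain else makes the assignment unconditional on its face, so neither a compiler nor a static checker can report result as possibly uninitialised, which is the same class of problem this patch fixes for counter_show().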
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 177/206] clk: qcom: msm8916: Fix crypto clock flags
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (175 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 176/206] ACPI / sysfs: fix error code in get_status() Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 178/206] MIPS: BMIPS: Fix PRID_IMP_BMIPS5000 masking for BMIPS5200 Kamal Mostafa
                   ` (28 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Andy Gross, Stephen Boyd, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Andy Gross <andy.gross@linaro.org>

commit 2a0974aa1a0b40a92387ea03dbfeacfbc9ba182c upstream.

This patch adds the CLK_SET_RATE_PARENT flag for the crypto core and
ahb blocks.  Without this flag, clk_set_rate can fail for certain
frequency requests.

Signed-off-by: Andy Gross <andy.gross@linaro.org>
Fixes: 3966fab8b6ab ("clk: qcom: Add MSM8916 Global Clock Controller support")
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/clk/qcom/gcc-msm8916.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/clk/qcom/gcc-msm8916.c b/drivers/clk/qcom/gcc-msm8916.c
index 5d75bff..36d21eb 100644
--- a/drivers/clk/qcom/gcc-msm8916.c
+++ b/drivers/clk/qcom/gcc-msm8916.c
@@ -1996,6 +1996,7 @@ static struct clk_branch gcc_crypto_clk = {
 				"crypto_clk_src",
 			},
 			.num_parents = 1,
+			.flags = CLK_SET_RATE_PARENT,
 			.ops = &clk_branch2_ops,
 		},
 	},
@@ -2285,6 +2286,7 @@ static struct clk_branch gcc_prng_ahb_clk = {
 				"pcnoc_bfdcd_clk_src",
 			},
 			.num_parents = 1,
+			.flags = CLK_SET_RATE_PARENT,
 			.ops = &clk_branch2_ops,
 		},
 	},
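
Review bot: The hunk header places this change inside gcc_prng_ahb_clk, whose parent is pcnoc_bfdcd_clk_src, while the commit message describes the flag as being added to the crypto core and ahb blocks. Please confirm that the 4.2.y context matched the intended clock and that this is not the crypto AHB hunk applied to a neighbouring struct with identical context lines. With CLK_SET_RATE_PARENT set here, a clk_set_rate() on the PRNG AHB clock would propagate to pcnoc_bfdcd_clk_src.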
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 178/206] MIPS: BMIPS: Fix PRID_IMP_BMIPS5000 masking for BMIPS5200
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (176 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 177/206] clk: qcom: msm8916: Fix crypto clock flags Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 179/206] NFS: Fix an LOCK/OPEN race when unlinking an open file Kamal Mostafa
                   ` (27 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Florian Fainelli, john, cernekee, jogo, jaedon.shin, jfraser,
	pgynther, dragan.stancevic, linux-mips, Ralf Baechle,
	Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit cbbda6e7c9c3e4532bd70a73ff9d5e6655c894dc upstream.

BMIPS5000 have a PrID value of 0x5A00 and BMIPS5200 have a PrID value of
0x5B00, which, masked with 0x5A00, returns 0x5A00. Update all conditionals on
the PrID to cover both variants since we are going to need this to enable
BMIPS5200 SMP. The existing check, masking with 0xFF00 would not cover
BMIPS5200 at all.

Fixes: 68e6a78373a6d ("MIPS: BMIPS: Add PRId for BMIPS5200 (Whirlwind)")
Fixes: 6465460c92a85 ("MIPS: BMIPS: change compile time checks to runtime checks")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Cc: john@phrozen.org
Cc: cernekee@gmail.com
Cc: jogo@openwrt.org
Cc: jaedon.shin@gmail.com
Cc: jfraser@broadcom.com
Cc: pgynther@google.com
Cc: dragan.stancevic@gmail.com
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/12279/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/kernel/bmips_vec.S | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/mips/kernel/bmips_vec.S b/arch/mips/kernel/bmips_vec.S
index 8649507..d9495f3 100644
--- a/arch/mips/kernel/bmips_vec.S
+++ b/arch/mips/kernel/bmips_vec.S
@@ -93,7 +93,8 @@ NESTED(bmips_reset_nmi_vec, PT_SIZE, sp)
 #if defined(CONFIG_CPU_BMIPS5000)
 	mfc0	k0, CP0_PRID
 	li	k1, PRID_IMP_BMIPS5000
-	andi	k0, 0xff00
+	/* mask with PRID_IMP_BMIPS5000 to cover both variants */
+	andi	k0, PRID_IMP_BMIPS5000
 	bne	k0, k1, 1f
 
 	/* if we're not on core 0, this must be the SMP boot signal */
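
Review bot: andi k0, PRID_IMP_BMIPS5000 uses the ID constant itself as the mask. Going by the values in the commit message (0x5A00 and 0x5B00), the test accepts not only those two but any PrID that has bits 9, 11, 12 and 14 set, for example 0x5E00 or 0xFF00. If no other implementation number in that set can reach this code, state that in the new comment; otherwise keep the 0xff00 mask and compare against both values explicitly.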
@@ -166,10 +167,12 @@ bmips_smp_entry:
 2:
 #endif /* CONFIG_CPU_BMIPS4350 || CONFIG_CPU_BMIPS4380 */
 #if defined(CONFIG_CPU_BMIPS5000)
-	/* set exception vector base */
+	/* mask with PRID_IMP_BMIPS5000 to cover both variants */
 	li	k1, PRID_IMP_BMIPS5000
+	andi	k0, PRID_IMP_BMIPS5000
 	bne	k0, k1, 3f
 
+	/* set exception vector base */
 	la	k0, ebase
 	lw	k0, 0(k0)
 	mtc0	k0, $15, 1
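
Review bot: In bmips_smp_entry the new andi operates on whatever k0 holds on entry to the CONFIG_CPU_BMIPS5000 block; unlike the first hunk, no mfc0 k0, CP0_PRID is in view. Please confirm that k0 is loaded from CP0_PRID on every path that reaches this point, including builds where the preceding CONFIG_CPU_BMIPS4350 || CONFIG_CPU_BMIPS4380 block is compiled out.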
@@ -263,6 +266,8 @@ LEAF(bmips_enable_xks01)
 #endif /* CONFIG_CPU_BMIPS4380 */
 #if defined(CONFIG_CPU_BMIPS5000)
 	li	t1, PRID_IMP_BMIPS5000
+	/* mask with PRID_IMP_BMIPS5000 to cover both variants */
+	andi	t2, PRID_IMP_BMIPS5000
 	bne	t2, t1, 2f
 
 	mfc0	t0, $22, 5
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 179/206] NFS: Fix an LOCK/OPEN race when unlinking an open file
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (177 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 178/206] MIPS: BMIPS: Fix PRID_IMP_BMIPS5000 masking for BMIPS5200 Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 180/206] ata: sata_dwc_460ex: remove incorrect locking Kamal Mostafa
                   ` (26 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Chuck Lever, Anna Schumaker, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Chuck Lever <chuck.lever@oracle.com>

commit 11476e9dec39d90fe1e9bf12abc6f3efe35a073d upstream.

At Connectathon 2016, we found that recent upstream Linux clients
would occasionally send a LOCK operation with a zero stateid. This
appeared to happen in close proximity to another thread returning
a delegation before unlinking the same file while it remained open.

Earlier, the client received a write delegation on this file and
returned the open stateid. Now, as it is getting ready to unlink the
file, it returns the write delegation. But there is still an open
file descriptor on that file, so the client must OPEN the file
again before it returns the delegation.

Since commit 24311f884189 ('NFSv4: Recovery of recalled read
delegations is broken'), nfs_open_delegation_recall() clears the
NFS_DELEGATED_STATE flag _before_ it sends the OPEN. This allows a
racing LOCK on the same inode to be put on the wire before the OPEN
operation has returned a valid open stateid.

To eliminate this race, serialize delegation return with the
acquisition of a file lock on the same file. Adopt the same approach
as is used in the unlock path.

This patch also eliminates a similar race seen when sending a LOCK
operation at the same time as returning a delegation on the same file.

Fixes: 24311f884189 ('NFSv4: Recovery of recalled read ... ')
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
[Anna: Add sentence about LOCK / delegation race]
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/nfs/nfs4proc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 731641a..c00bf26 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -6020,6 +6020,7 @@ static int nfs41_lock_expired(struct nfs4_state *state, struct file_lock *reques
 static int _nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
 {
 	struct nfs_inode *nfsi = NFS_I(state->inode);
+	struct nfs4_state_owner *sp = state->owner;
 	unsigned char fl_flags = request->fl_flags;
 	int status = -ENOLCK;
 
@@ -6034,6 +6035,7 @@ static int _nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock
 	status = do_vfs_lock(state->inode, request);
 	if (status < 0)
 		goto out;
+	mutex_lock(&sp->so_delegreturn_mutex);
 	down_read(&nfsi->rwsem);
 	if (test_bit(NFS_DELEGATED_STATE, &state->flags)) {
 		/* Yes: cache locks! */
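
Review bot: so_delegreturn_mutex is acquired here before down_read(&nfsi->rwsem), which establishes a lock order between the two. The commit message says this mirrors the unlock path; a short comment at the mutex_lock() naming that order (so_delegreturn_mutex, then nfsi->rwsem) would help keep later changes to either path from inverting it.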
@@ -6041,9 +6043,11 @@ static int _nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock
 		request->fl_flags = fl_flags & ~FL_SLEEP;
 		status = do_vfs_lock(state->inode, request);
 		up_read(&nfsi->rwsem);
+		mutex_unlock(&sp->so_delegreturn_mutex);
 		goto out;
 	}
 	up_read(&nfsi->rwsem);
+	mutex_unlock(&sp->so_delegreturn_mutex);
 	status = _nfs4_do_setlk(state, cmd, request, NFS_LOCK_NEW);
 out:
 	request->fl_flags = fl_flags;
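
Review bot: On the non-delegated path the mutex is released right after up_read() and before _nfs4_do_setlk(), so the LOCK request itself is sent outside so_delegreturn_mutex; only the test of NFS_DELEGATED_STATE is serialised against delegation return. The commit message explains the race being closed, but the code does not say why it is safe to drop the mutex before the LOCK goes on the wire. A comment to that effect above the second mutex_unlock() would make the reasoning checkable.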
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 208+ messages in thread

* [PATCH 4.2.y-ckt 180/206] ata: sata_dwc_460ex: remove incorrect locking
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (178 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 179/206] NFS: Fix an LOCK/OPEN race when unlinking an open file Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 181/206] s390/vmem: fix identity mapping Kamal Mostafa
                   ` (25 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Mans Rullgard, Tejun Heo, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Mans Rullgard <mans@mansr.com>

commit 55e610cdd28c0ad3dce0652030c0296d549673f3 upstream.

This lock is already taken in ata_scsi_queuecmd() a few levels up the
call stack so attempting to take it here is an error.  Moreover, it is
pointless in the first place since it only protects a single, atomic
assignment.

Enabling lock debugging gives the following output:

=============================================
[ INFO: possible recursive locking detected ]
4.4.0-rc5+ #189 Not tainted
---------------------------------------------
kworker/u2:3/37 is trying to acquire lock:
 (&(&host->lock)->rlock){-.-...}, at: [<90283294>] sata_dwc_exec_command_by_tag.constprop.14+0x44/0x8c

but task is already holding lock:
 (&(&host->lock)->rlock){-.-...}, at: [<902761ac>] ata_scsi_queuecmd+0x2c/0x330

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&(&host->lock)->rlock);
  lock(&(&host->lock)->rlock);

 *** DEADLOCK ***
 May be due to missing lock nesting notation

4 locks held by kworker/u2:3/37:
 #0:  ("events_unbound"){.+.+.+}, at: [<9003a0a4>] process_one_work+0x12c/0x430
 #1:  ((&entry->work)){+.+.+.}, at: [<9003a0a4>] process_one_work+0x12c/0x430
 #2:  (&bdev->bd_mutex){+.+.+.}, at: [<9011fd54>] __blkdev_get+0x50/0x380
 #3:  (&(&host->lock)->rlock){-.-...}, at: [<902761ac>] ata_scsi_queuecmd+0x2c/0x330

stack backtrace:
CPU: 0 PID: 37 Comm: kworker/u2:3 Not tainted 4.4.0-rc5+ #189
Workqueue: events_unbound async_run_entry_fn
Stack : 90b38e30 00000021 00000003 9b2a6040 00000000 9005f3f0 904fc8dc 00000025
        906b96e4 00000000 90528648 9b3336c4 904fc8dc 9009bf18 00000002 00000004
        00000000 00000000 9b3336c4 9b3336e4 904fc8dc 9003d074 00000000 90500000
        9005e738 00000000 00000000 00000000 00000000 00000000 00000000 00000000
        6e657665 755f7374 756f626e 0000646e 00000000 00000000 9b00ca00 9b025000
          ...
Call Trace:
[<90009d6c>] show_stack+0x88/0xa4
[<90057744>] __lock_acquire+0x1ce8/0x2154
[<900583e4>] lock_acquire+0x64/0x8c
[<9045ff10>] _raw_spin_lock_irqsave+0x54/0x78
[<90283294>] sata_dwc_exec_command_by_tag.constprop.14+0x44/0x8c
[<90283484>] sata_dwc_qc_issue+0x1a8/0x24c
[<9026b39c>] ata_qc_issue+0x1f0/0x410
[<90273c6c>] ata_scsi_translate+0xb4/0x200
[<90276234>] ata_scsi_queuecmd+0xb4/0x330
[<9025800c>] scsi_dispatch_cmd+0xd0/0x128
[<90259934>] scsi_request_fn+0x58c/0x638
[<901a3e50>] __blk_run_queue+0x40/0x5c
[<901a83d4>] blk_queue_bio+0x27c/0x28c
[<901a5914>] generic_make_request+0xf0/0x188
[<901a5a54>] submit_bio+0xa8/0x194
[<9011adcc>] submit_bh_wbc.isra.23+0x15c/0x17c
[<9011c908>] block_read_full_page+0x3e4/0x428
[<9009e2e0>] do_read_cache_page+0xac/0x210
[<9009fd90>] read_cache_page+0x18/0x24
[<901bbd18>] read_dev_sector+0x38/0xb0
[<901bd174>] msdos_partition+0xb4/0x5c0
[<901bcb8c>] check_partition+0x140/0x274
[<901bba60>] rescan_partitions+0xa0/0x2b0
[<9011ff68>] __blkdev_get+0x264/0x380
[<901201ac>] blkdev_get+0x128/0x36c
[<901b9378>] add_disk+0x3c0/0x4bc
[<90268268>] sd_probe_async+0x100/0x224
[<90043a44>] async_run_entry_fn+0x50/0x124
[<9003a11c>] process_one_work+0x1a4/0x430
[<9003a4f4>] worker_thread+0x14c/0x4fc
[<900408f4>] kthread+0xd0/0xe8
[<90004338>] ret_from_kernel_thread+0x14/0x1c

Fixes: 62936009f35a ("[libata] Add 460EX on-chip SATA driver, sata_dwc_460ex")
Tested-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: Mans Rullgard <mans@mansr.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/ata/sata_dwc_460ex.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/ata/sata_dwc_460ex.c b/drivers/ata/sata_dwc_460ex.c
index 9020349..7a7faca 100644
--- a/drivers/ata/sata_dwc_460ex.c
+++ b/drivers/ata/sata_dwc_460ex.c
@@ -924,15 +924,13 @@ static void sata_dwc_exec_command_by_tag(struct ata_port *ap,
 					 struct ata_taskfile *tf,
 					 u8 tag, u32 cmd_issued)
 {
-	unsigned long flags;
 	struct sata_dwc_device_port *hsdevp = HSDEVP_FROM_AP(ap);
 
 	dev_dbg(ap->dev, "%s cmd(0x%02x): %s tag=%d\n", __func__, tf->command,
 		ata_get_cmd_descript(tf->command), tag);
 
-	spin_lock_irqsave(&ap->host->lock, flags);
 	hsdevp->cmd_issued[tag] = cmd_issued;
-	spin_unlock_irqrestore(&ap->host->lock, flags);
+
 	/*
 	 * Clear SError before executing a new command.
 	 * sata_dwc_scr_write and read can not be used here. Clearing the PM
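Review bot: With the spin_lock_irqsave()/spin_unlock_irqrestore() pair removed, the write to hsdevp->cmd_issued[tag] depends on every caller already holding ap->host->lock, and nothing in the function states or enforces that. A lockdep_assert_held(&ap->host->lock) ahead of the assignment, or at least a comment naming ata_scsi_queuecmd() as the lock holder, would make the requirement checkable and catch a future caller that arrives unlocked. Any call site of sata_dwc_exec_command_by_tag() that is not reached through ata_qc_issue() should be rechecked for the same assumption.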
-- 
2.7.4

* [PATCH 4.2.y-ckt 181/206] s390/vmem: fix identity mapping
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (179 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 180/206] ata: sata_dwc_460ex: remove incorrect locking Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 182/206] perf tools: Fix perf regs mask generation Kamal Mostafa
                   ` (24 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Heiko Carstens, Martin Schwidefsky, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Heiko Carstens <heiko.carstens@de.ibm.com>

commit c34a69059d7876e0793eb410deedfb08ccb22b02 upstream.

The identity mapping is suboptimal for the last 2GB frame. The mapping
will be established with a mix of 4KB and 1MB mappings instead of a
single 2GB mapping.

This happens because of an off-by-one bug introduced with
commit 50be63450728 ("s390/mm: Convert bootmem to memblock").

Currently the identity mapping looks like this:

0x0000000080000000-0x0000000180000000        4G PUD RW
0x0000000180000000-0x00000001fff00000     2047M PMD RW
0x00000001fff00000-0x0000000200000000        1M PTE RW

With the bug fixed it looks like this:

0x0000000080000000-0x0000000200000000        6G PUD RW

Fixes: 50be63450728 ("s390/mm: Convert bootmem to memblock")
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/s390/mm/vmem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/s390/mm/vmem.c b/arch/s390/mm/vmem.c
index ef7d6c8..f354fd8 100644
--- a/arch/s390/mm/vmem.c
+++ b/arch/s390/mm/vmem.c
@@ -372,7 +372,7 @@ void __init vmem_map_init(void)
 	ro_end = (unsigned long)&_eshared & PAGE_MASK;
 	for_each_memblock(memory, reg) {
 		start = reg->base;
-		end = reg->base + reg->size - 1;
+		end = reg->base + reg->size;
 		if (start >= ro_end || end <= ro_start)
 			vmem_add_mem(start, end - start, 0);
 		else if (start >= ro_start && end <= ro_end)
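Review bot: `end` changes from an inclusive to an exclusive bound here, so every use of it has to agree. The two visible tests (`end <= ro_start`, `end <= ro_end`) and the size argument `end - start` already read it as exclusive, which is why the old `- 1` made each region one byte short; the remaining branches of this if/else chain, below the visible context, need the same check. A one-line comment at the assignment saying that end is exclusive would keep the `- 1` from being reintroduced.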
-- 
2.7.4

* [PATCH 4.2.y-ckt 182/206] perf tools: Fix perf regs mask generation
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (180 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 181/206] s390/vmem: fix identity mapping Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 183/206] powerpc/sstep: Fix sstep.c compile on powerpcspe Kamal Mostafa
                   ` (23 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Naveen N . Rao, Michael Ellerman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>

commit f47822078dece7189cad0a5f472f148e5e916736 upstream.

On some architectures (powerpc in particular), the number of registers
exceeds what can be represented in an integer bitmask. Ensure we
generate the proper bitmask on such platforms.

Fixes: 71ad0f5e4 ("perf tools: Support for DWARF CFI unwinding on post processing")
Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 tools/perf/util/perf_regs.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tools/perf/util/perf_regs.c b/tools/perf/util/perf_regs.c
index 43168fb..2fb6f2a 100644
--- a/tools/perf/util/perf_regs.c
+++ b/tools/perf/util/perf_regs.c
@@ -7,18 +7,18 @@ int perf_reg_value(u64 *valp, struct regs_dump *regs, int id)
 	int i, idx = 0;
 	u64 mask = regs->mask;
 
-	if (regs->cache_mask & (1 << id))
+	if (regs->cache_mask & (1ULL << id))
 		goto out;
 
-	if (!(mask & (1 << id)))
+	if (!(mask & (1ULL << id)))
 		return -EINVAL;
 
 	for (i = 0; i < id; i++) {
-		if (mask & (1 << i))
+		if (mask & (1ULL << i))
 			idx++;
 	}
 
-	regs->cache_mask |= (1 << id);
+	regs->cache_mask |= (1ULL << id);
 	regs->cache_regs[id] = regs->regs[idx];
 
 out:
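Review bot: Missing range check on `id`: `1ULL << id` is still undefined for id >= 64 or id < 0, and `id` also indexes regs->cache_regs[] directly, so the function trusts its caller for both. Rejecting out-of-range ids with -EINVAL before the first shift would close that. The fix also only holds if regs->cache_mask is 64 bits wide like `mask`; its declaration is outside this hunk and worth confirming. As a smaller point, the loop counting set bits below `id` could be a population count of `mask & ((1ULL << id) - 1)`.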
-- 
2.7.4
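
The lookup this commit message describes, as an added example that is not code from the patch or from perf: a register value is found by counting the set bits below `id` in a 64-bit mask, which needs 64-bit shifts for ids of 32 and above. `struct packed_regs`, `packed_reg_value()` and the sample values are hypothetical and constructed for illustration; the range and length checks go beyond what the patch changes.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for perf's struct regs_dump (not the perf
 * definition): regs[] holds one value per set bit of mask, packed in
 * ascending bit order, and nregs is the number of values present. */
struct packed_regs {
	uint64_t mask;
	const uint64_t *regs;
	size_t nregs;
};

/* Constructed sample: registers 1, 3, 33 and 40 were captured. */
static const uint64_t sample_values[] = { 0x11, 0x33, 0x2121, 0x2828 };
static const struct packed_regs sample = {
	.mask = (UINT64_C(1) << 1) | (UINT64_C(1) << 3) |
		(UINT64_C(1) << 33) | (UINT64_C(1) << 40),
	.regs = sample_values,
	.nregs = 4,
};

/* Number of set bits in v. */
static size_t popcount64(uint64_t v)
{
	size_t n = 0;

	for (; v; v &= v - 1)	/* clear the lowest set bit each round */
		n++;
	return n;
}

/* Number of captured registers with id >= 32, i.e. those that can only
 * be named with a 64-bit shift. */
size_t regs_above_bit31(const struct packed_regs *r)
{
	return popcount64(r->mask >> 32);
}

/* Store the value of register `id` in *valp and return 0, or return
 * -EINVAL if the id is out of range, was not captured, or the dump is
 * shorter than the mask claims. */
int packed_reg_value(uint64_t *valp, const struct packed_regs *r, int id)
{
	uint64_t bit;
	size_t idx;

	/* A shift by a negative count or by >= 64 is undefined, even
	 * with a 64-bit operand, so reject those ids before shifting. */
	if (id < 0 || id >= 64)
		return -EINVAL;

	bit = UINT64_C(1) << id;
	if (!(r->mask & bit))
		return -EINVAL;

	/* Index into the packed array = number of captured registers
	 * with a lower id. */
	idx = popcount64(r->mask & (bit - 1));
	if (idx >= r->nregs)
		return -EINVAL;

	*valp = r->regs[idx];
	return 0;
}

int main(void)
{
	static const int ids[] = { 1, 2, 33, 40, 64 };
	size_t i;

	printf("registers needing a 64-bit shift: %zu\n",
	       regs_above_bit31(&sample));
	for (i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
		uint64_t v = 0;
		int ret = packed_reg_value(&v, &sample, ids[i]);

		printf("id %2d: ret=%d value=0x%llx\n", ids[i], ret,
		       (unsigned long long)v);
	}
	return 0;
}
```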

* [PATCH 4.2.y-ckt 183/206] powerpc/sstep: Fix sstep.c compile on powerpcspe
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (181 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 182/206] perf tools: Fix perf regs mask generation Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 184/206] MIPS: BMIPS: BMIPS5000 has I cache filing from D cache Kamal Mostafa
                   ` (22 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Len Sorensen, Michael Ellerman, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Lennart Sorensen <lsorense@csclub.uwaterloo.ca>

commit dd21731022faf43c1250050e5d28d11add599149 upstream.

Commit be96f63375a1 ("powerpc: Split out instruction analysis part of
emulate_step()") introduced ldarx and stdcx into the instructions in
sstep.c, which are not accepted by the assembler on powerpcspe, but do
seem to be accepted by the normal powerpc assembler even in 32 bit mode.

Wrap these two instructions in a __powerpc64__ check like it is
everywhere else in the file.

Fixes: be96f63375a1 ("powerpc: Split out instruction analysis part of emulate_step()")
Signed-off-by: Len Sorensen <lsorense@csclub.uwaterloo.ca>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/powerpc/lib/sstep.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/powerpc/lib/sstep.c b/arch/powerpc/lib/sstep.c
index dc885b3..6d34310 100644
--- a/arch/powerpc/lib/sstep.c
+++ b/arch/powerpc/lib/sstep.c
@@ -1818,9 +1818,11 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr)
 		case 4:
 			__get_user_asmx(val, op.ea, err, "lwarx");
 			break;
+#ifdef __powerpc64__
 		case 8:
 			__get_user_asmx(val, op.ea, err, "ldarx");
 			break;
+#endif
 		default:
 			return 0;
 		}
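Review bot: With `case 8:` compiled out, an 8-byte load-and-reserve on a 32-bit build now takes the `default: return 0` path instead of breaking the build. That looks like the intended result, but it deserves a comment next to the #ifdef, since the guard otherwise reads as a pure build fix. The guard also has to stay paired with the one on the "stdcx." case in the next hunk so that the load and store sides accept the same sizes.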
@@ -1841,9 +1843,11 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr)
 		case 4:
 			__put_user_asmx(op.val, op.ea, err, "stwcx.", cr);
 			break;
+#ifdef __powerpc64__
 		case 8:
 			__put_user_asmx(op.val, op.ea, err, "stdcx.", cr);
 			break;
+#endif
 		default:
 			return 0;
 		}
-- 
2.7.4

* [PATCH 4.2.y-ckt 184/206] MIPS: BMIPS: BMIPS5000 has I cache filing from D cache
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (182 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 183/206] powerpc/sstep: Fix sstep.c compile on powerpcspe Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 185/206] MIPS: BMIPS: Clear MIPS_CACHE_ALIASES earlier Kamal Mostafa
                   ` (21 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Florian Fainelli, linux-mips, Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit c130d2fd3d59fbd5d269f7d5827bd4ed1d94aec6 upstream.

BMIPS5000 and BMIPS5200 processors have their I-cache filling from the
D-cache. Since BMIPS_GENERIC does not provide (yet) a
cpu-feature-overrides.h file, this was not set anywhere, so make sure
the R4K cache detection takes care of that.

Fixes: d74b0172e4e2c ("MIPS: BMIPS: Add special cache handling in c-r4k.c")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/13010/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/mm/c-r4k.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c
index fbea443..b2c1685 100644
--- a/arch/mips/mm/c-r4k.c
+++ b/arch/mips/mm/c-r4k.c
@@ -1305,6 +1305,10 @@ static void probe_pcache(void)
 		c->icache.flags |= MIPS_CACHE_IC_F_DC;
 		break;
 
+	case CPU_BMIPS5000:
+		c->icache.flags |= MIPS_CACHE_IC_F_DC;
+		break;
+
 	case CPU_LOONGSON2:
 		/*
 		 * LOONGSON2 has 4 way icache, but when using indexed cache op,
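Review bot: Style point on the new `case CPU_BMIPS5000:` block: its body is identical to the case directly above it (`c->icache.flags |= MIPS_CACHE_IC_F_DC;` then `break;`). If that preceding case does nothing else, stacking the CPU_BMIPS5000 label onto it avoids the duplicate; if a BMIPS-specific line is about to be added to this case, keeping it separate is reasonable and the commit message could say so.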
-- 
2.7.4

* [PATCH 4.2.y-ckt 185/206] MIPS: BMIPS: Clear MIPS_CACHE_ALIASES earlier
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (183 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 184/206] MIPS: BMIPS: BMIPS5000 has I cache filing from D cache Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 186/206] MIPS: BMIPS: local_r4k___flush_cache_all needs to blast S-cache Kamal Mostafa
                   ` (20 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Florian Fainelli, linux-mips, Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 73c4ca047f440c79f545bc6133e3033f754cd239 upstream.

BMIPS5000 and BMIPS5200 processors have no D cache aliases, and this is
properly handled by the per-CPU override added at the end of
r4k_cache_init(), the problem is that the output of probe_pcache()
disagrees with that, since this is too late:

Primary instruction cache 32kB, VIPT, 4-way, linesize 64 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes

With the change moved earlier, we now have a consistent output with the
settings we are intending to have:

Primary instruction cache 32kB, VIPT, 4-way, linesize 64 bytes.
Primary data cache 32kB, 4-way, VIPT, no aliases, linesize 32 bytes

Fixes: d74b0172e4e2c ("MIPS: BMIPS: Add special cache handling in c-r4k.c")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/13011/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/mm/c-r4k.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c
index b2c1685..f22809f 100644
--- a/arch/mips/mm/c-r4k.c
+++ b/arch/mips/mm/c-r4k.c
@@ -1307,6 +1307,8 @@ static void probe_pcache(void)
 
 	case CPU_BMIPS5000:
 		c->icache.flags |= MIPS_CACHE_IC_F_DC;
+		/* Cache aliases are handled in hardware; allow HIGHMEM */
+		c->dcache.flags &= ~MIPS_CACHE_ALIASES;
 		break;
 
 	case CPU_LOONGSON2:
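Review bot: Ordering needs confirming for the new `c->dcache.flags &= ~MIPS_CACHE_ALIASES;` line. It only has an effect if this switch runs after the code in probe_pcache() that sets MIPS_CACHE_ALIASES and before the cache description is printed; neither is visible in the hunk. A sentence in the commit message saying where the flag gets set would make that checkable.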
@@ -1746,8 +1748,6 @@ void r4k_cache_init(void)
 		flush_icache_range = (void *)b5k_instruction_hazard;
 		local_flush_icache_range = (void *)b5k_instruction_hazard;
 
-		/* Cache aliases are handled in hardware; allow HIGHMEM */
-		current_cpu_data.dcache.flags &= ~MIPS_CACHE_ALIASES;
 
 		/* Optimization: an L2 flush implicitly flushes the L1 */
 		current_cpu_data.options |= MIPS_CPU_INCLUSIVE_CACHES;
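Review bot: Style point: removing the comment and the flag-clearing line leaves two consecutive blank lines between the `local_flush_icache_range` assignment and the `/* Optimization: ... */` comment. One of them should go with the removed lines.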
-- 
2.7.4

* [PATCH 4.2.y-ckt 186/206] MIPS: BMIPS: local_r4k___flush_cache_all needs to blast S-cache
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (184 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 185/206] MIPS: BMIPS: Clear MIPS_CACHE_ALIASES earlier Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 187/206] MIPS: BMIPS: Pretty print BMIPS5200 processor name Kamal Mostafa
                   ` (19 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Florian Fainelli, linux-mips, Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit f675843ddfdfdf467d08cc922201614a149e439e upstream.

local_r4k___flush_cache_all() is missing a special check for BMIPS5000
processors, we need to blast the S-cache, just like other MTI processors
since we have an inclusive cache. We also need an additional __sync() to
make sure this is completed.

Fixes: d74b0172e4e2c ("MIPS: BMIPS: Add special cache handling in c-r4k.c")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/13012/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/mm/c-r4k.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c
index f22809f..a50011a 100644
--- a/arch/mips/mm/c-r4k.c
+++ b/arch/mips/mm/c-r4k.c
@@ -447,6 +447,11 @@ static inline void local_r4k___flush_cache_all(void * args)
 		r4k_blast_scache();
 		break;
 
+	case CPU_BMIPS5000:
+		r4k_blast_scache();
+		__sync();
+		break;
+
 	default:
 		r4k_blast_dcache();
 		r4k_blast_icache();
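Review bot: The `__sync()` after r4k_blast_scache() in the new case is undocumented in the code, while the neighbouring case above it ends with r4k_blast_scache() alone. The commit message gives the reason (making sure the blast has completed); a short comment on that line would stop it being dropped later as redundant.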
-- 
2.7.4

* [PATCH 4.2.y-ckt 187/206] MIPS: BMIPS: Pretty print BMIPS5200 processor name
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (185 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 186/206] MIPS: BMIPS: local_r4k___flush_cache_all needs to blast S-cache Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 188/206] MIPS: math-emu: Fix BC1{EQ,NE}Z emulation Kamal Mostafa
                   ` (18 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Florian Fainelli, linux-mips, Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 37808d62afcdc420d98875c4b514c178d56f6815 upstream.

Just to ease debugging of multiplatform kernel, make sure we print
"Broadcom BMIPS5200" for the BMIPS5200 implementation instead of
Broadcom BMIPS5000.

Fixes: 68e6a78373a6d ("MIPS: BMIPS: Add PRId for BMIPS5200 (Whirlwind)")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/13014/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/kernel/cpu-probe.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/mips/kernel/cpu-probe.c b/arch/mips/kernel/cpu-probe.c
index dbe0792..cbd4c43 100644
--- a/arch/mips/kernel/cpu-probe.c
+++ b/arch/mips/kernel/cpu-probe.c
@@ -1248,7 +1248,10 @@ static inline void cpu_probe_broadcom(struct cpuinfo_mips *c, unsigned int cpu)
 	case PRID_IMP_BMIPS5000:
 	case PRID_IMP_BMIPS5200:
 		c->cputype = CPU_BMIPS5000;
-		__cpu_name[cpu] = "Broadcom BMIPS5000";
+		if ((c->processor_id & PRID_IMP_MASK) == PRID_IMP_BMIPS5200)
+			__cpu_name[cpu] = "Broadcom BMIPS5200";
+		else
+			__cpu_name[cpu] = "Broadcom BMIPS5000";
 		set_elf_platform(cpu, "bmips5000");
 		c->options |= MIPS_CPU_ULRI;
 		break;
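Review bot: Only the printed name is split here: `c->cputype = CPU_BMIPS5000;` and `set_elf_platform(cpu, "bmips5000");` stay shared between PRID_IMP_BMIPS5000 and PRID_IMP_BMIPS5200, and the patch does not say that this is deliberate. A line in the commit message or a comment above the `if` stating that only __cpu_name[] is meant to differ would keep a later reader from "fixing" the platform string as well.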
-- 
2.7.4

* [PATCH 4.2.y-ckt 188/206] MIPS: math-emu: Fix BC1{EQ,NE}Z emulation
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (186 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 187/206] MIPS: BMIPS: Pretty print BMIPS5200 processor name Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 189/206] MIPS: Fix BC1{EQ,NE}Z return offset calculation Kamal Mostafa
                   ` (17 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Paul Burton, Maciej W . Rozycki, linux-mips, Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Paul Burton <paul.burton@imgtec.com>

commit 93583e178ebfdd2fadf950eef1547f305cac12ca upstream.

The conditions for branching when emulating the BC1EQZ & BC1NEZ
instructions were backwards, leading to each of those instructions being
treated as the other. Fix this by reversing the conditions, and clear up
the code a little for readability & checkpatch.

Fixes: c909ca718e8f ("MIPS: math-emu: Emulate missing BC1{EQ,NE}Z instructions")
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Cc: Maciej W. Rozycki <macro@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/13150/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/math-emu/cp1emu.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c
index 2bf9209..8d9133f 100644
--- a/arch/mips/math-emu/cp1emu.c
+++ b/arch/mips/math-emu/cp1emu.c
@@ -975,9 +975,10 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 		struct mm_decoded_insn dec_insn, void *__user *fault_addr)
 {
 	unsigned long contpc = xcp->cp0_epc + dec_insn.pc_inc;
-	unsigned int cond, cbit;
+	unsigned int cond, cbit, bit0;
 	mips_instruction ir;
 	int likely, pc_inc;
+	union fpureg *fpr;
 	u32 __user *wva;
 	u64 __user *dva;
 	u32 wval;
@@ -1189,14 +1190,14 @@ emul:
 				return SIGILL;
 
 			cond = likely = 0;
+			fpr = &current->thread.fpu.fpr[MIPSInst_RT(ir)];
+			bit0 = get_fpr32(fpr, 0) & 0x1;
 			switch (MIPSInst_RS(ir)) {
 			case bc1eqz_op:
-				if (get_fpr32(&current->thread.fpu.fpr[MIPSInst_RT(ir)], 0) & 0x1)
-				    cond = 1;
+				cond = bit0 == 0;
 				break;
 			case bc1nez_op:
-				if (!(get_fpr32(&current->thread.fpu.fpr[MIPSInst_RT(ir)], 0) & 0x1))
-				    cond = 1;
+				cond = bit0 != 0;
 				break;
 			}
 			goto branch_common;
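Review bot: The switch on MIPSInst_RS(ir) still has no default, so any value other than bc1eqz_op or bc1nez_op leaves `cond` at 0 before the jump to branch_common. If the check that returns SIGILL above already restricts rs to these two ops, a comment saying so would do; otherwise a default that returns SIGILL is safer. The reversed conditions themselves (`cond = bit0 == 0;` for bc1eqz_op, `cond = bit0 != 0;` for bc1nez_op) match the instruction names.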
-- 
2.7.4

* [PATCH 4.2.y-ckt 189/206] MIPS: Fix BC1{EQ,NE}Z return offset calculation
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (187 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 188/206] MIPS: math-emu: Fix BC1{EQ,NE}Z emulation Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 190/206] MIPS: BMIPS: Adjust mips-hpt-frequency for BCM7435 Kamal Mostafa
                   ` (16 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Paul Burton, linux-mips, Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Paul Burton <paul.burton@imgtec.com>

commit ac1496980f1d2752f26769f5db63afbc9ac2b603 upstream.

The conditions for branching when emulating the BC1EQZ & BC1NEZ
instructions were backwards, leading to each of those instructions being
treated as the other. Fix this by reversing the conditions, and clear up
the code a little for readability & checkpatch.

Fixes: c8a34581ec09 ("MIPS: Emulate the BC1{EQ,NE}Z FPU instructions")
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/13151/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/kernel/branch.c | 18 +++---------------
 1 file changed, 3 insertions(+), 15 deletions(-)

diff --git a/arch/mips/kernel/branch.c b/arch/mips/kernel/branch.c
index d8f9b35..ceca6cc 100644
--- a/arch/mips/kernel/branch.c
+++ b/arch/mips/kernel/branch.c
@@ -688,21 +688,9 @@ int __compute_return_epc_for_insn(struct pt_regs *regs,
 			}
 			lose_fpu(1);    /* Save FPU state for the emulator. */
 			reg = insn.i_format.rt;
-			bit = 0;
-			switch (insn.i_format.rs) {
-			case bc1eqz_op:
-				/* Test bit 0 */
-				if (get_fpr32(&current->thread.fpu.fpr[reg], 0)
-				    & 0x1)
-					bit = 1;
-				break;
-			case bc1nez_op:
-				/* Test bit 0 */
-				if (!(get_fpr32(&current->thread.fpu.fpr[reg], 0)
-				      & 0x1))
-					bit = 1;
-				break;
-			}
+			bit = get_fpr32(&current->thread.fpu.fpr[reg], 0) & 0x1;
+			if (insn.i_format.rs == bc1eqz_op)
+				bit = !bit;
 			own_fpu(1);
 			if (bit)
 				epc = epc + 4 +
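Review bot: Behaviour changes for any rs value that is neither bc1eqz_op nor bc1nez_op: the removed switch left `bit` at 0 for such values, while the new code treats everything except bc1eqz_op as bc1nez and takes the branch when bit 0 of the FPR is set. If the enclosing case guarantees that only those two ops reach this point, a comment to that effect is enough; otherwise an explicit test for bc1nez_op should stay. The commit message also repeats the text of the math-emu fix and does not describe the return offset calculation named in the subject.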
-- 
2.7.4

* [PATCH 4.2.y-ckt 190/206] MIPS: BMIPS: Adjust mips-hpt-frequency for BCM7435
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (188 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 189/206] MIPS: Fix BC1{EQ,NE}Z return offset calculation Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 191/206] IB/srp: Print "ib_srp: " prefix once Kamal Mostafa
                   ` (15 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Florian Fainelli, linux-mips, john, cernekee, jaedon.shin,
	Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 80fa40acaa1dad5a0a9c15ed2e5d2e72461843f5 upstream.

The CPU actually runs at 1405 MHz which gives us a 175625000 Hz MIPS timer
frequency (CPU frequency / 8).

Fixes: e4c7d009654a ("MIPS: BMIPS: Add BCM7435 dtsi")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Cc: linux-mips@linux-mips.org
Cc: john@phrozen.org
Cc: cernekee@gmail.com
Cc: jaedon.shin@gmail.com
Patchwork: https://patchwork.linux-mips.org/patch/13132/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/boot/dts/brcm/bcm7435.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/mips/boot/dts/brcm/bcm7435.dtsi b/arch/mips/boot/dts/brcm/bcm7435.dtsi
index 8b9432c..27b2b8e 100644
--- a/arch/mips/boot/dts/brcm/bcm7435.dtsi
+++ b/arch/mips/boot/dts/brcm/bcm7435.dtsi
@@ -7,7 +7,7 @@
 		#address-cells = <1>;
 		#size-cells = <0>;
 
-		mips-hpt-frequency = <163125000>;
+		mips-hpt-frequency = <175625000>;
 
 		cpu@0 {
 			compatible = "brcm,bmips5200";
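Review bot: Documentation point: `mips-hpt-frequency = <175625000>;` is a derived value, and the derivation (CPU frequency divided by 8) lives only in the commit message. A comment beside the property would let the next reader verify it without digging through history.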
-- 
2.7.4

* [PATCH 4.2.y-ckt 191/206] IB/srp: Print "ib_srp: " prefix once
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (189 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 190/206] MIPS: BMIPS: Adjust mips-hpt-frequency for BCM7435 Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 192/206] IB/IWPM: Fix a potential skb leak Kamal Mostafa
                   ` (14 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Bart Van Assche, Christoph Hellwig, Sagi Grimberg, Doug Ledford,
	Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Bart Van Assche <bart.vanassche@sandisk.com>

commit cf1acab7d75652a372ee5b9c996689d518914e83 upstream.

pr_debug() already prints prefix PFX. Avoid that PFX is printed
twice if the debug statement in srp_add_target() is enabled.

Fixes: 34aa654ecb8e ("IB/srp: Avoid that I/O hangs due to a cable pull during LUN scanning")
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Tested-by: Laurence Oberman <loberman@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/infiniband/ulp/srp/ib_srp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c
index bdcb72e..fdf808e 100644
--- a/drivers/infiniband/ulp/srp/ib_srp.c
+++ b/drivers/infiniband/ulp/srp/ib_srp.c
@@ -2807,7 +2807,7 @@ static int srp_add_target(struct srp_host *host, struct srp_target_port *target)
 		goto out;
 	}
 
-	pr_debug(PFX "%s: SCSI scan succeeded - detected %d LUNs\n",
+	pr_debug("%s: SCSI scan succeeded - detected %d LUNs\n",
 		 dev_name(&target->scsi_host->shost_gendev),
 		 srp_sdev_count(target->scsi_host));
 
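Review bot: Dropping PFX from this pr_debug() is only correct if the file defines pr_fmt() with the same prefix, which the commit message asserts but the hunk does not show. Worth confirming, and worth checking that no other pr_debug() call in ib_srp.c still passes PFX explicitly, since it would double the prefix in the same way.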
-- 
2.7.4

* [PATCH 4.2.y-ckt 192/206] IB/IWPM: Fix a potential skb leak
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (190 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 191/206] IB/srp: Print "ib_srp: " prefix once Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 193/206] i40e: fix an uninitialized variable bug Kamal Mostafa
                   ` (13 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Mark Bloch, Leon Romanovsky, Doug Ledford, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Mark Bloch <markb@mellanox.com>

commit 5ed935e861a4cbf2158ad3386d6d26edd60d2658 upstream.

In case ibnl_put_msg fails in send_nlmsg_done,
the function returns with -ENOMEM without freeing.

This patch fixes this behavior.

Fixes: 30dc5e63d6a5 ("RDMA/core: Add support for iWARP Port Mapper user space service")
Signed-off-by: Mark Bloch <markb@mellanox.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Reviewed-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/infiniband/core/iwpm_util.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/infiniband/core/iwpm_util.c b/drivers/infiniband/core/iwpm_util.c
index 5fb089e..fb43a24 100644
--- a/drivers/infiniband/core/iwpm_util.c
+++ b/drivers/infiniband/core/iwpm_util.c
@@ -634,6 +634,7 @@ static int send_nlmsg_done(struct sk_buff *skb, u8 nl_client, int iwpm_pid)
 	if (!(ibnl_put_msg(skb, &nlh, 0, 0, nl_client,
 			   RDMA_NL_IWPM_MAPINFO, NLM_F_MULTI))) {
 		pr_warn("%s Unable to put NLMSG_DONE\n", __func__);
+		dev_kfree_skb(skb);
 		return -ENOMEM;
 	}
 	nlh->nlmsg_type = NLMSG_DONE;
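Review bot: Ownership of `skb` on the error path needs checking: with `dev_kfree_skb(skb);` added before `return -ENOMEM;`, any caller of send_nlmsg_done() that frees the skb itself on a non-zero return would now free it twice. The callers are outside this hunk; the patch should either state that none of them free on error or adjust them in the same change. A short comment on the function saying whether it consumes skb on failure would document the contract.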
-- 
2.7.4

* [PATCH 4.2.y-ckt 193/206] i40e: fix an uninitialized variable bug
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (191 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 192/206] IB/IWPM: Fix a potential skb leak Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 194/206] blk-mq: fix undefined behaviour in order_to_size() Kamal Mostafa
                   ` (12 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Dan Carpenter, Jeff Kirsher, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 1c306f7f62a38ee5f05f0ee994dfe82d654cf47c upstream.

We removed this initialization but it is required.  Let's put it back.

Fixes: 895106a577c4 ('i40e: trivial fixes')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/ethernet/intel/i40e/i40e_hmc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/intel/i40e/i40e_hmc.c b/drivers/net/ethernet/intel/i40e/i40e_hmc.c
index 9b987cc..a915030 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_hmc.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_hmc.c
@@ -49,7 +49,7 @@ i40e_status i40e_add_sd_table_entry(struct i40e_hw *hw,
 	struct i40e_hmc_sd_entry *sd_entry;
 	bool dma_mem_alloc_done = false;
 	struct i40e_dma_mem mem;
-	i40e_status ret_code;
+	i40e_status ret_code = I40E_SUCCESS;
 	u64 alloc_len;
 
 	if (NULL == hmc_info->sd_table.sd_entry) {
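Review bot: initialising ret_code to I40E_SUCCESS at its declaration in i40e_add_sd_table_entry() restores the old behaviour, but the commit message does not say which path reaches the return without assigning ret_code. Naming that path in the message (or in a comment next to the declaration) would let a reviewer confirm that I40E_SUCCESS is the right value to return there, and would explain why this initialiser must not be removed again as it was in 895106a577c4.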
-- 
2.7.4


* [PATCH 4.2.y-ckt 194/206] blk-mq: fix undefined behaviour in order_to_size()
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (192 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 193/206] i40e: fix an uninitialized variable bug Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 195/206] x86/PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs Kamal Mostafa
                   ` (11 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Bartlomiej Zolnierkiewicz, Jens Axboe, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>

commit b3a834b1596ac668df206aa2bb1f191c31f5f5e4 upstream.

When this_order variable in blk_mq_init_rq_map() becomes zero
the code incorrectly decrements the variable and passes the result
to order_to_size() helper causing undefined behaviour:

 UBSAN: Undefined behaviour in block/blk-mq.c:1459:27
 shift exponent 4294967295 is too large for 32-bit type 'unsigned int'
 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.6.0-rc6-00072-g33656a1 #22

Fix the code by checking this_order variable for not having the zero
value first.

Reported-by: Meelis Roos <mroos@linux.ee>
Fixes: 320ae51feed5 ("blk-mq: new multi-queue block IO queueing mechanism")
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 block/blk-mq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/blk-mq.c b/block/blk-mq.c
index 0990d4c..7d5f8cb 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -1488,7 +1488,7 @@ static struct blk_mq_tags *blk_mq_init_rq_map(struct blk_mq_tag_set *set,
 		int to_do;
 		void *p;
 
-		while (left < order_to_size(this_order - 1) && this_order)
+		while (this_order && left < order_to_size(this_order - 1))
 			this_order--;
 
 		do {
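Review bot: the corrected loop condition depends on && short-circuiting so that order_to_size(this_order - 1) is never evaluated when this_order is 0, and nothing at the loop says so; the original bug was exactly this pair of operands in the other order. A one-line comment above the while, for example that this_order must be tested first because this_order - 1 wraps at zero, would keep a later cleanup from swapping them back.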
-- 
2.7.4


* [PATCH 4.2.y-ckt 195/206] x86/PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (193 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 194/206] blk-mq: fix undefined behaviour in order_to_size() Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 196/206] netlink: Fix dump skb leak/double free Kamal Mostafa
                   ` (10 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Prarit Bhargava, Bjorn Helgaas, Thomas Gleixner, Ingo Molnar,
	H. Peter Anvin, Andi Kleen, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Prarit Bhargava <prarit@redhat.com>

commit da77b67195de1c65bef4908fa29967c4d0af2da2 upstream.

Commit b894157145e4 ("x86/PCI: Mark Broadwell-EP Home Agent & PCU as having
non-compliant BARs") marked Home Agent 0 & PCU as having non-compliant
BARs.  Home Agent 1 also has non-compliant BARs.

Mark Home Agent 1 as having non-compliant BARs so the PCI core doesn't
touch them.

The problem with these devices is documented in the Xeon v4 specification
update:

  BDF2          PCI BARs in the Home Agent Will Return Non-Zero Values
                During Enumeration

  Problem:      During system initialization the Operating System may access
                the standard PCI BARs (Base Address Registers).  Due to
                this erratum, accesses to the Home Agent BAR registers (Bus
                1; Device 18; Function 0,4; Offsets (0x14-0x24) will return
                non-zero values.

  Implication:  The operating system may issue a warning.  Intel has not
                observed any functional failures due to this erratum.

Link: http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v4-spec-update.html
Fixes: b894157145e4 ("x86/PCI: Mark Broadwell-EP Home Agent & PCU as having non-compliant BARs")
Signed-off-by: Prarit Bhargava <prarit@redhat.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
CC: Thomas Gleixner <tglx@linutronix.de>
CC: Ingo Molnar <mingo@redhat.com>
CC: "H. Peter Anvin" <hpa@zytor.com>
CC: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/x86/pci/fixup.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/x86/pci/fixup.c b/arch/x86/pci/fixup.c
index f16af96..156fbb6 100644
--- a/arch/x86/pci/fixup.c
+++ b/arch/x86/pci/fixup.c
@@ -554,9 +554,16 @@ static void twinhead_reserve_killing_zone(struct pci_dev *dev)
 }
 DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x27B9, twinhead_reserve_killing_zone);
 
+/*
+ * Broadwell EP Home Agent BARs erroneously return non-zero values when read.
+ *
+ * See http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v4-spec-update.html
+ * entry BDF2.
+ */
 static void pci_bdwep_bar(struct pci_dev *dev)
 {
 	dev->non_compliant_bars = 1;
 }
+DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6f60, pci_bdwep_bar);
 DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fa0, pci_bdwep_bar);
 DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fc0, pci_bdwep_bar);
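Review bot: the new DECLARE_PCI_FIXUP_EARLY line uses the bare device ID 0x6f60, and the added block comment speaks only of Home Agent BARs, although per the commit message the fixups using pci_bdwep_bar() cover Home Agent 0, Home Agent 1 and the PCU. Please annotate each DECLARE_PCI_FIXUP_EARLY line with the device it matches (or use named ID constants), and mention the PCU in the comment, so the next erratum addition can be checked against the spec update without going back to the commit log.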
-- 
2.7.4


* [PATCH 4.2.y-ckt 196/206] netlink: Fix dump skb leak/double free
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (194 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 195/206] x86/PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 197/206] MIPS: ath79: fix regression in PCI window initialization Kamal Mostafa
                   ` (9 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Herbert Xu, David S . Miller, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 92964c79b357efd980812c4de5c1fd2ec8bb5520 upstream.

When we free cb->skb after a dump, we do it after releasing the
lock.  This means that a new dump could have started in the time
being and we'll end up freeing their skb instead of ours.

This patch saves the skb and module before we unlock so we free
the right memory.

Fixes: 16b304f3404f ("netlink: Eliminate kmalloc in netlink dump operation.")
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 net/netlink/af_netlink.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 08bd219..c216bff 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2755,6 +2755,7 @@ static int netlink_dump(struct sock *sk)
 	struct netlink_callback *cb;
 	struct sk_buff *skb = NULL;
 	struct nlmsghdr *nlh;
+	struct module *module;
 	int len, err = -ENOBUFS;
 	int alloc_min_size;
 	int alloc_size;
@@ -2835,9 +2836,11 @@ static int netlink_dump(struct sock *sk)
 		cb->done(cb);
 
 	nlk->cb_running = false;
+	module = cb->module;
+	skb = cb->skb;
 	mutex_unlock(nlk->cb_mutex);
-	module_put(cb->module);
-	consume_skb(cb->skb);
+	module_put(module);
+	consume_skb(skb);
 	return 0;
 
 errout_skb:
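Review bot: in this hunk cb->skb is saved into the function's existing skb local, which netlink_dump() declares at the top (initialised to NULL) for its own buffer and which sits right above the errout_skb label, while cb->module gets a new dedicated local. A separate variable for the saved cb->skb would make it obvious which buffer consume_skb() releases, and a short comment before mutex_unlock(nlk->cb_mutex) saying that cb must not be dereferenced after the unlock would protect the fix from later reordering.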
-- 
2.7.4


* [PATCH 4.2.y-ckt 197/206] MIPS: ath79: fix regression in PCI window initialization
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (195 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 196/206] netlink: Fix dump skb leak/double free Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 198/206] sched/preempt: Fix preempt_count manipulations Kamal Mostafa
                   ` (8 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Alban Bedel, Felix Fietkau, sergei.shtylyov, linux-mips,
	Ralf Baechle, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Felix Fietkau <nbd@nbd.name>

commit 9184dc8ffa56844352b3b9860e562ec4ee41176f upstream.

ath79_ddr_pci_win_base has the type void __iomem *, so register offsets
need to be a multiple of 4.

Cc: Alban Bedel <albeu@free.fr>
Fixes: 24b0e3e84fbf ("MIPS: ath79: Improve the DDR controller interface")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Cc: sergei.shtylyov@cogentembedded.com
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/13258/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/ath79/common.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/arch/mips/ath79/common.c b/arch/mips/ath79/common.c
index 3cedd1f..8ae4067 100644
--- a/arch/mips/ath79/common.c
+++ b/arch/mips/ath79/common.c
@@ -76,14 +76,14 @@ void ath79_ddr_set_pci_windows(void)
 {
 	BUG_ON(!ath79_ddr_pci_win_base);
 
-	__raw_writel(AR71XX_PCI_WIN0_OFFS, ath79_ddr_pci_win_base + 0);
-	__raw_writel(AR71XX_PCI_WIN1_OFFS, ath79_ddr_pci_win_base + 1);
-	__raw_writel(AR71XX_PCI_WIN2_OFFS, ath79_ddr_pci_win_base + 2);
-	__raw_writel(AR71XX_PCI_WIN3_OFFS, ath79_ddr_pci_win_base + 3);
-	__raw_writel(AR71XX_PCI_WIN4_OFFS, ath79_ddr_pci_win_base + 4);
-	__raw_writel(AR71XX_PCI_WIN5_OFFS, ath79_ddr_pci_win_base + 5);
-	__raw_writel(AR71XX_PCI_WIN6_OFFS, ath79_ddr_pci_win_base + 6);
-	__raw_writel(AR71XX_PCI_WIN7_OFFS, ath79_ddr_pci_win_base + 7);
+	__raw_writel(AR71XX_PCI_WIN0_OFFS, ath79_ddr_pci_win_base + 0x0);
+	__raw_writel(AR71XX_PCI_WIN1_OFFS, ath79_ddr_pci_win_base + 0x4);
+	__raw_writel(AR71XX_PCI_WIN2_OFFS, ath79_ddr_pci_win_base + 0x8);
+	__raw_writel(AR71XX_PCI_WIN3_OFFS, ath79_ddr_pci_win_base + 0xc);
+	__raw_writel(AR71XX_PCI_WIN4_OFFS, ath79_ddr_pci_win_base + 0x10);
+	__raw_writel(AR71XX_PCI_WIN5_OFFS, ath79_ddr_pci_win_base + 0x14);
+	__raw_writel(AR71XX_PCI_WIN6_OFFS, ath79_ddr_pci_win_base + 0x18);
+	__raw_writel(AR71XX_PCI_WIN7_OFFS, ath79_ddr_pci_win_base + 0x1c);
 }
 EXPORT_SYMBOL_GPL(ath79_ddr_set_pci_windows);
 
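Review bot: the eight __raw_writel() lines now carry hand-written byte offsets 0x0 through 0x1c, and neither the code nor a comment says that arithmetic on the void __iomem * base is in bytes, which is the mistake behind the removed + 1 through + 7 offsets. Consider named register-offset constants, or a comment above the block stating that the window registers are 32 bits wide and spaced 4 bytes apart.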
-- 
2.7.4


* [PATCH 4.2.y-ckt 198/206] sched/preempt: Fix preempt_count manipulations
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (196 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 197/206] MIPS: ath79: fix regression in PCI window initialization Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 199/206] tipc: fix nametable publication field in nl compat Kamal Mostafa
                   ` (7 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Peter Zijlstra, Linus Torvalds, Thomas Gleixner, Ingo Molnar,
	Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Peter Zijlstra <peterz@infradead.org>

commit 2e636d5e66c35dfcbaf617aa8fa963f6847478fe upstream.

Vikram reported that his ARM64 compiler managed to 'optimize' away the
preempt_count manipulations in code like:

	preempt_enable_no_resched();
	put_user();
	preempt_disable();

Irrespective of the fact that that is horrible code that should be
fixed for many reasons, it does highlight a deficiency in the generic
preempt_count manipulators. As it is never right to combine/elide
preempt_count manipulations like this.

Therefore sprinkle some volatile in the two generic accessors to
ensure the compiler is aware of the fact that the preempt_count is
observed outside of the regular program-order view and thus cannot be
optimized away like this.

x86; the only arch not using the generic code is not affected as we
do all this in asm in order to use the segment base per-cpu stuff.

Reported-by: Vikram Mulukutla <markivx@codeaurora.org>
Tested-by: Vikram Mulukutla <markivx@codeaurora.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: a787870924db ("sched, arch: Create asm/preempt.h")
Link: http://lkml.kernel.org/r/20160516131751.GH3205@twins.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 include/asm-generic/preempt.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/asm-generic/preempt.h b/include/asm-generic/preempt.h
index 0bec580..af36c87 100644
--- a/include/asm-generic/preempt.h
+++ b/include/asm-generic/preempt.h
@@ -7,10 +7,10 @@
 
 static __always_inline int preempt_count(void)
 {
-	return current_thread_info()->preempt_count;
+	return READ_ONCE(current_thread_info()->preempt_count);
 }
 
-static __always_inline int *preempt_count_ptr(void)
+static __always_inline volatile int *preempt_count_ptr(void)
 {
 	return &current_thread_info()->preempt_count;
 }
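Review bot: READ_ONCE() in preempt_count() and the volatile-qualified return type of preempt_count_ptr() are added without any comment, and a bare volatile in a generic header is likely to be questioned or removed later. Please add a comment at both accessors recording the reason given in the commit message, that the compiler must not combine or elide preempt_count manipulations. It is also worth checking that no caller stores the result of preempt_count_ptr() in a plain int *, which would discard the qualifier.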
-- 
2.7.4


* [PATCH 4.2.y-ckt 199/206] tipc: fix nametable publication field in nl compat
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (197 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 198/206] sched/preempt: Fix preempt_count manipulations Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 200/206] sunrpc: Update RPCBIND_MAXNETIDLEN Kamal Mostafa
                   ` (6 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Richard Alpe, David S . Miller, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Richard Alpe <richard.alpe@ericsson.com>

commit 03aaaa9b941e136757b55c4cf775aab6068dfd94 upstream.

The publication field of the old netlink API should contain the
publication key and not the publication reference.

Fixes: 44a8ae94fd55 (tipc: convert legacy nl name table dump to nl compat)
Signed-off-by: Richard Alpe <richard.alpe@ericsson.com>
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 net/tipc/netlink_compat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index 53e0fee..cd6346b 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -802,7 +802,7 @@ static int tipc_nl_compat_name_table_dump(struct tipc_nl_compat_msg *msg,
 		goto out;
 
 	tipc_tlv_sprintf(msg->rep, "%-10u %s",
-			 nla_get_u32(publ[TIPC_NLA_PUBL_REF]),
+			 nla_get_u32(publ[TIPC_NLA_PUBL_KEY]),
 			 scope_str[nla_get_u32(publ[TIPC_NLA_PUBL_SCOPE])]);
 out:
 	tipc_tlv_sprintf(msg->rep, "\n");
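Review bot: this hunk now reads publ[TIPC_NLA_PUBL_KEY] with nla_get_u32(), and the unchanged next line uses nla_get_u32(publ[TIPC_NLA_PUBL_SCOPE]) directly as an index into scope_str[]; neither a presence check for the KEY attribute nor a bound on the scope value is visible here. If the earlier part of tipc_nl_compat_name_table_dump() does not already guarantee both, please add the checks before the tipc_tlv_sprintf() call.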
-- 
2.7.4


* [PATCH 4.2.y-ckt 200/206] sunrpc: Update RPCBIND_MAXNETIDLEN
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (198 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 199/206] tipc: fix nametable publication field in nl compat Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 201/206] batman-adv: fix skb deref after free Kamal Mostafa
                   ` (5 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Chuck Lever, Anna Schumaker, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Chuck Lever <chuck.lever@oracle.com>

commit 4b9c7f9db9a003f5c342184dc4401c1b7f2efb39 upstream.

Commit 176e21ee2ec8 ("SUNRPC: Support for RPC over AF_LOCAL
transports") added a 5-character netid, but did not bump
RPCBIND_MAXNETIDLEN from 4 to 5.

Fixes: 176e21ee2ec8 ("SUNRPC: Support for RPC over AF_LOCAL ...")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 include/linux/sunrpc/msg_prot.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/sunrpc/msg_prot.h b/include/linux/sunrpc/msg_prot.h
index 8073713..59cbf16 100644
--- a/include/linux/sunrpc/msg_prot.h
+++ b/include/linux/sunrpc/msg_prot.h
@@ -158,9 +158,9 @@ typedef __be32	rpc_fraghdr;
 
 /*
  * Note that RFC 1833 does not put any size restrictions on the
- * netid string, but all currently defined netid's fit in 4 bytes.
+ * netid string, but all currently defined netid's fit in 5 bytes.
  */
-#define RPCBIND_MAXNETIDLEN	(4u)
+#define RPCBIND_MAXNETIDLEN	(5u)
 
 /*
  * Universal addresses are introduced in RFC 1833 and further spelled
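Review bot: the updated comment says every defined netid fits in 5 bytes but does not name the 5-character netid that forced the change, nor say whether RPCBIND_MAXNETIDLEN counts a terminating NUL. Since the constant is a length limit, please state both in the comment, and check that every buffer sized from it leaves room for a terminator now that the limit goes from 4u to 5u.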
-- 
2.7.4


* [PATCH 4.2.y-ckt 201/206] batman-adv: fix skb deref after free
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (199 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 200/206] sunrpc: Update RPCBIND_MAXNETIDLEN Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 202/206] net: ehea: avoid null pointer dereference Kamal Mostafa
                   ` (4 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Florian Westphal, Marek Lindner, Antonio Quartulli, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Florian Westphal <fw@strlen.de>

commit 63d443efe8be2c1d02b30d7e4edeb9aa085352b3 upstream.

batadv_send_skb_to_orig() calls dev_queue_xmit() so we can't use skb->len.

Fixes: 953324776d6d ("batman-adv: network coding - buffer unicast packets before forward")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 net/batman-adv/routing.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index cf57b20..fe25db2 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -585,6 +585,7 @@ static int batadv_route_unicast_packet(struct sk_buff *skb,
 	struct batadv_unicast_packet *unicast_packet;
 	struct ethhdr *ethhdr = eth_hdr(skb);
 	int res, hdr_len, ret = NET_RX_DROP;
+	unsigned int len;
 
 	unicast_packet = (struct batadv_unicast_packet *)skb->data;
 
@@ -625,6 +626,7 @@ static int batadv_route_unicast_packet(struct sk_buff *skb,
 	if (hdr_len > 0)
 		batadv_skb_set_priority(skb, hdr_len);
 
+	len = skb->len;
 	res = batadv_send_skb_to_orig(skb, orig_node, recv_if);
 
 	/* translate transmit result into receive result */
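Review bot: len = skb->len is saved immediately before batadv_send_skb_to_orig() with no comment, while skb stays in scope for the rest of batadv_route_unicast_packet(), so a later edit can easily reintroduce a dereference after the send. Please add a comment at the assignment saying that skb may already be freed once batadv_send_skb_to_orig() returns and must not be touched afterwards.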
@@ -632,7 +634,7 @@ static int batadv_route_unicast_packet(struct sk_buff *skb,
 		/* skb was transmitted and consumed */
 		batadv_inc_counter(bat_priv, BATADV_CNT_FORWARD);
 		batadv_add_counter(bat_priv, BATADV_CNT_FORWARD_BYTES,
-				   skb->len + ETH_HLEN);
+				   len + ETH_HLEN);
 
 		ret = NET_RX_SUCCESS;
 	} else if (res == NET_XMIT_POLICED) {
-- 
2.7.4


* [PATCH 4.2.y-ckt 202/206] net: ehea: avoid null pointer dereference
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (200 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 201/206] batman-adv: fix skb deref after free Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 203/206] tuntap: correctly wake up process during uninit Kamal Mostafa
                   ` (3 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Heinrich Schuchardt, David S . Miller, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "xypron.glpk@gmx.de" <xypron.glpk@gmx.de>

commit 1740c29a46b30a2f157afc473156f157e599d4c2 upstream.

ehea_get_port may return NULL. Do not dereference NULL value.

Fixes: 8c4877a4128e ("ehea: Use the standard logging functions")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@debian.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/ethernet/ibm/ehea/ehea_main.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ethernet/ibm/ehea/ehea_main.c b/drivers/net/ethernet/ibm/ehea/ehea_main.c
index 2a0dc12..54efa9a 100644
--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c
+++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c
@@ -1169,16 +1169,15 @@ static void ehea_parse_eqe(struct ehea_adapter *adapter, u64 eqe)
 	ec = EHEA_BMASK_GET(NEQE_EVENT_CODE, eqe);
 	portnum = EHEA_BMASK_GET(NEQE_PORTNUM, eqe);
 	port = ehea_get_port(adapter, portnum);
+	if (!port) {
+		netdev_err(NULL, "unknown portnum %x\n", portnum);
+		return;
+	}
 	dev = port->netdev;
 
 	switch (ec) {
 	case EHEA_EC_PORTSTATE_CHG:	/* port state change */
 
-		if (!port) {
-			netdev_err(dev, "unknown portnum %x\n", portnum);
-			break;
-		}
-
 		if (EHEA_BMASK_GET(NEQE_PORT_UP, eqe)) {
 			if (!netif_carrier_ok(dev)) {
 				ret = ehea_sense_port_attr(port);
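Review bot: moving the !port check above the switch changes behaviour for every event code, not only EHEA_EC_PORTSTATE_CHG: ehea_parse_eqe() now returns before the switch whenever ehea_get_port() yields NULL. Please confirm that no case in the switch is meant to be handled without a valid port, since the commit message does not say. Separately, netdev_err(NULL, ...) produces a log line with no device identity; a message tied to the adapter would be more useful when diagnosing an unknown portnum.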
-- 
2.7.4


* [PATCH 4.2.y-ckt 203/206] tuntap: correctly wake up process during uninit
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (201 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 202/206] net: ehea: avoid null pointer dereference Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 204/206] uapi glibc compat: fix compilation when !__USE_MISC in glibc Kamal Mostafa
                   ` (2 subsequent siblings)
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Eric Dumazet, Xi Wang, Michael S . Tsirkin, Jason Wang,
	David S . Miller, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Jason Wang <jasowang@redhat.com>

commit addf8fc4acb1cf79492ac64966f07178793cb3d7 upstream.

We used to check dev->reg_state against NETREG_REGISTERED after each
time we are woken up. But after commit 9e641bdcfa4e ("net-tun:
restructure tun_do_read for better sleep/wakeup efficiency"), it uses
skb_recv_datagram() which does not check dev->reg_state. This will
result if we delete a tun/tap device after a process is blocked in the
reading. The device will wait for the reference count which was held
by that process for ever.

Fixes this by using RCV_SHUTDOWN which will be checked during
sk_recv_datagram() before trying to wake up the process during uninit.

Fixes: 9e641bdcfa4e ("net-tun: restructure tun_do_read for better
sleep/wakeup efficiency")
Cc: Eric Dumazet <edumazet@google.com>
Cc: Xi Wang <xii@google.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/tun.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 6049086..2405f4e 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -567,11 +567,13 @@ static void tun_detach_all(struct net_device *dev)
 	for (i = 0; i < n; i++) {
 		tfile = rtnl_dereference(tun->tfiles[i]);
 		BUG_ON(!tfile);
+		tfile->socket.sk->sk_shutdown = RCV_SHUTDOWN;
 		tfile->socket.sk->sk_data_ready(tfile->socket.sk);
 		RCU_INIT_POINTER(tfile->tun, NULL);
 		--tun->numqueues;
 	}
 	list_for_each_entry(tfile, &tun->disabled, next) {
+		tfile->socket.sk->sk_shutdown = RCV_SHUTDOWN;
 		tfile->socket.sk->sk_data_ready(tfile->socket.sk);
 		RCU_INIT_POINTER(tfile->tun, NULL);
 	}
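Review bot: both loops in tun_detach_all() set the flag with a plain assignment, sk_shutdown = RCV_SHUTDOWN, which discards any other shutdown bit already set on the socket, while tun_attach() in the next hunk clears only that bit with &= ~RCV_SHUTDOWN. Using |= RCV_SHUTDOWN here would make the two sides symmetric; if overwriting is intended, a comment should say why.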
@@ -627,6 +629,7 @@ static int tun_attach(struct tun_struct *tun, struct file *file, bool skip_filte
 			goto out;
 	}
 	tfile->queue_index = tun->numqueues;
+	tfile->socket.sk->sk_shutdown &= ~RCV_SHUTDOWN;
 	rcu_assign_pointer(tfile->tun, tun);
 	rcu_assign_pointer(tun->tfiles[tun->numqueues], tfile);
 	tun->numqueues++;
@@ -1409,9 +1412,6 @@ static ssize_t tun_do_read(struct tun_struct *tun, struct tun_file *tfile,
 	if (!iov_iter_count(to))
 		return 0;
 
-	if (tun->dev->reg_state != NETREG_REGISTERED)
-		return -EIO;
-
 	/* Read frames from queue */
 	skb = __skb_recv_datagram(tfile->socket.sk, noblock ? MSG_DONTWAIT : 0,
 				  &peeked, &off, &err);
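Review bot: removing the reg_state test also removes the explicit -EIO return from tun_do_read(), and neither this hunk nor the commit message states what a reader blocked in __skb_recv_datagram() gets back once RCV_SHUTDOWN is set during uninit. Please document the resulting return value in the commit message or in a comment here, since userspace may depend on the old errno.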
-- 
2.7.4


* [PATCH 4.2.y-ckt 204/206] uapi glibc compat: fix compilation when !__USE_MISC in glibc
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (202 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 203/206] tuntap: correctly wake up process during uninit Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 205/206] drivers/hwspinlock: use correct radix tree API Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 206/206] RDMA/cxgb3: device driver frees DMA memory with different size Kamal Mostafa
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Jan Engelhardt, Josh Boyer, Stephen Hemminger, Waldemar Brodkorb,
	Gabriel Laskar, Mikko Rapeli, Nicolas Dichtel, David S . Miller,
	Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Nicolas Dichtel <nicolas.dichtel@6wind.com>

commit f0a3fdca794d1e68ae284ef4caefe681f7c18e89 upstream.

These structures are defined only if __USE_MISC is set in glibc net/if.h
headers, ie when _BSD_SOURCE or _SVID_SOURCE are defined.

CC: Jan Engelhardt <jengelh@inai.de>
CC: Josh Boyer <jwboyer@fedoraproject.org>
CC: Stephen Hemminger <shemming@brocade.com>
CC: Waldemar Brodkorb <mail@waldemar-brodkorb.de>
CC: Gabriel Laskar <gabriel@lse.epita.fr>
CC: Mikko Rapeli <mikko.rapeli@iki.fi>
Fixes: 4a91cb61bb99 ("uapi glibc compat: fix compile errors when glibc net/if.h included before linux/if.h")
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 include/uapi/linux/libc-compat.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/uapi/linux/libc-compat.h b/include/uapi/linux/libc-compat.h
index d5e38c7..e4f048e 100644
--- a/include/uapi/linux/libc-compat.h
+++ b/include/uapi/linux/libc-compat.h
@@ -52,7 +52,7 @@
 #if defined(__GLIBC__)
 
 /* Coordinate with glibc net/if.h header. */
-#if defined(_NET_IF_H)
+#if defined(_NET_IF_H) && defined(__USE_MISC)
 
 /* GLIBC headers included first so don't define anything
  * that would already be defined. */
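Review bot: the condition now also requires __USE_MISC, but the comment above it still reads only "Coordinate with glibc net/if.h header." and the comment below still gives "GLIBC headers included first" as the whole reason. Please extend the comment to say that glibc defines these structures only under __USE_MISC, so the case of _NET_IF_H being defined without __USE_MISC is explained at the point where it is decided.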
-- 
2.7.4


* [PATCH 4.2.y-ckt 205/206] drivers/hwspinlock: use correct radix tree API
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (203 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 204/206] uapi glibc compat: fix compilation when !__USE_MISC in glibc Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 206/206] RDMA/cxgb3: device driver frees DMA memory with different size Kamal Mostafa
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Matthew Wilcox, Konstantin Khlebnikov, Kirill Shutemov, Jan Kara,
	Neil Brown, Ross Zwisler, Andrew Morton, Linus Torvalds,
	Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Matthew Wilcox <willy@linux.intel.com>

commit b76ba4af4ddd6a06f7f65769e7be1bc56556cdf5 upstream.

radix_tree_is_indirect_ptr() is an internal API.  The correct call to
use is radix_tree_deref_retry() which has the appropriate unlikely()
annotation.

Fixes: c6400ba7e13a ("drivers/hwspinlock: fix race between radix tree insertion and lookup")
Signed-off-by: Matthew Wilcox <willy@linux.intel.com>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Kirill Shutemov <kirill.shutemov@linux.intel.com>
Cc: Jan Kara <jack@suse.com>
Cc: Neil Brown <neilb@suse.de>
Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/hwspinlock/hwspinlock_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hwspinlock/hwspinlock_core.c b/drivers/hwspinlock/hwspinlock_core.c
index d50c701..4074441 100644
--- a/drivers/hwspinlock/hwspinlock_core.c
+++ b/drivers/hwspinlock/hwspinlock_core.c
@@ -313,7 +313,7 @@ int of_hwspin_lock_get_id(struct device_node *np, int index)
 		hwlock = radix_tree_deref_slot(slot);
 		if (unlikely(!hwlock))
 			continue;
-		if (radix_tree_is_indirect_ptr(hwlock)) {
+		if (radix_tree_deref_retry(hwlock)) {
 			slot = radix_tree_iter_retry(&iter);
 			continue;
 		}
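Review bot: at the `if (radix_tree_deref_retry(hwlock))` line this is an API-layering change, and the changelog gives only "internal API" and the `unlikely()` annotation as reasons, with no user-visible failure. For a stable queue, please say in the backport why it qualifies (for example as a prerequisite so that later radix tree patches apply cleanly), and confirm that c6400ba7e13a from the Fixes: tag is already in 4.2.y-ckt, since this hunk modifies the retry path that commit is credited with.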
-- 
2.7.4


* [PATCH 4.2.y-ckt 206/206] RDMA/cxgb3: device driver frees DMA memory with different size
  2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
                   ` (204 preceding siblings ...)
  2016-06-09 21:16 ` [PATCH 4.2.y-ckt 205/206] drivers/hwspinlock: use correct radix tree API Kamal Mostafa
@ 2016-06-09 21:16 ` Kamal Mostafa
  205 siblings, 0 replies; 208+ messages in thread
From: Kamal Mostafa @ 2016-06-09 21:16 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Honggang Li, Doug Ledford, Kamal Mostafa

4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Honggang Li <honli@redhat.com>

commit 0de4cbb3dddca35ecd06b95918f38439c9c6401f upstream.

[  598.852037] ------------[ cut here ]------------
[  598.856698] WARNING: at lib/dma-debug.c:887 check_unmap+0xf8/0x920()
[  598.863079] cxgb3 0000:01:00.0: DMA-API: device driver frees DMA memory with different size [device address=0x0000000003310000] [map size=17 bytes] [unmap size=16 bytes]
[  598.878265] Modules linked in: xprtrdma ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp scsi_tgt ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_sa ib_mad kvm_amd kvm ipmi_devintf ipmi_ssif dcdbas pcspkr ipmi_si sg ipmi_msghandler acpi_power_meter amd64_edac_mod shpchp edac_core sp5100_tco k10temp edac_mce_amd i2c_piix4 acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic crct10dif_common ata_generic iw_cxgb3 pata_acpi ib_core ib_addr mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit drm_kms_helper ttm pata_atiixp drm ahci libahci serio_raw i2c_core cxgb3 libata bnx2 mdio dm_mirror dm_region_hash dm_log dm_mod
[  598.946822] CPU: 3 PID: 11820 Comm: cmtime Not tainted 3.10.0-327.el7.x86_64.debug #1
[  598.954681] Hardware name: Dell Inc. PowerEdge R415/0GXH08, BIOS 2.0.2 10/22/2012
[  598.962193]  ffff8808077479a8 000000000381a432 ffff880807747960 ffffffff81700918
[  598.969663]  ffff880807747998 ffffffff8108b6c0 ffff880807747a80 ffff8808063f55c0
[  598.977132]  ffffffff833ca850 0000000000000282 ffff88080b1bb800 ffff880807747a00
[  598.984602] Call Trace:
[  598.987062]  [<ffffffff81700918>] dump_stack+0x19/0x1b
[  598.992224]  [<ffffffff8108b6c0>] warn_slowpath_common+0x70/0xb0
[  598.998254]  [<ffffffff8108b75c>] warn_slowpath_fmt+0x5c/0x80
[  599.004033]  [<ffffffff813903b8>] check_unmap+0xf8/0x920
[  599.009369]  [<ffffffff81025959>] ? sched_clock+0x9/0x10
[  599.014702]  [<ffffffff81390cee>] debug_dma_free_coherent+0x7e/0xa0
[  599.021008]  [<ffffffffa01ece2c>] cxio_destroy_cq+0xcc/0x160 [iw_cxgb3]
[  599.027654]  [<ffffffffa01e8da0>] iwch_destroy_cq+0xf0/0x140 [iw_cxgb3]
[  599.034307]  [<ffffffffa01c4bfe>] ib_destroy_cq+0x1e/0x30 [ib_core]
[  599.040601]  [<ffffffffa04ff2d2>] ib_uverbs_close+0x302/0x4d0 [ib_uverbs]
[  599.047417]  [<ffffffff812335a2>] __fput+0x102/0x310
[  599.052401]  [<ffffffff8123388e>] ____fput+0xe/0x10
[  599.057297]  [<ffffffff810bbde4>] task_work_run+0xb4/0xe0
[  599.062719]  [<ffffffff81092a84>] do_exit+0x304/0xc60
[  599.067789]  [<ffffffff81025905>] ? native_sched_clock+0x35/0x80
[  599.073820]  [<ffffffff81025959>] ? sched_clock+0x9/0x10
[  599.079153]  [<ffffffff8170a49c>] ? _raw_spin_unlock_irq+0x2c/0x50
[  599.085358]  [<ffffffff8109346c>] do_group_exit+0x4c/0xc0
[  599.090779]  [<ffffffff810a8661>] get_signal_to_deliver+0x2e1/0x960
[  599.097071]  [<ffffffff8101c497>] do_signal+0x57/0x6e0
[  599.102229]  [<ffffffff81714bd1>] ? sysret_signal+0x5/0x4e
[  599.107738]  [<ffffffff8101cb7f>] do_notify_resume+0x5f/0xb0
[  599.113418]  [<ffffffff81714e7d>] int_signal+0x12/0x17
[  599.118576] ---[ end trace 1e4653102e7e7019 ]---
[  599.123211] Mapped at:
[  599.125577]  [<ffffffff8138ed8b>] debug_dma_alloc_coherent+0x2b/0x80
[  599.131968]  [<ffffffffa01ec862>] cxio_create_cq+0xf2/0x1f0 [iw_cxgb3]
[  599.139920]  [<ffffffffa01e9c05>] iwch_create_cq+0x105/0x4e0 [iw_cxgb3]
[  599.147895]  [<ffffffffa0500584>] create_cq.constprop.14+0x184/0x2e0 [ib_uverbs]
[  599.156649]  [<ffffffffa05027fb>] ib_uverbs_create_cq+0x10b/0x140 [ib_uverbs]

Fixes: b955150ea784 ('RDMA/cxgb3: When a user QP is marked in error, also mark the CQs in error')
Signed-off-by: Honggang Li <honli@redhat.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/infiniband/hw/cxgb3/cxio_hal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/cxgb3/cxio_hal.c b/drivers/infiniband/hw/cxgb3/cxio_hal.c
index de1c61b4..ada2e50 100644
--- a/drivers/infiniband/hw/cxgb3/cxio_hal.c
+++ b/drivers/infiniband/hw/cxgb3/cxio_hal.c
@@ -327,7 +327,7 @@ int cxio_destroy_cq(struct cxio_rdev *rdev_p, struct t3_cq *cq)
 	kfree(cq->sw_queue);
 	dma_free_coherent(&(rdev_p->rnic_info.pdev->dev),
 			  (1UL << (cq->size_log2))
-			  * sizeof(struct t3_cqe), cq->queue,
+			  * sizeof(struct t3_cqe) + 1, cq->queue,
 			  dma_unmap_addr(cq, mapping));
 	cxio_hal_put_cqid(rdev_p->rscp, cq->cqid);
 	return err;
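Review bot: the bare `+ 1` added to the `dma_free_coherent()` size is unexplained, both in the code and in the changelog, which consists only of the dma-debug splat (map size 17 bytes, unmap size 16 bytes). By operator precedence it adds one byte, not one `struct t3_cqe`; that matches the splat but needs a comment saying what the extra byte is for. Better still, compute the size in one helper, or store it in `struct t3_cq` at allocation time, so that `cxio_create_cq()` and `cxio_destroy_cq()` cannot drift apart again.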
-- 
2.7.4


* RE: [PATCH 4.2.y-ckt 006/206] drm/i915: Exit cherryview_irq_handler() after one pass
  2016-06-09 21:13 ` [PATCH 4.2.y-ckt 006/206] drm/i915: Exit cherryview_irq_handler() after one pass Kamal Mostafa
@ 2016-06-10  8:37   ` Ursulin, Tvrtko
  0 siblings, 0 replies; 208+ messages in thread
From: Ursulin, Tvrtko @ 2016-06-10  8:37 UTC (permalink / raw)
  To: Kamal Mostafa, linux-kernel, stable, kernel-team
  Cc: Chris Wilson, Ville Syrjälä, Antti Koskipää

Hi,

Should not be cherry picked to stable, it needs many more patches to make it work or otherwise breaks the platform.

Regards,

Tvrtko

> -----Original Message-----
> From: Kamal Mostafa [mailto:kamal@canonical.com]
> Sent: Thursday, June 09, 2016 10:14 PM
> To: linux-kernel@vger.kernel.org; stable@vger.kernel.org; kernel-
> team@lists.ubuntu.com
> Cc: Chris Wilson; Ville Syrjälä; Antti Koskipää; Ursulin, Tvrtko; Kamal Mostafa
> Subject: [PATCH 4.2.y-ckt 006/206] drm/i915: Exit cherryview_irq_handler()
> after one pass
> 
> 4.2.8-ckt12 -stable review patch.  If anyone has any objections, please let me
> know.
> 
> ---8<------------------------------------------------------------
> 
> From: Chris Wilson <chris@chris-wilson.co.uk>
> 
> commit 579de73b048a0a4c66c25a033ac76a2836e0cf73 upstream.
> 
> This effectively reverts
> 
> commit 8e5fd599eb219f1054e39b40d18b217af669eea9
> Author: Ville Syrjälä <ville.syrjala@linux.intel.com>
> Date:   Wed Apr 9 13:28:50 2014 +0300
> 
>     drm/i915/chv: Make CHV irq handler loop until all interrupts are consumed
> 
> as under continuous execlists load we can saturate the IRQ handler,
> destabilising the tsc clock and triggering the NMI watchdog to declare a hung
> CPU.
> 
> [  552.756051] clocksource: timekeeping watchdog on CPU0: Marking
> clocksource 'tsc' as unstable because the skew is too large:
> [  552.756080] clocksource:                       'refined-jiffies' wd_now: 10003b480
> wd_last: 10003b28c mask: ffffffff
> [  552.756091] clocksource:                       'tsc' cs_now: d55d31aa50 cs_last:
> d17446166c mask: ffffffffffffffff
> [  552.756210] clocksource: Switched to clocksource refined-jiffies
> [  575.217870] NMI watchdog: Watchdog detected hard LOCKUP on cpu 1
> [  575.217893] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.5.0-rc7+ #18
> [  575.217905] Hardware name:                  /NUC5CPYB, BIOS
> PYBSWCEL.86A.0027.2015.0507.1758 05/07/2015
> [  575.217915]  0000000000000000 ffff88027fd05bc0 ffffffff81288c6d
> 0000000000000000
> [  575.217935]  0000000000000001 ffff88027fd05be0 ffffffff810e72d1
> 0000000000000000
> [  575.217951]  ffff88027fd05c80 ffff88027fd05c20 ffffffff81114b60
> 0000000181015f1e
> [  575.217967] Call Trace:
> [  575.217973]  <NMI>  [<ffffffff81288c6d>] dump_stack+0x4f/0x72
> [  575.217994]  [<ffffffff810e72d1>]
> watchdog_overflow_callback+0x151/0x160
> [  575.218003]  [<ffffffff81114b60>] __perf_event_overflow+0xa0/0x1e0
> [  575.218016]  [<ffffffff811154c4>] perf_event_overflow+0x14/0x20
> [  575.218028]  [<ffffffff8101d2ca>] intel_pmu_handle_irq+0x1da/0x460
> [  575.218042]  [<ffffffff814a8aae>] ? poll_idle+0x3e/0x70
> [  575.218052]  [<ffffffff814a8aae>] ? poll_idle+0x3e/0x70
> [  575.218064]  [<ffffffff81014ae8>] perf_event_nmi_handler+0x28/0x50
> [  575.218075]  [<ffffffff81007540>] nmi_handle+0x60/0x130
> [  575.218086]  [<ffffffff814a8aae>] ? poll_idle+0x3e/0x70
> [  575.218096]  [<ffffffff810079c0>] do_nmi+0x140/0x470
> [  575.218108]  [<ffffffff81559ec7>] end_repeat_nmi+0x1a/0x1e
> [  575.218119]  [<ffffffff814a8aae>] ? poll_idle+0x3e/0x70
> [  575.218129]  [<ffffffff814a8aae>] ? poll_idle+0x3e/0x70
> [  575.218139]  [<ffffffff814a8aae>] ? poll_idle+0x3e/0x70
> [  575.218148]  <<EOE>>  [<ffffffff814a8353>]
> cpuidle_enter_state+0xf3/0x2f0
> [  575.218164]  [<ffffffff814a8587>] cpuidle_enter+0x17/0x20
> [  575.218175]  [<ffffffff810aaa3a>] call_cpuidle+0x2a/0x40
> [  575.218185]  [<ffffffff810aade3>] cpu_startup_entry+0x273/0x330
> [  575.218196]  [<ffffffff81033a1e>] start_secondary+0x10e/0x130
> 
> However, not servicing all available IIR within the handler does hurt the
> throughput of pathological nop execbuf by about 20%, with a similar effect
> upon the dispatch latency of a series of execbuf.
> 
> v2: use do {} while(0) for a smaller patch, and easier to revert again
> 
> I have reasonable confidence that we do not miss GT interrupts (as
> execlists provides a stress case with a failure mechanism easily
> detected by igt), however I have less confidence about all the other
> sources of interrupts and worry that we may lose a display hotplug
> interrupt, for example.
> 
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93467
> Testcase: igt/gem_exec_nop/basic # requires NMI watchdog
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
> Cc: Antti Koskipää <antti.koskipaa@linux.intel.com>
> Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
> Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
> Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
> Link: http://patchwork.freedesktop.org/patch/msgid/1457946117-6714-1-git-
> send-email-chris@chris-wilson.co.uk
> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
> ---
>  drivers/gpu/drm/i915/i915_irq.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_irq.c
> b/drivers/gpu/drm/i915/i915_irq.c
> index 6a51bc6..6f453fe 100644
> --- a/drivers/gpu/drm/i915/i915_irq.c
> +++ b/drivers/gpu/drm/i915/i915_irq.c
> @@ -1837,7 +1837,7 @@ static irqreturn_t cherryview_irq_handler(int irq,
> void *arg)
>  	if (!intel_irqs_enabled(dev_priv))
>  		return IRQ_NONE;
> 
> -	for (;;) {
> +	do {
>  		master_ctl = I915_READ(GEN8_MASTER_IRQ) &
> ~GEN8_MASTER_IRQ_CONTROL;
>  		iir = I915_READ(VLV_IIR);
> 
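Review bot: `do {` opening a body that is later closed with `while (0)` reads like leftover scaffolding. The v2 note in the changelog says the form was chosen for a smaller patch that is easy to revert, so please record that in a comment at the `do {` line (single pass is intentional, see the NMI watchdog lockup) so that it is not turned back into a loop during cleanup.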
> @@ -1865,7 +1865,7 @@ static irqreturn_t cherryview_irq_handler(int irq,
> void *arg)
> 
>  		I915_WRITE(GEN8_MASTER_IRQ,
> DE_MASTER_IRQ_CONTROL);
>  		POSTING_READ(GEN8_MASTER_IRQ);
> -	}
> +	} while (0);
> 
>  	return ret;
>  }
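Review bot: with `} while (0);` the handler returns after a single read of `GEN8_MASTER_IRQ` and `VLV_IIR`, and the changelog itself is unsure whether non-GT sources such as display hotplug can then be missed. Together with the objection at the top of this reply that the change needs many more patches to work, this should be dropped from 4.2.y-ckt unless the prerequisite commits are identified and queued with it.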
> --
> 2.7.4


Thread overview: 208+ messages
2016-06-09 21:13 [4.2.y-ckt stable] Linux 4.2.8-ckt12 stable review Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 001/206] ath10k: fix firmware assert in monitor mode Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 002/206] drm/i915: Fix race condition in intel_dp_destroy_mst_connector() Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 003/206] ath10k: fix debugfs pktlog_filter write Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 004/206] drm/i915: Call intel_dp_mst_resume() before resuming displays Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 005/206] ARM: mvebu: fix GPIO config on the Linksys boards Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 006/206] drm/i915: Exit cherryview_irq_handler() after one pass Kamal Mostafa
2016-06-10  8:37   ` Ursulin, Tvrtko
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 007/206] ath5k: Change led pin configuration for compaq c700 laptop Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 008/206] xfs: disallow rw remount on fs with unknown ro-compat features Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 009/206] xfs: Don't wrap growfs AGFL indexes Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 010/206] rtlwifi: rtl8723be: Add antenna select module parameter Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 011/206] rtlwifi: btcoexist: Implement antenna selection Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 012/206] drm/gma500: Fix possible out of bounds read Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 013/206] Bluetooth: vhci: fix open_timeout vs. hdev race Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 014/206] Bluetooth: vhci: purge unhandled skbs Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 015/206] cpuidle: Indicate when a device has been unregistered Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 016/206] mfd: intel_quark_i2c_gpio: Use clkdev_create() Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 017/206] mfd: intel_quark_i2c_gpio: Remove clock tree on error path Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 018/206] [media] media: v4l2-compat-ioctl32: fix missing reserved field copy in put_v4l2_create32 Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 019/206] scsi: Add intermediate STARGET_REMOVE state to scsi_target_state Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 020/206] Revert "scsi: fix soft lockup in scsi_remove_target() on module removal" Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 021/206] drm/i915/dsi: fix CHV dsi encoder hardware state readout on port C Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 022/206] usb: f_mass_storage: test whether thread is running before starting another Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 023/206] hwmon: (ads7828) Enable internal reference Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 024/206] ath10k: fix rx_channel during hw reconfigure Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 025/206] Bluetooth: vhci: Fix race at creating hci device Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 026/206] powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 027/206] PM / Runtime: Fix error path in pm_runtime_force_resume() Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 028/206] crypto: s5p-sss - Fix missed interrupts when working with 8 kB blocks Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 029/206] ath9k: Add a module parameter to invert LED polarity Kamal Mostafa
2016-06-09 21:13 ` [PATCH 4.2.y-ckt 030/206] ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 031/206] pinctrl: exynos5440: Use off-stack memory for pinctrl_gpio_range Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 032/206] btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 033/206] usb: core: hub: hub_port_init lock controller instead of bus Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 034/206] serial: 8250_pci: fix divide error bug if baud rate is 0 Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 035/206] TTY: n_gsm, fix false positive WARN_ON Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 036/206] staging: comedi: das1800: fix possible NULL dereference Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 037/206] arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 038/206] KVM: x86: fix ordering of cr0 initialization code in vmx_cpu_reset Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 039/206] aacraid: Relinquish CPU during timeout wait Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 040/206] aacraid: Fix for aac_command_thread hang Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 041/206] aacraid: Fix for KDUMP driver hang Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 042/206] ext4: fix hang when processing corrupted orphaned inode list Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 043/206] MIPS: ath79: make bootconsole wait for both THRE and TEMT Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 044/206] Drivers: hv_vmbus: Fix signal to host condition Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 045/206] Drivers: hv: ring_buffer.c: fix comment style Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 046/206] Drivers: hv: vmbus: Fix signaling logic in hv_need_to_signal_on_read() Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 047/206] mei: fix NULL dereferencing during FW initiated disconnection Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 048/206] mei: amthif: discard not read messages Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 049/206] tty: Abstract tty buffer work Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 050/206] Fix OpenSSH pty regression on close Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 051/206] QE-UART: add "fsl,t1040-ucc-uart" to of_device_id Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 052/206] thunderbolt: Fix double free of drom buffer Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 053/206] USB: serial: option: add support for Cinterion PH8 and AHxx Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 054/206] USB: leave LPM alone if possible when binding/unbinding interface drivers Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 055/206] usb: misc: usbtest: format the data pattern according to max packet size Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 056/206] usb: misc: usbtest: fix pattern tests for scatterlists Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 057/206] mcb: Fixed bar number assignment for the gdd Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 058/206] USB: serial: option: add more ZTE device ids Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 059/206] USB: serial: option: add even " Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 060/206] ACPI / osi: Fix an issue that acpi_osi=!* cannot disable ACPICA internal strings Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 061/206] drm/amdgpu: use drm_mode_vrefresh() rather than mode->vrefresh Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 062/206] USB: serial: cp210x: fix hardware flow-control disable Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 063/206] ext4: fix oops on corrupted filesystem Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 064/206] ext4: address UBSAN warning in mb_find_order_for_block() Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 065/206] ext4: silence UBSAN in ext4_mb_init() Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 066/206] arm64: Ensure pmd_present() returns false after pmd_mknotpresent() Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 067/206] ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 068/206] ath10k: fix kernel panic, move arvifs list head init before htt init Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 069/206] can: fix handling of unmodifiable configuration options Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 070/206] MIPS: Fix siginfo.h to use strict posix types Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 071/206] MIPS: Don't unwind to user mode with EVA Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 072/206] MIPS: Avoid using unwind_stack() with usermode Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 073/206] MIPS: Reserve nosave data for hibernation Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 074/206] MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 075/206] MIPS64: R6: R2 emulation bugfix Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 076/206] usb: host: xhci-rcar: Avoid long wait in xhci_reset() Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 077/206] mfd: omap-usb-tll: Fix scheduling while atomic BUG Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 078/206] USB: serial: io_edgeport: fix memory leaks in attach error path Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 079/206] USB: serial: io_edgeport: fix memory leaks in probe " Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 080/206] USB: serial: keyspan: fix use-after-free " Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 081/206] USB: serial: mxuport: " Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 082/206] USB: serial: quatech2: " Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 083/206] crypto: caam - fix caam_jr_alloc() ret code Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 084/206] MIPS: KVM: Fix timer IRQ race when freezing timer Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 085/206] MIPS: KVM: Fix timer IRQ race when writing CP0_Compare Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 086/206] gcov: disable tree-loop-im to reduce stack usage Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 087/206] irqchip/gic: Ensure ordering between read of INTACK and shared data Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 088/206] irqchip/gic-v3: Configure all interrupts as non-secure Group-1 Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 089/206] arm64: cpuinfo: Missing NULL terminator in compat_hwcap_str Kamal Mostafa
2016-06-09 21:14 ` [PATCH 4.2.y-ckt 090/206] kbuild: move -Wunused-const-variable to W=1 warning level Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 091/206] rtlwifi: Fix logic error in enter/exit power-save mode Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 092/206] rtlwifi: pci: use dev_kfree_skb_irq instead of kfree_skb in rtl_pci_reset_trx_ring Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 093/206] sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded systems Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 094/206] powerpc/eeh: Don't report error in eeh_pe_reset_and_recover() Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 095/206] powerpc/eeh: Restore initial state " Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 096/206] Revert "powerpc/eeh: Fix crash in eeh_add_device_early() on Cell" Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 097/206] MIPS: Handle highmem pages in __update_cache Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 098/206] MIPS: Sync icache & dcache in set_pte_at Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 099/206] SIGNAL: Move generic copy_siginfo() to signal.h Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 100/206] MIPS: Fix uapi include in exported asm/siginfo.h Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 101/206] MIPS: math-emu: Fix jalr emulation when rd == $0 Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 102/206] MIPS: ptrace: Fix FP context restoration FCSR regression Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 103/206] MIPS: ptrace: Prevent writes to read-only FCSR bits Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 104/206] MIPS: Disable preemption during prctl(PR_SET_FP_MODE, ...) Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 105/206] MIPS: Force CPUs to lose FP context during mode switches Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 106/206] ring-buffer: Use long for nr_pages to avoid overflow failures Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 107/206] ring-buffer: Prevent overflow of size in ring_buffer_resize() Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 108/206] mmc: mmc: Fix partition switch timeout for some eMMCs Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 109/206] PCI: Disable all BAR sizing for devices with non-compliant BARs Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 110/206] MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 111/206] drm/i915/fbdev: Fix num_connector references in intel_fb_initial_config() Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 112/206] drm/fb_helper: Fix references to dev->mode_config.num_connector Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 113/206] fs/cifs: correctly to anonymous authentication via NTLMSSP Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 114/206] fs/cifs: correctly to anonymous authentication for the LANMAN authentication Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 115/206] fs/cifs: correctly to anonymous authentication for the NTLM(v1) authentication Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 116/206] fs/cifs: correctly to anonymous authentication for the NTLM(v2) authentication Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 117/206] remove directory incorrectly tries to set delete on close on non-empty directories Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 118/206] cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter() Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 119/206] xfs: xfs_iflush_cluster fails to abort on error Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 120/206] xfs: fix inode validity check in xfs_iflush_cluster Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 121/206] xfs: skip stale inodes " Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 122/206] KVM: MTRR: remove MSR 0x2f8 Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 123/206] ASoC: ak4642: Enable cache usage to fix crashes on resume Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 124/206] cifs: Create dedicated keyring for spnego operations Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 125/206] ALSA: hda - Fix headphone noise on Dell XPS 13 9360 Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 126/206] kvm: arm64: Fix EC field in inject_abt64 Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 127/206] Input: uinput - handle compat ioctl for UI_SET_PHYS Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 128/206] PM / sleep: Handle failures in device_suspend_late() consistently Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 129/206] mm: use phys_addr_t for reserve_bootmem_region() arguments Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 130/206] locking,qspinlock: Fix spin_is_locked() and spin_unlock_wait() Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 131/206] drm/i915: Don't leave old junk in ilk active watermarks on readout Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 132/206] mmc: longer timeout for long read time quirk Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 133/206] mmc: sdhci-pci: Remove MMC_CAP_BUS_WIDTH_TEST for Intel controllers Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 134/206] mmc: sdhci-acpi: " Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 135/206] sunrpc: fix stripping of padded MIC tokens Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 136/206] wait/ptrace: assume __WALL if the child is traced Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 137/206] xen/x86: actually allocate legacy interrupts on PV guests Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 138/206] xen/events: Don't move disabled irqs Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 139/206] UBI: Fix static volume checks when Fastmap is used Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 140/206] drm/amdgpu: Fix hdmi deep color support Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 141/206] dma-debug: avoid spinlock recursion when disabling dma-debug Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 142/206] dell-rbtn: Ignore ACPI notifications if device is suspended Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 143/206] Input: xpad - prevent spurious input from wired Xbox 360 controllers Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 144/206] Input: pwm-beeper - fix - scheduling while atomic Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 145/206] MIPS: lib: Mark intrinsics notrace Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 146/206] hpfs: fix remount failure when there are no options changed Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 147/206] affs: " Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 148/206] hpfs: implement the show_options method Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 149/206] regmap: cache: Fix typo in cache_bypass parameter description Kamal Mostafa
2016-06-09 21:15 ` [PATCH 4.2.y-ckt 150/206] ARM: dts: kirkwood: add kirkwood-ds112.dtb to Makefile Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 151/206] serial: doc: Un-document non-existing uart_write_console() Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 152/206] iio: buffer: add missing descriptions in iio_buffer_access_funcs Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 153/206] iommu/vt-d: Ratelimit fault handler Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 154/206] iommu/vt-d: Improve fault handler error messages Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 155/206] power: ipaq-micro-battery: freeing the wrong variable Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 156/206] ARM: OMAP2+: hwmod: fix _idle() hwmod state sanity check sequence Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 157/206] security: drop the unused hook skb_owned_by Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 158/206] mfd: lp8788-irq: Uninitialized variable in irq handler Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 159/206] am437x-vfpe: fix typo in vpfe_get_app_input_index Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 160/206] am437x-vpfe: fix an uninitialized variable bug Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 161/206] cx23885: uninitialized variable in cx23885_av_work_handler() Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 162/206] ipv6, token: allow for clearing the current device token Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 163/206] usb: gadget: f_fs: Fix EFAULT generation for async read operations Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 164/206] perf test: Ignore kcore files in the "vmlinux matches kallsyms" test Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 165/206] EDAC: Increment correct counter in edac_inc_ue_error() Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 166/206] PCI: Supply CPU physical address (not bus address) to iomem_is_exclusive() Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 167/206] alpha/PCI: Call iomem_is_exclusive() for IORESOURCE_MEM, but not IORESOURCE_IO Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 168/206] ARM: debug: remove extraneous DEBUG_HI3716_UART option Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 169/206] cxl: Fix DAR check & use REGION_ID instead of opencoding Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 170/206] taskstats: fix nl parsing in accounting/getdelays.c Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 171/206] char: Drop bogus dependency of DEVPORT on !M68K Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 172/206] driver-core: use 'dev' argument in dev_dbg_ratelimited stub Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 173/206] metag: Fix atomic_*_return inline asm constraints Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 174/206] tty: vt, return error when con_startup fails Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 175/206] cpufreq: Fix GOV_LIMITS handling for the userspace governor Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 176/206] ACPI / sysfs: fix error code in get_status() Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 177/206] clk: qcom: msm8916: Fix crypto clock flags Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 178/206] MIPS: BMIPS: Fix PRID_IMP_BMIPS5000 masking for BMIPS5200 Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 179/206] NFS: Fix an LOCK/OPEN race when unlinking an open file Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 180/206] ata: sata_dwc_460ex: remove incorrect locking Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 181/206] s390/vmem: fix identity mapping Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 182/206] perf tools: Fix perf regs mask generation Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 183/206] powerpc/sstep: Fix sstep.c compile on powerpcspe Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 184/206] MIPS: BMIPS: BMIPS5000 has I cache filing from D cache Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 185/206] MIPS: BMIPS: Clear MIPS_CACHE_ALIASES earlier Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 186/206] MIPS: BMIPS: local_r4k___flush_cache_all needs to blast S-cache Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 187/206] MIPS: BMIPS: Pretty print BMIPS5200 processor name Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 188/206] MIPS: math-emu: Fix BC1{EQ,NE}Z emulation Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 189/206] MIPS: Fix BC1{EQ,NE}Z return offset calculation Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 190/206] MIPS: BMIPS: Adjust mips-hpt-frequency for BCM7435 Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 191/206] IB/srp: Print "ib_srp: " prefix once Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 192/206] IB/IWPM: Fix a potential skb leak Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 193/206] i40e: fix an uninitialized variable bug Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 194/206] blk-mq: fix undefined behaviour in order_to_size() Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 195/206] x86/PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 196/206] netlink: Fix dump skb leak/double free Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 197/206] MIPS: ath79: fix regression in PCI window initialization Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 198/206] sched/preempt: Fix preempt_count manipulations Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 199/206] tipc: fix nametable publication field in nl compat Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 200/206] sunrpc: Update RPCBIND_MAXNETIDLEN Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 201/206] batman-adv: fix skb deref after free Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 202/206] net: ehea: avoid null pointer dereference Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 203/206] tuntap: correctly wake up process during uninit Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 204/206] uapi glibc compat: fix compilation when !__USE_MISC in glibc Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 205/206] drivers/hwspinlock: use correct radix tree API Kamal Mostafa
2016-06-09 21:16 ` [PATCH 4.2.y-ckt 206/206] RDMA/cxgb3: device driver frees DMA memory with different size Kamal Mostafa
