commit 8d5e93bb8c9c48ee5948f6b1aff0e895381f09e6 Author: Greg Kroah-Hartman Date: Sat Sep 24 10:08:14 2016 +0200 Linux 4.4.22 commit 7e30e5bb42de8039d78dd8c4c69039e155d536d1 Author: Guenter Roeck Date: Sat Sep 17 12:57:24 2016 -0700 openrisc: fix the fix of copy_from_user() commit 8e4b72054f554967827e18be1de0e8122e6efc04 upstream. Since commit acb2505d0119 ("openrisc: fix copy_from_user()"), copy_from_user() returns the number of bytes requested, not the number of bytes not copied. Cc: Al Viro Fixes: acb2505d0119 ("openrisc: fix copy_from_user()") Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 8519e2886bbe1be0aed485142d0939e3f917e876 Author: Guenter Roeck Date: Sat Sep 17 07:52:49 2016 -0700 avr32: fix 'undefined reference to `___copy_from_user' commit 65c0044ca8d7c7bbccae37f0ff2972f0210e9f41 upstream. avr32 builds fail with: arch/avr32/kernel/built-in.o: In function `arch_ptrace': (.text+0x650): undefined reference to `___copy_from_user' arch/avr32/kernel/built-in.o:(___ksymtab+___copy_from_user+0x0): undefined reference to `___copy_from_user' kernel/built-in.o: In function `proc_doulongvec_ms_jiffies_minmax': (.text+0x5dd8): undefined reference to `___copy_from_user' kernel/built-in.o: In function `proc_dointvec_minmax_sysadmin': sysctl.c:(.text+0x6174): undefined reference to `___copy_from_user' kernel/built-in.o: In function `ptrace_has_cap': ptrace.c:(.text+0x69c0): undefined reference to `___copy_from_user' kernel/built-in.o:ptrace.c:(.text+0x6b90): more undefined references to `___copy_from_user' follow Fixes: 8630c32275ba ("avr32: fix copy_from_user()") Cc: Al Viro Acked-by: Havard Skinnemoen Acked-by: Hans-Christian Noren Egtvedt Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 005a4638aeaeba4f3540fa2a9bd4af870dbd981a Author: Al Viro Date: Thu Aug 18 21:31:41 2016 -0400 ia64: copy_from_user() should zero the destination on access_ok() failure commit a5e541f796f17228793694d64b507f5f57db4cd7 upstream. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 2fbc61d977c4ad1d448c67fa56d8c689121e7f19 Author: Thomas Gleixner Date: Mon Jul 4 15:32:25 2016 +0200 genirq/msi: Fix broken debug output commit 4364e1a29be16b2783c0bcbc263f61236af64281 upstream. virq is not required to be the same for all msi descs. Use the base irq number from the desc in the debug printk. Reported-by: Ingo Molnar Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 735e76b1bf048ff435477b0b07941a3561215bdc Author: Al Viro Date: Sun Aug 21 19:16:26 2016 -0400 ppc32: fix copy_from_user() commit 224264657b8b228f949b42346e09ed8c90136a8e upstream. should clear on access_ok() failures. Also remove the useless range truncation logics. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 6de81788b42ff5ce5355ffd8c92341023c628a5c Author: Al Viro Date: Mon Aug 22 00:23:07 2016 -0400 sparc32: fix copy_from_user() commit 917400cecb4b52b5cde5417348322bb9c8272fa6 upstream. Acked-by: David S. Miller Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 22782f043e5900e14928760de0f01ef6935d7e8d Author: Al Viro Date: Sat Aug 20 16:33:10 2016 -0400 mn10300: copy_from_user() should zero on access_ok() failure... commit ae7cc577ec2a4a6151c9e928fd1f595d953ecef1 upstream. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit ba5bfcba1f57eb99f6ef4fe91e2d1d9d8b9f4d50 Author: Al Viro Date: Sat Aug 20 16:36:36 2016 -0400 nios2: copy_from_user() should zero the tail of destination commit e33d1f6f72cc82fcfc3d1fb20c9e3ad83b1928fa upstream. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 40c38ca6075b5e0fdee03731936b0b5f86a49cbc Author: Al Viro Date: Sat Aug 20 17:05:21 2016 -0400 openrisc: fix copy_from_user() commit acb2505d0119033a80c85ac8d02dccae41271667 upstream. ... that should zero on faults. Also remove the helpful logics wrt range truncation copied from ppc32. Where it had ever been needed only in case of copy_from_user() *and* had not been merged into the mainline until a month after the need had disappeared. A decade before openrisc went into mainline, I might add... Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 25581084396957ea7fc0a265c3ab4bacb07b15c1 Author: Al Viro Date: Sat Aug 20 19:03:37 2016 -0400 parisc: fix copy_from_user() commit aace880feea38875fbc919761b77e5732a3659ef upstream. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 312357440573be806fcaf4b2fb0c36078476ec30 Author: Al Viro Date: Thu Aug 18 22:08:20 2016 -0400 metag: copy_from_user() should zero the destination on access_ok() failure commit 8ae95ed4ae5fc7c3391ed668b2014c9e2079533b upstream. Acked-by: James Hogan Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 0883ebba7a459ff06ec305b1694bcc17424209bf Author: Al Viro Date: Wed Aug 17 16:02:32 2016 -0400 alpha: fix copy_from_user() commit 2561d309dfd1555e781484af757ed0115035ddb3 upstream. it should clear the destination even when access_ok() fails. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 2e51ca2d942c67c81fdc981f9d144db1e50ee942 Author: Al Viro Date: Wed Aug 17 16:36:37 2016 -0400 asm-generic: make copy_from_user() zero the destination properly commit 2545e5da080b4839dd859e3b09343a884f6ab0e3 upstream. ... in all cases, including the failing access_ok() Note that some architectures using asm-generic/uaccess.h have __copy_from_user() not zeroing the tail on failure halfway through. This variant works either way. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 8b3f6edcdd3e71feaf8cb4c428fd1b58fcf1e0b1 Author: Al Viro Date: Sat Aug 20 16:18:53 2016 -0400 mips: copy_from_user() must zero the destination on access_ok() failure commit e69d700535ac43a18032b3c399c69bf4639e89a2 upstream. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 0be8d73a033a3fee288c8f51990213449e94b204 Author: Al Viro Date: Thu Aug 18 21:16:49 2016 -0400 hexagon: fix strncpy_from_user() error return commit f35c1e0671728d1c9abc405d05ef548b5fcb2fc4 upstream. It's -EFAULT, not -1 (and contrary to the comment in there, __strnlen_user() can return 0 - on faults). Acked-by: Richard Kuo Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit df243b41c66ebad9361bfb75fa022dd168ffb394 Author: Al Viro Date: Sun Aug 21 23:39:47 2016 -0400 sh: fix copy_from_user() commit 6e050503a150b2126620c1a1e9b3a368fcd51eac upstream. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit dd23e60ee45ec7c0f78853e6791e97dc08eff8a2 Author: Al Viro Date: Sun Aug 21 22:30:44 2016 -0400 score: fix copy_from_user() and friends commit b615e3c74621e06cd97f86373ca90d43d6d998aa upstream. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 0356e0999ba48e6f22d94634ea198aa5934b063a Author: Al Viro Date: Fri Sep 9 19:16:58 2016 -0400 blackfin: fix copy_from_user() commit 8f035983dd826d7e04f67b28acf8e2f08c347e41 upstream. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 012c06e027b86ba99b30511af43b66631bb85ba2 Author: Al Viro Date: Thu Aug 18 19:34:00 2016 -0400 cris: buggered copy_from_user/copy_to_user/clear_user commit eb47e0293baaa3044022059f1fa9ff474bfe35cb upstream. * copy_from_user() on access_ok() failure ought to zero the destination * none of those primitives should skip the access_ok() check in case of small constant size. Acked-by: Jesper Nilsson Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit ad3817096cf97fad790f45a38c53d5bb39c1b5be Author: Al Viro Date: Thu Aug 18 20:54:02 2016 -0400 frv: fix clear_user() commit 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 upstream. It should check access_ok(). Otherwise a bunch of places turn into trivially exploitable rootholes. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit c6a4404dc27411fe3f1876dbf21f1839bcc207c1 Author: Al Viro Date: Wed Aug 17 23:19:01 2016 -0400 asm-generic: make get_user() clear the destination on errors commit 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa upstream. both for access_ok() failures and for faults halfway through Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 59a2d6b2a6851435a34a7f42a1082367ac8296f0 Author: Vineet Gupta Date: Fri Aug 19 12:10:02 2016 -0700 ARC: uaccess: get_user to zero out dest in cause of fault commit 05d9d0b96e53c52a113fd783c0c97c830c8dc7af upstream. Al reported potential issue with ARC get_user() as it wasn't clearing out destination pointer in case of fault due to bad address etc. Verified using following | { | u32 bogus1 = 0xdeadbeef; | u64 bogus2 = 0xdead; | int rc1, rc2; | | pr_info("Orig values %x %llx\n", bogus1, bogus2); | rc1 = get_user(bogus1, (u32 __user *)0x40000000); | rc2 = get_user(bogus2, (u64 __user *)0x50000000); | pr_info("access %d %d, new values %x %llx\n", | rc1, rc2, bogus1, bogus2); | } | [ARCLinux]# insmod /mnt/kernel-module/qtn.ko | Orig values deadbeef dead | access -14 -14, new values 0 0 Reported-by: Al Viro Cc: Linus Torvalds Cc: linux-snps-arc@lists.infradead.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Vineet Gupta Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit bcc4b94af53ba260d98ebfdd74edff7582898d06 Author: Al Viro Date: Sun Aug 21 22:00:54 2016 -0400 s390: get_user() should zero on failure commit fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7 upstream. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 71cf3752acc763f81ac7454a65479f1b8b45844e Author: Al Viro Date: Sun Aug 21 22:13:39 2016 -0400 score: fix __get_user/get_user commit c2f18fa4cbb3ad92e033a24efa27583978ce9600 upstream. * should zero on any failure * __get_user() should use __copy_from_user(), not copy_from_user() Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit ba45b3ff27474fd540d6efa66c62f7d53c17b073 Author: Al Viro Date: Sat Aug 20 16:39:01 2016 -0400 nios2: fix __get_user() commit 2e29f50ad5e23db37dde9be71410d95d50241ecd upstream. a) should not leave crap on fault b) should _not_ require access_ok() in any cases. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 9ce4d2bd802d99a39b424408c9633dac047c0b32 Author: Al Viro Date: Sun Aug 21 23:33:47 2016 -0400 sh64: failing __get_user() should zero commit c6852389228df9fb3067f94f3b651de2a7921b36 upstream. It could be done in exception-handling bits in __get_user_b() et.al., but the surgery involved would take more knowledge of sh64 details than I have or _want_ to have. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 163a6508543598ce62c089df34866999dc169e5c Author: Al Viro Date: Fri Sep 9 19:20:13 2016 -0400 m32r: fix __get_user() commit c90a3bc5061d57e7931a9b7ad14784e1a0ed497d upstream. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 6eb02b036f20232fb4184af39996a67eb9c2c67e Author: Al Viro Date: Sat Aug 20 16:32:02 2016 -0400 mn10300: failing __get_user() and get_user() should zero commit 43403eabf558d2800b429cd886e996fd555aa542 upstream. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 9d25c78ec01c402dc56272693c44ef9d72ecdd2e Author: Al Viro Date: Thu Sep 15 02:35:29 2016 +0100 fix minor infoleak in get_user_ex() commit 1c109fabbd51863475cd12ac206bdd249aee35af upstream. get_user_ex(x, ptr) should zero x on failure. It's not a lot of a leak (at most we are leaking uninitialized 64bit value off the kernel stack, and in a fairly constrained situation, at that), but the fix is trivial, so... Signed-off-by: Al Viro [ This sat in different branch from the uaccess fixes since mid-August ] Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a14f64ca402125152197f14783d97bc1a1e8279f Author: Al Viro Date: Fri Sep 9 19:22:34 2016 -0400 microblaze: fix copy_from_user() commit d0cf385160c12abd109746cad1f13e3b3e8b50b8 upstream. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 51677e2e5ea48db4752ff0f183fd55c46454d93e Author: Al Viro Date: Fri Sep 9 19:28:23 2016 -0400 avr32: fix copy_from_user() commit 8630c32275bac2de6ffb8aea9d9b11663e7ad28e upstream. really ugly, but apparently avr32 compilers turns access_ok() into something so bad that they want it in assembler. Left that way, zeroing added in inline wrapper. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit fdbeffb7a3b3953233cfb6de937fa9e15fa3e292 Author: Al Viro Date: Fri Sep 9 19:23:33 2016 -0400 microblaze: fix __get_user() commit e98b9e37ae04562d52c96f46b3cf4c2e80222dc1 upstream. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 99526912c934f848e5dc1065ec6a1c1c33b1a8d1 Author: Al Viro Date: Fri Sep 16 00:11:45 2016 +0100 fix iov_iter_fault_in_readable() commit d4690f1e1cdabb4d61207b6787b1605a0dc0aeab upstream. ... by turning it into what used to be multipages counterpart Signed-off-by: Al Viro Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 805f0c26099d7c354654e1fe64a45b4c98a6cae7 Author: Boris Brezillon Date: Tue Sep 13 15:58:29 2016 +0200 irqchip/atmel-aic: Fix potential deadlock in ->xlate() commit 5eb0d6eb3fac3daa60d9190eed9fa41cf809c756 upstream. aic5_irq_domain_xlate() and aic_irq_domain_xlate() take the generic chip lock without disabling interrupts, which can lead to a deadlock if an interrupt occurs while the lock is held in one of these functions. Replace irq_gc_{lock,unlock}() calls by irq_gc_{lock_irqsave,unlock_irqrestore}() ones to prevent this bug from happening. Fixes: b1479ebb7720 ("irqchip: atmel-aic: Add atmel AIC/AIC5 drivers") Signed-off-by: Boris Brezillon Acked-by: Marc Zyngier Cc: Jason Cooper Cc: Nicolas Ferre Cc: Alexandre Belloni Link: http://lkml.kernel.org/r/1473775109-4192-2-git-send-email-boris.brezillon@free-electrons.com Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 17b54ccf496f88d1a1d404f3e56710f692c8afbd Author: Boris Brezillon Date: Tue Sep 13 15:58:28 2016 +0200 genirq: Provide irq_gc_{lock_irqsave,unlock_irqrestore}() helpers commit ebf9ff753c041b296241990aef76163bbb2cc9c8 upstream. Some irqchip drivers need to take the generic chip lock outside of the irq context. Provide the irq_gc_{lock_irqsave,unlock_irqrestore}() helpers to allow one to disable irqs while entering a critical section protected by gc->lock. Note that we do not provide optimized version of these helpers for !SMP, because they are not called from the hot-path. [ tglx: Added a comment when these helpers should be [not] used ] Signed-off-by: Boris Brezillon Cc: Jason Cooper Cc: Marc Zyngier Cc: Nicolas Ferre Cc: Alexandre Belloni Link: http://lkml.kernel.org/r/1473775109-4192-1-git-send-email-boris.brezillon@free-electrons.com Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit e765e0454f5ef83f62903ea858aab36bfe41bdf1 Author: Kristian H. Kristensen Date: Tue Sep 13 14:20:45 2016 -0700 drm: Only use compat ioctl for addfb2 on X86/IA64 commit 47a66e45d7a7613322549c2475ea9d809baaf514 upstream. Similar to struct drm_update_draw, struct drm_mode_fb_cmd2 has an unaligned 64 bit field (modifier). This get packed differently between 32 bit and 64 bit modes on architectures that can handle unaligned 64 bit access (X86 and IA64). Other architectures pack the structs the same and don't need the compat wrapper. Use the same condition for drm_mode_fb_cmd2 as we use for drm_update_draw. Note that only the modifier will be packed differently between compat and non-compat versions. Reviewed-by: Rob Clark Signed-off-by: Kristian H. Kristensen [seanpaul added not at bottom of commit msg re: modifier] Signed-off-by: Sean Paul Link: http://patchwork.freedesktop.org/patch/msgid/1473801645-116011-1-git-send-email-hoegsberg@chromium.org Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit f4877097201684942a975b8c9d6a0c96583bdd4c Author: Jan Leupold Date: Wed Jul 6 13:22:35 2016 +0200 drm: atmel-hlcdc: Fix vertical scaling commit d31ed3f05763644840c654a384eaefa94c097ba2 upstream. The code is applying the same scaling for the X and Y components, thus making the scaling feature only functional when both components have the same scaling factor. Do the s/_w/_h/ replacement where appropriate to fix vertical scaling. Signed-off-by: Jan Leupold Fixes: 1a396789f65a2 ("drm: add Atmel HLCDC Display Controller support") Signed-off-by: Boris Brezillon Signed-off-by: Greg Kroah-Hartman commit b214985cfaeda53495f9f115cb946b42432f4d6d Author: Arnd Bergmann Date: Fri Jan 22 11:43:44 2016 +0100 net: simplify napi_synchronize() to avoid warnings commit facc432faa59414bd7c60c307ff1645154a66c98 upstream. The napi_synchronize() function is defined twice: The definition for SMP builds waits for other CPUs to be done, while the uniprocessor variant just contains a barrier and ignores its argument. In the mvneta driver, this leads to a warning about an unused variable when we lookup the NAPI struct of another CPU and then don't use it: ethernet/marvell/mvneta.c: In function 'mvneta_percpu_notifier': ethernet/marvell/mvneta.c:2910:30: error: unused variable 'other_port' [-Werror=unused-variable] There are no other CPUs on a UP build, so that code never runs, but gcc does not know this. The nicest solution seems to be to turn the napi_synchronize() helper into an inline function for the UP case as well, as that leads gcc to not complain about the argument being unused. Once we do that, we can also combine the two cases into a single function definition and use if(IS_ENABLED()) rather than #ifdef to make it look a bit nicer. The warning first came up in linux-4.4, but I failed to catch it earlier. Signed-off-by: Arnd Bergmann Fixes: f86428854480 ("net: mvneta: Statically assign queues to CPUs") Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 268a8bf90ee36d159bdb73079dec9c0e83e362ef Author: Arnd Bergmann Date: Thu Sep 1 16:14:47 2016 -0700 kconfig: tinyconfig: provide whole choice blocks to avoid warnings commit 236dec051078a8691950f56949612b4b74107e48 upstream. Using "make tinyconfig" produces a couple of annoying warnings that show up for build test machines all the time: .config:966:warning: override: NOHIGHMEM changes choice state .config:965:warning: override: SLOB changes choice state .config:963:warning: override: KERNEL_XZ changes choice state .config:962:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state .config:933:warning: override: SLOB changes choice state .config:930:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state .config:870:warning: override: SLOB changes choice state .config:868:warning: override: KERNEL_XZ changes choice state .config:867:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state I've made a previous attempt at fixing them and we discussed a number of alternatives. I tried changing the Makefile to use "merge_config.sh -n $(fragment-list)" but couldn't get that to work properly. This is yet another approach, based on the observation that we do want to see a warning for conflicting 'choice' options, and that we can simply make them non-conflicting by listing all other options as disabled. This is a trivial patch that we can apply independent of plans for other changes. Link: http://lkml.kernel.org/r/20160829214952.1334674-2-arnd@arndb.de Link: https://storage.kernelci.org/mainline/v4.7-rc6/x86-tinyconfig/build.log https://patchwork.kernel.org/patch/9212749/ Signed-off-by: Arnd Bergmann Reviewed-by: Josh Triplett Reviewed-by: Masahiro Yamada Acked-by: Ingo Molnar Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e50d38bdfc5c58b07e3b15b6fd790ed0c0d97f02 Author: Arnd Bergmann Date: Sun Jan 17 01:02:56 2016 +0100 soc: qcom/spm: shut up uninitialized variable warning commit 00affcac69c7aae6c2cfcbc71f724e1c16d0b445 upstream. gcc warns about the 'found' variable possibly being used uninitialized: drivers/soc/qcom/spm.c: In function 'spm_dev_probe': drivers/soc/qcom/spm.c:305:5: error: 'found' may be used uninitialized in this function [-Werror=maybe-uninitialized] However, the code is correct because we know that there is always at least one online CPU. This initializes the 'found' variable to zero before the loop so the compiler knows it does not have to warn about it. Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 958acc30ea7704fd1d7eaa7995665e54706e830a Author: Arnd Bergmann Date: Wed Nov 18 16:21:17 2015 +0100 pinctrl: at91-pio4: use %pr format string for resource commit 32844138e31347fc0f61d3bf2d7b9c4583f189e3 upstream. resource_size_t may be defined as 32 or 64 bit depending on configuration, so it cannot be printed using the normal format strings, as gcc correctly warns: pinctrl-at91-pio4.c: In function 'atmel_pinctrl_probe': pinctrl-at91-pio4.c:1003:41: warning: format '%u' expects argument of type 'unsigned int', but argument 5 has type 'resource_size_t {aka long long unsigned int}' [-Wformat=] dev_dbg(dev, "bank %i: hwirq=%u\n", i, res->start); This changes the format string to use the special "%pr" format string that prints a resource, and changes the arguments so we the resource structure directly. Signed-off-by: Arnd Bergmann Acked-by: Ludovic Desroches Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 59e62eb42a5923a095c7616ef9997327e0bfdb70 Author: Arnd Bergmann Date: Thu Nov 12 15:14:23 2015 +0100 mmc: dw_mmc: use resource_size_t to store physical address commit 260b31643691e8a58683a4ccc3bdf7abfd86f54a upstream. The dw_mmc driver stores the physical address of the MMIO registers in a pointer, which requires the use of type casts, and is actually broken if anyone ever has this device on a 32-bit SoC in registers above 4GB. Gcc warns about this possibility when the driver is built with ARM LPAE enabled: mmc/host/dw_mmc.c: In function 'dw_mci_edmac_start_dma': mmc/host/dw_mmc.c:702:17: warning: cast from pointer to integer of different size cfg.dst_addr = (dma_addr_t)(host->phy_regs + fifo_offset); ^ mmc/host/dw_mmc-pltfm.c: In function 'dw_mci_pltfm_register': mmc/host/dw_mmc-pltfm.c:63:19: warning: cast to pointer from integer of different size host->phy_regs = (void *)(regs->start); This changes the code to use resource_size_t, which gets rid of the warning, the bug and the useless casts. Signed-off-by: Arnd Bergmann Signed-off-by: Jaehoon Chung Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 0da2f8261e3aab234f59541a6a9e1d71d102cd43 Author: Mika Kuoppala Date: Fri Oct 30 13:26:15 2015 +0200 drm/i915: Avoid pointer arithmetic in calculating plane surface offset commit 44eb0cb9620c6a53ec8e7073262e2af8079b727f upstream. VMA offsets are 64 bits. Plane surface offsets are in ggtt and the hardware register to set this is thus 32 bits. Be explicit about these and convert carefully to from vma to final size. This will make sparse happy by not creating 32bit pointers out of 64bit vma offsets. Cc: Tvrtko Ursulin Signed-off-by: Mika Kuoppala Link: http://patchwork.freedesktop.org/patch/msgid/1446204375-29831-1-git-send-email-mika.kuoppala@intel.com Reviewed-by: Tvrtko Ursulin Signed-off-by: Ville Syrjälä Signed-off-by: Greg Kroah-Hartman commit 3314f1f6989742447ff191f6cc9a1971c5560c33 Author: Mike Danese Date: Thu May 19 21:54:51 2016 -0700 mpssd: fix buffer overflow warning commit 3610a2add39365a0f153154c60169a66c616d50f upstream. The compilation emits a warning in function ‘snprintf’, inlined from ‘set_cmdline’ at ../Documentation/mic/mpssd/mpssd.c:1541:9: /usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: warning: call to __builtin___snprintf_chk will always overflow destination buffer This was introduced in commit f4a66c204482 ("misc: mic: Update MIC host daemon with COSM changes") and is fixed by reverting the changes to the size argument of these snprintf statements. Cc: Ashutosh Dixit Signed-off-by: Mike Danese Signed-off-by: Jonathan Corbet Signed-off-by: Greg Kroah-Hartman commit 0d284a3933c612c40e29aaa9cced4ab17b59e74f Author: Linus Torvalds Date: Mon Apr 4 12:38:46 2016 -0700 gma500: remove annoying deprecation warning commit 166c5a6ef765653848161e6f4af81c05e4b3ecf6 upstream. In commit e45708976aea ("drm/dp-helper: Move the legacy helpers to gma500") the legacy i2c helpers were moved to the only remaining user of them, the gma500 driver. Together with that move, i2c_dp_aux_add_bus() was marked deprecated and started warning about its remaining use. It's now been a year and a half of annoying warning, and apparently nobody cares enough about gma500 to try to move it along to the more modern models. Get rid of the warning - if even the gma500 people don't care enough, then they should certainly not spam other innocent developers with a warning that might hide other, much more real issues. Cc: Daniel Vetter Cc: Alan Cox Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8b18e0e49804ad6d481482a6663b18d99510fdfe Author: Wei Yongjun Date: Mon Sep 5 16:06:31 2016 +0800 ipv6: addrconf: fix dev refcont leak when DAD failed commit 751eb6b6042a596b0080967c1a529a9fe98dac1d upstream. In general, when DAD detected IPv6 duplicate address, ifp->state will be set to INET6_IFADDR_STATE_ERRDAD and DAD is stopped by a delayed work, the call tree should be like this: ndisc_recv_ns -> addrconf_dad_failure <- missing ifp put -> addrconf_mod_dad_work -> schedule addrconf_dad_work() -> addrconf_dad_stop() <- missing ifp hold before call it addrconf_dad_failure() called with ifp refcont holding but not put. addrconf_dad_work() call addrconf_dad_stop() without extra holding refcount. This will not cause any issue normally. But the race between addrconf_dad_failure() and addrconf_dad_work() may cause ifp refcount leak and netdevice can not be unregister, dmesg show the following messages: IPv6: eth0: IPv6 duplicate address fe80::XX:XXXX:XXXX:XX detected! ... unregister_netdevice: waiting for eth0 to become free. Usage count = 1 Fixes: c15b1ccadb32 ("ipv6: move DAD and addrconf_verify processing to workqueue") Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a37a538e82b037b51ad8418c5c33d1274cfe27d4 Author: Balbir Singh Date: Mon Sep 5 13:16:40 2016 +1000 sched/core: Fix a race between try_to_wake_up() and a woken up task commit 135e8c9250dd5c8c9aae5984fde6f230d0cbfeaf upstream. The origin of the issue I've seen is related to a missing memory barrier between check for task->state and the check for task->on_rq. The task being woken up is already awake from a schedule() and is doing the following: do { schedule() set_current_state(TASK_(UN)INTERRUPTIBLE); } while (!cond); The waker, actually gets stuck doing the following in try_to_wake_up(): while (p->on_cpu) cpu_relax(); Analysis: The instance I've seen involves the following race: CPU1 CPU2 while () { if (cond) break; do { schedule(); set_current_state(TASK_UN..) } while (!cond); wakeup_routine() spin_lock_irqsave(wait_lock) raw_spin_lock_irqsave(wait_lock) wake_up_process() } try_to_wake_up() set_current_state(TASK_RUNNING); .. list_del(&waiter.list); CPU2 wakes up CPU1, but before it can get the wait_lock and set current state to TASK_RUNNING the following occurs: CPU3 wakeup_routine() raw_spin_lock_irqsave(wait_lock) if (!list_empty) wake_up_process() try_to_wake_up() raw_spin_lock_irqsave(p->pi_lock) .. if (p->on_rq && ttwu_wakeup()) .. while (p->on_cpu) cpu_relax() .. CPU3 tries to wake up the task on CPU1 again since it finds it on the wait_queue, CPU1 is spinning on wait_lock, but immediately after CPU2, CPU3 got it. CPU3 checks the state of p on CPU1, it is TASK_UNINTERRUPTIBLE and the task is spinning on the wait_lock. Interestingly since p->on_rq is checked under pi_lock, I've noticed that try_to_wake_up() finds p->on_rq to be 0. This was the most confusing bit of the analysis, but p->on_rq is changed under runqueue lock, rq_lock, the p->on_rq check is not reliable without this fix IMHO. The race is visible (based on the analysis) only when ttwu_queue() does a remote wakeup via ttwu_queue_remote. In which case the p->on_rq change is not done uder the pi_lock. The result is that after a while the entire system locks up on the raw_spin_irqlock_save(wait_lock) and the holder spins infintely Reproduction of the issue: The issue can be reproduced after a long run on my system with 80 threads and having to tweak available memory to very low and running memory stress-ng mmapfork test. It usually takes a long time to reproduce. I am trying to work on a test case that can reproduce the issue faster, but thats work in progress. I am still testing the changes on my still in a loop and the tests seem OK thus far. Big thanks to Benjamin and Nick for helping debug this as well. Ben helped catch the missing barrier, Nick caught every missing bit in my theory. Signed-off-by: Balbir Singh [ Updated comment to clarify matching barriers. Many architectures do not have a full barrier in switch_to() so that cannot be relied upon. ] Signed-off-by: Peter Zijlstra (Intel) Acked-by: Benjamin Herrenschmidt Cc: Alexey Kardashevskiy Cc: Linus Torvalds Cc: Nicholas Piggin Cc: Nicholas Piggin Cc: Oleg Nesterov Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/e02cce7b-d9ca-1ad0-7a61-ea97c7582b37@gmail.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 7f71eec92e1ed8eba4c71c8bc205cfb54f2a13cf Author: Johannes Berg Date: Mon Aug 8 08:45:33 2016 +0200 Revert "wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel" commit 4d0bd46a4d55383f7b925e6cf7865a77e0f0e020 upstream. This reverts commit 3d5fdff46c4b2b9534fa2f9fc78e90a48e0ff724. Ben Hutchings pointed out that the commit isn't safe since it assumes that the structure used by the driver is iw_point, when in fact there's no way to know about that. Fortunately, the only driver in the tree that ever runs this code path is the wilc1000 staging driver, so it doesn't really matter. Clearly I should have investigated this better before applying, sorry. Reported-by: Ben Hutchings Fixes: 3d5fdff46c4b ("wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 17127b7c6951e4fbe5ec7a692b715a5533f7c149 Author: Felix Fietkau Date: Fri Aug 19 13:37:46 2016 +0300 ath9k: fix using sta->drv_priv before initializing it commit 7711aaf08ad3fc4d0e937eec1de0a63620444ce7 upstream. A station pointer can be passed to the driver on tx, before it has been marked as associated. Since ath9k_sta_state was initializing the entry too late, it resulted in some spurious crashes. Fixes: df3c6eb34da5 ("ath9k: Use sta_state() callback") Signed-off-by: Felix Fietkau Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 10c2897d864e58ae7706bcb9c3b54b8d667dcb51 Author: Guoqing Jiang Date: Sun Sep 4 22:17:28 2016 -0400 md-cluster: make md-cluster also can work when compiled into kernel commit 47a7b0d8888c04c9746812820b6e60553cc77bbc upstream. The md-cluster is compiled as module by default, if it is compiled by built-in way, then we can't make md-cluster works. [64782.630008] md/raid1:md127: active with 2 out of 2 mirrors [64782.630528] md-cluster module not found. [64782.630530] md127: Could not setup cluster service (-2) Fixes: edb39c9 ("Introduce md_cluster_operations to handle cluster functions") Reported-by: Marc Smith Reviewed-by: NeilBrown Signed-off-by: Guoqing Jiang Signed-off-by: Shaohua Li Signed-off-by: Greg Kroah-Hartman commit 6267a54a24331b4ddee59ebf98c76e92cfed6719 Author: Mathias Nyman Date: Wed Sep 7 17:26:33 2016 +0300 xhci: fix null pointer dereference in stop command timeout function commit bcf42aa60c2832510b9be0f30c090bfd35bb172d upstream. The stop endpoint command has its own 5 second timeout timer. If the timeout function is triggered between USB3 and USB2 host removal it will try to call usb_hc_died(xhci_to_hcd(xhci)->primary_hcd) the ->primary_hcd will be set to NULL at USB3 hcd removal. Fix this by first checking if the PCI host is being removed, and also by using only xhci_to_hcd() as it will always return the primary hcd. Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 8aa6a2a34fbb8f7a326c50ffc6738461798b5d77 Author: Miklos Szeredi Date: Wed Aug 24 18:17:04 2016 +0200 fuse: direct-io: don't dirty ITER_BVEC pages commit 8fba54aebbdf1f999738121922e74bf796ad60ee upstream. When reading from a loop device backed by a fuse file it deadlocks on lock_page(). This is because the page is already locked by the read() operation done on the loop device. In this case we don't want to either lock the page or dirty it. So do what fs/direct-io.c does: only dirty the page for ITER_IOVEC vectors. Reported-by: Sheng Yang Fixes: aa4d86163e4e ("block: loop: switch to VFS ITER_BVEC") Signed-off-by: Miklos Szeredi Reviewed-by: Sheng Yang Reviewed-by: Ashish Samant Tested-by: Sheng Yang Tested-by: Ashish Samant Signed-off-by: Greg Kroah-Hartman commit 5e0286ed4f61c840802adc432cbcb6c90d08e0d8 Author: Chris Mason Date: Tue Sep 6 05:37:40 2016 -0700 Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns commit cbd60aa7cd17d81a434234268c55192862147439 upstream. We use a btrfs_log_ctx structure to pass information into the tree log commit, and get error values out. It gets added to a per log-transaction list which we walk when things go bad. Commit d1433debe added an optimization to skip waiting for the log commit, but didn't take root_log_ctx out of the list. This patch makes sure we remove things before exiting. Signed-off-by: Chris Mason Fixes: d1433debe7f4346cf9fc0dafc71c3137d2a97bc4 Signed-off-by: Greg Kroah-Hartman commit 3d1ca49a9a784b463f1a0f47fa66eb93a5f5b644 Author: Ard Biesheuvel Date: Thu Sep 1 14:25:43 2016 +0100 crypto: cryptd - initialize child shash_desc on import commit 0bd2223594a4dcddc1e34b15774a3a4776f7749e upstream. When calling .import() on a cryptd ahash_request, the structure members that describe the child transform in the shash_desc need to be initialized like they are when calling .init() Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 554b0ee1e89295d87c3f4bb5bcfb2d288ccde455 Author: Will Deacon Date: Mon Sep 5 11:56:05 2016 +0100 arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb() commit 872c63fbf9e153146b07f0cece4da0d70b283eeb upstream. smp_mb__before_spinlock() is intended to upgrade a spin_lock() operation to a full barrier, such that prior stores are ordered with respect to loads and stores occuring inside the critical section. Unfortunately, the core code defines the barrier as smp_wmb(), which is insufficient to provide the required ordering guarantees when used in conjunction with our load-acquire-based spinlock implementation. This patch overrides the arm64 definition of smp_mb__before_spinlock() to map to a full smp_mb(). Cc: Peter Zijlstra Reported-by: Alan Stern Signed-off-by: Will Deacon Signed-off-by: Catalin Marinas Signed-off-by: Greg Kroah-Hartman commit c16cfc6688ac17ec78f018ea43345bc9f85dd70a Author: Icenowy Zheng Date: Tue Aug 23 13:58:25 2016 +0800 pinctrl: sunxi: fix uart1 CTS/RTS pins at PG on A23/A33 commit 486095fae3a8a6b1ae07c51844699d9bd5cfbebc upstream. PG8, PG9 is said to be the CTS/RTS pins for UART1 according to the A23/33 datasheets. However, the function is wrongly named "uart2" in the pinctrl driver. This patch fixes this by modifying them to be named "uart1". Signed-off-by: Icenowy Zheng Acked-by: Maxime Ripard Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 936a93809184e9297e723fb8e5cb5a8f771b0a17 Author: James Hartley Date: Fri Aug 19 12:03:23 2016 +0100 pinctrl: pistachio: fix mfio pll_lock pinmux commit a32ac2912f97d7ea9b67eb67bb4aa30b9156a88e upstream. A previous patch attempted to fix the pinmuxes for mfio 84 - 89, but it omitted a change to pistachio_pin_group pistachio_groups, which results in incorrect pll_lock signals being routed. Apply the correct mux settings throughout the driver. fixes: cefc03e5995e ("pinctrl: Add Pistachio SoC pin control driver") fixes: e9adb336d0bf ("pinctrl: pistachio: fix mfio84-89 function description and pinmux.") Signed-off-by: James Hartley Reviewed-by: Sifan Naeem Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 2ab3ad1db7fa2fd07972d11b34c586ac13a4f59a Author: Mikulas Patocka Date: Tue Aug 30 16:38:42 2016 -0400 dm crypt: fix error with too large bios commit 4e870e948fbabf62b78e8410f04c67703e7c816b upstream. When dm-crypt processes writes, it allocates a new bio in crypt_alloc_buffer(). The bio is allocated from a bio set and it can have at most BIO_MAX_PAGES vector entries, however the incoming bio can be larger (e.g. if it was allocated by bcache). If the incoming bio is larger, bio_alloc_bioset() fails and an error is returned. To avoid the error, we test for a too large bio in the function crypt_map() and use dm_accept_partial_bio() to split the bio. dm_accept_partial_bio() trims the current bio to the desired size and asks DM core to send another bio with the rest of the data. Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 319930894f3614de9dabd1e4fae34328d4274a6e Author: Mikulas Patocka Date: Tue Aug 30 16:11:53 2016 -0400 dm log writes: move IO accounting earlier to fix error path commit a5d60783df61fbb67b7596b8a0f6b4b2e05251d5 upstream. Move log_one_block()'s atomic_inc(&lc->io_blocks) before bio_alloc() to fix a bug that the target hangs if bio_alloc() fails. The error path does put_io_block(lc), so atomic_inc(&lc->io_blocks) must occur before invoking the error path to avoid underflow of lc->io_blocks. Signed-off-by: Mikulas Patocka Reviewed-by: Josef Bacik Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 52fe28832acd3a5174e94a3439af8d3b51968b37 Author: Vladimir Zapolskiy Date: Thu Mar 10 01:22:19 2016 +0200 dm log writes: fix check of kthread_run() return value commit 91e630d9ae6de6f740ef7c8176736eb55366833e upstream. The kthread_run() function returns either a valid task_struct or ERR_PTR() value, check for NULL is invalid. This change fixes potential for oops, e.g. in OOM situation. Signed-off-by: Vladimir Zapolskiy Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 3c328c32e6798036243f179dca895fff7bb70253 Author: Pawel Moll Date: Wed Aug 10 17:06:26 2016 +0100 bus: arm-ccn: Fix XP watchpoint settings bitmask commit b928466b2169e061822daad48ecf55b005445547 upstream. The code setting XP watchpoint comparator and mask registers should, in order to be fully compliant with specification, zero one or more most significant bits of each field. In both L cases it means zeroing bit 63. The bitmask doing this was wrong, though, zeroing bit 60 instead. Fortunately, due to a lucky coincidence, this turned out to be fairly innocent with the existing hardware. Fixed now. Signed-off-by: Pawel Moll Signed-off-by: Greg Kroah-Hartman commit bd47c363ff8ca5e155c672849087a877ed594efb Author: Pawel Moll Date: Fri Aug 5 15:07:10 2016 +0100 bus: arm-ccn: Do not attempt to configure XPs for cycle counter commit b7c1beb278e8e3dc664ed3df3fc786db126120a9 upstream. Fuzzing the CCN perf driver revealed a small but definitely dangerous mistake in the event setup code. When a cycle counter is requested, the driver should not reconfigure the events bus at all, otherwise it will corrupt (in most but the simplest cases) its configuration and may end up accessing XP array out of its bounds and corrupting control registers. Reported-by: Mark Rutland Reviewed-by: Mark Rutland Tested-by: Mark Rutland Signed-off-by: Pawel Moll Signed-off-by: Greg Kroah-Hartman commit 23d6ad91f35f6a2cae06dfe0d664c6c66d94bc65 Author: Pawel Moll Date: Tue Aug 2 16:45:37 2016 +0100 bus: arm-ccn: Fix PMU handling of MN commit 4e486cba285ff06a1f28f0fc2991dde1482d1dcf upstream. The "Miscellaneous Node" fell through cracks of node initialisation, as its ID is shared with HN-I. This patch treats MN as a special case (which it is), adding separate validation check for it and pre-defining the node ID in relevant events descriptions. That way one can simply run: # perf stat -a -e ccn/mn_ecbarrier/ Additionally, direction in the MN pseudo-events XP watchpoint definitions is corrected to be "TX" (1) as they are defined from the crosspoint point of view (thus barriers are transmitted from XP to MN). Signed-off-by: Pawel Moll Signed-off-by: Greg Kroah-Hartman commit e33981e6101298649fc47b9a554435c1ee96be09 Author: Lee Jones Date: Thu Sep 8 11:11:00 2016 +0200 ARM: dts: STiH407-family: Provide interconnect clock for consumption in ST SDHCI commit 78567f135d9bbbaf4538f63656d3e4d957c35fe9 upstream. The STiH4{07,10} platform contains some interconnect clocks which are used by various IPs. If these clocks aren't handled correctly by ST's SDHCI driver MMC will break and the following output can be observed: [ 13.916949] mmc0: Timeout waiting for hardware interrupt. [ 13.922349] sdhci: =========== REGISTER DUMP (mmc0)=========== [ 13.928175] sdhci: Sys addr: 0x00000000 | Version: 0x00001002 [ 13.933999] sdhci: Blk size: 0x00007040 | Blk cnt: 0x00000001 [ 13.939825] sdhci: Argument: 0x00fffff0 | Trn mode: 0x00000013 [ 13.945650] sdhci: Present: 0x1fff0206 | Host ctl: 0x00000011 [ 13.951475] sdhci: Power: 0x0000000f | Blk gap: 0x00000080 [ 13.957300] sdhci: Wake-up: 0x00000000 | Clock: 0x00003f07 [ 13.963126] sdhci: Timeout: 0x00000004 | Int stat: 0x00000000 [ 13.968952] sdhci: Int enab: 0x02ff008b | Sig enab: 0x02ff008b [ 13.974777] sdhci: AC12 err: 0x00000000 | Slot int: 0x00000000 [ 13.980602] sdhci: Caps: 0x21ed3281 | Caps_1: 0x00000000 [ 13.986428] sdhci: Cmd: 0x0000063a | Max curr: 0x00000000 [ 13.992252] sdhci: Host ctl2: 0x00000000 [ 13.996166] sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x7c048200 [ 14.001990] sdhci: =========================================== [ 14.009802] mmc0: Got data interrupt 0x02000000 even though no data operation was in progress. Tested-by: Peter Griffin Signed-off-by: Lee Jones Acked-by: Patrice Chotard Signed-off-by: Greg Kroah-Hartman commit ead4f548131fec903b4b2e704bc3149275415e79 Author: Johan Hovold Date: Mon Aug 15 09:10:49 2016 -0700 ARM: dts: overo: fix gpmc nand on boards with ethernet commit 153b58ea932b2d0642fa5cd41c93bb0555f3f09b upstream. The gpmc ranges property for NAND at CS0 was being overridden by later includes that defined gpmc ethernet nodes, effectively breaking NAND on these systems: omap-gpmc 6e000000.gpmc: /ocp/gpmc@6e000000/nand@0,0 has malformed 'reg' property Instead of redefining the NAND range in every such dtsi, define all currently used ranges in omap3-overo-base.dtsi. Fixes: 98ce6007efb4 ("ARM: dts: overo: Support PoP NAND") Signed-off-by: Johan Hovold Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit e2b1bd8508276be1e53be235f6f50d7591c593cb Author: Johan Hovold Date: Mon Aug 15 09:10:45 2016 -0700 ARM: dts: overo: fix gpmc nand cs0 range commit 5e0568dfbfb8c13cdb69c9fd06d600593ad4b430 upstream. The gpmc ranges property for NAND at CS0 has been broken since it was first added. This currently prevents the nand gpmc child node from being probed: omap-gpmc 6e000000.gpmc: /ocp/gpmc@6e000000/nand@0,0 has malformed 'reg' property and consequently the NAND device from being registered. Fixes: 98ce6007efb4 ("ARM: dts: overo: Support PoP NAND") Signed-off-by: Johan Hovold Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 9c89714b57dce6312d2d7af36d6c4fc0954b9c0d Author: Fabio Estevam Date: Wed Aug 31 10:56:48 2016 -0300 ARM: dts: imx6qdl: Fix SPDIF regression commit f065e9e4addd75c21bb976bb2558648bf4f61de6 upstream. Commit 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif") changed many more clocks than only the SPDIF core clock as stated in the commit message. The MLB clock has been added and this causes SPDIF regression as reported by Xavi Drudis Ferran and also in this forum post: https://forum.digikey.com/thread/34240 The MX6Q Reference Manual does not mention that MLB is a clock related to SPDIF, so change it back to a dummy clock to restore SPDIF functionality. Thanks to Ambika for providing the fix at: https://community.nxp.com/thread/387131 Fixes: 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif") Reported-by: Xavi Drudis Ferran Signed-off-by: Fabio Estevam Tested-by: Xavi Drudis Ferran Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit 26dc6acdd70bbe1b3c901d4aa6ff54badcf3a94b Author: Sebastian Reichel Date: Fri Jun 24 03:59:33 2016 +0200 ARM: OMAP3: hwmod data: Add sysc information for DSI commit b46211d6dcfb81a8af66b8684a42d629183670d4 upstream. Add missing sysconfig/sysstatus information to OMAP3 hwmod. The information has been checked against OMAP34xx and OMAP36xx TRM. Without this change DSI block is not reset during boot, which is required for working Nokia N950 display. Signed-off-by: Sebastian Reichel Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit d5d04f50920f834a3761bd8cde8afaaffcfe5548 Author: Simon Baatz Date: Fri Aug 12 19:12:50 2016 +0200 ARM: kirkwood: ib62x0: fix size of u-boot environment partition commit a778937888867aac17a33887d1c429120790fbc2 upstream. Commit 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment partition") split the "u-boot" partition into "u-boot" and "u-boot environment". However, instead of the size of the environment, an offset was given, resulting in overlapping partitions. Signed-off-by: Simon Baatz Fixes: 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment partition") Cc: Jason Cooper Cc: Andrew Lunn Cc: Gregory Clement Cc: Sebastian Hesselbarth Cc: Luka Perkov Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT Signed-off-by: Greg Kroah-Hartman commit c3aea8b87aff8c1a8677fa4993c672c262fa7a3c Author: Anson Huang Date: Mon Aug 22 23:53:25 2016 +0800 ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx commit 8aade778f787305fdbfd3c1d54e6b583601b5902 upstream. i.MX6SX has bypass PMIC ready function, as this function is normally NOT enabled on the board design, so we need to bypass the PMIC ready pin check during DSM mode resume flow, otherwise, the internal DSM resume logic will be waiting for this signal to be ready forever and cause resume fail. Signed-off-by: Anson Huang Fixes: ff843d621bfc ("ARM: imx: add suspend support for i.mx6sx") Tested-by: Peter Chen Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit 11ba8bf8a0fc5df60520bf2f1011550e7cc2ef2e Author: Peter Chen Date: Tue Aug 9 16:24:43 2016 +0800 ARM: imx6: add missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul commit f5a49057c71433e35a4712ab8d8f00641b3e1ec0 upstream. There is a missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul, without it, the "standby" mode can't work well, the system can't be resumed. With this commit, the "standby" mode works well. Signed-off-by: Peter Chen Cc: Anson Huang Fixes: ee4a5f838c84 ("ARM: imx: add suspend/resume support for i.mx6ul") Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit e28b7b6b998efb01bf71ec92ef49a04bf07d191b Author: Keerthy Date: Mon Jun 20 09:22:25 2016 +0530 ARM: AM43XX: hwmod: Fix RSTST register offset for pruss commit b00ccf5b684992829610d162e78a7836933a1b19 upstream. pruss hwmod RSTST register wrongly points to PWRSTCTRL register in case of am43xx. Fix the RSTST register offset value. This can lead to setting of wrong power state values for PER domain. Fixes: 1c7e224d ("ARM: OMAP2+: hwmod: AM335x: runtime register update") Signed-off-by: Keerthy Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 06ec7a1d7646833cac76516fe78a23577cdb4a8a Author: Zefan Li Date: Tue Aug 9 11:25:01 2016 +0800 cpuset: make sure new tasks conform to the current config of the cpuset commit 06f4e94898918bcad00cdd4d349313a439d6911e upstream. A new task inherits cpus_allowed and mems_allowed masks from its parent, but if someone changes cpuset's config by writing to cpuset.cpus/cpuset.mems before this new task is inserted into the cgroup's task list, the new task won't be updated accordingly. Signed-off-by: Zefan Li Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit e43dccac6393653706ef7486d3261f21563cf997 Author: David Daney Date: Tue Aug 16 13:30:36 2016 -0700 net: thunderx: Fix OOPs with ethtool --register-dump commit 1423661fed2c40d6d71b5e2e3aa390f85157f9d5 upstream. The ethtool_ops .get_regs function attempts to read the nonexistent register NIC_QSET_SQ_0_7_CNM_CHG, which produces a "bus error" type OOPs. Fix by not attempting to read, and removing the definition of, NIC_QSET_SQ_0_7_CNM_CHG. A zero is written into the register dump to keep the layout unchanged. Signed-off-by: David Daney Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cfcbd5b85eab2c977cad92289453d25f77d3cdd7 Author: Alan Stern Date: Fri Sep 16 10:24:26 2016 -0400 USB: change bInterval default to 10 ms commit 08c5cd37480f59ea39682f4585d92269be6b1424 upstream. Some full-speed mceusb infrared transceivers contain invalid endpoint descriptors for their interrupt endpoints, with bInterval set to 0. In the past they have worked out okay with the mceusb driver, because the driver sets the bInterval field in the descriptor to 1, overwriting whatever value may have been there before. However, this approach was never sanctioned by the USB core, and in fact it does not work with xHCI controllers, because they use the bInterval value that was present when the configuration was installed. Currently usbcore uses 32 ms as the default interval if the value in the endpoint descriptor is invalid. It turns out that these IR transceivers don't work properly unless the interval is set to 10 ms or below. To work around this mceusb problem, this patch changes the endpoint-descriptor parsing routine, making the default interval value be 10 ms rather than 32 ms. Signed-off-by: Alan Stern Tested-by: Wade Berrier Signed-off-by: Greg Kroah-Hartman commit 15efc6e93fdfe95ecdea87a51567833a999f248b Author: Lee Jones Date: Thu Sep 8 11:11:00 2016 +0200 ARM: dts: STiH410: Handle interconnect clock required by EHCI/OHCI (USB) commit 7e9d2850a8db4e0d85a20bb692198bf2cc4be3b7 upstream. The STiH4{07,10} platform contains some interconnect clocks which are used by various IPs. If this clock isn't handled correctly by ST's EHCI/OHCI drivers, their hub won't be found, the following error be shown and the result will be non-working USB: [ 97.221963] hub 2-1:1.0: hub_ext_port_status failed (err = -110) Tested-by: Peter Griffin Signed-off-by: Lee Jones Acked-by: Patrice Chotard Signed-off-by: Greg Kroah-Hartman commit 34e255a63b415fbcb36190b9e4f2a24a846cd1fe Author: Clemens Gruber Date: Mon Sep 5 19:29:58 2016 +0200 usb: chipidea: udc: fix NULL ptr dereference in isr_setup_status_phase commit 6f3c4fb6d05e63c9c6d8968302491c3a5457be61 upstream. Problems with the signal integrity of the high speed USB data lines or noise on reference ground lines can cause the i.MX6 USB controller to violate USB specs and exhibit unexpected behavior. It was observed that USBi_UI interrupts were triggered first and when isr_setup_status_phase was called, ci->status was NULL, which lead to a NULL pointer dereference kernel panic. This patch fixes the kernel panic, emits a warning once and returns -EPIPE to halt the device and let the host get stalled. It also adds a comment to point people, who are experiencing this issue, to their USB hardware design. Signed-off-by: Clemens Gruber Signed-off-by: Peter Chen Signed-off-by: Greg Kroah-Hartman commit 59bc6b85d6a407aae0bb7135ea4da2aa00161f88 Author: Yoshihiro Shimoda Date: Mon Aug 29 18:00:38 2016 +0900 usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition commit 519d8bd4b5d3d82c413eac5bb42b106bb4b9ec15 upstream. The previous driver is possible to stop the transfer wrongly. For example: 1) An interrupt happens, but not BRDY interruption. 2) Read INTSTS0. And than state->intsts0 is not set to BRDY. 3) BRDY is set to 1 here. 4) Read BRDYSTS. 5) Clear the BRDYSTS. And then. the BRDY is cleared wrongly. Remarks: - The INTSTS0.BRDY is read only. - If any bits of BRDYSTS are set to 1, the BRDY is set to 1. - If BRDYSTS is 0, the BRDY is set to 0. So, this patch adds condition to avoid such situation. (And about NRDYSTS, this is not used for now. But, avoiding any side effects, this patch doesn't touch it.) Fixes: d5c6a1e024dd ("usb: renesas_usbhs: fixup interrupt status clear method") Signed-off-by: Yoshihiro Shimoda Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit b3e1877db1f25614b8db298abef4817c8a3d22c5 Author: Daniele Palmas Date: Fri Sep 2 10:37:56 2016 +0200 USB: serial: simple: add support for another Infineon flashloader commit f190fd92458da3e869b4e2c6289e2c617490ae53 upstream. This patch adds support for Infineon flashloader 0x8087/0x0801. The flashloader is used in Telit LE940B modem family with Telit flashing application. Signed-off-by: Daniele Palmas Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 58559c6776bee647e48c0673d69af3b398a3d346 Author: Jimi Damon Date: Wed Jul 20 17:00:40 2016 -0700 serial: 8250: added acces i/o products quad and octal serial cards commit c8d192428f52f244130b84650ad616df09f2b1e1 upstream. Added devices ids for acces i/o products quad and octal serial cards that make use of existing Pericom PI7C9X7954 and PI7C9X7958 configurations . Signed-off-by: Jimi Damon Signed-off-by: Greg Kroah-Hartman commit d5d1383049c8d4ed1b906850175be2f547ba574e Author: Andy Shevchenko Date: Fri Jul 1 17:21:49 2016 +0300 serial: 8250_mid: fix divide error bug if baud rate is 0 commit 47b34d2ef266e2c283b514d65c8963c2ccd42474 upstream. Since the commit c1a67b48f6a5 ("serial: 8250_pci: replace switch-case by formula for Intel MID"), the 8250 driver crashes in the byt_set_termios() function with a divide error. This is caused by the fact that a baud rate of 0 (B0) is not handled properly. Fix it by falling back to B9600 in this case. Reported-by: "Mendez Salinas, Fernando" Fixes: c1a67b48f6a5 ("serial: 8250_pci: replace switch-case by formula for Intel MID") Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman commit 73c165a6f3828c61d2a0e725597ffc6e07c0c40b Author: Colin Ian King Date: Mon Sep 5 15:39:06 2016 +0100 iio: ensure ret is initialized to zero before entering do loop commit 5dba4b14bafe801083d01e1f400816df7e5a8f2e upstream. A recent fix to iio_buffer_read_first_n_outer removed ret from being set by a return from wait_event_interruptible and also added a continue in a loop which causes the variable ret to not be set when it reaches the end of the loop. Fix this by initializing ret to zero. Also remove extraneous white space at the end of the loop. Fixes: fcf68f3c0bb2a5 ("fix sched WARNING "do not call blocking ops when !TASK_RUNNING") Signed-off-by: Colin Ian King Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit dd1e7b2406492f2fc833a148d470fbc4abb5b45e Author: Gregor Boirie Date: Fri Sep 2 20:27:46 2016 +0200 iio:core: fix IIO_VAL_FRACTIONAL sign handling commit 171c0091837c81ed5c949fec6966bb5afff2d1cf upstream. 7985e7c100 ("iio: Introduce a new fractional value type") introduced a new IIO_VAL_FRACTIONAL value type meant to represent rational type numbers expressed by a numerator and denominator combination. Formating of IIO_VAL_FRACTIONAL values relies upon do_div() usage. This fails handling negative values properly since parameters are reevaluated as unsigned values. Fix this by using div_s64_rem() instead. Computed integer part will carry properly signed value. Formatted fractional part will always be positive. Fixes: 7985e7c100 ("iio: Introduce a new fractional value type") Signed-off-by: Gregor Boirie Reviewed-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 2157e3380858613d70037b0d4c3448a694a7e458 Author: Linus Walleij Date: Thu Sep 1 11:44:35 2016 +0200 iio: accel: kxsd9: Fix scaling bug commit 307fe9dd11ae44d4f8881ee449a7cbac36e1f5de upstream. All the scaling of the KXSD9 involves multiplication with a fraction number < 1. However the scaling value returned from IIO_INFO_SCALE was unpredictable as only the micros of the value was assigned, and not the integer part, resulting in scaling like this: $cat in_accel_scale -1057462640.011978 Fix this by assigning zero to the integer part. Tested-by: Jonathan Cameron Signed-off-by: Linus Walleij Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 4b90e67c84918ea4d2b0f2aa55799e08c0fb11d8 Author: Kweh, Hock Leong Date: Mon Aug 29 18:50:56 2016 +0800 iio: fix pressure data output unit in hid-sensor-attributes commit 36afb176d3c9580651d7f410ed7f000ec48b5137 upstream. According to IIO ABI definition, IIO_PRESSURE data output unit is kilopascal: http://lxr.free-electrons.com/source/Documentation/ABI/testing/sysfs-bus-iio This patch fix output unit of HID pressure sensor IIO driver from pascal to kilopascal to follow IIO ABI definition. Signed-off-by: Kweh, Hock Leong Reviewed-by: Srinivas Pandruvada Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 58ddc4433365fa49eaf716fc811fde864d496ab3 Author: Olof Johansson Date: Thu Aug 25 09:45:33 2016 -0700 iio: accel: bmc150: reset chip at init time commit 1c500840934a138bd6b13556c210516e9301fbee upstream. In at least one known setup, the chip comes up in a state where reading the chip ID returns garbage unless it's been reset, due to noise on the wires during system boot. All supported chips have the same reset method, and based on the datasheets they all need 1.3 or 1.8ms to recover after reset. So, do the conservative thing here and always reset the chip. Signed-off-by: Olof Johansson Reviewed-by: Srinivas Pandruvada Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 8f1f9b0ffd8ae8310c5ec80e6e9d6f508946da10 Author: Anders Darander Date: Mon Aug 8 14:42:16 2016 +0200 iio: adc: at91: unbreak channel adc channel 3 commit c2ab447454d498e709d9011c0f2d2945ee321f9b upstream. The driver always assumes that an input device has been created when reading channel 3. This causes a kernel panic when dereferencing st->ts_input. The change was introduced in commit 84882b060301 ("iio: adc: at91_adc: Add support for touchscreens without TSMR"). Earlier versions only entered that part of the if-else statement if only the following flags are set: AT91_ADC_IER_XRDY | AT91_ADC_IER_YRDY | AT91_ADC_IER_PRDY Signed-off-by: Anders Darander Acked-by: Alexandre Belloni Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 734ee23cd4c134ed046812c82302fe05543b3b92 Author: Lars-Peter Clausen Date: Mon Jul 11 13:54:17 2016 +0200 iio: ad799x: Fix buffered capture for ad7991/ad7995/ad7999 commit 7d3cc21dab5313a02f2f3ca8164529b828a030d1 upstream. The data buffer for captured mode for the ad799x driver is allocated in the update_scan_mode() callback. This callback is not set in the iio_info struct for the ad7791/ad7995/ad7999, which means that the data buffer is not allocated when a captured transfer is started. As a result the driver crashes when the first sample is received. To fix this properly set the update_scan_mode() callback. Fixes: d8dca33027c1 ("staging:iio:ad799x: Preallocate sample buffer") Signed-off-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 023e76b1d1fd4857ba6af6e99dfbefd667aae6d1 Author: Vignesh R Date: Wed Aug 17 17:43:01 2016 +0530 iio: adc: ti_am335x_adc: Increase timeout value waiting for ADC sample commit 7175cce1c3f1d8c8840d2004f78f96a3904249b5 upstream. Now that open delay and sample delay for each channel is configurable via DT, the default IDLE_TIMEOUT value is not enough as this is calculated based on hardcoded macros. This results in driver returning EBUSY sometimes. Fix this by increasing the timeout value based on maximum value possible to open delay and sample delays for each channel. Fixes: 5dc11e810676e ("iio: adc: ti_am335x_adc: make sample delay, open delay, averaging DT parameters") Signed-off-by: Vignesh R Acked-by: Lee Jones Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit a1f72192d04cf4cef432f37b590f6c5f9c8f9791 Author: Vignesh R Date: Wed Aug 17 17:43:00 2016 +0530 iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access commit 90c43ec6997a892448f1f86180a515f59cafd8a3 upstream. It is possible that two or more ADC channels can be simultaneously requested for raw samples, in which case there can be race in access to FIFO data resulting in loss of samples. If am335x_tsc_se_set_once() is called again from tiadc_read_raw(), when ADC is still acquired to sample one of the channels, the second process might be put into uninterruptible sleep state. Fix these issues, by protecting FIFO access and channel configurations with a mutex. Since tiadc_read_raw() might take anywhere between few microseconds to few milliseconds to finish execution (depending on averaging and delay values supplied via DT), its better to use mutex instead of spinlock. Fixes: 7ca6740cd1cd4 ("mfd: input: iio: ti_amm335x: Rework TSC/ADC synchronization") Signed-off-by: Vignesh R Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 5be0ba290063b1519f5c02ab2ef6b8788e91dfc7 Author: Caesar Wang Date: Wed Jul 27 22:24:04 2016 +0800 iio: adc: rockchip_saradc: reset saradc controller before programming it commit 543852af8e5902aee8f7c72c89e1513663e0f696 upstream. SARADC controller needs to be reset before programming it, otherwise it will not function properly. Signed-off-by: Caesar Wang Cc: Jonathan Cameron Cc: Heiko Stuebner Cc: Rob Herring Cc: linux-iio@vger.kernel.org Cc: linux-rockchip@lists.infradead.org Tested-by: Guenter Roeck Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit cb082cd5018c43860e2120e36292a1ffc6be2269 Author: Alison Schofield Date: Mon Jul 11 08:26:56 2016 -0700 iio: proximity: as3935: set up buffer timestamps for non-zero values commit f8adf645db03345af2d9a8b6095b02327ea50885 upstream. Use the iio_pollfunc_store_time parameter during triggered buffer set-up to get valid timestamps. Signed-off-by: Alison Schofield Cc: Daniel Baluta Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 3014185421009a5bb5ab68c93e61a62e66809b9c Author: Linus Walleij Date: Tue Aug 16 15:33:28 2016 +0200 iio: accel: kxsd9: Fix raw read return commit 7ac61a062f3147dc23e3f12b9dfe7c4dd35f9cb8 upstream. Any readings from the raw interface of the KXSD9 driver will return an empty string, because it does not return IIO_VAL_INT but rather some random value from the accelerometer to the caller. Signed-off-by: Linus Walleij Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 1f72c8b60e5983353bf65b1d60940d8b883fd8a5 Author: Suzuki K Poulose Date: Thu Sep 8 16:25:49 2016 +0100 kvm-arm: Unmap shadow pagetables properly commit 293f293637b55db4f9f522a5a72514e98a541076 upstream. On arm/arm64, we depend on the kvm_unmap_hva* callbacks (via mmu_notifiers::invalidate_*) to unmap the stage2 pagetables when the userspace buffer gets unmapped. However, when the Hypervisor process exits without explicit unmap of the guest buffers, the only notifier we get is kvm_arch_flush_shadow_all() (via mmu_notifier::release ) which does nothing on arm. Later this causes us to access pages that were already released [via exit_mmap() -> unmap_vmas()] when we actually get to unmap the stage2 pagetable [via kvm_arch_destroy_vm() -> kvm_free_stage2_pgd()]. This triggers crashes with CONFIG_DEBUG_PAGEALLOC, which unmaps any free'd pages from the linear map. [ 757.644120] Unable to handle kernel paging request at virtual address ffff800661e00000 [ 757.652046] pgd = ffff20000b1a2000 [ 757.655471] [ffff800661e00000] *pgd=00000047fffe3003, *pud=00000047fcd8c003, *pmd=00000047fcc7c003, *pte=00e8004661e00712 [ 757.666492] Internal error: Oops: 96000147 [#3] PREEMPT SMP [ 757.672041] Modules linked in: [ 757.675100] CPU: 7 PID: 3630 Comm: qemu-system-aar Tainted: G D 4.8.0-rc1 #3 [ 757.683240] Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board, BIOS 3.06.15 Aug 19 2016 [ 757.692938] task: ffff80069cdd3580 task.stack: ffff8006adb7c000 [ 757.698840] PC is at __flush_dcache_area+0x1c/0x40 [ 757.703613] LR is at kvm_flush_dcache_pmd+0x60/0x70 [ 757.708469] pc : [] lr : [] pstate: 20000145 ... [ 758.357249] [] __flush_dcache_area+0x1c/0x40 [ 758.363059] [] unmap_stage2_range+0x458/0x5f0 [ 758.368954] [] kvm_free_stage2_pgd+0x34/0x60 [ 758.374761] [] kvm_arch_destroy_vm+0x20/0x68 [ 758.380570] [] kvm_put_kvm+0x210/0x358 [ 758.385860] [] kvm_vm_release+0x2c/0x40 [ 758.391239] [] __fput+0x114/0x2e8 [ 758.396096] [] ____fput+0xc/0x18 [ 758.400869] [] task_work_run+0x108/0x138 [ 758.406332] [] do_exit+0x48c/0x10e8 [ 758.411363] [] do_group_exit+0x6c/0x130 [ 758.416739] [] get_signal+0x284/0xa18 [ 758.421943] [] do_signal+0x158/0x860 [ 758.427060] [] do_notify_resume+0x6c/0x88 [ 758.432608] [] work_pending+0x10/0x14 [ 758.437812] Code: 9ac32042 8b010001 d1000443 8a230000 (d50b7e20) This patch fixes the issue by moving the kvm_free_stage2_pgd() to kvm_arch_flush_shadow_all(). Tested-by: Itaru Kitayama Reported-by: Itaru Kitayama Reported-by: James Morse Cc: Marc Zyngier Cc: Catalin Marinas Cc: Christoffer Dall Signed-off-by: Suzuki K Poulose Signed-off-by: Christoffer Dall Signed-off-by: Greg Kroah-Hartman commit 07450b30b7d94a546560106c5d9ac3aaf6e272fb Author: Emanuel Czirai Date: Fri Sep 2 07:35:50 2016 +0200 x86/AMD: Apply erratum 665 on machines without a BIOS fix commit d1992996753132e2dafe955cccb2fb0714d3cfc4 upstream. AMD F12h machines have an erratum which can cause DIV/IDIV to behave unpredictably. The workaround is to set MSRC001_1029[31] but sometimes there is no BIOS update containing that workaround so let's do it ourselves unconditionally. It is simple enough. [ Borislav: Wrote commit message. ] Signed-off-by: Emanuel Czirai Signed-off-by: Borislav Petkov Cc: Yaowu Xu Link: http://lkml.kernel.org/r/20160902053550.18097-1-bp@alien8.de Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 7547bc9f032baa8f6469dd66bb9c142c1f56e769 Author: Steven Rostedt Date: Wed May 25 13:47:26 2016 -0400 x86/paravirt: Do not trace _paravirt_ident_*() functions commit 15301a570754c7af60335d094dd2d1808b0641a5 upstream. Łukasz Daniluk reported that on a RHEL kernel that his machine would lock up after enabling function tracer. I asked him to bisect the functions within available_filter_functions, which he did and it came down to three: _paravirt_nop(), _paravirt_ident_32() and _paravirt_ident_64() It was found that this is only an issue when noreplace-paravirt is added to the kernel command line. This means that those functions are most likely called within critical sections of the funtion tracer, and must not be traced. In newer kenels _paravirt_nop() is defined within gcc asm(), and is no longer an issue. But both _paravirt_ident_{32,64}() causes the following splat when they are traced: mm/pgtable-generic.c:33: bad pmd ffff8800d2435150(0000000001d00054) mm/pgtable-generic.c:33: bad pmd ffff8800d3624190(0000000001d00070) mm/pgtable-generic.c:33: bad pmd ffff8800d36a5110(0000000001d00054) mm/pgtable-generic.c:33: bad pmd ffff880118eb1450(0000000001d00054) NMI watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [systemd-journal:469] Modules linked in: e1000e CPU: 2 PID: 469 Comm: systemd-journal Not tainted 4.6.0-rc4-test+ #513 Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012 task: ffff880118f740c0 ti: ffff8800d4aec000 task.ti: ffff8800d4aec000 RIP: 0010:[] [] queued_spin_lock_slowpath+0x118/0x1a0 RSP: 0018:ffff8800d4aefb90 EFLAGS: 00000246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88011eb16d40 RDX: ffffffff82485760 RSI: 000000001f288820 RDI: ffffea0000008030 RBP: ffff8800d4aefb90 R08: 00000000000c0000 R09: 0000000000000000 R10: ffffffff821c8e0e R11: 0000000000000000 R12: ffff880000200fb8 R13: 00007f7a4e3f7000 R14: ffffea000303f600 R15: ffff8800d4b562e0 FS: 00007f7a4e3d7840(0000) GS:ffff88011eb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7a4e3f7000 CR3: 00000000d3e71000 CR4: 00000000001406e0 Call Trace: _raw_spin_lock+0x27/0x30 handle_pte_fault+0x13db/0x16b0 handle_mm_fault+0x312/0x670 __do_page_fault+0x1b1/0x4e0 do_page_fault+0x22/0x30 page_fault+0x28/0x30 __vfs_read+0x28/0xe0 vfs_read+0x86/0x130 SyS_read+0x46/0xa0 entry_SYSCALL_64_fastpath+0x1e/0xa8 Code: 12 48 c1 ea 0c 83 e8 01 83 e2 30 48 98 48 81 c2 40 6d 01 00 48 03 14 c5 80 6a 5d 82 48 89 0a 8b 41 08 85 c0 75 09 f3 90 8b 41 08 <85> c0 74 f7 4c 8b 09 4d 85 c9 74 08 41 0f 18 09 eb 02 f3 90 8b Reported-by: Łukasz Daniluk Signed-off-by: Steven Rostedt Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 49bd6aea0081161a3c3ad241b3ea733008c0ebe4 Author: Vineet Gupta Date: Tue Aug 16 18:27:07 2016 -0700 ARC: mm: fix build breakage with STRICT_MM_TYPECHECKS commit 1c3c909303924d30145601f47b6c058fdd2cbc2e upstream. | CC mm/memory.o | In file included from ../mm/memory.c:53:0: | ../include/linux/pfn_t.h: In function ‘pfn_t_pte’: | ../include/linux/pfn_t.h:78:2: error: conversion to non-scalar type requested | return pfn_pte(pfn_t_to_pfn(pfn), pgprot); With STRICT_MM_TYPECHECKS pte_t is a struct and the offending code forces a cast which ends up shifting a struct and hence the gcc warning. Note that in recent past some of the arches (aarch64, s390) made STRICT_MM_TYPECHECKS default, but we don't for ARC as this leads to slightly worse generated code, given ARC ABI definition of returning structs (which pte_t would become) Quoting from ARC ABI... "Results of type struct are returned in a caller-supplied temporary variable whose address is passed in r0. For such functions, the arguments are shifted so that they are passed in r1 and up." So - struct to be returned would be allocated on stack requiring extra code at call sites - callee updates stack memory to facilitate the return (vs. simple MOV into return reg r0) Hence STRICT_MM_TYPECHECKS is not enabled by default for ARC Signed-off-by: Vineet Gupta Signed-off-by: Greg Kroah-Hartman commit abe5aabf5c46788320bc3c74f888ef48f0cc1e2a Author: Jason Gunthorpe Date: Sun Jul 3 15:28:18 2016 +0300 IB/uverbs: Fix race between uverbs_close and remove_one commit d1e09f304a1d9651c5059ebfeb696dc2effc9b32 upstream. Fixes an oops that might happen if uverbs_close races with remove_one. Both contexts may run ib_uverbs_cleanup_ucontext, it depends on the flow. Currently, there is no protection for a case that remove_one didn't make the cleanup it runs to its end, the underlying ib_device was freed then uverbs_close will call ib_uverbs_cleanup_ucontext and OOPs. Above might happen if uverbs_close deleted the file from the list then remove_one didn't find it and runs to its end. Fixes to protect against that case by a new cleanup lock so that ib_uverbs_cleanup_ucontext will be called always before that remove_one is ended. Fixes: 35d4a0b63dc0 ("IB/uverbs: Fix race between ib_uverbs_open and remove_one") Reported-by: Devesh Sharma Signed-off-by: Jason Gunthorpe Signed-off-by: Yishai Hadas Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman commit 00918eaca8e2a8ed80034060a6100ae23f50b467 Author: Mike Snitzer Date: Wed Aug 24 21:12:58 2016 -0400 dm flakey: fix reads to be issued if drop_writes configured commit 299f6230bc6d0ccd5f95bb0fb865d80a9c7d5ccc upstream. v4.8-rc3 commit 99f3c90d0d ("dm flakey: error READ bios during the down_interval") overlooked the 'drop_writes' feature, which is meant to allow reads to be issued rather than errored, during the down_interval. Fixes: 99f3c90d0d ("dm flakey: error READ bios during the down_interval") Reported-by: Qu Wenruo Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit d0259cc85b4c37930c102c21c03f64b5afa25792 Author: Mateusz Guzik Date: Tue Aug 23 16:20:39 2016 +0200 audit: fix exe_file access in audit_exe_compare commit 5efc244346f9f338765da3d592f7947b0afdc4b5 upstream. Prior to the change the function would blindly deference mm, exe_file and exe_file->f_inode, each of which could have been NULL or freed. Use get_task_exe_file to safely obtain stable exe_file. Signed-off-by: Mateusz Guzik Acked-by: Konstantin Khlebnikov Acked-by: Richard Guy Briggs Signed-off-by: Paul Moore Signed-off-by: Greg Kroah-Hartman commit f750847daa22bee9cbb3309f11e8c2eef7bbe5c6 Author: Mateusz Guzik Date: Tue Aug 23 16:20:38 2016 +0200 mm: introduce get_task_exe_file commit cd81a9170e69e018bbaba547c1fd85a585f5697a upstream. For more convenient access if one has a pointer to the task. As a minor nit take advantage of the fact that only task lock + rcu are needed to safely grab ->exe_file. This saves mm refcount dance. Use the helper in proc_exe_link. Signed-off-by: Mateusz Guzik Acked-by: Konstantin Khlebnikov Acked-by: Richard Guy Briggs Signed-off-by: Paul Moore Signed-off-by: Greg Kroah-Hartman commit 0d57cbc66b9018f548f6f0dd3b1aff8bf1a214d2 Author: Thiago Jung Bauermann Date: Thu Sep 1 16:14:44 2016 -0700 kexec: fix double-free when failing to relocate the purgatory commit 070c43eea5043e950daa423707ae3c77e2f48edb upstream. If kexec_apply_relocations fails, kexec_load_purgatory frees pi->sechdrs and pi->purgatory_buf. This is redundant, because in case of error kimage_file_prepare_segments calls kimage_file_post_load_cleanup, which will also free those buffers. This causes two warnings like the following, one for pi->sechdrs and the other for pi->purgatory_buf: kexec-bzImage64: Loading purgatory failed ------------[ cut here ]------------ WARNING: CPU: 1 PID: 2119 at mm/vmalloc.c:1490 __vunmap+0xc1/0xd0 Trying to vfree() nonexistent vm area (ffffc90000e91000) Modules linked in: CPU: 1 PID: 2119 Comm: kexec Not tainted 4.8.0-rc3+ #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: dump_stack+0x4d/0x65 __warn+0xcb/0xf0 warn_slowpath_fmt+0x4f/0x60 ? find_vmap_area+0x19/0x70 ? kimage_file_post_load_cleanup+0x47/0xb0 __vunmap+0xc1/0xd0 vfree+0x2e/0x70 kimage_file_post_load_cleanup+0x5e/0xb0 SyS_kexec_file_load+0x448/0x680 ? putname+0x54/0x60 ? do_sys_open+0x190/0x1f0 entry_SYSCALL_64_fastpath+0x13/0x8f ---[ end trace 158bb74f5950ca2b ]--- Fix by setting pi->sechdrs an pi->purgatory_buf to NULL, since vfree won't try to free a NULL pointer. Link: http://lkml.kernel.org/r/1472083546-23683-1-git-send-email-bauerman@linux.vnet.ibm.com Signed-off-by: Thiago Jung Bauermann Acked-by: Baoquan He Cc: "Eric W. Biederman" Cc: Vivek Goyal Cc: Dave Young Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2f7e766bc1441f8bb7671bf0f1b894973eb81a0e Author: Trond Myklebust Date: Sun Sep 11 14:50:01 2016 -0400 NFSv4.1: Fix the CREATE_SESSION slot number accounting commit b519d408ea32040b1c7e10b155a3ee9a36660947 upstream. Ensure that we conform to the algorithm described in RFC5661, section 18.36.4 for when to bump the sequence id. In essence we do it for all cases except when the RPC call timed out, or in case of the server returning NFS4ERR_DELAY or NFS4ERR_STALE_CLIENTID. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 20e44c3acfa49a02645456047e9dc32274a6e559 Author: Trond Myklebust Date: Sat Sep 3 10:39:51 2016 -0400 pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised commit bf0291dd2267a2b9a4cd74d65249553d11bb45d6 upstream. According to RFC5661, the client is responsible for serialising LAYOUTGET and LAYOUTRETURN to avoid ambiguity. Consider the case where we send both in parallel. Client Server ====== ====== LAYOUTGET(seqid=X) LAYOUTRETURN(seqid=X) LAYOUTGET return seqid=X+1 LAYOUTRETURN return seqid=X+2 Process LAYOUTRETURN Forget layout stateid Process LAYOUTGET Set seqid=X+1 The client processes the layoutget/layoutreturn in the wrong order, and since the result of the layoutreturn was to clear the only existing layout segment, the client forgets the layout stateid. When the LAYOUTGET comes in, it is treated as having a completely new stateid, and so the client sets the wrong sequence id... Fix is to check if there are outstanding LAYOUTGET requests before we send the LAYOUTRETURN (note that LAYOUGET will already wait if it sees an outstanding LAYOUTRETURN). Signed-off-by: Trond Myklebust Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 1d13f37f6a3940226ff75ac7473b81bbd7ac6d37 Author: Chuck Lever Date: Wed Jul 13 16:40:14 2016 -0400 nfsd: Close race between nfsd4_release_lockowner and nfsd4_lock commit 885848186fbc2d1d8fb6d2fdc2156638ae289a46 upstream. nfsd4_release_lockowner finds a lock owner that has no lock state, and drops cl_lock. Then release_lockowner picks up cl_lock and unhashes the lock owner. During the window where cl_lock is dropped, I don't see anything preventing a concurrent nfsd4_lock from finding that same lock owner and adding lock state to it. Move release_lockowner() into nfsd4_release_lockowner and hang onto the cl_lock until after the lock owner's state cannot be found again. Found by inspection, we don't currently have a reproducer. Fixes: 2c41beb0e5cf ("nfsd: reduce cl_lock thrashing in ... ") Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 35c12ee60b5cd3d4531a36d07ca12c43484c3a19 Author: Trond Myklebust Date: Mon Aug 29 11:15:36 2016 -0400 NFSv4.x: Fix a refcount leak in nfs_callback_up_net commit 98b0f80c2396224bbbed81792b526e6c72ba9efa upstream. On error, the callers expect us to return without bumping nn->cb_users[]. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit ab8cf653505e6f9194b7be41388941dcc7560ef9 Author: Trond Myklebust Date: Tue Aug 23 11:19:33 2016 -0400 pNFS: The client must not do I/O to the DS if it's lease has expired commit b88fa69eaa8649f11828158c7b65c4bcd886ebd5 upstream. Ensure that the client conforms to the normative behaviour described in RFC5661 Section 12.7.2: "If a client believes its lease has expired, it MUST NOT send I/O to the storage device until it has validated its lease." So ensure that we wait for the lease to be validated before using the layout. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit a37004d339b848e987f2f0119e537a8ba8ffe285 Author: Tejun Heo Date: Fri Jun 17 17:51:17 2016 -0400 kernfs: don't depend on d_find_any_alias() when generating notifications commit df6a58c5c5aa8ecb1e088ecead3fa33ae70181f1 upstream. kernfs_notify_workfn() sends out file modified events for the scheduled kernfs_nodes. Because the modifications aren't from userland, it doesn't have the matching file struct at hand and can't use fsnotify_modify(). Instead, it looked up the inode and then used d_find_any_alias() to find the dentry and used fsnotify_parent() and fsnotify() directly to generate notifications. The assumption was that the relevant dentries would have been pinned if there are listeners, which isn't true as inotify doesn't pin dentries at all and watching the parent doesn't pin the child dentries even for dnotify. This led to, for example, inotify watchers not getting notifications if the system is under memory pressure and the matching dentries got reclaimed. It can also be triggered through /proc/sys/vm/drop_caches or a remount attempt which involves shrinking dcache. fsnotify_parent() only uses the dentry to access the parent inode, which kernfs can do easily. Update kernfs_notify_workfn() so that it uses fsnotify() directly for both the parent and target inodes without going through d_find_any_alias(). While at it, supply the target file name to fsnotify() from kernfs_node->name. Signed-off-by: Tejun Heo Reported-by: Evgeny Vereshchagin Fixes: d911d9874801 ("kernfs: make kernfs_notify() trigger inotify events too") Cc: John McCutchan Cc: Robert Love Cc: Eric Paris Signed-off-by: Greg Kroah-Hartman commit 2c6ae28f81d06c4d71438a0329f57ad5150e4529 Author: Paul Mackerras Date: Fri Sep 2 21:47:59 2016 +1000 powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET commit f077aaf0754bcba0fffdbd925bc12f09cd1e38aa upstream. In commit c60ac5693c47 ("powerpc: Update kernel VSID range", 2013-03-13) we lost a check on the region number (the top four bits of the effective address) for addresses below PAGE_OFFSET. That commit replaced a check that the top 18 bits were all zero with a check that bits 46 - 59 were zero (performed for all addresses, not just user addresses). This means that userspace can access an address like 0x1000_0xxx_xxxx_xxxx and we will insert a valid SLB entry for it. The VSID used will be the same as if the top 4 bits were 0, but the page size will be some random value obtained by indexing beyond the end of the mm_ctx_high_slices_psize array in the paca. If that page size is the same as would be used for region 0, then userspace just has an alias of the region 0 space. If the page size is different, then no HPTE will be found for the access, and the process will get a SIGSEGV (since hash_page_mm() will refuse to create a HPTE for the bogus address). The access beyond the end of the mm_ctx_high_slices_psize can be at most 5.5MB past the array, and so will be in RAM somewhere. Since the access is a load performed in real mode, it won't fault or crash the kernel. At most this bug could perhaps leak a little bit of information about blocks of 32 bytes of memory located at offsets of i * 512kB past the paca->mm_ctx_high_slices_psize array, for 1 <= i <= 11. Fixes: c60ac5693c47 ("powerpc: Update kernel VSID range") Signed-off-by: Paul Mackerras Reviewed-by: Aneesh Kumar K.V Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 76ddde66addcb24ee2e0a3f910dc533d5ee61a8f Author: Mukesh Ojha Date: Mon Aug 22 12:17:44 2016 +0530 powerpc/powernv : Drop reference added by kset_find_obj() commit a9cbf0b2195b695cbeeeecaa4e2770948c212e9a upstream. In a situation, where Linux kernel gets notified about duplicate error log from OPAL, it is been observed that kernel fails to remove sysfs entries (/sys/firmware/opal/elog/0xXXXXXXXX) of such error logs. This is because, we currently search the error log/dump kobject in the kset list via 'kset_find_obj()' routine. Which eventually increment the reference count by one, once it founds the kobject. So, unless we decrement the reference count by one after it found the kobject, we would not be able to release the kobject properly later. This patch adds the 'kobject_put()' which was missing earlier. Signed-off-by: Mukesh Ojha Reviewed-by: Vasant Hegde Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 53545131ecea3a41f4b1b4f6d8b04c8a2a78ac35 Author: Nicholas Piggin Date: Mon Jul 25 14:26:51 2016 +1000 powerpc/tm: do not use r13 for tabort_syscall commit cc7786d3ee7e3c979799db834b528db2c0834c2e upstream. tabort_syscall runs with RI=1, so a nested recoverable machine check will load the paca into r13 and overwrite what we loaded it with, because exceptions returning to privileged mode do not restore r13. Fixes: b4b56f9ecab4 (powerpc/tm: Abort syscalls in active transactions) Signed-off-by: Nick Piggin Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit e70bb22b8fc502757332d06a484696ce3efa9d2a Author: Jon Paul Maloy Date: Wed Sep 21 15:00:02 2016 +0200 tipc: move linearization of buffers to generic code commit c7cad0d6f70cd4ce8644ffe528a4df1cdc2e77f5 upstream. In commit 5cbb28a4bf65c7e4 ("tipc: linearize arriving NAME_DISTR and LINK_PROTO buffers") we added linearization of NAME_DISTRIBUTOR, LINK_PROTOCOL/RESET and LINK_PROTOCOL/ACTIVATE to the function tipc_udp_recv(). The location of the change was selected in order to make the commit easily appliable to 'net' and 'stable'. We now move this linearization to where it should be done, in the functions tipc_named_rcv() and tipc_link_proto_rcv() respectively. Reviewed-by: Ying Xue Signed-off-by: Jon Maloy Signed-off-by: David S. Miller Signed-off-by: Juerg Haefliger Signed-off-by: Greg Kroah-Hartman commit 8e81d6b8c1507fab84f00c860f4883739ad5ba20 Author: Wenwei Tao Date: Thu Feb 4 15:13:23 2016 +0100 lightnvm: put bio before return commit 16c6d048d7b74249a4387700887e8adb13028866 upstream. The bio is not returned if the data page cannot be allocated. Signed-off-by: Wenwei Tao Signed-off-by: Matias Bjørling Signed-off-by: Jens Axboe Cc: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit bf63b9d429357bcb4857259874e36a44855f56ae Author: Eric Biggers Date: Thu Sep 8 14:20:38 2016 -0700 fscrypto: require write access to mount to set encryption policy commit ba63f23d69a3a10e7e527a02702023da68ef8a6d upstream. Since setting an encryption policy requires writing metadata to the filesystem, it should be guarded by mnt_want_write/mnt_drop_write. Otherwise, a user could cause a write to a frozen or readonly filesystem. This was handled correctly by f2fs but not by ext4. Make fscrypt_process_policy() handle it rather than relying on the filesystem to get it right. Signed-off-by: Eric Biggers Cc: stable@vger.kernel.org # 4.1+; check fs/{ext4,f2fs} Signed-off-by: Theodore Ts'o Acked-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman commit 92c67861dab5e7ac2593609cb27d92751891e808 Author: Paolo Bonzini Date: Thu Sep 15 23:52:43 2016 +0200 Revert "KVM: x86: fix missed hardware breakpoints" [the change is part of 70e4da7a8ff62f2775337b705f45c804bb450454, which is already in stable kernels 4.1.y to 4.4.y. this part of the fix however was later undone, so remove the line again] The following patches were applied in the wrong order in -stable. This is the order as they appear in Linus' tree, [0] commit 4e422bdd2f84 ("KVM: x86: fix missed hardware breakpoints") [1] commit 172b2386ed16 ("KVM: x86: fix missed hardware breakpoints") [2] commit 70e4da7a8ff6 ("KVM: x86: fix root cause for missed hardware breakpoints") but this is the order for linux-4.4.y [1] commit fc90441e728a ("KVM: x86: fix missed hardware breakpoints") [2] commit 25e8618619a5 ("KVM: x86: fix root cause for missed hardware breakpoints") [0] commit 0f6e5e26e68f ("KVM: x86: fix missed hardware breakpoints") The upshot is that KVM_DEBUGREG_RELOAD is always set when returning from kvm_arch_vcpu_load() in stable, but not in Linus' tree. This happened because [0] and [1] are the same patch. [0] and [1] come from two different merges, and the later merge is trivially resolved; when [2] is applied it reverts both of them. Instead, when using the [1][2][0] order, patches applies normally but "KVM: x86: fix missed hardware breakpoints" is present in the final tree. Reported-by: Matt Fleming Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 717cb2d8cb5706415c43cbc04e39ed4a23692a3c Author: James Hogan Date: Fri Aug 19 14:30:29 2016 +0100 MIPS: KVM: Check for pfn noslot case commit ba913e4f72fc9cfd03dad968dfb110eb49211d80 upstream. When mapping a page into the guest we error check using is_error_pfn(), however this doesn't detect a value of KVM_PFN_NOSLOT, indicating an error HVA for the page. This can only happen on MIPS right now due to unusual memslot management (e.g. being moved / removed / resized), or with an Enhanced Virtual Memory (EVA) configuration where the default KVM_HVA_ERR_* and kvm_is_error_hva() definitions are unsuitable (fixed in a later patch). This case will be treated as a pfn of zero, mapping the first page of physical memory into the guest. It would appear the MIPS KVM port wasn't updated prior to being merged (in v3.10) to take commit 81c52c56e2b4 ("KVM: do not treat noslot pfn as a error pfn") into account (merged v3.8), which converted a bunch of is_error_pfn() calls to is_error_noslot_pfn(). Switch to using is_error_noslot_pfn() instead to catch this case properly. Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.") Signed-off-by: James Hogan Cc: Paolo Bonzini Cc: Radim Krčmář Cc: Ralf Baechle Cc: linux-mips@linux-mips.org Cc: kvm@vger.kernel.org Signed-off-by: Paolo Bonzini [james.hogan@imgtec.com: Backport to v4.7.y] Signed-off-by: James Hogan Signed-off-by: Greg Kroah-Hartman commit 5fa42205ab60c43c021983e6e27301dde103e3c3 Author: Chen-Yu Tsai Date: Thu Aug 25 14:26:59 2016 +0800 clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function commit b53e7d000d9e6e9fd2c6eb6b82d2783c67fd599e upstream. The bootloader (U-boot) sometimes uses this timer for various delays. It uses it as a ongoing counter, and does comparisons on the current counter value. The timer counter is never stopped. In some cases when the user interacts with the bootloader, or lets it idle for some time before loading Linux, the timer may expire, and an interrupt will be pending. This results in an unexpected interrupt when the timer interrupt is enabled by the kernel, at which point the event_handler isn't set yet. This results in a NULL pointer dereference exception, panic, and no way to reboot. Clear any pending interrupts after we stop the timer in the probe function to avoid this. Signed-off-by: Chen-Yu Tsai Signed-off-by: Daniel Lezcano Acked-by: Maxime Ripard Signed-off-by: Greg Kroah-Hartman commit 8d693a2e67b5793ee58d106fded28902b7fd0f72 Author: Eric Biggers Date: Thu Sep 8 10:57:08 2016 -0700 fscrypto: add authorization check for setting encryption policy commit 163ae1c6ad6299b19e22b4a35d5ab24a89791a98 upstream. On an ext4 or f2fs filesystem with file encryption supported, a user could set an encryption policy on any empty directory(*) to which they had readonly access. This is obviously problematic, since such a directory might be owned by another user and the new encryption policy would prevent that other user from creating files in their own directory (for example). Fix this by requiring inode_owner_or_capable() permission to set an encryption policy. This means that either the caller must own the file, or the caller must have the capability CAP_FOWNER. (*) Or also on any regular file, for f2fs v4.6 and later and ext4 v4.8-rc1 and later; a separate bug fix is coming for that. Signed-off-by: Eric Biggers Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit d8aafd0cd155f070d814b65d16bfc389519c0ac9 Author: Konstantin Khlebnikov Date: Sun Mar 13 17:29:06 2016 -0400 ext4: use __GFP_NOFAIL in ext4_free_blocks() commit adb7ef600cc9d9d15ecc934cc26af5c1379777df upstream. This might be unexpected but pages allocated for sbi->s_buddy_cache are charged to current memory cgroup. So, GFP_NOFS allocation could fail if current task has been killed by OOM or if current memory cgroup has no free memory left. Block allocator cannot handle such failures here yet. Signed-off-by: Konstantin Khlebnikov Signed-off-by: Theodore Ts'o Cc: Jan Kara Signed-off-by: Greg Kroah-Hartman