commit 1f2ce4a2e7aea3a2123b17aff62a80553df31e21 Author: Greg Kroah-Hartman Date: Mon Nov 9 14:34:10 2015 -0800 Linux 4.1.13 commit 50eda1546d87542d21eb5a69caf4f046a4bb416e Author: Dong Aisheng Date: Wed Jul 22 20:53:02 2015 +0800 dts: imx6: fix sd card gpio polarity specified in device tree commit 89c1a8cf63f8c69dfddb6e377c04df8b25ab1c88 upstream. cd-gpios polarity should be changed to GPIO_ACTIVE_LOW and wp-gpios should be changed to GPIO_ACTIVE_HIGH. Otherwise, the SD may not work properly due to wrong polarity inversion specified in DT after switch to common parsing function mmc_of_parse(). Signed-off-by: Dong Aisheng Acked-by: Shawn Guo Signed-off-by: Ulf Hansson Signed-off-by: Fabio Estevam Signed-off-by: Greg Kroah-Hartman commit e4338aeff6aab3640c2925844f4e5e53746cd3d9 Author: Greg Kroah-Hartman Date: Fri Nov 6 11:07:07 2015 -0800 xen: fix backport of previous kexec patch Fixes the backport of 0b34a166f291d255755be46e43ed5497cdd194f2 upstream Commit 0b34a166f291d255755be46e43ed5497cdd194f2 "x86/xen: Support kexec/kdump in HVM guests by doing a soft reset" has been added to the 4.2-stable tree" needed to correct the CONFIG variable, as CONFIG_KEXEC_CORE only showed up in 4.3. Reported-by: David Vrabel Reported-by: Luis Henriques Signed-off-by: Greg Kroah-Hartman commit cdfdd2ea3f8a5e80f7a350ee08b2d6fef0c6db0f Author: Soeren Grunewald Date: Thu Jun 11 09:25:04 2015 +0200 serial: 8250_pci: Add support for 12 port Exar boards commit be32c0cf0462c36f482b5ddcff1d8371be1e183c upstream. The Exar XR17V358 can also be combined with a XR17V354 chip to act as a single 12 port chip. This works the same way as the combining two XR17V358 chips. But the reported device id then is 0x4358. Signed-off-by: Soeren Grunewald Signed-off-by: Greg Kroah-Hartman commit 709adbf08f54b646159c3524144dfb09af59b8cb Author: Mika Westerberg Date: Mon Aug 17 16:03:17 2015 +0300 pinctrl: baytrail: Use raw_spinlock for locking commit 78e1c896932df5b8bcdff7bf5417d8e72a4d0d6b upstream. The Intel Baytrail pinctrl driver implements irqchip callbacks which are called with desc->lock raw_spinlock held. In mainline this is fine because spinlock resolves to raw_spinlock. However, running the same code in -rt we get: BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:917 in_atomic(): 1, irqs_disabled(): 1, pid: 0, name: swapper/0 Preemption disabled at:[] cpu_startup_entry+0x17f/0x480 CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.1.5-rt5 #13 ... Call Trace: [] dump_stack+0x4a/0x61 [] ___might_sleep+0xe7/0x170 [] rt_spin_lock+0x1f/0x50 [] byt_gpio_clear_triggering+0x38/0x60 [] byt_irq_mask+0x11/0x20 [] handle_level_irq+0x83/0x150 [] generic_handle_irq+0x27/0x40 [] byt_gpio_irq_handler+0x7f/0xc0 [] handle_irq+0xaa/0x190 ... This is because in -rt spinlocks are preemptible so taking the driver private spinlock in irqchip callbacks causes might_sleep() to trigger. In order to keep -rt happy but at the same time make sure that register accesses get serialized, convert the driver to use raw_spinlock instead. Also shorten the critical section a bit in few places. Suggested-by: Linus Walleij Signed-off-by: Mika Westerberg Signed-off-by: Linus Walleij Cc: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit 7b4744eee459a9c521e538907ee822318e9b303e Author: Mika Westerberg Date: Tue Aug 4 15:03:14 2015 +0300 pinctrl: baytrail: Serialize all register access commit 39ce8150a079e3ae6ed9abf26d7918a558ef7c19 upstream. There is a hardware issue in Intel Baytrail where concurrent GPIO register access might result reads of 0xffffffff and writes might get dropped completely. Prevent this from happening by taking the serializing lock in all places where it is possible that more than one thread might be accessing the hardware concurrently. Signed-off-by: Mika Westerberg Signed-off-by: Linus Walleij Cc: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit dc14f050d2a7bd60b32179f842a72e376cfd467b Author: Minchan Kim Date: Thu Oct 22 13:32:19 2015 -0700 thp: use is_zero_pfn() only after pte_present() check commit 47aee4d8e314384807e98b67ade07f6da476aa75 upstream. Use is_zero_pfn() on pteval only after pte_present() check on pteval (It might be better idea to introduce is_zero_pte() which checks pte_present() first). Otherwise when working on a swap or migration entry and if pte_pfn's result is equal to zero_pfn by chance, we lose user's data in __collapse_huge_page_copy(). So if you're unlucky, the application segfaults and finally you could see below message on exit: BUG: Bad rss-counter state mm:ffff88007f099300 idx:2 val:3 Fixes: ca0984caa823 ("mm: incorporate zero pages into transparent huge pages") Signed-off-by: Minchan Kim Reviewed-by: Andrea Arcangeli Acked-by: Kirill A. Shutemov Cc: Mel Gorman Acked-by: Vlastimil Babka Cc: Hugh Dickins Cc: Rik van Riel Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 435d5d7f3a0dd62dc1465c314e338f159fb7d43a Author: Thomas Hellstrom Date: Mon Sep 14 01:13:11 2015 -0700 drm/vmwgfx: Fix up user_dmabuf refcounting commit 54c12bc374408faddbff75dbf1a6167c19af39c4 upstream. If user space calls unreference on a user_dmabuf it will typically kill the struct ttm_base_object member which is responsible for the user-space visibility. However the dmabuf part may still be alive and refcounted. In some situations, like for shared guest-backed surface referencing/opening, the driver may try to reference the struct ttm_base_object member again, causing an immediate kernel warning and a later kernel NULL pointer dereference. Fix this by always maintaining a reference on the struct ttm_base_object member, in situations where it might subsequently be referenced. Signed-off-by: Thomas Hellstrom Reviewed-by: Brian Paul Reviewed-by: Sinclair Yeh Signed-off-by: Greg Kroah-Hartman commit a1638a11d9fb9457a8a5a9cc1a00e59ca56c8fe3 Author: Keith Busch Date: Thu Oct 15 13:38:48 2015 -0600 NVMe: Fix memory leak on retried commands commit 0dfc70c33409afc232ef0b9ec210535dfbf9bc61 upstream. Resources are reallocated for requeued commands, so unmap and release the iod for the failed command. It's a pretty bad memory leak and causes a kernel hang if you remove a drive because of a busy dma pool. You'll get messages spewing like this: nvme 0000:xx:xx.x: dma_pool_destroy prp list 256, ffff880420dec000 busy and lock up pci and the driver since removal never completes while holding a lock. Signed-off-by: Keith Busch Reviewed-by: Christoph Hellwig Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 599f528a90026dd61533aa5145e64cc0ac3625ae Author: Will Deacon Date: Thu Oct 15 13:55:53 2015 +0100 arm64: compat: fix stxr failure case in SWP emulation commit 589cb22bbedacf325951014c07a35a2b01ca57f6 upstream. If the STXR instruction fails in the SWP emulation code, we leave *data overwritten with the loaded value, therefore corrupting the data written by a subsequent, successful attempt. This patch re-jigs the code so that we only write back to *data once we know that the update has happened. Fixes: bd35a4adc413 ("arm64: Port SWP/SWPB emulation support from arm") Reported-by: Shengjiu Wang Reported-by: Vladimir Murzin Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit dbf2a8c020446889a5214c3f91fd69442cd2cd86 Author: Lorenzo Pieralisi Date: Tue Oct 27 17:29:10 2015 +0000 arm64: kernel: fix tcr_el1.t0sz restore on systems with extended idmap commit e13d918a19a7b6cba62b32884f5e336e764c2cc6 upstream. Commit dd006da21646 ("arm64: mm: increase VA range of identity map") introduced a mechanism to extend the virtual memory map range to support arm64 systems with system RAM located at very high offset, where the identity mapping used to enable/disable the MMU requires additional translation levels to map the physical memory at an equal virtual offset. The kernel detects at boot time the tcr_el1.t0sz value required by the identity mapping and sets-up the tcr_el1.t0sz register field accordingly, any time the identity map is required in the kernel (ie when enabling the MMU). After enabling the MMU, in the cold boot path the kernel resets the tcr_el1.t0sz to its default value (ie the actual configuration value for the system virtual address space) so that after enabling the MMU the memory space translated by ttbr0_el1 is restored as expected. Commit dd006da21646 ("arm64: mm: increase VA range of identity map") also added code to set-up the tcr_el1.t0sz value when the kernel resumes from low-power states with the MMU off through cpu_resume() in order to effectively use the identity mapping to enable the MMU but failed to add the code required to restore the tcr_el1.t0sz to its default value, when the core returns to the kernel with the MMU enabled, so that the kernel might end up running with tcr_el1.t0sz value set-up for the identity mapping which can be lower than the value required by the actual virtual address space, resulting in an erroneous set-up. This patchs adds code in the resume path that restores the tcr_el1.t0sz default value upon core resume, mirroring this way the cold boot path behaviour therefore fixing the issue. Cc: Catalin Marinas Fixes: dd006da21646 ("arm64: mm: increase VA range of identity map") Acked-by: Ard Biesheuvel Signed-off-by: Lorenzo Pieralisi Signed-off-by: James Morse Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit fb1de80c1b15980a0e5109d00fd2ffad30563de3 Author: Sudeep Holla Date: Thu Jun 18 15:41:32 2015 +0100 arm64: kernel: rename __cpu_suspend to keep it aligned with arm commit af391b15f7b56ce19f52862d36595637dd42b575 upstream. This patch renames __cpu_suspend to cpu_suspend so that it's aligned with ARM32. It also removes the redundant wrapper created. This is in preparation to implement generic PSCI system suspend using the cpu_{suspend,resume} which now has the same interface on both ARM and ARM64. Cc: Mark Rutland Reviewed-by: Lorenzo Pieralisi Reviewed-by: Ashwin Chaugule Signed-off-by: Sudeep Holla Signed-off-by: Catalin Marinas Signed-off-by: Greg Kroah-Hartman commit 82696471b9c72e4b996e009bb6b4ee432c175582 Author: Srinivas Pandruvada Date: Thu Oct 15 12:34:21 2015 -0700 cpufreq: intel_pstate: Fix divide by zero on Knights Landing (KNL) commit 8e601a9f97a00bab031980de34f9a81891c1f82f upstream. This is a workaround for KNL platform, where in some cases MPERF counter will not have updated value before next read of MSR_IA32_MPERF. In this case divide by zero will occur. This change ignores current sample for busy calculation in this case. Fixes: b34ef932d79a (intel_pstate: Knights Landing support) Signed-off-by: Srinivas Pandruvada Acked-by: Kristen Carlson Accardi Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 5a52c0e04133b418583244918b3fda8bd3b87d43 Author: Doron Tsur Date: Sun Oct 11 15:58:17 2015 +0300 IB/cm: Fix rb-tree duplicate free and use-after-free commit 0ca81a2840f77855bbad1b9f172c545c4dc9e6a4 upstream. ib_send_cm_sidr_rep could sometimes erase the node from the sidr (depending on errors in the process). Since ib_send_cm_sidr_rep is called both from cm_sidr_req_handler and cm_destroy_id, cm_id_priv could be either erased from the rb_tree twice or not erased at all. Fixing that by making sure it's erased only once before freeing cm_id_priv. Fixes: a977049dacde ('[PATCH] IB: Add the kernel CM implementation') Signed-off-by: Doron Tsur Signed-off-by: Matan Barak Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman commit ee03d02ebc5dd0ee414fc47eb3992e8d3aa7396e Author: Christian Engelmayer Date: Wed Oct 21 00:50:06 2015 +0200 btrfs: fix possible leak in btrfs_ioctl_balance() commit 0f89abf56abbd0e1c6e3cef9813e6d9f05383c1e upstream. Commit 8eb934591f8b ("btrfs: check unsupported filters in balance arguments") adds a jump to exit label out_bargs in case the argument check fails. At this point in addition to the bargs memory, the memory for struct btrfs_balance_control has already been allocated. Ownership of bctl is passed to btrfs_balance() in the good case, thus the memory is not freed due to the introduced jump. Make sure that the memory gets freed in any case as necessary. Detected by Coverity CID 1328378. Signed-off-by: Christian Engelmayer Reviewed-by: David Sterba Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit d35e462164987724e4a1d20a55351e52181464aa Author: Linus Walleij Date: Tue Mar 3 09:52:20 2015 +0100 MFD/OF: document MFD devices and handle simple-mfd commit 22869a9eca4ea5b534538d160b68c7aef44e378a upstream. This defines a new compatible option for MFD devices "simple-mfd" that will make the OF core spawn child devices for all subnodes of that MFD device. It is optional but handy for things like syscon and possibly other simpler MFD devices. Since there was no file to put the documentation in, I took this opportunity to make a small writeup on MFD devices and add the compatible definition there. Suggested-by: Lee Jones Acked-by: Lee Jones Acked-by: Antoine Tenart Acked-by: Alexandre Belloni Cc: Arnd Bergmann Cc: Devicetree Cc: Rob Herring Cc: Benjamin Herrenschmidt Cc: Grant Likely Cc: Pawel Moll Cc: Mark Rutland Cc: Ian Campbell Cc: Kumar Gala Signed-off-by: Linus Walleij Cc: Henrik Juul Pedersen Signed-off-by: Greg Kroah-Hartman commit e12243dc14b81bc5c4e6e82b0b9ff9911a060a30 Author: Dāvis Mosāns Date: Fri Aug 21 07:29:22 2015 +0300 mvsas: Fix NULL pointer dereference in mvs_slot_task_free commit 2280521719e81919283b82902ac24058f87dfc1b upstream. When pci_pool_alloc fails in mvs_task_prep then task->lldd_task stays NULL but it's later used in mvs_abort_task as slot which is passed to mvs_slot_task_free causing NULL pointer dereference. Just return from mvs_slot_task_free when passed with NULL slot. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=101891 Signed-off-by: Dāvis Mosāns Reviewed-by: Tomas Henzl Reviewed-by: Johannes Thumshirn Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit f37c8c0acecff7edaec3bdd5ea84765e2058edb6 Author: Lucas Stach Date: Sun Oct 25 16:39:12 2015 +0100 irqchip/tegra: Propagate IRQ type setting to parent commit 209da39154837ec1b69fb34f438041939911e4b4 upstream. The LIC doesn't deal with the different types of interrupts itself but needs to forward calls to set the appropriate type to its parent IRQ controller. Without this fix all IRQs routed through the LIC will stay at the initial EDGE type, while most of them should actually be level triggered. Fixes: 1eec582158e2 "irqchip: tegra: Add Tegra210 support" Signed-off-by: Lucas Stach Cc: Stephen Warren Cc: Thierry Reding Cc: Alexandre Courbot Cc: Jason Cooper Cc: Marc Zyngier Link: http://lkml.kernel.org/r/1445787552-13062-1-git-send-email-dev@lynxeye.de Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit e4b49886889e2e3feb166b9718cbcae61c001a34 Author: Seth Jennings Date: Wed Aug 5 13:16:01 2015 -0500 EDAC, sb_edac: Fix TAD presence check for sbridge_mci_bind_devs() commit 2900ea609616c2651dec65312beeb2a6e536bc50 upstream. In commit 7d375bffa524 ("sb_edac: Fix support for systems with two home agents per socket") NUM_CHANNELS was changed to 8 and the channel space was renumerated to handle EN, EP, and EX configurations. The *_mci_bind_devs() functions - except for sbridge_mci_bind_devs() - got a new device presence check in the form of saw_chan_mask. However, sbridge_mci_bind_devs() still uses the NUM_CHANNELS for loop. With the increase in NUM_CHANNELS, this loop fails at index 4 since SB only has 4 TADs. This results in the following error on SB machines: EDAC sbridge: Some needed devices are missing EDAC sbridge: Couldn't find mci handler EDAC sbridge: Couldn't find mci handle This patch adapts the saw_chan_mask logic for sbridge_mci_bind_devs() as well. After this patch: EDAC MC0: Giving out device to module sbridge_edac.c controller Sandy Bridge Socket#0: DEV 0000:3f:0e.0 (POLLED) EDAC MC1: Giving out device to module sbridge_edac.c controller Sandy Bridge Socket#1: DEV 0000:7f:0e.0 (POLLED) Signed-off-by: Seth Jennings Acked-by: Aristeu Rozanski Acked-by: Tony Luck Tested-by: Borislav Petkov Cc: Mauro Carvalho Chehab Cc: linux-edac Link: http://lkml.kernel.org/r/1438798561-10180-1-git-send-email-sjenning@redhat.com Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman commit bd4009424ef161c0d07ca48ce00bf2d81658ca21 Author: NeilBrown Date: Sat Oct 31 11:00:56 2015 +1100 Revert "md: allow a partially recovered device to be hot-added to an array." commit d01552a76d71f9879af448e9142389ee9be6e95b upstream. This reverts commit 7eb418851f3278de67126ea0c427641ab4792c57. This commit is poorly justified, I can find not discusison in email, and it clearly causes a problem. If a device which is being recovered fails and is subsequently re-added to an array, there could easily have been changes to the array *before* the point where the recovery was up to. So the recovery must start again from the beginning. If a spare is being recovered and fails, then when it is re-added we really should do a bitmap-based recovery up to the recovery-offset, and then a full recovery from there. Before this reversion, we only did the "full recovery from there" which is not corect. After this reversion with will do a full recovery from the start, which is safer but not ideal. It will be left to a future patch to arrange the two different styles of recovery. Reported-and-tested-by: Nate Dailey Signed-off-by: NeilBrown Fixes: 7eb418851f32 ("md: allow a partially recovered device to be hot-added to an array.") Signed-off-by: Greg Kroah-Hartman commit a89e9e234a84bf9a67586f57f4e027c880439383 Author: Roman Gushchin Date: Sat Oct 31 10:53:50 2015 +1100 md/raid5: fix locking in handle_stripe_clean_event() commit b8a9d66d043ffac116100775a469f05f5158c16f upstream. After commit 566c09c53455 ("raid5: relieve lock contention in get_active_stripe()") __find_stripe() is called under conf->hash_locks + hash. But handle_stripe_clean_event() calls remove_hash() under conf->device_lock. Under some cirscumstances the hash chain can be circuited, and we get an infinite loop with disabled interrupts and locked hash lock in __find_stripe(). This leads to hard lockup on multiple CPUs and following system crash. I was able to reproduce this behavior on raid6 over 6 ssd disks. The devices_handle_discard_safely option should be set to enable trim support. The following script was used: for i in `seq 1 32`; do dd if=/dev/zero of=large$i bs=10M count=100 & done neilb: original was against a 3.x kernel. I forward-ported to 4.3-rc. This verison is suitable for any kernel since Commit: 59fc630b8b5f ("RAID5: batch adjacent full stripe write") (v4.1+). I'll post a version for earlier kernels to stable. Signed-off-by: Roman Gushchin Fixes: 566c09c53455 ("raid5: relieve lock contention in get_active_stripe()") Signed-off-by: NeilBrown Cc: Shaohua Li Signed-off-by: Greg Kroah-Hartman commit e73ccce0672d430409dd021735d658bdcd78656e Author: Jes Sorensen Date: Tue Oct 20 12:09:13 2015 -0400 md/raid10: submit_bio_wait() returns 0 on success commit 681ab4696062f5aa939c9e04d058732306a97176 upstream. This was introduced with 9e882242c6193ae6f416f2d8d8db0d9126bd996b which changed the return value of submit_bio_wait() to return != 0 on error, but didn't update the caller accordingly. Fixes: 9e882242c6 ("block: Add submit_bio_wait(), remove from md") Reported-by: Bill Kuzeja Signed-off-by: Jes Sorensen Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 26b70a8981b22f03f677dd569b5c8191ade40848 Author: Jes Sorensen Date: Tue Oct 20 12:09:12 2015 -0400 md/raid1: submit_bio_wait() returns 0 on success commit 203d27b0226a05202438ddb39ef0ef1acb14a759 upstream. This was introduced with 9e882242c6193ae6f416f2d8d8db0d9126bd996b which changed the return value of submit_bio_wait() to return != 0 on error, but didn't update the caller accordingly. Fixes: 9e882242c6 ("block: Add submit_bio_wait(), remove from md") Reported-by: Bill Kuzeja Signed-off-by: Jes Sorensen Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 4f277ccd28e4525d8c7bbe2de27f2710de8d4368 Author: Herbert Xu Date: Mon Oct 19 18:23:57 2015 +0800 crypto: api - Only abort operations on fatal signal commit 3fc89adb9fa4beff31374a4bf50b3d099d88ae83 upstream. Currently a number of Crypto API operations may fail when a signal occurs. This causes nasty problems as the caller of those operations are often not in a good position to restart the operation. In fact there is currently no need for those operations to be interrupted by user signals at all. All we need is for them to be killable. This patch replaces the relevant calls of signal_pending with fatal_signal_pending, and wait_for_completion_interruptible with wait_for_completion_killable, respectively. Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 250f9c620c988485bea9499146a5c6a58f5b0e2e Author: Hans de Goede Date: Mon Oct 26 01:50:28 2015 -0700 Input: alps - only the Dell Latitude D420/430/620/630 have separate stick button bits commit 195562194aad3a0a3915941077f283bcc6347b9b upstream. commit 92bac83dd79e ("Input: alps - non interleaved V2 dualpoint has separate stick button bits") assumes that all alps v2 non-interleaved dual point setups have the separate stick button bits. Later we limited this to Dell laptops only because of reports that this broke things on non Dell laptops. Now it turns out that this breaks things on the Dell Latitude D600 too. So it seems that only the Dell Latitude D420/430/620/630, which all share the same touchpad / stick combo, have these separate bits. This patch limits the checking of the separate bits to only these models fixing regressions with other models. Reported-and-tested-by: Larry Finger Tested-by: Hans de Goede Signed-off-by: Hans de Goede Acked-By: Pali Rohár Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 7fd58acc9f6f751aebcee8288d020d959d815445 Author: David Howells Date: Fri Sep 18 11:45:22 2015 +0100 ovl: fix dentry reference leak commit ab79efab0a0ba01a74df782eb7fa44b044dae8b5 upstream. In ovl_copy_up_locked(), newdentry is leaked if the function exits through out_cleanup as this just to out after calling ovl_cleanup() - which doesn't actually release the ref on newdentry. The out_cleanup segment should instead exit through out2 as certainly newdentry leaks - and possibly upper does also, though this isn't caught given the catch of newdentry. Without this fix, something like the following is seen: BUG: Dentry ffff880023e9eb20{i=f861,n=#ffff880023e82d90} still in use (1) [unmount of tmpfs tmpfs] BUG: Dentry ffff880023ece640{i=0,n=bigfile} still in use (1) [unmount of tmpfs tmpfs] when unmounting the upper layer after an error occurred in copyup. An error can be induced by creating a big file in a lower layer with something like: dd if=/dev/zero of=/lower/a/bigfile bs=65536 count=1 seek=$((0xf000)) to create a large file (4.1G). Overlay an upper layer that is too small (on tmpfs might do) and then induce a copy up by opening it writably. Reported-by: Ulrich Obergfell Signed-off-by: David Howells Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit aa637cda1d17943103bde4263252e5215a1f2805 Author: David Howells Date: Fri Sep 18 11:45:12 2015 +0100 ovl: use O_LARGEFILE in ovl_copy_up() commit 0480334fa60488d12ae101a02d7d9e1a3d03d7dd upstream. Open the lower file with O_LARGEFILE in ovl_copy_up(). Pass O_LARGEFILE unconditionally in ovl_copy_up_data() as it's purely for catching 32-bit userspace dealing with a file large enough that it'll be mishandled if the application isn't aware that there might be an integer overflow. Inside the kernel, there shouldn't be any problems. Reported-by: Ulrich Obergfell Signed-off-by: David Howells Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 5c418f1bde8deab2ab636d64d4e8465bc22b0bb8 Author: Konstantin Khlebnikov Date: Mon Aug 24 15:57:19 2015 +0300 ovl: free lower_mnt array in ovl_put_super commit 5ffdbe8bf1e485026e1c7e4714d2841553cf0b40 upstream. This fixes memory leak after umount. Kmemleak report: unreferenced object 0xffff8800ba791010 (size 8): comm "mount", pid 2394, jiffies 4294996294 (age 53.920s) hex dump (first 8 bytes): 20 1c 13 02 00 88 ff ff ....... backtrace: [] create_object+0x124/0x2c0 [] kmemleak_alloc+0x7b/0xc0 [] __kmalloc+0x106/0x340 [] ovl_fill_super+0x55c/0x9b0 [overlay] [] mount_nodev+0x54/0xa0 [] ovl_mount+0x18/0x20 [overlay] [] mount_fs+0x43/0x170 [] vfs_kern_mount+0x74/0x170 [] do_mount+0x22d/0xdf0 [] SyS_mount+0x7b/0xc0 [] entry_SYSCALL_64_fastpath+0x12/0x76 [] 0xffffffffffffffff Signed-off-by: Konstantin Khlebnikov Signed-off-by: Miklos Szeredi Fixes: dd662667e6d3 ("ovl: add mutli-layer infrastructure") Signed-off-by: Greg Kroah-Hartman commit a03bd0e033ca7b1d5394ebf17cd6e2f6a3395478 Author: Konstantin Khlebnikov Date: Mon Aug 24 15:57:18 2015 +0300 ovl: free stack of paths in ovl_fill_super commit 0f95502ad84874b3c05fc7cdd9d4d9d5cddf7859 upstream. This fixes small memory leak after mount. Kmemleak report: unreferenced object 0xffff88003683fe00 (size 16): comm "mount", pid 2029, jiffies 4294909563 (age 33.380s) hex dump (first 16 bytes): 20 27 1f bb 00 88 ff ff 40 4b 0f 36 02 88 ff ff '......@K.6.... backtrace: [] create_object+0x124/0x2c0 [] kmemleak_alloc+0x7b/0xc0 [] __kmalloc+0x106/0x340 [] ovl_fill_super+0x389/0x9a0 [overlay] [] mount_nodev+0x54/0xa0 [] ovl_mount+0x18/0x20 [overlay] [] mount_fs+0x43/0x170 [] vfs_kern_mount+0x74/0x170 [] do_mount+0x22d/0xdf0 [] SyS_mount+0x7b/0xc0 [] entry_SYSCALL_64_fastpath+0x12/0x76 [] 0xffffffffffffffff Signed-off-by: Konstantin Khlebnikov Signed-off-by: Miklos Szeredi Fixes: a78d9f0d5d5c ("ovl: support multiple lower layers") Signed-off-by: Greg Kroah-Hartman commit ca9ba892ebc734af45a9b61d9bc4169f73f8e379 Author: Sasha Levin Date: Wed Oct 7 11:03:28 2015 -0500 PCI: Prevent out of bounds access in numa_node override commit 1266963170f576d4d08e6310b6963e26d3ff9d1e upstream. 63692df103e9 ("PCI: Allow numa_node override via sysfs") didn't check that the numa node provided by userspace is valid. Passing a node number too high would attempt to access invalid memory and trigger a kernel panic. Fixes: 63692df103e9 ("PCI: Allow numa_node override via sysfs") Signed-off-by: Sasha Levin Signed-off-by: Bjorn Helgaas Signed-off-by: Greg Kroah-Hartman commit 310b5f12920a7d329cf7258f8488d10d4f65b4e1 Author: Peter Zijlstra Date: Thu Aug 20 10:34:59 2015 +0930 module: Fix locking in symbol_put_addr() commit 275d7d44d802ef271a42dc87ac091a495ba72fc5 upstream. Poma (on the way to another bug) reported an assertion triggering: [] module_assert_mutex_or_preempt+0x49/0x90 [] __module_address+0x32/0x150 [] __module_text_address+0x16/0x70 [] symbol_put_addr+0x29/0x40 [] dvb_frontend_detach+0x7d/0x90 [dvb_core] Laura Abbott produced a patch which lead us to inspect symbol_put_addr(). This function has a comment claiming it doesn't need to disable preemption around the module lookup because it holds a reference to the module it wants to find, which therefore cannot go away. This is wrong (and a false optimization too, preempt_disable() is really rather cheap, and I doubt any of this is on uber critical paths, otherwise it would've retained a pointer to the actual module anyway and avoided the second lookup). While its true that the module cannot go away while we hold a reference on it, the data structure we do the lookup in very much _CAN_ change while we do the lookup. Therefore fix the comment and add the required preempt_disable(). Reported-by: poma Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Rusty Russell Fixes: a6e6abd575fc ("module: remove module_text_address()") Signed-off-by: Greg Kroah-Hartman commit 89d8953e76da25abcc74e0934267f70977e79582 Author: Cathy Avery Date: Fri Oct 2 09:35:01 2015 -0400 xen-blkfront: check for null drvdata in blkback_changed (XenbusStateClosing) commit a54c8f0f2d7df525ff997e2afe71866a1a013064 upstream. xen-blkfront will crash if the check to talk_to_blkback() in blkback_changed()(XenbusStateInitWait) returns an error. The driver data is freed and info is set to NULL. Later during the close process via talk_to_blkback's call to xenbus_dev_fatal() the null pointer is passed to and dereference in blkfront_closing. Signed-off-by: Cathy Avery Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit 01d369942901be5e54715047d0b88936ced31197 Author: Laura Abbott Date: Mon Oct 12 11:30:13 2015 +0300 xhci: Add spurious wakeup quirk for LynxPoint-LP controllers commit fd7cd061adcf5f7503515ba52b6a724642a839c8 upstream. We received several reports of systems rebooting and powering on after an attempted shutdown. Testing showed that setting XHCI_SPURIOUS_WAKEUP quirk in addition to the XHCI_SPURIOUS_REBOOT quirk allowed the system to shutdown as expected for LynxPoint-LP xHCI controllers. Set the quirk back. Note that the quirk was originally introduced for LynxPoint and LynxPoint-LP just for this same reason. See: commit 638298dc66ea ("xhci: Fix spurious wakeups after S5 on Haswell") It was later limited to only concern HP machines as it caused regression on some machines, see both bug and commit: Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=66171 commit 6962d914f317 ("xhci: Limit the spurious wakeup fix only to HP machines") Later it was discovered that the powering on after shutdown was limited to LynxPoint-LP (Haswell-ULT) and that some non-LP HP machine suffered from spontaneous resume from S3 (which should not be related to the SPURIOUS_WAKEUP quirk at all). An attempt to fix this then removed the SPURIOUS_WAKEUP flag usage completely. commit b45abacde3d5 ("xhci: no switching back on non-ULT Haswell") Current understanding is that LynxPoint-LP (Haswell ULT) machines need the SPURIOUS_WAKEUP quirk, otherwise they will restart, and plain Lynxpoint (Haswell) machines may _not_ have the quirk set otherwise they again will restart. Signed-off-by: Laura Abbott Cc: Takashi Iwai Cc: Oliver Neukum [Added more history to commit message -Mathias] Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 25713cfc86030924312dec2ba82667f2fb94856b Author: Mathias Nyman Date: Mon Oct 12 11:30:12 2015 +0300 xhci: handle no ping response error properly commit 3b4739b8951d650becbcd855d7d6f18ac98a9a85 upstream. If a host fails to wake up a isochronous SuperSpeed device from U1/U2 in time for a isoch transfer it will generate a "No ping response error" Host will then move to the next transfer descriptor. Handle this case in the same way as missed service errors, tag the current TD as skipped and handle it on the next transfer event. Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 783a9cc58acb0fd2d1c34bd620d524f664c47edf Author: Hezi Shahmoon Date: Tue Oct 20 16:32:24 2015 +0200 i2c: mv64xxx: really allow I2C offloading commit 0729a04977d497cf66234fd7f900ddcec3ef1c52 upstream. Commit 00d8689b85a7 ("i2c: mv64xxx: rework offload support to fix several problems") completely reworked the offload support, but left a debugging-related "return false" at the beginning of the mv64xxx_i2c_can_offload() function. This has the unfortunate consequence that offloading is in fact never used, which wasn't really the intention. This commit fixes that problem by removing the bogus "return false". Fixes: 00d8689b85a7 ("i2c: mv64xxx: rework offload support to fix several problems") Signed-off-by: Hezi Shahmoon [Thomas: reworked commit log and title.] Signed-off-by: Thomas Petazzoni Signed-off-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman commit 34a251c6eecaaf5e863ed366089e7ac9a5b78986 Author: Bjørn Mork Date: Thu Oct 22 14:24:24 2015 +0200 USB: qcserial: add Sierra Wireless MC74xx/EM74xx commit f504ab1888026d15b5be8f9c262bf4ae9cacd177 upstream. New device IDs shamelessly lifted from the vendor driver. Signed-off-by: Bjørn Mork Acked-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 2eed4a75bda13e54bd19d00f2c6ed00611d82327 Author: Frederic Danis Date: Fri Oct 9 17:14:56 2015 +0200 Revert "serial: 8250_dma: don't bother DMA with small transfers" commit f967fc8f165fadb72166f2bd4785094b3ca21307 upstream. This reverts commit 9119fba0cfeda6d415c9f068df66838a104b87cb. This commit prevents from sending "big" file using Bluetooth. When sending a lot of data quickly through the Bluetooth interface, and after a variable amount of data sent, transfer fails with error: kernel: [ 415.247453] Bluetooth: hci0 hardware error 0x00 Found on T100TA. After reverting this commit, send works fine for any file size. Signed-off-by: Frederic Danis Fixes: 9119fba0cfed (serial: 8250_dma: don't bother DMA with small transfers) Reviewed-by: Heikki Krogerus Acked-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 8104ee7b8f8bcfad0114cdad62dd3b4aea5fcf74 Author: Mike Snitzer Date: Thu Oct 22 10:56:40 2015 -0400 dm btree: fix leak of bufio-backed block in btree_split_beneath error path commit 4dcb8b57df3593dcb20481d9d6cf79d1dc1534be upstream. btree_split_beneath()'s error path had an outstanding FIXME that speaks directly to the potential for _not_ cleaning up a previously allocated bufio-backed block. Fix this by releasing the previously allocated bufio block using unlock_block(). Reported-by: Mikulas Patocka Signed-off-by: Mike Snitzer Acked-by: Joe Thornber Signed-off-by: Greg Kroah-Hartman commit f043d45591b6a6fd4ae2888a5dbbb53f8e50153b Author: Joe Thornber Date: Wed Oct 21 18:36:49 2015 +0100 dm btree remove: fix a bug when rebalancing nodes after removal commit 2871c69e025e8bc507651d5a9cf81a8a7da9d24b upstream. Commit 4c7e309340ff ("dm btree remove: fix bug in redistribute3") wasn't a complete fix for redistribute3(). The redistribute3 function takes 3 btree nodes and shares out the entries evenly between them. If the three nodes in total contained (MAX_ENTRIES * 3) - 1 entries between them then this was erroneously getting rebalanced as (MAX_ENTRIES - 1) on the left and right, and (MAX_ENTRIES + 1) in the center. Fix this issue by being more careful about calculating the target number of entries for the left and right nodes. Unit tested in userspace using this program: https://github.com/jthornber/redistribute3-test/blob/master/redistribute3_t.c Signed-off-by: Joe Thornber Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit c538a266b0214f8fcf76b93d374549493c526ae1 Author: Will Deacon Date: Wed Oct 28 16:56:13 2015 +0000 Revert "ARM64: unwind: Fix PC calculation" commit 9702970c7bd3e2d6fecb642a190269131d4ac16c upstream. This reverts commit e306dfd06fcb44d21c80acb8e5a88d55f3d1cf63. With this patch applied, we were the only architecture making this sort of adjustment to the PC calculation in the unwinder. This causes problems for ftrace, where the PC values are matched against the contents of the stack frames in the callchain and fail to match any records after the address adjustment. Whilst there has been some effort to change ftrace to workaround this, those patches are not yet ready for mainline and, since we're the odd architecture in this regard, let's just step in line with other architectures (like arch/arm/) for now. Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 62f362095ba8f7cc31c8f7a48e07bd9c871a6524 Author: H. Nikolaus Schaller Date: Wed Oct 28 19:00:26 2015 +0100 ARM: 8449/1: fix bug in vdsomunge swab32 macro commit 38850d786a799c3ff2de0dc1980902c3263698dc upstream. Commit 8a603f91cc48 ("ARM: 8445/1: fix vdsomunge not to depend on glibc specific byteswap.h") unfortunately introduced a bug created but not found during discussion and patch simplification. Reported-by: Efraim Yawitz Signed-off-by: H. Nikolaus Schaller Fixes: 8a603f91cc48 ("ARM: 8445/1: fix vdsomunge not to depend on glibc specific byteswap.h") Signed-off-by: Nathan Lynch Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 5c11cecb4671b380f0802c1fbe8833aad9d914d2 Author: H. Nikolaus Schaller Date: Fri Oct 16 22:19:06 2015 +0100 ARM: 8445/1: fix vdsomunge not to depend on glibc specific byteswap.h commit 8a603f91cc4848ab1a0458bc065aa9f64322e123 upstream. If the host toolchain is not glibc based then the arm kernel build fails with HOSTCC arch/arm/vdso/vdsomunge arch/arm/vdso/vdsomunge.c:48:22: fatal error: byteswap.h: No such file or directory Observed: with omap2plus_defconfig and compile on Mac OS X with arm ELF cross-compiler. Reason: byteswap.h is a glibc only header. Solution: replace by private byte-swapping macros (taken from arch/mips/boot/elf2ecoff.c and kindly improved by Russell King) Tested to compile on Mac OS X 10.9.5 host. Signed-off-by: H. Nikolaus Schaller Signed-off-by: Nathan Lynch Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit ec51ec401be08a6216f9a29249f733fcd0e74a17 Author: Timo Sigurdsson Date: Tue Aug 4 23:08:01 2015 +0200 ARM: dts: sunxi: Raise minimum CPU voltage for sun7i-a20 to meet SoC specifications commit eaeef1ad9b6ea6df1d1220c254d9563da60cb9d1 upstream. sun7i-a20.dtsi contains a cpufreq operating point at 0.9 volts. The minimum CPU voltage for the Allwinner A20 SoC, however, is 1.0 volts. Thus, raise the voltage for the lowest operating point to 1.0 volts in order to stay within the SoC specifications. It is an undervolted setting that isn't stable across all SoCs and boards out there. Fixes: d96b7161916f ("ARM: dts: sun7i: Add cpu clock reference and operating points to dtsi") Signed-off-by: Timo Sigurdsson Acked-by: Iain Paton Signed-off-by: Maxime Ripard Signed-off-by: Greg Kroah-Hartman commit 9e21e90e845f80a15ef2b3c9cb9793567e11af27 Author: Tomi Valkeinen Date: Fri Sep 25 16:02:03 2015 +0300 ARM: dts: am57xx-beagle-x15: set VDD_SD to always-on commit 7e381ec6a36aa44f15fc1a76e6efb9e2cd942e61 upstream. LDO1 regulator (VDD_SD) is connected to SoC's vddshv8. vddshv8 needs to be kept always powered (see commit 5a0f93c6576a ("ARM: dts: Add am57xx-beagle-x15"), but at the moment VDD_SD is enabled/disabled depending on whether an SD card is inserted or not. This patch sets LDO1 regulator to always-on. This patch has a side effect of fixing another issue, HDMI DDC not working when SD card is not inserted: Why this happens is that the tpd12s015 (HDMI level shifter/ESD protection chip) has LS_OE GPIO input, which needs to be enabled for the HDMI DDC to work. LS_OE comes from gpio6_28. The pin that provides gpio6_28 is powered by vddshv8, and vddshv8 comes from VDD_SD. So when SD card is not inserted, VDD_SD is disabled, and LS_OE stays off. The proper fix for the HDMI DDC issue would be to maybe have the pinctrl framework manage the pin specific power. Apparently this fixes also a third issue (copy paste from Kishon's patch): ldo1_reg in addition to being connected to the io lines is also connected to the card detect line. On card removal, omap_hsmmc driver does a regulator_disable causing card detect line to be pulled down. This raises a card insertion interrupt and once the MMC core detects there is no card inserted, it does a regulator disable which again raises a card insertion interrupt. This happens in a loop causing infinite MMC interrupts. Fixes: 5a0f93c6576a ("ARM: dts: Add am57xx-beagle-x15") Cc: Kishon Vijay Abraham I Signed-off-by: Tomi Valkeinen Reported-by: Louis McCarthy Acked-by: Nishanth Menon Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit cad2d6d21eb4f335a03f43da2deaa50a327294b1 Author: Alim Akhtar Date: Tue Oct 13 04:32:53 2015 +0900 ARM: dts: Fix audio card detection on Peach boards commit b8bb9baad27e455c467e8fac47eebadbe765c18f upstream. Since commit 2fad972d45c4 ("ARM: dts: Add mclk entry for Peach boards"), sound card detection is broken on peach boards and gives below errors: [ 3.630457] max98090 7-0010: MAX98091 REVID=0x51 [ 3.634233] max98090 7-0010: use default 2.8v micbias [ 3.640985] snow-audio sound: HiFi <-> 3830000.i2s mapping ok [ 3.645307] max98090 7-0010: Invalid master clock frequency [ 3.650824] snow-audio sound: ASoC: Peach-Pi-I2S-MAX98091 late_probe() failed: -22 [ 3.658914] snow-audio sound: snd_soc_register_card failed (-22) [ 3.664366] snow-audio: probe of sound failed with error -22 This patch adds missing assigned-clocks and assigned-clock-parents for pmu_system_controller node which is used as "mclk" for audio codec. Fixes: 2fad972d45c4 ("ARM: dts: Add mclk entry for Peach boards") Signed-off-by: Alim Akhtar Reviewed-by: Krzysztof Kozlowski Signed-off-by: Kukjin Kim Signed-off-by: Greg Kroah-Hartman commit af50e1769ca3edf7239890059e7877e7513d1098 Author: Marcin Wojtas Date: Thu Oct 15 03:17:08 2015 +0200 ARM: mvebu: correct a385-db-ap compatible string commit db347f1a5304d68c68c52f19971924b1e5842f3c upstream. This commit enables standby support on Armada 385 DB-AP board, because the PM initalization routine requires "marvell,armada380" compatible string for all Armada 38x-based platforms. Beside the compatible "marvell,armada38x" was wrong and should be fixed in the stable kernels too. [gregory.clement@free-electrons.com: add information, about the fixes] Fixes: e5ee12817e9ea ("ARM: mvebu: Add Armada 385 Access Point Development Board support") Signed-off-by: Marcin Wojtas Signed-off-by: Gregory CLEMENT Signed-off-by: Greg Kroah-Hartman commit 17a85a76a2cfa579060efcd7c25e0daa134c2746 Author: Florian Fainelli Date: Sat Oct 3 13:03:47 2015 -0700 ARM: orion: Fix DSA platform device after mvmdio conversion commit d836ace65ee98d7079bc3c5afdbcc0e27dca20a3 upstream. DSA expects the host_dev pointer to be the device structure associated with the MDIO bus controller driver. First commit breaking that was c3a07134e6aa ("mv643xx_eth: convert to use the Marvell Orion MDIO driver"), and then, it got completely under the radar for a while. Reported-by: Frans van de Wiel Fixes: c3a07134e6aa ("mv643xx_eth: convert to use the Marvell Orion MDIO driver") Signed-off-by: Florian Fainelli Signed-off-by: Gregory CLEMENT Signed-off-by: Greg Kroah-Hartman commit 1e335cfce3d1fe07b754f2efd0781e8d58f1e675 Author: Ilya Dryomov Date: Sun Oct 11 19:38:00 2015 +0200 rbd: prevent kernel stack blow up on rbd map commit 6d69bb536bac0d403d83db1ca841444981b280cd upstream. Mapping an image with a long parent chain (e.g. image foo, whose parent is bar, whose parent is baz, etc) currently leads to a kernel stack overflow, due to the following recursion in the reply path: rbd_osd_req_callback() rbd_obj_request_complete() rbd_img_obj_callback() rbd_img_parent_read_callback() rbd_obj_request_complete() ... Limit the parent chain to 16 images, which is ~5K worth of stack. When the above recursion is eliminated, this limit can be lifted. Fixes: http://tracker.ceph.com/issues/12538 Signed-off-by: Ilya Dryomov Reviewed-by: Josh Durgin [idryomov@gmail.com: backport to 4.1: rbd_dev->opts] Signed-off-by: Greg Kroah-Hartman commit 10f560cde4edf75af70eb55c0e55b3a04fcb6b31 Author: Ilya Dryomov Date: Sun Oct 11 19:38:00 2015 +0200 rbd: don't leak parent_spec in rbd_dev_probe_parent() commit 1f2c6651f69c14d0d3a9cfbda44ea101b02160ba upstream. Currently we leak parent_spec and trigger a "parent reference underflow" warning if rbd_dev_create() in rbd_dev_probe_parent() fails. The problem is we take the !parent out_err branch and that only drops refcounts; parent_spec that would've been freed had we called rbd_dev_unparent() remains and triggers rbd_warn() in rbd_dev_parent_put() - at that point we have parent_spec != NULL and parent_ref == 0, so counter ends up being -1 after the decrement. Redo rbd_dev_probe_parent() to fix this. Signed-off-by: Ilya Dryomov [idryomov@gmail.com: backport to < 4.2: rbd_dev->opts] Reviewed-by: Alex Elder Signed-off-by: Greg Kroah-Hartman commit 3c38392d5697f28d62a2a910c2ec7aa700d0b2ad Author: Ronny Hegewald Date: Thu Oct 15 18:50:46 2015 +0000 rbd: require stable pages if message data CRCs are enabled commit bae818ee1577c27356093901a0ea48f672eda514 upstream. rbd requires stable pages, as it performs a crc of the page data before they are send to the OSDs. But since kernel 3.9 (patch 1d1d1a767206fbe5d4c69493b7e6d2a8d08cc0a0 "mm: only enforce stable page writes if the backing device requires it") it is not assumed anymore that block devices require stable pages. This patch sets the necessary flag to get stable pages back for rbd. In a ceph installation that provides multiple ext4 formatted rbd devices "bad crc" messages appeared regularly (ca 1 message every 1-2 minutes on every OSD that provided the data for the rbd) in the OSD-logs before this patch. After this patch this messages are pretty much gone (only ca 1-2 / month / OSD). Signed-off-by: Ronny Hegewald [idryomov@gmail.com: require stable pages only in crc case, changelog] [idryomov@gmail.com: backport to 3.18-4.2: context] Signed-off-by: Ilya Dryomov Signed-off-by: Greg Kroah-Hartman commit d3f3bbe554198c39f2e8e69b92c87444ae4273c4 Author: Dan Carpenter Date: Sat Aug 8 22:16:42 2015 +0300 iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb() commit eda7d0f38aaf50dbb2a2de15e8db386c4f6f65fc upstream. "num_read" is in byte units but we are write u16s so we end up write twice as much as intended. Signed-off-by: Dan Carpenter Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 49ffed3bf81c2da2ba1958df661d2f0580a2335c Author: Linus Walleij Date: Wed Sep 2 21:02:58 2015 +0200 iio: st_accel: fix interrupt handling on LIS3LV02 commit 61fd56309165d4790f99462d893b099f0b07312a upstream. This accelerometer accidentally either emits a DRDY signal or an IRQ signal. Accidentally I activated the IRQ signal as I thought it was analogous to the interrupt generator on other ST accelerometers. This was wrong. After this patch generic_buffer gives a nice stream of accelerometer readings. Fixes: 3acddf74f807778f "iio: st-sensors: add support for lis3lv02d accelerometer" Cc: Denis CIOCCA Signed-off-by: Linus Walleij Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit b13d8c95f5e0de81892045ec4d8633ab9fc025fd Author: Alexandre Belloni Date: Wed Oct 7 13:10:54 2015 +0200 iio: mxs-lradc: Fix temperature offset commit b94e22805a2224061bb263a82b72e09544a5fbb3 upstream. 0° Kelvin is actually −273.15°C, not -272.15°C. Fix the temperature offset. Also improve the comment explaining the calculation. Reported-by: Janusz Użycki Signed-off-by: Alexandre Belloni Acked-by: Stefan Wahren Acked-by: Marek Vasut Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit c5989318286f04f54bfc2549198856b4546d01a5 Author: Alex Deucher Date: Wed Oct 28 14:26:32 2015 -0400 drm/radeon: move bl encoder assignment into bl init commit 4cee6a9057d5e13911f0cb6e143d11dc1a3245dd upstream. So that the bl encoder will be null if the GPU does not control the backlight. Reviewed-by: Michel Dänzer Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit bf1289f0ad3cb1a9fb8d765078aefe94ece856d2 Author: Alex Deucher Date: Tue Oct 27 10:56:44 2015 -0400 drm/radeon: fix dpms when driver backlight control is disabled commit ae93580ee59c02395c1711d3e6b90546b8137b86 upstream. If driver backlight control is disabled, either by driver parameter or default per-asic setting, revert to the old behavior. Fixes a regression in commit: 4281f46ef839050d2ef60348f661eb463c21cc2e Reviewed-by: Michel Dänzer Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 2753f24e284e0fc9f2dbb61be84e1bfea05da1ee Author: Alex Deucher Date: Fri Oct 23 10:38:52 2015 -0400 drm/radeon: don't try to recreate sysfs entries on resume commit 49abb26651167c892393cd9f2ad23df429645ed9 upstream. Fixes a harmless error message caused by: 51a4726b04e880fdd9b4e0e58b13f70b0a68a7f5 Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 377bc0b544cae329a385a16320e178f00f6dfcde Author: Chris Wilson Date: Tue Oct 13 14:22:26 2015 +0100 drm/i915: Deny wrapping an userptr into a framebuffer commit cc917ab43541db3ff66d0136042686d40a1b4c9a upstream. Pinning a userptr onto the hardware raises interesting questions about the lifetime of such a surface as the framebuffer extends that life beyond the client's address space. That is the hardware will need to keep scanning out from the backing storage even after the client wants to remap its address space. As the hardware pins the backing storage, the userptr becomes invalid and this raises a WARN when the clients tries to unmap its address space. The situation can be even more complicated when the buffer is passed between processes, between a client and display server, where the lifetime and hardware access is even more confusing. Deny it. Signed-off-by: Chris Wilson Cc: Daniel Vetter Cc: Tvrtko Ursulin Cc: Michał Winiarski Reviewed-by: Tvrtko Ursulin Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 4ba1aed6217900eda26bbe55ded2f927910024d5 Author: Ville Syrjälä Date: Wed Oct 7 22:08:24 2015 +0300 drm/i915: Restore lost DPLL register write on gen2-4 commit 8e7a65aa70bcc1235a44e40ae0da5056525fe081 upstream. We accidentally lost the initial DPLL register write in 1c4e02746147 drm/i915: Fix DVO 2x clock enable on 830M The "three times for luck" hack probably saved us from a total disaster. But anyway, bring the initial write back so that the code actually makes some sense. Reported-and-tested-by: Nick Bowler References: http://mid.gmane.org/CAN_QmVyMaArxYgEcVVsGvsMo7-6ohZr8HmF5VhkkL4i9KOmrhw@mail.gmail.com Cc: Nick Bowler Signed-off-by: Ville Syrjälä Reviewed-by: Daniel Vetter Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit e634bc30d00ee9830d762dca0cb7707346e721c3 Author: Chris Wilson Date: Fri Aug 21 16:08:41 2015 +0100 drm/i915: Flush pipecontrol post-sync writes commit 40a24488f5250d63341e74b9994159afc4589606 upstream. In order to flush the results from in-batch pipecontrol writes (used for example in glQuery) before declaring the batch complete (and so declaring the query results coherent), we need to set the FlushEnable bit in our flushing pipecontrol. The FlushEnable bit "waits until all previous writes of immediate data from post-sync circles are complete before executing the next command". I get GPU hangs on byt without flushing these writes (running ue4). piglit has examples where the flush is required for correct rendering. Signed-off-by: Chris Wilson Reviewed-by: Ville Syrjälä Acked-by: Daniel Vetter Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 269b571f0d6ac7b2da7f9d4d7ea56ccff1ea998d Author: Alex Deucher Date: Mon Oct 19 09:30:42 2015 -0400 drm/radeon/dpm: don't add pwm attributes if DPM is disabled commit 2a7d44f47f53fa1be677f44c73d78b1bcf9c05d9 upstream. PWM fan control is only available with DPM. If DPM disabled, don't expose the PWM fan controls to avoid a crash. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92524 Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 930a50a45963c8da0a27fbee73ae462d8ea54aca Author: Ilia Mirkin Date: Tue Oct 20 01:15:39 2015 -0400 drm/nouveau/gem: return only valid domain when there's only one commit 2a6c521bb41ce862e43db46f52e7681d33e8d771 upstream. On nv50+, we restrict the valid domains to just the one where the buffer was originally created. However after the buffer is evicted to system memory, we might move it back to a different domain that was not originally valid. When sharing the buffer and retrieving its GEM_INFO data, we still want the domain that will be valid for this buffer in a pushbuf, not the one where it currently happens to be. This resolves fdo#92504 and several others. These are due to suspend evicting all buffers, making it more likely that they temporarily end up in the wrong place. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92504 Signed-off-by: Ilia Mirkin Signed-off-by: Ben Skeggs Signed-off-by: Greg Kroah-Hartman commit 65bda5f8ba4552e6f16a2c9d94f2b367a4456875 Author: Florian Westphal Date: Thu Oct 22 13:32:27 2015 -0700 fault-inject: fix inverted interval/probability values in printk commit bb387002693ed28b2bb0408c5dec65521b71e5f1 upstream. interval displays the probability and vice versa. Fixes: 6adc4a22f20bb ("fault-inject: add ratelimit option") Acked-by: Akinobu Mita Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6c0da28df5dac10672efe955eb89051a850008eb Author: Jan Kara Date: Thu Oct 22 13:32:21 2015 -0700 mm: make sendfile(2) killable commit 296291cdd1629c308114504b850dc343eabc2782 upstream. Currently a simple program below issues a sendfile(2) system call which takes about 62 days to complete in my test KVM instance. int fd; off_t off = 0; fd = open("file", O_RDWR | O_TRUNC | O_SYNC | O_CREAT, 0644); ftruncate(fd, 2); lseek(fd, 0, SEEK_END); sendfile(fd, fd, &off, 0xfffffff); Now you should not ask kernel to do a stupid stuff like copying 256MB in 2-byte chunks and call fsync(2) after each chunk but if you do, sysadmin should have a way to stop you. We actually do have a check for fatal_signal_pending() in generic_perform_write() which triggers in this path however because we always succeed in writing something before the check is done, we return value > 0 from generic_perform_write() and thus the information about signal gets lost. Fix the problem by doing the signal check before writing anything. That way generic_perform_write() returns -EINTR, the error gets propagated up and the sendfile loop terminates early. Signed-off-by: Jan Kara Reported-by: Dmitry Vyukov Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit bd69119dc8db8a1768c29e0e6b96a7501f63328a Author: Kővágó, Zoltán Date: Mon Oct 12 15:13:56 2015 +0100 x86/efi: Fix multiple GOP device support commit 8a53554e12e98d1759205afd7b8e9e2ea0936f48 upstream. When multiple GOP devices exists, but none of them implements ConOut, the code should just choose the first GOP (according to the comments). But currently 'fb_base' will refer to the last GOP, while other parameters to the first GOP, which will likely result in a garbled display. I can reliably reproduce this bug using my ASRock Z87M Extreme4 motherboard with CSM and integrated GPU disabled, and two PCIe video cards (NVidia GT640 and GTX980), booting from efi-stub (booting from grub works fine). On the primary display the ASRock logo remains and on the secondary screen it is garbled up completely. Signed-off-by: Kővágó, Zoltán Signed-off-by: Matt Fleming Cc: Linus Torvalds Cc: Matthew Garrett Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/1444659236-24837-2-git-send-email-matt@codeblueprint.co.uk Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit d4fde24fbd0c536122bce56dce7973a4b74d3c05 Author: Charles Keepax Date: Tue Oct 20 10:25:58 2015 +0100 ASoC: wm8904: Correct number of EQ registers commit 97aff2c03a1e4d343266adadb52313613efb027f upstream. There are 24 EQ registers not 25, I suspect this bug came about because the registers start at EQ1 not zero. The bug is relatively harmless as the extra register written is an unused one. Signed-off-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit a895124c5b62b4b50ba8d56ac2ffd06f2f4fda20 Author: Charles Keepax Date: Wed Oct 14 13:31:24 2015 +0100 ASoC: Add info callback for SX_TLV controls commit 34198710f55b5f359f43e67d9a08fe5aadfbca1b upstream. SX_TLV controls are intended for situations where the register behind the control has some non-zero value indicating the minimum gain and then gains increasing from there and eventually overflowing through zero. Currently every CODEC implementing these controls specifies the minimum as the non-zero value for the minimum and the maximum as the number of gain settings available. This means when the info callback subtracts the minimum value from the maximum value to calculate the number of gain levels available it is actually under reporting the available levels. This patch fixes this issue by adding a new snd_soc_info_volsw_sx callback that does not subtract the minimum value. Fixes: 1d99f2436d0d ("ASoC: core: Rework SOC_DOUBLE_R_SX_TLV add SOC_SINGLE_SX_TLV") Signed-off-by: Charles Keepax Acked-by: Brian Austin Tested-by: Brian Austin Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 4d721de616dd7c1b994a66252de98cca798dc8b5 Author: Takashi Iwai Date: Tue Oct 20 16:23:55 2015 +0200 ALSA: hda - Fix deadlock at error in building PCM commit d289619a219dd01e255d7b5e30f9171b25efea48 upstream. The HDA codec driver issues snd_hda_codec_reset() at the error path of PCM build. This was needed in the earlier code base, but the recent rewrite to use the standard bus binding made this a deadlock: modprobe D 0000000000000005 0 720 716 0x00000080 Call Trace: [] schedule+0x3e/0x90 [] schedule_preempt_disabled+0x15/0x20 [] __mutex_lock_slowpath+0xb5/0x120 [] mutex_lock+0x1b/0x30 [] device_release_driver+0x1b/0x30 [] bus_remove_device+0x105/0x180 [] device_del+0x139/0x260 [] snd_hdac_device_unregister+0x25/0x30 [snd_hda_core] [] snd_hda_codec_reset+0x2a/0x70 [snd_hda_codec] [] snd_hda_codec_build_pcms+0x18b/0x1b0 [snd_hda_codec] [] hda_codec_driver_probe+0xbe/0x140 [snd_hda_codec] [] driver_probe_device+0x1f4/0x460 [] __driver_attach+0x90/0xa0 [] bus_for_each_dev+0x64/0xa0 [] driver_attach+0x1e/0x20 [] bus_add_driver+0x1eb/0x280 [] driver_register+0x60/0xe0 [] __hda_codec_driver_register+0x5a/0x60 [snd_hda_codec] [] realtek_driver_init+0x1e/0x1000 [snd_hda_codec_realtek] [] do_one_initcall+0xb3/0x200 [] do_init_module+0x60/0x1f8 [] load_module+0x1653/0x1bd0 [] SYSC_finit_module+0x98/0xc0 [] SyS_finit_module+0xe/0x10 [] entry_SYSCALL_64_fastpath+0x16/0x75 The simple fix is just to remove this call, since we don't need to think about unbinding at there any longer. Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=948758 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 85cdc32aea927682cfbaf21e1503a024c4356e51 Author: David Henningsson Date: Tue Oct 13 10:10:18 2015 +0200 ALSA: hda - Fix inverted internal mic on Lenovo G50-80 commit e8d65a8d985271a102f07c7456da5b86c19ffe16 upstream. Add the appropriate quirk to indicate the Lenovo G50-80 has a stereo mic input where one channel has reverse polarity. Alsa-info available at: https://launchpadlibrarian.net/220846272/AlsaInfo.txt BugLink: https://bugs.launchpad.net/bugs/1504778 Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 7f075aa594aab632cb6e04859679f72eb9ff8407 Author: Arnd Bergmann Date: Mon Oct 12 15:22:31 2015 +0200 KVM: arm: use GIC support unconditionally commit 4a5d69b73948d0e03cd38d77dc11edb2e707165f upstream. The vgic code on ARM is built for all configurations that enable KVM, but the parent_data field that it references is only present when CONFIG_IRQ_DOMAIN_HIERARCHY is set: virt/kvm/arm/vgic.c: In function 'kvm_vgic_map_phys_irq': virt/kvm/arm/vgic.c:1781:13: error: 'struct irq_data' has no member named 'parent_data' This flag is implied by the GIC driver, and indeed the VGIC code only makes sense if a GIC is present. This changes the CONFIG_KVM symbol to always select GIC, which avoids the issue. Fixes: 662d9715840 ("arm/arm64: KVM: Kill CONFIG_KVM_ARM_{VGIC,TIMER}") Signed-off-by: Arnd Bergmann Acked-by: Marc Zyngier Signed-off-by: Christoffer Dall Signed-off-by: Greg Kroah-Hartman commit f4778084b715e649d4b095151cfe30c9067c2a59 Author: Antti Palosaari Date: Tue Oct 6 00:22:23 2015 -0300 rtl28xxu: fix control message flaws commit d18ca5b7ceca0e9674cb4bb2ed476b0fcbb23ba2 upstream. Add lock to prevent concurrent access for control message as control message function uses shared buffer. Without the lock there may be remote control polling which messes the buffer causing IO errors. Increase buffer size and add check for maximum supported message length. Link: https://bugzilla.kernel.org/show_bug.cgi?id=103391 Fixes: c56222a6b25c ("[media] rtl28xxu: move usb buffers to state") Signed-off-by: Antti Palosaari Signed-off-by: Greg Kroah-Hartman commit 76d6f9644b3c9029e920b315c7187605e7acf260 Author: Laura Abbott Date: Tue Sep 29 21:10:09 2015 -0300 si2168: Bounds check firmware commit 47810b4341ac9d2f558894bc5995e6fa2a1298f9 upstream. When reading the firmware and sending commands, the length must be bounds checked to avoid overrunning the size of the command buffer and smashing the stack if the firmware is not in the expected format: si2168 11-0064: found a 'Silicon Labs Si2168-B40' si2168 11-0064: downloading firmware from file 'dvb-demod-si2168-b40-01.fw' si2168 11-0064: firmware download failed -95 Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa085708f Add the proper check. Reported-by: Stuart Auchterlonie Reviewed-by: Antti Palosaari Signed-off-by: Laura Abbott Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit f7832ff91dd51ad2a43bd37846f9cef15b8c03e6 Author: Laura Abbott Date: Tue Sep 29 21:10:10 2015 -0300 si2157: Bounds check firmware commit a828d72df216c36e9c40b6c24dc4b17b6f7b5a76 upstream. When reading the firmware and sending commands, the length must be bounds checked to avoid overrunning the size of the command buffer and smashing the stack if the firmware is not in the expected format. Add the proper check. Signed-off-by: Laura Abbott Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit d347b289bf2767fe6d2c87589c38cc194a6a07c5 Author: Adam Richter Date: Fri Oct 16 03:33:02 2015 -0700 drm: fix mutex leak in drm_dp_get_mst_branch_device commit 30730c7f5943b3beace1e29f7f1476e05de3da14 upstream. In Linux 4.3-rc5, there is an error case in drm_dp_get_branch_device that returns without releasing mgr->lock, resulting a spew of kernel messages about a kernel work function possibly having leaked a mutex and presumably more serious adverse consequences later. This patch changes the error to "goto out" to unlock the mutex before returning. [airlied: grabbed from drm-next as it fixes something we've seen] Signed-off-by: Adam J. Richter Signed-off-by: Daniel Vetter Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 29589707855ec7ed432a614ee91e3fab38643233 Author: Vasant Hegde Date: Fri Oct 16 15:53:29 2015 +0530 powerpc/rtas: Validate rtas.entry before calling enter_rtas() commit 8832317f662c06f5c06e638f57bfe89a71c9b266 upstream. Currently we do not validate rtas.entry before calling enter_rtas(). This leads to a kernel oops when user space calls rtas system call on a powernv platform (see below). This patch adds code to validate rtas.entry before making enter_rtas() call. Oops: Exception in kernel mode, sig: 4 [#1] SMP NR_CPUS=1024 NUMA PowerNV task: c000000004294b80 ti: c0000007e1a78000 task.ti: c0000007e1a78000 NIP: 0000000000000000 LR: 0000000000009c14 CTR: c000000000423140 REGS: c0000007e1a7b920 TRAP: 0e40 Not tainted (3.18.17-340.el7_1.pkvm3_1_0.2400.1.ppc64le) MSR: 1000000000081000 CR: 00000000 XER: 00000000 CFAR: c000000000009c0c SOFTE: 0 NIP [0000000000000000] (null) LR [0000000000009c14] 0x9c14 Call Trace: [c0000007e1a7bba0] [c00000000041a7f4] avc_has_perm_noaudit+0x54/0x110 (unreliable) [c0000007e1a7bd80] [c00000000002ddc0] ppc_rtas+0x150/0x2d0 [c0000007e1a7be30] [c000000000009358] syscall_exit+0x0/0x98 Fixes: 55190f88789a ("powerpc: Add skeleton PowerNV platform") Reported-by: NAGESWARA R. SASTRY Signed-off-by: Vasant Hegde [mpe: Reword change log, trim oops, and add stable + fixes] Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 11d9bb923f7f15361313e6f52bcd6dac0ebbe117 Author: Joerg Roedel Date: Tue Oct 20 14:59:36 2015 +0200 iommu/amd: Don't clear DTE flags when modifying it commit cbf3ccd09d683abf1cacd36e3640872ee912d99b upstream. During device assignment/deassignment the flags in the DTE get lost, which might cause spurious faults, for example when the device tries to access the system management range. Fix this by not clearing the flags with the rest of the DTE. Reported-by: G. Richard Bellamy Tested-by: G. Richard Bellamy Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 75deee3f94d33c9858bbc2e7d67f43eaca84f5dc Author: Jay Cornwall Date: Wed Sep 16 14:10:03 2015 -0500 iommu/amd: Fix BUG when faulting a PROT_NONE VMA commit d14f6fced5f9360edca5a1325ddb7077aab1203b upstream. handle_mm_fault indirectly triggers a BUG in do_numa_page when given a VMA without read/write/execute access. Check this condition in do_fault. do_fault -> handle_mm_fault -> handle_pte_fault -> do_numa_page mm/memory.c 3147 static int do_numa_page(struct mm_struct *mm, struct vm_area_struct *vma, .... 3159 /* A PROT_NONE fault should not end up here */ 3160 BUG_ON(!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE))); Signed-off-by: Jay Cornwall Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 1fe434c0efcc3aecc851649511b9d43e7480b79e Author: Christian Zander Date: Wed Jun 10 09:41:45 2015 -0700 iommu/vt-d: fix range computation when making room for large pages commit ba2374fd2bf379f933773811fdb06cb6a5445f41 upstream. In preparation for the installation of a large page, any small page tables that may still exist in the target IOV address range are removed. However, if a scatter/gather list entry is large enough to fit more than one large page, the address space for any subsequent large pages is not cleared of conflicting small page tables. This can cause legitimate mapping requests to fail with errors of the form below, potentially followed by a series of IOMMU faults: ERROR: DMA PTE for vPFN 0xfde00 already set (to 7f83a4003 not 7e9e00083) In this example, a 4MiB scatter/gather list entry resulted in the successful installation of a large page @ vPFN 0xfdc00, followed by a failed attempt to install another large page @ vPFN 0xfde00, due to the presence of a pointer to a small page table @ 0x7f83a4000. To address this problem, compute the number of large pages that fit into a given scatter/gather list entry, and use it to derive the last vPFN covered by the large page(s). Signed-off-by: Christian Zander Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit ebf5cf189b7dfc2e9c563f3e027d4d9719af2c8d Author: Luca Coelho Date: Tue Sep 22 09:44:39 2015 +0300 iwlwifi: pci: add a few more PCI subvendor IDs for the 7265 series commit f08f625876476b6c4a87834dc86e3b927f4697d2 upstream. Add 3 new subdevice IDs for the 0x095A device ID and 2 for the 0x095B device ID. Reported-by: Jeremy Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit c35a6567e963b129a0258494ef690e29c6fb44ad Author: Andrei Otcheretianski Date: Wed Sep 30 12:26:23 2015 +0200 iwlwifi: mvm: flush fw_dump_wk when mvm fails to start commit dbf73d4a8bb8f4e1d1f3edd3be825692279e2ef3 upstream. FW dump may be triggered when running init ucode, for example due to a sysassert. In this case fw_dump_wk may run after mvm is freed, resulting in a kernel panic. Fix it by flushing the work. Fixes: 01b988a708af ("iwlwifi: mvm: allow to collect debug data when restart is disabled") Signed-off-by: Andrei Otcheretianski Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit 4508582e6a831d8256fe6305967d0a8cf13f9758 Author: Arik Nemtsov Date: Wed Sep 30 11:19:55 2015 +0300 iwlwifi: mvm: init card correctly on ctkill exit check commit 1a3fe0b2b6778b7866e2b3f5c9a299d5e9bbd89c upstream. During the CT-kill exit flow, the card is powered up and partially initialized to check if the temperature is already low enough. Unfortunately the init bails early because the CT-kill flag is set. Make the code bail early only for HW RF-kill, as was intended by the author. CT-kill is self-imposed and is not really RF-kill. Fixes: 31b8b343e019 ("iwlwifi: fix RFkill while calibrating") Signed-off-by: Arik Nemtsov Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit 940bea34f5034f94321984e9546f4f4b064d9ded Author: Johannes Berg Date: Tue Sep 15 14:36:09 2015 +0200 iwlwifi: mvm: fix D3 firmware PN programming commit 2cf5eb3ab7bb7f2e3a70edcef236cd62c87db030 upstream. The code to send the RX PN data (for each TID) to the firmware has a devastating bug: it overwrites the data for TID 0 with all the TID data, leaving the remaining TIDs zeroed. This will allow replays to actually be accepted by the firmware, which could allow waking up the system. Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit a55c440ef8c233c97dd1b0ebe095b96f2a93e917 Author: Avraham Stern Date: Mon Aug 31 11:08:27 2015 +0300 iwlwifi: mvm: clear csa countdown when AP is stopped commit e9cb0327b26dd7ba43a3b7a05b4b62219decf42d upstream. The csa_countdown flag was not cleared when the AP is stopped. As a result, if the AP was stopped after csa_countdown had started, all the folowing channel switch commands would fail. Fix that by clearing the csa_countdown flag when the AP is stopped. Signed-off-by: Avraham Stern Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit 0f4e2e7765c5cd0f0fd84a943364e6a44b84b706 Author: Larry Finger Date: Fri Oct 2 11:44:30 2015 -0500 rtlwifi: rtl8821ae: Fix system lockups on boot commit 54328e64047a54b8fc2362c2e1f0fa16c90f739f upstream. In commit 1277fa2ab2f9 ("rtlwifi: Remove the clear interrupt routine from all drivers"), the code that cleared all interrupt enable bits before setting them was removed for all PCI drivers. This fixed an issue that caused TX to be blocked for 3-5 seconds. On some RTL8821AE units, this change causes soft lockups to occur on boot. For that reason, the portion of the earlier commit that applied to rtl8821ae is reverted. Kernels 4.1 and newer are affected. See http://marc.info/?l=linux-wireless&m=144373370103285&w=2 and https://bugzilla.opensuse.org/show_bug.cgi?id=944978 for two cases where this regression affected user systems. Note that this bug does not appear on any of the developer's setups. For those users whose systems are affected by the TX blockage, but do not lock up on boot, a module parameter is added to disable the interrupt clear Fixes: 1277fa2ab2f9 ("rtlwifi: Remove the clear interrupt routine from all drivers") Signed-off-by: Larry Finger Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 02fe6ec79d4ddd0624406a49af1939c99191f6d0 Author: Johannes Berg Date: Tue Sep 22 10:47:27 2015 +0200 iwlwifi: fix firmware filename for 3160 commit b5a48134f8af08f5243328f8a0b05fc5ae7cf343 upstream. The MODULE_FIRMWARE() for 3160 should be using the 7260 version as it's done in the device configuration struct instead of referencing IWL3160_UCODE_API_OK which doesn't even exist. Reported-by: Hauke Mehrtens Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit f45118528da06f294cc4aa6867dc431b9fe54001 Author: Johannes Berg Date: Tue Sep 15 14:36:09 2015 +0200 iwlwifi: dvm: fix D3 firmware PN programming commit 5bd166872d8f99f156fac191299d24f828bb2348 upstream. The code to send the RX PN data (for each TID) to the firmware has a devastating bug: it overwrites the data for TID 0 with all the TID data, leaving the remaining TIDs zeroed. This will allow replays to actually be accepted by the firmware, which could allow waking up the system. Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit 1b4fe74c9f9af831cef9b9ec27dfdb22802838ef Author: Felix Fietkau Date: Thu Sep 24 16:59:46 2015 +0200 ath9k: declare required extra tx headroom commit 029cd0370241641eb70235d205aa0b90c84dce44 upstream. ath9k inserts padding between the 802.11 header and the data area (to align it). Since it didn't declare this extra required headroom, this led to some nasty issues like randomly dropped packets in some setups. Signed-off-by: Felix Fietkau Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman