commit 71745ce1b85ccb00d6374bcdc310ee134da85d1f Author: Greg Kroah-Hartman Date: Tue Jan 27 08:30:10 2015 -0800 Linux 3.18.4 commit 0bcd13a05308afc6bb95479be9ca876e68f68951 Author: Bandan Das Date: Sat Dec 6 20:32:16 2014 +0530 KVM: nVMX: Disable unrestricted mode if ept=0 commit 78051e3b7e35722ad3f31dd611f1b34770bddab8 upstream. If L0 has disabled EPT, don't advertise unrestricted mode at all since it depends on EPT to run real mode code. Fixes: 92fbc7b195b824e201d9f06f2b93105f72384d65 Reviewed-by: Jan Kiszka Signed-off-by: Bandan Das Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 3e038e9d2df3167f234ff7b5730642319d590e99 Author: Ville Syrjälä Date: Thu Dec 18 11:44:06 2014 +0200 drm/i915: Kill check_power_well() calls commit 7f1241ed1a06b4846ad7a2a57eb088b757e58e16 upstream. pps_{lock,unlock}() call intel_display_power_{get,put}() outside pps_mutes to avoid deadlocks with the power_domain mutex. In theory during aux transfers we should usually have the relevant power domain references already held by some higher level code, so this should not result in much overhead (exception being userspace i2c-dev access). However thanks to the check_power_well() calls in intel_display_power_{get/put}() we end up doing a few Punit reads for each aux transfer. Obviously doing this for each byte transferred via i2c-over-aux is not a good idea. I can't think of a good way to keep check_power_well() while eliminating the overhead, so let's just remove check_power_well() entirely. Fixes a driver init time regression introduced by: commit 773538e86081d146e0020435d614f4b96996c1f9 Author: Ville Syrjälä Date: Thu Sep 4 14:54:56 2014 +0300 drm/i915: Reset power sequencer pipe tracking when disp2d is off Credit goes to Jani for figuring this out. v2: Add the regression note in the commit message. Cc: Egbert Eich Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=86201 Tested-by: Wendy Wang Signed-off-by: Ville Syrjälä [Jani: s/intel_runtime_pm.c/intel_pm.c/g and wiggle for 3.18] Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 65f81ccbd1e33872b1b47bc550e452e7e3dadf58 Author: Nicholas Bellinger Date: Sun Dec 21 10:42:08 2014 -0800 vhost-scsi: Add missing virtio-scsi -> TCM attribute conversion commit 46243860806bdc2756f3ce8ac86b4d7c616bcd6c upstream. While looking at hch's recent conversion to drop the MSG_*_TAG definitions, I noticed a long standing bug in vhost-scsi where the VIRTIO_SCSI_S_* attribute definitions where incorrectly being passed directly into target_submit_cmd_map_sgls(). This patch adds the missing virtio-scsi to TCM/SAM task attribute conversion. Cc: Christoph Hellwig Cc: Michael S. Tsirkin Cc: Paolo Bonzini Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 82bc9d04f4281276b8941b09a9306e15d4dc53f6 Author: Nicholas Bellinger Date: Tue Jan 6 16:10:37 2015 -0800 target: Drop arbitrary maximum I/O size limit commit 046ba64285a4389ae5e9a7dfa253c6bff3d7c341 upstream. This patch drops the arbitrary maximum I/O size limit in sbc_parse_cdb(), which currently for fabric_max_sectors is hardcoded to 8192 (4 MB for 512 byte sector devices), and for hw_max_sectors is a backend driver dependent value. This limit is problematic because Linux initiators have only recently started to honor block limits MAXIMUM TRANSFER LENGTH, and other non-Linux based initiators (eg: MSFT Fibre Channel) can also generate I/Os larger than 4 MB in size. Currently when this happens, the following message will appear on the target resulting in I/Os being returned with non recoverable status: SCSI OP 28h with too big sectors 16384 exceeds fabric_max_sectors: 8192 Instead, drop both [fabric,hw]_max_sector checks in sbc_parse_cdb(), and convert the existing hw_max_sectors into a purely informational attribute used to represent the granuality that backend driver and/or subsystem code is splitting I/Os upon. Also, update FILEIO with an explicit FD_MAX_BYTES check in fd_execute_rw() to deal with the one special iovec limitiation case. v2 changes: - Drop hw_max_sectors check in sbc_parse_cdb() Reported-by: Lance Gropper Reported-by: Stefan Priebe Cc: Christoph Hellwig Cc: Martin K. Petersen Cc: Roland Dreier Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit e7b2033159b6e12240af8b4a543e955dbd3cade3 Author: Trond Myklebust Date: Fri Jan 2 15:05:25 2015 -0500 LOCKD: Fix a race when initialising nlmsvc_timeout commit 06bed7d18c2c07b3e3eeadf4bd357f6e806618cc upstream. This commit fixes a race whereby nlmclnt_init() first starts the lockd daemon, and then calls nlm_bind_host() with the expectation that nlmsvc_timeout has already been initialised. Unfortunately, there is no no synchronisation between lockd() and lockd_up() to guarantee that this is the case. Fix is to move the initialisation of nlmsvc_timeout into lockd_create_svc Fixes: 9a1b6bf818e74 ("LOCKD: Don't call utsname()->nodename...") Cc: Bruce Fields Cc: stable@vger.kernel.org # 3.10.x Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 90293ffa75c11bd3dc26c196e68495e3d09c1fad Author: Michal Marek Date: Wed Dec 31 16:29:35 2014 +0100 kbuild: Fix removal of the debian/ directory commit a16c5f99a28c9945165c46da27fff8e6f26f8736 upstream. scripts/Makefile.clean treats absolute path specially, but $(objtree)/debian is no longer an absolute path since 7e1c0477 (kbuild: Use relative path for $(objtree). Work around this by checking if the path starts with $(objtree)/. Reported-and-tested-by: Sedat Dilek Fixes: 7e1c0477 (kbuild: Use relative path for $(objtree) Signed-off-by: Michal Marek Signed-off-by: Greg Kroah-Hartman commit 51fbc0559758cc38fbb479640767234bb146e75c Author: Daniel Borkmann Date: Sat Jan 3 13:11:10 2015 +0100 x86, um: actually mark system call tables readonly commit b485342bd79af363c77ef1a421c4a0aef2de9812 upstream. Commit a074335a370e ("x86, um: Mark system call tables readonly") was supposed to mark the sys_call_table in UML as RO by adding the const, but it doesn't have the desired effect as it's nevertheless being placed into the data section since __cacheline_aligned enforces sys_call_table being placed into .data..cacheline_aligned instead. We need to use the ____cacheline_aligned version instead to fix this issue. Before: $ nm -v arch/x86/um/sys_call_table_64.o | grep -1 "sys_call_table" U sys_writev 0000000000000000 D sys_call_table 0000000000000000 D syscall_table_size After: $ nm -v arch/x86/um/sys_call_table_64.o | grep -1 "sys_call_table" U sys_writev 0000000000000000 R sys_call_table 0000000000000000 D syscall_table_size Fixes: a074335a370e ("x86, um: Mark system call tables readonly") Cc: H. Peter Anvin Cc: Andrew Morton Signed-off-by: Daniel Borkmann Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit b9d078ca4432b59f167e9c7824d8248353ede275 Author: Richard Weinberger Date: Wed Dec 10 13:53:51 2014 +0100 um: Skip futex_atomic_cmpxchg_inatomic() test commit f911d731054ab3d82ee72a16b889e17ca3a2332a upstream. futex_atomic_cmpxchg_inatomic() does not work on UML because it triggers a copy_from_user() in kernel context. On UML copy_from_user() can only be used if the kernel was called by a real user space process such that UML can use ptrace() to fetch the value. Reported-by: Miklos Szeredi Suggested-by: Geert Uytterhoeven Signed-off-by: Richard Weinberger Tested-by: Daniel Walter Signed-off-by: Greg Kroah-Hartman commit dcd295f7bec22860063b1339162d18b811659c4b Author: Dan Carpenter Date: Fri Dec 12 16:58:05 2014 -0800 decompress_bunzip2: off by one in get_next_block() commit b5c8afe5be51078a979d86ae5ae78c4ac948063d upstream. "origPtr" is used as an offset into the bd->dbuf[] array. That array is allocated in start_bunzip() and has "bd->dbufSize" number of elements so the test here should be >= instead of >. Later we check "origPtr" again before using it as an offset so I don't know if this bug can be triggered in real life. Fixes: bc22c17e12c1 ('bzip2/lzma: library support for gzip, bzip2 and lzma decompression') Signed-off-by: Dan Carpenter Cc: Alain Knaff Cc: Yinghai Lu Cc: "H. Peter Anvin" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 13b2e3a5c422daa63f1e913cf25462cb9c40dcd0 Author: Lars-Peter Clausen Date: Wed Nov 26 11:35:35 2014 +0100 iio: ad799x: Fix ad7991/ad7995/ad7999 config setup commit 2eacc608b3bf3519fc353c558454873f4589146d upstream. The ad7991/ad7995/ad7999 does not have a configuration register like the other devices that can be written and read. The configuration is written as part of the conversion sequence. Fixes: 0f7ddcc1bff1 ("iio:adc:ad799x: Write default config on probe and reset alert status on probe") Signed-off-by: Lars-Peter Clausen Tested-by: Mike Looijmans Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 8d622085d61265c0cf35999634757b04862d464a Author: Mugunthan V N Date: Mon Jan 5 15:45:45 2015 -0800 ARM: dts: dra7-evm: fix qspi device tree partition size commit 69d2626f97b7f017ee4416b7dc071e9499c2c944 upstream. 64KiB is allocated for qspi dtb partition which is not sufficient, so updating the partition table size to 512KiB for device tree partition. This also aligns the QSPI partition definitions between kernel and U-Boot. Fixes: dc2dd5b8 ("ARM: dts: dra7: Add qspi device") Signed-off-by: Mugunthan V N Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 7a66eeb23e48f93cab7f6a9b9fe9ce6371b57f08 Author: Geert Uytterhoeven Date: Tue Jan 6 14:39:10 2015 +0100 ARM: shmobile: sh73a0 legacy: Set .control_parent for all irqpin instances commit b0ddb319db3d7a1943445f0de0a45c07a7f3457a upstream. The sh73a0 INTC can't mask interrupts properly most likely due to a hardware bug. Set the .control_parent flag to delegate masking to the parent interrupt controller, like was already done for irqpin1. Without this, accessing the three-axis digital accelerometer ADXL345 on kzm9g through /dev/input/event1 causes an interrupt storm, which requires a power-cycle to recover from. This was inspired by a patch for arch/arm/boot/dts/sh73a0.dtsi from Laurent Pinchart . Signed-off-by: Geert Uytterhoeven Fixes: 341eb5465f67437a ("ARM: shmobile: INTC External IRQ pin driver on sh73a0") Signed-off-by: Simon Horman Signed-off-by: Greg Kroah-Hartman commit 25bcda837ac0aaed8fe5706f3e10ba2e76633bbd Author: Jisheng Zhang Date: Wed Dec 31 16:57:51 2014 +0800 ARM: dts: berlin: add broken-cd and set bus width for eMMC in Marvell DMP DT commit 5adba7c2daaecccf377e7ed5a2996caedd5384f1 upstream. There's no card detection for the eMMC, so this patch adds the missing broken-cd property. This patch also sets bus width as 8 to add MMC_CAP_8_BIT_DATA in the Host capabilities. Fixes: 3047086dfd56 ("ARM: dts: berlin: enable SD card reader and eMMC for the BG2Q DMP") Signed-off-by: Jisheng Zhang Signed-off-by: Sebastian Hesselbarth Signed-off-by: Greg Kroah-Hartman commit 4cb194fd5aa555e65e4af4ddc77315ac59f1520a Author: Keerthy Date: Mon Nov 10 23:49:48 2014 +0530 bus: omap_l3_noc: Correct returning IRQ_HANDLED unconditionally in the irq handler commit c4cf0935a2d8fe6d186bf4253ea3c4b4a8a8a710 upstream. Correct returning IRQ_HANDLED unconditionally in the irq handler. Return IRQ_NONE for some interrupt which we do not expect to be handled in this handler. This prevents kernel stalling with back to back spurious interrupts. Fixes: 2722e56de6 ("OMAP4: l3: Introduce l3-interconnect error handling driver") Acked-by: Nishanth Menon Signed-off-by: Keerthy Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 397ee6685dbe3d1dd7b002bcf6231d969080ab0c Author: Keerthy Date: Mon Nov 10 23:49:47 2014 +0530 bus: omap_l3_noc: Add resume hook to restore context commit 61b43d4e919e8fa5e10c77ee32ba328da07e0264 upstream. On certain SoCs such as AM437x SoC, L3_noc error registers are maintained in power domain such as per domain which looses context as part of low power state such as RTC+DDR mode. On these platforms when we mask interrupts which we cannot handle, the source of these interrupts still remain on resume, however, the flag mux registers now contain their reset value (unmasked) - this breaks the system with infinite interrupts since we do not these interrupts to take place ever again. To handle this: restore the masking of interrupts which we have already recorded in the system as ones we cannot handle. Fixes: 2100b595b7 ("bus: omap_l3_noc: ignore masked out unclearable targets") Acked-by: Nishanth Menon Signed-off-by: Keerthy Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit fa036ea44cf070a7688c36531938b28f41aed45e Author: Lennart Sorensen Date: Mon Jan 5 15:45:45 2015 -0800 ARM: omap5/dra7xx: Enable booting secondary CPU in HYP mode commit 999f934de195a1506089b52c77429fdba25da688 upstream. If the boot loader enables HYP mode on the boot CPU, the secondary CPU also needs to call into the ROM to switch to HYP mode before booting. The firmwares on the omap5 and dra7xx unfortunately do not take care of this, so it has to be handled by the kernel. This patch is based on "[PATCH 2/2] ARM: OMAP5: Add HYP mode entry support for secondary CPUs" by Santosh Shilimkar , except this version does not require a compile time CONFIG to control if it should enable HYP mode or not, it simply does it based on the mode of the boot CPU, so it works whether the CPU boots in SVC or HYP mode, and should even work as a guest kernel inside kvm if qemu decides to support emulating the omap5 or dra7xx. Signed-off-by: Len Sorensen Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 3af7a88e25ab4e6d3e82266f4fe94ebbbb4e6dde Author: Lennart Sorensen Date: Mon Jan 5 15:45:45 2015 -0800 ARM: omap5/dra7xx: Fix frequency typos commit 572b24e6d85d98cdc552f07e9fb9870d9460d81b upstream. The switch statement of the possible list of SYSCLK1 frequencies is missing a 0 in 4 out of the 7 frequencies. Fixes: fa6d79d27614 ("ARM: OMAP: Add initialisation for the real-time counter") Signed-off-by: Len Sorensen Reviewed-by: Lokesh Vutla Acked-by: Nishanth Menon Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 73ea8acf0bb3e7150a91c3e8b01ca7e221d59dec Author: Gary Bisson Date: Wed Dec 3 15:03:51 2014 -0800 ARM: clk-imx6q: fix video divider for rev T0 1.0 commit 81ef447950bf0955aca46f4a7617d8ce435cf0ce upstream. The post dividers do not work on i.MX6Q rev T0 1.0 so they must be fixed to 1. As the table index was wrong, a divider a of 4 could still be requested which implied the clock not to be set properly. This is the root cause of the HDMI not working at high resolution on rev T0 1.0 of the SoC. Signed-off-by: Gary Bisson Cc: Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit 61bca51affccbb1de568ff4142a86b543b3a6cbb Author: Dmitry Voytik Date: Thu Nov 6 22:46:20 2014 +0400 ARM: imx6q: drop unnecessary semicolon commit d2a10a1727b3948019128e83162f22c65859f1fd upstream. Drop unnecessary semicolon after closing curly bracket. Signed-off-by: Dmitry Voytik Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit a3576e471f71e8e7559fa85ef503b2278d9b04a1 Author: Fabio Estevam Date: Mon Jan 5 15:19:08 2015 -0200 ARM: dts: imx51-babbage: Fix ULPI PHY reset modelling commit 7a9f0604bd56936b2b18f49824e0e392dc7878c3 upstream. GPIO2_5 is the reset GPIO for the USB3317 ULPI PHY. Instead of modelling it as a regulator, the correct approach is to use the 'reset_gpios' property of the "usb-nop-xceiv" node. GPIO1_7 is the reset GPIO for the USB2517 USB hub. As we currently don't have dt bindings to describe a HUB reset, let's keep using the regulator approach. Rename the regulator to 'reg_hub_reset' to better describe its function and bind it with the USB host1 port instead. USB host support has been introduced by commit 9bf206a9d13be3 ("ARM: dts: imx51-babbage: Add USB Host1 support"), which landed in 3.16 and it seems that USB has only been functional due to previous bootloader initialization. With this patch applied we can get USB host to work without relying on the bootloader. Signed-off-by: Fabio Estevam Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit 1fb91db57fd102f4522e0b1169aadeaf33ba8cad Author: Fabio Estevam Date: Fri Dec 5 16:16:07 2014 -0200 ARM: dts: imx25: Fix the SPI1 clocks commit 7a87e9cbc3a2f0ff0955815335e08c9862359130 upstream. From Documentation/devicetree/bindings/clock/imx25-clock.txt: cspi1_ipg 78 cspi2_ipg 79 cspi3_ipg 80 , so fix the SPI1 clocks accordingly to avoid a kernel hang when trying to access SPI1. Signed-off-by: Fabio Estevam Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit 64c2607ba8867e77bdb09cec99f0641146f08a09 Author: Fabio Estevam Date: Tue Dec 16 17:30:28 2014 -0200 ARM: imx6sx: Set PLL2 as parent of QSPI clocks commit 7c168ed898931f6c3314d696e63cf993378ca192 upstream. The default qspi2_clk_sel field of register CCM_CS2CDR contains '110' which is marked as 'reserved', so we can't rely on the default value. Provide a proper parent for QSPI clocks to avoid a kernel oops: [ 1.037920] Division by zero in kernel. [ 1.041807] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.18.0-rc7-next-20141204-00002-g5aa23e1 #2143 [ 1.050967] Hardware name: Freescale i.MX6 SoloX (Device Tree) [ 1.056853] Backtrace: [ 1.059360] [<80011ea0>] (dump_backtrace) from [<8001203c>] (show_stack+0x18/0x1c) [ 1.066982] r6:00000000 r5:00000000 r4:00000000 r3:00000000 [ 1.072754] [<80012024>] (show_stack) from [<806b7100>] (dump_stack+0x88/0xa4) [ 1.080038] [<806b7078>] (dump_stack) from [<80011d20>] (__div0+0x18/0x20) [ 1.086958] r5:be018500 r4:be017c00 [ 1.090600] [<80011d08>] (__div0) from [<802aa418>] (Ldiv0+0x8/0x10) [ 1.097012] [<80504fbc>] (clk_divider_set_rate) from [<80503ddc>] (clk_change_rate+0x14c/0x17c) [ 1.105759] r7:00000000 r6:00000000 r5:be018500 r4:00000000 [ 1.111516] [<80503c90>] (clk_change_rate) from [<80503ea0>] (clk_set_rate+0x94/0x98) [ 1.119391] r8:be7e0368 r7:00000000 r6:be11a000 r5:be018500 r4:00000000 r3:00000000 [ 1.127290] [<80503e0c>] (clk_set_rate) from [<80410558>] (fsl_qspi_probe+0x23c/0x75c) [ 1.135260] r5:be11a010 r4:be350010 [ 1.138900] [<8041031c>] (fsl_qspi_probe) from [<80385a18>] (platform_drv_probe+0x50/0xac) Signed-off-by: Fabio Estevam Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit 2e953b852039b7de26642dedac90275333aaa279 Author: Nishanth Menon Date: Mon Jan 5 15:45:45 2015 -0800 ARM: omap2plus_defconfig: use CONFIG_CPUFREQ_DT commit 40d1746d2eeec5e05956d749cca6364573b472b6 upstream. CONFIG_GENERIC_CPUFREQ_CPU0 disappeared with commit bbcf071969b20f ("cpufreq: cpu0: rename driver and internals to 'cpufreq_dt'") Use the renamed CONFIG_CPUFREQ_DT generic driver. It looks like with v3.18-rc1, commit bbcf071969b20f and fdc509b15eb3eb came in via different trees causing the resultant v3.18-rc1 to be non-functional for cpufreq as default supported with omap2plus_defconfig. Fixes: fdc509b15eb3eb ("ARM: omap2plus_defconfig: Add cpufreq to defconfig") Signed-off-by: Nishanth Menon Acked-by: Viresh Kumar Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit d3c248b638b606c80c9c771a0275ed488420f41a Author: Dmitry Torokhov Date: Thu Jan 8 14:53:23 2015 -0800 Input: I8042 - add Acer Aspire 7738 to the nomux list commit 9333caeaeae4f831054e0e127a6ed3948b604d3e upstream. When KBC is in active multiplexing mode the touchpad on this laptop does not work. Reported-by: Bilal Koc Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit aae7cd96b4e51e28032b2fa14f1552cec5d90146 Author: Srihari Vijayaraghavan Date: Wed Jan 7 16:25:53 2015 -0800 Input: i8042 - reset keyboard to fix Elantech touchpad detection commit 148e9a711e034e06310a8c36b64957934ebe30f2 upstream. On some laptops, keyboard needs to be reset in order to successfully detect touchpad (e.g., some Gigabyte laptop models with Elantech touchpads). Without resettin keyboard touchpad pretends to be completely dead. Based on the original patch by Mateusz Jończyk this version has been expanded to include DMI based detection & application of the fix automatically on the affected models of laptops. This has been confirmed to fix problem by three users already on three different models of laptops. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=81331 Signed-off-by: Srihari Vijayaraghavan Acked-by: Mateusz Jończyk Tested-by: Srihari Vijayaraghavan Tested by: Zakariya Dehlawi Tested-by: Guillaum Bouchard Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 17afe476900a76e3dfc3bc51d5776a52738eb2eb Author: Sam hung Date: Thu Jan 8 13:22:43 2015 -0800 Input: elantech - support new ICs types for version 4 commit 810aa0918b2b032684c8cad13f73d6ba37ad11c0 upstream. This change allows the driver to recognize newer Elantech touchpads. Signed-off-by: Yi ju Hong Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 17fb11ae0cb25d050aae298ded291a7d51879649 Author: Ahmed S. Darwish Date: Mon Jan 5 12:57:13 2015 -0500 can: kvaser_usb: Don't send a RESET_CHIP for non-existing channels commit 5e7e6e0c9b47a45576c38b4a72d67927a5e049f7 upstream. Recent Leaf firmware versions (>= 3.1.557) do not allow to send commands for non-existing channels. If a command is sent for a non-existing channel, the firmware crashes. Reported-by: Christopher Storah Signed-off-by: Olivier Sobrie Signed-off-by: Ahmed S. Darwish Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 9111e41c16da4139e5219099b91040aa6b359e73 Author: Ahmed S. Darwish Date: Mon Jan 5 12:52:06 2015 -0500 can: kvaser_usb: Reset all URB tx contexts upon channel close commit 889b77f7fd2bcc922493d73a4c51d8a851505815 upstream. Flooding the Kvaser CAN to USB dongle with multiple reads and writes in very high frequency (*), closing the CAN channel while all the transmissions are on (#), opening the device again (@), then sending a small number of packets would make the driver enter an almost infinite loop of: [....] [15959.853988] kvaser_usb 4-3:1.0 can0: cannot find free context [15959.853990] kvaser_usb 4-3:1.0 can0: cannot find free context [15959.853991] kvaser_usb 4-3:1.0 can0: cannot find free context [15959.853993] kvaser_usb 4-3:1.0 can0: cannot find free context [15959.853994] kvaser_usb 4-3:1.0 can0: cannot find free context [15959.853995] kvaser_usb 4-3:1.0 can0: cannot find free context [....] _dragging the whole system down_ in the process due to the excessive logging output. Initially, this has caused random panics in the kernel due to a buggy error recovery path. That got fixed in an earlier commit.(%) This patch aims at solving the root cause. --> 16 tx URBs and contexts are allocated per CAN channel per USB device. Such URBs are protected by: a) A simple atomic counter, up to a value of MAX_TX_URBS (16) b) A flag in each URB context, stating if it's free c) The fact that ndo_start_xmit calls are themselves protected by the networking layers higher above After grabbing one of the tx URBs, if the driver noticed that all of them are now taken, it stops the netif transmission queue. Such queue is worken up again only if an acknowedgment was received from the firmware on one of our earlier-sent frames. Meanwhile, upon channel close (#), the driver sends a CMD_STOP_CHIP to the firmware, effectively closing all further communication. In the high traffic case, the atomic counter remains at MAX_TX_URBS, and all the URB contexts remain marked as active. While opening the channel again (@), it cannot send any further frames since no more free tx URB contexts are available. Reset all tx URB contexts upon CAN channel close. (*) 50 parallel instances of `cangen0 -g 0 -ix` (#) `ifconfig can0 down` (@) `ifconfig can0 up` (%) "can: kvaser_usb: Don't free packets when tight on URBs" Signed-off-by: Ahmed S. Darwish Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 198e0c9d005f7cc44872c722e24a34c10c83736a Author: Ahmed S. Darwish Date: Mon Jan 5 12:49:10 2015 -0500 can: kvaser_usb: Don't free packets when tight on URBs commit b442723fcec445fb0ae1104888dd22cd285e0a91 upstream. Flooding the Kvaser CAN to USB dongle with multiple reads and writes in high frequency caused seemingly-random panics in the kernel. On further inspection, it seems the driver erroneously freed the to-be-transmitted packet upon getting tight on URBs and returning NETDEV_TX_BUSY, leading to invalid memory writes and double frees at a later point in time. Note: Finding no more URBs/transmit-contexts and returning NETDEV_TX_BUSY is a driver bug in and out of itself: it means that our start/stop queue flow control is broken. This patch only fixes the (buggy) error handling code; the root cause shall be fixed in a later commit. Acked-by: Olivier Sobrie Signed-off-by: Ahmed S. Darwish Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 81699fed3caad746f435824b3130c5c2e957557d Author: Sebastian Andrzej Siewior Date: Thu Dec 11 18:14:18 2014 +0100 usb: musb: stuff leak of struct usb_hcd commit 68693b8ea4e284c46bff919ac62bd9ccdfdbb6ba upstream. since the split of host+gadget mode in commit 74c2e9360058 ("usb: musb: factor out hcd initalization") we leak the usb_hcd struct. We call now musb_host_cleanup() which does basically usb_remove_hcd() and also sets the hcd variable to NULL. Doing so makes the finall call to musb_host_free() basically a nop and the usb_hcd remains around for ever without anowner. This patch drops that NULL assignment for that reason. Fixes: 74c2e9360058 ("usb: musb: factor out hcd initalization") Cc: Daniel Mack Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 99688ecfbc63e2aa90fab5e704c47c4fd6439197 Author: Alan Stern Date: Thu Dec 4 10:21:56 2014 -0500 USB: EHCI: fix initialization bug in iso_stream_schedule() commit 6d89252a998a695ecb0348fc2d717dc33d90cae9 upstream. Commit c3ee9b76aa93 (EHCI: improved logic for isochronous scheduling) introduced the idea of using ehci->last_iso_frame as the origin (or base) for the circular calculations involved in modifying the isochronous schedule. However, the new code it added used ehci->last_iso_frame before the value was properly initialized. This patch rectifies the mistake by moving the initialization lines earlier in iso_stream_schedule(). This fixes Bugzilla #72891. Signed-off-by: Alan Stern Fixes: c3ee9b76aa93 Reported-by: Joe Bryant Tested-by: Joe Bryant Tested-by: Martin Long Signed-off-by: Greg Kroah-Hartman commit 72934919ba0f17b51166e5ab31c52e114676cb25 Author: Johan Hovold Date: Mon Jan 5 16:04:13 2015 +0100 USB: console: fix potential use after free commit 32a4bf2e81ec378e5925d4e069e0677a6c86a6ad upstream. Use tty kref to release the fake tty in usb_console_setup to avoid use after free if the underlying serial driver has acquired a reference. Note that using the tty destructor release_one_tty requires some more state to be initialised. Fixes: 4a90f09b20f4 ("tty: usb-serial krefs") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 68d91b4c79481099b0fe0b37c7eafeabd12813ae Author: Johan Hovold Date: Mon Jan 5 16:04:12 2015 +0100 USB: console: fix uninitialised ldisc semaphore commit d269d4434c72ed0da3a9b1230c30da82c4918c63 upstream. The USB console currently allocates a temporary fake tty which is used to pass terminal settings to the underlying serial driver. The tty struct is not fully initialised, something which can lead to a lockdep warning (or worse) if a serial driver tries to acquire a line-discipline reference: usbserial: USB Serial support registered for pl2303 pl2303 1-2.1:1.0: pl2303 converter detected usb 1-2.1: pl2303 converter now attached to ttyUSB0 INFO: trying to register non-static key. the code is fine but needs lockdep annotation. turning off the locking correctness validator. CPU: 0 PID: 68 Comm: udevd Tainted: G W 3.18.0-rc5 #10 [] (unwind_backtrace) from [] (show_stack+0x20/0x24) [] (show_stack) from [] (dump_stack+0x24/0x28) [] (dump_stack) from [] (__lock_acquire+0x1e50/0x2004) [] (__lock_acquire) from [] (lock_acquire+0xe4/0x18c) [] (lock_acquire) from [] (ldsem_down_read_trylock+0x78/0x90) [] (ldsem_down_read_trylock) from [] (tty_ldisc_ref+0x24/0x58) [] (tty_ldisc_ref) from [] (usb_serial_handle_dcd_change+0x48/0xe8) [] (usb_serial_handle_dcd_change) from [] (pl2303_read_int_callback+0x210/0x220 [pl2303]) [] (pl2303_read_int_callback [pl2303]) from [] (__usb_hcd_giveback_urb+0x80/0x140) [] (__usb_hcd_giveback_urb) from [] (usb_giveback_urb_bh+0x98/0xd4) [] (usb_giveback_urb_bh) from [] (tasklet_hi_action+0x9c/0x108) [] (tasklet_hi_action) from [] (__do_softirq+0x148/0x42c) [] (__do_softirq) from [] (irq_exit+0xd8/0x114) [] (irq_exit) from [] (__handle_domain_irq+0x84/0xdc) [] (__handle_domain_irq) from [] (omap_intc_handle_irq+0xd8/0xe0) [] (omap_intc_handle_irq) from [] (__irq_svc+0x44/0x7c) Exception stack(0xdf4e7f08 to 0xdf4e7f50) 7f00: debc0b80 df4e7f5c 00000000 00000000 debc0b80 be8da96c 7f20: 00000000 00000128 c000fc84 df4e6000 00000000 df4e7f94 00000004 df4e7f50 7f40: c038ebc0 c038d74c 600f0013 ffffffff [] (__irq_svc) from [] (___sys_sendmsg.part.29+0x0/0x2e0) [] (___sys_sendmsg.part.29) from [] (SyS_sendmsg+0x18/0x1c) [] (SyS_sendmsg) from [] (ret_fast_syscall+0x0/0x48) console [ttyUSB0] enabled Fixes: 36697529b5bb ("tty: Replace ldisc locking with ldisc_sem") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit f33e402782f80c63c283e6fa0c1c038f18778fc2 Author: Songjun Wu Date: Fri Jan 9 17:11:24 2015 +0100 usb: gadget: udc: atmel: fix possible oops when unloading module commit 5fb694f96e7c19e66b1c55124b98812e32e3efa5 upstream. When unloading the module 'g_hid.ko', the urb request will be dequeued and the completion routine will be excuted. If there is no urb packet, the urb request will not be added to the endpoint queue and the completion routine pointer in urb request is NULL. Accessing to this NULL function pointer will cause the Oops issue reported below. Add the code to check if the urb request is in the endpoint queue or not. If the urb request is not in the endpoint queue, a negative error code will be returned. Here is the Oops log: Unable to handle kernel NULL pointer dereference at virtual address 00000000 pgd = dedf0000 [00000000] *pgd=3ede5831, *pte=00000000, *ppte=00000000 Internal error: Oops: 80000007 [#1] ARM Modules linked in: g_hid(-) usb_f_hid libcomposite CPU: 0 PID: 923 Comm: rmmod Not tainted 3.18.0+ #2 Hardware name: Atmel SAMA5 (Device Tree) task: df6b1100 ti: dedf6000 task.ti: dedf6000 PC is at 0x0 LR is at usb_gadget_giveback_request+0xc/0x10 pc : [<00000000>] lr : [] psr: 60000093 sp : dedf7eb0 ip : df572634 fp : 00000000 r10: 00000000 r9 : df52e210 r8 : 60000013 r7 : df6a9858 r6 : df52e210 r5 : df6a9858 r4 : df572600 r3 : 00000000 r2 : ffffff98 r1 : df572600 r0 : df6a9868 Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c53c7d Table: 3edf0059 DAC: 00000015 Process rmmod (pid: 923, stack limit = 0xdedf6230) Stack: (0xdedf7eb0 to 0xdedf8000) 7ea0: 00000000 c02adbbc df572580 deced608 7ec0: df572600 df6a9868 df572634 c02aed3c df577c00 c01b8608 00000000 df6be27c 7ee0: 00200200 00100100 bf0162f4 c000e544 dedf6000 00000000 00000000 bf010c00 7f00: bf0162cc bf00159c 00000000 df572980 df52e218 00000001 df5729b8 bf0031d0 [..] [] (usb_gadget_giveback_request) from [] (request_complete+0x64/0x88) [] (request_complete) from [] (usba_ep_dequeue+0x70/0x128) [] (usba_ep_dequeue) from [] (hidg_unbind+0x50/0x7c [usb_f_hid]) [] (hidg_unbind [usb_f_hid]) from [] (remove_config.isra.6+0x98/0x9c [libcomposite]) [] (remove_config.isra.6 [libcomposite]) from [] (__composite_unbind+0x34/0x98 [libcomposite]) [] (__composite_unbind [libcomposite]) from [] (usb_gadget_remove_driver+0x50/0x78) [] (usb_gadget_remove_driver) from [] (usb_gadget_unregister_driver+0x64/0x94) [] (usb_gadget_unregister_driver) from [] (hidg_cleanup+0x10/0x34 [g_hid]) [] (hidg_cleanup [g_hid]) from [] (SyS_delete_module+0x118/0x19c) [] (SyS_delete_module) from [] (ret_fast_syscall+0x0/0x30) Code: bad PC value Signed-off-by: Songjun Wu [nicolas.ferre@atmel.com: reworked the commit message] Signed-off-by: Nicolas Ferre Fixes: 914a3f3b3754 ("USB: add atmel_usba_udc driver") Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 967e5620db6d2434a4fec9853598ef3f80d684d5 Author: Bo Shen Date: Wed Dec 17 17:18:49 2014 +0800 usb: gadget: udc: atmel: fix possible IN hang issue commit 6785a1034461c2d2c205215f63a50a740896e55b upstream. When receive data, the RXRDY in status register set by hardware after a new packet has been stored in the endpoint FIFO. When it is copied from FIFO, this bit is cleared which make the FIFO can be accessed again. In the receive_data() function, this bit RXRDY has been cleared. So, after the receive_data() function return, this bit should not be cleared again, or else it may cause the accessing FIFO corrupt, which will make the data loss. Fixes: 914a3f3b3754 (USB: add atmel_usba_udc driver) Acked-by: Nicolas Ferre Signed-off-by: Bo Shen Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit c811188452a5aaf843ad820105931fe5d57b3ba8 Author: Bo Shen Date: Wed Dec 17 17:18:48 2014 +0800 usb: gadget: udc: atmel: change setting for DMA commit f40afdddeb6c54ffd1e2920a5e93e363d6748db6 upstream. According to the datasheet, when transfer using DMA, the control setting for IN packet only need END_BUF_EN, END_BUF_IE, CH_EN, while for OUT packet, need more two bits END_TR_EN and END_TR_IE to be configured. Fixes: 914a3f3b3754 (USB: add atmel_usba_udc driver) Acked-by: Nicolas Ferre Signed-off-by: Bo Shen Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 84ac889beef825e15ab0830d5c8da643836044e6 Author: Mario Schuknecht Date: Tue Dec 16 08:58:57 2014 +0100 usb: gadget: gadgetfs: Free memory allocated by memdup_user() commit b44be2462dbe3e23f0aedff64de52a1e8e47a1cd upstream. Commit 3b74c73f8d6f053f422e85fce955b61fb181cfe7 switched over to memdup_user() in ep_write() function and removed kfree (kbuf). memdup_user() function allocates memory which is never freed. Fixes: 3b74c73 (usb: gadget: inode: switch over to memdup_user()) Signed-off-by: Mario Schuknecht Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 2c5d2dde06b89f1a2f3fc5f064cd39685f8e3c47 Author: Johan Hovold Date: Mon Dec 22 18:39:39 2014 +0100 USB: keyspan: fix null-deref at probe commit b5122236bba8d7ef62153da5b55cc65d0944c61e upstream. Fix null-pointer dereference during probe if the interface-status completion handler is called before the individual ports have been set up. Fixes: f79b2d0fe81e ("USB: keyspan: fix NULL-pointer dereferences and memory leaks") Reported-by: Richard Tested-by: Richard Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 14d38f7d8076508b54bf0bb4426151b1ee9a163d Author: Reinhard Speyerer Date: Tue Jan 6 22:06:38 2015 +0100 USB: qcserial/option: make AT URCs work for Sierra Wireless MC73xx commit d80c0d14183516f184a5ac88e11008ee4c7d2a2e upstream. As has been discussed in the thread starting with https://lkml.kernel.org/g/549748e9.d+SiJzqu50f1r4lSAL043YSc@arcor.de Sierra Wireless MC73xx devices with USB VID/PID 0x1199:0x68c0 require the option_send_setup() code to be used on the USB interface for the AT port to make unsolicited response codes work correctly. Move these devices from the qcserial driver where they have been added by commit 70a3615fc07c2330ed7c1e922f3c44f4a67c0762 ("usb: qcserial: add Sierra Wireless MC73xx") to the option driver and add a MC73xx-specific blacklist to ensure that 1. the sendsetup code is not used for the DIAG/DM and NMEA interfaces 2. the option driver does not attach to the QMI/network interfaces Signed-off-by: Reinhard Speyerer Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 34aa8bbd747429eaa0109247b99db3d98d9956f0 Author: David Peterson Date: Tue Jan 6 15:00:52 2015 +0000 USB: cp210x: add IDs for CEL USB sticks and MeshWorks devices commit 1ae78a4870989a354028cb17dabf819b595e70e3 upstream. Added virtual com port VID/PID entries for CEL USB sticks and MeshWorks devices. Signed-off-by: David Peterson Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit ee4597bd5ab06d3f1091e85100ec1e4fcf5e52b2 Author: Preston Fick Date: Sat Dec 27 01:32:41 2014 -0600 USB: cp210x: fix ID for production CEL MeshConnect USB Stick commit 90441b4dbe90ba0c38111ea89fa093a8c9627801 upstream. Fixing typo for MeshConnect IDs. The original PID (0x8875) is not in production and is not needed. Instead it has been changed to the official production PID (0x8857). Signed-off-by: Preston Fick Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 11fb1b95745900b31caa6936cff482a0aa9a0f4f Author: Amit Virdi Date: Tue Jan 13 14:27:21 2015 +0530 usb: dwc3: gadget: Stop TRB preparation after limit is reached commit 39e60635a01520e8c8ed3946a28c2b98e6a46f79 upstream. DWC3 gadget sets up a pool of 32 TRBs for each EP during initialization. This means, the max TRBs that can be submitted for an EP is fixed to 32. Since the request queue for an EP is a linked list, any number of requests can be queued to it by the gadget layer. However, the dwc3 driver must not submit TRBs more than the pool it has created for. This limit wasn't respected when SG was used resulting in submitting more than the max TRBs, eventually leading to non-transfer of the TRBs submitted over the max limit. Root cause: When SG is used, there are two loops iterating to prepare TRBs: - Outer loop over the request_list - Inner loop over the SG list The code was missing break to get out of the outer loop. Fixes: eeb720fb21d6 (usb: dwc3: gadget: add support for SG lists) Signed-off-by: Amit Virdi Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 64227c12bb0a7773d650464f91ac7555f185431e Author: Amit Virdi Date: Tue Jan 13 14:27:20 2015 +0530 usb: dwc3: gadget: Fix TRB preparation during SG commit ec512fb8e5611fed1df2895f90317ce6797d6b32 upstream. When scatter gather (SG) is used, multiple TRBs are prepared from one DWC3 request (dwc3_request). So while preparing TRBs, the 'last' flag should be set only when it is the last TRB being prepared from the last dwc3_request entry. The current implementation uses list_is_last to check if the dwc3_request is the last entry from the request_list. However, list_is_last returns false for the last entry too. This is because, while preparing the first TRB from a request, the function dwc3_prepare_one_trb modifies the request's next and prev pointers while moving the URB to req_queued. Hence, list_is_last always returns false no matter what. The correct way is not to access the modified pointers of dwc3_request but to use list_empty macro instead. Fixes: e5ba5ec833aa (usb: dwc3: gadget: fix scatter gather implementation) Signed-off-by: Amit Virdi Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 8db5755be1bf888ce3a2efd587e2a53043924a39 Author: Arseny Solokha Date: Sat Dec 6 09:54:06 2014 +0700 OHCI: add a quirk for ULi M5237 blocking on reset commit 56abcab833fafcfaeb2f5b25e0364c1dec45f53e upstream. Commit 8dccddbc2368 ("OHCI: final fix for NVIDIA problems (I hope)") introduced into 3.1.9 broke boot on e.g. Freescale P2020DS development board. The code path that was previously specific to NVIDIA controllers had then become taken for all chips. However, the M5237 installed on the board wedges solid when accessing its base+OHCI_FMINTERVAL register, making it impossible to boot any kernel newer than 3.1.8 on this particular and apparently other similar machines. Don't readl() and writel() base+OHCI_FMINTERVAL on PCI ID 10b9:5237. The patch is suitable for the -next tree as well as all maintained kernels up to 3.2 inclusive. Signed-off-by: Arseny Solokha Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit f0f49ab7a04ea0422c548d062979436db6b974b6 Author: Johan Hovold Date: Tue Jan 13 13:00:05 2015 +0100 gpio: sysfs: fix gpio device-attribute leak commit 0915e6feb38de8d3601819992a5bd050201a56fa upstream. The gpio device attributes were never destroyed when the gpio was unexported (or on export failures). Use device_create_with_groups() to create the default device attributes of the gpio class device. Note that this also fixes the attribute-creation race with userspace for these attributes. Remove contingent attributes in export error path and on unexport. Fixes: d8f388d8dc8d ("gpio: sysfs interface") Signed-off-by: Johan Hovold Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 3d6b88b3423115d32d60531413b1fb83f462c1d1 Author: Johan Hovold Date: Tue Jan 13 13:00:04 2015 +0100 gpio: sysfs: fix gpio-chip device-attribute leak commit 121b6a79955a3a3fd7bbb9b8cb88d5b9dad6283d upstream. The gpio-chip device attributes were never destroyed when the device was removed. Fix by using device_create_with_groups() to create the device attributes of the chip class device. Note that this also fixes the attribute-creation race with userspace. Fixes: d8f388d8dc8d ("gpio: sysfs interface") Signed-off-by: Johan Hovold Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 72d8d4dd175d25cfaee6d0a585811f0ead9a9054 Author: Johan Hovold Date: Mon Jan 12 17:12:28 2015 +0100 gpio: fix sleep-while-atomic in gpiochip_remove commit 6798acaa0138d8b12f1c54402ebcb66fea3deb03 upstream. Move direct and indirect calls to gpiochip_remove_pin_ranges outside of spin lock as they can end up taking a mutex in pinctrl_remove_gpio_range. Note that the pin ranges are already added outside of the lock. Fixes: 9ef0d6f7628b ("gpiolib: call pin removal in chip removal function") Fixes: f23f1516b675 ("gpiolib: provide provision to register pin ranges") Signed-off-by: Johan Hovold Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 2bc26f4444e6e0b1ebab6dfc9987b9f89d1377b5 Author: Johan Hovold Date: Mon Jan 12 17:12:27 2015 +0100 gpio: fix memory leak and sleep-while-atomic commit 00acc3dc248063f982cfacfbe5e78c0d6797ffef upstream. Fix memory leak and sleep-while-atomic in gpiochip_remove. The memory leak was introduced by afa82fab5e13 ("gpio / ACPI: Move event handling registration to gpiolib irqchip helpers") that moved the release of acpi interrupt resources to gpiochip_irqchip_remove, but by then the resources are no longer accessible as the acpi_gpio_chip has already been freed by acpi_gpiochip_remove. Note that this also fixes a few potential sleep-while-atomics, which has been around since 1425052097b5 ("gpio: add IRQ chip helpers in gpiolib") when the call to gpiochip_irqchip_remove while holding a spinlock was added (a couple of irq-domain paths can end up grabbing mutexes). Fixes: afa82fab5e13 ("gpio / ACPI: Move event handling registration to gpiolib irqchip helpers") Fixes: 1425052097b5 ("gpio: add IRQ chip helpers in gpiolib") Signed-off-by: Johan Hovold Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit e1c76d694f656d593f5a6d001e6fec04d7252b7c Author: Johan Hovold Date: Mon Jan 12 17:12:24 2015 +0100 gpio: fix memory and reference leaks in gpiochip_add error path commit 5539b3c938d64a60cb1fc442ac3ce9263d52de0c upstream. Memory allocated and references taken by of_gpiochip_add and acpi_gpiochip_add were never released on errors in gpiochip_add (e.g. failure to find free gpio range). Fixes: 391c970c0dd1 ("of/gpio: add default of_xlate function if device has a node pointer") Fixes: 664e3e5ac64c ("gpio / ACPI: register to ACPI events automatically") Signed-off-by: Johan Hovold Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit fe7930b607e8f7d238495390a4c262ffbdab1506 Author: Aaron Lu Date: Mon Jan 12 10:09:32 2015 +0800 gpio: crystalcove: use handle_nested_irq commit e733a2fb8cbcff0747108cb529ffb4e4a00465ac upstream. The CrystalCove GPIO chip has can_sleep set so its demultiplexed irqs will have IRQ_NESTED_THREAD flag set, thus we should use the nested version handle_nested_irq in CrystalCove's irq handler instead of handle_generic_irq, or the following warning will be hit and the functionality is lost: [ 4089.639554] Hardware name: ASUSTeK COMPUTER INC. T100TA/T100TA, BIOS T100TA.313 08/13/2014 [ 4089.639564] 00000002 00000000 c24fbdf4 c16e0257 c24fbe38 c24fbe28 c105390c c18ec480 [ 4089.639596] c24fbe54 00000048 c18f8e3b 00000295 c10a60fc 00000295 c10a60fc f4464540 [ 4089.639626] f446459c c278ad40 c24fbe40 c1053974 00000009 c24fbe38 c18ec480 c24fbe54 [ 4089.639656] Call Trace: [ 4089.639685] [] dump_stack+0x41/0x52 [ 4089.639707] [] warn_slowpath_common+0x8c/0xc0 [ 4089.639727] [] ? irq_nested_primary_handler+0x2c/0x30 [ 4089.639744] [] ? irq_nested_primary_handler+0x2c/0x30 [ 4089.639763] [] warn_slowpath_fmt+0x34/0x40 [ 4089.639781] [] irq_nested_primary_handler+0x2c/0x30 [ 4089.639800] [] handle_irq_event_percpu+0x76/0x190 [ 4089.639818] [] ? regmap_format_10_14_write+0x30/0x30 [ 4089.639836] [] ? _regmap_bus_raw_write+0x4c/0x70 [ 4089.639854] [] handle_irq_event+0x31/0x50 [ 4089.639872] [] handle_simple_irq+0x4b/0x70 [ 4089.639889] [] generic_handle_irq+0x24/0x40 [ 4089.639908] [] crystalcove_gpio_irq_handler+0xa7/0xc0 [ 4089.639927] [] handle_nested_irq+0x77/0x190 [ 4089.639947] [] regmap_irq_thread+0x1b1/0x360 [ 4089.639966] [] irq_thread_fn+0x18/0x30 [ 4089.639983] [] irq_thread+0xf6/0x110 [ 4089.640001] [] ? irq_finalize_oneshot.part.30+0x1b0/0x1b0 [ 4089.640019] [] ? irq_forced_thread_fn+0x50/0x50 [ 4089.640037] [] ? irq_thread_check_affinity+0xc0/0xc0 [ 4089.640054] [] kthread+0xa9/0xc0 [ 4089.640074] [] ret_from_kernel_thread+0x21/0x30 [ 4089.640091] [] ? kthread_create_on_node+0x110/0x110 [ 4089.640105] ---[ end trace dca7946ad31eba7d ]--- Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=90521 Reported-and-tested-by: Brian Loften Signed-off-by: Aaron Lu Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 0dc7c71158efa49bcc4e294bf943e8b14ea28fa8 Author: Hans Holmberg Date: Fri Jan 9 09:40:43 2015 +0100 gpiolib: of: Correct error handling in of_get_named_gpiod_flags commit 7b8792bbdffdff3abda704f89c6a45ea97afdc62 upstream. of_get_named_gpiod_flags fails with -EPROBE_DEFER in cases where the gpio chip is available and the GPIO translation fails. This causes drivers to be re-probed erroneusly, and hides the real problem(i.e. the GPIO number being out of range). Signed-off-by: Hans Holmberg Reviewed-by: Alexandre Courbot Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit f32b586a9de6b2d17e3acc141da8d84d376465a2 Author: Johan Hovold Date: Mon Jan 12 17:20:51 2015 +0100 pinctrl: lantiq: remove bogus of_gpio_chip_add commit 41f632fe177bc4822c2e8236fe7c291e6e9eb6f8 upstream. Remove bogus call to of_gpiochip_add (and of_gpio_chip remove in error path) which is also called when adding the gpio chip. This prevents adding the same pinctrl range twice. Fixes: 3f8c50c9b110 ("OF: pinctrl: MIPS: lantiq: implement lantiq/xway pinctrl support") Signed-off-by: Johan Hovold Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit d38456025410529a88ff0c53d2812bfd0f438064 Author: Jisheng Zhang Date: Fri Dec 26 16:58:01 2014 +0800 ARM: dts: berlin: correct BG2Q's SM GPIO location. commit 5138d5c562e3bfe30964e20ab46eec9f8b89225d upstream. The gpio4 and gpio5 are in 0xf7fc0000 apb which is located in the SM domain. This patch moves gpio4 and gpio5 to the correct location. This patch also renames them as the following to match the names we internally used in marvell: gpio4 -> sm_gpio1 gpio5 -> sm_gpio0 porte -> portf portf -> porte This also matches what we did for BG2 and BG2CD's SM GPIO. Fixes: cedf57fc4f2f ("ARM: dts: berlin: add the BG2Q GPIO nodes") Signed-off-by: Jisheng Zhang Signed-off-by: Sebastian Hesselbarth Signed-off-by: Greg Kroah-Hartman commit a96747d8e1228d7d30cef185c897fc943a550b83 Author: Tyler Baker Date: Mon Jan 12 07:54:46 2015 -0800 reset: sunxi: fix spinlock initialization commit 41544f9f38f19cb46dc9a8fa37c58677a0300899 upstream. Call spin_lock_init() before the spinlocks are used, both in early init and probe functions preventing a lockdep splat. I have been observing lockdep complaining [1] during boot on my a80 optimus [2] when CONFIG_PROVE_LOCKING has been enabled. This patch resolves the splat, and has been tested on a few other sunxi platforms without issue. [1] http://storage.kernelci.org/next/next-20150107/arm-multi_v7_defconfig+CONFIG_PROVE_LOCKING=y/lab-tbaker/boot-sun9i-a80-optimus.html [2] http://kernelci.org/boot/?a80-optimus Signed-off-by: Tyler Baker Acked-by: Philipp Zabel Signed-off-by: Kevin Hilman Signed-off-by: Olof Johansson Signed-off-by: Greg Kroah-Hartman commit e77b867c9373fc82a01fd96485dfe8454e434ce2 Author: Hans de Goede Date: Thu Jan 8 15:15:15 2015 +0100 uas: Add US_FL_NO_ATA_1X for 2 more Seagate disk enclosures commit 3ca8c717429b90f621aed28af029da4c3da378bc upstream. Just like all previous UAS capable Seagate disk enclosures, these need the US_FL_NO_ATA_1X to not crash when udev probes them. Signed-off-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman commit 03642fd92a5763a9f60de9101ea9e0d758152ec3 Author: Hans de Goede Date: Mon Dec 8 09:50:47 2014 +0100 uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS566 with usb-id 0bc2:a013 commit c6fa3945c8b5baf62f2e849104ecd6f3a1e5e407 upstream. Like the JMicron JMS567 enclosures with the JMS566 choke on report-opcodes, so avoid it. Tested-and-reported-by: Takeo Nakayama Signed-off-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman commit 887934ee2b1dc9c570fb09bcb3ff95ab44ab27e4 Author: Hans de Goede Date: Fri Dec 5 11:11:29 2014 +0100 uas: Add US_FL_NO_ATA_1X for Seagate devices with usb-id 0bc2:a013 commit e5797a3d079f3e5049140055d850691b5cc7d10a upstream. This is yet another Seagate device which needs the US_FL_NO_ATA_1X quirk Reported-by: Marcin Zajączkowski Signed-off-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman commit ee45552ef3e0d6d72947f23b23bb86683e8b9f4b Author: Alexander Usyskin Date: Thu Dec 25 00:37:46 2014 +0200 mei: clean reset bit before reset commit b13a65ef190e488e2761d65bdd2e1fe8a3a125f5 upstream. H_RST bit in H_CSR register may be found lit before reset is started, for example if preceding reset flow hasn't completed. In that case asserting H_RST will be ignored, therefore we need to clean H_RST bit to start a successful reset sequence. Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 60ff540168e9b8fc9a43cf5b182700227edfde7f Author: Trond Myklebust Date: Fri Jan 2 16:25:08 2015 -0500 NFSv4.1: Fix client id trunking on Linux commit 1fc0703af3143914a389bfa081c7acb09502ed5d upstream. Currently, our trunking code will check for session trunking, but will fail to detect client id trunking. This is a problem, because it means that the client will fail to recognise that the two connections represent shared state, even if they do not permit a shared session. By removing the check for the server minor id, and only checking the major id, we will end up doing the right thing in both cases: we close down the new nfs_client and fall back to using the existing one. Fixes: 05f4c350ee02e ("NFS: Discover NFSv4 server trunking when mounting") Cc: Chuck Lever Tested-by: Chuck Lever Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit a2a15f402da905b91d91fae2c5aabdd0acd4f12d Author: Steven Rostedt (Red Hat) Date: Tue Jan 13 14:03:38 2015 -0500 ftrace: Check both notrace and filter for old hash commit 7485058eea40783ac142a60c3e799fc66ce72583 upstream. Using just the filter for checking for trampolines or regs is not enough when updating the code against the records that represent all functions. Both the filter hash and the notrace hash need to be checked. To trigger this bug (using trace-cmd and perf): # perf probe -a do_fork # trace-cmd start -B foo -e probe # trace-cmd record -p function_graph -n do_fork sleep 1 The trace-cmd record at the end clears the filter before it disables function_graph tracing and then that causes the accounting of the ftrace function records to become incorrect and causes ftrace to bug. Link: http://lkml.kernel.org/r/20150114154329.358378039@goodmis.org [ still need to switch old_hash_ops to old_ops_hash ] Reviewed-by: Masami Hiramatsu Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit edc9d336597d9dc018884a4306bfb8f6bd7fa4e9 Author: Steven Rostedt (Red Hat) Date: Tue Jan 13 11:20:43 2015 -0500 ftrace: Fix updating of filters for shared global_ops filters commit 8f86f83709c585742dea5dd7f0d2b79c43f992ec upstream. As the set_ftrace_filter affects both the function tracer as well as the function graph tracer, the ops that represent each have a shared ftrace_ops_hash structure. This allows both to be updated when the filter files are updated. But if function graph is enabled and the global_ops (function tracing) ops is not, then it is possible that the filter could be changed without the update happening for the function graph ops. This will cause the changes to not take place and may even cause a ftrace_bug to occur as it could mess with the trampoline accounting. The solution is to check if the ops uses the shared global_ops filter and if the ops itself is not enabled, to check if there's another ops that is enabled and also shares the global_ops filter. In that case, the modification still needs to be executed. Link: http://lkml.kernel.org/r/20150114154329.055980438@goodmis.org Reviewed-by: Masami Hiramatsu Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 7769f8be6bd1715ddaa720539200a01bf4bdbe4e Author: Steven Rostedt (Red Hat) Date: Mon Jan 12 12:12:03 2015 -0500 ftrace/jprobes/x86: Fix conflict between jprobes and function graph tracing commit 237d28db036e411f22c03cfd5b0f6dc2aa9bf3bc upstream. If the function graph tracer traces a jprobe callback, the system will crash. This can easily be demonstrated by compiling the jprobe sample module that is in the kernel tree, loading it and running the function graph tracer. # modprobe jprobe_example.ko # echo function_graph > /sys/kernel/debug/tracing/current_tracer # ls The first two commands end up in a nice crash after the first fork. (do_fork has a jprobe attached to it, so "ls" just triggers that fork) The problem is caused by the jprobe_return() that all jprobe callbacks must end with. The way jprobes works is that the function a jprobe is attached to has a breakpoint placed at the start of it (or it uses ftrace if fentry is supported). The breakpoint handler (or ftrace callback) will copy the stack frame and change the ip address to return to the jprobe handler instead of the function. The jprobe handler must end with jprobe_return() which swaps the stack and does an int3 (breakpoint). This breakpoint handler will then put back the saved stack frame, simulate the instruction at the beginning of the function it added a breakpoint to, and then continue on. For function tracing to work, it hijakes the return address from the stack frame, and replaces it with a hook function that will trace the end of the call. This hook function will restore the return address of the function call. If the function tracer traces the jprobe handler, the hook function for that handler will not be called, and its saved return address will be used for the next function. This will result in a kernel crash. To solve this, pause function tracing before the jprobe handler is called and unpause it before it returns back to the function it probed. Some other updates: Used a variable "saved_sp" to hold kcb->jprobe_saved_sp. This makes the code look a bit cleaner and easier to understand (various tries to fix this bug required this change). Note, if fentry is being used, jprobes will change the ip address before the function graph tracer runs and it will not be able to trace the function that the jprobe is probing. Link: http://lkml.kernel.org/r/20150114154329.552437962@goodmis.org Acked-by: Masami Hiramatsu Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 87a5d5643f1d0348fc5b459a01f9995e609e67b1 Author: Simon Guinot Date: Tue Dec 2 07:32:10 2014 -0800 leds: netxbig: fix oops at probe time commit 0c86ac2c50647451d6a70dc900f8bb0ee3d485d9 upstream. This patch fixes a NULL pointer dereference on led_dat->mode_val. Due to this bug, a kernel oops can be observed at probe time on the LaCie 2Big and 5Big v2 boards: Unable to handle kernel NULL pointer dereference at virtual address 00000008 [...] [] (netxbig_led_probe) from [] (platform_drv_probe+0x4c/0x9c) [] (platform_drv_probe) from [] (driver_probe_device+0x98/0x25c) [] (driver_probe_device) from [] (__driver_attach+0x8c/0x90) [] (__driver_attach) from [] (bus_for_each_dev+0x68/0x94) [] (bus_for_each_dev) from [] (bus_add_driver+0x124/0x1dc) [] (bus_add_driver) from [] (driver_register+0x78/0xf8) [] (driver_register) from [] (do_one_initcall+0x80/0x1cc) [] (do_one_initcall) from [] (kernel_init_freeable+0xe4/0x1b4) [] (kernel_init_freeable) from [] (kernel_init+0xc/0xec) [] (kernel_init) from [] (ret_from_fork+0x14/0x24) [...] This bug was introduced by commit 588a6a99286ae30afb1339d8bc2163517b1b7dd1 ("leds: netxbig: fix attribute-creation race"). Signed-off-by: Simon Guinot Acked-by: Johan Hovold Signed-off-by: Bryan Wu Signed-off-by: Greg Kroah-Hartman commit 76da8f966ff47e0f20ff7f9eb8559188d4797b0a Author: Mugunthan V N Date: Tue Jan 13 17:35:49 2015 +0530 drivers: net: cpsw: fix multicast flush in dual emac mode commit 25906052d953d3fbdb7e19480b9de5e6bb949f3f upstream. Since ALE table is a common resource for both the interfaces in Dual EMAC mode and while bringing up the second interface in cpsw_ndo_set_rx_mode() all the multicast entries added by the first interface is flushed out and only second interface multicast addresses are added. Fixing this by flushing multicast addresses based on dual EMAC port vlans which will not affect the other emac port multicast addresses. Fixes: d9ba8f9 (driver: net: ethernet: cpsw: dual emac interface implementation) Signed-off-by: Mugunthan V N Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d8682e1d2663f516d0da60ecdcbbcc77c78af8b3 Author: Vasu Dev Date: Wed Jan 14 05:14:07 2015 -0800 i40e: adds FCoE configure option commit 776d4e9f5c0229037707f692b386b1f2a5bac054 upstream. Adds FCoE config option I40E_FCOE, so that FCoE can be enabled as needed but otherwise have it disabled by default. This also eliminate multiple FCoE config checks, instead now just one config check for CONFIG_I40E_FCOE. The I40E FCoE was added with 3.17 kernel and therefore this patch shall be applied to stable 3.17 kernel also. Signed-off-by: Vasu Dev Tested-by: Jim Young Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 87a1898761c9831e7dea15783ba34ff669182308 Author: Eyal Shapira Date: Wed Dec 31 19:30:15 2014 +0200 iwlwifi: mvm: fix Rx with both chains commit c93edc639392df733c7d72db4376a9add775d18a upstream. commit 5c90422439d6 "iwlwifi: mvm: don't allow diversity if BT Coex / TT forbid it" broke Rx with 2 chains for diversity. This had an impact on throughput where we're using only a single stream (11a/b/g APs, single stream APs, static SMPS). Fixes: 5c90422439d6 ("iwlwifi: mvm: don't allow diversity if BT Coex / TT forbid it") Signed-off-by: Eyal Shapira Signed-off-by: Emmanuel Grumbach Signed-off-by: Greg Kroah-Hartman commit 27f16502f01f51cb20cba470efb913163bd0cb39 Author: Catalin Marinas Date: Fri Jan 16 13:56:38 2015 +0000 arm64: partially revert "ARM: 8167/1: extend the reserved memory for initrd to be page aligned" commit 0145058c3d30b4319d747f64caa16a9cb15f0581 upstream. This patch partially reverts commit 421520ba98290a73b35b7644e877a48f18e06004 (only the arm64 part). There is no guarantee that the boot-loader places other images like dtb in a different page than initrd start/end, especially when the kernel is built with 64KB pages. When this happens, such pages must not be freed. The free_reserved_area() already takes care of rounding up "start" and rounding down "end" to avoid freeing partially used pages. Reported-by: Peter Maydell Signed-off-by: Catalin Marinas Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 6a315939e62f9a18b12bfedf0607830177db32e0 Author: Tim Kryger Date: Wed Jan 14 07:24:12 2015 +0100 mmc: sdhci: Set SDHCI_POWER_ON with external vmmc commit 3cbc6123a93dc91b99b58f7ea37d267fe93e1cad upstream. Host controllers lacking the required internal vmmc regulator may still follow the spec with regard to the LSB of SDHCI_POWER_CONTROL. Set the SDHCI_POWER_ON bit when vmmc is enabled to encourage the controller to to drive CMD, DAT, SDCLK. This fixes a regression observed on some Qualcomm and Nvidia boards caused by 5222161 mmc: sdhci: Improve external VDD regulator support. Fixes: 52221610dd84 (mmc: sdhci: Improve external VDD regulator support) Signed-off-by: Tim Kryger Tested-by: Bjorn Andersson Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit e247868d3b9d040730c08e82001f8e34b1273271 Author: Anton Blanchard Date: Tue Jan 6 21:12:08 2015 +1100 powernv: Fix OPAL tracepoint code commit bfe5fda8e7ced129716f5741cf7ed2592a338824 upstream. Patch c49f63530bb6 ("powernv: Add OPAL tracepoints") has a spurious store to the stack: ld r12,opal_tracepoint_refcount@toc(r2); \ std r12,32(r1); \ The store was originally used to save the current tracepoint status so the entry and the exit tracepoints were always balanced. In the end I just created a separate path when tracepoints are enabled. The offset on the stack used for this store is not valid for ABIv2 and it causes strange issues. I noticed it because OPAL console input was broken. Fixes: c49f63530bb6 ("powernv: Add OPAL tracepoints") Signed-off-by: Anton Blanchard Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit d5471f896bb7a39074c802f22247cf332e4b5551 Author: NeilBrown Date: Tue Jan 13 15:17:43 2015 +1300 locks: fix NULL-deref in generic_delete_lease commit 52d304eb4eaced9ad04b64ba7cd6ceb5153bbf18 upstream. commit 0efaa7e82f02fe69c05ad28e905f31fc86e6f08e locks: generic_delete_lease doesn't need a file_lock at all moves the call to fl->fl_lmops->lm_change() to a place in the code where fl might be a non-lease lock. When that happens, fl_lmops is NULL and an Oops ensures. So add an extra test to restore correct functioning. Reported-by: Linda Walsh Link: https://bugzilla.suse.com/show_bug.cgi?id=912569 Fixes: 0efaa7e82f02fe69c05ad28e905f31fc86e6f08e Signed-off-by: NeilBrown Signed-off-by: Jeff Layton Signed-off-by: Greg Kroah-Hartman commit 820b511fc45ef1719fc451539031a6ea02452c0e Author: Wei Yang Date: Wed Jan 7 10:29:11 2015 -0700 vfio-pci: Fix the check on pci device type in vfio_pci_probe() commit 7c2e211f3c95b91912a92a8c6736343690042e2e upstream. Current vfio-pci just supports normal pci device, so vfio_pci_probe() will return if the pci device is not a normal device. While current code makes a mistake. PCI_HEADER_TYPE is the offset in configuration space of the device type, but we use this value to mask the type value. This patch fixs this by do the check directly on the pci_dev->hdr_type. Signed-off-by: Wei Yang Signed-off-by: Alex Williamson Signed-off-by: Greg Kroah-Hartman commit 24a209fd9b566f5f0ec3307cb2edba0d42c1d886 Author: Hans Verkuil Date: Sat Dec 6 07:30:03 2014 -0300 vivid: fix CROP_BOUNDS typo for video output commit bb9ff078860f9d2f79d3a6bea3af9f48354ddb75 upstream. An error was returned if composing was not supported, instead of if cropping was not supported. A classic copy-and-paste bug. Found with v4l2-compliance. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit e6bd63e792d95c1dd9644c315951b734ef3680f3 Author: James Hogan Date: Mon Dec 1 09:55:10 2014 -0300 img-ir/hw: Fix potential deadlock stopping timer commit ac03086067a5524ae9e020ba5712a208c67b2736 upstream. The end timer is used for switching back from repeat code timings when no repeat codes have been received for a certain amount of time. When the protocol is changed, the end timer is deleted synchronously with del_timer_sync(), however this takes place while holding the main spin lock, and the timer handler also needs to acquire the spin lock. This opens the possibility of a deadlock on an SMP system if the protocol is changed just as the repeat timer is expiring. One CPU could end up in img_ir_set_decoder() holding the lock and waiting for the end timer to complete, while the other CPU is stuck in the timer handler spinning on the lock held by the first CPU. Lockdep also spots a possible lock inversion in the same code, since img_ir_set_decoder() acquires the img-ir lock before the timer lock, but the timer handler will try and acquire them the other way around: ========================================================= [ INFO: possible irq lock inversion dependency detected ] 3.18.0-rc5+ #957 Not tainted --------------------------------------------------------- swapper/0/0 just changed the state of lock: (((&hw->end_timer))){+.-...}, at: [<4006ae5c>] _call_timer_fn+0x0/0xfc but this lock was taken by another, HARDIRQ-safe lock in the past: (&(&priv->lock)->rlock#2){-.....} and interrupts could create inverse lock ordering between them. other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(((&hw->end_timer))); local_irq_disable(); lock(&(&priv->lock)->rlock#2); lock(((&hw->end_timer))); lock(&(&priv->lock)->rlock#2); *** DEADLOCK *** This is fixed by releasing the main spin lock while performing the del_timer_sync() call. The timer is prevented from restarting before the lock is reacquired by a new "stopping" flag which img_ir_handle_data() checks before updating the timer. --------------------------------------------------------- swapper/0/0 just changed the state of lock: (((&hw->end_timer))){+.-...}, at: [<4006ae5c>] _call_timer_fn+0x0/0xfc but this lock was taken by another, HARDIRQ-safe lock in the past: (&(&priv->lock)->rlock#2){-.....} and interrupts could create inverse lock ordering between them. other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(((&hw->end_timer))); local_irq_disable(); lock(&(&priv->lock)->rlock#2); lock(((&hw->end_timer))); lock(&(&priv->lock)->rlock#2); *** DEADLOCK *** This is fixed by releasing the main spin lock while performing the del_timer_sync() call. The timer is prevented from restarting before the lock is reacquired by a new "stopping" flag which img_ir_handle_data() checks before updating the timer. Signed-off-by: James Hogan Cc: Sifan Naeem Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 7abbdc958907add5be23aac04e691c3706e3a852 Author: Dylan Rajaratnam Date: Mon Nov 17 09:17:45 2014 -0300 img-ir/hw: Always read data to clear buffer commit ea0de4ec5489da0fe738b274effac4f950e93d76 upstream. A problem was found on Polaris where if the unit it booted via the power button on the infrared remote then the next button press on the remote would return the key code used to power on the unit. The sequence is: - The polaris powered off but with the powerdown controller (PDC) block still powered. - Press power key on remote, IR block receives the key. - Kernel starts, IR code is in IMG_IR_DATA_x but neither IMG_IR_RXDVAL or IMG_IR_RXDVALD2 are set. - Wait any amount of time. - Press any key. - IMG_IR_RXDVAL or IMG_IR_RXDVALD2 is set but IMG_IR_DATA_x is unchanged since the powerup key data was never read. This is worked around by always reading the IMG_IR_DATA_x in img_ir_set_decoder(), rather than only when the IMG_IR_RXDVAL or IMG_IR_RXDVALD2 bit is set. Signed-off-by: Dylan Rajaratnam Signed-off-by: James Hogan Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 73db430b6665717ba49baa5f06b87e782877c23e Author: Takashi Iwai Date: Fri Oct 24 05:10:20 2014 -0300 uvcvideo: Fix destruction order in uvc_delete() commit 2228d80dd05a4fc5a410fde847677b8fb3eb23d7 upstream. We've got a bug report at disconnecting a Webcam, where the kernel spews warnings like below: WARNING: CPU: 0 PID: 8385 at ../fs/sysfs/group.c:219 sysfs_remove_group+0x87/0x90() sysfs group c0b2350c not found for kobject 'event3' CPU: 0 PID: 8385 Comm: queue2:src Not tainted 3.16.2-1.gdcee397-default #1 Hardware name: ASUSTeK Computer INC. A7N8X-E/A7N8X-E, BIOS ASUS A7N8X-E Deluxe ACPI BIOS Rev 1013 11/12/2004 c08d0705 ddc75cbc c0718c5b ddc75ccc c024b654 c08c6d44 ddc75ce8 000020c1 c08d0705 000000db c03d1ec7 c03d1ec7 00000009 00000000 c0b2350c d62c9064 ddc75cd4 c024b6a3 00000009 ddc75ccc c08c6d44 ddc75ce8 ddc75cfc c03d1ec7 Call Trace: [] try_stack_unwind+0x156/0x170 [] dump_trace+0x53/0x180 [] show_trace_log_lvl+0x46/0x50 [] show_stack_log_lvl+0x51/0xe0 [] show_stack+0x27/0x50 [] dump_stack+0x3e/0x4e [] warn_slowpath_common+0x84/0xa0 [] warn_slowpath_fmt+0x33/0x40 [] sysfs_remove_group+0x87/0x90 [] device_del+0x34/0x180 [] evdev_disconnect+0x19/0x50 [] __input_unregister_device+0x9a/0x140 [] input_unregister_device+0x45/0x80 [] uvc_delete+0x26/0x110 [uvcvideo] [] v4l2_device_release+0x98/0xc0 [videodev] [] device_release+0x2b/0x90 [] kobject_cleanup+0x6f/0x1a0 [] v4l2_release+0x43/0x70 [videodev] [] __fput+0xb1/0x1b0 [] task_work_run+0x91/0xb0 [] do_exit+0x265/0x910 [] do_group_exit+0x34/0xa0 [] get_signal_to_deliver+0x17f/0x590 [] do_signal+0x3a/0x960 [] do_notify_resume+0x67/0x90 [] work_notifysig+0x30/0x3b [] 0xb7739e5f ---[ end trace b1e56095a485b631 ]--- The cause is that uvc_status_cleanup() is called after usb_put_*() in uvc_delete(). usb_put_*() removes the sysfs parent and eventually removes the children recursively, so the later device_del() can't find its sysfs. The fix is simply rearrange the call orders in uvc_delete() so that the child is removed before the parent. Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=897736 Reported-and-tested-by: Martin Pluskal Signed-off-by: Takashi Iwai Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 3971a1c954aa4cb35a874441322e7a1f198ea7ff Author: Mauro Carvalho Chehab Date: Thu Oct 30 07:53:05 2014 -0300 sound: Update au0828 quirks table commit 678fa12fb8e75c6dc1e781a02e3ddbbba7e1a904 upstream. The au0828 quirks table is currently not in sync with the au0828 media driver. Syncronize it and put them on the same order as found at au0828 driver, as all the au0828 devices with analog TV need the same quirks. Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 5eb7814b215eeeda452ad906fec2bfcd78b54fee Author: Mauro Carvalho Chehab Date: Thu Oct 30 07:53:04 2014 -0300 sound: simplify au0828 quirk table commit 5d1f00a20d2d56ed480e64e938a2391353ee565b upstream. Add a macro to simplify au0828 quirk table. That makes easier to check it against the USB IDs at drivers/media/usb/au0828/au0828-cards.c. Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 129d51a91f17a60e58d2c4201925710431610275 Author: Sakari Ailus Date: Tue Sep 16 15:57:07 2014 -0300 smiapp: Take mutex during PLL update in sensor initialisation commit f85698cd296f08218a7750f321e94607da128600 upstream. The mutex does not serialise anything in this case but avoids a lockdep warning from the control framework. Signed-off-by: Sakari Ailus Acked-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 8d5d2e131054a376d92e685b5946e23f853ffa07 Author: Frank Schaefer Date: Mon Sep 29 15:17:35 2014 -0300 af9005: fix kernel panic on init if compiled without IR commit 2279948735609d0d17d7384e776b674619f792ef upstream. This patches fixes an ancient bug in the dvb_usb_af9005 driver, which has been reported at least in the following threads: https://lkml.org/lkml/2009/2/4/350 https://lkml.org/lkml/2014/9/18/558 If the driver is compiled in without any IR support (neither DVB_USB_AF9005_REMOTE nor custom symbols), the symbol_request calls in af9005_usb_module_init() return pointers != NULL although the IR symbols are not available. This leads to the following oops: ... [ 8.529751] usbcore: registered new interface driver dvb_usb_af9005 [ 8.531584] BUG: unable to handle kernel paging request at 02e00000 [ 8.533385] IP: [<7d9d67c6>] af9005_usb_module_init+0x6b/0x9d [ 8.535613] *pde = 00000000 [ 8.536416] Oops: 0000 [#1] PREEMPT PREEMPT DEBUG_PAGEALLOCDEBUG_PAGEALLOC [ 8.537863] CPU: 0 PID: 1 Comm: swapper Not tainted 3.15.0-rc6-00151-ga5c075c #1 [ 8.539827] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [ 8.541519] task: 89c9a670 ti: 89c9c000 task.ti: 89c9c000 [ 8.541519] EIP: 0060:[<7d9d67c6>] EFLAGS: 00010206 CPU: 0 [ 8.541519] EIP is at af9005_usb_module_init+0x6b/0x9d [ 8.541519] EAX: 02e00000 EBX: 00000000 ECX: 00000006 EDX: 00000000 [ 8.541519] ESI: 00000000 EDI: 7da33ec8 EBP: 89c9df30 ESP: 89c9df2c [ 8.541519] DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068 [ 8.541519] CR0: 8005003b CR2: 02e00000 CR3: 05a54000 CR4: 00000690 [ 8.541519] Stack: [ 8.541519] 7d9d675b 89c9df90 7d992a49 7d7d5914 89c9df4c 7be3a800 7d08c58c 8a4c3968 [ 8.541519] 89c9df80 7be3a966 00000192 00000006 00000006 7d7d3ff4 8a4c397a 00000200 [ 8.541519] 7d6b1280 8a4c3979 00000006 000009a6 7da32db8 b13eec81 00000006 000009a6 [ 8.541519] Call Trace: [ 8.541519] [<7d9d675b>] ? ttusb2_driver_init+0x16/0x16 [ 8.541519] [<7d992a49>] do_one_initcall+0x77/0x106 [ 8.541519] [<7be3a800>] ? parameqn+0x2/0x35 [ 8.541519] [<7be3a966>] ? parse_args+0x113/0x25c [ 8.541519] [<7d992bc2>] kernel_init_freeable+0xea/0x167 [ 8.541519] [<7cf01070>] kernel_init+0x8/0xb8 [ 8.541519] [<7cf27ec0>] ret_from_kernel_thread+0x20/0x30 [ 8.541519] [<7cf01068>] ? rest_init+0x10c/0x10c [ 8.541519] Code: 08 c2 c7 05 44 ed f9 7d 00 00 e0 02 c7 05 40 ed f9 7d 00 00 e0 02 c7 05 3c ed f9 7d 00 00 e0 02 75 1f b8 00 00 e0 02 85 c0 74 16 00 00 e0 02 c7 05 54 84 8e 7d 00 00 e0 02 a3 58 84 8e 7d eb [ 8.541519] EIP: [<7d9d67c6>] af9005_usb_module_init+0x6b/0x9d SS:ESP 0068:89c9df2c [ 8.541519] CR2: 0000000002e00000 [ 8.541519] ---[ end trace 768b6faf51370fc7 ]--- The prefered fix would be to convert the whole IR code to use the kernel IR infrastructure (which wasn't available at the time this driver had been created). Until anyone who still has this old hardware steps up an does the conversion, fix it by not calling the symbol_request calls if the driver is compiled in without the default IR symbols (CONFIG_DVB_USB_AF9005_REMOTE). Due to the IR related pointers beeing NULL by default, IR support will then be disabled. The downside of this solution is, that it will no longer be possible to compile custom IR symbols (not using CONFIG_DVB_USB_AF9005_REMOTE) in. Please note that this patch has NOT been tested with all possible cases. I don't have the hardware and could only verify that it fixes the reported bug. Reported-by: Fengguag Wu Signed-off-by: Frank Schäfer Acked-by: Luca Olivetti Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit b5b7b720cb3674ae1be1daa64c670f348f644256 Author: Sakari Ailus Date: Tue Apr 1 10:22:46 2014 -0300 smiapp-pll: Correct clock debug prints commit bc47150ab93988714d1fab7bc82fe5f505a107ad upstream. The PLL flags were not used correctly. Signed-off-by: Sakari Ailus Acked-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit e5dcc09dd9f1597581dbf76af0a357b8af101658 Author: Tomi Valkeinen Date: Fri Dec 19 13:55:41 2014 +0200 video/fbdev: fix defio's fsync commit 30ea9c5218651bc11cbdba7820be78f04e2d83bc upstream. fb_deferred_io_fsync() returns the value of schedule_delayed_work() as an error code, but schedule_delayed_work() does not return an error. It returns true/false depending on whether the work was already queued. Fix this by ignoring the return value of schedule_delayed_work(). Signed-off-by: Tomi Valkeinen Signed-off-by: Greg Kroah-Hartman commit 7c73bd96b40f4fd3ed5064e73dc96139a18fe463 Author: Tomi Valkeinen Date: Thu Dec 18 13:40:06 2014 +0200 video/logo: prevent use of logos after they have been freed commit 92b004d1aa9f367c372511ca0330f58216b25703 upstream. If the probe of an fb driver has been deferred due to missing dependencies, and the probe is later ran when a module is loaded, the fbdev framework will try to find a logo to use. However, the logos are __initdata, and have already been freed. This causes sometimes page faults, if the logo memory is not mapped, sometimes other random crashes as the logo data is invalid, and sometimes nothing, if the fbdev decides to reject the logo (e.g. the random value depicting the logo's height is too big). This patch adds a late_initcall function to mark the logos as freed. In reality the logos are freed later, and fbdev probe may be ran between this late_initcall and the freeing of the logos. In that case we will miss drawing the logo, even if it would be possible. Signed-off-by: Tomi Valkeinen Signed-off-by: Greg Kroah-Hartman commit bf80baa10a012b3e1b86833f0b5e7cdefe7cbf6b Author: Bjørn Mork Date: Tue Dec 23 12:57:43 2014 +0100 x86/build: Clean auto-generated processor feature files commit 280dbc572357eb50184663fc9e4aaf09c8141e9b upstream. Commit 9def39be4e96 ("x86: Support compiling out human-friendly processor feature names") made two source file targets conditional. Such conditional targets will not be cleaned automatically by make mrproper. Fix by adding explicit clean-files targets for the two files. Fixes: 9def39be4e96 ("x86: Support compiling out human-friendly processor feature names") Signed-off-by: Bjørn Mork Cc: Josh Triplett Link: http://lkml.kernel.org/r/1419335863-10608-1-git-send-email-bjorn@mork.no Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 7e20e84067aea5c85d61477a37924b73f8b77cfa Author: Felipe Balbi Date: Fri Jan 2 16:15:59 2015 -0600 net: ethernet: cpsw: fix hangs with interrupts commit 7ce67a38f799d1fb332f672b117efbadedaa5352 upstream. The CPSW IP implements pulse-signaled interrupts. Due to that we must write a correct, pre-defined value to the CPDMA_MACEOIVECTOR register so the controller generates a pulse on the correct IRQ line to signal the End Of Interrupt. The way the driver is written today, all four IRQ lines are requested using the same IRQ handler and, because of that, we could fall into situations where a TX IRQ fires but we tell the controller that we ended an RX IRQ (or vice-versa). This situation triggers an IRQ storm on the reserved IRQ 127 of INTC which will in turn call ack_bad_irq() which will, then, print a ton of: unexpected IRQ trap at vector 00 In order to fix the problem, we are moving all calls to cpdma_ctlr_eoi() inside the IRQ handler and making sure we *always* write the correct value to the CPDMA_MACEOIVECTOR register. Note that the algorithm assumes that IRQ numbers and value-to-be-written-to-EOI are proportional, meaning that a write of value 0 would trigger an EOI pulse for the RX_THRESHOLD Interrupt and that's the IRQ number sitting in the 0-th index of our irqs_table array. This, however, is safe at least for current implementations of CPSW so we will refrain from making the check smarter (and, as a side-effect, slower) until we actually have a platform where IRQ lines are swapped. This patch has been tested for several days with AM335x- and AM437x-based platforms. AM57x was left out because there are still pending patches to enable ethernet in mainline for that platform. A read of the TRM confirms the statement on previous paragraph. Reported-by: Yegor Yefremov Fixes: 510a1e7 (drivers: net: davinci_cpdma: acknowledge interrupt properly) Signed-off-by: Felipe Balbi Acked-by: Tony Lindgren Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 143b34a4a526e0557bb8d0511b99008337a273bf Author: Long Li Date: Fri Dec 5 19:38:18 2014 -0800 storvsc: ring buffer failures may result in I/O freeze commit e86fb5e8ab95f10ec5f2e9430119d5d35020c951 upstream. When ring buffer returns an error indicating retry, storvsc may not return a proper error code to SCSI when bounce buffer is not used. This has introduced I/O freeze on RAID running atop storvsc devices. This patch fixes it by always returning a proper error code. Signed-off-by: Long Li Reviewed-by: K. Y. Srinivasan Signed-off-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit ac5a275b1437ded4e2da7fce8d0af298e6f7c4d8 Author: James Bottomley Date: Fri Jan 2 10:05:13 2015 -0800 serial: fix parisc boot hang commit 68ed7e1c3d236e9e1e60ed6cae22f2c1c4ba2952 upstream. This is a partial revert of 2f2dafe (serial: serial_core.c: printk replacement) which gets us booting again. The real problem seems to be the _emit path in early boot. However, until we can root cause it, we need at least to get boot working. Fixes: 2f2dafe77df2c78e189a9fa6b1879dffd06ae5a1 Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 52925954eb7d35287c51afd152ad4e237758f4f4 Author: John David Anglin Date: Sun Dec 14 10:49:11 2014 -0500 parisc: fix out-of-register compiler error in ldcw inline assembler function commit 45db07382a5c78b0c43b3b0002b63757fb60e873 upstream. The __ldcw macro has a problem when its argument needs to be reloaded from memory. The output memory operand and the input register operand both need to be reloaded using a register in class R1_REGS when generating 64-bit code. This fails because there's only a single register in the class. Instead, use a memory clobber. This also makes the __ldcw macro a compiler memory barrier. Signed-off-by: John David Anglin Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit 31b6929b577d0f4594967029944ca95ef256312f Author: zhendong chen Date: Wed Dec 17 14:37:04 2014 +0800 dm: fix missed error code if .end_io isn't implemented by target_type commit 5164bece1673cdf04782f8ed3fba70743700f5da upstream. In bio-based DM's clone_endio(), when target_type doesn't implement .end_io (e.g. linear) r will be always be initialized 0. So if a WRITE SAME bio fails WRITE SAME will not be disabled as intended. Fix this by initializing r to error, rather than 0, in clone_endio(). Signed-off-by: Alex Chen Signed-off-by: Mike Snitzer Fixes: 7eee4ae2db ("dm: disable WRITE SAME if it fails") Signed-off-by: Greg Kroah-Hartman commit 3b7dd6ec0f620bf8a7a3b2e9bed89e1728e3872b Author: Mauro Carvalho Chehab Date: Tue Oct 28 15:18:24 2014 -0200 bugon.cocci: fix Options at the macro commit 7426977c8efeaedf0a7ca00e1c1a5f52ef6b950f upstream. The comma after --no-includes makes coccinelle to not run the script: /usr/bin/spatch -D report --very-quiet --no-show-diff --cocci-file ./scripts/coccinelle/misc/bugon.cocci --no-includes, --include-headers --patch . --dir drivers/media/platform/coda/ -I ./arch/x86/include -I arch/x86/include/generated -I include -I ./arch/x86/include/uapi -I arch/x86/include/generated/uapi -I ./include/uapi -I include/generated/uapi -I ./include/linux/kconfig.h Usage: spatch.opt --sp-file [-o ] [--iso-file ] [options] Options are: --sp-file the semantic patch file -o the output file --in-place do the modification on the file directly --backup-suffix suffix to use when making a backup for inplace ... At least with Fedora 20 coccinelle package: coccinelle-1.0.0-0.rc20.1.fc21.x86_64 Signed-off-by: Mauro Carvalho Chehab Acked-by: Julia Lawall Tested-by: Wolfram Sang Fixes: 5be1df66 (Coccinelle: Script to replace if and BUG with BUG_ON) Signed-off-by: Michal Marek Signed-off-by: Greg Kroah-Hartman commit f12848067bd837d755992d787d83107a5200279d Author: Jisheng Zhang Date: Wed Dec 31 16:57:50 2014 +0800 ARM: dts: berlin: fix io clk and add missing core clk for BG2Q sdhci2 host commit 96ed6046d3bf1113de3bdbd6dbb7f40e6d0ae0ef upstream. On BG2Q, the sdhci2 host uses nfcecc for "io" clk and nfc for "core" clk. The shdci2 can't work without this patch due to the "core" clk is gated. Fixes: 0d859a6a9d14 ("ARM: dts: berlin: add the SDHCI nodes for the BG2Q") Signed-off-by: Jisheng Zhang Signed-off-by: Sebastian Hesselbarth Signed-off-by: Greg Kroah-Hartman commit 8f3922eea5611ebc2693b169b6dbf5487fb5b75d Author: Boris Brezillon Date: Tue Jan 13 15:44:06 2015 +0100 clk: at91: keep slow clk enabled to prevent system hang commit dca1a4b5ff6e2c25adeff366eb06270dadeab3db upstream. All slow clk users are not properly claiming it (get + prepare + enable) before using it. If all users properly claiming this clock release it, the clock is disabled, but faulty users still depends on it, and the system hangs. This fix prevents the slow clock from being disabled, and should solve the hanging issue, but offending drivers should be patched to properly claim this clock. Signed-off-by: Boris Brezillon Reported-by: Bo Shen Signed-off-by: Michael Turquette Signed-off-by: Greg Kroah-Hartman commit cfde14bfad76d049ac250398910bce468df871a3 Author: Jisheng Zhang Date: Wed Dec 31 16:57:52 2014 +0800 clk: berlin: bg2q: remove non-exist "smemc" gate clock commit b71e8ecd57c8aae5b1815782c47b74ffe3efc09a upstream. The "smemc" clock is removed on BG2Q SoCs. In fact, bit19 of clkenable register is for nfc. Current code use bit19 for non-exist "smemc" incorrectly, this prevents eMMC from working due to the sdhci's "core" clk is still gated. Signed-off-by: Jisheng Zhang Signed-off-by: Michael Turquette Signed-off-by: Greg Kroah-Hartman commit 94085032b432ab156da4c0ddfa510bb89268ce6d Author: Heiko Stuebner Date: Wed Dec 24 14:31:06 2014 +0100 clk: rockchip: fix rk3066 pll lock bit location commit 12551f0239b50c88352e3292dd7703382addbf5e upstream. The bit locations indicating the locking status of the plls on rk3066 are shifted by one to the right when compared to the rk3188, bits [7:4] instead of [8:5] on the rk3188, thus indicating the locking state of the wrong pll or a completely different information in case of the gpll. The recently introduced pll init code exposed that problem on some rk3066 boards when it tried to bring the boot-pll value in line with the value from the rate table. Fix this by defining separate pll definitions for rk3066 with the correct locking indices. Signed-off-by: Heiko Stuebner Fixes: 2c14736c75db ("clk: rockchip: add clock driver for rk3188 and rk3066 clocks") Tested-by: FUKAUMI Naoki Signed-off-by: Greg Kroah-Hartman commit a195f753217c0cfb47e53fd4ab6db210ae498015 Author: Heiko Stuebner Date: Thu Dec 18 20:06:57 2014 +0100 clk: rockchip: fix rk3288 cpuclk core dividers commit 9880d4277f6aab6b21404c824f9d9c652ba518ac upstream. Commit 0e5bdb3f9fa5 (clk: rockchip: switch to using the new cpuclk type for armclk) didn't take into account that the divider used on rk3288 are of the (n+1) type. The rk3066 and rk3188 socs use more complex divider types making it necessary for the list-elements to be the real register-values to write. Therefore reduce divider values in the table accordingly so that they really are the values that should be written to the registers and match the dividers actually specified for the rk3288. Reported-by: Sonny Rao Fixes: 0e5bdb3f9fa5 ("clk: rockchip: switch to using the new cpuclk type for armclk") Signed-off-by: Heiko Stuebner Reviewed-by: Doug Anderson Signed-off-by: Greg Kroah-Hartman commit f3067bf77664b8fdc67f89b09abf112ff0f9e038 Author: Kevin Hao Date: Wed Dec 3 16:53:51 2014 +0800 Revert "clk: ppc-corenet: Fix Section mismatch warning" commit 176a107b868781c8d6868454aea7d07e0b82d6b8 upstream. This reverts commit da788acb28386aa896224e784954bb73c99ff26c. That commit tried to fix the section mismatch warning by moving the ppc_corenet_clk_driver struct to init section. This is definitely wrong because the kernel would free the memories occupied by this struct after boot while this driver is still registered in the driver core. The kernel would panic when accessing this driver struct. Signed-off-by: Kevin Hao Acked-by: Scott Wood Signed-off-by: Michael Turquette Signed-off-by: Greg Kroah-Hartman commit fcdb6d6101c937dd590cfc15c8bcd8a45048fe4f Author: Tomeu Vizoso Date: Tue Dec 2 08:54:19 2014 +0100 clk: Don't try to use a struct clk* after it could have been freed commit 10cdfe54dab034311c8e2fad9ba2dffbe616caa9 upstream. As __clk_release could call kfree on clk and then we wouldn't have a safe way of getting the module that owns the clock. Signed-off-by: Tomeu Vizoso Fixes: fcb0ee6a3d33 ("clk: Implement clk_unregister") Reviewed-by: Stephen Boyd Signed-off-by: Michael Turquette Signed-off-by: Greg Kroah-Hartman commit e2481b604dd9424a873bc5ab45eaa0c0de0d9036 Author: Stephen Boyd Date: Fri Dec 12 15:04:16 2014 -0800 clk: Really fix deadlock with mmap_sem commit 89f7e9de59bf3e3cda2e00de12c66db22675a7cf upstream. Commit 6314b6796e3c (clk: Don't hold prepare_lock across debugfs creation, 2014-09-04) forgot to update one place where we hold the prepare_lock while creating debugfs directories. This means we still have the chance of a deadlock that the commit was trying to fix. Actually fix it by moving the debugfs creation outside the prepare_lock. Reported-by: Russell King Fixes: 6314b6796e3c "clk: Don't hold prepare_lock across debugfs creation" Signed-off-by: Stephen Boyd Reviewed-by: Thomas Gleixner Signed-off-by: Michael Turquette [mturquette@linaro.org: removed lockdep_assert] Signed-off-by: Greg Kroah-Hartman commit e553baaa08938c9dd1b8145ed2ea6d8a93c47cb2 Author: Krzysztof Kozlowski Date: Wed Nov 26 15:24:13 2014 +0100 clk: samsung: Fix double add of syscore ops after driver rebind commit c31844ffdbd4e73a16c66e9d7df8ec290ab4b159 upstream. During driver unbind the syscore ops were not unregistered which lead to double add on syscore list: $ echo "3810000.audss-clock-controller" > /sys/bus/platform/drivers/exynos-audss-clk/unbind $ echo "3810000.audss-clock-controller" > /sys/bus/platform/drivers/exynos-audss-clk/bind [ 1463.044061] ------------[ cut here ]------------ [ 1463.047255] WARNING: CPU: 0 PID: 1 at lib/list_debug.c:36 __list_add+0x8c/0xc0() [ 1463.054613] list_add double add: new=c06e52c0, prev=c06e52c0, next=c06d5f84. [ 1463.061625] Modules linked in: [ 1463.064623] CPU: 0 PID: 1 Comm: bash Tainted: G W 3.18.0-rc5-next-20141121-00005-ga8fab06eab42-dirty #1022 [ 1463.075338] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [ 1463.083046] [] (show_stack) from [] (dump_stack+0x70/0xbc) [ 1463.090236] [] (dump_stack) from [] (warn_slowpath_common+0x74/0xb0) [ 1463.098295] [] (warn_slowpath_common) from [] (warn_slowpath_fmt+0x30/0x40) [ 1463.106962] [] (warn_slowpath_fmt) from [] (__list_add+0x8c/0xc0) [ 1463.114760] [] (__list_add) from [] (register_syscore_ops+0x30/0x3c) [ 1463.122819] [] (register_syscore_ops) from [] (exynos_audss_clk_probe+0x36c/0x460) [ 1463.132091] [] (exynos_audss_clk_probe) from [] (platform_drv_probe+0x48/0xa4) [ 1463.141013] [] (platform_drv_probe) from [] (driver_probe_device+0x13c/0x37c) [ 1463.149852] [] (driver_probe_device) from [] (bind_store+0x90/0xe0) [ 1463.157822] [] (bind_store) from [] (drv_attr_store+0x20/0x2c) [ 1463.165363] [] (drv_attr_store) from [] (sysfs_kf_write+0x4c/0x50) [ 1463.173252] [] (sysfs_kf_write) from [] (kernfs_fop_write+0xbc/0x198) [ 1463.181395] [] (kernfs_fop_write) from [] (vfs_write+0xa0/0x1a8) [ 1463.189104] [] (vfs_write) from [] (SyS_write+0x40/0x8c) [ 1463.196122] [] (SyS_write) from [] (ret_fast_syscall+0x0/0x48) [ 1463.203655] ---[ end trace 08f6710c9bc8d8f3 ]--- [ 1463.208244] exynos-audss-clk 3810000.audss-clock-controller: setup completed Signed-off-by: Krzysztof Kozlowski Fixes: 1241ef94ccc3 ("clk: samsung: register audio subsystem clocks using common clock framework") Signed-off-by: Sylwester Nawrocki Signed-off-by: Greg Kroah-Hartman commit f8db847bcc2c924496e97c052368f83d2b18e0f5 Author: Alan Stern Date: Fri Nov 21 10:44:49 2014 -0500 SCSI: fix regression in scsi_send_eh_cmnd() commit 511833acfc06c013d453e288f483c682c60ffbff upstream. Commit ac61d1955934 (scsi: set correct completion code in scsi_send_eh_cmnd()) introduced a bug. It changed the stored return value from a queuecommand call, but it didn't take into account that the return value was used again later on. This patch fixes the bug by changing the later usage. There is a big comment in the middle of scsi_send_eh_cmnd() which does a good job of explaining how the routine works. But it mentions a "rtn = FAILURE" value that doesn't exist in the code. This patch adjusts the code to match the comment (I assume the comment is right and the code is wrong). This fixes Bugzilla #88341. Signed-off-by: Alan Stern Reported-by: Андрей Аладьев Tested-by: Андрей Аладьев Fixes: ac61d19559349e205dad7b5122b281419aa74a82 Acked-by: Hannes Reinecke Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 7fbdd0ef30d4515f6638a80b1a3e76713e2c88db Author: Tony Battersby Date: Mon Dec 8 17:20:52 2014 -0500 scsi: fix random memory corruption with scsi-mq + T10 PI commit 120bb3e1e36da9c1ae6b978c825a28b944a5d7c5 upstream. This fixes random memory corruption triggered when all three of the following are true: * scsi-mq enabled * T10 Protection Information (DIF) enabled * SCSI host with sg_tablesize > SCSI_MAX_SG_SEGMENTS (128) The symptoms of this bug are unpredictable memory corruption, BUG()s, oopses, lockups, etc., any of which may appear to be completely unrelated to the root cause. Signed-off-by: Tony Battersby Reviewed-by: Nicholas Bellinger Signed-off-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 5f5628fbda628598dbb22a9b02dcabf771dcaa28 Author: Martin K. Petersen Date: Wed Dec 3 21:18:10 2014 -0500 scsi: blacklist RSOC for Microsoft iSCSI target devices commit 198a956a11b15b564ac06d1411881e215b587408 upstream. The Microsoft iSCSI target does not support REPORT SUPPORTED OPERATION CODES. Blacklist these devices so we don't attempt to send the command. Signed-off-by: Martin K. Petersen Tested-by: Mike Christie Reported-by: jazz@deti74.ru Signed-off-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit f6637f8ef1fa330c6d3822d4c2d4bc92c442e7d4 Author: Sreekanth Reddy Date: Tue Dec 2 20:58:47 2014 +0530 Revert "[SCSI] mpt3sas: Remove phys on topology change" commit 2311ce4d9c91ed63a46e18f0378f3e406e7e888e upstream. This reverts commit 963ba22b90a955363644cd397b20226928eab976 ("mpt3sas: Remove phys on topology change") Reverting the previous mpt3sas drives patch changes, since we will observe below issue Issue: Drives connected Enclosure/Expander will unregister with SCSI Transport Layer, if any one remove and add expander cable with in DMD (Device Missing Delay) time period or even any one power-off and power-on the Enclosure with in the DMD period. Signed-off-by: Sreekanth Reddy Reviewed-by: Tomas Henzl Signed-off-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit f3018e1f5a9d4874b011dfa33849c539e63b3aa6 Author: Sreekanth Reddy Date: Tue Dec 2 20:58:46 2014 +0530 Revert "[SCSI] mpt2sas: Remove phys on topology change." commit 81a89c2d891b78695aa7e4cc0d5a7427785ae078 upstream. This reverts commit 3520f9c779bed098ca76dd3fb6377264301d57ed ("mpt2sas: Remove phys on topology change") Reverting the previous mpt2sas drives patch changes, since we will observe below issue Issue: Drives connected Enclosure/Expander will unregister with SCSI Transport Layer, if any one remove and add expander cable with in DMD (Device Missing Delay) time period or even any one power-off and power-on the Enclosure with in the DMD period. Signed-off-by: Sreekanth Reddy Reviewed-by: Tomas Henzl Signed-off-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 527400f8941dff30b48c61bc4305366ef1117d18 Author: Ville Syrjälä Date: Tue Dec 16 18:38:37 2014 +0200 Revert "drm/i915: Preserve VGACNTR bits from the BIOS" commit 01f5a6261cea395f72877aeb7c2fe2d42e1b1e00 upstream. The VGA_2X_MODE bit apparently affects the display even when the VGA plane is disabled. The bit will set by the BIOS when the panel width is at least 1280 pixels. So by preserving the bit from the BIOS we end up with corrupted display on machines with such high res panels. I only have 1024x768 panels on my gen2 machines so never ran into this problem. The original reason for preserving the VGACNTR register was to make my 830 survive S3 with acpi_sleep=s3_bios option. However after further 830 fixes that option is no longer needed to make S3 work and preserving VGACNTR doesn't seem to be necessary without it, so we can just revert the entire patch. This reverts commit 69769f9a422bfc62e17399da3590c5e31ac37f24 Author: Ville Syrjälä Date: Fri Aug 15 01:22:08 2014 +0300 drm/i915: Preserve VGACNTR bits from the BIOS Cc: Bruno Prémont Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=87171 Signed-off-by: Ville Syrjälä Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 5786521105589b9d3bff59fcb6dfb92e2b9d284d Author: Sagi Grimberg Date: Tue Dec 2 16:57:35 2014 +0200 iscsi,iser-target: Expose supported protection ops according to t10_pi commit 23a548ee656c8ba6da8cb2412070edcd62e2ac5d upstream. iSER will report supported protection operations based on the tpg attribute t10_pi settings and HCA PI offload capabilities. If the HCA does not support PI offload or tpg attribute t10_pi is not set, we fall to SW PI mode. In order to do that, we move iscsit_get_sup_prot_ops after connection tpg assignment. Signed-off-by: Sagi Grimberg Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 7737bb03f5bf045a334de608aa85b673de9248da Author: Sagi Grimberg Date: Tue Dec 2 16:57:34 2014 +0200 iser-target: Fix NULL dereference in SW mode DIF commit 302cc7c3ca14d21ccdffdebdb61c4fe028f2d5ad upstream. Fallback to software mode DIF if HCA does not support PI (without crashing obviously). It is still possible to run with backend protection and an unprotected frontend, so looking at the command prot_op is not enough. Check device PI capability on a per-IO basis (isert_prot_cmd inline static) to determine if we need to handle protection information. Trace: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 IP: [] isert_reg_sig_mr+0x351/0x3b0 [ib_isert] Call Trace: [] ? swiotlb_map_sg_attrs+0x7a/0x130 [] isert_reg_rdma+0x2fd/0x370 [ib_isert] [] ? idle_balance+0x6c/0x2c0 [] isert_put_datain+0x68/0x210 [ib_isert] [] lio_queue_data_in+0x2b/0x30 [iscsi_target_mod] [] target_complete_ok_work+0x21b/0x310 [target_core_mod] [] process_one_work+0x182/0x3b0 [] worker_thread+0x120/0x3c0 [] ? maybe_create_worker+0x190/0x190 [] kthread+0xce/0xf0 [] ? kthread_freezable_should_stop+0x70/0x70 [] ret_from_fork+0x7c/0xb0 [] ? kthread_freezable_should_stop+0x70/0x70 Reported-by: Slava Shwartsman Signed-off-by: Sagi Grimberg Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 80e47cd14093e0facd8896e99c28483784bed9cc Author: Sagi Grimberg Date: Tue Dec 2 16:57:31 2014 +0200 iser-target: Allocate PI contexts dynamically commit 570db170f37715b7df23c95868169f3d9affa48c upstream. This patch converts to allocate PI contexts dynamically in order avoid a potentially bogus np->tpg_np and associated NULL pointer dereference in isert_connect_request() during iser-target endpoint shutdown with multiple network portals. Also, there is really no need to allocate these at connection establishment since it is not guaranteed that all the IOs on that connection will be to a PI formatted device. We can do it in a lazy fashion so the initial burst will have a transient slow down, but very fast all IOs will allocate a PI context. Squashed: iser-target: Centralize PI context handling code Signed-off-by: Sagi Grimberg Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit a536c94faf99ea19641caa323e35dfcc97f6b01d Author: Sagi Grimberg Date: Tue Dec 2 16:57:29 2014 +0200 iser-target: Fix implicit termination of connections commit b02efbfc9a051b41e71fe8f94ddf967260e024a6 upstream. In situations such as bond failover, The new session establishment implicitly invokes the termination of the old connection. So, we don't want to wait for the old connection wait_conn to completely terminate before we accept the new connection and post a login response. The solution is to deffer the comp_wait completion and the conn_put to a work so wait_conn will effectively be non-blocking (flush errors are assumed to come very fast). We allocate isert_release_wq with WQ_UNBOUND and WQ_UNBOUND_MAX_ACTIVE to spread the concurrency of release works. Reported-by: Slava Shwartsman Signed-off-by: Sagi Grimberg Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit b8444e98840146ca8715413acbfc3e7c7a2afc1d Author: Sagi Grimberg Date: Tue Dec 2 16:57:27 2014 +0200 iser-target: Handle ADDR_CHANGE event for listener cm_id commit ca6c1d82d12d8013fb75ce015900d62b9754623c upstream. The np listener cm_id will also get ADDR_CHANGE event upcall (in case it is bound to a specific IP). Handle it correctly by creating a new cm_id and implicitly destroy the old one. Since this is the second event a listener np cm_id may encounter, we move the np cm_id event handling to a routine. Squashed: iser-target: Move cma_id setup to a function Reported-by: Slava Shwartsman Signed-off-by: Sagi Grimberg Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 0105b025addc9f2a52a5aae8dd4f2587d3634f7b Author: Sagi Grimberg Date: Tue Dec 2 16:57:26 2014 +0200 iser-target: Fix connected_handler + teardown flow race commit 19e2090fb246ca21b3e569ead51a6a7a1748eadd upstream. Take isert_conn pointer from cm_id->qp->qp_context. This will allow us to know that the cm_id context is always the network portal. This will make the cm_id event check (connection or network portal) more reliable. In order to avoid a NULL dereference in cma_id->qp->qp_context we destroy the qp after we destroy the cm_id (and make the dereference safe). session stablishment/teardown sequences can happen in parallel, we should take into account that connected_handler might race with connection teardown flow. Also, protect isert_conn->conn_device->active_qps decrement within the error patch during QP creation failure and the normal teardown path in isert_connect_release(). Squashed: iser-target: Decrement completion context active_qps in error flow Signed-off-by: Sagi Grimberg Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 2413d956cddddfbb6fba1ef682bffb4c8d588b25 Author: Sagi Grimberg Date: Tue Dec 2 16:57:21 2014 +0200 iser-target: Parallelize CM connection establishment commit 2371e5da8cfe91443339b54444dec6254fdd6dfc upstream. There is no point in accepting a new CM request only when we are completely done with the last iscsi login. Instead we accept immediately, this will also cause the CM connection to reach connected state and the initiator is allowed to send the first login. We mark that we got the initial login and let iscsi layer pick it up when it gets there. This reduces the parallel login sequence by a factor of more then 4 (and more for multi-login) and also prevents the initiator (who does all logins in parallel) from giving up on login timeout expiration. In order to support multiple login requests sequence (CHAP) we call isert_rx_login_req from isert_rx_completion insead of letting isert_get_login_rx call it. Squashed: iser-target: Use kref_get_unless_zero in connected_handler iser-target: Acquire conn_mutex when changing connection state iser-target: Reject connect request in failure path Signed-off-by: Sagi Grimberg Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 425ec461581238067efbec5ceda3005dc902563a Author: Sagi Grimberg Date: Tue Dec 2 16:57:20 2014 +0200 iser-target: Fix flush + disconnect completion handling commit 128e9cc84566a84146baea2335b3824288eed817 upstream. ISER_CONN_UP state is not sufficient to know if we should wait for completion of flush errors and disconnected_handler event. Instead, split it to 2 states: - ISER_CONN_UP: Got to CM connected phase, This state indicates that we need to wait for a CM disconnect event before going to teardown. - ISER_CONN_FULL_FEATURE: Got to full feature phase after we posted login response, This state indicates that we posted recv buffers and we need to wait for flush completions before going to teardown. Also avoid deffering disconnected handler to a work, and handle it within disconnected handler. More work here is needed to handle DEVICE_REMOVAL event correctly (cleanup all resources). Squashed: iser-target: Don't deffer disconnected handler to a work Signed-off-by: Sagi Grimberg Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 988168465f4528fe6eafce5d88f3c5b55edf9108 Author: Sagi Grimberg Date: Tue Dec 2 16:57:17 2014 +0200 iscsi,iser-target: Initiate termination only once commit 954f23722b5753305be490330cf2680b7a25f4a3 upstream. Since commit 0fc4ea701fcf ("Target/iser: Don't put isert_conn inside disconnected handler") we put the conn kref in isert_wait_conn, so we need .wait_conn to be invoked also in the error path. Introduce call to isert_conn_terminate (called under lock) which transitions the connection state to TERMINATING and calls rdma_disconnect. If the state is already teminating, just bail out back (temination started). Also, make sure to destroy the connection when getting a connect error event if didn't get to connected (state UP). Same for the handling of REJECTED and UNREACHABLE cma events. Squashed: iscsi-target: Add call to wait_conn in establishment error flow Reported-by: Slava Shwartsman Signed-off-by: Sagi Grimberg Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 2fc431d1bd9e9fd04e5cd34a39f58cf85dadd4b5 Author: Nicholas Bellinger Date: Thu Nov 20 20:50:07 2014 -0800 iscsi-target: Fail connection on short sendmsg writes commit 6bf6ca7515c1df06f5c03737537f5e0eb191e29e upstream. This patch changes iscsit_do_tx_data() to fail on short writes when kernel_sendmsg() returns a value different than requested transfer length, returning -EPIPE and thus causing a connection reset to occur. This avoids a potential bug in the original code where a short write would result in kernel_sendmsg() being called again with the original iovec base + length. In practice this has not been an issue because iscsit_do_tx_data() is only used for transferring 48 byte headers + 4 byte digests, along with seldom used control payloads from NOPIN + TEXT_RSP + REJECT with less than 32k of data. So following Al's audit of iovec consumers, go ahead and fail the connection on short writes for now, and remove the bogus logic ahead of his proper upstream fix. Reported-by: Al Viro Cc: David S. Miller Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit a27d8a2319e7abd65c41ed4fcddb7e55d4f64e42 Author: Thomas Gleixner Date: Thu Dec 11 23:01:41 2014 +0100 genirq: Prevent proc race against freeing of irq descriptors commit c291ee622165cb2c8d4e7af63fffd499354a23be upstream. Since the rework of the sparse interrupt code to actually free the unused interrupt descriptors there exists a race between the /proc interfaces to the irq subsystem and the code which frees the interrupt descriptor. CPU0 CPU1 show_interrupts() desc = irq_to_desc(X); free_desc(desc) remove_from_radix_tree(); kfree(desc); raw_spinlock_irq(&desc->lock); /proc/interrupts is the only interface which can actively corrupt kernel memory via the lock access. /proc/stat can only read from freed memory. Extremly hard to trigger, but possible. The interfaces in /proc/irq/N/ are not affected by this because the removal of the proc file is serialized in procfs against concurrent readers/writers. The removal happens before the descriptor is freed. For architectures which have CONFIG_SPARSE_IRQ=n this is a non issue as the descriptor is never freed. It's merely cleared out with the irq descriptor lock held. So any concurrent proc access will either see the old correct value or the cleared out ones. Protect the lookup and access to the irq descriptor in show_interrupts() with the sparse_irq_lock. Provide kstat_irqs_usr() which is protecting the lookup and access with sparse_irq_lock and switch /proc/stat to use it. Document the existing kstat_irqs interfaces so it's clear that the caller needs to take care about protection. The users of these interfaces are either not affected due to SPARSE_IRQ=n or already protected against removal. Fixes: 1f5a5b87f78f "genirq: Implement a sane sparse_irq allocator" Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit f7146ce05680673475291c4ec89a5f3f2f3fc93e Author: Max Gurtovoy Date: Sun Dec 7 16:09:56 2014 +0200 IB/iser: Fix possible SQ overflow commit 6ec9d4d2310e8fc54fc638e4454271d1fcaefa95 upstream. Fix a regression was introduced in commit 6df5a128f0fd ("IB/iser: Suppress scsi command send completions"). The sig_count was wrongly set to be static variable, thus it is possible that we won't reach to (sig_count % ISER_SIGNAL_BATCH) == 0 condition (due to races) and the send queue will be overflowed. Instead keep sig_count per connection. We don't need it to be atomic as we are safe under the iscsi session frwd_lock taken by libiscsi on the queuecommand path. Fixes: 6df5a128f0fd ("IB/iser: Suppress scsi command send completions") Signed-off-by: Max Gurtovoy Signed-off-by: Sagi Grimberg Signed-off-by: Or Gerlitz Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 1943a1a76b5fa2b7c402fc0e9b93389a71abdd41 Author: Hannes Reinecke Date: Wed Nov 26 14:58:57 2014 +0100 tcm_loop: Fix wrong I_T nexus association commit 506787a2c7daed45f0a213674ca706cbc83a9089 upstream. tcm_loop has the I_T nexus associated with the HBA. This causes commands to become misdirected if the HBA has more than one target portal group; any command is then being sent to the first target portal group instead of the correct one. The nexus needs to be associated with the target portal group instead. Signed-off-by: Hannes Reinecke Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 937723cf8386bb3d67b997809b8a61cbabd7acb3 Author: Kyle McMartin Date: Thu Dec 18 12:57:14 2014 -0500 uapi/linux/target_core_user.h: fix headers_install.sh badness commit 3875f15207f9ecb3f24a8e91e7ad196899139595 upstream. scripts/headers_install.sh will transform __packed to __attribute__((packed)), so the #ifndef is not necessary. (and, in fact, it's problematic, because we'll end up with the header containing: #ifndef __attribute__((packed)) #define __attribu... and so forth.) Signed-off-by: Kyle McMartin Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 97bb3ed647b3623d8b28f40adcedf5d651065463 Author: Thomas Gleixner Date: Thu Dec 18 11:51:01 2014 +0100 tick/powerclamp: Remove tick_nohz_idle abuse commit a5fd9733a30d18d7ac23f17080e7e07bb3205b69 upstream. commit 4dbd27711cd9 "tick: export nohz tick idle symbols for module use" was merged via the thermal tree without an explicit ack from the relevant maintainers. The exports are abused by the intel powerclamp driver which implements a fake idle state from a sched FIFO task. This causes all kinds of wreckage in the NOHZ core code which rightfully assumes that tick_nohz_idle_enter/exit() are only called from the idle task itself. Recent changes in the NOHZ core lead to a failure of the powerclamp driver and now people try to hack completely broken and backwards workarounds into the NOHZ core code. This is completely unacceptable and just papers over the real problem. There are way more subtle issues lurking around the corner. The real solution is to fix the powerclamp driver by rewriting it with a sane concept, but that's beyond the scope of this. So the only solution for now is to remove the calls into the core NOHZ code from the powerclamp trainwreck along with the exports. Fixes: d6d71ee4a14a "PM: Introduce Intel PowerClamp Driver" Signed-off-by: Thomas Gleixner Cc: Preeti U Murthy Cc: Viresh Kumar Cc: Frederic Weisbecker Cc: Fengguang Wu Cc: Frederic Weisbecker Cc: Pan Jacob jun Cc: LKP Cc: Peter Zijlstra Cc: Zhang Rui Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1412181110110.17382@nanos Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 45145567d6dc91f8220bf92286ba57fe75793160 Author: Dominique Leuenberger Date: Thu Nov 13 20:57:37 2014 +0100 hp_accel: Add support for HP ZBook 15 commit 6583659e0f92e38079a8dd081e0a1181a0f37747 upstream. HP ZBook 15 laptop needs a non-standard mapping (x_inverted). BugLink: http://bugzilla.opensuse.org/show_bug.cgi?id=905329 Signed-off-by: Dominique Leuenberger Signed-off-by: Takashi Iwai Signed-off-by: Darren Hart Signed-off-by: Greg Kroah-Hartman commit 37c8f276b0a61bf3fb79199165e3a8cb350b7848 Author: Hans de Goede Date: Mon Nov 24 11:26:32 2014 +0100 asus-nb-wmi: Add another wapf=4 quirk commit 841e11ccdf90c29a7778a5d5d553bc716c3d477a upstream. Wifi on this laptop does not work unless asus-nb-wmi.wapf=4 is specified on the kerne commandline, add a quirk for this. BugLink: https://bugs.launchpad.net/bugs/1173681 Signed-off-by: Hans de Goede Signed-off-by: Darren Hart Signed-off-by: Greg Kroah-Hartman commit 42e62067a895b890ce9c3510747b0f5f90732acd Author: Larry Finger Date: Tue Dec 30 21:33:07 2014 -0600 rtlwifi: Fix error when accessing unmapped memory in skb commit e9538cf4f90713eca71b1d6a74b4eae1d445c664 upstream. These drivers use 9100-byte receive buffers, thus allocating an skb requires an O(3) memory allocation. Under heavy memory loads and fragmentation, such a request can fail. Previous versions of the driver have dropped the packet and reused the old buffer; however, the new version introduced a bug in that it released the old buffer before trying to allocate a new one. The previous method is implemented here. The skb is unmapped before any attempt is made to allocate another. Signed-off-by: Larry Finger Reported-by: Eric Biggers Cc: Eric Biggers Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 7d01c211a8694f4d7f7ed3b120e8f832c72d1fd2 Author: Larry Finger Date: Wed Dec 10 14:38:29 2014 -0600 rtlwifi: rtl8192ce: Set fw_ready flag commit 9a1dce3a059111a7289680f4b8c0ec4f8736b6ee upstream. The setting of this flag was missed in previous modifications. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit fff824488bc9831fd9eadf4b748f43416d13cdeb Author: Jouni Malinen Date: Thu Dec 11 23:48:55 2014 +0200 cfg80211: Fix 160 MHz channels with 80+80 and 160 MHz drivers commit 08f6f147773b23b765b94633a8eaa82e7defcf4c upstream. The VHT supported channel width field is a two bit integer, not a bitfield. cfg80211_chandef_usable() was interpreting it incorrectly and ended up rejecting 160 MHz channel width if the driver indicated support for both 160 and 80+80 MHz channels. Fixes: 3d9d1d6656a73 ("nl80211/cfg80211: support VHT channel configuration") (however, no real drivers had 160 MHz support it until 3.16) Signed-off-by: Jouni Malinen Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit a7b2c7ffae7c8a48a2064adfea0eecfadc042b08 Author: Arik Nemtsov Date: Thu Dec 4 12:22:16 2014 +0200 cfg80211: avoid mem leak on driver hint set commit 34f05f543f02350e920bddb7660ffdd4697aaf60 upstream. In the already-set and intersect case of a driver-hint, the previous wiphy regdomain was not freed before being reset with a copy of the cfg80211 regdomain. Signed-off-by: Arik Nemtsov Acked-by: Luis R. Rodriguez Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 0a57c26d6410712a5b4ed42d961284d2204b4a7c Author: Emmanuel Grumbach Date: Tue Dec 2 09:53:25 2014 +0200 cfg80211: don't WARN about two consecutive Country IE hint commit 70dcec5a488a7b81779190ac8089475fe4b8b962 upstream. This can happen and there is no point in added more detection code lower in the stack. Catching these in one single point (cfg80211) is enough. Stop WARNING about this case. This fixes: https://bugzilla.kernel.org/show_bug.cgi?id=89001 Fixes: 2f1c6c572d7b ("cfg80211: process non country IE conflicting first") Signed-off-by: Emmanuel Grumbach Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 65a39b355999b72e9cd325de29870a39cc3c3686 Author: Luciano Coelho Date: Mon Dec 1 11:32:09 2014 +0200 nl80211: check matches array length before acessing it commit f89f46cf3a23d8d7c98f924a461fd931e1331746 upstream. If the userspace passes a malformed sched scan request (or a net detect wowlan configuration) by adding a NL80211_ATTR_SCHED_SCAN_MATCH attribute without any nested matchsets, a NULL pointer dereference will occur. Fix this by checking that we do have matchsets in our array before trying to access it. BUG: unable to handle kernel NULL pointer dereference at 0000000000000024 IP: [] nl80211_parse_sched_scan.part.67+0x6e9/0x900 [cfg80211] PGD 865c067 PUD 865b067 PMD 0 Oops: 0002 [#1] SMP Modules linked in: iwlmvm(O) iwlwifi(O) mac80211(O) cfg80211(O) compat(O) [last unloaded: compat] CPU: 2 PID: 2442 Comm: iw Tainted: G O 3.17.2 #31 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 task: ffff880013800790 ti: ffff880008d80000 task.ti: ffff880008d80000 RIP: 0010:[] [] nl80211_parse_sched_scan.part.67+0x6e9/0x900 [cfg80211] RSP: 0018:ffff880008d838d0 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 000000000000143c RSI: 0000000000000000 RDI: ffff880008ee8dd0 RBP: ffff880008d83948 R08: 0000000000000002 R09: 0000000000000019 R10: ffff88001d1b3c40 R11: 0000000000000002 R12: ffff880019e85e00 R13: 00000000fffffed4 R14: ffff880009757800 R15: 0000000000001388 FS: 00007fa3b6d13700(0000) GS:ffff88003e200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000024 CR3: 0000000008670000 CR4: 00000000000006e0 Stack: ffff880009757800 ffff880000000001 0000000000000000 ffff880008ee84e0 0000000000000000 ffff880009757800 00000000fffffed4 ffff880008d83948 ffffffff814689c9 ffff880009757800 ffff880008ee8000 0000000000000000 Call Trace: [] ? nla_parse+0xb9/0x120 [] nl80211_set_wowlan+0x75e/0x960 [cfg80211] [] ? mark_held_locks+0x75/0xa0 [] genl_family_rcv_msg+0x18b/0x360 [] ? trace_hardirqs_on+0xd/0x10 [] genl_rcv_msg+0x84/0xc0 [] ? genl_family_rcv_msg+0x360/0x360 [] netlink_rcv_skb+0xa9/0xd0 [] genl_rcv+0x28/0x40 [] netlink_unicast+0x105/0x180 [] netlink_sendmsg+0x34f/0x7a0 [] ? kvm_clock_read+0x27/0x40 [] sock_sendmsg+0x8d/0xc0 [] ? might_fault+0xb9/0xc0 [] ? might_fault+0x5e/0xc0 [] ? verify_iovec+0x56/0xe0 [] ___sys_sendmsg+0x3d0/0x3e0 [] ? sched_clock_cpu+0x98/0xd0 [] ? __do_page_fault+0x254/0x580 [] ? up_read+0x1f/0x40 [] ? __do_page_fault+0x254/0x580 [] ? __fget_light+0x13d/0x160 [] __sys_sendmsg+0x42/0x80 [] SyS_sendmsg+0x12/0x20 [] system_call_fastpath+0x16/0x1b Fixes: ea73cbce4e1f ("nl80211: fix scheduled scan RSSI matchset attribute confusion") Signed-off-by: Luciano Coelho Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 7d277a0b5c6c47a0dda255ae5fa4555fb5494c48 Author: Hans de Goede Date: Fri Dec 5 11:11:28 2014 +0100 xhci: Add broken-streams quirk for Fresco Logic FL1000G xhci controllers commit 7f5c4d631aed243ca89c6673427954210b1628ec upstream. Streams do not work reliabe on Fresco Logic FL1000G xhci controllers, trying to use them results in errors like this: 21:37:33 kernel: xhci_hcd 0000:04:00.0: ERROR Transfer event for disabled endpoint or incorrect stream ring 21:37:33 kernel: xhci_hcd 0000:04:00.0: @00000000368b3570 9067b000 00000000 05000000 01078001 21:37:33 kernel: xhci_hcd 0000:04:00.0: ERROR Transfer event for disabled endpoint or incorrect stream ring 21:37:33 kernel: xhci_hcd 0000:04:00.0: @00000000368b3580 9067b400 00000000 05000000 01038001 As always I've ordered a pci-e addon card with a Fresco Logic controller for myself to see if I can come up with a better fix then the big hammer, in the mean time this will make uas devices work again (in usb-storage mode) for FL1000G users. Reported-by: Marcin Zajączkowski Signed-off-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman commit cb7ac02a7453fb64b555e26660eecac8977c04a1 Author: Mathias Nyman Date: Fri Jan 9 17:18:28 2015 +0200 xhci: Check if slot is already in default state before moving it there commit f161ead70fa6a62e432dff6e9dab8e3cfbeabea6 upstream. Solves xhci error cases with debug messages: xhci_hcd 0000:00:14.0: Setup ERROR: setup context command for slot 1. usb 1-6: hub failed to enable device, error -22 xhci will give a context state error if we try to set a slot in default state to the same default state with a special address device command. Turns out this happends in several cases: - retry reading the device rescriptor in hub_port_init() - usb_reset_device() is called for a slot in default state - in resume path, usb_port_resume() calls hub_port_init() The default state is usually reached from most states with a reset device command without any context state errors, but using the address device command with BSA bit set (block set address) only works from the enabled state and will otherwise cause context error. solve this by checking if we are already in the default state before issuing a address device BSA=1 command. Fixes: 48fc7dbd52c0 ("usb: xhci: change enumeration scheme to 'new scheme'") Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 00ba02150d664472961b83b016fe03825a2176e9 Author: Ian Munsie Date: Mon Dec 8 19:18:01 2014 +1100 cxl: Unmap MMIO regions when detaching a context commit b123429e6a9e8d03aacf888d23262835f0081448 upstream. If we need to force detach a context (e.g. due to EEH or simply force unbinding the driver) we should prevent the userspace contexts from being able to access the Problem State Area MMIO region further, which they may have mapped with mmap(). This patch unmaps any mapped MMIO regions when detaching a userspace context. Signed-off-by: Ian Munsie Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 3db65dba3a87e17e1cb341b585f9e854afd87e1b Author: Ian Munsie Date: Mon Dec 8 19:17:56 2014 +1100 cxl: Add timeout to process element commands commit a98e6e9f4e0224d85b4d951edc44af16dfe6094a upstream. In the event that something goes wrong in the hardware and it is unable to complete a process element comment we would end up polling forever, effectively making the associated process unkillable. This patch adds a timeout to the process element command code path, so that we will give up if the hardware does not respond in a reasonable time. Signed-off-by: Ian Munsie Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit d4a26d119b968328e0b039a00520e08cd862962a Author: Ian Munsie Date: Mon Dec 8 19:17:55 2014 +1100 cxl: Change contexts_lock to a mutex to fix sleep while atomic bug commit ee41d11d53c8fc4968f0816504651541d606cf40 upstream. We had a known sleep while atomic bug if a CXL device was forcefully unbound while it was in use. This could occur as a result of EEH, or manually induced with something like this while the device was in use: echo 0000:01:00.0 > /sys/bus/pci/drivers/cxl-pci/unbind The issue was that in this code path we iterated over each context and forcefully detached it with the contexts_lock spin lock held, however the detach also needed to take the spu_mutex, and call schedule. This patch changes the contexts_lock to a mutex so that we are not in atomic context while doing the detach, thereby avoiding the sleep while atomic. Also delete the related TODO comment, which suggested an alternate solution which turned out to not be workable. Signed-off-by: Ian Munsie Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 70819eaa82553959d226749ff06db808fe2ef2cc Author: Vineet Gupta Date: Wed Oct 1 14:28:36 2014 +0530 ARC: [nsimosci] move peripherals to match model to FPGA commit e8ef060b37c2d3cc5fd0c0edbe4e42ec1cb9768b upstream. This allows the sdplite/Zebu images to run on OSCI simulation platform Signed-off-by: Vineet Gupta Signed-off-by: Greg Kroah-Hartman commit a754520397aab6e8ef0b615218535ff9a5e69ff6 Author: Rob Clark Date: Sat Nov 8 10:16:19 2014 -0500 drm/irq: BUG_ON() -> WARN_ON() commit 7f907bf284ba7bb8d271f094b226699d3fef2142 upstream. Let's make things a bit easier to debug when things go bad (potentially under console_lock). Signed-off-by: Rob Clark Reviewed-by: Michel Dänzer Signed-off-by: Dave Airlie Cc: Anand Moon Signed-off-by: Greg Kroah-Hartman commit 00a80b754943257bd9a7d37957741978bb48a465 Author: Ville Syrjälä Date: Wed Dec 17 23:08:03 2014 +0200 drm/i915: Don't call intel_prepare_page_flip() multiple times on gen2-4 commit 7d47559ee84b3ac206aa9e675606fafcd7c0b500 upstream. The flip stall detector kicks in when pending>=INTEL_FLIP_COMPLETE. That means if we first call intel_prepare_page_flip() but don't call intel_finish_page_flip(), the next stall check will erroneosly think the page flip was somehow stuck. With enough debug spew emitted from the interrupt handler my 830 hangs when this happens. My theory is that the previous vblank interrupt gets sufficiently delayed that the handler will see the pending bit set in IIR, but ISR still has the bit set as well (ie. the flip was processed by CS but didn't complete yet). In this case the handler will proceed to call intel_check_page_flip() immediately after intel_prepare_page_flip(). It then tries to print a backtrace for the stuck flip WARN, which apparetly results in way too much debug spew delaying interrupt processing further. That then seems to cause an endless loop in the interrupt handler, and the machine is dead until the watchdog kicks in and reboots. At least limiting the number of iterations of the loop in the interrupt handler also prevented the hang. So it seems better to not call intel_prepare_page_flip() without immediately calling intel_finish_page_flip(). The IIR/ISR trickery avoids races here so this is a perfectly safe thing to do. v2: Fix typo in commit message (checkpatch) Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88381 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=85888 Reviewed-by: Chris Wilson Signed-off-by: Ville Syrjälä Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit bb0edc80da0d70107a92a139be83dea6e4f3d292 Author: Chris Wilson Date: Tue Dec 16 10:02:27 2014 +0000 drm/i915: Disable PSMI sleep messages on all rings around context switches commit 2c550183476dfa25641309ae9a28d30feed14379 upstream. There exists a current workaround to prevent a hang on context switch should the ring go to sleep in the middle of the restore, WaProgramMiArbOnOffAroundMiSetContext (applicable to all gen7+). In spite of disabling arbitration (which prevents the ring from powering down during the critical section) we were still hitting hangs that had the hallmarks of the known erratum. That is we are still seeing hangs "on the last instruction in the context restore". By comparing -nightly (broken) with requests (working), we were able to deduce that it was the semaphore LRI cross-talk that reproduced the original failure. The key was that requests implemented deferred semaphore signalling, and disabling that, i.e. emitting the semaphore signal to every other ring after every batch restored the frequent hang. Explicitly disabling PSMI sleep on the RCS ring was insufficient, all the rings had to be awake to prevent the hangs. Fortunately, we can reduce the wakelock to the MI_SET_CONTEXT operation itself, and so should be able to limit the extra power implications. Since the MI_ARB_ON_OFF workaround is listed for all gen7 and above products, we should apply this extra hammer for all of the same platforms despite so far that we have only been able to reproduce the hang on certain ivb and hsw models. The last question is whether we want to always use the extra hammer or only when we know semaphores are in operation. At the moment, we only use LRI on non-RCS rings for semaphores, but that may change in the future with the possibility of reintroducing this bug under subtle conditions. v2: Make it explicit that the PSMI LRI are an extension to the original workaround for the other rings. v3: Bikeshedding variable names and whitespacing Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=80660 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=83677 Cc: Simon Farnsworth Cc: Daniel Vetter Cc: Ville Syrjälä Signed-off-by: Chris Wilson Tested-by: Peter Frühberger Reviewed-by: Daniel Vetter Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 3ea5944abe894ed80e7f79faa6e8c3479c68d08f Author: Chris Wilson Date: Tue Dec 16 08:44:32 2014 +0000 drm/i915: Force the CS stall for invalidate flushes commit add284a3a2481e759d6bec35f6444c32c8ddc383 upstream. In order to act as a full command barrier by itself, we need to tell the pipecontrol to actually stall the command streamer while the flush runs. We require the full command barrier before operations like MI_SET_CONTEXT, which currently rely on a prior invalidate flush. References: https://bugs.freedesktop.org/show_bug.cgi?id=83677 Cc: Simon Farnsworth Cc: Daniel Vetter Cc: Ville Syrjälä Signed-off-by: Chris Wilson Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 1c61a7113181719e21ef70ed61ba5f18b291d5f0 Author: Chris Wilson Date: Tue Dec 16 08:44:31 2014 +0000 drm/i915: Invalidate media caches on gen7 commit 148b83d0815a3778c8949e6a97cb798cbaa0efb3 upstream. In the gen7 pipe control there is an extra bit to flush the media caches, so let's set it during cache invalidation flushes. v2: Rename to MEDIA_STATE_CLEAR to be more inline with spec. Cc: Simon Farnsworth Cc: Ville Syrjälä Cc: Daniel Vetter Signed-off-by: Chris Wilson Reviewed-by: Daniel Vetter Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 715f7c8214c7822833af757109022006c3f01d6a Author: Ilia Mirkin Date: Tue Dec 16 13:55:38 2014 -0500 drm/nv4c/mc: disable msi commit 4761703bd04bbdf56396d264903cc5a1fdcb3c01 upstream. Several users have, over time, reported issues with MSI on these IGPs. They're old, rarely available, and MSI doesn't provide such huge advantages on them. Just disable. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=87361 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=74492 Fixes: fa8c9ac72fe ("drm/nv4c/mc: nv4x igp's have a different msi rearm register") Signed-off-by: Ilia Mirkin Signed-off-by: Ben Skeggs Signed-off-by: Greg Kroah-Hartman commit 6ba4636adcdd2b98d445a9cd9b08d936403a58e0 Author: Jesse Barnes Date: Wed Dec 10 12:16:05 2014 -0800 drm/i915: save/restore GMBUS freq across suspend/resume on gen4 commit 9f49c37635d5c2a801f7670d5fbf0b25ec461f2c upstream. Should probably just init this in the GMbus code all the time, based on the cdclk and HPLL like we do on newer platforms. Ville has code for that in a rework branch, but until then we can fix this bug fairly easily. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=76301 Signed-off-by: Jesse Barnes Reviewed-by: Ville Syrjälä Tested-by: Nikolay Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit ddf6f9a4c9fb1c72ea2e8d196c9a580a8e914dbd Author: Dave Airlie Date: Mon Dec 8 13:23:37 2014 +1000 drm/i915: resume MST after reading back hw state commit e7d6f7d708290da1b7c92f533444b042c79412e0 upstream. Otherwise the MST resume paths can hit DPMS paths which hit state checker paths, which hit WARN_ON, because the state checker is inconsistent with the hw. This fixes a bunch of WARN_ON's on resume after undocking. Signed-off-by: Dave Airlie Reviewed-by: Daniel Vetter Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit a5872ca0a6f5e889d628b2946e550c7d0e892430 Author: Chris Wilson Date: Mon Nov 24 08:03:12 2014 +0000 drm/i915: Only warn the first time we attempt to mmio whilst suspended commit 2b387059817fd100cddc5a97118d63e3f3fade74 upstream. In all likelihood we will do a few hundred errnoneous register operations if we do a single invalid register access whilst the device is suspended. As each instance causes a WARN, this floods the system logs and can make the system unresponsive. The warning was first introduced in commit b2ec142cb0101f298f8e091c7d75b1ec5b809b65 Author: Paulo Zanoni Date: Fri Feb 21 13:52:25 2014 -0300 drm/i915: call assert_device_not_suspended at gen6_force_wake_work and despite the claims the WARN is still encountered in the wild today. Signed-off-by: Chris Wilson Cc: Paulo Zanoni Cc: Imre Deak Signed-off-by: Daniel Vetter Signed-off-by: Greg Kroah-Hartman commit 06b7ae708b7c6a2bb6cbe7af7d617f701a458e32 Author: Daniel Vetter Date: Mon Nov 24 11:12:42 2014 +0100 drm/i915: Disallow pin ioctl completely for kms drivers commit d472fcc8379c062bd56a3876fc6ef22258f14a91 upstream. The problem here is that SNA pins batchbuffers to etch out a bit more performance. Iirc it started out as a w/a for i830M (which we've implemented in the kernel since a long time already). The problem is that the pin ioctl wasn't added in commit d23db88c3ab233daed18709e3a24d6c95344117f Author: Chris Wilson Date: Fri May 23 08:48:08 2014 +0200 drm/i915: Prevent negative relocation deltas from wrapping Fix this by simply disallowing pinning from userspace so that the kernel is in full control of batch placement again. Especially since distros are moving towards running X as non-root, so most users won't even be able to see any benefits. UMS support is dead now, but we need this minimal patch for backporting. Follow-up patch will remove the pin ioctl code completely. Note to backporters: You must have both commit b45305fce5bb1abec263fcff9d81ebecd6306ede Author: Daniel Vetter Date: Mon Dec 17 16:21:27 2012 +0100 drm/i915: Implement workaround for broken CS tlb on i830/845 which laned in 3.8 and commit c4d69da167fa967749aeb70bc0e94a457e5d00c1 Author: Chris Wilson Date: Mon Sep 8 14:25:41 2014 +0100 drm/i915: Evict CS TLBs between batches which is also marked cc: stable. Otherwise this could introduce a regression by disabling the userspace w/a without the kernel w/a being fully functional on i830/45. References: https://bugs.freedesktop.org/show_bug.cgi?id=76554#c116 Cc: Chris Wilson Signed-off-by: Daniel Vetter Signed-off-by: Greg Kroah-Hartman commit 09764573535fea7cb5b4203def63c4eed3bb0011 Author: Daniel Vetter Date: Fri Apr 11 15:55:17 2014 +0200 drm/i915: Don't complain about stolen conflicts on gen3 commit 0b6d24c01932db99fc95304235e751e7f7625c41 upstream. Apparently stuff works that way on those machines. I agree with Chris' concern that this is a bit risky but imo worth a shot in -next just for fun. Afaics all these machines have the pci resources allocated like that by the BIOS, so I suspect that it's all ok. This regression goes back to commit eaba1b8f3379b5d100bd146b9a41d28348bdfd09 Author: Chris Wilson Date: Thu Jul 4 12:28:35 2013 +0100 drm/i915: Verify that our stolen memory doesn't conflict Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=76983 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=71031 Tested-by: lu hua Signed-off-by: Daniel Vetter Reviewed-by: Jesse Barnes Tested-by: Paul Menzel Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit e8e547f61c30368146e60791b0ce62bee49f1d69 Author: Alex Deucher Date: Wed Dec 10 09:42:10 2014 -0500 drm/radeon: properly filter DP1.2 4k modes on non-DP1.2 hw commit 410cce2a6b82299b46ff316c6384e789ce275ecb upstream. The check was already in place in the dp mode_valid check, but radeon_dp_get_dp_link_clock() never returned the high clock mode_valid was checking for because that function clipped the clock based on the hw capabilities. Add an explicit check in the mode_valid function. bug: https://bugs.freedesktop.org/show_bug.cgi?id=87172 Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 2710eb292c06d159a73febe6336bdd7eba94ab07 Author: Alex Deucher Date: Mon Dec 15 17:24:19 2014 -0500 drm/radeon: adjust default bapm settings for KV commit 02ae7af53a451a1b0a51022c4693f5b339133e79 upstream. Enabling bapm seems to cause clocking problems on some KV configurations. Disable it by default for now. Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit ca01c8f06aef98ba2a94df3dcc0c03eb8100f6c3 Author: Alex Deucher Date: Tue Dec 9 10:04:01 2014 -0500 drm/radeon: fix sad_count check for dce3 commit 5665c3ebe5ee8a2c516925461f7214ba59c2e6d7 upstream. Make it consistent with the sad code for other asics to deal with monitors that don't report sads. bug: https://bugzilla.kernel.org/show_bug.cgi?id=89461 Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 310a18b4d556f40b01410fd6e684b70cf516a401 Author: Alex Deucher Date: Fri Dec 5 13:46:07 2014 -0500 drm/radeon: KV has three PPLLs (v2) commit fbedf1c3fc3a1e9f249c2efe2f4553d8df9d86d3 upstream. Enable all three in the driver. Early documentation indicated the 3rd one was used for something else, but that is not the case. v2: handle disable as well Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 65c48e05c6009fe2550a013785f4b3ff679f8005 Author: Alex Deucher Date: Wed Dec 3 00:03:49 2014 -0500 drm/radeon: check the right ring in radeon_evict_flags() commit 5e5c21cac1001089007260c48b0c89ebaace0e71 upstream. Check the that ring we are using for copies is functional rather than the GFX ring. On newer asics we use the DMA ring for bo moves. Reviewed-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit b29b3ee327761239f7b9c7f2f0b1284a0c0387d0 Author: Alex Deucher Date: Mon Nov 17 15:08:17 2014 -0500 drm/radeon: work around a hw bug in MGCG on CIK commit 4bb62c95a7e781a238b2ab374f34b1bf91e01ddc upstream. Always need to set bit 0 of RLC_CGTT_MGCG_OVERRIDE to avoid unreliable doorbell updates in some cases. Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 0d0521465b1f6034c3381d002cd69b64959bf823 Author: Alex Deucher Date: Fri Nov 7 11:05:04 2014 -0500 drm/radeon: fix typo in CI dpm disable commit 129acb7c0b682512e89c4f65c33593d50f2f49a9 upstream. Need to disable DS, not enable it when disabling dpm. Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit c3c16208d8fba6fee7805c3145d1ea888eea5e01 Author: Daniel Vetter Date: Mon Dec 8 22:55:22 2014 +0100 drm/dp-mst: Remove branches before dropping the reference commit 0391359ddf79b52bb7e7bb9ace08e34fb08b0e76 upstream. When we unplug a dp mst branch we unreference the entire tree from the root towards the leaves. Which is ok, since that's the way the pointers and so also the refcounts go. But when we drop the reference we must make sure that we remove the branches/ports from the lists/pointers before dropping the reference. Otherwise the get_validated functions will still return it instead of returning NULL (which indicates a potentially on-going unplug). The mst branch destroy gets this right for ports: First it deletes the port from the ports list, then it unrefs. But the ports destroy function gets it wrong: First it unrefs, then it drops the ref. Which means a zombie mst branch can still be validate with get_validated_mstb_ref when it shouldn't. Fix this. This should address a backtrace Dave dug out somewhere on unplug: [] drm_dp_mst_get_validated_mstb_ref_locked+0x92/0xa0 [drm_kms_helper] [] drm_dp_mst_get_validated_mstb_ref_locked+0x41/0xa0 [drm_kms_helper] [] drm_dp_get_validated_mstb_ref+0x3a/0x60 [drm_kms_helper] [] drm_dp_payload_send_msg.isra.14+0x2b/0x100 [drm_kms_helper] [] drm_dp_update_payload_part1+0x177/0x360 [drm_kms_helper] [] intel_mst_disable_dp+0x3e/0x80 [i915] [] haswell_crtc_disable+0x1cb/0x340 [i915] [] intel_crtc_control+0x49/0x100 [i915] [] intel_crtc_update_dpms+0x67/0x80 [i915] [] intel_connector_dpms+0x59/0x70 [i915] [] intel_dp_destroy_mst_connector+0x32/0xc0 [i915] [] drm_dp_destroy_port+0x6b/0xa0 [drm_kms_helper] [] drm_dp_destroy_mst_branch_device+0x108/0x130 [drm_kms_helper] [] drm_dp_port_teardown_pdt+0x3d/0x50 [drm_kms_helper] [] drm_dp_mst_handle_up_req+0x499/0x540 [drm_kms_helper] [] ? trace_hardirqs_on_caller+0x15d/0x200 [] drm_dp_mst_hpd_irq+0x53/0xa00 [drm_kms_helper] [] ? drm_dp_dpcd_read+0x1b/0x20 [drm_kms_helper] [] ? intel_dp_dpcd_read_wake+0x38/0x70 [i915] [] intel_dp_check_mst_status+0xb5/0x250 [i915] [] intel_dp_hpd_pulse+0x181/0x210 [i915] [] i915_digport_work_func+0x96/0x120 [i915] Signed-off-by: Daniel Vetter Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 1cc635aa16036cf61e082cb57469bb6f82af2ea8 Author: Dave Airlie Date: Wed Nov 26 13:13:09 2014 +1000 drm/dp: retry AUX transactions 32 times (v1.1) commit 19a93f042fc241ecdf98543cedfe7c171f8cdf53 upstream. At least on two MST devices I've tested with, when they are link training downstream, they are totally unable to handle aux ch msgs, so they defer like nuts. I tried 16, it wasn't enough, 32 seems better. This fixes one Dell 4k monitor and one of the MST hubs. v1.1: fixup comment (Tom). Acked-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit f5f6dd6dadf75e957b66446b49fc643daa708d72 Author: Dave Airlie Date: Wed Nov 26 13:15:24 2014 +1000 drm/fb_helper: move deferred fb checking into restore mode (v2) commit e2809c7db818df6bbd0edf843e1beb2fbc9d8541 upstream. On MST systems the monitors don't appear when we set the fb up, but plymouth opens the drm device and holds it open while they come up, when plymouth finishes and lastclose gets called we don't do the delayed fb probe, so the monitor never appears on the console. Fix this by moving the delayed checking into the mode restore. v2: Daniel suggested that ->delayed_hotplug is set under the mode_config mutex, so we should check it under that as well, while we are in the area. Reviewed-by: Daniel Vetter Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 330841392a97523a299f0ff93323e2940aa784f8 Author: Tetsuo Handa Date: Thu Nov 13 22:43:23 2014 +0900 drm/ttm: Avoid memory allocation from shrinker functions. commit 881fdaa5e4cb0d68e52acab0ad4e1820e2bfffa4 upstream. Andrew Morton wrote: > On Wed, 12 Nov 2014 13:08:55 +0900 Tetsuo Handa wrote: > > > Andrew Morton wrote: > > > Poor ttm guys - this is a bit of a trap we set for them. > > > > Commit a91576d7916f6cce ("drm/ttm: Pass GFP flags in order to avoid deadlock.") > > changed to use sc->gfp_mask rather than GFP_KERNEL. > > > > - pages_to_free = kmalloc(npages_to_free * sizeof(struct page *), > > - GFP_KERNEL); > > + pages_to_free = kmalloc(npages_to_free * sizeof(struct page *), gfp); > > > > But this bug is caused by sc->gfp_mask containing some flags which are not > > in GFP_KERNEL, right? Then, I think > > > > - pages_to_free = kmalloc(npages_to_free * sizeof(struct page *), gfp); > > + pages_to_free = kmalloc(npages_to_free * sizeof(struct page *), gfp & GFP_KERNEL); > > > > would hide this bug. > > > > But I think we should use GFP_ATOMIC (or drop __GFP_WAIT flag) > > Well no - ttm_page_pool_free() should stop calling kmalloc altogether. > Just do > > struct page *pages_to_free[16]; > > and rework the code to free 16 pages at a time. Easy. Well, ttm code wants to process 512 pages at a time for performance. Memory footprint increased by 512 * sizeof(struct page *) buffer is only 4096 bytes. What about using static buffer like below? ---------- >From d3cb5393c9c8099d6b37e769f78c31af1541fe8c Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Thu, 13 Nov 2014 22:21:54 +0900 Subject: drm/ttm: Avoid memory allocation from shrinker functions. Commit a91576d7916f6cce ("drm/ttm: Pass GFP flags in order to avoid deadlock.") caused BUG_ON() due to sc->gfp_mask containing flags which are not in GFP_KERNEL. https://bugzilla.kernel.org/show_bug.cgi?id=87891 Changing from sc->gfp_mask to (sc->gfp_mask & GFP_KERNEL) would avoid the BUG_ON(), but avoiding memory allocation from shrinker function is better and reliable fix. Shrinker function is already serialized by global lock, and clean up function is called after shrinker function is unregistered. Thus, we can use static buffer when called from shrinker function and clean up function. Signed-off-by: Tetsuo Handa Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit a869935d81eecebd12ed8390e3e18fbfb79fd255 Author: Thomas Hellstrom Date: Tue Dec 2 03:36:57 2014 -0800 drm/vmwgfx: Fix fence event code commit 89669e7a7f96be3ee8d9a22a071d7c0d3b4428fc upstream. The commit "vmwgfx: Rework fence event action" introduced a number of bugs that are fixed with this commit: a) A forgotten return stateemnt. b) An if statement with identical branches. Reported-by: Rob Clark Signed-off-by: Thomas Hellstrom Reviewed-by: Jakob Bornecrantz Reviewed-by: Sinclair Yeh Signed-off-by: Greg Kroah-Hartman commit ad2b9bb40a7115f1b54a564ed16413e1543a5ce9 Author: Thomas Hellstrom Date: Tue Nov 25 08:20:05 2014 +0100 drm/vmwgfx: Fix error printout on signals pending commit e338c4c2b620ba4e75fd3576f8142eb93be12ce3 upstream. The function vmw_master_check() might return -ERESTARTSYS if there is a signal pending, indicating that the IOCTL should be rerun, potentially from user-space. At that point we shouldn't print out an error message since that is not an error condition. In short, avoid bloating the kernel log when a process refuses to die on SIGTERM. Signed-off-by: Thomas Hellstrom Reviewed-by: Jakob Bornecrantz Signed-off-by: Greg Kroah-Hartman commit 28c54a2613a2945c3d136e290f4ab01d59dbfe30 Author: Thomas Hellstrom Date: Tue Dec 2 03:32:24 2014 -0800 drm/vmwgfx: Don't use memory accounting for kernel-side fence objects commit 1f563a6a46544602183e7493b6ef69769d3d76d9 upstream. Kernel side fence objects are used when unbinding resources and may thus be created as part of a memory reclaim operation. This might trigger recursive memory reclaims and result in the kernel running out of stack space. So a simple way out is to avoid accounting of these fence objects. In principle this is OK since while user-space can trigger the creation of such objects, it can't really hold on to them. However, their lifetime is quite long, so some form of accounting should perhaps be implemented in the future. Fixes kernel crashes when running, for example viewperf11 ensight-04 test 3 with low system memory settings. Signed-off-by: Thomas Hellstrom Reviewed-by: Jakob Bornecrantz Reviewed-by: Sinclair Yeh Signed-off-by: Greg Kroah-Hartman commit 4c056b89e5259cc0a62dcc10f45dff87de9abfd7 Author: Govindarajulu Varadarajan <_govind@gmx.com> Date: Thu Dec 18 15:58:42 2014 +0530 enic: fix rx skb checksum [ Upstream commit 17e96834fd35997ca7cdfbf15413bcd5a36ad448 ] Hardware always provides compliment of IP pseudo checksum. Stack expects whole packet checksum without pseudo checksum if CHECKSUM_COMPLETE is set. This causes checksum error in nf & ovs. kernel: qg-19546f09-f2: hw csum failure kernel: CPU: 9 PID: 0 Comm: swapper/9 Tainted: GF O-------------- 3.10.0-123.8.1.el7.x86_64 #1 kernel: Hardware name: Cisco Systems Inc UCSB-B200-M3/UCSB-B200-M3, BIOS B200M3.2.2.3.0.080820141339 08/08/2014 kernel: ffff881218f40000 df68243feb35e3a8 ffff881237a43ab8 ffffffff815e237b kernel: ffff881237a43ad0 ffffffff814cd4ca ffff8829ec71eb00 ffff881237a43af0 kernel: ffffffff814c6232 0000000000000286 ffff8829ec71eb00 ffff881237a43b00 kernel: Call Trace: kernel: [] dump_stack+0x19/0x1b kernel: [] netdev_rx_csum_fault+0x3a/0x40 kernel: [] __skb_checksum_complete_head+0x62/0x70 kernel: [] __skb_checksum_complete+0x11/0x20 kernel: [] nf_ip_checksum+0xcc/0x100 kernel: [] icmp_error+0x1f7/0x35c [nf_conntrack_ipv4] kernel: [] ? netif_rx+0xb9/0x1d0 kernel: [] ? internal_dev_recv+0xdb/0x130 [openvswitch] kernel: [] nf_conntrack_in+0xf0/0xa80 [nf_conntrack] kernel: [] ? inet_del_offload+0x40/0x40 kernel: [] ipv4_conntrack_in+0x22/0x30 [nf_conntrack_ipv4] kernel: [] nf_iterate+0xaa/0xc0 kernel: [] ? inet_del_offload+0x40/0x40 kernel: [] nf_hook_slow+0x84/0x140 kernel: [] ? inet_del_offload+0x40/0x40 kernel: [] ip_rcv+0x344/0x380 Hardware verifies IP & tcp/udp header checksum but does not provide payload checksum, use CHECKSUM_UNNECESSARY. Set it only if its valid IP tcp/udp packet. Cc: Jiri Benc Cc: Stefan Assmann Reported-by: Sunil Choudhary Signed-off-by: Govindarajulu Varadarajan <_govind@gmx.com> Reviewed-by: Jiri Benc Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 58f2f9c8bda3cf63ad7c5b6adb055fb7ee5c666d Author: Jiri Pirko Date: Wed Jan 14 18:15:30 2015 +0100 team: avoid possible underflow of count_pending value for notify_peers and mcast_rejoin [ Upstream commit b0d11b42785b70e19bc6a3122eead3f7969a7589 ] This patch is fixing a race condition that may cause setting count_pending to -1, which results in unwanted big bulk of arp messages (in case of "notify peers"). Consider following scenario: count_pending == 2 CPU0 CPU1 team_notify_peers_work atomic_dec_and_test (dec count_pending to 1) schedule_delayed_work team_notify_peers atomic_add (adding 1 to count_pending) team_notify_peers_work atomic_dec_and_test (dec count_pending to 1) schedule_delayed_work team_notify_peers_work atomic_dec_and_test (dec count_pending to 0) schedule_delayed_work team_notify_peers_work atomic_dec_and_test (dec count_pending to -1) Fix this race by using atomic_dec_if_positive - that will prevent count_pending running under 0. Fixes: fc423ff00df3a1955441 ("team: add peer notification") Fixes: 492b200efdd20b8fcfd ("team: add support for sending multicast rejoins") Signed-off-by: Jiri Pirko Signed-off-by: Jiri Benc Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ff9df482e8dc6252570d3d2ea7ba9597e0c843f4 Author: Eric Dumazet Date: Sun Jan 11 10:32:18 2015 -0800 alx: fix alx_poll() [ Upstream commit 7a05dc64e2e4c611d89007b125b20c0d2a4d31a5 ] Commit d75b1ade567f ("net: less interrupt masking in NAPI") uncovered wrong alx_poll() behavior. A NAPI poll() handler is supposed to return exactly the budget when/if napi_complete() has not been called. It is also supposed to return number of frames that were received, so that netdev_budget can have a meaning. Also, in case of TX pressure, we still have to dequeue received packets : alx_clean_rx_irq() has to be called even if alx_clean_tx_irq(alx) returns false, otherwise device is half duplex. Signed-off-by: Eric Dumazet Fixes: d75b1ade567f ("net: less interrupt masking in NAPI") Reported-by: Oded Gabbay Bisected-by: Oded Gabbay Tested-by: Oded Gabbay Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2aab9536573d5cadca61e35c94c44f010ca6ede1 Author: Palik, Imre Date: Tue Jan 6 16:44:44 2015 +0100 xen-netback: fixing the propagation of the transmit shaper timeout [ Upstream commit 07ff890daeda31cf23173865edf50bcb03e100c3 ] Since e9ce7cb6b107 ("xen-netback: Factor queue-specific data into queue struct"), the transimt shaper timeout is always set to 0. The value the user sets via xenbus is never propagated to the transmit shaper. This patch fixes the issue. Cc: Anthony Liguori Signed-off-by: Imre Palik Acked-by: Ian Campbell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 04e5427dbe91e600cf5c03e7e97095ce3865af92 Author: Herbert Xu Date: Thu Jan 1 00:39:23 2015 +1100 tcp: Do not apply TSO segment limit to non-TSO packets [ Upstream commit 843925f33fcc293d80acf2c5c8a78adf3344d49b ] Thomas Jarosch reported IPsec TCP stalls when a PMTU event occurs. In fact the problem was completely unrelated to IPsec. The bug is also reproducible if you just disable TSO/GSO. The problem is that when the MSS goes down, existing queued packet on the TX queue that have not been transmitted yet all look like TSO packets and get treated as such. This then triggers a bug where tcp_mss_split_point tells us to generate a zero-sized packet on the TX queue. Once that happens we're screwed because the zero-sized packet can never be removed by ACKs. Fixes: 1485348d242 ("tcp: Apply device TSO segment limit earlier") Reported-by: Thomas Jarosch Signed-off-by: Herbert Xu Cheers, Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f3721ea3af92789549d8943d4705b2538a69f038 Author: Maor Gottlieb Date: Tue Dec 30 11:59:49 2014 +0200 net/mlx4_core: Correcly update the mtt's offset in the MR re-reg flow [ Upstream commit a51e0df4c1e06afd7aba84496c14238e6b363caa ] Previously, mlx4_mt_rereg_write filled the MPT's entity_size with the old MTT's page shift, which could result in using an incorrect offset. Fix the initialization to be after we calculate the new MTT offset. In addition, assign mtt order to -1 after calling mlx4_mtt_cleanup. This is necessary in order to mark the MTT as invalid and avoid freeing it later. Fixes: e630664 ('mlx4_core: Add helper functions to support MR re-registration') Signed-off-by: Maor Gottlieb Signed-off-by: Matan Barak Signed-off-by: Or Gerlitz Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 12d5e0bb53dab45bcebeb7fc0dafc88d2b618468 Author: Jesse Gross Date: Tue Dec 23 22:37:26 2014 -0800 net: Generalize ndo_gso_check to ndo_features_check [ Upstream commit 5f35227ea34bb616c436d9da47fc325866c428f3 ] GSO isn't the only offload feature with restrictions that potentially can't be expressed with the current features mechanism. Checksum is another although it's a general issue that could in theory apply to anything. Even if it may be possible to implement these restrictions in other ways, it can result in duplicate code or inefficient per-packet behavior. This generalizes ndo_gso_check so that drivers can remove any features that don't make sense for a given packet, similar to netif_skb_features(). It also converts existing driver restrictions to the new format, completing the work that was done to support tunnel protocols since the issues apply to checksums as well. By actually removing features from the set that are used to do offloading, it solves another problem with the existing interface. In these cases, GSO would run with the original set of features and not do anything because it appears that segmentation is not required. CC: Tom Herbert CC: Joe Stringer CC: Eric Dumazet CC: Hayes Wang Signed-off-by: Jesse Gross Acked-by: Tom Herbert Fixes: 04ffcb255f22 ("net: Add ndo_gso_check") Tested-by: Hayes Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3890e4287ea8ce14a68a82054c9df2cd92e3eafa Author: Jay Vosburgh Date: Fri Dec 19 15:32:00 2014 -0800 net/core: Handle csum for CHECKSUM_COMPLETE VXLAN forwarding [ Upstream commit 2c26d34bbcc0b3f30385d5587aa232289e2eed8e ] When using VXLAN tunnels and a sky2 device, I have experienced checksum failures of the following type: [ 4297.761899] eth0: hw csum failure [...] [ 4297.765223] Call Trace: [ 4297.765224] [] dump_stack+0x46/0x58 [ 4297.765235] [] netdev_rx_csum_fault+0x42/0x50 [ 4297.765238] [] ? skb_push+0x40/0x40 [ 4297.765240] [] __skb_checksum_complete+0xbc/0xd0 [ 4297.765243] [] tcp_v4_rcv+0x2e2/0x950 [ 4297.765246] [] ? ip_rcv_finish+0x360/0x360 These are reliably reproduced in a network topology of: container:eth0 == host(OVS VXLAN on VLAN) == bond0 == eth0 (sky2) -> switch When VXLAN encapsulated traffic is received from a similarly configured peer, the above warning is generated in the receive processing of the encapsulated packet. Note that the warning is associated with the container eth0. The skbs from sky2 have ip_summed set to CHECKSUM_COMPLETE, and because the packet is an encapsulated Ethernet frame, the checksum generated by the hardware includes the inner protocol and Ethernet headers. The receive code is careful to update the skb->csum, except in __dev_forward_skb, as called by dev_forward_skb. __dev_forward_skb calls eth_type_trans, which in turn calls skb_pull_inline(skb, ETH_HLEN) to skip over the Ethernet header, but does not update skb->csum when doing so. This patch resolves the problem by adding a call to skb_postpull_rcsum to update the skb->csum after the call to eth_type_trans. Signed-off-by: Jay Vosburgh Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 253ab5247813de6ce1d5efcdf9bf7cde749d8597 Author: Thomas Graf Date: Tue Dec 23 01:13:18 2014 +0100 net: Reset secmark when scrubbing packet [ Upstream commit b8fb4e0648a2ab3734140342002f68fb0c7d1602 ] skb_scrub_packet() is called when a packet switches between a context such as between underlay and overlay, between namespaces, or between L3 subnets. While we already scrub the packet mark, connection tracking entry, and cached destination, the security mark/context is left intact. It seems wrong to inherit the security context of a packet when going from overlay to underlay or across forwarding paths. Signed-off-by: Thomas Graf Acked-by: Flavio Leitner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 29862482563a6a445174109b149f210f69094da7 Author: Toshiaki Makita Date: Mon Dec 22 19:04:14 2014 +0900 net: Fix stacked vlan offload features computation [ Upstream commit 796f2da81bead71ffc91ef70912cd8d1827bf756 ] When vlan tags are stacked, it is very likely that the outer tag is stored in skb->vlan_tci and skb->protocol shows the inner tag's vlan_proto. Currently netif_skb_features() first looks at skb->protocol even if there is the outer tag in vlan_tci, thus it incorrectly retrieves the protocol encapsulated by the inner vlan instead of the inner vlan protocol. This allows GSO packets to be passed to HW and they end up being corrupted. Fixes: 58e998c6d239 ("offloading: Force software GSO for multiple vlan tags.") Signed-off-by: Toshiaki Makita Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 060e2832a5f5f7ec2ad3a1cc2803faf44ad690ec Author: Nicolas Dichtel Date: Mon Dec 22 18:22:48 2014 +0100 tcp6: don't move IP6CB before xfrm6_policy_check() [ Upstream commit 2dc49d1680b534877fd20cce52557ea542bb06b6 ] When xfrm6_policy_check() is used, _decode_session6() is called after some intermediate functions. This function uses IP6CB(), thus TCP_SKB_CB() must be prepared after the call of xfrm6_policy_check(). Before this patch, scenarii with IPv6 + TCP + IPsec Transport are broken. Fixes: 971f10eca186 ("tcp: better TCP_SKB_CB layout to reduce cache line misses") Reported-by: Huaibin Wang Suggested-by: Eric Dumazet Signed-off-by: Nicolas Dichtel Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit bfd6ab619cb8e9944c9d8446604b1c24ac0b686a Author: Amir Vadai Date: Mon Dec 22 10:21:57 2014 +0200 net/mlx4_en: Doorbell is byteswapped in Little Endian archs [ Upstream commit 492f5add4be84652bbe13da8a250d60c6856a5c5 ] iowrite32() will byteswap it's argument on big endian archs. iowrite32be() will byteswap on little endian archs. Since we don't want to do this unnecessary byteswap on the fast path, doorbell is stored in the NIC's native endianness. Using the right iowrite() according to the arch endianness. CC: Wei Yang CC: David Laight Fixes: 6a4e812 ("net/mlx4_en: Avoid calling bswap in tx fast path") Signed-off-by: Amir Vadai Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a67fa81c8702d3ba8f35329ed12869f04036ee8b Author: Antonio Quartulli Date: Sat Dec 20 13:48:57 2014 +0100 batman-adv: avoid NULL dereferences and fix if check [ Upstream commit 0d1644919578db525b9a7b6c8197ce02adbfce26 ] Gateway having bandwidth_down equal to zero are not accepted at all and so never added to the Gateway list. For this reason checking the bandwidth_down member in batadv_gw_out_of_range() is useless. This is probably a copy/paste error and this check was supposed to be "!gw_node" only. Moreover, the way the check is written now may also lead to a NULL dereference. Fix this by rewriting the if-condition properly. Introduced by 414254e342a0d58144de40c3da777521ebaeeb07 ("batman-adv: tvlv - gateway download/upload bandwidth container") Signed-off-by: Antonio Quartulli Reported-by: David Binderman Signed-off-by: Marek Lindner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4a4867f65770a2f79cc8f140360fea9e9d490e43 Author: Sven Eckelmann Date: Sat Dec 20 13:48:56 2014 +0100 batman-adv: Unify fragment size calculation [ Upstream commit 0402e444cd199389b7fe47be68a67b817e09e097 ] The fragmentation code was replaced in 610bfc6bc99bc83680d190ebc69359a05fc7f605 ("batman-adv: Receive fragmented packets and merge") by an implementation which can handle up to 16 fragments of a packet. The packet is prepared for the split in fragments by the function batadv_frag_send_packet and the actual split is done by batadv_frag_create. Both functions calculate the size of a fragment themself. But their calculation differs because batadv_frag_send_packet also subtracts ETH_HLEN. Therefore, the check in batadv_frag_send_packet "can a full fragment can be created?" may return true even when batadv_frag_create cannot create a full fragment. The function batadv_frag_create doesn't check the size of the skb before splitting it and therefore might try to create a larger fragment than the remaining buffer. This creates an integer underflow and an invalid len is given to skb_split. Signed-off-by: Sven Eckelmann Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 53fd27c1a28d8e974e800a75abc15382dc51f205 Author: Sven Eckelmann Date: Sat Dec 20 13:48:55 2014 +0100 batman-adv: Calculate extra tail size based on queued fragments [ Upstream commit 5b6698b0e4a37053de35cc24ee695b98a7eb712b ] The fragmentation code was replaced in 610bfc6bc99bc83680d190ebc69359a05fc7f605 ("batman-adv: Receive fragmented packets and merge"). The new code provided a mostly unused parameter skb for the merging function. It is used inside the function to calculate the additionally needed skb tailroom. But instead of increasing its own tailroom, it is only increasing the tailroom of the first queued skb. This is not correct in some situations because the first queued entry can be a different one than the parameter. An observed problem was: 1. packet with size 104, total_size 1464, fragno 1 was received - packet is queued 2. packet with size 1400, total_size 1464, fragno 0 was received - packet is queued at the end of the list 3. enough data was received and can be given to the merge function (1464 == (1400 - 20) + (104 - 20)) - merge functions gets 1400 byte large packet as skb argument 4. merge function gets first entry in queue (104 byte) - stored as skb_out 5. merge function calculates the required extra tail as total_size - skb->len - pskb_expand_head tail of skb_out with 64 bytes 6. merge function tries to squeeze the extra 1380 bytes from the second queued skb (1400 byte aka skb parameter) in the 64 extra tail bytes of skb_out Instead calculate the extra required tail bytes for skb_out also using skb_out instead of using the parameter skb. The skb parameter is only used to get the total_size from the last received packet. This is also the total_size used to decide that all fragments were received. Reported-by: Philipp Psurek Signed-off-by: Sven Eckelmann Acked-by: Martin Hundebøll Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ea1e9a30ca0301dd7517976092bd44bc0bf47902 Author: Prashant Sreedharan Date: Sat Dec 20 12:16:17 2014 -0800 tg3: tg3_disable_ints using uninitialized mailbox value to disable interrupts [ Upstream commit 05b0aa579397b734f127af58e401a30784a1e315 ] During driver load in tg3_init_one, if the driver detects DMA activity before intializing the chip tg3_halt is called. As part of tg3_halt interrupts are disabled using routine tg3_disable_ints. This routine was using mailbox value which was not initialized (default value is 0). As a result driver was writing 0x00000001 to pci config space register 0, which is the vendor id / device id. This driver bug was exposed because of the commit a7877b17a667 (PCI: Check only the Vendor ID to identify Configuration Request Retry). Also this issue is only seen in older generation chipsets like 5722 because config space write to offset 0 from driver is possible. The newer generation chips ignore writes to offset 0. Also without commit a7877b17a667, for these older chips when a GRC reset is issued the Bootcode would reprogram the vendor id/device id, which is the reason this bug was masked earlier. Fixed by initializing the interrupt mailbox registers before calling tg3_halt. Please queue for -stable. Reported-by: Nils Holland Reported-by: Marcelo Ricardo Leitner Signed-off-by: Prashant Sreedharan Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b7efdb64acc4acd4213d6577c202e84294b31ca4 Author: stephen hemminger Date: Sat Dec 20 12:15:49 2014 -0800 in6: fix conflict with glibc [ Upstream commit 6d08acd2d32e3e877579315dc3202d7a5f336d98 ] Resolve conflicts between glibc definition of IPV6 socket options and those defined in Linux headers. Looks like earlier efforts to solve this did not cover all the definitions. It resolves warnings during iproute2 build. Please consider for stable as well. Signed-off-by: Stephen Hemminger Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3614d566f7d018a4f3667ecb75c029140664d8e0 Author: Jason Wang Date: Fri Dec 19 11:09:13 2014 +0800 net: drop the packet when fails to do software segmentation or header check [ Upstream commit af6dabc9c70ae3f307685b1f32f52d60b1bf0527 ] Commit cecda693a969816bac5e470e1d9c9c0ef5567bca ("net: keep original skb which only needs header checking during software GSO") keeps the original skb for packets that only needs header check, but it doesn't drop the packet if software segmentation or header check were failed. Fixes cecda693a9 ("net: keep original skb which only needs header checking during software GSO") Cc: Eric Dumazet Signed-off-by: Jason Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 639e13dad757d24a73fef6112f55ac3eaeccb688 Author: David Vrabel Date: Thu Dec 18 11:13:06 2014 +0000 xen-netback: support frontends without feature-rx-notify again [ Upstram commit 26c0e102585d5a4d311f5d6eb7f524d288e7f6b7 ] Commit bc96f648df1bbc2729abbb84513cf4f64273a1f1 (xen-netback: make feature-rx-notify mandatory) incorrectly assumed that there were no frontends in use that did not support this feature. But the frontend driver in MiniOS does not and since this is used by (qemu) stubdoms, these stopped working. Netback sort of works as-is in this mode except: - If there are no Rx requests and the internal Rx queue fills, only the drain timeout will wake the thread. The default drain timeout of 10 s would give unacceptable pauses. - If an Rx stall was detected and the internal Rx queue is drained, then the Rx thread would never wake. Handle these two cases (when feature-rx-notify is disabled) by: - Reducing the drain timeout to 30 ms. - Disabling Rx stall detection. Reported-by: John Tested-by: John Signed-off-by: David Vrabel Reviewed-by: Wei Liu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit bce2a13e79891e11ebaed87ac2b68fef643426b2 Author: Jesse Gross Date: Tue Dec 16 18:25:32 2014 -0800 geneve: Fix races between socket add and release. [ Upstream commit 12069401d895ff84076a50189ca842c0696b84b2 ] Currently, searching for a socket to add a reference to is not synchronized with deletion of sockets. This can result in use after free if there is another operation that is removing a socket at the same time. Solving this requires both holding the appropriate lock and checking the refcount to ensure that it has not already hit zero. Inspired by a related (but not exactly the same) issue in the VXLAN driver. Fixes: 0b5e8b8e ("net: Add Geneve tunneling protocol driver") CC: Andy Zhou Signed-off-by: Jesse Gross Acked-by: Thomas Graf Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4378fe7d7973624d7b9a8d814651c82e428c241b Author: Jesse Gross Date: Tue Dec 16 18:25:31 2014 -0800 geneve: Remove socket and offload handlers at destruction. [ Upstream commit 7ed767f73192d6daf673c6d885cd02d5f280ac1f ] Sockets aren't currently removed from the the global list when they are destroyed. In addition, offload handlers need to be cleaned up as well. Fixes: 0b5e8b8e ("net: Add Geneve tunneling protocol driver") CC: Andy Zhou Signed-off-by: Jesse Gross Acked-by: Thomas Graf Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3c030f1946d3faf374d71824de18bf1f201e416c Author: Thomas Graf Date: Thu Dec 18 10:30:26 2014 +0000 netlink: Don't reorder loads/stores before marking mmap netlink frame as available [ Upstream commit a18e6a186f53af06937a2c268c72443336f4ab56 ] Each mmap Netlink frame contains a status field which indicates whether the frame is unused, reserved, contains data or needs to be skipped. Both loads and stores may not be reordeded and must complete before the status field is changed and another CPU might pick up the frame for use. Use an smp_mb() to cover needs of both types of callers to netlink_set_status(), callers which have been reading data frame from the frame, and callers which have been filling or releasing and thus writing to the frame. - Example code path requiring a smp_rmb(): memcpy(skb->data, (void *)hdr + NL_MMAP_HDRLEN, hdr->nm_len); netlink_set_status(hdr, NL_MMAP_STATUS_UNUSED); - Example code path requiring a smp_wmb(): hdr->nm_uid = from_kuid(sk_user_ns(sk), NETLINK_CB(skb).creds.uid); hdr->nm_gid = from_kgid(sk_user_ns(sk), NETLINK_CB(skb).creds.gid); netlink_frame_flush_dcache(hdr); netlink_set_status(hdr, NL_MMAP_STATUS_VALID); Fixes: f9c228 ("netlink: implement memory mapped recvmsg()") Reported-by: Eric Dumazet Signed-off-by: Thomas Graf Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b68d3ab6b312d63c70c858b0cde1dbe3a59eb05b Author: David Miller Date: Tue Dec 16 17:58:17 2014 -0500 netlink: Always copy on mmap TX. [ Upstream commit 4682a0358639b29cf69437ed909c6221f8c89847 ] Checking the file f_count and the nlk->mapped count is not completely sufficient to prevent the mmap'd area contents from changing from under us during netlink mmap sendmsg() operations. Be careful to sample the header's length field only once, because this could change from under us as well. Fixes: 5fd96123ee19 ("netlink: implement memory mapped sendmsg()") Signed-off-by: David S. Miller Acked-by: Daniel Borkmann Acked-by: Thomas Graf Signed-off-by: Greg Kroah-Hartman commit 15c11606c9e1223b9f1a3c6356735e7314dab81f Author: Ido Shamay Date: Tue Dec 16 13:28:54 2014 +0200 net/mlx4: Cache line CQE/EQE stride fixes [ Upstream commit c3f2511feac088030055012cc8f64ebd84c87dbc ] This commit contains 2 fixes for the 128B CQE/EQE stride feaure. Wei found that mlx4_QUERY_HCA function marked the wrong capability in flags (64B CQE/EQE), when CQE/EQE stride feature was enabled. Also added small fix in initial CQE ownership bit assignment, when CQE is size is not default 32B. Fixes: 77507aa24 (net/mlx4: Enable CQE/EQE stride support) Signed-off-by: Wei Yang Signed-off-by: Ido Shamay Signed-off-by: Amir Vadai Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit feb15ac3628470f770562545beed7c62226b3592 Author: Timo Teräs Date: Mon Dec 15 09:24:13 2014 +0200 gre: fix the inner mac header in nbma tunnel xmit path [ Upstream commit 8a0033a947403569caeca45fa5e6f7ba60d51974 ] The NBMA GRE tunnels temporarily push GRE header that contain the per-packet NBMA destination on the skb via header ops early in xmit path. It is the later pulled before the real GRE header is constructed. The inner mac was thus set differently in nbma case: the GRE header has been pushed by neighbor layer, and mac header points to beginning of the temporary gre header (set by dev_queue_xmit). Now that the offloads expect mac header to point to the gre payload, fix the xmit patch to: - pull first the temporary gre header away - and reset mac header to point to gre payload This fixes tso to work again with nbma tunnels. Fixes: 14051f0452a2 ("gre: Use inner mac length when computing tunnel length") Signed-off-by: Timo Teräs Cc: Tom Herbert Cc: Alexander Duyck Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman