[PATCH 4.0 004/220] tcp: fix possible deadlock in tcp_send

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdma...@suse.com>

commit ccccf3d67294714af2d72a6fd6fd7d73b01c9329 upstream.

If we attempt to clone a 0 length region into a file we can end up
inserting a range in the inode's extent_io tree with a start offset
that is greater then the end offset, which triggers immediately the
following warning:

[ 3914.619057] WARNING: CPU: 17 PID: 4199 at fs/btrfs/extent_io.c:435 insert_state+0x4b/0x10b [btrfs]()
[ 3914.620886] BTRFS: end < start 4095 4096
(...)
[ 3914.638093] Call Trace:
[ 3914.638636] [<ffffffff81425fd9>] dump_stack+0x4c/0x65
[ 3914.639620] [<ffffffff81045390>] warn_slowpath_common+0xa1/0xbb
[ 3914.640789] [<ffffffffa03ca44f>] ? insert_state+0x4b/0x10b [btrfs]
[ 3914.642041] [<ffffffff810453f0>] warn_slowpath_fmt+0x46/0x48
[ 3914.643236] [<ffffffffa03ca44f>] insert_state+0x4b/0x10b [btrfs]
[ 3914.644441] [<ffffffffa03ca729>] __set_extent_bit+0x107/0x3f4 [btrfs]
[ 3914.645711] [<ffffffffa03cb256>] lock_extent_bits+0x65/0x1bf [btrfs]
[ 3914.646914] [<ffffffff8142b2fb>] ? _raw_spin_unlock+0x28/0x33
[ 3914.648058] [<ffffffffa03cbac4>] ? test_range_bit+0xcc/0xde [btrfs]
[ 3914.650105] [<ffffffffa03cb3c3>] lock_extent+0x13/0x15 [btrfs]
[ 3914.651361] [<ffffffffa03db39e>] lock_extent_range+0x3d/0xcd [btrfs]
[ 3914.652761] [<ffffffffa03de1fe>] btrfs_ioctl_clone+0x278/0x388 [btrfs]
[ 3914.654128] [<ffffffff811226dd>] ? might_fault+0x58/0xb5
[ 3914.655320] [<ffffffffa03e0909>] btrfs_ioctl+0xb51/0x2195 [btrfs]
(...)
[ 3914.669271] ---[ end trace 14843d3e2e622fc1 ]---

This later makes the inode eviction handler enter an infinite loop that
keeps dumping the following warning over and over:

[ 3915.117629] WARNING: CPU: 22 PID: 4228 at fs/btrfs/extent_io.c:435 insert_state+0x4b/0x10b [btrfs]()
[ 3915.119913] BTRFS: end < start 4095 4096
(...)
[ 3915.137394] Call Trace:
[ 3915.137913] [<ffffffff81425fd9>] dump_stack+0x4c/0x65
[ 3915.139154] [<ffffffff81045390>] warn_slowpath_common+0xa1/0xbb
[ 3915.140316] [<ffffffffa03ca44f>] ? insert_state+0x4b/0x10b [btrfs]
[ 3915.141505] [<ffffffff810453f0>] warn_slowpath_fmt+0x46/0x48
[ 3915.142709] [<ffffffffa03ca44f>] insert_state+0x4b/0x10b [btrfs]
[ 3915.143849] [<ffffffffa03ca729>] __set_extent_bit+0x107/0x3f4 [btrfs]
[ 3915.145120] [<ffffffffa038c1e3>] ? btrfs_kill_super+0x17/0x23 [btrfs]
[ 3915.146352] [<ffffffff811548f6>] ? deactivate_locked_super+0x3b/0x50
[ 3915.147565] [<ffffffffa03cb256>] lock_extent_bits+0x65/0x1bf [btrfs]
[ 3915.148785] [<ffffffff8142b7e2>] ? _raw_write_unlock+0x28/0x33
[ 3915.149931] [<ffffffffa03bc325>] btrfs_evict_inode+0x196/0x482 [btrfs]
[ 3915.151154] [<ffffffff81168904>] evict+0xa0/0x148
[ 3915.152094] [<ffffffff811689e5>] dispose_list+0x39/0x43
[ 3915.153081] [<ffffffff81169564>] evict_inodes+0xdc/0xeb
[ 3915.154062] [<ffffffff81154418>] generic_shutdown_super+0x49/0xef
[ 3915.155193] [<ffffffff811546d1>] kill_anon_super+0x13/0x1e
[ 3915.156274] [<ffffffffa038c1e3>] btrfs_kill_super+0x17/0x23 [btrfs]
(...)
[ 3915.167404] ---[ end trace 14843d3e2e622fc2 ]---

So just bail out of the clone ioctl if the length of the region to clone
is zero, without locking any extent range, in order to prevent this issue
(same behaviour as a pwrite with a 0 length for example).

This is trivial to reproduce. For example, the steps for the test I just
made for fstests:

mkfs.btrfs -f SCRATCH_DEV
mount SCRATCH_DEV $SCRATCH_MNT

touch $SCRATCH_MNT/foo
touch $SCRATCH_MNT/bar

$CLONER_PROG -s 0 -d 4096 -l 0 $SCRATCH_MNT/foo $SCRATCH_MNT/bar
umount $SCRATCH_MNT

A test case for fstests follows soon.

Signed-off-by: Filipe Manana <fdma...@suse.com>
Reviewed-by: Omar Sandoval <osa...@osandov.com>
Signed-off-by: Chris Mason <c...@fb.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

fs/btrfs/ioctl.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3626,6 +3626,11 @@ static noinline long btrfs_ioctl_clone(s
if (off + len == src->i_size)
len = ALIGN(src->i_size, bs) - off;

+ if (len == 0) {

+ ret = 0;
+ goto out_unlock;
+ }
+
/* verify the end result is block aligned */
if (!IS_ALIGNED(off, bs) || !IS_ALIGNED(off + len, bs) ||
!IS_ALIGNED(destoff, bs))

Greg Kroah-Hartman

unread,

May 2, 2015, 3:10:13 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Scott Wood <scot...@freescale.com>

commit 50c6a665b383cb5839e45d04e36faeeefaffa052 upstream.

Commit dc6c9a35b66b5 ("mm: account pmd page tables to the process")
added a counter that is incremented whenever a PMD is allocated and
decremented whenever a PMD is freed. For hugepages on PPC, common code
is used to allocated PMDs, but arch-specific code is used to free PMDs.

This results in kernel output such as "BUG: non-zero nr_pmds on freeing
mm: 1" when using hugepages.

Update the PPC hugepage PMD freeing code to decrement the count, just
as the above commit did for free_pmd_range().

Fixes: dc6c9a35b66b5 ("mm: account pmd page tables to the process")
Signed-off-by: Scott Wood <scot...@freescale.com>
Reviewed-by: Aneesh Kumar K.V <aneesh...@linux.vnet.ibm.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

arch/powerpc/mm/hugetlbpage.c | 1 +

1 file changed, 1 insertion(+)

unread,

May 2, 2015, 3:20:06 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebie...@xmission.com>

commit 8318e667f176f7ea34451a1a530634e293f216ac upstream.

Invoking mount propagation from __detach_mounts is inefficient and
wrong.

It is inefficient because __detach_mounts already walks the list of
mounts that where something needs to be done, and mount propagation
walks some subset of those mounts again.

It is actively wrong because if the dentry that is passed to
__detach_mounts is not part of the path to a mount that mount should
not be affected.

change_mnt_propagation(p,MS_PRIVATE) modifies the mount propagation
tree of a master mount so it's slaves are connected to another master
if possible. Which means even removing a mount from the middle of a
mount tree with __detach_mounts will not deprive any mount propagated
mount events.

Signed-off-by: "Eric W. Biederman" <ebie...@xmission.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

fs/namespace.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1487,7 +1487,7 @@ void __detach_mounts(struct dentry *dent
lock_mount_hash();
while (!hlist_empty(&mp->m_list)) {
mnt = hlist_entry(mp->m_list.first, struct mount, mnt_mp_list);
- umount_tree(mnt, UMOUNT_PROPAGATE);
+ umount_tree(mnt, 0);
}
unlock_mount_hash();
put_mountpoint(mp);

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:06 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jarkko Sakkinen <jarkko....@linux.intel.com>

commit 34d47b6322087665be33ca3aa81775b143a4d7ac upstream.

I started to work with PPI interface so that it would be available
under character device sysfs directory and realized that chip
registeration was still too messy.

In TPM 1.x in some rare scenarios (errors that almost never occur)
wrong order in deinitialization steps was taken in teardown. I
reproduced these scenarios by manually inserting error codes in the
place of the corresponding function calls.

The key problem is that the teardown is messy with two separate code
paths (this was inherited when moving code from tpm-interface.c).

Moved TPM 1.x specific register/unregister functionality to own helper
functions and added single code path for teardown in tpm_chip_register().
Now the code paths have been fixed and it should be easier to review
later on this part of the code.

Fixes: 7a1d7e6dd76a ("tpm: TPM 2.0 baseline support")
Signed-off-by: Jarkko Sakkinen <jarkko....@linux.intel.com>
Tested-by: Scot Doyle <lkm...@scotdoyle.com>
Reviewed-by: Peter Huewe <peter...@gmx.de>
Signed-off-by: Peter Huewe <peter...@gmx.de>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/char/tpm/tpm-chip.c | 66 ++++++++++++++++++++++++++++----------------
1 file changed, 42 insertions(+), 24 deletions(-)

--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -170,6 +170,41 @@ static void tpm_dev_del_device(struct tp
device_unregister(&chip->dev);
}

+static int tpm1_chip_register(struct tpm_chip *chip)
+{
+ int rc;
+
+ if (chip->flags & TPM_CHIP_FLAG_TPM2)
+ return 0;
+
+ rc = tpm_sysfs_add_device(chip);
+ if (rc)
+ return rc;
+
+ rc = tpm_add_ppi(chip);
+ if (rc) {
+ tpm_sysfs_del_device(chip);
+ return rc;
+ }
+
+ chip->bios_dir = tpm_bios_log_setup(chip->devname);
+

+ return 0;
+}
+

+static void tpm1_chip_unregister(struct tpm_chip *chip)
+{
+ if (chip->flags & TPM_CHIP_FLAG_TPM2)
+ return;
+
+ if (chip->bios_dir)
+ tpm_bios_log_teardown(chip->bios_dir);
+
+ tpm_remove_ppi(chip);
+
+ tpm_sysfs_del_device(chip);
+}
+
/*
* tpm_chip_register() - create a character device for the TPM chip
* @chip: TPM chip to use.
@@ -185,22 +220,13 @@ int tpm_chip_register(struct tpm_chip *c
{
int rc;

- /* Populate sysfs for TPM1 devices. */
- if (!(chip->flags & TPM_CHIP_FLAG_TPM2)) {
- rc = tpm_sysfs_add_device(chip);
- if (rc)
- goto del_misc;
-
- rc = tpm_add_ppi(chip);
- if (rc)
- goto del_sysfs;
-
- chip->bios_dir = tpm_bios_log_setup(chip->devname);
- }
+ rc = tpm1_chip_register(chip);
+ if (rc)
+ return rc;

rc = tpm_dev_add_device(chip);
if (rc)
- return rc;
+ goto out_err;

/* Make the chip available. */
spin_lock(&driver_lock);
@@ -210,10 +236,8 @@ int tpm_chip_register(struct tpm_chip *c
chip->flags |= TPM_CHIP_FLAG_REGISTERED;

return 0;
-del_sysfs:
- tpm_sysfs_del_device(chip);
-del_misc:
- tpm_dev_del_device(chip);
+out_err:
+ tpm1_chip_unregister(chip);
return rc;
}
EXPORT_SYMBOL_GPL(tpm_chip_register);
@@ -238,13 +262,7 @@ void tpm_chip_unregister(struct tpm_chip
spin_unlock(&driver_lock);
synchronize_rcu();

- if (!(chip->flags & TPM_CHIP_FLAG_TPM2)) {
- if (chip->bios_dir)
- tpm_bios_log_teardown(chip->bios_dir);
- tpm_remove_ppi(chip);
- tpm_sysfs_del_device(chip);
- }
-
+ tpm1_chip_unregister(chip);
tpm_dev_del_device(chip);
}
EXPORT_SYMBOL_GPL(tpm_chip_unregister);

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:06 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <ba...@ti.com>

commit b8fb6f79f76f478acbbffccc966daa878f172a0a upstream.

Make sure we're using the new macro, so our
resume signaling will always pass certification.

Signed-off-by: Felipe Balbi <ba...@ti.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/usb/host/uhci-hub.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/usb/host/uhci-hub.c
+++ b/drivers/usb/host/uhci-hub.c
@@ -166,7 +166,7 @@ static void uhci_check_ports(struct uhci
/* Port received a wakeup request */
set_bit(port, &uhci->resuming_ports);
uhci->ports_timeout = jiffies +
- msecs_to_jiffies(25);
+ msecs_to_jiffies(USB_RESUME_TIMEOUT);
usb_hcd_start_port_resume(
&uhci_to_hcd(uhci)->self, port);

@@ -338,7 +338,8 @@ static int uhci_hub_control(struct usb_h
uhci_finish_suspend(uhci, port, port_addr);

/* USB v2.0 7.1.7.5 */
- uhci->ports_timeout = jiffies + msecs_to_jiffies(50);
+ uhci->ports_timeout = jiffies +
+ msecs_to_jiffies(USB_RESUME_TIMEOUT);
break;
case USB_PORT_FEAT_POWER:
/* UHCI has no power switching */

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:06 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Christoph Hellwig <h...@infradead.org>

commit 16b8528d20607925899b1df93bfd8fbab98d267c upstream.

We only want to steer the I/O completion towards a queue, but don't
actually access any per-CPU data, so the raw_ version is fine to use
and avoids the warnings when using smp_processor_id().

Signed-off-by: Christoph Hellwig <h...@lst.de>
Reported-by: Andy Lutomirski <lu...@kernel.org>
Tested-by: Andy Lutomirski <lu...@kernel.org>
Acked-by: Sumit Saxena <sumit....@avagotech.com>
Signed-off-by: James Bottomley <JBott...@Odin.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/scsi/megaraid/megaraid_sas_fusion.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
@@ -1584,11 +1584,11 @@ megasas_build_ldio_fusion(struct megasas
fp_possible = io_info.fpOkForIo;
}

- /* Use smp_processor_id() for now until cmd->request->cpu is CPU
+ /* Use raw_smp_processor_id() for now until cmd->request->cpu is CPU
id by default, not CPU group id, otherwise all MSI-X queues won't
be utilized */
cmd->request_desc->SCSIIO.MSIxIndex = instance->msix_vectors ?
- smp_processor_id() % instance->msix_vectors : 0;
+ raw_smp_processor_id() % instance->msix_vectors : 0;

if (fp_possible) {
megasas_set_pd_lba(io_request, scp->cmd_len, &io_info, scp,
@@ -1693,7 +1693,10 @@ megasas_build_dcdb_fusion(struct megasas
<< MR_RAID_CTX_RAID_FLAGS_IO_SUB_TYPE_SHIFT;
cmd->request_desc->SCSIIO.DevHandle = io_request->DevHandle;
cmd->request_desc->SCSIIO.MSIxIndex =
- instance->msix_vectors ? smp_processor_id() % instance->msix_vectors : 0;
+ instance->msix_vectors ?
+ raw_smp_processor_id() %
+ instance->msix_vectors :
+ 0;
os_timeout_value = scmd->request->timeout / HZ;

if (instance->secure_jbod_support &&

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:07 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Andrew Elble <awe...@rit.edu>

commit c1b8940b42bb6487b10f2267a96b486276ce9ff7 upstream.

We have observed a BUG() crash in fs/attr.c:notify_change(). The crash
occurs during an rsync into a filesystem that is exported via NFS.

1.) fs/attr.c:notify_change() modifies the caller's version of attr.
2.) 6de0ec00ba8d ("VFS: make notify_change pass ATTR_KILL_S*ID to
setattr operations") introduced a BUG() restriction such that "no
function will ever call notify_change() with both ATTR_MODE and
ATTR_KILL_S*ID set". Under some circumstances though, it will have
assisted in setting the caller's version of attr to this very
combination.
3.) 27ac0ffeac80 ("locks: break delegations on any attribute
modification") introduced code to handle breaking
delegations. This can result in notify_change() being re-called. attr
_must_ be explicitly reset to avoid triggering the BUG() established
in #2.
4.) The path that that triggers this is via fs/open.c:chmod_common().
The combination of attr flags set here and in the first call to
notify_change() along with a later failed break_deleg_wait()
results in notify_change() being called again via retry_deleg
without resetting attr.

Solution is to move retry_deleg in chmod_common() a bit further up to
ensure attr is completely reset.

There are other places where this seemingly could occur, such as
fs/utimes.c:utimes_common(), but the attr flags are not initially
set in such a way to trigger this.

Fixes: 27ac0ffeac80 ("locks: break delegations on any attribute modification")
Reported-by: Eric Meddaugh <etm...@rit.edu>
Tested-by: Eric Meddaugh <etm...@rit.edu>
Signed-off-by: Andrew Elble <awe...@rit.edu>
Signed-off-by: Al Viro <vi...@zeniv.linux.org.uk>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

fs/open.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/open.c
+++ b/fs/open.c
@@ -570,6 +570,7 @@ static int chown_common(struct path *pat
uid = make_kuid(current_user_ns(), user);
gid = make_kgid(current_user_ns(), group);

+retry_deleg:
newattrs.ia_valid = ATTR_CTIME;
if (user != (uid_t) -1) {
if (!uid_valid(uid))
@@ -586,7 +587,6 @@ static int chown_common(struct path *pat
if (!S_ISDIR(inode->i_mode))
newattrs.ia_valid |=
ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
-retry_deleg:
mutex_lock(&inode->i_mutex);
error = security_path_chown(path, uid, gid);
if (!error)

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:07 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>

[ Upstream commit 2ea2f62c8bda242433809c7f4e9eae1c52c40bbe ]

When I added pfmemalloc support in build_skb(), I forgot netlink
was using build_skb() with a vmalloc() area.

In this patch I introduce __build_skb() for netlink use,
and build_skb() is a wrapper handling both skb->head_frag and
skb->pfmemalloc

This means netlink no longer has to hack skb->head_frag

[ 1567.700067] kernel BUG at arch/x86/mm/physaddr.c:26!
[ 1567.700067] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 1567.700067] Dumping ftrace buffer:
[ 1567.700067] (ftrace buffer empty)
[ 1567.700067] Modules linked in:
[ 1567.700067] CPU: 9 PID: 16186 Comm: trinity-c182 Not tainted 4.0.0-next-20150424-sasha-00037-g4796e21 #2167
[ 1567.700067] task: ffff880127efb000 ti: ffff880246770000 task.ti: ffff880246770000
[ 1567.700067] RIP: __phys_addr (arch/x86/mm/physaddr.c:26 (discriminator 3))
[ 1567.700067] RSP: 0018:ffff8802467779d8 EFLAGS: 00010202
[ 1567.700067] RAX: 000041000ed8e000 RBX: ffffc9008ed8e000 RCX: 000000000000002c
[ 1567.700067] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffffb3fd6049
[ 1567.700067] RBP: ffff8802467779f8 R08: 0000000000000019 R09: ffff8801d0168000
[ 1567.700067] R10: ffff8801d01680c7 R11: ffffed003a02d019 R12: ffffc9000ed8e000
[ 1567.700067] R13: 0000000000000f40 R14: 0000000000001180 R15: ffffc9000ed8e000
[ 1567.700067] FS: 00007f2a7da3f700(0000) GS:ffff8801d1000000(0000) knlGS:0000000000000000
[ 1567.700067] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1567.700067] CR2: 0000000000738308 CR3: 000000022e329000 CR4: 00000000000007e0
[ 1567.700067] Stack:
[ 1567.700067] ffffc9000ed8e000 ffff8801d0168000 ffffc9000ed8e000 ffff8801d0168000
[ 1567.700067] ffff880246777a28 ffffffffad7c0a21 0000000000001080 ffff880246777c08
[ 1567.700067] ffff88060d302e68 ffff880246777b58 ffff880246777b88 ffffffffad9a6821
[ 1567.700067] Call Trace:
[ 1567.700067] build_skb (include/linux/mm.h:508 net/core/skbuff.c:316)
[ 1567.700067] netlink_sendmsg (net/netlink/af_netlink.c:1633 net/netlink/af_netlink.c:2329)
[ 1567.774369] ? sched_clock_cpu (kernel/sched/clock.c:311)
[ 1567.774369] ? netlink_unicast (net/netlink/af_netlink.c:2273)
[ 1567.774369] ? netlink_unicast (net/netlink/af_netlink.c:2273)
[ 1567.774369] sock_sendmsg (net/socket.c:614 net/socket.c:623)
[ 1567.774369] sock_write_iter (net/socket.c:823)
[ 1567.774369] ? sock_sendmsg (net/socket.c:806)
[ 1567.774369] __vfs_write (fs/read_write.c:479 fs/read_write.c:491)
[ 1567.774369] ? get_lock_stats (kernel/locking/lockdep.c:249)
[ 1567.774369] ? default_llseek (fs/read_write.c:487)
[ 1567.774369] ? vtime_account_user (kernel/sched/cputime.c:701)
[ 1567.774369] ? rw_verify_area (fs/read_write.c:406 (discriminator 4))
[ 1567.774369] vfs_write (fs/read_write.c:539)
[ 1567.774369] SyS_write (fs/read_write.c:586 fs/read_write.c:577)
[ 1567.774369] ? SyS_read (fs/read_write.c:577)
[ 1567.774369] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[ 1567.774369] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2594 kernel/locking/lockdep.c:2636)
[ 1567.774369] ? trace_hardirqs_on_thunk (arch/x86/lib/thunk_64.S:42)
[ 1567.774369] system_call_fastpath (arch/x86/kernel/entry_64.S:261)

Fixes: 79930f5892e ("net: do not deplete pfmemalloc reserve")
Signed-off-by: Eric Dumazet <edum...@google.com>
Reported-by: Sasha Levin <sasha...@oracle.com>

unread,

May 2, 2015, 3:20:07 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+...@glider.be>

commit 13a6a2ed1f5e77ae47c2b1a8e3bf22b2fa2d56ba upstream.

If CONFIG_DEBUG_SLAB=y:

sh_mobile_sdhi ee100000.sd: Got CD GPIO
sh_mobile_sdhi ee100000.sd: Got WP GPIO
platform ee100000.sd: Driver sh_mobile_sdhi requests probe deferral
...
Slab corruption (Not tainted): kmalloc-1024 start=ed8b3c00, len=1024
2d0: 00 00 00 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b ....kkkkkkkkkkkk
Prev obj: start=ed8b3800, len=1024
000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk

Struct tmio_mmc_host is embedded inside struct mmc_host, and thus is
freed by the call to mmc_free_host(). Hence it must not be written to
afterwards, as that will corrupt freed (and perhaps already reused)
memory.

Fixes: 94b110aff8679b14 ("mmc: tmio: add tmio_mmc_host_alloc/free()")
Signed-off-by: Geert Uytterhoeven <geert+...@glider.be>
Signed-off-by: Ulf Hansson <ulf.h...@linaro.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/mmc/host/tmio_mmc_pio.c | 2 --
1 file changed, 2 deletions(-)

--- a/drivers/mmc/host/tmio_mmc_pio.c
+++ b/drivers/mmc/host/tmio_mmc_pio.c
@@ -1073,8 +1073,6 @@ EXPORT_SYMBOL(tmio_mmc_host_alloc);
void tmio_mmc_host_free(struct tmio_mmc_host *host)
{
mmc_free_host(host->mmc);
-
- host->mmc = NULL;
}
EXPORT_SYMBOL(tmio_mmc_host_free);

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:07 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Ploumistos <alex.pl...@gmail.com>

commit 2eeff0b4317a02f0e281df891d990194f0737aae upstream.

Add 04f2:aff1 to ath3k.c supported devices list and btusb.c blacklist, so
that the device can load the ath3k firmware and re-enumerate itself as an
AR3011 device.

T: Bus=05 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=04f2 ProdID=aff1 Rev= 0.01
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms

Signed-off-by: Alexander Ploumistos <ale...@fedoraproject.org>
Signed-off-by: Marcel Holtmann <mar...@holtmann.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/bluetooth/ath3k.c | 1 +
drivers/bluetooth/btusb.c | 1 +

2 files changed, 2 insertions(+)

--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -65,6 +65,7 @@ static const struct usb_device_id ath3k_
/* Atheros AR3011 with sflash firmware*/
{ USB_DEVICE(0x0489, 0xE027) },
{ USB_DEVICE(0x0489, 0xE03D) },
+ { USB_DEVICE(0x04F2, 0xAFF1) },
{ USB_DEVICE(0x0930, 0x0215) },
{ USB_DEVICE(0x0CF3, 0x3002) },
{ USB_DEVICE(0x0CF3, 0xE019) },
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -159,6 +159,7 @@ static const struct usb_device_id blackl
/* Atheros 3011 with sflash firmware */
{ USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
{ USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
+ { USB_DEVICE(0x04f2, 0xaff1), .driver_info = BTUSB_IGNORE },
{ USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
{ USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE },
{ USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE },

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:07 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebie...@xmission.com>

commit 0c56fe31420ca599c90240315f7959bf1b4eb6ce upstream.

If the first mount in shared subtree is locked don't unmount the
shared subtree.

This is ensured by walking through the mounts parents before children
and marking a mount as unmountable if it is not locked or it is locked
but it's parent is marked.

This allows recursive mount detach to propagate through a set of
mounts when unmounting them would not reveal what is under any locked
mount.

Signed-off-by: "Eric W. Biederman" <ebie...@xmission.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

fs/pnode.c | 32 +++++++++++++++++++++++++++++---
fs/pnode.h | 1 +
2 files changed, 30 insertions(+), 3 deletions(-)

--- a/fs/pnode.c
+++ b/fs/pnode.c
@@ -382,6 +382,26 @@ void propagate_mount_unlock(struct mount
}

/*
+ * Mark all mounts that the MNT_LOCKED logic will allow to be unmounted.
+ */
+static void mark_umount_candidates(struct mount *mnt)
+{
+ struct mount *parent = mnt->mnt_parent;
+ struct mount *m;
+
+ BUG_ON(parent == mnt);
+
+ for (m = propagation_next(parent, parent); m;
+ m = propagation_next(m, parent)) {
+ struct mount *child = __lookup_mnt_last(&m->mnt,
+ mnt->mnt_mountpoint);
+ if (child && (!IS_MNT_LOCKED(child) || IS_MNT_MARKED(m))) {
+ SET_MNT_MARK(child);
+ }
+ }
+}
+
+/*
* NOTE: unmounting 'mnt' naturally propagates to all other mounts its
* parent propagates to.
*/
@@ -398,10 +418,13 @@ static void __propagate_umount(struct mo
struct mount *child = __lookup_mnt_last(&m->mnt,
mnt->mnt_mountpoint);
/*
- * umount the child only if the child has no
- * other children
+ * umount the child only if the child has no children
+ * and the child is marked safe to unmount.
*/
- if (child && list_empty(&child->mnt_mounts)) {
+ if (!child || !IS_MNT_MARKED(child))
+ continue;
+ CLEAR_MNT_MARK(child);
+ if (list_empty(&child->mnt_mounts)) {
list_del_init(&child->mnt_child);
child->mnt.mnt_flags |= MNT_UMOUNT;
list_move_tail(&child->mnt_list, &mnt->mnt_list);
@@ -420,6 +443,9 @@ int propagate_umount(struct list_head *l
{
struct mount *mnt;

+ list_for_each_entry_reverse(mnt, list, mnt_list)
+ mark_umount_candidates(mnt);
+
list_for_each_entry(mnt, list, mnt_list)
__propagate_umount(mnt);
return 0;
--- a/fs/pnode.h
+++ b/fs/pnode.h
@@ -19,6 +19,7 @@
#define IS_MNT_MARKED(m) ((m)->mnt.mnt_flags & MNT_MARKED)

#define SET_MNT_MARK(m) ((m)->mnt.mnt_flags |= MNT_MARKED)
#define CLEAR_MNT_MARK(m) ((m)->mnt.mnt_flags &= ~MNT_MARKED)

+#define IS_MNT_LOCKED(m) ((m)->mnt.mnt_flags & MNT_LOCKED)

#define CL_EXPIRE 0x01
#define CL_SLAVE 0x02

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:07 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: "Rafael J. Wysocki" <rafael.j...@intel.com>

commit 0ee0d34985ceffe4036319e1e46df8bff591b9e3 upstream.

It is reported that ACPI interrupts do not work any more on
Dell Latitude D600 after commit c50f13c672df (ACPICA: Save
current masks of enabled GPEs after enable register writes).
The problem turns out to be related to the fact that the
enable_mask and enable_for_run GPE bit masks are not in
sync (in the absence of any system suspend/resume events)
for at least one GPE register on that machine.

Address this problem by writing the enable_for_run mask into
enable_mask as soon as enable_for_run is updated instead of
doing that only after the subsequent register write has
succeeded. For consistency, update acpi_hw_gpe_enable_write()
to store the bit mask to be written into the GPE register
in enable_mask unconditionally before the write.

Since the ACPI_GPE_SAVE_MASK flag is not necessary any more after
that, drop it along with the symbols depending on it.

Reported-and-tested-by: Jim Bos <jim...@xs4all.nl>
Fixes: c50f13c672df (ACPICA: Save current masks of enabled GPEs after enable register writes)
Signed-off-by: Rafael J. Wysocki <rafael.j...@intel.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/acpi/acpica/evgpe.c | 5 +++--
drivers/acpi/acpica/hwgpe.c | 11 ++++-------
include/acpi/actypes.h | 4 ----
3 files changed, 7 insertions(+), 13 deletions(-)

--- a/drivers/acpi/acpica/evgpe.c
+++ b/drivers/acpi/acpica/evgpe.c
@@ -92,6 +92,7 @@ acpi_ev_update_gpe_enable_mask(struct ac
ACPI_SET_BIT(gpe_register_info->enable_for_run,
(u8)register_bit);
}
+ gpe_register_info->enable_mask = gpe_register_info->enable_for_run;

return_ACPI_STATUS(AE_OK);
}
@@ -123,7 +124,7 @@ acpi_status acpi_ev_enable_gpe(struct ac

/* Enable the requested GPE */

- status = acpi_hw_low_set_gpe(gpe_event_info, ACPI_GPE_ENABLE_SAVE);
+ status = acpi_hw_low_set_gpe(gpe_event_info, ACPI_GPE_ENABLE);
return_ACPI_STATUS(status);
}

@@ -202,7 +203,7 @@ acpi_ev_remove_gpe_reference(struct acpi
if (ACPI_SUCCESS(status)) {
status =
acpi_hw_low_set_gpe(gpe_event_info,
- ACPI_GPE_DISABLE_SAVE);
+ ACPI_GPE_DISABLE);
}

if (ACPI_FAILURE(status)) {
--- a/drivers/acpi/acpica/hwgpe.c
+++ b/drivers/acpi/acpica/hwgpe.c
@@ -89,6 +89,8 @@ u32 acpi_hw_get_gpe_register_bit(struct
* RETURN: Status
*
* DESCRIPTION: Enable or disable a single GPE in the parent enable register.
+ * The enable_mask field of the involved GPE register must be
+ * updated by the caller if necessary.
*
******************************************************************************/

@@ -119,7 +121,7 @@ acpi_hw_low_set_gpe(struct acpi_gpe_even
/* Set or clear just the bit that corresponds to this GPE */

register_bit = acpi_hw_get_gpe_register_bit(gpe_event_info);
- switch (action & ~ACPI_GPE_SAVE_MASK) {
+ switch (action) {
case ACPI_GPE_CONDITIONAL_ENABLE:

/* Only enable if the corresponding enable_mask bit is set */
@@ -149,9 +151,6 @@ acpi_hw_low_set_gpe(struct acpi_gpe_even
/* Write the updated enable mask */

status = acpi_hw_write(enable_mask, &gpe_register_info->enable_address);
- if (ACPI_SUCCESS(status) && (action & ACPI_GPE_SAVE_MASK)) {
- gpe_register_info->enable_mask = (u8)enable_mask;
- }
return (status);
}

@@ -286,10 +285,8 @@ acpi_hw_gpe_enable_write(u8 enable_mask,
{
acpi_status status;

+ gpe_register_info->enable_mask = enable_mask;
status = acpi_hw_write(enable_mask, &gpe_register_info->enable_address);
- if (ACPI_SUCCESS(status)) {
- gpe_register_info->enable_mask = enable_mask;
- }
return (status);
}

--- a/include/acpi/actypes.h
+++ b/include/acpi/actypes.h
@@ -756,10 +756,6 @@ typedef u32 acpi_event_status;
#define ACPI_GPE_ENABLE 0
#define ACPI_GPE_DISABLE 1
#define ACPI_GPE_CONDITIONAL_ENABLE 2
-#define ACPI_GPE_SAVE_MASK 4
-
-#define ACPI_GPE_ENABLE_SAVE (ACPI_GPE_ENABLE | ACPI_GPE_SAVE_MASK)
-#define ACPI_GPE_DISABLE_SAVE (ACPI_GPE_DISABLE | ACPI_GPE_SAVE_MASK)

/*
* GPE info flags - Per GPE

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:07 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sergej Sawazki <ce...@gmx.de>

commit 8787041d9bb832b9449b1eb878cedcebce42c61a upstream.

The WM8741 DAC supports the following typical audio sampling rates:
44.1kHz, 88.2kHz, 176.4kHz (eg: with a master clock of 22.5792MHz)
32kHz, 48kHz, 96kHz, 192kHz (eg: with a master clock of 24.576MHz)

For the rates lists, we should use 82000 instead of 88235, 176400
instead of 1764000 and 192000 instead of 19200 (seems to be a typo).

Signed-off-by: Sergej Sawazki <ce...@gmx.de>
Acked-by: Charles Keepax <cke...@opensource.wolfsonmicro.com>
Signed-off-by: Mark Brown <bro...@kernel.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

sound/soc/codecs/wm8741.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/sound/soc/codecs/wm8741.c
+++ b/sound/soc/codecs/wm8741.c
@@ -123,7 +123,7 @@ static struct {
};

static const unsigned int rates_11289[] = {
- 44100, 88235,
+ 44100, 88200,
};

static const struct snd_pcm_hw_constraint_list constraints_11289 = {
@@ -150,7 +150,7 @@ static const struct snd_pcm_hw_constrain
};

static const unsigned int rates_16934[] = {
- 44100, 88235,
+ 44100, 88200,
};

static const struct snd_pcm_hw_constraint_list constraints_16934 = {
@@ -168,7 +168,7 @@ static const struct snd_pcm_hw_constrain
};

static const unsigned int rates_22579[] = {
- 44100, 88235, 1764000
+ 44100, 88200, 176400
};

static const struct snd_pcm_hw_constraint_list constraints_22579 = {
@@ -186,7 +186,7 @@ static const struct snd_pcm_hw_constrain
};

static const unsigned int rates_36864[] = {
- 48000, 96000, 19200
+ 48000, 96000, 192000
};

static const struct snd_pcm_hw_constraint_list constraints_36864 = {

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:07 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebie...@xmission.com>

commit f53e57975151f54ad8caa1b0ac8a78091cd5700a upstream.

lookup_mountpoint can return either NULL or an error value.
Update the test in __detach_mounts to test for an error value
to avoid pathological cases causing a NULL pointer dereferences.

The callers of __detach_mounts should prevent it from ever being
called on an unlinked dentry but don't take any chances.

Signed-off-by: "Eric W. Biederman" <ebie...@xmission.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

fs/namespace.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1518,7 +1518,7 @@ void __detach_mounts(struct dentry *dent

namespace_lock();
mp = lookup_mountpoint(dentry);
- if (!mp)
+ if (IS_ERR_OR_NULL(mp))
goto out_unlock;

lock_mount_hash();

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:07 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Andre Przywara <andre.p...@arm.com>

commit fd1d0ddf2ae92fb3df42ed476939861806c5d785 upstream.

When userland injects a SPI via the KVM_IRQ_LINE ioctl we currently
only check it against a fixed limit, which historically is set
to 127. With the new dynamic IRQ allocation the effective limit may
actually be smaller (64).
So when now a malicious or buggy userland injects a SPI in that
range, we spill over on our VGIC bitmaps and bytemaps memory.
I could trigger a host kernel NULL pointer dereference with current
mainline by injecting some bogus IRQ number from a hacked kvmtool:
-----------------
....
DEBUG: kvm_vgic_inject_irq(kvm, cpu=0, irq=114, level=1)
DEBUG: vgic_update_irq_pending(kvm, cpu=0, irq=114, level=1)
DEBUG: IRQ #114 still in the game, writing to bytemap now...
Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = ffffffc07652e000
[00000000] *pgd=00000000f658b003, *pud=00000000f658b003, *pmd=0000000000000000
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 1053 Comm: lkvm-msi-irqinj Not tainted 4.0.0-rc7+ #3027
Hardware name: FVP Base (DT)
task: ffffffc0774e9680 ti: ffffffc0765a8000 task.ti: ffffffc0765a8000
PC is at kvm_vgic_inject_irq+0x234/0x310
LR is at kvm_vgic_inject_irq+0x30c/0x310
pc : [<ffffffc0000ae0a8>] lr : [<ffffffc0000ae180>] pstate: 80000145
.....

So this patch fixes this by checking the SPI number against the
actual limit. Also we remove the former legacy hard limit of
127 in the ioctl code.

Signed-off-by: Andre Przywara <andre.p...@arm.com>
Reviewed-by: Christoffer Dall <christof...@linaro.org>
[maz: wrap KVM_ARM_IRQ_GIC_MAX with #ifndef __KERNEL__,
as suggested by Christopher Covington]
Signed-off-by: Marc Zyngier <marc.z...@arm.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

arch/arm/include/uapi/asm/kvm.h | 8 +++++++-
arch/arm/kvm/arm.c | 3 +--
arch/arm64/include/uapi/asm/kvm.h | 8 +++++++-
virt/kvm/arm/vgic.c | 3 +++
4 files changed, 18 insertions(+), 4 deletions(-)

--- a/arch/arm/include/uapi/asm/kvm.h
+++ b/arch/arm/include/uapi/asm/kvm.h
@@ -195,8 +195,14 @@ struct kvm_arch_memory_slot {
#define KVM_ARM_IRQ_CPU_IRQ 0
#define KVM_ARM_IRQ_CPU_FIQ 1

-/* Highest supported SPI, from VGIC_NR_IRQS */
+/*
+ * This used to hold the highest supported SPI, but it is now obsolete
+ * and only here to provide source code level compatibility with older
+ * userland. The highest SPI number can be set via KVM_DEV_ARM_VGIC_GRP_NR_IRQS.
+ */
+#ifndef __KERNEL__
#define KVM_ARM_IRQ_GIC_MAX 127
+#endif

/* PSCI interface */
#define KVM_PSCI_FN_BASE 0x95c1ba5e
--- a/arch/arm/kvm/arm.c
+++ b/arch/arm/kvm/arm.c
@@ -651,8 +651,7 @@ int kvm_vm_ioctl_irq_line(struct kvm *kv
if (!irqchip_in_kernel(kvm))
return -ENXIO;

- if (irq_num < VGIC_NR_PRIVATE_IRQS ||
- irq_num > KVM_ARM_IRQ_GIC_MAX)
+ if (irq_num < VGIC_NR_PRIVATE_IRQS)
return -EINVAL;

return kvm_vgic_inject_irq(kvm, 0, irq_num, level);
--- a/arch/arm64/include/uapi/asm/kvm.h
+++ b/arch/arm64/include/uapi/asm/kvm.h
@@ -188,8 +188,14 @@ struct kvm_arch_memory_slot {
#define KVM_ARM_IRQ_CPU_IRQ 0
#define KVM_ARM_IRQ_CPU_FIQ 1

-/* Highest supported SPI, from VGIC_NR_IRQS */
+/*
+ * This used to hold the highest supported SPI, but it is now obsolete
+ * and only here to provide source code level compatibility with older
+ * userland. The highest SPI number can be set via KVM_DEV_ARM_VGIC_GRP_NR_IRQS.
+ */
+#ifndef __KERNEL__
#define KVM_ARM_IRQ_GIC_MAX 127
+#endif

/* PSCI interface */
#define KVM_PSCI_FN_BASE 0x95c1ba5e
--- a/virt/kvm/arm/vgic.c
+++ b/virt/kvm/arm/vgic.c
@@ -1371,6 +1371,9 @@ int kvm_vgic_inject_irq(struct kvm *kvm,
goto out;
}

+ if (irq_num >= kvm->arch.vgic.nr_irqs)
+ return -EINVAL;
+
vcpu_id = vgic_update_irq_pending(kvm, cpuid, irq_num, level);
if (vcpu_id >= 0) {
/* kick the specified vcpu */

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:08 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <ba...@ti.com>

commit 59c9904cce77b55892e15f40791f1e66e4d3a1e6 upstream.

Make sure we're using the new macro, so our
resume signaling will always pass certification.

Signed-off-by: Felipe Balbi <ba...@ti.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/usb/isp1760/isp1760-hcd.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/isp1760/isp1760-hcd.c
+++ b/drivers/usb/isp1760/isp1760-hcd.c
@@ -1869,7 +1869,7 @@ static int isp1760_hub_control(struct us
reg_write32(hcd->regs, HC_PORTSC1,
temp | PORT_RESUME);
priv->reset_done = jiffies +
- msecs_to_jiffies(20);
+ msecs_to_jiffies(USB_RESUME_TIMEOUT);
}
break;
case USB_PORT_FEAT_C_SUSPEND:

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:08 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sebastian Hesselbarth <sebastian....@gmail.com>

commit a74cd13b807029397f7232449df929bac11fb228 upstream.

Fix Dove's register addresses of uart2 and uart3 nodes that seem to
be broken since ages due to a copy-and-paste error.

Signed-off-by: Sebastian Hesselbarth <sebastian....@gmail.com>
Acked-by: Gregory CLEMENT <gregory...@free-electrons.com>
Signed-off-by: Gregory CLEMENT <gregory...@free-electrons.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

arch/arm/boot/dts/dove.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/boot/dts/dove.dtsi
+++ b/arch/arm/boot/dts/dove.dtsi
@@ -154,7 +154,7 @@

uart2: serial@12200 {
compatible = "ns16550a";
- reg = <0x12000 0x100>;
+ reg = <0x12200 0x100>;
reg-shift = <2>;
interrupts = <9>;
clocks = <&core_clk 0>;
@@ -163,7 +163,7 @@

uart3: serial@12300 {
compatible = "ns16550a";
- reg = <0x12100 0x100>;
+ reg = <0x12300 0x100>;
reg-shift = <2>;
interrupts = <10>;
clocks = <&core_clk 0>;

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:08 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Lucas Stach <l.s...@pengutronix.de>

commit f511ab09dfb0fe7b2335eccac51ff9f001a32e4a upstream.

They are used to decide if the controller can do DMA on a buffer
of a specific length and thus are needed before any transfer is attempted.

This fixes a memory leak where the SPI core uses the drivers can_dma()
callback to determine if a buffer needs to be mapped. As the watermark
levels aren't correct at that point the driver falsely claims to be able to
DMA the buffer when it fact it isn't.
After the transfer has been done the core uses the same callback to
determine if it needs to unmap the buffers. As the driver now correctly
claims to not being able to DMA the buffer the core doesn't attempt to
unmap the buffer which leaves the SGT leaking.

Fixes: f62caccd12c17e4 (spi: spi-imx: add DMA support)
Signed-off-by: Lucas Stach <l.s...@pengutronix.de>
Signed-off-by: Mark Brown <bro...@kernel.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/spi/spi-imx.c | 4 ++--

1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -370,8 +370,6 @@ static int __maybe_unused mx51_ecspi_con
if (spi_imx->dma_is_inited) {
dma = readl(spi_imx->base + MX51_ECSPI_DMA);

- spi_imx->tx_wml = spi_imx_get_fifosize(spi_imx) / 2;
- spi_imx->rx_wml = spi_imx_get_fifosize(spi_imx) / 2;
spi_imx->rxt_wml = spi_imx_get_fifosize(spi_imx) / 2;
rx_wml_cfg = spi_imx->rx_wml << MX51_ECSPI_DMA_RX_WML_OFFSET;
tx_wml_cfg = spi_imx->tx_wml << MX51_ECSPI_DMA_TX_WML_OFFSET;
@@ -868,6 +866,8 @@ static int spi_imx_sdma_init(struct devi
master->max_dma_len = MAX_SDMA_BD_BYTES;
spi_imx->bitbang.master->flags = SPI_MASTER_MUST_RX |
SPI_MASTER_MUST_TX;
+ spi_imx->tx_wml = spi_imx_get_fifosize(spi_imx) / 2;
+ spi_imx->rx_wml = spi_imx_get_fifosize(spi_imx) / 2;
spi_imx->dma_is_inited = 1;

return 0;

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:08 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sudeep Holla <sudeep...@arm.com>

commit 8a7d95f95c95f396decbd4cda6d4903fc4664946 upstream.

On architectures that depend on DT for obtaining cache hierarcy, we need
to validate the device node for all the cache indices, failing to do so
might result in wrong information being exposed to the userspace.

This is quite possible on initial/incomplete versions of the device
trees. In such cases, it's better to bail out if all the required device
nodes are not present.

This patch adds checks for the validation of device node for all the
caches and doesn't initialise the cacheinfo if there's any error.

Reported-by: Mark Rutland <mark.r...@arm.com>
Acked-by: Mark Rutland <mark.r...@arm.com>
Signed-off-by: Sudeep Holla <sudeep...@arm.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/base/cacheinfo.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/base/cacheinfo.c
+++ b/drivers/base/cacheinfo.c
@@ -62,15 +62,21 @@ static int cache_setup_of_node(unsigned
return -ENOENT;
}

- while (np && index < cache_leaves(cpu)) {
+ while (index < cache_leaves(cpu)) {
this_leaf = this_cpu_ci->info_list + index;
if (this_leaf->level != 1)
np = of_find_next_cache_node(np);
else
np = of_node_get(np);/* cpu node itself */
+ if (!np)
+ break;
this_leaf->of_node = np;
index++;
}
+
+ if (index != cache_leaves(cpu)) /* not all OF nodes populated */
+ return -ENOENT;
+
return 0;
}

@@ -189,8 +195,11 @@ static int detect_cache_attributes(unsig
* will be set up here only if they are not populated already
*/
ret = cache_shared_cpu_map_setup(cpu);
- if (ret)
+ if (ret) {
+ pr_warn("Unable to detect cache hierarcy from DT for CPU %d\n",
+ cpu);
goto free_ci;
+ }
return 0;

free_ci:

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:08 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.r...@arm.com>

commit 91d57155dc5ab4b311624b7ee570339b6af19ad5 upstream.

After writing the page tables, we use __inval_cache_range to invalidate
any stale cache entries. Strongly Ordered memory accesses are not
ordered w.r.t. cache maintenance instructions, and hence explicit memory
barriers are required to provide this ordering. However,
__inval_cache_range was written to be used on Normal Cacheable memory
once the MMU and caches are on, and does not have any barriers prior to
the DC instructions.

This patch adds a DMB between the page tables being written and the
corresponding cachelines being invalidated, ensuring that the
invalidation makes the new data visible to subsequent cacheable
accesses. A barrier is not required before the prior invalidate as we do
not access the page table memory area prior to this, and earlier
barriers in preserve_boot_args and set_cpu_boot_mode_flag ensures
ordering w.r.t. any stores performed prior to entering Linux.

Signed-off-by: Mark Rutland <mark.r...@arm.com>
Cc: Catalin Marinas <catalin...@arm.com>
Cc: Will Deacon <will....@arm.com>
Fixes: c218bca74eeafa2f ("arm64: Relax the kernel cache requirements for boot")
Signed-off-by: Will Deacon <will....@arm.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

arch/arm64/kernel/head.S | 1 +

1 file changed, 1 insertion(+)

--- a/arch/arm64/kernel/head.S
+++ b/arch/arm64/kernel/head.S
@@ -426,6 +426,7 @@ __create_page_tables:
*/
mov x0, x25
add x1, x26, #SWAPPER_DIR_SIZE
+ dmb sy
bl __inval_cache_range

mov lr, x27

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:08 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <n...@linux-iscsi.org>

commit c8e639852ad720499912acedfd6b072325fd2807 upstream.

This patch fixes a bug for COMPARE_AND_WRITE handling with
fabrics using SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC.

It adds the missing allocation for cmd->t_bidi_data_sg within
transport_generic_new_cmd() that is used by COMPARE_AND_WRITE
for the initial READ payload, even if the fabric is already
providing a pre-allocated buffer for cmd->t_data_sg.

Also, fix zero-length COMPARE_AND_WRITE handling within the
compare_and_write_callback() and target_complete_ok_work()
to queue the response, skipping the initial READ.

This fixes COMPARE_AND_WRITE emulation with loopback, vhost,
and xen-backend fabric drivers using SG_TO_MEM_NOALLOC.

Reported-by: Christoph Hellwig <h...@lst.de>
Cc: Christoph Hellwig <h...@lst.de>
Signed-off-by: Nicholas Bellinger <n...@linux-iscsi.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

unread,

May 2, 2015, 3:20:08 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: James Hogan <james...@imgtec.com>

commit 98119ad53376885819d93dfb8737b6a9a61ca0ba upstream.

Guest user mode can generate a guest MSA Disabled exception on an MSA
capable core by simply trying to execute an MSA instruction. Since this
exception is unknown to KVM it will be passed on to the guest kernel.
However guest Linux kernels prior to v3.15 do not set up an exception
handler for the MSA Disabled exception as they don't support any MSA
capable cores. This results in a guest OS panic.

Since an older processor ID may be being emulated, and MSA support is
not advertised to the guest, the correct behaviour is to generate a
Reserved Instruction exception in the guest kernel so it can send the
guest process an illegal instruction signal (SIGILL), as would happen
with a non-MSA-capable core.

Fix this as minimally as reasonably possible by preventing
kvm_mips_check_privilege() from relaying MSA Disabled exceptions from
guest user mode to the guest kernel, and handling the MSA Disabled
exception by emulating a Reserved Instruction exception in the guest,
via a new handle_msa_disabled() KVM callback.

Signed-off-by: James Hogan <james...@imgtec.com>
Cc: Paolo Bonzini <pbon...@redhat.com>
Cc: Paul Burton <paul....@imgtec.com>
Cc: Ralf Baechle <ra...@linux-mips.org>
Cc: Gleb Natapov <gl...@kernel.org>
Cc: linux...@linux-mips.org
Cc: k...@vger.kernel.org

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

arch/mips/include/asm/kvm_host.h | 2 ++
arch/mips/kvm/emulate.c | 1 +
arch/mips/kvm/mips.c | 4 ++++
arch/mips/kvm/trap_emul.c | 28 ++++++++++++++++++++++++++++
4 files changed, 35 insertions(+)

--- a/arch/mips/include/asm/kvm_host.h
+++ b/arch/mips/include/asm/kvm_host.h
@@ -322,6 +322,7 @@ enum mips_mmu_types {
#define T_TRAP 13 /* Trap instruction */
#define T_VCEI 14 /* Virtual coherency exception */
#define T_FPE 15 /* Floating point exception */
+#define T_MSADIS 21 /* MSA disabled exception */
#define T_WATCH 23 /* Watch address reference */
#define T_VCED 31 /* Virtual coherency data */

@@ -578,6 +579,7 @@ struct kvm_mips_callbacks {
int (*handle_syscall)(struct kvm_vcpu *vcpu);
int (*handle_res_inst)(struct kvm_vcpu *vcpu);
int (*handle_break)(struct kvm_vcpu *vcpu);
+ int (*handle_msa_disabled)(struct kvm_vcpu *vcpu);
int (*vm_init)(struct kvm *kvm);
int (*vcpu_init)(struct kvm_vcpu *vcpu);
int (*vcpu_setup)(struct kvm_vcpu *vcpu);
--- a/arch/mips/kvm/emulate.c
+++ b/arch/mips/kvm/emulate.c
@@ -2176,6 +2176,7 @@ enum emulation_result kvm_mips_check_pri
case T_SYSCALL:
case T_BREAK:
case T_RES_INST:
+ case T_MSADIS:
break;

case T_COP_UNUSABLE:
--- a/arch/mips/kvm/mips.c
+++ b/arch/mips/kvm/mips.c
@@ -1119,6 +1119,10 @@ int kvm_mips_handle_exit(struct kvm_run
ret = kvm_mips_callbacks->handle_break(vcpu);
break;

+ case T_MSADIS:
+ ret = kvm_mips_callbacks->handle_msa_disabled(vcpu);
+ break;
+
default:
kvm_err("Exception Code: %d, not yet handled, @ PC: %p, inst: 0x%08x BadVaddr: %#lx Status: %#lx\n",
exccode, opc, kvm_get_inst(opc, vcpu), badvaddr,
--- a/arch/mips/kvm/trap_emul.c
+++ b/arch/mips/kvm/trap_emul.c
@@ -330,6 +330,33 @@ static int kvm_trap_emul_handle_break(st
return ret;
}

+static int kvm_trap_emul_handle_msa_disabled(struct kvm_vcpu *vcpu)
+{
+ struct kvm_run *run = vcpu->run;
+ uint32_t __user *opc = (uint32_t __user *) vcpu->arch.pc;
+ unsigned long cause = vcpu->arch.host_cp0_cause;
+ enum emulation_result er = EMULATE_DONE;
+ int ret = RESUME_GUEST;
+
+ /* No MSA supported in guest, guest reserved instruction exception */
+ er = kvm_mips_emulate_ri_exc(cause, opc, run, vcpu);
+
+ switch (er) {
+ case EMULATE_DONE:
+ ret = RESUME_GUEST;
+ break;
+
+ case EMULATE_FAIL:
+ run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+ ret = RESUME_HOST;
+ break;
+
+ default:
+ BUG();
+ }
+ return ret;
+}
+
static int kvm_trap_emul_vm_init(struct kvm *kvm)
{
return 0;
@@ -470,6 +497,7 @@ static struct kvm_mips_callbacks kvm_tra
.handle_syscall = kvm_trap_emul_handle_syscall,
.handle_res_inst = kvm_trap_emul_handle_res_inst,
.handle_break = kvm_trap_emul_handle_break,
+ .handle_msa_disabled = kvm_trap_emul_handle_msa_disabled,

.vm_init = kvm_trap_emul_vm_init,
.vcpu_init = kvm_trap_emul_vcpu_init,

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:08 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sagi Grimberg <sa...@mellanox.com>

commit 4a579da2586bd3b79b025947ea24ede2bbfede62 upstream.

Before we reach to connection established we may get an
error event. In this case the core won't teardown this
connection (never established it), so we take care of freeing
it ourselves.

Signed-off-by: Sagi Grimberg <sa...@mellanox.com>
Signed-off-by: Nicholas Bellinger <n...@linux-iscsi.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/infiniband/ulp/isert/ib_isert.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)

--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -222,7 +222,7 @@ fail:
static void
isert_free_rx_descriptors(struct isert_conn *isert_conn)
{
- struct ib_device *ib_dev = isert_conn->conn_cm_id->device;
+ struct ib_device *ib_dev = isert_conn->conn_device->ib_device;
struct iser_rx_desc *rx_desc;
int i;

@@ -719,8 +719,8 @@ out:
static void
isert_connect_release(struct isert_conn *isert_conn)
{
- struct ib_device *ib_dev = isert_conn->conn_cm_id->device;
struct isert_device *device = isert_conn->conn_device;
+ struct ib_device *ib_dev = device->ib_device;

isert_dbg("conn %p\n", isert_conn);

@@ -728,7 +728,8 @@ isert_connect_release(struct isert_conn
isert_conn_free_fastreg_pool(isert_conn);

isert_free_rx_descriptors(isert_conn);
- rdma_destroy_id(isert_conn->conn_cm_id);
+ if (isert_conn->conn_cm_id)
+ rdma_destroy_id(isert_conn->conn_cm_id);

if (isert_conn->conn_qp) {
struct isert_comp *comp = isert_conn->conn_qp->recv_cq->cq_context;
@@ -878,12 +879,15 @@ isert_disconnected_handler(struct rdma_c
return 0;
}

-static void
+static int
isert_connect_error(struct rdma_cm_id *cma_id)
{
struct isert_conn *isert_conn = cma_id->qp->qp_context;

+ isert_conn->conn_cm_id = NULL;
isert_put_conn(isert_conn);
+
+ return -1;
}

static int
@@ -912,7 +916,7 @@ isert_cma_handler(struct rdma_cm_id *cma
case RDMA_CM_EVENT_REJECTED: /* FALLTHRU */
case RDMA_CM_EVENT_UNREACHABLE: /* FALLTHRU */
case RDMA_CM_EVENT_CONNECT_ERROR:
- isert_connect_error(cma_id);
+ ret = isert_connect_error(cma_id);
break;
default:
isert_err("Unhandled RDMA CMA event: %d\n", event->event);

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:08 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Anton Blanchard <an...@samba.org>

commit 58995a9a5b292458f94a2356b8c878230fa56fe0 upstream.

Commit 1bc9e47aa8e4 ("powerpc/jump_label: Use HAVE_JUMP_LABEL")
converted uses of CONFIG_JUMP_LABEL to HAVE_JUMP_LABEL in
some assembly files.

HAVE_JUMP_LABEL is defined in linux/jump_label.h, so we need to
include this or we always get the non jump label fallback code.

Signed-off-by: Anton Blanchard <an...@samba.org>
Acked-by: Michael Ellerman <m...@ellerman.id.au>
Acked-by: Peter Zijlstra (Intel) <pet...@infradead.org>
Cc: Andrew Morton <ak...@linux-foundation.org>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Paul E. McKenney <pau...@linux.vnet.ibm.com>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Cc: be...@kernel.crashing.org
Cc: catalin...@arm.com
Cc: da...@davemloft.net
Cc: heiko.c...@de.ibm.com
Cc: jba...@akamai.com
Cc: li...@arm.linux.org.uk
Cc: linuxp...@lists.ozlabs.org
Cc: liu...@gmail.com
Cc: mgo...@suse.de
Cc: mma...@suse.cz
Cc: pau...@samba.org
Cc: ra...@linux-mips.org
Cc: ros...@goodmis.org
Cc: schwi...@de.ibm.com
Cc: will....@arm.com
Fixes: 1bc9e47aa8e4 ("powerpc/jump_label: Use HAVE_JUMP_LABEL")
Link: http://lkml.kernel.org/r/1428551492-21977-3-...@samba.org
Signed-off-by: Ingo Molnar <mi...@kernel.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

arch/powerpc/platforms/powernv/opal-wrappers.S | 2 +-
arch/powerpc/platforms/pseries/hvCall.S | 2 +-
arch/powerpc/platforms/pseries/lpar.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)

--- a/arch/powerpc/platforms/powernv/opal-wrappers.S
+++ b/arch/powerpc/platforms/powernv/opal-wrappers.S
@@ -9,11 +9,11 @@
* 2 of the License, or (at your option) any later version.
*/

+#include <linux/jump_label.h>
#include <asm/ppc_asm.h>
#include <asm/hvcall.h>
#include <asm/asm-offsets.h>
#include <asm/opal.h>
-#include <asm/jump_label.h>

.section ".text"

--- a/arch/powerpc/platforms/pseries/hvCall.S
+++ b/arch/powerpc/platforms/pseries/hvCall.S
@@ -7,12 +7,12 @@
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*/
+#include <linux/jump_label.h>
#include <asm/hvcall.h>
#include <asm/processor.h>
#include <asm/ppc_asm.h>
#include <asm/asm-offsets.h>
#include <asm/ptrace.h>
-#include <asm/jump_label.h>

.section ".text"

--- a/arch/powerpc/platforms/pseries/lpar.c
+++ b/arch/powerpc/platforms/pseries/lpar.c
@@ -26,7 +26,7 @@
#include <linux/dma-mapping.h>
#include <linux/console.h>
#include <linux/export.h>
-#include <linux/static_key.h>
+#include <linux/jump_label.h>
#include <asm/processor.h>
#include <asm/mmu.h>
#include <asm/page.h>

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:09 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <ba...@ti.com>

commit 08debfb13b199716da6153940c31968c556b195d upstream.

Make sure we're using the new macro, so our
resume signaling will always pass certification.

Signed-off-by: Felipe Balbi <ba...@ti.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/usb/host/sl811-hcd.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/host/sl811-hcd.c
+++ b/drivers/usb/host/sl811-hcd.c
@@ -1259,7 +1259,7 @@ sl811h_hub_control(
sl811_write(sl811, SL11H_CTLREG1, sl811->ctrl1);

mod_timer(&sl811->timer, jiffies
- + msecs_to_jiffies(20));
+ + msecs_to_jiffies(USB_RESUME_TIMEOUT));
break;
case USB_PORT_FEAT_POWER:
port_power(sl811, 0);

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:09 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>

[ Upstream commit a31196b07f8034eba6a3487a1ad1bb5ec5cd58a5 ]

Commit 567e4b79731c ("net: rfs: add hash collision detection") had one
mistake :

RPS_NO_CPU is no longer the marker for invalid cpu in set_rps_cpu()
and get_rps_cpu(), as @next_cpu was the result of an AND with
rps_cpu_mask

This bug showed up on a host with 72 cpus :
next_cpu was 0x7f, and the code was trying to access percpu data of an
non existent cpu.

In a follow up patch, we might get rid of compares against nr_cpu_ids,
if we init the tables with 0. This is silly to test for a very unlikely
condition that exists only shortly after table initialization, as
we got rid of rps_reset_sock_flow() and similar functions that were
writing this RPS_NO_CPU magic value at flow dismantle : When table is
old enough, it never contains this value anymore.

Fixes: 567e4b79731c ("net: rfs: add hash collision detection")
Signed-off-by: Eric Dumazet <edum...@google.com>
Cc: Tom Herbert <t...@herbertland.com>
Cc: Ben Hutchings <b...@decadent.org.uk>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---

Documentation/networking/scaling.txt | 2 +-
net/core/dev.c | 12 ++++++------
2 files changed, 7 insertions(+), 7 deletions(-)

--- a/Documentation/networking/scaling.txt
+++ b/Documentation/networking/scaling.txt
@@ -282,7 +282,7 @@ following is true:

- The current CPU's queue head counter >= the recorded tail counter
value in rps_dev_flow[i]
-- The current CPU is unset (equal to RPS_NO_CPU)
+- The current CPU is unset (>= nr_cpu_ids)
- The current CPU is offline

After this check, the packet is sent to the (possibly updated) current
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3041,7 +3041,7 @@ static struct rps_dev_flow *
set_rps_cpu(struct net_device *dev, struct sk_buff *skb,
struct rps_dev_flow *rflow, u16 next_cpu)
{
- if (next_cpu != RPS_NO_CPU) {
+ if (next_cpu < nr_cpu_ids) {
#ifdef CONFIG_RFS_ACCEL
struct netdev_rx_queue *rxqueue;
struct rps_dev_flow_table *flow_table;
@@ -3146,7 +3146,7 @@ static int get_rps_cpu(struct net_device
* If the desired CPU (where last recvmsg was done) is
* different from current CPU (one in the rx-queue flow
* table entry), switch if one of the following holds:
- * - Current CPU is unset (equal to RPS_NO_CPU).
+ * - Current CPU is unset (>= nr_cpu_ids).
* - Current CPU is offline.
* - The current CPU's queue tail has advanced beyond the
* last packet that was enqueued using this table entry.
@@ -3154,14 +3154,14 @@ static int get_rps_cpu(struct net_device
* have been dequeued, thus preserving in order delivery.
*/
if (unlikely(tcpu != next_cpu) &&
- (tcpu == RPS_NO_CPU || !cpu_online(tcpu) ||
+ (tcpu >= nr_cpu_ids || !cpu_online(tcpu) ||
((int)(per_cpu(softnet_data, tcpu).input_queue_head -
rflow->last_qtail)) >= 0)) {
tcpu = next_cpu;
rflow = set_rps_cpu(dev, skb, rflow, next_cpu);
}

- if (tcpu != RPS_NO_CPU && cpu_online(tcpu)) {
+ if (tcpu < nr_cpu_ids && cpu_online(tcpu)) {
*rflowp = rflow;
cpu = tcpu;
goto done;
@@ -3202,14 +3202,14 @@ bool rps_may_expire_flow(struct net_devi
struct rps_dev_flow_table *flow_table;
struct rps_dev_flow *rflow;
bool expire = true;
- int cpu;
+ unsigned int cpu;

rcu_read_lock();
flow_table = rcu_dereference(rxqueue->rps_flow_table);
if (flow_table && flow_id <= flow_table->mask) {
rflow = &flow_table->flows[flow_id];
cpu = ACCESS_ONCE(rflow->cpu);
- if (rflow->filter == filter_id && cpu != RPS_NO_CPU &&
+ if (rflow->filter == filter_id && cpu < nr_cpu_ids &&
((int)(per_cpu(softnet_data, cpu).input_queue_head -
rflow->last_qtail) <
(int)(10 * flow_table->mask)))

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:09 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <ba...@ti.com>

commit 7e136bb71a08e8b8be3bc492f041d9b0bea3856d upstream.

Make sure we're using the new macro, so our
resume signaling will always pass certification.

Signed-off-by: Felipe Balbi <ba...@ti.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/usb/host/fotg210-hcd.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/host/fotg210-hcd.c
+++ b/drivers/usb/host/fotg210-hcd.c
@@ -1595,7 +1595,7 @@ static int fotg210_hub_control(
/* resume signaling for 20 msec */
fotg210_writel(fotg210, temp | PORT_RESUME, status_reg);
fotg210->reset_done[wIndex] = jiffies
- + msecs_to_jiffies(20);
+ + msecs_to_jiffies(USB_RESUME_TIMEOUT);
break;
case USB_PORT_FEAT_C_SUSPEND:
clear_bit(wIndex, &fotg210->port_c_suspend);

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:09 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Lv Zheng <lv.z...@intel.com>

commit 2b8760100e1de69b6ff004c986328a82947db4ad upstream.

ACPICA commit aacf863cfffd46338e268b7415f7435cae93b451

It is reported that on a physically 64-bit addressed machine, 32-bit kernel
can trigger crashes in accessing the memory regions that are beyond the
32-bit boundary. The region field's start address should still be 32-bit
compliant, but after a calculation (adding some offsets), it may exceed the
32-bit boundary. This case is rare and buggy, but there are real BIOSes
leaked with such issues (see References below).

This patch fixes this gap by always defining IO addresses as 64-bit, and
allows OSPMs to optimize it for a real 32-bit machine to reduce the size of
the internal objects.

Internal acpi_physical_address usages in the structures that can be fixed
by this change include:
1. struct acpi_object_region:
acpi_physical_address address;
2. struct acpi_address_range:
acpi_physical_address start_address;
acpi_physical_address end_address;
3. struct acpi_mem_space_context;
acpi_physical_address address;
4. struct acpi_table_desc
acpi_physical_address address;
See known issues 1 for other usages.

Note that acpi_io_address which is used for ACPI_PROCESSOR may also suffer
from same problem, so this patch changes it accordingly.

For iasl, it will enforce acpi_physical_address as 32-bit to generate
32-bit OSPM compatible tables on 32-bit platforms, we need to define
ACPI_32BIT_PHYSICAL_ADDRESS for it in acenv.h.

Known issues:
1. Cleanup of mapped virtual address
In struct acpi_mem_space_context, acpi_physical_address is used as a virtual
address:
acpi_physical_address mapped_physical_address;
It is better to introduce acpi_virtual_address or use acpi_size instead.
This patch doesn't make such a change. Because this should be done along
with a change to acpi_os_map_memory()/acpi_os_unmap_memory().
There should be no functional problem to leave this unchanged except
that only this structure is enlarged unexpectedly.

Link: https://github.com/acpica/acpica/commit/aacf863c
Reference: https://bugzilla.kernel.org/show_bug.cgi?id=87971
Reference: https://bugzilla.kernel.org/show_bug.cgi?id=79501
Reported-and-tested-by: Paul Menzel <paule...@users.sourceforge.net>
Reported-and-tested-by: Sial Nije <sial...@gmail.com>
Signed-off-by: Lv Zheng <lv.z...@intel.com>
Signed-off-by: Bob Moore <robert...@intel.com>

Signed-off-by: Rafael J. Wysocki <rafael.j...@intel.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

include/acpi/actypes.h | 20 ++++++++++++++++++++
include/acpi/platform/acenv.h | 1 +
2 files changed, 21 insertions(+)

--- a/include/acpi/actypes.h
+++ b/include/acpi/actypes.h
@@ -199,9 +199,29 @@ typedef int s32;
typedef s32 acpi_native_int;

typedef u32 acpi_size;
+
+#ifdef ACPI_32BIT_PHYSICAL_ADDRESS
+
+/*
+ * OSPMs can define this to shrink the size of the structures for 32-bit
+ * none PAE environment. ASL compiler may always define this to generate
+ * 32-bit OSPM compliant tables.
+ */
typedef u32 acpi_io_address;
typedef u32 acpi_physical_address;

+#else /* ACPI_32BIT_PHYSICAL_ADDRESS */
+
+/*
+ * It is reported that, after some calculations, the physical addresses can
+ * wrap over the 32-bit boundary on 32-bit PAE environment.
+ * https://bugzilla.kernel.org/show_bug.cgi?id=87971
+ */
+typedef u64 acpi_io_address;
+typedef u64 acpi_physical_address;
+
+#endif /* ACPI_32BIT_PHYSICAL_ADDRESS */
+
#define ACPI_MAX_PTR ACPI_UINT32_MAX
#define ACPI_SIZE_MAX ACPI_UINT32_MAX

--- a/include/acpi/platform/acenv.h
+++ b/include/acpi/platform/acenv.h
@@ -76,6 +76,7 @@
#define ACPI_LARGE_NAMESPACE_NODE
#define ACPI_DATA_TABLE_DISASSEMBLY
#define ACPI_SINGLE_THREADED
+#define ACPI_32BIT_PHYSICAL_ADDRESS
#endif

/* acpi_exec configuration. Multithreaded with full AML debugger */

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:09 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <ba...@ti.com>

commit e3c93e1a3f35be4cf1493d3ccfb0c6d9209e4922 upstream.

As per Mentor Graphics' documentation, we should
always handle TX endpoints before RX endpoints.

This patch fixes that error while also updating
some hard-to-read comments which were scattered
around musb_interrupt().

This patch should be backported as far back as
possible since this error has been in the driver
since it's conception.

Signed-off-by: Felipe Balbi <ba...@ti.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/usb/musb/musb_core.c | 44 +++++++++++++++++++++++++------------------
1 file changed, 26 insertions(+), 18 deletions(-)

--- a/drivers/usb/musb/musb_core.c
+++ b/drivers/usb/musb/musb_core.c
@@ -1597,16 +1597,30 @@ irqreturn_t musb_interrupt(struct musb *
is_host_active(musb) ? "host" : "peripheral",
musb->int_usb, musb->int_tx, musb->int_rx);

- /* the core can interrupt us for multiple reasons; docs have
- * a generic interrupt flowchart to follow
+ /**
+ * According to Mentor Graphics' documentation, flowchart on page 98,
+ * IRQ should be handled as follows:
+ *
+ * . Resume IRQ
+ * . Session Request IRQ
+ * . VBUS Error IRQ
+ * . Suspend IRQ
+ * . Connect IRQ
+ * . Disconnect IRQ
+ * . Reset/Babble IRQ
+ * . SOF IRQ (we're not using this one)
+ * . Endpoint 0 IRQ
+ * . TX Endpoints
+ * . RX Endpoints
+ *
+ * We will be following that flowchart in order to avoid any problems
+ * that might arise with internal Finite State Machine.
*/
+
if (musb->int_usb)
retval |= musb_stage0_irq(musb, musb->int_usb,
devctl);

- /* "stage 1" is handling endpoint irqs */
-
- /* handle endpoint 0 first */
if (musb->int_tx & 1) {
if (is_host_active(musb))
retval |= musb_h_ep0_irq(musb);
@@ -1614,37 +1628,31 @@ irqreturn_t musb_interrupt(struct musb *
retval |= musb_g_ep0_irq(musb);
}

- /* RX on endpoints 1-15 */
- reg = musb->int_rx >> 1;
+ reg = musb->int_tx >> 1;
ep_num = 1;
while (reg) {
if (reg & 1) {
- /* musb_ep_select(musb->mregs, ep_num); */
- /* REVISIT just retval = ep->rx_irq(...) */
retval = IRQ_HANDLED;
if (is_host_active(musb))
- musb_host_rx(musb, ep_num);
+ musb_host_tx(musb, ep_num);
else
- musb_g_rx(musb, ep_num);
+ musb_g_tx(musb, ep_num);
}
-
reg >>= 1;
ep_num++;
}

- /* TX on endpoints 1-15 */
- reg = musb->int_tx >> 1;
+ reg = musb->int_rx >> 1;
ep_num = 1;
while (reg) {
if (reg & 1) {
- /* musb_ep_select(musb->mregs, ep_num); */
- /* REVISIT just retval |= ep->tx_irq(...) */
retval = IRQ_HANDLED;
if (is_host_active(musb))
- musb_host_tx(musb, ep_num);
+ musb_host_rx(musb, ep_num);
else
- musb_g_tx(musb, ep_num);
+ musb_g_rx(musb, ep_num);
}
+
reg >>= 1;
ep_num++;

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:09 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <one...@suse.de>

commit 7a8e53c414c8183e8735e3b08d9a776200e6e665 upstream.

This mouse needs QUIRK_ALWAYS_POLL.

Signed-off-by: Oliver Neukum <one...@suse.de>
Signed-off-by: Jiri Kosina <jko...@suse.cz>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/hid/hid-ids.h | 3 +++
drivers/hid/usbhid/hid-quirks.c | 1 +
2 files changed, 4 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -459,6 +459,9 @@
#define USB_DEVICE_ID_UGCI_FLYING 0x0020
#define USB_DEVICE_ID_UGCI_FIGHTING 0x0030

+#define USB_VENDOR_ID_HP 0x03f0
+#define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE 0x0a4a
+
#define USB_VENDOR_ID_HUION 0x256c
#define USB_DEVICE_ID_HUION_TABLET 0x006e

--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -78,6 +78,7 @@ static const struct hid_blacklist {
{ USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2700, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_FORMOSA, USB_DEVICE_ID_FORMOSA_IR_RECEIVER, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_FREESCALE, USB_DEVICE_ID_FREESCALE_MX28, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_C077, HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_MGE, USB_DEVICE_ID_MGE_UPS, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3, HID_QUIRK_NO_INIT_REPORTS },

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:10 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Akinobu Mita <akinob...@gmail.com>

commit 64d240b721b21e266ffde645ec965c3b6d1c551f upstream.

When UNMAP command is issued with DIF protection support enabled,
the protection info for the unmapped region is remain unchanged.
So READ command for the region causes data integrity failure.

This fixes it by invalidating protection info for the unmapped region
by filling with 0xff pattern. This change also adds helper function
fd_do_prot_fill() in order to reduce code duplication with existing
fd_format_prot().

Signed-off-by: Akinobu Mita <akinob...@gmail.com>
Reviewed-by: Sagi Grimberg <sa...@mellanox.com>
Reviewed-by: "Martin K. Petersen" <martin....@oracle.com>
Cc: Christoph Hellwig <h...@lst.de>
Cc: "James E.J. Bottomley" <James.B...@HansenPartnership.com>
Signed-off-by: Nicholas Bellinger <n...@linux-iscsi.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/target/target_core_file.c | 86 ++++++++++++++++++++++++++------------
1 file changed, 61 insertions(+), 25 deletions(-)

--- a/drivers/target/target_core_file.c
+++ b/drivers/target/target_core_file.c
@@ -550,6 +550,56 @@ fd_execute_write_same(struct se_cmd *cmd
return 0;
}

+static int
+fd_do_prot_fill(struct se_device *se_dev, sector_t lba, sector_t nolb,
+ void *buf, size_t bufsize)
+{
+ struct fd_dev *fd_dev = FD_DEV(se_dev);
+ struct file *prot_fd = fd_dev->fd_prot_file;
+ sector_t prot_length, prot;
+ loff_t pos = lba * se_dev->prot_length;
+
+ if (!prot_fd) {
+ pr_err("Unable to locate fd_dev->fd_prot_file\n");
+ return -ENODEV;
+ }
+
+ prot_length = nolb * se_dev->prot_length;
+
+ for (prot = 0; prot < prot_length;) {
+ sector_t len = min_t(sector_t, bufsize, prot_length - prot);
+ ssize_t ret = kernel_write(prot_fd, buf, len, pos + prot);
+
+ if (ret != len) {
+ pr_err("vfs_write to prot file failed: %zd\n", ret);
+ return ret < 0 ? ret : -ENODEV;
+ }
+ prot += ret;
+ }
+
+ return 0;
+}
+
+static int
+fd_do_prot_unmap(struct se_cmd *cmd, sector_t lba, sector_t nolb)
+{
+ void *buf;
+ int rc;
+
+ buf = (void *)__get_free_page(GFP_KERNEL);
+ if (!buf) {
+ pr_err("Unable to allocate FILEIO prot buf\n");
+ return -ENOMEM;
+ }
+ memset(buf, 0xff, PAGE_SIZE);
+
+ rc = fd_do_prot_fill(cmd->se_dev, lba, nolb, buf, PAGE_SIZE);
+
+ free_page((unsigned long)buf);
+
+ return rc;
+}
+
static sense_reason_t
fd_do_unmap(struct se_cmd *cmd, void *priv, sector_t lba, sector_t nolb)
{
@@ -557,6 +607,12 @@ fd_do_unmap(struct se_cmd *cmd, void *pr
struct inode *inode = file->f_mapping->host;
int ret;

+ if (cmd->se_dev->dev_attrib.pi_prot_type) {
+ ret = fd_do_prot_unmap(cmd, lba, nolb);
+ if (ret)
+ return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+ }
+
if (S_ISBLK(inode->i_mode)) {
/* The backend is block device, use discard */
struct block_device *bdev = inode->i_bdev;
@@ -879,48 +935,28 @@ static int fd_init_prot(struct se_device

static int fd_format_prot(struct se_device *dev)
{
- struct fd_dev *fd_dev = FD_DEV(dev);
- struct file *prot_fd = fd_dev->fd_prot_file;
- sector_t prot_length, prot;
unsigned char *buf;
- loff_t pos = 0;
int unit_size = FDBD_FORMAT_UNIT_SIZE * dev->dev_attrib.block_size;
- int rc, ret = 0, size, len;
+ int ret;

if (!dev->dev_attrib.pi_prot_type) {
pr_err("Unable to format_prot while pi_prot_type == 0\n");
return -ENODEV;
}
- if (!prot_fd) {
- pr_err("Unable to locate fd_dev->fd_prot_file\n");
- return -ENODEV;
- }

buf = vzalloc(unit_size);
if (!buf) {
pr_err("Unable to allocate FILEIO prot buf\n");
return -ENOMEM;
}
- prot_length = (dev->transport->get_blocks(dev) + 1) * dev->prot_length;
- size = prot_length;

pr_debug("Using FILEIO prot_length: %llu\n",
- (unsigned long long)prot_length);
+ (unsigned long long)(dev->transport->get_blocks(dev) + 1) *
+ dev->prot_length);

memset(buf, 0xff, unit_size);
- for (prot = 0; prot < prot_length; prot += unit_size) {
- len = min(unit_size, size);
- rc = kernel_write(prot_fd, buf, len, pos);
- if (rc != len) {
- pr_err("vfs_write to prot file failed: %d\n", rc);
- ret = -ENODEV;
- goto out;
- }
- pos += len;
- size -= len;
- }
-
-out:
+ ret = fd_do_prot_fill(dev, 0, dev->transport->get_blocks(dev) + 1,
+ buf, unit_size);
vfree(buf);
return ret;

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:10 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Pascal Huerst <pascal...@gmail.com>

commit 74ff960222d90999508b4ba0d3449f796695b6d5 upstream.

The delay time after a reset in the codec probe callback was too short,
and did not work on certain hw because the codec needs more time to
power on. This increases the delay time from 1us to 1ms.

Signed-off-by: Pascal Huerst <pascal...@gmail.com>
Acked-by: Brian Austin <brian....@cirrus.com>
Signed-off-by: Mark Brown <bro...@kernel.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

sound/soc/codecs/cs4271.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/soc/codecs/cs4271.c
+++ b/sound/soc/codecs/cs4271.c
@@ -561,10 +561,10 @@ static int cs4271_codec_probe(struct snd
if (gpio_is_valid(cs4271->gpio_nreset)) {
/* Reset codec */
gpio_direction_output(cs4271->gpio_nreset, 0);
- udelay(1);
+ mdelay(1);
gpio_set_value(cs4271->gpio_nreset, 1);
/* Give the codec time to wake up */
- udelay(1);
+ mdelay(1);
}

ret = regmap_update_bits(cs4271->regmap, CS4271_MODE2,

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:10 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Gregory CLEMENT <gregory...@free-electrons.com>

commit 548ae94c1cc7fc120848757249b9a542b1080ffb upstream.

On Armada 38x SoCs, under heavy I/O load, the system hangs when CPU
Idle is enabled. Waiting for a solution to this issue, this patch
disables the CPU Idle support for this SoC.

As CPU Hot plug support also uses some of the CPU Idle functions it is
also affected by the same issue. This patch disables it also for the
Armada 38x SoCs.

Signed-off-by: Gregory CLEMENT <gregory...@free-electrons.com>
Tested-by: Thomas Petazzoni <thomas.p...@free-electrons.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

arch/arm/mach-mvebu/pmsu.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)

--- a/arch/arm/mach-mvebu/pmsu.c
+++ b/arch/arm/mach-mvebu/pmsu.c
@@ -415,6 +415,9 @@ static __init int armada_38x_cpuidle_ini
void __iomem *mpsoc_base;
u32 reg;

+ pr_warn("CPU idle is currently broken on Armada 38x: disabling");
+ return 0;
+
np = of_find_compatible_node(NULL, NULL,
"marvell,armada-380-coherency-fabric");
if (!np)
@@ -476,6 +479,16 @@ static int __init mvebu_v7_cpu_pm_init(v
return 0;
of_node_put(np);

+ /*
+ * Currently the CPU idle support for Armada 38x is broken, as
+ * the CPU hotplug uses some of the CPU idle functions it is
+ * broken too, so let's disable it
+ */
+ if (of_machine_is_compatible("marvell,armada380")) {
+ cpu_hotplug_disable();
+ pr_warn("CPU hotplug support is currently broken on Armada 38x: disabling");
+ }
+
if (of_machine_is_compatible("marvell,armadaxp"))
ret = armada_xp_cpuidle_init();
else if (of_machine_is_compatible("marvell,armada370"))
@@ -489,7 +502,8 @@ static int __init mvebu_v7_cpu_pm_init(v
return ret;

mvebu_v7_pmsu_enable_l2_powerdown_onidle();
- platform_device_register(&mvebu_v7_cpuidle_device);
+ if (mvebu_v7_cpuidle_device.name)
+ platform_device_register(&mvebu_v7_cpuidle_device);
cpu_pm_register_notifier(&mvebu_v7_cpu_pm_notifier);

return 0;

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:10 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Kailang Yang <kai...@realtek.com>

commit d32b66668c702aed0e330dc5ca186afbadcdacf8 upstream.

Switch default pcbeep path to Line in path.

Signed-off-by: Kailang Yang <kai...@realtek.com>
Tested-by: Hui Wang <hui....@canonical.com>
Signed-off-by: Takashi Iwai <ti...@suse.de>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c

unread,

May 2, 2015, 3:20:07 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Malcolm Priestley <tvbo...@gmail.com>

commit a6388e68321a1e0a0f408379c2a36396807745b3 upstream.

Information for packet type is in ieee80211_tx_info

band IEEE80211_BAND_5GHZ for PK_TYPE_11A.

IEEE80211_TX_RC_USE_CTS_PROTECT via tx_rate flags selects PK_TYPE_11GB

This ensures that the packet is always the right type.

Signed-off-by: Malcolm Priestley <tvbo...@gmail.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/staging/vt6655/rxtx.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/staging/vt6655/rxtx.c
+++ b/drivers/staging/vt6655/rxtx.c
@@ -1308,10 +1308,18 @@ int vnt_generate_fifo_header(struct vnt_
priv->hw->conf.chandef.chan->hw_value);
}

- if (current_rate > RATE_11M)
- pkt_type = (u8)priv->byPacketType;
- else
+ if (current_rate > RATE_11M) {
+ if (info->band == IEEE80211_BAND_5GHZ) {
+ pkt_type = PK_TYPE_11A;
+ } else {
+ if (tx_rate->flags & IEEE80211_TX_RC_USE_CTS_PROTECT)
+ pkt_type = PK_TYPE_11GB;
+ else
+ pkt_type = PK_TYPE_11GA;
+ }
+ } else {
pkt_type = PK_TYPE_11B;
+ }

/*Set fifo controls */
if (pkt_type == PK_TYPE_11A)

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:07 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.r...@arm.com>

commit 137650aad96c9594683445e41afa8ac5a2097520 upstream.

Currently we only perform alternative patching for kernels built with
CONFIG_SMP, as we call apply_alternatives_all() in smp.c, which is only
built for CONFIG_SMP. Thus !SMP kernels may not have necessary
alternatives patched in.

This patch ensures that we call apply_alternatives_all() once all CPUs
are booted, even for !SMP kernels, by having the smp_init_cpus() stub
call this for !SMP kernels via up_late_init. A new wrapper,
do_post_cpus_up_work, is added so we can hook other calls here later
(e.g. boot mode logging).

Cc: Andre Przywara <andre.p...@arm.com>
Cc: Catalin Marinas <catalin...@arm.com>
Fixes: e039ee4ee3fcf174 ("arm64: add alternative runtime patching")
Tested-by: Ard Biesheuvel <ard.bie...@linaro.org>
Reviewed-by: Ard Biesheuvel <ard.bie...@linaro.org>
Signed-off-by: Mark Rutland <mark.r...@arm.com>
Signed-off-by: Will Deacon <will....@arm.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

arch/arm64/Kconfig | 4 ++++
arch/arm64/include/asm/smp_plat.h | 2 ++
arch/arm64/kernel/setup.c | 12 ++++++++++++
arch/arm64/kernel/smp.c | 2 +-
4 files changed, 19 insertions(+), 1 deletion(-)

--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -470,6 +470,10 @@ config HOTPLUG_CPU

source kernel/Kconfig.preempt

+config UP_LATE_INIT
+ def_bool y
+ depends on !SMP
+
config HZ
int
default 100
--- a/arch/arm64/include/asm/smp_plat.h
+++ b/arch/arm64/include/asm/smp_plat.h
@@ -40,4 +40,6 @@ static inline u32 mpidr_hash_size(void)
extern u64 __cpu_logical_map[NR_CPUS];
#define cpu_logical_map(cpu) __cpu_logical_map[cpu]

+void __init do_post_cpus_up_work(void);
+
#endif /* __ASM_SMP_PLAT_H */
--- a/arch/arm64/kernel/setup.c
+++ b/arch/arm64/kernel/setup.c
@@ -207,6 +207,18 @@ static void __init smp_build_mpidr_hash(
}
#endif

+void __init do_post_cpus_up_work(void)
+{
+ apply_alternatives_all();
+}
+
+#ifdef CONFIG_UP_LATE_INIT
+void __init up_late_init(void)
+{
+ do_post_cpus_up_work();
+}
+#endif /* CONFIG_UP_LATE_INIT */
+
static void __init setup_processor(void)
{
struct cpu_info *cpu_info;
--- a/arch/arm64/kernel/smp.c
+++ b/arch/arm64/kernel/smp.c
@@ -309,7 +309,7 @@ void cpu_die(void)
void __init smp_cpus_done(unsigned int max_cpus)
{
pr_info("SMP: Total of %d processors activated.\n", num_online_cpus());
- apply_alternatives_all();
+ do_post_cpus_up_work();
}

void __init smp_prepare_boot_cpu(void)

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:07 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Charles Keepax <cke...@opensource.wolfsonmicro.com>

commit 4e330ae4ab2915444f1e6dca1358a910aa259362 upstream.

There are two PMICs on Cragganmore, currently one dynamically assign
its IRQ base and the other uses a fixed base. It is possible for the
statically assigned PMIC to fail if its IRQ is taken by the dynamically
assigned one. Fix this by statically assigning both the IRQ bases.

Signed-off-by: Charles Keepax <cke...@opensource.wolfsonmicro.com>
Signed-off-by: Kukjin Kim <kg...@kernel.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

arch/arm/mach-s3c64xx/crag6410.h | 1 +
arch/arm/mach-s3c64xx/mach-crag6410.c | 1 +
2 files changed, 2 insertions(+)

--- a/arch/arm/mach-s3c64xx/crag6410.h
+++ b/arch/arm/mach-s3c64xx/crag6410.h
@@ -14,6 +14,7 @@
#include <mach/gpio-samsung.h>

#define GLENFARCLAS_PMIC_IRQ_BASE IRQ_BOARD_START
+#define BANFF_PMIC_IRQ_BASE (IRQ_BOARD_START + 64)

#define PCA935X_GPIO_BASE GPIO_BOARD_START
#define CODEC_GPIO_BASE (GPIO_BOARD_START + 8)
--- a/arch/arm/mach-s3c64xx/mach-crag6410.c
+++ b/arch/arm/mach-s3c64xx/mach-crag6410.c
@@ -554,6 +554,7 @@ static struct wm831x_touch_pdata touch_p

static struct wm831x_pdata crag_pmic_pdata = {
.wm831x_num = 1,
+ .irq_base = BANFF_PMIC_IRQ_BASE,
.gpio_base = BANFF_PMIC_GPIO_BASE,
.soft_shutdown = true,

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:08 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <n...@linux-iscsi.org>

commit 88dcd2dab5c23b1c9cfc396246d8f476c872f0ca upstream.

This patch converts iscsi-target code to use modern kthread.h API
callers for creating RX/TX threads for each new iscsi_conn descriptor,
and releasing associated RX/TX threads during connection shutdown.

This is done using iscsit_start_kthreads() -> kthread_run() to start
new kthreads from within iscsi_post_login_handler(), and invoking
kthread_stop() from existing iscsit_close_connection() code.

Also, convert iscsit_logout_post_handler_closesession() code to use
cmpxchg when determing when iscsit_cause_connection_reinstatement()
needs to sleep waiting for completion.

Reported-by: Sagi Grimberg <sa...@mellanox.com>
Tested-by: Sagi Grimberg <sa...@mellanox.com>
Cc: Slava Shwartsman <valyu...@gmail.com>
Signed-off-by: Nicholas Bellinger <n...@linux-iscsi.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/target/iscsi/iscsi_target.c | 104 ++++++++++++------------------
drivers/target/iscsi/iscsi_target_erl0.c | 13 ++-
drivers/target/iscsi/iscsi_target_login.c | 59 +++++++++++++++--
include/target/iscsi/iscsi_target_core.h | 7 ++
4 files changed, 114 insertions(+), 69 deletions(-)

--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -537,7 +537,7 @@ static struct iscsit_transport iscsi_tar

static int __init iscsi_target_init_module(void)
{
- int ret = 0;
+ int ret = 0, size;

pr_debug("iSCSI-Target "ISCSIT_VERSION"\n");

@@ -546,6 +546,7 @@ static int __init iscsi_target_init_modu
pr_err("Unable to allocate memory for iscsit_global\n");
return -1;
}
+ spin_lock_init(&iscsit_global->ts_bitmap_lock);
mutex_init(&auth_id_lock);
spin_lock_init(&sess_idr_lock);
idr_init(&tiqn_idr);
@@ -555,15 +556,11 @@ static int __init iscsi_target_init_modu
if (ret < 0)
goto out;

- ret = iscsi_thread_set_init();
- if (ret < 0)
+ size = BITS_TO_LONGS(ISCSIT_BITMAP_BITS) * sizeof(long);
+ iscsit_global->ts_bitmap = vzalloc(size);
+ if (!iscsit_global->ts_bitmap) {
+ pr_err("Unable to allocate iscsit_global->ts_bitmap\n");
goto configfs_out;
-
- if (iscsi_allocate_thread_sets(TARGET_THREAD_SET_COUNT) !=
- TARGET_THREAD_SET_COUNT) {
- pr_err("iscsi_allocate_thread_sets() returned"
- " unexpected value!\n");
- goto ts_out1;
}

lio_qr_cache = kmem_cache_create("lio_qr_cache",
@@ -572,7 +569,7 @@ static int __init iscsi_target_init_modu
if (!lio_qr_cache) {
pr_err("nable to kmem_cache_create() for"
" lio_qr_cache\n");
- goto ts_out2;
+ goto bitmap_out;
}

lio_dr_cache = kmem_cache_create("lio_dr_cache",
@@ -617,10 +614,8 @@ dr_out:
kmem_cache_destroy(lio_dr_cache);
qr_out:
kmem_cache_destroy(lio_qr_cache);
-ts_out2:
- iscsi_deallocate_thread_sets();
-ts_out1:
- iscsi_thread_set_free();
+bitmap_out:
+ vfree(iscsit_global->ts_bitmap);
configfs_out:
iscsi_target_deregister_configfs();
out:
@@ -630,8 +625,6 @@ out:

static void __exit iscsi_target_cleanup_module(void)
{
- iscsi_deallocate_thread_sets();
- iscsi_thread_set_free();
iscsit_release_discovery_tpg();
iscsit_unregister_transport(&iscsi_target_transport);
kmem_cache_destroy(lio_qr_cache);
@@ -641,6 +634,7 @@ static void __exit iscsi_target_cleanup_

iscsi_target_deregister_configfs();

+ vfree(iscsit_global->ts_bitmap);
kfree(iscsit_global);
}

@@ -3715,17 +3709,16 @@ static int iscsit_send_reject(

void iscsit_thread_get_cpumask(struct iscsi_conn *conn)
{
- struct iscsi_thread_set *ts = conn->thread_set;
int ord, cpu;
/*
- * thread_id is assigned from iscsit_global->ts_bitmap from
- * within iscsi_thread_set.c:iscsi_allocate_thread_sets()
+ * bitmap_id is assigned from iscsit_global->ts_bitmap from
+ * within iscsit_start_kthreads()
*
- * Here we use thread_id to determine which CPU that this
- * iSCSI connection's iscsi_thread_set will be scheduled to
+ * Here we use bitmap_id to determine which CPU that this
+ * iSCSI connection's RX/TX threads will be scheduled to
* execute upon.
*/
- ord = ts->thread_id % cpumask_weight(cpu_online_mask);
+ ord = conn->bitmap_id % cpumask_weight(cpu_online_mask);
for_each_online_cpu(cpu) {
if (ord-- == 0) {
cpumask_set_cpu(cpu, conn->conn_cpumask);
@@ -3914,7 +3907,7 @@ check_rsp_state:
switch (state) {
case ISTATE_SEND_LOGOUTRSP:
if (!iscsit_logout_post_handler(cmd, conn))
- goto restart;
+ return -ECONNRESET;
/* fall through */
case ISTATE_SEND_STATUS:
case ISTATE_SEND_ASYNCMSG:
@@ -3942,8 +3935,6 @@ check_rsp_state:

err:
return -1;
-restart:
- return -EAGAIN;
}

static int iscsit_handle_response_queue(struct iscsi_conn *conn)
@@ -3970,21 +3961,13 @@ static int iscsit_handle_response_queue(
int iscsi_target_tx_thread(void *arg)
{
int ret = 0;
- struct iscsi_conn *conn;
- struct iscsi_thread_set *ts = arg;
+ struct iscsi_conn *conn = arg;
/*
* Allow ourselves to be interrupted by SIGINT so that a
* connection recovery / failure event can be triggered externally.
*/
allow_signal(SIGINT);

-restart:
- conn = iscsi_tx_thread_pre_handler(ts);
- if (!conn)
- goto out;
-
- ret = 0;
-
while (!kthread_should_stop()) {
/*
* Ensure that both TX and RX per connection kthreads
@@ -3993,11 +3976,9 @@ restart:
iscsit_thread_check_cpumask(conn, current, 1);

wait_event_interruptible(conn->queues_wq,
- !iscsit_conn_all_queues_empty(conn) ||
- ts->status == ISCSI_THREAD_SET_RESET);
+ !iscsit_conn_all_queues_empty(conn));

- if ((ts->status == ISCSI_THREAD_SET_RESET) ||
- signal_pending(current))
+ if (signal_pending(current))
goto transport_err;

get_immediate:
@@ -4008,15 +3989,14 @@ get_immediate:
ret = iscsit_handle_response_queue(conn);
if (ret == 1)
goto get_immediate;
- else if (ret == -EAGAIN)
- goto restart;
+ else if (ret == -ECONNRESET)
+ goto out;
else if (ret < 0)
goto transport_err;
}

transport_err:
iscsit_take_action_for_connection_exit(conn);
- goto restart;
out:
return 0;
}
@@ -4111,8 +4091,7 @@ int iscsi_target_rx_thread(void *arg)
int ret;
u8 buffer[ISCSI_HDR_LEN], opcode;
u32 checksum = 0, digest = 0;
- struct iscsi_conn *conn = NULL;
- struct iscsi_thread_set *ts = arg;
+ struct iscsi_conn *conn = arg;
struct kvec iov;
/*
* Allow ourselves to be interrupted by SIGINT so that a
@@ -4120,11 +4099,6 @@ int iscsi_target_rx_thread(void *arg)
*/
allow_signal(SIGINT);

-restart:
- conn = iscsi_rx_thread_pre_handler(ts);
- if (!conn)
- goto out;
-
if (conn->conn_transport->transport_type == ISCSI_INFINIBAND) {
struct completion comp;
int rc;
@@ -4134,7 +4108,7 @@ restart:
if (rc < 0)
goto transport_err;

- goto out;
+ goto transport_err;
}

while (!kthread_should_stop()) {
@@ -4210,8 +4184,6 @@ transport_err:
if (!signal_pending(current))
atomic_set(&conn->transport_failed, 1);
iscsit_take_action_for_connection_exit(conn);
- goto restart;
-out:
return 0;
}

@@ -4273,7 +4245,24 @@ int iscsit_close_connection(
if (conn->conn_transport->transport_type == ISCSI_TCP)
complete(&conn->conn_logout_comp);

- iscsi_release_thread_set(conn);
+ if (!strcmp(current->comm, ISCSI_RX_THREAD_NAME)) {
+ if (conn->tx_thread &&
+ cmpxchg(&conn->tx_thread_active, true, false)) {
+ send_sig(SIGINT, conn->tx_thread, 1);
+ kthread_stop(conn->tx_thread);
+ }
+ } else if (!strcmp(current->comm, ISCSI_TX_THREAD_NAME)) {
+ if (conn->rx_thread &&
+ cmpxchg(&conn->rx_thread_active, true, false)) {
+ send_sig(SIGINT, conn->rx_thread, 1);
+ kthread_stop(conn->rx_thread);
+ }
+ }
+
+ spin_lock(&iscsit_global->ts_bitmap_lock);
+ bitmap_release_region(iscsit_global->ts_bitmap, conn->bitmap_id,
+ get_order(1));
+ spin_unlock(&iscsit_global->ts_bitmap_lock);

iscsit_stop_timers_for_cmds(conn);
iscsit_stop_nopin_response_timer(conn);
@@ -4551,15 +4540,13 @@ static void iscsit_logout_post_handler_c
struct iscsi_conn *conn)
{
struct iscsi_session *sess = conn->sess;
-
- iscsi_set_thread_clear(conn, ISCSI_CLEAR_TX_THREAD);
- iscsi_set_thread_set_signal(conn, ISCSI_SIGNAL_TX_THREAD);
+ int sleep = cmpxchg(&conn->tx_thread_active, true, false);

atomic_set(&conn->conn_logout_remove, 0);
complete(&conn->conn_logout_comp);

iscsit_dec_conn_usage_count(conn);
- iscsit_stop_session(sess, 1, 1);
+ iscsit_stop_session(sess, sleep, sleep);
iscsit_dec_session_usage_count(sess);
target_put_session(sess->se_sess);
}
@@ -4567,13 +4554,12 @@ static void iscsit_logout_post_handler_c
static void iscsit_logout_post_handler_samecid(
struct iscsi_conn *conn)
{
- iscsi_set_thread_clear(conn, ISCSI_CLEAR_TX_THREAD);
- iscsi_set_thread_set_signal(conn, ISCSI_SIGNAL_TX_THREAD);
+ int sleep = cmpxchg(&conn->tx_thread_active, true, false);

atomic_set(&conn->conn_logout_remove, 0);
complete(&conn->conn_logout_comp);

- iscsit_cause_connection_reinstatement(conn, 1);
+ iscsit_cause_connection_reinstatement(conn, sleep);
iscsit_dec_conn_usage_count(conn);
}

--- a/drivers/target/iscsi/iscsi_target_erl0.c
+++ b/drivers/target/iscsi/iscsi_target_erl0.c
@@ -860,7 +860,10 @@ void iscsit_connection_reinstatement_rcf
}
spin_unlock_bh(&conn->state_lock);

- iscsi_thread_set_force_reinstatement(conn);
+ if (conn->tx_thread && conn->tx_thread_active)
+ send_sig(SIGINT, conn->tx_thread, 1);
+ if (conn->rx_thread && conn->rx_thread_active)
+ send_sig(SIGINT, conn->rx_thread, 1);

sleep:
wait_for_completion(&conn->conn_wait_rcfr_comp);
@@ -885,10 +888,10 @@ void iscsit_cause_connection_reinstateme
return;
}

- if (iscsi_thread_set_force_reinstatement(conn) < 0) {
- spin_unlock_bh(&conn->state_lock);
- return;
- }
+ if (conn->tx_thread && conn->tx_thread_active)
+ send_sig(SIGINT, conn->tx_thread, 1);
+ if (conn->rx_thread && conn->rx_thread_active)
+ send_sig(SIGINT, conn->rx_thread, 1);

atomic_set(&conn->connection_reinstatement, 1);
if (!sleep) {
--- a/drivers/target/iscsi/iscsi_target_login.c
+++ b/drivers/target/iscsi/iscsi_target_login.c
@@ -699,6 +699,51 @@ static void iscsi_post_login_start_timer
iscsit_start_nopin_timer(conn);
}

+int iscsit_start_kthreads(struct iscsi_conn *conn)
+{
+ int ret = 0;
+
+ spin_lock(&iscsit_global->ts_bitmap_lock);
+ conn->bitmap_id = bitmap_find_free_region(iscsit_global->ts_bitmap,
+ ISCSIT_BITMAP_BITS, get_order(1));
+ spin_unlock(&iscsit_global->ts_bitmap_lock);
+
+ if (conn->bitmap_id < 0) {
+ pr_err("bitmap_find_free_region() failed for"
+ " iscsit_start_kthreads()\n");

+ return -ENOMEM;
+ }
+

+ conn->tx_thread = kthread_run(iscsi_target_tx_thread, conn,
+ "%s", ISCSI_TX_THREAD_NAME);
+ if (IS_ERR(conn->tx_thread)) {
+ pr_err("Unable to start iscsi_target_tx_thread\n");
+ ret = PTR_ERR(conn->tx_thread);
+ goto out_bitmap;
+ }
+ conn->tx_thread_active = true;
+
+ conn->rx_thread = kthread_run(iscsi_target_rx_thread, conn,
+ "%s", ISCSI_RX_THREAD_NAME);
+ if (IS_ERR(conn->rx_thread)) {
+ pr_err("Unable to start iscsi_target_rx_thread\n");
+ ret = PTR_ERR(conn->rx_thread);
+ goto out_tx;
+ }
+ conn->rx_thread_active = true;
+
+ return 0;
+out_tx:
+ kthread_stop(conn->tx_thread);
+ conn->tx_thread_active = false;
+out_bitmap:
+ spin_lock(&iscsit_global->ts_bitmap_lock);
+ bitmap_release_region(iscsit_global->ts_bitmap, conn->bitmap_id,
+ get_order(1));
+ spin_unlock(&iscsit_global->ts_bitmap_lock);

+ return ret;
+}
+

int iscsi_post_login_handler(
struct iscsi_np *np,
struct iscsi_conn *conn,
@@ -709,7 +754,7 @@ int iscsi_post_login_handler(
struct se_session *se_sess = sess->se_sess;
struct iscsi_portal_group *tpg = sess->tpg;
struct se_portal_group *se_tpg = &tpg->tpg_se_tpg;
- struct iscsi_thread_set *ts;
+ int rc;

iscsit_inc_conn_usage_count(conn);

@@ -724,7 +769,6 @@ int iscsi_post_login_handler(
/*
* SCSI Initiator -> SCSI Target Port Mapping
*/
- ts = iscsi_get_thread_set();
if (!zero_tsih) {
iscsi_set_session_parameters(sess->sess_ops,
conn->param_list, 0);
@@ -751,9 +795,11 @@ int iscsi_post_login_handler(
sess->sess_ops->InitiatorName);
spin_unlock_bh(&sess->conn_lock);

- iscsi_post_login_start_timers(conn);
+ rc = iscsit_start_kthreads(conn);
+ if (rc)
+ return rc;

- iscsi_activate_thread_set(conn, ts);
+ iscsi_post_login_start_timers(conn);
/*
* Determine CPU mask to ensure connection's RX and TX kthreads
* are scheduled on the same CPU.
@@ -810,8 +856,11 @@ int iscsi_post_login_handler(
" iSCSI Target Portal Group: %hu\n", tpg->nsessions, tpg->tpgt);
spin_unlock_bh(&se_tpg->session_lock);

+ rc = iscsit_start_kthreads(conn);
+ if (rc)
+ return rc;
+
iscsi_post_login_start_timers(conn);
- iscsi_activate_thread_set(conn, ts);
/*
* Determine CPU mask to ensure connection's RX and TX kthreads
* are scheduled on the same CPU.
--- a/include/target/iscsi/iscsi_target_core.h
+++ b/include/target/iscsi/iscsi_target_core.h
@@ -602,6 +602,11 @@ struct iscsi_conn {
struct iscsi_session *sess;
/* Pointer to thread_set in use for this conn's threads */
struct iscsi_thread_set *thread_set;
+ int bitmap_id;
+ int rx_thread_active;
+ struct task_struct *rx_thread;
+ int tx_thread_active;
+ struct task_struct *tx_thread;
/* list_head for session connection list */
struct list_head conn_list;
} ____cacheline_aligned;
@@ -871,10 +876,12 @@ struct iscsit_global {
/* Unique identifier used for the authentication daemon */
u32 auth_id;
u32 inactive_ts;
+#define ISCSIT_BITMAP_BITS 262144
/* Thread Set bitmap count */
int ts_bitmap_count;
/* Thread Set bitmap pointer */
unsigned long *ts_bitmap;
+ spinlock_t ts_bitmap_lock;
/* Used for iSCSI discovery session authentication */
struct iscsi_node_acl discovery_acl;
struct iscsi_portal_group *discovery_tpg;

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:08 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Akinobu Mita <akinob...@gmail.com>

commit c836777830428372074d5129ac513e1472c99791 upstream.

In fd_do_prot_rw(), it allocates prot_buf which is used to copy from
se_cmd->t_prot_sg by sbc_dif_copy_prot(). The SG table for prot_buf
is also initialized by allocating 'se_cmd->t_prot_nents' entries of
scatterlist and setting the data length of each entry to PAGE_SIZE
at most.

However if se_cmd->t_prot_sg contains a clustered entry (i.e.
sg->length > PAGE_SIZE), the SG table for prot_buf can't be
initialized correctly and sbc_dif_copy_prot() can't copy to prot_buf.
(This actually happened with TCM loopback fabric module)

As prot_buf is allocated by kzalloc() and it's physically contiguous,
we only need a single scatterlist entry.

Signed-off-by: Akinobu Mita <akinob...@gmail.com>
Cc: Sagi Grimberg <sa...@mellanox.com>
Cc: "Martin K. Petersen" <martin....@oracle.com>

Cc: Christoph Hellwig <h...@lst.de>
Cc: "James E.J. Bottomley" <James.B...@HansenPartnership.com>

Signed-off-by: Nicholas Bellinger <n...@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/target/target_core_file.c | 21 ++++++---------------
1 file changed, 6 insertions(+), 15 deletions(-)

--- a/drivers/target/target_core_file.c
+++ b/drivers/target/target_core_file.c
@@ -264,11 +264,10 @@ static int fd_do_prot_rw(struct se_cmd *
struct se_device *se_dev = cmd->se_dev;
struct fd_dev *dev = FD_DEV(se_dev);
struct file *prot_fd = dev->fd_prot_file;
- struct scatterlist *sg;
loff_t pos = (cmd->t_task_lba * se_dev->prot_length);
unsigned char *buf;
- u32 prot_size, len, size;
- int rc, ret = 1, i;
+ u32 prot_size;
+ int rc, ret = 1;

prot_size = (cmd->data_length / se_dev->dev_attrib.block_size) *
se_dev->prot_length;
@@ -281,24 +280,16 @@ static int fd_do_prot_rw(struct se_cmd *
}
buf = fd_prot->prot_buf;

- fd_prot->prot_sg_nents = cmd->t_prot_nents;
- fd_prot->prot_sg = kzalloc(sizeof(struct scatterlist) *
- fd_prot->prot_sg_nents, GFP_KERNEL);
+ fd_prot->prot_sg_nents = 1;
+ fd_prot->prot_sg = kzalloc(sizeof(struct scatterlist),
+ GFP_KERNEL);
if (!fd_prot->prot_sg) {
pr_err("Unable to allocate fd_prot->prot_sg\n");
kfree(fd_prot->prot_buf);
return -ENOMEM;
}
sg_init_table(fd_prot->prot_sg, fd_prot->prot_sg_nents);
- size = prot_size;
-
- for_each_sg(fd_prot->prot_sg, sg, fd_prot->prot_sg_nents, i) {
-
- len = min_t(u32, PAGE_SIZE, size);
- sg_set_buf(sg, buf, len);
- size -= len;
- buf += len;
- }
+ sg_set_buf(fd_prot->prot_sg, buf, prot_size);
}

if (is_write) {

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:09 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Len Brown <len....@intel.com>

commit d7ef76717322c8e2df7d4360b33faa9466cb1a0d upstream.

On some Silvermont-Core/Baytrail-SOC systems,
C1E latency is higher than original specifications.
Although C1E is still enumerated in CPUID.MWAIT.EDX,
we delete the state from intel_idle to avoid latency impact.

Under some conditions, the latency of the C6N-BYT and C6S-BYT states
may exceed the specified values of 40 and 140 usec, respectively.
Increase those values to 300 and 500 usec; to assure
that the hardware does not violate constraints that may be set
by the Linux PM_QOS sub-system.

Also increase the C7-BYT target residency to 4.0 ms from 1.5 ms.

Signed-off-by: Len Brown <len....@intel.com>
Cc: Kumar P Mahesh <mahesh....@intel.com>
Cc: Alan Cox <al...@linux.intel.com>
Cc: Mika Westerberg <mika.we...@linux.intel.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/idle/intel_idle.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)

--- a/drivers/idle/intel_idle.c
+++ b/drivers/idle/intel_idle.c
@@ -218,18 +218,10 @@ static struct cpuidle_state byt_cstates[
.enter = &intel_idle,
.enter_freeze = intel_idle_freeze, },
{
- .name = "C1E-BYT",
- .desc = "MWAIT 0x01",
- .flags = MWAIT2flg(0x01),
- .exit_latency = 15,
- .target_residency = 30,
- .enter = &intel_idle,
- .enter_freeze = intel_idle_freeze, },
- {
.name = "C6N-BYT",
.desc = "MWAIT 0x58",
.flags = MWAIT2flg(0x58) | CPUIDLE_FLAG_TLB_FLUSHED,
- .exit_latency = 40,
+ .exit_latency = 300,
.target_residency = 275,
.enter = &intel_idle,
.enter_freeze = intel_idle_freeze, },
@@ -237,7 +229,7 @@ static struct cpuidle_state byt_cstates[
.name = "C6S-BYT",
.desc = "MWAIT 0x52",
.flags = MWAIT2flg(0x52) | CPUIDLE_FLAG_TLB_FLUSHED,
- .exit_latency = 140,
+ .exit_latency = 500,
.target_residency = 560,
.enter = &intel_idle,
.enter_freeze = intel_idle_freeze, },
@@ -246,7 +238,7 @@ static struct cpuidle_state byt_cstates[
.desc = "MWAIT 0x60",
.flags = MWAIT2flg(0x60) | CPUIDLE_FLAG_TLB_FLUSHED,
.exit_latency = 1200,
- .target_residency = 1500,
+ .target_residency = 4000,
.enter = &intel_idle,
.enter_freeze = intel_idle_freeze, },

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:10 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <ba...@ti.com>

commit 309be239369609929d5d3833ee043f7c5afc95d1 upstream.

Make sure we're using the new macro, so our
resume signaling will always pass certification.

Based on original work by Bin Liu <Bin Liu <b-...@ti.com>>

Cc: Bin Liu <b-...@ti.com>
Signed-off-by: Felipe Balbi <ba...@ti.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/usb/musb/musb_core.c | 7 ++++---
drivers/usb/musb/musb_virthub.c | 2 +-
2 files changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/usb/musb/musb_core.c
+++ b/drivers/usb/musb/musb_core.c
@@ -99,6 +99,7 @@
#include <linux/platform_device.h>
#include <linux/io.h>
#include <linux/dma-mapping.h>
+#include <linux/usb.h>

#include "musb_core.h"

@@ -562,7 +563,7 @@ static irqreturn_t musb_stage0_irq(struc
(USB_PORT_STAT_C_SUSPEND << 16)
| MUSB_PORT_STAT_RESUME;
musb->rh_timer = jiffies

- + msecs_to_jiffies(20);
+ + msecs_to_jiffies(USB_RESUME_TIMEOUT);

musb->need_finish_resume = 1;

musb->xceiv->otg->state = OTG_STATE_A_HOST;
@@ -2471,7 +2472,7 @@ static int musb_resume(struct device *de
if (musb->need_finish_resume) {
musb->need_finish_resume = 0;
schedule_delayed_work(&musb->finish_resume_work,
- msecs_to_jiffies(20));
+ msecs_to_jiffies(USB_RESUME_TIMEOUT));
}

/*
@@ -2514,7 +2515,7 @@ static int musb_runtime_resume(struct de
if (musb->need_finish_resume) {
musb->need_finish_resume = 0;
schedule_delayed_work(&musb->finish_resume_work,
- msecs_to_jiffies(20));
+ msecs_to_jiffies(USB_RESUME_TIMEOUT));
}

return 0;
--- a/drivers/usb/musb/musb_virthub.c
+++ b/drivers/usb/musb/musb_virthub.c
@@ -136,7 +136,7 @@ void musb_port_suspend(struct musb *musb
/* later, GetPortStatus will stop RESUME signaling */
musb->port1_status |= MUSB_PORT_STAT_RESUME;
schedule_delayed_work(&musb->finish_resume_work,
- msecs_to_jiffies(20));
+ msecs_to_jiffies(USB_RESUME_TIMEOUT));

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:10 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>

[ Upstream commit 845704a535e9b3c76448f52af1b70e4422ea03fd ]

Presence of an unbound loop in tcp_send_fin() had always been hard
to explain when analyzing crash dumps involving gigantic dying processes
with millions of sockets.

Lets try a different strategy :

In case of memory pressure, try to add the FIN flag to last packet
in write queue, even if packet was already sent. TCP stack will
be able to deliver this FIN after a timeout event. Note that this
FIN being delivered by a retransmit, it also carries a Push flag
given our current implementation.

By checking sk_under_memory_pressure(), we anticipate that cooking
many FIN packets might deplete tcp memory.

In the case we could not allocate a packet, even with __GFP_WAIT
allocation, then not sending a FIN seems quite reasonable if it allows
to get rid of this socket, free memory, and not block the process from
eventually doing other useful work.

Signed-off-by: Eric Dumazet <edum...@google.com>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---

net/ipv4/tcp_output.c | 50 +++++++++++++++++++++++++++++---------------------
1 file changed, 29 insertions(+), 21 deletions(-)

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2753,7 +2753,8 @@ begin_fwd:

/* We allow to exceed memory limits for FIN packets to expedite
* connection tear down and (memory) recovery.
- * Otherwise tcp_send_fin() could loop forever.
+ * Otherwise tcp_send_fin() could be tempted to either delay FIN
+ * or even be forced to close flow without any FIN.
*/
static void sk_forced_wmem_schedule(struct sock *sk, int size)
{
@@ -2766,33 +2767,40 @@ static void sk_forced_wmem_schedule(stru
sk_memory_allocated_add(sk, amt, &status);
}

-/* Send a fin. The caller locks the socket for us. This cannot be
- * allowed to fail queueing a FIN frame under any circumstances.
+/* Send a FIN. The caller locks the socket for us.
+ * We should try to send a FIN packet really hard, but eventually give up.
*/
void tcp_send_fin(struct sock *sk)
{
+ struct sk_buff *skb, *tskb = tcp_write_queue_tail(sk);
struct tcp_sock *tp = tcp_sk(sk);
- struct sk_buff *skb = tcp_write_queue_tail(sk);
- int mss_now;

- /* Optimization, tack on the FIN if we have a queue of
- * unsent frames. But be careful about outgoing SACKS
- * and IP options.
+ /* Optimization, tack on the FIN if we have one skb in write queue and
+ * this skb was not yet sent, or we are under memory pressure.
+ * Note: in the latter case, FIN packet will be sent after a timeout,
+ * as TCP stack thinks it has already been transmitted.
*/
- mss_now = tcp_current_mss(sk);
-
- if (tcp_send_head(sk) != NULL) {
- TCP_SKB_CB(skb)->tcp_flags |= TCPHDR_FIN;
- TCP_SKB_CB(skb)->end_seq++;
+ if (tskb && (tcp_send_head(sk) || sk_under_memory_pressure(sk))) {
+coalesce:
+ TCP_SKB_CB(tskb)->tcp_flags |= TCPHDR_FIN;
+ TCP_SKB_CB(tskb)->end_seq++;
tp->write_seq++;
+ if (!tcp_send_head(sk)) {
+ /* This means tskb was already sent.
+ * Pretend we included the FIN on previous transmit.
+ * We need to set tp->snd_nxt to the value it would have
+ * if FIN had been sent. This is because retransmit path
+ * does not change tp->snd_nxt.
+ */
+ tp->snd_nxt++;
+ return;
+ }
} else {
- /* Socket is locked, keep trying until memory is available. */
- for (;;) {
- skb = alloc_skb_fclone(MAX_TCP_HEADER,
- sk->sk_allocation);
- if (skb)
- break;
- yield();
+ skb = alloc_skb_fclone(MAX_TCP_HEADER, sk->sk_allocation);
+ if (unlikely(!skb)) {
+ if (tskb)
+ goto coalesce;
+ return;
}
skb_reserve(skb, MAX_TCP_HEADER);
sk_forced_wmem_schedule(sk, skb->truesize);
@@ -2801,7 +2809,7 @@ void tcp_send_fin(struct sock *sk)
TCPHDR_ACK | TCPHDR_FIN);
tcp_queue_skb(sk, skb);
}
- __tcp_push_pending_frames(sk, mss_now, TCP_NAGLE_OFF);
+ __tcp_push_pending_frames(sk, tcp_current_mss(sk), TCP_NAGLE_OFF);
}

/* We get here when a process closes a file descriptor (either due to

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:10 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>

[ Upstream commit 79930f5892e134c6da1254389577fffb8bd72c66 ]

build_skb() should look at the page pfmemalloc status.
If set, this means page allocator allocated this page in the
expectation it would help to free other pages. Networking
stack can do that only if skb->pfmemalloc is also set.

Also, we must refrain using high order pages from the pfmemalloc
reserve, so __page_frag_refill() must also use __GFP_NOMEMALLOC for
them. Under memory pressure, using order-0 pages is probably the best
strategy.

Signed-off-by: Eric Dumazet <edum...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---

net/core/skbuff.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -311,7 +311,11 @@ struct sk_buff *build_skb(void *data, un

memset(skb, 0, offsetof(struct sk_buff, tail));
skb->truesize = SKB_TRUESIZE(size);
- skb->head_frag = frag_size != 0;
+ if (frag_size) {
+ skb->head_frag = 1;
+ if (virt_to_head_page(data)->pfmemalloc)
+ skb->pfmemalloc = 1;
+ }
atomic_set(&skb->users, 1);
skb->head = data;
skb->data = data;
@@ -348,7 +352,8 @@ static struct page *__page_frag_refill(s
gfp_t gfp = gfp_mask;

if (order) {
- gfp_mask |= __GFP_COMP | __GFP_NOWARN | __GFP_NORETRY;
+ gfp_mask |= __GFP_COMP | __GFP_NOWARN | __GFP_NORETRY |
+ __GFP_NOMEMALLOC;
page = alloc_pages_node(NUMA_NO_NODE, gfp_mask, order);
nc->frag.size = PAGE_SIZE << (page ? order : 0);

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:10 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebie...@xmission.com>

commit 5d88457eb5b86b475422dc882f089203faaeedb5 upstream.

A prerequisite of calling umount_tree is that the point where the tree
is mounted at is valid to unmount.

If we are propagating the effect of the unmount clear MNT_LOCKED in
every instance where the same filesystem is mounted on the same
mountpoint in the mount tree, as we know (by virtue of the fact
that umount_tree was called) that it is safe to reveal what
is at that mountpoint.

Signed-off-by: "Eric W. Biederman" <ebie...@xmission.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

fs/namespace.c | 3 +++
fs/pnode.c | 20 ++++++++++++++++++++
fs/pnode.h | 1 +
3 files changed, 24 insertions(+)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1335,6 +1335,9 @@ static void umount_tree(struct mount *mn
LIST_HEAD(tmp_list);
struct mount *p;

+ if (how & UMOUNT_PROPAGATE)
+ propagate_mount_unlock(mnt);
+
/* Gather the mounts to umount */
for (p = mnt; p; p = next_mnt(p, mnt)) {
p->mnt.mnt_flags |= MNT_UMOUNT;
--- a/fs/pnode.c
+++ b/fs/pnode.c
@@ -362,6 +362,26 @@ int propagate_mount_busy(struct mount *m
}

/*
+ * Clear MNT_LOCKED when it can be shown to be safe.
+ *
+ * mount_lock lock must be held for write
+ */
+void propagate_mount_unlock(struct mount *mnt)
+{
+ struct mount *parent = mnt->mnt_parent;
+ struct mount *m, *child;
+
+ BUG_ON(parent == mnt);
+
+ for (m = propagation_next(parent, parent); m;
+ m = propagation_next(m, parent)) {
+ child = __lookup_mnt_last(&m->mnt, mnt->mnt_mountpoint);
+ if (child)
+ child->mnt.mnt_flags &= ~MNT_LOCKED;
+ }
+}
+
+/*
* NOTE: unmounting 'mnt' naturally propagates to all other mounts its
* parent propagates to.
*/
--- a/fs/pnode.h
+++ b/fs/pnode.h
@@ -42,6 +42,7 @@ int propagate_mnt(struct mount *, struct
struct hlist_head *);
int propagate_umount(struct list_head *);
int propagate_mount_busy(struct mount *, int);
+void propagate_mount_unlock(struct mount *);
void mnt_release_group_id(struct mount *);
int get_dominating_id(struct mount *mnt, const struct path *root);
unsigned int mnt_get_count(struct mount *mnt);

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:10 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Adam Honse <calcpro...@gmail.com>

commit eef0342cf32689f77d78ee3302999e5caaa6a8f3 upstream.

Adds Microsoft LifeCam Cinema USB ID to the snd_usb_get_sample_rate_quirk list as the Lifecam Cinema does not appear to support getting the sample rate.

Fixes the issue where the LifeCam Cinema would wait for USB timeout and log the message "cannot get freq at ep 0x82" when accessed.

Addresses bug report https://bugzilla.kernel.org/show_bug.cgi?id=95961.

Signed-off-by: Adam Honse <calcpro...@gmail.com>
Signed-off-by: Takashi Iwai <ti...@suse.de>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

sound/usb/quirks.c | 1 +

1 file changed, 1 insertion(+)

--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -1115,6 +1115,7 @@ bool snd_usb_get_sample_rate_quirk(struc
{
/* devices which do not support reading the sample rate. */
switch (chip->usb_id) {
+ case USB_ID(0x045E, 0x075D): /* MS Lifecam Cinema */
case USB_ID(0x045E, 0x076D): /* MS Lifecam HD-5000 */
case USB_ID(0x04D8, 0xFEEA): /* Benchmark DAC1 Pre */
return true;

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:10 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Lukas Czerner <lcze...@redhat.com>

commit e12fb97222fc41e8442896934f76d39ef99b590a upstream.

Previously commit 14ece1028b3ed53ffec1b1213ffc6acaf79ad77c added a
support for for syncing parent directory of newly created inodes to
make sure that the inode is not lost after a power failure in
no-journal mode.

However this does not work in majority of cases, namely:
- if the directory has inline data
- if the directory is already indexed
- if the directory already has at least one block and:
- the new entry fits into it
- or we've successfully converted it to indexed

So in those cases we might lose the inode entirely even after fsync in
the no-journal mode. This also includes ext2 default mode obviously.

I've noticed this while running xfstest generic/321 and even though the
test should fail (we need to run fsck after a crash in no-journal mode)
I could not find a newly created entries even when if it was fsynced
before.

Fix this by adjusting the ext4_add_entry() successful exit paths to set
the inode EXT4_STATE_NEWENTRY so that fsync has the chance to fsync the
parent directory as well.

Signed-off-by: Lukas Czerner <lcze...@redhat.com>
Signed-off-by: Theodore Ts'o <ty...@mit.edu>
Reviewed-by: Jan Kara <ja...@suse.cz>
Cc: Frank Mayhar <fma...@google.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

fs/ext4/namei.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)

--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -1865,7 +1865,7 @@ static int ext4_add_entry(handle_t *hand
struct inode *inode)
{
struct inode *dir = dentry->d_parent->d_inode;
- struct buffer_head *bh;
+ struct buffer_head *bh = NULL;
struct ext4_dir_entry_2 *de;
struct ext4_dir_entry_tail *t;
struct super_block *sb;
@@ -1889,14 +1889,14 @@ static int ext4_add_entry(handle_t *hand
return retval;
if (retval == 1) {
retval = 0;
- return retval;
+ goto out;
}
}

if (is_dx(dir)) {
retval = ext4_dx_add_entry(handle, dentry, inode);
if (!retval || (retval != ERR_BAD_DX_DIR))
- return retval;
+ goto out;
ext4_clear_inode_flag(dir, EXT4_INODE_INDEX);
dx_fallback++;
ext4_mark_inode_dirty(handle, dir);
@@ -1908,14 +1908,15 @@ static int ext4_add_entry(handle_t *hand
return PTR_ERR(bh);

retval = add_dirent_to_buf(handle, dentry, inode, NULL, bh);
- if (retval != -ENOSPC) {
- brelse(bh);
- return retval;
- }
+ if (retval != -ENOSPC)
+ goto out;

if (blocks == 1 && !dx_fallback &&
- EXT4_HAS_COMPAT_FEATURE(sb, EXT4_FEATURE_COMPAT_DIR_INDEX))
- return make_indexed_dir(handle, dentry, inode, bh);
+ EXT4_HAS_COMPAT_FEATURE(sb, EXT4_FEATURE_COMPAT_DIR_INDEX)) {
+ retval = make_indexed_dir(handle, dentry, inode, bh);
+ bh = NULL; /* make_indexed_dir releases bh */
+ goto out;
+ }
brelse(bh);
}
bh = ext4_append(handle, dir, &block);
@@ -1931,6 +1932,7 @@ static int ext4_add_entry(handle_t *hand
}

retval = add_dirent_to_buf(handle, dentry, inode, de, bh);
+out:
brelse(bh);
if (retval == 0)
ext4_set_inode_state(inode, EXT4_STATE_NEWENTRY);

Greg Kroah-Hartman

unread,

May 2, 2015, 3:20:07 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <k.koz...@samsung.com>

commit a7117f81e8391e035c49b3440792f7e6cea28173 upstream.

Driver forgot to unregister charger power supply if registering of
battery supply failed in probe(). In such case the memory associated
with power supply leaked.

Signed-off-by: Krzysztof Kozlowski <k.koz...@samsung.com>
Fixes: 98a276649358 ("power_supply: Add new lp8788 charger driver")
Signed-off-by: Sebastian Reichel <s...@kernel.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/power/lp8788-charger.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/power/lp8788-charger.c
+++ b/drivers/power/lp8788-charger.c
@@ -417,8 +417,10 @@ static int lp8788_psy_register(struct pl
pchg->battery.num_properties = ARRAY_SIZE(lp8788_battery_prop);
pchg->battery.get_property = lp8788_battery_get_property;

- if (power_supply_register(&pdev->dev, &pchg->battery))
+ if (power_supply_register(&pdev->dev, &pchg->battery)) {
+ power_supply_unregister(&pchg->charger);
return -EPERM;
+ }

return 0;

Greg Kroah-Hartman

unread,

May 2, 2015, 3:25:38 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ulrik De Bie <ulrik.d...@e2big.org>

commit bd884149aca61de269fd9bad83fe2a4232ffab21 upstream.

On ASUS TP500LN and X750JN, the touchpad absolute mode is reset each
time set_rate is done.

In order to fix this, we will verify the firmware version, and if it
matches the one in those laptops, the set_rate function is overloaded
with a function elantech_set_rate_restore_reg_07 that performs the
set_rate with the original function, followed by a restore of reg_07
(the register that sets the absolute mode on elantech v4 hardware).

Also the ASUS TP500LN and X750JN firmware version, capabilities, and
button constellation is added to elantech.c

Reported-and-tested-by: George Moutsopoulos <gmo...@yahoo.co.uk>
Signed-off-by: Ulrik De Bie <ulrik.d...@e2big.org>
Signed-off-by: Dmitry Torokhov <dmitry....@gmail.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/input/mouse/elantech.c | 22 ++++++++++++++++++++++
drivers/input/mouse/elantech.h | 1 +
2 files changed, 23 insertions(+)

--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c
@@ -893,6 +893,21 @@ static psmouse_ret_t elantech_process_by
}

/*
+ * This writes the reg_07 value again to the hardware at the end of every
+ * set_rate call because the register loses its value. reg_07 allows setting
+ * absolute mode on v4 hardware
+ */
+static void elantech_set_rate_restore_reg_07(struct psmouse *psmouse,
+ unsigned int rate)
+{
+ struct elantech_data *etd = psmouse->private;
+
+ etd->original_set_rate(psmouse, rate);
+ if (elantech_write_reg(psmouse, 0x07, etd->reg_07))
+ psmouse_err(psmouse, "restoring reg_07 failed\n");
+}
+
+/*
* Put the touchpad into absolute mode
*/
static int elantech_set_absolute_mode(struct psmouse *psmouse)
@@ -1094,6 +1109,8 @@ static int elantech_get_resolution_v4(st
* Asus K53SV 0x450f01 78, 15, 0c 2 hw buttons
* Asus G46VW 0x460f02 00, 18, 0c 2 hw buttons
* Asus G750JX 0x360f00 00, 16, 0c 2 hw buttons
+ * Asus TP500LN 0x381f17 10, 14, 0e clickpad
+ * Asus X750JN 0x381f17 10, 14, 0e clickpad
* Asus UX31 0x361f00 20, 15, 0e clickpad
* Asus UX32VD 0x361f02 00, 15, 0e clickpad
* Avatar AVIU-145A2 0x361f00 ? clickpad
@@ -1635,6 +1652,11 @@ int elantech_init(struct psmouse *psmous
goto init_fail;
}

+ if (etd->fw_version == 0x381f17) {
+ etd->original_set_rate = psmouse->set_rate;
+ psmouse->set_rate = elantech_set_rate_restore_reg_07;
+ }
+
if (elantech_set_input_params(psmouse)) {
psmouse_err(psmouse, "failed to query touchpad range.\n");
goto init_fail;
--- a/drivers/input/mouse/elantech.h
+++ b/drivers/input/mouse/elantech.h
@@ -142,6 +142,7 @@ struct elantech_data {
struct finger_pos mt[ETP_MAX_FINGERS];
unsigned char parity[256];
int (*send_cmd)(struct psmouse *psmouse, unsigned char c, unsigned char *param);
+ void (*original_set_rate)(struct psmouse *psmouse, unsigned int rate);
};

#ifdef CONFIG_MOUSE_PS2_ELANTECH

Greg Kroah-Hartman

unread,

May 2, 2015, 3:25:38 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Andrey Ryabinin <a.rya...@samsung.com>

commit 8defb3367fcd19d1af64c07792aade0747b54e0f upstream.

Usually ELF_ET_DYN_BASE is 2/3 of TASK_SIZE. With 3G/1G user/kernel
split this is not so, because 2*TASK_SIZE overflows 32 bits,
so the actual value of ELF_ET_DYN_BASE is:
(2 * TASK_SIZE / 3) = 0x2a000000

When ASLR is disabled PIE binaries will load at ELF_ET_DYN_BASE address.
On 32bit platforms AddressSanitzer uses addresses [0x20000000 - 0x40000000]
for shadow memory [1]. So ASan doesn't work for PIE binaries when ASLR disabled
as it fails to map shadow memory.
Also after Kees's 'split ET_DYN ASLR from mmap ASLR' patchset PIE binaries
has a high chance of loading somewhere in between [0x2a000000 - 0x40000000]
even if ASLR enabled. This makes ASan with PIE absolutely incompatible.

Fix overflow by dividing TASK_SIZE prior to multiplying.
After this patch ELF_ET_DYN_BASE equals to (for CONFIG_VMSPLIT_3G=y):
(TASK_SIZE / 3 * 2) = 0x7f555554

[1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm#Mapping

Signed-off-by: Andrey Ryabinin <a.rya...@samsung.com>
Reported-by: Maria Guseva <m.gu...@samsung.com>
Signed-off-by: Russell King <rmk+k...@arm.linux.org.uk>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

arch/arm/include/asm/elf.h | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

unread,

May 2, 2015, 3:25:42 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebie...@xmission.com>

commit 590ce4bcbfb4e0462a720a4ad901e84416080bba upstream.

In some instances it is necessary to know if the the unmounting
process has begun on a mount. Add MNT_UMOUNT to make that reliably
testable.

This fix gets used in fixing locked mounts in MNT_DETACH

Signed-off-by: "Eric W. Biederman" <ebie...@xmission.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

fs/namespace.c | 4 +++-
fs/pnode.c | 1 +
include/linux/mount.h | 1 +
3 files changed, 5 insertions(+), 1 deletion(-)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1333,8 +1333,10 @@ static void umount_tree(struct mount *mn
struct mount *p;

/* Gather the mounts to umount */

- for (p = mnt; p; p = next_mnt(p, mnt))
+ for (p = mnt; p; p = next_mnt(p, mnt)) {
+ p->mnt.mnt_flags |= MNT_UMOUNT;
list_move(&p->mnt_list, &tmp_list);
+ }

/* Hide the mounts from lookup_mnt and mnt_mounts */
list_for_each_entry(p, &tmp_list, mnt_list) {
--- a/fs/pnode.c
+++ b/fs/pnode.c
@@ -384,6 +384,7 @@ static void __propagate_umount(struct mo
if (child && list_empty(&child->mnt_mounts)) {
list_del_init(&child->mnt_child);
hlist_del_init_rcu(&child->mnt_hash);
+ child->mnt.mnt_flags |= MNT_UMOUNT;
list_move_tail(&child->mnt_list, &mnt->mnt_list);
}
}
--- a/include/linux/mount.h
+++ b/include/linux/mount.h
@@ -61,6 +61,7 @@ struct mnt_namespace;
#define MNT_DOOMED 0x1000000
#define MNT_SYNC_UMOUNT 0x2000000
#define MNT_MARKED 0x4000000
+#define MNT_UMOUNT 0x8000000

struct vfsmount {
struct dentry *mnt_root; /* root of the mounted tree */

Greg Kroah-Hartman

unread,

May 2, 2015, 3:25:43 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: "K. Y. Srinivasan" <k...@microsoft.com>

commit 8de580742fee8bc34d116f57a20b22b9a5f08403 upstream.

We may exit this function without properly freeing up the maapings
we may have acquired. Fix the bug.

Signed-off-by: K. Y. Srinivasan <k...@microsoft.com>
Reviewed-by: Long Li <lon...@microsoft.com>
Signed-off-by: James Bottomley <JBott...@Odin.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/scsi/storvsc_drv.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)

--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -746,21 +746,22 @@ static unsigned int copy_to_bounce_buffe
if (bounce_sgl[j].length == PAGE_SIZE) {
/* full..move to next entry */
sg_kunmap_atomic(bounce_addr);
+ bounce_addr = 0;
j++;
+ }

- /* if we need to use another bounce buffer */
- if (srclen || i != orig_sgl_count - 1)
- bounce_addr = sg_kmap_atomic(bounce_sgl,j);
+ /* if we need to use another bounce buffer */
+ if (srclen && bounce_addr == 0)
+ bounce_addr = sg_kmap_atomic(bounce_sgl, j);

- } else if (srclen == 0 && i == orig_sgl_count - 1) {
- /* unmap the last bounce that is < PAGE_SIZE */
- sg_kunmap_atomic(bounce_addr);
- }
}

sg_kunmap_atomic(src_addr - orig_sgl[i].offset);
}

+ if (bounce_addr)
+ sg_kunmap_atomic(bounce_addr);
+
local_irq_restore(flags);

return total_copied;

Greg Kroah-Hartman

unread,

May 2, 2015, 3:25:43 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <one...@suse.de>

commit b70b82580248b5393241c986082842ec05a2b7d7 upstream.

This mouse is also known under other IDs. It needs the quirk or will disconnect
in runlevel 1 or 3.

Signed-off-by: Oliver Neukum <one...@suse.de>
Signed-off-by: Jiri Kosina <jko...@suse.cz>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/hid/hid-ids.h | 1 +
drivers/hid/usbhid/hid-quirks.c | 1 +
2 files changed, 2 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -461,6 +461,7 @@

#define USB_VENDOR_ID_HP 0x03f0
#define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE 0x0a4a
+#define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE 0x134a

#define USB_VENDOR_ID_HUION 0x256c
#define USB_DEVICE_ID_HUION_TABLET 0x006e
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -79,6 +79,7 @@ static const struct hid_blacklist {
{ USB_VENDOR_ID_FORMOSA, USB_DEVICE_ID_FORMOSA_IR_RECEIVER, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_FREESCALE, USB_DEVICE_ID_FREESCALE_MX28, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL },
+ { USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_C077, HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_MGE, USB_DEVICE_ID_MGE_UPS, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3, HID_QUIRK_NO_INIT_REPORTS },

Greg Kroah-Hartman

unread,

May 2, 2015, 3:25:43 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <ba...@ti.com>

commit 8c0ae6574ccfd3d619876a65829aad74c9d22ba5 upstream.

Make sure we're using the new macro, so our
resume signaling will always pass certification.

Signed-off-by: Felipe Balbi <ba...@ti.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/usb/host/isp116x-hcd.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/host/isp116x-hcd.c
+++ b/drivers/usb/host/isp116x-hcd.c
@@ -1490,7 +1490,7 @@ static int isp116x_bus_resume(struct usb
spin_unlock_irq(&isp116x->lock);

hcd->state = HC_STATE_RESUMING;
- msleep(20);
+ msleep(USB_RESUME_TIMEOUT);

/* Go operational */
spin_lock_irq(&isp116x->lock);

Greg Kroah-Hartman

unread,

May 2, 2015, 3:25:46 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebie...@xmission.com>

commit 6a46c5735c29175da55b2fa9d53775182422cdd7 upstream.

For future use factor out a function umount_mnt from umount_tree.
This function unhashes a mount and remembers where the mount
was mounted so that eventually when the code makes it to a
sleeping context the mountpoint can be dput.

Signed-off-by: "Eric W. Biederman" <ebie...@xmission.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

fs/namespace.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -822,6 +822,16 @@ static void detach_mnt(struct mount *mnt
/*
* vfsmount lock must be held for write
*/
+static void umount_mnt(struct mount *mnt)
+{
+ /* old mountpoint will be dropped when we can do that */
+ mnt->mnt_ex_mountpoint = mnt->mnt_mountpoint;
+ unhash_mnt(mnt);
+}
+
+/*
+ * vfsmount lock must be held for write
+ */
void mnt_set_mountpoint(struct mount *mnt,
struct mountpoint *mp,
struct mount *child_mnt)
@@ -1373,9 +1383,7 @@ static void umount_tree(struct mount *mn
pin_insert_group(&p->mnt_umount, &p->mnt_parent->mnt, &unmounted);
if (mnt_has_parent(p)) {
mnt_add_count(p->mnt_parent, -1);
- /* old mountpoint will be dropped when we can do that */
- p->mnt_ex_mountpoint = p->mnt_mountpoint;
- unhash_mnt(p);
+ umount_mnt(p);
}
change_mnt_propagation(p, MS_PRIVATE);

Greg Kroah-Hartman

unread,

May 2, 2015, 3:25:48 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Dave Olson <ol...@cumulusnetworks.com>

commit f7e9e358362557c3aa2c1ec47490f29fe880a09e upstream.

This problem appears to have been introduced in 2.6.29 by commit
93197a36a9c1 "Rewrite sysfs processor cache info code".

This caused lscpu to error out on at least e500v2 devices, eg:

error: cannot open /sys/devices/system/cpu/cpu0/cache/index2/size: No such file or directory

Some embedded powerpc systems use cache-size in DTS for the unified L2
cache size, not d-cache-size, so we need to allow for both DTS names.
Added a new CACHE_TYPE_UNIFIED_D cache_type_info structure to handle
this.

Fixes: 93197a36a9c1 ("powerpc: Rewrite sysfs processor cache info code")
Signed-off-by: Dave Olson <ol...@cumulusnetworks.com>
Signed-off-by: Michael Ellerman <m...@ellerman.id.au>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

arch/powerpc/kernel/cacheinfo.c | 44 ++++++++++++++++++++++++++++++----------
1 file changed, 34 insertions(+), 10 deletions(-)

--- a/arch/powerpc/kernel/cacheinfo.c
+++ b/arch/powerpc/kernel/cacheinfo.c
@@ -61,12 +61,22 @@ struct cache_type_info {
};

/* These are used to index the cache_type_info array. */
-#define CACHE_TYPE_UNIFIED 0
-#define CACHE_TYPE_INSTRUCTION 1
-#define CACHE_TYPE_DATA 2
+#define CACHE_TYPE_UNIFIED 0 /* cache-size, cache-block-size, etc. */
+#define CACHE_TYPE_UNIFIED_D 1 /* d-cache-size, d-cache-block-size, etc */
+#define CACHE_TYPE_INSTRUCTION 2
+#define CACHE_TYPE_DATA 3

static const struct cache_type_info cache_type_info[] = {
{
+ /* Embedded systems that use cache-size, cache-block-size,
+ * etc. for the Unified (typically L2) cache. */
+ .name = "Unified",
+ .size_prop = "cache-size",
+ .line_size_props = { "cache-line-size",
+ "cache-block-size", },
+ .nr_sets_prop = "cache-sets",
+ },
+ {
/* PowerPC Processor binding says the [di]-cache-*
* must be equal on unified caches, so just use
* d-cache properties. */
@@ -293,7 +303,8 @@ static struct cache *cache_find_first_si
{
struct cache *iter;

- if (cache->type == CACHE_TYPE_UNIFIED)
+ if (cache->type == CACHE_TYPE_UNIFIED ||
+ cache->type == CACHE_TYPE_UNIFIED_D)
return cache;

list_for_each_entry(iter, &cache_list, list)
@@ -324,16 +335,29 @@ static bool cache_node_is_unified(const
return of_get_property(np, "cache-unified", NULL);
}

-static struct cache *cache_do_one_devnode_unified(struct device_node *node,
- int level)
+/*
+ * Unified caches can have two different sets of tags. Most embedded
+ * use cache-size, etc. for the unified cache size, but open firmware systems
+ * use d-cache-size, etc. Check on initialization for which type we have, and
+ * return the appropriate structure type. Assume it's embedded if it isn't
+ * open firmware. If it's yet a 3rd type, then there will be missing entries
+ * in /sys/devices/system/cpu/cpu0/cache/index2/, and this code will need
+ * to be extended further.
+ */
+static int cache_is_unified_d(const struct device_node *np)
{
- struct cache *cache;
+ return of_get_property(np,
+ cache_type_info[CACHE_TYPE_UNIFIED_D].size_prop, NULL) ?
+ CACHE_TYPE_UNIFIED_D : CACHE_TYPE_UNIFIED;
+}

+/*
+ */
+static struct cache *cache_do_one_devnode_unified(struct device_node *node, int level)
+{
pr_debug("creating L%d ucache for %s\n", level, node->full_name);

- cache = new_cache(CACHE_TYPE_UNIFIED, level, node);
-
- return cache;
+ return new_cache(cache_is_unified_d(node), level, node);
}

static struct cache *cache_do_one_devnode_split(struct device_node *node,

Greg Kroah-Hartman

unread,

May 2, 2015, 3:25:51 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Larry Finger <Larry....@lwfinger.net>

commit 2f92b314f4daff2117847ac5343c54d3d041bf78 upstream.

USB ID 2001:330d is used for a D-Link DWA-131.

Signed-off-by: Larry Finger <Larry....@lwfinger.net>
Signed-off-by: Kalle Valo <kv...@codeaurora.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/net/wireless/rtlwifi/rtl8192cu/sw.c | 1 +

1 file changed, 1 insertion(+)

--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
@@ -377,6 +377,7 @@ static struct usb_device_id rtl8192c_usb
{RTL_USB_DEVICE(0x2001, 0x3307, rtl92cu_hal_cfg)}, /*D-Link-Cameo*/
{RTL_USB_DEVICE(0x2001, 0x3309, rtl92cu_hal_cfg)}, /*D-Link-Alpha*/
{RTL_USB_DEVICE(0x2001, 0x330a, rtl92cu_hal_cfg)}, /*D-Link-Alpha*/
+ {RTL_USB_DEVICE(0x2001, 0x330d, rtl92cu_hal_cfg)}, /*D-Link DWA-131 */
{RTL_USB_DEVICE(0x2019, 0xab2b, rtl92cu_hal_cfg)}, /*Planex -Abocom*/
{RTL_USB_DEVICE(0x20f4, 0x624d, rtl92cu_hal_cfg)}, /*TRENDNet*/
{RTL_USB_DEVICE(0x2357, 0x0100, rtl92cu_hal_cfg)}, /*TP-Link WN8200ND*/

Greg Kroah-Hartman

unread,

May 2, 2015, 3:25:52 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <ba...@ti.com>

commit bbc78c07a51f6fd29c227b1220a9016e585358ba upstream.

Make sure we're using the new macro, so our
resume signaling will always pass certification.

Signed-off-by: Felipe Balbi <ba...@ti.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/usb/core/hub.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -3406,10 +3406,10 @@ int usb_port_resume(struct usb_device *u
if (status) {
dev_dbg(&port_dev->dev, "can't resume, status %d\n", status);
} else {
- /* drive resume for at least 20 msec */
+ /* drive resume for USB_RESUME_TIMEOUT msec */
dev_dbg(&udev->dev, "usb %sresume\n",
(PMSG_IS_AUTO(msg) ? "auto-" : ""));
- msleep(25);
+ msleep(USB_RESUME_TIMEOUT);

/* Virtual root hubs can trigger on GET_PORT_STATUS to
* stop resume signaling. Then finish the resume

Greg Kroah-Hartman

unread,

May 2, 2015, 3:26:02 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alexey Khoroshilov <khoro...@ispras.ru>

[ Upstream commit 0e03fd3e335d272bee88fe733d5fd13f5c5b7140 ]

Commit 43d3ddf87a57 ("net: pxa168_eth: add device tree support") starts
to use managed resources by adding devm_clk_get() and
devm_ioremap_resource(), but it leaves explicit iounmap() and clock_put()
in pxa168_eth_remove() and in failure handling code of pxa168_eth_probe().
As a result double free can happen.

The patch removes explicit resource deallocation. Also it converts
clk_disable() to clk_disable_unprepare() to make it symmetrical with
clk_prepare_enable().

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoro...@ispras.ru>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---

drivers/net/ethernet/marvell/pxa168_eth.c | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)

--- a/drivers/net/ethernet/marvell/pxa168_eth.c
+++ b/drivers/net/ethernet/marvell/pxa168_eth.c
@@ -1508,7 +1508,8 @@ static int pxa168_eth_probe(struct platf
np = of_parse_phandle(pdev->dev.of_node, "phy-handle", 0);
if (!np) {
dev_err(&pdev->dev, "missing phy-handle\n");
- return -EINVAL;
+ err = -EINVAL;
+ goto err_netdev;
}
of_property_read_u32(np, "reg", &pep->phy_addr);
pep->phy_intf = of_get_phy_mode(pdev->dev.of_node);
@@ -1526,7 +1527,7 @@ static int pxa168_eth_probe(struct platf
pep->smi_bus = mdiobus_alloc();
if (pep->smi_bus == NULL) {
err = -ENOMEM;
- goto err_base;
+ goto err_netdev;
}
pep->smi_bus->priv = pep;
pep->smi_bus->name = "pxa168_eth smi";
@@ -1551,13 +1552,10 @@ err_mdiobus:
mdiobus_unregister(pep->smi_bus);
err_free_mdio:
mdiobus_free(pep->smi_bus);
-err_base:
- iounmap(pep->base);
err_netdev:
free_netdev(dev);
err_clk:
- clk_disable(clk);
- clk_put(clk);
+ clk_disable_unprepare(clk);
return err;
}

@@ -1574,13 +1572,9 @@ static int pxa168_eth_remove(struct plat
if (pep->phy)
phy_disconnect(pep->phy);
if (pep->clk) {
- clk_disable(pep->clk);
- clk_put(pep->clk);
- pep->clk = NULL;
+ clk_disable_unprepare(pep->clk);
}

- iounmap(pep->base);
- pep->base = NULL;
mdiobus_unregister(pep->smi_bus);
mdiobus_free(pep->smi_bus);
unregister_netdev(dev);

Greg Kroah-Hartman

unread,

May 2, 2015, 3:26:06 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jo-Philipp Wich <j...@openwrt.org>

commit f2aa111041ce36b94e651d882458dea502e76721 upstream.

The Lenovo Thinkpad T450 requires the ALC292_FIXUP_TPT440_DOCK as well in
order to get working sound output on the docking stations headphone jack.

Patch tested on a Thinkpad T450 (20BVCTO1WW) using kernel 4.0-rc7 in
conjunction with a ThinkPad Ultradock.

Signed-off-by: Jo-Philipp Wich <j...@openwrt.org>
Signed-off-by: Takashi Iwai <ti...@suse.de>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

sound/pci/hda/patch_realtek.c | 1 +

1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5054,6 +5054,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x17aa, 0x501a, "Thinkpad", ALC283_FIXUP_INT_MIC),
SND_PCI_QUIRK(0x17aa, 0x501e, "Thinkpad L440", ALC292_FIXUP_TPT440_DOCK),
SND_PCI_QUIRK(0x17aa, 0x5026, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x17aa, 0x5034, "Thinkpad T450", ALC292_FIXUP_TPT440_DOCK),
SND_PCI_QUIRK(0x17aa, 0x5036, "Thinkpad T450s", ALC292_FIXUP_TPT440_DOCK),
SND_PCI_QUIRK(0x17aa, 0x5109, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
SND_PCI_QUIRK(0x17aa, 0x3bf8, "Quanta FL1", ALC269_FIXUP_PCM_44K),

Greg Kroah-Hartman

unread,

May 2, 2015, 3:26:09 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Markos Chandras <markos....@imgtec.com>

commit 3563c32d6532ece53c9dd8905a8e41983ef9952f upstream.

It's best to surround such complex macros with do {} while statements
so they can appear as independent logical blocks when used within other
control blocks.

Signed-off-by: Markos Chandras <markos....@imgtec.com>
Cc: linux...@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/9502/
Signed-off-by: Ralf Baechle <ra...@linux-mips.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

arch/mips/kernel/unaligned.c | 116 +++++++++++++++++++++++++++++++++----------
1 file changed, 90 insertions(+), 26 deletions(-)

--- a/arch/mips/kernel/unaligned.c
+++ b/arch/mips/kernel/unaligned.c
@@ -110,6 +110,7 @@ extern void show_registers(struct pt_reg

#ifdef __BIG_ENDIAN
#define _LoadHW(addr, value, res, type) \
+do { \
__asm__ __volatile__ (".set\tnoat\n" \
"1:\t"type##_lb("%0", "0(%2)")"\n" \
"2:\t"type##_lbu("$1", "1(%2)")"\n\t"\
@@ -127,10 +128,12 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t2b, 4b\n\t" \
".previous" \
: "=&r" (value), "=r" (res) \
- : "r" (addr), "i" (-EFAULT));
+ : "r" (addr), "i" (-EFAULT)); \
+} while(0)

#ifndef CONFIG_CPU_MIPSR6
#define _LoadW(addr, value, res, type) \
+do { \
__asm__ __volatile__ ( \
"1:\t"type##_lwl("%0", "(%2)")"\n" \
"2:\t"type##_lwr("%0", "3(%2)")"\n\t"\
@@ -146,10 +149,13 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t2b, 4b\n\t" \
".previous" \
: "=&r" (value), "=r" (res) \
- : "r" (addr), "i" (-EFAULT));
+ : "r" (addr), "i" (-EFAULT)); \
+} while(0)
+
#else
/* MIPSR6 has no lwl instruction */
#define _LoadW(addr, value, res, type) \
+do { \
__asm__ __volatile__ ( \
".set\tpush\n" \
".set\tnoat\n\t" \
@@ -178,10 +184,13 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t4b, 11b\n\t" \
".previous" \
: "=&r" (value), "=r" (res) \
- : "r" (addr), "i" (-EFAULT));
+ : "r" (addr), "i" (-EFAULT)); \
+} while(0)
+
#endif /* CONFIG_CPU_MIPSR6 */

#define _LoadHWU(addr, value, res, type) \
+do { \
__asm__ __volatile__ ( \
".set\tnoat\n" \
"1:\t"type##_lbu("%0", "0(%2)")"\n" \
@@ -201,10 +210,12 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t2b, 4b\n\t" \
".previous" \
: "=&r" (value), "=r" (res) \
- : "r" (addr), "i" (-EFAULT));
+ : "r" (addr), "i" (-EFAULT)); \
+} while(0)

#ifndef CONFIG_CPU_MIPSR6
#define _LoadWU(addr, value, res, type) \
+do { \
__asm__ __volatile__ ( \
"1:\t"type##_lwl("%0", "(%2)")"\n" \
"2:\t"type##_lwr("%0", "3(%2)")"\n\t"\
@@ -222,9 +233,11 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t2b, 4b\n\t" \
".previous" \
: "=&r" (value), "=r" (res) \
- : "r" (addr), "i" (-EFAULT));
+ : "r" (addr), "i" (-EFAULT)); \
+} while(0)

#define _LoadDW(addr, value, res) \
+do { \
__asm__ __volatile__ ( \
"1:\tldl\t%0, (%2)\n" \
"2:\tldr\t%0, 7(%2)\n\t" \
@@ -240,10 +253,13 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t2b, 4b\n\t" \
".previous" \
: "=&r" (value), "=r" (res) \
- : "r" (addr), "i" (-EFAULT));
+ : "r" (addr), "i" (-EFAULT)); \
+} while(0)
+
#else
/* MIPSR6 has not lwl and ldl instructions */
#define _LoadWU(addr, value, res, type) \
+do { \
__asm__ __volatile__ ( \
".set\tpush\n\t" \
".set\tnoat\n\t" \
@@ -272,9 +288,11 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t4b, 11b\n\t" \
".previous" \
: "=&r" (value), "=r" (res) \
- : "r" (addr), "i" (-EFAULT));
+ : "r" (addr), "i" (-EFAULT)); \
+} while(0)

#define _LoadDW(addr, value, res) \
+do { \
__asm__ __volatile__ ( \
".set\tpush\n\t" \
".set\tnoat\n\t" \
@@ -319,11 +337,14 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t8b, 11b\n\t" \
".previous" \
: "=&r" (value), "=r" (res) \
- : "r" (addr), "i" (-EFAULT));
+ : "r" (addr), "i" (-EFAULT)); \
+} while(0)
+
#endif /* CONFIG_CPU_MIPSR6 */

#define _StoreHW(addr, value, res, type) \
+do { \
__asm__ __volatile__ ( \
".set\tnoat\n" \
"1:\t"type##_sb("%1", "1(%2)")"\n" \
@@ -342,10 +363,12 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t2b, 4b\n\t" \
".previous" \
: "=r" (res) \
- : "r" (value), "r" (addr), "i" (-EFAULT));
+ : "r" (value), "r" (addr), "i" (-EFAULT));\
+} while(0)

#ifndef CONFIG_CPU_MIPSR6
#define _StoreW(addr, value, res, type) \
+do { \
__asm__ __volatile__ ( \
"1:\t"type##_swl("%1", "(%2)")"\n" \
"2:\t"type##_swr("%1", "3(%2)")"\n\t"\
@@ -361,9 +384,11 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t2b, 4b\n\t" \
".previous" \
: "=r" (res) \
- : "r" (value), "r" (addr), "i" (-EFAULT));
+ : "r" (value), "r" (addr), "i" (-EFAULT)); \
+} while(0)

#define _StoreDW(addr, value, res) \
+do { \
__asm__ __volatile__ ( \
"1:\tsdl\t%1,(%2)\n" \
"2:\tsdr\t%1, 7(%2)\n\t" \
@@ -379,10 +404,13 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t2b, 4b\n\t" \
".previous" \
: "=r" (res) \
- : "r" (value), "r" (addr), "i" (-EFAULT));
+ : "r" (value), "r" (addr), "i" (-EFAULT)); \
+} while(0)
+
#else
/* MIPSR6 has no swl and sdl instructions */
#define _StoreW(addr, value, res, type) \
+do { \
__asm__ __volatile__ ( \
".set\tpush\n\t" \
".set\tnoat\n\t" \
@@ -409,9 +437,11 @@ extern void show_registers(struct pt_reg
".previous" \
: "=&r" (res) \
: "r" (value), "r" (addr), "i" (-EFAULT) \
- : "memory");
+ : "memory"); \
+} while(0)

#define StoreDW(addr, value, res) \
+do { \
__asm__ __volatile__ ( \
".set\tpush\n\t" \
".set\tnoat\n\t" \
@@ -451,12 +481,15 @@ extern void show_registers(struct pt_reg
".previous" \
: "=&r" (res) \
: "r" (value), "r" (addr), "i" (-EFAULT) \
- : "memory");
+ : "memory"); \
+} while(0)
+
#endif /* CONFIG_CPU_MIPSR6 */

#else /* __BIG_ENDIAN */

#define _LoadHW(addr, value, res, type) \
+do { \
__asm__ __volatile__ (".set\tnoat\n" \
"1:\t"type##_lb("%0", "1(%2)")"\n" \
"2:\t"type##_lbu("$1", "0(%2)")"\n\t"\
@@ -474,10 +507,12 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t2b, 4b\n\t" \
".previous" \
: "=&r" (value), "=r" (res) \
- : "r" (addr), "i" (-EFAULT));
+ : "r" (addr), "i" (-EFAULT)); \
+} while(0)

#ifndef CONFIG_CPU_MIPSR6
#define _LoadW(addr, value, res, type) \
+do { \
__asm__ __volatile__ ( \
"1:\t"type##_lwl("%0", "3(%2)")"\n" \
"2:\t"type##_lwr("%0", "(%2)")"\n\t"\
@@ -493,10 +528,13 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t2b, 4b\n\t" \
".previous" \
: "=&r" (value), "=r" (res) \
- : "r" (addr), "i" (-EFAULT));
+ : "r" (addr), "i" (-EFAULT)); \
+} while(0)
+
#else
/* MIPSR6 has no lwl instruction */
#define _LoadW(addr, value, res, type) \
+do { \
__asm__ __volatile__ ( \
".set\tpush\n" \
".set\tnoat\n\t" \
@@ -525,11 +563,14 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t4b, 11b\n\t" \
".previous" \
: "=&r" (value), "=r" (res) \
- : "r" (addr), "i" (-EFAULT));
+ : "r" (addr), "i" (-EFAULT)); \
+} while(0)
+
#endif /* CONFIG_CPU_MIPSR6 */

#define _LoadHWU(addr, value, res, type) \
+do { \
__asm__ __volatile__ ( \
".set\tnoat\n" \
"1:\t"type##_lbu("%0", "1(%2)")"\n" \
@@ -549,10 +590,12 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t2b, 4b\n\t" \
".previous" \
: "=&r" (value), "=r" (res) \
- : "r" (addr), "i" (-EFAULT));
+ : "r" (addr), "i" (-EFAULT)); \
+} while(0)

#ifndef CONFIG_CPU_MIPSR6
#define _LoadWU(addr, value, res, type) \
+do { \
__asm__ __volatile__ ( \
"1:\t"type##_lwl("%0", "3(%2)")"\n" \
"2:\t"type##_lwr("%0", "(%2)")"\n\t"\
@@ -570,9 +613,11 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t2b, 4b\n\t" \
".previous" \
: "=&r" (value), "=r" (res) \
- : "r" (addr), "i" (-EFAULT));
+ : "r" (addr), "i" (-EFAULT)); \
+} while(0)

#define _LoadDW(addr, value, res) \
+do { \
__asm__ __volatile__ ( \
"1:\tldl\t%0, 7(%2)\n" \
"2:\tldr\t%0, (%2)\n\t" \
@@ -588,10 +633,13 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t2b, 4b\n\t" \
".previous" \
: "=&r" (value), "=r" (res) \
- : "r" (addr), "i" (-EFAULT));
+ : "r" (addr), "i" (-EFAULT)); \
+} while(0)
+
#else
/* MIPSR6 has not lwl and ldl instructions */
#define _LoadWU(addr, value, res, type) \
+do { \
__asm__ __volatile__ ( \
".set\tpush\n\t" \
".set\tnoat\n\t" \
@@ -620,9 +668,11 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t4b, 11b\n\t" \
".previous" \
: "=&r" (value), "=r" (res) \
- : "r" (addr), "i" (-EFAULT));
+ : "r" (addr), "i" (-EFAULT)); \
+} while(0)

#define _LoadDW(addr, value, res) \
+do { \
__asm__ __volatile__ ( \
".set\tpush\n\t" \
".set\tnoat\n\t" \
@@ -667,10 +717,12 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t8b, 11b\n\t" \
".previous" \
: "=&r" (value), "=r" (res) \
- : "r" (addr), "i" (-EFAULT));
+ : "r" (addr), "i" (-EFAULT)); \
+} while(0)
#endif /* CONFIG_CPU_MIPSR6 */

#define _StoreHW(addr, value, res, type) \
+do { \
__asm__ __volatile__ ( \
".set\tnoat\n" \
"1:\t"type##_sb("%1", "0(%2)")"\n" \
@@ -689,9 +741,12 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t2b, 4b\n\t" \
".previous" \
: "=r" (res) \
- : "r" (value), "r" (addr), "i" (-EFAULT));
+ : "r" (value), "r" (addr), "i" (-EFAULT));\
+} while(0)
+
#ifndef CONFIG_CPU_MIPSR6
#define _StoreW(addr, value, res, type) \
+do { \
__asm__ __volatile__ ( \
"1:\t"type##_swl("%1", "3(%2)")"\n" \
"2:\t"type##_swr("%1", "(%2)")"\n\t"\
@@ -707,9 +762,11 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t2b, 4b\n\t" \
".previous" \
: "=r" (res) \
- : "r" (value), "r" (addr), "i" (-EFAULT));
+ : "r" (value), "r" (addr), "i" (-EFAULT)); \
+} while(0)

#define _StoreDW(addr, value, res) \
+do { \
__asm__ __volatile__ ( \
"1:\tsdl\t%1, 7(%2)\n" \
"2:\tsdr\t%1, (%2)\n\t" \
@@ -725,10 +782,13 @@ extern void show_registers(struct pt_reg
STR(PTR)"\t2b, 4b\n\t" \
".previous" \
: "=r" (res) \
- : "r" (value), "r" (addr), "i" (-EFAULT));
+ : "r" (value), "r" (addr), "i" (-EFAULT)); \
+} while(0)
+
#else
/* MIPSR6 has no swl and sdl instructions */
#define _StoreW(addr, value, res, type) \
+do { \
__asm__ __volatile__ ( \
".set\tpush\n\t" \
".set\tnoat\n\t" \
@@ -755,9 +815,11 @@ extern void show_registers(struct pt_reg
".previous" \
: "=&r" (res) \
: "r" (value), "r" (addr), "i" (-EFAULT) \
- : "memory");
+ : "memory"); \
+} while(0)

#define _StoreDW(addr, value, res) \
+do { \
__asm__ __volatile__ ( \
".set\tpush\n\t" \
".set\tnoat\n\t" \
@@ -797,7 +859,9 @@ extern void show_registers(struct pt_reg
".previous" \
: "=&r" (res) \
: "r" (value), "r" (addr), "i" (-EFAULT) \
- : "memory");
+ : "memory"); \
+} while(0)
+
#endif /* CONFIG_CPU_MIPSR6 */
#endif

Greg Kroah-Hartman

unread,

May 2, 2015, 3:26:11 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <ba...@ti.com>

commit 595227db1f2d98bfc33f02a55842f268e12b247d upstream.

Make sure we're using the new macro, so our
resume signaling will always pass certification.

Signed-off-by: Felipe Balbi <ba...@ti.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/usb/host/fusbh200-hcd.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/usb/host/fusbh200-hcd.c
+++ b/drivers/usb/host/fusbh200-hcd.c
@@ -1550,10 +1550,9 @@ static int fusbh200_hub_control (
if ((temp & PORT_PE) == 0)
goto error;

- /* resume signaling for 20 msec */
fusbh200_writel(fusbh200, temp | PORT_RESUME, status_reg);
fusbh200->reset_done[wIndex] = jiffies

- + msecs_to_jiffies(20);
+ + msecs_to_jiffies(USB_RESUME_TIMEOUT);

break;
case USB_PORT_FEAT_C_SUSPEND:
clear_bit(wIndex, &fusbh200->port_c_suspend);

Greg Kroah-Hartman

unread,

May 2, 2015, 3:26:15 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sudip Mukherjee <sudipm.m...@gmail.com>

commit 2c20d92dad5db6440cfa88d811b69fd605240ce4 upstream.

the lcd type as defined in the Kconfig is not matching in the code.
as a result the rs, rw and en pins were getting interchanged.
Kconfig defines the value of PANEL_LCD to be 1 if we select custom
configuration but in the code LCD_TYPE_CUSTOM is defined as 5.

my hardware is LCD_TYPE_CUSTOM, but the pins were assigned to it
as pins of LCD_TYPE_OLD, and it was not working.
Now values are corrected with referenece to the values defined in
Kconfig and it is working.
checked on JHD204A lcd with LCD_TYPE_CUSTOM configuration.

Signed-off-by: Sudip Mukherjee <su...@vectorindia.org>
Acked-by: Willy Tarreau <w...@1wt.eu>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/staging/panel/panel.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/staging/panel/panel.c
+++ b/drivers/staging/panel/panel.c
@@ -335,11 +335,11 @@ static unsigned char lcd_bits[LCD_PORTS]
* LCD types
*/
#define LCD_TYPE_NONE 0
-#define LCD_TYPE_OLD 1
-#define LCD_TYPE_KS0074 2
-#define LCD_TYPE_HANTRONIX 3
-#define LCD_TYPE_NEXCOM 4
-#define LCD_TYPE_CUSTOM 5
+#define LCD_TYPE_CUSTOM 1
+#define LCD_TYPE_OLD 2
+#define LCD_TYPE_KS0074 3
+#define LCD_TYPE_HANTRONIX 4
+#define LCD_TYPE_NEXCOM 5

/*
* keypad types
@@ -502,7 +502,7 @@ MODULE_PARM_DESC(keypad_type,
static int lcd_type = NOT_SET;
module_param(lcd_type, int, 0000);
MODULE_PARM_DESC(lcd_type,
- "LCD type: 0=none, 1=old //, 2=serial ks0074, 3=hantronix //, 4=nexcom //, 5=compiled-in");
+ "LCD type: 0=none, 1=compiled-in, 2=old, 3=serial ks0074, 4=hantronix, 5=nexcom");

static int lcd_height = NOT_SET;
module_param(lcd_height, int, 0000);

Greg Kroah-Hartman

unread,

May 2, 2015, 3:26:19 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <k.koz...@samsung.com>

commit 1915a718b1872edffcb13e5436a9f7302d3d36f0 upstream.

The return value of power_supply_register() call was not checked and
even on error probe() function returned 0. If registering failed then
during unbind the driver tried to unregister power supply which was not
actually registered.

This could lead to memory corruption because power_supply_unregister()
unconditionally cleans up given power supply.

Fix this by checking return status of power_supply_register() call. In
case of failure, clean up sysfs entries and fail the probe.

Signed-off-by: Krzysztof Kozlowski <k.koz...@samsung.com>
Fixes: 9be0fcb5ed46 ("compal-laptop: add JHL90, battery & hwmon interface")
Signed-off-by: Sebastian Reichel <s...@kernel.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/platform/x86/compal-laptop.c | 4 +++-

1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/platform/x86/compal-laptop.c
+++ b/drivers/platform/x86/compal-laptop.c
@@ -1036,7 +1036,9 @@ static int compal_probe(struct platform_

/* Power supply */
initialize_power_supply_data(data);
- power_supply_register(&compal_device->dev, &data->psy);
+ err = power_supply_register(&compal_device->dev, &data->psy);
+ if (err < 0)
+ goto remove;

platform_set_drvdata(pdev, data);

Greg Kroah-Hartman

unread,

May 2, 2015, 3:26:26 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alistair Strachan <alistair...@imgtec.com>

commit 8e43c9c75faf2902955bd2ecd7a50a8cc41cb00a upstream.

The android_fence_release() function checks for active sync points
by calling list_empty() on the list head embedded on the sync
point. However, it is only valid to use list_empty() on nodes that
have been initialized with INIT_LIST_HEAD() or list_del_init().

Because the list entry has likely been removed from the active list
by sync_timeline_signal(), there is a good chance that this
WARN_ON_ONCE() will be hit due to dangling pointers pointing at
freed memory (even though the sync drivers did nothing wrong)
and memory corruption will ensue as the list entry is removed for
a second time, corrupting the active list.

This problem can be reproduced quite easily with CONFIG_DEBUG_LIST=y
and fences with more than one sync point.

Signed-off-by: Alistair Strachan <alistair...@imgtec.com>
Cc: Maarten Lankhorst <maarten....@canonical.com>
Cc: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Cc: Colin Cross <ccr...@google.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/staging/android/sync.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/android/sync.c
+++ b/drivers/staging/android/sync.c
@@ -114,7 +114,7 @@ void sync_timeline_signal(struct sync_ti
list_for_each_entry_safe(pt, next, &obj->active_list_head,
active_list) {
if (fence_is_signaled_locked(&pt->base))
- list_del(&pt->active_list);
+ list_del_init(&pt->active_list);
}

spin_unlock_irqrestore(&obj->child_list_lock, flags);

Greg Kroah-Hartman

unread,

May 2, 2015, 3:26:43 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <ba...@ti.com>

commit 74bd7b69801819707713b88e9d0bc074efa2f5e7 upstream.

Make sure we're using the new macro, so our
resume signaling will always pass certification.

Signed-off-by: Felipe Balbi <ba...@ti.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/usb/dwc2/hcd.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/dwc2/hcd.c
+++ b/drivers/usb/dwc2/hcd.c
@@ -1521,7 +1521,7 @@ static int dwc2_hcd_hub_control(struct d
dev_dbg(hsotg->dev,
"ClearPortFeature USB_PORT_FEAT_SUSPEND\n");
writel(0, hsotg->regs + PCGCTL);
- usleep_range(20000, 40000);
+ msleep(USB_RESUME_TIMEOUT);

hprt0 = dwc2_read_hprt0(hsotg);
hprt0 |= HPRT0_RES;

Greg Kroah-Hartman

unread,

May 2, 2015, 3:27:02 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Markos Chandras <markos....@imgtec.com>

commit 6eae35485b26f9e51ab896eb8a936bed9908fdf6 upstream.

When emulating a regular lh/lw/lhu/sh/sw we need to use the appropriate
instruction if we are in EVA mode. This is necessary for userspace
applications which trigger alignment exceptions. In such case, the
userspace load/store instruction needs to be emulated with the correct
eva/non-eva instruction by the kernel emulator.

Signed-off-by: Markos Chandras <markos....@imgtec.com>
Fixes: c1771216ab48 ("MIPS: kernel: unaligned: Handle unaligned accesses for EVA")
Cc: linux...@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/9503/
Signed-off-by: Ralf Baechle <ra...@linux-mips.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

arch/mips/kernel/unaligned.c | 52 ++++++++++++++++++++++++++++++++++++++-----
1 file changed, 47 insertions(+), 5 deletions(-)

--- a/arch/mips/kernel/unaligned.c
+++ b/arch/mips/kernel/unaligned.c
@@ -1023,7 +1023,15 @@ static void emulate_load_store_insn(stru
if (!access_ok(VERIFY_READ, addr, 2))
goto sigbus;

- LoadHW(addr, value, res);
+ if (config_enabled(CONFIG_EVA)) {
+ if (segment_eq(get_fs(), get_ds()))
+ LoadHW(addr, value, res);
+ else
+ LoadHWE(addr, value, res);
+ } else {
+ LoadHW(addr, value, res);
+ }
+
if (res)
goto fault;
compute_return_epc(regs);
@@ -1034,7 +1042,15 @@ static void emulate_load_store_insn(stru
if (!access_ok(VERIFY_READ, addr, 4))
goto sigbus;

- LoadW(addr, value, res);
+ if (config_enabled(CONFIG_EVA)) {
+ if (segment_eq(get_fs(), get_ds()))
+ LoadW(addr, value, res);
+ else
+ LoadWE(addr, value, res);
+ } else {
+ LoadW(addr, value, res);
+ }
+
if (res)
goto fault;
compute_return_epc(regs);
@@ -1045,7 +1061,15 @@ static void emulate_load_store_insn(stru
if (!access_ok(VERIFY_READ, addr, 2))
goto sigbus;

- LoadHWU(addr, value, res);
+ if (config_enabled(CONFIG_EVA)) {
+ if (segment_eq(get_fs(), get_ds()))
+ LoadHWU(addr, value, res);
+ else
+ LoadHWUE(addr, value, res);
+ } else {
+ LoadHWU(addr, value, res);
+ }
+
if (res)
goto fault;
compute_return_epc(regs);
@@ -1104,7 +1128,16 @@ static void emulate_load_store_insn(stru

compute_return_epc(regs);
value = regs->regs[insn.i_format.rt];
- StoreHW(addr, value, res);
+
+ if (config_enabled(CONFIG_EVA)) {
+ if (segment_eq(get_fs(), get_ds()))
+ StoreHW(addr, value, res);
+ else
+ StoreHWE(addr, value, res);
+ } else {
+ StoreHW(addr, value, res);
+ }
+
if (res)
goto fault;
break;
@@ -1115,7 +1148,16 @@ static void emulate_load_store_insn(stru

compute_return_epc(regs);
value = regs->regs[insn.i_format.rt];
- StoreW(addr, value, res);
+
+ if (config_enabled(CONFIG_EVA)) {
+ if (segment_eq(get_fs(), get_ds()))
+ StoreW(addr, value, res);
+ else
+ StoreWE(addr, value, res);
+ } else {
+ StoreW(addr, value, res);
+ }
+
if (res)
goto fault;
break;

Greg Kroah-Hartman

unread,

May 2, 2015, 3:30:06 PM5/2/15

to

3.19-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>

[ Upstream commit 2ea2f62c8bda242433809c7f4e9eae1c52c40bbe ]

When I added pfmemalloc support in build_skb(), I forgot netlink
was using build_skb() with a vmalloc() area.

In this patch I introduce __build_skb() for netlink use,
and build_skb() is a wrapper handling both skb->head_frag and
skb->pfmemalloc

This means netlink no longer has to hack skb->head_frag

[ 1567.700067] kernel BUG at arch/x86/mm/physaddr.c:26!
[ 1567.700067] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 1567.700067] Dumping ftrace buffer:
[ 1567.700067] (ftrace buffer empty)
[ 1567.700067] Modules linked in:
[ 1567.700067] CPU: 9 PID: 16186 Comm: trinity-c182 Not tainted 4.0.0-next-20150424-sasha-00037-g4796e21 #2167
[ 1567.700067] task: ffff880127efb000 ti: ffff880246770000 task.ti: ffff880246770000
[ 1567.700067] RIP: __phys_addr (arch/x86/mm/physaddr.c:26 (discriminator 3))
[ 1567.700067] RSP: 0018:ffff8802467779d8 EFLAGS: 00010202
[ 1567.700067] RAX: 000041000ed8e000 RBX: ffffc9008ed8e000 RCX: 000000000000002c
[ 1567.700067] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffffb3fd6049
[ 1567.700067] RBP: ffff8802467779f8 R08: 0000000000000019 R09: ffff8801d0168000
[ 1567.700067] R10: ffff8801d01680c7 R11: ffffed003a02d019 R12: ffffc9000ed8e000
[ 1567.700067] R13: 0000000000000f40 R14: 0000000000001180 R15: ffffc9000ed8e000
[ 1567.700067] FS: 00007f2a7da3f700(0000) GS:ffff8801d1000000(0000) knlGS:0000000000000000
[ 1567.700067] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1567.700067] CR2: 0000000000738308 CR3: 000000022e329000 CR4: 00000000000007e0
[ 1567.700067] Stack:
[ 1567.700067] ffffc9000ed8e000 ffff8801d0168000 ffffc9000ed8e000 ffff8801d0168000
[ 1567.700067] ffff880246777a28 ffffffffad7c0a21 0000000000001080 ffff880246777c08
[ 1567.700067] ffff88060d302e68 ffff880246777b58 ffff880246777b88 ffffffffad9a6821
[ 1567.700067] Call Trace:
[ 1567.700067] build_skb (include/linux/mm.h:508 net/core/skbuff.c:316)
[ 1567.700067] netlink_sendmsg (net/netlink/af_netlink.c:1633 net/netlink/af_netlink.c:2329)
[ 1567.774369] ? sched_clock_cpu (kernel/sched/clock.c:311)
[ 1567.774369] ? netlink_unicast (net/netlink/af_netlink.c:2273)
[ 1567.774369] ? netlink_unicast (net/netlink/af_netlink.c:2273)
[ 1567.774369] sock_sendmsg (net/socket.c:614 net/socket.c:623)
[ 1567.774369] sock_write_iter (net/socket.c:823)
[ 1567.774369] ? sock_sendmsg (net/socket.c:806)
[ 1567.774369] __vfs_write (fs/read_write.c:479 fs/read_write.c:491)
[ 1567.774369] ? get_lock_stats (kernel/locking/lockdep.c:249)
[ 1567.774369] ? default_llseek (fs/read_write.c:487)
[ 1567.774369] ? vtime_account_user (kernel/sched/cputime.c:701)
[ 1567.774369] ? rw_verify_area (fs/read_write.c:406 (discriminator 4))
[ 1567.774369] vfs_write (fs/read_write.c:539)
[ 1567.774369] SyS_write (fs/read_write.c:586 fs/read_write.c:577)
[ 1567.774369] ? SyS_read (fs/read_write.c:577)
[ 1567.774369] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[ 1567.774369] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2594 kernel/locking/lockdep.c:2636)
[ 1567.774369] ? trace_hardirqs_on_thunk (arch/x86/lib/thunk_64.S:42)
[ 1567.774369] system_call_fastpath (arch/x86/kernel/entry_64.S:261)

Fixes: 79930f5892e ("net: do not deplete pfmemalloc reserve")
Signed-off-by: Eric Dumazet <edum...@google.com>
Reported-by: Sasha Levin <sasha...@oracle.com>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---

include/linux/skbuff.h | 1 +
net/core/skbuff.c | 31 ++++++++++++++++++++++---------
net/netlink/af_netlink.c | 6 ++----
3 files changed, 25 insertions(+), 13 deletions(-)

--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -762,6 +762,7 @@ bool skb_try_coalesce(struct sk_buff *to

struct sk_buff *__alloc_skb(unsigned int size, gfp_t priority, int flags,
int node);
+struct sk_buff *__build_skb(void *data, unsigned int frag_size);
struct sk_buff *build_skb(void *data, unsigned int frag_size);
static inline struct sk_buff *alloc_skb(unsigned int size,
gfp_t priority)
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -278,13 +278,14 @@ nodata:
EXPORT_SYMBOL(__alloc_skb);

/**
- * build_skb - build a network buffer
+ * __build_skb - build a network buffer
* @data: data buffer provided by caller
- * @frag_size: size of fragment, or 0 if head was kmalloced
+ * @frag_size: size of data, or 0 if head was kmalloced
*
* Allocate a new &sk_buff. Caller provides space holding head and
* skb_shared_info. @data must have been allocated by kmalloc() only if
- * @frag_size is 0, otherwise data should come from the page allocator.
+ * @frag_size is 0, otherwise data should come from the page allocator
+ * or vmalloc()
* The return is the new skb buffer.
* On a failure the return is %NULL, and @data is not freed.
* Notes :
@@ -295,7 +296,7 @@ EXPORT_SYMBOL(__alloc_skb);
* before giving packet to stack.
* RX rings only contains data buffers, not full skbs.
*/
-struct sk_buff *build_skb(void *data, unsigned int frag_size)
+struct sk_buff *__build_skb(void *data, unsigned int frag_size)
{
struct skb_shared_info *shinfo;
struct sk_buff *skb;
@@ -309,11 +310,6 @@ struct sk_buff *build_skb(void *data, un

memset(skb, 0, offsetof(struct sk_buff, tail));
skb->truesize = SKB_TRUESIZE(size);
- if (frag_size) {
- skb->head_frag = 1;
- if (virt_to_head_page(data)->pfmemalloc)
- skb->pfmemalloc = 1;
- }
atomic_set(&skb->users, 1);
skb->head = data;
skb->data = data;
@@ -330,6 +326,23 @@ struct sk_buff *build_skb(void *data, un

return skb;
}
+
+/* build_skb() is wrapper over __build_skb(), that specifically
+ * takes care of skb->head and skb->pfmemalloc
+ * This means that if @frag_size is not zero, then @data must be backed
+ * by a page fragment, not kmalloc() or vmalloc()
+ */
+struct sk_buff *build_skb(void *data, unsigned int frag_size)
+{
+ struct sk_buff *skb = __build_skb(data, frag_size);
+
+ if (skb && frag_size) {
+ skb->head_frag = 1;
+ if (virt_to_head_page(data)->pfmemalloc)
+ skb->pfmemalloc = 1;
+ }
+ return skb;
+}
EXPORT_SYMBOL(build_skb);

struct netdev_alloc_cache {
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1616,13 +1616,11 @@ static struct sk_buff *netlink_alloc_lar
if (data == NULL)
return NULL;

- skb = build_skb(data, size);
+ skb = __build_skb(data, size);
if (skb == NULL)
vfree(data);
- else {
- skb->head_frag = 0;
+ else
skb->destructor = netlink_skb_destructor;
- }

return skb;

Greg Kroah-Hartman

unread,

May 2, 2015, 3:30:06 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry....@gmail.com>

commit 9535c4757b881e06fae72a857485ad57c422b8d2 upstream.

The hardware, according to the specs, is limited to 256 byte transfers,
and current driver has no protections in case users attempt to do larger
transfers. The code will just stomp over status register and mayhem
ensues.

Let's split larger transfers into digestable chunks. Doing this allows
Atmel MXT driver on Pixel 1 function properly (it hasn't since commit
9d8dc3e529a19e427fd379118acd132520935c5d "Input: atmel_mxt_ts -
implement T44 message handling" which tries to consume multiple
touchscreen/touchpad reports in a single transaction).

Reviewed-by: Chris Wilson <ch...@chris-wilson.co.uk>
Signed-off-by: Dmitry Torokhov <dmitry....@gmail.com>
Signed-off-by: Jani Nikula <jani....@intel.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/gpu/drm/i915/i915_reg.h | 1
drivers/gpu/drm/i915/intel_i2c.c | 66 +++++++++++++++++++++++++++++++++------
2 files changed, 57 insertions(+), 10 deletions(-)

--- a/drivers/gpu/drm/i915/i915_reg.h
+++ b/drivers/gpu/drm/i915/i915_reg.h
@@ -1740,6 +1740,7 @@ enum punit_power_well {
#define GMBUS_CYCLE_INDEX (2<<25)
#define GMBUS_CYCLE_STOP (4<<25)
#define GMBUS_BYTE_COUNT_SHIFT 16
+#define GMBUS_BYTE_COUNT_MAX 256U
#define GMBUS_SLAVE_INDEX_SHIFT 8
#define GMBUS_SLAVE_ADDR_SHIFT 1
#define GMBUS_SLAVE_READ (1<<0)
--- a/drivers/gpu/drm/i915/intel_i2c.c
+++ b/drivers/gpu/drm/i915/intel_i2c.c
@@ -270,18 +270,17 @@ gmbus_wait_idle(struct drm_i915_private
}

static int
-gmbus_xfer_read(struct drm_i915_private *dev_priv, struct i2c_msg *msg,
- u32 gmbus1_index)
+gmbus_xfer_read_chunk(struct drm_i915_private *dev_priv,
+ unsigned short addr, u8 *buf, unsigned int len,
+ u32 gmbus1_index)
{
int reg_offset = dev_priv->gpio_mmio_base;
- u16 len = msg->len;
- u8 *buf = msg->buf;

I915_WRITE(GMBUS1 + reg_offset,
gmbus1_index |
GMBUS_CYCLE_WAIT |
(len << GMBUS_BYTE_COUNT_SHIFT) |
- (msg->addr << GMBUS_SLAVE_ADDR_SHIFT) |
+ (addr << GMBUS_SLAVE_ADDR_SHIFT) |
GMBUS_SLAVE_READ | GMBUS_SW_RDY);
while (len) {
int ret;
@@ -303,11 +302,35 @@ gmbus_xfer_read(struct drm_i915_private
}

static int
-gmbus_xfer_write(struct drm_i915_private *dev_priv, struct i2c_msg *msg)
+gmbus_xfer_read(struct drm_i915_private *dev_priv, struct i2c_msg *msg,
+ u32 gmbus1_index)
{
- int reg_offset = dev_priv->gpio_mmio_base;
- u16 len = msg->len;
u8 *buf = msg->buf;
+ unsigned int rx_size = msg->len;
+ unsigned int len;
+ int ret;
+
+ do {
+ len = min(rx_size, GMBUS_BYTE_COUNT_MAX);
+
+ ret = gmbus_xfer_read_chunk(dev_priv, msg->addr,
+ buf, len, gmbus1_index);
+ if (ret)
+ return ret;
+
+ rx_size -= len;
+ buf += len;
+ } while (rx_size != 0);
+
+ return 0;
+}
+
+static int
+gmbus_xfer_write_chunk(struct drm_i915_private *dev_priv,
+ unsigned short addr, u8 *buf, unsigned int len)
+{
+ int reg_offset = dev_priv->gpio_mmio_base;
+ unsigned int chunk_size = len;
u32 val, loop;

val = loop = 0;
@@ -319,8 +342,8 @@ gmbus_xfer_write(struct drm_i915_private
I915_WRITE(GMBUS3 + reg_offset, val);
I915_WRITE(GMBUS1 + reg_offset,
GMBUS_CYCLE_WAIT |
- (msg->len << GMBUS_BYTE_COUNT_SHIFT) |
- (msg->addr << GMBUS_SLAVE_ADDR_SHIFT) |
+ (chunk_size << GMBUS_BYTE_COUNT_SHIFT) |
+ (addr << GMBUS_SLAVE_ADDR_SHIFT) |
GMBUS_SLAVE_WRITE | GMBUS_SW_RDY);
while (len) {
int ret;
@@ -337,6 +360,29 @@ gmbus_xfer_write(struct drm_i915_private
if (ret)
return ret;
}
+
+ return 0;
+}
+
+static int
+gmbus_xfer_write(struct drm_i915_private *dev_priv, struct i2c_msg *msg)
+{
+ u8 *buf = msg->buf;
+ unsigned int tx_size = msg->len;
+ unsigned int len;
+ int ret;
+
+ do {
+ len = min(tx_size, GMBUS_BYTE_COUNT_MAX);
+
+ ret = gmbus_xfer_write_chunk(dev_priv, msg->addr, buf, len);
+ if (ret)
+ return ret;
+
+ buf += len;
+ tx_size -= len;
+ } while (tx_size != 0);
+
return 0;

Greg Kroah-Hartman

unread,

May 2, 2015, 3:30:06 PM5/2/15

to

3.19-stable review patch. If anyone has any objections, please let me know.

------------------

From: Malcolm Priestley <tvbo...@gmail.com>

commit a6388e68321a1e0a0f408379c2a36396807745b3 upstream.

Information for packet type is in ieee80211_tx_info

band IEEE80211_BAND_5GHZ for PK_TYPE_11A.

IEEE80211_TX_RC_USE_CTS_PROTECT via tx_rate flags selects PK_TYPE_11GB

This ensures that the packet is always the right type.

Signed-off-by: Malcolm Priestley <tvbo...@gmail.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/staging/vt6655/rxtx.c | 14 +++++++++++---

1 file changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/staging/vt6655/rxtx.c
+++ b/drivers/staging/vt6655/rxtx.c
@@ -1309,10 +1309,18 @@ int vnt_generate_fifo_header(struct vnt_
priv->hw->conf.chandef.chan->hw_value);
}

- if (current_rate > RATE_11M)
- pkt_type = (u8)priv->byPacketType;
- else
+ if (current_rate > RATE_11M) {
+ if (info->band == IEEE80211_BAND_5GHZ) {
+ pkt_type = PK_TYPE_11A;
+ } else {
+ if (tx_rate->flags & IEEE80211_TX_RC_USE_CTS_PROTECT)
+ pkt_type = PK_TYPE_11GB;
+ else
+ pkt_type = PK_TYPE_11GA;
+ }
+ } else {
pkt_type = PK_TYPE_11B;
+ }

/*Set fifo controls */
if (pkt_type == PK_TYPE_11A)

Greg Kroah-Hartman

unread,

May 2, 2015, 3:30:06 PM5/2/15

to

4.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Joonsoo Kim <iamjoon...@lge.com>

commit 84fce9db4d7eaebd6cb2ee30c15da6d4e4daf846 upstream.

There is a problem that trace events are not properly enabled with
boot cmdline. The problem is that if we pass "trace_event=kmem:mm_page_alloc"
to the boot cmdline, it enables all kmem trace events, and not just
the page_alloc event.

This is caused by the parsing mechanism. When we parse the cmdline, the buffer
contents is modified due to tokenization. And, if we use this buffer
again, we will get the wrong result.

Unfortunately, this buffer is be accessed three times to set trace events
properly at boot time. So, we need to handle this situation.

There is already code handling ",", but we need another for ":".
This patch adds it.

Link: http://lkml.kernel.org/r/1429159484-22977-1-git-s...@lge.com

Signed-off-by: Joonsoo Kim <iamjoon...@lge.com>
[ added missing return ret; ]
Signed-off-by: Steven Rostedt <ros...@goodmis.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

kernel/trace/trace_events.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -565,6 +565,7 @@ static int __ftrace_set_clr_event(struct
static int ftrace_set_clr_event(struct trace_array *tr, char *buf, int set)
{
char *event = NULL, *sub = NULL, *match;
+ int ret;

/*
* The buf format can be <subsystem>:<event-name>
@@ -590,7 +591,13 @@ static int ftrace_set_clr_event(struct t
event = NULL;
}

- return __ftrace_set_clr_event(tr, match, sub, event, set);
+ ret = __ftrace_set_clr_event(tr, match, sub, event, set);
+
+ /* Put back the colon to allow this to be called again */
+ if (buf)
+ *(buf - 1) = ':';
+
+ return ret;
}

/**

[PATCH 4.0 004/220] tcp: fix possible deadlock in tcp_send_fin()

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman