commit acd21d848252d8ea06b19066b675391d012b1737 Author: Greg Kroah-Hartman Date: Mon Oct 31 06:15:26 2016 -0600 Linux 4.4.29 commit 590a3edaa4ffd6b6894b4f8dcb908db20994b6c1 Author: Robert Jarzmik Date: Sun Sep 4 20:59:45 2016 +0200 ARM: pxa: pxa_cplds: fix interrupt handling commit 9ba63e3cc849cdaf3b675c47cc51fe35419e5117 upstream. Since its initial commit, the driver is buggy for multiple interrupts handling. The translation from the former lubbock.c file was not complete, and might stall all interrupt handling when multiple interrupts occur. This is especially true when inside the interrupt handler and if a new interrupt comes and is not handled, leaving the output line still held, and not creating a transition as the GPIO block behind would expect to trigger another cplds_irq_handler() call. For the record, the hardware is working as follows. The interrupt mechanism relies on : - one status register - one mask register Let's suppose the input irq lines are called : - i_sa1111 - i_lan91x - i_mmc_cd Let's suppose the status register for each irq line is called : - status_sa1111 - status_lan91x - status_mmc_cd Let's suppose the interrupt mask for each irq line is called : - irqen_sa1111 - irqen_lan91x - irqen_mmc_cd Let's suppose the output irq line, connected to GPIO0 is called : - o_gpio0 The behavior is as follows : - o_gpio0 = not((status_sa1111 & irqen_sa1111) | (status_lan91x & irqen_lan91x) | (status_mmc_cd & irqen_mmc_cd)) => this is a N-to-1 NOR gate and multiple AND gates - irqen_* is exactly as programmed by a write to the FPGA - status_* behavior is governed by a bi-stable D flip-flop => on next FPGA clock : - if i_xxx is high, status_xxx becomes 1 - if i_xxx is low, status_xxx remains as it is - if software sets status_xxx to 0, the D flip-flop is reset => status_xxx becomes 0 => on next FPGA clock cycle, if i_xxx is high, status_xxx becomes 1 again Fixes: fc9e38c0f4d3 ("ARM: pxa: lubbock: use new pxa_cplds driver") Reported-by: Russell King Signed-off-by: Robert Jarzmik Signed-off-by: Greg Kroah-Hartman commit cccc670b51375081667db9d0d516818c5cddfe02 Author: Pan Xinhui Date: Thu Dec 10 15:30:02 2015 +0800 powerpc/nvram: Fix an incorrect partition merge commit 11b7e154b132232535befe51c55db048069c8461 upstream. When we merge two contiguous partitions whose signatures are marked NVRAM_SIG_FREE, We need update prev's length and checksum, then write it to nvram, not cur's. So lets fix this mistake now. Also use memset instead of strncpy to set the partition's name. It's more readable if we want to fill up with duplicate chars . Fixes: fa2b4e54d41f ("powerpc/nvram: Improve partition removal") Signed-off-by: Pan Xinhui Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 2577121578e1857f6438d182ffa1f34d5c9cc8c8 Author: Johannes Thumshirn Date: Wed Aug 3 15:00:18 2016 +0200 mpt3sas: Don't spam logs if logging level is 0 commit 0d667f72b2a20bbac72bec0ab11467fc70bb0f1f upstream. In _scsih_io_done() we test if the ioc->logging_level does _not_ have the MPT_DEBUG_REPLY bit set and if it hasn't we print the debug messages. This unfortunately is the wrong way around. Note, the actual bug is older than af0094115 but this commit removed the CONFIG_SCSI_MPT3SAS_LOGGING Kconfig option which hid the bug. Fixes: af0094115 'mpt2sas, mpt3sas: Remove SCSI_MPTXSAS_LOGGING entry from Kconfig' Signed-off-by: Johannes Thumshirn Acked-by: Chaitra P B Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit c60955f44624946f937844c812e1e52a26742249 Author: Arnaldo Carvalho de Melo Date: Thu Sep 1 11:00:23 2016 -0300 perf symbols: Fixup symbol sizes before picking best ones commit 432746f8e0b6a82ba832b771afe31abd51af6752 upstream. When we call symbol__fixup_duplicate() we use algorithms to pick the "best" symbols for cases where there are various functions/aliases to an address, and those check zero size symbols, which, before calling symbol__fixup_end() are _all_ symbols in a just parsed kallsyms file. So first fixup the end, then fixup the duplicates. Found while trying to figure out why 'perf test vmlinux' failed, see the output of 'perf test -v vmlinux' to see cases where the symbols picked as best for vmlinux don't match the ones picked for kallsyms. Cc: Anton Blanchard Cc: Adrian Hunter Cc: David Ahern Cc: Jiri Olsa Cc: Masami Hiramatsu Cc: Namhyung Kim Cc: Wang Nan Fixes: 694bf407b061 ("perf symbols: Add some heuristics for choosing the best duplicate symbol") Link: http://lkml.kernel.org/n/tip-rxqvdgr0mqjdxee0kf8i2ufn@git.kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit 8d31e5f9949ddbf6b700a71c4a7b68d612df1b9c Author: Arnaldo Carvalho de Melo Date: Thu Sep 1 10:56:06 2016 -0300 perf symbols: Check symbol_conf.allow_aliases for kallsyms loading too commit c97b40e4d15f13a36cd037d598e45cbe9e1e5757 upstream. We can allow aliases to be kept, but we were checking this just when loading vmlinux files, be consistent, do it for any symbol table loading code that calls symbol__fixup_duplicate() by making this function check .allow_aliases instead. Cc: Adrian Hunter Cc: David Ahern Cc: Jiri Olsa Cc: Masami Hiramatsu Cc: Namhyung Kim Cc: Wang Nan Fixes: 680d926a8cb0 ("perf symbols: Allow symbol alias when loading map for symbol name") Link: http://lkml.kernel.org/n/tip-z0avp0s6cfjckc4xj3pdfjdz@git.kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit 349eb2cf6d72b29228d4fb673faa26fec49ffd84 Author: Namhyung Kim Date: Mon Sep 12 15:19:52 2016 +0900 perf hists browser: Fix event group display commit d9ea48bc4e7cc297ca1073fa3f90ed80d964b7b4 upstream. Milian reported that the event group on TUI shows duplicated overhead. This was due to a bug on calculating hpp->buf position. The hpp_advance() was called from __hpp__slsmg_color_printf() on TUI but it's already called from the hpp__call_print_fn macro in __hpp__fmt(). The end result is that the print function returns number of bytes it printed but the buffer advanced twice of the length. This is generally not a problem since it doesn't need to access the buffer again. But with event group, overhead needs to be printed multiple times and hist_entry__snprintf_alignment() tries to fill the space with buffer after it printed. So it (brokenly) showed the last overhead again. The bug was there from the beginning, but I think it's only revealed when the alignment function was added. Reported-by: Milian Wolff Signed-off-by: Namhyung Kim Cc: Andi Kleen Cc: Jiri Olsa Cc: Peter Zijlstra Fixes: 89fee7094323 ("perf hists: Do column alignment on the format iterator") Link: http://lkml.kernel.org/r/20160912061958.16656-2-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit c869f386bbfdd9e19148b7ab60b8ea4fec676ec8 Author: Geert Uytterhoeven Date: Fri Aug 12 14:37:54 2016 +0200 clk: divider: Fix clk_divider_round_rate() to use clk_readl() commit 2cf9a57811bddb6fa6b0f8d7376da164d5534813 upstream. clk-divider uses clk_readl()/clk_writel() everywhere, except in clk_divider_round_rate(), where plain readl() is used. Change this to clk_readl(), as it makes a difference on powerpc. Fixes: e6d5e7d90be92cee ("clk-divider: Fix READ_ONLY when divider > 1") Signed-off-by: Geert Uytterhoeven Reviewed-by: James Hogan Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 122b5c3c15b3ff8e5fc06c2ea318603ede85acc7 Author: Tang Yuantian Date: Mon Aug 15 15:28:20 2016 +0800 clk: qoriq: fix a register offset error commit 8964193f6bfda5c4cf14eedb7e94892c1f1c34f0 upstream. The offset of Core Cluster clock control/status register on cluster group V3 version is different from others, and should be plus 0x70000. Signed-off-by: Tang Yuantian Reviewed-by: Scott Wood Fixes: 9e19ca2f627e ("clk: qoriq: Add ls2080a support.") Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 9c72ae999e4f9c1619a154851aedbb35e1ad95f2 Author: Sascha Silbe Date: Tue Sep 20 19:09:07 2016 +0200 s390/con3270: fix insufficient space padding commit 6cd997db911f28f2510b771691270c52b63ed2e6 upstream. con3270 contains an optimisation that reduces the amount of data to be transmitted to the 3270 terminal by putting a Repeat to Address (RA) order into the data stream. The RA order itself takes up space, so con3270 only uses it if there's enough space left in the line buffer. Otherwise it just pads out the line manually. For lines that were _just_ short enough that the RA order still fit in the line buffer, the line was instead padded with an insufficient amount of spaces. This was caused by examining the size of the allocated line buffer rather than the length of the string to be displayed. For con3270_cline_end(), we just compare against the line length. For con3270_update_string() however that isn't available anymore, so we check whether the Repeat to Address order is present. Fixes: f51320a5 ("[PATCH] s390: new 3270 driver.") (tglx/history.git) Tested-by: Jing Liu Tested-by: Yang Chen Signed-off-by: Sascha Silbe Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 8b477849186cbdc701a979460bad298a17f40649 Author: Sascha Silbe Date: Thu Aug 11 21:34:54 2016 +0200 s390/con3270: fix use of uninitialised data commit c14f2aac7aa147861793eed9f41f91dd530f0be1 upstream. con3270 contains an optimisation that reduces the amount of data to be transmitted to the 3270 terminal by putting a Repeat to Address (RA) order into the data stream. The RA order itself takes up space, so con3270 only uses it if there's enough space left in the line buffer. Otherwise it just pads out the line manually. For lines too long to include the RA order, one byte was left uninitialised. This was caused by an off-by-one bug in the loop that pads out the line. Since the buffer is allocated from a common pool, the single byte left uninitialised contained some previous buffer content. Usually this was just a space or some character (which can result in clutter but is otherwise harmless). Sometimes, however, it was a Repeat to Address order, messing up the entire screen layout and causing the display to send the entire buffer content on every keystroke. Fixes: f51320a5 ("[PATCH] s390: new 3270 driver.") (tglx/history.git) Reported-by: Liu Jing Tested-by: Jing Liu Tested-by: Yang Chen Signed-off-by: Sascha Silbe Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 5266d3d15f832a98e294422541e3c13949d6aabe Author: Sebastian Ott Date: Wed Sep 28 13:36:19 2016 +0200 s390/cio: fix accidental interrupt enabling during resume commit d53c51f26145657aa7c55fa396f93677e613548d upstream. Since commit 9f3d6d7 chsc_get_channel_measurement_chars is called with interrupts disabled during resume from hibernate. Since this function used spin_unlock_irq, interrupts have been enabled accidentally. Fix this by using the irqsave variant. Since we can't guarantee the IRQ-enablement state for all (future/ external) callers, change the locking in related functions to prevent similar bugs in the future. Fixes: 9f3d6d7 ("s390/cio: update measurement characteristics") Signed-off-by: Sebastian Ott Reviewed-by: Peter Oberparleiter Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit fcf5e5198b447969ed2a56ec335dae3c695a6b46 Author: Tony Luck Date: Wed Feb 17 10:20:12 2016 -0800 x86/mm: Expand the exception table logic to allow new handling options commit 548acf19234dbda5a52d5a8e7e205af46e9da840 upstream. Huge amounts of help from Andy Lutomirski and Borislav Petkov to produce this. Andy provided the inspiration to add classes to the exception table with a clever bit-squeezing trick, Boris pointed out how much cleaner it would all be if we just had a new field. Linus Torvalds blessed the expansion with: ' I'd rather not be clever in order to save just a tiny amount of space in the exception table, which isn't really criticial for anybody. ' The third field is another relative function pointer, this one to a handler that executes the actions. We start out with three handlers: 1: Legacy - just jumps the to fixup IP 2: Fault - provide the trap number in %ax to the fixup code 3: Cleaned up legacy for the uaccess error hack Signed-off-by: Tony Luck Reviewed-by: Borislav Petkov Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/f6af78fcbd348cf4939875cfda9c19689b5e50b8.1455732970.git.tony.luck@intel.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 90bc49cd66f5cf28f3b1d5bf4621e5569c1b4901 Author: Arnd Bergmann Date: Sat Sep 3 01:22:02 2016 +0200 dmaengine: ipu: remove bogus NO_IRQ reference commit 86c7e6836479c4045a9a81ed5ea76c51d719f9c1 upstream. A workaround for a warning introduced a use of the NO_IRQ macro that should have been gone for a long time. It is clear from the code that the value cannot actually be used, but apparently there was a configuration at some point that caused a warning, so instead of just reverting that patch, this rearranges the code in a way that the warning cannot reappear. Signed-off-by: Arnd Bergmann Fixes: 6ef41cf6f721 ("dmaengine :ipu: change ipu_irq_handler() to remove compile warning") Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 936ea759b70591231f47b10fd8fde20d8d210c2b Author: Georges Savoundararadj Date: Wed Sep 7 18:38:15 2016 -0700 power: bq24257: Fix use of uninitialized pointer bq->charger commit 0610735928ee47870e083d5901caa371089216f1 upstream. bq->charger is initialized in bq24257_power_supply_init. Therefore, bq24257_power_supply_init should be called before the registration of the IRQ handler bq24257_irq_handler_thread that calls power_supply_changed(bq->charger). Signed-off-by: Georges Savoundararadj Cc: Aurelien Chanot Cc: Andreas Dannenberg Cc: Sebastian Reichel Cc: David Woodhouse Fixes: 2219a935963e ("power_supply: Add TI BQ24257 charger driver") Signed-off-by: Sebastian Reichel Signed-off-by: Greg Kroah-Hartman commit fb911dfec0b0186d64604bbbf62dfdbb42a1aa79 Author: Larry Finger Date: Sun Jun 5 14:11:19 2016 -0500 staging: r8188eu: Fix scheduling while atomic splat commit 1335a9516d3d52f157ad87456efdd8dc9ae1747b upstream. Commit fadbe0cd5292851608e2e01b91d9295fa287b9fe ("staging: rtl8188eu: Remove rtw_zmalloc(), wrapper for kzalloc()") changed all allocation calls to be GFP_KERNEL even though the original wrapper was testing to determine if the caller was in atomic mode. Most of the mistakes were corrected with commit 33dc85c3c667209c930b2dac5ccbc2a365e06b7a ("staging: r8188eu: Fix scheduling while atomic error introduced in commit fadbe0cd"); however, two kzalloc calls were missed as the call only happens when the driver is shutting down. Fixes: fadbe0cd5292851608e2e01b91d9295fa287b9fe ("staging: rtl8188eu: Remove rtw_zmalloc(), wrapper for kzalloc()") Signed-off-by: Larry Finger Cc: navin patidar Signed-off-by: Greg Kroah-Hartman commit fb257da3e81d53cd373980b317ec0352ad5c151c Author: Chen-Yu Tsai Date: Sat Aug 27 19:28:00 2016 +0800 ASoC: dapm: Fix kcontrol creation for output driver widget commit a3930ed060df4ccf2a06cf0b68738dec3e6ff89a upstream. Commit d88429a695a4 ("ASoC: dapm: Add output driver widget") added the snd_soc_dapm_out_drv ID for the output driver widget, which is the same as the PGA widget, with a later power sequence number. Commit 19a2557b76d6 ("ASoC: dapm: Add kcontrol support for PGAs") then added kcontrol support for PGA widgets, but failed to account for output driver widgets. Attempts to use kcontrols with output driver widgets result in silent failures, with the developer having little idea about what went on. Add snd_soc_dapm_out_drv to the switch/case block under snd_soc_dapm_pga in dapm_create_or_share_kcontrol, since they are essentially the same. Fixes: 19a2557b76d6 (ASoC: dapm: Add kcontrol support for PGAs) Signed-off-by: Chen-Yu Tsai Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit de0b70569c1ec41b2c7d7464c5dac36ebdf1c735 Author: Chen-Yu Tsai Date: Sat Aug 27 19:27:59 2016 +0800 ASoC: dapm: Fix value setting for _ENUM_DOUBLE MUX's second channel commit 071133a209354f39d4e5785d5a6a390e03241841 upstream. The value for the second channel in _ENUM_DOUBLE (double channel) MUXs is not correctly updated, due to using the wrong bit shift. Use the correct bit shift, so both channels toggle together. Fixes: 3727b4968453 (ASoC: dapm: Consolidate MUXs and value MUXs) Signed-off-by: Chen-Yu Tsai Reviewed-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 41201d18e2c40d82bb022b382c417c216c91fbbb Author: Chen-Yu Tsai Date: Sat Aug 27 19:27:58 2016 +0800 ASoC: dapm: Fix possible uninitialized variable in snd_soc_dapm_get_volsw() commit 01ad5e7de67b408d9b48b437b06a9938ddf460b5 upstream. If soc_dapm_read() fails, val will be uninitialized, and bogus values will be written later: ret = soc_dapm_read(dapm, reg, &val); val = (val >> shift) & mask; However, the compiler does not give a warning. Return on error before val is really used to avoid this. This is similar to the commit 6912831623c5 ("ASoC: dapm: Fix uninitialized variable in snd_soc_dapm_get_enum_double()") Fixes: ce0fc93ae56e (ASoC: Add DAPM support at the component level) Signed-off-by: Chen-Yu Tsai Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 41b4b00e6daa22c75bd6a8961fa2aef3370c9d8c Author: Wei Yongjun Date: Wed Aug 10 13:43:12 2016 +0000 ASoC: topology: Fix error return code in soc_tplg_dapm_widget_create() commit 8ae3ea48df0d746b663057cf0b972a18d0777b7b upstream. Fix to return error code -ENOMEM instead of 0 when failed to create widget, as done elsewhere in this function. Fixes: 8a9782346dcc ("ASoC: topology: Add topology core") Signed-off-by: Wei Yongjun Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 1ea1d49d1630c1617cd04489faf419b0aeb18bfa Author: Dave Gerlach Date: Tue Sep 20 10:25:40 2016 -0500 hwrng: omap - Only fail if pm_runtime_get_sync returns < 0 commit ad8529fde9e3601180a839867a8ab041109aebb5 upstream. Currently omap-rng checks the return value of pm_runtime_get_sync and reports failure if anything is returned, however it should be checking if ret < 0 as pm_runtime_get_sync return 0 on success but also can return 1 if the device was already active which is not a failure case. Only values < 0 are actual failures. Fixes: 61dc0a446e5d ("hwrng: omap - Fix assumption that runtime_get_sync will always succeed") Signed-off-by: Dave Gerlach Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 2b1309856d5b4604bf0aaa403ee674fe6a6880d6 Author: Ard Biesheuvel Date: Thu Sep 1 14:25:42 2016 +0100 crypto: arm/ghash-ce - add missing async import/export commit ed4767d612fd2c39e2c4c69eba484c1219dcddb6 upstream. Since commit 8996eafdcbad ("crypto: ahash - ensure statesize is non-zero"), all ahash drivers are required to implement import()/export(), and must have a non-zero statesize. Fix this for the ARM Crypto Extensions GHASH implementation. Fixes: 8996eafdcbad ("crypto: ahash - ensure statesize is non-zero") Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 5171c1660e9c0d9ed1a44ada59a45b85eb1f2ef6 Author: Ondrej Mosnáček Date: Fri Sep 23 10:47:32 2016 +0200 crypto: gcm - Fix IV buffer size in crypto_gcm_setkey commit 50d2e6dc1f83db0563c7d6603967bf9585ce934b upstream. The cipher block size for GCM is 16 bytes, and thus the CTR transform used in crypto_gcm_setkey() will also expect a 16-byte IV. However, the code currently reserves only 8 bytes for the IV, causing an out-of-bounds access in the CTR transform. This patch fixes the issue by setting the size of the IV buffer to 16 bytes. Fixes: 84c911523020 ("[CRYPTO] gcm: Add support for async ciphers") Signed-off-by: Ondrej Mosnacek Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit b31602293c200928cf8d90c13738a90392757ac4 Author: Xinming Hu Date: Tue Aug 9 20:20:44 2016 +0530 mwifiex: correct aid value during tdls setup commit b64db1b252e9974a43a51ba083fa7d03e4716167 upstream. AID gets updated during TDLS setup, but modified value isn't reflected in "priv->assoc_rsp_buf". This causes TDLS setup failure. The problem is fixed here. Fixes: 4aff53ef18e4a4 ("mwifiex: parsing aid while receiving..") Signed-off-by: Xinming Hu Signed-off-by: Amitkumar Karwar Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit a5a7f1e5ea0135c5794a80ebe228fbb8d011c01f Author: Wei Yongjun Date: Sat Aug 20 15:25:32 2016 +0000 spi: spi-fsl-dspi: Drop extra spi_master_put in device remove function commit 6999aeabbb703a81a204cb6f9f8f151759a99ac4 upstream. The call sequence spi_alloc_master/spi_register_master/spi_unregister_master is complete; it reduces the device reference count to zero, which and results in device memory being freed. The subsequent call to spi_master_put is unnecessary and results in an access to free memory. Drop it. Fixes: 9298bc727385 ("spi: spi-fsl-dspi: Remove spi-bitbang") Signed-off-by: Wei Yongjun Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit fdf85ceaf04aca4f61cb2b967ad6171151fc1f7f Author: Uwe Kleine-König Date: Thu Sep 8 11:30:21 2016 +0200 ARM: clk-imx35: fix name for ckil clk commit fcff03813a7c612873303037cef5ba0329850c35 upstream. This fixes [ 0.000000] i.MX clk 82: register failed with -17 because the name is duplicated. Signed-off-by: Uwe Kleine-König Fixes: 3713e3f5e927 ("clk: imx35: define two clocks for rtc") Acked-by: Shawn Guo Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 4d0842a484407d6d470e57dff30e414f365af1ad Author: Jan Viktorin Date: Tue May 17 11:22:17 2016 +0200 uio: fix dmem_region_start computation commit 4d31a2588ae37a5d0f61f4d956454e9504846aeb upstream. The variable i contains a total number of resources (including IORESOURCE_IRQ). However, we want the dmem_region_start to point after the last resource of type IORESOURCE_MEM. The original behaviour leads (very likely) to skipping several UIO mapping regions and makes them useless. Fix this by computing dmem_region_start from the uiomem which points to the last used UIO mapping. Fixes: 0a0c3b5a24bd ("Add new uio device for dynamic memory allocation") Signed-off-by: Jan Viktorin Signed-off-by: Greg Kroah-Hartman commit f2c4508a35a1e4aba0f910ba41c7001bb7801cfe Author: Sebastian Frias Date: Mon Aug 1 16:27:38 2016 +0200 genirq/generic_chip: Add irq_unmap callback commit ee26c013cdee0b947e29d6cadfb9ff3341c69ff9 upstream. Without this patch irq_domain_disassociate() cannot properly release the interrupt. In fact, irq_map_generic_chip() checks a bit on 'gc->installed' but said bit is never cleared, only set. Commit 088f40b7b027 ("genirq: Generic chip: Add linear irq domain support") added irq_map_generic_chip() function and also stated "This lacks a removal function for now". This commit provides an implementation of an unmap function that can be called by irq_domain_disassociate(). [ tglx: Made the function static and removed the export as we have neither a prototype nor a modular user. ] Fixes: 088f40b7b027 ("genirq: Generic chip: Add linear irq domain support") Signed-off-by: Sebastian Frias Cc: Marc Zyngier Cc: Mason Cc: Jason Cooper Link: http://lkml.kernel.org/r/579F5C5A.2070507@laposte.net Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 7629c7ef5291f692949e8ce1630db9a550e6e62f Author: Jiri Olsa Date: Wed Feb 3 08:43:56 2016 +0100 perf stat: Fix interval output values commit 51fd2df1e882a3c2a3f4b6c9ff243a93c9046dba upstream. We broke interval data displays with commit: 3f416f22d1e2 ("perf stat: Do not clean event's private stats") This commit removed stats cleaning, which is important for '-r' option to carry counters data over the whole run. But it's necessary to clean it for interval mode, otherwise the displayed value is avg of all previous values. Before: $ perf stat -e cycles -a -I 1000 record # time counts unit events 1.000240796 75,216,287 cycles 2.000512791 107,823,524 cycles $ perf stat report # time counts unit events 1.000240796 75,216,287 cycles 2.000512791 91,519,906 cycles Now: $ perf stat report # time counts unit events 1.000240796 75,216,287 cycles 2.000512791 107,823,524 cycles Notice the second value being bigger (91,.. < 107,..). This could be easily verified by using perf script which displays raw stat data: $ perf script CPU THREAD VAL ENA RUN TIME EVENT 0 -1 23855779 1000209530 1000209530 1000240796 cycles 1 -1 33340397 1000224964 1000224964 1000240796 cycles 2 -1 15835415 1000226695 1000226695 1000240796 cycles 3 -1 2184696 1000228245 1000228245 1000240796 cycles 0 -1 97014312 2000514533 2000514533 2000512791 cycles 1 -1 46121497 2000543795 2000543795 2000512791 cycles 2 -1 32269530 2000543566 2000543566 2000512791 cycles 3 -1 7634472 2000544108 2000544108 2000512791 cycles The sum of the first 4 values is the first interval aggregated value: 23855779 + 33340397 + 15835415 + 2184696 = 75,216,287 The sum of the second 4 values minus first value is the second interval aggregated value: 97014312 + 46121497 + 32269530 + 7634472 - 75216287 = 107,823,524 Signed-off-by: Jiri Olsa Cc: Andi Kleen Cc: David Ahern Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Stephane Eranian Link: http://lkml.kernel.org/r/1454485436-20639-1-git-send-email-jolsa@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Cc: Jeremy Linton Signed-off-by: Greg Kroah-Hartman commit e6cd4f09b48e762a4e447044632a5bf9e01a4ae8 Author: Russell Currey Date: Mon Sep 12 14:17:22 2016 +1000 powerpc/eeh: Null check uses of eeh_pe_bus_get commit 04fec21c06e35b169a83e75a84a015ab4606bf5e upstream. eeh_pe_bus_get() can return NULL if a PCI bus isn't found for a given PE. Some callers don't check this, and can cause a null pointer dereference under certain circumstances. Fix this by checking NULL everywhere eeh_pe_bus_get() is called. Fixes: 8a6b1bc70dbb ("powerpc/eeh: EEH core to handle special event") Cc: stable@vger.kernel.org # v3.11+ Signed-off-by: Russell Currey Reviewed-by: Andrew Donnellan Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 9f9818f8c1cf44055634297247620be4755e7af2 Author: Jesse Gross Date: Sat Mar 19 09:32:02 2016 -0700 tunnels: Remove encapsulation offloads on decap. commit a09a4c8dd1ec7f830e1fb9e59eb72bddc965d168 upstream. If a packet is either locally encapsulated or processed through GRO it is marked with the offloads that it requires. However, when it is decapsulated these tunnel offload indications are not removed. This means that if we receive an encapsulated TCP packet, aggregate it with GRO, decapsulate, and retransmit the resulting frame on a NIC that does not support encapsulation, we won't be able to take advantage of hardware offloads even though it is just a simple TCP packet at this point. This fixes the problem by stripping off encapsulation offload indications when packets are decapsulated. The performance impacts of this bug are significant. In a test where a Geneve encapsulated TCP stream is sent to a hypervisor, GRO'ed, decapsulated, and bridged to a VM performance is improved by 60% (5Gbps->8Gbps) as a result of avoiding unnecessary segmentation at the VM tap interface. Reported-by: Ramu Ramamurthy Fixes: 68c33163 ("v4 GRE: Add TCP segmentation offload for GRE") Signed-off-by: Jesse Gross Signed-off-by: David S. Miller (backported from commit a09a4c8dd1ec7f830e1fb9e59eb72bddc965d168) [adapt iptunnel_pull_header arguments, avoid 7f290c9] Signed-off-by: Stefan Bader Signed-off-by: Juerg Haefliger Signed-off-by: Greg Kroah-Hartman commit 5699b3431e0b14736867484b8669ead2d40f575e Author: Jesse Gross Date: Sat Mar 19 09:32:01 2016 -0700 tunnels: Don't apply GRO to multiple layers of encapsulation. commit fac8e0f579695a3ecbc4d3cac369139d7f819971 upstream. When drivers express support for TSO of encapsulated packets, they only mean that they can do it for one layer of encapsulation. Supporting additional levels would mean updating, at a minimum, more IP length fields and they are unaware of this. No encapsulation device expresses support for handling offloaded encapsulated packets, so we won't generate these types of frames in the transmit path. However, GRO doesn't have a check for multiple levels of encapsulation and will attempt to build them. UDP tunnel GRO actually does prevent this situation but it only handles multiple UDP tunnels stacked on top of each other. This generalizes that solution to prevent any kind of tunnel stacking that would cause problems. Fixes: bf5a755f ("net-gre-gro: Add GRE support to the GRO stack") Signed-off-by: Jesse Gross Signed-off-by: David S. Miller Signed-off-by: Juerg Haefliger Signed-off-by: Greg Kroah-Hartman commit 419cabdcc4818dd06a1827e5e84df7738900a458 Author: Jesse Gross Date: Sat Mar 19 09:32:00 2016 -0700 ipip: Properly mark ipip GRO packets as encapsulated. commit b8cba75bdf6a48ea4811bbefb11a94a5c7281b68 upstream. ipip encapsulated packets can be merged together by GRO but the result does not have the proper GSO type set or even marked as being encapsulated at all. Later retransmission of these packets will likely fail if the device does not support ipip offloads. This is similar to the issue resolved in IPv6 sit in feec0cb3 ("ipv6: gro: support sit protocol"). Reported-by: Patrick Boutilier Fixes: 9667e9bb ("ipip: Add gro callbacks to ipip offload") Tested-by: Patrick Boutilier Acked-by: Eric Dumazet Signed-off-by: Jesse Gross Signed-off-by: David S. Miller Signed-off-by: Juerg Haefliger Signed-off-by: Greg Kroah-Hartman commit 57c9cfdb61ea270936fab76da99a742c6ef0b86f Author: Jan Kara Date: Mon Sep 19 17:39:09 2016 +0200 posix_acl: Clear SGID bit when setting file permissions commit 073931017b49d9458aa351605b43a7e34598caef upstream. When file permissions are modified via chmod(2) and the user is not in the owning group or capable of CAP_FSETID, the setgid bit is cleared in inode_change_ok(). Setting a POSIX ACL via setxattr(2) sets the file permissions as well as the new ACL, but doesn't clear the setgid bit in a similar way; this allows to bypass the check in chmod(2). Fix that. References: CVE-2016-7097 Reviewed-by: Christoph Hellwig Reviewed-by: Jeff Layton Signed-off-by: Jan Kara Signed-off-by: Andreas Gruenbacher Signed-off-by: Greg Kroah-Hartman commit b82a7f93b4e60d8689d8f4e687ef58ed2098739f Author: Arend Van Spriel Date: Mon Sep 5 10:45:47 2016 +0100 brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap() commit ded89912156b1a47d940a0c954c43afbabd0c42c upstream. User-space can choose to omit NL80211_ATTR_SSID and only provide raw IE TLV data. When doing so it can provide SSID IE with length exceeding the allowed size. The driver further processes this IE copying it into a local variable without checking the length. Hence stack can be corrupted and used as exploit. Reported-by: Daxing Guo Reviewed-by: Hante Meuleman Reviewed-by: Pieter-Paul Giesberts Reviewed-by: Franky Lin Signed-off-by: Arend van Spriel Signed-off-by: Kalle Valo Signed-off-by: Juerg Haefliger Signed-off-by: Greg Kroah-Hartman commit b5784d4209810937eebdd66d792d9ee02c886c5f Author: Gerald Schaefer Date: Fri Oct 7 17:01:07 2016 -0700 mm/hugetlb: fix memory offline with hugepage size > memory block size commit 2247bb335ab9c40058484cac36ea74ee652f3b7b upstream. Patch series "mm/hugetlb: memory offline issues with hugepages", v4. This addresses several issues with hugepages and memory offline. While the first patch fixes a panic, and is therefore rather important, the last patch is just a performance optimization. The second patch fixes a theoretical issue with reserved hugepages, while still leaving some ugly usability issue, see description. This patch (of 3): dissolve_free_huge_pages() will either run into the VM_BUG_ON() or a list corruption and addressing exception when trying to set a memory block offline that is part (but not the first part) of a "gigantic" hugetlb page with a size > memory block size. When no other smaller hugetlb page sizes are present, the VM_BUG_ON() will trigger directly. In the other case we will run into an addressing exception later, because dissolve_free_huge_page() will not work on the head page of the compound hugetlb page which will result in a NULL hstate from page_hstate(). To fix this, first remove the VM_BUG_ON() because it is wrong, and then use the compound head page in dissolve_free_huge_page(). This means that an unused pre-allocated gigantic page that has any part of itself inside the memory block that is going offline will be dissolved completely. Losing an unused gigantic hugepage is preferable to failing the memory offline, for example in the situation where a (possibly faulty) memory DIMM needs to go offline. Changes for v4.4 stable: - make it apply w/o commit c1470b33 "mm/hugetlb: fix incorrect hugepages count during mem hotplug" Fixes: c8721bbb ("mm: memory-hotplug: enable memory hotplug to handle hugepage") Link: http://lkml.kernel.org/r/20160926172811.94033-2-gerald.schaefer@de.ibm.com Signed-off-by: Gerald Schaefer Acked-by: Michal Hocko Acked-by: Naoya Horiguchi Cc: "Kirill A . Shutemov" Cc: Vlastimil Babka Cc: Mike Kravetz Cc: "Aneesh Kumar K . V" Cc: Martin Schwidefsky Cc: Heiko Carstens Cc: Rui Teng Cc: Dave Hansen Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Gerald Schaefer Signed-off-by: Greg Kroah-Hartman commit 89758797f1c267e1e0fbc87c56dce2b13d673d0b Author: Chris Wilson Date: Mon Oct 3 13:45:15 2016 +0100 drm/i915: Unalias obj->phys_handle and obj->userptr commit ca5732c53bf66ad755284786897e0dd10330de87 upstream. We use obj->phys_handle to choose the pread/pwrite path, but as obj->phys_handle is a union with obj->userptr, we then mistakenly use the phys_handle path for userptr objects within pread/pwrite. Testcase: igt/gem_userptr_blits/forbidden-operations Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97519 Signed-off-by: Chris Wilson Reviewed-by: Joonas Lahtinen Link: http://patchwork.freedesktop.org/patch/msgid/20161003124516.12388-2-chris@chris-wilson.co.uk (cherry picked from commit 5f12b80a0b42da253691ca03828033014bb786eb) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit be1cd22fe136705b0624dfb73ee7e159a2a425eb Author: Ville Syrjälä Date: Mon Aug 8 13:58:39 2016 +0300 drm/i915: Account for TSEG size when determining 865G stolen base commit d721b02fd00bf133580f431b82ef37f3b746dfb2 upstream. Looks like the TSEG lives just above TOUD, stolen comes after TSEG. The spec seems somewhat self-contradictory in places, in the ESMRAMC register desctription it says: TSEG Size: 10=(TOUD + 512 KB) to TOUD 11 =(TOUD + 1 MB) to TOUD so that agrees with TSEG being at TOUD. But the example given elsehwere in the spec says: TOUD equals 62.5 MB = 03E7FFFFh TSEG selected as 512 KB in size, Graphics local memory selected as 1 MB in size General System RAM available in system = 62.5 MB General system RAM range00000000h to 03E7FFFFh TSEG address range03F80000h to 03FFFFFFh TSEG pre-allocated from03F80000h to 03FFFFFFh Graphics local memory pre-allocated from03E80000h to 03F7FFFFh so here we have TSEG above stolen. Real world evidence agrees with the TOUD->TSEG->stolen order however, so let's fix up the code to account for the TSEG size. Cc: Taketo Kabe Cc: Chris Wilson Cc: Daniel Vetter Cc: Thomas Gleixner Cc: Ingo Molnar Cc: "H. Peter Anvin" Cc: x86@kernel.org Fixes: 0ad98c74e093 ("drm/i915: Determine the stolen memory base address on gen2") Fixes: a4dff76924fe ("x86/gpu: Add Intel graphics stolen memory quirk for gen2 platforms") Reported-by: Taketo Kabe Tested-by: Taketo Kabe Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=96473 Signed-off-by: Ville Syrjälä Link: http://patchwork.freedesktop.org/patch/msgid/1470653919-27251-1-git-send-email-ville.syrjala@linux.intel.com Link: http://download.intel.com/design/chipsets/datashts/25251405.pdf Reviewed-by: Chris Wilson Signed-off-by: Greg Kroah-Hartman commit cbadb9d9de33960d1d735944adac6de4123378ef Author: David Weinehall Date: Wed Aug 17 15:47:48 2016 +0300 Revert "drm/i915: Check live status before reading edid" commit 23f889bdf6ee5cfff012d8b09f6bec920c691696 upstream. This reverts commit 237ed86c693d8a8e4db476976aeb30df4deac74b. Our current implementation of live status check (repeat 9 times with 10ms delays between each attempt as a workaround for buggy displays) imposes a rather serious penalty, time wise, on intel_hdmi_detect(). Since we we already skip live status checks on platforms before gen 7, and since we seem to have coped quite well before the live status check was introduced for newer platforms too, the previous behaviour is probably preferable, at least unless someone can point to a use-case that the live status check improves (apart from "Bspec says so".) Signed-off-by: David Weinehall Fixes: 237ed86c693d ("drm/i915: Check live status before reading edid") Fixes: f8d03ea0053b ("drm/i915: increase the tries for HDMI hotplug live status checking") Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97139 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94014 Acked-by: Chris Wilson Signed-off-by: Jani Nikula Link: http://patchwork.freedesktop.org/patch/msgid/20160817124748.31208-1-david.weinehall@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit a768ae1daea31b549e2401caca543adb9f225ef5 Author: Paulo Zanoni Date: Thu Sep 22 18:00:30 2016 -0300 drm/i915/gen9: fix the WaWmMemoryReadLatency implementation commit 4e4d3814a9bb4d71cd3ff0701d8d7041edefd8f0 upstream. Bspec says: "The mailbox response data may not account for memory read latency. If the mailbox response data for level 0 is 0us, add 2 microseconds to the result for each valid level." This means we should only do the +2 in case wm[0] == 0, not always. So split the sanitizing implementation from the WA implementation and fix the WA implementation. v2: Add Fixes tag (Maarten). Fixes: 367294be7c25 ("drm/i915/gen9: Add 2us read latency to WM level") Cc: Vandana Kannan Reviewed-by: Maarten Lankhorst Signed-off-by: Paulo Zanoni Link: http://patchwork.freedesktop.org/patch/msgid/1474578035-424-5-git-send-email-paulo.r.zanoni@intel.com (cherry picked from commit 0727e40a48a1d08cf54ce2c01e120864b92e59bf) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 03cebefe8926d836d736e31d3f8259cd94e7814b Author: Jan Beulich Date: Mon Aug 15 09:02:38 2016 -0600 xenbus: don't look up transaction IDs for ordinary writes commit 9a035a40f7f3f6708b79224b86c5777a3334f7ea upstream. This should really only be done for XS_TRANSACTION_END messages, or else at least some of the xenstore-* tools don't work anymore. Fixes: 0beef634b8 ("xenbus: don't BUG() on user mode induced condition") Reported-by: Richard Schütz Signed-off-by: Jan Beulich Tested-by: Richard Schütz Signed-off-by: David Vrabel Cc: "M. Vefa Bicakci" Signed-off-by: Greg Kroah-Hartman commit edd2b5fd028edd47db5da2601e043644e499a44c Author: Thomas Hellstrom Date: Mon Oct 10 10:51:24 2016 -0700 drm/vmwgfx: Limit the user-space command buffer size commit 51ab70bed997f64f091a639dbe22b629725a7faf upstream. With older hardware versions, the user could specify arbitrarily large command buffer sizes, causing a vmalloc / vmap space exhaustion. Signed-off-by: Thomas Hellstrom Reviewed-by: Brian Paul Reviewed-by: Sinclair Yeh Signed-off-by: Sinclair Yeh Signed-off-by: Greg Kroah-Hartman commit 78f2cffcdbade80073fe7049676e71e521afa0fc Author: Alex Deucher Date: Wed Oct 12 15:28:55 2016 -0400 drm/radeon: change vblank_time's calculation method to reduce computational error. commit 02cfb5fccb0f9f968f0e208d89d9769aa16267bc upstream. Ported from Rex's amdgpu change. Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 5d980100fb5fe8ac0de4d472321570546898dd90 Author: Alex Deucher Date: Tue Sep 27 14:51:53 2016 -0400 drm/radeon/si/dpm: fix phase shedding setup commit 427920292b00474d978d632bc03a8e4e50029af3 upstream. Used the wrong index to setup the phase shedding mask. Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit a92829480b1856b054efe4430354c4627344d8f9 Author: Alex Deucher Date: Mon Sep 19 12:35:22 2016 -0400 drm/radeon: narrow asic_init for virtualization commit 884031f0aacf57dad1575f96714efc80de9b19cc upstream. Only needed on CIK+ due to the way pci reset is handled by the GPU. Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit d88e951b67a99c9b33f85f2b094457b87227bf30 Author: Rex Zhu Date: Mon Oct 10 15:57:21 2016 +0800 drm/amdgpu: change vblank_time's calculation method to reduce computational error. commit dc8184aa8621ee8048652496884d9f40d4bb407f upstream. Signed-off-by: Rex Zhu Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 5307cd52b7aacb68dc955544bab9c76e971449b0 Author: Grazvydas Ignotas Date: Mon Oct 3 00:06:45 2016 +0300 drm/amdgpu/dce11: add missing drm_mode_config_cleanup call commit 140c94da3c3338c0ff4cc127cf9bec87905ca83c upstream. All other amdgpu/dce_v* files have this call, it's only mysteriously missing from dce_v11_0.c since the file was added and causes leaks. Fixes: aaa36a976bbb ("drm/amdgpu: Add initial VI support") Signed-off-by: Grazvydas Ignotas Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit aed5d16300597a60c51ac28a1e40dd8953fd2801 Author: Alex Deucher Date: Wed Sep 28 12:43:33 2016 -0400 drm/amdgpu/dce11: disable hpd on local panels commit 3a9d993ee9809c217f4322623a9b78c8d17fdd1f upstream. Otherwise we can get a hotplug interrupt storm when we turn the panel off if hpd interrupts were enabled by the bios. bug: https://bugs.freedesktop.org/show_bug.cgi?id=97471 Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 67c35d5d664ffd46728c34bd2acbce3a83f3ebd8 Author: Alex Deucher Date: Wed Sep 28 12:44:20 2016 -0400 drm/amdgpu/dce8: disable hpd on local panels commit 324082586cc5918e3230f0b2f326656c653201eb upstream. Otherwise we can get a hotplug interrupt storm when we turn the panel off if hpd interrupts were enabled by the bios. bug: https://bugs.freedesktop.org/show_bug.cgi?id=97471 Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit aead680bd82fdf09d569636b01855307fe6346d5 Author: Alex Deucher Date: Wed Sep 28 12:41:50 2016 -0400 drm/amdgpu/dce10: disable hpd on local panels commit e96ec90f496603c48e0945f8bdeb4cdf3088cbba upstream. Otherwise we can get a hotplug interrupt storm when we turn the panel off if hpd interrupts were enabled by the bios. bug: https://bugs.freedesktop.org/show_bug.cgi?id=97471 Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 2aedf0e301a3ac2305bd9e6b7112bd858e37abb0 Author: Alex Deucher Date: Mon Aug 22 16:31:36 2016 -0400 drm/amdgpu: fix IB alignment for UVD commit c4795ca642b8bd76b5b6ffba41ba909543273d43 upstream. According to the hw team, it should be 16, not 8. Cc: Peter Fang Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 7a9ddd2f1f4ba34cffb6121a6c360d426310f08c Author: Chris Wilson Date: Wed Oct 5 13:21:43 2016 +0100 drm/prime: Pass the right module owner through to dma_buf_export() commit 56a76c0123d6cb034975901c80fce2627338ef9e upstream. dma_buf_export() adds a reference to the owning module to the dmabuf (to prevent the driver from being unloaded whilst a third party still refers to the dmabuf). However, drm_gem_prime_export() was passing its own THIS_MODULE (i.e. drm.ko) rather than the driver. Extract the right owner from the device->fops instead. v2: Use C99 initializers to zero out unset elements of dma_buf_export_info v3: Extract the right module from dev->fops. Testcase: igt/vgem_basic/unload Reported-by: Petri Latvala Signed-off-by: Chris Wilson Cc: Petri Latvala Cc: Christian König Tested-by: Petri Latvala Reviewed-by: Petri Latvala Reviewed-by: Christian König Signed-off-by: Daniel Vetter Link: http://patchwork.freedesktop.org/patch/msgid/20161005122145.1507-1-chris@chris-wilson.co.uk Signed-off-by: Greg Kroah-Hartman