commit 36311a9ec4904c080bbdfcefc0f3d609ed508224 Author: Greg Kroah-Hartman Date: Mon Sep 21 10:06:02 2015 -0700 Linux 4.1.8 commit 77798915750db46f10bb449e1625d6368ea42e25 Author: Caesar Wang Date: Mon Jul 6 11:37:23 2015 +0800 ARM: rockchip: fix broken build commit cb8cc37f4d38d96552f2c52deb15e511cdacf906 upstream. The following was seen in branch[0] build. arch/arm/mach-rockchip/platsmp.c:154:23: error: 'rockchip_secondary_startup' undeclared (first use in this function) branch[0]: git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip.git v4.3-armsoc/soc The broken build is caused by the commit fe4407c0dc58 ("ARM: rockchip: fix the CPU soft reset"). Signed-off-by: Caesar Wang The breakage was a result of it being wrongly merged in my branch with the cache invalidation rework from Russell 02b4e2756e01c ("ARM: v7 setup function should invalidate L1 cache"). Signed-off-by: Heiko Stuebner Cc: Willy Tarreau Signed-off-by: Greg Kroah-Hartman commit d3b428f0361d6dcbe7c6665ae0a824517a0b1ca9 Author: Kees Cook Date: Fri Sep 4 15:44:57 2015 -0700 fs: create and use seq_show_option for escaping commit a068acf2ee77693e0bf39d6e07139ba704f461c3 upstream. Many file systems that implement the show_options hook fail to correctly escape their output which could lead to unescaped characters (e.g. new lines) leaking into /proc/mounts and /proc/[pid]/mountinfo files. This could lead to confusion, spoofed entries (resulting in things like systemd issuing false d-bus "mount" notifications), and who knows what else. This looks like it would only be the root user stepping on themselves, but it's possible weird things could happen in containers or in other situations with delegated mount privileges. Here's an example using overlay with setuid fusermount trusting the contents of /proc/mounts (via the /etc/mtab symlink). Imagine the use of "sudo" is something more sneaky: $ BASE="ovl" $ MNT="$BASE/mnt" $ LOW="$BASE/lower" $ UP="$BASE/upper" $ WORK="$BASE/work/ 0 0 none /proc fuse.pwn user_id=1000" $ mkdir -p "$LOW" "$UP" "$WORK" $ sudo mount -t overlay -o "lowerdir=$LOW,upperdir=$UP,workdir=$WORK" none /mnt $ cat /proc/mounts none /root/ovl/mnt overlay rw,relatime,lowerdir=ovl/lower,upperdir=ovl/upper,workdir=ovl/work/ 0 0 none /proc fuse.pwn user_id=1000 0 0 $ fusermount -u /proc $ cat /proc/mounts cat: /proc/mounts: No such file or directory This fixes the problem by adding new seq_show_option and seq_show_option_n helpers, and updating the vulnerable show_option handlers to use them as needed. Some, like SELinux, need to be open coded due to unusual existing escape mechanisms. [akpm@linux-foundation.org: add lost chunk, per Kees] [keescook@chromium.org: seq_show_option should be using const parameters] Signed-off-by: Kees Cook Acked-by: Serge Hallyn Acked-by: Jan Kara Acked-by: Paul Moore Cc: J. R. Okajima Signed-off-by: Kees Cook Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 213abaf9525398c7dd34012b29274261dd8cd797 Author: Mikulas Patocka Date: Wed Sep 2 22:51:53 2015 +0200 hpfs: update ctime and mtime on directory modification commit f49a26e7718dd30b49e3541e3e25aecf5e7294e2 upstream. Update ctime and mtime when a directory is modified. (though OS/2 doesn't update them anyway) Signed-off-by: Mikulas Patocka Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 16e327d319bf3cbdd507693ed18792cda3af3324 Author: Eric W. Biederman Date: Wed Aug 12 15:00:12 2015 -0500 fs: Set the size of empty dirs to 0. commit 4b75de8615050c1b0dd8d7794838c42f74ed36ba upstream. Before the make_empty_dir_inode calls were introduce into proc, sysfs, and sysctl those directories when stated reported an i_size of 0. make_empty_dir_inode started reporting an i_size of 2. At least one userspace application depended on stat returning i_size of 0. So modify make_empty_dir_inode to cause an i_size of 0 to be reported for these directories. Reported-by: Tejun Heo Acked-by: Tejun Heo Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman commit ad2fee661f32e3f5399c116453d50867df3a6042 Author: Grant Likely Date: Sun Jun 7 15:20:11 2015 +0100 drivercore: Fix unregistration path of platform devices commit 7f5dcaf1fdf289767a126a0a5cc3ef39b5254b06 upstream. The unregister path of platform_device is broken. On registration, it will register all resources with either a parent already set, or type==IORESOURCE_{IO,MEM}. However, on unregister it will release everything with type==IORESOURCE_{IO,MEM}, but ignore the others. There are also cases where resources don't get registered in the first place, like with devices created by of_platform_populate()*. Fix the unregister path to be symmetrical with the register path by checking the parent pointer instead of the type field to decide which resources to unregister. This is safe because the upshot of the registration path algorithm is that registered resources have a parent pointer, and non-registered resources do not. * It can be argued that of_platform_populate() should be registering it's resources, and they argument has some merit. However, there are quite a few platforms that end up broken if we try to do that due to overlapping resources in the device tree. Until that is fixed, we need to solve the immediate problem. Cc: Pantelis Antoniou Cc: Wolfram Sang Cc: Rob Herring Cc: Greg Kroah-Hartman Cc: Ricardo Ribalda Delgado Signed-off-by: Grant Likely Tested-by: Ricardo Ribalda Delgado Tested-by: Wolfram Sang Signed-off-by: Rob Herring Signed-off-by: Greg Kroah-Hartman commit f4e4aaa5b1c9ad0ce9370444f566b972fb988349 Author: Jiang Liu Date: Fri Aug 21 15:36:23 2015 +0800 ACPI, PCI: Penalize legacy IRQ used by ACPI SCI commit 5d0ddfebb93069061880fc57ee4ba7246bd1e1ee upstream. Nick Meier reported a regression with HyperV that " After rebooting the VM, the following messages are logged in syslog when trying to load the tulip driver: tulip: Linux Tulip drivers version 1.1.15 (Feb 27, 2007) tulip: 0000:00:0a.0: PCI INT A: failed to register GSI tulip: Cannot enable tulip board #0, aborting tulip: probe of 0000:00:0a.0 failed with error -16 Errors occur in 3.19.0 kernel Works in 3.17 kernel. " According to the ACPI dump file posted by Nick at https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1440072 The ACPI MADT table includes an interrupt source overridden entry for ACPI SCI: [236h 0566 1] Subtable Type : 02 [237h 0567 1] Length : 0A [238h 0568 1] Bus : 00 [239h 0569 1] Source : 09 [23Ah 0570 4] Interrupt : 00000009 [23Eh 0574 2] Flags (decoded below) : 000D Polarity : 1 Trigger Mode : 3 And in DSDT table, we have _PRT method to define PCI interrupts, which eventually goes to: Name (PRSA, ResourceTemplate () { IRQ (Level, ActiveLow, Shared, ) {3,4,5,7,9,10,11,12,14,15} }) Name (PRSB, ResourceTemplate () { IRQ (Level, ActiveLow, Shared, ) {3,4,5,7,9,10,11,12,14,15} }) Name (PRSC, ResourceTemplate () { IRQ (Level, ActiveLow, Shared, ) {3,4,5,7,9,10,11,12,14,15} }) Name (PRSD, ResourceTemplate () { IRQ (Level, ActiveLow, Shared, ) {3,4,5,7,9,10,11,12,14,15} }) According to the MADT and DSDT tables, IRQ 9 may be used for: 1) ACPI SCI in level, high mode 2) PCI legacy IRQ in level, low mode So there's a conflict in polarity setting for IRQ 9. Prior to commit cd68f6bd53cf ("x86, irq, acpi: Get rid of special handling of GSI for ACPI SCI"), ACPI SCI is handled specially and there's no check for conflicts between ACPI SCI and PCI legagy IRQ. And it seems that the HyperV hypervisor doesn't make use of the polarity configuration in IOAPIC entry, so it just works. Commit cd68f6bd53cf gets rid of the specially handling of ACPI SCI, and then the pin attribute checking code discloses the conflicts between ACPI SCI and PCI legacy IRQ on HyperV virtual machine, and rejects the request to assign IRQ9 to PCI devices. So penalize legacy IRQ used by ACPI SCI and mark it unusable if ACPI SCI attributes conflict with PCI IRQ attributes. Please refer to following links for more information: https://bugzilla.kernel.org/show_bug.cgi?id=101301 https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1440072 Fixes: cd68f6bd53cf ("x86, irq, acpi: Get rid of special handling of GSI for ACPI SCI") Reported-and-tested-by: Nick Meier Acked-by: Thomas Gleixner Signed-off-by: Jiang Liu Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 33a0064c659d8fbbe6811aaddd0274e0e68b5e92 Author: Heiko Stuebner Date: Fri Jun 19 16:31:14 2015 +0200 ARM: dts: rockchip: fix rk3288 watchdog irq commit 1a1b698b115467242303daf5fe1d3c9886c2fa17 upstream. The watchdog irq is actually SPI 79, which translates to the original 111 in the manual where the SPI irqs start at 32. The current dw_wdt driver does not use the irq at all, so this issue never surfaced. Nevertheless fix this for a time we want to use the irq. Fixes: 2ab557b72d46 ("ARM: dts: rockchip: add core rk3288 dtsi") Signed-off-by: Heiko Stuebner Reviewed-by: Douglas Anderson Signed-off-by: Greg Kroah-Hartman commit 322ce3c54460446faa3db9db50f0e801c631625e Author: Caesar Wang Date: Tue Jun 9 17:49:57 2015 +0800 ARM: rockchip: fix the CPU soft reset commit fe4407c0dc58215a7abfb7532740d79ddabe7a7a upstream. We need different orderings when turning a core on and turning a core off. In one case we need to assert reset before turning power off. In ther other case we need to turn power on and the deassert reset. In general, the correct flow is: CPU off: reset_control_assert regmap_update_bits(pmu, PMU_PWRDN_CON, BIT(pd), BIT(pd)) wait_for_power_domain_to_turn_off CPU on: regmap_update_bits(pmu, PMU_PWRDN_CON, BIT(pd), 0) wait_for_power_domain_to_turn_on reset_control_deassert This is needed for stressing CPU up/down, as per: cd /sys/devices/system/cpu/ for i in $(seq 10000); do echo "================= $i ============" for j in $(seq 100); do while [[ "$(cat cpu1/online)$(cat cpu2/online)$(cat cpu3/online)" != "000"" ]] echo 0 > cpu1/online echo 0 > cpu2/online echo 0 > cpu3/online done while [[ "$(cat cpu1/online)$(cat cpu2/online)$(cat cpu3/online)" != "111" ]]; do echo 1 > cpu1/online echo 1 > cpu2/online echo 1 > cpu3/online done done done The following is reproducable log: [34466.186812] PM: noirq suspend of devices complete after 0.669 msecs [34466.186824] Disabling non-boot CPUs ... [34466.187509] CPU1: shutdown [34466.188672] CPU2: shutdown [34473.736627] Kernel panic - not syncing:Watchdog detected hard LOCKUP on cpu 0 ....... or others similar log: ....... [ 4072.454453] CPU1: shutdown [ 4072.504436] CPU2: shutdown [ 4072.554426] CPU3: shutdown [ 4072.577827] CPU1: Booted secondary processor [ 4072.582611] CPU2: Booted secondary processor Tested by cpu up/down scripts, the results told us need delay more time before write the sram. The wait time is affected by many aspects (e.g: cpu frequency, bootrom frequency, sram frequency, bus speed, ...). Although the cpus other than cpu0 will write the sram, the speedy is no the same as cpu0, if the cpu0 early wake up, perhaps the other cpus can't startup. As we know, the cpu0 can wake up when the cpu1/2/3 write the 'sram+4/8' and send the sev. Anyway..... At the moment, 1ms delay will be happy work for cpu up/down scripts test. Signed-off-by: Caesar Wang Reviewed-by: Doug Anderson Reviewed-by: Kever Yang Fixes: 3ee851e212d0 ("ARM: rockchip: add basic smp support for rk3288") Signed-off-by: Heiko Stuebner Signed-off-by: Greg Kroah-Hartman commit 23df80191134ee02b5575436c7f1d366b2795a15 Author: Vignesh R Date: Wed Jun 3 17:21:20 2015 +0530 ARM: OMAP2+: DRA7: clockdomain: change l4per2_7xx_clkdm to SW_WKUP commit b9e23f321940d2db2c9def8ff723b8464fb86343 upstream. Legacy IPs like PWMSS, present under l4per2_7xx_clkdm, cannot support smart-idle when its clock domain is in HW_AUTO on DRA7 SoCs. Hence, program clock domain to SW_WKUP. Signed-off-by: Vignesh R Acked-by: Tero Kristo Reviewed-by: Paul Walmsley Signed-off-by: Paul Walmsley Signed-off-by: Greg Kroah-Hartman commit f7da4ad880129c40624b22e009ef94891ac8d32e Author: Hyungwon Hwang Date: Mon Jun 15 13:03:17 2015 +0900 ARM: dts: fix clock-frequency of display timing0 for exynos3250-rinato commit 65e3293381e1cf1abcfe1aa22b914650a40e3af4 upstream. After the commit abc0b1447d49 ("drm: Perform basic sanity checks on probed modes"), proper clock-frequency becomes mandatory for validating the mode of panel. The display does not work if there is no mode validated. Also, this clock-frequency must be set appropriately for getting required frame rate. Fixes: abc0b1447d49 ("drm: Perform basic sanity checks on probed modes") Signed-off-by: Hyungwon Hwang Signed-off-by: Krzysztof Kozlowski Sigend-off-by: Kukjin Kim Signed-off-by: Greg Kroah-Hartman commit 25f5225e7c06316ed7d5866bb95ea0acd3de7921 Author: Benjamin Cama Date: Tue Jul 14 16:25:58 2015 +0200 ARM: orion5x: fix legacy orion5x IRQ numbers commit 5be9fc23cdb42e1d383ecc8eae8a8ff70a752708 upstream. Since v3.18, attempts to deliver IRQ0 are rejected, breaking orion5x. Fix this by increasing all interrupts by one, as did 5d6bed2a9c8b for dove. Also, force MULTI_IRQ_HANDLER for all orion platforms (including dove) as the specific handler is needed to shift back IRQ numbers by one. [gregory.clement@free-electrons.com]: moved the select MULTI_IRQ_HANDLER from PLAT_ORION_LEGACY to ARCH_ORION5X as it broke the build for dove. Fixes: a71b092a9c68 ("ARM: Convert handle_IRQ to use __handle_domain_irq") Signed-off-by: Benjamin Cama Signed-off-by: Gregory CLEMENT Tested-by: Detlef Vollmann Signed-off-by: Greg Kroah-Hartman commit 86bd6436f2d4df75952820010af611dcf85d17f9 Author: David Daney Date: Wed Aug 19 13:17:47 2015 -0700 of/address: Don't loop forever in of_find_matching_node_by_address(). commit 3a496b00b6f90c41bd21a410871dfc97d4f3c7ab upstream. If the internal call to of_address_to_resource() fails, we end up looping forever in of_find_matching_node_by_address(). This can be caused by a defective device tree, or calling with an incorrect matches argument. Fix by calling of_find_matching_node() unconditionally at the end of the loop. Signed-off-by: David Daney Signed-off-by: Rob Herring Signed-off-by: Greg Kroah-Hartman commit 72cdf324731e08faebd16a6a281872f6f7d8fcb2 Author: Thierry Reding Date: Thu Jul 9 09:59:55 2015 +0200 soc/tegra: pmc: Avoid usage of uninitialized variable commit 95169cd23bfa88003f8be06234dbd65f5737add0 upstream. Make sure to only drop the reference to the OF node after it's been successfully obtained. Fixes: 3568df3d31d6 ("soc: tegra: Add thermal reset (thermtrip) support to PMC") Reviewed-by: Mikko Perttunen Signed-off-by: Thierry Reding Signed-off-by: Greg Kroah-Hartman commit e4b09a61e9b1eb200f300cdc21d146dbdc4014ca Author: Xie XiuQi Date: Wed Aug 12 18:29:41 2015 +0200 x86/mce: Reenable CMCI banks when swiching back to interrupt mode commit 1b48465500611a2dc5e75800c61ac352e22d41c3 upstream. Zhang Liguang reported the following issue: 1) System detects a CMCI storm on the current CPU. 2) Kernel disables the CMCI interrupt on banks owned by the current CPU and switches to poll mode 3) After the CMCI storm subsides, kernel switches back to interrupt mode 4) We expect the system to reenable the CMCI interrupt on banks owned by the current CPU mce_intel_adjust_timer |-> cmci_reenable |-> cmci_discover # owned banks are ignored here static void cmci_discover(int banks) ... for (i = 0; i < banks; i++) { ... if (test_bit(i, owned)) # ownd banks is ignore here continue; So convert cmci_storm_disable_banks() to cmci_toggle_interrupt_mode() which controls whether to enable or disable CMCI interrupts with its argument. NB: We cannot clear the owned bit because the banks won't be polled, otherwise. See: 27f6c573e0f7 ("x86, CMCI: Add proper detection of end of CMCI storms") for more info. Reported-by: Zhang Liguang Signed-off-by: Xie XiuQi Signed-off-by: Borislav Petkov Cc: H. Peter Anvin Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Tony Luck Cc: huawei.libin@huawei.com Cc: linux-edac Cc: rui.xiang@huawei.com Link: http://lkml.kernel.org/r/1439396985-12812-10-git-send-email-bp@alien8.de Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 0fd96604b85be283a3bef4939fdd70d30a232bbc Author: Kishon Vijay Abraham I Date: Mon Jul 27 16:54:10 2015 +0530 regulator: pbias: Fix broken pbias disable functionality commit c329061be51bef655f28c9296093984c977aff85 upstream. regulator_disable of pbias always writes '0' to the enable_reg. However actual disable value of pbias regulator is not always '0'. Fix it by populating the disable_val in pbias_reg_info for the various platforms and assign it to the disable_val of pbias regulator descriptor. This will be used by regulator_disable_regmap while disabling pbias regulator. Signed-off-by: Kishon Vijay Abraham I Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 1042a41280224603cc6e6c282d4811bcfd79a251 Author: Sudip Mukherjee Date: Mon Jul 20 17:27:21 2015 +0530 auxdisplay: ks0108: fix refcount commit bab383de3b84e584b0f09227151020b2a43dc34c upstream. parport_find_base() will implicitly do parport_get_port() which increases the refcount. Then parport_register_device() will again increment the refcount. But while unloading the module we are only doing parport_unregister_device() decrementing the refcount only once. We add an parport_put_port() to neutralize the effect of parport_get_port(). Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit 7aa3b3b1d7838a75ad91fce91f187d26aacaa682 Author: Ricardo Ribalda Delgado Date: Wed Aug 12 18:04:04 2015 +0200 spi/spi-xilinx: Fix mixed poll/irq mode commit 16ea9b8ac45bf11d48af6013283e141e8ed86348 upstream. Once the module process a transfer in irq mode, the next poll transfer will not work because the transmitter is left in inhibited state. Fixes: 22417352f6b7f623 (Use polling mode on small transfers) Reported-by: Edward Kigwana Signed-off-by: Ricardo Ribalda Delgado Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 7d3cb0eecda8d19007f0004a3af071ed1bc997b7 Author: Ricardo Ribalda Delgado Date: Thu Aug 13 16:09:28 2015 +0200 spi/spi-xilinx: Fix spurious IRQ ACK on irq mode commit 74346841e6f5df5f7b83d5904435d273c507dba6 upstream. The ACK of an inexistent IRQ can trigger an spurious IRQ that breaks the txrx logic. This has been observed on axi_quad_spi:3.2 core. This patch only ACKs IRQs that have not been Acknowledge jet. Reported-by: Edward Kigwana Tested-by: Edward Kigwana Signed-off-by: Ricardo Ribalda Delgado Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 7d72c3751d555482a6729f99d4a41cc71660db1f Author: Peter Chen Date: Fri Jul 31 16:36:29 2015 +0800 Doc: ABI: testing: configfs-usb-gadget-sourcesink commit 4bc58eb16bb2352854b9c664cc36c1c68d2bfbb7 upstream. Fix the name of attribute Signed-off-by: Peter Chen Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit d92f2a2a9b0afc5dd75679b63d0f682d75865c07 Author: Peter Chen Date: Fri Jul 31 16:36:28 2015 +0800 Doc: ABI: testing: configfs-usb-gadget-loopback commit 8cd50626823c00ca7472b2f61cb8c0eb9798ddc0 upstream. Fix the name of attribute Signed-off-by: Peter Chen Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit f1d35b3d905cc564fa3fb89a3d802dd90b8ef8a8 Author: Masahiro Yamada Date: Wed Jul 15 10:29:00 2015 +0900 devres: fix devres_get() commit 64526370d11ce8868ca495723d595b61e8697fbf upstream. Currently, devres_get() passes devres_free() the pointer to devres, but devres_free() should be given with the pointer to resource data. Fixes: 9ac7849e35f7 ("devres: device resource management") Signed-off-by: Masahiro Yamada Acked-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 3799248733cbdb14ca12b0680a2e776cb35e19fe Author: Max Filippov Date: Thu Jul 16 10:41:02 2015 +0300 xtensa: fix kernel register spilling commit 77d6273e79e3a86552fcf10cdd31a69b46ed2ce6 upstream. call12 can't be safely used as the first call in the inline function, because the compiler does not extend the stack frame of the bounding function accordingly, which may result in corruption of local variables. If a call needs to be done, do call8 first followed by call12. For pure assembly code in _switch_to increase stack frame size of the bounding function. Signed-off-by: Max Filippov Signed-off-by: Greg Kroah-Hartman commit 36c2895c6b132f8ff19074f6d226bcedf2614e89 Author: Max Filippov Date: Sat Jul 4 15:27:39 2015 +0300 xtensa: fix threadptr reload on return to userspace commit 4229fb12a03e5da5882b420b0aa4a02e77447b86 upstream. Userspace return code may skip restoring THREADPTR register if there are no registers that need to be zeroed. This leads to spurious failures in libc NPTL tests. Always restore THREADPTR on return to userspace. Signed-off-by: Max Filippov Signed-off-by: Greg Kroah-Hartman commit 49102e956fec3806fb0c7fb7b68b0900feab8ece Author: Haozhong Zhang Date: Fri Aug 7 11:24:32 2015 +0800 KVM: x86: Use adjustment in guest cycles when handling MSR_IA32_TSC_ADJUST commit d7add05458084a5e3d65925764a02ca9c8202c1e upstream. When kvm_set_msr_common() handles a guest's write to MSR_IA32_TSC_ADJUST, it will calcuate an adjustment based on the data written by guest and then use it to adjust TSC offset by calling a call-back adjust_tsc_offset(). The 3rd parameter of adjust_tsc_offset() indicates whether the adjustment is in host TSC cycles or in guest TSC cycles. If SVM TSC scaling is enabled, adjust_tsc_offset() [i.e. svm_adjust_tsc_offset()] will first scale the adjustment; otherwise, it will just use the unscaled one. As the MSR write here comes from the guest, the adjustment is in guest TSC cycles. However, the current kvm_set_msr_common() uses it as a value in host TSC cycles (by using true as the 3rd parameter of adjust_tsc_offset()), which can result in an incorrect adjustment of TSC offset if SVM TSC scaling is enabled. This patch fixes this problem. Signed-off-by: Haozhong Zhang Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 73e56fdc3699efea574812d1116dfebd347ce88e Author: Paul Mackerras Date: Wed Jun 24 21:18:05 2015 +1000 KVM: PPC: Book3S HV: Fix race in reading change bit when removing HPTE commit 1e5bf454f58731e360e504253e85bae7aaa2d298 upstream. The reference (R) and change (C) bits in a HPT entry can be set by hardware at any time up until the HPTE is invalidated and the TLB invalidation sequence has completed. This means that when removing a HPTE, we need to read the HPTE after the invalidation sequence has completed in order to obtain reliable values of R and C. The code in kvmppc_do_h_remove() used to do this. However, commit 6f22bd3265fb ("KVM: PPC: Book3S HV: Make HTAB code LE host aware") removed the read after invalidation as a side effect of other changes. This restores the read of the HPTE after invalidation. The user-visible effect of this bug would be that when migrating a guest, there is a small probability that a page modified by the guest and then unmapped by the guest might not get re-transmitted and thus the destination might end up with a stale copy of the page. Fixes: 6f22bd3265fb Signed-off-by: Paul Mackerras Signed-off-by: Alexander Graf Signed-off-by: Greg Kroah-Hartman commit 76c77a45a74a51dc7bdf7773d8ec37ba7cffe361 Author: Gautham R. Shenoy Date: Fri Aug 7 17:41:20 2015 +0530 KVM: PPC: Book3S HV: Exit on H_DOORBELL if HOST_IPI is set commit 06554d9f6cc8f0b5ec903db19726a15dfc7b09d6 upstream. The code that handles the case when we receive a H_DOORBELL interrupt has a comment which says "Hypervisor doorbell - exit only if host IPI flag set". However, the current code does not actually check if the host IPI flag is set. This is due to a comparison instruction that got missed. As a result, the current code performs the exit to host only if some sibling thread or a sibling sub-core is exiting to the host. This implies that, an IPI sent to a sibling core in (subcores-per-core != 1) mode will be missed by the host unless the sibling core is on the exit path to the host. This patch adds the missing comparison operation which will ensure that when HOST_IPI flag is set, we unconditionally exit to the host. Fixes: 66feed61cdf6 Signed-off-by: Gautham R. Shenoy Reviewed-by: David Gibson Signed-off-by: Paul Mackerras Signed-off-by: Greg Kroah-Hartman commit 8609dd0dc11cf342adc727d5f19e471ed291cf4e Author: Xiao Guangrong Date: Wed Aug 5 12:04:19 2015 +0800 KVM: MMU: fix validation of mmio page fault commit 6f691251c0350ac52a007c54bf3ef62e9d8cdc5e upstream. We got the bug that qemu complained with "KVM: unknown exit, hardware reason 31" and KVM shown these info: [84245.284948] EPT: Misconfiguration. [84245.285056] EPT: GPA: 0xfeda848 [84245.285154] ept_misconfig_inspect_spte: spte 0x5eaef50107 level 4 [84245.285344] ept_misconfig_inspect_spte: spte 0x5f5fadc107 level 3 [84245.285532] ept_misconfig_inspect_spte: spte 0x5141d18107 level 2 [84245.285723] ept_misconfig_inspect_spte: spte 0x52e40dad77 level 1 This is because we got a mmio #PF and the handler see the mmio spte becomes normal (points to the ram page) However, this is valid after introducing fast mmio spte invalidation which increases the generation-number instead of zapping mmio sptes, a example is as follows: 1. QEMU drops mmio region by adding a new memslot 2. invalidate all mmio sptes 3. VCPU 0 VCPU 1 access the invalid mmio spte access the region originally was MMIO before set the spte to the normal ram map mmio #PF check the spte and see it becomes normal ram mapping !!! This patch fixes the bug just by dropping the check in mmio handler, it's good for backport. Full check will be introduced in later patches Reported-by: Pavel Shirshov Tested-by: Pavel Shirshov Signed-off-by: Xiao Guangrong Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit fd54f2ee1ac27477ebf78d082e6e411d82fe3766 Author: Ellen Wang Date: Mon Jul 13 15:23:54 2015 -0700 HID: cp2112: fix I2C_SMBUS_BYTE write commit 6d00d153f00097d259f86304e11858a50a1b8ad1 upstream. When doing an I2C_SMBUS_BYTE write (one byte write, no address), the data to be written is in "command" not "data->byte". Signed-off-by: Ellen Wang Acked-by: Wolfram Sang Reviewed-by: Antonio Borneo Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit d60fc16235b744ac10a82f03aec26110eeec7b51 Author: Ellen Wang Date: Thu Jul 9 22:04:31 2015 -0700 HID: cp2112: fix byte order in SMBUS operations commit 29e2d6d1f6f61ba2b5cc9d9867e01d8c31a6c4f7 upstream. Change all occurrences of be16 to le16 in cp2112_xfer(), because SMBUS words are little endian, not big endian. Signed-off-by: Ellen Wang Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 3e1ed32743b9a2eb37c90d7e66c8b416bd60ffae Author: Don Zickus Date: Mon Aug 10 12:06:53 2015 -0400 HID: usbhid: Fix the check for HID_RESET_PENDING in hid_io_error commit 3af4e5a95184d6d3c1c6a065f163faa174a96a1d upstream. It was reported that after 10-20 reboots, a usb keyboard plugged into a docking station would not work unless it was replugged in. Using usbmon, it turns out the interrupt URBs were streaming with callback errors of -71 for some reason. The hid-core.c::hid_io_error was supposed to retry and then reset, but the reset wasn't really happening. The check for HID_NO_BANDWIDTH was inverted. Fix was simple. Tested by reporter and locally by me by unplugging a keyboard halfway until I could recreate a stream of errors but no disconnect. Signed-off-by: Don Zickus Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 16d2c7bc05ebfa25feecaacb74d43ec4b3dbc28e Author: Andrey Ryabinin Date: Thu Sep 3 14:32:01 2015 +0300 crypto: ghash-clmulni: specify context size for ghash async algorithm commit 71c6da846be478a61556717ef1ee1cea91f5d6a8 upstream. Currently context size (cra_ctxsize) doesn't specified for ghash_async_alg. Which means it's zero. Thus crypto_create_tfm() doesn't allocate needed space for ghash_async_ctx, so any read/write to ctx (e.g. in ghash_async_init_tfm()) is not valid. Signed-off-by: Andrey Ryabinin Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 176688bba97e4829627a08c852ff8bf07348bffa Author: Leonidas Da Silva Barbosa Date: Fri Aug 14 10:14:16 2015 -0300 crypto: vmx - Fixing GHASH Key issue on little endian commit 3c5f0ed78e976be705218cad62acf6a68e9d121e upstream. GHASH table algorithm is using a big endian key. In little endian machines key will be LE ordered. After a lxvd2x instruction key is loaded as it is, LE/BE order, in first case it'll generate a wrong table resulting in wrong hashes from the algorithm. Bug affects only LE machines. In order to fix it we do a swap for loaded key. Signed-off-by: Leonidas S Barbosa Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 9feb2d70d3bc561c900e0d976d7700306f4806a4 Author: Robert Baldyga Date: Fri Jul 31 10:58:28 2015 +0200 serial: samsung: fix DMA for FIFO smaller than cache line size commit 736cd79f483fd7a1e0b71e6eaddf01d8d87fbbbb upstream. So far DMA mode were activated when only number of bytes to send was equal or greater than min_dma_size. Due to requirement that DMA transaction buffer should be aligned to cache line size, the excessive bytes were written to FIFO before starting DMA transaction. The problem occurred when FIFO size were smaller than cache alignment, because writing all excessive bytes to FIFO would fail. It happened in DMA mode when PIO interrupts disabled, which caused driver hung. The solution is to test if buffer is alligned to cache line size before activating DMA mode, and if it's not, running PIO mode to align buffer and then starting DMA transaction. In PIO mode, when interrupts are enabled, lack of space in FIFO isn't the problem, so buffer aligning will always finish with success. Reported-by: Krzysztof Kozlowski Signed-off-by: Robert Baldyga Signed-off-by: Greg Kroah-Hartman commit da5b2f0abeaa4816e8dbc8dffef33704f53db1b3 Author: Marek Szyprowski Date: Fri Jul 31 10:58:27 2015 +0200 serial: samsung: fix DMA mode enter condition for small FIFO sizes commit 81ccb2a69f76b88295a1da9fc9484df715fe3bfa upstream. Due to some of serial ports can have FIFO size smaller than cache line size, and because of need to align DMA buffer address to cache line size, it's necessary to calculate minimum number of bytes for which we want to start DMA transaction to be at least cache line size. The simplest way to meet this requirement is to get maximum of cache line size and FIFO size. Reported-by: Krzysztof Kozlowski Signed-off-by: Marek Szyprowski Signed-off-by: Robert Baldyga Signed-off-by: Greg Kroah-Hartman commit 5fe45c8dbe3f1927db62fbbbc37b64cbe41967b4 Author: Adam Lee Date: Mon Aug 3 13:28:13 2015 +0800 serial: 8250_pci: Add support for Pericom PI7C9X795[1248] commit 89c043a6cb2d4525d48a38ed78d5f0f5672338b3 upstream. Pericom PI7C9X795[1248] are Uno/Dual/Quad/Octal UART devices, this patch enables them, also defines PCI_VENDOR_ID_PERICOM here. Signed-off-by: Adam Lee Signed-off-by: Greg Kroah-Hartman commit 72b188506229b25c075a6573b0a6b54b5a14947d Author: Maciej S. Szmigiero Date: Sun Aug 2 23:15:05 2015 +0200 serial: 8250: bind to ALi Fast Infrared Controller (ALI5123) commit 1d7002777a8fe8188caaa98d4a8eb4ed298fcdae upstream. This way this device can be used with irtty-sir - at least on Toshiba Satellite A20-S103 it is not configured by default and needs PNP activation before it starts to respond on I/O ports. This device has actually its own driver (ali-ircc), but this driver seems to be non-functional for a very long time (see http://permalink.gmane.org/gmane.linux.irda.general/484 http://permalink.gmane.org/gmane.network.protocols.obex.openobex.user/943 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535070 ). Signed-off-by: Maciej Szmigiero Signed-off-by: Greg Kroah-Hartman commit 6c5f039655a41ba80e5e64ebb2b7032369f16ee1 Author: Maciej S. Szmigiero Date: Sun Aug 2 23:11:52 2015 +0200 serial: 8250: don't bind to SMSC IrCC IR port commit ffa34de03bcfbfa88d8352942bc238bb48e94e2d upstream. SMSC IrCC SIR/FIR port should not be bound to by (legacy) serial driver so its own driver (smsc-ircc2) can bind to it. Signed-off-by: Maciej Szmigiero Signed-off-by: Greg Kroah-Hartman commit b3100c898181590cabc652a925d268c78a69b77a Author: Charles Keepax Date: Tue Aug 25 12:43:48 2015 +0100 ASoC: arizona: Poll for FLL clock OK rather than use interrupts commit 0e7659712836ca59b4735bc5cc94de38698a5e01 upstream. The extcon driver takes the DAPM mutex from within the interrupt thread in several places, which makes it possible to get into a situation where the interrupt thread is blocked waiting on the DAPM mutex whilst a DAPM sequence is running which is attempting to configure the FLL. In this case the FLL completion can't be completed as as the IRQ handler is ONE_SHOT, which cause the FLL lock to use the full time out (250mS) and report that the process timed out. It is not really practical to make the extcon driver not take the DAPM mutex from within the interrupt thread, at least not without extensive modification. So this patch fixes the issue by switching the wait for the FLL lock to polling. A few fast polls are done first as the FLL should lock quickly for a good quality reference clock, (indeed it hits on the first poll on my system) and it will poll every 20mS after that until it times out. Signed-off-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit d23f2688b991310d4f27d4abaf7769ea301c9a91 Author: Nikesh Oswal Date: Wed Aug 19 16:02:24 2015 +0100 ASoC: arizona: Fix gain settings of FLL in free-run mode commit 1cf5a330c05ae37a0a98ac7c9800a6f50d5579ec upstream. The wrong register was used to set the gain of ref loop, when changing the FLL output on an active FLL. This patch corrects the offset of the gain register. Signed-off-by: Nikesh Oswal Signed-off-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 3f3c08dd0dc598f0cfe6efb8de17139c03309ea7 Author: Axel Lin Date: Fri Aug 14 17:54:07 2015 +0800 ASoC: adav80x: Remove .read_flag_mask setting from adav80x_regmap_config commit 9d8352864907f0ad76124c5b28f65b5a382d7d7c upstream. Don't set .read_flag_mask for adav803, it's for adav801 only. Fixes: 0c2d69645628 ("ASoC: adav80x: Split SPI and I2C code into different modules") Signed-off-by: Axel Lin Acked-by: Lars-Peter Clausen Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit b167a60c024decd22fd48459f24225cb6f92ab05 Author: Vaishali Thakkar Date: Thu Aug 20 22:11:15 2015 +0530 ASoC: samsung: Remove redundant arndale_audio_remove commit 14a500fe1396934c6b3ed8f009459a4723da7862 upstream. There is no use of snd_soc_unregister_card in remove function as devm_snd_soc_register_card in probe function automatically handles it. So, remove use of snd_soc_unregister_card and with this change remove arndale_audio_remove as it is now redundant. Signed-off-by: Vaishali Thakkar Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 59358f278d5c3ba3b2bd14d83ded72a2faafb51b Author: John Lin Date: Tue Aug 11 14:27:25 2015 +0800 ASoC: rt5640: fix line out no sound issue commit 9b850ca4f1c5acd7fcbbd4b38a2d27132801a8d5 upstream. The power for line out was not turned on when line out is enabled. So we add "LOUT amp" widget to turn on the power for line out. Signed-off-by: John Lin Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit c7d416e290ded6f563c0d316787037c79e268a07 Author: Johannes Thumshirn Date: Thu Aug 6 09:16:37 2015 +0200 tty: serial: men_z135_uart.c: Fix race between IRQ and set_termios() commit 8117e347406278fd399b077add4e638cd017ae2d upstream. Fix panic caused by a race between men_z135_intr() and men_z135_set_termios(). men_z135_intr() and men_z135_set_termios() both hold the struct uart_port::lock spinlock, but men_z135_intr() does a spin_lock_irqsave() and men_z135_set_termios() does a normal spin_lock(), which can lead to a deadlock when an interrupt is called while the lock is being helt by men_z135_set_termios(). This was discovered using a insmod, hardware looppback send/receive, rmmod stress test. Signed-off-by: Johannes Thumshirn Reviewed-by: Peter Hurley Cc: Andreas Werner Signed-off-by: Greg Kroah-Hartman commit bf14cc44d1adfe4d2d3420b51f6f44765e0219ff Author: Peter Chen Date: Mon Aug 17 10:23:03 2015 +0800 usb: host: ehci-sys: delete useless bus_to_hcd conversion commit 0521cfd06e1ebcd575e7ae36aab068b38df23850 upstream. The ehci platform device's drvdata is the pointer of struct usb_hcd already, so we doesn't need to call bus_to_hcd conversion again. Signed-off-by: Peter Chen Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 08ccc8bb7d2a9cf6543e686b43b59f888f4782e9 Author: Peter Chen Date: Thu Jul 30 13:13:03 2015 +0800 usb: gadget: f_uac2: finalize wMaxPacketSize according to bandwidth commit 913e4a90b6f9687ac0f543e7b632753e4f51c441 upstream. According to USB Audio Device 2.0 Spec, Ch4.10.1.1: wMaxPacketSize is defined as follows: Maximum packet size this endpoint is capable of sending or receiving when this configuration is selected. This is determined by the audio bandwidth constraints of the endpoint. In current code, the wMaxPacketSize is defined as the maximum packet size for ISO endpoint, and it will let the host reserve much more space than it really needs, so that we can't let more endpoints work together at one frame. We find this issue when we try to let 4 f_uac2 gadgets work together [1] at FS connection. [1]http://www.spinics.net/lists/linux-usb/msg123478.html Acked-by: Daniel Mack Cc: andrzej.p@samsung.com Cc: Daniel Mack Cc: tiwai@suse.de Cc: Alan Stern Signed-off-by: Peter Chen Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit d408e5eccd26f1efd97fdbd568f3fa6b6f95e2a0 Author: Kishon Vijay Abraham I Date: Mon Jul 27 12:25:27 2015 +0530 usb: dwc3: ep0: Fix mem corruption on OUT transfers of more than 512 bytes commit b2fb5b1a0f50d3ebc12342c8d8dead245e9c9d4e upstream. DWC3 uses bounce buffer to handle non max packet aligned OUT transfers and the size of bounce buffer is 512 bytes. However if the host initiates OUT transfers of size more than 512 bytes (and non max packet aligned), the driver throws a WARN dump but still programs the TRB to receive more than 512 bytes. This will cause bounce buffer to overflow and corrupt the adjacent memory locations which can be fatal. Fix it by programming the TRB to receive a maximum of DWC3_EP0_BOUNCE_SIZE (512) bytes. Signed-off-by: Kishon Vijay Abraham I Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit bd89ac2a5d7760cd739eb228214295862bfb64f9 Author: Peter Chen Date: Fri Jul 31 16:36:30 2015 +0800 doc: usb: gadget-testing: using the updated testusb.c commit f811a38300be3cdb603171aea5ad3fb42b71ca53 upstream. testusb.c at http://www.linux-usb.org/usbtest/ is out of date, using the one at the kernel source folder. Signed-off-by: Peter Chen Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 6e9660ca6fbf805c26aaef8856eb4680c689a5d2 Author: Dan Carpenter Date: Thu Jul 30 00:30:58 2015 +0300 usb: gadget: m66592-udc: forever loop in set_feature() commit 5feb5d2003499b1094d898c010a7604d7afddc4c upstream. There is an "&&" vs "||" typo here so this loops 3000 times or if we get unlucky it could loop forever. Fixes: ceaa0a6eeadf ('usb: gadget: m66592-udc: add support for TEST_MODE') Signed-off-by: Dan Carpenter Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 533f267763456f75d57bd590830629bf28fe3d8c Author: Jan Kara Date: Tue Aug 25 10:05:13 2015 +1000 xfs: Fix file type directory corruption for btree directories commit 037542345a82aaaa228ec280fe6ddff1568d169f upstream. Users have occasionally reported that file type for some directory entries is wrong. This mostly happened after updating libraries some libraries. After some debugging the problem was traced down to xfs_dir2_node_replace(). The function uses args->filetype as a file type to store in the replaced directory entry however it also calls xfs_da3_node_lookup_int() which will store file type of the current directory entry in args->filetype. Thus we fail to change file type of a directory entry to a proper type. Fix the problem by storing new file type in a local variable before calling xfs_da3_node_lookup_int(). Reported-by: Giacomo Comes Signed-off-by: Jan Kara Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Signed-off-by: Greg Kroah-Hartman commit 39516016709f4bf72d6e4c12089bbae7b1432ba7 Author: Jan Kara Date: Wed Aug 19 10:34:32 2015 +1000 xfs: Fix xfs_attr_leafblock definition commit ffeecc5213024ae663377b442eedcfbacf6d0c5d upstream. struct xfs_attr_leafblock contains 'entries' array which is declared with size 1 altough it can in fact contain much more entries. Since this array is followed by further struct members, gcc (at least in version 4.8.3) thinks that the array has the fixed size of 1 element and thus may optimize away all accesses beyond the end of array resulting in non-working code. This problem was only observed with userspace code in xfsprogs, however it's better to be safe in kernel as well and have matching kernel and xfsprogs definitions. Signed-off-by: Jan Kara Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Signed-off-by: Greg Kroah-Hartman commit 16f47b6ab239970067885a9384c456c6b530bb12 Author: Darrick J. Wong Date: Wed Aug 19 10:33:58 2015 +1000 libxfs: readahead of dir3 data blocks should use the read verifier commit 2f123bce18943fff819bc10f8868ffb9149fc622 upstream. In the dir3 data block readahead function, use the regular read verifier to check the block's CRC and spot-check the block contents instead of directly calling only the spot-checking routine. This prevents corrupted directory data blocks from being read into the kernel, which can lead to garbage ls output and directory loops (if say one of the entries contains slashes and other junk). Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Signed-off-by: Greg Kroah-Hartman commit 3a6e0a041c7eea1455def429f97ca3ec3844b004 Author: Michał Pecio Date: Sun Jul 26 11:14:34 2015 +0200 USB: pl2303: fix baud-rate divisor calculations commit 49bda21266fdf195142e8b5dea057f09e96ada9f upstream. This commit fixes the following issues: 1. The 9th bit of buf was believed to be the LSB of divisor's exponent, but the hardware interprets it as MSB (9th bit) of the mantissa. The exponent is actually one bit shorter and applies to base 4, not 2 as previously believed. 2. Loop iterations doubled the exponent instead of incrementing. 3. The exponent wasn't checked for overflow. 4. The function returned requested rate instead of actual rate. Due to issue #2, the old code deviated from the wrong formula described in #1 and actually yielded correct rates when divisor was lower than 4096 by using exponents of 0, 2 or 4 base-2, interpreted as 0, 1, 2 base-4 with the 9th mantissa bit clear. However, at 93.75 kbaud or less the rate turned out too slow due to #2 or too fast due to #2 and #3. I tested this patch by sending and validating 0x00,0x01,..,0xff to an FTDI dongle at 234, 987, 2401, 9601, 31415, 115199, 250k, 500k, 750k, 1M, 1.5M, 3M+1 baud. All rates passed. I also used pv to check speed at some rates unsupported by FTDI: 45 (the lowest possible), 2M, 4M, 5M and 6M-1. Looked sane. Signed-off-by: Michal Pecio Fixes: 399aa9a75ad3 ("USB: pl2303: use divisors for unsupported baud rates") [johan: update summary ] Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 62e9fa636be500d83cae0b2de1ad91a98d6b986b Author: Matthijs Kooijman Date: Tue Aug 18 10:33:56 2015 +0200 USB: ftdi_sio: Added custom PID for CustomWare products commit 1fb8dc36384ae1140ee6ccc470de74397606a9d5 upstream. CustomWare uses the FTDI VID with custom PIDs for their ShipModul MiniPlex products. Signed-off-by: Matthijs Kooijman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 16b58e65e405a1b671caad2204fce9d46df26dd0 Author: David Ward Date: Tue Aug 18 10:36:23 2015 +0200 USB: qcserial: add HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module commit 44840dec6127e4d7c5074f75d2dd96bc4ab85fe3 upstream. This is an HP-branded Sierra Wireless EM7355: https://bugzilla.redhat.com/show_bug.cgi?id=1223646#c2 Signed-off-by: David Ward Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 0d57ef0f108b7a956f6cd246eda2777391b134e5 Author: Philipp Hachtmann Date: Mon Aug 17 17:31:46 2015 +0200 USB: symbolserial: Use usb_get_serial_port_data commit 951d3793bbfc0a441d791d820183aa3085c83ea9 upstream. The driver used usb_get_serial_data(port->serial) which compiled but resulted in a NULL pointer being returned (and subsequently used). I did not go deeper into this but I guess this is a regression. Signed-off-by: Philipp Hachtmann Fixes: a85796ee5149 ("USB: symbolserial: move private-data allocation to port_probe") Acked-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 574c2c05ce61098130a06bf6cd16c7215b19be58 Author: Michael van der Westhuizen Date: Tue Aug 18 22:21:53 2015 +0200 spi: dw: Allow interface drivers to limit data I/O to word sizes commit c4fe57f76269dbb2af135071513f260ca40229a3 upstream. The commit dd11444327ce ("spi: dw-spi: Convert 16bit accesses to 32bit accesses") changed all 16bit accesses in the DW_apb_ssi driver to 32bit. This, unfortunately, breaks data register access on picoXcell, where the DW IP needs data register accesses to be word accesses (all other accesses appear to be OK). This change introduces a new master variable to allow interface drivers to specify that 16bit data transfer I/O is required. This change also introduces the ability to set this variable via device tree bindings in the MMIO interface driver. Both the core and the MMIO interface driver default to the current 32bit behaviour. Before this change, on a picoXcell pc3x3: spi_master spi32766: interrupt_transfer: fifo overrun/underrun m25p80 spi32766.0: error -5 reading 9f m25p80: probe of spi32766.0 failed with error -5 After this change: m25p80 spi32766.0: m25p40 (512 Kbytes) Fixes: dd11444327ce ("spi: dw-spi: Convert 16bit accesses to 32bit accesses") Signed-off-by: Michael van der Westhuizen Reviewed-by: Andy Shevchenko Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit e712a3824ba05f5edddab8066a148dfd548f0119 Author: Sifan Naeem Date: Thu Aug 6 10:33:01 2015 +0100 spi: img-spfi: fix kbuild test robot warning commit 9176c6657b5c313cf504d157e6d91496ee5c8708 upstream. drivers/spi/spi-img-spfi.c: In function 'img_spfi_setup': drivers/spi/spi-img-spfi.c:446: warning: 'ret' may be used uninitialized in this function. Fixes: commit b03ba9e314c1 ("spi: img-spfi: fix multiple calls to request gpio") Signed-off-by: Sifan Naeem Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 1d43421636933f74c6f642a61951dbfa3732edec Author: Sifan Naeem Date: Wed Jul 29 11:55:26 2015 +0100 spi: img-spfi: fix multiple calls to request gpio commit b03ba9e314c12b2127243145b5c1f41b2408de62 upstream. spfi_setup may be called many times by the spi framework, but gpio_request_one can only be called once without freeing, repeatedly calling gpio_request_one will cause an error to be thrown, which causes the request to spi_setup to be marked as failed. We can have a per-spi_device flag that indicates whether or not the gpio has been requested. If the gpio has already been requested use gpio_direction_output to set the direction of the gpio. Fixes: 8c2c8c03cdcb ("spi: img-spfi: Control CS lines with GPIO") Signed-off-by: Sifan Naeem Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit b82ed8c90e5f1ad73d1c355c58ef38a789a16c7d Author: Sifan Naeem Date: Mon Jul 27 13:11:15 2015 +0100 spi: img-spfi: check for timeout error before proceeding commit 011710e2ab659c7ad6e5e554806414bd7a9508be upstream. Calling spfi_wait_all_done is not required if the transfer has timed out before all data is transferred. spfi_wait_all_done polls for Alldone interrupt which is triggered to mark the transfer as complete and to indicate it is now safe to issue a new transfer. Fixes: 8c2c8c0 ("spi: img-spfi: Control CS lines with GPIO") Signed-off-by: Sifan Naeem Reviewed-by: Andrew Bresticker Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 49b85054a83dd407879206f43fd6944287848189 Author: Koji Matsuoka Date: Mon Jun 15 02:25:05 2015 +0900 spi: sh-msiof: Fix FIFO size to 64 word from 256 word commit fe78d0b7691c02744004b15f6979b3f106464bc4 upstream. The upper limit of Tx/Rx FIFO size is 64 word by the specification of H/W. This patch corrects to 64 word from 256 word. Signed-off-by: Koji Matsuoka Signed-off-by: Yoshihiro Kaneko Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 1583eaece6faf7b389085771c0eb4bf1af5960f2 Author: Lars Persson Date: Wed Jul 29 09:32:02 2015 +0200 spi: Fix regression in spi-bitbang-txrx.h commit 26a67ec47a4c58fe79c6421c3dc3d697d322d2d6 upstream. This patch fixes a regression introduced by commit 232a5adc5199 ("spi: bitbang: only toggle bitchanges"). The attempt to optimize writes of consecutive bit patterns broke most of the combinations of word size and SPI modes due to selecting the wrong bit as the MSB value. Fixes: 232a5adc5199 (spi: bitbang: only toggle bitchanges) Signed-off-by: Lars Persson Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 7f3f69a695fe2d10a9afad4419c68d731f775b94 Author: Martin Sperl Date: Tue Jul 28 14:03:12 2015 +0000 spi: bcm2835: set up spi-mode before asserting cs-gpio commit acace73df2c1913a526c1b41e4741a4a6704c863 upstream. When using reverse polarity for clock (spi-cpol) on a device the clock line gets altered after chip-select has been asserted resulting in an additional clock beat, which confuses hardware. This did not show when using native-CS, as the same register is used to control cs as well as polarity, so the changes came into effect at the same time. Unfortunately this is not true with gpio-cs. To avoid this situation this patch moves the setup of polarity (spi-cpol and spi-cpha) outside of the chip-select into prepare_message, which is run prior to asserting chip-select. Also fixes resetting 3-wire mode after use of rx-mode, so that a 3-Wire sequence TX, RX, TX works as well (right now it runs TX, RX, RX instead) Reported-by: Noralf Tronnes Signed-off-by: Martin Sperl Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit a1ff8fe3a5387ac0c33b2a4677690e322bec8c04 Author: Zhang Rui Date: Mon Aug 24 15:27:11 2015 -0500 PCI: Disable async suspend/resume for JMicron multi-function SATA/AHCI commit 91f15fb30c77d4a0d0d9b97e5cec647650853145 upstream. On multi-function JMicron SATA/PATA/AHCI devices, the PATA controller at function 1 doesn't work if it is powered on before the SATA controller at function 0. The result is that PATA doesn't work after resume, and we print messages like this: pata_jmicron 0000:02:00.1: Refused to change power state, currently in D3 irq 17: nobody cared (try booting with the "irqpoll" option) Async resume was introduced in v3.15 by 76569faa62c4 ("PM / sleep: Asynchronous threads for resume_noirq"). Prior to that, we powered on the functions in order, so this problem shouldn't happen. e6b7e41cdd8c ("ata: Disabling the async PM for JMicron chip 363/361") solved the problem for JMicron 361 and 363 devices. With async suspend disabled, we always power on function 0 before function 1. Barto then reported the same problem with a JMicron 368 (see comment #57 in the bugzilla). Rather than extending the blacklist piecemeal, disable async suspend for all JMicron multi-function SATA/PATA/AHCI devices. This quirk could stay in the ahci and pata_jmicron drivers, but it's likely the problem will occur even if pata_jmicron isn't loaded until after the suspend/resume. Making it a PCI quirk ensures that we'll preserve the power-on order even if the drivers aren't loaded. [bhelgaas: changelog, limit to multi-function, limit to IDE/ATA] Link: https://bugzilla.kernel.org/show_bug.cgi?id=81551 Reported-and-tested-by: Barto Signed-off-by: Zhang Rui Signed-off-by: Bjorn Helgaas Signed-off-by: Greg Kroah-Hartman commit 884372a6b09964f236fa8148bc831c84f68d8a09 Author: Mark Rustad Date: Mon Jul 13 11:40:07 2015 -0700 PCI: Add VPD function 0 quirk for Intel Ethernet devices commit 7aa6ca4d39edf01f997b9e02cf6d2fdeb224f351 upstream. Set the PCI_DEV_FLAGS_VPD_REF_F0 flag on all Intel Ethernet device functions other than function 0, so that on multi-function devices, we will always read VPD from function 0 instead of from the other functions. [bhelgaas: changelog] Signed-off-by: Mark Rustad Signed-off-by: Bjorn Helgaas Acked-by: Alexander Duyck Signed-off-by: Greg Kroah-Hartman commit 91a37c794cf2cf7ec1f9afc4cbf4a118df7e085e Author: Mark Rustad Date: Mon Jul 13 11:40:02 2015 -0700 PCI: Add dev_flags bit to access VPD through function 0 commit 932c435caba8a2ce473a91753bad0173269ef334 upstream. Add a dev_flags bit, PCI_DEV_FLAGS_VPD_REF_F0, to access VPD through function 0 to provide VPD access on other functions. This is for hardware devices that provide copies of the same VPD capability registers in multiple functions. Because the kernel expects that each function has its own registers, both the locking and the state tracking are affected by VPD accesses to different functions. On such devices for example, if a VPD write is performed on function 0, *any* later attempt to read VPD from any other function of that device will hang. This has to do with how the kernel tracks the expected value of the F bit per function. Concurrent accesses to different functions of the same device can not only hang but also corrupt both read and write VPD data. When hangs occur, typically the error message: vpd r/w failed. This is likely a firmware bug on this device. will be seen. Never set this bit on function 0 or there will be an infinite recursion. Signed-off-by: Mark Rustad Signed-off-by: Bjorn Helgaas Acked-by: Alexander Duyck Signed-off-by: Greg Kroah-Hartman commit e756cabae72cb32d339a8584b73fb8f67f5d5211 Author: Bjorn Helgaas Date: Fri Jun 19 15:58:24 2015 -0500 PCI: Fix TI816X class code quirk commit d1541dc977d376406f4584d8eb055488655c98ec upstream. In fixup_ti816x_class(), we assigned "class = PCI_CLASS_MULTIMEDIA_VIDEO". But PCI_CLASS_MULTIMEDIA_VIDEO is only the two-byte base class/sub-class and needs to be shifted to make space for the low-order interface byte. Shift PCI_CLASS_MULTIMEDIA_VIDEO to set the correct class code. Fixes: 63c4408074cb ("PCI: Add quirk for setting valid class for TI816X Endpoint") Signed-off-by: Bjorn Helgaas CC: Hemant Pedanekar Signed-off-by: Greg Kroah-Hartman commit 88ce676adff806066f2ec27ff8ad3aa366a2dd20 Author: Georgi Djakov Date: Tue Aug 25 15:27:43 2015 +0300 clk: qcom: Fix MSM8916 prng clock enable bit commit 1c4b4b0eb1909010b8ebda1ef208bf3ed62e7487 upstream. Fix the enable bit of the pseudorandom number generator clock. Reported-by: Stanimir Varbanov Fixes: 3966fab8b6ab "clk: qcom: Add MSM8916 Global Clock Controller support" Signed-off-by: Georgi Djakov Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 448696655e6d9a8e94a6e7af5ec5d2834840edd9 Author: Stephen Boyd Date: Tue Jul 14 16:57:29 2015 -0700 clk: qcom: Set CLK_SET_RATE_PARENT on ce1 clocks commit d7a304e9d018c99dda80f4c16ec0fe817b5be4a1 upstream. The other ce clocks have the flag set, but ce1 doesn't, so clk_set_rate() doesn't propagate up the tree to the ce1_src_clk. Set the flag as this is supported. Reported-by: Bjorn Andersson Tested-by: Bjorn Andersson Fixes: 02824653200b ("clk: qcom: Add APQ8084 Global Clock Controller support") Fixes: d33faa9ead8d ("clk: qcom: Add support for MSM8974's global clock controller (GCC)") Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 95a275367ba98a04f790a9b2dd320a866ed5f153 Author: Robert Jarzmik Date: Sun Jul 12 22:49:53 2015 +0200 clk: pxa: fix core frequency reporting unit commit 4b5fb7dc9096d949a22651370bb6bf11f21edb30 upstream. Legacy drivers which are not yet ported, such as cpufreq-pxa[23]xx, rely on pxaXXx_get_clk_frequency_khz() to find the CPU core frequency. This reporting was broken because the expected unit is kHz and not Hz. Fix the reporting for pxa25x, pxa27x and pxa3xx. Fixes: fe7710fae477 ("clk: add pxa25x clock drivers") Fixes: d40670dc6169 ("clk: add pxa27x clock drivers") Fixes: 9bbb8a338fb2 ("clk: pxa: add pxa3xx clock driver") Signed-off-by: Robert Jarzmik Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 77ec29edce35e4d969b9c8ced633d02da2365e34 Author: Dan Carpenter Date: Wed Jul 29 13:17:06 2015 +0300 clk: versatile: off by one in clk_sp810_timerclken_of_get() commit 3294bee87091be5f179474f6c39d1d87769635e2 upstream. The ">" should be ">=" or we end up reading beyond the end of the array. Fixes: 6e973d2c4385 ('clk: vexpress: Add separate SP810 driver') Signed-off-by: Dan Carpenter Acked-by: Pawel Moll Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 30840a6068fca6d56208b48dd83f448e509753ef Author: Damien.Horsley Date: Wed Aug 26 17:11:40 2015 +0100 clk: pistachio: correct critical clock list commit d31ff5f7f3b142b8d1ebb3da89187c54cdf2bc71 upstream. Current critical clock list for pistachio enables only mips and sys clocks by default but there are also other clocks that are not claimed by anyone and needs to be enabled by default. This patch updates the critical clocks that need to be enabled by default. Add a separate struct to distinguish the critical clocks as listed: 1.) core clocks: a.) mips clock 2.) peripheral system clocks: a.) sys clock b.) sys_bus clock c.) DDR clock d.) ROM clock Fixes: b35d7c33419c("CLK: Pistachio: Register core clocks") Reviewed-by: Andrew Bresticker Signed-off-by: Ezequiel Garcia Signed-off-by: Damien.Horsley Signed-off-by: Govindraj Raja Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit d865d79dba304627da19806d454838ee80b6eae4 Author: Zdenko Pulitika Date: Wed Aug 26 17:11:38 2015 +0100 clk: pistachio: Fix override of clk-pll settings from boot loader commit e53f21c761d141bbcbce06e9ddab3b4e0a828f2c upstream. PLL enable callbacks are overriding PLL mode (int/frac) and Noise reduction (on/off) settings set by the boot loader which results in the incorrect clock rate. PLL mode and noise reduction are defined by the DSMPD and DACPD bits of the PLL control register. PLL .enable() callbacks enable PLL by deasserting all power-down bits of the PLL control register, including DSMPD and DACPD bits, which is not necessary since these bits don't actually enable/disable PLL. This commit fixes the problem by removing DSMPD and DACPD bits from the "PLL enable" mask. Fixes: 43049b0c83f17("CLK: Pistachio: Add PLL driver") Reviewed-by: Andrew Bresitcker Signed-off-by: Zdenko Pulitika Signed-off-by: Govindraj Raja Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 0c34e6c8de0e7fcd7321217aeedfa797894c2324 Author: Marek Szyprowski Date: Wed Aug 12 10:58:22 2015 +0200 clk: s5pv210: add missing call to samsung_clk_of_add_provider() commit ba30011577330b7e29ecb5916d89c6db9fbc5b3d upstream. Commit d5e136a21b2028fb1f45143ea7112d5869bfc6c7 ("clk: samsung: Register clk provider only after registering its all clocks", merged to v3.17-rc1) modified a way that driver registers registers to core framework. This change has not been applied to s5pv210 clocks driver, which has been merged in parallel to that commit. This patch adds a missing call to samsung_clk_of_add_provider(), so the driver is operational again. Signed-off-by: Marek Szyprowski Acked-by: Tomasz Figa Signed-off-by: Michael Turquette Signed-off-by: Greg Kroah-Hartman commit dcce0e4e44ed93c0438d258232b15be481641cfa Author: Krzysztof Kozlowski Date: Fri Jun 12 10:53:25 2015 +0900 clk: exynos4: Fix wrong clock for Exynos4x12 ADC commit e323d56eb06b266b77c2b430cb5f1977ba549e03 upstream. The TSADC gate clock was used in Exynos4x12 DTSI for exynos-adc driver. However TSADC is present only on Exynos4210 so on Trats2 board (with Exynos4412 SoC) the exynos-adc driver could not be probed: ERROR: could not get clock /adc@126C0000:adc(0) exynos-adc 126c0000.adc: failed getting clock, err = -2 exynos-adc: probe of 126c0000.adc failed with error -2 Instead on Exynos4x12 SoCs the main clock used by Analog to Digital Converter is located in different register and it is named in datasheet as PCLK_ADC. Regardless of the name the purpose of this PCLK_ADC clock is the same as purpose of TSADC from Exynos4210. The patch adds gate clock for Exynos4x12 using the proper register so backward compatibility is preserved. This fixes the probe of exynos-adc driver on Exynos4x12 boards and allows accessing sensors connected to it on Trats2 board (ntc,ncp15wb473 AP and battery thermistors). Signed-off-by: Krzysztof Kozlowski Fixes: c63c57433003 ("ARM: dts: Add ADC's dt data to read raw data for exynos4x12") Reviewed-by: Javier Martinez Canillas Acked-by: Tomasz Figa Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit befadb239291808c185c9029d8b418beca05882a Author: Heiko Stuebner Date: Thu Jun 18 16:18:28 2015 +0200 clk: rockchip: rk3288: add CLK_SET_RATE_PARENT to sclk_mac commit 4791eb61dbe8100ccac59fecfac9d93a15db1447 upstream. The dwmac ethernet controller on the rk3288 supports phys connected via rgmii and rmii. With rgmii phys it is expected that the mac clock is provided externally while with rmii phys the clock can be external but also generated from the plls. In the later case it of course needs be at 50MHz, which gets set from the dwmac_rk driver. As most devices use a rgmii phy it never surfaced so far that the mac clk mux, doesn't go up one lever to the pll clock in the rmii case with internal clock generation, as it is missing the CLK_SET_RATE_PARENT flag, and thus will not set the correct frequency in most cases. Fixes: b9e4ba541607 ("clk: rockchip: add clock controller for rk3288") Signed-off-by: Heiko Stuebner Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 2c0a3f6ee3f768a4cc3462b532ce38ae5cbbf22c Author: Colin Ian King Date: Mon Jun 29 22:13:38 2015 +0100 PM / clk: don't return int on __pm_clk_enable() commit f4745a92781b872455f32feb01d1dce92aefcb6c upstream. Static analysis by cppcheck found an issue that was recently introduced by commit 471f7707b6f0b1 ("PM / clock_ops: make __pm_clk_enable more generic") where a return status in ret was not being initialised and garbage being returned when ce->status >= PCE_STATUS_ERROR. The fact that ret is not being checked by the caller and that ret is only used internally __pm_clk_enable() to check if clk_enable() was OK means we can ignore returning it instead turn __pm_clk_enable() into function with a void return. Fixes: 471f7707b6f0b1 ("PM / clock_ops: make __pm_clk_enable more generic") Signed-off-by: Colin Ian King Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit b248fcf1cedcb427ccfd7a09a1b56b3c50190f81 Author: Ian Abbott Date: Thu Jul 23 16:46:58 2015 +0100 staging: comedi: usbduxsigma: don't clobber ao_timer in command test commit c04a1f17803e0d3eeada586ca34a6b436959bc20 upstream. `devpriv->ao_timer` is used while an asynchronous command is running on the AO subdevice. It also gets modified by the subdevice's `cmdtest` handler for checking new asynchronous commands, `usbduxsigma_ao_cmdtest()`, which is not correct as it's allowed to check new commands while an old command is still running. Fix it by moving the code which sets up `devpriv->ao_timer` into the subdevice's `cmd` handler, `usbduxsigma_ao_cmd()`. Note that the removed code in `usbduxsigma_ao_cmdtest()` checked that `devpriv->ao_timer` did not end up less that 1, but that could not happen due because `cmd->scan_begin_arg` or `cmd->convert_arg` had already been range-checked. Also note that we tested the `high_speed` variable in the old code, but that is currently always 0 and means that we always use "scan" timing (`cmd->scan_begin_src == TRIG_TIMER` and `cmd->convert_src == TRIG_NOW`) and never "convert" (individual sample) timing (`cmd->scan_begin_src == TRIG_FOLLOW` and `cmd->convert_src == TRIG_TIMER`). The moved code tests `cmd->convert_src` instead to decide whether "scan" or "convert" timing is being used, although currently only "scan" timing is supported. Fixes: fb1ef622e7a3 ("staging: comedi: usbduxsigma: tidy up analog output command support") Signed-off-by: Ian Abbott Reviewed-by: Bernd Porr Reviewed-by: H Hartley Sweeten Signed-off-by: Greg Kroah-Hartman commit 815efa5df8a5fc651289a3302cd89a6dbf30ac28 Author: Ian Abbott Date: Thu Jul 23 16:46:57 2015 +0100 staging: comedi: usbduxsigma: don't clobber ai_timer in command test commit 423b24c37dd5794a674c74b0ed56392003a69891 upstream. `devpriv->ai_timer` is used while an asynchronous command is running on the AI subdevice. It also gets modified by the subdevice's `cmdtest` handler for checking new asynchronous commands (`usbduxsigma_ai_cmdtest()`), which is not correct as it's allowed to check new commands while an old command is still running. Fix it by moving the code which sets up `devpriv->ai_timer` and `devpriv->ai_interval` into the subdevice's `cmd` handler, `usbduxsigma_ai_cmd()`. Note that the removed code in `usbduxsigma_ai_cmdtest()` checked that `devpriv->ai_timer` did not end up less than than 1, but that could not happen because `cmd->scan_begin_arg` had already been checked to be at least the minimum required value (at least when `cmd->scan_begin_src == TRIG_TIMER`, which had also been checked to be the case). Fixes: b986be8527c7 ("staging: comedi: usbduxsigma: tidy up analog input command support) Signed-off-by: Ian Abbott Reviewed-by: Bernd Porr Reviewed-by: H Hartley Sweeten Signed-off-by: Greg Kroah-Hartman commit 75882550ea3ec52c783f440f97ac4c6999916ede Author: Ian Abbott Date: Tue Aug 11 13:05:10 2015 +0100 staging: comedi: adl_pci7x3x: fix digital output on PCI-7230 commit ad83dbd974feb2e2a8cc071a1d28782bd4d2c70e upstream. The "adl_pci7x3x" driver replaced the "adl_pci7230" and "adl_pci7432" drivers in commits 8f567c373c4b ("staging: comedi: new adl_pci7x3x driver") and 657f77d173d3 ("staging: comedi: remove adl_pci7230 and adl_pci7432 drivers"). Although the new driver code agrees with the user manuals for the respective boards, digital outputs stopped working on the PCI-7230. This has 16 digital output channels and the previous adl_pci7230 driver shifted the 16 bit output state left by 16 bits before writing to the hardware register. The new adl_pci7x3x driver doesn't do that. Fix it in `adl_pci7x3x_do_insn_bits()` by checking for the special case of the subdevice having only 16 channels and duplicating the 16 bit output state into both halves of the 32-bit register. That should work both for what the board actually does and for what the user manual says it should do. Fixes: 8f567c373c4b ("staging: comedi: new adl_pci7x3x driver") Signed-off-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman commit 668327e49d2aa4782da771c4b1c6c152bf5084a1 Author: Jan H. Schönherr Date: Wed Aug 12 21:35:56 2015 +0200 sched: Fix cpu_active_mask/cpu_online_mask race commit dd9d3843755da95f63dd3a376f62b3e45c011210 upstream. There is a race condition in SMP bootup code, which may result in WARNING: CPU: 0 PID: 1 at kernel/workqueue.c:4418 workqueue_cpu_up_callback() or kernel BUG at kernel/smpboot.c:135! It can be triggered with a bit of luck in Linux guests running on busy hosts. CPU0 CPUn ==== ==== _cpu_up() __cpu_up() start_secondary() set_cpu_online() cpumask_set_cpu(cpu, to_cpumask(cpu_online_bits)); cpu_notify(CPU_ONLINE) cpumask_set_cpu(cpu, to_cpumask(cpu_active_bits)); During the various CPU_ONLINE callbacks CPUn is online but not active. Several things can go wrong at that point, depending on the scheduling of tasks on CPU0. Variant 1: cpu_notify(CPU_ONLINE) workqueue_cpu_up_callback() rebind_workers() set_cpus_allowed_ptr() This call fails because it requires an active CPU; rebind_workers() ends with a warning: WARNING: CPU: 0 PID: 1 at kernel/workqueue.c:4418 workqueue_cpu_up_callback() Variant 2: cpu_notify(CPU_ONLINE) smpboot_thread_call() smpboot_unpark_threads() .. __kthread_unpark() __kthread_bind() wake_up_state() .. select_task_rq() select_fallback_rq() The ->wake_cpu of the unparked thread is not allowed, making a call to select_fallback_rq() necessary. Then, select_fallback_rq() cannot find an allowed, active CPU and promptly resets the allowed CPUs, so that the task in question ends up on CPU0. When those unparked tasks are eventually executed, they run immediately into a BUG: kernel BUG at kernel/smpboot.c:135! Just changing the order in which the online/active bits are set (and adding some memory barriers), would solve the two issues above. However, it would change the order of operations back to the one before commit 6acbfb96976f ("sched: Fix hotplug vs. set_cpus_allowed_ptr()"), thus, reintroducing that particular problem. Going further back into history, we have at least the following commits touching this topic: - commit 2baab4e90495 ("sched: Fix select_fallback_rq() vs cpu_active/cpu_online") - commit 5fbd036b552f ("sched: Cleanup cpu_active madness") Together, these give us the following non-working solutions: - secondary CPU sets active before online, because active is assumed to be a subset of online; - secondary CPU sets online before active, because the primary CPU assumes that an online CPU is also active; - secondary CPU sets online and waits for primary CPU to set active, because it might deadlock. Commit 875ebe940d77 ("powerpc/smp: Wait until secondaries are active & online") introduces an arch-specific solution to this arch-independent problem. Now, go for a more general solution without explicit waiting and simply set active twice: once on the secondary CPU after online was set and once on the primary CPU after online was seen. set_cpus_allowed_ptr()") Signed-off-by: Jan H. Schönherr Acked-by: Peter Zijlstra Cc: Anton Blanchard Cc: Borislav Petkov Cc: Joerg Roedel Cc: Linus Torvalds Cc: Matt Wilson Cc: Michael Ellerman Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: 6acbfb96976f ("sched: Fix hotplug vs. set_cpus_allowed_ptr()") Link: http://lkml.kernel.org/r/1439408156-18840-1-git-send-email-jschoenh@amazon.de Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit da4ecf32643639585af69bf5f0e5143198e43c39 Author: Lars-Peter Clausen Date: Wed Aug 5 15:38:15 2015 +0200 iio: adis16480: Fix scale factors commit 7abad1063deb0f77d275c61f58863ec319c58c5c upstream. The different devices support by the adis16480 driver have slightly different scales for the gyroscope and accelerometer channels. Signed-off-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit db783fa06defd4f908861a83d602c33f29af86e9 Author: Lars-Peter Clausen Date: Wed Aug 5 15:38:14 2015 +0200 iio: Add inverse unit conversion macros commit c689a923c867eac40ed3826c1d9328edea8b6bc7 upstream. Add inverse unit conversion macro to convert from standard IIO units to units that might be used by some devices. Those are useful in combination with scale factors that are specified as IIO_VAL_FRACTIONAL. Typically the denominator for those specifications will contain the maximum raw value the sensor will generate and the numerator the value it maps to in a specific unit. Sometimes datasheets specify those in different units than the standard IIO units (e.g. degree/s instead of rad/s) and so we need to do a unit conversion. From a mathematical point of view it does not make a difference whether we apply the unit conversion to the numerator or the inverse unit conversion to the denominator since (x / y) / z = x / (y * z). But as the denominator is typically a larger value and we are rounding both the numerator and denominator to integer values using the later method gives us a better precision (E.g. the relative error is smaller if we round 8000.3 to 8000 rather than rounding 8.3 to 8). This is where in inverse unit conversion macros will be used. Marked for stable as used by some upcoming fixes. Signed-off-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit dfc28f84d3d1d45bf2720362ee03420b8637d4ba Author: Lars-Peter Clausen Date: Wed Aug 5 15:38:13 2015 +0200 iio: adis16400: Fix adis16448 gyroscope scale commit 8166537283b31d7abaae9e56bd48fbbc30cdc579 upstream. Use the correct scale for the adis16448 gyroscope output. Signed-off-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 3f0ade6354d14d0efb7d344ea388a4d154fba03f Author: Cristina Opriceana Date: Mon Aug 3 13:37:40 2015 +0300 iio: industrialio-buffer: Fix iio_buffer_poll return value commit 1bdc0293901cbea23c6dc29432e81919d4719844 upstream. Change return value to 0 if no device is bound since unsigned int cannot support negative error codes. Fixes: f18e7a068 ("iio: Return -ENODEV for file operations if the device has been unregistered") Signed-off-by: Cristina Opriceana Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit ddf196ae809800281b5494b3cda7cbff0f89e4a3 Author: Cristina Opriceana Date: Mon Aug 3 13:00:47 2015 +0300 iio: event: Remove negative error code from iio_event_poll commit 41d903c00051d8f31c98a8136edbac67e6f8688f upstream. Negative return values are not supported by iio_event_poll since its return type is unsigned int. Fixes: f18e7a068a0a3 ("iio: Return -ENODEV for file operations if the device has been unregistered") Signed-off-by: Cristina Opriceana Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit b78f553c856992967005427faf3cdc403578f863 Author: Markus Pargmann Date: Wed Jul 29 15:46:03 2015 +0200 iio: bmg160: IIO_BUFFER and IIO_TRIGGERED_BUFFER are required commit 06d2f6ca5a38abe92f1f3a132b331eee773868c3 upstream. This patch adds selects for IIO_BUFFER and IIO_TRIGGERED_BUFFER. Without IIO_BUFFER, the driver does not compile. Signed-off-by: Markus Pargmann Reviewed-by: Srinivas Pandruvada Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 93f3257cb2a4f75e6d7ed3eb3d608639c708dd19 Author: Martin Schwidefsky Date: Fri Aug 14 13:20:28 2015 +0200 s390/setup: fix novx parameter commit 89b1145e93771d727645c96e323539c029b63f1c upstream. The novx parameter disables the vector facility but the HWCAP_S390_VXRS bit in the ELf hardware capabilies is always set if the machine has the vector facility. If the user space program uses the "vx" string in the features field of /proc/cpuinfo to utilize vector instruction it will crash if the novx kernel paramter is set. Convert setup_hwcaps to an arch_initcall and use MACHINE_HAS_VX to decide if the HWCAPS_S390_VXRS bit needs to be set. Reported-by: Ulrich Weigand Reviewed-by: Heiko Carstens Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 8613898412bb80464d201bc9af7a44e599e547e1 Author: Sebastian Ott Date: Thu Jun 25 09:32:22 2015 +0200 s390/sclp: fix compile error commit a313bdc5310dd807655d3ca3eb2219cd65dfe45a upstream. Fix this error when compiling with CONFIG_SMP=n and CONFIG_DYNAMIC_DEBUG=y: drivers/s390/char/sclp_early.c: In function 'sclp_read_info_early': drivers/s390/char/sclp_early.c:87:19: error: 'EBUSY' undeclared (first use in this function) } while (rc == -EBUSY); ^ Signed-off-by: Sebastian Ott Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit f22f4cf524e66f20c86570023027504288f9bef2 Author: Chris Wilson Date: Tue Sep 8 14:17:13 2015 +0100 drm/i915: Limit the number of loops for reading a split 64bit register commit acd29f7b22262d9e848393b9b6ae13eb42d22514 upstream. In I915_READ64_2x32 we attempt to read a 64bit register using 2 32bit reads. Due to the nature of the registers we try to read in this manner, they may increment between the two instruction (e.g. a timestamp counter). To keep the result accurate, we repeat the read if we detect an overflow (i.e. the upper value varies). However, some hardware is just plain flaky and may endless loop as the the upper 32bits are not stable. Just give up after a couple of tries and report whatever we read last. v2: Use the most recent values when erring out on an unstable register. Reported-by: russianneuromancer@ya.ru Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=91906 Signed-off-by: Chris Wilson Cc: Michał Winiarski Cc: Daniel Vetter Cc: Jani Nikula Reviewed-by: Daniel Vetter Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 5b2c006168304879990b33f696219eff47157d8d Author: Chris Wilson Date: Mon Aug 31 15:10:39 2015 +0100 drm/i915: Always mark the object as dirty when used by the GPU commit 51bc140431e233284660b1d22c47dec9ecdb521e upstream. There have been many hard to track down bugs whereby userspace forgot to flag a write buffer and then cause graphics corruption or a hung GPU when that buffer was later purged under memory pressure (as the buffer appeared clean, its pages would have been evicted rather than preserved and any changes more recent than in the backing storage would be lost). In retrospect this is a rare optimisation against memory pressure, already the slow path. If we always mark the buffer as dirty when accessed by the GPU, anything not used can still be evicted cheaply (ideal behaviour for mark-and-sweep eviction) but we do not run the risk of corruption. For correct read serialisation, userspace still has to notify when the GPU writes to an object. However, there are certain situations under which userspace may wish to tell white lies to the kernel... Signed-off-by: Chris Wilson Cc: Daniel Vetter Cc: Kristian Høgsberg Cc: Jesse Barnes Cc: "Goel, Akash" Cc: Michał Winiarski Reviewed-by: Daniel Vetter Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit a822e861b7457e17d83ab7cb3f1c78c64e346cb1 Author: Gaurav K Singh Date: Mon Aug 3 15:45:32 2015 +0530 drm/i915: Allow DSI dual link to be configured on any pipe commit 824257857fd81f5e749831ff9cd63566b5a86abe upstream. Just like single link MIPI panels, similarly for dual link panels, pipe to be configured is based on the DVO port from VBT Block 2. In hardware, Port A is mapped with Pipe A and Port C is mapped with Pipe B. This issue got introduced in - commit 7e9804fdcffc650515c60f524b8b2076ee59e710 Author: Jani Nikula Date: Fri Jan 16 14:27:23 2015 +0200 drm/i915/dsi: add drm mipi dsi host support Signed-off-by: Gaurav K Singh Reviewed-by: Ville Syrjälä Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 2c176780c2cd8e66d6fd1041debc9bdd909fa479 Author: Jonathon Jongsma Date: Thu Aug 20 14:04:32 2015 -0500 drm/qxl: validate monitors config modes commit bd3e1c7c6de9f5f70d97cdb6c817151c0477c5e3 upstream. Due to some recent changes in drm_helper_probe_single_connector_modes_merge_bits(), old custom modes were not being pruned properly. In current kernels, drm_mode_validate_basic() is called to sanity-check each mode in the list. If the sanity-check passes, the mode's status gets set to to MODE_OK. In older kernels this check was not done, so old custom modes would still have a status of MODE_UNVERIFIED at this point, and would therefore be pruned later in the function. As a result of this new behavior, the list of modes for a device always includes every custom mode ever configured for the device, with the largest one listed first. Since desktop environments usually choose the first preferred mode when a hotplug event is emitted, this had the result of making it very difficult for the user to reduce the size of the display. The qxl driver did implement the mode_valid connector function, but it was empty. In order to restore the old behavior where old custom modes are pruned, we implement a proper mode_valid function for the qxl driver. This function now checks each mode against the last configured custom mode and the list of standard modes. If the mode doesn't match any of these, its status is set to MODE_BAD so that it will be pruned as expected. Signed-off-by: Jonathon Jongsma Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit cdfbbe252c3fa94a4ce83fb8d8331cc58de2fc35 Author: Lukas Wunner Date: Wed Jul 15 13:57:35 2015 +0200 drm/i915: Preserve SSC earlier commit 69f92f67b68ab7028ffe15f0eea76b59f8859383 upstream. Commit 92122789b2d6 ("drm/i915: preserve SSC if previously set v3") added code to intel_modeset_gem_init to override the SSC status read from VBT with the SSC status set by BIOS. However, intel_modeset_gem_init is invoked *after* intel_modeset_init, which calls intel_setup_outputs, which *modifies* SSC status by way of intel_init_pch_refclk. So unlike advertised, intel_modeset_gem_init doesn't preserve the SSC status set by BIOS but whatever intel_init_pch_refclk decided on. This is a problem on dual gpu laptops such as the MacBook Pro which require either a handler to switch DDC lines, or the discrete gpu to proxy DDC/AUX communication: Both the handler and the discrete gpu may initialize after the i915 driver, and consequently, an LVDS connector may initially seem disconnected and the SSC therefore is disabled by intel_init_pch_refclk, but on reprobe the connector may turn out to be connected and the SSC must then be enabled. Due to 92122789b2d6 however, the SSC is not enabled on reprobe since it is assumed BIOS disabled it while in fact it was disabled by intel_init_pch_refclk. Also, because the SSC status is preserved so late, the preserved value only ever gets used on resume but not on panel initialization: intel_modeset_init calls intel_init_display which indirectly calls intel_panel_use_ssc via multiple subroutines, *before* the BIOS value overrides the VBT value in intel_modeset_gem_init (intel_panel_use_ssc is the sole user of dev_priv->vbt.lvds_use_ssc). Fix this by moving the code introduced by 92122789b2d6 from intel_modeset_gem_init to intel_modeset_init before the invocation of intel_setup_outputs and intel_init_display. Add a DRM_DEBUG_KMS as suggested way back by Jani: http://lists.freedesktop.org/archives/intel-gfx/2014-June/046666.html Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88861 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=61115 Tested-by: Paul Hordiienko [MBP 6,2 2010 intel ILK + nvidia GT216 pre-retina] Tested-by: William Brown [MBP 8,2 2011 intel SNB + amd turks pre-retina] Tested-by: Lukas Wunner [MBP 9,1 2012 intel IVB + nvidia GK107 pre-retina] Tested-by: Bruno Bierbaumer [MBP 11,3 2013 intel HSW + nvidia GK107 retina -- work in progress] Fixes: 92122789b2d6 ("drm/i915: preserve SSC if previously set v3") Signed-off-by: Lukas Wunner Reviewed-by: Jesse Barnes Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 6002d1973933c76033c08d531e3f29d2da68000b Author: Alex Deucher Date: Thu Aug 27 09:52:22 2015 -0400 drm/radeon: fix HDMI quantization_range for pre-DCE5 asics commit 86b7709d48f0df8796bddd7e1ce45c6fb7a7c6ec upstream. Support for output_csc is only available on DCE5 and newer so don't mess with the HDMI quantization_range on pre-DCE5 asics. bug: https://bugs.freedesktop.org/show_bug.cgi?id=83226 Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 00f6fa71ff02e572f660f7971232e9f3a95c9838 Author: Alex Deucher Date: Mon Aug 31 11:15:05 2015 -0400 drm/radeon/native: Send out the full AUX address commit 7040c399aea2b0213a9aefd73e507369a6d641d6 upstream. AUX addresses are 20 bits long. Send out the entire address instead of just the low 16 bits. Port of: drm/radeon/atom: Send out the full AUX address to radeon non-atom aux path Reviewed-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit b394195ca54af86c6ebb44396c29c24875870de4 Author: Ville Syrjälä Date: Thu Aug 27 17:23:31 2015 +0300 drm/radeon/atom: Send out the full AUX address commit 3f8340cc72c9a1a4b49bce7802afd7f248400ef5 upstream. AUX addresses are 20 bits long. Send out the entire address instead of just the low 16 bits. Cc: Alex Deucher Cc: "Christian König" Signed-off-by: Ville Syrjälä Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 16c5921e6028fb684b7082eca718e2189fc3ae2b Author: Ville Syrjälä Date: Thu Aug 20 19:37:29 2015 +0300 drm/i915: Check DP link status on long hpd too commit d14e7b6d1d8747826cb900db852351c550e00fdd upstream. We are no longer checkling the DP link status on long hpd. We used to do that from the .hot_plug() handler, but it was removed when MST got introduced. If there's no userspace we now fail to retrain the link if the sink power is toggled (or cable yanked and replugged), meaning the user is left staring at a blank screen. With the retraining put back that should be fixed. Also remove the leftover comment that referred to the old retraining from .hot_plug(). Fixes a regression introduced in: commit 0e32b39ceed665bfa4a77a4bc307b6652b991632 Author: Dave Airlie Date: Fri May 2 14:02:48 2014 +1000 drm/i915: add DP 1.2 MST support (v0.7) Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=89453 Tested-by: Palmer Dabbelt Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=91407 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=89461 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=89594 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=85641 Cc: Dave Airlie Signed-off-by: Ville Syrjälä Reviewed-by: Daniel Vetter Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 8aece0b0ccfda469bbe589cc178fe832f15a69be Author: Imre Deak Date: Tue Jun 30 17:06:47 2015 +0300 drm/i915: apply the PCI_D0/D3 hibernation workaround everywhere on pre GEN6 commit 54875571bbfde00fc63741715c531cbb5246c3b2 upstream. commit da2bc1b9db3351addd293e5b82757efe1f77ed1d Author: Imre Deak Date: Thu Oct 23 19:23:26 2014 +0300 drm/i915: add poweroff_late handler introduced a regression on old platforms during hibernation. A workaround was added in commit ab3be73fa7b43f4c3648ce29b5fd649ea54d3adb Author: Imre Deak Date: Mon Mar 2 13:04:41 2015 +0200 drm/i915: gen4: work around hang during hibernation using an explicit blacklist for the GENs/BIOS vendors where the issue was reported. Later there we had reports of the same failure on platforms not on this list. To my best knowledge the correct thing to do is still to put the device to PCI D3 state during hibernation, see [1] and [2] for the reasons. This also aligns with our future plans to unify more the runtime and system suspend/resume paths. Since an exact blacklist seems to be impractical (multiple GENs and BIOS vendors are affected) apply the workaround on everything pre GEN6. [1] http://lists.freedesktop.org/archives/intel-gfx/2015-February/060710.html [2] https://lkml.org/lkml/2015/6/22/274 Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=95061 Reported-by: Ilya Tumaykin Reported-by: Dirk Griesbach Reported-by: Pavel Machek Reported-by: Mikko Rapeli Tested-by: Mikko Rapeli Reported-by: Paul Bolle Signed-off-by: Imre Deak Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 5a206fe2675e696828be0df1c48a7e9f30e03003 Author: Stephen Chandler Paul Date: Fri Aug 21 14:16:12 2015 -0400 DRM - radeon: Don't link train DisplayPort on HPD until we get the dpcd commit 924f92bf12bfbef3662619e3ed24a1cea7c1cbcd upstream. Most of the time this isn't an issue since hotplugging an adaptor will trigger a crtc mode change which in turn, causes the driver to probe every DisplayPort for a dpcd. However, in cases where hotplugging doesn't cause a mode change (specifically when one unplugs a monitor from a DisplayPort connector, then plugs that same monitor back in seconds later on the same port without any other monitors connected), we never probe for the dpcd before starting the initial link training. What happens from there looks like this: - GPU has only one monitor connected. It's connected via DisplayPort, and does not go through an adaptor of any sort. - User unplugs DisplayPort connector from GPU. - Change in HPD is detected by the driver, we probe every DisplayPort for a possible connection. - Probe the port the user originally had the monitor connected on for it's dpcd. This fails, and we clear the first (and only the first) byte of the dpcd to indicate we no longer have a dpcd for this port. - User plugs the previously disconnected monitor back into the same DisplayPort. - radeon_connector_hotplug() is called before everyone else, and tries to handle the link training. Since only the first byte of the dpcd is zeroed, the driver is able to complete link training but does so against the wrong dpcd, causing it to initialize the link with the wrong settings. - Display stays blank (usually), dpcd is probed after the initial link training, and the driver prints no obvious messages to the log. In theory, since only one byte of the dpcd is chopped off (specifically, the byte that contains the revision information for DisplayPort), it's not entirely impossible that this bug may not show on certain monitors. For instance, the only reason this bug was visible on my ASUS PB238 monitor was due to the fact that this monitor using the enhanced framing symbol sequence, the flag for which is ignored if the radeon driver thinks that the DisplayPort version is below 1.1. Signed-off-by: Stephen Chandler Paul Reviewed-by: Jerome Glisse Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 7b638e8e6d2cca69e5756cf4eb66fc41a661a037 Author: Andy Lutomirski Date: Fri Aug 14 15:02:55 2015 -0700 x86/ldt: Further fix FPU emulation commit 12e244f4b550498bbaf654a52f93633f7dde2dc7 upstream. The previous fix confused a selector with a segment prefix. Fix it. Compile-tested only. Cc: Juergen Gross Reported-by: Linus Torvalds Fixes: 4809146b86c3 ("x86/ldt: Correct FPU emulation access to LDT") Signed-off-by: Andy Lutomirski Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b33c0beeedf3fd7e329b0a81add3a15920184019 Author: Juergen Gross Date: Thu Aug 6 19:54:34 2015 +0200 x86/ldt: Correct FPU emulation access to LDT commit 4809146b86c3d41ce588fdb767d021e2a80600dd upstream. Commit 37868fe113ff ("x86/ldt: Make modify_ldt synchronous") introduced a new struct ldt_struct anchored at mm->context.ldt. Adapt the x86 fpu emulation code to use that new structure. Signed-off-by: Juergen Gross Reviewed-by: Andy Lutomirski Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: billm@melbpc.org.au Link: http://lkml.kernel.org/r/1438883674-1240-1-git-send-email-jgross@suse.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 7a1644e246c65eb58b04c3167dd5307de7ac86c9 Author: Juergen Gross Date: Thu Aug 6 10:04:38 2015 +0200 x86/ldt: Correct LDT access in single stepping logic commit 136d9d83c07c5e30ac49fc83b27e8c4842f108fc upstream. Commit 37868fe113ff ("x86/ldt: Make modify_ldt synchronous") introduced a new struct ldt_struct anchored at mm->context.ldt. convert_ip_to_linear() was changed to reflect this, but indexing into the ldt has to be changed as the pointer is no longer void *. Signed-off-by: Juergen Gross Reviewed-by: Andy Lutomirski Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: bp@suse.de Link: http://lkml.kernel.org/r/1438848278-12906-1-git-send-email-jgross@suse.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 618683abc90f828b980a969d4f55d0d322155c8f Author: Andy Lutomirski Date: Thu Jul 30 14:31:32 2015 -0700 x86/ldt: Make modify_ldt synchronous commit 37868fe113ff2ba814b3b4eb12df214df555f8dc upstream. modify_ldt() has questionable locking and does not synchronize threads. Improve it: redesign the locking and synchronize all threads' LDTs using an IPI on all modifications. This will dramatically slow down modify_ldt in multithreaded programs, but there shouldn't be any multithreaded programs that care about modify_ldt's performance in the first place. This fixes some fallout from the CVE-2015-5157 fixes. Signed-off-by: Andy Lutomirski Reviewed-by: Borislav Petkov Cc: Andrew Cooper Cc: Andy Lutomirski Cc: Boris Ostrovsky Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Jan Beulich Cc: Konrad Rzeszutek Wilk Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Sasha Levin Cc: Steven Rostedt Cc: Thomas Gleixner Cc: security@kernel.org Cc: xen-devel Link: http://lkml.kernel.org/r/4c6978476782160600471bd865b318db34c7b628.1438291540.git.luto@kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman