diff options
| -rw-r--r-- | 0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch | 169 | ||||
| -rw-r--r-- | 0001-uas-Limit-qdepth-at-the-scsi-host-level.patch | 45 | ||||
| -rw-r--r-- | HID-wacom-fix-Bamboo-ONE-oops.patch | 46 | ||||
| -rw-r--r-- | USB-usbip-fix-potential-out-of-bounds-write.patch | 45 | ||||
| -rw-r--r-- | antenna_select.patch | 227 | ||||
| -rw-r--r-- | arm-fix-idiv.patch | 52 | ||||
| -rw-r--r-- | drm-udl-Use-unlocked-gem-unreferencing.patch | 58 | ||||
| -rw-r--r-- | ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch | 97 | ||||
| -rw-r--r-- | kernel.spec | 45 | ||||
| -rw-r--r-- | rebase-notes.txt | 1 | ||||
| -rw-r--r-- | sources | 2 | ||||
| -rw-r--r-- | x86-xen-suppress-hugetlbfs-in-PV-guests.patch | 70 |
12 files changed, 542 insertions, 315 deletions
diff --git a/0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch b/0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch new file mode 100644 index 000000000..a76603900 --- /dev/null +++ b/0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch @@ -0,0 +1,169 @@ +From a21211672c9a1d730a39aa65d4a5b3414700adfb Mon Sep 17 00:00:00 2001 +From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> +Date: Wed, 23 Mar 2016 21:07:39 -0700 +Subject: [PATCH] ACPI / processor: Request native thermal interrupt handling + via _OSC + +There are several reports of freeze on enabling HWP (Hardware PStates) +feature on Skylake-based systems by the Intel P-states driver. The root +cause is identified as the HWP interrupts causing BIOS code to freeze. + +HWP interrupts use the thermal LVT which can be handled by Linux +natively, but on the affected Skylake-based systems SMM will respond +to it by default. This is a problem for several reasons: + - On the affected systems the SMM thermal LVT handler is broken (it + will crash when invoked) and a BIOS update is necessary to fix it. + - With thermal interrupt handled in SMM we lose all of the reporting + features of the arch/x86/kernel/cpu/mcheck/therm_throt driver. + - Some thermal drivers like x86-package-temp depend on the thermal + threshold interrupts signaled via the thermal LVT. + - The HWP interrupts are useful for debugging and tuning + performance (if the kernel can handle them). +The native handling of thermal interrupts needs to be enabled +because of that. + +This requires some way to tell SMM that the OS can handle thermal +interrupts. That can be done by using _OSC/_PDC in processor +scope very early during ACPI initialization. + +The meaning of _OSC/_PDC bit 12 in processor scope is whether or +not the OS supports native handling of interrupts for Collaborative +Processor Performance Control (CPPC) notifications. Since on +HWP-capable systems CPPC is a firmware interface to HWP, setting +this bit effectively tells the firmware that the OS will handle +thermal interrupts natively going forward. + +For details on _OSC/_PDC refer to: +http://www.intel.com/content/www/us/en/standards/processor-vendor-specific-acpi-specification.html + +To implement the _OSC/_PDC handshake as described, introduce a new +function, acpi_early_processor_osc(), that walks the ACPI +namespace looking for ACPI processor objects and invokes _OSC for +them with bit 12 in the capabilities buffer set and terminates the +namespace walk on the first success. + +Also modify intel_thermal_interrupt() to clear HWP status bits in +the HWP_STATUS MSR to acknowledge HWP interrupts (which prevents +them from firing continuously). + +Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> +[ rjw: Subject & changelog, function rename ] +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +--- + arch/x86/kernel/cpu/mcheck/therm_throt.c | 3 ++ + drivers/acpi/acpi_processor.c | 52 ++++++++++++++++++++++++++++++++ + drivers/acpi/bus.c | 3 ++ + drivers/acpi/internal.h | 6 ++++ + 4 files changed, 64 insertions(+) + +diff --git a/arch/x86/kernel/cpu/mcheck/therm_throt.c b/arch/x86/kernel/cpu/mcheck/therm_throt.c +index 2c5aaf8..0553858 100644 +--- a/arch/x86/kernel/cpu/mcheck/therm_throt.c ++++ b/arch/x86/kernel/cpu/mcheck/therm_throt.c +@@ -385,6 +385,9 @@ static void intel_thermal_interrupt(void) + { + __u64 msr_val; + ++ if (static_cpu_has(X86_FEATURE_HWP)) ++ wrmsrl_safe(MSR_HWP_STATUS, 0); ++ + rdmsrl(MSR_IA32_THERM_STATUS, msr_val); + + /* Check for violation of core thermal thresholds*/ +diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c +index b5e54f2..0d92d0f 100644 +--- a/drivers/acpi/acpi_processor.c ++++ b/drivers/acpi/acpi_processor.c +@@ -491,6 +491,58 @@ static void acpi_processor_remove(struct acpi_device *device) + } + #endif /* CONFIG_ACPI_HOTPLUG_CPU */ + ++#ifdef CONFIG_X86 ++static bool acpi_hwp_native_thermal_lvt_set; ++static acpi_status __init acpi_hwp_native_thermal_lvt_osc(acpi_handle handle, ++ u32 lvl, ++ void *context, ++ void **rv) ++{ ++ u8 sb_uuid_str[] = "4077A616-290C-47BE-9EBD-D87058713953"; ++ u32 capbuf[2]; ++ struct acpi_osc_context osc_context = { ++ .uuid_str = sb_uuid_str, ++ .rev = 1, ++ .cap.length = 8, ++ .cap.pointer = capbuf, ++ }; ++ ++ if (acpi_hwp_native_thermal_lvt_set) ++ return AE_CTRL_TERMINATE; ++ ++ capbuf[0] = 0x0000; ++ capbuf[1] = 0x1000; /* set bit 12 */ ++ ++ if (ACPI_SUCCESS(acpi_run_osc(handle, &osc_context))) { ++ if (osc_context.ret.pointer && osc_context.ret.length > 1) { ++ u32 *capbuf_ret = osc_context.ret.pointer; ++ ++ if (capbuf_ret[1] & 0x1000) { ++ acpi_handle_info(handle, ++ "_OSC native thermal LVT Acked\n"); ++ acpi_hwp_native_thermal_lvt_set = true; ++ } ++ } ++ kfree(osc_context.ret.pointer); ++ } ++ ++ return AE_OK; ++} ++ ++void __init acpi_early_processor_osc(void) ++{ ++ if (boot_cpu_has(X86_FEATURE_HWP)) { ++ acpi_walk_namespace(ACPI_TYPE_PROCESSOR, ACPI_ROOT_OBJECT, ++ ACPI_UINT32_MAX, ++ acpi_hwp_native_thermal_lvt_osc, ++ NULL, NULL, NULL); ++ acpi_get_devices(ACPI_PROCESSOR_DEVICE_HID, ++ acpi_hwp_native_thermal_lvt_osc, ++ NULL, NULL); ++ } ++} ++#endif ++ + /* + * The following ACPI IDs are known to be suitable for representing as + * processor devices. +diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c +index 891c42d..f9081b7 100644 +--- a/drivers/acpi/bus.c ++++ b/drivers/acpi/bus.c +@@ -1005,6 +1005,9 @@ static int __init acpi_bus_init(void) + goto error1; + } + ++ /* Set capability bits for _OSC under processor scope */ ++ acpi_early_processor_osc(); ++ + /* + * _OSC method may exist in module level code, + * so it must be run after ACPI_FULL_INITIALIZATION +diff --git a/drivers/acpi/internal.h b/drivers/acpi/internal.h +index 1e6833a..6f41c73 100644 +--- a/drivers/acpi/internal.h ++++ b/drivers/acpi/internal.h +@@ -138,6 +138,12 @@ void acpi_early_processor_set_pdc(void); + static inline void acpi_early_processor_set_pdc(void) {} + #endif + ++#ifdef CONFIG_X86 ++void acpi_early_processor_osc(void); ++#else ++static inline void acpi_early_processor_osc(void) {} ++#endif ++ + /* -------------------------------------------------------------------------- + Embedded Controller + -------------------------------------------------------------------------- */ +-- +2.5.5 + diff --git a/0001-uas-Limit-qdepth-at-the-scsi-host-level.patch b/0001-uas-Limit-qdepth-at-the-scsi-host-level.patch deleted file mode 100644 index b6c446829..000000000 --- a/0001-uas-Limit-qdepth-at-the-scsi-host-level.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 79abe2bd501d628b165f323098d6972d69bd13d7 Mon Sep 17 00:00:00 2001 -From: Hans de Goede <hdegoede@redhat.com> -Date: Wed, 16 Mar 2016 13:20:51 +0100 -Subject: [PATCH] uas: Limit qdepth at the scsi-host level - -Commit 64d513ac31bd ("scsi: use host wide tags by default") causes -the scsi-core to queue more cmnds then we can handle on devices with -multiple LUNs, limit the qdepth at the scsi-host level instead of -per slave to fix this. - -BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1315013 -Cc: stable@vger.kernel.org # 4.4.x and 4.5.x -Signed-off-by: Hans de Goede <hdegoede@redhat.com> ---- - drivers/usb/storage/uas.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c -index c90a7e4..b5cb7ab 100644 ---- a/drivers/usb/storage/uas.c -+++ b/drivers/usb/storage/uas.c -@@ -800,7 +800,6 @@ static int uas_slave_configure(struct scsi_device *sdev) - if (devinfo->flags & US_FL_BROKEN_FUA) - sdev->broken_fua = 1; - -- scsi_change_queue_depth(sdev, devinfo->qdepth - 2); - return 0; - } - -@@ -932,6 +931,12 @@ static int uas_probe(struct usb_interface *intf, const struct usb_device_id *id) - if (result) - goto set_alt0; - -+ /* -+ * 1 tag is reserved for untagged commands + -+ * 1 tag to avoid of by one errors in some bridge firmwares -+ */ -+ shost->can_queue = devinfo->qdepth - 2; -+ - usb_set_intfdata(intf, shost); - result = scsi_add_host(shost, &intf->dev); - if (result) --- -2.7.3 - diff --git a/HID-wacom-fix-Bamboo-ONE-oops.patch b/HID-wacom-fix-Bamboo-ONE-oops.patch deleted file mode 100644 index 09e83179a..000000000 --- a/HID-wacom-fix-Bamboo-ONE-oops.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 580549ef6b3e3fb3b958de490ca99f43a089a2cf Mon Sep 17 00:00:00 2001 -From: Benjamin Tissoires <benjamin.tissoires@redhat.com> -Date: Fri, 25 Mar 2016 15:26:55 +0100 -Subject: [PATCH] HID: wacom: fix Bamboo ONE oops - -Looks like recent changes in the Wacom driver made the Bamboo ONE crashes. -The tablet behaves as if it was a regular Bamboo device with pen, touch -and pad, but there is no physical pad connected to it. -The weird part is that the pad is still sending events and given that -there is no input node connected to it, we get anull pointer exception. - -Link: https://bugzilla.redhat.com/show_bug.cgi?id=1317116 - -Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> -Acked-by: Ping Cheng <pingc@wacom.com> -Cc: stable@vger.kernel.org -Signed-off-by: Jiri Kosina <jkosina@suse.cz> ---- - drivers/hid/wacom_wac.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c -index bd198bbd4df0..02c4efea241c 100644 ---- a/drivers/hid/wacom_wac.c -+++ b/drivers/hid/wacom_wac.c -@@ -2426,6 +2426,17 @@ void wacom_setup_device_quirks(struct wacom *wacom) - } - - /* -+ * Hack for the Bamboo One: -+ * the device presents a PAD/Touch interface as most Bamboos and even -+ * sends ghosts PAD data on it. However, later, we must disable this -+ * ghost interface, and we can not detect it unless we set it here -+ * to WACOM_DEVICETYPE_PAD or WACOM_DEVICETYPE_TOUCH. -+ */ -+ if (features->type == BAMBOO_PEN && -+ features->pktlen == WACOM_PKGLEN_BBTOUCH3) -+ features->device_type |= WACOM_DEVICETYPE_PAD; -+ -+ /* - * Raw Wacom-mode pen and touch events both come from interface - * 0, whose HID descriptor has an application usage of 0xFF0D - * (i.e., WACOM_VENDORDEFINED_PEN). We route pen packets back --- -2.5.5 - diff --git a/USB-usbip-fix-potential-out-of-bounds-write.patch b/USB-usbip-fix-potential-out-of-bounds-write.patch new file mode 100644 index 000000000..3d9f7c294 --- /dev/null +++ b/USB-usbip-fix-potential-out-of-bounds-write.patch @@ -0,0 +1,45 @@ +From b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb Mon Sep 17 00:00:00 2001 +From: Ignat Korchagin <ignat.korchagin@gmail.com> +Date: Thu, 17 Mar 2016 18:00:29 +0000 +Subject: [PATCH] USB: usbip: fix potential out-of-bounds write + +Fix potential out-of-bounds write to urb->transfer_buffer +usbip handles network communication directly in the kernel. When receiving a +packet from its peer, usbip code parses headers according to protocol. As +part of this parsing urb->actual_length is filled. Since the input for +urb->actual_length comes from the network, it should be treated as untrusted. +Any entity controlling the network may put any value in the input and the +preallocated urb->transfer_buffer may not be large enough to hold the data. +Thus, the malicious entity is able to write arbitrary data to kernel memory. + +Signed-off-by: Ignat Korchagin <ignat.korchagin@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/usb/usbip/usbip_common.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c +index facaaf003f19..e40da7759a0e 100644 +--- a/drivers/usb/usbip/usbip_common.c ++++ b/drivers/usb/usbip/usbip_common.c +@@ -741,6 +741,17 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb) + if (!(size > 0)) + return 0; + ++ if (size > urb->transfer_buffer_length) { ++ /* should not happen, probably malicious packet */ ++ if (ud->side == USBIP_STUB) { ++ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); ++ return 0; ++ } else { ++ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP); ++ return -EPIPE; ++ } ++ } ++ + ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size); + if (ret != size) { + dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret); +-- +2.5.5 + diff --git a/antenna_select.patch b/antenna_select.patch new file mode 100644 index 000000000..15763e9bc --- /dev/null +++ b/antenna_select.patch @@ -0,0 +1,227 @@ +From c18d8f5095715c56bb3cd9cba64242542632054b Mon Sep 17 00:00:00 2001 +From: Larry Finger <Larry.Finger@lwfinger.net> +Date: Wed, 16 Mar 2016 13:33:34 -0500 +Subject: rtlwifi: rtl8723be: Add antenna select module parameter + +A number of new laptops have been delivered with only a single antenna. +In principle, this is OK; however, a problem arises when the on-board +EEPROM is programmed to use the other antenna connection. The option +of opening the computer and moving the connector is not always possible +as it will void the warranty in some cases. In addition, this solution +breaks the Windows driver when the box dual boots Linux and Windows. + +A fix involving a new module parameter has been developed. This commit +adds the new parameter and implements the changes needed for the driver. + +Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> +Cc: Stable <stable@vger.kernel.org> [V4.0+] +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c | 5 +++++ + drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c | 3 +++ + drivers/net/wireless/realtek/rtlwifi/wifi.h | 3 +++ + 3 files changed, 11 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c +index c983d2f..5a3df91 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c +@@ -2684,6 +2684,7 @@ void rtl8723be_read_bt_coexist_info_from_hwpg(struct ieee80211_hw *hw, + bool auto_load_fail, u8 *hwinfo) + { + struct rtl_priv *rtlpriv = rtl_priv(hw); ++ struct rtl_mod_params *mod_params = rtlpriv->cfg->mod_params; + u8 value; + u32 tmpu_32; + +@@ -2702,6 +2703,10 @@ void rtl8723be_read_bt_coexist_info_from_hwpg(struct ieee80211_hw *hw, + rtlpriv->btcoexist.btc_info.ant_num = ANT_X2; + } + ++ /* override ant_num / ant_path */ ++ if (mod_params->ant_sel) ++ rtlpriv->btcoexist.btc_info.ant_num = ++ (mod_params->ant_sel == 1 ? ANT_X2 : ANT_X1); + } + + void rtl8723be_bt_reg_init(struct ieee80211_hw *hw) +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c +index a78eaed..2101793 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c +@@ -273,6 +273,7 @@ static struct rtl_mod_params rtl8723be_mod_params = { + .msi_support = false, + .disable_watchdog = false, + .debug = DBG_EMERG, ++ .ant_sel = 0, + }; + + static struct rtl_hal_cfg rtl8723be_hal_cfg = { +@@ -394,6 +395,7 @@ module_param_named(fwlps, rtl8723be_mod_params.fwctrl_lps, bool, 0444); + module_param_named(msi, rtl8723be_mod_params.msi_support, bool, 0444); + module_param_named(disable_watchdog, rtl8723be_mod_params.disable_watchdog, + bool, 0444); ++module_param_named(ant_sel, rtl8723be_mod_params.ant_sel, int, 0444); + MODULE_PARM_DESC(swenc, "Set to 1 for software crypto (default 0)\n"); + MODULE_PARM_DESC(ips, "Set to 0 to not use link power save (default 1)\n"); + MODULE_PARM_DESC(swlps, "Set to 1 to use SW control power save (default 0)\n"); +@@ -402,6 +404,7 @@ MODULE_PARM_DESC(msi, "Set to 1 to use MSI interrupts mode (default 0)\n"); + MODULE_PARM_DESC(debug, "Set debug level (0-5) (default 0)"); + MODULE_PARM_DESC(disable_watchdog, + "Set to 1 to disable the watchdog (default 0)\n"); ++MODULE_PARM_DESC(ant_sel, "Set to 1 or 2 to force antenna number (default 0)\n"); + + static SIMPLE_DEV_PM_OPS(rtlwifi_pm_ops, rtl_pci_suspend, rtl_pci_resume); + +diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h +index 554d814..93bd7fc 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h ++++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h +@@ -2246,6 +2246,9 @@ struct rtl_mod_params { + + /* default 0: 1 means do not disable interrupts */ + bool int_clear; ++ ++ /* select antenna */ ++ int ant_sel; + }; + + struct rtl_hal_usbint_cfg { +-- +cgit v0.12 + +From baa1702290953295e421f0f433e2b1ff4815827c Mon Sep 17 00:00:00 2001 +From: Larry Finger <Larry.Finger@lwfinger.net> +Date: Wed, 16 Mar 2016 13:33:35 -0500 +Subject: rtlwifi: btcoexist: Implement antenna selection + +The previous patch added an option to rtl8723be to manually select the +antenna for those cases when only a single antenna is present, and the +on-board EEPROM is incorrectly programmed. This patch implements the +necessary changes in the Bluetooth coexistence driver. + +Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> +Cc: Stable <stable@vger.kernel.org> [V4.0+] +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + .../realtek/rtlwifi/btcoexist/halbtc8723b2ant.c | 9 ++++++-- + .../realtek/rtlwifi/btcoexist/halbtcoutsrc.c | 27 +++++++++++++++++++++- + .../realtek/rtlwifi/btcoexist/halbtcoutsrc.h | 2 +- + .../wireless/realtek/rtlwifi/btcoexist/rtl_btc.c | 5 +++- + 4 files changed, 38 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtc8723b2ant.c b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtc8723b2ant.c +index c43ab59..77cbd10 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtc8723b2ant.c ++++ b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtc8723b2ant.c +@@ -1203,7 +1203,6 @@ static void btc8723b2ant_set_ant_path(struct btc_coexist *btcoexist, + + /* Force GNT_BT to low */ + btcoexist->btc_write_1byte_bitmask(btcoexist, 0x765, 0x18, 0x0); +- btcoexist->btc_write_2byte(btcoexist, 0x948, 0x0); + + if (board_info->btdm_ant_pos == BTC_ANTENNA_AT_MAIN_PORT) { + /* tell firmware "no antenna inverse" */ +@@ -1211,19 +1210,25 @@ static void btc8723b2ant_set_ant_path(struct btc_coexist *btcoexist, + h2c_parameter[1] = 1; /* ext switch type */ + btcoexist->btc_fill_h2c(btcoexist, 0x65, 2, + h2c_parameter); ++ btcoexist->btc_write_2byte(btcoexist, 0x948, 0x0); + } else { + /* tell firmware "antenna inverse" */ + h2c_parameter[0] = 1; + h2c_parameter[1] = 1; /* ext switch type */ + btcoexist->btc_fill_h2c(btcoexist, 0x65, 2, + h2c_parameter); ++ btcoexist->btc_write_2byte(btcoexist, 0x948, 0x280); + } + } + + /* ext switch setting */ + if (use_ext_switch) { + /* fixed internal switch S1->WiFi, S0->BT */ +- btcoexist->btc_write_2byte(btcoexist, 0x948, 0x0); ++ if (board_info->btdm_ant_pos == BTC_ANTENNA_AT_MAIN_PORT) ++ btcoexist->btc_write_2byte(btcoexist, 0x948, 0x0); ++ else ++ btcoexist->btc_write_2byte(btcoexist, 0x948, 0x280); ++ + switch (antpos_type) { + case BTC_ANT_WIFI_AT_MAIN: + /* ext switch main at wifi */ +diff --git a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c +index b2791c8..babd149 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c ++++ b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c +@@ -965,13 +965,38 @@ void exhalbtc_set_chip_type(u8 chip_type) + } + } + +-void exhalbtc_set_ant_num(u8 type, u8 ant_num) ++void exhalbtc_set_ant_num(struct rtl_priv *rtlpriv, u8 type, u8 ant_num) + { + if (BT_COEX_ANT_TYPE_PG == type) { + gl_bt_coexist.board_info.pg_ant_num = ant_num; + gl_bt_coexist.board_info.btdm_ant_num = ant_num; ++ /* The antenna position: ++ * Main (default) or Aux for pgAntNum=2 && btdmAntNum =1. ++ * The antenna position should be determined by ++ * auto-detect mechanism. ++ * The following is assumed to main, ++ * and those must be modified ++ * if y auto-detect mechanism is ready ++ */ ++ if ((gl_bt_coexist.board_info.pg_ant_num == 2) && ++ (gl_bt_coexist.board_info.btdm_ant_num == 1)) ++ gl_bt_coexist.board_info.btdm_ant_pos = ++ BTC_ANTENNA_AT_MAIN_PORT; ++ else ++ gl_bt_coexist.board_info.btdm_ant_pos = ++ BTC_ANTENNA_AT_MAIN_PORT; + } else if (BT_COEX_ANT_TYPE_ANTDIV == type) { + gl_bt_coexist.board_info.btdm_ant_num = ant_num; ++ gl_bt_coexist.board_info.btdm_ant_pos = ++ BTC_ANTENNA_AT_MAIN_PORT; ++ } else if (type == BT_COEX_ANT_TYPE_DETECTED) { ++ gl_bt_coexist.board_info.btdm_ant_num = ant_num; ++ if (rtlpriv->cfg->mod_params->ant_sel == 1) ++ gl_bt_coexist.board_info.btdm_ant_pos = ++ BTC_ANTENNA_AT_AUX_PORT; ++ else ++ gl_bt_coexist.board_info.btdm_ant_pos = ++ BTC_ANTENNA_AT_MAIN_PORT; + } + } + +diff --git a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.h b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.h +index 0a903ea..f41ca57 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.h ++++ b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.h +@@ -535,7 +535,7 @@ void exhalbtc_set_bt_patch_version(u16 bt_hci_version, u16 bt_patch_version); + void exhalbtc_update_min_bt_rssi(char bt_rssi); + void exhalbtc_set_bt_exist(bool bt_exist); + void exhalbtc_set_chip_type(u8 chip_type); +-void exhalbtc_set_ant_num(u8 type, u8 ant_num); ++void exhalbtc_set_ant_num(struct rtl_priv *rtlpriv, u8 type, u8 ant_num); + void exhalbtc_display_bt_coex_info(struct btc_coexist *btcoexist); + void exhalbtc_signal_compensation(struct btc_coexist *btcoexist, + u8 *rssi_wifi, u8 *rssi_bt); +diff --git a/drivers/net/wireless/realtek/rtlwifi/btcoexist/rtl_btc.c b/drivers/net/wireless/realtek/rtlwifi/btcoexist/rtl_btc.c +index b9b0cb7..d3fd921 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/btcoexist/rtl_btc.c ++++ b/drivers/net/wireless/realtek/rtlwifi/btcoexist/rtl_btc.c +@@ -72,7 +72,10 @@ void rtl_btc_init_hal_vars(struct rtl_priv *rtlpriv) + __func__, bt_type); + exhalbtc_set_chip_type(bt_type); + +- exhalbtc_set_ant_num(BT_COEX_ANT_TYPE_PG, ant_num); ++ if (rtlpriv->cfg->mod_params->ant_sel == 1) ++ exhalbtc_set_ant_num(rtlpriv, BT_COEX_ANT_TYPE_DETECTED, 1); ++ else ++ exhalbtc_set_ant_num(rtlpriv, BT_COEX_ANT_TYPE_PG, ant_num); + } + + void rtl_btc_init_hw_config(struct rtl_priv *rtlpriv) +-- +cgit v0.12 + diff --git a/arm-fix-idiv.patch b/arm-fix-idiv.patch deleted file mode 100644 index 26eac32d8..000000000 --- a/arm-fix-idiv.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 208fae5c3b9431013ad7bcea07cbcee114e7d163 Mon Sep 17 00:00:00 2001 -From: Nicolas Pitre <nicolas.pitre@linaro.org> -Date: Mon, 14 Mar 2016 02:55:45 +0100 -Subject: ARM: 8550/1: protect idiv patching against undefined gcc behavior - -It was reported that a kernel with CONFIG_ARM_PATCH_IDIV=y stopped -booting when compiled with the upcoming gcc 6. Turns out that turning -a function address into a writable array is undefined and gcc 6 decided -it was OK to omit the store to the first word of the function while -still preserving the store to the second word. - -Even though gcc 6 is now fixed to behave more coherently, it is a -mystery that gcc 4 and gcc 5 actually produce wanted code in the kernel. -And in fact the reduced test case to illustrate the issue does indeed -break with gcc < 6 as well. - -In any case, let's guard the kernel against undefined compiler behavior -by hiding the nature of the array location as suggested by gcc -developers. - -Reference: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70128 - -Signed-off-by: Nicolas Pitre <nico@linaro.org> -Reported-by: Marcin Juszkiewicz <mjuszkiewicz@redhat.com> -Cc: Arnd Bergmann <arnd@arndb.de> -Cc: stable@vger.kernel.org # v4.5 -Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> ---- - arch/arm/kernel/setup.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c -index 139791e..a28fce0 100644 ---- a/arch/arm/kernel/setup.c -+++ b/arch/arm/kernel/setup.c -@@ -430,11 +430,13 @@ static void __init patch_aeabi_idiv(void) - pr_info("CPU: div instructions available: patching division code\n"); - - fn_addr = ((uintptr_t)&__aeabi_uidiv) & ~1; -+ asm ("" : "+g" (fn_addr)); - ((u32 *)fn_addr)[0] = udiv_instruction(); - ((u32 *)fn_addr)[1] = bx_lr_instruction(); - flush_icache_range(fn_addr, fn_addr + 8); - - fn_addr = ((uintptr_t)&__aeabi_idiv) & ~1; -+ asm ("" : "+g" (fn_addr)); - ((u32 *)fn_addr)[0] = sdiv_instruction(); - ((u32 *)fn_addr)[1] = bx_lr_instruction(); - flush_icache_range(fn_addr, fn_addr + 8); --- -cgit v0.12 - diff --git a/drm-udl-Use-unlocked-gem-unreferencing.patch b/drm-udl-Use-unlocked-gem-unreferencing.patch deleted file mode 100644 index e2dbabe83..000000000 --- a/drm-udl-Use-unlocked-gem-unreferencing.patch +++ /dev/null @@ -1,58 +0,0 @@ -From patchwork Mon Nov 23 09:32:42 2015 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [09/29] drm/udl: Use unlocked gem unreferencing -From: Daniel Vetter <daniel.vetter@ffwll.ch> -X-Patchwork-Id: 65722 -Message-Id: <1448271183-20523-10-git-send-email-daniel.vetter@ffwll.ch> -To: DRI Development <dri-devel@lists.freedesktop.org> -Cc: Daniel Vetter <daniel.vetter@intel.com>, - Daniel Vetter <daniel.vetter@ffwll.ch>, - Intel Graphics Development <intel-gfx@lists.freedesktop.org>, - Dave Airlie <airlied@redhat.com> -Date: Mon, 23 Nov 2015 10:32:42 +0100 - -For drm_gem_object_unreference callers are required to hold -dev->struct_mutex, which these paths don't. Enforcing this requirement -has become a bit more strict with - -commit ef4c6270bf2867e2f8032e9614d1a8cfc6c71663 -Author: Daniel Vetter <daniel.vetter@ffwll.ch> -Date: Thu Oct 15 09:36:25 2015 +0200 - - drm/gem: Check locking in drm_gem_object_unreference - -Cc: Dave Airlie <airlied@redhat.com> -Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> ---- - drivers/gpu/drm/udl/udl_fb.c | 2 +- - drivers/gpu/drm/udl/udl_gem.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c -index 200419d4d43c..18a2acbccb7d 100644 ---- a/drivers/gpu/drm/udl/udl_fb.c -+++ b/drivers/gpu/drm/udl/udl_fb.c -@@ -538,7 +538,7 @@ static int udlfb_create(struct drm_fb_helper *helper, - out_destroy_fbi: - drm_fb_helper_release_fbi(helper); - out_gfree: -- drm_gem_object_unreference(&ufbdev->ufb.obj->base); -+ drm_gem_object_unreference_unlocked(&ufbdev->ufb.obj->base); - out: - return ret; - } -diff --git a/drivers/gpu/drm/udl/udl_gem.c b/drivers/gpu/drm/udl/udl_gem.c -index 2a0a784ab6ee..d7528e0d8442 100644 ---- a/drivers/gpu/drm/udl/udl_gem.c -+++ b/drivers/gpu/drm/udl/udl_gem.c -@@ -52,7 +52,7 @@ udl_gem_create(struct drm_file *file, - return ret; - } - -- drm_gem_object_unreference(&obj->base); -+ drm_gem_object_unreference_unlocked(&obj->base); - *handle_p = handle; - return 0; - } diff --git a/ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch b/ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch deleted file mode 100644 index 48e4762e3..000000000 --- a/ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch +++ /dev/null @@ -1,97 +0,0 @@ -From fbd40ea0180a2d328c5adc61414dc8bab9335ce2 Mon Sep 17 00:00:00 2001 -From: "David S. Miller" <davem@davemloft.net> -Date: Sun, 13 Mar 2016 23:28:00 -0400 -Subject: ipv4: Don't do expensive useless work during inetdev destroy. - -When an inetdev is destroyed, every address assigned to the interface -is removed. And in this scenerio we do two pointless things which can -be very expensive if the number of assigned interfaces is large: - -1) Address promotion. We are deleting all addresses, so there is no - point in doing this. - -2) A full nf conntrack table purge for every address. We only need to - do this once, as is already caught by the existing - masq_dev_notifier so masq_inet_event() can skip this. - -Reported-by: Solar Designer <solar@openwall.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Tested-by: Cyrill Gorcunov <gorcunov@openvz.org> ---- - net/ipv4/devinet.c | 4 ++++ - net/ipv4/fib_frontend.c | 4 ++++ - net/ipv4/netfilter/nf_nat_masquerade_ipv4.c | 12 ++++++++++-- - 3 files changed, 18 insertions(+), 2 deletions(-) - -diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c -index 65e76a4..e333bc8 100644 ---- a/net/ipv4/devinet.c -+++ b/net/ipv4/devinet.c -@@ -334,6 +334,9 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap, - - ASSERT_RTNL(); - -+ if (in_dev->dead) -+ goto no_promotions; -+ - /* 1. Deleting primary ifaddr forces deletion all secondaries - * unless alias promotion is set - **/ -@@ -380,6 +383,7 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap, - fib_del_ifaddr(ifa, ifa1); - } - -+no_promotions: - /* 2. Unlink it */ - - *ifap = ifa1->ifa_next; -diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c -index 4734475..21add55 100644 ---- a/net/ipv4/fib_frontend.c -+++ b/net/ipv4/fib_frontend.c -@@ -922,6 +922,9 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim) - subnet = 1; - } - -+ if (in_dev->dead) -+ goto no_promotions; -+ - /* Deletion is more complicated than add. - * We should take care of not to delete too much :-) - * -@@ -997,6 +1000,7 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim) - } - } - -+no_promotions: - if (!(ok & BRD_OK)) - fib_magic(RTM_DELROUTE, RTN_BROADCAST, ifa->ifa_broadcast, 32, prim); - if (subnet && ifa->ifa_prefixlen < 31) { -diff --git a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c -index c6eb421..ea91058 100644 ---- a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c -+++ b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c -@@ -108,10 +108,18 @@ static int masq_inet_event(struct notifier_block *this, - unsigned long event, - void *ptr) - { -- struct net_device *dev = ((struct in_ifaddr *)ptr)->ifa_dev->dev; -+ struct in_device *idev = ((struct in_ifaddr *)ptr)->ifa_dev; - struct netdev_notifier_info info; - -- netdev_notifier_info_init(&info, dev); -+ /* The masq_dev_notifier will catch the case of the device going -+ * down. So if the inetdev is dead and being destroyed we have -+ * no work to do. Otherwise this is an individual address removal -+ * and we have to perform the flush. -+ */ -+ if (idev->dead) -+ return NOTIFY_DONE; -+ -+ netdev_notifier_info_init(&info, idev->dev); - return masq_device_event(this, event, &info); - } - --- -cgit v0.12 - diff --git a/kernel.spec b/kernel.spec index 496603e18..b34bb1222 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,12 +54,12 @@ Summary: The Linux kernel ## If this is a released kernel ## %if 0%{?released_kernel} -%define stable_update 1 - - # Is it a -stable RC? %define stable_rc 0 + +# Do we have a -stable update to apply? +%define stable_update 2 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -527,8 +527,6 @@ Patch423: Initial-AllWinner-A64-and-PINE64-support.patch # http://www.spinics.net/lists/arm-kernel/msg493431.html Patch424: efi-arm64-don-t-apply-MEMBLOCK_NOMAP-to-UEFI-memory-map-mapping.patch -Patch425: arm-fix-idiv.patch - # http://patchwork.ozlabs.org/patch/587554/ Patch430: ARM-tegra-usb-no-reset.patch @@ -634,9 +632,6 @@ Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch #rhbz 1286293 Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch -#rhbz 1295646 -Patch621: drm-udl-Use-unlocked-gem-unreferencing.patch - #Required for some persistent memory options Patch641: disable-CONFIG_EXPERT-for-ZONE_DMA.patch @@ -652,20 +647,23 @@ Patch664: netfilter-x_tables-check-for-size-overflow.patch #CVE-2016-3134 rhbz 1317383 1317384 Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch -#CVE-2016-3135 rhbz 1318172 1318270 -Patch666: ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch - -#rhbz 1315013 -Patch679: 0001-uas-Limit-qdepth-at-the-scsi-host-level.patch - #CVE-2016-2187 rhbz 1317017 1317010 Patch686: input-gtco-fix-crash-on-detecting-device-without-end.patch # CVE-2016-3672 rhbz 1324749 1324750 Patch689: x86-mm-32-Enable-full-randomization-on-i386-and-X86_.patch -#rhbz 1317116 -Patch697: HID-wacom-fix-Bamboo-ONE-oops.patch +#rhbz 1309980 +Patch698: 0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch + +# CVE-2016-3961 rhbz 1327219 1323956 +Patch699: x86-xen-suppress-hugetlbfs-in-PV-guests.patch + +# CVE-2016-3955 rhbz 1328478 1328479 +Patch700: USB-usbip-fix-potential-out-of-bounds-write.patch + +#rhbz 1309487 +Patch701: antenna_select.patch # END OF PATCH DEFINITIONS @@ -2191,6 +2189,21 @@ fi # # %changelog +* Wed Apr 20 2016 Laura Abbott <labbott@fedoraproject.org> +- Allow antenna selection for rtl8723be (rhbz 1309487) + +* Wed Apr 20 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.2-300 +- Linux v4.5.2 + +* Tue Apr 19 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-3955 usbip: buffer overflow by trusting length of incoming packets (rhbz 1328478 1328479) + +* Fri Apr 15 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-3961 xen: hugetlbfs use may crash PV guests (rhbz 1327219 1323956) + +* Wed Apr 13 2016 Laura Abbott <labbott@fedoraproject.org> +- Fix for Skylake pstate issues (rhbz 1309980) + * Tue Apr 12 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.1-300 - Linux v4.5.1 diff --git a/rebase-notes.txt b/rebase-notes.txt index 0b077dd37..0d7d76f2d 100644 --- a/rebase-notes.txt +++ b/rebase-notes.txt @@ -2,6 +2,7 @@ Linux 4.5 rebase notes: - Check on status of drm-i915-turn-off-wc-mmaps.patch - Check on status of disabled ZONE_DMA +- Check on status of CONFIG_DW_DMAC_CORE Linux 4.4 rebase notes: @@ -1,3 +1,3 @@ a60d48eee08ec0536d5efb17ca819aef linux-4.5.tar.xz 6f557fe90b800b615c85c2ca04da6154 perf-man-4.5.tar.gz -1df9ff0283c1732ebbf7c55f340a121b patch-4.5.1.xz +19a835c1d16183f629d45779f62d36b6 patch-4.5.2.xz diff --git a/x86-xen-suppress-hugetlbfs-in-PV-guests.patch b/x86-xen-suppress-hugetlbfs-in-PV-guests.patch new file mode 100644 index 000000000..1b7c8f24a --- /dev/null +++ b/x86-xen-suppress-hugetlbfs-in-PV-guests.patch @@ -0,0 +1,70 @@ +From 72c339e0c6d9969e664c2cf63e162753d7d859ae Mon Sep 17 00:00:00 2001 +From: Jan Beulich <jbeulich@suse.com> +Date: Thu, 14 Apr 2016 13:03:47 +0000 +Subject: [PATCH] x86/xen: suppress hugetlbfs in PV guests + +Huge pages are not normally available to PV guests. Not suppressing +hugetlbfs use results in an endless loop of page faults when user mode +code tries to access a hugetlbfs mapped area (since the hypervisor +denies such PTEs to be created, but error indications can't be +propagated out of xen_set_pte_at(), just like for various of its +siblings), and - once killed in an oops like this: + +kernel BUG at .../fs/hugetlbfs/inode.c:428! +invalid opcode: 0000 [#1] SMP +Modules linked in: ... +Supported: Yes +CPU: 2 PID: 6088 Comm: hugetlbfs Tainted: G W 4.4.0-2016-01-20-pv #2 +Hardware name: ... +task: ffff8808059205c0 ti: ffff880803c84000 task.ti: ffff880803c84000 +RIP: e030:[<ffffffff811c333b>] [<ffffffff811c333b>] remove_inode_hugepages+0x25b/0x320 +RSP: e02b:ffff880803c879a8 EFLAGS: 00010202 +RAX: 000000000077a4db RBX: ffffea001acff000 RCX: 0000000078417d38 +RDX: 0000000000000000 RSI: 000000007e154fa7 RDI: ffff880805d70960 +RBP: 0000000000000960 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 +R13: ffff880807486018 R14: 0000000000000000 R15: ffff880803c87af0 +FS: 00007f85fa8b8700(0000) GS:ffff88080b640000(0000) knlGS:0000000000000000 +CS: e033 DS: 0000 ES: 0000 CR0: 000000008005003b +CR2: 00007f85fa000000 CR3: 0000000001a0a000 CR4: 0000000000040660 +Stack: + ffff880000000fb0 ffff880803c87a18 ffff880803c87ae8 ffff8808059205c0 + ffff880803c87af0 ffff880803c87ae8 ffff880807486018 0000000000000000 + ffffffff81bf6e60 ffff880807486168 000003ffffffffff 0000000003c87758 +Call Trace: + [<ffffffff811c3415>] hugetlbfs_evict_inode+0x15/0x40 + [<ffffffff81167b3d>] evict+0xbd/0x1b0 + [<ffffffff8116514a>] __dentry_kill+0x19a/0x1f0 + [<ffffffff81165b0e>] dput+0x1fe/0x220 + [<ffffffff81150535>] __fput+0x155/0x200 + [<ffffffff81079fc0>] task_work_run+0x60/0xa0 + [<ffffffff81063510>] do_exit+0x160/0x400 + [<ffffffff810637eb>] do_group_exit+0x3b/0xa0 + [<ffffffff8106e8bd>] get_signal+0x1ed/0x470 + [<ffffffff8100f854>] do_signal+0x14/0x110 + [<ffffffff810030e9>] prepare_exit_to_usermode+0xe9/0xf0 + [<ffffffff814178a5>] retint_user+0x8/0x13 + +This is XSA-174. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Cc: stable@vger.kernel.org +--- + arch/x86/include/asm/hugetlb.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/include/asm/hugetlb.h b/arch/x86/include/asm/hugetlb.h +index f8a29d2c97b0..e6a8613fbfb0 100644 +--- a/arch/x86/include/asm/hugetlb.h ++++ b/arch/x86/include/asm/hugetlb.h +@@ -4,6 +4,7 @@ + #include <asm/page.h> + #include <asm-generic/hugetlb.h> + ++#define hugepages_supported() cpu_has_pse + + static inline int is_hugepage_only_range(struct mm_struct *mm, + unsigned long addr, +-- +2.5.5 + |