--- /dev/null
+From 4a07083ed613644c96c34a7dd2853dc5d7c70902 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 1 Apr 2016 12:28:16 +0200
+Subject: ALSA: timer: Use mod_timer() for rearming the system timer
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 4a07083ed613644c96c34a7dd2853dc5d7c70902 upstream.
+
+ALSA system timer backend stops the timer via del_timer() without sync
+and leaves del_timer_sync() at the close instead. This is because of
+the restriction by the design of ALSA timer: namely, the stop callback
+may be called from the timer handler, and calling the sync shall lead
+to a hangup. However, this also triggers a kernel BUG() when the
+timer is rearmed immediately after stopping without sync:
+ kernel BUG at kernel/time/timer.c:966!
+ Call Trace:
+ <IRQ>
+ [<ffffffff8239c94e>] snd_timer_s_start+0x13e/0x1a0
+ [<ffffffff8239e1f4>] snd_timer_interrupt+0x504/0xec0
+ [<ffffffff8122fca0>] ? debug_check_no_locks_freed+0x290/0x290
+ [<ffffffff8239ec64>] snd_timer_s_function+0xb4/0x120
+ [<ffffffff81296b72>] call_timer_fn+0x162/0x520
+ [<ffffffff81296add>] ? call_timer_fn+0xcd/0x520
+ [<ffffffff8239ebb0>] ? snd_timer_interrupt+0xec0/0xec0
+ ....
+
+It's the place where add_timer() checks the pending timer. It's clear
+that this may happen after the immediate restart without sync in our
+cases.
+
+So, the workaround here is just to use mod_timer() instead of
+add_timer(). This looks like a band-aid fix, but it's a right move,
+as snd_timer_interrupt() takes care of the continuous rearm of timer.
+
+Reported-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1012,8 +1012,8 @@ static int snd_timer_s_start(struct snd_
+ njiff += timer->sticks - priv->correction;
+ priv->correction = 0;
+ }
+- priv->last_expires = priv->tlist.expires = njiff;
+- add_timer(&priv->tlist);
++ priv->last_expires = njiff;
++ mod_timer(&priv->tlist, njiff);
+ return 0;
+ }
+
--- /dev/null
+From 3c2e2266a5bd2d1cef258e6e54dca1d99946379f Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Sat, 26 Mar 2016 12:28:05 -0700
+Subject: hwmon: (max1111) Return -ENODEV from max1111_read_channel if not instantiated
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 3c2e2266a5bd2d1cef258e6e54dca1d99946379f upstream.
+
+arm:pxa_defconfig can result in the following crash if the max1111 driver
+is not instantiated.
+
+Unhandled fault: page domain fault (0x01b) at 0x00000000
+pgd = c0004000
+[00000000] *pgd=00000000
+Internal error: : 1b [#1] PREEMPT ARM
+Modules linked in:
+CPU: 0 PID: 300 Comm: kworker/0:1 Not tainted 4.5.0-01301-g1701f680407c #10
+Hardware name: SHARP Akita
+Workqueue: events sharpsl_charge_toggle
+task: c390a000 ti: c391e000 task.ti: c391e000
+PC is at max1111_read_channel+0x20/0x30
+LR is at sharpsl_pm_pxa_read_max1111+0x2c/0x3c
+pc : [<c03aaab0>] lr : [<c0024b50>] psr: 20000013
+...
+[<c03aaab0>] (max1111_read_channel) from [<c0024b50>]
+ (sharpsl_pm_pxa_read_max1111+0x2c/0x3c)
+[<c0024b50>] (sharpsl_pm_pxa_read_max1111) from [<c00262e0>]
+ (spitzpm_read_devdata+0x5c/0xc4)
+[<c00262e0>] (spitzpm_read_devdata) from [<c0024094>]
+ (sharpsl_check_battery_temp+0x78/0x110)
+[<c0024094>] (sharpsl_check_battery_temp) from [<c0024f9c>]
+ (sharpsl_charge_toggle+0x48/0x110)
+[<c0024f9c>] (sharpsl_charge_toggle) from [<c004429c>]
+ (process_one_work+0x14c/0x48c)
+[<c004429c>] (process_one_work) from [<c0044618>] (worker_thread+0x3c/0x5d4)
+[<c0044618>] (worker_thread) from [<c004a238>] (kthread+0xd0/0xec)
+[<c004a238>] (kthread) from [<c000a670>] (ret_from_fork+0x14/0x24)
+
+This can occur because the SPI controller driver (SPI_PXA2XX) is built as
+module and thus not necessarily loaded. While building SPI_PXA2XX into the
+kernel would make the problem disappear, it appears prudent to ensure that
+the driver is instantiated before accessing its data structures.
+
+Cc: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/max1111.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/hwmon/max1111.c
++++ b/drivers/hwmon/max1111.c
+@@ -85,6 +85,9 @@ static struct max1111_data *the_max1111;
+
+ int max1111_read_channel(int channel)
+ {
++ if (!the_max1111 || !the_max1111->spi)
++ return -ENODEV;
++
+ return max1111_read(&the_max1111->spi->dev, channel);
+ }
+ EXPORT_SYMBOL(max1111_read_channel);
+@@ -260,6 +263,9 @@ static int max1111_remove(struct spi_dev
+ {
+ struct max1111_data *data = spi_get_drvdata(spi);
+
++#ifdef CONFIG_SHARPSL_PM
++ the_max1111 = NULL;
++#endif
+ hwmon_device_unregister(data->hwmon_dev);
+ sysfs_remove_group(&spi->dev.kobj, &max1110_attr_group);
+ sysfs_remove_group(&spi->dev.kobj, &max1111_attr_group);
--- /dev/null
+From 6f25a14a7053b69917e2ebea0d31dd444cd31fd5 Mon Sep 17 00:00:00 2001
+From: Xishi Qiu <qiuxishi@huawei.com>
+Date: Fri, 1 Apr 2016 14:31:20 -0700
+Subject: mm: fix invalid node in alloc_migrate_target()
+
+From: Xishi Qiu <qiuxishi@huawei.com>
+
+commit 6f25a14a7053b69917e2ebea0d31dd444cd31fd5 upstream.
+
+It is incorrect to use next_node to find a target node, it will return
+MAX_NUMNODES or invalid node. This will lead to crash in buddy system
+allocation.
+
+Fixes: c8721bbbdd36 ("mm: memory-hotplug: enable memory hotplug to handle hugepage")
+Signed-off-by: Xishi Qiu <qiuxishi@huawei.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: Joonsoo Kim <js1304@gmail.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: "Laura Abbott" <lauraa@codeaurora.org>
+Cc: Hui Zhu <zhuhui@xiaomi.com>
+Cc: Wang Xiaoqiang <wangxq10@lzu.edu.cn>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page_isolation.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/mm/page_isolation.c
++++ b/mm/page_isolation.c
+@@ -259,11 +259,11 @@ struct page *alloc_migrate_target(struct
+ * now as a simple work-around, we use the next node for destination.
+ */
+ if (PageHuge(page)) {
+- nodemask_t src = nodemask_of_node(page_to_nid(page));
+- nodemask_t dst;
+- nodes_complement(dst, src);
++ int node = next_online_node(page_to_nid(page));
++ if (node == MAX_NUMNODES)
++ node = first_online_node;
+ return alloc_huge_page_node(page_hstate(compound_head(page)),
+- next_node(page_to_nid(page), dst));
++ node);
+ }
+
+ if (PageHighMem(page))
--- /dev/null
+From e3893027a300927049efc1572f852201eb785142 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Fri, 8 Apr 2016 18:11:33 +0200
+Subject: parisc: Avoid function pointers for kernel exception routines
+
+From: Helge Deller <deller@gmx.de>
+
+commit e3893027a300927049efc1572f852201eb785142 upstream.
+
+We want to avoid the kernel module loader to create function pointers
+for the kernel fixup routines of get_user() and put_user(). Changing
+the external reference from function type to int type fixes this.
+
+This unbreaks exception handling for get_user() and put_user() when
+called from a kernel module.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/parisc_ksyms.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/parisc/kernel/parisc_ksyms.c
++++ b/arch/parisc/kernel/parisc_ksyms.c
+@@ -47,11 +47,11 @@ EXPORT_SYMBOL(__cmpxchg_u64);
+ EXPORT_SYMBOL(lclear_user);
+ EXPORT_SYMBOL(lstrnlen_user);
+
+-/* Global fixups */
+-extern void fixup_get_user_skip_1(void);
+-extern void fixup_get_user_skip_2(void);
+-extern void fixup_put_user_skip_1(void);
+-extern void fixup_put_user_skip_2(void);
++/* Global fixups - defined as int to avoid creation of function pointers */
++extern int fixup_get_user_skip_1;
++extern int fixup_get_user_skip_2;
++extern int fixup_put_user_skip_1;
++extern int fixup_put_user_skip_2;
+ EXPORT_SYMBOL(fixup_get_user_skip_1);
+ EXPORT_SYMBOL(fixup_get_user_skip_2);
+ EXPORT_SYMBOL(fixup_put_user_skip_1);
--- /dev/null
+From ef72f3110d8b19f4c098a0bff7ed7d11945e70c6 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Fri, 8 Apr 2016 18:18:48 +0200
+Subject: parisc: Fix kernel crash with reversed copy_from_user()
+
+From: Helge Deller <deller@gmx.de>
+
+commit ef72f3110d8b19f4c098a0bff7ed7d11945e70c6 upstream.
+
+The kernel module testcase (lib/test_user_copy.c) exhibited a kernel
+crash on parisc if the parameters for copy_from_user were reversed
+("illegal reversed copy_to_user" testcase).
+
+Fix this potential crash by checking the fault handler if the faulting
+address is in the exception table.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/traps.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/parisc/kernel/traps.c
++++ b/arch/parisc/kernel/traps.c
+@@ -802,6 +802,9 @@ void notrace handle_interruption(int cod
+
+ if (fault_space == 0 && !in_atomic())
+ {
++ /* Clean up and return if in exception table. */
++ if (fixup_exception(regs))
++ return;
+ pdc_chassis_send_status(PDC_CHASSIS_DIRECT_PANIC);
+ parisc_terminate("Kernel Fault", regs, code, fault_address);
+ }
--- /dev/null
+hwmon-max1111-return-enodev-from-max1111_read_channel-if-not-instantiated.patch
+parisc-avoid-function-pointers-for-kernel-exception-routines.patch
+parisc-fix-kernel-crash-with-reversed-copy_from_user.patch
+alsa-timer-use-mod_timer-for-rearming-the-system-timer.patch
+mm-fix-invalid-node-in-alloc_migrate_target.patch
--- /dev/null
+hwmon-max1111-return-enodev-from-max1111_read_channel-if-not-instantiated.patch
+pkcs-7-pkcs7_validate_trust-initialize-the-_trusted-output-argument.patch
--- /dev/null
+hwmon-max1111-return-enodev-from-max1111_read_channel-if-not-instantiated.patch
+pkcs-7-pkcs7_validate_trust-initialize-the-_trusted-output-argument.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
