--- /dev/null
+From 8a545f185145e3c09348cd74326268ecfc6715a3 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 13 Jul 2016 13:12:34 +0300
+Subject: hostfs: Freeing an ERR_PTR in hostfs_fill_sb_common()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 8a545f185145e3c09348cd74326268ecfc6715a3 upstream.
+
+We can't pass error pointers to kfree() or it causes an oops.
+
+Fixes: 52b209f7b848 ('get rid of hostfs_read_inode()')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/hostfs/hostfs_kern.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/hostfs/hostfs_kern.c
++++ b/fs/hostfs/hostfs_kern.c
+@@ -959,10 +959,11 @@ static int hostfs_fill_sb_common(struct
+
+ if (S_ISLNK(root_inode->i_mode)) {
+ char *name = follow_link(host_root_path);
+- if (IS_ERR(name))
++ if (IS_ERR(name)) {
+ err = PTR_ERR(name);
+- else
+- err = read_name(root_inode, name);
++ goto out_put;
++ }
++ err = read_name(root_inode, name);
+ kfree(name);
+ if (err)
+ goto out_put;
--- /dev/null
+From 924d8696751c4b9e58263bc82efdafcf875596a6 Mon Sep 17 00:00:00 2001
+From: James Morse <james.morse@arm.com>
+Date: Tue, 16 Aug 2016 10:46:38 +0100
+Subject: PM / hibernate: Fix rtree_next_node() to avoid walking off list ends
+
+From: James Morse <james.morse@arm.com>
+
+commit 924d8696751c4b9e58263bc82efdafcf875596a6 upstream.
+
+rtree_next_node() walks the linked list of leaf nodes to find the next
+block of pages in the struct memory_bitmap. If it walks off the end of
+the list of nodes, it walks the list of memory zones to find the next
+region of memory. If it walks off the end of the list of zones, it
+returns false.
+
+This leaves the struct bm_position's node and zone pointers pointing
+at their respective struct list_heads in struct mem_zone_bm_rtree.
+
+memory_bm_find_bit() uses struct bm_position's node and zone pointers
+to avoid walking lists and trees if the next bit appears in the same
+node/zone. It handles these values being stale.
+
+Swap rtree_next_node()s 'step then test' to 'test-next then step',
+this means if we reach the end of memory we return false and leave
+the node and zone pointers as they were.
+
+This fixes a panic on resume using AMD Seattle with 64K pages:
+[ 6.868732] Freezing user space processes ... (elapsed 0.000 seconds) done.
+[ 6.875753] Double checking all user space processes after OOM killer disable... (elapsed 0.000 seconds)
+[ 6.896453] PM: Using 3 thread(s) for decompression.
+[ 6.896453] PM: Loading and decompressing image data (5339 pages)...
+[ 7.318890] PM: Image loading progress: 0%
+[ 7.323395] Unable to handle kernel paging request at virtual address 00800040
+[ 7.330611] pgd = ffff000008df0000
+[ 7.334003] [00800040] *pgd=00000083fffe0003, *pud=00000083fffe0003, *pmd=00000083fffd0003, *pte=0000000000000000
+[ 7.344266] Internal error: Oops: 96000005 [#1] PREEMPT SMP
+[ 7.349825] Modules linked in:
+[ 7.352871] CPU: 2 PID: 1 Comm: swapper/0 Tainted: G W I 4.8.0-rc1 #4737
+[ 7.360512] Hardware name: AMD Overdrive/Supercharger/Default string, BIOS ROD1002C 04/08/2016
+[ 7.369109] task: ffff8003c0220000 task.stack: ffff8003c0280000
+[ 7.375020] PC is at set_bit+0x18/0x30
+[ 7.378758] LR is at memory_bm_set_bit+0x24/0x30
+[ 7.383362] pc : [<ffff00000835bbc8>] lr : [<ffff0000080faf18>] pstate: 60000045
+[ 7.390743] sp : ffff8003c0283b00
+[ 7.473551]
+[ 7.475031] Process swapper/0 (pid: 1, stack limit = 0xffff8003c0280020)
+[ 7.481718] Stack: (0xffff8003c0283b00 to 0xffff8003c0284000)
+[ 7.800075] Call trace:
+[ 7.887097] [<ffff00000835bbc8>] set_bit+0x18/0x30
+[ 7.891876] [<ffff0000080fb038>] duplicate_memory_bitmap.constprop.38+0x54/0x70
+[ 7.899172] [<ffff0000080fcc40>] snapshot_write_next+0x22c/0x47c
+[ 7.905166] [<ffff0000080fe1b4>] load_image_lzo+0x754/0xa88
+[ 7.910725] [<ffff0000080ff0a8>] swsusp_read+0x144/0x230
+[ 7.916025] [<ffff0000080fa338>] load_image_and_restore+0x58/0x90
+[ 7.922105] [<ffff0000080fa660>] software_resume+0x2f0/0x338
+[ 7.927752] [<ffff000008083350>] do_one_initcall+0x38/0x11c
+[ 7.933314] [<ffff000008b40cc0>] kernel_init_freeable+0x14c/0x1ec
+[ 7.939395] [<ffff0000087ce564>] kernel_init+0x10/0xfc
+[ 7.944520] [<ffff000008082e90>] ret_from_fork+0x10/0x40
+[ 7.949820] Code: d2800022 8b400c21 f9800031 9ac32043 (c85f7c22)
+[ 7.955909] ---[ end trace 0024a5986e6ff323 ]---
+[ 7.960529] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
+
+Here struct mem_zone_bm_rtree's start_pfn has been returned instead of
+struct rtree_node's addr as the node/zone pointers are corrupt after
+we walked off the end of the lists during mark_unsafe_pages().
+
+This behaviour was exposed by commit 6dbecfd345a6 ("PM / hibernate:
+Simplify mark_unsafe_pages()"), which caused mark_unsafe_pages() to call
+duplicate_memory_bitmap(), which uses memory_bm_find_bit() after walking
+off the end of the memory bitmap.
+
+Fixes: 3a20cb177961 (PM / Hibernate: Implement position keeping in radix tree)
+Signed-off-by: James Morse <james.morse@arm.com>
+[ rjw: Subject ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/power/snapshot.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/power/snapshot.c
++++ b/kernel/power/snapshot.c
+@@ -765,9 +765,9 @@ static bool memory_bm_pfn_present(struct
+ */
+ static bool rtree_next_node(struct memory_bitmap *bm)
+ {
+- bm->cur.node = list_entry(bm->cur.node->list.next,
+- struct rtree_node, list);
+- if (&bm->cur.node->list != &bm->cur.zone->leaves) {
++ if (!list_is_last(&bm->cur.node->list, &bm->cur.zone->leaves)) {
++ bm->cur.node = list_entry(bm->cur.node->list.next,
++ struct rtree_node, list);
+ bm->cur.node_pfn += BM_BITS_PER_BLOCK;
+ bm->cur.node_bit = 0;
+ touch_softlockup_watchdog();
+@@ -775,9 +775,9 @@ static bool rtree_next_node(struct memor
+ }
+
+ /* No more nodes, goto next zone */
+- bm->cur.zone = list_entry(bm->cur.zone->list.next,
++ if (!list_is_last(&bm->cur.zone->list, &bm->zones)) {
++ bm->cur.zone = list_entry(bm->cur.zone->list.next,
+ struct mem_zone_bm_rtree, list);
+- if (&bm->cur.zone->list != &bm->zones) {
+ bm->cur.node = list_entry(bm->cur.zone->leaves.next,
+ struct rtree_node, list);
+ bm->cur.node_pfn = 0;
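Review bot: rtree_next_node() now has a contract its callers depend on, that a false return leaves bm->cur.node and bm->cur.zone on the last valid entries, but only the commit message states it. I would add a line to the function's header comment, which ends just above the first hunk, for example `* On false, bm->cur is left untouched so memory_bm_find_bit() can keep using the cached node/zone.` Separately, in the second hunk `list_entry(bm->cur.zone->leaves.next, struct rtree_node, list)` still assumes the next zone has at least one leaf. Whether an empty leaves list can occur is not visible here, but if it can, the result would again be a pointer computed from a list head. The function body continues past the end of the hunk.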
--- /dev/null
+From 62822e2ec4ad091ba31f823f577ef80db52e3c2c Mon Sep 17 00:00:00 2001
+From: Thomas Garnier <thgarnie@google.com>
+Date: Thu, 11 Aug 2016 14:49:29 -0700
+Subject: PM / hibernate: Restore processor state before using per-CPU variables
+
+From: Thomas Garnier <thgarnie@google.com>
+
+commit 62822e2ec4ad091ba31f823f577ef80db52e3c2c upstream.
+
+Restore the processor state before calling any other functions to
+ensure per-CPU variables can be used with KASLR memory randomization.
+
+Tracing functions use per-CPU variables (GS based on x86) and one was
+called just before restoring the processor state fully. It resulted
+in a double fault when both the tracing & the exception handler
+functions tried to use a per-CPU variable.
+
+Fixes: bb3632c6101b (PM / sleep: trace events for suspend/resume)
+Reported-and-tested-by: Borislav Petkov <bp@suse.de>
+Reported-by: Jiri Kosina <jikos@kernel.org>
+Tested-by: Rafael J. Wysocki <rafael@kernel.org>
+Tested-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Thomas Garnier <thgarnie@google.com>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/power/hibernate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -299,12 +299,12 @@ static int create_image(int platform_mod
+ save_processor_state();
+ trace_suspend_resume(TPS("machine_suspend"), PM_EVENT_HIBERNATE, true);
+ error = swsusp_arch_suspend();
++ /* Restore control flow magically appears here */
++ restore_processor_state();
+ trace_suspend_resume(TPS("machine_suspend"), PM_EVENT_HIBERNATE, false);
+ if (error)
+ printk(KERN_ERR "PM: Error %d creating hibernation image\n",
+ error);
+- /* Restore control flow magically appears here */
+- restore_processor_state();
+ if (!in_suspend)
+ events_check_enabled = false;
+
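Review bot: The new ordering in create_image() is only correct while nothing that touches per-CPU data runs between swsusp_arch_suspend() and restore_processor_state(), and the retained comment does not say that. I would extend it to something like `/* Restore control flow magically appears here; per-CPU data (and therefore tracing) is unusable until restore_processor_state() has run */`. That keeps a later change from moving a tracepoint or other instrumented call back above the restore. create_image() starts and ends outside the hunk.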
--- /dev/null
+From 5381cfb6f0422da24cfa9da35b0433c0415830e0 Mon Sep 17 00:00:00 2001
+From: Sven Van Asbroeck <thesven73@gmail.com>
+Date: Fri, 12 Aug 2016 09:10:27 -0400
+Subject: power: supply: max17042_battery: fix model download bug.
+
+From: Sven Van Asbroeck <thesven73@gmail.com>
+
+commit 5381cfb6f0422da24cfa9da35b0433c0415830e0 upstream.
+
+The device's model download function returns the model data as
+an array of u32s, which is later compared to the reference
+model data. However, since the latter is an array of u16s,
+the comparison does not happen correctly, and model verification
+fails. This in turn breaks the POR initialization sequence.
+
+Fixes: 39e7213edc4f3 ("max17042_battery: Support regmap to access device's registers")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Sven Van Asbroeck <TheSven73@googlemail.com>
+Reviewed-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/max17042_battery.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/power/max17042_battery.c
++++ b/drivers/power/max17042_battery.c
+@@ -457,13 +457,16 @@ static inline void max17042_write_model_
+ }
+
+ static inline void max17042_read_model_data(struct max17042_chip *chip,
+- u8 addr, u32 *data, int size)
++ u8 addr, u16 *data, int size)
+ {
+ struct regmap *map = chip->regmap;
+ int i;
++ u32 tmp;
+
+- for (i = 0; i < size; i++)
+- regmap_read(map, addr + i, &data[i]);
++ for (i = 0; i < size; i++) {
++ regmap_read(map, addr + i, &tmp);
++ data[i] = (u16)tmp;
++ }
+ }
+
+ static inline int max17042_model_data_compare(struct max17042_chip *chip,
+@@ -486,7 +489,7 @@ static int max17042_init_model(struct ma
+ {
+ int ret;
+ int table_size = ARRAY_SIZE(chip->pdata->config_data->cell_char_tbl);
+- u32 *temp_data;
++ u16 *temp_data;
+
+ temp_data = kcalloc(table_size, sizeof(*temp_data), GFP_KERNEL);
+ if (!temp_data)
+@@ -501,7 +504,7 @@ static int max17042_init_model(struct ma
+ ret = max17042_model_data_compare(
+ chip,
+ chip->pdata->config_data->cell_char_tbl,
+- (u16 *)temp_data,
++ temp_data,
+ table_size);
+
+ max10742_lock_model(chip);
+@@ -514,7 +517,7 @@ static int max17042_verify_model_lock(st
+ {
+ int i;
+ int table_size = ARRAY_SIZE(chip->pdata->config_data->cell_char_tbl);
+- u32 *temp_data;
++ u16 *temp_data;
+ int ret = 0;
+
+ temp_data = kcalloc(table_size, sizeof(*temp_data), GFP_KERNEL);
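Review bot: In max17042_read_model_data() the return value of regmap_read() is still ignored and the new local `tmp` is uninitialized, so a failed read can store an indeterminate stack value through `data[i] = (u16)tmp;`. Before this change a failed read presumably left the kcalloc()-zeroed slot alone, so the comparison in max17042_init_model() saw zeros rather than stale stack contents. The smallest fix is `u32 tmp = 0;`, or guarding the store with `if (!regmap_read(map, addr + i, &tmp)) data[i] = (u16)tmp;`. Reporting the error to the caller would need the function to stop being void, which is outside this hunk.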
--- /dev/null
+From 33e7664a0af6e9a516f01014f39737aaa119b6d9 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyj.lk@gmail.com>
+Date: Tue, 26 Jul 2016 14:49:04 +0000
+Subject: power_supply: tps65217-charger: fix missing platform_set_drvdata()
+
+From: Wei Yongjun <weiyj.lk@gmail.com>
+
+commit 33e7664a0af6e9a516f01014f39737aaa119b6d9 upstream.
+
+Add missing platform_set_drvdata() in tps65217_charger_probe(), otherwise
+calling platform_get_drvdata() in remove returns NULL.
+
+This is detected by Coccinelle semantic patch.
+
+Fixes: 3636859b280c ("power_supply: Add support for tps65217-charger")
+Signed-off-by: Wei Yongjun <weiyj.lk@gmail.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/tps65217_charger.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/power/tps65217_charger.c
++++ b/drivers/power/tps65217_charger.c
+@@ -205,6 +205,7 @@ static int tps65217_charger_probe(struct
+ if (!charger)
+ return -ENOMEM;
+
++ platform_set_drvdata(pdev, charger);
+ charger->tps = tps;
+ charger->dev = &pdev->dev;
+
--- /dev/null
+From f4cceb2affcd1285d4ce498089e8a79f4cd2fa66 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 11 Jul 2016 11:46:33 +0300
+Subject: qxl: check for kmap failures
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit f4cceb2affcd1285d4ce498089e8a79f4cd2fa66 upstream.
+
+If kmap fails, it leads to memory corruption.
+
+Fixes: f64122c1f6ad ('drm: add new QXL driver. (v1.4)')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: http://patchwork.freedesktop.org/patch/msgid/20160711084633.GA31411@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/qxl/qxl_draw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/qxl/qxl_draw.c
++++ b/drivers/gpu/drm/qxl/qxl_draw.c
+@@ -136,6 +136,8 @@ static int qxl_palette_create_1bit(struc
+ * correctly globaly, since that would require
+ * tracking all of our palettes. */
+ ret = qxl_bo_kmap(palette_bo, (void **)&pal);
++ if (ret)
++ return ret;
+ pal->num_ents = 2;
+ pal->unique = unique++;
+ if (visual == FB_VISUAL_TRUECOLOR || visual == FB_VISUAL_DIRECTCOLOR) {
mips-avoid-a-bug-warning-during-prctl-pr_set_fp_mode.patch
mips-add-a-missing-.set-pop-in-an-early-commit.patch
mips-paravirt-fix-undefined-reference-to-smp_bootstrap.patch
+pm-hibernate-restore-processor-state-before-using-per-cpu-variables.patch
+pm-hibernate-fix-rtree_next_node-to-avoid-walking-off-list-ends.patch
+power_supply-tps65217-charger-fix-missing-platform_set_drvdata.patch
+power-supply-max17042_battery-fix-model-download-bug.patch
+qxl-check-for-kmap-failures.patch
+hostfs-freeing-an-err_ptr-in-hostfs_fill_sb_common.patch