From: Greg Kroah-Hartman Date: Mon, 5 Dec 2016 14:58:43 +0000 (+0100) Subject: 4.8-stable patches X-Git-Tag: v4.8.13~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=16ec54c874456778ecbe8883bb000a5c661980ab;p=thirdparty%2Fkernel%2Fstable-queue.git 4.8-stable patches added patches: arm64-dts-juno-fix-cluster-sleep-state-entry-latency-on-all-soc-versions.patch batman-adv-detect-missing-primaryif-during-tp_send-as-error.patch clk-sunxi-fix-m-factor-computation-for-apb1.patch drm-mediatek-fix-null-pointer-dereference.patch kvm-use-after-free-in-kvm_ioctl_create_device.patch perf-x86-restore-task_size-check-on-frame-pointer.patch pwm-fix-device-reference-leak.patch
---
diff --git a/queue-4.8/arm64-dts-juno-fix-cluster-sleep-state-entry-latency-on-all-soc-versions.patch b/queue-4.8/arm64-dts-juno-fix-cluster-sleep-state-entry-latency-on-all-soc-versions.patch
new file mode 100644
index 00000000000..c30fcc3ee98
--- /dev/null
+++ b/queue-4.8/arm64-dts-juno-fix-cluster-sleep-state-entry-latency-on-all-soc-versions.patch
@@ -0,0 +1,64 @@
+From 909e481e2467f202b97d42beef246e8829416a85 Mon Sep 17 00:00:00 2001
+From: Sudeep Holla
+Date: Wed, 16 Nov 2016 17:31:31 +0000
+Subject: arm64: dts: juno: fix cluster sleep state entry latency on all SoC versions
+
+From: Sudeep Holla
+
+commit 909e481e2467f202b97d42beef246e8829416a85 upstream.
+
+The core and the cluster sleep state entry latencies can't be same as
+cluster sleep involves more work compared to core level e.g. shared
+cache maintenance.
+
+Experiments have shown on an average about 100us more latency for the
+cluster sleep state compared to the core level sleep. This patch fixes
+the entry latency for the cluster sleep state.
+
+Fixes: 28e10a8f3a03 ("arm64: dts: juno: Add idle-states to device tree")
+Cc: Lorenzo Pieralisi
+Cc: "Jon Medhurst (Tixy)"
+Reviewed-by: Liviu Dudau
+Signed-off-by: Sudeep Holla
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/boot/dts/arm/juno-r1.dts | 2 +-
+ arch/arm64/boot/dts/arm/juno-r2.dts | 2 +-
+ arch/arm64/boot/dts/arm/juno.dts | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/boot/dts/arm/juno-r1.dts
++++ b/arch/arm64/boot/dts/arm/juno-r1.dts
+@@ -76,7 +76,7 @@
+ compatible = "arm,idle-state";
+ arm,psci-suspend-param = <0x1010000>;
+ local-timer-stop;
+- entry-latency-us = <300>;
++ entry-latency-us = <400>;
+ exit-latency-us = <1200>;
+ min-residency-us = <2500>;
+ };
+--- a/arch/arm64/boot/dts/arm/juno-r2.dts
++++ b/arch/arm64/boot/dts/arm/juno-r2.dts
+@@ -76,7 +76,7 @@
+ compatible = "arm,idle-state";
+ arm,psci-suspend-param = <0x1010000>;
+ local-timer-stop;
+- entry-latency-us = <300>;
++ entry-latency-us = <400>;
+ exit-latency-us = <1200>;
+ min-residency-us = <2500>;
+ };
+--- a/arch/arm64/boot/dts/arm/juno.dts
++++ b/arch/arm64/boot/dts/arm/juno.dts
+@@ -76,7 +76,7 @@
+ compatible = "arm,idle-state";
+ arm,psci-suspend-param = <0x1010000>;
+ local-timer-stop;
+- entry-latency-us = <300>;
++ entry-latency-us = <400>;
+ exit-latency-us = <1200>;
+ min-residency-us = <2500>;
+ };
diff --git a/queue-4.8/batman-adv-detect-missing-primaryif-during-tp_send-as-error.patch b/queue-4.8/batman-adv-detect-missing-primaryif-during-tp_send-as-error.patch
new file mode 100644
index 00000000000..b043a9e2303
--- /dev/null
+++ b/queue-4.8/batman-adv-detect-missing-primaryif-during-tp_send-as-error.patch
@@ -0,0 +1,34 @@
+From e13258f38e927b61cdb5f4ad25309450d3b127d1 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann
+Date: Sat, 29 Oct 2016 09:18:43 +0200
+Subject: batman-adv: Detect missing primaryif during tp_send as error
+
+From: Sven Eckelmann
+
+commit e13258f38e927b61cdb5f4ad25309450d3b127d1 upstream.
+
+The throughput meter detects different situations as problems for the
+current test. It stops the test after these and reports it to userspace.
+This also has to be done when the primary interface disappeared during the
+test.
+
+Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
+Reported-by: Joe Perches
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/batman-adv/tp_meter.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/batman-adv/tp_meter.c
++++ b/net/batman-adv/tp_meter.c
+@@ -837,6 +837,7 @@ static int batadv_tp_send(void *arg)
+ primary_if = batadv_primary_if_get_selected(bat_priv);
+ if (unlikely(!primary_if)) {
+ err = BATADV_TP_REASON_DST_UNREACHABLE;
++ tp_vars->reason = err;
+ goto out;
+ }
+
diff --git a/queue-4.8/clk-sunxi-fix-m-factor-computation-for-apb1.patch b/queue-4.8/clk-sunxi-fix-m-factor-computation-for-apb1.patch
new file mode 100644
index 00000000000..0f3579dd859
--- /dev/null
+++ b/queue-4.8/clk-sunxi-fix-m-factor-computation-for-apb1.patch
@@ -0,0 +1,45 @@
+From ac95330b96376550ae7a533d1396272d675adfa2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?St=C3=A9phan=20Rafin?=
+Date: Fri, 4 Nov 2016 00:53:56 +0100
+Subject: clk: sunxi: Fix M factor computation for APB1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stéphan Rafin
+
+commit ac95330b96376550ae7a533d1396272d675adfa2 upstream.
+
+commit cfa636886033 ("clk: sunxi: factors: Consolidate get_factors
+parameters into a struct") introduced a regression for m factor
+computation in sun4i_get_apb1_factors function.
+
+The old code reassigned the "parent_rate" parameter to the targeted
+divisor value and was buggy for the returned frequency but not for the
+computed factors. Now, returned frequency is good but m factor is
+incorrectly computed (its max value 31 is always set resulting in a
+significantly slower frequency than the requested one...)
+
+This patch simply restores the original proper computation for m while
+keeping the good changes for returned rate.
+
+Fixes: cfa636886033 ("clk: sunxi: factors: Consolidate get_factors parameters into a struct")
+Signed-off-by: Stéphan Rafin
+Signed-off-by: Maxime Ripard
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/clk/sunxi/clk-sunxi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/sunxi/clk-sunxi.c
++++ b/drivers/clk/sunxi/clk-sunxi.c
+@@ -373,7 +373,7 @@ static void sun4i_get_apb1_factors(struc
+ else
+ calcp = 3;
+
+- calcm = (req->parent_rate >> calcp) - 1;
++ calcm = (div >> calcp) - 1;
+
+ req->rate = (req->parent_rate >> calcp) / (calcm + 1);
+ req->m = calcm;
diff --git a/queue-4.8/drm-mediatek-fix-null-pointer-dereference.patch b/queue-4.8/drm-mediatek-fix-null-pointer-dereference.patch
new file mode 100644
index 00000000000..ff7123fbab7
--- /dev/null
+++ b/queue-4.8/drm-mediatek-fix-null-pointer-dereference.patch
@@ -0,0 +1,54 @@
+From 5ad45307d990020b25a8f7486178b6e033790f70 Mon Sep 17 00:00:00 2001
+From: Matthias Brugger
+Date: Fri, 18 Nov 2016 11:06:10 +0100
+Subject: drm/mediatek: fix null pointer dereference
+
+From: Matthias Brugger
+
+commit 5ad45307d990020b25a8f7486178b6e033790f70 upstream.
+
+The probe function requests the interrupt before initializing
+the ddp component. Which leads to a null pointer dereference at boot.
+Fix this by requesting the interrput after all components got
+initialized properly.
+
+Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
+Signed-off-by: Matthias Brugger
+Signed-off-by: Greg Kroah-Hartman
+
+Change-Id: I57193a7ab554dfb37c35a455900689333adf511c
+
+---
+ drivers/gpu/drm/mediatek/mtk_disp_ovl.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/mediatek/mtk_disp_ovl.c
++++ b/drivers/gpu/drm/mediatek/mtk_disp_ovl.c
+@@ -249,13 +249,6 @@ static int mtk_disp_ovl_probe(struct pla
+ if (irq < 0)
+ return irq;
+
+- ret = devm_request_irq(dev, irq, mtk_disp_ovl_irq_handler,
+- IRQF_TRIGGER_NONE, dev_name(dev), priv);
+- if (ret < 0) {
+- dev_err(dev, "Failed to request irq %d: %d\n", irq, ret);
+- return ret;
+- }
+-
+ comp_id = mtk_ddp_comp_get_id(dev->of_node, MTK_DISP_OVL);
+ if (comp_id < 0) {
+ dev_err(dev, "Failed to identify by alias: %d\n", comp_id);
+@@ -271,6 +264,13 @@ static int mtk_disp_ovl_probe(struct pla
+
+ platform_set_drvdata(pdev, priv);
+
++ ret = devm_request_irq(dev, irq, mtk_disp_ovl_irq_handler,
++ IRQF_TRIGGER_NONE, dev_name(dev), priv);
++ if (ret < 0) {
++ dev_err(dev, "Failed to request irq %d: %d\n", irq, ret);
++ return ret;
++ }
++
+ ret = component_add(dev, &mtk_disp_ovl_component_ops);
+ if (ret)
+ dev_err(dev, "Failed to add component: %d\n", ret);
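Review bot: The relocated `devm_request_irq()` call in `mtk_disp_ovl_probe()` carries no comment saying why it has to come after the component setup, so a later cleanup could move it back up. The handler is registered with `priv` as its argument and can run as soon as the request succeeds, which per the commit message is how the uninitialised ddp component was dereferenced. I would add above the call: `/* Request the IRQ last: the handler may fire immediately and uses priv's ddp component. */`. The initialisation between the two hunks is not visible here, so whether the new early `return ret` has to undo any of it should be checked against the full function.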
diff --git a/queue-4.8/kvm-use-after-free-in-kvm_ioctl_create_device.patch b/queue-4.8/kvm-use-after-free-in-kvm_ioctl_create_device.patch
new file mode 100644
index 00000000000..7f5ebf9c96d
--- /dev/null
+++ b/queue-4.8/kvm-use-after-free-in-kvm_ioctl_create_device.patch
@@ -0,0 +1,39 @@
+From a0f1d21c1ccb1da66629627a74059dd7f5ac9c61 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 30 Nov 2016 22:21:05 +0300
+Subject: KVM: use after free in kvm_ioctl_create_device()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter
+
+commit a0f1d21c1ccb1da66629627a74059dd7f5ac9c61 upstream.
+
+We should move the ops->destroy(dev) after the list_del(&dev->vm_node)
+so that we don't use "dev" after freeing it.
+
+Fixes: a28ebea2adc4 ("KVM: Protect device ops->create and list_add with kvm->lock")
+Signed-off-by: Dan Carpenter
+Reviewed-by: David Hildenbrand
+Signed-off-by: Radim Krčmář
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/kvm_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -2852,10 +2852,10 @@ static int kvm_ioctl_create_device(struc
+
+ ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
+ if (ret < 0) {
+- ops->destroy(dev);
+ mutex_lock(&kvm->lock);
+ list_del(&dev->vm_node);
+ mutex_unlock(&kvm->lock);
++ ops->destroy(dev);
+ return ret;
+ }
+
diff --git a/queue-4.8/perf-x86-restore-task_size-check-on-frame-pointer.patch b/queue-4.8/perf-x86-restore-task_size-check-on-frame-pointer.patch
new file mode 100644
index 00000000000..cedc227e144
--- /dev/null
+++ b/queue-4.8/perf-x86-restore-task_size-check-on-frame-pointer.patch
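Review bot: In the `ret < 0` branch of `kvm_ioctl_create_device()` the corrected order (unlink `dev->vm_node` under `kvm->lock`, then `ops->destroy(dev)`) is not explained in the code, so the same use-after-free can come back with the next reshuffle of the error path. A one-line comment before the destroy call would pin it: `/* destroy() frees dev, so it must already be off the VM's device list */`. The function continues past the hunk; on the success path the fd from `anon_inode_getfd()` is already visible to userspace when the call returns, so it is worth confirming in the lines that follow that any reference the device needs on `kvm` is taken before that call rather than after it.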
@@ -0,0 +1,119 @@
+From ae31fe51a3cceaa0cabdb3058f69669ecb47f12e Mon Sep 17 00:00:00 2001
+From: Johannes Weiner
+Date: Tue, 22 Nov 2016 10:57:42 +0100
+Subject: perf/x86: Restore TASK_SIZE check on frame pointer
+
+From: Johannes Weiner
+
+commit ae31fe51a3cceaa0cabdb3058f69669ecb47f12e upstream.
+
+The following commit:
+
+ 75925e1ad7f5 ("perf/x86: Optimize stack walk user accesses")
+
+... switched from copy_from_user_nmi() to __copy_from_user_nmi() with a manual
+access_ok() check.
+
+Unfortunately, copy_from_user_nmi() does an explicit check against TASK_SIZE,
+whereas the access_ok() uses whatever the current address limit of the task is.
+
+We are getting NMIs when __probe_kernel_read() has switched to KERNEL_DS, and
+then see vmalloc faults when we access what looks like pointers into vmalloc
+space:
+
+ [] WARNING: CPU: 3 PID: 3685731 at arch/x86/mm/fault.c:435 vmalloc_fault+0x289/0x290
+ [] CPU: 3 PID: 3685731 Comm: sh Tainted: G W 4.6.0-5_fbk1_223_gdbf0f40 #1
+ [] Call Trace:
+ [] [] dump_stack+0x4d/0x6c
+ [] [] __warn+0xd3/0xf0
+ [] [] warn_slowpath_null+0x1d/0x20
+ [] [] vmalloc_fault+0x289/0x290
+ [] [] __do_page_fault+0x330/0x490
+ [] [] do_page_fault+0xc/0x10
+ [] [] page_fault+0x22/0x30
+ [] [] ? perf_callchain_user+0x100/0x2a0
+ [] [] get_perf_callchain+0x17f/0x190
+ [] [] perf_callchain+0x67/0x80
+ [] [] perf_prepare_sample+0x2a0/0x370
+ [] [] perf_event_output+0x20/0x60
+ [] [] ? perf_event_update_userpage+0xc7/0x130
+ [] [] __perf_event_overflow+0x181/0x1d0
+ [] [] perf_event_overflow+0x14/0x20
+ [] [] intel_pmu_handle_irq+0x1d3/0x490
+ [] [] ? copy_user_enhanced_fast_string+0x7/0x10
+ [] [] ? vunmap_page_range+0x1a1/0x2f0
+ [] [] ? unmap_kernel_range_noflush+0x11/0x20
+ [] [] ? ghes_copy_tofrom_phys+0x116/0x1f0
+ [] [] ? x2apic_send_IPI_self+0x1d/0x20
+ [] [] perf_event_nmi_handler+0x2d/0x50
+ [] [] nmi_handle+0x61/0x110
+ [] [] default_do_nmi+0x44/0x110
+ [] [] do_nmi+0xdb/0x150
+ [] [] end_repeat_nmi+0x1a/0x1e
+ [] [] ? copy_user_enhanced_fast_string+0x7/0x10
+ [] [] ? copy_user_enhanced_fast_string+0x7/0x10
+ [] [] ? copy_user_enhanced_fast_string+0x7/0x10
+ [] <> [] ? __probe_kernel_read+0x3e/0xa0
+
+Fix this by moving the valid_user_frame() check to before the uaccess
+that loads the return address and the pointer to the next frame.
+
+Signed-off-by: Johannes Weiner
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: Alexander Shishkin
+Cc: Arnaldo Carvalho de Melo
+Cc: Jiri Olsa
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Cc: Thomas Gleixner
+Cc: Vince Weaver
+Cc: linux-kernel@vger.kernel.org
+Fixes: 75925e1ad7f5 ("perf/x86: Optimize stack walk user accesses")
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/events/core.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/events/core.c
++++ b/arch/x86/events/core.c
+@@ -2344,7 +2344,7 @@ perf_callchain_user32(struct pt_regs *re
+ frame.next_frame = 0;
+ frame.return_address = 0;
+
+- if (!access_ok(VERIFY_READ, fp, 8))
++ if (!valid_user_frame(fp, sizeof(frame)))
+ break;
+
+ bytes = __copy_from_user_nmi(&frame.next_frame, fp, 4);
+@@ -2354,9 +2354,6 @@ perf_callchain_user32(struct pt_regs *re
+ if (bytes != 0)
+ break;
+
+- if (!valid_user_frame(fp, sizeof(frame)))
+- break;
+-
+ perf_callchain_store(entry, cs_base + frame.return_address);
+ fp = compat_ptr(ss_base + frame.next_frame);
+ }
+@@ -2405,7 +2402,7 @@ perf_callchain_user(struct perf_callchai
+ frame.next_frame = NULL;
+ frame.return_address = 0;
+
+- if (!access_ok(VERIFY_READ, fp, sizeof(*fp) * 2))
++ if (!valid_user_frame(fp, sizeof(frame)))
+ break;
+
+ bytes = __copy_from_user_nmi(&frame.next_frame, fp, sizeof(*fp));
+@@ -2415,9 +2412,6 @@ perf_callchain_user(struct perf_callchai
+ if (bytes != 0)
+ break;
+
+- if (!valid_user_frame(fp, sizeof(frame)))
+- break;
+-
+ perf_callchain_store(entry, frame.return_address);
+ fp = (void __user *)frame.next_frame;
+ }
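Review bot: Both `perf_callchain_user32()` and `perf_callchain_user()` now depend on `valid_user_frame()` as the only range check in front of `__copy_from_user_nmi()`, yet the reason `access_ok()` is not sufficient here is recorded only in the commit message. That difference is the security property itself (a fixed TASK_SIZE bound versus the task's current address limit, which the message says can be KERNEL_DS when the NMI arrives), so it belongs at both call sites, e.g. `/* Not access_ok(): an NMI may hit under KERNEL_DS, so bound fp by TASK_SIZE. */`. The check spans `sizeof(frame)` while the reads that follow are issued per field, and only the first copy is visible in these hunks; a word in the same comment that the one check is meant to cover every read of the frame would keep the two in step. Both loop bodies start and end outside the hunks.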
diff --git a/queue-4.8/pwm-fix-device-reference-leak.patch b/queue-4.8/pwm-fix-device-reference-leak.patch
new file mode 100644
index 00000000000..3fccdf7baf4
--- /dev/null
+++ b/queue-4.8/pwm-fix-device-reference-leak.patch
@@ -0,0 +1,33 @@
+From 0e1614ac84f1719d87bed577963bb8140d0c9ce8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 1 Nov 2016 11:46:39 +0100
+Subject: pwm: Fix device reference leak
+
+From: Johan Hovold
+
+commit 0e1614ac84f1719d87bed577963bb8140d0c9ce8 upstream.
+
+Make sure to drop the reference to the parent device taken by
+class_find_device() after "unexporting" any children when deregistering
+a PWM chip.
+
+Fixes: 0733424c9ba9 ("pwm: Unexport children before chip removal")
+Signed-off-by: Johan Hovold
+Signed-off-by: Thierry Reding
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pwm/sysfs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pwm/sysfs.c
++++ b/drivers/pwm/sysfs.c
+@@ -425,6 +425,8 @@ void pwmchip_sysfs_unexport_children(str
+ if (test_bit(PWMF_EXPORTED, &pwm->flags))
+ pwm_unexport_child(parent, pwm);
+ }
++
++ put_device(parent);
+ }
+
+ static int __init pwm_sysfs_init(void)
diff --git a/queue-4.8/series b/queue-4.8/series
index f206a903945..566fbc8b4d3 100644
--- a/queue-4.8/series
+++ b/queue-4.8/series
@@ -23,3 +23,10 @@ drm-amdgpu-fix-power-state-when-port-pm-is-unavailable.patch
 drm-radeon-fix-power-state-when-port-pm-is-unavailable-v2.patch
 drm-amdgpu-fix-check-for-port-pm-availability.patch
 drm-radeon-fix-check-for-port-pm-availability.patch
+arm64-dts-juno-fix-cluster-sleep-state-entry-latency-on-all-soc-versions.patch
+kvm-use-after-free-in-kvm_ioctl_create_device.patch
+pwm-fix-device-reference-leak.patch
+drm-mediatek-fix-null-pointer-dereference.patch
+perf-x86-restore-task_size-check-on-frame-pointer.patch
+clk-sunxi-fix-m-factor-computation-for-apb1.patch
+batman-adv-detect-missing-primaryif-during-tp_send-as-error.patch
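Review bot: The `put_device(parent)` added at the end of `pwmchip_sysfs_unexport_children()` is not tied in the code to the call that took the reference, which per the commit message is `class_find_device()` earlier in the function and outside this hunk. A comment such as `/* drop the reference taken by class_find_device() */` keeps the get/put pairing visible to the next person who edits the loop. It is also worth checking that every exit between the lookup and this line either returns before a reference is held or reaches the `put_device()`; those paths are not shown here.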