From: Greg Kroah-Hartman Date: Tue, 12 Apr 2016 21:00:08 +0000 (-0700) Subject: 4.4-stable patches X-Git-Tag: v3.14.67~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1fe17a922134be601214086a98eb293364668c7f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-hda-apply-fix-for-white-noise-on-asus-n550jv-too.patch alsa-hda-asus-n750jv-external-subwoofer-fixup.patch alsa-hda-fix-white-noise-on-asus-n750jv-headphone.patch alsa-timer-use-mod_timer-for-rearming-the-system-timer.patch arm64-opcodes.h-add-arm-big-endian-config-options-before-including-arm-header.patch compiler-gcc-disable-ftracer-for-__noclone-functions.patch hwmon-max1111-return-enodev-from-max1111_read_channel-if-not-instantiated.patch libnvdimm-fix-smart-data-retrieval.patch libnvdimm-pfn-fix-uuid-validation.patch mm-fix-invalid-node-in-alloc_migrate_target.patch parisc-avoid-function-pointers-for-kernel-exception-routines.patch parisc-fix-kernel-crash-with-reversed-copy_from_user.patch parisc-unbreak-handling-exceptions-from-kernel-modules.patch pkcs-7-pkcs7_validate_trust-initialize-the-_trusted-output-argument.patch powerpc-mm-fixup-preempt-underflow-with-huge-pages.patch --- diff --git a/queue-4.4/alsa-hda-apply-fix-for-white-noise-on-asus-n550jv-too.patch b/queue-4.4/alsa-hda-apply-fix-for-white-noise-on-asus-n550jv-too.patch new file mode 100644 index 00000000000..cf01bb52ede --- /dev/null +++ b/queue-4.4/alsa-hda-apply-fix-for-white-noise-on-asus-n550jv-too.patch @@ -0,0 +1,32 @@ +From 83a9efb5b8170b7cffef4f62656656e1d8ad2ccd Mon Sep 17 00:00:00 2001 +From: Bobi Mihalca +Date: Wed, 23 Mar 2016 13:32:33 +0200 +Subject: ALSA: hda - Apply fix for white noise on Asus N550JV, too + +From: Bobi Mihalca + +commit 83a9efb5b8170b7cffef4f62656656e1d8ad2ccd upstream. + +Apply the new fixup that is used for ASUS N750JV to another similar +model, N500JV, too, for reducing the headphone noise. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=115181 +Signed-off-by: Bobi Mihalca +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6648,7 +6648,7 @@ static const struct snd_pci_quirk alc662 + SND_PCI_QUIRK(0x1028, 0x0698, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x069f, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800), +- SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_BASS_1A), ++ SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_ASUS_Nx50), + SND_PCI_QUIRK(0x1043, 0x13df, "Asus N550JX", ALC662_FIXUP_BASS_1A), + SND_PCI_QUIRK(0x1043, 0x129d, "Asus N750", ALC662_FIXUP_ASUS_Nx50), + SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_BASS_MODE4_CHMAP), diff --git a/queue-4.4/alsa-hda-asus-n750jv-external-subwoofer-fixup.patch b/queue-4.4/alsa-hda-asus-n750jv-external-subwoofer-fixup.patch new file mode 100644 index 00000000000..d7a40121382 --- /dev/null +++ b/queue-4.4/alsa-hda-asus-n750jv-external-subwoofer-fixup.patch @@ -0,0 +1,30 @@ +From 70cf2cbd685e218c3ffd105d9fb6cf0f8d767481 Mon Sep 17 00:00:00 2001 +From: Bobi Mihalca +Date: Wed, 23 Mar 2016 13:23:55 +0200 +Subject: ALSA: hda - Asus N750JV external subwoofer fixup + +From: Bobi Mihalca + +commit 70cf2cbd685e218c3ffd105d9fb6cf0f8d767481 upstream. + +ASUS N750JV needs the same fixup as N550 for enabling its subwoofer. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=115181 +Signed-off-by: Bobi Mihalca +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6643,6 +6643,7 @@ static const struct snd_pci_quirk alc662 + SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800), + SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_BASS_1A), + SND_PCI_QUIRK(0x1043, 0x13df, "Asus N550JX", ALC662_FIXUP_BASS_1A), ++ SND_PCI_QUIRK(0x1043, 0x129d, "Asus N750", ALC662_FIXUP_BASS_1A), + SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_BASS_MODE4_CHMAP), + SND_PCI_QUIRK(0x1043, 0x15a7, "ASUS UX51VZH", ALC662_FIXUP_BASS_16), + SND_PCI_QUIRK(0x1043, 0x1b73, "ASUS N55SF", ALC662_FIXUP_BASS_16), diff --git a/queue-4.4/alsa-hda-fix-white-noise-on-asus-n750jv-headphone.patch b/queue-4.4/alsa-hda-fix-white-noise-on-asus-n750jv-headphone.patch new file mode 100644 index 00000000000..49519af8268 --- /dev/null +++ b/queue-4.4/alsa-hda-fix-white-noise-on-asus-n750jv-headphone.patch @@ -0,0 +1,53 @@ +From 9d4dc5840f93bcb002fa311693349deae7702bc5 Mon Sep 17 00:00:00 2001 +From: Bobi Mihalca +Date: Wed, 23 Mar 2016 13:26:11 +0200 +Subject: ALSA: hda - Fix white noise on Asus N750JV headphone + +From: Bobi Mihalca + +commit 9d4dc5840f93bcb002fa311693349deae7702bc5 upstream. + +For reducing the noise from the headphone output on ASUS N750JV, +call the existing fixup, alc_fixup_auto_mute_via_amp(), additionally. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=115181 +Signed-off-by: Bobi Mihalca +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6379,6 +6379,7 @@ enum { + ALC668_FIXUP_AUTO_MUTE, + ALC668_FIXUP_DELL_DISABLE_AAMIX, + ALC668_FIXUP_DELL_XPS13, ++ ALC662_FIXUP_ASUS_Nx50, + }; + + static const struct hda_fixup alc662_fixups[] = { +@@ -6619,6 +6620,12 @@ static const struct hda_fixup alc662_fix + .type = HDA_FIXUP_FUNC, + .v.func = alc_fixup_bass_chmap, + }, ++ [ALC662_FIXUP_ASUS_Nx50] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc_fixup_auto_mute_via_amp, ++ .chained = true, ++ .chain_id = ALC662_FIXUP_BASS_1A ++ }, + }; + + static const struct snd_pci_quirk alc662_fixup_tbl[] = { +@@ -6643,7 +6650,7 @@ static const struct snd_pci_quirk alc662 + SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800), + SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_BASS_1A), + SND_PCI_QUIRK(0x1043, 0x13df, "Asus N550JX", ALC662_FIXUP_BASS_1A), +- SND_PCI_QUIRK(0x1043, 0x129d, "Asus N750", ALC662_FIXUP_BASS_1A), ++ SND_PCI_QUIRK(0x1043, 0x129d, "Asus N750", ALC662_FIXUP_ASUS_Nx50), + SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_BASS_MODE4_CHMAP), + SND_PCI_QUIRK(0x1043, 0x15a7, "ASUS UX51VZH", ALC662_FIXUP_BASS_16), + SND_PCI_QUIRK(0x1043, 0x1b73, "ASUS N55SF", ALC662_FIXUP_BASS_16), diff --git a/queue-4.4/alsa-timer-use-mod_timer-for-rearming-the-system-timer.patch b/queue-4.4/alsa-timer-use-mod_timer-for-rearming-the-system-timer.patch new file mode 100644 index 00000000000..2d16ae191aa --- /dev/null +++ b/queue-4.4/alsa-timer-use-mod_timer-for-rearming-the-system-timer.patch @@ -0,0 +1,56 @@ +From 4a07083ed613644c96c34a7dd2853dc5d7c70902 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 1 Apr 2016 12:28:16 +0200 +Subject: ALSA: timer: Use mod_timer() for rearming the system timer + +From: Takashi Iwai + +commit 4a07083ed613644c96c34a7dd2853dc5d7c70902 upstream. + +ALSA system timer backend stops the timer via del_timer() without sync +and leaves del_timer_sync() at the close instead. This is because of +the restriction by the design of ALSA timer: namely, the stop callback +may be called from the timer handler, and calling the sync shall lead +to a hangup. However, this also triggers a kernel BUG() when the +timer is rearmed immediately after stopping without sync: + kernel BUG at kernel/time/timer.c:966! + Call Trace: + + [] snd_timer_s_start+0x13e/0x1a0 + [] snd_timer_interrupt+0x504/0xec0 + [] ? debug_check_no_locks_freed+0x290/0x290 + [] snd_timer_s_function+0xb4/0x120 + [] call_timer_fn+0x162/0x520 + [] ? call_timer_fn+0xcd/0x520 + [] ? snd_timer_interrupt+0xec0/0xec0 + .... + +It's the place where add_timer() checks the pending timer. It's clear +that this may happen after the immediate restart without sync in our +cases. + +So, the workaround here is just to use mod_timer() instead of +add_timer(). This looks like a band-aid fix, but it's a right move, +as snd_timer_interrupt() takes care of the continuous rearm of timer. + +Reported-by: Jiri Slaby +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/timer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1051,8 +1051,8 @@ static int snd_timer_s_start(struct snd_ + njiff += timer->sticks - priv->correction; + priv->correction = 0; + } +- priv->last_expires = priv->tlist.expires = njiff; +- add_timer(&priv->tlist); ++ priv->last_expires = njiff; ++ mod_timer(&priv->tlist, njiff); + return 0; + } + diff --git a/queue-4.4/arm64-opcodes.h-add-arm-big-endian-config-options-before-including-arm-header.patch b/queue-4.4/arm64-opcodes.h-add-arm-big-endian-config-options-before-including-arm-header.patch new file mode 100644 index 00000000000..c61e9db0e82 --- /dev/null +++ b/queue-4.4/arm64-opcodes.h-add-arm-big-endian-config-options-before-including-arm-header.patch @@ -0,0 +1,58 @@ +From a6002ec5a8c68e69706b2efd6db6d682d0ab672c Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Thu, 24 Mar 2016 16:54:34 +0000 +Subject: arm64: opcodes.h: Add arm big-endian config options before including arm header + +From: James Morse + +commit a6002ec5a8c68e69706b2efd6db6d682d0ab672c upstream. + +arm and arm64 use different config options to specify big endian. This +needs taking into account when including code/headers between the two +architectures. + +A case in point is PAN, which uses the __instr_arm() macro to output +instructions. The macro comes from opcodes.h, which lives under arch/arm. +On a big-endian build the mismatched config options mean the instruction +isn't byte swapped correctly, resulting in undefined instruction exceptions +during boot: + +| alternatives: patching kernel code +| kdevtmpfs[87]: undefined instruction: pc=ffffffc0004505b4 +| kdevtmpfs[87]: undefined instruction: pc=ffffffc00076231c +| kdevtmpfs[87]: undefined instruction: pc=ffffffc00076231c +| kdevtmpfs[87]: undefined instruction: pc=ffffffc00076231c +| kdevtmpfs[87]: undefined instruction: pc=ffffffc00076231c +| kdevtmpfs[87]: undefined instruction: pc=ffffffc00076231c +| kdevtmpfs[87]: undefined instruction: pc=ffffffc00076231c +| kdevtmpfs[87]: undefined instruction: pc=ffffffc00076231c +| kdevtmpfs[87]: undefined instruction: pc=ffffffc00076231c +| kdevtmpfs[87]: undefined instruction: pc=ffffffc00076231c +| Internal error: Oops - undefined instruction: 0 [#1] SMP +| Modules linked in: +| CPU: 0 PID: 87 Comm: kdevtmpfs Not tainted 4.1.16+ #5 +| Hardware name: Hisilicon PhosphorHi1382 EVB (DT) +| task: ffffffc336591700 ti: ffffffc3365a4000 task.ti: ffffffc3365a4000 +| PC is at dump_instr+0x68/0x100 +| LR is at do_undefinstr+0x1d4/0x2a4 +| pc : [] lr : [] pstate: 604001c5 +| sp : ffffffc3365a6450 + +Reported-by: Hanjun Guo +Tested-by: Xuefeng Wang +Signed-off-by: James Morse +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/opcodes.h | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/arm64/include/asm/opcodes.h ++++ b/arch/arm64/include/asm/opcodes.h +@@ -1 +1,5 @@ ++#ifdef CONFIG_CPU_BIG_ENDIAN ++#define CONFIG_CPU_ENDIAN_BE8 CONFIG_CPU_BIG_ENDIAN ++#endif ++ + #include <../../arm/include/asm/opcodes.h> diff --git a/queue-4.4/compiler-gcc-disable-ftracer-for-__noclone-functions.patch b/queue-4.4/compiler-gcc-disable-ftracer-for-__noclone-functions.patch new file mode 100644 index 00000000000..12cbe2a73f7 --- /dev/null +++ b/queue-4.4/compiler-gcc-disable-ftracer-for-__noclone-functions.patch @@ -0,0 +1,42 @@ +From 95272c29378ee7dc15f43fa2758cb28a5913a06d Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Thu, 31 Mar 2016 09:38:51 +0200 +Subject: compiler-gcc: disable -ftracer for __noclone functions + +From: Paolo Bonzini + +commit 95272c29378ee7dc15f43fa2758cb28a5913a06d upstream. + +-ftracer can duplicate asm blocks causing compilation to fail in +noclone functions. For example, KVM declares a global variable +in an asm like + + asm("2: ... \n + .pushsection data \n + .global vmx_return \n + vmx_return: .long 2b"); + +and -ftracer causes a double declaration. + +Cc: Andrew Morton +Cc: Michal Marek +Cc: kvm@vger.kernel.org +Reported-by: Linda Walsh +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/compiler-gcc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/compiler-gcc.h ++++ b/include/linux/compiler-gcc.h +@@ -199,7 +199,7 @@ + #define unreachable() __builtin_unreachable() + + /* Mark a function definition as prohibited from being cloned. */ +-#define __noclone __attribute__((__noclone__)) ++#define __noclone __attribute__((__noclone__, __optimize__("no-tracer"))) + + #endif /* GCC_VERSION >= 40500 */ + diff --git a/queue-4.4/hwmon-max1111-return-enodev-from-max1111_read_channel-if-not-instantiated.patch b/queue-4.4/hwmon-max1111-return-enodev-from-max1111_read_channel-if-not-instantiated.patch new file mode 100644 index 00000000000..36bf1ed7f11 --- /dev/null +++ b/queue-4.4/hwmon-max1111-return-enodev-from-max1111_read_channel-if-not-instantiated.patch @@ -0,0 +1,74 @@ +From 3c2e2266a5bd2d1cef258e6e54dca1d99946379f Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Sat, 26 Mar 2016 12:28:05 -0700 +Subject: hwmon: (max1111) Return -ENODEV from max1111_read_channel if not instantiated + +From: Guenter Roeck + +commit 3c2e2266a5bd2d1cef258e6e54dca1d99946379f upstream. + +arm:pxa_defconfig can result in the following crash if the max1111 driver +is not instantiated. + +Unhandled fault: page domain fault (0x01b) at 0x00000000 +pgd = c0004000 +[00000000] *pgd=00000000 +Internal error: : 1b [#1] PREEMPT ARM +Modules linked in: +CPU: 0 PID: 300 Comm: kworker/0:1 Not tainted 4.5.0-01301-g1701f680407c #10 +Hardware name: SHARP Akita +Workqueue: events sharpsl_charge_toggle +task: c390a000 ti: c391e000 task.ti: c391e000 +PC is at max1111_read_channel+0x20/0x30 +LR is at sharpsl_pm_pxa_read_max1111+0x2c/0x3c +pc : [] lr : [] psr: 20000013 +... +[] (max1111_read_channel) from [] + (sharpsl_pm_pxa_read_max1111+0x2c/0x3c) +[] (sharpsl_pm_pxa_read_max1111) from [] + (spitzpm_read_devdata+0x5c/0xc4) +[] (spitzpm_read_devdata) from [] + (sharpsl_check_battery_temp+0x78/0x110) +[] (sharpsl_check_battery_temp) from [] + (sharpsl_charge_toggle+0x48/0x110) +[] (sharpsl_charge_toggle) from [] + (process_one_work+0x14c/0x48c) +[] (process_one_work) from [] (worker_thread+0x3c/0x5d4) +[] (worker_thread) from [] (kthread+0xd0/0xec) +[] (kthread) from [] (ret_from_fork+0x14/0x24) + +This can occur because the SPI controller driver (SPI_PXA2XX) is built as +module and thus not necessarily loaded. While building SPI_PXA2XX into the +kernel would make the problem disappear, it appears prudent to ensure that +the driver is instantiated before accessing its data structures. + +Cc: Arnd Bergmann +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/max1111.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/hwmon/max1111.c ++++ b/drivers/hwmon/max1111.c +@@ -85,6 +85,9 @@ static struct max1111_data *the_max1111; + + int max1111_read_channel(int channel) + { ++ if (!the_max1111 || !the_max1111->spi) ++ return -ENODEV; ++ + return max1111_read(&the_max1111->spi->dev, channel); + } + EXPORT_SYMBOL(max1111_read_channel); +@@ -258,6 +261,9 @@ static int max1111_remove(struct spi_dev + { + struct max1111_data *data = spi_get_drvdata(spi); + ++#ifdef CONFIG_SHARPSL_PM ++ the_max1111 = NULL; ++#endif + hwmon_device_unregister(data->hwmon_dev); + sysfs_remove_group(&spi->dev.kobj, &max1110_attr_group); + sysfs_remove_group(&spi->dev.kobj, &max1111_attr_group); diff --git a/queue-4.4/libnvdimm-fix-smart-data-retrieval.patch b/queue-4.4/libnvdimm-fix-smart-data-retrieval.patch new file mode 100644 index 00000000000..03a2755bd47 --- /dev/null +++ b/queue-4.4/libnvdimm-fix-smart-data-retrieval.patch @@ -0,0 +1,31 @@ +From 211291126698c8f047617565b2e2e7f822f86354 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Thu, 7 Apr 2016 19:58:44 -0700 +Subject: libnvdimm: fix smart data retrieval + +From: Dan Williams + +commit 211291126698c8f047617565b2e2e7f822f86354 upstream. + +It appears that smart data retrieval has been broken the since the +initial implementation. Fix the payload size to be 128-bytes per the +specification. + +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvdimm/bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvdimm/bus.c ++++ b/drivers/nvdimm/bus.c +@@ -335,7 +335,7 @@ static const struct nd_cmd_desc __nd_cmd + [ND_CMD_IMPLEMENTED] = { }, + [ND_CMD_SMART] = { + .out_num = 2, +- .out_sizes = { 4, 8, }, ++ .out_sizes = { 4, 128, }, + }, + [ND_CMD_SMART_THRESHOLD] = { + .out_num = 2, diff --git a/queue-4.4/libnvdimm-pfn-fix-uuid-validation.patch b/queue-4.4/libnvdimm-pfn-fix-uuid-validation.patch new file mode 100644 index 00000000000..af83baf307f --- /dev/null +++ b/queue-4.4/libnvdimm-pfn-fix-uuid-validation.patch @@ -0,0 +1,35 @@ +From e5670563f588ed1c0603819350c0f02cec23f5c5 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Thu, 7 Apr 2016 19:59:27 -0700 +Subject: libnvdimm, pfn: fix uuid validation + +From: Dan Williams + +commit e5670563f588ed1c0603819350c0f02cec23f5c5 upstream. + +If we detect a namespace has a stale info block in the init path, we +should overwrite with the latest configuration. In fact, we already +return -ENODEV when the parent uuid is invalid, the same should be done +for the 'self' uuid. Otherwise we can get into a condition where +userspace is unable to reconfigure the pfn-device without directly / +manually invalidating the info block. + +Reported-by: Jeff Moyer +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvdimm/pfn_devs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvdimm/pfn_devs.c ++++ b/drivers/nvdimm/pfn_devs.c +@@ -275,7 +275,7 @@ int nd_pfn_validate(struct nd_pfn *nd_pf + } else { + /* from init we validate */ + if (memcmp(nd_pfn->uuid, pfn_sb->uuid, 16) != 0) +- return -EINVAL; ++ return -ENODEV; + } + + /* diff --git a/queue-4.4/mm-fix-invalid-node-in-alloc_migrate_target.patch b/queue-4.4/mm-fix-invalid-node-in-alloc_migrate_target.patch new file mode 100644 index 00000000000..3d5ccf77d5e --- /dev/null +++ b/queue-4.4/mm-fix-invalid-node-in-alloc_migrate_target.patch @@ -0,0 +1,48 @@ +From 6f25a14a7053b69917e2ebea0d31dd444cd31fd5 Mon Sep 17 00:00:00 2001 +From: Xishi Qiu +Date: Fri, 1 Apr 2016 14:31:20 -0700 +Subject: mm: fix invalid node in alloc_migrate_target() + +From: Xishi Qiu + +commit 6f25a14a7053b69917e2ebea0d31dd444cd31fd5 upstream. + +It is incorrect to use next_node to find a target node, it will return +MAX_NUMNODES or invalid node. This will lead to crash in buddy system +allocation. + +Fixes: c8721bbbdd36 ("mm: memory-hotplug: enable memory hotplug to handle hugepage") +Signed-off-by: Xishi Qiu +Acked-by: Vlastimil Babka +Acked-by: Naoya Horiguchi +Cc: Joonsoo Kim +Cc: David Rientjes +Cc: "Laura Abbott" +Cc: Hui Zhu +Cc: Wang Xiaoqiang +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page_isolation.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/mm/page_isolation.c ++++ b/mm/page_isolation.c +@@ -283,11 +283,11 @@ struct page *alloc_migrate_target(struct + * now as a simple work-around, we use the next node for destination. + */ + if (PageHuge(page)) { +- nodemask_t src = nodemask_of_node(page_to_nid(page)); +- nodemask_t dst; +- nodes_complement(dst, src); ++ int node = next_online_node(page_to_nid(page)); ++ if (node == MAX_NUMNODES) ++ node = first_online_node; + return alloc_huge_page_node(page_hstate(compound_head(page)), +- next_node(page_to_nid(page), dst)); ++ node); + } + + if (PageHighMem(page)) diff --git a/queue-4.4/parisc-avoid-function-pointers-for-kernel-exception-routines.patch b/queue-4.4/parisc-avoid-function-pointers-for-kernel-exception-routines.patch new file mode 100644 index 00000000000..7b511a0603d --- /dev/null +++ b/queue-4.4/parisc-avoid-function-pointers-for-kernel-exception-routines.patch @@ -0,0 +1,42 @@ +From e3893027a300927049efc1572f852201eb785142 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Fri, 8 Apr 2016 18:11:33 +0200 +Subject: parisc: Avoid function pointers for kernel exception routines + +From: Helge Deller + +commit e3893027a300927049efc1572f852201eb785142 upstream. + +We want to avoid the kernel module loader to create function pointers +for the kernel fixup routines of get_user() and put_user(). Changing +the external reference from function type to int type fixes this. + +This unbreaks exception handling for get_user() and put_user() when +called from a kernel module. + +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/parisc_ksyms.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/parisc/kernel/parisc_ksyms.c ++++ b/arch/parisc/kernel/parisc_ksyms.c +@@ -47,11 +47,11 @@ EXPORT_SYMBOL(__cmpxchg_u64); + EXPORT_SYMBOL(lclear_user); + EXPORT_SYMBOL(lstrnlen_user); + +-/* Global fixups */ +-extern void fixup_get_user_skip_1(void); +-extern void fixup_get_user_skip_2(void); +-extern void fixup_put_user_skip_1(void); +-extern void fixup_put_user_skip_2(void); ++/* Global fixups - defined as int to avoid creation of function pointers */ ++extern int fixup_get_user_skip_1; ++extern int fixup_get_user_skip_2; ++extern int fixup_put_user_skip_1; ++extern int fixup_put_user_skip_2; + EXPORT_SYMBOL(fixup_get_user_skip_1); + EXPORT_SYMBOL(fixup_get_user_skip_2); + EXPORT_SYMBOL(fixup_put_user_skip_1); diff --git a/queue-4.4/parisc-fix-kernel-crash-with-reversed-copy_from_user.patch b/queue-4.4/parisc-fix-kernel-crash-with-reversed-copy_from_user.patch new file mode 100644 index 00000000000..e20831b52a1 --- /dev/null +++ b/queue-4.4/parisc-fix-kernel-crash-with-reversed-copy_from_user.patch @@ -0,0 +1,36 @@ +From ef72f3110d8b19f4c098a0bff7ed7d11945e70c6 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Fri, 8 Apr 2016 18:18:48 +0200 +Subject: parisc: Fix kernel crash with reversed copy_from_user() + +From: Helge Deller + +commit ef72f3110d8b19f4c098a0bff7ed7d11945e70c6 upstream. + +The kernel module testcase (lib/test_user_copy.c) exhibited a kernel +crash on parisc if the parameters for copy_from_user were reversed +("illegal reversed copy_to_user" testcase). + +Fix this potential crash by checking the fault handler if the faulting +address is in the exception table. + +Signed-off-by: Helge Deller +Cc: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/traps.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/parisc/kernel/traps.c ++++ b/arch/parisc/kernel/traps.c +@@ -798,6 +798,9 @@ void notrace handle_interruption(int cod + + if (fault_space == 0 && !faulthandler_disabled()) + { ++ /* Clean up and return if in exception table. */ ++ if (fixup_exception(regs)) ++ return; + pdc_chassis_send_status(PDC_CHASSIS_DIRECT_PANIC); + parisc_terminate("Kernel Fault", regs, code, fault_address); + } diff --git a/queue-4.4/parisc-unbreak-handling-exceptions-from-kernel-modules.patch b/queue-4.4/parisc-unbreak-handling-exceptions-from-kernel-modules.patch new file mode 100644 index 00000000000..c66fc5790ff --- /dev/null +++ b/queue-4.4/parisc-unbreak-handling-exceptions-from-kernel-modules.patch @@ -0,0 +1,88 @@ +From 2ef4dfd9d9f288943e249b78365a69e3ea3ec072 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Fri, 8 Apr 2016 18:32:52 +0200 +Subject: parisc: Unbreak handling exceptions from kernel modules + +From: Helge Deller + +commit 2ef4dfd9d9f288943e249b78365a69e3ea3ec072 upstream. + +Handling exceptions from modules never worked on parisc. +It was just masked by the fact that exceptions from modules +don't happen during normal use. + +When a module triggers an exception in get_user() we need to load the +main kernel dp value before accessing the exception_data structure, and +afterwards restore the original dp value of the module on exit. + +Noticed-by: Mikulas Patocka +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/include/asm/uaccess.h | 1 + + arch/parisc/kernel/asm-offsets.c | 1 + + arch/parisc/lib/fixup.S | 6 ++++++ + arch/parisc/mm/fault.c | 1 + + 4 files changed, 9 insertions(+) + +--- a/arch/parisc/include/asm/uaccess.h ++++ b/arch/parisc/include/asm/uaccess.h +@@ -76,6 +76,7 @@ struct exception_table_entry { + */ + struct exception_data { + unsigned long fault_ip; ++ unsigned long fault_gp; + unsigned long fault_space; + unsigned long fault_addr; + }; +--- a/arch/parisc/kernel/asm-offsets.c ++++ b/arch/parisc/kernel/asm-offsets.c +@@ -299,6 +299,7 @@ int main(void) + #endif + BLANK(); + DEFINE(EXCDATA_IP, offsetof(struct exception_data, fault_ip)); ++ DEFINE(EXCDATA_GP, offsetof(struct exception_data, fault_gp)); + DEFINE(EXCDATA_SPACE, offsetof(struct exception_data, fault_space)); + DEFINE(EXCDATA_ADDR, offsetof(struct exception_data, fault_addr)); + BLANK(); +--- a/arch/parisc/lib/fixup.S ++++ b/arch/parisc/lib/fixup.S +@@ -26,6 +26,7 @@ + + #ifdef CONFIG_SMP + .macro get_fault_ip t1 t2 ++ loadgp + addil LT%__per_cpu_offset,%r27 + LDREG RT%__per_cpu_offset(%r1),\t1 + /* t2 = smp_processor_id() */ +@@ -40,14 +41,19 @@ + LDREG RT%exception_data(%r1),\t1 + /* t1 = this_cpu_ptr(&exception_data) */ + add,l \t1,\t2,\t1 ++ /* %r27 = t1->fault_gp - restore gp */ ++ LDREG EXCDATA_GP(\t1), %r27 + /* t1 = t1->fault_ip */ + LDREG EXCDATA_IP(\t1), \t1 + .endm + #else + .macro get_fault_ip t1 t2 ++ loadgp + /* t1 = this_cpu_ptr(&exception_data) */ + addil LT%exception_data,%r27 + LDREG RT%exception_data(%r1),\t2 ++ /* %r27 = t2->fault_gp - restore gp */ ++ LDREG EXCDATA_GP(\t2), %r27 + /* t1 = t2->fault_ip */ + LDREG EXCDATA_IP(\t2), \t1 + .endm +--- a/arch/parisc/mm/fault.c ++++ b/arch/parisc/mm/fault.c +@@ -151,6 +151,7 @@ int fixup_exception(struct pt_regs *regs + struct exception_data *d; + d = this_cpu_ptr(&exception_data); + d->fault_ip = regs->iaoq[0]; ++ d->fault_gp = regs->gr[27]; + d->fault_space = regs->isr; + d->fault_addr = regs->ior; + diff --git a/queue-4.4/pkcs-7-pkcs7_validate_trust-initialize-the-_trusted-output-argument.patch b/queue-4.4/pkcs-7-pkcs7_validate_trust-initialize-the-_trusted-output-argument.patch new file mode 100644 index 00000000000..e4e0b0bfb5c --- /dev/null +++ b/queue-4.4/pkcs-7-pkcs7_validate_trust-initialize-the-_trusted-output-argument.patch @@ -0,0 +1,65 @@ +From e54358915d0a00399c11c2c23ae1be674cba188a Mon Sep 17 00:00:00 2001 +From: Nicolai Stange +Date: Sun, 20 Mar 2016 23:23:46 +0100 +Subject: PKCS#7: pkcs7_validate_trust(): initialize the _trusted output argument + +From: Nicolai Stange + +commit e54358915d0a00399c11c2c23ae1be674cba188a upstream. + +Despite what the DocBook comment to pkcs7_validate_trust() says, the +*_trusted argument is never set to false. + +pkcs7_validate_trust() only positively sets *_trusted upon encountering +a trusted PKCS#7 SignedInfo block. + +This is quite unfortunate since its callers, system_verify_data() for +example, depend on pkcs7_validate_trust() clearing *_trusted on non-trust. + +Indeed, UBSAN splats when attempting to load the uninitialized local +variable 'trusted' from system_verify_data() in pkcs7_validate_trust(): + + UBSAN: Undefined behaviour in crypto/asymmetric_keys/pkcs7_trust.c:194:14 + load of value 82 is not a valid value for type '_Bool' + [...] + Call Trace: + [] dump_stack+0xbc/0x117 + [] ? _atomic_dec_and_lock+0x169/0x169 + [] ubsan_epilogue+0xd/0x4e + [] __ubsan_handle_load_invalid_value+0x111/0x158 + [] ? val_to_string.constprop.12+0xcf/0xcf + [] ? x509_request_asymmetric_key+0x114/0x370 + [] ? kfree+0x220/0x370 + [] ? public_key_verify_signature_2+0x32/0x50 + [] pkcs7_validate_trust+0x524/0x5f0 + [] system_verify_data+0xca/0x170 + [] ? top_trace_array+0x9b/0x9b + [] ? __vfs_read+0x279/0x3d0 + [] mod_verify_sig+0x1ff/0x290 + [...] + +The implication is that pkcs7_validate_trust() effectively grants trust +when it really shouldn't have. + +Fix this by explicitly setting *_trusted to false at the very beginning +of pkcs7_validate_trust(). + +Signed-off-by: Nicolai Stange +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/asymmetric_keys/pkcs7_trust.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/crypto/asymmetric_keys/pkcs7_trust.c ++++ b/crypto/asymmetric_keys/pkcs7_trust.c +@@ -178,6 +178,8 @@ int pkcs7_validate_trust(struct pkcs7_me + int cached_ret = -ENOKEY; + int ret; + ++ *_trusted = false; ++ + for (p = pkcs7->certs; p; p = p->next) + p->seen = false; + diff --git a/queue-4.4/powerpc-mm-fixup-preempt-underflow-with-huge-pages.patch b/queue-4.4/powerpc-mm-fixup-preempt-underflow-with-huge-pages.patch new file mode 100644 index 00000000000..3a7c05feb77 --- /dev/null +++ b/queue-4.4/powerpc-mm-fixup-preempt-underflow-with-huge-pages.patch @@ -0,0 +1,52 @@ +From 08a5bb2921e490939f78f38fd0d02858bb709942 Mon Sep 17 00:00:00 2001 +From: Sebastian Siewior +Date: Tue, 8 Mar 2016 10:03:56 +0100 +Subject: powerpc/mm: Fixup preempt underflow with huge pages + +From: Sebastian Siewior + +commit 08a5bb2921e490939f78f38fd0d02858bb709942 upstream. + +hugepd_free() used __get_cpu_var() once. Nothing ensured that the code +accessing the variable did not migrate from one CPU to another and soon +this was noticed by Tiejun Chen in 94b09d755462 ("powerpc/hugetlb: +Replace __get_cpu_var with get_cpu_var"). So we had it fixed. + +Christoph Lameter was doing his __get_cpu_var() replaces and forgot +PowerPC. Then he noticed this and sent his fixed up batch again which +got applied as 69111bac42f5 ("powerpc: Replace __get_cpu_var uses"). + +The careful reader will noticed one little detail: get_cpu_var() got +replaced with this_cpu_ptr(). So now we have a put_cpu_var() which does +a preempt_enable() and nothing that does preempt_disable() so we +underflow the preempt counter. + +Cc: Benjamin Herrenschmidt +Cc: Christoph Lameter +Signed-off-by: Sebastian Andrzej Siewior +Reviewed-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/hugetlbpage.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/mm/hugetlbpage.c ++++ b/arch/powerpc/mm/hugetlbpage.c +@@ -486,13 +486,13 @@ static void hugepd_free(struct mmu_gathe + { + struct hugepd_freelist **batchp; + +- batchp = this_cpu_ptr(&hugepd_freelist_cur); ++ batchp = &get_cpu_var(hugepd_freelist_cur); + + if (atomic_read(&tlb->mm->mm_users) < 2 || + cpumask_equal(mm_cpumask(tlb->mm), + cpumask_of(smp_processor_id()))) { + kmem_cache_free(hugepte_cache, hugepte); +- put_cpu_var(hugepd_freelist_cur); ++ put_cpu_var(hugepd_freelist_cur); + return; + } + diff --git a/queue-4.4/series b/queue-4.4/series index 18e49decf03..92c6e923dd5 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -1,2 +1,15 @@ hwmon-max1111-return-enodev-from-max1111_read_channel-if-not-instantiated.patch pkcs-7-pkcs7_validate_trust-initialize-the-_trusted-output-argument.patch +parisc-avoid-function-pointers-for-kernel-exception-routines.patch +parisc-fix-kernel-crash-with-reversed-copy_from_user.patch +parisc-unbreak-handling-exceptions-from-kernel-modules.patch +alsa-timer-use-mod_timer-for-rearming-the-system-timer.patch +alsa-hda-asus-n750jv-external-subwoofer-fixup.patch +alsa-hda-fix-white-noise-on-asus-n750jv-headphone.patch +alsa-hda-apply-fix-for-white-noise-on-asus-n550jv-too.patch +mm-fix-invalid-node-in-alloc_migrate_target.patch +powerpc-mm-fixup-preempt-underflow-with-huge-pages.patch +libnvdimm-fix-smart-data-retrieval.patch +libnvdimm-pfn-fix-uuid-validation.patch +compiler-gcc-disable-ftracer-for-__noclone-functions.patch +arm64-opcodes.h-add-arm-big-endian-config-options-before-including-arm-header.patch