From: Greg Kroah-Hartman Date: Thu, 22 Sep 2016 15:41:36 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.4.22~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=596791dcd72a6d946b8587ae935543296c7f11c8;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alpha-fix-copy_from_user.patch arc-uaccess-get_user-to-zero-out-dest-in-cause-of-fault.patch asm-generic-make-copy_from_user-zero-the-destination-properly.patch asm-generic-make-get_user-clear-the-destination-on-errors.patch avr32-fix-copy_from_user.patch blackfin-fix-copy_from_user.patch cris-buggered-copy_from_user-copy_to_user-clear_user.patch drm-atmel-hlcdc-fix-vertical-scaling.patch drm-i915-avoid-pointer-arithmetic-in-calculating-plane-surface-offset.patch drm-only-use-compat-ioctl-for-addfb2-on-x86-ia64.patch fix-iov_iter_fault_in_readable.patch fix-minor-infoleak-in-get_user_ex.patch frv-fix-clear_user.patch genirq-provide-irq_gc_-lock_irqsave-unlock_irqrestore-helpers.patch gma500-remove-annoying-deprecation-warning.patch hexagon-fix-strncpy_from_user-error-return.patch irqchip-atmel-aic-fix-potential-deadlock-in-xlate.patch kconfig-tinyconfig-provide-whole-choice-blocks-to-avoid-warnings.patch m32r-fix-__get_user.patch metag-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch microblaze-fix-__get_user.patch microblaze-fix-copy_from_user.patch mips-copy_from_user-must-zero-the-destination-on-access_ok-failure.patch mmc-dw_mmc-use-resource_size_t-to-store-physical-address.patch mn10300-copy_from_user-should-zero-on-access_ok-failure.patch mn10300-failing-__get_user-and-get_user-should-zero.patch mpssd-fix-buffer-overflow-warning.patch net-simplify-napi_synchronize-to-avoid-warnings.patch nios2-copy_from_user-should-zero-the-tail-of-destination.patch nios2-fix-__get_user.patch openrisc-fix-copy_from_user.patch parisc-fix-copy_from_user.patch pinctrl-at91-pio4-use-pr-format-string-for-resource.patch s390-get_user-should-zero-on-failure.patch score-fix-__get_user-get_user.patch score-fix-copy_from_user-and-friends.patch sh-fix-copy_from_user.patch sh64-failing-__get_user-should-zero.patch soc-qcom-spm-shut-up-uninitialized-variable-warning.patch --- diff --git a/queue-4.4/alpha-fix-copy_from_user.patch b/queue-4.4/alpha-fix-copy_from_user.patch new file mode 100644 index 00000000000..4ee7f3bfdd0 --- /dev/null +++ b/queue-4.4/alpha-fix-copy_from_user.patch @@ -0,0 +1,61 @@ +From 2561d309dfd1555e781484af757ed0115035ddb3 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Wed, 17 Aug 2016 16:02:32 -0400 +Subject: alpha: fix copy_from_user() + +From: Al Viro + +commit 2561d309dfd1555e781484af757ed0115035ddb3 upstream. + +it should clear the destination even when access_ok() fails. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/alpha/include/asm/uaccess.h | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +--- a/arch/alpha/include/asm/uaccess.h ++++ b/arch/alpha/include/asm/uaccess.h +@@ -371,14 +371,6 @@ __copy_tofrom_user_nocheck(void *to, con + return __cu_len; + } + +-extern inline long +-__copy_tofrom_user(void *to, const void *from, long len, const void __user *validate) +-{ +- if (__access_ok((unsigned long)validate, len, get_fs())) +- len = __copy_tofrom_user_nocheck(to, from, len); +- return len; +-} +- + #define __copy_to_user(to, from, n) \ + ({ \ + __chk_user_ptr(to); \ +@@ -393,17 +385,22 @@ __copy_tofrom_user(void *to, const void + #define __copy_to_user_inatomic __copy_to_user + #define __copy_from_user_inatomic __copy_from_user + +- + extern inline long + copy_to_user(void __user *to, const void *from, long n) + { +- return __copy_tofrom_user((__force void *)to, from, n, to); ++ if (likely(__access_ok((unsigned long)to, n, get_fs()))) ++ n = __copy_tofrom_user_nocheck((__force void *)to, from, n); ++ return n; + } + + extern inline long + copy_from_user(void *to, const void __user *from, long n) + { +- return __copy_tofrom_user(to, (__force void *)from, n, from); ++ if (likely(__access_ok((unsigned long)from, n, get_fs()))) ++ n = __copy_tofrom_user_nocheck(to, (__force void *)from, n); ++ else ++ memset(to, 0, n); ++ return n; + } + + extern void __do_clear_user(void); diff --git a/queue-4.4/arc-uaccess-get_user-to-zero-out-dest-in-cause-of-fault.patch b/queue-4.4/arc-uaccess-get_user-to-zero-out-dest-in-cause-of-fault.patch new file mode 100644 index 00000000000..945663fe43a --- /dev/null +++ b/queue-4.4/arc-uaccess-get_user-to-zero-out-dest-in-cause-of-fault.patch @@ -0,0 +1,69 @@ +From 05d9d0b96e53c52a113fd783c0c97c830c8dc7af Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Fri, 19 Aug 2016 12:10:02 -0700 +Subject: ARC: uaccess: get_user to zero out dest in cause of fault + +From: Vineet Gupta + +commit 05d9d0b96e53c52a113fd783c0c97c830c8dc7af upstream. + +Al reported potential issue with ARC get_user() as it wasn't clearing +out destination pointer in case of fault due to bad address etc. + +Verified using following + +| { +| u32 bogus1 = 0xdeadbeef; +| u64 bogus2 = 0xdead; +| int rc1, rc2; +| +| pr_info("Orig values %x %llx\n", bogus1, bogus2); +| rc1 = get_user(bogus1, (u32 __user *)0x40000000); +| rc2 = get_user(bogus2, (u64 __user *)0x50000000); +| pr_info("access %d %d, new values %x %llx\n", +| rc1, rc2, bogus1, bogus2); +| } + +| [ARCLinux]# insmod /mnt/kernel-module/qtn.ko +| Orig values deadbeef dead +| access -14 -14, new values 0 0 + +Reported-by: Al Viro +Cc: Linus Torvalds +Cc: linux-snps-arc@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Vineet Gupta +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/uaccess.h | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/arch/arc/include/asm/uaccess.h ++++ b/arch/arc/include/asm/uaccess.h +@@ -83,7 +83,10 @@ + "2: ;nop\n" \ + " .section .fixup, \"ax\"\n" \ + " .align 4\n" \ +- "3: mov %0, %3\n" \ ++ "3: # return -EFAULT\n" \ ++ " mov %0, %3\n" \ ++ " # zero out dst ptr\n" \ ++ " mov %1, 0\n" \ + " j 2b\n" \ + " .previous\n" \ + " .section __ex_table, \"a\"\n" \ +@@ -101,7 +104,11 @@ + "2: ;nop\n" \ + " .section .fixup, \"ax\"\n" \ + " .align 4\n" \ +- "3: mov %0, %3\n" \ ++ "3: # return -EFAULT\n" \ ++ " mov %0, %3\n" \ ++ " # zero out dst ptr\n" \ ++ " mov %1, 0\n" \ ++ " mov %R1, 0\n" \ + " j 2b\n" \ + " .previous\n" \ + " .section __ex_table, \"a\"\n" \ diff --git a/queue-4.4/asm-generic-make-copy_from_user-zero-the-destination-properly.patch b/queue-4.4/asm-generic-make-copy_from_user-zero-the-destination-properly.patch new file mode 100644 index 00000000000..fcef00ee61a --- /dev/null +++ b/queue-4.4/asm-generic-make-copy_from_user-zero-the-destination-properly.patch @@ -0,0 +1,42 @@ +From 2545e5da080b4839dd859e3b09343a884f6ab0e3 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Wed, 17 Aug 2016 16:36:37 -0400 +Subject: asm-generic: make copy_from_user() zero the destination properly + +From: Al Viro + +commit 2545e5da080b4839dd859e3b09343a884f6ab0e3 upstream. + +... in all cases, including the failing access_ok() + +Note that some architectures using asm-generic/uaccess.h have +__copy_from_user() not zeroing the tail on failure halfway +through. This variant works either way. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + include/asm-generic/uaccess.h | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/include/asm-generic/uaccess.h ++++ b/include/asm-generic/uaccess.h +@@ -261,11 +261,13 @@ extern int __get_user_bad(void) __attrib + static inline long copy_from_user(void *to, + const void __user * from, unsigned long n) + { ++ unsigned long res = n; + might_fault(); +- if (access_ok(VERIFY_READ, from, n)) +- return __copy_from_user(to, from, n); +- else +- return n; ++ if (likely(access_ok(VERIFY_READ, from, n))) ++ res = __copy_from_user(to, from, n); ++ if (unlikely(res)) ++ memset(to + (n - res), 0, res); ++ return res; + } + + static inline long copy_to_user(void __user *to, diff --git a/queue-4.4/asm-generic-make-get_user-clear-the-destination-on-errors.patch b/queue-4.4/asm-generic-make-get_user-clear-the-destination-on-errors.patch new file mode 100644 index 00000000000..cec6362e5a2 --- /dev/null +++ b/queue-4.4/asm-generic-make-get_user-clear-the-destination-on-errors.patch @@ -0,0 +1,42 @@ +From 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Wed, 17 Aug 2016 23:19:01 -0400 +Subject: asm-generic: make get_user() clear the destination on errors + +From: Al Viro + +commit 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa upstream. + +both for access_ok() failures and for faults halfway through + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + include/asm-generic/uaccess.h | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/include/asm-generic/uaccess.h ++++ b/include/asm-generic/uaccess.h +@@ -230,14 +230,18 @@ extern int __put_user_bad(void) __attrib + might_fault(); \ + access_ok(VERIFY_READ, __p, sizeof(*ptr)) ? \ + __get_user((x), (__typeof__(*(ptr)) *)__p) : \ +- -EFAULT; \ ++ ((x) = (__typeof__(*(ptr)))0,-EFAULT); \ + }) + + #ifndef __get_user_fn + static inline int __get_user_fn(size_t size, const void __user *ptr, void *x) + { +- size = __copy_from_user(x, ptr, size); +- return size ? -EFAULT : size; ++ size_t n = __copy_from_user(x, ptr, size); ++ if (unlikely(n)) { ++ memset(x + (size - n), 0, n); ++ return -EFAULT; ++ } ++ return 0; + } + + #define __get_user_fn(sz, u, k) __get_user_fn(sz, u, k) diff --git a/queue-4.4/avr32-fix-copy_from_user.patch b/queue-4.4/avr32-fix-copy_from_user.patch new file mode 100644 index 00000000000..3570fb1670f --- /dev/null +++ b/queue-4.4/avr32-fix-copy_from_user.patch @@ -0,0 +1,76 @@ +From 8630c32275bac2de6ffb8aea9d9b11663e7ad28e Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 9 Sep 2016 19:28:23 -0400 +Subject: avr32: fix copy_from_user() + +From: Al Viro + +commit 8630c32275bac2de6ffb8aea9d9b11663e7ad28e upstream. + +really ugly, but apparently avr32 compilers turns access_ok() into +something so bad that they want it in assembler. Left that way, +zeroing added in inline wrapper. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/avr32/include/asm/uaccess.h | 11 ++++++++++- + arch/avr32/kernel/avr32_ksyms.c | 2 +- + arch/avr32/lib/copy_user.S | 4 ++-- + 3 files changed, 13 insertions(+), 4 deletions(-) + +--- a/arch/avr32/include/asm/uaccess.h ++++ b/arch/avr32/include/asm/uaccess.h +@@ -74,7 +74,7 @@ extern __kernel_size_t __copy_user(void + + extern __kernel_size_t copy_to_user(void __user *to, const void *from, + __kernel_size_t n); +-extern __kernel_size_t copy_from_user(void *to, const void __user *from, ++extern __kernel_size_t ___copy_from_user(void *to, const void __user *from, + __kernel_size_t n); + + static inline __kernel_size_t __copy_to_user(void __user *to, const void *from, +@@ -88,6 +88,15 @@ static inline __kernel_size_t __copy_fro + { + return __copy_user(to, (const void __force *)from, n); + } ++static inline __kernel_size_t copy_from_user(void *to, ++ const void __user *from, ++ __kernel_size_t n) ++{ ++ size_t res = ___copy_from_user(to, from, n); ++ if (unlikely(res)) ++ memset(to + (n - res), 0, res); ++ return res; ++} + + #define __copy_to_user_inatomic __copy_to_user + #define __copy_from_user_inatomic __copy_from_user +--- a/arch/avr32/kernel/avr32_ksyms.c ++++ b/arch/avr32/kernel/avr32_ksyms.c +@@ -36,7 +36,7 @@ EXPORT_SYMBOL(copy_page); + /* + * Userspace access stuff. + */ +-EXPORT_SYMBOL(copy_from_user); ++EXPORT_SYMBOL(___copy_from_user); + EXPORT_SYMBOL(copy_to_user); + EXPORT_SYMBOL(__copy_user); + EXPORT_SYMBOL(strncpy_from_user); +--- a/arch/avr32/lib/copy_user.S ++++ b/arch/avr32/lib/copy_user.S +@@ -25,11 +25,11 @@ + .align 1 + .global copy_from_user + .type copy_from_user, @function +-copy_from_user: ++___copy_from_user: + branch_if_kernel r8, __copy_user + ret_if_privileged r8, r11, r10, r10 + rjmp __copy_user +- .size copy_from_user, . - copy_from_user ++ .size ___copy_from_user, . - ___copy_from_user + + .global copy_to_user + .type copy_to_user, @function diff --git a/queue-4.4/blackfin-fix-copy_from_user.patch b/queue-4.4/blackfin-fix-copy_from_user.patch new file mode 100644 index 00000000000..b875ebc5f98 --- /dev/null +++ b/queue-4.4/blackfin-fix-copy_from_user.patch @@ -0,0 +1,35 @@ +From 8f035983dd826d7e04f67b28acf8e2f08c347e41 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 9 Sep 2016 19:16:58 -0400 +Subject: blackfin: fix copy_from_user() + +From: Al Viro + +commit 8f035983dd826d7e04f67b28acf8e2f08c347e41 upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/blackfin/include/asm/uaccess.h | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/arch/blackfin/include/asm/uaccess.h ++++ b/arch/blackfin/include/asm/uaccess.h +@@ -177,11 +177,12 @@ static inline int bad_user_access_length + static inline unsigned long __must_check + copy_from_user(void *to, const void __user *from, unsigned long n) + { +- if (access_ok(VERIFY_READ, from, n)) ++ if (likely(access_ok(VERIFY_READ, from, n))) { + memcpy(to, (const void __force *)from, n); +- else +- return n; +- return 0; ++ return 0; ++ } ++ memset(to, 0, n); ++ return n; + } + + static inline unsigned long __must_check diff --git a/queue-4.4/cris-buggered-copy_from_user-copy_to_user-clear_user.patch b/queue-4.4/cris-buggered-copy_from_user-copy_to_user-clear_user.patch new file mode 100644 index 00000000000..fec55c197b5 --- /dev/null +++ b/queue-4.4/cris-buggered-copy_from_user-copy_to_user-clear_user.patch @@ -0,0 +1,131 @@ +From eb47e0293baaa3044022059f1fa9ff474bfe35cb Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 18 Aug 2016 19:34:00 -0400 +Subject: cris: buggered copy_from_user/copy_to_user/clear_user + +From: Al Viro + +commit eb47e0293baaa3044022059f1fa9ff474bfe35cb upstream. + +* copy_from_user() on access_ok() failure ought to zero the destination +* none of those primitives should skip the access_ok() check in case of +small constant size. + +Acked-by: Jesper Nilsson +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/cris/include/asm/uaccess.h | 75 ++++++++++++++++++---------------------- + 1 file changed, 34 insertions(+), 41 deletions(-) + +--- a/arch/cris/include/asm/uaccess.h ++++ b/arch/cris/include/asm/uaccess.h +@@ -194,30 +194,6 @@ extern unsigned long __copy_user(void __ + extern unsigned long __copy_user_zeroing(void *to, const void __user *from, unsigned long n); + extern unsigned long __do_clear_user(void __user *to, unsigned long n); + +-static inline unsigned long +-__generic_copy_to_user(void __user *to, const void *from, unsigned long n) +-{ +- if (access_ok(VERIFY_WRITE, to, n)) +- return __copy_user(to, from, n); +- return n; +-} +- +-static inline unsigned long +-__generic_copy_from_user(void *to, const void __user *from, unsigned long n) +-{ +- if (access_ok(VERIFY_READ, from, n)) +- return __copy_user_zeroing(to, from, n); +- return n; +-} +- +-static inline unsigned long +-__generic_clear_user(void __user *to, unsigned long n) +-{ +- if (access_ok(VERIFY_WRITE, to, n)) +- return __do_clear_user(to, n); +- return n; +-} +- + static inline long + __strncpy_from_user(char *dst, const char __user *src, long count) + { +@@ -282,7 +258,7 @@ __constant_copy_from_user(void *to, cons + else if (n == 24) + __asm_copy_from_user_24(to, from, ret); + else +- ret = __generic_copy_from_user(to, from, n); ++ ret = __copy_user_zeroing(to, from, n); + + return ret; + } +@@ -333,7 +309,7 @@ __constant_copy_to_user(void __user *to, + else if (n == 24) + __asm_copy_to_user_24(to, from, ret); + else +- ret = __generic_copy_to_user(to, from, n); ++ ret = __copy_user(to, from, n); + + return ret; + } +@@ -366,26 +342,43 @@ __constant_clear_user(void __user *to, u + else if (n == 24) + __asm_clear_24(to, ret); + else +- ret = __generic_clear_user(to, n); ++ ret = __do_clear_user(to, n); + + return ret; + } + + +-#define clear_user(to, n) \ +- (__builtin_constant_p(n) ? \ +- __constant_clear_user(to, n) : \ +- __generic_clear_user(to, n)) +- +-#define copy_from_user(to, from, n) \ +- (__builtin_constant_p(n) ? \ +- __constant_copy_from_user(to, from, n) : \ +- __generic_copy_from_user(to, from, n)) +- +-#define copy_to_user(to, from, n) \ +- (__builtin_constant_p(n) ? \ +- __constant_copy_to_user(to, from, n) : \ +- __generic_copy_to_user(to, from, n)) ++static inline size_t clear_user(void __user *to, size_t n) ++{ ++ if (unlikely(!access_ok(VERIFY_WRITE, to, n))) ++ return n; ++ if (__builtin_constant_p(n)) ++ return __constant_clear_user(to, n); ++ else ++ return __do_clear_user(to, n); ++} ++ ++static inline size_t copy_from_user(void *to, const void __user *from, size_t n) ++{ ++ if (unlikely(!access_ok(VERIFY_READ, from, n))) { ++ memset(to, 0, n); ++ return n; ++ } ++ if (__builtin_constant_p(n)) ++ return __constant_copy_from_user(to, from, n); ++ else ++ return __copy_user_zeroing(to, from, n); ++} ++ ++static inline size_t copy_to_user(void __user *to, const void *from, size_t n) ++{ ++ if (unlikely(!access_ok(VERIFY_WRITE, to, n))) ++ return n; ++ if (__builtin_constant_p(n)) ++ return __constant_copy_to_user(to, from, n); ++ else ++ return __copy_user(to, from, n); ++} + + /* We let the __ versions of copy_from/to_user inline, because they're often + * used in fast paths and have only a small space overhead. diff --git a/queue-4.4/drm-atmel-hlcdc-fix-vertical-scaling.patch b/queue-4.4/drm-atmel-hlcdc-fix-vertical-scaling.patch new file mode 100644 index 00000000000..476a0585d32 --- /dev/null +++ b/queue-4.4/drm-atmel-hlcdc-fix-vertical-scaling.patch @@ -0,0 +1,51 @@ +From d31ed3f05763644840c654a384eaefa94c097ba2 Mon Sep 17 00:00:00 2001 +From: Jan Leupold +Date: Wed, 6 Jul 2016 13:22:35 +0200 +Subject: drm: atmel-hlcdc: Fix vertical scaling + +From: Jan Leupold + +commit d31ed3f05763644840c654a384eaefa94c097ba2 upstream. + +The code is applying the same scaling for the X and Y components, +thus making the scaling feature only functional when both components +have the same scaling factor. + +Do the s/_w/_h/ replacement where appropriate to fix vertical scaling. + +Signed-off-by: Jan Leupold +Fixes: 1a396789f65a2 ("drm: add Atmel HLCDC Display Controller support") +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c ++++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c +@@ -316,19 +316,19 @@ atmel_hlcdc_plane_update_pos_and_size(st + u32 *coeff_tab = heo_upscaling_ycoef; + u32 max_memsize; + +- if (state->crtc_w < state->src_w) ++ if (state->crtc_h < state->src_h) + coeff_tab = heo_downscaling_ycoef; + for (i = 0; i < ARRAY_SIZE(heo_upscaling_ycoef); i++) + atmel_hlcdc_layer_update_cfg(&plane->layer, + 33 + i, + 0xffffffff, + coeff_tab[i]); +- factor = ((8 * 256 * state->src_w) - (256 * 4)) / +- state->crtc_w; ++ factor = ((8 * 256 * state->src_h) - (256 * 4)) / ++ state->crtc_h; + factor++; +- max_memsize = ((factor * state->crtc_w) + (256 * 4)) / ++ max_memsize = ((factor * state->crtc_h) + (256 * 4)) / + 2048; +- if (max_memsize > state->src_w) ++ if (max_memsize > state->src_h) + factor--; + factor_reg |= (factor << 16) | 0x80000000; + } diff --git a/queue-4.4/drm-i915-avoid-pointer-arithmetic-in-calculating-plane-surface-offset.patch b/queue-4.4/drm-i915-avoid-pointer-arithmetic-in-calculating-plane-surface-offset.patch new file mode 100644 index 00000000000..de5193014b8 --- /dev/null +++ b/queue-4.4/drm-i915-avoid-pointer-arithmetic-in-calculating-plane-surface-offset.patch @@ -0,0 +1,106 @@ +From 44eb0cb9620c6a53ec8e7073262e2af8079b727f Mon Sep 17 00:00:00 2001 +From: Mika Kuoppala +Date: Fri, 30 Oct 2015 13:26:15 +0200 +Subject: drm/i915: Avoid pointer arithmetic in calculating plane surface offset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mika Kuoppala + +commit 44eb0cb9620c6a53ec8e7073262e2af8079b727f upstream. + +VMA offsets are 64 bits. Plane surface offsets are in ggtt and +the hardware register to set this is thus 32 bits. Be explicit +about these and convert carefully to from vma to final size. + +This will make sparse happy by not creating 32bit pointers out +of 64bit vma offsets. + +Cc: Tvrtko Ursulin +Signed-off-by: Mika Kuoppala +Link: http://patchwork.freedesktop.org/patch/msgid/1446204375-29831-1-git-send-email-mika.kuoppala@intel.com +Reviewed-by: Tvrtko Ursulin +Signed-off-by: Ville Syrjälä +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_display.c | 16 +++++++++------- + drivers/gpu/drm/i915/intel_drv.h | 6 +++--- + drivers/gpu/drm/i915/intel_sprite.c | 2 +- + 3 files changed, 13 insertions(+), 11 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -2950,13 +2950,13 @@ u32 intel_fb_stride_alignment(struct drm + } + } + +-unsigned long intel_plane_obj_offset(struct intel_plane *intel_plane, +- struct drm_i915_gem_object *obj, +- unsigned int plane) ++u32 intel_plane_obj_offset(struct intel_plane *intel_plane, ++ struct drm_i915_gem_object *obj, ++ unsigned int plane) + { + const struct i915_ggtt_view *view = &i915_ggtt_view_normal; + struct i915_vma *vma; +- unsigned char *offset; ++ u64 offset; + + if (intel_rotation_90_or_270(intel_plane->base.state->rotation)) + view = &i915_ggtt_view_rotated; +@@ -2966,14 +2966,16 @@ unsigned long intel_plane_obj_offset(str + view->type)) + return -1; + +- offset = (unsigned char *)vma->node.start; ++ offset = vma->node.start; + + if (plane == 1) { + offset += vma->ggtt_view.rotation_info.uv_start_page * + PAGE_SIZE; + } + +- return (unsigned long)offset; ++ WARN_ON(upper_32_bits(offset)); ++ ++ return lower_32_bits(offset); + } + + static void skl_detach_scaler(struct intel_crtc *intel_crtc, int id) +@@ -3099,7 +3101,7 @@ static void skylake_update_primary_plane + u32 tile_height, plane_offset, plane_size; + unsigned int rotation; + int x_offset, y_offset; +- unsigned long surf_addr; ++ u32 surf_addr; + struct intel_crtc_state *crtc_state = intel_crtc->config; + struct intel_plane_state *plane_state; + int src_x = 0, src_y = 0, src_w = 0, src_h = 0; +--- a/drivers/gpu/drm/i915/intel_drv.h ++++ b/drivers/gpu/drm/i915/intel_drv.h +@@ -1177,9 +1177,9 @@ void intel_modeset_preclose(struct drm_d + int skl_update_scaler_crtc(struct intel_crtc_state *crtc_state); + int skl_max_scale(struct intel_crtc *crtc, struct intel_crtc_state *crtc_state); + +-unsigned long intel_plane_obj_offset(struct intel_plane *intel_plane, +- struct drm_i915_gem_object *obj, +- unsigned int plane); ++u32 intel_plane_obj_offset(struct intel_plane *intel_plane, ++ struct drm_i915_gem_object *obj, ++ unsigned int plane); + + u32 skl_plane_ctl_format(uint32_t pixel_format); + u32 skl_plane_ctl_tiling(uint64_t fb_modifier); +--- a/drivers/gpu/drm/i915/intel_sprite.c ++++ b/drivers/gpu/drm/i915/intel_sprite.c +@@ -195,7 +195,7 @@ skl_update_plane(struct drm_plane *drm_p + int pixel_size = drm_format_plane_cpp(fb->pixel_format, 0); + const struct drm_intel_sprite_colorkey *key = + &to_intel_plane_state(drm_plane->state)->ckey; +- unsigned long surf_addr; ++ u32 surf_addr; + u32 tile_height, plane_offset, plane_size; + unsigned int rotation; + int x_offset, y_offset; diff --git a/queue-4.4/drm-only-use-compat-ioctl-for-addfb2-on-x86-ia64.patch b/queue-4.4/drm-only-use-compat-ioctl-for-addfb2-on-x86-ia64.patch new file mode 100644 index 00000000000..7a6e466cf8a --- /dev/null +++ b/queue-4.4/drm-only-use-compat-ioctl-for-addfb2-on-x86-ia64.patch @@ -0,0 +1,59 @@ +From 47a66e45d7a7613322549c2475ea9d809baaf514 Mon Sep 17 00:00:00 2001 +From: "Kristian H. Kristensen" +Date: Tue, 13 Sep 2016 14:20:45 -0700 +Subject: drm: Only use compat ioctl for addfb2 on X86/IA64 + +From: Kristian H. Kristensen + +commit 47a66e45d7a7613322549c2475ea9d809baaf514 upstream. + +Similar to struct drm_update_draw, struct drm_mode_fb_cmd2 has an +unaligned 64 bit field (modifier). This get packed differently between +32 bit and 64 bit modes on architectures that can handle unaligned 64 +bit access (X86 and IA64). Other architectures pack the structs the +same and don't need the compat wrapper. Use the same condition for +drm_mode_fb_cmd2 as we use for drm_update_draw. + +Note that only the modifier will be packed differently between compat +and non-compat versions. + +Reviewed-by: Rob Clark +Signed-off-by: Kristian H. Kristensen +[seanpaul added not at bottom of commit msg re: modifier] +Signed-off-by: Sean Paul +Link: http://patchwork.freedesktop.org/patch/msgid/1473801645-116011-1-git-send-email-hoegsberg@chromium.org +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_ioc32.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/drm_ioc32.c ++++ b/drivers/gpu/drm/drm_ioc32.c +@@ -1015,6 +1015,7 @@ static int compat_drm_wait_vblank(struct + return 0; + } + ++#if defined(CONFIG_X86) || defined(CONFIG_IA64) + typedef struct drm_mode_fb_cmd232 { + u32 fb_id; + u32 width; +@@ -1071,6 +1072,7 @@ static int compat_drm_mode_addfb2(struct + + return 0; + } ++#endif + + static drm_ioctl_compat_t *drm_compat_ioctls[] = { + [DRM_IOCTL_NR(DRM_IOCTL_VERSION32)] = compat_drm_version, +@@ -1104,7 +1106,9 @@ static drm_ioctl_compat_t *drm_compat_io + [DRM_IOCTL_NR(DRM_IOCTL_UPDATE_DRAW32)] = compat_drm_update_draw, + #endif + [DRM_IOCTL_NR(DRM_IOCTL_WAIT_VBLANK32)] = compat_drm_wait_vblank, ++#if defined(CONFIG_X86) || defined(CONFIG_IA64) + [DRM_IOCTL_NR(DRM_IOCTL_MODE_ADDFB232)] = compat_drm_mode_addfb2, ++#endif + }; + + /** diff --git a/queue-4.4/fix-iov_iter_fault_in_readable.patch b/queue-4.4/fix-iov_iter_fault_in_readable.patch new file mode 100644 index 00000000000..dfe08bf46ad --- /dev/null +++ b/queue-4.4/fix-iov_iter_fault_in_readable.patch @@ -0,0 +1,77 @@ +From d4690f1e1cdabb4d61207b6787b1605a0dc0aeab Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 16 Sep 2016 00:11:45 +0100 +Subject: fix iov_iter_fault_in_readable() + +From: Al Viro + +commit d4690f1e1cdabb4d61207b6787b1605a0dc0aeab upstream. + +... by turning it into what used to be multipages counterpart + +Signed-off-by: Al Viro +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/uio.h | 2 +- + lib/iov_iter.c | 24 ++---------------------- + 2 files changed, 3 insertions(+), 23 deletions(-) + +--- a/include/linux/uio.h ++++ b/include/linux/uio.h +@@ -76,7 +76,7 @@ size_t iov_iter_copy_from_user_atomic(st + struct iov_iter *i, unsigned long offset, size_t bytes); + void iov_iter_advance(struct iov_iter *i, size_t bytes); + int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes); +-int iov_iter_fault_in_multipages_readable(struct iov_iter *i, size_t bytes); ++#define iov_iter_fault_in_multipages_readable iov_iter_fault_in_readable + size_t iov_iter_single_seg_count(const struct iov_iter *i); + size_t copy_page_to_iter(struct page *page, size_t offset, size_t bytes, + struct iov_iter *i); +--- a/lib/iov_iter.c ++++ b/lib/iov_iter.c +@@ -298,33 +298,13 @@ done: + } + + /* +- * Fault in the first iovec of the given iov_iter, to a maximum length +- * of bytes. Returns 0 on success, or non-zero if the memory could not be +- * accessed (ie. because it is an invalid address). +- * +- * writev-intensive code may want this to prefault several iovecs -- that +- * would be possible (callers must not rely on the fact that _only_ the +- * first iovec will be faulted with the current implementation). +- */ +-int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes) +-{ +- if (!(i->type & (ITER_BVEC|ITER_KVEC))) { +- char __user *buf = i->iov->iov_base + i->iov_offset; +- bytes = min(bytes, i->iov->iov_len - i->iov_offset); +- return fault_in_pages_readable(buf, bytes); +- } +- return 0; +-} +-EXPORT_SYMBOL(iov_iter_fault_in_readable); +- +-/* + * Fault in one or more iovecs of the given iov_iter, to a maximum length of + * bytes. For each iovec, fault in each page that constitutes the iovec. + * + * Return 0 on success, or non-zero if the memory could not be accessed (i.e. + * because it is an invalid address). + */ +-int iov_iter_fault_in_multipages_readable(struct iov_iter *i, size_t bytes) ++int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes) + { + size_t skip = i->iov_offset; + const struct iovec *iov; +@@ -341,7 +321,7 @@ int iov_iter_fault_in_multipages_readabl + } + return 0; + } +-EXPORT_SYMBOL(iov_iter_fault_in_multipages_readable); ++EXPORT_SYMBOL(iov_iter_fault_in_readable); + + void iov_iter_init(struct iov_iter *i, int direction, + const struct iovec *iov, unsigned long nr_segs, diff --git a/queue-4.4/fix-minor-infoleak-in-get_user_ex.patch b/queue-4.4/fix-minor-infoleak-in-get_user_ex.patch new file mode 100644 index 00000000000..58902da8bc2 --- /dev/null +++ b/queue-4.4/fix-minor-infoleak-in-get_user_ex.patch @@ -0,0 +1,38 @@ +From 1c109fabbd51863475cd12ac206bdd249aee35af Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 15 Sep 2016 02:35:29 +0100 +Subject: fix minor infoleak in get_user_ex() + +From: Al Viro + +commit 1c109fabbd51863475cd12ac206bdd249aee35af upstream. + +get_user_ex(x, ptr) should zero x on failure. It's not a lot of a leak +(at most we are leaking uninitialized 64bit value off the kernel stack, +and in a fairly constrained situation, at that), but the fix is trivial, +so... + +Signed-off-by: Al Viro +[ This sat in different branch from the uaccess fixes since mid-August ] +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/uaccess.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/asm/uaccess.h ++++ b/arch/x86/include/asm/uaccess.h +@@ -394,7 +394,11 @@ do { \ + #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \ + asm volatile("1: mov"itype" %1,%"rtype"0\n" \ + "2:\n" \ +- _ASM_EXTABLE_EX(1b, 2b) \ ++ ".section .fixup,\"ax\"\n" \ ++ "3:xor"itype" %"rtype"0,%"rtype"0\n" \ ++ " jmp 2b\n" \ ++ ".previous\n" \ ++ _ASM_EXTABLE_EX(1b, 3b) \ + : ltype(x) : "m" (__m(addr))) + + #define __put_user_nocheck(x, ptr, size) \ diff --git a/queue-4.4/frv-fix-clear_user.patch b/queue-4.4/frv-fix-clear_user.patch new file mode 100644 index 00000000000..af0736778fc --- /dev/null +++ b/queue-4.4/frv-fix-clear_user.patch @@ -0,0 +1,50 @@ +From 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 18 Aug 2016 20:54:02 -0400 +Subject: frv: fix clear_user() + +From: Al Viro + +commit 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 upstream. + +It should check access_ok(). Otherwise a bunch of places turn into +trivially exploitable rootholes. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/frv/include/asm/uaccess.h | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/arch/frv/include/asm/uaccess.h ++++ b/arch/frv/include/asm/uaccess.h +@@ -263,19 +263,25 @@ do { \ + extern long __memset_user(void *dst, unsigned long count); + extern long __memcpy_user(void *dst, const void *src, unsigned long count); + +-#define clear_user(dst,count) __memset_user(____force(dst), (count)) ++#define __clear_user(dst,count) __memset_user(____force(dst), (count)) + #define __copy_from_user_inatomic(to, from, n) __memcpy_user((to), ____force(from), (n)) + #define __copy_to_user_inatomic(to, from, n) __memcpy_user(____force(to), (from), (n)) + + #else + +-#define clear_user(dst,count) (memset(____force(dst), 0, (count)), 0) ++#define __clear_user(dst,count) (memset(____force(dst), 0, (count)), 0) + #define __copy_from_user_inatomic(to, from, n) (memcpy((to), ____force(from), (n)), 0) + #define __copy_to_user_inatomic(to, from, n) (memcpy(____force(to), (from), (n)), 0) + + #endif + +-#define __clear_user clear_user ++static inline unsigned long __must_check ++clear_user(void __user *to, unsigned long n) ++{ ++ if (likely(__access_ok(to, n))) ++ n = __clear_user(to, n); ++ return n; ++} + + static inline unsigned long __must_check + __copy_to_user(void __user *to, const void *from, unsigned long n) diff --git a/queue-4.4/genirq-provide-irq_gc_-lock_irqsave-unlock_irqrestore-helpers.patch b/queue-4.4/genirq-provide-irq_gc_-lock_irqsave-unlock_irqrestore-helpers.patch new file mode 100644 index 00000000000..d371c18c6dc --- /dev/null +++ b/queue-4.4/genirq-provide-irq_gc_-lock_irqsave-unlock_irqrestore-helpers.patch @@ -0,0 +1,53 @@ +From ebf9ff753c041b296241990aef76163bbb2cc9c8 Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Tue, 13 Sep 2016 15:58:28 +0200 +Subject: genirq: Provide irq_gc_{lock_irqsave,unlock_irqrestore}() helpers + +From: Boris Brezillon + +commit ebf9ff753c041b296241990aef76163bbb2cc9c8 upstream. + +Some irqchip drivers need to take the generic chip lock outside of the +irq context. + +Provide the irq_gc_{lock_irqsave,unlock_irqrestore}() helpers to allow +one to disable irqs while entering a critical section protected by +gc->lock. + +Note that we do not provide optimized version of these helpers for !SMP, +because they are not called from the hot-path. + +[ tglx: Added a comment when these helpers should be [not] used ] + +Signed-off-by: Boris Brezillon +Cc: Jason Cooper +Cc: Marc Zyngier +Cc: Nicolas Ferre +Cc: Alexandre Belloni +Link: http://lkml.kernel.org/r/1473775109-4192-1-git-send-email-boris.brezillon@free-electrons.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/irq.h | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/include/linux/irq.h ++++ b/include/linux/irq.h +@@ -916,6 +916,16 @@ static inline void irq_gc_lock(struct ir + static inline void irq_gc_unlock(struct irq_chip_generic *gc) { } + #endif + ++/* ++ * The irqsave variants are for usage in non interrupt code. Do not use ++ * them in irq_chip callbacks. Use irq_gc_lock() instead. ++ */ ++#define irq_gc_lock_irqsave(gc, flags) \ ++ raw_spin_lock_irqsave(&(gc)->lock, flags) ++ ++#define irq_gc_unlock_irqrestore(gc, flags) \ ++ raw_spin_unlock_irqrestore(&(gc)->lock, flags) ++ + static inline void irq_reg_writel(struct irq_chip_generic *gc, + u32 val, int reg_offset) + { diff --git a/queue-4.4/gma500-remove-annoying-deprecation-warning.patch b/queue-4.4/gma500-remove-annoying-deprecation-warning.patch new file mode 100644 index 00000000000..c4a9d43cfd2 --- /dev/null +++ b/queue-4.4/gma500-remove-annoying-deprecation-warning.patch @@ -0,0 +1,42 @@ +From 166c5a6ef765653848161e6f4af81c05e4b3ecf6 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Mon, 4 Apr 2016 12:38:46 -0700 +Subject: gma500: remove annoying deprecation warning + +From: Linus Torvalds + +commit 166c5a6ef765653848161e6f4af81c05e4b3ecf6 upstream. + +In commit e45708976aea ("drm/dp-helper: Move the legacy helpers to +gma500") the legacy i2c helpers were moved to the only remaining user of +them, the gma500 driver. Together with that move, i2c_dp_aux_add_bus() +was marked deprecated and started warning about its remaining use. + +It's now been a year and a half of annoying warning, and apparently +nobody cares enough about gma500 to try to move it along to the more +modern models. + +Get rid of the warning - if even the gma500 people don't care enough, +then they should certainly not spam other innocent developers with a +warning that might hide other, much more real issues. + +Cc: Daniel Vetter +Cc: Alan Cox +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/gma500/cdv_intel_dp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/gma500/cdv_intel_dp.c ++++ b/drivers/gpu/drm/gma500/cdv_intel_dp.c +@@ -220,7 +220,7 @@ i2c_dp_aux_prepare_bus(struct i2c_adapte + * FIXME: This is the old dp aux helper, gma500 is the last driver that needs to + * be ported over to the new helper code in drm_dp_helper.c like i915 or radeon. + */ +-static int __deprecated ++static int + i2c_dp_aux_add_bus(struct i2c_adapter *adapter) + { + int error; diff --git a/queue-4.4/hexagon-fix-strncpy_from_user-error-return.patch b/queue-4.4/hexagon-fix-strncpy_from_user-error-return.patch new file mode 100644 index 00000000000..35b033a9572 --- /dev/null +++ b/queue-4.4/hexagon-fix-strncpy_from_user-error-return.patch @@ -0,0 +1,32 @@ +From f35c1e0671728d1c9abc405d05ef548b5fcb2fc4 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 18 Aug 2016 21:16:49 -0400 +Subject: hexagon: fix strncpy_from_user() error return + +From: Al Viro + +commit f35c1e0671728d1c9abc405d05ef548b5fcb2fc4 upstream. + +It's -EFAULT, not -1 (and contrary to the comment in there, +__strnlen_user() can return 0 - on faults). + +Acked-by: Richard Kuo +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/hexagon/include/asm/uaccess.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/hexagon/include/asm/uaccess.h ++++ b/arch/hexagon/include/asm/uaccess.h +@@ -103,7 +103,8 @@ static inline long hexagon_strncpy_from_ + { + long res = __strnlen_user(src, n); + +- /* return from strnlen can't be zero -- that would be rubbish. */ ++ if (unlikely(!res)) ++ return -EFAULT; + + if (res > n) { + copy_from_user(dst, src, n); diff --git a/queue-4.4/irqchip-atmel-aic-fix-potential-deadlock-in-xlate.patch b/queue-4.4/irqchip-atmel-aic-fix-potential-deadlock-in-xlate.patch new file mode 100644 index 00000000000..a461598a08f --- /dev/null +++ b/queue-4.4/irqchip-atmel-aic-fix-potential-deadlock-in-xlate.patch @@ -0,0 +1,83 @@ +From 5eb0d6eb3fac3daa60d9190eed9fa41cf809c756 Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Tue, 13 Sep 2016 15:58:29 +0200 +Subject: irqchip/atmel-aic: Fix potential deadlock in ->xlate() + +From: Boris Brezillon + +commit 5eb0d6eb3fac3daa60d9190eed9fa41cf809c756 upstream. + +aic5_irq_domain_xlate() and aic_irq_domain_xlate() take the generic chip +lock without disabling interrupts, which can lead to a deadlock if an +interrupt occurs while the lock is held in one of these functions. + +Replace irq_gc_{lock,unlock}() calls by +irq_gc_{lock_irqsave,unlock_irqrestore}() ones to prevent this bug from +happening. + +Fixes: b1479ebb7720 ("irqchip: atmel-aic: Add atmel AIC/AIC5 drivers") +Signed-off-by: Boris Brezillon +Acked-by: Marc Zyngier +Cc: Jason Cooper +Cc: Nicolas Ferre +Cc: Alexandre Belloni +Link: http://lkml.kernel.org/r/1473775109-4192-2-git-send-email-boris.brezillon@free-electrons.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-atmel-aic.c | 5 +++-- + drivers/irqchip/irq-atmel-aic5.c | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/irqchip/irq-atmel-aic.c ++++ b/drivers/irqchip/irq-atmel-aic.c +@@ -176,6 +176,7 @@ static int aic_irq_domain_xlate(struct i + { + struct irq_domain_chip_generic *dgc = d->gc; + struct irq_chip_generic *gc; ++ unsigned long flags; + unsigned smr; + int idx; + int ret; +@@ -194,12 +195,12 @@ static int aic_irq_domain_xlate(struct i + + gc = dgc->gc[idx]; + +- irq_gc_lock(gc); ++ irq_gc_lock_irqsave(gc, flags); + smr = irq_reg_readl(gc, AT91_AIC_SMR(*out_hwirq)); + ret = aic_common_set_priority(intspec[2], &smr); + if (!ret) + irq_reg_writel(gc, smr, AT91_AIC_SMR(*out_hwirq)); +- irq_gc_unlock(gc); ++ irq_gc_unlock_irqrestore(gc, flags); + + return ret; + } +--- a/drivers/irqchip/irq-atmel-aic5.c ++++ b/drivers/irqchip/irq-atmel-aic5.c +@@ -258,6 +258,7 @@ static int aic5_irq_domain_xlate(struct + unsigned int *out_type) + { + struct irq_chip_generic *bgc = irq_get_domain_generic_chip(d, 0); ++ unsigned long flags; + unsigned smr; + int ret; + +@@ -269,13 +270,13 @@ static int aic5_irq_domain_xlate(struct + if (ret) + return ret; + +- irq_gc_lock(bgc); ++ irq_gc_lock_irqsave(bgc, flags); + irq_reg_writel(bgc, *out_hwirq, AT91_AIC5_SSR); + smr = irq_reg_readl(bgc, AT91_AIC5_SMR); + ret = aic_common_set_priority(intspec[2], &smr); + if (!ret) + irq_reg_writel(bgc, intspec[2] | smr, AT91_AIC5_SMR); +- irq_gc_unlock(bgc); ++ irq_gc_unlock_irqrestore(bgc, flags); + + return ret; + } diff --git a/queue-4.4/kconfig-tinyconfig-provide-whole-choice-blocks-to-avoid-warnings.patch b/queue-4.4/kconfig-tinyconfig-provide-whole-choice-blocks-to-avoid-warnings.patch new file mode 100644 index 00000000000..b8063c16ea6 --- /dev/null +++ b/queue-4.4/kconfig-tinyconfig-provide-whole-choice-blocks-to-avoid-warnings.patch @@ -0,0 +1,71 @@ +From 236dec051078a8691950f56949612b4b74107e48 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 1 Sep 2016 16:14:47 -0700 +Subject: kconfig: tinyconfig: provide whole choice blocks to avoid warnings + +From: Arnd Bergmann + +commit 236dec051078a8691950f56949612b4b74107e48 upstream. + +Using "make tinyconfig" produces a couple of annoying warnings that show +up for build test machines all the time: + + .config:966:warning: override: NOHIGHMEM changes choice state + .config:965:warning: override: SLOB changes choice state + .config:963:warning: override: KERNEL_XZ changes choice state + .config:962:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state + .config:933:warning: override: SLOB changes choice state + .config:930:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state + .config:870:warning: override: SLOB changes choice state + .config:868:warning: override: KERNEL_XZ changes choice state + .config:867:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state + +I've made a previous attempt at fixing them and we discussed a number of +alternatives. + +I tried changing the Makefile to use "merge_config.sh -n +$(fragment-list)" but couldn't get that to work properly. + +This is yet another approach, based on the observation that we do want +to see a warning for conflicting 'choice' options, and that we can +simply make them non-conflicting by listing all other options as +disabled. This is a trivial patch that we can apply independent of +plans for other changes. + +Link: http://lkml.kernel.org/r/20160829214952.1334674-2-arnd@arndb.de +Link: https://storage.kernelci.org/mainline/v4.7-rc6/x86-tinyconfig/build.log +https://patchwork.kernel.org/patch/9212749/ +Signed-off-by: Arnd Bergmann +Reviewed-by: Josh Triplett +Reviewed-by: Masahiro Yamada +Acked-by: Ingo Molnar +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/configs/tiny.config | 2 ++ + kernel/configs/tiny.config | 8 ++++++++ + 2 files changed, 10 insertions(+) + +--- a/arch/x86/configs/tiny.config ++++ b/arch/x86/configs/tiny.config +@@ -1 +1,3 @@ + CONFIG_NOHIGHMEM=y ++# CONFIG_HIGHMEM4G is not set ++# CONFIG_HIGHMEM64G is not set +--- a/kernel/configs/tiny.config ++++ b/kernel/configs/tiny.config +@@ -1,4 +1,12 @@ ++# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set + CONFIG_CC_OPTIMIZE_FOR_SIZE=y ++# CONFIG_KERNEL_GZIP is not set ++# CONFIG_KERNEL_BZIP2 is not set ++# CONFIG_KERNEL_LZMA is not set + CONFIG_KERNEL_XZ=y ++# CONFIG_KERNEL_LZO is not set ++# CONFIG_KERNEL_LZ4 is not set + CONFIG_OPTIMIZE_INLINING=y ++# CONFIG_SLAB is not set ++# CONFIG_SLUB is not set + CONFIG_SLOB=y diff --git a/queue-4.4/m32r-fix-__get_user.patch b/queue-4.4/m32r-fix-__get_user.patch new file mode 100644 index 00000000000..0aaaa2d7895 --- /dev/null +++ b/queue-4.4/m32r-fix-__get_user.patch @@ -0,0 +1,27 @@ +From c90a3bc5061d57e7931a9b7ad14784e1a0ed497d Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 9 Sep 2016 19:20:13 -0400 +Subject: m32r: fix __get_user() + +From: Al Viro + +commit c90a3bc5061d57e7931a9b7ad14784e1a0ed497d upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/m32r/include/asm/uaccess.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/m32r/include/asm/uaccess.h ++++ b/arch/m32r/include/asm/uaccess.h +@@ -219,7 +219,7 @@ extern int fixup_exception(struct pt_reg + #define __get_user_nocheck(x, ptr, size) \ + ({ \ + long __gu_err = 0; \ +- unsigned long __gu_val; \ ++ unsigned long __gu_val = 0; \ + might_fault(); \ + __get_user_size(__gu_val, (ptr), (size), __gu_err); \ + (x) = (__force __typeof__(*(ptr)))__gu_val; \ diff --git a/queue-4.4/metag-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch b/queue-4.4/metag-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch new file mode 100644 index 00000000000..f0ba8e984f9 --- /dev/null +++ b/queue-4.4/metag-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch @@ -0,0 +1,30 @@ +From 8ae95ed4ae5fc7c3391ed668b2014c9e2079533b Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 18 Aug 2016 22:08:20 -0400 +Subject: metag: copy_from_user() should zero the destination on access_ok() failure + +From: Al Viro + +commit 8ae95ed4ae5fc7c3391ed668b2014c9e2079533b upstream. + +Acked-by: James Hogan +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/metag/include/asm/uaccess.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/metag/include/asm/uaccess.h ++++ b/arch/metag/include/asm/uaccess.h +@@ -204,8 +204,9 @@ extern unsigned long __must_check __copy + static inline unsigned long + copy_from_user(void *to, const void __user *from, unsigned long n) + { +- if (access_ok(VERIFY_READ, from, n)) ++ if (likely(access_ok(VERIFY_READ, from, n))) + return __copy_user_zeroing(to, from, n); ++ memset(to, 0, n); + return n; + } + diff --git a/queue-4.4/microblaze-fix-__get_user.patch b/queue-4.4/microblaze-fix-__get_user.patch new file mode 100644 index 00000000000..49bd3a91b11 --- /dev/null +++ b/queue-4.4/microblaze-fix-__get_user.patch @@ -0,0 +1,27 @@ +From e98b9e37ae04562d52c96f46b3cf4c2e80222dc1 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 9 Sep 2016 19:23:33 -0400 +Subject: microblaze: fix __get_user() + +From: Al Viro + +commit e98b9e37ae04562d52c96f46b3cf4c2e80222dc1 upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/microblaze/include/asm/uaccess.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/microblaze/include/asm/uaccess.h ++++ b/arch/microblaze/include/asm/uaccess.h +@@ -227,7 +227,7 @@ extern long __user_bad(void); + + #define __get_user(x, ptr) \ + ({ \ +- unsigned long __gu_val; \ ++ unsigned long __gu_val = 0; \ + /*unsigned long __gu_ptr = (unsigned long)(ptr);*/ \ + long __gu_err; \ + switch (sizeof(*(ptr))) { \ diff --git a/queue-4.4/microblaze-fix-copy_from_user.patch b/queue-4.4/microblaze-fix-copy_from_user.patch new file mode 100644 index 00000000000..ca35ef4997e --- /dev/null +++ b/queue-4.4/microblaze-fix-copy_from_user.patch @@ -0,0 +1,35 @@ +From d0cf385160c12abd109746cad1f13e3b3e8b50b8 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 9 Sep 2016 19:22:34 -0400 +Subject: microblaze: fix copy_from_user() + +From: Al Viro + +commit d0cf385160c12abd109746cad1f13e3b3e8b50b8 upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/microblaze/include/asm/uaccess.h | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/arch/microblaze/include/asm/uaccess.h ++++ b/arch/microblaze/include/asm/uaccess.h +@@ -373,10 +373,13 @@ extern long __user_bad(void); + static inline long copy_from_user(void *to, + const void __user *from, unsigned long n) + { ++ unsigned long res = n; + might_fault(); +- if (access_ok(VERIFY_READ, from, n)) +- return __copy_from_user(to, from, n); +- return n; ++ if (likely(access_ok(VERIFY_READ, from, n))) ++ res = __copy_from_user(to, from, n); ++ if (unlikely(res)) ++ memset(to + (n - res), 0, res); ++ return res; + } + + #define __copy_to_user(to, from, n) \ diff --git a/queue-4.4/mips-copy_from_user-must-zero-the-destination-on-access_ok-failure.patch b/queue-4.4/mips-copy_from_user-must-zero-the-destination-on-access_ok-failure.patch new file mode 100644 index 00000000000..0aae213be41 --- /dev/null +++ b/queue-4.4/mips-copy_from_user-must-zero-the-destination-on-access_ok-failure.patch @@ -0,0 +1,35 @@ +From e69d700535ac43a18032b3c399c69bf4639e89a2 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 20 Aug 2016 16:18:53 -0400 +Subject: mips: copy_from_user() must zero the destination on access_ok() failure + +From: Al Viro + +commit e69d700535ac43a18032b3c399c69bf4639e89a2 upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/uaccess.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/mips/include/asm/uaccess.h ++++ b/arch/mips/include/asm/uaccess.h +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + + /* +@@ -1170,6 +1171,8 @@ extern size_t __copy_in_user_eva(void *_ + __cu_len = __invoke_copy_from_user(__cu_to, \ + __cu_from, \ + __cu_len); \ ++ } else { \ ++ memset(__cu_to, 0, __cu_len); \ + } \ + } \ + __cu_len; \ diff --git a/queue-4.4/mmc-dw_mmc-use-resource_size_t-to-store-physical-address.patch b/queue-4.4/mmc-dw_mmc-use-resource_size_t-to-store-physical-address.patch new file mode 100644 index 00000000000..b3df3682e02 --- /dev/null +++ b/queue-4.4/mmc-dw_mmc-use-resource_size_t-to-store-physical-address.patch @@ -0,0 +1,70 @@ +From 260b31643691e8a58683a4ccc3bdf7abfd86f54a Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 12 Nov 2015 15:14:23 +0100 +Subject: mmc: dw_mmc: use resource_size_t to store physical address + +From: Arnd Bergmann + +commit 260b31643691e8a58683a4ccc3bdf7abfd86f54a upstream. + +The dw_mmc driver stores the physical address of the MMIO registers +in a pointer, which requires the use of type casts, and is actually +broken if anyone ever has this device on a 32-bit SoC in registers +above 4GB. Gcc warns about this possibility when the driver is built +with ARM LPAE enabled: + +mmc/host/dw_mmc.c: In function 'dw_mci_edmac_start_dma': +mmc/host/dw_mmc.c:702:17: warning: cast from pointer to integer of different size + cfg.dst_addr = (dma_addr_t)(host->phy_regs + fifo_offset); + ^ +mmc/host/dw_mmc-pltfm.c: In function 'dw_mci_pltfm_register': +mmc/host/dw_mmc-pltfm.c:63:19: warning: cast to pointer from integer of different size + host->phy_regs = (void *)(regs->start); + +This changes the code to use resource_size_t, which gets rid of the +warning, the bug and the useless casts. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Jaehoon Chung +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/dw_mmc-pltfm.c | 2 +- + drivers/mmc/host/dw_mmc.c | 2 +- + include/linux/mmc/dw_mmc.h | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/mmc/host/dw_mmc-pltfm.c ++++ b/drivers/mmc/host/dw_mmc-pltfm.c +@@ -60,7 +60,7 @@ int dw_mci_pltfm_register(struct platfor + + regs = platform_get_resource(pdev, IORESOURCE_MEM, 0); + /* Get registers' physical base address */ +- host->phy_regs = (void *)(regs->start); ++ host->phy_regs = regs->start; + host->regs = devm_ioremap_resource(&pdev->dev, regs); + if (IS_ERR(host->regs)) + return PTR_ERR(host->regs); +--- a/drivers/mmc/host/dw_mmc.c ++++ b/drivers/mmc/host/dw_mmc.c +@@ -699,7 +699,7 @@ static int dw_mci_edmac_start_dma(struct + int ret = 0; + + /* Set external dma config: burst size, burst width */ +- cfg.dst_addr = (dma_addr_t)(host->phy_regs + fifo_offset); ++ cfg.dst_addr = host->phy_regs + fifo_offset; + cfg.src_addr = cfg.dst_addr; + cfg.dst_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; + cfg.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; +--- a/include/linux/mmc/dw_mmc.h ++++ b/include/linux/mmc/dw_mmc.h +@@ -172,7 +172,7 @@ struct dw_mci { + /* For edmac */ + struct dw_mci_dma_slave *dms; + /* Registers's physical base address */ +- void *phy_regs; ++ resource_size_t phy_regs; + + u32 cmd_status; + u32 data_status; diff --git a/queue-4.4/mn10300-copy_from_user-should-zero-on-access_ok-failure.patch b/queue-4.4/mn10300-copy_from_user-should-zero-on-access_ok-failure.patch new file mode 100644 index 00000000000..41262a11cf5 --- /dev/null +++ b/queue-4.4/mn10300-copy_from_user-should-zero-on-access_ok-failure.patch @@ -0,0 +1,36 @@ +From ae7cc577ec2a4a6151c9e928fd1f595d953ecef1 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 20 Aug 2016 16:33:10 -0400 +Subject: mn10300: copy_from_user() should zero on access_ok() failure... + +From: Al Viro + +commit ae7cc577ec2a4a6151c9e928fd1f595d953ecef1 upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mn10300/lib/usercopy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/mn10300/lib/usercopy.c ++++ b/arch/mn10300/lib/usercopy.c +@@ -9,7 +9,7 @@ + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ +-#include ++#include + + unsigned long + __generic_copy_to_user(void *to, const void *from, unsigned long n) +@@ -24,6 +24,8 @@ __generic_copy_from_user(void *to, const + { + if (access_ok(VERIFY_READ, from, n)) + __copy_user_zeroing(to, from, n); ++ else ++ memset(to, 0, n); + return n; + } + diff --git a/queue-4.4/mn10300-failing-__get_user-and-get_user-should-zero.patch b/queue-4.4/mn10300-failing-__get_user-and-get_user-should-zero.patch new file mode 100644 index 00000000000..4a9d54bf30d --- /dev/null +++ b/queue-4.4/mn10300-failing-__get_user-and-get_user-should-zero.patch @@ -0,0 +1,26 @@ +From 43403eabf558d2800b429cd886e996fd555aa542 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 20 Aug 2016 16:32:02 -0400 +Subject: mn10300: failing __get_user() and get_user() should zero + +From: Al Viro + +commit 43403eabf558d2800b429cd886e996fd555aa542 upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mn10300/include/asm/uaccess.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/mn10300/include/asm/uaccess.h ++++ b/arch/mn10300/include/asm/uaccess.h +@@ -181,6 +181,7 @@ struct __large_struct { unsigned long bu + "2:\n" \ + " .section .fixup,\"ax\"\n" \ + "3:\n\t" \ ++ " mov 0,%1\n" \ + " mov %3,%0\n" \ + " jmp 2b\n" \ + " .previous\n" \ diff --git a/queue-4.4/mpssd-fix-buffer-overflow-warning.patch b/queue-4.4/mpssd-fix-buffer-overflow-warning.patch new file mode 100644 index 00000000000..af992cb7eb8 --- /dev/null +++ b/queue-4.4/mpssd-fix-buffer-overflow-warning.patch @@ -0,0 +1,46 @@ +From 3610a2add39365a0f153154c60169a66c616d50f Mon Sep 17 00:00:00 2001 +From: Mike Danese +Date: Thu, 19 May 2016 21:54:51 -0700 +Subject: mpssd: fix buffer overflow warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mike Danese + +commit 3610a2add39365a0f153154c60169a66c616d50f upstream. + +The compilation emits a warning in function ‘snprintf’, + inlined from ‘set_cmdline’ at + ../Documentation/mic/mpssd/mpssd.c:1541:9: +/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: + warning: call to __builtin___snprintf_chk will always overflow + destination buffer + +This was introduced in commit f4a66c204482 ("misc: mic: Update MIC host +daemon with COSM changes") and is fixed by reverting the changes to the +size argument of these snprintf statements. + +Cc: Ashutosh Dixit +Signed-off-by: Mike Danese +Signed-off-by: Jonathan Corbet +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/mic/mpssd/mpssd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/Documentation/mic/mpssd/mpssd.c ++++ b/Documentation/mic/mpssd/mpssd.c +@@ -1538,9 +1538,9 @@ set_cmdline(struct mic_info *mic) + + len = snprintf(buffer, PATH_MAX, + "clocksource=tsc highres=off nohz=off "); +- len += snprintf(buffer + len, PATH_MAX, ++ len += snprintf(buffer + len, PATH_MAX - len, + "cpufreq_on;corec6_off;pc3_off;pc6_off "); +- len += snprintf(buffer + len, PATH_MAX, ++ len += snprintf(buffer + len, PATH_MAX - len, + "ifcfg=static;address,172.31.%d.1;netmask,255.255.255.0", + mic->id + 1); + diff --git a/queue-4.4/net-simplify-napi_synchronize-to-avoid-warnings.patch b/queue-4.4/net-simplify-napi_synchronize-to-avoid-warnings.patch new file mode 100644 index 00000000000..19f6bc8a440 --- /dev/null +++ b/queue-4.4/net-simplify-napi_synchronize-to-avoid-warnings.patch @@ -0,0 +1,68 @@ +From facc432faa59414bd7c60c307ff1645154a66c98 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 22 Jan 2016 11:43:44 +0100 +Subject: net: simplify napi_synchronize() to avoid warnings + +From: Arnd Bergmann + +commit facc432faa59414bd7c60c307ff1645154a66c98 upstream. + +The napi_synchronize() function is defined twice: The definition +for SMP builds waits for other CPUs to be done, while the uniprocessor +variant just contains a barrier and ignores its argument. + +In the mvneta driver, this leads to a warning about an unused variable +when we lookup the NAPI struct of another CPU and then don't use it: + +ethernet/marvell/mvneta.c: In function 'mvneta_percpu_notifier': +ethernet/marvell/mvneta.c:2910:30: error: unused variable 'other_port' [-Werror=unused-variable] + +There are no other CPUs on a UP build, so that code never runs, but +gcc does not know this. + +The nicest solution seems to be to turn the napi_synchronize() helper +into an inline function for the UP case as well, as that leads gcc to +not complain about the argument being unused. Once we do that, we can +also combine the two cases into a single function definition and use +if(IS_ENABLED()) rather than #ifdef to make it look a bit nicer. + +The warning first came up in linux-4.4, but I failed to catch it +earlier. + +Signed-off-by: Arnd Bergmann +Fixes: f86428854480 ("net: mvneta: Statically assign queues to CPUs") +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/netdevice.h | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -511,7 +511,6 @@ static inline void napi_enable(struct na + clear_bit(NAPI_STATE_NPSVC, &n->state); + } + +-#ifdef CONFIG_SMP + /** + * napi_synchronize - wait until NAPI is not running + * @n: napi context +@@ -522,12 +521,12 @@ static inline void napi_enable(struct na + */ + static inline void napi_synchronize(const struct napi_struct *n) + { +- while (test_bit(NAPI_STATE_SCHED, &n->state)) +- msleep(1); ++ if (IS_ENABLED(CONFIG_SMP)) ++ while (test_bit(NAPI_STATE_SCHED, &n->state)) ++ msleep(1); ++ else ++ barrier(); + } +-#else +-# define napi_synchronize(n) barrier() +-#endif + + enum netdev_queue_state_t { + __QUEUE_STATE_DRV_XOFF, diff --git a/queue-4.4/nios2-copy_from_user-should-zero-the-tail-of-destination.patch b/queue-4.4/nios2-copy_from_user-should-zero-the-tail-of-destination.patch new file mode 100644 index 00000000000..5231fb3bbdb --- /dev/null +++ b/queue-4.4/nios2-copy_from_user-should-zero-the-tail-of-destination.patch @@ -0,0 +1,34 @@ +From e33d1f6f72cc82fcfc3d1fb20c9e3ad83b1928fa Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 20 Aug 2016 16:36:36 -0400 +Subject: nios2: copy_from_user() should zero the tail of destination + +From: Al Viro + +commit e33d1f6f72cc82fcfc3d1fb20c9e3ad83b1928fa upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/nios2/include/asm/uaccess.h | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/arch/nios2/include/asm/uaccess.h ++++ b/arch/nios2/include/asm/uaccess.h +@@ -102,9 +102,12 @@ extern long __copy_to_user(void __user * + static inline long copy_from_user(void *to, const void __user *from, + unsigned long n) + { +- if (!access_ok(VERIFY_READ, from, n)) +- return n; +- return __copy_from_user(to, from, n); ++ unsigned long res = n; ++ if (access_ok(VERIFY_READ, from, n)) ++ res = __copy_from_user(to, from, n); ++ if (unlikely(res)) ++ memset(to + (n - res), 0, res); ++ return res; + } + + static inline long copy_to_user(void __user *to, const void *from, diff --git a/queue-4.4/nios2-fix-__get_user.patch b/queue-4.4/nios2-fix-__get_user.patch new file mode 100644 index 00000000000..ffb4b9fd632 --- /dev/null +++ b/queue-4.4/nios2-fix-__get_user.patch @@ -0,0 +1,39 @@ +From 2e29f50ad5e23db37dde9be71410d95d50241ecd Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 20 Aug 2016 16:39:01 -0400 +Subject: nios2: fix __get_user() + +From: Al Viro + +commit 2e29f50ad5e23db37dde9be71410d95d50241ecd upstream. + +a) should not leave crap on fault +b) should _not_ require access_ok() in any cases. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/nios2/include/asm/uaccess.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/nios2/include/asm/uaccess.h ++++ b/arch/nios2/include/asm/uaccess.h +@@ -139,7 +139,7 @@ extern long strnlen_user(const char __us + + #define __get_user_unknown(val, size, ptr, err) do { \ + err = 0; \ +- if (copy_from_user(&(val), ptr, size)) { \ ++ if (__copy_from_user(&(val), ptr, size)) { \ + err = -EFAULT; \ + } \ + } while (0) +@@ -166,7 +166,7 @@ do { \ + ({ \ + long __gu_err = -EFAULT; \ + const __typeof__(*(ptr)) __user *__gu_ptr = (ptr); \ +- unsigned long __gu_val; \ ++ unsigned long __gu_val = 0; \ + __get_user_common(__gu_val, sizeof(*(ptr)), __gu_ptr, __gu_err);\ + (x) = (__force __typeof__(x))__gu_val; \ + __gu_err; \ diff --git a/queue-4.4/openrisc-fix-copy_from_user.patch b/queue-4.4/openrisc-fix-copy_from_user.patch new file mode 100644 index 00000000000..af7021e874e --- /dev/null +++ b/queue-4.4/openrisc-fix-copy_from_user.patch @@ -0,0 +1,77 @@ +From acb2505d0119033a80c85ac8d02dccae41271667 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 20 Aug 2016 17:05:21 -0400 +Subject: openrisc: fix copy_from_user() + +From: Al Viro + +commit acb2505d0119033a80c85ac8d02dccae41271667 upstream. + +... that should zero on faults. Also remove the helpful +logics wrt range truncation copied from ppc32. Where it had ever +been needed only in case of copy_from_user() *and* had not been merged +into the mainline until a month after the need had disappeared. +A decade before openrisc went into mainline, I might add... + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/openrisc/include/asm/uaccess.h | 33 ++++++++++----------------------- + 1 file changed, 10 insertions(+), 23 deletions(-) + +--- a/arch/openrisc/include/asm/uaccess.h ++++ b/arch/openrisc/include/asm/uaccess.h +@@ -273,28 +273,20 @@ __copy_tofrom_user(void *to, const void + static inline unsigned long + copy_from_user(void *to, const void *from, unsigned long n) + { +- unsigned long over; ++ unsigned long res = n; + +- if (access_ok(VERIFY_READ, from, n)) +- return __copy_tofrom_user(to, from, n); +- if ((unsigned long)from < TASK_SIZE) { +- over = (unsigned long)from + n - TASK_SIZE; +- return __copy_tofrom_user(to, from, n - over) + over; +- } +- return n; ++ if (likely(access_ok(VERIFY_READ, from, n))) ++ n = __copy_tofrom_user(to, from, n); ++ if (unlikely(res)) ++ memset(to + (n - res), 0, res); ++ return res; + } + + static inline unsigned long + copy_to_user(void *to, const void *from, unsigned long n) + { +- unsigned long over; +- +- if (access_ok(VERIFY_WRITE, to, n)) +- return __copy_tofrom_user(to, from, n); +- if ((unsigned long)to < TASK_SIZE) { +- over = (unsigned long)to + n - TASK_SIZE; +- return __copy_tofrom_user(to, from, n - over) + over; +- } ++ if (likely(access_ok(VERIFY_WRITE, to, n))) ++ n = __copy_tofrom_user(to, from, n); + return n; + } + +@@ -303,13 +295,8 @@ extern unsigned long __clear_user(void * + static inline __must_check unsigned long + clear_user(void *addr, unsigned long size) + { +- +- if (access_ok(VERIFY_WRITE, addr, size)) +- return __clear_user(addr, size); +- if ((unsigned long)addr < TASK_SIZE) { +- unsigned long over = (unsigned long)addr + size - TASK_SIZE; +- return __clear_user(addr, size - over) + over; +- } ++ if (likely(access_ok(VERIFY_WRITE, addr, size))) ++ size = __clear_user(addr, size); + return size; + } + diff --git a/queue-4.4/parisc-fix-copy_from_user.patch b/queue-4.4/parisc-fix-copy_from_user.patch new file mode 100644 index 00000000000..77e761eab5c --- /dev/null +++ b/queue-4.4/parisc-fix-copy_from_user.patch @@ -0,0 +1,43 @@ +From aace880feea38875fbc919761b77e5732a3659ef Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 20 Aug 2016 19:03:37 -0400 +Subject: parisc: fix copy_from_user() + +From: Al Viro + +commit aace880feea38875fbc919761b77e5732a3659ef upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/include/asm/uaccess.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/parisc/include/asm/uaccess.h ++++ b/arch/parisc/include/asm/uaccess.h +@@ -10,6 +10,7 @@ + #include + + #include ++#include + + #define VERIFY_READ 0 + #define VERIFY_WRITE 1 +@@ -245,13 +246,14 @@ static inline unsigned long __must_check + unsigned long n) + { + int sz = __compiletime_object_size(to); +- int ret = -EFAULT; ++ unsigned long ret = n; + + if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n)) + ret = __copy_from_user(to, from, n); + else + copy_from_user_overflow(); +- ++ if (unlikely(ret)) ++ memset(to + (n - ret), 0, ret); + return ret; + } + diff --git a/queue-4.4/pinctrl-at91-pio4-use-pr-format-string-for-resource.patch b/queue-4.4/pinctrl-at91-pio4-use-pr-format-string-for-resource.patch new file mode 100644 index 00000000000..60b485db112 --- /dev/null +++ b/queue-4.4/pinctrl-at91-pio4-use-pr-format-string-for-resource.patch @@ -0,0 +1,41 @@ +From 32844138e31347fc0f61d3bf2d7b9c4583f189e3 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 18 Nov 2015 16:21:17 +0100 +Subject: pinctrl: at91-pio4: use %pr format string for resource + +From: Arnd Bergmann + +commit 32844138e31347fc0f61d3bf2d7b9c4583f189e3 upstream. + +resource_size_t may be defined as 32 or 64 bit depending on configuration, +so it cannot be printed using the normal format strings, as gcc correctly +warns: + +pinctrl-at91-pio4.c: In function 'atmel_pinctrl_probe': +pinctrl-at91-pio4.c:1003:41: warning: format '%u' expects argument of type 'unsigned int', but argument 5 has type 'resource_size_t {aka long long unsigned int}' [-Wformat=] + dev_dbg(dev, "bank %i: hwirq=%u\n", i, res->start); + +This changes the format string to use the special "%pr" format +string that prints a resource, and changes the arguments so we +the resource structure directly. + +Signed-off-by: Arnd Bergmann +Acked-by: Ludovic Desroches +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/pinctrl-at91-pio4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/pinctrl-at91-pio4.c ++++ b/drivers/pinctrl/pinctrl-at91-pio4.c +@@ -1002,7 +1002,7 @@ static int atmel_pinctrl_probe(struct pl + atmel_pioctrl->irqs[i] = res->start; + irq_set_chained_handler(res->start, atmel_gpio_irq_handler); + irq_set_handler_data(res->start, atmel_pioctrl); +- dev_dbg(dev, "bank %i: hwirq=%u\n", i, res->start); ++ dev_dbg(dev, "bank %i: irq=%pr\n", i, res); + } + + atmel_pioctrl->irq_domain = irq_domain_add_linear(dev->of_node, diff --git a/queue-4.4/s390-get_user-should-zero-on-failure.patch b/queue-4.4/s390-get_user-should-zero-on-failure.patch new file mode 100644 index 00000000000..3544ba7ec7e --- /dev/null +++ b/queue-4.4/s390-get_user-should-zero-on-failure.patch @@ -0,0 +1,51 @@ +From fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 21 Aug 2016 22:00:54 -0400 +Subject: s390: get_user() should zero on failure + +From: Al Viro + +commit fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7 upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/include/asm/uaccess.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/s390/include/asm/uaccess.h ++++ b/arch/s390/include/asm/uaccess.h +@@ -215,28 +215,28 @@ int __put_user_bad(void) __attribute__(( + __chk_user_ptr(ptr); \ + switch (sizeof(*(ptr))) { \ + case 1: { \ +- unsigned char __x; \ ++ unsigned char __x = 0; \ + __gu_err = __get_user_fn(&__x, ptr, \ + sizeof(*(ptr))); \ + (x) = *(__force __typeof__(*(ptr)) *) &__x; \ + break; \ + }; \ + case 2: { \ +- unsigned short __x; \ ++ unsigned short __x = 0; \ + __gu_err = __get_user_fn(&__x, ptr, \ + sizeof(*(ptr))); \ + (x) = *(__force __typeof__(*(ptr)) *) &__x; \ + break; \ + }; \ + case 4: { \ +- unsigned int __x; \ ++ unsigned int __x = 0; \ + __gu_err = __get_user_fn(&__x, ptr, \ + sizeof(*(ptr))); \ + (x) = *(__force __typeof__(*(ptr)) *) &__x; \ + break; \ + }; \ + case 8: { \ +- unsigned long long __x; \ ++ unsigned long long __x = 0; \ + __gu_err = __get_user_fn(&__x, ptr, \ + sizeof(*(ptr))); \ + (x) = *(__force __typeof__(*(ptr)) *) &__x; \ diff --git a/queue-4.4/score-fix-__get_user-get_user.patch b/queue-4.4/score-fix-__get_user-get_user.patch new file mode 100644 index 00000000000..3d9de166cdd --- /dev/null +++ b/queue-4.4/score-fix-__get_user-get_user.patch @@ -0,0 +1,47 @@ +From c2f18fa4cbb3ad92e033a24efa27583978ce9600 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 21 Aug 2016 22:13:39 -0400 +Subject: score: fix __get_user/get_user + +From: Al Viro + +commit c2f18fa4cbb3ad92e033a24efa27583978ce9600 upstream. + +* should zero on any failure +* __get_user() should use __copy_from_user(), not copy_from_user() + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/score/include/asm/uaccess.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/score/include/asm/uaccess.h ++++ b/arch/score/include/asm/uaccess.h +@@ -163,7 +163,7 @@ do { \ + __get_user_asm(val, "lw", ptr); \ + break; \ + case 8: \ +- if ((copy_from_user((void *)&val, ptr, 8)) == 0) \ ++ if (__copy_from_user((void *)&val, ptr, 8) == 0) \ + __gu_err = 0; \ + else \ + __gu_err = -EFAULT; \ +@@ -188,6 +188,8 @@ do { \ + \ + if (likely(access_ok(VERIFY_READ, __gu_ptr, size))) \ + __get_user_common((x), size, __gu_ptr); \ ++ else \ ++ (x) = 0; \ + \ + __gu_err; \ + }) +@@ -201,6 +203,7 @@ do { \ + "2:\n" \ + ".section .fixup,\"ax\"\n" \ + "3:li %0, %4\n" \ ++ "li %1, 0\n" \ + "j 2b\n" \ + ".previous\n" \ + ".section __ex_table,\"a\"\n" \ diff --git a/queue-4.4/score-fix-copy_from_user-and-friends.patch b/queue-4.4/score-fix-copy_from_user-and-friends.patch new file mode 100644 index 00000000000..819f087e2d7 --- /dev/null +++ b/queue-4.4/score-fix-copy_from_user-and-friends.patch @@ -0,0 +1,92 @@ +From b615e3c74621e06cd97f86373ca90d43d6d998aa Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 21 Aug 2016 22:30:44 -0400 +Subject: score: fix copy_from_user() and friends + +From: Al Viro + +commit b615e3c74621e06cd97f86373ca90d43d6d998aa upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/score/include/asm/uaccess.h | 41 +++++++++++++++++++-------------------- + 1 file changed, 20 insertions(+), 21 deletions(-) + +--- a/arch/score/include/asm/uaccess.h ++++ b/arch/score/include/asm/uaccess.h +@@ -301,35 +301,34 @@ extern int __copy_tofrom_user(void *to, + static inline unsigned long + copy_from_user(void *to, const void *from, unsigned long len) + { +- unsigned long over; ++ unsigned long res = len; + +- if (access_ok(VERIFY_READ, from, len)) +- return __copy_tofrom_user(to, from, len); ++ if (likely(access_ok(VERIFY_READ, from, len))) ++ res = __copy_tofrom_user(to, from, len); + +- if ((unsigned long)from < TASK_SIZE) { +- over = (unsigned long)from + len - TASK_SIZE; +- return __copy_tofrom_user(to, from, len - over) + over; +- } +- return len; ++ if (unlikely(res)) ++ memset(to + (len - res), 0, res); ++ ++ return res; + } + + static inline unsigned long + copy_to_user(void *to, const void *from, unsigned long len) + { +- unsigned long over; +- +- if (access_ok(VERIFY_WRITE, to, len)) +- return __copy_tofrom_user(to, from, len); ++ if (likely(access_ok(VERIFY_WRITE, to, len))) ++ len = __copy_tofrom_user(to, from, len); + +- if ((unsigned long)to < TASK_SIZE) { +- over = (unsigned long)to + len - TASK_SIZE; +- return __copy_tofrom_user(to, from, len - over) + over; +- } + return len; + } + +-#define __copy_from_user(to, from, len) \ +- __copy_tofrom_user((to), (from), (len)) ++static inline unsigned long ++__copy_from_user(void *to, const void *from, unsigned long len) ++{ ++ unsigned long left = __copy_tofrom_user(to, from, len); ++ if (unlikely(left)) ++ memset(to + (len - left), 0, left); ++ return left; ++} + + #define __copy_to_user(to, from, len) \ + __copy_tofrom_user((to), (from), (len)) +@@ -343,17 +342,17 @@ __copy_to_user_inatomic(void *to, const + static inline unsigned long + __copy_from_user_inatomic(void *to, const void *from, unsigned long len) + { +- return __copy_from_user(to, from, len); ++ return __copy_tofrom_user(to, from, len); + } + +-#define __copy_in_user(to, from, len) __copy_from_user(to, from, len) ++#define __copy_in_user(to, from, len) __copy_tofrom_user(to, from, len) + + static inline unsigned long + copy_in_user(void *to, const void *from, unsigned long len) + { + if (access_ok(VERIFY_READ, from, len) && + access_ok(VERFITY_WRITE, to, len)) +- return copy_from_user(to, from, len); ++ return __copy_tofrom_user(to, from, len); + } + + /* diff --git a/queue-4.4/series b/queue-4.4/series index 58844676c17..f7bfe2b3e48 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -73,3 +73,42 @@ ath9k-fix-using-sta-drv_priv-before-initializing-it.patch revert-wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch sched-core-fix-a-race-between-try_to_wake_up-and-a-woken-up-task.patch ipv6-addrconf-fix-dev-refcont-leak-when-dad-failed.patch +gma500-remove-annoying-deprecation-warning.patch +mpssd-fix-buffer-overflow-warning.patch +drm-i915-avoid-pointer-arithmetic-in-calculating-plane-surface-offset.patch +mmc-dw_mmc-use-resource_size_t-to-store-physical-address.patch +pinctrl-at91-pio4-use-pr-format-string-for-resource.patch +soc-qcom-spm-shut-up-uninitialized-variable-warning.patch +kconfig-tinyconfig-provide-whole-choice-blocks-to-avoid-warnings.patch +net-simplify-napi_synchronize-to-avoid-warnings.patch +drm-atmel-hlcdc-fix-vertical-scaling.patch +drm-only-use-compat-ioctl-for-addfb2-on-x86-ia64.patch +genirq-provide-irq_gc_-lock_irqsave-unlock_irqrestore-helpers.patch +irqchip-atmel-aic-fix-potential-deadlock-in-xlate.patch +fix-iov_iter_fault_in_readable.patch +microblaze-fix-__get_user.patch +avr32-fix-copy_from_user.patch +microblaze-fix-copy_from_user.patch +fix-minor-infoleak-in-get_user_ex.patch +mn10300-failing-__get_user-and-get_user-should-zero.patch +m32r-fix-__get_user.patch +sh64-failing-__get_user-should-zero.patch +nios2-fix-__get_user.patch +score-fix-__get_user-get_user.patch +s390-get_user-should-zero-on-failure.patch +arc-uaccess-get_user-to-zero-out-dest-in-cause-of-fault.patch +asm-generic-make-get_user-clear-the-destination-on-errors.patch +frv-fix-clear_user.patch +cris-buggered-copy_from_user-copy_to_user-clear_user.patch +blackfin-fix-copy_from_user.patch +score-fix-copy_from_user-and-friends.patch +sh-fix-copy_from_user.patch +hexagon-fix-strncpy_from_user-error-return.patch +mips-copy_from_user-must-zero-the-destination-on-access_ok-failure.patch +asm-generic-make-copy_from_user-zero-the-destination-properly.patch +alpha-fix-copy_from_user.patch +metag-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch +parisc-fix-copy_from_user.patch +openrisc-fix-copy_from_user.patch +nios2-copy_from_user-should-zero-the-tail-of-destination.patch +mn10300-copy_from_user-should-zero-on-access_ok-failure.patch diff --git a/queue-4.4/sh-fix-copy_from_user.patch b/queue-4.4/sh-fix-copy_from_user.patch new file mode 100644 index 00000000000..cd8d5439e43 --- /dev/null +++ b/queue-4.4/sh-fix-copy_from_user.patch @@ -0,0 +1,30 @@ +From 6e050503a150b2126620c1a1e9b3a368fcd51eac Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 21 Aug 2016 23:39:47 -0400 +Subject: sh: fix copy_from_user() + +From: Al Viro + +commit 6e050503a150b2126620c1a1e9b3a368fcd51eac upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sh/include/asm/uaccess.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/sh/include/asm/uaccess.h ++++ b/arch/sh/include/asm/uaccess.h +@@ -151,7 +151,10 @@ copy_from_user(void *to, const void __us + __kernel_size_t __copy_size = (__kernel_size_t) n; + + if (__copy_size && __access_ok(__copy_from, __copy_size)) +- return __copy_user(to, from, __copy_size); ++ __copy_size = __copy_user(to, from, __copy_size); ++ ++ if (unlikely(__copy_size)) ++ memset(to + (n - __copy_size), 0, __copy_size); + + return __copy_size; + } diff --git a/queue-4.4/sh64-failing-__get_user-should-zero.patch b/queue-4.4/sh64-failing-__get_user-should-zero.patch new file mode 100644 index 00000000000..9664f3c0d5b --- /dev/null +++ b/queue-4.4/sh64-failing-__get_user-should-zero.patch @@ -0,0 +1,30 @@ +From c6852389228df9fb3067f94f3b651de2a7921b36 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 21 Aug 2016 23:33:47 -0400 +Subject: sh64: failing __get_user() should zero + +From: Al Viro + +commit c6852389228df9fb3067f94f3b651de2a7921b36 upstream. + +It could be done in exception-handling bits in __get_user_b() et.al., +but the surgery involved would take more knowledge of sh64 details +than I have or _want_ to have. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sh/include/asm/uaccess_64.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/sh/include/asm/uaccess_64.h ++++ b/arch/sh/include/asm/uaccess_64.h +@@ -24,6 +24,7 @@ + #define __get_user_size(x,ptr,size,retval) \ + do { \ + retval = 0; \ ++ x = 0; \ + switch (size) { \ + case 1: \ + retval = __get_user_asm_b((void *)&x, \ diff --git a/queue-4.4/soc-qcom-spm-shut-up-uninitialized-variable-warning.patch b/queue-4.4/soc-qcom-spm-shut-up-uninitialized-variable-warning.patch new file mode 100644 index 00000000000..159c86403a9 --- /dev/null +++ b/queue-4.4/soc-qcom-spm-shut-up-uninitialized-variable-warning.patch @@ -0,0 +1,37 @@ +From 00affcac69c7aae6c2cfcbc71f724e1c16d0b445 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Sun, 17 Jan 2016 01:02:56 +0100 +Subject: soc: qcom/spm: shut up uninitialized variable warning + +From: Arnd Bergmann + +commit 00affcac69c7aae6c2cfcbc71f724e1c16d0b445 upstream. + +gcc warns about the 'found' variable possibly being used uninitialized: + +drivers/soc/qcom/spm.c: In function 'spm_dev_probe': +drivers/soc/qcom/spm.c:305:5: error: 'found' may be used uninitialized in this function [-Werror=maybe-uninitialized] + +However, the code is correct because we know that there is +always at least one online CPU. This initializes the 'found' +variable to zero before the loop so the compiler knows +it does not have to warn about it. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/soc/qcom/spm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/soc/qcom/spm.c ++++ b/drivers/soc/qcom/spm.c +@@ -288,7 +288,7 @@ static struct spm_driver_data *spm_get_d + struct spm_driver_data *drv = NULL; + struct device_node *cpu_node, *saw_node; + int cpu; +- bool found; ++ bool found = 0; + + for_each_possible_cpu(cpu) { + cpu_node = of_cpu_device_node_get(cpu);