From: Greg Kroah-Hartman Date: Wed, 28 Sep 2016 08:37:54 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.7.6~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7387643b5564054fa5abcb4de7bb8665827bf438;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: hostfs-freeing-an-err_ptr-in-hostfs_fill_sb_common.patch pm-hibernate-fix-rtree_next_node-to-avoid-walking-off-list-ends.patch pm-hibernate-restore-processor-state-before-using-per-cpu-variables.patch power-supply-max17042_battery-fix-model-download-bug.patch power_supply-tps65217-charger-fix-missing-platform_set_drvdata.patch qxl-check-for-kmap-failures.patch --- diff --git a/queue-4.4/hostfs-freeing-an-err_ptr-in-hostfs_fill_sb_common.patch b/queue-4.4/hostfs-freeing-an-err_ptr-in-hostfs_fill_sb_common.patch new file mode 100644 index 00000000000..49cd8fe7c85 --- /dev/null +++ b/queue-4.4/hostfs-freeing-an-err_ptr-in-hostfs_fill_sb_common.patch @@ -0,0 +1,37 @@ +From 8a545f185145e3c09348cd74326268ecfc6715a3 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 13 Jul 2016 13:12:34 +0300 +Subject: hostfs: Freeing an ERR_PTR in hostfs_fill_sb_common() + +From: Dan Carpenter + +commit 8a545f185145e3c09348cd74326268ecfc6715a3 upstream. + +We can't pass error pointers to kfree() or it causes an oops. + +Fixes: 52b209f7b848 ('get rid of hostfs_read_inode()') +Signed-off-by: Dan Carpenter +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/hostfs/hostfs_kern.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/fs/hostfs/hostfs_kern.c ++++ b/fs/hostfs/hostfs_kern.c +@@ -959,10 +959,11 @@ static int hostfs_fill_sb_common(struct + + if (S_ISLNK(root_inode->i_mode)) { + char *name = follow_link(host_root_path); +- if (IS_ERR(name)) ++ if (IS_ERR(name)) { + err = PTR_ERR(name); +- else +- err = read_name(root_inode, name); ++ goto out_put; ++ } ++ err = read_name(root_inode, name); + kfree(name); + if (err) + goto out_put; diff --git a/queue-4.4/pm-hibernate-fix-rtree_next_node-to-avoid-walking-off-list-ends.patch b/queue-4.4/pm-hibernate-fix-rtree_next_node-to-avoid-walking-off-list-ends.patch new file mode 100644 index 00000000000..90f316b5e08 --- /dev/null +++ b/queue-4.4/pm-hibernate-fix-rtree_next_node-to-avoid-walking-off-list-ends.patch @@ -0,0 +1,109 @@ +From 924d8696751c4b9e58263bc82efdafcf875596a6 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Tue, 16 Aug 2016 10:46:38 +0100 +Subject: PM / hibernate: Fix rtree_next_node() to avoid walking off list ends + +From: James Morse + +commit 924d8696751c4b9e58263bc82efdafcf875596a6 upstream. + +rtree_next_node() walks the linked list of leaf nodes to find the next +block of pages in the struct memory_bitmap. If it walks off the end of +the list of nodes, it walks the list of memory zones to find the next +region of memory. If it walks off the end of the list of zones, it +returns false. + +This leaves the struct bm_position's node and zone pointers pointing +at their respective struct list_heads in struct mem_zone_bm_rtree. + +memory_bm_find_bit() uses struct bm_position's node and zone pointers +to avoid walking lists and trees if the next bit appears in the same +node/zone. It handles these values being stale. + +Swap rtree_next_node()s 'step then test' to 'test-next then step', +this means if we reach the end of memory we return false and leave +the node and zone pointers as they were. + +This fixes a panic on resume using AMD Seattle with 64K pages: +[ 6.868732] Freezing user space processes ... (elapsed 0.000 seconds) done. +[ 6.875753] Double checking all user space processes after OOM killer disable... (elapsed 0.000 seconds) +[ 6.896453] PM: Using 3 thread(s) for decompression. +[ 6.896453] PM: Loading and decompressing image data (5339 pages)... +[ 7.318890] PM: Image loading progress: 0% +[ 7.323395] Unable to handle kernel paging request at virtual address 00800040 +[ 7.330611] pgd = ffff000008df0000 +[ 7.334003] [00800040] *pgd=00000083fffe0003, *pud=00000083fffe0003, *pmd=00000083fffd0003, *pte=0000000000000000 +[ 7.344266] Internal error: Oops: 96000005 [#1] PREEMPT SMP +[ 7.349825] Modules linked in: +[ 7.352871] CPU: 2 PID: 1 Comm: swapper/0 Tainted: G W I 4.8.0-rc1 #4737 +[ 7.360512] Hardware name: AMD Overdrive/Supercharger/Default string, BIOS ROD1002C 04/08/2016 +[ 7.369109] task: ffff8003c0220000 task.stack: ffff8003c0280000 +[ 7.375020] PC is at set_bit+0x18/0x30 +[ 7.378758] LR is at memory_bm_set_bit+0x24/0x30 +[ 7.383362] pc : [] lr : [] pstate: 60000045 +[ 7.390743] sp : ffff8003c0283b00 +[ 7.473551] +[ 7.475031] Process swapper/0 (pid: 1, stack limit = 0xffff8003c0280020) +[ 7.481718] Stack: (0xffff8003c0283b00 to 0xffff8003c0284000) +[ 7.800075] Call trace: +[ 7.887097] [] set_bit+0x18/0x30 +[ 7.891876] [] duplicate_memory_bitmap.constprop.38+0x54/0x70 +[ 7.899172] [] snapshot_write_next+0x22c/0x47c +[ 7.905166] [] load_image_lzo+0x754/0xa88 +[ 7.910725] [] swsusp_read+0x144/0x230 +[ 7.916025] [] load_image_and_restore+0x58/0x90 +[ 7.922105] [] software_resume+0x2f0/0x338 +[ 7.927752] [] do_one_initcall+0x38/0x11c +[ 7.933314] [] kernel_init_freeable+0x14c/0x1ec +[ 7.939395] [] kernel_init+0x10/0xfc +[ 7.944520] [] ret_from_fork+0x10/0x40 +[ 7.949820] Code: d2800022 8b400c21 f9800031 9ac32043 (c85f7c22) +[ 7.955909] ---[ end trace 0024a5986e6ff323 ]--- +[ 7.960529] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b + +Here struct mem_zone_bm_rtree's start_pfn has been returned instead of +struct rtree_node's addr as the node/zone pointers are corrupt after +we walked off the end of the lists during mark_unsafe_pages(). + +This behaviour was exposed by commit 6dbecfd345a6 ("PM / hibernate: +Simplify mark_unsafe_pages()"), which caused mark_unsafe_pages() to call +duplicate_memory_bitmap(), which uses memory_bm_find_bit() after walking +off the end of the memory bitmap. + +Fixes: 3a20cb177961 (PM / Hibernate: Implement position keeping in radix tree) +Signed-off-by: James Morse +[ rjw: Subject ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/power/snapshot.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/kernel/power/snapshot.c ++++ b/kernel/power/snapshot.c +@@ -765,9 +765,9 @@ static bool memory_bm_pfn_present(struct + */ + static bool rtree_next_node(struct memory_bitmap *bm) + { +- bm->cur.node = list_entry(bm->cur.node->list.next, +- struct rtree_node, list); +- if (&bm->cur.node->list != &bm->cur.zone->leaves) { ++ if (!list_is_last(&bm->cur.node->list, &bm->cur.zone->leaves)) { ++ bm->cur.node = list_entry(bm->cur.node->list.next, ++ struct rtree_node, list); + bm->cur.node_pfn += BM_BITS_PER_BLOCK; + bm->cur.node_bit = 0; + touch_softlockup_watchdog(); +@@ -775,9 +775,9 @@ static bool rtree_next_node(struct memor + } + + /* No more nodes, goto next zone */ +- bm->cur.zone = list_entry(bm->cur.zone->list.next, ++ if (!list_is_last(&bm->cur.zone->list, &bm->zones)) { ++ bm->cur.zone = list_entry(bm->cur.zone->list.next, + struct mem_zone_bm_rtree, list); +- if (&bm->cur.zone->list != &bm->zones) { + bm->cur.node = list_entry(bm->cur.zone->leaves.next, + struct rtree_node, list); + bm->cur.node_pfn = 0; diff --git a/queue-4.4/pm-hibernate-restore-processor-state-before-using-per-cpu-variables.patch b/queue-4.4/pm-hibernate-restore-processor-state-before-using-per-cpu-variables.patch new file mode 100644 index 00000000000..b36098ea339 --- /dev/null +++ b/queue-4.4/pm-hibernate-restore-processor-state-before-using-per-cpu-variables.patch @@ -0,0 +1,48 @@ +From 62822e2ec4ad091ba31f823f577ef80db52e3c2c Mon Sep 17 00:00:00 2001 +From: Thomas Garnier +Date: Thu, 11 Aug 2016 14:49:29 -0700 +Subject: PM / hibernate: Restore processor state before using per-CPU variables + +From: Thomas Garnier + +commit 62822e2ec4ad091ba31f823f577ef80db52e3c2c upstream. + +Restore the processor state before calling any other functions to +ensure per-CPU variables can be used with KASLR memory randomization. + +Tracing functions use per-CPU variables (GS based on x86) and one was +called just before restoring the processor state fully. It resulted +in a double fault when both the tracing & the exception handler +functions tried to use a per-CPU variable. + +Fixes: bb3632c6101b (PM / sleep: trace events for suspend/resume) +Reported-and-tested-by: Borislav Petkov +Reported-by: Jiri Kosina +Tested-by: Rafael J. Wysocki +Tested-by: Jiri Kosina +Signed-off-by: Thomas Garnier +Acked-by: Pavel Machek +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/power/hibernate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -299,12 +299,12 @@ static int create_image(int platform_mod + save_processor_state(); + trace_suspend_resume(TPS("machine_suspend"), PM_EVENT_HIBERNATE, true); + error = swsusp_arch_suspend(); ++ /* Restore control flow magically appears here */ ++ restore_processor_state(); + trace_suspend_resume(TPS("machine_suspend"), PM_EVENT_HIBERNATE, false); + if (error) + printk(KERN_ERR "PM: Error %d creating hibernation image\n", + error); +- /* Restore control flow magically appears here */ +- restore_processor_state(); + if (!in_suspend) + events_check_enabled = false; + diff --git a/queue-4.4/power-supply-max17042_battery-fix-model-download-bug.patch b/queue-4.4/power-supply-max17042_battery-fix-model-download-bug.patch new file mode 100644 index 00000000000..7f9d6989845 --- /dev/null +++ b/queue-4.4/power-supply-max17042_battery-fix-model-download-bug.patch @@ -0,0 +1,75 @@ +From 5381cfb6f0422da24cfa9da35b0433c0415830e0 Mon Sep 17 00:00:00 2001 +From: Sven Van Asbroeck +Date: Fri, 12 Aug 2016 09:10:27 -0400 +Subject: power: supply: max17042_battery: fix model download bug. + +From: Sven Van Asbroeck + +commit 5381cfb6f0422da24cfa9da35b0433c0415830e0 upstream. + +The device's model download function returns the model data as +an array of u32s, which is later compared to the reference +model data. However, since the latter is an array of u16s, +the comparison does not happen correctly, and model verification +fails. This in turn breaks the POR initialization sequence. + +Fixes: 39e7213edc4f3 ("max17042_battery: Support regmap to access device's registers") +Reported-by: Dan Carpenter +Signed-off-by: Sven Van Asbroeck +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/max17042_battery.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/power/max17042_battery.c ++++ b/drivers/power/max17042_battery.c +@@ -457,13 +457,16 @@ static inline void max17042_write_model_ + } + + static inline void max17042_read_model_data(struct max17042_chip *chip, +- u8 addr, u32 *data, int size) ++ u8 addr, u16 *data, int size) + { + struct regmap *map = chip->regmap; + int i; ++ u32 tmp; + +- for (i = 0; i < size; i++) +- regmap_read(map, addr + i, &data[i]); ++ for (i = 0; i < size; i++) { ++ regmap_read(map, addr + i, &tmp); ++ data[i] = (u16)tmp; ++ } + } + + static inline int max17042_model_data_compare(struct max17042_chip *chip, +@@ -486,7 +489,7 @@ static int max17042_init_model(struct ma + { + int ret; + int table_size = ARRAY_SIZE(chip->pdata->config_data->cell_char_tbl); +- u32 *temp_data; ++ u16 *temp_data; + + temp_data = kcalloc(table_size, sizeof(*temp_data), GFP_KERNEL); + if (!temp_data) +@@ -501,7 +504,7 @@ static int max17042_init_model(struct ma + ret = max17042_model_data_compare( + chip, + chip->pdata->config_data->cell_char_tbl, +- (u16 *)temp_data, ++ temp_data, + table_size); + + max10742_lock_model(chip); +@@ -514,7 +517,7 @@ static int max17042_verify_model_lock(st + { + int i; + int table_size = ARRAY_SIZE(chip->pdata->config_data->cell_char_tbl); +- u32 *temp_data; ++ u16 *temp_data; + int ret = 0; + + temp_data = kcalloc(table_size, sizeof(*temp_data), GFP_KERNEL); diff --git a/queue-4.4/power_supply-tps65217-charger-fix-missing-platform_set_drvdata.patch b/queue-4.4/power_supply-tps65217-charger-fix-missing-platform_set_drvdata.patch new file mode 100644 index 00000000000..e80bb41daba --- /dev/null +++ b/queue-4.4/power_supply-tps65217-charger-fix-missing-platform_set_drvdata.patch @@ -0,0 +1,33 @@ +From 33e7664a0af6e9a516f01014f39737aaa119b6d9 Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Tue, 26 Jul 2016 14:49:04 +0000 +Subject: power_supply: tps65217-charger: fix missing platform_set_drvdata() + +From: Wei Yongjun + +commit 33e7664a0af6e9a516f01014f39737aaa119b6d9 upstream. + +Add missing platform_set_drvdata() in tps65217_charger_probe(), otherwise +calling platform_get_drvdata() in remove returns NULL. + +This is detected by Coccinelle semantic patch. + +Fixes: 3636859b280c ("power_supply: Add support for tps65217-charger") +Signed-off-by: Wei Yongjun +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/tps65217_charger.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/power/tps65217_charger.c ++++ b/drivers/power/tps65217_charger.c +@@ -205,6 +205,7 @@ static int tps65217_charger_probe(struct + if (!charger) + return -ENOMEM; + ++ platform_set_drvdata(pdev, charger); + charger->tps = tps; + charger->dev = &pdev->dev; + diff --git a/queue-4.4/qxl-check-for-kmap-failures.patch b/queue-4.4/qxl-check-for-kmap-failures.patch new file mode 100644 index 00000000000..a027592b394 --- /dev/null +++ b/queue-4.4/qxl-check-for-kmap-failures.patch @@ -0,0 +1,32 @@ +From f4cceb2affcd1285d4ce498089e8a79f4cd2fa66 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 11 Jul 2016 11:46:33 +0300 +Subject: qxl: check for kmap failures + +From: Dan Carpenter + +commit f4cceb2affcd1285d4ce498089e8a79f4cd2fa66 upstream. + +If kmap fails, it leads to memory corruption. + +Fixes: f64122c1f6ad ('drm: add new QXL driver. (v1.4)') +Signed-off-by: Dan Carpenter +Signed-off-by: Daniel Vetter +Link: http://patchwork.freedesktop.org/patch/msgid/20160711084633.GA31411@mwanda +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/qxl/qxl_draw.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/qxl/qxl_draw.c ++++ b/drivers/gpu/drm/qxl/qxl_draw.c +@@ -136,6 +136,8 @@ static int qxl_palette_create_1bit(struc + * correctly globaly, since that would require + * tracking all of our palettes. */ + ret = qxl_bo_kmap(palette_bo, (void **)&pal); ++ if (ret) ++ return ret; + pal->num_ents = 2; + pal->unique = unique++; + if (visual == FB_VISUAL_TRUECOLOR || visual == FB_VISUAL_DIRECTCOLOR) { diff --git a/queue-4.4/series b/queue-4.4/series index a2f9e8e81ac..90eefc7b62c 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -65,3 +65,9 @@ mips-remove-compact-branch-policy-kconfig-entries.patch mips-avoid-a-bug-warning-during-prctl-pr_set_fp_mode.patch mips-add-a-missing-.set-pop-in-an-early-commit.patch mips-paravirt-fix-undefined-reference-to-smp_bootstrap.patch +pm-hibernate-restore-processor-state-before-using-per-cpu-variables.patch +pm-hibernate-fix-rtree_next_node-to-avoid-walking-off-list-ends.patch +power_supply-tps65217-charger-fix-missing-platform_set_drvdata.patch +power-supply-max17042_battery-fix-model-download-bug.patch +qxl-check-for-kmap-failures.patch +hostfs-freeing-an-err_ptr-in-hostfs_fill_sb_common.patch