From: Greg Kroah-Hartman Date: Mon, 25 Jul 2016 00:29:04 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v4.6.5~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8c7db56ad1a081c7d77bf52e2f6e0a58350aa8eb;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: alsa-au88x0-fix-calculation-in-vortex_wtdma_bufshift.patch alsa-ctl-stop-notification-after-disconnection.patch alsa-dummy-fix-a-use-after-free-at-closing.patch iio-accel-kxsd9-fix-the-usage-of-spi_w8r8.patch iio-ad7266-fix-broken-regulator-error-handling.patch iio-ad7266-fix-probe-deferral-for-vref.patch iio-ad7266-fix-support-for-optional-regulators.patch iio-fix-error-handling-in-iio_trigger_attach_poll_func.patch perf-x86-fix-undefined-shift-on-32-bit-kernels.patch perf-x86-honor-the-architectural-performance-monitoring-version.patch staging-iio-accel-fix-error-check.patch tty-vt-fix-soft-lockup-in-fbcon-cursor-blink-timer.patch tty-vt-keyboard-fix-oob-access-in-do_compute_shiftstate.patch --- diff --git a/queue-3.14/alsa-au88x0-fix-calculation-in-vortex_wtdma_bufshift.patch b/queue-3.14/alsa-au88x0-fix-calculation-in-vortex_wtdma_bufshift.patch new file mode 100644 index 00000000000..c68b4aa8f1d --- /dev/null +++ b/queue-3.14/alsa-au88x0-fix-calculation-in-vortex_wtdma_bufshift.patch @@ -0,0 +1,35 @@ +From 62db7152c924e4c060e42b34a69cd39658e8a0dc Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 29 Jun 2016 15:23:08 +0200 +Subject: ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift() + +From: Takashi Iwai + +commit 62db7152c924e4c060e42b34a69cd39658e8a0dc upstream. + +vortex_wtdma_bufshift() function does calculate the page index +wrongly, first masking then shift, which always results in zero. +The proper computation is to first shift, then mask. + +Reported-by: Dan Carpenter +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/au88x0/au88x0_core.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/sound/pci/au88x0/au88x0_core.c ++++ b/sound/pci/au88x0/au88x0_core.c +@@ -1442,9 +1442,8 @@ static int vortex_wtdma_bufshift(vortex_ + int page, p, pp, delta, i; + + page = +- (hwread(vortex->mmio, VORTEX_WTDMA_STAT + (wtdma << 2)) & +- WT_SUBBUF_MASK) +- >> WT_SUBBUF_SHIFT; ++ (hwread(vortex->mmio, VORTEX_WTDMA_STAT + (wtdma << 2)) ++ >> WT_SUBBUF_SHIFT) & WT_SUBBUF_MASK; + if (dma->nr_periods >= 4) + delta = (page - dma->period_real) & 3; + else { diff --git a/queue-3.14/alsa-ctl-stop-notification-after-disconnection.patch b/queue-3.14/alsa-ctl-stop-notification-after-disconnection.patch new file mode 100644 index 00000000000..6e50df41828 --- /dev/null +++ b/queue-3.14/alsa-ctl-stop-notification-after-disconnection.patch @@ -0,0 +1,37 @@ +From f388cdcdd160687c6650833f286b9c89c50960ff Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 8 Jul 2016 08:05:19 +0200 +Subject: ALSA: ctl: Stop notification after disconnection + +From: Takashi Iwai + +commit f388cdcdd160687c6650833f286b9c89c50960ff upstream. + +snd_ctl_remove() has a notification for the removal event. It's +superfluous when done during the device got disconnected. Although +the notification itself is mostly harmless, it may potentially be +harmful, and should be suppressed. Actually some components PCM may +free ctl elements during the disconnect or free callbacks, thus it's +no theoretical issue. + +This patch adds the check of card->shutdown flag for avoiding +unnecessary notifications after (or during) the disconnect. + +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/control.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/core/control.c ++++ b/sound/core/control.c +@@ -150,6 +150,8 @@ void snd_ctl_notify(struct snd_card *car + + if (snd_BUG_ON(!card || !id)) + return; ++ if (card->shutdown) ++ return; + read_lock(&card->ctl_files_rwlock); + #if defined(CONFIG_SND_MIXER_OSS) || defined(CONFIG_SND_MIXER_OSS_MODULE) + card->mixer_oss_change_count++; diff --git a/queue-3.14/alsa-dummy-fix-a-use-after-free-at-closing.patch b/queue-3.14/alsa-dummy-fix-a-use-after-free-at-closing.patch new file mode 100644 index 00000000000..80d5b3ef12f --- /dev/null +++ b/queue-3.14/alsa-dummy-fix-a-use-after-free-at-closing.patch @@ -0,0 +1,72 @@ +From d5dbbe6569481bf12dcbe3e12cff72c5f78d272c Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 24 Jun 2016 15:15:26 +0200 +Subject: ALSA: dummy: Fix a use-after-free at closing + +From: Takashi Iwai + +commit d5dbbe6569481bf12dcbe3e12cff72c5f78d272c upstream. + +syzkaller fuzzer spotted a potential use-after-free case in snd-dummy +driver when hrtimer is used as backend: +> ================================================================== +> BUG: KASAN: use-after-free in rb_erase+0x1b17/0x2010 at addr ffff88005e5b6f68 +> Read of size 8 by task syz-executor/8984 +> ============================================================================= +> BUG kmalloc-192 (Not tainted): kasan: bad access detected +> ----------------------------------------------------------------------------- +> +> Disabling lock debugging due to kernel taint +> INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446705582212484632 +> .... +> [< none >] dummy_hrtimer_create+0x49/0x1a0 sound/drivers/dummy.c:464 +> .... +> INFO: Freed in 0xfffd8e09 age=18446705496313138713 cpu=2164287125 pid=-1 +> [< none >] dummy_hrtimer_free+0x68/0x80 sound/drivers/dummy.c:481 +> .... +> Call Trace: +> [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:333 +> [< inline >] rb_set_parent include/linux/rbtree_augmented.h:111 +> [< inline >] __rb_erase_augmented include/linux/rbtree_augmented.h:218 +> [] rb_erase+0x1b17/0x2010 lib/rbtree.c:427 +> [] timerqueue_del+0x78/0x170 lib/timerqueue.c:86 +> [] __remove_hrtimer+0x90/0x220 kernel/time/hrtimer.c:903 +> [< inline >] remove_hrtimer kernel/time/hrtimer.c:945 +> [] hrtimer_try_to_cancel+0x22a/0x570 kernel/time/hrtimer.c:1046 +> [] hrtimer_cancel+0x22/0x40 kernel/time/hrtimer.c:1066 +> [] dummy_hrtimer_stop+0x91/0xb0 sound/drivers/dummy.c:417 +> [] dummy_pcm_trigger+0x17f/0x1e0 sound/drivers/dummy.c:507 +> [] snd_pcm_do_stop+0x160/0x1b0 sound/core/pcm_native.c:1106 +> [] snd_pcm_action_single+0x76/0x120 sound/core/pcm_native.c:956 +> [] snd_pcm_action+0x231/0x290 sound/core/pcm_native.c:974 +> [< inline >] snd_pcm_stop sound/core/pcm_native.c:1139 +> [] snd_pcm_drop+0x12d/0x1d0 sound/core/pcm_native.c:1784 +> [] snd_pcm_common_ioctl1+0xfae/0x2150 sound/core/pcm_native.c:2805 +> [] snd_pcm_capture_ioctl1+0x2a1/0x5e0 sound/core/pcm_native.c:2976 +> [] snd_pcm_kernel_ioctl+0x11c/0x160 sound/core/pcm_native.c:3020 +> [] snd_pcm_oss_sync+0x3a4/0xa30 sound/core/oss/pcm_oss.c:1693 +> [] snd_pcm_oss_release+0x1ad/0x280 sound/core/oss/pcm_oss.c:2483 +> ..... + +A workaround is to call hrtimer_cancel() in dummy_hrtimer_sync() which +is called certainly before other blocking ops. + +Reported-by: Dmitry Vyukov +Tested-by: Dmitry Vyukov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/drivers/dummy.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/drivers/dummy.c ++++ b/sound/drivers/dummy.c +@@ -422,6 +422,7 @@ static int dummy_hrtimer_stop(struct snd + + static inline void dummy_hrtimer_sync(struct dummy_hrtimer_pcm *dpcm) + { ++ hrtimer_cancel(&dpcm->timer); + tasklet_kill(&dpcm->tasklet); + } + diff --git a/queue-3.14/iio-accel-kxsd9-fix-the-usage-of-spi_w8r8.patch b/queue-3.14/iio-accel-kxsd9-fix-the-usage-of-spi_w8r8.patch new file mode 100644 index 00000000000..de3d35dcb3c --- /dev/null +++ b/queue-3.14/iio-accel-kxsd9-fix-the-usage-of-spi_w8r8.patch @@ -0,0 +1,42 @@ +From 0c1f91b98552da49d9d8eed32b3132a58d2f4598 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Fri, 17 Jun 2016 15:22:24 +0200 +Subject: iio: accel: kxsd9: fix the usage of spi_w8r8() + +From: Linus Walleij + +commit 0c1f91b98552da49d9d8eed32b3132a58d2f4598 upstream. + +These two spi_w8r8() calls return a value with is used by the code +following the error check. The dubious use was caused by a cleanup +patch. + +Fixes: d34dbee8ac8e ("staging:iio:accel:kxsd9 cleanup and conversion to iio_chan_spec.") +Signed-off-by: Linus Walleij +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/accel/kxsd9.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/accel/kxsd9.c ++++ b/drivers/iio/accel/kxsd9.c +@@ -81,7 +81,7 @@ static int kxsd9_write_scale(struct iio_ + + mutex_lock(&st->buf_lock); + ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C)); +- if (ret) ++ if (ret < 0) + goto error_ret; + st->tx[0] = KXSD9_WRITE(KXSD9_REG_CTRL_C); + st->tx[1] = (ret & ~KXSD9_FS_MASK) | i; +@@ -163,7 +163,7 @@ static int kxsd9_read_raw(struct iio_dev + break; + case IIO_CHAN_INFO_SCALE: + ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C)); +- if (ret) ++ if (ret < 0) + goto error_ret; + *val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK]; + ret = IIO_VAL_INT_PLUS_MICRO; diff --git a/queue-3.14/iio-ad7266-fix-broken-regulator-error-handling.patch b/queue-3.14/iio-ad7266-fix-broken-regulator-error-handling.patch new file mode 100644 index 00000000000..4a1ca15d47c --- /dev/null +++ b/queue-3.14/iio-ad7266-fix-broken-regulator-error-handling.patch @@ -0,0 +1,32 @@ +From 6b7f4e25f3309f106a5c7ff42c8231494cf285d3 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Mon, 20 Jun 2016 13:53:32 +0100 +Subject: iio:ad7266: Fix broken regulator error handling + +From: Mark Brown + +commit 6b7f4e25f3309f106a5c7ff42c8231494cf285d3 upstream. + +All regulator_get() variants return either a pointer to a regulator or an +ERR_PTR() so testing for NULL makes no sense and may lead to bugs if we +use NULL as a valid regulator. Fix this by using IS_ERR() as expected. + +Signed-off-by: Mark Brown +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ad7266.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/ad7266.c ++++ b/drivers/iio/adc/ad7266.c +@@ -397,7 +397,7 @@ static int ad7266_probe(struct spi_devic + st = iio_priv(indio_dev); + + st->reg = devm_regulator_get(&spi->dev, "vref"); +- if (!IS_ERR_OR_NULL(st->reg)) { ++ if (!IS_ERR(st->reg)) { + ret = regulator_enable(st->reg); + if (ret) + return ret; diff --git a/queue-3.14/iio-ad7266-fix-probe-deferral-for-vref.patch b/queue-3.14/iio-ad7266-fix-probe-deferral-for-vref.patch new file mode 100644 index 00000000000..86fc1d84c94 --- /dev/null +++ b/queue-3.14/iio-ad7266-fix-probe-deferral-for-vref.patch @@ -0,0 +1,35 @@ +From 68b356eb3d9f5e38910fb62e22a78e2a18d544ae Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Mon, 20 Jun 2016 13:53:34 +0100 +Subject: iio:ad7266: Fix probe deferral for vref + +From: Mark Brown + +commit 68b356eb3d9f5e38910fb62e22a78e2a18d544ae upstream. + +Currently the ad7266 driver treats any failure to get vref as though the +regulator were not present but this means that if probe deferral is +triggered the driver will act as though the regulator were not present. +Instead only use the internal reference if we explicitly got -ENODEV which +is what is returned for absent regulators. + +Signed-off-by: Mark Brown +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ad7266.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/iio/adc/ad7266.c ++++ b/drivers/iio/adc/ad7266.c +@@ -408,6 +408,9 @@ static int ad7266_probe(struct spi_devic + + st->vref_mv = ret / 1000; + } else { ++ /* Any other error indicates that the regulator does exist */ ++ if (PTR_ERR(st->reg) != -ENODEV) ++ return PTR_ERR(st->reg); + /* Use internal reference */ + st->vref_mv = 2500; + } diff --git a/queue-3.14/iio-ad7266-fix-support-for-optional-regulators.patch b/queue-3.14/iio-ad7266-fix-support-for-optional-regulators.patch new file mode 100644 index 00000000000..c4680ba78e2 --- /dev/null +++ b/queue-3.14/iio-ad7266-fix-support-for-optional-regulators.patch @@ -0,0 +1,38 @@ +From e5511c816e5ac4909bdd38e85ac344e2b9b8e984 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Mon, 20 Jun 2016 13:53:33 +0100 +Subject: iio:ad7266: Fix support for optional regulators + +From: Mark Brown + +commit e5511c816e5ac4909bdd38e85ac344e2b9b8e984 upstream. + +The ad7266 driver attempts to support deciding between the use of internal +and external power supplies by checking to see if an error is returned when +requesting the regulator. This doesn't work with the current code since the +driver uses a normal regulator_get() which is for non-optional supplies +and so assumes that if a regulator is not provided by the platform then +this is a bug in the platform integration and so substitutes a dummy +regulator. Use regulator_get_optional() instead which indicates to the +framework that the regulator may be absent and provides a dummy regulator +instead. + +Signed-off-by: Mark Brown +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ad7266.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/ad7266.c ++++ b/drivers/iio/adc/ad7266.c +@@ -396,7 +396,7 @@ static int ad7266_probe(struct spi_devic + + st = iio_priv(indio_dev); + +- st->reg = devm_regulator_get(&spi->dev, "vref"); ++ st->reg = devm_regulator_get_optional(&spi->dev, "vref"); + if (!IS_ERR(st->reg)) { + ret = regulator_enable(st->reg); + if (ret) diff --git a/queue-3.14/iio-fix-error-handling-in-iio_trigger_attach_poll_func.patch b/queue-3.14/iio-fix-error-handling-in-iio_trigger_attach_poll_func.patch new file mode 100644 index 00000000000..5de598caff1 --- /dev/null +++ b/queue-3.14/iio-fix-error-handling-in-iio_trigger_attach_poll_func.patch @@ -0,0 +1,68 @@ +From 99543823357966ac938d9a310947e731b67338e6 Mon Sep 17 00:00:00 2001 +From: Crestez Dan Leonard +Date: Tue, 3 May 2016 15:27:09 +0300 +Subject: iio: Fix error handling in iio_trigger_attach_poll_func + +From: Crestez Dan Leonard + +commit 99543823357966ac938d9a310947e731b67338e6 upstream. + +When attaching a pollfunc iio_trigger_attach_poll_func will allocate a +virtual irq and call the driver's set_trigger_state function. Fix error +handling to undo previous steps if any fails. + +In particular this fixes handling errors from a driver's +set_trigger_state function. When using triggered buffers a failure to +enable the trigger used to make the buffer unusable. + +Signed-off-by: Crestez Dan Leonard +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/industrialio-trigger.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +--- a/drivers/iio/industrialio-trigger.c ++++ b/drivers/iio/industrialio-trigger.c +@@ -205,22 +205,35 @@ static int iio_trigger_attach_poll_func( + + /* Prevent the module from being removed whilst attached to a trigger */ + __module_get(pf->indio_dev->info->driver_module); ++ ++ /* Get irq number */ + pf->irq = iio_trigger_get_irq(trig); ++ if (pf->irq < 0) ++ goto out_put_module; ++ ++ /* Request irq */ + ret = request_threaded_irq(pf->irq, pf->h, pf->thread, + pf->type, pf->name, + pf); +- if (ret < 0) { +- module_put(pf->indio_dev->info->driver_module); +- return ret; +- } ++ if (ret < 0) ++ goto out_put_irq; + ++ /* Enable trigger in driver */ + if (trig->ops && trig->ops->set_trigger_state && notinuse) { + ret = trig->ops->set_trigger_state(trig, true); + if (ret < 0) +- module_put(pf->indio_dev->info->driver_module); ++ goto out_free_irq; + } + + return ret; ++ ++out_free_irq: ++ free_irq(pf->irq, pf); ++out_put_irq: ++ iio_trigger_put_irq(trig, pf->irq); ++out_put_module: ++ module_put(pf->indio_dev->info->driver_module); ++ return ret; + } + + static int iio_trigger_detach_poll_func(struct iio_trigger *trig, diff --git a/queue-3.14/perf-x86-fix-undefined-shift-on-32-bit-kernels.patch b/queue-3.14/perf-x86-fix-undefined-shift-on-32-bit-kernels.patch new file mode 100644 index 00000000000..bfdbf224a2d --- /dev/null +++ b/queue-3.14/perf-x86-fix-undefined-shift-on-32-bit-kernels.patch @@ -0,0 +1,51 @@ +From 6d6f2833bfbf296101f9f085e10488aef2601ba5 Mon Sep 17 00:00:00 2001 +From: Andrey Ryabinin +Date: Wed, 11 May 2016 16:51:51 +0300 +Subject: perf/x86: Fix undefined shift on 32-bit kernels + +From: Andrey Ryabinin + +commit 6d6f2833bfbf296101f9f085e10488aef2601ba5 upstream. + +Jim reported: + + UBSAN: Undefined behaviour in arch/x86/events/intel/core.c:3708:12 + shift exponent 35 is too large for 32-bit type 'long unsigned int' + +The use of 'unsigned long' type obviously is not correct here, make it +'unsigned long long' instead. + +Reported-by: Jim Cromie +Signed-off-by: Andrey Ryabinin +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: H. Peter Anvin +Cc: Imre Palik +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: 2c33645d366d ("perf/x86: Honor the architectural performance monitoring version") +Link: http://lkml.kernel.org/r/1462974711-10037-1-git-send-email-aryabinin@virtuozzo.com +Signed-off-by: Ingo Molnar +Cc: Kevin Christopher +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/perf_event_intel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/perf_event_intel.c ++++ b/arch/x86/kernel/cpu/perf_event_intel.c +@@ -2611,7 +2611,7 @@ __init int intel_pmu_init(void) + c->idxmsk64 |= (1ULL << x86_pmu.num_counters) - 1; + } + c->idxmsk64 &= +- ~(~0UL << (INTEL_PMC_IDX_FIXED + x86_pmu.num_counters_fixed)); ++ ~(~0ULL << (INTEL_PMC_IDX_FIXED + x86_pmu.num_counters_fixed)); + c->weight = hweight64(c->idxmsk64); + } + } diff --git a/queue-3.14/perf-x86-honor-the-architectural-performance-monitoring-version.patch b/queue-3.14/perf-x86-honor-the-architectural-performance-monitoring-version.patch new file mode 100644 index 00000000000..813890a99ba --- /dev/null +++ b/queue-3.14/perf-x86-honor-the-architectural-performance-monitoring-version.patch @@ -0,0 +1,67 @@ +From 2c33645d366d13b969d936b68b9f4875b1fdddea Mon Sep 17 00:00:00 2001 +From: "Palik, Imre" +Date: Mon, 8 Jun 2015 14:46:49 +0200 +Subject: perf/x86: Honor the architectural performance monitoring version + +From: Palik, Imre + +commit 2c33645d366d13b969d936b68b9f4875b1fdddea upstream. + +Architectural performance monitoring, version 1, doesn't support fixed counters. + +Currently, even if a hypervisor advertises support for architectural +performance monitoring version 1, perf may still try to use the fixed +counters, as the constraints are set up based on the CPU model. + +This patch ensures that perf honors the architectural performance monitoring +version returned by CPUID, and it only uses the fixed counters for version 2 +and above. + +(Some of the ideas in this patch came from Peter Zijlstra.) + +Signed-off-by: Imre Palik +Signed-off-by: Peter Zijlstra (Intel) +Cc: Andrew Morton +Cc: Andy Lutomirski +Cc: Anthony Liguori +Cc: Arnaldo Carvalho de Melo +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Oleg Nesterov +Cc: Paul Mackerras +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/1433767609-1039-1-git-send-email-imrep.amz@gmail.com +Signed-off-by: Ingo Molnar +Cc: Kevin Christopher +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/perf_event_intel.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/x86/kernel/cpu/perf_event_intel.c ++++ b/arch/x86/kernel/cpu/perf_event_intel.c +@@ -2606,13 +2606,13 @@ __init int intel_pmu_init(void) + * counter, so do not extend mask to generic counters + */ + for_each_event_constraint(c, x86_pmu.event_constraints) { +- if (c->cmask != FIXED_EVENT_FLAGS +- || c->idxmsk64 == INTEL_PMC_MSK_FIXED_REF_CYCLES) { +- continue; ++ if (c->cmask == FIXED_EVENT_FLAGS ++ && c->idxmsk64 != INTEL_PMC_MSK_FIXED_REF_CYCLES) { ++ c->idxmsk64 |= (1ULL << x86_pmu.num_counters) - 1; + } +- +- c->idxmsk64 |= (1ULL << x86_pmu.num_counters) - 1; +- c->weight += x86_pmu.num_counters; ++ c->idxmsk64 &= ++ ~(~0UL << (INTEL_PMC_IDX_FIXED + x86_pmu.num_counters_fixed)); ++ c->weight = hweight64(c->idxmsk64); + } + } + diff --git a/queue-3.14/series b/queue-3.14/series index 01fb11254cb..410881ec772 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -33,3 +33,16 @@ tracing-handle-null-formats-in-hold_module_trace_bprintk_format.patch base-make-module_create_drivers_dir-race-free.patch drm-radeon-fix-asic-initialization-for-virtualized-environments.patch drm-i915-ilk-don-t-disable-ssc-source-if-it-s-in-use.patch +perf-x86-honor-the-architectural-performance-monitoring-version.patch +perf-x86-fix-undefined-shift-on-32-bit-kernels.patch +iio-fix-error-handling-in-iio_trigger_attach_poll_func.patch +staging-iio-accel-fix-error-check.patch +iio-accel-kxsd9-fix-the-usage-of-spi_w8r8.patch +iio-ad7266-fix-broken-regulator-error-handling.patch +iio-ad7266-fix-support-for-optional-regulators.patch +iio-ad7266-fix-probe-deferral-for-vref.patch +tty-vt-fix-soft-lockup-in-fbcon-cursor-blink-timer.patch +tty-vt-keyboard-fix-oob-access-in-do_compute_shiftstate.patch +alsa-dummy-fix-a-use-after-free-at-closing.patch +alsa-au88x0-fix-calculation-in-vortex_wtdma_bufshift.patch +alsa-ctl-stop-notification-after-disconnection.patch diff --git a/queue-3.14/staging-iio-accel-fix-error-check.patch b/queue-3.14/staging-iio-accel-fix-error-check.patch new file mode 100644 index 00000000000..dec400f7053 --- /dev/null +++ b/queue-3.14/staging-iio-accel-fix-error-check.patch @@ -0,0 +1,31 @@ +From ef3149eb3ddb7f9125e11c90f8330e371b55cffd Mon Sep 17 00:00:00 2001 +From: Luis de Bethencourt +Date: Wed, 22 Jun 2016 20:43:30 +0100 +Subject: staging: iio: accel: fix error check + +From: Luis de Bethencourt + +commit ef3149eb3ddb7f9125e11c90f8330e371b55cffd upstream. + +sca3000_read_ctrl_reg() returns a negative number on failure, check for +this instead of zero. + +Signed-off-by: Luis de Bethencourt +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/iio/accel/sca3000_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/iio/accel/sca3000_core.c ++++ b/drivers/staging/iio/accel/sca3000_core.c +@@ -592,7 +592,7 @@ static ssize_t sca3000_read_frequency(st + goto error_ret_mut; + ret = sca3000_read_ctrl_reg(st, SCA3000_REG_CTRL_SEL_OUT_CTRL); + mutex_unlock(&st->lock); +- if (ret) ++ if (ret < 0) + goto error_ret; + val = ret; + if (base_freq > 0) diff --git a/queue-3.14/tty-vt-fix-soft-lockup-in-fbcon-cursor-blink-timer.patch b/queue-3.14/tty-vt-fix-soft-lockup-in-fbcon-cursor-blink-timer.patch new file mode 100644 index 00000000000..c97b5163537 --- /dev/null +++ b/queue-3.14/tty-vt-fix-soft-lockup-in-fbcon-cursor-blink-timer.patch @@ -0,0 +1,51 @@ +From 1b45996d2ebf9680ccd0db875fc668aa025f40fd Mon Sep 17 00:00:00 2001 +From: David Daney +Date: Tue, 17 May 2016 11:41:04 -0700 +Subject: tty: vt: Fix soft lockup in fbcon cursor blink timer. + +From: David Daney + +commit 1b45996d2ebf9680ccd0db875fc668aa025f40fd upstream. + +We are getting somewhat random soft lockups with this signature: + +[ 86.992215] [] el1_irq+0xa0/0x10c +[ 86.997082] [] cursor_timer_handler+0x30/0x54 +[ 87.002991] [] call_timer_fn+0x54/0x1a8 +[ 87.008378] [] run_timer_softirq+0x1c4/0x2bc +[ 87.014200] [] __do_softirq+0x114/0x344 +[ 87.019590] [] irq_exit+0x74/0x98 +[ 87.024458] [] __handle_domain_irq+0x98/0xfc +[ 87.030278] [] gic_handle_irq+0x94/0x190 + +This is caused by the vt visual_init() function calling into +fbcon_init() with a vc_cur_blink_ms value of zero. This is a +transient condition, as it is later set to a non-zero value. But, if +the timer happens to expire while the blink rate is zero, it goes into +an endless loop, and we get soft lockup. + +The fix is to initialize vc_cur_blink_ms before calling the con_init() +function. + +Signed-off-by: David Daney +Acked-by: Pavel Machek +Tested-by: Ming Lei +Acked-by: Scot Doyle +Tested-by: Henrique de Moraes Holschuh +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vt.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -742,6 +742,7 @@ static void visual_init(struct vc_data * + vc->vc_complement_mask = 0; + vc->vc_can_do_color = 0; + vc->vc_panic_force_write = false; ++ vc->vc_cur_blink_ms = DEFAULT_CURSOR_BLINK_MS; + vc->vc_sw->con_init(vc, init); + if (!vc->vc_complement_mask) + vc->vc_complement_mask = vc->vc_can_do_color ? 0x7700 : 0x0800; diff --git a/queue-3.14/tty-vt-keyboard-fix-oob-access-in-do_compute_shiftstate.patch b/queue-3.14/tty-vt-keyboard-fix-oob-access-in-do_compute_shiftstate.patch new file mode 100644 index 00000000000..b5ff8edbbf9 --- /dev/null +++ b/queue-3.14/tty-vt-keyboard-fix-oob-access-in-do_compute_shiftstate.patch @@ -0,0 +1,79 @@ +From 510cccb5b0c8868a2b302a0ab524da7912da648b Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Mon, 27 Jun 2016 14:12:34 -0700 +Subject: tty/vt/keyboard: fix OOB access in do_compute_shiftstate() + +From: Dmitry Torokhov + +commit 510cccb5b0c8868a2b302a0ab524da7912da648b upstream. + +The size of individual keymap in drivers/tty/vt/keyboard.c is NR_KEYS, +which is currently 256, whereas number of keys/buttons in input device (and +therefor in key_down) is much larger - KEY_CNT - 768, and that can cause +out-of-bound access when we do + + sym = U(key_maps[0][k]); + +with large 'k'. + +To fix it we should not attempt iterating beyond smaller of NR_KEYS and +KEY_CNT. + +Also while at it let's switch to for_each_set_bit() instead of open-coding +it. + +Reported-by: Sasha Levin +Reviewed-by: Guenter Roeck +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/keyboard.c | 30 +++++++++--------------------- + 1 file changed, 9 insertions(+), 21 deletions(-) + +--- a/drivers/tty/vt/keyboard.c ++++ b/drivers/tty/vt/keyboard.c +@@ -365,34 +365,22 @@ static void to_utf8(struct vc_data *vc, + + static void do_compute_shiftstate(void) + { +- unsigned int i, j, k, sym, val; ++ unsigned int k, sym, val; + + shift_state = 0; + memset(shift_down, 0, sizeof(shift_down)); + +- for (i = 0; i < ARRAY_SIZE(key_down); i++) { +- +- if (!key_down[i]) ++ for_each_set_bit(k, key_down, min(NR_KEYS, KEY_CNT)) { ++ sym = U(key_maps[0][k]); ++ if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK) + continue; + +- k = i * BITS_PER_LONG; +- +- for (j = 0; j < BITS_PER_LONG; j++, k++) { +- +- if (!test_bit(k, key_down)) +- continue; +- +- sym = U(key_maps[0][k]); +- if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK) +- continue; +- +- val = KVAL(sym); +- if (val == KVAL(K_CAPSSHIFT)) +- val = KVAL(K_SHIFT); ++ val = KVAL(sym); ++ if (val == KVAL(K_CAPSSHIFT)) ++ val = KVAL(K_SHIFT); + +- shift_down[val]++; +- shift_state |= (1 << val); +- } ++ shift_down[val]++; ++ shift_state |= BIT(val); + } + } +