From: Greg Kroah-Hartman Date: Fri, 6 May 2016 18:37:08 +0000 (-0400) Subject: 4.5-stable patches X-Git-Tag: v3.14.69~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a47f6b52b92bb692f4ee5733e85f9a623325fa06;p=thirdparty%2Fkernel%2Fstable-queue.git 4.5-stable patches added patches: arm-exynos-properly-skip-unitialized-parent-clock-in-power-domain-on.patch arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch batman-adv-fix-dat-candidate-selection-must-use-vid.patch batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch hid-fix-boot-delay-for-creative-sb-omni-surround-5.1-with-quirk.patch hid-wacom-add-support-for-dtk-1651.patch input-zforce_ts-fix-dual-touch-recognition.patch mm-cma-prevent-nr_isolated_-counters-from-going-negative.patch mm-memcontrol-let-v2-cgroups-follow-changes-in-system-swappiness.patch mm-update-min_free_kbytes-from-khugepaged-after-core-initialization.patch mm-zswap-provide-unique-zpool-name.patch modpost-fix-module-autoloading-for-of-devices-with-generic-compatible-property.patch proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch propogate_mnt-handle-the-first-propogated-copy-being-a-slave.patch xen-balloon-fix-crash-when-ballooning-on-x86-32-bit-pae.patch xen-evtchn-fix-ring-resize-when-binding-new-events.patch xen-fix-page-pfn-conversion-on-32-bit-systems.patch --- diff --git a/queue-4.5/arm-exynos-properly-skip-unitialized-parent-clock-in-power-domain-on.patch b/queue-4.5/arm-exynos-properly-skip-unitialized-parent-clock-in-power-domain-on.patch new file mode 100644 index 00000000000..125acc1d88b --- /dev/null +++ b/queue-4.5/arm-exynos-properly-skip-unitialized-parent-clock-in-power-domain-on.patch @@ -0,0 +1,40 @@ +From a0a966b83873f33778710a4fc59240244b0734a5 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Fri, 22 Apr 2016 09:26:52 +0200 +Subject: ARM: EXYNOS: Properly skip unitialized parent clock in power domain on + +From: Krzysztof Kozlowski + +commit a0a966b83873f33778710a4fc59240244b0734a5 upstream. + +We want to skip reparenting a clock on turning on power domain, if we +do not have the parent yet. The parent is obtained when turning the +domain off. However due to a typo, the loop is continued on IS_ERR() of +clock being reparented, not on the IS_ERR() of the parent. + +Theoretically this could lead to OOPS on first turn on of a power +domain, if there was no turn off before. Practically that should never +happen because all power domains are turned on by default (reset value, +bootloader does not turn off them usually) so the first action will be +always turn off. + +Fixes: 29e5eea06bc1 ("ARM: EXYNOS: Get current parent clock for power domain on/off") +Reported-by: Vladimir Zapolskiy +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-exynos/pm_domains.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/mach-exynos/pm_domains.c ++++ b/arch/arm/mach-exynos/pm_domains.c +@@ -92,7 +92,7 @@ static int exynos_pd_power(struct generi + if (IS_ERR(pd->clk[i])) + break; + +- if (IS_ERR(pd->clk[i])) ++ if (IS_ERR(pd->pclk[i])) + continue; /* Skip on first power up */ + if (clk_set_parent(pd->clk[i], pd->pclk[i])) + pr_err("%s: error setting parent to clock%d\n", diff --git a/queue-4.5/arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch b/queue-4.5/arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch new file mode 100644 index 00000000000..226a8e50f0b --- /dev/null +++ b/queue-4.5/arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch @@ -0,0 +1,34 @@ +From 5616f36713ea77f57ae908bf2fef641364403c9f Mon Sep 17 00:00:00 2001 +From: Sascha Hauer +Date: Wed, 20 Apr 2016 13:34:31 +0000 +Subject: ARM: SoCFPGA: Fix secondary CPU startup in thumb2 kernel + +From: Sascha Hauer + +commit 5616f36713ea77f57ae908bf2fef641364403c9f upstream. + +The secondary CPU starts up in ARM mode. When the kernel is compiled in +thumb2 mode we have to explicitly compile the secondary startup +trampoline in ARM mode, otherwise the CPU will go to Nirvana. + +Signed-off-by: Sascha Hauer +Reported-by: Steffen Trumtrar +Suggested-by: Ard Biesheuvel +Signed-off-by: Dinh Nguyen +Signed-off-by: Kevin Hilman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-socfpga/headsmp.S | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/mach-socfpga/headsmp.S ++++ b/arch/arm/mach-socfpga/headsmp.S +@@ -13,6 +13,7 @@ + #include + + .arch armv7-a ++ .arm + + ENTRY(secondary_trampoline) + /* CPU1 will always fetch from 0x0 when it is brought out of reset. diff --git a/queue-4.5/batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch b/queue-4.5/batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch new file mode 100644 index 00000000000..8db98523720 --- /dev/null +++ b/queue-4.5/batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch @@ -0,0 +1,52 @@ +From c78296665c3d81f040117432ab9e1cb125521b0c Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Fri, 26 Feb 2016 17:56:13 +0100 +Subject: batman-adv: Check skb size before using encapsulated ETH+VLAN header + +From: Sven Eckelmann + +commit c78296665c3d81f040117432ab9e1cb125521b0c upstream. + +The encapsulated ethernet and VLAN header may be outside the received +ethernet frame. Thus the skb buffer size has to be checked before it can be +parsed to find out if it encapsulates another batman-adv packet. + +Fixes: 420193573f11 ("batman-adv: softif bridge loop avoidance") +Signed-off-by: Sven Eckelmann +Signed-off-by: Marek Lindner +Signed-off-by: Antonio Quartulli +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/soft-interface.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -407,11 +407,17 @@ void batadv_interface_rx(struct net_devi + */ + nf_reset(skb); + ++ if (unlikely(!pskb_may_pull(skb, ETH_HLEN))) ++ goto dropped; ++ + vid = batadv_get_vid(skb, 0); + ethhdr = eth_hdr(skb); + + switch (ntohs(ethhdr->h_proto)) { + case ETH_P_8021Q: ++ if (!pskb_may_pull(skb, VLAN_ETH_HLEN)) ++ goto dropped; ++ + vhdr = (struct vlan_ethhdr *)skb->data; + + if (vhdr->h_vlan_encapsulated_proto != ethertype) +@@ -423,8 +429,6 @@ void batadv_interface_rx(struct net_devi + } + + /* skb->dev & skb->pkt_type are set here */ +- if (unlikely(!pskb_may_pull(skb, ETH_HLEN))) +- goto dropped; + skb->protocol = eth_type_trans(skb, soft_iface); + + /* should not be necessary anymore as we use skb_pull_rcsum() diff --git a/queue-4.5/batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch b/queue-4.5/batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch new file mode 100644 index 00000000000..beed2803563 --- /dev/null +++ b/queue-4.5/batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch @@ -0,0 +1,45 @@ +From c4fdb6cff2aa0ae740c5f19b6f745cbbe786d42f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Linus=20L=C3=BCssing?= +Date: Fri, 11 Mar 2016 14:04:49 +0100 +Subject: batman-adv: Fix broadcast/ogm queue limit on a removed interface +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Lüssing + +commit c4fdb6cff2aa0ae740c5f19b6f745cbbe786d42f upstream. + +When removing a single interface while a broadcast or ogm packet is +still pending then we will free the forward packet without releasing the +queue slots again. + +This patch is supposed to fix this issue. + +Fixes: 6d5808d4ae1b ("batman-adv: Add missing hardif_free_ref in forw_packet_free") +Signed-off-by: Linus Lüssing +[sven@narfation.org: fix conflicts with current version] +Signed-off-by: Sven Eckelmann +Signed-off-by: Marek Lindner +Signed-off-by: Antonio Quartulli +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/send.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/batman-adv/send.c ++++ b/net/batman-adv/send.c +@@ -656,6 +656,12 @@ batadv_purge_outstanding_packets(struct + + if (pending) { + hlist_del(&forw_packet->list); ++ if (!forw_packet->own) ++ atomic_inc(&bat_priv->bcast_queue_left); ++ ++ if (!forw_packet->own) ++ atomic_inc(&bat_priv->batman_queue_left); ++ + batadv_forw_packet_free(forw_packet); + } + } diff --git a/queue-4.5/batman-adv-fix-dat-candidate-selection-must-use-vid.patch b/queue-4.5/batman-adv-fix-dat-candidate-selection-must-use-vid.patch new file mode 100644 index 00000000000..51759538de4 --- /dev/null +++ b/queue-4.5/batman-adv-fix-dat-candidate-selection-must-use-vid.patch @@ -0,0 +1,99 @@ +From 2871734e85e920503d49b3a8bc0afbe0773b6036 Mon Sep 17 00:00:00 2001 +From: Antonio Quartulli +Date: Sat, 12 Mar 2016 11:12:59 +0100 +Subject: batman-adv: fix DAT candidate selection (must use vid) + +From: Antonio Quartulli + +commit 2871734e85e920503d49b3a8bc0afbe0773b6036 upstream. + +Now that DAT is VLAN aware, it must use the VID when +computing the DHT address of the candidate nodes where +an entry is going to be stored/retrieved. + +Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware") +Signed-off-by: Antonio Quartulli +[sven@narfation.org: fix conflicts with current version] +Signed-off-by: Sven Eckelmann +Signed-off-by: Marek Lindner +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/distributed-arp-table.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/net/batman-adv/distributed-arp-table.c ++++ b/net/batman-adv/distributed-arp-table.c +@@ -553,6 +553,7 @@ static void batadv_choose_next_candidate + * be sent to + * @bat_priv: the bat priv with all the soft interface information + * @ip_dst: ipv4 to look up in the DHT ++ * @vid: VLAN identifier + * + * An originator O is selected if and only if its DHT_ID value is one of three + * closest values (from the LEFT, with wrap around if needed) then the hash +@@ -561,7 +562,8 @@ static void batadv_choose_next_candidate + * Returns the candidate array of size BATADV_DAT_CANDIDATE_NUM. + */ + static struct batadv_dat_candidate * +-batadv_dat_select_candidates(struct batadv_priv *bat_priv, __be32 ip_dst) ++batadv_dat_select_candidates(struct batadv_priv *bat_priv, __be32 ip_dst, ++ unsigned short vid) + { + int select; + batadv_dat_addr_t last_max = BATADV_DAT_ADDR_MAX, ip_key; +@@ -577,7 +579,7 @@ batadv_dat_select_candidates(struct bata + return NULL; + + dat.ip = ip_dst; +- dat.vid = 0; ++ dat.vid = vid; + ip_key = (batadv_dat_addr_t)batadv_hash_dat(&dat, + BATADV_DAT_ADDR_MAX); + +@@ -597,6 +599,7 @@ batadv_dat_select_candidates(struct bata + * @bat_priv: the bat priv with all the soft interface information + * @skb: payload to send + * @ip: the DHT key ++ * @vid: VLAN identifier + * @packet_subtype: unicast4addr packet subtype to use + * + * This function copies the skb with pskb_copy() and is sent as unicast packet +@@ -607,7 +610,7 @@ batadv_dat_select_candidates(struct bata + */ + static bool batadv_dat_send_data(struct batadv_priv *bat_priv, + struct sk_buff *skb, __be32 ip, +- int packet_subtype) ++ unsigned short vid, int packet_subtype) + { + int i; + bool ret = false; +@@ -616,7 +619,7 @@ static bool batadv_dat_send_data(struct + struct sk_buff *tmp_skb; + struct batadv_dat_candidate *cand; + +- cand = batadv_dat_select_candidates(bat_priv, ip); ++ cand = batadv_dat_select_candidates(bat_priv, ip, vid); + if (!cand) + goto out; + +@@ -1004,7 +1007,7 @@ bool batadv_dat_snoop_outgoing_arp_reque + ret = true; + } else { + /* Send the request to the DHT */ +- ret = batadv_dat_send_data(bat_priv, skb, ip_dst, ++ ret = batadv_dat_send_data(bat_priv, skb, ip_dst, vid, + BATADV_P_DAT_DHT_GET); + } + out: +@@ -1132,8 +1135,8 @@ void batadv_dat_snoop_outgoing_arp_reply + /* Send the ARP reply to the candidates for both the IP addresses that + * the node obtained from the ARP reply + */ +- batadv_dat_send_data(bat_priv, skb, ip_src, BATADV_P_DAT_DHT_PUT); +- batadv_dat_send_data(bat_priv, skb, ip_dst, BATADV_P_DAT_DHT_PUT); ++ batadv_dat_send_data(bat_priv, skb, ip_src, vid, BATADV_P_DAT_DHT_PUT); ++ batadv_dat_send_data(bat_priv, skb, ip_dst, vid, BATADV_P_DAT_DHT_PUT); + } + + /** diff --git a/queue-4.5/batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch b/queue-4.5/batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch new file mode 100644 index 00000000000..cf270e454d0 --- /dev/null +++ b/queue-4.5/batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch @@ -0,0 +1,48 @@ +From d1a65f1741bfd9c69f9e4e2ad447a89b6810427d Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Sun, 20 Mar 2016 12:27:53 +0100 +Subject: batman-adv: Reduce refcnt of removed router when updating route + +From: Sven Eckelmann + +commit d1a65f1741bfd9c69f9e4e2ad447a89b6810427d upstream. + +_batadv_update_route rcu_derefences orig_ifinfo->router outside of a +spinlock protected region to print some information messages to the debug +log. But this pointer is not checked again when the new pointer is assigned +in the spinlock protected region. Thus is can happen that the value of +orig_ifinfo->router changed in the meantime and thus the reference counter +of the wrong router gets reduced after the spinlock protected region. + +Just rcu_dereferencing the value of orig_ifinfo->router inside the spinlock +protected region (which also set the new pointer) is enough to get the +correct old router object. + +Fixes: e1a5382f978b ("batman-adv: Make orig_node->router an rcu protected pointer") +Signed-off-by: Sven Eckelmann +Signed-off-by: Marek Lindner +Signed-off-by: Antonio Quartulli +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/routing.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/net/batman-adv/routing.c ++++ b/net/batman-adv/routing.c +@@ -104,6 +104,15 @@ static void _batadv_update_route(struct + neigh_node = NULL; + + spin_lock_bh(&orig_node->neigh_list_lock); ++ /* curr_router used earlier may not be the current orig_ifinfo->router ++ * anymore because it was dereferenced outside of the neigh_list_lock ++ * protected region. After the new best neighbor has replace the current ++ * best neighbor the reference counter needs to decrease. Consequently, ++ * the code needs to ensure the curr_router variable contains a pointer ++ * to the replaced best neighbor. ++ */ ++ curr_router = rcu_dereference_protected(orig_ifinfo->router, true); ++ + rcu_assign_pointer(orig_ifinfo->router, neigh_node); + spin_unlock_bh(&orig_node->neigh_list_lock); + batadv_orig_ifinfo_free_ref(orig_ifinfo); diff --git a/queue-4.5/hid-fix-boot-delay-for-creative-sb-omni-surround-5.1-with-quirk.patch b/queue-4.5/hid-fix-boot-delay-for-creative-sb-omni-surround-5.1-with-quirk.patch new file mode 100644 index 00000000000..201614a144c --- /dev/null +++ b/queue-4.5/hid-fix-boot-delay-for-creative-sb-omni-surround-5.1-with-quirk.patch @@ -0,0 +1,42 @@ +From 567a44ecb44eb2584ddb93e962cfb133ce77e0bb Mon Sep 17 00:00:00 2001 +From: Nazar Mokrynskyi +Date: Mon, 25 Apr 2016 17:01:56 +0300 +Subject: HID: Fix boot delay for Creative SB Omni Surround 5.1 with quirk + +From: Nazar Mokrynskyi + +commit 567a44ecb44eb2584ddb93e962cfb133ce77e0bb upstream. + +Needed for v2 of the device firmware, otherwise kernel will stuck for few +seconds and throw "usb_submit_urb(ctrl) failed: -1" early on system boot. + +Signed-off-by: Nazar Mokrynskyi +Reviewed-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/usbhid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -255,6 +255,7 @@ + #define USB_DEVICE_ID_CORSAIR_K90 0x1b02 + + #define USB_VENDOR_ID_CREATIVELABS 0x041e ++#define USB_DEVICE_ID_CREATIVE_SB_OMNI_SURROUND_51 0x322c + #define USB_DEVICE_ID_PRODIKEYS_PCMIDI 0x2801 + + #define USB_VENDOR_ID_CVTOUCH 0x1ff7 +--- a/drivers/hid/usbhid/hid-quirks.c ++++ b/drivers/hid/usbhid/hid-quirks.c +@@ -70,6 +70,7 @@ static const struct hid_blacklist { + { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_3AXIS_5BUTTON_STICK, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_AXIS_295, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_PIXART_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL }, ++ { USB_VENDOR_ID_CREATIVELABS, USB_DEVICE_ID_CREATIVE_SB_OMNI_SURROUND_51, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_DMI, USB_DEVICE_ID_DMI_ENC, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_WIIU, HID_QUIRK_MULTI_INPUT }, + { USB_VENDOR_ID_ELAN, HID_ANY_ID, HID_QUIRK_ALWAYS_POLL }, diff --git a/queue-4.5/hid-wacom-add-support-for-dtk-1651.patch b/queue-4.5/hid-wacom-add-support-for-dtk-1651.patch new file mode 100644 index 00000000000..ee9fbd6c523 --- /dev/null +++ b/queue-4.5/hid-wacom-add-support-for-dtk-1651.patch @@ -0,0 +1,40 @@ +From e1123fe975852cc0970b4e53ea65ca917e54c923 Mon Sep 17 00:00:00 2001 +From: Ping Cheng +Date: Tue, 12 Apr 2016 13:37:45 -0700 +Subject: HID: wacom: Add support for DTK-1651 + +From: Ping Cheng + +commit e1123fe975852cc0970b4e53ea65ca917e54c923 upstream. + +DTK-1651 is a display pen-only tablet + +Signed-off-by: Ping Cheng +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/wacom_wac.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -3378,6 +3378,10 @@ static const struct wacom_features wacom + { "Wacom Intuos PT M 2", 21600, 13500, 2047, 63, + INTUOSHT2, WACOM_INTUOS_RES, WACOM_INTUOS_RES, .touch_max = 16, + .check_for_hid_type = true, .hid_type = HID_TYPE_USBNONE }; ++static const struct wacom_features wacom_features_0x343 = ++ { "Wacom DTK1651", 34616, 19559, 1023, 0, ++ DTUS, WACOM_INTUOS_RES, WACOM_INTUOS_RES, 4, ++ WACOM_DTU_OFFSET, WACOM_DTU_OFFSET }; + + static const struct wacom_features wacom_features_HID_ANY_ID = + { "Wacom HID", .type = HID_GENERIC }; +@@ -3543,6 +3547,7 @@ const struct hid_device_id wacom_ids[] = + { USB_DEVICE_WACOM(0x33C) }, + { USB_DEVICE_WACOM(0x33D) }, + { USB_DEVICE_WACOM(0x33E) }, ++ { USB_DEVICE_WACOM(0x343) }, + { USB_DEVICE_WACOM(0x4001) }, + { USB_DEVICE_WACOM(0x4004) }, + { USB_DEVICE_WACOM(0x5000) }, diff --git a/queue-4.5/input-zforce_ts-fix-dual-touch-recognition.patch b/queue-4.5/input-zforce_ts-fix-dual-touch-recognition.patch new file mode 100644 index 00000000000..2a2290169fb --- /dev/null +++ b/queue-4.5/input-zforce_ts-fix-dual-touch-recognition.patch @@ -0,0 +1,39 @@ +From 6984ab1ab35f422292b7781c65284038bcc0f6a6 Mon Sep 17 00:00:00 2001 +From: Knut Wohlrab +Date: Mon, 25 Apr 2016 14:08:25 -0700 +Subject: Input: zforce_ts - fix dual touch recognition + +From: Knut Wohlrab + +commit 6984ab1ab35f422292b7781c65284038bcc0f6a6 upstream. + +A wrong decoding of the touch coordinate message causes a wrong touch +ID. Touch ID for dual touch must be 0 or 1. + +According to the actual Neonode nine byte touch coordinate coding, +the state is transported in the lower nibble and the touch ID in +the higher nibble of payload byte five. + +Signed-off-by: Knut Wohlrab +Signed-off-by: Oleksij Rempel +Signed-off-by: Dirk Behme +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/zforce_ts.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/input/touchscreen/zforce_ts.c ++++ b/drivers/input/touchscreen/zforce_ts.c +@@ -370,8 +370,8 @@ static int zforce_touch_event(struct zfo + point.coord_x = point.coord_y = 0; + } + +- point.state = payload[9 * i + 5] & 0x03; +- point.id = (payload[9 * i + 5] & 0xfc) >> 2; ++ point.state = payload[9 * i + 5] & 0x0f; ++ point.id = (payload[9 * i + 5] & 0xf0) >> 4; + + /* determine touch major, minor and orientation */ + point.area_major = max(payload[9 * i + 6], diff --git a/queue-4.5/mm-cma-prevent-nr_isolated_-counters-from-going-negative.patch b/queue-4.5/mm-cma-prevent-nr_isolated_-counters-from-going-negative.patch new file mode 100644 index 00000000000..7dccfd5c2b0 --- /dev/null +++ b/queue-4.5/mm-cma-prevent-nr_isolated_-counters-from-going-negative.patch @@ -0,0 +1,57 @@ +From 14af4a5e9b26ad251f81c174e8a43f3e179434a5 Mon Sep 17 00:00:00 2001 +From: Hugh Dickins +Date: Thu, 5 May 2016 16:22:15 -0700 +Subject: mm, cma: prevent nr_isolated_* counters from going negative + +From: Hugh Dickins + +commit 14af4a5e9b26ad251f81c174e8a43f3e179434a5 upstream. + +/proc/sys/vm/stat_refresh warns nr_isolated_anon and nr_isolated_file go +increasingly negative under compaction: which would add delay when +should be none, or no delay when should delay. The bug in compaction +was due to a recent mmotm patch, but much older instance of the bug was +also noticed in isolate_migratepages_range() which is used for CMA and +gigantic hugepage allocations. + +The bug is caused by putback_movable_pages() in an error path +decrementing the isolated counters without them being previously +incremented by acct_isolated(). Fix isolate_migratepages_range() by +removing the error-path putback, thus reaching acct_isolated() with +migratepages still isolated, and leaving putback to caller like most +other places do. + +Fixes: edc2ca612496 ("mm, compaction: move pageblock checks up from isolate_migratepages_range()") +[vbabka@suse.cz: expanded the changelog] +Signed-off-by: Hugh Dickins +Signed-off-by: Vlastimil Babka +Acked-by: Joonsoo Kim +Cc: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/compaction.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +--- a/mm/compaction.c ++++ b/mm/compaction.c +@@ -880,16 +880,8 @@ isolate_migratepages_range(struct compac + pfn = isolate_migratepages_block(cc, pfn, block_end_pfn, + ISOLATE_UNEVICTABLE); + +- /* +- * In case of fatal failure, release everything that might +- * have been isolated in the previous iteration, and signal +- * the failure back to caller. +- */ +- if (!pfn) { +- putback_movable_pages(&cc->migratepages); +- cc->nr_migratepages = 0; ++ if (!pfn) + break; +- } + + if (cc->nr_migratepages == COMPACT_CLUSTER_MAX) + break; diff --git a/queue-4.5/mm-memcontrol-let-v2-cgroups-follow-changes-in-system-swappiness.patch b/queue-4.5/mm-memcontrol-let-v2-cgroups-follow-changes-in-system-swappiness.patch new file mode 100644 index 00000000000..929f3723252 --- /dev/null +++ b/queue-4.5/mm-memcontrol-let-v2-cgroups-follow-changes-in-system-swappiness.patch @@ -0,0 +1,37 @@ +From 4550c4e157ca3da929593bb6c64080a59141af35 Mon Sep 17 00:00:00 2001 +From: Johannes Weiner +Date: Thu, 5 May 2016 16:22:03 -0700 +Subject: mm: memcontrol: let v2 cgroups follow changes in system swappiness + +From: Johannes Weiner + +commit 4550c4e157ca3da929593bb6c64080a59141af35 upstream. + +Cgroup2 currently doesn't have a per-cgroup swappiness setting. We +might want to add one later - that's a different discussion - but until +we do, the cgroups should always follow the system setting. Otherwise +it will be unchangeably set to whatever the ancestor inherited from the +system setting at the time of cgroup creation. + +Signed-off-by: Johannes Weiner +Acked-by: Michal Hocko +Acked-by: Vladimir Davydov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +diff --git a/include/linux/swap.h b/include/linux/swap.h +index 2b83359c19ca..0a4cd4703f40 100644 +--- a/include/linux/swap.h ++++ b/include/linux/swap.h +@@ -533,6 +533,10 @@ static inline swp_entry_t get_swap_page(void) + #ifdef CONFIG_MEMCG + static inline int mem_cgroup_swappiness(struct mem_cgroup *memcg) + { ++ /* Cgroup2 doesn't have per-cgroup swappiness */ ++ if (cgroup_subsys_on_dfl(memory_cgrp_subsys)) ++ return vm_swappiness; ++ + /* root ? */ + if (mem_cgroup_disabled() || !memcg->css.parent) + return vm_swappiness; diff --git a/queue-4.5/mm-update-min_free_kbytes-from-khugepaged-after-core-initialization.patch b/queue-4.5/mm-update-min_free_kbytes-from-khugepaged-after-core-initialization.patch new file mode 100644 index 00000000000..69c487abbc4 --- /dev/null +++ b/queue-4.5/mm-update-min_free_kbytes-from-khugepaged-after-core-initialization.patch @@ -0,0 +1,55 @@ +From bc22af74f271ef76b2e6f72f3941f91f0da3f5f8 Mon Sep 17 00:00:00 2001 +From: Jason Baron +Date: Thu, 5 May 2016 16:22:12 -0700 +Subject: mm: update min_free_kbytes from khugepaged after core initialization + +From: Jason Baron + +commit bc22af74f271ef76b2e6f72f3941f91f0da3f5f8 upstream. + +Khugepaged attempts to raise min_free_kbytes if its set too low. +However, on boot khugepaged sets min_free_kbytes first from +subsys_initcall(), and then the mm 'core' over-rides min_free_kbytes +after from init_per_zone_wmark_min(), via a module_init() call. + +Khugepaged used to use a late_initcall() to set min_free_kbytes (such +that it occurred after the core initialization), however this was +removed when the initialization of min_free_kbytes was integrated into +the starting of the khugepaged thread. + +The fix here is simply to invoke the core initialization using a +core_initcall() instead of module_init(), such that the previous +initialization ordering is restored. I didn't restore the +late_initcall() since start_stop_khugepaged() already sets +min_free_kbytes via set_recommended_min_free_kbytes(). + +This was noticed when we had a number of page allocation failures when +moving a workload to a kernel with this new initialization ordering. On +an 8GB system this restores min_free_kbytes back to 67584 from 11365 +when CONFIG_TRANSPARENT_HUGEPAGE=y is set and either +CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y or +CONFIG_TRANSPARENT_HUGEPAGE_MADVISE=y. + +Fixes: 79553da293d3 ("thp: cleanup khugepaged startup") +Signed-off-by: Jason Baron +Acked-by: Kirill A. Shutemov +Acked-by: David Rientjes +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page_alloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -6214,7 +6214,7 @@ int __meminit init_per_zone_wmark_min(vo + setup_per_zone_inactive_ratio(); + return 0; + } +-module_init(init_per_zone_wmark_min) ++core_initcall(init_per_zone_wmark_min) + + /* + * min_free_kbytes_sysctl_handler - just a wrapper around proc_dointvec() so diff --git a/queue-4.5/mm-zswap-provide-unique-zpool-name.patch b/queue-4.5/mm-zswap-provide-unique-zpool-name.patch new file mode 100644 index 00000000000..8cfafb66205 --- /dev/null +++ b/queue-4.5/mm-zswap-provide-unique-zpool-name.patch @@ -0,0 +1,69 @@ +From 32a4e169039927bfb6ee9f0ccbbe3a8aaf13a4bc Mon Sep 17 00:00:00 2001 +From: Dan Streetman +Date: Thu, 5 May 2016 16:22:23 -0700 +Subject: mm/zswap: provide unique zpool name + +From: Dan Streetman + +commit 32a4e169039927bfb6ee9f0ccbbe3a8aaf13a4bc upstream. + +Instead of using "zswap" as the name for all zpools created, add an +atomic counter and use "zswap%x" with the counter number for each zpool +created, to provide a unique name for each new zpool. + +As zsmalloc, one of the zpool implementations, requires/expects a unique +name for each pool created, zswap should provide a unique name. The +zsmalloc pool creation does not fail if a new pool with a conflicting +name is created, unless CONFIG_ZSMALLOC_STAT is enabled; in that case, +zsmalloc pool creation fails with -ENOMEM. Then zswap will be unable to +change its compressor parameter if its zpool is zsmalloc; it also will +be unable to change its zpool parameter back to zsmalloc, if it has any +existing old zpool using zsmalloc with page(s) in it. Attempts to +change the parameters will result in failure to create the zpool. This +changes zswap to provide a unique name for each zpool creation. + +Fixes: f1c54846ee45 ("zswap: dynamic pool creation") +Signed-off-by: Dan Streetman +Reported-by: Sergey Senozhatsky +Reviewed-by: Sergey Senozhatsky +Cc: Dan Streetman +Cc: Minchan Kim +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/zswap.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/mm/zswap.c ++++ b/mm/zswap.c +@@ -170,6 +170,8 @@ static struct zswap_tree *zswap_trees[MA + static LIST_HEAD(zswap_pools); + /* protects zswap_pools list modification */ + static DEFINE_SPINLOCK(zswap_pools_lock); ++/* pool counter to provide unique names to zpool */ ++static atomic_t zswap_pools_count = ATOMIC_INIT(0); + + /* used by param callback function */ + static bool zswap_init_started; +@@ -565,6 +567,7 @@ static struct zswap_pool *zswap_pool_fin + static struct zswap_pool *zswap_pool_create(char *type, char *compressor) + { + struct zswap_pool *pool; ++ char name[38]; /* 'zswap' + 32 char (max) num + \0 */ + gfp_t gfp = __GFP_NORETRY | __GFP_NOWARN | __GFP_KSWAPD_RECLAIM; + + pool = kzalloc(sizeof(*pool), GFP_KERNEL); +@@ -573,7 +576,10 @@ static struct zswap_pool *zswap_pool_cre + return NULL; + } + +- pool->zpool = zpool_create_pool(type, "zswap", gfp, &zswap_zpool_ops); ++ /* unique name for each pool specifically required by zsmalloc */ ++ snprintf(name, 38, "zswap%x", atomic_inc_return(&zswap_pools_count)); ++ ++ pool->zpool = zpool_create_pool(type, name, gfp, &zswap_zpool_ops); + if (!pool->zpool) { + pr_err("%s zpool not available\n", type); + goto error; diff --git a/queue-4.5/modpost-fix-module-autoloading-for-of-devices-with-generic-compatible-property.patch b/queue-4.5/modpost-fix-module-autoloading-for-of-devices-with-generic-compatible-property.patch new file mode 100644 index 00000000000..87f6061e219 --- /dev/null +++ b/queue-4.5/modpost-fix-module-autoloading-for-of-devices-with-generic-compatible-property.patch @@ -0,0 +1,139 @@ +From acbef7b7662953cec96c243db4009ac561d88989 Mon Sep 17 00:00:00 2001 +From: Philipp Zabel +Date: Thu, 5 May 2016 16:22:29 -0700 +Subject: modpost: fix module autoloading for OF devices with generic compatible property + +From: Philipp Zabel + +commit acbef7b7662953cec96c243db4009ac561d88989 upstream. + +Since the wildcard at the end of OF module aliases is gone, autoloading +of modules that don't match a device's last (most generic) compatible +value fails. + +For example the CODA960 VPU on i.MX6Q has the SoC specific compatible +"fsl,imx6q-vpu" and the generic compatible "cnm,coda960". Since the +driver currently only works with knowledge about the SoC specific +integration, it doesn't list "cnm,cod960" in the module device table. + +This results in the device compatible +"of:NvpuTCfsl,imx6q-vpuCcnm,coda960" not matching the module alias +"of:N*T*Cfsl,imx6q-vpu" anymore, whereas before commit 2f632369ab79 +("modpost: don't add a trailing wildcard for OF module aliases") it +matched the module alias "of:N*T*Cfsl,imx6q-vpu*". + +This patch adds two module aliases for each compatible, one without the +wildcard and one with "C*" appended. + + $ modinfo coda | grep imx6q + alias: of:N*T*Cfsl,imx6q-vpuC* + alias: of:N*T*Cfsl,imx6q-vpu + +Fixes: 2f632369ab79 ("modpost: don't add a trailing wildcard for OF module aliases") +Link: http://lkml.kernel.org/r/1462203339-15340-1-git-send-email-p.zabel@pengutronix.de +Signed-off-by: Philipp Zabel +Cc: Javier Martinez Canillas +Cc: Brian Norris +Cc: Sjoerd Simons +Cc: Rusty Russell +Cc: Greg Kroah-Hartman +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/mod/file2alias.c | 69 ++++++++++++++++++++++++++++++----------------- + 1 file changed, 45 insertions(+), 24 deletions(-) + +--- a/scripts/mod/file2alias.c ++++ b/scripts/mod/file2alias.c +@@ -371,6 +371,49 @@ static void do_usb_table(void *symval, u + do_usb_entry_multi(symval + i, mod); + } + ++static void do_of_entry_multi(void *symval, struct module *mod) ++{ ++ char alias[500]; ++ int len; ++ char *tmp; ++ ++ DEF_FIELD_ADDR(symval, of_device_id, name); ++ DEF_FIELD_ADDR(symval, of_device_id, type); ++ DEF_FIELD_ADDR(symval, of_device_id, compatible); ++ ++ len = sprintf(alias, "of:N%sT%s", (*name)[0] ? *name : "*", ++ (*type)[0] ? *type : "*"); ++ ++ if (compatible[0]) ++ sprintf(&alias[len], "%sC%s", (*type)[0] ? "*" : "", ++ *compatible); ++ ++ /* Replace all whitespace with underscores */ ++ for (tmp = alias; tmp && *tmp; tmp++) ++ if (isspace(*tmp)) ++ *tmp = '_'; ++ ++ buf_printf(&mod->dev_table_buf, "MODULE_ALIAS(\"%s\");\n", alias); ++ strcat(alias, "C"); ++ add_wildcard(alias); ++ buf_printf(&mod->dev_table_buf, "MODULE_ALIAS(\"%s\");\n", alias); ++} ++ ++static void do_of_table(void *symval, unsigned long size, ++ struct module *mod) ++{ ++ unsigned int i; ++ const unsigned long id_size = SIZE_of_device_id; ++ ++ device_id_check(mod->name, "of", size, id_size, symval); ++ ++ /* Leave last one: it's the terminator. */ ++ size -= id_size; ++ ++ for (i = 0; i < size; i += id_size) ++ do_of_entry_multi(symval + i, mod); ++} ++ + /* Looks like: hid:bNvNpN */ + static int do_hid_entry(const char *filename, + void *symval, char *alias) +@@ -684,30 +727,6 @@ static int do_pcmcia_entry(const char *f + } + ADD_TO_DEVTABLE("pcmcia", pcmcia_device_id, do_pcmcia_entry); + +-static int do_of_entry (const char *filename, void *symval, char *alias) +-{ +- int len; +- char *tmp; +- DEF_FIELD_ADDR(symval, of_device_id, name); +- DEF_FIELD_ADDR(symval, of_device_id, type); +- DEF_FIELD_ADDR(symval, of_device_id, compatible); +- +- len = sprintf(alias, "of:N%sT%s", (*name)[0] ? *name : "*", +- (*type)[0] ? *type : "*"); +- +- if (compatible[0]) +- sprintf(&alias[len], "%sC%s", (*type)[0] ? "*" : "", +- *compatible); +- +- /* Replace all whitespace with underscores */ +- for (tmp = alias; tmp && *tmp; tmp++) +- if (isspace (*tmp)) +- *tmp = '_'; +- +- return 1; +-} +-ADD_TO_DEVTABLE("of", of_device_id, do_of_entry); +- + static int do_vio_entry(const char *filename, void *symval, + char *alias) + { +@@ -1348,6 +1367,8 @@ void handle_moddevtable(struct module *m + /* First handle the "special" cases */ + if (sym_is(name, namelen, "usb")) + do_usb_table(symval, sym->st_size, mod); ++ if (sym_is(name, namelen, "of")) ++ do_of_table(symval, sym->st_size, mod); + else if (sym_is(name, namelen, "pnp")) + do_pnp_device_entry(symval, sym->st_size, mod); + else if (sym_is(name, namelen, "pnp_card")) diff --git a/queue-4.5/proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch b/queue-4.5/proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch new file mode 100644 index 00000000000..902cf75769d --- /dev/null +++ b/queue-4.5/proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch @@ -0,0 +1,57 @@ +From 8148a73c9901a8794a50f950083c00ccf97d43b3 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Thu, 5 May 2016 16:22:26 -0700 +Subject: proc: prevent accessing /proc//environ until it's ready + +From: Mathias Krause + +commit 8148a73c9901a8794a50f950083c00ccf97d43b3 upstream. + +If /proc//environ gets read before the envp[] array is fully set up +in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying to +read more bytes than are actually written, as env_start will already be +set but env_end will still be zero, making the range calculation +underflow, allowing to read beyond the end of what has been written. + +Fix this as it is done for /proc//cmdline by testing env_end for +zero. It is, apparently, intentionally set last in create_*_tables(). + +This bug was found by the PaX size_overflow plugin that detected the +arithmetic underflow of 'this_len = env_end - (env_start + src)' when +env_end is still zero. + +The expected consequence is that userland trying to access +/proc//environ of a not yet fully set up process may get +inconsistent data as we're in the middle of copying in the environment +variables. + +Fixes: https://forums.grsecurity.net/viewtopic.php?f=3&t=4363 +Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=116461 +Signed-off-by: Mathias Krause +Cc: Emese Revfy +Cc: Pax Team +Cc: Al Viro +Cc: Mateusz Guzik +Cc: Alexey Dobriyan +Cc: Cyrill Gorcunov +Cc: Jarod Wilson +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/base.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -955,7 +955,8 @@ static ssize_t environ_read(struct file + struct mm_struct *mm = file->private_data; + unsigned long env_start, env_end; + +- if (!mm) ++ /* Ensure the process spawned far enough to have an environment. */ ++ if (!mm || !mm->env_end) + return 0; + + page = (char *)__get_free_page(GFP_TEMPORARY); diff --git a/queue-4.5/propogate_mnt-handle-the-first-propogated-copy-being-a-slave.patch b/queue-4.5/propogate_mnt-handle-the-first-propogated-copy-being-a-slave.patch new file mode 100644 index 00000000000..3ffb254bd65 --- /dev/null +++ b/queue-4.5/propogate_mnt-handle-the-first-propogated-copy-being-a-slave.patch @@ -0,0 +1,131 @@ +From 5ec0811d30378ae104f250bfc9b3640242d81e3f Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Thu, 5 May 2016 09:29:29 -0500 +Subject: propogate_mnt: Handle the first propogated copy being a slave + +From: Eric W. Biederman + +commit 5ec0811d30378ae104f250bfc9b3640242d81e3f upstream. + +When the first propgated copy was a slave the following oops would result: +> BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 +> IP: [] propagate_one+0xbe/0x1c0 +> PGD bacd4067 PUD bac66067 PMD 0 +> Oops: 0000 [#1] SMP +> Modules linked in: +> CPU: 1 PID: 824 Comm: mount Not tainted 4.6.0-rc5userns+ #1523 +> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 +> task: ffff8800bb0a8000 ti: ffff8800bac3c000 task.ti: ffff8800bac3c000 +> RIP: 0010:[] [] propagate_one+0xbe/0x1c0 +> RSP: 0018:ffff8800bac3fd38 EFLAGS: 00010283 +> RAX: 0000000000000000 RBX: ffff8800bb77ec00 RCX: 0000000000000010 +> RDX: 0000000000000000 RSI: ffff8800bb58c000 RDI: ffff8800bb58c480 +> RBP: ffff8800bac3fd48 R08: 0000000000000001 R09: 0000000000000000 +> R10: 0000000000001ca1 R11: 0000000000001c9d R12: 0000000000000000 +> R13: ffff8800ba713800 R14: ffff8800bac3fda0 R15: ffff8800bb77ec00 +> FS: 00007f3c0cd9b7e0(0000) GS:ffff8800bfb00000(0000) knlGS:0000000000000000 +> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +> CR2: 0000000000000010 CR3: 00000000bb79d000 CR4: 00000000000006e0 +> Stack: +> ffff8800bb77ec00 0000000000000000 ffff8800bac3fd88 ffffffff811fbf85 +> ffff8800bac3fd98 ffff8800bb77f080 ffff8800ba713800 ffff8800bb262b40 +> 0000000000000000 0000000000000000 ffff8800bac3fdd8 ffffffff811f1da0 +> Call Trace: +> [] propagate_mnt+0x105/0x140 +> [] attach_recursive_mnt+0x120/0x1e0 +> [] graft_tree+0x63/0x70 +> [] do_add_mount+0x9b/0x100 +> [] do_mount+0x2aa/0xdf0 +> [] ? strndup_user+0x4e/0x70 +> [] SyS_mount+0x75/0xc0 +> [] do_syscall_64+0x4b/0xa0 +> [] entry_SYSCALL64_slow_path+0x25/0x25 +> Code: 00 00 75 ec 48 89 0d 02 22 22 01 8b 89 10 01 00 00 48 89 05 fd 21 22 01 39 8e 10 01 00 00 0f 84 e0 00 00 00 48 8b 80 d8 00 00 00 <48> 8b 50 10 48 89 05 df 21 22 01 48 89 15 d0 21 22 01 8b 53 30 +> RIP [] propagate_one+0xbe/0x1c0 +> RSP +> CR2: 0000000000000010 +> ---[ end trace 2725ecd95164f217 ]--- + +This oops happens with the namespace_sem held and can be triggered by +non-root users. An all around not pleasant experience. + +To avoid this scenario when finding the appropriate source mount to +copy stop the walk up the mnt_master chain when the first source mount +is encountered. + +Further rewrite the walk up the last_source mnt_master chain so that +it is clear what is going on. + +The reason why the first source mount is special is that it it's +mnt_parent is not a mount in the dest_mnt propagation tree, and as +such termination conditions based up on the dest_mnt mount propgation +tree do not make sense. + +To avoid other kinds of confusion last_dest is not changed when +computing last_source. last_dest is only used once in propagate_one +and that is above the point of the code being modified, so changing +the global variable is meaningless and confusing. + +fixes: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 ("smarter propagate_mnt()") +Reported-by: Tycho Andersen +Reviewed-by: Seth Forshee +Tested-by: Seth Forshee +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/pnode.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +--- a/fs/pnode.c ++++ b/fs/pnode.c +@@ -198,7 +198,7 @@ static struct mount *next_group(struct m + + /* all accesses are serialized by namespace_sem */ + static struct user_namespace *user_ns; +-static struct mount *last_dest, *last_source, *dest_master; ++static struct mount *last_dest, *first_source, *last_source, *dest_master; + static struct mountpoint *mp; + static struct hlist_head *list; + +@@ -221,20 +221,22 @@ static int propagate_one(struct mount *m + type = CL_MAKE_SHARED; + } else { + struct mount *n, *p; ++ bool done; + for (n = m; ; n = p) { + p = n->mnt_master; +- if (p == dest_master || IS_MNT_MARKED(p)) { +- while (last_dest->mnt_master != p) { +- last_source = last_source->mnt_master; +- last_dest = last_source->mnt_parent; +- } +- if (!peers(n, last_dest)) { +- last_source = last_source->mnt_master; +- last_dest = last_source->mnt_parent; +- } ++ if (p == dest_master || IS_MNT_MARKED(p)) + break; +- } + } ++ do { ++ struct mount *parent = last_source->mnt_parent; ++ if (last_source == first_source) ++ break; ++ done = parent->mnt_master == p; ++ if (done && peers(n, parent)) ++ break; ++ last_source = last_source->mnt_master; ++ } while (!done); ++ + type = CL_SLAVE; + /* beginning of peer group among the slaves? */ + if (IS_MNT_SHARED(m)) +@@ -286,6 +288,7 @@ int propagate_mnt(struct mount *dest_mnt + */ + user_ns = current->nsproxy->mnt_ns->user_ns; + last_dest = dest_mnt; ++ first_source = source_mnt; + last_source = source_mnt; + mp = dest_mp; + list = tree_list; diff --git a/queue-4.5/series b/queue-4.5/series index 0fc7b66027e..1460c7bf4fc 100644 --- a/queue-4.5/series +++ b/queue-4.5/series @@ -35,3 +35,22 @@ mac80211-fix-statistics-leak-if-dev_alloc_name-fails.patch tracing-don-t-display-trigger-file-for-events-that-can-t-be-enabled.patch md-make-bio-mergeable.patch minimal-fix-up-of-bad-hashing-behavior-of-hash_64.patch +mm-memcontrol-let-v2-cgroups-follow-changes-in-system-swappiness.patch +mm-cma-prevent-nr_isolated_-counters-from-going-negative.patch +mm-zswap-provide-unique-zpool-name.patch +propogate_mnt-handle-the-first-propogated-copy-being-a-slave.patch +modpost-fix-module-autoloading-for-of-devices-with-generic-compatible-property.patch +arm-exynos-properly-skip-unitialized-parent-clock-in-power-domain-on.patch +arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch +xen-fix-page-pfn-conversion-on-32-bit-systems.patch +xen-balloon-fix-crash-when-ballooning-on-x86-32-bit-pae.patch +xen-evtchn-fix-ring-resize-when-binding-new-events.patch +hid-wacom-add-support-for-dtk-1651.patch +hid-fix-boot-delay-for-creative-sb-omni-surround-5.1-with-quirk.patch +input-zforce_ts-fix-dual-touch-recognition.patch +proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch +mm-update-min_free_kbytes-from-khugepaged-after-core-initialization.patch +batman-adv-fix-dat-candidate-selection-must-use-vid.patch +batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch +batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch +batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch diff --git a/queue-4.5/xen-balloon-fix-crash-when-ballooning-on-x86-32-bit-pae.patch b/queue-4.5/xen-balloon-fix-crash-when-ballooning-on-x86-32-bit-pae.patch new file mode 100644 index 00000000000..058bcb80fc5 --- /dev/null +++ b/queue-4.5/xen-balloon-fix-crash-when-ballooning-on-x86-32-bit-pae.patch @@ -0,0 +1,60 @@ +From dfd74a1edfaba5864276a2859190a8d242d18952 Mon Sep 17 00:00:00 2001 +From: Ross Lagerwall +Date: Thu, 17 Mar 2016 16:52:00 +0000 +Subject: xen/balloon: Fix crash when ballooning on x86 32 bit PAE + +From: Ross Lagerwall + +commit dfd74a1edfaba5864276a2859190a8d242d18952 upstream. + +Commit 55b3da98a40dbb3776f7454daf0d95dde25c33d2 (xen/balloon: find +non-conflicting regions to place hotplugged memory) caused a +regression in 4.4. + +When ballooning on an x86 32 bit PAE system with close to 64 GiB of +memory, the address returned by allocate_resource may be above 64 GiB. +When using CONFIG_SPARSEMEM, this setup is limited to using physical +addresses < 64 GiB. When adding memory at this address, it runs off +the end of the mem_section array and causes a crash. Instead, fail +the ballooning request. + +Signed-off-by: Ross Lagerwall +Signed-off-by: David Vrabel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/balloon.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -152,6 +152,8 @@ static DECLARE_WAIT_QUEUE_HEAD(balloon_w + static void balloon_process(struct work_struct *work); + static DECLARE_DELAYED_WORK(balloon_worker, balloon_process); + ++static void release_memory_resource(struct resource *resource); ++ + /* When ballooning out (allocating memory to return to Xen) we don't really + want the kernel to try too hard since that can trigger the oom killer. */ + #define GFP_BALLOON \ +@@ -268,6 +270,20 @@ static struct resource *additional_memor + return NULL; + } + ++#ifdef CONFIG_SPARSEMEM ++ { ++ unsigned long limit = 1UL << (MAX_PHYSMEM_BITS - PAGE_SHIFT); ++ unsigned long pfn = res->start >> PAGE_SHIFT; ++ ++ if (pfn > limit) { ++ pr_err("New System RAM resource outside addressable RAM (%lu > %lu)\n", ++ pfn, limit); ++ release_memory_resource(res); ++ return NULL; ++ } ++ } ++#endif ++ + return res; + } + diff --git a/queue-4.5/xen-evtchn-fix-ring-resize-when-binding-new-events.patch b/queue-4.5/xen-evtchn-fix-ring-resize-when-binding-new-events.patch new file mode 100644 index 00000000000..c2de96b7606 --- /dev/null +++ b/queue-4.5/xen-evtchn-fix-ring-resize-when-binding-new-events.patch @@ -0,0 +1,72 @@ +From 27e0e6385377c4dc68a4ddaf1a35a2dfa951f3c5 Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Wed, 4 May 2016 07:02:36 -0600 +Subject: xen/evtchn: fix ring resize when binding new events + +From: Jan Beulich + +commit 27e0e6385377c4dc68a4ddaf1a35a2dfa951f3c5 upstream. + +The copying of ring data was wrong for two cases: For a full ring +nothing got copied at all (as in that case the canonicalized producer +and consumer indexes are identical). And in case one or both of the +canonicalized (after the resize) indexes would point into the second +half of the buffer, the copied data ended up in the wrong (free) part +of the new buffer. In both cases uninitialized data would get passed +back to the caller. + +Fix this by simply copying the old ring contents twice: Once to the +low half of the new buffer, and a second time to the high half. + +This addresses the inability to boot a HVM guest with 64 or more +vCPUs. This regression was caused by 8620015499101090 (xen/evtchn: +dynamically grow pending event channel ring). + +Reported-by: Konrad Rzeszutek Wilk +Signed-off-by: Jan Beulich +Signed-off-by: David Vrabel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/evtchn.c | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +--- a/drivers/xen/evtchn.c ++++ b/drivers/xen/evtchn.c +@@ -316,7 +316,6 @@ static int evtchn_resize_ring(struct per + { + unsigned int new_size; + evtchn_port_t *new_ring, *old_ring; +- unsigned int p, c; + + /* + * Ensure the ring is large enough to capture all possible +@@ -346,20 +345,17 @@ static int evtchn_resize_ring(struct per + /* + * Copy the old ring contents to the new ring. + * +- * If the ring contents crosses the end of the current ring, +- * it needs to be copied in two chunks. ++ * To take care of wrapping, a full ring, and the new index ++ * pointing into the second half, simply copy the old contents ++ * twice. + * + * +---------+ +------------------+ +- * |34567 12| -> | 1234567 | +- * +-----p-c-+ +------------------+ ++ * |34567 12| -> |34567 1234567 12| ++ * +-----p-c-+ +-------c------p---+ + */ +- p = evtchn_ring_offset(u, u->ring_prod); +- c = evtchn_ring_offset(u, u->ring_cons); +- if (p < c) { +- memcpy(new_ring + c, u->ring + c, (u->ring_size - c) * sizeof(*u->ring)); +- memcpy(new_ring + u->ring_size, u->ring, p * sizeof(*u->ring)); +- } else +- memcpy(new_ring + c, u->ring + c, (p - c) * sizeof(*u->ring)); ++ memcpy(new_ring, old_ring, u->ring_size * sizeof(*u->ring)); ++ memcpy(new_ring + u->ring_size, old_ring, ++ u->ring_size * sizeof(*u->ring)); + + u->ring = new_ring; + u->ring_size = new_size; diff --git a/queue-4.5/xen-fix-page-pfn-conversion-on-32-bit-systems.patch b/queue-4.5/xen-fix-page-pfn-conversion-on-32-bit-systems.patch new file mode 100644 index 00000000000..21294f89c19 --- /dev/null +++ b/queue-4.5/xen-fix-page-pfn-conversion-on-32-bit-systems.patch @@ -0,0 +1,43 @@ +From 60901df3aed230d4565dca003f11b6a95fbf30d9 Mon Sep 17 00:00:00 2001 +From: Ross Lagerwall +Date: Thu, 17 Mar 2016 16:51:59 +0000 +Subject: xen: Fix page <-> pfn conversion on 32 bit systems + +From: Ross Lagerwall + +commit 60901df3aed230d4565dca003f11b6a95fbf30d9 upstream. + +Commit 1084b1988d22dc165c9dbbc2b0e057f9248ac4db (xen: Add Xen specific +page definition) caused a regression in 4.4. + +The xen functions to convert between pages and pfns fail due to an +overflow on systems where a physical address may not fit in an +unsigned long (e.g. x86 32 bit PAE systems). Rework the conversion to +avoid overflow. This should also result in simpler object code. + +This bug manifested itself as disk corruption with Linux 4.4 when +using blkfront in a Xen HVM x86 32 bit guest with more than 4 GiB of +memory. + +Signed-off-by: Ross Lagerwall +Signed-off-by: David Vrabel +Signed-off-by: Greg Kroah-Hartman + +--- + include/xen/page.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/xen/page.h ++++ b/include/xen/page.h +@@ -15,9 +15,9 @@ + */ + + #define xen_pfn_to_page(xen_pfn) \ +- ((pfn_to_page(((unsigned long)(xen_pfn) << XEN_PAGE_SHIFT) >> PAGE_SHIFT))) ++ (pfn_to_page((unsigned long)(xen_pfn) >> (PAGE_SHIFT - XEN_PAGE_SHIFT))) + #define page_to_xen_pfn(page) \ +- (((page_to_pfn(page)) << PAGE_SHIFT) >> XEN_PAGE_SHIFT) ++ ((page_to_pfn(page)) << (PAGE_SHIFT - XEN_PAGE_SHIFT)) + + #define XEN_PFN_PER_PAGE (PAGE_SIZE / XEN_PAGE_SIZE) +