From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 30 Jan 2017 09:07:06 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.46~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c5b549a00f9f31ab090396e6f8bb01eb04769e2d;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	isdn-eicon-silence-misleading-array-bounds-warning.patch
	mm-mempolicy.c-do-not-put-mempolicy-before-using-its-nodemask.patch
	sysctl-fix-proc_doulongvec_ms_jiffies_minmax.patch
---

diff --git a/queue-4.4/isdn-eicon-silence-misleading-array-bounds-warning.patch b/queue-4.4/isdn-eicon-silence-misleading-array-bounds-warning.patch
new file mode 100644
index 00000000000..6ad8d9cf30e
--- /dev/null
+++ b/queue-4.4/isdn-eicon-silence-misleading-array-bounds-warning.patch
@@ -0,0 +1,41 @@
+From 950eabbd6ddedc1b08350b9169a6a51b130ebaaf Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 27 Jan 2017 13:32:14 +0100
+Subject: ISDN: eicon: silence misleading array-bounds warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 950eabbd6ddedc1b08350b9169a6a51b130ebaaf upstream.
+
+With some gcc versions, we get a warning about the eicon driver,
+and that currently shows up as the only remaining warning in one
+of the build bots:
+
+In file included from ../drivers/isdn/hardware/eicon/message.c:30:0:
+eicon/message.c: In function 'mixer_notify_update':
+eicon/platform.h:333:18: warning: array subscript is above array bounds [-Warray-bounds]
+
+The code is easily changed to open-code the unusual PUT_WORD() line
+causing this to avoid the warning.
+
+Link: http://arm-soc.lixom.net/buildlogs/stable-rc/v4.4.45/
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/isdn/hardware/eicon/message.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/isdn/hardware/eicon/message.c
++++ b/drivers/isdn/hardware/eicon/message.c
+@@ -11304,7 +11304,8 @@ static void mixer_notify_update(PLCI *pl
+ 				((CAPI_MSG *) msg)->header.ncci = 0;
+ 				((CAPI_MSG *) msg)->info.facility_req.Selector = SELECTOR_LINE_INTERCONNECT;
+ 				((CAPI_MSG *) msg)->info.facility_req.structs[0] = 3;
+-				PUT_WORD(&(((CAPI_MSG *) msg)->info.facility_req.structs[1]), LI_REQ_SILENT_UPDATE);
++				((CAPI_MSG *) msg)->info.facility_req.structs[1] = LI_REQ_SILENT_UPDATE & 0xff;
++				((CAPI_MSG *) msg)->info.facility_req.structs[2] = LI_REQ_SILENT_UPDATE >> 8;
+ 				((CAPI_MSG *) msg)->info.facility_req.structs[3] = 0;
+ 				w = api_put(notify_plci->appl, (CAPI_MSG *) msg);
+ 				if (w != _QUEUE_FULL)
diff --git a/queue-4.4/mm-mempolicy.c-do-not-put-mempolicy-before-using-its-nodemask.patch b/queue-4.4/mm-mempolicy.c-do-not-put-mempolicy-before-using-its-nodemask.patch
new file mode 100644
index 00000000000..04537e45f2a
--- /dev/null
+++ b/queue-4.4/mm-mempolicy.c-do-not-put-mempolicy-before-using-its-nodemask.patch
@@ -0,0 +1,48 @@
+From d51e9894d27492783fc6d1b489070b4ba66ce969 Mon Sep 17 00:00:00 2001
+From: Vlastimil Babka <vbabka@suse.cz>
+Date: Tue, 24 Jan 2017 15:18:18 -0800
+Subject: mm/mempolicy.c: do not put mempolicy before using its nodemask
+
+From: Vlastimil Babka <vbabka@suse.cz>
+
+commit d51e9894d27492783fc6d1b489070b4ba66ce969 upstream.
+
+Since commit be97a41b291e ("mm/mempolicy.c: merge alloc_hugepage_vma to
+alloc_pages_vma") alloc_pages_vma() can potentially free a mempolicy by
+mpol_cond_put() before accessing the embedded nodemask by
+__alloc_pages_nodemask().  The commit log says it's so "we can use a
+single exit path within the function" but that's clearly wrong.  We can
+still do that when doing mpol_cond_put() after the allocation attempt.
+
+Make sure the mempolicy is not freed prematurely, otherwise
+__alloc_pages_nodemask() can end up using a bogus nodemask, which could
+lead e.g.  to premature OOM.
+
+Fixes: be97a41b291e ("mm/mempolicy.c: merge alloc_hugepage_vma to alloc_pages_vma")
+Link: http://lkml.kernel.org/r/20170118141124.8345-1-vbabka@suse.cz
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: David Rientjes <rientjes@google.com>
+Cc: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mempolicy.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -2006,8 +2006,8 @@ retry_cpuset:
+ 
+ 	nmask = policy_nodemask(gfp, pol);
+ 	zl = policy_zonelist(gfp, pol, node);
+-	mpol_cond_put(pol);
+ 	page = __alloc_pages_nodemask(gfp, order, zl, nmask);
++	mpol_cond_put(pol);
+ out:
+ 	if (unlikely(!page && read_mems_allowed_retry(cpuset_mems_cookie)))
+ 		goto retry_cpuset;
diff --git a/queue-4.4/series b/queue-4.4/series
index aa8bde42540..d36cb1585a2 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -1,3 +1,6 @@
 fbdev-color-map-copying-bounds-checking.patch
 tile-ptrace-preserve-previous-registers-for-short-regset-write.patch
 drm-fix-broken-vt-switch-with-video-1366x768-option.patch
+mm-mempolicy.c-do-not-put-mempolicy-before-using-its-nodemask.patch
+sysctl-fix-proc_doulongvec_ms_jiffies_minmax.patch
+isdn-eicon-silence-misleading-array-bounds-warning.patch
diff --git a/queue-4.4/sysctl-fix-proc_doulongvec_ms_jiffies_minmax.patch b/queue-4.4/sysctl-fix-proc_doulongvec_ms_jiffies_minmax.patch
new file mode 100644
index 00000000000..46b4c101b46
--- /dev/null
+++ b/queue-4.4/sysctl-fix-proc_doulongvec_ms_jiffies_minmax.patch
@@ -0,0 +1,34 @@
+From ff9f8a7cf935468a94d9927c68b00daae701667e Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 25 Jan 2017 18:20:55 -0800
+Subject: sysctl: fix proc_doulongvec_ms_jiffies_minmax()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit ff9f8a7cf935468a94d9927c68b00daae701667e upstream.
+
+We perform the conversion between kernel jiffies and ms only when
+exporting kernel value to user space.
+
+We need to do the opposite operation when value is written by user.
+
+Only matters when HZ != 1000
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sysctl.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2414,6 +2414,7 @@ static int __do_proc_doulongvec_minmax(v
+ 				break;
+ 			if (neg)
+ 				continue;
++			val = convmul * val / convdiv;
+ 			if ((min && val < *min) || (max && val > *max))
+ 				continue;
+ 			*i = val;