From: Greg Kroah-Hartman Date: Tue, 10 Jan 2017 13:14:30 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.42~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d403e538491b74a3bc50341c155092c15717fb41;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: clocksource-dummy_timer-move-hotplug-callback-after-the-real-timers.patch tick-broadcast-prevent-null-pointer-dereference.patch --- diff --git a/queue-4.9/clocksource-dummy_timer-move-hotplug-callback-after-the-real-timers.patch b/queue-4.9/clocksource-dummy_timer-move-hotplug-callback-after-the-real-timers.patch new file mode 100644 index 00000000000..60b497b1451 --- /dev/null +++ b/queue-4.9/clocksource-dummy_timer-move-hotplug-callback-after-the-real-timers.patch 
@@ -0,0 +1,58 @@ +From 9bf11ecce5a2758e5a097c2f3a13d08552d0d6f9 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Thu, 15 Dec 2016 12:01:05 +0100 +Subject: clocksource/dummy_timer: Move hotplug callback after the real timers + +From: Thomas Gleixner + +commit 9bf11ecce5a2758e5a097c2f3a13d08552d0d6f9 upstream. + +When the dummy timer callback is invoked before the real timer callbacks, +then it tries to install that timer for the starting CPU. If the platform +does not have a broadcast timer installed the installation fails with a +kernel crash. The crash happens due to a unconditional deference of the non +available broadcast device. This needs to be fixed in the timer core code. + +But even when this is fixed in the core code then installing the dummy +timer before the real timers is a pointless exercise. + +Move it to the end of the callback list. + +Fixes: 00c1d17aab51 ("clocksource/dummy_timer: Convert to hotplug state machine") +Reported-and-tested-by: Mason +Signed-off-by: Thomas Gleixner +Cc: Mark Rutland +Cc: Anna-Maria Gleixner +Cc: Richard Cochran +Cc: Sebastian Andrzej Siewior +Cc: Daniel Lezcano +Cc: Peter Zijlstra , +Cc: Sebastian Frias +Cc: Thibaud Cornic +Cc: Robin Murphy +Link: http://lkml.kernel.org/r/1147ef90-7877-e4d2-bb2b-5c4fa8d3144b@free.fr +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/cpuhotplug.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/linux/cpuhotplug.h ++++ b/include/linux/cpuhotplug.h +@@ -80,7 +80,6 @@ enum cpuhp_state { + CPUHP_AP_ARM_L2X0_STARTING, + CPUHP_AP_ARM_ARCH_TIMER_STARTING, + CPUHP_AP_ARM_GLOBAL_TIMER_STARTING, +- CPUHP_AP_DUMMY_TIMER_STARTING, + CPUHP_AP_JCORE_TIMER_STARTING, + CPUHP_AP_EXYNOS4_MCT_TIMER_STARTING, + CPUHP_AP_ARM_TWD_STARTING, +@@ -94,6 +93,8 @@ enum cpuhp_state { + CPUHP_AP_KVM_ARM_VGIC_INIT_STARTING, + CPUHP_AP_KVM_ARM_VGIC_STARTING, + CPUHP_AP_KVM_ARM_TIMER_STARTING, ++ /* Must be the last timer callback */ ++ CPUHP_AP_DUMMY_TIMER_STARTING, + 
CPUHP_AP_ARM_XEN_STARTING, + CPUHP_AP_ARM_CORESIGHT_STARTING, + CPUHP_AP_ARM_CORESIGHT4_STARTING, diff --git a/queue-4.9/series b/queue-4.9/series index 11f0ded7f9e..c30f6b0aef7 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -202,3 +202,5 @@ xfs-fix-double-cleanup-when-cui-recovery-fails.patch xfs-use-the-actual-ag-length-when-reserving-blocks.patch xfs-fix-crash-and-data-corruption-due-to-removal-of-busy-cow-extents.patch xfs-fix-max_retries-_show-and-_store-functions.patch +clocksource-dummy_timer-move-hotplug-callback-after-the-real-timers.patch +tick-broadcast-prevent-null-pointer-dereference.patch diff --git a/queue-4.9/tick-broadcast-prevent-null-pointer-dereference.patch b/queue-4.9/tick-broadcast-prevent-null-pointer-dereference.patch new file mode 100644 index 00000000000..f68f77a356b --- /dev/null +++ b/queue-4.9/tick-broadcast-prevent-null-pointer-dereference.patch 
@@ -0,0 +1,46 @@ +From c1a9eeb938b5433947e5ea22f89baff3182e7075 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Thu, 15 Dec 2016 12:10:37 +0100 +Subject: tick/broadcast: Prevent NULL pointer dereference + +From: Thomas Gleixner + +commit c1a9eeb938b5433947e5ea22f89baff3182e7075 upstream. + +When a disfunctional timer, e.g. dummy timer, is installed, the tick core +tries to setup the broadcast timer. + +If no broadcast device is installed, the kernel crashes with a NULL pointer +dereference in tick_broadcast_setup_oneshot() because the function has no +sanity check. + +Reported-by: Mason +Signed-off-by: Thomas Gleixner +Cc: Mark Rutland +Cc: Anna-Maria Gleixner +Cc: Richard Cochran +Cc: Sebastian Andrzej Siewior +Cc: Daniel Lezcano +Cc: Peter Zijlstra , +Cc: Sebastian Frias +Cc: Thibaud Cornic +Cc: Robin Murphy +Link: http://lkml.kernel.org/r/1147ef90-7877-e4d2-bb2b-5c4fa8d3144b@free.fr +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/tick-broadcast.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/time/tick-broadcast.c ++++ b/kernel/time/tick-broadcast.c +@@ -871,6 +871,9 @@ void tick_broadcast_setup_oneshot(struct + { + int cpu = smp_processor_id(); + ++ if (!bc) ++ return; ++ + /* Set it up only once ! */ + if (bc->event_handler != tick_handle_oneshot_broadcast) { + int was_periodic = clockevent_state_periodic(bc);
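Review bot: In the include/linux/cpuhotplug.h hunk of clocksource-dummy_timer-move-hotplug-callback-after-the-real-timers.patch, the ordering requirement rests only on the enum position and the one-line comment `/* Must be the last timer callback */`, which does not say why. A timer state added below CPUHP_AP_DUMMY_TIMER_STARTING later would put the dummy timer ahead of a real timer again, which is the situation the commit message describes as leading to the crash. Suggest extending the comment to give the reason from the commit message (the dummy timer callback tries to install that timer for the starting CPU, and that fails when no broadcast timer is installed), so the constraint survives future additions to the list.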
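Review bot: In the kernel/time/tick-broadcast.c hunk of tick-broadcast-prevent-null-pointer-dereference.patch, the new `if (!bc) return;` at the top of tick_broadcast_setup_oneshot() returns silently from a void function, so a missing broadcast device leaves no indication for the caller or in the log. A short comment above the check naming the case from the commit message (a dummy timer is installed and no broadcast device exists) would document why bc can be NULL here, and it is worth confirming that callers tolerate the setup being skipped. The patch also carries no Fixes: tag, unlike its companion in the same queue, so the range of stable trees that need it is not evident from the patch itself.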