From: Greg Kroah-Hartman Date: Fri, 6 May 2016 18:36:59 +0000 (-0400) Subject: 4.4-stable patches X-Git-Tag: v3.14.69~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f38783b2c112754624af0759efad7f3fdc9f2c37;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: arm-exynos-properly-skip-unitialized-parent-clock-in-power-domain-on.patch arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch batman-adv-fix-dat-candidate-selection-must-use-vid.patch batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch hid-fix-boot-delay-for-creative-sb-omni-surround-5.1-with-quirk.patch hid-wacom-add-support-for-dtk-1651.patch input-zforce_ts-fix-dual-touch-recognition.patch mm-cma-prevent-nr_isolated_-counters-from-going-negative.patch mm-update-min_free_kbytes-from-khugepaged-after-core-initialization.patch mm-zswap-provide-unique-zpool-name.patch proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch xen-balloon-fix-crash-when-ballooning-on-x86-32-bit-pae.patch xen-evtchn-fix-ring-resize-when-binding-new-events.patch xen-fix-page-pfn-conversion-on-32-bit-systems.patch --- diff --git a/queue-4.4/arm-exynos-properly-skip-unitialized-parent-clock-in-power-domain-on.patch b/queue-4.4/arm-exynos-properly-skip-unitialized-parent-clock-in-power-domain-on.patch new file mode 100644 index 00000000000..125acc1d88b --- /dev/null +++ b/queue-4.4/arm-exynos-properly-skip-unitialized-parent-clock-in-power-domain-on.patch @@ -0,0 +1,40 @@ +From a0a966b83873f33778710a4fc59240244b0734a5 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Fri, 22 Apr 2016 09:26:52 +0200 +Subject: ARM: EXYNOS: Properly skip unitialized parent clock in power domain on + +From: Krzysztof Kozlowski + +commit a0a966b83873f33778710a4fc59240244b0734a5 upstream. + +We want to skip reparenting a clock on turning on power domain, if we +do not have the parent yet. The parent is obtained when turning the +domain off. However due to a typo, the loop is continued on IS_ERR() of +clock being reparented, not on the IS_ERR() of the parent. + +Theoretically this could lead to OOPS on first turn on of a power +domain, if there was no turn off before. Practically that should never +happen because all power domains are turned on by default (reset value, +bootloader does not turn off them usually) so the first action will be +always turn off. + +Fixes: 29e5eea06bc1 ("ARM: EXYNOS: Get current parent clock for power domain on/off") +Reported-by: Vladimir Zapolskiy +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-exynos/pm_domains.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/mach-exynos/pm_domains.c ++++ b/arch/arm/mach-exynos/pm_domains.c +@@ -92,7 +92,7 @@ static int exynos_pd_power(struct generi + if (IS_ERR(pd->clk[i])) + break; + +- if (IS_ERR(pd->clk[i])) ++ if (IS_ERR(pd->pclk[i])) + continue; /* Skip on first power up */ + if (clk_set_parent(pd->clk[i], pd->pclk[i])) + pr_err("%s: error setting parent to clock%d\n", diff --git a/queue-4.4/arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch b/queue-4.4/arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch new file mode 100644 index 00000000000..226a8e50f0b --- /dev/null +++ b/queue-4.4/arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch @@ -0,0 +1,34 @@ +From 5616f36713ea77f57ae908bf2fef641364403c9f Mon Sep 17 00:00:00 2001 +From: Sascha Hauer +Date: Wed, 20 Apr 2016 13:34:31 +0000 +Subject: ARM: SoCFPGA: Fix secondary CPU startup in thumb2 kernel + +From: Sascha Hauer + +commit 5616f36713ea77f57ae908bf2fef641364403c9f upstream. + +The secondary CPU starts up in ARM mode. When the kernel is compiled in +thumb2 mode we have to explicitly compile the secondary startup +trampoline in ARM mode, otherwise the CPU will go to Nirvana. + +Signed-off-by: Sascha Hauer +Reported-by: Steffen Trumtrar +Suggested-by: Ard Biesheuvel +Signed-off-by: Dinh Nguyen +Signed-off-by: Kevin Hilman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-socfpga/headsmp.S | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/mach-socfpga/headsmp.S ++++ b/arch/arm/mach-socfpga/headsmp.S +@@ -13,6 +13,7 @@ + #include + + .arch armv7-a ++ .arm + + ENTRY(secondary_trampoline) + /* CPU1 will always fetch from 0x0 when it is brought out of reset. diff --git a/queue-4.4/batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch b/queue-4.4/batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch new file mode 100644 index 00000000000..8db98523720 --- /dev/null +++ b/queue-4.4/batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch @@ -0,0 +1,52 @@ +From c78296665c3d81f040117432ab9e1cb125521b0c Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Fri, 26 Feb 2016 17:56:13 +0100 +Subject: batman-adv: Check skb size before using encapsulated ETH+VLAN header + +From: Sven Eckelmann + +commit c78296665c3d81f040117432ab9e1cb125521b0c upstream. + +The encapsulated ethernet and VLAN header may be outside the received +ethernet frame. Thus the skb buffer size has to be checked before it can be +parsed to find out if it encapsulates another batman-adv packet. + +Fixes: 420193573f11 ("batman-adv: softif bridge loop avoidance") +Signed-off-by: Sven Eckelmann +Signed-off-by: Marek Lindner +Signed-off-by: Antonio Quartulli +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/soft-interface.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -407,11 +407,17 @@ void batadv_interface_rx(struct net_devi + */ + nf_reset(skb); + ++ if (unlikely(!pskb_may_pull(skb, ETH_HLEN))) ++ goto dropped; ++ + vid = batadv_get_vid(skb, 0); + ethhdr = eth_hdr(skb); + + switch (ntohs(ethhdr->h_proto)) { + case ETH_P_8021Q: ++ if (!pskb_may_pull(skb, VLAN_ETH_HLEN)) ++ goto dropped; ++ + vhdr = (struct vlan_ethhdr *)skb->data; + + if (vhdr->h_vlan_encapsulated_proto != ethertype) +@@ -423,8 +429,6 @@ void batadv_interface_rx(struct net_devi + } + + /* skb->dev & skb->pkt_type are set here */ +- if (unlikely(!pskb_may_pull(skb, ETH_HLEN))) +- goto dropped; + skb->protocol = eth_type_trans(skb, soft_iface); + + /* should not be necessary anymore as we use skb_pull_rcsum() diff --git a/queue-4.4/batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch b/queue-4.4/batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch new file mode 100644 index 00000000000..de88291559e --- /dev/null +++ b/queue-4.4/batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch @@ -0,0 +1,45 @@ +From c4fdb6cff2aa0ae740c5f19b6f745cbbe786d42f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Linus=20L=C3=BCssing?= +Date: Fri, 11 Mar 2016 14:04:49 +0100 +Subject: batman-adv: Fix broadcast/ogm queue limit on a removed interface +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Lüssing + +commit c4fdb6cff2aa0ae740c5f19b6f745cbbe786d42f upstream. + +When removing a single interface while a broadcast or ogm packet is +still pending then we will free the forward packet without releasing the +queue slots again. + +This patch is supposed to fix this issue. + +Fixes: 6d5808d4ae1b ("batman-adv: Add missing hardif_free_ref in forw_packet_free") +Signed-off-by: Linus Lüssing +[sven@narfation.org: fix conflicts with current version] +Signed-off-by: Sven Eckelmann +Signed-off-by: Marek Lindner +Signed-off-by: Antonio Quartulli +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/send.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/batman-adv/send.c ++++ b/net/batman-adv/send.c +@@ -657,6 +657,12 @@ batadv_purge_outstanding_packets(struct + + if (pending) { + hlist_del(&forw_packet->list); ++ if (!forw_packet->own) ++ atomic_inc(&bat_priv->bcast_queue_left); ++ ++ if (!forw_packet->own) ++ atomic_inc(&bat_priv->batman_queue_left); ++ + batadv_forw_packet_free(forw_packet); + } + } diff --git a/queue-4.4/batman-adv-fix-dat-candidate-selection-must-use-vid.patch b/queue-4.4/batman-adv-fix-dat-candidate-selection-must-use-vid.patch new file mode 100644 index 00000000000..51759538de4 --- /dev/null +++ b/queue-4.4/batman-adv-fix-dat-candidate-selection-must-use-vid.patch @@ -0,0 +1,99 @@ +From 2871734e85e920503d49b3a8bc0afbe0773b6036 Mon Sep 17 00:00:00 2001 +From: Antonio Quartulli +Date: Sat, 12 Mar 2016 11:12:59 +0100 +Subject: batman-adv: fix DAT candidate selection (must use vid) + +From: Antonio Quartulli + +commit 2871734e85e920503d49b3a8bc0afbe0773b6036 upstream. + +Now that DAT is VLAN aware, it must use the VID when +computing the DHT address of the candidate nodes where +an entry is going to be stored/retrieved. + +Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware") +Signed-off-by: Antonio Quartulli +[sven@narfation.org: fix conflicts with current version] +Signed-off-by: Sven Eckelmann +Signed-off-by: Marek Lindner +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/distributed-arp-table.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/net/batman-adv/distributed-arp-table.c ++++ b/net/batman-adv/distributed-arp-table.c +@@ -553,6 +553,7 @@ static void batadv_choose_next_candidate + * be sent to + * @bat_priv: the bat priv with all the soft interface information + * @ip_dst: ipv4 to look up in the DHT ++ * @vid: VLAN identifier + * + * An originator O is selected if and only if its DHT_ID value is one of three + * closest values (from the LEFT, with wrap around if needed) then the hash +@@ -561,7 +562,8 @@ static void batadv_choose_next_candidate + * Returns the candidate array of size BATADV_DAT_CANDIDATE_NUM. + */ + static struct batadv_dat_candidate * +-batadv_dat_select_candidates(struct batadv_priv *bat_priv, __be32 ip_dst) ++batadv_dat_select_candidates(struct batadv_priv *bat_priv, __be32 ip_dst, ++ unsigned short vid) + { + int select; + batadv_dat_addr_t last_max = BATADV_DAT_ADDR_MAX, ip_key; +@@ -577,7 +579,7 @@ batadv_dat_select_candidates(struct bata + return NULL; + + dat.ip = ip_dst; +- dat.vid = 0; ++ dat.vid = vid; + ip_key = (batadv_dat_addr_t)batadv_hash_dat(&dat, + BATADV_DAT_ADDR_MAX); + +@@ -597,6 +599,7 @@ batadv_dat_select_candidates(struct bata + * @bat_priv: the bat priv with all the soft interface information + * @skb: payload to send + * @ip: the DHT key ++ * @vid: VLAN identifier + * @packet_subtype: unicast4addr packet subtype to use + * + * This function copies the skb with pskb_copy() and is sent as unicast packet +@@ -607,7 +610,7 @@ batadv_dat_select_candidates(struct bata + */ + static bool batadv_dat_send_data(struct batadv_priv *bat_priv, + struct sk_buff *skb, __be32 ip, +- int packet_subtype) ++ unsigned short vid, int packet_subtype) + { + int i; + bool ret = false; +@@ -616,7 +619,7 @@ static bool batadv_dat_send_data(struct + struct sk_buff *tmp_skb; + struct batadv_dat_candidate *cand; + +- cand = batadv_dat_select_candidates(bat_priv, ip); ++ cand = batadv_dat_select_candidates(bat_priv, ip, vid); + if (!cand) + goto out; + +@@ -1004,7 +1007,7 @@ bool batadv_dat_snoop_outgoing_arp_reque + ret = true; + } else { + /* Send the request to the DHT */ +- ret = batadv_dat_send_data(bat_priv, skb, ip_dst, ++ ret = batadv_dat_send_data(bat_priv, skb, ip_dst, vid, + BATADV_P_DAT_DHT_GET); + } + out: +@@ -1132,8 +1135,8 @@ void batadv_dat_snoop_outgoing_arp_reply + /* Send the ARP reply to the candidates for both the IP addresses that + * the node obtained from the ARP reply + */ +- batadv_dat_send_data(bat_priv, skb, ip_src, BATADV_P_DAT_DHT_PUT); +- batadv_dat_send_data(bat_priv, skb, ip_dst, BATADV_P_DAT_DHT_PUT); ++ batadv_dat_send_data(bat_priv, skb, ip_src, vid, BATADV_P_DAT_DHT_PUT); ++ batadv_dat_send_data(bat_priv, skb, ip_dst, vid, BATADV_P_DAT_DHT_PUT); + } + + /** diff --git a/queue-4.4/batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch b/queue-4.4/batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch new file mode 100644 index 00000000000..cf270e454d0 --- /dev/null +++ b/queue-4.4/batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch @@ -0,0 +1,48 @@ +From d1a65f1741bfd9c69f9e4e2ad447a89b6810427d Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Sun, 20 Mar 2016 12:27:53 +0100 +Subject: batman-adv: Reduce refcnt of removed router when updating route + +From: Sven Eckelmann + +commit d1a65f1741bfd9c69f9e4e2ad447a89b6810427d upstream. + +_batadv_update_route rcu_derefences orig_ifinfo->router outside of a +spinlock protected region to print some information messages to the debug +log. But this pointer is not checked again when the new pointer is assigned +in the spinlock protected region. Thus is can happen that the value of +orig_ifinfo->router changed in the meantime and thus the reference counter +of the wrong router gets reduced after the spinlock protected region. + +Just rcu_dereferencing the value of orig_ifinfo->router inside the spinlock +protected region (which also set the new pointer) is enough to get the +correct old router object. + +Fixes: e1a5382f978b ("batman-adv: Make orig_node->router an rcu protected pointer") +Signed-off-by: Sven Eckelmann +Signed-off-by: Marek Lindner +Signed-off-by: Antonio Quartulli +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/routing.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/net/batman-adv/routing.c ++++ b/net/batman-adv/routing.c +@@ -104,6 +104,15 @@ static void _batadv_update_route(struct + neigh_node = NULL; + + spin_lock_bh(&orig_node->neigh_list_lock); ++ /* curr_router used earlier may not be the current orig_ifinfo->router ++ * anymore because it was dereferenced outside of the neigh_list_lock ++ * protected region. After the new best neighbor has replace the current ++ * best neighbor the reference counter needs to decrease. Consequently, ++ * the code needs to ensure the curr_router variable contains a pointer ++ * to the replaced best neighbor. ++ */ ++ curr_router = rcu_dereference_protected(orig_ifinfo->router, true); ++ + rcu_assign_pointer(orig_ifinfo->router, neigh_node); + spin_unlock_bh(&orig_node->neigh_list_lock); + batadv_orig_ifinfo_free_ref(orig_ifinfo); diff --git a/queue-4.4/hid-fix-boot-delay-for-creative-sb-omni-surround-5.1-with-quirk.patch b/queue-4.4/hid-fix-boot-delay-for-creative-sb-omni-surround-5.1-with-quirk.patch new file mode 100644 index 00000000000..201614a144c --- /dev/null +++ b/queue-4.4/hid-fix-boot-delay-for-creative-sb-omni-surround-5.1-with-quirk.patch @@ -0,0 +1,42 @@ +From 567a44ecb44eb2584ddb93e962cfb133ce77e0bb Mon Sep 17 00:00:00 2001 +From: Nazar Mokrynskyi +Date: Mon, 25 Apr 2016 17:01:56 +0300 +Subject: HID: Fix boot delay for Creative SB Omni Surround 5.1 with quirk + +From: Nazar Mokrynskyi + +commit 567a44ecb44eb2584ddb93e962cfb133ce77e0bb upstream. + +Needed for v2 of the device firmware, otherwise kernel will stuck for few +seconds and throw "usb_submit_urb(ctrl) failed: -1" early on system boot. + +Signed-off-by: Nazar Mokrynskyi +Reviewed-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/usbhid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -255,6 +255,7 @@ + #define USB_DEVICE_ID_CORSAIR_K90 0x1b02 + + #define USB_VENDOR_ID_CREATIVELABS 0x041e ++#define USB_DEVICE_ID_CREATIVE_SB_OMNI_SURROUND_51 0x322c + #define USB_DEVICE_ID_PRODIKEYS_PCMIDI 0x2801 + + #define USB_VENDOR_ID_CVTOUCH 0x1ff7 +--- a/drivers/hid/usbhid/hid-quirks.c ++++ b/drivers/hid/usbhid/hid-quirks.c +@@ -70,6 +70,7 @@ static const struct hid_blacklist { + { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_3AXIS_5BUTTON_STICK, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_AXIS_295, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_PIXART_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL }, ++ { USB_VENDOR_ID_CREATIVELABS, USB_DEVICE_ID_CREATIVE_SB_OMNI_SURROUND_51, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_DMI, USB_DEVICE_ID_DMI_ENC, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_WIIU, HID_QUIRK_MULTI_INPUT }, + { USB_VENDOR_ID_ELAN, HID_ANY_ID, HID_QUIRK_ALWAYS_POLL }, diff --git a/queue-4.4/hid-wacom-add-support-for-dtk-1651.patch b/queue-4.4/hid-wacom-add-support-for-dtk-1651.patch new file mode 100644 index 00000000000..8a7ef7ab2f8 --- /dev/null +++ b/queue-4.4/hid-wacom-add-support-for-dtk-1651.patch @@ -0,0 +1,40 @@ +From e1123fe975852cc0970b4e53ea65ca917e54c923 Mon Sep 17 00:00:00 2001 +From: Ping Cheng +Date: Tue, 12 Apr 2016 13:37:45 -0700 +Subject: HID: wacom: Add support for DTK-1651 + +From: Ping Cheng + +commit e1123fe975852cc0970b4e53ea65ca917e54c923 upstream. + +DTK-1651 is a display pen-only tablet + +Signed-off-by: Ping Cheng +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/wacom_wac.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -3449,6 +3449,10 @@ static const struct wacom_features wacom + { "Wacom Intuos PT M 2", 21600, 13500, 2047, 63, + INTUOSHT2, WACOM_INTUOS_RES, WACOM_INTUOS_RES, .touch_max = 16, + .check_for_hid_type = true, .hid_type = HID_TYPE_USBNONE }; ++static const struct wacom_features wacom_features_0x343 = ++ { "Wacom DTK1651", 34616, 19559, 1023, 0, ++ DTUS, WACOM_INTUOS_RES, WACOM_INTUOS_RES, 4, ++ WACOM_DTU_OFFSET, WACOM_DTU_OFFSET }; + + static const struct wacom_features wacom_features_HID_ANY_ID = + { "Wacom HID", .type = HID_GENERIC }; +@@ -3614,6 +3618,7 @@ const struct hid_device_id wacom_ids[] = + { USB_DEVICE_WACOM(0x33C) }, + { USB_DEVICE_WACOM(0x33D) }, + { USB_DEVICE_WACOM(0x33E) }, ++ { USB_DEVICE_WACOM(0x343) }, + { USB_DEVICE_WACOM(0x4001) }, + { USB_DEVICE_WACOM(0x4004) }, + { USB_DEVICE_WACOM(0x5000) }, diff --git a/queue-4.4/input-zforce_ts-fix-dual-touch-recognition.patch b/queue-4.4/input-zforce_ts-fix-dual-touch-recognition.patch new file mode 100644 index 00000000000..2a2290169fb --- /dev/null +++ b/queue-4.4/input-zforce_ts-fix-dual-touch-recognition.patch @@ -0,0 +1,39 @@ +From 6984ab1ab35f422292b7781c65284038bcc0f6a6 Mon Sep 17 00:00:00 2001 +From: Knut Wohlrab +Date: Mon, 25 Apr 2016 14:08:25 -0700 +Subject: Input: zforce_ts - fix dual touch recognition + +From: Knut Wohlrab + +commit 6984ab1ab35f422292b7781c65284038bcc0f6a6 upstream. + +A wrong decoding of the touch coordinate message causes a wrong touch +ID. Touch ID for dual touch must be 0 or 1. + +According to the actual Neonode nine byte touch coordinate coding, +the state is transported in the lower nibble and the touch ID in +the higher nibble of payload byte five. + +Signed-off-by: Knut Wohlrab +Signed-off-by: Oleksij Rempel +Signed-off-by: Dirk Behme +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/zforce_ts.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/input/touchscreen/zforce_ts.c ++++ b/drivers/input/touchscreen/zforce_ts.c +@@ -370,8 +370,8 @@ static int zforce_touch_event(struct zfo + point.coord_x = point.coord_y = 0; + } + +- point.state = payload[9 * i + 5] & 0x03; +- point.id = (payload[9 * i + 5] & 0xfc) >> 2; ++ point.state = payload[9 * i + 5] & 0x0f; ++ point.id = (payload[9 * i + 5] & 0xf0) >> 4; + + /* determine touch major, minor and orientation */ + point.area_major = max(payload[9 * i + 6], diff --git a/queue-4.4/mm-cma-prevent-nr_isolated_-counters-from-going-negative.patch b/queue-4.4/mm-cma-prevent-nr_isolated_-counters-from-going-negative.patch new file mode 100644 index 00000000000..7dccfd5c2b0 --- /dev/null +++ b/queue-4.4/mm-cma-prevent-nr_isolated_-counters-from-going-negative.patch @@ -0,0 +1,57 @@ +From 14af4a5e9b26ad251f81c174e8a43f3e179434a5 Mon Sep 17 00:00:00 2001 +From: Hugh Dickins +Date: Thu, 5 May 2016 16:22:15 -0700 +Subject: mm, cma: prevent nr_isolated_* counters from going negative + +From: Hugh Dickins + +commit 14af4a5e9b26ad251f81c174e8a43f3e179434a5 upstream. + +/proc/sys/vm/stat_refresh warns nr_isolated_anon and nr_isolated_file go +increasingly negative under compaction: which would add delay when +should be none, or no delay when should delay. The bug in compaction +was due to a recent mmotm patch, but much older instance of the bug was +also noticed in isolate_migratepages_range() which is used for CMA and +gigantic hugepage allocations. + +The bug is caused by putback_movable_pages() in an error path +decrementing the isolated counters without them being previously +incremented by acct_isolated(). Fix isolate_migratepages_range() by +removing the error-path putback, thus reaching acct_isolated() with +migratepages still isolated, and leaving putback to caller like most +other places do. + +Fixes: edc2ca612496 ("mm, compaction: move pageblock checks up from isolate_migratepages_range()") +[vbabka@suse.cz: expanded the changelog] +Signed-off-by: Hugh Dickins +Signed-off-by: Vlastimil Babka +Acked-by: Joonsoo Kim +Cc: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/compaction.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +--- a/mm/compaction.c ++++ b/mm/compaction.c +@@ -880,16 +880,8 @@ isolate_migratepages_range(struct compac + pfn = isolate_migratepages_block(cc, pfn, block_end_pfn, + ISOLATE_UNEVICTABLE); + +- /* +- * In case of fatal failure, release everything that might +- * have been isolated in the previous iteration, and signal +- * the failure back to caller. +- */ +- if (!pfn) { +- putback_movable_pages(&cc->migratepages); +- cc->nr_migratepages = 0; ++ if (!pfn) + break; +- } + + if (cc->nr_migratepages == COMPACT_CLUSTER_MAX) + break; diff --git a/queue-4.4/mm-update-min_free_kbytes-from-khugepaged-after-core-initialization.patch b/queue-4.4/mm-update-min_free_kbytes-from-khugepaged-after-core-initialization.patch new file mode 100644 index 00000000000..3a274906b75 --- /dev/null +++ b/queue-4.4/mm-update-min_free_kbytes-from-khugepaged-after-core-initialization.patch @@ -0,0 +1,55 @@ +From bc22af74f271ef76b2e6f72f3941f91f0da3f5f8 Mon Sep 17 00:00:00 2001 +From: Jason Baron +Date: Thu, 5 May 2016 16:22:12 -0700 +Subject: mm: update min_free_kbytes from khugepaged after core initialization + +From: Jason Baron + +commit bc22af74f271ef76b2e6f72f3941f91f0da3f5f8 upstream. + +Khugepaged attempts to raise min_free_kbytes if its set too low. +However, on boot khugepaged sets min_free_kbytes first from +subsys_initcall(), and then the mm 'core' over-rides min_free_kbytes +after from init_per_zone_wmark_min(), via a module_init() call. + +Khugepaged used to use a late_initcall() to set min_free_kbytes (such +that it occurred after the core initialization), however this was +removed when the initialization of min_free_kbytes was integrated into +the starting of the khugepaged thread. + +The fix here is simply to invoke the core initialization using a +core_initcall() instead of module_init(), such that the previous +initialization ordering is restored. I didn't restore the +late_initcall() since start_stop_khugepaged() already sets +min_free_kbytes via set_recommended_min_free_kbytes(). + +This was noticed when we had a number of page allocation failures when +moving a workload to a kernel with this new initialization ordering. On +an 8GB system this restores min_free_kbytes back to 67584 from 11365 +when CONFIG_TRANSPARENT_HUGEPAGE=y is set and either +CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y or +CONFIG_TRANSPARENT_HUGEPAGE_MADVISE=y. + +Fixes: 79553da293d3 ("thp: cleanup khugepaged startup") +Signed-off-by: Jason Baron +Acked-by: Kirill A. Shutemov +Acked-by: David Rientjes +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page_alloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -6193,7 +6193,7 @@ int __meminit init_per_zone_wmark_min(vo + setup_per_zone_inactive_ratio(); + return 0; + } +-module_init(init_per_zone_wmark_min) ++core_initcall(init_per_zone_wmark_min) + + /* + * min_free_kbytes_sysctl_handler - just a wrapper around proc_dointvec() so diff --git a/queue-4.4/mm-zswap-provide-unique-zpool-name.patch b/queue-4.4/mm-zswap-provide-unique-zpool-name.patch new file mode 100644 index 00000000000..8cfafb66205 --- /dev/null +++ b/queue-4.4/mm-zswap-provide-unique-zpool-name.patch @@ -0,0 +1,69 @@ +From 32a4e169039927bfb6ee9f0ccbbe3a8aaf13a4bc Mon Sep 17 00:00:00 2001 +From: Dan Streetman +Date: Thu, 5 May 2016 16:22:23 -0700 +Subject: mm/zswap: provide unique zpool name + +From: Dan Streetman + +commit 32a4e169039927bfb6ee9f0ccbbe3a8aaf13a4bc upstream. + +Instead of using "zswap" as the name for all zpools created, add an +atomic counter and use "zswap%x" with the counter number for each zpool +created, to provide a unique name for each new zpool. + +As zsmalloc, one of the zpool implementations, requires/expects a unique +name for each pool created, zswap should provide a unique name. The +zsmalloc pool creation does not fail if a new pool with a conflicting +name is created, unless CONFIG_ZSMALLOC_STAT is enabled; in that case, +zsmalloc pool creation fails with -ENOMEM. Then zswap will be unable to +change its compressor parameter if its zpool is zsmalloc; it also will +be unable to change its zpool parameter back to zsmalloc, if it has any +existing old zpool using zsmalloc with page(s) in it. Attempts to +change the parameters will result in failure to create the zpool. This +changes zswap to provide a unique name for each zpool creation. + +Fixes: f1c54846ee45 ("zswap: dynamic pool creation") +Signed-off-by: Dan Streetman +Reported-by: Sergey Senozhatsky +Reviewed-by: Sergey Senozhatsky +Cc: Dan Streetman +Cc: Minchan Kim +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/zswap.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/mm/zswap.c ++++ b/mm/zswap.c +@@ -170,6 +170,8 @@ static struct zswap_tree *zswap_trees[MA + static LIST_HEAD(zswap_pools); + /* protects zswap_pools list modification */ + static DEFINE_SPINLOCK(zswap_pools_lock); ++/* pool counter to provide unique names to zpool */ ++static atomic_t zswap_pools_count = ATOMIC_INIT(0); + + /* used by param callback function */ + static bool zswap_init_started; +@@ -565,6 +567,7 @@ static struct zswap_pool *zswap_pool_fin + static struct zswap_pool *zswap_pool_create(char *type, char *compressor) + { + struct zswap_pool *pool; ++ char name[38]; /* 'zswap' + 32 char (max) num + \0 */ + gfp_t gfp = __GFP_NORETRY | __GFP_NOWARN | __GFP_KSWAPD_RECLAIM; + + pool = kzalloc(sizeof(*pool), GFP_KERNEL); +@@ -573,7 +576,10 @@ static struct zswap_pool *zswap_pool_cre + return NULL; + } + +- pool->zpool = zpool_create_pool(type, "zswap", gfp, &zswap_zpool_ops); ++ /* unique name for each pool specifically required by zsmalloc */ ++ snprintf(name, 38, "zswap%x", atomic_inc_return(&zswap_pools_count)); ++ ++ pool->zpool = zpool_create_pool(type, name, gfp, &zswap_zpool_ops); + if (!pool->zpool) { + pr_err("%s zpool not available\n", type); + goto error; diff --git a/queue-4.4/proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch b/queue-4.4/proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch new file mode 100644 index 00000000000..7738e301060 --- /dev/null +++ b/queue-4.4/proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch @@ -0,0 +1,57 @@ +From 8148a73c9901a8794a50f950083c00ccf97d43b3 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Thu, 5 May 2016 16:22:26 -0700 +Subject: proc: prevent accessing /proc//environ until it's ready + +From: Mathias Krause + +commit 8148a73c9901a8794a50f950083c00ccf97d43b3 upstream. + +If /proc//environ gets read before the envp[] array is fully set up +in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying to +read more bytes than are actually written, as env_start will already be +set but env_end will still be zero, making the range calculation +underflow, allowing to read beyond the end of what has been written. + +Fix this as it is done for /proc//cmdline by testing env_end for +zero. It is, apparently, intentionally set last in create_*_tables(). + +This bug was found by the PaX size_overflow plugin that detected the +arithmetic underflow of 'this_len = env_end - (env_start + src)' when +env_end is still zero. + +The expected consequence is that userland trying to access +/proc//environ of a not yet fully set up process may get +inconsistent data as we're in the middle of copying in the environment +variables. + +Fixes: https://forums.grsecurity.net/viewtopic.php?f=3&t=4363 +Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=116461 +Signed-off-by: Mathias Krause +Cc: Emese Revfy +Cc: Pax Team +Cc: Al Viro +Cc: Mateusz Guzik +Cc: Alexey Dobriyan +Cc: Cyrill Gorcunov +Cc: Jarod Wilson +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/base.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -954,7 +954,8 @@ static ssize_t environ_read(struct file + int ret = 0; + struct mm_struct *mm = file->private_data; + +- if (!mm) ++ /* Ensure the process spawned far enough to have an environment. */ ++ if (!mm || !mm->env_end) + return 0; + + page = (char *)__get_free_page(GFP_TEMPORARY); diff --git a/queue-4.4/series b/queue-4.4/series index 1a6df08d3b7..6e532088f22 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -21,3 +21,19 @@ mac80211-fix-statistics-leak-if-dev_alloc_name-fails.patch tracing-don-t-display-trigger-file-for-events-that-can-t-be-enabled.patch md-make-bio-mergeable.patch minimal-fix-up-of-bad-hashing-behavior-of-hash_64.patch +mm-cma-prevent-nr_isolated_-counters-from-going-negative.patch +mm-zswap-provide-unique-zpool-name.patch +arm-exynos-properly-skip-unitialized-parent-clock-in-power-domain-on.patch +arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch +xen-fix-page-pfn-conversion-on-32-bit-systems.patch +xen-balloon-fix-crash-when-ballooning-on-x86-32-bit-pae.patch +xen-evtchn-fix-ring-resize-when-binding-new-events.patch +hid-wacom-add-support-for-dtk-1651.patch +hid-fix-boot-delay-for-creative-sb-omni-surround-5.1-with-quirk.patch +input-zforce_ts-fix-dual-touch-recognition.patch +proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch +mm-update-min_free_kbytes-from-khugepaged-after-core-initialization.patch +batman-adv-fix-dat-candidate-selection-must-use-vid.patch +batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch +batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch +batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch diff --git a/queue-4.4/xen-balloon-fix-crash-when-ballooning-on-x86-32-bit-pae.patch b/queue-4.4/xen-balloon-fix-crash-when-ballooning-on-x86-32-bit-pae.patch new file mode 100644 index 00000000000..058bcb80fc5 --- /dev/null +++ b/queue-4.4/xen-balloon-fix-crash-when-ballooning-on-x86-32-bit-pae.patch @@ -0,0 +1,60 @@ +From dfd74a1edfaba5864276a2859190a8d242d18952 Mon Sep 17 00:00:00 2001 +From: Ross Lagerwall +Date: Thu, 17 Mar 2016 16:52:00 +0000 +Subject: xen/balloon: Fix crash when ballooning on x86 32 bit PAE + +From: Ross Lagerwall + +commit dfd74a1edfaba5864276a2859190a8d242d18952 upstream. + +Commit 55b3da98a40dbb3776f7454daf0d95dde25c33d2 (xen/balloon: find +non-conflicting regions to place hotplugged memory) caused a +regression in 4.4. + +When ballooning on an x86 32 bit PAE system with close to 64 GiB of +memory, the address returned by allocate_resource may be above 64 GiB. +When using CONFIG_SPARSEMEM, this setup is limited to using physical +addresses < 64 GiB. When adding memory at this address, it runs off +the end of the mem_section array and causes a crash. Instead, fail +the ballooning request. + +Signed-off-by: Ross Lagerwall +Signed-off-by: David Vrabel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/balloon.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -152,6 +152,8 @@ static DECLARE_WAIT_QUEUE_HEAD(balloon_w + static void balloon_process(struct work_struct *work); + static DECLARE_DELAYED_WORK(balloon_worker, balloon_process); + ++static void release_memory_resource(struct resource *resource); ++ + /* When ballooning out (allocating memory to return to Xen) we don't really + want the kernel to try too hard since that can trigger the oom killer. */ + #define GFP_BALLOON \ +@@ -268,6 +270,20 @@ static struct resource *additional_memor + return NULL; + } + ++#ifdef CONFIG_SPARSEMEM ++ { ++ unsigned long limit = 1UL << (MAX_PHYSMEM_BITS - PAGE_SHIFT); ++ unsigned long pfn = res->start >> PAGE_SHIFT; ++ ++ if (pfn > limit) { ++ pr_err("New System RAM resource outside addressable RAM (%lu > %lu)\n", ++ pfn, limit); ++ release_memory_resource(res); ++ return NULL; ++ } ++ } ++#endif ++ + return res; + } + diff --git a/queue-4.4/xen-evtchn-fix-ring-resize-when-binding-new-events.patch b/queue-4.4/xen-evtchn-fix-ring-resize-when-binding-new-events.patch new file mode 100644 index 00000000000..c2de96b7606 --- /dev/null +++ b/queue-4.4/xen-evtchn-fix-ring-resize-when-binding-new-events.patch @@ -0,0 +1,72 @@ +From 27e0e6385377c4dc68a4ddaf1a35a2dfa951f3c5 Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Wed, 4 May 2016 07:02:36 -0600 +Subject: xen/evtchn: fix ring resize when binding new events + +From: Jan Beulich + +commit 27e0e6385377c4dc68a4ddaf1a35a2dfa951f3c5 upstream. + +The copying of ring data was wrong for two cases: For a full ring +nothing got copied at all (as in that case the canonicalized producer +and consumer indexes are identical). And in case one or both of the +canonicalized (after the resize) indexes would point into the second +half of the buffer, the copied data ended up in the wrong (free) part +of the new buffer. In both cases uninitialized data would get passed +back to the caller. + +Fix this by simply copying the old ring contents twice: Once to the +low half of the new buffer, and a second time to the high half. + +This addresses the inability to boot a HVM guest with 64 or more +vCPUs. This regression was caused by 8620015499101090 (xen/evtchn: +dynamically grow pending event channel ring). + +Reported-by: Konrad Rzeszutek Wilk +Signed-off-by: Jan Beulich +Signed-off-by: David Vrabel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/evtchn.c | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +--- a/drivers/xen/evtchn.c ++++ b/drivers/xen/evtchn.c +@@ -316,7 +316,6 @@ static int evtchn_resize_ring(struct per + { + unsigned int new_size; + evtchn_port_t *new_ring, *old_ring; +- unsigned int p, c; + + /* + * Ensure the ring is large enough to capture all possible +@@ -346,20 +345,17 @@ static int evtchn_resize_ring(struct per + /* + * Copy the old ring contents to the new ring. + * +- * If the ring contents crosses the end of the current ring, +- * it needs to be copied in two chunks. ++ * To take care of wrapping, a full ring, and the new index ++ * pointing into the second half, simply copy the old contents ++ * twice. + * + * +---------+ +------------------+ +- * |34567 12| -> | 1234567 | +- * +-----p-c-+ +------------------+ ++ * |34567 12| -> |34567 1234567 12| ++ * +-----p-c-+ +-------c------p---+ + */ +- p = evtchn_ring_offset(u, u->ring_prod); +- c = evtchn_ring_offset(u, u->ring_cons); +- if (p < c) { +- memcpy(new_ring + c, u->ring + c, (u->ring_size - c) * sizeof(*u->ring)); +- memcpy(new_ring + u->ring_size, u->ring, p * sizeof(*u->ring)); +- } else +- memcpy(new_ring + c, u->ring + c, (p - c) * sizeof(*u->ring)); ++ memcpy(new_ring, old_ring, u->ring_size * sizeof(*u->ring)); ++ memcpy(new_ring + u->ring_size, old_ring, ++ u->ring_size * sizeof(*u->ring)); + + u->ring = new_ring; + u->ring_size = new_size; diff --git a/queue-4.4/xen-fix-page-pfn-conversion-on-32-bit-systems.patch b/queue-4.4/xen-fix-page-pfn-conversion-on-32-bit-systems.patch new file mode 100644 index 00000000000..21294f89c19 --- /dev/null +++ b/queue-4.4/xen-fix-page-pfn-conversion-on-32-bit-systems.patch @@ -0,0 +1,43 @@ +From 60901df3aed230d4565dca003f11b6a95fbf30d9 Mon Sep 17 00:00:00 2001 +From: Ross Lagerwall +Date: Thu, 17 Mar 2016 16:51:59 +0000 +Subject: xen: Fix page <-> pfn conversion on 32 bit systems + +From: Ross Lagerwall + +commit 60901df3aed230d4565dca003f11b6a95fbf30d9 upstream. + +Commit 1084b1988d22dc165c9dbbc2b0e057f9248ac4db (xen: Add Xen specific +page definition) caused a regression in 4.4. + +The xen functions to convert between pages and pfns fail due to an +overflow on systems where a physical address may not fit in an +unsigned long (e.g. x86 32 bit PAE systems). Rework the conversion to +avoid overflow. This should also result in simpler object code. + +This bug manifested itself as disk corruption with Linux 4.4 when +using blkfront in a Xen HVM x86 32 bit guest with more than 4 GiB of +memory. + +Signed-off-by: Ross Lagerwall +Signed-off-by: David Vrabel +Signed-off-by: Greg Kroah-Hartman + +--- + include/xen/page.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/xen/page.h ++++ b/include/xen/page.h +@@ -15,9 +15,9 @@ + */ + + #define xen_pfn_to_page(xen_pfn) \ +- ((pfn_to_page(((unsigned long)(xen_pfn) << XEN_PAGE_SHIFT) >> PAGE_SHIFT))) ++ (pfn_to_page((unsigned long)(xen_pfn) >> (PAGE_SHIFT - XEN_PAGE_SHIFT))) + #define page_to_xen_pfn(page) \ +- (((page_to_pfn(page)) << PAGE_SHIFT) >> XEN_PAGE_SHIFT) ++ ((page_to_pfn(page)) << (PAGE_SHIFT - XEN_PAGE_SHIFT)) + + #define XEN_PFN_PER_PAGE (PAGE_SIZE / XEN_PAGE_SIZE) +