From 261590334677b5eb6243209f8c10ef1ec3d1eecc Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 15 May 2016 01:59:30 +0200 Subject: [PATCH] 3.14-stable patches added patches: asmlinkage-pnp-make-variables-used-from-assembler-code-visible.patch crypto-hash-fix-page-length-clamping-in-hash-walk.patch get_rock_ridge_filename-handle-malformed-nm-entries.patch input-max8997-haptic-fix-null-pointer-dereference.patch --- ...les-used-from-assembler-code-visible.patch | 56 +++++++++++++++++ ...ix-page-length-clamping-in-hash-walk.patch | 34 ++++++++++ ...filename-handle-malformed-nm-entries.patch | 63 +++++++++++++++++++ ...-haptic-fix-null-pointer-dereference.patch | 61 ++++++++++++++++++ queue-3.14/series | 4 ++ queue-4.4/series | 30 +++++++++ queue-4.5/series | 32 ++++++++++ 7 files changed, 280 insertions(+) create mode 100644 queue-3.14/asmlinkage-pnp-make-variables-used-from-assembler-code-visible.patch create mode 100644 queue-3.14/crypto-hash-fix-page-length-clamping-in-hash-walk.patch create mode 100644 queue-3.14/get_rock_ridge_filename-handle-malformed-nm-entries.patch create mode 100644 queue-3.14/input-max8997-haptic-fix-null-pointer-dereference.patch create mode 100644 queue-3.14/series create mode 100644 queue-4.4/series create mode 100644 queue-4.5/series diff --git a/queue-3.14/asmlinkage-pnp-make-variables-used-from-assembler-code-visible.patch b/queue-3.14/asmlinkage-pnp-make-variables-used-from-assembler-code-visible.patch new file mode 100644 index 00000000000..536aa742812 --- /dev/null +++ b/queue-3.14/asmlinkage-pnp-make-variables-used-from-assembler-code-visible.patch @@ -0,0 +1,56 @@ +From a99aa42d0253f033cbb85096d3f2bd82201321e6 Mon Sep 17 00:00:00 2001 +From: Andi Kleen +Date: Sat, 8 Feb 2014 08:52:00 +0100 +Subject: asmlinkage, pnp: Make variables used from assembler code visible + +From: Andi Kleen + +commit a99aa42d0253f033cbb85096d3f2bd82201321e6 upstream. + +Mark variables referenced from assembler files visible. + +This fixes compile problems with LTO. + +Cc: Jaroslav Kysela +Signed-off-by: Andi Kleen +Link: http://lkml.kernel.org/r/1391845930-28580-4-git-send-email-ak@linux.intel.com +Signed-off-by: H. Peter Anvin +Cc: Christoph Biedl +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pnp/pnpbios/bioscalls.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/pnp/pnpbios/bioscalls.c ++++ b/drivers/pnp/pnpbios/bioscalls.c +@@ -21,7 +21,7 @@ + + #include "pnpbios.h" + +-static struct { ++__visible struct { + u16 offset; + u16 segment; + } pnp_bios_callpoint; +@@ -41,6 +41,7 @@ asmlinkage void pnp_bios_callfunc(void); + + __asm__(".text \n" + __ALIGN_STR "\n" ++ ".globl pnp_bios_callfunc\n" + "pnp_bios_callfunc:\n" + " pushl %edx \n" + " pushl %ecx \n" +@@ -66,9 +67,9 @@ static struct desc_struct bad_bios_desc + * after PnP BIOS oopses. + */ + +-u32 pnp_bios_fault_esp; +-u32 pnp_bios_fault_eip; +-u32 pnp_bios_is_utter_crap = 0; ++__visible u32 pnp_bios_fault_esp; ++__visible u32 pnp_bios_fault_eip; ++__visible u32 pnp_bios_is_utter_crap = 0; + + static spinlock_t pnp_bios_lock; + diff --git a/queue-3.14/crypto-hash-fix-page-length-clamping-in-hash-walk.patch b/queue-3.14/crypto-hash-fix-page-length-clamping-in-hash-walk.patch new file mode 100644 index 00000000000..f9515a1931d --- /dev/null +++ b/queue-3.14/crypto-hash-fix-page-length-clamping-in-hash-walk.patch @@ -0,0 +1,34 @@ +From 13f4bb78cf6a312bbdec367ba3da044b09bf0e29 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Wed, 4 May 2016 17:52:56 +0800 +Subject: crypto: hash - Fix page length clamping in hash walk + +From: Herbert Xu + +commit 13f4bb78cf6a312bbdec367ba3da044b09bf0e29 upstream. + +The crypto hash walk code is broken when supplied with an offset +greater than or equal to PAGE_SIZE. This patch fixes it by adjusting +walk->pg and walk->offset when this happens. + +Reported-by: Steffen Klassert +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/ahash.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/crypto/ahash.c ++++ b/crypto/ahash.c +@@ -64,8 +64,9 @@ static int hash_walk_new_entry(struct cr + struct scatterlist *sg; + + sg = walk->sg; +- walk->pg = sg_page(sg); + walk->offset = sg->offset; ++ walk->pg = sg_page(walk->sg) + (walk->offset >> PAGE_SHIFT); ++ walk->offset = offset_in_page(walk->offset); + walk->entrylen = sg->length; + + if (walk->entrylen > walk->total) diff --git a/queue-3.14/get_rock_ridge_filename-handle-malformed-nm-entries.patch b/queue-3.14/get_rock_ridge_filename-handle-malformed-nm-entries.patch new file mode 100644 index 00000000000..8e55fc2c98b --- /dev/null +++ b/queue-3.14/get_rock_ridge_filename-handle-malformed-nm-entries.patch @@ -0,0 +1,63 @@ +From 99d825822eade8d827a1817357cbf3f889a552d6 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 5 May 2016 16:25:35 -0400 +Subject: get_rock_ridge_filename(): handle malformed NM entries + +From: Al Viro + +commit 99d825822eade8d827a1817357cbf3f889a552d6 upstream. + +Payloads of NM entries are not supposed to contain NUL. When we run +into such, only the part prior to the first NUL goes into the +concatenation (i.e. the directory entry name being encoded by a bunch +of NM entries). We do stop when the amount collected so far + the +claimed amount in the current NM entry exceed 254. So far, so good, +but what we return as the total length is the sum of *claimed* +sizes, not the actual amount collected. And that can grow pretty +large - not unlimited, since you'd need to put CE entries in +between to be able to get more than the maximum that could be +contained in one isofs directory entry / continuation chunk and +we are stop once we'd encountered 32 CEs, but you can get about 8Kb +easily. And that's what will be passed to readdir callback as the +name length. 8Kb __copy_to_user() from a buffer allocated by +__get_free_page() + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/isofs/rock.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/fs/isofs/rock.c ++++ b/fs/isofs/rock.c +@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_d + int retnamlen = 0; + int truncate = 0; + int ret = 0; ++ char *p; ++ int len; + + if (!ISOFS_SB(inode->i_sb)->s_rock) + return 0; +@@ -267,12 +269,17 @@ repeat: + rr->u.NM.flags); + break; + } +- if ((strlen(retname) + rr->len - 5) >= 254) { ++ len = rr->len - 5; ++ if (retnamlen + len >= 254) { + truncate = 1; + break; + } +- strncat(retname, rr->u.NM.name, rr->len - 5); +- retnamlen += rr->len - 5; ++ p = memchr(rr->u.NM.name, '\0', len); ++ if (unlikely(p)) ++ len = p - rr->u.NM.name; ++ memcpy(retname + retnamlen, rr->u.NM.name, len); ++ retnamlen += len; ++ retname[retnamlen] = '\0'; + break; + case SIG('R', 'E'): + kfree(rs.buffer); diff --git a/queue-3.14/input-max8997-haptic-fix-null-pointer-dereference.patch b/queue-3.14/input-max8997-haptic-fix-null-pointer-dereference.patch new file mode 100644 index 00000000000..29458f58aa1 --- /dev/null +++ b/queue-3.14/input-max8997-haptic-fix-null-pointer-dereference.patch @@ -0,0 +1,61 @@ +From 6ae645d5fa385f3787bf1723639cd907fe5865e7 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Mon, 9 May 2016 09:31:47 -0700 +Subject: Input: max8997-haptic - fix NULL pointer dereference + +From: Marek Szyprowski + +commit 6ae645d5fa385f3787bf1723639cd907fe5865e7 upstream. + +NULL pointer derefence happens when booting with DTB because the +platform data for haptic device is not set in supplied data from parent +MFD device. + +The MFD device creates only platform data (from Device Tree) for itself, +not for haptic child. + +Unable to handle kernel NULL pointer dereference at virtual address 0000009c +pgd = c0004000 + [0000009c] *pgd=00000000 + Internal error: Oops: 5 [#1] PREEMPT SMP ARM + (max8997_haptic_probe) from [] (platform_drv_probe+0x4c/0xb0) + (platform_drv_probe) from [] (driver_probe_device+0x214/0x2c0) + (driver_probe_device) from [] (__driver_attach+0xac/0xb0) + (__driver_attach) from [] (bus_for_each_dev+0x68/0x9c) + (bus_for_each_dev) from [] (bus_add_driver+0x1a0/0x218) + (bus_add_driver) from [] (driver_register+0x78/0xf8) + (driver_register) from [] (do_one_initcall+0x90/0x1d8) + (do_one_initcall) from [] (kernel_init_freeable+0x15c/0x1fc) + (kernel_init_freeable) from [] (kernel_init+0x8/0x114) + (kernel_init) from [] (ret_from_fork+0x14/0x3c) + +Signed-off-by: Marek Szyprowski +Fixes: 104594b01ce7 ("Input: add driver support for MAX8997-haptic") +[k.kozlowski: Write commit message, add CC-stable] +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/misc/max8997_haptic.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/input/misc/max8997_haptic.c ++++ b/drivers/input/misc/max8997_haptic.c +@@ -245,12 +245,14 @@ static int max8997_haptic_probe(struct p + struct max8997_dev *iodev = dev_get_drvdata(pdev->dev.parent); + const struct max8997_platform_data *pdata = + dev_get_platdata(iodev->dev); +- const struct max8997_haptic_platform_data *haptic_pdata = +- pdata->haptic_pdata; ++ const struct max8997_haptic_platform_data *haptic_pdata = NULL; + struct max8997_haptic *chip; + struct input_dev *input_dev; + int error; + ++ if (pdata) ++ haptic_pdata = pdata->haptic_pdata; ++ + if (!haptic_pdata) { + dev_err(&pdev->dev, "no haptic platform data\n"); + return -EINVAL; diff --git a/queue-3.14/series b/queue-3.14/series new file mode 100644 index 00000000000..90de2d0a770 --- /dev/null +++ b/queue-3.14/series @@ -0,0 +1,4 @@ +crypto-hash-fix-page-length-clamping-in-hash-walk.patch +get_rock_ridge_filename-handle-malformed-nm-entries.patch +input-max8997-haptic-fix-null-pointer-dereference.patch +asmlinkage-pnp-make-variables-used-from-assembler-code-visible.patch diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..5cc2dc36ff4 --- /dev/null +++ b/queue-4.4/series @@ -0,0 +1,30 @@ +ocfs2-revert-using-ocfs2_acl_chmod-to-avoid-inode-cluster-lock-hang.patch +ocfs2-fix-posix_acl_create-deadlock.patch +zsmalloc-fix-zs_can_compact-integer-overflow.patch +s390-mm-fix-asce_bits-handling-with-dynamic-pagetable-levels.patch +crypto-qat-fix-invalid-pf2vf_resp_wq-logic.patch +crypto-hash-fix-page-length-clamping-in-hash-walk.patch +crypto-testmgr-use-kmalloc-memory-for-rsa-input.patch +alsa-usb-audio-quirk-for-yet-another-phoenix-audio-devices-v2.patch +alsa-usb-audio-yet-another-phoneix-audio-device-quirk.patch +alsa-hda-fix-subwoofer-pin-on-asus-n751-and-n551.patch +alsa-hda-fix-white-noise-on-asus-ux501vw-headset.patch +alsa-hda-fix-broken-reconfig.patch +spi-pxa2xx-do-not-detect-number-of-enabled-chip-selects-on-intel-spt.patch +spi-spi-ti-qspi-fix-flen-and-wlen-settings-if-bits_per_word-is-overridden.patch +spi-spi-ti-qspi-handle-truncated-frames-properly.patch +pinctrl-at91-pio4-fix-pull-up-down-logic.patch +regmap-spmi-fix-regmap_spmi_ext_read-in-multi-byte-case.patch +perf-core-disable-the-event-on-a-truncated-aux-record.patch +vfs-add-vfs_select_inode-helper.patch +vfs-rename-check-backing-inode-being-equal.patch +arm-dts-at91-sam9x5-fix-the-memory-range-assigned-to-the-pmc.patch +workqueue-fix-rebind-bound-workers-warning.patch +regulator-s2mps11-fix-invalid-selector-mask-and-voltages-for-buck9.patch +regulator-axp20x-fix-axp22x-ldo_io-voltage-ranges.patch +atomic_open-fix-the-handling-of-create_error.patch +qla1280-don-t-allocate-512kb-of-host-tags.patch +tools-lib-traceevent-do-not-reassign-parg-after-collapse_tree.patch +get_rock_ridge_filename-handle-malformed-nm-entries.patch +input-max8997-haptic-fix-null-pointer-dereference.patch +revert-videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch diff --git a/queue-4.5/series b/queue-4.5/series new file mode 100644 index 00000000000..07e8e045d4b --- /dev/null +++ b/queue-4.5/series @@ -0,0 +1,32 @@ +ocfs2-revert-using-ocfs2_acl_chmod-to-avoid-inode-cluster-lock-hang.patch +ocfs2-fix-posix_acl_create-deadlock.patch +zsmalloc-fix-zs_can_compact-integer-overflow.patch +mm-thp-calculate-the-mapcount-correctly-for-thp-pages-during-wp-faults.patch +crypto-qat-fix-invalid-pf2vf_resp_wq-logic.patch +crypto-qat-fix-adf_ctl_drv.c-undefined-reference-to-adf_init_pf_wq.patch +crypto-hash-fix-page-length-clamping-in-hash-walk.patch +crypto-testmgr-use-kmalloc-memory-for-rsa-input.patch +alsa-usb-audio-quirk-for-yet-another-phoenix-audio-devices-v2.patch +alsa-usb-audio-yet-another-phoneix-audio-device-quirk.patch +alsa-hda-fix-subwoofer-pin-on-asus-n751-and-n551.patch +alsa-hda-fix-white-noise-on-asus-ux501vw-headset.patch +alsa-hda-fix-broken-reconfig.patch +spi-pxa2xx-do-not-detect-number-of-enabled-chip-selects-on-intel-spt.patch +spi-spi-ti-qspi-fix-flen-and-wlen-settings-if-bits_per_word-is-overridden.patch +spi-spi-ti-qspi-handle-truncated-frames-properly.patch +pinctrl-at91-pio4-fix-pull-up-down-logic.patch +regmap-spmi-fix-regmap_spmi_ext_read-in-multi-byte-case.patch +perf-diff-fix-duplicated-output-column.patch +perf-core-disable-the-event-on-a-truncated-aux-record.patch +vfs-add-vfs_select_inode-helper.patch +vfs-rename-check-backing-inode-being-equal.patch +arm-dts-at91-sam9x5-fix-the-memory-range-assigned-to-the-pmc.patch +workqueue-fix-rebind-bound-workers-warning.patch +regulator-s2mps11-fix-invalid-selector-mask-and-voltages-for-buck9.patch +regulator-axp20x-fix-axp22x-ldo_io-voltage-ranges.patch +atomic_open-fix-the-handling-of-create_error.patch +qla1280-don-t-allocate-512kb-of-host-tags.patch +tools-lib-traceevent-do-not-reassign-parg-after-collapse_tree.patch +get_rock_ridge_filename-handle-malformed-nm-entries.patch +input-max8997-haptic-fix-null-pointer-dereference.patch +revert-videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch -- 2.47.3