From 429f23e2eef54b3a681ed68e7b4f34730d9b47a2 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 12 Apr 2016 13:59:52 -0700 Subject: [PATCH] 3.14-stable patches added patches: alsa-timer-use-mod_timer-for-rearming-the-system-timer.patch hwmon-max1111-return-enodev-from-max1111_read_channel-if-not-instantiated.patch mm-fix-invalid-node-in-alloc_migrate_target.patch parisc-avoid-function-pointers-for-kernel-exception-routines.patch parisc-fix-kernel-crash-with-reversed-copy_from_user.patch --- ..._timer-for-rearming-the-system-timer.patch | 56 ++++++++++++++ ...111_read_channel-if-not-instantiated.patch | 74 +++++++++++++++++++ ...invalid-node-in-alloc_migrate_target.patch | 48 ++++++++++++ ...inters-for-kernel-exception-routines.patch | 42 +++++++++++ ...l-crash-with-reversed-copy_from_user.patch | 36 +++++++++ queue-3.14/series | 5 ++ queue-4.4/series | 2 + queue-4.5/series | 2 + 8 files changed, 265 insertions(+) create mode 100644 queue-3.14/alsa-timer-use-mod_timer-for-rearming-the-system-timer.patch create mode 100644 queue-3.14/hwmon-max1111-return-enodev-from-max1111_read_channel-if-not-instantiated.patch create mode 100644 queue-3.14/mm-fix-invalid-node-in-alloc_migrate_target.patch create mode 100644 queue-3.14/parisc-avoid-function-pointers-for-kernel-exception-routines.patch create mode 100644 queue-3.14/parisc-fix-kernel-crash-with-reversed-copy_from_user.patch create mode 100644 queue-3.14/series create mode 100644 queue-4.4/series create mode 100644 queue-4.5/series diff --git a/queue-3.14/alsa-timer-use-mod_timer-for-rearming-the-system-timer.patch b/queue-3.14/alsa-timer-use-mod_timer-for-rearming-the-system-timer.patch new file mode 100644 index 00000000000..ef05f4001e3 --- /dev/null +++ b/queue-3.14/alsa-timer-use-mod_timer-for-rearming-the-system-timer.patch @@ -0,0 +1,56 @@ +From 4a07083ed613644c96c34a7dd2853dc5d7c70902 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 1 Apr 2016 12:28:16 +0200 +Subject: ALSA: timer: Use mod_timer() for rearming the system timer + +From: Takashi Iwai + +commit 4a07083ed613644c96c34a7dd2853dc5d7c70902 upstream. + +ALSA system timer backend stops the timer via del_timer() without sync +and leaves del_timer_sync() at the close instead. This is because of +the restriction by the design of ALSA timer: namely, the stop callback +may be called from the timer handler, and calling the sync shall lead +to a hangup. However, this also triggers a kernel BUG() when the +timer is rearmed immediately after stopping without sync: + kernel BUG at kernel/time/timer.c:966! + Call Trace: + + [] snd_timer_s_start+0x13e/0x1a0 + [] snd_timer_interrupt+0x504/0xec0 + [] ? debug_check_no_locks_freed+0x290/0x290 + [] snd_timer_s_function+0xb4/0x120 + [] call_timer_fn+0x162/0x520 + [] ? call_timer_fn+0xcd/0x520 + [] ? snd_timer_interrupt+0xec0/0xec0 + .... + +It's the place where add_timer() checks the pending timer. It's clear +that this may happen after the immediate restart without sync in our +cases. + +So, the workaround here is just to use mod_timer() instead of +add_timer(). This looks like a band-aid fix, but it's a right move, +as snd_timer_interrupt() takes care of the continuous rearm of timer. + +Reported-by: Jiri Slaby +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/timer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1012,8 +1012,8 @@ static int snd_timer_s_start(struct snd_ + njiff += timer->sticks - priv->correction; + priv->correction = 0; + } +- priv->last_expires = priv->tlist.expires = njiff; +- add_timer(&priv->tlist); ++ priv->last_expires = njiff; ++ mod_timer(&priv->tlist, njiff); + return 0; + } + diff --git a/queue-3.14/hwmon-max1111-return-enodev-from-max1111_read_channel-if-not-instantiated.patch b/queue-3.14/hwmon-max1111-return-enodev-from-max1111_read_channel-if-not-instantiated.patch new file mode 100644 index 00000000000..7da01bb8716 --- /dev/null +++ b/queue-3.14/hwmon-max1111-return-enodev-from-max1111_read_channel-if-not-instantiated.patch @@ -0,0 +1,74 @@ +From 3c2e2266a5bd2d1cef258e6e54dca1d99946379f Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Sat, 26 Mar 2016 12:28:05 -0700 +Subject: hwmon: (max1111) Return -ENODEV from max1111_read_channel if not instantiated + +From: Guenter Roeck + +commit 3c2e2266a5bd2d1cef258e6e54dca1d99946379f upstream. + +arm:pxa_defconfig can result in the following crash if the max1111 driver +is not instantiated. + +Unhandled fault: page domain fault (0x01b) at 0x00000000 +pgd = c0004000 +[00000000] *pgd=00000000 +Internal error: : 1b [#1] PREEMPT ARM +Modules linked in: +CPU: 0 PID: 300 Comm: kworker/0:1 Not tainted 4.5.0-01301-g1701f680407c #10 +Hardware name: SHARP Akita +Workqueue: events sharpsl_charge_toggle +task: c390a000 ti: c391e000 task.ti: c391e000 +PC is at max1111_read_channel+0x20/0x30 +LR is at sharpsl_pm_pxa_read_max1111+0x2c/0x3c +pc : [] lr : [] psr: 20000013 +... +[] (max1111_read_channel) from [] + (sharpsl_pm_pxa_read_max1111+0x2c/0x3c) +[] (sharpsl_pm_pxa_read_max1111) from [] + (spitzpm_read_devdata+0x5c/0xc4) +[] (spitzpm_read_devdata) from [] + (sharpsl_check_battery_temp+0x78/0x110) +[] (sharpsl_check_battery_temp) from [] + (sharpsl_charge_toggle+0x48/0x110) +[] (sharpsl_charge_toggle) from [] + (process_one_work+0x14c/0x48c) +[] (process_one_work) from [] (worker_thread+0x3c/0x5d4) +[] (worker_thread) from [] (kthread+0xd0/0xec) +[] (kthread) from [] (ret_from_fork+0x14/0x24) + +This can occur because the SPI controller driver (SPI_PXA2XX) is built as +module and thus not necessarily loaded. While building SPI_PXA2XX into the +kernel would make the problem disappear, it appears prudent to ensure that +the driver is instantiated before accessing its data structures. + +Cc: Arnd Bergmann +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/max1111.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/hwmon/max1111.c ++++ b/drivers/hwmon/max1111.c +@@ -85,6 +85,9 @@ static struct max1111_data *the_max1111; + + int max1111_read_channel(int channel) + { ++ if (!the_max1111 || !the_max1111->spi) ++ return -ENODEV; ++ + return max1111_read(&the_max1111->spi->dev, channel); + } + EXPORT_SYMBOL(max1111_read_channel); +@@ -260,6 +263,9 @@ static int max1111_remove(struct spi_dev + { + struct max1111_data *data = spi_get_drvdata(spi); + ++#ifdef CONFIG_SHARPSL_PM ++ the_max1111 = NULL; ++#endif + hwmon_device_unregister(data->hwmon_dev); + sysfs_remove_group(&spi->dev.kobj, &max1110_attr_group); + sysfs_remove_group(&spi->dev.kobj, &max1111_attr_group); diff --git a/queue-3.14/mm-fix-invalid-node-in-alloc_migrate_target.patch b/queue-3.14/mm-fix-invalid-node-in-alloc_migrate_target.patch new file mode 100644 index 00000000000..76a39053b49 --- /dev/null +++ b/queue-3.14/mm-fix-invalid-node-in-alloc_migrate_target.patch @@ -0,0 +1,48 @@ +From 6f25a14a7053b69917e2ebea0d31dd444cd31fd5 Mon Sep 17 00:00:00 2001 +From: Xishi Qiu +Date: Fri, 1 Apr 2016 14:31:20 -0700 +Subject: mm: fix invalid node in alloc_migrate_target() + +From: Xishi Qiu + +commit 6f25a14a7053b69917e2ebea0d31dd444cd31fd5 upstream. + +It is incorrect to use next_node to find a target node, it will return +MAX_NUMNODES or invalid node. This will lead to crash in buddy system +allocation. + +Fixes: c8721bbbdd36 ("mm: memory-hotplug: enable memory hotplug to handle hugepage") +Signed-off-by: Xishi Qiu +Acked-by: Vlastimil Babka +Acked-by: Naoya Horiguchi +Cc: Joonsoo Kim +Cc: David Rientjes +Cc: "Laura Abbott" +Cc: Hui Zhu +Cc: Wang Xiaoqiang +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page_isolation.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/mm/page_isolation.c ++++ b/mm/page_isolation.c +@@ -259,11 +259,11 @@ struct page *alloc_migrate_target(struct + * now as a simple work-around, we use the next node for destination. + */ + if (PageHuge(page)) { +- nodemask_t src = nodemask_of_node(page_to_nid(page)); +- nodemask_t dst; +- nodes_complement(dst, src); ++ int node = next_online_node(page_to_nid(page)); ++ if (node == MAX_NUMNODES) ++ node = first_online_node; + return alloc_huge_page_node(page_hstate(compound_head(page)), +- next_node(page_to_nid(page), dst)); ++ node); + } + + if (PageHighMem(page)) diff --git a/queue-3.14/parisc-avoid-function-pointers-for-kernel-exception-routines.patch b/queue-3.14/parisc-avoid-function-pointers-for-kernel-exception-routines.patch new file mode 100644 index 00000000000..7b511a0603d --- /dev/null +++ b/queue-3.14/parisc-avoid-function-pointers-for-kernel-exception-routines.patch @@ -0,0 +1,42 @@ +From e3893027a300927049efc1572f852201eb785142 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Fri, 8 Apr 2016 18:11:33 +0200 +Subject: parisc: Avoid function pointers for kernel exception routines + +From: Helge Deller + +commit e3893027a300927049efc1572f852201eb785142 upstream. + +We want to avoid the kernel module loader to create function pointers +for the kernel fixup routines of get_user() and put_user(). Changing +the external reference from function type to int type fixes this. + +This unbreaks exception handling for get_user() and put_user() when +called from a kernel module. + +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/parisc_ksyms.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/parisc/kernel/parisc_ksyms.c ++++ b/arch/parisc/kernel/parisc_ksyms.c +@@ -47,11 +47,11 @@ EXPORT_SYMBOL(__cmpxchg_u64); + EXPORT_SYMBOL(lclear_user); + EXPORT_SYMBOL(lstrnlen_user); + +-/* Global fixups */ +-extern void fixup_get_user_skip_1(void); +-extern void fixup_get_user_skip_2(void); +-extern void fixup_put_user_skip_1(void); +-extern void fixup_put_user_skip_2(void); ++/* Global fixups - defined as int to avoid creation of function pointers */ ++extern int fixup_get_user_skip_1; ++extern int fixup_get_user_skip_2; ++extern int fixup_put_user_skip_1; ++extern int fixup_put_user_skip_2; + EXPORT_SYMBOL(fixup_get_user_skip_1); + EXPORT_SYMBOL(fixup_get_user_skip_2); + EXPORT_SYMBOL(fixup_put_user_skip_1); diff --git a/queue-3.14/parisc-fix-kernel-crash-with-reversed-copy_from_user.patch b/queue-3.14/parisc-fix-kernel-crash-with-reversed-copy_from_user.patch new file mode 100644 index 00000000000..73f0472537e --- /dev/null +++ b/queue-3.14/parisc-fix-kernel-crash-with-reversed-copy_from_user.patch @@ -0,0 +1,36 @@ +From ef72f3110d8b19f4c098a0bff7ed7d11945e70c6 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Fri, 8 Apr 2016 18:18:48 +0200 +Subject: parisc: Fix kernel crash with reversed copy_from_user() + +From: Helge Deller + +commit ef72f3110d8b19f4c098a0bff7ed7d11945e70c6 upstream. + +The kernel module testcase (lib/test_user_copy.c) exhibited a kernel +crash on parisc if the parameters for copy_from_user were reversed +("illegal reversed copy_to_user" testcase). + +Fix this potential crash by checking the fault handler if the faulting +address is in the exception table. + +Signed-off-by: Helge Deller +Cc: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/traps.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/parisc/kernel/traps.c ++++ b/arch/parisc/kernel/traps.c +@@ -802,6 +802,9 @@ void notrace handle_interruption(int cod + + if (fault_space == 0 && !in_atomic()) + { ++ /* Clean up and return if in exception table. */ ++ if (fixup_exception(regs)) ++ return; + pdc_chassis_send_status(PDC_CHASSIS_DIRECT_PANIC); + parisc_terminate("Kernel Fault", regs, code, fault_address); + } diff --git a/queue-3.14/series b/queue-3.14/series new file mode 100644 index 00000000000..89b5fb18c2a --- /dev/null +++ b/queue-3.14/series @@ -0,0 +1,5 @@ +hwmon-max1111-return-enodev-from-max1111_read_channel-if-not-instantiated.patch +parisc-avoid-function-pointers-for-kernel-exception-routines.patch +parisc-fix-kernel-crash-with-reversed-copy_from_user.patch +alsa-timer-use-mod_timer-for-rearming-the-system-timer.patch +mm-fix-invalid-node-in-alloc_migrate_target.patch diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..18e49decf03 --- /dev/null +++ b/queue-4.4/series @@ -0,0 +1,2 @@ +hwmon-max1111-return-enodev-from-max1111_read_channel-if-not-instantiated.patch +pkcs-7-pkcs7_validate_trust-initialize-the-_trusted-output-argument.patch diff --git a/queue-4.5/series b/queue-4.5/series new file mode 100644 index 00000000000..18e49decf03 --- /dev/null +++ b/queue-4.5/series @@ -0,0 +1,2 @@ +hwmon-max1111-return-enodev-from-max1111_read_channel-if-not-instantiated.patch +pkcs-7-pkcs7_validate_trust-initialize-the-_trusted-output-argument.patch -- 2.47.2