4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 18 Jun 2017 10:59:21 +0000 (18:59 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 18 Jun 2017 10:59:21 +0000 (18:59 +0800)
added patches:
alarmtimer-prevent-overflow-of-relative-timers.patch
genirq-release-resources-in-__setup_irq-error-path.patch
sched-core-idle_task_exit-shouldn-t-use-switch_mm_irqs_off.patch
usb-dwc3-exynos-fix-axius-clock-error-path-to-do-cleanup.patch
usb-gadget-composite-fix-function-used-to-free-memory.patch

queue-4.9/alarmtimer-prevent-overflow-of-relative-timers.patch [new file with mode: 0644]
queue-4.9/genirq-release-resources-in-__setup_irq-error-path.patch [new file with mode: 0644]
queue-4.9/sched-core-idle_task_exit-shouldn-t-use-switch_mm_irqs_off.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/usb-dwc3-exynos-fix-axius-clock-error-path-to-do-cleanup.patch [new file with mode: 0644]
queue-4.9/usb-gadget-composite-fix-function-used-to-free-memory.patch [new file with mode: 0644]

diff --git a/queue-4.9/alarmtimer-prevent-overflow-of-relative-timers.patch b/queue-4.9/alarmtimer-prevent-overflow-of-relative-timers.patch
new file mode 100644 (file)
index 0000000..e5c17ff
--- /dev/null
@@ -0,0 +1,65 @@
+From f4781e76f90df7aec400635d73ea4c35ee1d4765 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue, 30 May 2017 23:15:34 +0200
+Subject: alarmtimer: Prevent overflow of relative timers
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit f4781e76f90df7aec400635d73ea4c35ee1d4765 upstream.
+
+Andrey reported a alartimer related RCU stall while fuzzing the kernel with
+syzkaller.
+
+The reason for this is an overflow in ktime_add() which brings the
+resulting time into negative space and causes immediate expiry of the
+timer. The following rearm with a small interval does not bring the timer
+back into positive space due to the same issue.
+
+This results in a permanent firing alarmtimer which hogs the CPU.
+
+Use ktime_add_safe() instead which detects the overflow and clamps the
+result to KTIME_SEC_MAX.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Kostya Serebryany <kcc@google.com>
+Cc: syzkaller <syzkaller@googlegroups.com>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Link: http://lkml.kernel.org/r/20170530211655.802921648@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/alarmtimer.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/kernel/time/alarmtimer.c
++++ b/kernel/time/alarmtimer.c
+@@ -354,7 +354,7 @@ void alarm_start_relative(struct alarm *
+ {
+       struct alarm_base *base = &alarm_bases[alarm->type];
+-      start = ktime_add(start, base->gettime());
++      start = ktime_add_safe(start, base->gettime());
+       alarm_start(alarm, start);
+ }
+ EXPORT_SYMBOL_GPL(alarm_start_relative);
+@@ -440,7 +440,7 @@ u64 alarm_forward(struct alarm *alarm, k
+               overrun++;
+       }
+-      alarm->node.expires = ktime_add(alarm->node.expires, interval);
++      alarm->node.expires = ktime_add_safe(alarm->node.expires, interval);
+       return overrun;
+ }
+ EXPORT_SYMBOL_GPL(alarm_forward);
+@@ -630,7 +630,7 @@ static int alarm_timer_set(struct k_itim
+               ktime_t now;
+               now = alarm_bases[timr->it.alarm.alarmtimer.type].gettime();
+-              exp = ktime_add(now, exp);
++              exp = ktime_add_safe(now, exp);
+       }
+       alarm_start(&timr->it.alarm.alarmtimer, exp);
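Review bot: The three `ktime_add_safe()` replacements have no comment saying why the saturating variant is required, so a later cleanup could switch them back to `ktime_add()` without noticing the regression. Per the commit message, the sum can wrap negative, which makes the timer expire immediately and keep re-arming; a one-line comment at the `alarm_start_relative()` site such as `/* saturate instead of wrapping: a negative expiry fires at once and re-arms forever */` would record that. Only the call sites in these three hunks are converted. Any other `ktime_add()` on a caller-supplied interval elsewhere in alarmtimer.c is not visible here and is worth checking for the same wrap. All three functions start or end outside the hunks shown.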
diff --git a/queue-4.9/genirq-release-resources-in-__setup_irq-error-path.patch b/queue-4.9/genirq-release-resources-in-__setup_irq-error-path.patch
new file mode 100644 (file)
index 0000000..576d0ad
--- /dev/null
@@ -0,0 +1,38 @@
+From fa07ab72cbb0d843429e61bf179308aed6cbe0dd Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Sun, 11 Jun 2017 00:38:36 +0200
+Subject: genirq: Release resources in __setup_irq() error path
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+commit fa07ab72cbb0d843429e61bf179308aed6cbe0dd upstream.
+
+In case __irq_set_trigger() fails the resources requested via
+irq_request_resources() are not released.
+
+Add the missing release call into the error handling path.
+
+Fixes: c1bacbae8192 ("genirq: Provide irq_request/release_resources chip callbacks")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/655538f5-cb20-a892-ff15-fbd2dd1fa4ec@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/irq/manage.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -1308,8 +1308,10 @@ __setup_irq(unsigned int irq, struct irq
+                       ret = __irq_set_trigger(desc,
+                                               new->flags & IRQF_TRIGGER_MASK);
+-                      if (ret)
++                      if (ret) {
++                              irq_release_resources(desc);
+                               goto out_mask;
++                      }
+               }
+               desc->istate &= ~(IRQS_AUTODETECT | IRQS_SPURIOUS_DISABLED | \
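Review bot: The added `irq_release_resources(desc);` sits on this one failure branch rather than on a cleanup label, so every other failure after `irq_request_resources()` has to remember the call itself. The commit message implies `out_mask` does not release the resources, but the rest of `__setup_irq()` is outside the hunk, so it cannot be confirmed here whether other exits between the request and `out_mask` exist. A short comment on the new call, e.g. `/* undo irq_request_resources(); out_mask does not release them */`, would make the pairing explicit for whoever adds the next error path.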
diff --git a/queue-4.9/sched-core-idle_task_exit-shouldn-t-use-switch_mm_irqs_off.patch b/queue-4.9/sched-core-idle_task_exit-shouldn-t-use-switch_mm_irqs_off.patch
new file mode 100644 (file)
index 0000000..b66b3cf
--- /dev/null
@@ -0,0 +1,43 @@
+From 252d2a4117bc181b287eeddf848863788da733ae Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Fri, 9 Jun 2017 11:49:15 -0700
+Subject: sched/core: Idle_task_exit() shouldn't use switch_mm_irqs_off()
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 252d2a4117bc181b287eeddf848863788da733ae upstream.
+
+idle_task_exit() can be called with IRQs on x86 on and therefore
+should use switch_mm(), not switch_mm_irqs_off().
+
+This doesn't seem to cause any problems right now, but it will
+confuse my upcoming TLB flush changes.  Nonetheless, I think it
+should be backported because it's trivial.  There won't be any
+meaningful performance impact because idle_task_exit() is only
+used when offlining a CPU.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: f98db6013c55 ("sched/core: Add switch_mm_irqs_off() and use it in the scheduler")
+Link: http://lkml.kernel.org/r/ca3d1a9fa93a0b49f5a8ff729eda3640fb6abdf9.1497034141.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -5469,7 +5469,7 @@ void idle_task_exit(void)
+       BUG_ON(cpu_online(smp_processor_id()));
+       if (mm != &init_mm) {
+-              switch_mm_irqs_off(mm, &init_mm, current);
++              switch_mm(mm, &init_mm, current);
+               finish_arch_post_lock_switch();
+       }
+       mmdrop(mm);
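Review bot: The new `switch_mm(mm, &init_mm, current);` call in `idle_task_exit()` has no comment explaining why the `_irqs_off` variant must not be used, and nothing at the call site shows the reason. The commit message states that the function can be reached with IRQs enabled on x86. Recording that above the call, e.g. `/* may run with IRQs enabled, so switch_mm_irqs_off() is not allowed here */`, would keep a later optimisation from reintroducing it. The function body starts and ends outside the hunk.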
index 3ad202691dbb5c867c120e10fca876e7f11aed52..24900ed9a488ff6b272edf8965e4befea4d37c83 100644 (file)
@@ -47,3 +47,8 @@ usb-gadgetfs-dummy-hcd-net2280-fix-locking-for-callbacks.patch
 mm-memory-failure.c-use-compound_head-flags-for-huge-pages.patch
 swap-cond_resched-in-swap_cgroup_prepare.patch
 iio-imu-inv_mpu6050-add-accel-lpf-setting-for-chip-mpu6500.patch
+sched-core-idle_task_exit-shouldn-t-use-switch_mm_irqs_off.patch
+genirq-release-resources-in-__setup_irq-error-path.patch
+alarmtimer-prevent-overflow-of-relative-timers.patch
+usb-gadget-composite-fix-function-used-to-free-memory.patch
+usb-dwc3-exynos-fix-axius-clock-error-path-to-do-cleanup.patch
diff --git a/queue-4.9/usb-dwc3-exynos-fix-axius-clock-error-path-to-do-cleanup.patch b/queue-4.9/usb-dwc3-exynos-fix-axius-clock-error-path-to-do-cleanup.patch
new file mode 100644 (file)
index 0000000..00ac32b
--- /dev/null
@@ -0,0 +1,42 @@
+From 8ae584d1951f241efd45499f8774fd7066f22823 Mon Sep 17 00:00:00 2001
+From: Shuah Khan <shuahkh@osg.samsung.com>
+Date: Tue, 10 Jan 2017 16:05:28 -0700
+Subject: usb: dwc3: exynos fix axius clock error path to do cleanup
+
+From: Shuah Khan <shuahkh@osg.samsung.com>
+
+commit 8ae584d1951f241efd45499f8774fd7066f22823 upstream.
+
+Axius clock error path returns without disabling clock and suspend clock.
+Fix it to disable them before returning error.
+
+Reviewed-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/dwc3-exynos.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/dwc3-exynos.c
++++ b/drivers/usb/dwc3/dwc3-exynos.c
+@@ -148,7 +148,8 @@ static int dwc3_exynos_probe(struct plat
+               exynos->axius_clk = devm_clk_get(dev, "usbdrd30_axius_clk");
+               if (IS_ERR(exynos->axius_clk)) {
+                       dev_err(dev, "no AXI UpScaler clk specified\n");
+-                      return -ENODEV;
++                      ret = -ENODEV;
++                      goto axius_clk_err;
+               }
+               clk_prepare_enable(exynos->axius_clk);
+       } else {
+@@ -206,6 +207,7 @@ err3:
+       regulator_disable(exynos->vdd33);
+ err2:
+       clk_disable_unprepare(exynos->axius_clk);
++axius_clk_err:
+       clk_disable_unprepare(exynos->susp_clk);
+       clk_disable_unprepare(exynos->clk);
+       return ret;
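Review bot: `ret = -ENODEV;` in the axius clock branch discards the error that `devm_clk_get()` actually returned, so a probe deferral or other clock-framework error is reported as a missing device. `ret = PTR_ERR(exynos->axius_clk);` would preserve it while keeping the new `goto axius_clk_err;` cleanup. The context line `clk_prepare_enable(exynos->axius_clk);` just below also ignores its return value, so a failed enable lets the probe continue, and the `err2` path could later call `clk_disable_unprepare()` on a clock that was never enabled. `dwc3_exynos_probe()` begins and ends outside these hunks, so how `susp_clk` and `clk` were enabled before this point is not visible.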
diff --git a/queue-4.9/usb-gadget-composite-fix-function-used-to-free-memory.patch b/queue-4.9/usb-gadget-composite-fix-function-used-to-free-memory.patch
new file mode 100644 (file)
index 0000000..19baae4
--- /dev/null
@@ -0,0 +1,32 @@
+From 990758c53eafe5a220a780ed12e7b4d51b3df032 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Wed, 4 Jan 2017 06:30:16 +0100
+Subject: usb: gadget: composite: Fix function used to free memory
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 990758c53eafe5a220a780ed12e7b4d51b3df032 upstream.
+
+'cdev->os_desc_req' has been allocated with 'usb_ep_alloc_request()' so
+'usb_ep_free_request()' should be used to free it.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/composite.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -2147,7 +2147,7 @@ int composite_os_desc_req_prepare(struct
+       cdev->os_desc_req->buf = kmalloc(4096, GFP_KERNEL);
+       if (!cdev->os_desc_req->buf) {
+               ret = -ENOMEM;
+-              kfree(cdev->os_desc_req);
++              usb_ep_free_request(ep0, cdev->os_desc_req);
+               goto end;
+       }
+       cdev->os_desc_req->context = cdev;
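Review bot: After `usb_ep_free_request(ep0, cdev->os_desc_req);` the field `cdev->os_desc_req` still holds the freed pointer when control reaches `end`. If any teardown code outside this hunk tests or frees `cdev->os_desc_req`, that becomes a use-after-free or double free; adding `cdev->os_desc_req = NULL;` right after the free removes the possibility. The `4096` in `kmalloc(4096, GFP_KERNEL)` on the context line is also an unnamed constant that nothing in the hunk explains. `composite_os_desc_req_prepare()` starts and ends outside the hunk.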