--- /dev/null
+From 7cecd9ab80f43972c056dc068338f7bcc407b71c Mon Sep 17 00:00:00 2001
+From: Mirza Krak <mirza.krak@hostmobility.com>
+Date: Tue, 10 Nov 2015 14:59:34 +0100
+Subject: can: sja1000: clear interrupts on start
+
+From: Mirza Krak <mirza.krak@hostmobility.com>
+
+commit 7cecd9ab80f43972c056dc068338f7bcc407b71c upstream.
+
+According to SJA1000 data sheet error-warning (EI) interrupt is not
+cleared by setting the controller in to reset-mode.
+
+Then if we have the following case:
+- system is suspended (echo mem > /sys/power/state) and SJA1000 is left
+ in operating state
+- A bus error condition occurs which activates EI interrupt, system is
+ still suspended which means EI interrupt will be not be handled nor
+ cleared.
+
+If the above two events occur, on resume there is no way to return the
+SJA1000 to operating state, except to cycle power to it.
+
+By simply reading the IR register on start we will clear any previous
+conditions that could be present.
+
+Signed-off-by: Mirza Krak <mirza.krak@hostmobility.com>
+Reported-by: Christian Magnusson <Christian.Magnusson@semcon.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/sja1000/sja1000.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/can/sja1000/sja1000.c
++++ b/drivers/net/can/sja1000/sja1000.c
+@@ -187,6 +187,9 @@ static void sja1000_start(struct net_dev
+ /* clear interrupt flags */
+ priv->read_reg(priv, SJA1000_IR);
+
++ /* clear interrupt flags */
++ priv->read_reg(priv, SJA1000_IR);
++
+ /* leave reset mode */
+ set_normal_mode(dev);
+ }
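Review bot: The added lines duplicate the context directly above them: `priv->read_reg(priv, SJA1000_IR);` with the same `/* clear interrupt flags */` comment is already present just before the insertion point, so after this hunk the IR register is read twice back to back. That suggests the fix is already in this tree and the patch was queued a second time. The second read adds nothing, so the patch should probably be dropped from the queue rather than applied. sja1000_start() begins outside the hunk, so this is judged from the visible context only.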
--- /dev/null
+From ed8b45a3679eb49069b094c0711b30833f27c734 Mon Sep 17 00:00:00 2001
+From: Joe Thornber <ejt@redhat.com>
+Date: Thu, 10 Dec 2015 14:37:53 +0000
+Subject: dm btree: fix bufio buffer leaks in dm_btree_del() error path
+
+From: Joe Thornber <ejt@redhat.com>
+
+commit ed8b45a3679eb49069b094c0711b30833f27c734 upstream.
+
+If dm_btree_del()'s call to push_frame() fails, e.g. due to
+btree_node_validator finding invalid metadata, the dm_btree_del() error
+path must unlock all frames (which have active dm-bufio buffers) that
+were pushed onto the del_stack.
+
+Otherwise, dm_bufio_client_destroy() will BUG_ON() because dm-bufio
+buffers have leaked, e.g.:
+ device-mapper: bufio: leaked buffer 3, hold count 1, list 0
+
+Signed-off-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/persistent-data/dm-btree.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/persistent-data/dm-btree.c
++++ b/drivers/md/persistent-data/dm-btree.c
+@@ -235,6 +235,16 @@ static bool is_internal_level(struct dm_
+ return f->level < (info->levels - 1);
+ }
+
++static void unlock_all_frames(struct del_stack *s)
++{
++ struct frame *f;
++
++ while (unprocessed_frames(s)) {
++ f = s->spine + s->top--;
++ dm_tm_unlock(s->tm, f->b);
++ }
++}
++
+ int dm_btree_del(struct dm_btree_info *info, dm_block_t root)
+ {
+ int r;
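Review bot: unlock_all_frames() has no comment, and its contract matters because it pops as it unlocks: each iteration takes `s->spine + s->top--`, so the stack is empty when it returns. A one-line comment above it would help, e.g. `/* error path: unlock the block of every frame still on the del_stack, emptying the stack */`. It is also worth stating there that it must run before `kfree(s)`, which the `out:` path in the next hunk relies on.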
+@@ -290,9 +300,13 @@ int dm_btree_del(struct dm_btree_info *i
+ f->current_child = f->nr_children;
+ }
+ }
+-
+ out:
++ if (r) {
++ /* cleanup all frames of del_stack */
++ unlock_all_frames(s);
++ }
+ kfree(s);
++
+ return r;
+ }
+ EXPORT_SYMBOL_GPL(dm_btree_del);
--- /dev/null
+From c2e703a55245bfff3db53b1f7cbe59f1ee8a4339 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 17 Nov 2015 14:25:21 +0100
+Subject: mac80211: mesh: fix call_rcu() usage
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit c2e703a55245bfff3db53b1f7cbe59f1ee8a4339 upstream.
+
+When using call_rcu(), the called function may be delayed quite
+significantly, and without a matching rcu_barrier() there's no
+way to be sure it has finished.
+Therefore, global state that could be gone/freed/reused should
+never be touched in the callback.
+
+Fix this in mesh by moving the atomic_dec() into the caller;
+that's not really a problem since we already unlinked the path
+and it will be destroyed anyway.
+
+This fixes a crash Jouni observed when running certain tests in
+a certain order, in which the mesh interface was torn down, the
+memory reused for a function pointer (work struct) and running
+that then crashed since the pointer had been decremented by 1,
+resulting in an invalid instruction byte stream.
+
+Fixes: eb2b9311fd00 ("mac80211: mesh path table implementation")
+Reported-by: Jouni Malinen <j@w1.fi>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mesh_pathtbl.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -747,10 +747,8 @@ void mesh_plink_broken(struct sta_info *
+ static void mesh_path_node_reclaim(struct rcu_head *rp)
+ {
+ struct mpath_node *node = container_of(rp, struct mpath_node, rcu);
+- struct ieee80211_sub_if_data *sdata = node->mpath->sdata;
+
+ del_timer_sync(&node->mpath->timer);
+- atomic_dec(&sdata->u.mesh.mpaths);
+ kfree(node->mpath);
+ kfree(node);
+ }
+@@ -758,8 +756,9 @@ static void mesh_path_node_reclaim(struc
+ /* needs to be called with the corresponding hashwlock taken */
+ static void __mesh_path_del(struct mesh_table *tbl, struct mpath_node *node)
+ {
+- struct mesh_path *mpath;
+- mpath = node->mpath;
++ struct mesh_path *mpath = node->mpath;
++ struct ieee80211_sub_if_data *sdata = node->mpath->sdata;
++
+ spin_lock(&mpath->state_lock);
+ mpath->flags |= MESH_PATH_RESOLVING;
+ if (mpath->is_gate)
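Review bot: The new `sdata` initialiser in __mesh_path_del() goes through `node->mpath->sdata` although `mpath` was set to `node->mpath` on the line above. `struct ieee80211_sub_if_data *sdata = mpath->sdata;` reads more directly and keeps a single source for the pointer. The function body continues in the next hunk.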
+@@ -767,6 +766,7 @@ static void __mesh_path_del(struct mesh_
+ hlist_del_rcu(&node->list);
+ call_rcu(&node->rcu, mesh_path_node_reclaim);
+ spin_unlock(&mpath->state_lock);
++ atomic_dec(&sdata->u.mesh.mpaths);
+ atomic_dec(&tbl->entries);
+ }
+
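Review bot: The reason `atomic_dec(&sdata->u.mesh.mpaths);` now lives here rather than in mesh_path_node_reclaim() is recorded only in the commit message, so a later cleanup could move the decrement back into the RCU callback. A comment at the call would keep it in place, e.g. `/* not in the RCU callback: sdata may already be freed or reused by the time that runs */`.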
--- /dev/null
+From 8c7188b23474cca017b3ef354c4a58456f68303a Mon Sep 17 00:00:00 2001
+From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Date: Tue, 24 Nov 2015 17:13:21 -0500
+Subject: RDS: fix race condition when sending a message on unbound socket
+
+From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+
+commit 8c7188b23474cca017b3ef354c4a58456f68303a upstream.
+
+Sasha's found a NULL pointer dereference in the RDS connection code when
+sending a message to an apparently unbound socket. The problem is caused
+by the code checking if the socket is bound in rds_sendmsg(), which checks
+the rs_bound_addr field without taking a lock on the socket. This opens a
+race where rs_bound_addr is temporarily set but where the transport is not
+in rds_bind(), leading to a NULL pointer dereference when trying to
+dereference 'trans' in __rds_conn_create().
+
+Vegard wrote a reproducer for this issue, so kindly ask him to share if
+you're interested.
+
+I cannot reproduce the NULL pointer dereference using Vegard's reproducer
+with this patch, whereas I could without.
+
+Complete earlier incomplete fix to CVE-2015-6937:
+
+ 74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")
+
+Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
+Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rds/connection.c | 6 ------
+ net/rds/send.c | 4 +++-
+ 2 files changed, 3 insertions(+), 7 deletions(-)
+
+--- a/net/rds/connection.c
++++ b/net/rds/connection.c
+@@ -177,12 +177,6 @@ static struct rds_connection *__rds_conn
+ }
+ }
+
+- if (trans == NULL) {
+- kmem_cache_free(rds_conn_slab, conn);
+- conn = ERR_PTR(-ENODEV);
+- goto out;
+- }
+-
+ conn->c_trans = trans;
+
+ ret = trans->conn_alloc(conn, gfp);
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -955,11 +955,13 @@ int rds_sendmsg(struct kiocb *iocb, stru
+ release_sock(sk);
+ }
+
+- /* racing with another thread binding seems ok here */
++ lock_sock(sk);
+ if (daddr == 0 || rs->rs_bound_addr == 0) {
++ release_sock(sk);
+ ret = -ENOTCONN; /* XXX not a great errno */
+ goto out;
+ }
++ release_sock(sk);
+
+ /* size of rm including all sgs */
+ ret = rds_rm_size(msg, payload_len);
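Review bot: After this commit the lock taken around the `rs_bound_addr` test is the only thing keeping a NULL transport out of __rds_conn_create(), since the connection.c hunk removes the `trans == NULL` guard, yet the old comment is deleted without a replacement. The lock is released again before the address is used, so the check only works if rds_bind() publishes the bound address and the transport together under the same socket lock, which the commit message implies but this hunk does not show. A comment at the `lock_sock(sk);` line should record that, e.g. `/* rds_bind() sets rs_bound_addr and the transport under the socket lock; take it so a half-finished bind is never observed */`. It is also worth confirming that no other caller can reach __rds_conn_create() with a NULL `trans` now that the guard is gone. rds_sendmsg() starts and ends outside the hunk.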
--- /dev/null
+From b7bb110008607a915298bf0f47d25886ecb94477 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 10 Dec 2015 10:37:51 +0100
+Subject: rfkill: copy the name into the rfkill struct
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit b7bb110008607a915298bf0f47d25886ecb94477 upstream.
+
+Some users of rfkill, like NFC and cfg80211, use a dynamic name when
+allocating rfkill, in those cases dev_name(). Therefore, the pointer
+passed to rfkill_alloc() might not be valid forever, I specifically
+found the case that the rfkill name was quite obviously an invalid
+pointer (or at least garbage) when the wiphy had been renamed.
+
+Fix this by making a copy of the rfkill name in rfkill_alloc().
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rfkill/core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/rfkill/core.c
++++ b/net/rfkill/core.c
+@@ -51,7 +51,6 @@
+ struct rfkill {
+ spinlock_t lock;
+
+- const char *name;
+ enum rfkill_type type;
+
+ unsigned long state;
+@@ -75,6 +74,7 @@ struct rfkill {
+ struct delayed_work poll_work;
+ struct work_struct uevent_work;
+ struct work_struct sync_work;
++ char name[];
+ };
+ #define to_rfkill(d) container_of(d, struct rfkill, dev)
+
+@@ -871,14 +871,14 @@ struct rfkill * __must_check rfkill_allo
+ if (WARN_ON(type == RFKILL_TYPE_ALL || type >= NUM_RFKILL_TYPES))
+ return NULL;
+
+- rfkill = kzalloc(sizeof(*rfkill), GFP_KERNEL);
++ rfkill = kzalloc(sizeof(*rfkill) + strlen(name) + 1, GFP_KERNEL);
+ if (!rfkill)
+ return NULL;
+
+ spin_lock_init(&rfkill->lock);
+ INIT_LIST_HEAD(&rfkill->node);
+ rfkill->type = type;
+- rfkill->name = name;
++ strcpy(rfkill->name, name);
+ rfkill->ops = ops;
+ rfkill->data = ops_data;
+
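Review bot: The allocation size and the copy each measure `name` separately, with `strlen(name) + 1` in the kzalloc() and then `strcpy(rfkill->name, name)`, so the copy is bounded only if the string is unchanged in between, and the commit message says callers pass dynamic names such as dev_name(). Measuring once ties the two together: `size_t len = strlen(name);` before the allocation, `kzalloc(sizeof(*rfkill) + len + 1, GFP_KERNEL)`, and `memcpy(rfkill->name, name, len);`, with the terminator coming from kzalloc()'s zeroing. strlen() also requires a non-NULL `name`; any such check would sit above the hunk, where rfkill_alloc() begins, and is not visible here.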
--- /dev/null
+From d98f1cd0a3b70ea91f1dfda3ac36c3b2e1a4d5e2 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Thu, 26 Nov 2015 12:00:59 -0500
+Subject: sata_sil: disable trim
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit d98f1cd0a3b70ea91f1dfda3ac36c3b2e1a4d5e2 upstream.
+
+When I connect an Intel SSD to SATA SIL controller (PCI ID 1095:3114), any
+TRIM command results in I/O errors being reported in the log. There is
+other similar error reported with TRIM and the SIL controller:
+https://bugs.centos.org/view.php?id=5880
+
+Apparently the controller doesn't support TRIM commands. This patch
+disables TRIM support on the SATA SIL controller.
+
+ata7.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
+ata7.00: BMDMA2 stat 0x50001
+ata7.00: failed command: DATA SET MANAGEMENT
+ata7.00: cmd 06/01:01:00:00:00/00:00:00:00:00/a0 tag 0 dma 512 out
+ res 51/04:01:00:00:00/00:00:00:00:00/a0 Emask 0x1 (device error)
+ata7.00: status: { DRDY ERR }
+ata7.00: error: { ABRT }
+ata7.00: device reported invalid CHS sector 0
+sd 8:0:0:0: [sdb] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
+sd 8:0:0:0: [sdb] tag#0 Sense Key : Illegal Request [current] [descriptor]
+sd 8:0:0:0: [sdb] tag#0 Add. Sense: Unaligned write command
+sd 8:0:0:0: [sdb] tag#0 CDB: Write same(16) 93 08 00 00 00 00 00 21 95 88 00 20 00 00 00 00
+blk_update_request: I/O error, dev sdb, sector 2200968
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/sata_sil.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/ata/sata_sil.c
++++ b/drivers/ata/sata_sil.c
+@@ -631,6 +631,9 @@ static void sil_dev_config(struct ata_de
+ unsigned int n, quirks = 0;
+ unsigned char model_num[ATA_ID_PROD_LEN + 1];
+
++ /* This controller doesn't support trim */
++ dev->horkage |= ATA_HORKAGE_NOTRIM;
++
+ ata_id_c_string(dev->id, model_num, ATA_ID_PROD, sizeof(model_num));
+
+ for (n = 0; sil_blacklist[n].product; n++)
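Review bot: `dev->horkage |= ATA_HORKAGE_NOTRIM;` is set for every device this driver configures, while the evidence in the commit message is one controller (PCI ID 1095:3114) with one SSD, and the comment only says the controller does not support trim. If the driver also handles other chips (not visible in this hunk), the comment should state that the blanket setting is deliberate and what was observed, e.g. `/* TRIM (DATA SET MANAGEMENT) is aborted behind this controller and surfaces as I/O errors; disabled for all devices */`. sil_dev_config() continues past the end of the hunk.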
--- /dev/null
+From 119d6f6a3be8b424b200dcee56e74484d5445f7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sasha.levin@oracle.com>
+Date: Mon, 30 Nov 2015 20:34:20 -0500
+Subject: sched/core: Remove false-positive warning from wake_up_process()
+
+From: Sasha Levin <sasha.levin@oracle.com>
+
+commit 119d6f6a3be8b424b200dcee56e74484d5445f7e upstream.
+
+Because wakeups can (fundamentally) be late, a task might not be in
+the expected state. Therefore testing against a task's state is racy,
+and can yield false positives.
+
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: oleg@redhat.com
+Fixes: 9067ac85d533 ("wake_up_process() should be never used to wakeup a TASK_STOPPED/TRACED task")
+Link: http://lkml.kernel.org/r/1448933660-23082-1-git-send-email-sasha.levin@oracle.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -1587,7 +1587,6 @@ out:
+ */
+ int wake_up_process(struct task_struct *p)
+ {
+- WARN_ON(task_is_stopped_or_traced(p));
+ return try_to_wake_up(p, TASK_NORMAL, 0);
+ }
+ EXPORT_SYMBOL(wake_up_process);
--- /dev/null
+From dd39a26538e37f6c6131e829a4a510787e43c783 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@arm.linux.org.uk>
+Date: Fri, 11 Dec 2015 12:09:03 +0000
+Subject: scripts: recordmcount: break hardlinks
+
+From: Russell King <rmk+kernel@arm.linux.org.uk>
+
+commit dd39a26538e37f6c6131e829a4a510787e43c783 upstream.
+
+recordmcount edits the file in-place, which can cause problems when
+using ccache in hardlink mode. Arrange for recordmcount to break a
+hardlinked object.
+
+Link: http://lkml.kernel.org/r/E1a7MVT-0000et-62@rmk-PC.arm.linux.org.uk
+
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/recordmcount.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/scripts/recordmcount.c
++++ b/scripts/recordmcount.c
+@@ -189,6 +189,20 @@ static void *mmap_file(char const *fname
+ addr = umalloc(sb.st_size);
+ uread(fd_map, addr, sb.st_size);
+ }
++ if (sb.st_nlink != 1) {
++ /* file is hard-linked, break the hard link */
++ close(fd_map);
++ if (unlink(fname) < 0) {
++ perror(fname);
++ fail_file();
++ }
++ fd_map = open(fname, O_RDWR | O_CREAT, sb.st_mode);
++ if (fd_map < 0) {
++ perror(fname);
++ fail_file();
++ }
++ uwrite(fd_map, addr, sb.st_size);
++ }
+ return addr;
+ }
+
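Review bot: The hard-link break is not atomic, and it re-creates the file by name without `O_EXCL`. Between `unlink(fname)` and the `open()` that follows, the path does not exist, so anything else writing into the build directory can place a different file there and this code would open and overwrite it; a failure in open() or uwrite() also leaves the object missing or truncated. Adding `O_EXCL` makes the open fail instead of reusing whatever appeared: `fd_map = open(fname, O_RDWR | O_CREAT | O_EXCL, sb.st_mode);`. Writing the copy to a temporary name in the same directory and rename()-ing it over `fname` would close the window entirely and keep the original intact on error. mmap_file() starts above the hunk.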
vfs-avoid-softlockups-with-sendfile-2.patch
ring-buffer-update-read-stamp-with-first-real-commit-on-page.patch
virtio-fix-memory-leak-of-virtio-ida-cache-layers.patch
+mac80211-mesh-fix-call_rcu-usage.patch
+rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
+can-sja1000-clear-interrupts-on-start.patch
+sched-core-remove-false-positive-warning-from-wake_up_process.patch
+sata_sil-disable-trim.patch
+dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch
+vgaarb-fix-signal-handling-in-vga_get.patch
+rfkill-copy-the-name-into-the-rfkill-struct.patch
+ses-fix-problems-with-simple-enclosures.patch
+ses-fix-additional-element-traversal-bug.patch
+scripts-recordmcount-break-hardlinks.patch
--- /dev/null
+From 5e1033561da1152c57b97ee84371dba2b3d64c25 Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Fri, 11 Dec 2015 09:16:38 -0800
+Subject: ses: fix additional element traversal bug
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+commit 5e1033561da1152c57b97ee84371dba2b3d64c25 upstream.
+
+KASAN found that our additional element processing scripts drop off
+the end of the VPD page into unallocated space. The reason is that
+not every element has additional information but our traversal
+routines think they do, leading to them expecting far more additional
+information than is present. Fix this by adding a gate to the
+traversal routine so that it only processes elements that are expected
+to have additional information (list is in SES-2 section 6.1.13.1:
+Additional Element Status diagnostic page overview)
+
+Reported-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Tested-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ses.c | 10 +++++++++-
+ include/linux/enclosure.h | 4 ++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -454,7 +454,15 @@ static void ses_enclosure_data_process(s
+ if (desc_ptr)
+ desc_ptr += len;
+
+- if (addl_desc_ptr)
++ if (addl_desc_ptr &&
++ /* only find additional descriptions for specific devices */
++ (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||
++ type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE ||
++ type_ptr[0] == ENCLOSURE_COMPONENT_SAS_EXPANDER ||
++ /* these elements are optional */
++ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_TARGET_PORT ||
++ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT ||
++ type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS))
+ addl_desc_ptr += addl_desc_ptr[1] + 2;
+
+ }
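Review bot: The new type gate decides whether to advance, but the advance itself, `addl_desc_ptr += addl_desc_ptr[1] + 2;`, still takes its step from a length byte supplied by the enclosure and is not checked against the end of the additional-element page anywhere in this hunk. An enclosure that reports a too-large length, or fewer descriptors than it has elements of the listed types, would still move the pointer past the buffer, the same class of overrun KASAN reported. Before reading `addl_desc_ptr[1]`, and again after adding it, the pointer should be compared with the end of the page buffer (its length variable is outside the hunk) and set to NULL when it would run past. ses_enclosure_data_process() begins and ends outside the hunk.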
+--- a/include/linux/enclosure.h
++++ b/include/linux/enclosure.h
+@@ -29,7 +29,11 @@
+ /* A few generic types ... taken from ses-2 */
+ enum enclosure_component_type {
+ ENCLOSURE_COMPONENT_DEVICE = 0x01,
++ ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS = 0x07,
++ ENCLOSURE_COMPONENT_SCSI_TARGET_PORT = 0x14,
++ ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT = 0x15,
+ ENCLOSURE_COMPONENT_ARRAY_DEVICE = 0x17,
++ ENCLOSURE_COMPONENT_SAS_EXPANDER = 0x18,
+ };
+
+ /* ses-2 common element status */
--- /dev/null
+From 3417c1b5cb1fdc10261dbed42b05cc93166a78fd Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Tue, 8 Dec 2015 09:00:31 -0800
+Subject: ses: Fix problems with simple enclosures
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+commit 3417c1b5cb1fdc10261dbed42b05cc93166a78fd upstream.
+
+Simple enclosure implementations (mostly USB) are allowed to return only
+page 8 to every diagnostic query. That really confuses our
+implementation because we assume the return is the page we asked for and
+end up doing incorrect offsets based on bogus information leading to
+accesses outside of allocated ranges. Fix that by checking the page
+code of the return and giving an error if it isn't the one we asked for.
+This should fix reported bugs with USB storage by simply refusing to
+attach to enclosures that behave like this. It's also good defensive
+practise now that we're starting to see more USB enclosures.
+
+Reported-by: Andrea Gelmini <andrea.gelmini@gelma.net>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Reviewed-by: Tomas Henzl <thenzl@redhat.com>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ses.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -70,6 +70,7 @@ static int ses_probe(struct device *dev)
+ static int ses_recv_diag(struct scsi_device *sdev, int page_code,
+ void *buf, int bufflen)
+ {
++ int ret;
+ unsigned char cmd[] = {
+ RECEIVE_DIAGNOSTIC,
+ 1, /* Set PCV bit */
+@@ -78,9 +79,26 @@ static int ses_recv_diag(struct scsi_dev
+ bufflen & 0xff,
+ 0
+ };
++ unsigned char recv_page_code;
+
+- return scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen,
++ ret = scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen,
+ NULL, SES_TIMEOUT, SES_RETRIES, NULL);
++ if (unlikely(!ret))
++ return ret;
++
++ recv_page_code = ((unsigned char *)buf)[0];
++
++ if (likely(recv_page_code == page_code))
++ return ret;
++
++ /* successful diagnostic but wrong page code. This happens to some
++ * USB devices, just print a message and pretend there was an error */
++
++ sdev_printk(KERN_ERR, sdev,
++ "Wrong diagnostic page; asked for %d got %u\n",
++ page_code, recv_page_code);
++
++ return -EINVAL;
+ }
+
+ static int ses_send_diag(struct scsi_device *sdev, int page_code,
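Review bot: The early return `if (unlikely(!ret)) return ret;` is inverted. scsi_execute_req() returns 0 on success, so a successful request returns immediately and the page-code comparison below it never runs. A failed request falls through and reads `((unsigned char *)buf)[0]` from a buffer the device may not have filled, then most likely logs a misleading "Wrong diagnostic page" message and returns -EINVAL in place of the real error. It should be `if (unlikely(ret)) return ret;`, which also makes the later `return ret;` on a matching page return 0 as intended.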
--- /dev/null
+From 9f5bd30818c42c6c36a51f93b4df75a2ea2bd85e Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill@shutemov.name>
+Date: Mon, 30 Nov 2015 04:17:31 +0200
+Subject: vgaarb: fix signal handling in vga_get()
+
+From: Kirill A. Shutemov <kirill@shutemov.name>
+
+commit 9f5bd30818c42c6c36a51f93b4df75a2ea2bd85e upstream.
+
+There are few defects in vga_get() related to signal hadning:
+
+ - we shouldn't check for pending signals for TASK_UNINTERRUPTIBLE
+ case;
+
+ - if we found pending signal we must remove ourself from wait queue
+ and change task state back to running;
+
+ - -ERESTARTSYS is more appropriate, I guess.
+
+Signed-off-by: Kirill A. Shutemov <kirill@shutemov.name>
+Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/vga/vgaarb.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/vga/vgaarb.c
++++ b/drivers/gpu/vga/vgaarb.c
+@@ -392,8 +392,10 @@ int vga_get(struct pci_dev *pdev, unsign
+ set_current_state(interruptible ?
+ TASK_INTERRUPTIBLE :
+ TASK_UNINTERRUPTIBLE);
+- if (signal_pending(current)) {
+- rc = -EINTR;
++ if (interruptible && signal_pending(current)) {
++ __set_current_state(TASK_RUNNING);
++ remove_wait_queue(&vga_wait_queue, &wait);
++ rc = -ERESTARTSYS;
+ break;
+ }
+ schedule();
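Review bot: Changing the error from -EINTR to -ERESTARTSYS alters what vga_get() callers see, and the hunk shows neither the function's kernel-doc nor any caller, so both need checking. -ERESTARTSYS has to be propagated unchanged to the syscall return path, never compared against -EINTR, and never handed to user space by another route. The commit message itself is tentative about the choice ("I guess"). If the kernel-doc above vga_get() lists -EINTR, it should be updated in the same patch. The loop this `break` leaves starts outside the hunk.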