--- /dev/null
+From b9a5e5e18fbf223502c0b2264c15024e393da928 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Thu, 7 May 2015 21:19:39 +0200
+Subject: ACPI / init: Fix the ordering of acpi_reserve_resources()
+
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+
+commit b9a5e5e18fbf223502c0b2264c15024e393da928 upstream.
+
+Since acpi_reserve_resources() is defined as a device_initcall(),
+there's no guarantee that it will be executed in the right order
+with respect to the rest of the ACPI initialization code. On some
+systems this leads to breakage if, for example, the address range
+that should be reserved for the ACPI fixed registers is given to
+the PCI host bridge instead if the race is won by the wrong code
+path.
+
+Fix this by turning acpi_reserve_resources() into a void function
+and calling it directly from within the ACPI initialization sequence.
+
+Reported-and-tested-by: George McCollister <george.mccollister@gmail.com>
+Link: http://marc.info/?t=143092384600002&r=1&w=2
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/osl.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/acpi/osl.c
++++ b/drivers/acpi/osl.c
+@@ -173,7 +173,7 @@ static void __init acpi_request_region (
+ request_mem_region(addr, length, desc);
+ }
+
+-static int __init acpi_reserve_resources(void)
++static void __init acpi_reserve_resources(void)
+ {
+ acpi_request_region(&acpi_gbl_FADT.xpm1a_event_block, acpi_gbl_FADT.pm1_event_length,
+ "ACPI PM1a_EVT_BLK");
+@@ -202,10 +202,7 @@ static int __init acpi_reserve_resources
+ if (!(acpi_gbl_FADT.gpe1_block_length & 0x1))
+ acpi_request_region(&acpi_gbl_FADT.xgpe1_block,
+ acpi_gbl_FADT.gpe1_block_length, "ACPI GPE1_BLK");
+-
+- return 0;
+ }
+-device_initcall(acpi_reserve_resources);
+
+ void acpi_os_printf(const char *fmt, ...)
+ {
+@@ -1727,6 +1724,7 @@ acpi_status __init acpi_os_initialize(vo
+
+ acpi_status __init acpi_os_initialize1(void)
+ {
++ acpi_reserve_resources();
+ kacpid_wq = alloc_workqueue("kacpid", 0, 1);
+ kacpi_notify_wq = alloc_workqueue("kacpi_notify", 0, 1);
+ kacpi_hotplug_wq = alloc_workqueue("kacpi_hotplug", 0, 1);
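Review bot: The new `acpi_reserve_resources();` call in acpi_os_initialize1() carries the whole fix in its position, yet nothing at the call site records that ordering requirement, so a later reshuffle of the init sequence could reintroduce the conflict with the PCI host bridge described in the commit message. I would add a comment above it, e.g. `/* Reserve the ACPI fixed-register ranges here, before other init code can claim them. */`. Separately, the context line `request_mem_region(addr, length, desc);` in acpi_request_region() discards its result, so a reservation that loses to another owner stays silent; a warning on failure there would make this class of breakage visible in the boot log. acpi_os_initialize1() continues past the end of the hunk.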
--- /dev/null
+From 2b1d3ae940acd11be44c6eced5873d47c2e00ffa Mon Sep 17 00:00:00 2001
+From: Andrew Morton <akpm@linux-foundation.org>
+Date: Thu, 28 May 2015 15:44:24 -0700
+Subject: fs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings
+
+From: Andrew Morton <akpm@linux-foundation.org>
+
+commit 2b1d3ae940acd11be44c6eced5873d47c2e00ffa upstream.
+
+load_elf_binary() returns `retval', not `error'.
+
+Fixes: a87938b2e246b81b4fb ("fs/binfmt_elf.c: fix bug in loading of PIE binaries")
+Reported-by: James Hogan <james.hogan@imgtec.com>
+Cc: Michael Davidson <md@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/binfmt_elf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -824,7 +824,7 @@ static int load_elf_binary(struct linux_
+ total_size = total_mapping_size(elf_phdata,
+ loc->elf_ex.e_phnum);
+ if (!total_size) {
+- error = -EINVAL;
++ retval = -EINVAL;
+ goto out_free_dentry;
+ }
+ }
--- /dev/null
+From 3c0213d17a09601e0c6c0ae0e27caf70d988290f Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Thu, 23 Apr 2015 09:08:43 -0700
+Subject: Input: elantech - fix semi-mt protocol for v3 HW
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+commit 3c0213d17a09601e0c6c0ae0e27caf70d988290f upstream.
+
+When the v3 hardware sees more than one finger, it uses the semi-mt
+protocol to report the touches. However, it currently works when
+num_fingers is 0, 1 or 2, but when it is 3 and above, it sends only 1
+finger as if num_fingers was 1.
+
+This confuses userspace which knows how to deal with extra fingers
+when all the slots are used, but not when some are missing.
+
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=90101
+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elantech.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -314,7 +314,7 @@ static void elantech_report_semi_mt_data
+ unsigned int x2, unsigned int y2)
+ {
+ elantech_set_slot(dev, 0, num_fingers != 0, x1, y1);
+- elantech_set_slot(dev, 1, num_fingers == 2, x2, y2);
++ elantech_set_slot(dev, 1, num_fingers >= 2, x2, y2);
+ }
+
+ /*
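Review bot: With `num_fingers >= 2` slot 1 is now marked active for three or more fingers, but the hunk does not show whether the caller fills `x2`/`y2` in that case. If the v3 packet parser only decodes a second coordinate pair for exactly two fingers, slot 1 would be reported at whatever default those variables hold, so the caller is worth checking before relying on this. A short comment on the changed line, e.g. `/* semi-mt: keep both slots active for 3+ fingers */`, would also record why the test is not `== 2`. The function's signature starts above the hunk.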
--- /dev/null
+From 414b7e3b9ce8b0577f613e656fdbc36b34b444dd Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Fri, 24 Apr 2015 11:03:37 -0500
+Subject: rtlwifi: rtl8192cu: Fix kernel deadlock
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 414b7e3b9ce8b0577f613e656fdbc36b34b444dd upstream.
+
+The USB mini-driver in rtlwifi, which is used by rtl8192cu, issues a call to
+usb_control_msg() with a timeout value of 0. In some instances where the
+interface is shutting down, this infinite wait results in a CPU deadlock. A
+one second timeout fixes this problem without affecting any normal operations.
+
+This bug is reported at https://bugzilla.novell.com/show_bug.cgi?id=927786.
+
+Reported-by: Bernhard Wiedemann <bwiedemann@suse.com>
+Tested-by: Bernhard Wiedemann <bwiedemann@suse.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: Bernhard Wiedemann <bwiedemann@suse.com>
+Cc: Takashi Iwai<tiwai@suse.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rtlwifi/usb.c
++++ b/drivers/net/wireless/rtlwifi/usb.c
+@@ -119,7 +119,7 @@ static int _usbctrl_vendorreq_sync_read(
+
+ do {
+ status = usb_control_msg(udev, pipe, request, reqtype, value,
+- index, pdata, len, 0); /*max. timeout*/
++ index, pdata, len, 1000);
+ if (status < 0) {
+ /* firmware download is checksumed, don't retry */
+ if ((value >= FW_8192C_START_ADDRESS &&
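Review bot: The literal `1000` in the usb_control_msg() call replaces the old `/*max. timeout*/` comment with nothing, so the unit and the reason for the bound are left to the reader; usb_control_msg() takes the timeout in milliseconds. I would write `index, pdata, len, 1000); /* 1 s; 0 would wait forever */` or use a named constant. The call also sits in a `do { ... }` retry loop, so the worst-case stall is the timeout multiplied by the retry count, which is not visible in this hunk. The function starts and ends outside the hunk.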
arm-fix-missing-syscall-trace-exit.patch
svcrpc-fix-potential-gssx_accept_sec_context-decoding-failures.patch
md-raid5-don-t-record-new-size-if-resize_stripes-fails.patch
+rtlwifi-rtl8192cu-fix-kernel-deadlock.patch
+input-elantech-fix-semi-mt-protocol-for-v3-hw.patch
+acpi-init-fix-the-ordering-of-acpi_reserve_resources.patch
+vfs-read-file_handle-only-once-in-handle_to_path.patch
+fs-binfmt_elf.c-load_elf_binary-return-einval-on-zero-length-mappings.patch
--- /dev/null
+From 161f873b89136eb1e69477c847d5a5033239d9ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sasha.levin@oracle.com>
+Date: Wed, 28 Jan 2015 15:30:43 -0500
+Subject: vfs: read file_handle only once in handle_to_path
+
+From: Sasha Levin <sasha.levin@oracle.com>
+
+commit 161f873b89136eb1e69477c847d5a5033239d9ba upstream.
+
+We used to read file_handle twice. Once to get the amount of extra
+bytes, and once to fetch the entire structure.
+
+This may be problematic since we do size verifications only after the
+first read, so if the number of extra bytes changes in userspace between
+the first and second calls, we'll have an incoherent view of
+file_handle.
+
+Instead, read the constant size once, and copy that over to the final
+structure without having to re-read it again.
+
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fhandle.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/fhandle.c
++++ b/fs/fhandle.c
+@@ -195,8 +195,9 @@ static int handle_to_path(int mountdirfd
+ goto out_err;
+ }
+ /* copy the full handle */
+- if (copy_from_user(handle, ufh,
+- sizeof(struct file_handle) +
++ *handle = f_handle;
++ if (copy_from_user(&handle->f_handle,
++ &ufh->f_handle,
+ f_handle.handle_bytes)) {
+ retval = -EFAULT;
+ goto out_handle;
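Review bot: The retained comment `/* copy the full handle */` no longer matches the code: the header is now taken from the kernel copy `f_handle` that was already size-checked, and only the variable-length payload is fetched from userspace. Since the point of the change is that `handle_bytes` is never re-read from user memory, I would say so at the site, e.g. `/* header from the validated kernel copy; fetch only the payload from userspace */`, so that a later cleanup does not restore a single copy_from_user() over the whole structure. The local `f_handle` and the member `handle->f_handle` share a name, which makes the three new lines harder to read than necessary; the comment helps there as well. handle_to_path() begins and ends outside the hunk.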