4.4-stable patches

added patches:
	ipmi-fix-kernel-panic-at-ipmi_ssif_thread.patch

diff --git a/queue-4.4/ipmi-fix-kernel-panic-at-ipmi_ssif_thread.patch b/queue-4.4/ipmi-fix-kernel-panic-at-ipmi_ssif_thread.patch
new file mode 100644 (file)
index 0000000..793e619
--- /dev/null
+++ b/queue-4.4/ipmi-fix-kernel-panic-at-ipmi_ssif_thread.patch
@@ -0,0 +1,51 @@
+From 6de65fcfdb51835789b245203d1bfc8d14cb1e06 Mon Sep 17 00:00:00 2001
+From: Joeseph Chang <joechang@codeaurora.org>
+Date: Mon, 27 Mar 2017 20:22:09 -0600
+Subject: ipmi: Fix kernel panic at ipmi_ssif_thread()
+
+From: Joeseph Chang <joechang@codeaurora.org>
+
+commit 6de65fcfdb51835789b245203d1bfc8d14cb1e06 upstream.
+
+msg_written_handler() may set ssif_info->multi_data to NULL
+when using ipmitool to write fru.
+
+Before setting ssif_info->multi_data to NULL, add new local
+pointer "data_to_send" and store correct i2c data pointer to
+it to fix NULL pointer kernel panic and incorrect ssif_info->multi_pos.
+
+Signed-off-by: Joeseph Chang <joechang@codeaurora.org>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ipmi/ipmi_ssif.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -888,6 +888,7 @@ static void msg_written_handler(struct s
+                * for details on the intricacies of this.
+                */
+               int left;
++              unsigned char *data_to_send;
+ 
+               ssif_inc_stat(ssif_info, sent_messages_parts);
+ 
+@@ -896,6 +897,7 @@ static void msg_written_handler(struct s
+                       left = 32;
+               /* Length byte. */
+               ssif_info->multi_data[ssif_info->multi_pos] = left;
++              data_to_send = ssif_info->multi_data + ssif_info->multi_pos;
+               ssif_info->multi_pos += left;
+               if (left < 32)
+                       /*
+@@ -909,7 +911,7 @@ static void msg_written_handler(struct s
+               rv = ssif_i2c_send(ssif_info, msg_written_handler,
+                                 I2C_SMBUS_WRITE,
+                                 SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE,
+-                                ssif_info->multi_data + ssif_info->multi_pos,
++                                data_to_send,
+                                 I2C_SMBUS_BLOCK_DATA);
+               if (rv < 0) {
+                       /* request failed, just return the error. */

diff --git a/queue-4.4/series b/queue-4.4/series
index a5751201daeea6332f9a37a7731ce9b2b3e1ec34..e55738fbc470d3f9480133e18d6bdec7ddcd2599 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -53,3 +53,4 @@ mac80211-pass-block-ack-session-timeout-to-to-driver.patch
 mac80211-rx-ba-support-for-sta-max_rx_aggregation_subframes.patch
 wlcore-pass-win_size-taken-from-ieee80211_sta-to-fw.patch
 wlcore-add-rx_ba_win_size_change_event-event.patch
+ipmi-fix-kernel-panic-at-ipmi_ssif_thread.patch