3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 1 Mar 2016 08:24:41 +0000 (00:24 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 1 Mar 2016 08:24:41 +0000 (00:24 -0800)
added patches:
can-sja1000-clear-interrupts-on-start.patch
dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch
dm-space-map-metadata-fix-ref-counting-bug-when-bootstrapping-a-new-space-map.patch
irqchip-versatile-fpga-fix-pci-irq-mapping-on-versatile-pb.patch
mac80211-mesh-fix-call_rcu-usage.patch
powercap-rapl-fix-bios-lock-check.patch
rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
rfkill-copy-the-name-into-the-rfkill-struct.patch
sata_sil-disable-trim.patch
sched-core-clear-the-root_domain-cpumasks-in-init_rootdomain.patch
sched-core-remove-false-positive-warning-from-wake_up_process.patch
scripts-recordmcount-break-hardlinks.patch
ses-fix-additional-element-traversal-bug.patch
ses-fix-problems-with-simple-enclosures.patch
vgaarb-fix-signal-handling-in-vga_get.patch

16 files changed:
queue-3.14/can-sja1000-clear-interrupts-on-start.patch [new file with mode: 0644]
queue-3.14/dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch [new file with mode: 0644]
queue-3.14/dm-space-map-metadata-fix-ref-counting-bug-when-bootstrapping-a-new-space-map.patch [new file with mode: 0644]
queue-3.14/irqchip-versatile-fpga-fix-pci-irq-mapping-on-versatile-pb.patch [new file with mode: 0644]
queue-3.14/mac80211-mesh-fix-call_rcu-usage.patch [new file with mode: 0644]
queue-3.14/powercap-rapl-fix-bios-lock-check.patch [new file with mode: 0644]
queue-3.14/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch [new file with mode: 0644]
queue-3.14/rfkill-copy-the-name-into-the-rfkill-struct.patch [new file with mode: 0644]
queue-3.14/sata_sil-disable-trim.patch [new file with mode: 0644]
queue-3.14/sched-core-clear-the-root_domain-cpumasks-in-init_rootdomain.patch [new file with mode: 0644]
queue-3.14/sched-core-remove-false-positive-warning-from-wake_up_process.patch [new file with mode: 0644]
queue-3.14/scripts-recordmcount-break-hardlinks.patch [new file with mode: 0644]
queue-3.14/series
queue-3.14/ses-fix-additional-element-traversal-bug.patch [new file with mode: 0644]
queue-3.14/ses-fix-problems-with-simple-enclosures.patch [new file with mode: 0644]
queue-3.14/vgaarb-fix-signal-handling-in-vga_get.patch [new file with mode: 0644]

diff --git a/queue-3.14/can-sja1000-clear-interrupts-on-start.patch b/queue-3.14/can-sja1000-clear-interrupts-on-start.patch
new file mode 100644 (file)
index 0000000..f1fa9dc
--- /dev/null
@@ -0,0 +1,46 @@
+From 7cecd9ab80f43972c056dc068338f7bcc407b71c Mon Sep 17 00:00:00 2001
+From: Mirza Krak <mirza.krak@hostmobility.com>
+Date: Tue, 10 Nov 2015 14:59:34 +0100
+Subject: can: sja1000: clear interrupts on start
+
+From: Mirza Krak <mirza.krak@hostmobility.com>
+
+commit 7cecd9ab80f43972c056dc068338f7bcc407b71c upstream.
+
+According to SJA1000 data sheet error-warning (EI) interrupt is not
+cleared by setting the controller in to reset-mode.
+
+Then if we have the following case:
+- system is suspended (echo mem > /sys/power/state) and SJA1000 is left
+  in operating state
+- A bus error condition occurs which activates EI interrupt, system is
+  still suspended which means EI interrupt will be not be handled nor
+  cleared.
+
+If the above two events occur, on resume there is no way to return the
+SJA1000 to operating state, except to cycle power to it.
+
+By simply reading the IR register on start we will clear any previous
+conditions that could be present.
+
+Signed-off-by: Mirza Krak <mirza.krak@hostmobility.com>
+Reported-by: Christian Magnusson <Christian.Magnusson@semcon.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/sja1000/sja1000.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/can/sja1000/sja1000.c
++++ b/drivers/net/can/sja1000/sja1000.c
+@@ -187,6 +187,9 @@ static void sja1000_start(struct net_dev
+       /* clear interrupt flags */
+       priv->read_reg(priv, SJA1000_IR);
++      /* clear interrupt flags */
++      priv->read_reg(priv, SJA1000_IR);
++
+       /* leave reset mode */
+       set_normal_mode(dev);
+ }
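Review bot: The two added lines in sja1000_start() repeat the context lines directly above them: the embedded hunk already shows `/* clear interrupt flags */` followed by `priv->read_reg(priv, SJA1000_IR);` as unchanged code. If that context is accurate for the 3.14 tree, the read described in the commit message is already present and this backport adds a second identical one, which suggests the patch may have been queued against a tree that already carries it. The 3.14 source should be checked before applying; if the second read is intentional, its comment should say why the register is read twice.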
diff --git a/queue-3.14/dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch b/queue-3.14/dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch
new file mode 100644 (file)
index 0000000..4312cd9
--- /dev/null
@@ -0,0 +1,60 @@
+From ed8b45a3679eb49069b094c0711b30833f27c734 Mon Sep 17 00:00:00 2001
+From: Joe Thornber <ejt@redhat.com>
+Date: Thu, 10 Dec 2015 14:37:53 +0000
+Subject: dm btree: fix bufio buffer leaks in dm_btree_del() error path
+
+From: Joe Thornber <ejt@redhat.com>
+
+commit ed8b45a3679eb49069b094c0711b30833f27c734 upstream.
+
+If dm_btree_del()'s call to push_frame() fails, e.g. due to
+btree_node_validator finding invalid metadata, the dm_btree_del() error
+path must unlock all frames (which have active dm-bufio buffers) that
+were pushed onto the del_stack.
+
+Otherwise, dm_bufio_client_destroy() will BUG_ON() because dm-bufio
+buffers have leaked, e.g.:
+  device-mapper: bufio: leaked buffer 3, hold count 1, list 0
+
+Signed-off-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/persistent-data/dm-btree.c |   16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/persistent-data/dm-btree.c
++++ b/drivers/md/persistent-data/dm-btree.c
+@@ -250,6 +250,16 @@ static void pop_frame(struct del_stack *
+       dm_tm_unlock(s->tm, f->b);
+ }
++static void unlock_all_frames(struct del_stack *s)
++{
++      struct frame *f;
++
++      while (unprocessed_frames(s)) {
++              f = s->spine + s->top--;
++              dm_tm_unlock(s->tm, f->b);
++      }
++}
++
+ int dm_btree_del(struct dm_btree_info *info, dm_block_t root)
+ {
+       int r;
+@@ -306,9 +316,13 @@ int dm_btree_del(struct dm_btree_info *i
+                       pop_frame(s);
+               }
+       }
+-
+ out:
++      if (r) {
++              /* cleanup all frames of del_stack */
++              unlock_all_frames(s);
++      }
+       kfree(s);
++
+       return r;
+ }
+ EXPORT_SYMBOL_GPL(dm_btree_del);
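Review bot: unlock_all_frames() repeats the pop-and-unlock step (`f = s->spine + s->top--;` then `dm_tm_unlock(s->tm, f->b);`) instead of calling pop_frame(), and nothing in the added code says why. Only the last line of pop_frame() is visible in this hunk, so the reason is presumably something else pop_frame() does before unlocking; a short comment on the new helper stating what it deliberately skips on the error path would record that. The `if (r)` cleanup in dm_btree_del() also depends on `s->top` being valid on every path that reaches `out:`, which is set up outside the hunk.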
diff --git a/queue-3.14/dm-space-map-metadata-fix-ref-counting-bug-when-bootstrapping-a-new-space-map.patch b/queue-3.14/dm-space-map-metadata-fix-ref-counting-bug-when-bootstrapping-a-new-space-map.patch
new file mode 100644 (file)
index 0000000..de32b4e
--- /dev/null
@@ -0,0 +1,115 @@
+From 50dd842ad83b43bed71790efb31cfb2f6c05c9c1 Mon Sep 17 00:00:00 2001
+From: Joe Thornber <ejt@redhat.com>
+Date: Wed, 9 Dec 2015 16:38:12 +0000
+Subject: dm space map metadata: fix ref counting bug when bootstrapping a new space map
+
+From: Joe Thornber <ejt@redhat.com>
+
+commit 50dd842ad83b43bed71790efb31cfb2f6c05c9c1 upstream.
+
+When applying block operations (BOPs) do not remove them from the
+uncommitted BOP ring-buffer until after they've been applied -- in case
+we recurse.
+
+Also, perform BOP_INC operation, in dm_sm_metadata_create() and
+sm_metadata_extend(), in terms of the uncommitted BOP ring-buffer rather
+than using direct calls to sm_ll_inc().
+
+Signed-off-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/persistent-data/dm-space-map-metadata.c |   32 ++++++++++++++-------
+ 1 file changed, 22 insertions(+), 10 deletions(-)
+
+--- a/drivers/md/persistent-data/dm-space-map-metadata.c
++++ b/drivers/md/persistent-data/dm-space-map-metadata.c
+@@ -136,7 +136,7 @@ static int brb_push(struct bop_ring_buff
+       return 0;
+ }
+-static int brb_pop(struct bop_ring_buffer *brb, struct block_op *result)
++static int brb_peek(struct bop_ring_buffer *brb, struct block_op *result)
+ {
+       struct block_op *bop;
+@@ -147,6 +147,17 @@ static int brb_pop(struct bop_ring_buffe
+       result->type = bop->type;
+       result->block = bop->block;
++      return 0;
++}
++
++static int brb_pop(struct bop_ring_buffer *brb)
++{
++      struct block_op *bop;
++
++      if (brb_empty(brb))
++              return -ENODATA;
++
++      bop = brb->bops + brb->begin;
+       brb->begin = brb_next(brb, brb->begin);
+       return 0;
+@@ -211,7 +222,7 @@ static int apply_bops(struct sm_metadata
+       while (!brb_empty(&smm->uncommitted)) {
+               struct block_op bop;
+-              r = brb_pop(&smm->uncommitted, &bop);
++              r = brb_peek(&smm->uncommitted, &bop);
+               if (r) {
+                       DMERR("bug in bop ring buffer");
+                       break;
+@@ -220,6 +231,8 @@ static int apply_bops(struct sm_metadata
+               r = commit_bop(smm, &bop);
+               if (r)
+                       break;
++
++              brb_pop(&smm->uncommitted);
+       }
+       return r;
+@@ -681,7 +694,6 @@ static struct dm_space_map bootstrap_ops
+ static int sm_metadata_extend(struct dm_space_map *sm, dm_block_t extra_blocks)
+ {
+       int r, i;
+-      enum allocation_event ev;
+       struct sm_metadata *smm = container_of(sm, struct sm_metadata, sm);
+       dm_block_t old_len = smm->ll.nr_blocks;
+@@ -703,11 +715,12 @@ static int sm_metadata_extend(struct dm_
+        * allocate any new blocks.
+        */
+       do {
+-              for (i = old_len; !r && i < smm->begin; i++) {
+-                      r = sm_ll_inc(&smm->ll, i, &ev);
+-                      if (r)
+-                              goto out;
+-              }
++              for (i = old_len; !r && i < smm->begin; i++)
++                      r = add_bop(smm, BOP_INC, i);
++
++              if (r)
++                      goto out;
++
+               old_len = smm->begin;
+               r = apply_bops(smm);
+@@ -752,7 +765,6 @@ int dm_sm_metadata_create(struct dm_spac
+ {
+       int r;
+       dm_block_t i;
+-      enum allocation_event ev;
+       struct sm_metadata *smm = container_of(sm, struct sm_metadata, sm);
+       smm->begin = superblock + 1;
+@@ -780,7 +792,7 @@ int dm_sm_metadata_create(struct dm_spac
+        * allocated blocks that they were built from.
+        */
+       for (i = superblock; !r && i < smm->begin; i++)
+-              r = sm_ll_inc(&smm->ll, i, &ev);
++              r = add_bop(smm, BOP_INC, i);
+       if (r)
+               return r;
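Review bot: In the new brb_pop(), `bop` is declared and assigned (`bop = brb->bops + brb->begin;`) but never read; only `brb->begin` is advanced, so the declaration and the assignment can both go. In apply_bops() the result of `brb_pop(&smm->uncommitted);` is discarded even though brb_pop() can return -ENODATA. The commit message says this path may recurse, so checking it with `r = brb_pop(&smm->uncommitted);` followed by `if (r) break;` would keep a ring-buffer inconsistency from being silently ignored. The bodies of apply_bops() and sm_metadata_extend() continue outside the hunks shown.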
diff --git a/queue-3.14/irqchip-versatile-fpga-fix-pci-irq-mapping-on-versatile-pb.patch b/queue-3.14/irqchip-versatile-fpga-fix-pci-irq-mapping-on-versatile-pb.patch
new file mode 100644 (file)
index 0000000..e6dc7b0
--- /dev/null
@@ -0,0 +1,38 @@
+From d5d4fdd86f5759924fe54efa793e22eccf508db6 Mon Sep 17 00:00:00 2001
+From: Guillaume Delbergue <guillaume.delbergue@greensocs.com>
+Date: Tue, 1 Dec 2015 18:55:51 +0100
+Subject: irqchip/versatile-fpga: Fix PCI IRQ mapping on Versatile PB
+
+From: Guillaume Delbergue <guillaume.delbergue@greensocs.com>
+
+commit d5d4fdd86f5759924fe54efa793e22eccf508db6 upstream.
+
+This patch is specifically for PCI support on the Versatile PB board using
+a DT. Currently, the dynamic IRQ mapping is broken when using DTs. For
+example, on QEMU, the SCSI driver is unable to request the IRQ. To fix
+this issue, this patch replaces the current dynamic mechanism with a
+static value as is done in the non-DT case.
+
+Signed-off-by: Guillaume Delbergue <guillaume.delbergue@greensocs.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-versatile-fpga.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/irqchip/irq-versatile-fpga.c
++++ b/drivers/irqchip/irq-versatile-fpga.c
+@@ -204,7 +204,12 @@ int __init fpga_irq_of_init(struct devic
+       if (!parent_irq)
+               parent_irq = -1;
++#ifdef CONFIG_ARCH_VERSATILE
++      fpga_irq_init(base, node->name, IRQ_SIC_START, parent_irq, valid_mask,
++                                node);
++#else
+       fpga_irq_init(base, node->name, 0, parent_irq, valid_mask, node);
++#endif
+       writel(clear_mask, base + IRQ_ENABLE_CLEAR);
+       writel(clear_mask, base + FIQ_ENABLE_CLEAR);
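Review bot: The `#ifdef CONFIG_ARCH_VERSATILE` branch passes `IRQ_SIC_START` for every node that reaches fpga_irq_of_init() on such a build, not only for the controller that serves PCI, as far as this hunk shows. If more than one FPGA interrupt controller is initialised through this function, they would all receive the same static base. A comment above the `#ifdef` should state which controller the fixed base is meant for and that it mirrors the non-DT setup described in the commit message. The function starts and ends outside the hunk.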
diff --git a/queue-3.14/mac80211-mesh-fix-call_rcu-usage.patch b/queue-3.14/mac80211-mesh-fix-call_rcu-usage.patch
new file mode 100644 (file)
index 0000000..6f700d0
--- /dev/null
@@ -0,0 +1,67 @@
+From c2e703a55245bfff3db53b1f7cbe59f1ee8a4339 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 17 Nov 2015 14:25:21 +0100
+Subject: mac80211: mesh: fix call_rcu() usage
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit c2e703a55245bfff3db53b1f7cbe59f1ee8a4339 upstream.
+
+When using call_rcu(), the called function may be delayed quite
+significantly, and without a matching rcu_barrier() there's no
+way to be sure it has finished.
+Therefore, global state that could be gone/freed/reused should
+never be touched in the callback.
+
+Fix this in mesh by moving the atomic_dec() into the caller;
+that's not really a problem since we already unlinked the path
+and it will be destroyed anyway.
+
+This fixes a crash Jouni observed when running certain tests in
+a certain order, in which the mesh interface was torn down, the
+memory reused for a function pointer (work struct) and running
+that then crashed since the pointer had been decremented by 1,
+resulting in an invalid instruction byte stream.
+
+Fixes: eb2b9311fd00 ("mac80211: mesh path table implementation")
+Reported-by: Jouni Malinen <j@w1.fi>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mesh_pathtbl.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -746,10 +746,8 @@ void mesh_plink_broken(struct sta_info *
+ static void mesh_path_node_reclaim(struct rcu_head *rp)
+ {
+       struct mpath_node *node = container_of(rp, struct mpath_node, rcu);
+-      struct ieee80211_sub_if_data *sdata = node->mpath->sdata;
+       del_timer_sync(&node->mpath->timer);
+-      atomic_dec(&sdata->u.mesh.mpaths);
+       kfree(node->mpath);
+       kfree(node);
+ }
+@@ -757,8 +755,9 @@ static void mesh_path_node_reclaim(struc
+ /* needs to be called with the corresponding hashwlock taken */
+ static void __mesh_path_del(struct mesh_table *tbl, struct mpath_node *node)
+ {
+-      struct mesh_path *mpath;
+-      mpath = node->mpath;
++      struct mesh_path *mpath = node->mpath;
++      struct ieee80211_sub_if_data *sdata = node->mpath->sdata;
++
+       spin_lock(&mpath->state_lock);
+       mpath->flags |= MESH_PATH_RESOLVING;
+       if (mpath->is_gate)
+@@ -766,6 +765,7 @@ static void __mesh_path_del(struct mesh_
+       hlist_del_rcu(&node->list);
+       call_rcu(&node->rcu, mesh_path_node_reclaim);
+       spin_unlock(&mpath->state_lock);
++      atomic_dec(&sdata->u.mesh.mpaths);
+       atomic_dec(&tbl->entries);
+ }
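Review bot: Style point in __mesh_path_del(): `sdata` is initialised from `node->mpath->sdata` on the line right after `mpath` was set to `node->mpath`, so `struct ieee80211_sub_if_data *sdata = mpath->sdata;` reads more directly. A one-line comment next to the moved `atomic_dec(&sdata->u.mesh.mpaths);` would also help, for example `/* must not be done in the RCU callback: sdata may already be freed or reused by then */`. That keeps a later cleanup from moving the decrement back into mesh_path_node_reclaim().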
diff --git a/queue-3.14/powercap-rapl-fix-bios-lock-check.patch b/queue-3.14/powercap-rapl-fix-bios-lock-check.patch
new file mode 100644 (file)
index 0000000..c311818
--- /dev/null
@@ -0,0 +1,48 @@
+From 79a21dbfae3cd40d5a801778071a9967b79c2c20 Mon Sep 17 00:00:00 2001
+From: Prarit Bhargava <prarit@redhat.com>
+Date: Wed, 9 Dec 2015 08:31:12 -0500
+Subject: powercap / RAPL: fix BIOS lock check
+
+From: Prarit Bhargava <prarit@redhat.com>
+
+commit 79a21dbfae3cd40d5a801778071a9967b79c2c20 upstream.
+
+Intel RAPL initialized on several systems where the BIOS lock bit (msr
+0x610, bit 63) was set.  This occured because the return value of
+rapl_read_data_raw() was being checked, rather than the value of the variable
+passed in, locked.
+
+This patch properly implments the rapl_read_data_raw() call to check the
+variable locked, and now the Intel RAPL driver outputs the warning:
+
+       intel_rapl: RAPL package 0 domain package locked by BIOS
+
+and does not initialize for the package.
+
+Signed-off-by: Prarit Bhargava <prarit@redhat.com>
+Acked-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/powercap/intel_rapl.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/powercap/intel_rapl.c
++++ b/drivers/powercap/intel_rapl.c
+@@ -1194,10 +1194,13 @@ static int rapl_detect_domains(struct ra
+       for (rd = rp->domains; rd < rp->domains + rp->nr_domains; rd++) {
+               /* check if the domain is locked by BIOS */
+-              if (rapl_read_data_raw(rd, FW_LOCK, false, &locked)) {
++              ret = rapl_read_data_raw(rd, FW_LOCK, false, &locked);
++              if (ret)
++                      return ret;
++              if (locked) {
+                       pr_info("RAPL package %d domain %s locked by BIOS\n",
+                               rp->id, rd->name);
+-                              rd->state |= DOMAIN_STATE_BIOS_LOCKED;
++                      rd->state |= DOMAIN_STATE_BIOS_LOCKED;
+               }
+       }
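Review bot: The new `if (ret) return ret;` leaves rapl_detect_domains() from inside the loop over `rp->domains`, so one failed FW_LOCK read now aborts detection for the whole package; the old code treated a non-zero return as "locked" and carried on with the next domain. Whether `rp->domains` is released on that early return depends on the caller, which is outside the hunk and should be confirmed. The `if (locked)` test is also only meaningful if `locked` is written on every successful rapl_read_data_raw() call; its declaration and initial value are not visible here.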
diff --git a/queue-3.14/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch b/queue-3.14/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
new file mode 100644 (file)
index 0000000..2bf9264
--- /dev/null
@@ -0,0 +1,71 @@
+From 8c7188b23474cca017b3ef354c4a58456f68303a Mon Sep 17 00:00:00 2001
+From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Date: Tue, 24 Nov 2015 17:13:21 -0500
+Subject: RDS: fix race condition when sending a message on unbound socket
+
+From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+
+commit 8c7188b23474cca017b3ef354c4a58456f68303a upstream.
+
+Sasha's found a NULL pointer dereference in the RDS connection code when
+sending a message to an apparently unbound socket.  The problem is caused
+by the code checking if the socket is bound in rds_sendmsg(), which checks
+the rs_bound_addr field without taking a lock on the socket.  This opens a
+race where rs_bound_addr is temporarily set but where the transport is not
+in rds_bind(), leading to a NULL pointer dereference when trying to
+dereference 'trans' in __rds_conn_create().
+
+Vegard wrote a reproducer for this issue, so kindly ask him to share if
+you're interested.
+
+I cannot reproduce the NULL pointer dereference using Vegard's reproducer
+with this patch, whereas I could without.
+
+Complete earlier incomplete fix to CVE-2015-6937:
+
+  74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")
+
+Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
+Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rds/connection.c |    6 ------
+ net/rds/send.c       |    4 +++-
+ 2 files changed, 3 insertions(+), 7 deletions(-)
+
+--- a/net/rds/connection.c
++++ b/net/rds/connection.c
+@@ -189,12 +189,6 @@ static struct rds_connection *__rds_conn
+               goto out;
+       }
+-      if (trans == NULL) {
+-              kmem_cache_free(rds_conn_slab, conn);
+-              conn = ERR_PTR(-ENODEV);
+-              goto out;
+-      }
+-
+       conn->c_trans = trans;
+       ret = trans->conn_alloc(conn, gfp);
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -955,11 +955,13 @@ int rds_sendmsg(struct kiocb *iocb, stru
+               release_sock(sk);
+       }
+-      /* racing with another thread binding seems ok here */
++      lock_sock(sk);
+       if (daddr == 0 || rs->rs_bound_addr == 0) {
++              release_sock(sk);
+               ret = -ENOTCONN; /* XXX not a great errno */
+               goto out;
+       }
++      release_sock(sk);
+       /* size of rm including all sgs */
+       ret = rds_rm_size(msg, payload_len);
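Review bot: With the `trans == NULL` branch removed, `trans->conn_alloc(conn, gfp)` in __rds_conn_create() is reached with no guard, so the function is safe only if every caller guarantees a transport. The hunk adds that guarantee for rds_sendmsg() alone and other callers are not visible on this page. Unless they are all covered, keeping the removed branch (free `conn`, return `ERR_PTR(-ENODEV)`) costs nothing and retains the earlier CVE-2015-6937 check as defence in depth. In rds_sendmsg() the socket lock is dropped again right after the `rs_bound_addr` test, so the replaced comment should be succeeded by one that states the invariant relied on, presumably that rds_bind() sets the bound address and the transport under the same lock.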
diff --git a/queue-3.14/rfkill-copy-the-name-into-the-rfkill-struct.patch b/queue-3.14/rfkill-copy-the-name-into-the-rfkill-struct.patch
new file mode 100644 (file)
index 0000000..1e9a097
--- /dev/null
@@ -0,0 +1,59 @@
+From b7bb110008607a915298bf0f47d25886ecb94477 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 10 Dec 2015 10:37:51 +0100
+Subject: rfkill: copy the name into the rfkill struct
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit b7bb110008607a915298bf0f47d25886ecb94477 upstream.
+
+Some users of rfkill, like NFC and cfg80211, use a dynamic name when
+allocating rfkill, in those cases dev_name(). Therefore, the pointer
+passed to rfkill_alloc() might not be valid forever, I specifically
+found the case that the rfkill name was quite obviously an invalid
+pointer (or at least garbage) when the wiphy had been renamed.
+
+Fix this by making a copy of the rfkill name in rfkill_alloc().
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rfkill/core.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/rfkill/core.c
++++ b/net/rfkill/core.c
+@@ -49,7 +49,6 @@
+ struct rfkill {
+       spinlock_t              lock;
+-      const char              *name;
+       enum rfkill_type        type;
+       unsigned long           state;
+@@ -73,6 +72,7 @@ struct rfkill {
+       struct delayed_work     poll_work;
+       struct work_struct      uevent_work;
+       struct work_struct      sync_work;
++      char                    name[];
+ };
+ #define to_rfkill(d)  container_of(d, struct rfkill, dev)
+@@ -861,14 +861,14 @@ struct rfkill * __must_check rfkill_allo
+       if (WARN_ON(type == RFKILL_TYPE_ALL || type >= NUM_RFKILL_TYPES))
+               return NULL;
+-      rfkill = kzalloc(sizeof(*rfkill), GFP_KERNEL);
++      rfkill = kzalloc(sizeof(*rfkill) + strlen(name) + 1, GFP_KERNEL);
+       if (!rfkill)
+               return NULL;
+       spin_lock_init(&rfkill->lock);
+       INIT_LIST_HEAD(&rfkill->node);
+       rfkill->type = type;
+-      rfkill->name = name;
++      strcpy(rfkill->name, name);
+       rfkill->ops = ops;
+       rfkill->data = ops_data;
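Review bot: rfkill_alloc() now walks `name` twice, once in `strlen(name)` for the allocation size and again in `strcpy(rfkill->name, name)`, and the commit message says callers pass dynamic names such as dev_name(). If the string can change between the two reads, the copy is no longer bounded by what was allocated. Taking the length once, `size_t len = strlen(name) + 1;`, and copying with `strlcpy(rfkill->name, name, len);` ties the copy to the allocation and keeps it terminated. Any NULL check on `name` would sit above the visible part of the function; the new `strlen()` makes that check mandatory.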
diff --git a/queue-3.14/sata_sil-disable-trim.patch b/queue-3.14/sata_sil-disable-trim.patch
new file mode 100644 (file)
index 0000000..d320819
--- /dev/null
@@ -0,0 +1,51 @@
+From d98f1cd0a3b70ea91f1dfda3ac36c3b2e1a4d5e2 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Thu, 26 Nov 2015 12:00:59 -0500
+Subject: sata_sil: disable trim
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit d98f1cd0a3b70ea91f1dfda3ac36c3b2e1a4d5e2 upstream.
+
+When I connect an Intel SSD to SATA SIL controller (PCI ID 1095:3114), any
+TRIM command results in I/O errors being reported in the log. There is
+other similar error reported with TRIM and the SIL controller:
+https://bugs.centos.org/view.php?id=5880
+
+Apparently the controller doesn't support TRIM commands. This patch
+disables TRIM support on the SATA SIL controller.
+
+ata7.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
+ata7.00: BMDMA2 stat 0x50001
+ata7.00: failed command: DATA SET MANAGEMENT
+ata7.00: cmd 06/01:01:00:00:00/00:00:00:00:00/a0 tag 0 dma 512 out
+         res 51/04:01:00:00:00/00:00:00:00:00/a0 Emask 0x1 (device error)
+ata7.00: status: { DRDY ERR }
+ata7.00: error: { ABRT }
+ata7.00: device reported invalid CHS sector 0
+sd 8:0:0:0: [sdb] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
+sd 8:0:0:0: [sdb] tag#0 Sense Key : Illegal Request [current] [descriptor]
+sd 8:0:0:0: [sdb] tag#0 Add. Sense: Unaligned write command
+sd 8:0:0:0: [sdb] tag#0 CDB: Write same(16) 93 08 00 00 00 00 00 21 95 88 00 20 00 00 00 00
+blk_update_request: I/O error, dev sdb, sector 2200968
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/sata_sil.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/ata/sata_sil.c
++++ b/drivers/ata/sata_sil.c
+@@ -631,6 +631,9 @@ static void sil_dev_config(struct ata_de
+       unsigned int n, quirks = 0;
+       unsigned char model_num[ATA_ID_PROD_LEN + 1];
++      /* This controller doesn't support trim */
++      dev->horkage |= ATA_HORKAGE_NOTRIM;
++
+       ata_id_c_string(dev->id, model_num, ATA_ID_PROD, sizeof(model_num));
+       for (n = 0; sil_blacklist[n].product; n++)
diff --git a/queue-3.14/sched-core-clear-the-root_domain-cpumasks-in-init_rootdomain.patch b/queue-3.14/sched-core-clear-the-root_domain-cpumasks-in-init_rootdomain.patch
new file mode 100644 (file)
index 0000000..7a95a68
--- /dev/null
@@ -0,0 +1,60 @@
+From 8295c69925ad53ec32ca54ac9fc194ff21bc40e2 Mon Sep 17 00:00:00 2001
+From: Xunlei Pang <xlpang@redhat.com>
+Date: Wed, 2 Dec 2015 19:52:59 +0800
+Subject: sched/core: Clear the root_domain cpumasks in init_rootdomain()
+
+From: Xunlei Pang <xlpang@redhat.com>
+
+commit 8295c69925ad53ec32ca54ac9fc194ff21bc40e2 upstream.
+
+root_domain::rto_mask allocated through alloc_cpumask_var()
+contains garbage data, this may cause problems. For instance,
+When doing pull_rt_task(), it may do useless iterations if
+rto_mask retains some extra garbage bits. Worse still, this
+violates the isolated domain rule for clustered scheduling
+using cpuset, because the tasks(with all the cpus allowed)
+belongs to one root domain can be pulled away into another
+root domain.
+
+The patch cleans the garbage by using zalloc_cpumask_var()
+instead of alloc_cpumask_var() for root_domain::rto_mask
+allocation, thereby addressing the issues.
+
+Do the same thing for root_domain's other cpumask memembers:
+dlo_mask, span, and online.
+
+Signed-off-by: Xunlei Pang <xlpang@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/1449057179-29321-1-git-send-email-xlpang@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/core.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -5420,13 +5420,13 @@ static int init_rootdomain(struct root_d
+ {
+       memset(rd, 0, sizeof(*rd));
+-      if (!alloc_cpumask_var(&rd->span, GFP_KERNEL))
++      if (!zalloc_cpumask_var(&rd->span, GFP_KERNEL))
+               goto out;
+-      if (!alloc_cpumask_var(&rd->online, GFP_KERNEL))
++      if (!zalloc_cpumask_var(&rd->online, GFP_KERNEL))
+               goto free_span;
+-      if (!alloc_cpumask_var(&rd->dlo_mask, GFP_KERNEL))
++      if (!zalloc_cpumask_var(&rd->dlo_mask, GFP_KERNEL))
+               goto free_online;
+-      if (!alloc_cpumask_var(&rd->rto_mask, GFP_KERNEL))
++      if (!zalloc_cpumask_var(&rd->rto_mask, GFP_KERNEL))
+               goto free_dlo_mask;
+       init_dl_bw(&rd->dl_bw);
diff --git a/queue-3.14/sched-core-remove-false-positive-warning-from-wake_up_process.patch b/queue-3.14/sched-core-remove-false-positive-warning-from-wake_up_process.patch
new file mode 100644 (file)
index 0000000..7ca11ae
--- /dev/null
@@ -0,0 +1,39 @@
+From 119d6f6a3be8b424b200dcee56e74484d5445f7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sasha.levin@oracle.com>
+Date: Mon, 30 Nov 2015 20:34:20 -0500
+Subject: sched/core: Remove false-positive warning from wake_up_process()
+
+From: Sasha Levin <sasha.levin@oracle.com>
+
+commit 119d6f6a3be8b424b200dcee56e74484d5445f7e upstream.
+
+Because wakeups can (fundamentally) be late, a task might not be in
+the expected state. Therefore testing against a task's state is racy,
+and can yield false positives.
+
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: oleg@redhat.com
+Fixes: 9067ac85d533 ("wake_up_process() should be never used to wakeup a TASK_STOPPED/TRACED task")
+Link: http://lkml.kernel.org/r/1448933660-23082-1-git-send-email-sasha.levin@oracle.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/core.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -1696,7 +1696,6 @@ out:
+  */
+ int wake_up_process(struct task_struct *p)
+ {
+-      WARN_ON(task_is_stopped_or_traced(p));
+       return try_to_wake_up(p, TASK_NORMAL, 0);
+ }
+ EXPORT_SYMBOL(wake_up_process);
diff --git a/queue-3.14/scripts-recordmcount-break-hardlinks.patch b/queue-3.14/scripts-recordmcount-break-hardlinks.patch
new file mode 100644 (file)
index 0000000..3171006
--- /dev/null
@@ -0,0 +1,46 @@
+From dd39a26538e37f6c6131e829a4a510787e43c783 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@arm.linux.org.uk>
+Date: Fri, 11 Dec 2015 12:09:03 +0000
+Subject: scripts: recordmcount: break hardlinks
+
+From: Russell King <rmk+kernel@arm.linux.org.uk>
+
+commit dd39a26538e37f6c6131e829a4a510787e43c783 upstream.
+
+recordmcount edits the file in-place, which can cause problems when
+using ccache in hardlink mode.  Arrange for recordmcount to break a
+hardlinked object.
+
+Link: http://lkml.kernel.org/r/E1a7MVT-0000et-62@rmk-PC.arm.linux.org.uk
+
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/recordmcount.c |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/scripts/recordmcount.c
++++ b/scripts/recordmcount.c
+@@ -189,6 +189,20 @@ static void *mmap_file(char const *fname
+               addr = umalloc(sb.st_size);
+               uread(fd_map, addr, sb.st_size);
+       }
++      if (sb.st_nlink != 1) {
++              /* file is hard-linked, break the hard link */
++              close(fd_map);
++              if (unlink(fname) < 0) {
++                      perror(fname);
++                      fail_file();
++              }
++              fd_map = open(fname, O_RDWR | O_CREAT, sb.st_mode);
++              if (fd_map < 0) {
++                      perror(fname);
++                      fail_file();
++              }
++              uwrite(fd_map, addr, sb.st_size);
++      }
+       return addr;
+ }
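Review bot: The re-create step in mmap_file() opens the path with `O_RDWR | O_CREAT` only, so if anything appears at `fname` between `unlink()` and `open()` the data is written into that object, not a fresh file. `fd_map = open(fname, O_RDWR | O_CREAT | O_EXCL, sb.st_mode);` makes the open fail in that case. Once `unlink()` has succeeded, a failing `open()` or `uwrite()` also leaves the build tree with no object file at all; writing to a temporary name in the same directory and then calling `rename()` over `fname` would close that gap. The return value of `close(fd_map)` is ignored, and the function starts outside the hunk.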
index f18b7ee90e55248150762bae11bed28d4e181adc..51a0ddf8852760fdb2db68209f777c86f176ea19 100644 (file)
@@ -67,3 +67,18 @@ target-fix-race-for-scf_compare_and_write_post-checking.patch
 target-fix-compare_and_write-non-zero-sgl-offset-data-corruption.patch
 ring-buffer-update-read-stamp-with-first-real-commit-on-page.patch
 virtio-fix-memory-leak-of-virtio-ida-cache-layers.patch
+mac80211-mesh-fix-call_rcu-usage.patch
+rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
+can-sja1000-clear-interrupts-on-start.patch
+sched-core-clear-the-root_domain-cpumasks-in-init_rootdomain.patch
+sched-core-remove-false-positive-warning-from-wake_up_process.patch
+sata_sil-disable-trim.patch
+dm-space-map-metadata-fix-ref-counting-bug-when-bootstrapping-a-new-space-map.patch
+dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch
+irqchip-versatile-fpga-fix-pci-irq-mapping-on-versatile-pb.patch
+vgaarb-fix-signal-handling-in-vga_get.patch
+rfkill-copy-the-name-into-the-rfkill-struct.patch
+ses-fix-problems-with-simple-enclosures.patch
+ses-fix-additional-element-traversal-bug.patch
+powercap-rapl-fix-bios-lock-check.patch
+scripts-recordmcount-break-hardlinks.patch
diff --git a/queue-3.14/ses-fix-additional-element-traversal-bug.patch b/queue-3.14/ses-fix-additional-element-traversal-bug.patch
new file mode 100644 (file)
index 0000000..f91861d
--- /dev/null
@@ -0,0 +1,61 @@
+From 5e1033561da1152c57b97ee84371dba2b3d64c25 Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Fri, 11 Dec 2015 09:16:38 -0800
+Subject: ses: fix additional element traversal bug
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+commit 5e1033561da1152c57b97ee84371dba2b3d64c25 upstream.
+
+KASAN found that our additional element processing scripts drop off
+the end of the VPD page into unallocated space.  The reason is that
+not every element has additional information but our traversal
+routines think they do, leading to them expecting far more additional
+information than is present.  Fix this by adding a gate to the
+traversal routine so that it only processes elements that are expected
+to have additional information (list is in SES-2 section 6.1.13.1:
+Additional Element Status diagnostic page overview)
+
+Reported-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Tested-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ses.c        |   10 +++++++++-
+ include/linux/enclosure.h |    4 ++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -454,7 +454,15 @@ static void ses_enclosure_data_process(s
+                       if (desc_ptr)
+                               desc_ptr += len;
+-                      if (addl_desc_ptr)
++                      if (addl_desc_ptr &&
++                          /* only find additional descriptions for specific devices */
++                          (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||
++                           type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE ||
++                           type_ptr[0] == ENCLOSURE_COMPONENT_SAS_EXPANDER ||
++                           /* these elements are optional */
++                           type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_TARGET_PORT ||
++                           type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT ||
++                           type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS))
+                               addl_desc_ptr += addl_desc_ptr[1] + 2;
+               }
+--- a/include/linux/enclosure.h
++++ b/include/linux/enclosure.h
+@@ -29,7 +29,11 @@
+ /* A few generic types ... taken from ses-2 */
+ enum enclosure_component_type {
+       ENCLOSURE_COMPONENT_DEVICE = 0x01,
++      ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS = 0x07,
++      ENCLOSURE_COMPONENT_SCSI_TARGET_PORT = 0x14,
++      ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT = 0x15,
+       ENCLOSURE_COMPONENT_ARRAY_DEVICE = 0x17,
++      ENCLOSURE_COMPONENT_SAS_EXPANDER = 0x18,
+ };
+ /* ses-2 common element status */
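Review bot: The advance `addl_desc_ptr += addl_desc_ptr[1] + 2;` in the drivers/scsi/ses.c part still takes its step from a length byte supplied by the enclosure, and nothing in the hunk compares the result with the end of the additional-status page. The new type gate stops the walk from consuming descriptors for element types that have none, but a truncated or malformed page could presumably still push the pointer past the buffer, which is the class of out-of-bounds read KASAN reported. I would check against the end of the page before both reading `addl_desc_ptr[1]` and advancing, and stop processing additional descriptors when the check fails. The page pointer and length are held outside this hunk, and ses_enclosure_data_process starts and ends outside it too, so an existing bound elsewhere in the function cannot be ruled out from here.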
diff --git a/queue-3.14/ses-fix-problems-with-simple-enclosures.patch b/queue-3.14/ses-fix-problems-with-simple-enclosures.patch
new file mode 100644 (file)
index 0000000..a5e1c7d
--- /dev/null
@@ -0,0 +1,67 @@
+From 3417c1b5cb1fdc10261dbed42b05cc93166a78fd Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Tue, 8 Dec 2015 09:00:31 -0800
+Subject: ses: Fix problems with simple enclosures
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+commit 3417c1b5cb1fdc10261dbed42b05cc93166a78fd upstream.
+
+Simple enclosure implementations (mostly USB) are allowed to return only
+page 8 to every diagnostic query.  That really confuses our
+implementation because we assume the return is the page we asked for and
+end up doing incorrect offsets based on bogus information leading to
+accesses outside of allocated ranges.  Fix that by checking the page
+code of the return and giving an error if it isn't the one we asked for.
+This should fix reported bugs with USB storage by simply refusing to
+attach to enclosures that behave like this.  It's also good defensive
+practise now that we're starting to see more USB enclosures.
+
+Reported-by: Andrea Gelmini <andrea.gelmini@gelma.net>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Reviewed-by: Tomas Henzl <thenzl@redhat.com>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ses.c |   20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -70,6 +70,7 @@ static int ses_probe(struct device *dev)
+ static int ses_recv_diag(struct scsi_device *sdev, int page_code,
+                        void *buf, int bufflen)
+ {
++      int ret;
+       unsigned char cmd[] = {
+               RECEIVE_DIAGNOSTIC,
+               1,              /* Set PCV bit */
+@@ -78,9 +79,26 @@ static int ses_recv_diag(struct scsi_dev
+               bufflen & 0xff,
+               0
+       };
++      unsigned char recv_page_code;
+-      return scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen,
++      ret =  scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen,
+                               NULL, SES_TIMEOUT, SES_RETRIES, NULL);
++      if (unlikely(!ret))
++              return ret;
++
++      recv_page_code = ((unsigned char *)buf)[0];
++
++      if (likely(recv_page_code == page_code))
++              return ret;
++
++      /* successful diagnostic but wrong page code.  This happens to some
++       * USB devices, just print a message and pretend there was an error */
++
++      sdev_printk(KERN_ERR, sdev,
++                  "Wrong diagnostic page; asked for %d got %u\n",
++                  page_code, recv_page_code);
++
++      return -EINVAL;
+ }
+ static int ses_send_diag(struct scsi_device *sdev, int page_code,
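Review bot: The early return `if (unlikely(!ret)) return ret;` in ses_recv_diag looks inverted. The comment further down describes the fall-through case as "successful diagnostic but wrong page code", so a zero `ret` is evidently success, yet zero is exactly the value that returns before the page code is compared. As written, the new check is skipped for every successful command and runs only after a failure, where `buf[0]` may not have been written by the device and the original error can be replaced by `-EINVAL`. The line should read `if (unlikely(ret)) return ret;`. A short comment on `recv_page_code` saying that it is byte 0 of the returned page, and that `bufflen` is assumed to be at least 1, would also help.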
diff --git a/queue-3.14/vgaarb-fix-signal-handling-in-vga_get.patch b/queue-3.14/vgaarb-fix-signal-handling-in-vga_get.patch
new file mode 100644 (file)
index 0000000..a51dd31
--- /dev/null
@@ -0,0 +1,43 @@
+From 9f5bd30818c42c6c36a51f93b4df75a2ea2bd85e Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill@shutemov.name>
+Date: Mon, 30 Nov 2015 04:17:31 +0200
+Subject: vgaarb: fix signal handling in vga_get()
+
+From: Kirill A. Shutemov <kirill@shutemov.name>
+
+commit 9f5bd30818c42c6c36a51f93b4df75a2ea2bd85e upstream.
+
+There are few defects in vga_get() related to signal hadning:
+
+  - we shouldn't check for pending signals for TASK_UNINTERRUPTIBLE
+    case;
+
+  - if we found pending signal we must remove ourself from wait queue
+    and change task state back to running;
+
+  - -ERESTARTSYS is more appropriate, I guess.
+
+Signed-off-by: Kirill A. Shutemov <kirill@shutemov.name>
+Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/vga/vgaarb.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/vga/vgaarb.c
++++ b/drivers/gpu/vga/vgaarb.c
+@@ -392,8 +392,10 @@ int vga_get(struct pci_dev *pdev, unsign
+               set_current_state(interruptible ?
+                                 TASK_INTERRUPTIBLE :
+                                 TASK_UNINTERRUPTIBLE);
+-              if (signal_pending(current)) {
+-                      rc = -EINTR;
++              if (interruptible && signal_pending(current)) {
++                      __set_current_state(TASK_RUNNING);
++                      remove_wait_queue(&vga_wait_queue, &wait);
++                      rc = -ERESTARTSYS;
+                       break;
+               }
+               schedule();
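Review bot: Returning `-ERESTARTSYS` from the signal branch of vga_get is only correct if every caller passes it back unchanged to the syscall return path. That value is not meant to reach user space directly, and any caller that tested for `-EINTR` would now miss it. The callers are outside this hunk, so this needs checking before the change is relied on. The cleanup pair `__set_current_state(TASK_RUNNING); remove_wait_queue(&vga_wait_queue, &wait);` presumably mirrors what the loop does after `schedule()`, which is also outside the hunk; a one-line comment such as `/* undo add_wait_queue() before leaving the loop */` would make that explicit.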