--- /dev/null
+From f42d79ab67322e51b92dd7aa965e310c71352a64 Mon Sep 17 00:00:00 2001
+From: Junichi Nomura <j-nomura@ce.jp.nec.com>
+Date: Wed, 14 Oct 2015 05:02:15 +0000
+Subject: blk-mq: fix use-after-free in blk_mq_free_tag_set()
+
+From: Junichi Nomura <j-nomura@ce.jp.nec.com>
+
+commit f42d79ab67322e51b92dd7aa965e310c71352a64 upstream.
+
+tags is freed in blk_mq_free_rq_map() and should not be used after that.
+The problem doesn't manifest if CONFIG_CPUMASK_OFFSTACK is false because
+free_cpumask_var() is nop.
+
+tags->cpumask is allocated in blk_mq_init_tags() so it's natural to
+free cpumask in its counter part, blk_mq_free_tags().
+
+Fixes: f26cdc8536ad ("blk-mq: Shared tag enhancements")
+Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
+Cc: Keith Busch <keith.busch@intel.com>
+Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-mq-tag.c | 1 +
+ block/blk-mq.c | 4 +---
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+--- a/block/blk-mq-tag.c
++++ b/block/blk-mq-tag.c
+@@ -628,6 +628,7 @@ void blk_mq_free_tags(struct blk_mq_tags
+ {
+ bt_free(&tags->bitmap_tags);
+ bt_free(&tags->breserved_tags);
++ free_cpumask_var(tags->cpumask);
+ kfree(tags);
+ }
+
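Review bot: The added `free_cpumask_var(tags->cpumask)` makes blk_mq_free_tags() the single owner of the mask, but nothing in the code records that, and the use-after-free being fixed came from that ownership being split across two files. A one-line comment above the call, `/* cpumask is allocated in blk_mq_init_tags(); release it here, before tags itself */`, would keep a later caller from touching it again after blk_mq_free_rq_map(). Any path that releases a tags object with a bare kfree() instead of this function would now leak the mask. None is visible in this diff, so the allocator's error paths should be checked.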
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -2263,10 +2263,8 @@ void blk_mq_free_tag_set(struct blk_mq_t
+ int i;
+
+ for (i = 0; i < set->nr_hw_queues; i++) {
+- if (set->tags[i]) {
++ if (set->tags[i])
+ blk_mq_free_rq_map(set, set->tags[i], i);
+- free_cpumask_var(set->tags[i]->cpumask);
+- }
+ }
+
+ kfree(set->tags);
--- /dev/null
+From 0f89abf56abbd0e1c6e3cef9813e6d9f05383c1e Mon Sep 17 00:00:00 2001
+From: Christian Engelmayer <cengelma@gmx.at>
+Date: Wed, 21 Oct 2015 00:50:06 +0200
+Subject: btrfs: fix possible leak in btrfs_ioctl_balance()
+
+From: Christian Engelmayer <cengelma@gmx.at>
+
+commit 0f89abf56abbd0e1c6e3cef9813e6d9f05383c1e upstream.
+
+Commit 8eb934591f8b ("btrfs: check unsupported filters in balance
+arguments") adds a jump to exit label out_bargs in case the argument
+check fails. At this point in addition to the bargs memory, the
+memory for struct btrfs_balance_control has already been allocated.
+Ownership of bctl is passed to btrfs_balance() in the good case,
+thus the memory is not freed due to the introduced jump. Make sure
+that the memory gets freed in any case as necessary. Detected by
+Coverity CID 1328378.
+
+Signed-off-by: Christian Engelmayer <cengelma@gmx.at>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/ioctl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -4649,7 +4649,7 @@ locked:
+
+ if (bctl->flags & ~(BTRFS_BALANCE_ARGS_MASK | BTRFS_BALANCE_TYPE_MASK)) {
+ ret = -EINVAL;
+- goto out_bargs;
++ goto out_bctl;
+ }
+
+ do_balance:
+@@ -4663,12 +4663,15 @@ do_balance:
+ need_unlock = false;
+
+ ret = btrfs_balance(bctl, bargs);
++ bctl = NULL;
+
+ if (arg) {
+ if (copy_to_user(arg, bargs, sizeof(*bargs)))
+ ret = -EFAULT;
+ }
+
++out_bctl:
++ kfree(bctl);
+ out_bargs:
+ kfree(bargs);
+ out_unlock:
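Review bot: `bctl = NULL;` after the btrfs_balance() call is the only thing that keeps the new `kfree(bctl)` at out_bctl from freeing memory the callee already owns, yet it carries no comment and is easy to drop in a later cleanup. I would add `/* btrfs_balance() owns bctl from here on, whatever it returns */` above it. The assignment is unconditional, so the fix assumes btrfs_balance() releases bctl on every return path, including errors; that function is outside this diff and the assumption should be confirmed there. The ioctl body starts and ends outside both hunks.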
--- /dev/null
+From 8e601a9f97a00bab031980de34f9a81891c1f82f Mon Sep 17 00:00:00 2001
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Date: Thu, 15 Oct 2015 12:34:21 -0700
+Subject: cpufreq: intel_pstate: Fix divide by zero on Knights Landing (KNL)
+
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+
+commit 8e601a9f97a00bab031980de34f9a81891c1f82f upstream.
+
+This is a workaround for KNL platform, where in some cases MPERF counter
+will not have updated value before next read of MSR_IA32_MPERF. In this
+case divide by zero will occur. This change ignores current sample for
+busy calculation in this case.
+
+Fixes: b34ef932d79a (intel_pstate: Knights Landing support)
+Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Acked-by: Kristen Carlson Accardi <kristen@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/intel_pstate.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -766,6 +766,11 @@ static inline void intel_pstate_sample(s
+ local_irq_save(flags);
+ rdmsrl(MSR_IA32_APERF, aperf);
+ rdmsrl(MSR_IA32_MPERF, mperf);
++ if (cpu->prev_mperf == mperf) {
++ local_irq_restore(flags);
++ return;
++ }
++
+ tsc = native_read_tsc();
+ local_irq_restore(flags);
+
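Review bot: The new early return at `if (cpu->prev_mperf == mperf)` exits before any of the bookkeeping that follows in intel_pstate_sample(), so whatever the caller computes next is presumably based on the previous sample. The callers are outside the hunk and should be checked for tolerating a skipped sample. The check also has no comment, and without the commit text it reads as an arbitrary bail-out. I would add `/* MPERF did not advance since the last read (seen on KNL): skip this sample, the busy calculation divides by the MPERF delta */` above it. The function begins and ends outside the hunk.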
--- /dev/null
+From 3fc89adb9fa4beff31374a4bf50b3d099d88ae83 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Mon, 19 Oct 2015 18:23:57 +0800
+Subject: crypto: api - Only abort operations on fatal signal
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 3fc89adb9fa4beff31374a4bf50b3d099d88ae83 upstream.
+
+Currently a number of Crypto API operations may fail when a signal
+occurs. This causes nasty problems as the caller of those operations
+are often not in a good position to restart the operation.
+
+In fact there is currently no need for those operations to be
+interrupted by user signals at all. All we need is for them to
+be killable.
+
+This patch replaces the relevant calls of signal_pending with
+fatal_signal_pending, and wait_for_completion_interruptible with
+wait_for_completion_killable, respectively.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/ablkcipher.c | 2 +-
+ crypto/algapi.c | 2 +-
+ crypto/api.c | 6 +++---
+ crypto/crypto_user.c | 2 +-
+ 4 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/crypto/ablkcipher.c
++++ b/crypto/ablkcipher.c
+@@ -706,7 +706,7 @@ struct crypto_ablkcipher *crypto_alloc_a
+ err:
+ if (err != -EAGAIN)
+ break;
+- if (signal_pending(current)) {
++ if (fatal_signal_pending(current)) {
+ err = -EINTR;
+ break;
+ }
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -335,7 +335,7 @@ static void crypto_wait_for_test(struct
+ crypto_alg_tested(larval->alg.cra_driver_name, 0);
+ }
+
+- err = wait_for_completion_interruptible(&larval->completion);
++ err = wait_for_completion_killable(&larval->completion);
+ WARN_ON(err);
+
+ out:
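Review bot: In crypto_wait_for_test(), `WARN_ON(err)` directly follows the new `wait_for_completion_killable()` call, so a task that is killed while waiting still produces a kernel warning and backtrace. A fatal signal is an expected outcome of a killable wait rather than a kernel bug, and on systems running with panic_on_warn the warning itself becomes an outage. Consider `WARN_ON(err && err != -ERESTARTSYS);` or dropping the warning for the killed case. The function body continues outside the hunk.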
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -172,7 +172,7 @@ static struct crypto_alg *crypto_larval_
+ struct crypto_larval *larval = (void *)alg;
+ long timeout;
+
+- timeout = wait_for_completion_interruptible_timeout(
++ timeout = wait_for_completion_killable_timeout(
+ &larval->completion, 60 * HZ);
+
+ alg = larval->adult;
+@@ -445,7 +445,7 @@ struct crypto_tfm *crypto_alloc_base(con
+ err:
+ if (err != -EAGAIN)
+ break;
+- if (signal_pending(current)) {
++ if (fatal_signal_pending(current)) {
+ err = -EINTR;
+ break;
+ }
+@@ -562,7 +562,7 @@ void *crypto_alloc_tfm(const char *alg_n
+ err:
+ if (err != -EAGAIN)
+ break;
+- if (signal_pending(current)) {
++ if (fatal_signal_pending(current)) {
+ err = -EINTR;
+ break;
+ }
+--- a/crypto/crypto_user.c
++++ b/crypto/crypto_user.c
+@@ -376,7 +376,7 @@ static struct crypto_alg *crypto_user_sk
+ err = PTR_ERR(alg);
+ if (err != -EAGAIN)
+ break;
+- if (signal_pending(current)) {
++ if (fatal_signal_pending(current)) {
+ err = -EINTR;
+ break;
+ }
--- /dev/null
+From 2900ea609616c2651dec65312beeb2a6e536bc50 Mon Sep 17 00:00:00 2001
+From: Seth Jennings <sjenning@redhat.com>
+Date: Wed, 5 Aug 2015 13:16:01 -0500
+Subject: EDAC, sb_edac: Fix TAD presence check for sbridge_mci_bind_devs()
+
+From: Seth Jennings <sjenning@redhat.com>
+
+commit 2900ea609616c2651dec65312beeb2a6e536bc50 upstream.
+
+In commit
+
+ 7d375bffa524 ("sb_edac: Fix support for systems with two home agents per socket")
+
+NUM_CHANNELS was changed to 8 and the channel space was renumerated to
+handle EN, EP, and EX configurations.
+
+The *_mci_bind_devs() functions - except for sbridge_mci_bind_devs() -
+got a new device presence check in the form of saw_chan_mask. However,
+sbridge_mci_bind_devs() still uses the NUM_CHANNELS for loop.
+
+With the increase in NUM_CHANNELS, this loop fails at index 4 since
+SB only has 4 TADs. This results in the following error on SB machines:
+
+ EDAC sbridge: Some needed devices are missing
+ EDAC sbridge: Couldn't find mci handler
+ EDAC sbridge: Couldn't find mci handle
+
+This patch adapts the saw_chan_mask logic for sbridge_mci_bind_devs() as
+well.
+
+After this patch:
+
+ EDAC MC0: Giving out device to module sbridge_edac.c controller Sandy Bridge Socket#0: DEV 0000:3f:0e.0 (POLLED)
+ EDAC MC1: Giving out device to module sbridge_edac.c controller Sandy Bridge Socket#1: DEV 0000:7f:0e.0 (POLLED)
+
+Signed-off-by: Seth Jennings <sjenning@redhat.com>
+Acked-by: Aristeu Rozanski <aris@redhat.com>
+Acked-by: Tony Luck <tony.luck@intel.com>
+Tested-by: Borislav Petkov <bp@suse.de>
+Cc: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/1438798561-10180-1-git-send-email-sjenning@redhat.com
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/sb_edac.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/edac/sb_edac.c
++++ b/drivers/edac/sb_edac.c
+@@ -1648,6 +1648,7 @@ static int sbridge_mci_bind_devs(struct
+ {
+ struct sbridge_pvt *pvt = mci->pvt_info;
+ struct pci_dev *pdev;
++ u8 saw_chan_mask = 0;
+ int i;
+
+ for (i = 0; i < sbridge_dev->n_devs; i++) {
+@@ -1681,6 +1682,7 @@ static int sbridge_mci_bind_devs(struct
+ {
+ int id = pdev->device - PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_TAD0;
+ pvt->pci_tad[id] = pdev;
++ saw_chan_mask |= 1 << id;
+ }
+ break;
+ case PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_DDRIO:
+@@ -1701,10 +1703,8 @@ static int sbridge_mci_bind_devs(struct
+ !pvt-> pci_tad || !pvt->pci_ras || !pvt->pci_ta)
+ goto enodev;
+
+- for (i = 0; i < NUM_CHANNELS; i++) {
+- if (!pvt->pci_tad[i])
+- goto enodev;
+- }
++ if (saw_chan_mask != 0x0f)
++ goto enodev;
+ return 0;
+
+ enodev:
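Review bot: `if (saw_chan_mask != 0x0f)` encodes the number of Sandy Bridge TADs as a bare literal, and `saw_chan_mask |= 1 << id` in the second hunk trusts `id` to be 0..3 with no visible check. The case labels that bound `pdev->device` are outside the hunks; if they cover exactly TAD0..TAD3, both the shift and the `pvt->pci_tad[id]` store are in range, but that should be confirmed. A short comment at the comparison, `/* SB has four TADs (TAD0-TAD3); all must be present */`, or a named constant for the mask, would document the coupling. sbridge_mci_bind_devs() starts and ends outside the hunks.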
--- /dev/null
+From 0ca81a2840f77855bbad1b9f172c545c4dc9e6a4 Mon Sep 17 00:00:00 2001
+From: Doron Tsur <doront@mellanox.com>
+Date: Sun, 11 Oct 2015 15:58:17 +0300
+Subject: IB/cm: Fix rb-tree duplicate free and use-after-free
+
+From: Doron Tsur <doront@mellanox.com>
+
+commit 0ca81a2840f77855bbad1b9f172c545c4dc9e6a4 upstream.
+
+ib_send_cm_sidr_rep could sometimes erase the node from the sidr
+(depending on errors in the process). Since ib_send_cm_sidr_rep is
+called both from cm_sidr_req_handler and cm_destroy_id, cm_id_priv
+could be either erased from the rb_tree twice or not erased at all.
+Fixing that by making sure it's erased only once before freeing
+cm_id_priv.
+
+Fixes: a977049dacde ('[PATCH] IB: Add the kernel CM implementation')
+Signed-off-by: Doron Tsur <doront@mellanox.com>
+Signed-off-by: Matan Barak <matanb@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/cm.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/cm.c
++++ b/drivers/infiniband/core/cm.c
+@@ -873,6 +873,11 @@ retest:
+ case IB_CM_SIDR_REQ_RCVD:
+ spin_unlock_irq(&cm_id_priv->lock);
+ cm_reject_sidr_req(cm_id_priv, IB_SIDR_REJECT);
++ spin_lock_irq(&cm.lock);
++ if (!RB_EMPTY_NODE(&cm_id_priv->sidr_id_node))
++ rb_erase(&cm_id_priv->sidr_id_node,
++ &cm.remote_sidr_table);
++ spin_unlock_irq(&cm.lock);
+ break;
+ case IB_CM_REQ_SENT:
+ case IB_CM_MRA_REQ_RCVD:
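Review bot: The erase added under `case IB_CM_SIDR_REQ_RCVD:` does not call RB_CLEAR_NODE() after rb_erase(), while the matching change in ib_send_cm_sidr_rep() (second hunk) does. RB_EMPTY_NODE() only reports a node as empty once it has been cleared, so a later check on this node would still see it as linked and could erase it a second time. If the object is freed right after this point the omission is harmless, but that code is outside the hunk. I would brace the `if` body and add `RB_CLEAR_NODE(&cm_id_priv->sidr_id_node);` after the erase. The guard also relies on sidr_id_node having been cleared when cm_id_priv was set up, which is not visible here.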
+@@ -3112,7 +3117,10 @@ int ib_send_cm_sidr_rep(struct ib_cm_id
+ spin_unlock_irqrestore(&cm_id_priv->lock, flags);
+
+ spin_lock_irqsave(&cm.lock, flags);
+- rb_erase(&cm_id_priv->sidr_id_node, &cm.remote_sidr_table);
++ if (!RB_EMPTY_NODE(&cm_id_priv->sidr_id_node)) {
++ rb_erase(&cm_id_priv->sidr_id_node, &cm.remote_sidr_table);
++ RB_CLEAR_NODE(&cm_id_priv->sidr_id_node);
++ }
+ spin_unlock_irqrestore(&cm.lock, flags);
+ return 0;
+
--- /dev/null
+From 195562194aad3a0a3915941077f283bcc6347b9b Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 26 Oct 2015 01:50:28 -0700
+Subject: Input: alps - only the Dell Latitude D420/430/620/630 have separate stick button bits
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 195562194aad3a0a3915941077f283bcc6347b9b upstream.
+
+commit 92bac83dd79e ("Input: alps - non interleaved V2 dualpoint has
+separate stick button bits") assumes that all alps v2 non-interleaved
+dual point setups have the separate stick button bits.
+
+Later we limited this to Dell laptops only because of reports that this
+broke things on non Dell laptops. Now it turns out that this breaks things
+on the Dell Latitude D600 too. So it seems that only the Dell Latitude
+D420/430/620/630, which all share the same touchpad / stick combo,
+have these separate bits.
+
+This patch limits the checking of the separate bits to only these models
+fixing regressions with other models.
+
+Reported-and-tested-by: Larry Finger <Larry.Finger@lwfinger.net>
+Tested-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-By: Pali Rohár <pali.rohar@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/alps.c | 48 +++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 42 insertions(+), 6 deletions(-)
+
+--- a/drivers/input/mouse/alps.c
++++ b/drivers/input/mouse/alps.c
+@@ -100,7 +100,7 @@ static const struct alps_nibble_commands
+ #define ALPS_FOUR_BUTTONS 0x40 /* 4 direction button present */
+ #define ALPS_PS2_INTERLEAVED 0x80 /* 3-byte PS/2 packet interleaved with
+ 6-byte ALPS packet */
+-#define ALPS_DELL 0x100 /* device is a Dell laptop */
++#define ALPS_STICK_BITS 0x100 /* separate stick button bits */
+ #define ALPS_BUTTONPAD 0x200 /* device is a clickpad */
+
+ static const struct alps_model_info alps_model_data[] = {
+@@ -159,6 +159,43 @@ static const struct alps_protocol_info a
+ ALPS_PROTO_V8, 0x18, 0x18, 0
+ };
+
++/*
++ * Some v2 models report the stick buttons in separate bits
++ */
++static const struct dmi_system_id alps_dmi_has_separate_stick_buttons[] = {
++#if defined(CONFIG_DMI) && defined(CONFIG_X86)
++ {
++ /* Extrapolated from other entries */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D420"),
++ },
++ },
++ {
++ /* Reported-by: Hans de Bruin <jmdebruin@xmsnet.nl> */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D430"),
++ },
++ },
++ {
++ /* Reported-by: Hans de Goede <hdegoede@redhat.com> */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D620"),
++ },
++ },
++ {
++ /* Extrapolated from other entries */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D630"),
++ },
++ },
++#endif
++ { }
++};
++
+ static void alps_set_abs_params_st(struct alps_data *priv,
+ struct input_dev *dev1);
+ static void alps_set_abs_params_semi_mt(struct alps_data *priv,
+@@ -253,9 +290,8 @@ static void alps_process_packet_v1_v2(st
+ return;
+ }
+
+- /* Dell non interleaved V2 dualpoint has separate stick button bits */
+- if (priv->proto_version == ALPS_PROTO_V2 &&
+- priv->flags == (ALPS_DELL | ALPS_PASS | ALPS_DUALPOINT)) {
++ /* Some models have separate stick button bits */
++ if (priv->flags & ALPS_STICK_BITS) {
+ left |= packet[0] & 1;
+ right |= packet[0] & 2;
+ middle |= packet[0] & 4;
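Review bot: The new test `if (priv->flags & ALPS_STICK_BITS)` drops both conditions the removed code had: `priv->proto_version == ALPS_PROTO_V2` and the exact-flags match that limited it to non-interleaved dualpoint devices. ALPS_STICK_BITS is set in alps_set_protocol() from the DMI table alone, in a case block whose labels are outside the hunk. If that block is shared with V1, the stick bits would be read on any matching laptop regardless of protocol. If the four listed models only ever carry the V2 non-interleaved part, a comment on the table saying so is enough. Otherwise keep the protocol check, e.g. `if (priv->proto_version == ALPS_PROTO_V2 && (priv->flags & ALPS_STICK_BITS))`.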
+@@ -2552,8 +2588,6 @@ static int alps_set_protocol(struct psmo
+ priv->byte0 = protocol->byte0;
+ priv->mask0 = protocol->mask0;
+ priv->flags = protocol->flags;
+- if (dmi_name_in_vendors("Dell"))
+- priv->flags |= ALPS_DELL;
+
+ priv->x_max = 2000;
+ priv->y_max = 1400;
+@@ -2568,6 +2602,8 @@ static int alps_set_protocol(struct psmo
+ priv->set_abs_params = alps_set_abs_params_st;
+ priv->x_max = 1023;
+ priv->y_max = 767;
++ if (dmi_check_system(alps_dmi_has_separate_stick_buttons))
++ priv->flags |= ALPS_STICK_BITS;
+ break;
+
+ case ALPS_PROTO_V3:
--- /dev/null
+From 209da39154837ec1b69fb34f438041939911e4b4 Mon Sep 17 00:00:00 2001
+From: Lucas Stach <dev@lynxeye.de>
+Date: Sun, 25 Oct 2015 16:39:12 +0100
+Subject: irqchip/tegra: Propagate IRQ type setting to parent
+
+From: Lucas Stach <dev@lynxeye.de>
+
+commit 209da39154837ec1b69fb34f438041939911e4b4 upstream.
+
+The LIC doesn't deal with the different types of interrupts itself
+but needs to forward calls to set the appropriate type to its parent
+IRQ controller.
+
+Without this fix all IRQs routed through the LIC will stay at the
+initial EDGE type, while most of them should actually be level triggered.
+
+Fixes: 1eec582158e2 "irqchip: tegra: Add Tegra210 support"
+Signed-off-by: Lucas Stach <dev@lynxeye.de>
+Cc: Stephen Warren <swarren@wwwdotorg.org>
+Cc: Thierry Reding <thierry.reding@gmail.com>
+Cc: Alexandre Courbot <gnurou@gmail.com>
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Link: http://lkml.kernel.org/r/1445787552-13062-1-git-send-email-dev@lynxeye.de
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-tegra.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/irqchip/irq-tegra.c
++++ b/drivers/irqchip/irq-tegra.c
+@@ -215,6 +215,7 @@ static struct irq_chip tegra_ictlr_chip
+ .irq_unmask = tegra_unmask,
+ .irq_retrigger = tegra_retrigger,
+ .irq_set_wake = tegra_set_wake,
++ .irq_set_type = irq_chip_set_type_parent,
+ .flags = IRQCHIP_MASK_ON_SUSPEND,
+ #ifdef CONFIG_SMP
+ .irq_set_affinity = irq_chip_set_affinity_parent,
--- /dev/null
+From ba60c41ae392b473a1897faa0b8739fcb8759d69 Mon Sep 17 00:00:00 2001
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Date: Wed, 2 Sep 2015 12:33:53 +0530
+Subject: kvm: irqchip: fix memory leak
+
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+
+commit ba60c41ae392b473a1897faa0b8739fcb8759d69 upstream.
+
+We were taking the exit path after checking ue->flags and return value
+of setup_routing_entry(), but 'e' was not freed incase of a failure.
+
+Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: William Dauchy <william@gandi.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/irqchip.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/virt/kvm/irqchip.c
++++ b/virt/kvm/irqchip.c
+@@ -213,11 +213,15 @@ int kvm_set_irq_routing(struct kvm *kvm,
+ goto out;
+
+ r = -EINVAL;
+- if (ue->flags)
++ if (ue->flags) {
++ kfree(e);
+ goto out;
++ }
+ r = setup_routing_entry(new, e, ue);
+- if (r)
++ if (r) {
++ kfree(e);
+ goto out;
++ }
+ ++ue;
+ }
+
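Review bot: The two added `kfree(e)` calls repeat the same cleanup before `goto out`, so the next failure path added to this loop can reintroduce the leak. A single error label that frees `e` would centralise it, but it has to stay off the success path, since an entry that setup_routing_entry() accepted is presumably owned by `new` and freeing it there would be a double free. If the duplication is kept, a comment on the first branch such as `/* e is not yet linked into new: free it here */` would make the ownership rule explicit. The `out` label and the rest of kvm_set_irq_routing() are outside the hunk.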
--- /dev/null
+From 203d27b0226a05202438ddb39ef0ef1acb14a759 Mon Sep 17 00:00:00 2001
+From: Jes Sorensen <Jes.Sorensen@redhat.com>
+Date: Tue, 20 Oct 2015 12:09:12 -0400
+Subject: md/raid1: submit_bio_wait() returns 0 on success
+
+From: Jes Sorensen <Jes.Sorensen@redhat.com>
+
+commit 203d27b0226a05202438ddb39ef0ef1acb14a759 upstream.
+
+This was introduced with 9e882242c6193ae6f416f2d8d8db0d9126bd996b
+which changed the return value of submit_bio_wait() to return != 0 on
+error, but didn't update the caller accordingly.
+
+Fixes: 9e882242c6 ("block: Add submit_bio_wait(), remove from md")
+Reported-by: Bill Kuzeja <William.Kuzeja@stratus.com>
+Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -2249,7 +2249,7 @@ static int narrow_write_error(struct r1b
+ bio_trim(wbio, sector - r1_bio->sector, sectors);
+ wbio->bi_iter.bi_sector += rdev->data_offset;
+ wbio->bi_bdev = rdev->bdev;
+- if (submit_bio_wait(WRITE, wbio) == 0)
++ if (submit_bio_wait(WRITE, wbio) < 0)
+ /* failure! */
+ ok = rdev_set_badblocks(rdev, sector,
+ sectors, 0)
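Review bot: The new condition `submit_bio_wait(WRITE, wbio) < 0` is narrower than the contract the description states, which is that submit_bio_wait() returns non-zero on error. Testing `!= 0` would match that contract and would still record a bad block if the function ever returned a positive error value, whereas `< 0` would treat such a return as a successful write. The same line is changed the same way in drivers/md/raid10.c. Both hunks end in the middle of the rdev_set_badblocks() statement, and narrow_write_error() continues outside them.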
--- /dev/null
+From 681ab4696062f5aa939c9e04d058732306a97176 Mon Sep 17 00:00:00 2001
+From: Jes Sorensen <Jes.Sorensen@redhat.com>
+Date: Tue, 20 Oct 2015 12:09:13 -0400
+Subject: md/raid10: submit_bio_wait() returns 0 on success
+
+From: Jes Sorensen <Jes.Sorensen@redhat.com>
+
+commit 681ab4696062f5aa939c9e04d058732306a97176 upstream.
+
+This was introduced with 9e882242c6193ae6f416f2d8d8db0d9126bd996b
+which changed the return value of submit_bio_wait() to return != 0 on
+error, but didn't update the caller accordingly.
+
+Fixes: 9e882242c6 ("block: Add submit_bio_wait(), remove from md")
+Reported-by: Bill Kuzeja <William.Kuzeja@stratus.com>
+Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid10.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -2580,7 +2580,7 @@ static int narrow_write_error(struct r10
+ choose_data_offset(r10_bio, rdev) +
+ (sector - r10_bio->sector));
+ wbio->bi_bdev = rdev->bdev;
+- if (submit_bio_wait(WRITE, wbio) == 0)
++ if (submit_bio_wait(WRITE, wbio) < 0)
+ /* Failure! */
+ ok = rdev_set_badblocks(rdev, sector,
+ sectors, 0)
--- /dev/null
+From b8a9d66d043ffac116100775a469f05f5158c16f Mon Sep 17 00:00:00 2001
+From: Roman Gushchin <klamm@yandex-team.ru>
+Date: Sat, 31 Oct 2015 10:53:50 +1100
+Subject: md/raid5: fix locking in handle_stripe_clean_event()
+
+From: Roman Gushchin <klamm@yandex-team.ru>
+
+commit b8a9d66d043ffac116100775a469f05f5158c16f upstream.
+
+After commit 566c09c53455 ("raid5: relieve lock contention in get_active_stripe()")
+__find_stripe() is called under conf->hash_locks + hash.
+But handle_stripe_clean_event() calls remove_hash() under
+conf->device_lock.
+
+Under some cirscumstances the hash chain can be circuited,
+and we get an infinite loop with disabled interrupts and locked hash
+lock in __find_stripe(). This leads to hard lockup on multiple CPUs
+and following system crash.
+
+I was able to reproduce this behavior on raid6 over 6 ssd disks.
+The devices_handle_discard_safely option should be set to enable trim
+support. The following script was used:
+
+for i in `seq 1 32`; do
+ dd if=/dev/zero of=large$i bs=10M count=100 &
+done
+
+neilb: original was against a 3.x kernel. I forward-ported
+ to 4.3-rc. This verison is suitable for any kernel since
+ Commit: 59fc630b8b5f ("RAID5: batch adjacent full stripe write")
+ (v4.1+). I'll post a version for earlier kernels to stable.
+
+Signed-off-by: Roman Gushchin <klamm@yandex-team.ru>
+Fixes: 566c09c53455 ("raid5: relieve lock contention in get_active_stripe()")
+Signed-off-by: NeilBrown <neilb@suse.com>
+Cc: Shaohua Li <shli@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid5.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -3505,6 +3505,7 @@ returnbi:
+ }
+ if (!discard_pending &&
+ test_bit(R5_Discard, &sh->dev[sh->pd_idx].flags)) {
++ int hash;
+ clear_bit(R5_Discard, &sh->dev[sh->pd_idx].flags);
+ clear_bit(R5_UPTODATE, &sh->dev[sh->pd_idx].flags);
+ if (sh->qd_idx >= 0) {
+@@ -3518,16 +3519,17 @@ returnbi:
+ * no updated data, so remove it from hash list and the stripe
+ * will be reinitialized
+ */
+- spin_lock_irq(&conf->device_lock);
+ unhash:
++ hash = sh->hash_lock_index;
++ spin_lock_irq(conf->hash_locks + hash);
+ remove_hash(sh);
++ spin_unlock_irq(conf->hash_locks + hash);
+ if (head_sh->batch_head) {
+ sh = list_first_entry(&sh->batch_list,
+ struct stripe_head, batch_list);
+ if (sh != head_sh)
+ goto unhash;
+ }
+- spin_unlock_irq(&conf->device_lock);
+ sh = head_sh;
+
+ if (test_bit(STRIPE_SYNC_REQUESTED, &sh->state))
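Review bot: After this change the step to the next batch member, `sh = list_first_entry(&sh->batch_list, ...)`, runs with no lock held, where it previously ran entirely under conf->device_lock. Each remove_hash() is now under the stripe's own hash lock, which is the point of the fix, but nothing visible here says what keeps batch_list stable between iterations. If the batch is already private to this context, a comment above `unhash:` saying so would settle it, for example `/* batch_list cannot change here; only the hash chain needs the hash lock */`. If it is not, the list step needs its own protection. The enclosing function starts and ends outside the hunks.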
--- /dev/null
+From 2280521719e81919283b82902ac24058f87dfc1b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?D=C4=81vis=20Mos=C4=81ns?= <davispuh@gmail.com>
+Date: Fri, 21 Aug 2015 07:29:22 +0300
+Subject: mvsas: Fix NULL pointer dereference in mvs_slot_task_free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?D=C4=81vis=20Mos=C4=81ns?= <davispuh@gmail.com>
+
+commit 2280521719e81919283b82902ac24058f87dfc1b upstream.
+
+When pci_pool_alloc fails in mvs_task_prep then task->lldd_task stays
+NULL but it's later used in mvs_abort_task as slot which is passed
+to mvs_slot_task_free causing NULL pointer dereference.
+
+Just return from mvs_slot_task_free when passed with NULL slot.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=101891
+Signed-off-by: Dāvis Mosāns <davispuh@gmail.com>
+Reviewed-by: Tomas Henzl <thenzl@redhat.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: James Bottomley <JBottomley@Odin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/mvsas/mv_sas.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/mvsas/mv_sas.c
++++ b/drivers/scsi/mvsas/mv_sas.c
+@@ -887,6 +887,8 @@ static void mvs_slot_free(struct mvs_inf
+ static void mvs_slot_task_free(struct mvs_info *mvi, struct sas_task *task,
+ struct mvs_slot_info *slot, u32 slot_idx)
+ {
++ if (!slot)
++ return;
+ if (!slot->task)
+ return;
+ if (!sas_protocol_ata(task->task_proto))
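Review bot: The added `if (!slot) return;` guards the dereference in mvs_slot_task_free(), but per the description the NULL comes from mvs_abort_task() using task->lldd_task without checking it, and that caller is not changed. Anything the caller derives from the pointer before the call, such as the slot_idx argument, is still computed from NULL; that code is outside this diff and worth checking. Within this function the two guards can be one line, `if (!slot || !slot->task) return;`. The function body continues past the hunk.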
--- /dev/null
+From 00db674bedd68ff8b5afae9030ff5e04d45d1b4a Mon Sep 17 00:00:00 2001
+From: Nikolay Borisov <kernel@kyup.com>
+Date: Fri, 16 Oct 2015 09:40:28 +0300
+Subject: netfilter: ipset: Fix sleeping memory allocation in atomic context
+
+From: Nikolay Borisov <kernel@kyup.com>
+
+commit 00db674bedd68ff8b5afae9030ff5e04d45d1b4a upstream.
+
+Commit 00590fdd5be0 introduced RCU locking in list type and in
+doing so introduced a memory allocation in list_set_add, which
+is done in an atomic context, due to the fact that ipset rcu
+list modifications are serialised with a spin lock. The reason
+why we can't use a mutex is that in addition to modifying the
+list with ipset commands, it's also being modified when a
+particular ipset rule timeout expires aka garbage collection.
+This gc is triggered from set_cleanup_entries, which in turn
+is invoked from a timer thus requiring the lock to be bh-safe.
+
+Concretely the following call chain can lead to "sleeping function
+called in atomic context" splat:
+call_ad -> list_set_uadt -> list_set_uadd -> kzalloc(, GFP_KERNEL).
+And since GFP_KERNEL allows initiating direct reclaim thus
+potentially sleeping in the allocation path.
+
+To fix the issue change the allocation type to GFP_ATOMIC, to
+correctly reflect that it is occuring in an atomic context.
+
+Fixes: 00590fdd5be0 ("netfilter: ipset: Introduce RCU locking in list type")
+Signed-off-by: Nikolay Borisov <kernel@kyup.com>
+Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipset/ip_set_list_set.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_list_set.c
++++ b/net/netfilter/ipset/ip_set_list_set.c
+@@ -297,7 +297,7 @@ list_set_uadd(struct ip_set *set, void *
+ ip_set_timeout_expired(ext_timeout(n, set))))
+ n = NULL;
+
+- e = kzalloc(set->dsize, GFP_KERNEL);
++ e = kzalloc(set->dsize, GFP_ATOMIC);
+ if (!e)
+ return -ENOMEM;
+ e->id = d->id;
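Review bot: The switch to `GFP_ATOMIC` in list_set_uadd() has no comment tying it to the locking, and the spinlock that makes this context atomic is taken by a caller outside the hunk. Without that, the flag looks like a candidate for being changed back to GFP_KERNEL. I would add `/* called with the set spinlock held (bh-safe, shared with the gc timer): must not sleep */` above the allocation. GFP_ATOMIC allocations fail more readily under memory pressure, so the existing `-ENOMEM` return becomes a path userspace will actually hit; the callers should be checked for handling it cleanly.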
--- /dev/null
+From d01552a76d71f9879af448e9142389ee9be6e95b Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Sat, 31 Oct 2015 11:00:56 +1100
+Subject: Revert "md: allow a partially recovered device to be hot-added to an array."
+
+From: NeilBrown <neilb@suse.com>
+
+commit d01552a76d71f9879af448e9142389ee9be6e95b upstream.
+
+This reverts commit 7eb418851f3278de67126ea0c427641ab4792c57.
+
+This commit is poorly justified, I can find not discusison in email,
+and it clearly causes a problem.
+
+If a device which is being recovered fails and is subsequently
+re-added to an array, there could easily have been changes to the
+array *before* the point where the recovery was up to. So the
+recovery must start again from the beginning.
+
+If a spare is being recovered and fails, then when it is re-added we
+really should do a bitmap-based recovery up to the recovery-offset,
+and then a full recovery from there. Before this reversion, we only
+did the "full recovery from there" which is not corect. After this
+reversion with will do a full recovery from the start, which is safer
+but not ideal.
+
+It will be left to a future patch to arrange the two different styles
+of recovery.
+
+Reported-and-tested-by: Nate Dailey <nate.dailey@stratus.com>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Fixes: 7eb418851f32 ("md: allow a partially recovered device to be hot-added to an array.")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -8030,8 +8030,7 @@ static int remove_and_add_spares(struct
+ !test_bit(Bitmap_sync, &rdev->flags)))
+ continue;
+
+- if (rdev->saved_raid_disk < 0)
+- rdev->recovery_offset = 0;
++ rdev->recovery_offset = 0;
+ if (mddev->pers->
+ hot_add_disk(mddev, rdev) == 0) {
+ if (sysfs_link_rdev(mddev, rdev))
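Review bot: `rdev->recovery_offset = 0;` is now unconditional, and nothing beside it explains why the saved_raid_disk test must not come back. The description gives the reason: the array may have changed before the point the earlier recovery had reached, so resuming from the old offset can leave stale data on the re-added device. A comment such as `/* always restart recovery from 0: the array may have changed below the old offset while the device was out */` would carry that into the code. remove_and_add_spares() starts and ends outside the hunk.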
--- /dev/null
+From 5aa5050787f449e7eaef2c5ec93c7b357aa7dcdc Mon Sep 17 00:00:00 2001
+From: Luca Abeni <luca.abeni@unitn.it>
+Date: Fri, 16 Oct 2015 10:06:21 +0200
+Subject: sched/deadline: Fix migration of SCHED_DEADLINE tasks
+
+From: Luca Abeni <luca.abeni@unitn.it>
+
+commit 5aa5050787f449e7eaef2c5ec93c7b357aa7dcdc upstream.
+
+Commit:
+
+ 9d5142624256 ("sched/deadline: Reduce rq lock contention by eliminating locking of non-feasible target")
+
+broke select_task_rq_dl() and find_lock_later_rq(), because it introduced
+a comparison between the local task's deadline and dl.earliest_dl.curr of
+the remote queue.
+
+However, if the remote runqueue does not contain any SCHED_DEADLINE
+task its earliest_dl.curr is 0 (always smaller than the deadline of
+the local task) and the remote runqueue is not selected for pushing.
+
+As a result, if an application creates multiple SCHED_DEADLINE
+threads, they will never be pushed to runqueues that do not already
+contain SCHED_DEADLINE tasks.
+
+This patch fixes the issue by checking if dl.dl_nr_running == 0.
+
+Signed-off-by: Luca Abeni <luca.abeni@unitn.it>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Juri Lelli <juri.lelli@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Wanpeng Li <wanpeng.li@linux.intel.com>
+Fixes: 9d5142624256 ("sched/deadline: Reduce rq lock contention by eliminating locking of non-feasible target")
+Link: http://lkml.kernel.org/r/1444982781-15608-1-git-send-email-luca.abeni@unitn.it
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/deadline.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -1066,8 +1066,9 @@ select_task_rq_dl(struct task_struct *p,
+ int target = find_later_rq(p);
+
+ if (target != -1 &&
+- dl_time_before(p->dl.deadline,
+- cpu_rq(target)->dl.earliest_dl.curr))
++ (dl_time_before(p->dl.deadline,
++ cpu_rq(target)->dl.earliest_dl.curr) ||
++ (cpu_rq(target)->dl.dl_nr_running == 0)))
+ cpu = target;
+ }
+ rcu_read_unlock();
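Review bot: The same feasibility test is now spelled out twice in opposite polarity, once in this select_task_rq_dl() hunk and once negated in the find_lock_later_rq() hunk that follows, so any later adjustment has to be made in both places. A small static inline helper taking the task and the candidate rq and returning `!rq->dl.dl_nr_running || dl_time_before(p->dl.deadline, rq->dl.earliest_dl.curr)` would keep the two call sites in step. It would also give one place for a comment stating that earliest_dl.curr is 0, and therefore not meaningful to compare against, when the rq holds no SCHED_DEADLINE tasks. Both functions begin and end outside their hunks, so other uses of earliest_dl.curr in them are not visible here.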
+@@ -1417,7 +1418,8 @@ static struct rq *find_lock_later_rq(str
+
+ later_rq = cpu_rq(cpu);
+
+- if (!dl_time_before(task->dl.deadline,
++ if (later_rq->dl.dl_nr_running &&
++ !dl_time_before(task->dl.deadline,
+ later_rq->dl.earliest_dl.curr)) {
+ /*
+ * Target rq has tasks of equal or earlier deadline,
ovl-use-o_largefile-in-ovl_copy_up.patch
ovl-fix-dentry-reference-leak.patch
ovl-fix-open-in-stacked-overlay.patch
+input-alps-only-the-dell-latitude-d420-430-620-630-have-separate-stick-button-bits.patch
+crypto-api-only-abort-operations-on-fatal-signal.patch
+md-raid1-submit_bio_wait-returns-0-on-success.patch
+md-raid10-submit_bio_wait-returns-0-on-success.patch
+md-raid5-fix-locking-in-handle_stripe_clean_event.patch
+revert-md-allow-a-partially-recovered-device-to-be-hot-added-to-an-array.patch
+edac-sb_edac-fix-tad-presence-check-for-sbridge_mci_bind_devs.patch
+irqchip-tegra-propagate-irq-type-setting-to-parent.patch
+mvsas-fix-null-pointer-dereference-in-mvs_slot_task_free.patch
+netfilter-ipset-fix-sleeping-memory-allocation-in-atomic-context.patch
+btrfs-fix-possible-leak-in-btrfs_ioctl_balance.patch
+kvm-irqchip-fix-memory-leak.patch
+thermal-exynos-fix-register-read-in-tmu.patch
+um-fix-kernel-mode-fault-condition.patch
+blk-mq-fix-use-after-free-in-blk_mq_free_tag_set.patch
+ib-cm-fix-rb-tree-duplicate-free-and-use-after-free.patch
+sched-deadline-fix-migration-of-sched_deadline-tasks.patch
+cpufreq-intel_pstate-fix-divide-by-zero-on-knights-landing-knl.patch
--- /dev/null
+From b28fec1324bf8f5010d2c3c5d57db4115bda66d4 Mon Sep 17 00:00:00 2001
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Date: Sat, 17 Oct 2015 08:08:56 +0900
+Subject: thermal: exynos: Fix register read in TMU
+
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+
+commit b28fec1324bf8f5010d2c3c5d57db4115bda66d4 upstream.
+
+The value of emul_con was getting overwritten if the selected soc is
+SOC_ARCH_EXYNOS5260. And so as a result we were reading from the wrong
+register in the case of SOC_ARCH_EXYNOS5260.
+
+Fixes: 488c7455d74c ("thermal: exynos: Add the support for Exynos5433 TMU")
+Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
+Reviewed-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Acked-by: Lukasz Majewski <l.majewski@samsung.com>
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Signed-off-by: Kukjin Kim <kgene@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/thermal/samsung/exynos_tmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/thermal/samsung/exynos_tmu.c
++++ b/drivers/thermal/samsung/exynos_tmu.c
+@@ -933,7 +933,7 @@ static void exynos4412_tmu_set_emulation
+
+ if (data->soc == SOC_ARCH_EXYNOS5260)
+ emul_con = EXYNOS5260_EMUL_CON;
+- if (data->soc == SOC_ARCH_EXYNOS5433)
++ else if (data->soc == SOC_ARCH_EXYNOS5433)
+ emul_con = EXYNOS5433_TMU_EMUL_CON;
+ else if (data->soc == SOC_ARCH_EXYNOS7)
+ emul_con = EXYNOS7_TMU_REG_EMUL_CON;
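Review bot: The register selection in exynos4412_tmu_set_emulation() is a one-of-N choice on `data->soc`, and writing it as an if / else-if ladder is what allowed a single missing `else` to silently overwrite emul_con. A `switch (data->soc)` with one case per SoC makes the mutual exclusion structural, so that a dropped keyword can no longer redirect the read to the wrong register. The ladder continues past the end of the hunk, so the final fallback branch is assumed rather than visible and would become the `default:` case.

```c
switch (data->soc) {
case SOC_ARCH_EXYNOS5260:
	emul_con = EXYNOS5260_EMUL_CON;
	break;
case SOC_ARCH_EXYNOS5433:
	emul_con = EXYNOS5433_TMU_EMUL_CON;
	break;
case SOC_ARCH_EXYNOS7:
	emul_con = EXYNOS7_TMU_REG_EMUL_CON;
	break;
/* … unchanged: whatever branch follows the EXYNOS7 case outside the hunk becomes the default … */
```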
--- /dev/null
+From 56b88a3bf97a39d3f4f010509917b76a865a6dc8 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Sun, 9 Aug 2015 22:26:33 +0200
+Subject: um: Fix kernel mode fault condition
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 56b88a3bf97a39d3f4f010509917b76a865a6dc8 upstream.
+
+We have to exclude memory locations <= PAGE_SIZE from
+the condition and let the kernel mode fault path catch it.
+Otherwise a kernel NULL pointer exception will be reported
+as a kernel user space access.
+
+Fixes: d2313084e2c (um: Catch unprotected user memory access)
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/um/kernel/trap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/um/kernel/trap.c
++++ b/arch/um/kernel/trap.c
+@@ -220,7 +220,7 @@ unsigned long segv(struct faultinfo fi,
+ show_regs(container_of(regs, struct pt_regs, regs));
+ panic("Segfault with no mm");
+ }
+- else if (!is_user && address < TASK_SIZE) {
++ else if (!is_user && address > PAGE_SIZE && address < TASK_SIZE) {
+ show_regs(container_of(regs, struct pt_regs, regs));
+ panic("Kernel tried to access user memory at addr 0x%lx, ip 0x%lx",
+ address, ip);
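Review bot: The new lower bound `address > PAGE_SIZE` in segv() also exempts the address exactly equal to PAGE_SIZE, which is the first byte of the second page rather than part of the NULL page. This matches the commit message ("<= PAGE_SIZE"), but if the intent is only to hand NULL-pointer dereferences to the kernel-mode fault path, `address >= PAGE_SIZE` would be the tighter test and would keep the unprotected-user-access panic covering that address. Either way the condition deserves a short comment, for example `/* low addresses are treated as kernel NULL dereferences, not user accesses */`, since this branch is the check that reports unprotected kernel access to user memory and the carve-out is not obvious from the code. The function starts and continues outside the hunk.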