--- /dev/null
+From 43200a4480cbbe660309621817f54cbb93907108 Mon Sep 17 00:00:00 2001
+From: Wolfgang Grandegger <wg@grandegger.com>
+Date: Mon, 13 Jun 2016 15:44:19 +0200
+Subject: can: at91_can: RX queue could get stuck at high bus load
+
+From: Wolfgang Grandegger <wg@grandegger.com>
+
+commit 43200a4480cbbe660309621817f54cbb93907108 upstream.
+
+At high bus load it could happen that "at91_poll()" enters with all RX
+message boxes filled up. If then at the end the "quota" is exceeded as
+well, "rx_next" will not be reset to the first RX mailbox and hence the
+interrupts remain disabled.
+
+Signed-off-by: Wolfgang Grandegger <wg@grandegger.com>
+Tested-by: Amr Bekhit <amrbekhit@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/at91_can.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/at91_can.c
++++ b/drivers/net/can/at91_can.c
+@@ -712,9 +712,10 @@ static int at91_poll_rx(struct net_devic
+
+ /* upper group completed, look again in lower */
+ if (priv->rx_next > get_mb_rx_low_last(priv) &&
+- quota > 0 && mb > get_mb_rx_last(priv)) {
++ mb > get_mb_rx_last(priv)) {
+ priv->rx_next = get_mb_rx_first(priv);
+- goto again;
++ if (quota > 0)
++ goto again;
+ }
+
+ return received;
--- /dev/null
+From 427460c83cdf55069eee49799a0caef7dde8df69 Mon Sep 17 00:00:00 2001
+From: Thor Thayer <tthayer@opensource.altera.com>
+Date: Thu, 16 Jun 2016 11:10:19 -0500
+Subject: can: c_can: Update D_CAN TX and RX functions to 32 bit - fix Altera Cyclone access
+
+From: Thor Thayer <tthayer@opensource.altera.com>
+
+commit 427460c83cdf55069eee49799a0caef7dde8df69 upstream.
+
+When testing CAN write floods on Altera's CycloneV, the first 2 bytes
+are sometimes 0x00, 0x00 or corrupted instead of the values sent. Also
+observed bytes 4 & 5 were corrupted in some cases.
+
+The D_CAN Data registers are 32 bits and changing from 16 bit writes to
+32 bit writes fixes the problem.
+
+Testing performed on Altera CycloneV (D_CAN). Requesting tests on other
+C_CAN & D_CAN platforms.
+
+Reported-by: Richard Andrysek <richard.andrysek@gomtec.de>
+Signed-off-by: Thor Thayer <tthayer@opensource.altera.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/c_can/c_can.c | 38 +++++++++++++++++++++++++++++++-------
+ 1 file changed, 31 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/can/c_can/c_can.c
++++ b/drivers/net/can/c_can/c_can.c
+@@ -332,9 +332,23 @@ static void c_can_setup_tx_object(struct
+
+ priv->write_reg(priv, C_CAN_IFACE(MSGCTRL_REG, iface), ctrl);
+
+- for (i = 0; i < frame->can_dlc; i += 2) {
+- priv->write_reg(priv, C_CAN_IFACE(DATA1_REG, iface) + i / 2,
+- frame->data[i] | (frame->data[i + 1] << 8));
++ if (priv->type == BOSCH_D_CAN) {
++ u32 data = 0, dreg = C_CAN_IFACE(DATA1_REG, iface);
++
++ for (i = 0; i < frame->can_dlc; i += 4, dreg += 2) {
++ data = (u32)frame->data[i];
++ data |= (u32)frame->data[i + 1] << 8;
++ data |= (u32)frame->data[i + 2] << 16;
++ data |= (u32)frame->data[i + 3] << 24;
++ priv->write_reg32(priv, dreg, data);
++ }
++ } else {
++ for (i = 0; i < frame->can_dlc; i += 2) {
++ priv->write_reg(priv,
++ C_CAN_IFACE(DATA1_REG, iface) + i / 2,
++ frame->data[i] |
++ (frame->data[i + 1] << 8));
++ }
+ }
+ }
+
+@@ -402,10 +416,20 @@ static int c_can_read_msg_object(struct
+ } else {
+ int i, dreg = C_CAN_IFACE(DATA1_REG, iface);
+
+- for (i = 0; i < frame->can_dlc; i += 2, dreg ++) {
+- data = priv->read_reg(priv, dreg);
+- frame->data[i] = data;
+- frame->data[i + 1] = data >> 8;
++ if (priv->type == BOSCH_D_CAN) {
++ for (i = 0; i < frame->can_dlc; i += 4, dreg += 2) {
++ data = priv->read_reg32(priv, dreg);
++ frame->data[i] = data;
++ frame->data[i + 1] = data >> 8;
++ frame->data[i + 2] = data >> 16;
++ frame->data[i + 3] = data >> 24;
++ }
++ } else {
++ for (i = 0; i < frame->can_dlc; i += 2, dreg++) {
++ data = priv->read_reg(priv, dreg);
++ frame->data[i] = data;
++ frame->data[i + 1] = data >> 8;
++ }
+ }
+ }
+
--- /dev/null
+From bce271f255dae8335dc4d2ee2c4531e09cc67f5a Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Tue, 21 Jun 2016 12:14:07 +0200
+Subject: can: fix handling of unmodifiable configuration options fix
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit bce271f255dae8335dc4d2ee2c4531e09cc67f5a upstream.
+
+With upstream commit bb208f144cf3f59 (can: fix handling of unmodifiable
+configuration options) a new can_validate() function was introduced.
+
+When invoking 'ip link set can0 type can' without any configuration data
+can_validate() tries to validate the content without taking into account that
+there's totally no content. This patch adds a check for missing content.
+
+Reported-by: ajneu <ajneu1@gmail.com>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -798,6 +798,9 @@ static int can_validate(struct nlattr *t
+ * - control mode with CAN_CTRLMODE_FD set
+ */
+
++ if (!data)
++ return 0;
++
+ if (data[IFLA_CAN_CTRLMODE]) {
+ struct can_ctrlmode *cm = nla_data(data[IFLA_CAN_CTRLMODE]);
+
--- /dev/null
+From 25e1ed6e64f52a692ba3191c4fde650aab3ecc07 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Tue, 21 Jun 2016 15:45:47 +0200
+Subject: can: fix oops caused by wrong rtnl dellink usage
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 25e1ed6e64f52a692ba3191c4fde650aab3ecc07 upstream.
+
+For 'real' hardware CAN devices the netlink interface is used to set CAN
+specific communication parameters. Real CAN hardware can not be created nor
+removed with the ip tool ...
+
+This patch adds a private dellink function for the CAN device driver interface
+that does just nothing.
+
+It's a follow up to commit 993e6f2fd ("can: fix oops caused by wrong rtnl
+newlink usage") but for dellink.
+
+Reported-by: ajneu <ajneu1@gmail.com>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -1011,6 +1011,11 @@ static int can_newlink(struct net *src_n
+ return -EOPNOTSUPP;
+ }
+
++static void can_dellink(struct net_device *dev, struct list_head *head)
++{
++ return;
++}
++
+ static struct rtnl_link_ops can_link_ops __read_mostly = {
+ .kind = "can",
+ .maxtype = IFLA_CAN_MAX,
+@@ -1019,6 +1024,7 @@ static struct rtnl_link_ops can_link_ops
+ .validate = can_validate,
+ .newlink = can_newlink,
+ .changelink = can_changelink,
++ .dellink = can_dellink,
+ .get_size = can_get_size,
+ .fill_info = can_fill_info,
+ .get_xstats_size = can_get_xstats_size,
--- /dev/null
+From 54e430bbd490e18ab116afa4cd90dcc45787b3df Mon Sep 17 00:00:00 2001
+From: Brian King <brking@linux.vnet.ibm.com>
+Date: Mon, 27 Jun 2016 09:09:40 -0500
+Subject: ipr: Clear interrupt on croc/crocodile when running with LSI
+
+From: Brian King <brking@linux.vnet.ibm.com>
+
+commit 54e430bbd490e18ab116afa4cd90dcc45787b3df upstream.
+
+If we fall back to using LSI on the Croc or Crocodile chip we need to
+clear the interrupt so we don't hang the system.
+
+Tested-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ipr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/ipr.c
++++ b/drivers/scsi/ipr.c
+@@ -10093,6 +10093,7 @@ static int ipr_probe_ioa(struct pci_dev
+ ioa_cfg->intr_flag = IPR_USE_MSI;
+ else {
+ ioa_cfg->intr_flag = IPR_USE_LSI;
++ ioa_cfg->clear_isr = 1;
+ ioa_cfg->nvectors = 1;
+ dev_info(&pdev->dev, "Cannot enable MSI.\n");
+ }
--- /dev/null
+From 99ec8a3608330d202448085185cf28389b789b7b Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@imgtec.com>
+Date: Tue, 5 Jul 2016 14:25:59 +0100
+Subject: irqchip/mips-gic: Map to VPs using HW VPNum
+
+From: Paul Burton <paul.burton@imgtec.com>
+
+commit 99ec8a3608330d202448085185cf28389b789b7b upstream.
+
+When mapping an interrupt to a VP(E) we must use the identifier for the
+VP that the hardware expects, and this does not always match up with the
+Linux CPU number. Commit d46812bb0bef ("irqchip: mips-gic: Use HW IDs
+for VPE_OTHER_ADDR") corrected this for the cases that existed at the
+time it was written, but commit 2af70a962070 ("irqchip/mips-gic: Add a
+IPI hierarchy domain") added another case before the former patch was
+merged. This leads to incorrectly using Linux CPU numbers when mapping
+interrupts to VPs, which breaks on certain systems such as those with
+multi-core I6400 CPUs. Fix by adding the appropriate call to
+mips_cm_vp_id() to retrieve the expected VP identifier.
+
+Fixes: d46812bb0bef ("irqchip: mips-gic: Use HW IDs for VPE_OTHER_ADDR")
+Fixes: 2af70a962070 ("irqchip/mips-gic: Add a IPI hierarchy domain")
+Signed-off-by: Paul Burton <paul.burton@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: Qais Yousef <qsyousef@gmail.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Link: http://lkml.kernel.org/r/20160705132600.27730-1-paul.burton@imgtec.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-mips-gic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-mips-gic.c
++++ b/drivers/irqchip/irq-mips-gic.c
+@@ -706,7 +706,7 @@ static int gic_shared_irq_domain_map(str
+
+ spin_lock_irqsave(&gic_lock, flags);
+ gic_map_to_pin(intr, gic_cpu_pin);
+- gic_map_to_vpe(intr, vpe);
++ gic_map_to_vpe(intr, mips_cm_vp_id(vpe));
+ for (i = 0; i < min(gic_vpes, NR_CPUS); i++)
+ clear_bit(intr, pcpu_masks[i].pcpu_mask);
+ set_bit(intr, pcpu_masks[vpe].pcpu_mask);
--- /dev/null
+From 547aefc4db877e65245c3d95fcce703701bf3a0c Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@imgtec.com>
+Date: Tue, 5 Jul 2016 14:26:00 +0100
+Subject: irqchip/mips-gic: Match IPI IRQ domain by bus token only
+
+From: Paul Burton <paul.burton@imgtec.com>
+
+commit 547aefc4db877e65245c3d95fcce703701bf3a0c upstream.
+
+Commit fbde2d7d8290 ("MIPS: Add generic SMP IPI support") introduced
+code which calls irq_find_matching_host with a NULL node parameter in
+order to discover IPI IRQ domains which are not associated with the DT
+root node's interrupt parent. This suggests that implementations of IPI
+IRQ domains should effectively ignore the node parameter if it is NULL
+and search purely based upon the bus token. Commit 2af70a962070
+("irqchip/mips-gic: Add a IPI hierarchy domain") did not do this when
+implementing the GIC IPI IRQ domain, and on MIPS Boston boards this
+leads to no IPI domain being discovered and a NULL pointer dereference
+when attempting to send an IPI:
+
+ CPU 0 Unable to handle kernel paging request at virtual address 0000000000000040, epc == ffffffff8016e70c, ra == ffffffff8010ff5c
+ Oops[#1]:
+ CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.7.0-rc6-00223-gad0d1b6 #945
+ task: a8000000ff066fc0 ti: a8000000ff068000 task.ti: a8000000ff068000
+ $ 0 : 0000000000000000 0000000000000001 ffffffff80730000 0000000000000003
+ $ 4 : 0000000000000000 ffffffff8057e5b0 a800000001e3ee00 0000000000000000
+ $ 8 : 0000000000000000 0000000000000023 0000000000000001 0000000000000001
+ $12 : 0000000000000000 ffffffff803323d0 0000000000000000 0000000000000000
+ $16 : 0000000000000000 0000000000000000 0000000000000001 ffffffff801108fc
+ $20 : 0000000000000000 ffffffff8057e5b0 0000000000000001 0000000000000000
+ $24 : 0000000000000000 ffffffff8012de28
+ $28 : a8000000ff068000 a8000000ff06fbc0 0000000000000000 ffffffff8010ff5c
+ Hi : ffffffff8014c174
+ Lo : a800000001e1e140
+ epc : ffffffff8016e70c __ipi_send_mask+0x24/0x11c
+ ra : ffffffff8010ff5c mips_smp_send_ipi_mask+0x68/0x178
+ Status: 140084e2 KX SX UX KERNEL EXL
+ Cause : 00800008 (ExcCode 02)
+ BadVA : 0000000000000040
+ PrId : 0001a920 (MIPS I6400)
+ Process swapper/0 (pid: 1, threadinfo=a8000000ff068000, task=a8000000ff066fc0, tls=0000000000000000)
+ Stack : 0000000000000000 0000000000000000 0000000000000001 ffffffff801108fc
+ 0000000000000000 ffffffff8057e5b0 0000000000000001 ffffffff8010ff5c
+ 0000000000000001 0000000000000020 0000000000000000 0000000000000000
+ 0000000000000000 ffffffff801108fc 0000000000000000 0000000000000001
+ 0000000000000001 0000000000000000 0000000000000000 ffffffff801865e8
+ a8000000ff0c7500 a8000000ff06fc90 0000000000000001 0000000000000002
+ ffffffff801108fc ffffffff801868b8 0000000000000000 ffffffff801108fc
+ 0000000000000000 0000000000000003 ffffffff8068c700 0000000000000001
+ ffffffff80730000 0000000000000001 a8000000ff00a290 ffffffff80110c50
+ 0000000000000003 a800000001e48308 0000000000000003 0000000000000008
+ ...
+ Call Trace:
+ [<ffffffff8016e70c>] __ipi_send_mask+0x24/0x11c
+ [<ffffffff8010ff5c>] mips_smp_send_ipi_mask+0x68/0x178
+ [<ffffffff801865e8>] generic_exec_single+0x150/0x170
+ [<ffffffff801868b8>] smp_call_function_single+0x108/0x160
+ [<ffffffff80110c50>] cps_boot_secondary+0x328/0x394
+ [<ffffffff80110534>] __cpu_up+0x38/0x90
+ [<ffffffff8012de4c>] bringup_cpu+0x24/0xac
+ [<ffffffff8012df40>] cpuhp_up_callbacks+0x58/0xdc
+ [<ffffffff8012e648>] cpu_up+0x118/0x18c
+ [<ffffffff806dc158>] smp_init+0xbc/0xe8
+ [<ffffffff806d4c18>] kernel_init_freeable+0xa0/0x228
+ [<ffffffff8056c908>] kernel_init+0x10/0xf0
+ [<ffffffff80105098>] ret_from_kernel_thread+0x14/0x1c
+
+Fix this by allowing the GIC IPI IRQ domain to match purely based upon
+the bus token if the node provided is NULL.
+
+Fixes: 2af70a962070 ("irqchip/mips-gic: Add a IPI hierarchy domain")
+Signed-off-by: Paul Burton <paul.burton@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: Qais Yousef <qsyousef@gmail.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Link: http://lkml.kernel.org/r/20160705132600.27730-2-paul.burton@imgtec.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-mips-gic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-mips-gic.c
++++ b/drivers/irqchip/irq-mips-gic.c
+@@ -947,7 +947,7 @@ int gic_ipi_domain_match(struct irq_doma
+ switch (bus_token) {
+ case DOMAIN_BUS_IPI:
+ is_ipi = d->bus_token == bus_token;
+- return to_of_node(d->fwnode) == node && is_ipi;
++ return (!node || to_of_node(d->fwnode) == node) && is_ipi;
+ break;
+ default:
+ return 0;
--- /dev/null
+From 262e2bfd7d1e1f1ee48b870e5dfabb87c06b975e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bruno=20Pr=C3=83=C2=A9mont?= <bonbons@linux-vserver.org>
+Date: Thu, 30 Jun 2016 17:00:32 +0200
+Subject: qla2xxx: Fix NULL pointer deref in QLA interrupt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bruno Prémont <bonbons@linux-vserver.org>
+
+commit 262e2bfd7d1e1f1ee48b870e5dfabb87c06b975e upstream.
+
+In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL
+pointer dereference when rsp->msix is NULL:
+
+[ 5.622457] NULL pointer dereference at 0000000000000050
+[ 5.622457] IP: [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
+[ 5.622457] PGD 0
+[ 5.622457] Oops: 0000 [#1] SMP
+[ 5.622457] Modules linked in:
+[ 5.622457] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.6.3-x86_64 #1
+[ 5.622457] Hardware name: HP ProLiant DL360 G5, BIOS P58 05/02/2011
+[ 5.622457] task: ffff8801a88f3740 ti: ffff8801a8954000 task.ti: ffff8801a8954000
+[ 5.622457] RIP: 0010:[<ffffffff8155e614>] [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
+[ 5.622457] RSP: 0000:ffff8801afb03de8 EFLAGS: 00010002
+[ 5.622457] RAX: 0000000000000000 RBX: 0000000000000032 RCX: 00000000ffffffff
+[ 5.622457] RDX: 0000000000000002 RSI: ffff8801a79bf8c8 RDI: ffff8800c8f7e7c0
+[ 5.622457] RBP: ffff8801afb03e68 R08: 0000000000000000 R09: 0000000000000000
+[ 5.622457] R10: 00000000ffff8c47 R11: 0000000000000002 R12: ffff8801a79bf8c8
+[ 5.622457] R13: ffff8800c8f7e7c0 R14: ffff8800c8f60000 R15: 0000000000018013
+[ 5.622457] FS: 0000000000000000(0000) GS:ffff8801afb00000(0000) knlGS:0000000000000000
+[ 5.622457] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 5.622457] CR2: 0000000000000050 CR3: 0000000001e07000 CR4: 00000000000006e0
+[ 5.622457] Stack:
+[ 5.622457] ffff8801afb03e30 ffffffff810c0f2d 0000000000000086 0000000000000002
+[ 5.622457] ffff8801afb03e28 ffffffff816570e1 ffff8800c8994628 0000000000000002
+[ 5.622457] ffff8801afb03e60 ffffffff816772d4 b47c472ad6955e68 0000000000000032
+[ 5.622457] Call Trace:
+[ 5.622457] <IRQ>
+[ 5.622457] [<ffffffff810c0f2d>] ? __wake_up_common+0x4d/0x80
+[ 5.622457] [<ffffffff816570e1>] ? usb_hcd_resume_root_hub+0x51/0x60
+[ 5.622457] [<ffffffff816772d4>] ? uhci_hub_status_data+0x64/0x240
+[ 5.622457] [<ffffffff81560d00>] qla24xx_intr_handler+0xf0/0x2e0
+[ 5.622457] [<ffffffff810d569e>] ? get_next_timer_interrupt+0xce/0x200
+[ 5.622457] [<ffffffff810c89b4>] handle_irq_event_percpu+0x64/0x100
+[ 5.622457] [<ffffffff810c8a77>] handle_irq_event+0x27/0x50
+[ 5.622457] [<ffffffff810cb965>] handle_edge_irq+0x65/0x140
+[ 5.622457] [<ffffffff8101a498>] handle_irq+0x18/0x30
+[ 5.622457] [<ffffffff8101a276>] do_IRQ+0x46/0xd0
+[ 5.622457] [<ffffffff817f8fff>] common_interrupt+0x7f/0x7f
+[ 5.622457] <EOI>
+[ 5.622457] [<ffffffff81020d38>] ? mwait_idle+0x68/0x80
+[ 5.622457] [<ffffffff8102114a>] arch_cpu_idle+0xa/0x10
+[ 5.622457] [<ffffffff810c1b97>] default_idle_call+0x27/0x30
+[ 5.622457] [<ffffffff810c1d3b>] cpu_startup_entry+0x19b/0x230
+[ 5.622457] [<ffffffff810324c6>] start_secondary+0x136/0x140
+[ 5.622457] Code: 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 47 58 a8 02 0f 84 c5 00 00 00 48 8b 46 50 49 89 f4 65 8b 15 34 bb aa 7e <39> 50 50 74 11 89 50 50 48 8b 46 50 8b 40 50 41 89 86 60 8b 00
+[ 5.622457] RIP [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
+[ 5.622457] RSP <ffff8801afb03de8>
+[ 5.622457] CR2: 0000000000000050
+[ 5.622457] ---[ end trace fa2b19c25106d42b ]---
+[ 5.622457] Kernel panic - not syncing: Fatal exception in interrupt
+
+The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde
+(qla2xxx: Add irq affinity notification).
+
+Only dereference rsp->msix when it has been set so the machine can boot
+fine. Possibly rsp->msix is unset because:
+[ 3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k.
+[ 3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000.
+[ 3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3).
+[ 3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258.
+[ 3.890145] scsi host0: qla2xxx
+[ 3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA.
+[ 3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496).
+[ 5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps).
+
+Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
+Acked-by: Quinn Tran <quinn.tran@qlogic.com>
+Fixes: cdb898c52d1dfad4b4800b83a58b3fe5d352edde
+Signed-off-by: James Bottomley <jejb@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_isr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -2548,7 +2548,7 @@ void qla24xx_process_response_queue(stru
+ if (!vha->flags.online)
+ return;
+
+- if (rsp->msix->cpuid != smp_processor_id()) {
++ if (rsp->msix && rsp->msix->cpuid != smp_processor_id()) {
+ /* if kernel does not notify qla of IRQ's CPU change,
+ * then set it here.
+ */
--- /dev/null
+From 3dad5424adfb346c871847d467f97dcdca64ea97 Mon Sep 17 00:00:00 2001
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Sun, 3 Jul 2016 10:54:54 +0200
+Subject: RDS: fix rds_tcp_init() error path
+
+From: Vegard Nossum <vegard.nossum@oracle.com>
+
+commit 3dad5424adfb346c871847d467f97dcdca64ea97 upstream.
+
+If register_pernet_subsys() fails, we shouldn't try to call
+unregister_pernet_subsys().
+
+Fixes: 467fa15356 ("RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns.")
+Cc: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Acked-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rds/tcp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/rds/tcp.c
++++ b/net/rds/tcp.c
+@@ -544,7 +544,7 @@ static int rds_tcp_init(void)
+
+ ret = rds_tcp_recv_init();
+ if (ret)
+- goto out_slab;
++ goto out_pernet;
+
+ ret = rds_trans_register(&rds_tcp_transport);
+ if (ret)
+@@ -556,8 +556,9 @@ static int rds_tcp_init(void)
+
+ out_recv:
+ rds_tcp_recv_exit();
+-out_slab:
++out_pernet:
+ unregister_pernet_subsys(&rds_tcp_net_ops);
++out_slab:
+ kmem_cache_destroy(rds_tcp_conn_slab);
+ out:
+ return ret;
--- /dev/null
+From 5e7ff2ca7f2da55fe777167849d0c93403bd0dc8 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Thu, 23 Jun 2016 15:05:26 -0400
+Subject: SCSI: fix new bug in scsi_dev_info_list string matching
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 5e7ff2ca7f2da55fe777167849d0c93403bd0dc8 upstream.
+
+Commit b704f70ce200 ("SCSI: fix bug in scsi_dev_info_list matching")
+changed the way vendor- and model-string matching was carried out in the
+routine that looks up entries in a SCSI devinfo list. The new matching
+code failed to take into account the case of a maximum-length string; in
+such cases it could end up testing for a terminating '\0' byte beyond
+the end of the memory allocated to the string. This out-of-bounds bug
+was detected by UBSAN.
+
+I don't know if anybody has actually encountered this bug. The symptom
+would be that a device entry in the blacklist might not be matched
+properly if it contained an 8-character vendor name or a 16-character
+model name. Such entries certainly exist in scsi_static_device_list.
+
+This patch fixes the problem by adding a check for a maximum-length
+string before the '\0' test.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Fixes: b704f70ce200 ("SCSI: fix bug in scsi_dev_info_list matching")
+Tested-by: Wilfried Klaebe <linux-kernel@lebenslange-mailadresse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_devinfo.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/scsi_devinfo.c
++++ b/drivers/scsi/scsi_devinfo.c
+@@ -429,7 +429,7 @@ static struct scsi_dev_info_list *scsi_d
+ * here, and we don't know what device it is
+ * trying to work with, leave it as-is.
+ */
+- vmax = 8; /* max length of vendor */
++ vmax = sizeof(devinfo->vendor);
+ vskip = vendor;
+ while (vmax > 0 && *vskip == ' ') {
+ vmax--;
+@@ -439,7 +439,7 @@ static struct scsi_dev_info_list *scsi_d
+ while (vmax > 0 && vskip[vmax - 1] == ' ')
+ --vmax;
+
+- mmax = 16; /* max length of model */
++ mmax = sizeof(devinfo->model);
+ mskip = model;
+ while (mmax > 0 && *mskip == ' ') {
+ mmax--;
+@@ -455,10 +455,12 @@ static struct scsi_dev_info_list *scsi_d
+ * Behave like the older version of get_device_flags.
+ */
+ if (memcmp(devinfo->vendor, vskip, vmax) ||
+- devinfo->vendor[vmax])
++ (vmax < sizeof(devinfo->vendor) &&
++ devinfo->vendor[vmax]))
+ continue;
+ if (memcmp(devinfo->model, mskip, mmax) ||
+- devinfo->model[mmax])
++ (mmax < sizeof(devinfo->model) &&
++ devinfo->model[mmax]))
+ continue;
+ return devinfo;
+ } else {
mmc-block-fix-free-of-uninitialized-idata-buf.patch
mmc-block-fix-packed-command-header-endianness.patch
sched-fair-fix-effective_load-to-consistently-use-smoothed-load.patch
+can-at91_can-rx-queue-could-get-stuck-at-high-bus-load.patch
+can-c_can-update-d_can-tx-and-rx-functions-to-32-bit-fix-altera-cyclone-access.patch
+can-fix-handling-of-unmodifiable-configuration-options-fix.patch
+can-fix-oops-caused-by-wrong-rtnl-dellink-usage.patch
+rds-fix-rds_tcp_init-error-path.patch
+irqchip-mips-gic-map-to-vps-using-hw-vpnum.patch
+irqchip-mips-gic-match-ipi-irq-domain-by-bus-token-only.patch
+qla2xxx-fix-null-pointer-deref-in-qla-interrupt.patch
+scsi-fix-new-bug-in-scsi_dev_info_list-string-matching.patch
+ipr-clear-interrupt-on-croc-crocodile-when-running-with-lsi.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
