4.9-stable patches

added patches:
	ipmi-fix-kernel-panic-at-ipmi_ssif_thread.patch

diff --git a/queue-4.9/ipmi-fix-kernel-panic-at-ipmi_ssif_thread.patch b/queue-4.9/ipmi-fix-kernel-panic-at-ipmi_ssif_thread.patch
new file mode 100644 (file)
index 0000000..5f9cab0
--- /dev/null
+++ b/queue-4.9/ipmi-fix-kernel-panic-at-ipmi_ssif_thread.patch
@@ -0,0 +1,51 @@
+From 6de65fcfdb51835789b245203d1bfc8d14cb1e06 Mon Sep 17 00:00:00 2001
+From: Joeseph Chang <joechang@codeaurora.org>
+Date: Mon, 27 Mar 2017 20:22:09 -0600
+Subject: ipmi: Fix kernel panic at ipmi_ssif_thread()
+
+From: Joeseph Chang <joechang@codeaurora.org>
+
+commit 6de65fcfdb51835789b245203d1bfc8d14cb1e06 upstream.
+
+msg_written_handler() may set ssif_info->multi_data to NULL
+when using ipmitool to write fru.
+
+Before setting ssif_info->multi_data to NULL, add new local
+pointer "data_to_send" and store correct i2c data pointer to
+it to fix NULL pointer kernel panic and incorrect ssif_info->multi_pos.
+
+Signed-off-by: Joeseph Chang <joechang@codeaurora.org>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ipmi/ipmi_ssif.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -892,6 +892,7 @@ static void msg_written_handler(struct s
+                * for details on the intricacies of this.
+                */
+               int left;
++              unsigned char *data_to_send;
+ 
+               ssif_inc_stat(ssif_info, sent_messages_parts);
+ 
+@@ -900,6 +901,7 @@ static void msg_written_handler(struct s
+                       left = 32;
+               /* Length byte. */
+               ssif_info->multi_data[ssif_info->multi_pos] = left;
++              data_to_send = ssif_info->multi_data + ssif_info->multi_pos;
+               ssif_info->multi_pos += left;
+               if (left < 32)
+                       /*
+@@ -913,7 +915,7 @@ static void msg_written_handler(struct s
+               rv = ssif_i2c_send(ssif_info, msg_written_handler,
+                                 I2C_SMBUS_WRITE,
+                                 SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE,
+-                                ssif_info->multi_data + ssif_info->multi_pos,
++                                data_to_send,
+                                 I2C_SMBUS_BLOCK_DATA);
+               if (rv < 0) {
+                       /* request failed, just return the error. */

diff --git a/queue-4.9/series b/queue-4.9/series
index 196f06fc7854451dfb8895c499fe384229c24412..67489a9ea192ab34fbef221f4a80f4e51996c455 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -72,3 +72,4 @@ tty-pty-fix-ldisc-flush-after-userspace-become-aware-of-the-data-already.patch
 bluetooth-fix-user-channel-for-32bit-userspace-on-64bit-kernel.patch
 bluetooth-hci_bcm-add-missing-tty-device-sanity-check.patch
 bluetooth-hci_intel-add-missing-tty-device-sanity-check.patch
+ipmi-fix-kernel-panic-at-ipmi_ssif_thread.patch