From: Greg Kroah-Hartman Date: Fri, 6 Nov 2015 06:58:30 +0000 (-0800) Subject: 4.1-stable patches X-Git-Tag: v3.10.93~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7773b1b783bfde7839d0d57aa13445be94a33ea2;p=thirdparty%2Fkernel%2Fstable-queue.git 4.1-stable patches added patches: btrfs-fix-possible-leak-in-btrfs_ioctl_balance.patch cpufreq-intel_pstate-fix-divide-by-zero-on-knights-landing-knl.patch crypto-api-only-abort-operations-on-fatal-signal.patch edac-sb_edac-fix-tad-presence-check-for-sbridge_mci_bind_devs.patch ib-cm-fix-rb-tree-duplicate-free-and-use-after-free.patch input-alps-only-the-dell-latitude-d420-430-620-630-have-separate-stick-button-bits.patch irqchip-tegra-propagate-irq-type-setting-to-parent.patch md-raid1-submit_bio_wait-returns-0-on-success.patch md-raid10-submit_bio_wait-returns-0-on-success.patch md-raid5-fix-locking-in-handle_stripe_clean_event.patch mfd-of-document-mfd-devices-and-handle-simple-mfd.patch mvsas-fix-null-pointer-dereference-in-mvs_slot_task_free.patch revert-md-allow-a-partially-recovered-device-to-be-hot-added-to-an-array.patch --- diff --git a/queue-4.1/btrfs-fix-possible-leak-in-btrfs_ioctl_balance.patch b/queue-4.1/btrfs-fix-possible-leak-in-btrfs_ioctl_balance.patch new file mode 100644 index 00000000000..6e34c47d963 --- /dev/null +++ b/queue-4.1/btrfs-fix-possible-leak-in-btrfs_ioctl_balance.patch @@ -0,0 +1,54 @@ +From 0f89abf56abbd0e1c6e3cef9813e6d9f05383c1e Mon Sep 17 00:00:00 2001 +From: Christian Engelmayer +Date: Wed, 21 Oct 2015 00:50:06 +0200 +Subject: btrfs: fix possible leak in btrfs_ioctl_balance() + +From: Christian Engelmayer + +commit 0f89abf56abbd0e1c6e3cef9813e6d9f05383c1e upstream. + +Commit 8eb934591f8b ("btrfs: check unsupported filters in balance +arguments") adds a jump to exit label out_bargs in case the argument +check fails. At this point in addition to the bargs memory, the +memory for struct btrfs_balance_control has already been allocated. +Ownership of bctl is passed to btrfs_balance() in the good case, +thus the memory is not freed due to the introduced jump. Make sure +that the memory gets freed in any case as necessary. Detected by +Coverity CID 1328378. + +Signed-off-by: Christian Engelmayer +Reviewed-by: David Sterba +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ioctl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -4494,7 +4494,7 @@ locked: + + if (bctl->flags & ~(BTRFS_BALANCE_ARGS_MASK | BTRFS_BALANCE_TYPE_MASK)) { + ret = -EINVAL; +- goto out_bargs; ++ goto out_bctl; + } + + do_balance: +@@ -4508,12 +4508,15 @@ do_balance: + need_unlock = false; + + ret = btrfs_balance(bctl, bargs); ++ bctl = NULL; + + if (arg) { + if (copy_to_user(arg, bargs, sizeof(*bargs))) + ret = -EFAULT; + } + ++out_bctl: ++ kfree(bctl); + out_bargs: + kfree(bargs); + out_unlock: diff --git a/queue-4.1/cpufreq-intel_pstate-fix-divide-by-zero-on-knights-landing-knl.patch b/queue-4.1/cpufreq-intel_pstate-fix-divide-by-zero-on-knights-landing-knl.patch new file mode 100644 index 00000000000..791654606b0 --- /dev/null +++ b/queue-4.1/cpufreq-intel_pstate-fix-divide-by-zero-on-knights-landing-knl.patch @@ -0,0 +1,38 @@ +From 8e601a9f97a00bab031980de34f9a81891c1f82f Mon Sep 17 00:00:00 2001 +From: Srinivas Pandruvada +Date: Thu, 15 Oct 2015 12:34:21 -0700 +Subject: cpufreq: intel_pstate: Fix divide by zero on Knights Landing (KNL) + +From: Srinivas Pandruvada + +commit 8e601a9f97a00bab031980de34f9a81891c1f82f upstream. + +This is a workaround for KNL platform, where in some cases MPERF counter +will not have updated value before next read of MSR_IA32_MPERF. In this +case divide by zero will occur. This change ignores current sample for +busy calculation in this case. + +Fixes: b34ef932d79a (intel_pstate: Knights Landing support) +Signed-off-by: Srinivas Pandruvada +Acked-by: Kristen Carlson Accardi +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/intel_pstate.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -761,6 +761,11 @@ static inline void intel_pstate_sample(s + local_irq_save(flags); + rdmsrl(MSR_IA32_APERF, aperf); + rdmsrl(MSR_IA32_MPERF, mperf); ++ if (cpu->prev_mperf == mperf) { ++ local_irq_restore(flags); ++ return; ++ } ++ + local_irq_restore(flags); + + cpu->last_sample_time = cpu->sample.time; diff --git a/queue-4.1/crypto-api-only-abort-operations-on-fatal-signal.patch b/queue-4.1/crypto-api-only-abort-operations-on-fatal-signal.patch new file mode 100644 index 00000000000..62060925d73 --- /dev/null +++ b/queue-4.1/crypto-api-only-abort-operations-on-fatal-signal.patch @@ -0,0 +1,93 @@ +From 3fc89adb9fa4beff31374a4bf50b3d099d88ae83 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Mon, 19 Oct 2015 18:23:57 +0800 +Subject: crypto: api - Only abort operations on fatal signal + +From: Herbert Xu + +commit 3fc89adb9fa4beff31374a4bf50b3d099d88ae83 upstream. + +Currently a number of Crypto API operations may fail when a signal +occurs. This causes nasty problems as the caller of those operations +are often not in a good position to restart the operation. + +In fact there is currently no need for those operations to be +interrupted by user signals at all. All we need is for them to +be killable. + +This patch replaces the relevant calls of signal_pending with +fatal_signal_pending, and wait_for_completion_interruptible with +wait_for_completion_killable, respectively. + +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/ablkcipher.c | 2 +- + crypto/algapi.c | 2 +- + crypto/api.c | 6 +++--- + crypto/crypto_user.c | 2 +- + 4 files changed, 6 insertions(+), 6 deletions(-) + +--- a/crypto/ablkcipher.c ++++ b/crypto/ablkcipher.c +@@ -698,7 +698,7 @@ struct crypto_ablkcipher *crypto_alloc_a + err: + if (err != -EAGAIN) + break; +- if (signal_pending(current)) { ++ if (fatal_signal_pending(current)) { + err = -EINTR; + break; + } +--- a/crypto/algapi.c ++++ b/crypto/algapi.c +@@ -337,7 +337,7 @@ static void crypto_wait_for_test(struct + crypto_alg_tested(larval->alg.cra_driver_name, 0); + } + +- err = wait_for_completion_interruptible(&larval->completion); ++ err = wait_for_completion_killable(&larval->completion); + WARN_ON(err); + + out: +--- a/crypto/api.c ++++ b/crypto/api.c +@@ -172,7 +172,7 @@ static struct crypto_alg *crypto_larval_ + struct crypto_larval *larval = (void *)alg; + long timeout; + +- timeout = wait_for_completion_interruptible_timeout( ++ timeout = wait_for_completion_killable_timeout( + &larval->completion, 60 * HZ); + + alg = larval->adult; +@@ -445,7 +445,7 @@ struct crypto_tfm *crypto_alloc_base(con + err: + if (err != -EAGAIN) + break; +- if (signal_pending(current)) { ++ if (fatal_signal_pending(current)) { + err = -EINTR; + break; + } +@@ -562,7 +562,7 @@ void *crypto_alloc_tfm(const char *alg_n + err: + if (err != -EAGAIN) + break; +- if (signal_pending(current)) { ++ if (fatal_signal_pending(current)) { + err = -EINTR; + break; + } +--- a/crypto/crypto_user.c ++++ b/crypto/crypto_user.c +@@ -381,7 +381,7 @@ static struct crypto_alg *crypto_user_ae + err = PTR_ERR(alg); + if (err != -EAGAIN) + break; +- if (signal_pending(current)) { ++ if (fatal_signal_pending(current)) { + err = -EINTR; + break; + } diff --git a/queue-4.1/edac-sb_edac-fix-tad-presence-check-for-sbridge_mci_bind_devs.patch b/queue-4.1/edac-sb_edac-fix-tad-presence-check-for-sbridge_mci_bind_devs.patch new file mode 100644 index 00000000000..5af2f29e783 --- /dev/null +++ b/queue-4.1/edac-sb_edac-fix-tad-presence-check-for-sbridge_mci_bind_devs.patch @@ -0,0 +1,80 @@ +From 2900ea609616c2651dec65312beeb2a6e536bc50 Mon Sep 17 00:00:00 2001 +From: Seth Jennings +Date: Wed, 5 Aug 2015 13:16:01 -0500 +Subject: EDAC, sb_edac: Fix TAD presence check for sbridge_mci_bind_devs() + +From: Seth Jennings + +commit 2900ea609616c2651dec65312beeb2a6e536bc50 upstream. + +In commit + + 7d375bffa524 ("sb_edac: Fix support for systems with two home agents per socket") + +NUM_CHANNELS was changed to 8 and the channel space was renumerated to +handle EN, EP, and EX configurations. + +The *_mci_bind_devs() functions - except for sbridge_mci_bind_devs() - +got a new device presence check in the form of saw_chan_mask. However, +sbridge_mci_bind_devs() still uses the NUM_CHANNELS for loop. + +With the increase in NUM_CHANNELS, this loop fails at index 4 since +SB only has 4 TADs. This results in the following error on SB machines: + + EDAC sbridge: Some needed devices are missing + EDAC sbridge: Couldn't find mci handler + EDAC sbridge: Couldn't find mci handle + +This patch adapts the saw_chan_mask logic for sbridge_mci_bind_devs() as +well. + +After this patch: + + EDAC MC0: Giving out device to module sbridge_edac.c controller Sandy Bridge Socket#0: DEV 0000:3f:0e.0 (POLLED) + EDAC MC1: Giving out device to module sbridge_edac.c controller Sandy Bridge Socket#1: DEV 0000:7f:0e.0 (POLLED) + +Signed-off-by: Seth Jennings +Acked-by: Aristeu Rozanski +Acked-by: Tony Luck +Tested-by: Borislav Petkov +Cc: Mauro Carvalho Chehab +Cc: linux-edac +Link: http://lkml.kernel.org/r/1438798561-10180-1-git-send-email-sjenning@redhat.com +Signed-off-by: Borislav Petkov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/sb_edac.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/edac/sb_edac.c ++++ b/drivers/edac/sb_edac.c +@@ -1608,6 +1608,7 @@ static int sbridge_mci_bind_devs(struct + { + struct sbridge_pvt *pvt = mci->pvt_info; + struct pci_dev *pdev; ++ u8 saw_chan_mask = 0; + int i; + + for (i = 0; i < sbridge_dev->n_devs; i++) { +@@ -1641,6 +1642,7 @@ static int sbridge_mci_bind_devs(struct + { + int id = pdev->device - PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_TAD0; + pvt->pci_tad[id] = pdev; ++ saw_chan_mask |= 1 << id; + } + break; + case PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_DDRIO: +@@ -1661,10 +1663,8 @@ static int sbridge_mci_bind_devs(struct + !pvt-> pci_tad || !pvt->pci_ras || !pvt->pci_ta) + goto enodev; + +- for (i = 0; i < NUM_CHANNELS; i++) { +- if (!pvt->pci_tad[i]) +- goto enodev; +- } ++ if (saw_chan_mask != 0x0f) ++ goto enodev; + return 0; + + enodev: diff --git a/queue-4.1/ib-cm-fix-rb-tree-duplicate-free-and-use-after-free.patch b/queue-4.1/ib-cm-fix-rb-tree-duplicate-free-and-use-after-free.patch new file mode 100644 index 00000000000..09694769bfe --- /dev/null +++ b/queue-4.1/ib-cm-fix-rb-tree-duplicate-free-and-use-after-free.patch @@ -0,0 +1,52 @@ +From 0ca81a2840f77855bbad1b9f172c545c4dc9e6a4 Mon Sep 17 00:00:00 2001 +From: Doron Tsur +Date: Sun, 11 Oct 2015 15:58:17 +0300 +Subject: IB/cm: Fix rb-tree duplicate free and use-after-free + +From: Doron Tsur + +commit 0ca81a2840f77855bbad1b9f172c545c4dc9e6a4 upstream. + +ib_send_cm_sidr_rep could sometimes erase the node from the sidr +(depending on errors in the process). Since ib_send_cm_sidr_rep is +called both from cm_sidr_req_handler and cm_destroy_id, cm_id_priv +could be either erased from the rb_tree twice or not erased at all. +Fixing that by making sure it's erased only once before freeing +cm_id_priv. + +Fixes: a977049dacde ('[PATCH] IB: Add the kernel CM implementation') +Signed-off-by: Doron Tsur +Signed-off-by: Matan Barak +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/cm.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/core/cm.c ++++ b/drivers/infiniband/core/cm.c +@@ -859,6 +859,11 @@ retest: + case IB_CM_SIDR_REQ_RCVD: + spin_unlock_irq(&cm_id_priv->lock); + cm_reject_sidr_req(cm_id_priv, IB_SIDR_REJECT); ++ spin_lock_irq(&cm.lock); ++ if (!RB_EMPTY_NODE(&cm_id_priv->sidr_id_node)) ++ rb_erase(&cm_id_priv->sidr_id_node, ++ &cm.remote_sidr_table); ++ spin_unlock_irq(&cm.lock); + break; + case IB_CM_REQ_SENT: + case IB_CM_MRA_REQ_RCVD: +@@ -3098,7 +3103,10 @@ int ib_send_cm_sidr_rep(struct ib_cm_id + spin_unlock_irqrestore(&cm_id_priv->lock, flags); + + spin_lock_irqsave(&cm.lock, flags); +- rb_erase(&cm_id_priv->sidr_id_node, &cm.remote_sidr_table); ++ if (!RB_EMPTY_NODE(&cm_id_priv->sidr_id_node)) { ++ rb_erase(&cm_id_priv->sidr_id_node, &cm.remote_sidr_table); ++ RB_CLEAR_NODE(&cm_id_priv->sidr_id_node); ++ } + spin_unlock_irqrestore(&cm.lock, flags); + return 0; + diff --git a/queue-4.1/input-alps-only-the-dell-latitude-d420-430-620-630-have-separate-stick-button-bits.patch b/queue-4.1/input-alps-only-the-dell-latitude-d420-430-620-630-have-separate-stick-button-bits.patch new file mode 100644 index 00000000000..f683ff38841 --- /dev/null +++ b/queue-4.1/input-alps-only-the-dell-latitude-d420-430-620-630-have-separate-stick-button-bits.patch @@ -0,0 +1,121 @@ +From 195562194aad3a0a3915941077f283bcc6347b9b Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 26 Oct 2015 01:50:28 -0700 +Subject: Input: alps - only the Dell Latitude D420/430/620/630 have separate stick button bits +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans de Goede + +commit 195562194aad3a0a3915941077f283bcc6347b9b upstream. + +commit 92bac83dd79e ("Input: alps - non interleaved V2 dualpoint has +separate stick button bits") assumes that all alps v2 non-interleaved +dual point setups have the separate stick button bits. + +Later we limited this to Dell laptops only because of reports that this +broke things on non Dell laptops. Now it turns out that this breaks things +on the Dell Latitude D600 too. So it seems that only the Dell Latitude +D420/430/620/630, which all share the same touchpad / stick combo, +have these separate bits. + +This patch limits the checking of the separate bits to only these models +fixing regressions with other models. + +Reported-and-tested-by: Larry Finger +Tested-by: Hans de Goede +Signed-off-by: Hans de Goede +Acked-By: Pali Rohár +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/alps.c | 48 +++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 42 insertions(+), 6 deletions(-) + +--- a/drivers/input/mouse/alps.c ++++ b/drivers/input/mouse/alps.c +@@ -100,7 +100,7 @@ static const struct alps_nibble_commands + #define ALPS_FOUR_BUTTONS 0x40 /* 4 direction button present */ + #define ALPS_PS2_INTERLEAVED 0x80 /* 3-byte PS/2 packet interleaved with + 6-byte ALPS packet */ +-#define ALPS_DELL 0x100 /* device is a Dell laptop */ ++#define ALPS_STICK_BITS 0x100 /* separate stick button bits */ + #define ALPS_BUTTONPAD 0x200 /* device is a clickpad */ + + static const struct alps_model_info alps_model_data[] = { +@@ -159,6 +159,43 @@ static const struct alps_protocol_info a + ALPS_PROTO_V8, 0x18, 0x18, 0 + }; + ++/* ++ * Some v2 models report the stick buttons in separate bits ++ */ ++static const struct dmi_system_id alps_dmi_has_separate_stick_buttons[] = { ++#if defined(CONFIG_DMI) && defined(CONFIG_X86) ++ { ++ /* Extrapolated from other entries */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D420"), ++ }, ++ }, ++ { ++ /* Reported-by: Hans de Bruin */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D430"), ++ }, ++ }, ++ { ++ /* Reported-by: Hans de Goede */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D620"), ++ }, ++ }, ++ { ++ /* Extrapolated from other entries */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D630"), ++ }, ++ }, ++#endif ++ { } ++}; ++ + static void alps_set_abs_params_st(struct alps_data *priv, + struct input_dev *dev1); + static void alps_set_abs_params_mt(struct alps_data *priv, +@@ -253,9 +290,8 @@ static void alps_process_packet_v1_v2(st + return; + } + +- /* Dell non interleaved V2 dualpoint has separate stick button bits */ +- if (priv->proto_version == ALPS_PROTO_V2 && +- priv->flags == (ALPS_DELL | ALPS_PASS | ALPS_DUALPOINT)) { ++ /* Some models have separate stick button bits */ ++ if (priv->flags & ALPS_STICK_BITS) { + left |= packet[0] & 1; + right |= packet[0] & 2; + middle |= packet[0] & 4; +@@ -2544,8 +2580,6 @@ static int alps_set_protocol(struct psmo + priv->byte0 = protocol->byte0; + priv->mask0 = protocol->mask0; + priv->flags = protocol->flags; +- if (dmi_name_in_vendors("Dell")) +- priv->flags |= ALPS_DELL; + + priv->x_max = 2000; + priv->y_max = 1400; +@@ -2560,6 +2594,8 @@ static int alps_set_protocol(struct psmo + priv->set_abs_params = alps_set_abs_params_st; + priv->x_max = 1023; + priv->y_max = 767; ++ if (dmi_check_system(alps_dmi_has_separate_stick_buttons)) ++ priv->flags |= ALPS_STICK_BITS; + break; + + case ALPS_PROTO_V3: diff --git a/queue-4.1/irqchip-tegra-propagate-irq-type-setting-to-parent.patch b/queue-4.1/irqchip-tegra-propagate-irq-type-setting-to-parent.patch new file mode 100644 index 00000000000..922fc5592a4 --- /dev/null +++ b/queue-4.1/irqchip-tegra-propagate-irq-type-setting-to-parent.patch @@ -0,0 +1,41 @@ +From 209da39154837ec1b69fb34f438041939911e4b4 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Sun, 25 Oct 2015 16:39:12 +0100 +Subject: irqchip/tegra: Propagate IRQ type setting to parent + +From: Lucas Stach + +commit 209da39154837ec1b69fb34f438041939911e4b4 upstream. + +The LIC doesn't deal with the different types of interrupts itself +but needs to forward calls to set the appropriate type to its parent +IRQ controller. + +Without this fix all IRQs routed through the LIC will stay at the +initial EDGE type, while most of them should actually be level triggered. + +Fixes: 1eec582158e2 "irqchip: tegra: Add Tegra210 support" +Signed-off-by: Lucas Stach +Cc: Stephen Warren +Cc: Thierry Reding +Cc: Alexandre Courbot +Cc: Jason Cooper +Cc: Marc Zyngier +Link: http://lkml.kernel.org/r/1445787552-13062-1-git-send-email-dev@lynxeye.de +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-tegra.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/irqchip/irq-tegra.c ++++ b/drivers/irqchip/irq-tegra.c +@@ -215,6 +215,7 @@ static struct irq_chip tegra_ictlr_chip + .irq_unmask = tegra_unmask, + .irq_retrigger = tegra_retrigger, + .irq_set_wake = tegra_set_wake, ++ .irq_set_type = irq_chip_set_type_parent, + .flags = IRQCHIP_MASK_ON_SUSPEND, + #ifdef CONFIG_SMP + .irq_set_affinity = irq_chip_set_affinity_parent, diff --git a/queue-4.1/md-raid1-submit_bio_wait-returns-0-on-success.patch b/queue-4.1/md-raid1-submit_bio_wait-returns-0-on-success.patch new file mode 100644 index 00000000000..cab271af3dd --- /dev/null +++ b/queue-4.1/md-raid1-submit_bio_wait-returns-0-on-success.patch @@ -0,0 +1,34 @@ +From 203d27b0226a05202438ddb39ef0ef1acb14a759 Mon Sep 17 00:00:00 2001 +From: Jes Sorensen +Date: Tue, 20 Oct 2015 12:09:12 -0400 +Subject: md/raid1: submit_bio_wait() returns 0 on success + +From: Jes Sorensen + +commit 203d27b0226a05202438ddb39ef0ef1acb14a759 upstream. + +This was introduced with 9e882242c6193ae6f416f2d8d8db0d9126bd996b +which changed the return value of submit_bio_wait() to return != 0 on +error, but didn't update the caller accordingly. + +Fixes: 9e882242c6 ("block: Add submit_bio_wait(), remove from md") +Reported-by: Bill Kuzeja +Signed-off-by: Jes Sorensen +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -2248,7 +2248,7 @@ static int narrow_write_error(struct r1b + bio_trim(wbio, sector - r1_bio->sector, sectors); + wbio->bi_iter.bi_sector += rdev->data_offset; + wbio->bi_bdev = rdev->bdev; +- if (submit_bio_wait(WRITE, wbio) == 0) ++ if (submit_bio_wait(WRITE, wbio) < 0) + /* failure! */ + ok = rdev_set_badblocks(rdev, sector, + sectors, 0) diff --git a/queue-4.1/md-raid10-submit_bio_wait-returns-0-on-success.patch b/queue-4.1/md-raid10-submit_bio_wait-returns-0-on-success.patch new file mode 100644 index 00000000000..98a43422f52 --- /dev/null +++ b/queue-4.1/md-raid10-submit_bio_wait-returns-0-on-success.patch @@ -0,0 +1,34 @@ +From 681ab4696062f5aa939c9e04d058732306a97176 Mon Sep 17 00:00:00 2001 +From: Jes Sorensen +Date: Tue, 20 Oct 2015 12:09:13 -0400 +Subject: md/raid10: submit_bio_wait() returns 0 on success + +From: Jes Sorensen + +commit 681ab4696062f5aa939c9e04d058732306a97176 upstream. + +This was introduced with 9e882242c6193ae6f416f2d8d8db0d9126bd996b +which changed the return value of submit_bio_wait() to return != 0 on +error, but didn't update the caller accordingly. + +Fixes: 9e882242c6 ("block: Add submit_bio_wait(), remove from md") +Reported-by: Bill Kuzeja +Signed-off-by: Jes Sorensen +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid10.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -2590,7 +2590,7 @@ static int narrow_write_error(struct r10 + choose_data_offset(r10_bio, rdev) + + (sector - r10_bio->sector)); + wbio->bi_bdev = rdev->bdev; +- if (submit_bio_wait(WRITE, wbio) == 0) ++ if (submit_bio_wait(WRITE, wbio) < 0) + /* Failure! */ + ok = rdev_set_badblocks(rdev, sector, + sectors, 0) diff --git a/queue-4.1/md-raid5-fix-locking-in-handle_stripe_clean_event.patch b/queue-4.1/md-raid5-fix-locking-in-handle_stripe_clean_event.patch new file mode 100644 index 00000000000..0bfaa5aee19 --- /dev/null +++ b/queue-4.1/md-raid5-fix-locking-in-handle_stripe_clean_event.patch @@ -0,0 +1,72 @@ +From b8a9d66d043ffac116100775a469f05f5158c16f Mon Sep 17 00:00:00 2001 +From: Roman Gushchin +Date: Sat, 31 Oct 2015 10:53:50 +1100 +Subject: md/raid5: fix locking in handle_stripe_clean_event() + +From: Roman Gushchin + +commit b8a9d66d043ffac116100775a469f05f5158c16f upstream. + +After commit 566c09c53455 ("raid5: relieve lock contention in get_active_stripe()") +__find_stripe() is called under conf->hash_locks + hash. +But handle_stripe_clean_event() calls remove_hash() under +conf->device_lock. + +Under some cirscumstances the hash chain can be circuited, +and we get an infinite loop with disabled interrupts and locked hash +lock in __find_stripe(). This leads to hard lockup on multiple CPUs +and following system crash. + +I was able to reproduce this behavior on raid6 over 6 ssd disks. +The devices_handle_discard_safely option should be set to enable trim +support. The following script was used: + +for i in `seq 1 32`; do + dd if=/dev/zero of=large$i bs=10M count=100 & +done + +neilb: original was against a 3.x kernel. I forward-ported + to 4.3-rc. This verison is suitable for any kernel since + Commit: 59fc630b8b5f ("RAID5: batch adjacent full stripe write") + (v4.1+). I'll post a version for earlier kernels to stable. + +Signed-off-by: Roman Gushchin +Fixes: 566c09c53455 ("raid5: relieve lock contention in get_active_stripe()") +Signed-off-by: NeilBrown +Cc: Shaohua Li +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid5.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -3494,6 +3494,7 @@ returnbi: + } + if (!discard_pending && + test_bit(R5_Discard, &sh->dev[sh->pd_idx].flags)) { ++ int hash; + clear_bit(R5_Discard, &sh->dev[sh->pd_idx].flags); + clear_bit(R5_UPTODATE, &sh->dev[sh->pd_idx].flags); + if (sh->qd_idx >= 0) { +@@ -3507,16 +3508,17 @@ returnbi: + * no updated data, so remove it from hash list and the stripe + * will be reinitialized + */ +- spin_lock_irq(&conf->device_lock); + unhash: ++ hash = sh->hash_lock_index; ++ spin_lock_irq(conf->hash_locks + hash); + remove_hash(sh); ++ spin_unlock_irq(conf->hash_locks + hash); + if (head_sh->batch_head) { + sh = list_first_entry(&sh->batch_list, + struct stripe_head, batch_list); + if (sh != head_sh) + goto unhash; + } +- spin_unlock_irq(&conf->device_lock); + sh = head_sh; + + if (test_bit(STRIPE_SYNC_REQUESTED, &sh->state)) diff --git a/queue-4.1/mfd-of-document-mfd-devices-and-handle-simple-mfd.patch b/queue-4.1/mfd-of-document-mfd-devices-and-handle-simple-mfd.patch new file mode 100644 index 00000000000..33bb5599cc0 --- /dev/null +++ b/queue-4.1/mfd-of-document-mfd-devices-and-handle-simple-mfd.patch @@ -0,0 +1,94 @@ +From 22869a9eca4ea5b534538d160b68c7aef44e378a Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Tue, 3 Mar 2015 09:52:20 +0100 +Subject: MFD/OF: document MFD devices and handle simple-mfd + +From: Linus Walleij + +commit 22869a9eca4ea5b534538d160b68c7aef44e378a upstream. + +This defines a new compatible option for MFD devices "simple-mfd" that will +make the OF core spawn child devices for all subnodes of that MFD device. +It is optional but handy for things like syscon and possibly other +simpler MFD devices. + +Since there was no file to put the documentation in, I took this opportunity +to make a small writeup on MFD devices and add the compatible definition +there. + +Suggested-by: Lee Jones +Acked-by: Lee Jones +Acked-by: Antoine Tenart +Acked-by: Alexandre Belloni +Cc: Arnd Bergmann +Cc: Devicetree +Cc: Rob Herring +Cc: Benjamin Herrenschmidt +Cc: Grant Likely +Cc: Pawel Moll +Cc: Mark Rutland +Cc: Ian Campbell +Cc: Kumar Gala +Signed-off-by: Linus Walleij +Cc: Henrik Juul Pedersen +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/devicetree/bindings/mfd/mfd.txt | 41 ++++++++++++++++++++++++++ + drivers/of/platform.c | 1 + 2 files changed, 42 insertions(+) + +--- /dev/null ++++ b/Documentation/devicetree/bindings/mfd/mfd.txt +@@ -0,0 +1,41 @@ ++Multi-Function Devices (MFD) ++ ++These devices comprise a nexus for heterogeneous hardware blocks containing ++more than one non-unique yet varying hardware functionality. ++ ++A typical MFD can be: ++ ++- A mixed signal ASIC on an external bus, sometimes a PMIC (Power Management ++ Integrated Circuit) that is manufactured in a lower technology node (rough ++ silicon) that handles analog drivers for things like audio amplifiers, LED ++ drivers, level shifters, PHY (physical interfaces to things like USB or ++ ethernet), regulators etc. ++ ++- A range of memory registers containing "miscellaneous system registers" also ++ known as a system controller "syscon" or any other memory range containing a ++ mix of unrelated hardware devices. ++ ++Optional properties: ++ ++- compatible : "simple-mfd" - this signifies that the operating system should ++ consider all subnodes of the MFD device as separate devices akin to how ++ "simple-bus" inidicates when to see subnodes as children for a simple ++ memory-mapped bus. For more complex devices, when the nexus driver has to ++ probe registers to figure out what child devices exist etc, this should not ++ be used. In the latter case the child devices will be determined by the ++ operating system. ++ ++Example: ++ ++foo@1000 { ++ compatible = "syscon", "simple-mfd"; ++ reg = <0x01000 0x1000>; ++ ++ led@08.0 { ++ compatible = "register-bit-led"; ++ offset = <0x08>; ++ mask = <0x01>; ++ label = "myled"; ++ default-state = "on"; ++ }; ++}; +--- a/drivers/of/platform.c ++++ b/drivers/of/platform.c +@@ -25,6 +25,7 @@ + + const struct of_device_id of_default_bus_match_table[] = { + { .compatible = "simple-bus", }, ++ { .compatible = "simple-mfd", }, + #ifdef CONFIG_ARM_AMBA + { .compatible = "arm,amba-bus", }, + #endif /* CONFIG_ARM_AMBA */ diff --git a/queue-4.1/mvsas-fix-null-pointer-dereference-in-mvs_slot_task_free.patch b/queue-4.1/mvsas-fix-null-pointer-dereference-in-mvs_slot_task_free.patch new file mode 100644 index 00000000000..1e019f68ba1 --- /dev/null +++ b/queue-4.1/mvsas-fix-null-pointer-dereference-in-mvs_slot_task_free.patch @@ -0,0 +1,40 @@ +From 2280521719e81919283b82902ac24058f87dfc1b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?D=C4=81vis=20Mos=C4=81ns?= +Date: Fri, 21 Aug 2015 07:29:22 +0300 +Subject: mvsas: Fix NULL pointer dereference in mvs_slot_task_free +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?D=C4=81vis=20Mos=C4=81ns?= + +commit 2280521719e81919283b82902ac24058f87dfc1b upstream. + +When pci_pool_alloc fails in mvs_task_prep then task->lldd_task stays +NULL but it's later used in mvs_abort_task as slot which is passed +to mvs_slot_task_free causing NULL pointer dereference. + +Just return from mvs_slot_task_free when passed with NULL slot. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=101891 +Signed-off-by: Dāvis Mosāns +Reviewed-by: Tomas Henzl +Reviewed-by: Johannes Thumshirn +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/mvsas/mv_sas.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/mvsas/mv_sas.c ++++ b/drivers/scsi/mvsas/mv_sas.c +@@ -887,6 +887,8 @@ static void mvs_slot_free(struct mvs_inf + static void mvs_slot_task_free(struct mvs_info *mvi, struct sas_task *task, + struct mvs_slot_info *slot, u32 slot_idx) + { ++ if (!slot) ++ return; + if (!slot->task) + return; + if (!sas_protocol_ata(task->task_proto)) diff --git a/queue-4.1/revert-md-allow-a-partially-recovered-device-to-be-hot-added-to-an-array.patch b/queue-4.1/revert-md-allow-a-partially-recovered-device-to-be-hot-added-to-an-array.patch new file mode 100644 index 00000000000..03a7e8f1f6e --- /dev/null +++ b/queue-4.1/revert-md-allow-a-partially-recovered-device-to-be-hot-added-to-an-array.patch @@ -0,0 +1,50 @@ +From d01552a76d71f9879af448e9142389ee9be6e95b Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Sat, 31 Oct 2015 11:00:56 +1100 +Subject: Revert "md: allow a partially recovered device to be hot-added to an array." + +From: NeilBrown + +commit d01552a76d71f9879af448e9142389ee9be6e95b upstream. + +This reverts commit 7eb418851f3278de67126ea0c427641ab4792c57. + +This commit is poorly justified, I can find not discusison in email, +and it clearly causes a problem. + +If a device which is being recovered fails and is subsequently +re-added to an array, there could easily have been changes to the +array *before* the point where the recovery was up to. So the +recovery must start again from the beginning. + +If a spare is being recovered and fails, then when it is re-added we +really should do a bitmap-based recovery up to the recovery-offset, +and then a full recovery from there. Before this reversion, we only +did the "full recovery from there" which is not corect. After this +reversion with will do a full recovery from the start, which is safer +but not ideal. + +It will be left to a future patch to arrange the two different styles +of recovery. + +Reported-and-tested-by: Nate Dailey +Signed-off-by: NeilBrown +Fixes: 7eb418851f32 ("md: allow a partially recovered device to be hot-added to an array.") +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -8013,8 +8013,7 @@ static int remove_and_add_spares(struct + !test_bit(Bitmap_sync, &rdev->flags))) + continue; + +- if (rdev->saved_raid_disk < 0) +- rdev->recovery_offset = 0; ++ rdev->recovery_offset = 0; + if (mddev->pers-> + hot_add_disk(mddev, rdev) == 0) { + if (sysfs_link_rdev(mddev, rdev)) diff --git a/queue-4.1/series b/queue-4.1/series index 0d9749ff6c2..7965c37a49c 100644 --- a/queue-4.1/series +++ b/queue-4.1/series @@ -60,3 +60,16 @@ ovl-free-stack-of-paths-in-ovl_fill_super.patch ovl-free-lower_mnt-array-in-ovl_put_super.patch ovl-use-o_largefile-in-ovl_copy_up.patch ovl-fix-dentry-reference-leak.patch +input-alps-only-the-dell-latitude-d420-430-620-630-have-separate-stick-button-bits.patch +crypto-api-only-abort-operations-on-fatal-signal.patch +md-raid1-submit_bio_wait-returns-0-on-success.patch +md-raid10-submit_bio_wait-returns-0-on-success.patch +md-raid5-fix-locking-in-handle_stripe_clean_event.patch +revert-md-allow-a-partially-recovered-device-to-be-hot-added-to-an-array.patch +edac-sb_edac-fix-tad-presence-check-for-sbridge_mci_bind_devs.patch +irqchip-tegra-propagate-irq-type-setting-to-parent.patch +mvsas-fix-null-pointer-dereference-in-mvs_slot_task_free.patch +mfd-of-document-mfd-devices-and-handle-simple-mfd.patch +btrfs-fix-possible-leak-in-btrfs_ioctl_balance.patch +ib-cm-fix-rb-tree-duplicate-free-and-use-after-free.patch +cpufreq-intel_pstate-fix-divide-by-zero-on-knights-landing-knl.patch