From: Greg Kroah-Hartman Date: Mon, 8 Aug 2016 13:42:44 +0000 (+0200) Subject: 4.6-stable patches X-Git-Tag: v3.14.75~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ac33baed548398aa9f1bf724e4ae9e50a4fb8161;p=thirdparty%2Fkernel%2Fstable-queue.git 4.6-stable patches added patches: can-at91_can-rx-queue-could-get-stuck-at-high-bus-load.patch can-c_can-update-d_can-tx-and-rx-functions-to-32-bit-fix-altera-cyclone-access.patch can-fix-handling-of-unmodifiable-configuration-options-fix.patch can-fix-oops-caused-by-wrong-rtnl-dellink-usage.patch ipr-clear-interrupt-on-croc-crocodile-when-running-with-lsi.patch irqchip-mips-gic-map-to-vps-using-hw-vpnum.patch irqchip-mips-gic-match-ipi-irq-domain-by-bus-token-only.patch qla2xxx-fix-null-pointer-deref-in-qla-interrupt.patch rds-fix-rds_tcp_init-error-path.patch scsi-fix-new-bug-in-scsi_dev_info_list-string-matching.patch
---
diff --git a/queue-4.6/can-at91_can-rx-queue-could-get-stuck-at-high-bus-load.patch b/queue-4.6/can-at91_can-rx-queue-could-get-stuck-at-high-bus-load.patch
new file mode 100644
index 00000000000..99f9a054f5e
--- /dev/null
+++ b/queue-4.6/can-at91_can-rx-queue-could-get-stuck-at-high-bus-load.patch
@@ -0,0 +1,38 @@
+From 43200a4480cbbe660309621817f54cbb93907108 Mon Sep 17 00:00:00 2001
+From: Wolfgang Grandegger
+Date: Mon, 13 Jun 2016 15:44:19 +0200
+Subject: can: at91_can: RX queue could get stuck at high bus load
+
+From: Wolfgang Grandegger
+
+commit 43200a4480cbbe660309621817f54cbb93907108 upstream.
+
+At high bus load it could happen that "at91_poll()" enters with all RX
+message boxes filled up. If then at the end the "quota" is exceeded as
+well, "rx_next" will not be reset to the first RX mailbox and hence the
+interrupts remain disabled.
+
+Signed-off-by: Wolfgang Grandegger
+Tested-by: Amr Bekhit
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/at91_can.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/at91_can.c
++++ b/drivers/net/can/at91_can.c
+@@ -712,9 +712,10 @@ static int at91_poll_rx(struct net_devic
+
+ /* upper group completed, look again in lower */
+ if (priv->rx_next > get_mb_rx_low_last(priv) &&
+- quota > 0 && mb > get_mb_rx_last(priv)) {
++ mb > get_mb_rx_last(priv)) {
+ priv->rx_next = get_mb_rx_first(priv);
+- goto again;
++ if (quota > 0)
++ goto again;
+ }
+
+ return received;
diff --git a/queue-4.6/can-c_can-update-d_can-tx-and-rx-functions-to-32-bit-fix-altera-cyclone-access.patch b/queue-4.6/can-c_can-update-d_can-tx-and-rx-functions-to-32-bit-fix-altera-cyclone-access.patch
new file mode 100644
index 00000000000..c0a02b66ad6
--- /dev/null
+++ b/queue-4.6/can-c_can-update-d_can-tx-and-rx-functions-to-32-bit-fix-altera-cyclone-access.patch
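Review bot: The rewind of `priv->rx_next` in at91_poll_rx() is now unconditional while the `goto again` stays gated on `quota`, and nothing in the code says why the two were separated. A comment above the inner test would keep a later cleanup from merging them again, for example `/* rewind even when quota is used up, otherwise RX interrupts stay disabled */`. The function body starts and ends outside the hunk, so the place where the interrupts are re-enabled is not visible here.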
@@ -0,0 +1,82 @@ +From 427460c83cdf55069eee49799a0caef7dde8df69 Mon Sep 17 00:00:00 2001 +From: Thor Thayer +Date: Thu, 16 Jun 2016 11:10:19 -0500 +Subject: can: c_can: Update D_CAN TX and RX functions to 32 bit - fix Altera Cyclone access + +From: Thor Thayer + +commit 427460c83cdf55069eee49799a0caef7dde8df69 upstream. + +When testing CAN write floods on Altera's CycloneV, the first 2 bytes +are sometimes 0x00, 0x00 or corrupted instead of the values sent. Also +observed bytes 4 & 5 were corrupted in some cases. + +The D_CAN Data registers are 32 bits and changing from 16 bit writes to +32 bit writes fixes the problem. + +Testing performed on Altera CycloneV (D_CAN). Requesting tests on other +C_CAN & D_CAN platforms. + +Reported-by: Richard Andrysek +Signed-off-by: Thor Thayer +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/c_can/c_can.c | 38 +++++++++++++++++++++++++++++++------- + 1 file changed, 31 insertions(+), 7 deletions(-) + +--- a/drivers/net/can/c_can/c_can.c ++++ b/drivers/net/can/c_can/c_can.c +@@ -332,9 +332,23 @@ static void c_can_setup_tx_object(struct + + priv->write_reg(priv, C_CAN_IFACE(MSGCTRL_REG, iface), ctrl); + +- for (i = 0; i < frame->can_dlc; i += 2) { +- priv->write_reg(priv, C_CAN_IFACE(DATA1_REG, iface) + i / 2, +- frame->data[i] | (frame->data[i + 1] << 8)); ++ if (priv->type == BOSCH_D_CAN) { ++ u32 data = 0, dreg = C_CAN_IFACE(DATA1_REG, iface); ++ ++ for (i = 0; i < frame->can_dlc; i += 4, dreg += 2) { ++ data = (u32)frame->data[i]; ++ data |= (u32)frame->data[i + 1] << 8; ++ data |= (u32)frame->data[i + 2] << 16; ++ data |= (u32)frame->data[i + 3] << 24; ++ priv->write_reg32(priv, dreg, data); ++ } ++ } else { ++ for (i = 0; i < frame->can_dlc; i += 2) { ++ priv->write_reg(priv, ++ C_CAN_IFACE(DATA1_REG, iface) + i / 2, ++ frame->data[i] | ++ (frame->data[i + 1] << 8)); ++ } + } + } + +@@ -402,10 +416,20 @@ static int c_can_read_msg_object(struct + } else { + int i, dreg = 
C_CAN_IFACE(DATA1_REG, iface); + +- for (i = 0; i < frame->can_dlc; i += 2, dreg ++) { +- data = priv->read_reg(priv, dreg); +- frame->data[i] = data; +- frame->data[i + 1] = data >> 8; ++ if (priv->type == BOSCH_D_CAN) { ++ for (i = 0; i < frame->can_dlc; i += 4, dreg += 2) { ++ data = priv->read_reg32(priv, dreg); ++ frame->data[i] = data; ++ frame->data[i + 1] = data >> 8; ++ frame->data[i + 2] = data >> 16; ++ frame->data[i + 3] = data >> 24; ++ } ++ } else { ++ for (i = 0; i < frame->can_dlc; i += 2, dreg++) { ++ data = priv->read_reg(priv, dreg); ++ frame->data[i] = data; ++ frame->data[i + 1] = data >> 8; ++ } + } + } + diff --git a/queue-4.6/can-fix-handling-of-unmodifiable-configuration-options-fix.patch b/queue-4.6/can-fix-handling-of-unmodifiable-configuration-options-fix.patch new file mode 100644 index 00000000000..f22e0f0c784 --- /dev/null +++ b/queue-4.6/can-fix-handling-of-unmodifiable-configuration-options-fix.patch 
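Review bot: Both new BOSCH_D_CAN loops step `i` by 4 and touch `frame->data[i]` through `frame->data[i + 3]`, so they stay inside the data array only while `can_dlc` is at most 8, and no bound on `can_dlc` is visible in either hunk. On the receive side in c_can_read_msg_object() the loop also stores up to three bytes beyond `can_dlc`, taken from whatever the data register holds; if the frame is later handed to user space, those bytes may carry stale payload. Consider stating the assumption where the loops start, e.g. `/* relies on can_dlc <= 8: each 32-bit access covers data[i..i+3] */`, or clearing the tail after the read loop. Both functions continue outside the hunks, so the clamp may already exist there.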
@@ -0,0 +1,37 @@
+From bce271f255dae8335dc4d2ee2c4531e09cc67f5a Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp
+Date: Tue, 21 Jun 2016 12:14:07 +0200
+Subject: can: fix handling of unmodifiable configuration options fix
+
+From: Oliver Hartkopp
+
+commit bce271f255dae8335dc4d2ee2c4531e09cc67f5a upstream.
+
+With upstream commit bb208f144cf3f59 (can: fix handling of unmodifiable
+configuration options) a new can_validate() function was introduced.
+
+When invoking 'ip link set can0 type can' without any configuration data
+can_validate() tries to validate the content without taking into account that
+there's totally no content. This patch adds a check for missing content.
+
+Reported-by: ajneu
+Signed-off-by: Oliver Hartkopp
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -798,6 +798,9 @@ static int can_validate(struct nlattr *t
+ * - control mode with CAN_CTRLMODE_FD set
+ */
+
++ if (!data)
++ return 0;
++
+ if (data[IFLA_CAN_CTRLMODE]) {
+ struct can_ctrlmode *cm = nla_data(data[IFLA_CAN_CTRLMODE]);
+
diff --git a/queue-4.6/can-fix-oops-caused-by-wrong-rtnl-dellink-usage.patch b/queue-4.6/can-fix-oops-caused-by-wrong-rtnl-dellink-usage.patch
new file mode 100644
index 00000000000..cbbc57ece81
--- /dev/null
+++ b/queue-4.6/can-fix-oops-caused-by-wrong-rtnl-dellink-usage.patch
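Review bot: The early `return 0` in can_validate() reports success for a request that carried no CAN attributes, and the reason `data` can be NULL is not stated next to the check. A one-line comment would make the contract clear to later editors of the validation block: `/* data is NULL when the request has no IFLA_INFO_DATA; nothing to validate */`. The function continues past the hunk, so every later use of `data` there relies on this guard staying first.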
@@ -0,0 +1,50 @@
+From 25e1ed6e64f52a692ba3191c4fde650aab3ecc07 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp
+Date: Tue, 21 Jun 2016 15:45:47 +0200
+Subject: can: fix oops caused by wrong rtnl dellink usage
+
+From: Oliver Hartkopp
+
+commit 25e1ed6e64f52a692ba3191c4fde650aab3ecc07 upstream.
+
+For 'real' hardware CAN devices the netlink interface is used to set CAN
+specific communication parameters. Real CAN hardware can not be created nor
+removed with the ip tool ...
+
+This patch adds a private dellink function for the CAN device driver interface
+that does just nothing.
+
+It's a follow up to commit 993e6f2fd ("can: fix oops caused by wrong rtnl
+newlink usage") but for dellink.
+
+Reported-by: ajneu
+Signed-off-by: Oliver Hartkopp
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/dev.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -1011,6 +1011,11 @@ static int can_newlink(struct net *src_n
+ return -EOPNOTSUPP;
+ }
+
++static void can_dellink(struct net_device *dev, struct list_head *head)
++{
++ return;
++}
++
+ static struct rtnl_link_ops can_link_ops __read_mostly = {
+ .kind = "can",
+ .maxtype = IFLA_CAN_MAX,
+@@ -1019,6 +1024,7 @@ static struct rtnl_link_ops can_link_ops
+ .validate = can_validate,
+ .newlink = can_newlink,
+ .changelink = can_changelink,
++ .dellink = can_dellink,
+ .get_size = can_get_size,
+ .fill_info = can_fill_info,
+ .get_xstats_size = can_get_xstats_size,
diff --git a/queue-4.6/ipr-clear-interrupt-on-croc-crocodile-when-running-with-lsi.patch b/queue-4.6/ipr-clear-interrupt-on-croc-crocodile-when-running-with-lsi.patch
new file mode 100644
index 00000000000..5fb6183ad4c
--- /dev/null
+++ b/queue-4.6/ipr-clear-interrupt-on-croc-crocodile-when-running-with-lsi.patch
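Review bot: can_dellink() has an empty body apart from a bare `return;`, and no comment says that the no-op is deliberate. Because the callback returns void, a delete request on a real CAN interface appears to be silently ignored rather than refused, which is worth writing down for whoever next touches `can_link_ops`. Suggest dropping the redundant `return;` and documenting the intent, e.g. `/* real CAN hardware cannot be removed via rtnl; intentionally empty */`.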
@@ -0,0 +1,31 @@
+From 54e430bbd490e18ab116afa4cd90dcc45787b3df Mon Sep 17 00:00:00 2001
+From: Brian King
+Date: Mon, 27 Jun 2016 09:09:40 -0500
+Subject: ipr: Clear interrupt on croc/crocodile when running with LSI
+
+From: Brian King
+
+commit 54e430bbd490e18ab116afa4cd90dcc45787b3df upstream.
+
+If we fall back to using LSI on the Croc or Crocodile chip we need to
+clear the interrupt so we don't hang the system.
+
+Tested-by: Benjamin Herrenschmidt
+Signed-off-by: Brian King
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/ipr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/ipr.c
++++ b/drivers/scsi/ipr.c
+@@ -10093,6 +10093,7 @@ static int ipr_probe_ioa(struct pci_dev
+ ioa_cfg->intr_flag = IPR_USE_MSI;
+ else {
+ ioa_cfg->intr_flag = IPR_USE_LSI;
++ ioa_cfg->clear_isr = 1;
+ ioa_cfg->nvectors = 1;
+ dev_info(&pdev->dev, "Cannot enable MSI.\n");
+ }
diff --git a/queue-4.6/irqchip-mips-gic-map-to-vps-using-hw-vpnum.patch b/queue-4.6/irqchip-mips-gic-map-to-vps-using-hw-vpnum.patch
new file mode 100644
index 00000000000..007531cadfa
--- /dev/null
+++ b/queue-4.6/irqchip-mips-gic-map-to-vps-using-hw-vpnum.patch
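Review bot: `ioa_cfg->clear_isr = 1;` is set only in this `else` branch of ipr_probe_ioa(), so it covers the case where MSI could not be enabled at this point of the probe. If the driver can also drop back to LSI on another path (none is visible in this hunk), that path would need the same assignment. A short comment would tie the flag to the interrupt mode, e.g. `/* LSI fallback: the interrupt has to be cleared explicitly */`.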
@@ -0,0 +1,47 @@
+From 99ec8a3608330d202448085185cf28389b789b7b Mon Sep 17 00:00:00 2001
+From: Paul Burton
+Date: Tue, 5 Jul 2016 14:25:59 +0100
+Subject: irqchip/mips-gic: Map to VPs using HW VPNum
+
+From: Paul Burton
+
+commit 99ec8a3608330d202448085185cf28389b789b7b upstream.
+
+When mapping an interrupt to a VP(E) we must use the identifier for the
+VP that the hardware expects, and this does not always match up with the
+Linux CPU number. Commit d46812bb0bef ("irqchip: mips-gic: Use HW IDs
+for VPE_OTHER_ADDR") corrected this for the cases that existed at the
+time it was written, but commit 2af70a962070 ("irqchip/mips-gic: Add a
+IPI hierarchy domain") added another case before the former patch was
+merged. This leads to incorrectly using Linux CPU numbers when mapping
+interrupts to VPs, which breaks on certain systems such as those with
+multi-core I6400 CPUs. Fix by adding the appropriate call to
+mips_cm_vp_id() to retrieve the expected VP identifier.
+
+Fixes: d46812bb0bef ("irqchip: mips-gic: Use HW IDs for VPE_OTHER_ADDR")
+Fixes: 2af70a962070 ("irqchip/mips-gic: Add a IPI hierarchy domain")
+Signed-off-by: Paul Burton
+Cc: linux-mips@linux-mips.org
+Cc: Jason Cooper
+Cc: Qais Yousef
+Cc: Ralf Baechle
+Cc: Marc Zyngier
+Link: http://lkml.kernel.org/r/20160705132600.27730-1-paul.burton@imgtec.com
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/irqchip/irq-mips-gic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-mips-gic.c
++++ b/drivers/irqchip/irq-mips-gic.c
+@@ -706,7 +706,7 @@ static int gic_shared_irq_domain_map(str
+
+ spin_lock_irqsave(&gic_lock, flags);
+ gic_map_to_pin(intr, gic_cpu_pin);
+- gic_map_to_vpe(intr, vpe);
++ gic_map_to_vpe(intr, mips_cm_vp_id(vpe));
+ for (i = 0; i < min(gic_vpes, NR_CPUS); i++)
+ clear_bit(intr, pcpu_masks[i].pcpu_mask);
+ set_bit(intr, pcpu_masks[vpe].pcpu_mask);
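Review bot: After this change two CPU numbering schemes sit on adjacent lines in gic_shared_irq_domain_map(): `gic_map_to_vpe()` receives the hardware id from `mips_cm_vp_id(vpe)`, while `pcpu_masks[vpe]` is still indexed with the untranslated value. That looks intentional, but it is the same confusion the commit fixes, so a comment would help: `/* hardware expects the CM VP id; pcpu_masks[] stays indexed by Linux CPU */`. Separately, `pcpu_masks[vpe]` is indexed without a bound visible here, whereas the loop above it stops at `min(gic_vpes, NR_CPUS)`; the check on `vpe` may sit earlier in the function, outside the hunk.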
diff --git a/queue-4.6/irqchip-mips-gic-match-ipi-irq-domain-by-bus-token-only.patch b/queue-4.6/irqchip-mips-gic-match-ipi-irq-domain-by-bus-token-only.patch
new file mode 100644
index 00000000000..bb4eee7edc6
--- /dev/null
+++ b/queue-4.6/irqchip-mips-gic-match-ipi-irq-domain-by-bus-token-only.patch
@@ -0,0 +1,96 @@ +From 547aefc4db877e65245c3d95fcce703701bf3a0c Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Tue, 5 Jul 2016 14:26:00 +0100 +Subject: irqchip/mips-gic: Match IPI IRQ domain by bus token only + +From: Paul Burton + +commit 547aefc4db877e65245c3d95fcce703701bf3a0c upstream. + +Commit fbde2d7d8290 ("MIPS: Add generic SMP IPI support") introduced +code which calls irq_find_matching_host with a NULL node parameter in +order to discover IPI IRQ domains which are not associated with the DT +root node's interrupt parent. This suggests that implementations of IPI +IRQ domains should effectively ignore the node parameter if it is NULL +and search purely based upon the bus token. Commit 2af70a962070 +("irqchip/mips-gic: Add a IPI hierarchy domain") did not do this when +implementing the GIC IPI IRQ domain, and on MIPS Boston boards this +leads to no IPI domain being discovered and a NULL pointer dereference +when attempting to send an IPI: + + CPU 0 Unable to handle kernel paging request at virtual address 0000000000000040, epc == ffffffff8016e70c, ra == ffffffff8010ff5c + Oops[#1]: + CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.7.0-rc6-00223-gad0d1b6 #945 + task: a8000000ff066fc0 ti: a8000000ff068000 task.ti: a8000000ff068000 + $ 0 : 0000000000000000 0000000000000001 ffffffff80730000 0000000000000003 + $ 4 : 0000000000000000 ffffffff8057e5b0 a800000001e3ee00 0000000000000000 + $ 8 : 0000000000000000 0000000000000023 0000000000000001 0000000000000001 + $12 : 0000000000000000 ffffffff803323d0 0000000000000000 0000000000000000 + $16 : 0000000000000000 0000000000000000 0000000000000001 ffffffff801108fc + $20 : 0000000000000000 ffffffff8057e5b0 0000000000000001 0000000000000000 + $24 : 0000000000000000 ffffffff8012de28 + $28 : a8000000ff068000 a8000000ff06fbc0 0000000000000000 ffffffff8010ff5c + Hi : ffffffff8014c174 + Lo : a800000001e1e140 + epc : ffffffff8016e70c __ipi_send_mask+0x24/0x11c + ra : ffffffff8010ff5c mips_smp_send_ipi_mask+0x68/0x178 + Status: 
140084e2 KX SX UX KERNEL EXL + Cause : 00800008 (ExcCode 02) + BadVA : 0000000000000040 + PrId : 0001a920 (MIPS I6400) + Process swapper/0 (pid: 1, threadinfo=a8000000ff068000, task=a8000000ff066fc0, tls=0000000000000000) + Stack : 0000000000000000 0000000000000000 0000000000000001 ffffffff801108fc + 0000000000000000 ffffffff8057e5b0 0000000000000001 ffffffff8010ff5c + 0000000000000001 0000000000000020 0000000000000000 0000000000000000 + 0000000000000000 ffffffff801108fc 0000000000000000 0000000000000001 + 0000000000000001 0000000000000000 0000000000000000 ffffffff801865e8 + a8000000ff0c7500 a8000000ff06fc90 0000000000000001 0000000000000002 + ffffffff801108fc ffffffff801868b8 0000000000000000 ffffffff801108fc + 0000000000000000 0000000000000003 ffffffff8068c700 0000000000000001 + ffffffff80730000 0000000000000001 a8000000ff00a290 ffffffff80110c50 + 0000000000000003 a800000001e48308 0000000000000003 0000000000000008 + ... + Call Trace: + [] __ipi_send_mask+0x24/0x11c + [] mips_smp_send_ipi_mask+0x68/0x178 + [] generic_exec_single+0x150/0x170 + [] smp_call_function_single+0x108/0x160 + [] cps_boot_secondary+0x328/0x394 + [] __cpu_up+0x38/0x90 + [] bringup_cpu+0x24/0xac + [] cpuhp_up_callbacks+0x58/0xdc + [] cpu_up+0x118/0x18c + [] smp_init+0xbc/0xe8 + [] kernel_init_freeable+0xa0/0x228 + [] kernel_init+0x10/0xf0 + [] ret_from_kernel_thread+0x14/0x1c + +Fix this by allowing the GIC IPI IRQ domain to match purely based upon +the bus token if the node provided is NULL. 
+ +Fixes: 2af70a962070 ("irqchip/mips-gic: Add a IPI hierarchy domain") +Signed-off-by: Paul Burton +Cc: linux-mips@linux-mips.org +Cc: Jason Cooper +Cc: Qais Yousef +Cc: Ralf Baechle +Cc: Marc Zyngier +Link: http://lkml.kernel.org/r/20160705132600.27730-2-paul.burton@imgtec.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-mips-gic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/irqchip/irq-mips-gic.c ++++ b/drivers/irqchip/irq-mips-gic.c +@@ -947,7 +947,7 @@ int gic_ipi_domain_match(struct irq_doma + switch (bus_token) { + case DOMAIN_BUS_IPI: + is_ipi = d->bus_token == bus_token; +- return to_of_node(d->fwnode) == node && is_ipi; ++ return (!node || to_of_node(d->fwnode) == node) && is_ipi; + break; + default: + return 0; diff --git a/queue-4.6/qla2xxx-fix-null-pointer-deref-in-qla-interrupt.patch b/queue-4.6/qla2xxx-fix-null-pointer-deref-in-qla-interrupt.patch new file mode 100644 index 00000000000..4b491c27909 --- /dev/null +++ b/queue-4.6/qla2xxx-fix-null-pointer-deref-in-qla-interrupt.patch 
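Review bot: With `!node` accepted in gic_ipi_domain_match(), a NULL node now matches any domain whose bus token is DOMAIN_BUS_IPI, so the result depends on lookup order if more than one such domain is ever registered. That assumption deserves a comment next to the test, e.g. `/* NULL node: match on the bus token alone */`. The `break;` that follows the `return` is unreachable and could be dropped while the line is being touched. The switch and the function close outside the hunk.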
@@ -0,0 +1,98 @@ +From 262e2bfd7d1e1f1ee48b870e5dfabb87c06b975e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bruno=20Pr=C3=83=C2=A9mont?= +Date: Thu, 30 Jun 2016 17:00:32 +0200 +Subject: qla2xxx: Fix NULL pointer deref in QLA interrupt +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bruno Prémont + +commit 262e2bfd7d1e1f1ee48b870e5dfabb87c06b975e upstream. + +In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL +pointer dereference when rsp->msix is NULL: + +[ 5.622457] NULL pointer dereference at 0000000000000050 +[ 5.622457] IP: [] qla24xx_process_response_queue+0x44/0x4b0 +[ 5.622457] PGD 0 +[ 5.622457] Oops: 0000 [#1] SMP +[ 5.622457] Modules linked in: +[ 5.622457] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.6.3-x86_64 #1 +[ 5.622457] Hardware name: HP ProLiant DL360 G5, BIOS P58 05/02/2011 +[ 5.622457] task: ffff8801a88f3740 ti: ffff8801a8954000 task.ti: ffff8801a8954000 +[ 5.622457] RIP: 0010:[] [] qla24xx_process_response_queue+0x44/0x4b0 +[ 5.622457] RSP: 0000:ffff8801afb03de8 EFLAGS: 00010002 +[ 5.622457] RAX: 0000000000000000 RBX: 0000000000000032 RCX: 00000000ffffffff +[ 5.622457] RDX: 0000000000000002 RSI: ffff8801a79bf8c8 RDI: ffff8800c8f7e7c0 +[ 5.622457] RBP: ffff8801afb03e68 R08: 0000000000000000 R09: 0000000000000000 +[ 5.622457] R10: 00000000ffff8c47 R11: 0000000000000002 R12: ffff8801a79bf8c8 +[ 5.622457] R13: ffff8800c8f7e7c0 R14: ffff8800c8f60000 R15: 0000000000018013 +[ 5.622457] FS: 0000000000000000(0000) GS:ffff8801afb00000(0000) knlGS:0000000000000000 +[ 5.622457] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 5.622457] CR2: 0000000000000050 CR3: 0000000001e07000 CR4: 00000000000006e0 +[ 5.622457] Stack: +[ 5.622457] ffff8801afb03e30 ffffffff810c0f2d 0000000000000086 0000000000000002 +[ 5.622457] ffff8801afb03e28 ffffffff816570e1 ffff8800c8994628 0000000000000002 +[ 5.622457] ffff8801afb03e60 ffffffff816772d4 b47c472ad6955e68 0000000000000032 +[ 5.622457] Call Trace: 
+[ 5.622457] +[ 5.622457] [] ? __wake_up_common+0x4d/0x80 +[ 5.622457] [] ? usb_hcd_resume_root_hub+0x51/0x60 +[ 5.622457] [] ? uhci_hub_status_data+0x64/0x240 +[ 5.622457] [] qla24xx_intr_handler+0xf0/0x2e0 +[ 5.622457] [] ? get_next_timer_interrupt+0xce/0x200 +[ 5.622457] [] handle_irq_event_percpu+0x64/0x100 +[ 5.622457] [] handle_irq_event+0x27/0x50 +[ 5.622457] [] handle_edge_irq+0x65/0x140 +[ 5.622457] [] handle_irq+0x18/0x30 +[ 5.622457] [] do_IRQ+0x46/0xd0 +[ 5.622457] [] common_interrupt+0x7f/0x7f +[ 5.622457] +[ 5.622457] [] ? mwait_idle+0x68/0x80 +[ 5.622457] [] arch_cpu_idle+0xa/0x10 +[ 5.622457] [] default_idle_call+0x27/0x30 +[ 5.622457] [] cpu_startup_entry+0x19b/0x230 +[ 5.622457] [] start_secondary+0x136/0x140 +[ 5.622457] Code: 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 47 58 a8 02 0f 84 c5 00 00 00 48 8b 46 50 49 89 f4 65 8b 15 34 bb aa 7e <39> 50 50 74 11 89 50 50 48 8b 46 50 8b 40 50 41 89 86 60 8b 00 +[ 5.622457] RIP [] qla24xx_process_response_queue+0x44/0x4b0 +[ 5.622457] RSP +[ 5.622457] CR2: 0000000000000050 +[ 5.622457] ---[ end trace fa2b19c25106d42b ]--- +[ 5.622457] Kernel panic - not syncing: Fatal exception in interrupt + +The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde +(qla2xxx: Add irq affinity notification). + +Only dereference rsp->msix when it has been set so the machine can boot +fine. Possibly rsp->msix is unset because: +[ 3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k. +[ 3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000. +[ 3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3). +[ 3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258. +[ 3.890145] scsi host0: qla2xxx +[ 3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA. 
+[ 3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496). +[ 5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps). + +Signed-off-by: Bruno Prémont +Acked-by: Quinn Tran +Fixes: cdb898c52d1dfad4b4800b83a58b3fe5d352edde +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_isr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -2548,7 +2548,7 @@ void qla24xx_process_response_queue(stru + if (!vha->flags.online) + return; + +- if (rsp->msix->cpuid != smp_processor_id()) { ++ if (rsp->msix && rsp->msix->cpuid != smp_processor_id()) { + /* if kernel does not notify qla of IRQ's CPU change, + * then set it here. + */ diff --git a/queue-4.6/rds-fix-rds_tcp_init-error-path.patch b/queue-4.6/rds-fix-rds_tcp_init-error-path.patch new file mode 100644 index 00000000000..41f78e283bd --- /dev/null +++ b/queue-4.6/rds-fix-rds_tcp_init-error-path.patch 
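Review bot: The added `rsp->msix &&` test guards only this one dereference in qla24xx_process_response_queue(). The commit message ties the crash to an adapter that fell back from MSI-X, so any other `rsp->msix->` access introduced with the affinity-notification change would hit the same NULL pointer in interrupt context; those sites are not visible in this hunk and should be checked as part of the backport. A comment at the test would record the cause: `/* rsp->msix may be NULL, e.g. after falling back from MSI-X */`. The body of the `if` continues past the end of the hunk.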
@@ -0,0 +1,47 @@
+From 3dad5424adfb346c871847d467f97dcdca64ea97 Mon Sep 17 00:00:00 2001
+From: Vegard Nossum
+Date: Sun, 3 Jul 2016 10:54:54 +0200
+Subject: RDS: fix rds_tcp_init() error path
+
+From: Vegard Nossum
+
+commit 3dad5424adfb346c871847d467f97dcdca64ea97 upstream.
+
+If register_pernet_subsys() fails, we shouldn't try to call
+unregister_pernet_subsys().
+
+Fixes: 467fa15356 ("RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns.")
+Cc: Sowmini Varadhan
+Cc: David S. Miller
+Signed-off-by: Vegard Nossum
+Acked-by: Sowmini Varadhan
+Acked-by: Santosh Shilimkar
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/rds/tcp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/rds/tcp.c
++++ b/net/rds/tcp.c
+@@ -544,7 +544,7 @@ static int rds_tcp_init(void)
+
+ ret = rds_tcp_recv_init();
+ if (ret)
+- goto out_slab;
++ goto out_pernet;
+
+ ret = rds_trans_register(&rds_tcp_transport);
+ if (ret)
+@@ -556,8 +556,9 @@ static int rds_tcp_init(void)
+
+ out_recv:
+ rds_tcp_recv_exit();
+-out_slab:
++out_pernet:
+ unregister_pernet_subsys(&rds_tcp_net_ops);
++out_slab:
+ kmem_cache_destroy(rds_tcp_conn_slab);
+ out:
+ return ret;
diff --git a/queue-4.6/scsi-fix-new-bug-in-scsi_dev_info_list-string-matching.patch b/queue-4.6/scsi-fix-new-bug-in-scsi_dev_info_list-string-matching.patch
new file mode 100644
index 00000000000..2ae21ef1679
--- /dev/null
+++ b/queue-4.6/scsi-fix-new-bug-in-scsi_dev_info_list-string-matching.patch
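Review bot: The fix works by changing what `out_slab` means in rds_tcp_init(): the label used to unregister the pernet subsystem and destroy the slab, and now only destroys the slab. The jump taken when register_pernet_subsys() fails is outside both hunks, so it is worth confirming that it is the only remaining `goto out_slab` and that no failure after a successful registration still lands there, since that would leave `rds_tcp_net_ops` registered. A comment on each label stating what has been set up at that point, e.g. `/* pernet ops registered */` above `out_pernet:`, would make the unwind order checkable at a glance.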
@@ -0,0 +1,70 @@ +From 5e7ff2ca7f2da55fe777167849d0c93403bd0dc8 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Thu, 23 Jun 2016 15:05:26 -0400 +Subject: SCSI: fix new bug in scsi_dev_info_list string matching + +From: Alan Stern + +commit 5e7ff2ca7f2da55fe777167849d0c93403bd0dc8 upstream. + +Commit b704f70ce200 ("SCSI: fix bug in scsi_dev_info_list matching") +changed the way vendor- and model-string matching was carried out in the +routine that looks up entries in a SCSI devinfo list. The new matching +code failed to take into account the case of a maximum-length string; in +such cases it could end up testing for a terminating '\0' byte beyond +the end of the memory allocated to the string. This out-of-bounds bug +was detected by UBSAN. + +I don't know if anybody has actually encountered this bug. The symptom +would be that a device entry in the blacklist might not be matched +properly if it contained an 8-character vendor name or a 16-character +model name. Such entries certainly exist in scsi_static_device_list. + +This patch fixes the problem by adding a check for a maximum-length +string before the '\0' test. + +Signed-off-by: Alan Stern +Fixes: b704f70ce200 ("SCSI: fix bug in scsi_dev_info_list matching") +Tested-by: Wilfried Klaebe +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_devinfo.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/scsi_devinfo.c ++++ b/drivers/scsi/scsi_devinfo.c +@@ -429,7 +429,7 @@ static struct scsi_dev_info_list *scsi_d + * here, and we don't know what device it is + * trying to work with, leave it as-is. 
+ */ +- vmax = 8; /* max length of vendor */ ++ vmax = sizeof(devinfo->vendor); + vskip = vendor; + while (vmax > 0 && *vskip == ' ') { + vmax--; +@@ -439,7 +439,7 @@ static struct scsi_dev_info_list *scsi_d + while (vmax > 0 && vskip[vmax - 1] == ' ') + --vmax; + +- mmax = 16; /* max length of model */ ++ mmax = sizeof(devinfo->model); + mskip = model; + while (mmax > 0 && *mskip == ' ') { + mmax--; +@@ -455,10 +455,12 @@ static struct scsi_dev_info_list *scsi_d + * Behave like the older version of get_device_flags. + */ + if (memcmp(devinfo->vendor, vskip, vmax) || +- devinfo->vendor[vmax]) ++ (vmax < sizeof(devinfo->vendor) && ++ devinfo->vendor[vmax])) + continue; + if (memcmp(devinfo->model, mskip, mmax) || +- devinfo->model[mmax]) ++ (mmax < sizeof(devinfo->model) && ++ devinfo->model[mmax])) + continue; + return devinfo; + } else { diff --git a/queue-4.6/series b/queue-4.6/series index 3f265536612..6e43a0bbb7c 100644 --- a/queue-4.6/series +++ b/queue-4.6/series @@ -70,3 +70,13 @@ block-fix-use-after-free-in-sys_ioprio_get.patch mmc-block-fix-free-of-uninitialized-idata-buf.patch mmc-block-fix-packed-command-header-endianness.patch sched-fair-fix-effective_load-to-consistently-use-smoothed-load.patch +can-at91_can-rx-queue-could-get-stuck-at-high-bus-load.patch +can-c_can-update-d_can-tx-and-rx-functions-to-32-bit-fix-altera-cyclone-access.patch +can-fix-handling-of-unmodifiable-configuration-options-fix.patch +can-fix-oops-caused-by-wrong-rtnl-dellink-usage.patch +rds-fix-rds_tcp_init-error-path.patch +irqchip-mips-gic-map-to-vps-using-hw-vpnum.patch +irqchip-mips-gic-match-ipi-irq-domain-by-bus-token-only.patch +qla2xxx-fix-null-pointer-deref-in-qla-interrupt.patch +scsi-fix-new-bug-in-scsi_dev_info_list-string-matching.patch +ipr-clear-interrupt-on-croc-crocodile-when-running-with-lsi.patch
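Review bot: `vmax` and `mmax` are now taken from `sizeof(devinfo->vendor)` and `sizeof(devinfo->model)`, but the same values bound the scans of the caller's `vendor` and `model` strings (`*vskip`, `vskip[vmax - 1]` and the model equivalents), which are different buffers. That is safe only while the strings passed in are at least as long as the list-entry fields; the removed literals 8 and 16 at least stated that length. A comment such as `/* vendor/model are assumed to be at least as long as the devinfo fields */`, or a compile-time size check, would pin the coupling. If `vmax` is a signed type (its declaration is outside the hunks), `vmax < sizeof(devinfo->vendor)` is also a signed/unsigned comparison.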