From: Greg Kroah-Hartman Date: Mon, 5 Sep 2016 13:18:16 +0000 (+0200) Subject: 3.14-stable patches X-Git-Tag: v3.14.78~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fa651833cd4edd6a11a060e9874e445b6b36dc4b;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: aacraid-check-size-values-after-double-fetch-from-user.patch cdc-acm-fix-wrong-pipe-type-on-rx-interrupt-xfers.patch edac-increment-correct-counter-in-edac_inc_ue_error.patch fs-seq_file-fix-out-of-bounds-read.patch gpio-fix-of-build-problem-on-um.patch mac80211-fix-purging-multicast-ps-buffer-queue.patch megaraid_sas-fix-probing-cards-without-io-port.patch s390-dasd-fix-hanging-device-after-clear-subchannel.patch --- diff --git a/queue-3.14/aacraid-check-size-values-after-double-fetch-from-user.patch b/queue-3.14/aacraid-check-size-values-after-double-fetch-from-user.patch new file mode 100644 index 00000000000..2ab30e68bdc --- /dev/null +++ b/queue-3.14/aacraid-check-size-values-after-double-fetch-from-user.patch @@ -0,0 +1,65 @@ +From fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 Mon Sep 17 00:00:00 2001 +From: Dave Carroll +Date: Fri, 5 Aug 2016 13:44:10 -0600 +Subject: aacraid: Check size values after double-fetch from user + +From: Dave Carroll + +commit fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 upstream. + +In aacraid's ioctl_send_fib() we do two fetches from userspace, one the +get the fib header's size and one for the fib itself. Later we use the +size field from the second fetch to further process the fib. If for some +reason the size from the second fetch is different than from the first +fix, we may encounter an out-of- bounds access in aac_fib_send(). We +also check the sender size to insure it is not out of bounds. This was +reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was +assigned CVE-2016-6480. + +Reported-by: Pengfei Wang +Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)' +Signed-off-by: Dave Carroll +Reviewed-by: Johannes Thumshirn +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/aacraid/commctrl.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/aacraid/commctrl.c ++++ b/drivers/scsi/aacraid/commctrl.c +@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev + struct fib *fibptr; + struct hw_fib * hw_fib = (struct hw_fib *)0; + dma_addr_t hw_fib_pa = (dma_addr_t)0LL; +- unsigned size; ++ unsigned int size, osize; + int retval; + + if (dev->in_reset) { +@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev + * will not overrun the buffer when we copy the memory. Return + * an error if we would. + */ +- size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr); ++ osize = size = le16_to_cpu(kfib->header.Size) + ++ sizeof(struct aac_fibhdr); + if (size < le16_to_cpu(kfib->header.SenderSize)) + size = le16_to_cpu(kfib->header.SenderSize); + if (size > dev->max_fib_size) { +@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev + goto cleanup; + } + ++ /* Sanity check the second copy */ ++ if ((osize != le16_to_cpu(kfib->header.Size) + ++ sizeof(struct aac_fibhdr)) ++ || (size < le16_to_cpu(kfib->header.SenderSize))) { ++ retval = -EINVAL; ++ goto cleanup; ++ } ++ + if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) { + aac_adapter_interrupt(dev); + /* diff --git a/queue-3.14/cdc-acm-fix-wrong-pipe-type-on-rx-interrupt-xfers.patch b/queue-3.14/cdc-acm-fix-wrong-pipe-type-on-rx-interrupt-xfers.patch new file mode 100644 index 00000000000..392b9fa0836 --- /dev/null +++ b/queue-3.14/cdc-acm-fix-wrong-pipe-type-on-rx-interrupt-xfers.patch @@ -0,0 +1,57 @@ +From add125054b8727103631dce116361668436ef6a7 Mon Sep 17 00:00:00 2001 +From: Gavin Li +Date: Fri, 12 Aug 2016 00:52:56 -0700 +Subject: cdc-acm: fix wrong pipe type on rx interrupt xfers + +From: Gavin Li + +commit add125054b8727103631dce116361668436ef6a7 upstream. + +This fixes the "BOGUS urb xfer" warning logged by usb_submit_urb(). + +Signed-off-by: Gavin Li +Acked-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 5 ++--- + drivers/usb/class/cdc-acm.h | 1 - + 2 files changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1296,7 +1296,6 @@ made_compressed_probe: + spin_lock_init(&acm->write_lock); + spin_lock_init(&acm->read_lock); + mutex_init(&acm->mutex); +- acm->rx_endpoint = usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress); + acm->is_int_ep = usb_endpoint_xfer_int(epread); + if (acm->is_int_ep) + acm->bInterval = epread->bInterval; +@@ -1345,14 +1344,14 @@ made_compressed_probe: + urb->transfer_dma = rb->dma; + if (acm->is_int_ep) { + usb_fill_int_urb(urb, acm->dev, +- acm->rx_endpoint, ++ usb_rcvintpipe(usb_dev, epread->bEndpointAddress), + rb->base, + acm->readsize, + acm_read_bulk_callback, rb, + acm->bInterval); + } else { + usb_fill_bulk_urb(urb, acm->dev, +- acm->rx_endpoint, ++ usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress), + rb->base, + acm->readsize, + acm_read_bulk_callback, rb); +--- a/drivers/usb/class/cdc-acm.h ++++ b/drivers/usb/class/cdc-acm.h +@@ -95,7 +95,6 @@ struct acm { + struct urb *read_urbs[ACM_NR]; + struct acm_rb read_buffers[ACM_NR]; + int rx_buflimit; +- int rx_endpoint; + spinlock_t read_lock; + int write_used; /* number of non-empty write buffers */ + int transmitting; diff --git a/queue-3.14/edac-increment-correct-counter-in-edac_inc_ue_error.patch b/queue-3.14/edac-increment-correct-counter-in-edac_inc_ue_error.patch new file mode 100644 index 00000000000..b0db0ba625c --- /dev/null +++ b/queue-3.14/edac-increment-correct-counter-in-edac_inc_ue_error.patch @@ -0,0 +1,35 @@ +From 993f88f1cc7f0879047ff353e824e5cc8f10adfc Mon Sep 17 00:00:00 2001 +From: Emmanouil Maroudas +Date: Sat, 23 Apr 2016 18:33:00 +0300 +Subject: EDAC: Increment correct counter in edac_inc_ue_error() + +From: Emmanouil Maroudas + +commit 993f88f1cc7f0879047ff353e824e5cc8f10adfc upstream. + +Fix typo in edac_inc_ue_error() to increment ue_noinfo_count instead of +ce_noinfo_count. + +Signed-off-by: Emmanouil Maroudas +Cc: Mauro Carvalho Chehab +Cc: linux-edac +Fixes: 4275be635597 ("edac: Change internal representation to work with layers") +Link: http://lkml.kernel.org/r/1461425580-5898-1-git-send-email-emmanouil.maroudas@gmail.com +Signed-off-by: Borislav Petkov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/edac_mc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/edac/edac_mc.c ++++ b/drivers/edac/edac_mc.c +@@ -962,7 +962,7 @@ static void edac_inc_ue_error(struct mem + mci->ue_mc += count; + + if (!enable_per_layer_report) { +- mci->ce_noinfo_count += count; ++ mci->ue_noinfo_count += count; + return; + } + diff --git a/queue-3.14/fs-seq_file-fix-out-of-bounds-read.patch b/queue-3.14/fs-seq_file-fix-out-of-bounds-read.patch new file mode 100644 index 00000000000..9115ba40e9b --- /dev/null +++ b/queue-3.14/fs-seq_file-fix-out-of-bounds-read.patch @@ -0,0 +1,110 @@ +From 088bf2ff5d12e2e32ee52a4024fec26e582f44d3 Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Thu, 25 Aug 2016 15:17:11 -0700 +Subject: fs/seq_file: fix out-of-bounds read + +From: Vegard Nossum + +commit 088bf2ff5d12e2e32ee52a4024fec26e582f44d3 upstream. + +seq_read() is a nasty piece of work, not to mention buggy. + +It has (I think) an old bug which allows unprivileged userspace to read +beyond the end of m->buf. + +I was getting these: + + BUG: KASAN: slab-out-of-bounds in seq_read+0xcd2/0x1480 at addr ffff880116889880 + Read of size 2713 by task trinity-c2/1329 + CPU: 2 PID: 1329 Comm: trinity-c2 Not tainted 4.8.0-rc1+ #96 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 + Call Trace: + kasan_object_err+0x1c/0x80 + kasan_report_error+0x2cb/0x7e0 + kasan_report+0x4e/0x80 + check_memory_region+0x13e/0x1a0 + kasan_check_read+0x11/0x20 + seq_read+0xcd2/0x1480 + proc_reg_read+0x10b/0x260 + do_loop_readv_writev.part.5+0x140/0x2c0 + do_readv_writev+0x589/0x860 + vfs_readv+0x7b/0xd0 + do_readv+0xd8/0x2c0 + SyS_readv+0xb/0x10 + do_syscall_64+0x1b3/0x4b0 + entry_SYSCALL64_slow_path+0x25/0x25 + Object at ffff880116889100, in cache kmalloc-4096 size: 4096 + Allocated: + PID = 1329 + save_stack_trace+0x26/0x80 + save_stack+0x46/0xd0 + kasan_kmalloc+0xad/0xe0 + __kmalloc+0x1aa/0x4a0 + seq_buf_alloc+0x35/0x40 + seq_read+0x7d8/0x1480 + proc_reg_read+0x10b/0x260 + do_loop_readv_writev.part.5+0x140/0x2c0 + do_readv_writev+0x589/0x860 + vfs_readv+0x7b/0xd0 + do_readv+0xd8/0x2c0 + SyS_readv+0xb/0x10 + do_syscall_64+0x1b3/0x4b0 + return_from_SYSCALL_64+0x0/0x6a + Freed: + PID = 0 + (stack is not available) + Memory state around the buggy address: + ffff88011688a000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88011688a080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + >ffff88011688a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff88011688a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88011688a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ================================================================== + Disabling lock debugging due to kernel taint + +This seems to be the same thing that Dave Jones was seeing here: + + https://lkml.org/lkml/2016/8/12/334 + +There are multiple issues here: + + 1) If we enter the function with a non-empty buffer, there is an attempt + to flush it. But it was not clearing m->from after doing so, which + means that if we try to do this flush twice in a row without any call + to traverse() in between, we are going to be reading from the wrong + place -- the splat above, fixed by this patch. + + 2) If there's a short write to userspace because of page faults, the + buffer may already contain multiple lines (i.e. pos has advanced by + more than 1), but we don't save the progress that was made so the + next call will output what we've already returned previously. Since + that is a much less serious issue (and I have a headache after + staring at seq_read() for the past 8 hours), I'll leave that for now. + +Link: http://lkml.kernel.org/r/1471447270-32093-1-git-send-email-vegard.nossum@oracle.com +Signed-off-by: Vegard Nossum +Reported-by: Dave Jones +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/seq_file.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/seq_file.c ++++ b/fs/seq_file.c +@@ -207,8 +207,10 @@ ssize_t seq_read(struct file *file, char + size -= n; + buf += n; + copied += n; +- if (!m->count) ++ if (!m->count) { ++ m->from = 0; + m->index++; ++ } + if (!size) + goto Done; + } diff --git a/queue-3.14/gpio-fix-of-build-problem-on-um.patch b/queue-3.14/gpio-fix-of-build-problem-on-um.patch new file mode 100644 index 00000000000..156cce42652 --- /dev/null +++ b/queue-3.14/gpio-fix-of-build-problem-on-um.patch @@ -0,0 +1,33 @@ +From 2527ecc9195e9c66252af24c4689e8a67cd4ccb9 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Tue, 16 Aug 2016 09:58:25 +0200 +Subject: gpio: Fix OF build problem on UM + +From: Linus Walleij + +commit 2527ecc9195e9c66252af24c4689e8a67cd4ccb9 upstream. + +The UserMode (UM) Linux build was failing in gpiolib-of as it requires +ioremap()/iounmap() to exist, which is absent from UM. The non-existence +of IO memory is negatively defined as CONFIG_NO_IOMEM which means we +need to depend on HAS_IOMEM. + +Cc: Geert Uytterhoeven +Reported-by: kbuild test robot +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpio/Kconfig ++++ b/drivers/gpio/Kconfig +@@ -50,6 +50,7 @@ config GPIO_DEVRES + config OF_GPIO + def_bool y + depends on OF ++ depends on HAS_IOMEM + + config GPIO_ACPI + def_bool y diff --git a/queue-3.14/mac80211-fix-purging-multicast-ps-buffer-queue.patch b/queue-3.14/mac80211-fix-purging-multicast-ps-buffer-queue.patch new file mode 100644 index 00000000000..a944790736b --- /dev/null +++ b/queue-3.14/mac80211-fix-purging-multicast-ps-buffer-queue.patch @@ -0,0 +1,65 @@ +From 6b07d9ca9b5363dda959b9582a3fc9c0b89ef3b5 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Tue, 2 Aug 2016 11:13:41 +0200 +Subject: mac80211: fix purging multicast PS buffer queue + +From: Felix Fietkau + +commit 6b07d9ca9b5363dda959b9582a3fc9c0b89ef3b5 upstream. + +The code currently assumes that buffered multicast PS frames don't have +a pending ACK frame for tx status reporting. +However, hostapd sends a broadcast deauth frame on teardown for which tx +status is requested. This can lead to the "Have pending ack frames" +warning on module reload. +Fix this by using ieee80211_free_txskb/ieee80211_purge_tx_queue. + +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/cfg.c | 2 +- + net/mac80211/tx.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1126,7 +1126,7 @@ static int ieee80211_stop_ap(struct wiph + + /* free all potentially still buffered bcast frames */ + local->total_ps_buffered -= skb_queue_len(&sdata->u.ap.ps.bc_buf); +- skb_queue_purge(&sdata->u.ap.ps.bc_buf); ++ ieee80211_purge_tx_queue(&local->hw, &sdata->u.ap.ps.bc_buf); + + ieee80211_vif_copy_chanctx_to_vlans(sdata, true); + mutex_lock(&local->mtx); +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -351,7 +351,7 @@ static void purge_old_ps_buffers(struct + skb = skb_dequeue(&ps->bc_buf); + if (skb) { + purged++; +- dev_kfree_skb(skb); ++ ieee80211_free_txskb(&local->hw, skb); + } + total += skb_queue_len(&ps->bc_buf); + } +@@ -434,7 +434,7 @@ ieee80211_tx_h_multicast_ps_buf(struct i + if (skb_queue_len(&ps->bc_buf) >= AP_MAX_BC_BUFFER) { + ps_dbg(tx->sdata, + "BC TX buffer full - dropping the oldest frame\n"); +- dev_kfree_skb(skb_dequeue(&ps->bc_buf)); ++ ieee80211_free_txskb(&tx->local->hw, skb_dequeue(&ps->bc_buf)); + } else + tx->local->total_ps_buffered++; + +@@ -2910,7 +2910,7 @@ ieee80211_get_buffered_bc(struct ieee802 + sdata = IEEE80211_DEV_TO_SUB_IF(skb->dev); + if (!ieee80211_tx_prepare(sdata, &tx, skb)) + break; +- dev_kfree_skb_any(skb); ++ ieee80211_free_txskb(hw, skb); + } + + info = IEEE80211_SKB_CB(skb); diff --git a/queue-3.14/megaraid_sas-fix-probing-cards-without-io-port.patch b/queue-3.14/megaraid_sas-fix-probing-cards-without-io-port.patch new file mode 100644 index 00000000000..488a6615e15 --- /dev/null +++ b/queue-3.14/megaraid_sas-fix-probing-cards-without-io-port.patch @@ -0,0 +1,84 @@ +From e7f851684efb3377e9c93aca7fae6e76212e5680 Mon Sep 17 00:00:00 2001 +From: Yinghai Lu +Date: Fri, 5 Aug 2016 23:37:34 -0700 +Subject: megaraid_sas: Fix probing cards without io port + +From: Yinghai Lu + +commit e7f851684efb3377e9c93aca7fae6e76212e5680 upstream. + +Found one megaraid_sas HBA probe fails, + +[ 187.235190] scsi host2: Avago SAS based MegaRAID driver +[ 191.112365] megaraid_sas 0000:89:00.0: BAR 0: can't reserve [io 0x0000-0x00ff] +[ 191.120548] megaraid_sas 0000:89:00.0: IO memory region busy! + +and the card has resource like, +[ 125.097714] pci 0000:89:00.0: [1000:005d] type 00 class 0x010400 +[ 125.104446] pci 0000:89:00.0: reg 0x10: [io 0x0000-0x00ff] +[ 125.110686] pci 0000:89:00.0: reg 0x14: [mem 0xce400000-0xce40ffff 64bit] +[ 125.118286] pci 0000:89:00.0: reg 0x1c: [mem 0xce300000-0xce3fffff 64bit] +[ 125.125891] pci 0000:89:00.0: reg 0x30: [mem 0xce200000-0xce2fffff pref] + +that does not io port resource allocated from BIOS, and kernel can not +assign one as io port shortage. + +The driver is only looking for MEM, and should not fail. + +It turns out megasas_init_fw() etc are using bar index as mask. index 1 +is used as mask 1, so that pci_request_selected_regions() is trying to +request BAR0 instead of BAR1. + +Fix all related reference. + +Fixes: b6d5d8808b4c ("megaraid_sas: Use lowest memory bar for SR-IOV VF support") +Signed-off-by: Yinghai Lu +Acked-by: Kashyap Desai +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 6 +++--- + drivers/scsi/megaraid/megaraid_sas_fusion.c | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -3624,7 +3624,7 @@ static int megasas_init_fw(struct megasa + /* Find first memory bar */ + bar_list = pci_select_bars(instance->pdev, IORESOURCE_MEM); + instance->bar = find_first_bit(&bar_list, sizeof(unsigned long)); +- if (pci_request_selected_regions(instance->pdev, instance->bar, ++ if (pci_request_selected_regions(instance->pdev, 1<bar, + "megasas: LSI")) { + printk(KERN_DEBUG "megasas: IO memory region busy!\n"); + return -EBUSY; +@@ -3858,7 +3858,7 @@ fail_ready_state: + iounmap(instance->reg_set); + + fail_ioremap: +- pci_release_selected_regions(instance->pdev, instance->bar); ++ pci_release_selected_regions(instance->pdev, 1<bar); + + return -EINVAL; + } +@@ -3879,7 +3879,7 @@ static void megasas_release_mfi(struct m + + iounmap(instance->reg_set); + +- pci_release_selected_regions(instance->pdev, instance->bar); ++ pci_release_selected_regions(instance->pdev, 1<bar); + } + + /** +--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c ++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c +@@ -2175,7 +2175,7 @@ megasas_release_fusion(struct megasas_in + + iounmap(instance->reg_set); + +- pci_release_selected_regions(instance->pdev, instance->bar); ++ pci_release_selected_regions(instance->pdev, 1<bar); + } + + /** diff --git a/queue-3.14/s390-dasd-fix-hanging-device-after-clear-subchannel.patch b/queue-3.14/s390-dasd-fix-hanging-device-after-clear-subchannel.patch new file mode 100644 index 00000000000..2b011f17fce --- /dev/null +++ b/queue-3.14/s390-dasd-fix-hanging-device-after-clear-subchannel.patch @@ -0,0 +1,56 @@ +From 9ba333dc55cbb9523553df973adb3024d223e905 Mon Sep 17 00:00:00 2001 +From: Stefan Haberland +Date: Mon, 8 Aug 2016 14:08:17 +0200 +Subject: s390/dasd: fix hanging device after clear subchannel + +From: Stefan Haberland + +commit 9ba333dc55cbb9523553df973adb3024d223e905 upstream. + +When a device is in a status where CIO has killed all I/O by itself the +interrupt for a clear request may not contain an irb to determine the +clear function. Instead it contains an error pointer -EIO. +This was ignored by the DASD int_handler leading to a hanging device +waiting for a clear interrupt. + +Handle -EIO error pointer correctly for requests that are clear pending and +treat the clear as successful. + +Signed-off-by: Stefan Haberland +Reviewed-by: Sebastian Ott +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/block/dasd.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/s390/block/dasd.c ++++ b/drivers/s390/block/dasd.c +@@ -1613,9 +1613,18 @@ void dasd_int_handler(struct ccw_device + unsigned long long now; + int expires; + ++ cqr = (struct dasd_ccw_req *) intparm; + if (IS_ERR(irb)) { + switch (PTR_ERR(irb)) { + case -EIO: ++ if (cqr && cqr->status == DASD_CQR_CLEAR_PENDING) { ++ device = (struct dasd_device *) cqr->startdev; ++ cqr->status = DASD_CQR_CLEARED; ++ dasd_device_clear_timer(device); ++ wake_up(&dasd_flush_wq); ++ dasd_schedule_device_bh(device); ++ return; ++ } + break; + case -ETIMEDOUT: + DBF_EVENT_DEVID(DBF_WARNING, cdev, "%s: " +@@ -1631,7 +1640,6 @@ void dasd_int_handler(struct ccw_device + } + + now = get_tod_clock(); +- cqr = (struct dasd_ccw_req *) intparm; + /* check for conditions that should be handled immediately */ + if (!cqr || + !(scsw_dstat(&irb->scsw) == (DEV_STAT_CHN_END | DEV_STAT_DEV_END) && diff --git a/queue-3.14/series b/queue-3.14/series index 01a6098b7ef..e34d65d551d 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -16,3 +16,11 @@ usb-serial-option-add-support-for-telit-le920a4.patch usb-serial-ftdi_sio-add-device-id-for-wiced-usb-uart-dev-board.patch usb-serial-ftdi_sio-add-pids-for-ivium-technologies-devices.patch xhci-make-sure-xhci-handles-usb_speed_super_plus-devices.patch +edac-increment-correct-counter-in-edac_inc_ue_error.patch +s390-dasd-fix-hanging-device-after-clear-subchannel.patch +mac80211-fix-purging-multicast-ps-buffer-queue.patch +aacraid-check-size-values-after-double-fetch-from-user.patch +cdc-acm-fix-wrong-pipe-type-on-rx-interrupt-xfers.patch +megaraid_sas-fix-probing-cards-without-io-port.patch +gpio-fix-of-build-problem-on-um.patch +fs-seq_file-fix-out-of-bounds-read.patch