From 6ad5c07f16896fbe767456972e802c78f08697ff Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 1 Mar 2016 00:24:41 -0800 Subject: [PATCH] 3.14-stable patches added patches: can-sja1000-clear-interrupts-on-start.patch dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch dm-space-map-metadata-fix-ref-counting-bug-when-bootstrapping-a-new-space-map.patch irqchip-versatile-fpga-fix-pci-irq-mapping-on-versatile-pb.patch mac80211-mesh-fix-call_rcu-usage.patch powercap-rapl-fix-bios-lock-check.patch rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch rfkill-copy-the-name-into-the-rfkill-struct.patch sata_sil-disable-trim.patch sched-core-clear-the-root_domain-cpumasks-in-init_rootdomain.patch sched-core-remove-false-positive-warning-from-wake_up_process.patch scripts-recordmcount-break-hardlinks.patch ses-fix-additional-element-traversal-bug.patch ses-fix-problems-with-simple-enclosures.patch vgaarb-fix-signal-handling-in-vga_get.patch --- ...an-sja1000-clear-interrupts-on-start.patch | 46 +++++++ ...fer-leaks-in-dm_btree_del-error-path.patch | 60 +++++++++ ...g-when-bootstrapping-a-new-space-map.patch | 115 ++++++++++++++++++ ...-fix-pci-irq-mapping-on-versatile-pb.patch | 38 ++++++ .../mac80211-mesh-fix-call_rcu-usage.patch | 67 ++++++++++ .../powercap-rapl-fix-bios-lock-check.patch | 48 ++++++++ ...-sending-a-message-on-unbound-socket.patch | 71 +++++++++++ ...copy-the-name-into-the-rfkill-struct.patch | 59 +++++++++ queue-3.14/sata_sil-disable-trim.patch | 51 ++++++++ ...t_domain-cpumasks-in-init_rootdomain.patch | 60 +++++++++ ...ositive-warning-from-wake_up_process.patch | 39 ++++++ ...scripts-recordmcount-break-hardlinks.patch | 46 +++++++ queue-3.14/series | 15 +++ ...fix-additional-element-traversal-bug.patch | 61 ++++++++++ ...-fix-problems-with-simple-enclosures.patch | 67 ++++++++++ ...gaarb-fix-signal-handling-in-vga_get.patch | 43 +++++++ 16 files changed, 886 insertions(+) create mode 100644 queue-3.14/can-sja1000-clear-interrupts-on-start.patch create mode 100644 
queue-3.14/dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch create mode 100644 queue-3.14/dm-space-map-metadata-fix-ref-counting-bug-when-bootstrapping-a-new-space-map.patch create mode 100644 queue-3.14/irqchip-versatile-fpga-fix-pci-irq-mapping-on-versatile-pb.patch create mode 100644 queue-3.14/mac80211-mesh-fix-call_rcu-usage.patch create mode 100644 queue-3.14/powercap-rapl-fix-bios-lock-check.patch create mode 100644 queue-3.14/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch create mode 100644 queue-3.14/rfkill-copy-the-name-into-the-rfkill-struct.patch create mode 100644 queue-3.14/sata_sil-disable-trim.patch create mode 100644 queue-3.14/sched-core-clear-the-root_domain-cpumasks-in-init_rootdomain.patch create mode 100644 queue-3.14/sched-core-remove-false-positive-warning-from-wake_up_process.patch create mode 100644 queue-3.14/scripts-recordmcount-break-hardlinks.patch create mode 100644 queue-3.14/ses-fix-additional-element-traversal-bug.patch create mode 100644 queue-3.14/ses-fix-problems-with-simple-enclosures.patch create mode 100644 queue-3.14/vgaarb-fix-signal-handling-in-vga_get.patch diff --git a/queue-3.14/can-sja1000-clear-interrupts-on-start.patch b/queue-3.14/can-sja1000-clear-interrupts-on-start.patch new file mode 100644 index 00000000000..f1fa9dcbdac --- /dev/null +++ b/queue-3.14/can-sja1000-clear-interrupts-on-start.patch 
@@ -0,0 +1,46 @@
+From 7cecd9ab80f43972c056dc068338f7bcc407b71c Mon Sep 17 00:00:00 2001
+From: Mirza Krak
+Date: Tue, 10 Nov 2015 14:59:34 +0100
+Subject: can: sja1000: clear interrupts on start
+
+From: Mirza Krak
+
+commit 7cecd9ab80f43972c056dc068338f7bcc407b71c upstream.
+
+According to SJA1000 data sheet error-warning (EI) interrupt is not
+cleared by setting the controller in to reset-mode.
+
+Then if we have the following case:
+- system is suspended (echo mem > /sys/power/state) and SJA1000 is left
+ in operating state
+- A bus error condition occurs which activates EI interrupt, system is
+ still suspended which means EI interrupt will be not be handled nor
+ cleared.
+
+If the above two events occur, on resume there is no way to return the
+SJA1000 to operating state, except to cycle power to it.
+
+By simply reading the IR register on start we will clear any previous
+conditions that could be present.
+
+Signed-off-by: Mirza Krak
+Reported-by: Christian Magnusson
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/sja1000/sja1000.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/can/sja1000/sja1000.c
++++ b/drivers/net/can/sja1000/sja1000.c
+@@ -187,6 +187,9 @@ static void sja1000_start(struct net_dev
+ /* clear interrupt flags */
+ priv->read_reg(priv, SJA1000_IR);
+
++ /* clear interrupt flags */
++ priv->read_reg(priv, SJA1000_IR);
++
+ /* leave reset mode */
+ set_normal_mode(dev);
+ }
diff --git a/queue-3.14/dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch b/queue-3.14/dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch
new file mode 100644
index 00000000000..4312cd90d01
--- /dev/null
+++ b/queue-3.14/dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch
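Review bot: The added `priv->read_reg(priv, SJA1000_IR);` in the nested sja1000_start() hunk repeats the identical comment and register read that already appear as context two lines above it, so applying this queue entry makes the driver read IR twice back to back. That suggests the 3.14 tree already carries an equivalent fix and this patch applied only because the context still matched. The second read looks harmless, since the read itself is what clears the flags, but the entry should probably be dropped from the queue rather than shipped as a redundant change. sja1000_start() begins outside the hunk, so confirm against the 3.14 source first.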
@@ -0,0 +1,60 @@
+From ed8b45a3679eb49069b094c0711b30833f27c734 Mon Sep 17 00:00:00 2001
+From: Joe Thornber
+Date: Thu, 10 Dec 2015 14:37:53 +0000
+Subject: dm btree: fix bufio buffer leaks in dm_btree_del() error path
+
+From: Joe Thornber
+
+commit ed8b45a3679eb49069b094c0711b30833f27c734 upstream.
+
+If dm_btree_del()'s call to push_frame() fails, e.g. due to
+btree_node_validator finding invalid metadata, the dm_btree_del() error
+path must unlock all frames (which have active dm-bufio buffers) that
+were pushed onto the del_stack.
+
+Otherwise, dm_bufio_client_destroy() will BUG_ON() because dm-bufio
+buffers have leaked, e.g.:
+ device-mapper: bufio: leaked buffer 3, hold count 1, list 0
+
+Signed-off-by: Joe Thornber
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/persistent-data/dm-btree.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/persistent-data/dm-btree.c
++++ b/drivers/md/persistent-data/dm-btree.c
+@@ -250,6 +250,16 @@ static void pop_frame(struct del_stack *
+ dm_tm_unlock(s->tm, f->b);
+ }
+
++static void unlock_all_frames(struct del_stack *s)
++{
++ struct frame *f;
++
++ while (unprocessed_frames(s)) {
++ f = s->spine + s->top--;
++ dm_tm_unlock(s->tm, f->b);
++ }
++}
++
+ int dm_btree_del(struct dm_btree_info *info, dm_block_t root)
+ {
+ int r;
+@@ -306,9 +316,13 @@ int dm_btree_del(struct dm_btree_info *i
+ pop_frame(s);
+ }
+ }
+-
+ out:
++ if (r) {
++ /* cleanup all frames of del_stack */
++ unlock_all_frames(s);
++ }
+ kfree(s);
++
+ return r;
+ }
+ EXPORT_SYMBOL_GPL(dm_btree_del);
diff --git a/queue-3.14/dm-space-map-metadata-fix-ref-counting-bug-when-bootstrapping-a-new-space-map.patch b/queue-3.14/dm-space-map-metadata-fix-ref-counting-bug-when-bootstrapping-a-new-space-map.patch
new file mode 100644
index 00000000000..de32b4e72d7
--- /dev/null
+++ b/queue-3.14/dm-space-map-metadata-fix-ref-counting-bug-when-bootstrapping-a-new-space-map.patch
@@ -0,0 +1,115 @@
+From 50dd842ad83b43bed71790efb31cfb2f6c05c9c1 Mon Sep 17 00:00:00 2001
+From: Joe Thornber
+Date: Wed, 9 Dec 2015 16:38:12 +0000
+Subject: dm space map metadata: fix ref counting bug when bootstrapping a new space map
+
+From: Joe Thornber
+
+commit 50dd842ad83b43bed71790efb31cfb2f6c05c9c1 upstream.
+
+When applying block operations (BOPs) do not remove them from the
+uncommitted BOP ring-buffer until after they've been applied -- in case
+we recurse.
+
+Also, perform BOP_INC operation, in dm_sm_metadata_create() and
+sm_metadata_extend(), in terms of the uncommitted BOP ring-buffer rather
+than using direct calls to sm_ll_inc().
+
+Signed-off-by: Joe Thornber
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/persistent-data/dm-space-map-metadata.c | 32 ++++++++++++++-------
+ 1 file changed, 22 insertions(+), 10 deletions(-)
+
+--- a/drivers/md/persistent-data/dm-space-map-metadata.c
++++ b/drivers/md/persistent-data/dm-space-map-metadata.c
+@@ -136,7 +136,7 @@ static int brb_push(struct bop_ring_buff
+ return 0;
+ }
+
+-static int brb_pop(struct bop_ring_buffer *brb, struct block_op *result)
++static int brb_peek(struct bop_ring_buffer *brb, struct block_op *result)
+ {
+ struct block_op *bop;
+
+@@ -147,6 +147,17 @@ static int brb_pop(struct bop_ring_buffe
+ result->type = bop->type;
+ result->block = bop->block;
+
++ return 0;
++}
++
++static int brb_pop(struct bop_ring_buffer *brb)
++{
++ struct block_op *bop;
++
++ if (brb_empty(brb))
++ return -ENODATA;
++
++ bop = brb->bops + brb->begin;
+ brb->begin = brb_next(brb, brb->begin);
+
+ return 0;
+@@ -211,7 +222,7 @@ static int apply_bops(struct sm_metadata
+ while (!brb_empty(&smm->uncommitted)) {
+ struct block_op bop;
+
+- r = brb_pop(&smm->uncommitted, &bop);
++ r = brb_peek(&smm->uncommitted, &bop);
+ if (r) {
+ DMERR("bug in bop ring buffer");
+ break;
+@@ -220,6 +231,8 @@ static int apply_bops(struct sm_metadata
+ r = commit_bop(smm, &bop);
+ if (r)
+ break;
++
++ brb_pop(&smm->uncommitted);
+ }
+
+ return r;
+@@ -681,7 +694,6 @@ static struct dm_space_map bootstrap_ops
+ static int sm_metadata_extend(struct dm_space_map *sm, dm_block_t extra_blocks)
+ {
+ int r, i;
+- enum allocation_event ev;
+ struct sm_metadata *smm = container_of(sm, struct sm_metadata, sm);
+ dm_block_t old_len = smm->ll.nr_blocks;
+
+@@ -703,11 +715,12 @@ static int sm_metadata_extend(struct dm_
+ * allocate any new blocks.
+ */
+ do {
+- for (i = old_len; !r && i < smm->begin; i++) {
+- r = sm_ll_inc(&smm->ll, i, &ev);
+- if (r)
+- goto out;
+- }
++ for (i = old_len; !r && i < smm->begin; i++)
++ r = add_bop(smm, BOP_INC, i);
++
++ if (r)
++ goto out;
++
+ old_len = smm->begin;
+
+ r = apply_bops(smm);
+@@ -752,7 +765,6 @@ int dm_sm_metadata_create(struct dm_spac
+ {
+ int r;
+ dm_block_t i;
+- enum allocation_event ev;
+ struct sm_metadata *smm = container_of(sm, struct sm_metadata, sm);
+
+ smm->begin = superblock + 1;
+@@ -780,7 +792,7 @@ int dm_sm_metadata_create(struct dm_spac
+ * allocated blocks that they were built from.
+ */
+ for (i = superblock; !r && i < smm->begin; i++)
+- r = sm_ll_inc(&smm->ll, i, &ev);
++ r = add_bop(smm, BOP_INC, i);
+
+ if (r)
+ return r;
diff --git a/queue-3.14/irqchip-versatile-fpga-fix-pci-irq-mapping-on-versatile-pb.patch b/queue-3.14/irqchip-versatile-fpga-fix-pci-irq-mapping-on-versatile-pb.patch
new file mode 100644
index 00000000000..e6dc7b05d3f
--- /dev/null
+++ b/queue-3.14/irqchip-versatile-fpga-fix-pci-irq-mapping-on-versatile-pb.patch
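Review bot: In the new `brb_pop()` the local `bop` is assigned by `bop = brb->bops + brb->begin;` but never read, and `apply_bops()` calls `brb_pop(&smm->uncommitted);` without looking at its return value. The unused assignment and its declaration can simply be deleted, which also avoids a set-but-unused warning. For the call site, a short comment such as `/* brb_peek() above succeeded, so the ring is not empty here */` would document why the result is ignored; if commit_bop() can recurse and consume entries, which the hunk does not show, the result should be checked instead.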
@@ -0,0 +1,38 @@
+From d5d4fdd86f5759924fe54efa793e22eccf508db6 Mon Sep 17 00:00:00 2001
+From: Guillaume Delbergue
+Date: Tue, 1 Dec 2015 18:55:51 +0100
+Subject: irqchip/versatile-fpga: Fix PCI IRQ mapping on Versatile PB
+
+From: Guillaume Delbergue
+
+commit d5d4fdd86f5759924fe54efa793e22eccf508db6 upstream.
+
+This patch is specifically for PCI support on the Versatile PB board using
+a DT. Currently, the dynamic IRQ mapping is broken when using DTs. For
+example, on QEMU, the SCSI driver is unable to request the IRQ. To fix
+this issue, this patch replaces the current dynamic mechanism with a
+static value as is done in the non-DT case.
+
+Signed-off-by: Guillaume Delbergue
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/irqchip/irq-versatile-fpga.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/irqchip/irq-versatile-fpga.c
++++ b/drivers/irqchip/irq-versatile-fpga.c
+@@ -204,7 +204,12 @@ int __init fpga_irq_of_init(struct devic
+ if (!parent_irq)
+ parent_irq = -1;
+
++#ifdef CONFIG_ARCH_VERSATILE
++ fpga_irq_init(base, node->name, IRQ_SIC_START, parent_irq, valid_mask,
++ node);
++#else
+ fpga_irq_init(base, node->name, 0, parent_irq, valid_mask, node);
++#endif
+
+ writel(clear_mask, base + IRQ_ENABLE_CLEAR);
+ writel(clear_mask, base + FIQ_ENABLE_CLEAR);
diff --git a/queue-3.14/mac80211-mesh-fix-call_rcu-usage.patch b/queue-3.14/mac80211-mesh-fix-call_rcu-usage.patch
new file mode 100644
index 00000000000..6f700d0abf4
--- /dev/null
+++ b/queue-3.14/mac80211-mesh-fix-call_rcu-usage.patch
@@ -0,0 +1,67 @@
+From c2e703a55245bfff3db53b1f7cbe59f1ee8a4339 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Tue, 17 Nov 2015 14:25:21 +0100
+Subject: mac80211: mesh: fix call_rcu() usage
+
+From: Johannes Berg
+
+commit c2e703a55245bfff3db53b1f7cbe59f1ee8a4339 upstream.
+
+When using call_rcu(), the called function may be delayed quite
+significantly, and without a matching rcu_barrier() there's no
+way to be sure it has finished.
+Therefore, global state that could be gone/freed/reused should
+never be touched in the callback.
+
+Fix this in mesh by moving the atomic_dec() into the caller;
+that's not really a problem since we already unlinked the path
+and it will be destroyed anyway.
+
+This fixes a crash Jouni observed when running certain tests in
+a certain order, in which the mesh interface was torn down, the
+memory reused for a function pointer (work struct) and running
+that then crashed since the pointer had been decremented by 1,
+resulting in an invalid instruction byte stream.
+
+Fixes: eb2b9311fd00 ("mac80211: mesh path table implementation")
+Reported-by: Jouni Malinen
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/mesh_pathtbl.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -746,10 +746,8 @@ void mesh_plink_broken(struct sta_info *
+ static void mesh_path_node_reclaim(struct rcu_head *rp)
+ {
+ struct mpath_node *node = container_of(rp, struct mpath_node, rcu);
+- struct ieee80211_sub_if_data *sdata = node->mpath->sdata;
+
+ del_timer_sync(&node->mpath->timer);
+- atomic_dec(&sdata->u.mesh.mpaths);
+ kfree(node->mpath);
+ kfree(node);
+ }
+@@ -757,8 +755,9 @@ static void mesh_path_node_reclaim(struc
+ /* needs to be called with the corresponding hashwlock taken */
+ static void __mesh_path_del(struct mesh_table *tbl, struct mpath_node *node)
+ {
+- struct mesh_path *mpath;
+- mpath = node->mpath;
++ struct mesh_path *mpath = node->mpath;
++ struct ieee80211_sub_if_data *sdata = node->mpath->sdata;
++
+ spin_lock(&mpath->state_lock);
+ mpath->flags |= MESH_PATH_RESOLVING;
+ if (mpath->is_gate)
+@@ -766,6 +765,7 @@ static void __mesh_path_del(struct mesh_
+ hlist_del_rcu(&node->list);
+ call_rcu(&node->rcu, mesh_path_node_reclaim);
+ spin_unlock(&mpath->state_lock);
++ atomic_dec(&sdata->u.mesh.mpaths);
+ atomic_dec(&tbl->entries);
+ }
+
diff --git a/queue-3.14/powercap-rapl-fix-bios-lock-check.patch b/queue-3.14/powercap-rapl-fix-bios-lock-check.patch
new file mode 100644
index 00000000000..c311818b571
--- /dev/null
+++ b/queue-3.14/powercap-rapl-fix-bios-lock-check.patch
@@ -0,0 +1,48 @@
+From 79a21dbfae3cd40d5a801778071a9967b79c2c20 Mon Sep 17 00:00:00 2001
+From: Prarit Bhargava
+Date: Wed, 9 Dec 2015 08:31:12 -0500
+Subject: powercap / RAPL: fix BIOS lock check
+
+From: Prarit Bhargava
+
+commit 79a21dbfae3cd40d5a801778071a9967b79c2c20 upstream.
+
+Intel RAPL initialized on several systems where the BIOS lock bit (msr
+0x610, bit 63) was set. This occured because the return value of
+rapl_read_data_raw() was being checked, rather than the value of the variable
+passed in, locked.
+
+This patch properly implments the rapl_read_data_raw() call to check the
+variable locked, and now the Intel RAPL driver outputs the warning:
+
+ intel_rapl: RAPL package 0 domain package locked by BIOS
+
+and does not initialize for the package.
+
+Signed-off-by: Prarit Bhargava
+Acked-by: Jacob Pan
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/powercap/intel_rapl.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/powercap/intel_rapl.c
++++ b/drivers/powercap/intel_rapl.c
+@@ -1194,10 +1194,13 @@ static int rapl_detect_domains(struct ra
+
+ for (rd = rp->domains; rd < rp->domains + rp->nr_domains; rd++) {
+ /* check if the domain is locked by BIOS */
+- if (rapl_read_data_raw(rd, FW_LOCK, false, &locked)) {
++ ret = rapl_read_data_raw(rd, FW_LOCK, false, &locked);
++ if (ret)
++ return ret;
++ if (locked) {
+ pr_info("RAPL package %d domain %s locked by BIOS\n",
+ rp->id, rd->name);
+- rd->state |= DOMAIN_STATE_BIOS_LOCKED;
++ rd->state |= DOMAIN_STATE_BIOS_LOCKED;
+ }
+ }
+
diff --git a/queue-3.14/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch b/queue-3.14/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
new file mode 100644
index 00000000000..2bf9264fa6a
--- /dev/null
+++ b/queue-3.14/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
@@ -0,0 +1,71 @@
+From 8c7188b23474cca017b3ef354c4a58456f68303a Mon Sep 17 00:00:00 2001
+From: Quentin Casasnovas
+Date: Tue, 24 Nov 2015 17:13:21 -0500
+Subject: RDS: fix race condition when sending a message on unbound socket
+
+From: Quentin Casasnovas
+
+commit 8c7188b23474cca017b3ef354c4a58456f68303a upstream.
+
+Sasha's found a NULL pointer dereference in the RDS connection code when
+sending a message to an apparently unbound socket. The problem is caused
+by the code checking if the socket is bound in rds_sendmsg(), which checks
+the rs_bound_addr field without taking a lock on the socket. This opens a
+race where rs_bound_addr is temporarily set but where the transport is not
+in rds_bind(), leading to a NULL pointer dereference when trying to
+dereference 'trans' in __rds_conn_create().
+
+Vegard wrote a reproducer for this issue, so kindly ask him to share if
+you're interested.
+
+I cannot reproduce the NULL pointer dereference using Vegard's reproducer
+with this patch, whereas I could without.
+
+Complete earlier incomplete fix to CVE-2015-6937:
+
+ 74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")
+
+Reviewed-by: Vegard Nossum
+Reviewed-by: Sasha Levin
+Acked-by: Santosh Shilimkar
+Signed-off-by: Quentin Casasnovas
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/rds/connection.c | 6 ------
+ net/rds/send.c | 4 +++-
+ 2 files changed, 3 insertions(+), 7 deletions(-)
+
+--- a/net/rds/connection.c
++++ b/net/rds/connection.c
+@@ -189,12 +189,6 @@ static struct rds_connection *__rds_conn
+ goto out;
+ }
+
+- if (trans == NULL) {
+- kmem_cache_free(rds_conn_slab, conn);
+- conn = ERR_PTR(-ENODEV);
+- goto out;
+- }
+-
+ conn->c_trans = trans;
+
+ ret = trans->conn_alloc(conn, gfp);
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -955,11 +955,13 @@ int rds_sendmsg(struct kiocb *iocb, stru
+ release_sock(sk);
+ }
+
+- /* racing with another thread binding seems ok here */
++ lock_sock(sk);
+ if (daddr == 0 || rs->rs_bound_addr == 0) {
++ release_sock(sk);
+ ret = -ENOTCONN; /* XXX not a great errno */
+ goto out;
+ }
++ release_sock(sk);
+
+ /* size of rm including all sgs */
+ ret = rds_rm_size(msg, payload_len);
diff --git a/queue-3.14/rfkill-copy-the-name-into-the-rfkill-struct.patch b/queue-3.14/rfkill-copy-the-name-into-the-rfkill-struct.patch
new file mode 100644
index 00000000000..1e9a097f132
--- /dev/null
+++ b/queue-3.14/rfkill-copy-the-name-into-the-rfkill-struct.patch
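Review bot: The connection.c hunk removes the `if (trans == NULL)` guard that sat directly above `ret = trans->conn_alloc(conn, gfp);`, so __rds_conn_create() now depends entirely on its callers never handing it a NULL transport. The send.c hunk covers the rds_sendmsg() path by testing `rs->rs_bound_addr` under `lock_sock(sk)`, but the lock is dropped again before the connection is created, and the other callers of __rds_conn_create() are outside these hunks. For a follow-up to CVE-2015-6937 it would be cheap to keep the removed guard as defence in depth. Failing that, document the invariant above the dereference, e.g. `/* trans is never NULL here: rds_sendmsg() checks the bound state under lock_sock() */`.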
@@ -0,0 +1,59 @@
+From b7bb110008607a915298bf0f47d25886ecb94477 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Thu, 10 Dec 2015 10:37:51 +0100
+Subject: rfkill: copy the name into the rfkill struct
+
+From: Johannes Berg
+
+commit b7bb110008607a915298bf0f47d25886ecb94477 upstream.
+
+Some users of rfkill, like NFC and cfg80211, use a dynamic name when
+allocating rfkill, in those cases dev_name(). Therefore, the pointer
+passed to rfkill_alloc() might not be valid forever, I specifically
+found the case that the rfkill name was quite obviously an invalid
+pointer (or at least garbage) when the wiphy had been renamed.
+
+Fix this by making a copy of the rfkill name in rfkill_alloc().
+
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/rfkill/core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/rfkill/core.c
++++ b/net/rfkill/core.c
+@@ -49,7 +49,6 @@
+ struct rfkill {
+ spinlock_t lock;
+
+- const char *name;
+ enum rfkill_type type;
+
+ unsigned long state;
+@@ -73,6 +72,7 @@ struct rfkill {
+ struct delayed_work poll_work;
+ struct work_struct uevent_work;
+ struct work_struct sync_work;
++ char name[];
+ };
+ #define to_rfkill(d) container_of(d, struct rfkill, dev)
+
+@@ -861,14 +861,14 @@ struct rfkill * __must_check rfkill_allo
+ if (WARN_ON(type == RFKILL_TYPE_ALL || type >= NUM_RFKILL_TYPES))
+ return NULL;
+
+- rfkill = kzalloc(sizeof(*rfkill), GFP_KERNEL);
++ rfkill = kzalloc(sizeof(*rfkill) + strlen(name) + 1, GFP_KERNEL);
+ if (!rfkill)
+ return NULL;
+
+ spin_lock_init(&rfkill->lock);
+ INIT_LIST_HEAD(&rfkill->node);
+ rfkill->type = type;
+- rfkill->name = name;
++ strcpy(rfkill->name, name);
+ rfkill->ops = ops;
+ rfkill->data = ops_data;
+
diff --git a/queue-3.14/sata_sil-disable-trim.patch b/queue-3.14/sata_sil-disable-trim.patch
new file mode 100644
index 00000000000..d3208190580
--- /dev/null
+++ b/queue-3.14/sata_sil-disable-trim.patch
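Review bot: In rfkill_alloc(), `kzalloc(sizeof(*rfkill) + strlen(name) + 1, GFP_KERNEL)` and the later `strcpy(rfkill->name, name);` each measure `name` separately, so the copy is bounded only if the string does not change between the two calls. The commit message says callers pass dynamic names such as dev_name() that can be renamed, so it is safer to take the length once with `size_t len = strlen(name) + 1;` before the allocation and copy with `memcpy(rfkill->name, name, len);` in place of the strcpy. Whether a rename can actually race with rfkill_alloc() is not visible here. The start of rfkill_alloc(), including any NULL check on `name`, is outside the hunk.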
@@ -0,0 +1,51 @@
+From d98f1cd0a3b70ea91f1dfda3ac36c3b2e1a4d5e2 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Thu, 26 Nov 2015 12:00:59 -0500
+Subject: sata_sil: disable trim
+
+From: Mikulas Patocka
+
+commit d98f1cd0a3b70ea91f1dfda3ac36c3b2e1a4d5e2 upstream.
+
+When I connect an Intel SSD to SATA SIL controller (PCI ID 1095:3114), any
+TRIM command results in I/O errors being reported in the log. There is
+other similar error reported with TRIM and the SIL controller:
+https://bugs.centos.org/view.php?id=5880
+
+Apparently the controller doesn't support TRIM commands. This patch
+disables TRIM support on the SATA SIL controller.
+
+ata7.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
+ata7.00: BMDMA2 stat 0x50001
+ata7.00: failed command: DATA SET MANAGEMENT
+ata7.00: cmd 06/01:01:00:00:00/00:00:00:00:00/a0 tag 0 dma 512 out
+ res 51/04:01:00:00:00/00:00:00:00:00/a0 Emask 0x1 (device error)
+ata7.00: status: { DRDY ERR }
+ata7.00: error: { ABRT }
+ata7.00: device reported invalid CHS sector 0
+sd 8:0:0:0: [sdb] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
+sd 8:0:0:0: [sdb] tag#0 Sense Key : Illegal Request [current] [descriptor]
+sd 8:0:0:0: [sdb] tag#0 Add. Sense: Unaligned write command
+sd 8:0:0:0: [sdb] tag#0 CDB: Write same(16) 93 08 00 00 00 00 00 21 95 88 00 20 00 00 00 00
+blk_update_request: I/O error, dev sdb, sector 2200968
+
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Tejun Heo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ata/sata_sil.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/ata/sata_sil.c
++++ b/drivers/ata/sata_sil.c
+@@ -631,6 +631,9 @@ static void sil_dev_config(struct ata_de
+ unsigned int n, quirks = 0;
+ unsigned char model_num[ATA_ID_PROD_LEN + 1];
+
++ /* This controller doesn't support trim */
++ dev->horkage |= ATA_HORKAGE_NOTRIM;
++
+ ata_id_c_string(dev->id, model_num, ATA_ID_PROD, sizeof(model_num));
+
+ for (n = 0; sil_blacklist[n].product; n++)
diff --git a/queue-3.14/sched-core-clear-the-root_domain-cpumasks-in-init_rootdomain.patch b/queue-3.14/sched-core-clear-the-root_domain-cpumasks-in-init_rootdomain.patch
new file mode 100644
index 00000000000..7a95a68753c
--- /dev/null
+++ b/queue-3.14/sched-core-clear-the-root_domain-cpumasks-in-init_rootdomain.patch
@@ -0,0 +1,60 @@
+From 8295c69925ad53ec32ca54ac9fc194ff21bc40e2 Mon Sep 17 00:00:00 2001
+From: Xunlei Pang
+Date: Wed, 2 Dec 2015 19:52:59 +0800
+Subject: sched/core: Clear the root_domain cpumasks in init_rootdomain()
+
+From: Xunlei Pang
+
+commit 8295c69925ad53ec32ca54ac9fc194ff21bc40e2 upstream.
+
+root_domain::rto_mask allocated through alloc_cpumask_var()
+contains garbage data, this may cause problems. For instance,
+When doing pull_rt_task(), it may do useless iterations if
+rto_mask retains some extra garbage bits. Worse still, this
+violates the isolated domain rule for clustered scheduling
+using cpuset, because the tasks(with all the cpus allowed)
+belongs to one root domain can be pulled away into another
+root domain.
+
+The patch cleans the garbage by using zalloc_cpumask_var()
+instead of alloc_cpumask_var() for root_domain::rto_mask
+allocation, thereby addressing the issues.
+
+Do the same thing for root_domain's other cpumask memembers:
+dlo_mask, span, and online.
+
+Signed-off-by: Xunlei Pang
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: Linus Torvalds
+Cc: Mike Galbraith
+Cc: Peter Zijlstra
+Cc: Steven Rostedt
+Cc: Thomas Gleixner
+Link: http://lkml.kernel.org/r/1449057179-29321-1-git-send-email-xlpang@redhat.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/sched/core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -5420,13 +5420,13 @@ static int init_rootdomain(struct root_d
+ {
+ memset(rd, 0, sizeof(*rd));
+
+- if (!alloc_cpumask_var(&rd->span, GFP_KERNEL))
++ if (!zalloc_cpumask_var(&rd->span, GFP_KERNEL))
+ goto out;
+- if (!alloc_cpumask_var(&rd->online, GFP_KERNEL))
++ if (!zalloc_cpumask_var(&rd->online, GFP_KERNEL))
+ goto free_span;
+- if (!alloc_cpumask_var(&rd->dlo_mask, GFP_KERNEL))
++ if (!zalloc_cpumask_var(&rd->dlo_mask, GFP_KERNEL))
+ goto free_online;
+- if (!alloc_cpumask_var(&rd->rto_mask, GFP_KERNEL))
++ if (!zalloc_cpumask_var(&rd->rto_mask, GFP_KERNEL))
+ goto free_dlo_mask;
+
+ init_dl_bw(&rd->dl_bw);
diff --git a/queue-3.14/sched-core-remove-false-positive-warning-from-wake_up_process.patch b/queue-3.14/sched-core-remove-false-positive-warning-from-wake_up_process.patch
new file mode 100644
index 00000000000..7ca11ae41a7
--- /dev/null
+++ b/queue-3.14/sched-core-remove-false-positive-warning-from-wake_up_process.patch
@@ -0,0 +1,39 @@
+From 119d6f6a3be8b424b200dcee56e74484d5445f7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 30 Nov 2015 20:34:20 -0500
+Subject: sched/core: Remove false-positive warning from wake_up_process()
+
+From: Sasha Levin
+
+commit 119d6f6a3be8b424b200dcee56e74484d5445f7e upstream.
+
+Because wakeups can (fundamentally) be late, a task might not be in
+the expected state. Therefore testing against a task's state is racy,
+and can yield false positives.
+
+Signed-off-by: Sasha Levin
+Signed-off-by: Peter Zijlstra (Intel)
+Acked-by: Linus Torvalds
+Cc: Mike Galbraith
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: oleg@redhat.com
+Fixes: 9067ac85d533 ("wake_up_process() should be never used to wakeup a TASK_STOPPED/TRACED task")
+Link: http://lkml.kernel.org/r/1448933660-23082-1-git-send-email-sasha.levin@oracle.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/sched/core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -1696,7 +1696,6 @@ out:
+ */
+ int wake_up_process(struct task_struct *p)
+ {
+- WARN_ON(task_is_stopped_or_traced(p));
+ return try_to_wake_up(p, TASK_NORMAL, 0);
+ }
+ EXPORT_SYMBOL(wake_up_process);
diff --git a/queue-3.14/scripts-recordmcount-break-hardlinks.patch b/queue-3.14/scripts-recordmcount-break-hardlinks.patch
new file mode 100644
index 00000000000..3171006873c
--- /dev/null
+++ b/queue-3.14/scripts-recordmcount-break-hardlinks.patch
@@ -0,0 +1,46 @@
+From dd39a26538e37f6c6131e829a4a510787e43c783 Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Fri, 11 Dec 2015 12:09:03 +0000
+Subject: scripts: recordmcount: break hardlinks
+
+From: Russell King
+
+commit dd39a26538e37f6c6131e829a4a510787e43c783 upstream.
+
+recordmcount edits the file in-place, which can cause problems when
+using ccache in hardlink mode. Arrange for recordmcount to break a
+hardlinked object.
+
+Link: http://lkml.kernel.org/r/E1a7MVT-0000et-62@rmk-PC.arm.linux.org.uk
+
+Signed-off-by: Russell King
+Signed-off-by: Steven Rostedt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ scripts/recordmcount.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/scripts/recordmcount.c
++++ b/scripts/recordmcount.c
+@@ -189,6 +189,20 @@ static void *mmap_file(char const *fname
+ addr = umalloc(sb.st_size);
+ uread(fd_map, addr, sb.st_size);
+ }
++ if (sb.st_nlink != 1) {
++ /* file is hard-linked, break the hard link */
++ close(fd_map);
++ if (unlink(fname) < 0) {
++ perror(fname);
++ fail_file();
++ }
++ fd_map = open(fname, O_RDWR | O_CREAT, sb.st_mode);
++ if (fd_map < 0) {
++ perror(fname);
++ fail_file();
++ }
++ uwrite(fd_map, addr, sb.st_size);
++ }
+ return addr;
+ }
+
diff --git a/queue-3.14/series b/queue-3.14/series
index f18b7ee90e5..51a0ddf8852 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
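Review bot: In the added hard-link branch of mmap_file(), `open(fname, O_RDWR | O_CREAT, sb.st_mode)` re-creates the object without `O_EXCL`, so if anything puts a file or symlink at `fname` between the `unlink()` and the `open()`, the tool writes the object through whatever now sits at that path. Using `fd_map = open(fname, O_RDWR | O_CREAT | O_EXCL, sb.st_mode);` makes that case fail visibly instead. It is also worth a comment that `sb.st_mode` is filtered by the umask, so the new file's permissions can differ from the original's. The start of mmap_file() and the definition of uwrite() are outside the hunk, so check there that a short write fails the file, since the original has already been unlinked by then.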
@@ -67,3 +67,18 @@ target-fix-race-for-scf_compare_and_write_post-checking.patch
 target-fix-compare_and_write-non-zero-sgl-offset-data-corruption.patch
 ring-buffer-update-read-stamp-with-first-real-commit-on-page.patch
 virtio-fix-memory-leak-of-virtio-ida-cache-layers.patch
+mac80211-mesh-fix-call_rcu-usage.patch
+rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
+can-sja1000-clear-interrupts-on-start.patch
+sched-core-clear-the-root_domain-cpumasks-in-init_rootdomain.patch
+sched-core-remove-false-positive-warning-from-wake_up_process.patch
+sata_sil-disable-trim.patch
+dm-space-map-metadata-fix-ref-counting-bug-when-bootstrapping-a-new-space-map.patch
+dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch
+irqchip-versatile-fpga-fix-pci-irq-mapping-on-versatile-pb.patch
+vgaarb-fix-signal-handling-in-vga_get.patch
+rfkill-copy-the-name-into-the-rfkill-struct.patch
+ses-fix-problems-with-simple-enclosures.patch
+ses-fix-additional-element-traversal-bug.patch
+powercap-rapl-fix-bios-lock-check.patch
+scripts-recordmcount-break-hardlinks.patch
diff --git a/queue-3.14/ses-fix-additional-element-traversal-bug.patch b/queue-3.14/ses-fix-additional-element-traversal-bug.patch
new file mode 100644
index 00000000000..f91861d717d
--- /dev/null
+++ b/queue-3.14/ses-fix-additional-element-traversal-bug.patch
@@ -0,0 +1,61 @@
+From 5e1033561da1152c57b97ee84371dba2b3d64c25 Mon Sep 17 00:00:00 2001
+From: James Bottomley
+Date: Fri, 11 Dec 2015 09:16:38 -0800
+Subject: ses: fix additional element traversal bug
+
+From: James Bottomley
+
+commit 5e1033561da1152c57b97ee84371dba2b3d64c25 upstream.
+
+KASAN found that our additional element processing scripts drop off
+the end of the VPD page into unallocated space. The reason is that
+not every element has additional information but our traversal
+routines think they do, leading to them expecting far more additional
+information than is present. Fix this by adding a gate to the
+traversal routine so that it only processes elements that are expected
+to have additional information (list is in SES-2 section 6.1.13.1:
+Additional Element Status diagnostic page overview)
+
+Reported-by: Pavel Tikhomirov
+Tested-by: Pavel Tikhomirov
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/ses.c | 10 +++++++++-
+ include/linux/enclosure.h | 4 ++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -454,7 +454,15 @@ static void ses_enclosure_data_process(s
+ if (desc_ptr)
+ desc_ptr += len;
+
+- if (addl_desc_ptr)
++ if (addl_desc_ptr &&
++ /* only find additional descriptions for specific devices */
++ (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||
++ type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE ||
++ type_ptr[0] == ENCLOSURE_COMPONENT_SAS_EXPANDER ||
++ /* these elements are optional */
++ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_TARGET_PORT ||
++ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT ||
++ type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS))
+ addl_desc_ptr += addl_desc_ptr[1] + 2;
+
+ }
+--- a/include/linux/enclosure.h
++++ b/include/linux/enclosure.h
+@@ -29,7 +29,11 @@
+ /* A few generic types ... taken from ses-2 */
+ enum enclosure_component_type {
+ ENCLOSURE_COMPONENT_DEVICE = 0x01,
++ ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS = 0x07,
++ ENCLOSURE_COMPONENT_SCSI_TARGET_PORT = 0x14,
++ ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT = 0x15,
+ ENCLOSURE_COMPONENT_ARRAY_DEVICE = 0x17,
++ ENCLOSURE_COMPONENT_SAS_EXPANDER = 0x18,
+ };
+
+ /* ses-2 common element status */
diff --git a/queue-3.14/ses-fix-problems-with-simple-enclosures.patch b/queue-3.14/ses-fix-problems-with-simple-enclosures.patch
new file mode 100644
index 00000000000..a5e1c7d4b1f
--- /dev/null
+++ b/queue-3.14/ses-fix-problems-with-simple-enclosures.patch
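Review bot: In ses-fix-additional-element-traversal-bug.patch, the gated statement `addl_desc_ptr += addl_desc_ptr[1] + 2;` still advances by a length byte read from the device, and nothing in the hunk compares the result with the end of the page buffer. The type gate removes the over-count described in the commit message, but an enclosure that reports a wrong descriptor length could presumably still move the pointer past the allocation. A bound check before the advance would cover that; failing that, a comment on the line such as `/* addl_desc_ptr[1] comes from the device; it is not bounded here */` would make the assumption explicit. `ses_enclosure_data_process()` starts and ends outside the hunk, so an existing check elsewhere cannot be ruled out.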
@@ -0,0 +1,67 @@
+From 3417c1b5cb1fdc10261dbed42b05cc93166a78fd Mon Sep 17 00:00:00 2001
+From: James Bottomley
+Date: Tue, 8 Dec 2015 09:00:31 -0800
+Subject: ses: Fix problems with simple enclosures
+
+From: James Bottomley
+
+commit 3417c1b5cb1fdc10261dbed42b05cc93166a78fd upstream.
+
+Simple enclosure implementations (mostly USB) are allowed to return only
+page 8 to every diagnostic query. That really confuses our
+implementation because we assume the return is the page we asked for and
+end up doing incorrect offsets based on bogus information leading to
+accesses outside of allocated ranges. Fix that by checking the page
+code of the return and giving an error if it isn't the one we asked for.
+This should fix reported bugs with USB storage by simply refusing to
+attach to enclosures that behave like this. It's also good defensive
+practise now that we're starting to see more USB enclosures.
+
+Reported-by: Andrea Gelmini
+Reviewed-by: Ewan D. Milne
+Reviewed-by: Tomas Henzl
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/ses.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -70,6 +70,7 @@ static int ses_probe(struct device *dev)
+ static int ses_recv_diag(struct scsi_device *sdev, int page_code,
+ void *buf, int bufflen)
+ {
++ int ret;
+ unsigned char cmd[] = {
+ RECEIVE_DIAGNOSTIC,
+ 1, /* Set PCV bit */
+@@ -78,9 +79,26 @@ static int ses_recv_diag(struct scsi_dev
+ bufflen & 0xff,
+ 0
+ };
++ unsigned char recv_page_code;
+
+- return scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen,
++ ret = scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen,
+ NULL, SES_TIMEOUT, SES_RETRIES, NULL);
++ if (unlikely(!ret))
++ return ret;
++
++ recv_page_code = ((unsigned char *)buf)[0];
++
++ if (likely(recv_page_code == page_code))
++ return ret;
++
++ /* successful diagnostic but wrong page code. This happens to some
++ * USB devices, just print a message and pretend there was an error */
++
++ sdev_printk(KERN_ERR, sdev,
++ "Wrong diagnostic page; asked for %d got %u\n",
++ page_code, recv_page_code);
++
++ return -EINVAL;
+ }
+
+ static int ses_send_diag(struct scsi_device *sdev, int page_code,
diff --git a/queue-3.14/vgaarb-fix-signal-handling-in-vga_get.patch b/queue-3.14/vgaarb-fix-signal-handling-in-vga_get.patch
new file mode 100644
index 00000000000..a51dd312516
--- /dev/null
+++ b/queue-3.14/vgaarb-fix-signal-handling-in-vga_get.patch
@@ -0,0 +1,43 @@
+From 9f5bd30818c42c6c36a51f93b4df75a2ea2bd85e Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov"
+Date: Mon, 30 Nov 2015 04:17:31 +0200
+Subject: vgaarb: fix signal handling in vga_get()
+
+From: Kirill A. Shutemov
+
+commit 9f5bd30818c42c6c36a51f93b4df75a2ea2bd85e upstream.
+
+There are few defects in vga_get() related to signal hadning:
+
+ - we shouldn't check for pending signals for TASK_UNINTERRUPTIBLE
+ case;
+
+ - if we found pending signal we must remove ourself from wait queue
+ and change task state back to running;
+
+ - -ERESTARTSYS is more appropriate, I guess.
+
+Signed-off-by: Kirill A. Shutemov
+Reviewed-by: David Herrmann
+Signed-off-by: Dave Airlie
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/vga/vgaarb.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/vga/vgaarb.c
++++ b/drivers/gpu/vga/vgaarb.c
+@@ -392,8 +392,10 @@ int vga_get(struct pci_dev *pdev, unsign
+ set_current_state(interruptible ?
+ TASK_INTERRUPTIBLE :
+ TASK_UNINTERRUPTIBLE);
+- if (signal_pending(current)) {
+- rc = -EINTR;
++ if (interruptible && signal_pending(current)) {
++ __set_current_state(TASK_RUNNING);
++ remove_wait_queue(&vga_wait_queue, &wait);
++ rc = -ERESTARTSYS;
+ break;
+ }
+ schedule();
-- 2.47.3
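Review bot: In ses-fix-problems-with-simple-enclosures.patch, the early return `if (unlikely(!ret)) return ret;` in `ses_recv_diag()` looks inverted. The comment further down describes the code after it as the "successful diagnostic but wrong page code" case, yet with this test a zero (presumably successful) result from `scsi_execute_req()` returns before the page code is ever compared. The comparison then runs only after a failed command, where `((unsigned char *)buf)[0]` may not have been written by the device, and the wrong-page message is printed for what is really a transport error. The test should read `if (unlikely(ret)) return ret;` so that only a completed transfer has its first byte checked against `page_code`.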
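Review bot: In vgaarb-fix-signal-handling-in-vga_get.patch, the value returned on a pending signal changes from `-EINTR` to `-ERESTARTSYS`, and the commit message only says this is more appropriate "I guess". That is a caller-visible change: a caller outside the hunk that compares the result with `-EINTR`, or that hands it on from a path which is not a restartable system call, would behave differently. A comment at the assignment, for example `/* returns -ERESTARTSYS (not -EINTR) when a signal is pending */`, would record the new contract. `vga_get()` starts and ends outside the hunk, so its callers and any existing documentation are not visible here.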