From 99638e6a7e2b9ed983d436ee31e74ce86c98f1a8 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Thu, 5 Nov 2015 22:58:42 -0800 Subject: [PATCH] 4.2-stable patches added patches: blk-mq-fix-use-after-free-in-blk_mq_free_tag_set.patch btrfs-fix-possible-leak-in-btrfs_ioctl_balance.patch cpufreq-intel_pstate-fix-divide-by-zero-on-knights-landing-knl.patch crypto-api-only-abort-operations-on-fatal-signal.patch edac-sb_edac-fix-tad-presence-check-for-sbridge_mci_bind_devs.patch ib-cm-fix-rb-tree-duplicate-free-and-use-after-free.patch input-alps-only-the-dell-latitude-d420-430-620-630-have-separate-stick-button-bits.patch irqchip-tegra-propagate-irq-type-setting-to-parent.patch kvm-irqchip-fix-memory-leak.patch md-raid1-submit_bio_wait-returns-0-on-success.patch md-raid10-submit_bio_wait-returns-0-on-success.patch md-raid5-fix-locking-in-handle_stripe_clean_event.patch mvsas-fix-null-pointer-dereference-in-mvs_slot_task_free.patch netfilter-ipset-fix-sleeping-memory-allocation-in-atomic-context.patch revert-md-allow-a-partially-recovered-device-to-be-hot-added-to-an-array.patch sched-deadline-fix-migration-of-sched_deadline-tasks.patch thermal-exynos-fix-register-read-in-tmu.patch um-fix-kernel-mode-fault-condition.patch --- ...se-after-free-in-blk_mq_free_tag_set.patch | 52 ++++++++ ...possible-leak-in-btrfs_ioctl_balance.patch | 54 ++++++++ ...ivide-by-zero-on-knights-landing-knl.patch | 38 ++++++ ...nly-abort-operations-on-fatal-signal.patch | 93 ++++++++++++++ ...ence-check-for-sbridge_mci_bind_devs.patch | 80 ++++++++++++ ...ee-duplicate-free-and-use-after-free.patch | 52 ++++++++ ...-630-have-separate-stick-button-bits.patch | 121 ++++++++++++++++++ ...propagate-irq-type-setting-to-parent.patch | 41 ++++++ queue-4.2/kvm-irqchip-fix-memory-leak.patch | 41 ++++++ ...submit_bio_wait-returns-0-on-success.patch | 34 +++++ ...submit_bio_wait-returns-0-on-success.patch | 34 +++++ ...locking-in-handle_stripe_clean_event.patch | 72 +++++++++++ ...er-dereference-in-mvs_slot_task_free.patch | 40 ++++++ 
...-memory-allocation-in-atomic-context.patch | 49 +++++++ ...d-device-to-be-hot-added-to-an-array.patch | 50 ++++++++ ...ix-migration-of-sched_deadline-tasks.patch | 68 ++++++++++ queue-4.2/series | 18 +++ ...rmal-exynos-fix-register-read-in-tmu.patch | 37 ++++++ .../um-fix-kernel-mode-fault-condition.patch | 33 +++++ 19 files changed, 1007 insertions(+) create mode 100644 queue-4.2/blk-mq-fix-use-after-free-in-blk_mq_free_tag_set.patch create mode 100644 queue-4.2/btrfs-fix-possible-leak-in-btrfs_ioctl_balance.patch create mode 100644 queue-4.2/cpufreq-intel_pstate-fix-divide-by-zero-on-knights-landing-knl.patch create mode 100644 queue-4.2/crypto-api-only-abort-operations-on-fatal-signal.patch create mode 100644 queue-4.2/edac-sb_edac-fix-tad-presence-check-for-sbridge_mci_bind_devs.patch create mode 100644 queue-4.2/ib-cm-fix-rb-tree-duplicate-free-and-use-after-free.patch create mode 100644 queue-4.2/input-alps-only-the-dell-latitude-d420-430-620-630-have-separate-stick-button-bits.patch create mode 100644 queue-4.2/irqchip-tegra-propagate-irq-type-setting-to-parent.patch create mode 100644 queue-4.2/kvm-irqchip-fix-memory-leak.patch create mode 100644 queue-4.2/md-raid1-submit_bio_wait-returns-0-on-success.patch create mode 100644 queue-4.2/md-raid10-submit_bio_wait-returns-0-on-success.patch create mode 100644 queue-4.2/md-raid5-fix-locking-in-handle_stripe_clean_event.patch create mode 100644 queue-4.2/mvsas-fix-null-pointer-dereference-in-mvs_slot_task_free.patch create mode 100644 queue-4.2/netfilter-ipset-fix-sleeping-memory-allocation-in-atomic-context.patch create mode 100644 queue-4.2/revert-md-allow-a-partially-recovered-device-to-be-hot-added-to-an-array.patch create mode 100644 queue-4.2/sched-deadline-fix-migration-of-sched_deadline-tasks.patch create mode 100644 queue-4.2/thermal-exynos-fix-register-read-in-tmu.patch create mode 100644 queue-4.2/um-fix-kernel-mode-fault-condition.patch 
diff --git a/queue-4.2/blk-mq-fix-use-after-free-in-blk_mq_free_tag_set.patch b/queue-4.2/blk-mq-fix-use-after-free-in-blk_mq_free_tag_set.patch
new file mode 100644
index 00000000000..9b84a63ed2a
--- /dev/null
+++ b/queue-4.2/blk-mq-fix-use-after-free-in-blk_mq_free_tag_set.patch
@@ -0,0 +1,52 @@
+From f42d79ab67322e51b92dd7aa965e310c71352a64 Mon Sep 17 00:00:00 2001
+From: Junichi Nomura
+Date: Wed, 14 Oct 2015 05:02:15 +0000
+Subject: blk-mq: fix use-after-free in blk_mq_free_tag_set()
+
+From: Junichi Nomura
+
+commit f42d79ab67322e51b92dd7aa965e310c71352a64 upstream.
+
+tags is freed in blk_mq_free_rq_map() and should not be used after that.
+The problem doesn't manifest if CONFIG_CPUMASK_OFFSTACK is false because
+free_cpumask_var() is nop.
+
+tags->cpumask is allocated in blk_mq_init_tags() so it's natural to
+free cpumask in its counter part, blk_mq_free_tags().
+
+Fixes: f26cdc8536ad ("blk-mq: Shared tag enhancements")
+Signed-off-by: Jun'ichi Nomura
+Cc: Keith Busch
+Reviewed-by: Jeff Moyer
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/blk-mq-tag.c | 1 +
+ block/blk-mq.c | 4 +---
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+--- a/block/blk-mq-tag.c
++++ b/block/blk-mq-tag.c
+@@ -628,6 +628,7 @@ void blk_mq_free_tags(struct blk_mq_tags
+ {
+ bt_free(&tags->bitmap_tags);
+ bt_free(&tags->breserved_tags);
++ free_cpumask_var(tags->cpumask);
+ kfree(tags);
+ }
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -2263,10 +2263,8 @@ void blk_mq_free_tag_set(struct blk_mq_t
+ int i;
+
+ for (i = 0; i < set->nr_hw_queues; i++) {
+- if (set->tags[i]) {
++ if (set->tags[i])
+ blk_mq_free_rq_map(set, set->tags[i], i);
+- free_cpumask_var(set->tags[i]->cpumask);
+- }
+ }
+
+ kfree(set->tags);
diff --git a/queue-4.2/btrfs-fix-possible-leak-in-btrfs_ioctl_balance.patch b/queue-4.2/btrfs-fix-possible-leak-in-btrfs_ioctl_balance.patch
new file mode 100644
index 00000000000..a59572e2727
--- /dev/null
+++ b/queue-4.2/btrfs-fix-possible-leak-in-btrfs_ioctl_balance.patch
@@ -0,0 +1,54 @@
+From 0f89abf56abbd0e1c6e3cef9813e6d9f05383c1e Mon Sep 17 00:00:00 2001
+From: Christian Engelmayer
+Date: Wed, 21 Oct 2015 00:50:06 +0200
+Subject: btrfs: fix possible leak in btrfs_ioctl_balance()
+
+From: Christian Engelmayer
+
+commit 0f89abf56abbd0e1c6e3cef9813e6d9f05383c1e upstream.
+
+Commit 8eb934591f8b ("btrfs: check unsupported filters in balance
+arguments") adds a jump to exit label out_bargs in case the argument
+check fails. At this point in addition to the bargs memory, the
+memory for struct btrfs_balance_control has already been allocated.
+Ownership of bctl is passed to btrfs_balance() in the good case,
+thus the memory is not freed due to the introduced jump. Make sure
+that the memory gets freed in any case as necessary. Detected by
+Coverity CID 1328378.
+
+Signed-off-by: Christian Engelmayer
+Reviewed-by: David Sterba
+Signed-off-by: Chris Mason
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/ioctl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -4649,7 +4649,7 @@ locked:
+
+ if (bctl->flags & ~(BTRFS_BALANCE_ARGS_MASK | BTRFS_BALANCE_TYPE_MASK)) {
+ ret = -EINVAL;
+- goto out_bargs;
++ goto out_bctl;
+ }
+
+ do_balance:
+@@ -4663,12 +4663,15 @@ do_balance:
+ need_unlock = false;
+
+ ret = btrfs_balance(bctl, bargs);
++ bctl = NULL;
+
+ if (arg) {
+ if (copy_to_user(arg, bargs, sizeof(*bargs)))
+ ret = -EFAULT;
+ }
+
++out_bctl:
++ kfree(bctl);
+ out_bargs:
+ kfree(bargs);
+ out_unlock:
diff --git a/queue-4.2/cpufreq-intel_pstate-fix-divide-by-zero-on-knights-landing-knl.patch b/queue-4.2/cpufreq-intel_pstate-fix-divide-by-zero-on-knights-landing-knl.patch
new file mode 100644
index 00000000000..186805c27ee
--- /dev/null
+++ b/queue-4.2/cpufreq-intel_pstate-fix-divide-by-zero-on-knights-landing-knl.patch
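Review bot: The `bctl = NULL;` added right after `btrfs_balance(bctl, bargs)` is the only thing that stops the new `out_bctl: kfree(bctl);` from freeing an object whose ownership, per the description, has passed to btrfs_balance(), yet the code carries no comment saying so. A line such as `/* btrfs_balance() owns bctl from here on; clear it so out_bctl does not free it */` would keep a later reordering from turning the leak fix into a double free. The function starts and ends outside these hunks, so the remaining `goto out_bargs` sites should be checked to confirm none of them runs after bctl has been allocated.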
@@ -0,0 +1,38 @@
+From 8e601a9f97a00bab031980de34f9a81891c1f82f Mon Sep 17 00:00:00 2001
+From: Srinivas Pandruvada
+Date: Thu, 15 Oct 2015 12:34:21 -0700
+Subject: cpufreq: intel_pstate: Fix divide by zero on Knights Landing (KNL)
+
+From: Srinivas Pandruvada
+
+commit 8e601a9f97a00bab031980de34f9a81891c1f82f upstream.
+
+This is a workaround for KNL platform, where in some cases MPERF counter
+will not have updated value before next read of MSR_IA32_MPERF. In this
+case divide by zero will occur. This change ignores current sample for
+busy calculation in this case.
+
+Fixes: b34ef932d79a (intel_pstate: Knights Landing support)
+Signed-off-by: Srinivas Pandruvada
+Acked-by: Kristen Carlson Accardi
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/cpufreq/intel_pstate.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -766,6 +766,11 @@ static inline void intel_pstate_sample(s
+ local_irq_save(flags);
+ rdmsrl(MSR_IA32_APERF, aperf);
+ rdmsrl(MSR_IA32_MPERF, mperf);
++ if (cpu->prev_mperf == mperf) {
++ local_irq_restore(flags);
++ return;
++ }
++
+ tsc = native_read_tsc();
+ local_irq_restore(flags);
+
diff --git a/queue-4.2/crypto-api-only-abort-operations-on-fatal-signal.patch b/queue-4.2/crypto-api-only-abort-operations-on-fatal-signal.patch
new file mode 100644
index 00000000000..357097aed11
--- /dev/null
+++ b/queue-4.2/crypto-api-only-abort-operations-on-fatal-signal.patch
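Review bot: The new early return on `cpu->prev_mperf == mperf` leaves intel_pstate_sample() without refreshing the sample, and it does so on every CPU model rather than only on KNL as the description suggests. The caller is outside the hunk; if it goes on to use the sample after this call it would be working from the previous values, which should be confirmed. The branch also has no comment; something like `/* MPERF has not advanced since the last read: skip this sample rather than divide by a zero delta */` would record why it exists.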
@@ -0,0 +1,93 @@
+From 3fc89adb9fa4beff31374a4bf50b3d099d88ae83 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Mon, 19 Oct 2015 18:23:57 +0800
+Subject: crypto: api - Only abort operations on fatal signal
+
+From: Herbert Xu
+
+commit 3fc89adb9fa4beff31374a4bf50b3d099d88ae83 upstream.
+
+Currently a number of Crypto API operations may fail when a signal
+occurs. This causes nasty problems as the caller of those operations
+are often not in a good position to restart the operation.
+
+In fact there is currently no need for those operations to be
+interrupted by user signals at all. All we need is for them to
+be killable.
+
+This patch replaces the relevant calls of signal_pending with
+fatal_signal_pending, and wait_for_completion_interruptible with
+wait_for_completion_killable, respectively.
+
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/ablkcipher.c | 2 +-
+ crypto/algapi.c | 2 +-
+ crypto/api.c | 6 +++---
+ crypto/crypto_user.c | 2 +-
+ 4 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/crypto/ablkcipher.c
++++ b/crypto/ablkcipher.c
+@@ -706,7 +706,7 @@ struct crypto_ablkcipher *crypto_alloc_a
+ err:
+ if (err != -EAGAIN)
+ break;
+- if (signal_pending(current)) {
++ if (fatal_signal_pending(current)) {
+ err = -EINTR;
+ break;
+ }
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -335,7 +335,7 @@ static void crypto_wait_for_test(struct
+ crypto_alg_tested(larval->alg.cra_driver_name, 0);
+ }
+
+- err = wait_for_completion_interruptible(&larval->completion);
++ err = wait_for_completion_killable(&larval->completion);
+ WARN_ON(err);
+
+ out:
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -172,7 +172,7 @@ static struct crypto_alg *crypto_larval_
+ struct crypto_larval *larval = (void *)alg;
+ long timeout;
+
+- timeout = wait_for_completion_interruptible_timeout(
++ timeout = wait_for_completion_killable_timeout(
+ &larval->completion, 60 * HZ);
+
+ alg = larval->adult;
+@@ -445,7 +445,7 @@ struct crypto_tfm
*crypto_alloc_base(con
+ err:
+ if (err != -EAGAIN)
+ break;
+- if (signal_pending(current)) {
++ if (fatal_signal_pending(current)) {
+ err = -EINTR;
+ break;
+ }
+@@ -562,7 +562,7 @@ void *crypto_alloc_tfm(const char *alg_n
+ err:
+ if (err != -EAGAIN)
+ break;
+- if (signal_pending(current)) {
++ if (fatal_signal_pending(current)) {
+ err = -EINTR;
+ break;
+ }
+--- a/crypto/crypto_user.c
++++ b/crypto/crypto_user.c
+@@ -376,7 +376,7 @@ static struct crypto_alg *crypto_user_sk
+ err = PTR_ERR(alg);
+ if (err != -EAGAIN)
+ break;
+- if (signal_pending(current)) {
++ if (fatal_signal_pending(current)) {
+ err = -EINTR;
+ break;
+ }
diff --git a/queue-4.2/edac-sb_edac-fix-tad-presence-check-for-sbridge_mci_bind_devs.patch b/queue-4.2/edac-sb_edac-fix-tad-presence-check-for-sbridge_mci_bind_devs.patch
new file mode 100644
index 00000000000..84100dad565
--- /dev/null
+++ b/queue-4.2/edac-sb_edac-fix-tad-presence-check-for-sbridge_mci_bind_devs.patch
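Review bot: In crypto_wait_for_test() the `WARN_ON(err);` that follows the new `wait_for_completion_killable()` call is still reachable, because a fatal signal arriving during the wait makes that call return non-zero. A task being killed is an expected event, not a kernel bug, and on hosts configured to panic on warnings the splat takes the machine down. Since control falls through to `out:` either way, the warning can simply be dropped or replaced by a quiet check on `err`; what `out:` does is outside the hunk and should be confirmed to be safe for an unfinished test.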
@@ -0,0 +1,80 @@
+From 2900ea609616c2651dec65312beeb2a6e536bc50 Mon Sep 17 00:00:00 2001
+From: Seth Jennings
+Date: Wed, 5 Aug 2015 13:16:01 -0500
+Subject: EDAC, sb_edac: Fix TAD presence check for sbridge_mci_bind_devs()
+
+From: Seth Jennings
+
+commit 2900ea609616c2651dec65312beeb2a6e536bc50 upstream.
+
+In commit
+
+ 7d375bffa524 ("sb_edac: Fix support for systems with two home agents per socket")
+
+NUM_CHANNELS was changed to 8 and the channel space was renumerated to
+handle EN, EP, and EX configurations.
+
+The *_mci_bind_devs() functions - except for sbridge_mci_bind_devs() -
+got a new device presence check in the form of saw_chan_mask. However,
+sbridge_mci_bind_devs() still uses the NUM_CHANNELS for loop.
+
+With the increase in NUM_CHANNELS, this loop fails at index 4 since
+SB only has 4 TADs. This results in the following error on SB machines:
+
+ EDAC sbridge: Some needed devices are missing
+ EDAC sbridge: Couldn't find mci handler
+ EDAC sbridge: Couldn't find mci handle
+
+This patch adapts the saw_chan_mask logic for sbridge_mci_bind_devs() as
+well.
+
+After this patch:
+
+ EDAC MC0: Giving out device to module sbridge_edac.c controller Sandy Bridge Socket#0: DEV 0000:3f:0e.0 (POLLED)
+ EDAC MC1: Giving out device to module sbridge_edac.c controller Sandy Bridge Socket#1: DEV 0000:7f:0e.0 (POLLED)
+
+Signed-off-by: Seth Jennings
+Acked-by: Aristeu Rozanski
+Acked-by: Tony Luck
+Tested-by: Borislav Petkov
+Cc: Mauro Carvalho Chehab
+Cc: linux-edac
+Link: http://lkml.kernel.org/r/1438798561-10180-1-git-send-email-sjenning@redhat.com
+Signed-off-by: Borislav Petkov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/edac/sb_edac.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/edac/sb_edac.c
++++ b/drivers/edac/sb_edac.c
+@@ -1648,6 +1648,7 @@ static int sbridge_mci_bind_devs(struct
+ {
+ struct sbridge_pvt *pvt = mci->pvt_info;
+ struct pci_dev *pdev;
++ u8 saw_chan_mask = 0;
+ int i;
+
+ for (i = 0; i < sbridge_dev->n_devs; i++) {
+@@ -1681,6 +1682,7 @@ static int sbridge_mci_bind_devs(struct
+ {
+ int id = pdev->device - PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_TAD0;
+ pvt->pci_tad[id] = pdev;
++ saw_chan_mask |= 1 << id;
+ }
+ break;
+ case PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_DDRIO:
+@@ -1701,10 +1703,8 @@ static int sbridge_mci_bind_devs(struct
+ !pvt-> pci_tad || !pvt->pci_ras || !pvt->pci_ta)
+ goto enodev;
+
+- for (i = 0; i < NUM_CHANNELS; i++) {
+- if (!pvt->pci_tad[i])
+- goto enodev;
+- }
++ if (saw_chan_mask != 0x0f)
++ goto enodev;
+ return 0;
+
+ enodev:
diff --git a/queue-4.2/ib-cm-fix-rb-tree-duplicate-free-and-use-after-free.patch b/queue-4.2/ib-cm-fix-rb-tree-duplicate-free-and-use-after-free.patch
new file mode 100644
index 00000000000..b094f25b7f0
--- /dev/null
+++ b/queue-4.2/ib-cm-fix-rb-tree-duplicate-free-and-use-after-free.patch
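Review bot: The final check `if (saw_chan_mask != 0x0f)` encodes "TAD0 through TAD3 were all seen" as a bare constant, and the code no longer says anywhere that Sandy Bridge has exactly four TADs. A comment such as `/* SB has four TADs (TAD0..TAD3); all of them must be present */`, or a named constant, would make that explicit. The `1 << id` shift and the `pvt->pci_tad[id]` store both rely on `id` staying within 0..3, which is decided by the case labels outside the hunk and is worth confirming there.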
@@ -0,0 +1,52 @@
+From 0ca81a2840f77855bbad1b9f172c545c4dc9e6a4 Mon Sep 17 00:00:00 2001
+From: Doron Tsur
+Date: Sun, 11 Oct 2015 15:58:17 +0300
+Subject: IB/cm: Fix rb-tree duplicate free and use-after-free
+
+From: Doron Tsur
+
+commit 0ca81a2840f77855bbad1b9f172c545c4dc9e6a4 upstream.
+
+ib_send_cm_sidr_rep could sometimes erase the node from the sidr
+(depending on errors in the process). Since ib_send_cm_sidr_rep is
+called both from cm_sidr_req_handler and cm_destroy_id, cm_id_priv
+could be either erased from the rb_tree twice or not erased at all.
+Fixing that by making sure it's erased only once before freeing
+cm_id_priv.
+
+Fixes: a977049dacde ('[PATCH] IB: Add the kernel CM implementation')
+Signed-off-by: Doron Tsur
+Signed-off-by: Matan Barak
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/cm.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/cm.c
++++ b/drivers/infiniband/core/cm.c
+@@ -873,6 +873,11 @@ retest:
+ case IB_CM_SIDR_REQ_RCVD:
+ spin_unlock_irq(&cm_id_priv->lock);
+ cm_reject_sidr_req(cm_id_priv, IB_SIDR_REJECT);
++ spin_lock_irq(&cm.lock);
++ if (!RB_EMPTY_NODE(&cm_id_priv->sidr_id_node))
++ rb_erase(&cm_id_priv->sidr_id_node,
++ &cm.remote_sidr_table);
++ spin_unlock_irq(&cm.lock);
+ break;
+ case IB_CM_REQ_SENT:
+ case IB_CM_MRA_REQ_RCVD:
+@@ -3112,7 +3117,10 @@ int ib_send_cm_sidr_rep(struct ib_cm_id
+ spin_unlock_irqrestore(&cm_id_priv->lock, flags);
+
+ spin_lock_irqsave(&cm.lock, flags);
+- rb_erase(&cm_id_priv->sidr_id_node, &cm.remote_sidr_table);
++ if (!RB_EMPTY_NODE(&cm_id_priv->sidr_id_node)) {
++ rb_erase(&cm_id_priv->sidr_id_node, &cm.remote_sidr_table);
++ RB_CLEAR_NODE(&cm_id_priv->sidr_id_node);
++ }
+ spin_unlock_irqrestore(&cm.lock, flags);
+ return 0;
+
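Review bot: The two erase sites are not symmetric: ib_send_cm_sidr_rep() now calls `RB_CLEAR_NODE(&cm_id_priv->sidr_id_node);` after `rb_erase()`, while the block added to the `IB_CM_SIDR_REQ_RCVD` case erases the node and leaves it marked as linked. If anything later in the destroy path (outside the hunk) tests the node again, it would see a non-empty node that is no longer in `cm.remote_sidr_table`; adding the same `RB_CLEAR_NODE(...)` inside that `if`, with braces, keeps the state consistent. Both `RB_EMPTY_NODE()` checks also depend on the node having been cleared when cm_id_priv was set up, which these hunks do not show and should be confirmed.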
diff --git a/queue-4.2/input-alps-only-the-dell-latitude-d420-430-620-630-have-separate-stick-button-bits.patch b/queue-4.2/input-alps-only-the-dell-latitude-d420-430-620-630-have-separate-stick-button-bits.patch
new file mode 100644
index 00000000000..8c028458149
--- /dev/null
+++ b/queue-4.2/input-alps-only-the-dell-latitude-d420-430-620-630-have-separate-stick-button-bits.patch
@@ -0,0 +1,121 @@
+From 195562194aad3a0a3915941077f283bcc6347b9b Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Mon, 26 Oct 2015 01:50:28 -0700
+Subject: Input: alps - only the Dell Latitude D420/430/620/630 have separate stick button bits
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede
+
+commit 195562194aad3a0a3915941077f283bcc6347b9b upstream.
+
+commit 92bac83dd79e ("Input: alps - non interleaved V2 dualpoint has
+separate stick button bits") assumes that all alps v2 non-interleaved
+dual point setups have the separate stick button bits.
+
+Later we limited this to Dell laptops only because of reports that this
+broke things on non Dell laptops. Now it turns out that this breaks things
+on the Dell Latitude D600 too. So it seems that only the Dell Latitude
+D420/430/620/630, which all share the same touchpad / stick combo,
+have these separate bits.
+
+This patch limits the checking of the separate bits to only these models
+fixing regressions with other models.
+
+Reported-and-tested-by: Larry Finger
+Tested-by: Hans de Goede
+Signed-off-by: Hans de Goede
+Acked-By: Pali Rohár
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/mouse/alps.c | 48 +++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 42 insertions(+), 6 deletions(-)
+
+--- a/drivers/input/mouse/alps.c
++++ b/drivers/input/mouse/alps.c
+@@ -100,7 +100,7 @@ static const struct alps_nibble_commands
+ #define ALPS_FOUR_BUTTONS 0x40 /* 4 direction button present */
+ #define ALPS_PS2_INTERLEAVED 0x80 /* 3-byte PS/2 packet interleaved with
+ 6-byte ALPS packet */
+-#define ALPS_DELL 0x100 /* device is a Dell laptop */
++#define ALPS_STICK_BITS 0x100 /* separate stick button bits */
+ #define ALPS_BUTTONPAD 0x200 /* device is a clickpad */
+
+ static const struct alps_model_info alps_model_data[] = {
+@@ -159,6 +159,43 @@ static const struct alps_protocol_info a
+ ALPS_PROTO_V8, 0x18, 0x18, 0
+ };
+
++/*
++ * Some v2 models report the stick buttons in separate bits
++ */
++static const struct dmi_system_id alps_dmi_has_separate_stick_buttons[] = {
++#if defined(CONFIG_DMI) && defined(CONFIG_X86)
++ {
++ /* Extrapolated from other entries */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D420"),
++ },
++ },
++ {
++ /* Reported-by: Hans de Bruin */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D430"),
++ },
++ },
++ {
++ /* Reported-by: Hans de Goede */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D620"),
++ },
++ },
++ {
++ /* Extrapolated from other entries */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude D630"),
++ },
++ },
++#endif
++ { }
++};
++
+ static void alps_set_abs_params_st(struct alps_data *priv,
+ struct input_dev *dev1);
+ static void alps_set_abs_params_semi_mt(struct alps_data *priv,
+@@
-253,9 +290,8 @@ static void alps_process_packet_v1_v2(st
+ return;
+ }
+
+- /* Dell non interleaved V2 dualpoint has separate stick button bits */
+- if (priv->proto_version == ALPS_PROTO_V2 &&
+- priv->flags == (ALPS_DELL | ALPS_PASS | ALPS_DUALPOINT)) {
++ /* Some models have separate stick button bits */
++ if (priv->flags & ALPS_STICK_BITS) {
+ left |= packet[0] & 1;
+ right |= packet[0] & 2;
+ middle |= packet[0] & 4;
+@@ -2552,8 +2588,6 @@ static int alps_set_protocol(struct psmo
+ priv->byte0 = protocol->byte0;
+ priv->mask0 = protocol->mask0;
+ priv->flags = protocol->flags;
+- if (dmi_name_in_vendors("Dell"))
+- priv->flags |= ALPS_DELL;
+
+ priv->x_max = 2000;
+ priv->y_max = 1400;
+@@ -2568,6 +2602,8 @@ static int alps_set_protocol(struct psmo
+ priv->set_abs_params = alps_set_abs_params_st;
+ priv->x_max = 1023;
+ priv->y_max = 767;
++ if (dmi_check_system(alps_dmi_has_separate_stick_buttons))
++ priv->flags |= ALPS_STICK_BITS;
+ break;
+
+ case ALPS_PROTO_V3:
diff --git a/queue-4.2/irqchip-tegra-propagate-irq-type-setting-to-parent.patch b/queue-4.2/irqchip-tegra-propagate-irq-type-setting-to-parent.patch
new file mode 100644
index 00000000000..922fc5592a4
--- /dev/null
+++ b/queue-4.2/irqchip-tegra-propagate-irq-type-setting-to-parent.patch
@@ -0,0 +1,41 @@
+From 209da39154837ec1b69fb34f438041939911e4b4 Mon Sep 17 00:00:00 2001
+From: Lucas Stach
+Date: Sun, 25 Oct 2015 16:39:12 +0100
+Subject: irqchip/tegra: Propagate IRQ type setting to parent
+
+From: Lucas Stach
+
+commit 209da39154837ec1b69fb34f438041939911e4b4 upstream.
+
+The LIC doesn't deal with the different types of interrupts itself
+but needs to forward calls to set the appropriate type to its parent
+IRQ controller.
+
+Without this fix all IRQs routed through the LIC will stay at the
+initial EDGE type, while most of them should actually be level triggered.
+
+Fixes: 1eec582158e2 "irqchip: tegra: Add Tegra210 support"
+Signed-off-by: Lucas Stach
+Cc: Stephen Warren
+Cc: Thierry Reding
+Cc: Alexandre Courbot
+Cc: Jason Cooper
+Cc: Marc Zyngier
+Link: http://lkml.kernel.org/r/1445787552-13062-1-git-send-email-dev@lynxeye.de
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/irqchip/irq-tegra.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/irqchip/irq-tegra.c
++++ b/drivers/irqchip/irq-tegra.c
+@@ -215,6 +215,7 @@ static struct irq_chip tegra_ictlr_chip
+ .irq_unmask = tegra_unmask,
+ .irq_retrigger = tegra_retrigger,
+ .irq_set_wake = tegra_set_wake,
++ .irq_set_type = irq_chip_set_type_parent,
+ .flags = IRQCHIP_MASK_ON_SUSPEND,
+ #ifdef CONFIG_SMP
+ .irq_set_affinity = irq_chip_set_affinity_parent,
diff --git a/queue-4.2/kvm-irqchip-fix-memory-leak.patch b/queue-4.2/kvm-irqchip-fix-memory-leak.patch
new file mode 100644
index 00000000000..6fb4bd3f502
--- /dev/null
+++ b/queue-4.2/kvm-irqchip-fix-memory-leak.patch
@@ -0,0 +1,41 @@
+From ba60c41ae392b473a1897faa0b8739fcb8759d69 Mon Sep 17 00:00:00 2001
+From: Sudip Mukherjee
+Date: Wed, 2 Sep 2015 12:33:53 +0530
+Subject: kvm: irqchip: fix memory leak
+
+From: Sudip Mukherjee
+
+commit ba60c41ae392b473a1897faa0b8739fcb8759d69 upstream.
+
+We were taking the exit path after checking ue->flags and return value
+of setup_routing_entry(), but 'e' was not freed incase of a failure.
+
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Paolo Bonzini
+Cc: William Dauchy
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/irqchip.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/virt/kvm/irqchip.c
++++ b/virt/kvm/irqchip.c
+@@ -213,11 +213,15 @@ int kvm_set_irq_routing(struct kvm *kvm,
+ goto out;
+
+ r = -EINVAL;
+- if (ue->flags)
++ if (ue->flags) {
++ kfree(e);
+ goto out;
++ }
+ r = setup_routing_entry(new, e, ue);
+- if (r)
++ if (r) {
++ kfree(e);
+ goto out;
++ }
+ ++ue;
+ }
+
diff --git a/queue-4.2/md-raid1-submit_bio_wait-returns-0-on-success.patch b/queue-4.2/md-raid1-submit_bio_wait-returns-0-on-success.patch
new file mode 100644
index 00000000000..2f84e53d2fb
--- /dev/null
+++ b/queue-4.2/md-raid1-submit_bio_wait-returns-0-on-success.patch
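Review bot: The ownership rule for `e` is now spread over two separate `kfree(e);` calls in the loop body and is not written down anywhere, so the next error exit added between the allocation and `++ue` can reintroduce the leak. A comment above the first check, for example `/* e belongs to this loop iteration until setup_routing_entry() succeeds; free it on every earlier exit */`, would make that explicit; that the entry is kept by `new` on success is inferred from the call and should be confirmed. The allocation of `e` and the `out:` label are outside the hunk.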
@@ -0,0 +1,34 @@
+From 203d27b0226a05202438ddb39ef0ef1acb14a759 Mon Sep 17 00:00:00 2001
+From: Jes Sorensen
+Date: Tue, 20 Oct 2015 12:09:12 -0400
+Subject: md/raid1: submit_bio_wait() returns 0 on success
+
+From: Jes Sorensen
+
+commit 203d27b0226a05202438ddb39ef0ef1acb14a759 upstream.
+
+This was introduced with 9e882242c6193ae6f416f2d8d8db0d9126bd996b
+which changed the return value of submit_bio_wait() to return != 0 on
+error, but didn't update the caller accordingly.
+
+Fixes: 9e882242c6 ("block: Add submit_bio_wait(), remove from md")
+Reported-by: Bill Kuzeja
+Signed-off-by: Jes Sorensen
+Signed-off-by: NeilBrown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/raid1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -2249,7 +2249,7 @@ static int narrow_write_error(struct r1b
+ bio_trim(wbio, sector - r1_bio->sector, sectors);
+ wbio->bi_iter.bi_sector += rdev->data_offset;
+ wbio->bi_bdev = rdev->bdev;
+- if (submit_bio_wait(WRITE, wbio) == 0)
++ if (submit_bio_wait(WRITE, wbio) < 0)
+ /* failure! */
+ ok = rdev_set_badblocks(rdev, sector,
+ sectors, 0)
diff --git a/queue-4.2/md-raid10-submit_bio_wait-returns-0-on-success.patch b/queue-4.2/md-raid10-submit_bio_wait-returns-0-on-success.patch
new file mode 100644
index 00000000000..0bdf3e02079
--- /dev/null
+++ b/queue-4.2/md-raid10-submit_bio_wait-returns-0-on-success.patch
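Review bot: The new test `submit_bio_wait(WRITE, wbio) < 0` is narrower than the contract quoted in the description, which says submit_bio_wait() returns != 0 on error; any positive error value would be taken as success and the bad block would go unrecorded. If the function can only return 0 or a negative errno the two forms are equivalent, but `if (submit_bio_wait(WRITE, wbio) != 0)` matches the stated contract without depending on that. The same remark applies to the identical change in drivers/md/raid10.c in the following patch; narrow_write_error() extends beyond the hunk in both files.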
@@ -0,0 +1,34 @@
+From 681ab4696062f5aa939c9e04d058732306a97176 Mon Sep 17 00:00:00 2001
+From: Jes Sorensen
+Date: Tue, 20 Oct 2015 12:09:13 -0400
+Subject: md/raid10: submit_bio_wait() returns 0 on success
+
+From: Jes Sorensen
+
+commit 681ab4696062f5aa939c9e04d058732306a97176 upstream.
+
+This was introduced with 9e882242c6193ae6f416f2d8d8db0d9126bd996b
+which changed the return value of submit_bio_wait() to return != 0 on
+error, but didn't update the caller accordingly.
+
+Fixes: 9e882242c6 ("block: Add submit_bio_wait(), remove from md")
+Reported-by: Bill Kuzeja
+Signed-off-by: Jes Sorensen
+Signed-off-by: NeilBrown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/raid10.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -2580,7 +2580,7 @@ static int narrow_write_error(struct r10
+ choose_data_offset(r10_bio, rdev) +
+ (sector - r10_bio->sector));
+ wbio->bi_bdev = rdev->bdev;
+- if (submit_bio_wait(WRITE, wbio) == 0)
++ if (submit_bio_wait(WRITE, wbio) < 0)
+ /* Failure! */
+ ok = rdev_set_badblocks(rdev, sector,
+ sectors, 0)
diff --git a/queue-4.2/md-raid5-fix-locking-in-handle_stripe_clean_event.patch b/queue-4.2/md-raid5-fix-locking-in-handle_stripe_clean_event.patch
new file mode 100644
index 00000000000..74bf6806f00
--- /dev/null
+++ b/queue-4.2/md-raid5-fix-locking-in-handle_stripe_clean_event.patch
@@ -0,0 +1,72 @@
+From b8a9d66d043ffac116100775a469f05f5158c16f Mon Sep 17 00:00:00 2001
+From: Roman Gushchin
+Date: Sat, 31 Oct 2015 10:53:50 +1100
+Subject: md/raid5: fix locking in handle_stripe_clean_event()
+
+From: Roman Gushchin
+
+commit b8a9d66d043ffac116100775a469f05f5158c16f upstream.
+
+After commit 566c09c53455 ("raid5: relieve lock contention in get_active_stripe()")
+__find_stripe() is called under conf->hash_locks + hash.
+But handle_stripe_clean_event() calls remove_hash() under
+conf->device_lock.
+
+Under some cirscumstances the hash chain can be circuited,
+and we get an infinite loop with disabled interrupts and locked hash
+lock in __find_stripe(). This leads to hard lockup on multiple CPUs
+and following system crash.
+
+I was able to reproduce this behavior on raid6 over 6 ssd disks.
+The devices_handle_discard_safely option should be set to enable trim
+support. The following script was used:
+
+for i in `seq 1 32`; do
+ dd if=/dev/zero of=large$i bs=10M count=100 &
+done
+
+neilb: original was against a 3.x kernel. I forward-ported
+ to 4.3-rc. This verison is suitable for any kernel since
+ Commit: 59fc630b8b5f ("RAID5: batch adjacent full stripe write")
+ (v4.1+). I'll post a version for earlier kernels to stable.
+
+Signed-off-by: Roman Gushchin
+Fixes: 566c09c53455 ("raid5: relieve lock contention in get_active_stripe()")
+Signed-off-by: NeilBrown
+Cc: Shaohua Li
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/raid5.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -3505,6 +3505,7 @@ returnbi:
+ }
+ if (!discard_pending &&
+ test_bit(R5_Discard, &sh->dev[sh->pd_idx].flags)) {
++ int hash;
+ clear_bit(R5_Discard, &sh->dev[sh->pd_idx].flags);
+ clear_bit(R5_UPTODATE, &sh->dev[sh->pd_idx].flags);
+ if (sh->qd_idx >= 0) {
+@@ -3518,16 +3519,17 @@ returnbi:
+ * no updated data, so remove it from hash list and the stripe
+ * will be reinitialized
+ */
+- spin_lock_irq(&conf->device_lock);
+ unhash:
++ hash = sh->hash_lock_index;
++ spin_lock_irq(conf->hash_locks + hash);
+ remove_hash(sh);
++ spin_unlock_irq(conf->hash_locks + hash);
+ if (head_sh->batch_head) {
+ sh = list_first_entry(&sh->batch_list,
+ struct stripe_head, batch_list);
+ if (sh != head_sh)
+ goto unhash;
+ }
+- spin_unlock_irq(&conf->device_lock);
+ sh = head_sh;
+
+ if (test_bit(STRIPE_SYNC_REQUESTED, &sh->state))
diff --git a/queue-4.2/mvsas-fix-null-pointer-dereference-in-mvs_slot_task_free.patch b/queue-4.2/mvsas-fix-null-pointer-dereference-in-mvs_slot_task_free.patch
new file mode 100644
index 00000000000..1e019f68ba1
--- /dev/null
+++ b/queue-4.2/mvsas-fix-null-pointer-dereference-in-mvs_slot_task_free.patch
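Review bot: With `conf->device_lock` no longer held across the `unhash:` loop, the `head_sh->batch_head` test and the `list_first_entry(&sh->batch_list, struct stripe_head, batch_list)` walk now run with no lock visible in the hunk; only `remove_hash(sh)` is covered by the per-hash lock. Whether the batch list is stable at this point depends on code outside the hunk, so it should be confirmed, and the loop deserves a comment stating what protects the walk, e.g. `/* batch_list is stable here because <reason>; only the hash chain needs hash_locks */`. The enclosing function starts and ends outside both hunks.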
@@ -0,0 +1,40 @@
+From 2280521719e81919283b82902ac24058f87dfc1b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?D=C4=81vis=20Mos=C4=81ns?=
+Date: Fri, 21 Aug 2015 07:29:22 +0300
+Subject: mvsas: Fix NULL pointer dereference in mvs_slot_task_free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?D=C4=81vis=20Mos=C4=81ns?=
+
+commit 2280521719e81919283b82902ac24058f87dfc1b upstream.
+
+When pci_pool_alloc fails in mvs_task_prep then task->lldd_task stays
+NULL but it's later used in mvs_abort_task as slot which is passed
+to mvs_slot_task_free causing NULL pointer dereference.
+
+Just return from mvs_slot_task_free when passed with NULL slot.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=101891
+Signed-off-by: Dāvis Mosāns
+Reviewed-by: Tomas Henzl
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/mvsas/mv_sas.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/mvsas/mv_sas.c
++++ b/drivers/scsi/mvsas/mv_sas.c
+@@ -887,6 +887,8 @@ static void mvs_slot_free(struct mvs_inf
+ static void mvs_slot_task_free(struct mvs_info *mvi, struct sas_task *task,
+ struct mvs_slot_info *slot, u32 slot_idx)
+ {
++ if (!slot)
++ return;
+ if (!slot->task)
+ return;
+ if (!sas_protocol_ata(task->task_proto))
diff --git a/queue-4.2/netfilter-ipset-fix-sleeping-memory-allocation-in-atomic-context.patch b/queue-4.2/netfilter-ipset-fix-sleeping-memory-allocation-in-atomic-context.patch
new file mode 100644
index 00000000000..ee5c51aaa03
--- /dev/null
+++ b/queue-4.2/netfilter-ipset-fix-sleeping-memory-allocation-in-atomic-context.patch
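Review bot: The added `if (!slot) return;` guards only this callee, while the description places the origin of the NULL in mvs_task_prep leaving `task->lldd_task` unset when pci_pool_alloc fails. Other readers of `task->lldd_task` are outside the hunk and may still dereference it, so the abort path in the caller is worth checking as well. The two guards can also be folded into one, `if (!slot || !slot->task) return;`, with a short comment that a NULL slot means the task never got one. The body of mvs_slot_task_free() continues past the hunk.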
@@ -0,0 +1,49 @@
+From 00db674bedd68ff8b5afae9030ff5e04d45d1b4a Mon Sep 17 00:00:00 2001
+From: Nikolay Borisov
+Date: Fri, 16 Oct 2015 09:40:28 +0300
+Subject: netfilter: ipset: Fix sleeping memory allocation in atomic context
+
+From: Nikolay Borisov
+
+commit 00db674bedd68ff8b5afae9030ff5e04d45d1b4a upstream.
+
+Commit 00590fdd5be0 introduced RCU locking in list type and in
+doing so introduced a memory allocation in list_set_add, which
+is done in an atomic context, due to the fact that ipset rcu
+list modifications are serialised with a spin lock. The reason
+why we can't use a mutex is that in addition to modifying the
+list with ipset commands, it's also being modified when a
+particular ipset rule timeout expires aka garbage collection.
+This gc is triggered from set_cleanup_entries, which in turn
+is invoked from a timer thus requiring the lock to be bh-safe.
+
+Concretely the following call chain can lead to "sleeping function
+called in atomic context" splat:
+call_ad -> list_set_uadt -> list_set_uadd -> kzalloc(, GFP_KERNEL).
+And since GFP_KERNEL allows initiating direct reclaim thus
+potentially sleeping in the allocation path.
+
+To fix the issue change the allocation type to GFP_ATOMIC, to
+correctly reflect that it is occuring in an atomic context.
+
+Fixes: 00590fdd5be0 ("netfilter: ipset: Introduce RCU locking in list type")
+Signed-off-by: Nikolay Borisov
+Acked-by: Jozsef Kadlecsik
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/ipset/ip_set_list_set.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_list_set.c
++++ b/net/netfilter/ipset/ip_set_list_set.c
+@@ -297,7 +297,7 @@ list_set_uadd(struct ip_set *set, void *
+ ip_set_timeout_expired(ext_timeout(n, set))))
+ n = NULL;
+
+- e = kzalloc(set->dsize, GFP_KERNEL);
++ e = kzalloc(set->dsize, GFP_ATOMIC);
+ if (!e)
+ return -ENOMEM;
+ e->id = d->id;
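Review bot: The switch to `GFP_ATOMIC` in list_set_uadd() carries no comment, and nothing in the visible lines shows that the function runs under a spinlock, so a later change back to GFP_KERNEL would look harmless. A line above the allocation such as `/* called with the set spinlock held (also taken from the gc timer): must not sleep */` records the constraint the commit message describes. GFP_ATOMIC allocations fail more readily under memory pressure, so the existing `if (!e) return -ENOMEM;` path will be taken more often; it is handled here, but callers outside the hunk should be checked for how they treat -ENOMEM. The function starts and ends outside the hunk.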
diff --git a/queue-4.2/revert-md-allow-a-partially-recovered-device-to-be-hot-added-to-an-array.patch b/queue-4.2/revert-md-allow-a-partially-recovered-device-to-be-hot-added-to-an-array.patch
new file mode 100644
index 00000000000..c448c4ebe6d
--- /dev/null
+++ b/queue-4.2/revert-md-allow-a-partially-recovered-device-to-be-hot-added-to-an-array.patch
@@ -0,0 +1,50 @@
+From d01552a76d71f9879af448e9142389ee9be6e95b Mon Sep 17 00:00:00 2001
+From: NeilBrown
+Date: Sat, 31 Oct 2015 11:00:56 +1100
+Subject: Revert "md: allow a partially recovered device to be hot-added to an array."
+
+From: NeilBrown
+
+commit d01552a76d71f9879af448e9142389ee9be6e95b upstream.
+
+This reverts commit 7eb418851f3278de67126ea0c427641ab4792c57.
+
+This commit is poorly justified, I can find not discusison in email,
+and it clearly causes a problem.
+
+If a device which is being recovered fails and is subsequently
+re-added to an array, there could easily have been changes to the
+array *before* the point where the recovery was up to. So the
+recovery must start again from the beginning.
+
+If a spare is being recovered and fails, then when it is re-added we
+really should do a bitmap-based recovery up to the recovery-offset,
+and then a full recovery from there. Before this reversion, we only
+did the "full recovery from there" which is not corect. After this
+reversion with will do a full recovery from the start, which is safer
+but not ideal.
+
+It will be left to a future patch to arrange the two different styles
+of recovery.
+
+Reported-and-tested-by: Nate Dailey
+Signed-off-by: NeilBrown
+Fixes: 7eb418851f32 ("md: allow a partially recovered device to be hot-added to an array.")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/md.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -8030,8 +8030,7 @@ static int remove_and_add_spares(struct
+ !test_bit(Bitmap_sync, &rdev->flags)))
+ continue;
+
+- if (rdev->saved_raid_disk < 0)
+- rdev->recovery_offset = 0;
++ rdev->recovery_offset = 0;
+ if (mddev->pers->
+ hot_add_disk(mddev, rdev) == 0) {
+ if (sysfs_link_rdev(mddev, rdev))
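Review bot: The now unconditional `rdev->recovery_offset = 0;` in remove_and_add_spares() has no comment explaining why a saved offset is thrown away, and an unexplained reset like this is the kind of line a later optimisation puts back behind a condition. I would add `/* a re-added device may have missed writes before its old recovery_offset: always restart from 0 */` above it, which is the reasoning the commit message gives. The enclosing loop starts and ends outside the hunk.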
diff --git a/queue-4.2/sched-deadline-fix-migration-of-sched_deadline-tasks.patch b/queue-4.2/sched-deadline-fix-migration-of-sched_deadline-tasks.patch
new file mode 100644
index 00000000000..9d28d919866
--- /dev/null
+++ b/queue-4.2/sched-deadline-fix-migration-of-sched_deadline-tasks.patch
@@ -0,0 +1,68 @@
+From 5aa5050787f449e7eaef2c5ec93c7b357aa7dcdc Mon Sep 17 00:00:00 2001
+From: Luca Abeni
+Date: Fri, 16 Oct 2015 10:06:21 +0200
+Subject: sched/deadline: Fix migration of SCHED_DEADLINE tasks
+
+From: Luca Abeni
+
+commit 5aa5050787f449e7eaef2c5ec93c7b357aa7dcdc upstream.
+
+Commit:
+
+ 9d5142624256 ("sched/deadline: Reduce rq lock contention by eliminating locking of non-feasible target")
+
+broke select_task_rq_dl() and find_lock_later_rq(), because it introduced
+a comparison between the local task's deadline and dl.earliest_dl.curr of
+the remote queue.
+
+However, if the remote runqueue does not contain any SCHED_DEADLINE
+task its earliest_dl.curr is 0 (always smaller than the deadline of
+the local task) and the remote runqueue is not selected for pushing.
+
+As a result, if an application creates multiple SCHED_DEADLINE
+threads, they will never be pushed to runqueues that do not already
+contain SCHED_DEADLINE tasks.
+
+This patch fixes the issue by checking if dl.dl_nr_running == 0.
+
+Signed-off-by: Luca Abeni
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: Juri Lelli
+Cc: Linus Torvalds
+Cc: Mike Galbraith
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: Wanpeng Li
+Fixes: 9d5142624256 ("sched/deadline: Reduce rq lock contention by eliminating locking of non-feasible target")
+Link: http://lkml.kernel.org/r/1444982781-15608-1-git-send-email-luca.abeni@unitn.it
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/sched/deadline.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -1066,8 +1066,9 @@ select_task_rq_dl(struct task_struct *p,
+ int target = find_later_rq(p);
+
+ if (target != -1 &&
+- dl_time_before(p->dl.deadline,
+- cpu_rq(target)->dl.earliest_dl.curr))
++ (dl_time_before(p->dl.deadline,
++ cpu_rq(target)->dl.earliest_dl.curr) ||
++ (cpu_rq(target)->dl.dl_nr_running == 0)))
+ cpu = target;
+ }
+ rcu_read_unlock();
+@@ -1417,7 +1418,8 @@ static struct rq *find_lock_later_rq(str
+
+ later_rq = cpu_rq(cpu);
+
+- if (!dl_time_before(task->dl.deadline,
++ if (later_rq->dl.dl_nr_running &&
++ !dl_time_before(task->dl.deadline,
+ later_rq->dl.earliest_dl.curr)) {
+ /*
+ * Target rq has tasks of equal or earlier deadline,
diff --git a/queue-4.2/series b/queue-4.2/series
index 24503f66090..7b609bc6e93 100644
--- a/queue-4.2/series
+++ b/queue-4.2/series
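Review bot: The two new emptiness tests are written in different shapes: select_task_rq_dl() evaluates dl_time_before() first and only then `dl_nr_running == 0`, while find_lock_later_rq() tests `later_rq->dl.dl_nr_running` first. Since the commit message says earliest_dl.curr is 0 on a runqueue with no SCHED_DEADLINE tasks, checking the count first in both places reads more clearly, i.e. `(!cpu_rq(target)->dl.dl_nr_running ||` ahead of the existing `dl_time_before(p->dl.deadline, cpu_rq(target)->dl.earliest_dl.curr))`. A short comment at either site, e.g. `/* an rq with no -deadline tasks is always a valid target */`, would explain the special case. Both functions continue outside their hunks.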
@@ -83,3 +83,21 @@ ovl-free-lower_mnt-array-in-ovl_put_super.patch
 ovl-use-o_largefile-in-ovl_copy_up.patch
 ovl-fix-dentry-reference-leak.patch
 ovl-fix-open-in-stacked-overlay.patch
+input-alps-only-the-dell-latitude-d420-430-620-630-have-separate-stick-button-bits.patch
+crypto-api-only-abort-operations-on-fatal-signal.patch
+md-raid1-submit_bio_wait-returns-0-on-success.patch
+md-raid10-submit_bio_wait-returns-0-on-success.patch
+md-raid5-fix-locking-in-handle_stripe_clean_event.patch
+revert-md-allow-a-partially-recovered-device-to-be-hot-added-to-an-array.patch
+edac-sb_edac-fix-tad-presence-check-for-sbridge_mci_bind_devs.patch
+irqchip-tegra-propagate-irq-type-setting-to-parent.patch
+mvsas-fix-null-pointer-dereference-in-mvs_slot_task_free.patch
+netfilter-ipset-fix-sleeping-memory-allocation-in-atomic-context.patch
+btrfs-fix-possible-leak-in-btrfs_ioctl_balance.patch
+kvm-irqchip-fix-memory-leak.patch
+thermal-exynos-fix-register-read-in-tmu.patch
+um-fix-kernel-mode-fault-condition.patch
+blk-mq-fix-use-after-free-in-blk_mq_free_tag_set.patch
+ib-cm-fix-rb-tree-duplicate-free-and-use-after-free.patch
+sched-deadline-fix-migration-of-sched_deadline-tasks.patch
+cpufreq-intel_pstate-fix-divide-by-zero-on-knights-landing-knl.patch
diff --git a/queue-4.2/thermal-exynos-fix-register-read-in-tmu.patch b/queue-4.2/thermal-exynos-fix-register-read-in-tmu.patch
new file mode 100644
index 00000000000..8ad9639dca0
--- /dev/null
+++ b/queue-4.2/thermal-exynos-fix-register-read-in-tmu.patch
@@ -0,0 +1,37 @@
+From b28fec1324bf8f5010d2c3c5d57db4115bda66d4 Mon Sep 17 00:00:00 2001
+From: Sudip Mukherjee
+Date: Sat, 17 Oct 2015 08:08:56 +0900
+Subject: thermal: exynos: Fix register read in TMU
+
+From: Sudip Mukherjee
+
+commit b28fec1324bf8f5010d2c3c5d57db4115bda66d4 upstream.
+
+The value of emul_con was getting overwritten if the selected soc is
+SOC_ARCH_EXYNOS5260. And so as a result we were reading from the wrong
+register in the case of SOC_ARCH_EXYNOS5260.
+
+Fixes: 488c7455d74c ("thermal: exynos: Add the support for Exynos5433 TMU")
+Signed-off-by: Sudip Mukherjee
+Reviewed-by: Krzysztof Kozlowski
+Reviewed-by: Chanwoo Choi
+Acked-by: Lukasz Majewski
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Kukjin Kim
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/thermal/samsung/exynos_tmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/thermal/samsung/exynos_tmu.c
++++ b/drivers/thermal/samsung/exynos_tmu.c
+@@ -933,7 +933,7 @@ static void exynos4412_tmu_set_emulation
+
+ if (data->soc == SOC_ARCH_EXYNOS5260)
+ emul_con = EXYNOS5260_EMUL_CON;
+- if (data->soc == SOC_ARCH_EXYNOS5433)
++ else if (data->soc == SOC_ARCH_EXYNOS5433)
+ emul_con = EXYNOS5433_TMU_EMUL_CON;
+ else if (data->soc == SOC_ARCH_EXYNOS7)
+ emul_con = EXYNOS7_TMU_REG_EMUL_CON;
diff --git a/queue-4.2/um-fix-kernel-mode-fault-condition.patch b/queue-4.2/um-fix-kernel-mode-fault-condition.patch
new file mode 100644
index 00000000000..5cb934583a7
--- /dev/null
+++ b/queue-4.2/um-fix-kernel-mode-fault-condition.patch
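Review bot: The register selection on `data->soc` in exynos4412_tmu_set_emulation() stays an if/else-if ladder, which is the form that let the missing `else` go unnoticed in the first place; a `switch (data->soc)` makes each SoC pick exactly one register and cannot lose a branch this way. The ladder continues past the end of the hunk, so whatever final branch follows would become the `default:` case. The selection rewritten as a switch is sketched below.

```c
switch (data->soc) {
case SOC_ARCH_EXYNOS5260:
	emul_con = EXYNOS5260_EMUL_CON;
	break;
case SOC_ARCH_EXYNOS5433:
	emul_con = EXYNOS5433_TMU_EMUL_CON;
	break;
case SOC_ARCH_EXYNOS7:
	emul_con = EXYNOS7_TMU_REG_EMUL_CON;
	break;
/* … unchanged: remainder of the chain, outside the hunk, moved under default: … */
}
```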
@@ -0,0 +1,33 @@
+From 56b88a3bf97a39d3f4f010509917b76a865a6dc8 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger
+Date: Sun, 9 Aug 2015 22:26:33 +0200
+Subject: um: Fix kernel mode fault condition
+
+From: Richard Weinberger
+
+commit 56b88a3bf97a39d3f4f010509917b76a865a6dc8 upstream.
+
+We have to exclude memory locations <= PAGE_SIZE from
+the condition and let the kernel mode fault path catch it.
+Otherwise a kernel NULL pointer exception will be reported
+as a kernel user space access.
+
+Fixes: d2313084e2c (um: Catch unprotected user memory access)
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/um/kernel/trap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/um/kernel/trap.c
++++ b/arch/um/kernel/trap.c
+@@ -220,7 +220,7 @@ unsigned long segv(struct faultinfo fi,
+ show_regs(container_of(regs, struct pt_regs, regs));
+ panic("Segfault with no mm");
+ }
+- else if (!is_user && address < TASK_SIZE) {
++ else if (!is_user && address > PAGE_SIZE && address < TASK_SIZE) {
+ show_regs(container_of(regs, struct pt_regs, regs));
+ panic("Kernel tried to access user memory at addr 0x%lx, ip 0x%lx",
+ address, ip);
-- 2.47.2
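Review bot: The new lower bound `address > PAGE_SIZE` in segv() also exempts `address == PAGE_SIZE`, which is the first byte of the second page rather than part of the NULL page. If the intent is only to let NULL-pointer dereferences reach the kernel-mode fault path, `address >= PAGE_SIZE` is the tighter test; the commit message does say `<= PAGE_SIZE`, so this may be deliberate. The condition narrows a check that reports kernel accesses to user memory and has no comment, so I would add `/* low addresses are NULL dereferences: leave them to the kernel-mode fault path */` above it. How that later path reports the fault is outside the hunk.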