<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers, branch v4.6.1</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>Revert "scsi: fix soft lockup in scsi_remove_target() on module removal"</title>
<updated>2016-06-01T19:18:05+00:00</updated>
<author>
<name>Johannes Thumshirn</name>
<email>jthumshirn@suse.de</email>
</author>
<published>2016-04-05T09:50:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=09bac95fa11396b8bdcba21c9784d960eab20650'/>
<id>09bac95fa11396b8bdcba21c9784d960eab20650</id>
<content type='text'>
commit 305c2e71b3d733ec065cb716c76af7d554bd5571 upstream.

Now that we've done a more comprehensive fix with the intermediate
target state we can remove the previous hack introduced with commit
90a88d6ef88e ("scsi: fix soft lockup in scsi_remove_target() on module
removal").

Signed-off-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Reviewed-by: Ewan D. Milne &lt;emilne@redhat.com&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 305c2e71b3d733ec065cb716c76af7d554bd5571 upstream.

Now that we've done a more comprehensive fix with the intermediate
target state we can remove the previous hack introduced with commit
90a88d6ef88e ("scsi: fix soft lockup in scsi_remove_target() on module
removal").

Signed-off-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Reviewed-by: Ewan D. Milne &lt;emilne@redhat.com&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: Add intermediate STARGET_REMOVE state to scsi_target_state</title>
<updated>2016-06-01T19:18:05+00:00</updated>
<author>
<name>Johannes Thumshirn</name>
<email>jthumshirn@suse.de</email>
</author>
<published>2016-04-05T09:50:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9f10b086c213b2b56cf4d2198a1194d0aaeca95a'/>
<id>9f10b086c213b2b56cf4d2198a1194d0aaeca95a</id>
<content type='text'>
commit f05795d3d771f30a7bdc3a138bf714b06d42aa95 upstream.

Add intermediate STARGET_REMOVE state to scsi_target_state to avoid
running into the BUG_ON() in scsi_target_reap(). The STARGET_REMOVE
state is only valid in the path from scsi_remove_target() to
scsi_target_destroy() indicating this target is going to be removed.

This re-fixes the problem introduced in commits bc3f02a795d3 ("[SCSI]
scsi_remove_target: fix softlockup regression on hot remove") and
40998193560d ("scsi: restart list search after unlock in
scsi_remove_target") in a more comprehensive way.

[mkp: Included James' fix for scsi_target_destroy()]

Signed-off-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Fixes: 40998193560dab6c3ce8d25f4fa58a23e252ef38
Reported-by: Sergey Senozhatsky &lt;sergey.senozhatsky@gmail.com&gt;
Tested-by: Sergey Senozhatsky &lt;sergey.senozhatsky@gmail.com&gt;
Reviewed-by: Ewan D. Milne &lt;emilne@redhat.com&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.com&gt;
Reviewed-by: James Bottomley &lt;jejb@linux.vnet.ibm.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f05795d3d771f30a7bdc3a138bf714b06d42aa95 upstream.

Add intermediate STARGET_REMOVE state to scsi_target_state to avoid
running into the BUG_ON() in scsi_target_reap(). The STARGET_REMOVE
state is only valid in the path from scsi_remove_target() to
scsi_target_destroy() indicating this target is going to be removed.

This re-fixes the problem introduced in commits bc3f02a795d3 ("[SCSI]
scsi_remove_target: fix softlockup regression on hot remove") and
40998193560d ("scsi: restart list search after unlock in
scsi_remove_target") in a more comprehensive way.

[mkp: Included James' fix for scsi_target_destroy()]

Signed-off-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Fixes: 40998193560dab6c3ce8d25f4fa58a23e252ef38
Reported-by: Sergey Senozhatsky &lt;sergey.senozhatsky@gmail.com&gt;
Tested-by: Sergey Senozhatsky &lt;sergey.senozhatsky@gmail.com&gt;
Reviewed-by: Ewan D. Milne &lt;emilne@redhat.com&gt;
Reviewed-by: Hannes Reinecke &lt;hare@suse.com&gt;
Reviewed-by: James Bottomley &lt;jejb@linux.vnet.ibm.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>UBI: Fix static volume checks when Fastmap is used</title>
<updated>2016-06-01T19:18:05+00:00</updated>
<author>
<name>Richard Weinberger</name>
<email>richard@nod.at</email>
</author>
<published>2016-04-26T14:39:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9ebe3bf54f844d081cbf0146294d04cc69bd1cb9'/>
<id>9ebe3bf54f844d081cbf0146294d04cc69bd1cb9</id>
<content type='text'>
commit 1900149c835ab5b48bea31a823ea5e5a401fb560 upstream.

Ezequiel reported that he's facing UBI going into read-only
mode after power cut. It turned out that this behavior happens
only when updating a static volume is interrupted and Fastmap is
used.

A possible trace can look like:
ubi0 warning: ubi_io_read_vid_hdr [ubi]: no VID header found at PEB 2323, only 0xFF bytes
ubi0 warning: ubi_eba_read_leb [ubi]: switch to read-only mode
CPU: 0 PID: 833 Comm: ubiupdatevol Not tainted 4.6.0-rc2-ARCH #4
Hardware name: SAMSUNG ELECTRONICS CO., LTD. 300E4C/300E5C/300E7C/NP300E5C-AD8AR, BIOS P04RAP 10/15/2012
0000000000000286 00000000eba949bd ffff8800c45a7b38 ffffffff8140d841
ffff8801964be000 ffff88018eaa4800 ffff8800c45a7bb8 ffffffffa003abf6
ffffffff850e2ac0 8000000000000163 ffff8801850e2ac0 ffff8801850e2ac0
Call Trace:
[&lt;ffffffff8140d841&gt;] dump_stack+0x63/0x82
[&lt;ffffffffa003abf6&gt;] ubi_eba_read_leb+0x486/0x4a0 [ubi]
[&lt;ffffffffa00453b3&gt;] ubi_check_volume+0x83/0xf0 [ubi]
[&lt;ffffffffa0039d97&gt;] ubi_open_volume+0x177/0x350 [ubi]
[&lt;ffffffffa00375d8&gt;] vol_cdev_open+0x58/0xb0 [ubi]
[&lt;ffffffff8124b08e&gt;] chrdev_open+0xae/0x1d0
[&lt;ffffffff81243bcf&gt;] do_dentry_open+0x1ff/0x300
[&lt;ffffffff8124afe0&gt;] ? cdev_put+0x30/0x30
[&lt;ffffffff81244d36&gt;] vfs_open+0x56/0x60
[&lt;ffffffff812545f4&gt;] path_openat+0x4f4/0x1190
[&lt;ffffffff81256621&gt;] do_filp_open+0x91/0x100
[&lt;ffffffff81263547&gt;] ? __alloc_fd+0xc7/0x190
[&lt;ffffffff812450df&gt;] do_sys_open+0x13f/0x210
[&lt;ffffffff812451ce&gt;] SyS_open+0x1e/0x20
[&lt;ffffffff81a99e32&gt;] entry_SYSCALL_64_fastpath+0x1a/0xa4

UBI checks static volumes for data consistency and reads the
whole volume upon first open. If the volume is found erroneous
users of UBI cannot read from it, but another volume update is
possible to fix it. The check is performed by running
ubi_eba_read_leb() on every allocated LEB of the volume.
For static volumes ubi_eba_read_leb() computes the checksum of all
data stored in a LEB. To verify the computed checksum it has to read
the LEB's volume header which stores the original checksum.
If the volume header is not found UBI treats this as fatal internal
error and switches to RO mode. If the UBI device was attached via a
full scan the assumption is correct, the volume header has to be
present as it had to be there while scanning to get known as mapped.
If the attach operation happened via Fastmap the assumption is no
longer correct. When attaching via Fastmap UBI learns the mapping
table from Fastmap's snapshot of the system state and not via a full
scan. It can happen that a LEB got unmapped after a Fastmap was
written to the flash. Then UBI can learn the LEB still as mapped and
accessing it returns only 0xFF bytes. As UBI is not a FTL it is
allowed to have mappings to empty PEBs, it assumes that the layer
above takes care of LEB accounting and referencing.
UBIFS does so using the LEB property tree (LPT).
For static volumes UBI blindly assumes that all LEBs are present and
therefore special actions have to be taken.

The described situation can happen when updating a static volume is
interrupted, either by a user or a power cut.
The volume update code first unmaps all LEBs of a volume and then
writes LEB by LEB. If the sequence of operations is interrupted UBI
detects this either by the absence of LEBs, no volume header present
at scan time, or corrupted payload, detected via checksum.
In the Fastmap case the former method won't trigger as no scan
happened and UBI automatically thinks all LEBs are present.
Only by reading data from a LEB it detects that the volume header is
missing and incorrectly treats this as fatal error.
To deal with the situation ubi_eba_read_leb() from now on checks
whether we attached via Fastmap and handles the absence of a
volume header like a data corruption error.
This way interrupted static volume updates will correctly get detected
also when Fastmap is used.

Reported-by: Ezequiel Garcia &lt;ezequiel@vanguardiasur.com.ar&gt;
Tested-by: Ezequiel Garcia &lt;ezequiel@vanguardiasur.com.ar&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1900149c835ab5b48bea31a823ea5e5a401fb560 upstream.

Ezequiel reported that he's facing UBI going into read-only
mode after power cut. It turned out that this behavior happens
only when updating a static volume is interrupted and Fastmap is
used.

A possible trace can look like:
ubi0 warning: ubi_io_read_vid_hdr [ubi]: no VID header found at PEB 2323, only 0xFF bytes
ubi0 warning: ubi_eba_read_leb [ubi]: switch to read-only mode
CPU: 0 PID: 833 Comm: ubiupdatevol Not tainted 4.6.0-rc2-ARCH #4
Hardware name: SAMSUNG ELECTRONICS CO., LTD. 300E4C/300E5C/300E7C/NP300E5C-AD8AR, BIOS P04RAP 10/15/2012
0000000000000286 00000000eba949bd ffff8800c45a7b38 ffffffff8140d841
ffff8801964be000 ffff88018eaa4800 ffff8800c45a7bb8 ffffffffa003abf6
ffffffff850e2ac0 8000000000000163 ffff8801850e2ac0 ffff8801850e2ac0
Call Trace:
[&lt;ffffffff8140d841&gt;] dump_stack+0x63/0x82
[&lt;ffffffffa003abf6&gt;] ubi_eba_read_leb+0x486/0x4a0 [ubi]
[&lt;ffffffffa00453b3&gt;] ubi_check_volume+0x83/0xf0 [ubi]
[&lt;ffffffffa0039d97&gt;] ubi_open_volume+0x177/0x350 [ubi]
[&lt;ffffffffa00375d8&gt;] vol_cdev_open+0x58/0xb0 [ubi]
[&lt;ffffffff8124b08e&gt;] chrdev_open+0xae/0x1d0
[&lt;ffffffff81243bcf&gt;] do_dentry_open+0x1ff/0x300
[&lt;ffffffff8124afe0&gt;] ? cdev_put+0x30/0x30
[&lt;ffffffff81244d36&gt;] vfs_open+0x56/0x60
[&lt;ffffffff812545f4&gt;] path_openat+0x4f4/0x1190
[&lt;ffffffff81256621&gt;] do_filp_open+0x91/0x100
[&lt;ffffffff81263547&gt;] ? __alloc_fd+0xc7/0x190
[&lt;ffffffff812450df&gt;] do_sys_open+0x13f/0x210
[&lt;ffffffff812451ce&gt;] SyS_open+0x1e/0x20
[&lt;ffffffff81a99e32&gt;] entry_SYSCALL_64_fastpath+0x1a/0xa4

UBI checks static volumes for data consistency and reads the
whole volume upon first open. If the volume is found erroneous
users of UBI cannot read from it, but another volume update is
possible to fix it. The check is performed by running
ubi_eba_read_leb() on every allocated LEB of the volume.
For static volumes ubi_eba_read_leb() computes the checksum of all
data stored in a LEB. To verify the computed checksum it has to read
the LEB's volume header which stores the original checksum.
If the volume header is not found UBI treats this as fatal internal
error and switches to RO mode. If the UBI device was attached via a
full scan the assumption is correct, the volume header has to be
present as it had to be there while scanning to get known as mapped.
If the attach operation happened via Fastmap the assumption is no
longer correct. When attaching via Fastmap UBI learns the mapping
table from Fastmap's snapshot of the system state and not via a full
scan. It can happen that a LEB got unmapped after a Fastmap was
written to the flash. Then UBI can learn the LEB still as mapped and
accessing it returns only 0xFF bytes. As UBI is not a FTL it is
allowed to have mappings to empty PEBs, it assumes that the layer
above takes care of LEB accounting and referencing.
UBIFS does so using the LEB property tree (LPT).
For static volumes UBI blindly assumes that all LEBs are present and
therefore special actions have to be taken.

The described situation can happen when updating a static volume is
interrupted, either by a user or a power cut.
The volume update code first unmaps all LEBs of a volume and then
writes LEB by LEB. If the sequence of operations is interrupted UBI
detects this either by the absence of LEBs, no volume header present
at scan time, or corrupted payload, detected via checksum.
In the Fastmap case the former method won't trigger as no scan
happened and UBI automatically thinks all LEBs are present.
Only by reading data from a LEB it detects that the volume header is
missing and incorrectly treats this as fatal error.
To deal with the situation ubi_eba_read_leb() from now on checks
whether we attached via Fastmap and handles the absence of a
volume header like a data corruption error.
This way interrupted static volume updates will correctly get detected
also when Fastmap is used.

Reported-by: Ezequiel Garcia &lt;ezequiel@vanguardiasur.com.ar&gt;
Tested-by: Ezequiel Garcia &lt;ezequiel@vanguardiasur.com.ar&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>md: md.c: fix oops in mddev_suspend for raid0</title>
<updated>2016-06-01T19:18:04+00:00</updated>
<author>
<name>Heinz Mauelshagen</name>
<email>heinzm@redhat.com</email>
</author>
<published>2016-05-03T17:43:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5269fcd77a7ec9a5ba26b47423d79eafba0210ff'/>
<id>5269fcd77a7ec9a5ba26b47423d79eafba0210ff</id>
<content type='text'>
commit 092398dce8c2406bfb0c9eebc3e764ff2ddb62a8 upstream.

Introduced by upstream commit 70d9798b95562abac005d4ba71d28820f9a201eb

The raid0 personality does not create mddev-&gt;thread as oposed to
other personalities leading to its unconditional access in
mddev_suspend() causing an oops.

Patch checks for mddev-&gt;thread in order to keep the
intention of aforementioned commit.

Fixes: 70d9798b9556 ("MD: warn for potential deadlock")
Signed-off-by: Heinz Mauelshagen &lt;heinzm@redhat.com&gt;
Signed-off-by: Shaohua Li &lt;shli@fb.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 092398dce8c2406bfb0c9eebc3e764ff2ddb62a8 upstream.

Introduced by upstream commit 70d9798b95562abac005d4ba71d28820f9a201eb

The raid0 personality does not create mddev-&gt;thread as oposed to
other personalities leading to its unconditional access in
mddev_suspend() causing an oops.

Patch checks for mddev-&gt;thread in order to keep the
intention of aforementioned commit.

Fixes: 70d9798b9556 ("MD: warn for potential deadlock")
Signed-off-by: Heinz Mauelshagen &lt;heinzm@redhat.com&gt;
Signed-off-by: Shaohua Li &lt;shli@fb.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>thunderbolt: Fix double free of drom buffer</title>
<updated>2016-06-01T19:18:04+00:00</updated>
<author>
<name>Andreas Noever</name>
<email>andreas.noever@gmail.com</email>
</author>
<published>2016-04-10T10:48:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6e3ef9021846959be412a77506906173118bf3f5'/>
<id>6e3ef9021846959be412a77506906173118bf3f5</id>
<content type='text'>
commit 2ffa9a5d76a75abbc1f95c17959fced666095bdd upstream.

If tb_drom_read() fails, sw-&gt;drom is freed but not set to NULL.  sw-&gt;drom
is then freed again in the error path of tb_switch_alloc().

The bug can be triggered by unplugging a thunderbolt device shortly after
it is detected by the thunderbolt driver.

Clear sw-&gt;drom if tb_drom_read() fails.

[bhelgaas: add Fixes:, stable versions of interest]
Fixes: 343fcb8c70d7 ("thunderbolt: Fix nontrivial endpoint devices.")
Signed-off-by: Andreas Noever &lt;andreas.noever@gmail.com&gt;
Signed-off-by: Bjorn Helgaas &lt;bhelgaas@google.com&gt;
CC: Lukas Wunner &lt;lukas@wunner.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 2ffa9a5d76a75abbc1f95c17959fced666095bdd upstream.

If tb_drom_read() fails, sw-&gt;drom is freed but not set to NULL.  sw-&gt;drom
is then freed again in the error path of tb_switch_alloc().

The bug can be triggered by unplugging a thunderbolt device shortly after
it is detected by the thunderbolt driver.

Clear sw-&gt;drom if tb_drom_read() fails.

[bhelgaas: add Fixes:, stable versions of interest]
Fixes: 343fcb8c70d7 ("thunderbolt: Fix nontrivial endpoint devices.")
Signed-off-by: Andreas Noever &lt;andreas.noever@gmail.com&gt;
Signed-off-by: Bjorn Helgaas &lt;bhelgaas@google.com&gt;
CC: Lukas Wunner &lt;lukas@wunner.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>IB/srp: Fix srp_create_target() error handling</title>
<updated>2016-06-01T19:18:04+00:00</updated>
<author>
<name>Bart Van Assche</name>
<email>bart.vanassche@sandisk.com</email>
</author>
<published>2016-05-12T17:48:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=80772cfb1c98f38b939a776df6ebcca4e80726a3'/>
<id>80772cfb1c98f38b939a776df6ebcca4e80726a3</id>
<content type='text'>
commit f83b2561a6d4ff12959660ad597580097b744941 upstream.

Avoid that the following kernel oops occurs if memory pool
allocation fails:

BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [&lt;ffffffffa048d0a0&gt;] ib_drain_rq+0x0/0x20 [ib_core]
Call Trace:
 [&lt;ffffffffa04af386&gt;] srp_create_target+0xca6/0x13a9 [ib_srp]
 [&lt;ffffffff813cc863&gt;] dev_attr_store+0x13/0x20
 [&lt;ffffffff81214b50&gt;] sysfs_kf_write+0x40/0x50
 [&lt;ffffffff81213f1c&gt;] kernfs_fop_write+0x13c/0x180
 [&lt;ffffffff81197683&gt;] __vfs_write+0x23/0xf0
 [&lt;ffffffff81198744&gt;] vfs_write+0xa4/0x1a0
 [&lt;ffffffff81199a44&gt;] SyS_write+0x44/0xa0
 [&lt;ffffffff8159e3e9&gt;] entry_SYSCALL_64_fastpath+0x1c/0xac

Fixes: 1dc7b1f10dcb ("IB/srp: use the new CQ API")
Signed-off-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
Reviewed-by: Leon Romanovsky &lt;leonro@mellanox.com&gt;
Tested-by: Laurence Oberman &lt;loberman@redhat.com&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: Sagi Grimberg &lt;sagi@grimberg.me&gt;
Signed-off-by: Doug Ledford &lt;dledford@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f83b2561a6d4ff12959660ad597580097b744941 upstream.

Avoid that the following kernel oops occurs if memory pool
allocation fails:

BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [&lt;ffffffffa048d0a0&gt;] ib_drain_rq+0x0/0x20 [ib_core]
Call Trace:
 [&lt;ffffffffa04af386&gt;] srp_create_target+0xca6/0x13a9 [ib_srp]
 [&lt;ffffffff813cc863&gt;] dev_attr_store+0x13/0x20
 [&lt;ffffffff81214b50&gt;] sysfs_kf_write+0x40/0x50
 [&lt;ffffffff81213f1c&gt;] kernfs_fop_write+0x13c/0x180
 [&lt;ffffffff81197683&gt;] __vfs_write+0x23/0xf0
 [&lt;ffffffff81198744&gt;] vfs_write+0xa4/0x1a0
 [&lt;ffffffff81199a44&gt;] SyS_write+0x44/0xa0
 [&lt;ffffffff8159e3e9&gt;] entry_SYSCALL_64_fastpath+0x1c/0xac

Fixes: 1dc7b1f10dcb ("IB/srp: use the new CQ API")
Signed-off-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
Reviewed-by: Leon Romanovsky &lt;leonro@mellanox.com&gt;
Tested-by: Laurence Oberman &lt;loberman@redhat.com&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: Sagi Grimberg &lt;sagi@grimberg.me&gt;
Signed-off-by: Doug Ledford &lt;dledford@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>IB/srp: Fix a debug kernel crash</title>
<updated>2016-06-01T19:18:04+00:00</updated>
<author>
<name>Bart Van Assche</name>
<email>bart.vanassche@sandisk.com</email>
</author>
<published>2016-04-12T21:39:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a1e9e0f4f2176938bb1f0bad7d70f9dba27992de'/>
<id>a1e9e0f4f2176938bb1f0bad7d70f9dba27992de</id>
<content type='text'>
commit 54f5c9c52d69afa55abf2b034df8d45f588466c3 upstream.

Avoid that the following BUG() is triggered against a debug
kernel:

kernel BUG at include/linux/scatterlist.h:92!
RIP: 0010:[&lt;ffffffffa0467199&gt;]  [&lt;ffffffffa0467199&gt;] srp_map_idb+0x199/0x1a0 [ib_srp]
Call Trace:
 [&lt;ffffffffa04685fa&gt;] srp_map_data+0x84a/0x890 [ib_srp]
 [&lt;ffffffffa0469674&gt;] srp_queuecommand+0x1e4/0x610 [ib_srp]
 [&lt;ffffffff813f5a5e&gt;] scsi_dispatch_cmd+0x9e/0x180
 [&lt;ffffffff813f8b07&gt;] scsi_request_fn+0x477/0x610
 [&lt;ffffffff81298ffe&gt;] __blk_run_queue+0x2e/0x40
 [&lt;ffffffff81299070&gt;] blk_delay_work+0x20/0x30
 [&lt;ffffffff81071f07&gt;] process_one_work+0x197/0x480
 [&lt;ffffffff81072239&gt;] worker_thread+0x49/0x490
 [&lt;ffffffff810787ea&gt;] kthread+0xea/0x100
 [&lt;ffffffff8159b632&gt;] ret_from_fork+0x22/0x40

Fixes: f7f7aab1a5c0 ("IB/srp: Convert to new registration API")
Signed-off-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
Cc: Sagi Grimberg &lt;sagi@grimberg.me&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Reviewed-by: Max Gurtovoy &lt;maxg@mellanox.com&gt;
Reviewed-by: Sagi Grimberg &lt;sagi@grimberg.me&gt;
Signed-off-by: Doug Ledford &lt;dledford@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 54f5c9c52d69afa55abf2b034df8d45f588466c3 upstream.

Avoid that the following BUG() is triggered against a debug
kernel:

kernel BUG at include/linux/scatterlist.h:92!
RIP: 0010:[&lt;ffffffffa0467199&gt;]  [&lt;ffffffffa0467199&gt;] srp_map_idb+0x199/0x1a0 [ib_srp]
Call Trace:
 [&lt;ffffffffa04685fa&gt;] srp_map_data+0x84a/0x890 [ib_srp]
 [&lt;ffffffffa0469674&gt;] srp_queuecommand+0x1e4/0x610 [ib_srp]
 [&lt;ffffffff813f5a5e&gt;] scsi_dispatch_cmd+0x9e/0x180
 [&lt;ffffffff813f8b07&gt;] scsi_request_fn+0x477/0x610
 [&lt;ffffffff81298ffe&gt;] __blk_run_queue+0x2e/0x40
 [&lt;ffffffff81299070&gt;] blk_delay_work+0x20/0x30
 [&lt;ffffffff81071f07&gt;] process_one_work+0x197/0x480
 [&lt;ffffffff81072239&gt;] worker_thread+0x49/0x490
 [&lt;ffffffff810787ea&gt;] kthread+0xea/0x100
 [&lt;ffffffff8159b632&gt;] ret_from_fork+0x22/0x40

Fixes: f7f7aab1a5c0 ("IB/srp: Convert to new registration API")
Signed-off-by: Bart Van Assche &lt;bart.vanassche@sandisk.com&gt;
Cc: Sagi Grimberg &lt;sagi@grimberg.me&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Reviewed-by: Max Gurtovoy &lt;maxg@mellanox.com&gt;
Reviewed-by: Sagi Grimberg &lt;sagi@grimberg.me&gt;
Signed-off-by: Doug Ledford &lt;dledford@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mcb: Fixed bar number assignment for the gdd</title>
<updated>2016-06-01T19:18:04+00:00</updated>
<author>
<name>Andreas Werner</name>
<email>andreas.werner@men.de</email>
</author>
<published>2016-05-03T10:42:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5aa78548be4d04fff593d883291512c29cc32354'/>
<id>5aa78548be4d04fff593d883291512c29cc32354</id>
<content type='text'>
commit f75564d343010b025301d9548f2304f48eb25f01 upstream.

The bar number is found in reg2 within the gdd. Therefore
we need to change the assigment from reg1 to reg2 which
is the correct location.

Signed-off-by: Andreas Werner &lt;andreas.werner@men.de&gt;
Fixes: '3764e82e5' drivers: Introduce MEN Chameleon Bus
Signed-off-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f75564d343010b025301d9548f2304f48eb25f01 upstream.

The bar number is found in reg2 within the gdd. Therefore
we need to change the assigment from reg1 to reg2 which
is the correct location.

Signed-off-by: Andreas Werner &lt;andreas.werner@men.de&gt;
Fixes: '3764e82e5' drivers: Introduce MEN Chameleon Bus
Signed-off-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>misc: mic: Fix for double fetch security bug in VOP driver</title>
<updated>2016-06-01T19:18:04+00:00</updated>
<author>
<name>Ashutosh Dixit</name>
<email>ashutosh.dixit@intel.com</email>
</author>
<published>2016-04-27T21:36:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2a9369456a384d84c521c8ebb48d247e8738f84f'/>
<id>2a9369456a384d84c521c8ebb48d247e8738f84f</id>
<content type='text'>
commit 9bf292bfca94694a721449e3fd752493856710f6 upstream.

The MIC VOP driver does two successive reads from user space to read a
variable length data structure. Kernel memory corruption can result if
the data structure changes between the two reads. This patch disallows
the chance of this happening.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116651
Reported by: Pengfei Wang &lt;wpengfeinudt@gmail.com&gt;
Reviewed-by: Sudeep Dutt &lt;sudeep.dutt@intel.com&gt;
Signed-off-by: Ashutosh Dixit &lt;ashutosh.dixit@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9bf292bfca94694a721449e3fd752493856710f6 upstream.

The MIC VOP driver does two successive reads from user space to read a
variable length data structure. Kernel memory corruption can result if
the data structure changes between the two reads. This patch disallows
the chance of this happening.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116651
Reported by: Pengfei Wang &lt;wpengfeinudt@gmail.com&gt;
Reviewed-by: Sudeep Dutt &lt;sudeep.dutt@intel.com&gt;
Signed-off-by: Ashutosh Dixit &lt;ashutosh.dixit@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>watchdog: sp5100_tco: properly check for new register layouts</title>
<updated>2016-06-01T19:18:03+00:00</updated>
<author>
<name>Lucas Stach</name>
<email>dev@lynxeye.de</email>
</author>
<published>2016-05-03T17:15:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9411afb65b049c35d5faaaff677eb27bf6c85f42'/>
<id>9411afb65b049c35d5faaaff677eb27bf6c85f42</id>
<content type='text'>
commit 46856fabe40cc80f92134683cdec7dc0fc8f4000 upstream.

Commits 190aa4304de6 (Add AMD Mullins platform support) and
cca118fa2a0a94 (Add AMD Carrizo platform support) enabled the
driver on a lot more devices, but the following commit missed
a single location in the code when checking if the SB800 register
offsets should be used. This leads to the wrong register being
written which in turn causes ACPI to go haywire.

Fix this by introducing a helper function to check for the new
register layout and use this consistently.

https://bugzilla.kernel.org/show_bug.cgi?id=114201
https://bugzilla.redhat.com/show_bug.cgi?id=1329910
Fixes: bdecfcdb5461 (sp5100_tco: fix the device check for SB800
and later chipsets)
Signed-off-by: Lucas Stach &lt;dev@lynxeye.de&gt;
Signed-off-by: Guenter Roeck &lt;linux@roeck-us.net&gt;
Signed-off-by: Wim Van Sebroeck &lt;wim@iguana.be&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 46856fabe40cc80f92134683cdec7dc0fc8f4000 upstream.

Commits 190aa4304de6 (Add AMD Mullins platform support) and
cca118fa2a0a94 (Add AMD Carrizo platform support) enabled the
driver on a lot more devices, but the following commit missed
a single location in the code when checking if the SB800 register
offsets should be used. This leads to the wrong register being
written which in turn causes ACPI to go haywire.

Fix this by introducing a helper function to check for the new
register layout and use this consistently.

https://bugzilla.kernel.org/show_bug.cgi?id=114201
https://bugzilla.redhat.com/show_bug.cgi?id=1329910
Fixes: bdecfcdb5461 (sp5100_tco: fix the device check for SB800
and later chipsets)
Signed-off-by: Lucas Stach &lt;dev@lynxeye.de&gt;
Signed-off-by: Guenter Roeck &lt;linux@roeck-us.net&gt;
Signed-off-by: Wim Van Sebroeck &lt;wim@iguana.be&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
