4.7-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 30 Aug 2016 08:53:19 +0000 (10:53 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 30 Aug 2016 08:53:19 +0000 (10:53 +0200)
added patches:
alsa-hda-manage-power-well-properly-for-resume.patch
alsa-usb-audio-add-a-sample-rate-quirk-for-creative-live-cam-socialize-hd-vf0610.patch
alsa-usb-audio-add-quirk-for-elp-hd-usb-camera.patch
arm64-define-at_vector_size_arch-for-arch_dlinfo.patch
efi-capsule-allocate-whole-capsule-into-virtual-memory.patch
libnvdimm-nd_blk-mask-off-reserved-status-bits.patch
mm-slub.c-run-free_partial-outside-of-the-kmem_cache_node-list_lock.patch
parisc-fix-order-of-erefused-define-in-errno.h.patch
perf-intel-pt-fix-occasional-decoding-errors-when-tracing-system-wide.patch
sunrpc-allow-for-upcalls-for-same-uid-but-different-gss-service.patch
sunrpc-handle-eaddrnotavail-on-connection-failures.patch
tracing-fix-tick_stop-tracepoint-symbols-for-user-export.patch
vfio-pci-fix-null-pointer-oops-in-error-interrupt-setup-handling.patch
virtio-fix-memory-leak-in-virtqueue_add.patch

15 files changed:
queue-4.7/alsa-hda-manage-power-well-properly-for-resume.patch [new file with mode: 0644]
queue-4.7/alsa-usb-audio-add-a-sample-rate-quirk-for-creative-live-cam-socialize-hd-vf0610.patch [new file with mode: 0644]
queue-4.7/alsa-usb-audio-add-quirk-for-elp-hd-usb-camera.patch [new file with mode: 0644]
queue-4.7/arm64-define-at_vector_size_arch-for-arch_dlinfo.patch [new file with mode: 0644]
queue-4.7/efi-capsule-allocate-whole-capsule-into-virtual-memory.patch [new file with mode: 0644]
queue-4.7/libnvdimm-nd_blk-mask-off-reserved-status-bits.patch [new file with mode: 0644]
queue-4.7/mm-slub.c-run-free_partial-outside-of-the-kmem_cache_node-list_lock.patch [new file with mode: 0644]
queue-4.7/parisc-fix-order-of-erefused-define-in-errno.h.patch [new file with mode: 0644]
queue-4.7/perf-intel-pt-fix-occasional-decoding-errors-when-tracing-system-wide.patch [new file with mode: 0644]
queue-4.7/series
queue-4.7/sunrpc-allow-for-upcalls-for-same-uid-but-different-gss-service.patch [new file with mode: 0644]
queue-4.7/sunrpc-handle-eaddrnotavail-on-connection-failures.patch [new file with mode: 0644]
queue-4.7/tracing-fix-tick_stop-tracepoint-symbols-for-user-export.patch [new file with mode: 0644]
queue-4.7/vfio-pci-fix-null-pointer-oops-in-error-interrupt-setup-handling.patch [new file with mode: 0644]
queue-4.7/virtio-fix-memory-leak-in-virtqueue_add.patch [new file with mode: 0644]

diff --git a/queue-4.7/alsa-hda-manage-power-well-properly-for-resume.patch b/queue-4.7/alsa-hda-manage-power-well-properly-for-resume.patch
new file mode 100644 (file)
index 0000000..8a83a85
--- /dev/null
@@ -0,0 +1,119 @@
+From a52ff34e5ec61749c62c6618b76a9d6dbecee450 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 4 Aug 2016 22:38:36 +0200
+Subject: ALSA: hda - Manage power well properly for resume
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit a52ff34e5ec61749c62c6618b76a9d6dbecee450 upstream.
+
+For SKL and later Intel chips, we control the power well per codec
+basis via link_power callback since the commit [03b135cebc47: ALSA:
+hda - remove dependency on i915 power well for SKL].
+However, there are a few exceptional cases where the gfx registers are
+accessed from the audio driver: namely the wakeup override bit
+toggling at (both system and runtime) resume.  This seems causing a
+kernel warning when accessed during the power well down (and likely
+resulting in the bogus register accesses).
+
+This patch puts the proper power up / down sequence around the resume
+code so that the wakeup bit is fiddled properly while the power is
+up.  (The other callback, sync_audio_rate, is used only in the PCM
+callback, so it's guaranteed in the power-on.)
+
+Also, by this proper power up/down, the instantaneous flip of wakeup
+bit in the resume callback that was introduced by the commit
+[033ea349a7cd: ALSA: hda - Fix Skylake codec timeout] becomes
+superfluous, as snd_hdac_display_power() already does it.  So we can
+clean it up together.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=96214
+Fixes: 03b135cebc47 ('ALSA: hda - remove dependency on i915 power well for SKL')
+Tested-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_intel.c |   32 ++++++++++++++++++++------------
+ 1 file changed, 20 insertions(+), 12 deletions(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -906,20 +906,23 @@ static int azx_resume(struct device *dev
+       struct snd_card *card = dev_get_drvdata(dev);
+       struct azx *chip;
+       struct hda_intel *hda;
++      struct hdac_bus *bus;
+       if (!card)
+               return 0;
+       chip = card->private_data;
+       hda = container_of(chip, struct hda_intel, chip);
++      bus = azx_bus(chip);
+       if (chip->disabled || hda->init_failed || !chip->running)
+               return 0;
+-      if (chip->driver_caps & AZX_DCAPS_I915_POWERWELL
+-              && hda->need_i915_power) {
+-              snd_hdac_display_power(azx_bus(chip), true);
+-              snd_hdac_i915_set_bclk(azx_bus(chip));
++      if (chip->driver_caps & AZX_DCAPS_I915_POWERWELL) {
++              snd_hdac_display_power(bus, true);
++              if (hda->need_i915_power)
++                      snd_hdac_i915_set_bclk(bus);
+       }
++
+       if (chip->msi)
+               if (pci_enable_msi(pci) < 0)
+                       chip->msi = 0;
+@@ -929,6 +932,11 @@ static int azx_resume(struct device *dev
+       hda_intel_init_chip(chip, true);
++      /* power down again for link-controlled chips */
++      if ((chip->driver_caps & AZX_DCAPS_I915_POWERWELL) &&
++          !hda->need_i915_power)
++              snd_hdac_display_power(bus, false);
++
+       snd_power_change_state(card, SNDRV_CTL_POWER_D0);
+       trace_azx_resume(chip);
+@@ -1008,6 +1016,7 @@ static int azx_runtime_resume(struct dev
+       chip = card->private_data;
+       hda = container_of(chip, struct hda_intel, chip);
++      bus = azx_bus(chip);
+       if (chip->disabled || hda->init_failed)
+               return 0;
+@@ -1015,15 +1024,9 @@ static int azx_runtime_resume(struct dev
+               return 0;
+       if (chip->driver_caps & AZX_DCAPS_I915_POWERWELL) {
+-              bus = azx_bus(chip);
+-              if (hda->need_i915_power) {
+-                      snd_hdac_display_power(bus, true);
++              snd_hdac_display_power(bus, true);
++              if (hda->need_i915_power)
+                       snd_hdac_i915_set_bclk(bus);
+-              } else {
+-                      /* toggle codec wakeup bit for STATESTS read */
+-                      snd_hdac_set_codec_wakeup(bus, true);
+-                      snd_hdac_set_codec_wakeup(bus, false);
+-              }
+       }
+       /* Read STATESTS before controller reset */
+@@ -1043,6 +1046,11 @@ static int azx_runtime_resume(struct dev
+       azx_writew(chip, WAKEEN, azx_readw(chip, WAKEEN) &
+                       ~STATESTS_INT_MASK);
++      /* power down again for link-controlled chips */
++      if ((chip->driver_caps & AZX_DCAPS_I915_POWERWELL) &&
++          !hda->need_i915_power)
++              snd_hdac_display_power(bus, false);
++
+       trace_azx_runtime_resume(chip);
+       return 0;
+ }
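Review bot: The power well that `snd_hdac_display_power(bus, true)` now takes unconditionally in azx_resume() and azx_runtime_resume() is released only by the new `/* power down again for link-controlled chips */` block near the end of each function, and the lines between the hunks are not shown. If any statement in that gap can return early (a failed IRQ or chip setup, for example), a link-controlled chip would keep the display power reference raised; such a path should call `snd_hdac_display_power(bus, false);` under the same `!hda->need_i915_power` condition before returning. The result of `snd_hdac_display_power(bus, true)` is also not checked, so the register accesses that follow proceed even if the power-up did not succeed. Both function bodies start and end outside the hunks.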
diff --git a/queue-4.7/alsa-usb-audio-add-a-sample-rate-quirk-for-creative-live-cam-socialize-hd-vf0610.patch b/queue-4.7/alsa-usb-audio-add-a-sample-rate-quirk-for-creative-live-cam-socialize-hd-vf0610.patch
new file mode 100644 (file)
index 0000000..b357fb3
--- /dev/null
@@ -0,0 +1,31 @@
+From 7627e40c66b5547e12b6c5673646ceea84797a74 Mon Sep 17 00:00:00 2001
+From: Piotr Karasinski <peter.karasinski@gmail.com>
+Date: Sat, 6 Aug 2016 21:23:05 +0200
+Subject: ALSA: usb-audio: Add a sample rate quirk for Creative Live! Cam Socialize HD (VF0610)
+
+From: Piotr Karasinski <peter.karasinski@gmail.com>
+
+commit 7627e40c66b5547e12b6c5673646ceea84797a74 upstream.
+
+VF0610 does not support reading the sample rate which leads to many
+lines of "cannot get freq at ep 0x82". This patch adds the USB ID
+(0x041E:4080) to snd_usb_get_sample_rate_quirk() list.
+
+Signed-off-by: Piotr Karasinski <peter.karasinski@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1128,6 +1128,7 @@ bool snd_usb_get_sample_rate_quirk(struc
+ {
+       /* devices which do not support reading the sample rate. */
+       switch (chip->usb_id) {
++      case USB_ID(0x041E, 0x4080): /* Creative Live Cam VF0610 */
+       case USB_ID(0x045E, 0x075D): /* MS Lifecam Cinema  */
+       case USB_ID(0x045E, 0x076D): /* MS Lifecam HD-5000 */
+       case USB_ID(0x045E, 0x076E): /* MS Lifecam HD-5001 */
diff --git a/queue-4.7/alsa-usb-audio-add-quirk-for-elp-hd-usb-camera.patch b/queue-4.7/alsa-usb-audio-add-quirk-for-elp-hd-usb-camera.patch
new file mode 100644 (file)
index 0000000..fb87896
--- /dev/null
@@ -0,0 +1,31 @@
+From 41f5e3bdbf706a9e98194bf0c4b62a875c02f170 Mon Sep 17 00:00:00 2001
+From: "Vittorio Gambaletta (VittGam)" <linuxbugs@vittgam.net>
+Date: Mon, 8 Aug 2016 12:35:40 +0200
+Subject: ALSA: usb-audio: Add quirk for ELP HD USB Camera
+
+From: Vittorio Gambaletta (VittGam) <linuxbugs@vittgam.net>
+
+commit 41f5e3bdbf706a9e98194bf0c4b62a875c02f170 upstream.
+
+The ELP HD USB Camera (05a3:9420) needs this quirk for suppressing
+the unsupported sample rate inquiry.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=98481
+Signed-off-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1139,6 +1139,7 @@ bool snd_usb_get_sample_rate_quirk(struc
+       case USB_ID(0x047F, 0xAA05): /* Plantronics DA45 */
+       case USB_ID(0x04D8, 0xFEEA): /* Benchmark DAC1 Pre */
+       case USB_ID(0x0556, 0x0014): /* Phoenix Audio TMX320VC */
++      case USB_ID(0x05A3, 0x9420): /* ELP HD USB Camera */
+       case USB_ID(0x074D, 0x3553): /* Outlaw RR2150 (Micronas UAC3553B) */
+       case USB_ID(0x1de7, 0x0013): /* Phoenix Audio MT202exe */
+       case USB_ID(0x1de7, 0x0014): /* Phoenix Audio TMX320 */
diff --git a/queue-4.7/arm64-define-at_vector_size_arch-for-arch_dlinfo.patch b/queue-4.7/arm64-define-at_vector_size_arch-for-arch_dlinfo.patch
new file mode 100644 (file)
index 0000000..a29d5dc
--- /dev/null
@@ -0,0 +1,52 @@
+From 3146bc64d12377a74dbda12b96ea32da3774ae07 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Mon, 25 Jul 2016 16:59:52 +0100
+Subject: arm64: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 3146bc64d12377a74dbda12b96ea32da3774ae07 upstream.
+
+AT_VECTOR_SIZE_ARCH should be defined with the maximum number of
+NEW_AUX_ENT entries that ARCH_DLINFO can contain, but it wasn't defined
+for arm64 at all even though ARCH_DLINFO will contain one NEW_AUX_ENT
+for the VDSO address.
+
+This shouldn't be a problem as AT_VECTOR_SIZE_BASE includes space for
+AT_BASE_PLATFORM which arm64 doesn't use, but lets define it now and add
+the comment above ARCH_DLINFO as found in several other architectures to
+remind future modifiers of ARCH_DLINFO to keep AT_VECTOR_SIZE_ARCH up to
+date.
+
+Fixes: f668cd1673aa ("arm64: ELF definitions")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/elf.h         |    1 +
+ arch/arm64/include/uapi/asm/auxvec.h |    2 ++
+ 2 files changed, 3 insertions(+)
+
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -140,6 +140,7 @@ typedef struct user_fpsimd_state elf_fpr
+ #define SET_PERSONALITY(ex)           clear_thread_flag(TIF_32BIT);
++/* update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT entries changes */
+ #define ARCH_DLINFO                                                   \
+ do {                                                                  \
+       NEW_AUX_ENT(AT_SYSINFO_EHDR,                                    \
+--- a/arch/arm64/include/uapi/asm/auxvec.h
++++ b/arch/arm64/include/uapi/asm/auxvec.h
+@@ -19,4 +19,6 @@
+ /* vDSO location */
+ #define AT_SYSINFO_EHDR       33
++#define AT_VECTOR_SIZE_ARCH 1 /* entries in ARCH_DLINFO */
++
+ #endif
diff --git a/queue-4.7/efi-capsule-allocate-whole-capsule-into-virtual-memory.patch b/queue-4.7/efi-capsule-allocate-whole-capsule-into-virtual-memory.patch
new file mode 100644 (file)
index 0000000..db6fe64
--- /dev/null
@@ -0,0 +1,88 @@
+From 6862e6ad95e984991a6ceec592cf67831658f928 Mon Sep 17 00:00:00 2001
+From: Austin Christ <austinwc@codeaurora.org>
+Date: Thu, 11 Aug 2016 11:42:00 +0100
+Subject: efi/capsule: Allocate whole capsule into virtual memory
+
+From: Austin Christ <austinwc@codeaurora.org>
+
+commit 6862e6ad95e984991a6ceec592cf67831658f928 upstream.
+
+According to UEFI 2.6 section 7.5.3, the capsule should be in contiguous
+virtual memory and firmware may consume the capsule immediately. To
+correctly implement this functionality, the kernel driver needs to vmap
+the entire capsule at the time it is made available to firmware.
+
+The virtual allocation of the capsule update has been changed from kmap,
+which was only allocating the first page of the update, to vmap, and
+allocates the entire data payload.
+
+Signed-off-by: Austin Christ <austinwc@codeaurora.org>
+Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+Reviewed-by: Matt Fleming <matt@codeblueprint.co.uk>
+Reviewed-by: Lee, Chun-Yi <jlee@suse.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Bryan O'Donoghue <pure.logic@nexus-software.ie>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Kweh Hock Leong <hock.leong.kweh@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/1470912120-22831-3-git-send-email-matt@codeblueprint.co.uk
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/efi/capsule-loader.c |    8 +++++---
+ drivers/firmware/efi/capsule.c        |    6 +++---
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/firmware/efi/capsule-loader.c
++++ b/drivers/firmware/efi/capsule-loader.c
+@@ -16,6 +16,7 @@
+ #include <linux/slab.h>
+ #include <linux/mutex.h>
+ #include <linux/efi.h>
++#include <linux/vmalloc.h>
+ #define NO_FURTHER_WRITE_ACTION -1
+@@ -108,14 +109,15 @@ static ssize_t efi_capsule_submit_update
+       int ret;
+       void *cap_hdr_temp;
+-      cap_hdr_temp = kmap(cap_info->pages[0]);
++      cap_hdr_temp = vmap(cap_info->pages, cap_info->index,
++                      VM_MAP, PAGE_KERNEL);
+       if (!cap_hdr_temp) {
+-              pr_debug("%s: kmap() failed\n", __func__);
++              pr_debug("%s: vmap() failed\n", __func__);
+               return -EFAULT;
+       }
+       ret = efi_capsule_update(cap_hdr_temp, cap_info->pages);
+-      kunmap(cap_info->pages[0]);
++      vunmap(cap_hdr_temp);
+       if (ret) {
+               pr_err("%s: efi_capsule_update() failed\n", __func__);
+               return ret;
+--- a/drivers/firmware/efi/capsule.c
++++ b/drivers/firmware/efi/capsule.c
+@@ -190,9 +190,9 @@ efi_capsule_update_locked(efi_capsule_he
+  * map the capsule described by @capsule with its data in @pages and
+  * send it to the firmware via the UpdateCapsule() runtime service.
+  *
+- * @capsule must be a virtual mapping of the first page in @pages
+- * (@pages[0]) in the kernel address space. That is, a
+- * capsule_header_t that describes the entire contents of the capsule
++ * @capsule must be a virtual mapping of the complete capsule update in the
++ * kernel address space, as the capsule can be consumed immediately.
++ * A capsule_header_t that describes the entire contents of the capsule
+  * must be at the start of the first data page.
+  *
+  * Even though this function will validate that the firmware supports
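Review bot: A failed `vmap()` in efi_capsule_submit_update() is reported to the writer as `-EFAULT` and logged only at `pr_debug` level, although the mapping now covers the whole capsule and would presumably fail for lack of vmalloc space or memory rather than for a bad address. Using `return -ENOMEM;` would let user space tell an oversized capsule from a faulty buffer. The page count passed to vmap() is `cap_info->index`, and the code that bounds it against the image size declared in the capsule header is outside this hunk, so it is worth confirming that a writer cannot push the count, and with it the size of the mapping, past what the header declared. The function body starts and ends outside the hunk.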
diff --git a/queue-4.7/libnvdimm-nd_blk-mask-off-reserved-status-bits.patch b/queue-4.7/libnvdimm-nd_blk-mask-off-reserved-status-bits.patch
new file mode 100644 (file)
index 0000000..7d2dff5
--- /dev/null
@@ -0,0 +1,54 @@
+From 68202c9f0ad6e16ee806fbadbc5838d55fe5aa5c Mon Sep 17 00:00:00 2001
+From: Ross Zwisler <ross.zwisler@linux.intel.com>
+Date: Fri, 29 Jul 2016 14:59:12 -0600
+Subject: libnvdimm, nd_blk: mask off reserved status bits
+
+From: Ross Zwisler <ross.zwisler@linux.intel.com>
+
+commit 68202c9f0ad6e16ee806fbadbc5838d55fe5aa5c upstream.
+
+The "NVDIMM Block Window Driver Writer's Guide":
+
+    http://pmem.io/documents/NVDIMM_DriverWritersGuide-July-2016.pdf
+
+...defines the layout of the block window status register.  For the July
+2016 version of the spec linked to above, this happens in Figure 4 on
+page 26.
+
+The only bits defined in this spec are bits 31, 5, 4, 2, 1 and 0.  The
+rest of the bits in the status register are reserved, and there is a
+warning following the diagram that says:
+
+    Note: The driver cannot assume the value of the RESERVED bits in the
+    status register are zero. These reserved bits need to be masked off, and
+    the driver must avoid checking the state of those bits.
+
+This change ensures that for hardware implementations that set these
+reserved bits in the status register, the driver won't incorrectly fail the
+block I/Os.
+
+Reviewed-by: Lee, Chun-Yi <jlee@suse.com>
+Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/nfit.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/nfit.c
++++ b/drivers/acpi/nfit.c
+@@ -1396,11 +1396,12 @@ static u32 read_blk_stat(struct nfit_blk
+ {
+       struct nfit_blk_mmio *mmio = &nfit_blk->mmio[DCR];
+       u64 offset = nfit_blk->stat_offset + mmio->size * bw;
++      const u32 STATUS_MASK = 0x80000037;
+       if (mmio->num_lines)
+               offset = to_interleave_offset(offset, mmio);
+-      return readl(mmio->addr.base + offset);
++      return readl(mmio->addr.base + offset) & STATUS_MASK;
+ }
+ static void write_blk_ctl(struct nfit_blk *nfit_blk, unsigned int bw,
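Review bot: `const u32 STATUS_MASK = 0x80000037;` in read_blk_stat() is an undocumented magic number, and the upper-case local reads like a macro although it is a variable. A file-scope `#define STATUS_MASK 0x80000037` would fit the name better, and either form needs a comment tying the value to the specification, e.g. `/* defined status bits: 31, 5, 4, 2, 1, 0; all others are reserved and must be ignored */`. Without that, a reader cannot check the mask against the register layout, and a later spec revision that defines another bit would be masked off silently.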
diff --git a/queue-4.7/mm-slub.c-run-free_partial-outside-of-the-kmem_cache_node-list_lock.patch b/queue-4.7/mm-slub.c-run-free_partial-outside-of-the-kmem_cache_node-list_lock.patch
new file mode 100644 (file)
index 0000000..b1cc0b6
--- /dev/null
@@ -0,0 +1,123 @@
+From 6039892396d845b18228935561960441900cffca Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Wed, 10 Aug 2016 16:27:58 -0700
+Subject: mm/slub.c: run free_partial() outside of the kmem_cache_node->list_lock
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit 6039892396d845b18228935561960441900cffca upstream.
+
+With debugobjects enabled and using SLAB_DESTROY_BY_RCU, when a
+kmem_cache_node is destroyed the call_rcu() may trigger a slab
+allocation to fill the debug object pool (__debug_object_init:fill_pool).
+
+Everywhere but during kmem_cache_destroy(), discard_slab() is performed
+outside of the kmem_cache_node->list_lock and avoids a lockdep warning
+about potential recursion:
+
+  =============================================
+  [ INFO: possible recursive locking detected ]
+  4.8.0-rc1-gfxbench+ #1 Tainted: G     U
+  ---------------------------------------------
+  rmmod/8895 is trying to acquire lock:
+   (&(&n->list_lock)->rlock){-.-...}, at: [<ffffffff811c80d7>] get_partial_node.isra.63+0x47/0x430
+
+  but task is already holding lock:
+   (&(&n->list_lock)->rlock){-.-...}, at: [<ffffffff811cbda4>] __kmem_cache_shutdown+0x54/0x320
+
+  other info that might help us debug this:
+  Possible unsafe locking scenario:
+        CPU0
+        ----
+   lock(&(&n->list_lock)->rlock);
+   lock(&(&n->list_lock)->rlock);
+
+   *** DEADLOCK ***
+   May be due to missing lock nesting notation
+   5 locks held by rmmod/8895:
+   #0:  (&dev->mutex){......}, at: driver_detach+0x42/0xc0
+   #1:  (&dev->mutex){......}, at: driver_detach+0x50/0xc0
+   #2:  (cpu_hotplug.dep_map){++++++}, at: get_online_cpus+0x2d/0x80
+   #3:  (slab_mutex){+.+.+.}, at: kmem_cache_destroy+0x3c/0x220
+   #4:  (&(&n->list_lock)->rlock){-.-...}, at: __kmem_cache_shutdown+0x54/0x320
+
+  stack backtrace:
+  CPU: 6 PID: 8895 Comm: rmmod Tainted: G     U          4.8.0-rc1-gfxbench+ #1
+  Hardware name: Gigabyte Technology Co., Ltd. H87M-D3H/H87M-D3H, BIOS F11 08/18/2015
+  Call Trace:
+    __lock_acquire+0x1646/0x1ad0
+    lock_acquire+0xb2/0x200
+    _raw_spin_lock+0x36/0x50
+    get_partial_node.isra.63+0x47/0x430
+    ___slab_alloc.constprop.67+0x1a7/0x3b0
+    __slab_alloc.isra.64.constprop.66+0x43/0x80
+    kmem_cache_alloc+0x236/0x2d0
+    __debug_object_init+0x2de/0x400
+    debug_object_activate+0x109/0x1e0
+    __call_rcu.constprop.63+0x32/0x2f0
+    call_rcu+0x12/0x20
+    discard_slab+0x3d/0x40
+    __kmem_cache_shutdown+0xdb/0x320
+    shutdown_cache+0x19/0x60
+    kmem_cache_destroy+0x1ae/0x220
+    i915_gem_load_cleanup+0x14/0x40 [i915]
+    i915_driver_unload+0x151/0x180 [i915]
+    i915_pci_remove+0x14/0x20 [i915]
+    pci_device_remove+0x34/0xb0
+    __device_release_driver+0x95/0x140
+    driver_detach+0xb6/0xc0
+    bus_remove_driver+0x53/0xd0
+    driver_unregister+0x27/0x50
+    pci_unregister_driver+0x25/0x70
+    i915_exit+0x1a/0x1e2 [i915]
+    SyS_delete_module+0x193/0x1f0
+    entry_SYSCALL_64_fastpath+0x1c/0xac
+
+Fixes: 52b4b950b507 ("mm: slab: free kmem_cache_node after destroy sysfs file")
+Link: http://lkml.kernel.org/r/1470759070-18743-1-git-send-email-chris@chris-wilson.co.uk
+Reported-by: Dave Gordon <david.s.gordon@intel.com>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Reviewed-by: Vladimir Davydov <vdavydov@virtuozzo.com>
+Acked-by: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Dmitry Safonov <dsafonov@virtuozzo.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Dave Gordon <david.s.gordon@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/slub.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -3479,6 +3479,7 @@ static void list_slab_objects(struct kme
+  */
+ static void free_partial(struct kmem_cache *s, struct kmem_cache_node *n)
+ {
++      LIST_HEAD(discard);
+       struct page *page, *h;
+       BUG_ON(irqs_disabled());
+@@ -3486,13 +3487,16 @@ static void free_partial(struct kmem_cac
+       list_for_each_entry_safe(page, h, &n->partial, lru) {
+               if (!page->inuse) {
+                       remove_partial(n, page);
+-                      discard_slab(s, page);
++                      list_add(&page->lru, &discard);
+               } else {
+                       list_slab_objects(s, page,
+                       "Objects remaining in %s on __kmem_cache_shutdown()");
+               }
+       }
+       spin_unlock_irq(&n->list_lock);
++
++      list_for_each_entry_safe(page, h, &discard, lru)
++              discard_slab(s, page);
+ }
+ /*
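Review bot: The second loop in free_partial() has no comment saying why `discard_slab()` was moved out from under `n->list_lock`, so a later cleanup could fold it back into the first loop and bring back the recursive-locking report quoted in the description. A comment above the new loop would keep the reason with the code, e.g. `/* discard_slab() may allocate (call_rcu with debugobjects) and re-take list_lock, so free the collected slabs only after unlocking */`. The pages are chained onto `discard` through `page->lru` right after `remove_partial()`, which relies on that helper having unlinked `lru` from `n->partial`; the helper is outside the hunk.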
diff --git a/queue-4.7/parisc-fix-order-of-erefused-define-in-errno.h.patch b/queue-4.7/parisc-fix-order-of-erefused-define-in-errno.h.patch
new file mode 100644 (file)
index 0000000..dac19c0
--- /dev/null
@@ -0,0 +1,41 @@
+From 3eb53b20d7bd1374598cfb1feaa081fcac0e76cd Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 20 Aug 2016 11:51:38 +0200
+Subject: parisc: Fix order of EREFUSED define in errno.h
+
+From: Helge Deller <deller@gmx.de>
+
+commit 3eb53b20d7bd1374598cfb1feaa081fcac0e76cd upstream.
+
+When building gccgo in userspace, errno.h gets parsed and the go include file
+sysinfo.go is generated.
+
+Since EREFUSED is defined to the same value as ECONNREFUSED, and ECONNREFUSED
+is defined later on in errno.h, this leads to go complaining that EREFUSED
+isn't defined yet.
+
+Fix this trivial problem by moving the define of EREFUSED down after
+ECONNREFUSED in errno.h (and clean up the indenting while touching this line).
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/uapi/asm/errno.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/parisc/include/uapi/asm/errno.h
++++ b/arch/parisc/include/uapi/asm/errno.h
+@@ -97,10 +97,10 @@
+ #define       ENOTCONN        235     /* Transport endpoint is not connected */
+ #define       ESHUTDOWN       236     /* Cannot send after transport endpoint shutdown */
+ #define       ETOOMANYREFS    237     /* Too many references: cannot splice */
+-#define EREFUSED      ECONNREFUSED    /* for HP's NFS apparently */
+ #define       ETIMEDOUT       238     /* Connection timed out */
+ #define       ECONNREFUSED    239     /* Connection refused */
+-#define EREMOTERELEASE        240     /* Remote peer released connection */
++#define       EREFUSED        ECONNREFUSED    /* for HP's NFS apparently */
++#define       EREMOTERELEASE  240     /* Remote peer released connection */
+ #define       EHOSTDOWN       241     /* Host is down */
+ #define       EHOSTUNREACH    242     /* No route to host */
diff --git a/queue-4.7/perf-intel-pt-fix-occasional-decoding-errors-when-tracing-system-wide.patch b/queue-4.7/perf-intel-pt-fix-occasional-decoding-errors-when-tracing-system-wide.patch
new file mode 100644 (file)
index 0000000..fe08642
--- /dev/null
@@ -0,0 +1,59 @@
+From 3d918fb13abdbeca7947578f5d7e426eafad7f5e Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Mon, 15 Aug 2016 10:23:04 +0300
+Subject: perf intel-pt: Fix occasional decoding errors when tracing system-wide
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 3d918fb13abdbeca7947578f5d7e426eafad7f5e upstream.
+
+In order to successfully decode Intel PT traces, context switch events
+are needed from the moment the trace starts. Currently that is ensured
+by using the 'immediate' flag which enables the switch event when it is
+opened.
+
+However, since commit 86c2786994bd ("perf intel-pt: Add support for
+PERF_RECORD_SWITCH") that might not always happen. When tracing
+system-wide the context switch event is added to the tracking event
+which was not set as 'immediate'. Change that so it is.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Fixes: 86c2786994bd ("perf intel-pt: Add support for PERF_RECORD_SWITCH")
+Link: http://lkml.kernel.org/r/1471245784-22580-1-git-send-email-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/arch/x86/util/intel-pt.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/arch/x86/util/intel-pt.c
++++ b/tools/perf/arch/x86/util/intel-pt.c
+@@ -501,7 +501,7 @@ static int intel_pt_recording_options(st
+       struct intel_pt_recording *ptr =
+                       container_of(itr, struct intel_pt_recording, itr);
+       struct perf_pmu *intel_pt_pmu = ptr->intel_pt_pmu;
+-      bool have_timing_info;
++      bool have_timing_info, need_immediate = false;
+       struct perf_evsel *evsel, *intel_pt_evsel = NULL;
+       const struct cpu_map *cpus = evlist->cpus;
+       bool privileged = geteuid() == 0 || perf_event_paranoid() < 0;
+@@ -655,6 +655,7 @@ static int intel_pt_recording_options(st
+                               ptr->have_sched_switch = 3;
+                       } else {
+                               opts->record_switch_events = true;
++                              need_immediate = true;
+                               if (cpu_wide)
+                                       ptr->have_sched_switch = 3;
+                               else
+@@ -700,6 +701,9 @@ static int intel_pt_recording_options(st
+               tracking_evsel->attr.freq = 0;
+               tracking_evsel->attr.sample_period = 1;
++              if (need_immediate)
++                      tracking_evsel->immediate = true;
++
+               /* In per-cpu case, always need the time of mmap events etc */
+               if (!cpu_map__empty(cpus)) {
+                       perf_evsel__set_sample_bit(tracking_evsel, TIME);
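Review bot: `need_immediate` is set in one branch of intel_pt_recording_options() and consumed in a later hunk with no comment linking the two, so the reason the tracking event must be `immediate` lives only in the commit message. A short comment at the assignment would keep it with the code, e.g. `/* switch events are delivered on the tracking event; enable it at open so none are missed before tracing starts */`. The block that holds `tracking_evsel->immediate = true;` opens outside the hunk, so whether it is always reached when `need_immediate` is set cannot be confirmed from here.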
index f5cb6fb00433a7c6c22e73a1d249b9ba38aacc01..39956ad25a7c086fe31ae79bb5eabf009a369328 100644 (file)
@@ -2,3 +2,17 @@ x86-mm-disable-preemption-during-cr3-read-write.patch
 uprobes-x86-fix-rip-relative-handling-of-evex-encoded-instructions.patch
 x86-platform-uv-skip-uv-runtime-services-mapping-in-the-efi_runtime_disabled-case.patch
 tools-testing-nvdimm-fix-sigterm-vs-hotplug-crash.patch
+sunrpc-handle-eaddrnotavail-on-connection-failures.patch
+sunrpc-allow-for-upcalls-for-same-uid-but-different-gss-service.patch
+alsa-usb-audio-add-a-sample-rate-quirk-for-creative-live-cam-socialize-hd-vf0610.patch
+alsa-usb-audio-add-quirk-for-elp-hd-usb-camera.patch
+alsa-hda-manage-power-well-properly-for-resume.patch
+arm64-define-at_vector_size_arch-for-arch_dlinfo.patch
+efi-capsule-allocate-whole-capsule-into-virtual-memory.patch
+parisc-fix-order-of-erefused-define-in-errno.h.patch
+virtio-fix-memory-leak-in-virtqueue_add.patch
+mm-slub.c-run-free_partial-outside-of-the-kmem_cache_node-list_lock.patch
+vfio-pci-fix-null-pointer-oops-in-error-interrupt-setup-handling.patch
+tracing-fix-tick_stop-tracepoint-symbols-for-user-export.patch
+perf-intel-pt-fix-occasional-decoding-errors-when-tracing-system-wide.patch
+libnvdimm-nd_blk-mask-off-reserved-status-bits.patch
diff --git a/queue-4.7/sunrpc-allow-for-upcalls-for-same-uid-but-different-gss-service.patch b/queue-4.7/sunrpc-allow-for-upcalls-for-same-uid-but-different-gss-service.patch
new file mode 100644 (file)
index 0000000..de0b0c3
--- /dev/null
@@ -0,0 +1,59 @@
+From 9130b8dbc6ac20f2dc5846e1647f5b60eafab6e3 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <kolga@netapp.com>
+Date: Wed, 3 Aug 2016 20:19:48 -0400
+Subject: SUNRPC: allow for upcalls for same uid but different gss service
+
+From: Olga Kornievskaia <kolga@netapp.com>
+
+commit 9130b8dbc6ac20f2dc5846e1647f5b60eafab6e3 upstream.
+
+It's possible to have simultaneous upcalls for the same UIDs but
+different GSS service. In that case, we need to allow for the
+upcall to gssd to proceed so that not the same context is used
+by two different GSS services. Some servers lock the use of context
+to the GSS service.
+
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/auth_gss/auth_gss.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/sunrpc/auth_gss/auth_gss.c
++++ b/net/sunrpc/auth_gss/auth_gss.c
+@@ -340,12 +340,14 @@ gss_release_msg(struct gss_upcall_msg *g
+ }
+ static struct gss_upcall_msg *
+-__gss_find_upcall(struct rpc_pipe *pipe, kuid_t uid)
++__gss_find_upcall(struct rpc_pipe *pipe, kuid_t uid, const struct gss_auth *auth)
+ {
+       struct gss_upcall_msg *pos;
+       list_for_each_entry(pos, &pipe->in_downcall, list) {
+               if (!uid_eq(pos->uid, uid))
+                       continue;
++              if (auth && pos->auth->service != auth->service)
++                      continue;
+               atomic_inc(&pos->count);
+               dprintk("RPC:       %s found msg %p\n", __func__, pos);
+               return pos;
+@@ -365,7 +367,7 @@ gss_add_msg(struct gss_upcall_msg *gss_m
+       struct gss_upcall_msg *old;
+       spin_lock(&pipe->lock);
+-      old = __gss_find_upcall(pipe, gss_msg->uid);
++      old = __gss_find_upcall(pipe, gss_msg->uid, gss_msg->auth);
+       if (old == NULL) {
+               atomic_inc(&gss_msg->count);
+               list_add(&gss_msg->list, &pipe->in_downcall);
+@@ -714,7 +716,7 @@ gss_pipe_downcall(struct file *filp, con
+       err = -ENOENT;
+       /* Find a matching upcall */
+       spin_lock(&pipe->lock);
+-      gss_msg = __gss_find_upcall(pipe, uid);
++      gss_msg = __gss_find_upcall(pipe, uid, NULL);
+       if (gss_msg == NULL) {
+               spin_unlock(&pipe->lock);
+               goto err_put_ctx;
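Review bot: The new `auth` argument of `__gss_find_upcall()` treats NULL as "match any service", and `gss_pipe_downcall()` relies on that by passing `NULL`, but nothing in the code says so. Since `gss_add_msg()` can now leave two messages for the same uid with different services on `pipe->in_downcall`, the downcall lookup takes whichever entry comes first in the list. The context from gssd may then be attached to the upcall for the other service, which is the situation the commit message says some servers reject. Whether the downcall payload carries anything that could disambiguate is not visible in this hunk. At minimum I would document the contract above the function, e.g. `/* auth == NULL matches any service; the downcall path only knows the uid */`. The bodies of `gss_add_msg()` and `gss_pipe_downcall()` continue outside the hunk.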
diff --git a/queue-4.7/sunrpc-handle-eaddrnotavail-on-connection-failures.patch b/queue-4.7/sunrpc-handle-eaddrnotavail-on-connection-failures.patch
new file mode 100644 (file)
index 0000000..20bc4dd
--- /dev/null
@@ -0,0 +1,36 @@
+From 1f4c17a03ba7f430d63dba8c8e08ff1e2712581d Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Mon, 1 Aug 2016 13:36:08 -0400
+Subject: SUNRPC: Handle EADDRNOTAVAIL on connection failures
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit 1f4c17a03ba7f430d63dba8c8e08ff1e2712581d upstream.
+
+If the connect attempt immediately fails with an EADDRNOTAVAIL error, then
+that means our choice of source port number was bad.
+This error is expected when we set the SO_REUSEPORT socket option and we
+have 2 sockets sharing the same source and destination address and port
+combinations.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Fixes: 402e23b4ed9ed ("SUNRPC: Fix stupid typo in xs_sock_set_reuseport")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/xprtsock.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -2278,6 +2278,10 @@ static int xs_tcp_finish_connecting(stru
+               /* SYN_SENT! */
+               if (xprt->reestablish_timeout < XS_TCP_INIT_REEST_TO)
+                       xprt->reestablish_timeout = XS_TCP_INIT_REEST_TO;
++              break;
++      case -EADDRNOTAVAIL:
++              /* Source port number is unavailable. Try a new one! */
++              transport->srcport = 0;
+       }
+ out:
+       return ret;
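Review bot: The added `case -EADDRNOTAVAIL:` is the last label in the switch and ends without a `break;`, while the same change adds one to the case above it. Adding `break;` after `transport->srcport = 0;` keeps the two arms consistent and avoids a silent fallthrough if another case is appended later. `ret` is still returned as `-EADDRNOTAVAIL` through `out:`, so the retry with a fresh source port depends on how the caller treats that error. The caller is outside this hunk, as is the start of `xs_tcp_finish_connecting()`.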
diff --git a/queue-4.7/tracing-fix-tick_stop-tracepoint-symbols-for-user-export.patch b/queue-4.7/tracing-fix-tick_stop-tracepoint-symbols-for-user-export.patch
new file mode 100644 (file)
index 0000000..66a1b28
--- /dev/null
@@ -0,0 +1,77 @@
+From c87edb36118664f1fa275107c1138b6f47793240 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+Date: Fri, 5 Aug 2016 12:41:52 -0400
+Subject: tracing: Fix tick_stop tracepoint symbols for user export
+
+From: Steven Rostedt (Red Hat) <rostedt@goodmis.org>
+
+commit c87edb36118664f1fa275107c1138b6f47793240 upstream.
+
+The symbols used in the tick_stop tracepoint were not being converted
+properly into integers in the trace_stop format file. Instead we had this:
+
+print fmt: "success=%d dependency=%s", REC->success,
+    __print_symbolic(REC->dependency, { 0, "NONE" },
+     { (1 << TICK_DEP_BIT_POSIX_TIMER), "POSIX_TIMER" },
+     { (1 << TICK_DEP_BIT_PERF_EVENTS), "PERF_EVENTS" },
+     { (1 << TICK_DEP_BIT_SCHED), "SCHED" },
+     { (1 << TICK_DEP_BIT_CLOCK_UNSTABLE), "CLOCK_UNSTABLE" })
+
+User space tools have no idea how to parse "TICK_DEP_BIT_SCHED" or the other
+symbols used to do the bit shifting. The reason is that the conversion was
+done with using the TICK_DEP_MASK_* symbols which are just macros that
+convert to the BIT shift itself (with the exception of NONE, which was
+converted properly, because it doesn't use bits, and is defined as zero).
+
+The TICK_DEP_BIT_* needs to be denoted by TRACE_DEFINE_ENUM() in order to
+have this properly converted for user space tools to parse this event.
+
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Fixes: e6e6cc22e067 ("nohz: Use enum code for tick stop failure tracing message")
+Reported-by: Luiz Capitulino <lcapitulino@redhat.com>
+Tested-by: Luiz Capitulino <lcapitulino@redhat.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/trace/events/timer.h |   14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/include/trace/events/timer.h
++++ b/include/trace/events/timer.h
+@@ -330,24 +330,32 @@ TRACE_EVENT(itimer_expire,
+ #ifdef CONFIG_NO_HZ_COMMON
+ #define TICK_DEP_NAMES                                        \
+-              tick_dep_name(NONE)                     \
++              tick_dep_mask_name(NONE)                \
+               tick_dep_name(POSIX_TIMER)              \
+               tick_dep_name(PERF_EVENTS)              \
+               tick_dep_name(SCHED)                    \
+               tick_dep_name_end(CLOCK_UNSTABLE)
+ #undef tick_dep_name
++#undef tick_dep_mask_name
+ #undef tick_dep_name_end
+-#define tick_dep_name(sdep) TRACE_DEFINE_ENUM(TICK_DEP_MASK_##sdep);
+-#define tick_dep_name_end(sdep)  TRACE_DEFINE_ENUM(TICK_DEP_MASK_##sdep);
++/* The MASK will convert to their bits and they need to be processed too */
++#define tick_dep_name(sdep) TRACE_DEFINE_ENUM(TICK_DEP_BIT_##sdep); \
++      TRACE_DEFINE_ENUM(TICK_DEP_MASK_##sdep);
++#define tick_dep_name_end(sdep)  TRACE_DEFINE_ENUM(TICK_DEP_BIT_##sdep); \
++      TRACE_DEFINE_ENUM(TICK_DEP_MASK_##sdep);
++/* NONE only has a mask defined for it */
++#define tick_dep_mask_name(sdep) TRACE_DEFINE_ENUM(TICK_DEP_MASK_##sdep);
+ TICK_DEP_NAMES
+ #undef tick_dep_name
++#undef tick_dep_mask_name
+ #undef tick_dep_name_end
+ #define tick_dep_name(sdep) { TICK_DEP_MASK_##sdep, #sdep },
++#define tick_dep_mask_name(sdep) { TICK_DEP_MASK_##sdep, #sdep },
+ #define tick_dep_name_end(sdep) { TICK_DEP_MASK_##sdep, #sdep }
+ #define show_tick_dep_name(val)                               \
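Review bot: The new comment `/* The MASK will convert to their bits and they need to be processed too */` is hard to follow without the commit message. Something like `/* TICK_DEP_MASK_* expand to (1 << TICK_DEP_BIT_*), so the BIT enums must be exported as well */` states the reason directly. In the `TRACE_DEFINE_ENUM` pass, `tick_dep_name` and `tick_dep_name_end` now have identical two-line bodies. Writing the second as `#define tick_dep_name_end(sdep) tick_dep_name(sdep)` would keep them from drifting apart. The hunk ends inside the `show_tick_dep_name` definition, so the rest of that macro is not visible here.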
diff --git a/queue-4.7/vfio-pci-fix-null-pointer-oops-in-error-interrupt-setup-handling.patch b/queue-4.7/vfio-pci-fix-null-pointer-oops-in-error-interrupt-setup-handling.patch
new file mode 100644 (file)
index 0000000..8c43ba5
--- /dev/null
@@ -0,0 +1,153 @@
+From c8952a707556e04374d7b2fdb3a079d63ddf6f2f Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Mon, 8 Aug 2016 16:16:23 -0600
+Subject: vfio/pci: Fix NULL pointer oops in error interrupt setup handling
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit c8952a707556e04374d7b2fdb3a079d63ddf6f2f upstream.
+
+There are multiple cases in vfio_pci_set_ctx_trigger_single() where
+we assume we can safely read from our data pointer without actually
+checking whether the user has passed any data via the count field.
+VFIO_IRQ_SET_DATA_NONE in particular is entirely broken since we
+attempt to pull an int32_t file descriptor out before even checking
+the data type.  The other data types assume the data pointer contains
+one element of their type as well.
+
+In part this is good news because we were previously restricted from
+doing much sanitization of parameters because it was missed in the
+past and we didn't want to break existing users.  Clearly DATA_NONE
+is completely broken, so it must not have any users and we can fix
+it up completely.  For DATA_BOOL and DATA_EVENTFD, we'll just
+protect ourselves, returning error when count is zero since we
+previously would have oopsed.
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Reported-by: Chris Thompson <the_cartographer@hotmail.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vfio/pci/vfio_pci_intrs.c |   85 +++++++++++++++++++++-----------------
+ 1 file changed, 49 insertions(+), 36 deletions(-)
+
+--- a/drivers/vfio/pci/vfio_pci_intrs.c
++++ b/drivers/vfio/pci/vfio_pci_intrs.c
+@@ -564,67 +564,80 @@ static int vfio_pci_set_msi_trigger(stru
+ }
+ static int vfio_pci_set_ctx_trigger_single(struct eventfd_ctx **ctx,
+-                                         uint32_t flags, void *data)
++                                         unsigned int count, uint32_t flags,
++                                         void *data)
+ {
+-      int32_t fd = *(int32_t *)data;
+-
+-      if (!(flags & VFIO_IRQ_SET_DATA_TYPE_MASK))
+-              return -EINVAL;
+-
+       /* DATA_NONE/DATA_BOOL enables loopback testing */
+       if (flags & VFIO_IRQ_SET_DATA_NONE) {
+-              if (*ctx)
+-                      eventfd_signal(*ctx, 1);
+-              return 0;
++              if (*ctx) {
++                      if (count) {
++                              eventfd_signal(*ctx, 1);
++                      } else {
++                              eventfd_ctx_put(*ctx);
++                              *ctx = NULL;
++                      }
++                      return 0;
++              }
+       } else if (flags & VFIO_IRQ_SET_DATA_BOOL) {
+-              uint8_t trigger = *(uint8_t *)data;
++              uint8_t trigger;
++
++              if (!count)
++                      return -EINVAL;
++
++              trigger = *(uint8_t *)data;
+               if (trigger && *ctx)
+                       eventfd_signal(*ctx, 1);
+-              return 0;
+-      }
+-      /* Handle SET_DATA_EVENTFD */
+-      if (fd == -1) {
+-              if (*ctx)
+-                      eventfd_ctx_put(*ctx);
+-              *ctx = NULL;
+               return 0;
+-      } else if (fd >= 0) {
+-              struct eventfd_ctx *efdctx;
+-              efdctx = eventfd_ctx_fdget(fd);
+-              if (IS_ERR(efdctx))
+-                      return PTR_ERR(efdctx);
+-              if (*ctx)
+-                      eventfd_ctx_put(*ctx);
+-              *ctx = efdctx;
++      } else if (flags & VFIO_IRQ_SET_DATA_EVENTFD) {
++              int32_t fd;
++
++              if (!count)
++                      return -EINVAL;
++
++              fd = *(int32_t *)data;
++              if (fd == -1) {
++                      if (*ctx)
++                              eventfd_ctx_put(*ctx);
++                      *ctx = NULL;
++              } else if (fd >= 0) {
++                      struct eventfd_ctx *efdctx;
++
++                      efdctx = eventfd_ctx_fdget(fd);
++                      if (IS_ERR(efdctx))
++                              return PTR_ERR(efdctx);
++
++                      if (*ctx)
++                              eventfd_ctx_put(*ctx);
++
++                      *ctx = efdctx;
++              }
+               return 0;
+-      } else
+-              return -EINVAL;
++      }
++
++      return -EINVAL;
+ }
+ static int vfio_pci_set_err_trigger(struct vfio_pci_device *vdev,
+                                   unsigned index, unsigned start,
+                                   unsigned count, uint32_t flags, void *data)
+ {
+-      if (index != VFIO_PCI_ERR_IRQ_INDEX)
++      if (index != VFIO_PCI_ERR_IRQ_INDEX || start != 0 || count > 1)
+               return -EINVAL;
+-      /*
+-       * We should sanitize start & count, but that wasn't caught
+-       * originally, so this IRQ index must forever ignore them :-(
+-       */
+-
+-      return vfio_pci_set_ctx_trigger_single(&vdev->err_trigger, flags, data);
++      return vfio_pci_set_ctx_trigger_single(&vdev->err_trigger,
++                                             count, flags, data);
+ }
+ static int vfio_pci_set_req_trigger(struct vfio_pci_device *vdev,
+                                   unsigned index, unsigned start,
+                                   unsigned count, uint32_t flags, void *data)
+ {
+-      if (index != VFIO_PCI_REQ_IRQ_INDEX || start != 0 || count != 1)
++      if (index != VFIO_PCI_REQ_IRQ_INDEX || start != 0 || count > 1)
+               return -EINVAL;
+-      return vfio_pci_set_ctx_trigger_single(&vdev->req_trigger, flags, data);
++      return vfio_pci_set_ctx_trigger_single(&vdev->req_trigger,
++                                             count, flags, data);
+ }
+ int vfio_pci_set_irqs_ioctl(struct vfio_pci_device *vdev, uint32_t flags,
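Review bot: In the new `VFIO_IRQ_SET_DATA_EVENTFD` branch of `vfio_pci_set_ctx_trigger_single()`, an `fd` below -1 now falls past both `if (fd == -1)` and `else if (fd >= 0)` and reaches `return 0;`. The removed code ended that chain with `else return -EINVAL;`, so invalid descriptors used to be rejected and are now reported as success without changing `*ctx`. Restoring the final arm, `} else { return -EINVAL; }` before the branch's `return 0;`, keeps the earlier contract for user-supplied values. The new `count` checks guard the dereference of `data` only against a zero count. That `data` actually holds one element of the flagged type has to be guaranteed by the ioctl caller, which is outside this hunk.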
diff --git a/queue-4.7/virtio-fix-memory-leak-in-virtqueue_add.patch b/queue-4.7/virtio-fix-memory-leak-in-virtqueue_add.patch
new file mode 100644 (file)
index 0000000..60b2e8d
--- /dev/null
@@ -0,0 +1,35 @@
+From 58625edf9e2515ed41dac2a24fa8004030a87b87 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyj.lk@gmail.com>
+Date: Tue, 2 Aug 2016 14:16:31 +0000
+Subject: virtio: fix memory leak in virtqueue_add()
+
+From: Wei Yongjun <weiyj.lk@gmail.com>
+
+commit 58625edf9e2515ed41dac2a24fa8004030a87b87 upstream.
+
+When using the indirect buffers feature, 'desc' is allocated in
+virtqueue_add() but isn't freed before leaving on a ring full error,
+causing a memory leak.
+
+For example, it seems rather clear that this can trigger
+with virtio net if mergeable buffers are not used.
+
+Signed-off-by: Wei Yongjun <weiyj.lk@gmail.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virtio/virtio_ring.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/virtio/virtio_ring.c
++++ b/drivers/virtio/virtio_ring.c
+@@ -316,6 +316,8 @@ static inline int virtqueue_add(struct v
+                * host should service the ring ASAP. */
+               if (out_sgs)
+                       vq->notify(&vq->vq);
++              if (indirect)
++                      kfree(desc);
+               END_USE(vq);
+               return -ENOSPC;
+       }
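Review bot: The `if (indirect)` guard in front of `kfree(desc)` looks redundant at first glance, since `kfree(NULL)` is a no-op. It is needed only if `desc` points at non-heap memory in the direct case, which is presumably the ring itself; the assignment is outside this hunk. A short comment would stop someone from "simplifying" it later, for example `/* desc is heap-allocated only for indirect buffers */`. Whether the other early exits of `virtqueue_add()` release `desc` the same way cannot be checked from here, because the function starts and continues outside the hunk.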