--- /dev/null
+From 18f5ed365d3f188a91149d528c853000330a4a58 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Wed, 5 Aug 2015 09:21:05 +0900
+Subject: ALSA: fireworks/firewire-lib: add support for recent firmware quirk
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 18f5ed365d3f188a91149d528c853000330a4a58 upstream.
+
+Fireworks uses TSB43CB43(IceLynx-Micro) as its IEC 61883-1/6 interface.
+This chip includes ARM7 core, and loads and runs program. The firmware
+is stored in on-board memory and loaded every powering-on from it.
+
+Echo Audio ships several versions of firmwares for each model. These
+firmwares have each quirk and the quirk changes a sequence of packets.
+
+As long as I investigated, AudioFire2/AudioFire4/AudioFirePre8 have a
+quirk to transfer a first packet with 0x02 in its dbc field. This causes
+ALSA Fireworks driver to detect discontinuity. In this case, firmware
+version 5.7.0, 5.7.3 and 5.8.0 are used.
+
+Payload CIP CIP
+quadlets header1 header2
+02 00050002 90ffffff <-
+42 0005000a 90013000
+42 00050012 90014400
+42 0005001a 90015800
+02 0005001a 90ffffff
+42 00050022 90019000
+42 0005002a 9001a400
+42 00050032 9001b800
+02 00050032 90ffffff
+42 0005003a 9001d000
+42 00050042 9001e400
+42 0005004a 9001f800
+02 0005004a 90ffffff
+(AudioFire2 with firmware version 5.7.)
+
+$ dmesg
+snd-fireworks fw1.0: Detect discontinuity of CIP: 00 02
+
+These models, AudioFire8 (since Jul 2009 ) and Gibson Robot Interface
+Pack series uses the same ARM binary as their firmware. Thus, this
+quirk may be observed among them.
+
+This commit adds a new member for AMDTP structure. This member represents
+the value of dbc field in a first AMDTP packet. Drivers can set it with
+a preferred value according to model's quirk.
+
+Tested-by: Johannes Oertei <johannes.oertel@uni-due.de>
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/amdtp.c | 5 +++--
+ sound/firewire/amdtp.h | 2 ++
+ sound/firewire/fireworks/fireworks.c | 8 ++++++++
+ sound/firewire/fireworks/fireworks.h | 1 +
+ sound/firewire/fireworks/fireworks_stream.c | 9 +++++++++
+ 5 files changed, 23 insertions(+), 2 deletions(-)
+
+--- a/sound/firewire/amdtp.c
++++ b/sound/firewire/amdtp.c
+@@ -730,8 +730,9 @@ static void handle_in_packet(struct amdt
+ s->data_block_counter != UINT_MAX)
+ data_block_counter = s->data_block_counter;
+
+- if (((s->flags & CIP_SKIP_DBC_ZERO_CHECK) && data_block_counter == 0) ||
+- (s->data_block_counter == UINT_MAX)) {
++ if (((s->flags & CIP_SKIP_DBC_ZERO_CHECK) &&
++ data_block_counter == s->tx_first_dbc) ||
++ s->data_block_counter == UINT_MAX) {
+ lost = false;
+ } else if (!(s->flags & CIP_DBC_IS_END_EVENT)) {
+ lost = data_block_counter != s->data_block_counter;
+--- a/sound/firewire/amdtp.h
++++ b/sound/firewire/amdtp.h
+@@ -153,6 +153,8 @@ struct amdtp_stream {
+
+ /* quirk: fixed interval of dbc between previos/current packets. */
+ unsigned int tx_dbc_interval;
++ /* quirk: indicate the value of dbc field in a first packet. */
++ unsigned int tx_first_dbc;
+
+ bool callbacked;
+ wait_queue_head_t callback_wait;
+--- a/sound/firewire/fireworks/fireworks.c
++++ b/sound/firewire/fireworks/fireworks.c
+@@ -248,8 +248,16 @@ efw_probe(struct fw_unit *unit,
+ err = get_hardware_info(efw);
+ if (err < 0)
+ goto error;
++ /* AudioFire8 (since 2009) and AudioFirePre8 */
+ if (entry->model_id == MODEL_ECHO_AUDIOFIRE_9)
+ efw->is_af9 = true;
++ /* These models uses the same firmware. */
++ if (entry->model_id == MODEL_ECHO_AUDIOFIRE_2 ||
++ entry->model_id == MODEL_ECHO_AUDIOFIRE_4 ||
++ entry->model_id == MODEL_ECHO_AUDIOFIRE_9 ||
++ entry->model_id == MODEL_GIBSON_RIP ||
++ entry->model_id == MODEL_GIBSON_GOLDTOP)
++ efw->is_fireworks3 = true;
+
+ snd_efw_proc_init(efw);
+
+--- a/sound/firewire/fireworks/fireworks.h
++++ b/sound/firewire/fireworks/fireworks.h
+@@ -71,6 +71,7 @@ struct snd_efw {
+
+ /* for quirks */
+ bool is_af9;
++ bool is_fireworks3;
+ u32 firmware_version;
+
+ unsigned int midi_in_ports;
+--- a/sound/firewire/fireworks/fireworks_stream.c
++++ b/sound/firewire/fireworks/fireworks_stream.c
+@@ -172,6 +172,15 @@ int snd_efw_stream_init_duplex(struct sn
+ efw->tx_stream.flags |= CIP_DBC_IS_END_EVENT;
+ /* Fireworks reset dbc at bus reset. */
+ efw->tx_stream.flags |= CIP_SKIP_DBC_ZERO_CHECK;
++ /*
++ * But Recent firmwares starts packets with non-zero dbc.
++ * Driver version 5.7.6 installs firmware version 5.7.3.
++ */
++ if (efw->is_fireworks3 &&
++ (efw->firmware_version == 0x5070000 ||
++ efw->firmware_version == 0x5070300 ||
++ efw->firmware_version == 0x5080000))
++ efw->tx_stream.tx_first_dbc = 0x02;
+ /* AudioFire9 always reports wrong dbs. */
+ if (efw->is_af9)
+ efw->tx_stream.flags |= CIP_WRONG_DBS;
--- /dev/null
+From 44008f0896ae205b02b0882dbf807f0de149efc4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sat, 25 Jul 2015 03:03:38 +0300
+Subject: ALSA: hda - fix cs4210_spdif_automute()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 44008f0896ae205b02b0882dbf807f0de149efc4 upstream.
+
+Smatch complains that we have nested checks for "spdif_present". It
+turns out the current behavior isn't correct, we should remove the first
+check and keep the second.
+
+Fixes: 1077a024812d ('ALSA: hda - Use generic parser for Cirrus codec driver')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_cirrus.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/sound/pci/hda/patch_cirrus.c
++++ b/sound/pci/hda/patch_cirrus.c
+@@ -1001,9 +1001,7 @@ static void cs4210_spdif_automute(struct
+
+ spec->spdif_present = spdif_present;
+ /* SPDIF TX on/off */
+- if (spdif_present)
+- snd_hda_set_pin_ctl(codec, spdif_pin,
+- spdif_present ? PIN_OUT : 0);
++ snd_hda_set_pin_ctl(codec, spdif_pin, spdif_present ? PIN_OUT : 0);
+
+ cs_automute(codec);
+ }
--- /dev/null
+From 73851b36fe73819f8c201971e913324d4846a7ea Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Wed, 5 Aug 2015 18:03:34 +0800
+Subject: ALSA: hda - one Dell machine needs the headphone white noise fixup
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 73851b36fe73819f8c201971e913324d4846a7ea upstream.
+
+The fixup ALC292_FIXUP_DISABLE_AAMIX can fix the white noise of
+the headphone on this Dell machine.
+
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5118,6 +5118,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1028, 0x06c7, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x06d9, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x06da, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0x1028, 0x06de, "Dell", ALC292_FIXUP_DISABLE_AAMIX),
+ SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),
--- /dev/null
+From bd4aaf8f9b85d6b2df3231fd62b219ebb75d3568 Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Mon, 3 Aug 2015 09:54:58 -0400
+Subject: dm: fix dm_merge_bvec regression on 32 bit systems
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit bd4aaf8f9b85d6b2df3231fd62b219ebb75d3568 upstream.
+
+A DM regression on 32 bit systems was reported against v4.2-rc3 here:
+https://lkml.org/lkml/2015/7/29/401
+
+Fix this by reverting both commit 1c220c69 ("dm: fix casting bug in
+dm_merge_bvec()") and 148e51ba ("dm: improve documentation and code
+clarity in dm_merge_bvec"). This combined revert is done to eliminate
+the possibility of a partial revert in stable@ kernels.
+
+In hindsight the correct fix, at the time 1c220c69 was applied to fix
+the regression that 148e51ba introduced, should've been to simply revert
+148e51ba.
+
+Reported-by: Josh Boyer <jwboyer@fedoraproject.org>
+Tested-by: Adam Williamson <awilliam@redhat.com>
+Acked-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm.c | 27 ++++++++++-----------------
+ 1 file changed, 10 insertions(+), 17 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -1719,7 +1719,8 @@ static int dm_merge_bvec(struct request_
+ struct mapped_device *md = q->queuedata;
+ struct dm_table *map = dm_get_live_table_fast(md);
+ struct dm_target *ti;
+- sector_t max_sectors, max_size = 0;
++ sector_t max_sectors;
++ int max_size = 0;
+
+ if (unlikely(!map))
+ goto out;
+@@ -1732,18 +1733,10 @@ static int dm_merge_bvec(struct request_
+ * Find maximum amount of I/O that won't need splitting
+ */
+ max_sectors = min(max_io_len(bvm->bi_sector, ti),
+- (sector_t) queue_max_sectors(q));
++ (sector_t) BIO_MAX_SECTORS);
+ max_size = (max_sectors << SECTOR_SHIFT) - bvm->bi_size;
+-
+- /*
+- * FIXME: this stop-gap fix _must_ be cleaned up (by passing a sector_t
+- * to the targets' merge function since it holds sectors not bytes).
+- * Just doing this as an interim fix for stable@ because the more
+- * comprehensive cleanup of switching to sector_t will impact every
+- * DM target that implements a ->merge hook.
+- */
+- if (max_size > INT_MAX)
+- max_size = INT_MAX;
++ if (max_size < 0)
++ max_size = 0;
+
+ /*
+ * merge_bvec_fn() returns number of bytes
+@@ -1751,13 +1744,13 @@ static int dm_merge_bvec(struct request_
+ * max is precomputed maximal io size
+ */
+ if (max_size && ti->type->merge)
+- max_size = ti->type->merge(ti, bvm, biovec, (int) max_size);
++ max_size = ti->type->merge(ti, bvm, biovec, max_size);
+ /*
+ * If the target doesn't support merge method and some of the devices
+- * provided their merge_bvec method (we know this by looking for the
+- * max_hw_sectors that dm_set_device_limits may set), then we can't
+- * allow bios with multiple vector entries. So always set max_size
+- * to 0, and the code below allows just one page.
++ * provided their merge_bvec method (we know this by looking at
++ * queue_max_hw_sectors), then we can't allow bios with multiple vector
++ * entries. So always set max_size to 0, and the code below allows
++ * just one page.
+ */
+ else if (queue_max_hw_sectors(q) <= PAGE_SIZE >> 9)
+ max_size = 0;
--- /dev/null
+From a4b45b25f18d1e798965efec429ba5fc01b9f0b6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pali=20Roh=C3=A1r?= <pali.rohar@gmail.com>
+Date: Thu, 30 Jul 2015 20:41:57 +0200
+Subject: hwmon: (dell-smm) Blacklist Dell Studio XPS 8100
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Pali=20Roh=C3=A1r?= <pali.rohar@gmail.com>
+
+commit a4b45b25f18d1e798965efec429ba5fc01b9f0b6 upstream.
+
+CPU fan speed going up and down on Dell Studio XPS 8100 for
+unknown reasons. Without further debugging on the affected
+machine, it is not possible to find the problem.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=100121
+Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
+Tested-by: Jan C Peters <jcpeters89@gmail.com>
+[groeck: cleaned up description, comments]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/i8k.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/i8k.c
++++ b/drivers/char/i8k.c
+@@ -900,6 +900,21 @@ static struct dmi_system_id i8k_dmi_tabl
+
+ MODULE_DEVICE_TABLE(dmi, i8k_dmi_table);
+
++static struct dmi_system_id i8k_blacklist_dmi_table[] __initdata = {
++ {
++ /*
++ * CPU fan speed going up and down on Dell Studio XPS 8100
++ * for unknown reasons.
++ */
++ .ident = "Dell Studio XPS 8100",
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Studio XPS 8100"),
++ },
++ },
++ { }
++};
++
+ /*
+ * Probe for the presence of a supported laptop.
+ */
+@@ -911,7 +926,8 @@ static int __init i8k_probe(void)
+ /*
+ * Get DMI information
+ */
+- if (!dmi_check_system(i8k_dmi_table)) {
++ if (!dmi_check_system(i8k_dmi_table) ||
++ dmi_check_system(i8k_blacklist_dmi_table)) {
+ if (!ignore_dmi && !force)
+ return -ENODEV;
+
--- /dev/null
+From 1252be9ce0ab4f622b8692b648894d09c0df71ce Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javier@osg.samsung.com>
+Date: Thu, 30 Jul 2015 18:18:39 +0200
+Subject: hwmon: (nct7904) Export I2C module alias information
+
+From: Javier Martinez Canillas <javier@osg.samsung.com>
+
+commit 1252be9ce0ab4f622b8692b648894d09c0df71ce upstream.
+
+The I2C core always reports the MODALIAS uevent as "i2c:<client name"
+regardless if the driver was matched using the I2C id_table or the
+of_match_table. So the driver needs to export the I2C table and this
+be built into the module or udev won't have the necessary information
+to auto load the correct module when the device is added.
+
+Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/nct7904.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/hwmon/nct7904.c
++++ b/drivers/hwmon/nct7904.c
+@@ -575,6 +575,7 @@ static const struct i2c_device_id nct790
+ {"nct7904", 0},
+ {}
+ };
++MODULE_DEVICE_TABLE(i2c, nct7904_id);
+
+ static struct i2c_driver nct7904_driver = {
+ .class = I2C_CLASS_HWMON,
--- /dev/null
+From 073e570d7c2caae9910a993d56f340be4548a4a8 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 3 Aug 2015 14:06:24 -0700
+Subject: Input: alps - only Dell laptops have separate button bits for v2 dualpoint sticks
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 073e570d7c2caae9910a993d56f340be4548a4a8 upstream.
+
+It turns out that only Dell laptops have the separate button bits for
+v2 dualpoint sticks and that commit 92bac83dd79e ("Input: alps - non
+interleaved V2 dualpoint has separate stick button bits") causes
+regressions on Toshiba laptops.
+
+This commit adds a check for Dell laptops to the code for handling these
+extra button bits, fixing this regression.
+
+This patch has been tested on a Dell Latitude D620 to make sure that it
+does not reintroduce the original problem.
+
+Reported-and-tested-by: Douglas Christman <douglaschristman@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/input/alps.txt | 6 ++++--
+ drivers/input/mouse/alps.c | 8 ++++++--
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/Documentation/input/alps.txt
++++ b/Documentation/input/alps.txt
+@@ -119,8 +119,10 @@ ALPS Absolute Mode - Protocol Version 2
+ byte 5: 0 z6 z5 z4 z3 z2 z1 z0
+
+ Protocol Version 2 DualPoint devices send standard PS/2 mouse packets for
+-the DualPoint Stick. For non interleaved dualpoint devices the pointingstick
+-buttons get reported separately in the PSM, PSR and PSL bits.
++the DualPoint Stick. The M, R and L bits signal the combined status of both
++the pointingstick and touchpad buttons, except for Dell dualpoint devices
++where the pointingstick buttons get reported separately in the PSM, PSR
++and PSL bits.
+
+ Dualpoint device -- interleaved packet format
+ ---------------------------------------------
+--- a/drivers/input/mouse/alps.c
++++ b/drivers/input/mouse/alps.c
+@@ -20,6 +20,7 @@
+ #include <linux/input/mt.h>
+ #include <linux/serio.h>
+ #include <linux/libps2.h>
++#include <linux/dmi.h>
+
+ #include "psmouse.h"
+ #include "alps.h"
+@@ -99,6 +100,7 @@ static const struct alps_nibble_commands
+ #define ALPS_FOUR_BUTTONS 0x40 /* 4 direction button present */
+ #define ALPS_PS2_INTERLEAVED 0x80 /* 3-byte PS/2 packet interleaved with
+ 6-byte ALPS packet */
++#define ALPS_DELL 0x100 /* device is a Dell laptop */
+ #define ALPS_BUTTONPAD 0x200 /* device is a clickpad */
+
+ static const struct alps_model_info alps_model_data[] = {
+@@ -251,9 +253,9 @@ static void alps_process_packet_v1_v2(st
+ return;
+ }
+
+- /* Non interleaved V2 dualpoint has separate stick button bits */
++ /* Dell non interleaved V2 dualpoint has separate stick button bits */
+ if (priv->proto_version == ALPS_PROTO_V2 &&
+- priv->flags == (ALPS_PASS | ALPS_DUALPOINT)) {
++ priv->flags == (ALPS_DELL | ALPS_PASS | ALPS_DUALPOINT)) {
+ left |= packet[0] & 1;
+ right |= packet[0] & 2;
+ middle |= packet[0] & 4;
+@@ -2542,6 +2544,8 @@ static int alps_set_protocol(struct psmo
+ priv->byte0 = protocol->byte0;
+ priv->mask0 = protocol->mask0;
+ priv->flags = protocol->flags;
++ if (dmi_name_in_vendors("Dell"))
++ priv->flags |= ALPS_DELL;
+
+ priv->x_max = 2000;
+ priv->y_max = 1400;
--- /dev/null
+From de54b9ac253787c366bbfb28d901a31954eb3511 Mon Sep 17 00:00:00 2001
+From: Marcus Gelderie <redmnic@gmail.com>
+Date: Thu, 6 Aug 2015 15:46:10 -0700
+Subject: ipc: modify message queue accounting to not take kernel data structures into account
+
+From: Marcus Gelderie <redmnic@gmail.com>
+
+commit de54b9ac253787c366bbfb28d901a31954eb3511 upstream.
+
+A while back, the message queue implementation in the kernel was
+improved to use btrees to speed up retrieval of messages, in commit
+d6629859b36d ("ipc/mqueue: improve performance of send/recv").
+
+That patch introducing the improved kernel handling of message queues
+(using btrees) has, as a by-product, changed the meaning of the QSIZE
+field in the pseudo-file created for the queue. Before, this field
+reflected the size of the user-data in the queue. Since, it also takes
+kernel data structures into account. For example, if 13 bytes of user
+data are in the queue, on my machine the file reports a size of 61
+bytes.
+
+There was some discussion on this topic before (for example
+https://lkml.org/lkml/2014/10/1/115). Commenting on a th lkml, Michael
+Kerrisk gave the following background
+(https://lkml.org/lkml/2015/6/16/74):
+
+ The pseudofiles in the mqueue filesystem (usually mounted at
+ /dev/mqueue) expose fields with metadata describing a message
+ queue. One of these fields, QSIZE, as originally implemented,
+ showed the total number of bytes of user data in all messages in
+ the message queue, and this feature was documented from the
+ beginning in the mq_overview(7) page. In 3.5, some other (useful)
+ work happened to break the user-space API in a couple of places,
+ including the value exposed via QSIZE, which now includes a measure
+ of kernel overhead bytes for the queue, a figure that renders QSIZE
+ useless for its original purpose, since there's no way to deduce
+ the number of overhead bytes consumed by the implementation.
+ (The other user-space breakage was subsequently fixed.)
+
+This patch removes the accounting of kernel data structures in the
+queue. Reporting the size of these data-structures in the QSIZE field
+was a breaking change (see Michael's comment above). Without the QSIZE
+field reporting the total size of user-data in the queue, there is no
+way to deduce this number.
+
+It should be noted that the resource limit RLIMIT_MSGQUEUE is counted
+against the worst-case size of the queue (in both the old and the new
+implementation). Therefore, the kernel overhead accounting in QSIZE is
+not necessary to help the user understand the limitations RLIMIT imposes
+on the processes.
+
+Signed-off-by: Marcus Gelderie <redmnic@gmail.com>
+Acked-by: Doug Ledford <dledford@redhat.com>
+Acked-by: Michael Kerrisk <mtk.manpages@gmail.com>
+Acked-by: Davidlohr Bueso <dbueso@suse.de>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: John Duffy <jb_duffy@btinternet.com>
+Cc: Arto Bendiken <arto@bendiken.net>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ ipc/mqueue.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/ipc/mqueue.c
++++ b/ipc/mqueue.c
+@@ -143,7 +143,6 @@ static int msg_insert(struct msg_msg *ms
+ if (!leaf)
+ return -ENOMEM;
+ INIT_LIST_HEAD(&leaf->msg_list);
+- info->qsize += sizeof(*leaf);
+ }
+ leaf->priority = msg->m_type;
+ rb_link_node(&leaf->rb_node, parent, p);
+@@ -188,7 +187,6 @@ try_again:
+ "lazy leaf delete!\n");
+ rb_erase(&leaf->rb_node, &info->msg_tree);
+ if (info->node_cache) {
+- info->qsize -= sizeof(*leaf);
+ kfree(leaf);
+ } else {
+ info->node_cache = leaf;
+@@ -201,7 +199,6 @@ try_again:
+ if (list_empty(&leaf->msg_list)) {
+ rb_erase(&leaf->rb_node, &info->msg_tree);
+ if (info->node_cache) {
+- info->qsize -= sizeof(*leaf);
+ kfree(leaf);
+ } else {
+ info->node_cache = leaf;
+@@ -1026,7 +1023,6 @@ SYSCALL_DEFINE5(mq_timedsend, mqd_t, mqd
+ /* Save our speculative allocation into the cache */
+ INIT_LIST_HEAD(&new_leaf->msg_list);
+ info->node_cache = new_leaf;
+- info->qsize += sizeof(*new_leaf);
+ new_leaf = NULL;
+ } else {
+ kfree(new_leaf);
+@@ -1133,7 +1129,6 @@ SYSCALL_DEFINE5(mq_timedreceive, mqd_t,
+ /* Save our speculative allocation into the cache */
+ INIT_LIST_HEAD(&new_leaf->msg_list);
+ info->node_cache = new_leaf;
+- info->qsize += sizeof(*new_leaf);
+ } else {
+ kfree(new_leaf);
+ }
--- /dev/null
+From 423f04d63cf421ea436bcc5be02543d549ce4b28 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Mon, 27 Jul 2015 11:48:52 +1000
+Subject: md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies
+
+From: NeilBrown <neilb@suse.com>
+
+commit 423f04d63cf421ea436bcc5be02543d549ce4b28 upstream.
+
+raid1_end_read_request() assumes that the In_sync bits are consistent
+with the ->degaded count.
+raid1_spare_active updates the In_sync bit before the ->degraded count
+and so exposes an inconsistency, as does error()
+So extend the spinlock in raid1_spare_active() and error() to hide those
+inconsistencies.
+
+This should probably be part of
+ Commit: 34cab6f42003 ("md/raid1: fix test for 'was read error from
+ last working device'.")
+as it addresses the same issue. It fixes the same bug and should go
+to -stable for same reasons.
+
+Fixes: 76073054c95b ("md/raid1: clean up read_balance.")
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid1.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -1475,6 +1475,7 @@ static void error(struct mddev *mddev, s
+ {
+ char b[BDEVNAME_SIZE];
+ struct r1conf *conf = mddev->private;
++ unsigned long flags;
+
+ /*
+ * If it is not operational, then we have already marked it as dead
+@@ -1494,14 +1495,13 @@ static void error(struct mddev *mddev, s
+ return;
+ }
+ set_bit(Blocked, &rdev->flags);
++ spin_lock_irqsave(&conf->device_lock, flags);
+ if (test_and_clear_bit(In_sync, &rdev->flags)) {
+- unsigned long flags;
+- spin_lock_irqsave(&conf->device_lock, flags);
+ mddev->degraded++;
+ set_bit(Faulty, &rdev->flags);
+- spin_unlock_irqrestore(&conf->device_lock, flags);
+ } else
+ set_bit(Faulty, &rdev->flags);
++ spin_unlock_irqrestore(&conf->device_lock, flags);
+ /*
+ * if recovery is running, make sure it aborts.
+ */
+@@ -1567,7 +1567,10 @@ static int raid1_spare_active(struct mdd
+ * Find all failed disks within the RAID1 configuration
+ * and mark them readable.
+ * Called under mddev lock, so rcu protection not needed.
++ * device_lock used to avoid races with raid1_end_read_request
++ * which expects 'In_sync' flags and ->degraded to be consistent.
+ */
++ spin_lock_irqsave(&conf->device_lock, flags);
+ for (i = 0; i < conf->raid_disks; i++) {
+ struct md_rdev *rdev = conf->mirrors[i].rdev;
+ struct md_rdev *repl = conf->mirrors[conf->raid_disks + i].rdev;
+@@ -1598,7 +1601,6 @@ static int raid1_spare_active(struct mdd
+ sysfs_notify_dirent_safe(rdev->sysfs_state);
+ }
+ }
+- spin_lock_irqsave(&conf->device_lock, flags);
+ mddev->degraded -= count;
+ spin_unlock_irqrestore(&conf->device_lock, flags);
+
--- /dev/null
+From 5f867db63473f32cce1b868e281ebd42a41f8fad Mon Sep 17 00:00:00 2001
+From: Scott Wood <scottwood@freescale.com>
+Date: Fri, 26 Jun 2015 19:43:58 -0500
+Subject: mtd: nand: Fix NAND_USE_BOUNCE_BUFFER flag conflict
+
+From: Scott Wood <scottwood@freescale.com>
+
+commit 5f867db63473f32cce1b868e281ebd42a41f8fad upstream.
+
+Commit 66507c7bc8895f0da6b ("mtd: nand: Add support to use nand_base
+poi databuf as bounce buffer") added a flag NAND_USE_BOUNCE_BUFFER
+using the same bit value as the existing NAND_BUSWIDTH_AUTO.
+
+Cc: Kamal Dasu <kdasu.kdev@gmail.com>
+Fixes: 66507c7bc8895f0da6b ("mtd: nand: Add support to use nand_base
+ poi databuf as bounce buffer")
+Signed-off-by: Scott Wood <scottwood@freescale.com>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/mtd/nand.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/include/linux/mtd/nand.h
++++ b/include/linux/mtd/nand.h
+@@ -176,17 +176,17 @@ typedef enum {
+ /* Chip may not exist, so silence any errors in scan */
+ #define NAND_SCAN_SILENT_NODEV 0x00040000
+ /*
+- * This option could be defined by controller drivers to protect against
+- * kmap'ed, vmalloc'ed highmem buffers being passed from upper layers
+- */
+-#define NAND_USE_BOUNCE_BUFFER 0x00080000
+-/*
+ * Autodetect nand buswidth with readid/onfi.
+ * This suppose the driver will configure the hardware in 8 bits mode
+ * when calling nand_scan_ident, and update its configuration
+ * before calling nand_scan_tail.
+ */
+ #define NAND_BUSWIDTH_AUTO 0x00080000
++/*
++ * This option could be defined by controller drivers to protect against
++ * kmap'ed, vmalloc'ed highmem buffers being passed from upper layers
++ */
++#define NAND_USE_BOUNCE_BUFFER 0x00100000
+
+ /* Options set by nand scan */
+ /* Nand scan has allocated controller struct */
--- /dev/null
+From c2227a39a078473115910512aa0f8d53bd915e60 Mon Sep 17 00:00:00 2001
+From: Kinglong Mee <kinglongmee@gmail.com>
+Date: Tue, 7 Jul 2015 10:16:37 +0800
+Subject: nfsd: Drop BUG_ON and ignore SECLABEL on absent filesystem
+
+From: Kinglong Mee <kinglongmee@gmail.com>
+
+commit c2227a39a078473115910512aa0f8d53bd915e60 upstream.
+
+On an absent filesystem (one served by another server), we need to be
+able to handle requests for certain attributest (like fs_locations, so
+the client can find out which server does have the filesystem), but
+others we can't.
+
+We forgot to take that into account when adding another attribute
+bitmask work for the SECURITY_LABEL attribute.
+
+There an export entry with the "refer" option can result in:
+
+[ 88.414272] kernel BUG at fs/nfsd/nfs4xdr.c:2249!
+[ 88.414828] invalid opcode: 0000 [#1] SMP
+[ 88.415368] Modules linked in: rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache nfsd xfs libcrc32c iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi iosf_mbi ppdev btrfs coretemp crct10dif_pclmul crc32_pclmul crc32c_intel xor ghash_clmulni_intel raid6_pq vmw_balloon parport_pc parport i2c_piix4 shpchp vmw_vmci acpi_cpufreq auth_rpcgss nfs_acl lockd grace sunrpc vmwgfx drm_kms_helper ttm drm mptspi mptscsih serio_raw mptbase e1000 scsi_transport_spi ata_generic pata_acpi [last unloaded: nfsd]
+[ 88.417827] CPU: 0 PID: 2116 Comm: nfsd Not tainted 4.0.7-300.fc22.x86_64 #1
+[ 88.418448] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/20/2014
+[ 88.419093] task: ffff880079146d50 ti: ffff8800785d8000 task.ti: ffff8800785d8000
+[ 88.419729] RIP: 0010:[<ffffffffa04b3c10>] [<ffffffffa04b3c10>] nfsd4_encode_fattr+0x820/0x1f00 [nfsd]
+[ 88.420376] RSP: 0000:ffff8800785db998 EFLAGS: 00010206
+[ 88.421027] RAX: 0000000000000001 RBX: 000000000018091a RCX: ffff88006668b980
+[ 88.421676] RDX: 00000000fffef7fc RSI: 0000000000000000 RDI: ffff880078d05000
+[ 88.422315] RBP: ffff8800785dbb58 R08: ffff880078d043f8 R09: ffff880078d4a000
+[ 88.422968] R10: 0000000000010000 R11: 0000000000000002 R12: 0000000000b0a23a
+[ 88.423612] R13: ffff880078d05000 R14: ffff880078683100 R15: ffff88006668b980
+[ 88.424295] FS: 0000000000000000(0000) GS:ffff88007c600000(0000) knlGS:0000000000000000
+[ 88.424944] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 88.425597] CR2: 00007f40bc370f90 CR3: 0000000035af5000 CR4: 00000000001407f0
+[ 88.426285] Stack:
+[ 88.426921] ffff8800785dbaa8 ffffffffa049e4af ffff8800785dba08 ffffffff813298f0
+[ 88.427585] ffff880078683300 ffff8800769b0de8 0000089d00000001 0000000087f805e0
+[ 88.428228] ffff880000000000 ffff880079434a00 0000000000000000 ffff88006668b980
+[ 88.428877] Call Trace:
+[ 88.429527] [<ffffffffa049e4af>] ? exp_get_by_name+0x7f/0xb0 [nfsd]
+[ 88.430168] [<ffffffff813298f0>] ? inode_doinit_with_dentry+0x210/0x6a0
+[ 88.430807] [<ffffffff8123833e>] ? d_lookup+0x2e/0x60
+[ 88.431449] [<ffffffff81236133>] ? dput+0x33/0x230
+[ 88.432097] [<ffffffff8123f214>] ? mntput+0x24/0x40
+[ 88.432719] [<ffffffff812272b2>] ? path_put+0x22/0x30
+[ 88.433340] [<ffffffffa049ac87>] ? nfsd_cross_mnt+0xb7/0x1c0 [nfsd]
+[ 88.433954] [<ffffffffa04b54e0>] nfsd4_encode_dirent+0x1b0/0x3d0 [nfsd]
+[ 88.434601] [<ffffffffa04b5330>] ? nfsd4_encode_getattr+0x40/0x40 [nfsd]
+[ 88.435172] [<ffffffffa049c991>] nfsd_readdir+0x1c1/0x2a0 [nfsd]
+[ 88.435710] [<ffffffffa049a530>] ? nfsd_direct_splice_actor+0x20/0x20 [nfsd]
+[ 88.436447] [<ffffffffa04abf30>] nfsd4_encode_readdir+0x120/0x220 [nfsd]
+[ 88.437011] [<ffffffffa04b58cd>] nfsd4_encode_operation+0x7d/0x190 [nfsd]
+[ 88.437566] [<ffffffffa04aa6dd>] nfsd4_proc_compound+0x24d/0x6f0 [nfsd]
+[ 88.438157] [<ffffffffa0496103>] nfsd_dispatch+0xc3/0x220 [nfsd]
+[ 88.438680] [<ffffffffa006f0cb>] svc_process_common+0x43b/0x690 [sunrpc]
+[ 88.439192] [<ffffffffa0070493>] svc_process+0x103/0x1b0 [sunrpc]
+[ 88.439694] [<ffffffffa0495a57>] nfsd+0x117/0x190 [nfsd]
+[ 88.440194] [<ffffffffa0495940>] ? nfsd_destroy+0x90/0x90 [nfsd]
+[ 88.440697] [<ffffffff810bb728>] kthread+0xd8/0xf0
+[ 88.441260] [<ffffffff810bb650>] ? kthread_worker_fn+0x180/0x180
+[ 88.441762] [<ffffffff81789e58>] ret_from_fork+0x58/0x90
+[ 88.442322] [<ffffffff810bb650>] ? kthread_worker_fn+0x180/0x180
+[ 88.442879] Code: 0f 84 93 05 00 00 83 f8 ea c7 85 a0 fe ff ff 00 00 27 30 0f 84 ba fe ff ff 85 c0 0f 85 a5 fe ff ff e9 e3 f9 ff ff 0f 1f 44 00 00 <0f> 0b 66 0f 1f 44 00 00 be 04 00 00 00 4c 89 ef 4c 89 8d 68 fe
+[ 88.444052] RIP [<ffffffffa04b3c10>] nfsd4_encode_fattr+0x820/0x1f00 [nfsd]
+[ 88.444658] RSP <ffff8800785db998>
+[ 88.445232] ---[ end trace 6cb9d0487d94a29f ]---
+
+Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4xdr.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -2142,6 +2142,7 @@ nfsd4_encode_aclname(struct xdr_stream *
+ #define WORD0_ABSENT_FS_ATTRS (FATTR4_WORD0_FS_LOCATIONS | FATTR4_WORD0_FSID | \
+ FATTR4_WORD0_RDATTR_ERROR)
+ #define WORD1_ABSENT_FS_ATTRS FATTR4_WORD1_MOUNTED_ON_FILEID
++#define WORD2_ABSENT_FS_ATTRS 0
+
+ #ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+ static inline __be32
+@@ -2170,7 +2171,7 @@ nfsd4_encode_security_label(struct xdr_s
+ { return 0; }
+ #endif
+
+-static __be32 fattr_handle_absent_fs(u32 *bmval0, u32 *bmval1, u32 *rdattr_err)
++static __be32 fattr_handle_absent_fs(u32 *bmval0, u32 *bmval1, u32 *bmval2, u32 *rdattr_err)
+ {
+ /* As per referral draft: */
+ if (*bmval0 & ~WORD0_ABSENT_FS_ATTRS ||
+@@ -2183,6 +2184,7 @@ static __be32 fattr_handle_absent_fs(u32
+ }
+ *bmval0 &= WORD0_ABSENT_FS_ATTRS;
+ *bmval1 &= WORD1_ABSENT_FS_ATTRS;
++ *bmval2 &= WORD2_ABSENT_FS_ATTRS;
+ return 0;
+ }
+
+@@ -2246,8 +2248,7 @@ nfsd4_encode_fattr(struct xdr_stream *xd
+ BUG_ON(bmval2 & ~nfsd_suppattrs2(minorversion));
+
+ if (exp->ex_fslocs.migrated) {
+- BUG_ON(bmval[2]);
+- status = fattr_handle_absent_fs(&bmval0, &bmval1, &rdattr_err);
++ status = fattr_handle_absent_fs(&bmval0, &bmval1, &bmval2, &rdattr_err);
+ if (status)
+ goto out;
+ }
+@@ -2290,8 +2291,8 @@ nfsd4_encode_fattr(struct xdr_stream *xd
+ }
+
+ #ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+- if ((bmval[2] & FATTR4_WORD2_SECURITY_LABEL) ||
+- bmval[0] & FATTR4_WORD0_SUPPORTED_ATTRS) {
++ if ((bmval2 & FATTR4_WORD2_SECURITY_LABEL) ||
++ bmval0 & FATTR4_WORD0_SUPPORTED_ATTRS) {
+ err = security_inode_getsecctx(d_inode(dentry),
+ &context, &contextlen);
+ contextsupport = (err == 0);
--- /dev/null
+From 209f7512d007980fd111a74a064d70a3656079cf Mon Sep 17 00:00:00 2001
+From: Joseph Qi <joseph.qi@huawei.com>
+Date: Thu, 6 Aug 2015 15:46:23 -0700
+Subject: ocfs2: fix BUG in ocfs2_downconvert_thread_do_work()
+
+From: Joseph Qi <joseph.qi@huawei.com>
+
+commit 209f7512d007980fd111a74a064d70a3656079cf upstream.
+
+The "BUG_ON(list_empty(&osb->blocked_lock_list))" in
+ocfs2_downconvert_thread_do_work can be triggered in the following case:
+
+ocfs2dc has firstly saved osb->blocked_lock_count to local varibale
+processed, and then processes the dentry lockres. During the dentry
+put, it calls iput and then deletes rw, inode and open lockres from
+blocked list in ocfs2_mark_lockres_freeing. And this causes the
+variable `processed' to not reflect the number of blocked lockres to be
+processed, which triggers the BUG.
+
+Signed-off-by: Joseph Qi <joseph.qi@huawei.com>
+Cc: Mark Fasheh <mfasheh@suse.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/dlmglue.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/fs/ocfs2/dlmglue.c
++++ b/fs/ocfs2/dlmglue.c
+@@ -4025,9 +4025,13 @@ static void ocfs2_downconvert_thread_do_
+ osb->dc_work_sequence = osb->dc_wake_sequence;
+
+ processed = osb->blocked_lock_count;
+- while (processed) {
+- BUG_ON(list_empty(&osb->blocked_lock_list));
+-
++ /*
++ * blocked lock processing in this loop might call iput which can
++ * remove items off osb->blocked_lock_list. Downconvert up to
++ * 'processed' number of locks, but stop short if we had some
++ * removed in ocfs2_mark_lockres_freeing when downconverting.
++ */
++ while (processed && !list_empty(&osb->blocked_lock_list)) {
+ lockres = list_entry(osb->blocked_lock_list.next,
+ struct ocfs2_lock_res, l_blocked_list);
+ list_del_init(&lockres->l_blocked_list);
--- /dev/null
+From 32e5a2a2be6b085febaac36efff495ad65a55e6c Mon Sep 17 00:00:00 2001
+From: Joseph Qi <joseph.qi@huawei.com>
+Date: Thu, 6 Aug 2015 15:46:48 -0700
+Subject: ocfs2: fix shift left overflow
+
+From: Joseph Qi <joseph.qi@huawei.com>
+
+commit 32e5a2a2be6b085febaac36efff495ad65a55e6c upstream.
+
+When using a large volume, for example 9T volume with 2T already used,
+frequent creation of small files with O_DIRECT when the IO is not
+cluster aligned may clear sectors in the wrong place. This will cause
+filesystem corruption.
+
+This is because p_cpos is a u32. When calculating the corresponding
+sector it should be converted to u64 first, otherwise it may overflow.
+
+Signed-off-by: Joseph Qi <joseph.qi@huawei.com>
+Cc: Mark Fasheh <mfasheh@suse.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/aops.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/aops.c
++++ b/fs/ocfs2/aops.c
+@@ -686,7 +686,7 @@ static int ocfs2_direct_IO_zero_extend(s
+
+ if (p_cpos && !(ext_flags & OCFS2_EXT_UNWRITTEN)) {
+ u64 s = i_size_read(inode);
+- sector_t sector = (p_cpos << (osb->s_clustersize_bits - 9)) +
++ sector_t sector = ((u64)p_cpos << (osb->s_clustersize_bits - 9)) +
+ (do_div(s, osb->s_clustersize) >> 9);
+
+ ret = blkdev_issue_zeroout(osb->sb->s_bdev, sector,
+@@ -911,7 +911,7 @@ static ssize_t ocfs2_direct_IO_write(str
+ BUG_ON(!p_cpos || (ext_flags & OCFS2_EXT_UNWRITTEN));
+
+ ret = blkdev_issue_zeroout(osb->sb->s_bdev,
+- p_cpos << (osb->s_clustersize_bits - 9),
++ (u64)p_cpos << (osb->s_clustersize_bits - 9),
+ zero_len_head >> 9, GFP_NOFS, false);
+ if (ret < 0)
+ mlog_errno(ret);
--- /dev/null
+From c9ddbac9c89110f77cb0fa07e634aaf1194899aa Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Tue, 14 Jul 2015 18:27:46 -0500
+Subject: PCI: Restore PCI_MSIX_FLAGS_BIRMASK definition
+
+From: "Michael S. Tsirkin" <mst@redhat.com>
+
+commit c9ddbac9c89110f77cb0fa07e634aaf1194899aa upstream.
+
+09a2c73ddfc7 ("PCI: Remove unused PCI_MSIX_FLAGS_BIRMASK definition")
+removed PCI_MSIX_FLAGS_BIRMASK from an exported header because it was
+unused in the kernel. But that breaks user programs that were using it
+(QEMU in particular).
+
+Restore the PCI_MSIX_FLAGS_BIRMASK definition.
+
+[bhelgaas: changelog]
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/uapi/linux/pci_regs.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/uapi/linux/pci_regs.h
++++ b/include/uapi/linux/pci_regs.h
+@@ -319,6 +319,7 @@
+ #define PCI_MSIX_PBA 8 /* Pending Bit Array offset */
+ #define PCI_MSIX_PBA_BIR 0x00000007 /* BAR index */
+ #define PCI_MSIX_PBA_OFFSET 0xfffffff8 /* Offset into specified BAR */
++#define PCI_MSIX_FLAGS_BIRMASK PCI_MSIX_PBA_BIR /* deprecated */
+ #define PCI_CAP_MSIX_SIZEOF 12 /* size of MSIX registers */
+
+ /* MSI-X Table entry format */
x86-xen-probe-target-addresses-in-set_aliased_prot-before-the-hypercall.patch
xen-gntdevt-fix-race-condition-in-gntdev_release.patch
xen-events-fifo-handle-linked-events-when-closing-a-port.patch
-x86-ldt-make-modify_ldt-synchronous.patch
hwrng-core-correct-error-check-of-kthread_run-call.patch
crypto-qat-fix-invalid-synchronization-between-register-unregister-sym-algs.patch
crypto-ixp4xx-remove-bogus-bug_on-on-scattered-dst-buffer.patch
rbd-fix-copyup-completion-race.patch
arm-dts-i.mx35-fix-can-support.patch
arm-omap2-hwmod-fix-_wait_target_ready-for-hwmods-without-sysc.patch
+alsa-hda-fix-cs4210_spdif_automute.patch
+alsa-hda-one-dell-machine-needs-the-headphone-white-noise-fixup.patch
+alsa-fireworks-firewire-lib-add-support-for-recent-firmware-quirk.patch
+hwmon-nct7904-export-i2c-module-alias-information.patch
+hwmon-dell-smm-blacklist-dell-studio-xps-8100.patch
+ipc-modify-message-queue-accounting-to-not-take-kernel-data-structures-into-account.patch
+ocfs2-fix-bug-in-ocfs2_downconvert_thread_do_work.patch
+ocfs2-fix-shift-left-overflow.patch
+nfsd-drop-bug_on-and-ignore-seclabel-on-absent-filesystem.patch
+pci-restore-pci_msix_flags_birmask-definition.patch
+md-raid1-extend-spinlock-to-protect-raid1_end_read_request-against-inconsistencies.patch
+dm-fix-dm_merge_bvec-regression-on-32-bit-systems.patch
+staging-vt6655-vnt_bss_info_changed-check-conf-beacon_rate-is-not-null.patch
+staging-lustre-include-unaligned.h-instead-of-access_ok.h.patch
+usb-gadget-f_uac2-fix-calculation-of-uac2-p_interval.patch
+usb-qcserial-option-make-at-urcs-work-for-sierra-wireless-mc7305-mc7355.patch
+usb-qcserial-add-support-for-dell-wireless-5809e-4g-modem.patch
+mtd-nand-fix-nand_use_bounce_buffer-flag-conflict.patch
+input-alps-only-dell-laptops-have-separate-button-bits-for-v2-dualpoint-sticks.patch
+thermal-exynos-disable-the-regulator-on-probe-failure.patch
--- /dev/null
+From fb1de5a4c825a389f054cc3803e06116d2fbdc7e Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Sat, 1 Aug 2015 07:01:24 -0700
+Subject: staging: lustre: Include unaligned.h instead of access_ok.h
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit fb1de5a4c825a389f054cc3803e06116d2fbdc7e upstream.
+
+Including access_ok.h causes the ia64:allmodconfig build (and maybe others)
+to fail with
+
+include/linux/unaligned/le_struct.h:6:19: error:
+ redefinition of 'get_unaligned_le16'
+include/linux/unaligned/access_ok.h:7:19: note:
+ previous definition of 'get_unaligned_le16' was here
+include/linux/unaligned/le_struct.h:26:20: error:
+ redefinition of 'put_unaligned_le32'
+include/linux/unaligned/access_ok.h:42:20: note:
+ previous definition of 'put_unaligned_le32' was here
+include/linux/unaligned/le_struct.h:31:20: error:
+ redefinition of 'put_unaligned_le64'
+include/linux/unaligned/access_ok.h:47:20: note:
+ previous definition of 'put_unaligned_le64' was here
+
+Include unaligned.h instead and leave it up to the architecture to decide
+how to implement unaligned accesses.
+
+Fixes: 8c4f136497315 ("Staging: lustre: Use put_unaligned_le64")
+Cc: Vaishali Thakkar <vthakkar1994@gmail.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/lustre/lustre/obdclass/debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/lustre/lustre/obdclass/debug.c
++++ b/drivers/staging/lustre/lustre/obdclass/debug.c
+@@ -40,7 +40,7 @@
+
+ #define DEBUG_SUBSYSTEM D_OTHER
+
+-#include <linux/unaligned/access_ok.h>
++#include <asm/unaligned.h>
+
+ #include "../include/obd_support.h"
+ #include "../include/lustre_debug.h"
--- /dev/null
+From 1f17124006b65482d9084c01e252b59dbca8db8f Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley <tvboxspy@gmail.com>
+Date: Sun, 2 Aug 2015 12:34:46 +0100
+Subject: staging: vt6655: vnt_bss_info_changed check conf->beacon_rate is not NULL
+
+From: Malcolm Priestley <tvboxspy@gmail.com>
+
+commit 1f17124006b65482d9084c01e252b59dbca8db8f upstream.
+
+conf->beacon_rate can be NULL on association. So check conf->beacon_rate
+
+BSS_CHANGED_BEACON_INFO needs to flagged in changed as the beacon_rate
+will appear later.
+
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/vt6655/device_main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/vt6655/device_main.c
++++ b/drivers/staging/vt6655/device_main.c
+@@ -1486,8 +1486,9 @@ static void vnt_bss_info_changed(struct
+ }
+ }
+
+- if (changed & BSS_CHANGED_ASSOC && priv->op_mode != NL80211_IFTYPE_AP) {
+- if (conf->assoc) {
++ if (changed & (BSS_CHANGED_ASSOC | BSS_CHANGED_BEACON_INFO) &&
++ priv->op_mode != NL80211_IFTYPE_AP) {
++ if (conf->assoc && conf->beacon_rate) {
+ CARDbUpdateTSF(priv, conf->beacon_rate->hw_value,
+ conf->sync_tsf);
+
--- /dev/null
+From 5f09a5cbd14ae16e93866040fa44d930ff885650 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Date: Mon, 8 Jun 2015 10:35:49 +0900
+Subject: thermal: exynos: Disable the regulator on probe failure
+
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+
+commit 5f09a5cbd14ae16e93866040fa44d930ff885650 upstream.
+
+During probe the regulator (if present) was enabled but not disabled in
+case of failure. So an unsuccessful probe lead to enabling the
+regulator which was actually not needed because the device was not
+enabled.
+
+Additionally each deferred probe lead to increase of regulator enable
+count so it would not be effectively disabled during removal of the
+device.
+
+Test HW: Exynos4412 - Trats2 board
+
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Fixes: 498d22f616f6 ("thermal: exynos: Support for TMU regulator defined at device tree")
+Reviewed-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
+Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
+Tested-by: Lukasz Majewski <l.majewski@samsung.com>
+Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/thermal/samsung/exynos_tmu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/thermal/samsung/exynos_tmu.c
++++ b/drivers/thermal/samsung/exynos_tmu.c
+@@ -1209,6 +1209,8 @@ err_clk_sec:
+ if (!IS_ERR(data->clk_sec))
+ clk_unprepare(data->clk_sec);
+ err_sensor:
++ if (!IS_ERR_OR_NULL(data->regulator))
++ regulator_disable(data->regulator);
+ thermal_zone_of_sensor_unregister(&pdev->dev, data->tzd);
+
+ return ret;
--- /dev/null
+From c41b7767673cb76adeb2b5fde220209f717ea13c Mon Sep 17 00:00:00 2001
+From: Peter Chen <peter.chen@freescale.com>
+Date: Mon, 27 Jul 2015 14:51:47 +0800
+Subject: usb: gadget: f_uac2: fix calculation of uac2->p_interval
+
+From: Peter Chen <peter.chen@freescale.com>
+
+commit c41b7767673cb76adeb2b5fde220209f717ea13c upstream.
+
+The p_interval should be less if the 'bInterval' at the descriptor
+is larger, eg, if 'bInterval' is 5 for HS, the p_interval should be
+8000 / 16 = 500.
+
+It fixes the patch 9bb87f168931 ("usb: gadget: f_uac2: send
+reasonably sized packets")
+
+Fixes: 9bb87f168931 ("usb: gadget: f_uac2: send reasonably sized packets")
+Acked-by: Daniel Mack <zonque@gmail.com>
+Signed-off-by: Peter Chen <peter.chen@freescale.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_uac2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -1162,14 +1162,14 @@ afunc_set_alt(struct usb_function *fn, u
+ factor = 1000;
+ } else {
+ ep_desc = &hs_epin_desc;
+- factor = 125;
++ factor = 8000;
+ }
+
+ /* pre-compute some values for iso_complete() */
+ uac2->p_framesize = opts->p_ssize *
+ num_channels(opts->p_chmask);
+ rate = opts->p_srate * uac2->p_framesize;
+- uac2->p_interval = (1 << (ep_desc->bInterval - 1)) * factor;
++ uac2->p_interval = factor / (1 << (ep_desc->bInterval - 1));
+ uac2->p_pktsize = min_t(unsigned int, rate / uac2->p_interval,
+ prm->max_psize);
+
--- /dev/null
+From 6da3700c98cdc8360f55c5510915efae1d66deea Mon Sep 17 00:00:00 2001
+From: Pieter Hollants <pieter@hollants.com>
+Date: Mon, 20 Jul 2015 11:56:17 +0200
+Subject: USB: qcserial: Add support for Dell Wireless 5809e 4G Modem
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pieter Hollants <pieter@hollants.com>
+
+commit 6da3700c98cdc8360f55c5510915efae1d66deea upstream.
+
+Added the USB IDs 0x413c:0x81b1 for the "Dell Wireless 5809e Gobi(TM) 4G
+LTE Mobile Broadband Card", a Dell-branded Sierra Wireless EM7305 LTE
+card in M.2 form factor, used eg. in Dell's Latitude E7540 Notebook
+series.
+
+"lsusb -v" output for this device:
+
+Bus 002 Device 003: ID 413c:81b1 Dell Computer Corp.
+Device Descriptor:
+ bLength 18
+ bDescriptorType 1
+ bcdUSB 2.00
+ bDeviceClass 0
+ bDeviceSubClass 0
+ bDeviceProtocol 0
+ bMaxPacketSize0 64
+ idVendor 0x413c Dell Computer Corp.
+ idProduct 0x81b1
+ bcdDevice 0.06
+ iManufacturer 1 Sierra Wireless, Incorporated
+ iProduct 2 Dell Wireless 5809e Gobi™ 4G LTE Mobile Broadband Card
+ iSerial 3
+ bNumConfigurations 2
+ Configuration Descriptor:
+ bLength 9
+ bDescriptorType 2
+ wTotalLength 204
+ bNumInterfaces 4
+ bConfigurationValue 1
+ iConfiguration 0
+ bmAttributes 0xe0
+ Self Powered
+ Remote Wakeup
+ MaxPower 500mA
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 0
+ bAlternateSetting 0
+ bNumEndpoints 2
+ bInterfaceClass 255 Vendor Specific Class
+ bInterfaceSubClass 255 Vendor Specific Subclass
+ bInterfaceProtocol 255 Vendor Specific Protocol
+ iInterface 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x81 EP 1 IN
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x01 EP 1 OUT
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 2
+ bAlternateSetting 0
+ bNumEndpoints 3
+ bInterfaceClass 255 Vendor Specific Class
+ bInterfaceSubClass 0
+ bInterfaceProtocol 0
+ iInterface 0
+ ** UNRECOGNIZED: 05 24 00 10 01
+ ** UNRECOGNIZED: 05 24 01 00 00
+ ** UNRECOGNIZED: 04 24 02 02
+ ** UNRECOGNIZED: 05 24 06 00 00
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x83 EP 3 IN
+ bmAttributes 3
+ Transfer Type Interrupt
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x000c 1x 12 bytes
+ bInterval 9
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x82 EP 2 IN
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x02 EP 2 OUT
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 3
+ bAlternateSetting 0
+ bNumEndpoints 3
+ bInterfaceClass 255 Vendor Specific Class
+ bInterfaceSubClass 0
+ bInterfaceProtocol 0
+ iInterface 0
+ ** UNRECOGNIZED: 05 24 00 10 01
+ ** UNRECOGNIZED: 05 24 01 00 00
+ ** UNRECOGNIZED: 04 24 02 02
+ ** UNRECOGNIZED: 05 24 06 00 00
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x85 EP 5 IN
+ bmAttributes 3
+ Transfer Type Interrupt
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x000c 1x 12 bytes
+ bInterval 9
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x84 EP 4 IN
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x03 EP 3 OUT
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 8
+ bAlternateSetting 0
+ bNumEndpoints 3
+ bInterfaceClass 255 Vendor Specific Class
+ bInterfaceSubClass 255 Vendor Specific Subclass
+ bInterfaceProtocol 255 Vendor Specific Protocol
+ iInterface 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x87 EP 7 IN
+ bmAttributes 3
+ Transfer Type Interrupt
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x000a 1x 10 bytes
+ bInterval 9
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x86 EP 6 IN
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x04 EP 4 OUT
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ ** UNRECOGNIZED: 2c ff 42 49 53 54 00 01 07 f5 40 f6 00 00 00 00 01 f7 c4 09 02 f8 c4 09 03 f9 88 13 04 fa 10 27 05 fb 10 27 06 fc c4 09 07 fd c4 09
+ Configuration Descriptor:
+ bLength 9
+ bDescriptorType 2
+ wTotalLength 95
+ bNumInterfaces 2
+ bConfigurationValue 2
+ iConfiguration 0
+ bmAttributes 0xe0
+ Self Powered
+ Remote Wakeup
+ MaxPower 500mA
+ Interface Association:
+ bLength 8
+ bDescriptorType 11
+ bFirstInterface 12
+ bInterfaceCount 2
+ bFunctionClass 2 Communications
+ bFunctionSubClass 14
+ bFunctionProtocol 0
+ iFunction 0
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 12
+ bAlternateSetting 0
+ bNumEndpoints 1
+ bInterfaceClass 2 Communications
+ bInterfaceSubClass 14
+ bInterfaceProtocol 0
+ iInterface 0
+ CDC Header:
+ bcdCDC 1.10
+ CDC Union:
+ bMasterInterface 12
+ bSlaveInterface 13
+ CDC MBIM:
+ bcdMBIMVersion 1.00
+ wMaxControlMessage 4096
+ bNumberFilters 32
+ bMaxFilterSize 128
+ wMaxSegmentSize 1500
+ bmNetworkCapabilities 0x20
+ 8-byte ntb input size
+ CDC MBIM Extended:
+ bcdMBIMExtendedVersion 1.00
+ bMaxOutstandingCommandMessages 64
+ wMTU 1500
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x82 EP 2 IN
+ bmAttributes 3
+ Transfer Type Interrupt
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0040 1x 64 bytes
+ bInterval 9
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 13
+ bAlternateSetting 0
+ bNumEndpoints 0
+ bInterfaceClass 10 CDC Data
+ bInterfaceSubClass 0
+ bInterfaceProtocol 2
+ iInterface 0
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 13
+ bAlternateSetting 1
+ bNumEndpoints 2
+ bInterfaceClass 10 CDC Data
+ bInterfaceSubClass 0
+ bInterfaceProtocol 2
+ iInterface 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x81 EP 1 IN
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x01 EP 1 OUT
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+Device Qualifier (for other device speed):
+ bLength 10
+ bDescriptorType 6
+ bcdUSB 2.00
+ bDeviceClass 0
+ bDeviceSubClass 0
+ bDeviceProtocol 0
+ bMaxPacketSize0 64
+ bNumConfigurations 2
+Device Status: 0x0000
+ (Bus Powered)
+
+Signed-off-by: Pieter Hollants <pieter@hollants.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/qcserial.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -157,6 +157,7 @@ static const struct usb_device_id id_tab
+ {DEVICE_SWI(0x413c, 0x81a4)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
+ {DEVICE_SWI(0x413c, 0x81a8)}, /* Dell Wireless 5808 Gobi(TM) 4G LTE Mobile Broadband Card */
+ {DEVICE_SWI(0x413c, 0x81a9)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */
++ {DEVICE_SWI(0x413c, 0x81b1)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */
+
+ /* Huawei devices */
+ {DEVICE_HWI(0x03f0, 0x581d)}, /* HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e) */
--- /dev/null
+From 653cdc13a340ad1cef29f1bab0d05d0771fa1d57 Mon Sep 17 00:00:00 2001
+From: Reinhard Speyerer <rspmn@arcor.de>
+Date: Tue, 14 Jul 2015 22:55:06 +0200
+Subject: USB: qcserial/option: make AT URCs work for Sierra Wireless MC7305/MC7355
+
+From: Reinhard Speyerer <rspmn@arcor.de>
+
+commit 653cdc13a340ad1cef29f1bab0d05d0771fa1d57 upstream.
+
+Tests with a Sierra Wireless MC7355 have shown that 1199:9041 devices
+also require the option_send_setup() code to be used on the USB
+interface for the AT port to make unsolicited response codes work
+correctly. Move these devices from the qcserial driver to the option
+driver like it has been done for the 1199:68c0 devices in commit
+d80c0d14183516f184a5ac88e11008ee4c7d2a2e ("USB: qcserial/option: make
+AT URCs work for Sierra Wireless MC73xx").
+
+Signed-off-by: Reinhard Speyerer <rspmn@arcor.de>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c | 2 ++
+ drivers/usb/serial/qcserial.c | 1 -
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1099,6 +1099,8 @@ static const struct usb_device_id option
+ { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */
+ { USB_DEVICE_INTERFACE_CLASS(SIERRA_VENDOR_ID, 0x68c0, 0xff),
+ .driver_info = (kernel_ulong_t)&sierra_mc73xx_blacklist }, /* MC73xx */
++ { USB_DEVICE_INTERFACE_CLASS(SIERRA_VENDOR_ID, 0x9041, 0xff),
++ .driver_info = (kernel_ulong_t)&sierra_mc73xx_blacklist }, /* MC7305/MC7355 */
+ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
+ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) },
+ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003),
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -145,7 +145,6 @@ static const struct usb_device_id id_tab
+ {DEVICE_SWI(0x1199, 0x901c)}, /* Sierra Wireless EM7700 */
+ {DEVICE_SWI(0x1199, 0x901f)}, /* Sierra Wireless EM7355 */
+ {DEVICE_SWI(0x1199, 0x9040)}, /* Sierra Wireless Modem */
+- {DEVICE_SWI(0x1199, 0x9041)}, /* Sierra Wireless MC7305/MC7355 */
+ {DEVICE_SWI(0x1199, 0x9051)}, /* Netgear AirCard 340U */
+ {DEVICE_SWI(0x1199, 0x9053)}, /* Sierra Wireless Modem */
+ {DEVICE_SWI(0x1199, 0x9054)}, /* Sierra Wireless Modem */
+++ /dev/null
-From 37868fe113ff2ba814b3b4eb12df214df555f8dc Mon Sep 17 00:00:00 2001
-From: Andy Lutomirski <luto@kernel.org>
-Date: Thu, 30 Jul 2015 14:31:32 -0700
-Subject: x86/ldt: Make modify_ldt synchronous
-
-From: Andy Lutomirski <luto@kernel.org>
-
-commit 37868fe113ff2ba814b3b4eb12df214df555f8dc upstream.
-
-modify_ldt() has questionable locking and does not synchronize
-threads. Improve it: redesign the locking and synchronize all
-threads' LDTs using an IPI on all modifications.
-
-This will dramatically slow down modify_ldt in multithreaded
-programs, but there shouldn't be any multithreaded programs that
-care about modify_ldt's performance in the first place.
-
-This fixes some fallout from the CVE-2015-5157 fixes.
-
-Signed-off-by: Andy Lutomirski <luto@kernel.org>
-Reviewed-by: Borislav Petkov <bp@suse.de>
-Cc: Andrew Cooper <andrew.cooper3@citrix.com>
-Cc: Andy Lutomirski <luto@amacapital.net>
-Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Brian Gerst <brgerst@gmail.com>
-Cc: Denys Vlasenko <dvlasenk@redhat.com>
-Cc: H. Peter Anvin <hpa@zytor.com>
-Cc: Jan Beulich <jbeulich@suse.com>
-Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Sasha Levin <sasha.levin@oracle.com>
-Cc: Steven Rostedt <rostedt@goodmis.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: security@kernel.org <security@kernel.org>
-Cc: xen-devel <xen-devel@lists.xen.org>
-Link: http://lkml.kernel.org/r/4c6978476782160600471bd865b318db34c7b628.1438291540.git.luto@kernel.org
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- arch/x86/include/asm/desc.h | 15 --
- arch/x86/include/asm/mmu.h | 3
- arch/x86/include/asm/mmu_context.h | 54 ++++++-
- arch/x86/kernel/cpu/common.c | 4
- arch/x86/kernel/cpu/perf_event.c | 12 +
- arch/x86/kernel/ldt.c | 264 ++++++++++++++++++++-----------------
- arch/x86/kernel/process_64.c | 4
- arch/x86/kernel/step.c | 6
- arch/x86/power/cpu.c | 3
- 9 files changed, 211 insertions(+), 154 deletions(-)
-
---- a/arch/x86/include/asm/desc.h
-+++ b/arch/x86/include/asm/desc.h
-@@ -280,21 +280,6 @@ static inline void clear_LDT(void)
- set_ldt(NULL, 0);
- }
-
--/*
-- * load one particular LDT into the current CPU
-- */
--static inline void load_LDT_nolock(mm_context_t *pc)
--{
-- set_ldt(pc->ldt, pc->size);
--}
--
--static inline void load_LDT(mm_context_t *pc)
--{
-- preempt_disable();
-- load_LDT_nolock(pc);
-- preempt_enable();
--}
--
- static inline unsigned long get_desc_base(const struct desc_struct *desc)
- {
- return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24));
---- a/arch/x86/include/asm/mmu.h
-+++ b/arch/x86/include/asm/mmu.h
-@@ -9,8 +9,7 @@
- * we put the segment information here.
- */
- typedef struct {
-- void *ldt;
-- int size;
-+ struct ldt_struct *ldt;
-
- #ifdef CONFIG_X86_64
- /* True if mm supports a task running in 32 bit compatibility mode. */
---- a/arch/x86/include/asm/mmu_context.h
-+++ b/arch/x86/include/asm/mmu_context.h
-@@ -34,6 +34,50 @@ static inline void load_mm_cr4(struct mm
- #endif
-
- /*
-+ * ldt_structs can be allocated, used, and freed, but they are never
-+ * modified while live.
-+ */
-+struct ldt_struct {
-+ /*
-+ * Xen requires page-aligned LDTs with special permissions. This is
-+ * needed to prevent us from installing evil descriptors such as
-+ * call gates. On native, we could merge the ldt_struct and LDT
-+ * allocations, but it's not worth trying to optimize.
-+ */
-+ struct desc_struct *entries;
-+ int size;
-+};
-+
-+static inline void load_mm_ldt(struct mm_struct *mm)
-+{
-+ struct ldt_struct *ldt;
-+
-+ /* lockless_dereference synchronizes with smp_store_release */
-+ ldt = lockless_dereference(mm->context.ldt);
-+
-+ /*
-+ * Any change to mm->context.ldt is followed by an IPI to all
-+ * CPUs with the mm active. The LDT will not be freed until
-+ * after the IPI is handled by all such CPUs. This means that,
-+ * if the ldt_struct changes before we return, the values we see
-+ * will be safe, and the new values will be loaded before we run
-+ * any user code.
-+ *
-+ * NB: don't try to convert this to use RCU without extreme care.
-+ * We would still need IRQs off, because we don't want to change
-+ * the local LDT after an IPI loaded a newer value than the one
-+ * that we can see.
-+ */
-+
-+ if (unlikely(ldt))
-+ set_ldt(ldt->entries, ldt->size);
-+ else
-+ clear_LDT();
-+
-+ DEBUG_LOCKS_WARN_ON(preemptible());
-+}
-+
-+/*
- * Used for LDT copy/destruction.
- */
- int init_new_context(struct task_struct *tsk, struct mm_struct *mm);
-@@ -78,12 +122,12 @@ static inline void switch_mm(struct mm_s
- * was called and then modify_ldt changed
- * prev->context.ldt but suppressed an IPI to this CPU.
- * In this case, prev->context.ldt != NULL, because we
-- * never free an LDT while the mm still exists. That
-- * means that next->context.ldt != prev->context.ldt,
-- * because mms never share an LDT.
-+ * never set context.ldt to NULL while the mm still
-+ * exists. That means that next->context.ldt !=
-+ * prev->context.ldt, because mms never share an LDT.
- */
- if (unlikely(prev->context.ldt != next->context.ldt))
-- load_LDT_nolock(&next->context);
-+ load_mm_ldt(next);
- }
- #ifdef CONFIG_SMP
- else {
-@@ -106,7 +150,7 @@ static inline void switch_mm(struct mm_s
- load_cr3(next->pgd);
- trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
- load_mm_cr4(next);
-- load_LDT_nolock(&next->context);
-+ load_mm_ldt(next);
- }
- }
- #endif
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -1434,7 +1434,7 @@ void cpu_init(void)
- load_sp0(t, ¤t->thread);
- set_tss_desc(cpu, t);
- load_TR_desc();
-- load_LDT(&init_mm.context);
-+ load_mm_ldt(&init_mm);
-
- clear_all_debug_regs();
- dbg_restore_debug_regs();
-@@ -1483,7 +1483,7 @@ void cpu_init(void)
- load_sp0(t, thread);
- set_tss_desc(cpu, t);
- load_TR_desc();
-- load_LDT(&init_mm.context);
-+ load_mm_ldt(&init_mm);
-
- t->x86_tss.io_bitmap_base = offsetof(struct tss_struct, io_bitmap);
-
---- a/arch/x86/kernel/cpu/perf_event.c
-+++ b/arch/x86/kernel/cpu/perf_event.c
-@@ -2170,21 +2170,25 @@ static unsigned long get_segment_base(un
- int idx = segment >> 3;
-
- if ((segment & SEGMENT_TI_MASK) == SEGMENT_LDT) {
-+ struct ldt_struct *ldt;
-+
- if (idx > LDT_ENTRIES)
- return 0;
-
-- if (idx > current->active_mm->context.size)
-+ /* IRQs are off, so this synchronizes with smp_store_release */
-+ ldt = lockless_dereference(current->active_mm->context.ldt);
-+ if (!ldt || idx > ldt->size)
- return 0;
-
-- desc = current->active_mm->context.ldt;
-+ desc = &ldt->entries[idx];
- } else {
- if (idx > GDT_ENTRIES)
- return 0;
-
-- desc = raw_cpu_ptr(gdt_page.gdt);
-+ desc = raw_cpu_ptr(gdt_page.gdt) + idx;
- }
-
-- return get_desc_base(desc + idx);
-+ return get_desc_base(desc);
- }
-
- #ifdef CONFIG_COMPAT
---- a/arch/x86/kernel/ldt.c
-+++ b/arch/x86/kernel/ldt.c
-@@ -12,6 +12,7 @@
- #include <linux/string.h>
- #include <linux/mm.h>
- #include <linux/smp.h>
-+#include <linux/slab.h>
- #include <linux/vmalloc.h>
- #include <linux/uaccess.h>
-
-@@ -20,82 +21,82 @@
- #include <asm/mmu_context.h>
- #include <asm/syscalls.h>
-
--#ifdef CONFIG_SMP
-+/* context.lock is held for us, so we don't need any locking. */
- static void flush_ldt(void *current_mm)
- {
-- if (current->active_mm == current_mm)
-- load_LDT(¤t->active_mm->context);
-+ mm_context_t *pc;
-+
-+ if (current->active_mm != current_mm)
-+ return;
-+
-+ pc = ¤t->active_mm->context;
-+ set_ldt(pc->ldt->entries, pc->ldt->size);
- }
--#endif
-
--static int alloc_ldt(mm_context_t *pc, int mincount, int reload)
-+/* The caller must call finalize_ldt_struct on the result. LDT starts zeroed. */
-+static struct ldt_struct *alloc_ldt_struct(int size)
- {
-- void *oldldt, *newldt;
-- int oldsize;
-+ struct ldt_struct *new_ldt;
-+ int alloc_size;
-
-- if (mincount <= pc->size)
-- return 0;
-- oldsize = pc->size;
-- mincount = (mincount + (PAGE_SIZE / LDT_ENTRY_SIZE - 1)) &
-- (~(PAGE_SIZE / LDT_ENTRY_SIZE - 1));
-- if (mincount * LDT_ENTRY_SIZE > PAGE_SIZE)
-- newldt = vmalloc(mincount * LDT_ENTRY_SIZE);
-- else
-- newldt = (void *)__get_free_page(GFP_KERNEL);
-+ if (size > LDT_ENTRIES)
-+ return NULL;
-
-- if (!newldt)
-- return -ENOMEM;
-+ new_ldt = kmalloc(sizeof(struct ldt_struct), GFP_KERNEL);
-+ if (!new_ldt)
-+ return NULL;
-+
-+ BUILD_BUG_ON(LDT_ENTRY_SIZE != sizeof(struct desc_struct));
-+ alloc_size = size * LDT_ENTRY_SIZE;
-+
-+ /*
-+ * Xen is very picky: it requires a page-aligned LDT that has no
-+ * trailing nonzero bytes in any page that contains LDT descriptors.
-+ * Keep it simple: zero the whole allocation and never allocate less
-+ * than PAGE_SIZE.
-+ */
-+ if (alloc_size > PAGE_SIZE)
-+ new_ldt->entries = vzalloc(alloc_size);
-+ else
-+ new_ldt->entries = kzalloc(PAGE_SIZE, GFP_KERNEL);
-
-- if (oldsize)
-- memcpy(newldt, pc->ldt, oldsize * LDT_ENTRY_SIZE);
-- oldldt = pc->ldt;
-- memset(newldt + oldsize * LDT_ENTRY_SIZE, 0,
-- (mincount - oldsize) * LDT_ENTRY_SIZE);
--
-- paravirt_alloc_ldt(newldt, mincount);
--
--#ifdef CONFIG_X86_64
-- /* CHECKME: Do we really need this ? */
-- wmb();
--#endif
-- pc->ldt = newldt;
-- wmb();
-- pc->size = mincount;
-- wmb();
--
-- if (reload) {
--#ifdef CONFIG_SMP
-- preempt_disable();
-- load_LDT(pc);
-- if (!cpumask_equal(mm_cpumask(current->mm),
-- cpumask_of(smp_processor_id())))
-- smp_call_function(flush_ldt, current->mm, 1);
-- preempt_enable();
--#else
-- load_LDT(pc);
--#endif
-- }
-- if (oldsize) {
-- paravirt_free_ldt(oldldt, oldsize);
-- if (oldsize * LDT_ENTRY_SIZE > PAGE_SIZE)
-- vfree(oldldt);
-- else
-- put_page(virt_to_page(oldldt));
-+ if (!new_ldt->entries) {
-+ kfree(new_ldt);
-+ return NULL;
- }
-- return 0;
-+
-+ new_ldt->size = size;
-+ return new_ldt;
- }
-
--static inline int copy_ldt(mm_context_t *new, mm_context_t *old)
-+/* After calling this, the LDT is immutable. */
-+static void finalize_ldt_struct(struct ldt_struct *ldt)
- {
-- int err = alloc_ldt(new, old->size, 0);
-- int i;
-+ paravirt_alloc_ldt(ldt->entries, ldt->size);
-+}
-+
-+/* context.lock is held */
-+static void install_ldt(struct mm_struct *current_mm,
-+ struct ldt_struct *ldt)
-+{
-+ /* Synchronizes with lockless_dereference in load_mm_ldt. */
-+ smp_store_release(¤t_mm->context.ldt, ldt);
-+
-+ /* Activate the LDT for all CPUs using current_mm. */
-+ on_each_cpu_mask(mm_cpumask(current_mm), flush_ldt, current_mm, true);
-+}
-
-- if (err < 0)
-- return err;
-+static void free_ldt_struct(struct ldt_struct *ldt)
-+{
-+ if (likely(!ldt))
-+ return;
-
-- for (i = 0; i < old->size; i++)
-- write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
-- return 0;
-+ paravirt_free_ldt(ldt->entries, ldt->size);
-+ if (ldt->size * LDT_ENTRY_SIZE > PAGE_SIZE)
-+ vfree(ldt->entries);
-+ else
-+ kfree(ldt->entries);
-+ kfree(ldt);
- }
-
- /*
-@@ -104,17 +105,37 @@ static inline int copy_ldt(mm_context_t
- */
- int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
- {
-+ struct ldt_struct *new_ldt;
- struct mm_struct *old_mm;
- int retval = 0;
-
- mutex_init(&mm->context.lock);
-- mm->context.size = 0;
- old_mm = current->mm;
-- if (old_mm && old_mm->context.size > 0) {
-- mutex_lock(&old_mm->context.lock);
-- retval = copy_ldt(&mm->context, &old_mm->context);
-- mutex_unlock(&old_mm->context.lock);
-+ if (!old_mm) {
-+ mm->context.ldt = NULL;
-+ return 0;
- }
-+
-+ mutex_lock(&old_mm->context.lock);
-+ if (!old_mm->context.ldt) {
-+ mm->context.ldt = NULL;
-+ goto out_unlock;
-+ }
-+
-+ new_ldt = alloc_ldt_struct(old_mm->context.ldt->size);
-+ if (!new_ldt) {
-+ retval = -ENOMEM;
-+ goto out_unlock;
-+ }
-+
-+ memcpy(new_ldt->entries, old_mm->context.ldt->entries,
-+ new_ldt->size * LDT_ENTRY_SIZE);
-+ finalize_ldt_struct(new_ldt);
-+
-+ mm->context.ldt = new_ldt;
-+
-+out_unlock:
-+ mutex_unlock(&old_mm->context.lock);
- return retval;
- }
-
-@@ -125,53 +146,47 @@ int init_new_context(struct task_struct
- */
- void destroy_context(struct mm_struct *mm)
- {
-- if (mm->context.size) {
--#ifdef CONFIG_X86_32
-- /* CHECKME: Can this ever happen ? */
-- if (mm == current->active_mm)
-- clear_LDT();
--#endif
-- paravirt_free_ldt(mm->context.ldt, mm->context.size);
-- if (mm->context.size * LDT_ENTRY_SIZE > PAGE_SIZE)
-- vfree(mm->context.ldt);
-- else
-- put_page(virt_to_page(mm->context.ldt));
-- mm->context.size = 0;
-- }
-+ free_ldt_struct(mm->context.ldt);
-+ mm->context.ldt = NULL;
- }
-
- static int read_ldt(void __user *ptr, unsigned long bytecount)
- {
-- int err;
-+ int retval;
- unsigned long size;
- struct mm_struct *mm = current->mm;
-
-- if (!mm->context.size)
-- return 0;
-+ mutex_lock(&mm->context.lock);
-+
-+ if (!mm->context.ldt) {
-+ retval = 0;
-+ goto out_unlock;
-+ }
-+
- if (bytecount > LDT_ENTRY_SIZE * LDT_ENTRIES)
- bytecount = LDT_ENTRY_SIZE * LDT_ENTRIES;
-
-- mutex_lock(&mm->context.lock);
-- size = mm->context.size * LDT_ENTRY_SIZE;
-+ size = mm->context.ldt->size * LDT_ENTRY_SIZE;
- if (size > bytecount)
- size = bytecount;
-
-- err = 0;
-- if (copy_to_user(ptr, mm->context.ldt, size))
-- err = -EFAULT;
-- mutex_unlock(&mm->context.lock);
-- if (err < 0)
-- goto error_return;
-+ if (copy_to_user(ptr, mm->context.ldt->entries, size)) {
-+ retval = -EFAULT;
-+ goto out_unlock;
-+ }
-+
- if (size != bytecount) {
-- /* zero-fill the rest */
-- if (clear_user(ptr + size, bytecount - size) != 0) {
-- err = -EFAULT;
-- goto error_return;
-+ /* Zero-fill the rest and pretend we read bytecount bytes. */
-+ if (clear_user(ptr + size, bytecount - size)) {
-+ retval = -EFAULT;
-+ goto out_unlock;
- }
- }
-- return bytecount;
--error_return:
-- return err;
-+ retval = bytecount;
-+
-+out_unlock:
-+ mutex_unlock(&mm->context.lock);
-+ return retval;
- }
-
- static int read_default_ldt(void __user *ptr, unsigned long bytecount)
-@@ -195,6 +210,8 @@ static int write_ldt(void __user *ptr, u
- struct desc_struct ldt;
- int error;
- struct user_desc ldt_info;
-+ int oldsize, newsize;
-+ struct ldt_struct *new_ldt, *old_ldt;
-
- error = -EINVAL;
- if (bytecount != sizeof(ldt_info))
-@@ -213,34 +230,39 @@ static int write_ldt(void __user *ptr, u
- goto out;
- }
-
-- mutex_lock(&mm->context.lock);
-- if (ldt_info.entry_number >= mm->context.size) {
-- error = alloc_ldt(¤t->mm->context,
-- ldt_info.entry_number + 1, 1);
-- if (error < 0)
-- goto out_unlock;
-- }
--
-- /* Allow LDTs to be cleared by the user. */
-- if (ldt_info.base_addr == 0 && ldt_info.limit == 0) {
-- if (oldmode || LDT_empty(&ldt_info)) {
-- memset(&ldt, 0, sizeof(ldt));
-- goto install;
-+ if ((oldmode && !ldt_info.base_addr && !ldt_info.limit) ||
-+ LDT_empty(&ldt_info)) {
-+ /* The user wants to clear the entry. */
-+ memset(&ldt, 0, sizeof(ldt));
-+ } else {
-+ if (!IS_ENABLED(CONFIG_X86_16BIT) && !ldt_info.seg_32bit) {
-+ error = -EINVAL;
-+ goto out;
- }
-+
-+ fill_ldt(&ldt, &ldt_info);
-+ if (oldmode)
-+ ldt.avl = 0;
- }
-
-- if (!IS_ENABLED(CONFIG_X86_16BIT) && !ldt_info.seg_32bit) {
-- error = -EINVAL;
-+ mutex_lock(&mm->context.lock);
-+
-+ old_ldt = mm->context.ldt;
-+ oldsize = old_ldt ? old_ldt->size : 0;
-+ newsize = max((int)(ldt_info.entry_number + 1), oldsize);
-+
-+ error = -ENOMEM;
-+ new_ldt = alloc_ldt_struct(newsize);
-+ if (!new_ldt)
- goto out_unlock;
-- }
-
-- fill_ldt(&ldt, &ldt_info);
-- if (oldmode)
-- ldt.avl = 0;
--
-- /* Install the new entry ... */
--install:
-- write_ldt_entry(mm->context.ldt, ldt_info.entry_number, &ldt);
-+ if (old_ldt)
-+ memcpy(new_ldt->entries, old_ldt->entries, oldsize * LDT_ENTRY_SIZE);
-+ new_ldt->entries[ldt_info.entry_number] = ldt;
-+ finalize_ldt_struct(new_ldt);
-+
-+ install_ldt(mm, new_ldt);
-+ free_ldt_struct(old_ldt);
- error = 0;
-
- out_unlock:
---- a/arch/x86/kernel/process_64.c
-+++ b/arch/x86/kernel/process_64.c
-@@ -122,11 +122,11 @@ void __show_regs(struct pt_regs *regs, i
- void release_thread(struct task_struct *dead_task)
- {
- if (dead_task->mm) {
-- if (dead_task->mm->context.size) {
-+ if (dead_task->mm->context.ldt) {
- pr_warn("WARNING: dead process %s still has LDT? <%p/%d>\n",
- dead_task->comm,
- dead_task->mm->context.ldt,
-- dead_task->mm->context.size);
-+ dead_task->mm->context.ldt->size);
- BUG();
- }
- }
---- a/arch/x86/kernel/step.c
-+++ b/arch/x86/kernel/step.c
-@@ -5,6 +5,7 @@
- #include <linux/mm.h>
- #include <linux/ptrace.h>
- #include <asm/desc.h>
-+#include <asm/mmu_context.h>
-
- unsigned long convert_ip_to_linear(struct task_struct *child, struct pt_regs *regs)
- {
-@@ -30,10 +31,11 @@ unsigned long convert_ip_to_linear(struc
- seg &= ~7UL;
-
- mutex_lock(&child->mm->context.lock);
-- if (unlikely((seg >> 3) >= child->mm->context.size))
-+ if (unlikely(!child->mm->context.ldt ||
-+ (seg >> 3) >= child->mm->context.ldt->size))
- addr = -1L; /* bogus selector, access would fault */
- else {
-- desc = child->mm->context.ldt + seg;
-+ desc = &child->mm->context.ldt->entries[seg];
- base = get_desc_base(desc);
-
- /* 16-bit code segment? */
---- a/arch/x86/power/cpu.c
-+++ b/arch/x86/power/cpu.c
-@@ -23,6 +23,7 @@
- #include <asm/debugreg.h>
- #include <asm/fpu-internal.h> /* pcntxt_mask */
- #include <asm/cpu.h>
-+#include <asm/mmu_context.h>
-
- #ifdef CONFIG_X86_32
- __visible unsigned long saved_context_ebx;
-@@ -154,7 +155,7 @@ static void fix_processor_context(void)
- syscall_init(); /* This sets MSR_*STAR and related */
- #endif
- load_TR_desc(); /* This does ltr */
-- load_LDT(¤t->active_mm->context); /* This does lldt */
-+ load_mm_ldt(current->active_mm); /* This does lldt */
- }
-
- /**
projects / thirdparty / kernel / stable-queue.git / commitdiff
