--- /dev/null
+From 3feab13c919f99b0a17d0ca22ae00cf90f5d3fd1 Mon Sep 17 00:00:00 2001
+From: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Date: Tue, 16 Aug 2016 16:59:52 +0100
+Subject: ACPI / drivers: fix typo in ACPI_DECLARE_PROBE_ENTRY macro
+
+From: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+
+commit 3feab13c919f99b0a17d0ca22ae00cf90f5d3fd1 upstream.
+
+When the ACPI_DECLARE_PROBE_ENTRY macro was added in
+commit e647b532275b ("ACPI: Add early device probing infrastructure"),
+a stub macro adding an unused entry was added for the !CONFIG_ACPI
+Kconfig option case to make sure kernel code making use of the
+macro did not require to be guarded within CONFIG_ACPI in order to
+be compiled.
+
+The stub macro was never used since all kernel code that defines
+ACPI_DECLARE_PROBE_ENTRY entries is currently guarded within
+CONFIG_ACPI; it contains a typo that should be nonetheless fixed.
+
+Fix the typo in the stub (ie !CONFIG_ACPI) ACPI_DECLARE_PROBE_ENTRY()
+macro so that it can actually be used if needed.
+
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Fixes: e647b532275b (ACPI: Add early device probing infrastructure)
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/acpi.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/acpi.h
++++ b/include/linux/acpi.h
+@@ -920,7 +920,7 @@ static inline struct fwnode_handle *acpi
+ return NULL;
+ }
+
+-#define ACPI_DECLARE_PROBE_ENTRY(table, name, table_id, subtable, validate, data, fn) \
++#define ACPI_DECLARE_PROBE_ENTRY(table, name, table_id, subtable, valid, data, fn) \
+ static const void * __acpi_table_##name[] \
+ __attribute__((unused)) \
+ = { (void *) table_id, \
--- /dev/null
+From 5331d9cab32ef640b4cd38a43b0858874fbb7168 Mon Sep 17 00:00:00 2001
+From: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Date: Tue, 16 Aug 2016 16:59:53 +0100
+Subject: ACPI / drivers: replace acpi_probe_lock spinlock with mutex
+
+From: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+
+commit 5331d9cab32ef640b4cd38a43b0858874fbb7168 upstream.
+
+Commit e647b532275b ("ACPI: Add early device probing infrastructure")
+introduced code that allows inserting driver specific
+struct acpi_probe_entry probe entries into ACPI linker sections
+(one per-subsystem, eg irqchip, clocksource) that are then walked
+to retrieve the data and function hooks required to probe the
+respective kernel components.
+
+Probing for all entries in a section is triggered through
+the __acpi_probe_device_table() function, that in turn, according
+to the table ID a given probe entry reports parses the table
+with the function retrieved from the respective section structures
+(ie struct acpi_probe_entry). Owing to the current ACPI table
+parsing implementation, the __acpi_probe_device_table() function
+has to share global variables with the acpi_match_madt() function, so
+in order to guarantee mutual exclusion locking is required
+between the two functions.
+
+Current kernel code implements the locking through the acpi_probe_lock
+spinlock; this has the side effect of requiring all code called
+within the lock (ie struct acpi_probe_entry.probe_{table/subtbl} hooks)
+not to sleep.
+
+However, kernel subsystems that make use of the early probing
+infrastructure are relying on kernel APIs that may sleep (eg
+irq_domain_alloc_fwnode(), among others) in the function calls
+pointed at by struct acpi_probe_entry.{probe_table/subtbl} entries
+(eg gic_v2_acpi_init()), which is a bug.
+
+Since __acpi_probe_device_table() is called from context
+that is allowed to sleep the acpi_probe_lock spinlock can be replaced
+with a mutex; this fixes the issue whilst still guaranteeing
+mutual exclusion.
+
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Fixes: e647b532275b (ACPI: Add early device probing infrastructure)
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/scan.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -1958,7 +1958,7 @@ int __init acpi_scan_init(void)
+
+ static struct acpi_probe_entry *ape;
+ static int acpi_probe_count;
+-static DEFINE_SPINLOCK(acpi_probe_lock);
++static DEFINE_MUTEX(acpi_probe_mutex);
+
+ static int __init acpi_match_madt(struct acpi_subtable_header *header,
+ const unsigned long end)
+@@ -1977,7 +1977,7 @@ int __init __acpi_probe_device_table(str
+ if (acpi_disabled)
+ return 0;
+
+- spin_lock(&acpi_probe_lock);
++ mutex_lock(&acpi_probe_mutex);
+ for (ape = ap_head; nr; ape++, nr--) {
+ if (ACPI_COMPARE_NAME(ACPI_SIG_MADT, ape->id)) {
+ acpi_probe_count = 0;
+@@ -1990,7 +1990,7 @@ int __init __acpi_probe_device_table(str
+ count++;
+ }
+ }
+- spin_unlock(&acpi_probe_lock);
++ mutex_unlock(&acpi_probe_mutex);
+
+ return count;
+ }
--- /dev/null
+From 702b07fcc9b264c9afd372676bbdd50a762dcde0 Mon Sep 17 00:00:00 2001
+From: Lukasz Anaczkowski <lukasz.anaczkowski@intel.com>
+Date: Thu, 21 Apr 2016 11:29:00 +0200
+Subject: ACPI / SRAT: fix SRAT parsing order with both LAPIC and X2APIC present
+
+From: Lukasz Anaczkowski <lukasz.anaczkowski@intel.com>
+
+commit 702b07fcc9b264c9afd372676bbdd50a762dcde0 upstream.
+
+SRAT maps APIC ID to proximity domains ids (PXM). Mapping from PXM to
+NUMA node ids is based on order of entries in SRAT table.
+SRAT table has just LAPIC entires or mix of LAPIC and X2APIC entries.
+As long as there are only LAPIC entires, mapping from proximity domain
+id to NUMA node id is as assumed by BIOS. However, once APIC entries are
+mixed, X2APIC entries would be first mapped which causes unexpected NUMA
+node mapping.
+
+To fix that, change parsing to check each entry against both LAPIC and
+X2APIC so mapping is in the SRAT/PXM order.
+
+This is supplemental change to the fix made by commit d81056b5278
+(Handle apic/x2apic entries in MADT in correct order) and using the
+mechanism introduced by 9b3fedd (ACPI / tables: Add acpi_subtable_proc
+to ACPI table parsers).
+
+Fixes: d81056b5278 (Handle apic/x2apic entries in MADT in correct order)
+Signed-off-by: Lukasz Anaczkowski <lukasz.anaczkowski@intel.com>
+[ rjw : Subject & changelog ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/numa.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/acpi/numa.c
++++ b/drivers/acpi/numa.c
+@@ -327,10 +327,18 @@ int __init acpi_numa_init(void)
+
+ /* SRAT: Static Resource Affinity Table */
+ if (!acpi_table_parse(ACPI_SIG_SRAT, acpi_parse_srat)) {
+- acpi_table_parse_srat(ACPI_SRAT_TYPE_X2APIC_CPU_AFFINITY,
+- acpi_parse_x2apic_affinity, 0);
+- acpi_table_parse_srat(ACPI_SRAT_TYPE_CPU_AFFINITY,
+- acpi_parse_processor_affinity, 0);
++ struct acpi_subtable_proc srat_proc[2];
++
++ memset(srat_proc, 0, sizeof(srat_proc));
++ srat_proc[0].id = ACPI_SRAT_TYPE_CPU_AFFINITY;
++ srat_proc[0].handler = acpi_parse_processor_affinity;
++ srat_proc[1].id = ACPI_SRAT_TYPE_X2APIC_CPU_AFFINITY;
++ srat_proc[1].handler = acpi_parse_x2apic_affinity;
++
++ acpi_table_parse_entries_array(ACPI_SIG_SRAT,
++ sizeof(struct acpi_table_srat),
++ srat_proc, ARRAY_SIZE(srat_proc), 0);
++
+ cnt = acpi_table_parse_srat(ACPI_SRAT_TYPE_MEMORY_AFFINITY,
+ acpi_parse_memory_affinity,
+ NR_NODE_MEMBLKS);
--- /dev/null
+From f18ebc211e259d4f591e39e74b2aa2de226c9a1d Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 5 May 2016 16:23:04 +0300
+Subject: ACPI / sysfs: fix error code in get_status()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit f18ebc211e259d4f591e39e74b2aa2de226c9a1d upstream.
+
+The problem with ornamental, do-nothing gotos is that they lead to
+"forgot to set the error code" bugs. We should be returning -EINVAL
+here but we don't. It leads to an uninitalized variable in
+counter_show():
+
+ drivers/acpi/sysfs.c:603 counter_show()
+ error: uninitialized symbol 'status'.
+
+Fixes: 1c8fce27e275 (ACPI: introduce drivers/acpi/sysfs.c)
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/sysfs.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/acpi/sysfs.c
++++ b/drivers/acpi/sysfs.c
+@@ -555,23 +555,22 @@ static void acpi_global_event_handler(u3
+ static int get_status(u32 index, acpi_event_status *status,
+ acpi_handle *handle)
+ {
+- int result = 0;
++ int result;
+
+ if (index >= num_gpes + ACPI_NUM_FIXED_EVENTS)
+- goto end;
++ return -EINVAL;
+
+ if (index < num_gpes) {
+ result = acpi_get_gpe_device(index, handle);
+ if (result) {
+ ACPI_EXCEPTION((AE_INFO, AE_NOT_FOUND,
+ "Invalid GPE 0x%x", index));
+- goto end;
++ return result;
+ }
+ result = acpi_get_gpe_status(*handle, index, status);
+ } else if (index < (num_gpes + ACPI_NUM_FIXED_EVENTS))
+ result = acpi_get_event_status(index - num_gpes, status);
+
+-end:
+ return result;
+ }
+
--- /dev/null
+From b027d11263836a0cd335520175257dcb99b43757 Mon Sep 17 00:00:00 2001
+From: Andrej Krutak <dev@andree.sk>
+Date: Thu, 18 Aug 2016 23:52:12 +0200
+Subject: ALSA: line6: Fix POD sysfs attributes segfault
+
+From: Andrej Krutak <dev@andree.sk>
+
+commit b027d11263836a0cd335520175257dcb99b43757 upstream.
+
+The commit 02fc76f6a changed base of the sysfs attributes from device to card.
+The "show" callbacks dereferenced wrong objects because of this.
+
+Fixes: 02fc76f6a7db ('ALSA: line6: Create sysfs via snd_card_add_dev_attr()')
+Reviewed-by: Stefan Hajnoczi <stefanha@gmail.com>
+Signed-off-by: Andrej Krutak <dev@andree.sk>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/line6/pod.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/sound/usb/line6/pod.c
++++ b/sound/usb/line6/pod.c
+@@ -244,8 +244,8 @@ static int pod_set_system_param_int(stru
+ static ssize_t serial_number_show(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
+- struct usb_interface *interface = to_usb_interface(dev);
+- struct usb_line6_pod *pod = usb_get_intfdata(interface);
++ struct snd_card *card = dev_to_snd_card(dev);
++ struct usb_line6_pod *pod = card->private_data;
+
+ return sprintf(buf, "%u\n", pod->serial_number);
+ }
+@@ -256,8 +256,8 @@ static ssize_t serial_number_show(struct
+ static ssize_t firmware_version_show(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
+- struct usb_interface *interface = to_usb_interface(dev);
+- struct usb_line6_pod *pod = usb_get_intfdata(interface);
++ struct snd_card *card = dev_to_snd_card(dev);
++ struct usb_line6_pod *pod = card->private_data;
+
+ return sprintf(buf, "%d.%02d\n", pod->firmware_version / 100,
+ pod->firmware_version % 100);
+@@ -269,8 +269,8 @@ static ssize_t firmware_version_show(str
+ static ssize_t device_id_show(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
+- struct usb_interface *interface = to_usb_interface(dev);
+- struct usb_line6_pod *pod = usb_get_intfdata(interface);
++ struct snd_card *card = dev_to_snd_card(dev);
++ struct usb_line6_pod *pod = card->private_data;
+
+ return sprintf(buf, "%d\n", pod->device_id);
+ }
--- /dev/null
+From adc8a43a6d6688272ebffa81789fa857e603dec6 Mon Sep 17 00:00:00 2001
+From: Andrej Krutak <dev@andree.sk>
+Date: Thu, 18 Aug 2016 23:52:11 +0200
+Subject: ALSA: line6: Give up on the lock while URBs are released.
+
+From: Andrej Krutak <dev@andree.sk>
+
+commit adc8a43a6d6688272ebffa81789fa857e603dec6 upstream.
+
+Done, because line6_stream_stop() locks and calls line6_unlink_audio_urbs(),
+which in turn invokes audio_out_callback(), which tries to lock 2nd time.
+
+Fixes:
+
+=============================================
+[ INFO: possible recursive locking detected ]
+4.4.15+ #15 Not tainted
+---------------------------------------------
+mplayer/3591 is trying to acquire lock:
+ (&(&line6pcm->out.lock)->rlock){-.-...}, at: [<bfa27655>] audio_out_callback+0x70/0x110 [snd_usb_line6]
+
+but task is already holding lock:
+ (&(&line6pcm->out.lock)->rlock){-.-...}, at: [<bfa26aad>] line6_stream_stop+0x24/0x5c [snd_usb_line6]
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&(&line6pcm->out.lock)->rlock);
+ lock(&(&line6pcm->out.lock)->rlock);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+3 locks held by mplayer/3591:
+ #0: (snd_pcm_link_rwlock){.-.-..}, at: [<bf8d49a7>] snd_pcm_stream_lock+0x1e/0x40 [snd_pcm]
+ #1: (&(&substream->self_group.lock)->rlock){-.-...}, at: [<bf8d49af>] snd_pcm_stream_lock+0x26/0x40 [snd_pcm]
+ #2: (&(&line6pcm->out.lock)->rlock){-.-...}, at: [<bfa26aad>] line6_stream_stop+0x24/0x5c [snd_usb_line6]
+
+stack backtrace:
+CPU: 0 PID: 3591 Comm: mplayer Not tainted 4.4.15+ #15
+Hardware name: Generic AM33XX (Flattened Device Tree)
+[<c0015d85>] (unwind_backtrace) from [<c001253d>] (show_stack+0x11/0x14)
+[<c001253d>] (show_stack) from [<c02f1bdf>] (dump_stack+0x8b/0xac)
+[<c02f1bdf>] (dump_stack) from [<c0076f43>] (__lock_acquire+0xc8b/0x1780)
+[<c0076f43>] (__lock_acquire) from [<c007810d>] (lock_acquire+0x99/0x1c0)
+[<c007810d>] (lock_acquire) from [<c06171e7>] (_raw_spin_lock_irqsave+0x3f/0x4c)
+[<c06171e7>] (_raw_spin_lock_irqsave) from [<bfa27655>] (audio_out_callback+0x70/0x110 [snd_usb_line6])
+[<bfa27655>] (audio_out_callback [snd_usb_line6]) from [<c04294db>] (__usb_hcd_giveback_urb+0x53/0xd0)
+[<c04294db>] (__usb_hcd_giveback_urb) from [<c046388d>] (musb_giveback+0x3d/0x98)
+[<c046388d>] (musb_giveback) from [<c04647f5>] (musb_urb_dequeue+0x6d/0x114)
+[<c04647f5>] (musb_urb_dequeue) from [<c042ac11>] (usb_hcd_unlink_urb+0x39/0x98)
+[<c042ac11>] (usb_hcd_unlink_urb) from [<bfa26a87>] (line6_unlink_audio_urbs+0x6a/0x6c [snd_usb_line6])
+[<bfa26a87>] (line6_unlink_audio_urbs [snd_usb_line6]) from [<bfa26acb>] (line6_stream_stop+0x42/0x5c [snd_usb_line6])
+[<bfa26acb>] (line6_stream_stop [snd_usb_line6]) from [<bfa26fe7>] (snd_line6_trigger+0xb6/0xf4 [snd_usb_line6])
+[<bfa26fe7>] (snd_line6_trigger [snd_usb_line6]) from [<bf8d47b7>] (snd_pcm_do_stop+0x36/0x38 [snd_pcm])
+[<bf8d47b7>] (snd_pcm_do_stop [snd_pcm]) from [<bf8d462f>] (snd_pcm_action_single+0x22/0x40 [snd_pcm])
+[<bf8d462f>] (snd_pcm_action_single [snd_pcm]) from [<bf8d46f9>] (snd_pcm_action+0xac/0xb0 [snd_pcm])
+[<bf8d46f9>] (snd_pcm_action [snd_pcm]) from [<bf8d4b61>] (snd_pcm_drop+0x38/0x64 [snd_pcm])
+[<bf8d4b61>] (snd_pcm_drop [snd_pcm]) from [<bf8d6233>] (snd_pcm_common_ioctl1+0x7fe/0xbe8 [snd_pcm])
+[<bf8d6233>] (snd_pcm_common_ioctl1 [snd_pcm]) from [<bf8d6779>] (snd_pcm_playback_ioctl1+0x15c/0x51c [snd_pcm])
+[<bf8d6779>] (snd_pcm_playback_ioctl1 [snd_pcm]) from [<bf8d6b59>] (snd_pcm_playback_ioctl+0x20/0x28 [snd_pcm])
+[<bf8d6b59>] (snd_pcm_playback_ioctl [snd_pcm]) from [<c016714b>] (do_vfs_ioctl+0x3af/0x5c8)
+
+Fixes: 63e20df1e5b2 ('ALSA: line6: Reorganize PCM stream handling')
+Reviewed-by: Stefan Hajnoczi <stefanha@gmail.com>
+Signed-off-by: Andrej Krutak <dev@andree.sk>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/line6/pcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/line6/pcm.c
++++ b/sound/usb/line6/pcm.c
+@@ -210,7 +210,9 @@ static void line6_stream_stop(struct snd
+ spin_lock_irqsave(&pstr->lock, flags);
+ clear_bit(type, &pstr->running);
+ if (!pstr->running) {
++ spin_unlock_irqrestore(&pstr->lock, flags);
+ line6_unlink_audio_urbs(line6pcm, pstr);
++ spin_lock_irqsave(&pstr->lock, flags);
+ if (direction == SNDRV_PCM_STREAM_CAPTURE) {
+ line6pcm->prev_fbuf = NULL;
+ line6pcm->prev_fsize = 0;
--- /dev/null
+From 7e4379eae0e31994ea645db1d13006ea8e5ce539 Mon Sep 17 00:00:00 2001
+From: Andrej Krutak <dev@andree.sk>
+Date: Thu, 18 Aug 2016 23:52:10 +0200
+Subject: ALSA: line6: Remove double line6_pcm_release() after failed acquire.
+
+From: Andrej Krutak <dev@andree.sk>
+
+commit 7e4379eae0e31994ea645db1d13006ea8e5ce539 upstream.
+
+If there's an error, pcm is released in line6_pcm_acquire already.
+
+Fixes: 247d95ee6dd2 ('ALSA: line6: Handle error from line6_pcm_acquire()')
+Reviewed-by: Stefan Hajnoczi <stefanha@gmail.com>
+Signed-off-by: Andrej Krutak <dev@andree.sk>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/line6/pcm.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/sound/usb/line6/pcm.c
++++ b/sound/usb/line6/pcm.c
+@@ -55,7 +55,6 @@ static int snd_line6_impulse_volume_put(
+ err = line6_pcm_acquire(line6pcm, LINE6_STREAM_IMPULSE);
+ if (err < 0) {
+ line6pcm->impulse_volume = 0;
+- line6_pcm_release(line6pcm, LINE6_STREAM_IMPULSE);
+ return err;
+ }
+ } else {
--- /dev/null
+From e514cc0a492a3f39ef71b31590a7ef67537ee04b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 15 Jul 2016 14:09:13 +0300
+Subject: crypto: nx - off by one bug in nx_of_update_msc()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit e514cc0a492a3f39ef71b31590a7ef67537ee04b upstream.
+
+The props->ap[] array is defined like this:
+
+ struct alg_props ap[NX_MAX_FC][NX_MAX_MODE][3];
+
+So we can see that if msc->fc and msc->mode are == to NX_MAX_FC or
+NX_MAX_MODE then we're off by one.
+
+Fixes: ae0222b7289d ('powerpc/crypto: nx driver code supporting nx encryption')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/nx/nx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/nx/nx.c
++++ b/drivers/crypto/nx/nx.c
+@@ -392,7 +392,7 @@ static void nx_of_update_msc(struct devi
+ ((bytes_so_far + sizeof(struct msc_triplet)) <= lenp) &&
+ i < msc->triplets;
+ i++) {
+- if (msc->fc > NX_MAX_FC || msc->mode > NX_MAX_MODE) {
++ if (msc->fc >= NX_MAX_FC || msc->mode >= NX_MAX_MODE) {
+ dev_err(dev, "unknown function code/mode "
+ "combo: %d/%d (ignored)\n", msc->fc,
+ msc->mode);
--- /dev/null
+From 10bb087ce381c812cd81a65ffd5e6f83e6399291 Mon Sep 17 00:00:00 2001
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Date: Thu, 18 Aug 2016 19:53:36 +0100
+Subject: crypto: qat - fix aes-xts key sizes
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+commit 10bb087ce381c812cd81a65ffd5e6f83e6399291 upstream.
+
+Increase value of supported key sizes for qat_aes_xts.
+aes-xts keys consists of keys of equal size concatenated.
+
+Fixes: def14bfaf30d ("crypto: qat - add support for ctr(aes) and xts(aes)")
+Reported-by: Wenqian Yu <wenqian.yu@intel.com>
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/qat/qat_common/qat_algs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/qat/qat_common/qat_algs.c
++++ b/drivers/crypto/qat/qat_common/qat_algs.c
+@@ -1262,8 +1262,8 @@ static struct crypto_alg qat_algs[] = {
+ .setkey = qat_alg_ablkcipher_xts_setkey,
+ .decrypt = qat_alg_ablkcipher_decrypt,
+ .encrypt = qat_alg_ablkcipher_encrypt,
+- .min_keysize = AES_MIN_KEY_SIZE,
+- .max_keysize = AES_MAX_KEY_SIZE,
++ .min_keysize = 2 * AES_MIN_KEY_SIZE,
++ .max_keysize = 2 * AES_MAX_KEY_SIZE,
+ .ivsize = AES_BLOCK_SIZE,
+ },
+ },
--- /dev/null
+From 626d2f07de89bf6be3d7301524d0ab3375b81b9c Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Thu, 4 Aug 2016 19:59:41 +0900
+Subject: dmaengine: usb-dmac: check CHCR.DE bit in usb_dmac_isr_channel()
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 626d2f07de89bf6be3d7301524d0ab3375b81b9c upstream.
+
+The USB-DMAC's interruption happens even if the CHCR.DE is not set to 1
+because CHCR.NULLE is set to 1. So, this driver should call
+usb_dmac_isr_transfer_end() if the DE bit is set to 1 only. Otherwise,
+the desc is possible to be NULL in the usb_dmac_isr_transfer_end().
+
+Fixes: 0c1c8ff32fa2 ("dmaengine: usb-dmac: Add Renesas USB DMA Controller (USB-DMAC) driver)
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/sh/usb-dmac.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/drivers/dma/sh/usb-dmac.c
++++ b/drivers/dma/sh/usb-dmac.c
+@@ -600,27 +600,30 @@ static irqreturn_t usb_dmac_isr_channel(
+ {
+ struct usb_dmac_chan *chan = dev;
+ irqreturn_t ret = IRQ_NONE;
+- u32 mask = USB_DMACHCR_TE;
+- u32 check_bits = USB_DMACHCR_TE | USB_DMACHCR_SP;
++ u32 mask = 0;
+ u32 chcr;
++ bool xfer_end = false;
+
+ spin_lock(&chan->vc.lock);
+
+ chcr = usb_dmac_chan_read(chan, USB_DMACHCR);
+- if (chcr & check_bits)
+- mask |= USB_DMACHCR_DE | check_bits;
++ if (chcr & (USB_DMACHCR_TE | USB_DMACHCR_SP)) {
++ mask |= USB_DMACHCR_DE | USB_DMACHCR_TE | USB_DMACHCR_SP;
++ if (chcr & USB_DMACHCR_DE)
++ xfer_end = true;
++ ret |= IRQ_HANDLED;
++ }
+ if (chcr & USB_DMACHCR_NULL) {
+ /* An interruption of TE will happen after we set FTE */
+ mask |= USB_DMACHCR_NULL;
+ chcr |= USB_DMACHCR_FTE;
+ ret |= IRQ_HANDLED;
+ }
+- usb_dmac_chan_write(chan, USB_DMACHCR, chcr & ~mask);
++ if (mask)
++ usb_dmac_chan_write(chan, USB_DMACHCR, chcr & ~mask);
+
+- if (chcr & check_bits) {
++ if (xfer_end)
+ usb_dmac_isr_transfer_end(chan);
+- ret |= IRQ_HANDLED;
+- }
+
+ spin_unlock(&chan->vc.lock);
+
--- /dev/null
+From 5d17d3b4bbf3becb89fd48b74340a50a39736f6d Mon Sep 17 00:00:00 2001
+From: Quentin Schulz <quentin.schulz@free-electrons.com>
+Date: Tue, 26 Jul 2016 09:47:09 +0200
+Subject: hwmon: (iio_hwmon) fix memory leak in name attribute
+
+From: Quentin Schulz <quentin.schulz@free-electrons.com>
+
+commit 5d17d3b4bbf3becb89fd48b74340a50a39736f6d upstream.
+
+The "name" variable's memory is now freed when the device is destructed
+thanks to devm function.
+
+Signed-off-by: Quentin Schulz <quentin.schulz@free-electrons.com>
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Fixes: e0f8a24e0edfd ("staging:iio::hwmon interface client driver.")
+Fixes: 61bb53bcbdd86 ("hwmon: (iio_hwmon) Add support for humidity sensors")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/iio_hwmon.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/drivers/hwmon/iio_hwmon.c
++++ b/drivers/hwmon/iio_hwmon.c
+@@ -109,24 +109,24 @@ static int iio_hwmon_probe(struct platfo
+
+ switch (type) {
+ case IIO_VOLTAGE:
+- a->dev_attr.attr.name = kasprintf(GFP_KERNEL,
+- "in%d_input",
+- in_i++);
++ a->dev_attr.attr.name = devm_kasprintf(dev, GFP_KERNEL,
++ "in%d_input",
++ in_i++);
+ break;
+ case IIO_TEMP:
+- a->dev_attr.attr.name = kasprintf(GFP_KERNEL,
+- "temp%d_input",
+- temp_i++);
++ a->dev_attr.attr.name = devm_kasprintf(dev, GFP_KERNEL,
++ "temp%d_input",
++ temp_i++);
+ break;
+ case IIO_CURRENT:
+- a->dev_attr.attr.name = kasprintf(GFP_KERNEL,
+- "curr%d_input",
+- curr_i++);
++ a->dev_attr.attr.name = devm_kasprintf(dev, GFP_KERNEL,
++ "curr%d_input",
++ curr_i++);
+ break;
+ case IIO_HUMIDITYRELATIVE:
+- a->dev_attr.attr.name = kasprintf(GFP_KERNEL,
+- "humidity%d_input",
+- humidity_i++);
++ a->dev_attr.attr.name = devm_kasprintf(dev, GFP_KERNEL,
++ "humidity%d_input",
++ humidity_i++);
+ break;
+ default:
+ ret = -EINVAL;
--- /dev/null
+From 47af45d684b5f3ae000ad448db02ce4f13f73273 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Tue, 16 Aug 2016 17:38:54 -0700
+Subject: Input: i8042 - set up shared ps2_cmd_mutex for AUX ports
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 47af45d684b5f3ae000ad448db02ce4f13f73273 upstream.
+
+The commit 4097461897df ("Input: i8042 - break load dependency ...")
+correctly set up ps2_cmd_mutex pointer for the KBD port but forgot to do
+the same for AUX port(s), which results in communication on KBD and AUX
+ports to clash with each other.
+
+Fixes: 4097461897df ("Input: i8042 - break load dependency ...")
+Reported-by: Bruno Wolff III <bruno@wolff.to>
+Tested-by: Bruno Wolff III <bruno@wolff.to>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/serio/i8042.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/serio/i8042.c
++++ b/drivers/input/serio/i8042.c
+@@ -1305,6 +1305,7 @@ static int __init i8042_create_aux_port(
+ serio->write = i8042_aux_write;
+ serio->start = i8042_start;
+ serio->stop = i8042_stop;
++ serio->ps2_cmd_mutex = &i8042_mutex;
+ serio->port_data = port;
+ serio->dev.parent = &i8042_platform_device->dev;
+ if (idx < 0) {
--- /dev/null
+From fae16989be77b09bab86c79233e4b511ea769cea Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Mon, 22 Aug 2016 13:25:56 -0700
+Subject: Input: tegra-kbc - fix inverted reset logic
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+commit fae16989be77b09bab86c79233e4b511ea769cea upstream.
+
+Commit fe6b0dfaba68 ("Input: tegra-kbc - use reset framework")
+accidentally converted _deassert to _assert, so there is no code
+to wake up this hardware.
+
+Fixes: fe6b0dfaba68 ("Input: tegra-kbc - use reset framework")
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Acked-by: Laxman Dewangan <ldewangan@nvidia.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/keyboard/tegra-kbc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/keyboard/tegra-kbc.c
++++ b/drivers/input/keyboard/tegra-kbc.c
+@@ -376,7 +376,7 @@ static int tegra_kbc_start(struct tegra_
+ /* Reset the KBC controller to clear all previous status.*/
+ reset_control_assert(kbc->rst);
+ udelay(100);
+- reset_control_assert(kbc->rst);
++ reset_control_deassert(kbc->rst);
+ udelay(100);
+
+ tegra_kbc_config_pins(kbc);
fs-seq_file-fix-out-of-bounds-read.patch
btrfs-waiting-on-qgroup-rescan-should-not-always-be-interruptible.patch
btrfs-properly-track-when-rescan-worker-is-running.patch
+input-tegra-kbc-fix-inverted-reset-logic.patch
+input-i8042-break-load-dependency-between-atkbd-psmouse-and-i8042.patch
+input-i8042-set-up-shared-ps2_cmd_mutex-for-aux-ports.patch
+crypto-nx-off-by-one-bug-in-nx_of_update_msc.patch
+crypto-qat-fix-aes-xts-key-sizes.patch
+dmaengine-usb-dmac-check-chcr.de-bit-in-usb_dmac_isr_channel.patch
+usb-avoid-left-shift-by-1.patch
+usb-chipidea-udc-don-t-touch-dp-when-controller-is-in-host-mode.patch
+usb-fix-typo-in-wmaxpacketsize-validation.patch
+usb-serial-mos7720-fix-non-atomic-allocation-in-write-path.patch
+usb-serial-mos7840-fix-non-atomic-allocation-in-write-path.patch
+usb-serial-option-add-wetelecom-wm-d200.patch
+usb-serial-option-add-wetelecom-0x6802-and-0x6803-products.patch
+staging-comedi-daqboard2000-bug-fix-board-type-matching-code.patch
+staging-comedi-comedi_test-fix-timer-race-conditions.patch
+staging-comedi-ni_mio_common-fix-ao-inttrig-backwards-compatibility.patch
+staging-comedi-ni_mio_common-fix-wrong-insn_write-handler.patch
+acpi-drivers-fix-typo-in-acpi_declare_probe_entry-macro.patch
+acpi-drivers-replace-acpi_probe_lock-spinlock-with-mutex.patch
+acpi-sysfs-fix-error-code-in-get_status.patch
+acpi-srat-fix-srat-parsing-order-with-both-lapic-and-x2apic-present.patch
+alsa-line6-remove-double-line6_pcm_release-after-failed-acquire.patch
+alsa-line6-give-up-on-the-lock-while-urbs-are-released.patch
+alsa-line6-fix-pod-sysfs-attributes-segfault.patch
+hwmon-iio_hwmon-fix-memory-leak-in-name-attribute.patch
+sysfs-correctly-handle-read-offset-on-prealloc-attrs.patch
--- /dev/null
+From 403fe7f34e3327ddac2e06a15e76a293d613381e Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Thu, 30 Jun 2016 19:58:32 +0100
+Subject: staging: comedi: comedi_test: fix timer race conditions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 403fe7f34e3327ddac2e06a15e76a293d613381e upstream.
+
+Commit 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up")
+fixed a lock-up in the timer routine `waveform_ai_timer()` (which was
+called `waveform_ai_interrupt()` at the time) caused by
+commit 240512474424 ("staging: comedi: comedi_test: use
+comedi_handle_events()"). However, it introduced a race condition that
+can result in the timer routine misbehaving, such as accessing freed
+memory or dereferencing a NULL pointer.
+
+73e0... changed the timer routine to do nothing unless a
+`WAVEFORM_AI_RUNNING` flag was set, and changed `waveform_ai_cancel()`
+to clear the flag and replace a call to `del_timer_sync()` with a call
+to `del_timer()`. `waveform_ai_cancel()` may be called from the timer
+routine itself (via `comedi_handle_events()`), or from `do_cancel()`.
+(`do_cancel()` is called as a result of a file operation (usually a
+`COMEDI_CANCEL` ioctl command, or a release), or during device removal.)
+When called from `do_cancel()`, the call to `waveform_ai_cancel()` is
+followed by a call to `do_become_nonbusy()`, which frees up stuff for
+the current asynchronous command under the assumption that it is now
+safe to do so. The race condition occurs when the timer routine
+`waveform_ai_timer()` checks the `WAVEFORM_AI_RUNNING` flag just before
+it is cleared by `waveform_ai_cancel()`, and is still running during the
+call to `do_become_nonbusy()`. In particular, it can lead to a NULL
+pointer dereference:
+
+BUG: unable to handle kernel NULL pointer dereference at (null)
+IP: [<ffffffffc0c63add>] waveform_ai_timer+0x17d/0x290 [comedi_test]
+
+That corresponds to this line in `waveform_ai_timer()`:
+
+ unsigned int chanspec = cmd->chanlist[async->cur_chan];
+
+but `do_become_nonbusy()` frees `cmd->chanlist` and sets it to `NULL`.
+
+Fix the race by calling `del_timer_sync()` instead of `del_timer()` in
+`waveform_ai_cancel()` when not in an interrupt context. The only time
+`waveform_ai_cancel()` is called in an interrupt context is when it is
+called from the timer routine itself, via `comedi_handle_events()`.
+
+There is no longer any need for the `WAVEFORM_AI_RUNNING` flag, so get
+rid of it.
+
+The bug was copied from the AI subdevice to the AO when support for
+commands on the AO subdevice was added by commit 0cf55bbef2f9 ("staging:
+comedi: comedi_test: implement commands on AO subdevice"). That
+involves the timer routine `waveform_ao_timer()`, the comedi "cancel"
+routine `waveform_ao_cancel()`, and the flag `WAVEFORM_AO_RUNNING`. Fix
+it in the same way as for the AI subdevice.
+
+Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up")
+Fixes: 0cf55bbef2f9 ("staging: comedi: comedi_test: implement commands
+ on AO subdevice")
+Reported-by: Éric Piel <piel@delmic.com>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Cc: Éric Piel <piel@delmic.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/comedi_test.c | 46 +++++++--------------------
+ 1 file changed, 12 insertions(+), 34 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/comedi_test.c
++++ b/drivers/staging/comedi/drivers/comedi_test.c
+@@ -56,11 +56,6 @@
+
+ #define N_CHANS 8
+
+-enum waveform_state_bits {
+- WAVEFORM_AI_RUNNING,
+- WAVEFORM_AO_RUNNING
+-};
+-
+ /* Data unique to this driver */
+ struct waveform_private {
+ struct timer_list ai_timer; /* timer for AI commands */
+@@ -68,7 +63,6 @@ struct waveform_private {
+ unsigned int wf_amplitude; /* waveform amplitude in microvolts */
+ unsigned int wf_period; /* waveform period in microseconds */
+ unsigned int wf_current; /* current time in waveform period */
+- unsigned long state_bits;
+ unsigned int ai_scan_period; /* AI scan period in usec */
+ unsigned int ai_convert_period; /* AI conversion period in usec */
+ struct timer_list ao_timer; /* timer for AO commands */
+@@ -191,10 +185,6 @@ static void waveform_ai_timer(unsigned l
+ unsigned int nsamples;
+ unsigned int time_increment;
+
+- /* check command is still active */
+- if (!test_bit(WAVEFORM_AI_RUNNING, &devpriv->state_bits))
+- return;
+-
+ now = ktime_to_us(ktime_get());
+ nsamples = comedi_nsamples_left(s, UINT_MAX);
+
+@@ -386,11 +376,6 @@ static int waveform_ai_cmd(struct comedi
+ */
+ devpriv->ai_timer.expires =
+ jiffies + usecs_to_jiffies(devpriv->ai_convert_period) + 1;
+-
+- /* mark command as active */
+- smp_mb__before_atomic();
+- set_bit(WAVEFORM_AI_RUNNING, &devpriv->state_bits);
+- smp_mb__after_atomic();
+ add_timer(&devpriv->ai_timer);
+ return 0;
+ }
+@@ -400,11 +385,12 @@ static int waveform_ai_cancel(struct com
+ {
+ struct waveform_private *devpriv = dev->private;
+
+- /* mark command as no longer active */
+- clear_bit(WAVEFORM_AI_RUNNING, &devpriv->state_bits);
+- smp_mb__after_atomic();
+- /* cannot call del_timer_sync() as may be called from timer routine */
+- del_timer(&devpriv->ai_timer);
++ if (in_softirq()) {
++ /* Assume we were called from the timer routine itself. */
++ del_timer(&devpriv->ai_timer);
++ } else {
++ del_timer_sync(&devpriv->ai_timer);
++ }
+ return 0;
+ }
+
+@@ -436,10 +422,6 @@ static void waveform_ao_timer(unsigned l
+ u64 scans_since;
+ unsigned int scans_avail = 0;
+
+- /* check command is still active */
+- if (!test_bit(WAVEFORM_AO_RUNNING, &devpriv->state_bits))
+- return;
+-
+ /* determine number of scan periods since last time */
+ now = ktime_to_us(ktime_get());
+ scans_since = now - devpriv->ao_last_scan_time;
+@@ -518,11 +500,6 @@ static int waveform_ao_inttrig_start(str
+ devpriv->ao_last_scan_time = ktime_to_us(ktime_get());
+ devpriv->ao_timer.expires =
+ jiffies + usecs_to_jiffies(devpriv->ao_scan_period);
+-
+- /* mark command as active */
+- smp_mb__before_atomic();
+- set_bit(WAVEFORM_AO_RUNNING, &devpriv->state_bits);
+- smp_mb__after_atomic();
+ add_timer(&devpriv->ao_timer);
+
+ return 1;
+@@ -608,11 +585,12 @@ static int waveform_ao_cancel(struct com
+ struct waveform_private *devpriv = dev->private;
+
+ s->async->inttrig = NULL;
+- /* mark command as no longer active */
+- clear_bit(WAVEFORM_AO_RUNNING, &devpriv->state_bits);
+- smp_mb__after_atomic();
+- /* cannot call del_timer_sync() as may be called from timer routine */
+- del_timer(&devpriv->ao_timer);
++ if (in_softirq()) {
++ /* Assume we were called from the timer routine itself. */
++ del_timer(&devpriv->ao_timer);
++ } else {
++ del_timer_sync(&devpriv->ao_timer);
++ }
+ return 0;
+ }
+
--- /dev/null
+From 80e162ee9b31d77d851b10f8c5299132be1e120f Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 29 Jun 2016 20:27:44 +0100
+Subject: staging: comedi: daqboard2000: bug fix board type matching code
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 80e162ee9b31d77d851b10f8c5299132be1e120f upstream.
+
+`daqboard2000_find_boardinfo()` is supposed to check if the
+DaqBoard/2000 series model is supported, based on the PCI subvendor and
+subdevice ID. The current code is wrong as it is comparing the PCI
+device's subdevice ID to an expected, fixed value for the subvendor ID.
+It should be comparing the PCI device's subvendor ID to this fixed
+value. Correct it.
+
+Fixes: 7e8401b23e7f ("staging: comedi: daqboard2000: add back subsystem_device check")
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/daqboard2000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/daqboard2000.c
++++ b/drivers/staging/comedi/drivers/daqboard2000.c
+@@ -636,7 +636,7 @@ static const void *daqboard2000_find_boa
+ const struct daq200_boardtype *board;
+ int i;
+
+- if (pcidev->subsystem_device != PCI_VENDOR_ID_IOTECH)
++ if (pcidev->subsystem_vendor != PCI_VENDOR_ID_IOTECH)
+ return NULL;
+
+ for (i = 0; i < ARRAY_SIZE(boardtypes); i++) {
--- /dev/null
+From f0f4b0cc3a8cffd983f5940d46cd0227f3f5710a Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 19 Jul 2016 12:17:39 +0100
+Subject: staging: comedi: ni_mio_common: fix AO inttrig backwards compatibility
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit f0f4b0cc3a8cffd983f5940d46cd0227f3f5710a upstream.
+
+Commit ebb657babfa9 ("staging: comedi: ni_mio_common: clarify the
+cmd->start_arg validation and use") introduced a backwards compatibility
+issue in the use of asynchronous commands on the AO subdevice when
+`start_src` is `TRIG_EXT`. Valid values for `start_src` are `TRIG_INT`
+(for internal, software trigger), and `TRIG_EXT` (for external trigger).
+When set to `TRIG_EXT`. In both cases, the driver relies on an
+internal, software trigger to set things up (allowing the user
+application to write sufficient samples to the data buffer before the
+trigger), so it acts as a software "pre-trigger" in the `TRIG_EXT` case.
+The software trigger is handled by `ni_ao_inttrig()`.
+
+Prior to the above change, when `start_src` was `TRIG_INT`, `start_arg`
+was required to be 0, and `ni_ao_inttrig()` checked that the software
+trigger number was also 0. After the above change, when `start_src` was
+`TRIG_INT`, any value was allowed for `start_arg`, and `ni_ao_inttrig()`
+checked that the software trigger number matched this `start_arg` value.
+The backwards compatibility issue is that the internal trigger number
+now has to match `start_arg` when `start_src` is `TRIG_EXT` when it
+previously had to be 0.
+
+Fix the backwards compatibility issue in `ni_ao_inttrig()` by always
+allowing software trigger number 0 when `start_src` is something other
+than `TRIG_INT`.
+
+Thanks to Spencer Olson for reporting the issue.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Reported-by: Spencer Olson <olsonse@umich.edu>
+Fixes: ebb657babfa9 ("staging: comedi: ni_mio_common: clarify the cmd->start_arg validation and use")
+Reviewed-by: H Hartley Sweeten <hsweeten@visionengravers.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/ni_mio_common.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/ni_mio_common.c
++++ b/drivers/staging/comedi/drivers/ni_mio_common.c
+@@ -2823,7 +2823,15 @@ static int ni_ao_inttrig(struct comedi_d
+ int i;
+ static const int timeout = 1000;
+
+- if (trig_num != cmd->start_arg)
++ /*
++ * Require trig_num == cmd->start_arg when cmd->start_src == TRIG_INT.
++ * For backwards compatibility, also allow trig_num == 0 when
++ * cmd->start_src != TRIG_INT (i.e. when cmd->start_src == TRIG_EXT);
++ * in that case, the internal trigger is being used as a pre-trigger
++ * before the external trigger.
++ */
++ if (!(trig_num == cmd->start_arg ||
++ (trig_num == 0 && cmd->start_src != TRIG_INT)))
+ return -EINVAL;
+
+ /* Null trig at beginning prevent ao start trigger from executing more than
--- /dev/null
+From 5ca05345c56cb979e1a25ab6146437002f95cac8 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 20 Jul 2016 17:07:34 +0100
+Subject: staging: comedi: ni_mio_common: fix wrong insn_write handler
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 5ca05345c56cb979e1a25ab6146437002f95cac8 upstream.
+
+For counter subdevices, the `s->insn_write` handler is being set to the
+wrong function, `ni_tio_insn_read()`. It should be
+`ni_tio_insn_write()`.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Reported-by: Éric Piel <piel@delmic.com>
+Fixes: 10f74377eec3 ("staging: comedi: ni_tio: make ni_tio_winsn() a
+ proper comedi (*insn_write)"
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/ni_mio_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/ni_mio_common.c
++++ b/drivers/staging/comedi/drivers/ni_mio_common.c
+@@ -5354,7 +5354,7 @@ static int ni_E_init(struct comedi_devic
+ s->maxdata = (devpriv->is_m_series) ? 0xffffffff
+ : 0x00ffffff;
+ s->insn_read = ni_tio_insn_read;
+- s->insn_write = ni_tio_insn_read;
++ s->insn_write = ni_tio_insn_write;
+ s->insn_config = ni_tio_insn_config;
+ #ifdef PCIDMA
+ if (dev->irq && devpriv->mite) {
--- /dev/null
+From 17d0774f80681020eccc9638d925a23f1fc4f671 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Wed, 22 Jun 2016 21:42:16 +0300
+Subject: sysfs: correctly handle read offset on PREALLOC attrs
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+commit 17d0774f80681020eccc9638d925a23f1fc4f671 upstream.
+
+Attributes declared with __ATTR_PREALLOC use sysfs_kf_read() which returns
+zero bytes for non-zero offset. This breaks script checkarray in mdadm tool
+in debian where /bin/sh is 'dash' because its builtin 'read' reads only one
+byte at a time. Script gets 'i' instead of 'idle' when reads current action
+from /sys/block/$dev/md/sync_action and as a result does nothing.
+
+This patch adds trivial implementation of partial read: generate whole
+string and move required part into buffer head.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Fixes: 4ef67a8c95f3 ("sysfs/kernfs: make read requests on pre-alloc files use the buffer.")
+Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787950
+Acked-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/sysfs/file.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/sysfs/file.c
++++ b/fs/sysfs/file.c
+@@ -114,9 +114,15 @@ static ssize_t sysfs_kf_read(struct kern
+ * If buf != of->prealloc_buf, we don't know how
+ * large it is, so cannot safely pass it to ->show
+ */
+- if (pos || WARN_ON_ONCE(buf != of->prealloc_buf))
++ if (WARN_ON_ONCE(buf != of->prealloc_buf))
+ return 0;
+ len = ops->show(kobj, of->kn->priv, buf);
++ if (pos) {
++ if (len <= pos)
++ return 0;
++ len -= pos;
++ memmove(buf, buf + pos, len);
++ }
+ return min(count, len);
+ }
+
--- /dev/null
+From 53e5f36fbd2453ad69a3369a1db62dc06c30a4aa Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 23 Aug 2016 15:32:51 -0400
+Subject: USB: avoid left shift by -1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 53e5f36fbd2453ad69a3369a1db62dc06c30a4aa upstream.
+
+UBSAN complains about a left shift by -1 in proc_do_submiturb(). This
+can occur when an URB is submitted for a bulk or control endpoint on
+a high-speed device, since the code doesn't bother to check the
+endpoint type; normally only interrupt or isochronous endpoints have
+a nonzero bInterval value.
+
+Aside from the fact that the operation is illegal, it shouldn't matter
+because the result isn't used. Still, in theory it could cause a
+hardware exception or other problem, so we should work around it.
+This patch avoids doing the left shift unless the shift amount is >= 0.
+
+The same piece of code has another problem. When checking the device
+speed (the exponential encoding for interrupt endpoints is used only
+by high-speed or faster devices), we need to look for speed >=
+USB_SPEED_SUPER as well as speed == USB_SPEED HIGH. The patch adds
+this check.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Vittorio Zecca <zeccav@gmail.com>
+Tested-by: Vittorio Zecca <zeccav@gmail.com>
+Suggested-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devio.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1530,11 +1530,17 @@ static int proc_do_submiturb(struct usb_
+ as->urb->start_frame = uurb->start_frame;
+ as->urb->number_of_packets = number_of_packets;
+ as->urb->stream_id = stream_id;
+- if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
+- ps->dev->speed == USB_SPEED_HIGH)
+- as->urb->interval = 1 << min(15, ep->desc.bInterval - 1);
+- else
+- as->urb->interval = ep->desc.bInterval;
++
++ if (ep->desc.bInterval) {
++ if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
++ ps->dev->speed == USB_SPEED_HIGH ||
++ ps->dev->speed >= USB_SPEED_SUPER)
++ as->urb->interval = 1 <<
++ min(15, ep->desc.bInterval - 1);
++ else
++ as->urb->interval = ep->desc.bInterval;
++ }
++
+ as->urb->context = as;
+ as->urb->complete = async_completed;
+ for (totlen = u = 0; u < number_of_packets; u++) {
--- /dev/null
+From c4e94174983a86c935be1537a73e496b778b0287 Mon Sep 17 00:00:00 2001
+From: Li Jun <jun.li@nxp.com>
+Date: Tue, 16 Aug 2016 19:19:11 +0800
+Subject: usb: chipidea: udc: don't touch DP when controller is in host mode
+
+From: Li Jun <jun.li@nxp.com>
+
+commit c4e94174983a86c935be1537a73e496b778b0287 upstream.
+
+When the controller is configured to be dual role and it's in host mode,
+if bind udc and gadgt driver, those gadget operations will do gadget
+disconnect and finally pull down DP line, which will break host function.
+
+Signed-off-by: Li Jun <jun.li@nxp.com>
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/chipidea/udc.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/chipidea/udc.c
++++ b/drivers/usb/chipidea/udc.c
+@@ -1585,8 +1585,11 @@ static int ci_udc_pullup(struct usb_gadg
+ {
+ struct ci_hdrc *ci = container_of(_gadget, struct ci_hdrc, gadget);
+
+- /* Data+ pullup controlled by OTG state machine in OTG fsm mode */
+- if (ci_otg_is_fsm_mode(ci))
++ /*
++ * Data+ pullup controlled by OTG state machine in OTG fsm mode;
++ * and don't touch Data+ in host mode for dual role config.
++ */
++ if (ci_otg_is_fsm_mode(ci) || ci->role == CI_ROLE_HOST)
+ return 0;
+
+ pm_runtime_get_sync(&ci->gadget.dev);
--- /dev/null
+From 6c73358c83ce870c0cf32413e5cadb3b9a39c606 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 22 Aug 2016 16:58:53 -0400
+Subject: USB: fix typo in wMaxPacketSize validation
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 6c73358c83ce870c0cf32413e5cadb3b9a39c606 upstream.
+
+The maximum value allowed for wMaxPacketSize of a high-speed interrupt
+endpoint is 1024 bytes, not 1023.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Fixes: aed9d65ac327 ("USB: validate wMaxPacketValue entries in endpoint descriptors")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/config.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -158,7 +158,7 @@ static const unsigned short high_speed_m
+ [USB_ENDPOINT_XFER_CONTROL] = 64,
+ [USB_ENDPOINT_XFER_ISOC] = 1024,
+ [USB_ENDPOINT_XFER_BULK] = 512,
+- [USB_ENDPOINT_XFER_INT] = 1023,
++ [USB_ENDPOINT_XFER_INT] = 1024,
+ };
+ static const unsigned short super_speed_maxpacket_maxes[4] = {
+ [USB_ENDPOINT_XFER_CONTROL] = 512,
--- /dev/null
+From 5a5a1d614287a647b36dff3f40c2b0ceabbc83ec Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Fri, 12 Aug 2016 01:05:08 +0300
+Subject: USB: serial: mos7720: fix non-atomic allocation in write path
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+commit 5a5a1d614287a647b36dff3f40c2b0ceabbc83ec upstream.
+
+There is an allocation with GFP_KERNEL flag in mos7720_write(),
+while it may be called from interrupt context.
+
+Follow-up for commit 191252837626 ("USB: kobil_sct: fix non-atomic
+allocation in write path")
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/mos7720.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/mos7720.c
++++ b/drivers/usb/serial/mos7720.c
+@@ -1252,7 +1252,7 @@ static int mos7720_write(struct tty_stru
+
+ if (urb->transfer_buffer == NULL) {
+ urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE,
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ if (!urb->transfer_buffer)
+ goto exit;
+ }
--- /dev/null
+From 3b7c7e52efda0d4640060de747768360ba70a7c0 Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Fri, 12 Aug 2016 01:05:09 +0300
+Subject: USB: serial: mos7840: fix non-atomic allocation in write path
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+commit 3b7c7e52efda0d4640060de747768360ba70a7c0 upstream.
+
+There is an allocation with GFP_KERNEL flag in mos7840_write(),
+while it may be called from interrupt context.
+
+Follow-up for commit 191252837626 ("USB: kobil_sct: fix non-atomic
+allocation in write path")
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/mos7840.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -1340,8 +1340,8 @@ static int mos7840_write(struct tty_stru
+ }
+
+ if (urb->transfer_buffer == NULL) {
+- urb->transfer_buffer =
+- kmalloc(URB_TRANSFER_BUFFER_SIZE, GFP_KERNEL);
++ urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE,
++ GFP_ATOMIC);
+ if (!urb->transfer_buffer)
+ goto exit;
+ }
--- /dev/null
+From 40d9c32525cba79130612650b1abc47c0c0f19a8 Mon Sep 17 00:00:00 2001
+From: Aleksandr Makarov <aleksandr.o.makarov@gmail.com>
+Date: Wed, 24 Aug 2016 13:06:22 +0300
+Subject: USB: serial: option: add WeTelecom 0x6802 and 0x6803 products
+
+From: Aleksandr Makarov <aleksandr.o.makarov@gmail.com>
+
+commit 40d9c32525cba79130612650b1abc47c0c0f19a8 upstream.
+
+These product IDs are listed in Windows driver.
+0x6803 corresponds to WeTelecom WM-D300.
+0x6802 name is unknown.
+
+Signed-off-by: Aleksandr Makarov <aleksandr.o.makarov@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -528,6 +528,8 @@ static void option_instat_callback(struc
+ /* WeTelecom products */
+ #define WETELECOM_VENDOR_ID 0x22de
+ #define WETELECOM_PRODUCT_WMD200 0x6801
++#define WETELECOM_PRODUCT_6802 0x6802
++#define WETELECOM_PRODUCT_WMD300 0x6803
+
+ struct option_blacklist_info {
+ /* bitmask of interface numbers blacklisted for send_setup */
+@@ -1996,6 +1998,8 @@ static const struct usb_device_id option
+ { USB_DEVICE(INOVIA_VENDOR_ID, INOVIA_SEW858) },
+ { USB_DEVICE(VIATELECOM_VENDOR_ID, VIATELECOM_PRODUCT_CDS7) },
+ { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },
++ { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_6802, 0xff, 0xff, 0xff) },
++ { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD300, 0xff, 0xff, 0xff) },
+ { } /* Terminating entry */
+ };
+ MODULE_DEVICE_TABLE(usb, option_ids);
--- /dev/null
+From 6695593e4a7659db49ac6eca98c164f7b5589f72 Mon Sep 17 00:00:00 2001
+From: Aleksandr Makarov <aleksandr.o.makarov@gmail.com>
+Date: Sat, 20 Aug 2016 13:29:41 +0300
+Subject: USB: serial: option: add WeTelecom WM-D200
+
+From: Aleksandr Makarov <aleksandr.o.makarov@gmail.com>
+
+commit 6695593e4a7659db49ac6eca98c164f7b5589f72 upstream.
+
+Add support for WeTelecom WM-D200.
+
+T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 4 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=22de ProdID=6801 Rev=00.00
+S: Manufacturer=WeTelecom Incorporated
+S: Product=WeTelecom Mobile Products
+C: #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+I: If#= 3 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
+
+Signed-off-by: Aleksandr Makarov <aleksandr.o.makarov@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -525,6 +525,10 @@ static void option_instat_callback(struc
+ #define VIATELECOM_VENDOR_ID 0x15eb
+ #define VIATELECOM_PRODUCT_CDS7 0x0001
+
++/* WeTelecom products */
++#define WETELECOM_VENDOR_ID 0x22de
++#define WETELECOM_PRODUCT_WMD200 0x6801
++
+ struct option_blacklist_info {
+ /* bitmask of interface numbers blacklisted for send_setup */
+ const unsigned long sendsetup;
+@@ -1991,6 +1995,7 @@ static const struct usb_device_id option
+ { USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) }, /* OLICARD300 - MT6225 */
+ { USB_DEVICE(INOVIA_VENDOR_ID, INOVIA_SEW858) },
+ { USB_DEVICE(VIATELECOM_VENDOR_ID, VIATELECOM_PRODUCT_CDS7) },
++ { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },
+ { } /* Terminating entry */
+ };
+ MODULE_DEVICE_TABLE(usb, option_ids);