4.7-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 18 Aug 2016 09:11:10 +0000 (11:11 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 18 Aug 2016 09:11:10 +0000 (11:11 +0200)
added patches:
arc-dma-fix-address-translation-in-arc_dma_free.patch
arc-mm-don-t-loose-pte_special-in-pte_modify.patch
bcma-add-pci-id-for-foxconn-s-bcm43142-device.patch
bluetooth-add-support-of-13d3-3490-ar3012-device.patch
bluetooth-fix-l2cap_sock_setsockopt-with-optname-bt_rcvmtu.patch
brcmfmac-restore-stopping-netdev-queue-when-bus-clogs-up.patch
dm-fix-second-blk_delay_queue-parameter-to-be-in-msec-units-not-jiffies.patch
dm-set-dmf_suspended-_before_-clearing-dmf_noflush_suspending.patch
dm-verity-fec-fix-block-calculation.patch
edac-correct-channel-count-limit.patch
fix-rc5-decoding-with-fintek-cir-chipset.patch
hid-uhid-fix-timeout-when-probe-races-with-io.patch
hp-wmi-fix-wifi-cannot-be-hard-unblocked.patch
i2c-efm32-fix-a-failure-path-in-efm32_i2c_probe.patch
iwlwifi-add-new-8260-pci-ids.patch
iwlwifi-add-new-8265.patch
iwlwifi-pcie-enable-interrupts-before-releasing-the-nic-s-cpu.patch
iwlwifi-pcie-fix-a-race-in-firmware-loading-flow.patch
jbd2-make-journal-y2038-safe.patch
media-dvb_ringbuffer-add-memory-barriers.patch
media-usbtv-prevent-access-to-free-d-resources.patch
megaraid_sas-do-not-fire-mr_dcmd_pd_list_query-to-controllers-which-do-not-support-it.patch
ovl-disallow-overlayfs-as-upperdir.patch
rc-nuvoton-fix-hang-if-chip-is-configured-for-alternative-efm-io-address.patch
regulator-s2mps11-fix-the-voltage-linear-range-for-s2mps15.patch
remoteproc-fix-potential-race-condition-in-rproc_add.patch
s5p-mfc-add-release-callback-for-memory-region-devs.patch
s5p-mfc-set-device-name-for-reserved-memory-region-devs.patch
spi-pxa2xx-clear-all-rft-bits-in-reset_sccr1-on-intel-quark.patch
sur40-fix-occasional-oopses-on-device-close.patch
sur40-lower-poll-interval-to-fix-occasional-fps-drops-to-56-fps.patch
vb2-core-skip-planes-array-verification-if-pb-is-null.patch
videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch
xfs-bufferhead-chains-are-invalid-after-end_page_writeback.patch

35 files changed:
queue-4.7/arc-dma-fix-address-translation-in-arc_dma_free.patch [new file with mode: 0644]
queue-4.7/arc-mm-don-t-loose-pte_special-in-pte_modify.patch [new file with mode: 0644]
queue-4.7/bcma-add-pci-id-for-foxconn-s-bcm43142-device.patch [new file with mode: 0644]
queue-4.7/bluetooth-add-support-of-13d3-3490-ar3012-device.patch [new file with mode: 0644]
queue-4.7/bluetooth-fix-l2cap_sock_setsockopt-with-optname-bt_rcvmtu.patch [new file with mode: 0644]
queue-4.7/brcmfmac-restore-stopping-netdev-queue-when-bus-clogs-up.patch [new file with mode: 0644]
queue-4.7/dm-fix-second-blk_delay_queue-parameter-to-be-in-msec-units-not-jiffies.patch [new file with mode: 0644]
queue-4.7/dm-set-dmf_suspended-_before_-clearing-dmf_noflush_suspending.patch [new file with mode: 0644]
queue-4.7/dm-verity-fec-fix-block-calculation.patch [new file with mode: 0644]
queue-4.7/edac-correct-channel-count-limit.patch [new file with mode: 0644]
queue-4.7/fix-rc5-decoding-with-fintek-cir-chipset.patch [new file with mode: 0644]
queue-4.7/hid-uhid-fix-timeout-when-probe-races-with-io.patch [new file with mode: 0644]
queue-4.7/hp-wmi-fix-wifi-cannot-be-hard-unblocked.patch [new file with mode: 0644]
queue-4.7/i2c-efm32-fix-a-failure-path-in-efm32_i2c_probe.patch [new file with mode: 0644]
queue-4.7/iwlwifi-add-new-8260-pci-ids.patch [new file with mode: 0644]
queue-4.7/iwlwifi-add-new-8265.patch [new file with mode: 0644]
queue-4.7/iwlwifi-pcie-enable-interrupts-before-releasing-the-nic-s-cpu.patch [new file with mode: 0644]
queue-4.7/iwlwifi-pcie-fix-a-race-in-firmware-loading-flow.patch [new file with mode: 0644]
queue-4.7/jbd2-make-journal-y2038-safe.patch [new file with mode: 0644]
queue-4.7/media-dvb_ringbuffer-add-memory-barriers.patch [new file with mode: 0644]
queue-4.7/media-usbtv-prevent-access-to-free-d-resources.patch [new file with mode: 0644]
queue-4.7/megaraid_sas-do-not-fire-mr_dcmd_pd_list_query-to-controllers-which-do-not-support-it.patch [new file with mode: 0644]
queue-4.7/ovl-disallow-overlayfs-as-upperdir.patch [new file with mode: 0644]
queue-4.7/rc-nuvoton-fix-hang-if-chip-is-configured-for-alternative-efm-io-address.patch [new file with mode: 0644]
queue-4.7/regulator-s2mps11-fix-the-voltage-linear-range-for-s2mps15.patch [new file with mode: 0644]
queue-4.7/remoteproc-fix-potential-race-condition-in-rproc_add.patch [new file with mode: 0644]
queue-4.7/s5p-mfc-add-release-callback-for-memory-region-devs.patch [new file with mode: 0644]
queue-4.7/s5p-mfc-set-device-name-for-reserved-memory-region-devs.patch [new file with mode: 0644]
queue-4.7/series
queue-4.7/spi-pxa2xx-clear-all-rft-bits-in-reset_sccr1-on-intel-quark.patch [new file with mode: 0644]
queue-4.7/sur40-fix-occasional-oopses-on-device-close.patch [new file with mode: 0644]
queue-4.7/sur40-lower-poll-interval-to-fix-occasional-fps-drops-to-56-fps.patch [new file with mode: 0644]
queue-4.7/vb2-core-skip-planes-array-verification-if-pb-is-null.patch [new file with mode: 0644]
queue-4.7/videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch [new file with mode: 0644]
queue-4.7/xfs-bufferhead-chains-are-invalid-after-end_page_writeback.patch [new file with mode: 0644]

diff --git a/queue-4.7/arc-dma-fix-address-translation-in-arc_dma_free.patch b/queue-4.7/arc-dma-fix-address-translation-in-arc_dma_free.patch
new file mode 100644 (file)
index 0000000..00daa1e
--- /dev/null
@@ -0,0 +1,38 @@
+From b4dff2874006e54b60ce4f4dbcfec9ab81c6aff4 Mon Sep 17 00:00:00 2001
+From: Vladimir Kondratiev <vladimir.kondratiev@intel.com>
+Date: Sun, 3 Jul 2016 10:07:48 +0300
+Subject: ARC: dma: fix address translation in arc_dma_free
+
+From: Vladimir Kondratiev <vladimir.kondratiev@intel.com>
+
+commit b4dff2874006e54b60ce4f4dbcfec9ab81c6aff4 upstream.
+
+page should be calculated using physical address.
+If platform uses non-trivial dma-to-phys memory translation,
+dma_handle should be converted to physicval address before
+calculation of page.
+
+Failing to do so results in struct page * pointing to
+wrong or non-existent memory.
+
+Fixes: f2e3d55397ff ("ARC: dma: reintroduce platform specific dma<->phys")
+Signed-off-by: Vladimir Kondratiev <vladimir.kondratiev@intel.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/mm/dma.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arc/mm/dma.c
++++ b/arch/arc/mm/dma.c
+@@ -92,7 +92,8 @@ static void *arc_dma_alloc(struct device
+ static void arc_dma_free(struct device *dev, size_t size, void *vaddr,
+               dma_addr_t dma_handle, struct dma_attrs *attrs)
+ {
+-      struct page *page = virt_to_page(dma_handle);
++      phys_addr_t paddr = plat_dma_to_phys(dev, dma_handle);
++      struct page *page = virt_to_page(paddr);
+       int is_non_coh = 1;
+       is_non_coh = dma_get_attr(DMA_ATTR_NON_CONSISTENT, attrs) ||
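Review bot: In arc_dma_free the translated physical address is handed to `virt_to_page(paddr)`, which by name expects a kernel virtual address; that is only correct if kernel virtual and physical addresses coincide for this memory on ARC, which the hunk does not show. A one-line comment would record the assumption, e.g. `/* virt_to_page() on a paddr: relies on kernel vaddr == paddr for this memory -- confirm */`, or the page could be derived from the physical frame number directly. A wrong struct page here is exactly the failure the commit message describes, so the assumption deserves to be explicit. The body of arc_dma_free continues past the end of the hunk.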
diff --git a/queue-4.7/arc-mm-don-t-loose-pte_special-in-pte_modify.patch b/queue-4.7/arc-mm-don-t-loose-pte_special-in-pte_modify.patch
new file mode 100644 (file)
index 0000000..adecbda
--- /dev/null
@@ -0,0 +1,47 @@
+From 3925a16ae980c79d1a8fd182d7f9487da1edd4dc Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Thu, 28 Jul 2016 11:35:50 -0700
+Subject: ARC: mm: don't loose PTE_SPECIAL in pte_modify()
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit 3925a16ae980c79d1a8fd182d7f9487da1edd4dc upstream.
+
+LTP madvise05 was generating mm splat
+
+| [ARCLinux]# /sd/ltp/testcases/bin/madvise05
+| BUG: Bad page map in process madvise05  pte:80e08211 pmd:9f7d4000
+| page:9fdcfc90 count:1 mapcount:-1 mapping:  (null) index:0x0 flags: 0x404(referenced|reserved)
+| page dumped because: bad pte
+| addr:200b8000 vm_flags:00000070 anon_vma:  (null) mapping:  (null) index:1005c
+| file:  (null) fault:  (null) mmap:  (null) readpage:  (null)
+| CPU: 2 PID: 6707 Comm: madvise05
+
+And for newer kernels, the system was rendered unusable afterwards.
+
+The problem was mprotect->pte_modify() clearing PTE_SPECIAL (which is
+set to identify the special zero page wired to the pte).
+When pte was finally unmapped, special casing for zero page was not
+done, and instead it was treated as a "normal" page, tripping on the
+map counts etc.
+
+This fixes ARC STAR 9001053308
+
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/include/asm/pgtable.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arc/include/asm/pgtable.h
++++ b/arch/arc/include/asm/pgtable.h
+@@ -110,7 +110,7 @@
+ #define ___DEF (_PAGE_PRESENT | _PAGE_CACHEABLE)
+ /* Set of bits not changed in pte_modify */
+-#define _PAGE_CHG_MASK        (PAGE_MASK | _PAGE_ACCESSED | _PAGE_DIRTY)
++#define _PAGE_CHG_MASK        (PAGE_MASK | _PAGE_ACCESSED | _PAGE_DIRTY | _PAGE_SPECIAL)
+ /* More Abbrevaited helpers */
+ #define PAGE_U_NONE     __pgprot(___DEF)
diff --git a/queue-4.7/bcma-add-pci-id-for-foxconn-s-bcm43142-device.patch b/queue-4.7/bcma-add-pci-id-for-foxconn-s-bcm43142-device.patch
new file mode 100644 (file)
index 0000000..a8c7efe
--- /dev/null
@@ -0,0 +1,43 @@
+From 1bea0512c3394965de28a152149b90afd686fae5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
+Date: Mon, 11 Jul 2016 23:01:36 +0200
+Subject: bcma: add PCI ID for Foxconn's BCM43142 device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <zajec5@gmail.com>
+
+commit 1bea0512c3394965de28a152149b90afd686fae5 upstream.
+
+After discovering there are 2 very different 14e4:4365 PCI devices we
+made ID tables less generic. Back then we believed there are only 2 such
+devices:
+1) 14e4:4365 1028:0016 with SoftMAC BCM43142 chipset
+2) 14e4:4365 14e4:4365 with FullMAC BCM4366 chipset
+
+>From the recent report it appears there is also 14e4:4365 105b:e092
+which should be claimed by bcma. Add back support for it.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=121881
+Fixes: 515b399c9a20 ("bcma: claim only 14e4:4365 PCI Dell card with SoftMAC BCM43142")
+Reported-by: Igor Mammedov <imammedo@redhat.com>
+Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
+Tested-by: Igor Mammedov <imammedo@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bcma/host_pci.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bcma/host_pci.c
++++ b/drivers/bcma/host_pci.c
+@@ -295,6 +295,7 @@ static const struct pci_device_id bcma_p
+       { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4359) },
+       { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4360) },
+       { PCI_DEVICE_SUB(PCI_VENDOR_ID_BROADCOM, 0x4365, PCI_VENDOR_ID_DELL, 0x0016) },
++      { PCI_DEVICE_SUB(PCI_VENDOR_ID_BROADCOM, 0x4365, PCI_VENDOR_ID_FOXCONN, 0xe092) },
+       { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x43a0) },
+       { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x43a9) },
+       { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x43aa) },
diff --git a/queue-4.7/bluetooth-add-support-of-13d3-3490-ar3012-device.patch b/queue-4.7/bluetooth-add-support-of-13d3-3490-ar3012-device.patch
new file mode 100644 (file)
index 0000000..f3c56b4
--- /dev/null
@@ -0,0 +1,55 @@
+From 12d868964f7352e8b18e755488f7265a93431de1 Mon Sep 17 00:00:00 2001
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+Date: Tue, 12 Jul 2016 01:35:18 +0300
+Subject: Bluetooth: Add support of 13d3:3490 AR3012 device
+
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+
+commit 12d868964f7352e8b18e755488f7265a93431de1 upstream.
+
+T: Bus=01 Lev=01 Prnt=01 Port=07 Cnt=05 Dev#= 5 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=13d3 ProdID=3490 Rev=00.01
+C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+BugLink: https://bugs.launchpad.net/bugs/1600623
+
+Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/ath3k.c |    2 ++
+ drivers/bluetooth/btusb.c |    1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -123,6 +123,7 @@ static const struct usb_device_id ath3k_
+       { USB_DEVICE(0x13d3, 0x3472) },
+       { USB_DEVICE(0x13d3, 0x3474) },
+       { USB_DEVICE(0x13d3, 0x3487) },
++      { USB_DEVICE(0x13d3, 0x3490) },
+       /* Atheros AR5BBU12 with sflash firmware */
+       { USB_DEVICE(0x0489, 0xE02C) },
+@@ -190,6 +191,7 @@ static const struct usb_device_id ath3k_
+       { USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
++      { USB_DEVICE(0x13d3, 0x3490), .driver_info = BTUSB_ATH3012 },
+       /* Atheros AR5BBU22 with sflash firmware */
+       { USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -237,6 +237,7 @@ static const struct usb_device_id blackl
+       { USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
++      { USB_DEVICE(0x13d3, 0x3490), .driver_info = BTUSB_ATH3012 },
+       /* Atheros AR5BBU12 with sflash firmware */
+       { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
diff --git a/queue-4.7/bluetooth-fix-l2cap_sock_setsockopt-with-optname-bt_rcvmtu.patch b/queue-4.7/bluetooth-fix-l2cap_sock_setsockopt-with-optname-bt_rcvmtu.patch
new file mode 100644 (file)
index 0000000..239ecfb
--- /dev/null
@@ -0,0 +1,36 @@
+From 23bc6ab0a0912146fd674a0becc758c3162baabc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?=
+ <amadeusz.slawinski@tieto.com>
+Date: Thu, 14 Jul 2016 10:50:23 +0200
+Subject: Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Amadeusz Sławiński <amadeusz.slawinski@tieto.com>
+
+commit 23bc6ab0a0912146fd674a0becc758c3162baabc upstream.
+
+When we retrieve imtu value from userspace we should use 16 bit pointer
+cast instead of 32 as it's defined that way in headers. Fixes setsockopt
+calls on big-endian platforms.
+
+Signed-off-by: Amadeusz Sławiński <amadeusz.slawinski@tieto.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/l2cap_sock.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -927,7 +927,7 @@ static int l2cap_sock_setsockopt(struct
+                       break;
+               }
+-              if (get_user(opt, (u32 __user *) optval)) {
++              if (get_user(opt, (u16 __user *) optval)) {
+                       err = -EFAULT;
+                       break;
+               }
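Review bot: The `get_user(opt, (u16 __user *) optval)` read in the BT_RCVMTU path is not preceded, in the visible lines, by a check that `optlen` covers a u16, so a caller passing a shorter option would have bytes past its buffer interpreted as the MTU. If no such check exists earlier in the case, add `if (optlen < sizeof(u16)) { err = -EINVAL; break; }` before the read. A short comment that the option is defined as 16 bits in the header would also help, since `opt` appears to be wider (the old cast was u32). The case and the function both start and end outside the hunk.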
diff --git a/queue-4.7/brcmfmac-restore-stopping-netdev-queue-when-bus-clogs-up.patch b/queue-4.7/brcmfmac-restore-stopping-netdev-queue-when-bus-clogs-up.patch
new file mode 100644 (file)
index 0000000..500cec5
--- /dev/null
@@ -0,0 +1,61 @@
+From 82bc9ab6a8f577d2174a736c33f3d4ecf7d9ef47 Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Fri, 15 Jul 2016 12:16:12 +0200
+Subject: brcmfmac: restore stopping netdev queue when bus clogs up
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+
+commit 82bc9ab6a8f577d2174a736c33f3d4ecf7d9ef47 upstream.
+
+When the host-interface bus has hard time handling transmit packets
+it informs higher layer about this and it would stop the netdev
+queue when needed. However, since commit 9cd18359d31e ("brcmfmac:
+Make FWS queueing configurable.") this was broken. With this patch
+the behaviour is restored.
+
+Fixes: 9cd18359d31e ("brcmfmac: Make FWS queueing configurable.")
+Tested-by: Per Förlin <per.forlin@gmail.com>
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c |   22 +++++++++---
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+@@ -2469,10 +2469,22 @@ void brcmf_fws_bustxfail(struct brcmf_fw
+ void brcmf_fws_bus_blocked(struct brcmf_pub *drvr, bool flow_blocked)
+ {
+       struct brcmf_fws_info *fws = drvr->fws;
++      struct brcmf_if *ifp;
++      int i;
+-      fws->bus_flow_blocked = flow_blocked;
+-      if (!flow_blocked)
+-              brcmf_fws_schedule_deq(fws);
+-      else
+-              fws->stats.bus_flow_block++;
++      if (fws->avoid_queueing) {
++              for (i = 0; i < BRCMF_MAX_IFS; i++) {
++                      ifp = drvr->iflist[i];
++                      if (!ifp || !ifp->ndev)
++                              continue;
++                      brcmf_txflowblock_if(ifp, BRCMF_NETIF_STOP_REASON_FLOW,
++                                           flow_blocked);
++              }
++      } else {
++              fws->bus_flow_blocked = flow_blocked;
++              if (!flow_blocked)
++                      brcmf_fws_schedule_deq(fws);
++              else
++                      fws->stats.bus_flow_block++;
++      }
+ }
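Review bot: In the new `fws->avoid_queueing` branch of brcmf_fws_bus_blocked neither `fws->bus_flow_blocked` nor `fws->stats.bus_flow_block` is updated, so in that mode the block counter never advances and any reader of `bus_flow_blocked` sees a stale value. If the counter is meant to cover both modes, move `if (flow_blocked) fws->stats.bus_flow_block++;` above the branch; otherwise a comment saying these fields are only meaningful when queueing is enabled would do. The loop also walks `drvr->iflist` with no lock visible in the function; whether the caller serialises this against interface removal cannot be told from the hunk.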
diff --git a/queue-4.7/dm-fix-second-blk_delay_queue-parameter-to-be-in-msec-units-not-jiffies.patch b/queue-4.7/dm-fix-second-blk_delay_queue-parameter-to-be-in-msec-units-not-jiffies.patch
new file mode 100644 (file)
index 0000000..76051d4
--- /dev/null
@@ -0,0 +1,34 @@
+From bd9f55ea1cf6e14eb054b06ea877d2d1fa339514 Mon Sep 17 00:00:00 2001
+From: Tahsin Erdogan <tahsin@google.com>
+Date: Fri, 15 Jul 2016 06:27:08 -0700
+Subject: dm: fix second blk_delay_queue() parameter to be in msec units not jiffies
+
+From: Tahsin Erdogan <tahsin@google.com>
+
+commit bd9f55ea1cf6e14eb054b06ea877d2d1fa339514 upstream.
+
+Commit d548b34b062 ("dm: reduce the queue delay used in dm_request_fn
+from 100ms to 10ms") always intended the value to be 10 msecs -- it
+just expressed it in jiffies because earlier commit 7eaceaccab ("block:
+remove per-queue plugging") did.
+
+Signed-off-by: Tahsin Erdogan <tahsin@google.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Fixes: d548b34b062 ("dm: reduce the queue delay used in dm_request_fn from 100ms to 10ms")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2175,7 +2175,7 @@ static void dm_request_fn(struct request
+                    md_in_flight(md) && rq->bio && rq->bio->bi_vcnt == 1 &&
+                    md->last_rq_pos == pos && md->last_rq_rw == rq_data_dir(rq)) ||
+                   (ti->type->busy && ti->type->busy(ti))) {
+-                      blk_delay_queue(q, HZ / 100);
++                      blk_delay_queue(q, 10);
+                       return;
+               }
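Review bot: The bare `10` passed to `blk_delay_queue()` in dm_request_fn carries its unit only in the commit message, which is how the jiffies/msecs mix-up being fixed arose in the first place. A trailing comment such as `blk_delay_queue(q, 10); /* msecs */` or a named constant would keep the unit next to the value. dm_request_fn starts and ends outside the hunk.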
diff --git a/queue-4.7/dm-set-dmf_suspended-_before_-clearing-dmf_noflush_suspending.patch b/queue-4.7/dm-set-dmf_suspended-_before_-clearing-dmf_noflush_suspending.patch
new file mode 100644 (file)
index 0000000..339e0c0
--- /dev/null
@@ -0,0 +1,72 @@
+From eaf9a7361f47727b166688a9f2096854eef60fbe Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Tue, 2 Aug 2016 13:07:20 -0400
+Subject: dm: set DMF_SUSPENDED* _before_ clearing DMF_NOFLUSH_SUSPENDING
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit eaf9a7361f47727b166688a9f2096854eef60fbe upstream.
+
+Otherwise, there is potential for both DMF_SUSPENDED* and
+DMF_NOFLUSH_SUSPENDING to not be set during dm_suspend() -- which is
+definitely _not_ a valid state.
+
+This fix, in conjuction with "dm rq: fix the starting and stopping of
+blk-mq queues", addresses the potential for request-based DM multipath's
+__multipath_map() to see !dm_noflush_suspending() during suspend.
+
+Reported-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm.c |   14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -3128,7 +3128,8 @@ static void unlock_fs(struct mapped_devi
+  * Caller must hold md->suspend_lock
+  */
+ static int __dm_suspend(struct mapped_device *md, struct dm_table *map,
+-                      unsigned suspend_flags, int interruptible)
++                      unsigned suspend_flags, int interruptible,
++                      int dmf_suspended_flag)
+ {
+       bool do_lockfs = suspend_flags & DM_SUSPEND_LOCKFS_FLAG;
+       bool noflush = suspend_flags & DM_SUSPEND_NOFLUSH_FLAG;
+@@ -3195,6 +3196,8 @@ static int __dm_suspend(struct mapped_de
+        * to finish.
+        */
+       r = dm_wait_for_completion(md, interruptible);
++      if (!r)
++              set_bit(dmf_suspended_flag, &md->flags);
+       if (noflush)
+               clear_bit(DMF_NOFLUSH_SUSPENDING, &md->flags);
+@@ -3256,12 +3259,10 @@ retry:
+       map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock));
+-      r = __dm_suspend(md, map, suspend_flags, TASK_INTERRUPTIBLE);
++      r = __dm_suspend(md, map, suspend_flags, TASK_INTERRUPTIBLE, DMF_SUSPENDED);
+       if (r)
+               goto out_unlock;
+-      set_bit(DMF_SUSPENDED, &md->flags);
+-
+       dm_table_postsuspend_targets(map);
+ out_unlock:
+@@ -3355,9 +3356,8 @@ static void __dm_internal_suspend(struct
+        * would require changing .presuspend to return an error -- avoid this
+        * until there is a need for more elaborate variants of internal suspend.
+        */
+-      (void) __dm_suspend(md, map, suspend_flags, TASK_UNINTERRUPTIBLE);
+-
+-      set_bit(DMF_SUSPENDED_INTERNALLY, &md->flags);
++      (void) __dm_suspend(md, map, suspend_flags, TASK_UNINTERRUPTIBLE,
++                          DMF_SUSPENDED_INTERNALLY);
+       dm_table_postsuspend_targets(map);
+ }
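Review bot: In __dm_internal_suspend the result of `__dm_suspend()` is still discarded with `(void)`, but DMF_SUSPENDED_INTERNALLY is now set only when `dm_wait_for_completion()` returned 0, where before it was set unconditionally. If __dm_suspend can fail or return early on that path (not visible here), the function carries on to `dm_table_postsuspend_targets(map)` with neither suspended flag set. Either check the result there or state in a comment why failure is impossible with TASK_UNINTERRUPTIBLE. The comment above __dm_suspend should also describe the new `dmf_suspended_flag` argument: which two flag values are expected, and that the flag is set on success before DMF_NOFLUSH_SUSPENDING is cleared.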
diff --git a/queue-4.7/dm-verity-fec-fix-block-calculation.patch b/queue-4.7/dm-verity-fec-fix-block-calculation.patch
new file mode 100644 (file)
index 0000000..d4ec705
--- /dev/null
@@ -0,0 +1,34 @@
+From 602d1657c603eedd7379a8bcde1ad3a2972ecc5f Mon Sep 17 00:00:00 2001
+From: Sami Tolvanen <samitolvanen@google.com>
+Date: Tue, 21 Jun 2016 11:02:42 -0700
+Subject: dm verity fec: fix block calculation
+
+From: Sami Tolvanen <samitolvanen@google.com>
+
+commit 602d1657c603eedd7379a8bcde1ad3a2972ecc5f upstream.
+
+do_div was replaced with div64_u64 at some point, causing a bug with
+block calculation due to incompatible semantics of the two functions.
+
+Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
+Fixes: a739ff3f543a ("dm verity: add support for forward error correction")
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-verity-fec.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/md/dm-verity-fec.c
++++ b/drivers/md/dm-verity-fec.c
+@@ -453,9 +453,7 @@ int verity_fec_decode(struct dm_verity *
+        */
+       offset = block << v->data_dev_block_bits;
+-
+-      res = offset;
+-      div64_u64(res, v->fec->rounds << v->data_dev_block_bits);
++      res = div64_u64(offset, v->fec->rounds << v->data_dev_block_bits);
+       /*
+        * The base RS block we can feed to the interleaver to find out all
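Review bot: The divisor `v->fec->rounds << v->data_dev_block_bits` in verity_fec_decode is computed before it reaches `div64_u64()`, and nothing in the hunk shows that it is non-zero or that `rounds` is a 64-bit type, so the shift could be evaluated in a narrower width than the division. Both values presumably derive from the target's table parameters, so it is worth confirming they are range-checked at construction time and saying so next to the division, e.g. `/* rounds and data_dev_block_bits are validated when the target is constructed -- confirm */`. verity_fec_decode starts and ends outside the hunk.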
diff --git a/queue-4.7/edac-correct-channel-count-limit.patch b/queue-4.7/edac-correct-channel-count-limit.patch
new file mode 100644 (file)
index 0000000..d811b45
--- /dev/null
@@ -0,0 +1,107 @@
+From bba142957e04c400440d2df83c1b3b2dfc42e220 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Fri, 10 Jun 2016 10:28:38 +0200
+Subject: EDAC: Correct channel count limit
+
+From: Borislav Petkov <bp@suse.de>
+
+commit bba142957e04c400440d2df83c1b3b2dfc42e220 upstream.
+
+c44696fff04f ("EDAC: Remove arbitrary limit on number of channels")
+lifted the arbitrary limit on memory controller channels in EDAC.
+However, the dynamic channel attributes dynamic_csrow_dimm_attr and
+dynamic_csrow_ce_count_attr remained 6.
+
+This wasn't a problem except channels 6 and 7 weren't visible in sysfs
+on machines with more than 6 channels after the conversion to static
+attr groups with
+
+  2c1946b6d629 ("EDAC: Use static attribute groups for managing sysfs entries")
+
+ [ without that, we're exploding in edac_create_sysfs_mci_device()
+   because we're dereferencing out of the bounds of the
+   dynamic_csrow_dimm_attr array. ]
+
+Add attributes for channels 6 and 7 along with a guard for the
+future, should more channels be required and/or to sanity check for
+misconfigured machines.
+
+We still need to check against the number of channels present on the MC
+first, as Thor reported.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reported-by: Hironobu Ishii <ishii.hironobu@jp.fujitsu.com>
+Tested-by: Thor Thayer <tthayer@opensource.altera.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/edac_mc_sysfs.c |   20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/edac/edac_mc_sysfs.c
++++ b/drivers/edac/edac_mc_sysfs.c
+@@ -313,7 +313,6 @@ static struct device_type csrow_attr_typ
+  * possible dynamic channel DIMM Label attribute files
+  *
+  */
+-
+ DEVICE_CHANNEL(ch0_dimm_label, S_IRUGO | S_IWUSR,
+       channel_dimm_label_show, channel_dimm_label_store, 0);
+ DEVICE_CHANNEL(ch1_dimm_label, S_IRUGO | S_IWUSR,
+@@ -326,6 +325,10 @@ DEVICE_CHANNEL(ch4_dimm_label, S_IRUGO |
+       channel_dimm_label_show, channel_dimm_label_store, 4);
+ DEVICE_CHANNEL(ch5_dimm_label, S_IRUGO | S_IWUSR,
+       channel_dimm_label_show, channel_dimm_label_store, 5);
++DEVICE_CHANNEL(ch6_dimm_label, S_IRUGO | S_IWUSR,
++      channel_dimm_label_show, channel_dimm_label_store, 6);
++DEVICE_CHANNEL(ch7_dimm_label, S_IRUGO | S_IWUSR,
++      channel_dimm_label_show, channel_dimm_label_store, 7);
+ /* Total possible dynamic DIMM Label attribute file table */
+ static struct attribute *dynamic_csrow_dimm_attr[] = {
+@@ -335,6 +338,8 @@ static struct attribute *dynamic_csrow_d
+       &dev_attr_legacy_ch3_dimm_label.attr.attr,
+       &dev_attr_legacy_ch4_dimm_label.attr.attr,
+       &dev_attr_legacy_ch5_dimm_label.attr.attr,
++      &dev_attr_legacy_ch6_dimm_label.attr.attr,
++      &dev_attr_legacy_ch7_dimm_label.attr.attr,
+       NULL
+ };
+@@ -351,6 +356,10 @@ DEVICE_CHANNEL(ch4_ce_count, S_IRUGO,
+                  channel_ce_count_show, NULL, 4);
+ DEVICE_CHANNEL(ch5_ce_count, S_IRUGO,
+                  channel_ce_count_show, NULL, 5);
++DEVICE_CHANNEL(ch6_ce_count, S_IRUGO,
++                 channel_ce_count_show, NULL, 6);
++DEVICE_CHANNEL(ch7_ce_count, S_IRUGO,
++                 channel_ce_count_show, NULL, 7);
+ /* Total possible dynamic ce_count attribute file table */
+ static struct attribute *dynamic_csrow_ce_count_attr[] = {
+@@ -360,6 +369,8 @@ static struct attribute *dynamic_csrow_c
+       &dev_attr_legacy_ch3_ce_count.attr.attr,
+       &dev_attr_legacy_ch4_ce_count.attr.attr,
+       &dev_attr_legacy_ch5_ce_count.attr.attr,
++      &dev_attr_legacy_ch6_ce_count.attr.attr,
++      &dev_attr_legacy_ch7_ce_count.attr.attr,
+       NULL
+ };
+@@ -371,9 +382,16 @@ static umode_t csrow_dev_is_visible(stru
+       if (idx >= csrow->nr_channels)
+               return 0;
++
++      if (idx >= ARRAY_SIZE(dynamic_csrow_ce_count_attr) - 1) {
++              WARN_ONCE(1, "idx: %d\n", idx);
++              return 0;
++      }
++
+       /* Only expose populated DIMMs */
+       if (!csrow->channels[idx]->dimm->nr_pages)
+               return 0;
++
+       return attr->mode;
+ }
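Review bot: The new bound in csrow_dev_is_visible is taken from `ARRAY_SIZE(dynamic_csrow_ce_count_attr)` only, while the commit message describes the out-of-bounds access on `dynamic_csrow_dimm_attr`; the guard covers both tables only as long as they stay the same length. A `BUILD_BUG_ON(ARRAY_SIZE(dynamic_csrow_dimm_attr) != ARRAY_SIZE(dynamic_csrow_ce_count_attr));` next to the check would turn that dependency into a build failure. The `WARN_ONCE(1, "idx: %d\n", idx)` text would also be easier to act on if it named the limit being exceeded. The start of csrow_dev_is_visible is outside the hunk, so the type of `idx` cannot be checked against `%d` from here.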
diff --git a/queue-4.7/fix-rc5-decoding-with-fintek-cir-chipset.patch b/queue-4.7/fix-rc5-decoding-with-fintek-cir-chipset.patch
new file mode 100644 (file)
index 0000000..bbc08b6
--- /dev/null
@@ -0,0 +1,45 @@
+From bbdb34c90aeb8b2253eae88029788ebe1d7f2fd4 Mon Sep 17 00:00:00 2001
+From: Jonathan McDowell <noodles@earth.li>
+Date: Sat, 14 May 2016 14:01:26 -0300
+Subject: [media] Fix RC5 decoding with Fintek CIR chipset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan McDowell <noodles@earth.li>
+
+commit bbdb34c90aeb8b2253eae88029788ebe1d7f2fd4 upstream.
+
+Fix RC5 decoding with Fintek CIR chipset
+
+Commit e87b540be2dd02552fb9244d50ae8b4e4619a34b tightened up the RC5
+decoding by adding a check for trailing silence to ensure a valid RC5
+command had been received. Unfortunately the trailer length checked was
+10 units and the Fintek CIR device does not want to provide details of a
+space longer than 6350us. This meant that RC5 remotes working on a
+Fintek setup on 3.16 failed on 3.17 and later. Fix this by shortening
+the trailer check to 6 units (allowing for a previous space in the
+received remote command).
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=117221
+
+Signed-off-by: Jonathan McDowell <noodles@earth.li>
+Signed-off-by: David Härdeman <david@hardeman.nu>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/ir-rc5-decoder.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/rc/ir-rc5-decoder.c
++++ b/drivers/media/rc/ir-rc5-decoder.c
+@@ -29,7 +29,7 @@
+ #define RC5_BIT_START         (1 * RC5_UNIT)
+ #define RC5_BIT_END           (1 * RC5_UNIT)
+ #define RC5X_SPACE            (4 * RC5_UNIT)
+-#define RC5_TRAILER           (10 * RC5_UNIT) /* In reality, approx 100 */
++#define RC5_TRAILER           (6 * RC5_UNIT) /* In reality, approx 100 */
+ enum rc5_state {
+       STATE_INACTIVE,
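Review bot: The retained comment `/* In reality, approx 100 */` on RC5_TRAILER no longer explains the chosen value; the reason for 6 units lives only in the commit message. Suggest `/* In reality approx 100; 6 because some receivers (Fintek CIR) do not report spaces longer than 6350us */`. According to the commit message the trailer check exists to ensure that a valid RC5 command was received, so a loosened bound is worth documenting where the constant is defined.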
diff --git a/queue-4.7/hid-uhid-fix-timeout-when-probe-races-with-io.patch b/queue-4.7/hid-uhid-fix-timeout-when-probe-races-with-io.patch
new file mode 100644 (file)
index 0000000..880bd1c
--- /dev/null
@@ -0,0 +1,116 @@
+From 67f8ecc550b5bda03335f845dc869b8501d25fd0 Mon Sep 17 00:00:00 2001
+From: Roderick Colenbrander <roderick.colenbrander@sony.com>
+Date: Wed, 18 May 2016 13:11:09 -0700
+Subject: HID: uhid: fix timeout when probe races with IO
+
+From: Roderick Colenbrander <roderick.colenbrander@sony.com>
+
+commit 67f8ecc550b5bda03335f845dc869b8501d25fd0 upstream.
+
+Many devices use userspace bluetooth stacks like BlueZ or Bluedroid in combination
+with uhid. If any of these stacks is used with a HID device for which the driver
+performs a HID request as part .probe (or technically another HID operation),
+this results in a deadlock situation. The deadlock results in a 5 second timeout
+for I/O operations in HID drivers, so isn't fatal, but none of the I/O operations
+have a chance of succeeding.
+
+The root cause for the problem is that uhid only allows for one request to be
+processed at a time per uhid instance and locks out other operations. This means
+that if a user space is creating a new HID device through 'UHID_CREATE', which
+ultimately triggers '.probe' through the HID layer. Then any HID request e.g. a
+read for calibration data would trigger a HID operation on uhid again, but it
+won't go out to userspace, because it is still stuck in UHID_CREATE.
+In addition bluetooth stacks are typically single threaded, so they wouldn't be
+able to handle any requests while waiting on uhid.
+
+Lucikly the UHID spec is somewhat flexible and allows for fixing the issue,
+without breaking user space. The idea which the patch implements as discussed
+with David Herrmann is to decouple adding of a hid device (which triggers .probe)
+from UHID_CREATE. The work will kick off roughly once UHID_CREATE completed (or
+else will wait a tiny bit of time in .probe for a lock). A HID driver has to call
+HID to call 'hid_hw_start()' as part of .probe once it is ready for I/O, which
+triggers UHID_START to user space. Any HID operations should function now within
+.probe and won't deadlock because userspace is stuck on UHID_CREATE.
+
+We verified this patch on Bluedroid with Android 6.0 and on desktop Linux with
+BlueZ stacks. Prior to the patch they had the deadlock issue.
+
+[jkosina@suse.cz: reword subject]
+Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/uhid.c |   33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+--- a/drivers/hid/uhid.c
++++ b/drivers/hid/uhid.c
+@@ -51,10 +51,26 @@ struct uhid_device {
+       u32 report_id;
+       u32 report_type;
+       struct uhid_event report_buf;
++      struct work_struct worker;
+ };
+ static struct miscdevice uhid_misc;
++static void uhid_device_add_worker(struct work_struct *work)
++{
++      struct uhid_device *uhid = container_of(work, struct uhid_device, worker);
++      int ret;
++
++      ret = hid_add_device(uhid->hid);
++      if (ret) {
++              hid_err(uhid->hid, "Cannot register HID device: error %d\n", ret);
++
++              hid_destroy_device(uhid->hid);
++              uhid->hid = NULL;
++              uhid->running = false;
++      }
++}
++
+ static void uhid_queue(struct uhid_device *uhid, struct uhid_event *ev)
+ {
+       __u8 newhead;
+@@ -498,18 +514,14 @@ static int uhid_dev_create2(struct uhid_
+       uhid->hid = hid;
+       uhid->running = true;
+-      ret = hid_add_device(hid);
+-      if (ret) {
+-              hid_err(hid, "Cannot register HID device\n");
+-              goto err_hid;
+-      }
++      /* Adding of a HID device is done through a worker, to allow HID drivers
++       * which use feature requests during .probe to work, without they would
++       * be blocked on devlock, which is held by uhid_char_write.
++       */
++      schedule_work(&uhid->worker);
+       return 0;
+-err_hid:
+-      hid_destroy_device(hid);
+-      uhid->hid = NULL;
+-      uhid->running = false;
+ err_free:
+       kfree(uhid->rd_data);
+       uhid->rd_data = NULL;
+@@ -550,6 +562,8 @@ static int uhid_dev_destroy(struct uhid_
+       uhid->running = false;
+       wake_up_interruptible(&uhid->report_wait);
++      cancel_work_sync(&uhid->worker);
++
+       hid_destroy_device(uhid->hid);
+       kfree(uhid->rd_data);
+@@ -612,6 +626,7 @@ static int uhid_char_open(struct inode *
+       init_waitqueue_head(&uhid->waitq);
+       init_waitqueue_head(&uhid->report_wait);
+       uhid->running = false;
++      INIT_WORK(&uhid->worker, uhid_device_add_worker);
+       file->private_data = uhid;
+       nonseekable_open(inode, file);
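Review bot: The failure branch of `uhid_device_add_worker()` calls `hid_destroy_device(uhid->hid)` and clears `uhid->hid` and `uhid->running` without taking `devlock`, the lock the new comment in `uhid_dev_create2()` says `uhid_char_write` holds. Since `uhid->running` is already true when the work is scheduled, a write handler may still be using `uhid->hid` while the worker frees it. `uhid_dev_destroy()` also calls `hid_destroy_device(uhid->hid)` after `cancel_work_sync()`, so it can act on a pointer the worker has just destroyed and set to NULL; the handler bodies are outside these hunks, so this should be confirmed against them. A safer shape is for the worker only to log and record the failure, i.e. keep `hid_err(...)` and `uhid->running = false;` and drop the destroy, leaving the single `hid_destroy_device()` to `uhid_dev_destroy()` under `devlock`, adjusted so it still tears the device down in that state.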
diff --git a/queue-4.7/hp-wmi-fix-wifi-cannot-be-hard-unblocked.patch b/queue-4.7/hp-wmi-fix-wifi-cannot-be-hard-unblocked.patch
new file mode 100644 (file)
index 0000000..83a732f
--- /dev/null
@@ -0,0 +1,47 @@
+From fc8a601e1175ae351f662506030f9939cb7fdbfe Mon Sep 17 00:00:00 2001
+From: Alex Hung <alex.hung@canonical.com>
+Date: Mon, 13 Jun 2016 19:44:00 +0800
+Subject: hp-wmi: Fix wifi cannot be hard-unblocked
+
+From: Alex Hung <alex.hung@canonical.com>
+
+commit fc8a601e1175ae351f662506030f9939cb7fdbfe upstream.
+
+Several users reported wifi cannot be unblocked as discussed in [1].
+This patch removes the use of the 2009 flag by BIOS but uses the actual
+WMI function calls - it will be skipped if WMI reports unsupported.
+
+[1] https://bugzilla.kernel.org/show_bug.cgi?id=69131
+
+Signed-off-by: Alex Hung <alex.hung@canonical.com>
+Tested-by: Evgenii Shatokhin <eugene.shatokhin@yandex.ru>
+Signed-off-by: Darren Hart <dvhart@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/hp-wmi.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/hp-wmi.c
++++ b/drivers/platform/x86/hp-wmi.c
+@@ -718,6 +718,11 @@ static int __init hp_wmi_rfkill_setup(st
+       if (err)
+               return err;
++      err = hp_wmi_perform_query(HPWMI_WIRELESS_QUERY, 1, &wireless,
++                                 sizeof(wireless), 0);
++      if (err)
++              return err;
++
+       if (wireless & 0x1) {
+               wifi_rfkill = rfkill_alloc("hp-wifi", &device->dev,
+                                          RFKILL_TYPE_WLAN,
+@@ -882,7 +887,7 @@ static int __init hp_wmi_bios_setup(stru
+       wwan_rfkill = NULL;
+       rfkill2_count = 0;
+-      if (hp_wmi_bios_2009_later() || hp_wmi_rfkill_setup(device))
++      if (hp_wmi_rfkill_setup(device))
+               hp_wmi_rfkill2_setup(device);
+       err = device_create_file(&device->dev, &dev_attr_display);
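Review bot: The added `hp_wmi_perform_query(HPWMI_WIRELESS_QUERY, 1, &wireless, sizeof(wireless), 0)` call in `hp_wmi_rfkill_setup()` has no comment saying it is a probe that is expected to fail on some firmware. With the `hp_wmi_bios_2009_later()` test removed, its non-zero return is what now selects `hp_wmi_rfkill2_setup()` in `hp_wmi_bios_setup()`, so the two hunks depend on each other in a way the code does not state. I would add above the call `/* Write the state back; firmware that rejects this is handled by hp_wmi_rfkill2_setup() */`, assuming `wireless` holds the value queried just above the hunk. Both function bodies continue outside the hunks.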
diff --git a/queue-4.7/i2c-efm32-fix-a-failure-path-in-efm32_i2c_probe.patch b/queue-4.7/i2c-efm32-fix-a-failure-path-in-efm32_i2c_probe.patch
new file mode 100644 (file)
index 0000000..89aff98
--- /dev/null
@@ -0,0 +1,38 @@
+From 7dd91d52a813f99a95d20f539b777e9e6198b931 Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Sat, 16 Jul 2016 02:36:38 +0300
+Subject: i2c: efm32: fix a failure path in efm32_i2c_probe()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+commit 7dd91d52a813f99a95d20f539b777e9e6198b931 upstream.
+
+There is the only failure path in efm32_i2c_probe(),
+where clk_disable_unprepare() is missed.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Fixes: 1b5b23718b84 ("i2c: efm32: new bus driver")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-efm32.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-efm32.c
++++ b/drivers/i2c/busses/i2c-efm32.c
+@@ -433,7 +433,7 @@ static int efm32_i2c_probe(struct platfo
+       ret = request_irq(ddata->irq, efm32_i2c_irq, 0, DRIVER_NAME, ddata);
+       if (ret < 0) {
+               dev_err(&pdev->dev, "failed to request irq (%d)\n", ret);
+-              return ret;
++              goto err_disable_clk;
+       }
+       ret = i2c_add_adapter(&ddata->adapter);
diff --git a/queue-4.7/iwlwifi-add-new-8260-pci-ids.patch b/queue-4.7/iwlwifi-add-new-8260-pci-ids.patch
new file mode 100644 (file)
index 0000000..8ebb56a
--- /dev/null
@@ -0,0 +1,42 @@
+From 4b79deece5d45396422d469afa11f9d69ccb3d8b Mon Sep 17 00:00:00 2001
+From: Oren Givon <oren.givon@intel.com>
+Date: Mon, 23 May 2016 09:58:17 +0300
+Subject: iwlwifi: add new 8260 PCI IDs
+
+From: Oren Givon <oren.givon@intel.com>
+
+commit 4b79deece5d45396422d469afa11f9d69ccb3d8b upstream.
+
+Add 3 new 8260 series PCI IDs:
+  - (0x24F3, 0x10B0)
+  - (0x24F3, 0xD0B0)
+  - (0x24F3, 0xB0B0)
+
+Signed-off-by: Oren Givon <oren.givon@intel.com>
+Signed-off-by: David Spinadel <david.spinadel@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -433,6 +433,7 @@ static const struct pci_device_id iwl_hw
+ /* 8000 Series */
+       {IWL_PCI_DEVICE(0x24F3, 0x0010, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x1010, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0x10B0, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x0130, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x1130, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x0132, iwl8260_2ac_cfg)},
+@@ -454,6 +455,8 @@ static const struct pci_device_id iwl_hw
+       {IWL_PCI_DEVICE(0x24F3, 0xD010, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0xC050, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0xD050, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0xD0B0, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0xB0B0, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x8010, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x8110, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x9010, iwl8260_2ac_cfg)},
diff --git a/queue-4.7/iwlwifi-add-new-8265.patch b/queue-4.7/iwlwifi-add-new-8265.patch
new file mode 100644 (file)
index 0000000..d9a642d
--- /dev/null
@@ -0,0 +1,48 @@
+From f24bbae565d279cd90c904fe55b539a45631705e Mon Sep 17 00:00:00 2001
+From: Oren Givon <oren.givon@intel.com>
+Date: Mon, 23 May 2016 09:58:17 +0300
+Subject: iwlwifi: add new 8265
+
+From: Oren Givon <oren.givon@intel.com>
+
+commit f24bbae565d279cd90c904fe55b539a45631705e upstream.
+
+Add 6 new 8265 series PCI IDs:
+  - (0x24FD, 0x1130)
+  - (0x24FD, 0x0130)
+  - (0x24FD, 0x0910)
+  - (0x24FD, 0x0930)
+  - (0x24FD, 0x0950)
+  - (0x24FD, 0x0850)
+
+Signed-off-by: Oren Givon <oren.givon@intel.com>
+Signed-off-by: David Spinadel <david.spinadel@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -484,6 +484,8 @@ static const struct pci_device_id iwl_hw
+       {IWL_PCI_DEVICE(0x24FD, 0x0010, iwl8265_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24FD, 0x0110, iwl8265_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24FD, 0x1110, iwl8265_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24FD, 0x1130, iwl8265_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24FD, 0x0130, iwl8265_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24FD, 0x1010, iwl8265_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24FD, 0x0050, iwl8265_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24FD, 0x0150, iwl8265_2ac_cfg)},
+@@ -494,6 +496,10 @@ static const struct pci_device_id iwl_hw
+       {IWL_PCI_DEVICE(0x24FD, 0x0810, iwl8265_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24FD, 0x9110, iwl8265_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24FD, 0x8130, iwl8265_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24FD, 0x0910, iwl8265_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24FD, 0x0930, iwl8265_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24FD, 0x0950, iwl8265_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24FD, 0x0850, iwl8265_2ac_cfg)},
+ /* 9000 Series */
+       {IWL_PCI_DEVICE(0x2526, 0x0000, iwl9260_2ac_cfg)},
diff --git a/queue-4.7/iwlwifi-pcie-enable-interrupts-before-releasing-the-nic-s-cpu.patch b/queue-4.7/iwlwifi-pcie-enable-interrupts-before-releasing-the-nic-s-cpu.patch
new file mode 100644 (file)
index 0000000..3d95938
--- /dev/null
@@ -0,0 +1,58 @@
+From 2aabdbdc17b7c53490337bfc58de3409c84d85d2 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Wed, 8 Jun 2016 23:07:31 +0300
+Subject: iwlwifi: pcie: enable interrupts before releasing the NIC's CPU
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 2aabdbdc17b7c53490337bfc58de3409c84d85d2 upstream.
+
+The NIC's CPU gets started after the firmware has been
+written to its memory. The first thing it does is to
+send an interrupt to let the driver know that it is
+running. In order to get that interrupt, the driver needs
+to make sure it is not masked. Of course, the interrupt
+needs to be enabled in the driver before the CPU starts to
+run.
+I mistakenly inversed those two steps leading to races
+which prevented the driver from getting the alive interrupt
+from the firmware.
+Fix that.
+
+Fixes: a6bd005fe92 ("iwlwifi: pcie: fix RF-Kill vs. firmware load race")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -801,6 +801,8 @@ static int iwl_pcie_load_cpu_sections_80
+       *first_ucode_section = last_read_idx;
++      iwl_enable_interrupts(trans);
++
+       if (cpu == 1)
+               iwl_write_direct32(trans, FH_UCODE_LOAD_STATUS, 0xFFFF);
+       else
+@@ -980,6 +982,8 @@ static int iwl_pcie_load_given_ucode(str
+               iwl_pcie_apply_destination(trans);
+       }
++      iwl_enable_interrupts(trans);
++
+       /* release CPU reset */
+       iwl_write32(trans, CSR_RESET, 0);
+@@ -1215,7 +1219,6 @@ static int iwl_trans_pcie_start_fw(struc
+               ret = iwl_pcie_load_given_ucode_8000(trans, fw);
+       else
+               ret = iwl_pcie_load_given_ucode(trans, fw);
+-      iwl_enable_interrupts(trans);
+       /* re-check RF-Kill state since we may have missed the interrupt */
+       hw_rfkill = iwl_is_rfkill_set(trans);
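Review bot: Neither added `iwl_enable_interrupts(trans);` call has a comment recording why it must come before the CPU release, and that ordering is the whole fix. In `iwl_pcie_load_given_ucode()` the existing `/* release CPU reset */` comment follows directly, but in `iwl_pcie_load_cpu_sections_8000()` nothing ties the call to the `FH_UCODE_LOAD_STATUS` write below it. I would add `/* must be enabled before the CPU is released, or the ALIVE interrupt is masked */` above both calls. With the call removed from `iwl_trans_pcie_start_fw()`, any early error return inside the two loaders (their bodies are outside these hunks) now leaves the interrupt mask as it was, which is worth checking against the RF-Kill re-check that follows.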
diff --git a/queue-4.7/iwlwifi-pcie-fix-a-race-in-firmware-loading-flow.patch b/queue-4.7/iwlwifi-pcie-fix-a-race-in-firmware-loading-flow.patch
new file mode 100644 (file)
index 0000000..622b94e
--- /dev/null
@@ -0,0 +1,190 @@
+From f16c3ebfa64fdf0e2dc88e6baa72da95ab70ffd7 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Mon, 13 Jun 2016 08:28:26 +0300
+Subject: iwlwifi: pcie: fix a race in firmware loading flow
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit f16c3ebfa64fdf0e2dc88e6baa72da95ab70ffd7 upstream.
+
+Upon firmware load interrupt (FH_TX), the ISR re-enables the
+firmware load interrupt only to avoid races with other
+flows as described in the commit below. When the firmware
+is completely loaded, the thread that is loading the
+firmware will enable all the interrupts to make sure that
+the driver gets the ALIVE interrupt.
+The problem with that is that the thread that is loading
+the firmware is actually racing against the ISR and we can
+get to the following situation:
+
+CPU0                                   CPU1
+iwl_pcie_load_given_ucode
+       ...
+       iwl_pcie_load_firmware_chunk
+               wait_for_interrupt
+                                       <interrupt>
+                                       ISR handles CSR_INT_BIT_FH_TX
+                                       ISR wakes up the thread on CPU0
+       /* enable all the interrupts
+        * to get the ALIVE interrupt
+        */
+       iwl_enable_interrupts
+                                       ISR re-enables CSR_INT_BIT_FH_TX only
+       /* start the firmware */
+       iwl_write32(trans, CSR_RESET, 0);
+
+BUG! ALIVE interrupt will never arrive since it has been
+masked by CPU1.
+
+In order to fix that, change the ISR to first check if
+STATUS_INT_ENABLED is set. If so, re-enable all the
+interrupts. If STATUS_INT_ENABLED is clear, then we can
+check what specific interrupt happened and re-enable only
+that specific interrupt (RFKILL or FH_TX).
+
+All the credit for the analysis goes to Kirtika who did the
+actual debugging work.
+
+Fixes: a6bd005fe92 ("iwlwifi: pcie: fix RF-Kill vs. firmware load race")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/internal.h |   21 +++++++++++++++++++--
+ drivers/net/wireless/intel/iwlwifi/pcie/rx.c       |   16 +++++++++-------
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c    |    8 --------
+ 3 files changed, 28 insertions(+), 17 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/internal.h
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/internal.h
+@@ -496,7 +496,7 @@ void iwl_pcie_dump_csr(struct iwl_trans
+ /*****************************************************
+ * Helpers
+ ******************************************************/
+-static inline void iwl_disable_interrupts(struct iwl_trans *trans)
++static inline void _iwl_disable_interrupts(struct iwl_trans *trans)
+ {
+       struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+@@ -519,7 +519,16 @@ static inline void iwl_disable_interrupt
+       IWL_DEBUG_ISR(trans, "Disabled interrupts\n");
+ }
+-static inline void iwl_enable_interrupts(struct iwl_trans *trans)
++static inline void iwl_disable_interrupts(struct iwl_trans *trans)
++{
++      struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
++
++      spin_lock(&trans_pcie->irq_lock);
++      _iwl_disable_interrupts(trans);
++      spin_unlock(&trans_pcie->irq_lock);
++}
++
++static inline void _iwl_enable_interrupts(struct iwl_trans *trans)
+ {
+       struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+@@ -542,6 +551,14 @@ static inline void iwl_enable_interrupts
+       }
+ }
++static inline void iwl_enable_interrupts(struct iwl_trans *trans)
++{
++      struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
++
++      spin_lock(&trans_pcie->irq_lock);
++      _iwl_enable_interrupts(trans);
++      spin_unlock(&trans_pcie->irq_lock);
++}
+ static inline void iwl_enable_hw_int_msk_msix(struct iwl_trans *trans, u32 msk)
+ {
+       struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
+@@ -1507,7 +1507,7 @@ irqreturn_t iwl_pcie_irq_handler(int irq
+                * have anything to service
+                */
+               if (test_bit(STATUS_INT_ENABLED, &trans->status))
+-                      iwl_enable_interrupts(trans);
++                      _iwl_enable_interrupts(trans);
+               spin_unlock(&trans_pcie->irq_lock);
+               lock_map_release(&trans->sync_cmd_lockdep_map);
+               return IRQ_NONE;
+@@ -1699,15 +1699,17 @@ irqreturn_t iwl_pcie_irq_handler(int irq
+                        inta & ~trans_pcie->inta_mask);
+       }
++      spin_lock(&trans_pcie->irq_lock);
++      /* only Re-enable all interrupt if disabled by irq */
++      if (test_bit(STATUS_INT_ENABLED, &trans->status))
++              _iwl_enable_interrupts(trans);
+       /* we are loading the firmware, enable FH_TX interrupt only */
+-      if (handled & CSR_INT_BIT_FH_TX)
++      else if (handled & CSR_INT_BIT_FH_TX)
+               iwl_enable_fw_load_int(trans);
+-      /* only Re-enable all interrupt if disabled by irq */
+-      else if (test_bit(STATUS_INT_ENABLED, &trans->status))
+-              iwl_enable_interrupts(trans);
+       /* Re-enable RF_KILL if it occurred */
+       else if (handled & CSR_INT_BIT_RF_KILL)
+               iwl_enable_rfkill_int(trans);
++      spin_unlock(&trans_pcie->irq_lock);
+ out:
+       lock_map_release(&trans->sync_cmd_lockdep_map);
+@@ -1771,7 +1773,7 @@ void iwl_pcie_reset_ict(struct iwl_trans
+               return;
+       spin_lock(&trans_pcie->irq_lock);
+-      iwl_disable_interrupts(trans);
++      _iwl_disable_interrupts(trans);
+       memset(trans_pcie->ict_tbl, 0, ICT_SIZE);
+@@ -1787,7 +1789,7 @@ void iwl_pcie_reset_ict(struct iwl_trans
+       trans_pcie->use_ict = true;
+       trans_pcie->ict_index = 0;
+       iwl_write32(trans, CSR_INT, trans_pcie->inta_mask);
+-      iwl_enable_interrupts(trans);
++      _iwl_enable_interrupts(trans);
+       spin_unlock(&trans_pcie->irq_lock);
+ }
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -1037,9 +1037,7 @@ static void _iwl_trans_pcie_stop_device(
+       was_hw_rfkill = iwl_is_rfkill_set(trans);
+       /* tell the device to stop sending interrupts */
+-      spin_lock(&trans_pcie->irq_lock);
+       iwl_disable_interrupts(trans);
+-      spin_unlock(&trans_pcie->irq_lock);
+       /* device going down, Stop using ICT table */
+       iwl_pcie_disable_ict(trans);
+@@ -1083,9 +1081,7 @@ static void _iwl_trans_pcie_stop_device(
+        * the time, unless the interrupt is ACKed even if the interrupt
+        * should be masked. Re-ACK all the interrupts here.
+        */
+-      spin_lock(&trans_pcie->irq_lock);
+       iwl_disable_interrupts(trans);
+-      spin_unlock(&trans_pcie->irq_lock);
+       /* clear all status bits */
+       clear_bit(STATUS_SYNC_HCMD_ACTIVE, &trans->status);
+@@ -1570,15 +1566,11 @@ static void iwl_trans_pcie_op_mode_leave
+       mutex_lock(&trans_pcie->mutex);
+       /* disable interrupts - don't enable HW RF kill interrupt */
+-      spin_lock(&trans_pcie->irq_lock);
+       iwl_disable_interrupts(trans);
+-      spin_unlock(&trans_pcie->irq_lock);
+       iwl_pcie_apm_stop(trans, true);
+-      spin_lock(&trans_pcie->irq_lock);
+       iwl_disable_interrupts(trans);
+-      spin_unlock(&trans_pcie->irq_lock);
+       iwl_pcie_disable_ict(trans);
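Review bot: The new `_iwl_enable_interrupts()` and `_iwl_disable_interrupts()` helpers in `internal.h` rely on the caller holding `irq_lock`, but nothing states or checks that, while the un-prefixed wrappers now take the lock themselves. A caller that already holds `irq_lock` and still uses the wrapper would self-deadlock, and one that calls an underscore variant without the lock reintroduces the race; only the call sites in these hunks can be checked here. Adding `lockdep_assert_held(&trans_pcie->irq_lock);` at the top of both underscore helpers, plus a one-line comment on each wrapper, would make the contract enforceable. The wrappers use plain `spin_lock()`, so they are only safe if `irq_lock` is never taken from hard-IRQ context, which the visible lines suggest but do not prove.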
diff --git a/queue-4.7/jbd2-make-journal-y2038-safe.patch b/queue-4.7/jbd2-make-journal-y2038-safe.patch
new file mode 100644 (file)
index 0000000..81afd63
--- /dev/null
@@ -0,0 +1,37 @@
+From abcfb5d979892fc8b12574551fc907c05fe1b11b Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 30 Jun 2016 11:49:01 -0400
+Subject: jbd2: make journal y2038 safe
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit abcfb5d979892fc8b12574551fc907c05fe1b11b upstream.
+
+The jbd2 journal stores the commit time in 64-bit seconds and 32-bit
+nanoseconds, which avoids an overflow in 2038, but it gets the numbers
+from current_kernel_time(), which uses 'long' seconds on 32-bit
+architectures.
+
+This simply changes the code to call current_kernel_time64() so
+we use 64-bit seconds consistently.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/commit.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -124,7 +124,7 @@ static int journal_submit_commit_record(
+       struct commit_header *tmp;
+       struct buffer_head *bh;
+       int ret;
+-      struct timespec now = current_kernel_time();
++      struct timespec64 now = current_kernel_time64();
+       *cbh = NULL;
diff --git a/queue-4.7/media-dvb_ringbuffer-add-memory-barriers.patch b/queue-4.7/media-dvb_ringbuffer-add-memory-barriers.patch
new file mode 100644 (file)
index 0000000..3207f4f
--- /dev/null
@@ -0,0 +1,176 @@
+From ca6e6126db5494f18c6c6615060d4d803b528bff Mon Sep 17 00:00:00 2001
+From: Soeren Moch <smoch@web.de>
+Date: Wed, 11 May 2016 13:49:11 -0300
+Subject: [media] media: dvb_ringbuffer: Add memory barriers
+
+From: Soeren Moch <smoch@web.de>
+
+commit ca6e6126db5494f18c6c6615060d4d803b528bff upstream.
+
+Implement memory barriers according to Documentation/circular-buffers.txt:
+- use smp_store_release() to update ringbuffer read/write pointers
+- use smp_load_acquire() to load write pointer on reader side
+- use ACCESS_ONCE() to load read pointer on writer side
+
+This fixes data stream corruptions observed e.g. on an ARM Cortex-A9
+quad core system with different types (PCI, USB) of DVB tuners.
+
+Signed-off-by: Soeren Moch <smoch@web.de>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/dvb-core/dvb_ringbuffer.c |   74 ++++++++++++++++++++++++++------
+ 1 file changed, 61 insertions(+), 13 deletions(-)
+
+--- a/drivers/media/dvb-core/dvb_ringbuffer.c
++++ b/drivers/media/dvb-core/dvb_ringbuffer.c
+@@ -55,7 +55,13 @@ void dvb_ringbuffer_init(struct dvb_ring
+ int dvb_ringbuffer_empty(struct dvb_ringbuffer *rbuf)
+ {
+-      return (rbuf->pread==rbuf->pwrite);
++      /* smp_load_acquire() to load write pointer on reader side
++       * this pairs with smp_store_release() in dvb_ringbuffer_write(),
++       * dvb_ringbuffer_write_user(), or dvb_ringbuffer_reset()
++       *
++       * for memory barriers also see Documentation/circular-buffers.txt
++       */
++      return (rbuf->pread == smp_load_acquire(&rbuf->pwrite));
+ }
+@@ -64,7 +70,12 @@ ssize_t dvb_ringbuffer_free(struct dvb_r
+ {
+       ssize_t free;
+-      free = rbuf->pread - rbuf->pwrite;
++      /* ACCESS_ONCE() to load read pointer on writer side
++       * this pairs with smp_store_release() in dvb_ringbuffer_read(),
++       * dvb_ringbuffer_read_user(), dvb_ringbuffer_flush(),
++       * or dvb_ringbuffer_reset()
++       */
++      free = ACCESS_ONCE(rbuf->pread) - rbuf->pwrite;
+       if (free <= 0)
+               free += rbuf->size;
+       return free-1;
+@@ -76,7 +87,11 @@ ssize_t dvb_ringbuffer_avail(struct dvb_
+ {
+       ssize_t avail;
+-      avail = rbuf->pwrite - rbuf->pread;
++      /* smp_load_acquire() to load write pointer on reader side
++       * this pairs with smp_store_release() in dvb_ringbuffer_write(),
++       * dvb_ringbuffer_write_user(), or dvb_ringbuffer_reset()
++       */
++      avail = smp_load_acquire(&rbuf->pwrite) - rbuf->pread;
+       if (avail < 0)
+               avail += rbuf->size;
+       return avail;
+@@ -86,14 +101,25 @@ ssize_t dvb_ringbuffer_avail(struct dvb_
+ void dvb_ringbuffer_flush(struct dvb_ringbuffer *rbuf)
+ {
+-      rbuf->pread = rbuf->pwrite;
++      /* dvb_ringbuffer_flush() counts as read operation
++       * smp_load_acquire() to load write pointer
++       * smp_store_release() to update read pointer, this ensures that the
++       * correct pointer is visible for subsequent dvb_ringbuffer_free()
++       * calls on other cpu cores
++       */
++      smp_store_release(&rbuf->pread, smp_load_acquire(&rbuf->pwrite));
+       rbuf->error = 0;
+ }
+ EXPORT_SYMBOL(dvb_ringbuffer_flush);
+ void dvb_ringbuffer_reset(struct dvb_ringbuffer *rbuf)
+ {
+-      rbuf->pread = rbuf->pwrite = 0;
++      /* dvb_ringbuffer_reset() counts as read and write operation
++       * smp_store_release() to update read pointer
++       */
++      smp_store_release(&rbuf->pread, 0);
++      /* smp_store_release() to update write pointer */
++      smp_store_release(&rbuf->pwrite, 0);
+       rbuf->error = 0;
+ }
+@@ -119,12 +145,17 @@ ssize_t dvb_ringbuffer_read_user(struct
+                       return -EFAULT;
+               buf += split;
+               todo -= split;
+-              rbuf->pread = 0;
++              /* smp_store_release() for read pointer update to ensure
++               * that buf is not overwritten until read is complete,
++               * this pairs with ACCESS_ONCE() in dvb_ringbuffer_free()
++               */
++              smp_store_release(&rbuf->pread, 0);
+       }
+       if (copy_to_user(buf, rbuf->data+rbuf->pread, todo))
+               return -EFAULT;
+-      rbuf->pread = (rbuf->pread + todo) % rbuf->size;
++      /* smp_store_release() to update read pointer, see above */
++      smp_store_release(&rbuf->pread, (rbuf->pread + todo) % rbuf->size);
+       return len;
+ }
+@@ -139,11 +170,16 @@ void dvb_ringbuffer_read(struct dvb_ring
+               memcpy(buf, rbuf->data+rbuf->pread, split);
+               buf += split;
+               todo -= split;
+-              rbuf->pread = 0;
++              /* smp_store_release() for read pointer update to ensure
++               * that buf is not overwritten until read is complete,
++               * this pairs with ACCESS_ONCE() in dvb_ringbuffer_free()
++               */
++              smp_store_release(&rbuf->pread, 0);
+       }
+       memcpy(buf, rbuf->data+rbuf->pread, todo);
+-      rbuf->pread = (rbuf->pread + todo) % rbuf->size;
++      /* smp_store_release() to update read pointer, see above */
++      smp_store_release(&rbuf->pread, (rbuf->pread + todo) % rbuf->size);
+ }
+@@ -158,10 +194,16 @@ ssize_t dvb_ringbuffer_write(struct dvb_
+               memcpy(rbuf->data+rbuf->pwrite, buf, split);
+               buf += split;
+               todo -= split;
+-              rbuf->pwrite = 0;
++              /* smp_store_release() for write pointer update to ensure that
++               * written data is visible on other cpu cores before the pointer
++               * update, this pairs with smp_load_acquire() in
++               * dvb_ringbuffer_empty() or dvb_ringbuffer_avail()
++               */
++              smp_store_release(&rbuf->pwrite, 0);
+       }
+       memcpy(rbuf->data+rbuf->pwrite, buf, todo);
+-      rbuf->pwrite = (rbuf->pwrite + todo) % rbuf->size;
++      /* smp_store_release() for write pointer update, see above */
++      smp_store_release(&rbuf->pwrite, (rbuf->pwrite + todo) % rbuf->size);
+       return len;
+ }
+@@ -181,12 +223,18 @@ ssize_t dvb_ringbuffer_write_user(struct
+                       return len - todo;
+               buf += split;
+               todo -= split;
+-              rbuf->pwrite = 0;
++              /* smp_store_release() for write pointer update to ensure that
++               * written data is visible on other cpu cores before the pointer
++               * update, this pairs with smp_load_acquire() in
++               * dvb_ringbuffer_empty() or dvb_ringbuffer_avail()
++               */
++              smp_store_release(&rbuf->pwrite, 0);
+       }
+       status = copy_from_user(rbuf->data+rbuf->pwrite, buf, todo);
+       if (status)
+               return len - todo;
+-      rbuf->pwrite = (rbuf->pwrite + todo) % rbuf->size;
++      /* smp_store_release() for write pointer update, see above */
++      smp_store_release(&rbuf->pwrite, (rbuf->pwrite + todo) % rbuf->size);
+       return len;
+ }
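Review bot: `dvb_ringbuffer_reset()` publishes `pread` and `pwrite` with two separate `smp_store_release()` calls, so a reader or writer on another CPU running between them can pair the new `pread` of 0 with the old `pwrite`. `dvb_ringbuffer_avail()` and `dvb_ringbuffer_free()` would then report a length for data that the reset is discarding, and callers presumably size their copies from it. Barriers cannot make the pair atomic, so the comment should say that reset needs external exclusion, for example `/* caller must exclude concurrent readers and writers: the two stores are not atomic as a pair */`. Whether every caller already serialises reset is not visible in this patch.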
diff --git a/queue-4.7/media-usbtv-prevent-access-to-free-d-resources.patch b/queue-4.7/media-usbtv-prevent-access-to-free-d-resources.patch
new file mode 100644 (file)
index 0000000..e16909c
--- /dev/null
@@ -0,0 +1,64 @@
+From 2a00932f082aff93c3a55426e0c7af6d0ec03997 Mon Sep 17 00:00:00 2001
+From: Matthew Leach <matthew@mattleach.net>
+Date: Fri, 8 Jul 2016 09:04:27 -0300
+Subject: [media] media: usbtv: prevent access to free'd resources
+
+From: Matthew Leach <matthew@mattleach.net>
+
+commit 2a00932f082aff93c3a55426e0c7af6d0ec03997 upstream.
+
+When disconnecting the usbtv device, the sound card is unregistered
+from ALSA and the snd member of the usbtv struct is set to NULL.  If
+the usbtv snd_trigger work is running, this can cause a race condition
+where the kernel will attempt to access free'd resources, shown in
+[1].
+
+This patch fixes the disconnection code by cancelling any snd_trigger
+work before unregistering the sound card from ALSA and checking that
+the snd member still exists in the work function.
+
+[1]:
+ usb 3-1.2: USB disconnect, device number 6
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+ IP: [<ffffffff81093850>] process_one_work+0x30/0x480
+ PGD 405bbf067 PUD 405bbe067 PMD 0
+ Call Trace:
+  [<ffffffff81093ce8>] worker_thread+0x48/0x4e0
+  [<ffffffff81093ca0>] ? process_one_work+0x480/0x480
+  [<ffffffff81093ca0>] ? process_one_work+0x480/0x480
+  [<ffffffff81099998>] kthread+0xd8/0xf0
+  [<ffffffff815c73c2>] ret_from_fork+0x22/0x40
+  [<ffffffff810998c0>] ? kthread_worker_fn+0x170/0x170
+ ---[ end trace 0f3dac5c1a38e610 ]---
+
+Signed-off-by: Matthew Leach <matthew@mattleach.net>
+Tested-by: Peter Sutton <foxxy@foxdogstudios.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/usbtv/usbtv-audio.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/media/usb/usbtv/usbtv-audio.c
++++ b/drivers/media/usb/usbtv/usbtv-audio.c
+@@ -278,6 +278,9 @@ static void snd_usbtv_trigger(struct wor
+ {
+       struct usbtv *chip = container_of(work, struct usbtv, snd_trigger);
++      if (!chip->snd)
++              return;
++
+       if (atomic_read(&chip->snd_stream))
+               usbtv_audio_start(chip);
+       else
+@@ -378,6 +381,8 @@ err:
+ void usbtv_audio_free(struct usbtv *usbtv)
+ {
++      cancel_work_sync(&usbtv->snd_trigger);
++
+       if (usbtv->snd && usbtv->udev) {
+               snd_card_free(usbtv->snd);
+               usbtv->snd = NULL;
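Review bot: The `if (!chip->snd) return;` guard added to snd_usbtv_trigger() is a plain unsynchronised read, so it narrows the disconnect race rather than closing it. Nothing visible here stops the work from being queued again after `cancel_work_sync(&usbtv->snd_trigger)` returns in usbtv_audio_free() and before `usbtv->snd = NULL`. Whether that can happen depends on the code that schedules snd_trigger, which is outside both hunks. I would record the assumed ordering above the cancel, e.g. `/* snd_trigger must not be re-queued after this point */`, or move the cancel to where the trigger source is known to be stopped. Both function bodies continue outside the hunks.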
diff --git a/queue-4.7/megaraid_sas-do-not-fire-mr_dcmd_pd_list_query-to-controllers-which-do-not-support-it.patch b/queue-4.7/megaraid_sas-do-not-fire-mr_dcmd_pd_list_query-to-controllers-which-do-not-support-it.patch
new file mode 100644 (file)
index 0000000..14e7bfc
--- /dev/null
@@ -0,0 +1,58 @@
+From d9083160c2f6ee456ea867ea2279c1fc6124e56f Mon Sep 17 00:00:00 2001
+From: Sumit Saxena <sumit.saxena@broadcom.com>
+Date: Fri, 8 Jul 2016 03:30:16 -0700
+Subject: megaraid_sas: Do not fire MR_DCMD_PD_LIST_QUERY to controllers which do not support it
+
+From: Sumit Saxena <sumit.saxena@broadcom.com>
+
+commit d9083160c2f6ee456ea867ea2279c1fc6124e56f upstream.
+
+There was an issue reported by Lucz Geza on Dell Perc 6i. As per issue
+reported, megaraid_sas driver goes into an infinite error reporting loop
+as soon as there is a change in the status of one of the
+arrays (degrade, resync online etc ).  Below are the error logs reported
+continuously-
+
+Jun 25 08:49:30 ns8 kernel: [  757.757017] megaraid_sas 0000:02:00.0: DCMD failed/not supported by firmware: megasas_get_pd_list 4115
+Jun 25 08:49:30 ns8 kernel: [  757.778017] megaraid_sas 0000:02:00.0: DCMD failed/not supported by firmware: megasas_get_pd_list 4115
+Jun 25 08:49:30 ns8 kernel: [  757.799017] megaraid_sas 0000:02:00.0: DCMD failed/not supported by firmware: megasas_get_pd_list 4115
+Jun 25 08:49:30 ns8 kernel: [  757.820018] megaraid_sas 0000:02:00.0: DCMD failed/not supported by firmware: megasas_get_pd_list 4115
+Jun 25 08:49:30 ns8 kernel: [  757.841018] megaraid_sas 0000:02:00.0: DCMD failed/not supported by firmware: megasas_get_pd_list 4115
+
+This issue is very much specific to controllers which do not support
+DCMD- MR_DCMD_PD_LIST_QUERY.  In case of any hotplugging/rescanning of
+drives, AEN thread will be scheduled by driver and fire DCMD-
+MR_DCMD_PD_LIST_QUERY and if this DCMD is failed then driver will fail
+this event processing and will not go ahead for further events. This
+will cause infinite loop of same event getting retried infinitely and
+causing above mentioned logs.
+
+Fix for this problem is: not to fire DCMD MR_DCMD_PD_LIST_QUERY for
+controllers which do not support it and send DCMD SUCCESS status to AEN
+function so that it can go ahead with other event processing.
+
+Reported-by: Lucz Geza <geza@lucz.com>
+Signed-off-by: Sumit Saxena <sumit.saxena@broadcom.com>
+Reviewed-by: Tomas Henzl <thenzl@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/megaraid/megaraid_sas_base.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -4079,6 +4079,12 @@ megasas_get_pd_list(struct megasas_insta
+       struct MR_PD_ADDRESS *pd_addr;
+       dma_addr_t ci_h = 0;
++      if (instance->pd_list_not_supported) {
++              dev_info(&instance->pdev->dev, "MR_DCMD_PD_LIST_QUERY "
++              "not supported by firmware\n");
++              return ret;
++      }
++
+       cmd = megasas_get_cmd(instance);
+       if (!cmd) {
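Review bot: The new early exit in megasas_get_pd_list() ends with `return ret;`, which reports success only if `ret` still holds its initial value, and that declaration is above the hunk. The commit message says the AEN path needs a success status to move on to the next event, so returning the success value explicitly would make that contract visible and keep it intact if the initialiser changes. The `dev_info()` also fires on every call for an unsupported controller; since the bug being fixed was a log flood, a once-only or debug-level message may fit better. The function body continues outside the hunk.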
diff --git a/queue-4.7/ovl-disallow-overlayfs-as-upperdir.patch b/queue-4.7/ovl-disallow-overlayfs-as-upperdir.patch
new file mode 100644 (file)
index 0000000..c6facea
--- /dev/null
@@ -0,0 +1,32 @@
+From 76bc8e2843b66f8205026365966b49ec6da39ae7 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Fri, 29 Jul 2016 12:05:24 +0200
+Subject: ovl: disallow overlayfs as upperdir
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 76bc8e2843b66f8205026365966b49ec6da39ae7 upstream.
+
+This does not work and does not make sense.  So instead of fixing it
+(probably not hard) just disallow.
+
+Reported-by: Andrei Vagin <avagin@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/super.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -404,7 +404,8 @@ static struct ovl_entry *ovl_alloc_entry
+ static bool ovl_dentry_remote(struct dentry *dentry)
+ {
+       return dentry->d_flags &
+-              (DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE);
++              (DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE |
++               DCACHE_OP_REAL);
+ }
+ static bool ovl_dentry_weird(struct dentry *dentry)
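Review bot: ovl_dentry_remote() now also returns true for `DCACHE_OP_REAL`, which is not a remote-filesystem property, so the helper's name no longer describes what it tests and the reason for the extra flag lives only in the commit message. A one-line comment above the return would keep the restriction from being dropped in a later cleanup, e.g. `/* DCACHE_OP_REAL: reject overlayfs itself as a layer, stacking is unsupported */`. The callers that turn this result into a mount failure are outside the hunk, so which layers besides upperdir are affected cannot be confirmed from here.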
diff --git a/queue-4.7/rc-nuvoton-fix-hang-if-chip-is-configured-for-alternative-efm-io-address.patch b/queue-4.7/rc-nuvoton-fix-hang-if-chip-is-configured-for-alternative-efm-io-address.patch
new file mode 100644 (file)
index 0000000..e112683
--- /dev/null
@@ -0,0 +1,44 @@
+From 5cac1f67ea0363d463a58ec2d9118268fe2ba5d6 Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Thu, 7 Jul 2016 03:17:39 -0300
+Subject: [media] rc: nuvoton: fix hang if chip is configured for alternative EFM IO address
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+commit 5cac1f67ea0363d463a58ec2d9118268fe2ba5d6 upstream.
+
+If a system configures the Nuvoton chip to use the alternative
+EFM IO address (CR_EFIR2) then after probing the primary EFM IO
+address (CR_EFIR) this region is not released.
+
+If a driver for another function of the Nuvoton Super I/O
+chip uses the same probing mechanism then it will hang if
+loaded after the nuvoton-cir driver.
+This was reported for the nct6775 hwmon driver.
+
+Fix this by properly releasing the region after probing CR_EFIR.
+This regression was introduced with kernel 4.6 so cc it to stable.
+
+Reported-by: Antti Seppälä <a.seppala@gmail.com>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Tested-by: Antti Seppälä <a.seppala@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/nuvoton-cir.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/rc/nuvoton-cir.c
++++ b/drivers/media/rc/nuvoton-cir.c
+@@ -401,6 +401,7 @@ static int nvt_hw_detect(struct nvt_dev
+       /* Check if we're wired for the alternate EFER setup */
+       nvt->chip_major = nvt_cr_read(nvt, CR_CHIP_ID_HI);
+       if (nvt->chip_major == 0xff) {
++              nvt_efm_disable(nvt);
+               nvt->cr_efir = CR_EFIR2;
+               nvt->cr_efdr = CR_EFDR2;
+               nvt_efm_enable(nvt);
diff --git a/queue-4.7/regulator-s2mps11-fix-the-voltage-linear-range-for-s2mps15.patch b/queue-4.7/regulator-s2mps11-fix-the-voltage-linear-range-for-s2mps15.patch
new file mode 100644 (file)
index 0000000..d9b6bd4
--- /dev/null
@@ -0,0 +1,47 @@
+From 04c16b84e49a6d609c88f4f5523237ece3612b74 Mon Sep 17 00:00:00 2001
+From: Alim Akhtar <alim.akhtar@samsung.com>
+Date: Tue, 12 Jul 2016 11:26:43 +0530
+Subject: regulator: s2mps11: Fix the voltage linear range for s2mps15
+
+From: Alim Akhtar <alim.akhtar@samsung.com>
+
+commit 04c16b84e49a6d609c88f4f5523237ece3612b74 upstream.
+
+This patch fixes some of the LDOs and BUCKs voltage range as per
+user manual of s2mps15 (REV0.4).
+
+Fixes: 51af20675800 ("regulator: s2mps11: Add support for S2MPS15 regulators")
+Signed-off-by: Alim Akhtar <alim.akhtar@samsung.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/s2mps11.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/regulator/s2mps11.c
++++ b/drivers/regulator/s2mps11.c
+@@ -750,7 +750,7 @@ static const struct regulator_linear_ran
+ /* voltage range for s2mps15 LDO 7, 8, 9 and 10 */
+ static const struct regulator_linear_range s2mps15_ldo_voltage_ranges4[] = {
+-      REGULATOR_LINEAR_RANGE(700000, 0xc, 0x18, 25000),
++      REGULATOR_LINEAR_RANGE(700000, 0x10, 0x20, 25000),
+ };
+ /* voltage range for s2mps15 LDO 1 */
+@@ -760,12 +760,12 @@ static const struct regulator_linear_ran
+ /* voltage range for s2mps15 BUCK 1, 2, 3, 4, 5, 6 and 7 */
+ static const struct regulator_linear_range s2mps15_buck_voltage_ranges1[] = {
+-      REGULATOR_LINEAR_RANGE(500000, 0x20, 0xb0, 6250),
++      REGULATOR_LINEAR_RANGE(500000, 0x20, 0xc0, 6250),
+ };
+ /* voltage range for s2mps15 BUCK 8, 9 and 10 */
+ static const struct regulator_linear_range s2mps15_buck_voltage_ranges2[] = {
+-      REGULATOR_LINEAR_RANGE(1000000, 0x20, 0xc0, 12500),
++      REGULATOR_LINEAR_RANGE(1000000, 0x20, 0x78, 12500),
+ };
+ static const struct regulator_desc s2mps15_regulators[] = {
diff --git a/queue-4.7/remoteproc-fix-potential-race-condition-in-rproc_add.patch b/queue-4.7/remoteproc-fix-potential-race-condition-in-rproc_add.patch
new file mode 100644 (file)
index 0000000..5cff272
--- /dev/null
@@ -0,0 +1,58 @@
+From d2e12e66a939c54ed84e5f1b6947f0c45f6c56eb Mon Sep 17 00:00:00 2001
+From: Dave Gerlach <d-gerlach@ti.com>
+Date: Wed, 25 May 2016 15:41:28 -0500
+Subject: remoteproc: Fix potential race condition in rproc_add
+
+From: Dave Gerlach <d-gerlach@ti.com>
+
+commit d2e12e66a939c54ed84e5f1b6947f0c45f6c56eb upstream.
+
+rproc_add adds the newly created remoteproc to a list for use by
+rproc_get_by_phandle and then does some additional processing to finish
+adding the remoteproc. This leaves a small window of time in which the
+rproc is available in the list but not yet fully initialized, so if
+another driver comes along and gets a handle to the rproc, it will be
+invalid. Rearrange the code in rproc_add to make sure the rproc is added
+to the list only after it has been successfuly initialized.
+
+Fixes: fec47d863587 ("remoteproc: introduce rproc_get_by_phandle API")
+Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/remoteproc/remoteproc_core.c |   15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/remoteproc/remoteproc_core.c
++++ b/drivers/remoteproc/remoteproc_core.c
+@@ -1264,11 +1264,6 @@ int rproc_add(struct rproc *rproc)
+       if (ret < 0)
+               return ret;
+-      /* expose to rproc_get_by_phandle users */
+-      mutex_lock(&rproc_list_mutex);
+-      list_add(&rproc->node, &rproc_list);
+-      mutex_unlock(&rproc_list_mutex);
+-
+       dev_info(dev, "%s is available\n", rproc->name);
+       dev_info(dev, "Note: remoteproc is still under development and considered experimental.\n");
+@@ -1276,8 +1271,16 @@ int rproc_add(struct rproc *rproc)
+       /* create debugfs entries */
+       rproc_create_debug_dir(rproc);
++      ret = rproc_add_virtio_devices(rproc);
++      if (ret < 0)
++              return ret;
++
++      /* expose to rproc_get_by_phandle users */
++      mutex_lock(&rproc_list_mutex);
++      list_add(&rproc->node, &rproc_list);
++      mutex_unlock(&rproc_list_mutex);
+-      return rproc_add_virtio_devices(rproc);
++      return 0;
+ }
+ EXPORT_SYMBOL(rproc_add);
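Review bot: The new `if (ret < 0) return ret;` after rproc_add_virtio_devices() leaves behind the debugfs entries created by `rproc_create_debug_dir(rproc)` just above it, and also whatever was registered before the first `if (ret < 0)` at the top of the hunk, which is not visible. The old code had the same gap, but now that the failure path is explicit it is the natural place to unwind. On this path `rproc->node` was never added to rproc_list, so a caller that tears the rproc down after a failed rproc_add() must not assume list membership; that deserves a line in the function's kernel-doc. rproc_add() starts outside the hunk.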
diff --git a/queue-4.7/s5p-mfc-add-release-callback-for-memory-region-devs.patch b/queue-4.7/s5p-mfc-add-release-callback-for-memory-region-devs.patch
new file mode 100644 (file)
index 0000000..a640423
--- /dev/null
@@ -0,0 +1,58 @@
+From 6311f1261f59ce5e51fbe5cc3b5e7737197316ac Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javier@osg.samsung.com>
+Date: Tue, 3 May 2016 16:27:17 -0400
+Subject: s5p-mfc: Add release callback for memory region devs
+
+From: Javier Martinez Canillas <javier@osg.samsung.com>
+
+commit 6311f1261f59ce5e51fbe5cc3b5e7737197316ac upstream.
+
+When s5p_mfc_remove() calls put_device() for the reserved memory region
+devs, the driver core warns that the dev doesn't have a release callback:
+
+WARNING: CPU: 0 PID: 591 at drivers/base/core.c:251 device_release+0x8c/0x90
+Device 's5p-mfc-l' does not have a release() function, it is broken and must be fixed.
+
+Also, the declared DMA memory using dma_declare_coherent_memory() isn't
+relased so add a dev .release that calls dma_release_declared_memory().
+
+Fixes: 6e83e6e25eb4 ("[media] s5p-mfc: Fix kernel warning on memory init")
+Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -1050,6 +1050,11 @@ static int match_child(struct device *de
+       return !strcmp(dev_name(dev), (char *)data);
+ }
++static void s5p_mfc_memdev_release(struct device *dev)
++{
++      dma_release_declared_memory(dev);
++}
++
+ static void *mfc_get_drv_data(struct platform_device *pdev);
+ static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev)
+@@ -1064,6 +1069,7 @@ static int s5p_mfc_alloc_memdevs(struct
+       }
+       dev_set_name(dev->mem_dev_l, "%s", "s5p-mfc-l");
++      dev->mem_dev_l->release = s5p_mfc_memdev_release;
+       device_initialize(dev->mem_dev_l);
+       of_property_read_u32_array(dev->plat_dev->dev.of_node,
+                       "samsung,mfc-l", mem_info, 2);
+@@ -1083,6 +1089,7 @@ static int s5p_mfc_alloc_memdevs(struct
+       }
+       dev_set_name(dev->mem_dev_r, "%s", "s5p-mfc-r");
++      dev->mem_dev_r->release = s5p_mfc_memdev_release;
+       device_initialize(dev->mem_dev_r);
+       of_property_read_u32_array(dev->plat_dev->dev.of_node,
+                       "samsung,mfc-r", mem_info, 2);
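Review bot: s5p_mfc_memdev_release() runs on the final put_device() of each memory-region device, presumably including error paths of s5p_mfc_alloc_memdevs() where no coherent memory was declared, so it relies on `dma_release_declared_memory()` tolerating a device with nothing declared. That looks intended but is not stated; a comment on the callback such as `/* safe when no coherent memory was declared for dev */` would record the assumption. The callback also does not free the struct device itself, which is only correct if the allocation above the hunk is managed elsewhere. s5p_mfc_alloc_memdevs() starts and ends outside the hunks.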
diff --git a/queue-4.7/s5p-mfc-set-device-name-for-reserved-memory-region-devs.patch b/queue-4.7/s5p-mfc-set-device-name-for-reserved-memory-region-devs.patch
new file mode 100644 (file)
index 0000000..a4ec4d1
--- /dev/null
@@ -0,0 +1,50 @@
+From 29debab0a94035a390801d1f177d171d014b7765 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javier@osg.samsung.com>
+Date: Tue, 3 May 2016 16:27:16 -0400
+Subject: s5p-mfc: Set device name for reserved memory region devs
+
+From: Javier Martinez Canillas <javier@osg.samsung.com>
+
+commit 29debab0a94035a390801d1f177d171d014b7765 upstream.
+
+The devices don't have a name set, so makes dev_name() returns NULL which
+makes harder to identify the devices that are causing issues, for example:
+
+WARNING: CPU: 2 PID: 616 at drivers/base/core.c:251 device_release+0x8c/0x90
+Device '(null)' does not have a release() function, it is broken and must be fixed.
+
+And after setting the device name:
+
+WARNING: CPU: 0 PID: 591 at drivers/base/core.c:251 device_release+0x8c/0x90
+Device 's5p-mfc-l' does not have a release() function, it is broken and must be fixed.
+
+Fixes: 6e83e6e25eb4 ("[media] s5p-mfc: Fix kernel warning on memory init")
+Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -1062,6 +1062,8 @@ static int s5p_mfc_alloc_memdevs(struct
+               mfc_err("Not enough memory\n");
+               return -ENOMEM;
+       }
++
++      dev_set_name(dev->mem_dev_l, "%s", "s5p-mfc-l");
+       device_initialize(dev->mem_dev_l);
+       of_property_read_u32_array(dev->plat_dev->dev.of_node,
+                       "samsung,mfc-l", mem_info, 2);
+@@ -1079,6 +1081,8 @@ static int s5p_mfc_alloc_memdevs(struct
+               mfc_err("Not enough memory\n");
+               return -ENOMEM;
+       }
++
++      dev_set_name(dev->mem_dev_r, "%s", "s5p-mfc-r");
+       device_initialize(dev->mem_dev_r);
+       of_property_read_u32_array(dev->plat_dev->dev.of_node,
+                       "samsung,mfc-r", mem_info, 2);
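Review bot: Both added `dev_set_name()` calls discard the return value, although the call can fail and the stated purpose of the name is to make later driver-core warnings identifiable. A check next to the existing `-ENOMEM` handling would keep the two hunks consistent, e.g. `ret = dev_set_name(dev->mem_dev_l, "%s", "s5p-mfc-l");` followed by `if (ret) return ret;`, and the same for `mem_dev_r`. The second site would also need whatever unwinding the function already does for `mem_dev_l`, which is outside the hunk.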
index cf95c40ec796d2db530757858d14a3a6da9ff60a..9d63e1535559b140b4c4da02a41f6f28cd88d86c 100644 (file)
@@ -38,3 +38,37 @@ mfd-qcom_rpm-fix-offset-error-for-msm8660.patch
 mfd-qcom_rpm-parametrize-also-ack-selector-size.patch
 perf-x86-intel-uncore-fix-uncore-num_counters.patch
 objtool-add-fixdep-to-objtool-.gitignore.patch
+media-usbtv-prevent-access-to-free-d-resources.patch
+media-dvb_ringbuffer-add-memory-barriers.patch
+rc-nuvoton-fix-hang-if-chip-is-configured-for-alternative-efm-io-address.patch
+videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch
+vb2-core-skip-planes-array-verification-if-pb-is-null.patch
+fix-rc5-decoding-with-fintek-cir-chipset.patch
+sur40-lower-poll-interval-to-fix-occasional-fps-drops-to-56-fps.patch
+sur40-fix-occasional-oopses-on-device-close.patch
+regulator-s2mps11-fix-the-voltage-linear-range-for-s2mps15.patch
+dm-fix-second-blk_delay_queue-parameter-to-be-in-msec-units-not-jiffies.patch
+dm-set-dmf_suspended-_before_-clearing-dmf_noflush_suspending.patch
+xfs-bufferhead-chains-are-invalid-after-end_page_writeback.patch
+hp-wmi-fix-wifi-cannot-be-hard-unblocked.patch
+s5p-mfc-set-device-name-for-reserved-memory-region-devs.patch
+s5p-mfc-add-release-callback-for-memory-region-devs.patch
+dm-verity-fec-fix-block-calculation.patch
+iwlwifi-pcie-enable-interrupts-before-releasing-the-nic-s-cpu.patch
+iwlwifi-pcie-fix-a-race-in-firmware-loading-flow.patch
+iwlwifi-add-new-8260-pci-ids.patch
+iwlwifi-add-new-8265.patch
+bcma-add-pci-id-for-foxconn-s-bcm43142-device.patch
+i2c-efm32-fix-a-failure-path-in-efm32_i2c_probe.patch
+spi-pxa2xx-clear-all-rft-bits-in-reset_sccr1-on-intel-quark.patch
+brcmfmac-restore-stopping-netdev-queue-when-bus-clogs-up.patch
+bluetooth-add-support-of-13d3-3490-ar3012-device.patch
+bluetooth-fix-l2cap_sock_setsockopt-with-optname-bt_rcvmtu.patch
+edac-correct-channel-count-limit.patch
+megaraid_sas-do-not-fire-mr_dcmd_pd_list_query-to-controllers-which-do-not-support-it.patch
+hid-uhid-fix-timeout-when-probe-races-with-io.patch
+ovl-disallow-overlayfs-as-upperdir.patch
+remoteproc-fix-potential-race-condition-in-rproc_add.patch
+arc-mm-don-t-loose-pte_special-in-pte_modify.patch
+arc-dma-fix-address-translation-in-arc_dma_free.patch
+jbd2-make-journal-y2038-safe.patch
diff --git a/queue-4.7/spi-pxa2xx-clear-all-rft-bits-in-reset_sccr1-on-intel-quark.patch b/queue-4.7/spi-pxa2xx-clear-all-rft-bits-in-reset_sccr1-on-intel-quark.patch
new file mode 100644 (file)
index 0000000..b8e5b4c
--- /dev/null
@@ -0,0 +1,41 @@
+From 152bc19e2fc2b7fce7ffbc2a9cea94b147223702 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Wed, 6 Jul 2016 12:08:11 +0300
+Subject: spi: pxa2xx: Clear all RFT bits in reset_sccr1() on Intel Quark
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 152bc19e2fc2b7fce7ffbc2a9cea94b147223702 upstream.
+
+It seems the commit e5262d0568dc ("spi: spi-pxa2xx: SPI support for Intel Quark
+X1000") misses one place to be adapted for Intel Quark, i.e. in reset_sccr1().
+
+Clear all RFT bits when call reset_sccr1() on Intel Quark.
+
+Fixes: e5262d0568dc ("spi: spi-pxa2xx: SPI support for Intel Quark X1000")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-pxa2xx.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-pxa2xx.c
++++ b/drivers/spi/spi-pxa2xx.c
+@@ -585,7 +585,14 @@ static void reset_sccr1(struct driver_da
+       u32 sccr1_reg;
+       sccr1_reg = pxa2xx_spi_read(drv_data, SSCR1) & ~drv_data->int_cr1;
+-      sccr1_reg &= ~SSCR1_RFT;
++      switch (drv_data->ssp_type) {
++      case QUARK_X1000_SSP:
++              sccr1_reg &= ~QUARK_X1000_SSCR1_RFT;
++              break;
++      default:
++              sccr1_reg &= ~SSCR1_RFT;
++              break;
++      }
+       sccr1_reg |= chip->threshold;
+       pxa2xx_spi_write(drv_data, SSCR1, sccr1_reg);
+ }
diff --git a/queue-4.7/sur40-fix-occasional-oopses-on-device-close.patch b/queue-4.7/sur40-fix-occasional-oopses-on-device-close.patch
new file mode 100644 (file)
index 0000000..0979ca8
--- /dev/null
@@ -0,0 +1,41 @@
+From 6a8588156657e607fcfdffd46c1daae8ba88a1e5 Mon Sep 17 00:00:00 2001
+From: Florian Echtler <floe@butterbrot.org>
+Date: Tue, 31 May 2016 17:15:33 -0300
+Subject: [media] sur40: fix occasional oopses on device close
+
+From: Florian Echtler <floe@butterbrot.org>
+
+commit 6a8588156657e607fcfdffd46c1daae8ba88a1e5 upstream.
+
+Closing the V4L2 device sometimes triggers a kernel oops.
+Present patch fixes this.
+
+Signed-off-by: Martin Kaltenbrunner <modin@yuri.at>
+Signed-off-by: Florian Echtler <floe@butterbrot.org>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/sur40.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/sur40.c
++++ b/drivers/input/touchscreen/sur40.c
+@@ -448,7 +448,7 @@ static void sur40_process_video(struct s
+       /* return error if streaming was stopped in the meantime */
+       if (sur40->sequence == -1)
+-              goto err_poll;
++              return;
+       /* mark as finished */
+       new_buf->vb.vb2_buf.timestamp = ktime_get_ns();
+@@ -736,6 +736,7 @@ static int sur40_start_streaming(struct
+ static void sur40_stop_streaming(struct vb2_queue *vq)
+ {
+       struct sur40_state *sur40 = vb2_get_drv_priv(vq);
++      vb2_wait_for_all_buffers(vq);
+       sur40->sequence = -1;
+       /* Release all active buffers */
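Review bot: Replacing `goto err_poll` with a bare `return` in sur40_process_video() skips whatever the err_poll label does, and `new_buf` is used immediately below, so it appears to have been taken off the driver's list already at this point. If so, the buffer is never handed back on this path. The label and the dequeue are outside the hunk, so this needs confirming, and a comment such as `/* all buffers were returned before sequence was set to -1 */` would record why the return is safe. In sur40_stop_streaming() the result of `vb2_wait_for_all_buffers(vq)` is discarded and the call sits directly under the declaration with no blank line.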
diff --git a/queue-4.7/sur40-lower-poll-interval-to-fix-occasional-fps-drops-to-56-fps.patch b/queue-4.7/sur40-lower-poll-interval-to-fix-occasional-fps-drops-to-56-fps.patch
new file mode 100644 (file)
index 0000000..e9a09b8
--- /dev/null
@@ -0,0 +1,33 @@
+From af766ee005c496b8567976dc3eed7676443ed6de Mon Sep 17 00:00:00 2001
+From: Florian Echtler <floe@butterbrot.org>
+Date: Tue, 31 May 2016 17:15:32 -0300
+Subject: [media] sur40: lower poll interval to fix occasional FPS drops to ~56 FPS
+
+From: Florian Echtler <floe@butterbrot.org>
+
+commit af766ee005c496b8567976dc3eed7676443ed6de upstream.
+
+The framerate sometimes drops below 60 Hz if the poll interval is too high.
+Lowering it to the minimum of 1 ms fixes this.
+
+Signed-off-by: Martin Kaltenbrunner <modin@yuri.at>
+Signed-off-by: Florian Echtler <floe@butterbrot.org>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/sur40.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/sur40.c
++++ b/drivers/input/touchscreen/sur40.c
+@@ -126,7 +126,7 @@ struct sur40_image_header {
+ #define VIDEO_PACKET_SIZE  16384
+ /* polling interval (ms) */
+-#define POLL_INTERVAL 4
++#define POLL_INTERVAL 1
+ /* maximum number of contacts FIXME: this is a guess? */
+ #define MAX_CONTACTS 64
diff --git a/queue-4.7/vb2-core-skip-planes-array-verification-if-pb-is-null.patch b/queue-4.7/vb2-core-skip-planes-array-verification-if-pb-is-null.patch
new file mode 100644 (file)
index 0000000..ab327f9
--- /dev/null
@@ -0,0 +1,53 @@
+From 126f40298446a82116e1f92a1aaf72b8c8228fae Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Wed, 11 May 2016 18:44:32 -0300
+Subject: [media] vb2: core: Skip planes array verification if pb is NULL
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 126f40298446a82116e1f92a1aaf72b8c8228fae upstream.
+
+An earlier patch fixing an input validation issue introduced another
+issue: vb2_core_dqbuf() is called with pb argument value NULL in some
+cases, causing a NULL pointer dereference. Fix this by skipping the
+verification as there's nothing to verify.
+
+Fixes: e7e0c3e26587 ("[media] videobuf2-core: Check user space planes array in dqbuf")
+
+Signed-off-by: David R <david@unsolicited.net>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/videobuf2-core.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-core.c
++++ b/drivers/media/v4l2-core/videobuf2-core.c
+@@ -1648,7 +1648,7 @@ static int __vb2_get_done_vb(struct vb2_
+                            void *pb, int nonblocking)
+ {
+       unsigned long flags;
+-      int ret;
++      int ret = 0;
+       /*
+        * Wait for at least one buffer to become available on the done_list.
+@@ -1664,10 +1664,12 @@ static int __vb2_get_done_vb(struct vb2_
+       spin_lock_irqsave(&q->done_lock, flags);
+       *vb = list_first_entry(&q->done_list, struct vb2_buffer, done_entry);
+       /*
+-       * Only remove the buffer from done_list if v4l2_buffer can handle all
+-       * the planes.
++       * Only remove the buffer from done_list if all planes can be
++       * handled. Some cases such as V4L2 file I/O and DVB have pb
++       * == NULL; skip the check then as there's nothing to verify.
+        */
+-      ret = call_bufop(q, verify_planes_array, *vb, pb);
++      if (pb)
++              ret = call_bufop(q, verify_planes_array, *vb, pb);
+       if (!ret)
+               list_del(&(*vb)->done_entry);
+       spin_unlock_irqrestore(&q->done_lock, flags);
diff --git a/queue-4.7/videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch b/queue-4.7/videobuf2-v4l2-verify-planes-array-in-buffer-dequeueing.patch
new file mode 100644 (file)
index 0000000..3cb624d
--- /dev/null
@@ -0,0 +1,56 @@
+From 83934b75c368f529d084815c463a7ef781dc9751 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Sun, 3 Apr 2016 16:31:03 -0300
+Subject: [media] videobuf2-v4l2: Verify planes array in buffer dequeueing
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 83934b75c368f529d084815c463a7ef781dc9751 upstream.
+
+When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer
+which will be dequeued is not known until the buffer has been removed from
+the queue. The number of planes is specific to a buffer, not to the queue.
+
+This does lead to the situation where multi-plane buffers may be requested
+and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument
+struct with fewer planes.
+
+__fill_v4l2_buffer() however uses the number of planes from the dequeued
+videobuf2 buffer, overwriting kernel memory (the m.planes array allocated
+in video_usercopy() in v4l2-ioctl.c)  if the user provided fewer
+planes than the dequeued buffer had. Oops!
+
+Fixes: b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2")
+
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/videobuf2-v4l2.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/media/v4l2-core/videobuf2-v4l2.c
++++ b/drivers/media/v4l2-core/videobuf2-v4l2.c
+@@ -74,6 +74,11 @@ static int __verify_planes_array(struct
+       return 0;
+ }
++static int __verify_planes_array_core(struct vb2_buffer *vb, const void *pb)
++{
++      return __verify_planes_array(vb, pb);
++}
++
+ /**
+  * __verify_length() - Verify that the bytesused value for each plane fits in
+  * the plane length and that the data offset doesn't exceed the bytesused value.
+@@ -437,6 +442,7 @@ static int __fill_vb2_buffer(struct vb2_
+ }
+ static const struct vb2_buf_ops v4l2_buf_ops = {
++      .verify_planes_array    = __verify_planes_array_core,
+       .fill_user_buffer       = __fill_v4l2_buffer,
+       .fill_vb2_buffer        = __fill_vb2_buffer,
+       .copy_timestamp         = __copy_timestamp,
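Review bot: `__verify_planes_array_core()` passes `pb` straight to `__verify_planes_array()`, and the follow-up patch in this queue (vb2-core-skip-planes-array-verification-if-pb-is-null) states that vb2_core_dqbuf() can be called with pb == NULL and that this causes a NULL pointer dereference. The two patches therefore have to land together; the series file does list them back to back in that order. A guard in the wrapper, `if (!pb) return 0;`, would make the op safe on its own. The wrapper also has no comment saying that it exists only to adapt the `const void *` op signature. Both hunks cut into definitions that continue outside them.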
diff --git a/queue-4.7/xfs-bufferhead-chains-are-invalid-after-end_page_writeback.patch b/queue-4.7/xfs-bufferhead-chains-are-invalid-after-end_page_writeback.patch
new file mode 100644 (file)
index 0000000..3844d48
--- /dev/null
@@ -0,0 +1,134 @@
+From 28b783e47ad702b8e0f4861ef94cdfce6abd7c80 Mon Sep 17 00:00:00 2001
+From: Dave Chinner <dchinner@redhat.com>
+Date: Fri, 22 Jul 2016 09:56:38 +1000
+Subject: xfs: bufferhead chains are invalid after end_page_writeback
+
+From: Dave Chinner <dchinner@redhat.com>
+
+commit 28b783e47ad702b8e0f4861ef94cdfce6abd7c80 upstream.
+
+In xfs_finish_page_writeback(), we have a loop that looks like this:
+
+        do {
+                if (off < bvec->bv_offset)
+                        goto next_bh;
+                if (off > end)
+                        break;
+                bh->b_end_io(bh, !error);
+next_bh:
+                off += bh->b_size;
+        } while ((bh = bh->b_this_page) != head);
+
+The b_end_io function is end_buffer_async_write(), which will call
+end_page_writeback() once all the buffers have marked as no longer
+under IO.  This issue here is that the only thing currently
+protecting both the bufferhead chain and the page from being
+reclaimed is the PageWriteback state held on the page.
+
+While we attempt to limit the loop to just the buffers covered by
+the IO, we still read from the buffer size and follow the next
+pointer in the bufferhead chain. There is no guarantee that either
+of these are valid after the PageWriteback flag has been cleared.
+Hence, loops like this are completely unsafe, and result in
+use-after-free issues. One such problem was caught by Calvin Owens
+with KASAN:
+
+.....
+ INFO: Freed in 0x103fc80ec age=18446651500051355200 cpu=2165122683 pid=-1
+  free_buffer_head+0x41/0x90
+  __slab_free+0x1ed/0x340
+  kmem_cache_free+0x270/0x300
+  free_buffer_head+0x41/0x90
+  try_to_free_buffers+0x171/0x240
+  xfs_vm_releasepage+0xcb/0x3b0
+  try_to_release_page+0x106/0x190
+  shrink_page_list+0x118e/0x1a10
+  shrink_inactive_list+0x42c/0xdf0
+  shrink_zone_memcg+0xa09/0xfa0
+  shrink_zone+0x2c3/0xbc0
+.....
+ Call Trace:
+  <IRQ>  [<ffffffff81e8b8e4>] dump_stack+0x68/0x94
+  [<ffffffff8153a995>] print_trailer+0x115/0x1a0
+  [<ffffffff81541174>] object_err+0x34/0x40
+  [<ffffffff815436e7>] kasan_report_error+0x217/0x530
+  [<ffffffff81543b33>] __asan_report_load8_noabort+0x43/0x50
+  [<ffffffff819d651f>] xfs_destroy_ioend+0x3bf/0x4c0
+  [<ffffffff819d69d4>] xfs_end_bio+0x154/0x220
+  [<ffffffff81de0c58>] bio_endio+0x158/0x1b0
+  [<ffffffff81dff61b>] blk_update_request+0x18b/0xb80
+  [<ffffffff821baf57>] scsi_end_request+0x97/0x5a0
+  [<ffffffff821c5558>] scsi_io_completion+0x438/0x1690
+  [<ffffffff821a8d95>] scsi_finish_command+0x375/0x4e0
+  [<ffffffff821c3940>] scsi_softirq_done+0x280/0x340
+
+
+Where the access is occuring during IO completion after the buffer
+had been freed from direct memory reclaim.
+
+Prevent use-after-free accidents in this end_io processing loop by
+pre-calculating the loop conditionals before calling bh->b_end_io().
+The loop is already limited to just the bufferheads covered by the
+IO in progress, so the offset checks are sufficient to prevent
+accessing buffers in the chain after end_page_writeback() has been
+called by the the bh->b_end_io() callout.
+
+Yet another example of why Bufferheads Must Die.
+
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+Reported-and-Tested-by: Calvin Owens <calvinowens@fb.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_aops.c |   15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -87,6 +87,12 @@ xfs_find_bdev_for_inode(
+  * We're now finished for good with this page.  Update the page state via the
+  * associated buffer_heads, paying attention to the start and end offsets that
+  * we need to process on the page.
++ *
++ * Landmine Warning: bh->b_end_io() will call end_page_writeback() on the last
++ * buffer in the IO. Once it does this, it is unsafe to access the bufferhead or
++ * the page at all, as we may be racing with memory reclaim and it can free both
++ * the bufferhead chain and the page as it will see the page as clean and
++ * unused.
+  */
+ static void
+ xfs_finish_page_writeback(
+@@ -95,8 +101,9 @@ xfs_finish_page_writeback(
+       int                     error)
+ {
+       unsigned int            end = bvec->bv_offset + bvec->bv_len - 1;
+-      struct buffer_head      *head, *bh;
++      struct buffer_head      *head, *bh, *next;
+       unsigned int            off = 0;
++      unsigned int            bsize;
+       ASSERT(bvec->bv_offset < PAGE_SIZE);
+       ASSERT((bvec->bv_offset & ((1 << inode->i_blkbits) - 1)) == 0);
+@@ -105,15 +112,17 @@ xfs_finish_page_writeback(
+       bh = head = page_buffers(bvec->bv_page);
++      bsize = bh->b_size;
+       do {
++              next = bh->b_this_page;
+               if (off < bvec->bv_offset)
+                       goto next_bh;
+               if (off > end)
+                       break;
+               bh->b_end_io(bh, !error);
+ next_bh:
+-              off += bh->b_size;
+-      } while ((bh = bh->b_this_page) != head);
++              off += bsize;
++      } while ((bh = next) != head);
+ }
+ /*
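Review bot: In the rewritten loop, `next = bh->b_this_page;` runs at the top of every iteration, before the `if (off > end) break;` test. When the bvec ends before the page's last buffer, the iteration after the final `bh->b_end_io()` call still dereferences `bh` once, even though `end_page_writeback()` may already have let reclaim free the chain. That is the access the new Landmine Warning comment says is unsafe. Moving the bound check first closes it: `if (off > end) break;` followed by `next = bh->b_this_page;`, with the `off < bvec->bv_offset` test after both. The function's signature is in an earlier hunk of the same patch.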