--- /dev/null
+From be3bb8236db2d0fcd705062ae2e2a9d75131222f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 11 Mar 2015 18:12:49 +0100
+Subject: ALSA: control: Add sanity checks for user ctl id name string
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit be3bb8236db2d0fcd705062ae2e2a9d75131222f upstream.
+
+There was no check about the id string of user control elements, so we
+accepted even a control element with an empty string, which is
+obviously bogus. This patch adds more sanity checks of id strings.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/control.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -1168,6 +1168,10 @@ static int snd_ctl_elem_add(struct snd_c
+
+ if (info->count < 1)
+ return -EINVAL;
++ if (!*info->id.name)
++ return -EINVAL;
++ if (strnlen(info->id.name, sizeof(info->id.name)) >= sizeof(info->id.name))
++ return -EINVAL;
+ access = info->access == 0 ? SNDRV_CTL_ELEM_ACCESS_READWRITE :
+ (info->access & (SNDRV_CTL_ELEM_ACCESS_READWRITE|
+ SNDRV_CTL_ELEM_ACCESS_INACTIVE|
--- /dev/null
+From 2ddee91abe9cc34ddb6294ee14702b46ae07d460 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 12 Mar 2015 20:47:15 +0100
+Subject: ALSA: hda - Add workaround for MacBook Air 5,2 built-in mic
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 2ddee91abe9cc34ddb6294ee14702b46ae07d460 upstream.
+
+MacBook Air 5,2 has the same problem as MacBook Pro 8,1 where the
+built-in mic records only the right channel. Apply the same
+workaround as MBP8,1 to spread the mono channel via a Cirrus codec
+vendor-specific COEF setup.
+
+Reported-and-tested-by: Vasil Zlatanov <vasil.zlatanov@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_cirrus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_cirrus.c
++++ b/sound/pci/hda/patch_cirrus.c
+@@ -363,6 +363,7 @@ static const struct snd_pci_quirk cs420x
+ SND_PCI_QUIRK(0x106b, 0x1c00, "MacBookPro 8,1", CS420X_MBP81),
+ SND_PCI_QUIRK(0x106b, 0x2000, "iMac 12,2", CS420X_IMAC27_122),
+ SND_PCI_QUIRK(0x106b, 0x2800, "MacBookPro 10,1", CS420X_MBP101),
++ SND_PCI_QUIRK(0x106b, 0x5600, "MacBookAir 5,2", CS420X_MBP81),
+ SND_PCI_QUIRK(0x106b, 0x5b00, "MacBookAir 4,2", CS420X_MBA42),
+ SND_PCI_QUIRK_VENDOR(0x106b, "Apple", CS420X_APPLE),
+ {} /* terminator */
--- /dev/null
+From ef403edb75580a3ec5d155f5de82155f0419c621 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 12 Mar 2015 08:30:11 +0100
+Subject: ALSA: hda - Don't access stereo amps for mono channel widgets
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit ef403edb75580a3ec5d155f5de82155f0419c621 upstream.
+
+The current HDA generic parser initializes / modifies the amp values
+always in stereo, but this seems causing the problem on ALC3229 codec
+that has a few mono channel widgets: namely, these mono widgets react
+to actions for both channels equally.
+
+In the driver code, we do care the mono channel and create a control
+only for the left channel (as defined in HD-audio spec) for such a
+node. When the control is updated, only the left channel value is
+changed. However, in the resume, the right channel value is also
+restored from the initial value we took as stereo, and this overwrites
+the left channel value. This ends up being the silent output as the
+right channel has been never touched and remains muted.
+
+This patch covers the places where unconditional stereo amp accesses
+are done and converts to the conditional accesses.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=94581
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_generic.c | 30 ++++++++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 8 deletions(-)
+
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -647,7 +647,23 @@ static void init_amp(struct hda_codec *c
+ {
+ unsigned int caps = query_amp_caps(codec, nid, dir);
+ int val = get_amp_val_to_activate(codec, nid, dir, caps, false);
+- snd_hda_codec_amp_init_stereo(codec, nid, dir, idx, 0xff, val);
++
++ if (get_wcaps(codec, nid) & AC_WCAP_STEREO)
++ snd_hda_codec_amp_init_stereo(codec, nid, dir, idx, 0xff, val);
++ else
++ snd_hda_codec_amp_init(codec, nid, 0, dir, idx, 0xff, val);
++}
++
++/* update the amp, doing in stereo or mono depending on NID */
++static int update_amp(struct hda_codec *codec, hda_nid_t nid, int dir, int idx,
++ unsigned int mask, unsigned int val)
++{
++ if (get_wcaps(codec, nid) & AC_WCAP_STEREO)
++ return snd_hda_codec_amp_stereo(codec, nid, dir, idx,
++ mask, val);
++ else
++ return snd_hda_codec_amp_update(codec, nid, 0, dir, idx,
++ mask, val);
+ }
+
+ /* calculate amp value mask we can modify;
+@@ -687,7 +703,7 @@ static void activate_amp(struct hda_code
+ return;
+
+ val &= mask;
+- snd_hda_codec_amp_stereo(codec, nid, dir, idx, mask, val);
++ update_amp(codec, nid, dir, idx, mask, val);
+ }
+
+ static void activate_amp_out(struct hda_codec *codec, struct nid_path *path,
+@@ -4235,13 +4251,11 @@ static void mute_all_mixer_nid(struct hd
+ has_amp = nid_has_mute(codec, mix, HDA_INPUT);
+ for (i = 0; i < nums; i++) {
+ if (has_amp)
+- snd_hda_codec_amp_stereo(codec, mix,
+- HDA_INPUT, i,
+- 0xff, HDA_AMP_MUTE);
++ update_amp(codec, mix, HDA_INPUT, i,
++ 0xff, HDA_AMP_MUTE);
+ else if (nid_has_volume(codec, conn[i], HDA_OUTPUT))
+- snd_hda_codec_amp_stereo(codec, conn[i],
+- HDA_OUTPUT, 0,
+- 0xff, HDA_AMP_MUTE);
++ update_amp(codec, conn[i], HDA_OUTPUT, 0,
++ 0xff, HDA_AMP_MUTE);
+ }
+ }
+
--- /dev/null
+From ddb6ca75b5671b8fbf1909bc588c449ee74b34f9 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 11 Mar 2015 16:05:19 +0100
+Subject: ALSA: hda - Fix built-in mic on Compaq Presario CQ60
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit ddb6ca75b5671b8fbf1909bc588c449ee74b34f9 upstream.
+
+Compaq Presario CQ60 laptop with CX20561 gives a wrong pin for the
+built-in mic NID 0x17 instead of NID 0x1d, and it results in the
+non-working mic. This patch just remaps the pin correctly via fixup.
+
+Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=920604
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_conexant.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -3223,6 +3223,7 @@ enum {
+ CXT_PINCFG_LENOVO_TP410,
+ CXT_PINCFG_LEMOTE_A1004,
+ CXT_PINCFG_LEMOTE_A1205,
++ CXT_PINCFG_COMPAQ_CQ60,
+ CXT_FIXUP_STEREO_DMIC,
+ CXT_FIXUP_INC_MIC_BOOST,
+ CXT_FIXUP_GPIO1,
+@@ -3296,6 +3297,15 @@ static const struct hda_fixup cxt_fixups
+ .type = HDA_FIXUP_PINS,
+ .v.pins = cxt_pincfg_lemote,
+ },
++ [CXT_PINCFG_COMPAQ_CQ60] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ /* 0x17 was falsely set up as a mic, it should 0x1d */
++ { 0x17, 0x400001f0 },
++ { 0x1d, 0x97a70120 },
++ { }
++ }
++ },
+ [CXT_FIXUP_STEREO_DMIC] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = cxt_fixup_stereo_dmic,
+@@ -3316,6 +3326,7 @@ static const struct hda_fixup cxt_fixups
+ };
+
+ static const struct snd_pci_quirk cxt5051_fixups[] = {
++ SND_PCI_QUIRK(0x103c, 0x360b, "Compaq CQ60", CXT_PINCFG_COMPAQ_CQ60),
+ SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo X200", CXT_PINCFG_LENOVO_X200),
+ {}
+ };
--- /dev/null
+From bad994f5b4ab57eec8d56c180edca00505c3eeb2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 12 Mar 2015 20:28:04 +0100
+Subject: ALSA: hda - Set single_adc_amp flag for CS420x codecs
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit bad994f5b4ab57eec8d56c180edca00505c3eeb2 upstream.
+
+CS420x codecs seem to deal only the single amps of ADC nodes even
+though the nodes receive multiple inputs. This leads to the
+inconsistent amp value after S3/S4 resume, for example.
+
+The fix is just to set codec->single_adc_amp flag. Then the driver
+handles these ADC amps as if single connections.
+
+Reported-and-tested-by: Vasil Zlatanov <vasil.zlatanov@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_cirrus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_cirrus.c
++++ b/sound/pci/hda/patch_cirrus.c
+@@ -531,6 +531,7 @@ static int patch_cs420x(struct hda_codec
+ return -ENOMEM;
+
+ spec->gen.automute_hook = cs_automute;
++ codec->single_adc_amp = 1;
+
+ snd_hda_pick_fixup(codec, cs420x_models, cs420x_fixup_tbl,
+ cs420x_fixups);
--- /dev/null
+From cc261738add93947d138d2fabad9f4dbed4e5c00 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 16 Mar 2015 10:18:08 +0100
+Subject: ALSA: hda - Treat stereo-to-mono mix properly
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit cc261738add93947d138d2fabad9f4dbed4e5c00 upstream.
+
+The commit [ef403edb7558: ALSA: hda - Don't access stereo amps for
+mono channel widgets] fixed the handling of mono widgets in general,
+but it still misses an exceptional case: namely, a mono mixer widget
+taking a single stereo input. In this case, it has stereo volumes
+although it's a mono widget, and thus we have to take care of both
+left and right input channels, as stated in HD-audio spec ("7.1.3
+Widget Interconnection Rules").
+
+This patch covers this missing piece by adding proper checks of stereo
+amps in both the generic parser and the proc output codes.
+
+Reported-by: Raymond Yau <superquad.vortex2@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_generic.c | 21 +++++++++++++++++++--
+ sound/pci/hda/hda_proc.c | 38 ++++++++++++++++++++++++++++++--------
+ 2 files changed, 49 insertions(+), 10 deletions(-)
+
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -642,13 +642,30 @@ static int get_amp_val_to_activate(struc
+ return val;
+ }
+
++/* is this a stereo widget or a stereo-to-mono mix? */
++static bool is_stereo_amps(struct hda_codec *codec, hda_nid_t nid, int dir)
++{
++ unsigned int wcaps = get_wcaps(codec, nid);
++ hda_nid_t conn;
++
++ if (wcaps & AC_WCAP_STEREO)
++ return true;
++ if (dir != HDA_INPUT || get_wcaps_type(wcaps) != AC_WID_AUD_MIX)
++ return false;
++ if (snd_hda_get_num_conns(codec, nid) != 1)
++ return false;
++ if (snd_hda_get_connections(codec, nid, &conn, 1) < 0)
++ return false;
++ return !!(get_wcaps(codec, conn) & AC_WCAP_STEREO);
++}
++
+ /* initialize the amp value (only at the first time) */
+ static void init_amp(struct hda_codec *codec, hda_nid_t nid, int dir, int idx)
+ {
+ unsigned int caps = query_amp_caps(codec, nid, dir);
+ int val = get_amp_val_to_activate(codec, nid, dir, caps, false);
+
+- if (get_wcaps(codec, nid) & AC_WCAP_STEREO)
++ if (is_stereo_amps(codec, nid, dir))
+ snd_hda_codec_amp_init_stereo(codec, nid, dir, idx, 0xff, val);
+ else
+ snd_hda_codec_amp_init(codec, nid, 0, dir, idx, 0xff, val);
+@@ -658,7 +675,7 @@ static void init_amp(struct hda_codec *c
+ static int update_amp(struct hda_codec *codec, hda_nid_t nid, int dir, int idx,
+ unsigned int mask, unsigned int val)
+ {
+- if (get_wcaps(codec, nid) & AC_WCAP_STEREO)
++ if (is_stereo_amps(codec, nid, dir))
+ return snd_hda_codec_amp_stereo(codec, nid, dir, idx,
+ mask, val);
+ else
+--- a/sound/pci/hda/hda_proc.c
++++ b/sound/pci/hda/hda_proc.c
+@@ -129,13 +129,38 @@ static void print_amp_caps(struct snd_in
+ (caps & AC_AMPCAP_MUTE) >> AC_AMPCAP_MUTE_SHIFT);
+ }
+
++/* is this a stereo widget or a stereo-to-mono mix? */
++static bool is_stereo_amps(struct hda_codec *codec, hda_nid_t nid,
++ int dir, unsigned int wcaps, int indices)
++{
++ hda_nid_t conn;
++
++ if (wcaps & AC_WCAP_STEREO)
++ return true;
++ /* check for a stereo-to-mono mix; it must be:
++ * only a single connection, only for input, and only a mixer widget
++ */
++ if (indices != 1 || dir != HDA_INPUT ||
++ get_wcaps_type(wcaps) != AC_WID_AUD_MIX)
++ return false;
++
++ if (snd_hda_get_raw_connections(codec, nid, &conn, 1) < 0)
++ return false;
++ /* the connection source is a stereo? */
++ wcaps = snd_hda_param_read(codec, conn, AC_PAR_AUDIO_WIDGET_CAP);
++ return !!(wcaps & AC_WCAP_STEREO);
++}
++
+ static void print_amp_vals(struct snd_info_buffer *buffer,
+ struct hda_codec *codec, hda_nid_t nid,
+- int dir, int stereo, int indices)
++ int dir, unsigned int wcaps, int indices)
+ {
+ unsigned int val;
++ bool stereo;
+ int i;
+
++ stereo = is_stereo_amps(codec, nid, dir, wcaps, indices);
++
+ dir = dir == HDA_OUTPUT ? AC_AMP_GET_OUTPUT : AC_AMP_GET_INPUT;
+ for (i = 0; i < indices; i++) {
+ snd_iprintf(buffer, " [");
+@@ -682,12 +707,10 @@ static void print_codec_info(struct snd_
+ (codec->single_adc_amp &&
+ wid_type == AC_WID_AUD_IN))
+ print_amp_vals(buffer, codec, nid, HDA_INPUT,
+- wid_caps & AC_WCAP_STEREO,
+- 1);
++ wid_caps, 1);
+ else
+ print_amp_vals(buffer, codec, nid, HDA_INPUT,
+- wid_caps & AC_WCAP_STEREO,
+- conn_len);
++ wid_caps, conn_len);
+ }
+ if (wid_caps & AC_WCAP_OUT_AMP) {
+ snd_iprintf(buffer, " Amp-Out caps: ");
+@@ -696,11 +719,10 @@ static void print_codec_info(struct snd_
+ if (wid_type == AC_WID_PIN &&
+ codec->pin_amp_workaround)
+ print_amp_vals(buffer, codec, nid, HDA_OUTPUT,
+- wid_caps & AC_WCAP_STEREO,
+- conn_len);
++ wid_caps, conn_len);
+ else
+ print_amp_vals(buffer, codec, nid, HDA_OUTPUT,
+- wid_caps & AC_WCAP_STEREO, 1);
++ wid_caps, 1);
+ }
+
+ switch (wid_type) {
--- /dev/null
+From 969439016d2cf61fef53a973d7e6d2061c3793b1 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Mon, 23 Feb 2015 20:37:54 +0100
+Subject: can: add missing initialisations in CAN related skbuffs
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 969439016d2cf61fef53a973d7e6d2061c3793b1 upstream.
+
+When accessing CAN network interfaces with AF_PACKET sockets e.g. by dhclient
+this can lead to a skb_under_panic due to missing skb initialisations.
+
+Add the missing initialisations at the CAN skbuff creation times on driver
+level (rx path) and in the network layer (tx path).
+
+Reported-by: Austin Schuh <austin@peloton-tech.com>
+Reported-by: Daniel Steer <daniel.steer@mclaren.com>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c | 8 ++++++++
+ net/can/af_can.c | 3 +++
+ 2 files changed, 11 insertions(+)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -503,6 +503,14 @@ struct sk_buff *alloc_can_skb(struct net
+ skb->pkt_type = PACKET_BROADCAST;
+ skb->ip_summed = CHECKSUM_UNNECESSARY;
+
++ skb_reset_mac_header(skb);
++ skb_reset_network_header(skb);
++ skb_reset_transport_header(skb);
++
++ skb_reset_mac_header(skb);
++ skb_reset_network_header(skb);
++ skb_reset_transport_header(skb);
++
+ can_skb_reserve(skb);
+ can_skb_prv(skb)->ifindex = dev->ifindex;
+
+--- a/net/can/af_can.c
++++ b/net/can/af_can.c
+@@ -262,6 +262,9 @@ int can_send(struct sk_buff *skb, int lo
+ goto inval_skb;
+ }
+
++ skb->ip_summed = CHECKSUM_UNNECESSARY;
++
++ skb_reset_mac_header(skb);
+ skb_reset_network_header(skb);
+ skb_reset_transport_header(skb);
+
--- /dev/null
+From 283ee1482f349d6c0c09dfb725db5880afc56813 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Date: Thu, 12 Mar 2015 16:26:00 -0700
+Subject: nilfs2: fix deadlock of segment constructor during recovery
+
+From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+
+commit 283ee1482f349d6c0c09dfb725db5880afc56813 upstream.
+
+According to a report from Yuxuan Shui, nilfs2 in kernel 3.19 got stuck
+during recovery at mount time. The code path that caused the deadlock was
+as follows:
+
+ nilfs_fill_super()
+ load_nilfs()
+ nilfs_salvage_orphan_logs()
+ * Do roll-forwarding, attach segment constructor for recovery,
+ and kick it.
+
+ nilfs_segctor_thread()
+ nilfs_segctor_thread_construct()
+ * A lock is held with nilfs_transaction_lock()
+ nilfs_segctor_do_construct()
+ nilfs_segctor_drop_written_files()
+ iput()
+ iput_final()
+ write_inode_now()
+ writeback_single_inode()
+ __writeback_single_inode()
+ do_writepages()
+ nilfs_writepage()
+ nilfs_construct_dsync_segment()
+ nilfs_transaction_lock() --> deadlock
+
+This can happen if commit 7ef3ff2fea8b ("nilfs2: fix deadlock of segment
+constructor over I_SYNC flag") is applied and roll-forward recovery was
+performed at mount time. The roll-forward recovery can happen if datasync
+write is done and the file system crashes immediately after that. For
+instance, we can reproduce the issue with the following steps:
+
+ < nilfs2 is mounted on /nilfs (device: /dev/sdb1) >
+ # dd if=/dev/zero of=/nilfs/test bs=4k count=1 && sync
+ # dd if=/dev/zero of=/nilfs/test conv=notrunc oflag=dsync bs=4k
+ count=1 && reboot -nfh
+ < the system will immediately reboot >
+ # mount -t nilfs2 /dev/sdb1 /nilfs
+
+The deadlock occurs because iput() can run segment constructor through
+writeback_single_inode() if MS_ACTIVE flag is not set on sb->s_flags. The
+above commit changed segment constructor so that it calls iput()
+asynchronously for inodes with i_nlink == 0, but that change was
+imperfect.
+
+This fixes the another deadlock by deferring iput() in segment constructor
+even for the case that mount is not finished, that is, for the case that
+MS_ACTIVE flag is not set.
+
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Reported-by: Yuxuan Shui <yshuiv7@gmail.com>
+Tested-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nilfs2/segment.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/nilfs2/segment.c
++++ b/fs/nilfs2/segment.c
+@@ -1906,6 +1906,7 @@ static void nilfs_segctor_drop_written_f
+ struct the_nilfs *nilfs)
+ {
+ struct nilfs_inode_info *ii, *n;
++ int during_mount = !(sci->sc_super->s_flags & MS_ACTIVE);
+ int defer_iput = false;
+
+ spin_lock(&nilfs->ns_inode_lock);
+@@ -1918,10 +1919,10 @@ static void nilfs_segctor_drop_written_f
+ brelse(ii->i_bh);
+ ii->i_bh = NULL;
+ list_del_init(&ii->i_dirty);
+- if (!ii->vfs_inode.i_nlink) {
++ if (!ii->vfs_inode.i_nlink || during_mount) {
+ /*
+- * Defer calling iput() to avoid a deadlock
+- * over I_SYNC flag for inodes with i_nlink == 0
++ * Defer calling iput() to avoid deadlocks if
++ * i_nlink == 0 or mount is not yet finished.
+ */
+ list_add_tail(&ii->i_dirty, &sci->sc_iput_queue);
+ defer_iput = true;
--- /dev/null
+From 29d62ec5f87fbeec8413e2215ddad12e7f972e4c Mon Sep 17 00:00:00 2001
+From: Doug Anderson <dianders@chromium.org>
+Date: Tue, 3 Mar 2015 15:20:47 -0800
+Subject: regulator: core: Fix enable GPIO reference counting
+
+From: Doug Anderson <dianders@chromium.org>
+
+commit 29d62ec5f87fbeec8413e2215ddad12e7f972e4c upstream.
+
+Normally _regulator_do_enable() isn't called on an already-enabled
+rdev. That's because the main caller, _regulator_enable() always
+calls _regulator_is_enabled() and only calls _regulator_do_enable() if
+the rdev was not already enabled.
+
+However, there is one caller of _regulator_do_enable() that doesn't
+check: regulator_suspend_finish(). While we might want to make
+regulator_suspend_finish() behave more like _regulator_enable(), it's
+probably also a good idea to make _regulator_do_enable() robust if it
+is called on an already enabled rdev.
+
+At the moment, _regulator_do_enable() is _not_ robust for already
+enabled rdevs if we're using an ena_pin. Each time
+_regulator_do_enable() is called for an rdev using an ena_pin the
+reference count of the ena_pin is incremented even if the rdev was
+already enabled. This is not as intended because the ena_pin is for
+something else: for keeping track of how many active rdevs there are
+sharing the same ena_pin.
+
+Here's how the reference counting works here:
+
+* Each time _regulator_enable() is called we increment
+ rdev->use_count, so _regulator_enable() calls need to be balanced
+ with _regulator_disable() calls.
+
+* There is no explicit reference counting in _regulator_do_enable()
+ which is normally just a warapper around rdev->desc->ops->enable()
+ with code for supporting delays. It's not expected that the
+ "ops->enable()" call do reference counting.
+
+* Since regulator_ena_gpio_ctrl() does have reference counting
+ (handling the sharing of the pin amongst multiple rdevs), we
+ shouldn't call it if the current rdev is already enabled.
+
+Note that as part of this we cleanup (remove) the initting of
+ena_gpio_state in regulator_register(). In _regulator_do_enable(),
+_regulator_do_disable() and _regulator_is_enabled() is is clear that
+ena_gpio_state should be the state of whether this particular rdev has
+requested the GPIO be enabled. regulator_register() was initting it
+as the actual state of the pin.
+
+Fixes: 967cfb18c0e3 ("regulator: core: manage enable GPIO list")
+Signed-off-by: Doug Anderson <dianders@chromium.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/core.c | 26 ++++++++++++--------------
+ 1 file changed, 12 insertions(+), 14 deletions(-)
+
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -1596,10 +1596,12 @@ static int _regulator_do_enable(struct r
+ trace_regulator_enable(rdev_get_name(rdev));
+
+ if (rdev->ena_pin) {
+- ret = regulator_ena_gpio_ctrl(rdev, true);
+- if (ret < 0)
+- return ret;
+- rdev->ena_gpio_state = 1;
++ if (!rdev->ena_gpio_state) {
++ ret = regulator_ena_gpio_ctrl(rdev, true);
++ if (ret < 0)
++ return ret;
++ rdev->ena_gpio_state = 1;
++ }
+ } else if (rdev->desc->ops->enable) {
+ ret = rdev->desc->ops->enable(rdev);
+ if (ret < 0)
+@@ -1701,10 +1703,12 @@ static int _regulator_do_disable(struct
+ trace_regulator_disable(rdev_get_name(rdev));
+
+ if (rdev->ena_pin) {
+- ret = regulator_ena_gpio_ctrl(rdev, false);
+- if (ret < 0)
+- return ret;
+- rdev->ena_gpio_state = 0;
++ if (rdev->ena_gpio_state) {
++ ret = regulator_ena_gpio_ctrl(rdev, false);
++ if (ret < 0)
++ return ret;
++ rdev->ena_gpio_state = 0;
++ }
+
+ } else if (rdev->desc->ops->disable) {
+ ret = rdev->desc->ops->disable(rdev);
+@@ -3614,12 +3618,6 @@ regulator_register(const struct regulato
+ config->ena_gpio, ret);
+ goto wash;
+ }
+-
+- if (config->ena_gpio_flags & GPIOF_OUT_INIT_HIGH)
+- rdev->ena_gpio_state = 1;
+-
+- if (config->ena_gpio_invert)
+- rdev->ena_gpio_state = !rdev->ena_gpio_state;
+ }
+
+ /* set regulator constraints */
--- /dev/null
+From 0548bf4f5ad6fc3bd93c4940fa48078b34609682 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
+Date: Mon, 2 Mar 2015 21:40:39 +0100
+Subject: regulator: Only enable disabled regulators on resume
+
+From: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
+
+commit 0548bf4f5ad6fc3bd93c4940fa48078b34609682 upstream.
+
+The _regulator_do_enable() call ought to be a no-op when called on an
+already-enabled regulator. However, as an optimization
+_regulator_enable() doesn't call _regulator_do_enable() on an already
+enabled regulator. That means we never test the case of calling
+_regulator_do_enable() during normal usage and there may be hidden
+bugs or warnings. We have seen warnings issued by the tps65090 driver
+and bugs when using the GPIO enable pin.
+
+Let's match the same optimization that _regulator_enable() in
+regulator_suspend_finish(). That may speed up suspend/resume and also
+avoids exposing hidden bugs.
+
+[Use much clearer commit message from Doug Anderson]
+
+Signed-off-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/core.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -3788,9 +3788,11 @@ int regulator_suspend_finish(void)
+ list_for_each_entry(rdev, ®ulator_list, list) {
+ mutex_lock(&rdev->mutex);
+ if (rdev->use_count > 0 || rdev->constraints->always_on) {
+- error = _regulator_do_enable(rdev);
+- if (error)
+- ret = error;
++ if (!_regulator_is_enabled(rdev)) {
++ error = _regulator_do_enable(rdev);
++ if (error)
++ ret = error;
++ }
+ } else {
+ if (!has_full_constraints)
+ goto unlock;
fuse-notify-don-t-move-pages.patch
virtio_console-init-work-unconditionally.patch
change-email-address-for-8250_pci.patch
+can-add-missing-initialisations-in-can-related-skbuffs.patch
+workqueue-fix-hang-involving-racing-cancel_work_sync-s-for-preempt_none.patch
+tpm-ibmvtpm-additional-le-support-for-tpm_ibmvtpm_send.patch
+spi-pl022-fix-race-in-giveback-leading-to-driver-lock-up.patch
+alsa-control-add-sanity-checks-for-user-ctl-id-name-string.patch
+alsa-hda-fix-built-in-mic-on-compaq-presario-cq60.patch
+alsa-hda-don-t-access-stereo-amps-for-mono-channel-widgets.patch
+alsa-hda-set-single_adc_amp-flag-for-cs420x-codecs.patch
+alsa-hda-add-workaround-for-macbook-air-5-2-built-in-mic.patch
+alsa-hda-treat-stereo-to-mono-mix-properly.patch
+regulator-only-enable-disabled-regulators-on-resume.patch
+regulator-core-fix-enable-gpio-reference-counting.patch
+nilfs2-fix-deadlock-of-segment-constructor-during-recovery.patch
--- /dev/null
+From cd6fa8d2ca53cac3226fdcffcf763be390abae32 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Date: Fri, 27 Feb 2015 16:30:21 +0100
+Subject: spi: pl022: Fix race in giveback() leading to driver lock-up
+
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+
+commit cd6fa8d2ca53cac3226fdcffcf763be390abae32 upstream.
+
+Commit fd316941c ("spi/pl022: disable port when unused") introduced a race,
+which leads to possible driver lock up (easily reproducible on SMP).
+
+The problem happens in giveback() function where the completion of the transfer
+is signalled to SPI subsystem and then the HW SPI controller is disabled. Another
+transfer might be setup in between, which brings driver in locked-up state.
+
+Exact event sequence on SMP:
+
+core0 core1
+
+ => pump_transfers()
+ /* message->state == STATE_DONE */
+ => giveback()
+ => spi_finalize_current_message()
+
+=> pl022_unprepare_transfer_hardware()
+=> pl022_transfer_one_message
+ => flush()
+ => do_interrupt_dma_transfer()
+ => set_up_next_transfer()
+ /* Enable SSP, turn on interrupts */
+ writew((readw(SSP_CR1(pl022->virtbase)) |
+ SSP_CR1_MASK_SSE), SSP_CR1(pl022->virtbase));
+
+...
+
+=> pl022_interrupt_handler()
+ => readwriter()
+
+ /* disable the SPI/SSP operation */
+ => writew((readw(SSP_CR1(pl022->virtbase)) &
+ (~SSP_CR1_MASK_SSE)), SSP_CR1(pl022->virtbase));
+
+Lockup! SPI controller is disabled and the data will never be received. Whole
+SPI subsystem is waiting for transfer ACK and blocked.
+
+So, only signal transfer completion after disabling the controller.
+
+Fixes: fd316941c (spi/pl022: disable port when unused)
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-pl022.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-pl022.c
++++ b/drivers/spi/spi-pl022.c
+@@ -508,12 +508,12 @@ static void giveback(struct pl022 *pl022
+ pl022->cur_msg = NULL;
+ pl022->cur_transfer = NULL;
+ pl022->cur_chip = NULL;
+- spi_finalize_current_message(pl022->master);
+
+ /* disable the SPI/SSP operation */
+ writew((readw(SSP_CR1(pl022->virtbase)) &
+ (~SSP_CR1_MASK_SSE)), SSP_CR1(pl022->virtbase));
+
++ spi_finalize_current_message(pl022->master);
+ }
+
+ /**
--- /dev/null
+From 62dfd912ab3b5405b6fe72d0135c37e9648071f1 Mon Sep 17 00:00:00 2001
+From: "jmlatten@linux.vnet.ibm.com" <jmlatten@linux.vnet.ibm.com>
+Date: Fri, 20 Feb 2015 18:11:24 -0600
+Subject: tpm/ibmvtpm: Additional LE support for tpm_ibmvtpm_send
+
+From: "jmlatten@linux.vnet.ibm.com" <jmlatten@linux.vnet.ibm.com>
+
+commit 62dfd912ab3b5405b6fe72d0135c37e9648071f1 upstream.
+
+Problem: When IMA and VTPM are both enabled in kernel config,
+kernel hangs during bootup on LE OS.
+
+Why?: IMA calls tpm_pcr_read() which results in tpm_ibmvtpm_send
+and tpm_ibmtpm_recv getting called. A trace showed that
+tpm_ibmtpm_recv was hanging.
+
+Resolution: tpm_ibmtpm_recv was hanging because tpm_ibmvtpm_send
+was sending CRQ message that probably did not make much sense
+to phype because of Endianness. The fix below sends correctly
+converted CRQ for LE. This was not caught before because it
+seems IMA is not enabled by default in kernel config and
+IMA exercises this particular code path in vtpm.
+
+Tested with IMA and VTPM enabled in kernel config and VTPM
+enabled on both a BE OS and a LE OS ppc64 lpar. This exercised
+CRQ and TPM command code paths in vtpm.
+Patch is against Peter's tpmdd tree on github which included
+Vicky's previous vtpm le patches.
+
+Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
+Reviewed-by: Ashley Lai <ashley@ahsleylai.com>
+Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm_ibmvtpm.c | 10 +++++-----
+ drivers/char/tpm/tpm_ibmvtpm.h | 6 +++---
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/char/tpm/tpm_ibmvtpm.c
++++ b/drivers/char/tpm/tpm_ibmvtpm.c
+@@ -124,7 +124,7 @@ static int tpm_ibmvtpm_send(struct tpm_c
+ {
+ struct ibmvtpm_dev *ibmvtpm;
+ struct ibmvtpm_crq crq;
+- u64 *word = (u64 *) &crq;
++ __be64 *word = (__be64 *)&crq;
+ int rc;
+
+ ibmvtpm = (struct ibmvtpm_dev *)TPM_VPRIV(chip);
+@@ -145,11 +145,11 @@ static int tpm_ibmvtpm_send(struct tpm_c
+ memcpy((void *)ibmvtpm->rtce_buf, (void *)buf, count);
+ crq.valid = (u8)IBMVTPM_VALID_CMD;
+ crq.msg = (u8)VTPM_TPM_COMMAND;
+- crq.len = (u16)count;
+- crq.data = ibmvtpm->rtce_dma_handle;
++ crq.len = cpu_to_be16(count);
++ crq.data = cpu_to_be32(ibmvtpm->rtce_dma_handle);
+
+- rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(word[0]),
+- cpu_to_be64(word[1]));
++ rc = ibmvtpm_send_crq(ibmvtpm->vdev, be64_to_cpu(word[0]),
++ be64_to_cpu(word[1]));
+ if (rc != H_SUCCESS) {
+ dev_err(ibmvtpm->dev, "tpm_ibmvtpm_send failed rc=%d\n", rc);
+ rc = 0;
+--- a/drivers/char/tpm/tpm_ibmvtpm.h
++++ b/drivers/char/tpm/tpm_ibmvtpm.h
+@@ -22,9 +22,9 @@
+ struct ibmvtpm_crq {
+ u8 valid;
+ u8 msg;
+- u16 len;
+- u32 data;
+- u64 reserved;
++ __be16 len;
++ __be32 data;
++ __be64 reserved;
+ } __attribute__((packed, aligned(8)));
+
+ struct ibmvtpm_crq_queue {
--- /dev/null
+From 8603e1b30027f943cc9c1eef2b291d42c3347af1 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Thu, 5 Mar 2015 08:04:13 -0500
+Subject: workqueue: fix hang involving racing cancel[_delayed]_work_sync()'s for PREEMPT_NONE
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 8603e1b30027f943cc9c1eef2b291d42c3347af1 upstream.
+
+cancel[_delayed]_work_sync() are implemented using
+__cancel_work_timer() which grabs the PENDING bit using
+try_to_grab_pending() and then flushes the work item with PENDING set
+to prevent the on-going execution of the work item from requeueing
+itself.
+
+try_to_grab_pending() can always grab PENDING bit without blocking
+except when someone else is doing the above flushing during
+cancelation. In that case, try_to_grab_pending() returns -ENOENT. In
+this case, __cancel_work_timer() currently invokes flush_work(). The
+assumption is that the completion of the work item is what the other
+canceling task would be waiting for too and thus waiting for the same
+condition and retrying should allow forward progress without excessive
+busy looping
+
+Unfortunately, this doesn't work if preemption is disabled or the
+latter task has real time priority. Let's say task A just got woken
+up from flush_work() by the completion of the target work item. If,
+before task A starts executing, task B gets scheduled and invokes
+__cancel_work_timer() on the same work item, its try_to_grab_pending()
+will return -ENOENT as the work item is still being canceled by task A
+and flush_work() will also immediately return false as the work item
+is no longer executing. This puts task B in a busy loop possibly
+preventing task A from executing and clearing the canceling state on
+the work item leading to a hang.
+
+task A task B worker
+
+ executing work
+__cancel_work_timer()
+ try_to_grab_pending()
+ set work CANCELING
+ flush_work()
+ block for work completion
+ completion, wakes up A
+ __cancel_work_timer()
+ while (forever) {
+ try_to_grab_pending()
+ -ENOENT as work is being canceled
+ flush_work()
+ false as work is no longer executing
+ }
+
+This patch removes the possible hang by updating __cancel_work_timer()
+to explicitly wait for clearing of CANCELING rather than invoking
+flush_work() after try_to_grab_pending() fails with -ENOENT.
+
+Link: http://lkml.kernel.org/g/20150206171156.GA8942@axis.com
+
+v3: bit_waitqueue() can't be used for work items defined in vmalloc
+ area. Switched to custom wake function which matches the target
+ work item and exclusive wait and wakeup.
+
+v2: v1 used wake_up() on bit_waitqueue() which leads to NULL deref if
+ the target bit waitqueue has wait_bit_queue's on it. Use
+ DEFINE_WAIT_BIT() and __wake_up_bit() instead. Reported by Tomeu
+ Vizoso.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Rabin Vincent <rabin.vincent@axis.com>
+Cc: Tomeu Vizoso <tomeu.vizoso@gmail.com>
+Tested-by: Jesper Nilsson <jesper.nilsson@axis.com>
+Tested-by: Rabin Vincent <rabin.vincent@axis.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/workqueue.h | 3 +-
+ kernel/workqueue.c | 56 ++++++++++++++++++++++++++++++++++++++++++----
+ 2 files changed, 54 insertions(+), 5 deletions(-)
+
+--- a/include/linux/workqueue.h
++++ b/include/linux/workqueue.h
+@@ -71,7 +71,8 @@ enum {
+ /* data contains off-queue information when !WORK_STRUCT_PWQ */
+ WORK_OFFQ_FLAG_BASE = WORK_STRUCT_COLOR_SHIFT,
+
+- WORK_OFFQ_CANCELING = (1 << WORK_OFFQ_FLAG_BASE),
++ __WORK_OFFQ_CANCELING = WORK_OFFQ_FLAG_BASE,
++ WORK_OFFQ_CANCELING = (1 << __WORK_OFFQ_CANCELING),
+
+ /*
+ * When a work item is off queue, its high bits point to the last
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -2861,19 +2861,57 @@ bool flush_work(struct work_struct *work
+ }
+ EXPORT_SYMBOL_GPL(flush_work);
+
++struct cwt_wait {
++ wait_queue_t wait;
++ struct work_struct *work;
++};
++
++static int cwt_wakefn(wait_queue_t *wait, unsigned mode, int sync, void *key)
++{
++ struct cwt_wait *cwait = container_of(wait, struct cwt_wait, wait);
++
++ if (cwait->work != key)
++ return 0;
++ return autoremove_wake_function(wait, mode, sync, key);
++}
++
+ static bool __cancel_work_timer(struct work_struct *work, bool is_dwork)
+ {
++ static DECLARE_WAIT_QUEUE_HEAD(cancel_waitq);
+ unsigned long flags;
+ int ret;
+
+ do {
+ ret = try_to_grab_pending(work, is_dwork, &flags);
+ /*
+- * If someone else is canceling, wait for the same event it
+- * would be waiting for before retrying.
++ * If someone else is already canceling, wait for it to
++ * finish. flush_work() doesn't work for PREEMPT_NONE
++ * because we may get scheduled between @work's completion
++ * and the other canceling task resuming and clearing
++ * CANCELING - flush_work() will return false immediately
++ * as @work is no longer busy, try_to_grab_pending() will
++ * return -ENOENT as @work is still being canceled and the
++ * other canceling task won't be able to clear CANCELING as
++ * we're hogging the CPU.
++ *
++ * Let's wait for completion using a waitqueue. As this
++ * may lead to the thundering herd problem, use a custom
++ * wake function which matches @work along with exclusive
++ * wait and wakeup.
+ */
+- if (unlikely(ret == -ENOENT))
+- flush_work(work);
++ if (unlikely(ret == -ENOENT)) {
++ struct cwt_wait cwait;
++
++ init_wait(&cwait.wait);
++ cwait.wait.func = cwt_wakefn;
++ cwait.work = work;
++
++ prepare_to_wait_exclusive(&cancel_waitq, &cwait.wait,
++ TASK_UNINTERRUPTIBLE);
++ if (work_is_canceling(work))
++ schedule();
++ finish_wait(&cancel_waitq, &cwait.wait);
++ }
+ } while (unlikely(ret < 0));
+
+ /* tell other tasks trying to grab @work to back off */
+@@ -2882,6 +2920,16 @@ static bool __cancel_work_timer(struct w
+
+ flush_work(work);
+ clear_work_data(work);
++
++ /*
++ * Paired with prepare_to_wait() above so that either
++ * waitqueue_active() is visible here or !work_is_canceling() is
++ * visible there.
++ */
++ smp_mb();
++ if (waitqueue_active(&cancel_waitq))
++ __wake_up(&cancel_waitq, TASK_NORMAL, 1, work);
++
+ return ret;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
