--- /dev/null
+From 9e92f48c34eb2b9af9d12f892e2fe1fce5e8ce35 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Tue, 22 Mar 2016 16:13:15 -0400
+Subject: ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 9e92f48c34eb2b9af9d12f892e2fe1fce5e8ce35 upstream.
+
+We aren't checking to see if the in-inode extended attribute is
+corrupted before we try to expand the inode's extra isize fields.
+
+This can lead to potential crashes caused by the BUG_ON() check in
+ext4_xattr_shift_entries().
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/xattr.c | 32 ++++++++++++++++++++++++++++----
+ 1 file changed, 28 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -233,6 +233,27 @@ ext4_xattr_check_block(struct inode *ino
+ return error;
+ }
+
++static int
++__xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header,
++ void *end, const char *function, unsigned int line)
++{
++ struct ext4_xattr_entry *entry = IFIRST(header);
++ int error = -EFSCORRUPTED;
++
++ if (((void *) header >= end) ||
++ (header->h_magic != le32_to_cpu(EXT4_XATTR_MAGIC)))
++ goto errout;
++ error = ext4_xattr_check_names(entry, end, entry);
++errout:
++ if (error)
++ __ext4_error_inode(inode, function, line, 0,
++ "corrupted in-inode xattr");
++ return error;
++}
++
++#define xattr_check_inode(inode, header, end) \
++ __xattr_check_inode((inode), (header), (end), __func__, __LINE__)
++
+ static inline int
+ ext4_xattr_check_entry(struct ext4_xattr_entry *entry, size_t size)
+ {
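Review bot: The bounds test in `__xattr_check_inode()` rejects only `header >= end`, so a header that begins in the last few bytes before `end` still has `h_magic` read partly past the inode body. On a corrupted or crafted image that is an out-of-bounds read inside the check meant to catch the corruption. Requiring the whole header to fit closes it: `if ((void *)(header + 1) > end || header->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC))`. The same condition converts in the wrong direction: `le32_to_cpu(EXT4_XATTR_MAGIC)` gives the same number, but `cpu_to_le32()` is what an on-disk little-endian field calls for (assuming `h_magic` is `__le32`, as the conversion suggests). The identical helper is added again by the second copy of this ext4 patch further down the page.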
+@@ -344,7 +365,7 @@ ext4_xattr_ibody_get(struct inode *inode
+ header = IHDR(inode, raw_inode);
+ entry = IFIRST(header);
+ end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+- error = ext4_xattr_check_names(entry, end, entry);
++ error = xattr_check_inode(inode, header, end);
+ if (error)
+ goto cleanup;
+ error = ext4_xattr_find_entry(&entry, name_index, name,
+@@ -476,7 +497,7 @@ ext4_xattr_ibody_list(struct dentry *den
+ raw_inode = ext4_raw_inode(&iloc);
+ header = IHDR(inode, raw_inode);
+ end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+- error = ext4_xattr_check_names(IFIRST(header), end, IFIRST(header));
++ error = xattr_check_inode(inode, header, end);
+ if (error)
+ goto cleanup;
+ error = ext4_xattr_list_entries(dentry, IFIRST(header),
+@@ -993,8 +1014,7 @@ int ext4_xattr_ibody_find(struct inode *
+ is->s.here = is->s.first;
+ is->s.end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+ if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) {
+- error = ext4_xattr_check_names(IFIRST(header), is->s.end,
+- IFIRST(header));
++ error = xattr_check_inode(inode, header, is->s.end);
+ if (error)
+ return error;
+ /* Find the named attribute. */
+@@ -1291,6 +1311,10 @@ retry:
+ last = entry;
+ total_ino = sizeof(struct ext4_xattr_ibody_header);
+
++ error = xattr_check_inode(inode, header, end);
++ if (error)
++ goto cleanup;
++
+ free = ext4_xattr_free_space(last, &min_offs, base, &total_ino);
+ if (free >= new_extra_isize) {
+ entry = IFIRST(header);
--- /dev/null
+From 816b0acf3deb6d6be5d0519b286fdd4bafade905 Mon Sep 17 00:00:00 2001
+From: Wei Fang <fangwei1@huawei.com>
+Date: Mon, 21 Mar 2016 19:18:32 +0800
+Subject: md:raid1: fix a dead loop when read from a WriteMostly disk
+
+From: Wei Fang <fangwei1@huawei.com>
+
+commit 816b0acf3deb6d6be5d0519b286fdd4bafade905 upstream.
+
+If first_bad == this_sector when we get the WriteMostly disk
+in read_balance(), valid disk will be returned with zero
+max_sectors. It'll lead to a dead loop in make_request(), and
+OOM will happen because of endless allocation of struct bio.
+
+Since we can't get data from this disk in this case, so
+continue for another disk.
+
+Signed-off-by: Wei Fang <fangwei1@huawei.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -563,7 +563,7 @@ static int read_balance(struct r1conf *c
+ if (best_dist_disk < 0) {
+ if (is_badblock(rdev, this_sector, sectors,
+ &first_bad, &bad_sectors)) {
+- if (first_bad < this_sector)
++ if (first_bad <= this_sector)
+ /* Cannot use this */
+ continue;
+ best_good_sectors = first_bad - this_sector;
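Review bot: The comment `/* Cannot use this */` does not say why the equality case is now rejected, which makes the `<=` look like an off-by-one to a later reader. Something like `/* bad range starts at or before this_sector: zero readable sectors on this disk */` would record the reason given in the commit message. read_balance() starts and ends outside the hunk; the same hunk appears again in the second copy of this raid1 patch further down the page.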
--- /dev/null
+From c80e1b62ffca52e2d1d865ee58bc79c4c0c55005 Mon Sep 17 00:00:00 2001
+From: Corey Minyard <cminyard@mvista.com>
+Date: Mon, 11 Apr 2016 09:10:19 -0500
+Subject: MIPS: Fix crash registers on non-crashing CPUs
+
+From: Corey Minyard <cminyard@mvista.com>
+
+commit c80e1b62ffca52e2d1d865ee58bc79c4c0c55005 upstream.
+
+As part of handling a crash on an SMP system, an IPI is send to
+all other CPUs to save their current registers and stop. It was
+using task_pt_regs(current) to get the registers, but that will
+only be accurate if the CPU was interrupted running in userland.
+Instead allow the architecture to pass in the registers (all
+pass NULL now, but allow for the future) and then use get_irq_regs()
+which should be accurate as we are in an interrupt. Fall back to
+task_pt_regs(current) if nothing else is available.
+
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Cc: David Daney <ddaney@caviumnetworks.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/13050/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/crash.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/kernel/crash.c
++++ b/arch/mips/kernel/crash.c
+@@ -14,12 +14,22 @@ static int crashing_cpu = -1;
+ static cpumask_t cpus_in_crash = CPU_MASK_NONE;
+
+ #ifdef CONFIG_SMP
+-static void crash_shutdown_secondary(void *ignore)
++static void crash_shutdown_secondary(void *passed_regs)
+ {
+- struct pt_regs *regs;
++ struct pt_regs *regs = passed_regs;
+ int cpu = smp_processor_id();
+
+- regs = task_pt_regs(current);
++ /*
++ * If we are passed registers, use those. Otherwise get the
++ * regs from the last interrupt, which should be correct, as
++ * we are in an interrupt. But if the regs are not there,
++ * pull them from the top of the stack. They are probably
++ * wrong, but we need something to keep from crashing again.
++ */
++ if (!regs)
++ regs = get_irq_regs();
++ if (!regs)
++ regs = task_pt_regs(current);
+
+ if (!cpu_online(cpu))
+ return;
--- /dev/null
+From e47db94e10447fc467777a40302f2b393e9af2fa Mon Sep 17 00:00:00 2001
+From: "santosh.shilimkar@oracle.com" <santosh.shilimkar@oracle.com>
+Date: Thu, 14 Apr 2016 10:43:27 -0700
+Subject: RDS: Fix the atomicity for congestion map update
+
+From: santosh.shilimkar@oracle.com <santosh.shilimkar@oracle.com>
+
+commit e47db94e10447fc467777a40302f2b393e9af2fa upstream.
+
+Two different threads with different rds sockets may be in
+rds_recv_rcvbuf_delta() via receive path. If their ports
+both map to the same word in the congestion map, then
+using non-atomic ops to update it could cause the map to
+be incorrect. Lets use atomics to avoid such an issue.
+
+Full credit to Wengang <wen.gang.wang@oracle.com> for
+finding the issue, analysing it and also pointing out
+to offending code with spin lock based fix.
+
+Reviewed-by: Leon Romanovsky <leon@leon.nu>
+Signed-off-by: Wengang Wang <wen.gang.wang@oracle.com>
+Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rds/cong.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/rds/cong.c
++++ b/net/rds/cong.c
+@@ -285,7 +285,7 @@ void rds_cong_set_bit(struct rds_cong_ma
+ i = be16_to_cpu(port) / RDS_CONG_MAP_PAGE_BITS;
+ off = be16_to_cpu(port) % RDS_CONG_MAP_PAGE_BITS;
+
+- __set_bit_le(off, (void *)map->m_page_addrs[i]);
++ set_bit_le(off, (void *)map->m_page_addrs[i]);
+ }
+
+ void rds_cong_clear_bit(struct rds_cong_map *map, __be16 port)
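Review bot: Nothing at the call site records why `set_bit_le()` replaces `__set_bit_le()`, so the atomic variant could later be reverted as a micro-optimisation. A one-line comment above the call would pin it, e.g. `/* atomic: concurrent receive paths may update the same word of the map */`. The same applies to `clear_bit_le()` in the next hunk, and to both hunks of the second copy of this RDS patch further down the page. Both function bodies start outside their hunks.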
+@@ -299,7 +299,7 @@ void rds_cong_clear_bit(struct rds_cong_
+ i = be16_to_cpu(port) / RDS_CONG_MAP_PAGE_BITS;
+ off = be16_to_cpu(port) % RDS_CONG_MAP_PAGE_BITS;
+
+- __clear_bit_le(off, (void *)map->m_page_addrs[i]);
++ clear_bit_le(off, (void *)map->m_page_addrs[i]);
+ }
+
+ static int rds_cong_test_bit(struct rds_cong_map *map, __be16 port)
--- /dev/null
+From 03d27ade4941076b34c823d63d91dc895731a595 Mon Sep 17 00:00:00 2001
+From: "Felipe F. Tonello" <eu@felipetonello.com>
+Date: Wed, 9 Mar 2016 19:39:30 +0000
+Subject: usb: gadget: f_midi: Fixed a bug when buflen was smaller than wMaxPacketSize
+
+From: Felipe F. Tonello <eu@felipetonello.com>
+
+commit 03d27ade4941076b34c823d63d91dc895731a595 upstream.
+
+buflen by default (256) is smaller than wMaxPacketSize (512) in high-speed
+devices.
+
+That caused the OUT endpoint to freeze if the host send any data packet of
+length greater than 256 bytes.
+
+This is an example dump of what happended on that enpoint:
+HOST: [DATA][Length=260][...]
+DEVICE: [NAK]
+HOST: [PING]
+DEVICE: [NAK]
+HOST: [PING]
+DEVICE: [NAK]
+...
+HOST: [PING]
+DEVICE: [NAK]
+
+This patch fixes this problem by setting the minimum usb_request's buffer size
+for the OUT endpoint as its wMaxPacketSize.
+
+Acked-by: Michal Nazarewicz <mina86@mina86.com>
+Signed-off-by: Felipe F. Tonello <eu@felipetonello.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_midi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_midi.c
++++ b/drivers/usb/gadget/function/f_midi.c
+@@ -357,7 +357,9 @@ static int f_midi_set_alt(struct usb_fun
+ /* allocate a bunch of read buffers and queue them all at once. */
+ for (i = 0; i < midi->qlen && err == 0; i++) {
+ struct usb_request *req =
+- midi_alloc_ep_req(midi->out_ep, midi->buflen);
++ midi_alloc_ep_req(midi->out_ep,
++ max_t(unsigned, midi->buflen,
++ bulk_out_desc.wMaxPacketSize));
+ if (req == NULL)
+ return -ENOMEM;
+
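Review bot: `bulk_out_desc.wMaxPacketSize` is handed to `max_t(unsigned, ...)` as a raw descriptor field. USB descriptor fields are little-endian, so on a big-endian CPU 512 is read as 2, the request buffer stays at `buflen`, and the stall described in the commit message remains. Converting first avoids that: `le16_to_cpu(bulk_out_desc.wMaxPacketSize)`. The descriptor's definition is outside the hunk, so it is also worth confirming that it holds the high-speed value when `f_midi_set_alt()` runs; if the endpoint already carries the negotiated size, `midi->out_ep->maxpacket` would be the more direct source.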
--- /dev/null
+From c06b6d70feb32d28f04ba37aa3df17973fd37b6b Mon Sep 17 00:00:00 2001
+From: Stefano Stabellini <sstabellini@kernel.org>
+Date: Fri, 15 Apr 2016 18:23:00 -0700
+Subject: xen/x86: don't lose event interrupts
+
+From: Stefano Stabellini <sstabellini@kernel.org>
+
+commit c06b6d70feb32d28f04ba37aa3df17973fd37b6b upstream.
+
+On slow platforms with unreliable TSC, such as QEMU emulated machines,
+it is possible for the kernel to request the next event in the past. In
+that case, in the current implementation of xen_vcpuop_clockevent, we
+simply return -ETIME. To be precise the Xen returns -ETIME and we pass
+it on. However the result of this is a missed event, which simply causes
+the kernel to hang.
+
+Instead it is better to always ask the hypervisor for a timer event,
+even if the timeout is in the past. That way there are no lost
+interrupts and the kernel survives. To do that, remove the
+VCPU_SSHOTTMR_future flag.
+
+Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
+Acked-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/xen/time.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/xen/time.c
++++ b/arch/x86/xen/time.c
+@@ -362,11 +362,11 @@ static int xen_vcpuop_set_next_event(uns
+ WARN_ON(evt->mode != CLOCK_EVT_MODE_ONESHOT);
+
+ single.timeout_abs_ns = get_abs_timeout(delta);
+- single.flags = VCPU_SSHOTTMR_future;
++ /* Get an event anyway, even if the timeout is already expired */
++ single.flags = 0;
+
+ ret = HYPERVISOR_vcpu_op(VCPUOP_set_singleshot_timer, cpu, &single);
+-
+- BUG_ON(ret != 0 && ret != -ETIME);
++ BUG_ON(ret != 0);
+
+ return ret;
+ }
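Review bot: `BUG_ON(ret != 0)` now turns every non-zero return from `HYPERVISOR_vcpu_op()` into a guest panic, including the `-ETIME` the old assertion tolerated. The commit message implies the hypervisor no longer reports `-ETIME` once `VCPU_SSHOTTMR_future` is cleared, but that assumption is not recorded next to the assertion. A comment such as `/* without VCPU_SSHOTTMR_future an expired timeout is not expected to fail with -ETIME */` would stop a later reader from restoring the old condition. With the assertion in place `ret` is always 0 at the `return`, so `return 0;` would say so directly. The function body starts outside the hunk.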
--- /dev/null
+From 970f9091d25df14e9540ec7ff48a2f709e284cd1 Mon Sep 17 00:00:00 2001
+From: Tero Kristo <t-kristo@ti.com>
+Date: Thu, 16 Jun 2016 15:25:18 +0300
+Subject: ARM: OMAP2+: timer: add probe for clocksources
+
+From: Tero Kristo <t-kristo@ti.com>
+
+commit 970f9091d25df14e9540ec7ff48a2f709e284cd1 upstream.
+
+A few platforms are currently missing clocksource_probe() completely
+in their time_init functionality. On OMAP3430 for example, this is
+causing cpuidle to be pretty much dead, as the counter32k is not
+going to be registered and instead a gptimer is used as a clocksource.
+This will tick in periodic mode, preventing any deeper idle states.
+
+While here, also drop one unnecessary check for populated DT before
+existing clocksource_probe() call.
+
+Signed-off-by: Tero Kristo <t-kristo@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-omap2/timer.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mach-omap2/timer.c
++++ b/arch/arm/mach-omap2/timer.c
+@@ -496,8 +496,7 @@ void __init omap_init_time(void)
+ __omap_sync32k_timer_init(1, "timer_32k_ck", "ti,timer-alwon",
+ 2, "timer_sys_ck", NULL, false);
+
+- if (of_have_populated_dt())
+- clocksource_probe();
++ clocksource_probe();
+ }
+
+ #if defined(CONFIG_ARCH_OMAP3) || defined(CONFIG_SOC_AM43XX)
+@@ -505,6 +504,8 @@ void __init omap3_secure_sync32k_timer_i
+ {
+ __omap_sync32k_timer_init(12, "secure_32k_fck", "ti,timer-secure",
+ 2, "timer_sys_ck", NULL, false);
++
++ clocksource_probe();
+ }
+ #endif /* CONFIG_ARCH_OMAP3 */
+
+@@ -513,6 +514,8 @@ void __init omap3_gptimer_timer_init(voi
+ {
+ __omap_sync32k_timer_init(2, "timer_sys_ck", NULL,
+ 1, "timer_sys_ck", "ti,timer-alwon", true);
++
++ clocksource_probe();
+ }
+ #endif
+
--- /dev/null
+From 6e17b4181603d183d20c73f4535529ddf2a2a020 Mon Sep 17 00:00:00 2001
+From: Krzysztof Adamski <k@japko.eu>
+Date: Mon, 22 Feb 2016 14:03:25 +0100
+Subject: clk: sunxi: Add apb0 gates for H3
+
+From: Krzysztof Adamski <k@japko.eu>
+
+commit 6e17b4181603d183d20c73f4535529ddf2a2a020 upstream.
+
+This patch adds support for APB0 in H3. It seems to be compatible with
+earlier SOCs. apb0 gates controls R_ block peripherals (R_PIO, R_IR,
+etc).
+
+Since this gates behave just like any Allwinner clock gate, add a generic
+compatible that can be reused if we don't have any clock to protect.
+
+Signed-off-by: Krzysztof Adamski <k@japko.eu>
+[Maxime: Removed the H3 compatible from the simple-gates driver, reworked
+ the commit log a bit]
+Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/devicetree/bindings/clock/sunxi.txt | 2 ++
+ drivers/clk/sunxi/clk-simple-gates.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/Documentation/devicetree/bindings/clock/sunxi.txt
++++ b/Documentation/devicetree/bindings/clock/sunxi.txt
+@@ -18,6 +18,7 @@ Required properties:
+ "allwinner,sun4i-a10-cpu-clk" - for the CPU multiplexer clock
+ "allwinner,sun4i-a10-axi-clk" - for the AXI clock
+ "allwinner,sun8i-a23-axi-clk" - for the AXI clock on A23
++ "allwinner,sun4i-a10-gates-clk" - for generic gates on all compatible SoCs
+ "allwinner,sun4i-a10-axi-gates-clk" - for the AXI gates
+ "allwinner,sun4i-a10-ahb-clk" - for the AHB clock
+ "allwinner,sun5i-a13-ahb-clk" - for the AHB clock on A13
+@@ -43,6 +44,7 @@ Required properties:
+ "allwinner,sun6i-a31-apb0-gates-clk" - for the APB0 gates on A31
+ "allwinner,sun7i-a20-apb0-gates-clk" - for the APB0 gates on A20
+ "allwinner,sun8i-a23-apb0-gates-clk" - for the APB0 gates on A23
++ "allwinner,sun8i-h3-apb0-gates-clk" - for the APB0 gates on H3
+ "allwinner,sun9i-a80-apb0-gates-clk" - for the APB0 gates on A80
+ "allwinner,sun4i-a10-apb1-clk" - for the APB1 clock
+ "allwinner,sun9i-a80-apb1-clk" - for the APB1 bus clock on A80
+--- a/drivers/clk/sunxi/clk-simple-gates.c
++++ b/drivers/clk/sunxi/clk-simple-gates.c
+@@ -98,6 +98,8 @@ static void __init sunxi_simple_gates_in
+ sunxi_simple_gates_setup(node, NULL, 0);
+ }
+
++CLK_OF_DECLARE(sun4i_a10_gates, "allwinner,sun4i-a10-gates-clk",
++ sunxi_simple_gates_init);
+ CLK_OF_DECLARE(sun4i_a10_apb0, "allwinner,sun4i-a10-apb0-gates-clk",
+ sunxi_simple_gates_init);
+ CLK_OF_DECLARE(sun4i_a10_apb1, "allwinner,sun4i-a10-apb1-gates-clk",
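Review bot: This hunk registers only the generic `allwinner,sun4i-a10-gates-clk`, while the binding text added by the same patch also lists `allwinner,sun8i-h3-apb0-gates-clk`; no `CLK_OF_DECLARE` for the H3 string is visible here. As far as these hunks show, a node carrying only the H3 compatible would not be matched by this driver. The binding entry should state that the H3 string is to be followed by the generic one, e.g. `- for the APB0 gates on H3 (list "allwinner,sun4i-a10-gates-clk" as fallback)`.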
--- /dev/null
+From abfa7f4357e3640fdee87dfc276fd0f379fb5ae6 Mon Sep 17 00:00:00 2001
+From: Jerome Marchand <jmarchan@redhat.com>
+Date: Wed, 3 Feb 2016 13:58:12 +0100
+Subject: crypto: testmgr - fix out of bound read in __test_aead()
+
+From: Jerome Marchand <jmarchan@redhat.com>
+
+commit abfa7f4357e3640fdee87dfc276fd0f379fb5ae6 upstream.
+
+__test_aead() reads MAX_IVLEN bytes from template[i].iv, but the
+actual length of the initialisation vector can be shorter.
+The length of the IV is already calculated earlier in the
+function. Let's just reuses that. Also the IV length is currently
+calculated several time for no reason. Let's fix that too.
+This fix an out-of-bound error detected by KASan.
+
+Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/testmgr.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/crypto/testmgr.c
++++ b/crypto/testmgr.c
+@@ -488,6 +488,8 @@ static int __test_aead(struct crypto_aea
+ aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
+ tcrypt_complete, &result);
+
++ iv_len = crypto_aead_ivsize(tfm);
++
+ for (i = 0, j = 0; i < tcount; i++) {
+ if (template[i].np)
+ continue;
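Review bot: `iv_len` is taken directly from `crypto_aead_ivsize(tfm)` and then used as the copy length into `iv`, but none of these hunks compares it with the buffer's capacity. The `memset(iv, 0, MAX_IVLEN)` in the last hunk suggests `iv` holds `MAX_IVLEN` bytes (its allocation is outside the hunks); if so, a transform reporting a larger IV size would turn the over-read this commit fixes into an overflow of `iv`. A guard right after the assignment, `if (WARN_ON(iv_len > MAX_IVLEN))`, leaving through the function's existing error exit with `-EINVAL`, would bound it. The `else` branches still clear `MAX_IVLEN` bytes while the copy writes `iv_len`; that is harmless but worth a short comment. `__test_aead()` starts and ends outside the hunks.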
+@@ -508,7 +510,6 @@ static int __test_aead(struct crypto_aea
+
+ memcpy(input, template[i].input, template[i].ilen);
+ memcpy(assoc, template[i].assoc, template[i].alen);
+- iv_len = crypto_aead_ivsize(tfm);
+ if (template[i].iv)
+ memcpy(iv, template[i].iv, iv_len);
+ else
+@@ -617,7 +618,7 @@ static int __test_aead(struct crypto_aea
+ j++;
+
+ if (template[i].iv)
+- memcpy(iv, template[i].iv, MAX_IVLEN);
++ memcpy(iv, template[i].iv, iv_len);
+ else
+ memset(iv, 0, MAX_IVLEN);
+
--- /dev/null
+From 484f689fc9d4eb91c68f53e97dc355b1b06c3edb Mon Sep 17 00:00:00 2001
+From: tom will <os@iscas.ac.cn>
+Date: Mon, 16 May 2016 10:31:07 -0400
+Subject: drm/amdgpu: fix array out of bounds
+
+From: tom will <os@iscas.ac.cn>
+
+commit 484f689fc9d4eb91c68f53e97dc355b1b06c3edb upstream.
+
+When the initial value of i is greater than zero,
+it may cause endless loop, resulting in array out
+of bounds, fix it.
+
+This is a port of the radeon fix to amdgpu.
+
+Signed-off-by: tom will <os@iscas.ac.cn>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/kv_dpm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c
++++ b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c
+@@ -2258,7 +2258,7 @@ static void kv_apply_state_adjust_rules(
+ if (pi->caps_stable_p_state) {
+ stable_p_state_sclk = (max_limits->sclk * 75) / 100;
+
+- for (i = table->count - 1; i >= 0; i++) {
++ for (i = table->count - 1; i >= 0; i--) {
+ if (stable_p_state_sclk >= table->entries[i].clk) {
+ stable_p_state_sclk = table->entries[i].clk;
+ break;
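Review bot: The corrected loop `for (i = table->count - 1; i >= 0; i--)` terminates only if `i` is a signed type, and its declaration is outside the hunk. With an unsigned index the decrement from 0 wraps and `table->entries[i]` is read far out of bounds, which is the same class of fault this commit removes. Confirming `int i` (or restructuring as `for (i = table->count; i-- > 0; )`) would make the bound independent of the declaration. The function body starts and ends outside the hunk.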
--- /dev/null
+From 9e92f48c34eb2b9af9d12f892e2fe1fce5e8ce35 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Tue, 22 Mar 2016 16:13:15 -0400
+Subject: ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 9e92f48c34eb2b9af9d12f892e2fe1fce5e8ce35 upstream.
+
+We aren't checking to see if the in-inode extended attribute is
+corrupted before we try to expand the inode's extra isize fields.
+
+This can lead to potential crashes caused by the BUG_ON() check in
+ext4_xattr_shift_entries().
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/xattr.c | 32 ++++++++++++++++++++++++++++----
+ 1 file changed, 28 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -233,6 +233,27 @@ ext4_xattr_check_block(struct inode *ino
+ return error;
+ }
+
++static int
++__xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header,
++ void *end, const char *function, unsigned int line)
++{
++ struct ext4_xattr_entry *entry = IFIRST(header);
++ int error = -EFSCORRUPTED;
++
++ if (((void *) header >= end) ||
++ (header->h_magic != le32_to_cpu(EXT4_XATTR_MAGIC)))
++ goto errout;
++ error = ext4_xattr_check_names(entry, end, entry);
++errout:
++ if (error)
++ __ext4_error_inode(inode, function, line, 0,
++ "corrupted in-inode xattr");
++ return error;
++}
++
++#define xattr_check_inode(inode, header, end) \
++ __xattr_check_inode((inode), (header), (end), __func__, __LINE__)
++
+ static inline int
+ ext4_xattr_check_entry(struct ext4_xattr_entry *entry, size_t size)
+ {
+@@ -344,7 +365,7 @@ ext4_xattr_ibody_get(struct inode *inode
+ header = IHDR(inode, raw_inode);
+ entry = IFIRST(header);
+ end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+- error = ext4_xattr_check_names(entry, end, entry);
++ error = xattr_check_inode(inode, header, end);
+ if (error)
+ goto cleanup;
+ error = ext4_xattr_find_entry(&entry, name_index, name,
+@@ -475,7 +496,7 @@ ext4_xattr_ibody_list(struct dentry *den
+ raw_inode = ext4_raw_inode(&iloc);
+ header = IHDR(inode, raw_inode);
+ end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+- error = ext4_xattr_check_names(IFIRST(header), end, IFIRST(header));
++ error = xattr_check_inode(inode, header, end);
+ if (error)
+ goto cleanup;
+ error = ext4_xattr_list_entries(dentry, IFIRST(header),
+@@ -991,8 +1012,7 @@ int ext4_xattr_ibody_find(struct inode *
+ is->s.here = is->s.first;
+ is->s.end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+ if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) {
+- error = ext4_xattr_check_names(IFIRST(header), is->s.end,
+- IFIRST(header));
++ error = xattr_check_inode(inode, header, is->s.end);
+ if (error)
+ return error;
+ /* Find the named attribute. */
+@@ -1293,6 +1313,10 @@ retry:
+ last = entry;
+ total_ino = sizeof(struct ext4_xattr_ibody_header);
+
++ error = xattr_check_inode(inode, header, end);
++ if (error)
++ goto cleanup;
++
+ free = ext4_xattr_free_space(last, &min_offs, base, &total_ino);
+ if (free >= isize_diff) {
+ entry = IFIRST(header);
--- /dev/null
+From 816b0acf3deb6d6be5d0519b286fdd4bafade905 Mon Sep 17 00:00:00 2001
+From: Wei Fang <fangwei1@huawei.com>
+Date: Mon, 21 Mar 2016 19:18:32 +0800
+Subject: md:raid1: fix a dead loop when read from a WriteMostly disk
+
+From: Wei Fang <fangwei1@huawei.com>
+
+commit 816b0acf3deb6d6be5d0519b286fdd4bafade905 upstream.
+
+If first_bad == this_sector when we get the WriteMostly disk
+in read_balance(), valid disk will be returned with zero
+max_sectors. It'll lead to a dead loop in make_request(), and
+OOM will happen because of endless allocation of struct bio.
+
+Since we can't get data from this disk in this case, so
+continue for another disk.
+
+Signed-off-by: Wei Fang <fangwei1@huawei.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -570,7 +570,7 @@ static int read_balance(struct r1conf *c
+ if (best_dist_disk < 0) {
+ if (is_badblock(rdev, this_sector, sectors,
+ &first_bad, &bad_sectors)) {
+- if (first_bad < this_sector)
++ if (first_bad <= this_sector)
+ /* Cannot use this */
+ continue;
+ best_good_sectors = first_bad - this_sector;
--- /dev/null
+From c80e1b62ffca52e2d1d865ee58bc79c4c0c55005 Mon Sep 17 00:00:00 2001
+From: Corey Minyard <cminyard@mvista.com>
+Date: Mon, 11 Apr 2016 09:10:19 -0500
+Subject: MIPS: Fix crash registers on non-crashing CPUs
+
+From: Corey Minyard <cminyard@mvista.com>
+
+commit c80e1b62ffca52e2d1d865ee58bc79c4c0c55005 upstream.
+
+As part of handling a crash on an SMP system, an IPI is send to
+all other CPUs to save their current registers and stop. It was
+using task_pt_regs(current) to get the registers, but that will
+only be accurate if the CPU was interrupted running in userland.
+Instead allow the architecture to pass in the registers (all
+pass NULL now, but allow for the future) and then use get_irq_regs()
+which should be accurate as we are in an interrupt. Fall back to
+task_pt_regs(current) if nothing else is available.
+
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Cc: David Daney <ddaney@caviumnetworks.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/13050/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/crash.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/kernel/crash.c
++++ b/arch/mips/kernel/crash.c
+@@ -14,12 +14,22 @@ static int crashing_cpu = -1;
+ static cpumask_t cpus_in_crash = CPU_MASK_NONE;
+
+ #ifdef CONFIG_SMP
+-static void crash_shutdown_secondary(void *ignore)
++static void crash_shutdown_secondary(void *passed_regs)
+ {
+- struct pt_regs *regs;
++ struct pt_regs *regs = passed_regs;
+ int cpu = smp_processor_id();
+
+- regs = task_pt_regs(current);
++ /*
++ * If we are passed registers, use those. Otherwise get the
++ * regs from the last interrupt, which should be correct, as
++ * we are in an interrupt. But if the regs are not there,
++ * pull them from the top of the stack. They are probably
++ * wrong, but we need something to keep from crashing again.
++ */
++ if (!regs)
++ regs = get_irq_regs();
++ if (!regs)
++ regs = task_pt_regs(current);
+
+ if (!cpu_online(cpu))
+ return;
--- /dev/null
+From 8e6ce7ebeb34f0992f56de078c3744fb383657fa Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 15 Jul 2016 16:42:16 -0700
+Subject: net: cavium: liquidio: Avoid dma_unmap_single on uninitialized ndata
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+commit 8e6ce7ebeb34f0992f56de078c3744fb383657fa upstream.
+
+The label lio_xmit_failed is used 3 times through liquidio_xmit() but it
+always makes a call to dma_unmap_single() using potentially
+uninitialized variables from "ndata" variable. Out of the 3 gotos, 2 run
+after ndata has been initialized, and had a prior dma_map_single() call.
+
+Fix this by adding a new error label: lio_xmit_dma_failed which does
+this dma_unmap_single() and then processed with the lio_xmit_failed
+fallthrough.
+
+Fixes: f21fb3ed364bb ("Add support of Cavium Liquidio ethernet adapters")
+Reported-by: coverity (CID 1309740)
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/cavium/liquidio/lio_main.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c
++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c
+@@ -2823,7 +2823,7 @@ static int liquidio_xmit(struct sk_buff
+ if (!g) {
+ netif_info(lio, tx_err, lio->netdev,
+ "Transmit scatter gather: glist null!\n");
+- goto lio_xmit_failed;
++ goto lio_xmit_dma_failed;
+ }
+
+ cmdsetup.s.gather = 1;
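Review bot: The `!g` branch now jumps to `lio_xmit_dma_failed`, which calls `dma_unmap_single()` on `ndata.cmd.dptr`, yet this check sits at the start of the scatter-gather setup (`cmdsetup.s.gather = 1` follows it). The preceding lines are outside the hunk; if no `dma_map_single()` has filled `ndata.cmd.dptr` on this path by then, the jump unmaps an address that was never mapped, which is what the commit sets out to prevent. Unless a mapping is established earlier, this site should keep `goto lio_xmit_failed;`. It is also worth confirming that the send-failure jump in the next hunk releases the right mapping in gather mode, where the buffers mapped may differ from `ndata.cmd.dptr`/`ndata.datasize`.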
+@@ -2894,7 +2894,7 @@ static int liquidio_xmit(struct sk_buff
+ else
+ status = octnet_send_nic_data_pkt(oct, &ndata, xmit_more);
+ if (status == IQ_SEND_FAILED)
+- goto lio_xmit_failed;
++ goto lio_xmit_dma_failed;
+
+ netif_info(lio, tx_queued, lio->netdev, "Transmit queued successfully\n");
+
+@@ -2908,12 +2908,13 @@ static int liquidio_xmit(struct sk_buff
+
+ return NETDEV_TX_OK;
+
++lio_xmit_dma_failed:
++ dma_unmap_single(&oct->pci_dev->dev, ndata.cmd.dptr,
++ ndata.datasize, DMA_TO_DEVICE);
+ lio_xmit_failed:
+ stats->tx_dropped++;
+ netif_info(lio, tx_err, lio->netdev, "IQ%d Transmit dropped:%llu\n",
+ iq_no, stats->tx_dropped);
+- dma_unmap_single(&oct->pci_dev->dev, ndata.cmd.dptr,
+- ndata.datasize, DMA_TO_DEVICE);
+ recv_buffer_free(skb);
+ return NETDEV_TX_OK;
+ }
--- /dev/null
+From dc327f8931cb9d66191f489eb9a852fc04530546 Mon Sep 17 00:00:00 2001
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Mon, 16 May 2016 15:11:18 -0700
+Subject: net_sched: close another race condition in tcf_mirred_release()
+
+From: WANG Cong <xiyou.wangcong@gmail.com>
+
+commit dc327f8931cb9d66191f489eb9a852fc04530546 upstream.
+
+We saw the following extra refcount release on veth device:
+
+ kernel: [7957821.463992] unregister_netdevice: waiting for mesos50284 to become free. Usage count = -1
+
+Since we heavily use mirred action to redirect packets to veth, I think
+this is caused by the following race condition:
+
+CPU0:
+tcf_mirred_release(): (in RCU callback)
+ struct net_device *dev = rcu_dereference_protected(m->tcfm_dev, 1);
+
+CPU1:
+mirred_device_event():
+ spin_lock_bh(&mirred_list_lock);
+ list_for_each_entry(m, &mirred_list, tcfm_list) {
+ if (rcu_access_pointer(m->tcfm_dev) == dev) {
+ dev_put(dev);
+ /* Note : no rcu grace period necessary, as
+ * net_device are already rcu protected.
+ */
+ RCU_INIT_POINTER(m->tcfm_dev, NULL);
+ }
+ }
+ spin_unlock_bh(&mirred_list_lock);
+
+CPU0:
+tcf_mirred_release():
+ spin_lock_bh(&mirred_list_lock);
+ list_del(&m->tcfm_list);
+ spin_unlock_bh(&mirred_list_lock);
+ if (dev) // <======== Stil refers to the old m->tcfm_dev
+ dev_put(dev); // <======== dev_put() is called on it again
+
+The action init code path is good because it is impossible to modify
+an action that is being removed.
+
+So, fix this by moving everything under the spinlock.
+
+Fixes: 2ee22a90c7af ("net_sched: act_mirred: remove spinlock in fast path")
+Fixes: 6bd00b850635 ("act_mirred: fix a race condition on mirred_list")
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sched/act_mirred.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -36,14 +36,15 @@ static DEFINE_SPINLOCK(mirred_list_lock)
+ static void tcf_mirred_release(struct tc_action *a, int bind)
+ {
+ struct tcf_mirred *m = to_mirred(a);
+- struct net_device *dev = rcu_dereference_protected(m->tcfm_dev, 1);
++ struct net_device *dev;
+
+ /* We could be called either in a RCU callback or with RTNL lock held. */
+ spin_lock_bh(&mirred_list_lock);
+ list_del(&m->tcfm_list);
+- spin_unlock_bh(&mirred_list_lock);
++ dev = rcu_dereference_protected(m->tcfm_dev, 1);
+ if (dev)
+ dev_put(dev);
++ spin_unlock_bh(&mirred_list_lock);
+ }
+
+ static const struct nla_policy mirred_policy[TCA_MIRRED_MAX + 1] = {
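Review bot: The dereference still passes a constant `1` as its protection condition, `rcu_dereference_protected(m->tcfm_dev, 1)`, which switches off the lockdep check even though the read now relies on `mirred_list_lock`. Naming the lock documents the fix and lets lockdep catch a regression: `dev = rcu_dereference_protected(m->tcfm_dev, lockdep_is_held(&mirred_list_lock));`. The existing comment about RCU callback versus RTNL context could also gain a sentence saying that `tcfm_dev` must be read and released under the lock because `mirred_device_event()` clears it there.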
--- /dev/null
+From e47db94e10447fc467777a40302f2b393e9af2fa Mon Sep 17 00:00:00 2001
+From: "santosh.shilimkar@oracle.com" <santosh.shilimkar@oracle.com>
+Date: Thu, 14 Apr 2016 10:43:27 -0700
+Subject: RDS: Fix the atomicity for congestion map update
+
+From: santosh.shilimkar@oracle.com <santosh.shilimkar@oracle.com>
+
+commit e47db94e10447fc467777a40302f2b393e9af2fa upstream.
+
+Two different threads with different rds sockets may be in
+rds_recv_rcvbuf_delta() via receive path. If their ports
+both map to the same word in the congestion map, then
+using non-atomic ops to update it could cause the map to
+be incorrect. Lets use atomics to avoid such an issue.
+
+Full credit to Wengang <wen.gang.wang@oracle.com> for
+finding the issue, analysing it and also pointing out
+to offending code with spin lock based fix.
+
+Reviewed-by: Leon Romanovsky <leon@leon.nu>
+Signed-off-by: Wengang Wang <wen.gang.wang@oracle.com>
+Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rds/cong.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/rds/cong.c
++++ b/net/rds/cong.c
+@@ -299,7 +299,7 @@ void rds_cong_set_bit(struct rds_cong_ma
+ i = be16_to_cpu(port) / RDS_CONG_MAP_PAGE_BITS;
+ off = be16_to_cpu(port) % RDS_CONG_MAP_PAGE_BITS;
+
+- __set_bit_le(off, (void *)map->m_page_addrs[i]);
++ set_bit_le(off, (void *)map->m_page_addrs[i]);
+ }
+
+ void rds_cong_clear_bit(struct rds_cong_map *map, __be16 port)
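Review bot: Nothing at the `set_bit_le()` call tells a later reader that the atomic form is required, and the `__`-prefixed variant looks like a harmless optimisation to restore. A comment above the call, for example `/* atomic: concurrent receive paths may update bits in the same word */`, would record the reason given in the commit description. The same applies to `clear_bit_le()` in the second hunk (rds_cong_clear_bit). Both function bodies start outside their hunks.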
+@@ -313,7 +313,7 @@ void rds_cong_clear_bit(struct rds_cong_
+ i = be16_to_cpu(port) / RDS_CONG_MAP_PAGE_BITS;
+ off = be16_to_cpu(port) % RDS_CONG_MAP_PAGE_BITS;
+
+- __clear_bit_le(off, (void *)map->m_page_addrs[i]);
++ clear_bit_le(off, (void *)map->m_page_addrs[i]);
+ }
+
+ static int rds_cong_test_bit(struct rds_cong_map *map, __be16 port)
--- /dev/null
+From 8e5356a73604f53da6a1e0756727cb8f9f7bba17 Mon Sep 17 00:00:00 2001
+From: Jon Hunter <jonathanh@nvidia.com>
+Date: Thu, 21 Apr 2016 17:11:58 +0100
+Subject: regulator: core: Clear the supply pointer if enabling fails
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+commit 8e5356a73604f53da6a1e0756727cb8f9f7bba17 upstream.
+
+During the resolution of a regulator's supply, we may attempt to enable
+the supply if the regulator itself is already enabled. If enabling the
+supply fails, then we will call _regulator_put() for the supply.
+However, the pointer to the supply has not been cleared for the
+regulator and this will cause a crash if we then unregister the
+regulator and attempt to call regulator_put() a second time for the
+supply. Fix this by clearing the supply pointer if enabling the supply
+fails when resolving the supply for a regulator.
+
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -1519,6 +1519,7 @@ static int regulator_resolve_supply(stru
+ ret = regulator_enable(rdev->supply);
+ if (ret < 0) {
+ _regulator_put(rdev->supply);
++ rdev->supply = NULL;
+ return ret;
+ }
+ }
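Review bot: The added `rdev->supply = NULL;` carries no comment, and its reason is only in the commit description: a later unregister would otherwise call regulator_put() on the already released supply. A one-line comment above the assignment, such as `/* supply was just put; clear it so unregister does not put it again */`, would keep it from being dropped as redundant. regulator_resolve_supply() starts and ends outside the hunk.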
--- /dev/null
+From 03d27ade4941076b34c823d63d91dc895731a595 Mon Sep 17 00:00:00 2001
+From: "Felipe F. Tonello" <eu@felipetonello.com>
+Date: Wed, 9 Mar 2016 19:39:30 +0000
+Subject: usb: gadget: f_midi: Fixed a bug when buflen was smaller than wMaxPacketSize
+
+From: Felipe F. Tonello <eu@felipetonello.com>
+
+commit 03d27ade4941076b34c823d63d91dc895731a595 upstream.
+
+buflen by default (256) is smaller than wMaxPacketSize (512) in high-speed
+devices.
+
+That caused the OUT endpoint to freeze if the host sent any data packet of
+length greater than 256 bytes.
+
+This is an example dump of what happened on that endpoint:
+HOST: [DATA][Length=260][...]
+DEVICE: [NAK]
+HOST: [PING]
+DEVICE: [NAK]
+HOST: [PING]
+DEVICE: [NAK]
+...
+HOST: [PING]
+DEVICE: [NAK]
+
+This patch fixes this problem by setting the minimum usb_request's buffer size
+for the OUT endpoint as its wMaxPacketSize.
+
+Acked-by: Michal Nazarewicz <mina86@mina86.com>
+Signed-off-by: Felipe F. Tonello <eu@felipetonello.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_midi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_midi.c
++++ b/drivers/usb/gadget/function/f_midi.c
+@@ -361,7 +361,9 @@ static int f_midi_set_alt(struct usb_fun
+ /* allocate a bunch of read buffers and queue them all at once. */
+ for (i = 0; i < midi->qlen && err == 0; i++) {
+ struct usb_request *req =
+- midi_alloc_ep_req(midi->out_ep, midi->buflen);
++ midi_alloc_ep_req(midi->out_ep,
++ max_t(unsigned, midi->buflen,
++ bulk_out_desc.wMaxPacketSize));
+ if (req == NULL)
+ return -ENOMEM;
+
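Review bot: `bulk_out_desc.wMaxPacketSize` is passed to `max_t(unsigned, ...)` as a raw field. If `bulk_out_desc` is a `struct usb_endpoint_descriptor`, as the name suggests, that field is little-endian (`__le16`), so on a big-endian build the comparison sees a byte-swapped value and the request buffer could again end up smaller than a maximum-size packet. Converting first avoids that: `max_t(unsigned, midi->buflen, le16_to_cpu(bulk_out_desc.wMaxPacketSize))`. The declaration of `bulk_out_desc` is outside the hunk, so the type should be confirmed. f_midi_set_alt() also starts and ends outside it.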
--- /dev/null
+From c06b6d70feb32d28f04ba37aa3df17973fd37b6b Mon Sep 17 00:00:00 2001
+From: Stefano Stabellini <sstabellini@kernel.org>
+Date: Fri, 15 Apr 2016 18:23:00 -0700
+Subject: xen/x86: don't lose event interrupts
+
+From: Stefano Stabellini <sstabellini@kernel.org>
+
+commit c06b6d70feb32d28f04ba37aa3df17973fd37b6b upstream.
+
+On slow platforms with unreliable TSC, such as QEMU emulated machines,
+it is possible for the kernel to request the next event in the past. In
+that case, in the current implementation of xen_vcpuop_clockevent, we
+simply return -ETIME. To be precise, Xen returns -ETIME and we pass
+it on. However, the result of this is a missed event, which simply causes
+the kernel to hang.
+
+Instead it is better to always ask the hypervisor for a timer event,
+even if the timeout is in the past. That way there are no lost
+interrupts and the kernel survives. To do that, remove the
+VCPU_SSHOTTMR_future flag.
+
+Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
+Acked-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/xen/time.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/xen/time.c
++++ b/arch/x86/xen/time.c
+@@ -343,11 +343,11 @@ static int xen_vcpuop_set_next_event(uns
+ WARN_ON(!clockevent_state_oneshot(evt));
+
+ single.timeout_abs_ns = get_abs_timeout(delta);
+- single.flags = VCPU_SSHOTTMR_future;
++ /* Get an event anyway, even if the timeout is already expired */
++ single.flags = 0;
+
+ ret = HYPERVISOR_vcpu_op(VCPUOP_set_singleshot_timer, cpu, &single);
+-
+- BUG_ON(ret != 0 && ret != -ETIME);
++ BUG_ON(ret != 0);
+
+ return ret;
+ }
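Review bot: `BUG_ON(ret != 0)` now treats `-ETIME` as fatal, which holds only as long as the hypervisor never returns it once `VCPU_SSHOTTMR_future` is cleared, and the new comment above `single.flags = 0` does not say so. Extending that comment would tie the two changed lines together, e.g. `/* No VCPU_SSHOTTMR_future: get an event even if the timeout has already expired, so -ETIME is not expected */`. That expectation comes from the commit description and is not something the hunk itself demonstrates. xen_vcpuop_set_next_event() starts outside the hunk.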