--- /dev/null
+From 0f4f2afd4402883a51ad27a1d9e046643bb1e3cb Mon Sep 17 00:00:00 2001
+From: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Date: Tue, 23 Jun 2015 16:09:23 +0200
+Subject: drivers: clk: st: Fix flexgen lock init
+
+From: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+
+commit 0f4f2afd4402883a51ad27a1d9e046643bb1e3cb upstream.
+
+While proving lock, the following warning happens
+and it is fixed after initializing lock in the setup
+function
+
+INFO: trying to register non-static key.
+the code is fine but needs lockdep annotation.
+turning off the locking correctness validator.
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.10.27-02861-g39df285-dirty #33
+[<c00154ac>] (unwind_backtrace+0x0/0xf4) from [<c0011b50>] (show_stack+0x10/0x14)
+[<c0011b50>] (show_stack+0x10/0x14) from [<c00689ac>] (__lock_acquire+0x900/0xb14)
+[<c00689ac>] (__lock_acquire+0x900/0xb14) from [<c0069394>] (lock_acquire+0x68/0x7c)
+[<c0069394>] (lock_acquire+0x68/0x7c) from [<c04958f8>] (_raw_spin_lock_irqsave+0x48/0x5c)
+[<c04958f8>] (_raw_spin_lock_irqsave+0x48/0x5c) from [<c0381e6c>] (clk_gate_endisable+0x28/0x88)
+[<c0381e6c>] (clk_gate_endisable+0x28/0x88) from [<c0381ee0>] (clk_gate_enable+0xc/0x14)
+[<c0381ee0>] (clk_gate_enable+0xc/0x14) from [<c0386c68>] (flexgen_enable+0x28/0x40)
+[<c0386c68>] (flexgen_enable+0x28/0x40) from [<c037f260>] (__clk_enable+0x5c/0x9c)
+[<c037f260>] (__clk_enable+0x5c/0x9c) from [<c037f558>] (clk_enable+0x18/0x2c)
+[<c037f558>] (clk_enable+0x18/0x2c) from [<c064a1dc>] (st_lpc_of_register+0xc0/0x248)
+[<c064a1dc>] (st_lpc_of_register+0xc0/0x248) from [<c0649e44>] (clocksource_of_init+0x34/0x58)
+[<c0649e44>] (clocksource_of_init+0x34/0x58) from [<c0637ddc>] (sti_timer_init+0x10/0x18)
+[<c0637ddc>] (sti_timer_init+0x10/0x18) from [<c06343f8>] (time_init+0x20/0x30)
+[<c06343f8>] (time_init+0x20/0x30) from [<c0632984>] (start_kernel+0x20c/0x2e8)
+[<c0632984>] (start_kernel+0x20c/0x2e8) from [<40008074>] (0x40008074)
+
+Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Signed-off-by: Gabriel Fernandez <gabriel.fernandez@linaro.org>
+Fixes: b116517055b7 ("clk: st: STiH407: Support for Flexgen Clocks")
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/st/clk-flexgen.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/clk/st/clk-flexgen.c
++++ b/drivers/clk/st/clk-flexgen.c
+@@ -303,6 +303,8 @@ void __init st_of_flexgen_setup(struct d
+ if (!rlock)
+ goto err;
+
++ spin_lock_init(rlock);
++
+ for (i = 0; i < clk_data->clk_num; i++) {
+ struct clk *clk;
+ const char *clk_name;
--- /dev/null
+From 3be6d8ce639d92e60d144fb99dd74a53fe3799bb Mon Sep 17 00:00:00 2001
+From: Gabriel Fernandez <gabriel.fernandez@linaro.org>
+Date: Tue, 23 Jun 2015 16:09:25 +0200
+Subject: drivers: clk: st: Fix mux bit-setting for Cortex A9 clocks
+
+From: Gabriel Fernandez <gabriel.fernandez@linaro.org>
+
+commit 3be6d8ce639d92e60d144fb99dd74a53fe3799bb upstream.
+
+This patch fixes the mux bit-setting for ClockgenA9.
+
+Signed-off-by: Gabriel Fernandez <gabriel.fernandez@linaro.org>
+Fixes: 13e6f2da1ddf ("clk: st: STiH407: Support for A9 MUX Clocks")
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/st/clkgen-mux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/st/clkgen-mux.c
++++ b/drivers/clk/st/clkgen-mux.c
+@@ -582,7 +582,7 @@ static struct clkgen_mux_data stih416_a9
+ };
+ static struct clkgen_mux_data stih407_a9_mux_data = {
+ .offset = 0x1a4,
+- .shift = 1,
++ .shift = 0,
+ .width = 2,
+ };
+
--- /dev/null
+From 56551da9255f20ffd3a9711728a1a3ad4b7100af Mon Sep 17 00:00:00 2001
+From: Pankaj Dev <pankaj.dev@st.com>
+Date: Tue, 7 Jul 2015 09:40:50 +0200
+Subject: drivers: clk: st: Incorrect register offset used for lock_status
+
+From: Pankaj Dev <pankaj.dev@st.com>
+
+commit 56551da9255f20ffd3a9711728a1a3ad4b7100af upstream.
+
+Incorrect register offset used for sthi407 clockgenC
+
+Signed-off-by: Pankaj Dev <pankaj.dev@st.com>
+Signed-off-by: Gabriel Fernandez <gabriel.fernandez@linaro.org>
+Fixes: 51306d56ba81 ("clk: st: STiH407: Support for clockgenC0")
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/st/clkgen-fsyn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/st/clkgen-fsyn.c
++++ b/drivers/clk/st/clkgen-fsyn.c
+@@ -340,7 +340,7 @@ static const struct clkgen_quadfs_data s
+ CLKGEN_FIELD(0x30c, 0xf, 20),
+ CLKGEN_FIELD(0x310, 0xf, 20) },
+ .lockstatus_present = true,
+- .lock_status = CLKGEN_FIELD(0x2A0, 0x1, 24),
++ .lock_status = CLKGEN_FIELD(0x2f0, 0x1, 24),
+ .powerup_polarity = 1,
+ .standby_polarity = 1,
+ .pll_ops = &st_quadfs_pll_c32_ops,
--- /dev/null
+From e3eea1404f5ff7a2ceb7b5e7ba412a6fd94f2935 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+Date: Fri, 24 Jul 2015 10:38:12 -0400
+Subject: ftrace: Fix breakage of set_ftrace_pid
+
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+
+commit e3eea1404f5ff7a2ceb7b5e7ba412a6fd94f2935 upstream.
+
+Commit 4104d326b670 ("ftrace: Remove global function list and call function
+directly") simplified the ftrace code by removing the global_ops list with a
+new design. But this cleanup also broke the filtering of PIDs that are added
+to the set_ftrace_pid file.
+
+Add back the proper hooks to have pid filtering working once again.
+
+Reported-by: Matt Fleming <matt@console-pimps.org>
+Reported-by: Richard Weinberger <richard.weinberger@gmail.com>
+Tested-by: Matt Fleming <matt@console-pimps.org>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/ftrace.h | 3 ++
+ kernel/trace/ftrace.c | 52 ++++++++++++++++++++++++++++++++-----------------
+ 2 files changed, 37 insertions(+), 18 deletions(-)
+
+--- a/include/linux/ftrace.h
++++ b/include/linux/ftrace.h
+@@ -116,6 +116,7 @@ ftrace_func_t ftrace_ops_get_func(struct
+ * SAVE_REGS. If another ops with this flag set is already registered
+ * for any of the functions that this ops will be registered for, then
+ * this ops will fail to register or set_filter_ip.
++ * PID - Is affected by set_ftrace_pid (allows filtering on those pids)
+ */
+ enum {
+ FTRACE_OPS_FL_ENABLED = 1 << 0,
+@@ -132,6 +133,7 @@ enum {
+ FTRACE_OPS_FL_MODIFYING = 1 << 11,
+ FTRACE_OPS_FL_ALLOC_TRAMP = 1 << 12,
+ FTRACE_OPS_FL_IPMODIFY = 1 << 13,
++ FTRACE_OPS_FL_PID = 1 << 14,
+ };
+
+ #ifdef CONFIG_DYNAMIC_FTRACE
+@@ -159,6 +161,7 @@ struct ftrace_ops {
+ struct ftrace_ops *next;
+ unsigned long flags;
+ void *private;
++ ftrace_func_t saved_func;
+ int __percpu *disabled;
+ #ifdef CONFIG_DYNAMIC_FTRACE
+ int nr_trampolines;
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -98,6 +98,13 @@ struct ftrace_pid {
+ struct pid *pid;
+ };
+
++static bool ftrace_pids_enabled(void)
++{
++ return !list_empty(&ftrace_pids);
++}
++
++static void ftrace_update_trampoline(struct ftrace_ops *ops);
++
+ /*
+ * ftrace_disabled is set when an anomaly is discovered.
+ * ftrace_disabled is much stronger than ftrace_enabled.
+@@ -109,7 +116,6 @@ static DEFINE_MUTEX(ftrace_lock);
+ static struct ftrace_ops *ftrace_control_list __read_mostly = &ftrace_list_end;
+ static struct ftrace_ops *ftrace_ops_list __read_mostly = &ftrace_list_end;
+ ftrace_func_t ftrace_trace_function __read_mostly = ftrace_stub;
+-ftrace_func_t ftrace_pid_function __read_mostly = ftrace_stub;
+ static struct ftrace_ops global_ops;
+ static struct ftrace_ops control_ops;
+
+@@ -183,14 +189,7 @@ static void ftrace_pid_func(unsigned lon
+ if (!test_tsk_trace_trace(current))
+ return;
+
+- ftrace_pid_function(ip, parent_ip, op, regs);
+-}
+-
+-static void set_ftrace_pid_function(ftrace_func_t func)
+-{
+- /* do not set ftrace_pid_function to itself! */
+- if (func != ftrace_pid_func)
+- ftrace_pid_function = func;
++ op->saved_func(ip, parent_ip, op, regs);
+ }
+
+ /**
+@@ -202,7 +201,6 @@ static void set_ftrace_pid_function(ftra
+ void clear_ftrace_function(void)
+ {
+ ftrace_trace_function = ftrace_stub;
+- ftrace_pid_function = ftrace_stub;
+ }
+
+ static void control_ops_disable_all(struct ftrace_ops *ops)
+@@ -436,6 +434,12 @@ static int __register_ftrace_function(st
+ } else
+ add_ftrace_ops(&ftrace_ops_list, ops);
+
++ /* Always save the function, and reset at unregistering */
++ ops->saved_func = ops->func;
++
++ if (ops->flags & FTRACE_OPS_FL_PID && ftrace_pids_enabled())
++ ops->func = ftrace_pid_func;
++
+ ftrace_update_trampoline(ops);
+
+ if (ftrace_enabled)
+@@ -463,15 +467,28 @@ static int __unregister_ftrace_function(
+ if (ftrace_enabled)
+ update_ftrace_function();
+
++ ops->func = ops->saved_func;
++
+ return 0;
+ }
+
+ static void ftrace_update_pid_func(void)
+ {
++ bool enabled = ftrace_pids_enabled();
++ struct ftrace_ops *op;
++
+ /* Only do something if we are tracing something */
+ if (ftrace_trace_function == ftrace_stub)
+ return;
+
++ do_for_each_ftrace_op(op, ftrace_ops_list) {
++ if (op->flags & FTRACE_OPS_FL_PID) {
++ op->func = enabled ? ftrace_pid_func :
++ op->saved_func;
++ ftrace_update_trampoline(op);
++ }
++ } while_for_each_ftrace_op(op);
++
+ update_ftrace_function();
+ }
+
+@@ -1133,7 +1150,8 @@ static struct ftrace_ops global_ops = {
+ .local_hash.filter_hash = EMPTY_HASH,
+ INIT_OPS_HASH(global_ops)
+ .flags = FTRACE_OPS_FL_RECURSION_SAFE |
+- FTRACE_OPS_FL_INITIALIZED,
++ FTRACE_OPS_FL_INITIALIZED |
++ FTRACE_OPS_FL_PID,
+ };
+
+ /*
+@@ -5023,7 +5041,9 @@ static void ftrace_update_trampoline(str
+
+ static struct ftrace_ops global_ops = {
+ .func = ftrace_stub,
+- .flags = FTRACE_OPS_FL_RECURSION_SAFE | FTRACE_OPS_FL_INITIALIZED,
++ .flags = FTRACE_OPS_FL_RECURSION_SAFE |
++ FTRACE_OPS_FL_INITIALIZED |
++ FTRACE_OPS_FL_PID,
+ };
+
+ static int __init ftrace_nodyn_init(void)
+@@ -5080,11 +5100,6 @@ void ftrace_init_array_ops(struct trace_
+ if (WARN_ON(tr->ops->func != ftrace_stub))
+ printk("ftrace ops had %pS for function\n",
+ tr->ops->func);
+- /* Only the top level instance does pid tracing */
+- if (!list_empty(&ftrace_pids)) {
+- set_ftrace_pid_function(func);
+- func = ftrace_pid_func;
+- }
+ }
+ tr->ops->func = func;
+ tr->ops->private = tr;
+@@ -5371,7 +5386,7 @@ static void *fpid_start(struct seq_file
+ {
+ mutex_lock(&ftrace_lock);
+
+- if (list_empty(&ftrace_pids) && (!*pos))
++ if (!ftrace_pids_enabled() && (!*pos))
+ return (void *) 1;
+
+ return seq_list_start(&ftrace_pids, *pos);
+@@ -5610,6 +5625,7 @@ static struct ftrace_ops graph_ops = {
+ .func = ftrace_stub,
+ .flags = FTRACE_OPS_FL_RECURSION_SAFE |
+ FTRACE_OPS_FL_INITIALIZED |
++ FTRACE_OPS_FL_PID |
+ FTRACE_OPS_FL_STUB,
+ #ifdef FTRACE_GRAPH_TRAMP_ADDR
+ .trampoline = FTRACE_GRAPH_TRAMP_ADDR,
--- /dev/null
+From 6debce6f4e787a8eb4cec94e7afa85fb4f40db27 Mon Sep 17 00:00:00 2001
+From: Antonio Borneo <borneo.antonio@gmail.com>
+Date: Sun, 21 Jun 2015 14:20:25 +0800
+Subject: HID: cp2112: fix to force single data-report reply
+
+From: Antonio Borneo <borneo.antonio@gmail.com>
+
+commit 6debce6f4e787a8eb4cec94e7afa85fb4f40db27 upstream.
+
+Current implementation of cp2112_raw_event() only accepts one data report at a
+time. If last received data report is not fully handled yet, a new incoming
+data report will overwrite it. In such case we don't guaranteed to propagate
+the correct incoming data.
+
+The trivial fix implemented here forces a single report at a time by requesting
+in cp2112_read() no more than 61 byte of data, which is the payload size of a
+single data report.
+
+Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
+Tested-by: Ellen Wang <ellen@cumulusnetworks.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-cp2112.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/hid/hid-cp2112.c
++++ b/drivers/hid/hid-cp2112.c
+@@ -356,6 +356,8 @@ static int cp2112_read(struct cp2112_dev
+ struct cp2112_force_read_report report;
+ int ret;
+
++ if (size > sizeof(dev->read_data))
++ size = sizeof(dev->read_data);
+ report.report = CP2112_DATA_READ_FORCE_SEND;
+ report.length = cpu_to_be16(size);
+
--- /dev/null
+From 46ebb7af7b93792de65e124e1ab8b89a108a41f2 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Tue, 14 Jul 2015 14:48:53 -0600
+Subject: iommu/vt-d: Fix VM domain ID leak
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit 46ebb7af7b93792de65e124e1ab8b89a108a41f2 upstream.
+
+This continues the attempt to fix commit fb170fb4c548 ("iommu/vt-d:
+Introduce helper functions to make code symmetric for readability").
+The previous attempt in commit 71684406905f ("iommu/vt-d: Detach
+domain *only* from attached iommus") overlooked the fact that
+dmar_domain.iommu_bmp gets cleared for VM domains when devices are
+detached:
+
+intel_iommu_detach_device
+ domain_remove_one_dev_info
+ domain_detach_iommu
+
+The domain is detached from the iommu, but the iommu is still attached
+to the domain, for whatever reason. Thus when we get to domain_exit(),
+we can't rely on iommu_bmp for VM domains to find the active iommus,
+we must check them all. Without that, the corresponding bit in
+intel_iommu.domain_ids doesn't get cleared and repeated VM domain
+creation and destruction will run out of domain IDs. Meanwhile we
+still can't call iommu_detach_domain() on arbitrary non-VM domains or
+we risk clearing in-use domain IDs, as 71684406905f attempted to
+address.
+
+It's tempting to modify iommu_detach_domain() to test the domain
+iommu_bmp, but the call ordering from domain_remove_one_dev_info()
+prevents it being able to work as fb170fb4c548 seems to have intended.
+Caching of unused VM domains on the iommu object seems to be the root
+of the problem, but this code is far too fragile for that kind of
+rework to be proposed for stable, so we simply revert this chunk to
+its state prior to fb170fb4c548.
+
+Fixes: fb170fb4c548 ("iommu/vt-d: Introduce helper functions to make
+ code symmetric for readability")
+Fixes: 71684406905f ("iommu/vt-d: Detach domain *only* from attached
+ iommus")
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Cc: Jiang Liu <jiang.liu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/intel-iommu.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -1756,8 +1756,9 @@ static int domain_init(struct dmar_domai
+
+ static void domain_exit(struct dmar_domain *domain)
+ {
++ struct dmar_drhd_unit *drhd;
++ struct intel_iommu *iommu;
+ struct page *freelist = NULL;
+- int i;
+
+ /* Domain 0 is reserved, so dont process it */
+ if (!domain)
+@@ -1777,8 +1778,10 @@ static void domain_exit(struct dmar_doma
+
+ /* clear attached or cached domains */
+ rcu_read_lock();
+- for_each_set_bit(i, domain->iommu_bmp, g_num_of_iommus)
+- iommu_detach_domain(domain, g_iommus[i]);
++ for_each_active_iommu(iommu, drhd)
++ if (domain_type_is_vm(domain) ||
++ test_bit(iommu->seq_id, domain->iommu_bmp))
++ iommu_detach_domain(domain, iommu);
+ rcu_read_unlock();
+
+ dma_free_pagelist(freelist);
--- /dev/null
+From 591e5bec13f15feb13fc445b6c9c59954711c4ac Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Fri, 17 Jul 2015 10:46:42 +0100
+Subject: irqchip/gicv3-its: Fix mapping of LPIs to collections
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 591e5bec13f15feb13fc445b6c9c59954711c4ac upstream.
+
+The GICv3 ITS architecture allows a given [DevID, EventID] pair to be
+translated to a [LPI, Collection] pair, where DevID is the device writing
+the MSI, EventID is the payload being written, LPI is the actual
+interrupt number, and Collection is roughly equivalent to a target CPU.
+
+Each LPI can be mapped to a separate collection, but the ITS driver
+insists on maintaining the collection on a device basis, instead of doing
+it on a per interrupt basis.
+
+This is obviously flawed, and this patch fixes it by adding a per interrupt
+index that indicates which collection number is in use.
+
+Reported-by: Ian Campbell <ian.campbell@citrix.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Cc: <linux-arm-kernel@lists.infradead.org>
+Cc: Jason Cooper <jason@lakedaemon.net>
+Link: http://lkml.kernel.org/r/1437126402-11677-1-git-send-email-marc.zyngier@arm.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-gic-v3-its.c | 111 ++++++++++++++++++++++++++-------------
+ 1 file changed, 75 insertions(+), 36 deletions(-)
+
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -75,6 +75,13 @@ struct its_node {
+
+ #define ITS_ITT_ALIGN SZ_256
+
++struct event_lpi_map {
++ unsigned long *lpi_map;
++ u16 *col_map;
++ irq_hw_number_t lpi_base;
++ int nr_lpis;
++};
++
+ /*
+ * The ITS view of a device - belongs to an ITS, a collection, owns an
+ * interrupt translation table, and a list of interrupts.
+@@ -82,11 +89,8 @@ struct its_node {
+ struct its_device {
+ struct list_head entry;
+ struct its_node *its;
+- struct its_collection *collection;
++ struct event_lpi_map event_map;
+ void *itt;
+- unsigned long *lpi_map;
+- irq_hw_number_t lpi_base;
+- int nr_lpis;
+ u32 nr_ites;
+ u32 device_id;
+ };
+@@ -99,6 +103,14 @@ static struct rdists *gic_rdists;
+ #define gic_data_rdist() (raw_cpu_ptr(gic_rdists->rdist))
+ #define gic_data_rdist_rd_base() (gic_data_rdist()->rd_base)
+
++static struct its_collection *dev_event_to_col(struct its_device *its_dev,
++ u32 event)
++{
++ struct its_node *its = its_dev->its;
++
++ return its->collections + its_dev->event_map.col_map[event];
++}
++
+ /*
+ * ITS command descriptors - parameters to be encoded in a command
+ * block.
+@@ -134,7 +146,7 @@ struct its_cmd_desc {
+ struct {
+ struct its_device *dev;
+ struct its_collection *col;
+- u32 id;
++ u32 event_id;
+ } its_movi_cmd;
+
+ struct {
+@@ -241,7 +253,7 @@ static struct its_collection *its_build_
+
+ its_fixup_cmd(cmd);
+
+- return desc->its_mapd_cmd.dev->collection;
++ return NULL;
+ }
+
+ static struct its_collection *its_build_mapc_cmd(struct its_cmd_block *cmd,
+@@ -260,52 +272,72 @@ static struct its_collection *its_build_
+ static struct its_collection *its_build_mapvi_cmd(struct its_cmd_block *cmd,
+ struct its_cmd_desc *desc)
+ {
++ struct its_collection *col;
++
++ col = dev_event_to_col(desc->its_mapvi_cmd.dev,
++ desc->its_mapvi_cmd.event_id);
++
+ its_encode_cmd(cmd, GITS_CMD_MAPVI);
+ its_encode_devid(cmd, desc->its_mapvi_cmd.dev->device_id);
+ its_encode_event_id(cmd, desc->its_mapvi_cmd.event_id);
+ its_encode_phys_id(cmd, desc->its_mapvi_cmd.phys_id);
+- its_encode_collection(cmd, desc->its_mapvi_cmd.dev->collection->col_id);
++ its_encode_collection(cmd, col->col_id);
+
+ its_fixup_cmd(cmd);
+
+- return desc->its_mapvi_cmd.dev->collection;
++ return col;
+ }
+
+ static struct its_collection *its_build_movi_cmd(struct its_cmd_block *cmd,
+ struct its_cmd_desc *desc)
+ {
++ struct its_collection *col;
++
++ col = dev_event_to_col(desc->its_movi_cmd.dev,
++ desc->its_movi_cmd.event_id);
++
+ its_encode_cmd(cmd, GITS_CMD_MOVI);
+ its_encode_devid(cmd, desc->its_movi_cmd.dev->device_id);
+- its_encode_event_id(cmd, desc->its_movi_cmd.id);
++ its_encode_event_id(cmd, desc->its_movi_cmd.event_id);
+ its_encode_collection(cmd, desc->its_movi_cmd.col->col_id);
+
+ its_fixup_cmd(cmd);
+
+- return desc->its_movi_cmd.dev->collection;
++ return col;
+ }
+
+ static struct its_collection *its_build_discard_cmd(struct its_cmd_block *cmd,
+ struct its_cmd_desc *desc)
+ {
++ struct its_collection *col;
++
++ col = dev_event_to_col(desc->its_discard_cmd.dev,
++ desc->its_discard_cmd.event_id);
++
+ its_encode_cmd(cmd, GITS_CMD_DISCARD);
+ its_encode_devid(cmd, desc->its_discard_cmd.dev->device_id);
+ its_encode_event_id(cmd, desc->its_discard_cmd.event_id);
+
+ its_fixup_cmd(cmd);
+
+- return desc->its_discard_cmd.dev->collection;
++ return col;
+ }
+
+ static struct its_collection *its_build_inv_cmd(struct its_cmd_block *cmd,
+ struct its_cmd_desc *desc)
+ {
++ struct its_collection *col;
++
++ col = dev_event_to_col(desc->its_inv_cmd.dev,
++ desc->its_inv_cmd.event_id);
++
+ its_encode_cmd(cmd, GITS_CMD_INV);
+ its_encode_devid(cmd, desc->its_inv_cmd.dev->device_id);
+ its_encode_event_id(cmd, desc->its_inv_cmd.event_id);
+
+ its_fixup_cmd(cmd);
+
+- return desc->its_inv_cmd.dev->collection;
++ return col;
+ }
+
+ static struct its_collection *its_build_invall_cmd(struct its_cmd_block *cmd,
+@@ -497,7 +529,7 @@ static void its_send_movi(struct its_dev
+
+ desc.its_movi_cmd.dev = dev;
+ desc.its_movi_cmd.col = col;
+- desc.its_movi_cmd.id = id;
++ desc.its_movi_cmd.event_id = id;
+
+ its_send_single_command(dev->its, its_build_movi_cmd, &desc);
+ }
+@@ -528,7 +560,7 @@ static void its_send_invall(struct its_n
+ static inline u32 its_get_event_id(struct irq_data *d)
+ {
+ struct its_device *its_dev = irq_data_get_irq_chip_data(d);
+- return d->hwirq - its_dev->lpi_base;
++ return d->hwirq - its_dev->event_map.lpi_base;
+ }
+
+ static void lpi_set_config(struct irq_data *d, bool enable)
+@@ -583,7 +615,7 @@ static int its_set_affinity(struct irq_d
+
+ target_col = &its_dev->its->collections[cpu];
+ its_send_movi(its_dev, target_col, id);
+- its_dev->collection = target_col;
++ its_dev->event_map.col_map[id] = cpu;
+
+ return IRQ_SET_MASK_OK_DONE;
+ }
+@@ -713,8 +745,10 @@ out:
+ return bitmap;
+ }
+
+-static void its_lpi_free(unsigned long *bitmap, int base, int nr_ids)
++static void its_lpi_free(struct event_lpi_map *map)
+ {
++ int base = map->lpi_base;
++ int nr_ids = map->nr_lpis;
+ int lpi;
+
+ spin_lock(&lpi_lock);
+@@ -731,7 +765,8 @@ static void its_lpi_free(unsigned long *
+
+ spin_unlock(&lpi_lock);
+
+- kfree(bitmap);
++ kfree(map->lpi_map);
++ kfree(map->col_map);
+ }
+
+ /*
+@@ -1099,11 +1134,11 @@ static struct its_device *its_create_dev
+ struct its_device *dev;
+ unsigned long *lpi_map;
+ unsigned long flags;
++ u16 *col_map = NULL;
+ void *itt;
+ int lpi_base;
+ int nr_lpis;
+ int nr_ites;
+- int cpu;
+ int sz;
+
+ dev = kzalloc(sizeof(*dev), GFP_KERNEL);
+@@ -1117,20 +1152,24 @@ static struct its_device *its_create_dev
+ sz = max(sz, ITS_ITT_ALIGN) + ITS_ITT_ALIGN - 1;
+ itt = kzalloc(sz, GFP_KERNEL);
+ lpi_map = its_lpi_alloc_chunks(nvecs, &lpi_base, &nr_lpis);
++ if (lpi_map)
++ col_map = kzalloc(sizeof(*col_map) * nr_lpis, GFP_KERNEL);
+
+- if (!dev || !itt || !lpi_map) {
++ if (!dev || !itt || !lpi_map || !col_map) {
+ kfree(dev);
+ kfree(itt);
+ kfree(lpi_map);
++ kfree(col_map);
+ return NULL;
+ }
+
+ dev->its = its;
+ dev->itt = itt;
+ dev->nr_ites = nr_ites;
+- dev->lpi_map = lpi_map;
+- dev->lpi_base = lpi_base;
+- dev->nr_lpis = nr_lpis;
++ dev->event_map.lpi_map = lpi_map;
++ dev->event_map.col_map = col_map;
++ dev->event_map.lpi_base = lpi_base;
++ dev->event_map.nr_lpis = nr_lpis;
+ dev->device_id = dev_id;
+ INIT_LIST_HEAD(&dev->entry);
+
+@@ -1138,10 +1177,6 @@ static struct its_device *its_create_dev
+ list_add(&dev->entry, &its->its_device_list);
+ raw_spin_unlock_irqrestore(&its->lock, flags);
+
+- /* Bind the device to the first possible CPU */
+- cpu = cpumask_first(cpu_online_mask);
+- dev->collection = &its->collections[cpu];
+-
+ /* Map device to its ITT */
+ its_send_mapd(dev, 1);
+
+@@ -1163,12 +1198,13 @@ static int its_alloc_device_irq(struct i
+ {
+ int idx;
+
+- idx = find_first_zero_bit(dev->lpi_map, dev->nr_lpis);
+- if (idx == dev->nr_lpis)
++ idx = find_first_zero_bit(dev->event_map.lpi_map,
++ dev->event_map.nr_lpis);
++ if (idx == dev->event_map.nr_lpis)
+ return -ENOSPC;
+
+- *hwirq = dev->lpi_base + idx;
+- set_bit(idx, dev->lpi_map);
++ *hwirq = dev->event_map.lpi_base + idx;
++ set_bit(idx, dev->event_map.lpi_map);
+
+ return 0;
+ }
+@@ -1288,7 +1324,8 @@ static int its_irq_domain_alloc(struct i
+ irq_domain_set_hwirq_and_chip(domain, virq + i,
+ hwirq, &its_irq_chip, its_dev);
+ dev_dbg(info->scratchpad[1].ptr, "ID:%d pID:%d vID:%d\n",
+- (int)(hwirq - its_dev->lpi_base), (int)hwirq, virq + i);
++ (int)(hwirq - its_dev->event_map.lpi_base),
++ (int)hwirq, virq + i);
+ }
+
+ return 0;
+@@ -1300,6 +1337,9 @@ static void its_irq_domain_activate(stru
+ struct its_device *its_dev = irq_data_get_irq_chip_data(d);
+ u32 event = its_get_event_id(d);
+
++ /* Bind the LPI to the first possible CPU */
++ its_dev->event_map.col_map[event] = cpumask_first(cpu_online_mask);
++
+ /* Map the GIC IRQ and event to the device */
+ its_send_mapvi(its_dev, d->hwirq, event);
+ }
+@@ -1327,17 +1367,16 @@ static void its_irq_domain_free(struct i
+ u32 event = its_get_event_id(data);
+
+ /* Mark interrupt index as unused */
+- clear_bit(event, its_dev->lpi_map);
++ clear_bit(event, its_dev->event_map.lpi_map);
+
+ /* Nuke the entry in the domain */
+ irq_domain_reset_irq_data(data);
+ }
+
+ /* If all interrupts have been freed, start mopping the floor */
+- if (bitmap_empty(its_dev->lpi_map, its_dev->nr_lpis)) {
+- its_lpi_free(its_dev->lpi_map,
+- its_dev->lpi_base,
+- its_dev->nr_lpis);
++ if (bitmap_empty(its_dev->event_map.lpi_map,
++ its_dev->event_map.nr_lpis)) {
++ its_lpi_free(&its_dev->event_map);
+
+ /* Unmap device/itt */
+ its_send_mapd(its_dev, 0);
--- /dev/null
+From 4479004e6409087d1b4986881dc98c6c15dffb28 Mon Sep 17 00:00:00 2001
+From: Tom Hughes <tom@compton.nu>
+Date: Mon, 29 Jun 2015 19:41:49 +0100
+Subject: mac80211: clear subdir_stations when removing debugfs
+
+From: Tom Hughes <tom@compton.nu>
+
+commit 4479004e6409087d1b4986881dc98c6c15dffb28 upstream.
+
+If we don't do this, and we then fail to recreate the debugfs
+directory during a mode change, then we will fail later trying
+to add stations to this now bogus directory:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000006c
+IP: [<c0a92202>] mutex_lock+0x12/0x30
+Call Trace:
+[<c0678ab4>] start_creating+0x44/0xc0
+[<c0679203>] debugfs_create_dir+0x13/0xf0
+[<f8a938ae>] ieee80211_sta_debugfs_add+0x6e/0x490 [mac80211]
+
+Signed-off-by: Tom Hughes <tom@compton.nu>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/debugfs_netdev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/mac80211/debugfs_netdev.c
++++ b/net/mac80211/debugfs_netdev.c
+@@ -723,6 +723,7 @@ void ieee80211_debugfs_remove_netdev(str
+
+ debugfs_remove_recursive(sdata->vif.debugfs_dir);
+ sdata->vif.debugfs_dir = NULL;
++ sdata->debugfs.subdir_stations = NULL;
+ }
+
+ void ieee80211_debugfs_rename_netdev(struct ieee80211_sub_if_data *sdata)
--- /dev/null
+From 408806f740497c5d71f9c305b3d6aad260ff186d Mon Sep 17 00:00:00 2001
+From: Kishon Vijay Abraham I <kishon@ti.com>
+Date: Tue, 16 Jun 2015 16:07:17 +0530
+Subject: mmc: omap_hsmmc: Fix DTO and DCRC handling
+
+From: Kishon Vijay Abraham I <kishon@ti.com>
+
+commit 408806f740497c5d71f9c305b3d6aad260ff186d upstream.
+
+DTO/DCRC errors were not being informed to the mmc core since
+commit ae4bf788ee9b ("mmc: omap_hsmmc: consolidate error report handling of
+HSMMC IRQ"). This commit made sure 'end_trans' is never set on DTO/DCRC
+errors. This is because after this commit 'host->data' is checked after
+it has been cleared to NULL by omap_hsmmc_dma_cleanup().
+
+Because 'end_trans' is never set, omap_hsmmc_xfer_done() is never invoked
+making core layer not to be aware of DTO/DCRC errors. Because of this
+any command invoked after DTO/DCRC error leads to a hang.
+
+Fix this by checking for 'host->data' before it is actually cleared.
+
+Fixes: ae4bf788ee9b ("mmc: omap_hsmmc: consolidate error report handling of
+HSMMC IRQ")
+
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Tested-by: Andreas Fenkart <afenkart@gmail.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/omap_hsmmc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/mmc/host/omap_hsmmc.c
++++ b/drivers/mmc/host/omap_hsmmc.c
+@@ -1062,6 +1062,10 @@ static void omap_hsmmc_do_irq(struct oma
+
+ if (status & (CTO_EN | CCRC_EN))
+ end_cmd = 1;
++ if (host->data || host->response_busy) {
++ end_trans = !end_cmd;
++ host->response_busy = 0;
++ }
+ if (status & (CTO_EN | DTO_EN))
+ hsmmc_command_incomplete(host, -ETIMEDOUT, end_cmd);
+ else if (status & (CCRC_EN | DCRC_EN))
+@@ -1081,10 +1085,6 @@ static void omap_hsmmc_do_irq(struct oma
+ }
+ dev_dbg(mmc_dev(host->mmc), "AC12 err: 0x%x\n", ac12);
+ }
+- if (host->data || host->response_busy) {
+- end_trans = !end_cmd;
+- host->response_busy = 0;
+- }
+ }
+
+ OMAP_HSMMC_WRITE(host->base, STAT, status);
--- /dev/null
+From 7ac020366b0a436d726408841160b5dc32c19214 Mon Sep 17 00:00:00 2001
+From: Peng Fan <van.freenix@gmail.com>
+Date: Mon, 22 Jun 2015 11:41:23 +0800
+Subject: mmc: sdhci check parameters before call dma_free_coherent
+
+From: Peng Fan <van.freenix@gmail.com>
+
+commit 7ac020366b0a436d726408841160b5dc32c19214 upstream.
+
+We should not call dma_free_coherent if host->adma_table is NULL,
+otherwise may trigger panic.
+
+Fixes: d1e49f77d7c7 ("mmc: sdhci: convert ADMA descriptors to a...")
+Signed-off-by: Peng Fan <van.freenix@gmail.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -3037,8 +3037,11 @@ int sdhci_add_host(struct sdhci_host *ho
+ GFP_KERNEL);
+ host->align_buffer = kmalloc(host->align_buffer_sz, GFP_KERNEL);
+ if (!host->adma_table || !host->align_buffer) {
+- dma_free_coherent(mmc_dev(mmc), host->adma_table_sz,
+- host->adma_table, host->adma_addr);
++ if (host->adma_table)
++ dma_free_coherent(mmc_dev(mmc),
++ host->adma_table_sz,
++ host->adma_table,
++ host->adma_addr);
+ kfree(host->align_buffer);
+ pr_warn("%s: Unable to allocate ADMA buffers - falling back to standard DMA\n",
+ mmc_hostname(mmc));
--- /dev/null
+From 8e91125ff3f57f15c6568e2a6d32743b3f7815e4 Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
+Date: Wed, 22 Jul 2015 16:44:26 +0200
+Subject: mmc: sdhci-esdhc: Make 8BIT bus work
+
+From: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
+
+commit 8e91125ff3f57f15c6568e2a6d32743b3f7815e4 upstream.
+
+Support for 8BIT bus with was added some time ago to sdhci-esdhc but
+then missed to remove the 8BIT from the reserved bit mask which made
+8BIT non functional.
+
+Fixes: 66b50a00992d ("mmc: esdhc: Add support for 8-bit bus width and..")
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@transmode.se>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-esdhc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-esdhc.h
++++ b/drivers/mmc/host/sdhci-esdhc.h
+@@ -45,6 +45,6 @@
+ #define ESDHC_DMA_SYSCTL 0x40c
+ #define ESDHC_DMA_SNOOP 0x00000040
+
+-#define ESDHC_HOST_CONTROL_RES 0x05
++#define ESDHC_HOST_CONTROL_RES 0x01
+
+ #endif /* _DRIVERS_MMC_SDHCI_ESDHC_H */
--- /dev/null
+From 9cd76049f0d90ae241f5ad80e311489824527000 Mon Sep 17 00:00:00 2001
+From: Jingju Hou <houjingj@marvell.com>
+Date: Thu, 23 Jul 2015 17:56:23 +0800
+Subject: mmc: sdhci-pxav3: fix platform_data is not initialized
+
+From: Jingju Hou <houjingj@marvell.com>
+
+commit 9cd76049f0d90ae241f5ad80e311489824527000 upstream.
+
+pdev->dev.platform_data is not initialized if match is true in function
+sdhci_pxav3_probe. Just local variable pdata is assigned the return value
+from function pxav3_get_mmc_pdata().
+
+static int sdhci_pxav3_probe(struct platform_device *pdev) {
+
+ struct sdhci_pxa_platdata *pdata = pdev->dev.platform_data;
+ ...
+ if (match) {
+ ret = mmc_of_parse(host->mmc);
+ if (ret)
+ goto err_of_parse;
+ sdhci_get_of_property(pdev);
+ pdata = pxav3_get_mmc_pdata(dev);
+ }
+ ...
+}
+
+Signed-off-by: Jingju Hou <houjingj@marvell.com>
+Fixes: b650352dd3df("mmc: sdhci-pxa: Add device tree support")
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-pxav3.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/sdhci-pxav3.c
++++ b/drivers/mmc/host/sdhci-pxav3.c
+@@ -411,6 +411,7 @@ static int sdhci_pxav3_probe(struct plat
+ goto err_of_parse;
+ sdhci_get_of_property(pdev);
+ pdata = pxav3_get_mmc_pdata(dev);
++ pdev->dev.platform_data = pdata;
+ } else if (pdata) {
+ /* on-chip device */
+ if (pdata->flags & PXA_FLAG_CARD_PERMANENT)
--- /dev/null
+From f2d0a123bcf16d1a9cf7942ddc98e0ef77862c2b Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Fri, 17 Jul 2015 14:15:30 -0500
+Subject: mnt: Clarify and correct the disconnect logic in umount_tree
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+commit f2d0a123bcf16d1a9cf7942ddc98e0ef77862c2b upstream.
+
+rmdir mntpoint will result in an infinite loop when there is
+a mount locked on the mountpoint in another mount namespace.
+
+This is because the logic to test to see if a mount should
+be disconnected in umount_tree is buggy.
+
+Move the logic to decide if a mount should remain connected to
+it's mountpoint into it's own function disconnect_mount so that
+clarity of expression instead of terseness of expression becomes
+a virtue.
+
+When the conditions where it is invalid to leave a mount connected
+are first ruled out, the logic for deciding if a mount should
+be disconnected becomes much clearer and simpler.
+
+Fixes: e0c9c0afd2fc958ffa34b697972721d81df8a56f mnt: Update detach_mounts to leave mounts connected
+Fixes: ce07d891a0891d3c0d0c2d73d577490486b809e1 mnt: Honor MNT_LOCKED when detaching mounts
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namespace.c | 35 +++++++++++++++++++++++++++++++----
+ fs/pnode.h | 2 --
+ 2 files changed, 31 insertions(+), 6 deletions(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1350,6 +1350,36 @@ enum umount_tree_flags {
+ UMOUNT_PROPAGATE = 2,
+ UMOUNT_CONNECTED = 4,
+ };
++
++static bool disconnect_mount(struct mount *mnt, enum umount_tree_flags how)
++{
++ /* Leaving mounts connected is only valid for lazy umounts */
++ if (how & UMOUNT_SYNC)
++ return true;
++
++ /* A mount without a parent has nothing to be connected to */
++ if (!mnt_has_parent(mnt))
++ return true;
++
++ /* Because the reference counting rules change when mounts are
++ * unmounted and connected, umounted mounts may not be
++ * connected to mounted mounts.
++ */
++ if (!(mnt->mnt_parent->mnt.mnt_flags & MNT_UMOUNT))
++ return true;
++
++ /* Has it been requested that the mount remain connected? */
++ if (how & UMOUNT_CONNECTED)
++ return false;
++
++ /* Is the mount locked such that it needs to remain connected? */
++ if (IS_MNT_LOCKED(mnt))
++ return false;
++
++ /* By default disconnect the mount */
++ return true;
++}
++
+ /*
+ * mount_lock must be held
+ * namespace_sem must be held for write
+@@ -1387,10 +1417,7 @@ static void umount_tree(struct mount *mn
+ if (how & UMOUNT_SYNC)
+ p->mnt.mnt_flags |= MNT_SYNC_UMOUNT;
+
+- disconnect = !(((how & UMOUNT_CONNECTED) &&
+- mnt_has_parent(p) &&
+- (p->mnt_parent->mnt.mnt_flags & MNT_UMOUNT)) ||
+- IS_MNT_LOCKED_AND_LAZY(p));
++ disconnect = disconnect_mount(p, how);
+
+ pin_insert_group(&p->mnt_umount, &p->mnt_parent->mnt,
+ disconnect ? &unmounted : NULL);
+--- a/fs/pnode.h
++++ b/fs/pnode.h
+@@ -20,8 +20,6 @@
+ #define SET_MNT_MARK(m) ((m)->mnt.mnt_flags |= MNT_MARKED)
+ #define CLEAR_MNT_MARK(m) ((m)->mnt.mnt_flags &= ~MNT_MARKED)
+ #define IS_MNT_LOCKED(m) ((m)->mnt.mnt_flags & MNT_LOCKED)
+-#define IS_MNT_LOCKED_AND_LAZY(m) \
+- (((m)->mnt.mnt_flags & (MNT_LOCKED|MNT_SYNC_UMOUNT)) == MNT_LOCKED)
+
+ #define CL_EXPIRE 0x01
+ #define CL_SLAVE 0x02
--- /dev/null
+From fe78fcc85a2046c51f1535710996860557eeec20 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Fri, 17 Jul 2015 14:54:27 -0500
+Subject: mnt: In detach_mounts detach the appropriate unmounted mount
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+commit fe78fcc85a2046c51f1535710996860557eeec20 upstream.
+
+The handling of in detach_mounts of unmounted but connected mounts is
+buggy and can lead to an infinite loop.
+
+Correct the handling of unmounted mounts in detach_mount. When the
+mountpoint of an unmounted but connected mount is connected to a
+dentry, and that dentry is deleted we need to disconnect that mount
+from the parent mount and the deleted dentry.
+
+Nothing changes for the unmounted and connected children. They can be
+safely ignored.
+
+Fixes: ce07d891a0891d3c0d0c2d73d577490486b809e1 mnt: Honor MNT_LOCKED when detaching mounts
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namespace.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1554,11 +1554,8 @@ void __detach_mounts(struct dentry *dent
+ while (!hlist_empty(&mp->m_list)) {
+ mnt = hlist_entry(mp->m_list.first, struct mount, mnt_mp_list);
+ if (mnt->mnt.mnt_flags & MNT_UMOUNT) {
+- struct mount *p, *tmp;
+- list_for_each_entry_safe(p, tmp, &mnt->mnt_mounts, mnt_child) {
+- hlist_add_head(&p->mnt_umount.s_list, &unmounted);
+- umount_mnt(p);
+- }
++ hlist_add_head(&mnt->mnt_umount.s_list, &unmounted);
++ umount_mnt(mnt);
+ }
+ else umount_tree(mnt, UMOUNT_CONNECTED);
+ }
--- /dev/null
+From 621739b00e16ca2d80411dc9b111cb15b91f3ba9 Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Wed, 8 Jul 2015 16:08:24 -0400
+Subject: Revert "dm: only run the queue on completion if congested or
+ no requests pending"
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit 621739b00e16ca2d80411dc9b111cb15b91f3ba9 upstream.
+
+This reverts commit 9a0e609e3fd8a95c96629b9fbde6b8c5b9a1456a.
+(Resolved a conflict during revert due to commit bfebd1cdb4 that came
+after)
+
+This revert is motivated by a couple failure reports on request-based DM
+multipath testbeds:
+1) Netapp reported that their multipath fault injection test under heavy
+ IO load can stall longer than 300 seconds.
+2) IBM reported elevated lock contention in their testbed (likely due to
+ increased back pressure due to IO not being dispatched as quickly):
+ https://www.redhat.com/archives/dm-devel/2015-July/msg00057.html
+
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -1053,13 +1053,10 @@ static struct dm_rq_target_io *tio_from_
+ */
+ static void rq_completed(struct mapped_device *md, int rw, bool run_queue)
+ {
+- int nr_requests_pending;
+-
+ atomic_dec(&md->pending[rw]);
+
+ /* nudge anyone waiting on suspend queue */
+- nr_requests_pending = md_in_flight(md);
+- if (!nr_requests_pending)
++ if (!md_in_flight(md))
+ wake_up(&md->wait);
+
+ /*
+@@ -1071,8 +1068,7 @@ static void rq_completed(struct mapped_d
+ if (run_queue) {
+ if (md->queue->mq_ops)
+ blk_mq_run_hw_queues(md->queue, true);
+- else if (!nr_requests_pending ||
+- (nr_requests_pending >= md->queue->nr_congestion_on))
++ else
+ blk_run_queue_async(md->queue);
+ }
+
--- /dev/null
+From 1278dd6809b11dc298e19d81ac0916275f7318c1 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@fb.com>
+Date: Mon, 13 Jul 2015 08:24:39 -0600
+Subject: scsi: fix host max depth checking for the 'queue_depth' sysfs interface
+
+From: Jens Axboe <axboe@fb.com>
+
+commit 1278dd6809b11dc298e19d81ac0916275f7318c1 upstream.
+
+Commit 1e6f2416044c0 changed the scsi sysfs 'queue_depth' code to
+rejects depths higher than the scsi host template setting. But lots
+of hosts set this to 1, and update the settings in the scsi host
+when the controller/devices probing happens.
+
+This breaks (at least) mpt2sas and mpt3sas runtime setting of queue
+depth, returning EINVAL for all settings but '1'. And once it's set to
+1, there's no way to go back up.
+
+Fixes: 1e6f2416044c0 "scsi: don't allow setting of queue_depth bigger than can_queue"
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: James Bottomley <JBottomley@Odin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_sysfs.c
++++ b/drivers/scsi/scsi_sysfs.c
+@@ -859,7 +859,7 @@ sdev_store_queue_depth(struct device *de
+
+ depth = simple_strtoul(buf, NULL, 0);
+
+- if (depth < 1 || depth > sht->can_queue)
++ if (depth < 1 || depth > sdev->host->can_queue)
+ return -EINVAL;
+
+ retval = sht->change_queue_depth(sdev, depth);
--- /dev/null
+From 0c958ecc69c277b25f38f72bc6d18ab145e8167c Mon Sep 17 00:00:00 2001
+From: Tony Battersby <tonyb@cybernetics.com>
+Date: Thu, 16 Jul 2015 11:40:41 -0400
+Subject: scsi: fix memory leak with scsi-mq
+
+From: Tony Battersby <tonyb@cybernetics.com>
+
+commit 0c958ecc69c277b25f38f72bc6d18ab145e8167c upstream.
+
+Fix a memory leak with scsi-mq triggered by commands with large data
+transfer length.
+
+__sg_alloc_table() sets both table->nents and table->orig_nents to the
+same value. When the scatterlist is DMA-mapped, table->nents is
+overwritten with the (possibly smaller) size of the DMA-mapped
+scatterlist, while table->orig_nents retains the original size of the
+allocated scatterlist. scsi_free_sgtable() should therefore check
+orig_nents instead of nents, and all code that initializes sdb->table
+without calling __sg_alloc_table() should set both nents and orig_nents.
+
+Fixes: d285203cf647 ("scsi: add support for a blk-mq based I/O path.")
+Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: James Bottomley <JBottomley@Odin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_error.c | 2 +-
+ drivers/scsi/scsi_lib.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/scsi_error.c
++++ b/drivers/scsi/scsi_error.c
+@@ -944,7 +944,7 @@ void scsi_eh_prep_cmnd(struct scsi_cmnd
+ scmd->sdb.length);
+ scmd->sdb.table.sgl = &ses->sense_sgl;
+ scmd->sc_data_direction = DMA_FROM_DEVICE;
+- scmd->sdb.table.nents = 1;
++ scmd->sdb.table.nents = scmd->sdb.table.orig_nents = 1;
+ scmd->cmnd[0] = REQUEST_SENSE;
+ scmd->cmnd[4] = scmd->sdb.length;
+ scmd->cmd_len = COMMAND_SIZE(scmd->cmnd[0]);
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -583,7 +583,7 @@ static struct scatterlist *scsi_sg_alloc
+
+ static void scsi_free_sgtable(struct scsi_data_buffer *sdb, bool mq)
+ {
+- if (mq && sdb->table.nents <= SCSI_MAX_SG_SEGMENTS)
++ if (mq && sdb->table.orig_nents <= SCSI_MAX_SG_SEGMENTS)
+ return;
+ __sg_free_table(&sdb->table, SCSI_MAX_SG_SEGMENTS, mq, scsi_sg_free);
+ }
+@@ -597,8 +597,8 @@ static int scsi_alloc_sgtable(struct scs
+
+ if (mq) {
+ if (nents <= SCSI_MAX_SG_SEGMENTS) {
+- sdb->table.nents = nents;
+- sg_init_table(sdb->table.sgl, sdb->table.nents);
++ sdb->table.nents = sdb->table.orig_nents = nents;
++ sg_init_table(sdb->table.sgl, nents);
+ return 0;
+ }
+ first_chunk = sdb->table.sgl;
alsa-hda-apply-a-fixup-to-dell-vostro-5480.patch
alsa-usb-audio-add-db-range-mapping-for-some-devices.patch
alsa-hda-fix-macbook-pro-5-2-quirk.patch
+x86-perf-fix-static_key-bug-in-load_mm_cr4.patch
+revert-dm-only-run-the-queue-on-completion-if-congested-or.patch
+irqchip-gicv3-its-fix-mapping-of-lpis-to-collections.patch
+scsi-fix-host-max-depth-checking-for-the-queue_depth-sysfs-interface.patch
+scsi-fix-memory-leak-with-scsi-mq.patch
+st-null-pointer-dereference-panic-caused-by-use-after-kref_put-by-st_open.patch
+drivers-clk-st-fix-flexgen-lock-init.patch
+drivers-clk-st-fix-mux-bit-setting-for-cortex-a9-clocks.patch
+drivers-clk-st-incorrect-register-offset-used-for-lock_status.patch
+mac80211-clear-subdir_stations-when-removing-debugfs.patch
+subject-pinctrl-imx1-core-fix-debug-output-in-.pin_config_set-callback.patch
+mnt-clarify-and-correct-the-disconnect-logic-in-umount_tree.patch
+mnt-in-detach_mounts-detach-the-appropriate-unmounted-mount.patch
+ftrace-fix-breakage-of-set_ftrace_pid.patch
+iommu-vt-d-fix-vm-domain-id-leak.patch
+mmc-omap_hsmmc-fix-dto-and-dcrc-handling.patch
+mmc-sdhci-check-parameters-before-call-dma_free_coherent.patch
+mmc-sdhci-esdhc-make-8bit-bus-work.patch
+mmc-sdhci-pxav3-fix-platform_data-is-not-initialized.patch
+hid-cp2112-fix-to-force-single-data-report-reply.patch
--- /dev/null
+From e7ac6c6666bec0a354758a1298d3231e4a635362 Mon Sep 17 00:00:00 2001
+From: "Seymour, Shane M" <shane.seymour@hp.com>
+Date: Thu, 2 Jul 2015 12:01:10 +0000
+Subject: st: null pointer dereference panic caused by use after kref_put by st_open
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: "Seymour, Shane M" <shane.seymour@hp.com>
+
+commit e7ac6c6666bec0a354758a1298d3231e4a635362 upstream.
+
+Two SLES11 SP3 servers encountered similar crashes simultaneously
+following some kind of SAN/tape target issue:
+
+...
+qla2xxx [0000:81:00.0]-801c:3: Abort command issued nexus=3:0:2 -- 1 2002.
+qla2xxx [0000:81:00.0]-801c:3: Abort command issued nexus=3:0:2 -- 1 2002.
+qla2xxx [0000:81:00.0]-8009:3: DEVICE RESET ISSUED nexus=3:0:2 cmd=ffff882f89c2c7c0.
+qla2xxx [0000:81:00.0]-800c:3: do_reset failed for cmd=ffff882f89c2c7c0.
+qla2xxx [0000:81:00.0]-800f:3: DEVICE RESET FAILED: Task management failed nexus=3:0:2 cmd=ffff882f89c2c7c0.
+qla2xxx [0000:81:00.0]-8009:3: TARGET RESET ISSUED nexus=3:0:2 cmd=ffff882f89c2c7c0.
+qla2xxx [0000:81:00.0]-800c:3: do_reset failed for cmd=ffff882f89c2c7c0.
+qla2xxx [0000:81:00.0]-800f:3: TARGET RESET FAILED: Task management failed nexus=3:0:2 cmd=ffff882f89c2c7c0.
+qla2xxx [0000:81:00.0]-8012:3: BUS RESET ISSUED nexus=3:0:2.
+qla2xxx [0000:81:00.0]-802b:3: BUS RESET SUCCEEDED nexus=3:0:2.
+qla2xxx [0000:81:00.0]-505f:3: Link is operational (8 Gbps).
+qla2xxx [0000:81:00.0]-8018:3: ADAPTER RESET ISSUED nexus=3:0:2.
+qla2xxx [0000:81:00.0]-00af:3: Performing ISP error recovery - ha=ffff88bf04d18000.
+ rport-3:0-0: blocked FC remote port time out: removing target and saving binding
+qla2xxx [0000:81:00.0]-505f:3: Link is operational (8 Gbps).
+qla2xxx [0000:81:00.0]-8017:3: ADAPTER RESET SUCCEEDED nexus=3:0:2.
+ rport-2:0-0: blocked FC remote port time out: removing target and saving binding
+sg_rq_end_io: device detached
+BUG: unable to handle kernel NULL pointer dereference at 00000000000002a8
+IP: [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90
+PGD 7e6586f067 PUD 7e5af06067 PMD 0 [1739975.390354] Oops: 0002 [#1] SMP
+CPU 0
+...
+Supported: No, Proprietary modules are loaded [1739975.390463]
+Pid: 27965, comm: ABCD Tainted: PF X 3.0.101-0.29-default #1 HP ProLiant DL580 Gen8
+RIP: 0010:[<ffffffff8133b268>] [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90
+RSP: 0018:ffff8839dc1e7c68 EFLAGS: 00010202
+RAX: 0000000000000000 RBX: ffff883f0592fc00 RCX: 0000000000000090
+RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000138
+RBP: 0000000000000138 R08: 0000000000000010 R09: ffffffff81bd39d0
+R10: 00000000000009c0 R11: ffffffff81025790 R12: 0000000000000001
+R13: ffff883022212b80 R14: 0000000000000004 R15: ffff883022212b80
+FS: 00007f8e54560720(0000) GS:ffff88407f800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: 00000000000002a8 CR3: 0000007e6ced6000 CR4: 00000000001407f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process ABCD (pid: 27965, threadinfo ffff8839dc1e6000, task ffff883592e0c640)
+Stack:
+ ffff883f0592fc00 00000000fffffffa 0000000000000001 ffff883022212b80
+ ffff883eff772400 ffffffffa03fa309 0000000000000000 0000000000000000
+ ffffffffa04003a0 ffff883f063196c0 ffff887f0379a930 ffffffff8115ea1e
+Call Trace:
+ [<ffffffffa03fa309>] st_open+0x129/0x240 [st]
+ [<ffffffff8115ea1e>] chrdev_open+0x13e/0x200
+ [<ffffffff811588a8>] __dentry_open+0x198/0x310
+ [<ffffffff81167d74>] do_last+0x1f4/0x800
+ [<ffffffff81168fe9>] path_openat+0xd9/0x420
+ [<ffffffff8116946c>] do_filp_open+0x4c/0xc0
+ [<ffffffff8115a00f>] do_sys_open+0x17f/0x250
+ [<ffffffff81468d92>] system_call_fastpath+0x16/0x1b
+ [<00007f8e4f617fd0>] 0x7f8e4f617fcf
+Code: eb d3 90 48 83 ec 28 40 f6 c6 04 48 89 6c 24 08 4c 89 74 24 20 48 89 fd 48 89 1c 24 4c 89 64 24 10 41 89 f6 4c 89 6c 24 18 74 11 <f0> ff 8f 70 01 00 00 0f 94 c0 45 31 ed 84 c0 74 2b 4c 8d a5 a0
+RIP [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90
+ RSP <ffff8839dc1e7c68>
+CR2: 00000000000002a8
+
+Analysis reveals the cause of the crash to be due to STp->device
+being NULL. The pointer was NULLed via scsi_tape_put(STp) when it
+calls scsi_tape_release(). In st_open() we jump to err_out after
+scsi_block_when_processing_errors() completes and returns the
+device as offline (sdev_state was SDEV_DEL):
+
+1180 /* Open the device. Needs to take the BKL only because of incrementing the SCSI host
+1181 module count. */
+1182 static int st_open(struct inode *inode, struct file *filp)
+1183 {
+1184 int i, retval = (-EIO);
+1185 int resumed = 0;
+1186 struct scsi_tape *STp;
+1187 struct st_partstat *STps;
+1188 int dev = TAPE_NR(inode);
+1189 char *name;
+...
+1217 if (scsi_autopm_get_device(STp->device) < 0) {
+1218 retval = -EIO;
+1219 goto err_out;
+1220 }
+1221 resumed = 1;
+1222 if (!scsi_block_when_processing_errors(STp->device)) {
+1223 retval = (-ENXIO);
+1224 goto err_out;
+1225 }
+...
+1264 err_out:
+1265 normalize_buffer(STp->buffer);
+1266 spin_lock(&st_use_lock);
+1267 STp->in_use = 0;
+1268 spin_unlock(&st_use_lock);
+1269 scsi_tape_put(STp); <-- STp->device = 0 after this
+1270 if (resumed)
+1271 scsi_autopm_put_device(STp->device);
+1272 return retval;
+
+The ref count for the struct scsi_tape had already been reduced
+to 1 when the .remove method of the st module had been called.
+The kref_put() in scsi_tape_put() caused scsi_tape_release()
+to be called:
+
+0266 static void scsi_tape_put(struct scsi_tape *STp)
+0267 {
+0268 struct scsi_device *sdev = STp->device;
+0269
+0270 mutex_lock(&st_ref_mutex);
+0271 kref_put(&STp->kref, scsi_tape_release); <-- calls this
+0272 scsi_device_put(sdev);
+0273 mutex_unlock(&st_ref_mutex);
+0274 }
+
+In scsi_tape_release() the struct scsi_device in the struct
+scsi_tape gets set to NULL:
+
+4273 static void scsi_tape_release(struct kref *kref)
+4274 {
+4275 struct scsi_tape *tpnt = to_scsi_tape(kref);
+4276 struct gendisk *disk = tpnt->disk;
+4277
+4278 tpnt->device = NULL; <<<---- where the dev is nulled
+4279
+4280 if (tpnt->buffer) {
+4281 normalize_buffer(tpnt->buffer);
+4282 kfree(tpnt->buffer->reserved_pages);
+4283 kfree(tpnt->buffer);
+4284 }
+4285
+4286 disk->private_data = NULL;
+4287 put_disk(disk);
+4288 kfree(tpnt);
+4289 return;
+4290 }
+
+Although the problem was reported on SLES11.3 the problem appears
+in linux-next as well.
+
+The crash is fixed by reordering the code so we no longer access
+the struct scsi_tape after the kref_put() is done on it in st_open().
+
+Signed-off-by: Shane Seymour <shane.seymour@hp.com>
+Signed-off-by: Darren Lavender <darren.lavender@hp.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.com>
+Acked-by: Kai Mäkisara <kai.makisara@kolumbus.fi>
+Signed-off-by: James Bottomley <JBottomley@Odin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/st.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/st.c
++++ b/drivers/scsi/st.c
+@@ -1274,9 +1274,9 @@ static int st_open(struct inode *inode,
+ spin_lock(&st_use_lock);
+ STp->in_use = 0;
+ spin_unlock(&st_use_lock);
+- scsi_tape_put(STp);
+ if (resumed)
+ scsi_autopm_put_device(STp->device);
++ scsi_tape_put(STp);
+ return retval;
+
+ }
--- /dev/null
+From 9571b25df1dbf4db17191b54f59734e8b77fd591 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de>
+Date: Fri, 17 Jul 2015 09:38:43 +0200
+Subject: Subject: pinctrl: imx1-core: Fix debug output in .pin_config_set callback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de>
+
+commit 9571b25df1dbf4db17191b54f59734e8b77fd591 upstream.
+
+imx1_pinconf_set assumes that the array of pins in struct
+imx1_pinctrl_soc_info can be indexed by pin id to get the
+pinctrl_pin_desc for a pin. This used to be correct up to commit
+607af165c047 which removed some entries from the array and so made it
+wrong to access the array by pin id.
+
+The result of this bug is a wrong pin name in the output for small pin
+ids and an oops for the bigger ones.
+
+This patch is the result of a discussion that includes patches by Markus
+Pargmann and Chris Ruehl.
+
+Fixes: 607af165c047 ("pinctrl: i.MX27: Remove nonexistent pad definitions")
+Reported-by: Chris Ruehl <chris.ruehl@gtsys.com.hk>
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Reviewed-by: Markus Pargmann <mpa@pengutronix.de>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/freescale/pinctrl-imx1-core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/freescale/pinctrl-imx1-core.c
++++ b/drivers/pinctrl/freescale/pinctrl-imx1-core.c
+@@ -403,14 +403,13 @@ static int imx1_pinconf_set(struct pinct
+ unsigned num_configs)
+ {
+ struct imx1_pinctrl *ipctl = pinctrl_dev_get_drvdata(pctldev);
+- const struct imx1_pinctrl_soc_info *info = ipctl->info;
+ int i;
+
+ for (i = 0; i != num_configs; ++i) {
+ imx1_write_bit(ipctl, pin_id, configs[i] & 0x01, MX1_PUEN);
+
+ dev_dbg(ipctl->dev, "pinconf set pullup pin %s\n",
+- info->pins[pin_id].name);
++ pin_desc_get(pctldev, pin_id)->name);
+ }
+
+ return 0;
--- /dev/null
+From a833581e372a4adae2319d8dc379493edbc444e9 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 9 Jul 2015 19:23:38 +0200
+Subject: x86, perf: Fix static_key bug in load_mm_cr4()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit a833581e372a4adae2319d8dc379493edbc444e9 upstream.
+
+Mikulas reported his K6-3 not booting. This is because the
+static_key API confusion struck and bit Andy, this wants to be
+static_key_false().
+
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Tested-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
+Cc: Vince Weaver <vince@deater.net>
+Cc: hillf.zj <hillf.zj@alibaba-inc.com>
+Fixes: a66734297f78 ("perf/x86: Add /sys/devices/cpu/rdpmc=2 to allow rdpmc for all tasks")
+Link: http://lkml.kernel.org/r/20150709172338.GC19282@twins.programming.kicks-ass.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/mmu_context.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/mmu_context.h
++++ b/arch/x86/include/asm/mmu_context.h
+@@ -23,7 +23,7 @@ extern struct static_key rdpmc_always_av
+
+ static inline void load_mm_cr4(struct mm_struct *mm)
+ {
+- if (static_key_true(&rdpmc_always_available) ||
++ if (static_key_false(&rdpmc_always_available) ||
+ atomic_read(&mm->context.perf_rdpmc_allowed))
+ cr4_set_bits(X86_CR4_PCE);
+ else
projects / thirdparty / kernel / stable-queue.git / commitdiff
