--- /dev/null
+From 6ab42ff44864d26e8e498b8ac655d24ee389d267 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Mon, 15 Jun 2015 17:43:39 +0800
+Subject: ALSA: hda - adding a DAC/pin preference map for a HP Envy TS machine
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 6ab42ff44864d26e8e498b8ac655d24ee389d267 upstream.
+
+On a HP Envy TouchSmart laptop, there are 2 speakers (main speaker
+and subwoofer speaker), 1 headphone and 2 DACs, without this fixup,
+the headphone will be assigned to a DAC and the 2 speakers will be
+assigned to another DAC, this assignment makes the surround-2.1
+channels invalid.
+
+To fix it, here using a DAC/pin preference map to bind the main
+speaker to 1 DAC and the subwoofer speaker will be assigned to another
+DAC.
+
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_sigmatel.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/sound/pci/hda/patch_sigmatel.c
++++ b/sound/pci/hda/patch_sigmatel.c
+@@ -100,6 +100,7 @@ enum {
+ STAC_HP_ENVY_BASS,
+ STAC_HP_BNB13_EQ,
+ STAC_HP_ENVY_TS_BASS,
++ STAC_HP_ENVY_TS_DAC_BIND,
+ STAC_92HD83XXX_GPIO10_EAPD,
+ STAC_92HD83XXX_MODELS
+ };
+@@ -2170,6 +2171,22 @@ static void stac92hd83xxx_fixup_gpio10_e
+ spec->eapd_switch = 0;
+ }
+
++static void hp_envy_ts_fixup_dac_bind(struct hda_codec *codec,
++ const struct hda_fixup *fix,
++ int action)
++{
++ struct sigmatel_spec *spec = codec->spec;
++ static hda_nid_t preferred_pairs[] = {
++ 0xd, 0x13,
++ 0
++ };
++
++ if (action != HDA_FIXUP_ACT_PRE_PROBE)
++ return;
++
++ spec->gen.preferred_dacs = preferred_pairs;
++}
++
+ static const struct hda_verb hp_bnb13_eq_verbs[] = {
+ /* 44.1KHz base */
+ { 0x22, 0x7A6, 0x3E },
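Review bot: `preferred_pairs` in `hp_envy_ts_fixup_dac_bind` is a writable `static` table, although the function only stores its address in `spec->gen.preferred_dacs`. If that field is declared as a pointer to const (its declaration is outside the hunk), declare the table as `static const hda_nid_t preferred_pairs[] = {` so that it lands in read-only data like `hp_bnb13_eq_verbs` just below. A one-line comment saying which value of each pair is the pin NID and which is the DAC NID, and that the trailing `0` ends the list, would spare the next reader a trip into the generic parser.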
+@@ -2685,6 +2702,12 @@ static const struct hda_fixup stac92hd83
+ {}
+ },
+ },
++ [STAC_HP_ENVY_TS_DAC_BIND] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = hp_envy_ts_fixup_dac_bind,
++ .chained = true,
++ .chain_id = STAC_HP_ENVY_TS_BASS,
++ },
+ [STAC_92HD83XXX_GPIO10_EAPD] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = stac92hd83xxx_fixup_gpio10_eapd,
+@@ -2763,6 +2786,8 @@ static const struct snd_pci_quirk stac92
+ "HP bNB13", STAC_HP_BNB13_EQ),
+ SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x190e,
+ "HP ENVY TS", STAC_HP_ENVY_TS_BASS),
++ SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x1967,
++ "HP ENVY TS", STAC_HP_ENVY_TS_DAC_BIND),
+ SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x1940,
+ "HP bNB13", STAC_HP_BNB13_EQ),
+ SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x1941,
--- /dev/null
+From 28df9c2fb6f896179fcffd5a3f5a86e2d1dff0a5 Mon Sep 17 00:00:00 2001
+From: Nicolas Ferre <nicolas.ferre@atmel.com>
+Date: Thu, 28 May 2015 15:07:21 +0200
+Subject: clk: at91: fix h32mx prototype inclusion in pmc header
+
+From: Nicolas Ferre <nicolas.ferre@atmel.com>
+
+commit 28df9c2fb6f896179fcffd5a3f5a86e2d1dff0a5 upstream.
+
+Trivial fix that prevents to compile this pmc clock driver if h32mx clock is
+present but smd clock isn't.
+
+Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Acked-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Fixes: bcc5fd49a0fd ("clk: at91: add a driver for the h32mx clock")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/at91/pmc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/at91/pmc.h
++++ b/drivers/clk/at91/pmc.h
+@@ -121,7 +121,7 @@ extern void __init of_at91sam9x5_clk_smd
+ struct at91_pmc *pmc);
+ #endif
+
+-#if defined(CONFIG_HAVE_AT91_SMD)
++#if defined(CONFIG_HAVE_AT91_H32MX)
+ extern void __init of_sama5d4_clk_h32mx_setup(struct device_node *np,
+ struct at91_pmc *pmc);
+ #endif
--- /dev/null
+From 6c7b03e1aef2e92176435f4fa562cc483422d20f Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Fri, 27 Mar 2015 23:53:15 +0100
+Subject: clk: at91: pll: fix input range validity check
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit 6c7b03e1aef2e92176435f4fa562cc483422d20f upstream.
+
+The PLL impose a certain input range to work correctly, but it appears that
+this input range does not apply on the input clock (or parent clock) but
+on the input clock after it has passed the PLL divisor.
+Fix the implementation accordingly.
+
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Reported-by: Jonas Andersson <jonas@microbit.se>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/at91/clk-pll.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/at91/clk-pll.c
++++ b/drivers/clk/at91/clk-pll.c
+@@ -173,8 +173,7 @@ static long clk_pll_get_best_div_mul(str
+ int i = 0;
+
+ /* Check if parent_rate is a valid input rate */
+- if (parent_rate < characteristics->input.min ||
+- parent_rate > characteristics->input.max)
++ if (parent_rate < characteristics->input.min)
+ return -ERANGE;
+
+ /*
+@@ -187,6 +186,15 @@ static long clk_pll_get_best_div_mul(str
+ if (!mindiv)
+ mindiv = 1;
+
++ if (parent_rate > characteristics->input.max) {
++ tmpdiv = DIV_ROUND_UP(parent_rate, characteristics->input.max);
++ if (tmpdiv > PLL_DIV_MAX)
++ return -ERANGE;
++
++ if (tmpdiv > mindiv)
++ mindiv = tmpdiv;
++ }
++
+ /*
+ * Calculate the maximum divider which is limited by PLL register
+ * layout (limited by the MUL or DIV field size).
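Review bot: `DIV_ROUND_UP(parent_rate, characteristics->input.max)` divides by `input.max`, and nothing in the visible lines rules out a zero maximum. Before this change a zero `input.max` made any non-zero `parent_rate` return `-ERANGE` at the range check; now the same input reaches the division. If the characteristics can arrive from a device tree or platform table without validation (not visible here), guard the block with something like `if (!characteristics->input.max) return -ERANGE;`. The comment `/* Check if parent_rate is a valid input rate */` in the previous hunk now describes only the lower bound and could say so. The function body continues outside both hunks.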
--- /dev/null
+From 412c98c1bef65fe7589f1300e93735d96130307c Mon Sep 17 00:00:00 2001
+From: Steve Cornelius <steve.cornelius@freescale.com>
+Date: Mon, 15 Jun 2015 16:52:59 -0700
+Subject: crypto: caam - fix RNG buffer cache alignment
+
+From: Steve Cornelius <steve.cornelius@freescale.com>
+
+commit 412c98c1bef65fe7589f1300e93735d96130307c upstream.
+
+The hwrng output buffers (2) are cast inside of a a struct (caam_rng_ctx)
+allocated in one DMA-tagged region. While the kernel's heap allocator
+should place the overall struct on a cacheline aligned boundary, the 2
+buffers contained within may not necessarily align. Consenquently, the ends
+of unaligned buffers may not fully flush, and if so, stale data will be left
+behind, resulting in small repeating patterns.
+
+This fix aligns the buffers inside the struct.
+
+Note that not all of the data inside caam_rng_ctx necessarily needs to be
+DMA-tagged, only the buffers themselves require this. However, a fix would
+incur the expense of error-handling bloat in the case of allocation failure.
+
+Signed-off-by: Steve Cornelius <steve.cornelius@freescale.com>
+Signed-off-by: Victoria Milhoan <vicki.milhoan@freescale.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/caam/caamrng.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/caam/caamrng.c
++++ b/drivers/crypto/caam/caamrng.c
+@@ -56,7 +56,7 @@
+
+ /* Buffer, its dma address and lock */
+ struct buf_data {
+- u8 buf[RN_BUF_SIZE];
++ u8 buf[RN_BUF_SIZE] ____cacheline_aligned;
+ dma_addr_t addr;
+ struct completion filled;
+ u32 hw_desc[DESC_JOB_O_LEN];
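Review bot: `____cacheline_aligned` on `buf` fixes only where the buffer starts; whether its tail still shares a cache line with `addr` and `filled` depends on `RN_BUF_SIZE` being a multiple of the cache line size, which is defined outside the hunk. Since the failure mode described is stale bytes surfacing in RNG output, that assumption deserves to be enforced rather than implied, for example with a compile-time assertion on `RN_BUF_SIZE` in the init path. A comment on the member such as `/* DMA target: must start and end on a cache line boundary */` would record why the attribute is there. The struct definition continues past the hunk.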
--- /dev/null
+From 6fd4b15603124c1b56e03db29b41ec39d8a077b9 Mon Sep 17 00:00:00 2001
+From: Steve Cornelius <steve.cornelius@freescale.com>
+Date: Mon, 15 Jun 2015 16:52:56 -0700
+Subject: crypto: caam - improve initalization for context state saves
+
+From: Steve Cornelius <steve.cornelius@freescale.com>
+
+commit 6fd4b15603124c1b56e03db29b41ec39d8a077b9 upstream.
+
+Multiple function in asynchronous hashing use a saved-state block,
+a.k.a. struct caam_hash_state, which holds a stash of information
+between requests (init/update/final). Certain values in this state
+block are loaded for processing using an inline-if, and when this
+is done, the potential for uninitialized data can pose conflicts.
+Therefore, this patch improves initialization of state data to
+prevent false assignments using uninitialized data in the state block.
+
+This patch addresses the following traceback, originating in
+ahash_final_ctx(), although a problem like this could certainly
+exhibit other symptoms:
+
+kernel BUG at arch/arm/mm/dma-mapping.c:465!
+Unable to handle kernel NULL pointer dereference at virtual address 00000000
+pgd = 80004000
+[00000000] *pgd=00000000
+Internal error: Oops: 805 [#1] PREEMPT SMP
+Modules linked in:
+CPU: 0 Not tainted (3.0.15-01752-gdd441b9-dirty #40)
+PC is at __bug+0x1c/0x28
+LR is at __bug+0x18/0x28
+pc : [<80043240>] lr : [<8004323c>] psr: 60000013
+sp : e423fd98 ip : 60000013 fp : 0000001c
+r10: e4191b84 r9 : 00000020 r8 : 00000009
+r7 : 88005038 r6 : 00000001 r5 : 2d676572 r4 : e4191a60
+r3 : 00000000 r2 : 00000001 r1 : 60000093 r0 : 00000033
+Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel
+Control: 10c53c7d Table: 1000404a DAC: 00000015
+Process cryptomgr_test (pid: 1306, stack limit = 0xe423e2f0)
+Stack: (0xe423fd98 to 0xe4240000)
+fd80: 11807fd1 80048544
+fda0: 88005000 e4191a00 e5178040 8039dda0 00000000 00000014 2d676572 e4191008
+fdc0: 88005018 e4191a60 00100100 e4191a00 00000000 8039ce0c e423fea8 00000007
+fde0: e4191a00 e4227000 e5178000 8039ce18 e419183c 80203808 80a94a44 00000006
+fe00: 00000000 80207180 00000000 00000006 e423ff08 00000000 00000007 e5178000
+fe20: e41918a4 80a949b4 8c4844e2 00000000 00000049 74227000 8c4844e2 00000e90
+fe40: 0000000e 74227e90 ffff8c58 80ac29e0 e423fed4 8006a350 8c81625c e423ff5c
+fe60: 00008576 e4002500 00000003 00030010 e4002500 00000003 e5180000 e4002500
+fe80: e5178000 800e6d24 007fffff 00000000 00000010 e4001280 e4002500 60000013
+fea0: 000000d0 804df078 00000000 00000000 00000000 00000000 00000000 00000000
+fec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+fee0: 00000000 00000000 e4227000 e4226000 e4753000 e4752000 e40a5000 e40a4000
+ff00: e41e7000 e41e6000 00000000 00000000 00000000 e423ff14 e423ff14 00000000
+ff20: 00000400 804f9080 e5178000 e4db0b40 00000000 e4db0b80 0000047c 00000400
+ff40: 00000000 8020758c 00000400 ffffffff 0000008a 00000000 e4db0b40 80206e00
+ff60: e4049dbc 00000000 00000000 00000003 e423ffa4 80062978 e41a8bfc 00000000
+ff80: 00000000 e4049db4 00000013 e4049db0 00000013 00000000 00000000 00000000
+ffa0: e4db0b40 e4db0b40 80204cbc 00000013 00000000 00000000 00000000 80204cfc
+ffc0: e4049da0 80089544 80040a40 00000000 e4db0b40 00000000 00000000 00000000
+ffe0: e423ffe0 e423ffe0 e4049da0 800894c4 80040a40 80040a40 00000000 00000000
+[<80043240>] (__bug+0x1c/0x28) from [<80048544>] (___dma_single_dev_to_cpu+0x84)
+[<80048544>] (___dma_single_dev_to_cpu+0x84/0x94) from [<8039dda0>] (ahash_fina)
+[<8039dda0>] (ahash_final_ctx+0x180/0x428) from [<8039ce18>] (ahash_final+0xc/0)
+[<8039ce18>] (ahash_final+0xc/0x10) from [<80203808>] (crypto_ahash_op+0x28/0xc)
+[<80203808>] (crypto_ahash_op+0x28/0xc0) from [<80207180>] (test_hash+0x214/0x5)
+[<80207180>] (test_hash+0x214/0x5b8) from [<8020758c>] (alg_test_hash+0x68/0x8c)
+[<8020758c>] (alg_test_hash+0x68/0x8c) from [<80206e00>] (alg_test+0x7c/0x1b8)
+[<80206e00>] (alg_test+0x7c/0x1b8) from [<80204cfc>] (cryptomgr_test+0x40/0x48)
+[<80204cfc>] (cryptomgr_test+0x40/0x48) from [<80089544>] (kthread+0x80/0x88)
+[<80089544>] (kthread+0x80/0x88) from [<80040a40>] (kernel_thread_exit+0x0/0x8)
+Code: e59f0010 e1a01003 eb126a8d e3a03000 (e5833000)
+---[ end trace d52a403a1d1eaa86 ]---
+
+Signed-off-by: Steve Cornelius <steve.cornelius@freescale.com>
+Signed-off-by: Victoria Milhoan <vicki.milhoan@freescale.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/caam/caamhash.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/crypto/caam/caamhash.c
++++ b/drivers/crypto/caam/caamhash.c
+@@ -1543,6 +1543,8 @@ static int ahash_init(struct ahash_reque
+
+ state->current_buf = 0;
+ state->buf_dma = 0;
++ state->buflen_0 = 0;
++ state->buflen_1 = 0;
+
+ return 0;
+ }
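Review bot: `ahash_init` still initialises the hash state one field at a time, so any member not listed here keeps whatever the request context held before. The crash in the description came from such a field being read before it was written; the two added assignments close that case, but a member added later would reintroduce it. Consider a comment above this group such as `/* every state field read by update/final must be set here */`, or zeroing the state up front if nothing set earlier in the function (outside the hunk) has to survive.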
--- /dev/null
+From 016a65a39170c3cdca09a6ac343ff4f124668b45 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Thu, 11 Jun 2015 08:06:08 +0100
+Subject: drm/i915: Always reset vma->ggtt_view.pages cache on unbinding
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit 016a65a39170c3cdca09a6ac343ff4f124668b45 upstream.
+
+With the introduction of multiple views of an obj in the same vm, each
+vma was taught to cache its copy of the pages (so that different views
+could have different page arrangements). However, this missed decoupling
+those vma->ggtt_view.pages when the vma released its reference on the
+obj->pages. As we don't always free the vma, this leads to a possible
+scenario (e.g. execbuffer interrupted by the shrinker) where the vma
+points to a stale obj->pages, and explodes.
+
+Fixes regression from commit fe14d5f4e5468c5b80a24f1a64abcbe116143670
+Author: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Date: Wed Dec 10 17:27:58 2014 +0000
+
+ drm/i915: Infrastructure for supporting different GGTT views per object
+
+Tvrtko says, if someone else will be confused how this can happen, key
+is the reservation execbuffer path. That puts the VMA on the exec_list
+which prevents i915_vma_unbind and i915_gem_vma_destroy from fully
+destroying the VMA. So the VMA is left existing as an empty object in
+the list - unbound and disassociated with the backing store. Kind of a
+cached memory object. And then re-using it needs to clear the cached
+pages pointer which is fixed above.
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1227892
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Michel Thierry <michel.thierry@intel.com>
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+[Jani: Added Tvrtko's explanation to commit message.]
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_gem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem.c
++++ b/drivers/gpu/drm/i915/i915_gem.c
+@@ -3088,8 +3088,8 @@ int i915_vma_unbind(struct i915_vma *vma
+ } else if (vma->ggtt_view.pages) {
+ sg_free_table(vma->ggtt_view.pages);
+ kfree(vma->ggtt_view.pages);
+- vma->ggtt_view.pages = NULL;
+ }
++ vma->ggtt_view.pages = NULL;
+ }
+
+ drm_mm_remove_node(&vma->node);
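Review bot: The now-unconditional `vma->ggtt_view.pages = NULL;` has no comment saying why it must also run on the branch that does not free the table. Without one, the assignment looks like it belongs back inside the `else if`, which is exactly the arrangement that left a stale pointer behind. Suggest `/* the vma can outlive obj->pages (e.g. while on an exec_list); never keep the cached view */` directly above it. The first branch of the conditional and the rest of `i915_vma_unbind` are outside the hunk.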
--- /dev/null
+From 25161084b1c1b0c29948f6f77266a35f302196b7 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 15 Jun 2015 16:16:15 -0400
+Subject: drm/mgag200: Reject non-character-cell-aligned mode widths
+
+From: Adam Jackson <ajax@redhat.com>
+
+commit 25161084b1c1b0c29948f6f77266a35f302196b7 upstream.
+
+Turns out 1366x768 does not in fact work on this hardware.
+
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/mgag200/mgag200_mode.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/mgag200/mgag200_mode.c
++++ b/drivers/gpu/drm/mgag200/mgag200_mode.c
+@@ -1526,6 +1526,11 @@ static int mga_vga_mode_valid(struct drm
+ return MODE_BANDWIDTH;
+ }
+
++ if ((mode->hdisplay % 8) != 0 || (mode->hsync_start % 8) != 0 ||
++ (mode->hsync_end % 8) != 0 || (mode->htotal % 8) != 0) {
++ return MODE_H_ILLEGAL;
++ }
++
+ if (mode->crtc_hdisplay > 2048 || mode->crtc_hsync_start > 4096 ||
+ mode->crtc_hsync_end > 4096 || mode->crtc_htotal > 4096 ||
+ mode->crtc_vdisplay > 2048 || mode->crtc_vsync_start > 4096 ||
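Review bot: The new `% 8` test in `mga_vga_mode_valid` uses a bare constant with no comment tying it to the character-cell width named in the subject line. A short comment such as `/* horizontal timings must be multiples of the 8-pixel character cell */` would keep the reason next to the check. The braces around the single `return MODE_H_ILLEGAL;` can be dropped under kernel coding style. The function starts and ends outside the hunk.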
--- /dev/null
+From 524630d5824c7a75aab568c6bd1423fd748cd3bb Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagig@mellanox.com>
+Date: Thu, 4 Jun 2015 19:49:21 +0300
+Subject: iser-target: Fix possible use-after-free
+
+From: Sagi Grimberg <sagig@mellanox.com>
+
+commit 524630d5824c7a75aab568c6bd1423fd748cd3bb upstream.
+
+iser connection termination process happens in 2 stages:
+- isert_wait_conn:
+ - resumes rdma disconnect
+ - wait for session commands
+ - wait for flush completions (post a marked wr to signal we are done)
+ - wait for logout completion
+ - queue work for connection cleanup (depends on disconnected/timewait
+ events)
+- isert_free_conn
+ - last reference put on the connection
+
+In case we are terminating during IOs, we might be posting send/recv
+requests after we posted the last work request which might lead
+to a use-after-free condition in isert_handle_wc.
+After we posted the last wr in isert_wait_conn we are guaranteed that
+no successful completions will follow (meaning no new work request posts
+may happen) but other flush errors might still come. So before we
+put the last reference on the connection, we repeat the process of
+posting a marked work request (isert_wait4flush) in order to make sure all
+pending completions were flushed.
+
+Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
+Signed-off-by: Jenny Falkovich <jennyf@mellanox.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -3313,6 +3313,7 @@ static void isert_free_conn(struct iscsi
+ {
+ struct isert_conn *isert_conn = conn->context;
+
++ isert_wait4flush(isert_conn);
+ isert_put_conn(isert_conn);
+ }
+
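Review bot: `isert_free_conn` now blocks in `isert_wait4flush()` before dropping the last reference, and the call has no comment explaining why a second flush is needed after the one done in `isert_wait_conn`. Suggest `/* flush errors may still arrive after isert_wait_conn; drain them before the final put */`. `isert_wait4flush` is defined outside the hunk, so it is worth confirming that it returns rather than waits indefinitely when posting the marker work request fails, since that would turn the use-after-free into a hung teardown.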
--- /dev/null
+From 9253e667ab50fd4611a60e1cdd6a6e05a1d91cf1 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagig@mellanox.com>
+Date: Thu, 4 Jun 2015 19:49:19 +0300
+Subject: iser-target: Fix variable-length response error completion
+
+From: Sagi Grimberg <sagig@mellanox.com>
+
+commit 9253e667ab50fd4611a60e1cdd6a6e05a1d91cf1 upstream.
+
+Since commit "2426bd456a6 target: Report correct response ..."
+we might get a command with data_size that does not fit to
+the number of allocated data sg elements. Given that we rely on
+cmd t_data_nents which might be different than the data_size,
+we sometimes receive local length error completion. The correct
+approach would be to take the command data_size into account when
+constructing the ib sg_list.
+
+Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
+Signed-off-by: Jenny Falkovich <jennyf@mellanox.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -2316,7 +2316,6 @@ isert_build_rdma_wr(struct isert_conn *i
+ page_off = offset % PAGE_SIZE;
+
+ send_wr->sg_list = ib_sge;
+- send_wr->num_sge = sg_nents;
+ send_wr->wr_id = (uintptr_t)&isert_cmd->tx_desc;
+ /*
+ * Perform mapping of TCM scatterlist memory ib_sge dma_addr.
+@@ -2336,14 +2335,17 @@ isert_build_rdma_wr(struct isert_conn *i
+ ib_sge->addr, ib_sge->length, ib_sge->lkey);
+ page_off = 0;
+ data_left -= ib_sge->length;
++ if (!data_left)
++ break;
+ ib_sge++;
+ isert_dbg("Incrementing ib_sge pointer to %p\n", ib_sge);
+ }
+
++ send_wr->num_sge = ++i;
+ isert_dbg("Set outgoing sg_list: %p num_sg: %u from TCM SGLs\n",
+ send_wr->sg_list, send_wr->num_sge);
+
+- return sg_nents;
++ return send_wr->num_sge;
+ }
+
+ static int
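Review bot: `send_wr->num_sge = ++i;` is only correct when the loop was left through the new `break`. If the scatterlist loop (its header is outside the hunk) can run to completion with `data_left` still non-zero, `i` already equals the number of entries walked and the pre-increment reports one more SGE than was filled, so the adapter would be handed an `ib_sge` slot that was never written. Counting filled entries in a dedicated variable, incremented once per entry before the `if (!data_left)` test, removes the dependence on how the loop exited and avoids modifying the loop index as a side effect. The return value then follows from that counter as it does now from `send_wr->num_sge`.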
--- /dev/null
+From b6ac069532218027f2991cba01d7a72a200688b0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Fri, 5 Jun 2015 20:57:41 +0200
+Subject: KVM: x86: fix lapic.timer_mode on restore
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+
+commit b6ac069532218027f2991cba01d7a72a200688b0 upstream.
+
+lapic.timer_mode was not properly initialized after migration, which
+broke few useful things, like login, by making every sleep eternal.
+
+Fix this by calling apic_update_lvtt in kvm_apic_post_state_restore.
+
+There are other slowpaths that update lvtt, so this patch makes sure
+something similar doesn't happen again by calling apic_update_lvtt
+after every modification.
+
+Fixes: f30ebc312ca9 ("KVM: x86: optimize some accesses to LVTT and SPIV")
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/lapic.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -1064,6 +1064,17 @@ static void update_divide_count(struct k
+ apic->divide_count);
+ }
+
++static void apic_update_lvtt(struct kvm_lapic *apic)
++{
++ u32 timer_mode = kvm_apic_get_reg(apic, APIC_LVTT) &
++ apic->lapic_timer.timer_mode_mask;
++
++ if (apic->lapic_timer.timer_mode != timer_mode) {
++ apic->lapic_timer.timer_mode = timer_mode;
++ hrtimer_cancel(&apic->lapic_timer.timer);
++ }
++}
++
+ static void apic_timer_expired(struct kvm_lapic *apic)
+ {
+ struct kvm_vcpu *vcpu = apic->vcpu;
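Review bot: `apic_update_lvtt` carries no comment, yet the fix relies on the convention that it is called after every write to `APIC_LVTT`. State that on the helper, e.g. `/* Call after any change to APIC_LVTT: re-derives timer_mode and cancels the timer when the mode changes */`, so a future write path does not repeat the restore bug. In the `kvm_apic_post_state_restore` hunk the helper directly follows an explicit `hrtimer_cancel`, which makes the cancel inside it redundant on that path; harmless, but worth a word in the same comment.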
+@@ -1272,6 +1283,7 @@ static int apic_reg_write(struct kvm_lap
+ apic_set_reg(apic, APIC_LVTT + 0x10 * i,
+ lvt_val | APIC_LVT_MASKED);
+ }
++ apic_update_lvtt(apic);
+ atomic_set(&apic->lapic_timer.pending, 0);
+
+ }
+@@ -1304,20 +1316,13 @@ static int apic_reg_write(struct kvm_lap
+
+ break;
+
+- case APIC_LVTT: {
+- u32 timer_mode = val & apic->lapic_timer.timer_mode_mask;
+-
+- if (apic->lapic_timer.timer_mode != timer_mode) {
+- apic->lapic_timer.timer_mode = timer_mode;
+- hrtimer_cancel(&apic->lapic_timer.timer);
+- }
+-
++ case APIC_LVTT:
+ if (!kvm_apic_sw_enabled(apic))
+ val |= APIC_LVT_MASKED;
+ val &= (apic_lvt_mask[0] | apic->lapic_timer.timer_mode_mask);
+ apic_set_reg(apic, APIC_LVTT, val);
++ apic_update_lvtt(apic);
+ break;
+- }
+
+ case APIC_TMICT:
+ if (apic_lvtt_tscdeadline(apic))
+@@ -1552,7 +1557,7 @@ void kvm_lapic_reset(struct kvm_vcpu *vc
+
+ for (i = 0; i < APIC_LVT_NUM; i++)
+ apic_set_reg(apic, APIC_LVTT + 0x10 * i, APIC_LVT_MASKED);
+- apic->lapic_timer.timer_mode = 0;
++ apic_update_lvtt(apic);
+ apic_set_reg(apic, APIC_LVT0,
+ SET_APIC_DELIVERY_MODE(0, APIC_MODE_EXTINT));
+
+@@ -1778,6 +1783,7 @@ void kvm_apic_post_state_restore(struct
+
+ apic_update_ppr(apic);
+ hrtimer_cancel(&apic->lapic_timer.timer);
++ apic_update_lvtt(apic);
+ update_divide_count(apic);
+ start_apic_timer(apic);
+ apic->irr_pending = true;
--- /dev/null
+From 245ec9d85696c3e539b23e210f248698b478379c Mon Sep 17 00:00:00 2001
+From: Jani Nikula <jani.nikula@intel.com>
+Date: Mon, 15 Jun 2015 12:59:37 +0300
+Subject: Revert "drm/i915: Don't skip request retirement if the active list is empty"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+commit 245ec9d85696c3e539b23e210f248698b478379c upstream.
+
+This reverts commit 0aedb1626566efd72b369c01992ee7413c82a0c5.
+
+I messed things up while applying [1] to drm-intel-fixes. Rectify.
+
+[1] http://mid.gmane.org/1432827156-9605-1-git-send-email-ville.syrjala@linux.intel.com
+
+Fixes: 0aedb1626566 ("drm/i915: Don't skip request retirement if the active list is empty")
+Acked-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_gem.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/i915/i915_gem.c
++++ b/drivers/gpu/drm/i915/i915_gem.c
+@@ -2732,6 +2732,9 @@ void i915_gem_reset(struct drm_device *d
+ void
+ i915_gem_retire_requests_ring(struct intel_engine_cs *ring)
+ {
++ if (list_empty(&ring->request_list))
++ return;
++
+ WARN_ON(i915_verify_lists(ring->dev));
+
+ /* Retire requests first as we use it above for the early return.
--- /dev/null
+From 2cf30dc180cea808077f003c5116388183e54f9e Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Mon, 15 Jun 2015 17:50:25 -0400
+Subject: tracing: Have filter check for balanced ops
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 2cf30dc180cea808077f003c5116388183e54f9e upstream.
+
+When the following filter is used it causes a warning to trigger:
+
+ # cd /sys/kernel/debug/tracing
+ # echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter
+-bash: echo: write error: Invalid argument
+ # cat events/ext4/ext4_truncate_exit/filter
+((dev==1)blocks==2)
+^
+parse_error: No error
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 2 PID: 1223 at kernel/trace/trace_events_filter.c:1640 replace_preds+0x3c5/0x990()
+ Modules linked in: bnep lockd grace bluetooth ...
+ CPU: 3 PID: 1223 Comm: bash Tainted: G W 4.1.0-rc3-test+ #450
+ Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
+ 0000000000000668 ffff8800c106bc98 ffffffff816ed4f9 ffff88011ead0cf0
+ 0000000000000000 ffff8800c106bcd8 ffffffff8107fb07 ffffffff8136b46c
+ ffff8800c7d81d48 ffff8800d4c2bc00 ffff8800d4d4f920 00000000ffffffea
+ Call Trace:
+ [<ffffffff816ed4f9>] dump_stack+0x4c/0x6e
+ [<ffffffff8107fb07>] warn_slowpath_common+0x97/0xe0
+ [<ffffffff8136b46c>] ? _kstrtoull+0x2c/0x80
+ [<ffffffff8107fb6a>] warn_slowpath_null+0x1a/0x20
+ [<ffffffff81159065>] replace_preds+0x3c5/0x990
+ [<ffffffff811596b2>] create_filter+0x82/0xb0
+ [<ffffffff81159944>] apply_event_filter+0xd4/0x180
+ [<ffffffff81152bbf>] event_filter_write+0x8f/0x120
+ [<ffffffff811db2a8>] __vfs_write+0x28/0xe0
+ [<ffffffff811dda43>] ? __sb_start_write+0x53/0xf0
+ [<ffffffff812e51e0>] ? security_file_permission+0x30/0xc0
+ [<ffffffff811dc408>] vfs_write+0xb8/0x1b0
+ [<ffffffff811dc72f>] SyS_write+0x4f/0xb0
+ [<ffffffff816f5217>] system_call_fastpath+0x12/0x6a
+ ---[ end trace e11028bd95818dcd ]---
+
+Worse yet, reading the error message (the filter again) it says that
+there was no error, when there clearly was. The issue is that the
+code that checks the input does not check for balanced ops. That is,
+having an op between a closed parenthesis and the next token.
+
+This would only cause a warning, and fail out before doing any real
+harm, but it should still not caues a warning, and the error reported
+should work:
+
+ # cd /sys/kernel/debug/tracing
+ # echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter
+-bash: echo: write error: Invalid argument
+ # cat events/ext4/ext4_truncate_exit/filter
+((dev==1)blocks==2)
+^
+parse_error: Meaningless filter expression
+
+And give no kernel warning.
+
+Link: http://lkml.kernel.org/r/20150615175025.7e809215@gandalf.local.home
+
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Reported-by: Vince Weaver <vincent.weaver@maine.edu>
+Tested-by: Vince Weaver <vincent.weaver@maine.edu>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events_filter.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace_events_filter.c
++++ b/kernel/trace/trace_events_filter.c
+@@ -1369,19 +1369,26 @@ static int check_preds(struct filter_par
+ {
+ int n_normal_preds = 0, n_logical_preds = 0;
+ struct postfix_elt *elt;
++ int cnt = 0;
+
+ list_for_each_entry(elt, &ps->postfix, list) {
+- if (elt->op == OP_NONE)
++ if (elt->op == OP_NONE) {
++ cnt++;
+ continue;
++ }
+
+ if (elt->op == OP_AND || elt->op == OP_OR) {
+ n_logical_preds++;
++ cnt--;
+ continue;
+ }
++ if (elt->op != OP_NOT)
++ cnt--;
+ n_normal_preds++;
++ WARN_ON_ONCE(cnt < 0);
+ }
+
+- if (!n_normal_preds || n_logical_preds >= n_normal_preds) {
++ if (cnt != 1 || !n_normal_preds || n_logical_preds >= n_normal_preds) {
+ parse_error(ps, FILT_ERR_INVALID_FILTER, 0);
+ return -EINVAL;
+ }
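Review bot: `WARN_ON_ONCE(cnt < 0)` sits on a path driven by the filter string written from user space, which is the very class of warning this patch sets out to remove. If a malformed expression (an operator with no operands, for instance) can take `cnt` below zero, the write would again produce a kernel warning, and on systems running with panic_on_warn that becomes an availability problem. Treat it as a parse failure instead: `if (cnt < 0) break;` lets the following `cnt != 1` test report `FILT_ERR_INVALID_FILTER`. The signature and tail of `check_preds` are outside the hunk.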