4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 12 Sep 2016 15:16:23 +0000 (17:16 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 12 Sep 2016 15:16:23 +0000 (17:16 +0200)
added patches:
alsa-firewire-tascam-accessing-to-user-space-outside-spinlock.patch
alsa-fireworks-accessing-to-user-space-outside-spinlock.patch
alsa-hda-add-headset-mic-quirk-for-dell-inspiron-5468.patch
alsa-hda-enable-subwoofer-on-dell-inspiron-7559.patch
alsa-rawmidi-fix-possible-deadlock-with-virmidi-registration.patch
alsa-timer-fix-division-by-zero-after-sndrv_timer_ioctl_continue.patch
alsa-timer-fix-null-pointer-dereference-in-read-ioctl-race.patch
alsa-timer-fix-null-pointer-dereference-on-memory-allocation-failure.patch
alsa-usb-audio-add-sample-rate-inquiry-quirk-for-b850v3-cp2114.patch
cpufreq-fix-gov_limits-handling-for-the-userspace-governor.patch
crypto-caam-fix-iv-loading-for-authenc-giv-decryption.patch
hwrng-exynos-disable-runtime-pm-on-probe-failure.patch
lib-mpi-mpi_write_sgl-fix-skipping-of-leading-zero-limbs.patch
lustre-remove-unused-declaration.patch
metag-fix-atomic_-_return-inline-asm-constraints.patch
regulator-anatop-allow-regulator-to-be-in-bypass-mode.patch
scsi-fix-upper-bounds-check-of-sense-key-in-scsi_sense_key_string.patch

18 files changed:
queue-4.4/alsa-firewire-tascam-accessing-to-user-space-outside-spinlock.patch [new file with mode: 0644]
queue-4.4/alsa-fireworks-accessing-to-user-space-outside-spinlock.patch [new file with mode: 0644]
queue-4.4/alsa-hda-add-headset-mic-quirk-for-dell-inspiron-5468.patch [new file with mode: 0644]
queue-4.4/alsa-hda-enable-subwoofer-on-dell-inspiron-7559.patch [new file with mode: 0644]
queue-4.4/alsa-rawmidi-fix-possible-deadlock-with-virmidi-registration.patch [new file with mode: 0644]
queue-4.4/alsa-timer-fix-division-by-zero-after-sndrv_timer_ioctl_continue.patch [new file with mode: 0644]
queue-4.4/alsa-timer-fix-null-pointer-dereference-in-read-ioctl-race.patch [new file with mode: 0644]
queue-4.4/alsa-timer-fix-null-pointer-dereference-on-memory-allocation-failure.patch [new file with mode: 0644]
queue-4.4/alsa-usb-audio-add-sample-rate-inquiry-quirk-for-b850v3-cp2114.patch [new file with mode: 0644]
queue-4.4/cpufreq-fix-gov_limits-handling-for-the-userspace-governor.patch [new file with mode: 0644]
queue-4.4/crypto-caam-fix-iv-loading-for-authenc-giv-decryption.patch [new file with mode: 0644]
queue-4.4/hwrng-exynos-disable-runtime-pm-on-probe-failure.patch [new file with mode: 0644]
queue-4.4/lib-mpi-mpi_write_sgl-fix-skipping-of-leading-zero-limbs.patch [new file with mode: 0644]
queue-4.4/lustre-remove-unused-declaration.patch [new file with mode: 0644]
queue-4.4/metag-fix-atomic_-_return-inline-asm-constraints.patch [new file with mode: 0644]
queue-4.4/regulator-anatop-allow-regulator-to-be-in-bypass-mode.patch [new file with mode: 0644]
queue-4.4/scsi-fix-upper-bounds-check-of-sense-key-in-scsi_sense_key_string.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/alsa-firewire-tascam-accessing-to-user-space-outside-spinlock.patch b/queue-4.4/alsa-firewire-tascam-accessing-to-user-space-outside-spinlock.patch
new file mode 100644 (file)
index 0000000..6163293
--- /dev/null
@@ -0,0 +1,86 @@
+From 04b2d9c9c319277ad4fbbb71855c256a9f4d5f98 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Wed, 31 Aug 2016 20:15:32 +0900
+Subject: ALSA: firewire-tascam: accessing to user space outside spinlock
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 04b2d9c9c319277ad4fbbb71855c256a9f4d5f98 upstream.
+
+In hwdep interface of firewire-tascam driver, accessing to user space is
+in a critical section with disabled local interrupt. Depending on
+architecture, accessing to user space can cause page fault exception. Then
+local processor stores machine status and handle the synchronous event. A
+handler corresponding to the event can call task scheduler to wait for
+preparing pages. In a case of usage of single core processor, the state to
+disable local interrupt is worse because it doesn't handle usual interrupts
+from hardware.
+
+This commit fixes this bug, by performing the accessing outside spinlock.
+
+Reported-by: Vaishali Thakkar <vaishali.thakkar@oracle.com>
+Fixes: e5e0c3dd257b('ALSA: firewire-tascam: add hwdep interface')
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/tascam/tascam-hwdep.c |   33 +++++++++++----------------------
+ 1 file changed, 11 insertions(+), 22 deletions(-)
+
+--- a/sound/firewire/tascam/tascam-hwdep.c
++++ b/sound/firewire/tascam/tascam-hwdep.c
+@@ -16,31 +16,14 @@
+ #include "tascam.h"
+-static long hwdep_read_locked(struct snd_tscm *tscm, char __user *buf,
+-                            long count)
+-{
+-      union snd_firewire_event event;
+-
+-      memset(&event, 0, sizeof(event));
+-
+-      event.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS;
+-      event.lock_status.status = (tscm->dev_lock_count > 0);
+-      tscm->dev_lock_changed = false;
+-
+-      count = min_t(long, count, sizeof(event.lock_status));
+-
+-      if (copy_to_user(buf, &event, count))
+-              return -EFAULT;
+-
+-      return count;
+-}
+-
+ static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count,
+                      loff_t *offset)
+ {
+       struct snd_tscm *tscm = hwdep->private_data;
+       DEFINE_WAIT(wait);
+-      union snd_firewire_event event;
++      union snd_firewire_event event = {
++              .lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS,
++      };
+       spin_lock_irq(&tscm->lock);
+@@ -54,10 +37,16 @@ static long hwdep_read(struct snd_hwdep
+               spin_lock_irq(&tscm->lock);
+       }
+-      memset(&event, 0, sizeof(event));
+-      count = hwdep_read_locked(tscm, buf, count);
++      event.lock_status.status = (tscm->dev_lock_count > 0);
++      tscm->dev_lock_changed = false;
++
+       spin_unlock_irq(&tscm->lock);
++      count = min_t(long, count, sizeof(event.lock_status));
++
++      if (copy_to_user(buf, &event, count))
++              return -EFAULT;
++
+       return count;
+ }
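Review bot: In the new hwdep_read(), replacing `memset(&event, 0, sizeof(event))` with the designated initializer `.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS` zeroes the named members but does not guarantee zeroed padding, and `event` is then handed to copy_to_user(). The copy is capped at `sizeof(event.lock_status)`, so this only matters if that struct contains padding; its definition is not visible here and should be confirmed rather than assumed. A comment beside the initializer such as `/* lock_status has no padding; only sizeof(event.lock_status) bytes reach user space */` would record the assumption. Separately, `tscm->dev_lock_changed = false` is cleared before the copy, so a read that fails with -EFAULT still consumes the event, as the removed helper also did.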
diff --git a/queue-4.4/alsa-fireworks-accessing-to-user-space-outside-spinlock.patch b/queue-4.4/alsa-fireworks-accessing-to-user-space-outside-spinlock.patch
new file mode 100644 (file)
index 0000000..c9d15d3
--- /dev/null
@@ -0,0 +1,229 @@
+From 6b1ca4bcadf9ef077cc5f03c6822ba276ed14902 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Wed, 31 Aug 2016 22:58:42 +0900
+Subject: ALSA: fireworks: accessing to user space outside spinlock
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 6b1ca4bcadf9ef077cc5f03c6822ba276ed14902 upstream.
+
+In hwdep interface of fireworks driver, accessing to user space is in a
+critical section with disabled local interrupt. Depending on architecture,
+accessing to user space can cause page fault exception. Then local
+processor stores machine status and handles the synchronous event. A
+handler corresponding to the event can call task scheduler to wait for
+preparing pages. In a case of usage of single core processor, the state to
+disable local interrupt is worse because it don't handle usual interrupts
+from hardware.
+
+This commit fixes this bug, performing the accessing outside spinlock. This
+commit also gives up counting the number of queued response messages to
+simplify ring-buffer management.
+
+Reported-by: Vaishali Thakkar <vaishali.thakkar@oracle.com>
+Fixes: 555e8a8f7f14('ALSA: fireworks: Add command/response functionality into hwdep interface')
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/fireworks/fireworks.h             |    1 
+ sound/firewire/fireworks/fireworks_hwdep.c       |   71 ++++++++++++++++-------
+ sound/firewire/fireworks/fireworks_proc.c        |    4 -
+ sound/firewire/fireworks/fireworks_transaction.c |    5 -
+ 4 files changed, 56 insertions(+), 25 deletions(-)
+
+--- a/sound/firewire/fireworks/fireworks.h
++++ b/sound/firewire/fireworks/fireworks.h
+@@ -106,7 +106,6 @@ struct snd_efw {
+       u8 *resp_buf;
+       u8 *pull_ptr;
+       u8 *push_ptr;
+-      unsigned int resp_queues;
+ };
+ int snd_efw_transaction_cmd(struct fw_unit *unit,
+--- a/sound/firewire/fireworks/fireworks_hwdep.c
++++ b/sound/firewire/fireworks/fireworks_hwdep.c
+@@ -25,6 +25,7 @@ hwdep_read_resp_buf(struct snd_efw *efw,
+ {
+       unsigned int length, till_end, type;
+       struct snd_efw_transaction *t;
++      u8 *pull_ptr;
+       long count = 0;
+       if (remained < sizeof(type) + sizeof(struct snd_efw_transaction))
+@@ -38,8 +39,17 @@ hwdep_read_resp_buf(struct snd_efw *efw,
+       buf += sizeof(type);
+       /* write into buffer as many responses as possible */
+-      while (efw->resp_queues > 0) {
+-              t = (struct snd_efw_transaction *)(efw->pull_ptr);
++      spin_lock_irq(&efw->lock);
++
++      /*
++       * When another task reaches here during this task's access to user
++       * space, it picks up current position in buffer and can read the same
++       * series of responses.
++       */
++      pull_ptr = efw->pull_ptr;
++
++      while (efw->push_ptr != pull_ptr) {
++              t = (struct snd_efw_transaction *)(pull_ptr);
+               length = be32_to_cpu(t->length) * sizeof(__be32);
+               /* confirm enough space for this response */
+@@ -49,26 +59,39 @@ hwdep_read_resp_buf(struct snd_efw *efw,
+               /* copy from ring buffer to user buffer */
+               while (length > 0) {
+                       till_end = snd_efw_resp_buf_size -
+-                              (unsigned int)(efw->pull_ptr - efw->resp_buf);
++                              (unsigned int)(pull_ptr - efw->resp_buf);
+                       till_end = min_t(unsigned int, length, till_end);
+-                      if (copy_to_user(buf, efw->pull_ptr, till_end))
++                      spin_unlock_irq(&efw->lock);
++
++                      if (copy_to_user(buf, pull_ptr, till_end))
+                               return -EFAULT;
+-                      efw->pull_ptr += till_end;
+-                      if (efw->pull_ptr >= efw->resp_buf +
+-                                           snd_efw_resp_buf_size)
+-                              efw->pull_ptr -= snd_efw_resp_buf_size;
++                      spin_lock_irq(&efw->lock);
++
++                      pull_ptr += till_end;
++                      if (pull_ptr >= efw->resp_buf + snd_efw_resp_buf_size)
++                              pull_ptr -= snd_efw_resp_buf_size;
+                       length -= till_end;
+                       buf += till_end;
+                       count += till_end;
+                       remained -= till_end;
+               }
+-
+-              efw->resp_queues--;
+       }
++      /*
++       * All of tasks can read from the buffer nearly simultaneously, but the
++       * last position for each task is different depending on the length of
++       * given buffer. Here, for simplicity, a position of buffer is set by
++       * the latest task. It's better for a listening application to allow one
++       * thread to read from the buffer. Unless, each task can read different
++       * sequence of responses depending on variation of buffer length.
++       */
++      efw->pull_ptr = pull_ptr;
++
++      spin_unlock_irq(&efw->lock);
++
+       return count;
+ }
+@@ -76,14 +99,17 @@ static long
+ hwdep_read_locked(struct snd_efw *efw, char __user *buf, long count,
+                 loff_t *offset)
+ {
+-      union snd_firewire_event event;
++      union snd_firewire_event event = {
++              .lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS,
++      };
+-      memset(&event, 0, sizeof(event));
++      spin_lock_irq(&efw->lock);
+-      event.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS;
+       event.lock_status.status = (efw->dev_lock_count > 0);
+       efw->dev_lock_changed = false;
++      spin_unlock_irq(&efw->lock);
++
+       count = min_t(long, count, sizeof(event.lock_status));
+       if (copy_to_user(buf, &event, count))
+@@ -98,10 +124,15 @@ hwdep_read(struct snd_hwdep *hwdep, char
+ {
+       struct snd_efw *efw = hwdep->private_data;
+       DEFINE_WAIT(wait);
++      bool dev_lock_changed;
++      bool queued;
+       spin_lock_irq(&efw->lock);
+-      while ((!efw->dev_lock_changed) && (efw->resp_queues == 0)) {
++      dev_lock_changed = efw->dev_lock_changed;
++      queued = efw->push_ptr != efw->pull_ptr;
++
++      while (!dev_lock_changed && !queued) {
+               prepare_to_wait(&efw->hwdep_wait, &wait, TASK_INTERRUPTIBLE);
+               spin_unlock_irq(&efw->lock);
+               schedule();
+@@ -109,15 +140,17 @@ hwdep_read(struct snd_hwdep *hwdep, char
+               if (signal_pending(current))
+                       return -ERESTARTSYS;
+               spin_lock_irq(&efw->lock);
++              dev_lock_changed = efw->dev_lock_changed;
++              queued = efw->push_ptr != efw->pull_ptr;
+       }
+-      if (efw->dev_lock_changed)
++      spin_unlock_irq(&efw->lock);
++
++      if (dev_lock_changed)
+               count = hwdep_read_locked(efw, buf, count, offset);
+-      else if (efw->resp_queues > 0)
++      else if (queued)
+               count = hwdep_read_resp_buf(efw, buf, count, offset);
+-      spin_unlock_irq(&efw->lock);
+-
+       return count;
+ }
+@@ -160,7 +193,7 @@ hwdep_poll(struct snd_hwdep *hwdep, stru
+       poll_wait(file, &efw->hwdep_wait, wait);
+       spin_lock_irq(&efw->lock);
+-      if (efw->dev_lock_changed || (efw->resp_queues > 0))
++      if (efw->dev_lock_changed || efw->pull_ptr != efw->push_ptr)
+               events = POLLIN | POLLRDNORM;
+       else
+               events = 0;
+--- a/sound/firewire/fireworks/fireworks_proc.c
++++ b/sound/firewire/fireworks/fireworks_proc.c
+@@ -188,8 +188,8 @@ proc_read_queues_state(struct snd_info_e
+       else
+               consumed = (unsigned int)(efw->push_ptr - efw->pull_ptr);
+-      snd_iprintf(buffer, "%d %d/%d\n",
+-                  efw->resp_queues, consumed, snd_efw_resp_buf_size);
++      snd_iprintf(buffer, "%d/%d\n",
++                  consumed, snd_efw_resp_buf_size);
+ }
+ static void
+--- a/sound/firewire/fireworks/fireworks_transaction.c
++++ b/sound/firewire/fireworks/fireworks_transaction.c
+@@ -121,11 +121,11 @@ copy_resp_to_buf(struct snd_efw *efw, vo
+       size_t capacity, till_end;
+       struct snd_efw_transaction *t;
+-      spin_lock_irq(&efw->lock);
+-
+       t = (struct snd_efw_transaction *)data;
+       length = min_t(size_t, be32_to_cpu(t->length) * sizeof(u32), length);
++      spin_lock_irq(&efw->lock);
++
+       if (efw->push_ptr < efw->pull_ptr)
+               capacity = (unsigned int)(efw->pull_ptr - efw->push_ptr);
+       else
+@@ -155,7 +155,6 @@ copy_resp_to_buf(struct snd_efw *efw, vo
+       }
+       /* for hwdep */
+-      efw->resp_queues++;
+       wake_up(&efw->hwdep_wait);
+       *rcode = RCODE_COMPLETE;
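Review bot: hwdep_read_resp_buf() now drops `efw->lock` around each copy_to_user() while walking a private `pull_ptr`, so a second reader can publish its own `efw->pull_ptr` and let copy_resp_to_buf() reuse the region the first reader is still parsing. The added comments acknowledge duplicated or differing sequences, but not that the slower reader may then take `t->length` from bytes that are no longer a response header and store a `pull_ptr` that is off a response boundary; whether the `remained` check fully bounds that case is not visible in this hunk. Serialising readers, for example with a per-device mutex held across the whole read, would remove the window; at minimum the comment before `efw->pull_ptr = pull_ptr;` should say that concurrent readers can desynchronise the stream. The snapshot-then-unlock pattern in hwdep_read() also means `queued` can be stale when hwdep_read_resp_buf() runs, which looks harmless because the loop re-checks `efw->push_ptr != pull_ptr` under the lock.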
diff --git a/queue-4.4/alsa-hda-add-headset-mic-quirk-for-dell-inspiron-5468.patch b/queue-4.4/alsa-hda-add-headset-mic-quirk-for-dell-inspiron-5468.patch
new file mode 100644 (file)
index 0000000..a5479b8
--- /dev/null
@@ -0,0 +1,34 @@
+From 311042d1b67d9a1856a8e1294e7729fb86f64014 Mon Sep 17 00:00:00 2001
+From: Shrirang Bagul <shrirang.bagul@canonical.com>
+Date: Mon, 29 Aug 2016 15:19:27 +0800
+Subject: ALSA: hda - Add headset mic quirk for Dell Inspiron 5468
+
+From: Shrirang Bagul <shrirang.bagul@canonical.com>
+
+commit 311042d1b67d9a1856a8e1294e7729fb86f64014 upstream.
+
+This patch enables headset microphone on some variants of
+Dell Inspiron 5468. (Dell SSID 0x07ad)
+
+BugLink: https://bugs.launchpad.net/bugs/1617900
+Signed-off-by: Shrirang Bagul <shrirang.bagul@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5879,6 +5879,10 @@ static const struct snd_hda_pin_quirk al
+               {0x12, 0x90a60170},
+               {0x14, 0x90170120},
+               {0x21, 0x02211030}),
++      SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell Inspiron 5468", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
++              {0x12, 0x90a60180},
++              {0x14, 0x90170120},
++              {0x21, 0x02211030}),
+       SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+               ALC256_STANDARD_PINS),
+       SND_HDA_PIN_QUIRK(0x10ec0280, 0x103c, "HP", ALC280_FIXUP_HP_GPIO4,
diff --git a/queue-4.4/alsa-hda-enable-subwoofer-on-dell-inspiron-7559.patch b/queue-4.4/alsa-hda-enable-subwoofer-on-dell-inspiron-7559.patch
new file mode 100644 (file)
index 0000000..97cfa77
--- /dev/null
@@ -0,0 +1,57 @@
+From fd06c77eb9200b53d421da5fffe0dcd894b5d72a Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 30 Aug 2016 15:36:34 +0800
+Subject: ALSA: hda - Enable subwoofer on Dell Inspiron 7559
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit fd06c77eb9200b53d421da5fffe0dcd894b5d72a upstream.
+
+The subwoofer on Inspiron 7559 was disabled originally.
+Applying a pin fixup to node 0x1b can enable it and make it work.
+
+Old pin: 0x411111f0
+New pin: 0x90170151
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4840,6 +4840,7 @@ enum {
+       ALC221_FIXUP_HP_FRONT_MIC,
+       ALC292_FIXUP_TPT460,
+       ALC298_FIXUP_SPK_VOLUME,
++      ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER,
+ };
+ static const struct hda_fixup alc269_fixups[] = {
+@@ -5501,6 +5502,15 @@ static const struct hda_fixup alc269_fix
+               .chained = true,
+               .chain_id = ALC298_FIXUP_DELL1_MIC_NO_PRESENCE,
+       },
++      [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = {
++              .type = HDA_FIXUP_PINS,
++              .v.pins = (const struct hda_pintbl[]) {
++                      { 0x1b, 0x90170151 },
++                      { }
++              },
++              .chained = true,
++              .chain_id = ALC255_FIXUP_DELL1_MIC_NO_PRESENCE
++      },
+ };
+ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+@@ -5545,6 +5555,7 @@ static const struct snd_pci_quirk alc269
+       SND_PCI_QUIRK(0x1028, 0x06df, "Dell", ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK),
+       SND_PCI_QUIRK(0x1028, 0x06e0, "Dell", ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK),
+       SND_PCI_QUIRK(0x1028, 0x0704, "Dell XPS 13 9350", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
++      SND_PCI_QUIRK(0x1028, 0x0706, "Dell Inspiron 7559", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER),
+       SND_PCI_QUIRK(0x1028, 0x0725, "Dell Inspiron 3162", ALC255_FIXUP_DELL_SPK_NOISE),
+       SND_PCI_QUIRK(0x1028, 0x075b, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
+       SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME),
diff --git a/queue-4.4/alsa-rawmidi-fix-possible-deadlock-with-virmidi-registration.patch b/queue-4.4/alsa-rawmidi-fix-possible-deadlock-with-virmidi-registration.patch
new file mode 100644 (file)
index 0000000..bbd60e3
--- /dev/null
@@ -0,0 +1,132 @@
+From 816f318b2364262a51024096da7ca3b84e78e3b5 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 30 Aug 2016 14:45:46 +0200
+Subject: ALSA: rawmidi: Fix possible deadlock with virmidi registration
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 816f318b2364262a51024096da7ca3b84e78e3b5 upstream.
+
+When a seq-virmidi driver is initialized, it registers a rawmidi
+instance with its callback to create an associated seq kernel client.
+Currently it's done throughly in rawmidi's register_mutex context.
+Recently it was found that this may lead to a deadlock another rawmidi
+device that is being attached with the sequencer is accessed, as both
+open with the same register_mutex.  This was actually triggered by
+syzkaller, as Dmitry Vyukov reported:
+
+======================================================
+ [ INFO: possible circular locking dependency detected ]
+ 4.8.0-rc1+ #11 Not tainted
+ -------------------------------------------------------
+ syz-executor/7154 is trying to acquire lock:
+  (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
+
+ but task is already holding lock:
+  (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #1 (&grp->list_mutex){++++.+}:
+    [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
+    [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22
+    [<     inline     >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681
+    [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822
+    [<ffffffff85006e96>] > snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418
+    [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101
+    [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297
+    [<     inline     >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383
+    [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450
+    [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645
+    [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 sound/core/device.c:164
+    [<     inline     >] __snd_device_register sound/core/device.c:162
+    [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 sound/core/device.c:212
+    [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749
+    [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123
+    [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564
+    ......
+
+ -> #0 (register_mutex#5){+.+.+.}:
+    [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
+    [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
+    [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
+    [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335
+    [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
+    [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
+    [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621
+    [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
+    [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188
+    [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
+    [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510
+    [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579
+    [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480
+    [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225
+    [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440
+    [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375
+    [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281
+    [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274
+    [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
+    [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
+    ......
+
+ other info that might help us debug this:
+
+ Possible unsafe locking scenario:
+
+        CPU0                    CPU1
+        ----                    ----
+   lock(&grp->list_mutex);
+                                lock(register_mutex#5);
+                                lock(&grp->list_mutex);
+   lock(register_mutex#5);
+
+ *** DEADLOCK ***
+======================================================
+
+The fix is to simply move the registration parts in
+snd_rawmidi_dev_register() to the outside of the register_mutex lock.
+The lock is needed only to manage the linked list, and it's not
+necessarily to cover the whole initialization process.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/rawmidi.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/core/rawmidi.c
++++ b/sound/core/rawmidi.c
+@@ -1633,11 +1633,13 @@ static int snd_rawmidi_dev_register(stru
+               return -EBUSY;
+       }
+       list_add_tail(&rmidi->list, &snd_rawmidi_devices);
++      mutex_unlock(&register_mutex);
+       err = snd_register_device(SNDRV_DEVICE_TYPE_RAWMIDI,
+                                 rmidi->card, rmidi->device,
+                                 &snd_rawmidi_f_ops, rmidi, &rmidi->dev);
+       if (err < 0) {
+               rmidi_err(rmidi, "unable to register\n");
++              mutex_lock(&register_mutex);
+               list_del(&rmidi->list);
+               mutex_unlock(&register_mutex);
+               return err;
+@@ -1645,6 +1647,7 @@ static int snd_rawmidi_dev_register(stru
+       if (rmidi->ops && rmidi->ops->dev_register &&
+           (err = rmidi->ops->dev_register(rmidi)) < 0) {
+               snd_unregister_device(&rmidi->dev);
++              mutex_lock(&register_mutex);
+               list_del(&rmidi->list);
+               mutex_unlock(&register_mutex);
+               return err;
+@@ -1677,7 +1680,6 @@ static int snd_rawmidi_dev_register(stru
+               }
+       }
+ #endif /* CONFIG_SND_OSSEMUL */
+-      mutex_unlock(&register_mutex);
+       sprintf(name, "midi%d", rmidi->device);
+       entry = snd_info_create_card_entry(rmidi->card, name, rmidi->card->proc_root);
+       if (entry) {
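Review bot: In snd_rawmidi_dev_register(), `mutex_unlock(&register_mutex)` now comes directly after `list_add_tail(&rmidi->list, &snd_rawmidi_devices)`, so the device is on the global list while snd_register_device(), `rmidi->ops->dev_register()` and the CONFIG_SND_OSSEMUL block still run, and both error paths later remove it with `list_del()`. A lookup that walks `snd_rawmidi_devices` under register_mutex during that window can find a device whose registration is incomplete or about to be undone; whether such lookups are otherwise kept from using it (card state, reference counts) is not visible in this hunk. A comment at the new unlock, for example `/* rmidi is listed but not fully registered from here on; lookups must tolerate that */`, would make the invariant explicit. The function body starts and ends outside the hunk.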
diff --git a/queue-4.4/alsa-timer-fix-division-by-zero-after-sndrv_timer_ioctl_continue.patch b/queue-4.4/alsa-timer-fix-division-by-zero-after-sndrv_timer_ioctl_continue.patch
new file mode 100644 (file)
index 0000000..74d16f5
--- /dev/null
@@ -0,0 +1,89 @@
+From 6b760bb2c63a9e322c0e4a0b5daf335ad93d5a33 Mon Sep 17 00:00:00 2001
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Mon, 29 Aug 2016 00:33:50 +0200
+Subject: ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE
+
+From: Vegard Nossum <vegard.nossum@oracle.com>
+
+commit 6b760bb2c63a9e322c0e4a0b5daf335ad93d5a33 upstream.
+
+I got this:
+
+    divide error: 0000 [#1] PREEMPT SMP KASAN
+    CPU: 1 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #189
+    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
+    task: ffff8801120a9580 task.stack: ffff8801120b0000
+    RIP: 0010:[<ffffffff82c8bd9a>]  [<ffffffff82c8bd9a>] snd_hrtimer_callback+0x1da/0x3f0
+    RSP: 0018:ffff88011aa87da8  EFLAGS: 00010006
+    RAX: 0000000000004f76 RBX: ffff880112655e88 RCX: 0000000000000000
+    RDX: 0000000000000000 RSI: ffff880112655ea0 RDI: 0000000000000001
+    RBP: ffff88011aa87e00 R08: ffff88013fff905c R09: ffff88013fff9048
+    R10: ffff88013fff9050 R11: 00000001050a7b8c R12: ffff880114778a00
+    R13: ffff880114778ab4 R14: ffff880114778b30 R15: 0000000000000000
+    FS:  00007f071647c700(0000) GS:ffff88011aa80000(0000) knlGS:0000000000000000
+    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+    CR2: 0000000000603001 CR3: 0000000112021000 CR4: 00000000000006e0
+    Stack:
+     0000000000000000 ffff880114778ab8 ffff880112655ea0 0000000000004f76
+     ffff880112655ec8 ffff880112655e80 ffff880112655e88 ffff88011aa98fc0
+     00000000b97ccf2b dffffc0000000000 ffff88011aa98fc0 ffff88011aa87ef0
+    Call Trace:
+     <IRQ>
+     [<ffffffff813abce7>] __hrtimer_run_queues+0x347/0xa00
+     [<ffffffff82c8bbc0>] ? snd_hrtimer_close+0x130/0x130
+     [<ffffffff813ab9a0>] ? retrigger_next_event+0x1b0/0x1b0
+     [<ffffffff813ae1a6>] ? hrtimer_interrupt+0x136/0x4b0
+     [<ffffffff813ae220>] hrtimer_interrupt+0x1b0/0x4b0
+     [<ffffffff8120f91e>] local_apic_timer_interrupt+0x6e/0xf0
+     [<ffffffff81227ad3>] ? kvm_guest_apic_eoi_write+0x13/0xc0
+     [<ffffffff83c35086>] smp_apic_timer_interrupt+0x76/0xa0
+     [<ffffffff83c3416c>] apic_timer_interrupt+0x8c/0xa0
+     <EOI>
+     [<ffffffff83c3239c>] ? _raw_spin_unlock_irqrestore+0x2c/0x60
+     [<ffffffff82c8185d>] snd_timer_start1+0xdd/0x670
+     [<ffffffff82c87015>] snd_timer_continue+0x45/0x80
+     [<ffffffff82c88100>] snd_timer_user_ioctl+0x1030/0x2830
+     [<ffffffff8159f3a0>] ? __follow_pte.isra.49+0x430/0x430
+     [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
+     [<ffffffff815a26fa>] ? do_wp_page+0x3aa/0x1c90
+     [<ffffffff815aa4f8>] ? handle_mm_fault+0xbc8/0x27f0
+     [<ffffffff815a9930>] ? __pmd_alloc+0x370/0x370
+     [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
+     [<ffffffff816b0733>] do_vfs_ioctl+0x193/0x1050
+     [<ffffffff816b05a0>] ? ioctl_preallocate+0x200/0x200
+     [<ffffffff81002f2f>] ? syscall_trace_enter+0x3cf/0xdb0
+     [<ffffffff815045ba>] ? __context_tracking_exit.part.4+0x9a/0x1e0
+     [<ffffffff81002b60>] ? exit_to_usermode_loop+0x190/0x190
+     [<ffffffff82001a97>] ? check_preemption_disabled+0x37/0x1e0
+     [<ffffffff81d93889>] ? security_file_ioctl+0x89/0xb0
+     [<ffffffff816b167f>] SyS_ioctl+0x8f/0xc0
+     [<ffffffff816b15f0>] ? do_vfs_ioctl+0x1050/0x1050
+     [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
+     [<ffffffff83c32b2a>] entry_SYSCALL64_slow_path+0x25/0x25
+    Code: e8 fc 42 7b fe 8b 0d 06 8a 50 03 49 0f af cf 48 85 c9 0f 88 7c 01 00 00 48 89 4d a8 e8 e0 42 7b fe 48 8b 45 c0 48 8b 4d a8 48 99 <48> f7 f9 49 01 c7 e8 cb 42 7b fe 48 8b 55 d0 48 b8 00 00 00 00
+    RIP  [<ffffffff82c8bd9a>] snd_hrtimer_callback+0x1da/0x3f0
+     RSP <ffff88011aa87da8>
+    ---[ end trace 6aa380f756a21074 ]---
+
+The problem happens when you call ioctl(SNDRV_TIMER_IOCTL_CONTINUE) on a
+completely new/unused timer -- it will have ->sticks == 0, which causes a
+divide by 0 in snd_hrtimer_callback().
+
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -837,6 +837,7 @@ int snd_timer_new(struct snd_card *card,
+       timer->tmr_subdevice = tid->subdevice;
+       if (id)
+               strlcpy(timer->id, id, sizeof(timer->id));
++      timer->sticks = 1;
+       INIT_LIST_HEAD(&timer->device_list);
+       INIT_LIST_HEAD(&timer->open_list_head);
+       INIT_LIST_HEAD(&timer->active_list_head);
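Review bot: Setting `timer->sticks = 1;` in snd_timer_new() removes the zero default, but the divide in snd_hrtimer_callback() named in the commit message stays unguarded, so it still relies on every other writer of `sticks` keeping it non-zero. Those writers are not visible in this hunk, so it is worth confirming that none of them can store 0 derived from a user-supplied tick count. A short comment on the new line, e.g. `/* must stay non-zero: snd_hrtimer_callback() divides by it */`, would document why the default is not 0. snd_timer_new()'s body continues outside the hunk.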
diff --git a/queue-4.4/alsa-timer-fix-null-pointer-dereference-in-read-ioctl-race.patch b/queue-4.4/alsa-timer-fix-null-pointer-dereference-in-read-ioctl-race.patch
new file mode 100644 (file)
index 0000000..e4518ea
--- /dev/null
@@ -0,0 +1,95 @@
+From 11749e086b2766cccf6217a527ef5c5604ba069c Mon Sep 17 00:00:00 2001
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Sun, 28 Aug 2016 10:13:07 +0200
+Subject: ALSA: timer: fix NULL pointer dereference in read()/ioctl() race
+
+From: Vegard Nossum <vegard.nossum@oracle.com>
+
+commit 11749e086b2766cccf6217a527ef5c5604ba069c upstream.
+
+I got this with syzkaller:
+
+    ==================================================================
+    BUG: KASAN: null-ptr-deref on address 0000000000000020
+    Read of size 32 by task syz-executor/22519
+    CPU: 1 PID: 22519 Comm: syz-executor Not tainted 4.8.0-rc2+ #169
+    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2
+    014
+     0000000000000001 ffff880111a17a00 ffffffff81f9f141 ffff880111a17a90
+     ffff880111a17c50 ffff880114584a58 ffff880114584a10 ffff880111a17a80
+     ffffffff8161fe3f ffff880100000000 ffff880118d74a48 ffff880118d74a68
+    Call Trace:
+     [<ffffffff81f9f141>] dump_stack+0x83/0xb2
+     [<ffffffff8161fe3f>] kasan_report_error+0x41f/0x4c0
+     [<ffffffff8161ff74>] kasan_report+0x34/0x40
+     [<ffffffff82c84b54>] ? snd_timer_user_read+0x554/0x790
+     [<ffffffff8161e79e>] check_memory_region+0x13e/0x1a0
+     [<ffffffff8161e9c1>] kasan_check_read+0x11/0x20
+     [<ffffffff82c84b54>] snd_timer_user_read+0x554/0x790
+     [<ffffffff82c84600>] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0
+     [<ffffffff817d0831>] ? proc_fault_inject_write+0x1c1/0x250
+     [<ffffffff817d0670>] ? next_tgid+0x2a0/0x2a0
+     [<ffffffff8127c278>] ? do_group_exit+0x108/0x330
+     [<ffffffff8174653a>] ? fsnotify+0x72a/0xca0
+     [<ffffffff81674dfe>] __vfs_read+0x10e/0x550
+     [<ffffffff82c84600>] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0
+     [<ffffffff81674cf0>] ? do_sendfile+0xc50/0xc50
+     [<ffffffff81745e10>] ? __fsnotify_update_child_dentry_flags+0x60/0x60
+     [<ffffffff8143fec6>] ? kcov_ioctl+0x56/0x190
+     [<ffffffff81e5ada2>] ? common_file_perm+0x2e2/0x380
+     [<ffffffff81746b0e>] ? __fsnotify_parent+0x5e/0x2b0
+     [<ffffffff81d93536>] ? security_file_permission+0x86/0x1e0
+     [<ffffffff816728f5>] ? rw_verify_area+0xe5/0x2b0
+     [<ffffffff81675355>] vfs_read+0x115/0x330
+     [<ffffffff81676371>] SyS_read+0xd1/0x1a0
+     [<ffffffff816762a0>] ? vfs_write+0x4b0/0x4b0
+     [<ffffffff82001c2c>] ? __this_cpu_preempt_check+0x1c/0x20
+     [<ffffffff8150455a>] ? __context_tracking_exit.part.4+0x3a/0x1e0
+     [<ffffffff816762a0>] ? vfs_write+0x4b0/0x4b0
+     [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
+     [<ffffffff810052fc>] ? syscall_return_slowpath+0x16c/0x1d0
+     [<ffffffff83c3276a>] entry_SYSCALL64_slow_path+0x25/0x25
+    ==================================================================
+
+There are a couple of problems that I can see:
+
+ - ioctl(SNDRV_TIMER_IOCTL_SELECT), which potentially sets
+   tu->queue/tu->tqueue to NULL on memory allocation failure, so read()
+   would get a NULL pointer dereference like the above splat
+
+ - the same ioctl() can free tu->queue/to->tqueue which means read()
+   could potentially see (and dereference) the freed pointer
+
+We can fix both by taking the ioctl_lock mutex when dereferencing
+->queue/->tqueue, since that's always held over all the ioctl() code.
+
+Just looking at the code I find it likely that there are more problems
+here such as tu->qhead pointing outside the buffer if the size is
+changed concurrently using SNDRV_TIMER_IOCTL_PARAMS.
+
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1967,6 +1967,7 @@ static ssize_t snd_timer_user_read(struc
+               tu->qused--;
+               spin_unlock_irq(&tu->qlock);
++              mutex_lock(&tu->ioctl_lock);
+               if (tu->tread) {
+                       if (copy_to_user(buffer, &tu->tqueue[qhead],
+                                        sizeof(struct snd_timer_tread)))
+@@ -1976,6 +1977,7 @@ static ssize_t snd_timer_user_read(struc
+                                        sizeof(struct snd_timer_read)))
+                               err = -EFAULT;
+               }
++              mutex_unlock(&tu->ioctl_lock);
+               spin_lock_irq(&tu->qlock);
+               if (err < 0)
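Review bot: In snd_timer_user_read() the slot index `qhead` is picked and `tu->qused` is decremented under `qlock` before the new `mutex_lock(&tu->ioctl_lock);` is reached. An ioctl that runs in that gap can therefore still have freed, replaced or NULLed `tu->queue`/`tu->tqueue` by the time `copy_to_user()` reads `&tu->tqueue[qhead]`. The mutex serialises the dereference, but nothing revalidates the buffer or the index after it is acquired. Taking `mutex_lock(&tu->ioctl_lock);` before the loop's first `spin_lock_irq(&tu->qlock);` and releasing it after the loop would close that window. The function starts and ends outside the hunk, so the loop structure is inferred from the visible lines.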
diff --git a/queue-4.4/alsa-timer-fix-null-pointer-dereference-on-memory-allocation-failure.patch b/queue-4.4/alsa-timer-fix-null-pointer-dereference-on-memory-allocation-failure.patch
new file mode 100644 (file)
index 0000000..47514f0
--- /dev/null
@@ -0,0 +1,110 @@
+From 8ddc05638ee42b18ba4fe99b5fb647fa3ad20456 Mon Sep 17 00:00:00 2001
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Mon, 29 Aug 2016 00:33:51 +0200
+Subject: ALSA: timer: fix NULL pointer dereference on memory allocation failure
+
+From: Vegard Nossum <vegard.nossum@oracle.com>
+
+commit 8ddc05638ee42b18ba4fe99b5fb647fa3ad20456 upstream.
+
+I hit this with syzkaller:
+
+    kasan: CONFIG_KASAN_INLINE enabled
+    kasan: GPF could be caused by NULL-ptr deref or user memory access
+    general protection fault: 0000 [#1] PREEMPT SMP KASAN
+    CPU: 0 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #190
+    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
+    task: ffff88011278d600 task.stack: ffff8801120c0000
+    RIP: 0010:[<ffffffff82c8ba07>]  [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100
+    RSP: 0018:ffff8801120c7a60  EFLAGS: 00010006
+    RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000007
+    RDX: 0000000000000009 RSI: 1ffff10023483091 RDI: 0000000000000048
+    RBP: ffff8801120c7a78 R08: ffff88011a5cf768 R09: ffff88011a5ba790
+    R10: 0000000000000002 R11: ffffed00234b9ef1 R12: ffff880114843980
+    R13: ffffffff84213c00 R14: ffff880114843ab0 R15: 0000000000000286
+    FS:  00007f72958f3700(0000) GS:ffff88011aa00000(0000) knlGS:0000000000000000
+    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+    CR2: 0000000000603001 CR3: 00000001126ab000 CR4: 00000000000006f0
+    Stack:
+     ffff880114843980 ffff880111eb2dc0 ffff880114843a34 ffff8801120c7ad0
+     ffffffff82c81ab1 0000000000000000 ffffffff842138e0 0000000100000000
+     ffff880111eb2dd0 ffff880111eb2dc0 0000000000000001 ffff880111eb2dc0
+    Call Trace:
+     [<ffffffff82c81ab1>] snd_timer_start1+0x331/0x670
+     [<ffffffff82c85bfd>] snd_timer_start+0x5d/0xa0
+     [<ffffffff82c8795e>] snd_timer_user_ioctl+0x88e/0x2830
+     [<ffffffff8159f3a0>] ? __follow_pte.isra.49+0x430/0x430
+     [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
+     [<ffffffff815a26fa>] ? do_wp_page+0x3aa/0x1c90
+     [<ffffffff8132762f>] ? put_prev_entity+0x108f/0x21a0
+     [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
+     [<ffffffff816b0733>] do_vfs_ioctl+0x193/0x1050
+     [<ffffffff813510af>] ? cpuacct_account_field+0x12f/0x1a0
+     [<ffffffff816b05a0>] ? ioctl_preallocate+0x200/0x200
+     [<ffffffff81002f2f>] ? syscall_trace_enter+0x3cf/0xdb0
+     [<ffffffff815045ba>] ? __context_tracking_exit.part.4+0x9a/0x1e0
+     [<ffffffff81002b60>] ? exit_to_usermode_loop+0x190/0x190
+     [<ffffffff82001a97>] ? check_preemption_disabled+0x37/0x1e0
+     [<ffffffff81d93889>] ? security_file_ioctl+0x89/0xb0
+     [<ffffffff816b167f>] SyS_ioctl+0x8f/0xc0
+     [<ffffffff816b15f0>] ? do_vfs_ioctl+0x1050/0x1050
+     [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
+     [<ffffffff83c32b2a>] entry_SYSCALL64_slow_path+0x25/0x25
+    Code: c7 c7 c4 b9 c8 82 48 89 d9 4c 89 ee e8 63 88 7f fe e8 7e 46 7b fe 48 8d 7b 48 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 04 84 c0 7e 65 80 7b 48 00 74 0e e8 52 46
+    RIP  [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100
+     RSP <ffff8801120c7a60>
+    ---[ end trace 5955b08db7f2b029 ]---
+
+This can happen if snd_hrtimer_open() fails to allocate memory and
+returns an error, which is currently not checked by snd_timer_open():
+
+    ioctl(SNDRV_TIMER_IOCTL_SELECT)
+     - snd_timer_user_tselect()
+       - snd_timer_close()
+          - snd_hrtimer_close()
+             - (struct snd_timer *) t->private_data = NULL
+        - snd_timer_open()
+           - snd_hrtimer_open()
+              - kzalloc() fails; t->private_data is still NULL
+
+    ioctl(SNDRV_TIMER_IOCTL_START)
+     - snd_timer_user_start()
+       - snd_timer_start()
+          - snd_timer_start1()
+             - snd_hrtimer_start()
+               - t->private_data == NULL // boom
+
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c |   17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -296,8 +296,21 @@ int snd_timer_open(struct snd_timer_inst
+               get_device(&timer->card->card_dev);
+       timeri->slave_class = tid->dev_sclass;
+       timeri->slave_id = slave_id;
+-      if (list_empty(&timer->open_list_head) && timer->hw.open)
+-              timer->hw.open(timer);
++
++      if (list_empty(&timer->open_list_head) && timer->hw.open) {
++              int err = timer->hw.open(timer);
++              if (err) {
++                      kfree(timeri->owner);
++                      kfree(timeri);
++
++                      if (timer->card)
++                              put_device(&timer->card->card_dev);
++                      module_put(timer->module);
++                      mutex_unlock(&register_mutex);
++                      return err;
++              }
++      }
++
+       list_add_tail(&timeri->open_list, &timer->open_list_head);
+       snd_timer_check_master(timeri);
+       mutex_unlock(&register_mutex);
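Review bot: The new failure branch in snd_timer_open() open-codes its unwinding (two `kfree()` calls, `put_device()`, `module_put()`, `mutex_unlock()`) instead of sharing one exit path. Any reference or allocation later added above this point then has to be mirrored here by hand, or it leaks on a failed `hw.open`. A comment on the branch such as `/* undo everything acquired above: instance, card device ref, module ref */` would make that dependency explicit, or the branch could jump to a common unwind label. The function starts and ends outside the hunk, so the matching acquisitions cannot be checked from here.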
diff --git a/queue-4.4/alsa-usb-audio-add-sample-rate-inquiry-quirk-for-b850v3-cp2114.patch b/queue-4.4/alsa-usb-audio-add-sample-rate-inquiry-quirk-for-b850v3-cp2114.patch
new file mode 100644 (file)
index 0000000..2af924b
--- /dev/null
@@ -0,0 +1,32 @@
+From 83d9956b7e6b310c1062df7894257251c625b22e Mon Sep 17 00:00:00 2001
+From: Ken Lin <ken.lin@advantech.com.tw>
+Date: Fri, 12 Aug 2016 14:08:47 -0400
+Subject: ALSA: usb-audio: Add sample rate inquiry quirk for B850V3 CP2114
+
+From: Ken Lin <ken.lin@advantech.com.tw>
+
+commit 83d9956b7e6b310c1062df7894257251c625b22e upstream.
+
+Avoid getting sample rate on B850V3 CP2114 as it is unsupported and
+causes noisy "current rate is different from the runtime rate" messages
+when playback starts.
+
+Signed-off-by: Ken Lin <ken.lin@advantech.com.tw>
+Signed-off-by: Akshay Bhat <akshay.bhat@timesys.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1142,6 +1142,7 @@ bool snd_usb_get_sample_rate_quirk(struc
+       case USB_ID(0x0556, 0x0014): /* Phoenix Audio TMX320VC */
+       case USB_ID(0x05A3, 0x9420): /* ELP HD USB Camera */
+       case USB_ID(0x074D, 0x3553): /* Outlaw RR2150 (Micronas UAC3553B) */
++      case USB_ID(0x1901, 0x0191): /* GE B850V3 CP2114 audio interface */
+       case USB_ID(0x1de7, 0x0013): /* Phoenix Audio MT202exe */
+       case USB_ID(0x1de7, 0x0014): /* Phoenix Audio TMX320 */
+       case USB_ID(0x1de7, 0x0114): /* Phoenix Audio MT202pcs */
diff --git a/queue-4.4/cpufreq-fix-gov_limits-handling-for-the-userspace-governor.patch b/queue-4.4/cpufreq-fix-gov_limits-handling-for-the-userspace-governor.patch
new file mode 100644 (file)
index 0000000..4fb292a
--- /dev/null
@@ -0,0 +1,136 @@
+From e43e94c1eda76dabd686ddf6f7825f54d747b310 Mon Sep 17 00:00:00 2001
+From: Sai Gurrappadi <sgurrappadi@nvidia.com>
+Date: Fri, 29 Apr 2016 14:44:37 -0700
+Subject: cpufreq: Fix GOV_LIMITS handling for the userspace governor
+
+From: Sai Gurrappadi <sgurrappadi@nvidia.com>
+
+commit e43e94c1eda76dabd686ddf6f7825f54d747b310 upstream.
+
+Currently, the userspace governor only updates frequency on GOV_LIMITS
+if policy->cur falls outside policy->{min/max}. However, it is also
+necessary to update current frequency on GOV_LIMITS to match the user
+requested value if it can be achieved within the new policy->{max/min}.
+
+This was previously the behaviour in the governor until commit d1922f0
+("cpufreq: Simplify userspace governor") which incorrectly assumed that
+policy->cur == user requested frequency via scaling_setspeed. This won't
+be true if the user requested frequency falls outside policy->{min/max}.
+Ex: a temporary thermal cap throttled the user requested frequency.
+
+Fix this by storing the user requested frequency in a seperate variable.
+The governor will then try to achieve this request on every GOV_LIMITS
+change.
+
+Fixes: d1922f02562f (cpufreq: Simplify userspace governor)
+Signed-off-by: Sai Gurrappadi <sgurrappadi@nvidia.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/cpufreq_userspace.c |   43 +++++++++++++++++++++++++++++++-----
+ 1 file changed, 38 insertions(+), 5 deletions(-)
+
+--- a/drivers/cpufreq/cpufreq_userspace.c
++++ b/drivers/cpufreq/cpufreq_userspace.c
+@@ -17,6 +17,7 @@
+ #include <linux/init.h>
+ #include <linux/module.h>
+ #include <linux/mutex.h>
++#include <linux/slab.h>
+ static DEFINE_PER_CPU(unsigned int, cpu_is_managed);
+ static DEFINE_MUTEX(userspace_mutex);
+@@ -31,6 +32,7 @@ static DEFINE_MUTEX(userspace_mutex);
+ static int cpufreq_set(struct cpufreq_policy *policy, unsigned int freq)
+ {
+       int ret = -EINVAL;
++      unsigned int *setspeed = policy->governor_data;
+       pr_debug("cpufreq_set for cpu %u, freq %u kHz\n", policy->cpu, freq);
+@@ -38,6 +40,8 @@ static int cpufreq_set(struct cpufreq_po
+       if (!per_cpu(cpu_is_managed, policy->cpu))
+               goto err;
++      *setspeed = freq;
++
+       ret = __cpufreq_driver_target(policy, freq, CPUFREQ_RELATION_L);
+  err:
+       mutex_unlock(&userspace_mutex);
+@@ -49,19 +53,45 @@ static ssize_t show_speed(struct cpufreq
+       return sprintf(buf, "%u\n", policy->cur);
+ }
++static int cpufreq_userspace_policy_init(struct cpufreq_policy *policy)
++{
++      unsigned int *setspeed;
++
++      setspeed = kzalloc(sizeof(*setspeed), GFP_KERNEL);
++      if (!setspeed)
++              return -ENOMEM;
++
++      policy->governor_data = setspeed;
++      return 0;
++}
++
+ static int cpufreq_governor_userspace(struct cpufreq_policy *policy,
+                                  unsigned int event)
+ {
++      unsigned int *setspeed = policy->governor_data;
+       unsigned int cpu = policy->cpu;
+       int rc = 0;
++      if (event == CPUFREQ_GOV_POLICY_INIT)
++              return cpufreq_userspace_policy_init(policy);
++
++      if (!setspeed)
++              return -EINVAL;
++
+       switch (event) {
++      case CPUFREQ_GOV_POLICY_EXIT:
++              mutex_lock(&userspace_mutex);
++              policy->governor_data = NULL;
++              kfree(setspeed);
++              mutex_unlock(&userspace_mutex);
++              break;
+       case CPUFREQ_GOV_START:
+               BUG_ON(!policy->cur);
+               pr_debug("started managing cpu %u\n", cpu);
+               mutex_lock(&userspace_mutex);
+               per_cpu(cpu_is_managed, cpu) = 1;
++              *setspeed = policy->cur;
+               mutex_unlock(&userspace_mutex);
+               break;
+       case CPUFREQ_GOV_STOP:
+@@ -69,20 +99,23 @@ static int cpufreq_governor_userspace(st
+               mutex_lock(&userspace_mutex);
+               per_cpu(cpu_is_managed, cpu) = 0;
++              *setspeed = 0;
+               mutex_unlock(&userspace_mutex);
+               break;
+       case CPUFREQ_GOV_LIMITS:
+               mutex_lock(&userspace_mutex);
+-              pr_debug("limit event for cpu %u: %u - %u kHz, currently %u kHz\n",
+-                      cpu, policy->min, policy->max,
+-                      policy->cur);
++              pr_debug("limit event for cpu %u: %u - %u kHz, currently %u kHz, last set to %u kHz\n",
++                      cpu, policy->min, policy->max, policy->cur, *setspeed);
+-              if (policy->max < policy->cur)
++              if (policy->max < *setspeed)
+                       __cpufreq_driver_target(policy, policy->max,
+                                               CPUFREQ_RELATION_H);
+-              else if (policy->min > policy->cur)
++              else if (policy->min > *setspeed)
+                       __cpufreq_driver_target(policy, policy->min,
+                                               CPUFREQ_RELATION_L);
++              else
++                      __cpufreq_driver_target(policy, *setspeed,
++                                              CPUFREQ_RELATION_L);
+               mutex_unlock(&userspace_mutex);
+               break;
+       }
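Review bot: cpufreq_set() and cpufreq_governor_userspace() both load `policy->governor_data` into `setspeed` at declaration, before `userspace_mutex` is held, while the new CPUFREQ_GOV_POLICY_EXIT case clears and frees that pointer under the mutex. cpufreq_set() then writes `*setspeed = freq;` guarded only by `cpu_is_managed`, so a stale pointer is avoided only if callers are serialised by something outside these lines (presumably the policy lock, which is not visible here). Reading the pointer under the mutex removes that dependency: declare `unsigned int *setspeed;` and assign `setspeed = policy->governor_data;` right after `mutex_lock(&userspace_mutex)`. The lock call in cpufreq_set() is not among the visible lines.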
diff --git a/queue-4.4/crypto-caam-fix-iv-loading-for-authenc-giv-decryption.patch b/queue-4.4/crypto-caam-fix-iv-loading-for-authenc-giv-decryption.patch
new file mode 100644 (file)
index 0000000..21a6a50
--- /dev/null
@@ -0,0 +1,304 @@
+From 8b18e2359aff2ab810aba84cebffc9da07fef78f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?= <horia.geanta@nxp.com>
+Date: Mon, 29 Aug 2016 14:52:14 +0300
+Subject: crypto: caam - fix IV loading for authenc (giv)decryption
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă <horia.geanta@nxp.com>
+
+commit 8b18e2359aff2ab810aba84cebffc9da07fef78f upstream.
+
+For algorithms that implement IV generators before the crypto ops,
+the IV needed for decryption is initially located in req->src
+scatterlist, not in req->iv.
+
+Avoid copying the IV into req->iv by modifying the (givdecrypt)
+descriptors to load it directly from req->src.
+aead_givdecrypt() is no longer needed and goes away.
+
+Fixes: 479bcc7c5b9e ("crypto: caam - Convert authenc to new AEAD interface")
+Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/caam/caamalg.c |   77 ++++++++++++++++++++----------------------
+ 1 file changed, 37 insertions(+), 40 deletions(-)
+
+--- a/drivers/crypto/caam/caamalg.c
++++ b/drivers/crypto/caam/caamalg.c
+@@ -556,7 +556,10 @@ skip_enc:
+       /* Read and write assoclen bytes */
+       append_math_add(desc, VARSEQINLEN, ZERO, REG3, CAAM_CMD_SZ);
+-      append_math_add(desc, VARSEQOUTLEN, ZERO, REG3, CAAM_CMD_SZ);
++      if (alg->caam.geniv)
++              append_math_add_imm_u32(desc, VARSEQOUTLEN, REG3, IMM, ivsize);
++      else
++              append_math_add(desc, VARSEQOUTLEN, ZERO, REG3, CAAM_CMD_SZ);
+       /* Skip assoc data */
+       append_seq_fifo_store(desc, 0, FIFOST_TYPE_SKIP | FIFOLDST_VLF);
+@@ -565,6 +568,14 @@ skip_enc:
+       append_seq_fifo_load(desc, 0, FIFOLD_CLASS_CLASS2 | FIFOLD_TYPE_MSG |
+                            KEY_VLF);
++      if (alg->caam.geniv) {
++              append_seq_load(desc, ivsize, LDST_CLASS_1_CCB |
++                              LDST_SRCDST_BYTE_CONTEXT |
++                              (ctx1_iv_off << LDST_OFFSET_SHIFT));
++              append_move(desc, MOVE_SRC_CLASS1CTX | MOVE_DEST_CLASS2INFIFO |
++                          (ctx1_iv_off << MOVE_OFFSET_SHIFT) | ivsize);
++      }
++
+       /* Load Counter into CONTEXT1 reg */
+       if (is_rfc3686)
+               append_load_imm_u32(desc, be32_to_cpu(1), LDST_IMM |
+@@ -2150,7 +2161,7 @@ static void init_authenc_job(struct aead
+       init_aead_job(req, edesc, all_contig, encrypt);
+-      if (ivsize && (is_rfc3686 || !(alg->caam.geniv && encrypt)))
++      if (ivsize && ((is_rfc3686 && encrypt) || !alg->caam.geniv))
+               append_load_as_imm(desc, req->iv, ivsize,
+                                  LDST_CLASS_1_CCB |
+                                  LDST_SRCDST_BYTE_CONTEXT |
+@@ -2537,20 +2548,6 @@ static int aead_decrypt(struct aead_requ
+       return ret;
+ }
+-static int aead_givdecrypt(struct aead_request *req)
+-{
+-      struct crypto_aead *aead = crypto_aead_reqtfm(req);
+-      unsigned int ivsize = crypto_aead_ivsize(aead);
+-
+-      if (req->cryptlen < ivsize)
+-              return -EINVAL;
+-
+-      req->cryptlen -= ivsize;
+-      req->assoclen += ivsize;
+-
+-      return aead_decrypt(req);
+-}
+-
+ /*
+  * allocate and map the ablkcipher extended descriptor for ablkcipher
+  */
+@@ -3210,7 +3207,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = AES_BLOCK_SIZE,
+                       .maxauthsize = MD5_DIGEST_SIZE,
+               },
+@@ -3256,7 +3253,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = AES_BLOCK_SIZE,
+                       .maxauthsize = SHA1_DIGEST_SIZE,
+               },
+@@ -3302,7 +3299,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = AES_BLOCK_SIZE,
+                       .maxauthsize = SHA224_DIGEST_SIZE,
+               },
+@@ -3348,7 +3345,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = AES_BLOCK_SIZE,
+                       .maxauthsize = SHA256_DIGEST_SIZE,
+               },
+@@ -3394,7 +3391,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = AES_BLOCK_SIZE,
+                       .maxauthsize = SHA384_DIGEST_SIZE,
+               },
+@@ -3440,7 +3437,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = AES_BLOCK_SIZE,
+                       .maxauthsize = SHA512_DIGEST_SIZE,
+               },
+@@ -3486,7 +3483,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = DES3_EDE_BLOCK_SIZE,
+                       .maxauthsize = MD5_DIGEST_SIZE,
+               },
+@@ -3534,7 +3531,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = DES3_EDE_BLOCK_SIZE,
+                       .maxauthsize = SHA1_DIGEST_SIZE,
+               },
+@@ -3582,7 +3579,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = DES3_EDE_BLOCK_SIZE,
+                       .maxauthsize = SHA224_DIGEST_SIZE,
+               },
+@@ -3630,7 +3627,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = DES3_EDE_BLOCK_SIZE,
+                       .maxauthsize = SHA256_DIGEST_SIZE,
+               },
+@@ -3678,7 +3675,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = DES3_EDE_BLOCK_SIZE,
+                       .maxauthsize = SHA384_DIGEST_SIZE,
+               },
+@@ -3726,7 +3723,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = DES3_EDE_BLOCK_SIZE,
+                       .maxauthsize = SHA512_DIGEST_SIZE,
+               },
+@@ -3772,7 +3769,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = DES_BLOCK_SIZE,
+                       .maxauthsize = MD5_DIGEST_SIZE,
+               },
+@@ -3818,7 +3815,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = DES_BLOCK_SIZE,
+                       .maxauthsize = SHA1_DIGEST_SIZE,
+               },
+@@ -3864,7 +3861,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = DES_BLOCK_SIZE,
+                       .maxauthsize = SHA224_DIGEST_SIZE,
+               },
+@@ -3910,7 +3907,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = DES_BLOCK_SIZE,
+                       .maxauthsize = SHA256_DIGEST_SIZE,
+               },
+@@ -3956,7 +3953,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = DES_BLOCK_SIZE,
+                       .maxauthsize = SHA384_DIGEST_SIZE,
+               },
+@@ -4002,7 +3999,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = DES_BLOCK_SIZE,
+                       .maxauthsize = SHA512_DIGEST_SIZE,
+               },
+@@ -4051,7 +4048,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = CTR_RFC3686_IV_SIZE,
+                       .maxauthsize = MD5_DIGEST_SIZE,
+               },
+@@ -4102,7 +4099,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = CTR_RFC3686_IV_SIZE,
+                       .maxauthsize = SHA1_DIGEST_SIZE,
+               },
+@@ -4153,7 +4150,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = CTR_RFC3686_IV_SIZE,
+                       .maxauthsize = SHA224_DIGEST_SIZE,
+               },
+@@ -4204,7 +4201,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = CTR_RFC3686_IV_SIZE,
+                       .maxauthsize = SHA256_DIGEST_SIZE,
+               },
+@@ -4255,7 +4252,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = CTR_RFC3686_IV_SIZE,
+                       .maxauthsize = SHA384_DIGEST_SIZE,
+               },
+@@ -4306,7 +4303,7 @@ static struct caam_aead_alg driver_aeads
+                       .setkey = aead_setkey,
+                       .setauthsize = aead_setauthsize,
+                       .encrypt = aead_encrypt,
+-                      .decrypt = aead_givdecrypt,
++                      .decrypt = aead_decrypt,
+                       .ivsize = CTR_RFC3686_IV_SIZE,
+                       .maxauthsize = SHA512_DIGEST_SIZE,
+               },
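Review bot: Removing aead_givdecrypt() also removes its `if (req->cryptlen < ivsize) return -EINVAL;` guard, while the new geniv branch makes the descriptor read `ivsize` bytes of IV from the input sequence via `append_seq_load(desc, ivsize, ...)`. Nothing in the visible lines rejects a request whose payload is shorter than the IV, so this now depends on a check elsewhere or on the hardware reporting a sequence-length error. If neither is guaranteed, keep the length test on the decrypt path for algorithms with `alg->caam.geniv` set. The descriptor-building function and aead_decrypt() both extend beyond the hunks shown.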
diff --git a/queue-4.4/hwrng-exynos-disable-runtime-pm-on-probe-failure.patch b/queue-4.4/hwrng-exynos-disable-runtime-pm-on-probe-failure.patch
new file mode 100644 (file)
index 0000000..73833f5
--- /dev/null
@@ -0,0 +1,46 @@
+From 48a61e1e2af8020f11a2b8f8dc878144477623c6 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Date: Mon, 14 Mar 2016 09:07:14 +0900
+Subject: hwrng: exynos - Disable runtime PM on probe failure
+
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+
+commit 48a61e1e2af8020f11a2b8f8dc878144477623c6 upstream.
+
+Add proper error path (for disabling runtime PM) when registering of
+hwrng fails.
+
+Fixes: b329669ea0b5 ("hwrng: exynos - Add support for Exynos random number generator")
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/hw_random/exynos-rng.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/hw_random/exynos-rng.c
++++ b/drivers/char/hw_random/exynos-rng.c
+@@ -118,6 +118,7 @@ static int exynos_rng_probe(struct platf
+ {
+       struct exynos_rng *exynos_rng;
+       struct resource *res;
++      int ret;
+       exynos_rng = devm_kzalloc(&pdev->dev, sizeof(struct exynos_rng),
+                                       GFP_KERNEL);
+@@ -145,7 +146,13 @@ static int exynos_rng_probe(struct platf
+       pm_runtime_use_autosuspend(&pdev->dev);
+       pm_runtime_enable(&pdev->dev);
+-      return devm_hwrng_register(&pdev->dev, &exynos_rng->rng);
++      ret = devm_hwrng_register(&pdev->dev, &exynos_rng->rng);
++      if (ret) {
++              pm_runtime_dont_use_autosuspend(&pdev->dev);
++              pm_runtime_disable(&pdev->dev);
++      }
++
++      return ret;
+ }
+ #ifdef CONFIG_PM
diff --git a/queue-4.4/lib-mpi-mpi_write_sgl-fix-skipping-of-leading-zero-limbs.patch b/queue-4.4/lib-mpi-mpi_write_sgl-fix-skipping-of-leading-zero-limbs.patch
new file mode 100644 (file)
index 0000000..12e0b4a
--- /dev/null
@@ -0,0 +1,75 @@
+From f2d1362ff7d266b3d2b1c764d6c2ef4a3b457f23 Mon Sep 17 00:00:00 2001
+From: Nicolai Stange <nicstange@gmail.com>
+Date: Tue, 22 Mar 2016 13:12:35 +0100
+Subject: lib/mpi: mpi_write_sgl(): fix skipping of leading zero limbs
+
+From: Nicolai Stange <nicstange@gmail.com>
+
+commit f2d1362ff7d266b3d2b1c764d6c2ef4a3b457f23 upstream.
+
+Currently, if the number of leading zeros is greater than fits into a
+complete limb, mpi_write_sgl() skips them by iterating over them limb-wise.
+
+However, it fails to adjust its internal leading zeros tracking variable,
+lzeros, accordingly: it does a
+
+  p -= sizeof(alimb);
+  continue;
+
+which should really have been a
+
+  lzeros -= sizeof(alimb);
+  continue;
+
+Since lzeros never decreases if its initial value >= sizeof(alimb), nothing
+gets copied by mpi_write_sgl() in that case.
+
+Instead of skipping the high order zero limbs within the loop as shown
+above, fix the issue by adjusting the copying loop's bounds.
+
+Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers")
+Signed-off-by: Nicolai Stange <nicstange@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/mpi/mpicoder.c |   21 +++++++++------------
+ 1 file changed, 9 insertions(+), 12 deletions(-)
+
+--- a/lib/mpi/mpicoder.c
++++ b/lib/mpi/mpicoder.c
+@@ -367,7 +367,9 @@ int mpi_write_to_sgl(MPI a, struct scatt
+       buf_len = sgl->length;
+       p2 = sg_virt(sgl);
+-      for (i = a->nlimbs - 1; i >= 0; i--) {
++      for (i = a->nlimbs - 1 - lzeros / BYTES_PER_MPI_LIMB,
++                      lzeros %= BYTES_PER_MPI_LIMB;
++              i >= 0; i--) {
+               alimb = a->d[i];
+               p = (u8 *)&alimb2;
+ #if BYTES_PER_MPI_LIMB == 4
+@@ -388,17 +390,12 @@ int mpi_write_to_sgl(MPI a, struct scatt
+ #error please implement for this limb size.
+ #endif
+               if (lzeros > 0) {
+-                      if (lzeros >= sizeof(alimb)) {
+-                              p -= sizeof(alimb);
+-                              continue;
+-                      } else {
+-                              mpi_limb_t *limb1 = (void *)p - sizeof(alimb);
+-                              mpi_limb_t *limb2 = (void *)p - sizeof(alimb)
+-                                                      + lzeros;
+-                              *limb1 = *limb2;
+-                              p -= lzeros;
+-                              y = lzeros;
+-                      }
++                      mpi_limb_t *limb1 = (void *)p - sizeof(alimb);
++                      mpi_limb_t *limb2 = (void *)p - sizeof(alimb)
++                              + lzeros;
++                      *limb1 = *limb2;
++                      p -= lzeros;
++                      y = lzeros;
+                       lzeros -= sizeof(alimb);
+               }
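Review bot: The rewritten `for` initializer in mpi_write_to_sgl() is correct only because the comma operator evaluates `lzeros / BYTES_PER_MPI_LIMB` before `lzeros %= BYTES_PER_MPI_LIMB`, and that ordering is easy to break in a later edit. Hoisting the two statements above the loop, as `i = a->nlimbs - 1 - lzeros / BYTES_PER_MPI_LIMB;` followed by `lzeros %= BYTES_PER_MPI_LIMB;`, would make the dependency explicit. The unchanged `lzeros -= sizeof(alimb);` at the end of the `if (lzeros > 0)` block now always subtracts more than the remaining count, so it clears the flag only by going negative (or wrapping, if `lzeros` is unsigned; its declaration is outside the hunk). `lzeros = 0;` would state the intent directly. The function starts before and continues after these hunks, so the handling of a limb index that becomes negative when every limb is zero cannot be checked from here.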
diff --git a/queue-4.4/lustre-remove-unused-declaration.patch b/queue-4.4/lustre-remove-unused-declaration.patch
new file mode 100644 (file)
index 0000000..1d5d8ef
--- /dev/null
@@ -0,0 +1,27 @@
+From 57b8f112cfe6622ddddb8c2641206bb5fa8a112d Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 22 Jan 2016 15:34:16 -0500
+Subject: lustre: remove unused declaration
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 57b8f112cfe6622ddddb8c2641206bb5fa8a112d upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/lustre/lustre/llite/llite_internal.h |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/staging/lustre/lustre/llite/llite_internal.h
++++ b/drivers/staging/lustre/lustre/llite/llite_internal.h
+@@ -631,8 +631,6 @@ struct ll_file_data {
+ struct lov_stripe_md;
+-extern spinlock_t inode_lock;
+-
+ extern struct dentry *llite_root;
+ extern struct kset *llite_kset;
diff --git a/queue-4.4/metag-fix-atomic_-_return-inline-asm-constraints.patch b/queue-4.4/metag-fix-atomic_-_return-inline-asm-constraints.patch
new file mode 100644 (file)
index 0000000..20352de
--- /dev/null
@@ -0,0 +1,39 @@
+From 096a8b6d5e7ab9f8ca3d2474b3ca6a1fe79e0371 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Tue, 3 May 2016 09:11:21 +0100
+Subject: metag: Fix atomic_*_return inline asm constraints
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 096a8b6d5e7ab9f8ca3d2474b3ca6a1fe79e0371 upstream.
+
+The argument i of atomic_*_return() operations is given to inline asm
+with the "bd" constraint, which means "An Op2 register where Op1 is a
+data unit register and the instruction supports O2R", however Op1 is
+constrained by "da" which allows an address unit register to be used.
+
+Fix the constraint to use "br", meaning "An Op2 register and the
+instruction supports O2R", i.e. not requiring Op1 to be a data unit
+register.
+
+Fixes: d6dfe2509da9 ("locking,arch,metag: Fold atomic_ops")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: linux-metag@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/metag/include/asm/atomic_lnkget.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/metag/include/asm/atomic_lnkget.h
++++ b/arch/metag/include/asm/atomic_lnkget.h
+@@ -61,7 +61,7 @@ static inline int atomic_##op##_return(i
+               "       CMPT    %0, #HI(0x02000000)\n"                  \
+               "       BNZ 1b\n"                                       \
+               : "=&d" (temp), "=&da" (result)                         \
+-              : "da" (&v->counter), "bd" (i)                          \
++              : "da" (&v->counter), "br" (i)                          \
+               : "cc");                                                \
+                                                                       \
+       smp_mb();                                                       \
diff --git a/queue-4.4/regulator-anatop-allow-regulator-to-be-in-bypass-mode.patch b/queue-4.4/regulator-anatop-allow-regulator-to-be-in-bypass-mode.patch
new file mode 100644 (file)
index 0000000..24183b4
--- /dev/null
@@ -0,0 +1,44 @@
+From 8a092e682f20f193f2070dba2ea1904e95814126 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mika=20B=C3=A5tsman?= <mbatsman@mvista.com>
+Date: Fri, 17 Jun 2016 13:31:37 +0300
+Subject: regulator: anatop: allow regulator to be in bypass mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mika Båtsman <mbatsman@mvista.com>
+
+commit 8a092e682f20f193f2070dba2ea1904e95814126 upstream.
+
+Bypass support was added in commit d38018f2019c ("regulator: anatop: Add
+bypass support to digital LDOs"). A check for valid voltage selectors was
+added in commit da0607c8df5c ("regulator: anatop: Fail on invalid voltage
+selector") but it also discards all regulators that are in bypass mode. Add
+check for the bypass setting. Errors below were seen on a Variscite mx6
+board.
+
+anatop_regulator 20c8000.anatop:regulator-vddcore@140: Failed to read a valid default voltage selector.
+anatop_regulator: probe of 20c8000.anatop:regulator-vddcore@140 failed with error -22
+anatop_regulator 20c8000.anatop:regulator-vddsoc@140: Failed to read a valid default voltage selector.
+anatop_regulator: probe of 20c8000.anatop:regulator-vddsoc@140 failed with error -22
+
+Fixes: da0607c8df5c ("regulator: anatop: Fail on invalid voltage selector")
+Signed-off-by: Mika Båtsman <mbatsman@mvista.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/anatop-regulator.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/regulator/anatop-regulator.c
++++ b/drivers/regulator/anatop-regulator.c
+@@ -296,7 +296,7 @@ static int anatop_regulator_probe(struct
+               if (!sreg->sel && !strcmp(sreg->name, "vddpu"))
+                       sreg->sel = 22;
+-              if (!sreg->sel) {
++              if (!sreg->bypass && !sreg->sel) {
+                       dev_err(&pdev->dev, "Failed to read a valid default voltage selector.\n");
+                       return -EINVAL;
+               }
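Review bot: The relaxed check `if (!sreg->bypass && !sreg->sel)` has no comment saying why a zero selector is acceptable for a bypassed regulator, and the commit description is the only place that explains it. A line above the test such as `/* a regulator in bypass mode has no valid selector; only reject sel == 0 otherwise */` would keep the next reader from restoring the stricter test. The vddpu fallback directly above it still assigns `sreg->sel = 22` without looking at `sreg->bypass`. The code that sets `bypass` and later consumes `sel` is outside the hunk, so whether that is intended for a bypassed vddpu should be confirmed against the rest of anatop_regulator_probe().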
diff --git a/queue-4.4/scsi-fix-upper-bounds-check-of-sense-key-in-scsi_sense_key_string.patch b/queue-4.4/scsi-fix-upper-bounds-check-of-sense-key-in-scsi_sense_key_string.patch
new file mode 100644 (file)
index 0000000..83c2032
--- /dev/null
@@ -0,0 +1,38 @@
+From a87eeb900dbb9f8202f96604d56e47e67c936b9d Mon Sep 17 00:00:00 2001
+From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Date: Fri, 12 Aug 2016 17:20:07 -0500
+Subject: scsi: fix upper bounds check of sense key in scsi_sense_key_string()
+
+From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+
+commit a87eeb900dbb9f8202f96604d56e47e67c936b9d upstream.
+
+Commit 655ee63cf371 ("scsi constants: command, sense key + additional
+sense string") added a "Completed" sense string with key 0xF to
+snstext[], but failed to updated the upper bounds check of the sense key
+in scsi_sense_key_string().
+
+Fixes: 655ee63cf371 ("[SCSI] scsi constants: command, sense key + additional sense strings")
+Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Reviewed-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/constants.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/constants.c
++++ b/drivers/scsi/constants.c
+@@ -1181,8 +1181,9 @@ static const char * const snstext[] = {
+ /* Get sense key string or NULL if not available */
+ const char *
+-scsi_sense_key_string(unsigned char key) {
+-      if (key <= 0xE)
++scsi_sense_key_string(unsigned char key)
++{
++      if (key < ARRAY_SIZE(snstext))
+               return snstext[key];
+       return NULL;
+ }
index 403dfbf7c90aa6ab8d0c54f213050b48387ffff0..044c914f5256e5128b485dbf1a5e3c7da6beba40 100644 (file)
@@ -163,6 +163,7 @@ asoc-atmel_ssc_dai-don-t-unconditionally-reset-ssc-on-stream-startup.patch
 xfs-fix-superblock-inprogress-check.patch
 timekeeping-cap-array-access-in-timekeeping_debug.patch
 timekeeping-avoid-taking-lock-in-nmi-path-with-config_debug_timekeeping.patch
+lustre-remove-unused-declaration.patch
 wrappers-for-i_mutex-access.patch
 ovl-don-t-copy-up-opaqueness.patch
 ovl-remove-posix_acl_default-from-workdir.patch
@@ -173,3 +174,19 @@ bcache-reserve_prio-is-too-small-by-one-when-prio_buckets-is-a-power-of-two.patc
 vhost-scsi-fix-reuse-of-vq-iov-in-response.patch
 x86-apic-do-not-init-irq-remapping-if-ioapic-is-disabled.patch
 uprobes-fix-the-memcg-accounting.patch
+crypto-caam-fix-iv-loading-for-authenc-giv-decryption.patch
+alsa-usb-audio-add-sample-rate-inquiry-quirk-for-b850v3-cp2114.patch
+alsa-firewire-tascam-accessing-to-user-space-outside-spinlock.patch
+alsa-fireworks-accessing-to-user-space-outside-spinlock.patch
+alsa-rawmidi-fix-possible-deadlock-with-virmidi-registration.patch
+alsa-hda-add-headset-mic-quirk-for-dell-inspiron-5468.patch
+alsa-hda-enable-subwoofer-on-dell-inspiron-7559.patch
+alsa-timer-fix-null-pointer-dereference-in-read-ioctl-race.patch
+alsa-timer-fix-division-by-zero-after-sndrv_timer_ioctl_continue.patch
+alsa-timer-fix-null-pointer-dereference-on-memory-allocation-failure.patch
+scsi-fix-upper-bounds-check-of-sense-key-in-scsi_sense_key_string.patch
+metag-fix-atomic_-_return-inline-asm-constraints.patch
+cpufreq-fix-gov_limits-handling-for-the-userspace-governor.patch
+hwrng-exynos-disable-runtime-pm-on-probe-failure.patch
+regulator-anatop-allow-regulator-to-be-in-bypass-mode.patch
+lib-mpi-mpi_write_sgl-fix-skipping-of-leading-zero-limbs.patch