4.3-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 7 Dec 2015 08:30:59 +0000 (00:30 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 7 Dec 2015 08:30:59 +0000 (00:30 -0800)
added patches:
arm64-fix-compat-register-mappings.patch
arm64-page-align-sections-for-debug_rodata.patch
ath10k-add-ath10k_fw_feature_raw_mode_support-to.patch
ath10k-fix-invalid-nss-for-4x4-devices.patch
ath10k-use-station-s-current-operating-mode-from-assoc-request.patch
bluetooth-ath3k-add-new-ar3012-0930-021c-id.patch
bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch
bluetooth-fix-missing-hdev-locking-for-le-scan-cleanup.patch
bluetooth-fix-removing-connection-parameters-when-unpairing.patch
bluetooth-hidp-fix-device-disconnect-on-idle-timeout.patch
can-sja1000-clear-interrupts-on-start.patch
can-use-correct-type-in-sizeof-in-nla_put.patch
clk-iproc-fix-pll-output-frequency-calculation.patch
clk-versatile-icst-fix-memory-leak.patch
fs-proc-core-debug-don-t-expose-absolute-kernel-addresses-via-wchan.patch
iwlwifi-add-new-pci-ids-for-the-8260-series.patch
iwlwifi-pcie-fix-again-prepare-card-flow.patch
kvm-s390-avoid-memory-overwrites-on-emergency-signal-injection.patch
kvm-s390-enable-simd-only-when-no-vcpus-were-created.patch
kvm-s390-fix-wrong-lookup-of-vcpus-by-array-index.patch
kvm-s390-sca-must-not-cross-page-boundaries.patch
kvm-x86-add-read_phys-to-x86_emulate_ops.patch
kvm-x86-allow-rsm-from-64-bit-mode.patch
kvm-x86-handle-smbase-as-physical-address-in-rsm.patch
kvm-x86-obey-kvm_x86_quirk_cd_nw_cleared-in-kvm_set_cr0.patch
kvm-x86-set-kvm_req_event-when-updating-irr.patch
kvm-x86-work-around-infinite-loop-in-microcode-when-ac-is-delivered.patch
kvm-x86-zero-efer-on-init.patch
mac80211-allow-null-chandef-in-tracing.patch
mac80211-fix-divide-by-zero-when-noa-update.patch
mac80211-fix-driver-rssi-event-calculations.patch
mac80211-fix-local-deauth-while-associating.patch
mfd-twl6040-fix-deferred-probe-handling-for-clk32k.patch
mips-ath79-fix-the-ddr-control-initialization-on-ar71xx-and-ar934x.patch
mips-cdmm-add-builtin_mips_cdmm_driver-macro.patch
mips-kvm-fix-asid-restoration-logic.patch
mips-kvm-fix-cache-immediate-offset-sign-extension.patch
mips-kvm-uninit-vcpu-in-vcpu_create-error-path.patch
mips-lantiq-add-clk_round_rate.patch
mwifiex-avoid-memsetting-pcie-event-buffer.patch
mwifiex-fix-mwifiex_rdeeprom_read.patch
mwifiex-fix-null-pointer-dereference-during-hidden-ssid-scan.patch
net-mvneta-fix-cpu_map-registers-initialisation.patch
net-mvneta-fix-error-path-for-building-skb.patch
nfc-nci-extract-pipe-value-using-nci_hcp_msg_get_pipe.patch
nfc-nci-fix-improper-management-of-hci-return-code.patch
nfc-nci-fix-incorrect-data-chaining-when-sending-data.patch
nfc-st-nci-fix-incorrect-spi-buffer-size.patch
nl80211-fix-potential-memory-leak-from-parse_acl_data.patch
pinctrl-qcom-ssbi-fix-compilation-with-debug_fs-n.patch
pinctrl-uniphier-set-input-enable-before-pin-muxing.patch
revert-usb-dwc3-gadget-drop-unnecessary-loop-when-cleaning-up-trbs.patch
s390-kernel-fix-ptrace-peek-poke-for-floating-point-registers.patch
s390-pci-reshuffle-struct-used-to-write-debug-data.patch
staging-rtl8712-add-device-id-for-sitecom-wla2100.patch
usb-chipidea-otg-gadget-module-load-and-unload-support.patch
usb-dwc3-add-dis_enblslpm_quirk.patch
usb-dwc3-gadget-let-us-set-lower-max_speed.patch
usb-dwc3-pci-add-platform-data-for-synopsys-haps.patch
usb-dwc3-pci-add-the-pci-product-id-for-synopsys-usb-3.1.patch
usb-dwc3-pci-add-the-synopsys-haps-axi-product-id.patch
usb-dwc3-pci-set-enblslpm-quirk-for-synopsys-platforms.patch
usb-dwc3-support-synopsys-usb-3.1-ip.patch
usb-gadget-atmel_usba_udc-expose-correct-device-speed.patch
usb-gadget-net2280-restore-ep_cfg-after-defect7374-workaround.patch
x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch
x86-cpu-fix-smap-check-in-pvops-environments.patch
x86-fpu-fix-32-bit-signal-frame-handling.patch
x86-fpu-fix-get_xsave_addr-behavior-under-virtualization.patch
x86-irq-probe-for-pic-presence-before-allocating-descs-for-legacy-irqs.patch
x86-mpx-do-proper-get_user-when-running-32-bit-binaries-on-64-bit-kernels.patch
x86-mpx-fix-32-bit-address-space-calculation.patch
x86-setup-fix-low-identity-map-for-2gb-kernel-range.patch

74 files changed:
queue-4.3/arm64-fix-compat-register-mappings.patch [new file with mode: 0644]
queue-4.3/arm64-page-align-sections-for-debug_rodata.patch [new file with mode: 0644]
queue-4.3/ath10k-add-ath10k_fw_feature_raw_mode_support-to.patch [new file with mode: 0644]
queue-4.3/ath10k-fix-invalid-nss-for-4x4-devices.patch [new file with mode: 0644]
queue-4.3/ath10k-use-station-s-current-operating-mode-from-assoc-request.patch [new file with mode: 0644]
queue-4.3/bluetooth-ath3k-add-new-ar3012-0930-021c-id.patch [new file with mode: 0644]
queue-4.3/bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch [new file with mode: 0644]
queue-4.3/bluetooth-fix-missing-hdev-locking-for-le-scan-cleanup.patch [new file with mode: 0644]
queue-4.3/bluetooth-fix-removing-connection-parameters-when-unpairing.patch [new file with mode: 0644]
queue-4.3/bluetooth-hidp-fix-device-disconnect-on-idle-timeout.patch [new file with mode: 0644]
queue-4.3/can-sja1000-clear-interrupts-on-start.patch [new file with mode: 0644]
queue-4.3/can-use-correct-type-in-sizeof-in-nla_put.patch [new file with mode: 0644]
queue-4.3/clk-iproc-fix-pll-output-frequency-calculation.patch [new file with mode: 0644]
queue-4.3/clk-versatile-icst-fix-memory-leak.patch [new file with mode: 0644]
queue-4.3/fs-proc-core-debug-don-t-expose-absolute-kernel-addresses-via-wchan.patch [new file with mode: 0644]
queue-4.3/iwlwifi-add-new-pci-ids-for-the-8260-series.patch [new file with mode: 0644]
queue-4.3/iwlwifi-pcie-fix-again-prepare-card-flow.patch [new file with mode: 0644]
queue-4.3/kvm-s390-avoid-memory-overwrites-on-emergency-signal-injection.patch [new file with mode: 0644]
queue-4.3/kvm-s390-enable-simd-only-when-no-vcpus-were-created.patch [new file with mode: 0644]
queue-4.3/kvm-s390-fix-wrong-lookup-of-vcpus-by-array-index.patch [new file with mode: 0644]
queue-4.3/kvm-s390-sca-must-not-cross-page-boundaries.patch [new file with mode: 0644]
queue-4.3/kvm-x86-add-read_phys-to-x86_emulate_ops.patch [new file with mode: 0644]
queue-4.3/kvm-x86-allow-rsm-from-64-bit-mode.patch [new file with mode: 0644]
queue-4.3/kvm-x86-handle-smbase-as-physical-address-in-rsm.patch [new file with mode: 0644]
queue-4.3/kvm-x86-obey-kvm_x86_quirk_cd_nw_cleared-in-kvm_set_cr0.patch [new file with mode: 0644]
queue-4.3/kvm-x86-set-kvm_req_event-when-updating-irr.patch [new file with mode: 0644]
queue-4.3/kvm-x86-work-around-infinite-loop-in-microcode-when-ac-is-delivered.patch [new file with mode: 0644]
queue-4.3/kvm-x86-zero-efer-on-init.patch [new file with mode: 0644]
queue-4.3/mac80211-allow-null-chandef-in-tracing.patch [new file with mode: 0644]
queue-4.3/mac80211-fix-divide-by-zero-when-noa-update.patch [new file with mode: 0644]
queue-4.3/mac80211-fix-driver-rssi-event-calculations.patch [new file with mode: 0644]
queue-4.3/mac80211-fix-local-deauth-while-associating.patch [new file with mode: 0644]
queue-4.3/mfd-twl6040-fix-deferred-probe-handling-for-clk32k.patch [new file with mode: 0644]
queue-4.3/mips-ath79-fix-the-ddr-control-initialization-on-ar71xx-and-ar934x.patch [new file with mode: 0644]
queue-4.3/mips-cdmm-add-builtin_mips_cdmm_driver-macro.patch [new file with mode: 0644]
queue-4.3/mips-kvm-fix-asid-restoration-logic.patch [new file with mode: 0644]
queue-4.3/mips-kvm-fix-cache-immediate-offset-sign-extension.patch [new file with mode: 0644]
queue-4.3/mips-kvm-uninit-vcpu-in-vcpu_create-error-path.patch [new file with mode: 0644]
queue-4.3/mips-lantiq-add-clk_round_rate.patch [new file with mode: 0644]
queue-4.3/mwifiex-avoid-memsetting-pcie-event-buffer.patch [new file with mode: 0644]
queue-4.3/mwifiex-fix-mwifiex_rdeeprom_read.patch [new file with mode: 0644]
queue-4.3/mwifiex-fix-null-pointer-dereference-during-hidden-ssid-scan.patch [new file with mode: 0644]
queue-4.3/net-mvneta-fix-cpu_map-registers-initialisation.patch [new file with mode: 0644]
queue-4.3/net-mvneta-fix-error-path-for-building-skb.patch [new file with mode: 0644]
queue-4.3/nfc-nci-extract-pipe-value-using-nci_hcp_msg_get_pipe.patch [new file with mode: 0644]
queue-4.3/nfc-nci-fix-improper-management-of-hci-return-code.patch [new file with mode: 0644]
queue-4.3/nfc-nci-fix-incorrect-data-chaining-when-sending-data.patch [new file with mode: 0644]
queue-4.3/nfc-st-nci-fix-incorrect-spi-buffer-size.patch [new file with mode: 0644]
queue-4.3/nl80211-fix-potential-memory-leak-from-parse_acl_data.patch [new file with mode: 0644]
queue-4.3/pinctrl-qcom-ssbi-fix-compilation-with-debug_fs-n.patch [new file with mode: 0644]
queue-4.3/pinctrl-uniphier-set-input-enable-before-pin-muxing.patch [new file with mode: 0644]
queue-4.3/revert-usb-dwc3-gadget-drop-unnecessary-loop-when-cleaning-up-trbs.patch [new file with mode: 0644]
queue-4.3/s390-kernel-fix-ptrace-peek-poke-for-floating-point-registers.patch [new file with mode: 0644]
queue-4.3/s390-pci-reshuffle-struct-used-to-write-debug-data.patch [new file with mode: 0644]
queue-4.3/series
queue-4.3/staging-rtl8712-add-device-id-for-sitecom-wla2100.patch [new file with mode: 0644]
queue-4.3/usb-chipidea-otg-gadget-module-load-and-unload-support.patch [new file with mode: 0644]
queue-4.3/usb-dwc3-add-dis_enblslpm_quirk.patch [new file with mode: 0644]
queue-4.3/usb-dwc3-gadget-let-us-set-lower-max_speed.patch [new file with mode: 0644]
queue-4.3/usb-dwc3-pci-add-platform-data-for-synopsys-haps.patch [new file with mode: 0644]
queue-4.3/usb-dwc3-pci-add-the-pci-product-id-for-synopsys-usb-3.1.patch [new file with mode: 0644]
queue-4.3/usb-dwc3-pci-add-the-synopsys-haps-axi-product-id.patch [new file with mode: 0644]
queue-4.3/usb-dwc3-pci-set-enblslpm-quirk-for-synopsys-platforms.patch [new file with mode: 0644]
queue-4.3/usb-dwc3-support-synopsys-usb-3.1-ip.patch [new file with mode: 0644]
queue-4.3/usb-gadget-atmel_usba_udc-expose-correct-device-speed.patch [new file with mode: 0644]
queue-4.3/usb-gadget-net2280-restore-ep_cfg-after-defect7374-workaround.patch [new file with mode: 0644]
queue-4.3/x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch [new file with mode: 0644]
queue-4.3/x86-cpu-fix-smap-check-in-pvops-environments.patch [new file with mode: 0644]
queue-4.3/x86-fpu-fix-32-bit-signal-frame-handling.patch [new file with mode: 0644]
queue-4.3/x86-fpu-fix-get_xsave_addr-behavior-under-virtualization.patch [new file with mode: 0644]
queue-4.3/x86-irq-probe-for-pic-presence-before-allocating-descs-for-legacy-irqs.patch [new file with mode: 0644]
queue-4.3/x86-mpx-do-proper-get_user-when-running-32-bit-binaries-on-64-bit-kernels.patch [new file with mode: 0644]
queue-4.3/x86-mpx-fix-32-bit-address-space-calculation.patch [new file with mode: 0644]
queue-4.3/x86-setup-fix-low-identity-map-for-2gb-kernel-range.patch [new file with mode: 0644]

diff --git a/queue-4.3/arm64-fix-compat-register-mappings.patch b/queue-4.3/arm64-fix-compat-register-mappings.patch
new file mode 100644 (file)
index 0000000..6b6c43d
--- /dev/null
@@ -0,0 +1,51 @@
+From 5accd17d0eb523350c9ef754d655e379c9bb93b3 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Thu, 22 Oct 2015 15:41:52 +0100
+Subject: arm64: Fix compat register mappings
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit 5accd17d0eb523350c9ef754d655e379c9bb93b3 upstream.
+
+For reasons not entirely apparent, but now enshrined in history, the
+architectural mapping of AArch32 banked registers to AArch64 registers
+actually orders SP_<mode> and LR_<mode> backwards compared to the
+intuitive r13/r14 order, for all modes except FIQ.
+
+Fix the compat_<reg>_<mode> macros accordingly, in the hope of avoiding
+subtle bugs with KVM and AArch32 guests.
+
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/ptrace.h |   16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/arch/arm64/include/asm/ptrace.h
++++ b/arch/arm64/include/asm/ptrace.h
+@@ -83,14 +83,14 @@
+ #define compat_sp     regs[13]
+ #define compat_lr     regs[14]
+ #define compat_sp_hyp regs[15]
+-#define compat_sp_irq regs[16]
+-#define compat_lr_irq regs[17]
+-#define compat_sp_svc regs[18]
+-#define compat_lr_svc regs[19]
+-#define compat_sp_abt regs[20]
+-#define compat_lr_abt regs[21]
+-#define compat_sp_und regs[22]
+-#define compat_lr_und regs[23]
++#define compat_lr_irq regs[16]
++#define compat_sp_irq regs[17]
++#define compat_lr_svc regs[18]
++#define compat_sp_svc regs[19]
++#define compat_lr_abt regs[20]
++#define compat_sp_abt regs[21]
++#define compat_lr_und regs[22]
++#define compat_sp_und regs[23]
+ #define compat_r8_fiq regs[24]
+ #define compat_r9_fiq regs[25]
+ #define compat_r10_fiq        regs[26]
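Review bot: The new order at `regs[16]` to `regs[23]` puts `compat_lr_<mode>` before `compat_sp_<mode>`, the opposite of `compat_sp regs[13]` / `compat_lr regs[14]` directly above, and nothing in the header says this is deliberate. A later cleanup could easily swap the pairs back, and per the commit message the cost would be subtle bugs with KVM and AArch32 guests. I would add a comment above the block, for example `/* AArch32 banked LR_<mode> maps below SP_<mode> for every mode except FIQ; do not reorder */`. The macro list continues past the end of the hunk.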
diff --git a/queue-4.3/arm64-page-align-sections-for-debug_rodata.patch b/queue-4.3/arm64-page-align-sections-for-debug_rodata.patch
new file mode 100644 (file)
index 0000000..8397c4a
--- /dev/null
@@ -0,0 +1,51 @@
+From cb083816ab5ac3d10a9417527f07fc5962cc3808 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Mon, 26 Oct 2015 21:42:33 +0000
+Subject: arm64: page-align sections for DEBUG_RODATA
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit cb083816ab5ac3d10a9417527f07fc5962cc3808 upstream.
+
+A kernel built with DEBUG_RO_DATA && !CONFIG_DEBUG_ALIGN_RODATA doesn't
+have .text aligned to a page boundary, though fixup_executable works at
+page-granularity thanks to its use of create_mapping. If .text is not
+page-aligned, the first page it exists in may be marked non-executable,
+leading to failures when an attempt is made to execute code in said
+page.
+
+This patch upgrades ALIGN_DEBUG_RO and ALIGN_DEBUG_RO_MIN to force page
+alignment for DEBUG_RO_DATA && !CONFIG_DEBUG_ALIGN_RODATA kernels,
+ensuring that all sections with specific RWX permission requirements are
+mapped with the correct permissions.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Reported-by: Jeremy Linton <jeremy.linton@arm.com>
+Reviewed-by: Laura Abbott <laura@labbott.name>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Suzuki Poulose <suzuki.poulose@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Fixes: da141706aea52c1a ("arm64: add better page protections to arm64")
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/vmlinux.lds.S |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/vmlinux.lds.S
++++ b/arch/arm64/kernel/vmlinux.lds.S
+@@ -60,9 +60,12 @@ PECOFF_FILE_ALIGNMENT = 0x200;
+ #define PECOFF_EDATA_PADDING
+ #endif
+-#ifdef CONFIG_DEBUG_ALIGN_RODATA
++#if defined(CONFIG_DEBUG_ALIGN_RODATA)
+ #define ALIGN_DEBUG_RO                        . = ALIGN(1<<SECTION_SHIFT);
+ #define ALIGN_DEBUG_RO_MIN(min)               ALIGN_DEBUG_RO
++#elif defined(CONFIG_DEBUG_RODATA)
++#define ALIGN_DEBUG_RO                        . = ALIGN(1<<PAGE_SHIFT);
++#define ALIGN_DEBUG_RO_MIN(min)               ALIGN_DEBUG_RO
+ #else
+ #define ALIGN_DEBUG_RO
+ #define ALIGN_DEBUG_RO_MIN(min)               . = ALIGN(min);
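Review bot: In the new `#elif defined(CONFIG_DEBUG_RODATA)` branch, `ALIGN_DEBUG_RO_MIN(min)` expands to `ALIGN_DEBUG_RO` and silently drops `min`, so a call site asking for more than one page would get only page alignment, unlike the `#else` branch. The call sites are outside the hunk, so this may be harmless today. If so, a comment such as `/* min is assumed to be <= PAGE_SIZE in this configuration */` would record the assumption that section permissions depend on. Otherwise the macro could keep the larger of the two, `. = ALIGN(MAX(min, 1<<PAGE_SHIFT));`. The conditional block closes outside the hunk.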
diff --git a/queue-4.3/ath10k-add-ath10k_fw_feature_raw_mode_support-to.patch b/queue-4.3/ath10k-add-ath10k_fw_feature_raw_mode_support-to.patch
new file mode 100644 (file)
index 0000000..2d6c5b4
--- /dev/null
@@ -0,0 +1,45 @@
+From 5af82fa66a7ee8dfc29fadb487a02e2ef14ea965 Mon Sep 17 00:00:00 2001
+From: Kalle Valo <kvalo@qca.qualcomm.com>
+Date: Wed, 9 Sep 2015 11:34:37 +0300
+Subject: ath10k: add ATH10K_FW_FEATURE_RAW_MODE_SUPPORT to
+ ath10k_core_fw_feature_str[]
+
+From: Kalle Valo <kvalo@qca.qualcomm.com>
+
+commit 5af82fa66a7ee8dfc29fadb487a02e2ef14ea965 upstream.
+
+This was missed in the original commit adding the flag and ath10k only printed "bit10":
+
+ath10k_pci 0000:02:00.0: qca988x hw2.0 (0x4100016c, 0x043202ff) fw 10.2.4.70.6-2 api 3
+htt-ver 2.1 wmi-op 5 htt-op 2 cal otp max-sta 128 raw 0 hwcrypto 1 features no-p2p,bit10
+
+Also add a build test to avoid this happening again.
+
+Fixes: ccec9038c721 ("ath10k: enable raw encap mode and software crypto engine")
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/core.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/core.c
++++ b/drivers/net/wireless/ath/ath10k/core.c
+@@ -142,12 +142,17 @@ static const char *const ath10k_core_fw_
+       [ATH10K_FW_FEATURE_IGNORE_OTP_RESULT] = "ignore-otp",
+       [ATH10K_FW_FEATURE_NO_NWIFI_DECAP_4ADDR_PADDING] = "no-4addr-pad",
+       [ATH10K_FW_FEATURE_SUPPORTS_SKIP_CLOCK_INIT] = "skip-clock-init",
++      [ATH10K_FW_FEATURE_RAW_MODE_SUPPORT] = "raw-mode",
+ };
+ static unsigned int ath10k_core_get_fw_feature_str(char *buf,
+                                                  size_t buf_len,
+                                                  enum ath10k_fw_features feat)
+ {
++      /* make sure that ath10k_core_fw_feature_str[] gets updated */
++      BUILD_BUG_ON(ARRAY_SIZE(ath10k_core_fw_feature_str) !=
++                   ATH10K_FW_FEATURE_COUNT);
++
+       if (feat >= ARRAY_SIZE(ath10k_core_fw_feature_str) ||
+           WARN_ON(!ath10k_core_fw_feature_str[feat])) {
+               return scnprintf(buf, buf_len, "bit%d", feat);
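Review bot: The `BUILD_BUG_ON` added to `ath10k_core_get_fw_feature_str()` compares only `ARRAY_SIZE(ath10k_core_fw_feature_str)` with `ATH10K_FW_FEATURE_COUNT`, and with designated initializers the array size is set by the highest index present. It therefore catches a forgotten last flag but not a forgotten one in the middle, which leaves a NULL slot that is only reported at run time by the existing `WARN_ON`. The comment should say so, for example `/* build check catches a missing trailing entry only; gaps hit the WARN_ON below */`. The function body continues past the end of the hunk.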
diff --git a/queue-4.3/ath10k-fix-invalid-nss-for-4x4-devices.patch b/queue-4.3/ath10k-fix-invalid-nss-for-4x4-devices.patch
new file mode 100644 (file)
index 0000000..2d63993
--- /dev/null
@@ -0,0 +1,37 @@
+From f680f70adbeab28b35f849016b964dd645db6237 Mon Sep 17 00:00:00 2001
+From: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
+Date: Tue, 3 Nov 2015 11:51:33 +0530
+Subject: ath10k: fix invalid NSS for 4x4 devices
+
+From: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
+
+commit f680f70adbeab28b35f849016b964dd645db6237 upstream.
+
+The number of spatial streams that are derived from chain mask
+for 4x4 devices is using wrong bitmask and conditional check.
+This is affecting downlink throughput for QCA99x0 devices. Earlier
+cfg_tx_chainmask is not filled by default until user configured it
+and so get_nss_from_chainmask never be called. This issue is exposed
+by recent commit 166de3f1895d ("ath10k: remove supported chain mask").
+By default maximum supported chain mask is filled in cfg_tx_chainmask.
+
+Fixes: 5572a95b4b ("ath10k: apply chainmask settings to vdev on creation")
+Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/mac.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -4056,7 +4056,7 @@ static int ath10k_config(struct ieee8021
+ static u32 get_nss_from_chainmask(u16 chain_mask)
+ {
+-      if ((chain_mask & 0x15) == 0x15)
++      if ((chain_mask & 0xf) == 0xf)
+               return 4;
+       else if ((chain_mask & 0x7) == 0x7)
+               return 3;
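Review bot: The chain-mask tests in `get_nss_from_chainmask()` are bare hex literals, which is how `0x15` (bits 0, 2 and 4) could stand in for "four chains" without anyone noticing. Writing the masks as `GENMASK(3, 0)` and `GENMASK(2, 0)`, or adding a comment such as `/* chains 0-3 all enabled */`, makes the intent checkable at a glance. The visible branches match only contiguous low-bit masks; whether a mask with a gap should count its set bits instead is not clear from the hunk. The function continues outside the hunk.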
diff --git a/queue-4.3/ath10k-use-station-s-current-operating-mode-from-assoc-request.patch b/queue-4.3/ath10k-use-station-s-current-operating-mode-from-assoc-request.patch
new file mode 100644 (file)
index 0000000..b5406b6
--- /dev/null
@@ -0,0 +1,43 @@
+From 72f8cef5d1155209561b01e092ce1a04ad50c4cb Mon Sep 17 00:00:00 2001
+From: Vivek Natarajan <nataraja@qti.qualcomm.com>
+Date: Tue, 6 Oct 2015 15:19:34 +0300
+Subject: ath10k: use station's current operating mode from assoc request
+
+From: Vivek Natarajan <nataraja@qti.qualcomm.com>
+
+commit 72f8cef5d1155209561b01e092ce1a04ad50c4cb upstream.
+
+The current number of spatial streams used by the client is advertised
+as a separate IE in assoc request. Use this information to set
+the NSS operating mode.
+
+Fixes: 45c9abc059fa ("ath10k: implement more versatile set_bitrate_mask").
+Signed-off-by: Vivek Natarajan <nataraja@qti.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/mac.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -2083,7 +2083,8 @@ static void ath10k_peer_assoc_h_ht(struc
+       enum ieee80211_band band;
+       const u8 *ht_mcs_mask;
+       const u16 *vht_mcs_mask;
+-      int i, n, max_nss;
++      int i, n;
++      u8 max_nss;
+       u32 stbc;
+       lockdep_assert_held(&ar->conf_mutex);
+@@ -2168,7 +2169,7 @@ static void ath10k_peer_assoc_h_ht(struc
+                       arg->peer_ht_rates.rates[i] = i;
+       } else {
+               arg->peer_ht_rates.num_rates = n;
+-              arg->peer_num_spatial_streams = max_nss;
++              arg->peer_num_spatial_streams = min(sta->rx_nss, max_nss);
+       }
+       ath10k_dbg(ar, ATH10K_DBG_MAC, "mac ht peer %pM mcs cnt %d nss %d\n",
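Review bot: `arg->peer_num_spatial_streams = min(sta->rx_nss, max_nss);` has no lower bound, and per the commit message `sta->rx_nss` comes from an IE in the peer's assoc request. If `rx_nss` can still be 0 when `ath10k_peer_assoc_h_ht()` runs, the firmware is told the peer has zero spatial streams. Whether mac80211 guarantees a non-zero value at this point is not visible in the hunk. If it does not, clamp the result: `arg->peer_num_spatial_streams = max_t(u8, 1, min(sta->rx_nss, max_nss));`. The assignments to the now-`u8` `max_nss` are also outside the hunk and should be confirmed to fit.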
diff --git a/queue-4.3/bluetooth-ath3k-add-new-ar3012-0930-021c-id.patch b/queue-4.3/bluetooth-ath3k-add-new-ar3012-0930-021c-id.patch
new file mode 100644 (file)
index 0000000..a345624
--- /dev/null
@@ -0,0 +1,57 @@
+From cd355ff071cd37e7197eccf9216770b2b29369f7 Mon Sep 17 00:00:00 2001
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+Date: Mon, 5 Oct 2015 19:29:33 +0300
+Subject: Bluetooth: ath3k: Add new AR3012 0930:021c id
+
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+
+commit cd355ff071cd37e7197eccf9216770b2b29369f7 upstream.
+
+This adapter works with the existing linux-firmware.
+
+T:  Bus=01 Lev=01 Prnt=01 Port=03 Cnt=02 Dev#=  3 Spd=12  MxCh= 0
+D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
+P:  Vendor=0930 ProdID=021c Rev=00.01
+C:  #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I:  If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I:  If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+BugLink: https://bugs.launchpad.net/bugs/1502781
+
+Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/ath3k.c |    2 ++
+ drivers/bluetooth/btusb.c |    1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -93,6 +93,7 @@ static const struct usb_device_id ath3k_
+       { USB_DEVICE(0x04CA, 0x300f) },
+       { USB_DEVICE(0x04CA, 0x3010) },
+       { USB_DEVICE(0x0930, 0x0219) },
++      { USB_DEVICE(0x0930, 0x021c) },
+       { USB_DEVICE(0x0930, 0x0220) },
+       { USB_DEVICE(0x0930, 0x0227) },
+       { USB_DEVICE(0x0b05, 0x17d0) },
+@@ -153,6 +154,7 @@ static const struct usb_device_id ath3k_
+       { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
++      { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -195,6 +195,7 @@ static const struct usb_device_id blackl
+       { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
++      { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
diff --git a/queue-4.3/bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch b/queue-4.3/bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch
new file mode 100644 (file)
index 0000000..9a3d1d9
--- /dev/null
@@ -0,0 +1,55 @@
+From 18e0afab8ce3f1230ce3fef52b2e73374fd9c0e7 Mon Sep 17 00:00:00 2001
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+Date: Fri, 16 Oct 2015 11:45:26 +0300
+Subject: Bluetooth: ath3k: Add support of AR3012 0cf3:817b device
+
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+
+commit 18e0afab8ce3f1230ce3fef52b2e73374fd9c0e7 upstream.
+
+T: Bus=04 Lev=02 Prnt=02 Port=04 Cnt=01 Dev#= 3 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0cf3 ProdID=817b Rev=00.02
+C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+BugLink: https://bugs.launchpad.net/bugs/1506615
+
+Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/ath3k.c |    2 ++
+ drivers/bluetooth/btusb.c |    1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -105,6 +105,7 @@ static const struct usb_device_id ath3k_
+       { USB_DEVICE(0x0CF3, 0x311F) },
+       { USB_DEVICE(0x0cf3, 0x3121) },
+       { USB_DEVICE(0x0CF3, 0x817a) },
++      { USB_DEVICE(0x0CF3, 0x817b) },
+       { USB_DEVICE(0x0cf3, 0xe003) },
+       { USB_DEVICE(0x0CF3, 0xE004) },
+       { USB_DEVICE(0x0CF3, 0xE005) },
+@@ -166,6 +167,7 @@ static const struct usb_device_id ath3k_
+       { USB_DEVICE(0x0cf3, 0x311F), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0CF3, 0x817a), .driver_info = BTUSB_ATH3012 },
++      { USB_DEVICE(0x0CF3, 0x817b), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0cf3, 0xe006), .driver_info = BTUSB_ATH3012 },
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -207,6 +207,7 @@ static const struct usb_device_id blackl
+       { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
++      { USB_DEVICE(0x0cf3, 0x817b), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
diff --git a/queue-4.3/bluetooth-fix-missing-hdev-locking-for-le-scan-cleanup.patch b/queue-4.3/bluetooth-fix-missing-hdev-locking-for-le-scan-cleanup.patch
new file mode 100644 (file)
index 0000000..ef9484f
--- /dev/null
@@ -0,0 +1,167 @@
+From 8ce783dc5ea3af3a213ac9b4d9d2ccfeeb9c9058 Mon Sep 17 00:00:00 2001
+From: Johan Hedberg <johan.hedberg@intel.com>
+Date: Wed, 21 Oct 2015 15:21:31 +0300
+Subject: Bluetooth: Fix missing hdev locking for LE scan cleanup
+
+From: Johan Hedberg <johan.hedberg@intel.com>
+
+commit 8ce783dc5ea3af3a213ac9b4d9d2ccfeeb9c9058 upstream.
+
+The hci_conn objects don't have a dedicated lock themselves but rely
+on the caller to hold the hci_dev lock for most types of access. The
+hci_conn_timeout() function has so far sent certain HCI commands based
+on the hci_conn state which has been possible without holding the
+hci_dev lock.
+
+The recent changes to do LE scanning before connect attempts added
+even more operations to hci_conn and hci_dev from hci_conn_timeout,
+thereby exposing potential race conditions with the hci_dev and
+hci_conn states.
+
+As an example of such a race, here there's a timeout but an
+l2cap_sock_connect() call manages to race with the cleanup routine:
+
+[Oct21 08:14] l2cap_chan_timeout: chan ee4b12c0 state BT_CONNECT
+[  +0.000004] l2cap_chan_close: chan ee4b12c0 state BT_CONNECT
+[  +0.000002] l2cap_chan_del: chan ee4b12c0, conn f3141580, err 111, state BT_CONNECT
+[  +0.000002] l2cap_sock_teardown_cb: chan ee4b12c0 state BT_CONNECT
+[  +0.000005] l2cap_chan_put: chan ee4b12c0 orig refcnt 4
+[  +0.000010] hci_conn_drop: hcon f53d56e0 orig refcnt 1
+[  +0.000013] l2cap_chan_put: chan ee4b12c0 orig refcnt 3
+[  +0.000063] hci_conn_timeout: hcon f53d56e0 state BT_CONNECT
+[  +0.000049] hci_conn_params_del: addr ee:0d:30:09:53:1f (type 1)
+[  +0.000002] hci_chan_list_flush: hcon f53d56e0
+[  +0.000001] hci_chan_del: hci0 hcon f53d56e0 chan f4e7ccc0
+[  +0.004528] l2cap_sock_create: sock e708fc00
+[  +0.000023] l2cap_chan_create: chan ee4b1770
+[  +0.000001] l2cap_chan_hold: chan ee4b1770 orig refcnt 1
+[  +0.000002] l2cap_sock_init: sk ee4b3390
+[  +0.000029] l2cap_sock_bind: sk ee4b3390
+[  +0.000010] l2cap_sock_setsockopt: sk ee4b3390
+[  +0.000037] l2cap_sock_connect: sk ee4b3390
+[  +0.000002] l2cap_chan_connect: 00:02:72:d9:e5:8b -> ee:0d:30:09:53:1f (type 2) psm 0x00
+[  +0.000002] hci_get_route: 00:02:72:d9:e5:8b -> ee:0d:30:09:53:1f
+[  +0.000001] hci_dev_hold: hci0 orig refcnt 8
+[  +0.000003] hci_conn_hold: hcon f53d56e0 orig refcnt 0
+
+Above the l2cap_chan_connect() shouldn't have been able to reach the
+hci_conn f53d56e0 anymore but since hci_conn_timeout didn't do proper
+locking that's not the case. The end result is a reference to hci_conn
+that's not in the conn_hash list, resulting in list corruption when
+trying to remove it later:
+
+[Oct21 08:15] l2cap_chan_timeout: chan ee4b1770 state BT_CONNECT
+[  +0.000004] l2cap_chan_close: chan ee4b1770 state BT_CONNECT
+[  +0.000003] l2cap_chan_del: chan ee4b1770, conn f3141580, err 111, state BT_CONNECT
+[  +0.000001] l2cap_sock_teardown_cb: chan ee4b1770 state BT_CONNECT
+[  +0.000005] l2cap_chan_put: chan ee4b1770 orig refcnt 4
+[  +0.000002] hci_conn_drop: hcon f53d56e0 orig refcnt 1
+[  +0.000015] l2cap_chan_put: chan ee4b1770 orig refcnt 3
+[  +0.000038] hci_conn_timeout: hcon f53d56e0 state BT_CONNECT
+[  +0.000003] hci_chan_list_flush: hcon f53d56e0
+[  +0.000002] hci_conn_hash_del: hci0 hcon f53d56e0
+[  +0.000001] ------------[ cut here ]------------
+[  +0.000461] WARNING: CPU: 0 PID: 1782 at lib/list_debug.c:56 __list_del_entry+0x3f/0x71()
+[  +0.000839] list_del corruption, f53d56e0->prev is LIST_POISON2 (00000200)
+
+The necessary fix is unfortunately more complicated than just adding
+hci_dev_lock/unlock calls to the hci_conn_timeout() call path.
+Particularly, the hci_conn_del() API, which expects the hci_dev lock to
+be held, performs a cancel_delayed_work_sync(&hcon->disc_work) which
+would lead to a deadlock if the hci_conn_timeout() call path tries to
+acquire the same lock.
+
+This patch solves the problem by deferring the cleanup work to a
+separate work callback. To protect against the hci_dev or hci_conn
+going away meanwhile temporary references are taken with the help of
+hci_dev_hold() and hci_conn_get().
+
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/bluetooth/hci_core.h |    1 
+ net/bluetooth/hci_conn.c         |   50 ++++++++++++++++++++++++++++++++-------
+ 2 files changed, 43 insertions(+), 8 deletions(-)
+
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -469,6 +469,7 @@ struct hci_conn {
+       struct delayed_work auto_accept_work;
+       struct delayed_work idle_work;
+       struct delayed_work le_conn_timeout;
++      struct work_struct  le_scan_cleanup;
+       struct device   dev;
+       struct dentry   *debugfs;
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -137,18 +137,51 @@ static void hci_conn_cleanup(struct hci_
+       hci_conn_put(conn);
+ }
+-/* This function requires the caller holds hdev->lock */
++static void le_scan_cleanup(struct work_struct *work)
++{
++      struct hci_conn *conn = container_of(work, struct hci_conn,
++                                           le_scan_cleanup);
++      struct hci_dev *hdev = conn->hdev;
++      struct hci_conn *c = NULL;
++
++      BT_DBG("%s hcon %p", hdev->name, conn);
++
++      hci_dev_lock(hdev);
++
++      /* Check that the hci_conn is still around */
++      rcu_read_lock();
++      list_for_each_entry_rcu(c, &hdev->conn_hash.list, list) {
++              if (c == conn)
++                      break;
++      }
++      rcu_read_unlock();
++
++      if (c == conn) {
++              hci_connect_le_scan_cleanup(conn);
++              hci_conn_cleanup(conn);
++      }
++
++      hci_dev_unlock(hdev);
++      hci_dev_put(hdev);
++      hci_conn_put(conn);
++}
++
+ static void hci_connect_le_scan_remove(struct hci_conn *conn)
+ {
+-      hci_connect_le_scan_cleanup(conn);
++      BT_DBG("%s hcon %p", conn->hdev->name, conn);
+-      /* We can't call hci_conn_del here since that would deadlock
+-       * with trying to call cancel_delayed_work_sync(&conn->disc_work).
+-       * Instead, call just hci_conn_cleanup() which contains the bare
+-       * minimum cleanup operations needed for a connection in this
+-       * state.
++      /* We can't call hci_conn_del/hci_conn_cleanup here since that
++       * could deadlock with another hci_conn_del() call that's holding
++       * hci_dev_lock and doing cancel_delayed_work_sync(&conn->disc_work).
++       * Instead, grab temporary extra references to the hci_dev and
++       * hci_conn and perform the necessary cleanup in a separate work
++       * callback.
+        */
+-      hci_conn_cleanup(conn);
++
++      hci_dev_hold(conn->hdev);
++      hci_conn_get(conn);
++
++      schedule_work(&conn->le_scan_cleanup);
+ }
+ static void hci_acl_create_connection(struct hci_conn *conn)
+@@ -580,6 +613,7 @@ struct hci_conn *hci_conn_add(struct hci
+       INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
+       INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
+       INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
++      INIT_WORK(&conn->le_scan_cleanup, le_scan_cleanup);
+       atomic_set(&conn->refcnt, 0);
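Review bot: `hci_connect_le_scan_remove()` takes `hci_dev_hold()` and `hci_conn_get()` and then ignores the return value of `schedule_work(&conn->le_scan_cleanup)`. `schedule_work()` returns false when the work item is already pending, in which case `le_scan_cleanup()` runs once and drops one pair of references while two pairs were taken, leaving the hci_dev and hci_conn pinned. Whether this function can be reached twice before the callback runs is not visible in the hunk, so treat this as something to confirm. Dropping the references on a false return closes the gap either way.

```c
	hci_dev_hold(conn->hdev);
	hci_conn_get(conn);

	/* schedule_work() returns false if the work is already pending;
	 * the callback then runs only once, so release this call's
	 * references here. hdev is put first because conn may go away.
	 */
	if (!schedule_work(&conn->le_scan_cleanup)) {
		hci_dev_put(conn->hdev);
		hci_conn_put(conn);
	}
```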
diff --git a/queue-4.3/bluetooth-fix-removing-connection-parameters-when-unpairing.patch b/queue-4.3/bluetooth-fix-removing-connection-parameters-when-unpairing.patch
new file mode 100644 (file)
index 0000000..d0689dc
--- /dev/null
@@ -0,0 +1,62 @@
+From a6ad2a6b9cc1d9d791aee5462cfb8528f366f1d4 Mon Sep 17 00:00:00 2001
+From: Johan Hedberg <johan.hedberg@intel.com>
+Date: Mon, 19 Oct 2015 10:51:47 +0300
+Subject: Bluetooth: Fix removing connection parameters when unpairing
+
+From: Johan Hedberg <johan.hedberg@intel.com>
+
+commit a6ad2a6b9cc1d9d791aee5462cfb8528f366f1d4 upstream.
+
+The commit 89cbb0638e9b7 introduced support for deferred connection
+parameter removal when unpairing by removing them only once an
+existing connection gets disconnected. However, it failed to address
+the scenario when we're *not* connected and do an unpair operation.
+
+What makes things worse is that most user space BlueZ versions will
+first issue a disconnect request and only then unpair, meaning the
+buggy code will be triggered every time. This effectively causes the
+kernel to resume scanning and reconnect to a device for which we've
+removed all keys and GATT database information.
+
+This patch fixes the issue by adding the missing call to the
+hci_conn_params_del() function to a branch which handles the case of
+no existing connection.
+
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/mgmt.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -3090,6 +3090,11 @@ static int unpair_device(struct sock *sk
+       } else {
+               u8 addr_type;
++              if (cp->addr.type == BDADDR_LE_PUBLIC)
++                      addr_type = ADDR_LE_DEV_PUBLIC;
++              else
++                      addr_type = ADDR_LE_DEV_RANDOM;
++
+               conn = hci_conn_hash_lookup_ba(hdev, LE_LINK,
+                                              &cp->addr.bdaddr);
+               if (conn) {
+@@ -3105,13 +3110,10 @@ static int unpair_device(struct sock *sk
+                        */
+                       if (!cp->disconnect)
+                               conn = NULL;
++              } else {
++                      hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type);
+               }
+-              if (cp->addr.type == BDADDR_LE_PUBLIC)
+-                      addr_type = ADDR_LE_DEV_PUBLIC;
+-              else
+-                      addr_type = ADDR_LE_DEV_RANDOM;
+-
+               hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type);
+               err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type);
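Review bot: The new `else` branch in unpair_device has no comment saying why the parameters are deleted immediately here, while the connected branch defers the removal. Something like `/* No LE connection: no disconnect event will follow, so drop the params now or the device stays eligible for auto-connect */` would record the reasoning from the description. Separately, the lookup `hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr)` is keyed on the address only, while `hci_conn_params_del()` also takes `addr_type`. If a connection to the same bdaddr with the other address type can exist, it would steer this request into the deferred path, which is worth confirming. unpair_device starts and ends outside the hunk.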
diff --git a/queue-4.3/bluetooth-hidp-fix-device-disconnect-on-idle-timeout.patch b/queue-4.3/bluetooth-hidp-fix-device-disconnect-on-idle-timeout.patch
new file mode 100644 (file)
index 0000000..3af2130
--- /dev/null
@@ -0,0 +1,75 @@
+From 660f0fc07d21114549c1862e67e78b1cf0c90c29 Mon Sep 17 00:00:00 2001
+From: David Herrmann <dh.herrmann@gmail.com>
+Date: Mon, 7 Sep 2015 12:05:41 +0200
+Subject: Bluetooth: hidp: fix device disconnect on idle timeout
+
+From: David Herrmann <dh.herrmann@gmail.com>
+
+commit 660f0fc07d21114549c1862e67e78b1cf0c90c29 upstream.
+
+The HIDP specs define an idle-timeout which automatically disconnects a
+device. This has always been implemented in the HIDP layer and forced a
+synchronous shutdown of the hidp-scheduler. This works just fine, but
+lacks a forced disconnect on the underlying l2cap channels. This has been
+broken since:
+
+    commit 5205185d461d5902325e457ca80bd421127b7308
+    Author: David Herrmann <dh.herrmann@gmail.com>
+    Date:   Sat Apr 6 20:28:47 2013 +0200
+
+        Bluetooth: hidp: remove old session-management
+
+The old session-management always forced an l2cap error on the ctrl/intr
+channels when shutting down. The new session-management skips this, as we
+don't want to enforce channel policy on the caller. In other words, if
+user-space removes an HIDP device, the underlying channels (which are
+*owned* and *referenced* by user-space) are still left active. User-space
+needs to call shutdown(2) or close(2) to release them.
+
+Unfortunately, this does not work with idle-timeouts. There is no way to
+signal user-space that the HIDP layer has been stopped. The API simply
+does not support any event-passing except for poll(2). Hence, we restore
+old behavior and force EUNATCH on the sockets if the HIDP layer is
+disconnected due to idle-timeouts (behavior of explicit disconnects
+remains unmodified). User-space can still call
+
+    getsockopt(..., SO_ERROR, ...)
+
+..to retrieve the EUNATCH error and clear sk_err. Hence, the channels can
+still be re-used (which nobody does so far, though). Therefore, the API
+still supports the new behavior, but with this patch it's also compatible
+to the old implicit channel shutdown.
+
+Reported-by: Mark Haun <haunma@keteu.org>
+Reported-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
+Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hidp/core.c |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -401,6 +401,20 @@ static void hidp_idle_timeout(unsigned l
+ {
+       struct hidp_session *session = (struct hidp_session *) arg;
++      /* The HIDP user-space API only contains calls to add and remove
++       * devices. There is no way to forward events of any kind. Therefore,
++       * we have to forcefully disconnect a device on idle-timeouts. This is
++       * unfortunate and weird API design, but it is spec-compliant and
++       * required for backwards-compatibility. Hence, on idle-timeout, we
++       * signal driver-detach events, so poll() will be woken up with an
++       * error-condition on both sockets.
++       */
++
++      session->intr_sock->sk->sk_err = EUNATCH;
++      session->ctrl_sock->sk->sk_err = EUNATCH;
++      wake_up_interruptible(sk_sleep(session->intr_sock->sk));
++      wake_up_interruptible(sk_sleep(session->ctrl_sock->sk));
++
+       hidp_session_terminate(session);
+ }
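Review bot: In hidp_idle_timeout the two `sk_err` stores are followed by a bare `wake_up_interruptible(sk_sleep(...))`, which wakes sleepers on the wait queue but does not go through the socket's `sk_error_report` callback. If these L2CAP sockets use the default callback, a user-space owner relying on async notification rather than poll() would presumably not learn about EUNATCH. Calling `session->intr_sock->sk->sk_error_report(session->intr_sock->sk);` (and the same for `ctrl_sock`) in place of the two wake-ups would cover both cases, assuming nothing about the timer context rules it out. The added comment could also say that the error is one-shot and cleared by `getsockopt(SO_ERROR)`, as the description does.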
diff --git a/queue-4.3/can-sja1000-clear-interrupts-on-start.patch b/queue-4.3/can-sja1000-clear-interrupts-on-start.patch
new file mode 100644 (file)
index 0000000..5e7425a
--- /dev/null
@@ -0,0 +1,46 @@
+From 7cecd9ab80f43972c056dc068338f7bcc407b71c Mon Sep 17 00:00:00 2001
+From: Mirza Krak <mirza.krak@hostmobility.com>
+Date: Tue, 10 Nov 2015 14:59:34 +0100
+Subject: can: sja1000: clear interrupts on start
+
+From: Mirza Krak <mirza.krak@hostmobility.com>
+
+commit 7cecd9ab80f43972c056dc068338f7bcc407b71c upstream.
+
+According to SJA1000 data sheet error-warning (EI) interrupt is not
+cleared by setting the controller in to reset-mode.
+
+Then if we have the following case:
+- system is suspended (echo mem > /sys/power/state) and SJA1000 is left
+  in operating state
+- A bus error condition occurs which activates EI interrupt, system is
+  still suspended which means EI interrupt will be not be handled nor
+  cleared.
+
+If the above two events occur, on resume there is no way to return the
+SJA1000 to operating state, except to cycle power to it.
+
+By simply reading the IR register on start we will clear any previous
+conditions that could be present.
+
+Signed-off-by: Mirza Krak <mirza.krak@hostmobility.com>
+Reported-by: Christian Magnusson <Christian.Magnusson@semcon.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/sja1000/sja1000.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/can/sja1000/sja1000.c
++++ b/drivers/net/can/sja1000/sja1000.c
+@@ -218,6 +218,9 @@ static void sja1000_start(struct net_dev
+       priv->write_reg(priv, SJA1000_RXERR, 0x0);
+       priv->read_reg(priv, SJA1000_ECC);
++      /* clear interrupt flags */
++      priv->read_reg(priv, SJA1000_IR);
++
+       /* leave reset mode */
+       set_normal_mode(dev);
+ }
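Review bot: The added comment `/* clear interrupt flags */` in sja1000_start does not say that the read itself is what clears them, so the discarded `priv->read_reg(priv, SJA1000_IR)` looks like dead code to a later reader. The description has the missing reason, so a comment such as `/* reading IR clears pending flags; EI is not cleared by entering reset mode */` would keep the call from being removed as unused. The start of sja1000_start is outside the hunk.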
diff --git a/queue-4.3/can-use-correct-type-in-sizeof-in-nla_put.patch b/queue-4.3/can-use-correct-type-in-sizeof-in-nla_put.patch
new file mode 100644 (file)
index 0000000..8575d20
--- /dev/null
@@ -0,0 +1,33 @@
+From 562b103a21974c2f9cd67514d110f918bb3e1796 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Fri, 30 Oct 2015 13:48:19 +0100
+Subject: can: Use correct type in sizeof() in nla_put()
+
+From: Marek Vasut <marex@denx.de>
+
+commit 562b103a21974c2f9cd67514d110f918bb3e1796 upstream.
+
+The sizeof() is invoked on an incorrect variable, likely due to some
+copy-paste error, and this might result in memory corruption. Fix this.
+
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Wolfgang Grandegger <wg@grandegger.com>
+Cc: netdev@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -915,7 +915,7 @@ static int can_fill_info(struct sk_buff
+            nla_put(skb, IFLA_CAN_BITTIMING_CONST,
+                    sizeof(*priv->bittiming_const), priv->bittiming_const)) ||
+-          nla_put(skb, IFLA_CAN_CLOCK, sizeof(cm), &priv->clock) ||
++          nla_put(skb, IFLA_CAN_CLOCK, sizeof(priv->clock), &priv->clock) ||
+           nla_put_u32(skb, IFLA_CAN_STATE, state) ||
+           nla_put(skb, IFLA_CAN_CTRLMODE, sizeof(cm), &cm) ||
+           nla_put_u32(skb, IFLA_CAN_RESTART_MS, priv->restart_ms) ||
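Review bot: The size estimate that reserves skb room for IFLA_CAN_CLOCK is outside this hunk and should be checked for the same copy-paste slip, because can_fill_info now takes the attribute length from `sizeof(priv->clock)` and the two must agree. With the old `sizeof(cm)`, nla_put() copied cm's size starting at `&priv->clock`. If cm is the larger object, that was a read past the clock field, with neighbouring priv data placed in a netlink reply, rather than a write. The remaining `sizeof(cm)` on the IFLA_CAN_CTRLMODE line matches its `&cm` payload. can_fill_info begins and continues outside the hunk.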
diff --git a/queue-4.3/clk-iproc-fix-pll-output-frequency-calculation.patch b/queue-4.3/clk-iproc-fix-pll-output-frequency-calculation.patch
new file mode 100644 (file)
index 0000000..754329b
--- /dev/null
@@ -0,0 +1,64 @@
+From 63243a4da7d0dfa19dcacd0a529782eeb2f86f92 Mon Sep 17 00:00:00 2001
+From: Simran Rai <ssimran@broadcom.com>
+Date: Mon, 19 Oct 2015 15:27:19 -0700
+Subject: clk: iproc: Fix PLL output frequency calculation
+
+From: Simran Rai <ssimran@broadcom.com>
+
+commit 63243a4da7d0dfa19dcacd0a529782eeb2f86f92 upstream.
+
+This patch affects the clocks that use fractional ndivider in their
+PLL output frequency calculation. Instead of 2^20 divide factor, the
+clock's ndiv integer shift was used. Fixed the bug by replacing ndiv
+integer shift with 2^20 factor.
+
+Signed-off-by: Simran Rai <ssimran@broadcom.com>
+Signed-off-by: Ray Jui <rjui@broadcom.com>
+Reviewed-by: Scott Branden <sbranden@broadcom.com>
+Fixes: 5fe225c105fd ("clk: iproc: add initial common clock support")
+Signed-off-by: Michael Turquette <mturquette@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/bcm/clk-iproc-pll.c |   13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/drivers/clk/bcm/clk-iproc-pll.c
++++ b/drivers/clk/bcm/clk-iproc-pll.c
+@@ -345,8 +345,8 @@ static unsigned long iproc_pll_recalc_ra
+       struct iproc_pll *pll = clk->pll;
+       const struct iproc_pll_ctrl *ctrl = pll->ctrl;
+       u32 val;
+-      u64 ndiv;
+-      unsigned int ndiv_int, ndiv_frac, pdiv;
++      u64 ndiv, ndiv_int, ndiv_frac;
++      unsigned int pdiv;
+       if (parent_rate == 0)
+               return 0;
+@@ -366,22 +366,19 @@ static unsigned long iproc_pll_recalc_ra
+       val = readl(pll->pll_base + ctrl->ndiv_int.offset);
+       ndiv_int = (val >> ctrl->ndiv_int.shift) &
+               bit_mask(ctrl->ndiv_int.width);
+-      ndiv = (u64)ndiv_int << ctrl->ndiv_int.shift;
++      ndiv = ndiv_int << 20;
+       if (ctrl->flags & IPROC_CLK_PLL_HAS_NDIV_FRAC) {
+               val = readl(pll->pll_base + ctrl->ndiv_frac.offset);
+               ndiv_frac = (val >> ctrl->ndiv_frac.shift) &
+                       bit_mask(ctrl->ndiv_frac.width);
+-
+-              if (ndiv_frac != 0)
+-                      ndiv = ((u64)ndiv_int << ctrl->ndiv_int.shift) |
+-                              ndiv_frac;
++              ndiv += ndiv_frac;
+       }
+       val = readl(pll->pll_base + ctrl->pdiv.offset);
+       pdiv = (val >> ctrl->pdiv.shift) & bit_mask(ctrl->pdiv.width);
+-      clk->rate = (ndiv * parent_rate) >> ctrl->ndiv_int.shift;
++      clk->rate = (ndiv * parent_rate) >> 20;
+       if (pdiv == 0)
+               clk->rate *= 2;
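Review bot: The literal `20` now appears twice in iproc_pll_recalc_rate, in `ndiv = ndiv_int << 20;` and in `clk->rate = (ndiv * parent_rate) >> 20;`, with nothing that ties the two together or says it is the fractional-divider width. A named constant used at both sites, for example `#define PLL_NDIV_FRAC_BITS 20` (the name is only a suggestion), would keep them in step. `ndiv += ndiv_frac` is also only correct while `bit_mask(ctrl->ndiv_frac.width)` yields at most 20 bits. The control tables are not visible here, so a short comment stating that assumption would help. The function body extends beyond both inner hunks.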
diff --git a/queue-4.3/clk-versatile-icst-fix-memory-leak.patch b/queue-4.3/clk-versatile-icst-fix-memory-leak.patch
new file mode 100644 (file)
index 0000000..c88f316
--- /dev/null
@@ -0,0 +1,36 @@
+From 7bdccef34fc67d3fce6778a018601dd41e43c5ce Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Fri, 23 Oct 2015 11:36:01 +0200
+Subject: clk: versatile-icst: fix memory leak
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit 7bdccef34fc67d3fce6778a018601dd41e43c5ce upstream.
+
+A static code checker found a memory leak in the Versatile
+ICST code. Fix it.
+
+Fixes: a183da637c52 "clk: versatile: respect parent rate in ICST clock"
+Reported-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/versatile/clk-icst.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/clk/versatile/clk-icst.c
++++ b/drivers/clk/versatile/clk-icst.c
+@@ -157,8 +157,10 @@ struct clk *icst_clk_register(struct dev
+       icst->lockreg = base + desc->lock_offset;
+       clk = clk_register(dev, &icst->hw);
+-      if (IS_ERR(clk))
++      if (IS_ERR(clk)) {
++              kfree(pclone);
+               kfree(icst);
++      }
+       return clk;
+ }
diff --git a/queue-4.3/fs-proc-core-debug-don-t-expose-absolute-kernel-addresses-via-wchan.patch b/queue-4.3/fs-proc-core-debug-don-t-expose-absolute-kernel-addresses-via-wchan.patch
new file mode 100644 (file)
index 0000000..eea1bbe
--- /dev/null
@@ -0,0 +1,170 @@
+From b2f73922d119686323f14fbbe46587f863852328 Mon Sep 17 00:00:00 2001
+From: Ingo Molnar <mingo@kernel.org>
+Date: Wed, 30 Sep 2015 15:59:17 +0200
+Subject: fs/proc, core/debug: Don't expose absolute kernel addresses via wchan
+
+From: Ingo Molnar <mingo@kernel.org>
+
+commit b2f73922d119686323f14fbbe46587f863852328 upstream.
+
+So the /proc/PID/stat 'wchan' field (the 30th field, which contains
+the absolute kernel address of the kernel function a task is blocked in)
+leaks absolute kernel addresses to unprivileged user-space:
+
+        seq_put_decimal_ull(m, ' ', wchan);
+
+The absolute address might also leak via /proc/PID/wchan as well, if
+KALLSYMS is turned off or if the symbol lookup fails for some reason:
+
+static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns,
+                          struct pid *pid, struct task_struct *task)
+{
+        unsigned long wchan;
+        char symname[KSYM_NAME_LEN];
+
+        wchan = get_wchan(task);
+
+        if (lookup_symbol_name(wchan, symname) < 0) {
+                if (!ptrace_may_access(task, PTRACE_MODE_READ))
+                        return 0;
+                seq_printf(m, "%lu", wchan);
+        } else {
+                seq_printf(m, "%s", symname);
+        }
+
+        return 0;
+}
+
+This isn't ideal, because for example it trivially leaks the KASLR offset
+to any local attacker:
+
+  fomalhaut:~> printf "%016lx\n" $(cat /proc/$$/stat | cut -d' ' -f35)
+  ffffffff8123b380
+
+Most real-life uses of wchan are symbolic:
+
+  ps -eo pid:10,tid:10,wchan:30,comm
+
+and procps uses /proc/PID/wchan, not the absolute address in /proc/PID/stat:
+
+  triton:~/tip> strace -f ps -eo pid:10,tid:10,wchan:30,comm 2>&1 | grep wchan | tail -1
+  open("/proc/30833/wchan", O_RDONLY)     = 6
+
+There's one compatibility quirk here: procps relies on whether the
+absolute value is non-zero - and we can provide that functionality
+by outputing "0" or "1" depending on whether the task is blocked
+(whether there's a wchan address).
+
+These days there appears to be very little legitimate reason
+user-space would be interested in  the absolute address. The
+absolute address is mostly historic: from the days when we
+didn't have kallsyms and user-space procps had to do the
+decoding itself via the System.map.
+
+So this patch sets all numeric output to "0" or "1" and keeps only
+symbolic output, in /proc/PID/wchan.
+
+( The absolute sleep address can generally still be profiled via
+  perf, by tasks with sufficient privileges. )
+
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Kees Cook <keescook@chromium.org>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Andrey Konovalov <andreyknvl@google.com>
+Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Kostya Serebryany <kcc@google.com>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sasha Levin <sasha.levin@oracle.com>
+Cc: kasan-dev <kasan-dev@googlegroups.com>
+Cc: linux-kernel@vger.kernel.org
+Link: http://lkml.kernel.org/r/20150930135917.GA3285@gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/filesystems/proc.txt |    5 +++--
+ fs/proc/array.c                    |   16 ++++++++++++++--
+ fs/proc/base.c                     |    9 +++------
+ 3 files changed, 20 insertions(+), 10 deletions(-)
+
+--- a/Documentation/filesystems/proc.txt
++++ b/Documentation/filesystems/proc.txt
+@@ -140,7 +140,8 @@ Table 1-1: Process specific entries in /
+  stat         Process status
+  statm                Process memory status information
+  status               Process status in human readable form
+- wchan                If CONFIG_KALLSYMS is set, a pre-decoded wchan
++ wchan                Present with CONFIG_KALLSYMS=y: it shows the kernel function
++              symbol the task is blocked in - or "0" if not blocked.
+  pagemap      Page table
+  stack                Report full stack trace, enable via CONFIG_STACKTRACE
+  smaps                a extension based on maps, showing the memory consumption of
+@@ -310,7 +311,7 @@ Table 1-4: Contents of the stat files (a
+   blocked       bitmap of blocked signals
+   sigign        bitmap of ignored signals
+   sigcatch      bitmap of caught signals
+-  wchan         address where process went to sleep
++  0           (place holder, used to be the wchan address, use /proc/PID/wchan instead)
+   0             (place holder)
+   0             (place holder)
+   exit_signal   signal to send to parent thread on exit
+--- a/fs/proc/array.c
++++ b/fs/proc/array.c
+@@ -375,7 +375,7 @@ int proc_pid_status(struct seq_file *m,
+ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
+                       struct pid *pid, struct task_struct *task, int whole)
+ {
+-      unsigned long vsize, eip, esp, wchan = ~0UL;
++      unsigned long vsize, eip, esp, wchan = 0;
+       int priority, nice;
+       int tty_pgrp = -1, tty_nr = 0;
+       sigset_t sigign, sigcatch;
+@@ -507,7 +507,19 @@ static int do_task_stat(struct seq_file
+       seq_put_decimal_ull(m, ' ', task->blocked.sig[0] & 0x7fffffffUL);
+       seq_put_decimal_ull(m, ' ', sigign.sig[0] & 0x7fffffffUL);
+       seq_put_decimal_ull(m, ' ', sigcatch.sig[0] & 0x7fffffffUL);
+-      seq_put_decimal_ull(m, ' ', wchan);
++
++      /*
++       * We used to output the absolute kernel address, but that's an
++       * information leak - so instead we show a 0/1 flag here, to signal
++       * to user-space whether there's a wchan field in /proc/PID/wchan.
++       *
++       * This works with older implementations of procps as well.
++       */
++      if (wchan)
++              seq_puts(m, " 1");
++      else
++              seq_puts(m, " 0");
++
+       seq_put_decimal_ull(m, ' ', 0);
+       seq_put_decimal_ull(m, ' ', 0);
+       seq_put_decimal_ll(m, ' ', task->exit_signal);
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -430,13 +430,10 @@ static int proc_pid_wchan(struct seq_fil
+       wchan = get_wchan(task);
+-      if (lookup_symbol_name(wchan, symname) < 0) {
+-              if (!ptrace_may_access(task, PTRACE_MODE_READ))
+-                      return 0;
+-              seq_printf(m, "%lu", wchan);
+-      } else {
++      if (wchan && ptrace_may_access(task, PTRACE_MODE_READ) && !lookup_symbol_name(wchan, symname))
+               seq_printf(m, "%s", symname);
+-      }
++      else
++              seq_putc(m, '0');
+       return 0;
+ }
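Review bot: The proc.txt wording added by this patch does not match what its own code prints. In fs/proc/base.c, /proc/PID/wchan now prints `0` when the task is not blocked, when `ptrace_may_access()` fails, and when the symbol lookup fails, so the text should read along the lines of `or "0" if not blocked, not permitted, or the symbol cannot be resolved`. In fs/proc/array.c the stat field is a 0/1 flag, yet the table row documents it as a constant `0` place holder; `wchan  0/1 flag: non-zero if the task is blocked (name in /proc/PID/wchan)` would be accurate. The symbolic name is also newly gated on `ptrace_may_access()`, a tightening the description does not mention and user-space tools may notice. The combined condition in proc_pid_wchan runs well past 80 columns and would read better split across lines.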
diff --git a/queue-4.3/iwlwifi-add-new-pci-ids-for-the-8260-series.patch b/queue-4.3/iwlwifi-add-new-pci-ids-for-the-8260-series.patch
new file mode 100644 (file)
index 0000000..bab76ea
--- /dev/null
@@ -0,0 +1,76 @@
+From 4ab75944c4b324c1f5f01dbd4c4d122d2b9da187 Mon Sep 17 00:00:00 2001
+From: Oren Givon <oren.givon@intel.com>
+Date: Wed, 28 Oct 2015 12:32:20 +0200
+Subject: iwlwifi: Add new PCI IDs for the 8260 series
+
+From: Oren Givon <oren.givon@intel.com>
+
+commit 4ab75944c4b324c1f5f01dbd4c4d122d2b9da187 upstream.
+
+Add some new PCI IDs for the 8260 series which were missing.
+The following sub-system IDs were added:
+0x0130, 0x1130, 0x0132, 0x1132, 0x1150, 0x8110, 0x9110, 0x8130,
+0x9130, 0x8132, 0x9132, 0x8150, 0x9150, 0x0044, 0x0930
+
+Signed-off-by: Oren Givon <oren.givon@intel.com>
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/pcie/drv.c |   19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/iwlwifi/pcie/drv.c
+@@ -423,14 +423,21 @@ static const struct pci_device_id iwl_hw
+ /* 8000 Series */
+       {IWL_PCI_DEVICE(0x24F3, 0x0010, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x1010, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0x0130, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0x1130, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0x0132, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0x1132, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x0110, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0x01F0, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0x0012, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0x1012, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x1110, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x0050, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x0250, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x1050, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x0150, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0x1150, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F4, 0x0030, iwl8260_2ac_cfg)},
+-      {IWL_PCI_DEVICE(0x24F4, 0x1130, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F4, 0x1030, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0xC010, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0xC110, iwl8260_2ac_cfg)},
+@@ -438,18 +445,28 @@ static const struct pci_device_id iwl_hw
+       {IWL_PCI_DEVICE(0x24F3, 0xC050, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0xD050, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x8010, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0x8110, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x9010, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0x9110, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F4, 0x8030, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F4, 0x9030, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0x8130, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0x9130, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0x8132, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0x9132, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x8050, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0x8150, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x9050, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0x9150, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x0004, iwl8260_2n_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0x0044, iwl8260_2n_cfg)},
+       {IWL_PCI_DEVICE(0x24F5, 0x0010, iwl4165_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F6, 0x0030, iwl4165_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x0810, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x0910, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x0850, iwl8260_2ac_cfg)},
+       {IWL_PCI_DEVICE(0x24F3, 0x0950, iwl8260_2ac_cfg)},
++      {IWL_PCI_DEVICE(0x24F3, 0x0930, iwl8260_2ac_cfg)},
+ #endif /* CONFIG_IWLMVM */
+       {0}
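Review bot: The description does not account for everything this hunk changes in the device table. It lists fifteen sub-system IDs, while the diff adds eighteen entries: `0x01F0`, `0x0012` and `0x1012` under device `0x24F3` are not mentioned. It also deletes the existing `0x24F4, 0x1130` entry, replacing it with `0x24F3, 0x1130`. If that deletion is a correction of a wrong device ID rather than an accident, the description should say so, since dropping an entry stops the driver binding to hardware that matched it before.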
diff --git a/queue-4.3/iwlwifi-pcie-fix-again-prepare-card-flow.patch b/queue-4.3/iwlwifi-pcie-fix-again-prepare-card-flow.patch
new file mode 100644 (file)
index 0000000..dbf8578
--- /dev/null
@@ -0,0 +1,48 @@
+From 03a19cbb91994212be72ce15ac3406fa9f8ba079 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Wed, 21 Oct 2015 19:55:32 +0300
+Subject: iwlwifi: pcie: fix (again) prepare card flow
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 03a19cbb91994212be72ce15ac3406fa9f8ba079 upstream.
+
+The hardware bug in the commit mentioned below forces us
+not to re-enable the clock gating in the Host Cluster.
+The impact on the power consumption is minimal and it allows
+the WAKE_ME interrupt to propagate.
+
+Fixes: c9fdec9f3970 ("iwlwifi: pcie: fix prepare card flow")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/pcie/trans.c |   10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
+@@ -592,10 +592,8 @@ static int iwl_pcie_prepare_card_hw(stru
+               do {
+                       ret = iwl_pcie_set_hw_ready(trans);
+-                      if (ret >= 0) {
+-                              ret = 0;
+-                              goto out;
+-                      }
++                      if (ret >= 0)
++                              return 0;
+                       usleep_range(200, 1000);
+                       t += 200;
+@@ -605,10 +603,6 @@ static int iwl_pcie_prepare_card_hw(stru
+       IWL_ERR(trans, "Couldn't prepare the card\n");
+-out:
+-      iwl_clear_bit(trans, CSR_DBG_LINK_PWR_MGMT_REG,
+-                    CSR_RESET_LINK_PWR_MGMT_DISABLED);
+-
+       return ret;
+ }
diff --git a/queue-4.3/kvm-s390-avoid-memory-overwrites-on-emergency-signal-injection.patch b/queue-4.3/kvm-s390-avoid-memory-overwrites-on-emergency-signal-injection.patch
new file mode 100644 (file)
index 0000000..452b9e4
--- /dev/null
@@ -0,0 +1,38 @@
+From b85de33a1a3433487b6a721cfdce25ec8673e622 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Date: Thu, 5 Nov 2015 09:38:15 +0100
+Subject: KVM: s390: avoid memory overwrites on emergency signal injection
+
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+
+commit b85de33a1a3433487b6a721cfdce25ec8673e622 upstream.
+
+Commit 383d0b050106 ("KVM: s390: handle pending local interrupts via
+bitmap") introduced a possible memory overwrite from user space.
+
+User space could pass an invalid emergency signal code (sending VCPU)
+and therefore exceed the bitmap. Let's take care of this case and
+check that the id is in the valid range.
+
+Reviewed-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
+Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/interrupt.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/s390/kvm/interrupt.c
++++ b/arch/s390/kvm/interrupt.c
+@@ -1136,6 +1136,10 @@ static int __inject_sigp_emergency(struc
+       trace_kvm_s390_inject_vcpu(vcpu->vcpu_id, KVM_S390_INT_EMERGENCY,
+                                  irq->u.emerg.code, 0);
++      /* sending vcpu invalid */
++      if (kvm_get_vcpu_by_id(vcpu->kvm, irq->u.emerg.code) == NULL)
++              return -EINVAL;
++
+       set_bit(irq->u.emerg.code, li->sigp_emerg_pending);
+       set_bit(IRQ_PEND_EXT_EMERGENCY, &li->pending_irqs);
+       atomic_or(CPUSTAT_EXT_INT, li->cpuflags);
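Review bot: The new check in __inject_sigp_emergency bounds the `set_bit()` index only indirectly. It is sufficient as long as every id for which `kvm_get_vcpu_by_id()` returns a vcpu is smaller than the size of `li->sigp_emerg_pending`, whose declaration is outside this hunk. The comment could state that invariant so it is not lost if the id range ever changes, e.g. `/* sending vcpu invalid; only ids of existing vcpus may index sigp_emerg_pending */`. The check also sits below `trace_kvm_s390_inject_vcpu()`, so a rejected request with an out-of-range code is still traced as an injection. Moving the check above the trace call would keep the trace honest, unless tracing rejected attempts is intended.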
diff --git a/queue-4.3/kvm-s390-enable-simd-only-when-no-vcpus-were-created.patch b/queue-4.3/kvm-s390-enable-simd-only-when-no-vcpus-were-created.patch
new file mode 100644 (file)
index 0000000..9176fd6
--- /dev/null
@@ -0,0 +1,47 @@
+From 5967c17b118a2bd1dd1d554cc4eee16233e52bec Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Date: Fri, 6 Nov 2015 12:08:48 +0100
+Subject: KVM: s390: enable SIMD only when no VCPUs were created
+
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+
+commit 5967c17b118a2bd1dd1d554cc4eee16233e52bec upstream.
+
+We should never allow to enable/disable any facilities for the guest
+when other VCPUs were already created.
+
+kvm_arch_vcpu_(load|put) relies on SIMD not changing during runtime.
+If somebody would create and run VCPUs and then decides to enable
+SIMD, undefined behaviour could be possible (e.g. vector save area
+not being set up).
+
+Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
+Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/kvm-s390.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -342,12 +342,16 @@ static int kvm_vm_ioctl_enable_cap(struc
+               r = 0;
+               break;
+       case KVM_CAP_S390_VECTOR_REGISTERS:
+-              if (MACHINE_HAS_VX) {
++              mutex_lock(&kvm->lock);
++              if (atomic_read(&kvm->online_vcpus)) {
++                      r = -EBUSY;
++              } else if (MACHINE_HAS_VX) {
+                       set_kvm_facility(kvm->arch.model.fac->mask, 129);
+                       set_kvm_facility(kvm->arch.model.fac->list, 129);
+                       r = 0;
+               } else
+                       r = -EINVAL;
++              mutex_unlock(&kvm->lock);
+               VM_EVENT(kvm, 3, "ENABLE: CAP_S390_VECTOR_REGISTERS %s",
+                        r ? "(not available)" : "(success)");
+               break;
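Review bot: After this change the VM_EVENT line still prints `(not available)` for any non-zero `r`, so the new `-EBUSY` case (vcpus already created) is logged exactly like missing hardware support. Distinguishing them makes the debug log usable for diagnosing a rejected enable, for instance `r == -EBUSY ? "(vcpus exist)" : r ? "(not available)" : "(success)"` (the wording is a suggestion). As a style point, the final `else r = -EINVAL;` is left unbraced while the other branches of the same chain are braced.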
diff --git a/queue-4.3/kvm-s390-fix-wrong-lookup-of-vcpus-by-array-index.patch b/queue-4.3/kvm-s390-fix-wrong-lookup-of-vcpus-by-array-index.patch
new file mode 100644 (file)
index 0000000..e5cd499
--- /dev/null
@@ -0,0 +1,65 @@
+From 152e9f65d66f0a3891efc3869440becc0e7ff53f Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Date: Thu, 5 Nov 2015 09:06:06 +0100
+Subject: KVM: s390: fix wrong lookup of VCPUs by array index
+
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+
+commit 152e9f65d66f0a3891efc3869440becc0e7ff53f upstream.
+
+For now, VCPUs were always created sequentially with incrementing
+VCPU ids. Therefore, the index in the VCPUs array matched the id.
+
+As sequential creation might change with cpu hotplug, let's use
+the correct lookup function to find a VCPU by id, not array index.
+
+Let's also use kvm_lookup_vcpu() for validation of the sending VCPU
+on external call injection.
+
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/interrupt.c |    3 +--
+ arch/s390/kvm/sigp.c      |    8 ++------
+ 2 files changed, 3 insertions(+), 8 deletions(-)
+
+--- a/arch/s390/kvm/interrupt.c
++++ b/arch/s390/kvm/interrupt.c
+@@ -1057,8 +1057,7 @@ static int __inject_extcall(struct kvm_v
+                                  src_id, 0);
+       /* sending vcpu invalid */
+-      if (src_id >= KVM_MAX_VCPUS ||
+-          kvm_get_vcpu(vcpu->kvm, src_id) == NULL)
++      if (kvm_get_vcpu_by_id(vcpu->kvm, src_id) == NULL)
+               return -EINVAL;
+       if (sclp.has_sigpif)
+--- a/arch/s390/kvm/sigp.c
++++ b/arch/s390/kvm/sigp.c
+@@ -291,12 +291,8 @@ static int handle_sigp_dst(struct kvm_vc
+                          u16 cpu_addr, u32 parameter, u64 *status_reg)
+ {
+       int rc;
+-      struct kvm_vcpu *dst_vcpu;
++      struct kvm_vcpu *dst_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr);
+-      if (cpu_addr >= KVM_MAX_VCPUS)
+-              return SIGP_CC_NOT_OPERATIONAL;
+-
+-      dst_vcpu = kvm_get_vcpu(vcpu->kvm, cpu_addr);
+       if (!dst_vcpu)
+               return SIGP_CC_NOT_OPERATIONAL;
+@@ -478,7 +474,7 @@ int kvm_s390_handle_sigp_pei(struct kvm_
+       trace_kvm_s390_handle_sigp_pei(vcpu, order_code, cpu_addr);
+       if (order_code == SIGP_EXTERNAL_CALL) {
+-              dest_vcpu = kvm_get_vcpu(vcpu->kvm, cpu_addr);
++              dest_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr);
+               BUG_ON(dest_vcpu == NULL);
+               kvm_s390_vcpu_wakeup(dest_vcpu);
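Review bot: In the kvm_s390_handle_sigp_pei hunk of arch/s390/kvm/sigp.c, the result of `kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr)` still feeds `BUG_ON(dest_vcpu == NULL)`, so a failed lookup takes down the whole host instead of failing one request. Where cpu_addr comes from is not visible in this hunk; if it is derived from guest state, `if (WARN_ON_ONCE(!dest_vcpu))` followed by the function's usual error return would confine the failure to the guest. The other two call sites in this patch already handle NULL with an error return, so this would also make the three consistent. The function body continues outside the hunk.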
diff --git a/queue-4.3/kvm-s390-sca-must-not-cross-page-boundaries.patch b/queue-4.3/kvm-s390-sca-must-not-cross-page-boundaries.patch
new file mode 100644 (file)
index 0000000..5e73428
--- /dev/null
@@ -0,0 +1,54 @@
+From c5c2c393468576bad6d10b2b5fefff8cd25df3f4 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Date: Mon, 26 Oct 2015 08:41:29 +0100
+Subject: KVM: s390: SCA must not cross page boundaries
+
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+
+commit c5c2c393468576bad6d10b2b5fefff8cd25df3f4 upstream.
+
+We seemed to have missed a few corner cases in commit f6c137ff00a4
+("KVM: s390: randomize sca address").
+
+The SCA has a maximum size of 2112 bytes. By setting the sca_offset to
+some unlucky numbers, we exceed the page.
+
+0x7c0 (1984) -> Fits exactly
+0x7d0 (2000) -> 16 bytes out
+0x7e0 (2016) -> 32 bytes out
+0x7f0 (2032) -> 48 bytes out
+
+One VCPU entry is 32 bytes long.
+
+For the last two cases, we actually write data to the other page.
+1. The address of the VCPU.
+2. Injection/delivery/clearing of SIGP externall calls via SIGP IF.
+
+Especially the 2. happens regularly. So this could produce two problems:
+1. The guest losing/getting external calls.
+2. Random memory overwrites in the host.
+
+So this problem happens on every 127 + 128 created VM with 64 VCPUs.
+
+Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/kvm-s390.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -1120,7 +1120,9 @@ int kvm_arch_init_vm(struct kvm *kvm, un
+       if (!kvm->arch.sca)
+               goto out_err;
+       spin_lock(&kvm_lock);
+-      sca_offset = (sca_offset + 16) & 0x7f0;
++      sca_offset += 16;
++      if (sca_offset + sizeof(struct sca_block) > PAGE_SIZE)
++              sca_offset = 0;
+       kvm->arch.sca = (struct sca_block *) ((char *) kvm->arch.sca + sca_offset);
+       spin_unlock(&kvm_lock);
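Review bot: The wrap-around added to kvm_arch_init_vm has no comment saying why the offset is reset rather than masked, and the removed `& 0x7f0` mask is exactly what let the block spill into the next page. A short comment above the check, e.g. `/* the whole sca_block must stay inside its page; wrap instead of masking */`, would keep the mask from being reintroduced. The check is only sound if sizeof(struct sca_block) never exceeds PAGE_SIZE, which this hunk does not show; `BUILD_BUG_ON(sizeof(struct sca_block) > PAGE_SIZE);` next to it would pin that assumption. The function starts and ends outside the hunk.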
diff --git a/queue-4.3/kvm-x86-add-read_phys-to-x86_emulate_ops.patch b/queue-4.3/kvm-x86-add-read_phys-to-x86_emulate_ops.patch
new file mode 100644 (file)
index 0000000..dd3a761
--- /dev/null
@@ -0,0 +1,72 @@
+From 7a036a6f670f63b32c5ee126425f9109271ca13f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Fri, 30 Oct 2015 16:36:24 +0100
+Subject: KVM: x86: add read_phys to x86_emulate_ops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+
+commit 7a036a6f670f63b32c5ee126425f9109271ca13f upstream.
+
+We want to read the physical memory when emulating RSM.
+
+X86EMUL_IO_NEEDED is returned on all errors for consistency with other
+helpers.
+
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Tested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/kvm_emulate.h |   10 ++++++++++
+ arch/x86/kvm/x86.c                 |   10 ++++++++++
+ 2 files changed, 20 insertions(+)
+
+--- a/arch/x86/include/asm/kvm_emulate.h
++++ b/arch/x86/include/asm/kvm_emulate.h
+@@ -112,6 +112,16 @@ struct x86_emulate_ops {
+                       struct x86_exception *fault);
+       /*
++       * read_phys: Read bytes of standard (non-emulated/special) memory.
++       *            Used for descriptor reading.
++       *  @addr:  [IN ] Physical address from which to read.
++       *  @val:   [OUT] Value read from memory.
++       *  @bytes: [IN ] Number of bytes to read from memory.
++       */
++      int (*read_phys)(struct x86_emulate_ctxt *ctxt, unsigned long addr,
++                      void *val, unsigned int bytes);
++
++      /*
+        * write_std: Write bytes of standard (non-emulated/special) memory.
+        *            Used for descriptor writing.
+        *  @addr:  [IN ] Linear address to which to write.
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4059,6 +4059,15 @@ static int kvm_read_guest_virt_system(st
+       return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, 0, exception);
+ }
++static int kvm_read_guest_phys_system(struct x86_emulate_ctxt *ctxt,
++              unsigned long addr, void *val, unsigned int bytes)
++{
++      struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
++      int r = kvm_vcpu_read_guest(vcpu, addr, val, bytes);
++
++      return r < 0 ? X86EMUL_IO_NEEDED : X86EMUL_CONTINUE;
++}
++
+ int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt,
+                                      gva_t addr, void *val,
+                                      unsigned int bytes,
+@@ -4794,6 +4803,7 @@ static const struct x86_emulate_ops emul
+       .write_gpr           = emulator_write_gpr,
+       .read_std            = kvm_read_guest_virt_system,
+       .write_std           = kvm_write_guest_virt_system,
++      .read_phys           = kvm_read_guest_phys_system,
+       .fetch               = kvm_fetch_guest_virt,
+       .read_emulated       = emulator_read_emulated,
+       .write_emulated      = emulator_write_emulated,
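Review bot: The new read_phys comment in arch/x86/include/asm/kvm_emulate.h is copied from the neighbouring std helpers and still says "Used for descriptor reading", while the commit message gives RSM emulation as the purpose. Suggested first lines: `* read_phys: Read bytes of guest physical memory, with no address translation.` and `*            Used when emulating RSM.` The comment should also state the return convention, since kvm_read_guest_phys_system in x86.c maps every failure to X86EMUL_IO_NEEDED. Separately, `addr` is declared `unsigned long`; on a host build where that is narrower than a guest physical address the value would be truncated, so `gpa_t` may be the safer parameter type (the callee's prototype is not on this page, so this is to be confirmed).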
diff --git a/queue-4.3/kvm-x86-allow-rsm-from-64-bit-mode.patch b/queue-4.3/kvm-x86-allow-rsm-from-64-bit-mode.patch
new file mode 100644 (file)
index 0000000..e0e825b
--- /dev/null
@@ -0,0 +1,80 @@
+From 89651a3decbe03754f304a0b248f27eeb9a37937 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 3 Nov 2015 13:43:05 +0100
+Subject: KVM: x86: allow RSM from 64-bit mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 89651a3decbe03754f304a0b248f27eeb9a37937 upstream.
+
+The SDM says that exiting system management mode from 64-bit mode
+is invalid, but that would be too good to be true.  But actually,
+most of the code is already there to support exiting from compat
+mode (EFER.LME=1, EFER.LMA=0).  Getting all the way from 64-bit
+mode to real mode only requires clearing CS.L and CR4.PCIDE.
+
+Fixes: 660a5d517aaab9187f93854425c4c63f4a09195c
+Tested-by: Laszlo Ersek <lersek@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c |   30 +++++++++++++++++++++++++-----
+ 1 file changed, 25 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -2484,16 +2484,36 @@ static int em_rsm(struct x86_emulate_ctx
+       /*
+        * Get back to real mode, to prepare a safe state in which to load
+-       * CR0/CR3/CR4/EFER.
+-       *
+-       * CR4.PCIDE must be zero, because it is a 64-bit mode only feature.
++       * CR0/CR3/CR4/EFER.  It's all a bit more complicated if the vCPU
++       * supports long mode.
+        */
++      cr4 = ctxt->ops->get_cr(ctxt, 4);
++      if (emulator_has_longmode(ctxt)) {
++              struct desc_struct cs_desc;
++
++              /* Zero CR4.PCIDE before CR0.PG.  */
++              if (cr4 & X86_CR4_PCIDE) {
++                      ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE);
++                      cr4 &= ~X86_CR4_PCIDE;
++              }
++
++              /* A 32-bit code segment is required to clear EFER.LMA.  */
++              memset(&cs_desc, 0, sizeof(cs_desc));
++              cs_desc.type = 0xb;
++              cs_desc.s = cs_desc.g = cs_desc.p = 1;
++              ctxt->ops->set_segment(ctxt, 0, &cs_desc, 0, VCPU_SREG_CS);
++      }
++
++      /* For the 64-bit case, this will clear EFER.LMA.  */
+       cr0 = ctxt->ops->get_cr(ctxt, 0);
+       if (cr0 & X86_CR0_PE)
+               ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE));
+-      cr4 = ctxt->ops->get_cr(ctxt, 4);
++
++      /* Now clear CR4.PAE (which must be done before clearing EFER.LME).  */
+       if (cr4 & X86_CR4_PAE)
+               ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE);
++
++      /* And finally go back to 32-bit mode.  */
+       efer = 0;
+       ctxt->ops->set_msr(ctxt, MSR_EFER, efer);
+@@ -4454,7 +4474,7 @@ static const struct opcode twobyte_table
+       F(DstMem | SrcReg | Src2CL | ModRM, em_shld), N, N,
+       /* 0xA8 - 0xAF */
+       I(Stack | Src2GS, em_push_sreg), I(Stack | Src2GS, em_pop_sreg),
+-      II(No64 | EmulateOnUD | ImplicitOps, em_rsm, rsm),
++      II(EmulateOnUD | ImplicitOps, em_rsm, rsm),
+       F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
+       F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd),
+       F(DstMem | SrcReg | Src2CL | ModRM, em_shrd),
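Review bot: The comment `/* A 32-bit code segment is required to clear EFER.LMA.  */` in em_rsm does not describe the descriptor built under it: cs_desc is zeroed and only type, s, g and p are set, so no default-size bit is turned on and what the code guarantees is a code segment with the long-mode bit clear, which is what the commit message asks for ("clearing CS.L"). Rewording it to `/* EFER.LMA can only be cleared with CS.L = 0, so load a non-64-bit code segment. */` and adding a short remark on the bare `0xb` segment type would make the intent checkable against the code. The results of the `set_cr` calls are ignored throughout the sequence; that matches the surrounding lines, but a rejected CR4 write would leave the later steps running in a state the comments say cannot occur. em_rsm starts and ends outside the hunk.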
diff --git a/queue-4.3/kvm-x86-handle-smbase-as-physical-address-in-rsm.patch b/queue-4.3/kvm-x86-handle-smbase-as-physical-address-in-rsm.patch
new file mode 100644 (file)
index 0000000..1c1ac23
--- /dev/null
@@ -0,0 +1,49 @@
+From f40606b147dd5b4678cedc877a71deb520ca507e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Fri, 30 Oct 2015 16:36:25 +0100
+Subject: KVM: x86: handle SMBASE as physical address in RSM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+
+commit f40606b147dd5b4678cedc877a71deb520ca507e upstream.
+
+GET_SMSTATE depends on real mode to ensure that smbase+offset is treated
+as a physical address, which has already caused a bug after shuffling
+the code.  Enforce physical addressing.
+
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Reported-by: Laszlo Ersek <lersek@redhat.com>
+Tested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -2272,8 +2272,8 @@ static int emulator_has_longmode(struct
+ #define GET_SMSTATE(type, smbase, offset)                               \
+       ({                                                                \
+        type __val;                                                      \
+-       int r = ctxt->ops->read_std(ctxt, smbase + offset, &__val,       \
+-                                   sizeof(__val), NULL);                \
++       int r = ctxt->ops->read_phys(ctxt, smbase + offset, &__val,      \
++                                    sizeof(__val));                     \
+        if (r != X86EMUL_CONTINUE)                                       \
+                return X86EMUL_UNHANDLEABLE;                             \
+        __val;                                                           \
+@@ -2484,8 +2484,7 @@ static int em_rsm(struct x86_emulate_ctx
+       /*
+        * Get back to real mode, to prepare a safe state in which to load
+-       * CR0/CR3/CR4/EFER.  Also this will ensure that addresses passed
+-       * to read_std/write_std are not virtual.
++       * CR0/CR3/CR4/EFER.
+        *
+        * CR4.PCIDE must be zero, because it is a 64-bit mode only feature.
+        */
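Review bot: GET_SMSTATE pastes `smbase + offset` into the read_phys call without parenthesising either macro argument, so an argument containing a lower-precedence operator would produce a different address; `int r = ctxt->ops->read_phys(ctxt, (smbase) + (offset), &__val, \` avoids that. The macro also depends on a `ctxt` in the caller's scope and returns from the calling function when the read fails. A one-line comment above the `#define` stating both would help anyone adding a new user. Only part of the macro is visible in this hunk.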
diff --git a/queue-4.3/kvm-x86-obey-kvm_x86_quirk_cd_nw_cleared-in-kvm_set_cr0.patch b/queue-4.3/kvm-x86-obey-kvm_x86_quirk_cd_nw_cleared-in-kvm_set_cr0.patch
new file mode 100644 (file)
index 0000000..951f2da
--- /dev/null
@@ -0,0 +1,53 @@
+From 879ae1880449c88db11c1ebdaedc2da79b2fe73f Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 4 Nov 2015 12:54:41 +0100
+Subject: KVM: x86: obey KVM_X86_QUIRK_CD_NW_CLEARED in kvm_set_cr0()
+
+From: Laszlo Ersek <lersek@redhat.com>
+
+commit 879ae1880449c88db11c1ebdaedc2da79b2fe73f upstream.
+
+Commit b18d5431acc7 ("KVM: x86: fix CR0.CD virtualization") was
+technically correct, but it broke OVMF guests by slowing down various
+parts of the firmware.
+
+Commit fb279950ba02 ("KVM: vmx: obey KVM_QUIRK_CD_NW_CLEARED") quirked the
+first function modified by b18d5431acc7, vmx_get_mt_mask(), for OVMF's
+sake. This restored the speed of the OVMF code that runs before
+PlatformPei (including the memory intensive LZMA decompression in SEC).
+
+This patch extends the quirk to the second function modified by
+b18d5431acc7, kvm_set_cr0(). It eliminates the intrusive slowdown that
+hits the EFI_MP_SERVICES_PROTOCOL implementation of edk2's
+UefiCpuPkg/CpuDxe -- which is built into OVMF --, when CpuDxe starts up
+all APs at once for initialization, in order to count them.
+
+We also carry over the kvm_arch_has_noncoherent_dma() sub-condition from
+the other half of the original commit b18d5431acc7.
+
+Fixes: b18d5431acc7a2fd22767925f3a6f597aa4bd29e
+Cc: Jordan Justen <jordan.l.justen@intel.com>
+Cc: Alex Williamson <alex.williamson@redhat.com>
+Reviewed-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
+Tested-by: Janusz Mocek <januszmk6@gmail.com>
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>#
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -622,7 +622,9 @@ int kvm_set_cr0(struct kvm_vcpu *vcpu, u
+       if ((cr0 ^ old_cr0) & update_bits)
+               kvm_mmu_reset_context(vcpu);
+-      if ((cr0 ^ old_cr0) & X86_CR0_CD)
++      if (((cr0 ^ old_cr0) & X86_CR0_CD) &&
++          kvm_arch_has_noncoherent_dma(vcpu->kvm) &&
++          !kvm_check_has_quirk(vcpu->kvm, KVM_X86_QUIRK_CD_NW_CLEARED))
+               kvm_zap_gfn_range(vcpu->kvm, 0, ~0ULL);
+       return 0;
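Review bot: The three-part condition added to kvm_set_cr0 carries no comment, and without one the two extra terms look like an optimisation that can be dropped. Per the commit message they mirror the quirk already applied in vmx_get_mt_mask(); a comment such as `/* CR0.CD only affects guest memory types with non-coherent DMA and the CD/NW quirk disabled; zap only then */` would record that (wording to be confirmed against vmx_get_mt_mask, which is not on this page). The function starts outside the hunk.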
diff --git a/queue-4.3/kvm-x86-set-kvm_req_event-when-updating-irr.patch b/queue-4.3/kvm-x86-set-kvm_req_event-when-updating-irr.patch
new file mode 100644 (file)
index 0000000..268e8d3
--- /dev/null
@@ -0,0 +1,34 @@
+From c77f3fab441c3e466b4c3601a475fc31ce156b06 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Thu, 8 Oct 2015 20:23:33 +0200
+Subject: kvm: x86: set KVM_REQ_EVENT when updating IRR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+
+commit c77f3fab441c3e466b4c3601a475fc31ce156b06 upstream.
+
+After moving PIR to IRR, the interrupt needs to be delivered manually.
+
+Reported-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/lapic.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -348,6 +348,8 @@ void kvm_apic_update_irr(struct kvm_vcpu
+       struct kvm_lapic *apic = vcpu->arch.apic;
+       __kvm_apic_update_irr(pir, apic->regs);
++
++      kvm_make_request(KVM_REQ_EVENT, vcpu);
+ }
+ EXPORT_SYMBOL_GPL(kvm_apic_update_irr);
diff --git a/queue-4.3/kvm-x86-work-around-infinite-loop-in-microcode-when-ac-is-delivered.patch b/queue-4.3/kvm-x86-work-around-infinite-loop-in-microcode-when-ac-is-delivered.patch
new file mode 100644 (file)
index 0000000..4d00ba6
--- /dev/null
@@ -0,0 +1,87 @@
+From 54a20552e1eae07aa240fa370a0293e006b5faed Mon Sep 17 00:00:00 2001
+From: Eric Northup <digitaleric@google.com>
+Date: Tue, 3 Nov 2015 18:03:53 +0100
+Subject: KVM: x86: work around infinite loop in microcode when #AC is delivered
+
+From: Eric Northup <digitaleric@google.com>
+
+commit 54a20552e1eae07aa240fa370a0293e006b5faed upstream.
+
+It was found that a guest can DoS a host by triggering an infinite
+stream of "alignment check" (#AC) exceptions.  This causes the
+microcode to enter an infinite loop where the core never receives
+another interrupt.  The host kernel panics pretty quickly due to the
+effects (CVE-2015-5307).
+
+Signed-off-by: Eric Northup <digitaleric@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/uapi/asm/svm.h |    1 +
+ arch/x86/kvm/svm.c              |    8 ++++++++
+ arch/x86/kvm/vmx.c              |    5 ++++-
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/uapi/asm/svm.h
++++ b/arch/x86/include/uapi/asm/svm.h
+@@ -100,6 +100,7 @@
+       { SVM_EXIT_EXCP_BASE + UD_VECTOR,       "UD excp" }, \
+       { SVM_EXIT_EXCP_BASE + PF_VECTOR,       "PF excp" }, \
+       { SVM_EXIT_EXCP_BASE + NM_VECTOR,       "NM excp" }, \
++      { SVM_EXIT_EXCP_BASE + AC_VECTOR,       "AC excp" }, \
+       { SVM_EXIT_EXCP_BASE + MC_VECTOR,       "MC excp" }, \
+       { SVM_EXIT_INTR,        "interrupt" }, \
+       { SVM_EXIT_NMI,         "nmi" }, \
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -1107,6 +1107,7 @@ static void init_vmcb(struct vcpu_svm *s
+       set_exception_intercept(svm, PF_VECTOR);
+       set_exception_intercept(svm, UD_VECTOR);
+       set_exception_intercept(svm, MC_VECTOR);
++      set_exception_intercept(svm, AC_VECTOR);
+       set_intercept(svm, INTERCEPT_INTR);
+       set_intercept(svm, INTERCEPT_NMI);
+@@ -1795,6 +1796,12 @@ static int ud_interception(struct vcpu_s
+       return 1;
+ }
++static int ac_interception(struct vcpu_svm *svm)
++{
++      kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0);
++      return 1;
++}
++
+ static void svm_fpu_activate(struct kvm_vcpu *vcpu)
+ {
+       struct vcpu_svm *svm = to_svm(vcpu);
+@@ -3370,6 +3377,7 @@ static int (*const svm_exit_handlers[])(
+       [SVM_EXIT_EXCP_BASE + PF_VECTOR]        = pf_interception,
+       [SVM_EXIT_EXCP_BASE + NM_VECTOR]        = nm_interception,
+       [SVM_EXIT_EXCP_BASE + MC_VECTOR]        = mc_interception,
++      [SVM_EXIT_EXCP_BASE + AC_VECTOR]        = ac_interception,
+       [SVM_EXIT_INTR]                         = intr_interception,
+       [SVM_EXIT_NMI]                          = nmi_interception,
+       [SVM_EXIT_SMI]                          = nop_on_interception,
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1567,7 +1567,7 @@ static void update_exception_bitmap(stru
+       u32 eb;
+       eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) |
+-           (1u << NM_VECTOR) | (1u << DB_VECTOR);
++           (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR);
+       if ((vcpu->guest_debug &
+            (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) ==
+           (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP))
+@@ -5103,6 +5103,9 @@ static int handle_exception(struct kvm_v
+               return handle_rmode_exception(vcpu, ex_no, error_code);
+       switch (ex_no) {
++      case AC_VECTOR:
++              kvm_queue_exception_e(vcpu, AC_VECTOR, error_code);
++              return 1;
+       case DB_VECTOR:
+               dr6 = vmcs_readl(EXIT_QUALIFICATION);
+               if (!(vcpu->guest_debug &
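Review bot: Neither ac_interception() in svm.c nor the new `case AC_VECTOR:` in vmx.c's handle_exception says why an exception is intercepted only to be queued straight back into the guest, so the intercept reads as dead weight to a later maintainer. The reason exists only in the commit message: direct delivery of #AC lets a guest hang the core and panic the host (CVE-2015-5307). A comment on both handlers, e.g. `/* Intercept #AC and reinject it: direct delivery can wedge the core (CVE-2015-5307). Do not remove. */`, and one beside `(1u << AC_VECTOR)` in update_exception_bitmap, would protect the mitigation from cleanup. The SVM handler passes a literal 0 as the error code while the VMX path forwards `error_code`; the comment should say why the two differ. handle_exception continues outside the hunk.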
diff --git a/queue-4.3/kvm-x86-zero-efer-on-init.patch b/queue-4.3/kvm-x86-zero-efer-on-init.patch
new file mode 100644 (file)
index 0000000..0a66c27
--- /dev/null
@@ -0,0 +1,84 @@
+From 5690891bcec5fcfda38da974ffa5488e36a59811 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 19 Oct 2015 11:30:19 +0200
+Subject: kvm: x86: zero EFER on INIT
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 5690891bcec5fcfda38da974ffa5488e36a59811 upstream.
+
+Not zeroing EFER means that a 32-bit firmware cannot enter paging mode
+without clearing EFER.LME first (which it should not know about).
+Yang Zhang from Intel confirmed that the manual is wrong and EFER is
+cleared to zero on INIT.
+
+Fixes: d28bc9dd25ce023270d2e039e7c98d38ecbf7758
+Cc: Yang Z Zhang <yang.z.zhang@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/svm.c |   11 +++++------
+ arch/x86/kvm/vmx.c |    3 +--
+ 2 files changed, 6 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -1086,7 +1086,7 @@ static u64 svm_compute_tsc_offset(struct
+       return target_tsc - tsc;
+ }
+-static void init_vmcb(struct vcpu_svm *svm, bool init_event)
++static void init_vmcb(struct vcpu_svm *svm)
+ {
+       struct vmcb_control_area *control = &svm->vmcb->control;
+       struct vmcb_save_area *save = &svm->vmcb->save;
+@@ -1157,8 +1157,7 @@ static void init_vmcb(struct vcpu_svm *s
+       init_sys_seg(&save->ldtr, SEG_TYPE_LDT);
+       init_sys_seg(&save->tr, SEG_TYPE_BUSY_TSS16);
+-      if (!init_event)
+-              svm_set_efer(&svm->vcpu, 0);
++      svm_set_efer(&svm->vcpu, 0);
+       save->dr6 = 0xffff0ff0;
+       kvm_set_rflags(&svm->vcpu, 2);
+       save->rip = 0x0000fff0;
+@@ -1212,7 +1211,7 @@ static void svm_vcpu_reset(struct kvm_vc
+               if (kvm_vcpu_is_reset_bsp(&svm->vcpu))
+                       svm->vcpu.arch.apic_base |= MSR_IA32_APICBASE_BSP;
+       }
+-      init_vmcb(svm, init_event);
++      init_vmcb(svm);
+       kvm_cpuid(vcpu, &eax, &dummy, &dummy, &dummy);
+       kvm_register_write(vcpu, VCPU_REGS_RDX, eax);
+@@ -1268,7 +1267,7 @@ static struct kvm_vcpu *svm_create_vcpu(
+       clear_page(svm->vmcb);
+       svm->vmcb_pa = page_to_pfn(page) << PAGE_SHIFT;
+       svm->asid_generation = 0;
+-      init_vmcb(svm, false);
++      init_vmcb(svm);
+       svm_init_osvw(&svm->vcpu);
+@@ -1890,7 +1889,7 @@ static int shutdown_interception(struct
+        * so reinitialize it.
+        */
+       clear_page(svm->vmcb);
+-      init_vmcb(svm, false);
++      init_vmcb(svm);
+       kvm_run->exit_reason = KVM_EXIT_SHUTDOWN;
+       return 0;
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -4771,8 +4771,7 @@ static void vmx_vcpu_reset(struct kvm_vc
+       vmx_set_cr0(vcpu, cr0); /* enter rmode */
+       vmx->vcpu.arch.cr0 = cr0;
+       vmx_set_cr4(vcpu, 0);
+-      if (!init_event)
+-              vmx_set_efer(vcpu, 0);
++      vmx_set_efer(vcpu, 0);
+       vmx_fpu_activate(vcpu);
+       update_exception_bitmap(vcpu);
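Review bot: `svm_set_efer(&svm->vcpu, 0);` in init_vmcb and `vmx_set_efer(vcpu, 0);` in vmx_vcpu_reset are now unconditional with no comment, although the commit message says this deliberately departs from the manual. A line such as `/* EFER is cleared on INIT as well as on reset; the manual is wrong here (confirmed by Intel). */` above each call would keep the `if (!init_event)` guard from being restored by someone reading the documentation. vmx_vcpu_reset begins and ends outside its hunk.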
diff --git a/queue-4.3/mac80211-allow-null-chandef-in-tracing.patch b/queue-4.3/mac80211-allow-null-chandef-in-tracing.patch
new file mode 100644 (file)
index 0000000..1c77fcf
--- /dev/null
@@ -0,0 +1,42 @@
+From 254d3dfe445f94a764e399ca12e04365ac9413ed Mon Sep 17 00:00:00 2001
+From: Arik Nemtsov <arik@wizery.com>
+Date: Sun, 25 Oct 2015 10:59:41 +0200
+Subject: mac80211: allow null chandef in tracing
+
+From: Arik Nemtsov <arik@wizery.com>
+
+commit 254d3dfe445f94a764e399ca12e04365ac9413ed upstream.
+
+In TDLS channel-switch operations the chandef can sometimes be NULL.
+Avoid an oops in the trace code for these cases and just print a
+chandef full of zeros.
+
+Fixes: a7a6bdd0670fe ("mac80211: introduce TDLS channel switch ops")
+Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/trace.h |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/mac80211/trace.h
++++ b/net/mac80211/trace.h
+@@ -33,11 +33,11 @@
+                       __field(u32, chan_width)                                        \
+                       __field(u32, center_freq1)                                      \
+                       __field(u32, center_freq2)
+-#define CHANDEF_ASSIGN(c)                                                             \
+-                      __entry->control_freq = (c)->chan ? (c)->chan->center_freq : 0; \
+-                      __entry->chan_width = (c)->width;                               \
+-                      __entry->center_freq1 = (c)->center_freq1;                      \
+-                      __entry->center_freq2 = (c)->center_freq2;
++#define CHANDEF_ASSIGN(c)                                                     \
++                      __entry->control_freq = (c) ? ((c)->chan ? (c)->chan->center_freq : 0) : 0;     \
++                      __entry->chan_width = (c) ? (c)->width : 0;                     \
++                      __entry->center_freq1 = (c) ? (c)->center_freq1 : 0;            \
++                      __entry->center_freq2 = (c) ? (c)->center_freq2 : 0;
+ #define CHANDEF_PR_FMT        " control:%d MHz width:%d center: %d/%d MHz"
+ #define CHANDEF_PR_ARG        __entry->control_freq, __entry->chan_width,                     \
+                       __entry->center_freq1, __entry->center_freq2
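Review bot: CHANDEF_ASSIGN now expands `(c)` several times per use and nests two conditionals on its first line, which is harder to read than it needs to be. The first assignment can be flattened to `__entry->control_freq = ((c) && (c)->chan) ? (c)->chan->center_freq : 0; \` with the same result. Because the argument is evaluated repeatedly, a comment above the macro should state that callers must pass a side-effect-free expression and that a NULL chandef is recorded as all zeros.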
diff --git a/queue-4.3/mac80211-fix-divide-by-zero-when-noa-update.patch b/queue-4.3/mac80211-fix-divide-by-zero-when-noa-update.patch
new file mode 100644 (file)
index 0000000..47f4144
--- /dev/null
@@ -0,0 +1,49 @@
+From 519ee6918b91abdc4bc9720deae17599a109eb40 Mon Sep 17 00:00:00 2001
+From: "Janusz.Dziedzic@tieto.com" <Janusz.Dziedzic@tieto.com>
+Date: Tue, 27 Oct 2015 08:35:11 +0100
+Subject: mac80211: fix divide by zero when NOA update
+
+From: "Janusz.Dziedzic@tieto.com" <Janusz.Dziedzic@tieto.com>
+
+commit 519ee6918b91abdc4bc9720deae17599a109eb40 upstream.
+
+In case of one shot NOA the interval can be 0, catch that
+instead of potentially (depending on the driver) crashing
+like this:
+
+divide error: 0000 [#1] SMP
+[...]
+Call Trace:
+<IRQ>
+[<ffffffffc08e891c>] ieee80211_extend_absent_time+0x6c/0xb0 [mac80211]
+[<ffffffffc08e8a17>] ieee80211_update_p2p_noa+0xb7/0xe0 [mac80211]
+[<ffffffffc069cc30>] ath9k_p2p_ps_timer+0x170/0x190 [ath9k]
+[<ffffffffc070adf8>] ath_gen_timer_isr+0xc8/0xf0 [ath9k_hw]
+[<ffffffffc0691156>] ath9k_tasklet+0x296/0x2f0 [ath9k]
+[<ffffffff8107ad65>] tasklet_action+0xe5/0xf0
+[...]
+
+Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/util.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -2951,6 +2951,13 @@ ieee80211_extend_noa_desc(struct ieee802
+       if (end > 0)
+               return false;
++      /* One shot NOA  */
++      if (data->count[i] == 1)
++              return false;
++
++      if (data->desc[i].interval == 0)
++              return false;
++
+       /* End time is in the past, check for repetitions */
+       skip = DIV_ROUND_UP(-end, data->desc[i].interval);
+       if (data->count[i] < 255) {
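Review bot: The `interval == 0` guard added to ieee80211_extend_noa_desc has no comment tying it to `DIV_ROUND_UP(-end, data->desc[i].interval)` just below, and an unrelated comment sits between the two. Suggest `/* interval is the divisor below; zero would be a divide error */` above the guard. If the descriptor is parsed from received frames (not visible here), the comment should say so, because that makes the guard input validation rather than a driver workaround. The two early returns could also be folded into `if (data->count[i] == 1 || data->desc[i].interval == 0)`. The function starts and ends outside the hunk.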
diff --git a/queue-4.3/mac80211-fix-driver-rssi-event-calculations.patch b/queue-4.3/mac80211-fix-driver-rssi-event-calculations.patch
new file mode 100644 (file)
index 0000000..0c6e1e5
--- /dev/null
@@ -0,0 +1,33 @@
+From 8ec6d97871f37e4743678ea4a455bd59580aa0f4 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 28 Aug 2015 10:52:53 +0200
+Subject: mac80211: fix driver RSSI event calculations
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 8ec6d97871f37e4743678ea4a455bd59580aa0f4 upstream.
+
+The ifmgd->ave_beacon_signal value cannot be taken as is for
+comparisons, it must be divided by since it's represented
+like that for better accuracy of the EWMA calculations. This
+would lead to invalid driver RSSI events. Fix the used value.
+
+Fixes: 615f7b9bb1f8 ("mac80211: add driver RSSI threshold events")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mlme.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -3391,7 +3391,7 @@ static void ieee80211_rx_mgmt_beacon(str
+       if (ifmgd->rssi_min_thold != ifmgd->rssi_max_thold &&
+           ifmgd->count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT) {
+-              int sig = ifmgd->ave_beacon_signal;
++              int sig = ifmgd->ave_beacon_signal / 16;
+               int last_sig = ifmgd->last_ave_beacon_signal;
+               struct ieee80211_event event = {
+                       .type = RSSI_EVENT,
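Review bot: The bare `/ 16` in ieee80211_rx_mgmt_beacon is a magic number whose meaning lives only in the commit message (the average is stored scaled for EWMA accuracy). A comment such as `/* ave_beacon_signal is kept multiplied by 16 for EWMA precision */`, or a named constant shared with the code that applies the scaling, would keep the two in step; whether such a constant already exists is not visible here. `last_sig` on the next line is read without the division, so it is worth confirming that last_ave_beacon_signal is stored unscaled. The function continues outside the hunk.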
diff --git a/queue-4.3/mac80211-fix-local-deauth-while-associating.patch b/queue-4.3/mac80211-fix-local-deauth-while-associating.patch
new file mode 100644 (file)
index 0000000..5e2a235
--- /dev/null
@@ -0,0 +1,50 @@
+From a64cba3c5330704a034bd3179270b8d04daf6987 Mon Sep 17 00:00:00 2001
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Date: Sun, 25 Oct 2015 10:59:38 +0200
+Subject: mac80211: Fix local deauth while associating
+
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+
+commit a64cba3c5330704a034bd3179270b8d04daf6987 upstream.
+
+Local request to deauthenticate wasn't handled while associating, thus
+the association could continue even when the user space required to
+disconnect.
+
+Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mlme.c |   19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -5028,6 +5028,25 @@ int ieee80211_mgd_deauth(struct ieee8021
+               return 0;
+       }
++      if (ifmgd->assoc_data &&
++          ether_addr_equal(ifmgd->assoc_data->bss->bssid, req->bssid)) {
++              sdata_info(sdata,
++                         "aborting association with %pM by local choice (Reason: %u=%s)\n",
++                         req->bssid, req->reason_code,
++                         ieee80211_get_reason_code_string(req->reason_code));
++
++              drv_mgd_prepare_tx(sdata->local, sdata);
++              ieee80211_send_deauth_disassoc(sdata, req->bssid,
++                                             IEEE80211_STYPE_DEAUTH,
++                                             req->reason_code, tx,
++                                             frame_buf);
++              ieee80211_destroy_assoc_data(sdata, false);
++              ieee80211_report_disconnect(sdata, frame_buf,
++                                          sizeof(frame_buf), true,
++                                          req->reason_code);
++              return 0;
++      }
++
+       if (ifmgd->associated &&
+           ether_addr_equal(ifmgd->associated->bssid, req->bssid)) {
+               sdata_info(sdata,
diff --git a/queue-4.3/mfd-twl6040-fix-deferred-probe-handling-for-clk32k.patch b/queue-4.3/mfd-twl6040-fix-deferred-probe-handling-for-clk32k.patch
new file mode 100644 (file)
index 0000000..1027b69
--- /dev/null
@@ -0,0 +1,46 @@
+From 75c08f17ec87c2d742487bb87408d6feebc526bd Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Fri, 18 Sep 2015 09:29:04 -0700
+Subject: mfd: twl6040: Fix deferred probe handling for clk32k
+
+From: Tony Lindgren <tony@atomide.com>
+
+commit 75c08f17ec87c2d742487bb87408d6feebc526bd upstream.
+
+Commit 68bab8662f49 ("mfd: twl6040: Optional clk32k clock handling")
+added clock handling for the 32k clock from palmas-clk. However, that
+patch did not consider a typical situation where twl6040 is built-in,
+and palmas-clk is a loadable module like we have in omap2plus_defconfig.
+
+If palmas-clk is not loaded before twl6040 probes, we will get a
+"clk32k is not handled" warning during booting. This means that any
+drivers relying on this clock will mysteriously fail, including
+omap5-uevm WLAN and audio.
+
+Note that for WLAN, we probably should also eventually get
+the clk32kgaudio for MMC3 directly as that's shared between
+audio and WLAN SDIO at least for omap5-uevm. It seems the
+WLAN chip cannot get it as otherwise MMC3 won't get properly
+probed.
+
+Fixes: 68bab8662f49 ("mfd: twl6040: Optional clk32k clock handling")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Reviewed-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/twl6040.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mfd/twl6040.c
++++ b/drivers/mfd/twl6040.c
+@@ -647,6 +647,8 @@ static int twl6040_probe(struct i2c_clie
+       twl6040->clk32k = devm_clk_get(&client->dev, "clk32k");
+       if (IS_ERR(twl6040->clk32k)) {
++              if (PTR_ERR(twl6040->clk32k) == -EPROBE_DEFER)
++                      return -EPROBE_DEFER;
+               dev_info(&client->dev, "clk32k is not handled\n");
+               twl6040->clk32k = NULL;
+       }
diff --git a/queue-4.3/mips-ath79-fix-the-ddr-control-initialization-on-ar71xx-and-ar934x.patch b/queue-4.3/mips-ath79-fix-the-ddr-control-initialization-on-ar71xx-and-ar934x.patch
new file mode 100644 (file)
index 0000000..b33c5e4
--- /dev/null
@@ -0,0 +1,41 @@
+From 5011a7e808c9fec643d752c5a495a48f27268a48 Mon Sep 17 00:00:00 2001
+From: Alban Bedel <albeu@free.fr>
+Date: Tue, 17 Nov 2015 09:40:07 +0100
+Subject: MIPS: ath79: Fix the DDR control initialization on ar71xx and ar934x
+
+From: Alban Bedel <albeu@free.fr>
+
+commit 5011a7e808c9fec643d752c5a495a48f27268a48 upstream.
+
+The DDR control initialization needs to know the SoC type, however
+ath79_detect_sys_type() was called after ath79_ddr_ctrl_init().
+Reverse the order to fix the DDR control initialization on ar71xx and
+ar934x.
+
+Signed-off-by: Alban Bedel <albeu@free.fr>
+Cc: Felix Fietkau <nbd@openwrt.org>
+Cc: Qais Yousef <qais.yousef@imgtec.com>
+Cc: Andrew Bresticker <abrestic@chromium.org>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/11500/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/ath79/setup.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/ath79/setup.c
++++ b/arch/mips/ath79/setup.c
+@@ -216,9 +216,9 @@ void __init plat_mem_setup(void)
+                                          AR71XX_RESET_SIZE);
+       ath79_pll_base = ioremap_nocache(AR71XX_PLL_BASE,
+                                        AR71XX_PLL_SIZE);
++      ath79_detect_sys_type();
+       ath79_ddr_ctrl_init();
+-      ath79_detect_sys_type();
+       if (mips_machtype != ATH79_MACH_GENERIC_OF)
+               detect_memory_region(0, ATH79_MEM_SIZE_MIN, ATH79_MEM_SIZE_MAX);
diff --git a/queue-4.3/mips-cdmm-add-builtin_mips_cdmm_driver-macro.patch b/queue-4.3/mips-cdmm-add-builtin_mips_cdmm_driver-macro.patch
new file mode 100644 (file)
index 0000000..ab4cb3b
--- /dev/null
@@ -0,0 +1,46 @@
+From 1b4a5ddb127caf125e14551ebd334be1acf21805 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Tue, 6 Oct 2015 15:12:05 +0100
+Subject: MIPS: CDMM: Add builtin_mips_cdmm_driver() macro
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 1b4a5ddb127caf125e14551ebd334be1acf21805 upstream.
+
+Add helper macro builtin_mips_cdmm_driver() for builtin CDMM drivers
+that don't do anything special in init and have no exit. The
+module_mips_cdmm_driver() helper isn't really appropriate for drivers
+that can't be built as a module.
+
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jiri Slaby <jslaby@suse.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: http://patchwork.linux-mips.org/patch/11264/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/cdmm.h |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/mips/include/asm/cdmm.h
++++ b/arch/mips/include/asm/cdmm.h
+@@ -84,6 +84,17 @@ void mips_cdmm_driver_unregister(struct
+       module_driver(__mips_cdmm_driver, mips_cdmm_driver_register, \
+                       mips_cdmm_driver_unregister)
++/*
++ * builtin_mips_cdmm_driver() - Helper macro for drivers that don't do anything
++ * special in init and have no exit. This eliminates some boilerplate. Each
++ * driver may only use this macro once, and calling it replaces device_initcall
++ * (or in some cases, the legacy __initcall). This is meant to be a direct
++ * parallel of module_mips_cdmm_driver() above but without the __exit stuff that
++ * is not used for builtin cases.
++ */
++#define builtin_mips_cdmm_driver(__mips_cdmm_driver) \
++      builtin_driver(__mips_cdmm_driver, mips_cdmm_driver_register)
++
+ /* drivers/tty/mips_ejtag_fdc.c */
+ #ifdef CONFIG_MIPS_EJTAG_FDC_EARLYCON
diff --git a/queue-4.3/mips-kvm-fix-asid-restoration-logic.patch b/queue-4.3/mips-kvm-fix-asid-restoration-logic.patch
new file mode 100644 (file)
index 0000000..db545c1
--- /dev/null
@@ -0,0 +1,64 @@
+From 002374f371bd02df864cce1fe85d90dc5b292837 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Wed, 11 Nov 2015 14:21:18 +0000
+Subject: MIPS: KVM: Fix ASID restoration logic
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 002374f371bd02df864cce1fe85d90dc5b292837 upstream.
+
+ASID restoration on guest resume should determine the guest execution
+mode based on the guest Status register rather than bit 30 of the guest
+PC.
+
+Fix the two places in locore.S that do this, loading the guest status
+from the cop0 area. Note, this assembly is specific to the trap &
+emulate implementation of KVM, so it doesn't need to check the
+supervisor bit as that mode is not implemented in the guest.
+
+Fixes: b680f70fc111 ("KVM/MIPS32: Entry point for trampolining to...")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Gleb Natapov <gleb@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kvm/locore.S |   16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/arch/mips/kvm/locore.S
++++ b/arch/mips/kvm/locore.S
+@@ -165,9 +165,11 @@ FEXPORT(__kvm_mips_vcpu_run)
+ FEXPORT(__kvm_mips_load_asid)
+       /* Set the ASID for the Guest Kernel */
+-      INT_SLL t0, t0, 1       /* with kseg0 @ 0x40000000, kernel */
+-                              /* addresses shift to 0x80000000 */
+-      bltz    t0, 1f          /* If kernel */
++      PTR_L   t0, VCPU_COP0(k1)
++      LONG_L  t0, COP0_STATUS(t0)
++      andi    t0, KSU_USER | ST0_ERL | ST0_EXL
++      xori    t0, KSU_USER
++      bnez    t0, 1f          /* If kernel */
+        INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID  /* (BD)  */
+       INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID    /* else user */
+ 1:
+@@ -482,9 +484,11 @@ __kvm_mips_return_to_guest:
+       mtc0    t0, CP0_EPC
+       /* Set the ASID for the Guest Kernel */
+-      INT_SLL t0, t0, 1       /* with kseg0 @ 0x40000000, kernel */
+-                              /* addresses shift to 0x80000000 */
+-      bltz    t0, 1f          /* If kernel */
++      PTR_L   t0, VCPU_COP0(k1)
++      LONG_L  t0, COP0_STATUS(t0)
++      andi    t0, KSU_USER | ST0_ERL | ST0_EXL
++      xori    t0, KSU_USER
++      bnez    t0, 1f          /* If kernel */
+        INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID  /* (BD)  */
+       INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID    /* else user */
+ 1:
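Review bot: The comment kept above both rewritten sequences, `/* Set the ASID for the Guest Kernel */`, no longer says how the mode is chosen, and the same five instructions are now duplicated in `__kvm_mips_load_asid` and `__kvm_mips_return_to_guest`. A line such as `/* user ASID only if KSU == user and EXL == ERL == 0 in the guest Status; otherwise guest kernel */` before the `PTR_L` would make the `andi`/`xori`/`bnez` test readable without decoding the masks. Because this decision selects which address space the guest resumes in, moving the sequence into one assembler macro would keep the two copies from drifting apart. Both routines start and end outside the lines shown.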
diff --git a/queue-4.3/mips-kvm-fix-cache-immediate-offset-sign-extension.patch b/queue-4.3/mips-kvm-fix-cache-immediate-offset-sign-extension.patch
new file mode 100644 (file)
index 0000000..48859ad
--- /dev/null
@@ -0,0 +1,38 @@
+From c5c2a3b998f1ff5a586f9d37e154070b8d550d17 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Wed, 11 Nov 2015 14:21:19 +0000
+Subject: MIPS: KVM: Fix CACHE immediate offset sign extension
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit c5c2a3b998f1ff5a586f9d37e154070b8d550d17 upstream.
+
+The immediate field of the CACHE instruction is signed, so ensure that
+it gets sign extended by casting it to an int16_t rather than just
+masking the low 16 bits.
+
+Fixes: e685c689f3a8 ("KVM/MIPS32: Privileged instruction/target branch emulation.")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Gleb Natapov <gleb@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kvm/emulate.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kvm/emulate.c
++++ b/arch/mips/kvm/emulate.c
+@@ -1581,7 +1581,7 @@ enum emulation_result kvm_mips_emulate_c
+       base = (inst >> 21) & 0x1f;
+       op_inst = (inst >> 16) & 0x1f;
+-      offset = inst & 0xffff;
++      offset = (int16_t)inst;
+       cache = (inst >> 16) & 0x3;
+       op = (inst >> 18) & 0x7;
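Review bot: The new line `offset = (int16_t)inst;` relies on a narrowing cast to do the sign extension, which a later reader can easily mistake for an accidental truncation. A short comment such as `/* CACHE immediate is signed: sign-extend bits 15..0 */` would make the intent explicit. The declaration of `offset` is outside the hunk; the fix only works as described if it is a signed type at least as wide as the address arithmetic it feeds, so that is worth confirming.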
diff --git a/queue-4.3/mips-kvm-uninit-vcpu-in-vcpu_create-error-path.patch b/queue-4.3/mips-kvm-uninit-vcpu-in-vcpu_create-error-path.patch
new file mode 100644 (file)
index 0000000..9ba4e68
--- /dev/null
@@ -0,0 +1,48 @@
+From 585bb8f9a5e592f2ce7abbe5ed3112d5438d2754 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Wed, 11 Nov 2015 14:21:20 +0000
+Subject: MIPS: KVM: Uninit VCPU in vcpu_create error path
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 585bb8f9a5e592f2ce7abbe5ed3112d5438d2754 upstream.
+
+If either of the memory allocations in kvm_arch_vcpu_create() fail, the
+vcpu which has been allocated and kvm_vcpu_init'd doesn't get uninit'd
+in the error handling path. Add a call to kvm_vcpu_uninit() to fix this.
+
+Fixes: 669e846e6c4e ("KVM/MIPS32: MIPS arch specific APIs for KVM")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Gleb Natapov <gleb@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kvm/mips.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/kvm/mips.c
++++ b/arch/mips/kvm/mips.c
+@@ -279,7 +279,7 @@ struct kvm_vcpu *kvm_arch_vcpu_create(st
+       if (!gebase) {
+               err = -ENOMEM;
+-              goto out_free_cpu;
++              goto out_uninit_cpu;
+       }
+       kvm_debug("Allocated %d bytes for KVM Exception Handlers @ %p\n",
+                 ALIGN(size, PAGE_SIZE), gebase);
+@@ -343,6 +343,9 @@ struct kvm_vcpu *kvm_arch_vcpu_create(st
+ out_free_gebase:
+       kfree(gebase);
++out_uninit_cpu:
++      kvm_vcpu_uninit(vcpu);
++
+ out_free_cpu:
+       kfree(vcpu);
diff --git a/queue-4.3/mips-lantiq-add-clk_round_rate.patch b/queue-4.3/mips-lantiq-add-clk_round_rate.patch
new file mode 100644 (file)
index 0000000..be49489
--- /dev/null
@@ -0,0 +1,52 @@
+From 4e7d30dba493b60a80e9b590add1b4402265cc83 Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Sun, 25 Oct 2015 23:21:42 +0100
+Subject: MIPS: lantiq: add clk_round_rate()
+
+From: Hauke Mehrtens <hauke@hauke-m.de>
+
+commit 4e7d30dba493b60a80e9b590add1b4402265cc83 upstream.
+
+This adds a basic implementation of clk_round_rate()
+The clk_round_rate() function is called by multiple drivers and
+subsystems now and the lantiq clk driver is supposed to export this,
+but doesn't do so, this causes linking problems like this one:
+ERROR: "clk_round_rate" [drivers/media/v4l2-core/videodev.ko] undefined!
+
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Acked-by: John Crispin <blogic@openwrt.org>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/11358/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/lantiq/clk.c |   17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/arch/mips/lantiq/clk.c
++++ b/arch/mips/lantiq/clk.c
+@@ -99,6 +99,23 @@ int clk_set_rate(struct clk *clk, unsign
+ }
+ EXPORT_SYMBOL(clk_set_rate);
++long clk_round_rate(struct clk *clk, unsigned long rate)
++{
++      if (unlikely(!clk_good(clk)))
++              return 0;
++      if (clk->rates && *clk->rates) {
++              unsigned long *r = clk->rates;
++
++              while (*r && (*r != rate))
++                      r++;
++              if (!*r) {
++                      return clk->rate;
++              }
++      }
++      return rate;
++}
++EXPORT_SYMBOL(clk_round_rate);
++
+ int clk_enable(struct clk *clk)
+ {
+       if (unlikely(!clk_good(clk)))
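Review bot: `clk_round_rate()` is exported with no comment on its contract, and what it does is not rounding: a rate that is missing from `clk->rates` yields the current `clk->rate`, and a clock without a rate table hands the requested rate back unchanged. A short kernel-doc block above the function saying so would help. It should also state that an invalid clk returns 0 even though the `long` return type leaves room for a negative errno, since callers otherwise have to guess. The braces around the single statement `return clk->rate;` can be dropped to match the surrounding style.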
diff --git a/queue-4.3/mwifiex-avoid-memsetting-pcie-event-buffer.patch b/queue-4.3/mwifiex-avoid-memsetting-pcie-event-buffer.patch
new file mode 100644 (file)
index 0000000..6d4c2de
--- /dev/null
@@ -0,0 +1,36 @@
+From 14d9c11c91a606fed65eaae2455423a23bb4ae59 Mon Sep 17 00:00:00 2001
+From: Amitkumar Karwar <akarwar@marvell.com>
+Date: Fri, 18 Sep 2015 06:32:10 -0700
+Subject: mwifiex: avoid memsetting PCIe event buffer
+
+From: Amitkumar Karwar <akarwar@marvell.com>
+
+commit 14d9c11c91a606fed65eaae2455423a23bb4ae59 upstream.
+
+Preallocated PCIe buffer is being reused for all PCIe interface
+events. Physical address of the buffer is shared with firmware
+so that it can perform DMA on it. As event length is specified
+in the header, there should not be a problem if the buffer gets
+overwritten.
+We will save some cycles by avoiding memset everytime while
+submitting the buffer to firmware.
+
+Fixes: 2728cecdc7d6bf3d21(mwifiex: corrections in PCIe event skb)
+Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/pcie.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/wireless/mwifiex/pcie.c
++++ b/drivers/net/wireless/mwifiex/pcie.c
+@@ -1815,7 +1815,6 @@ static int mwifiex_pcie_event_complete(s
+       if (!card->evt_buf_list[rdptr]) {
+               skb_push(skb, INTF_HEADER_LEN);
+               skb_put(skb, MAX_EVENT_SIZE - skb->len);
+-              memset(skb->data, 0, MAX_EVENT_SIZE);
+               if (mwifiex_map_pci_memory(adapter, skb,
+                                          MAX_EVENT_SIZE,
+                                          PCI_DMA_FROMDEVICE))
diff --git a/queue-4.3/mwifiex-fix-mwifiex_rdeeprom_read.patch b/queue-4.3/mwifiex-fix-mwifiex_rdeeprom_read.patch
new file mode 100644 (file)
index 0000000..a13cbef
--- /dev/null
@@ -0,0 +1,79 @@
+From 1f9c6e1bc1ba5f8a10fcd6e99d170954d7c6d382 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 21 Sep 2015 19:19:53 +0300
+Subject: mwifiex: fix mwifiex_rdeeprom_read()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 1f9c6e1bc1ba5f8a10fcd6e99d170954d7c6d382 upstream.
+
+There were several bugs here.
+
+1)  The done label was in the wrong place so we didn't copy any
+    information out when there was no command given.
+
+2)  We were using PAGE_SIZE as the size of the buffer instead of
+    "PAGE_SIZE - pos".
+
+3)  snprintf() returns the number of characters that would have been
+    printed if there were enough space.  If there was not enough space
+    (and we had fixed the memory corruption bug #2) then it would result
+    in an information leak when we do simple_read_from_buffer().  I've
+    changed it to use scnprintf() instead.
+
+I also removed the initialization at the start of the function, because
+I thought it made the code a little more clear.
+
+Fixes: 5e6e3a92b9a4 ('wireless: mwifiex: initial commit for Marvell mwifiex driver')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Amitkumar Karwar <akarwar@marvell.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/debugfs.c |   14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/debugfs.c
++++ b/drivers/net/wireless/mwifiex/debugfs.c
+@@ -731,7 +731,7 @@ mwifiex_rdeeprom_read(struct file *file,
+               (struct mwifiex_private *) file->private_data;
+       unsigned long addr = get_zeroed_page(GFP_KERNEL);
+       char *buf = (char *) addr;
+-      int pos = 0, ret = 0, i;
++      int pos, ret, i;
+       u8 value[MAX_EEPROM_DATA];
+       if (!buf)
+@@ -739,7 +739,7 @@ mwifiex_rdeeprom_read(struct file *file,
+       if (saved_offset == -1) {
+               /* No command has been given */
+-              pos += snprintf(buf, PAGE_SIZE, "0");
++              pos = snprintf(buf, PAGE_SIZE, "0");
+               goto done;
+       }
+@@ -748,17 +748,17 @@ mwifiex_rdeeprom_read(struct file *file,
+                                 (u16) saved_bytes, value);
+       if (ret) {
+               ret = -EINVAL;
+-              goto done;
++              goto out_free;
+       }
+-      pos += snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes);
++      pos = snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes);
+       for (i = 0; i < saved_bytes; i++)
+-              pos += snprintf(buf + strlen(buf), PAGE_SIZE, "%d ", value[i]);
+-
+-      ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
++              pos += scnprintf(buf + pos, PAGE_SIZE - pos, "%d ", value[i]);
+ done:
++      ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
++out_free:
+       free_page(addr);
+       return ret;
+ }
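Review bot: The loop `for (i = 0; i < saved_bytes; i++)` indexes `u8 value[MAX_EEPROM_DATA]`, and nothing in the visible lines limits `saved_bytes` to `MAX_EEPROM_DATA`. If the code that sets it (outside these hunks) does not clamp it, the loop reads past the stack array and the bytes are then copied to user space by `simple_read_from_buffer()`. A guard before the loop would close that regardless of the setter: `if (saved_bytes < 0 || saved_bytes > MAX_EEPROM_DATA) { ret = -EINVAL; goto out_free; }`. The two remaining `snprintf()` calls cannot overflow a page with these short strings, but using `scnprintf()` for them as well would keep `pos` bounded by construction. The function begins outside the hunks shown.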
diff --git a/queue-4.3/mwifiex-fix-null-pointer-dereference-during-hidden-ssid-scan.patch b/queue-4.3/mwifiex-fix-null-pointer-dereference-during-hidden-ssid-scan.patch
new file mode 100644 (file)
index 0000000..b300bed
--- /dev/null
@@ -0,0 +1,38 @@
+From 17e524b1b60f4390d24a51d9524d1648cf5d1447 Mon Sep 17 00:00:00 2001
+From: Aniket Nagarnaik <aniketn@marvell.com>
+Date: Fri, 18 Sep 2015 06:32:09 -0700
+Subject: mwifiex: fix NULL pointer dereference during hidden SSID scan
+
+From: Aniket Nagarnaik <aniketn@marvell.com>
+
+commit 17e524b1b60f4390d24a51d9524d1648cf5d1447 upstream.
+
+This NULL pointer dereference is observed during suspend resume
+stress test. All pending commands are cancelled when system goes
+into suspend state. There a corner case in which host may receive
+response for last scan command after this and try to trigger extra
+active scan for hidden SSIDs.
+
+The issue is fixed by adding a NULL check to skip that extra scan.
+
+Fixes: 2375fa2b36feaf34 (mwifiex: fix unable to connect hidden SSID..)
+Signed-off-by: Aniket Nagarnaik <aniketn@marvell.com>
+Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/scan.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mwifiex/scan.c
++++ b/drivers/net/wireless/mwifiex/scan.c
+@@ -1889,7 +1889,7 @@ mwifiex_active_scan_req_for_passive_chan
+       u8 id = 0;
+       struct mwifiex_user_scan_cfg  *user_scan_cfg;
+-      if (adapter->active_scan_triggered) {
++      if (adapter->active_scan_triggered || !priv->scan_request) {
+               adapter->active_scan_triggered = false;
+               return 0;
+       }
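Review bot: The added `!priv->scan_request` test is a check-then-use. If the rest of the function (outside the hunk) dereferences `priv->scan_request` and the suspend path can clear it concurrently, the test narrows the window without closing it. No lock is visible around the check, so this needs confirming against whatever protects `scan_request`; if there is one, the pointer should be read once under it and the local copy tested and used. The early return also clears `active_scan_triggered` when it was taken only because `scan_request` was NULL, which deserves a one-line comment saying that is intended.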
diff --git a/queue-4.3/net-mvneta-fix-cpu_map-registers-initialisation.patch b/queue-4.3/net-mvneta-fix-cpu_map-registers-initialisation.patch
new file mode 100644 (file)
index 0000000..a236ea1
--- /dev/null
@@ -0,0 +1,40 @@
+From 2502d0ef272da7058ef303b849a2c8dc324c2e2e Mon Sep 17 00:00:00 2001
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+Date: Fri, 25 Sep 2015 18:09:35 +0200
+Subject: net: mvneta: Fix CPU_MAP registers initialisation
+
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+
+commit 2502d0ef272da7058ef303b849a2c8dc324c2e2e upstream.
+
+The CPU_MAP register is duplicated for each CPUs at different addresses,
+each instance being at a different address.
+
+However, the code so far was using CONFIG_NR_CPUS to initialise the CPU_MAP
+registers for each registers, while the SoCs embed at most 4 CPUs.
+
+This is especially an issue with multi_v7_defconfig, where CONFIG_NR_CPUS
+is currently set to 16, resulting in writes to registers that are not
+CPU_MAP.
+
+Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP network unit")
+Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/marvell/mvneta.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -949,7 +949,7 @@ static void mvneta_defaults_set(struct m
+       /* Set CPU queue access map - all CPUs have access to all RX
+        * queues and to all TX queues
+        */
+-      for (cpu = 0; cpu < CONFIG_NR_CPUS; cpu++)
++      for_each_present_cpu(cpu)
+               mvreg_write(pp, MVNETA_CPU_MAP(cpu),
+                           (MVNETA_CPU_RXQ_ACCESS_ALL_MASK |
+                            MVNETA_CPU_TXQ_ACCESS_ALL_MASK));
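Review bot: `for_each_present_cpu(cpu)` bounds the register writes by the present-CPU mask, not by the number of CPU_MAP instances the hardware has, which the commit message gives as at most 4. That holds on the SoCs this driver targets, but nothing in the loop states or enforces it, and the original bug was exactly a write past the last CPU_MAP register. A comment such as `/* one CPU_MAP register per present CPU; assumes the present mask never exceeds the hardware's CPU_MAP count */` would record the assumption. The multi-line `mvreg_write()` body would also read more safely inside braces.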
diff --git a/queue-4.3/net-mvneta-fix-error-path-for-building-skb.patch b/queue-4.3/net-mvneta-fix-error-path-for-building-skb.patch
new file mode 100644 (file)
index 0000000..872cb36
--- /dev/null
@@ -0,0 +1,49 @@
+From 26c17a179f3f64f92de6e837c14279a6431a7ab6 Mon Sep 17 00:00:00 2001
+From: Marcin Wojtas <mw@semihalf.com>
+Date: Mon, 30 Nov 2015 13:27:44 +0100
+Subject: net: mvneta: fix error path for building skb
+
+From: Marcin Wojtas <mw@semihalf.com>
+
+commit 26c17a179f3f64f92de6e837c14279a6431a7ab6 upstream.
+
+In the actual RX processing, there is same error path for both descriptor
+ring refilling and building skb fails. This is not correct, because after
+successful refill, the ring is already updated with newly allocated
+buffer. Then, in case of build_skb() fail, hitherto code left the original
+buffer unmapped.
+
+This patch fixes above situation by swapping error check of skb build with
+DMA-unmap of original buffer.
+
+Signed-off-by: Marcin Wojtas <mw@semihalf.com>
+Acked-by: Simon Guinot <simon.guinot@sequanux.org>
+Fixes a84e32894191 ("net: mvneta: fix refilling for Rx DMA buffers")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/marvell/mvneta.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -1533,12 +1533,16 @@ static int mvneta_rx(struct mvneta_port
+               }
+               skb = build_skb(data, pp->frag_size > PAGE_SIZE ? 0 : pp->frag_size);
+-              if (!skb)
+-                      goto err_drop_frame;
++              /* After refill old buffer has to be unmapped regardless
++               * the skb is successfully built or not.
++               */
+               dma_unmap_single(dev->dev.parent, phys_addr,
+                                MVNETA_RX_BUF_SIZE(pp->pkt_size), DMA_FROM_DEVICE);
++              if (!skb)
++                      goto err_drop_frame;
++
+               rcvd_pkts++;
+               rcvd_bytes += rx_bytes;
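Review bot: After this reordering, a failed `build_skb()` jumps to `err_drop_frame` with `data` already unmapped and already replaced in the ring by the refill, so nothing visible in the hunk still owns the old buffer. The `err_drop_frame` label is outside the lines shown; if it does not free `data`, each such failure leaks one receive buffer, and the branch should release it before the `goto`. The new comment would also read better as `/* After a successful refill the old buffer must be unmapped whether or not the skb could be built. */`.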
diff --git a/queue-4.3/nfc-nci-extract-pipe-value-using-nci_hcp_msg_get_pipe.patch b/queue-4.3/nfc-nci-extract-pipe-value-using-nci_hcp_msg_get_pipe.patch
new file mode 100644 (file)
index 0000000..9bfdf86
--- /dev/null
@@ -0,0 +1,40 @@
+From e65917b6d54f8b47d8293ea96adfa604fd46cf0d Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Sun, 25 Oct 2015 22:54:22 +0100
+Subject: NFC: nci: extract pipe value using NCI_HCP_MSG_GET_PIPE
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit e65917b6d54f8b47d8293ea96adfa604fd46cf0d upstream.
+
+When receiving data in nci_hci_msg_rx_work, extract pipe
+value using NCI_HCP_MSG_GET_PIPE macro.
+
+Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/nci/hci.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -402,7 +402,7 @@ static void nci_hci_msg_rx_work(struct w
+       u8 pipe, type, instruction;
+       while ((skb = skb_dequeue(&hdev->msg_rx_queue)) != NULL) {
+-              pipe = skb->data[0];
++              pipe = NCI_HCP_MSG_GET_PIPE(skb->data[0]);
+               skb_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN);
+               message = (struct nci_hcp_message *)skb->data;
+               type = NCI_HCP_MSG_GET_TYPE(message->header);
+@@ -439,7 +439,7 @@ void nci_hci_data_received_cb(void *cont
+       /* it's the last fragment. Does it need re-aggregation? */
+       if (skb_queue_len(&ndev->hci_dev->rx_hcp_frags)) {
+-              pipe = packet->header & NCI_HCI_FRAGMENT;
++              pipe = NCI_HCP_MSG_GET_PIPE(packet->header);
+               skb_queue_tail(&ndev->hci_dev->rx_hcp_frags, skb);
+               msg_len = 0;
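Review bot: In `nci_hci_msg_rx_work()` the new line reads `skb->data[0]`, and `message->header` is read right after the `skb_pull()`, without any visible check that the dequeued skb is long enough for both headers. These frames originate from the NFC controller, so a short one should be dropped rather than parsed, for example `if (skb->len < NCI_HCI_HCP_PACKET_HEADER_LEN + NCI_HCI_HCP_MESSAGE_HEADER_LEN) { kfree_skb(skb); continue; }` at the top of the loop. The queueing side may already guarantee this; it is not shown here. The loop body continues outside the hunk.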
diff --git a/queue-4.3/nfc-nci-fix-improper-management-of-hci-return-code.patch b/queue-4.3/nfc-nci-fix-improper-management-of-hci-return-code.patch
new file mode 100644 (file)
index 0000000..88e0b7e
--- /dev/null
@@ -0,0 +1,176 @@
+From d8cd37ed2fc871c66b4c79c59f651dc2cdf7091c Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Sun, 25 Oct 2015 22:54:21 +0100
+Subject: NFC: nci: Fix improper management of HCI return code
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit d8cd37ed2fc871c66b4c79c59f651dc2cdf7091c upstream.
+
+When sending HCI data over NCI, HCI return code is part
+of the NCI data. In order to get correctly the HCI return
+code, we assume the NCI communication is successful and
+extract the return code for the nci_hci functions return code.
+
+This is done because nci_to_errno does not match hci return
+code value.
+
+Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/nci/hci.c |   64 ++++++++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 48 insertions(+), 16 deletions(-)
+
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -101,6 +101,20 @@ struct nci_hcp_packet {
+ #define NCI_HCP_MSG_GET_CMD(header)  (header & 0x3f)
+ #define NCI_HCP_MSG_GET_PIPE(header) (header & 0x7f)
++static int nci_hci_result_to_errno(u8 result)
++{
++      switch (result) {
++      case NCI_HCI_ANY_OK:
++              return 0;
++      case NCI_HCI_ANY_E_REG_PAR_UNKNOWN:
++              return -EOPNOTSUPP;
++      case NCI_HCI_ANY_E_TIMEOUT:
++              return -ETIME;
++      default:
++              return -1;
++      }
++}
++
+ /* HCI core */
+ static void nci_hci_reset_pipes(struct nci_hci_dev *hdev)
+ {
+@@ -218,7 +232,8 @@ int nci_hci_send_cmd(struct nci_dev *nde
+                    const u8 *param, size_t param_len,
+                    struct sk_buff **skb)
+ {
+-      struct nci_conn_info    *conn_info;
++      struct nci_hcp_message *message;
++      struct nci_conn_info   *conn_info;
+       struct nci_data data;
+       int r;
+       u8 pipe = ndev->hci_dev->gate2pipe[gate];
+@@ -238,9 +253,15 @@ int nci_hci_send_cmd(struct nci_dev *nde
+       r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data,
+                       msecs_to_jiffies(NCI_DATA_TIMEOUT));
++      if (r == NCI_STATUS_OK) {
++              message = (struct nci_hcp_message *)conn_info->rx_skb->data;
++              r = nci_hci_result_to_errno(
++                      NCI_HCP_MSG_GET_CMD(message->header));
++              skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN);
+-      if (r == NCI_STATUS_OK && skb)
+-              *skb = conn_info->rx_skb;
++              if (!r && skb)
++                      *skb = conn_info->rx_skb;
++      }
+       return r;
+ }
+@@ -334,9 +355,6 @@ static void nci_hci_resp_received(struct
+       struct nci_conn_info    *conn_info;
+       u8 status = result;
+-      if (result != NCI_HCI_ANY_OK)
+-              goto exit;
+-
+       conn_info = ndev->hci_dev->conn_info;
+       if (!conn_info) {
+               status = NCI_STATUS_REJECTED;
+@@ -346,7 +364,7 @@ static void nci_hci_resp_received(struct
+       conn_info->rx_skb = skb;
+ exit:
+-      nci_req_complete(ndev, status);
++      nci_req_complete(ndev, NCI_STATUS_OK);
+ }
+ /* Receive hcp message for pipe, with type and cmd.
+@@ -401,7 +419,7 @@ void nci_hci_data_received_cb(void *cont
+ {
+       struct nci_dev *ndev = (struct nci_dev *)context;
+       struct nci_hcp_packet *packet;
+-      u8 pipe, type, instruction;
++      u8 pipe, type;
+       struct sk_buff *hcp_skb;
+       struct sk_buff *frag_skb;
+       int msg_len;
+@@ -440,7 +458,7 @@ void nci_hci_data_received_cb(void *cont
+               *skb_put(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN) = pipe;
+               skb_queue_walk(&ndev->hci_dev->rx_hcp_frags, frag_skb) {
+-                     msg_len = frag_skb->len - NCI_HCI_HCP_PACKET_HEADER_LEN;
++                      msg_len = frag_skb->len - NCI_HCI_HCP_PACKET_HEADER_LEN;
+                       memcpy(skb_put(hcp_skb, msg_len), frag_skb->data +
+                              NCI_HCI_HCP_PACKET_HEADER_LEN, msg_len);
+               }
+@@ -458,11 +476,10 @@ void nci_hci_data_received_cb(void *cont
+       packet = (struct nci_hcp_packet *)hcp_skb->data;
+       type = NCI_HCP_MSG_GET_TYPE(packet->message.header);
+       if (type == NCI_HCI_HCP_RESPONSE) {
+-              pipe = packet->header;
+-              instruction = NCI_HCP_MSG_GET_CMD(packet->message.header);
+-              skb_pull(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN +
+-                       NCI_HCI_HCP_MESSAGE_HEADER_LEN);
+-              nci_hci_hcp_message_rx(ndev, pipe, type, instruction, hcp_skb);
++              pipe = NCI_HCP_MSG_GET_PIPE(packet->header);
++              skb_pull(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN);
++              nci_hci_hcp_message_rx(ndev, pipe, type,
++                                     NCI_STATUS_OK, hcp_skb);
+       } else {
+               skb_queue_tail(&ndev->hci_dev->msg_rx_queue, hcp_skb);
+               schedule_work(&ndev->hci_dev->msg_rx_work);
+@@ -494,6 +511,7 @@ EXPORT_SYMBOL(nci_hci_open_pipe);
+ int nci_hci_set_param(struct nci_dev *ndev, u8 gate, u8 idx,
+                     const u8 *param, size_t param_len)
+ {
++      struct nci_hcp_message *message;
+       struct nci_conn_info *conn_info;
+       struct nci_data data;
+       int r;
+@@ -526,6 +544,12 @@ int nci_hci_set_param(struct nci_dev *nd
+       r = nci_request(ndev, nci_hci_send_data_req,
+                       (unsigned long)&data,
+                       msecs_to_jiffies(NCI_DATA_TIMEOUT));
++      if (r == NCI_STATUS_OK) {
++              message = (struct nci_hcp_message *)conn_info->rx_skb->data;
++              r = nci_hci_result_to_errno(
++                      NCI_HCP_MSG_GET_CMD(message->header));
++              skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN);
++      }
+       kfree(tmp);
+       return r;
+@@ -535,6 +559,7 @@ EXPORT_SYMBOL(nci_hci_set_param);
+ int nci_hci_get_param(struct nci_dev *ndev, u8 gate, u8 idx,
+                     struct sk_buff **skb)
+ {
++      struct nci_hcp_message *message;
+       struct nci_conn_info    *conn_info;
+       struct nci_data data;
+       int r;
+@@ -559,8 +584,15 @@ int nci_hci_get_param(struct nci_dev *nd
+       r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data,
+                       msecs_to_jiffies(NCI_DATA_TIMEOUT));
+-      if (r == NCI_STATUS_OK)
+-              *skb = conn_info->rx_skb;
++      if (r == NCI_STATUS_OK) {
++              message = (struct nci_hcp_message *)conn_info->rx_skb->data;
++              r = nci_hci_result_to_errno(
++                      NCI_HCP_MSG_GET_CMD(message->header));
++              skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN);
++
++              if (!r && skb)
++                      *skb = conn_info->rx_skb;
++      }
+       return r;
+ }
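Review bot: `nci_hci_resp_received()` now always calls `nci_req_complete(ndev, NCI_STATUS_OK)`, so the `NCI_STATUS_REJECTED` set when `conn_info` is NULL is never reported and `status` becomes dead. The three callers then read `conn_info->rx_skb->data` without checking that `rx_skb` was set for this request or that it holds at least `NCI_HCI_HCP_MESSAGE_HEADER_LEN` bytes. The response bytes come from the NFC controller, so a missing or short response should become an error instead of being parsed. The same block is repeated in `nci_hci_send_cmd()`, `nci_hci_set_param()` and `nci_hci_get_param()`; one helper, sketched below, would keep the check in a single place. The `default:` arm of `nci_hci_result_to_errno()` returns a bare `-1`, which callers will read as `-EPERM`; a named errno such as `-EPROTO` would be clearer.

```c
/* Proposed helper shared by nci_hci_send_cmd(), nci_hci_set_param()
 * and nci_hci_get_param(): validate the response before parsing it.
 */
static int nci_hci_rx_result(struct nci_conn_info *conn_info)
{
	struct sk_buff *rx = conn_info->rx_skb;
	u8 header;

	/* The response is device-supplied: never read a header that is not there. */
	if (!rx || rx->len < NCI_HCI_HCP_MESSAGE_HEADER_LEN)
		return -EPROTO;

	header = ((struct nci_hcp_message *)rx->data)->header;
	skb_pull(rx, NCI_HCI_HCP_MESSAGE_HEADER_LEN);

	return nci_hci_result_to_errno(NCI_HCP_MSG_GET_CMD(header));
}

	/* … unchanged: request setup and nci_request() call … */
	if (r == NCI_STATUS_OK) {
		r = nci_hci_rx_result(conn_info);
		if (!r && skb)
			*skb = conn_info->rx_skb;
	}
```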
diff --git a/queue-4.3/nfc-nci-fix-incorrect-data-chaining-when-sending-data.patch b/queue-4.3/nfc-nci-fix-incorrect-data-chaining-when-sending-data.patch
new file mode 100644 (file)
index 0000000..0bde242
--- /dev/null
@@ -0,0 +1,66 @@
+From 500c4ef02277eaadbfe20537f963b6221f6ac007 Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Sun, 25 Oct 2015 22:54:20 +0100
+Subject: NFC: nci: Fix incorrect data chaining when sending data
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit 500c4ef02277eaadbfe20537f963b6221f6ac007 upstream.
+
+When sending HCI data over NCI, cmd information should be
+present only on the first packet.
+Each packet shall be specifically allocated and sent to the
+NCI layer.
+
+Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/nci/hci.c |   20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -146,18 +146,18 @@ static int nci_hci_send_data(struct nci_
+       if (!conn_info)
+               return -EPROTO;
+-      skb = nci_skb_alloc(ndev, 2 + conn_info->max_pkt_payload_len +
++      i = 0;
++      skb = nci_skb_alloc(ndev, conn_info->max_pkt_payload_len +
+                           NCI_DATA_HDR_SIZE, GFP_KERNEL);
+       if (!skb)
+               return -ENOMEM;
+-      skb_reserve(skb, 2 + NCI_DATA_HDR_SIZE);
++      skb_reserve(skb, NCI_DATA_HDR_SIZE + 2);
+       *skb_push(skb, 1) = data_type;
+-      i = 0;
+-      len = conn_info->max_pkt_payload_len;
+-
+       do {
++              len = conn_info->max_pkt_payload_len;
++
+               /* If last packet add NCI_HFP_NO_CHAINING */
+               if (i + conn_info->max_pkt_payload_len -
+                   (skb->len + 1) >= data_len) {
+@@ -177,9 +177,15 @@ static int nci_hci_send_data(struct nci_
+                       return r;
+               i += len;
++
+               if (i < data_len) {
+-                      skb_trim(skb, 0);
+-                      skb_pull(skb, len);
++                      skb = nci_skb_alloc(ndev,
++                                          conn_info->max_pkt_payload_len +
++                                          NCI_DATA_HDR_SIZE, GFP_KERNEL);
++                      if (!skb)
++                              return -ENOMEM;
++
++                      skb_reserve(skb, NCI_DATA_HDR_SIZE + 1);
+               }
+       } while (i < data_len);
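Review bot: Nothing in these hunks checks that `conn_info->max_pkt_payload_len` is large enough for the bytes the code itself pushes, so the last-packet test `i + conn_info->max_pkt_payload_len - (skb->len + 1) >= data_len` can go negative or wrap when that value is smaller than `skb->len + 1`. The value appears to come from connection setup and should be treated as device-supplied; a guard before the first allocation such as `if (conn_info->max_pkt_payload_len < 2) return -EPROTO;` would keep the length arithmetic and the later copy inside the allocated skb. Separately, the `-ENOMEM` return inside the loop leaves a chained message half sent, which deserves a comment or an error path that tells the caller. The loop body between the two hunks is not visible here, so confirm the copy length against it.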
diff --git a/queue-4.3/nfc-st-nci-fix-incorrect-spi-buffer-size.patch b/queue-4.3/nfc-st-nci-fix-incorrect-spi-buffer-size.patch
new file mode 100644 (file)
index 0000000..eab4fac
--- /dev/null
@@ -0,0 +1,41 @@
+From a1269dd116319335db6d73013a31c038486c813e Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Sun, 25 Oct 2015 22:54:19 +0100
+Subject: NFC: st-nci: Fix incorrect spi buffer size
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit a1269dd116319335db6d73013a31c038486c813e upstream.
+
+When sending data over SPI, the maximum expected length is the maximum
+nci packet payload + data header size + the frame head room (1 for the
+ndlc header) + the frame trail room (0).
+
+Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nfc/st-nci/spi.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/nfc/st-nci/spi.c
++++ b/drivers/nfc/st-nci/spi.c
+@@ -25,6 +25,7 @@
+ #include <linux/interrupt.h>
+ #include <linux/delay.h>
+ #include <linux/nfc.h>
++#include <net/nfc/nci.h>
+ #include <linux/platform_data/st-nci.h>
+ #include "ndlc.h"
+@@ -94,7 +95,8 @@ static int st_nci_spi_write(void *phy_id
+       struct st_nci_spi_phy *phy = phy_id;
+       struct spi_device *dev = phy->spi_dev;
+       struct sk_buff *skb_rx;
+-      u8 buf[ST_NCI_SPI_MAX_SIZE];
++      u8 buf[ST_NCI_SPI_MAX_SIZE + NCI_DATA_HDR_SIZE +
++             ST_NCI_FRAME_HEADROOM + ST_NCI_FRAME_TAILROOM];
+       struct spi_transfer spi_xfer = {
+               .tx_buf = skb->data,
+               .rx_buf = buf,
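Review bot: `buf` is now sized from four constants, but the transfer length is set outside this hunk and nothing visible ties it to `sizeof(buf)`, so a frame longer than the assumed maximum could still let the SPI read overrun this stack array. If the length is taken from `skb->len`, as the `.tx_buf = skb->data` initialiser suggests, add `if (skb->len > sizeof(buf)) return -EINVAL;` before the transfer is built (the driver may prefer a different errno). It is also worth a comment on why a stack array is acceptable as `.rx_buf`, since SPI controllers that use DMA need DMA-safe buffers. st_nci_spi_write's body continues past the hunk.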
diff --git a/queue-4.3/nl80211-fix-potential-memory-leak-from-parse_acl_data.patch b/queue-4.3/nl80211-fix-potential-memory-leak-from-parse_acl_data.patch
new file mode 100644 (file)
index 0000000..ad28118
--- /dev/null
@@ -0,0 +1,50 @@
+From 4baf6bea37247e59f1971e8009d13aeda95edba2 Mon Sep 17 00:00:00 2001
+From: Ola Olsson <ola1olsson@gmail.com>
+Date: Thu, 29 Oct 2015 07:04:58 +0100
+Subject: nl80211: Fix potential memory leak from parse_acl_data
+
+From: Ola Olsson <ola1olsson@gmail.com>
+
+commit 4baf6bea37247e59f1971e8009d13aeda95edba2 upstream.
+
+If parse_acl_data succeeds but the subsequent parsing of smps
+attributes fails, there will be a memory leak due to early returns.
+Fix that by moving the ACL parsing later.
+
+Fixes: 18998c381b19b ("cfg80211: allow requesting SMPS mode on ap start")
+Signed-off-by: Ola Olsson <ola.olsson@sonymobile.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3409,12 +3409,6 @@ static int nl80211_start_ap(struct sk_bu
+                                          wdev->iftype))
+               return -EINVAL;
+-      if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
+-              params.acl = parse_acl_data(&rdev->wiphy, info);
+-              if (IS_ERR(params.acl))
+-                      return PTR_ERR(params.acl);
+-      }
+-
+       if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
+               params.smps_mode =
+                       nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
+@@ -3438,6 +3432,12 @@ static int nl80211_start_ap(struct sk_bu
+               params.smps_mode = NL80211_SMPS_OFF;
+       }
++      if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
++              params.acl = parse_acl_data(&rdev->wiphy, info);
++              if (IS_ERR(params.acl))
++                      return PTR_ERR(params.acl);
++      }
++
+       wdev_lock(wdev);
+       err = rdev_start_ap(rdev, dev, &params);
+       if (!err) {
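Review bot: The leak is avoided here only by statement order, and nothing at the new location says so; an early return added after this block later would bring it back. A comment on the moved block, for example `/* parse the ACL last: params.acl is allocated, so nothing below may return without freeing it */`, would record the constraint. A single exit label that frees `params.acl` would be sturdier still, but whether the function already frees it after `rdev_start_ap()` is outside this hunk.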
diff --git a/queue-4.3/pinctrl-qcom-ssbi-fix-compilation-with-debug_fs-n.patch b/queue-4.3/pinctrl-qcom-ssbi-fix-compilation-with-debug_fs-n.patch
new file mode 100644 (file)
index 0000000..8d3c1a2
--- /dev/null
@@ -0,0 +1,55 @@
+From 11091fb0a1227d569d09353e1ce1f88694a033dc Mon Sep 17 00:00:00 2001
+From: Jonas Gorski <jogo@openwrt.org>
+Date: Sun, 11 Oct 2015 17:39:31 +0200
+Subject: pinctrl: qcom: ssbi: fix compilation with DEBUG_FS=n
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonas Gorski <jogo@openwrt.org>
+
+commit 11091fb0a1227d569d09353e1ce1f88694a033dc upstream.
+
+The DEBUG_FS=n #defines for the dbg_show functions were missed when
+renaming the driver from msm_ to pm8xxx_, causing it to break the build
+when DEBUG_FS isn't enabled:
+
+  CC [M]  drivers/pinctrl/qcom/pinctrl-ssbi-gpio.o
+drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c:597:14: error: â€˜pm8xxx_gpio_dbg_show’ undeclared here (not in a function)
+  .dbg_show = pm8xxx_gpio_dbg_show,
+
+Fix this by renaming them correctly.
+
+Fixes: b4c45fe974bc ("pinctrl: qcom: ssbi: Family A gpio & mpp drivers")
+Signed-off-by: Jonas Gorski <jogo@openwrt.org>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@sonymobile.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c |    2 +-
+ drivers/pinctrl/qcom/pinctrl-ssbi-mpp.c  |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c
++++ b/drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c
+@@ -584,7 +584,7 @@ static void pm8xxx_gpio_dbg_show(struct
+ }
+ #else
+-#define msm_gpio_dbg_show NULL
++#define pm8xxx_gpio_dbg_show NULL
+ #endif
+ static struct gpio_chip pm8xxx_gpio_template = {
+--- a/drivers/pinctrl/qcom/pinctrl-ssbi-mpp.c
++++ b/drivers/pinctrl/qcom/pinctrl-ssbi-mpp.c
+@@ -639,7 +639,7 @@ static void pm8xxx_mpp_dbg_show(struct s
+ }
+ #else
+-#define msm_mpp_dbg_show NULL
++#define pm8xxx_mpp_dbg_show NULL
+ #endif
+ static struct gpio_chip pm8xxx_mpp_template = {
diff --git a/queue-4.3/pinctrl-uniphier-set-input-enable-before-pin-muxing.patch b/queue-4.3/pinctrl-uniphier-set-input-enable-before-pin-muxing.patch
new file mode 100644 (file)
index 0000000..0f890af
--- /dev/null
@@ -0,0 +1,63 @@
+From bac7f4c1bf5e7c6ccd5bb71edc015b26c77f7460 Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Tue, 20 Oct 2015 17:25:09 +0900
+Subject: pinctrl: uniphier: set input-enable before pin-muxing
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+commit bac7f4c1bf5e7c6ccd5bb71edc015b26c77f7460 upstream.
+
+While IECTRL is disabled, input signals are pulled-down internally.
+If pin-muxing is set up first, glitch signals (Low to High transition)
+might be input to hardware blocks.
+
+Bad case scenario:
+[1] The hardware block is already running before pinctrl is handled.
+   (the reset is de-asserted by default or by a firmware, for example)
+[2] The pin-muxing is set up.  The input signals to hardware block
+    are pulled-down by the chip-internal biasing.
+[3] The pins are input-enabled.  The signals from the board reach the
+    hardware block.
+
+Actually, one invalid character is input to the UART blocks for such
+SoCs as PH1-LD4, PH1-sLD8, where UART devices start to run at the
+power on reset.
+
+To avoid such problems, pins should be input-enabled before muxing.
+
+Fixes: 6e9088920258 ("pinctrl: UniPhier: add UniPhier pinctrl core support")
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Reported-by: Dai Okamura <okamura.dai@socionext.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/uniphier/pinctrl-uniphier-core.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/pinctrl/uniphier/pinctrl-uniphier-core.c
++++ b/drivers/pinctrl/uniphier/pinctrl-uniphier-core.c
+@@ -539,6 +539,12 @@ static int uniphier_pmx_set_one_mux(stru
+       unsigned reg, reg_end, shift, mask;
+       int ret;
++      /* some pins need input-enabling */
++      ret = uniphier_conf_pin_input_enable(pctldev,
++                                           &pctldev->desc->pins[pin], 1);
++      if (ret)
++              return ret;
++
+       reg = UNIPHIER_PINCTRL_PINMUX_BASE + pin * mux_bits / 32 * reg_stride;
+       reg_end = reg + reg_stride;
+       shift = pin * mux_bits % 32;
+@@ -563,9 +569,7 @@ static int uniphier_pmx_set_one_mux(stru
+                       return ret;
+       }
+-      /* some pins need input-enabling */
+-      return uniphier_conf_pin_input_enable(pctldev,
+-                                            &pctldev->desc->pins[pin], 1);
++      return 0;
+ }
+ static int uniphier_pmx_set_mux(struct pinctrl_dev *pctldev,
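Review bot: The comment `/* some pins need input-enabling */` moved with the call but does not say why the call must now come first, which is the whole point of the change. Something like `/* enable input before muxing: with IECTRL off the input is pulled low, so muxing first can feed a glitch to an already running block */` would stop the call being moved back during a later cleanup. Note also that a failure in the mux register update further down now returns with the pin already input-enabled; if that partial state matters it should be mentioned in the same comment.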
diff --git a/queue-4.3/revert-usb-dwc3-gadget-drop-unnecessary-loop-when-cleaning-up-trbs.patch b/queue-4.3/revert-usb-dwc3-gadget-drop-unnecessary-loop-when-cleaning-up-trbs.patch
new file mode 100644 (file)
index 0000000..fd813e1
--- /dev/null
@@ -0,0 +1,85 @@
+From d115d7050a0d2c4967532f18c9cb522fea6b7280 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Mon, 31 Aug 2015 19:48:28 +0300
+Subject: Revert "usb: dwc3: gadget: drop unnecessary loop when cleaning up TRBs"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+
+commit d115d7050a0d2c4967532f18c9cb522fea6b7280 upstream.
+
+This reverts commit 8f2c9544aba636134303105ecb164190a39dece4.
+
+As it breaks g_ether on my Baytrail FFRD8 device. Everything starts out
+fine, but after a bit of data has been transferred it just stops
+flowing.
+
+Note that I do get a bunch of these "NOHZ: local_softirq_pending 08"
+when booting the machine, but I'm not really sure if they're related
+to this problem.
+
+Cc: Felipe Balbi <balbi@ti.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: linux-usb@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/gadget.c |   37 +++++++++++++++++++++----------------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1872,27 +1872,32 @@ static int dwc3_cleanup_done_reqs(struct
+       unsigned int            i;
+       int                     ret;
+-      req = next_request(&dep->req_queued);
+-      if (!req) {
+-              WARN_ON_ONCE(1);
+-              return 1;
+-      }
+-      i = 0;
+       do {
+-              slot = req->start_slot + i;
+-              if ((slot == DWC3_TRB_NUM - 1) &&
++              req = next_request(&dep->req_queued);
++              if (!req) {
++                      WARN_ON_ONCE(1);
++                      return 1;
++              }
++              i = 0;
++              do {
++                      slot = req->start_slot + i;
++                      if ((slot == DWC3_TRB_NUM - 1) &&
+                               usb_endpoint_xfer_isoc(dep->endpoint.desc))
+-                      slot++;
+-              slot %= DWC3_TRB_NUM;
+-              trb = &dep->trb_pool[slot];
++                              slot++;
++                      slot %= DWC3_TRB_NUM;
++                      trb = &dep->trb_pool[slot];
++
++                      ret = __dwc3_cleanup_done_trbs(dwc, dep, req, trb,
++                                      event, status);
++                      if (ret)
++                              break;
++              } while (++i < req->request.num_mapped_sgs);
++
++              dwc3_gadget_giveback(dep, req, status);
+-              ret = __dwc3_cleanup_done_trbs(dwc, dep, req, trb,
+-                              event, status);
+               if (ret)
+                       break;
+-      } while (++i < req->request.num_mapped_sgs);
+-
+-      dwc3_gadget_giveback(dep, req, status);
++      } while (1);
+       if (usb_endpoint_xfer_isoc(dep->endpoint.desc) &&
+                       list_empty(&dep->req_queued)) {
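Review bot: With the outer `do { ... } while (1)` restored, the only exits are a non-zero `ret` and the `!req` branch, and the latter fires `WARN_ON_ONCE(1)`. Unless `__dwc3_cleanup_done_trbs()` always returns non-zero for the final TRB of the last queued request, which is not visible in this hunk, draining the queue would end in that warning on what looks like a normal completion. A short comment above the loop stating which return value is expected to end it would make the termination condition explicit. dwc3_cleanup_done_reqs starts before and continues after the hunk.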
diff --git a/queue-4.3/s390-kernel-fix-ptrace-peek-poke-for-floating-point-registers.patch b/queue-4.3/s390-kernel-fix-ptrace-peek-poke-for-floating-point-registers.patch
new file mode 100644 (file)
index 0000000..c5bfb04
--- /dev/null
@@ -0,0 +1,63 @@
+From 55a423b6f105fa323168f15f4bb67f23b21da44e Mon Sep 17 00:00:00 2001
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Date: Tue, 27 Oct 2015 13:13:38 +0100
+Subject: s390/kernel: fix ptrace peek/poke for floating point registers
+
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+
+commit 55a423b6f105fa323168f15f4bb67f23b21da44e upstream.
+
+git commit 155e839a814834a3b4b31e729f4716e59d3d2dd4
+"s390/kernel: dynamically allocate FP register save area"
+introduced a regression in regard to ptrace.
+
+If the vector register extension is not present or unused the
+ptrace peek of a floating pointer register return incorrect data
+and the ptrace poke to a floating pointer register overwrites the
+task structure starting at task->thread.fpu.fprs.
+
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/ptrace.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -244,7 +244,7 @@ static unsigned long __peek_user(struct
+                              ((addr_t) child->thread.fpu.vxrs + 2*offset);
+               else
+                       tmp = *(addr_t *)
+-                             ((addr_t) &child->thread.fpu.fprs + offset);
++                             ((addr_t) child->thread.fpu.fprs + offset);
+       } else if (addr < (addr_t) (&dummy->regs.per_info + 1)) {
+               /*
+@@ -388,7 +388,7 @@ static int __poke_user(struct task_struc
+                               child->thread.fpu.vxrs + 2*offset) = data;
+               else
+                       *(addr_t *)((addr_t)
+-                              &child->thread.fpu.fprs + offset) = data;
++                              child->thread.fpu.fprs + offset) = data;
+       } else if (addr < (addr_t) (&dummy->regs.per_info + 1)) {
+               /*
+@@ -622,7 +622,7 @@ static u32 __peek_user_compat(struct tas
+                              ((addr_t) child->thread.fpu.vxrs + 2*offset);
+               else
+                       tmp = *(__u32 *)
+-                             ((addr_t) &child->thread.fpu.fprs + offset);
++                             ((addr_t) child->thread.fpu.fprs + offset);
+       } else if (addr < (addr_t) (&dummy32->regs.per_info + 1)) {
+               /*
+@@ -747,7 +747,7 @@ static int __poke_user_compat(struct tas
+                               child->thread.fpu.vxrs + 2*offset) = tmp;
+               else
+                       *(__u32 *)((addr_t)
+-                              &child->thread.fpu.fprs + offset) = tmp;
++                              child->thread.fpu.fprs + offset) = tmp;
+       } else if (addr < (addr_t) (&dummy32->regs.per_info + 1)) {
+               /*
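Review bot: The stray `&` survived the conversion to a dynamically allocated save area because every one of these accesses goes through an `(addr_t)` cast, which hides the operand's type from the compiler; the same expression is repeated in __peek_user, __poke_user, __peek_user_compat and __poke_user_compat. Folding it into one small helper that returns `(char *)child->thread.fpu.fprs + offset` would leave a single place to get right and to bounds-check. The range check on `offset` lies outside these hunks, so it is worth confirming that it still matches the size of the allocated area, since the poke paths write at an offset that apparently derives from the ptrace caller's address argument.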
diff --git a/queue-4.3/s390-pci-reshuffle-struct-used-to-write-debug-data.patch b/queue-4.3/s390-pci-reshuffle-struct-used-to-write-debug-data.patch
new file mode 100644 (file)
index 0000000..a6f624f
--- /dev/null
@@ -0,0 +1,42 @@
+From 7cc8944e13c73374b6f33b39ca24c0891c87b077 Mon Sep 17 00:00:00 2001
+From: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Date: Fri, 9 Oct 2015 11:07:06 +0200
+Subject: s390/pci: reshuffle struct used to write debug data
+
+From: Sebastian Ott <sebott@linux.vnet.ibm.com>
+
+commit 7cc8944e13c73374b6f33b39ca24c0891c87b077 upstream.
+
+zpci_err_insn writes stale stack content to the debugfs.
+
+Ensure that the struct in zpci_err_insn is ordered in a way that
+we don't have uninitialized holes in it. In addition to that
+add the packed attribute.
+
+Fixes: 3d8258e (s390/pci: move debug messages to debugfs)
+Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Reviewed-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/pci/pci_insn.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/s390/pci/pci_insn.c
++++ b/arch/s390/pci/pci_insn.c
+@@ -16,11 +16,11 @@
+ static inline void zpci_err_insn(u8 cc, u8 status, u64 req, u64 offset)
+ {
+       struct {
+-              u8 cc;
+-              u8 status;
+               u64 req;
+               u64 offset;
+-      } data = {cc, status, req, offset};
++              u8 cc;
++              u8 status;
++      } __packed data = {req, offset, cc, status};
+       zpci_err_hex(&data, sizeof(data));
+ }
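Review bot: The initialiser `{req, offset, cc, status}` is positional, so it had to be reordered by hand together with the members, and a future reorder that misses it would still compile because all four values convert between `u8` and `u64` silently. Designated initialisers remove that coupling: `} __packed data = { .req = req, .offset = offset, .cc = cc, .status = status };`. A one-line comment that the layout is chosen so that no padding bytes reach `zpci_err_hex()` would also explain why `__packed` is there.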
index 2923a712def1249b040ba38f82e1bf564ccf9538..ad6bbd2c6f70b8f2b0fc6ca41444e06ecf1d159c 100644 (file)
@@ -28,3 +28,76 @@ arm-dts-add-vbus-regulator-to-usb2-phy-nodes-on-exynos3250-exynos4210-and-exynos
 arm-dts-fix-wlan-regression-on-omap5-uevm.patch
 arm-dts-sun6i-hummingbird-fix-vdd-cpu-and-vdd-gpu.patch
 arm-pxa-remove-incorrect-__init-annotation-on-pxa27x_set_pwrmode.patch
+mips-lantiq-add-clk_round_rate.patch
+mips-cdmm-add-builtin_mips_cdmm_driver-macro.patch
+mips-ath79-fix-the-ddr-control-initialization-on-ar71xx-and-ar934x.patch
+mips-kvm-fix-asid-restoration-logic.patch
+mips-kvm-fix-cache-immediate-offset-sign-extension.patch
+mips-kvm-uninit-vcpu-in-vcpu_create-error-path.patch
+kvm-x86-set-kvm_req_event-when-updating-irr.patch
+kvm-x86-zero-efer-on-init.patch
+kvm-x86-add-read_phys-to-x86_emulate_ops.patch
+kvm-x86-handle-smbase-as-physical-address-in-rsm.patch
+kvm-x86-allow-rsm-from-64-bit-mode.patch
+kvm-x86-obey-kvm_x86_quirk_cd_nw_cleared-in-kvm_set_cr0.patch
+kvm-x86-work-around-infinite-loop-in-microcode-when-ac-is-delivered.patch
+x86-setup-fix-low-identity-map-for-2gb-kernel-range.patch
+x86-irq-probe-for-pic-presence-before-allocating-descs-for-legacy-irqs.patch
+x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch
+x86-cpu-fix-smap-check-in-pvops-environments.patch
+x86-fpu-fix-get_xsave_addr-behavior-under-virtualization.patch
+x86-fpu-fix-32-bit-signal-frame-handling.patch
+x86-mpx-do-proper-get_user-when-running-32-bit-binaries-on-64-bit-kernels.patch
+x86-mpx-fix-32-bit-address-space-calculation.patch
+mac80211-fix-local-deauth-while-associating.patch
+mac80211-fix-driver-rssi-event-calculations.patch
+mac80211-allow-null-chandef-in-tracing.patch
+mac80211-fix-divide-by-zero-when-noa-update.patch
+nl80211-fix-potential-memory-leak-from-parse_acl_data.patch
+nfc-st-nci-fix-incorrect-spi-buffer-size.patch
+nfc-nci-fix-incorrect-data-chaining-when-sending-data.patch
+nfc-nci-fix-improper-management-of-hci-return-code.patch
+nfc-nci-extract-pipe-value-using-nci_hcp_msg_get_pipe.patch
+iwlwifi-pcie-fix-again-prepare-card-flow.patch
+iwlwifi-add-new-pci-ids-for-the-8260-series.patch
+net-mvneta-fix-cpu_map-registers-initialisation.patch
+net-mvneta-fix-error-path-for-building-skb.patch
+fs-proc-core-debug-don-t-expose-absolute-kernel-addresses-via-wchan.patch
+clk-iproc-fix-pll-output-frequency-calculation.patch
+clk-versatile-icst-fix-memory-leak.patch
+mfd-twl6040-fix-deferred-probe-handling-for-clk32k.patch
+mwifiex-fix-null-pointer-dereference-during-hidden-ssid-scan.patch
+mwifiex-avoid-memsetting-pcie-event-buffer.patch
+mwifiex-fix-mwifiex_rdeeprom_read.patch
+staging-rtl8712-add-device-id-for-sitecom-wla2100.patch
+bluetooth-hidp-fix-device-disconnect-on-idle-timeout.patch
+bluetooth-ath3k-add-new-ar3012-0930-021c-id.patch
+bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch
+bluetooth-fix-removing-connection-parameters-when-unpairing.patch
+bluetooth-fix-missing-hdev-locking-for-le-scan-cleanup.patch
+can-use-correct-type-in-sizeof-in-nla_put.patch
+can-sja1000-clear-interrupts-on-start.patch
+arm64-fix-compat-register-mappings.patch
+arm64-page-align-sections-for-debug_rodata.patch
+pinctrl-uniphier-set-input-enable-before-pin-muxing.patch
+pinctrl-qcom-ssbi-fix-compilation-with-debug_fs-n.patch
+ath10k-add-ath10k_fw_feature_raw_mode_support-to.patch
+ath10k-use-station-s-current-operating-mode-from-assoc-request.patch
+ath10k-fix-invalid-nss-for-4x4-devices.patch
+s390-kernel-fix-ptrace-peek-poke-for-floating-point-registers.patch
+s390-pci-reshuffle-struct-used-to-write-debug-data.patch
+kvm-s390-sca-must-not-cross-page-boundaries.patch
+kvm-s390-fix-wrong-lookup-of-vcpus-by-array-index.patch
+kvm-s390-avoid-memory-overwrites-on-emergency-signal-injection.patch
+kvm-s390-enable-simd-only-when-no-vcpus-were-created.patch
+revert-usb-dwc3-gadget-drop-unnecessary-loop-when-cleaning-up-trbs.patch
+usb-gadget-net2280-restore-ep_cfg-after-defect7374-workaround.patch
+usb-gadget-atmel_usba_udc-expose-correct-device-speed.patch
+usb-dwc3-gadget-let-us-set-lower-max_speed.patch
+usb-chipidea-otg-gadget-module-load-and-unload-support.patch
+usb-dwc3-pci-add-the-synopsys-haps-axi-product-id.patch
+usb-dwc3-pci-add-the-pci-product-id-for-synopsys-usb-3.1.patch
+usb-dwc3-support-synopsys-usb-3.1-ip.patch
+usb-dwc3-pci-add-platform-data-for-synopsys-haps.patch
+usb-dwc3-add-dis_enblslpm_quirk.patch
+usb-dwc3-pci-set-enblslpm-quirk-for-synopsys-platforms.patch
diff --git a/queue-4.3/staging-rtl8712-add-device-id-for-sitecom-wla2100.patch b/queue-4.3/staging-rtl8712-add-device-id-for-sitecom-wla2100.patch
new file mode 100644 (file)
index 0000000..8b44524
--- /dev/null
@@ -0,0 +1,31 @@
+From 1e6e63283691a2a9048a35d9c6c59cf0abd342e4 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Sun, 18 Oct 2015 22:14:48 -0500
+Subject: staging: rtl8712: Add device ID for Sitecom WLA2100
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 1e6e63283691a2a9048a35d9c6c59cf0abd342e4 upstream.
+
+This adds the USB ID for the Sitecom WLA2100. The Windows 10 inf file
+was checked to verify that the addition is correct.
+
+Reported-by: Frans van de Wiel <fvdw@fvdw.eu>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: Frans van de Wiel <fvdw@fvdw.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8712/usb_intf.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/rtl8712/usb_intf.c
++++ b/drivers/staging/rtl8712/usb_intf.c
+@@ -144,6 +144,7 @@ static struct usb_device_id rtl871x_usb_
+       {USB_DEVICE(0x0DF6, 0x0058)},
+       {USB_DEVICE(0x0DF6, 0x0049)},
+       {USB_DEVICE(0x0DF6, 0x004C)},
++      {USB_DEVICE(0x0DF6, 0x006C)},
+       {USB_DEVICE(0x0DF6, 0x0064)},
+       /* Skyworth */
+       {USB_DEVICE(0x14b2, 0x3300)},
diff --git a/queue-4.3/usb-chipidea-otg-gadget-module-load-and-unload-support.patch b/queue-4.3/usb-chipidea-otg-gadget-module-load-and-unload-support.patch
new file mode 100644 (file)
index 0000000..834a347
--- /dev/null
@@ -0,0 +1,53 @@
+From 85da852df66e5e0d3aba761b0fece7c958ff0685 Mon Sep 17 00:00:00 2001
+From: Li Jun <B47624@freescale.com>
+Date: Fri, 12 Dec 2014 09:11:42 +0800
+Subject: usb: chipidea: otg: gadget module load and unload support
+
+From: Li Jun <B47624@freescale.com>
+
+commit 85da852df66e5e0d3aba761b0fece7c958ff0685 upstream.
+
+This patch is to support load and unload gadget driver in full OTG mode.
+
+Signed-off-by: Li Jun <jun.li@freescale.com>
+Signed-off-by: Peter Chen <peter.chen@freescale.com>
+Tested-by: Jiada Wang <jiada_wang@mentor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/chipidea/udc.c |   17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/drivers/usb/chipidea/udc.c
++++ b/drivers/usb/chipidea/udc.c
+@@ -1751,6 +1751,22 @@ static int ci_udc_start(struct usb_gadge
+       return retval;
+ }
++static void ci_udc_stop_for_otg_fsm(struct ci_hdrc *ci)
++{
++      if (!ci_otg_is_fsm_mode(ci))
++              return;
++
++      mutex_lock(&ci->fsm.lock);
++      if (ci->fsm.otg->state == OTG_STATE_A_PERIPHERAL) {
++              ci->fsm.a_bidl_adis_tmout = 1;
++              ci_hdrc_otg_fsm_start(ci);
++      } else if (ci->fsm.otg->state == OTG_STATE_B_PERIPHERAL) {
++              ci->fsm.protocol = PROTO_UNDEF;
++              ci->fsm.otg->state = OTG_STATE_UNDEFINED;
++      }
++      mutex_unlock(&ci->fsm.lock);
++}
++
+ /**
+  * ci_udc_stop: unregister a gadget driver
+  */
+@@ -1775,6 +1791,7 @@ static int ci_udc_stop(struct usb_gadget
+       ci->driver = NULL;
+       spin_unlock_irqrestore(&ci->lock, flags);
++      ci_udc_stop_for_otg_fsm(ci);
+       return 0;
+ }
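Review bot: `ci_udc_stop_for_otg_fsm()` is added without any comment, and its two branches are not self-explanatory: one sets `a_bidl_adis_tmout` and restarts the state machine, the other rewrites `protocol` and `otg->state` directly. A header comment such as `/* called on gadget driver unbind; in OTG FSM mode, moves the state machine out of the peripheral states */` would help, worded to match whatever transitions are actually intended. The helper is also called after `ci->lock` has been released in ci_udc_stop, so `ci->driver = NULL` and the FSM update are not one atomic step; if that ordering is intentional, the comment should say so.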
diff --git a/queue-4.3/usb-dwc3-add-dis_enblslpm_quirk.patch b/queue-4.3/usb-dwc3-add-dis_enblslpm_quirk.patch
new file mode 100644 (file)
index 0000000..fa5011d
--- /dev/null
@@ -0,0 +1,100 @@
+From ec791d149bca4511e7d3a6a92bb3b030c5a443f9 Mon Sep 17 00:00:00 2001
+From: John Youn <John.Youn@synopsys.com>
+Date: Fri, 2 Oct 2015 20:30:57 -0700
+Subject: usb: dwc3: Add dis_enblslpm_quirk
+
+From: John Youn <John.Youn@synopsys.com>
+
+commit ec791d149bca4511e7d3a6a92bb3b030c5a443f9 upstream.
+
+Add a quirk to clear the GUSB2PHYCFG.ENBLSLPM bit, which controls
+whether the PHY receives the suspend signal from the controller.
+
+Signed-off-by: John Youn <johnyoun@synopsys.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/devicetree/bindings/usb/dwc3.txt |    2 ++
+ drivers/usb/dwc3/core.c                        |    6 ++++++
+ drivers/usb/dwc3/core.h                        |    4 ++++
+ drivers/usb/dwc3/platform_data.h               |    1 +
+ 4 files changed, 13 insertions(+)
+
+--- a/Documentation/devicetree/bindings/usb/dwc3.txt
++++ b/Documentation/devicetree/bindings/usb/dwc3.txt
+@@ -35,6 +35,8 @@ Optional properties:
+                       LTSSM during USB3 Compliance mode.
+  - snps,dis_u3_susphy_quirk: when set core will disable USB3 suspend phy.
+  - snps,dis_u2_susphy_quirk: when set core will disable USB2 suspend phy.
++ - snps,dis_enblslpm_quirk: when set clears the enblslpm in GUSB2PHYCFG,
++                      disabling the suspend signal to the PHY.
+  - snps,is-utmi-l1-suspend: true when DWC3 asserts output signal
+                       utmi_l1_suspend_n, false when asserts utmi_sleep_n
+  - snps,hird-threshold: HIRD threshold
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -488,6 +488,9 @@ static int dwc3_phy_setup(struct dwc3 *d
+       if (dwc->dis_u2_susphy_quirk)
+               reg &= ~DWC3_GUSB2PHYCFG_SUSPHY;
++      if (dwc->dis_enblslpm_quirk)
++              reg &= ~DWC3_GUSB2PHYCFG_ENBLSLPM;
++
+       dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg);
+       return 0;
+@@ -885,6 +888,8 @@ static int dwc3_probe(struct platform_de
+                               "snps,dis_u3_susphy_quirk");
+               dwc->dis_u2_susphy_quirk = of_property_read_bool(node,
+                               "snps,dis_u2_susphy_quirk");
++      dwc->dis_enblslpm_quirk = device_property_read_bool(dev,
++                              "snps,dis_enblslpm_quirk");
+               dwc->tx_de_emphasis_quirk = of_property_read_bool(node,
+                               "snps,tx_de_emphasis_quirk");
+@@ -915,6 +920,7 @@ static int dwc3_probe(struct platform_de
+               dwc->rx_detect_poll_quirk = pdata->rx_detect_poll_quirk;
+               dwc->dis_u3_susphy_quirk = pdata->dis_u3_susphy_quirk;
+               dwc->dis_u2_susphy_quirk = pdata->dis_u2_susphy_quirk;
++              dwc->dis_enblslpm_quirk = pdata->dis_enblslpm_quirk;
+               dwc->tx_de_emphasis_quirk = pdata->tx_de_emphasis_quirk;
+               if (pdata->tx_de_emphasis)
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -178,6 +178,7 @@
+ #define DWC3_GUSB2PHYCFG_PHYSOFTRST   (1 << 31)
+ #define DWC3_GUSB2PHYCFG_SUSPHY               (1 << 6)
+ #define DWC3_GUSB2PHYCFG_ULPI_UTMI    (1 << 4)
++#define DWC3_GUSB2PHYCFG_ENBLSLPM     (1 << 8)
+ /* Global USB2 PHY Vendor Control Register */
+ #define DWC3_GUSB2PHYACC_NEWREGREQ    (1 << 25)
+@@ -715,6 +716,8 @@ struct dwc3_scratchpad_array {
+  * @rx_detect_poll_quirk: set if we enable rx_detect to polling lfps quirk
+  * @dis_u3_susphy_quirk: set if we disable usb3 suspend phy
+  * @dis_u2_susphy_quirk: set if we disable usb2 suspend phy
++ * @dis_enblslpm_quirk: set if we clear enblslpm in GUSB2PHYCFG,
++ *                      disabling the suspend signal to the PHY.
+  * @tx_de_emphasis_quirk: set if we enable Tx de-emphasis quirk
+  * @tx_de_emphasis: Tx de-emphasis value
+  *    0       - -6dB de-emphasis
+@@ -859,6 +862,7 @@ struct dwc3 {
+       unsigned                rx_detect_poll_quirk:1;
+       unsigned                dis_u3_susphy_quirk:1;
+       unsigned                dis_u2_susphy_quirk:1;
++      unsigned                dis_enblslpm_quirk:1;
+       unsigned                tx_de_emphasis_quirk:1;
+       unsigned                tx_de_emphasis:2;
+--- a/drivers/usb/dwc3/platform_data.h
++++ b/drivers/usb/dwc3/platform_data.h
+@@ -42,6 +42,7 @@ struct dwc3_platform_data {
+       unsigned rx_detect_poll_quirk:1;
+       unsigned dis_u3_susphy_quirk:1;
+       unsigned dis_u2_susphy_quirk:1;
++      unsigned dis_enblslpm_quirk:1;
+       unsigned tx_de_emphasis_quirk:1;
+       unsigned tx_de_emphasis:2;
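Review bot: The new property read in dwc3_probe uses `device_property_read_bool(dev, ...)` and sits one indent level out, while every neighbouring quirk in the same block uses `of_property_read_bool(node, ...)`. For consistency with the surrounding code, and so the block does not depend on a helper the rest of it avoids, write it as `dwc->dis_enblslpm_quirk = of_property_read_bool(node, "snps,dis_enblslpm_quirk");` with the continuation indented like its neighbours. The enclosing branch starts outside the hunk, so confirm that it is the device-tree path before changing it.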
diff --git a/queue-4.3/usb-dwc3-gadget-let-us-set-lower-max_speed.patch b/queue-4.3/usb-dwc3-gadget-let-us-set-lower-max_speed.patch
new file mode 100644 (file)
index 0000000..15bda16
--- /dev/null
@@ -0,0 +1,72 @@
+From b9e51b2b1fda19143f48d182ed7a2943f21e1ae4 Mon Sep 17 00:00:00 2001
+From: Ben McCauley <ben.mccauley@garmin.com>
+Date: Mon, 16 Nov 2015 10:47:24 -0600
+Subject: usb: dwc3: gadget: let us set lower max_speed
+
+From: Ben McCauley <ben.mccauley@garmin.com>
+
+commit b9e51b2b1fda19143f48d182ed7a2943f21e1ae4 upstream.
+
+In some SoCs, dwc3 is implemented as a USB2.0 only
+core, meaning that it can't ever achieve SuperSpeed.
+
+Currect driver always sets gadget.max_speed to
+USB_SPEED_SUPER unconditionally. This can causes
+issues to some Host stacks where the host will issue
+a GetBOS() request and we will reply with a BOS
+containing Superspeed Capability Descriptor.
+
+At least Windows seems to be upset by this fact and
+prints a warning that we should connect $this device
+to another port.
+
+[ balbi@ti.com : rewrote entire commit, including
+source code comment to make a lot clearer what the
+problem is ]
+
+Signed-off-by: Ben McCauley <ben.mccauley@garmin.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/gadget.c |   24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2723,12 +2723,34 @@ int dwc3_gadget_init(struct dwc3 *dwc)
+       }
+       dwc->gadget.ops                 = &dwc3_gadget_ops;
+-      dwc->gadget.max_speed           = USB_SPEED_SUPER;
+       dwc->gadget.speed               = USB_SPEED_UNKNOWN;
+       dwc->gadget.sg_supported        = true;
+       dwc->gadget.name                = "dwc3-gadget";
+       /*
++       * FIXME We might be setting max_speed to <SUPER, however versions
++       * <2.20a of dwc3 have an issue with metastability (documented
++       * elsewhere in this driver) which tells us we can't set max speed to
++       * anything lower than SUPER.
++       *
++       * Because gadget.max_speed is only used by composite.c and function
++       * drivers (i.e. it won't go into dwc3's registers) we are allowing this
++       * to happen so we avoid sending SuperSpeed Capability descriptor
++       * together with our BOS descriptor as that could confuse host into
++       * thinking we can handle super speed.
++       *
++       * Note that, in fact, we won't even support GetBOS requests when speed
++       * is less than super speed because we don't have means, yet, to tell
++       * composite.c that we are USB 2.0 + LPM ECN.
++       */
++      if (dwc->revision < DWC3_REVISION_220A)
++              dwc3_trace(trace_dwc3_gadget,
++                              "Changing max_speed on rev %08x\n",
++                              dwc->revision);
++
++      dwc->gadget.max_speed           = dwc->maximum_speed;
++
++      /*
+        * Per databook, DWC3 needs buffer size to be aligned to MaxPacketSize
+        * on ep out.
+        */
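Review bot: The trace added in dwc3_gadget_init() fires for every core older than 2.20a, including when `dwc->maximum_speed` is still USB_SPEED_SUPER and nothing is being lowered, so the "Changing max_speed" message can mislead whoever reads the trace. Tightening the condition to `if (dwc->revision < DWC3_REVISION_220A && dwc->maximum_speed < USB_SPEED_SUPER)` keeps the message accurate. The new assignment also copies `dwc->maximum_speed` into `gadget.max_speed` with no range check in the hunk; presumably the value is validated where it is parsed, which is worth confirming. dwc3_gadget_init() starts and ends outside the hunk.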
diff --git a/queue-4.3/usb-dwc3-pci-add-platform-data-for-synopsys-haps.patch b/queue-4.3/usb-dwc3-pci-add-platform-data-for-synopsys-haps.patch
new file mode 100644 (file)
index 0000000..88dbdb3
--- /dev/null
@@ -0,0 +1,43 @@
+From bb7f3d6d323a56b9c3b3e727380d1395a7f10107 Mon Sep 17 00:00:00 2001
+From: John Youn <John.Youn@synopsys.com>
+Date: Sat, 26 Sep 2015 00:11:15 -0700
+Subject: usb: dwc3: pci: Add platform data for Synopsys HAPS
+
+From: John Youn <John.Youn@synopsys.com>
+
+commit bb7f3d6d323a56b9c3b3e727380d1395a7f10107 upstream.
+
+Add platform data and set usb3_lpm_capable and has_lpm_erratum.
+
+Signed-off-by: John Youn <johnyoun@synopsys.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/dwc3-pci.c |   15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -108,6 +108,21 @@ static int dwc3_pci_quirks(struct pci_de
+               }
+       }
++      if (pdev->vendor == PCI_VENDOR_ID_SYNOPSYS &&
++          (pdev->device == PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3 ||
++           pdev->device == PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI ||
++           pdev->device == PCI_DEVICE_ID_SYNOPSYS_HAPSUSB31)) {
++
++              struct dwc3_platform_data pdata;
++
++              memset(&pdata, 0, sizeof(pdata));
++              pdata.usb3_lpm_capable = true;
++              pdata.has_lpm_erratum = true;
++
++              return platform_device_add_data(pci_get_drvdata(pdev), &pdata,
++                                              sizeof(pdata));
++      }
++
+       return 0;
+ }
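Review bot: The `memset(&pdata, 0, sizeof(pdata))` in the new HAPS branch of dwc3_pci_quirks() looks like boilerplate, yet it is what keeps uninitialised stack bytes out of the platform data. `platform_device_add_data()` duplicates all `sizeof(pdata)` bytes, including the unused bitfield bits and padding. A comment such as `/* zero everything: the whole struct, padding included, is copied below */` would stop a later cleanup from replacing it with per-field assignments. The call also relies on `pci_get_drvdata(pdev)` already holding the dwc3 platform device when the quirks run; that is set outside the hunk and worth confirming.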
diff --git a/queue-4.3/usb-dwc3-pci-add-the-pci-product-id-for-synopsys-usb-3.1.patch b/queue-4.3/usb-dwc3-pci-add-the-pci-product-id-for-synopsys-usb-3.1.patch
new file mode 100644 (file)
index 0000000..1f481e0
--- /dev/null
@@ -0,0 +1,41 @@
+From e8095a25364a30216ad40dbe8893ed5c3c235949 Mon Sep 17 00:00:00 2001
+From: John Youn <John.Youn@synopsys.com>
+Date: Fri, 7 Aug 2015 11:47:25 -0700
+Subject: usb: dwc3: pci: Add the PCI Product ID for Synopsys USB 3.1
+
+From: John Youn <John.Youn@synopsys.com>
+
+commit e8095a25364a30216ad40dbe8893ed5c3c235949 upstream.
+
+This adds the PCI product ID for the Synopsys USB 3.1 IP core
+(DWC_usb31) on a HAPS-based PCI development platform.
+
+Signed-off-by: John Youn <johnyoun@synopsys.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/dwc3-pci.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -28,6 +28,7 @@
+ #define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3       0xabcd
+ #define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI 0xabce
++#define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB31 0xabcf
+ #define PCI_DEVICE_ID_INTEL_BYT               0x0f37
+ #define PCI_DEVICE_ID_INTEL_MRFLD     0x119e
+ #define PCI_DEVICE_ID_INTEL_BSW               0x22B7
+@@ -183,6 +184,10 @@ static const struct pci_device_id dwc3_p
+               PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS,
+                               PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI),
+       },
++      {
++              PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS,
++                              PCI_DEVICE_ID_SYNOPSYS_HAPSUSB31),
++      },
+       { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BSW), },
+       { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BYT), },
+       { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), },
diff --git a/queue-4.3/usb-dwc3-pci-add-the-synopsys-haps-axi-product-id.patch b/queue-4.3/usb-dwc3-pci-add-the-synopsys-haps-axi-product-id.patch
new file mode 100644 (file)
index 0000000..8a3696c
--- /dev/null
@@ -0,0 +1,42 @@
+From 41adc59caece02aa2e988a0e8f9fe8e6f426f82e Mon Sep 17 00:00:00 2001
+From: John Youn <John.Youn@synopsys.com>
+Date: Fri, 7 Aug 2015 11:04:14 -0700
+Subject: usb: dwc3: pci: Add the Synopsys HAPS AXI Product ID
+
+From: John Youn <John.Youn@synopsys.com>
+
+commit 41adc59caece02aa2e988a0e8f9fe8e6f426f82e upstream.
+
+This ID is for the Synopsys DWC_usb3 core with AXI interface on PCIe
+HAPS platform. This core has the debug registers mapped at a separate
+BAR in order to support enhanced hibernation.
+
+Signed-off-by: John Youn <johnyoun@synopsys.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/dwc3-pci.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -27,6 +27,7 @@
+ #include "platform_data.h"
+ #define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3       0xabcd
++#define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI 0xabce
+ #define PCI_DEVICE_ID_INTEL_BYT               0x0f37
+ #define PCI_DEVICE_ID_INTEL_MRFLD     0x119e
+ #define PCI_DEVICE_ID_INTEL_BSW               0x22B7
+@@ -178,6 +179,10 @@ static const struct pci_device_id dwc3_p
+               PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS,
+                               PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3),
+       },
++      {
++              PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS,
++                              PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3_AXI),
++      },
+       { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BSW), },
+       { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BYT), },
+       { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), },
diff --git a/queue-4.3/usb-dwc3-pci-set-enblslpm-quirk-for-synopsys-platforms.patch b/queue-4.3/usb-dwc3-pci-set-enblslpm-quirk-for-synopsys-platforms.patch
new file mode 100644 (file)
index 0000000..d7dd604
--- /dev/null
@@ -0,0 +1,31 @@
+From 94218ee31ba56fb3a8625978b393124ad660408e Mon Sep 17 00:00:00 2001
+From: John Youn <John.Youn@synopsys.com>
+Date: Fri, 2 Oct 2015 20:32:17 -0700
+Subject: usb: dwc3: pci: Set enblslpm quirk for Synopsys platforms
+
+From: John Youn <John.Youn@synopsys.com>
+
+commit 94218ee31ba56fb3a8625978b393124ad660408e upstream.
+
+Certain Synopsys prototyping PHY boards are not able to meet timings
+constraints for LPM. This allows the PHY to meet those timings by
+leaving the PHY clock running during suspend.
+
+Signed-off-by: John Youn <johnyoun@synopsys.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/dwc3-pci.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -118,6 +118,7 @@ static int dwc3_pci_quirks(struct pci_de
+               memset(&pdata, 0, sizeof(pdata));
+               pdata.usb3_lpm_capable = true;
+               pdata.has_lpm_erratum = true;
++              pdata.dis_enblslpm_quirk = true;
+               return platform_device_add_data(pci_get_drvdata(pdev), &pdata,
+                                               sizeof(pdata));
diff --git a/queue-4.3/usb-dwc3-support-synopsys-usb-3.1-ip.patch b/queue-4.3/usb-dwc3-support-synopsys-usb-3.1-ip.patch
new file mode 100644 (file)
index 0000000..ef0bca1
--- /dev/null
@@ -0,0 +1,99 @@
+From 690fb3718a70c66004342f6f5e2e8a5f95b977db Mon Sep 17 00:00:00 2001
+From: John Youn <John.Youn@synopsys.com>
+Date: Fri, 4 Sep 2015 19:15:10 -0700
+Subject: usb: dwc3: Support Synopsys USB 3.1 IP
+
+From: John Youn <John.Youn@synopsys.com>
+
+commit 690fb3718a70c66004342f6f5e2e8a5f95b977db upstream.
+
+This patch allows the dwc3 driver to run on the new Synopsys USB 3.1
+IP core, albeit in USB 3.0 mode only.
+
+The Synopsys USB 3.1 IP (DWC_usb31) retains mostly the same register
+interface and programming model as the existing USB 3.0 controller IP
+(DWC_usb3). However the GSNPSID and version numbers are different.
+
+Add checking for the new ID to pass driver probe.
+
+Also, since the DWC_usb31 version number is lower in value than the
+full GSNPSID of the DWC_usb3 IP, we set the high bit to identify
+DWC_usb31 and to ensure the values are higher.
+
+Finally, add a documentation note about the revision numbering scheme.
+Any future revision checks (for STARS, workarounds, and new features)
+should take into consideration how it applies to both the 3.1/3.0 IP.
+
+Signed-off-by: John Youn <johnyoun@synopsys.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/core.c |   10 ++++++++--
+ drivers/usb/dwc3/core.h |   18 ++++++++++++++++++
+ 2 files changed, 26 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -507,12 +507,18 @@ static int dwc3_core_init(struct dwc3 *d
+       reg = dwc3_readl(dwc->regs, DWC3_GSNPSID);
+       /* This should read as U3 followed by revision number */
+-      if ((reg & DWC3_GSNPSID_MASK) != 0x55330000) {
++      if ((reg & DWC3_GSNPSID_MASK) == 0x55330000) {
++              /* Detected DWC_usb3 IP */
++              dwc->revision = reg;
++      } else if ((reg & DWC3_GSNPSID_MASK) == 0x33310000) {
++              /* Detected DWC_usb31 IP */
++              dwc->revision = dwc3_readl(dwc->regs, DWC3_VER_NUMBER);
++              dwc->revision |= DWC3_REVISION_IS_DWC31;
++      } else {
+               dev_err(dwc->dev, "this is not a DesignWare USB3 DRD Core\n");
+               ret = -ENODEV;
+               goto err0;
+       }
+-      dwc->revision = reg;
+       /*
+        * Write Linux Version Code to our GUID register so it's easy to figure
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -108,6 +108,9 @@
+ #define DWC3_GPRTBIMAP_FS0    0xc188
+ #define DWC3_GPRTBIMAP_FS1    0xc18c
++#define DWC3_VER_NUMBER               0xc1a0
++#define DWC3_VER_TYPE         0xc1a4
++
+ #define DWC3_GUSB2PHYCFG(n)   (0xc200 + (n * 0x04))
+ #define DWC3_GUSB2I2CCTL(n)   (0xc240 + (n * 0x04))
+@@ -766,6 +769,14 @@ struct dwc3 {
+       u32                     num_event_buffers;
+       u32                     u1u2;
+       u32                     maximum_speed;
++
++      /*
++       * All 3.1 IP version constants are greater than the 3.0 IP
++       * version constants. This works for most version checks in
++       * dwc3. However, in the future, this may not apply as
++       * features may be developed on newer versions of the 3.0 IP
++       * that are not in the 3.1 IP.
++       */
+       u32                     revision;
+ #define DWC3_REVISION_173A    0x5533173a
+@@ -788,6 +799,13 @@ struct dwc3 {
+ #define DWC3_REVISION_270A    0x5533270a
+ #define DWC3_REVISION_280A    0x5533280a
++/*
++ * NOTICE: we're using bit 31 as a "is usb 3.1" flag. This is really
++ * just so dwc31 revisions are always larger than dwc3.
++ */
++#define DWC3_REVISION_IS_DWC31                0x80000000
++#define DWC3_USB31_REVISION_110A      (0x3131302a | DWC3_REVISION_IS_USB31)
++
+       enum dwc3_ep0_next      ep0_next_event;
+       enum dwc3_ep0_state     ep0state;
+       enum dwc3_link_state    link_state;
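Review bot: `DWC3_USB31_REVISION_110A` in core.h expands to `DWC3_REVISION_IS_USB31`, but the flag defined on the line above it is `DWC3_REVISION_IS_DWC31`, so the first use of the constant will fail to compile. It goes unnoticed here only because nothing in the visible hunks references it. The define should read `#define DWC3_USB31_REVISION_110A (0x3131302a | DWC3_REVISION_IS_DWC31)`. Separately, core.c now ORs bit 31 into `dwc->revision` for DWC_usb31, so every existing `dwc->revision < DWC3_REVISION_*` workaround check silently stops applying to that IP. The comment added to struct dwc3 hints at this, and each such check deserves a look.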
diff --git a/queue-4.3/usb-gadget-atmel_usba_udc-expose-correct-device-speed.patch b/queue-4.3/usb-gadget-atmel_usba_udc-expose-correct-device-speed.patch
new file mode 100644 (file)
index 0000000..e627769
--- /dev/null
@@ -0,0 +1,42 @@
+From d134c48d889ddceadf4c990e6f3df16b816ed5d4 Mon Sep 17 00:00:00 2001
+From: Douglas Gilbert <dgilbert@interlog.com>
+Date: Mon, 16 Nov 2015 19:22:08 +0100
+Subject: usb: gadget: atmel_usba_udc: Expose correct device speed
+
+From: Douglas Gilbert <dgilbert@interlog.com>
+
+commit d134c48d889ddceadf4c990e6f3df16b816ed5d4 upstream.
+
+Following changes that appeared in lk 4.0.0, the gadget udc driver for
+some ARM based Atmel SoCs (e.g. at91sam9x5 and sama5d3 families)
+incorrectly deduced full-speed USB link speed even when the hardware
+had negotiated a high-speed link. The fix is to make sure that the
+UDPHS Interrupt Enable Register value does not mask the SPEED bit
+in the Interrupt Status Register.
+
+For a mass storage gadget this problem lead to failures when the host
+had a USB 3 port with the xhci_hcd driver. If the host was a USB 2
+port using the ehci_hcd driver then the mass storage gadget worked
+(but probably at a lower speed than it should have).
+
+Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
+Reviewed-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Fixes: 9870d895ad87 ("usb: atmel_usba_udc: Mask status with enabled irqs")
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/atmel_usba_udc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/atmel_usba_udc.c
++++ b/drivers/usb/gadget/udc/atmel_usba_udc.c
+@@ -1633,7 +1633,7 @@ static irqreturn_t usba_udc_irq(int irq,
+       spin_lock(&udc->lock);
+       int_enb = usba_int_enb_get(udc);
+-      status = usba_readl(udc, INT_STA) & int_enb;
++      status = usba_readl(udc, INT_STA) & (int_enb | USBA_HIGH_SPEED);
+       DBG(DBG_INT, "irq, status=%#08x\n", status);
+       if (status & USBA_DET_SUSPEND) {
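Review bot: The reason `USBA_HIGH_SPEED` is OR'ed into the mask in usba_udc_irq() is not evident from the code, so a later tidy-up of the masking could drop it and bring back the wrong-speed detection. A comment above the line would help, e.g. `/* the SPEED bit of INT_STA must survive the enable mask, it is read below to detect the link speed */`, which matches what the commit message describes. usba_udc_irq() starts and ends outside the hunk.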
diff --git a/queue-4.3/usb-gadget-net2280-restore-ep_cfg-after-defect7374-workaround.patch b/queue-4.3/usb-gadget-net2280-restore-ep_cfg-after-defect7374-workaround.patch
new file mode 100644 (file)
index 0000000..5593f1a
--- /dev/null
@@ -0,0 +1,34 @@
+From 81e9d14a53eb1abfbe6ac828a87a2deb4702b5f1 Mon Sep 17 00:00:00 2001
+From: Mian Yousaf Kaukab <yousaf.kaukab@intel.com>
+Date: Mon, 19 Oct 2015 16:25:15 +0200
+Subject: usb: gadget: net2280: restore ep_cfg after defect7374 workaround
+
+From: Mian Yousaf Kaukab <yousaf.kaukab@intel.com>
+
+commit 81e9d14a53eb1abfbe6ac828a87a2deb4702b5f1 upstream.
+
+Defect 7374 workaround enables all GPEP as endpoint 0. Restore
+endpoint number when defect 7374 workaround is disabled. Otherwise,
+check to match USB endpoint number to hardware endpoint number in
+net2280_enable() fails.
+
+Reported-by: Paul Jones <p.jones@teclyn.com>
+Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@intel.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/net2280.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/net2280.c
++++ b/drivers/usb/gadget/udc/net2280.c
+@@ -1913,7 +1913,7 @@ static void defect7374_disable_data_eps(
+       for (i = 1; i < 5; i++) {
+               ep = &dev->ep[i];
+-              writel(0, &ep->cfg->ep_cfg);
++              writel(i, &ep->cfg->ep_cfg);
+       }
+       /* CSROUT, CSRIN, PCIOUT, PCIIN, STATIN, RCIN */
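Review bot: `writel(i, &ep->cfg->ep_cfg)` in defect7374_disable_data_eps() relies on the array index `i` being the USB endpoint number of `dev->ep[i]`, and it writes every other field of ep_cfg as zero; neither assumption is stated in the code. A short comment such as `/* restore the endpoint number; net2280_enable() checks it against the descriptor */` would document the intent taken from the commit message. The loop bound `5` would also read better as a named constant. The function starts and ends outside the hunk.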
diff --git a/queue-4.3/x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch b/queue-4.3/x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch
new file mode 100644 (file)
index 0000000..312f4df
--- /dev/null
@@ -0,0 +1,118 @@
+From 04633df0c43d710e5f696b06539c100898678235 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Thu, 5 Nov 2015 16:57:56 +0100
+Subject: x86/cpu: Call verify_cpu() after having entered long mode too
+
+From: Borislav Petkov <bp@suse.de>
+
+commit 04633df0c43d710e5f696b06539c100898678235 upstream.
+
+When we get loaded by a 64-bit bootloader, kernel entry point is
+startup_64 in head_64.S. We don't trust any and all bootloaders because
+some will fiddle with CPU configuration so we go ahead and massage each
+CPU into sanity again.
+
+For example, some dell BIOSes have this XD disable feature which set
+IA32_MISC_ENABLE[34] and disable NX. This might be some dumb workaround
+for other OSes but Linux sure doesn't need it.
+
+A similar thing is present in the Surface 3 firmware - see
+https://bugzilla.kernel.org/show_bug.cgi?id=106051 - which sets this bit
+only on the BSP:
+
+  # rdmsr -a 0x1a0
+  400850089
+  850089
+  850089
+  850089
+
+I know, right?!
+
+There's not even an off switch in there.
+
+So fix all those cases by sanitizing the 64-bit entry point too. For
+that, make verify_cpu() callable in 64-bit mode also.
+
+Requested-and-debugged-by: "H. Peter Anvin" <hpa@zytor.com>
+Reported-and-tested-by: Bastien Nocera <bugzilla@hadess.net>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/1446739076-21303-1-git-send-email-bp@alien8.de
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/head_64.S    |    8 ++++++++
+ arch/x86/kernel/verify_cpu.S |   12 +++++++-----
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kernel/head_64.S
++++ b/arch/x86/kernel/head_64.S
+@@ -65,6 +65,9 @@ startup_64:
+        * tables and then reload them.
+        */
++      /* Sanitize CPU configuration */
++      call verify_cpu
++
+       /*
+        * Compute the delta between the address I am compiled to run at and the
+        * address I am actually running at.
+@@ -174,6 +177,9 @@ ENTRY(secondary_startup_64)
+        * after the boot processor executes this code.
+        */
++      /* Sanitize CPU configuration */
++      call verify_cpu
++
+       movq    $(init_level4_pgt - __START_KERNEL_map), %rax
+ 1:
+@@ -288,6 +294,8 @@ ENTRY(secondary_startup_64)
+       pushq   %rax            # target address in negative space
+       lretq
++#include "verify_cpu.S"
++
+ #ifdef CONFIG_HOTPLUG_CPU
+ /*
+  * Boot CPU0 entry point. It's called from play_dead(). Everything has been set
+--- a/arch/x86/kernel/verify_cpu.S
++++ b/arch/x86/kernel/verify_cpu.S
+@@ -34,10 +34,11 @@
+ #include <asm/msr-index.h>
+ verify_cpu:
+-      pushfl                          # Save caller passed flags
+-      pushl   $0                      # Kill any dangerous flags
+-      popfl
++      pushf                           # Save caller passed flags
++      push    $0                      # Kill any dangerous flags
++      popf
++#ifndef __x86_64__
+       pushfl                          # standard way to check for cpuid
+       popl    %eax
+       movl    %eax,%ebx
+@@ -48,6 +49,7 @@ verify_cpu:
+       popl    %eax
+       cmpl    %eax,%ebx
+       jz      verify_cpu_no_longmode  # cpu has no cpuid
++#endif
+       movl    $0x0,%eax               # See if cpuid 1 is implemented
+       cpuid
+@@ -130,10 +132,10 @@ verify_cpu_sse_test:
+       jmp     verify_cpu_sse_test     # try again
+ verify_cpu_no_longmode:
+-      popfl                           # Restore caller passed flags
++      popf                            # Restore caller passed flags
+       movl $1,%eax
+       ret
+ verify_cpu_sse_ok:
+-      popfl                           # Restore caller passed flags
++      popf                            # Restore caller passed flags
+       xorl %eax, %eax
+       ret
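Review bot: Both new `call verify_cpu` sites in head_64.S discard the result in %eax, although verify_cpu returns 1 on its `verify_cpu_no_longmode` path and 0 on `verify_cpu_sse_ok`. If the call is made only for its side effect of undoing firmware changes to the CPU configuration, the comment should say so, e.g. `/* Sanitize CPU configuration; the return value is deliberately ignored here */`. verify_cpu also needs a usable stack (`pushf`, `push`, `popf`, `ret`), and the hunks do not show where %rsp is established before the call in startup_64, so that is worth confirming. Both entry points continue outside the hunks.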
diff --git a/queue-4.3/x86-cpu-fix-smap-check-in-pvops-environments.patch b/queue-4.3/x86-cpu-fix-smap-check-in-pvops-environments.patch
new file mode 100644 (file)
index 0000000..25e46a8
--- /dev/null
@@ -0,0 +1,54 @@
+From 581b7f158fe0383b492acd1ce3fb4e99d4e57808 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Wed, 3 Jun 2015 10:31:14 +0100
+Subject: x86/cpu: Fix SMAP check in PVOPS environments
+
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+
+commit 581b7f158fe0383b492acd1ce3fb4e99d4e57808 upstream.
+
+There appears to be no formal statement of what pv_irq_ops.save_fl() is
+supposed to return precisely.  Native returns the full flags, while lguest and
+Xen only return the Interrupt Flag, and both have comments by the
+implementations stating that only the Interrupt Flag is looked at.  This may
+have been true when initially implemented, but no longer is.
+
+To make matters worse, the Xen PVOP leaves the upper bits undefined, making
+the BUG_ON() undefined behaviour.  Experimentally, this now trips for 32bit PV
+guests on Broadwell hardware.  The BUG_ON() is consistent for an individual
+build, but not consistent for all builds.  It has also been a sitting timebomb
+since SMAP support was introduced.
+
+Use native_save_fl() instead, which will obtain an accurate view of the AC
+flag.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: David Vrabel <david.vrabel@citrix.com>
+Tested-by: Rusty Russell <rusty@rustcorp.com.au>
+Cc: Rusty Russell <rusty@rustcorp.com.au>
+Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: <lguest@lists.ozlabs.org>
+Cc: Xen-devel <xen-devel@lists.xen.org>
+Link: http://lkml.kernel.org/r/1433323874-6927-1-git-send-email-andrew.cooper3@citrix.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/common.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -273,10 +273,9 @@ __setup("nosmap", setup_disable_smap);
+ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
+ {
+-      unsigned long eflags;
++      unsigned long eflags = native_save_fl();
+       /* This should have been cleared long ago */
+-      raw_local_save_flags(eflags);
+       BUG_ON(eflags & X86_EFLAGS_AC);
+       if (cpu_has(c, X86_FEATURE_SMAP)) {
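Review bot: Nothing in setup_smap() records why `native_save_fl()` is used rather than the paravirt flags accessor, so a later cleanup could switch it back and reintroduce the spurious BUG_ON. A comment above the declaration would help, e.g. `/* native_save_fl(): the pvops save_fl() may return only IF and leave AC undefined */`, which is the behaviour the commit message reports for Xen and lguest. The function body continues past the end of the hunk.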
diff --git a/queue-4.3/x86-fpu-fix-32-bit-signal-frame-handling.patch b/queue-4.3/x86-fpu-fix-32-bit-signal-frame-handling.patch
new file mode 100644 (file)
index 0000000..37156da
--- /dev/null
@@ -0,0 +1,105 @@
+From ab6b52947545a5355154f64f449f97af9d05845f Mon Sep 17 00:00:00 2001
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Tue, 10 Nov 2015 16:23:54 -0800
+Subject: x86/fpu: Fix 32-bit signal frame handling
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+commit ab6b52947545a5355154f64f449f97af9d05845f upstream.
+
+(This should have gone to LKML originally. Sorry for the extra
+ noise, folks on the cc.)
+
+Background:
+
+Signal frames on x86 have two formats:
+
+  1. For 32-bit executables (whether on a real 32-bit kernel or
+     under 32-bit emulation on a 64-bit kernel) we have a
+    'fpregset_t' that includes the "FSAVE" registers.
+
+  2. For 64-bit executables (on 64-bit kernels obviously), the
+     'fpregset_t' is smaller and does not contain the "FSAVE"
+     state.
+
+When creating the signal frame, we have to be aware of whether
+we are running a 32 or 64-bit executable so we create the
+correct format signal frame.
+
+Problem:
+
+save_xstate_epilog() uses 'fx_sw_reserved_ia32' whenever it is
+called for a 32-bit executable.  This is for real 32-bit and
+ia32 emulation.
+
+But, fpu__init_prepare_fx_sw_frame() only initializes
+'fx_sw_reserved_ia32' when emulation is enabled, *NOT* for real
+32-bit kernels.
+
+This leads to really wierd situations where 32-bit programs
+lose their extended state when returning from a signal handler.
+The kernel copies the uninitialized (zero) 'fx_sw_reserved_ia32'
+out to userspace in save_xstate_epilog().  But when returning
+from the signal, the kernel errors out in check_for_xstate()
+when it does not see FP_XSTATE_MAGIC1 present (because it was
+zeroed).  This leads to the FPU/XSAVE state being initialized.
+
+For MPX, this leads to the most permissive state and means we
+silently lose bounds violations.  I think this would also mean
+that we could lose *ANY* FPU/SSE/AVX state.  I'm not sure why
+no one has spotted this bug.
+
+I believe this was broken by:
+
+       72a671ced66d ("x86, fpu: Unify signal handling code paths for x86 and x86_64 kernels")
+
+way back in 2012.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: dave@sr71.net
+Cc: fenghua.yu@intel.com
+Cc: yu-cheng.yu@intel.com
+Link: http://lkml.kernel.org/r/20151111002354.A0799571@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/fpu/signal.c |   11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kernel/fpu/signal.c
++++ b/arch/x86/kernel/fpu/signal.c
+@@ -385,20 +385,19 @@ fpu__alloc_mathframe(unsigned long sp, i
+  */
+ void fpu__init_prepare_fx_sw_frame(void)
+ {
+-      int fsave_header_size = sizeof(struct fregs_state);
+       int size = xstate_size + FP_XSTATE_MAGIC2_SIZE;
+-      if (config_enabled(CONFIG_X86_32))
+-              size += fsave_header_size;
+-
+       fx_sw_reserved.magic1 = FP_XSTATE_MAGIC1;
+       fx_sw_reserved.extended_size = size;
+       fx_sw_reserved.xfeatures = xfeatures_mask;
+       fx_sw_reserved.xstate_size = xstate_size;
+-      if (config_enabled(CONFIG_IA32_EMULATION)) {
++      if (config_enabled(CONFIG_IA32_EMULATION) ||
++          config_enabled(CONFIG_X86_32)) {
++              int fsave_header_size = sizeof(struct fregs_state);
++
+               fx_sw_reserved_ia32 = fx_sw_reserved;
+-              fx_sw_reserved_ia32.extended_size += fsave_header_size;
++              fx_sw_reserved_ia32.extended_size = size + fsave_header_size;
+       }
+ }
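Review bot: After this change `fx_sw_reserved.extended_size` no longer includes the FSAVE header on a native 32-bit kernel, so correctness now depends on the 32-bit save path reading `fx_sw_reserved_ia32` instead. According to the commit message that happens in save_xstate_epilog(), which is outside the hunk. A comment in the new branch would make the dependency explicit, e.g. `/* 32-bit frames (native or ia32 emulation) also carry the FSAVE header, see save_xstate_epilog() */`. Without it the two descriptors look interchangeable, and a mismatch is what made the kernel reset the extended state on signal return.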
diff --git a/queue-4.3/x86-fpu-fix-get_xsave_addr-behavior-under-virtualization.patch b/queue-4.3/x86-fpu-fix-get_xsave_addr-behavior-under-virtualization.patch
new file mode 100644 (file)
index 0000000..bc1d4f1
--- /dev/null
@@ -0,0 +1,51 @@
+From a05917b6ba9dc9a95fc42bdcbe3a875e8ad83935 Mon Sep 17 00:00:00 2001
+From: Huaitong Han <huaitong.han@intel.com>
+Date: Fri, 6 Nov 2015 17:00:23 +0800
+Subject: x86/fpu: Fix get_xsave_addr() behavior under virtualization
+
+From: Huaitong Han <huaitong.han@intel.com>
+
+commit a05917b6ba9dc9a95fc42bdcbe3a875e8ad83935 upstream.
+
+KVM uses the get_xsave_addr() function in a different fashion from
+the native kernel, in that the 'xsave' parameter belongs to guest vcpu,
+not the currently running task.
+
+But 'xsave' is replaced with current task's (host) xsave structure, so
+get_xsave_addr() will incorrectly return the bad xsave address to KVM.
+
+Fix it so that the passed in 'xsave' address is used - as intended
+originally.
+
+Signed-off-by: Huaitong Han <huaitong.han@intel.com>
+Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: dave.hansen@intel.com
+Link: http://lkml.kernel.org/r/1446800423-21622-1-git-send-email-huaitong.han@intel.com
+[ Tidied up the changelog. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/fpu/xstate.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/x86/kernel/fpu/xstate.c
++++ b/arch/x86/kernel/fpu/xstate.c
+@@ -402,7 +402,6 @@ void *get_xsave_addr(struct xregs_state
+       if (!boot_cpu_has(X86_FEATURE_XSAVE))
+               return NULL;
+-      xsave = &current->thread.fpu.state.xsave;
+       /*
+        * We should not ever be requesting features that we
+        * have not enabled.  Remember that pcntxt_mask is
diff --git a/queue-4.3/x86-irq-probe-for-pic-presence-before-allocating-descs-for-legacy-irqs.patch b/queue-4.3/x86-irq-probe-for-pic-presence-before-allocating-descs-for-legacy-irqs.patch
new file mode 100644 (file)
index 0000000..700f5df
--- /dev/null
@@ -0,0 +1,144 @@
+From 8c058b0b9c34d8c8d7912880956543769323e2d8 Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Tue, 3 Nov 2015 10:40:14 +0100
+Subject: x86/irq: Probe for PIC presence before allocating descs for legacy IRQs
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+commit 8c058b0b9c34d8c8d7912880956543769323e2d8 upstream.
+
+Commit d32932d02e18 ("x86/irq: Convert IOAPIC to use hierarchical irqdomain
+interfaces") brought a regression for Hyper-V Gen2 instances. These
+instances don't have i8259 legacy PIC but they use legacy IRQs for serial
+port, rtc, and acpi. With this commit included we end up with these IRQs
+not initialized. Earlier, there was a special workaround for legacy IRQs
+in mp_map_pin_to_irq() doing mp_irqdomain_map() without looking at
+nr_legacy_irqs() and now we fail in __irq_domain_alloc_irqs() when
+irq_domain_alloc_descs() returns -EEXIST.
+
+The essence of the issue seems to be that early_irq_init() calls
+arch_probe_nr_irqs() to figure out the number of legacy IRQs before
+we probe for i8259 and gets 16. Later when init_8259A() is called we switch
+to NULL legacy PIC and nr_legacy_irqs() starts to return 0 but we already
+have 16 descs allocated.
+
+Solve the issue by separating i8259 probe from init and calling it in
+arch_probe_nr_irqs() before we actually use nr_legacy_irqs() information.
+
+Fixes: d32932d02e18 ("x86/irq: Convert IOAPIC to use hierarchical irqdomain interfaces")
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Cc: Jiang Liu <jiang.liu@linux.intel.com>
+Cc: K. Y. Srinivasan <kys@microsoft.com>
+Link: http://lkml.kernel.org/r/1446543614-3621-1-git-send-email-vkuznets@redhat.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/i8259.h  |    1 +
+ arch/x86/kernel/apic/vector.c |    6 +++++-
+ arch/x86/kernel/i8259.c       |   29 +++++++++++++++++++++--------
+ 3 files changed, 27 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/include/asm/i8259.h
++++ b/arch/x86/include/asm/i8259.h
+@@ -60,6 +60,7 @@ struct legacy_pic {
+       void (*mask_all)(void);
+       void (*restore_mask)(void);
+       void (*init)(int auto_eoi);
++      int (*probe)(void);
+       int (*irq_pending)(unsigned int irq);
+       void (*make_irq)(unsigned int irq);
+ };
+--- a/arch/x86/kernel/apic/vector.c
++++ b/arch/x86/kernel/apic/vector.c
+@@ -361,7 +361,11 @@ int __init arch_probe_nr_irqs(void)
+       if (nr < nr_irqs)
+               nr_irqs = nr;
+-      return nr_legacy_irqs();
++      /*
++       * We don't know if PIC is present at this point so we need to do
++       * probe() to get the right number of legacy IRQs.
++       */
++      return legacy_pic->probe();
+ }
+ #ifdef        CONFIG_X86_IO_APIC
+--- a/arch/x86/kernel/i8259.c
++++ b/arch/x86/kernel/i8259.c
+@@ -295,16 +295,11 @@ static void unmask_8259A(void)
+       raw_spin_unlock_irqrestore(&i8259A_lock, flags);
+ }
+-static void init_8259A(int auto_eoi)
++static int probe_8259A(void)
+ {
+       unsigned long flags;
+       unsigned char probe_val = ~(1 << PIC_CASCADE_IR);
+       unsigned char new_val;
+-
+-      i8259A_auto_eoi = auto_eoi;
+-
+-      raw_spin_lock_irqsave(&i8259A_lock, flags);
+-
+       /*
+        * Check to see if we have a PIC.
+        * Mask all except the cascade and read
+@@ -312,16 +307,28 @@ static void init_8259A(int auto_eoi)
+        * have a PIC, we will read 0xff as opposed to the
+        * value we wrote.
+        */
++      raw_spin_lock_irqsave(&i8259A_lock, flags);
++
+       outb(0xff, PIC_SLAVE_IMR);      /* mask all of 8259A-2 */
+       outb(probe_val, PIC_MASTER_IMR);
+       new_val = inb(PIC_MASTER_IMR);
+       if (new_val != probe_val) {
+               printk(KERN_INFO "Using NULL legacy PIC\n");
+               legacy_pic = &null_legacy_pic;
+-              raw_spin_unlock_irqrestore(&i8259A_lock, flags);
+-              return;
+       }
++      raw_spin_unlock_irqrestore(&i8259A_lock, flags);
++      return nr_legacy_irqs();
++}
++
++static void init_8259A(int auto_eoi)
++{
++      unsigned long flags;
++
++      i8259A_auto_eoi = auto_eoi;
++
++      raw_spin_lock_irqsave(&i8259A_lock, flags);
++
+       outb(0xff, PIC_MASTER_IMR);     /* mask all of 8259A-1 */
+       /*
+@@ -379,6 +386,10 @@ static int legacy_pic_irq_pending_noop(u
+ {
+       return 0;
+ }
++static int legacy_pic_probe(void)
++{
++      return 0;
++}
+ struct legacy_pic null_legacy_pic = {
+       .nr_legacy_irqs = 0,
+@@ -388,6 +399,7 @@ struct legacy_pic null_legacy_pic = {
+       .mask_all = legacy_pic_noop,
+       .restore_mask = legacy_pic_noop,
+       .init = legacy_pic_int_noop,
++      .probe = legacy_pic_probe,
+       .irq_pending = legacy_pic_irq_pending_noop,
+       .make_irq = legacy_pic_uint_noop,
+ };
+@@ -400,6 +412,7 @@ struct legacy_pic default_legacy_pic = {
+       .mask_all = mask_8259A,
+       .restore_mask = unmask_8259A,
+       .init = init_8259A,
++      .probe = probe_8259A,
+       .irq_pending = i8259A_irq_pending,
+       .make_irq = make_8259A_irq,
+ };
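Review bot: `arch_probe_nr_irqs()` now calls `legacy_pic->probe()` unconditionally, so a `struct legacy_pic` instance that leaves the new `.probe` member unset would be called through a NULL pointer during early IRQ setup. The two instances visible in these hunks, `null_legacy_pic` and `default_legacy_pic`, both set it. Any instance defined elsewhere should be checked, or the call guarded with `return legacy_pic->probe ? legacy_pic->probe() : nr_legacy_irqs();`. `probe_8259A()` also writes both IMR ports and may repoint the global `legacy_pic`, so the member in i8259.h deserves a comment such as `/* may switch legacy_pic to null_legacy_pic; returns the legacy IRQ count */`. The bodies of `arch_probe_nr_irqs()` and `init_8259A()` extend outside the hunks shown.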
diff --git a/queue-4.3/x86-mpx-do-proper-get_user-when-running-32-bit-binaries-on-64-bit-kernels.patch b/queue-4.3/x86-mpx-do-proper-get_user-when-running-32-bit-binaries-on-64-bit-kernels.patch
new file mode 100644 (file)
index 0000000..ade10d2
--- /dev/null
@@ -0,0 +1,90 @@
+From 46561c3959d6307d22139c24cd0bf196162e5681 Mon Sep 17 00:00:00 2001
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Wed, 11 Nov 2015 10:19:31 -0800
+Subject: x86/mpx: Do proper get_user() when running 32-bit binaries on 64-bit kernels
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+commit 46561c3959d6307d22139c24cd0bf196162e5681 upstream.
+
+When you call get_user(foo, bar), you effectively do a
+
+       copy_from_user(&foo, bar, sizeof(*bar));
+
+Note that the sizeof() is implicit.
+
+When we reach out to userspace to try to zap an entire "bounds
+table" we need to go read a "bounds directory entry" in order to
+locate the table's address.  The size of a "directory entry"
+depends on the binary being run and is always the size of a
+pointer.
+
+But, when we have a 64-bit kernel and a 32-bit application, the
+directory entry is still only 32-bits long, but we fetch it with
+a 64-bit pointer which makes get_user() does a 64-bit fetch.
+Reading 4 extra bytes isn't harmful, unless we are at the end of
+and run off the table.  It might also cause the zero page to get
+faulted in unnecessarily even if you are not at the end.
+
+Fix it up by doing a special 32-bit get_user() via a cast when
+we have 32-bit userspace.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Dave Hansen <dave@sr71.net>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20151111181931.3ACF6822@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/mpx.c |   25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/mm/mpx.c
++++ b/arch/x86/mm/mpx.c
+@@ -585,6 +585,29 @@ static unsigned long mpx_bd_entry_to_bt_
+ }
+ /*
++ * We only want to do a 4-byte get_user() on 32-bit.  Otherwise,
++ * we might run off the end of the bounds table if we are on
++ * a 64-bit kernel and try to get 8 bytes.
++ */
++int get_user_bd_entry(struct mm_struct *mm, unsigned long *bd_entry_ret,
++              long __user *bd_entry_ptr)
++{
++      u32 bd_entry_32;
++      int ret;
++
++      if (is_64bit_mm(mm))
++              return get_user(*bd_entry_ret, bd_entry_ptr);
++
++      /*
++       * Note that get_user() uses the type of the *pointer* to
++       * establish the size of the get, not the destination.
++       */
++      ret = get_user(bd_entry_32, (u32 __user *)bd_entry_ptr);
++      *bd_entry_ret = bd_entry_32;
++      return ret;
++}
++
++/*
+  * Get the base of bounds tables pointed by specific bounds
+  * directory entry.
+  */
+@@ -604,7 +627,7 @@ static int get_bt_addr(struct mm_struct
+               int need_write = 0;
+               pagefault_disable();
+-              ret = get_user(bd_entry, bd_entry_ptr);
++              ret = get_user_bd_entry(mm, &bd_entry, bd_entry_ptr);
+               pagefault_enable();
+               if (!ret)
+                       break;
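Review bot: `get_user_bd_entry()` is defined without `static`, although the diffstat touches only arch/x86/mm/mpx.c and the only caller shown is `get_bt_addr()` in the same file. The helper therefore gets external linkage with no prototype; `static int get_user_bd_entry(struct mm_struct *mm, unsigned long *bd_entry_ret,` would keep it file-local. On the 32-bit path `*bd_entry_ret = bd_entry_32;` also runs when `get_user()` returned an error, which is only well-defined if `get_user()` writes its destination on a fault. Declaring `u32 bd_entry_32 = 0;` or assigning under `if (!ret)` removes that dependency. `get_bt_addr()` starts and continues outside the hunk, so how it treats `bd_entry` after a failed read is not visible here.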
diff --git a/queue-4.3/x86-mpx-fix-32-bit-address-space-calculation.patch b/queue-4.3/x86-mpx-fix-32-bit-address-space-calculation.patch
new file mode 100644 (file)
index 0000000..dd1b504
--- /dev/null
@@ -0,0 +1,81 @@
+From f3119b830264d89d216bfb378ab65065dffa02d9 Mon Sep 17 00:00:00 2001
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Wed, 11 Nov 2015 10:19:34 -0800
+Subject: x86/mpx: Fix 32-bit address space calculation
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+commit f3119b830264d89d216bfb378ab65065dffa02d9 upstream.
+
+I received a bug report that running 32-bit MPX binaries on
+64-bit kernels was broken.  I traced it down to this little code
+snippet.  We were switching our "number of bounds directory
+entries" calculation correctly.  But, we didn't switch the other
+side of the calculation: the virtual space size.
+
+This meant that we were calculating an absurd size for
+bd_entry_virt_space() on 32-bit because we used the 64-bit
+virt_space.
+
+This was _also_ broken for 32-bit kernels running on 64-bit
+hardware since boot_cpu_data.x86_virt_bits=48 even when running
+in 32-bit mode.
+
+Correct that and properly handle all 3 possible cases:
+
+ 1. 32-bit binary on 64-bit kernel
+ 2. 64-bit binary on 64-bit kernel
+ 3. 32-bit binary on 32-bit kernel
+
+This manifested in having bounds tables not properly unmapped.
+It "leaked" memory but had no functional impact otherwise.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Dave Hansen <dave@sr71.net>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20151111181934.FA7FAC34@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/mpx.c |   22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/mm/mpx.c
++++ b/arch/x86/mm/mpx.c
+@@ -722,11 +722,23 @@ static unsigned long mpx_get_bt_entry_of
+  */
+ static inline unsigned long bd_entry_virt_space(struct mm_struct *mm)
+ {
+-      unsigned long long virt_space = (1ULL << boot_cpu_data.x86_virt_bits);
+-      if (is_64bit_mm(mm))
+-              return virt_space / MPX_BD_NR_ENTRIES_64;
+-      else
+-              return virt_space / MPX_BD_NR_ENTRIES_32;
++      unsigned long long virt_space;
++      unsigned long long GB = (1ULL << 30);
++
++      /*
++       * This covers 32-bit emulation as well as 32-bit kernels
++       * running on 64-bit harware.
++       */
++      if (!is_64bit_mm(mm))
++              return (4ULL * GB) / MPX_BD_NR_ENTRIES_32;
++
++      /*
++       * 'x86_virt_bits' returns what the hardware is capable
++       * of, and returns the full >32-bit adddress space when
++       * running 32-bit kernels on 64-bit hardware.
++       */
++      virt_space = (1ULL << boot_cpu_data.x86_virt_bits);
++      return virt_space / MPX_BD_NR_ENTRIES_64;
+ }
+ /*
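Review bot: The two comments added to `bd_entry_virt_space()` contain typos and should read `running on 64-bit hardware.` and `of, and returns the full >32-bit address space when`. The local `GB` is spelled like a macro but is an ordinary variable; `const unsigned long long gb = 1ULL << 30;` would follow the file's lower-case locals. The function still returns `unsigned long` while both quotients are computed as `unsigned long long`, so on a 32-bit kernel the 32-bit branch relies on `(4ULL * GB) / MPX_BD_NR_ENTRIES_32` fitting in 32 bits. The value of `MPX_BD_NR_ENTRIES_32` is not visible in this hunk, so a one-line comment stating the resulting size would make that assumption checkable.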
diff --git a/queue-4.3/x86-setup-fix-low-identity-map-for-2gb-kernel-range.patch b/queue-4.3/x86-setup-fix-low-identity-map-for-2gb-kernel-range.patch
new file mode 100644 (file)
index 0000000..f6fd724
--- /dev/null
@@ -0,0 +1,41 @@
+From 68accac392d859d24adcf1be3a90e41f978bd54c Mon Sep 17 00:00:00 2001
+From: Krzysztof Mazur <krzysiek@podlesie.net>
+Date: Fri, 6 Nov 2015 14:18:36 +0100
+Subject: x86/setup: Fix low identity map for >= 2GB kernel range
+
+From: Krzysztof Mazur <krzysiek@podlesie.net>
+
+commit 68accac392d859d24adcf1be3a90e41f978bd54c upstream.
+
+The commit f5f3497cad8c extended the low identity mapping. However, if
+the kernel uses more than 2 GB (VMSPLIT_2G_OPT or VMSPLIT_1G memory
+split), the normal memory mapping is overwritten by the low identity
+mapping causing a crash. To avoid overwritting, limit the low identity
+map to cover only memory before kernel range (PAGE_OFFSET).
+
+Fixes: f5f3497cad8c "x86/setup: Extend low identity map to cover whole kernel range
+Signed-off-by: Krzysztof Mazur <krzysiek@podlesie.net>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Matt Fleming <matt.fleming@intel.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Link: http://lkml.kernel.org/r/1446815916-22105-1-git-send-email-krzysiek@podlesie.net
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/setup.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1180,7 +1180,7 @@ void __init setup_arch(char **cmdline_p)
+        */
+       clone_pgd_range(initial_page_table,
+                       swapper_pg_dir     + KERNEL_PGD_BOUNDARY,
+-                      KERNEL_PGD_PTRS);
++                      min(KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
+ #endif
+       tboot_probe();