--- /dev/null
+From addacd801e1638f41d659cb53b9b73fc14322cb1 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 10 May 2016 10:24:02 +0200
+Subject: ALSA: hda - Fix broken reconfig
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit addacd801e1638f41d659cb53b9b73fc14322cb1 upstream.
+
+The HD-audio reconfig function got broken in the recent kernels,
+typically resulting in a failure like:
+ snd_hda_intel 0000:00:1b.0: control 3:0:0:Playback Channel Map:0 is already present
+
+This is because of the code restructuring to move the PCM and control
+instantiation into the codec drive probe, by the commit [bcd96557bd0a:
+ALSA: hda - Build PCMs and controls at codec driver probe]. Although
+the commit above removed the calls of snd_hda_codec_build_pcms() and
+*_build_controls() at the controller driver probe, the similar calls
+in the reconfig were still left forgotten. This caused the
+conflicting and duplicated PCMs and controls.
+
+The fix is trivial: just remove these superfluous calls from
+reconfig_codec().
+
+Fixes: bcd96557bd0a ('ALSA: hda - Build PCMs and controls at codec driver probe')
+Reported-by: Jochen Henneberg <jh@henneberg-systemdesign.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_sysfs.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/sound/pci/hda/hda_sysfs.c
++++ b/sound/pci/hda/hda_sysfs.c
+@@ -141,14 +141,6 @@ static int reconfig_codec(struct hda_cod
+ err = snd_hda_codec_configure(codec);
+ if (err < 0)
+ goto error;
+- /* rebuild PCMs */
+- err = snd_hda_codec_build_pcms(codec);
+- if (err < 0)
+- goto error;
+- /* rebuild mixers */
+- err = snd_hda_codec_build_controls(codec);
+- if (err < 0)
+- goto error;
+ err = snd_card_register(codec->card);
+ error:
+ snd_hda_power_down(codec);
--- /dev/null
+From 3231e2053eaeee70bdfb216a78a30f11e88e2243 Mon Sep 17 00:00:00 2001
+From: Yura Pakhuchiy <pakhuchiy@gmail.com>
+Date: Sat, 7 May 2016 23:53:36 +0700
+Subject: ALSA: hda - Fix subwoofer pin on ASUS N751 and N551
+
+From: Yura Pakhuchiy <pakhuchiy@gmail.com>
+
+commit 3231e2053eaeee70bdfb216a78a30f11e88e2243 upstream.
+
+Subwoofer does not work out of the box on ASUS N751/N551 laptops. This
+patch fixes it. Patch tested on N751 laptop. N551 part is not tested,
+but according to [1] and [2] this laptop requires similar changes, so I
+included them in the patch.
+
+1. https://github.com/honsiorovskyi/asus-n551-hda-fix
+2. https://bugs.launchpad.net/ubuntu/+source/alsa-tools/+bug/1405691
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=117781
+Signed-off-by: Yura Pakhuchiy <pakhuchiy@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6426,6 +6426,7 @@ enum {
+ ALC668_FIXUP_DELL_DISABLE_AAMIX,
+ ALC668_FIXUP_DELL_XPS13,
+ ALC662_FIXUP_ASUS_Nx50,
++ ALC668_FIXUP_ASUS_Nx51,
+ };
+
+ static const struct hda_fixup alc662_fixups[] = {
+@@ -6672,6 +6673,15 @@ static const struct hda_fixup alc662_fix
+ .chained = true,
+ .chain_id = ALC662_FIXUP_BASS_1A
+ },
++ [ALC668_FIXUP_ASUS_Nx51] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ {0x1a, 0x90170151}, /* bass speaker */
++ {}
++ },
++ .chained = true,
++ .chain_id = ALC662_FIXUP_BASS_CHMAP,
++ },
+ };
+
+ static const struct snd_pci_quirk alc662_fixup_tbl[] = {
+@@ -6699,6 +6709,8 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x1043, 0x129d, "Asus N750", ALC662_FIXUP_ASUS_Nx50),
+ SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_BASS_MODE4_CHMAP),
+ SND_PCI_QUIRK(0x1043, 0x15a7, "ASUS UX51VZH", ALC662_FIXUP_BASS_16),
++ SND_PCI_QUIRK(0x1043, 0x177d, "ASUS N551", ALC668_FIXUP_ASUS_Nx51),
++ SND_PCI_QUIRK(0x1043, 0x17bd, "ASUS N751", ALC668_FIXUP_ASUS_Nx51),
+ SND_PCI_QUIRK(0x1043, 0x1b73, "ASUS N55SF", ALC662_FIXUP_BASS_16),
+ SND_PCI_QUIRK(0x1043, 0x1bf3, "ASUS N76VZ", ALC662_FIXUP_BASS_MODE4_CHMAP),
+ SND_PCI_QUIRK(0x1043, 0x8469, "ASUS mobo", ALC662_FIXUP_NO_JACK_DETECT),
--- /dev/null
+From 2da2dc9ead232f25601404335cca13c0f722d41b Mon Sep 17 00:00:00 2001
+From: Kaho Ng <ngkaho1234@gmail.com>
+Date: Mon, 9 May 2016 00:27:49 +0800
+Subject: ALSA: hda - Fix white noise on Asus UX501VW headset
+
+From: Kaho Ng <ngkaho1234@gmail.com>
+
+commit 2da2dc9ead232f25601404335cca13c0f722d41b upstream.
+
+For reducing the noise from the headset output on ASUS UX501VW,
+call the existing fixup, alc_fixup_headset_mode_alc668(), additionally.
+
+Thread: https://bbs.archlinux.org/viewtopic.php?id=209554
+
+Signed-off-by: Kaho Ng <ngkaho1234@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6704,6 +6704,7 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x1028, 0x0698, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x069f, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
++ SND_PCI_QUIRK(0x1043, 0x1080, "Asus UX501VW", ALC668_FIXUP_HEADSET_MODE),
+ SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_ASUS_Nx50),
+ SND_PCI_QUIRK(0x1043, 0x13df, "Asus N550JX", ALC662_FIXUP_BASS_1A),
+ SND_PCI_QUIRK(0x1043, 0x129d, "Asus N750", ALC662_FIXUP_ASUS_Nx50),
--- /dev/null
+From 2d2c038a9999f423e820d89db2b5d7774b67ba49 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 29 Apr 2016 11:20:15 +0200
+Subject: ALSA: usb-audio: Quirk for yet another Phoenix Audio devices (v2)
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 2d2c038a9999f423e820d89db2b5d7774b67ba49 upstream.
+
+Phoenix Audio MT202pcs (1de7:0114) and MT202exe (1de7:0013) need the
+same workaround as TMX320 for avoiding the firmware bug. It fixes the
+frequent error about the sample rate inquiries and the slow device
+probe as consequence.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=117321
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1139,7 +1139,9 @@ bool snd_usb_get_sample_rate_quirk(struc
+ case USB_ID(0x047F, 0xAA05): /* Plantronics DA45 */
+ case USB_ID(0x04D8, 0xFEEA): /* Benchmark DAC1 Pre */
+ case USB_ID(0x074D, 0x3553): /* Outlaw RR2150 (Micronas UAC3553B) */
++ case USB_ID(0x1de7, 0x0013): /* Phoenix Audio MT202exe */
+ case USB_ID(0x1de7, 0x0014): /* Phoenix Audio TMX320 */
++ case USB_ID(0x1de7, 0x0114): /* Phoenix Audio MT202pcs */
+ case USB_ID(0x21B4, 0x0081): /* AudioQuest DragonFly */
+ return true;
+ }
--- /dev/null
+From 84add303ef950b8d85f54bc2248c2bc73467c329 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 11 May 2016 17:48:00 +0200
+Subject: ALSA: usb-audio: Yet another Phoneix Audio device quirk
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 84add303ef950b8d85f54bc2248c2bc73467c329 upstream.
+
+Phoenix Audio has yet another device with another id (even a different
+vendor id, 0556:0014) that requires the same quirk for the sample
+rate.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=110221
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1138,6 +1138,7 @@ bool snd_usb_get_sample_rate_quirk(struc
+ case USB_ID(0x047F, 0x0415): /* Plantronics BT-300 */
+ case USB_ID(0x047F, 0xAA05): /* Plantronics DA45 */
+ case USB_ID(0x04D8, 0xFEEA): /* Benchmark DAC1 Pre */
++ case USB_ID(0x0556, 0x0014): /* Phoenix Audio TMX320VC */
+ case USB_ID(0x074D, 0x3553): /* Outlaw RR2150 (Micronas UAC3553B) */
+ case USB_ID(0x1de7, 0x0013): /* Phoenix Audio MT202exe */
+ case USB_ID(0x1de7, 0x0014): /* Phoenix Audio TMX320 */
--- /dev/null
+From aab0a4c83ceb344d2327194bf354820e50607af6 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Wed, 11 May 2016 11:00:02 +0200
+Subject: ARM: dts: at91: sam9x5: Fix the memory range assigned to the PMC
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit aab0a4c83ceb344d2327194bf354820e50607af6 upstream.
+
+The memory range assigned to the PMC (Power Management Controller) was
+not including the PMC_PCR register which are used to control peripheral
+clocks.
+
+This was working fine thanks to the page granularity of ioremap(), but
+started to fail when we switched to syscon/regmap, because regmap is
+making sure that all accesses are falling into the reserved range.
+
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Reported-by: Richard Genoud <richard.genoud@gmail.com>
+Tested-by: Richard Genoud <richard.genoud@gmail.com>
+Fixes: 863a81c3be1d ("clk: at91: make use of syscon to share PMC registers in several drivers")
+Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/at91sam9x5.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/at91sam9x5.dtsi
++++ b/arch/arm/boot/dts/at91sam9x5.dtsi
+@@ -106,7 +106,7 @@
+
+ pmc: pmc@fffffc00 {
+ compatible = "atmel,at91sam9x5-pmc", "syscon";
+- reg = <0xfffffc00 0x100>;
++ reg = <0xfffffc00 0x200>;
+ interrupts = <1 IRQ_TYPE_LEVEL_HIGH 7>;
+ interrupt-controller;
+ #address-cells = <1>;
--- /dev/null
+From 10c64cea04d3c75c306b3f990586ffb343b63287 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 27 Apr 2016 01:11:55 -0400
+Subject: atomic_open(): fix the handling of create_error
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 10c64cea04d3c75c306b3f990586ffb343b63287 upstream.
+
+* if we have a hashed negative dentry and either CREAT|EXCL on
+r/o filesystem, or CREAT|TRUNC on r/o filesystem, or CREAT|EXCL
+with failing may_o_create(), we should fail with EROFS or the
+error may_o_create() has returned, but not ENOENT. Which is what
+the current code ends up returning.
+
+* if we have CREAT|TRUNC hitting a regular file on a read-only
+filesystem, we can't fail with EROFS here. At the very least,
+not until we'd done follow_managed() - we might have a writable
+file (or a device, for that matter) bound on top of that one.
+Moreover, the code downstream will see that O_TRUNC and attempt
+to grab the write access (*after* following possible mount), so
+if we really should fail with EROFS, it will happen. No need
+to do that inside atomic_open().
+
+The real logics is much simpler than what the current code is
+trying to do - if we decided to go for simple lookup, ended
+up with a negative dentry *and* had create_error set, fail with
+create_error. No matter whether we'd got that negative dentry
+from lookup_real() or had found it in dcache.
+
+Acked-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namei.c | 20 ++++----------------
+ 1 file changed, 4 insertions(+), 16 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -2906,22 +2906,10 @@ no_open:
+ dentry = lookup_real(dir, dentry, nd->flags);
+ if (IS_ERR(dentry))
+ return PTR_ERR(dentry);
+-
+- if (create_error) {
+- int open_flag = op->open_flag;
+-
+- error = create_error;
+- if ((open_flag & O_EXCL)) {
+- if (!dentry->d_inode)
+- goto out;
+- } else if (!dentry->d_inode) {
+- goto out;
+- } else if ((open_flag & O_TRUNC) &&
+- d_is_reg(dentry)) {
+- goto out;
+- }
+- /* will fail later, go on to get the right error */
+- }
++ }
++ if (create_error && !dentry->d_inode) {
++ error = create_error;
++ goto out;
+ }
+ looked_up:
+ path->dentry = dentry;
--- /dev/null
+From 13f4bb78cf6a312bbdec367ba3da044b09bf0e29 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Wed, 4 May 2016 17:52:56 +0800
+Subject: crypto: hash - Fix page length clamping in hash walk
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 13f4bb78cf6a312bbdec367ba3da044b09bf0e29 upstream.
+
+The crypto hash walk code is broken when supplied with an offset
+greater than or equal to PAGE_SIZE. This patch fixes it by adjusting
+walk->pg and walk->offset when this happens.
+
+Reported-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/ahash.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/crypto/ahash.c
++++ b/crypto/ahash.c
+@@ -69,8 +69,9 @@ static int hash_walk_new_entry(struct cr
+ struct scatterlist *sg;
+
+ sg = walk->sg;
+- walk->pg = sg_page(sg);
+ walk->offset = sg->offset;
++ walk->pg = sg_page(walk->sg) + (walk->offset >> PAGE_SHIFT);
++ walk->offset = offset_in_page(walk->offset);
+ walk->entrylen = sg->length;
+
+ if (walk->entrylen > walk->total)
--- /dev/null
+From 9e209fcfb804da262e38e5cd2e680c47a41f0f95 Mon Sep 17 00:00:00 2001
+From: Tadeusz Struk <tadeusz.struk@intel.com>
+Date: Mon, 25 Apr 2016 07:32:19 -0700
+Subject: crypto: qat - fix invalid pf2vf_resp_wq logic
+
+From: Tadeusz Struk <tadeusz.struk@intel.com>
+
+commit 9e209fcfb804da262e38e5cd2e680c47a41f0f95 upstream.
+
+The pf2vf_resp_wq is a global so it has to be created at init
+and destroyed at exit, instead of per device.
+
+Tested-by: Suresh Marikkannu <sureshx.marikkannu@intel.com>
+Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/qat/qat_common/adf_common_drv.h | 2 +
+ drivers/crypto/qat/qat_common/adf_ctl_drv.c | 6 +++++
+ drivers/crypto/qat/qat_common/adf_sriov.c | 26 +++++++++++++++----------
+ 3 files changed, 24 insertions(+), 10 deletions(-)
+
+--- a/drivers/crypto/qat/qat_common/adf_common_drv.h
++++ b/drivers/crypto/qat/qat_common/adf_common_drv.h
+@@ -145,6 +145,8 @@ int adf_enable_aer(struct adf_accel_dev
+ void adf_disable_aer(struct adf_accel_dev *accel_dev);
+ int adf_init_aer(void);
+ void adf_exit_aer(void);
++int adf_init_pf_wq(void);
++void adf_exit_pf_wq(void);
+ int adf_init_admin_comms(struct adf_accel_dev *accel_dev);
+ void adf_exit_admin_comms(struct adf_accel_dev *accel_dev);
+ int adf_send_admin_init(struct adf_accel_dev *accel_dev);
+--- a/drivers/crypto/qat/qat_common/adf_ctl_drv.c
++++ b/drivers/crypto/qat/qat_common/adf_ctl_drv.c
+@@ -469,12 +469,17 @@ static int __init adf_register_ctl_devic
+ if (adf_init_aer())
+ goto err_aer;
+
++ if (adf_init_pf_wq())
++ goto err_pf_wq;
++
+ if (qat_crypto_register())
+ goto err_crypto_register;
+
+ return 0;
+
+ err_crypto_register:
++ adf_exit_pf_wq();
++err_pf_wq:
+ adf_exit_aer();
+ err_aer:
+ adf_chr_drv_destroy();
+@@ -487,6 +492,7 @@ static void __exit adf_unregister_ctl_de
+ {
+ adf_chr_drv_destroy();
+ adf_exit_aer();
++ adf_exit_pf_wq();
+ qat_crypto_unregister();
+ adf_clean_vf_map(false);
+ mutex_destroy(&adf_ctl_lock);
+--- a/drivers/crypto/qat/qat_common/adf_sriov.c
++++ b/drivers/crypto/qat/qat_common/adf_sriov.c
+@@ -119,11 +119,6 @@ static int adf_enable_sriov(struct adf_a
+ int i;
+ u32 reg;
+
+- /* Workqueue for PF2VF responses */
+- pf2vf_resp_wq = create_workqueue("qat_pf2vf_resp_wq");
+- if (!pf2vf_resp_wq)
+- return -ENOMEM;
+-
+ for (i = 0, vf_info = accel_dev->pf.vf_info; i < totalvfs;
+ i++, vf_info++) {
+ /* This ptr will be populated when VFs will be created */
+@@ -216,11 +211,6 @@ void adf_disable_sriov(struct adf_accel_
+
+ kfree(accel_dev->pf.vf_info);
+ accel_dev->pf.vf_info = NULL;
+-
+- if (pf2vf_resp_wq) {
+- destroy_workqueue(pf2vf_resp_wq);
+- pf2vf_resp_wq = NULL;
+- }
+ }
+ EXPORT_SYMBOL_GPL(adf_disable_sriov);
+
+@@ -304,3 +294,19 @@ int adf_sriov_configure(struct pci_dev *
+ return numvfs;
+ }
+ EXPORT_SYMBOL_GPL(adf_sriov_configure);
++
++int __init adf_init_pf_wq(void)
++{
++ /* Workqueue for PF2VF responses */
++ pf2vf_resp_wq = create_workqueue("qat_pf2vf_resp_wq");
++
++ return !pf2vf_resp_wq ? -ENOMEM : 0;
++}
++
++void adf_exit_pf_wq(void)
++{
++ if (pf2vf_resp_wq) {
++ destroy_workqueue(pf2vf_resp_wq);
++ pf2vf_resp_wq = NULL;
++ }
++}
--- /dev/null
+From df27b26f04ed388ff4cc2b5d8cfdb5d97678816f Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 5 May 2016 16:42:49 +0800
+Subject: crypto: testmgr - Use kmalloc memory for RSA input
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit df27b26f04ed388ff4cc2b5d8cfdb5d97678816f upstream.
+
+As akcipher uses an SG interface, you must not use vmalloc memory
+as input for it. This patch fixes testmgr to copy the vmalloc
+test vectors to kmalloc memory before running the test.
+
+This patch also removes a superfluous sg_virt call in do_test_rsa.
+
+Reported-by: Anatoly Pugachev <matorola@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/testmgr.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+--- a/crypto/testmgr.c
++++ b/crypto/testmgr.c
+@@ -1849,6 +1849,7 @@ static int alg_test_drbg(const struct al
+ static int do_test_rsa(struct crypto_akcipher *tfm,
+ struct akcipher_testvec *vecs)
+ {
++ char *xbuf[XBUFSIZE];
+ struct akcipher_request *req;
+ void *outbuf_enc = NULL;
+ void *outbuf_dec = NULL;
+@@ -1857,9 +1858,12 @@ static int do_test_rsa(struct crypto_akc
+ int err = -ENOMEM;
+ struct scatterlist src, dst, src_tab[2];
+
++ if (testmgr_alloc_buf(xbuf))
++ return err;
++
+ req = akcipher_request_alloc(tfm, GFP_KERNEL);
+ if (!req)
+- return err;
++ goto free_xbuf;
+
+ init_completion(&result.completion);
+
+@@ -1877,9 +1881,14 @@ static int do_test_rsa(struct crypto_akc
+ if (!outbuf_enc)
+ goto free_req;
+
++ if (WARN_ON(vecs->m_size > PAGE_SIZE))
++ goto free_all;
++
++ memcpy(xbuf[0], vecs->m, vecs->m_size);
++
+ sg_init_table(src_tab, 2);
+- sg_set_buf(&src_tab[0], vecs->m, 8);
+- sg_set_buf(&src_tab[1], vecs->m + 8, vecs->m_size - 8);
++ sg_set_buf(&src_tab[0], xbuf[0], 8);
++ sg_set_buf(&src_tab[1], xbuf[0] + 8, vecs->m_size - 8);
+ sg_init_one(&dst, outbuf_enc, out_len_max);
+ akcipher_request_set_crypt(req, src_tab, &dst, vecs->m_size,
+ out_len_max);
+@@ -1898,7 +1907,7 @@ static int do_test_rsa(struct crypto_akc
+ goto free_all;
+ }
+ /* verify that encrypted message is equal to expected */
+- if (memcmp(vecs->c, sg_virt(req->dst), vecs->c_size)) {
++ if (memcmp(vecs->c, outbuf_enc, vecs->c_size)) {
+ pr_err("alg: rsa: encrypt test failed. Invalid output\n");
+ err = -EINVAL;
+ goto free_all;
+@@ -1913,7 +1922,13 @@ static int do_test_rsa(struct crypto_akc
+ err = -ENOMEM;
+ goto free_all;
+ }
+- sg_init_one(&src, vecs->c, vecs->c_size);
++
++ if (WARN_ON(vecs->c_size > PAGE_SIZE))
++ goto free_all;
++
++ memcpy(xbuf[0], vecs->c, vecs->c_size);
++
++ sg_init_one(&src, xbuf[0], vecs->c_size);
+ sg_init_one(&dst, outbuf_dec, out_len_max);
+ init_completion(&result.completion);
+ akcipher_request_set_crypt(req, &src, &dst, vecs->c_size, out_len_max);
+@@ -1940,6 +1955,8 @@ free_all:
+ kfree(outbuf_enc);
+ free_req:
+ akcipher_request_free(req);
++free_xbuf:
++ testmgr_free_buf(xbuf);
+ return err;
+ }
+
--- /dev/null
+From 99d825822eade8d827a1817357cbf3f889a552d6 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 5 May 2016 16:25:35 -0400
+Subject: get_rock_ridge_filename(): handle malformed NM entries
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 99d825822eade8d827a1817357cbf3f889a552d6 upstream.
+
+Payloads of NM entries are not supposed to contain NUL. When we run
+into such, only the part prior to the first NUL goes into the
+concatenation (i.e. the directory entry name being encoded by a bunch
+of NM entries). We do stop when the amount collected so far + the
+claimed amount in the current NM entry exceed 254. So far, so good,
+but what we return as the total length is the sum of *claimed*
+sizes, not the actual amount collected. And that can grow pretty
+large - not unlimited, since you'd need to put CE entries in
+between to be able to get more than the maximum that could be
+contained in one isofs directory entry / continuation chunk and
+we are stop once we'd encountered 32 CEs, but you can get about 8Kb
+easily. And that's what will be passed to readdir callback as the
+name length. 8Kb __copy_to_user() from a buffer allocated by
+__get_free_page()
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/isofs/rock.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_d
+ int retnamlen = 0;
+ int truncate = 0;
+ int ret = 0;
++ char *p;
++ int len;
+
+ if (!ISOFS_SB(inode->i_sb)->s_rock)
+ return 0;
+@@ -267,12 +269,17 @@ repeat:
+ rr->u.NM.flags);
+ break;
+ }
+- if ((strlen(retname) + rr->len - 5) >= 254) {
++ len = rr->len - 5;
++ if (retnamlen + len >= 254) {
+ truncate = 1;
+ break;
+ }
+- strncat(retname, rr->u.NM.name, rr->len - 5);
+- retnamlen += rr->len - 5;
++ p = memchr(rr->u.NM.name, '\0', len);
++ if (unlikely(p))
++ len = p - rr->u.NM.name;
++ memcpy(retname + retnamlen, rr->u.NM.name, len);
++ retnamlen += len;
++ retname[retnamlen] = '\0';
+ break;
+ case SIG('R', 'E'):
+ kfree(rs.buffer);
--- /dev/null
+From 6ae645d5fa385f3787bf1723639cd907fe5865e7 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Mon, 9 May 2016 09:31:47 -0700
+Subject: Input: max8997-haptic - fix NULL pointer dereference
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit 6ae645d5fa385f3787bf1723639cd907fe5865e7 upstream.
+
+NULL pointer derefence happens when booting with DTB because the
+platform data for haptic device is not set in supplied data from parent
+MFD device.
+
+The MFD device creates only platform data (from Device Tree) for itself,
+not for haptic child.
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000009c
+pgd = c0004000
+ [0000009c] *pgd=00000000
+ Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+ (max8997_haptic_probe) from [<c03f9cec>] (platform_drv_probe+0x4c/0xb0)
+ (platform_drv_probe) from [<c03f8440>] (driver_probe_device+0x214/0x2c0)
+ (driver_probe_device) from [<c03f8598>] (__driver_attach+0xac/0xb0)
+ (__driver_attach) from [<c03f67ac>] (bus_for_each_dev+0x68/0x9c)
+ (bus_for_each_dev) from [<c03f7a38>] (bus_add_driver+0x1a0/0x218)
+ (bus_add_driver) from [<c03f8db0>] (driver_register+0x78/0xf8)
+ (driver_register) from [<c0101774>] (do_one_initcall+0x90/0x1d8)
+ (do_one_initcall) from [<c0a00dbc>] (kernel_init_freeable+0x15c/0x1fc)
+ (kernel_init_freeable) from [<c06bb5b4>] (kernel_init+0x8/0x114)
+ (kernel_init) from [<c0107938>] (ret_from_fork+0x14/0x3c)
+
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Fixes: 104594b01ce7 ("Input: add driver support for MAX8997-haptic")
+[k.kozlowski: Write commit message, add CC-stable]
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/max8997_haptic.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/misc/max8997_haptic.c
++++ b/drivers/input/misc/max8997_haptic.c
+@@ -255,12 +255,14 @@ static int max8997_haptic_probe(struct p
+ struct max8997_dev *iodev = dev_get_drvdata(pdev->dev.parent);
+ const struct max8997_platform_data *pdata =
+ dev_get_platdata(iodev->dev);
+- const struct max8997_haptic_platform_data *haptic_pdata =
+- pdata->haptic_pdata;
++ const struct max8997_haptic_platform_data *haptic_pdata = NULL;
+ struct max8997_haptic *chip;
+ struct input_dev *input_dev;
+ int error;
+
++ if (pdata)
++ haptic_pdata = pdata->haptic_pdata;
++
+ if (!haptic_pdata) {
+ dev_err(&pdev->dev, "no haptic platform data\n");
+ return -EINVAL;
--- /dev/null
+From c25a1e0671fbca7b2c0d0757d533bd2650d6dc0c Mon Sep 17 00:00:00 2001
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Thu, 12 May 2016 15:42:18 -0700
+Subject: ocfs2: fix posix_acl_create deadlock
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+commit c25a1e0671fbca7b2c0d0757d533bd2650d6dc0c upstream.
+
+Commit 702e5bc68ad2 ("ocfs2: use generic posix ACL infrastructure")
+refactored code to use posix_acl_create. The problem with this function
+is that it is not mindful of the cluster wide inode lock making it
+unsuitable for use with ocfs2 inode creation with ACLs. For example,
+when used in ocfs2_mknod, this function can cause deadlock as follows.
+The parent dir inode lock is taken when calling posix_acl_create ->
+get_acl -> ocfs2_iop_get_acl which takes the inode lock again. This can
+cause deadlock if there is a blocked remote lock request waiting for the
+lock to be downconverted. And same deadlock happened in ocfs2_reflink.
+This fix is to revert back using ocfs2_init_acl.
+
+Fixes: 702e5bc68ad2 ("ocfs2: use generic posix ACL infrastructure")
+Signed-off-by: Tariq Saeed <tariq.x.saeed@oracle.com>
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Mark Fasheh <mfasheh@suse.de>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Joseph Qi <joseph.qi@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/acl.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++++
+ fs/ocfs2/acl.h | 4 +++
+ fs/ocfs2/namei.c | 23 +----------------
+ fs/ocfs2/refcounttree.c | 17 +-----------
+ fs/ocfs2/xattr.c | 14 +++-------
+ fs/ocfs2/xattr.h | 4 ---
+ 6 files changed, 77 insertions(+), 48 deletions(-)
+
+--- a/fs/ocfs2/acl.c
++++ b/fs/ocfs2/acl.c
+@@ -346,3 +346,66 @@ int ocfs2_acl_chmod(struct inode *inode,
+ posix_acl_release(acl);
+ return ret;
+ }
++
++/*
++ * Initialize the ACLs of a new inode. If parent directory has default ACL,
++ * then clone to new inode. Called from ocfs2_mknod.
++ */
++int ocfs2_init_acl(handle_t *handle,
++ struct inode *inode,
++ struct inode *dir,
++ struct buffer_head *di_bh,
++ struct buffer_head *dir_bh,
++ struct ocfs2_alloc_context *meta_ac,
++ struct ocfs2_alloc_context *data_ac)
++{
++ struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
++ struct posix_acl *acl = NULL;
++ int ret = 0, ret2;
++ umode_t mode;
++
++ if (!S_ISLNK(inode->i_mode)) {
++ if (osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL) {
++ acl = ocfs2_get_acl_nolock(dir, ACL_TYPE_DEFAULT,
++ dir_bh);
++ if (IS_ERR(acl))
++ return PTR_ERR(acl);
++ }
++ if (!acl) {
++ mode = inode->i_mode & ~current_umask();
++ ret = ocfs2_acl_set_mode(inode, di_bh, handle, mode);
++ if (ret) {
++ mlog_errno(ret);
++ goto cleanup;
++ }
++ }
++ }
++ if ((osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL) && acl) {
++ if (S_ISDIR(inode->i_mode)) {
++ ret = ocfs2_set_acl(handle, inode, di_bh,
++ ACL_TYPE_DEFAULT, acl,
++ meta_ac, data_ac);
++ if (ret)
++ goto cleanup;
++ }
++ mode = inode->i_mode;
++ ret = __posix_acl_create(&acl, GFP_NOFS, &mode);
++ if (ret < 0)
++ return ret;
++
++ ret2 = ocfs2_acl_set_mode(inode, di_bh, handle, mode);
++ if (ret2) {
++ mlog_errno(ret2);
++ ret = ret2;
++ goto cleanup;
++ }
++ if (ret > 0) {
++ ret = ocfs2_set_acl(handle, inode,
++ di_bh, ACL_TYPE_ACCESS,
++ acl, meta_ac, data_ac);
++ }
++ }
++cleanup:
++ posix_acl_release(acl);
++ return ret;
++}
+--- a/fs/ocfs2/acl.h
++++ b/fs/ocfs2/acl.h
+@@ -36,5 +36,9 @@ int ocfs2_set_acl(handle_t *handle,
+ struct ocfs2_alloc_context *meta_ac,
+ struct ocfs2_alloc_context *data_ac);
+ extern int ocfs2_acl_chmod(struct inode *, struct buffer_head *);
++extern int ocfs2_init_acl(handle_t *, struct inode *, struct inode *,
++ struct buffer_head *, struct buffer_head *,
++ struct ocfs2_alloc_context *,
++ struct ocfs2_alloc_context *);
+
+ #endif /* OCFS2_ACL_H */
+--- a/fs/ocfs2/namei.c
++++ b/fs/ocfs2/namei.c
+@@ -259,7 +259,6 @@ static int ocfs2_mknod(struct inode *dir
+ struct ocfs2_dir_lookup_result lookup = { NULL, };
+ sigset_t oldset;
+ int did_block_signals = 0;
+- struct posix_acl *default_acl = NULL, *acl = NULL;
+ struct ocfs2_dentry_lock *dl = NULL;
+
+ trace_ocfs2_mknod(dir, dentry, dentry->d_name.len, dentry->d_name.name,
+@@ -367,12 +366,6 @@ static int ocfs2_mknod(struct inode *dir
+ goto leave;
+ }
+
+- status = posix_acl_create(dir, &inode->i_mode, &default_acl, &acl);
+- if (status) {
+- mlog_errno(status);
+- goto leave;
+- }
+-
+ handle = ocfs2_start_trans(osb, ocfs2_mknod_credits(osb->sb,
+ S_ISDIR(mode),
+ xattr_credits));
+@@ -421,16 +414,8 @@ static int ocfs2_mknod(struct inode *dir
+ inc_nlink(dir);
+ }
+
+- if (default_acl) {
+- status = ocfs2_set_acl(handle, inode, new_fe_bh,
+- ACL_TYPE_DEFAULT, default_acl,
+- meta_ac, data_ac);
+- }
+- if (!status && acl) {
+- status = ocfs2_set_acl(handle, inode, new_fe_bh,
+- ACL_TYPE_ACCESS, acl,
+- meta_ac, data_ac);
+- }
++ status = ocfs2_init_acl(handle, inode, dir, new_fe_bh, parent_fe_bh,
++ meta_ac, data_ac);
+
+ if (status < 0) {
+ mlog_errno(status);
+@@ -472,10 +457,6 @@ static int ocfs2_mknod(struct inode *dir
+ d_instantiate(dentry, inode);
+ status = 0;
+ leave:
+- if (default_acl)
+- posix_acl_release(default_acl);
+- if (acl)
+- posix_acl_release(acl);
+ if (status < 0 && did_quota_inode)
+ dquot_free_inode(inode);
+ if (handle)
+--- a/fs/ocfs2/refcounttree.c
++++ b/fs/ocfs2/refcounttree.c
+@@ -4248,20 +4248,12 @@ static int ocfs2_reflink(struct dentry *
+ struct inode *inode = d_inode(old_dentry);
+ struct buffer_head *old_bh = NULL;
+ struct inode *new_orphan_inode = NULL;
+- struct posix_acl *default_acl, *acl;
+- umode_t mode;
+
+ if (!ocfs2_refcount_tree(OCFS2_SB(inode->i_sb)))
+ return -EOPNOTSUPP;
+
+- mode = inode->i_mode;
+- error = posix_acl_create(dir, &mode, &default_acl, &acl);
+- if (error) {
+- mlog_errno(error);
+- return error;
+- }
+
+- error = ocfs2_create_inode_in_orphan(dir, mode,
++ error = ocfs2_create_inode_in_orphan(dir, inode->i_mode,
+ &new_orphan_inode);
+ if (error) {
+ mlog_errno(error);
+@@ -4300,16 +4292,11 @@ static int ocfs2_reflink(struct dentry *
+ /* If the security isn't preserved, we need to re-initialize them. */
+ if (!preserve) {
+ error = ocfs2_init_security_and_acl(dir, new_orphan_inode,
+- &new_dentry->d_name,
+- default_acl, acl);
++ &new_dentry->d_name);
+ if (error)
+ mlog_errno(error);
+ }
+ out:
+- if (default_acl)
+- posix_acl_release(default_acl);
+- if (acl)
+- posix_acl_release(acl);
+ if (!error) {
+ error = ocfs2_mv_orphaned_inode_to_new(dir, new_orphan_inode,
+ new_dentry);
+--- a/fs/ocfs2/xattr.c
++++ b/fs/ocfs2/xattr.c
+@@ -7197,12 +7197,10 @@ out:
+ */
+ int ocfs2_init_security_and_acl(struct inode *dir,
+ struct inode *inode,
+- const struct qstr *qstr,
+- struct posix_acl *default_acl,
+- struct posix_acl *acl)
++ const struct qstr *qstr)
+ {
+- struct buffer_head *dir_bh = NULL;
+ int ret = 0;
++ struct buffer_head *dir_bh = NULL;
+
+ ret = ocfs2_init_security_get(inode, dir, qstr, NULL);
+ if (ret) {
+@@ -7215,11 +7213,9 @@ int ocfs2_init_security_and_acl(struct i
+ mlog_errno(ret);
+ goto leave;
+ }
+-
+- if (!ret && default_acl)
+- ret = ocfs2_iop_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
+- if (!ret && acl)
+- ret = ocfs2_iop_set_acl(inode, acl, ACL_TYPE_ACCESS);
++ ret = ocfs2_init_acl(NULL, inode, dir, NULL, dir_bh, NULL, NULL);
++ if (ret)
++ mlog_errno(ret);
+
+ ocfs2_inode_unlock(dir, 0);
+ brelse(dir_bh);
+--- a/fs/ocfs2/xattr.h
++++ b/fs/ocfs2/xattr.h
+@@ -94,7 +94,5 @@ int ocfs2_reflink_xattrs(struct inode *o
+ bool preserve_security);
+ int ocfs2_init_security_and_acl(struct inode *dir,
+ struct inode *inode,
+- const struct qstr *qstr,
+- struct posix_acl *default_acl,
+- struct posix_acl *acl);
++ const struct qstr *qstr);
+ #endif /* OCFS2_XATTR_H */
--- /dev/null
+From 5ee0fbd50fdf1c1329de8bee35ea9d7c6a81a2e0 Mon Sep 17 00:00:00 2001
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Thu, 12 May 2016 15:42:15 -0700
+Subject: ocfs2: revert using ocfs2_acl_chmod to avoid inode cluster lock hang
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+commit 5ee0fbd50fdf1c1329de8bee35ea9d7c6a81a2e0 upstream.
+
+Commit 743b5f1434f5 ("ocfs2: take inode lock in ocfs2_iop_set/get_acl()")
+introduced this issue. ocfs2_setattr called by chmod command holds
+cluster wide inode lock when calling posix_acl_chmod. This latter
+function in turn calls ocfs2_iop_get_acl and ocfs2_iop_set_acl. These
+two are also called directly from vfs layer for getfacl/setfacl commands
+and therefore acquire the cluster wide inode lock. If a remote
+conversion request comes after the first inode lock in ocfs2_setattr,
+OCFS2_LOCK_BLOCKED will be set. And this will cause the second call to
+inode lock from the ocfs2_iop_get_acl() to block indefinetly.
+
+The deleted version of ocfs2_acl_chmod() calls __posix_acl_chmod() which
+does not call back into the filesystem. Therefore, we restore
+ocfs2_acl_chmod(), modify it slightly for locking as needed, and use that
+instead.
+
+Fixes: 743b5f1434f5 ("ocfs2: take inode lock in ocfs2_iop_set/get_acl()")
+Signed-off-by: Tariq Saeed <tariq.x.saeed@oracle.com>
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Mark Fasheh <mfasheh@suse.de>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Joseph Qi <joseph.qi@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/acl.c | 24 ++++++++++++++++++++++++
+ fs/ocfs2/acl.h | 1 +
+ fs/ocfs2/file.c | 4 ++--
+ 3 files changed, 27 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/acl.c
++++ b/fs/ocfs2/acl.c
+@@ -322,3 +322,27 @@ struct posix_acl *ocfs2_iop_get_acl(stru
+ brelse(di_bh);
+ return acl;
+ }
++
++int ocfs2_acl_chmod(struct inode *inode, struct buffer_head *bh)
++{
++ struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
++ struct posix_acl *acl;
++ int ret;
++
++ if (S_ISLNK(inode->i_mode))
++ return -EOPNOTSUPP;
++
++ if (!(osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL))
++ return 0;
++
++ acl = ocfs2_get_acl_nolock(inode, ACL_TYPE_ACCESS, bh);
++ if (IS_ERR(acl) || !acl)
++ return PTR_ERR(acl);
++ ret = __posix_acl_chmod(&acl, GFP_KERNEL, inode->i_mode);
++ if (ret)
++ return ret;
++ ret = ocfs2_set_acl(NULL, inode, NULL, ACL_TYPE_ACCESS,
++ acl, NULL, NULL);
++ posix_acl_release(acl);
++ return ret;
++}
+--- a/fs/ocfs2/acl.h
++++ b/fs/ocfs2/acl.h
+@@ -35,5 +35,6 @@ int ocfs2_set_acl(handle_t *handle,
+ struct posix_acl *acl,
+ struct ocfs2_alloc_context *meta_ac,
+ struct ocfs2_alloc_context *data_ac);
++extern int ocfs2_acl_chmod(struct inode *, struct buffer_head *);
+
+ #endif /* OCFS2_ACL_H */
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -1268,20 +1268,20 @@ bail_unlock_rw:
+ if (size_change)
+ ocfs2_rw_unlock(inode, 1);
+ bail:
+- brelse(bh);
+
+ /* Release quota pointers in case we acquired them */
+ for (qtype = 0; qtype < OCFS2_MAXQUOTAS; qtype++)
+ dqput(transfer_to[qtype]);
+
+ if (!status && attr->ia_valid & ATTR_MODE) {
+- status = posix_acl_chmod(inode, inode->i_mode);
++ status = ocfs2_acl_chmod(inode, bh);
+ if (status < 0)
+ mlog_errno(status);
+ }
+ if (inode_locked)
+ ocfs2_inode_unlock(inode, 1);
+
++ brelse(bh);
+ return status;
+ }
+
--- /dev/null
+From 9f448cd3cbcec8995935e60b27802ae56aac8cc0 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Tue, 10 May 2016 16:18:33 +0300
+Subject: perf/core: Disable the event on a truncated AUX record
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 9f448cd3cbcec8995935e60b27802ae56aac8cc0 upstream.
+
+When the PMU driver reports a truncated AUX record, it effectively means
+that there is no more usable room in the event's AUX buffer (even though
+there may still be some room, so that perf_aux_output_begin() doesn't take
+action). At this point the consumer still has to be woken up and the event
+has to be disabled, otherwise the event will just keep spinning between
+perf_aux_output_begin() and perf_aux_output_end() until its context gets
+unscheduled.
+
+Again, for cpu-wide events this means never, so once in this condition,
+they will be forever losing data.
+
+Fix this by disabling the event and waking up the consumer in case of a
+truncated AUX record.
+
+Reported-by: Markus Metzger <markus.t.metzger@intel.com>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: vince@deater.net
+Link: http://lkml.kernel.org/r/1462886313-13660-3-git-send-email-alexander.shishkin@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/ring_buffer.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/kernel/events/ring_buffer.c
++++ b/kernel/events/ring_buffer.c
+@@ -347,6 +347,7 @@ void perf_aux_output_end(struct perf_out
+ bool truncated)
+ {
+ struct ring_buffer *rb = handle->rb;
++ bool wakeup = truncated;
+ unsigned long aux_head;
+ u64 flags = 0;
+
+@@ -375,9 +376,16 @@ void perf_aux_output_end(struct perf_out
+ aux_head = rb->user_page->aux_head = local_read(&rb->aux_head);
+
+ if (aux_head - local_read(&rb->aux_wakeup) >= rb->aux_watermark) {
+- perf_output_wakeup(handle);
++ wakeup = true;
+ local_add(rb->aux_watermark, &rb->aux_wakeup);
+ }
++
++ if (wakeup) {
++ if (truncated)
++ handle->event->pending_disable = 1;
++ perf_output_wakeup(handle);
++ }
++
+ handle->event = NULL;
+
+ local_set(&rb->aux_nest, 0);
--- /dev/null
+From 5305a7b7e860bb40ab226bc7d58019416073948a Mon Sep 17 00:00:00 2001
+From: Ludovic Desroches <ludovic.desroches@atmel.com>
+Date: Tue, 19 Apr 2016 16:03:45 +0200
+Subject: pinctrl: at91-pio4: fix pull-up/down logic
+
+From: Ludovic Desroches <ludovic.desroches@atmel.com>
+
+commit 5305a7b7e860bb40ab226bc7d58019416073948a upstream.
+
+The default configuration of a pin is often with a value in the
+pull-up/down field at chip reset. So, even if the internal logic of the
+controller prevents writing a configuration with pull-up and pull-down at
+the same time, we must ensure explicitly this condition before writing the
+register.
+
+This was leading to a pull-down condition not taken into account for
+instance.
+
+Signed-off-by: Ludovic Desroches <ludovic.desroches@atmel.com>
+Fixes: 776180848b57 ("pinctrl: introduce driver for Atmel PIO4 controller")
+Acked-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/pinctrl-at91-pio4.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pinctrl/pinctrl-at91-pio4.c
++++ b/drivers/pinctrl/pinctrl-at91-pio4.c
+@@ -717,9 +717,11 @@ static int atmel_conf_pin_config_group_s
+ break;
+ case PIN_CONFIG_BIAS_PULL_UP:
+ conf |= ATMEL_PIO_PUEN_MASK;
++ conf &= (~ATMEL_PIO_PDEN_MASK);
+ break;
+ case PIN_CONFIG_BIAS_PULL_DOWN:
+ conf |= ATMEL_PIO_PDEN_MASK;
++ conf &= (~ATMEL_PIO_PUEN_MASK);
+ break;
+ case PIN_CONFIG_DRIVE_OPEN_DRAIN:
+ if (arg == 0)
--- /dev/null
+From 2bcbc81421c511ef117cadcf0bee9c4340e68db0 Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Wed, 27 Apr 2016 10:48:52 +0200
+Subject: qla1280: Don't allocate 512kb of host tags
+
+From: Johannes Thumshirn <jthumshirn@suse.de>
+
+commit 2bcbc81421c511ef117cadcf0bee9c4340e68db0 upstream.
+
+The qla1280 driver sets the scsi_host_template's can_queue field to 0xfffff
+which results in an allocation failure when allocating the block layer tags
+for the driver's queues. This was introduced with the change for host wide
+tags in commit 64d513ac31b - "scsi: use host wide tags by default".
+
+Reduce can_queue to MAX_OUTSTANDING_COMMANDS (512) to solve the allocation
+error.
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Fixes: 64d513ac31b - "scsi: use host wide tags by default"
+Cc: Laura Abbott <labbott@redhat.com>
+Cc: Michael Reed <mdr@sgi.com>
+Reviewed-by: Laurence Oberman <loberman@redhat.com>
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: James Bottomley <jejb@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla1280.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla1280.c
++++ b/drivers/scsi/qla1280.c
+@@ -4214,7 +4214,7 @@ static struct scsi_host_template qla1280
+ .eh_bus_reset_handler = qla1280_eh_bus_reset,
+ .eh_host_reset_handler = qla1280_eh_adapter_reset,
+ .bios_param = qla1280_biosparam,
+- .can_queue = 0xfffff,
++ .can_queue = MAX_OUTSTANDING_COMMANDS,
+ .this_id = -1,
+ .sg_tablesize = SG_ALL,
+ .use_clustering = ENABLE_CLUSTERING,
--- /dev/null
+From dec8e8f6e6504aa3496c0f7cc10c756bb0e10f44 Mon Sep 17 00:00:00 2001
+From: Jack Pham <jackp@codeaurora.org>
+Date: Thu, 14 Apr 2016 23:37:26 -0700
+Subject: regmap: spmi: Fix regmap_spmi_ext_read in multi-byte case
+
+From: Jack Pham <jackp@codeaurora.org>
+
+commit dec8e8f6e6504aa3496c0f7cc10c756bb0e10f44 upstream.
+
+Specifically for the case of reads that use the Extended Register
+Read Long command, a multi-byte read operation is broken up into
+8-byte chunks. However the call to spmi_ext_register_readl() is
+incorrectly passing 'val_size', which if greater than 8 will
+always fail. The argument should instead be 'len'.
+
+Fixes: c9afbb05a9ff ("regmap: spmi: support base and extended register spaces")
+Signed-off-by: Jack Pham <jackp@codeaurora.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/regmap/regmap-spmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/regmap/regmap-spmi.c
++++ b/drivers/base/regmap/regmap-spmi.c
+@@ -142,7 +142,7 @@ static int regmap_spmi_ext_read(void *co
+ while (val_size) {
+ len = min_t(size_t, val_size, 8);
+
+- err = spmi_ext_register_readl(context, addr, val, val_size);
++ err = spmi_ext_register_readl(context, addr, val, len);
+ if (err)
+ goto err_out;
+
--- /dev/null
+From a2262e5a12e05389ab4c7fc5cf60016b041dd8dc Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 27 Apr 2016 15:59:27 +0200
+Subject: regulator: axp20x: Fix axp22x ldo_io voltage ranges
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit a2262e5a12e05389ab4c7fc5cf60016b041dd8dc upstream.
+
+The minium voltage of 1800mV is a copy and paste error from the axp20x
+regulator info. The correct minimum voltage for the ldo_io regulators
+on the axp22x is 700mV.
+
+Fixes: 1b82b4e4f954 ("regulator: axp20x: Add support for AXP22X regulators")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/axp20x-regulator.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/regulator/axp20x-regulator.c
++++ b/drivers/regulator/axp20x-regulator.c
+@@ -221,10 +221,10 @@ static const struct regulator_desc axp22
+ AXP22X_ELDO2_V_OUT, 0x1f, AXP22X_PWR_OUT_CTRL2, BIT(1)),
+ AXP_DESC(AXP22X, ELDO3, "eldo3", "eldoin", 700, 3300, 100,
+ AXP22X_ELDO3_V_OUT, 0x1f, AXP22X_PWR_OUT_CTRL2, BIT(2)),
+- AXP_DESC_IO(AXP22X, LDO_IO0, "ldo_io0", "ips", 1800, 3300, 100,
++ AXP_DESC_IO(AXP22X, LDO_IO0, "ldo_io0", "ips", 700, 3300, 100,
+ AXP22X_LDO_IO0_V_OUT, 0x1f, AXP20X_GPIO0_CTRL, 0x07,
+ AXP22X_IO_ENABLED, AXP22X_IO_DISABLED),
+- AXP_DESC_IO(AXP22X, LDO_IO1, "ldo_io1", "ips", 1800, 3300, 100,
++ AXP_DESC_IO(AXP22X, LDO_IO1, "ldo_io1", "ips", 700, 3300, 100,
+ AXP22X_LDO_IO1_V_OUT, 0x1f, AXP20X_GPIO1_CTRL, 0x07,
+ AXP22X_IO_ENABLED, AXP22X_IO_DISABLED),
+ AXP_DESC_FIXED(AXP22X, RTC_LDO, "rtc_ldo", "ips", 3000),
--- /dev/null
+From 3b672623079bb3e5685b8549e514f2dfaa564406 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Date: Mon, 28 Mar 2016 13:09:56 +0900
+Subject: regulator: s2mps11: Fix invalid selector mask and voltages for buck9
+
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+
+commit 3b672623079bb3e5685b8549e514f2dfaa564406 upstream.
+
+The buck9 regulator of S2MPS11 PMIC had incorrect vsel_mask (0xff
+instead of 0x1f) thus reading entire register as buck9's voltage. This
+effectively caused regulator core to interpret values as higher voltages
+than they were and then to set real voltage much lower than intended.
+
+The buck9 provides power to other regulators, including LDO13
+and LDO19 which supply the MMC2 (SD card). On Odroid XU3/XU4 the lower
+voltage caused SD card detection errors on Odroid XU3/XU4:
+ mmc1: card never left busy state
+ mmc1: error -110 whilst initialising SD card
+
+During driver probe the regulator core was checking whether initial
+voltage matches the constraints. With incorrect vsel_mask of 0xff and
+default value of 0x50, the core interpreted this as 5 V which is outside
+of constraints (3-3.775 V). Then the regulator core was adjusting the
+voltage to match the constraints. With incorrect vsel_mask this new
+voltage mapped to a vere low voltage in the driver.
+
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Reviewed-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Tested-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/s2mps11.c | 28 ++++++++++++++++++++++------
+ include/linux/mfd/samsung/s2mps11.h | 2 ++
+ 2 files changed, 24 insertions(+), 6 deletions(-)
+
+--- a/drivers/regulator/s2mps11.c
++++ b/drivers/regulator/s2mps11.c
+@@ -305,7 +305,7 @@ static struct regulator_ops s2mps11_buck
+ .enable_mask = S2MPS11_ENABLE_MASK \
+ }
+
+-#define regulator_desc_s2mps11_buck6_10(num, min, step) { \
++#define regulator_desc_s2mps11_buck67810(num, min, step) { \
+ .name = "BUCK"#num, \
+ .id = S2MPS11_BUCK##num, \
+ .ops = &s2mps11_buck_ops, \
+@@ -321,6 +321,22 @@ static struct regulator_ops s2mps11_buck
+ .enable_mask = S2MPS11_ENABLE_MASK \
+ }
+
++#define regulator_desc_s2mps11_buck9 { \
++ .name = "BUCK9", \
++ .id = S2MPS11_BUCK9, \
++ .ops = &s2mps11_buck_ops, \
++ .type = REGULATOR_VOLTAGE, \
++ .owner = THIS_MODULE, \
++ .min_uV = MIN_3000_MV, \
++ .uV_step = STEP_25_MV, \
++ .n_voltages = S2MPS11_BUCK9_N_VOLTAGES, \
++ .ramp_delay = S2MPS11_RAMP_DELAY, \
++ .vsel_reg = S2MPS11_REG_B9CTRL2, \
++ .vsel_mask = S2MPS11_BUCK9_VSEL_MASK, \
++ .enable_reg = S2MPS11_REG_B9CTRL1, \
++ .enable_mask = S2MPS11_ENABLE_MASK \
++}
++
+ static const struct regulator_desc s2mps11_regulators[] = {
+ regulator_desc_s2mps11_ldo(1, STEP_25_MV),
+ regulator_desc_s2mps11_ldo(2, STEP_50_MV),
+@@ -365,11 +381,11 @@ static const struct regulator_desc s2mps
+ regulator_desc_s2mps11_buck1_4(3),
+ regulator_desc_s2mps11_buck1_4(4),
+ regulator_desc_s2mps11_buck5,
+- regulator_desc_s2mps11_buck6_10(6, MIN_600_MV, STEP_6_25_MV),
+- regulator_desc_s2mps11_buck6_10(7, MIN_600_MV, STEP_6_25_MV),
+- regulator_desc_s2mps11_buck6_10(8, MIN_600_MV, STEP_6_25_MV),
+- regulator_desc_s2mps11_buck6_10(9, MIN_3000_MV, STEP_25_MV),
+- regulator_desc_s2mps11_buck6_10(10, MIN_750_MV, STEP_12_5_MV),
++ regulator_desc_s2mps11_buck67810(6, MIN_600_MV, STEP_6_25_MV),
++ regulator_desc_s2mps11_buck67810(7, MIN_600_MV, STEP_6_25_MV),
++ regulator_desc_s2mps11_buck67810(8, MIN_600_MV, STEP_6_25_MV),
++ regulator_desc_s2mps11_buck9,
++ regulator_desc_s2mps11_buck67810(10, MIN_750_MV, STEP_12_5_MV),
+ };
+
+ static struct regulator_ops s2mps14_reg_ops;
+--- a/include/linux/mfd/samsung/s2mps11.h
++++ b/include/linux/mfd/samsung/s2mps11.h
+@@ -173,10 +173,12 @@ enum s2mps11_regulators {
+
+ #define S2MPS11_LDO_VSEL_MASK 0x3F
+ #define S2MPS11_BUCK_VSEL_MASK 0xFF
++#define S2MPS11_BUCK9_VSEL_MASK 0x1F
+ #define S2MPS11_ENABLE_MASK (0x03 << S2MPS11_ENABLE_SHIFT)
+ #define S2MPS11_ENABLE_SHIFT 0x06
+ #define S2MPS11_LDO_N_VOLTAGES (S2MPS11_LDO_VSEL_MASK + 1)
+ #define S2MPS11_BUCK_N_VOLTAGES (S2MPS11_BUCK_VSEL_MASK + 1)
++#define S2MPS11_BUCK9_N_VOLTAGES (S2MPS11_BUCK9_VSEL_MASK + 1)
+ #define S2MPS11_RAMP_DELAY 25000 /* uV/us */
+
+ #define S2MPS11_CTRL1_PWRHOLD_MASK BIT(4)
--- /dev/null
+From 93f0750dcdaed083d6209b01e952e98ca730db66 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Date: Wed, 11 May 2016 13:09:34 -0300
+Subject: Revert "[media] videobuf2-v4l2: Verify planes array in buffer dequeueing"
+
+From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+
+commit 93f0750dcdaed083d6209b01e952e98ca730db66 upstream.
+
+This patch causes a Kernel panic when called on a DVB driver.
+
+This was also reported by David R <david@unsolicited.net>:
+
+May 7 14:47:35 server kernel: [ 501.247123] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
+May 7 14:47:35 server kernel: [ 501.247239] IP: [<ffffffffa0222c71>] __verify_planes_array.isra.3+0x1/0x80 [videobuf2_v4l2]
+May 7 14:47:35 server kernel: [ 501.247354] PGD cae6f067 PUD ca99c067 PMD 0
+May 7 14:47:35 server kernel: [ 501.247426] Oops: 0000 [#1] SMP
+May 7 14:47:35 server kernel: [ 501.247482] Modules linked in: xfs tun xt_connmark xt_TCPMSS xt_tcpmss xt_owner xt_REDIRECT nf_nat_redirect xt_nat ipt_MASQUERADE nf_nat_masquerade_ipv4 ts_kmp ts_bm xt_string ipt_REJECT nf_reject_ipv4 xt_recent xt_conntrack xt_multiport xt_pkttype xt_tcpudp xt_mark nf_log_ipv4 nf_log_common xt_LOG xt_limit iptable_mangle iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_filter ip_tables ip6table_filter ip6_tables x_tables pppoe pppox dm_crypt ts2020 regmap_i2c ds3000 cx88_dvb dvb_pll cx88_vp3054_i2c mt352 videobuf2_dvb cx8800 cx8802 cx88xx pl2303 tveeprom videobuf2_dma_sg ppdev videobuf2_memops videobuf2_v4l2 videobuf2_core dvb_usb_digitv snd_hda_codec_via snd_hda_codec_hdmi snd_hda_codec_generic radeon dvb_usb snd_hda_intel amd64_edac_mod serio_raw snd_hda_codec edac_core fbcon k10temp bitblit softcursor snd_hda_core font snd_pcm_oss i2c_piix4 snd_mixer_oss tileblit drm_kms_helper syscopyarea snd_pcm snd_seq_dummy sysfillrect snd_seq_oss sysimgblt fb_sys_fops ttm snd_seq_midi r8169 snd_rawmidi drm snd_seq_midi_event e1000e snd_seq snd_seq_device snd_timer snd ptp pps_core i2c_algo_bit soundcore parport_pc ohci_pci shpchp tpm_tis tpm nfsd auth_rpcgss oid_registry hwmon_vid exportfs nfs_acl mii nfs bonding lockd grace lp sunrpc parport
+May 7 14:47:35 server kernel: [ 501.249564] CPU: 1 PID: 6889 Comm: vb2-cx88[0] Not tainted 4.5.3 #3
+May 7 14:47:35 server kernel: [ 501.249644] Hardware name: System manufacturer System Product Name/M4A785TD-V EVO, BIOS 0211 07/08/2009
+May 7 14:47:35 server kernel: [ 501.249767] task: ffff8800aebf3600 ti: ffff8801e07a0000 task.ti: ffff8801e07a0000
+May 7 14:47:35 server kernel: [ 501.249861] RIP: 0010:[<ffffffffa0222c71>] [<ffffffffa0222c71>] __verify_planes_array.isra.3+0x1/0x80 [videobuf2_v4l2]
+May 7 14:47:35 server kernel: [ 501.250002] RSP: 0018:ffff8801e07a3de8 EFLAGS: 00010086
+May 7 14:47:35 server kernel: [ 501.250071] RAX: 0000000000000283 RBX: ffff880210dc5000 RCX: 0000000000000283
+May 7 14:47:35 server kernel: [ 501.250161] RDX: ffffffffa0222cf0 RSI: 0000000000000000 RDI: ffff880210dc5014
+May 7 14:47:35 server kernel: [ 501.250251] RBP: ffff8801e07a3df8 R08: ffff8801e07a0000 R09: 0000000000000000
+May 7 14:47:35 server kernel: [ 501.250348] R10: 0000000000000000 R11: 0000000000000001 R12: ffff8800cda2a9d8
+May 7 14:47:35 server kernel: [ 501.250438] R13: ffff880210dc51b8 R14: 0000000000000000 R15: ffff8800cda2a828
+May 7 14:47:35 server kernel: [ 501.250528] FS: 00007f5b77fff700(0000) GS:ffff88021fc40000(0000) knlGS:00000000adaffb40
+May 7 14:47:35 server kernel: [ 501.250631] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+May 7 14:47:35 server kernel: [ 501.250704] CR2: 0000000000000004 CR3: 00000000ca19d000 CR4: 00000000000006e0
+May 7 14:47:35 server kernel: [ 501.250794] Stack:
+May 7 14:47:35 server kernel: [ 501.250822] ffff8801e07a3df8 ffffffffa0222cfd ffff8801e07a3e70 ffffffffa0236beb
+May 7 14:47:35 server kernel: [ 501.250937] 0000000000000283 ffff8801e07a3e94 0000000000000000 0000000000000000
+May 7 14:47:35 server kernel: [ 501.251051] ffff8800aebf3600 ffffffff8108d8e0 ffff8801e07a3e38 ffff8801e07a3e38
+May 7 14:47:35 server kernel: [ 501.251165] Call Trace:
+May 7 14:47:35 server kernel: [ 501.251200] [<ffffffffa0222cfd>] ? __verify_planes_array_core+0xd/0x10 [videobuf2_v4l2]
+May 7 14:47:35 server kernel: [ 501.251306] [<ffffffffa0236beb>] vb2_core_dqbuf+0x2eb/0x4c0 [videobuf2_core]
+May 7 14:47:35 server kernel: [ 501.251398] [<ffffffff8108d8e0>] ? prepare_to_wait_event+0x100/0x100
+May 7 14:47:35 server kernel: [ 501.251482] [<ffffffffa023855b>] vb2_thread+0x1cb/0x220 [videobuf2_core]
+May 7 14:47:35 server kernel: [ 501.251569] [<ffffffffa0238390>] ? vb2_core_qbuf+0x230/0x230 [videobuf2_core]
+May 7 14:47:35 server kernel: [ 501.251662] [<ffffffffa0238390>] ? vb2_core_qbuf+0x230/0x230 [videobuf2_core]
+May 7 14:47:35 server kernel: [ 501.255982] [<ffffffff8106f984>] kthread+0xc4/0xe0
+May 7 14:47:35 server kernel: [ 501.260292] [<ffffffff8106f8c0>] ? kthread_park+0x50/0x50
+May 7 14:47:35 server kernel: [ 501.264615] [<ffffffff81697a5f>] ret_from_fork+0x3f/0x70
+May 7 14:47:35 server kernel: [ 501.268962] [<ffffffff8106f8c0>] ? kthread_park+0x50/0x50
+May 7 14:47:35 server kernel: [ 501.273216] Code: 0d 01 74 16 48 8b 46 28 48 8b 56 30 48 89 87 d0 01 00 00 48 89 97 d8 01 00 00 5d c3 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 55 <8b> 46 04 48 89 e5 8d 50 f7 31 c0 83 fa 01 76 02 5d c3 48 83 7e
+May 7 14:47:35 server kernel: [ 501.282146] RIP [<ffffffffa0222c71>] __verify_planes_array.isra.3+0x1/0x80 [videobuf2_v4l2]
+May 7 14:47:35 server kernel: [ 501.286391] RSP <ffff8801e07a3de8>
+May 7 14:47:35 server kernel: [ 501.290619] CR2: 0000000000000004
+May 7 14:47:35 server kernel: [ 501.294786] ---[ end trace b2b354153ccad110 ]---
+
+This reverts commit 2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab.
+
+Cc: Sakari Ailus <sakari.ailus@linux.intel.com>
+Cc: Hans Verkuil <hans.verkuil@cisco.com>
+Fixes: 2c1f6951a8a8 ("[media] videobuf2-v4l2: Verify planes array in buffer dequeueing")
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/videobuf2-v4l2.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-v4l2.c
++++ b/drivers/media/v4l2-core/videobuf2-v4l2.c
+@@ -67,11 +67,6 @@ static int __verify_planes_array(struct
+ return 0;
+ }
+
+-static int __verify_planes_array_core(struct vb2_buffer *vb, const void *pb)
+-{
+- return __verify_planes_array(vb, pb);
+-}
+-
+ /**
+ * __verify_length() - Verify that the bytesused value for each plane fits in
+ * the plane length and that the data offset doesn't exceed the bytesused value.
+@@ -437,7 +432,6 @@ static int __fill_vb2_buffer(struct vb2_
+ }
+
+ static const struct vb2_buf_ops v4l2_buf_ops = {
+- .verify_planes_array = __verify_planes_array_core,
+ .fill_user_buffer = __fill_v4l2_buffer,
+ .fill_vb2_buffer = __fill_vb2_buffer,
+ .set_timestamp = __set_timestamp,
--- /dev/null
+From 723cacbd9dc79582e562c123a0bacf8bfc69e72a Mon Sep 17 00:00:00 2001
+From: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+Date: Fri, 15 Apr 2016 16:38:40 +0200
+Subject: s390/mm: fix asce_bits handling with dynamic pagetable levels
+
+From: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+
+commit 723cacbd9dc79582e562c123a0bacf8bfc69e72a upstream.
+
+There is a race with multi-threaded applications between context switch and
+pagetable upgrade. In switch_mm() a new user_asce is built from mm->pgd and
+mm->context.asce_bits, w/o holding any locks. A concurrent mmap with a
+pagetable upgrade on another thread in crst_table_upgrade() could already
+have set new asce_bits, but not yet the new mm->pgd. This would result in a
+corrupt user_asce in switch_mm(), and eventually in a kernel panic from a
+translation exception.
+
+Fix this by storing the complete asce instead of just the asce_bits, which
+can then be read atomically from switch_mm(), so that it either sees the
+old value or the new value, but no mixture. Both cases are OK. Having the
+old value would result in a page fault on access to the higher level memory,
+but the fault handler would see the new mm->pgd, if it was a valid access
+after the mmap on the other thread has completed. So as worst-case scenario
+we would have a page fault loop for the racing thread until the next time
+slice.
+
+Also remove dead code and simplify the upgrade/downgrade path, there are no
+upgrades from 2 levels, and only downgrades from 3 levels for compat tasks.
+There are also no concurrent upgrades, because the mmap_sem is held with
+down_write() in do_mmap, so the flush and table checks during upgrade can
+be removed.
+
+Reported-by: Michael Munday <munday@ca.ibm.com>
+Reviewed-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/include/asm/mmu.h | 2
+ arch/s390/include/asm/mmu_context.h | 28 +++++++++--
+ arch/s390/include/asm/pgalloc.h | 4 -
+ arch/s390/include/asm/processor.h | 2
+ arch/s390/include/asm/tlbflush.h | 9 +--
+ arch/s390/mm/init.c | 3 -
+ arch/s390/mm/mmap.c | 6 +-
+ arch/s390/mm/pgtable.c | 85 +++++++++++-------------------------
+ 8 files changed, 62 insertions(+), 77 deletions(-)
+
+--- a/arch/s390/include/asm/mmu.h
++++ b/arch/s390/include/asm/mmu.h
+@@ -11,7 +11,7 @@ typedef struct {
+ spinlock_t list_lock;
+ struct list_head pgtable_list;
+ struct list_head gmap_list;
+- unsigned long asce_bits;
++ unsigned long asce;
+ unsigned long asce_limit;
+ unsigned long vdso_base;
+ /* The mmu context allocates 4K page tables. */
+--- a/arch/s390/include/asm/mmu_context.h
++++ b/arch/s390/include/asm/mmu_context.h
+@@ -26,12 +26,28 @@ static inline int init_new_context(struc
+ mm->context.has_pgste = 0;
+ mm->context.use_skey = 0;
+ #endif
+- if (mm->context.asce_limit == 0) {
++ switch (mm->context.asce_limit) {
++ case 1UL << 42:
++ /*
++ * forked 3-level task, fall through to set new asce with new
++ * mm->pgd
++ */
++ case 0:
+ /* context created by exec, set asce limit to 4TB */
+- mm->context.asce_bits = _ASCE_TABLE_LENGTH |
+- _ASCE_USER_BITS | _ASCE_TYPE_REGION3;
+ mm->context.asce_limit = STACK_TOP_MAX;
+- } else if (mm->context.asce_limit == (1UL << 31)) {
++ mm->context.asce = __pa(mm->pgd) | _ASCE_TABLE_LENGTH |
++ _ASCE_USER_BITS | _ASCE_TYPE_REGION3;
++ break;
++ case 1UL << 53:
++ /* forked 4-level task, set new asce with new mm->pgd */
++ mm->context.asce = __pa(mm->pgd) | _ASCE_TABLE_LENGTH |
++ _ASCE_USER_BITS | _ASCE_TYPE_REGION2;
++ break;
++ case 1UL << 31:
++ /* forked 2-level compat task, set new asce with new mm->pgd */
++ mm->context.asce = __pa(mm->pgd) | _ASCE_TABLE_LENGTH |
++ _ASCE_USER_BITS | _ASCE_TYPE_SEGMENT;
++ /* pgd_alloc() did not increase mm->nr_pmds */
+ mm_inc_nr_pmds(mm);
+ }
+ crst_table_init((unsigned long *) mm->pgd, pgd_entry_type(mm));
+@@ -42,7 +58,7 @@ static inline int init_new_context(struc
+
+ static inline void set_user_asce(struct mm_struct *mm)
+ {
+- S390_lowcore.user_asce = mm->context.asce_bits | __pa(mm->pgd);
++ S390_lowcore.user_asce = mm->context.asce;
+ if (current->thread.mm_segment.ar4)
+ __ctl_load(S390_lowcore.user_asce, 7, 7);
+ set_cpu_flag(CIF_ASCE);
+@@ -71,7 +87,7 @@ static inline void switch_mm(struct mm_s
+ {
+ int cpu = smp_processor_id();
+
+- S390_lowcore.user_asce = next->context.asce_bits | __pa(next->pgd);
++ S390_lowcore.user_asce = next->context.asce;
+ if (prev == next)
+ return;
+ if (MACHINE_HAS_TLB_LC)
+--- a/arch/s390/include/asm/pgalloc.h
++++ b/arch/s390/include/asm/pgalloc.h
+@@ -56,8 +56,8 @@ static inline unsigned long pgd_entry_ty
+ return _REGION2_ENTRY_EMPTY;
+ }
+
+-int crst_table_upgrade(struct mm_struct *, unsigned long limit);
+-void crst_table_downgrade(struct mm_struct *, unsigned long limit);
++int crst_table_upgrade(struct mm_struct *);
++void crst_table_downgrade(struct mm_struct *);
+
+ static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long address)
+ {
+--- a/arch/s390/include/asm/processor.h
++++ b/arch/s390/include/asm/processor.h
+@@ -163,7 +163,7 @@ extern __vector128 init_task_fpu_regs[__
+ regs->psw.mask = PSW_USER_BITS | PSW_MASK_BA; \
+ regs->psw.addr = new_psw | PSW_ADDR_AMODE; \
+ regs->gprs[15] = new_stackp; \
+- crst_table_downgrade(current->mm, 1UL << 31); \
++ crst_table_downgrade(current->mm); \
+ execve_tail(); \
+ } while (0)
+
+--- a/arch/s390/include/asm/tlbflush.h
++++ b/arch/s390/include/asm/tlbflush.h
+@@ -110,8 +110,7 @@ static inline void __tlb_flush_asce(stru
+ static inline void __tlb_flush_kernel(void)
+ {
+ if (MACHINE_HAS_IDTE)
+- __tlb_flush_idte((unsigned long) init_mm.pgd |
+- init_mm.context.asce_bits);
++ __tlb_flush_idte(init_mm.context.asce);
+ else
+ __tlb_flush_global();
+ }
+@@ -133,8 +132,7 @@ static inline void __tlb_flush_asce(stru
+ static inline void __tlb_flush_kernel(void)
+ {
+ if (MACHINE_HAS_TLB_LC)
+- __tlb_flush_idte_local((unsigned long) init_mm.pgd |
+- init_mm.context.asce_bits);
++ __tlb_flush_idte_local(init_mm.context.asce);
+ else
+ __tlb_flush_local();
+ }
+@@ -148,8 +146,7 @@ static inline void __tlb_flush_mm(struct
+ * only ran on the local cpu.
+ */
+ if (MACHINE_HAS_IDTE && list_empty(&mm->context.gmap_list))
+- __tlb_flush_asce(mm, (unsigned long) mm->pgd |
+- mm->context.asce_bits);
++ __tlb_flush_asce(mm, mm->context.asce);
+ else
+ __tlb_flush_full(mm);
+ }
+--- a/arch/s390/mm/init.c
++++ b/arch/s390/mm/init.c
+@@ -89,7 +89,8 @@ void __init paging_init(void)
+ asce_bits = _ASCE_TYPE_REGION3 | _ASCE_TABLE_LENGTH;
+ pgd_type = _REGION3_ENTRY_EMPTY;
+ }
+- S390_lowcore.kernel_asce = (__pa(init_mm.pgd) & PAGE_MASK) | asce_bits;
++ init_mm.context.asce = (__pa(init_mm.pgd) & PAGE_MASK) | asce_bits;
++ S390_lowcore.kernel_asce = init_mm.context.asce;
+ clear_table((unsigned long *) init_mm.pgd, pgd_type,
+ sizeof(unsigned long)*2048);
+ vmem_map_init();
+--- a/arch/s390/mm/mmap.c
++++ b/arch/s390/mm/mmap.c
+@@ -174,7 +174,7 @@ int s390_mmap_check(unsigned long addr,
+ if (!(flags & MAP_FIXED))
+ addr = 0;
+ if ((addr + len) >= TASK_SIZE)
+- return crst_table_upgrade(current->mm, 1UL << 53);
++ return crst_table_upgrade(current->mm);
+ return 0;
+ }
+
+@@ -191,7 +191,7 @@ s390_get_unmapped_area(struct file *filp
+ return area;
+ if (area == -ENOMEM && !is_compat_task() && TASK_SIZE < (1UL << 53)) {
+ /* Upgrade the page table to 4 levels and retry. */
+- rc = crst_table_upgrade(mm, 1UL << 53);
++ rc = crst_table_upgrade(mm);
+ if (rc)
+ return (unsigned long) rc;
+ area = arch_get_unmapped_area(filp, addr, len, pgoff, flags);
+@@ -213,7 +213,7 @@ s390_get_unmapped_area_topdown(struct fi
+ return area;
+ if (area == -ENOMEM && !is_compat_task() && TASK_SIZE < (1UL << 53)) {
+ /* Upgrade the page table to 4 levels and retry. */
+- rc = crst_table_upgrade(mm, 1UL << 53);
++ rc = crst_table_upgrade(mm);
+ if (rc)
+ return (unsigned long) rc;
+ area = arch_get_unmapped_area_topdown(filp, addr, len,
+--- a/arch/s390/mm/pgtable.c
++++ b/arch/s390/mm/pgtable.c
+@@ -49,81 +49,52 @@ static void __crst_table_upgrade(void *a
+ __tlb_flush_local();
+ }
+
+-int crst_table_upgrade(struct mm_struct *mm, unsigned long limit)
++int crst_table_upgrade(struct mm_struct *mm)
+ {
+ unsigned long *table, *pgd;
+- unsigned long entry;
+- int flush;
+
+- BUG_ON(limit > (1UL << 53));
+- flush = 0;
+-repeat:
++ /* upgrade should only happen from 3 to 4 levels */
++ BUG_ON(mm->context.asce_limit != (1UL << 42));
++
+ table = crst_table_alloc(mm);
+ if (!table)
+ return -ENOMEM;
++
+ spin_lock_bh(&mm->page_table_lock);
+- if (mm->context.asce_limit < limit) {
+- pgd = (unsigned long *) mm->pgd;
+- if (mm->context.asce_limit <= (1UL << 31)) {
+- entry = _REGION3_ENTRY_EMPTY;
+- mm->context.asce_limit = 1UL << 42;
+- mm->context.asce_bits = _ASCE_TABLE_LENGTH |
+- _ASCE_USER_BITS |
+- _ASCE_TYPE_REGION3;
+- } else {
+- entry = _REGION2_ENTRY_EMPTY;
+- mm->context.asce_limit = 1UL << 53;
+- mm->context.asce_bits = _ASCE_TABLE_LENGTH |
+- _ASCE_USER_BITS |
+- _ASCE_TYPE_REGION2;
+- }
+- crst_table_init(table, entry);
+- pgd_populate(mm, (pgd_t *) table, (pud_t *) pgd);
+- mm->pgd = (pgd_t *) table;
+- mm->task_size = mm->context.asce_limit;
+- table = NULL;
+- flush = 1;
+- }
++ pgd = (unsigned long *) mm->pgd;
++ crst_table_init(table, _REGION2_ENTRY_EMPTY);
++ pgd_populate(mm, (pgd_t *) table, (pud_t *) pgd);
++ mm->pgd = (pgd_t *) table;
++ mm->context.asce_limit = 1UL << 53;
++ mm->context.asce = __pa(mm->pgd) | _ASCE_TABLE_LENGTH |
++ _ASCE_USER_BITS | _ASCE_TYPE_REGION2;
++ mm->task_size = mm->context.asce_limit;
+ spin_unlock_bh(&mm->page_table_lock);
+- if (table)
+- crst_table_free(mm, table);
+- if (mm->context.asce_limit < limit)
+- goto repeat;
+- if (flush)
+- on_each_cpu(__crst_table_upgrade, mm, 0);
++
++ on_each_cpu(__crst_table_upgrade, mm, 0);
+ return 0;
+ }
+
+-void crst_table_downgrade(struct mm_struct *mm, unsigned long limit)
++void crst_table_downgrade(struct mm_struct *mm)
+ {
+ pgd_t *pgd;
+
++ /* downgrade should only happen from 3 to 2 levels (compat only) */
++ BUG_ON(mm->context.asce_limit != (1UL << 42));
++
+ if (current->active_mm == mm) {
+ clear_user_asce();
+ __tlb_flush_mm(mm);
+ }
+- while (mm->context.asce_limit > limit) {
+- pgd = mm->pgd;
+- switch (pgd_val(*pgd) & _REGION_ENTRY_TYPE_MASK) {
+- case _REGION_ENTRY_TYPE_R2:
+- mm->context.asce_limit = 1UL << 42;
+- mm->context.asce_bits = _ASCE_TABLE_LENGTH |
+- _ASCE_USER_BITS |
+- _ASCE_TYPE_REGION3;
+- break;
+- case _REGION_ENTRY_TYPE_R3:
+- mm->context.asce_limit = 1UL << 31;
+- mm->context.asce_bits = _ASCE_TABLE_LENGTH |
+- _ASCE_USER_BITS |
+- _ASCE_TYPE_SEGMENT;
+- break;
+- default:
+- BUG();
+- }
+- mm->pgd = (pgd_t *) (pgd_val(*pgd) & _REGION_ENTRY_ORIGIN);
+- mm->task_size = mm->context.asce_limit;
+- crst_table_free(mm, (unsigned long *) pgd);
+- }
++
++ pgd = mm->pgd;
++ mm->pgd = (pgd_t *) (pgd_val(*pgd) & _REGION_ENTRY_ORIGIN);
++ mm->context.asce_limit = 1UL << 31;
++ mm->context.asce = __pa(mm->pgd) | _ASCE_TABLE_LENGTH |
++ _ASCE_USER_BITS | _ASCE_TYPE_SEGMENT;
++ mm->task_size = mm->context.asce_limit;
++ crst_table_free(mm, (unsigned long *) pgd);
++
+ if (current->active_mm == mm)
+ set_user_asce(mm);
+ }
--- /dev/null
+From 66ec246eb9982e7eb8e15e1fc55f543230310dd0 Mon Sep 17 00:00:00 2001
+From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Date: Tue, 26 Apr 2016 10:08:26 +0300
+Subject: spi: pxa2xx: Do not detect number of enabled chip selects on Intel SPT
+
+From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+
+commit 66ec246eb9982e7eb8e15e1fc55f543230310dd0 upstream.
+
+Certain Intel Sunrisepoint PCH variants report zero chip selects in SPI
+capabilities register even they have one per port. Detection in
+pxa2xx_spi_probe() sets master->num_chipselect to 0 leading to -EINVAL
+from spi_register_master() where chip select count is validated.
+
+Fix this by not using SPI capabilities register on Sunrisepoint. They don't
+have more than one chip select so use the default value 1 instead of
+detection.
+
+Fixes: 8b136baa5892 ("spi: pxa2xx: Detect number of enabled Intel LPSS SPI chip select signals")
+Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-pxa2xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-pxa2xx.c
++++ b/drivers/spi/spi-pxa2xx.c
+@@ -111,7 +111,7 @@ static const struct lpss_config lpss_pla
+ .reg_general = -1,
+ .reg_ssp = 0x20,
+ .reg_cs_ctrl = 0x24,
+- .reg_capabilities = 0xfc,
++ .reg_capabilities = -1,
+ .rx_threshold = 1,
+ .tx_threshold_lo = 32,
+ .tx_threshold_hi = 56,
--- /dev/null
+From ea1b60fb085839a9544cb3a0069992991beabb7f Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Tue, 12 Apr 2016 12:56:25 +0100
+Subject: spi: spi-ti-qspi: Fix FLEN and WLEN settings if bits_per_word is overridden
+
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+
+commit ea1b60fb085839a9544cb3a0069992991beabb7f upstream.
+
+Each transfer can specify 8, 16 or 32 bits per word independently of
+the default for the device being addressed. However, currently we
+calculate the number of words in the frame assuming that the word size
+is the device default.
+
+If multiple transfers in the same message have differing
+bits_per_word, we bitwise-or the different values in the WLEN register
+field.
+
+Fix both of these. Also rename 'frame_length' to 'frame_len_words' to
+make clear that it's not a byte count like spi_message::frame_length.
+
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-ti-qspi.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/spi/spi-ti-qspi.c
++++ b/drivers/spi/spi-ti-qspi.c
+@@ -94,6 +94,7 @@ struct ti_qspi {
+ #define QSPI_FLEN(n) ((n - 1) << 0)
+ #define QSPI_WLEN_MAX_BITS 128
+ #define QSPI_WLEN_MAX_BYTES 16
++#define QSPI_WLEN_MASK QSPI_WLEN(QSPI_WLEN_MAX_BITS)
+
+ /* STATUS REGISTER */
+ #define BUSY 0x01
+@@ -373,7 +374,7 @@ static int ti_qspi_start_transfer_one(st
+ struct spi_device *spi = m->spi;
+ struct spi_transfer *t;
+ int status = 0, ret;
+- int frame_length;
++ unsigned int frame_len_words;
+
+ /* setup device control reg */
+ qspi->dc = 0;
+@@ -385,21 +386,23 @@ static int ti_qspi_start_transfer_one(st
+ if (spi->mode & SPI_CS_HIGH)
+ qspi->dc |= QSPI_CSPOL(spi->chip_select);
+
+- frame_length = (m->frame_length << 3) / spi->bits_per_word;
+-
+- frame_length = clamp(frame_length, 0, QSPI_FRAME);
++ frame_len_words = 0;
++ list_for_each_entry(t, &m->transfers, transfer_list)
++ frame_len_words += t->len / (t->bits_per_word >> 3);
++ frame_len_words = min_t(unsigned int, frame_len_words, QSPI_FRAME);
+
+ /* setup command reg */
+ qspi->cmd = 0;
+ qspi->cmd |= QSPI_EN_CS(spi->chip_select);
+- qspi->cmd |= QSPI_FLEN(frame_length);
++ qspi->cmd |= QSPI_FLEN(frame_len_words);
+
+ ti_qspi_write(qspi, qspi->dc, QSPI_SPI_DC_REG);
+
+ mutex_lock(&qspi->list_lock);
+
+ list_for_each_entry(t, &m->transfers, transfer_list) {
+- qspi->cmd |= QSPI_WLEN(t->bits_per_word);
++ qspi->cmd = ((qspi->cmd & ~QSPI_WLEN_MASK) |
++ QSPI_WLEN(t->bits_per_word));
+
+ ret = qspi_transfer_msg(qspi, t);
+ if (ret) {
--- /dev/null
+From 1ff7760ff66b98ef244bf0e5e2bd5310651205ad Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Tue, 12 Apr 2016 12:58:14 +0100
+Subject: spi: spi-ti-qspi: Handle truncated frames properly
+
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+
+commit 1ff7760ff66b98ef244bf0e5e2bd5310651205ad upstream.
+
+We clamp frame_len_words to a maximum of 4096, but do not actually
+limit the number of words written or read through the DATA registers
+or the length added to spi_message::actual_length. This results in
+silent data corruption for commands longer than this maximum.
+
+Recalculate the length of each transfer, taking frame_len_words into
+account. Use this length in qspi_{read,write}_msg(), and to increment
+spi_message::actual_length.
+
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-ti-qspi.c | 32 ++++++++++++++++++++------------
+ 1 file changed, 20 insertions(+), 12 deletions(-)
+
+--- a/drivers/spi/spi-ti-qspi.c
++++ b/drivers/spi/spi-ti-qspi.c
+@@ -225,16 +225,16 @@ static inline int ti_qspi_poll_wc(struct
+ return -ETIMEDOUT;
+ }
+
+-static int qspi_write_msg(struct ti_qspi *qspi, struct spi_transfer *t)
++static int qspi_write_msg(struct ti_qspi *qspi, struct spi_transfer *t,
++ int count)
+ {
+- int wlen, count, xfer_len;
++ int wlen, xfer_len;
+ unsigned int cmd;
+ const u8 *txbuf;
+ u32 data;
+
+ txbuf = t->tx_buf;
+ cmd = qspi->cmd | QSPI_WR_SNGL;
+- count = t->len;
+ wlen = t->bits_per_word >> 3; /* in bytes */
+ xfer_len = wlen;
+
+@@ -294,9 +294,10 @@ static int qspi_write_msg(struct ti_qspi
+ return 0;
+ }
+
+-static int qspi_read_msg(struct ti_qspi *qspi, struct spi_transfer *t)
++static int qspi_read_msg(struct ti_qspi *qspi, struct spi_transfer *t,
++ int count)
+ {
+- int wlen, count;
++ int wlen;
+ unsigned int cmd;
+ u8 *rxbuf;
+
+@@ -313,7 +314,6 @@ static int qspi_read_msg(struct ti_qspi
+ cmd |= QSPI_RD_SNGL;
+ break;
+ }
+- count = t->len;
+ wlen = t->bits_per_word >> 3; /* in bytes */
+
+ while (count) {
+@@ -344,12 +344,13 @@ static int qspi_read_msg(struct ti_qspi
+ return 0;
+ }
+
+-static int qspi_transfer_msg(struct ti_qspi *qspi, struct spi_transfer *t)
++static int qspi_transfer_msg(struct ti_qspi *qspi, struct spi_transfer *t,
++ int count)
+ {
+ int ret;
+
+ if (t->tx_buf) {
+- ret = qspi_write_msg(qspi, t);
++ ret = qspi_write_msg(qspi, t, count);
+ if (ret) {
+ dev_dbg(qspi->dev, "Error while writing\n");
+ return ret;
+@@ -357,7 +358,7 @@ static int qspi_transfer_msg(struct ti_q
+ }
+
+ if (t->rx_buf) {
+- ret = qspi_read_msg(qspi, t);
++ ret = qspi_read_msg(qspi, t, count);
+ if (ret) {
+ dev_dbg(qspi->dev, "Error while reading\n");
+ return ret;
+@@ -374,7 +375,8 @@ static int ti_qspi_start_transfer_one(st
+ struct spi_device *spi = m->spi;
+ struct spi_transfer *t;
+ int status = 0, ret;
+- unsigned int frame_len_words;
++ unsigned int frame_len_words, transfer_len_words;
++ int wlen;
+
+ /* setup device control reg */
+ qspi->dc = 0;
+@@ -404,14 +406,20 @@ static int ti_qspi_start_transfer_one(st
+ qspi->cmd = ((qspi->cmd & ~QSPI_WLEN_MASK) |
+ QSPI_WLEN(t->bits_per_word));
+
+- ret = qspi_transfer_msg(qspi, t);
++ wlen = t->bits_per_word >> 3;
++ transfer_len_words = min(t->len / wlen, frame_len_words);
++
++ ret = qspi_transfer_msg(qspi, t, transfer_len_words * wlen);
+ if (ret) {
+ dev_dbg(qspi->dev, "transfer message failed\n");
+ mutex_unlock(&qspi->list_lock);
+ return -EINVAL;
+ }
+
+- m->actual_length += t->len;
++ m->actual_length += transfer_len_words * wlen;
++ frame_len_words -= transfer_len_words;
++ if (frame_len_words == 0)
++ break;
+ }
+
+ mutex_unlock(&qspi->list_lock);
--- /dev/null
+From 106b816cb46ebd87408b4ed99a2e16203114daa6 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Wed, 11 May 2016 15:09:36 -0400
+Subject: tools lib traceevent: Do not reassign parg after collapse_tree()
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 106b816cb46ebd87408b4ed99a2e16203114daa6 upstream.
+
+At the end of process_filter(), collapse_tree() was changed to update
+the parg parameter, but the reassignment after the call wasn't removed.
+
+What happens is that the "current_op" gets modified and freed and parg
+is assigned to the new allocated argument. But after the call to
+collapse_tree(), parg is assigned again to the just freed "current_op",
+and this causes the tool to crash.
+
+The current_op variable must also be assigned to NULL in case of error,
+otherwise it will cause it to be free()ed twice.
+
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Fixes: 42d6194d133c ("tools lib traceevent: Refactor process_filter()")
+Link: http://lkml.kernel.org/r/20160511150936.678c18a1@gandalf.local.home
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/lib/traceevent/parse-filter.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/lib/traceevent/parse-filter.c
++++ b/tools/lib/traceevent/parse-filter.c
+@@ -1164,11 +1164,11 @@ process_filter(struct event_format *even
+ current_op = current_exp;
+
+ ret = collapse_tree(current_op, parg, error_str);
++ /* collapse_tree() may free current_op, and updates parg accordingly */
++ current_op = NULL;
+ if (ret < 0)
+ goto fail;
+
+- *parg = current_op;
+-
+ free(token);
+ return 0;
+
--- /dev/null
+From 54d5ca871e72f2bb172ec9323497f01cd5091ec7 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 11 May 2016 01:16:37 +0200
+Subject: vfs: add vfs_select_inode() helper
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 54d5ca871e72f2bb172ec9323497f01cd5091ec7 upstream.
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/open.c | 12 ++++--------
+ include/linux/dcache.h | 12 ++++++++++++
+ 2 files changed, 16 insertions(+), 8 deletions(-)
+
+--- a/fs/open.c
++++ b/fs/open.c
+@@ -840,16 +840,12 @@ EXPORT_SYMBOL(file_path);
+ int vfs_open(const struct path *path, struct file *file,
+ const struct cred *cred)
+ {
+- struct dentry *dentry = path->dentry;
+- struct inode *inode = dentry->d_inode;
++ struct inode *inode = vfs_select_inode(path->dentry, file->f_flags);
+
+- file->f_path = *path;
+- if (dentry->d_flags & DCACHE_OP_SELECT_INODE) {
+- inode = dentry->d_op->d_select_inode(dentry, file->f_flags);
+- if (IS_ERR(inode))
+- return PTR_ERR(inode);
+- }
++ if (IS_ERR(inode))
++ return PTR_ERR(inode);
+
++ file->f_path = *path;
+ return do_dentry_open(file, inode, NULL, cred);
+ }
+
+--- a/include/linux/dcache.h
++++ b/include/linux/dcache.h
+@@ -592,4 +592,16 @@ static inline struct dentry *d_real(stru
+ return dentry;
+ }
+
++static inline struct inode *vfs_select_inode(struct dentry *dentry,
++ unsigned open_flags)
++{
++ struct inode *inode = d_inode(dentry);
++
++ if (inode && unlikely(dentry->d_flags & DCACHE_OP_SELECT_INODE))
++ inode = dentry->d_op->d_select_inode(dentry, open_flags);
++
++ return inode;
++}
++
++
+ #endif /* __LINUX_DCACHE_H */
--- /dev/null
+From 9409e22acdfc9153f88d9b1ed2bd2a5b34d2d3ca Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 11 May 2016 01:16:37 +0200
+Subject: vfs: rename: check backing inode being equal
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 9409e22acdfc9153f88d9b1ed2bd2a5b34d2d3ca upstream.
+
+If a file is renamed to a hardlink of itself POSIX specifies that rename(2)
+should do nothing and return success.
+
+This condition is checked in vfs_rename(). However it won't detect hard
+links on overlayfs where these are given separate inodes on the overlayfs
+layer.
+
+Overlayfs itself detects this condition and returns success without doing
+anything, but then vfs_rename() will proceed as if this was a successful
+rename (detach_mounts(), d_move()).
+
+The correct thing to do is to detect this condition before even calling
+into overlayfs. This patch does this by calling vfs_select_inode() to get
+the underlying inodes.
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namei.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -4195,7 +4195,11 @@ int vfs_rename(struct inode *old_dir, st
+ bool new_is_dir = false;
+ unsigned max_links = new_dir->i_sb->s_max_links;
+
+- if (source == target)
++ /*
++ * Check source == target.
++ * On overlayfs need to look at underlying inodes.
++ */
++ if (vfs_select_inode(old_dentry, 0) == vfs_select_inode(new_dentry, 0))
+ return 0;
+
+ error = may_delete(old_dir, old_dentry, is_dir);
--- /dev/null
+From f7c17d26f43d5cc1b7a6b896cd2fa24a079739b9 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Wed, 11 May 2016 17:55:18 +0800
+Subject: workqueue: fix rebind bound workers warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+commit f7c17d26f43d5cc1b7a6b896cd2fa24a079739b9 upstream.
+
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 16 at kernel/workqueue.c:4559 rebind_workers+0x1c0/0x1d0
+Modules linked in:
+CPU: 0 PID: 16 Comm: cpuhp/0 Not tainted 4.6.0-rc4+ #31
+Hardware name: IBM IBM System x3550 M4 Server -[7914IUW]-/00Y8603, BIOS -[D7E128FUS-1.40]- 07/23/2013
+ 0000000000000000 ffff881037babb58 ffffffff8139d885 0000000000000010
+ 0000000000000000 0000000000000000 0000000000000000 ffff881037babba8
+ ffffffff8108505d ffff881037ba0000 000011cf3e7d6e60 0000000000000046
+Call Trace:
+ dump_stack+0x89/0xd4
+ __warn+0xfd/0x120
+ warn_slowpath_null+0x1d/0x20
+ rebind_workers+0x1c0/0x1d0
+ workqueue_cpu_up_callback+0xf5/0x1d0
+ notifier_call_chain+0x64/0x90
+ ? trace_hardirqs_on_caller+0xf2/0x220
+ ? notify_prepare+0x80/0x80
+ __raw_notifier_call_chain+0xe/0x10
+ __cpu_notify+0x35/0x50
+ notify_down_prepare+0x5e/0x80
+ ? notify_prepare+0x80/0x80
+ cpuhp_invoke_callback+0x73/0x330
+ ? __schedule+0x33e/0x8a0
+ cpuhp_down_callbacks+0x51/0xc0
+ cpuhp_thread_fun+0xc1/0xf0
+ smpboot_thread_fn+0x159/0x2a0
+ ? smpboot_create_threads+0x80/0x80
+ kthread+0xef/0x110
+ ? wait_for_completion+0xf0/0x120
+ ? schedule_tail+0x35/0xf0
+ ret_from_fork+0x22/0x50
+ ? __init_kthread_worker+0x70/0x70
+---[ end trace eb12ae47d2382d8f ]---
+notify_down_prepare: attempt to take down CPU 0 failed
+
+This bug can be reproduced by below config w/ nohz_full= all cpus:
+
+CONFIG_BOOTPARAM_HOTPLUG_CPU0=y
+CONFIG_DEBUG_HOTPLUG_CPU0=y
+CONFIG_NO_HZ_FULL=y
+
+As Thomas pointed out:
+
+| If a down prepare callback fails, then DOWN_FAILED is invoked for all
+| callbacks which have successfully executed DOWN_PREPARE.
+|
+| But, workqueue has actually two notifiers. One which handles
+| UP/DOWN_FAILED/ONLINE and one which handles DOWN_PREPARE.
+|
+| Now look at the priorities of those callbacks:
+|
+| CPU_PRI_WORKQUEUE_UP = 5
+| CPU_PRI_WORKQUEUE_DOWN = -5
+|
+| So the call order on DOWN_PREPARE is:
+|
+| CB 1
+| CB ...
+| CB workqueue_up() -> Ignores DOWN_PREPARE
+| CB ...
+| CB X ---> Fails
+|
+| So we call up to CB X with DOWN_FAILED
+|
+| CB 1
+| CB ...
+| CB workqueue_up() -> Handles DOWN_FAILED
+| CB ...
+| CB X-1
+|
+| So the problem is that the workqueue stuff handles DOWN_FAILED in the up
+| callback, while it should do it in the down callback. Which is not a good idea
+| either because it wants to be called early on rollback...
+|
+| Brilliant stuff, isn't it? The hotplug rework will solve this problem because
+| the callbacks become symetric, but for the existing mess, we need some
+| workaround in the workqueue code.
+
+The boot CPU handles housekeeping duty(unbound timers, workqueues,
+timekeeping, ...) on behalf of full dynticks CPUs. It must remain
+online when nohz full is enabled. There is a priority set to every
+notifier_blocks:
+
+workqueue_cpu_up > tick_nohz_cpu_down > workqueue_cpu_down
+
+So tick_nohz_cpu_down callback failed when down prepare cpu 0, and
+notifier_blocks behind tick_nohz_cpu_down will not be called any
+more, which leads to workers are actually not unbound. Then hotplug
+state machine will fallback to undo and online cpu 0 again. Workers
+will be rebound unconditionally even if they are not unbound and
+trigger the warning in this progress.
+
+This patch fix it by catching !DISASSOCIATED to avoid rebind bound
+workers.
+
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Lai Jiangshan <jiangshanlai@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Frédéric Weisbecker <fweisbec@gmail.com>
+Suggested-by: Lai Jiangshan <jiangshanlai@gmail.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/workqueue.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -4457,6 +4457,17 @@ static void rebind_workers(struct worker
+ pool->attrs->cpumask) < 0);
+
+ spin_lock_irq(&pool->lock);
++
++ /*
++ * XXX: CPU hotplug notifiers are weird and can call DOWN_FAILED
++ * w/o preceding DOWN_PREPARE. Work around it. CPU hotplug is
++ * being reworked and this can go away in time.
++ */
++ if (!(pool->flags & POOL_DISASSOCIATED)) {
++ spin_unlock_irq(&pool->lock);
++ return;
++ }
++
+ pool->flags &= ~POOL_DISASSOCIATED;
+
+ for_each_pool_worker(worker, pool) {
--- /dev/null
+From 44f43e99fe70833058482d183e99fdfd11220996 Mon Sep 17 00:00:00 2001
+From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Date: Mon, 9 May 2016 16:28:49 -0700
+Subject: zsmalloc: fix zs_can_compact() integer overflow
+
+From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+
+commit 44f43e99fe70833058482d183e99fdfd11220996 upstream.
+
+zs_can_compact() has two race conditions in its core calculation:
+
+unsigned long obj_wasted = zs_stat_get(class, OBJ_ALLOCATED) -
+ zs_stat_get(class, OBJ_USED);
+
+1) classes are not locked, so the numbers of allocated and used
+ objects can change by the concurrent ops happening on other CPUs
+2) shrinker invokes it from preemptible context
+
+Depending on the circumstances, thus, OBJ_ALLOCATED can become
+less than OBJ_USED, which can result in either very high or
+negative `total_scan' value calculated later in do_shrink_slab().
+
+do_shrink_slab() has some logic to prevent those cases:
+
+ vmscan: shrink_slab: zs_shrinker_scan+0x0/0x28 [zsmalloc] negative objects to delete nr=-62
+ vmscan: shrink_slab: zs_shrinker_scan+0x0/0x28 [zsmalloc] negative objects to delete nr=-62
+ vmscan: shrink_slab: zs_shrinker_scan+0x0/0x28 [zsmalloc] negative objects to delete nr=-64
+ vmscan: shrink_slab: zs_shrinker_scan+0x0/0x28 [zsmalloc] negative objects to delete nr=-62
+ vmscan: shrink_slab: zs_shrinker_scan+0x0/0x28 [zsmalloc] negative objects to delete nr=-62
+ vmscan: shrink_slab: zs_shrinker_scan+0x0/0x28 [zsmalloc] negative objects to delete nr=-62
+
+However, due to the way `total_scan' is calculated, not every
+shrinker->count_objects() overflow can be spotted and handled.
+To demonstrate the latter, I added some debugging code to do_shrink_slab()
+(x86_64) and the results were:
+
+ vmscan: OVERFLOW: shrinker->count_objects() == -1 [18446744073709551615]
+ vmscan: but total_scan > 0: 92679974445502
+ vmscan: resulting total_scan: 92679974445502
+[..]
+ vmscan: OVERFLOW: shrinker->count_objects() == -1 [18446744073709551615]
+ vmscan: but total_scan > 0: 22634041808232578
+ vmscan: resulting total_scan: 22634041808232578
+
+Even though shrinker->count_objects() has returned an overflowed value,
+the resulting `total_scan' is positive, and, what is more worrisome, it
+is insanely huge. This value is getting used later on in
+shrinker->scan_objects() loop:
+
+ while (total_scan >= batch_size ||
+ total_scan >= freeable) {
+ unsigned long ret;
+ unsigned long nr_to_scan = min(batch_size, total_scan);
+
+ shrinkctl->nr_to_scan = nr_to_scan;
+ ret = shrinker->scan_objects(shrinker, shrinkctl);
+ if (ret == SHRINK_STOP)
+ break;
+ freed += ret;
+
+ count_vm_events(SLABS_SCANNED, nr_to_scan);
+ total_scan -= nr_to_scan;
+
+ cond_resched();
+ }
+
+`total_scan >= batch_size' is true for a very-very long time and
+'total_scan >= freeable' is also true for quite some time, because
+`freeable < 0' and `total_scan' is large enough, for example,
+22634041808232578. The only break condition, in the given scheme of
+things, is shrinker->scan_objects() == SHRINK_STOP test, which is a
+bit too weak to rely on, especially in heavy zsmalloc-usage scenarios.
+
+To fix the issue, take a pool stat snapshot and use it instead of
+racy zs_stat_get() calls.
+
+Link: http://lkml.kernel.org/r/20160509140052.3389-1-sergey.senozhatsky@gmail.com
+Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/zsmalloc.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/mm/zsmalloc.c
++++ b/mm/zsmalloc.c
+@@ -1732,10 +1732,13 @@ static struct page *isolate_source_page(
+ static unsigned long zs_can_compact(struct size_class *class)
+ {
+ unsigned long obj_wasted;
++ unsigned long obj_allocated = zs_stat_get(class, OBJ_ALLOCATED);
++ unsigned long obj_used = zs_stat_get(class, OBJ_USED);
+
+- obj_wasted = zs_stat_get(class, OBJ_ALLOCATED) -
+- zs_stat_get(class, OBJ_USED);
++ if (obj_allocated <= obj_used)
++ return 0;
+
++ obj_wasted = obj_allocated - obj_used;
+ obj_wasted /= get_maxobj_per_zspage(class->size,
+ class->pages_per_zspage);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
