--- /dev/null
+From 97a98ae5b8acf08d07d972c087b2def060bc9b73 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+Date: Tue, 17 Jan 2017 21:10:11 +0100
+Subject: ARM: 8642/1: LPAE: catch pending imprecise abort on unmask
+
+From: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+
+commit 97a98ae5b8acf08d07d972c087b2def060bc9b73 upstream.
+
+Asynchronous external abort is coded differently in DFSR with LPAE enabled.
+
+Fixes: 9254970c "ARM: 8447/1: catch pending imprecise abort on unmask".
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: linux-arm-kernel@lists.infradead.org
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mm/fault.c | 4 ++--
+ arch/arm/mm/fault.h | 4 ++++
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mm/fault.c
++++ b/arch/arm/mm/fault.c
+@@ -610,9 +610,9 @@ static int __init early_abort_handler(un
+
+ void __init early_abt_enable(void)
+ {
+- fsr_info[22].fn = early_abort_handler;
++ fsr_info[FSR_FS_AEA].fn = early_abort_handler;
+ local_abt_enable();
+- fsr_info[22].fn = do_bad;
++ fsr_info[FSR_FS_AEA].fn = do_bad;
+ }
+
+ #ifndef CONFIG_ARM_LPAE
+--- a/arch/arm/mm/fault.h
++++ b/arch/arm/mm/fault.h
+@@ -11,11 +11,15 @@
+ #define FSR_FS5_0 (0x3f)
+
+ #ifdef CONFIG_ARM_LPAE
++#define FSR_FS_AEA 17
++
+ static inline int fsr_fs(unsigned int fsr)
+ {
+ return fsr & FSR_FS5_0;
+ }
+ #else
++#define FSR_FS_AEA 22
++
+ static inline int fsr_fs(unsigned int fsr)
+ {
+ return (fsr & FSR_FS3_0) | (fsr & FSR_FS4) >> 6;
--- /dev/null
+From 228dbbfb5d77f8e047b2a1d78da14b7158433027 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Wed, 18 Jan 2017 17:11:56 +0100
+Subject: ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit 228dbbfb5d77f8e047b2a1d78da14b7158433027 upstream.
+
+Ensure that if userspace supplies insufficient data to
+PTRACE_SETREGSET to fill all the registers, the thread's old
+registers are preserved.
+
+Fixes: 5be6f62b0059 ("ARM: 6883/1: ptrace: Migrate to regsets framework")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Acked-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kernel/ptrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/ptrace.c
++++ b/arch/arm/kernel/ptrace.c
+@@ -600,7 +600,7 @@ static int gpr_set(struct task_struct *t
+ const void *kbuf, const void __user *ubuf)
+ {
+ int ret;
+- struct pt_regs newregs;
++ struct pt_regs newregs = *task_pt_regs(target);
+
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+ &newregs,
--- /dev/null
+From 7f59b319111bbc3a5f32730c8a43b201e9522f52 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9bastien=20Szymanski?=
+ <sebastien.szymanski@armadeus.com>
+Date: Wed, 18 Jan 2017 11:09:51 +0100
+Subject: ARM: dts: imx6dl: fix GPIO4 range
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
+
+commit 7f59b319111bbc3a5f32730c8a43b201e9522f52 upstream.
+
+GPIO4_11 is on pin 152(MX6DL_PAD_KEY_ROW2) and not on pin
+151(MX6DL_PAD_KEY_ROW1).
+
+I found the error while booting a mainline kernel on APF6S SoM and
+noticed the following message:
+
+[ 2.609337] imx6dl-pinctrl 20e0000.iomuxc: pin MX6DL_PAD_KEY_ROW1
+already requested by 20a8000.gpio:105; cannot claim for 20a8000.gpio:107
+[ 2.621884] imx6dl-pinctrl 20e0000.iomuxc: pin-151 (20a8000.gpio:107)
+status -22
+[ 2.629303] spi_imx 2008000.ecspi: Can't get CS GPIO 107
+
+With this patch, the message is gone and spi_imx driver probes correctly.
+
+Fixes: bb728d662bed ("ARM: dts: add gpio-ranges property to iMX GPIO controllers")
+Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/imx6dl.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/imx6dl.dtsi
++++ b/arch/arm/boot/dts/imx6dl.dtsi
+@@ -137,7 +137,7 @@
+ &gpio4 {
+ gpio-ranges = <&iomuxc 5 136 1>, <&iomuxc 6 145 1>, <&iomuxc 7 150 1>,
+ <&iomuxc 8 146 1>, <&iomuxc 9 151 1>, <&iomuxc 10 147 1>,
+- <&iomuxc 11 151 1>, <&iomuxc 12 148 1>, <&iomuxc 13 153 1>,
++ <&iomuxc 11 152 1>, <&iomuxc 12 148 1>, <&iomuxc 13 153 1>,
+ <&iomuxc 14 149 1>, <&iomuxc 15 154 1>, <&iomuxc 16 39 7>,
+ <&iomuxc 23 56 1>, <&iomuxc 24 61 7>, <&iomuxc 31 46 1>;
+ };
--- /dev/null
+From 4d59b6ccf000862beed6fc0765d3209f98a8d8a2 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Wed, 8 Feb 2017 14:30:56 -0800
+Subject: cpumask: use nr_cpumask_bits for parsing functions
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 4d59b6ccf000862beed6fc0765d3209f98a8d8a2 upstream.
+
+Commit 513e3d2d11c9 ("cpumask: always use nr_cpu_ids in formatting and
+parsing functions") converted both cpumask printing and parsing
+functions to use nr_cpu_ids instead of nr_cpumask_bits. While this was
+okay for the printing functions as it just picked one of the two output
+formats that we were alternating between depending on a kernel config,
+doing the same for parsing wasn't okay.
+
+nr_cpumask_bits can be either nr_cpu_ids or NR_CPUS. We can always use
+nr_cpu_ids but that is a variable while NR_CPUS is a constant, so it can
+be more efficient to use NR_CPUS when we can get away with it.
+Converting the printing functions to nr_cpu_ids makes sense because it
+affects how the masks get presented to userspace and doesn't break
+anything; however, using nr_cpu_ids for parsing functions can
+incorrectly leave the higher bits uninitialized while reading in these
+masks from userland. As all testing and comparison functions use
+nr_cpumask_bits which can be larger than nr_cpu_ids, the parsed cpumasks
+can erroneously yield false negative results.
+
+This made the taskstats interface incorrectly return -EINVAL even when
+the inputs were correct.
+
+Fix it by restoring the parse functions to use nr_cpumask_bits instead
+of nr_cpu_ids.
+
+Link: http://lkml.kernel.org/r/20170206182442.GB31078@htj.duckdns.org
+Fixes: 513e3d2d11c9 ("cpumask: always use nr_cpu_ids in formatting and parsing functions")
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Martin Steigerwald <martin.steigerwald@teamix.de>
+Debugged-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/cpumask.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/include/linux/cpumask.h
++++ b/include/linux/cpumask.h
+@@ -560,7 +560,7 @@ static inline void cpumask_copy(struct c
+ static inline int cpumask_parse_user(const char __user *buf, int len,
+ struct cpumask *dstp)
+ {
+- return bitmap_parse_user(buf, len, cpumask_bits(dstp), nr_cpu_ids);
++ return bitmap_parse_user(buf, len, cpumask_bits(dstp), nr_cpumask_bits);
+ }
+
+ /**
+@@ -575,7 +575,7 @@ static inline int cpumask_parselist_user
+ struct cpumask *dstp)
+ {
+ return bitmap_parselist_user(buf, len, cpumask_bits(dstp),
+- nr_cpu_ids);
++ nr_cpumask_bits);
+ }
+
+ /**
+@@ -590,7 +590,7 @@ static inline int cpumask_parse(const ch
+ char *nl = strchr(buf, '\n');
+ unsigned int len = nl ? (unsigned int)(nl - buf) : strlen(buf);
+
+- return bitmap_parse(buf, len, cpumask_bits(dstp), nr_cpu_ids);
++ return bitmap_parse(buf, len, cpumask_bits(dstp), nr_cpumask_bits);
+ }
+
+ /**
+@@ -602,7 +602,7 @@ static inline int cpumask_parse(const ch
+ */
+ static inline int cpulist_parse(const char *buf, struct cpumask *dstp)
+ {
+- return bitmap_parselist(buf, cpumask_bits(dstp), nr_cpu_ids);
++ return bitmap_parselist(buf, cpumask_bits(dstp), nr_cpumask_bits);
+ }
+
+ /**
--- /dev/null
+From 92c715fca907686f5298220ece53423e38ba3aed Mon Sep 17 00:00:00 2001
+From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Date: Tue, 31 Jan 2017 10:25:25 +0100
+Subject: drm/atomic: Fix double free in drm_atomic_state_default_clear
+
+From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+
+commit 92c715fca907686f5298220ece53423e38ba3aed upstream.
+
+drm_atomic_helper_page_flip and drm_atomic_ioctl set their own events
+in crtc_state->event. But when it's set the event is freed in 2 places.
+
+Solve this by only freeing the event in the atomic ioctl when it
+allocated its own event.
+
+This has been broken twice. The first time when the code was introduced,
+but only in the corner case when an event is allocated, but more crtc's
+were included by atomic check and then failing. This can mostly
+happen when you do an atomic modeset in i915 and the display clock is
+changed, which forces all crtc's to be included to the state.
+
+This has been broken worse by adding in-fences support, which caused
+the double free to be done unconditionally.
+
+[IGT] kms_rotation_crc: starting subtest primary-rotation-180
+=============================================================================
+BUG kmalloc-128 (Tainted: G U ): Object already free
+-----------------------------------------------------------------------------
+
+Disabling lock debugging due to kernel taint
+INFO: Allocated in drm_atomic_helper_setup_commit+0x285/0x2f0 [drm_kms_helper] age=0 cpu=3 pid=1529
+ ___slab_alloc+0x308/0x3b0
+ __slab_alloc+0xd/0x20
+ kmem_cache_alloc_trace+0x92/0x1c0
+ drm_atomic_helper_setup_commit+0x285/0x2f0 [drm_kms_helper]
+ intel_atomic_commit+0x35/0x4f0 [i915]
+ drm_atomic_commit+0x46/0x50 [drm]
+ drm_mode_atomic_ioctl+0x7d4/0xab0 [drm]
+ drm_ioctl+0x2b3/0x490 [drm]
+ do_vfs_ioctl+0x69c/0x700
+ SyS_ioctl+0x4e/0x80
+ entry_SYSCALL_64_fastpath+0x13/0x94
+INFO: Freed in drm_event_cancel_free+0xa3/0xb0 [drm] age=0 cpu=3 pid=1529
+ __slab_free+0x48/0x2e0
+ kfree+0x159/0x1a0
+ drm_event_cancel_free+0xa3/0xb0 [drm]
+ drm_mode_atomic_ioctl+0x86d/0xab0 [drm]
+ drm_ioctl+0x2b3/0x490 [drm]
+ do_vfs_ioctl+0x69c/0x700
+ SyS_ioctl+0x4e/0x80
+ entry_SYSCALL_64_fastpath+0x13/0x94
+INFO: Slab 0xffffde1f0997b080 objects=17 used=2 fp=0xffff92fb65ec2578 flags=0x200000000008101
+INFO: Object 0xffff92fb65ec2578 @offset=1400 fp=0xffff92fb65ec2ae8
+
+Redzone ffff92fb65ec2570: bb bb bb bb bb bb bb bb ........
+Object ffff92fb65ec2578: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+Object ffff92fb65ec2588: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+Object ffff92fb65ec2598: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+Object ffff92fb65ec25a8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+Object ffff92fb65ec25b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+Object ffff92fb65ec25c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+Object ffff92fb65ec25d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+Object ffff92fb65ec25e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk.
+Redzone ffff92fb65ec25f8: bb bb bb bb bb bb bb bb ........
+Padding ffff92fb65ec2738: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
+CPU: 3 PID: 180 Comm: kworker/3:2 Tainted: G BU 4.10.0-rc6-patser+ #5039
+Hardware name: /NUC5PPYB, BIOS PYBSWCEL.86A.0031.2015.0601.1712 06/01/2015
+Workqueue: events intel_atomic_helper_free_state [i915]
+Call Trace:
+ dump_stack+0x4d/0x6d
+ print_trailer+0x20c/0x220
+ free_debug_processing+0x1c6/0x330
+ ? drm_atomic_state_default_clear+0xf7/0x1c0 [drm]
+ __slab_free+0x48/0x2e0
+ ? drm_atomic_state_default_clear+0xf7/0x1c0 [drm]
+ kfree+0x159/0x1a0
+ drm_atomic_state_default_clear+0xf7/0x1c0 [drm]
+ ? drm_atomic_state_clear+0x30/0x30 [drm]
+ intel_atomic_state_clear+0xd/0x20 [i915]
+ drm_atomic_state_clear+0x1a/0x30 [drm]
+ __drm_atomic_state_free+0x13/0x60 [drm]
+ intel_atomic_helper_free_state+0x5d/0x70 [i915]
+ process_one_work+0x260/0x4a0
+ worker_thread+0x2d1/0x4f0
+ kthread+0x127/0x130
+ ? process_one_work+0x4a0/0x4a0
+ ? kthread_stop+0x120/0x120
+ ret_from_fork+0x29/0x40
+FIX kmalloc-128: Object at 0xffff92fb65ec2578 not freed
+
+Fixes: 3b24f7d67581 ("drm/atomic: Add struct drm_crtc_commit to track async updates")
+Fixes: 9626014258a5 ("drm/fence: add in-fences support")
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Reviewed-by: Gustavo Padovan <gustavo.padovan@collabora.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: http://patchwork.freedesktop.org/patch/msgid/1485854725-27640-1-git-send-email-maarten.lankhorst@linux.intel.com
+CC: koos vriezen <koos.vriezen@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_atomic.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/drm_atomic.c
++++ b/drivers/gpu/drm/drm_atomic.c
+@@ -1759,16 +1759,16 @@ out:
+
+ if (ret && arg->flags & DRM_MODE_PAGE_FLIP_EVENT) {
+ /*
+- * TEST_ONLY and PAGE_FLIP_EVENT are mutually exclusive,
+- * if they weren't, this code should be called on success
+- * for TEST_ONLY too.
++ * Free the allocated event. drm_atomic_helper_setup_commit
++ * can allocate an event too, so only free it if it's ours
++ * to prevent a double free in drm_atomic_state_clear.
+ */
+-
+ for_each_crtc_in_state(state, crtc, crtc_state, i) {
+- if (!crtc_state->event)
+- continue;
+-
+- drm_event_cancel_free(dev, &crtc_state->event->base);
++ struct drm_pending_vblank_event *event = crtc_state->event;
++ if (event && (event->base.fence || event->base.file_priv)) {
++ drm_event_cancel_free(dev, &event->base);
++ crtc_state->event = NULL;
++ }
+ }
+ }
+
--- /dev/null
+From 6e7eb1783be7f19eb071c96ddda0bbf22279ff46 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Winiarski?= <michal.winiarski@intel.com>
+Date: Tue, 7 Feb 2017 20:55:59 +0100
+Subject: drm/i915: Always convert incoming exec offsets to non-canonical
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michał Winiarski <michal.winiarski@intel.com>
+
+commit 6e7eb1783be7f19eb071c96ddda0bbf22279ff46 upstream.
+
+We're using non-canonical addresses in drm_mm, and we're making sure that
+userspace is using canonical addressing - both in case of softpin
+(verifying incoming offset) and when relocating (converting to canonical
+when updating offset returned to userspace).
+Unfortunately when considering the need for relocations, we're comparing
+offset from userspace (in canonical form) with drm_mm node (in
+non-canonical form), and as a result, we end up always relocating if our
+offsets are in the "problematic" range.
+Let's always convert the offsets to avoid the performance impact of
+relocations.
+
+Fixes: a5f0edf63bdf ("drm/i915: Avoid writing relocs with addresses in non-canonical form")
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Michel Thierry <michel.thierry@intel.com>
+Reported-by: Michał Pyrzowski <michal.pyrzowski@intel.com>
+Signed-off-by: Michał Winiarski <michal.winiarski@intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20170207195559.18798-1-michal.winiarski@intel.com
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+(cherry picked from commit 038c95a313e4ca954ee5ab8a0c7559a646b0f462)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -1215,14 +1215,14 @@ validate_exec_list(struct drm_device *de
+ if (exec[i].offset !=
+ gen8_canonical_addr(exec[i].offset & PAGE_MASK))
+ return -EINVAL;
+-
+- /* From drm_mm perspective address space is continuous,
+- * so from this point we're always using non-canonical
+- * form internally.
+- */
+- exec[i].offset = gen8_noncanonical_addr(exec[i].offset);
+ }
+
++ /* From drm_mm perspective address space is continuous,
++ * so from this point we're always using non-canonical
++ * form internally.
++ */
++ exec[i].offset = gen8_noncanonical_addr(exec[i].offset);
++
+ if (exec[i].alignment && !is_power_of_2(exec[i].alignment))
+ return -EINVAL;
+
--- /dev/null
+From 789ea12500e5ce3911d0a6a822277c3133451927 Mon Sep 17 00:00:00 2001
+From: "Lee, Shawn C" <shawn.c.lee@intel.com>
+Date: Fri, 3 Feb 2017 12:32:09 +0800
+Subject: drm/i915/bxt: Add MST support when do DPLL calculation
+
+From: Lee, Shawn C <shawn.c.lee@intel.com>
+
+commit 789ea12500e5ce3911d0a6a822277c3133451927 upstream.
+
+Add the missing INTEL_OUTPUT_DP_MST case in bxt_get_dpll()
+to correctly initialize the crtc_state and port plls when
+link training a DP MST monitor on BXT/APL devices.
+
+Fixes: a277ca7dc01d ("drm/i915: Split bxt_ddi_pll_select()")
+Bugs: https://bugs.freedesktop.org/show_bug.cgi?id=99572
+Reviewed-by: Cooper Chiou <cooper.chiou@intel.com>
+Reviewed-by: Gary C Wang <gary.c.wang@intel.com>
+Reviewed-by: Ciobanu, Nathan D <nathan.d.ciobanu@intel.com>
+Reviewed-by: Herbert, Marc <marc.herbert@intel.com>
+Reviewed-by: Bride, Jim <jim.bride@intel.com>
+Reviewed-by: Navare, Manasi D <manasi.d.navare@intel.com>
+Cc: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Lee, Shawn C <shawn.c.lee@intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/1486096329-6255-1-git-send-email-shawn.c.lee@intel.com
+(cherry picked from commit 0aab2c721d81590012a5021a516f00666646741f)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_dpll_mgr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_dpll_mgr.c
++++ b/drivers/gpu/drm/i915/intel_dpll_mgr.c
+@@ -1723,7 +1723,8 @@ bxt_get_dpll(struct intel_crtc *crtc,
+ return NULL;
+
+ if ((encoder->type == INTEL_OUTPUT_DP ||
+- encoder->type == INTEL_OUTPUT_EDP) &&
++ encoder->type == INTEL_OUTPUT_EDP ||
++ encoder->type == INTEL_OUTPUT_DP_MST) &&
+ !bxt_ddi_dp_set_dpll_hw_state(clock, &dpll_hw_state))
+ return NULL;
+
--- /dev/null
+From 5351fbb1bf1413f6024892093528280769ca852f Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Thu, 26 Jan 2017 17:32:11 +0300
+Subject: drm/i915: fix use-after-free in page_flip_completed()
+
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+
+commit 5351fbb1bf1413f6024892093528280769ca852f upstream.
+
+page_flip_completed() dereferences 'work' variable after executing
+queue_work(). This is not safe as the 'work' item might be already freed
+by queued work:
+
+ BUG: KASAN: use-after-free in page_flip_completed+0x3ff/0x490 at addr ffff8803dc010f90
+ Call Trace:
+ __asan_report_load8_noabort+0x59/0x80
+ page_flip_completed+0x3ff/0x490
+ intel_finish_page_flip_mmio+0xe3/0x130
+ intel_pipe_handle_vblank+0x2d/0x40
+ gen8_irq_handler+0x4a7/0xed0
+ __handle_irq_event_percpu+0xf6/0x860
+ handle_irq_event_percpu+0x6b/0x160
+ handle_irq_event+0xc7/0x1b0
+ handle_edge_irq+0x1f4/0xa50
+ handle_irq+0x41/0x70
+ do_IRQ+0x9a/0x200
+ common_interrupt+0x89/0x89
+
+ Freed:
+ kfree+0x113/0x4d0
+ intel_unpin_work_fn+0x29a/0x3b0
+ process_one_work+0x79e/0x1b70
+ worker_thread+0x611/0x1460
+ kthread+0x241/0x3a0
+ ret_from_fork+0x27/0x40
+
+Move queue_work() after trace_i915_flip_complete() to fix this.
+
+Fixes: e5510fac98a7 ("drm/i915: add tracepoints for flip requests & completions")
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: http://patchwork.freedesktop.org/patch/msgid/20170126143211.24013-1-aryabinin@virtuozzo.com
+(cherry picked from commit 05c41f926fcc7ef838c80a6a99d84f67b4e0b824)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_display.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -4280,10 +4280,10 @@ static void page_flip_completed(struct i
+ drm_crtc_vblank_put(&intel_crtc->base);
+
+ wake_up_all(&dev_priv->pending_flip_queue);
+- queue_work(dev_priv->wq, &work->unpin_work);
+-
+ trace_i915_flip_complete(intel_crtc->plane,
+ work->pending_flip_obj);
++
++ queue_work(dev_priv->wq, &work->unpin_work);
+ }
+
+ static int intel_crtc_wait_for_pending_flips(struct drm_crtc *crtc)
--- /dev/null
+From b3f2d07f4649adcf6905953a10d217b5683e4077 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 3 Feb 2017 17:35:46 +0100
+Subject: hns: avoid stack overflow with CONFIG_KASAN
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit b3f2d07f4649adcf6905953a10d217b5683e4077 upstream.
+
+The use of ACCESS_ONCE() looks like a micro-optimization to force gcc to use
+an indexed load for the register address, but it has an absolutely detrimental
+effect on builds with gcc-5 and CONFIG_KASAN=y, leading to a very likely
+kernel stack overflow aside from very complex object code:
+
+hisilicon/hns/hns_dsaf_gmac.c: In function 'hns_gmac_update_stats':
+hisilicon/hns/hns_dsaf_gmac.c:419:1: error: the frame size of 2912 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+hisilicon/hns/hns_dsaf_ppe.c: In function 'hns_ppe_reset_common':
+hisilicon/hns/hns_dsaf_ppe.c:390:1: error: the frame size of 1184 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+hisilicon/hns/hns_dsaf_ppe.c: In function 'hns_ppe_get_regs':
+hisilicon/hns/hns_dsaf_ppe.c:621:1: error: the frame size of 3632 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+hisilicon/hns/hns_dsaf_rcb.c: In function 'hns_rcb_get_common_regs':
+hisilicon/hns/hns_dsaf_rcb.c:970:1: error: the frame size of 2784 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+hisilicon/hns/hns_dsaf_gmac.c: In function 'hns_gmac_get_regs':
+hisilicon/hns/hns_dsaf_gmac.c:641:1: error: the frame size of 5728 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+hisilicon/hns/hns_dsaf_rcb.c: In function 'hns_rcb_get_ring_regs':
+hisilicon/hns/hns_dsaf_rcb.c:1021:1: error: the frame size of 2208 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_comm_init':
+hisilicon/hns/hns_dsaf_main.c:1209:1: error: the frame size of 1904 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+hisilicon/hns/hns_dsaf_xgmac.c: In function 'hns_xgmac_get_regs':
+hisilicon/hns/hns_dsaf_xgmac.c:748:1: error: the frame size of 4704 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_update_stats':
+hisilicon/hns/hns_dsaf_main.c:2420:1: error: the frame size of 1088 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_get_regs':
+hisilicon/hns/hns_dsaf_main.c:2753:1: error: the frame size of 10768 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+
+This does not seem to happen any more with gcc-7, but removing the ACCESS_ONCE
+seems safe anyway and it avoids a serious issue for some people. I have verified
+that with gcc-5.3.1, the object code we get is better in the new version
+both with and without CONFIG_KASAN, as we no longer allocate a 1344 byte
+stack frame for hns_dsaf_get_regs() but otherwise have practically identical
+object code.
+
+With gcc-7.0.0, removing ACCESS_ONCE has no effect, the object code is already
+good either way.
+
+This patch is probably not urgent to get into 4.11 as only KASAN=y builds
+with certain compilers are affected, but I still think it makes sense to
+backport into older kernels.
+
+Fixes: 511e6bc ("net: add Hisilicon Network Subsystem DSAF support")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h
+@@ -1007,9 +1007,7 @@
+
+ static inline void dsaf_write_reg(void __iomem *base, u32 reg, u32 value)
+ {
+- u8 __iomem *reg_addr = ACCESS_ONCE(base);
+-
+- writel(value, reg_addr + reg);
++ writel(value, base + reg);
+ }
+
+ #define dsaf_write_dev(a, reg, value) \
+@@ -1017,9 +1015,7 @@ static inline void dsaf_write_reg(void _
+
+ static inline u32 dsaf_read_reg(u8 __iomem *base, u32 reg)
+ {
+- u8 __iomem *reg_addr = ACCESS_ONCE(base);
+-
+- return readl(reg_addr + reg);
++ return readl(base + reg);
+ }
+
+ static inline void dsaf_write_syscon(struct regmap *base, u32 reg, u32 value)
--- /dev/null
+From b22bc27868e8c11fe3f00937a341b44f80b50364 Mon Sep 17 00:00:00 2001
+From: "Bryant G. Ly" <bryantly@linux.vnet.ibm.com>
+Date: Mon, 6 Feb 2017 10:04:28 -0600
+Subject: ibmvscsis: Add SGL limit
+
+From: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+
+commit b22bc27868e8c11fe3f00937a341b44f80b50364 upstream.
+
+This patch adds internal LIO sgl limit since the driver already
+sets a max transfer limit on transport layer of 1MB to the client.
+
+Tested-by: Steven Royer <seroyer@linux.vnet.ibm.com>
+Signed-off-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
++++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
+@@ -3929,6 +3929,7 @@ static struct configfs_attribute *ibmvsc
+ static const struct target_core_fabric_ops ibmvscsis_ops = {
+ .module = THIS_MODULE,
+ .name = "ibmvscsis",
++ .max_data_sg_nents = MAX_TXU / PAGE_SIZE,
+ .get_fabric_name = ibmvscsis_get_fabric_name,
+ .tpg_get_wwn = ibmvscsis_get_fabric_wwn,
+ .tpg_get_tag = ibmvscsis_get_tag,
--- /dev/null
+From da7061c82e4a1bc6a5e134ef362c86261906c860 Mon Sep 17 00:00:00 2001
+From: Thorsten Horstmann <thorsten@defutech.de>
+Date: Fri, 3 Feb 2017 14:38:29 +0100
+Subject: mac80211: Fix adding of mesh vendor IEs
+
+From: Thorsten Horstmann <thorsten@defutech.de>
+
+commit da7061c82e4a1bc6a5e134ef362c86261906c860 upstream.
+
+The function ieee80211_ie_split_vendor doesn't return 0 on errors. Instead
+it returns any offset < ielen when WLAN_EID_VENDOR_SPECIFIC is found. The
+return value in mesh_add_vendor_ies must therefore be checked against
+ifmsh->ie_len and not 0. Otherwise all ifmsh->ie starting with
+WLAN_EID_VENDOR_SPECIFIC will be rejected.
+
+Fixes: 082ebb0c258d ("mac80211: fix mesh beacon format")
+Signed-off-by: Thorsten Horstmann <thorsten@defutech.de>
+Signed-off-by: Mathias Kretschmer <mathias.kretschmer@fit.fraunhofer.de>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+[sven@narfation.org: Add commit message]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mesh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -339,7 +339,7 @@ int mesh_add_vendor_ies(struct ieee80211
+ /* fast-forward to vendor IEs */
+ offset = ieee80211_ie_split_vendor(ifmsh->ie, ifmsh->ie_len, 0);
+
+- if (offset) {
++ if (offset < ifmsh->ie_len) {
+ len = ifmsh->ie_len - offset;
+ data = ifmsh->ie + offset;
+ if (skb_tailroom(skb) < len)
--- /dev/null
+From a810007afe239d59c1115fcaa06eb5b480f876e9 Mon Sep 17 00:00:00 2001
+From: Sean Rees <sean@erifax.org>
+Date: Wed, 8 Feb 2017 14:30:59 -0800
+Subject: mm/slub.c: fix random_seq offset destruction
+
+From: Sean Rees <sean@erifax.org>
+
+commit a810007afe239d59c1115fcaa06eb5b480f876e9 upstream.
+
+Commit 210e7a43fa90 ("mm: SLUB freelist randomization") broke USB hub
+initialisation as described in
+
+ https://bugzilla.kernel.org/show_bug.cgi?id=177551.
+
+Bail out early from init_cache_random_seq if s->random_seq is already
+initialised. This prevents destroying the previously computed
+random_seq offsets later in the function.
+
+If the offsets are destroyed, then shuffle_freelist will truncate
+page->freelist to just the first object (orphaning the rest).
+
+Fixes: 210e7a43fa90 ("mm: SLUB freelist randomization")
+Link: http://lkml.kernel.org/r/20170207140707.20824-1-sean@erifax.org
+Signed-off-by: Sean Rees <sean@erifax.org>
+Reported-by: <userwithuid@gmail.com>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Thomas Garnier <thgarnie@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/slub.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1419,6 +1419,10 @@ static int init_cache_random_seq(struct
+ int err;
+ unsigned long i, count = oo_objects(s->oo);
+
++ /* Bailout if already initialised */
++ if (s->random_seq)
++ return 0;
++
+ err = cache_random_seq_create(s, count, GFP_KERNEL);
+ if (err) {
+ pr_err("SLUB: Unable to initialize free list for %s\n",
--- /dev/null
+From 1d3398facd08a7fd4202f269317a95668eb880b9 Mon Sep 17 00:00:00 2001
+From: Gal Pressman <galp@mellanox.com>
+Date: Wed, 11 Jan 2017 14:32:26 +0200
+Subject: net/mlx5e: Modify TIRs hash only when it's needed
+
+From: Gal Pressman <galp@mellanox.com>
+
+commit 1d3398facd08a7fd4202f269317a95668eb880b9 upstream.
+
+We don't need to modify our TIRs unless the user requested a change in
+the hash function/key, for example when changing indirection only.
+
+Tested:
+ # Modify TIRs hash is needed
+ethtool -X ethX hkey <new key>
+ethtool -X ethX hfunc <new func>
+
+ # Modify TIRs hash is not needed
+ethtool -X ethX equal <new indirection table>
+
+All cases are verified with TCP Multi-Stream traffic over IPv4 & IPv6.
+
+Fixes: bdfc028de1b3 ("net/mlx5e: Fix ethtool RX hash func configuration change")
+Signed-off-by: Gal Pressman <galp@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -991,6 +991,7 @@ static int mlx5e_set_rxfh(struct net_dev
+ {
+ struct mlx5e_priv *priv = netdev_priv(dev);
+ int inlen = MLX5_ST_SZ_BYTES(modify_tir_in);
++ bool hash_changed = false;
+ void *in;
+
+ if ((hfunc != ETH_RSS_HASH_NO_CHANGE) &&
+@@ -1012,14 +1013,21 @@ static int mlx5e_set_rxfh(struct net_dev
+ mlx5e_redirect_rqt(priv, rqtn, MLX5E_INDIR_RQT_SIZE, 0);
+ }
+
+- if (key)
++ if (hfunc != ETH_RSS_HASH_NO_CHANGE &&
++ hfunc != priv->params.rss_hfunc) {
++ priv->params.rss_hfunc = hfunc;
++ hash_changed = true;
++ }
++
++ if (key) {
+ memcpy(priv->params.toeplitz_hash_key, key,
+ sizeof(priv->params.toeplitz_hash_key));
++ hash_changed = hash_changed ||
++ priv->params.rss_hfunc == ETH_RSS_HASH_TOP;
++ }
+
+- if (hfunc != ETH_RSS_HASH_NO_CHANGE)
+- priv->params.rss_hfunc = hfunc;
+-
+- mlx5e_modify_tirs_hash(priv, in, inlen);
++ if (hash_changed)
++ mlx5e_modify_tirs_hash(priv, in, inlen);
+
+ mutex_unlock(&priv->state_lock);
+
--- /dev/null
+From fd551bac4795854adaa87bad7e5136083719802b Mon Sep 17 00:00:00 2001
+From: Masashi Honma <masashi.honma@gmail.com>
+Date: Thu, 26 Jan 2017 08:56:13 +0900
+Subject: nl80211: Fix mesh HT operation check
+
+From: Masashi Honma <masashi.honma@gmail.com>
+
+commit fd551bac4795854adaa87bad7e5136083719802b upstream.
+
+A previous change to fix checks for NL80211_MESHCONF_HT_OPMODE
+missed setting the flag when replacing FILL_IN_MESH_PARAM_IF_SET
+with checking codes. This results in dropping the received HT
+operation value when called by nl80211_update_mesh_config(). Fix
+this by setting the flag properly.
+
+Fixes: 9757235f451c ("nl80211: correct checks for NL80211_MESHCONF_HT_OPMODE value")
+Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
+[rewrite commit message to use Fixes: line]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -5874,6 +5874,7 @@ do { \
+ break;
+ }
+ cfg->ht_opmode = ht_opmode;
++ mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
+ }
+ FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
+ 1, 65535, mask,
--- /dev/null
+From 52f5631a4c056ad01682393be56d2be237e81610 Mon Sep 17 00:00:00 2001
+From: Jurij Smakov <jurij@wooyd.org>
+Date: Mon, 30 Jan 2017 15:41:36 -0600
+Subject: rtlwifi: rtl8192ce: Fix loading of incorrect firmware
+
+From: Jurij Smakov <jurij@wooyd.org>
+
+commit 52f5631a4c056ad01682393be56d2be237e81610 upstream.
+
+In commit cf4747d7535a ("rtlwifi: Fix regression caused by commit
+d86e64768859, an error in the edit results in the wrong firmware
+being loaded for some models of the RTL8188/8192CE. In this condition,
+the connection suffered from high ping latency, slow transfer rates,
+ and required higher signal strengths to work at all
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853073,
+https://bugzilla.opensuse.org/show_bug.cgi?id=1017471, and
+https://github.com/lwfinger/rtlwifi_new/issues/203 for descriptions
+of the problems. This patch fixes all of those problems.
+
+Fixes: cf4747d7535a ("rtlwifi: Fix regression caused by commit d86e64768859")
+Signed-off-by: Jurij Smakov <jurij@wooyd.org>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192ce/sw.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/sw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/sw.c
+@@ -96,7 +96,7 @@ int rtl92c_init_sw_vars(struct ieee80211
+ struct rtl_priv *rtlpriv = rtl_priv(hw);
+ struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw));
+ struct rtl_hal *rtlhal = rtl_hal(rtl_priv(hw));
+- char *fw_name = "rtlwifi/rtl8192cfwU.bin";
++ char *fw_name;
+
+ rtl8192ce_bt_reg_init(hw);
+
+@@ -168,8 +168,13 @@ int rtl92c_init_sw_vars(struct ieee80211
+ }
+
+ /* request fw */
+- if (IS_81XXC_VENDOR_UMC_B_CUT(rtlhal->version))
++ if (IS_VENDOR_UMC_A_CUT(rtlhal->version) &&
++ !IS_92C_SERIAL(rtlhal->version))
++ fw_name = "rtlwifi/rtl8192cfwU.bin";
++ else if (IS_81XXC_VENDOR_UMC_B_CUT(rtlhal->version))
+ fw_name = "rtlwifi/rtl8192cfwU_B.bin";
++ else
++ fw_name = "rtlwifi/rtl8192cfw.bin";
+
+ rtlpriv->max_fw_size = 0x4000;
+ pr_info("Using firmware %s\n", fw_name);
input-uinput-fix-crash-when-mixing-old-and-new-init-style.patch
selinux-fix-off-by-one-in-setprocattr.patch
revert-x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch
+rtlwifi-rtl8192ce-fix-loading-of-incorrect-firmware.patch
+cpumask-use-nr_cpumask_bits-for-parsing-functions.patch
+mm-slub.c-fix-random_seq-offset-destruction.patch
+ibmvscsis-add-sgl-limit.patch
+hns-avoid-stack-overflow-with-config_kasan.patch
+arm-8643-3-arm-ptrace-preserve-previous-registers-for-short-regset-write.patch
+drm-i915-fix-use-after-free-in-page_flip_completed.patch
+drm-i915-bxt-add-mst-support-when-do-dpll-calculation.patch
+drm-atomic-fix-double-free-in-drm_atomic_state_default_clear.patch
+target-don-t-bug_on-during-nodeacl-dynamic-explicit-conversion.patch
+target-use-correct-scsi-status-during-extended_copy-exception.patch
+target-fix-early-transport_generic_handle_tmr-abort-scenario.patch
+target-fix-multi-session-dynamic-se_node_acl-double-free-oops.patch
+target-fix-compare_and_write-ref-leak-for-non-good-status.patch
+arm-dts-imx6dl-fix-gpio4-range.patch
+arm-8642-1-lpae-catch-pending-imprecise-abort-on-unmask.patch
+drm-i915-always-convert-incoming-exec-offsets-to-non-canonical.patch
+nl80211-fix-mesh-ht-operation-check.patch
+mac80211-fix-adding-of-mesh-vendor-ies.patch
+net-mlx5e-modify-tirs-hash-only-when-it-s-needed.patch
--- /dev/null
+From 391e2a6de9781e4906dd7e0b1cc097050bf43e11 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Sun, 23 Oct 2016 14:28:15 -0700
+Subject: target: Don't BUG_ON during NodeACL dynamic -> explicit conversion
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 391e2a6de9781e4906dd7e0b1cc097050bf43e11 upstream.
+
+After the v4.2+ RCU conversion to se_node_acl->lun_entry_hlist,
+a BUG_ON() was added in core_enable_device_list_for_node() to
+detect when the located orig->se_lun_acl contains an existing
+se_lun_acl pointer reference.
+
+However, this scenario can happen when a dynamically generated
+NodeACL is being converted to an explicit NodeACL, when the
+explicit NodeACL contains a different LUN mapping than the
+default provided by the WWN endpoint.
+
+So instead of triggering BUG_ON(), go ahead and fail instead
+following the original pre RCU conversion logic.
+
+Reported-by: Benjamin ESTRABAUD <ben.estrabaud@mpstor.com>
+Cc: Benjamin ESTRABAUD <ben.estrabaud@mpstor.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_device.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_device.c
++++ b/drivers/target/target_core_device.c
+@@ -351,7 +351,15 @@ int core_enable_device_list_for_node(
+ kfree(new);
+ return -EINVAL;
+ }
+- BUG_ON(orig->se_lun_acl != NULL);
++ if (orig->se_lun_acl != NULL) {
++ pr_warn_ratelimited("Detected existing explicit"
++ " se_lun_acl->se_lun_group reference for %s"
++ " mapped_lun: %llu, failing\n",
++ nacl->initiatorname, mapped_lun);
++ mutex_unlock(&nacl->lun_entry_mutex);
++ kfree(new);
++ return -EINVAL;
++ }
+
+ rcu_assign_pointer(new->se_lun, lun);
+ rcu_assign_pointer(new->se_lun_acl, lun_acl);
--- /dev/null
+From 9b2792c3da1e80f2d460167d319302a24c9ca2b7 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Mon, 6 Feb 2017 14:28:09 -0800
+Subject: target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 9b2792c3da1e80f2d460167d319302a24c9ca2b7 upstream.
+
+This patch addresses a long standing bug where the commit phase
+of COMPARE_AND_WRITE would result in a se_cmd->cmd_kref reference
+leak if se_cmd->scsi_status returned non SAM_STAT_GOOD.
+
+This would manifest first as a lost SCSI response, and eventual
+hung task during fabric driver logout or re-login, as existing
+shutdown logic waited for the COMPARE_AND_WRITE se_cmd->cmd_kref
+to reach zero.
+
+To address this bug, compare_and_write_post() has been changed
+to drop the incorrect !cmd->scsi_status conditional that was
+preventing *post_ret = 1 for being set during non SAM_STAT_GOOD
+status.
+
+This patch has been tested with SAM_STAT_CHECK_CONDITION status
+from normal target_complete_cmd() callback path, as well as the
+incoming __target_execute_cmd() submission failure path when
+se_cmd->execute_cmd() returns non zero status.
+
+Reported-by: Donald White <dew@datera.io>
+Cc: Donald White <dew@datera.io>
+Tested-by: Gary Guo <ghg@datera.io>
+Cc: Gary Guo <ghg@datera.io>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_sbc.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/target/target_core_sbc.c
++++ b/drivers/target/target_core_sbc.c
+@@ -450,6 +450,7 @@ static sense_reason_t compare_and_write_
+ int *post_ret)
+ {
+ struct se_device *dev = cmd->se_dev;
++ sense_reason_t ret = TCM_NO_SENSE;
+
+ /*
+ * Only set SCF_COMPARE_AND_WRITE_POST to force a response fall-through
+@@ -457,9 +458,12 @@ static sense_reason_t compare_and_write_
+ * sent to the backend driver.
+ */
+ spin_lock_irq(&cmd->t_state_lock);
+- if ((cmd->transport_state & CMD_T_SENT) && !cmd->scsi_status) {
++ if (cmd->transport_state & CMD_T_SENT) {
+ cmd->se_cmd_flags |= SCF_COMPARE_AND_WRITE_POST;
+ *post_ret = 1;
++
++ if (cmd->scsi_status == SAM_STAT_CHECK_CONDITION)
++ ret = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+ }
+ spin_unlock_irq(&cmd->t_state_lock);
+
+@@ -469,7 +473,7 @@ static sense_reason_t compare_and_write_
+ */
+ up(&dev->caw_sem);
+
+- return TCM_NO_SENSE;
++ return ret;
+ }
+
+ static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool success,
--- /dev/null
+From c54eeffbe9338fa982dc853d816fda9202a13b5a Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Tue, 6 Dec 2016 22:45:46 -0800
+Subject: target: Fix early transport_generic_handle_tmr abort scenario
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit c54eeffbe9338fa982dc853d816fda9202a13b5a upstream.
+
+This patch fixes a bug where incoming task management requests
+can be explicitly aborted during an active LUN_RESET, but who's
+struct work_struct are canceled in-flight before execution.
+
+This occurs when core_tmr_drain_tmr_list() invokes cancel_work_sync()
+for the incoming se_tmr_req->task_cmd->work, resulting in cmd->work
+for target_tmr_work() never getting invoked and the aborted TMR
+waiting indefinately within transport_wait_for_tasks().
+
+To address this case, perform a CMD_T_ABORTED check early in
+transport_generic_handle_tmr(), and invoke the normal path via
+transport_cmd_check_stop_to_fabric() to complete any TMR kthreads
+blocked waiting for CMD_T_STOP in transport_wait_for_tasks().
+
+Also, move the TRANSPORT_ISTATE_PROCESSING assignment earlier
+into transport_generic_handle_tmr() so the existing check in
+core_tmr_drain_tmr_list() avoids attempting abort the incoming
+se_tmr_req->task_cmd->work if it has already been queued into
+se_device->tmr_wq.
+
+Reported-by: Rob Millner <rlm@daterainc.com>
+Tested-by: Rob Millner <rlm@daterainc.com>
+Cc: Rob Millner <rlm@daterainc.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -3086,7 +3086,6 @@ static void target_tmr_work(struct work_
+ spin_unlock_irqrestore(&cmd->t_state_lock, flags);
+ goto check_stop;
+ }
+- cmd->t_state = TRANSPORT_ISTATE_PROCESSING;
+ spin_unlock_irqrestore(&cmd->t_state_lock, flags);
+
+ cmd->se_tfo->queue_tm_rsp(cmd);
+@@ -3099,11 +3098,25 @@ int transport_generic_handle_tmr(
+ struct se_cmd *cmd)
+ {
+ unsigned long flags;
++ bool aborted = false;
+
+ spin_lock_irqsave(&cmd->t_state_lock, flags);
+- cmd->transport_state |= CMD_T_ACTIVE;
++ if (cmd->transport_state & CMD_T_ABORTED) {
++ aborted = true;
++ } else {
++ cmd->t_state = TRANSPORT_ISTATE_PROCESSING;
++ cmd->transport_state |= CMD_T_ACTIVE;
++ }
+ spin_unlock_irqrestore(&cmd->t_state_lock, flags);
+
++ if (aborted) {
++ pr_warn_ratelimited("handle_tmr caught CMD_T_ABORTED TMR %d"
++ "ref_tag: %llu tag: %llu\n", cmd->se_tmr_req->function,
++ cmd->se_tmr_req->ref_task_tag, cmd->tag);
++ transport_cmd_check_stop_to_fabric(cmd);
++ return 0;
++ }
++
+ INIT_WORK(&cmd->work, target_tmr_work);
+ queue_work(cmd->se_dev->tmr_wq, &cmd->work);
+ return 0;
--- /dev/null
+From 01d4d673558985d9a118e1e05026633c3e2ade9b Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Wed, 7 Dec 2016 12:55:54 -0800
+Subject: target: Fix multi-session dynamic se_node_acl double free OOPs
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 01d4d673558985d9a118e1e05026633c3e2ade9b upstream.
+
+This patch addresses a long-standing bug with multi-session
+(eg: iscsi-target + iser-target) se_node_acl dynamic free
+withini transport_deregister_session().
+
+This bug is caused when a storage endpoint is configured with
+demo-mode (generate_node_acls = 1 + cache_dynamic_acls = 1)
+initiators, and initiator login creates a new dynamic node acl
+and attaches two sessions to it.
+
+After that, demo-mode for the storage instance is disabled via
+configfs (generate_node_acls = 0 + cache_dynamic_acls = 0) and
+the existing dynamic acl is never converted to an explicit ACL.
+
+The end result is dynamic acl resources are released twice when
+the sessions are shutdown in transport_deregister_session().
+
+If the storage instance is not changed to disable demo-mode,
+or the dynamic acl is converted to an explict ACL, or there
+is only a single session associated with the dynamic ACL,
+the bug is not triggered.
+
+To address this big, move the release of dynamic se_node_acl
+memory into target_complete_nacl() so it's only freed once
+when se_node_acl->acl_kref reaches zero.
+
+(Drop unnecessary list_del_init usage - HCH)
+
+Reported-by: Rob Millner <rlm@daterainc.com>
+Tested-by: Rob Millner <rlm@daterainc.com>
+Cc: Rob Millner <rlm@daterainc.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c | 69 ++++++++++++++++++++-------------
+ include/target/target_core_base.h | 1
+ 2 files changed, 44 insertions(+), 26 deletions(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -457,8 +457,20 @@ static void target_complete_nacl(struct
+ {
+ struct se_node_acl *nacl = container_of(kref,
+ struct se_node_acl, acl_kref);
++ struct se_portal_group *se_tpg = nacl->se_tpg;
+
+- complete(&nacl->acl_free_comp);
++ if (!nacl->dynamic_stop) {
++ complete(&nacl->acl_free_comp);
++ return;
++ }
++
++ mutex_lock(&se_tpg->acl_node_mutex);
++ list_del(&nacl->acl_list);
++ mutex_unlock(&se_tpg->acl_node_mutex);
++
++ core_tpg_wait_for_nacl_pr_ref(nacl);
++ core_free_device_list_for_node(nacl, se_tpg);
++ kfree(nacl);
+ }
+
+ void target_put_nacl(struct se_node_acl *nacl)
+@@ -499,12 +511,39 @@ EXPORT_SYMBOL(transport_deregister_sessi
+ void transport_free_session(struct se_session *se_sess)
+ {
+ struct se_node_acl *se_nacl = se_sess->se_node_acl;
++
+ /*
+ * Drop the se_node_acl->nacl_kref obtained from within
+ * core_tpg_get_initiator_node_acl().
+ */
+ if (se_nacl) {
++ struct se_portal_group *se_tpg = se_nacl->se_tpg;
++ const struct target_core_fabric_ops *se_tfo = se_tpg->se_tpg_tfo;
++ unsigned long flags;
++
+ se_sess->se_node_acl = NULL;
++
++ /*
++ * Also determine if we need to drop the extra ->cmd_kref if
++ * it had been previously dynamically generated, and
++ * the endpoint is not caching dynamic ACLs.
++ */
++ mutex_lock(&se_tpg->acl_node_mutex);
++ if (se_nacl->dynamic_node_acl &&
++ !se_tfo->tpg_check_demo_mode_cache(se_tpg)) {
++ spin_lock_irqsave(&se_nacl->nacl_sess_lock, flags);
++ if (list_empty(&se_nacl->acl_sess_list))
++ se_nacl->dynamic_stop = true;
++ spin_unlock_irqrestore(&se_nacl->nacl_sess_lock, flags);
++
++ if (se_nacl->dynamic_stop)
++ list_del(&se_nacl->acl_list);
++ }
++ mutex_unlock(&se_tpg->acl_node_mutex);
++
++ if (se_nacl->dynamic_stop)
++ target_put_nacl(se_nacl);
++
+ target_put_nacl(se_nacl);
+ }
+ if (se_sess->sess_cmd_map) {
+@@ -518,16 +557,12 @@ EXPORT_SYMBOL(transport_free_session);
+ void transport_deregister_session(struct se_session *se_sess)
+ {
+ struct se_portal_group *se_tpg = se_sess->se_tpg;
+- const struct target_core_fabric_ops *se_tfo;
+- struct se_node_acl *se_nacl;
+ unsigned long flags;
+- bool drop_nacl = false;
+
+ if (!se_tpg) {
+ transport_free_session(se_sess);
+ return;
+ }
+- se_tfo = se_tpg->se_tpg_tfo;
+
+ spin_lock_irqsave(&se_tpg->session_lock, flags);
+ list_del(&se_sess->sess_list);
+@@ -535,33 +570,15 @@ void transport_deregister_session(struct
+ se_sess->fabric_sess_ptr = NULL;
+ spin_unlock_irqrestore(&se_tpg->session_lock, flags);
+
+- /*
+- * Determine if we need to do extra work for this initiator node's
+- * struct se_node_acl if it had been previously dynamically generated.
+- */
+- se_nacl = se_sess->se_node_acl;
+-
+- mutex_lock(&se_tpg->acl_node_mutex);
+- if (se_nacl && se_nacl->dynamic_node_acl) {
+- if (!se_tfo->tpg_check_demo_mode_cache(se_tpg)) {
+- list_del(&se_nacl->acl_list);
+- drop_nacl = true;
+- }
+- }
+- mutex_unlock(&se_tpg->acl_node_mutex);
+-
+- if (drop_nacl) {
+- core_tpg_wait_for_nacl_pr_ref(se_nacl);
+- core_free_device_list_for_node(se_nacl, se_tpg);
+- se_sess->se_node_acl = NULL;
+- kfree(se_nacl);
+- }
+ pr_debug("TARGET_CORE[%s]: Deregistered fabric_sess\n",
+ se_tpg->se_tpg_tfo->get_fabric_name());
+ /*
+ * If last kref is dropping now for an explicit NodeACL, awake sleeping
+ * ->acl_free_comp caller to wakeup configfs se_node_acl->acl_group
+ * removal context from within transport_free_session() code.
++ *
++ * For dynamic ACL, target_put_nacl() uses target_complete_nacl()
++ * to release all remaining generate_node_acl=1 created ACL resources.
+ */
+
+ transport_free_session(se_sess);
+--- a/include/target/target_core_base.h
++++ b/include/target/target_core_base.h
+@@ -538,6 +538,7 @@ struct se_node_acl {
+ char initiatorname[TRANSPORT_IQN_LEN];
+ /* Used to signal demo mode created ACL, disabled by default */
+ bool dynamic_node_acl;
++ bool dynamic_stop;
+ u32 queue_depth;
+ u32 acl_index;
+ enum target_prot_type saved_prot_type;
--- /dev/null
+From 0583c261e6325f392c1f7a1b9112e31298e1a4bd Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Mon, 31 Oct 2016 00:54:40 -0700
+Subject: target: Use correct SCSI status during EXTENDED_COPY exception
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 0583c261e6325f392c1f7a1b9112e31298e1a4bd upstream.
+
+This patch adds the missing target_complete_cmd() SCSI status
+parameter change in target_xcopy_do_work(), that was originally
+missing in commit 926317de33.
+
+It correctly propigates up the correct SCSI status during
+EXTENDED_COPY exception cases, instead of always using the
+hardcoded SAM_STAT_CHECK_CONDITION from original code.
+
+This is required for ESX host environments that expect to
+hit SAM_STAT_RESERVATION_CONFLICT for certain scenarios,
+and SAM_STAT_CHECK_CONDITION results in non-retriable
+status for these cases.
+
+Reported-by: Nixon Vincent <nixon.vincent@calsoftinc.com>
+Tested-by: Nixon Vincent <nixon.vincent@calsoftinc.com>
+Cc: Nixon Vincent <nixon.vincent@calsoftinc.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_xcopy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_xcopy.c
++++ b/drivers/target/target_core_xcopy.c
+@@ -836,7 +836,7 @@ out:
+ " CHECK_CONDITION -> sending response\n", rc);
+ ec_cmd->scsi_status = SAM_STAT_CHECK_CONDITION;
+ }
+- target_complete_cmd(ec_cmd, SAM_STAT_CHECK_CONDITION);
++ target_complete_cmd(ec_cmd, ec_cmd->scsi_status);
+ }
+
+ sense_reason_t target_do_xcopy(struct se_cmd *se_cmd)
projects / thirdparty / kernel / stable-queue.git / commitdiff
