--- /dev/null
+From 562e2689baebaa2ac25b7ec934385480ed1cb7d6 Mon Sep 17 00:00:00 2001
+From: Sonny Jiang <sonny.jiang@amd.com>
+Date: Mon, 18 Apr 2016 16:05:04 -0400
+Subject: amdgpu/uvd: add uvd fw version for amdgpu
+
+From: Sonny Jiang <sonny.jiang@amd.com>
+
+commit 562e2689baebaa2ac25b7ec934385480ed1cb7d6 upstream.
+
+Was previously always hardcoded to 0.
+
+Signed-off-by: Sonny Jiang <sonny.jiang@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu.h | 1 +
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 2 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c | 3 +++
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
+@@ -1619,6 +1619,7 @@ struct amdgpu_uvd {
+ struct amdgpu_bo *vcpu_bo;
+ void *cpu_addr;
+ uint64_t gpu_addr;
++ unsigned fw_version;
+ atomic_t handles[AMDGPU_MAX_UVD_HANDLES];
+ struct drm_file *filp[AMDGPU_MAX_UVD_HANDLES];
+ struct delayed_work idle_work;
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+@@ -303,7 +303,7 @@ static int amdgpu_info_ioctl(struct drm_
+ fw_info.feature = adev->vce.fb_version;
+ break;
+ case AMDGPU_INFO_FW_UVD:
+- fw_info.ver = 0;
++ fw_info.ver = adev->uvd.fw_version;
+ fw_info.feature = 0;
+ break;
+ case AMDGPU_INFO_FW_GMC:
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c
+@@ -156,6 +156,9 @@ int amdgpu_uvd_sw_init(struct amdgpu_dev
+ DRM_INFO("Found UVD firmware Version: %hu.%hu Family ID: %hu\n",
+ version_major, version_minor, family_id);
+
++ adev->uvd.fw_version = ((version_major << 24) | (version_minor << 16) |
++ (family_id << 8));
++
+ bo_size = AMDGPU_GPU_PAGE_ALIGN(le32_to_cpu(hdr->ucode_size_bytes) + 8)
+ + AMDGPU_UVD_STACK_SIZE + AMDGPU_UVD_HEAP_SIZE;
+ r = amdgpu_bo_create(adev, bo_size, PAGE_SIZE, true,
--- /dev/null
+From f709b45ec461b548c41a00044dba1f1b572783bf Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Wed, 13 Apr 2016 10:52:25 -0500
+Subject: crypto: ccp - Prevent information leakage on export
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+commit f709b45ec461b548c41a00044dba1f1b572783bf upstream.
+
+Prevent information from leaking to userspace by doing a memset to 0 of
+the export state structure before setting the structure values and copying
+it. This prevents un-initialized padding areas from being copied into the
+export area.
+
+Reported-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccp/ccp-crypto-aes-cmac.c | 3 +++
+ drivers/crypto/ccp/ccp-crypto-sha.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c
++++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c
+@@ -225,6 +225,9 @@ static int ccp_aes_cmac_export(struct ah
+ struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req);
+ struct ccp_aes_cmac_exp_ctx state;
+
++ /* Don't let anything leak to 'out' */
++ memset(&state, 0, sizeof(state));
++
+ state.null_msg = rctx->null_msg;
+ memcpy(state.iv, rctx->iv, sizeof(state.iv));
+ state.buf_count = rctx->buf_count;
+--- a/drivers/crypto/ccp/ccp-crypto-sha.c
++++ b/drivers/crypto/ccp/ccp-crypto-sha.c
+@@ -212,6 +212,9 @@ static int ccp_sha_export(struct ahash_r
+ struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req);
+ struct ccp_sha_exp_ctx state;
+
++ /* Don't let anything leak to 'out' */
++ memset(&state, 0, sizeof(state));
++
+ state.type = rctx->type;
+ state.msg_bits = rctx->msg_bits;
+ state.first = rctx->first;
--- /dev/null
+From 6f0904ada402a45b3a0a3b9b6507d91d3a9da67a Mon Sep 17 00:00:00 2001
+From: Tadeusz Struk <tadeusz.struk@intel.com>
+Date: Wed, 6 Apr 2016 14:42:32 -0700
+Subject: crypto: rsa-pkcs1pad - fix dst len
+
+From: Tadeusz Struk <tadeusz.struk@intel.com>
+
+commit 6f0904ada402a45b3a0a3b9b6507d91d3a9da67a upstream.
+
+The output buffer length has to be at least as big as the key_size.
+It is then updated to the actual output size by the implementation.
+
+Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/rsa-pkcs1pad.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/crypto/rsa-pkcs1pad.c
++++ b/crypto/rsa-pkcs1pad.c
+@@ -310,16 +310,16 @@ static int pkcs1pad_decrypt(struct akcip
+ req_ctx->child_req.src = req->src;
+ req_ctx->child_req.src_len = req->src_len;
+ req_ctx->child_req.dst = req_ctx->out_sg;
+- req_ctx->child_req.dst_len = ctx->key_size - 1;
++ req_ctx->child_req.dst_len = ctx->key_size ;
+
+- req_ctx->out_buf = kmalloc(ctx->key_size - 1,
++ req_ctx->out_buf = kmalloc(ctx->key_size,
+ (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) ?
+ GFP_KERNEL : GFP_ATOMIC);
+ if (!req_ctx->out_buf)
+ return -ENOMEM;
+
+ pkcs1pad_sg_set_buf(req_ctx->out_sg, req_ctx->out_buf,
+- ctx->key_size - 1, NULL);
++ ctx->key_size, NULL);
+
+ akcipher_request_set_tfm(&req_ctx->child_req, ctx->child);
+ akcipher_request_set_callback(&req_ctx->child_req, req->base.flags,
+@@ -491,16 +491,16 @@ static int pkcs1pad_verify(struct akciph
+ req_ctx->child_req.src = req->src;
+ req_ctx->child_req.src_len = req->src_len;
+ req_ctx->child_req.dst = req_ctx->out_sg;
+- req_ctx->child_req.dst_len = ctx->key_size - 1;
++ req_ctx->child_req.dst_len = ctx->key_size;
+
+- req_ctx->out_buf = kmalloc(ctx->key_size - 1,
++ req_ctx->out_buf = kmalloc(ctx->key_size,
+ (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) ?
+ GFP_KERNEL : GFP_ATOMIC);
+ if (!req_ctx->out_buf)
+ return -ENOMEM;
+
+ pkcs1pad_sg_set_buf(req_ctx->out_sg, req_ctx->out_buf,
+- ctx->key_size - 1, NULL);
++ ctx->key_size, NULL);
+
+ akcipher_request_set_tfm(&req_ctx->child_req, ctx->child);
+ akcipher_request_set_callback(&req_ctx->child_req, req->base.flags,
--- /dev/null
+From 0851561d9c965df086ef8a53f981f5f95a57c2c8 Mon Sep 17 00:00:00 2001
+From: Xiaodong Liu <xiaodong.liu@intel.com>
+Date: Tue, 12 Apr 2016 09:45:51 +0000
+Subject: crypto: sha1-mb - use corrcet pointer while completing jobs
+
+From: Xiaodong Liu <xiaodong.liu@intel.com>
+
+commit 0851561d9c965df086ef8a53f981f5f95a57c2c8 upstream.
+
+In sha_complete_job, incorrect mcryptd_hash_request_ctx pointer is used
+when check and complete other jobs. If the memory of first completed req
+is freed, while still completing other jobs in the func, kernel will
+crash since NULL pointer is assigned to RIP.
+
+Signed-off-by: Xiaodong Liu <xiaodong.liu@intel.com>
+Acked-by: Tim Chen <tim.c.chen@linux.intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/crypto/sha-mb/sha1_mb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/crypto/sha-mb/sha1_mb.c
++++ b/arch/x86/crypto/sha-mb/sha1_mb.c
+@@ -453,10 +453,10 @@ static int sha_complete_job(struct mcryp
+
+ req = cast_mcryptd_ctx_to_req(req_ctx);
+ if (irqs_disabled())
+- rctx->complete(&req->base, ret);
++ req_ctx->complete(&req->base, ret);
+ else {
+ local_bh_disable();
+- rctx->complete(&req->base, ret);
++ req_ctx->complete(&req->base, ret);
+ local_bh_enable();
+ }
+ }
--- /dev/null
+From 340ff60ae93a5db2b2be6f38868df9a1293b6007 Mon Sep 17 00:00:00 2001
+From: Horia Geant? <horia.geanta@nxp.com>
+Date: Tue, 19 Apr 2016 20:33:48 +0300
+Subject: crypto: talitos - fix AEAD tcrypt tests
+
+From: Horia Geant? <horia.geanta@nxp.com>
+
+commit 340ff60ae93a5db2b2be6f38868df9a1293b6007 upstream.
+
+After conversion to new AEAD interface, tcrypt tests fail as follows:
+
+[...]
+[ 1.145414] alg: aead: Test 1 failed on encryption for authenc-hmac-sha1-cbc-aes-talitos
+[ 1.153564] 00000000: 53 69 6e 67 6c 65 20 62 6c 6f 63 6b 20 6d 73 67
+[ 1.160041] 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 1.166509] 00000020: 00 00 00 00
+[...]
+
+Fix them by providing the correct cipher in & cipher out pointers,
+i.e. must skip over associated data in src and dst S/G.
+
+While here, fix a problem with the HW S/G table index usage:
+tbl_off must be updated after the pointer to the table entries is set.
+
+Fixes: aeb4c132f33d ("crypto: talitos - Convert to new AEAD interface")
+Reported-by: Jonas Eymann <J.Eymann@gmx.net>
+Signed-off-by: Horia Geant? <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/talitos.c | 46 ++++++++++++++++++++++++++++++----------------
+ 1 file changed, 30 insertions(+), 16 deletions(-)
+
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -63,6 +63,14 @@ static void to_talitos_ptr(struct talito
+ ptr->eptr = upper_32_bits(dma_addr);
+ }
+
++static void copy_talitos_ptr(struct talitos_ptr *dst_ptr,
++ struct talitos_ptr *src_ptr, bool is_sec1)
++{
++ dst_ptr->ptr = src_ptr->ptr;
++ if (!is_sec1)
++ dst_ptr->eptr = src_ptr->eptr;
++}
++
+ static void to_talitos_ptr_len(struct talitos_ptr *ptr, unsigned int len,
+ bool is_sec1)
+ {
+@@ -1083,21 +1091,20 @@ static int ipsec_esp(struct talitos_edes
+ sg_count = dma_map_sg(dev, areq->src, edesc->src_nents ?: 1,
+ (areq->src == areq->dst) ? DMA_BIDIRECTIONAL
+ : DMA_TO_DEVICE);
+-
+ /* hmac data */
+ desc->ptr[1].len = cpu_to_be16(areq->assoclen);
+ if (sg_count > 1 &&
+ (ret = sg_to_link_tbl_offset(areq->src, sg_count, 0,
+ areq->assoclen,
+ &edesc->link_tbl[tbl_off])) > 1) {
+- tbl_off += ret;
+-
+ to_talitos_ptr(&desc->ptr[1], edesc->dma_link_tbl + tbl_off *
+ sizeof(struct talitos_ptr), 0);
+ desc->ptr[1].j_extent = DESC_PTR_LNKTBL_JUMP;
+
+ dma_sync_single_for_device(dev, edesc->dma_link_tbl,
+ edesc->dma_len, DMA_BIDIRECTIONAL);
++
++ tbl_off += ret;
+ } else {
+ to_talitos_ptr(&desc->ptr[1], sg_dma_address(areq->src), 0);
+ desc->ptr[1].j_extent = 0;
+@@ -1126,11 +1133,13 @@ static int ipsec_esp(struct talitos_edes
+ if (edesc->desc.hdr & DESC_HDR_MODE1_MDEU_CICV)
+ sg_link_tbl_len += authsize;
+
+- if (sg_count > 1 &&
+- (ret = sg_to_link_tbl_offset(areq->src, sg_count, areq->assoclen,
+- sg_link_tbl_len,
+- &edesc->link_tbl[tbl_off])) > 1) {
+- tbl_off += ret;
++ if (sg_count == 1) {
++ to_talitos_ptr(&desc->ptr[4], sg_dma_address(areq->src) +
++ areq->assoclen, 0);
++ } else if ((ret = sg_to_link_tbl_offset(areq->src, sg_count,
++ areq->assoclen, sg_link_tbl_len,
++ &edesc->link_tbl[tbl_off])) >
++ 1) {
+ desc->ptr[4].j_extent |= DESC_PTR_LNKTBL_JUMP;
+ to_talitos_ptr(&desc->ptr[4], edesc->dma_link_tbl +
+ tbl_off *
+@@ -1138,8 +1147,10 @@ static int ipsec_esp(struct talitos_edes
+ dma_sync_single_for_device(dev, edesc->dma_link_tbl,
+ edesc->dma_len,
+ DMA_BIDIRECTIONAL);
+- } else
+- to_talitos_ptr(&desc->ptr[4], sg_dma_address(areq->src), 0);
++ tbl_off += ret;
++ } else {
++ copy_talitos_ptr(&desc->ptr[4], &edesc->link_tbl[tbl_off], 0);
++ }
+
+ /* cipher out */
+ desc->ptr[5].len = cpu_to_be16(cryptlen);
+@@ -1151,11 +1162,13 @@ static int ipsec_esp(struct talitos_edes
+
+ edesc->icv_ool = false;
+
+- if (sg_count > 1 &&
+- (sg_count = sg_to_link_tbl_offset(areq->dst, sg_count,
++ if (sg_count == 1) {
++ to_talitos_ptr(&desc->ptr[5], sg_dma_address(areq->dst) +
++ areq->assoclen, 0);
++ } else if ((sg_count =
++ sg_to_link_tbl_offset(areq->dst, sg_count,
+ areq->assoclen, cryptlen,
+- &edesc->link_tbl[tbl_off])) >
+- 1) {
++ &edesc->link_tbl[tbl_off])) > 1) {
+ struct talitos_ptr *tbl_ptr = &edesc->link_tbl[tbl_off];
+
+ to_talitos_ptr(&desc->ptr[5], edesc->dma_link_tbl +
+@@ -1178,8 +1191,9 @@ static int ipsec_esp(struct talitos_edes
+ edesc->dma_len, DMA_BIDIRECTIONAL);
+
+ edesc->icv_ool = true;
+- } else
+- to_talitos_ptr(&desc->ptr[5], sg_dma_address(areq->dst), 0);
++ } else {
++ copy_talitos_ptr(&desc->ptr[5], &edesc->link_tbl[tbl_off], 0);
++ }
+
+ /* iv out */
+ map_single_talitos_ptr(dev, &desc->ptr[6], ivsize, ctx->iv,
--- /dev/null
+From 89d124cb61b39900959e2839ac06b6339b6a54cb Mon Sep 17 00:00:00 2001
+From: Jonas Eymann <J.Eymann@gmx.net>
+Date: Tue, 19 Apr 2016 20:33:47 +0300
+Subject: crypto: talitos - fix crash in talitos_cra_init()
+
+From: Jonas Eymann <J.Eymann@gmx.net>
+
+commit 89d124cb61b39900959e2839ac06b6339b6a54cb upstream.
+
+Conversion of talitos driver to the new AEAD interface
+hasn't been properly tested.
+
+AEAD algorithms crash in talitos_cra_init as follows:
+
+[...]
+[ 1.141095] talitos ffe30000.crypto: hwrng
+[ 1.145381] Unable to handle kernel paging request for data at address 0x00000058
+[ 1.152913] Faulting instruction address: 0xc02accc0
+[ 1.157910] Oops: Kernel access of bad area, sig: 11 [#1]
+[ 1.163315] SMP NR_CPUS=2 P1020 RDB
+[ 1.166810] Modules linked in:
+[ 1.169875] CPU: 0 PID: 1007 Comm: cryptomgr_test Not tainted 4.4.6 #1
+[ 1.176415] task: db5ec200 ti: db4d6000 task.ti: db4d6000
+[ 1.181821] NIP: c02accc0 LR: c02acd18 CTR: c02acd04
+[ 1.186793] REGS: db4d7d30 TRAP: 0300 Not tainted (4.4.6)
+[ 1.192457] MSR: 00029000 <CE,EE,ME> CR: 95009359 XER: e0000000
+[ 1.198585] DEAR: 00000058 ESR: 00000000
+GPR00: c017bdc0 db4d7de0 db5ec200 df424b48 00000000 00000000 df424bfc db75a600
+GPR08: df424b48 00000000 db75a628 db4d6000 00000149 00000000 c0044cac db5acda0
+GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000400 df424940
+GPR24: df424900 00003083 00000400 c0180000 db75a640 c03e9f84 df424b40 df424b48
+[ 1.230978] NIP [c02accc0] talitos_cra_init+0x28/0x6c
+[ 1.236039] LR [c02acd18] talitos_cra_init_aead+0x14/0x28
+[ 1.241443] Call Trace:
+[ 1.243894] [db4d7de0] [c03e9f84] 0xc03e9f84 (unreliable)
+[ 1.249322] [db4d7df0] [c017bdc0] crypto_create_tfm+0x5c/0xf0
+[ 1.255083] [db4d7e10] [c017beec] crypto_alloc_tfm+0x98/0xf8
+[ 1.260769] [db4d7e40] [c0186a20] alg_test_aead+0x28/0xc8
+[ 1.266181] [db4d7e60] [c0186718] alg_test+0x260/0x2e0
+[ 1.271333] [db4d7ee0] [c0183860] cryptomgr_test+0x30/0x54
+[ 1.276843] [db4d7ef0] [c0044d80] kthread+0xd4/0xd8
+[ 1.281741] [db4d7f40] [c000e4a4] ret_from_kernel_thread+0x5c/0x64
+[ 1.287930] Instruction dump:
+[ 1.290902] 38600000 4e800020 81230028 7c681b78 81490010 38e9ffc0 3929ffe8 554a073e
+[ 1.298691] 2b8a000a 7d474f9e 812a0008 91230030 <80e90058> 39270060 7c0004ac 7cc04828
+
+Fixes: aeb4c132f33d ("crypto: talitos - Convert to new AEAD interface")
+Signed-off-by: Jonas Eymann <J.Eymann@gmx.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Fix typo - replaced parameter of __crypto_ahash_alg(): s/tfm/alg
+Remove checkpatch warnings.
+Add commit message.
+
+Signed-off-by: Horia Geant? <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+
+---
+ drivers/crypto/talitos.c | 41 +++++++++++++++++++++++++++--------------
+ 1 file changed, 27 insertions(+), 14 deletions(-)
+
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -2629,21 +2629,11 @@ struct talitos_crypto_alg {
+ struct talitos_alg_template algt;
+ };
+
+-static int talitos_cra_init(struct crypto_tfm *tfm)
++static int talitos_init_common(struct talitos_ctx *ctx,
++ struct talitos_crypto_alg *talitos_alg)
+ {
+- struct crypto_alg *alg = tfm->__crt_alg;
+- struct talitos_crypto_alg *talitos_alg;
+- struct talitos_ctx *ctx = crypto_tfm_ctx(tfm);
+ struct talitos_private *priv;
+
+- if ((alg->cra_flags & CRYPTO_ALG_TYPE_MASK) == CRYPTO_ALG_TYPE_AHASH)
+- talitos_alg = container_of(__crypto_ahash_alg(alg),
+- struct talitos_crypto_alg,
+- algt.alg.hash);
+- else
+- talitos_alg = container_of(alg, struct talitos_crypto_alg,
+- algt.alg.crypto);
+-
+ /* update context with ptr to dev */
+ ctx->dev = talitos_alg->dev;
+
+@@ -2661,10 +2651,33 @@ static int talitos_cra_init(struct crypt
+ return 0;
+ }
+
++static int talitos_cra_init(struct crypto_tfm *tfm)
++{
++ struct crypto_alg *alg = tfm->__crt_alg;
++ struct talitos_crypto_alg *talitos_alg;
++ struct talitos_ctx *ctx = crypto_tfm_ctx(tfm);
++
++ if ((alg->cra_flags & CRYPTO_ALG_TYPE_MASK) == CRYPTO_ALG_TYPE_AHASH)
++ talitos_alg = container_of(__crypto_ahash_alg(alg),
++ struct talitos_crypto_alg,
++ algt.alg.hash);
++ else
++ talitos_alg = container_of(alg, struct talitos_crypto_alg,
++ algt.alg.crypto);
++
++ return talitos_init_common(ctx, talitos_alg);
++}
++
+ static int talitos_cra_init_aead(struct crypto_aead *tfm)
+ {
+- talitos_cra_init(crypto_aead_tfm(tfm));
+- return 0;
++ struct aead_alg *alg = crypto_aead_alg(tfm);
++ struct talitos_crypto_alg *talitos_alg;
++ struct talitos_ctx *ctx = crypto_aead_ctx(tfm);
++
++ talitos_alg = container_of(alg, struct talitos_crypto_alg,
++ algt.alg.aead);
++
++ return talitos_init_common(ctx, talitos_alg);
+ }
+
+ static int talitos_cra_init_ahash(struct crypto_tfm *tfm)
--- /dev/null
+From 83c5cda2ccf40a7a7e4bb674321509b346e23d5a Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 18 Apr 2016 18:25:34 -0400
+Subject: drm/amdgpu: bump the afmt limit for CZ, ST, Polaris
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 83c5cda2ccf40a7a7e4bb674321509b346e23d5a upstream.
+
+Fixes array overflow on these chips.
+
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_mode.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_mode.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_mode.h
+@@ -53,7 +53,7 @@ struct amdgpu_hpd;
+
+ #define AMDGPU_MAX_HPD_PINS 6
+ #define AMDGPU_MAX_CRTCS 6
+-#define AMDGPU_MAX_AFMT_BLOCKS 7
++#define AMDGPU_MAX_AFMT_BLOCKS 9
+
+ enum amdgpu_rmx_type {
+ RMX_OFF,
--- /dev/null
+From 3ea25f858fd5aeee888059952bbb8e910541eebb Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 18 Apr 2016 18:09:57 -0400
+Subject: drm/amdgpu: use defines for CRTCs and AMFT blocks
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 3ea25f858fd5aeee888059952bbb8e910541eebb upstream.
+
+Prerequiste for the next patch which ups the limits.
+
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_mode.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_mode.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_mode.h
+@@ -309,8 +309,8 @@ struct amdgpu_mode_info {
+ struct atom_context *atom_context;
+ struct card_info *atom_card_info;
+ bool mode_config_initialized;
+- struct amdgpu_crtc *crtcs[6];
+- struct amdgpu_afmt *afmt[7];
++ struct amdgpu_crtc *crtcs[AMDGPU_MAX_CRTCS];
++ struct amdgpu_afmt *afmt[AMDGPU_MAX_AFMT_BLOCKS];
+ /* DVI-I properties */
+ struct drm_property *coherent_mode_property;
+ /* DAC enable load detect */
--- /dev/null
+From 85cc88f02eb0ecf44493c1b2ebb6f206cd5fc321 Mon Sep 17 00:00:00 2001
+From: Rex Zhu <Rex.Zhu@amd.com>
+Date: Tue, 12 Apr 2016 19:25:52 +0800
+Subject: drm/amdgpu: when suspending, if uvd/vce was running. need to cancel delay work.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rex Zhu <Rex.Zhu@amd.com>
+
+commit 85cc88f02eb0ecf44493c1b2ebb6f206cd5fc321 upstream.
+
+fix the issue that when resume back, uvd/vce
+dpm was disabled and uvd/vce's performace
+dropped.
+
+Signed-off-by: Rex Zhu <Rex.Zhu@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c | 2 ++
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c
+@@ -273,6 +273,8 @@ int amdgpu_uvd_resume(struct amdgpu_devi
+ memcpy(adev->uvd.cpu_addr, (adev->uvd.fw->data) + offset,
+ (adev->uvd.fw->size) - offset);
+
++ cancel_delayed_work_sync(&adev->uvd.idle_work);
++
+ size = amdgpu_bo_size(adev->uvd.vcpu_bo);
+ size -= le32_to_cpu(hdr->ucode_size_bytes);
+ ptr = adev->uvd.cpu_addr;
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
+@@ -220,6 +220,7 @@ int amdgpu_vce_suspend(struct amdgpu_dev
+ if (i == AMDGPU_MAX_VCE_HANDLES)
+ return 0;
+
++ cancel_delayed_work_sync(&adev->vce.idle_work);
+ /* TODO: suspending running encoding sessions isn't supported */
+ return -EINVAL;
+ }
--- /dev/null
+From 162f98dea487206d9ab79fc12ed64700667a894d Mon Sep 17 00:00:00 2001
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Thu, 31 Mar 2016 10:53:42 -0700
+Subject: Input: gtco - fix crash on detecting device without endpoints
+
+From: Vladis Dronov <vdronov@redhat.com>
+
+commit 162f98dea487206d9ab79fc12ed64700667a894d upstream.
+
+The gtco driver expects at least one valid endpoint. If given malicious
+descriptors that specify 0 for the number of endpoints, it will crash in
+the probe function. Ensure there is at least one endpoint on the interface
+before using it.
+
+Also let's fix a minor coding style issue.
+
+The full correct report of this issue can be found in the public
+Red Hat Bugzilla:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1283385
+
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/tablet/gtco.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interfa
+ goto err_free_buf;
+ }
+
++ /* Sanity check that a device has an endpoint */
++ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
++ dev_err(&usbinterface->dev,
++ "Invalid number of endpoints\n");
++ error = -EINVAL;
++ goto err_free_urb;
++ }
++
+ /*
+ * The endpoint is always altsetting 0, we know this since we know
+ * this device only has one interrupt endpoint
+@@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interfa
+ * HID report descriptor
+ */
+ if (usb_get_extra_descriptor(usbinterface->cur_altsetting,
+- HID_DEVICE_TYPE, &hid_desc) != 0){
++ HID_DEVICE_TYPE, &hid_desc) != 0) {
+ dev_err(&usbinterface->dev,
+ "Can't retrieve exta USB descriptor to get hid report descriptor length\n");
+ error = -EIO;
--- /dev/null
+From eda5ecc0a6b865561997e177c393f0b0136fe3b7 Mon Sep 17 00:00:00 2001
+From: Stephen Boyd <sboyd@codeaurora.org>
+Date: Sun, 17 Apr 2016 05:21:42 -0700
+Subject: Input: pmic8xxx-pwrkey - fix algorithm for converting trigger delay
+
+From: Stephen Boyd <sboyd@codeaurora.org>
+
+commit eda5ecc0a6b865561997e177c393f0b0136fe3b7 upstream.
+
+The trigger delay algorithm that converts from microseconds to
+the register value looks incorrect. According to most of the PMIC
+documentation, the equation is
+
+ delay (Seconds) = (1 / 1024) * 2 ^ (x + 4)
+
+except for one case where the documentation looks to have a
+formatting issue and the equation looks like
+
+ delay (Seconds) = (1 / 1024) * 2 x + 4
+
+Most likely this driver was written with the improper
+documentation to begin with. According to the downstream sources
+the valid delays are from 2 seconds to 1/64 second, and the
+latter equation just doesn't make sense for that. Let's fix the
+algorithm and the range check to match the documentation and the
+downstream sources.
+
+Reported-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Fixes: 92d57a73e410 ("input: Add support for Qualcomm PMIC8XXX power key")
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Tested-by: John Stultz <john.stultz@linaro.org>
+Acked-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/pmic8xxx-pwrkey.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/input/misc/pmic8xxx-pwrkey.c
++++ b/drivers/input/misc/pmic8xxx-pwrkey.c
+@@ -353,7 +353,8 @@ static int pmic8xxx_pwrkey_probe(struct
+ if (of_property_read_u32(pdev->dev.of_node, "debounce", &kpd_delay))
+ kpd_delay = 15625;
+
+- if (kpd_delay > 62500 || kpd_delay == 0) {
++ /* Valid range of pwr key trigger delay is 1/64 sec to 2 seconds. */
++ if (kpd_delay > USEC_PER_SEC * 2 || kpd_delay < USEC_PER_SEC / 64) {
+ dev_err(&pdev->dev, "invalid power key trigger delay\n");
+ return -EINVAL;
+ }
+@@ -385,8 +386,8 @@ static int pmic8xxx_pwrkey_probe(struct
+ pwr->name = "pmic8xxx_pwrkey";
+ pwr->phys = "pmic8xxx_pwrkey/input0";
+
+- delay = (kpd_delay << 10) / USEC_PER_SEC;
+- delay = 1 + ilog2(delay);
++ delay = (kpd_delay << 6) / USEC_PER_SEC;
++ delay = ilog2(delay);
+
+ err = regmap_read(regmap, PON_CNTL_1, &pon_cntl);
+ if (err < 0) {
--- /dev/null
+From e3156048346c28c695f5cf9db67a8cf88c90f947 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Fri, 8 Apr 2016 15:12:24 +0200
+Subject: iommu/amd: Fix checking of pci dma aliases
+
+From: Joerg Roedel <jroedel@suse.de>
+
+commit e3156048346c28c695f5cf9db67a8cf88c90f947 upstream.
+
+Commit 61289cb ('iommu/amd: Remove old alias handling code')
+removed the old alias handling code from the AMD IOMMU
+driver because this is now handled by the IOMMU core code.
+
+But this also removed the handling of PCI aliases, which is
+not handled by the core code. This caused issues with PCI
+devices that have hidden PCIe-to-PCI bridges that rewrite
+the request-id.
+
+Fix this bug by re-introducing some of the removed functions
+from commit 61289cbaf6c8 and add a alias field
+'struct iommu_dev_data'. This field carrys the return value
+of the get_alias() function and uses that instead of the
+amd_iommu_alias_table[] array in the code.
+
+Fixes: 61289cbaf6c8 ('iommu/amd: Remove old alias handling code')
+Tested-by: Tomasz Golinski <tomaszg@math.uwb.edu.pl>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/amd_iommu.c | 87 ++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 76 insertions(+), 11 deletions(-)
+
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -92,6 +92,7 @@ struct iommu_dev_data {
+ struct list_head dev_data_list; /* For global dev_data_list */
+ struct protection_domain *domain; /* Domain the device is bound to */
+ u16 devid; /* PCI Device ID */
++ u16 alias; /* Alias Device ID */
+ bool iommu_v2; /* Device can make use of IOMMUv2 */
+ bool passthrough; /* Device is identity mapped */
+ struct {
+@@ -166,6 +167,13 @@ static struct protection_domain *to_pdom
+ return container_of(dom, struct protection_domain, domain);
+ }
+
++static inline u16 get_device_id(struct device *dev)
++{
++ struct pci_dev *pdev = to_pci_dev(dev);
++
++ return PCI_DEVID(pdev->bus->number, pdev->devfn);
++}
++
+ static struct iommu_dev_data *alloc_dev_data(u16 devid)
+ {
+ struct iommu_dev_data *dev_data;
+@@ -203,6 +211,68 @@ out_unlock:
+ return dev_data;
+ }
+
++static int __last_alias(struct pci_dev *pdev, u16 alias, void *data)
++{
++ *(u16 *)data = alias;
++ return 0;
++}
++
++static u16 get_alias(struct device *dev)
++{
++ struct pci_dev *pdev = to_pci_dev(dev);
++ u16 devid, ivrs_alias, pci_alias;
++
++ devid = get_device_id(dev);
++ ivrs_alias = amd_iommu_alias_table[devid];
++ pci_for_each_dma_alias(pdev, __last_alias, &pci_alias);
++
++ if (ivrs_alias == pci_alias)
++ return ivrs_alias;
++
++ /*
++ * DMA alias showdown
++ *
++ * The IVRS is fairly reliable in telling us about aliases, but it
++ * can't know about every screwy device. If we don't have an IVRS
++ * reported alias, use the PCI reported alias. In that case we may
++ * still need to initialize the rlookup and dev_table entries if the
++ * alias is to a non-existent device.
++ */
++ if (ivrs_alias == devid) {
++ if (!amd_iommu_rlookup_table[pci_alias]) {
++ amd_iommu_rlookup_table[pci_alias] =
++ amd_iommu_rlookup_table[devid];
++ memcpy(amd_iommu_dev_table[pci_alias].data,
++ amd_iommu_dev_table[devid].data,
++ sizeof(amd_iommu_dev_table[pci_alias].data));
++ }
++
++ return pci_alias;
++ }
++
++ pr_info("AMD-Vi: Using IVRS reported alias %02x:%02x.%d "
++ "for device %s[%04x:%04x], kernel reported alias "
++ "%02x:%02x.%d\n", PCI_BUS_NUM(ivrs_alias), PCI_SLOT(ivrs_alias),
++ PCI_FUNC(ivrs_alias), dev_name(dev), pdev->vendor, pdev->device,
++ PCI_BUS_NUM(pci_alias), PCI_SLOT(pci_alias),
++ PCI_FUNC(pci_alias));
++
++ /*
++ * If we don't have a PCI DMA alias and the IVRS alias is on the same
++ * bus, then the IVRS table may know about a quirk that we don't.
++ */
++ if (pci_alias == devid &&
++ PCI_BUS_NUM(ivrs_alias) == pdev->bus->number) {
++ pdev->dev_flags |= PCI_DEV_FLAGS_DMA_ALIAS_DEVFN;
++ pdev->dma_alias_devfn = ivrs_alias & 0xff;
++ pr_info("AMD-Vi: Added PCI DMA alias %02x.%d for %s\n",
++ PCI_SLOT(ivrs_alias), PCI_FUNC(ivrs_alias),
++ dev_name(dev));
++ }
++
++ return ivrs_alias;
++}
++
+ static struct iommu_dev_data *find_dev_data(u16 devid)
+ {
+ struct iommu_dev_data *dev_data;
+@@ -215,13 +285,6 @@ static struct iommu_dev_data *find_dev_d
+ return dev_data;
+ }
+
+-static inline u16 get_device_id(struct device *dev)
+-{
+- struct pci_dev *pdev = to_pci_dev(dev);
+-
+- return PCI_DEVID(pdev->bus->number, pdev->devfn);
+-}
+-
+ static struct iommu_dev_data *get_dev_data(struct device *dev)
+ {
+ return dev->archdata.iommu;
+@@ -349,6 +412,8 @@ static int iommu_init_device(struct devi
+ if (!dev_data)
+ return -ENOMEM;
+
++ dev_data->alias = get_alias(dev);
++
+ if (pci_iommuv2_capable(pdev)) {
+ struct amd_iommu *iommu;
+
+@@ -369,7 +434,7 @@ static void iommu_ignore_device(struct d
+ u16 devid, alias;
+
+ devid = get_device_id(dev);
+- alias = amd_iommu_alias_table[devid];
++ alias = get_alias(dev);
+
+ memset(&amd_iommu_dev_table[devid], 0, sizeof(struct dev_table_entry));
+ memset(&amd_iommu_dev_table[alias], 0, sizeof(struct dev_table_entry));
+@@ -1061,7 +1126,7 @@ static int device_flush_dte(struct iommu
+ int ret;
+
+ iommu = amd_iommu_rlookup_table[dev_data->devid];
+- alias = amd_iommu_alias_table[dev_data->devid];
++ alias = dev_data->alias;
+
+ ret = iommu_flush_dte(iommu, dev_data->devid);
+ if (!ret && alias != dev_data->devid)
+@@ -2039,7 +2104,7 @@ static void do_attach(struct iommu_dev_d
+ bool ats;
+
+ iommu = amd_iommu_rlookup_table[dev_data->devid];
+- alias = amd_iommu_alias_table[dev_data->devid];
++ alias = dev_data->alias;
+ ats = dev_data->ats.enabled;
+
+ /* Update data structures */
+@@ -2073,7 +2138,7 @@ static void do_detach(struct iommu_dev_d
+ return;
+
+ iommu = amd_iommu_rlookup_table[dev_data->devid];
+- alias = amd_iommu_alias_table[dev_data->devid];
++ alias = dev_data->alias;
+
+ /* decrease reference counters */
+ dev_data->domain->dev_iommu[iommu->index] -= 1;
--- /dev/null
+From 07b48ac4bbe527e68cfc555f2b2b206908437141 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Thu, 10 Mar 2016 19:28:12 +0000
+Subject: iommu/dma: Restore scatterlist offsets correctly
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit 07b48ac4bbe527e68cfc555f2b2b206908437141 upstream.
+
+With the change to stashing just the IOVA-page-aligned remainder of the
+CPU-page offset rather than the whole thing, the failure path in
+__invalidate_sg() also needs tweaking to account for that in the case of
+differing page sizes where the two offsets may not be equivalent.
+Similarly in __finalise_sg(), lest the architecture-specific wrappers
+later get the wrong address for cache maintenance on sync or unmap.
+
+Fixes: 164afb1d85b8 ("iommu/dma: Use correct offset in map_sg")
+Reported-by: Magnus Damm <damm+renesas@opensource.se>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/dma-iommu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iommu/dma-iommu.c
++++ b/drivers/iommu/dma-iommu.c
+@@ -403,7 +403,7 @@ static int __finalise_sg(struct device *
+ unsigned int s_length = sg_dma_len(s);
+ unsigned int s_dma_len = s->length;
+
+- s->offset = s_offset;
++ s->offset += s_offset;
+ s->length = s_length;
+ sg_dma_address(s) = dma_addr + s_offset;
+ dma_addr += s_dma_len;
+@@ -422,7 +422,7 @@ static void __invalidate_sg(struct scatt
+
+ for_each_sg(sg, s, nents, i) {
+ if (sg_dma_address(s) != DMA_ERROR_CODE)
+- s->offset = sg_dma_address(s);
++ s->offset += sg_dma_address(s);
+ if (sg_dma_len(s))
+ s->length = sg_dma_len(s);
+ sg_dma_address(s) = DMA_ERROR_CODE;
--- /dev/null
+From 7fdf9663261cc77a516396fec82cee8a8ea07e76 Mon Sep 17 00:00:00 2001
+From: Matti Gottlieb <matti.gottlieb@intel.com>
+Date: Tue, 15 Mar 2016 13:46:47 +0200
+Subject: iwlwifi: mvm: fix memory leak in paging
+
+From: Matti Gottlieb <matti.gottlieb@intel.com>
+
+commit 7fdf9663261cc77a516396fec82cee8a8ea07e76 upstream.
+
+Currently paging download buffer is freed during the
+the unloading of the opmode which happens when the driver
+is unloaded.
+
+This causes a memory leak since the paging download
+buffer is allocated every time we enable the
+interface, so the download buffer can be allocated many
+times, but only be freed once.
+
+Free paging download buffer during disabling of the
+interface.
+
+Signed-off-by: Matti Gottlieb <matti.gottlieb@intel.com>
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 2 ++
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 2 --
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -1143,6 +1143,8 @@ void __iwl_mvm_mac_stop(struct iwl_mvm *
+ /* the fw is stopped, the aux sta is dead: clean up driver state */
+ iwl_mvm_del_aux_sta(mvm);
+
++ iwl_free_fw_paging(mvm);
++
+ /*
+ * Clear IN_HW_RESTART flag when stopping the hw (as restart_complete()
+ * won't be called in this case).
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -684,8 +684,6 @@ static void iwl_op_mode_mvm_stop(struct
+ for (i = 0; i < NVM_MAX_NUM_SECTIONS; i++)
+ kfree(mvm->nvm_sections[i].data);
+
+- iwl_free_fw_paging(mvm);
+-
+ iwl_mvm_tof_clean(mvm);
+
+ ieee80211_free_hw(mvm->hw);
--- /dev/null
+From 9fc515bc9e735c10cd327f05c20f5ef69474188d Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Thu, 10 Mar 2016 13:07:17 +0200
+Subject: iwlwifi: pcie: lower the debug level for RSA semaphore access
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 9fc515bc9e735c10cd327f05c20f5ef69474188d upstream.
+
+IWL_INFO is not an error but still printed by default.
+"can't access the RSA semaphore it is write protected" seems
+worrisome but it is not really a problem.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -731,8 +731,8 @@ static int iwl_pcie_rsa_race_bug_wa(stru
+ */
+ val = iwl_read_prph(trans, PREG_AUX_BUS_WPROT_0);
+ if (val & (BIT(1) | BIT(17))) {
+- IWL_INFO(trans,
+- "can't access the RSA semaphore it is write protected\n");
++ IWL_DEBUG_INFO(trans,
++ "can't access the RSA semaphore it is write protected\n");
+ return 0;
+ }
+
--- /dev/null
+From e27260203912b40751fa353d009eaa5a642c739f Mon Sep 17 00:00:00 2001
+From: Dmitry Ivanov <dmitrijs.ivanovs@ubnt.com>
+Date: Thu, 7 Apr 2016 09:31:38 +0200
+Subject: netlink: don't send NETLINK_URELEASE for unbound sockets
+
+From: Dmitry Ivanov <dmitrijs.ivanovs@ubnt.com>
+
+commit e27260203912b40751fa353d009eaa5a642c739f upstream.
+
+All existing users of NETLINK_URELEASE use it to clean up resources that
+were previously allocated to a socket via some command. As a result, no
+users require getting this notification for unbound sockets.
+
+Sending it for unbound sockets, however, is a problem because any user
+(including unprivileged users) can create a socket that uses the same ID
+as an existing socket. Binding this new socket will fail, but if the
+NETLINK_URELEASE notification is generated for such sockets, the users
+thereof will be tricked into thinking the socket that they allocated the
+resources for is closed.
+
+In the nl80211 case, this will cause destruction of virtual interfaces
+that still belong to an existing hostapd process; this is the case that
+Dmitry noticed. In the NFC case, it will cause a poll abort. In the case
+of netlink log/queue it will cause them to stop reporting events, as if
+NFULNL_CFG_CMD_UNBIND/NFQNL_CFG_CMD_UNBIND had been called.
+
+Fix this problem by checking that the socket is bound before generating
+the NETLINK_URELEASE notification.
+
+Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netlink/af_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1305,7 +1305,7 @@ static int netlink_release(struct socket
+
+ skb_queue_purge(&sk->sk_write_queue);
+
+- if (nlk->portid) {
++ if (nlk->portid && nlk->bound) {
+ struct netlink_notify n = {
+ .net = sock_net(sk),
+ .protocol = sk->sk_protocol,
--- /dev/null
+From 8f815cdde3e550e10c2736990d791f60c2ce43eb Mon Sep 17 00:00:00 2001
+From: Dmitry Ivanov <dmitrijs.ivanovs@ubnt.com>
+Date: Wed, 6 Apr 2016 17:23:18 +0300
+Subject: nl80211: check netlink protocol in socket release notification
+
+From: Dmitry Ivanov <dmitrijs.ivanovs@ubnt.com>
+
+commit 8f815cdde3e550e10c2736990d791f60c2ce43eb upstream.
+
+A non-privileged user can create a netlink socket with the same port_id as
+used by an existing open nl80211 netlink socket (e.g. as used by a hostapd
+process) with a different protocol number.
+
+Closing this socket will then lead to the notification going to nl80211's
+socket release notification handler, and possibly cause an action such as
+removing a virtual interface.
+
+Fix this issue by checking that the netlink protocol is NETLINK_GENERIC.
+Since generic netlink has no notifier chain of its own, we can't fix the
+problem more generically.
+
+Fixes: 026331c4d9b5 ("cfg80211/mac80211: allow registering for and sending action frames")
+Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
+[rewrite commit message]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -13201,7 +13201,7 @@ static int nl80211_netlink_notify(struct
+ struct wireless_dev *wdev;
+ struct cfg80211_beacon_registration *reg, *tmp;
+
+- if (state != NETLINK_URELEASE)
++ if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
+ return NOTIFY_DONE;
+
+ rcu_read_lock();
--- /dev/null
+From 5fedbb923936174ab4d1d5cc92bca1cf6b2e0ca2 Mon Sep 17 00:00:00 2001
+From: Yingjoe Chen <yingjoe.chen@mediatek.com>
+Date: Sat, 2 Apr 2016 14:57:49 +0800
+Subject: pinctrl: mediatek: correct debounce time unit in mtk_gpio_set_debounce
+
+From: Yingjoe Chen <yingjoe.chen@mediatek.com>
+
+commit 5fedbb923936174ab4d1d5cc92bca1cf6b2e0ca2 upstream.
+
+The debounce time unit for gpio_chip.set_debounce is us but
+mtk_gpio_set_debounce regard it as ms.
+Fix this by correct debounce time array dbnc_arr so it can find correct
+debounce setting. Debounce time for first debounce setting is 500us,
+correct this as well.
+
+While I'm at it, also change the debounce time array name to
+"debounce_time" for readability.
+
+Signed-off-by: Yingjoe Chen <yingjoe.chen@mediatek.com>
+Reviewed-by: Daniel Kurtz <djkurtz@chromium.org>
+Acked-by: Hongzhou Yang <hongzhou.yang@mediatek.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/mediatek/pinctrl-mtk-common.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/pinctrl/mediatek/pinctrl-mtk-common.c
++++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common.c
+@@ -949,7 +949,8 @@ static int mtk_gpio_set_debounce(struct
+ struct mtk_pinctrl *pctl = dev_get_drvdata(chip->parent);
+ int eint_num, virq, eint_offset;
+ unsigned int set_offset, bit, clr_bit, clr_offset, rst, i, unmask, dbnc;
+- static const unsigned int dbnc_arr[] = {0 , 1, 16, 32, 64, 128, 256};
++ static const unsigned int debounce_time[] = {500, 1000, 16000, 32000, 64000,
++ 128000, 256000};
+ const struct mtk_desc_pin *pin;
+ struct irq_data *d;
+
+@@ -967,9 +968,9 @@ static int mtk_gpio_set_debounce(struct
+ if (!mtk_eint_can_en_debounce(pctl, eint_num))
+ return -ENOSYS;
+
+- dbnc = ARRAY_SIZE(dbnc_arr);
+- for (i = 0; i < ARRAY_SIZE(dbnc_arr); i++) {
+- if (debounce <= dbnc_arr[i]) {
++ dbnc = ARRAY_SIZE(debounce_time);
++ for (i = 0; i < ARRAY_SIZE(debounce_time); i++) {
++ if (debounce <= debounce_time[i]) {
+ dbnc = i;
+ break;
+ }
--- /dev/null
+From 56b367c0cd67d4c3006738e7dc9dda9273fd2bfe Mon Sep 17 00:00:00 2001
+From: Keerthy <j-keerthy@ti.com>
+Date: Thu, 14 Apr 2016 10:29:16 +0530
+Subject: pinctrl: single: Fix pcs_parse_bits_in_pinctrl_entry to use __ffs than ffs
+
+From: Keerthy <j-keerthy@ti.com>
+
+commit 56b367c0cd67d4c3006738e7dc9dda9273fd2bfe upstream.
+
+pcs_parse_bits_in_pinctrl_entry uses ffs which gives bit indices
+ranging from 1 to MAX. This leads to a corner case where we try to request
+the pin number = MAX and fails.
+
+bit_pos value is being calculted using ffs. pin_num_from_lsb uses
+bit_pos value. pins array is populated with:
+
+pin + pin_num_from_lsb.
+
+The above is 1 more than usual bit indices as bit_pos uses ffs to compute
+first set bit. Hence the last of the pins array is populated with the MAX
+value and not MAX - 1 which causes error when we call pin_request.
+
+mask_pos is rightly calculated as ((pcs->fmask) << (bit_pos - 1))
+Consequently val_pos and submask are correct.
+
+Hence use __ffs which gives (ffs(x) - 1) as the first bit set.
+
+fixes: 4e7e8017a8 ("pinctrl: pinctrl-single: enhance to configure multiple pins of different modules")
+Signed-off-by: Keerthy <j-keerthy@ti.com>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/pinctrl-single.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-single.c
++++ b/drivers/pinctrl/pinctrl-single.c
+@@ -1273,9 +1273,9 @@ static int pcs_parse_bits_in_pinctrl_ent
+
+ /* Parse pins in each row from LSB */
+ while (mask) {
+- bit_pos = ffs(mask);
++ bit_pos = __ffs(mask);
+ pin_num_from_lsb = bit_pos / pcs->bits_per_pin;
+- mask_pos = ((pcs->fmask) << (bit_pos - 1));
++ mask_pos = ((pcs->fmask) << bit_pos);
+ val_pos = val & mask_pos;
+ submask = mask & mask_pos;
+
+@@ -1844,7 +1844,7 @@ static int pcs_probe(struct platform_dev
+ ret = of_property_read_u32(np, "pinctrl-single,function-mask",
+ &pcs->fmask);
+ if (!ret) {
+- pcs->fshift = ffs(pcs->fmask) - 1;
++ pcs->fshift = __ffs(pcs->fmask);
+ pcs->fmax = pcs->fmask >> pcs->fshift;
+ } else {
+ /* If mask property doesn't exist, function mux is invalid. */
--- /dev/null
+From 6997e57d693b07289694239e52a10d2f02c3a46f Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Fri, 15 Apr 2016 12:06:13 +1000
+Subject: powerpc: scan_features() updates incorrect bits for REAL_LE
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 6997e57d693b07289694239e52a10d2f02c3a46f upstream.
+
+The REAL_LE feature entry in the ibm_pa_feature struct is missing an MMU
+feature value, meaning all the remaining elements initialise the wrong
+values.
+
+This means instead of checking for byte 5, bit 0, we check for byte 0,
+bit 0, and then we incorrectly set the CPU feature bit as well as MMU
+feature bit 1 and CPU user feature bits 0 and 2 (5).
+
+Checking byte 0 bit 0 (IBM numbering), means we're looking at the
+"Memory Management Unit (MMU)" feature - ie. does the CPU have an MMU.
+In practice that bit is set on all platforms which have the property.
+
+This means we set CPU_FTR_REAL_LE always. In practice that seems not to
+matter because all the modern cpus which have this property also
+implement REAL_LE, and we've never needed to disable it.
+
+We're also incorrectly setting MMU feature bit 1, which is:
+
+ #define MMU_FTR_TYPE_8xx 0x00000002
+
+Luckily the only place that looks for MMU_FTR_TYPE_8xx is in Book3E
+code, which can't run on the same cpus as scan_features(). So this also
+doesn't matter in practice.
+
+Finally in the CPU user feature mask, we're setting bits 0 and 2. Bit 2
+is not currently used, and bit 0 is:
+
+ #define PPC_FEATURE_PPC_LE 0x00000001
+
+Which says the CPU supports the old style "PPC Little Endian" mode.
+Again this should be harmless in practice as no 64-bit CPUs implement
+that mode.
+
+Fix the code by adding the missing initialisation of the MMU feature.
+
+Also add a comment marking CPU user feature bit 2 (0x4) as reserved. It
+would be unsafe to start using it as old kernels incorrectly set it.
+
+Fixes: 44ae3ab3358e ("powerpc: Free up some CPU feature bits by moving out MMU-related features")
+Signed-off-by: Anton Blanchard <anton@samba.org>
+[mpe: Flesh out changelog, add comment reserving 0x4]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/uapi/asm/cputable.h | 1 +
+ arch/powerpc/kernel/prom.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/uapi/asm/cputable.h
++++ b/arch/powerpc/include/uapi/asm/cputable.h
+@@ -31,6 +31,7 @@
+ #define PPC_FEATURE_PSERIES_PERFMON_COMPAT \
+ 0x00000040
+
++/* Reserved - do not use 0x00000004 */
+ #define PPC_FEATURE_TRUE_LE 0x00000002
+ #define PPC_FEATURE_PPC_LE 0x00000001
+
+--- a/arch/powerpc/kernel/prom.c
++++ b/arch/powerpc/kernel/prom.c
+@@ -158,7 +158,7 @@ static struct ibm_pa_feature {
+ {CPU_FTR_NOEXECUTE, 0, 0, 0, 6, 0},
+ {CPU_FTR_NODSISRALIGN, 0, 0, 1, 1, 1},
+ {0, MMU_FTR_CI_LARGE_PAGE, 0, 1, 2, 0},
+- {CPU_FTR_REAL_LE, PPC_FEATURE_TRUE_LE, 5, 0, 0},
++ {CPU_FTR_REAL_LE, 0, PPC_FEATURE_TRUE_LE, 5, 0, 0},
+ /*
+ * If the kernel doesn't support TM (ie. CONFIG_PPC_TRANSACTIONAL_MEM=n),
+ * we don't want to turn on CPU_FTR_TM here, so we use CPU_FTR_TM_COMP
--- /dev/null
+From beff82374b259d726e2625ec6c518a5f2613f0ae Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Fri, 15 Apr 2016 12:07:24 +1000
+Subject: powerpc: Update cpu_user_features2 in scan_features()
+
+From: Anton Blanchard <anton@samba.org>
+
+commit beff82374b259d726e2625ec6c518a5f2613f0ae upstream.
+
+scan_features() updates cpu_user_features but not cpu_user_features2.
+
+Amongst other things, cpu_user_features2 contains the user TM feature
+bits which we must keep in sync with the kernel TM feature bit.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/prom.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/arch/powerpc/kernel/prom.c
++++ b/arch/powerpc/kernel/prom.c
+@@ -148,23 +148,24 @@ static struct ibm_pa_feature {
+ unsigned long cpu_features; /* CPU_FTR_xxx bit */
+ unsigned long mmu_features; /* MMU_FTR_xxx bit */
+ unsigned int cpu_user_ftrs; /* PPC_FEATURE_xxx bit */
++ unsigned int cpu_user_ftrs2; /* PPC_FEATURE2_xxx bit */
+ unsigned char pabyte; /* byte number in ibm,pa-features */
+ unsigned char pabit; /* bit number (big-endian) */
+ unsigned char invert; /* if 1, pa bit set => clear feature */
+ } ibm_pa_features[] __initdata = {
+- {0, 0, PPC_FEATURE_HAS_MMU, 0, 0, 0},
+- {0, 0, PPC_FEATURE_HAS_FPU, 0, 1, 0},
+- {CPU_FTR_CTRL, 0, 0, 0, 3, 0},
+- {CPU_FTR_NOEXECUTE, 0, 0, 0, 6, 0},
+- {CPU_FTR_NODSISRALIGN, 0, 0, 1, 1, 1},
+- {0, MMU_FTR_CI_LARGE_PAGE, 0, 1, 2, 0},
+- {CPU_FTR_REAL_LE, 0, PPC_FEATURE_TRUE_LE, 5, 0, 0},
++ {0, 0, PPC_FEATURE_HAS_MMU, 0, 0, 0, 0},
++ {0, 0, PPC_FEATURE_HAS_FPU, 0, 0, 1, 0},
++ {CPU_FTR_CTRL, 0, 0, 0, 0, 3, 0},
++ {CPU_FTR_NOEXECUTE, 0, 0, 0, 0, 6, 0},
++ {CPU_FTR_NODSISRALIGN, 0, 0, 0, 1, 1, 1},
++ {0, MMU_FTR_CI_LARGE_PAGE, 0, 0, 1, 2, 0},
++ {CPU_FTR_REAL_LE, 0, PPC_FEATURE_TRUE_LE, 0, 5, 0, 0},
+ /*
+ * If the kernel doesn't support TM (ie. CONFIG_PPC_TRANSACTIONAL_MEM=n),
+ * we don't want to turn on CPU_FTR_TM here, so we use CPU_FTR_TM_COMP
+ * which is 0 if the kernel doesn't support TM.
+ */
+- {CPU_FTR_TM_COMP, 0, 0, 22, 0, 0},
++ {CPU_FTR_TM_COMP, 0, 0, 0, 22, 0, 0},
+ };
+
+ static void __init scan_features(unsigned long node, const unsigned char *ftrs,
+@@ -195,10 +196,12 @@ static void __init scan_features(unsigne
+ if (bit ^ fp->invert) {
+ cur_cpu_spec->cpu_features |= fp->cpu_features;
+ cur_cpu_spec->cpu_user_features |= fp->cpu_user_ftrs;
++ cur_cpu_spec->cpu_user_features2 |= fp->cpu_user_ftrs2;
+ cur_cpu_spec->mmu_features |= fp->mmu_features;
+ } else {
+ cur_cpu_spec->cpu_features &= ~fp->cpu_features;
+ cur_cpu_spec->cpu_user_features &= ~fp->cpu_user_ftrs;
++ cur_cpu_spec->cpu_user_features2 &= ~fp->cpu_user_ftrs2;
+ cur_cpu_spec->mmu_features &= ~fp->mmu_features;
+ }
+ }
--- /dev/null
+From 4705e02498d6d5a7ab98dfee9595cd5e91db2017 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Fri, 15 Apr 2016 12:08:19 +1000
+Subject: powerpc: Update TM user feature bits in scan_features()
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 4705e02498d6d5a7ab98dfee9595cd5e91db2017 upstream.
+
+We need to update the user TM feature bits (PPC_FEATURE2_HTM and
+PPC_FEATURE2_HTM) to mirror what we do with the kernel TM feature
+bit.
+
+At the moment, if firmware reports TM is not available we turn off
+the kernel TM feature bit but leave the userspace ones on. Userspace
+thinks it can execute TM instructions and it dies trying.
+
+This (together with a QEMU patch) fixes PR KVM, which doesn't currently
+support TM.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/prom.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/arch/powerpc/kernel/prom.c
++++ b/arch/powerpc/kernel/prom.c
+@@ -161,11 +161,12 @@ static struct ibm_pa_feature {
+ {0, MMU_FTR_CI_LARGE_PAGE, 0, 0, 1, 2, 0},
+ {CPU_FTR_REAL_LE, 0, PPC_FEATURE_TRUE_LE, 0, 5, 0, 0},
+ /*
+- * If the kernel doesn't support TM (ie. CONFIG_PPC_TRANSACTIONAL_MEM=n),
+- * we don't want to turn on CPU_FTR_TM here, so we use CPU_FTR_TM_COMP
+- * which is 0 if the kernel doesn't support TM.
++ * If the kernel doesn't support TM (ie CONFIG_PPC_TRANSACTIONAL_MEM=n),
++ * we don't want to turn on TM here, so we use the *_COMP versions
++ * which are 0 if the kernel doesn't support TM.
+ */
+- {CPU_FTR_TM_COMP, 0, 0, 0, 22, 0, 0},
++ {CPU_FTR_TM_COMP, 0, 0,
++ PPC_FEATURE2_HTM_COMP|PPC_FEATURE2_HTM_NOSC_COMP, 22, 0, 0},
+ };
+
+ static void __init scan_features(unsigned long node, const unsigned char *ftrs,
--- /dev/null
+From 9d89d9e61d361f3adb75e1aebe4bb367faf16cfa Mon Sep 17 00:00:00 2001
+From: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Date: Thu, 31 Mar 2016 11:48:31 +0200
+Subject: s390/pci: add extra padding to function measurement block
+
+From: Sebastian Ott <sebott@linux.vnet.ibm.com>
+
+commit 9d89d9e61d361f3adb75e1aebe4bb367faf16cfa upstream.
+
+Newer machines might use a different (larger) format for function
+measurement blocks. To ensure that we comply with the alignment
+requirement on these machines and prevent memory corruption (when
+firmware writes more data than we expect) add 16 padding bytes
+at the end of the fmb.
+
+Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/include/asm/pci.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/include/asm/pci.h
++++ b/arch/s390/include/asm/pci.h
+@@ -45,7 +45,8 @@ struct zpci_fmb {
+ u64 rpcit_ops;
+ u64 dma_rbytes;
+ u64 dma_wbytes;
+-} __packed __aligned(64);
++ u64 pad[2];
++} __packed __aligned(128);
+
+ enum zpci_state {
+ ZPCI_FN_STATE_RESERVED,
usbvision-revert-commit-588afcc1.patch
revert-drm-amdgpu-disable-runtime-pm-on-px-laptops-without-dgpu-power-control.patch
cpufreq-intel_pstate-fix-processing-for-turbo-activation-ratio.patch
+s390-pci-add-extra-padding-to-function-measurement-block.patch
+iwlwifi-pcie-lower-the-debug-level-for-rsa-semaphore-access.patch
+iwlwifi-mvm-fix-memory-leak-in-paging.patch
+crypto-rsa-pkcs1pad-fix-dst-len.patch
+crypto-ccp-prevent-information-leakage-on-export.patch
+crypto-sha1-mb-use-corrcet-pointer-while-completing-jobs.patch
+crypto-talitos-fix-crash-in-talitos_cra_init.patch
+crypto-talitos-fix-aead-tcrypt-tests.patch
+powerpc-scan_features-updates-incorrect-bits-for-real_le.patch
+powerpc-update-cpu_user_features2-in-scan_features.patch
+powerpc-update-tm-user-feature-bits-in-scan_features.patch
+nl80211-check-netlink-protocol-in-socket-release-notification.patch
+netlink-don-t-send-netlink_urelease-for-unbound-sockets.patch
+input-gtco-fix-crash-on-detecting-device-without-endpoints.patch
+input-pmic8xxx-pwrkey-fix-algorithm-for-converting-trigger-delay.patch
+xen-kconfig-don-t-select-input_xen_kbddev_frontend.patch
+pinctrl-mediatek-correct-debounce-time-unit-in-mtk_gpio_set_debounce.patch
+pinctrl-single-fix-pcs_parse_bits_in_pinctrl_entry-to-use-__ffs-than-ffs.patch
+iommu-amd-fix-checking-of-pci-dma-aliases.patch
+iommu-dma-restore-scatterlist-offsets-correctly.patch
+drm-amdgpu-when-suspending-if-uvd-vce-was-running.-need-to-cancel-delay-work.patch
+drm-amdgpu-use-defines-for-crtcs-and-amft-blocks.patch
+drm-amdgpu-bump-the-afmt-limit-for-cz-st-polaris.patch
+amdgpu-uvd-add-uvd-fw-version-for-amdgpu.patch
--- /dev/null
+From 13aa38e291bdd4e4018f40dd2f75e464814dcbf3 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 16 Feb 2016 16:03:23 +0100
+Subject: xen kconfig: don't "select INPUT_XEN_KBDDEV_FRONTEND"
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 13aa38e291bdd4e4018f40dd2f75e464814dcbf3 upstream.
+
+The Xen framebuffer driver selects the xen keyboard driver, so the latter
+will be built-in if XEN_FBDEV_FRONTEND=y. However, when CONFIG_INPUT
+is a loadable module, this configuration cannot work. On mainline kernels,
+the symbol will be enabled but not used, while in combination with
+a patch I have to detect such useless configurations, we get the
+expected link failure:
+
+drivers/input/built-in.o: In function `xenkbd_remove':
+xen-kbdfront.c:(.text+0x2f0): undefined reference to `input_unregister_device'
+xen-kbdfront.c:(.text+0x30e): undefined reference to `input_unregister_device'
+
+This removes the extra "select", as it just causes more trouble than
+it helps. In theory, some defconfig file might break if it has
+XEN_FBDEV_FRONTEND in it but not INPUT_XEN_KBDDEV_FRONTEND. The Kconfig
+fragment we ship in the kernel (kernel/configs/xen.config) however
+already enables both, and anyone using an old .config file would
+keep having both enabled.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Suggested-by: David Vrabel <david.vrabel@citrix.com>
+Fixes: 36c1132e34bd ("xen kconfig: fix select INPUT_XEN_KBDDEV_FRONTEND")
+Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/video/fbdev/Kconfig
++++ b/drivers/video/fbdev/Kconfig
+@@ -2246,7 +2246,6 @@ config XEN_FBDEV_FRONTEND
+ select FB_SYS_IMAGEBLIT
+ select FB_SYS_FOPS
+ select FB_DEFERRED_IO
+- select INPUT_XEN_KBDDEV_FRONTEND if INPUT_MISC
+ select XEN_XENBUS_FRONTEND
+ default y
+ help
projects / thirdparty / kernel / stable-queue.git / commitdiff
