4.7-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 14 Oct 2016 09:58:54 +0000 (11:58 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 14 Oct 2016 09:58:54 +0000 (11:58 +0200)
added patches:
alsa-ali5451-fix-out-of-bound-position-reporting.patch
alsa-usb-audio-extend-dragonfly-db-scale-quirk-to-cover-other-variants.patch
alsa-usb-line6-use-the-same-declaration-as-definition-in-header-for-midi-manufacturer-id.patch
arch-x86-handle-non-enumerated-cpu-after-physical-hotplug.patch
arm-cpuidle-fix-error-return-code.patch
arm-dts-msm8064-remove-flags-from-spmi-mpp-irqs.patch
arm-dts-mvebu-armada-390-add-missing-compatibility-string-and-bracket.patch
arm64-fix-dump_backtrace-unwind_frame-with-null-tsk.patch
kvm-arm-arm64-vgic-don-t-flush-sync-without-a-working-vgic.patch
kvm-arm64-require-in-kernel-irqchip-for-pmu-support.patch
kvm-mips-drop-other-cpu-asids-on-guest-mmu-changes.patch
kvm-ppc-book3s-pr-allow-access-to-unprivileged-mmcr2-register.patch
kvm-ppc-booke-fix-a-sanity-check.patch
mfd-88pm80x-double-shifting-bug-in-suspend-resume.patch
mfd-atmel-hlcdc-do-not-sleep-in-atomic-context.patch
mfd-rtsx_usb-avoid-setting-ucr-current_sg.status.patch
mfd-wm8350-i2c-make-sure-the-i2c-regmap-functions-are-compiled.patch
usb-dwc3-fix-clear-stall-ep-command-failure.patch
x86-apic-get-rid-of-apic_version-array.patch
x86-boot-fix-kdump-cleanup-aborted-e820_pram-max_pfn-manipulation.patch
x86-dumpstack-fix-x86_32-kernel_stack_pointer-previous-stack-access.patch
x86-irq-prevent-force-migration-of-irqs-which-are-not-in-the-vector-domain.patch
x86-mm-pkeys-do-not-skip-pkru-register-if-debug-registers-are-not-used.patch
x86-pkeys-make-protection-keys-an-eager-feature.patch
xen-x86-update-topology-map-for-pv-vcpus.patch

26 files changed:
queue-4.7/alsa-ali5451-fix-out-of-bound-position-reporting.patch [new file with mode: 0644]
queue-4.7/alsa-usb-audio-extend-dragonfly-db-scale-quirk-to-cover-other-variants.patch [new file with mode: 0644]
queue-4.7/alsa-usb-line6-use-the-same-declaration-as-definition-in-header-for-midi-manufacturer-id.patch [new file with mode: 0644]
queue-4.7/arch-x86-handle-non-enumerated-cpu-after-physical-hotplug.patch [new file with mode: 0644]
queue-4.7/arm-cpuidle-fix-error-return-code.patch [new file with mode: 0644]
queue-4.7/arm-dts-msm8064-remove-flags-from-spmi-mpp-irqs.patch [new file with mode: 0644]
queue-4.7/arm-dts-mvebu-armada-390-add-missing-compatibility-string-and-bracket.patch [new file with mode: 0644]
queue-4.7/arm64-fix-dump_backtrace-unwind_frame-with-null-tsk.patch [new file with mode: 0644]
queue-4.7/kvm-arm-arm64-vgic-don-t-flush-sync-without-a-working-vgic.patch [new file with mode: 0644]
queue-4.7/kvm-arm64-require-in-kernel-irqchip-for-pmu-support.patch [new file with mode: 0644]
queue-4.7/kvm-mips-drop-other-cpu-asids-on-guest-mmu-changes.patch [new file with mode: 0644]
queue-4.7/kvm-ppc-book3s-pr-allow-access-to-unprivileged-mmcr2-register.patch [new file with mode: 0644]
queue-4.7/kvm-ppc-booke-fix-a-sanity-check.patch [new file with mode: 0644]
queue-4.7/mfd-88pm80x-double-shifting-bug-in-suspend-resume.patch [new file with mode: 0644]
queue-4.7/mfd-atmel-hlcdc-do-not-sleep-in-atomic-context.patch [new file with mode: 0644]
queue-4.7/mfd-rtsx_usb-avoid-setting-ucr-current_sg.status.patch [new file with mode: 0644]
queue-4.7/mfd-wm8350-i2c-make-sure-the-i2c-regmap-functions-are-compiled.patch [new file with mode: 0644]
queue-4.7/series
queue-4.7/usb-dwc3-fix-clear-stall-ep-command-failure.patch [new file with mode: 0644]
queue-4.7/x86-apic-get-rid-of-apic_version-array.patch [new file with mode: 0644]
queue-4.7/x86-boot-fix-kdump-cleanup-aborted-e820_pram-max_pfn-manipulation.patch [new file with mode: 0644]
queue-4.7/x86-dumpstack-fix-x86_32-kernel_stack_pointer-previous-stack-access.patch [new file with mode: 0644]
queue-4.7/x86-irq-prevent-force-migration-of-irqs-which-are-not-in-the-vector-domain.patch [new file with mode: 0644]
queue-4.7/x86-mm-pkeys-do-not-skip-pkru-register-if-debug-registers-are-not-used.patch [new file with mode: 0644]
queue-4.7/x86-pkeys-make-protection-keys-an-eager-feature.patch [new file with mode: 0644]
queue-4.7/xen-x86-update-topology-map-for-pv-vcpus.patch [new file with mode: 0644]

diff --git a/queue-4.7/alsa-ali5451-fix-out-of-bound-position-reporting.patch b/queue-4.7/alsa-ali5451-fix-out-of-bound-position-reporting.patch
new file mode 100644 (file)
index 0000000..e518b5b
--- /dev/null
@@ -0,0 +1,43 @@
+From db68577966abc1aeae4ec597b3dcfa0d56e92041 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 21 Sep 2016 14:38:02 +0200
+Subject: ALSA: ali5451: Fix out-of-bound position reporting
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit db68577966abc1aeae4ec597b3dcfa0d56e92041 upstream.
+
+The pointer callbacks of ali5451 driver may return the value at the
+boundary occasionally, and it results in the kernel warning like
+  snd_ali5451 0000:00:06.0: BUG: , pos = 16384, buffer size = 16384, period size = 1024
+
+It seems that folding the position offset is enough for fixing the
+warning and no ill-effect has been seen by that.
+
+Reported-by: Enrico Mioso <mrkiko.rs@gmail.com>
+Tested-by: Enrico Mioso <mrkiko.rs@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/ali5451/ali5451.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/ali5451/ali5451.c
++++ b/sound/pci/ali5451/ali5451.c
+@@ -1408,6 +1408,7 @@ snd_ali_playback_pointer(struct snd_pcm_
+       spin_unlock(&codec->reg_lock);
+       dev_dbg(codec->card->dev, "playback pointer returned cso=%xh.\n", cso);
++      cso %= runtime->buffer_size;
+       return cso;
+ }
+@@ -1428,6 +1429,7 @@ static snd_pcm_uframes_t snd_ali_pointer
+       cso = inw(ALI_REG(codec, ALI_CSO_ALPHA_FMS + 2));
+       spin_unlock(&codec->reg_lock);
++      cso %= runtime->buffer_size;
+       return cso;
+ }
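Review bot: Neither added `cso %= runtime->buffer_size;` line says why the fold is needed, and the commit message itself only says folding "seems" to be enough. A short comment above each, for example `/* hw can report cso == buffer_size at the wrap point; fold it back into range */`, would stop a later cleanup from dropping the line and bringing back the out-of-range position. The modulo also assumes buffer_size is non-zero whenever the pointer callback runs; that is presumably guaranteed once hw_params has been set, but it cannot be confirmed here because both function bodies start outside the hunks.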
diff --git a/queue-4.7/alsa-usb-audio-extend-dragonfly-db-scale-quirk-to-cover-other-variants.patch b/queue-4.7/alsa-usb-audio-extend-dragonfly-db-scale-quirk-to-cover-other-variants.patch
new file mode 100644 (file)
index 0000000..f0d2bed
--- /dev/null
@@ -0,0 +1,81 @@
+From eb1a74b7bea17eea31915c4f76385cefe69d9795 Mon Sep 17 00:00:00 2001
+From: Anssi Hannula <anssi.hannula@iki.fi>
+Date: Fri, 23 Sep 2016 06:43:47 +0300
+Subject: ALSA: usb-audio: Extend DragonFly dB scale quirk to cover other variants
+
+From: Anssi Hannula <anssi.hannula@iki.fi>
+
+commit eb1a74b7bea17eea31915c4f76385cefe69d9795 upstream.
+
+The DragonFly quirk added in 42e3121d90f4 ("ALSA: usb-audio: Add a more
+accurate volume quirk for AudioQuest DragonFly") applies a custom dB map
+on the volume control when its range is reported as 0..50 (0 .. 0.2dB).
+
+However, there exists at least one other variant (hw v1.0c, as opposed
+to the tested v1.2) which reports a different non-sensical volume range
+(0..53) and the custom map is therefore not applied for that device.
+
+This results in all of the volume change appearing close to 100% on
+mixer UIs that utilize the dB TLV information.
+
+Add a fallback case where no dB TLV is reported at all if the control
+range is not 0..50 but still 0..N where N <= 1000 (3.9 dB). Also
+restrict the quirk to only apply to the volume control as there is also
+a mute control which would match the check otherwise.
+
+Fixes: 42e3121d90f4 ("ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly")
+Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
+Reported-by: David W <regulars@d-dub.org.uk>
+Tested-by: David W <regulars@d-dub.org.uk>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer_quirks.c |   22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -1831,6 +1831,7 @@ void snd_usb_mixer_rc_memory_change(stru
+ }
+ static void snd_dragonfly_quirk_db_scale(struct usb_mixer_interface *mixer,
++                                       struct usb_mixer_elem_info *cval,
+                                        struct snd_kcontrol *kctl)
+ {
+       /* Approximation using 10 ranges based on output measurement on hw v1.2.
+@@ -1848,10 +1849,19 @@ static void snd_dragonfly_quirk_db_scale
+               41, 50, TLV_DB_MINMAX_ITEM(-441, 0),
+       );
+-      usb_audio_info(mixer->chip, "applying DragonFly dB scale quirk\n");
+-      kctl->tlv.p = scale;
+-      kctl->vd[0].access |= SNDRV_CTL_ELEM_ACCESS_TLV_READ;
+-      kctl->vd[0].access &= ~SNDRV_CTL_ELEM_ACCESS_TLV_CALLBACK;
++      if (cval->min == 0 && cval->max == 50) {
++              usb_audio_info(mixer->chip, "applying DragonFly dB scale quirk (0-50 variant)\n");
++              kctl->tlv.p = scale;
++              kctl->vd[0].access |= SNDRV_CTL_ELEM_ACCESS_TLV_READ;
++              kctl->vd[0].access &= ~SNDRV_CTL_ELEM_ACCESS_TLV_CALLBACK;
++
++      } else if (cval->min == 0 && cval->max <= 1000) {
++              /* Some other clearly broken DragonFly variant.
++               * At least a 0..53 variant (hw v1.0) exists.
++               */
++              usb_audio_info(mixer->chip, "ignoring too narrow dB range on a DragonFly device");
++              kctl->vd[0].access &= ~SNDRV_CTL_ELEM_ACCESS_TLV_CALLBACK;
++      }
+ }
+ void snd_usb_mixer_fu_apply_quirk(struct usb_mixer_interface *mixer,
+@@ -1860,8 +1870,8 @@ void snd_usb_mixer_fu_apply_quirk(struct
+ {
+       switch (mixer->chip->usb_id) {
+       case USB_ID(0x21b4, 0x0081): /* AudioQuest DragonFly */
+-              if (unitid == 7 && cval->min == 0 && cval->max == 50)
+-                      snd_dragonfly_quirk_db_scale(mixer, kctl);
++              if (unitid == 7 && cval->control == UAC_FU_VOLUME)
++                      snd_dragonfly_quirk_db_scale(mixer, cval, kctl);
+               break;
+       }
+ }
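Review bot: The log message in the new `else if (cval->min == 0 && cval->max <= 1000)` branch of snd_dragonfly_quirk_db_scale() is missing the trailing newline that the 0-50 branch has, so the following kernel log record can end up appended to the same line. It should read `usb_audio_info(mixer->chip, "ignoring too narrow dB range on a DragonFly device\n");`. The comment in that branch names hw v1.0 while the commit message names v1.0c; the two should agree so the quirk can be matched to the right hardware revision later.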
diff --git a/queue-4.7/alsa-usb-line6-use-the-same-declaration-as-definition-in-header-for-midi-manufacturer-id.patch b/queue-4.7/alsa-usb-line6-use-the-same-declaration-as-definition-in-header-for-midi-manufacturer-id.patch
new file mode 100644 (file)
index 0000000..5ff8eae
--- /dev/null
@@ -0,0 +1,44 @@
+From 8da08ca03b73593d5299893bf29fc08569c3fb5f Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Sun, 25 Sep 2016 22:00:20 +0900
+Subject: ALSA: usb-line6: use the same declaration as definition in header for MIDI manufacturer ID
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 8da08ca03b73593d5299893bf29fc08569c3fb5f upstream.
+
+Currently, usb-line6 module exports an array of MIDI manufacturer ID and
+usb-pod module uses it. However, the declaration is not the definition in
+common header. The difference is explicit length of array. Although
+compiler calculates it and everything goes well, it's better to use the
+same representation between definition and declaration.
+
+This commit fills the length of array for usb-line6 module. As a small
+good sub-effect, this commit suppress below warnings from static analysis
+by sparse v0.5.0.
+
+sound/usb/line6/driver.c:274:43: error: cannot size expression
+sound/usb/line6/driver.c:275:16: error: cannot size expression
+sound/usb/line6/driver.c:276:16: error: cannot size expression
+sound/usb/line6/driver.c:277:16: error: cannot size expression
+
+Fixes: 705ececd1c60 ("Staging: add line6 usb driver")
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/line6/driver.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/line6/driver.c
++++ b/sound/usb/line6/driver.c
+@@ -29,7 +29,7 @@
+ /*
+       This is Line 6's MIDI manufacturer ID.
+ */
+-const unsigned char line6_midi_id[] = {
++const unsigned char line6_midi_id[3] = {
+       0x00, 0x01, 0x0c
+ };
+ EXPORT_SYMBOL_GPL(line6_midi_id);
diff --git a/queue-4.7/arch-x86-handle-non-enumerated-cpu-after-physical-hotplug.patch b/queue-4.7/arch-x86-handle-non-enumerated-cpu-after-physical-hotplug.patch
new file mode 100644 (file)
index 0000000..6c09ce0
--- /dev/null
@@ -0,0 +1,82 @@
+From 2a51fe083eba7f99cbda72f5ef90cdf2f4df882c Mon Sep 17 00:00:00 2001
+From: Prarit Bhargava <prarit@redhat.com>
+Date: Mon, 3 Oct 2016 13:07:12 -0400
+Subject: arch/x86: Handle non enumerated CPU after physical hotplug
+
+From: Prarit Bhargava <prarit@redhat.com>
+
+commit 2a51fe083eba7f99cbda72f5ef90cdf2f4df882c upstream.
+
+When a CPU is physically added to a system then the MADT table is not
+updated.
+
+If subsequently a kdump kernel is started on that physically added CPU then
+the ACPI enumeration fails to provide the information for this CPU which is
+now the boot CPU of the kdump kernel.
+
+As a consequence, generic_processor_info() is not invoked for that CPU so
+the number of enumerated processors is 0 and none of the initializations,
+including the logical package id management, are performed.
+
+We have code which relies on the correctness of the logical package map and
+other information which is initialized via generic_processor_info().
+Executing such code will result in undefined behaviour or kernel crashes.
+
+This problem applies only to the kdump kernel because a normal kexec will
+switch to the original boot CPU, which is enumerated in MADT, before
+jumping into the kexec kernel.
+
+The boot code already has a check for num_processors equal 0 in
+prefill_possible_map(). We can use that check as an indicator that the
+enumeration of the boot CPU did not happen and invoke generic_processor_info()
+for it. That initializes the relevant data for the boot CPU and therefore
+prevents subsequent failure.
+
+[ tglx: Refined the code and rewrote the changelog ]
+
+Signed-off-by: Prarit Bhargava <prarit@redhat.com>
+Fixes: 1f12e32f4cd5 ("x86/topology: Create logical package id")
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Len Brown <len.brown@intel.com>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: dyoung@redhat.com
+Cc: Eric Biederman <ebiederm@xmission.com>
+Cc: kexec@lists.infradead.org
+Link: http://lkml.kernel.org/r/1475514432-27682-1-git-send-email-prarit@redhat.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/smpboot.c |   18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -1393,9 +1393,21 @@ __init void prefill_possible_map(void)
+ {
+       int i, possible;
+-      /* no processor from mptable or madt */
+-      if (!num_processors)
+-              num_processors = 1;
++      /* No boot processor was found in mptable or ACPI MADT */
++      if (!num_processors) {
++              int apicid = boot_cpu_physical_apicid;
++              int cpu = hard_smp_processor_id();
++
++              pr_warn("Boot CPU (id %d) not listed by BIOS\n", cpu);
++
++              /* Make sure boot cpu is enumerated */
++              if (apic->cpu_present_to_apicid(0) == BAD_APICID &&
++                  apic->apic_id_valid(apicid))
++                      generic_processor_info(apicid, boot_cpu_apic_version);
++
++              if (!num_processors)
++                      num_processors = 1;
++      }
+       i = setup_max_cpus ?: 1;
+       if (setup_possible_cpus == -1) {
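Review bot: The result of `generic_processor_info(apicid, boot_cpu_apic_version)` is discarded in prefill_possible_map(), so if registering the boot CPU fails the code falls through silently to `num_processors = 1`, with the topology data still uninitialised. That is the state the commit message says leads to undefined behaviour or crashes. Assuming the function reports failure through a negative return as it appears to elsewhere, a check such as `if (generic_processor_info(apicid, boot_cpu_apic_version) < 0) pr_err("Boot CPU enumeration failed\n");` would at least leave a trace in the kdump log. The pr_warn prints hard_smp_processor_id() while the registration uses boot_cpu_physical_apicid, so the logged id may not be the one that was registered. The hunk also uses boot_cpu_apic_version, which presumably comes from x86-apic-get-rid-of-apic_version-array.patch in the same batch, so the series file needs that patch ordered first; the function body continues outside the hunk.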
diff --git a/queue-4.7/arm-cpuidle-fix-error-return-code.patch b/queue-4.7/arm-cpuidle-fix-error-return-code.patch
new file mode 100644 (file)
index 0000000..ff1cd0b
--- /dev/null
@@ -0,0 +1,33 @@
+From af48d7bc3756a0cd882d65bff14ab39746ba57fe Mon Sep 17 00:00:00 2001
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+Date: Thu, 11 Aug 2016 15:02:30 +0200
+Subject: ARM: cpuidle: Fix error return code
+
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+
+commit af48d7bc3756a0cd882d65bff14ab39746ba57fe upstream.
+
+We know that 'ret = 0' because it has been tested a few lines above.
+So, if 'kzalloc' fails, 0 will be returned instead of an error code.
+Return -ENOMEM instead.
+
+Fixes: a0d46a3dfdc3 ("ARM: cpuidle: Register per cpuidle device")
+Signed-off-by: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpuidle/cpuidle-arm.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/cpuidle/cpuidle-arm.c
++++ b/drivers/cpuidle/cpuidle-arm.c
+@@ -135,6 +135,7 @@ static int __init arm_idle_init(void)
+               dev = kzalloc(sizeof(*dev), GFP_KERNEL);
+               if (!dev) {
+                       pr_err("Failed to allocate cpuidle device\n");
++                      ret = -ENOMEM;
+                       goto out_fail;
+               }
+               dev->cpu = cpu;
diff --git a/queue-4.7/arm-dts-msm8064-remove-flags-from-spmi-mpp-irqs.patch b/queue-4.7/arm-dts-msm8064-remove-flags-from-spmi-mpp-irqs.patch
new file mode 100644 (file)
index 0000000..f95542d
--- /dev/null
@@ -0,0 +1,158 @@
+From ca88696e8b73a9fa2b1de445747e9235c3a7bd50 Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Fri, 5 Aug 2016 10:38:37 +0200
+Subject: ARM: dts: MSM8064 remove flags from SPMI/MPP IRQs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit ca88696e8b73a9fa2b1de445747e9235c3a7bd50 upstream.
+
+The Qualcomm PMIC GPIO and MPP lines are problematic: the
+are fetched from the main MFD driver with platform_get_irq()
+which means that at this point they will all be assigned the
+flags set up for the interrupts in the device tree.
+
+That is problematic since these are flagged as rising edge
+and an this point the interrupt descriptor is assigned a
+rising edge, while the only thing the GPIO/MPP drivers really
+do is issue irq_get_irqchip_state() on the line to read it
+out and to provide a .to_irq() helper for *other* IRQ
+consumers.
+
+If another device tree node tries to flag the same IRQ
+for use as something else than rising edge, the kernel
+irqdomain core will protest like this:
+
+  type mismatch, failed to map hwirq-NN for <FOO>!
+
+Which is what happens when the device tree defines two
+contradictory flags for the same interrupt line.
+
+To work around this and alleviate the problem, assign 0
+as flag for the interrupts taken by the PM GPIO and MPP
+drivers. This will lead to the flag being unset, and a
+second consumer requesting rising, falling, both or level
+interrupts will be respected. This is what the qcom-pm*.dtsi
+files already do.
+
+Switched to using the symbolic name IRQ_TYPE_NONE so that
+we get this more readable.
+
+Fixes: bce360469676 ("ARM: dts: apq8064: add pm8921 mpp support")
+Fixes: 874443fe9e33 ("ARM: dts: apq8064: Add pm8921 mfd and its gpio node")
+Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Cc: Stephen Boyd <sboyd@codeaurora.org>
+Cc: Björn Andersson <bjorn.andersson@linaro.org>
+Cc: Ivan T. Ivanov <ivan.ivanov@linaro.org>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Andy Gross <andy.gross@linaro.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Andy Gross <andy.gross@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/qcom-apq8064.dtsi |   76 +++++++++++++++++++++++++++---------
+ 1 file changed, 57 insertions(+), 19 deletions(-)
+
+--- a/arch/arm/boot/dts/qcom-apq8064.dtsi
++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi
+@@ -5,6 +5,7 @@
+ #include <dt-bindings/reset/qcom,gcc-msm8960.h>
+ #include <dt-bindings/clock/qcom,mmcc-msm8960.h>
+ #include <dt-bindings/soc/qcom,gsbi.h>
++#include <dt-bindings/interrupt-controller/irq.h>
+ #include <dt-bindings/interrupt-controller/arm-gic.h>
+ / {
+       model = "Qualcomm APQ8064";
+@@ -552,22 +553,50 @@
+                                       compatible = "qcom,pm8921-gpio",
+                                                    "qcom,ssbi-gpio";
+                                       reg = <0x150>;
+-                                      interrupts = <192 1>, <193 1>, <194 1>,
+-                                                   <195 1>, <196 1>, <197 1>,
+-                                                   <198 1>, <199 1>, <200 1>,
+-                                                   <201 1>, <202 1>, <203 1>,
+-                                                   <204 1>, <205 1>, <206 1>,
+-                                                   <207 1>, <208 1>, <209 1>,
+-                                                   <210 1>, <211 1>, <212 1>,
+-                                                   <213 1>, <214 1>, <215 1>,
+-                                                   <216 1>, <217 1>, <218 1>,
+-                                                   <219 1>, <220 1>, <221 1>,
+-                                                   <222 1>, <223 1>, <224 1>,
+-                                                   <225 1>, <226 1>, <227 1>,
+-                                                   <228 1>, <229 1>, <230 1>,
+-                                                   <231 1>, <232 1>, <233 1>,
+-                                                   <234 1>, <235 1>;
+-
++                                      interrupts = <192 IRQ_TYPE_NONE>,
++                                                   <193 IRQ_TYPE_NONE>,
++                                                   <194 IRQ_TYPE_NONE>,
++                                                   <195 IRQ_TYPE_NONE>,
++                                                   <196 IRQ_TYPE_NONE>,
++                                                   <197 IRQ_TYPE_NONE>,
++                                                   <198 IRQ_TYPE_NONE>,
++                                                   <199 IRQ_TYPE_NONE>,
++                                                   <200 IRQ_TYPE_NONE>,
++                                                   <201 IRQ_TYPE_NONE>,
++                                                   <202 IRQ_TYPE_NONE>,
++                                                   <203 IRQ_TYPE_NONE>,
++                                                   <204 IRQ_TYPE_NONE>,
++                                                   <205 IRQ_TYPE_NONE>,
++                                                   <206 IRQ_TYPE_NONE>,
++                                                   <207 IRQ_TYPE_NONE>,
++                                                   <208 IRQ_TYPE_NONE>,
++                                                   <209 IRQ_TYPE_NONE>,
++                                                   <210 IRQ_TYPE_NONE>,
++                                                   <211 IRQ_TYPE_NONE>,
++                                                   <212 IRQ_TYPE_NONE>,
++                                                   <213 IRQ_TYPE_NONE>,
++                                                   <214 IRQ_TYPE_NONE>,
++                                                   <215 IRQ_TYPE_NONE>,
++                                                   <216 IRQ_TYPE_NONE>,
++                                                   <217 IRQ_TYPE_NONE>,
++                                                   <218 IRQ_TYPE_NONE>,
++                                                   <219 IRQ_TYPE_NONE>,
++                                                   <220 IRQ_TYPE_NONE>,
++                                                   <221 IRQ_TYPE_NONE>,
++                                                   <222 IRQ_TYPE_NONE>,
++                                                   <223 IRQ_TYPE_NONE>,
++                                                   <224 IRQ_TYPE_NONE>,
++                                                   <225 IRQ_TYPE_NONE>,
++                                                   <226 IRQ_TYPE_NONE>,
++                                                   <227 IRQ_TYPE_NONE>,
++                                                   <228 IRQ_TYPE_NONE>,
++                                                   <229 IRQ_TYPE_NONE>,
++                                                   <230 IRQ_TYPE_NONE>,
++                                                   <231 IRQ_TYPE_NONE>,
++                                                   <232 IRQ_TYPE_NONE>,
++                                                   <233 IRQ_TYPE_NONE>,
++                                                   <234 IRQ_TYPE_NONE>,
++                                                   <235 IRQ_TYPE_NONE>;
+                                       gpio-controller;
+                                       #gpio-cells = <2>;
+@@ -580,9 +609,18 @@
+                                       gpio-controller;
+                                       #gpio-cells = <2>;
+                                       interrupts =
+-                                      <128 1>, <129 1>, <130 1>, <131 1>,
+-                                      <132 1>, <133 1>, <134 1>, <135 1>,
+-                                      <136 1>, <137 1>, <138 1>, <139 1>;
++                                      <128 IRQ_TYPE_NONE>,
++                                      <129 IRQ_TYPE_NONE>,
++                                      <130 IRQ_TYPE_NONE>,
++                                      <131 IRQ_TYPE_NONE>,
++                                      <132 IRQ_TYPE_NONE>,
++                                      <133 IRQ_TYPE_NONE>,
++                                      <134 IRQ_TYPE_NONE>,
++                                      <135 IRQ_TYPE_NONE>,
++                                      <136 IRQ_TYPE_NONE>,
++                                      <137 IRQ_TYPE_NONE>,
++                                      <138 IRQ_TYPE_NONE>,
++                                      <139 IRQ_TYPE_NONE>;
+                               };
+                               rtc@11d {
diff --git a/queue-4.7/arm-dts-mvebu-armada-390-add-missing-compatibility-string-and-bracket.patch b/queue-4.7/arm-dts-mvebu-armada-390-add-missing-compatibility-string-and-bracket.patch
new file mode 100644 (file)
index 0000000..3e0d1fc
--- /dev/null
@@ -0,0 +1,40 @@
+From 061492cfad9f11dbc32df741a7164f307b69b6e6 Mon Sep 17 00:00:00 2001
+From: Grzegorz Jaszczyk <jaz@semihalf.com>
+Date: Thu, 4 Aug 2016 12:14:08 +0200
+Subject: ARM: dts: mvebu: armada-390: add missing compatibility string and bracket
+
+From: Grzegorz Jaszczyk <jaz@semihalf.com>
+
+commit 061492cfad9f11dbc32df741a7164f307b69b6e6 upstream.
+
+The armada-390.dtsi was broken since the first patch which adds Device Tree
+files for Armada 39x SoC was introduced.
+
+Signed-off-by: Grzegorz Jaszczyk <jaz@semihalf.com>
+Acked-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Fixes 538da83 ("ARM: mvebu: add Device Tree files for Armada 39x SoC and board")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+
+---
+ arch/arm/boot/dts/armada-390.dtsi |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm/boot/dts/armada-390.dtsi
++++ b/arch/arm/boot/dts/armada-390.dtsi
+@@ -47,6 +47,8 @@
+ #include "armada-39x.dtsi"
+ / {
++      compatible = "marvell,armada390";
++
+       soc {
+               internal-regs {
+                       pinctrl@18000 {
+@@ -54,4 +56,5 @@
+                               reg = <0x18000 0x20>;
+                       };
+               };
++      };
+ };
diff --git a/queue-4.7/arm64-fix-dump_backtrace-unwind_frame-with-null-tsk.patch b/queue-4.7/arm64-fix-dump_backtrace-unwind_frame-with-null-tsk.patch
new file mode 100644 (file)
index 0000000..126c2e1
--- /dev/null
@@ -0,0 +1,95 @@
+From b5e7307d9d5a340d2c9fabbe1cee137d4c682c71 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Fri, 23 Sep 2016 17:55:05 +0100
+Subject: arm64: fix dump_backtrace/unwind_frame with NULL tsk
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit b5e7307d9d5a340d2c9fabbe1cee137d4c682c71 upstream.
+
+In some places, dump_backtrace() is called with a NULL tsk parameter,
+e.g. in bug_handler() in arch/arm64, or indirectly via show_stack() in
+core code. The expectation is that this is treated as if current were
+passed instead of NULL. Similar is true of unwind_frame().
+
+Commit a80a0eb70c358f8c ("arm64: make irq_stack_ptr more robust") didn't
+take this into account. In dump_backtrace() it compares tsk against
+current *before* we check if tsk is NULL, and in unwind_frame() we never
+set tsk if it is NULL.
+
+Due to this, we won't initialise irq_stack_ptr in either function. In
+dump_backtrace() this results in calling dump_mem() for memory
+immediately above the IRQ stack range, rather than for the relevant
+range on the task stack. In unwind_frame we'll reject unwinding frames
+on the IRQ stack.
+
+In either case this results in incomplete or misleading backtrace
+information, but is not otherwise problematic. The initial percpu areas
+(including the IRQ stacks) are allocated in the linear map, and dump_mem
+uses __get_user(), so we shouldn't access anything with side-effects,
+and will handle holes safely.
+
+This patch fixes the issue by having both functions handle the NULL tsk
+case before doing anything else with tsk.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Fixes: a80a0eb70c358f8c ("arm64: make irq_stack_ptr more robust")
+Acked-by: James Morse <james.morse@arm.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Yang Shi <yang.shi@linaro.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/stacktrace.c |    5 ++++-
+ arch/arm64/kernel/traps.c      |   10 +++++-----
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+
+--- a/arch/arm64/kernel/stacktrace.c
++++ b/arch/arm64/kernel/stacktrace.c
+@@ -43,6 +43,9 @@ int notrace unwind_frame(struct task_str
+       unsigned long fp = frame->fp;
+       unsigned long irq_stack_ptr;
++      if (!tsk)
++              tsk = current;
++
+       /*
+        * Switching between stacks is valid when tracing current and in
+        * non-preemptible context.
+@@ -67,7 +70,7 @@ int notrace unwind_frame(struct task_str
+       frame->pc = READ_ONCE_NOCHECK(*(unsigned long *)(fp + 8));
+ #ifdef CONFIG_FUNCTION_GRAPH_TRACER
+-      if (tsk && tsk->ret_stack &&
++      if (tsk->ret_stack &&
+                       (frame->pc == (unsigned long)return_to_handler)) {
+               /*
+                * This is a case where function graph tracer has
+--- a/arch/arm64/kernel/traps.c
++++ b/arch/arm64/kernel/traps.c
+@@ -149,6 +149,11 @@ static void dump_backtrace(struct pt_reg
+       unsigned long irq_stack_ptr;
+       int skip;
++      pr_debug("%s(regs = %p tsk = %p)\n", __func__, regs, tsk);
++
++      if (!tsk)
++              tsk = current;
++
+       /*
+        * Switching between stacks is valid when tracing current and in
+        * non-preemptible context.
+@@ -158,11 +163,6 @@ static void dump_backtrace(struct pt_reg
+       else
+               irq_stack_ptr = 0;
+-      pr_debug("%s(regs = %p tsk = %p)\n", __func__, regs, tsk);
+-
+-      if (!tsk)
+-              tsk = current;
+-
+       if (tsk == current) {
+               frame.fp = (unsigned long)__builtin_frame_address(0);
+               frame.sp = current_stack_pointer;
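Review bot: The `pr_debug("%s(regs = %p tsk = %p)\n", ...)` that now opens dump_backtrace() formats two kernel pointers with plain `%p`, which on a 4.7 kernel writes the raw addresses to the log whenever this debug site is enabled. The line is moved rather than new, but since it is being touched, `pr_debug("%s(regs = %pK tsk = %pK)\n", __func__, regs, tsk);` would put the output under kptr_restrict. In unwind_frame() the `tsk &&` test is dropped from the CONFIG_FUNCTION_GRAPH_TRACER condition, so `tsk->ret_stack` is now safe only because of the `if (!tsk) tsk = current;` added at the top; a one-line comment there, for example `/* NULL means current; later dereferences rely on this */`, would make that dependency explicit. Both function bodies extend beyond the hunks.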
diff --git a/queue-4.7/kvm-arm-arm64-vgic-don-t-flush-sync-without-a-working-vgic.patch b/queue-4.7/kvm-arm-arm64-vgic-don-t-flush-sync-without-a-working-vgic.patch
new file mode 100644 (file)
index 0000000..575074e
--- /dev/null
@@ -0,0 +1,47 @@
+From 0099b7701f5296a758d9e6b945ec96f96847cc2f Mon Sep 17 00:00:00 2001
+From: Christoffer Dall <christoffer.dall@linaro.org>
+Date: Tue, 27 Sep 2016 18:53:35 +0200
+Subject: KVM: arm/arm64: vgic: Don't flush/sync without a working vgic
+
+From: Christoffer Dall <christoffer.dall@linaro.org>
+
+commit 0099b7701f5296a758d9e6b945ec96f96847cc2f upstream.
+
+If the vgic hasn't been created and initialized, we shouldn't attempt to
+look at its data structures or flush/sync anything to the GIC hardware.
+
+This fixes an issue reported by Alexander Graf when using a userspace
+irqchip.
+
+Fixes: 0919e84c0fc1 ("KVM: arm/arm64: vgic-new: Add IRQ sync/flush framework")
+Reported-by: Alexander Graf <agraf@suse.de>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/vgic/vgic.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/virt/kvm/arm/vgic/vgic.c
++++ b/virt/kvm/arm/vgic/vgic.c
+@@ -553,6 +553,9 @@ next:
+ /* Sync back the hardware VGIC state into our emulation after a guest's run. */
+ void kvm_vgic_sync_hwstate(struct kvm_vcpu *vcpu)
+ {
++      if (unlikely(!vgic_initialized(vcpu->kvm)))
++              return;
++
+       vgic_process_maintenance_interrupt(vcpu);
+       vgic_fold_lr_state(vcpu);
+       vgic_prune_ap_list(vcpu);
+@@ -561,6 +564,9 @@ void kvm_vgic_sync_hwstate(struct kvm_vc
+ /* Flush our emulation state into the GIC hardware before entering the guest. */
+ void kvm_vgic_flush_hwstate(struct kvm_vcpu *vcpu)
+ {
++      if (unlikely(!vgic_initialized(vcpu->kvm)))
++              return;
++
+       spin_lock(&vcpu->arch.vgic_cpu.ap_list_lock);
+       vgic_flush_lr_state(vcpu);
+       spin_unlock(&vcpu->arch.vgic_cpu.ap_list_lock);
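Review bot: The two added `vgic_initialized(vcpu->kvm)` guards in kvm_vgic_sync_hwstate() and kvm_vgic_flush_hwstate() return silently, and the one-line comments above both functions still describe an unconditional sync/flush. A short comment on each guard would record why the early return is correct, for example `/* No initialized in-kernel vgic (e.g. userspace irqchip): nothing to sync. */`. Whether other vgic entry points reached from the run loop need the same guard cannot be judged from these hunks.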
diff --git a/queue-4.7/kvm-arm64-require-in-kernel-irqchip-for-pmu-support.patch b/queue-4.7/kvm-arm64-require-in-kernel-irqchip-for-pmu-support.patch
new file mode 100644 (file)
index 0000000..2b0c412
--- /dev/null
@@ -0,0 +1,55 @@
+From 6fe407f2d18a4f94216263f91cb7d1f08fa5887c Mon Sep 17 00:00:00 2001
+From: Christoffer Dall <christoffer.dall@linaro.org>
+Date: Mon, 26 Sep 2016 18:51:47 -0700
+Subject: KVM: arm64: Require in-kernel irqchip for PMU support
+
+From: Christoffer Dall <christoffer.dall@linaro.org>
+
+commit 6fe407f2d18a4f94216263f91cb7d1f08fa5887c upstream.
+
+If userspace creates a PMU for the VCPU, but doesn't create an in-kernel
+irqchip, then we end up in a nasty path where we try to take an
+uninitialized spinlock, which can lead to all sorts of breakages.
+
+Luckily, QEMU always creates the VGIC before the PMU, so we can
+establish this as ABI and check for the VGIC in the PMU init stage.
+This can be relaxed at a later time if we want to support PMU with a
+userspace irqchip.
+
+Cc: Shannon Zhao <shannon.zhao@linaro.org>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/virtual/kvm/devices/vcpu.txt |    4 +++-
+ virt/kvm/arm/pmu.c                         |    8 ++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+--- a/Documentation/virtual/kvm/devices/vcpu.txt
++++ b/Documentation/virtual/kvm/devices/vcpu.txt
+@@ -30,4 +30,6 @@ Returns: -ENODEV: PMUv3 not supported
+                  attribute
+          -EBUSY: PMUv3 already initialized
+-Request the initialization of the PMUv3.
++Request the initialization of the PMUv3.  This must be done after creating the
++in-kernel irqchip.  Creating a PMU with a userspace irqchip is currently not
++supported.
+--- a/virt/kvm/arm/pmu.c
++++ b/virt/kvm/arm/pmu.c
+@@ -423,6 +423,14 @@ static int kvm_arm_pmu_v3_init(struct kv
+       if (!kvm_arm_support_pmu_v3())
+               return -ENODEV;
++      /*
++       * We currently require an in-kernel VGIC to use the PMU emulation,
++       * because we do not support forwarding PMU overflow interrupts to
++       * userspace yet.
++       */
++      if (!irqchip_in_kernel(vcpu->kvm) || !vgic_initialized(vcpu->kvm))
++              return -ENODEV;
++
+       if (!test_bit(KVM_ARM_VCPU_PMU_V3, vcpu->arch.features) ||
+           !kvm_arm_pmu_irq_initialized(vcpu))
+               return -ENXIO;
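Review bot: The new check in kvm_arm_pmu_v3_init() returns `-ENODEV` when there is no in-kernel irqchip or the vgic is not initialized, but the Returns list in vcpu.txt (visible as context in the documentation hunk) still reads `-ENODEV: PMUv3 not supported`. Userspace therefore cannot tell a missing PMU from a wrong initialization order. I would extend that documentation line to `-ENODEV: PMUv3 not supported or in-kernel irqchip not created/initialized`, so the ordering requirement added in the paragraph below it has a matching error description. The function body continues outside the hunk.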
diff --git a/queue-4.7/kvm-mips-drop-other-cpu-asids-on-guest-mmu-changes.patch b/queue-4.7/kvm-mips-drop-other-cpu-asids-on-guest-mmu-changes.patch
new file mode 100644 (file)
index 0000000..b6c6ae5
--- /dev/null
@@ -0,0 +1,140 @@
+From 91e4f1b6073dd680d86cdb7e42d7cccca9db39d8 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Thu, 15 Sep 2016 17:20:06 +0100
+Subject: KVM: MIPS: Drop other CPU ASIDs on guest MMU changes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 91e4f1b6073dd680d86cdb7e42d7cccca9db39d8 upstream.
+
+When a guest TLB entry is replaced by TLBWI or TLBWR, we only invalidate
+TLB entries on the local CPU. This doesn't work correctly on an SMP host
+when the guest is migrated to a different physical CPU, as it could pick
+up stale TLB mappings from the last time the vCPU ran on that physical
+CPU.
+
+Therefore invalidate both user and kernel host ASIDs on other CPUs,
+which will cause new ASIDs to be generated when it next runs on those
+CPUs.
+
+We're careful only to do this if the TLB entry was already valid, and
+only for the kernel ASID where the virtual address it mapped is outside
+of the guest user address range.
+
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: "Radim Krčmář" <rkrcmar@redhat.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kvm/emulate.c |   63 ++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 53 insertions(+), 10 deletions(-)
+
+--- a/arch/mips/kvm/emulate.c
++++ b/arch/mips/kvm/emulate.c
+@@ -807,6 +807,47 @@ enum emulation_result kvm_mips_emul_tlbr
+       return EMULATE_FAIL;
+ }
++/**
++ * kvm_mips_invalidate_guest_tlb() - Indicates a change in guest MMU map.
++ * @vcpu:     VCPU with changed mappings.
++ * @tlb:      TLB entry being removed.
++ *
++ * This is called to indicate a single change in guest MMU mappings, so that we
++ * can arrange TLB flushes on this and other CPUs.
++ */
++static void kvm_mips_invalidate_guest_tlb(struct kvm_vcpu *vcpu,
++                                        struct kvm_mips_tlb *tlb)
++{
++      int cpu, i;
++      bool user;
++
++      /* No need to flush for entries which are already invalid */
++      if (!((tlb->tlb_lo[0] | tlb->tlb_lo[1]) & ENTRYLO_V))
++              return;
++      /* User address space doesn't need flushing for KSeg2/3 changes */
++      user = tlb->tlb_hi < KVM_GUEST_KSEG0;
++
++      preempt_disable();
++
++      /*
++       * Probe the shadow host TLB for the entry being overwritten, if one
++       * matches, invalidate it
++       */
++      kvm_mips_host_tlb_inv(vcpu, tlb->tlb_hi);
++
++      /* Invalidate the whole ASID on other CPUs */
++      cpu = smp_processor_id();
++      for_each_possible_cpu(i) {
++              if (i == cpu)
++                      continue;
++              if (user)
++                      vcpu->arch.guest_user_asid[i] = 0;
++              vcpu->arch.guest_kernel_asid[i] = 0;
++      }
++
++      preempt_enable();
++}
++
+ /* Write Guest TLB Entry @ Index */
+ enum emulation_result kvm_mips_emul_tlbwi(struct kvm_vcpu *vcpu)
+ {
+@@ -826,11 +867,8 @@ enum emulation_result kvm_mips_emul_tlbw
+       }
+       tlb = &vcpu->arch.guest_tlb[index];
+-      /*
+-       * Probe the shadow host TLB for the entry being overwritten, if one
+-       * matches, invalidate it
+-       */
+-      kvm_mips_host_tlb_inv(vcpu, tlb->tlb_hi);
++
++      kvm_mips_invalidate_guest_tlb(vcpu, tlb);
+       tlb->tlb_mask = kvm_read_c0_guest_pagemask(cop0);
+       tlb->tlb_hi = kvm_read_c0_guest_entryhi(cop0);
+@@ -859,11 +897,7 @@ enum emulation_result kvm_mips_emul_tlbw
+       tlb = &vcpu->arch.guest_tlb[index];
+-      /*
+-       * Probe the shadow host TLB for the entry being overwritten, if one
+-       * matches, invalidate it
+-       */
+-      kvm_mips_host_tlb_inv(vcpu, tlb->tlb_hi);
++      kvm_mips_invalidate_guest_tlb(vcpu, tlb);
+       tlb->tlb_mask = kvm_read_c0_guest_pagemask(cop0);
+       tlb->tlb_hi = kvm_read_c0_guest_entryhi(cop0);
+@@ -982,6 +1016,7 @@ enum emulation_result kvm_mips_emulate_C
+       int32_t rt, rd, copz, sel, co_bit, op;
+       uint32_t pc = vcpu->arch.pc;
+       unsigned long curr_pc;
++      int cpu, i;
+       /*
+        * Update PC and hold onto current PC in case there is
+@@ -1089,8 +1124,16 @@ enum emulation_result kvm_mips_emulate_C
+                                               vcpu->arch.gprs[rt]
+                                               & KVM_ENTRYHI_ASID);
++                                      preempt_disable();
+                                       /* Blow away the shadow host TLBs */
+                                       kvm_mips_flush_host_tlb(1);
++                                      cpu = smp_processor_id();
++                                      for_each_possible_cpu(i)
++                                              if (i != cpu) {
++                                                      vcpu->arch.guest_user_asid[i] = 0;
++                                                      vcpu->arch.guest_kernel_asid[i] = 0;
++                                              }
++                                      preempt_enable();
+                               }
+                               kvm_write_c0_guest_entryhi(cop0,
+                                                          vcpu->arch.gprs[rt]);
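Review bot: The loop that zeroes `guest_user_asid[]` and `guest_kernel_asid[]` on the other CPUs is written twice, once in the new kvm_mips_invalidate_guest_tlb() and once open-coded in the EntryHi ASID-change path of kvm_mips_emulate_CP0 (the last hunk), which also needs the new `int cpu, i;` locals. Per the commit message a missed invalidation lets the guest pick up stale TLB mappings after migration, so I would keep a single copy of this logic so the two paths cannot drift apart. The fence sketches a small helper, called with preemption already disabled, that both sites could use; the helper name is only a suggestion. kvm_mips_emulate_CP0's body starts and ends outside the hunk.

```c
/* Drop this VCPU's host ASIDs on all CPUs but the current one; caller has preemption disabled. */
static void kvm_mips_drop_other_cpu_asids(struct kvm_vcpu *vcpu, bool user)
{
	int cpu = smp_processor_id();
	int i;

	for_each_possible_cpu(i) {
		if (i == cpu)
			continue;
		if (user)
			vcpu->arch.guest_user_asid[i] = 0;
		vcpu->arch.guest_kernel_asid[i] = 0;
	}
}

/* ... unchanged: validity check and `user` computation in kvm_mips_invalidate_guest_tlb() ... */
	preempt_disable();
	kvm_mips_host_tlb_inv(vcpu, tlb->tlb_hi);
	kvm_mips_drop_other_cpu_asids(vcpu, user);
	preempt_enable();

/* ... in kvm_mips_emulate_CP0(), ASID-change path ... */
	preempt_disable();
	/* Blow away the shadow host TLBs */
	kvm_mips_flush_host_tlb(1);
	kvm_mips_drop_other_cpu_asids(vcpu, true);
	preempt_enable();
```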
diff --git a/queue-4.7/kvm-ppc-book3s-pr-allow-access-to-unprivileged-mmcr2-register.patch b/queue-4.7/kvm-ppc-book3s-pr-allow-access-to-unprivileged-mmcr2-register.patch
new file mode 100644 (file)
index 0000000..138d247
--- /dev/null
@@ -0,0 +1,58 @@
+From fa73c3b25bd8d0d393dc6109a1dba3c2aef0451e Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Wed, 21 Sep 2016 15:06:45 +0200
+Subject: KVM: PPC: Book3s PR: Allow access to unprivileged MMCR2 register
+
+From: Thomas Huth <thuth@redhat.com>
+
+commit fa73c3b25bd8d0d393dc6109a1dba3c2aef0451e upstream.
+
+The MMCR2 register is available twice, one time with number 785
+(privileged access), and one time with number 769 (unprivileged,
+but it can be disabled completely). In former times, the Linux
+kernel was using the unprivileged register 769 only, but since
+commit 8dd75ccb571f3c92c ("powerpc: Use privileged SPR number
+for MMCR2"), it uses the privileged register 785 instead.
+The KVM-PR code then of course also switched to use the SPR 785,
+but this is causing older guest kernels to crash, since these
+kernels still access 769 instead. So to support older kernels
+with KVM-PR again, we have to support register 769 in KVM-PR, too.
+
+Fixes: 8dd75ccb571f3c92c48014b3dabd3d51a115ab41
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/reg.h    |    1 +
+ arch/powerpc/kvm/book3s_emulate.c |    2 ++
+ 2 files changed, 3 insertions(+)
+
+--- a/arch/powerpc/include/asm/reg.h
++++ b/arch/powerpc/include/asm/reg.h
+@@ -718,6 +718,7 @@
+ #define   MMCR0_FCHV  0x00000001UL /* freeze conditions in hypervisor mode */
+ #define SPRN_MMCR1    798
+ #define SPRN_MMCR2    785
++#define SPRN_UMMCR2   769
+ #define SPRN_MMCRA    0x312
+ #define   MMCRA_SDSYNC        0x80000000UL /* SDAR synced with SIAR */
+ #define   MMCRA_SDAR_DCACHE_MISS 0x40000000UL
+--- a/arch/powerpc/kvm/book3s_emulate.c
++++ b/arch/powerpc/kvm/book3s_emulate.c
+@@ -498,6 +498,7 @@ int kvmppc_core_emulate_mtspr_pr(struct
+       case SPRN_MMCR0:
+       case SPRN_MMCR1:
+       case SPRN_MMCR2:
++      case SPRN_UMMCR2:
+ #endif
+               break;
+ unprivileged:
+@@ -640,6 +641,7 @@ int kvmppc_core_emulate_mfspr_pr(struct
+       case SPRN_MMCR0:
+       case SPRN_MMCR1:
+       case SPRN_MMCR2:
++      case SPRN_UMMCR2:
+       case SPRN_TIR:
+ #endif
+               *spr_val = 0;
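Review bot: `SPRN_UMMCR2` is added to reg.h next to `SPRN_MMCR2` without a comment, so a reader cannot tell from the header that 769 is the unprivileged alias of the same register. I would write the define as `#define SPRN_UMMCR2   769   /* unprivileged alias of MMCR2 */`. In book3s_emulate.c the new case labels join lists whose visible effect is a plain `break` for mtspr and `*spr_val = 0` for mfspr, so guest writes to 769 are discarded and reads return zero; a one-line comment on the case saying so would help. Both switch statements start and end outside the hunks.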
diff --git a/queue-4.7/kvm-ppc-booke-fix-a-sanity-check.patch b/queue-4.7/kvm-ppc-booke-fix-a-sanity-check.patch
new file mode 100644 (file)
index 0000000..f0e1f3a
--- /dev/null
@@ -0,0 +1,33 @@
+From ac0e89bb4744d3882ccd275f2416d9ce22f4e1e7 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 14 Jul 2016 13:15:46 +0300
+Subject: KVM: PPC: BookE: Fix a sanity check
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit ac0e89bb4744d3882ccd275f2416d9ce22f4e1e7 upstream.
+
+We use logical negate where bitwise negate was intended.  It means that
+we never return -EINVAL here.
+
+Fixes: ce11e48b7fdd ('KVM: PPC: E500: Add userspace debug stub support')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Alexander Graf <agraf@suse.de>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/booke.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kvm/booke.c
++++ b/arch/powerpc/kvm/booke.c
+@@ -2038,7 +2038,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
+               if (type == KVMPPC_DEBUG_NONE)
+                       continue;
+-              if (type & !(KVMPPC_DEBUG_WATCH_READ |
++              if (type & ~(KVMPPC_DEBUG_WATCH_READ |
+                            KVMPPC_DEBUG_WATCH_WRITE |
+                            KVMPPC_DEBUG_BREAKPOINT))
+                       return -EINVAL;
diff --git a/queue-4.7/mfd-88pm80x-double-shifting-bug-in-suspend-resume.patch b/queue-4.7/mfd-88pm80x-double-shifting-bug-in-suspend-resume.patch
new file mode 100644 (file)
index 0000000..fd1b3b1
--- /dev/null
@@ -0,0 +1,42 @@
+From 9a6dc644512fd083400a96ac4a035ac154fe6b8d Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 4 Aug 2016 08:26:56 +0300
+Subject: mfd: 88pm80x: Double shifting bug in suspend/resume
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 9a6dc644512fd083400a96ac4a035ac154fe6b8d upstream.
+
+set_bit() and clear_bit() take the bit number so this code is really
+doing "1 << (1 << irq)" which is a double shift bug.  It's done
+consistently so it won't cause a problem unless "irq" is more than 4.
+
+Fixes: 70c6cce04066 ('mfd: Support 88pm80x in 80x driver')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/mfd/88pm80x.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/mfd/88pm80x.h
++++ b/include/linux/mfd/88pm80x.h
+@@ -350,7 +350,7 @@ static inline int pm80x_dev_suspend(stru
+       int irq = platform_get_irq(pdev, 0);
+       if (device_may_wakeup(dev))
+-              set_bit((1 << irq), &chip->wu_flag);
++              set_bit(irq, &chip->wu_flag);
+       return 0;
+ }
+@@ -362,7 +362,7 @@ static inline int pm80x_dev_resume(struc
+       int irq = platform_get_irq(pdev, 0);
+       if (device_may_wakeup(dev))
+-              clear_bit((1 << irq), &chip->wu_flag);
++              clear_bit(irq, &chip->wu_flag);
+       return 0;
+ }
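Review bot: With the double shift removed, `irq` from `platform_get_irq(pdev, 0)` is used directly as the bit index in `set_bit()`/`clear_bit()` on `chip->wu_flag`, and neither pm80x_dev_suspend() nor pm80x_dev_resume() checks it first. platform_get_irq() returns a negative errno on failure, and a negative or too-large index makes the bit operation touch memory outside `wu_flag`. I would guard both sites, e.g. `if (irq >= 0 && device_may_wakeup(dev))`, and additionally bound `irq` by the width of `wu_flag`, whose declaration is not visible here. Both function bodies start outside the hunks.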
diff --git a/queue-4.7/mfd-atmel-hlcdc-do-not-sleep-in-atomic-context.patch b/queue-4.7/mfd-atmel-hlcdc-do-not-sleep-in-atomic-context.patch
new file mode 100644 (file)
index 0000000..4d95f24
--- /dev/null
@@ -0,0 +1,38 @@
+From 2c2469bc03d569c49119db2cccb5cb3f0c6a5b33 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Tue, 6 Sep 2016 14:19:29 +0200
+Subject: mfd: atmel-hlcdc: Do not sleep in atomic context
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit 2c2469bc03d569c49119db2cccb5cb3f0c6a5b33 upstream.
+
+readl_poll_timeout() calls usleep_range(), but
+regmap_atmel_hlcdc_reg_write() is called in atomic context (regmap
+spinlock held).
+
+Replace the readl_poll_timeout() call by readl_poll_timeout_atomic().
+
+Fixes: ea31c0cf9b07 ("mfd: atmel-hlcdc: Implement config synchronization")
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/atmel-hlcdc.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/mfd/atmel-hlcdc.c
++++ b/drivers/mfd/atmel-hlcdc.c
+@@ -50,8 +50,9 @@ static int regmap_atmel_hlcdc_reg_write(
+       if (reg <= ATMEL_HLCDC_DIS) {
+               u32 status;
+-              readl_poll_timeout(hregmap->regs + ATMEL_HLCDC_SR, status,
+-                                 !(status & ATMEL_HLCDC_SIP), 1, 100);
++              readl_poll_timeout_atomic(hregmap->regs + ATMEL_HLCDC_SR,
++                                        status, !(status & ATMEL_HLCDC_SIP),
++                                        1, 100);
+       }
+       writel(val, hregmap->regs + reg);
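Review bot: The return value of `readl_poll_timeout_atomic()` is discarded, so if ATMEL_HLCDC_SIP is still set after the 100 us timeout the `writel()` below is issued anyway. If writing while a synchronization is in progress is not acceptable for these registers (the hunk does not say), the write path should propagate the failure: `ret = readl_poll_timeout_atomic(...); if (ret) return ret;`. The sleeping variant was ignored in the same way, so this is not a regression of the change. regmap_atmel_hlcdc_reg_write()'s body starts outside the hunk.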
diff --git a/queue-4.7/mfd-rtsx_usb-avoid-setting-ucr-current_sg.status.patch b/queue-4.7/mfd-rtsx_usb-avoid-setting-ucr-current_sg.status.patch
new file mode 100644 (file)
index 0000000..a253852
--- /dev/null
@@ -0,0 +1,58 @@
+From 8dcc5ff8fcaf778bb57ab4448fedca9e381d088f Mon Sep 17 00:00:00 2001
+From: Lu Baolu <baolu.lu@linux.intel.com>
+Date: Thu, 11 Aug 2016 10:39:03 +0800
+Subject: mfd: rtsx_usb: Avoid setting ucr->current_sg.status
+
+From: Lu Baolu <baolu.lu@linux.intel.com>
+
+commit 8dcc5ff8fcaf778bb57ab4448fedca9e381d088f upstream.
+
+Member "status" of struct usb_sg_request is managed by usb core. A
+spin lock is used to serialize the change of it. The driver could
+check the value of req->status, but should avoid changing it without
+the hold of the spinlock. Otherwise, it could cause race or error
+in usb core.
+
+This patch could be backported to stable kernels with version later
+than v3.14.
+
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Cc: Roger Tseng <rogerable@realtek.com>
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/rtsx_usb.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/mfd/rtsx_usb.c
++++ b/drivers/mfd/rtsx_usb.c
+@@ -46,9 +46,6 @@ static void rtsx_usb_sg_timed_out(unsign
+       dev_dbg(&ucr->pusb_intf->dev, "%s: sg transfer timed out", __func__);
+       usb_sg_cancel(&ucr->current_sg);
+-
+-      /* we know the cancellation is caused by time-out */
+-      ucr->current_sg.status = -ETIMEDOUT;
+ }
+ static int rtsx_usb_bulk_transfer_sglist(struct rtsx_ucr *ucr,
+@@ -67,12 +64,15 @@ static int rtsx_usb_bulk_transfer_sglist
+       ucr->sg_timer.expires = jiffies + msecs_to_jiffies(timeout);
+       add_timer(&ucr->sg_timer);
+       usb_sg_wait(&ucr->current_sg);
+-      del_timer_sync(&ucr->sg_timer);
++      if (!del_timer_sync(&ucr->sg_timer))
++              ret = -ETIMEDOUT;
++      else
++              ret = ucr->current_sg.status;
+       if (act_len)
+               *act_len = ucr->current_sg.bytes;
+-      return ucr->current_sg.status;
++      return ret;
+ }
+ int rtsx_usb_transfer_data(struct rtsx_ucr *ucr, unsigned int pipe,
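Review bot: The new `if (!del_timer_sync(&ucr->sg_timer)) ret = -ETIMEDOUT;` infers a timeout from the timer no longer being pending, which is not obvious to a reader and carries no comment. I would add `/* 0 means the timer already fired, i.e. rtsx_usb_sg_timed_out() cancelled the request */` above it. A transfer that completes just as the timer expires would, as far as the hunk shows, also be reported as -ETIMEDOUT while `*act_len` holds the full byte count, so callers that use `act_len` on error deserve a look. The start of rtsx_usb_bulk_transfer_sglist() is outside the hunk.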
diff --git a/queue-4.7/mfd-wm8350-i2c-make-sure-the-i2c-regmap-functions-are-compiled.patch b/queue-4.7/mfd-wm8350-i2c-make-sure-the-i2c-regmap-functions-are-compiled.patch
new file mode 100644 (file)
index 0000000..c4b1202
--- /dev/null
@@ -0,0 +1,38 @@
+From 88003fb10f1fc606e1704611c62ceae95fd1d7da Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de>
+Date: Fri, 29 Jul 2016 21:29:15 +0200
+Subject: mfd: wm8350-i2c: Make sure the i2c regmap functions are compiled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+commit 88003fb10f1fc606e1704611c62ceae95fd1d7da upstream.
+
+This fixes a compile failure:
+
+       drivers/built-in.o: In function `wm8350_i2c_probe':
+       core.c:(.text+0x828b0): undefined reference to `__devm_regmap_init_i2c'
+       Makefile:953: recipe for target 'vmlinux' failed
+
+Fixes: 52b461b86a9f ("mfd: Add regmap cache support for wm8350")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Acked-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/Kconfig |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mfd/Kconfig
++++ b/drivers/mfd/Kconfig
+@@ -1535,6 +1535,7 @@ config MFD_WM8350
+ config MFD_WM8350_I2C
+       bool "Wolfson Microelectronics WM8350 with I2C"
+       select MFD_WM8350
++      select REGMAP_I2C
+       depends on I2C=y
+       help
+         The WM8350 is an integrated audio and power management
index cbab40bab8417ff3c450685711e739a6714b8756..6ccc72490acaf25856b34763586fdf167c224afe 100644 (file)
@@ -1,3 +1,28 @@
 powerpc-pseries-use-pci_host_bridge.release_fn-to-kfree-phb.patch
 cxl-use-pcibios_free_controller_deferred-when-removing-vphbs.patch
 timekeeping-fix-__ktime_get_fast_ns-regression.patch
+usb-dwc3-fix-clear-stall-ep-command-failure.patch
+alsa-ali5451-fix-out-of-bound-position-reporting.patch
+alsa-usb-audio-extend-dragonfly-db-scale-quirk-to-cover-other-variants.patch
+alsa-usb-line6-use-the-same-declaration-as-definition-in-header-for-midi-manufacturer-id.patch
+mfd-rtsx_usb-avoid-setting-ucr-current_sg.status.patch
+mfd-atmel-hlcdc-do-not-sleep-in-atomic-context.patch
+mfd-88pm80x-double-shifting-bug-in-suspend-resume.patch
+mfd-wm8350-i2c-make-sure-the-i2c-regmap-functions-are-compiled.patch
+xen-x86-update-topology-map-for-pv-vcpus.patch
+kvm-ppc-book3s-pr-allow-access-to-unprivileged-mmcr2-register.patch
+kvm-mips-drop-other-cpu-asids-on-guest-mmu-changes.patch
+kvm-arm64-require-in-kernel-irqchip-for-pmu-support.patch
+kvm-arm-arm64-vgic-don-t-flush-sync-without-a-working-vgic.patch
+kvm-ppc-booke-fix-a-sanity-check.patch
+arm64-fix-dump_backtrace-unwind_frame-with-null-tsk.patch
+x86-boot-fix-kdump-cleanup-aborted-e820_pram-max_pfn-manipulation.patch
+x86-irq-prevent-force-migration-of-irqs-which-are-not-in-the-vector-domain.patch
+x86-pkeys-make-protection-keys-an-eager-feature.patch
+x86-apic-get-rid-of-apic_version-array.patch
+arch-x86-handle-non-enumerated-cpu-after-physical-hotplug.patch
+x86-mm-pkeys-do-not-skip-pkru-register-if-debug-registers-are-not-used.patch
+x86-dumpstack-fix-x86_32-kernel_stack_pointer-previous-stack-access.patch
+arm-dts-mvebu-armada-390-add-missing-compatibility-string-and-bracket.patch
+arm-dts-msm8064-remove-flags-from-spmi-mpp-irqs.patch
+arm-cpuidle-fix-error-return-code.patch
diff --git a/queue-4.7/usb-dwc3-fix-clear-stall-ep-command-failure.patch b/queue-4.7/usb-dwc3-fix-clear-stall-ep-command-failure.patch
new file mode 100644 (file)
index 0000000..b9fab91
--- /dev/null
@@ -0,0 +1,45 @@
+From 5e6c88d28ccbe72bedee1fbf4f9fea4764208598 Mon Sep 17 00:00:00 2001
+From: Lu Baolu <baolu.lu@linux.intel.com>
+Date: Fri, 9 Sep 2016 12:51:27 +0800
+Subject: usb: dwc3: fix Clear Stall EP command failure
+
+From: Lu Baolu <baolu.lu@linux.intel.com>
+
+commit 5e6c88d28ccbe72bedee1fbf4f9fea4764208598 upstream.
+
+Commit 50c763f8c1bac ("usb: dwc3: Set the ClearPendIN bit on Clear
+Stall EP command") sets ClearPendIN bit for all IN endpoints of
+v2.60a+ cores. This causes ClearStall command fails on 2.60+ cores
+operating in HighSpeed mode.
+
+In page 539 of 2.60a specification:
+
+"When issuing Clear Stall command for IN endpoints in SuperSpeed
+mode, the software must set the "ClearPendIN" bit to '1' to
+clear any pending IN transcations, so that the device does not
+expect any ACK TP from the host for the data sent earlier."
+
+It's obvious that we only need to apply this rule to those IN
+endpoints that currently operating in SuperSpeed mode.
+
+Fixes: 50c763f8c1bac ("usb: dwc3: Set the ClearPendIN bit on Clear Stall EP command")
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/gadget.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -363,7 +363,8 @@ static int dwc3_send_clear_stall_ep_cmd(
+        * IN transfers due to a mishandled error condition. Synopsys
+        * STAR 9000614252.
+        */
+-      if (dep->direction && (dwc->revision >= DWC3_REVISION_260A))
++      if (dep->direction && (dwc->revision >= DWC3_REVISION_260A) &&
++          (dwc->gadget.speed >= USB_SPEED_SUPER))
+               cmd |= DWC3_DEPCMD_CLEARPENDIN;
+       memset(&params, 0, sizeof(params));
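Review bot: The comment above the condition still explains only the revision check (STAR 9000614252) and says nothing about the new `dwc->gadget.speed >= USB_SPEED_SUPER` term. I would add a line to it such as `* ClearPendIN applies only to IN endpoints operating in SuperSpeed mode.`, since the commit message shows that setting the bit in HighSpeed mode makes the command fail. The comment and the function body begin outside the hunk.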
diff --git a/queue-4.7/x86-apic-get-rid-of-apic_version-array.patch b/queue-4.7/x86-apic-get-rid-of-apic_version-array.patch
new file mode 100644 (file)
index 0000000..2586095
--- /dev/null
@@ -0,0 +1,206 @@
+From cff9ab2b291e64259d97add48fe073c081afe4e2 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <dvlasenk@redhat.com>
+Date: Tue, 13 Sep 2016 20:12:32 +0200
+Subject: x86/apic: Get rid of apic_version[] array
+
+From: Denys Vlasenko <dvlasenk@redhat.com>
+
+commit cff9ab2b291e64259d97add48fe073c081afe4e2 upstream.
+
+The array has a size of MAX_LOCAL_APIC, which can be as large as 32k, so it
+can consume up to 128k.
+
+The array has been there forever and was never used for anything useful
+other than a version mismatch check which was introduced in 2009.
+
+There is no reason to store the version in an array. The kernel is not
+prepared to handle different APIC versions anyway, so the real important
+part is to detect a version mismatch and warn about it, which can be done
+with a single variable as well.
+
+[ tglx: Massaged changelog ]
+
+Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
+CC: Andy Lutomirski <luto@amacapital.net>
+CC: Borislav Petkov <bp@alien8.de>
+CC: Brian Gerst <brgerst@gmail.com>
+CC: Mike Travis <travis@sgi.com>
+Link: http://lkml.kernel.org/r/20160913181232.30815-1-dvlasenk@redhat.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/mpspec.h   |    2 +-
+ arch/x86/kernel/acpi/boot.c     |    2 +-
+ arch/x86/kernel/apic/apic.c     |   17 +++++++----------
+ arch/x86/kernel/apic/io_apic.c  |    4 ++--
+ arch/x86/kernel/apic/probe_32.c |    2 +-
+ arch/x86/kernel/smpboot.c       |   10 +++++-----
+ 6 files changed, 17 insertions(+), 20 deletions(-)
+
+--- a/arch/x86/include/asm/mpspec.h
++++ b/arch/x86/include/asm/mpspec.h
+@@ -6,7 +6,6 @@
+ #include <asm/x86_init.h>
+ #include <asm/apicdef.h>
+-extern int apic_version[];
+ extern int pic_mode;
+ #ifdef CONFIG_X86_32
+@@ -40,6 +39,7 @@ extern int mp_bus_id_to_type[MAX_MP_BUSS
+ extern DECLARE_BITMAP(mp_bus_not_pci, MAX_MP_BUSSES);
+ extern unsigned int boot_cpu_physical_apicid;
++extern u8 boot_cpu_apic_version;
+ extern unsigned long mp_lapic_addr;
+ #ifdef CONFIG_X86_LOCAL_APIC
+--- a/arch/x86/kernel/acpi/boot.c
++++ b/arch/x86/kernel/acpi/boot.c
+@@ -180,7 +180,7 @@ static int acpi_register_lapic(int id, u
+       }
+       if (boot_cpu_physical_apicid != -1U)
+-              ver = apic_version[boot_cpu_physical_apicid];
++              ver = boot_cpu_apic_version;
+       return generic_processor_info(id, ver);
+ }
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -64,6 +64,8 @@ unsigned disabled_cpus;
+ unsigned int boot_cpu_physical_apicid = -1U;
+ EXPORT_SYMBOL_GPL(boot_cpu_physical_apicid);
++u8 boot_cpu_apic_version;
++
+ /*
+  * The highest APIC ID seen during enumeration.
+  */
+@@ -1790,8 +1792,7 @@ void __init init_apic_mappings(void)
+                * since smp_sanity_check is prepared for such a case
+                * and disable smp mode
+                */
+-              apic_version[new_apicid] =
+-                       GET_APIC_VERSION(apic_read(APIC_LVR));
++              boot_cpu_apic_version = GET_APIC_VERSION(apic_read(APIC_LVR));
+       }
+ }
+@@ -1806,13 +1807,10 @@ void __init register_lapic_address(unsig
+       }
+       if (boot_cpu_physical_apicid == -1U) {
+               boot_cpu_physical_apicid  = read_apic_id();
+-              apic_version[boot_cpu_physical_apicid] =
+-                       GET_APIC_VERSION(apic_read(APIC_LVR));
++              boot_cpu_apic_version = GET_APIC_VERSION(apic_read(APIC_LVR));
+       }
+ }
+-int apic_version[MAX_LOCAL_APIC];
+-
+ /*
+  * Local APIC interrupts
+  */
+@@ -2102,11 +2100,10 @@ int generic_processor_info(int apicid, i
+                          cpu, apicid);
+               version = 0x10;
+       }
+-      apic_version[apicid] = version;
+-      if (version != apic_version[boot_cpu_physical_apicid]) {
++      if (version != boot_cpu_apic_version) {
+               pr_warning("BIOS bug: APIC version mismatch, boot CPU: %x, CPU %d: version %x\n",
+-                      apic_version[boot_cpu_physical_apicid], cpu, version);
++                      boot_cpu_apic_version, cpu, version);
+       }
+       physid_set(apicid, phys_cpu_present_map);
+@@ -2249,7 +2246,7 @@ int __init APIC_init_uniprocessor(void)
+        * Complain if the BIOS pretends there is one.
+        */
+       if (!boot_cpu_has(X86_FEATURE_APIC) &&
+-          APIC_INTEGRATED(apic_version[boot_cpu_physical_apicid])) {
++          APIC_INTEGRATED(boot_cpu_apic_version)) {
+               pr_err("BIOS bug, local APIC 0x%x not detected!...\n",
+                       boot_cpu_physical_apicid);
+               return -1;
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -1592,7 +1592,7 @@ void __init setup_ioapic_ids_from_mpc(vo
+        * no meaning without the serial APIC bus.
+        */
+       if (!(boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
+-              || APIC_XAPIC(apic_version[boot_cpu_physical_apicid]))
++              || APIC_XAPIC(boot_cpu_apic_version))
+               return;
+       setup_ioapic_ids_from_mpc_nocheck();
+ }
+@@ -2422,7 +2422,7 @@ static int io_apic_get_unique_id(int ioa
+ static u8 io_apic_unique_id(int idx, u8 id)
+ {
+       if ((boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) &&
+-          !APIC_XAPIC(apic_version[boot_cpu_physical_apicid]))
++          !APIC_XAPIC(boot_cpu_apic_version))
+               return io_apic_get_unique_id(idx, id);
+       else
+               return id;
+--- a/arch/x86/kernel/apic/probe_32.c
++++ b/arch/x86/kernel/apic/probe_32.c
+@@ -153,7 +153,7 @@ early_param("apic", parse_apic);
+ void __init default_setup_apic_routing(void)
+ {
+-      int version = apic_version[boot_cpu_physical_apicid];
++      int version = boot_cpu_apic_version;
+       if (num_possible_cpus() > 8) {
+               switch (boot_cpu_data.x86_vendor) {
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -676,7 +676,7 @@ wakeup_secondary_cpu_via_nmi(int apicid,
+        * Give the other CPU some time to accept the IPI.
+        */
+       udelay(200);
+-      if (APIC_INTEGRATED(apic_version[boot_cpu_physical_apicid])) {
++      if (APIC_INTEGRATED(boot_cpu_apic_version)) {
+               maxlvt = lapic_get_maxlvt();
+               if (maxlvt > 3)                 /* Due to the Pentium erratum 3AP.  */
+                       apic_write(APIC_ESR, 0);
+@@ -703,7 +703,7 @@ wakeup_secondary_cpu_via_init(int phys_a
+       /*
+        * Be paranoid about clearing APIC errors.
+        */
+-      if (APIC_INTEGRATED(apic_version[phys_apicid])) {
++      if (APIC_INTEGRATED(boot_cpu_apic_version)) {
+               if (maxlvt > 3)         /* Due to the Pentium erratum 3AP.  */
+                       apic_write(APIC_ESR, 0);
+               apic_read(APIC_ESR);
+@@ -742,7 +742,7 @@ wakeup_secondary_cpu_via_init(int phys_a
+        * Determine this based on the APIC version.
+        * If we don't have an integrated APIC, don't send the STARTUP IPIs.
+        */
+-      if (APIC_INTEGRATED(apic_version[phys_apicid]))
++      if (APIC_INTEGRATED(boot_cpu_apic_version))
+               num_starts = 2;
+       else
+               num_starts = 0;
+@@ -980,7 +980,7 @@ static int do_boot_cpu(int apicid, int c
+               /*
+                * Be paranoid about clearing APIC errors.
+               */
+-              if (APIC_INTEGRATED(apic_version[boot_cpu_physical_apicid])) {
++              if (APIC_INTEGRATED(boot_cpu_apic_version)) {
+                       apic_write(APIC_ESR, 0);
+                       apic_read(APIC_ESR);
+               }
+@@ -1235,7 +1235,7 @@ static int __init smp_sanity_check(unsig
+       /*
+        * If we couldn't find a local APIC, then get out of here now!
+        */
+-      if (APIC_INTEGRATED(apic_version[boot_cpu_physical_apicid]) &&
++      if (APIC_INTEGRATED(boot_cpu_apic_version) &&
+           !boot_cpu_has(X86_FEATURE_APIC)) {
+               if (!disable_apic) {
+                       pr_err("BIOS bug, local APIC #%d not detected!...\n",
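Review bot: `boot_cpu_apic_version` is defined in apic.c as a plain writable global, although the only writes visible in this patch are in `init_apic_mappings()` and `register_lapic_address()`, both `__init`. If there is no later writer outside these hunks, I would define it as `u8 boot_cpu_apic_version __ro_after_init;` so the value that every later APIC_INTEGRATED()/APIC_XAPIC() decision depends on cannot be modified after boot. Separately, generic_processor_info() now compares against a variable that stays zero until one of those two functions has run; a comment at the definition stating that ordering assumption would help. Most of the touched functions start or end outside their hunks.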
diff --git a/queue-4.7/x86-boot-fix-kdump-cleanup-aborted-e820_pram-max_pfn-manipulation.patch b/queue-4.7/x86-boot-fix-kdump-cleanup-aborted-e820_pram-max_pfn-manipulation.patch
new file mode 100644 (file)
index 0000000..ba730de
--- /dev/null
@@ -0,0 +1,99 @@
+From 917db484dc6a69969d317b3e57add4208a8d9d42 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Wed, 21 Sep 2016 12:50:45 -0700
+Subject: x86/boot: Fix kdump, cleanup aborted E820_PRAM max_pfn manipulation
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 917db484dc6a69969d317b3e57add4208a8d9d42 upstream.
+
+In commit:
+
+  ec776ef6bbe1 ("x86/mm: Add support for the non-standard protected e820 type")
+
+Christoph references the original patch I wrote implementing pmem support.
+The intent of the 'max_pfn' changes in that commit were to enable persistent
+memory ranges to be covered by the struct page memmap by default.
+
+However, that approach was abandoned when Christoph ported the patches [1], and
+that functionality has since been replaced by devm_memremap_pages().
+
+In the meantime, this max_pfn manipulation is confusing kdump [2] that
+assumes that everything covered by the max_pfn is "System RAM".  This
+results in kdump hanging or crashing.
+
+ [1]: https://lists.01.org/pipermail/linux-nvdimm/2015-March/000348.html
+ [2]: https://bugzilla.redhat.com/show_bug.cgi?id=1351098
+
+So fix it.
+
+Reported-by: Zhang Yi <yizhan@redhat.com>
+Reported-by: Jeff Moyer <jmoyer@redhat.com>
+Tested-by: Zhang Yi <yizhan@redhat.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Boaz Harrosh <boaz@plexistor.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-nvdimm@lists.01.org
+Fixes: ec776ef6bbe1 ("x86/mm: Add support for the non-standard protected e820 type")
+Link: http://lkml.kernel.org/r/147448744538.34910.11287693517367139607.stgit@dwillia2-desk3.amr.corp.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/e820.c |   14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/kernel/e820.c
++++ b/arch/x86/kernel/e820.c
+@@ -348,7 +348,7 @@ int __init sanitize_e820_map(struct e820
+                * continue building up new bios map based on this
+                * information
+                */
+-              if (current_type != last_type || current_type == E820_PRAM) {
++              if (current_type != last_type) {
+                       if (last_type != 0)      {
+                               new_bios[new_bios_entry].size =
+                                       change_point[chgidx]->addr - last_addr;
+@@ -754,7 +754,7 @@ u64 __init early_reserve_e820(u64 size,
+ /*
+  * Find the highest page frame number we have available
+  */
+-static unsigned long __init e820_end_pfn(unsigned long limit_pfn)
++static unsigned long __init e820_end_pfn(unsigned long limit_pfn, unsigned type)
+ {
+       int i;
+       unsigned long last_pfn = 0;
+@@ -765,11 +765,7 @@ static unsigned long __init e820_end_pfn
+               unsigned long start_pfn;
+               unsigned long end_pfn;
+-              /*
+-               * Persistent memory is accounted as ram for purposes of
+-               * establishing max_pfn and mem_map.
+-               */
+-              if (ei->type != E820_RAM && ei->type != E820_PRAM)
++              if (ei->type != type)
+                       continue;
+               start_pfn = ei->addr >> PAGE_SHIFT;
+@@ -794,12 +790,12 @@ static unsigned long __init e820_end_pfn
+ }
+ unsigned long __init e820_end_of_ram_pfn(void)
+ {
+-      return e820_end_pfn(MAX_ARCH_PFN);
++      return e820_end_pfn(MAX_ARCH_PFN, E820_RAM);
+ }
+ unsigned long __init e820_end_of_low_ram_pfn(void)
+ {
+-      return e820_end_pfn(1UL << (32-PAGE_SHIFT));
++      return e820_end_pfn(1UL << (32 - PAGE_SHIFT), E820_RAM);
+ }
+ static void early_panic(char *msg)
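Review bot: In the `e820_end_pfn()` hunks the removed comment was the only explanation of the type filter, and the replacement `if (ei->type != type)` and the new `type` parameter are left undocumented; the header comment still reads only "Find the highest page frame number we have available". I would extend it to something like `/* Find the highest page frame number of the given e820 @type; callers pass E820_RAM so max_pfn covers only System RAM */`, which records the invariant the commit message says kdump relies on. The parameter is also declared as bare `unsigned`; `unsigned int type` is the usual kernel spelling. Parts of the e820_end_pfn() body lie outside the hunks shown.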
diff --git a/queue-4.7/x86-dumpstack-fix-x86_32-kernel_stack_pointer-previous-stack-access.patch b/queue-4.7/x86-dumpstack-fix-x86_32-kernel_stack_pointer-previous-stack-access.patch
new file mode 100644 (file)
index 0000000..d5e50f3
--- /dev/null
@@ -0,0 +1,67 @@
+From 72b4f6a5e903b071f2a7c4eb1418cbe4eefdc344 Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Thu, 18 Aug 2016 10:59:06 -0500
+Subject: x86/dumpstack: Fix x86_32 kernel_stack_pointer() previous stack access
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+commit 72b4f6a5e903b071f2a7c4eb1418cbe4eefdc344 upstream.
+
+On x86_32, when an interrupt happens from kernel space, SS and SP aren't
+pushed and the existing stack is used.  So pt_regs is effectively two
+words shorter, and the previous stack pointer is normally the memory
+after the shortened pt_regs, aka '&regs->sp'.
+
+But in the rare case where the interrupt hits right after the stack
+pointer has been changed to point to an empty stack, like for example
+when call_on_stack() is used, the address immediately after the
+shortened pt_regs is no longer on the stack.  In that case, instead of
+'&regs->sp', the previous stack pointer should be retrieved from the
+beginning of the current stack page.
+
+kernel_stack_pointer() wants to do that, but it forgets to dereference
+the pointer.  So instead of returning a pointer to the previous stack,
+it returns a pointer to the beginning of the current stack.
+
+Note that it's probably outside of kernel_stack_pointer()'s scope to be
+switching stacks at all.  The x86_64 version of this function doesn't do
+it, and it would be better for the caller to do it if necessary.  But
+that's a patch for another day.  This just fixes the original intent.
+
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Byungchul Park <byungchul.park@lge.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Nilay Vaish <nilayvaish@gmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 0788aa6a23cb ("x86: Prepare removal of previous_esp from i386 thread_info structure")
+Link: http://lkml.kernel.org/r/472453d6e9f6a2d4ab16aaed4935f43117111566.1471535549.git.jpoimboe@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/ptrace.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/ptrace.c
++++ b/arch/x86/kernel/ptrace.c
+@@ -173,8 +173,8 @@ unsigned long kernel_stack_pointer(struc
+               return sp;
+       prev_esp = (u32 *)(context);
+-      if (prev_esp)
+-              return (unsigned long)prev_esp;
++      if (*prev_esp)
++              return (unsigned long)*prev_esp;
+       return (unsigned long)regs;
+ }
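Review bot: The new `return (unsigned long)*prev_esp;` hands back whatever word sits at the base of the current stack page as a stack pointer, guarded only by a non-zero test. Nothing in the hunk checks that the value points into a known stack, so the fix depends on every stack that can reach this path having a valid previous-stack pointer stored in its first word. That matches the call_on_stack() case described in the commit message, but the code that stores the value is not visible here and is worth confirming. A comment above the dereference would state the assumption, e.g. `/* first word of the stack page holds the previous stack pointer; 0 means none was recorded */`. The start of kernel_stack_pointer(), including how `context` is computed, is outside the hunk.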
diff --git a/queue-4.7/x86-irq-prevent-force-migration-of-irqs-which-are-not-in-the-vector-domain.patch b/queue-4.7/x86-irq-prevent-force-migration-of-irqs-which-are-not-in-the-vector-domain.patch
new file mode 100644 (file)
index 0000000..1ed26e4
--- /dev/null
@@ -0,0 +1,84 @@
+From db91aa793ff984ac048e199ea1c54202543952fe Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Mon, 3 Oct 2016 13:17:08 +0300
+Subject: x86/irq: Prevent force migration of irqs which are not in the vector domain
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit db91aa793ff984ac048e199ea1c54202543952fe upstream.
+
+When a CPU is about to be offlined we call fixup_irqs() that resets IRQ
+affinities related to the CPU in question. The same thing is also done when
+the system is suspended to S-states like S3 (mem).
+
+For each IRQ we try to complete any on-going move regardless whether the
+IRQ is actually part of x86_vector_domain. For each IRQ descriptor we fetch
+its chip_data, assume it is of type struct apic_chip_data and manipulate it
+by clearing old_domain mask etc. For irq_chips that are not part of the
+x86_vector_domain, like those created by various GPIO drivers, will find
+their chip_data being changed unexpectly.
+
+Below is an example where GPIO chip owned by pinctrl-sunrisepoint.c gets
+corrupted after resume:
+
+  # cat /sys/kernel/debug/gpio
+  gpiochip0: GPIOs 360-511, parent: platform/INT344B:00, INT344B:00:
+   gpio-511 (                    |sysfs               ) in  hi
+
+  # rtcwake -s10 -mmem
+  <10 seconds passes>
+
+  # cat /sys/kernel/debug/gpio
+  gpiochip0: GPIOs 360-511, parent: platform/INT344B:00, INT344B:00:
+   gpio-511 (                    |sysfs               ) in  ?
+
+Note '?' in the output. It means the struct gpio_chip ->get function is
+NULL whereas before suspend it was there.
+
+Fix this by first checking that the IRQ belongs to x86_vector_domain before
+we try to use the chip_data as struct apic_chip_data.
+
+Reported-and-tested-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Link: http://lkml.kernel.org/r/20161003101708.34795-1-mika.westerberg@linux.intel.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/vector.c |   23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/apic/vector.c
++++ b/arch/x86/kernel/apic/vector.c
+@@ -661,11 +661,28 @@ void irq_complete_move(struct irq_cfg *c
+  */
+ void irq_force_complete_move(struct irq_desc *desc)
+ {
+-      struct irq_data *irqdata = irq_desc_get_irq_data(desc);
+-      struct apic_chip_data *data = apic_chip_data(irqdata);
+-      struct irq_cfg *cfg = data ? &data->cfg : NULL;
++      struct irq_data *irqdata;
++      struct apic_chip_data *data;
++      struct irq_cfg *cfg;
+       unsigned int cpu;
++      /*
++       * The function is called for all descriptors regardless of which
++       * irqdomain they belong to. For example if an IRQ is provided by
++       * an irq_chip as part of a GPIO driver, the chip data for that
++       * descriptor is specific to the irq_chip in question.
++       *
++       * Check first that the chip_data is what we expect
++       * (apic_chip_data) before touching it any further.
++       */
++      irqdata = irq_domain_get_irq_data(x86_vector_domain,
++                                        irq_desc_get_irq(desc));
++      if (!irqdata)
++              return;
++
++      data = apic_chip_data(irqdata);
++      cfg = data ? &data->cfg : NULL;
++
+       if (!cfg)
+               return;
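Review bot: The NULL test in the new `irq_force_complete_move()` prologue goes through `cfg`, which is the address of a member: `cfg = data ? &data->cfg : NULL;` followed by `if (!cfg) return;`. Testing the pointer that can actually be NULL reads more directly, `if (!data) return;` then `cfg = &data->cfg;`, and keeps the domain check and the chip-data check visibly parallel. Other places that treat chip_data as `struct apic_chip_data` are outside this hunk and may deserve the same domain check. The function body continues past the end of the hunk.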
diff --git a/queue-4.7/x86-mm-pkeys-do-not-skip-pkru-register-if-debug-registers-are-not-used.patch b/queue-4.7/x86-mm-pkeys-do-not-skip-pkru-register-if-debug-registers-are-not-used.patch
new file mode 100644 (file)
index 0000000..eb1b406
--- /dev/null
@@ -0,0 +1,49 @@
+From ba6d018e3d2f6a0fad58a668cadf66b2d1f80f59 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
+Date: Sat, 10 Sep 2016 20:30:45 +0200
+Subject: x86/mm/pkeys: Do not skip PKRU register if debug registers are not used
+
+From: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
+
+commit ba6d018e3d2f6a0fad58a668cadf66b2d1f80f59 upstream.
+
+__show_regs() fails to dump the PKRU state when the debug registers are in
+their default state because there is a return statement on the debug
+register state.
+
+Change the logic to report PKRU value even when debug registers are in
+their default state.
+
+Fixes:c0b17b5bd4b7 ("x86/mm/pkeys: Dump PKRU with other kernel registers")
+Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
+Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
+Link: http://lkml.kernel.org/r/20160910183045.4618-1-nicolas.iooss_linux@m4x.org
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/process_64.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kernel/process_64.c
++++ b/arch/x86/kernel/process_64.c
+@@ -110,12 +110,13 @@ void __show_regs(struct pt_regs *regs, i
+       get_debugreg(d7, 7);
+       /* Only print out debug registers if they are in their non-default state. */
+-      if ((d0 == 0) && (d1 == 0) && (d2 == 0) && (d3 == 0) &&
+-          (d6 == DR6_RESERVED) && (d7 == 0x400))
+-              return;
+-
+-      printk(KERN_DEFAULT "DR0: %016lx DR1: %016lx DR2: %016lx\n", d0, d1, d2);
+-      printk(KERN_DEFAULT "DR3: %016lx DR6: %016lx DR7: %016lx\n", d3, d6, d7);
++      if (!((d0 == 0) && (d1 == 0) && (d2 == 0) && (d3 == 0) &&
++          (d6 == DR6_RESERVED) && (d7 == 0x400))) {
++              printk(KERN_DEFAULT "DR0: %016lx DR1: %016lx DR2: %016lx\n",
++                     d0, d1, d2);
++              printk(KERN_DEFAULT "DR3: %016lx DR6: %016lx DR7: %016lx\n",
++                     d3, d6, d7);
++      }
+       if (boot_cpu_has(X86_FEATURE_OSPKE))
+               printk(KERN_DEFAULT "PKRU: %08x\n", read_pkru());
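Review bot: The rewritten condition in `__show_regs()` still compares `d7` against the bare constant `0x400`, and wrapping the whole test in `!( ... )` makes the default-state check harder to read than the early return it replaces. A short comment would help, for example `/* 0x400: DR7 reset value, bit 10 always reads as 1 */`. Alternatively the test could be hoisted into a local such as `bool dr_default = ...;` so the condition reads `if (!dr_default)`. The continuation line `(d6 == DR6_RESERVED) ...` would also sit better aligned under the inner parenthesis. __show_regs() starts and ends outside the hunk.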
diff --git a/queue-4.7/x86-pkeys-make-protection-keys-an-eager-feature.patch b/queue-4.7/x86-pkeys-make-protection-keys-an-eager-feature.patch
new file mode 100644 (file)
index 0000000..2aeef70
--- /dev/null
@@ -0,0 +1,55 @@
+From d4b05923f579c234137317cdf9a5eb69ddab76d1 Mon Sep 17 00:00:00 2001
+From: Dave Hansen <dave.hansen@intel.com>
+Date: Fri, 7 Oct 2016 09:23:42 -0700
+Subject: x86/pkeys: Make protection keys an "eager" feature
+
+From: Dave Hansen <dave.hansen@intel.com>
+
+commit d4b05923f579c234137317cdf9a5eb69ddab76d1 upstream.
+
+Our XSAVE features are divided into two categories: those that
+generate FPU exceptions, and those that do not.  MPX and pkeys do
+not generate FPU exceptions and thus can not be used lazily.  We
+disable them when lazy mode is forced on.
+
+We have a pair of masks to collect these two sets of features, but
+XFEATURE_MASK_PKRU was added to the wrong mask: XFEATURE_MASK_LAZY.
+Fix it by moving the feature to XFEATURE_MASK_EAGER.
+
+Note: this only causes problem if you boot with lazy FPU mode
+(eagerfpu=off) which is *not* the default.  It also only affects
+hardware which is not currently publicly available.  It looks like
+eager mode is going away, but we still need this patch applied
+to any kernel that has protection keys and lazy mode, which is 4.6
+through 4.8 at this point, and 4.9 if the lazy removal isn't sent
+to Linus for 4.9.
+
+Fixes: c8df40098451 ("x86/fpu, x86/mm/pkeys: Add PKRU xsave fields and data structures")
+Signed-off-by: Dave Hansen <dave.hansen@intel.com>
+Cc: Dave Hansen <dave@sr71.net>
+Link: http://lkml.kernel.org/r/20161007162342.28A49813@viggo.jf.intel.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/fpu/xstate.h |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/include/asm/fpu/xstate.h
++++ b/arch/x86/include/asm/fpu/xstate.h
+@@ -24,11 +24,12 @@
+                                XFEATURE_MASK_YMM | \
+                                XFEATURE_MASK_OPMASK | \
+                                XFEATURE_MASK_ZMM_Hi256 | \
+-                               XFEATURE_MASK_Hi16_ZMM  | \
+-                               XFEATURE_MASK_PKRU)
++                               XFEATURE_MASK_Hi16_ZMM)
+ /* Supported features which require eager state saving */
+-#define XFEATURE_MASK_EAGER   (XFEATURE_MASK_BNDREGS | XFEATURE_MASK_BNDCSR)
++#define XFEATURE_MASK_EAGER   (XFEATURE_MASK_BNDREGS | \
++                               XFEATURE_MASK_BNDCSR | \
++                               XFEATURE_MASK_PKRU)
+ /* All currently supported features */
+ #define XCNTXT_MASK   (XFEATURE_MASK_LAZY | XFEATURE_MASK_EAGER)
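Review bot: The comment on `XFEATURE_MASK_EAGER` says only that these features "require eager state saving" and gives no criterion, which makes a misplacement like the one fixed here easy to repeat when the next feature bit is added. The commit message has the rule: features that do not generate FPU exceptions cannot be used lazily. I would put that in the header, e.g. `/* Supported features which require eager state saving: they raise no FPU exception, so they cannot be handled lazily */`. The comment on `XFEATURE_MASK_LAZY`, whose start is outside the hunk, should state the converse.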
diff --git a/queue-4.7/xen-x86-update-topology-map-for-pv-vcpus.patch b/queue-4.7/xen-x86-update-topology-map-for-pv-vcpus.patch
new file mode 100644 (file)
index 0000000..f194078
--- /dev/null
@@ -0,0 +1,52 @@
+From a6a198bc60e6c980a56eca24d33dc7f29139f8ea Mon Sep 17 00:00:00 2001
+From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Date: Wed, 5 Oct 2016 13:09:33 -0400
+Subject: xen/x86: Update topology map for PV VCPUs
+
+From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+
+commit a6a198bc60e6c980a56eca24d33dc7f29139f8ea upstream.
+
+Early during boot topology_update_package_map() computes
+logical_pkg_ids for all present processors.
+
+Later, when processors are brought up, identify_cpu() updates
+these values based on phys_pkg_id which is a function of
+initial_apicid. On PV guests the latter may point to a
+non-existing node, causing logical_pkg_ids to be set to -1.
+
+Intel's RAPL uses logical_pkg_id (as topology_logical_package_id())
+to index its arrays and therefore in this case will point to index
+65535 (since logical_pkg_id is a u16). This could lead to either a
+crash or may actually access random memory location.
+
+As a workaround, we recompute topology during CPU bringup to reset
+logical_pkg_id to a valid value.
+
+(The reason for initial_apicid being bogus is because it is
+initial_apicid of the processor from which the guest is launched.
+This value is CPUID(1).EBX[31:24])
+
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/xen/smp.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/x86/xen/smp.c
++++ b/arch/x86/xen/smp.c
+@@ -87,6 +87,12 @@ static void cpu_bringup(void)
+       cpu_data(cpu).x86_max_cores = 1;
+       set_cpu_sibling_map(cpu);
++      /*
++       * identify_cpu() may have set logical_pkg_id to -1 due
++       * to incorrect phys_proc_id. Let's re-comupte it.
++       */
++      topology_update_package_map(apic->cpu_present_to_apicid(cpu), cpu);
++
+       xen_setup_cpu_clockevents();
+       notify_cpu_starting(cpu);
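Review bot: The added call `topology_update_package_map(apic->cpu_present_to_apicid(cpu), cpu);` in `cpu_bringup()` discards any result, so if the recomputation cannot assign a package id the CPU would presumably keep the `-1` value that the commit message says becomes array index 65535 in RAPL. If the function reports failure (its prototype is not visible here), the result should be checked and at least logged, e.g. `if (topology_update_package_map(...)) pr_warn("CPU %d: no logical package id\n", cpu);`. The new comment also has a typo, `re-comupte`, and names `phys_proc_id` where the commit message speaks of `phys_pkg_id` derived from `initial_apicid`; aligning the wording would help the next reader. cpu_bringup() starts and ends outside the hunk.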