--- /dev/null
+From 1c3c909303924d30145601f47b6c058fdd2cbc2e Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Tue, 16 Aug 2016 18:27:07 -0700
+Subject: ARC: mm: fix build breakage with STRICT_MM_TYPECHECKS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit 1c3c909303924d30145601f47b6c058fdd2cbc2e upstream.
+
+| CC mm/memory.o
+| In file included from ../mm/memory.c:53:0:
+| ../include/linux/pfn_t.h: In function ‘pfn_t_pte’:
+| ../include/linux/pfn_t.h:78:2: error: conversion to non-scalar type requested
+| return pfn_pte(pfn_t_to_pfn(pfn), pgprot);
+
+With STRICT_MM_TYPECHECKS pte_t is a struct and the offending code
+forces a cast which ends up shifting a struct and hence the gcc warning.
+
+Note that in recent past some of the arches (aarch64, s390) made
+STRICT_MM_TYPECHECKS default, but we don't for ARC as this leads to slightly
+worse generated code, given ARC ABI definition of returning structs
+(which pte_t would become)
+
+Quoting from ARC ABI...
+
+ "Results of type struct are returned in a caller-supplied temporary
+ variable whose address is passed in r0.
+ For such functions, the arguments are shifted so that they are
+ passed in r1 and up."
+
+So
+ - struct to be returned would be allocated on stack requiring extra
+ code at call sites
+ - callee updates stack memory to facilitate the return (vs. simple
+ MOV into return reg r0)
+
+Hence STRICT_MM_TYPECHECKS is not enabled by default for ARC
+
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ arch/arc/include/asm/pgtable.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/arc/include/asm/pgtable.h
++++ b/arch/arc/include/asm/pgtable.h
+@@ -277,8 +277,7 @@ static inline void pmd_set(pmd_t *pmdp,
+
+ #define mk_pte(page, prot) pfn_pte(page_to_pfn(page), prot)
+ #define pte_pfn(pte) (pte_val(pte) >> PAGE_SHIFT)
+-#define pfn_pte(pfn, prot) (__pte(((pte_t)(pfn) << PAGE_SHIFT) | \
+- pgprot_val(prot)))
++#define pfn_pte(pfn, prot) (__pte(((pfn) << PAGE_SHIFT) | pgprot_val(prot)))
+ #define __pte_index(addr) (((addr) >> PAGE_SHIFT) & (PTRS_PER_PTE - 1))
+
+ /*
--- /dev/null
+From b00ccf5b684992829610d162e78a7836933a1b19 Mon Sep 17 00:00:00 2001
+From: Keerthy <j-keerthy@ti.com>
+Date: Mon, 20 Jun 2016 09:22:25 +0530
+Subject: ARM: AM43XX: hwmod: Fix RSTST register offset for pruss
+
+From: Keerthy <j-keerthy@ti.com>
+
+commit b00ccf5b684992829610d162e78a7836933a1b19 upstream.
+
+pruss hwmod RSTST register wrongly points to PWRSTCTRL register in case of
+am43xx. Fix the RSTST register offset value.
+
+This can lead to setting of wrong power state values for PER domain.
+
+Fixes: 1c7e224d ("ARM: OMAP2+: hwmod: AM335x: runtime register update")
+Signed-off-by: Keerthy <j-keerthy@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c | 1 +
+ arch/arm/mach-omap2/prcm43xx.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c
++++ b/arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c
+@@ -1474,6 +1474,7 @@ static void omap_hwmod_am43xx_rst(void)
+ {
+ RSTCTRL(am33xx_pruss_hwmod, AM43XX_RM_PER_RSTCTRL_OFFSET);
+ RSTCTRL(am33xx_gfx_hwmod, AM43XX_RM_GFX_RSTCTRL_OFFSET);
++ RSTST(am33xx_pruss_hwmod, AM43XX_RM_PER_RSTST_OFFSET);
+ RSTST(am33xx_gfx_hwmod, AM43XX_RM_GFX_RSTST_OFFSET);
+ }
+
+--- a/arch/arm/mach-omap2/prcm43xx.h
++++ b/arch/arm/mach-omap2/prcm43xx.h
+@@ -39,6 +39,7 @@
+
+ /* RM RSTST offsets */
+ #define AM43XX_RM_GFX_RSTST_OFFSET 0x0014
++#define AM43XX_RM_PER_RSTST_OFFSET 0x0014
+ #define AM43XX_RM_WKUP_RSTST_OFFSET 0x0014
+
+ /* CM instances */
--- /dev/null
+From f065e9e4addd75c21bb976bb2558648bf4f61de6 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <fabio.estevam@nxp.com>
+Date: Wed, 31 Aug 2016 10:56:48 -0300
+Subject: ARM: dts: imx6qdl: Fix SPDIF regression
+
+From: Fabio Estevam <fabio.estevam@nxp.com>
+
+commit f065e9e4addd75c21bb976bb2558648bf4f61de6 upstream.
+
+Commit 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif")
+changed many more clocks than only the SPDIF core clock as stated in
+the commit message.
+
+The MLB clock has been added and this causes SPDIF regression as
+reported by Xavi Drudis Ferran and also in this forum post:
+https://forum.digikey.com/thread/34240
+
+The MX6Q Reference Manual does not mention that MLB is a clock related
+to SPDIF, so change it back to a dummy clock to restore SPDIF
+functionality.
+
+Thanks to Ambika for providing the fix at:
+https://community.nxp.com/thread/387131
+
+Fixes: 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif")
+Reported-by: Xavi Drudis Ferran <xdrudis@tinet.cat>
+Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
+Tested-by: Xavi Drudis Ferran <xdrudis@tinet.cat>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/imx6qdl.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/imx6qdl.dtsi
++++ b/arch/arm/boot/dts/imx6qdl.dtsi
+@@ -221,7 +221,7 @@
+ clocks = <&clks IMX6QDL_CLK_SPDIF_GCLK>, <&clks IMX6QDL_CLK_OSC>,
+ <&clks IMX6QDL_CLK_SPDIF>, <&clks IMX6QDL_CLK_ASRC>,
+ <&clks IMX6QDL_CLK_DUMMY>, <&clks IMX6QDL_CLK_ESAI_EXTAL>,
+- <&clks IMX6QDL_CLK_IPG>, <&clks IMX6QDL_CLK_MLB>,
++ <&clks IMX6QDL_CLK_IPG>, <&clks IMX6QDL_CLK_DUMMY>,
+ <&clks IMX6QDL_CLK_DUMMY>, <&clks IMX6QDL_CLK_SPBA>;
+ clock-names = "core", "rxtx0",
+ "rxtx1", "rxtx2",
--- /dev/null
+From 5e0568dfbfb8c13cdb69c9fd06d600593ad4b430 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 15 Aug 2016 09:10:45 -0700
+Subject: ARM: dts: overo: fix gpmc nand cs0 range
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 5e0568dfbfb8c13cdb69c9fd06d600593ad4b430 upstream.
+
+The gpmc ranges property for NAND at CS0 has been broken since it was
+first added.
+
+This currently prevents the nand gpmc child node from being probed:
+
+ omap-gpmc 6e000000.gpmc: /ocp/gpmc@6e000000/nand@0,0 has
+ malformed 'reg' property
+
+and consequently the NAND device from being registered.
+
+Fixes: 98ce6007efb4 ("ARM: dts: overo: Support PoP NAND")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/omap3-overo-base.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/omap3-overo-base.dtsi
++++ b/arch/arm/boot/dts/omap3-overo-base.dtsi
+@@ -223,7 +223,7 @@
+ };
+
+ &gpmc {
+- ranges = <0 0 0x00000000 0x20000000>;
++ ranges = <0 0 0x30000000 0x1000000>; /* CS0 */
+
+ nand@0,0 {
+ linux,mtd-name= "micron,mt29c4g96maz";
--- /dev/null
+From 153b58ea932b2d0642fa5cd41c93bb0555f3f09b Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 15 Aug 2016 09:10:49 -0700
+Subject: ARM: dts: overo: fix gpmc nand on boards with ethernet
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 153b58ea932b2d0642fa5cd41c93bb0555f3f09b upstream.
+
+The gpmc ranges property for NAND at CS0 was being overridden by later
+includes that defined gpmc ethernet nodes, effectively breaking NAND on
+these systems:
+
+ omap-gpmc 6e000000.gpmc: /ocp/gpmc@6e000000/nand@0,0 has
+ malformed 'reg' property
+
+Instead of redefining the NAND range in every such dtsi, define all
+currently used ranges in omap3-overo-base.dtsi.
+
+Fixes: 98ce6007efb4 ("ARM: dts: overo: Support PoP NAND")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/omap3-overo-base.dtsi | 4 +++-
+ arch/arm/boot/dts/omap3-overo-chestnut43-common.dtsi | 2 --
+ arch/arm/boot/dts/omap3-overo-tobi-common.dtsi | 2 --
+ arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi | 3 ---
+ 4 files changed, 3 insertions(+), 8 deletions(-)
+
+--- a/arch/arm/boot/dts/omap3-overo-base.dtsi
++++ b/arch/arm/boot/dts/omap3-overo-base.dtsi
+@@ -223,7 +223,9 @@
+ };
+
+ &gpmc {
+- ranges = <0 0 0x30000000 0x1000000>; /* CS0 */
++ ranges = <0 0 0x30000000 0x1000000>, /* CS0 */
++ <4 0 0x2b000000 0x1000000>, /* CS4 */
++ <5 0 0x2c000000 0x1000000>; /* CS5 */
+
+ nand@0,0 {
+ linux,mtd-name= "micron,mt29c4g96maz";
+--- a/arch/arm/boot/dts/omap3-overo-chestnut43-common.dtsi
++++ b/arch/arm/boot/dts/omap3-overo-chestnut43-common.dtsi
+@@ -55,8 +55,6 @@
+ #include "omap-gpmc-smsc9221.dtsi"
+
+ &gpmc {
+- ranges = <5 0 0x2c000000 0x1000000>; /* CS5 */
+-
+ ethernet@gpmc {
+ reg = <5 0 0xff>;
+ interrupt-parent = <&gpio6>;
+--- a/arch/arm/boot/dts/omap3-overo-tobi-common.dtsi
++++ b/arch/arm/boot/dts/omap3-overo-tobi-common.dtsi
+@@ -27,8 +27,6 @@
+ #include "omap-gpmc-smsc9221.dtsi"
+
+ &gpmc {
+- ranges = <5 0 0x2c000000 0x1000000>; /* CS5 */
+-
+ ethernet@gpmc {
+ reg = <5 0 0xff>;
+ interrupt-parent = <&gpio6>;
+--- a/arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi
++++ b/arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi
+@@ -15,9 +15,6 @@
+ #include "omap-gpmc-smsc9221.dtsi"
+
+ &gpmc {
+- ranges = <4 0 0x2b000000 0x1000000>, /* CS4 */
+- <5 0 0x2c000000 0x1000000>; /* CS5 */
+-
+ smsc1: ethernet@gpmc {
+ reg = <5 0 0xff>;
+ interrupt-parent = <&gpio6>;
--- /dev/null
+From 78567f135d9bbbaf4538f63656d3e4d957c35fe9 Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee.jones@linaro.org>
+Date: Thu, 8 Sep 2016 11:11:00 +0200
+Subject: ARM: dts: STiH407-family: Provide interconnect clock for consumption in ST SDHCI
+
+From: Lee Jones <lee.jones@linaro.org>
+
+commit 78567f135d9bbbaf4538f63656d3e4d957c35fe9 upstream.
+
+The STiH4{07,10} platform contains some interconnect clocks which are used
+by various IPs. If these clocks aren't handled correctly by ST's SDHCI
+driver MMC will break and the following output can be observed:
+
+[ 13.916949] mmc0: Timeout waiting for hardware interrupt.
+[ 13.922349] sdhci: =========== REGISTER DUMP (mmc0)===========
+[ 13.928175] sdhci: Sys addr: 0x00000000 | Version: 0x00001002
+[ 13.933999] sdhci: Blk size: 0x00007040 | Blk cnt: 0x00000001
+[ 13.939825] sdhci: Argument: 0x00fffff0 | Trn mode: 0x00000013
+[ 13.945650] sdhci: Present: 0x1fff0206 | Host ctl: 0x00000011
+[ 13.951475] sdhci: Power: 0x0000000f | Blk gap: 0x00000080
+[ 13.957300] sdhci: Wake-up: 0x00000000 | Clock: 0x00003f07
+[ 13.963126] sdhci: Timeout: 0x00000004 | Int stat: 0x00000000
+[ 13.968952] sdhci: Int enab: 0x02ff008b | Sig enab: 0x02ff008b
+[ 13.974777] sdhci: AC12 err: 0x00000000 | Slot int: 0x00000000
+[ 13.980602] sdhci: Caps: 0x21ed3281 | Caps_1: 0x00000000
+[ 13.986428] sdhci: Cmd: 0x0000063a | Max curr: 0x00000000
+[ 13.992252] sdhci: Host ctl2: 0x00000000
+[ 13.996166] sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x7c048200
+[ 14.001990] sdhci: ===========================================
+[ 14.009802] mmc0: Got data interrupt 0x02000000 even though no data operation was in progress.
+
+Tested-by: Peter Griffin <peter.griffin@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Acked-by: Patrice Chotard <patrice.chotard@st.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/stih407-family.dtsi | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/boot/dts/stih407-family.dtsi
++++ b/arch/arm/boot/dts/stih407-family.dtsi
+@@ -497,8 +497,9 @@
+ interrupt-names = "mmcirq";
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_mmc0>;
+- clock-names = "mmc";
+- clocks = <&clk_s_c0_flexgen CLK_MMC_0>;
++ clock-names = "mmc", "icn";
++ clocks = <&clk_s_c0_flexgen CLK_MMC_0>,
++ <&clk_s_c0_flexgen CLK_RX_ICN_HVA>;
+ bus-width = <8>;
+ non-removable;
+ };
+@@ -512,8 +513,9 @@
+ interrupt-names = "mmcirq";
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_sd1>;
+- clock-names = "mmc";
+- clocks = <&clk_s_c0_flexgen CLK_MMC_1>;
++ clock-names = "mmc", "icn";
++ clocks = <&clk_s_c0_flexgen CLK_MMC_1>,
++ <&clk_s_c0_flexgen CLK_RX_ICN_HVA>;
+ resets = <&softreset STIH407_MMC1_SOFTRESET>;
+ bus-width = <4>;
+ };
--- /dev/null
+From 7e9d2850a8db4e0d85a20bb692198bf2cc4be3b7 Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee.jones@linaro.org>
+Date: Thu, 8 Sep 2016 11:11:00 +0200
+Subject: ARM: dts: STiH410: Handle interconnect clock required by EHCI/OHCI (USB)
+
+From: Lee Jones <lee.jones@linaro.org>
+
+commit 7e9d2850a8db4e0d85a20bb692198bf2cc4be3b7 upstream.
+
+The STiH4{07,10} platform contains some interconnect clocks which are used
+by various IPs. If this clock isn't handled correctly by ST's EHCI/OHCI
+drivers, their hub won't be found, the following error be shown and the
+result will be non-working USB:
+
+ [ 97.221963] hub 2-1:1.0: hub_ext_port_status failed (err = -110)
+
+Tested-by: Peter Griffin <peter.griffin@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Acked-by: Patrice Chotard <patrice.chotard@st.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/stih410.dtsi | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/boot/dts/stih410.dtsi
++++ b/arch/arm/boot/dts/stih410.dtsi
+@@ -41,7 +41,8 @@
+ compatible = "st,st-ohci-300x";
+ reg = <0x9a03c00 0x100>;
+ interrupts = <GIC_SPI 180 IRQ_TYPE_NONE>;
+- clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
++ clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
++ <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
+ resets = <&powerdown STIH407_USB2_PORT0_POWERDOWN>,
+ <&softreset STIH407_USB2_PORT0_SOFTRESET>;
+ reset-names = "power", "softreset";
+@@ -57,7 +58,8 @@
+ interrupts = <GIC_SPI 151 IRQ_TYPE_NONE>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_usb0>;
+- clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
++ clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
++ <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
+ resets = <&powerdown STIH407_USB2_PORT0_POWERDOWN>,
+ <&softreset STIH407_USB2_PORT0_SOFTRESET>;
+ reset-names = "power", "softreset";
+@@ -71,7 +73,8 @@
+ compatible = "st,st-ohci-300x";
+ reg = <0x9a83c00 0x100>;
+ interrupts = <GIC_SPI 181 IRQ_TYPE_NONE>;
+- clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
++ clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
++ <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
+ resets = <&powerdown STIH407_USB2_PORT1_POWERDOWN>,
+ <&softreset STIH407_USB2_PORT1_SOFTRESET>;
+ reset-names = "power", "softreset";
+@@ -87,7 +90,8 @@
+ interrupts = <GIC_SPI 153 IRQ_TYPE_NONE>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_usb1>;
+- clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
++ clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
++ <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
+ resets = <&powerdown STIH407_USB2_PORT1_POWERDOWN>,
+ <&softreset STIH407_USB2_PORT1_SOFTRESET>;
+ reset-names = "power", "softreset";
--- /dev/null
+From f5a49057c71433e35a4712ab8d8f00641b3e1ec0 Mon Sep 17 00:00:00 2001
+From: Peter Chen <peter.chen@nxp.com>
+Date: Tue, 9 Aug 2016 16:24:43 +0800
+Subject: ARM: imx6: add missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul
+
+From: Peter Chen <peter.chen@nxp.com>
+
+commit f5a49057c71433e35a4712ab8d8f00641b3e1ec0 upstream.
+
+There is a missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul,
+without it, the "standby" mode can't work well, the system can't be
+resumed.
+
+With this commit, the "standby" mode works well.
+
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Cc: Anson Huang <anson.huang@nxp.com>
+Fixes: ee4a5f838c84 ("ARM: imx: add suspend/resume support for i.mx6ul")
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-imx/pm-imx6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/mach-imx/pm-imx6.c
++++ b/arch/arm/mach-imx/pm-imx6.c
+@@ -295,7 +295,7 @@ int imx6_set_lpm(enum mxc_cpu_pwr_mode m
+ val &= ~BM_CLPCR_SBYOS;
+ if (cpu_is_imx6sl())
+ val |= BM_CLPCR_BYPASS_PMIC_READY;
+- if (cpu_is_imx6sl() || cpu_is_imx6sx())
++ if (cpu_is_imx6sl() || cpu_is_imx6sx() || cpu_is_imx6ul())
+ val |= BM_CLPCR_BYP_MMDC_CH0_LPM_HS;
+ else
+ val |= BM_CLPCR_BYP_MMDC_CH1_LPM_HS;
--- /dev/null
+From 8aade778f787305fdbfd3c1d54e6b583601b5902 Mon Sep 17 00:00:00 2001
+From: Anson Huang <Anson.Huang@nxp.com>
+Date: Mon, 22 Aug 2016 23:53:25 +0800
+Subject: ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx
+
+From: Anson Huang <Anson.Huang@nxp.com>
+
+commit 8aade778f787305fdbfd3c1d54e6b583601b5902 upstream.
+
+i.MX6SX has bypass PMIC ready function, as this function
+is normally NOT enabled on the board design, so we need
+to bypass the PMIC ready pin check during DSM mode resume
+flow, otherwise, the internal DSM resume logic will be
+waiting for this signal to be ready forever and cause
+resume fail.
+
+Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
+Fixes: ff843d621bfc ("ARM: imx: add suspend support for i.mx6sx")
+Tested-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-imx/pm-imx6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/mach-imx/pm-imx6.c
++++ b/arch/arm/mach-imx/pm-imx6.c
+@@ -310,7 +310,7 @@ int imx6_set_lpm(enum mxc_cpu_pwr_mode m
+ val |= 0x3 << BP_CLPCR_STBY_COUNT;
+ val |= BM_CLPCR_VSTBY;
+ val |= BM_CLPCR_SBYOS;
+- if (cpu_is_imx6sl())
++ if (cpu_is_imx6sl() || cpu_is_imx6sx())
+ val |= BM_CLPCR_BYPASS_PMIC_READY;
+ if (cpu_is_imx6sl() || cpu_is_imx6sx() || cpu_is_imx6ul())
+ val |= BM_CLPCR_BYP_MMDC_CH0_LPM_HS;
--- /dev/null
+From a778937888867aac17a33887d1c429120790fbc2 Mon Sep 17 00:00:00 2001
+From: Simon Baatz <gmbnomis@gmail.com>
+Date: Fri, 12 Aug 2016 19:12:50 +0200
+Subject: ARM: kirkwood: ib62x0: fix size of u-boot environment partition
+
+From: Simon Baatz <gmbnomis@gmail.com>
+
+commit a778937888867aac17a33887d1c429120790fbc2 upstream.
+
+Commit 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment
+partition") split the "u-boot" partition into "u-boot" and "u-boot
+environment". However, instead of the size of the environment, an offset
+was given, resulting in overlapping partitions.
+
+Signed-off-by: Simon Baatz <gmbnomis@gmail.com>
+Fixes: 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment partition")
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: Andrew Lunn <andrew@lunn.ch>
+Cc: Gregory Clement <gregory.clement@free-electrons.com>
+Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
+Cc: Luka Perkov <luka@openwrt.org>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/kirkwood-ib62x0.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/kirkwood-ib62x0.dts
++++ b/arch/arm/boot/dts/kirkwood-ib62x0.dts
+@@ -113,7 +113,7 @@
+
+ partition@e0000 {
+ label = "u-boot environment";
+- reg = <0xe0000 0x100000>;
++ reg = <0xe0000 0x20000>;
+ };
+
+ partition@100000 {
--- /dev/null
+From b46211d6dcfb81a8af66b8684a42d629183670d4 Mon Sep 17 00:00:00 2001
+From: Sebastian Reichel <sre@kernel.org>
+Date: Fri, 24 Jun 2016 03:59:33 +0200
+Subject: ARM: OMAP3: hwmod data: Add sysc information for DSI
+
+From: Sebastian Reichel <sre@kernel.org>
+
+commit b46211d6dcfb81a8af66b8684a42d629183670d4 upstream.
+
+Add missing sysconfig/sysstatus information
+to OMAP3 hwmod. The information has been
+checked against OMAP34xx and OMAP36xx TRM.
+
+Without this change DSI block is not reset
+during boot, which is required for working
+Nokia N950 display.
+
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-omap2/omap_hwmod_3xxx_data.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
++++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+@@ -723,8 +723,20 @@ static struct omap_hwmod omap3xxx_dss_di
+ * display serial interface controller
+ */
+
++static struct omap_hwmod_class_sysconfig omap3xxx_dsi_sysc = {
++ .rev_offs = 0x0000,
++ .sysc_offs = 0x0010,
++ .syss_offs = 0x0014,
++ .sysc_flags = (SYSC_HAS_AUTOIDLE | SYSC_HAS_CLOCKACTIVITY |
++ SYSC_HAS_ENAWAKEUP | SYSC_HAS_SIDLEMODE |
++ SYSC_HAS_SOFTRESET | SYSS_HAS_RESET_STATUS),
++ .idlemodes = (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART),
++ .sysc_fields = &omap_hwmod_sysc_type1,
++};
++
+ static struct omap_hwmod_class omap3xxx_dsi_hwmod_class = {
+ .name = "dsi",
++ .sysc = &omap3xxx_dsi_sysc,
+ };
+
+ static struct omap_hwmod_irq_info omap3xxx_dsi1_irqs[] = {
--- /dev/null
+From 872c63fbf9e153146b07f0cece4da0d70b283eeb Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Mon, 5 Sep 2016 11:56:05 +0100
+Subject: arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb()
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 872c63fbf9e153146b07f0cece4da0d70b283eeb upstream.
+
+smp_mb__before_spinlock() is intended to upgrade a spin_lock() operation
+to a full barrier, such that prior stores are ordered with respect to
+loads and stores occuring inside the critical section.
+
+Unfortunately, the core code defines the barrier as smp_wmb(), which
+is insufficient to provide the required ordering guarantees when used in
+conjunction with our load-acquire-based spinlock implementation.
+
+This patch overrides the arm64 definition of smp_mb__before_spinlock()
+to map to a full smp_mb().
+
+Cc: Peter Zijlstra <peterz@infradead.org>
+Reported-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/spinlock.h | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/arm64/include/asm/spinlock.h
++++ b/arch/arm64/include/asm/spinlock.h
+@@ -312,4 +312,14 @@ static inline int arch_read_trylock(arch
+ #define arch_read_relax(lock) cpu_relax()
+ #define arch_write_relax(lock) cpu_relax()
+
++/*
++ * Accesses appearing in program order before a spin_lock() operation
++ * can be reordered with accesses inside the critical section, by virtue
++ * of arch_spin_lock being constructed using acquire semantics.
++ *
++ * In cases where this is problematic (e.g. try_to_wake_up), an
++ * smp_mb__before_spinlock() can restore the required ordering.
++ */
++#define smp_mb__before_spinlock() smp_mb()
++
+ #endif /* __ASM_SPINLOCK_H */
--- /dev/null
+From 7711aaf08ad3fc4d0e937eec1de0a63620444ce7 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Fri, 19 Aug 2016 13:37:46 +0300
+Subject: ath9k: fix using sta->drv_priv before initializing it
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 7711aaf08ad3fc4d0e937eec1de0a63620444ce7 upstream.
+
+A station pointer can be passed to the driver on tx, before it has been
+marked as associated. Since ath9k_sta_state was initializing the entry
+too late, it resulted in some spurious crashes.
+
+Fixes: df3c6eb34da5 ("ath9k: Use sta_state() callback")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -1550,13 +1550,13 @@ static int ath9k_sta_state(struct ieee80
+ struct ath_common *common = ath9k_hw_common(sc->sc_ah);
+ int ret = 0;
+
+- if (old_state == IEEE80211_STA_AUTH &&
+- new_state == IEEE80211_STA_ASSOC) {
++ if (old_state == IEEE80211_STA_NOTEXIST &&
++ new_state == IEEE80211_STA_NONE) {
+ ret = ath9k_sta_add(hw, vif, sta);
+ ath_dbg(common, CONFIG,
+ "Add station: %pM\n", sta->addr);
+- } else if (old_state == IEEE80211_STA_ASSOC &&
+- new_state == IEEE80211_STA_AUTH) {
++ } else if (old_state == IEEE80211_STA_NONE &&
++ new_state == IEEE80211_STA_NOTEXIST) {
+ ret = ath9k_sta_remove(hw, vif, sta);
+ ath_dbg(common, CONFIG,
+ "Remove station: %pM\n", sta->addr);
--- /dev/null
+From 5efc244346f9f338765da3d592f7947b0afdc4b5 Mon Sep 17 00:00:00 2001
+From: Mateusz Guzik <mguzik@redhat.com>
+Date: Tue, 23 Aug 2016 16:20:39 +0200
+Subject: audit: fix exe_file access in audit_exe_compare
+
+From: Mateusz Guzik <mguzik@redhat.com>
+
+commit 5efc244346f9f338765da3d592f7947b0afdc4b5 upstream.
+
+Prior to the change the function would blindly deference mm, exe_file
+and exe_file->f_inode, each of which could have been NULL or freed.
+
+Use get_task_exe_file to safely obtain stable exe_file.
+
+Signed-off-by: Mateusz Guzik <mguzik@redhat.com>
+Acked-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/audit_watch.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/kernel/audit_watch.c
++++ b/kernel/audit_watch.c
+@@ -19,6 +19,7 @@
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
++#include <linux/file.h>
+ #include <linux/kernel.h>
+ #include <linux/audit.h>
+ #include <linux/kthread.h>
+@@ -544,10 +545,11 @@ int audit_exe_compare(struct task_struct
+ unsigned long ino;
+ dev_t dev;
+
+- rcu_read_lock();
+- exe_file = rcu_dereference(tsk->mm->exe_file);
++ exe_file = get_task_exe_file(tsk);
++ if (!exe_file)
++ return 0;
+ ino = exe_file->f_inode->i_ino;
+ dev = exe_file->f_inode->i_sb->s_dev;
+- rcu_read_unlock();
++ fput(exe_file);
+ return audit_mark_compare(mark, ino, dev);
+ }
--- /dev/null
+From cbd60aa7cd17d81a434234268c55192862147439 Mon Sep 17 00:00:00 2001
+From: Chris Mason <clm@fb.com>
+Date: Tue, 6 Sep 2016 05:37:40 -0700
+Subject: Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns
+
+From: Chris Mason <clm@fb.com>
+
+commit cbd60aa7cd17d81a434234268c55192862147439 upstream.
+
+We use a btrfs_log_ctx structure to pass information into the
+tree log commit, and get error values out. It gets added to a per
+log-transaction list which we walk when things go bad.
+
+Commit d1433debe added an optimization to skip waiting for the log
+commit, but didn't take root_log_ctx out of the list. This
+patch makes sure we remove things before exiting.
+
+Signed-off-by: Chris Mason <clm@fb.com>
+Fixes: d1433debe7f4346cf9fc0dafc71c3137d2a97bc4
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/tree-log.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -2850,6 +2850,7 @@ int btrfs_sync_log(struct btrfs_trans_ha
+
+ if (log_root_tree->log_transid_committed >= root_log_ctx.log_transid) {
+ blk_finish_plug(&plug);
++ list_del_init(&root_log_ctx.list);
+ mutex_unlock(&log_root_tree->log_mutex);
+ ret = root_log_ctx.log_ret;
+ goto out;
--- /dev/null
+From b7c1beb278e8e3dc664ed3df3fc786db126120a9 Mon Sep 17 00:00:00 2001
+From: Pawel Moll <pawel.moll@arm.com>
+Date: Fri, 5 Aug 2016 15:07:10 +0100
+Subject: bus: arm-ccn: Do not attempt to configure XPs for cycle counter
+
+From: Pawel Moll <pawel.moll@arm.com>
+
+commit b7c1beb278e8e3dc664ed3df3fc786db126120a9 upstream.
+
+Fuzzing the CCN perf driver revealed a small but definitely dangerous
+mistake in the event setup code. When a cycle counter is requested, the
+driver should not reconfigure the events bus at all, otherwise it will
+corrupt (in most but the simplest cases) its configuration and may end
+up accessing XP array out of its bounds and corrupting control
+registers.
+
+Reported-by: Mark Rutland <mark.rutland@arm.com>
+Reviewed-by: Mark Rutland <mark.rutland@arm.com>
+Tested-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Pawel Moll <pawel.moll@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/arm-ccn.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -895,6 +895,10 @@ static void arm_ccn_pmu_xp_dt_config(str
+ struct arm_ccn_component *xp;
+ u32 val, dt_cfg;
+
++ /* Nothing to do for cycle counter */
++ if (hw->idx == CCN_IDX_PMU_CYCLE_COUNTER)
++ return;
++
+ if (CCN_CONFIG_TYPE(event->attr.config) == CCN_TYPE_XP)
+ xp = &ccn->xp[CCN_CONFIG_XP(event->attr.config)];
+ else
--- /dev/null
+From 4e486cba285ff06a1f28f0fc2991dde1482d1dcf Mon Sep 17 00:00:00 2001
+From: Pawel Moll <pawel.moll@arm.com>
+Date: Tue, 2 Aug 2016 16:45:37 +0100
+Subject: bus: arm-ccn: Fix PMU handling of MN
+
+From: Pawel Moll <pawel.moll@arm.com>
+
+commit 4e486cba285ff06a1f28f0fc2991dde1482d1dcf upstream.
+
+The "Miscellaneous Node" fell through cracks of node initialisation,
+as its ID is shared with HN-I.
+
+This patch treats MN as a special case (which it is), adding separate
+validation check for it and pre-defining the node ID in relevant events
+descriptions. That way one can simply run:
+
+ # perf stat -a -e ccn/mn_ecbarrier/ <workload>
+
+Additionally, direction in the MN pseudo-events XP watchpoint
+definitions is corrected to be "TX" (1) as they are defined from the
+crosspoint point of view (thus barriers are transmitted from XP to MN).
+
+Signed-off-by: Pawel Moll <pawel.moll@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/arm-ccn.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -187,6 +187,7 @@ struct arm_ccn {
+ struct arm_ccn_component *xp;
+
+ struct arm_ccn_dt dt;
++ int mn_id;
+ };
+
+
+@@ -326,6 +327,7 @@ struct arm_ccn_pmu_event {
+ static ssize_t arm_ccn_pmu_event_show(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
++ struct arm_ccn *ccn = pmu_to_arm_ccn(dev_get_drvdata(dev));
+ struct arm_ccn_pmu_event *event = container_of(attr,
+ struct arm_ccn_pmu_event, attr);
+ ssize_t res;
+@@ -352,6 +354,9 @@ static ssize_t arm_ccn_pmu_event_show(st
+ res += snprintf(buf + res, PAGE_SIZE - res,
+ ",cmp_l=?,cmp_h=?,mask=?");
+ break;
++ case CCN_TYPE_MN:
++ res += snprintf(buf + res, PAGE_SIZE - res, ",node=%d", ccn->mn_id);
++ break;
+ default:
+ res += snprintf(buf + res, PAGE_SIZE - res, ",node=?");
+ break;
+@@ -381,9 +386,9 @@ static umode_t arm_ccn_pmu_events_is_vis
+ }
+
+ static struct arm_ccn_pmu_event arm_ccn_pmu_events[] = {
+- CCN_EVENT_MN(eobarrier, "dir=0,vc=0,cmp_h=0x1c00", CCN_IDX_MASK_OPCODE),
+- CCN_EVENT_MN(ecbarrier, "dir=0,vc=0,cmp_h=0x1e00", CCN_IDX_MASK_OPCODE),
+- CCN_EVENT_MN(dvmop, "dir=0,vc=0,cmp_h=0x2800", CCN_IDX_MASK_OPCODE),
++ CCN_EVENT_MN(eobarrier, "dir=1,vc=0,cmp_h=0x1c00", CCN_IDX_MASK_OPCODE),
++ CCN_EVENT_MN(ecbarrier, "dir=1,vc=0,cmp_h=0x1e00", CCN_IDX_MASK_OPCODE),
++ CCN_EVENT_MN(dvmop, "dir=1,vc=0,cmp_h=0x2800", CCN_IDX_MASK_OPCODE),
+ CCN_EVENT_HNI(txdatflits, "dir=1,vc=3", CCN_IDX_MASK_ANY),
+ CCN_EVENT_HNI(rxdatflits, "dir=0,vc=3", CCN_IDX_MASK_ANY),
+ CCN_EVENT_HNI(txreqflits, "dir=1,vc=0", CCN_IDX_MASK_ANY),
+@@ -757,6 +762,12 @@ static int arm_ccn_pmu_event_init(struct
+
+ /* Validate node/xp vs topology */
+ switch (type) {
++ case CCN_TYPE_MN:
++ if (node_xp != ccn->mn_id) {
++ dev_warn(ccn->dev, "Invalid MN ID %d!\n", node_xp);
++ return -EINVAL;
++ }
++ break;
+ case CCN_TYPE_XP:
+ if (node_xp >= ccn->num_xps) {
+ dev_warn(ccn->dev, "Invalid XP ID %d!\n", node_xp);
+@@ -1368,6 +1379,8 @@ static int arm_ccn_init_nodes(struct arm
+
+ switch (type) {
+ case CCN_TYPE_MN:
++ ccn->mn_id = id;
++ return 0;
+ case CCN_TYPE_DT:
+ return 0;
+ case CCN_TYPE_XP:
--- /dev/null
+From b928466b2169e061822daad48ecf55b005445547 Mon Sep 17 00:00:00 2001
+From: Pawel Moll <pawel.moll@arm.com>
+Date: Wed, 10 Aug 2016 17:06:26 +0100
+Subject: bus: arm-ccn: Fix XP watchpoint settings bitmask
+
+From: Pawel Moll <pawel.moll@arm.com>
+
+commit b928466b2169e061822daad48ecf55b005445547 upstream.
+
+The code setting XP watchpoint comparator and mask registers should, in
+order to be fully compliant with specification, zero one or more most
+significant bits of each field. In both L cases it means zeroing bit 63.
+The bitmask doing this was wrong, though, zeroing bit 60 instead.
+Fortunately, due to a lucky coincidence, this turned out to be fairly
+innocent with the existing hardware.
+
+Fixed now.
+
+Signed-off-by: Pawel Moll <pawel.moll@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/arm-ccn.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -1001,7 +1001,7 @@ static void arm_ccn_pmu_xp_watchpoint_co
+
+ /* Comparison values */
+ writel(cmp_l & 0xffffffff, source->base + CCN_XP_DT_CMP_VAL_L(wp));
+- writel((cmp_l >> 32) & 0xefffffff,
++ writel((cmp_l >> 32) & 0x7fffffff,
+ source->base + CCN_XP_DT_CMP_VAL_L(wp) + 4);
+ writel(cmp_h & 0xffffffff, source->base + CCN_XP_DT_CMP_VAL_H(wp));
+ writel((cmp_h >> 32) & 0x0fffffff,
+@@ -1009,7 +1009,7 @@ static void arm_ccn_pmu_xp_watchpoint_co
+
+ /* Mask */
+ writel(mask_l & 0xffffffff, source->base + CCN_XP_DT_CMP_MASK_L(wp));
+- writel((mask_l >> 32) & 0xefffffff,
++ writel((mask_l >> 32) & 0x7fffffff,
+ source->base + CCN_XP_DT_CMP_MASK_L(wp) + 4);
+ writel(mask_h & 0xffffffff, source->base + CCN_XP_DT_CMP_MASK_H(wp));
+ writel((mask_h >> 32) & 0x0fffffff,
--- /dev/null
+From 06f4e94898918bcad00cdd4d349313a439d6911e Mon Sep 17 00:00:00 2001
+From: Zefan Li <lizefan@huawei.com>
+Date: Tue, 9 Aug 2016 11:25:01 +0800
+Subject: cpuset: make sure new tasks conform to the current config of the cpuset
+
+From: Zefan Li <lizefan@huawei.com>
+
+commit 06f4e94898918bcad00cdd4d349313a439d6911e upstream.
+
+A new task inherits cpus_allowed and mems_allowed masks from its parent,
+but if someone changes cpuset's config by writing to cpuset.cpus/cpuset.mems
+before this new task is inserted into the cgroup's task list, the new task
+won't be updated accordingly.
+
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cpuset.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/kernel/cpuset.c
++++ b/kernel/cpuset.c
+@@ -2074,6 +2074,20 @@ static void cpuset_bind(struct cgroup_su
+ mutex_unlock(&cpuset_mutex);
+ }
+
++/*
++ * Make sure the new task conform to the current state of its parent,
++ * which could have been changed by cpuset just after it inherits the
++ * state from the parent and before it sits on the cgroup's task list.
++ */
++void cpuset_fork(struct task_struct *task)
++{
++ if (task_css_is_root(task, cpuset_cgrp_id))
++ return;
++
++ set_cpus_allowed_ptr(task, ¤t->cpus_allowed);
++ task->mems_allowed = current->mems_allowed;
++}
++
+ struct cgroup_subsys cpuset_cgrp_subsys = {
+ .css_alloc = cpuset_css_alloc,
+ .css_online = cpuset_css_online,
+@@ -2084,6 +2098,7 @@ struct cgroup_subsys cpuset_cgrp_subsys
+ .attach = cpuset_attach,
+ .post_attach = cpuset_post_attach,
+ .bind = cpuset_bind,
++ .fork = cpuset_fork,
+ .legacy_cftypes = files,
+ .early_init = 1,
+ };
--- /dev/null
+From 0bd2223594a4dcddc1e34b15774a3a4776f7749e Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Thu, 1 Sep 2016 14:25:43 +0100
+Subject: crypto: cryptd - initialize child shash_desc on import
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+commit 0bd2223594a4dcddc1e34b15774a3a4776f7749e upstream.
+
+When calling .import() on a cryptd ahash_request, the structure members
+that describe the child transform in the shash_desc need to be initialized
+like they are when calling .init()
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/cryptd.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/crypto/cryptd.c
++++ b/crypto/cryptd.c
+@@ -594,9 +594,14 @@ static int cryptd_hash_export(struct aha
+
+ static int cryptd_hash_import(struct ahash_request *req, const void *in)
+ {
+- struct cryptd_hash_request_ctx *rctx = ahash_request_ctx(req);
++ struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
++ struct cryptd_hash_ctx *ctx = crypto_ahash_ctx(tfm);
++ struct shash_desc *desc = cryptd_shash_desc(req);
+
+- return crypto_shash_import(&rctx->desc, in);
++ desc->tfm = ctx->child;
++ desc->flags = req->base.flags;
++
++ return crypto_shash_import(desc, in);
+ }
+
+ static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
--- /dev/null
+From 6f38a8b9a45833495dc878c335c5431cd98a16ed Mon Sep 17 00:00:00 2001
+From: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Date: Thu, 18 Aug 2016 17:35:14 +1000
+Subject: cxl: use pcibios_free_controller_deferred() when removing vPHBs
+
+From: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+
+commit 6f38a8b9a45833495dc878c335c5431cd98a16ed upstream.
+
+When cxl removes a vPHB, it's possible that the pci_controller may be freed
+before all references to the devices on the vPHB have been released. This
+in turn causes an invalid memory access when the devices are eventually
+released, as pcibios_release_device() attempts to call the phb's
+release_device hook.
+
+In cxl_pci_vphb_remove(), remove the existing call to
+pcibios_free_controller(). Instead, use
+pcibios_free_controller_deferred() to free the pci_controller after all
+devices have been released. Export pci_set_host_bridge_release() so we can
+do this.
+
+Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Reviewed-by: Matthew R. Ochs <mrochs@linux.vnet.ibm.com>
+Acked-by: Ian Munsie <imunsie@au1.ibm.com>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/cxl/vphb.c | 10 +++++++++-
+ drivers/pci/host-bridge.c | 1 +
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/cxl/vphb.c
++++ b/drivers/misc/cxl/vphb.c
+@@ -258,6 +258,11 @@ int cxl_pci_vphb_add(struct cxl_afu *afu
+ if (phb->bus == NULL)
+ return -ENXIO;
+
++ /* Set release hook on root bus */
++ pci_set_host_bridge_release(to_pci_host_bridge(phb->bus->bridge),
++ pcibios_free_controller_deferred,
++ (void *) phb);
++
+ /* Claim resources. This might need some rework as well depending
+ * whether we are doing probe-only or not, like assigning unassigned
+ * resources etc...
+@@ -293,7 +298,10 @@ void cxl_pci_vphb_remove(struct cxl_afu
+ afu->phb = NULL;
+
+ pci_remove_root_bus(phb->bus);
+- pcibios_free_controller(phb);
++ /*
++ * We don't free phb here - that's handled by
++ * pcibios_free_controller_deferred()
++ */
+ }
+
+ struct cxl_afu *cxl_pci_to_afu(struct pci_dev *dev)
+--- a/drivers/pci/host-bridge.c
++++ b/drivers/pci/host-bridge.c
+@@ -44,6 +44,7 @@ void pci_set_host_bridge_release(struct
+ bridge->release_fn = release_fn;
+ bridge->release_data = release_data;
+ }
++EXPORT_SYMBOL_GPL(pci_set_host_bridge_release);
+
+ void pcibios_resource_to_bus(struct pci_bus *bus, struct pci_bus_region *region,
+ struct resource *res)
--- /dev/null
+From 4e870e948fbabf62b78e8410f04c67703e7c816b Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 30 Aug 2016 16:38:42 -0400
+Subject: dm crypt: fix error with too large bios
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 4e870e948fbabf62b78e8410f04c67703e7c816b upstream.
+
+When dm-crypt processes writes, it allocates a new bio in
+crypt_alloc_buffer(). The bio is allocated from a bio set and it can
+have at most BIO_MAX_PAGES vector entries, however the incoming bio can be
+larger (e.g. if it was allocated by bcache). If the incoming bio is
+larger, bio_alloc_bioset() fails and an error is returned.
+
+To avoid the error, we test for a too large bio in the function
+crypt_map() and use dm_accept_partial_bio() to split the bio.
+dm_accept_partial_bio() trims the current bio to the desired size and
+asks DM core to send another bio with the rest of the data.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-crypt.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -1920,6 +1920,13 @@ static int crypt_map(struct dm_target *t
+ return DM_MAPIO_REMAPPED;
+ }
+
++ /*
++ * Check if bio is too large, split as needed.
++ */
++ if (unlikely(bio->bi_iter.bi_size > (BIO_MAX_PAGES << PAGE_SHIFT)) &&
++ bio_data_dir(bio) == WRITE)
++ dm_accept_partial_bio(bio, ((BIO_MAX_PAGES << PAGE_SHIFT) >> SECTOR_SHIFT));
++
+ io = dm_per_bio_data(bio, cc->per_bio_data_size);
+ crypt_io_init(io, cc, bio, dm_target_offset(ti, bio->bi_iter.bi_sector));
+ io->ctx.req = (struct ablkcipher_request *)(io + 1);
--- /dev/null
+From 299f6230bc6d0ccd5f95bb0fb865d80a9c7d5ccc Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Wed, 24 Aug 2016 21:12:58 -0400
+Subject: dm flakey: fix reads to be issued if drop_writes configured
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit 299f6230bc6d0ccd5f95bb0fb865d80a9c7d5ccc upstream.
+
+v4.8-rc3 commit 99f3c90d0d ("dm flakey: error READ bios during the
+down_interval") overlooked the 'drop_writes' feature, which is meant to
+allow reads to be issued rather than errored, during the down_interval.
+
+Fixes: 99f3c90d0d ("dm flakey: error READ bios during the down_interval")
+Reported-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-flakey.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+--- a/drivers/md/dm-flakey.c
++++ b/drivers/md/dm-flakey.c
+@@ -289,15 +289,13 @@ static int flakey_map(struct dm_target *
+ pb->bio_submitted = true;
+
+ /*
+- * Map reads as normal only if corrupt_bio_byte set.
++ * Error reads if neither corrupt_bio_byte or drop_writes are set.
++ * Otherwise, flakey_end_io() will decide if the reads should be modified.
+ */
+ if (bio_data_dir(bio) == READ) {
+- /* If flags were specified, only corrupt those that match. */
+- if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) &&
+- all_corrupt_bio_flags_match(bio, fc))
+- goto map_bio;
+- else
++ if (!fc->corrupt_bio_byte && !test_bit(DROP_WRITES, &fc->flags))
+ return -EIO;
++ goto map_bio;
+ }
+
+ /*
+@@ -334,14 +332,21 @@ static int flakey_end_io(struct dm_targe
+ struct flakey_c *fc = ti->private;
+ struct per_bio_data *pb = dm_per_bio_data(bio, sizeof(struct per_bio_data));
+
+- /*
+- * Corrupt successful READs while in down state.
+- */
+ if (!error && pb->bio_submitted && (bio_data_dir(bio) == READ)) {
+- if (fc->corrupt_bio_byte)
++ if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) &&
++ all_corrupt_bio_flags_match(bio, fc)) {
++ /*
++ * Corrupt successful matching READs while in down state.
++ */
+ corrupt_bio_data(bio, fc);
+- else
++
++ } else if (!test_bit(DROP_WRITES, &fc->flags)) {
++ /*
++ * Error read during the down_interval if drop_writes
++ * wasn't configured.
++ */
+ return -EIO;
++ }
+ }
+
+ return error;
--- /dev/null
+From 91e630d9ae6de6f740ef7c8176736eb55366833e Mon Sep 17 00:00:00 2001
+From: Vladimir Zapolskiy <vz@mleia.com>
+Date: Thu, 10 Mar 2016 01:22:19 +0200
+Subject: dm log writes: fix check of kthread_run() return value
+
+From: Vladimir Zapolskiy <vz@mleia.com>
+
+commit 91e630d9ae6de6f740ef7c8176736eb55366833e upstream.
+
+The kthread_run() function returns either a valid task_struct or
+ERR_PTR() value, check for NULL is invalid. This change fixes potential
+for oops, e.g. in OOM situation.
+
+Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-log-writes.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-log-writes.c
++++ b/drivers/md/dm-log-writes.c
+@@ -456,9 +456,9 @@ static int log_writes_ctr(struct dm_targ
+ goto bad;
+ }
+
+- ret = -EINVAL;
+ lc->log_kthread = kthread_run(log_writes_kthread, lc, "log-write");
+- if (!lc->log_kthread) {
++ if (IS_ERR(lc->log_kthread)) {
++ ret = PTR_ERR(lc->log_kthread);
+ ti->error = "Couldn't alloc kthread";
+ dm_put_device(ti, lc->dev);
+ dm_put_device(ti, lc->logdev);
--- /dev/null
+From a5d60783df61fbb67b7596b8a0f6b4b2e05251d5 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 30 Aug 2016 16:11:53 -0400
+Subject: dm log writes: move IO accounting earlier to fix error path
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit a5d60783df61fbb67b7596b8a0f6b4b2e05251d5 upstream.
+
+Move log_one_block()'s atomic_inc(&lc->io_blocks) before bio_alloc() to
+fix a bug that the target hangs if bio_alloc() fails. The error path
+does put_io_block(lc), so atomic_inc(&lc->io_blocks) must occur before
+invoking the error path to avoid underflow of lc->io_blocks.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Reviewed-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-log-writes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-log-writes.c
++++ b/drivers/md/dm-log-writes.c
+@@ -258,12 +258,12 @@ static int log_one_block(struct log_writ
+ goto out;
+ sector++;
+
++ atomic_inc(&lc->io_blocks);
+ bio = bio_alloc(GFP_KERNEL, block->vec_cnt);
+ if (!bio) {
+ DMERR("Couldn't alloc log bio");
+ goto error;
+ }
+- atomic_inc(&lc->io_blocks);
+ bio->bi_iter.bi_size = 0;
+ bio->bi_iter.bi_sector = sector;
+ bio->bi_bdev = lc->logdev->bdev;
--- /dev/null
+From 8fba54aebbdf1f999738121922e74bf796ad60ee Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 24 Aug 2016 18:17:04 +0200
+Subject: fuse: direct-io: don't dirty ITER_BVEC pages
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 8fba54aebbdf1f999738121922e74bf796ad60ee upstream.
+
+When reading from a loop device backed by a fuse file it deadlocks on
+lock_page().
+
+This is because the page is already locked by the read() operation done on
+the loop device. In this case we don't want to either lock the page or
+dirty it.
+
+So do what fs/direct-io.c does: only dirty the page for ITER_IOVEC vectors.
+
+Reported-by: Sheng Yang <sheng@yasker.org>
+Fixes: aa4d86163e4e ("block: loop: switch to VFS ITER_BVEC")
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Reviewed-by: Sheng Yang <sheng@yasker.org>
+Reviewed-by: Ashish Samant <ashish.samant@oracle.com>
+Tested-by: Sheng Yang <sheng@yasker.org>
+Tested-by: Ashish Samant <ashish.samant@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/file.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -540,13 +540,13 @@ void fuse_read_fill(struct fuse_req *req
+ req->out.args[0].size = count;
+ }
+
+-static void fuse_release_user_pages(struct fuse_req *req, int write)
++static void fuse_release_user_pages(struct fuse_req *req, bool should_dirty)
+ {
+ unsigned i;
+
+ for (i = 0; i < req->num_pages; i++) {
+ struct page *page = req->pages[i];
+- if (write)
++ if (should_dirty)
+ set_page_dirty_lock(page);
+ put_page(page);
+ }
+@@ -1331,6 +1331,7 @@ ssize_t fuse_direct_io(struct fuse_io_pr
+ loff_t *ppos, int flags)
+ {
+ int write = flags & FUSE_DIO_WRITE;
++ bool should_dirty = !write && iter_is_iovec(iter);
+ int cuse = flags & FUSE_DIO_CUSE;
+ struct file *file = io->file;
+ struct inode *inode = file->f_mapping->host;
+@@ -1375,7 +1376,7 @@ ssize_t fuse_direct_io(struct fuse_io_pr
+ nres = fuse_send_read(req, io, pos, nbytes, owner);
+
+ if (!io->async)
+- fuse_release_user_pages(req, !write);
++ fuse_release_user_pages(req, should_dirty);
+ if (req->out.h.error) {
+ if (!res)
+ res = req->out.h.error;
--- /dev/null
+From d1e09f304a1d9651c5059ebfeb696dc2effc9b32 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+Date: Sun, 3 Jul 2016 15:28:18 +0300
+Subject: IB/uverbs: Fix race between uverbs_close and remove_one
+
+From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+
+commit d1e09f304a1d9651c5059ebfeb696dc2effc9b32 upstream.
+
+Fixes an oops that might happen if uverbs_close races with
+remove_one.
+
+Both contexts may run ib_uverbs_cleanup_ucontext, it depends
+on the flow.
+
+Currently, there is no protection for a case that remove_one
+didn't make the cleanup it runs to its end, the underlying
+ib_device was freed then uverbs_close will call
+ib_uverbs_cleanup_ucontext and OOPs.
+
+Above might happen if uverbs_close deleted the file from the list
+then remove_one didn't find it and runs to its end.
+
+Fixes to protect against that case by a new cleanup lock so that
+ib_uverbs_cleanup_ucontext will be called always before that
+remove_one is ended.
+
+Fixes: 35d4a0b63dc0 ("IB/uverbs: Fix race between ib_uverbs_open and remove_one")
+Reported-by: Devesh Sharma <devesh.sharma@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/uverbs.h | 1
+ drivers/infiniband/core/uverbs_main.c | 37 ++++++++++++++++++++++------------
+ 2 files changed, 25 insertions(+), 13 deletions(-)
+
+--- a/drivers/infiniband/core/uverbs.h
++++ b/drivers/infiniband/core/uverbs.h
+@@ -116,6 +116,7 @@ struct ib_uverbs_event_file {
+ struct ib_uverbs_file {
+ struct kref ref;
+ struct mutex mutex;
++ struct mutex cleanup_mutex; /* protect cleanup */
+ struct ib_uverbs_device *device;
+ struct ib_ucontext *ucontext;
+ struct ib_event_handler event_handler;
+--- a/drivers/infiniband/core/uverbs_main.c
++++ b/drivers/infiniband/core/uverbs_main.c
+@@ -922,6 +922,7 @@ static int ib_uverbs_open(struct inode *
+ file->async_file = NULL;
+ kref_init(&file->ref);
+ mutex_init(&file->mutex);
++ mutex_init(&file->cleanup_mutex);
+
+ filp->private_data = file;
+ kobject_get(&dev->kobj);
+@@ -947,18 +948,20 @@ static int ib_uverbs_close(struct inode
+ {
+ struct ib_uverbs_file *file = filp->private_data;
+ struct ib_uverbs_device *dev = file->device;
+- struct ib_ucontext *ucontext = NULL;
++
++ mutex_lock(&file->cleanup_mutex);
++ if (file->ucontext) {
++ ib_uverbs_cleanup_ucontext(file, file->ucontext);
++ file->ucontext = NULL;
++ }
++ mutex_unlock(&file->cleanup_mutex);
+
+ mutex_lock(&file->device->lists_mutex);
+- ucontext = file->ucontext;
+- file->ucontext = NULL;
+ if (!file->is_closed) {
+ list_del(&file->list);
+ file->is_closed = 1;
+ }
+ mutex_unlock(&file->device->lists_mutex);
+- if (ucontext)
+- ib_uverbs_cleanup_ucontext(file, ucontext);
+
+ if (file->async_file)
+ kref_put(&file->async_file->ref, ib_uverbs_release_event_file);
+@@ -1172,22 +1175,30 @@ static void ib_uverbs_free_hw_resources(
+ mutex_lock(&uverbs_dev->lists_mutex);
+ while (!list_empty(&uverbs_dev->uverbs_file_list)) {
+ struct ib_ucontext *ucontext;
+-
+ file = list_first_entry(&uverbs_dev->uverbs_file_list,
+ struct ib_uverbs_file, list);
+ file->is_closed = 1;
+- ucontext = file->ucontext;
+ list_del(&file->list);
+- file->ucontext = NULL;
+ kref_get(&file->ref);
+ mutex_unlock(&uverbs_dev->lists_mutex);
+- /* We must release the mutex before going ahead and calling
+- * disassociate_ucontext. disassociate_ucontext might end up
+- * indirectly calling uverbs_close, for example due to freeing
+- * the resources (e.g mmput).
+- */
++
+ ib_uverbs_event_handler(&file->event_handler, &event);
++
++ mutex_lock(&file->cleanup_mutex);
++ ucontext = file->ucontext;
++ file->ucontext = NULL;
++ mutex_unlock(&file->cleanup_mutex);
++
++ /* At this point ib_uverbs_close cannot be running
++ * ib_uverbs_cleanup_ucontext
++ */
+ if (ucontext) {
++ /* We must release the mutex before going ahead and
++ * calling disassociate_ucontext. disassociate_ucontext
++ * might end up indirectly calling uverbs_close,
++ * for example due to freeing the resources
++ * (e.g mmput).
++ */
+ ib_dev->disassociate_ucontext(ucontext);
+ ib_uverbs_cleanup_ucontext(file, ucontext);
+ }
--- /dev/null
+From 1c500840934a138bd6b13556c210516e9301fbee Mon Sep 17 00:00:00 2001
+From: Olof Johansson <olof@lixom.net>
+Date: Thu, 25 Aug 2016 09:45:33 -0700
+Subject: iio: accel: bmc150: reset chip at init time
+
+From: Olof Johansson <olof@lixom.net>
+
+commit 1c500840934a138bd6b13556c210516e9301fbee upstream.
+
+In at least one known setup, the chip comes up in a state where reading
+the chip ID returns garbage unless it's been reset, due to noise on the
+wires during system boot.
+
+All supported chips have the same reset method, and based on the
+datasheets they all need 1.3 or 1.8ms to recover after reset. So, do
+the conservative thing here and always reset the chip.
+
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Reviewed-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/accel/bmc150-accel-core.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/iio/accel/bmc150-accel-core.c
++++ b/drivers/iio/accel/bmc150-accel-core.c
+@@ -68,6 +68,9 @@
+ #define BMC150_ACCEL_REG_PMU_BW 0x10
+ #define BMC150_ACCEL_DEF_BW 125
+
++#define BMC150_ACCEL_REG_RESET 0x14
++#define BMC150_ACCEL_RESET_VAL 0xB6
++
+ #define BMC150_ACCEL_REG_INT_MAP_0 0x19
+ #define BMC150_ACCEL_INT_MAP_0_BIT_SLOPE BIT(2)
+
+@@ -1487,6 +1490,14 @@ static int bmc150_accel_chip_init(struct
+ int ret, i;
+ unsigned int val;
+
++ /*
++ * Reset chip to get it in a known good state. A delay of 1.8ms after
++ * reset is required according to the data sheets of supported chips.
++ */
++ regmap_write(data->regmap, BMC150_ACCEL_REG_RESET,
++ BMC150_ACCEL_RESET_VAL);
++ usleep_range(1800, 2500);
++
+ ret = regmap_read(data->regmap, BMC150_ACCEL_REG_CHIP_ID, &val);
+ if (ret < 0) {
+ dev_err(data->dev,
--- /dev/null
+From 7ac61a062f3147dc23e3f12b9dfe7c4dd35f9cb8 Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Tue, 16 Aug 2016 15:33:28 +0200
+Subject: iio: accel: kxsd9: Fix raw read return
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit 7ac61a062f3147dc23e3f12b9dfe7c4dd35f9cb8 upstream.
+
+Any readings from the raw interface of the KXSD9 driver will
+return an empty string, because it does not return
+IIO_VAL_INT but rather some random value from the accelerometer
+to the caller.
+
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/accel/kxsd9.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/accel/kxsd9.c
++++ b/drivers/iio/accel/kxsd9.c
+@@ -160,6 +160,7 @@ static int kxsd9_read_raw(struct iio_dev
+ if (ret < 0)
+ goto error_ret;
+ *val = ret;
++ ret = IIO_VAL_INT;
+ break;
+ case IIO_CHAN_INFO_SCALE:
+ ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
--- /dev/null
+From 307fe9dd11ae44d4f8881ee449a7cbac36e1f5de Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Thu, 1 Sep 2016 11:44:35 +0200
+Subject: iio: accel: kxsd9: Fix scaling bug
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit 307fe9dd11ae44d4f8881ee449a7cbac36e1f5de upstream.
+
+All the scaling of the KXSD9 involves multiplication with a
+fraction number < 1.
+
+However the scaling value returned from IIO_INFO_SCALE was
+unpredictable as only the micros of the value was assigned, and
+not the integer part, resulting in scaling like this:
+
+$cat in_accel_scale
+-1057462640.011978
+
+Fix this by assigning zero to the integer part.
+
+Tested-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/accel/kxsd9.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/accel/kxsd9.c
++++ b/drivers/iio/accel/kxsd9.c
+@@ -166,6 +166,7 @@ static int kxsd9_read_raw(struct iio_dev
+ ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
+ if (ret < 0)
+ goto error_ret;
++ *val = 0;
+ *val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK];
+ ret = IIO_VAL_INT_PLUS_MICRO;
+ break;
--- /dev/null
+From 7d3cc21dab5313a02f2f3ca8164529b828a030d1 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Mon, 11 Jul 2016 13:54:17 +0200
+Subject: iio: ad799x: Fix buffered capture for ad7991/ad7995/ad7999
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+commit 7d3cc21dab5313a02f2f3ca8164529b828a030d1 upstream.
+
+The data buffer for captured mode for the ad799x driver is allocated in the
+update_scan_mode() callback. This callback is not set in the iio_info
+struct for the ad7791/ad7995/ad7999, which means that the data buffer is
+not allocated when a captured transfer is started. As a result the driver
+crashes when the first sample is received. To fix this properly set the
+update_scan_mode() callback.
+
+Fixes: d8dca33027c1 ("staging:iio:ad799x: Preallocate sample buffer")
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/ad799x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/adc/ad799x.c
++++ b/drivers/iio/adc/ad799x.c
+@@ -533,6 +533,7 @@ static struct attribute_group ad799x_eve
+ static const struct iio_info ad7991_info = {
+ .read_raw = &ad799x_read_raw,
+ .driver_module = THIS_MODULE,
++ .update_scan_mode = ad799x_update_scan_mode,
+ };
+
+ static const struct iio_info ad7993_4_7_8_noirq_info = {
--- /dev/null
+From c2ab447454d498e709d9011c0f2d2945ee321f9b Mon Sep 17 00:00:00 2001
+From: Anders Darander <anders@chargestorm.se>
+Date: Mon, 8 Aug 2016 14:42:16 +0200
+Subject: iio: adc: at91: unbreak channel adc channel 3
+
+From: Anders Darander <anders@chargestorm.se>
+
+commit c2ab447454d498e709d9011c0f2d2945ee321f9b upstream.
+
+The driver always assumes that an input device has been created when
+reading channel 3. This causes a kernel panic when dereferencing
+st->ts_input.
+
+The change was introduced in
+commit 84882b060301 ("iio: adc: at91_adc: Add support for touchscreens
+without TSMR"). Earlier versions only entered that part of the if-else
+statement if only the following flags are set:
+
+AT91_ADC_IER_XRDY | AT91_ADC_IER_YRDY | AT91_ADC_IER_PRDY
+
+Signed-off-by: Anders Darander <anders@chargestorm.se>
+Acked-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/at91_adc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/adc/at91_adc.c
++++ b/drivers/iio/adc/at91_adc.c
+@@ -381,8 +381,8 @@ static irqreturn_t at91_adc_rl_interrupt
+ st->ts_bufferedmeasure = false;
+ input_report_key(st->ts_input, BTN_TOUCH, 0);
+ input_sync(st->ts_input);
+- } else if (status & AT91_ADC_EOC(3)) {
+- /* Conversion finished */
++ } else if (status & AT91_ADC_EOC(3) && st->ts_input) {
++ /* Conversion finished and we've a touchscreen */
+ if (st->ts_bufferedmeasure) {
+ /*
+ * Last measurement is always discarded, since it can
--- /dev/null
+From 543852af8e5902aee8f7c72c89e1513663e0f696 Mon Sep 17 00:00:00 2001
+From: Caesar Wang <wxt@rock-chips.com>
+Date: Wed, 27 Jul 2016 22:24:04 +0800
+Subject: iio: adc: rockchip_saradc: reset saradc controller before programming it
+
+From: Caesar Wang <wxt@rock-chips.com>
+
+commit 543852af8e5902aee8f7c72c89e1513663e0f696 upstream.
+
+SARADC controller needs to be reset before programming it, otherwise
+it will not function properly.
+
+Signed-off-by: Caesar Wang <wxt@rock-chips.com>
+Cc: Jonathan Cameron <jic23@kernel.org>
+Cc: Heiko Stuebner <heiko@sntech.de>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: linux-iio@vger.kernel.org
+Cc: linux-rockchip@lists.infradead.org
+Tested-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/devicetree/bindings/iio/adc/rockchip-saradc.txt | 7 ++
+ drivers/iio/adc/Kconfig | 1
+ drivers/iio/adc/rockchip_saradc.c | 30 ++++++++++
+ 3 files changed, 38 insertions(+)
+
+--- a/Documentation/devicetree/bindings/iio/adc/rockchip-saradc.txt
++++ b/Documentation/devicetree/bindings/iio/adc/rockchip-saradc.txt
+@@ -12,6 +12,11 @@ Required properties:
+ - vref-supply: The regulator supply ADC reference voltage.
+ - #io-channel-cells: Should be 1, see ../iio-bindings.txt
+
++Optional properties:
++- resets: Must contain an entry for each entry in reset-names if need support
++ this option. See ../reset/reset.txt for details.
++- reset-names: Must include the name "saradc-apb".
++
+ Example:
+ saradc: saradc@2006c000 {
+ compatible = "rockchip,saradc";
+@@ -19,6 +24,8 @@ Example:
+ interrupts = <GIC_SPI 26 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&cru SCLK_SARADC>, <&cru PCLK_SARADC>;
+ clock-names = "saradc", "apb_pclk";
++ resets = <&cru SRST_SARADC>;
++ reset-names = "saradc-apb";
+ #io-channel-cells = <1>;
+ vref-supply = <&vcc18>;
+ };
+--- a/drivers/iio/adc/Kconfig
++++ b/drivers/iio/adc/Kconfig
+@@ -306,6 +306,7 @@ config QCOM_SPMI_VADC
+ config ROCKCHIP_SARADC
+ tristate "Rockchip SARADC driver"
+ depends on ARCH_ROCKCHIP || (ARM && COMPILE_TEST)
++ depends on RESET_CONTROLLER
+ help
+ Say yes here to build support for the SARADC found in SoCs from
+ Rockchip.
+--- a/drivers/iio/adc/rockchip_saradc.c
++++ b/drivers/iio/adc/rockchip_saradc.c
+@@ -21,6 +21,8 @@
+ #include <linux/of_device.h>
+ #include <linux/clk.h>
+ #include <linux/completion.h>
++#include <linux/delay.h>
++#include <linux/reset.h>
+ #include <linux/regulator/consumer.h>
+ #include <linux/iio/iio.h>
+
+@@ -53,6 +55,7 @@ struct rockchip_saradc {
+ struct clk *clk;
+ struct completion completion;
+ struct regulator *vref;
++ struct reset_control *reset;
+ const struct rockchip_saradc_data *data;
+ u16 last_val;
+ };
+@@ -171,6 +174,16 @@ static const struct of_device_id rockchi
+ };
+ MODULE_DEVICE_TABLE(of, rockchip_saradc_match);
+
++/**
++ * Reset SARADC Controller.
++ */
++static void rockchip_saradc_reset_controller(struct reset_control *reset)
++{
++ reset_control_assert(reset);
++ usleep_range(10, 20);
++ reset_control_deassert(reset);
++}
++
+ static int rockchip_saradc_probe(struct platform_device *pdev)
+ {
+ struct rockchip_saradc *info = NULL;
+@@ -199,6 +212,20 @@ static int rockchip_saradc_probe(struct
+ if (IS_ERR(info->regs))
+ return PTR_ERR(info->regs);
+
++ /*
++ * The reset should be an optional property, as it should work
++ * with old devicetrees as well
++ */
++ info->reset = devm_reset_control_get(&pdev->dev, "saradc-apb");
++ if (IS_ERR(info->reset)) {
++ ret = PTR_ERR(info->reset);
++ if (ret != -ENOENT)
++ return ret;
++
++ dev_dbg(&pdev->dev, "no reset control found\n");
++ info->reset = NULL;
++ }
++
+ init_completion(&info->completion);
+
+ irq = platform_get_irq(pdev, 0);
+@@ -233,6 +260,9 @@ static int rockchip_saradc_probe(struct
+ return PTR_ERR(info->vref);
+ }
+
++ if (info->reset)
++ rockchip_saradc_reset_controller(info->reset);
++
+ /*
+ * Use a default value for the converter clock.
+ * This may become user-configurable in the future.
--- /dev/null
+From 7175cce1c3f1d8c8840d2004f78f96a3904249b5 Mon Sep 17 00:00:00 2001
+From: Vignesh R <vigneshr@ti.com>
+Date: Wed, 17 Aug 2016 17:43:01 +0530
+Subject: iio: adc: ti_am335x_adc: Increase timeout value waiting for ADC sample
+
+From: Vignesh R <vigneshr@ti.com>
+
+commit 7175cce1c3f1d8c8840d2004f78f96a3904249b5 upstream.
+
+Now that open delay and sample delay for each channel is configurable
+via DT, the default IDLE_TIMEOUT value is not enough as this is
+calculated based on hardcoded macros. This results in driver returning
+EBUSY sometimes. Fix this by increasing the timeout
+value based on maximum value possible to open delay and sample delays
+for each channel.
+
+Fixes: 5dc11e810676e ("iio: adc: ti_am335x_adc: make sample delay, open delay, averaging DT parameters")
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Acked-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/ti_am335x_adc.c | 2 +-
+ include/linux/mfd/ti_am335x_tscadc.h | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/iio/adc/ti_am335x_adc.c
++++ b/drivers/iio/adc/ti_am335x_adc.c
+@@ -382,7 +382,7 @@ static int tiadc_read_raw(struct iio_dev
+
+ am335x_tsc_se_set_once(adc_dev->mfd_tscadc, step_en);
+
+- timeout = jiffies + usecs_to_jiffies
++ timeout = jiffies + msecs_to_jiffies
+ (IDLE_TIMEOUT * adc_dev->channels);
+ /* Wait for Fifo threshold interrupt */
+ while (1) {
+--- a/include/linux/mfd/ti_am335x_tscadc.h
++++ b/include/linux/mfd/ti_am335x_tscadc.h
+@@ -138,16 +138,16 @@
+ /*
+ * time in us for processing a single channel, calculated as follows:
+ *
+- * num cycles = open delay + (sample delay + conv time) * averaging
++ * max num cycles = open delay + (sample delay + conv time) * averaging
+ *
+- * num cycles: 152 + (1 + 13) * 16 = 376
++ * max num cycles: 262143 + (255 + 13) * 16 = 266431
+ *
+ * clock frequency: 26MHz / 8 = 3.25MHz
+ * clock period: 1 / 3.25MHz = 308ns
+ *
+- * processing time: 376 * 308ns = 116us
++ * max processing time: 266431 * 308ns = 83ms(approx)
+ */
+-#define IDLE_TIMEOUT 116 /* microsec */
++#define IDLE_TIMEOUT 83 /* milliseconds */
+
+ #define TSCADC_CELLS 2
+
--- /dev/null
+From 90c43ec6997a892448f1f86180a515f59cafd8a3 Mon Sep 17 00:00:00 2001
+From: Vignesh R <vigneshr@ti.com>
+Date: Wed, 17 Aug 2016 17:43:00 +0530
+Subject: iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access
+
+From: Vignesh R <vigneshr@ti.com>
+
+commit 90c43ec6997a892448f1f86180a515f59cafd8a3 upstream.
+
+It is possible that two or more ADC channels can be simultaneously
+requested for raw samples, in which case there can be race in access to
+FIFO data resulting in loss of samples.
+If am335x_tsc_se_set_once() is called again from tiadc_read_raw(), when
+ADC is still acquired to sample one of the channels, the second process
+might be put into uninterruptible sleep state. Fix these issues, by
+protecting FIFO access and channel configurations with a mutex. Since
+tiadc_read_raw() might take anywhere between few microseconds to few
+milliseconds to finish execution (depending on averaging and delay
+values supplied via DT), its better to use mutex instead of spinlock.
+
+Fixes: 7ca6740cd1cd4 ("mfd: input: iio: ti_amm335x: Rework TSC/ADC synchronization")
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/ti_am335x_adc.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/adc/ti_am335x_adc.c
++++ b/drivers/iio/adc/ti_am335x_adc.c
+@@ -32,6 +32,7 @@
+
+ struct tiadc_device {
+ struct ti_tscadc_dev *mfd_tscadc;
++ struct mutex fifo1_lock; /* to protect fifo access */
+ int channels;
+ u8 channel_line[8];
+ u8 channel_step[8];
+@@ -360,6 +361,7 @@ static int tiadc_read_raw(struct iio_dev
+ int *val, int *val2, long mask)
+ {
+ struct tiadc_device *adc_dev = iio_priv(indio_dev);
++ int ret = IIO_VAL_INT;
+ int i, map_val;
+ unsigned int fifo1count, read, stepid;
+ bool found = false;
+@@ -373,6 +375,7 @@ static int tiadc_read_raw(struct iio_dev
+ if (!step_en)
+ return -EINVAL;
+
++ mutex_lock(&adc_dev->fifo1_lock);
+ fifo1count = tiadc_readl(adc_dev, REG_FIFO1CNT);
+ while (fifo1count--)
+ tiadc_readl(adc_dev, REG_FIFO1);
+@@ -389,7 +392,8 @@ static int tiadc_read_raw(struct iio_dev
+
+ if (time_after(jiffies, timeout)) {
+ am335x_tsc_se_adc_done(adc_dev->mfd_tscadc);
+- return -EAGAIN;
++ ret = -EAGAIN;
++ goto err_unlock;
+ }
+ }
+ map_val = adc_dev->channel_step[chan->scan_index];
+@@ -415,8 +419,11 @@ static int tiadc_read_raw(struct iio_dev
+ am335x_tsc_se_adc_done(adc_dev->mfd_tscadc);
+
+ if (found == false)
+- return -EBUSY;
+- return IIO_VAL_INT;
++ ret = -EBUSY;
++
++err_unlock:
++ mutex_unlock(&adc_dev->fifo1_lock);
++ return ret;
+ }
+
+ static const struct iio_info tiadc_info = {
+@@ -485,6 +492,7 @@ static int tiadc_probe(struct platform_d
+
+ tiadc_step_config(indio_dev);
+ tiadc_writel(adc_dev, REG_FIFO1THR, FIFO1_THRESHOLD);
++ mutex_init(&adc_dev->fifo1_lock);
+
+ err = tiadc_channel_init(indio_dev, adc_dev->channels);
+ if (err < 0)
--- /dev/null
+From 171c0091837c81ed5c949fec6966bb5afff2d1cf Mon Sep 17 00:00:00 2001
+From: Gregor Boirie <gregor.boirie@parrot.com>
+Date: Fri, 2 Sep 2016 20:27:46 +0200
+Subject: iio:core: fix IIO_VAL_FRACTIONAL sign handling
+
+From: Gregor Boirie <gregor.boirie@parrot.com>
+
+commit 171c0091837c81ed5c949fec6966bb5afff2d1cf upstream.
+
+7985e7c100 ("iio: Introduce a new fractional value type") introduced a
+new IIO_VAL_FRACTIONAL value type meant to represent rational type numbers
+expressed by a numerator and denominator combination.
+
+Formating of IIO_VAL_FRACTIONAL values relies upon do_div() usage. This
+fails handling negative values properly since parameters are reevaluated
+as unsigned values.
+Fix this by using div_s64_rem() instead. Computed integer part will carry
+properly signed value. Formatted fractional part will always be positive.
+
+Fixes: 7985e7c100 ("iio: Introduce a new fractional value type")
+Signed-off-by: Gregor Boirie <gregor.boirie@parrot.com>
+Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/industrialio-core.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/industrialio-core.c
++++ b/drivers/iio/industrialio-core.c
+@@ -447,9 +447,8 @@ ssize_t iio_format_value(char *buf, unsi
+ return sprintf(buf, "%d.%09u\n", vals[0], vals[1]);
+ case IIO_VAL_FRACTIONAL:
+ tmp = div_s64((s64)vals[0] * 1000000000LL, vals[1]);
+- vals[1] = do_div(tmp, 1000000000LL);
+- vals[0] = tmp;
+- return sprintf(buf, "%d.%09u\n", vals[0], vals[1]);
++ vals[0] = (int)div_s64_rem(tmp, 1000000000, &vals[1]);
++ return sprintf(buf, "%d.%09u\n", vals[0], abs(vals[1]));
+ case IIO_VAL_FRACTIONAL_LOG2:
+ tmp = (s64)vals[0] * 1000000000LL >> vals[1];
+ vals[1] = do_div(tmp, 1000000000LL);
--- /dev/null
+From 5dba4b14bafe801083d01e1f400816df7e5a8f2e Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Mon, 5 Sep 2016 15:39:06 +0100
+Subject: iio: ensure ret is initialized to zero before entering do loop
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 5dba4b14bafe801083d01e1f400816df7e5a8f2e upstream.
+
+A recent fix to iio_buffer_read_first_n_outer removed ret from being set by
+a return from wait_event_interruptible and also added a continue in a loop
+which causes the variable ret to not be set when it reaches the end of the
+loop. Fix this by initializing ret to zero.
+
+Also remove extraneous white space at the end of the loop.
+
+Fixes: fcf68f3c0bb2a5 ("fix sched WARNING "do not call blocking ops when !TASK_RUNNING")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/industrialio-buffer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -110,7 +110,7 @@ ssize_t iio_buffer_read_first_n_outer(st
+ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ size_t datum_size;
+ size_t to_wait;
+- int ret;
++ int ret = 0;
+
+ if (!indio_dev->info)
+ return -ENODEV;
+@@ -153,7 +153,7 @@ ssize_t iio_buffer_read_first_n_outer(st
+ ret = rb->access->read_first_n(rb, n, buf);
+ if (ret == 0 && (filp->f_flags & O_NONBLOCK))
+ ret = -EAGAIN;
+- } while (ret == 0);
++ } while (ret == 0);
+ remove_wait_queue(&rb->pollq, &wait);
+
+ return ret;
--- /dev/null
+From 36afb176d3c9580651d7f410ed7f000ec48b5137 Mon Sep 17 00:00:00 2001
+From: "Kweh, Hock Leong" <hock.leong.kweh@intel.com>
+Date: Mon, 29 Aug 2016 18:50:56 +0800
+Subject: iio: fix pressure data output unit in hid-sensor-attributes
+
+From: Kweh, Hock Leong <hock.leong.kweh@intel.com>
+
+commit 36afb176d3c9580651d7f410ed7f000ec48b5137 upstream.
+
+According to IIO ABI definition, IIO_PRESSURE data output unit is
+kilopascal:
+http://lxr.free-electrons.com/source/Documentation/ABI/testing/sysfs-bus-iio
+
+This patch fix output unit of HID pressure sensor IIO driver from pascal to
+kilopascal to follow IIO ABI definition.
+
+Signed-off-by: Kweh, Hock Leong <hock.leong.kweh@intel.com>
+Reviewed-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/common/hid-sensors/hid-sensor-attributes.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
++++ b/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
+@@ -56,8 +56,8 @@ static struct {
+ {HID_USAGE_SENSOR_ALS, 0, 1, 0},
+ {HID_USAGE_SENSOR_ALS, HID_USAGE_SENSOR_UNITS_LUX, 1, 0},
+
+- {HID_USAGE_SENSOR_PRESSURE, 0, 100000, 0},
+- {HID_USAGE_SENSOR_PRESSURE, HID_USAGE_SENSOR_UNITS_PASCAL, 1, 0},
++ {HID_USAGE_SENSOR_PRESSURE, 0, 100, 0},
++ {HID_USAGE_SENSOR_PRESSURE, HID_USAGE_SENSOR_UNITS_PASCAL, 0, 1000},
+ };
+
+ static int pow_10(unsigned power)
--- /dev/null
+From f8adf645db03345af2d9a8b6095b02327ea50885 Mon Sep 17 00:00:00 2001
+From: Alison Schofield <amsfield22@gmail.com>
+Date: Mon, 11 Jul 2016 08:26:56 -0700
+Subject: iio: proximity: as3935: set up buffer timestamps for non-zero values
+
+From: Alison Schofield <amsfield22@gmail.com>
+
+commit f8adf645db03345af2d9a8b6095b02327ea50885 upstream.
+
+Use the iio_pollfunc_store_time parameter during triggered buffer
+set-up to get valid timestamps.
+
+Signed-off-by: Alison Schofield <amsfield22@gmail.com>
+Cc: Daniel Baluta <daniel.baluta@gmail.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/proximity/as3935.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/proximity/as3935.c
++++ b/drivers/iio/proximity/as3935.c
+@@ -392,7 +392,7 @@ static int as3935_probe(struct spi_devic
+ return ret;
+ }
+
+- ret = iio_triggered_buffer_setup(indio_dev, NULL,
++ ret = iio_triggered_buffer_setup(indio_dev, iio_pollfunc_store_time,
+ &as3935_trigger_handler, NULL);
+
+ if (ret) {
--- /dev/null
+From 751eb6b6042a596b0080967c1a529a9fe98dac1d Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Mon, 5 Sep 2016 16:06:31 +0800
+Subject: ipv6: addrconf: fix dev refcont leak when DAD failed
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+commit 751eb6b6042a596b0080967c1a529a9fe98dac1d upstream.
+
+In general, when DAD detected IPv6 duplicate address, ifp->state
+will be set to INET6_IFADDR_STATE_ERRDAD and DAD is stopped by a
+delayed work, the call tree should be like this:
+
+ndisc_recv_ns
+ -> addrconf_dad_failure <- missing ifp put
+ -> addrconf_mod_dad_work
+ -> schedule addrconf_dad_work()
+ -> addrconf_dad_stop() <- missing ifp hold before call it
+
+addrconf_dad_failure() called with ifp refcont holding but not put.
+addrconf_dad_work() call addrconf_dad_stop() without extra holding
+refcount. This will not cause any issue normally.
+
+But the race between addrconf_dad_failure() and addrconf_dad_work()
+may cause ifp refcount leak and netdevice can not be unregister,
+dmesg show the following messages:
+
+IPv6: eth0: IPv6 duplicate address fe80::XX:XXXX:XXXX:XX detected!
+...
+unregister_netdevice: waiting for eth0 to become free. Usage count = 1
+
+Fixes: c15b1ccadb32 ("ipv6: move DAD and addrconf_verify processing
+to workqueue")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/addrconf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -1898,6 +1898,7 @@ errdad:
+ spin_unlock_bh(&ifp->lock);
+
+ addrconf_mod_dad_work(ifp, 0);
++ in6_ifa_put(ifp);
+ }
+
+ /* Join to solicited addr multicast group.
+@@ -3609,6 +3610,7 @@ static void addrconf_dad_work(struct wor
+ addrconf_dad_begin(ifp);
+ goto out;
+ } else if (action == DAD_ABORT) {
++ in6_ifa_hold(ifp);
+ addrconf_dad_stop(ifp, 1);
+ goto out;
+ }
--- /dev/null
+From df6a58c5c5aa8ecb1e088ecead3fa33ae70181f1 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Fri, 17 Jun 2016 17:51:17 -0400
+Subject: kernfs: don't depend on d_find_any_alias() when generating notifications
+
+From: Tejun Heo <tj@kernel.org>
+
+commit df6a58c5c5aa8ecb1e088ecead3fa33ae70181f1 upstream.
+
+kernfs_notify_workfn() sends out file modified events for the
+scheduled kernfs_nodes. Because the modifications aren't from
+userland, it doesn't have the matching file struct at hand and can't
+use fsnotify_modify(). Instead, it looked up the inode and then used
+d_find_any_alias() to find the dentry and used fsnotify_parent() and
+fsnotify() directly to generate notifications.
+
+The assumption was that the relevant dentries would have been pinned
+if there are listeners, which isn't true as inotify doesn't pin
+dentries at all and watching the parent doesn't pin the child dentries
+even for dnotify. This led to, for example, inotify watchers not
+getting notifications if the system is under memory pressure and the
+matching dentries got reclaimed. It can also be triggered through
+/proc/sys/vm/drop_caches or a remount attempt which involves shrinking
+dcache.
+
+fsnotify_parent() only uses the dentry to access the parent inode,
+which kernfs can do easily. Update kernfs_notify_workfn() so that it
+uses fsnotify() directly for both the parent and target inodes without
+going through d_find_any_alias(). While at it, supply the target file
+name to fsnotify() from kernfs_node->name.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
+Fixes: d911d9874801 ("kernfs: make kernfs_notify() trigger inotify events too")
+Cc: John McCutchan <john@johnmccutchan.com>
+Cc: Robert Love <rlove@rlove.org>
+Cc: Eric Paris <eparis@parisplace.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/kernfs/file.c | 28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+--- a/fs/kernfs/file.c
++++ b/fs/kernfs/file.c
+@@ -833,21 +833,35 @@ repeat:
+ mutex_lock(&kernfs_mutex);
+
+ list_for_each_entry(info, &kernfs_root(kn)->supers, node) {
++ struct kernfs_node *parent;
+ struct inode *inode;
+- struct dentry *dentry;
+
++ /*
++ * We want fsnotify_modify() on @kn but as the
++ * modifications aren't originating from userland don't
++ * have the matching @file available. Look up the inodes
++ * and generate the events manually.
++ */
+ inode = ilookup(info->sb, kn->ino);
+ if (!inode)
+ continue;
+
+- dentry = d_find_any_alias(inode);
+- if (dentry) {
+- fsnotify_parent(NULL, dentry, FS_MODIFY);
+- fsnotify(inode, FS_MODIFY, inode, FSNOTIFY_EVENT_INODE,
+- NULL, 0);
+- dput(dentry);
++ parent = kernfs_get_parent(kn);
++ if (parent) {
++ struct inode *p_inode;
++
++ p_inode = ilookup(info->sb, parent->ino);
++ if (p_inode) {
++ fsnotify(p_inode, FS_MODIFY | FS_EVENT_ON_CHILD,
++ inode, FSNOTIFY_EVENT_INODE, kn->name, 0);
++ iput(p_inode);
++ }
++
++ kernfs_put(parent);
+ }
+
++ fsnotify(inode, FS_MODIFY, inode, FSNOTIFY_EVENT_INODE,
++ kn->name, 0);
+ iput(inode);
+ }
+
--- /dev/null
+From 070c43eea5043e950daa423707ae3c77e2f48edb Mon Sep 17 00:00:00 2001
+From: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
+Date: Thu, 1 Sep 2016 16:14:44 -0700
+Subject: kexec: fix double-free when failing to relocate the purgatory
+
+From: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
+
+commit 070c43eea5043e950daa423707ae3c77e2f48edb upstream.
+
+If kexec_apply_relocations fails, kexec_load_purgatory frees pi->sechdrs
+and pi->purgatory_buf. This is redundant, because in case of error
+kimage_file_prepare_segments calls kimage_file_post_load_cleanup, which
+will also free those buffers.
+
+This causes two warnings like the following, one for pi->sechdrs and the
+other for pi->purgatory_buf:
+
+ kexec-bzImage64: Loading purgatory failed
+ ------------[ cut here ]------------
+ WARNING: CPU: 1 PID: 2119 at mm/vmalloc.c:1490 __vunmap+0xc1/0xd0
+ Trying to vfree() nonexistent vm area (ffffc90000e91000)
+ Modules linked in:
+ CPU: 1 PID: 2119 Comm: kexec Not tainted 4.8.0-rc3+ #5
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ Call Trace:
+ dump_stack+0x4d/0x65
+ __warn+0xcb/0xf0
+ warn_slowpath_fmt+0x4f/0x60
+ ? find_vmap_area+0x19/0x70
+ ? kimage_file_post_load_cleanup+0x47/0xb0
+ __vunmap+0xc1/0xd0
+ vfree+0x2e/0x70
+ kimage_file_post_load_cleanup+0x5e/0xb0
+ SyS_kexec_file_load+0x448/0x680
+ ? putname+0x54/0x60
+ ? do_sys_open+0x190/0x1f0
+ entry_SYSCALL_64_fastpath+0x13/0x8f
+ ---[ end trace 158bb74f5950ca2b ]---
+
+Fix by setting pi->sechdrs an pi->purgatory_buf to NULL, since vfree
+won't try to free a NULL pointer.
+
+Link: http://lkml.kernel.org/r/1472083546-23683-1-git-send-email-bauerman@linux.vnet.ibm.com
+Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
+Acked-by: Baoquan He <bhe@redhat.com>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: Vivek Goyal <vgoyal@redhat.com>
+Cc: Dave Young <dyoung@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/kexec_file.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/kexec_file.c
++++ b/kernel/kexec_file.c
+@@ -934,7 +934,10 @@ int kexec_load_purgatory(struct kimage *
+ return 0;
+ out:
+ vfree(pi->sechdrs);
++ pi->sechdrs = NULL;
++
+ vfree(pi->purgatory_buf);
++ pi->purgatory_buf = NULL;
+ return ret;
+ }
+
--- /dev/null
+From 293f293637b55db4f9f522a5a72514e98a541076 Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Thu, 8 Sep 2016 16:25:49 +0100
+Subject: kvm-arm: Unmap shadow pagetables properly
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+commit 293f293637b55db4f9f522a5a72514e98a541076 upstream.
+
+On arm/arm64, we depend on the kvm_unmap_hva* callbacks (via
+mmu_notifiers::invalidate_*) to unmap the stage2 pagetables when
+the userspace buffer gets unmapped. However, when the Hypervisor
+process exits without explicit unmap of the guest buffers, the only
+notifier we get is kvm_arch_flush_shadow_all() (via mmu_notifier::release
+) which does nothing on arm. Later this causes us to access pages that
+were already released [via exit_mmap() -> unmap_vmas()] when we actually
+get to unmap the stage2 pagetable [via kvm_arch_destroy_vm() ->
+kvm_free_stage2_pgd()]. This triggers crashes with CONFIG_DEBUG_PAGEALLOC,
+which unmaps any free'd pages from the linear map.
+
+ [ 757.644120] Unable to handle kernel paging request at virtual address
+ ffff800661e00000
+ [ 757.652046] pgd = ffff20000b1a2000
+ [ 757.655471] [ffff800661e00000] *pgd=00000047fffe3003, *pud=00000047fcd8c003,
+ *pmd=00000047fcc7c003, *pte=00e8004661e00712
+ [ 757.666492] Internal error: Oops: 96000147 [#3] PREEMPT SMP
+ [ 757.672041] Modules linked in:
+ [ 757.675100] CPU: 7 PID: 3630 Comm: qemu-system-aar Tainted: G D
+ 4.8.0-rc1 #3
+ [ 757.683240] Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board,
+ BIOS 3.06.15 Aug 19 2016
+ [ 757.692938] task: ffff80069cdd3580 task.stack: ffff8006adb7c000
+ [ 757.698840] PC is at __flush_dcache_area+0x1c/0x40
+ [ 757.703613] LR is at kvm_flush_dcache_pmd+0x60/0x70
+ [ 757.708469] pc : [<ffff20000809dbdc>] lr : [<ffff2000080b4a70>] pstate: 20000145
+ ...
+ [ 758.357249] [<ffff20000809dbdc>] __flush_dcache_area+0x1c/0x40
+ [ 758.363059] [<ffff2000080b6748>] unmap_stage2_range+0x458/0x5f0
+ [ 758.368954] [<ffff2000080b708c>] kvm_free_stage2_pgd+0x34/0x60
+ [ 758.374761] [<ffff2000080b2280>] kvm_arch_destroy_vm+0x20/0x68
+ [ 758.380570] [<ffff2000080aa330>] kvm_put_kvm+0x210/0x358
+ [ 758.385860] [<ffff2000080aa524>] kvm_vm_release+0x2c/0x40
+ [ 758.391239] [<ffff2000082ad234>] __fput+0x114/0x2e8
+ [ 758.396096] [<ffff2000082ad46c>] ____fput+0xc/0x18
+ [ 758.400869] [<ffff200008104658>] task_work_run+0x108/0x138
+ [ 758.406332] [<ffff2000080dc8ec>] do_exit+0x48c/0x10e8
+ [ 758.411363] [<ffff2000080dd5fc>] do_group_exit+0x6c/0x130
+ [ 758.416739] [<ffff2000080ed924>] get_signal+0x284/0xa18
+ [ 758.421943] [<ffff20000808a098>] do_signal+0x158/0x860
+ [ 758.427060] [<ffff20000808aad4>] do_notify_resume+0x6c/0x88
+ [ 758.432608] [<ffff200008083624>] work_pending+0x10/0x14
+ [ 758.437812] Code: 9ac32042 8b010001 d1000443 8a230000 (d50b7e20)
+
+This patch fixes the issue by moving the kvm_free_stage2_pgd() to
+kvm_arch_flush_shadow_all().
+
+Tested-by: Itaru Kitayama <itaru.kitayama@riken.jp>
+Reported-by: Itaru Kitayama <itaru.kitayama@riken.jp>
+Reported-by: James Morse <james.morse@arm.com>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kvm/arm.c | 2 --
+ arch/arm/kvm/mmu.c | 1 +
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/arm/kvm/arm.c
++++ b/arch/arm/kvm/arm.c
+@@ -155,8 +155,6 @@ void kvm_arch_destroy_vm(struct kvm *kvm
+ {
+ int i;
+
+- kvm_free_stage2_pgd(kvm);
+-
+ for (i = 0; i < KVM_MAX_VCPUS; ++i) {
+ if (kvm->vcpus[i]) {
+ kvm_arch_vcpu_free(kvm->vcpus[i]);
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -1852,6 +1852,7 @@ void kvm_arch_memslots_updated(struct kv
+
+ void kvm_arch_flush_shadow_all(struct kvm *kvm)
+ {
++ kvm_free_stage2_pgd(kvm);
+ }
+
+ void kvm_arch_flush_shadow_memslot(struct kvm *kvm,
--- /dev/null
+From 47a7b0d8888c04c9746812820b6e60553cc77bbc Mon Sep 17 00:00:00 2001
+From: Guoqing Jiang <gqjiang@suse.com>
+Date: Sun, 4 Sep 2016 22:17:28 -0400
+Subject: md-cluster: make md-cluster also can work when compiled into kernel
+
+From: Guoqing Jiang <gqjiang@suse.com>
+
+commit 47a7b0d8888c04c9746812820b6e60553cc77bbc upstream.
+
+The md-cluster is compiled as module by default,
+if it is compiled by built-in way, then we can't
+make md-cluster works.
+
+[64782.630008] md/raid1:md127: active with 2 out of 2 mirrors
+[64782.630528] md-cluster module not found.
+[64782.630530] md127: Could not setup cluster service (-2)
+
+Fixes: edb39c9 ("Introduce md_cluster_operations to handle cluster functions")
+Reported-by: Marc Smith <marc.smith@mcc.edu>
+Reviewed-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Guoqing Jiang <gqjiang@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7572,16 +7572,12 @@ EXPORT_SYMBOL(unregister_md_cluster_oper
+
+ int md_setup_cluster(struct mddev *mddev, int nodes)
+ {
+- int err;
+-
+- err = request_module("md-cluster");
+- if (err) {
+- pr_err("md-cluster module not found.\n");
+- return -ENOENT;
+- }
+-
++ if (!md_cluster_ops)
++ request_module("md-cluster");
+ spin_lock(&pers_lock);
++ /* ensure module won't be unloaded */
+ if (!md_cluster_ops || !try_module_get(md_cluster_mod)) {
++ pr_err("can't find md-cluster module or get it's reference.\n");
+ spin_unlock(&pers_lock);
+ return -ENOENT;
+ }
--- /dev/null
+From cd81a9170e69e018bbaba547c1fd85a585f5697a Mon Sep 17 00:00:00 2001
+From: Mateusz Guzik <mguzik@redhat.com>
+Date: Tue, 23 Aug 2016 16:20:38 +0200
+Subject: mm: introduce get_task_exe_file
+
+From: Mateusz Guzik <mguzik@redhat.com>
+
+commit cd81a9170e69e018bbaba547c1fd85a585f5697a upstream.
+
+For more convenient access if one has a pointer to the task.
+
+As a minor nit take advantage of the fact that only task lock + rcu are
+needed to safely grab ->exe_file. This saves mm refcount dance.
+
+Use the helper in proc_exe_link.
+
+Signed-off-by: Mateusz Guzik <mguzik@redhat.com>
+Acked-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/base.c | 7 +------
+ include/linux/mm.h | 1 +
+ kernel/fork.c | 23 +++++++++++++++++++++++
+ 3 files changed, 25 insertions(+), 6 deletions(-)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -1545,18 +1545,13 @@ static const struct file_operations proc
+ static int proc_exe_link(struct dentry *dentry, struct path *exe_path)
+ {
+ struct task_struct *task;
+- struct mm_struct *mm;
+ struct file *exe_file;
+
+ task = get_proc_task(d_inode(dentry));
+ if (!task)
+ return -ENOENT;
+- mm = get_task_mm(task);
++ exe_file = get_task_exe_file(task);
+ put_task_struct(task);
+- if (!mm)
+- return -ENOENT;
+- exe_file = get_mm_exe_file(mm);
+- mmput(mm);
+ if (exe_file) {
+ *exe_path = exe_file->f_path;
+ path_get(&exe_file->f_path);
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -1898,6 +1898,7 @@ extern void mm_drop_all_locks(struct mm_
+
+ extern void set_mm_exe_file(struct mm_struct *mm, struct file *new_exe_file);
+ extern struct file *get_mm_exe_file(struct mm_struct *mm);
++extern struct file *get_task_exe_file(struct task_struct *task);
+
+ extern int may_expand_vm(struct mm_struct *mm, unsigned long npages);
+ extern struct vm_area_struct *_install_special_mapping(struct mm_struct *mm,
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -764,6 +764,29 @@ struct file *get_mm_exe_file(struct mm_s
+ EXPORT_SYMBOL(get_mm_exe_file);
+
+ /**
++ * get_task_exe_file - acquire a reference to the task's executable file
++ *
++ * Returns %NULL if task's mm (if any) has no associated executable file or
++ * this is a kernel thread with borrowed mm (see the comment above get_task_mm).
++ * User must release file via fput().
++ */
++struct file *get_task_exe_file(struct task_struct *task)
++{
++ struct file *exe_file = NULL;
++ struct mm_struct *mm;
++
++ task_lock(task);
++ mm = task->mm;
++ if (mm) {
++ if (!(task->flags & PF_KTHREAD))
++ exe_file = get_mm_exe_file(mm);
++ }
++ task_unlock(task);
++ return exe_file;
++}
++EXPORT_SYMBOL(get_task_exe_file);
++
++/**
+ * get_task_mm - acquire a reference to the task's mm
+ *
+ * Returns %NULL if the task has no mm. Checks PF_KTHREAD (meaning
--- /dev/null
+From 1423661fed2c40d6d71b5e2e3aa390f85157f9d5 Mon Sep 17 00:00:00 2001
+From: David Daney <david.daney@cavium.com>
+Date: Tue, 16 Aug 2016 13:30:36 -0700
+Subject: net: thunderx: Fix OOPs with ethtool --register-dump
+
+From: David Daney <david.daney@cavium.com>
+
+commit 1423661fed2c40d6d71b5e2e3aa390f85157f9d5 upstream.
+
+The ethtool_ops .get_regs function attempts to read the nonexistent
+register NIC_QSET_SQ_0_7_CNM_CHG, which produces a "bus error" type
+OOPs.
+
+Fix by not attempting to read, and removing the definition of,
+NIC_QSET_SQ_0_7_CNM_CHG. A zero is written into the register dump to
+keep the layout unchanged.
+
+Signed-off-by: David Daney <david.daney@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/cavium/thunder/nic_reg.h | 1 -
+ drivers/net/ethernet/cavium/thunder/nicvf_ethtool.c | 5 ++++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/cavium/thunder/nic_reg.h
++++ b/drivers/net/ethernet/cavium/thunder/nic_reg.h
+@@ -170,7 +170,6 @@
+ #define NIC_QSET_SQ_0_7_DOOR (0x010838)
+ #define NIC_QSET_SQ_0_7_STATUS (0x010840)
+ #define NIC_QSET_SQ_0_7_DEBUG (0x010848)
+-#define NIC_QSET_SQ_0_7_CNM_CHG (0x010860)
+ #define NIC_QSET_SQ_0_7_STAT_0_1 (0x010900)
+
+ #define NIC_QSET_RBDR_0_1_CFG (0x010C00)
+--- a/drivers/net/ethernet/cavium/thunder/nicvf_ethtool.c
++++ b/drivers/net/ethernet/cavium/thunder/nicvf_ethtool.c
+@@ -380,7 +380,10 @@ static void nicvf_get_regs(struct net_de
+ p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_DOOR, q);
+ p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_STATUS, q);
+ p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_DEBUG, q);
+- p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_CNM_CHG, q);
++ /* Padding, was NIC_QSET_SQ_0_7_CNM_CHG, which
++ * produces bus errors when read
++ */
++ p[i++] = 0;
+ p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_STAT_0_1, q);
+ reg_offset = NIC_QSET_SQ_0_7_STAT_0_1 | (1 << 3);
+ p[i++] = nicvf_queue_reg_read(nic, reg_offset, q);
--- /dev/null
+From 885848186fbc2d1d8fb6d2fdc2156638ae289a46 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Wed, 13 Jul 2016 16:40:14 -0400
+Subject: nfsd: Close race between nfsd4_release_lockowner and nfsd4_lock
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 885848186fbc2d1d8fb6d2fdc2156638ae289a46 upstream.
+
+nfsd4_release_lockowner finds a lock owner that has no lock state,
+and drops cl_lock. Then release_lockowner picks up cl_lock and
+unhashes the lock owner.
+
+During the window where cl_lock is dropped, I don't see anything
+preventing a concurrent nfsd4_lock from finding that same lock owner
+and adding lock state to it.
+
+Move release_lockowner() into nfsd4_release_lockowner and hang onto
+the cl_lock until after the lock owner's state cannot be found
+again.
+
+Found by inspection, we don't currently have a reproducer.
+
+Fixes: 2c41beb0e5cf ("nfsd: reduce cl_lock thrashing in ... ")
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4state.c | 40 +++++++++++++++++-----------------------
+ 1 file changed, 17 insertions(+), 23 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -1200,27 +1200,6 @@ free_ol_stateid_reaplist(struct list_hea
+ }
+ }
+
+-static void release_lockowner(struct nfs4_lockowner *lo)
+-{
+- struct nfs4_client *clp = lo->lo_owner.so_client;
+- struct nfs4_ol_stateid *stp;
+- struct list_head reaplist;
+-
+- INIT_LIST_HEAD(&reaplist);
+-
+- spin_lock(&clp->cl_lock);
+- unhash_lockowner_locked(lo);
+- while (!list_empty(&lo->lo_owner.so_stateids)) {
+- stp = list_first_entry(&lo->lo_owner.so_stateids,
+- struct nfs4_ol_stateid, st_perstateowner);
+- WARN_ON(!unhash_lock_stateid(stp));
+- put_ol_stateid_locked(stp, &reaplist);
+- }
+- spin_unlock(&clp->cl_lock);
+- free_ol_stateid_reaplist(&reaplist);
+- nfs4_put_stateowner(&lo->lo_owner);
+-}
+-
+ static void release_open_stateid_locks(struct nfs4_ol_stateid *open_stp,
+ struct list_head *reaplist)
+ {
+@@ -5952,6 +5931,7 @@ nfsd4_release_lockowner(struct svc_rqst
+ __be32 status;
+ struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
+ struct nfs4_client *clp;
++ LIST_HEAD (reaplist);
+
+ dprintk("nfsd4_release_lockowner clientid: (%08x/%08x):\n",
+ clid->cl_boot, clid->cl_id);
+@@ -5982,9 +5962,23 @@ nfsd4_release_lockowner(struct svc_rqst
+ nfs4_get_stateowner(sop);
+ break;
+ }
++ if (!lo) {
++ spin_unlock(&clp->cl_lock);
++ return status;
++ }
++
++ unhash_lockowner_locked(lo);
++ while (!list_empty(&lo->lo_owner.so_stateids)) {
++ stp = list_first_entry(&lo->lo_owner.so_stateids,
++ struct nfs4_ol_stateid,
++ st_perstateowner);
++ WARN_ON(!unhash_lock_stateid(stp));
++ put_ol_stateid_locked(stp, &reaplist);
++ }
+ spin_unlock(&clp->cl_lock);
+- if (lo)
+- release_lockowner(lo);
++ free_ol_stateid_reaplist(&reaplist);
++ nfs4_put_stateowner(&lo->lo_owner);
++
+ return status;
+ }
+
--- /dev/null
+From e09c978aae5bedfdb379be80363b024b7d82638b Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Sat, 27 Aug 2016 23:44:04 -0400
+Subject: NFSv4.1: Fix Oopsable condition in server callback races
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit e09c978aae5bedfdb379be80363b024b7d82638b upstream.
+
+The slot table hasn't been an array since v3.7. Ensure that we
+use nfs4_lookup_slot() to access the slot correctly.
+
+Fixes: 87dda67e7386 ("NFSv4.1: Allow SEQUENCE to resize the slot table...")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/callback_proc.c | 5 +----
+ fs/nfs/nfs4session.c | 33 +++++++++++++++++++++++++++++++++
+ fs/nfs/nfs4session.h | 1 +
+ 3 files changed, 35 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/callback_proc.c
++++ b/fs/nfs/callback_proc.c
+@@ -400,11 +400,8 @@ static bool referring_call_exists(struct
+ ((u32 *)&rclist->rcl_sessionid.data)[3],
+ ref->rc_sequenceid, ref->rc_slotid);
+
+- spin_lock(&tbl->slot_tbl_lock);
+- status = (test_bit(ref->rc_slotid, tbl->used_slots) &&
+- tbl->slots[ref->rc_slotid].seq_nr ==
++ status = nfs4_slot_seqid_in_use(tbl, ref->rc_slotid,
+ ref->rc_sequenceid);
+- spin_unlock(&tbl->slot_tbl_lock);
+ if (status)
+ goto out;
+ }
+--- a/fs/nfs/nfs4session.c
++++ b/fs/nfs/nfs4session.c
+@@ -135,6 +135,39 @@ static struct nfs4_slot *nfs4_find_or_cr
+ return ERR_PTR(-ENOMEM);
+ }
+
++static int nfs4_slot_get_seqid(struct nfs4_slot_table *tbl, u32 slotid,
++ u32 *seq_nr)
++ __must_hold(&tbl->slot_tbl_lock)
++{
++ struct nfs4_slot *slot;
++
++ slot = nfs4_lookup_slot(tbl, slotid);
++ if (IS_ERR(slot))
++ return PTR_ERR(slot);
++ *seq_nr = slot->seq_nr;
++ return 0;
++}
++
++/*
++ * nfs4_slot_seqid_in_use - test if a slot sequence id is still in use
++ *
++ * Given a slot table, slot id and sequence number, determine if the
++ * RPC call in question is still in flight. This function is mainly
++ * intended for use by the callback channel.
++ */
++bool nfs4_slot_seqid_in_use(struct nfs4_slot_table *tbl, u32 slotid, u32 seq_nr)
++{
++ u32 cur_seq;
++ bool ret = false;
++
++ spin_lock(&tbl->slot_tbl_lock);
++ if (nfs4_slot_get_seqid(tbl, slotid, &cur_seq) == 0 &&
++ cur_seq == seq_nr && test_bit(slotid, tbl->used_slots))
++ ret = true;
++ spin_unlock(&tbl->slot_tbl_lock);
++ return ret;
++}
++
+ /*
+ * nfs4_alloc_slot - efficiently look for a free slot
+ *
+--- a/fs/nfs/nfs4session.h
++++ b/fs/nfs/nfs4session.h
+@@ -77,6 +77,7 @@ extern int nfs4_setup_slot_table(struct
+ unsigned int max_reqs, const char *queue);
+ extern void nfs4_shutdown_slot_table(struct nfs4_slot_table *tbl);
+ extern struct nfs4_slot *nfs4_alloc_slot(struct nfs4_slot_table *tbl);
++extern bool nfs4_slot_seqid_in_use(struct nfs4_slot_table *tbl, u32 slotid, u32 seq_nr);
+ extern void nfs4_free_slot(struct nfs4_slot_table *tbl, struct nfs4_slot *slot);
+ extern void nfs4_slot_tbl_drain_complete(struct nfs4_slot_table *tbl);
+ bool nfs41_wake_and_assign_slot(struct nfs4_slot_table *tbl,
--- /dev/null
+From b519d408ea32040b1c7e10b155a3ee9a36660947 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Sun, 11 Sep 2016 14:50:01 -0400
+Subject: NFSv4.1: Fix the CREATE_SESSION slot number accounting
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit b519d408ea32040b1c7e10b155a3ee9a36660947 upstream.
+
+Ensure that we conform to the algorithm described in RFC5661, section
+18.36.4 for when to bump the sequence id. In essence we do it for all
+cases except when the RPC call timed out, or in case of the server returning
+NFS4ERR_DELAY or NFS4ERR_STALE_CLIENTID.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -7424,12 +7424,20 @@ static int _nfs4_proc_create_session(str
+ status = rpc_call_sync(session->clp->cl_rpcclient, &msg, RPC_TASK_TIMEOUT);
+ trace_nfs4_create_session(clp, status);
+
++ switch (status) {
++ case -NFS4ERR_STALE_CLIENTID:
++ case -NFS4ERR_DELAY:
++ case -ETIMEDOUT:
++ case -EACCES:
++ case -EAGAIN:
++ goto out;
++ };
++
++ clp->cl_seqid++;
+ if (!status) {
+ /* Verify the session's negotiated channel_attrs values */
+ status = nfs4_verify_channel_attrs(&args, &res);
+ /* Increment the clientid slot sequence id */
+- if (clp->cl_seqid == res.seqid)
+- clp->cl_seqid++;
+ if (status)
+ goto out;
+ nfs4_update_session(session, &res);
--- /dev/null
+From 98b0f80c2396224bbbed81792b526e6c72ba9efa Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Mon, 29 Aug 2016 11:15:36 -0400
+Subject: NFSv4.x: Fix a refcount leak in nfs_callback_up_net
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit 98b0f80c2396224bbbed81792b526e6c72ba9efa upstream.
+
+On error, the callers expect us to return without bumping
+nn->cb_users[].
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/callback.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfs/callback.c
++++ b/fs/nfs/callback.c
+@@ -275,6 +275,7 @@ static int nfs_callback_up_net(int minor
+ err_socks:
+ svc_rpcb_cleanup(serv, net);
+ err_bind:
++ nn->cb_users[minorversion]--;
+ dprintk("NFS: Couldn't create callback socket: err = %d; "
+ "net = %p\n", ret, net);
+ return ret;
--- /dev/null
+From a32ac2912f97d7ea9b67eb67bb4aa30b9156a88e Mon Sep 17 00:00:00 2001
+From: James Hartley <james.hartley@imgtec.com>
+Date: Fri, 19 Aug 2016 12:03:23 +0100
+Subject: pinctrl: pistachio: fix mfio pll_lock pinmux
+
+From: James Hartley <james.hartley@imgtec.com>
+
+commit a32ac2912f97d7ea9b67eb67bb4aa30b9156a88e upstream.
+
+A previous patch attempted to fix the pinmuxes for mfio 84 - 89, but it
+omitted a change to pistachio_pin_group pistachio_groups, which results
+in incorrect pll_lock signals being routed.
+
+Apply the correct mux settings throughout the driver.
+
+fixes: cefc03e5995e ("pinctrl: Add Pistachio SoC pin control driver")
+fixes: e9adb336d0bf ("pinctrl: pistachio: fix mfio84-89 function description and pinmux.")
+Signed-off-by: James Hartley <james.hartley@imgtec.com>
+Reviewed-by: Sifan Naeem <Sifan.Naeem@imgtec.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/pinctrl-pistachio.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-pistachio.c
++++ b/drivers/pinctrl/pinctrl-pistachio.c
+@@ -809,17 +809,17 @@ static const struct pistachio_pin_group
+ PADS_FUNCTION_SELECT2, 12, 0x3),
+ MFIO_MUX_PIN_GROUP(83, MIPS_PLL_LOCK, MIPS_TRACE_DATA, USB_DEBUG,
+ PADS_FUNCTION_SELECT2, 14, 0x3),
+- MFIO_MUX_PIN_GROUP(84, SYS_PLL_LOCK, MIPS_TRACE_DATA, USB_DEBUG,
++ MFIO_MUX_PIN_GROUP(84, AUDIO_PLL_LOCK, MIPS_TRACE_DATA, USB_DEBUG,
+ PADS_FUNCTION_SELECT2, 16, 0x3),
+- MFIO_MUX_PIN_GROUP(85, WIFI_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG,
++ MFIO_MUX_PIN_GROUP(85, RPU_V_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG,
+ PADS_FUNCTION_SELECT2, 18, 0x3),
+- MFIO_MUX_PIN_GROUP(86, BT_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG,
++ MFIO_MUX_PIN_GROUP(86, RPU_L_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG,
+ PADS_FUNCTION_SELECT2, 20, 0x3),
+- MFIO_MUX_PIN_GROUP(87, RPU_V_PLL_LOCK, DREQ2, SOCIF_DEBUG,
++ MFIO_MUX_PIN_GROUP(87, SYS_PLL_LOCK, DREQ2, SOCIF_DEBUG,
+ PADS_FUNCTION_SELECT2, 22, 0x3),
+- MFIO_MUX_PIN_GROUP(88, RPU_L_PLL_LOCK, DREQ3, SOCIF_DEBUG,
++ MFIO_MUX_PIN_GROUP(88, WIFI_PLL_LOCK, DREQ3, SOCIF_DEBUG,
+ PADS_FUNCTION_SELECT2, 24, 0x3),
+- MFIO_MUX_PIN_GROUP(89, AUDIO_PLL_LOCK, DREQ4, DREQ5,
++ MFIO_MUX_PIN_GROUP(89, BT_PLL_LOCK, DREQ4, DREQ5,
+ PADS_FUNCTION_SELECT2, 26, 0x3),
+ PIN_GROUP(TCK, "tck"),
+ PIN_GROUP(TRSTN, "trstn"),
--- /dev/null
+From 486095fae3a8a6b1ae07c51844699d9bd5cfbebc Mon Sep 17 00:00:00 2001
+From: Icenowy Zheng <icenowy@aosc.xyz>
+Date: Tue, 23 Aug 2016 13:58:25 +0800
+Subject: pinctrl: sunxi: fix uart1 CTS/RTS pins at PG on A23/A33
+
+From: Icenowy Zheng <icenowy@aosc.xyz>
+
+commit 486095fae3a8a6b1ae07c51844699d9bd5cfbebc upstream.
+
+PG8, PG9 is said to be the CTS/RTS pins for UART1 according to the A23/33
+datasheets. However, the function is wrongly named "uart2" in the pinctrl
+driver. This patch fixes this by modifying them to be named "uart1".
+
+Signed-off-by: Icenowy Zheng <icenowy@aosc.xyz>
+Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/sunxi/pinctrl-sun8i-a23.c | 4 ++--
+ drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/pinctrl/sunxi/pinctrl-sun8i-a23.c
++++ b/drivers/pinctrl/sunxi/pinctrl-sun8i-a23.c
+@@ -485,12 +485,12 @@ static const struct sunxi_desc_pin sun8i
+ SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 8),
+ SUNXI_FUNCTION(0x0, "gpio_in"),
+ SUNXI_FUNCTION(0x1, "gpio_out"),
+- SUNXI_FUNCTION(0x2, "uart2"), /* RTS */
++ SUNXI_FUNCTION(0x2, "uart1"), /* RTS */
+ SUNXI_FUNCTION_IRQ_BANK(0x4, 2, 8)), /* PG_EINT8 */
+ SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 9),
+ SUNXI_FUNCTION(0x0, "gpio_in"),
+ SUNXI_FUNCTION(0x1, "gpio_out"),
+- SUNXI_FUNCTION(0x2, "uart2"), /* CTS */
++ SUNXI_FUNCTION(0x2, "uart1"), /* CTS */
+ SUNXI_FUNCTION_IRQ_BANK(0x4, 2, 9)), /* PG_EINT9 */
+ SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 10),
+ SUNXI_FUNCTION(0x0, "gpio_in"),
+--- a/drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c
++++ b/drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c
+@@ -407,12 +407,12 @@ static const struct sunxi_desc_pin sun8i
+ SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 8),
+ SUNXI_FUNCTION(0x0, "gpio_in"),
+ SUNXI_FUNCTION(0x1, "gpio_out"),
+- SUNXI_FUNCTION(0x2, "uart2"), /* RTS */
++ SUNXI_FUNCTION(0x2, "uart1"), /* RTS */
+ SUNXI_FUNCTION_IRQ_BANK(0x4, 1, 8)), /* PG_EINT8 */
+ SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 9),
+ SUNXI_FUNCTION(0x0, "gpio_in"),
+ SUNXI_FUNCTION(0x1, "gpio_out"),
+- SUNXI_FUNCTION(0x2, "uart2"), /* CTS */
++ SUNXI_FUNCTION(0x2, "uart1"), /* CTS */
+ SUNXI_FUNCTION_IRQ_BANK(0x4, 1, 9)), /* PG_EINT9 */
+ SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 10),
+ SUNXI_FUNCTION(0x0, "gpio_in"),
--- /dev/null
+From bf0291dd2267a2b9a4cd74d65249553d11bb45d6 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Sat, 3 Sep 2016 10:39:51 -0400
+Subject: pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit bf0291dd2267a2b9a4cd74d65249553d11bb45d6 upstream.
+
+According to RFC5661, the client is responsible for serialising
+LAYOUTGET and LAYOUTRETURN to avoid ambiguity. Consider the case
+where we send both in parallel.
+
+Client Server
+====== ======
+LAYOUTGET(seqid=X)
+LAYOUTRETURN(seqid=X)
+ LAYOUTGET return seqid=X+1
+ LAYOUTRETURN return seqid=X+2
+Process LAYOUTRETURN
+ Forget layout stateid
+Process LAYOUTGET
+ Set seqid=X+1
+
+The client processes the layoutget/layoutreturn in the wrong order,
+and since the result of the layoutreturn was to clear the only
+existing layout segment, the client forgets the layout stateid.
+
+When the LAYOUTGET comes in, it is treated as having a completely
+new stateid, and so the client sets the wrong sequence id...
+
+Fix is to check if there are outstanding LAYOUTGET requests
+before we send the LAYOUTRETURN (note that LAYOUGET will already
+wait if it sees an outstanding LAYOUTRETURN).
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pnfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -365,6 +365,9 @@ pnfs_layout_need_return(struct pnfs_layo
+ static bool
+ pnfs_prepare_layoutreturn(struct pnfs_layout_hdr *lo)
+ {
++ /* Serialise LAYOUTGET/LAYOUTRETURN */
++ if (atomic_read(&lo->plh_outstanding) != 0)
++ return false;
+ if (test_and_set_bit(NFS_LAYOUT_RETURN, &lo->plh_flags))
+ return false;
+ lo->plh_return_iomode = 0;
--- /dev/null
+From b88fa69eaa8649f11828158c7b65c4bcd886ebd5 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Tue, 23 Aug 2016 11:19:33 -0400
+Subject: pNFS: The client must not do I/O to the DS if it's lease has expired
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit b88fa69eaa8649f11828158c7b65c4bcd886ebd5 upstream.
+
+Ensure that the client conforms to the normative behaviour described in
+RFC5661 Section 12.7.2: "If a client believes its lease has expired,
+it MUST NOT send I/O to the storage device until it has validated its
+lease."
+
+So ensure that we wait for the lease to be validated before using
+the layout.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pnfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1530,6 +1530,7 @@ pnfs_update_layout(struct inode *ino,
+ goto out;
+
+ lookup_again:
++ nfs4_client_recover_expired_lease(clp);
+ first = false;
+ spin_lock(&ino->i_lock);
+ lo = pnfs_find_alloc_layout(ino, ctx, gfp_flags);
--- /dev/null
+From f077aaf0754bcba0fffdbd925bc12f09cd1e38aa Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Fri, 2 Sep 2016 21:47:59 +1000
+Subject: powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET
+
+From: Paul Mackerras <paulus@ozlabs.org>
+
+commit f077aaf0754bcba0fffdbd925bc12f09cd1e38aa upstream.
+
+In commit c60ac5693c47 ("powerpc: Update kernel VSID range", 2013-03-13)
+we lost a check on the region number (the top four bits of the effective
+address) for addresses below PAGE_OFFSET. That commit replaced a check
+that the top 18 bits were all zero with a check that bits 46 - 59 were
+zero (performed for all addresses, not just user addresses).
+
+This means that userspace can access an address like 0x1000_0xxx_xxxx_xxxx
+and we will insert a valid SLB entry for it. The VSID used will be the
+same as if the top 4 bits were 0, but the page size will be some random
+value obtained by indexing beyond the end of the mm_ctx_high_slices_psize
+array in the paca. If that page size is the same as would be used for
+region 0, then userspace just has an alias of the region 0 space. If the
+page size is different, then no HPTE will be found for the access, and
+the process will get a SIGSEGV (since hash_page_mm() will refuse to create
+a HPTE for the bogus address).
+
+The access beyond the end of the mm_ctx_high_slices_psize can be at most
+5.5MB past the array, and so will be in RAM somewhere. Since the access
+is a load performed in real mode, it won't fault or crash the kernel.
+At most this bug could perhaps leak a little bit of information about
+blocks of 32 bytes of memory located at offsets of i * 512kB past the
+paca->mm_ctx_high_slices_psize array, for 1 <= i <= 11.
+
+Fixes: c60ac5693c47 ("powerpc: Update kernel VSID range")
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/slb_low.S | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/mm/slb_low.S
++++ b/arch/powerpc/mm/slb_low.S
+@@ -113,7 +113,12 @@ BEGIN_FTR_SECTION
+ END_MMU_FTR_SECTION_IFCLR(MMU_FTR_1T_SEGMENT)
+ b slb_finish_load_1T
+
+-0:
++0: /*
++ * For userspace addresses, make sure this is region 0.
++ */
++ cmpdi r9, 0
++ bne 8f
++
+ /* when using slices, we extract the psize off the slice bitmaps
+ * and then we need to get the sllp encoding off the mmu_psize_defs
+ * array.
--- /dev/null
+From a9cbf0b2195b695cbeeeecaa4e2770948c212e9a Mon Sep 17 00:00:00 2001
+From: Mukesh Ojha <mukesh02@linux.vnet.ibm.com>
+Date: Mon, 22 Aug 2016 12:17:44 +0530
+Subject: powerpc/powernv : Drop reference added by kset_find_obj()
+
+From: Mukesh Ojha <mukesh02@linux.vnet.ibm.com>
+
+commit a9cbf0b2195b695cbeeeecaa4e2770948c212e9a upstream.
+
+In a situation, where Linux kernel gets notified about duplicate error log
+from OPAL, it is been observed that kernel fails to remove sysfs entries
+(/sys/firmware/opal/elog/0xXXXXXXXX) of such error logs. This is because,
+we currently search the error log/dump kobject in the kset list via
+'kset_find_obj()' routine. Which eventually increment the reference count
+by one, once it founds the kobject.
+
+So, unless we decrement the reference count by one after it found the kobject,
+we would not be able to release the kobject properly later.
+
+This patch adds the 'kobject_put()' which was missing earlier.
+
+Signed-off-by: Mukesh Ojha <mukesh02@linux.vnet.ibm.com>
+Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/opal-dump.c | 7 ++++++-
+ arch/powerpc/platforms/powernv/opal-elog.c | 7 ++++++-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/opal-dump.c
++++ b/arch/powerpc/platforms/powernv/opal-dump.c
+@@ -370,6 +370,7 @@ static irqreturn_t process_dump(int irq,
+ uint32_t dump_id, dump_size, dump_type;
+ struct dump_obj *dump;
+ char name[22];
++ struct kobject *kobj;
+
+ rc = dump_read_info(&dump_id, &dump_size, &dump_type);
+ if (rc != OPAL_SUCCESS)
+@@ -381,8 +382,12 @@ static irqreturn_t process_dump(int irq,
+ * that gracefully and not create two conflicting
+ * entries.
+ */
+- if (kset_find_obj(dump_kset, name))
++ kobj = kset_find_obj(dump_kset, name);
++ if (kobj) {
++ /* Drop reference added by kset_find_obj() */
++ kobject_put(kobj);
+ return 0;
++ }
+
+ dump = create_dump_obj(dump_id, dump_size, dump_type);
+ if (!dump)
+--- a/arch/powerpc/platforms/powernv/opal-elog.c
++++ b/arch/powerpc/platforms/powernv/opal-elog.c
+@@ -247,6 +247,7 @@ static irqreturn_t elog_event(int irq, v
+ uint64_t elog_type;
+ int rc;
+ char name[2+16+1];
++ struct kobject *kobj;
+
+ rc = opal_get_elog_size(&id, &size, &type);
+ if (rc != OPAL_SUCCESS) {
+@@ -269,8 +270,12 @@ static irqreturn_t elog_event(int irq, v
+ * that gracefully and not create two conflicting
+ * entries.
+ */
+- if (kset_find_obj(elog_kset, name))
++ kobj = kset_find_obj(elog_kset, name);
++ if (kobj) {
++ /* Drop reference added by kset_find_obj() */
++ kobject_put(kobj);
+ return IRQ_HANDLED;
++ }
+
+ create_elog_obj(log_id, elog_size, elog_type);
+
--- /dev/null
+From cc7786d3ee7e3c979799db834b528db2c0834c2e Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Mon, 25 Jul 2016 14:26:51 +1000
+Subject: powerpc/tm: do not use r13 for tabort_syscall
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit cc7786d3ee7e3c979799db834b528db2c0834c2e upstream.
+
+tabort_syscall runs with RI=1, so a nested recoverable machine
+check will load the paca into r13 and overwrite what we loaded
+it with, because exceptions returning to privileged mode do not
+restore r13.
+
+Fixes: b4b56f9ecab4 (powerpc/tm: Abort syscalls in active transactions)
+Signed-off-by: Nick Piggin <npiggin@gmail.com>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/entry_64.S | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/powerpc/kernel/entry_64.S
++++ b/arch/powerpc/kernel/entry_64.S
+@@ -334,13 +334,13 @@ syscall_exit_work:
+ tabort_syscall:
+ /* Firstly we need to enable TM in the kernel */
+ mfmsr r10
+- li r13, 1
+- rldimi r10, r13, MSR_TM_LG, 63-MSR_TM_LG
++ li r9, 1
++ rldimi r10, r9, MSR_TM_LG, 63-MSR_TM_LG
+ mtmsrd r10, 0
+
+ /* tabort, this dooms the transaction, nothing else */
+- li r13, (TM_CAUSE_SYSCALL|TM_CAUSE_PERSISTENT)
+- TABORT(R13)
++ li r9, (TM_CAUSE_SYSCALL|TM_CAUSE_PERSISTENT)
++ TABORT(R9)
+
+ /*
+ * Return directly to userspace. We have corrupted user register state,
+@@ -348,8 +348,8 @@ tabort_syscall:
+ * resume after the tbegin of the aborted transaction with the
+ * checkpointed register state.
+ */
+- li r13, MSR_RI
+- andc r10, r10, r13
++ li r9, MSR_RI
++ andc r10, r10, r9
+ mtmsrd r10, 1
+ mtspr SPRN_SRR0, r11
+ mtspr SPRN_SRR1, r12
--- /dev/null
+From 4d0bd46a4d55383f7b925e6cf7865a77e0f0e020 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 8 Aug 2016 08:45:33 +0200
+Subject: Revert "wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel"
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 4d0bd46a4d55383f7b925e6cf7865a77e0f0e020 upstream.
+
+This reverts commit 3d5fdff46c4b2b9534fa2f9fc78e90a48e0ff724.
+
+Ben Hutchings pointed out that the commit isn't safe since it assumes
+that the structure used by the driver is iw_point, when in fact there's
+no way to know about that.
+
+Fortunately, the only driver in the tree that ever runs this code path
+is the wilc1000 staging driver, so it doesn't really matter.
+
+Clearly I should have investigated this better before applying, sorry.
+
+Reported-by: Ben Hutchings <ben@decadent.org.uk>
+Fixes: 3d5fdff46c4b ("wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/wext-core.c | 25 ++-----------------------
+ 1 file changed, 2 insertions(+), 23 deletions(-)
+
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -955,29 +955,8 @@ static int wireless_process_ioctl(struct
+ return private(dev, iwr, cmd, info, handler);
+ }
+ /* Old driver API : call driver ioctl handler */
+- if (dev->netdev_ops->ndo_do_ioctl) {
+-#ifdef CONFIG_COMPAT
+- if (info->flags & IW_REQUEST_FLAG_COMPAT) {
+- int ret = 0;
+- struct iwreq iwr_lcl;
+- struct compat_iw_point *iwp_compat = (void *) &iwr->u.data;
+-
+- memcpy(&iwr_lcl, iwr, sizeof(struct iwreq));
+- iwr_lcl.u.data.pointer = compat_ptr(iwp_compat->pointer);
+- iwr_lcl.u.data.length = iwp_compat->length;
+- iwr_lcl.u.data.flags = iwp_compat->flags;
+-
+- ret = dev->netdev_ops->ndo_do_ioctl(dev, (void *) &iwr_lcl, cmd);
+-
+- iwp_compat->pointer = ptr_to_compat(iwr_lcl.u.data.pointer);
+- iwp_compat->length = iwr_lcl.u.data.length;
+- iwp_compat->flags = iwr_lcl.u.data.flags;
+-
+- return ret;
+- } else
+-#endif
+- return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
+- }
++ if (dev->netdev_ops->ndo_do_ioctl)
++ return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
+ return -EOPNOTSUPP;
+ }
+
--- /dev/null
+From 135e8c9250dd5c8c9aae5984fde6f230d0cbfeaf Mon Sep 17 00:00:00 2001
+From: Balbir Singh <bsingharora@gmail.com>
+Date: Mon, 5 Sep 2016 13:16:40 +1000
+Subject: sched/core: Fix a race between try_to_wake_up() and a woken up task
+
+From: Balbir Singh <bsingharora@gmail.com>
+
+commit 135e8c9250dd5c8c9aae5984fde6f230d0cbfeaf upstream.
+
+The origin of the issue I've seen is related to
+a missing memory barrier between check for task->state and
+the check for task->on_rq.
+
+The task being woken up is already awake from a schedule()
+and is doing the following:
+
+ do {
+ schedule()
+ set_current_state(TASK_(UN)INTERRUPTIBLE);
+ } while (!cond);
+
+The waker, actually gets stuck doing the following in
+try_to_wake_up():
+
+ while (p->on_cpu)
+ cpu_relax();
+
+Analysis:
+
+The instance I've seen involves the following race:
+
+ CPU1 CPU2
+
+ while () {
+ if (cond)
+ break;
+ do {
+ schedule();
+ set_current_state(TASK_UN..)
+ } while (!cond);
+ wakeup_routine()
+ spin_lock_irqsave(wait_lock)
+ raw_spin_lock_irqsave(wait_lock) wake_up_process()
+ } try_to_wake_up()
+ set_current_state(TASK_RUNNING); ..
+ list_del(&waiter.list);
+
+CPU2 wakes up CPU1, but before it can get the wait_lock and set
+current state to TASK_RUNNING the following occurs:
+
+ CPU3
+ wakeup_routine()
+ raw_spin_lock_irqsave(wait_lock)
+ if (!list_empty)
+ wake_up_process()
+ try_to_wake_up()
+ raw_spin_lock_irqsave(p->pi_lock)
+ ..
+ if (p->on_rq && ttwu_wakeup())
+ ..
+ while (p->on_cpu)
+ cpu_relax()
+ ..
+
+CPU3 tries to wake up the task on CPU1 again since it finds
+it on the wait_queue, CPU1 is spinning on wait_lock, but immediately
+after CPU2, CPU3 got it.
+
+CPU3 checks the state of p on CPU1, it is TASK_UNINTERRUPTIBLE and
+the task is spinning on the wait_lock. Interestingly since p->on_rq
+is checked under pi_lock, I've noticed that try_to_wake_up() finds
+p->on_rq to be 0. This was the most confusing bit of the analysis,
+but p->on_rq is changed under runqueue lock, rq_lock, the p->on_rq
+check is not reliable without this fix IMHO. The race is visible
+(based on the analysis) only when ttwu_queue() does a remote wakeup
+via ttwu_queue_remote. In which case the p->on_rq change is not
+done uder the pi_lock.
+
+The result is that after a while the entire system locks up on
+the raw_spin_irqlock_save(wait_lock) and the holder spins infintely
+
+Reproduction of the issue:
+
+The issue can be reproduced after a long run on my system with 80
+threads and having to tweak available memory to very low and running
+memory stress-ng mmapfork test. It usually takes a long time to
+reproduce. I am trying to work on a test case that can reproduce
+the issue faster, but thats work in progress. I am still testing the
+changes on my still in a loop and the tests seem OK thus far.
+
+Big thanks to Benjamin and Nick for helping debug this as well.
+Ben helped catch the missing barrier, Nick caught every missing
+bit in my theory.
+
+Signed-off-by: Balbir Singh <bsingharora@gmail.com>
+[ Updated comment to clarify matching barriers. Many
+ architectures do not have a full barrier in switch_to()
+ so that cannot be relied upon. ]
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Alexey Kardashevskiy <aik@ozlabs.ru>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Nicholas Piggin <nicholas.piggin@gmail.com>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/e02cce7b-d9ca-1ad0-7a61-ea97c7582b37@gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/core.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -1945,6 +1945,28 @@ try_to_wake_up(struct task_struct *p, un
+ success = 1; /* we're going to change ->state */
+ cpu = task_cpu(p);
+
++ /*
++ * Ensure we load p->on_rq _after_ p->state, otherwise it would
++ * be possible to, falsely, observe p->on_rq == 0 and get stuck
++ * in smp_cond_load_acquire() below.
++ *
++ * sched_ttwu_pending() try_to_wake_up()
++ * [S] p->on_rq = 1; [L] P->state
++ * UNLOCK rq->lock -----.
++ * \
++ * +--- RMB
++ * schedule() /
++ * LOCK rq->lock -----'
++ * UNLOCK rq->lock
++ *
++ * [task p]
++ * [S] p->state = UNINTERRUPTIBLE [L] p->on_rq
++ *
++ * Pairs with the UNLOCK+LOCK on rq->lock from the
++ * last wakeup of our task and the schedule that got our task
++ * current.
++ */
++ smp_rmb();
+ if (p->on_rq && ttwu_remote(p, wake_flags))
+ goto stat;
+
--- /dev/null
+From c8d192428f52f244130b84650ad616df09f2b1e1 Mon Sep 17 00:00:00 2001
+From: Jimi Damon <jdamon@accesio.com>
+Date: Wed, 20 Jul 2016 17:00:40 -0700
+Subject: serial: 8250: added acces i/o products quad and octal serial cards
+
+From: Jimi Damon <jdamon@accesio.com>
+
+commit c8d192428f52f244130b84650ad616df09f2b1e1 upstream.
+
+Added devices ids for acces i/o products quad and octal serial cards
+that make use of existing Pericom PI7C9X7954 and PI7C9X7958
+configurations .
+
+Signed-off-by: Jimi Damon <jdamon@accesio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_pci.c | 139 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 139 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -1952,6 +1952,43 @@ pci_wch_ch38x_setup(struct serial_privat
+ #define PCI_DEVICE_ID_PERICOM_PI7C9X7954 0x7954
+ #define PCI_DEVICE_ID_PERICOM_PI7C9X7958 0x7958
+
++#define PCI_VENDOR_ID_ACCESIO 0x494f
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SDB 0x1051
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2S 0x1053
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB 0x105C
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4S 0x105E
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_2DB 0x1091
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_2 0x1093
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB 0x1099
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_4 0x109B
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SMDB 0x10D1
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2SM 0x10D3
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB 0x10DA
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4SM 0x10DC
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1 0x1108
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_2 0x1110
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_2 0x1111
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4 0x1118
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_4 0x1119
++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2S 0x1152
++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S 0x115A
++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_2 0x1190
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_2 0x1191
++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4 0x1198
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_4 0x1199
++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2SM 0x11D0
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4 0x105A
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4 0x105B
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM422_8 0x106A
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM485_8 0x106B
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4 0x1098
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_8 0x10A9
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM 0x10D9
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_8SM 0x10E9
++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM 0x11D8
++
++
++
+ /* Unknown vendors/cards - this should not be in linux/pci_ids.h */
+ #define PCI_SUBDEVICE_ID_UNKNOWN_0x1584 0x1584
+ #define PCI_SUBDEVICE_ID_UNKNOWN_0x1588 0x1588
+@@ -5120,6 +5157,108 @@ static struct pci_device_id serial_pci_t
+ 0,
+ 0, pbn_pericom_PI7C9X7958 },
+ /*
++ * ACCES I/O Products quad
++ */
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SDB,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2S,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4S,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_2DB,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_2,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_4,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SMDB,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2SM,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4SM,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_2,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_2,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_4,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2S,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_2,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_2,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_4,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2SM,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7954 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7958 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7958 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM422_8,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7958 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM485_8,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7958 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7958 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_8,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7958 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7958 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_8SM,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7958 },
++ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM,
++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++ pbn_pericom_PI7C9X7958 },
++ /*
+ * Topic TP560 Data/Fax/Voice 56k modem (reported by Evan Clarke)
+ */
+ { PCI_VENDOR_ID_TOPIC, PCI_DEVICE_ID_TOPIC_TP560,
--- /dev/null
+From 47b34d2ef266e2c283b514d65c8963c2ccd42474 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Fri, 1 Jul 2016 17:21:49 +0300
+Subject: serial: 8250_mid: fix divide error bug if baud rate is 0
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 47b34d2ef266e2c283b514d65c8963c2ccd42474 upstream.
+
+Since the commit c1a67b48f6a5 ("serial: 8250_pci: replace switch-case by
+formula for Intel MID"), the 8250 driver crashes in the byt_set_termios()
+function with a divide error. This is caused by the fact that a baud rate of 0
+(B0) is not handled properly. Fix it by falling back to B9600 in this case.
+
+Reported-by: "Mendez Salinas, Fernando" <fernando.mendez.salinas@intel.com>
+Fixes: c1a67b48f6a5 ("serial: 8250_pci: replace switch-case by formula for Intel MID")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_mid.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_mid.c
++++ b/drivers/tty/serial/8250/8250_mid.c
+@@ -149,6 +149,9 @@ static void mid8250_set_termios(struct u
+ unsigned long w = BIT(24) - 1;
+ unsigned long mul, div;
+
++ /* Gracefully handle the B0 case: fall back to B9600 */
++ fuart = fuart ? fuart : 9600 * 16;
++
+ if (mid->board->freq < fuart) {
+ /* Find prescaler value that satisfies Fuart < Fref */
+ if (mid->board->freq > baud)
fscrypto-require-write-access-to-mount-to-set-encryption-policy.patch
lightnvm-put-bio-before-return.patch
tipc-move-linearization-of-buffers-to-generic-code.patch
+powerpc-tm-do-not-use-r13-for-tabort_syscall.patch
+powerpc-powernv-drop-reference-added-by-kset_find_obj.patch
+powerpc-mm-don-t-alias-user-region-to-other-regions-below-page_offset.patch
+kernfs-don-t-depend-on-d_find_any_alias-when-generating-notifications.patch
+pnfs-the-client-must-not-do-i-o-to-the-ds-if-it-s-lease-has-expired.patch
+nfsv4.1-fix-oopsable-condition-in-server-callback-races.patch
+nfsv4.x-fix-a-refcount-leak-in-nfs_callback_up_net.patch
+nfsd-close-race-between-nfsd4_release_lockowner-and-nfsd4_lock.patch
+pnfs-ensure-layoutget-and-layoutreturn-are-properly-serialised.patch
+nfsv4.1-fix-the-create_session-slot-number-accounting.patch
+kexec-fix-double-free-when-failing-to-relocate-the-purgatory.patch
+mm-introduce-get_task_exe_file.patch
+audit-fix-exe_file-access-in-audit_exe_compare.patch
+dm-flakey-fix-reads-to-be-issued-if-drop_writes-configured.patch
+ib-uverbs-fix-race-between-uverbs_close-and-remove_one.patch
+arc-mm-fix-build-breakage-with-strict_mm_typechecks.patch
+x86-paravirt-do-not-trace-_paravirt_ident_-functions.patch
+x86-amd-apply-erratum-665-on-machines-without-a-bios-fix.patch
+kvm-arm-unmap-shadow-pagetables-properly.patch
+iio-accel-kxsd9-fix-raw-read-return.patch
+iio-proximity-as3935-set-up-buffer-timestamps-for-non-zero-values.patch
+iio-adc-rockchip_saradc-reset-saradc-controller-before-programming-it.patch
+iio-adc-ti_am335x_adc-protect-fifo1-from-concurrent-access.patch
+iio-adc-ti_am335x_adc-increase-timeout-value-waiting-for-adc-sample.patch
+iio-ad799x-fix-buffered-capture-for-ad7991-ad7995-ad7999.patch
+iio-adc-at91-unbreak-channel-adc-channel-3.patch
+iio-accel-bmc150-reset-chip-at-init-time.patch
+iio-fix-pressure-data-output-unit-in-hid-sensor-attributes.patch
+iio-accel-kxsd9-fix-scaling-bug.patch
+iio-core-fix-iio_val_fractional-sign-handling.patch
+iio-ensure-ret-is-initialized-to-zero-before-entering-do-loop.patch
+serial-8250_mid-fix-divide-error-bug-if-baud-rate-is-0.patch
+serial-8250-added-acces-i-o-products-quad-and-octal-serial-cards.patch
+usb-serial-simple-add-support-for-another-infineon-flashloader.patch
+usb-renesas_usbhs-fix-clearing-the-brdy-bemp-sts-condition.patch
+usb-chipidea-udc-fix-null-ptr-dereference-in-isr_setup_status_phase.patch
+arm-dts-stih410-handle-interconnect-clock-required-by-ehci-ohci-usb.patch
+usb-change-binterval-default-to-10-ms.patch
+cxl-use-pcibios_free_controller_deferred-when-removing-vphbs.patch
+net-thunderx-fix-oops-with-ethtool-register-dump.patch
+cpuset-make-sure-new-tasks-conform-to-the-current-config-of-the-cpuset.patch
+arm-am43xx-hwmod-fix-rstst-register-offset-for-pruss.patch
+arm-imx6-add-missing-bm_clpcr_byp_mmdc_ch0_lpm_hs-setting-for-imx6ul.patch
+arm-imx6-add-missing-bm_clpcr_bypass_pmic_ready-setting-for-imx6sx.patch
+arm-kirkwood-ib62x0-fix-size-of-u-boot-environment-partition.patch
+arm-omap3-hwmod-data-add-sysc-information-for-dsi.patch
+arm-dts-imx6qdl-fix-spdif-regression.patch
+arm-dts-overo-fix-gpmc-nand-cs0-range.patch
+arm-dts-overo-fix-gpmc-nand-on-boards-with-ethernet.patch
+arm-dts-stih407-family-provide-interconnect-clock-for-consumption-in-st-sdhci.patch
+bus-arm-ccn-fix-pmu-handling-of-mn.patch
+bus-arm-ccn-do-not-attempt-to-configure-xps-for-cycle-counter.patch
+bus-arm-ccn-fix-xp-watchpoint-settings-bitmask.patch
+dm-log-writes-fix-check-of-kthread_run-return-value.patch
+dm-log-writes-move-io-accounting-earlier-to-fix-error-path.patch
+dm-crypt-fix-error-with-too-large-bios.patch
+pinctrl-pistachio-fix-mfio-pll_lock-pinmux.patch
+pinctrl-sunxi-fix-uart1-cts-rts-pins-at-pg-on-a23-a33.patch
+arm64-spinlocks-implement-smp_mb__before_spinlock-as-smp_mb.patch
+crypto-cryptd-initialize-child-shash_desc-on-import.patch
+btrfs-remove-root_log_ctx-from-ctx-list-before-btrfs_sync_log-returns.patch
+fuse-direct-io-don-t-dirty-iter_bvec-pages.patch
+xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch
+md-cluster-make-md-cluster-also-can-work-when-compiled-into-kernel.patch
+ath9k-fix-using-sta-drv_priv-before-initializing-it.patch
+revert-wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch
+sched-core-fix-a-race-between-try_to_wake_up-and-a-woken-up-task.patch
+ipv6-addrconf-fix-dev-refcont-leak-when-dad-failed.patch
--- /dev/null
+From 08c5cd37480f59ea39682f4585d92269be6b1424 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 16 Sep 2016 10:24:26 -0400
+Subject: USB: change bInterval default to 10 ms
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 08c5cd37480f59ea39682f4585d92269be6b1424 upstream.
+
+Some full-speed mceusb infrared transceivers contain invalid endpoint
+descriptors for their interrupt endpoints, with bInterval set to 0.
+In the past they have worked out okay with the mceusb driver, because
+the driver sets the bInterval field in the descriptor to 1,
+overwriting whatever value may have been there before. However, this
+approach was never sanctioned by the USB core, and in fact it does not
+work with xHCI controllers, because they use the bInterval value that
+was present when the configuration was installed.
+
+Currently usbcore uses 32 ms as the default interval if the value in
+the endpoint descriptor is invalid. It turns out that these IR
+transceivers don't work properly unless the interval is set to 10 ms
+or below. To work around this mceusb problem, this patch changes the
+endpoint-descriptor parsing routine, making the default interval value
+be 10 ms rather than 32 ms.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Tested-by: Wade Berrier <wberrier@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/config.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -211,8 +211,10 @@ static int usb_parse_endpoint(struct dev
+ memcpy(&endpoint->desc, d, n);
+ INIT_LIST_HEAD(&endpoint->urb_list);
+
+- /* Fix up bInterval values outside the legal range. Use 32 ms if no
+- * proper value can be guessed. */
++ /*
++ * Fix up bInterval values outside the legal range.
++ * Use 10 or 8 ms if no proper value can be guessed.
++ */
+ i = 0; /* i = min, j = max, n = default */
+ j = 255;
+ if (usb_endpoint_xfer_int(d)) {
+@@ -221,13 +223,15 @@ static int usb_parse_endpoint(struct dev
+ case USB_SPEED_SUPER_PLUS:
+ case USB_SPEED_SUPER:
+ case USB_SPEED_HIGH:
+- /* Many device manufacturers are using full-speed
++ /*
++ * Many device manufacturers are using full-speed
+ * bInterval values in high-speed interrupt endpoint
+- * descriptors. Try to fix those and fall back to a
+- * 32 ms default value otherwise. */
++ * descriptors. Try to fix those and fall back to an
++ * 8-ms default value otherwise.
++ */
+ n = fls(d->bInterval*8);
+ if (n == 0)
+- n = 9; /* 32 ms = 2^(9-1) uframes */
++ n = 7; /* 8 ms = 2^(7-1) uframes */
+ j = 16;
+
+ /*
+@@ -242,10 +246,12 @@ static int usb_parse_endpoint(struct dev
+ }
+ break;
+ default: /* USB_SPEED_FULL or _LOW */
+- /* For low-speed, 10 ms is the official minimum.
++ /*
++ * For low-speed, 10 ms is the official minimum.
+ * But some "overclocked" devices might want faster
+- * polling so we'll allow it. */
+- n = 32;
++ * polling so we'll allow it.
++ */
++ n = 10;
+ break;
+ }
+ } else if (usb_endpoint_xfer_isoc(d)) {
+@@ -253,10 +259,10 @@ static int usb_parse_endpoint(struct dev
+ j = 16;
+ switch (to_usb_device(ddev)->speed) {
+ case USB_SPEED_HIGH:
+- n = 9; /* 32 ms = 2^(9-1) uframes */
++ n = 7; /* 8 ms = 2^(7-1) uframes */
+ break;
+ default: /* USB_SPEED_FULL */
+- n = 6; /* 32 ms = 2^(6-1) frames */
++ n = 4; /* 8 ms = 2^(4-1) frames */
+ break;
+ }
+ }
--- /dev/null
+From 6f3c4fb6d05e63c9c6d8968302491c3a5457be61 Mon Sep 17 00:00:00 2001
+From: Clemens Gruber <clemens.gruber@pqgruber.com>
+Date: Mon, 5 Sep 2016 19:29:58 +0200
+Subject: usb: chipidea: udc: fix NULL ptr dereference in isr_setup_status_phase
+
+From: Clemens Gruber <clemens.gruber@pqgruber.com>
+
+commit 6f3c4fb6d05e63c9c6d8968302491c3a5457be61 upstream.
+
+Problems with the signal integrity of the high speed USB data lines or
+noise on reference ground lines can cause the i.MX6 USB controller to
+violate USB specs and exhibit unexpected behavior.
+
+It was observed that USBi_UI interrupts were triggered first and when
+isr_setup_status_phase was called, ci->status was NULL, which lead to a
+NULL pointer dereference kernel panic.
+
+This patch fixes the kernel panic, emits a warning once and returns
+-EPIPE to halt the device and let the host get stalled.
+It also adds a comment to point people, who are experiencing this issue,
+to their USB hardware design.
+
+Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/chipidea/udc.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/chipidea/udc.c
++++ b/drivers/usb/chipidea/udc.c
+@@ -939,6 +939,15 @@ static int isr_setup_status_phase(struct
+ int retval;
+ struct ci_hw_ep *hwep;
+
++ /*
++ * Unexpected USB controller behavior, caused by bad signal integrity
++ * or ground reference problems, can lead to isr_setup_status_phase
++ * being called with ci->status equal to NULL.
++ * If this situation occurs, you should review your USB hardware design.
++ */
++ if (WARN_ON_ONCE(!ci->status))
++ return -EPIPE;
++
+ hwep = (ci->ep0_dir == TX) ? ci->ep0out : ci->ep0in;
+ ci->status->context = ci;
+ ci->status->complete = isr_setup_status_complete;
--- /dev/null
+From 519d8bd4b5d3d82c413eac5bb42b106bb4b9ec15 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Mon, 29 Aug 2016 18:00:38 +0900
+Subject: usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 519d8bd4b5d3d82c413eac5bb42b106bb4b9ec15 upstream.
+
+The previous driver is possible to stop the transfer wrongly.
+For example:
+ 1) An interrupt happens, but not BRDY interruption.
+ 2) Read INTSTS0. And than state->intsts0 is not set to BRDY.
+ 3) BRDY is set to 1 here.
+ 4) Read BRDYSTS.
+ 5) Clear the BRDYSTS. And then. the BRDY is cleared wrongly.
+
+Remarks:
+ - The INTSTS0.BRDY is read only.
+ - If any bits of BRDYSTS are set to 1, the BRDY is set to 1.
+ - If BRDYSTS is 0, the BRDY is set to 0.
+
+So, this patch adds condition to avoid such situation. (And about
+NRDYSTS, this is not used for now. But, avoiding any side effects,
+this patch doesn't touch it.)
+
+Fixes: d5c6a1e024dd ("usb: renesas_usbhs: fixup interrupt status clear method")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/renesas_usbhs/mod.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/renesas_usbhs/mod.c
++++ b/drivers/usb/renesas_usbhs/mod.c
+@@ -282,9 +282,16 @@ static irqreturn_t usbhs_interrupt(int i
+ if (usbhs_mod_is_host(priv))
+ usbhs_write(priv, INTSTS1, ~irq_state.intsts1 & INTSTS1_MAGIC);
+
+- usbhs_write(priv, BRDYSTS, ~irq_state.brdysts);
++ /*
++ * The driver should not clear the xxxSTS after the line of
++ * "call irq callback functions" because each "if" statement is
++ * possible to call the callback function for avoiding any side effects.
++ */
++ if (irq_state.intsts0 & BRDY)
++ usbhs_write(priv, BRDYSTS, ~irq_state.brdysts);
+ usbhs_write(priv, NRDYSTS, ~irq_state.nrdysts);
+- usbhs_write(priv, BEMPSTS, ~irq_state.bempsts);
++ if (irq_state.intsts0 & BEMP)
++ usbhs_write(priv, BEMPSTS, ~irq_state.bempsts);
+
+ /*
+ * call irq callback functions
--- /dev/null
+From f190fd92458da3e869b4e2c6289e2c617490ae53 Mon Sep 17 00:00:00 2001
+From: Daniele Palmas <dnlplm@gmail.com>
+Date: Fri, 2 Sep 2016 10:37:56 +0200
+Subject: USB: serial: simple: add support for another Infineon flashloader
+
+From: Daniele Palmas <dnlplm@gmail.com>
+
+commit f190fd92458da3e869b4e2c6289e2c617490ae53 upstream.
+
+This patch adds support for Infineon flashloader 0x8087/0x0801.
+
+The flashloader is used in Telit LE940B modem family with Telit
+flashing application.
+
+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/usb-serial-simple.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/usb-serial-simple.c
++++ b/drivers/usb/serial/usb-serial-simple.c
+@@ -54,7 +54,8 @@ DEVICE(funsoft, FUNSOFT_IDS);
+ /* Infineon Flashloader driver */
+ #define FLASHLOADER_IDS() \
+ { USB_DEVICE_INTERFACE_CLASS(0x058b, 0x0041, USB_CLASS_CDC_DATA) }, \
+- { USB_DEVICE(0x8087, 0x0716) }
++ { USB_DEVICE(0x8087, 0x0716) }, \
++ { USB_DEVICE(0x8087, 0x0801) }
+ DEVICE(flashloader, FLASHLOADER_IDS);
+
+ /* Google Serial USB SubClass */
--- /dev/null
+From d1992996753132e2dafe955cccb2fb0714d3cfc4 Mon Sep 17 00:00:00 2001
+From: Emanuel Czirai <icanrealizeum@gmail.com>
+Date: Fri, 2 Sep 2016 07:35:50 +0200
+Subject: x86/AMD: Apply erratum 665 on machines without a BIOS fix
+
+From: Emanuel Czirai <icanrealizeum@gmail.com>
+
+commit d1992996753132e2dafe955cccb2fb0714d3cfc4 upstream.
+
+AMD F12h machines have an erratum which can cause DIV/IDIV to behave
+unpredictably. The workaround is to set MSRC001_1029[31] but sometimes
+there is no BIOS update containing that workaround so let's do it
+ourselves unconditionally. It is simple enough.
+
+[ Borislav: Wrote commit message. ]
+
+Signed-off-by: Emanuel Czirai <icanrealizeum@gmail.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Yaowu Xu <yaowu@google.com>
+Link: http://lkml.kernel.org/r/20160902053550.18097-1-bp@alien8.de
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/amd.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -656,6 +656,17 @@ static void init_amd_gh(struct cpuinfo_x
+ set_cpu_bug(c, X86_BUG_AMD_TLB_MMATCH);
+ }
+
++#define MSR_AMD64_DE_CFG 0xC0011029
++
++static void init_amd_ln(struct cpuinfo_x86 *c)
++{
++ /*
++ * Apply erratum 665 fix unconditionally so machines without a BIOS
++ * fix work.
++ */
++ msr_set_bit(MSR_AMD64_DE_CFG, 31);
++}
++
+ static void init_amd_bd(struct cpuinfo_x86 *c)
+ {
+ u64 value;
+@@ -713,6 +724,7 @@ static void init_amd(struct cpuinfo_x86
+ case 6: init_amd_k7(c); break;
+ case 0xf: init_amd_k8(c); break;
+ case 0x10: init_amd_gh(c); break;
++ case 0x12: init_amd_ln(c); break;
+ case 0x15: init_amd_bd(c); break;
+ }
+
--- /dev/null
+From 15301a570754c7af60335d094dd2d1808b0641a5 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Wed, 25 May 2016 13:47:26 -0400
+Subject: x86/paravirt: Do not trace _paravirt_ident_*() functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 15301a570754c7af60335d094dd2d1808b0641a5 upstream.
+
+Łukasz Daniluk reported that on a RHEL kernel that his machine would lock up
+after enabling function tracer. I asked him to bisect the functions within
+available_filter_functions, which he did and it came down to three:
+
+ _paravirt_nop(), _paravirt_ident_32() and _paravirt_ident_64()
+
+It was found that this is only an issue when noreplace-paravirt is added
+to the kernel command line.
+
+This means that those functions are most likely called within critical
+sections of the funtion tracer, and must not be traced.
+
+In newer kenels _paravirt_nop() is defined within gcc asm(), and is no
+longer an issue. But both _paravirt_ident_{32,64}() causes the
+following splat when they are traced:
+
+ mm/pgtable-generic.c:33: bad pmd ffff8800d2435150(0000000001d00054)
+ mm/pgtable-generic.c:33: bad pmd ffff8800d3624190(0000000001d00070)
+ mm/pgtable-generic.c:33: bad pmd ffff8800d36a5110(0000000001d00054)
+ mm/pgtable-generic.c:33: bad pmd ffff880118eb1450(0000000001d00054)
+ NMI watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [systemd-journal:469]
+ Modules linked in: e1000e
+ CPU: 2 PID: 469 Comm: systemd-journal Not tainted 4.6.0-rc4-test+ #513
+ Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
+ task: ffff880118f740c0 ti: ffff8800d4aec000 task.ti: ffff8800d4aec000
+ RIP: 0010:[<ffffffff81134148>] [<ffffffff81134148>] queued_spin_lock_slowpath+0x118/0x1a0
+ RSP: 0018:ffff8800d4aefb90 EFLAGS: 00000246
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88011eb16d40
+ RDX: ffffffff82485760 RSI: 000000001f288820 RDI: ffffea0000008030
+ RBP: ffff8800d4aefb90 R08: 00000000000c0000 R09: 0000000000000000
+ R10: ffffffff821c8e0e R11: 0000000000000000 R12: ffff880000200fb8
+ R13: 00007f7a4e3f7000 R14: ffffea000303f600 R15: ffff8800d4b562e0
+ FS: 00007f7a4e3d7840(0000) GS:ffff88011eb00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f7a4e3f7000 CR3: 00000000d3e71000 CR4: 00000000001406e0
+ Call Trace:
+ _raw_spin_lock+0x27/0x30
+ handle_pte_fault+0x13db/0x16b0
+ handle_mm_fault+0x312/0x670
+ __do_page_fault+0x1b1/0x4e0
+ do_page_fault+0x22/0x30
+ page_fault+0x28/0x30
+ __vfs_read+0x28/0xe0
+ vfs_read+0x86/0x130
+ SyS_read+0x46/0xa0
+ entry_SYSCALL_64_fastpath+0x1e/0xa8
+ Code: 12 48 c1 ea 0c 83 e8 01 83 e2 30 48 98 48 81 c2 40 6d 01 00 48 03 14 c5 80 6a 5d 82 48 89 0a 8b 41 08 85 c0 75 09 f3 90 8b 41 08 <85> c0 74 f7 4c 8b 09 4d 85 c9 74 08 41 0f 18 09 eb 02 f3 90 8b
+
+Reported-by: Łukasz Daniluk <lukasz.daniluk@intel.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/paravirt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/paravirt.c
++++ b/arch/x86/kernel/paravirt.c
+@@ -55,12 +55,12 @@ asm (".pushsection .entry.text, \"ax\"\n
+ ".popsection");
+
+ /* identity function, which can be inlined */
+-u32 _paravirt_ident_32(u32 x)
++u32 notrace _paravirt_ident_32(u32 x)
+ {
+ return x;
+ }
+
+-u64 _paravirt_ident_64(u64 x)
++u64 notrace _paravirt_ident_64(u64 x)
+ {
+ return x;
+ }
--- /dev/null
+From bcf42aa60c2832510b9be0f30c090bfd35bb172d Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Wed, 7 Sep 2016 17:26:33 +0300
+Subject: xhci: fix null pointer dereference in stop command timeout function
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit bcf42aa60c2832510b9be0f30c090bfd35bb172d upstream.
+
+The stop endpoint command has its own 5 second timeout timer.
+If the timeout function is triggered between USB3 and USB2 host
+removal it will try to call usb_hc_died(xhci_to_hcd(xhci)->primary_hcd)
+
+the ->primary_hcd will be set to NULL at USB3 hcd removal.
+
+Fix this by first checking if the PCI host is being removed, and
+also by using only xhci_to_hcd() as it will always return the primary
+hcd.
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-ring.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -846,6 +846,10 @@ void xhci_stop_endpoint_command_watchdog
+ spin_lock_irqsave(&xhci->lock, flags);
+
+ ep->stop_cmds_pending--;
++ if (xhci->xhc_state & XHCI_STATE_REMOVING) {
++ spin_unlock_irqrestore(&xhci->lock, flags);
++ return;
++ }
+ if (xhci->xhc_state & XHCI_STATE_DYING) {
+ xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
+ "Stop EP timer ran, but another timer marked "
+@@ -899,7 +903,7 @@ void xhci_stop_endpoint_command_watchdog
+ spin_unlock_irqrestore(&xhci->lock, flags);
+ xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
+ "Calling usb_hc_died()");
+- usb_hc_died(xhci_to_hcd(xhci)->primary_hcd);
++ usb_hc_died(xhci_to_hcd(xhci));
+ xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
+ "xHCI host controller is dead.");
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
