--- /dev/null
+From 117e5e9c4cfcb7628f08de074fbfefec1bb678b7 Mon Sep 17 00:00:00 2001
+From: Srinivas Ramana <sramana@codeaurora.org>
+Date: Fri, 30 Sep 2016 15:03:31 +0100
+Subject: ARM: 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7
+
+From: Srinivas Ramana <sramana@codeaurora.org>
+
+commit 117e5e9c4cfcb7628f08de074fbfefec1bb678b7 upstream.
+
+If the bootloader uses the long descriptor format and jumps to
+kernel decompressor code, TTBCR may not be in a right state.
+Before enabling the MMU, it is required to clear the TTBCR.PD0
+field to use TTBR0 for translation table walks.
+
+The commit dbece45894d3a ("ARM: 7501/1: decompressor:
+reset ttbcr for VMSA ARMv7 cores") does the reset of TTBCR.N, but
+doesn't consider all the bits for the size of TTBCR.N.
+
+Clear TTBCR.PD0 field and reset all the three bits of TTBCR.N to
+indicate the use of TTBR0 and the correct base address width.
+
+Fixes: dbece45894d3 ("ARM: 7501/1: decompressor: reset ttbcr for VMSA ARMv7 cores")
+Acked-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Srinivas Ramana <sramana@codeaurora.org>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/compressed/head.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/compressed/head.S
++++ b/arch/arm/boot/compressed/head.S
+@@ -779,7 +779,7 @@ __armv7_mmu_cache_on:
+ orrne r0, r0, #1 @ MMU enabled
+ movne r1, #0xfffffffd @ domain 0 = client
+ bic r6, r6, #1 << 31 @ 32-bit translation system
+- bic r6, r6, #3 << 0 @ use only ttbr0
++ bic r6, r6, #(7 << 0) | (1 << 4) @ use only ttbr0
+ mcrne p15, 0, r3, c2, c0, 0 @ load page table pointer
+ mcrne p15, 0, r1, c3, c0, 0 @ load domain access control
+ mcrne p15, 0, r6, c2, c0, 2 @ load ttb control
--- /dev/null
+From 3a402a709500c5a3faca2111668c33d96555e35a Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Fri, 26 Aug 2016 11:36:39 +0100
+Subject: arm64: debug: avoid resetting stepping state machine when TIF_SINGLESTEP
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 3a402a709500c5a3faca2111668c33d96555e35a upstream.
+
+When TIF_SINGLESTEP is set for a task, the single-step state machine is
+enabled and we must take care not to reset it to the active-not-pending
+state if it is already in the active-pending state.
+
+Unfortunately, that's exactly what user_enable_single_step does, by
+unconditionally setting the SS bit in the SPSR for the current task.
+This causes failures in the GDB testsuite, where GDB ends up missing
+expected step traps if the instruction being stepped generates another
+trap, e.g. PTRACE_EVENT_FORK from an SVC instruction.
+
+This patch fixes the problem by preserving the current state of the
+stepping state machine when TIF_SINGLESTEP is set on the current thread.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: Yao Qi <yao.qi@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/debug-monitors.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kernel/debug-monitors.c
++++ b/arch/arm64/kernel/debug-monitors.c
+@@ -417,8 +417,10 @@ int kernel_active_single_step(void)
+ /* ptrace API */
+ void user_enable_single_step(struct task_struct *task)
+ {
+- set_ti_thread_flag(task_thread_info(task), TIF_SINGLESTEP);
+- set_regs_spsr_ss(task_pt_regs(task));
++ struct thread_info *ti = task_thread_info(task);
++
++ if (!test_and_set_ti_thread_flag(ti, TIF_SINGLESTEP))
++ set_regs_spsr_ss(task_pt_regs(task));
+ }
+
+ void user_disable_single_step(struct task_struct *task)
--- /dev/null
+From 936523441bb64cdc9a5b263e8fd2782e70313a57 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 6 Aug 2016 15:50:52 +0200
+Subject: batman-adv: Add missing refcnt for last_candidate
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit 936523441bb64cdc9a5b263e8fd2782e70313a57 upstream.
+
+batadv_find_router dereferences last_bonding_candidate from
+orig_node without making sure that it has a valid reference. This reference
+has to be retrieved by increasing the reference counter while holding
+neigh_list_lock. The lock is required to avoid that
+batadv_last_bonding_replace removes the current last_bonding_candidate,
+reduces the reference counter and maybe destroys the object in this
+process.
+
+Fixes: f3b3d9018975 ("batman-adv: add bonding again")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/batman-adv/routing.c | 28 +++++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/routing.c
++++ b/net/batman-adv/routing.c
+@@ -456,6 +456,29 @@ static int batadv_check_unicast_packet(s
+ }
+
+ /**
++ * batadv_last_bonding_get - Get last_bonding_candidate of orig_node
++ * @orig_node: originator node whose last bonding candidate should be retrieved
++ *
++ * Return: last bonding candidate of router or NULL if not found
++ *
++ * The object is returned with refcounter increased by 1.
++ */
++static struct batadv_orig_ifinfo *
++batadv_last_bonding_get(struct batadv_orig_node *orig_node)
++{
++ struct batadv_orig_ifinfo *last_bonding_candidate;
++
++ spin_lock_bh(&orig_node->neigh_list_lock);
++ last_bonding_candidate = orig_node->last_bonding_candidate;
++
++ if (last_bonding_candidate)
++ kref_get(&last_bonding_candidate->refcount);
++ spin_unlock_bh(&orig_node->neigh_list_lock);
++
++ return last_bonding_candidate;
++}
++
++/**
+ * batadv_last_bonding_replace - Replace last_bonding_candidate of orig_node
+ * @orig_node: originator node whose bonding candidates should be replaced
+ * @new_candidate: new bonding candidate or NULL
+@@ -525,7 +548,7 @@ batadv_find_router(struct batadv_priv *b
+ * router - obviously there are no other candidates.
+ */
+ rcu_read_lock();
+- last_candidate = orig_node->last_bonding_candidate;
++ last_candidate = batadv_last_bonding_get(orig_node);
+ if (last_candidate)
+ last_cand_router = rcu_dereference(last_candidate->router);
+
+@@ -617,6 +640,9 @@ next:
+ batadv_orig_ifinfo_put(next_candidate);
+ }
+
++ if (last_candidate)
++ batadv_orig_ifinfo_put(last_candidate);
++
+ return router;
+ }
+
--- /dev/null
+From 1e5d343b8f23770e8ac5d31f5c439826bdb35148 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@c0d3.blue>
+Date: Tue, 23 Aug 2016 03:13:03 +0200
+Subject: batman-adv: fix elp packet data reservation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+
+commit 1e5d343b8f23770e8ac5d31f5c439826bdb35148 upstream.
+
+The skb_reserve() call only reserved headroom for the mac header, but
+not the elp packet header itself.
+
+Fixing this by using skb_put()'ing towards the skb tail instead of
+skb_push()'ing towards the skb head.
+
+Fixes: d6f94d91f766 ("batman-adv: ELP - adding basic infrastructure")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/batman-adv/bat_v_elp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -334,7 +334,7 @@ int batadv_v_elp_iface_enable(struct bat
+ goto out;
+
+ skb_reserve(hard_iface->bat_v.elp_skb, ETH_HLEN + NET_IP_ALIGN);
+- elp_buff = skb_push(hard_iface->bat_v.elp_skb, BATADV_ELP_HLEN);
++ elp_buff = skb_put(hard_iface->bat_v.elp_skb, BATADV_ELP_HLEN);
+ elp_packet = (struct batadv_elp_packet *)elp_buff;
+ memset(elp_packet, 0, BATADV_ELP_HLEN);
+
--- /dev/null
+From 56beac95cb88c188d2a885825a5da131edb41fe3 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Mon, 29 Aug 2016 11:24:10 +0100
+Subject: gpio: sa1100: fix irq probing for ucb1x00
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+commit 56beac95cb88c188d2a885825a5da131edb41fe3 upstream.
+
+ucb1x00 has used IRQ probing since it's dawn to find the GPIO interrupt
+that it's connected to. However, commit 23393d49fb75 ("gpio: kill off
+set_irq_flags usage") broke this by disabling IRQ probing on GPIO
+interrupts. Fix this.
+
+Fixes: 23393d49fb75 ("gpio: kill off set_irq_flags usage")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpio-sa1100.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-sa1100.c
++++ b/drivers/gpio/gpio-sa1100.c
+@@ -155,7 +155,7 @@ static int sa1100_gpio_irqdomain_map(str
+ {
+ irq_set_chip_and_handler(irq, &sa1100_gpio_irq_chip,
+ handle_edge_irq);
+- irq_set_noprobe(irq);
++ irq_set_probe(irq);
+
+ return 0;
+ }
--- /dev/null
+From faa739fb5df56aadab96bcd2f6eb3486cc3a3aec Mon Sep 17 00:00:00 2001
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+Date: Mon, 22 Aug 2016 18:17:12 -0500
+Subject: i40iw: Add missing check for interface already open
+
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+
+commit faa739fb5df56aadab96bcd2f6eb3486cc3a3aec upstream.
+
+In i40iw_open(), check if interface is already open
+and return success if it is.
+
+Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status")
+
+Reported-by: Stefan Assmann <sassmann@redhat.com>
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/i40iw/i40iw_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/infiniband/hw/i40iw/i40iw_main.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_main.c
+@@ -1558,6 +1558,10 @@ static int i40iw_open(struct i40e_info *
+ enum i40iw_status_code status;
+ struct i40iw_handler *hdl;
+
++ hdl = i40iw_find_netdev(ldev->netdev);
++ if (hdl)
++ return 0;
++
+ hdl = kzalloc(sizeof(*hdl), GFP_KERNEL);
+ if (!hdl)
+ return -ENOMEM;
--- /dev/null
+From 5dfd5e5e3bc68ab3912acc712c8180942094fc69 Mon Sep 17 00:00:00 2001
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+Date: Mon, 22 Aug 2016 18:16:37 -0500
+Subject: i40iw: Add missing NULL check for MPA private data
+
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+
+commit 5dfd5e5e3bc68ab3912acc712c8180942094fc69 upstream.
+
+Add NULL check for pdata and pdata->addr before the memcpy in
+i40iw_form_cm_frame(). This fixes a NULL pointer de-reference
+which occurs when the MPA private data pointer is NULL. Also
+only copy pdata->size bytes in the memcpy to prevent reading
+past the length of the private data buffer provided by upper layer.
+
+Fixes: f27b4746f378 ("i40iw: add connection management code")
+
+Reported-by: Stefan Assmann <sassmann@redhat.com>
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/i40iw/i40iw_cm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c
+@@ -535,8 +535,8 @@ static struct i40iw_puda_buf *i40iw_form
+ buf += hdr_len;
+ }
+
+- if (pd_len)
+- memcpy(buf, pdata->addr, pd_len);
++ if (pdata && pdata->addr)
++ memcpy(buf, pdata->addr, pdata->size);
+
+ atomic_set(&sqbuf->refcount, 1);
+
--- /dev/null
+From 433c58139f6a7d59824aadd23d6c9cac1d4e6100 Mon Sep 17 00:00:00 2001
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+Date: Tue, 23 Aug 2016 17:24:56 -0500
+Subject: i40iw: Avoid writing to freed memory
+
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+
+commit 433c58139f6a7d59824aadd23d6c9cac1d4e6100 upstream.
+
+iwpbl->iwmr points to the structure that contains iwpbl,
+which is iwmr. Setting this to NULL would result in
+writing to freed memory. So just free iwmr, and return.
+
+Fixes: d37498417947 ("i40iw: add files for iwarp interface")
+
+Reported-by: Stefan Assmann <sassmann@redhat.com>
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/i40iw/i40iw_verbs.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c
+@@ -1924,8 +1924,7 @@ static int i40iw_dereg_mr(struct ib_mr *
+ }
+ if (iwpbl->pbl_allocated)
+ i40iw_free_pble(iwdev->pble_rsrc, palloc);
+- kfree(iwpbl->iwmr);
+- iwpbl->iwmr = NULL;
++ kfree(iwmr);
+ return 0;
+ }
+
--- /dev/null
+From 6c7d46fdb8165ece4b0a17fb8f0b9320dbfeffc2 Mon Sep 17 00:00:00 2001
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+Date: Mon, 22 Aug 2016 18:09:14 -0500
+Subject: i40iw: Change mem_resources pointer to a u8
+
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+
+commit 6c7d46fdb8165ece4b0a17fb8f0b9320dbfeffc2 upstream.
+
+iwdev->mem_resources is incorrectly defined as an unsigned
+long instead of u8. As a result, the offset into the dynamic
+allocated structures in i40iw_initialize_hw_resources() is
+incorrectly calculated and would lead to writing of memory
+regions outside of the allocated buffer.
+
+Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status")
+
+Reported-by: Stefan Assmann <sassmann@redhat.com>
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/i40iw/i40iw.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/i40iw/i40iw.h
++++ b/drivers/infiniband/hw/i40iw/i40iw.h
+@@ -232,7 +232,7 @@ struct i40iw_device {
+ struct i40e_client *client;
+ struct i40iw_hw hw;
+ struct i40iw_cm_core cm_core;
+- unsigned long *mem_resources;
++ u8 *mem_resources;
+ unsigned long *allocated_qps;
+ unsigned long *allocated_cqs;
+ unsigned long *allocated_mrs;
--- /dev/null
+From 7eaf8313b1cfe93417a22bdc3f7380cac2a3dc6d Mon Sep 17 00:00:00 2001
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+Date: Mon, 22 Aug 2016 19:01:47 -0500
+Subject: i40iw: Do not set self-referencing pointer to NULL after kfree
+
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+
+commit 7eaf8313b1cfe93417a22bdc3f7380cac2a3dc6d upstream.
+
+In i40iw_free_virt_mem(), do not set mem->va to NULL
+after freeing it as mem->va is a self-referencing pointer
+to mem.
+
+Fixes: 4e9042e647ff ("i40iw: add hw and utils files")
+
+Reported-by: Stefan Assmann <sassmann@redhat.com>
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/i40iw/i40iw_utils.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/i40iw/i40iw_utils.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_utils.c
+@@ -673,8 +673,11 @@ enum i40iw_status_code i40iw_free_virt_m
+ {
+ if (!mem)
+ return I40IW_ERR_PARAM;
++ /*
++ * mem->va points to the parent of mem, so both mem and mem->va
++ * can not be touched once mem->va is freed
++ */
+ kfree(mem->va);
+- mem->va = NULL;
+ return 0;
+ }
+
--- /dev/null
+From d41d0910d97f05be987d2d60de7e8685c108963b Mon Sep 17 00:00:00 2001
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+Date: Tue, 23 Aug 2016 16:50:13 -0500
+Subject: i40iw: Fix double free of allocated_buffer
+
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+
+commit d41d0910d97f05be987d2d60de7e8685c108963b upstream.
+
+Memory allocated for iwqp; iwqp->allocated_buffer is freed twice in
+the create_qp error path. Correct this by having it freed only once in
+i40iw_free_qp_resources().
+
+Fixes: d37498417947 ("i40iw: add files for iwarp interface")
+
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/i40iw/i40iw_verbs.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c
+@@ -794,7 +794,6 @@ static struct ib_qp *i40iw_create_qp(str
+ return &iwqp->ibqp;
+ error:
+ i40iw_free_qp_resources(iwdev, iwqp, qp_num);
+- kfree(mem);
+ return ERR_PTR(err_code);
+ }
+
--- /dev/null
+From 44856be3e95c87f03e850ef4fdf8c0503c2dde18 Mon Sep 17 00:00:00 2001
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+Date: Mon, 22 Aug 2016 18:15:58 -0500
+Subject: i40iw: Protect req_resource_num update
+
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+
+commit 44856be3e95c87f03e850ef4fdf8c0503c2dde18 upstream.
+
+In i40iw_alloc_resource(), ensure that the update to
+req_resource_num is protected by the lock.
+
+Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status")
+
+Reported-by: Stefan Assmann <sassmann@redhat.com>
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/i40iw/i40iw.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/i40iw/i40iw.h
++++ b/drivers/infiniband/hw/i40iw/i40iw.h
+@@ -435,8 +435,8 @@ static inline int i40iw_alloc_resource(s
+ *next = resource_num + 1;
+ if (*next == max_resources)
+ *next = 0;
+- spin_unlock_irqrestore(&iwdev->resource_lock, flags);
+ *req_resource_num = resource_num;
++ spin_unlock_irqrestore(&iwdev->resource_lock, flags);
+
+ return 0;
+ }
--- /dev/null
+From b71121b4b70a995c0b794026e84c880c4f26c361 Mon Sep 17 00:00:00 2001
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+Date: Thu, 25 Aug 2016 11:53:24 -0500
+Subject: i40iw: Receive notification events correctly
+
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+
+commit b71121b4b70a995c0b794026e84c880c4f26c361 upstream.
+
+Device notifications are not received after the first interface is
+closed; since there is an unregister for notifications on every
+interface close. Correct this by unregistering for device
+notifications only when the last interface is closed. Also, make
+all operations on the i40iw_notifiers_registered atomic as it
+can be read/modified concurrently.
+
+Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status")
+
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/i40iw/i40iw_main.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/infiniband/hw/i40iw/i40iw_main.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_main.c
+@@ -100,7 +100,7 @@ static struct notifier_block i40iw_net_n
+ .notifier_call = i40iw_net_event
+ };
+
+-static int i40iw_notifiers_registered;
++static atomic_t i40iw_notifiers_registered;
+
+ /**
+ * i40iw_find_i40e_handler - find a handler given a client info
+@@ -1342,12 +1342,11 @@ exit:
+ */
+ static void i40iw_register_notifiers(void)
+ {
+- if (!i40iw_notifiers_registered) {
++ if (atomic_inc_return(&i40iw_notifiers_registered) == 1) {
+ register_inetaddr_notifier(&i40iw_inetaddr_notifier);
+ register_inet6addr_notifier(&i40iw_inetaddr6_notifier);
+ register_netevent_notifier(&i40iw_net_notifier);
+ }
+- i40iw_notifiers_registered++;
+ }
+
+ /**
+@@ -1429,8 +1428,7 @@ static void i40iw_deinit_device(struct i
+ i40iw_del_macip_entry(iwdev, (u8)iwdev->mac_ip_table_idx);
+ /* fallthrough */
+ case INET_NOTIFIER:
+- if (i40iw_notifiers_registered > 0) {
+- i40iw_notifiers_registered--;
++ if (!atomic_dec_return(&i40iw_notifiers_registered)) {
+ unregister_netevent_notifier(&i40iw_net_notifier);
+ unregister_inetaddr_notifier(&i40iw_inetaddr_notifier);
+ unregister_inet6addr_notifier(&i40iw_inetaddr6_notifier);
--- /dev/null
+From 07c72d7d54d138eb2ca37709a5a3d55fbcc01536 Mon Sep 17 00:00:00 2001
+From: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
+Date: Wed, 24 Aug 2016 13:59:17 -0500
+Subject: i40iw: Send last streaming mode message for loopback connections
+
+From: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
+
+commit 07c72d7d54d138eb2ca37709a5a3d55fbcc01536 upstream.
+
+Send a zero length last streaming mode message for loopback
+connections to synchronize between accepting QP and connecting QP.
+This avoids data transfer to start on the accepting QP before
+the connecting QP is in RTS. Also remove function i40iw_loopback_nop()
+as it is no longer used.
+
+Fixes: f27b4746f378 ("i40iw: add connection management code")
+
+Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/i40iw/i40iw_cm.c | 22 +---------------------
+ 1 file changed, 1 insertion(+), 21 deletions(-)
+
+--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c
+@@ -3347,26 +3347,6 @@ int i40iw_cm_disconn(struct i40iw_qp *iw
+ }
+
+ /**
+- * i40iw_loopback_nop - Send a nop
+- * @qp: associated hw qp
+- */
+-static void i40iw_loopback_nop(struct i40iw_sc_qp *qp)
+-{
+- u64 *wqe;
+- u64 header;
+-
+- wqe = qp->qp_uk.sq_base->elem;
+- set_64bit_val(wqe, 0, 0);
+- set_64bit_val(wqe, 8, 0);
+- set_64bit_val(wqe, 16, 0);
+-
+- header = LS_64(I40IWQP_OP_NOP, I40IWQPSQ_OPCODE) |
+- LS_64(0, I40IWQPSQ_SIGCOMPL) |
+- LS_64(qp->qp_uk.swqe_polarity, I40IWQPSQ_VALID);
+- set_64bit_val(wqe, 24, header);
+-}
+-
+-/**
+ * i40iw_qp_disconnect - free qp and close cm
+ * @iwqp: associate qp for the connection
+ */
+@@ -3638,7 +3618,7 @@ int i40iw_accept(struct iw_cm_id *cm_id,
+ } else {
+ if (iwqp->page)
+ iwqp->sc_qp.qp_uk.sq_base = kmap(iwqp->page);
+- i40iw_loopback_nop(&iwqp->sc_qp);
++ dev->iw_priv_qp_ops->qp_send_lsmm(&iwqp->sc_qp, NULL, 0, 0);
+ }
+
+ if (iwqp->page)
--- /dev/null
+From 866e0f4d73390ee6f5cd68aa92cf74eef3a2b0f2 Mon Sep 17 00:00:00 2001
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+Date: Thu, 25 Aug 2016 11:52:47 -0500
+Subject: i40iw: Update hw_iwarp_state
+
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+
+commit 866e0f4d73390ee6f5cd68aa92cf74eef3a2b0f2 upstream.
+
+Update iwqp->hw_iwarp_state to reflect the new state of the CQP
+modify QP operation. This avoids reissuing a CQP operation to
+modify a QP to a state that it is already in.
+
+Fixes: 4e9042e647ff ("i40iw: add hw and utils files")
+
+Reported-by: Stefan Assmann <sassmann@redhat.com>
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/i40iw/i40iw_hw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/hw/i40iw/i40iw_hw.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_hw.c
+@@ -265,6 +265,7 @@ void i40iw_next_iw_state(struct i40iw_qp
+ info.dont_send_fin = false;
+ if (iwqp->sc_qp.term_flags && (state == I40IW_QP_STATE_ERROR))
+ info.reset_tcp_conn = true;
++ iwqp->hw_iwarp_state = state;
+ i40iw_hw_modify_qp(iwqp->iwdev, iwqp, &info, 0);
+ }
+
--- /dev/null
+From 727653d6ce7103b245eb8041f55dd5885f4c3289 Mon Sep 17 00:00:00 2001
+From: James Morse <james.morse@arm.com>
+Date: Mon, 19 Sep 2016 18:29:15 +0100
+Subject: irqchip/gicv3: Silence noisy DEBUG_PER_CPU_MAPS warning
+
+From: James Morse <james.morse@arm.com>
+
+commit 727653d6ce7103b245eb8041f55dd5885f4c3289 upstream.
+
+gic_raise_softirq() walks the list of cpus using for_each_cpu(), it calls
+gic_compute_target_list() which advances the iterator by the number of
+CPUs in the cluster.
+
+If gic_compute_target_list() reaches the last CPU it leaves the iterator
+pointing at the last CPU. This means the next time round the for_each_cpu()
+loop cpumask_next() will be called with an invalid CPU.
+
+This triggers a warning when built with CONFIG_DEBUG_PER_CPU_MAPS:
+[ 3.077738] GICv3: CPU1: found redistributor 1 region 0:0x000000002f120000
+[ 3.077943] CPU1: Booted secondary processor [410fd0f0]
+[ 3.078542] ------------[ cut here ]------------
+[ 3.078746] WARNING: CPU: 1 PID: 0 at ../include/linux/cpumask.h:121 gic_raise_softirq+0x12c/0x170
+[ 3.078812] Modules linked in:
+[ 3.078869]
+[ 3.078930] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.8.0-rc5+ #5188
+[ 3.078994] Hardware name: Foundation-v8A (DT)
+[ 3.079059] task: ffff80087a1a0080 task.stack: ffff80087a19c000
+[ 3.079145] PC is at gic_raise_softirq+0x12c/0x170
+[ 3.079226] LR is at gic_raise_softirq+0xa4/0x170
+[ 3.079296] pc : [<ffff0000083ead24>] lr : [<ffff0000083eac9c>] pstate: 200001c9
+[ 3.081139] Call trace:
+[ 3.081202] Exception stack(0xffff80087a19fbe0 to 0xffff80087a19fd10)
+
+[ 3.082269] [<ffff0000083ead24>] gic_raise_softirq+0x12c/0x170
+[ 3.082354] [<ffff00000808e614>] smp_send_reschedule+0x34/0x40
+[ 3.082433] [<ffff0000080e80a0>] resched_curr+0x50/0x88
+[ 3.082512] [<ffff0000080e89d0>] check_preempt_curr+0x60/0xd0
+[ 3.082593] [<ffff0000080e8a60>] ttwu_do_wakeup+0x20/0xe8
+[ 3.082672] [<ffff0000080e8bb8>] ttwu_do_activate+0x90/0xc0
+[ 3.082753] [<ffff0000080ea9a4>] try_to_wake_up+0x224/0x370
+[ 3.082836] [<ffff0000080eabc8>] default_wake_function+0x10/0x18
+[ 3.082920] [<ffff000008103134>] __wake_up_common+0x5c/0xa0
+[ 3.083003] [<ffff0000081031f4>] __wake_up_locked+0x14/0x20
+[ 3.083086] [<ffff000008103f80>] complete+0x40/0x60
+[ 3.083168] [<ffff00000808df7c>] secondary_start_kernel+0x15c/0x1d0
+[ 3.083240] [<00000000808911a4>] 0x808911a4
+[ 3.113401] Detected PIPT I-cache on CPU2
+
+Avoid updating the iterator if the next call to cpumask_next() would
+cause the for_each_cpu() loop to exit.
+
+There is no change to gic_raise_softirq()'s behaviour, (cpumask_next()s
+eventual call to _find_next_bit() will return early as start >= nbits),
+this patch just silences the warning.
+
+Fixes: 021f653791ad ("irqchip: gic-v3: Initial support for GICv3")
+Signed-off-by: James Morse <james.morse@arm.com>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: Jason Cooper <jason@lakedaemon.net>
+Link: http://lkml.kernel.org/r/1474306155-3303-1-git-send-email-james.morse@arm.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-gic-v3.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/irqchip/irq-gic-v3.c
++++ b/drivers/irqchip/irq-gic-v3.c
+@@ -558,7 +558,7 @@ static struct notifier_block gic_cpu_not
+ static u16 gic_compute_target_list(int *base_cpu, const struct cpumask *mask,
+ unsigned long cluster_id)
+ {
+- int cpu = *base_cpu;
++ int next_cpu, cpu = *base_cpu;
+ unsigned long mpidr = cpu_logical_map(cpu);
+ u16 tlist = 0;
+
+@@ -572,9 +572,10 @@ static u16 gic_compute_target_list(int *
+
+ tlist |= 1 << (mpidr & 0xf);
+
+- cpu = cpumask_next(cpu, mask);
+- if (cpu >= nr_cpu_ids)
++ next_cpu = cpumask_next(cpu, mask);
++ if (next_cpu >= nr_cpu_ids)
+ goto out;
++ cpu = next_cpu;
+
+ mpidr = cpu_logical_map(cpu);
+
+++ /dev/null
-From 58035432d60616cc2ef6514a3d0e6d6ad01bf705 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Wed, 27 Apr 2016 13:33:26 +0200
-Subject: iwlwifi: mvm: handle FRAME_RELEASE in MQ code
-
-From: Johannes Berg <johannes.berg@intel.com>
-
-commit 58035432d60616cc2ef6514a3d0e6d6ad01bf705 upstream.
-
-For some reason, the FRAME_RELEASE message handling for the
-default queue ended up being in the only/default queue for
-non-RSS devices; fix that and handle FRAME_RELEASE properly
-on the default queue for RSS devices.
-
-Fixes: 585a6fccf5b8 ("iwlwifi: mvm: infrastructure for frame-release message")
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
-+++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
-@@ -936,8 +936,6 @@ static void iwl_mvm_rx(struct iwl_op_mod
-
- if (likely(pkt->hdr.cmd == REPLY_RX_MPDU_CMD))
- iwl_mvm_rx_rx_mpdu(mvm, napi, rxb);
-- else if (pkt->hdr.cmd == FRAME_RELEASE)
-- iwl_mvm_rx_frame_release(mvm, napi, rxb, 0);
- else if (pkt->hdr.cmd == REPLY_RX_PHY_CMD)
- iwl_mvm_rx_rx_phy_cmd(mvm, rxb);
- else
-@@ -958,6 +956,8 @@ static void iwl_mvm_rx_mq(struct iwl_op_
- else if (unlikely(pkt->hdr.group_id == DATA_PATH_GROUP &&
- pkt->hdr.cmd == RX_QUEUES_NOTIFICATION))
- iwl_mvm_rx_queue_notif(mvm, rxb, 0);
-+ else if (pkt->hdr.cmd == FRAME_RELEASE)
-+ iwl_mvm_rx_frame_release(mvm, napi, rxb, 0);
- else
- iwl_mvm_rx_common(mvm, rxb, pkt);
- }
--- /dev/null
+From 0b97a484e52cb423662eb98904aad82dafcc1f10 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 14 Sep 2016 09:41:34 +0200
+Subject: mac80211: check skb_linearize() return value
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 0b97a484e52cb423662eb98904aad82dafcc1f10 upstream.
+
+The A-MSDU TX code (within TXQs) didn't always check the return value
+of skb_linearize() properly, resulting in potentially passing a frag-
+list SKB down to the driver even when it said it can't handle it. Fix
+that.
+
+Fixes: 6e0456b545456 ("mac80211: add A-MSDU tx support")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/tx.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1330,8 +1330,12 @@ out:
+ spin_unlock_bh(&txqi->queue.lock);
+
+ if (skb && skb_has_frag_list(skb) &&
+- !ieee80211_hw_check(&local->hw, TX_FRAG_LIST))
+- skb_linearize(skb);
++ !ieee80211_hw_check(&local->hw, TX_FRAG_LIST)) {
++ if (skb_linearize(skb)) {
++ ieee80211_free_txskb(&local->hw, skb);
++ return NULL;
++ }
++ }
+
+ return skb;
+ }
hwmon-adt7411-set-bit-3-in-cfg1-register.patch
sched-cputime-fix-prev-steal-time-accouting-during-cpu-hotplug.patch
spi-sh-msiof-avoid-invalid-clock-generator-parameters.patch
-iwlwifi-mvm-handle-frame_release-in-mq-code.patch
iwlwifi-mvm-checksum-ipv6-fragmented-packet.patch
iwlwifi-mvm-fix-txq-aggregation-bug.patch
iwlwifi-mvm-write-the-correct-internal-txf-index.patch
iwlwifi-mvm-free-rx-reorder-buffer-on-restart.patch
iwlwifi-mvm-avoid-harmless-wmaybe-uninialized-warning.patch
iwlwifi-mvm-don-t-use-ret-when-not-initialised.patch
+usb-gadget-fsl_qe_udc-signedness-bug-in-qe_get_frame.patch
+gpio-sa1100-fix-irq-probing-for-ucb1x00.patch
+mac80211-check-skb_linearize-return-value.patch
+i40iw-protect-req_resource_num-update.patch
+i40iw-add-missing-check-for-interface-already-open.patch
+i40iw-change-mem_resources-pointer-to-a-u8.patch
+i40iw-fix-double-free-of-allocated_buffer.patch
+i40iw-do-not-set-self-referencing-pointer-to-null-after-kfree.patch
+i40iw-avoid-writing-to-freed-memory.patch
+i40iw-add-missing-null-check-for-mpa-private-data.patch
+i40iw-send-last-streaming-mode-message-for-loopback-connections.patch
+i40iw-update-hw_iwarp_state.patch
+i40iw-receive-notification-events-correctly.patch
+batman-adv-add-missing-refcnt-for-last_candidate.patch
+batman-adv-fix-elp-packet-data-reservation.patch
+irqchip-gicv3-silence-noisy-debug_per_cpu_maps-warning.patch
+arm-8618-1-decompressor-reset-ttbcr-fields-to-use-ttbr0-on-armv7.patch
+arm64-debug-avoid-resetting-stepping-state-machine-when-tif_singlestep.patch
--- /dev/null
+From f4693b08cc901912a87369c46537b94ed4084ea0 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 15 Jul 2016 14:15:47 +0300
+Subject: usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit f4693b08cc901912a87369c46537b94ed4084ea0 upstream.
+
+We can't assign -EINVAL to a u16.
+
+Fixes: 3948f0e0c999 ('usb: add Freescale QE/CPM USB peripheral controller driver')
+Acked-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/fsl_qe_udc.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/gadget/udc/fsl_qe_udc.c
++++ b/drivers/usb/gadget/udc/fsl_qe_udc.c
+@@ -1878,11 +1878,8 @@ static int qe_get_frame(struct usb_gadge
+
+ tmp = in_be16(&udc->usb_param->frame_n);
+ if (tmp & 0x8000)
+- tmp = tmp & 0x07ff;
+- else
+- tmp = -EINVAL;
+-
+- return (int)tmp;
++ return tmp & 0x07ff;
++ return -EINVAL;
+ }
+
+ static int fsl_qe_start(struct usb_gadget *gadget,
projects / thirdparty / kernel / stable-queue.git / commitdiff
