--- /dev/null
+From b2a6d1b999a4c13e5997bb864694e77172d45250 Mon Sep 17 00:00:00 2001
+From: Martijn Coenen <maco@android.com>
+Date: Fri, 28 Jul 2017 13:56:08 +0200
+Subject: ANDROID: binder: fix proc->tsk check.
+
+From: Martijn Coenen <maco@android.com>
+
+commit b2a6d1b999a4c13e5997bb864694e77172d45250 upstream.
+
+Commit c4ea41ba195d ("binder: use group leader instead of open thread")'
+was incomplete and didn't update a check in binder_mmap(), causing all
+mmap() calls into the binder driver to fail.
+
+Signed-off-by: Martijn Coenen <maco@android.com>
+Tested-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -3362,7 +3362,7 @@ static int binder_mmap(struct file *filp
+ const char *failure_string;
+ struct binder_buffer *buffer;
+
+- if (proc->tsk != current)
++ if (proc->tsk != current->group_leader)
+ return -EINVAL;
+
+ if ((vma->vm_end - vma->vm_start) > SZ_4M)
--- /dev/null
+From c4ea41ba195d01c9af66fb28711a16cc97caa9c5 Mon Sep 17 00:00:00 2001
+From: Todd Kjos <tkjos@android.com>
+Date: Thu, 29 Jun 2017 12:01:36 -0700
+Subject: binder: use group leader instead of open thread
+
+From: Todd Kjos <tkjos@android.com>
+
+commit c4ea41ba195d01c9af66fb28711a16cc97caa9c5 upstream.
+
+The binder allocator assumes that the thread that
+called binder_open will never die for the lifetime of
+that proc. That thread is normally the group_leader,
+however it may not be. Use the group_leader instead
+of current.
+
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -3460,8 +3460,8 @@ static int binder_open(struct inode *nod
+ proc = kzalloc(sizeof(*proc), GFP_KERNEL);
+ if (proc == NULL)
+ return -ENOMEM;
+- get_task_struct(current);
+- proc->tsk = current;
++ get_task_struct(current->group_leader);
++ proc->tsk = current->group_leader;
+ INIT_LIST_HEAD(&proc->todo);
+ init_waitqueue_head(&proc->wait);
+ proc->default_priority = task_nice(current);
--- /dev/null
+From 00b40d613352c623aaae88a44e5ded7c912909d7 Mon Sep 17 00:00:00 2001
+From: Riley Andrews <riandrews@google.com>
+Date: Thu, 29 Jun 2017 12:01:37 -0700
+Subject: binder: Use wake up hint for synchronous transactions.
+
+From: Riley Andrews <riandrews@google.com>
+
+commit 00b40d613352c623aaae88a44e5ded7c912909d7 upstream.
+
+Use wake_up_interruptible_sync() to hint to the scheduler binder
+transactions are synchronous wakeups. Disable preemption while waking
+to avoid ping-ponging on the binder lock.
+
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Signed-off-by: Omprakash Dhyade <odhyade@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2200,8 +2200,12 @@ static void binder_transaction(struct bi
+ list_add_tail(&t->work.entry, target_list);
+ tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;
+ list_add_tail(&tcomplete->entry, &thread->todo);
+- if (target_wait)
+- wake_up_interruptible(target_wait);
++ if (target_wait) {
++ if (reply || !(t->flags & TF_ONE_WAY))
++ wake_up_interruptible_sync(target_wait);
++ else
++ wake_up_interruptible(target_wait);
++ }
+ return;
+
+ err_translate_failed:
--- /dev/null
+From 0cc3b0ec23ce4c69e1e890ed2b8d2fa932b14aad Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sun, 27 Aug 2017 12:12:25 -0700
+Subject: Clarify (and fix) MAX_LFS_FILESIZE macros
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 0cc3b0ec23ce4c69e1e890ed2b8d2fa932b14aad upstream.
+
+We have a MAX_LFS_FILESIZE macro that is meant to be filled in by
+filesystems (and other IO targets) that know they are 64-bit clean and
+don't have any 32-bit limits in their IO path.
+
+It turns out that our 32-bit value for that limit was bogus. On 32-bit,
+the VM layer is limited by the page cache to only 32-bit index values,
+but our logic for that was confusing and actually wrong. We used to
+define that value to
+
+ (((loff_t)PAGE_SIZE << (BITS_PER_LONG-1))-1)
+
+which is actually odd in several ways: it limits the index to 31 bits,
+and then it limits files so that they can't have data in that last byte
+of a page that has the highest 31-bit index (ie page index 0x7fffffff).
+
+Neither of those limitations make sense. The index is actually the full
+32 bit unsigned value, and we can use that whole full page. So the
+maximum size of the file would logically be "PAGE_SIZE << BITS_PER_LONG".
+
+However, we do wan tto avoid the maximum index, because we have code
+that iterates over the page indexes, and we don't want that code to
+overflow. So the maximum size of a file on a 32-bit host should
+actually be one page less than the full 32-bit index.
+
+So the actual limit is ULONG_MAX << PAGE_SHIFT. That means that we will
+not actually be using the page of that last index (ULONG_MAX), but we
+can grow a file up to that limit.
+
+The wrong value of MAX_LFS_FILESIZE actually caused problems for Doug
+Nazar, who was still using a 32-bit host, but with a 9.7TB 2 x RAID5
+volume. It turns out that our old MAX_LFS_FILESIZE was 8TiB (well, one
+byte less), but the actual true VM limit is one page less than 16TiB.
+
+This was invisible until commit c2a9737f45e2 ("vfs,mm: fix a dead loop
+in truncate_inode_pages_range()"), which started applying that
+MAX_LFS_FILESIZE limit to block devices too.
+
+NOTE! On 64-bit, the page index isn't a limiter at all, and the limit is
+actually just the offset type itself (loff_t), which is signed. But for
+clarity, on 64-bit, just use the maximum signed value, and don't make
+people have to count the number of 'f' characters in the hex constant.
+
+So just use LLONG_MAX for the 64-bit case. That was what the value had
+been before too, just written out as a hex constant.
+
+Fixes: c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()")
+Reported-and-tested-by: Doug Nazar <nazard@nazar.ca>
+Cc: Andreas Dilger <adilger@dilger.ca>
+Cc: Mark Fasheh <mfasheh@versity.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Dave Kleikamp <shaggy@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/fs.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -891,9 +891,9 @@ static inline struct file *get_file(stru
+ /* Page cache limit. The filesystems should put that into their s_maxbytes
+ limits, otherwise bad things can happen in VM. */
+ #if BITS_PER_LONG==32
+-#define MAX_LFS_FILESIZE (((loff_t)PAGE_SIZE << (BITS_PER_LONG-1))-1)
++#define MAX_LFS_FILESIZE ((loff_t)ULONG_MAX << PAGE_SHIFT)
+ #elif BITS_PER_LONG==64
+-#define MAX_LFS_FILESIZE ((loff_t)0x7fffffffffffffffLL)
++#define MAX_LFS_FILESIZE ((loff_t)LLONG_MAX)
+ #endif
+
+ #define FL_POSIX 1
--- /dev/null
+From f1664eaacec31035450132c46ed2915fd2b2049a Mon Sep 17 00:00:00 2001
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Date: Sat, 12 Aug 2017 09:09:21 -0700
+Subject: iio: hid-sensor-trigger: Fix the race with user space powering up sensors
+
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+
+commit f1664eaacec31035450132c46ed2915fd2b2049a upstream.
+
+It has been reported for a while that with iio-sensor-proxy service the
+rotation only works after one suspend/resume cycle. This required a wait
+in the systemd unit file to avoid race. I found a Yoga 900 where I could
+reproduce this.
+
+The problem scenerio is:
+- During sensor driver init, enable run time PM and also set a
+ auto-suspend for 3 seconds.
+ This result in one runtime resume. But there is a check to avoid
+a powerup in this sequence, but rpm is active
+- User space iio-sensor-proxy tries to power up the sensor. Since rpm is
+ active it will simply return. But sensors were not actually
+powered up in the prior sequence, so actaully the sensors will not work
+- After 3 seconds the auto suspend kicks
+
+If we add a wait in systemd service file to fire iio-sensor-proxy after
+3 seconds, then now everything will work as the runtime resume will
+actually powerup the sensor as this is a user request.
+
+To avoid this:
+- Remove the check to match user requested state, this will cause a
+ brief powerup, but if the iio-sensor-proxy starts immediately it will
+still work as the sensors are ON.
+- Also move the autosuspend delay to place when user requested turn off
+ of sensors, like after user finished raw read or buffer disable
+
+Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Tested-by: Bastien Nocera <hadess@hadess.net>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/common/hid-sensors/hid-sensor-trigger.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/common/hid-sensors/hid-sensor-trigger.c
++++ b/drivers/iio/common/hid-sensors/hid-sensor-trigger.c
+@@ -36,8 +36,6 @@ static int _hid_sensor_power_state(struc
+ s32 poll_value = 0;
+
+ if (state) {
+- if (!atomic_read(&st->user_requested_state))
+- return 0;
+ if (sensor_hub_device_open(st->hsdev))
+ return -EIO;
+
+@@ -86,6 +84,9 @@ static int _hid_sensor_power_state(struc
+ &report_val);
+ }
+
++ pr_debug("HID_SENSOR %s set power_state %d report_state %d\n",
++ st->pdev->name, state_val, report_val);
++
+ sensor_hub_get_feature(st->hsdev, st->power_state.report_id,
+ st->power_state.index,
+ sizeof(state_val), &state_val);
+@@ -107,6 +108,7 @@ int hid_sensor_power_state(struct hid_se
+ ret = pm_runtime_get_sync(&st->pdev->dev);
+ else {
+ pm_runtime_mark_last_busy(&st->pdev->dev);
++ pm_runtime_use_autosuspend(&st->pdev->dev);
+ ret = pm_runtime_put_autosuspend(&st->pdev->dev);
+ }
+ if (ret < 0) {
+@@ -205,8 +207,6 @@ int hid_sensor_setup_trigger(struct iio_
+ /* Default to 3 seconds, but can be changed from sysfs */
+ pm_runtime_set_autosuspend_delay(&attrb->pdev->dev,
+ 3000);
+- pm_runtime_use_autosuspend(&attrb->pdev->dev);
+-
+ return ret;
+ error_unreg_trigger:
+ iio_trigger_unregister(trig);
--- /dev/null
+From fdd0d32eb95f135041236a6885d9006315aa9a1d Mon Sep 17 00:00:00 2001
+From: Dragos Bogdan <dragos.bogdan@analog.com>
+Date: Fri, 4 Aug 2017 01:37:27 +0300
+Subject: iio: imu: adis16480: Fix acceleration scale factor for adis16480
+
+From: Dragos Bogdan <dragos.bogdan@analog.com>
+
+commit fdd0d32eb95f135041236a6885d9006315aa9a1d upstream.
+
+According to the datasheet, the range of the acceleration is [-10 g, + 10 g],
+so the scale factor should be 10 instead of 5.
+
+Signed-off-by: Dragos Bogdan <dragos.bogdan@analog.com>
+Acked-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/imu/adis16480.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/adis16480.c
++++ b/drivers/iio/imu/adis16480.c
+@@ -696,7 +696,7 @@ static const struct adis16480_chip_info
+ .gyro_max_val = IIO_RAD_TO_DEGREE(22500),
+ .gyro_max_scale = 450,
+ .accel_max_val = IIO_M_S_2_TO_G(12500),
+- .accel_max_scale = 5,
++ .accel_max_scale = 10,
+ },
+ [ADIS16485] = {
+ .channels = adis16485_channels,
--- /dev/null
+From 541ee9b24fca587f510fe1bc58508d5cf40707af Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
+Date: Wed, 16 Aug 2017 19:02:50 +0200
+Subject: iio: magnetometer: st_magn: fix status register address for LSM303AGR
+
+From: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
+
+commit 541ee9b24fca587f510fe1bc58508d5cf40707af upstream.
+
+Fixes: 97865fe41322 (iio: st_sensors: verify interrupt event to status)
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@st.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/magnetometer/st_magn_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/magnetometer/st_magn_core.c
++++ b/drivers/iio/magnetometer/st_magn_core.c
+@@ -358,7 +358,7 @@ static const struct st_sensor_settings s
+ .mask_int1 = 0x01,
+ .addr_ihl = 0x63,
+ .mask_ihl = 0x04,
+- .addr_stat_drdy = ST_SENSORS_DEFAULT_STAT_ADDR,
++ .addr_stat_drdy = 0x67,
+ },
+ .multi_read_bit = false,
+ .bootime = 2,
--- /dev/null
+From 8b35a5f87a73842601cd376e0f5b9b25831390f4 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
+Date: Wed, 16 Aug 2017 19:02:51 +0200
+Subject: iio: magnetometer: st_magn: remove ihl property for LSM303AGR
+
+From: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
+
+commit 8b35a5f87a73842601cd376e0f5b9b25831390f4 upstream.
+
+Remove IRQ active low support for LSM303AGR since the sensor does not
+support that capability for data-ready line
+
+Fixes: a9fd053b56c6 (iio: st_sensors: support active-low interrupts)
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@st.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/magnetometer/st_magn_core.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/iio/magnetometer/st_magn_core.c
++++ b/drivers/iio/magnetometer/st_magn_core.c
+@@ -356,8 +356,6 @@ static const struct st_sensor_settings s
+ .drdy_irq = {
+ .addr = 0x62,
+ .mask_int1 = 0x01,
+- .addr_ihl = 0x63,
+- .mask_ihl = 0x04,
+ .addr_stat_drdy = 0x67,
+ },
+ .multi_read_bit = false,
--- /dev/null
+From 2926a2aa5c14fb2add75e6584845b1c03022235f Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Mon, 14 Aug 2017 17:19:26 +0200
+Subject: iommu: Fix wrong freeing of iommu_device->dev
+
+From: Joerg Roedel <jroedel@suse.de>
+
+commit 2926a2aa5c14fb2add75e6584845b1c03022235f upstream.
+
+The struct iommu_device has a 'struct device' embedded into
+it, not as a pointer, but the whole struct. In the
+conversion of the iommu drivers to use struct iommu_device
+it was forgotten that the relase function for that struct
+device simply calls kfree() on the pointer.
+
+This frees memory that was never allocated and causes memory
+corruption.
+
+To fix this issue, use a pointer to struct device instead of
+embedding the whole struct. This needs some updates in the
+iommu sysfs code as well as the Intel VT-d and AMD IOMMU
+driver.
+
+Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Fixes: 39ab9555c241 ('iommu: Add sysfs bindings for struct iommu_device')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/amd_iommu_types.h | 4 +++-
+ drivers/iommu/intel-iommu.c | 4 +++-
+ drivers/iommu/iommu-sysfs.c | 34 +++++++++++++++++++++-------------
+ include/linux/iommu.h | 12 +++++++++++-
+ 4 files changed, 38 insertions(+), 16 deletions(-)
+
+--- a/drivers/iommu/amd_iommu_types.h
++++ b/drivers/iommu/amd_iommu_types.h
+@@ -571,7 +571,9 @@ struct amd_iommu {
+
+ static inline struct amd_iommu *dev_to_amd_iommu(struct device *dev)
+ {
+- return container_of(dev, struct amd_iommu, iommu.dev);
++ struct iommu_device *iommu = dev_to_iommu_device(dev);
++
++ return container_of(iommu, struct amd_iommu, iommu);
+ }
+
+ #define ACPIHID_UID_LEN 256
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -4749,7 +4749,9 @@ static void intel_disable_iommus(void)
+
+ static inline struct intel_iommu *dev_to_intel_iommu(struct device *dev)
+ {
+- return container_of(dev, struct intel_iommu, iommu.dev);
++ struct iommu_device *iommu_dev = dev_to_iommu_device(dev);
++
++ return container_of(iommu_dev, struct intel_iommu, iommu);
+ }
+
+ static ssize_t intel_iommu_show_version(struct device *dev,
+--- a/drivers/iommu/iommu-sysfs.c
++++ b/drivers/iommu/iommu-sysfs.c
+@@ -62,32 +62,40 @@ int iommu_device_sysfs_add(struct iommu_
+ va_list vargs;
+ int ret;
+
+- device_initialize(&iommu->dev);
+-
+- iommu->dev.class = &iommu_class;
+- iommu->dev.parent = parent;
+- iommu->dev.groups = groups;
++ iommu->dev = kzalloc(sizeof(*iommu->dev), GFP_KERNEL);
++ if (!iommu->dev)
++ return -ENOMEM;
++
++ device_initialize(iommu->dev);
++
++ iommu->dev->class = &iommu_class;
++ iommu->dev->parent = parent;
++ iommu->dev->groups = groups;
+
+ va_start(vargs, fmt);
+- ret = kobject_set_name_vargs(&iommu->dev.kobj, fmt, vargs);
++ ret = kobject_set_name_vargs(&iommu->dev->kobj, fmt, vargs);
+ va_end(vargs);
+ if (ret)
+ goto error;
+
+- ret = device_add(&iommu->dev);
++ ret = device_add(iommu->dev);
+ if (ret)
+ goto error;
+
++ dev_set_drvdata(iommu->dev, iommu);
++
+ return 0;
+
+ error:
+- put_device(&iommu->dev);
++ put_device(iommu->dev);
+ return ret;
+ }
+
+ void iommu_device_sysfs_remove(struct iommu_device *iommu)
+ {
+- device_unregister(&iommu->dev);
++ dev_set_drvdata(iommu->dev, NULL);
++ device_unregister(iommu->dev);
++ iommu->dev = NULL;
+ }
+ /*
+ * IOMMU drivers can indicate a device is managed by a given IOMMU using
+@@ -102,14 +110,14 @@ int iommu_device_link(struct iommu_devic
+ if (!iommu || IS_ERR(iommu))
+ return -ENODEV;
+
+- ret = sysfs_add_link_to_group(&iommu->dev.kobj, "devices",
++ ret = sysfs_add_link_to_group(&iommu->dev->kobj, "devices",
+ &link->kobj, dev_name(link));
+ if (ret)
+ return ret;
+
+- ret = sysfs_create_link_nowarn(&link->kobj, &iommu->dev.kobj, "iommu");
++ ret = sysfs_create_link_nowarn(&link->kobj, &iommu->dev->kobj, "iommu");
+ if (ret)
+- sysfs_remove_link_from_group(&iommu->dev.kobj, "devices",
++ sysfs_remove_link_from_group(&iommu->dev->kobj, "devices",
+ dev_name(link));
+
+ return ret;
+@@ -121,5 +129,5 @@ void iommu_device_unlink(struct iommu_de
+ return;
+
+ sysfs_remove_link(&link->kobj, "iommu");
+- sysfs_remove_link_from_group(&iommu->dev.kobj, "devices", dev_name(link));
++ sysfs_remove_link_from_group(&iommu->dev->kobj, "devices", dev_name(link));
+ }
+--- a/include/linux/iommu.h
++++ b/include/linux/iommu.h
+@@ -240,7 +240,7 @@ struct iommu_device {
+ struct list_head list;
+ const struct iommu_ops *ops;
+ struct fwnode_handle *fwnode;
+- struct device dev;
++ struct device *dev;
+ };
+
+ int iommu_device_register(struct iommu_device *iommu);
+@@ -265,6 +265,11 @@ static inline void iommu_device_set_fwno
+ iommu->fwnode = fwnode;
+ }
+
++static inline struct iommu_device *dev_to_iommu_device(struct device *dev)
++{
++ return (struct iommu_device *)dev_get_drvdata(dev);
++}
++
+ #define IOMMU_GROUP_NOTIFY_ADD_DEVICE 1 /* Device added */
+ #define IOMMU_GROUP_NOTIFY_DEL_DEVICE 2 /* Pre Device removed */
+ #define IOMMU_GROUP_NOTIFY_BIND_DRIVER 3 /* Pre Driver bind */
+@@ -589,6 +594,11 @@ static inline void iommu_device_set_fwno
+ {
+ }
+
++static inline struct iommu_device *dev_to_iommu_device(struct device *dev)
++{
++ return NULL;
++}
++
+ static inline void iommu_device_unregister(struct iommu_device *iommu)
+ {
+ }
--- /dev/null
+From a2b18708ee14baec4ef9c0fba96070bba14d0081 Mon Sep 17 00:00:00 2001
+From: Todd Kjos <tkjos@android.com>
+Date: Wed, 5 Jul 2017 13:46:01 -0700
+Subject: Revert "android: binder: Sanity check at binder ioctl"
+
+From: Todd Kjos <tkjos@android.com>
+
+commit a2b18708ee14baec4ef9c0fba96070bba14d0081 upstream.
+
+This reverts commit a906d6931f3ccaf7de805643190765ddd7378e27.
+
+The patch introduced a race in the binder driver. An attempt to fix the
+race was submitted in "[PATCH v2] android: binder: fix dangling pointer
+comparison", however the conclusion in the discussion for that patch
+was that the original patch should be reverted.
+
+The reversion is being done as part of the fine-grained locking
+patchset since the patch would need to be refactored when
+proc->vmm_vm_mm is removed from struct binder_proc and added
+in the binder allocator.
+
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -3247,10 +3247,6 @@ static long binder_ioctl(struct file *fi
+ /*pr_info("binder_ioctl: %d:%d %x %lx\n",
+ proc->pid, current->pid, cmd, arg);*/
+
+- if (unlikely(current->mm != proc->vma_vm_mm)) {
+- pr_err("current mm mismatch proc mm\n");
+- return -EINVAL;
+- }
+ trace_binder_ioctl(cmd, arg);
+
+ ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
+@@ -3466,7 +3462,6 @@ static int binder_open(struct inode *nod
+ return -ENOMEM;
+ get_task_struct(current);
+ proc->tsk = current;
+- proc->vma_vm_mm = current->mm;
+ INIT_LIST_HEAD(&proc->todo);
+ init_waitqueue_head(&proc->wait);
+ proc->default_priority = task_nice(current);
bluetooth-hidp-fix-possible-might-sleep-error-in-hidp_session_thread.patch
bluetooth-cmtp-fix-possible-might-sleep-error-in-cmtp_session.patch
bluetooth-bnep-fix-possible-might-sleep-error-in-bnep_session.patch
+revert-android-binder-sanity-check-at-binder-ioctl.patch
+binder-use-group-leader-instead-of-open-thread.patch
+binder-use-wake-up-hint-for-synchronous-transactions.patch
+android-binder-fix-proc-tsk-check.patch
+iio-imu-adis16480-fix-acceleration-scale-factor-for-adis16480.patch
+iio-hid-sensor-trigger-fix-the-race-with-user-space-powering-up-sensors.patch
+iio-magnetometer-st_magn-fix-status-register-address-for-lsm303agr.patch
+iio-magnetometer-st_magn-remove-ihl-property-for-lsm303agr.patch
+staging-rtl8188eu-add-rnx-n150nub-support.patch
+iommu-fix-wrong-freeing-of-iommu_device-dev.patch
+clarify-and-fix-max_lfs_filesize-macros.patch
--- /dev/null
+From f299aec6ebd747298e35934cff7709c6b119ca52 Mon Sep 17 00:00:00 2001
+From: Charles Milette <charlesmilette@gmail.com>
+Date: Fri, 18 Aug 2017 16:30:34 -0400
+Subject: staging: rtl8188eu: add RNX-N150NUB support
+
+From: Charles Milette <charlesmilette@gmail.com>
+
+commit f299aec6ebd747298e35934cff7709c6b119ca52 upstream.
+
+Add support for USB Device Rosewill RNX-N150NUB.
+VendorID: 0x0bda, ProductID: 0xffef
+
+Signed-off-by: Charles Milette <charles.milette@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+@@ -45,6 +45,7 @@ static struct usb_device_id rtw_usb_id_t
+ {USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */
+ {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */
+ {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
++ {USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */
+ {} /* Terminating entry */
+ };
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
