--- /dev/null
+From ddc37832a1349f474c4532de381498020ed71d31 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Fri, 6 Jan 2017 13:12:47 +0100
+Subject: ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit ddc37832a1349f474c4532de381498020ed71d31 upstream.
+
+On APQ8060, the kernel crashes in arch_hw_breakpoint_init, taking an
+undefined instruction trap within write_wb_reg. This is because Scorpion
+CPUs erroneously appear to set DBGPRSR.SPD when WFI is issued, even if
+the core is not powered down. When DBGPRSR.SPD is set, breakpoint and
+watchpoint registers are treated as undefined.
+
+It's possible to trigger similar crashes later on from userspace, by
+requesting the kernel to install a breakpoint or watchpoint, as we can
+go idle at any point between the reset of the debug registers and their
+later use. This has always been the case.
+
+Given that this has always been broken, no-one has complained until now,
+and there is no clear workaround, disable hardware breakpoints and
+watchpoints on Scorpion to avoid these issues.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Reported-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Stephen Boyd <sboyd@codeaurora.org>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Cc: Russell King <linux@armlinux.org.uk>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/include/asm/cputype.h | 3 +++
+ arch/arm/kernel/hw_breakpoint.c | 16 ++++++++++++++++
+ 2 files changed, 19 insertions(+)
+
+--- a/arch/arm/include/asm/cputype.h
++++ b/arch/arm/include/asm/cputype.h
+@@ -81,6 +81,9 @@
+ #define ARM_CPU_XSCALE_ARCH_V2 0x4000
+ #define ARM_CPU_XSCALE_ARCH_V3 0x6000
+
++/* Qualcomm implemented cores */
++#define ARM_CPU_PART_SCORPION 0x510002d0
++
+ extern unsigned int processor_id;
+
+ #ifdef CONFIG_CPU_CP15
+--- a/arch/arm/kernel/hw_breakpoint.c
++++ b/arch/arm/kernel/hw_breakpoint.c
+@@ -1066,6 +1066,22 @@ static int __init arch_hw_breakpoint_ini
+ return 0;
+ }
+
++ /*
++ * Scorpion CPUs (at least those in APQ8060) seem to set DBGPRSR.SPD
++ * whenever a WFI is issued, even if the core is not powered down, in
++ * violation of the architecture. When DBGPRSR.SPD is set, accesses to
++ * breakpoint and watchpoint registers are treated as undefined, so
++ * this results in boot time and runtime failures when these are
++ * accessed and we unexpectedly take a trap.
++ *
++ * It's not clear if/how this can be worked around, so we blacklist
++ * Scorpion CPUs to avoid these issues.
++ */
++ if (read_cpuid_part() == ARM_CPU_PART_SCORPION) {
++ pr_info("Scorpion CPU detected. Hardware breakpoints and watchpoints disabled\n");
++ return 0;
++ }
++
+ has_ossr = core_has_os_save_restore();
+
+ /* Determine how many BRPs/WRPs are available. */
--- /dev/null
+From 43849785e1079f6606a31cb7fda92d1200849728 Mon Sep 17 00:00:00 2001
+From: Fabien Parent <fparent@baylibre.com>
+Date: Tue, 17 Jan 2017 13:57:42 +0100
+Subject: ARM: dts: da850-evm: fix read access to SPI flash
+
+From: Fabien Parent <fparent@baylibre.com>
+
+commit 43849785e1079f6606a31cb7fda92d1200849728 upstream.
+
+Read access to the SPI flash are broken on da850-evm, i.e. the data
+read is not what is actually programmed on the flash.
+According to the datasheet for the M25P64 part present on the da850-evm,
+if the SPI frequency is higher than 20MHz then the READ command is not
+usable anymore and only the FAST_READ command can be used to read data.
+
+This commit specifies in the DTS that we should use FAST_READ command
+instead of the READ command.
+
+Tested-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Fabien Parent <fparent@baylibre.com>
+[nsekhar@ti.com: subject line adjustment]
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Signed-off-by: Olof Johansson <olof@lixom.net>
+
+---
+ arch/arm/boot/dts/da850-evm.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/boot/dts/da850-evm.dts
++++ b/arch/arm/boot/dts/da850-evm.dts
+@@ -85,6 +85,7 @@
+ #size-cells = <1>;
+ compatible = "m25p64";
+ spi-max-frequency = <30000000>;
++ m25p,fast-read;
+ reg = <0>;
+ partition@0 {
+ label = "U-Boot-SPL";
--- /dev/null
+From aeb1f39d814b2e21e5e5706a48834bfd553d0059 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Wed, 18 Jan 2017 16:25:23 +0000
+Subject: arm64/ptrace: Avoid uninitialised struct padding in fpr_set()
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit aeb1f39d814b2e21e5e5706a48834bfd553d0059 upstream.
+
+This patch adds an explicit __reserved[] field to user_fpsimd_state
+to replace what was previously unnamed padding.
+
+This ensures that data in this region are propagated across
+assignment rather than being left possibly uninitialised at the
+destination.
+
+Fixes: 60ffc30d5652 ("arm64: Exception handling")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Acked-by: Will Deacon <Will.Deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/uapi/asm/ptrace.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/include/uapi/asm/ptrace.h
++++ b/arch/arm64/include/uapi/asm/ptrace.h
+@@ -76,6 +76,7 @@ struct user_fpsimd_state {
+ __uint128_t vregs[32];
+ __u32 fpsr;
+ __u32 fpcr;
++ __u32 __reserved[2];
+ };
+
+ struct user_hwdebug_state {
--- /dev/null
+From 9dd73f72f218320c6c90da5f834996e7360dc227 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Wed, 18 Jan 2017 16:25:21 +0000
+Subject: arm64/ptrace: Preserve previous registers for short regset write - 2
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit 9dd73f72f218320c6c90da5f834996e7360dc227 upstream.
+
+Ensure that if userspace supplies insufficient data to
+PTRACE_SETREGSET to fill all the registers, the thread's old
+registers are preserved.
+
+Fixes: 766a85d7bc5d ("arm64: ptrace: add NT_ARM_SYSTEM_CALL regset")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Acked-by: Will Deacon <Will.Deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/ptrace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -576,7 +576,8 @@ static int system_call_set(struct task_s
+ unsigned int pos, unsigned int count,
+ const void *kbuf, const void __user *ubuf)
+ {
+- int syscallno, ret;
++ int syscallno = task_pt_regs(target)->syscallno;
++ int ret;
+
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &syscallno, 0, -1);
+ if (ret)
--- /dev/null
+From a672401c00f82e4e19704aff361d9bad18003714 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Wed, 18 Jan 2017 16:25:22 +0000
+Subject: arm64/ptrace: Preserve previous registers for short regset write - 3
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit a672401c00f82e4e19704aff361d9bad18003714 upstream.
+
+Ensure that if userspace supplies insufficient data to
+PTRACE_SETREGSET to fill all the registers, the thread's old
+registers are preserved.
+
+Fixes: 5d220ff9420f ("arm64: Better native ptrace support for compat tasks")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Acked-by: Will Deacon <Will.Deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/ptrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -849,7 +849,7 @@ static int compat_tls_set(struct task_st
+ const void __user *ubuf)
+ {
+ int ret;
+- compat_ulong_t tls;
++ compat_ulong_t tls = target->thread.tp_value;
+
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1);
+ if (ret)
--- /dev/null
+From 9a17b876b573441bfb3387ad55d98bf7184daf9d Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Wed, 18 Jan 2017 16:25:20 +0000
+Subject: arm64/ptrace: Preserve previous registers for short regset write
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit 9a17b876b573441bfb3387ad55d98bf7184daf9d upstream.
+
+Ensure that if userspace supplies insufficient data to
+PTRACE_SETREGSET to fill all the registers, the thread's old
+registers are preserved.
+
+Fixes: 478fcb2cdb23 ("arm64: Debugging support")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Acked-by: Will Deacon <Will.Deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/ptrace.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -495,7 +495,7 @@ static int gpr_set(struct task_struct *t
+ const void *kbuf, const void __user *ubuf)
+ {
+ int ret;
+- struct user_pt_regs newregs;
++ struct user_pt_regs newregs = task_pt_regs(target)->user_regs;
+
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newregs, 0, -1);
+ if (ret)
+@@ -525,7 +525,8 @@ static int fpr_set(struct task_struct *t
+ const void *kbuf, const void __user *ubuf)
+ {
+ int ret;
+- struct user_fpsimd_state newstate;
++ struct user_fpsimd_state newstate =
++ target->thread.fpsimd_state.user_fpsimd;
+
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newstate, 0, -1);
+ if (ret)
+@@ -549,7 +550,7 @@ static int tls_set(struct task_struct *t
+ const void *kbuf, const void __user *ubuf)
+ {
+ int ret;
+- unsigned long tls;
++ unsigned long tls = target->thread.tp_value;
+
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1);
+ if (ret)
--- /dev/null
+From ad9e202aa1ce571b1d7fed969d06f66067f8a086 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Wed, 18 Jan 2017 16:25:24 +0000
+Subject: arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit ad9e202aa1ce571b1d7fed969d06f66067f8a086 upstream.
+
+We cannot preserve partial fields for hardware breakpoints, because
+the values written by userspace to the hardware breakpoint
+registers can't subsequently be recovered intact from the hardware.
+
+So, just reject attempts to write incomplete fields with -EINVAL.
+
+Fixes: 478fcb2cdb23 ("arm64: Debugging support")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Acked-by: Will Deacon <Will.Deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/ptrace.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -450,6 +450,8 @@ static int hw_break_set(struct task_stru
+ /* (address, ctrl) registers */
+ limit = regset->n * regset->size;
+ while (count && offset < limit) {
++ if (count < PTRACE_HBP_ADDR_SZ)
++ return -EINVAL;
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &addr,
+ offset, offset + PTRACE_HBP_ADDR_SZ);
+ if (ret)
+@@ -459,6 +461,8 @@ static int hw_break_set(struct task_stru
+ return ret;
+ offset += PTRACE_HBP_ADDR_SZ;
+
++ if (!count)
++ break;
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &ctrl,
+ offset, offset + PTRACE_HBP_CTRL_SZ);
+ if (ret)
--- /dev/null
+From 6df8c9d80a27cb587f61b4f06b57e248d8bc3f86 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Thu, 12 Jan 2017 14:42:41 -0500
+Subject: ceph: fix bad endianness handling in parse_reply_info_extra
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit 6df8c9d80a27cb587f61b4f06b57e248d8bc3f86 upstream.
+
+sparse says:
+
+ fs/ceph/mds_client.c:291:23: warning: restricted __le32 degrades to integer
+ fs/ceph/mds_client.c:293:28: warning: restricted __le32 degrades to integer
+ fs/ceph/mds_client.c:294:28: warning: restricted __le32 degrades to integer
+ fs/ceph/mds_client.c:296:28: warning: restricted __le32 degrades to integer
+
+The op value is __le32, so we need to convert it before comparing it.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Reviewed-by: Sage Weil <sage@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/mds_client.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -274,12 +274,13 @@ static int parse_reply_info_extra(void *
+ struct ceph_mds_reply_info_parsed *info,
+ u64 features)
+ {
+- if (info->head->op == CEPH_MDS_OP_GETFILELOCK)
++ u32 op = le32_to_cpu(info->head->op);
++
++ if (op == CEPH_MDS_OP_GETFILELOCK)
+ return parse_reply_info_filelock(p, end, info, features);
+- else if (info->head->op == CEPH_MDS_OP_READDIR ||
+- info->head->op == CEPH_MDS_OP_LSSNAP)
++ else if (op == CEPH_MDS_OP_READDIR || op == CEPH_MDS_OP_LSSNAP)
+ return parse_reply_info_dir(p, end, info, features);
+- else if (info->head->op == CEPH_MDS_OP_CREATE)
++ else if (op == CEPH_MDS_OP_CREATE)
+ return parse_reply_info_create(p, end, info, features);
+ else
+ return -EIO;
--- /dev/null
+From bc7c36eedb0c7004aa06c2afc3c5385adada8fa3 Mon Sep 17 00:00:00 2001
+From: Joonyoung Shim <jy0922.shim@samsung.com>
+Date: Tue, 17 Jan 2017 13:54:36 +0900
+Subject: clocksource/exynos_mct: Clear interrupt when cpu is shut down
+
+From: Joonyoung Shim <jy0922.shim@samsung.com>
+
+commit bc7c36eedb0c7004aa06c2afc3c5385adada8fa3 upstream.
+
+When a CPU goes offline a potentially pending timer interrupt is not
+cleared. When the CPU comes online again then the pending interrupt is
+delivered before the per cpu clockevent device is initialized. As a
+consequence the tick interrupt handler dereferences a NULL pointer.
+
+[ 51.251378] Unable to handle kernel NULL pointer dereference at virtual address 00000040
+[ 51.289348] task: ee942d00 task.stack: ee960000
+[ 51.293861] PC is at tick_periodic+0x38/0xb0
+[ 51.298102] LR is at tick_handle_periodic+0x1c/0x90
+
+Clear the pending interrupt in the cpu dying path.
+
+Fixes: 56a94f13919c ("clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier")
+Reported-by: Seung-Woo Kim <sw0312.kim@samsung.com>
+Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
+Cc: linux-samsung-soc@vger.kernel.org
+Cc: cw00.choi@samsung.com
+Cc: daniel.lezcano@linaro.org
+Cc: javier@osg.samsung.com
+Cc: kgene@kernel.org
+Cc: krzk@kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Link: http://lkml.kernel.org/r/1484628876-22065-1-git-send-email-jy0922.shim@samsung.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clocksource/exynos_mct.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/clocksource/exynos_mct.c
++++ b/drivers/clocksource/exynos_mct.c
+@@ -482,6 +482,7 @@ static void exynos4_local_timer_stop(str
+ if (mct_int_type == MCT_INT_SPI) {
+ if (evt->irq != -1)
+ disable_irq_nosync(evt->irq);
++ exynos4_mct_write(0x1, mevt->base + MCT_L_INT_CSTAT_OFFSET);
+ } else {
+ disable_percpu_irq(mct_irqs[MCT_L0_IRQ]);
+ }
--- /dev/null
+From a8a86d78d673b1c99fe9b0064739fde9e9774184 Mon Sep 17 00:00:00 2001
+From: Tahsin Erdogan <tahsin@google.com>
+Date: Thu, 12 Jan 2017 12:04:04 -0800
+Subject: fuse: clear FR_PENDING flag when moving requests out of pending queue
+
+From: Tahsin Erdogan <tahsin@google.com>
+
+commit a8a86d78d673b1c99fe9b0064739fde9e9774184 upstream.
+
+fuse_abort_conn() moves requests from pending list to a temporary list
+before canceling them. This operation races with request_wait_answer()
+which also tries to remove the request after it gets a fatal signal. It
+checks FR_PENDING flag to determine whether the request is still in the
+pending list.
+
+Make fuse_abort_conn() clear FR_PENDING flag so that request_wait_answer()
+does not remove the request from temporary list.
+
+This bug causes an Oops when trying to delete an already deleted list entry
+in end_requests().
+
+Fixes: ee314a870e40 ("fuse: abort: no fc->lock needed for request ending")
+Signed-off-by: Tahsin Erdogan <tahsin@google.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -2083,7 +2083,6 @@ static void end_requests(struct fuse_con
+ struct fuse_req *req;
+ req = list_entry(head->next, struct fuse_req, list);
+ req->out.h.error = -ECONNABORTED;
+- clear_bit(FR_PENDING, &req->flags);
+ clear_bit(FR_SENT, &req->flags);
+ list_del_init(&req->list);
+ request_end(fc, req);
+@@ -2161,6 +2160,8 @@ void fuse_abort_conn(struct fuse_conn *f
+ spin_lock(&fiq->waitq.lock);
+ fiq->connected = 0;
+ list_splice_init(&fiq->pending, &to_end2);
++ list_for_each_entry(req, &to_end2, list)
++ clear_bit(FR_PENDING, &req->flags);
+ while (forget_pending(fiq))
+ kfree(dequeue_forget(fiq, 1, NULL));
+ wake_up_all_locked(&fiq->waitq);
--- /dev/null
+From 7a546af50eb78ab99840903083231eb635c8a566 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 18:17:43 +0100
+Subject: HID: corsair: fix control-transfer error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 7a546af50eb78ab99840903083231eb635c8a566 upstream.
+
+Make sure to check for short control transfers in order to avoid parsing
+uninitialised buffer data and leaking it to user space.
+
+Note that the backlight and macro-mode buffer constraints are kept as
+loose as possible in order to avoid any regressions should the current
+buffer sizes be larger than necessary.
+
+Fixes: 6f78193ee9ea ("HID: corsair: Add Corsair Vengeance K90 driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-corsair.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/hid-corsair.c
++++ b/drivers/hid/hid-corsair.c
+@@ -159,7 +159,7 @@ static enum led_brightness k90_backlight
+ USB_DIR_IN | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, 0, 0, data, 8,
+ USB_CTRL_SET_TIMEOUT);
+- if (ret < 0) {
++ if (ret < 5) {
+ dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
+ ret);
+ ret = -EIO;
+@@ -274,7 +274,7 @@ static ssize_t k90_show_macro_mode(struc
+ USB_DIR_IN | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, 0, 0, data, 2,
+ USB_CTRL_SET_TIMEOUT);
+- if (ret < 0) {
++ if (ret < 1) {
+ dev_warn(dev, "Failed to get K90 initial mode (error %d).\n",
+ ret);
+ ret = -EIO;
+@@ -351,7 +351,7 @@ static ssize_t k90_show_current_profile(
+ USB_DIR_IN | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, 0, 0, data, 8,
+ USB_CTRL_SET_TIMEOUT);
+- if (ret < 0) {
++ if (ret < 8) {
+ dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
+ ret);
+ ret = -EIO;
--- /dev/null
+From 6d104af38b570d37aa32a5803b04c354f8ed513d Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 18:17:42 +0100
+Subject: HID: corsair: fix DMA buffers on stack
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 6d104af38b570d37aa32a5803b04c354f8ed513d upstream.
+
+Not all platforms support DMA to the stack, and specifically since v4.9
+this is no longer supported on x86 with VMAP_STACK either.
+
+Note that the macro-mode buffer was larger than necessary.
+
+Fixes: 6f78193ee9ea ("HID: corsair: Add Corsair Vengeance K90 driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-corsair.c | 54 +++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 42 insertions(+), 12 deletions(-)
+
+--- a/drivers/hid/hid-corsair.c
++++ b/drivers/hid/hid-corsair.c
+@@ -148,7 +148,11 @@ static enum led_brightness k90_backlight
+ struct usb_interface *usbif = to_usb_interface(dev->parent);
+ struct usb_device *usbdev = interface_to_usbdev(usbif);
+ int brightness;
+- char data[8];
++ char *data;
++
++ data = kmalloc(8, GFP_KERNEL);
++ if (!data)
++ return -ENOMEM;
+
+ ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
+ K90_REQUEST_STATUS,
+@@ -158,16 +162,22 @@ static enum led_brightness k90_backlight
+ if (ret < 0) {
+ dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
+ ret);
+- return -EIO;
++ ret = -EIO;
++ goto out;
+ }
+ brightness = data[4];
+ if (brightness < 0 || brightness > 3) {
+ dev_warn(dev,
+ "Read invalid backlight brightness: %02hhx.\n",
+ data[4]);
+- return -EIO;
++ ret = -EIO;
++ goto out;
+ }
+- return brightness;
++ ret = brightness;
++out:
++ kfree(data);
++
++ return ret;
+ }
+
+ static enum led_brightness k90_record_led_get(struct led_classdev *led_cdev)
+@@ -253,7 +263,11 @@ static ssize_t k90_show_macro_mode(struc
+ struct usb_interface *usbif = to_usb_interface(dev->parent);
+ struct usb_device *usbdev = interface_to_usbdev(usbif);
+ const char *macro_mode;
+- char data[8];
++ char *data;
++
++ data = kmalloc(2, GFP_KERNEL);
++ if (!data)
++ return -ENOMEM;
+
+ ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
+ K90_REQUEST_GET_MODE,
+@@ -263,7 +277,8 @@ static ssize_t k90_show_macro_mode(struc
+ if (ret < 0) {
+ dev_warn(dev, "Failed to get K90 initial mode (error %d).\n",
+ ret);
+- return -EIO;
++ ret = -EIO;
++ goto out;
+ }
+
+ switch (data[0]) {
+@@ -277,10 +292,15 @@ static ssize_t k90_show_macro_mode(struc
+ default:
+ dev_warn(dev, "K90 in unknown mode: %02hhx.\n",
+ data[0]);
+- return -EIO;
++ ret = -EIO;
++ goto out;
+ }
+
+- return snprintf(buf, PAGE_SIZE, "%s\n", macro_mode);
++ ret = snprintf(buf, PAGE_SIZE, "%s\n", macro_mode);
++out:
++ kfree(data);
++
++ return ret;
+ }
+
+ static ssize_t k90_store_macro_mode(struct device *dev,
+@@ -320,7 +340,11 @@ static ssize_t k90_show_current_profile(
+ struct usb_interface *usbif = to_usb_interface(dev->parent);
+ struct usb_device *usbdev = interface_to_usbdev(usbif);
+ int current_profile;
+- char data[8];
++ char *data;
++
++ data = kmalloc(8, GFP_KERNEL);
++ if (!data)
++ return -ENOMEM;
+
+ ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
+ K90_REQUEST_STATUS,
+@@ -330,16 +354,22 @@ static ssize_t k90_show_current_profile(
+ if (ret < 0) {
+ dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
+ ret);
+- return -EIO;
++ ret = -EIO;
++ goto out;
+ }
+ current_profile = data[7];
+ if (current_profile < 1 || current_profile > 3) {
+ dev_warn(dev, "Read invalid current profile: %02hhx.\n",
+ data[7]);
+- return -EIO;
++ ret = -EIO;
++ goto out;
+ }
+
+- return snprintf(buf, PAGE_SIZE, "%d\n", current_profile);
++ ret = snprintf(buf, PAGE_SIZE, "%d\n", current_profile);
++out:
++ kfree(data);
++
++ return ret;
+ }
+
+ static ssize_t k90_store_current_profile(struct device *dev,
--- /dev/null
+From 05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655 Mon Sep 17 00:00:00 2001
+From: Stefan Schmidt <stefan@osg.samsung.com>
+Date: Thu, 15 Dec 2016 18:40:14 +0100
+Subject: ieee802154: atusb: do not use the stack for buffers to make them DMA able
+
+From: Stefan Schmidt <stefan@osg.samsung.com>
+
+commit 05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655 upstream.
+
+From 4.9 we should really avoid using the stack here as this will not be DMA
+able on various platforms. This changes the buffers already being present in
+time of 4.9 being released. This should go into stable as well.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ieee802154/atusb.c | 31 +++++++++++++++++++++++++++----
+ 1 file changed, 27 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ieee802154/atusb.c
++++ b/drivers/net/ieee802154/atusb.c
+@@ -110,13 +110,26 @@ static int atusb_read_reg(struct atusb *
+ {
+ struct usb_device *usb_dev = atusb->usb_dev;
+ int ret;
++ uint8_t *buffer;
+ uint8_t value;
+
++ buffer = kmalloc(1, GFP_KERNEL);
++ if (!buffer)
++ return -ENOMEM;
++
+ dev_dbg(&usb_dev->dev, "atusb: reg = 0x%x\n", reg);
+ ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+ ATUSB_REG_READ, ATUSB_REQ_FROM_DEV,
+- 0, reg, &value, 1, 1000);
+- return ret >= 0 ? value : ret;
++ 0, reg, buffer, 1, 1000);
++
++ if (ret >= 0) {
++ value = buffer[0];
++ kfree(buffer);
++ return value;
++ } else {
++ kfree(buffer);
++ return ret;
++ }
+ }
+
+ static int atusb_write_subreg(struct atusb *atusb, uint8_t reg, uint8_t mask,
+@@ -517,9 +530,13 @@ static struct ieee802154_ops atusb_ops =
+ static int atusb_get_and_show_revision(struct atusb *atusb)
+ {
+ struct usb_device *usb_dev = atusb->usb_dev;
+- unsigned char buffer[3];
++ unsigned char *buffer;
+ int ret;
+
++ buffer = kmalloc(3, GFP_KERNEL);
++ if (!buffer)
++ return -ENOMEM;
++
+ /* Get a couple of the ATMega Firmware values */
+ ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+ ATUSB_ID, ATUSB_REQ_FROM_DEV, 0, 0,
+@@ -535,15 +552,20 @@ static int atusb_get_and_show_revision(s
+ dev_info(&usb_dev->dev, "Please update to version 0.2 or newer");
+ }
+
++ kfree(buffer);
+ return ret;
+ }
+
+ static int atusb_get_and_show_build(struct atusb *atusb)
+ {
+ struct usb_device *usb_dev = atusb->usb_dev;
+- char build[ATUSB_BUILD_SIZE + 1];
++ char *build;
+ int ret;
+
++ build = kmalloc(ATUSB_BUILD_SIZE + 1, GFP_KERNEL);
++ if (!build)
++ return -ENOMEM;
++
+ ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+ ATUSB_BUILD, ATUSB_REQ_FROM_DEV, 0, 0,
+ build, ATUSB_BUILD_SIZE, 1000);
+@@ -552,6 +574,7 @@ static int atusb_get_and_show_build(stru
+ dev_info(&usb_dev->dev, "Firmware: build %s\n", build);
+ }
+
++ kfree(build);
+ return ret;
+ }
+
--- /dev/null
+From 01167c7b9cbf099c69fe411a228e4e9c7104e123 Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Thu, 5 Jan 2017 19:24:04 +0000
+Subject: mmc: mxs-mmc: Fix additional cycles after transmission stop
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+commit 01167c7b9cbf099c69fe411a228e4e9c7104e123 upstream.
+
+According to the code the intention is to append 8 SCK cycles
+instead of 4 at end of a MMC_STOP_TRANSMISSION command. But this
+will never happened because it's an AC command not an ADTC command.
+So fix this by moving the statement into the right function.
+
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Fixes: e4243f13d10e (mmc: mxs-mmc: add mmc host driver for i.MX23/28)
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/mxs-mmc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/mxs-mmc.c
++++ b/drivers/mmc/host/mxs-mmc.c
+@@ -309,6 +309,9 @@ static void mxs_mmc_ac(struct mxs_mmc_ho
+ cmd0 = BF_SSP(cmd->opcode, CMD0_CMD);
+ cmd1 = cmd->arg;
+
++ if (cmd->opcode == MMC_STOP_TRANSMISSION)
++ cmd0 |= BM_SSP_CMD0_APPEND_8CYC;
++
+ if (host->sdio_irq_en) {
+ ctrl0 |= BM_SSP_CTRL0_SDIO_IRQ_CHECK;
+ cmd0 |= BM_SSP_CMD0_CONT_CLKING_EN | BM_SSP_CMD0_SLOW_CLKING_EN;
+@@ -417,8 +420,7 @@ static void mxs_mmc_adtc(struct mxs_mmc_
+ ssp->base + HW_SSP_BLOCK_SIZE);
+ }
+
+- if ((cmd->opcode == MMC_STOP_TRANSMISSION) ||
+- (cmd->opcode == SD_IO_RW_EXTENDED))
++ if (cmd->opcode == SD_IO_RW_EXTENDED)
+ cmd0 |= BM_SSP_CMD0_APPEND_8CYC;
+
+ cmd1 = cmd->arg;
--- /dev/null
+From 73529c872a189c747bdb528ce9b85b67b0e28dec Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Mon, 5 Dec 2016 22:14:36 +0100
+Subject: mtd: nand: xway: disable module support
+
+From: Hauke Mehrtens <hauke@hauke-m.de>
+
+commit 73529c872a189c747bdb528ce9b85b67b0e28dec upstream.
+
+The xway_nand driver accesses the ltq_ebu_membase symbol which is not
+exported. This also should not get exported and we should handle the
+EBU interface in a better way later. This quick fix just deactivated
+support for building as module.
+
+Fixes: 99f2b107924c ("mtd: lantiq: Add NAND support on Lantiq XWAY SoC.")
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/Kconfig
++++ b/drivers/mtd/nand/Kconfig
+@@ -527,7 +527,7 @@ config MTD_NAND_FSMC
+ Flexible Static Memory Controller (FSMC)
+
+ config MTD_NAND_XWAY
+- tristate "Support for NAND on Lantiq XWAY SoC"
++ bool "Support for NAND on Lantiq XWAY SoC"
+ depends on LANTIQ && SOC_TYPE_XWAY
+ select MTD_NAND_PLATFORM
+ help
--- /dev/null
+From 51ebfc92b72b4f7dac1ab45683bf56741e454b8c Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Wed, 11 Jan 2017 09:11:53 -0600
+Subject: PCI: Enumerate switches below PCI-to-PCIe bridges
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+commit 51ebfc92b72b4f7dac1ab45683bf56741e454b8c upstream.
+
+A PCI-to-PCIe bridge (a "reverse bridge") has a PCI or PCI-X primary
+interface and a PCI Express secondary interface. The PCIe interface is a
+Downstream Port that originates a Link. See the "PCI Express to PCI/PCI-X
+Bridge Specification", rev 1.0, sections 1.2 and A.6.
+
+The bug report below involves a PCI-to-PCIe bridge and a PCIe switch below
+the bridge:
+
+ 00:1e.0 Intel 82801 PCI Bridge to [bus 01-0a]
+ 01:00.0 Pericom PI7C9X111SL PCIe-to-PCI Reversible Bridge to [bus 02-0a]
+ 02:00.0 Pericom Device 8608 [PCIe Upstream Port] to [bus 03-0a]
+ 03:01.0 Pericom Device 8608 [PCIe Downstream Port] to [bus 0a]
+
+01:00.0 is configured as a PCI-to-PCIe bridge (despite the name printed by
+lspci). As we traverse a PCIe hierarchy, device connections alternate
+between PCIe Links and internal Switch logic. Previously we did not
+recognize that 01:00.0 had a secondary link, so we thought the 02:00.0
+Upstream Port *did* have a secondary link. In fact, it's the other way
+around: 01:00.0 has a secondary link, and 02:00.0 has internal Switch logic
+on its secondary side.
+
+When we thought 02:00.0 had a secondary link, the pci_scan_slot() ->
+only_one_child() path assumed 02:00.0 could have only one child, so 03:00.0
+was the only possible downstream device. But 03:00.0 doesn't exist, so we
+didn't look for any other devices on bus 03.
+
+Booting with "pci=pcie_scan_all" is a workaround, but we don't want users
+to have to do that.
+
+Recognize that PCI-to-PCIe bridges originate links on their secondary
+interfaces.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=189361
+Fixes: d0751b98dfa3 ("PCI: Add dev->has_secondary_link to track downstream PCIe links")
+Tested-by: Blake Moore <blake.moore@men.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/probe.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1019,6 +1019,7 @@ void set_pcie_port_type(struct pci_dev *
+ pos = pci_find_capability(pdev, PCI_CAP_ID_EXP);
+ if (!pos)
+ return;
++
+ pdev->pcie_cap = pos;
+ pci_read_config_word(pdev, pos + PCI_EXP_FLAGS, ®16);
+ pdev->pcie_flags_reg = reg16;
+@@ -1026,13 +1027,14 @@ void set_pcie_port_type(struct pci_dev *
+ pdev->pcie_mpss = reg16 & PCI_EXP_DEVCAP_PAYLOAD;
+
+ /*
+- * A Root Port is always the upstream end of a Link. No PCIe
+- * component has two Links. Two Links are connected by a Switch
+- * that has a Port on each Link and internal logic to connect the
+- * two Ports.
++ * A Root Port or a PCI-to-PCIe bridge is always the upstream end
++ * of a Link. No PCIe component has two Links. Two Links are
++ * connected by a Switch that has a Port on each Link and internal
++ * logic to connect the two Ports.
+ */
+ type = pci_pcie_type(pdev);
+- if (type == PCI_EXP_TYPE_ROOT_PORT)
++ if (type == PCI_EXP_TYPE_ROOT_PORT ||
++ type == PCI_EXP_TYPE_PCIE_BRIDGE)
+ pdev->has_secondary_link = 1;
+ else if (type == PCI_EXP_TYPE_UPSTREAM ||
+ type == PCI_EXP_TYPE_DOWNSTREAM) {
--- /dev/null
+From fc1ffd6cb38a1c1af625b9833c41928039e733f5 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <quinn.tran@cavium.com>
+Date: Fri, 23 Dec 2016 18:06:10 -0800
+Subject: qla2xxx: Fix crash due to null pointer access
+
+From: Quinn Tran <quinn.tran@cavium.com>
+
+commit fc1ffd6cb38a1c1af625b9833c41928039e733f5 upstream.
+
+During code inspection, while investigating following stack trace
+seen on one of the test setup, we found out there was possibility
+of memory leak becuase driver was not unwinding the stack properly.
+
+This issue has not been reproduced in a test environment or on a
+customer setup.
+
+Here's stack trace that was seen.
+
+[1469877.797315] Call Trace:
+[1469877.799940] [<ffffffffa03ab6e9>] qla2x00_mem_alloc+0xb09/0x10c0 [qla2xxx]
+[1469877.806980] [<ffffffffa03ac50a>] qla2x00_probe_one+0x86a/0x1b50 [qla2xxx]
+[1469877.814013] [<ffffffff813b6d01>] ? __pm_runtime_resume+0x51/0xa0
+[1469877.820265] [<ffffffff8157c1f5>] ? _raw_spin_lock_irqsave+0x25/0x90
+[1469877.826776] [<ffffffff8157cd2d>] ? _raw_spin_unlock_irqrestore+0x6d/0x80
+[1469877.833720] [<ffffffff810741d1>] ? preempt_count_sub+0xb1/0x100
+[1469877.839885] [<ffffffff8157cd0c>] ? _raw_spin_unlock_irqrestore+0x4c/0x80
+[1469877.846830] [<ffffffff81319b9c>] local_pci_probe+0x4c/0xb0
+[1469877.852562] [<ffffffff810741d1>] ? preempt_count_sub+0xb1/0x100
+[1469877.858727] [<ffffffff81319c89>] pci_call_probe+0x89/0xb0
+
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+[ bvanassche: Fixed spelling in patch description ]
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -3365,7 +3365,7 @@ qla2x00_mem_alloc(struct qla_hw_data *ha
+ sizeof(struct ct6_dsd), 0,
+ SLAB_HWCACHE_ALIGN, NULL);
+ if (!ctx_cachep)
+- goto fail_free_gid_list;
++ goto fail_free_srb_mempool;
+ }
+ ha->ctx_mempool = mempool_create_slab_pool(SRB_MIN_REQ,
+ ctx_cachep);
+@@ -3518,7 +3518,7 @@ qla2x00_mem_alloc(struct qla_hw_data *ha
+ ha->loop_id_map = kzalloc(BITS_TO_LONGS(LOOPID_MAP_SIZE) * sizeof(long),
+ GFP_KERNEL);
+ if (!ha->loop_id_map)
+- goto fail_async_pd;
++ goto fail_loop_id_map;
+ else {
+ qla2x00_set_reserved_loop_ids(ha);
+ ql_dbg_pci(ql_dbg_init, ha->pdev, 0x0123,
+@@ -3527,6 +3527,8 @@ qla2x00_mem_alloc(struct qla_hw_data *ha
+
+ return 0;
+
++fail_loop_id_map:
++ dma_pool_free(ha->s_dma_pool, ha->async_pd, ha->async_pd_dma);
+ fail_async_pd:
+ dma_pool_free(ha->s_dma_pool, ha->ex_init_cb, ha->ex_init_cb_dma);
+ fail_ex_init_cb:
+@@ -3554,6 +3556,10 @@ fail_free_ms_iocb:
+ dma_pool_free(ha->s_dma_pool, ha->ms_iocb, ha->ms_iocb_dma);
+ ha->ms_iocb = NULL;
+ ha->ms_iocb_dma = 0;
++
++ if (ha->sns_cmd)
++ dma_free_coherent(&ha->pdev->dev, sizeof(struct sns_cmd_pkt),
++ ha->sns_cmd, ha->sns_cmd_dma);
+ fail_dma_pool:
+ if (IS_QLA82XX(ha) || ql2xenabledif) {
+ dma_pool_destroy(ha->fcp_cmnd_dma_pool);
+@@ -3571,10 +3577,12 @@ fail_free_nvram:
+ kfree(ha->nvram);
+ ha->nvram = NULL;
+ fail_free_ctx_mempool:
+- mempool_destroy(ha->ctx_mempool);
++ if (ha->ctx_mempool)
++ mempool_destroy(ha->ctx_mempool);
+ ha->ctx_mempool = NULL;
+ fail_free_srb_mempool:
+- mempool_destroy(ha->srb_mempool);
++ if (ha->srb_mempool)
++ mempool_destroy(ha->srb_mempool);
+ ha->srb_mempool = NULL;
+ fail_free_gid_list:
+ dma_free_coherent(&ha->pdev->dev, qla2x00_gid_list_size(ha),
arm-dts-imx31-fix-avic-base-address.patch
tmpfs-clear-s_isgid-when-setting-posix-acls.patch
x86-pci-ignore-_crs-on-supermicro-x8dth-i-6-if-6f.patch
+svcrpc-don-t-leak-contexts-on-proc_destroy.patch
+fuse-clear-fr_pending-flag-when-moving-requests-out-of-pending-queue.patch
+pci-enumerate-switches-below-pci-to-pcie-bridges.patch
+hid-corsair-fix-dma-buffers-on-stack.patch
+hid-corsair-fix-control-transfer-error-handling.patch
+mmc-mxs-mmc-fix-additional-cycles-after-transmission-stop.patch
+ieee802154-atusb-do-not-use-the-stack-for-buffers-to-make-them-dma-able.patch
+mtd-nand-xway-disable-module-support.patch
+x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch
+qla2xxx-fix-crash-due-to-null-pointer-access.patch
+ubifs-fix-journal-replay-wrt.-xattr-nodes.patch
+clocksource-exynos_mct-clear-interrupt-when-cpu-is-shut-down.patch
+svcrdma-avoid-duplicate-dma-unmapping-during-error-recovery.patch
+arm-8634-1-hw_breakpoint-blacklist-scorpion-cpus.patch
+ceph-fix-bad-endianness-handling-in-parse_reply_info_extra.patch
+arm-dts-da850-evm-fix-read-access-to-spi-flash.patch
+arm64-ptrace-preserve-previous-registers-for-short-regset-write.patch
+arm64-ptrace-preserve-previous-registers-for-short-regset-write-2.patch
+arm64-ptrace-preserve-previous-registers-for-short-regset-write-3.patch
+arm64-ptrace-avoid-uninitialised-struct-padding-in-fpr_set.patch
+arm64-ptrace-reject-attempts-to-set-incomplete-hardware-breakpoint-fields.patch
--- /dev/null
+From ce1ca7d2d140a1f4aaffd297ac487f246963dd2f Mon Sep 17 00:00:00 2001
+From: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
+Date: Mon, 9 Jan 2017 16:00:44 +0530
+Subject: svcrdma: avoid duplicate dma unmapping during error recovery
+
+From: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
+
+commit ce1ca7d2d140a1f4aaffd297ac487f246963dd2f upstream.
+
+In rdma_read_chunk_frmr() when ib_post_send() fails, the error code path
+invokes ib_dma_unmap_sg() to unmap the sg list. It then invokes
+svc_rdma_put_frmr() which in turn tries to unmap the same sg list through
+ib_dma_unmap_sg() again. This second unmap is invalid and could lead to
+problems when the iova being unmapped is subsequently reused. Remove
+the call to unmap in rdma_read_chunk_frmr() and let svc_rdma_put_frmr()
+handle it.
+
+Fixes: 412a15c0fe53 ("svcrdma: Port to new memory registration API")
+Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
+Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
++++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
+@@ -346,8 +346,6 @@ int rdma_read_chunk_frmr(struct svcxprt_
+ atomic_inc(&rdma_stat_read);
+ return ret;
+ err:
+- ib_dma_unmap_sg(xprt->sc_cm_id->device,
+- frmr->sg, frmr->sg_nents, frmr->direction);
+ svc_rdma_put_context(ctxt, 0);
+ svc_rdma_put_frmr(xprt, frmr);
+ return ret;
--- /dev/null
+From 78794d1890708cf94e3961261e52dcec2cc34722 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Mon, 9 Jan 2017 17:15:18 -0500
+Subject: svcrpc: don't leak contexts on PROC_DESTROY
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit 78794d1890708cf94e3961261e52dcec2cc34722 upstream.
+
+Context expiry times are in units of seconds since boot, not unix time.
+
+The use of get_seconds() here therefore sets the expiry time decades in
+the future. This prevents timely freeing of contexts destroyed by
+client RPC_GSS_PROC_DESTROY requests. We'd still free them eventually
+(when the module is unloaded or the container shut down), but a lot of
+contexts could pile up before then.
+
+Fixes: c5b29f885afe "sunrpc: use seconds since boot in expiry cache"
+Reported-by: Andy Adamson <andros@netapp.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/auth_gss/svcauth_gss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -1481,7 +1481,7 @@ svcauth_gss_accept(struct svc_rqst *rqst
+ case RPC_GSS_PROC_DESTROY:
+ if (gss_write_verf(rqstp, rsci->mechctx, gc->gc_seq))
+ goto auth_err;
+- rsci->h.expiry_time = get_seconds();
++ rsci->h.expiry_time = seconds_since_boot();
+ set_bit(CACHE_NEGATIVE, &rsci->h.flags);
+ if (resv->iov_len + 4 > PAGE_SIZE)
+ goto drop;
--- /dev/null
+From 1cb51a15b576ee325d527726afff40947218fd5e Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Tue, 10 Jan 2017 11:49:40 +0100
+Subject: ubifs: Fix journal replay wrt. xattr nodes
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 1cb51a15b576ee325d527726afff40947218fd5e upstream.
+
+When replaying the journal it can happen that a journal entry points to
+a garbage collected node.
+This is the case when a power-cut occurred between a garbage collect run
+and a commit. In such a case nodes have to be read using the failable
+read functions to detect whether the found node matches what we expect.
+
+One corner case was forgotten, when the journal contains an entry to
+remove an inode all xattrs have to be removed too. UBIFS models xattr
+like directory entries, so the TNC code iterates over
+all xattrs of the inode and removes them too. This code re-uses the
+functions for walking directories and calls ubifs_tnc_next_ent().
+ubifs_tnc_next_ent() expects to be used only after the journal and
+aborts when a node does not match the expected result. This behavior can
+render an UBIFS volume unmountable after a power-cut when xattrs are
+used.
+
+Fix this issue by using failable read functions in ubifs_tnc_next_ent()
+too when replaying the journal.
+Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
+Reported-by: Rock Lee <rockdotlee@gmail.com>
+Reviewed-by: David Gstir <david@sigma-star.at>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/tnc.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/fs/ubifs/tnc.c
++++ b/fs/ubifs/tnc.c
+@@ -34,6 +34,11 @@
+ #include <linux/slab.h>
+ #include "ubifs.h"
+
++static int try_read_node(const struct ubifs_info *c, void *buf, int type,
++ int len, int lnum, int offs);
++static int fallible_read_node(struct ubifs_info *c, const union ubifs_key *key,
++ struct ubifs_zbranch *zbr, void *node);
++
+ /*
+ * Returned codes of 'matches_name()' and 'fallible_matches_name()' functions.
+ * @NAME_LESS: name corresponding to the first argument is less than second
+@@ -402,7 +407,19 @@ static int tnc_read_node_nm(struct ubifs
+ return 0;
+ }
+
+- err = ubifs_tnc_read_node(c, zbr, node);
++ if (c->replaying) {
++ err = fallible_read_node(c, &zbr->key, zbr, node);
++ /*
++ * When the node was not found, return -ENOENT, 0 otherwise.
++ * Negative return codes stay as-is.
++ */
++ if (err == 0)
++ err = -ENOENT;
++ else if (err == 1)
++ err = 0;
++ } else {
++ err = ubifs_tnc_read_node(c, zbr, node);
++ }
+ if (err)
+ return err;
+
+@@ -2766,7 +2783,11 @@ struct ubifs_dent_node *ubifs_tnc_next_e
+ if (nm->name) {
+ if (err) {
+ /* Handle collisions */
+- err = resolve_collision(c, key, &znode, &n, nm);
++ if (c->replaying)
++ err = fallible_resolve_collision(c, key, &znode, &n,
++ nm, 0);
++ else
++ err = resolve_collision(c, key, &znode, &n, nm);
+ dbg_tnc("rc returned %d, znode %p, n %d",
+ err, znode, n);
+ if (unlikely(err < 0))
--- /dev/null
+From 020eb3daaba2857b32c4cf4c82f503d6a00a67de Mon Sep 17 00:00:00 2001
+From: Ruslan Ruslichenko <rruslich@cisco.com>
+Date: Tue, 17 Jan 2017 16:13:52 +0200
+Subject: x86/ioapic: Restore IO-APIC irq_chip retrigger callback
+
+From: Ruslan Ruslichenko <rruslich@cisco.com>
+
+commit 020eb3daaba2857b32c4cf4c82f503d6a00a67de upstream.
+
+commit d32932d02e18 removed the irq_retrigger callback from the IO-APIC
+chip and did not add it to the new IO-APIC-IR irq chip.
+
+Unfortunately the software resend fallback is not enabled on X86, so edge
+interrupts which are received during the lazy disabled state of the
+interrupt line are not retriggered and therefor lost.
+
+Restore the callbacks.
+
+[ tglx: Massaged changelog ]
+
+Fixes: d32932d02e18 ("x86/irq: Convert IOAPIC to use hierarchical irqdomain interfaces")
+Signed-off-by: Ruslan Ruslichenko <rruslich@cisco.com>
+Cc: xe-linux-external@cisco.com
+Link: http://lkml.kernel.org/r/1484662432-13580-1-git-send-email-rruslich@cisco.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/io_apic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -1875,6 +1875,7 @@ static struct irq_chip ioapic_chip __rea
+ .irq_ack = irq_chip_ack_parent,
+ .irq_eoi = ioapic_ack_level,
+ .irq_set_affinity = ioapic_set_affinity,
++ .irq_retrigger = irq_chip_retrigger_hierarchy,
+ .flags = IRQCHIP_SKIP_SET_WAKE,
+ };
+
+@@ -1886,6 +1887,7 @@ static struct irq_chip ioapic_ir_chip __
+ .irq_ack = irq_chip_ack_parent,
+ .irq_eoi = ioapic_ir_ack_level,
+ .irq_set_affinity = ioapic_set_affinity,
++ .irq_retrigger = irq_chip_retrigger_hierarchy,
+ .flags = IRQCHIP_SKIP_SET_WAKE,
+ };
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
