--- /dev/null
+From 5accd17d0eb523350c9ef754d655e379c9bb93b3 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Thu, 22 Oct 2015 15:41:52 +0100
+Subject: arm64: Fix compat register mappings
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit 5accd17d0eb523350c9ef754d655e379c9bb93b3 upstream.
+
+For reasons not entirely apparent, but now enshrined in history, the
+architectural mapping of AArch32 banked registers to AArch64 registers
+actually orders SP_<mode> and LR_<mode> backwards compared to the
+intuitive r13/r14 order, for all modes except FIQ.
+
+Fix the compat_<reg>_<mode> macros accordingly, in the hope of avoiding
+subtle bugs with KVM and AArch32 guests.
+
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/ptrace.h | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/arch/arm64/include/asm/ptrace.h
++++ b/arch/arm64/include/asm/ptrace.h
+@@ -83,14 +83,14 @@
+ #define compat_sp regs[13]
+ #define compat_lr regs[14]
+ #define compat_sp_hyp regs[15]
+-#define compat_sp_irq regs[16]
+-#define compat_lr_irq regs[17]
+-#define compat_sp_svc regs[18]
+-#define compat_lr_svc regs[19]
+-#define compat_sp_abt regs[20]
+-#define compat_lr_abt regs[21]
+-#define compat_sp_und regs[22]
+-#define compat_lr_und regs[23]
++#define compat_lr_irq regs[16]
++#define compat_sp_irq regs[17]
++#define compat_lr_svc regs[18]
++#define compat_sp_svc regs[19]
++#define compat_lr_abt regs[20]
++#define compat_sp_abt regs[21]
++#define compat_lr_und regs[22]
++#define compat_sp_und regs[23]
+ #define compat_r8_fiq regs[24]
+ #define compat_r9_fiq regs[25]
+ #define compat_r10_fiq regs[26]
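Review bot: The LR-before-SP order of the `compat_lr_<mode>`/`compat_sp_<mode>` pairs at regs[16] to regs[23] looks like a mistake to anyone expecting the r13/r14 order, and nothing in the header records that it is deliberate. A one-line comment above `compat_lr_irq`, for example `/* AArch32 banked LR_<mode> precedes SP_<mode> in the AArch64 mapping, except for FIQ */`, would keep a later cleanup from reverting it. The FIQ entries continue past the end of the hunk, so the comment belongs before the IRQ pair rather than over the whole list.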
--- /dev/null
+From cb083816ab5ac3d10a9417527f07fc5962cc3808 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Mon, 26 Oct 2015 21:42:33 +0000
+Subject: arm64: page-align sections for DEBUG_RODATA
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit cb083816ab5ac3d10a9417527f07fc5962cc3808 upstream.
+
+A kernel built with DEBUG_RO_DATA && !CONFIG_DEBUG_ALIGN_RODATA doesn't
+have .text aligned to a page boundary, though fixup_executable works at
+page-granularity thanks to its use of create_mapping. If .text is not
+page-aligned, the first page it exists in may be marked non-executable,
+leading to failures when an attempt is made to execute code in said
+page.
+
+This patch upgrades ALIGN_DEBUG_RO and ALIGN_DEBUG_RO_MIN to force page
+alignment for DEBUG_RO_DATA && !CONFIG_DEBUG_ALIGN_RODATA kernels,
+ensuring that all sections with specific RWX permission requirements are
+mapped with the correct permissions.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Reported-by: Jeremy Linton <jeremy.linton@arm.com>
+Reviewed-by: Laura Abbott <laura@labbott.name>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Suzuki Poulose <suzuki.poulose@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Fixes: da141706aea52c1a ("arm64: add better page protections to arm64")
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/vmlinux.lds.S | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/vmlinux.lds.S
++++ b/arch/arm64/kernel/vmlinux.lds.S
+@@ -54,9 +54,12 @@ PECOFF_FILE_ALIGNMENT = 0x200;
+ #define PECOFF_EDATA_PADDING
+ #endif
+
+-#ifdef CONFIG_DEBUG_ALIGN_RODATA
++#if defined(CONFIG_DEBUG_ALIGN_RODATA)
+ #define ALIGN_DEBUG_RO . = ALIGN(1<<SECTION_SHIFT);
+ #define ALIGN_DEBUG_RO_MIN(min) ALIGN_DEBUG_RO
++#elif defined(CONFIG_DEBUG_RODATA)
++#define ALIGN_DEBUG_RO . = ALIGN(1<<PAGE_SHIFT);
++#define ALIGN_DEBUG_RO_MIN(min) ALIGN_DEBUG_RO
+ #else
+ #define ALIGN_DEBUG_RO
+ #define ALIGN_DEBUG_RO_MIN(min) . = ALIGN(min);
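Review bot: In the new `CONFIG_DEBUG_RODATA` branch `ALIGN_DEBUG_RO_MIN(min)` discards its `min` argument and always aligns to `1<<PAGE_SHIFT`, so a caller asking for more than page alignment would silently get less. The call sites are outside this hunk, so whether any of them passes a value above the page size cannot be confirmed here. Because this macro decides where the permission boundaries between sections fall, the assumption should be written down on the branch, e.g. `/* page granularity suffices: every user passes min <= PAGE_SIZE */`.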
--- /dev/null
+From f680f70adbeab28b35f849016b964dd645db6237 Mon Sep 17 00:00:00 2001
+From: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
+Date: Tue, 3 Nov 2015 11:51:33 +0530
+Subject: ath10k: fix invalid NSS for 4x4 devices
+
+From: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
+
+commit f680f70adbeab28b35f849016b964dd645db6237 upstream.
+
+The number of spatial streams that are derived from chain mask
+for 4x4 devices is using wrong bitmask and conditional check.
+This is affecting downlink throughput for QCA99x0 devices. Earlier
+cfg_tx_chainmask is not filled by default until user configured it
+and so get_nss_from_chainmask would never be called. This issue is exposed
+by recent commit 166de3f1895d ("ath10k: remove supported chain mask").
+By default maximum supported chain mask is filled in cfg_tx_chainmask.
+
+Fixes: 5572a95b4b ("ath10k: apply chainmask settings to vdev on creation")
+Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -3183,7 +3183,7 @@ static int ath10k_config(struct ieee8021
+
+ static u32 get_nss_from_chainmask(u16 chain_mask)
+ {
+- if ((chain_mask & 0x15) == 0x15)
++ if ((chain_mask & 0xf) == 0xf)
+ return 4;
+ else if ((chain_mask & 0x7) == 0x7)
+ return 3;
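Review bot: The tests in `get_nss_from_chainmask` only recognise contiguous low-order masks, so even with the corrected `0xf` check a mask such as 0xd (three chains set, but not bits 0 to 2) falls through both visible branches to whatever lower value the rest of the function returns. Whether a non-contiguous chain mask can reach this function is not visible from the hunk. If it can, counting the set bits with `hweight16(chain_mask)` would be more robust than the prefix comparisons. Otherwise a comment stating that masks are always contiguous from bit 0 would document the assumption. The function body continues past the end of the hunk.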
--- /dev/null
+From cd355ff071cd37e7197eccf9216770b2b29369f7 Mon Sep 17 00:00:00 2001
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+Date: Mon, 5 Oct 2015 19:29:33 +0300
+Subject: Bluetooth: ath3k: Add new AR3012 0930:021c id
+
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+
+commit cd355ff071cd37e7197eccf9216770b2b29369f7 upstream.
+
+This adapter works with the existing linux-firmware.
+
+T: Bus=01 Lev=01 Prnt=01 Port=03 Cnt=02 Dev#= 3 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0930 ProdID=021c Rev=00.01
+C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+BugLink: https://bugs.launchpad.net/bugs/1502781
+
+Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/ath3k.c | 2 ++
+ drivers/bluetooth/btusb.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -93,6 +93,7 @@ static const struct usb_device_id ath3k_
+ { USB_DEVICE(0x04CA, 0x300f) },
+ { USB_DEVICE(0x04CA, 0x3010) },
+ { USB_DEVICE(0x0930, 0x0219) },
++ { USB_DEVICE(0x0930, 0x021c) },
+ { USB_DEVICE(0x0930, 0x0220) },
+ { USB_DEVICE(0x0930, 0x0227) },
+ { USB_DEVICE(0x0b05, 0x17d0) },
+@@ -153,6 +154,7 @@ static const struct usb_device_id ath3k_
+ { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -191,6 +191,7 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
--- /dev/null
+From 18e0afab8ce3f1230ce3fef52b2e73374fd9c0e7 Mon Sep 17 00:00:00 2001
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+Date: Fri, 16 Oct 2015 11:45:26 +0300
+Subject: Bluetooth: ath3k: Add support of AR3012 0cf3:817b device
+
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+
+commit 18e0afab8ce3f1230ce3fef52b2e73374fd9c0e7 upstream.
+
+T: Bus=04 Lev=02 Prnt=02 Port=04 Cnt=01 Dev#= 3 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0cf3 ProdID=817b Rev=00.02
+C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+BugLink: https://bugs.launchpad.net/bugs/1506615
+
+Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/ath3k.c | 2 ++
+ drivers/bluetooth/btusb.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -105,6 +105,7 @@ static const struct usb_device_id ath3k_
+ { USB_DEVICE(0x0CF3, 0x311F) },
+ { USB_DEVICE(0x0cf3, 0x3121) },
+ { USB_DEVICE(0x0CF3, 0x817a) },
++ { USB_DEVICE(0x0CF3, 0x817b) },
+ { USB_DEVICE(0x0cf3, 0xe003) },
+ { USB_DEVICE(0x0CF3, 0xE004) },
+ { USB_DEVICE(0x0CF3, 0xE005) },
+@@ -166,6 +167,7 @@ static const struct usb_device_id ath3k_
+ { USB_DEVICE(0x0cf3, 0x311F), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0CF3, 0x817a), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0CF3, 0x817b), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe006), .driver_info = BTUSB_ATH3012 },
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -203,6 +203,7 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0cf3, 0x817b), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
--- /dev/null
+From a6ad2a6b9cc1d9d791aee5462cfb8528f366f1d4 Mon Sep 17 00:00:00 2001
+From: Johan Hedberg <johan.hedberg@intel.com>
+Date: Mon, 19 Oct 2015 10:51:47 +0300
+Subject: Bluetooth: Fix removing connection parameters when unpairing
+
+From: Johan Hedberg <johan.hedberg@intel.com>
+
+commit a6ad2a6b9cc1d9d791aee5462cfb8528f366f1d4 upstream.
+
+The commit 89cbb0638e9b7 introduced support for deferred connection
+parameter removal when unpairing by removing them only once an
+existing connection gets disconnected. However, it failed to address
+the scenario when we're *not* connected and do an unpair operation.
+
+What makes things worse is that most user space BlueZ versions will
+first issue a disconnect request and only then unpair, meaning the
+buggy code will be triggered every time. This effectively causes the
+kernel to resume scanning and reconnect to a device for which we've
+removed all keys and GATT database information.
+
+This patch fixes the issue by adding the missing call to the
+hci_conn_params_del() function to a branch which handles the case of
+no existing connection.
+
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/mgmt.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -2962,6 +2962,11 @@ static int unpair_device(struct sock *sk
+ } else {
+ u8 addr_type;
+
++ if (cp->addr.type == BDADDR_LE_PUBLIC)
++ addr_type = ADDR_LE_DEV_PUBLIC;
++ else
++ addr_type = ADDR_LE_DEV_RANDOM;
++
+ conn = hci_conn_hash_lookup_ba(hdev, LE_LINK,
+ &cp->addr.bdaddr);
+ if (conn) {
+@@ -2977,13 +2982,10 @@ static int unpair_device(struct sock *sk
+ */
+ if (!cp->disconnect)
+ conn = NULL;
++ } else {
++ hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type);
+ }
+
+- if (cp->addr.type == BDADDR_LE_PUBLIC)
+- addr_type = ADDR_LE_DEV_PUBLIC;
+- else
+- addr_type = ADDR_LE_DEV_RANDOM;
+-
+ hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type);
+
+ err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type);
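Review bot: The `else` branch added after the `if (conn)` block calls `hci_conn_params_del()` without any comment, although it is the only place where the parameters are dropped immediately instead of at disconnect time. Leaving stale parameters behind means the kernel keeps scanning for and reconnecting to a device whose keys were just removed, so the reason deserves to be stated in the code: `/* Not connected: no disconnect event will clean up, so remove the connection parameters now */`. `unpair_device` starts before the first hunk and continues after this one.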
--- /dev/null
+From 660f0fc07d21114549c1862e67e78b1cf0c90c29 Mon Sep 17 00:00:00 2001
+From: David Herrmann <dh.herrmann@gmail.com>
+Date: Mon, 7 Sep 2015 12:05:41 +0200
+Subject: Bluetooth: hidp: fix device disconnect on idle timeout
+
+From: David Herrmann <dh.herrmann@gmail.com>
+
+commit 660f0fc07d21114549c1862e67e78b1cf0c90c29 upstream.
+
+The HIDP specs define an idle-timeout which automatically disconnects a
+device. This has always been implemented in the HIDP layer and forced a
+synchronous shutdown of the hidp-scheduler. This works just fine, but
+lacks a forced disconnect on the underlying l2cap channels. This has been
+broken since:
+
+ commit 5205185d461d5902325e457ca80bd421127b7308
+ Author: David Herrmann <dh.herrmann@gmail.com>
+ Date: Sat Apr 6 20:28:47 2013 +0200
+
+ Bluetooth: hidp: remove old session-management
+
+The old session-management always forced an l2cap error on the ctrl/intr
+channels when shutting down. The new session-management skips this, as we
+don't want to enforce channel policy on the caller. In other words, if
+user-space removes an HIDP device, the underlying channels (which are
+*owned* and *referenced* by user-space) are still left active. User-space
+needs to call shutdown(2) or close(2) to release them.
+
+Unfortunately, this does not work with idle-timeouts. There is no way to
+signal user-space that the HIDP layer has been stopped. The API simply
+does not support any event-passing except for poll(2). Hence, we restore
+old behavior and force EUNATCH on the sockets if the HIDP layer is
+disconnected due to idle-timeouts (behavior of explicit disconnects
+remains unmodified). User-space can still call
+
+ getsockopt(..., SO_ERROR, ...)
+
+..to retrieve the EUNATCH error and clear sk_err. Hence, the channels can
+still be re-used (which nobody does so far, though). Therefore, the API
+still supports the new behavior, but with this patch it's also compatible
+to the old implicit channel shutdown.
+
+Reported-by: Mark Haun <haunma@keteu.org>
+Reported-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
+Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hidp/core.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -401,6 +401,20 @@ static void hidp_idle_timeout(unsigned l
+ {
+ struct hidp_session *session = (struct hidp_session *) arg;
+
++ /* The HIDP user-space API only contains calls to add and remove
++ * devices. There is no way to forward events of any kind. Therefore,
++ * we have to forcefully disconnect a device on idle-timeouts. This is
++ * unfortunate and weird API design, but it is spec-compliant and
++ * required for backwards-compatibility. Hence, on idle-timeout, we
++ * signal driver-detach events, so poll() will be woken up with an
++ * error-condition on both sockets.
++ */
++
++ session->intr_sock->sk->sk_err = EUNATCH;
++ session->ctrl_sock->sk->sk_err = EUNATCH;
++ wake_up_interruptible(sk_sleep(session->intr_sock->sk));
++ wake_up_interruptible(sk_sleep(session->ctrl_sock->sk));
++
+ hidp_session_terminate(session);
+ }
+
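Review bot: The two `wake_up_interruptible(sk_sleep(...))` calls wake only sleepers on the socket wait queue and bypass the sockets' own `sk_error_report` callback, so a consumer that relies on asynchronous notification rather than poll() may never learn that `sk_err` was set. Calling the callback instead, `session->intr_sock->sk->sk_error_report(session->intr_sock->sk);` and the same for `ctrl_sock`, would go through the path other socket errors take. The stores to `sk_err` are also plain writes made from the timer callback. Whether anything orders them against a concurrent reader that consumes the error is not visible in this hunk and is worth confirming.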
--- /dev/null
+From 7cecd9ab80f43972c056dc068338f7bcc407b71c Mon Sep 17 00:00:00 2001
+From: Mirza Krak <mirza.krak@hostmobility.com>
+Date: Tue, 10 Nov 2015 14:59:34 +0100
+Subject: can: sja1000: clear interrupts on start
+
+From: Mirza Krak <mirza.krak@hostmobility.com>
+
+commit 7cecd9ab80f43972c056dc068338f7bcc407b71c upstream.
+
+According to SJA1000 data sheet error-warning (EI) interrupt is not
+cleared by setting the controller in to reset-mode.
+
+Then if we have the following case:
+- system is suspended (echo mem > /sys/power/state) and SJA1000 is left
+ in operating state
+- A bus error condition occurs which activates EI interrupt, system is
+ still suspended which means EI interrupt will not be handled nor
+ cleared.
+
+If the above two events occur, on resume there is no way to return the
+SJA1000 to operating state, except to cycle power to it.
+
+By simply reading the IR register on start we will clear any previous
+conditions that could be present.
+
+Signed-off-by: Mirza Krak <mirza.krak@hostmobility.com>
+Reported-by: Christian Magnusson <Christian.Magnusson@semcon.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/sja1000/sja1000.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/can/sja1000/sja1000.c
++++ b/drivers/net/can/sja1000/sja1000.c
+@@ -218,6 +218,9 @@ static void sja1000_start(struct net_dev
+ priv->write_reg(priv, SJA1000_RXERR, 0x0);
+ priv->read_reg(priv, SJA1000_ECC);
+
++ /* clear interrupt flags */
++ priv->read_reg(priv, SJA1000_IR);
++
+ /* leave reset mode */
+ set_normal_mode(dev);
+ }
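Review bot: The comment `/* clear interrupt flags */` does not say that the read itself is the clearing action, so the discarded result of `priv->read_reg(priv, SJA1000_IR)` reads like dead code that a cleanup could remove. Something like `/* reading IR clears pending flags; EI is not cleared by entering reset mode */` would record why the read must stay. `sja1000_start` begins before the hunk.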
--- /dev/null
+From 562b103a21974c2f9cd67514d110f918bb3e1796 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Fri, 30 Oct 2015 13:48:19 +0100
+Subject: can: Use correct type in sizeof() in nla_put()
+
+From: Marek Vasut <marex@denx.de>
+
+commit 562b103a21974c2f9cd67514d110f918bb3e1796 upstream.
+
+The sizeof() is invoked on an incorrect variable, likely due to some
+copy-paste error, and this might result in memory corruption. Fix this.
+
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Wolfgang Grandegger <wg@grandegger.com>
+Cc: netdev@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -915,7 +915,7 @@ static int can_fill_info(struct sk_buff
+ nla_put(skb, IFLA_CAN_BITTIMING_CONST,
+ sizeof(*priv->bittiming_const), priv->bittiming_const)) ||
+
+- nla_put(skb, IFLA_CAN_CLOCK, sizeof(cm), &priv->clock) ||
++ nla_put(skb, IFLA_CAN_CLOCK, sizeof(priv->clock), &priv->clock) ||
+ nla_put_u32(skb, IFLA_CAN_STATE, state) ||
+ nla_put(skb, IFLA_CAN_CTRLMODE, sizeof(cm), &cm) ||
+ nla_put_u32(skb, IFLA_CAN_RESTART_MS, priv->restart_ms) ||
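Review bot: With `sizeof(priv->clock)` the `IFLA_CAN_CLOCK` attribute may now have a different length than before, and the code that reserves space for these attributes is not part of this hunk. If that size estimate was written with the same copy-paste slip, it would now disagree with what `can_fill_info` emits, so it is worth checking that it is also derived from the clock object. The expression continues beyond both ends of the hunk.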
--- /dev/null
+From 7bdccef34fc67d3fce6778a018601dd41e43c5ce Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Fri, 23 Oct 2015 11:36:01 +0200
+Subject: clk: versatile-icst: fix memory leak
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit 7bdccef34fc67d3fce6778a018601dd41e43c5ce upstream.
+
+A static code checker found a memory leak in the Versatile
+ICST code. Fix it.
+
+Fixes: a183da637c52 "clk: versatile: respect parent rate in ICST clock"
+Reported-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/versatile/clk-icst.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/clk/versatile/clk-icst.c
++++ b/drivers/clk/versatile/clk-icst.c
+@@ -156,8 +156,10 @@ struct clk *icst_clk_register(struct dev
+ icst->lockreg = base + desc->lock_offset;
+
+ clk = clk_register(dev, &icst->hw);
+- if (IS_ERR(clk))
++ if (IS_ERR(clk)) {
++ kfree(pclone);
+ kfree(icst);
++ }
+
+ return clk;
+ }
--- /dev/null
+From b2f73922d119686323f14fbbe46587f863852328 Mon Sep 17 00:00:00 2001
+From: Ingo Molnar <mingo@kernel.org>
+Date: Wed, 30 Sep 2015 15:59:17 +0200
+Subject: fs/proc, core/debug: Don't expose absolute kernel addresses via wchan
+
+From: Ingo Molnar <mingo@kernel.org>
+
+commit b2f73922d119686323f14fbbe46587f863852328 upstream.
+
+So the /proc/PID/stat 'wchan' field (the 30th field, which contains
+the absolute kernel address of the kernel function a task is blocked in)
+leaks absolute kernel addresses to unprivileged user-space:
+
+ seq_put_decimal_ull(m, ' ', wchan);
+
+The absolute address might also leak via /proc/PID/wchan as well, if
+KALLSYMS is turned off or if the symbol lookup fails for some reason:
+
+static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns,
+ struct pid *pid, struct task_struct *task)
+{
+ unsigned long wchan;
+ char symname[KSYM_NAME_LEN];
+
+ wchan = get_wchan(task);
+
+ if (lookup_symbol_name(wchan, symname) < 0) {
+ if (!ptrace_may_access(task, PTRACE_MODE_READ))
+ return 0;
+ seq_printf(m, "%lu", wchan);
+ } else {
+ seq_printf(m, "%s", symname);
+ }
+
+ return 0;
+}
+
+This isn't ideal, because for example it trivially leaks the KASLR offset
+to any local attacker:
+
+ fomalhaut:~> printf "%016lx\n" $(cat /proc/$$/stat | cut -d' ' -f35)
+ ffffffff8123b380
+
+Most real-life uses of wchan are symbolic:
+
+ ps -eo pid:10,tid:10,wchan:30,comm
+
+and procps uses /proc/PID/wchan, not the absolute address in /proc/PID/stat:
+
+ triton:~/tip> strace -f ps -eo pid:10,tid:10,wchan:30,comm 2>&1 | grep wchan | tail -1
+ open("/proc/30833/wchan", O_RDONLY) = 6
+
+There's one compatibility quirk here: procps relies on whether the
+absolute value is non-zero - and we can provide that functionality
+by outputting "0" or "1" depending on whether the task is blocked
+(whether there's a wchan address).
+
+These days there appears to be very little legitimate reason
+user-space would be interested in the absolute address. The
+absolute address is mostly historic: from the days when we
+didn't have kallsyms and user-space procps had to do the
+decoding itself via the System.map.
+
+So this patch sets all numeric output to "0" or "1" and keeps only
+symbolic output, in /proc/PID/wchan.
+
+( The absolute sleep address can generally still be profiled via
+ perf, by tasks with sufficient privileges. )
+
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Kees Cook <keescook@chromium.org>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Andrey Konovalov <andreyknvl@google.com>
+Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Kostya Serebryany <kcc@google.com>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sasha Levin <sasha.levin@oracle.com>
+Cc: kasan-dev <kasan-dev@googlegroups.com>
+Cc: linux-kernel@vger.kernel.org
+Link: http://lkml.kernel.org/r/20150930135917.GA3285@gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/filesystems/proc.txt | 5 +++--
+ fs/proc/array.c | 16 ++++++++++++++--
+ fs/proc/base.c | 9 +++------
+ 3 files changed, 20 insertions(+), 10 deletions(-)
+
+--- a/Documentation/filesystems/proc.txt
++++ b/Documentation/filesystems/proc.txt
+@@ -140,7 +140,8 @@ Table 1-1: Process specific entries in /
+ stat Process status
+ statm Process memory status information
+ status Process status in human readable form
+- wchan If CONFIG_KALLSYMS is set, a pre-decoded wchan
++ wchan Present with CONFIG_KALLSYMS=y: it shows the kernel function
++ symbol the task is blocked in - or "0" if not blocked.
+ pagemap Page table
+ stack Report full stack trace, enable via CONFIG_STACKTRACE
+ smaps a extension based on maps, showing the memory consumption of
+@@ -309,7 +310,7 @@ Table 1-4: Contents of the stat files (a
+ blocked bitmap of blocked signals
+ sigign bitmap of ignored signals
+ sigcatch bitmap of caught signals
+- wchan address where process went to sleep
++ 0 (place holder, used to be the wchan address, use /proc/PID/wchan instead)
+ 0 (place holder)
+ 0 (place holder)
+ exit_signal signal to send to parent thread on exit
+--- a/fs/proc/array.c
++++ b/fs/proc/array.c
+@@ -364,7 +364,7 @@ int proc_pid_status(struct seq_file *m,
+ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
+ struct pid *pid, struct task_struct *task, int whole)
+ {
+- unsigned long vsize, eip, esp, wchan = ~0UL;
++ unsigned long vsize, eip, esp, wchan = 0;
+ int priority, nice;
+ int tty_pgrp = -1, tty_nr = 0;
+ sigset_t sigign, sigcatch;
+@@ -496,7 +496,19 @@ static int do_task_stat(struct seq_file
+ seq_put_decimal_ull(m, ' ', task->blocked.sig[0] & 0x7fffffffUL);
+ seq_put_decimal_ull(m, ' ', sigign.sig[0] & 0x7fffffffUL);
+ seq_put_decimal_ull(m, ' ', sigcatch.sig[0] & 0x7fffffffUL);
+- seq_put_decimal_ull(m, ' ', wchan);
++
++ /*
++ * We used to output the absolute kernel address, but that's an
++ * information leak - so instead we show a 0/1 flag here, to signal
++ * to user-space whether there's a wchan field in /proc/PID/wchan.
++ *
++ * This works with older implementations of procps as well.
++ */
++ if (wchan)
++ seq_puts(m, " 1");
++ else
++ seq_puts(m, " 0");
++
+ seq_put_decimal_ull(m, ' ', 0);
+ seq_put_decimal_ull(m, ' ', 0);
+ seq_put_decimal_ll(m, ' ', task->exit_signal);
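Review bot: The new comment says the flag signals "whether there's a wchan field in /proc/PID/wchan", but the code tests whether the local `wchan` is non-zero, which is a statement about this task and this reader rather than about the other file. Where `wchan` is assigned lies between the two hunks and is not visible. If it is only filled in for readers that pass a permission check, the flag is also 0 for everyone else and the comment should say so. Suggested wording: `1 if a wait address was obtained for this task, 0 otherwise; the address itself is never printed`.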
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -238,13 +238,10 @@ static int proc_pid_wchan(struct seq_fil
+
+ wchan = get_wchan(task);
+
+- if (lookup_symbol_name(wchan, symname) < 0) {
+- if (!ptrace_may_access(task, PTRACE_MODE_READ))
+- return 0;
+- seq_printf(m, "%lu", wchan);
+- } else {
++ if (wchan && ptrace_may_access(task, PTRACE_MODE_READ) && !lookup_symbol_name(wchan, symname))
+ seq_printf(m, "%s", symname);
+- }
++ else
++ seq_putc(m, '0');
+
+ return 0;
+ }
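Review bot: `get_wchan(task)` is still called before `ptrace_may_access()` is consulted, so the wait address is computed even for a reader who is then refused; checking access first would keep the raw address out of the function entirely in that case. The new condition also prints `0` for three different situations (not blocked, access denied, symbol lookup failed), while the proc.txt text added in this commit documents `0` only as "not blocked". The single-line condition is well over 80 columns, so I would break it as `if (wchan && ptrace_may_access(task, PTRACE_MODE_READ) &&` followed by `!lookup_symbol_name(wchan, symname))`. The function's opening lines are outside the hunk.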
--- /dev/null
+From 4ab75944c4b324c1f5f01dbd4c4d122d2b9da187 Mon Sep 17 00:00:00 2001
+From: Oren Givon <oren.givon@intel.com>
+Date: Wed, 28 Oct 2015 12:32:20 +0200
+Subject: iwlwifi: Add new PCI IDs for the 8260 series
+
+From: Oren Givon <oren.givon@intel.com>
+
+commit 4ab75944c4b324c1f5f01dbd4c4d122d2b9da187 upstream.
+
+Add some new PCI IDs for the 8260 series which were missing.
+The following sub-system IDs were added:
+0x0130, 0x1130, 0x0132, 0x1132, 0x1150, 0x8110, 0x9110, 0x8130,
+0x9130, 0x8132, 0x9132, 0x8150, 0x9150, 0x0044, 0x0930
+
+Signed-off-by: Oren Givon <oren.givon@intel.com>
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/pcie/drv.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/iwlwifi/pcie/drv.c
+@@ -421,14 +421,21 @@ static const struct pci_device_id iwl_hw
+ /* 8000 Series */
+ {IWL_PCI_DEVICE(0x24F3, 0x0010, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x1010, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x0130, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x1130, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x0132, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x1132, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0110, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x01F0, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x0012, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x1012, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x1110, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0050, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0250, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x1050, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0150, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x1150, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F4, 0x0030, iwl8260_2ac_cfg)},
+- {IWL_PCI_DEVICE(0x24F4, 0x1130, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F4, 0x1030, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0xC010, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0xD010, iwl8260_2ac_cfg)},
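Review bot: Sub-system IDs 0x01F0, 0x0012 and 0x1012 are added in this hunk and the `0x24F4, 0x1130` entry is removed, yet none of these appears in the list of IDs given in the description. The other additions here and in the second hunk do match that list. The description should either name these three IDs and explain the removal, or the extra lines should move to their own change, so that a device that stops binding after the update can be traced to a stated decision.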
+@@ -437,18 +444,28 @@ static const struct pci_device_id iwl_hw
+ {IWL_PCI_DEVICE(0x24F3, 0xC050, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0xD050, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x8010, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x8110, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x9010, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x9110, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F4, 0x8030, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F4, 0x9030, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x8130, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x9130, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x8132, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x9132, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x8050, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x8150, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x9050, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x9150, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0004, iwl8260_2n_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x0044, iwl8260_2n_cfg)},
+ {IWL_PCI_DEVICE(0x24F5, 0x0010, iwl4165_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F6, 0x0030, iwl4165_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0810, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0910, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0850, iwl8260_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x24F3, 0x0950, iwl8260_2ac_cfg)},
++ {IWL_PCI_DEVICE(0x24F3, 0x0930, iwl8260_2ac_cfg)},
+ #endif /* CONFIG_IWLMVM */
+
+ {0}
--- /dev/null
+From 03a19cbb91994212be72ce15ac3406fa9f8ba079 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Wed, 21 Oct 2015 19:55:32 +0300
+Subject: iwlwifi: pcie: fix (again) prepare card flow
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 03a19cbb91994212be72ce15ac3406fa9f8ba079 upstream.
+
+The hardware bug in the commit mentioned below forces us
+not to re-enable the clock gating in the Host Cluster.
+The impact on the power consumption is minimal and it allows
+the WAKE_ME interrupt to propagate.
+
+Fixes: c9fdec9f3970 ("iwlwifi: pcie: fix prepare card flow")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
+@@ -572,10 +572,8 @@ static int iwl_pcie_prepare_card_hw(stru
+
+ do {
+ ret = iwl_pcie_set_hw_ready(trans);
+- if (ret >= 0) {
+- ret = 0;
+- goto out;
+- }
++ if (ret >= 0)
++ return 0;
+
+ usleep_range(200, 1000);
+ t += 200;
+@@ -585,10 +583,6 @@ static int iwl_pcie_prepare_card_hw(stru
+
+ IWL_ERR(trans, "Couldn't prepare the card\n");
+
+-out:
+- iwl_clear_bit(trans, CSR_DBG_LINK_PWR_MGMT_REG,
+- CSR_RESET_LINK_PWR_MGMT_DISABLED);
+-
+ return ret;
+ }
+
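Review bot: After this change nothing in the visible part of `iwl_pcie_prepare_card_hw` clears `CSR_RESET_LINK_PWR_MGMT_DISABLED` any more, and the function carries no comment saying that this is deliberate. If the bit is set earlier in the function (outside these hunks), a comment at that point such as `/* left set on purpose: re-enabling clock gating blocks the WAKE_ME interrupt (hardware bug) */` would stop someone from restoring the removed `iwl_clear_bit()` call. The function starts before the first hunk.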
--- /dev/null
+From b85de33a1a3433487b6a721cfdce25ec8673e622 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Date: Thu, 5 Nov 2015 09:38:15 +0100
+Subject: KVM: s390: avoid memory overwrites on emergency signal injection
+
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+
+commit b85de33a1a3433487b6a721cfdce25ec8673e622 upstream.
+
+Commit 383d0b050106 ("KVM: s390: handle pending local interrupts via
+bitmap") introduced a possible memory overwrite from user space.
+
+User space could pass an invalid emergency signal code (sending VCPU)
+and therefore exceed the bitmap. Let's take care of this case and
+check that the id is in the valid range.
+
+Reviewed-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
+Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/interrupt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/s390/kvm/interrupt.c
++++ b/arch/s390/kvm/interrupt.c
+@@ -1133,6 +1133,10 @@ static int __inject_sigp_emergency(struc
+ trace_kvm_s390_inject_vcpu(vcpu->vcpu_id, KVM_S390_INT_EMERGENCY,
+ irq->u.emerg.code, 0, 2);
+
++ /* sending vcpu invalid */
++ if (kvm_get_vcpu_by_id(vcpu->kvm, irq->u.emerg.code) == NULL)
++ return -EINVAL;
++
+ set_bit(irq->u.emerg.code, li->sigp_emerg_pending);
+ set_bit(IRQ_PEND_EXT_EMERGENCY, &li->pending_irqs);
+ atomic_set_mask(CPUSTAT_EXT_INT, li->cpuflags);
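Review bot: The comment on the new guard, `/* sending vcpu invalid */`, does not say what the check protects: irq->u.emerg.code is supplied by user space and is used three lines later as the bit index in `set_bit(irq->u.emerg.code, li->sigp_emerg_pending)`. The guard is a lookup rather than a range test, so the bound on that index rests on every existing VCPU id being smaller than the bitmap size, which is established outside this hunk and should be confirmed. I would spell that out, e.g. `/* emerg.code is a user-supplied sender id: only ids of existing VCPUs may index sigp_emerg_pending */`. __inject_sigp_emergency starts and ends outside the hunk.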
--- /dev/null
+From 152e9f65d66f0a3891efc3869440becc0e7ff53f Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Date: Thu, 5 Nov 2015 09:06:06 +0100
+Subject: KVM: s390: fix wrong lookup of VCPUs by array index
+
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+
+commit 152e9f65d66f0a3891efc3869440becc0e7ff53f upstream.
+
+For now, VCPUs were always created sequentially with incrementing
+VCPU ids. Therefore, the index in the VCPUs array matched the id.
+
+As sequential creation might change with cpu hotplug, let's use
+the correct lookup function to find a VCPU by id, not array index.
+
+Let's also use kvm_lookup_vcpu() for validation of the sending VCPU
+on external call injection.
+
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/interrupt.c | 3 +--
+ arch/s390/kvm/sigp.c | 8 ++------
+ 2 files changed, 3 insertions(+), 8 deletions(-)
+
+--- a/arch/s390/kvm/interrupt.c
++++ b/arch/s390/kvm/interrupt.c
+@@ -1054,8 +1054,7 @@ static int __inject_extcall(struct kvm_v
+ src_id, 0, 2);
+
+ /* sending vcpu invalid */
+- if (src_id >= KVM_MAX_VCPUS ||
+- kvm_get_vcpu(vcpu->kvm, src_id) == NULL)
++ if (kvm_get_vcpu_by_id(vcpu->kvm, src_id) == NULL)
+ return -EINVAL;
+
+ if (sclp_has_sigpif())
+--- a/arch/s390/kvm/sigp.c
++++ b/arch/s390/kvm/sigp.c
+@@ -294,12 +294,8 @@ static int handle_sigp_dst(struct kvm_vc
+ u16 cpu_addr, u32 parameter, u64 *status_reg)
+ {
+ int rc;
+- struct kvm_vcpu *dst_vcpu;
++ struct kvm_vcpu *dst_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr);
+
+- if (cpu_addr >= KVM_MAX_VCPUS)
+- return SIGP_CC_NOT_OPERATIONAL;
+-
+- dst_vcpu = kvm_get_vcpu(vcpu->kvm, cpu_addr);
+ if (!dst_vcpu)
+ return SIGP_CC_NOT_OPERATIONAL;
+
+@@ -481,7 +477,7 @@ int kvm_s390_handle_sigp_pei(struct kvm_
+ trace_kvm_s390_handle_sigp_pei(vcpu, order_code, cpu_addr);
+
+ if (order_code == SIGP_EXTERNAL_CALL) {
+- dest_vcpu = kvm_get_vcpu(vcpu->kvm, cpu_addr);
++ dest_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr);
+ BUG_ON(dest_vcpu == NULL);
+
+ kvm_s390_vcpu_wakeup(dest_vcpu);
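Review bot: The `BUG_ON(dest_vcpu == NULL)` that follows the changed lookup turns a failed lookup into a host panic, and with `kvm_get_vcpu_by_id()` the result now depends on a search for cpu_addr instead of an array slot. The interception path presumably guarantees that the destination exists, but that is not visible here, and cpu_addr is derived from guest state. I would prefer `if (WARN_ON_ONCE(!dest_vcpu))` followed by the function's existing failure return, so that a broken invariant costs a warning rather than the host. kvm_s390_handle_sigp_pei continues outside the hunk.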
--- /dev/null
+From c5c2c393468576bad6d10b2b5fefff8cd25df3f4 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Date: Mon, 26 Oct 2015 08:41:29 +0100
+Subject: KVM: s390: SCA must not cross page boundaries
+
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+
+commit c5c2c393468576bad6d10b2b5fefff8cd25df3f4 upstream.
+
+We seemed to have missed a few corner cases in commit f6c137ff00a4
+("KVM: s390: randomize sca address").
+
+The SCA has a maximum size of 2112 bytes. By setting the sca_offset to
+some unlucky numbers, we exceed the page.
+
+0x7c0 (1984) -> Fits exactly
+0x7d0 (2000) -> 16 bytes out
+0x7e0 (2016) -> 32 bytes out
+0x7f0 (2032) -> 48 bytes out
+
+One VCPU entry is 32 bytes long.
+
+For the last two cases, we actually write data to the other page.
+1. The address of the VCPU.
+2. Injection/delivery/clearing of SIGP externall calls via SIGP IF.
+
+Especially the 2. happens regularly. So this could produce two problems:
+1. The guest losing/getting external calls.
+2. Random memory overwrites in the host.
+
+So this problem happens on every 127 + 128 created VM with 64 VCPUs.
+
+Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/kvm-s390.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -1031,7 +1031,9 @@ int kvm_arch_init_vm(struct kvm *kvm, un
+ if (!kvm->arch.sca)
+ goto out_err;
+ spin_lock(&kvm_lock);
+- sca_offset = (sca_offset + 16) & 0x7f0;
++ sca_offset += 16;
++ if (sca_offset + sizeof(struct sca_block) > PAGE_SIZE)
++ sca_offset = 0;
+ kvm->arch.sca = (struct sca_block *) ((char *) kvm->arch.sca + sca_offset);
+ spin_unlock(&kvm_lock);
+
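Review bot: The wrap test `sca_offset + sizeof(struct sca_block) > PAGE_SIZE` is only sufficient if the backing allocation is exactly one page and struct sca_block never grows beyond a page; neither is visible in this hunk. A `BUILD_BUG_ON(sizeof(struct sca_block) > PAGE_SIZE);` next to the check would pin the second assumption, and a comment such as `/* the whole SCA must stay inside the page we allocated */` would record why the old `& 0x7f0` mask was not enough. The step of 16 is a bare literal and would read better as a named constant. kvm_arch_init_vm continues outside the hunk.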
--- /dev/null
+From c77f3fab441c3e466b4c3601a475fc31ce156b06 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Thu, 8 Oct 2015 20:23:33 +0200
+Subject: kvm: x86: set KVM_REQ_EVENT when updating IRR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+
+commit c77f3fab441c3e466b4c3601a475fc31ce156b06 upstream.
+
+After moving PIR to IRR, the interrupt needs to be delivered manually.
+
+Reported-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/lapic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -339,6 +339,8 @@ void kvm_apic_update_irr(struct kvm_vcpu
+ struct kvm_lapic *apic = vcpu->arch.apic;
+
+ __kvm_apic_update_irr(pir, apic->regs);
++
++ kvm_make_request(KVM_REQ_EVENT, vcpu);
+ }
+ EXPORT_SYMBOL_GPL(kvm_apic_update_irr);
+
--- /dev/null
+From 54a20552e1eae07aa240fa370a0293e006b5faed Mon Sep 17 00:00:00 2001
+From: Eric Northup <digitaleric@google.com>
+Date: Tue, 3 Nov 2015 18:03:53 +0100
+Subject: KVM: x86: work around infinite loop in microcode when #AC is delivered
+
+From: Eric Northup <digitaleric@google.com>
+
+commit 54a20552e1eae07aa240fa370a0293e006b5faed upstream.
+
+It was found that a guest can DoS a host by triggering an infinite
+stream of "alignment check" (#AC) exceptions. This causes the
+microcode to enter an infinite loop where the core never receives
+another interrupt. The host kernel panics pretty quickly due to the
+effects (CVE-2015-5307).
+
+Signed-off-by: Eric Northup <digitaleric@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/uapi/asm/svm.h | 1 +
+ arch/x86/kvm/svm.c | 8 ++++++++
+ arch/x86/kvm/vmx.c | 5 ++++-
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/uapi/asm/svm.h
++++ b/arch/x86/include/uapi/asm/svm.h
+@@ -100,6 +100,7 @@
+ { SVM_EXIT_EXCP_BASE + UD_VECTOR, "UD excp" }, \
+ { SVM_EXIT_EXCP_BASE + PF_VECTOR, "PF excp" }, \
+ { SVM_EXIT_EXCP_BASE + NM_VECTOR, "NM excp" }, \
++ { SVM_EXIT_EXCP_BASE + AC_VECTOR, "AC excp" }, \
+ { SVM_EXIT_EXCP_BASE + MC_VECTOR, "MC excp" }, \
+ { SVM_EXIT_INTR, "interrupt" }, \
+ { SVM_EXIT_NMI, "nmi" }, \
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -1105,6 +1105,7 @@ static void init_vmcb(struct vcpu_svm *s
+ set_exception_intercept(svm, PF_VECTOR);
+ set_exception_intercept(svm, UD_VECTOR);
+ set_exception_intercept(svm, MC_VECTOR);
++ set_exception_intercept(svm, AC_VECTOR);
+
+ set_intercept(svm, INTERCEPT_INTR);
+ set_intercept(svm, INTERCEPT_NMI);
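Review bot: The added `set_exception_intercept(svm, AC_VECTOR);` carries no comment, and unlike its neighbours this intercept exists to protect the host rather than to emulate anything: per the commit message, an uninterrupted stream of #AC exceptions from a guest hangs the core (CVE-2015-5307). Because the handler only re-queues the exception, a later cleanup could mistake the intercept for a no-op and drop it. I would add `/* Intercept #AC unconditionally: host DoS workaround, do not remove */` here and next to `(1u << AC_VECTOR)` in update_exception_bitmap() in the vmx.c hunk. Whether other exceptions that can recur during delivery need the same unconditional intercept cannot be answered from the visible context and is worth checking.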
+@@ -1791,6 +1792,12 @@ static int ud_interception(struct vcpu_s
+ return 1;
+ }
+
++static int ac_interception(struct vcpu_svm *svm)
++{
++ kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0);
++ return 1;
++}
++
+ static void svm_fpu_activate(struct kvm_vcpu *vcpu)
+ {
+ struct vcpu_svm *svm = to_svm(vcpu);
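Review bot: ac_interception() re-injects with a literal error code, `kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0)`, while the VMX path in handle_exception() forwards the `error_code` taken from the exit. The two are presumably equivalent because #AC always carries a zero error code, but the asymmetry reads like an oversight. A one-line comment, `/* #AC error code is always 0 */`, would settle it, and a short header comment should say that the handler only reflects the exception back into the guest.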
+@@ -3361,6 +3368,7 @@ static int (*const svm_exit_handlers[])(
+ [SVM_EXIT_EXCP_BASE + PF_VECTOR] = pf_interception,
+ [SVM_EXIT_EXCP_BASE + NM_VECTOR] = nm_interception,
+ [SVM_EXIT_EXCP_BASE + MC_VECTOR] = mc_interception,
++ [SVM_EXIT_EXCP_BASE + AC_VECTOR] = ac_interception,
+ [SVM_EXIT_INTR] = intr_interception,
+ [SVM_EXIT_NMI] = nmi_interception,
+ [SVM_EXIT_SMI] = nop_on_interception,
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1567,7 +1567,7 @@ static void update_exception_bitmap(stru
+ u32 eb;
+
+ eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) |
+- (1u << NM_VECTOR) | (1u << DB_VECTOR);
++ (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR);
+ if ((vcpu->guest_debug &
+ (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) ==
+ (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP))
+@@ -5127,6 +5127,9 @@ static int handle_exception(struct kvm_v
+ return handle_rmode_exception(vcpu, ex_no, error_code);
+
+ switch (ex_no) {
++ case AC_VECTOR:
++ kvm_queue_exception_e(vcpu, AC_VECTOR, error_code);
++ return 1;
+ case DB_VECTOR:
+ dr6 = vmcs_readl(EXIT_QUALIFICATION);
+ if (!(vcpu->guest_debug &
--- /dev/null
+From 254d3dfe445f94a764e399ca12e04365ac9413ed Mon Sep 17 00:00:00 2001
+From: Arik Nemtsov <arik@wizery.com>
+Date: Sun, 25 Oct 2015 10:59:41 +0200
+Subject: mac80211: allow null chandef in tracing
+
+From: Arik Nemtsov <arik@wizery.com>
+
+commit 254d3dfe445f94a764e399ca12e04365ac9413ed upstream.
+
+In TDLS channel-switch operations the chandef can sometimes be NULL.
+Avoid an oops in the trace code for these cases and just print a
+chandef full of zeros.
+
+Fixes: a7a6bdd0670fe ("mac80211: introduce TDLS channel switch ops")
+Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/trace.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/mac80211/trace.h
++++ b/net/mac80211/trace.h
+@@ -33,11 +33,11 @@
+ __field(u32, chan_width) \
+ __field(u32, center_freq1) \
+ __field(u32, center_freq2)
+-#define CHANDEF_ASSIGN(c) \
+- __entry->control_freq = (c)->chan ? (c)->chan->center_freq : 0; \
+- __entry->chan_width = (c)->width; \
+- __entry->center_freq1 = (c)->center_freq1; \
+- __entry->center_freq2 = (c)->center_freq2;
++#define CHANDEF_ASSIGN(c) \
++ __entry->control_freq = (c) ? ((c)->chan ? (c)->chan->center_freq : 0) : 0; \
++ __entry->chan_width = (c) ? (c)->width : 0; \
++ __entry->center_freq1 = (c) ? (c)->center_freq1 : 0; \
++ __entry->center_freq2 = (c) ? (c)->center_freq2 : 0;
+ #define CHANDEF_PR_FMT " control:%d MHz width:%d center: %d/%d MHz"
+ #define CHANDEF_PR_ARG __entry->control_freq, __entry->chan_width, \
+ __entry->center_freq1, __entry->center_freq2
--- /dev/null
+From 519ee6918b91abdc4bc9720deae17599a109eb40 Mon Sep 17 00:00:00 2001
+From: "Janusz.Dziedzic@tieto.com" <Janusz.Dziedzic@tieto.com>
+Date: Tue, 27 Oct 2015 08:35:11 +0100
+Subject: mac80211: fix divide by zero when NOA update
+
+From: "Janusz.Dziedzic@tieto.com" <Janusz.Dziedzic@tieto.com>
+
+commit 519ee6918b91abdc4bc9720deae17599a109eb40 upstream.
+
+In case of one shot NOA the interval can be 0, catch that
+instead of potentially (depending on the driver) crashing
+like this:
+
+divide error: 0000 [#1] SMP
+[...]
+Call Trace:
+<IRQ>
+[<ffffffffc08e891c>] ieee80211_extend_absent_time+0x6c/0xb0 [mac80211]
+[<ffffffffc08e8a17>] ieee80211_update_p2p_noa+0xb7/0xe0 [mac80211]
+[<ffffffffc069cc30>] ath9k_p2p_ps_timer+0x170/0x190 [ath9k]
+[<ffffffffc070adf8>] ath_gen_timer_isr+0xc8/0xf0 [ath9k_hw]
+[<ffffffffc0691156>] ath9k_tasklet+0x296/0x2f0 [ath9k]
+[<ffffffff8107ad65>] tasklet_action+0xe5/0xf0
+[...]
+
+Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/util.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -2984,6 +2984,13 @@ ieee80211_extend_noa_desc(struct ieee802
+ if (end > 0)
+ return false;
+
++ /* One shot NOA */
++ if (data->count[i] == 1)
++ return false;
++
++ if (data->desc[i].interval == 0)
++ return false;
++
+ /* End time is in the past, check for repetitions */
+ skip = DIV_ROUND_UP(-end, data->desc[i].interval);
+ if (data->count[i] < 255) {
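Review bot: Of the two added guards only the first is commented, yet it is the second, `if (data->desc[i].interval == 0)`, that keeps a zero divisor away from `DIV_ROUND_UP(-end, data->desc[i].interval)` below. The descriptor values presumably originate from a received NoA attribute, i.e. from the peer, so the comment should say that: `/* interval is peer-supplied; never divide by a zero interval */`. The `count[i] == 1` test can share that comment block, since a one-shot NoA is the case in which a zero interval is expected. ieee80211_extend_noa_desc starts and ends outside the hunk.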
--- /dev/null
+From 8ec6d97871f37e4743678ea4a455bd59580aa0f4 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 28 Aug 2015 10:52:53 +0200
+Subject: mac80211: fix driver RSSI event calculations
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 8ec6d97871f37e4743678ea4a455bd59580aa0f4 upstream.
+
+The ifmgd->ave_beacon_signal value cannot be taken as is for
+comparisons, it must be divided by since it's represented
+like that for better accuracy of the EWMA calculations. This
+would lead to invalid driver RSSI events. Fix the used value.
+
+Fixes: 615f7b9bb1f8 ("mac80211: add driver RSSI threshold events")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mlme.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -3340,7 +3340,7 @@ static void ieee80211_rx_mgmt_beacon(str
+
+ if (ifmgd->rssi_min_thold != ifmgd->rssi_max_thold &&
+ ifmgd->count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT) {
+- int sig = ifmgd->ave_beacon_signal;
++ int sig = ifmgd->ave_beacon_signal / 16;
+ int last_sig = ifmgd->last_ave_beacon_signal;
+ struct ieee80211_event event = {
+ .type = RSSI_EVENT,
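Review bot: The divisor in `int sig = ifmgd->ave_beacon_signal / 16;` is a bare literal that has to match the scaling applied where the average is accumulated, which is outside this hunk. A named constant shared by both sites, or at least a comment such as `/* ave_beacon_signal is stored scaled by 16 for EWMA precision */`, would keep the two from drifting apart. It is also worth confirming that `last_ave_beacon_signal` on the next line is kept in the unscaled unit, otherwise the threshold comparison mixes the two.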
--- /dev/null
+From a64cba3c5330704a034bd3179270b8d04daf6987 Mon Sep 17 00:00:00 2001
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Date: Sun, 25 Oct 2015 10:59:38 +0200
+Subject: mac80211: Fix local deauth while associating
+
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+
+commit a64cba3c5330704a034bd3179270b8d04daf6987 upstream.
+
+Local request to deauthenticate wasn't handled while associating, thus
+the association could continue even when the user space required to
+disconnect.
+
+Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mlme.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -4946,6 +4946,25 @@ int ieee80211_mgd_deauth(struct ieee8021
+ return 0;
+ }
+
++ if (ifmgd->assoc_data &&
++ ether_addr_equal(ifmgd->assoc_data->bss->bssid, req->bssid)) {
++ sdata_info(sdata,
++ "aborting association with %pM by local choice (Reason: %u=%s)\n",
++ req->bssid, req->reason_code,
++ ieee80211_get_reason_code_string(req->reason_code));
++
++ drv_mgd_prepare_tx(sdata->local, sdata);
++ ieee80211_send_deauth_disassoc(sdata, req->bssid,
++ IEEE80211_STYPE_DEAUTH,
++ req->reason_code, tx,
++ frame_buf);
++ ieee80211_destroy_assoc_data(sdata, false);
++ ieee80211_report_disconnect(sdata, frame_buf,
++ sizeof(frame_buf), true,
++ req->reason_code);
++ return 0;
++ }
++
+ if (ifmgd->associated &&
+ ether_addr_equal(ifmgd->associated->bssid, req->bssid)) {
+ sdata_info(sdata,
--- /dev/null
+From 75c08f17ec87c2d742487bb87408d6feebc526bd Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Fri, 18 Sep 2015 09:29:04 -0700
+Subject: mfd: twl6040: Fix deferred probe handling for clk32k
+
+From: Tony Lindgren <tony@atomide.com>
+
+commit 75c08f17ec87c2d742487bb87408d6feebc526bd upstream.
+
+Commit 68bab8662f49 ("mfd: twl6040: Optional clk32k clock handling")
+added clock handling for the 32k clock from palmas-clk. However, that
+patch did not consider a typical situation where twl6040 is built-in,
+and palmas-clk is a loadable module like we have in omap2plus_defconfig.
+
+If palmas-clk is not loaded before twl6040 probes, we will get a
+"clk32k is not handled" warning during booting. This means that any
+drivers relying on this clock will mysteriously fail, including
+omap5-uevm WLAN and audio.
+
+Note that for WLAN, we probably should also eventually get
+the clk32kgaudio for MMC3 directly as that's shared between
+audio and WLAN SDIO at least for omap5-uevm. It seems the
+WLAN chip cannot get it as otherwise MMC3 won't get properly
+probed.
+
+Fixes: 68bab8662f49 ("mfd: twl6040: Optional clk32k clock handling")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Reviewed-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/twl6040.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mfd/twl6040.c
++++ b/drivers/mfd/twl6040.c
+@@ -647,6 +647,8 @@ static int twl6040_probe(struct i2c_clie
+
+ twl6040->clk32k = devm_clk_get(&client->dev, "clk32k");
+ if (IS_ERR(twl6040->clk32k)) {
++ if (PTR_ERR(twl6040->clk32k) == -EPROBE_DEFER)
++ return -EPROBE_DEFER;
+ dev_info(&client->dev, "clk32k is not handled\n");
+ twl6040->clk32k = NULL;
+ }
--- /dev/null
+From 002374f371bd02df864cce1fe85d90dc5b292837 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Wed, 11 Nov 2015 14:21:18 +0000
+Subject: MIPS: KVM: Fix ASID restoration logic
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 002374f371bd02df864cce1fe85d90dc5b292837 upstream.
+
+ASID restoration on guest resume should determine the guest execution
+mode based on the guest Status register rather than bit 30 of the guest
+PC.
+
+Fix the two places in locore.S that do this, loading the guest status
+from the cop0 area. Note, this assembly is specific to the trap &
+emulate implementation of KVM, so it doesn't need to check the
+supervisor bit as that mode is not implemented in the guest.
+
+Fixes: b680f70fc111 ("KVM/MIPS32: Entry point for trampolining to...")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Gleb Natapov <gleb@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kvm/locore.S | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/arch/mips/kvm/locore.S
++++ b/arch/mips/kvm/locore.S
+@@ -165,9 +165,11 @@ FEXPORT(__kvm_mips_vcpu_run)
+
+ FEXPORT(__kvm_mips_load_asid)
+ /* Set the ASID for the Guest Kernel */
+- INT_SLL t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */
+- /* addresses shift to 0x80000000 */
+- bltz t0, 1f /* If kernel */
++ PTR_L t0, VCPU_COP0(k1)
++ LONG_L t0, COP0_STATUS(t0)
++ andi t0, KSU_USER | ST0_ERL | ST0_EXL
++ xori t0, KSU_USER
++ bnez t0, 1f /* If kernel */
+ INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */
+ INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID /* else user */
+ 1:
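Review bot: The five-instruction test that replaces the PC-bit check is not self-explanatory, and the only comment left on it is `/* If kernel */`. I would put a comment above it: `/* user mode only if KSU == user and ERL == EXL == 0; the supervisor bit is ignored because the guest does not implement supervisor mode */` (the reasoning is taken from the commit message). The same sequence is repeated in the __kvm_mips_return_to_guest hunk; a shared assembler macro would keep the two copies from diverging, since a mismatch would select the wrong guest ASID. Both routines continue outside their hunks.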
+@@ -482,9 +484,11 @@ __kvm_mips_return_to_guest:
+ mtc0 t0, CP0_EPC
+
+ /* Set the ASID for the Guest Kernel */
+- INT_SLL t0, t0, 1 /* with kseg0 @ 0x40000000, kernel */
+- /* addresses shift to 0x80000000 */
+- bltz t0, 1f /* If kernel */
++ PTR_L t0, VCPU_COP0(k1)
++ LONG_L t0, COP0_STATUS(t0)
++ andi t0, KSU_USER | ST0_ERL | ST0_EXL
++ xori t0, KSU_USER
++ bnez t0, 1f /* If kernel */
+ INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID /* (BD) */
+ INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID /* else user */
+ 1:
--- /dev/null
+From c5c2a3b998f1ff5a586f9d37e154070b8d550d17 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Wed, 11 Nov 2015 14:21:19 +0000
+Subject: MIPS: KVM: Fix CACHE immediate offset sign extension
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit c5c2a3b998f1ff5a586f9d37e154070b8d550d17 upstream.
+
+The immediate field of the CACHE instruction is signed, so ensure that
+it gets sign extended by casting it to an int16_t rather than just
+masking the low 16 bits.
+
+Fixes: e685c689f3a8 ("KVM/MIPS32: Privileged instruction/target branch emulation.")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Gleb Natapov <gleb@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kvm/emulate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kvm/emulate.c
++++ b/arch/mips/kvm/emulate.c
+@@ -1581,7 +1581,7 @@ enum emulation_result kvm_mips_emulate_c
+
+ base = (inst >> 21) & 0x1f;
+ op_inst = (inst >> 16) & 0x1f;
+- offset = inst & 0xffff;
++ offset = (int16_t)inst;
+ cache = (inst >> 16) & 0x3;
+ op = (inst >> 18) & 0x7;
+
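Review bot: `offset = (int16_t)inst;` sign-extends only if `offset` is itself a signed type at least as wide as int; its declaration is outside this hunk and should be checked. The cast also hides the field extraction that the neighbouring lines spell out with shifts and masks, so a short comment helps: `/* CACHE immediate is a signed 16-bit field */`. The value presumably feeds the guest address computation further down in kvm_mips_emulate_cache, where a wrong sign would select a different address.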
--- /dev/null
+From 585bb8f9a5e592f2ce7abbe5ed3112d5438d2754 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Wed, 11 Nov 2015 14:21:20 +0000
+Subject: MIPS: KVM: Uninit VCPU in vcpu_create error path
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 585bb8f9a5e592f2ce7abbe5ed3112d5438d2754 upstream.
+
+If either of the memory allocations in kvm_arch_vcpu_create() fail, the
+vcpu which has been allocated and kvm_vcpu_init'd doesn't get uninit'd
+in the error handling path. Add a call to kvm_vcpu_uninit() to fix this.
+
+Fixes: 669e846e6c4e ("KVM/MIPS32: MIPS arch specific APIs for KVM")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Gleb Natapov <gleb@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kvm/mips.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/kvm/mips.c
++++ b/arch/mips/kvm/mips.c
+@@ -277,7 +277,7 @@ struct kvm_vcpu *kvm_arch_vcpu_create(st
+
+ if (!gebase) {
+ err = -ENOMEM;
+- goto out_free_cpu;
++ goto out_uninit_cpu;
+ }
+ kvm_debug("Allocated %d bytes for KVM Exception Handlers @ %p\n",
+ ALIGN(size, PAGE_SIZE), gebase);
+@@ -341,6 +341,9 @@ struct kvm_vcpu *kvm_arch_vcpu_create(st
+ out_free_gebase:
+ kfree(gebase);
+
++out_uninit_cpu:
++ kvm_vcpu_uninit(vcpu);
++
+ out_free_cpu:
+ kfree(vcpu);
+
--- /dev/null
+From 4e7d30dba493b60a80e9b590add1b4402265cc83 Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Sun, 25 Oct 2015 23:21:42 +0100
+Subject: MIPS: lantiq: add clk_round_rate()
+
+From: Hauke Mehrtens <hauke@hauke-m.de>
+
+commit 4e7d30dba493b60a80e9b590add1b4402265cc83 upstream.
+
+This adds a basic implementation of clk_round_rate()
+The clk_round_rate() function is called by multiple drivers and
+subsystems now and the lantiq clk driver is supposed to export this,
+but doesn't do so, this causes linking problems like this one:
+ERROR: "clk_round_rate" [drivers/media/v4l2-core/videodev.ko] undefined!
+
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Acked-by: John Crispin <blogic@openwrt.org>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/11358/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/lantiq/clk.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/arch/mips/lantiq/clk.c
++++ b/arch/mips/lantiq/clk.c
+@@ -99,6 +99,23 @@ int clk_set_rate(struct clk *clk, unsign
+ }
+ EXPORT_SYMBOL(clk_set_rate);
+
++long clk_round_rate(struct clk *clk, unsigned long rate)
++{
++ if (unlikely(!clk_good(clk)))
++ return 0;
++ if (clk->rates && *clk->rates) {
++ unsigned long *r = clk->rates;
++
++ while (*r && (*r != rate))
++ r++;
++ if (!*r) {
++ return clk->rate;
++ }
++ }
++ return rate;
++}
++EXPORT_SYMBOL(clk_round_rate);
++
+ int clk_enable(struct clk *clk)
+ {
+ if (unlikely(!clk_good(clk)))
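Review bot: clk_round_rate() does not round: a rate that is missing from `clk->rates` yields the current `clk->rate`, and a clock without a table accepts any rate unchanged. That is a legitimate minimal implementation, but it needs a header comment saying so, and saying that an invalid clk returns 0 rather than a negative error. The return type is `long` while `rate` and `clk->rate` are `unsigned long`, so a value above LONG_MAX would come back negative and look like an error to callers; presumably unreachable for real clock rates. As a style point, kernel coding style drops the braces around the single `return clk->rate;`.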
--- /dev/null
+From 1f9c6e1bc1ba5f8a10fcd6e99d170954d7c6d382 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 21 Sep 2015 19:19:53 +0300
+Subject: mwifiex: fix mwifiex_rdeeprom_read()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 1f9c6e1bc1ba5f8a10fcd6e99d170954d7c6d382 upstream.
+
+There were several bugs here.
+
+1) The done label was in the wrong place so we didn't copy any
+ information out when there was no command given.
+
+2) We were using PAGE_SIZE as the size of the buffer instead of
+ "PAGE_SIZE - pos".
+
+3) snprintf() returns the number of characters that would have been
+ printed if there were enough space. If there was not enough space
+ (and we had fixed the memory corruption bug #2) then it would result
+ in an information leak when we do simple_read_from_buffer(). I've
+ changed it to use scnprintf() instead.
+
+I also removed the initialization at the start of the function, because
+I thought it made the code a little more clear.
+
+Fixes: 5e6e3a92b9a4 ('wireless: mwifiex: initial commit for Marvell mwifiex driver')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Amitkumar Karwar <akarwar@marvell.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/debugfs.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/debugfs.c
++++ b/drivers/net/wireless/mwifiex/debugfs.c
+@@ -593,7 +593,7 @@ mwifiex_rdeeprom_read(struct file *file,
+ (struct mwifiex_private *) file->private_data;
+ unsigned long addr = get_zeroed_page(GFP_KERNEL);
+ char *buf = (char *) addr;
+- int pos = 0, ret = 0, i;
++ int pos, ret, i;
+ u8 value[MAX_EEPROM_DATA];
+
+ if (!buf)
+@@ -601,7 +601,7 @@ mwifiex_rdeeprom_read(struct file *file,
+
+ if (saved_offset == -1) {
+ /* No command has been given */
+- pos += snprintf(buf, PAGE_SIZE, "0");
++ pos = snprintf(buf, PAGE_SIZE, "0");
+ goto done;
+ }
+
+@@ -610,17 +610,17 @@ mwifiex_rdeeprom_read(struct file *file,
+ (u16) saved_bytes, value);
+ if (ret) {
+ ret = -EINVAL;
+- goto done;
++ goto out_free;
+ }
+
+- pos += snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes);
++ pos = snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes);
+
+ for (i = 0; i < saved_bytes; i++)
+- pos += snprintf(buf + strlen(buf), PAGE_SIZE, "%d ", value[i]);
+-
+- ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
++ pos += scnprintf(buf + pos, PAGE_SIZE - pos, "%d ", value[i]);
+
+ done:
++ ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
++out_free:
+ free_page(addr);
+ return ret;
+ }
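Review bot: The loop bound is still `saved_bytes`, while `value` is a fixed array of MAX_EEPROM_DATA bytes declared in the first hunk. saved_bytes is set outside the visible hunks; unless it is clamped there, `value[i]` reads past the array and copies kernel stack contents into the page that is then handed to user space. I would bound the loop, `for (i = 0; i < saved_bytes && i < MAX_EEPROM_DATA; i++)`, or reject an oversized count where it is parsed. The two remaining `pos = snprintf(buf, PAGE_SIZE, ...)` calls are safe only because their output is short; using scnprintf() there as well would keep `pos` trustworthy by construction.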
--- /dev/null
+From 2502d0ef272da7058ef303b849a2c8dc324c2e2e Mon Sep 17 00:00:00 2001
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+Date: Fri, 25 Sep 2015 18:09:35 +0200
+Subject: net: mvneta: Fix CPU_MAP registers initialisation
+
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+
+commit 2502d0ef272da7058ef303b849a2c8dc324c2e2e upstream.
+
+The CPU_MAP register is duplicated for each CPUs at different addresses,
+each instance being at a different address.
+
+However, the code so far was using CONFIG_NR_CPUS to initialise the CPU_MAP
+registers for each registers, while the SoCs embed at most 4 CPUs.
+
+This is especially an issue with multi_v7_defconfig, where CONFIG_NR_CPUS
+is currently set to 16, resulting in writes to registers that are not
+CPU_MAP.
+
+Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP network unit")
+Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/marvell/mvneta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -949,7 +949,7 @@ static void mvneta_defaults_set(struct m
+ /* Set CPU queue access map - all CPUs have access to all RX
+ * queues and to all TX queues
+ */
+- for (cpu = 0; cpu < CONFIG_NR_CPUS; cpu++)
++ for_each_present_cpu(cpu)
+ mvreg_write(pp, MVNETA_CPU_MAP(cpu),
+ (MVNETA_CPU_RXQ_ACCESS_ALL_MASK |
+ MVNETA_CPU_TXQ_ACCESS_ALL_MASK));
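Review bot: `for_each_present_cpu(cpu)` ties the number of MVNETA_CPU_MAP writes to the CPUs the kernel reports rather than to the number of CPU_MAP registers the controller actually has. The commit message gives the hardware limit as at most 4 CPUs; an explicit cap expressed as a named constant would make the register-range bound independent of platform topology. If the present mask is guaranteed never to exceed the hardware count on every SoC using this driver, a comment stating that next to the loop would be enough. mvneta_defaults_set continues outside the hunk.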
--- /dev/null
+From e65917b6d54f8b47d8293ea96adfa604fd46cf0d Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Sun, 25 Oct 2015 22:54:22 +0100
+Subject: NFC: nci: extract pipe value using NCI_HCP_MSG_GET_PIPE
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit e65917b6d54f8b47d8293ea96adfa604fd46cf0d upstream.
+
+When receiving data in nci_hci_msg_rx_work, extract pipe
+value using NCI_HCP_MSG_GET_PIPE macro.
+
+Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/nci/hci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -402,7 +402,7 @@ static void nci_hci_msg_rx_work(struct w
+ u8 pipe, type, instruction;
+
+ while ((skb = skb_dequeue(&hdev->msg_rx_queue)) != NULL) {
+- pipe = skb->data[0];
++ pipe = NCI_HCP_MSG_GET_PIPE(skb->data[0]);
+ skb_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN);
+ message = (struct nci_hcp_message *)skb->data;
+ type = NCI_HCP_MSG_GET_TYPE(message->header);
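Review bot: `skb->data[0]` is read, the packet header is pulled and `message->header` is dereferenced with no length check visible in this hunk. The frames come from the NFC controller, so a dequeued skb shorter than the packet and message headers would be read out of bounds. Unless a check exists where the skb is queued (outside the hunk), I would add one at the top of the loop: `if (skb->len < NCI_HCI_HCP_PACKET_HEADER_LEN + NCI_HCI_HCP_MESSAGE_HEADER_LEN) { kfree_skb(skb); continue; }`. The loop body continues outside the hunk.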
+@@ -439,7 +439,7 @@ void nci_hci_data_received_cb(void *cont
+
+ /* it's the last fragment. Does it need re-aggregation? */
+ if (skb_queue_len(&ndev->hci_dev->rx_hcp_frags)) {
+- pipe = packet->header & NCI_HCI_FRAGMENT;
++ pipe = NCI_HCP_MSG_GET_PIPE(packet->header);
+ skb_queue_tail(&ndev->hci_dev->rx_hcp_frags, skb);
+
+ msg_len = 0;
--- /dev/null
+From d8cd37ed2fc871c66b4c79c59f651dc2cdf7091c Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Sun, 25 Oct 2015 22:54:21 +0100
+Subject: NFC: nci: Fix improper management of HCI return code
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit d8cd37ed2fc871c66b4c79c59f651dc2cdf7091c upstream.
+
+When sending HCI data over NCI, HCI return code is part
+of the NCI data. In order to get correctly the HCI return
+code, we assume the NCI communication is successful and
+extract the return code for the nci_hci functions return code.
+
+This is done because nci_to_errno does not match hci return
+code value.
+
+Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/nci/hci.c | 64 ++++++++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 48 insertions(+), 16 deletions(-)
+
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -101,6 +101,20 @@ struct nci_hcp_packet {
+ #define NCI_HCP_MSG_GET_CMD(header) (header & 0x3f)
+ #define NCI_HCP_MSG_GET_PIPE(header) (header & 0x7f)
+
++static int nci_hci_result_to_errno(u8 result)
++{
++ switch (result) {
++ case NCI_HCI_ANY_OK:
++ return 0;
++ case NCI_HCI_ANY_E_REG_PAR_UNKNOWN:
++ return -EOPNOTSUPP;
++ case NCI_HCI_ANY_E_TIMEOUT:
++ return -ETIME;
++ default:
++ return -1;
++ }
++}
++
+ /* HCI core */
+ static void nci_hci_reset_pipes(struct nci_hci_dev *hdev)
+ {
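Review bot: The `default:` arm of nci_hci_result_to_errno() returns a bare `-1`, which callers that treat the result as an errno will read as -EPERM. Every other arm uses a named code; I would return one here too, for example `return -EIO;`, or document why -1 is intended. A one-line comment above the function stating that it maps an HCI response code to a negative errno would also help, since nci_hci_send_cmd() now appears to return a mix of nci_request() results and these errno values.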
+@@ -218,7 +232,8 @@ int nci_hci_send_cmd(struct nci_dev *nde
+ const u8 *param, size_t param_len,
+ struct sk_buff **skb)
+ {
+- struct nci_conn_info *conn_info;
++ struct nci_hcp_message *message;
++ struct nci_conn_info *conn_info;
+ struct nci_data data;
+ int r;
+ u8 pipe = ndev->hci_dev->gate2pipe[gate];
+@@ -238,9 +253,15 @@ int nci_hci_send_cmd(struct nci_dev *nde
+
+ r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data,
+ msecs_to_jiffies(NCI_DATA_TIMEOUT));
++ if (r == NCI_STATUS_OK) {
++ message = (struct nci_hcp_message *)conn_info->rx_skb->data;
++ r = nci_hci_result_to_errno(
++ NCI_HCP_MSG_GET_CMD(message->header));
++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN);
+
+- if (r == NCI_STATUS_OK && skb)
+- *skb = conn_info->rx_skb;
++ if (!r && skb)
++ *skb = conn_info->rx_skb;
++ }
+
+ return r;
+ }
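Review bot: The new block casts `conn_info->rx_skb->data` and pulls NCI_HCI_HCP_MESSAGE_HEADER_LEN bytes as soon as nci_request() returns NCI_STATUS_OK, without checking that a response buffer was stored or that it holds a full message header. The buffer content originates from the NFC controller, and nci_hci_resp_received() in this same patch now completes the request with NCI_STATUS_OK even on its reject path, so the status alone no longer shows that rx_skb belongs to this request. A guard before the cast, e.g. `if (!conn_info->rx_skb || conn_info->rx_skb->len < NCI_HCI_HCP_MESSAGE_HEADER_LEN) return -EPROTO;`, would cover both cases. The same three statements are repeated in nci_hci_set_param() and nci_hci_get_param() and need the same check or one shared helper; in nci_hci_set_param() the error path must still reach `kfree(tmp)`. nci_hci_send_cmd() begins outside this hunk.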
+@@ -334,9 +355,6 @@ static void nci_hci_resp_received(struct
+ struct nci_conn_info *conn_info;
+ u8 status = result;
+
+- if (result != NCI_HCI_ANY_OK)
+- goto exit;
+-
+ conn_info = ndev->hci_dev->conn_info;
+ if (!conn_info) {
+ status = NCI_STATUS_REJECTED;
+@@ -346,7 +364,7 @@ static void nci_hci_resp_received(struct
+ conn_info->rx_skb = skb;
+
+ exit:
+- nci_req_complete(ndev, status);
++ nci_req_complete(ndev, NCI_STATUS_OK);
+ }
+
+ /* Receive hcp message for pipe, with type and cmd.
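Review bot: `status` is still set to NCI_STATUS_REJECTED when `conn_info` is NULL, but the completion now passes the constant NCI_STATUS_OK, so the variable is dead and the reject path is reported to the waiter as success. The waiting nci_hci_* function then goes on to read `conn_info->rx_skb`, which this call never stored. If the aim is only to stop feeding the HCI result through the NCI status, declaring `u8 status = NCI_STATUS_OK;` and keeping `nci_req_complete(ndev, status);` would preserve the rejection. The removed early exit is in the previous hunk, and the function's signature is cut off by the hunk header.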
+@@ -401,7 +419,7 @@ void nci_hci_data_received_cb(void *cont
+ {
+ struct nci_dev *ndev = (struct nci_dev *)context;
+ struct nci_hcp_packet *packet;
+- u8 pipe, type, instruction;
++ u8 pipe, type;
+ struct sk_buff *hcp_skb;
+ struct sk_buff *frag_skb;
+ int msg_len;
+@@ -440,7 +458,7 @@ void nci_hci_data_received_cb(void *cont
+ *skb_put(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN) = pipe;
+
+ skb_queue_walk(&ndev->hci_dev->rx_hcp_frags, frag_skb) {
+- msg_len = frag_skb->len - NCI_HCI_HCP_PACKET_HEADER_LEN;
++ msg_len = frag_skb->len - NCI_HCI_HCP_PACKET_HEADER_LEN;
+ memcpy(skb_put(hcp_skb, msg_len), frag_skb->data +
+ NCI_HCI_HCP_PACKET_HEADER_LEN, msg_len);
+ }
+@@ -458,11 +476,10 @@ void nci_hci_data_received_cb(void *cont
+ packet = (struct nci_hcp_packet *)hcp_skb->data;
+ type = NCI_HCP_MSG_GET_TYPE(packet->message.header);
+ if (type == NCI_HCI_HCP_RESPONSE) {
+- pipe = packet->header;
+- instruction = NCI_HCP_MSG_GET_CMD(packet->message.header);
+- skb_pull(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN +
+- NCI_HCI_HCP_MESSAGE_HEADER_LEN);
+- nci_hci_hcp_message_rx(ndev, pipe, type, instruction, hcp_skb);
++ pipe = NCI_HCP_MSG_GET_PIPE(packet->header);
++ skb_pull(hcp_skb, NCI_HCI_HCP_PACKET_HEADER_LEN);
++ nci_hci_hcp_message_rx(ndev, pipe, type,
++ NCI_STATUS_OK, hcp_skb);
+ } else {
+ skb_queue_tail(&ndev->hci_dev->msg_rx_queue, hcp_skb);
+ schedule_work(&ndev->hci_dev->msg_rx_work);
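Review bot: The fourth argument of nci_hci_hcp_message_rx() used to carry the instruction taken from the message header and now carries the NCI constant NCI_STATUS_OK, while the real HCI result stays in `hcp_skb` for the callers to parse, and nothing at the call site says so. A comment on the call, e.g. `/* HCI result stays in the message header; callers map it with nci_hci_result_to_errno() */`, would make the changed contract visible to anyone reading the receive path. It also matters that only NCI_HCI_HCP_PACKET_HEADER_LEN is pulled here, because the callers depend on the message header still being at `skb->data`. nci_hci_data_received_cb() starts and ends outside this hunk.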
+@@ -494,6 +511,7 @@ EXPORT_SYMBOL(nci_hci_open_pipe);
+ int nci_hci_set_param(struct nci_dev *ndev, u8 gate, u8 idx,
+ const u8 *param, size_t param_len)
+ {
++ struct nci_hcp_message *message;
+ struct nci_conn_info *conn_info;
+ struct nci_data data;
+ int r;
+@@ -526,6 +544,12 @@ int nci_hci_set_param(struct nci_dev *nd
+ r = nci_request(ndev, nci_hci_send_data_req,
+ (unsigned long)&data,
+ msecs_to_jiffies(NCI_DATA_TIMEOUT));
++ if (r == NCI_STATUS_OK) {
++ message = (struct nci_hcp_message *)conn_info->rx_skb->data;
++ r = nci_hci_result_to_errno(
++ NCI_HCP_MSG_GET_CMD(message->header));
++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN);
++ }
+
+ kfree(tmp);
+ return r;
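Review bot: Nothing in the visible lines releases `conn_info->rx_skb` on this path: nci_hci_set_param() has no skb out-parameter, so after the result is read and the header pulled the response buffer is neither handed to a caller nor freed before `return r`. If no other path owns that buffer (not visible from this hunk), every call would leak one skb, and a `kfree_skb(conn_info->rx_skb);` once the result has been extracted would release it. The same question applies to nci_hci_send_cmd() and nci_hci_get_param() when the mapped result is non-zero or `skb` is NULL. The function body starts outside the hunk.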
+@@ -535,6 +559,7 @@ EXPORT_SYMBOL(nci_hci_set_param);
+ int nci_hci_get_param(struct nci_dev *ndev, u8 gate, u8 idx,
+ struct sk_buff **skb)
+ {
++ struct nci_hcp_message *message;
+ struct nci_conn_info *conn_info;
+ struct nci_data data;
+ int r;
+@@ -559,8 +584,15 @@ int nci_hci_get_param(struct nci_dev *nd
+ r = nci_request(ndev, nci_hci_send_data_req, (unsigned long)&data,
+ msecs_to_jiffies(NCI_DATA_TIMEOUT));
+
+- if (r == NCI_STATUS_OK)
+- *skb = conn_info->rx_skb;
++ if (r == NCI_STATUS_OK) {
++ message = (struct nci_hcp_message *)conn_info->rx_skb->data;
++ r = nci_hci_result_to_errno(
++ NCI_HCP_MSG_GET_CMD(message->header));
++ skb_pull(conn_info->rx_skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN);
++
++ if (!r && skb)
++ *skb = conn_info->rx_skb;
++ }
+
+ return r;
+ }
--- /dev/null
+From 500c4ef02277eaadbfe20537f963b6221f6ac007 Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Sun, 25 Oct 2015 22:54:20 +0100
+Subject: NFC: nci: Fix incorrect data chaining when sending data
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit 500c4ef02277eaadbfe20537f963b6221f6ac007 upstream.
+
+When sending HCI data over NCI, cmd information should be
+present only on the first packet.
+Each packet shall be specifically allocated and sent to the
+NCI layer.
+
+Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/nci/hci.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -146,18 +146,18 @@ static int nci_hci_send_data(struct nci_
+ if (!conn_info)
+ return -EPROTO;
+
+- skb = nci_skb_alloc(ndev, 2 + conn_info->max_pkt_payload_len +
++ i = 0;
++ skb = nci_skb_alloc(ndev, conn_info->max_pkt_payload_len +
+ NCI_DATA_HDR_SIZE, GFP_KERNEL);
+ if (!skb)
+ return -ENOMEM;
+
+- skb_reserve(skb, 2 + NCI_DATA_HDR_SIZE);
++ skb_reserve(skb, NCI_DATA_HDR_SIZE + 2);
+ *skb_push(skb, 1) = data_type;
+
+- i = 0;
+- len = conn_info->max_pkt_payload_len;
+-
+ do {
++ len = conn_info->max_pkt_payload_len;
++
+ /* If last packet add NCI_HFP_NO_CHAINING */
+ if (i + conn_info->max_pkt_payload_len -
+ (skb->len + 1) >= data_len) {
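Review bot: The first allocation drops the `2 +` while `skb_reserve(skb, NCI_DATA_HDR_SIZE + 2)` still sets two bytes aside, so unless nci_skb_alloc() adds slack of its own the first packet's tailroom is `max_pkt_payload_len - 2`. Whether the copy inside the loop stays within that depends on lines outside this hunk and should be confirmed. The bare `2` here and the `1` used for the follow-on packets in the next hunk appear to be the HCP packet and message header sizes, for which this file already has NCI_HCI_HCP_PACKET_HEADER_LEN and NCI_HCI_HCP_MESSAGE_HEADER_LEN. Writing `skb_reserve(skb, NCI_DATA_HDR_SIZE + NCI_HCI_HCP_PACKET_HEADER_LEN + NCI_HCI_HCP_MESSAGE_HEADER_LEN);` would make the difference between the first and the chained packets self-explanatory.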
+@@ -177,9 +177,15 @@ static int nci_hci_send_data(struct nci_
+ return r;
+
+ i += len;
++
+ if (i < data_len) {
+- skb_trim(skb, 0);
+- skb_pull(skb, len);
++ skb = nci_skb_alloc(ndev,
++ conn_info->max_pkt_payload_len +
++ NCI_DATA_HDR_SIZE, GFP_KERNEL);
++ if (!skb)
++ return -ENOMEM;
++
++ skb_reserve(skb, NCI_DATA_HDR_SIZE + 1);
+ }
+ } while (i < data_len);
+
--- /dev/null
+From 4baf6bea37247e59f1971e8009d13aeda95edba2 Mon Sep 17 00:00:00 2001
+From: Ola Olsson <ola1olsson@gmail.com>
+Date: Thu, 29 Oct 2015 07:04:58 +0100
+Subject: nl80211: Fix potential memory leak from parse_acl_data
+
+From: Ola Olsson <ola1olsson@gmail.com>
+
+commit 4baf6bea37247e59f1971e8009d13aeda95edba2 upstream.
+
+If parse_acl_data succeeds but the subsequent parsing of smps
+attributes fails, there will be a memory leak due to early returns.
+Fix that by moving the ACL parsing later.
+
+Fixes: 18998c381b19b ("cfg80211: allow requesting SMPS mode on ap start")
+Signed-off-by: Ola Olsson <ola.olsson@sonymobile.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3407,12 +3407,6 @@ static int nl80211_start_ap(struct sk_bu
+ wdev->iftype))
+ return -EINVAL;
+
+- if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
+- params.acl = parse_acl_data(&rdev->wiphy, info);
+- if (IS_ERR(params.acl))
+- return PTR_ERR(params.acl);
+- }
+-
+ if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
+ params.smps_mode =
+ nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
+@@ -3436,6 +3430,12 @@ static int nl80211_start_ap(struct sk_bu
+ params.smps_mode = NL80211_SMPS_OFF;
+ }
+
++ if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
++ params.acl = parse_acl_data(&rdev->wiphy, info);
++ if (IS_ERR(params.acl))
++ return PTR_ERR(params.acl);
++ }
++
+ wdev_lock(wdev);
+ err = rdev_start_ap(rdev, dev, ¶ms);
+ if (!err) {
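Review bot: The fix depends on the ACL block being the last step that allocates before `rdev_start_ap()`, but the code does not record that constraint, so a later attribute check added below it with an early `return` would bring the leak back. A comment on the block, e.g. `/* parse ACL last: any early return after this point leaks params.acl */`, would state the ordering requirement where it matters. Where `params.acl` is freed is outside this hunk, as is the rest of nl80211_start_ap().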
arm-at91-pm-at91_pm_suspend_in_sram-must-be-8-byte-aligned.patch
arm-dts-fix-wlan-regression-on-omap5-uevm.patch
arm-pxa-remove-incorrect-__init-annotation-on-pxa27x_set_pwrmode.patch
+mips-lantiq-add-clk_round_rate.patch
+mips-kvm-fix-asid-restoration-logic.patch
+mips-kvm-fix-cache-immediate-offset-sign-extension.patch
+mips-kvm-uninit-vcpu-in-vcpu_create-error-path.patch
+kvm-x86-set-kvm_req_event-when-updating-irr.patch
+kvm-x86-work-around-infinite-loop-in-microcode-when-ac-is-delivered.patch
+x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch
+x86-setup-fix-low-identity-map-for-2gb-kernel-range.patch
+x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch
+x86-cpu-fix-smap-check-in-pvops-environments.patch
+mac80211-fix-local-deauth-while-associating.patch
+mac80211-fix-driver-rssi-event-calculations.patch
+mac80211-allow-null-chandef-in-tracing.patch
+mac80211-fix-divide-by-zero-when-noa-update.patch
+nl80211-fix-potential-memory-leak-from-parse_acl_data.patch
+nfc-nci-fix-incorrect-data-chaining-when-sending-data.patch
+nfc-nci-fix-improper-management-of-hci-return-code.patch
+nfc-nci-extract-pipe-value-using-nci_hcp_msg_get_pipe.patch
+iwlwifi-pcie-fix-again-prepare-card-flow.patch
+iwlwifi-add-new-pci-ids-for-the-8260-series.patch
+net-mvneta-fix-cpu_map-registers-initialisation.patch
+fs-proc-core-debug-don-t-expose-absolute-kernel-addresses-via-wchan.patch
+clk-versatile-icst-fix-memory-leak.patch
+mfd-twl6040-fix-deferred-probe-handling-for-clk32k.patch
+mwifiex-fix-mwifiex_rdeeprom_read.patch
+staging-rtl8712-add-device-id-for-sitecom-wla2100.patch
+bluetooth-hidp-fix-device-disconnect-on-idle-timeout.patch
+bluetooth-ath3k-add-new-ar3012-0930-021c-id.patch
+bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch
+bluetooth-fix-removing-connection-parameters-when-unpairing.patch
+can-use-correct-type-in-sizeof-in-nla_put.patch
+can-sja1000-clear-interrupts-on-start.patch
+arm64-fix-compat-register-mappings.patch
+arm64-page-align-sections-for-debug_rodata.patch
+ath10k-fix-invalid-nss-for-4x4-devices.patch
+kvm-s390-sca-must-not-cross-page-boundaries.patch
+kvm-s390-fix-wrong-lookup-of-vcpus-by-array-index.patch
+kvm-s390-avoid-memory-overwrites-on-emergency-signal-injection.patch
--- /dev/null
+From 1e6e63283691a2a9048a35d9c6c59cf0abd342e4 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Sun, 18 Oct 2015 22:14:48 -0500
+Subject: staging: rtl8712: Add device ID for Sitecom WLA2100
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 1e6e63283691a2a9048a35d9c6c59cf0abd342e4 upstream.
+
+This adds the USB ID for the Sitecom WLA2100. The Windows 10 inf file
+was checked to verify that the addition is correct.
+
+Reported-by: Frans van de Wiel <fvdw@fvdw.eu>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: Frans van de Wiel <fvdw@fvdw.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8712/usb_intf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/rtl8712/usb_intf.c
++++ b/drivers/staging/rtl8712/usb_intf.c
+@@ -144,6 +144,7 @@ static struct usb_device_id rtl871x_usb_
+ {USB_DEVICE(0x0DF6, 0x0058)},
+ {USB_DEVICE(0x0DF6, 0x0049)},
+ {USB_DEVICE(0x0DF6, 0x004C)},
++ {USB_DEVICE(0x0DF6, 0x006C)},
+ {USB_DEVICE(0x0DF6, 0x0064)},
+ /* Skyworth */
+ {USB_DEVICE(0x14b2, 0x3300)},
--- /dev/null
+From 04633df0c43d710e5f696b06539c100898678235 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Thu, 5 Nov 2015 16:57:56 +0100
+Subject: x86/cpu: Call verify_cpu() after having entered long mode too
+
+From: Borislav Petkov <bp@suse.de>
+
+commit 04633df0c43d710e5f696b06539c100898678235 upstream.
+
+When we get loaded by a 64-bit bootloader, kernel entry point is
+startup_64 in head_64.S. We don't trust any and all bootloaders because
+some will fiddle with CPU configuration so we go ahead and massage each
+CPU into sanity again.
+
+For example, some dell BIOSes have this XD disable feature which set
+IA32_MISC_ENABLE[34] and disable NX. This might be some dumb workaround
+for other OSes but Linux sure doesn't need it.
+
+A similar thing is present in the Surface 3 firmware - see
+https://bugzilla.kernel.org/show_bug.cgi?id=106051 - which sets this bit
+only on the BSP:
+
+ # rdmsr -a 0x1a0
+ 400850089
+ 850089
+ 850089
+ 850089
+
+I know, right?!
+
+There's not even an off switch in there.
+
+So fix all those cases by sanitizing the 64-bit entry point too. For
+that, make verify_cpu() callable in 64-bit mode also.
+
+Requested-and-debugged-by: "H. Peter Anvin" <hpa@zytor.com>
+Reported-and-tested-by: Bastien Nocera <bugzilla@hadess.net>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/1446739076-21303-1-git-send-email-bp@alien8.de
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/head_64.S | 8 ++++++++
+ arch/x86/kernel/verify_cpu.S | 12 +++++++-----
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kernel/head_64.S
++++ b/arch/x86/kernel/head_64.S
+@@ -65,6 +65,9 @@ startup_64:
+ * tables and then reload them.
+ */
+
++ /* Sanitize CPU configuration */
++ call verify_cpu
++
+ /*
+ * Compute the delta between the address I am compiled to run at and the
+ * address I am actually running at.
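Review bot: Both new `call verify_cpu` sites (this one and the one in secondary_startup_64 in the next hunk) discard the result, although verify_cpu signals failure by returning 1 in %eax on its verify_cpu_no_longmode path. If the call is made only for its side effect of undoing firmware settings such as the XD-disable bit described in the commit message, the comment should say so, e.g. `/* Sanitize CPU configuration; the result in %eax is deliberately ignored */`. The comment could also record that the routine executes cpuid, and so overwrites %eax through %edx, and that it needs a usable stack for the call and its pushf/popf. Neither is evident from the lines shown here.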
+@@ -174,6 +177,9 @@ ENTRY(secondary_startup_64)
+ * after the boot processor executes this code.
+ */
+
++ /* Sanitize CPU configuration */
++ call verify_cpu
++
+ movq $(init_level4_pgt - __START_KERNEL_map), %rax
+ 1:
+
+@@ -288,6 +294,8 @@ ENTRY(secondary_startup_64)
+ pushq %rax # target address in negative space
+ lretq
+
++#include "verify_cpu.S"
++
+ #ifdef CONFIG_HOTPLUG_CPU
+ /*
+ * Boot CPU0 entry point. It's called from play_dead(). Everything has been set
+--- a/arch/x86/kernel/verify_cpu.S
++++ b/arch/x86/kernel/verify_cpu.S
+@@ -34,10 +34,11 @@
+ #include <asm/msr-index.h>
+
+ verify_cpu:
+- pushfl # Save caller passed flags
+- pushl $0 # Kill any dangerous flags
+- popfl
++ pushf # Save caller passed flags
++ push $0 # Kill any dangerous flags
++ popf
+
++#ifndef __x86_64__
+ pushfl # standard way to check for cpuid
+ popl %eax
+ movl %eax,%ebx
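Review bot: The `#ifndef __x86_64__` opened here (its `#endif` is in the next hunk) has no comment explaining why the CPUID-presence probe is skipped on 64-bit builds. A short one on the directive, e.g. `#ifndef __x86_64__ /* pushfl/popl do not assemble in 64-bit code, and CPUID is always available in long mode */`, would stop a later reader from restoring the check. Since the file is now also pulled into head_64.S through `#include`, the file header (outside this hunk) would be a good place to state that it must assemble in both 32-bit and 64-bit contexts.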
+@@ -48,6 +49,7 @@ verify_cpu:
+ popl %eax
+ cmpl %eax,%ebx
+ jz verify_cpu_no_longmode # cpu has no cpuid
++#endif
+
+ movl $0x0,%eax # See if cpuid 1 is implemented
+ cpuid
+@@ -130,10 +132,10 @@ verify_cpu_sse_test:
+ jmp verify_cpu_sse_test # try again
+
+ verify_cpu_no_longmode:
+- popfl # Restore caller passed flags
++ popf # Restore caller passed flags
+ movl $1,%eax
+ ret
+ verify_cpu_sse_ok:
+- popfl # Restore caller passed flags
++ popf # Restore caller passed flags
+ xorl %eax, %eax
+ ret
--- /dev/null
+From 581b7f158fe0383b492acd1ce3fb4e99d4e57808 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Wed, 3 Jun 2015 10:31:14 +0100
+Subject: x86/cpu: Fix SMAP check in PVOPS environments
+
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+
+commit 581b7f158fe0383b492acd1ce3fb4e99d4e57808 upstream.
+
+There appears to be no formal statement of what pv_irq_ops.save_fl() is
+supposed to return precisely. Native returns the full flags, while lguest and
+Xen only return the Interrupt Flag, and both have comments by the
+implementations stating that only the Interrupt Flag is looked at. This may
+have been true when initially implemented, but no longer is.
+
+To make matters worse, the Xen PVOP leaves the upper bits undefined, making
+the BUG_ON() undefined behaviour. Experimentally, this now trips for 32bit PV
+guests on Broadwell hardware. The BUG_ON() is consistent for an individual
+build, but not consistent for all builds. It has also been a sitting timebomb
+since SMAP support was introduced.
+
+Use native_save_fl() instead, which will obtain an accurate view of the AC
+flag.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: David Vrabel <david.vrabel@citrix.com>
+Tested-by: Rusty Russell <rusty@rustcorp.com.au>
+Cc: Rusty Russell <rusty@rustcorp.com.au>
+Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: <lguest@lists.ozlabs.org>
+Cc: Xen-devel <xen-devel@lists.xen.org>
+Link: http://lkml.kernel.org/r/1433323874-6927-1-git-send-email-andrew.cooper3@citrix.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/common.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -291,10 +291,9 @@ __setup("nosmap", setup_disable_smap);
+
+ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
+ {
+- unsigned long eflags;
++ unsigned long eflags = native_save_fl();
+
+ /* This should have been cleared long ago */
+- raw_local_save_flags(eflags);
+ BUG_ON(eflags & X86_EFLAGS_AC);
+
+ if (cpu_has(c, X86_FEATURE_SMAP)) {
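Review bot: The switch to `native_save_fl()` is deliberate, but the code gives no reason for bypassing the paravirt flags accessor, so it reads like an oversight that a later cleanup could revert to `raw_local_save_flags()`. A comment on the declaration, e.g. `/* native_save_fl(): PV save_fl hooks may report only IF, leaving AC undefined */`, would carry the commit message's reasoning into the source next to the `BUG_ON()` that depends on it. setup_smap() continues past the end of this hunk.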
--- /dev/null
+From f5f3497cad8c8416a74b9aaceb127908755d020a Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 14 Oct 2015 13:30:45 +0200
+Subject: x86/setup: Extend low identity map to cover whole kernel range
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit f5f3497cad8c8416a74b9aaceb127908755d020a upstream.
+
+On 32-bit systems, the initial_page_table is reused by
+efi_call_phys_prolog as an identity map to call
+SetVirtualAddressMap. efi_call_phys_prolog takes care of
+converting the current CPU's GDT to a physical address too.
+
+For PAE kernels the identity mapping is achieved by aliasing the
+first PDPE for the kernel memory mapping into the first PDPE
+of initial_page_table. This makes the EFI stub's trick "just work".
+
+However, for non-PAE kernels there is no guarantee that the identity
+mapping in the initial_page_table extends as far as the GDT; in this
+case, accesses to the GDT will cause a page fault (which quickly becomes
+a triple fault). Fix this by copying the kernel mappings from
+swapper_pg_dir to initial_page_table twice, both at PAGE_OFFSET and at
+identity mapping.
+
+For some reason, this is only reproducible with QEMU's dynamic translation
+mode, and not for example with KVM. However, even under KVM one can clearly
+see that the page table is bogus:
+
+ $ qemu-system-i386 -pflash OVMF.fd -M q35 vmlinuz0 -s -S -daemonize
+ $ gdb
+ (gdb) target remote localhost:1234
+ (gdb) hb *0x02858f6f
+ Hardware assisted breakpoint 1 at 0x2858f6f
+ (gdb) c
+ Continuing.
+
+ Breakpoint 1, 0x02858f6f in ?? ()
+ (gdb) monitor info registers
+ ...
+ GDT= 0724e000 000000ff
+ IDT= fffbb000 000007ff
+ CR0=0005003b CR2=ff896000 CR3=032b7000 CR4=00000690
+ ...
+
+The page directory is sane:
+
+ (gdb) x/4wx 0x32b7000
+ 0x32b7000: 0x03398063 0x03399063 0x0339a063 0x0339b063
+ (gdb) x/4wx 0x3398000
+ 0x3398000: 0x00000163 0x00001163 0x00002163 0x00003163
+ (gdb) x/4wx 0x3399000
+ 0x3399000: 0x00400003 0x00401003 0x00402003 0x00403003
+
+but our particular page directory entry is empty:
+
+ (gdb) x/1wx 0x32b7000 + (0x724e000 >> 22) * 4
+ 0x32b7070: 0x00000000
+
+[ It appears that you can skate past this issue if you don't receive
+ any interrupts while the bogus GDT pointer is loaded, or if you avoid
+ reloading the segment registers in general.
+
+ Andy Lutomirski provides some additional insight:
+
+ "AFAICT it's entirely permissible for the GDTR and/or LDT
+ descriptor to point to unmapped memory. Any attempt to use them
+ (segment loads, interrupts, IRET, etc) will try to access that memory
+ as if the access came from CPL 0 and, if the access fails, will
+ generate a valid page fault with CR2 pointing into the GDT or
+ LDT."
+
+ Up until commit 23a0d4e8fa6d ("efi: Disable interrupts around EFI
+ calls, not in the epilog/prolog calls") interrupts were disabled
+ around the prolog and epilog calls, and the functional GDT was
+ re-installed before interrupts were re-enabled.
+
+ Which explains why no one has hit this issue until now. ]
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Reported-by: Laszlo Ersek <lersek@redhat.com>
+Cc: <stable@vger.kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: Matt Fleming <matt.fleming@intel.com>
+[ Updated changelog. ]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/setup.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1194,6 +1194,14 @@ void __init setup_arch(char **cmdline_p)
+ clone_pgd_range(initial_page_table + KERNEL_PGD_BOUNDARY,
+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
+ KERNEL_PGD_PTRS);
++
++ /*
++ * sync back low identity map too. It is used for example
++ * in the 32-bit EFI stub.
++ */
++ clone_pgd_range(initial_page_table,
++ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
++ KERNEL_PGD_PTRS);
+ #endif
+
+ tboot_probe();
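Review bot: The added `clone_pgd_range()` copies `KERNEL_PGD_PTRS` entries to the start of initial_page_table with no bound against `KERNEL_PGD_BOUNDARY`, so when the kernel range is larger than the range below it the copy runs into the kernel entries written by the call just above. The queue's follow-up, x86-setup-fix-low-identity-map-for-2gb-kernel-range.patch, clamps the count with `min(KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY)`. The two patches should therefore only be applied together, and this one should not be picked on its own. setup_arch() extends well beyond this hunk.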
--- /dev/null
+From 68accac392d859d24adcf1be3a90e41f978bd54c Mon Sep 17 00:00:00 2001
+From: Krzysztof Mazur <krzysiek@podlesie.net>
+Date: Fri, 6 Nov 2015 14:18:36 +0100
+Subject: x86/setup: Fix low identity map for >= 2GB kernel range
+
+From: Krzysztof Mazur <krzysiek@podlesie.net>
+
+commit 68accac392d859d24adcf1be3a90e41f978bd54c upstream.
+
+The commit f5f3497cad8c extended the low identity mapping. However, if
+the kernel uses more than 2 GB (VMSPLIT_2G_OPT or VMSPLIT_1G memory
+split), the normal memory mapping is overwritten by the low identity
+mapping causing a crash. To avoid overwriting, limit the low identity
+map to cover only memory before kernel range (PAGE_OFFSET).
+
+Fixes: f5f3497cad8c "x86/setup: Extend low identity map to cover whole kernel range
+Signed-off-by: Krzysztof Mazur <krzysiek@podlesie.net>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Matt Fleming <matt.fleming@intel.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Link: http://lkml.kernel.org/r/1446815916-22105-1-git-send-email-krzysiek@podlesie.net
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1201,7 +1201,7 @@ void __init setup_arch(char **cmdline_p)
+ */
+ clone_pgd_range(initial_page_table,
+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
+- KERNEL_PGD_PTRS);
++ min(KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
+ #endif
+
+ tboot_probe();
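Review bot: The comment above this call (its opening lines are outside the hunk) still only says that the low identity map is synced back and gives no reason for the clamp, so the `min()` can look redundant on configurations where `KERNEL_PGD_PTRS` is the smaller value. Adding a line to that comment, e.g. `* Copy at most KERNEL_PGD_BOUNDARY entries so the kernel mapping above is never overwritten.`, would document the invariant the commit message describes.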