--- /dev/null
+From fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 Mon Sep 17 00:00:00 2001
+From: Dave Carroll <david.carroll@microsemi.com>
+Date: Fri, 5 Aug 2016 13:44:10 -0600
+Subject: aacraid: Check size values after double-fetch from user
+
+From: Dave Carroll <david.carroll@microsemi.com>
+
+commit fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 upstream.
+
+In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
+get the fib header's size and one for the fib itself. Later we use the
+size field from the second fetch to further process the fib. If for some
+reason the size from the second fetch is different than from the first
+fix, we may encounter an out-of- bounds access in aac_fib_send(). We
+also check the sender size to insure it is not out of bounds. This was
+reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
+assigned CVE-2016-6480.
+
+Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
+Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
+Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/aacraid/commctrl.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/aacraid/commctrl.c
++++ b/drivers/scsi/aacraid/commctrl.c
+@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev
+ struct fib *fibptr;
+ struct hw_fib * hw_fib = (struct hw_fib *)0;
+ dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
+- unsigned size;
++ unsigned int size, osize;
+ int retval;
+
+ if (dev->in_reset) {
+@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev
+ * will not overrun the buffer when we copy the memory. Return
+ * an error if we would.
+ */
+- size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
++ osize = size = le16_to_cpu(kfib->header.Size) +
++ sizeof(struct aac_fibhdr);
+ if (size < le16_to_cpu(kfib->header.SenderSize))
+ size = le16_to_cpu(kfib->header.SenderSize);
+ if (size > dev->max_fib_size) {
+@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev
+ goto cleanup;
+ }
+
++ /* Sanity check the second copy */
++ if ((osize != le16_to_cpu(kfib->header.Size) +
++ sizeof(struct aac_fibhdr))
++ || (size < le16_to_cpu(kfib->header.SenderSize))) {
++ retval = -EINVAL;
++ goto cleanup;
++ }
++
+ if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
+ aac_adapter_interrupt(dev);
+ /*
--- /dev/null
+From 20d780374c81cf237834af2202c26df2100ddd69 Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Thu, 25 Feb 2016 22:04:38 +0530
+Subject: ARC: build: Better way to detect ISA compatible toolchain
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit 20d780374c81cf237834af2202c26df2100ddd69 upstream.
+
+ARC architecture has 2 instruction sets: ARCompact/ARCv2.
+While same gcc supports compiling for either (using appropriate toggles),
+we can't use the same toolchain to build kernel because libgcc needs
+to be unique and the toolchian (uClibc based) is not multilibed.
+
+uClibc toolchain is convenient since it allows all userspace and
+kernel to be built with a single install for an ISA.
+
+This however means 2 gnu installs (with same triplet prefix) are needed
+for building for 2 ISA and need to be in PATH.
+As developers we keep switching the builds, but would occassionally fail
+to update the PATH leading to usage of wrong tools. And this would only
+show up at the end of kernel build when linking incompatible libgcc.
+
+So the initial solution was to have gcc define a special preprocessor macro
+DEFAULT_CPU_xxx which is unique for default toolchain configuration.
+Claudiu proposed using grep for an existing preprocessor macro which is
+again uniquely defined per ISA.
+
+Cc: Michal Marek <mmarek@suse.cz>
+Suggested-by: Claudiu Zissulescu <claziss@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/Makefile | 14 ++++++++++++++
+ arch/arc/include/asm/arcregs.h | 6 ------
+ 2 files changed, 14 insertions(+), 6 deletions(-)
+
+--- a/arch/arc/Makefile
++++ b/arch/arc/Makefile
+@@ -18,6 +18,20 @@ cflags-y += -fno-common -pipe -fno-built
+ cflags-$(CONFIG_ISA_ARCOMPACT) += -mA7
+ cflags-$(CONFIG_ISA_ARCV2) += -mcpu=archs
+
++is_700 = $(shell $(CC) -dM -E - < /dev/null | grep -q "ARC700" && echo 1 || echo 0)
++
++ifdef CONFIG_ISA_ARCOMPACT
++ifeq ($(is_700), 0)
++ $(error Toolchain not configured for ARCompact builds)
++endif
++endif
++
++ifdef CONFIG_ISA_ARCV2
++ifeq ($(is_700), 1)
++ $(error Toolchain not configured for ARCv2 builds)
++endif
++endif
++
+ ifdef CONFIG_ARC_CURR_IN_REG
+ # For a global register defintion, make sure it gets passed to every file
+ # We had a customer reported bug where some code built in kernel was NOT using
+--- a/arch/arc/include/asm/arcregs.h
++++ b/arch/arc/include/asm/arcregs.h
+@@ -374,12 +374,6 @@ static inline int is_isa_arcompact(void)
+ return IS_ENABLED(CONFIG_ISA_ARCOMPACT);
+ }
+
+-#if defined(CONFIG_ISA_ARCOMPACT) && !defined(_CPU_DEFAULT_A7)
+-#error "Toolchain not configured for ARCompact builds"
+-#elif defined(CONFIG_ISA_ARCV2) && !defined(_CPU_DEFAULT_HS)
+-#error "Toolchain not configured for ARCv2 builds"
+-#endif
+-
+ #endif /* __ASEMBLY__ */
+
+ #endif /* _ASM_ARC_ARCREGS_H */
--- /dev/null
+From 18b43e89d295cc65151c505c643c98fb2c320e59 Mon Sep 17 00:00:00 2001
+From: Daniel Mentz <danielmentz@google.com>
+Date: Thu, 4 Aug 2016 17:56:53 -0700
+Subject: ARC: Call trace_hardirqs_on() before enabling irqs
+
+From: Daniel Mentz <danielmentz@google.com>
+
+commit 18b43e89d295cc65151c505c643c98fb2c320e59 upstream.
+
+trace_hardirqs_on_caller() in lockdep.c expects to be called before, not
+after interrupts are actually enabled.
+
+The following comment in kernel/locking/lockdep.c substantiates this
+claim:
+
+"
+/*
+ * We're enabling irqs and according to our state above irqs weren't
+ * already enabled, yet we find the hardware thinks they are in fact
+ * enabled.. someone messed up their IRQ state tracing.
+ */
+"
+
+An example can be found in include/linux/irqflags.h:
+
+ do { trace_hardirqs_on(); raw_local_irq_enable(); } while (0)
+
+Without this change, we hit the following DEBUG_LOCKS_WARN_ON.
+
+[ 7.760000] ------------[ cut here ]------------
+[ 7.760000] WARNING: CPU: 0 PID: 1 at kernel/locking/lockdep.c:2711 resume_user_mode_begin+0x48/0xf0
+[ 7.770000] DEBUG_LOCKS_WARN_ON(!irqs_disabled())
+[ 7.780000] Modules linked in:
+[ 7.780000] CPU: 0 PID: 1 Comm: init Not tainted 4.7.0-00003-gc668bb9-dirty #366
+[ 7.790000]
+[ 7.790000] Stack Trace:
+[ 7.790000] arc_unwind_core.constprop.1+0xa4/0x118
+[ 7.800000] warn_slowpath_fmt+0x72/0x158
+[ 7.800000] resume_user_mode_begin+0x48/0xf0
+[ 7.810000] ---[ end trace 6f6a7a8fae20d2f0 ]---
+
+Signed-off-by: Daniel Mentz <danielmentz@google.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/include/asm/irqflags-compact.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arc/include/asm/irqflags-compact.h
++++ b/arch/arc/include/asm/irqflags-compact.h
+@@ -188,10 +188,10 @@ static inline int arch_irqs_disabled(voi
+ .endm
+
+ .macro IRQ_ENABLE scratch
++ TRACE_ASM_IRQ_ENABLE
+ lr \scratch, [status32]
+ or \scratch, \scratch, (STATUS_E1_MASK | STATUS_E2_MASK)
+ flag \scratch
+- TRACE_ASM_IRQ_ENABLE
+ .endm
+
+ #endif /* __ASSEMBLY__ */
--- /dev/null
+From 45c3b08a117e2232fc8d7b9e849ead36386f4f96 Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Mon, 13 Jun 2016 16:38:27 +0200
+Subject: ARC: Elide redundant setup of DMA callbacks
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit 45c3b08a117e2232fc8d7b9e849ead36386f4f96 upstream.
+
+For resources shared by all cores such as SLC and IOC, only the master
+core needs to do any setups / enabling / disabling etc.
+
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/mm/cache.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/arc/mm/cache.c
++++ b/arch/arc/mm/cache.c
+@@ -914,6 +914,15 @@ void arc_cache_init(void)
+
+ printk(arc_cache_mumbojumbo(0, str, sizeof(str)));
+
++ /*
++ * Only master CPU needs to execute rest of function:
++ * - Assume SMP so all cores will have same cache config so
++ * any geomtry checks will be same for all
++ * - IOC setup / dma callbacks only need to be setup once
++ */
++ if (cpu)
++ return;
++
+ if (IS_ENABLED(CONFIG_ARC_HAS_ICACHE)) {
+ struct cpuinfo_arc_cache *ic = &cpuinfo_arc700[cpu].icache;
+
--- /dev/null
+From 86147e3cfa5e118b61e78f4f0bf29e920dcbd477 Mon Sep 17 00:00:00 2001
+From: Liav Rehana <liavr@mellanox.com>
+Date: Tue, 16 Aug 2016 10:55:35 +0300
+Subject: ARC: use correct offset in pt_regs for saving/restoring user mode r25
+
+From: Liav Rehana <liavr@mellanox.com>
+
+commit 86147e3cfa5e118b61e78f4f0bf29e920dcbd477 upstream.
+
+User mode callee regs are explicitly collected before signal delivery or
+breakpoint trap. r25 is special for kernel as it serves as task pointer,
+so user mode value is clobbered very early. It is saved in pt_regs where
+generally only scratch (aka caller saved) regs are saved.
+
+The code to access the corresponding pt_regs location had a subtle bug as
+it was using load/store with scaling of offset, whereas the offset was already
+byte wise correct. So fix this by replacing LD.AS with a standard LD
+
+Signed-off-by: Liav Rehana <liavr@mellanox.com>
+Reviewed-by: Alexey Brodkin <abrodkin@synopsys.com>
+[vgupta: rewrote title and commit log]
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/include/asm/entry.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arc/include/asm/entry.h
++++ b/arch/arc/include/asm/entry.h
+@@ -142,7 +142,7 @@
+
+ #ifdef CONFIG_ARC_CURR_IN_REG
+ ; Retrieve orig r25 and save it with rest of callee_regs
+- ld.as r12, [r12, PT_user_r25]
++ ld r12, [r12, PT_user_r25]
+ PUSH r12
+ #else
+ PUSH r25
+@@ -198,7 +198,7 @@
+
+ ; SP is back to start of pt_regs
+ #ifdef CONFIG_ARC_CURR_IN_REG
+- st.as r12, [sp, PT_user_r25]
++ st r12, [sp, PT_user_r25]
+ #endif
+ .endm
+
--- /dev/null
+From 78ec79bfd59e126e1cb394302bfa531a420b3ecd Mon Sep 17 00:00:00 2001
+From: Caesar Wang <wxt@rock-chips.com>
+Date: Wed, 27 Jul 2016 22:24:06 +0800
+Subject: arm64: dts: rockchip: add reset saradc node for rk3368 SoCs
+
+From: Caesar Wang <wxt@rock-chips.com>
+
+commit 78ec79bfd59e126e1cb394302bfa531a420b3ecd upstream.
+
+SARADC controller needs to be reset before programming it, otherwise
+it will not function properly.
+
+Signed-off-by: Caesar Wang <wxt@rock-chips.com>
+Acked-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/boot/dts/rockchip/rk3368.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3368.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3368.dtsi
+@@ -262,6 +262,8 @@
+ #io-channel-cells = <1>;
+ clocks = <&cru SCLK_SARADC>, <&cru PCLK_SARADC>;
+ clock-names = "saradc", "apb_pclk";
++ resets = <&cru SRST_SARADC>;
++ reset-names = "saradc-apb";
+ status = "disabled";
+ };
+
--- /dev/null
+From d2c609b834d62f1e91f1635a27dca29f7806d3d6 Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Mon, 15 Aug 2016 12:10:33 -0400
+Subject: btrfs: properly track when rescan worker is running
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit d2c609b834d62f1e91f1635a27dca29f7806d3d6 upstream.
+
+The qgroup_flags field is overloaded such that it reflects the on-disk
+status of qgroups and the runtime state. The BTRFS_QGROUP_STATUS_FLAG_RESCAN
+flag is used to indicate that a rescan operation is in progress, but if
+the file system is unmounted while a rescan is running, the rescan
+operation is paused. If the file system is then mounted read-only,
+the flag will still be present but the rescan operation will not have
+been resumed. When we go to umount, btrfs_qgroup_wait_for_completion
+will see the flag and interpret it to mean that the rescan worker is
+still running and will wait for a completion that will never come.
+
+This patch uses a separate flag to indicate when the worker is
+running. The locking and state surrounding the qgroup rescan worker
+needs a lot of attention beyond this patch but this is enough to
+avoid a hung umount.
+
+Signed-off-by; Jeff Mahoney <jeffm@suse.com>
+Reviewed-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Signed-off-by: Chris Mason <clm@fb.com>
+
+---
+ fs/btrfs/ctree.h | 1 +
+ fs/btrfs/disk-io.c | 1 +
+ fs/btrfs/qgroup.c | 9 ++++++++-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -1770,6 +1770,7 @@ struct btrfs_fs_info {
+ struct btrfs_workqueue *qgroup_rescan_workers;
+ struct completion qgroup_rescan_completion;
+ struct btrfs_work qgroup_rescan_work;
++ bool qgroup_rescan_running; /* protected by qgroup_rescan_lock */
+
+ /* filesystem state */
+ unsigned long fs_state;
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -2276,6 +2276,7 @@ static void btrfs_init_qgroup(struct btr
+ fs_info->quota_enabled = 0;
+ fs_info->pending_quota_state = 0;
+ fs_info->qgroup_ulist = NULL;
++ fs_info->qgroup_rescan_running = false;
+ mutex_init(&fs_info->qgroup_rescan_lock);
+ }
+
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -2283,6 +2283,10 @@ static void btrfs_qgroup_rescan_worker(s
+ int err = -ENOMEM;
+ int ret = 0;
+
++ mutex_lock(&fs_info->qgroup_rescan_lock);
++ fs_info->qgroup_rescan_running = true;
++ mutex_unlock(&fs_info->qgroup_rescan_lock);
++
+ path = btrfs_alloc_path();
+ if (!path)
+ goto out;
+@@ -2349,6 +2353,9 @@ out:
+ }
+
+ done:
++ mutex_lock(&fs_info->qgroup_rescan_lock);
++ fs_info->qgroup_rescan_running = false;
++ mutex_unlock(&fs_info->qgroup_rescan_lock);
+ complete_all(&fs_info->qgroup_rescan_completion);
+ }
+
+@@ -2475,7 +2482,7 @@ int btrfs_qgroup_wait_for_completion(str
+
+ mutex_lock(&fs_info->qgroup_rescan_lock);
+ spin_lock(&fs_info->qgroup_lock);
+- running = fs_info->qgroup_flags & BTRFS_QGROUP_STATUS_FLAG_RESCAN;
++ running = fs_info->qgroup_rescan_running;
+ spin_unlock(&fs_info->qgroup_lock);
+ mutex_unlock(&fs_info->qgroup_rescan_lock);
+
--- /dev/null
+From d06f23d6a947c9abae41dc46be69a56baf36f436 Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Mon, 8 Aug 2016 22:08:06 -0400
+Subject: btrfs: waiting on qgroup rescan should not always be interruptible
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit d06f23d6a947c9abae41dc46be69a56baf36f436 upstream.
+
+We wait on qgroup rescan completion in three places: file system
+shutdown, the quota disable ioctl, and the rescan wait ioctl. If the
+user sends a signal while we're waiting, we continue happily along. This
+is expected behavior for the rescan wait ioctl. It's racy in the shutdown
+path but mostly works due to other unrelated synchronization points.
+In the quota disable path, it Oopses the kernel pretty much immediately.
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/disk-io.c | 2 +-
+ fs/btrfs/ioctl.c | 2 +-
+ fs/btrfs/qgroup.c | 12 +++++++++---
+ fs/btrfs/qgroup.h | 3 ++-
+ 4 files changed, 13 insertions(+), 6 deletions(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -3811,7 +3811,7 @@ void close_ctree(struct btrfs_root *root
+ smp_mb();
+
+ /* wait for the qgroup rescan worker to stop */
+- btrfs_qgroup_wait_for_completion(fs_info);
++ btrfs_qgroup_wait_for_completion(fs_info, false);
+
+ /* wait for the uuid_scan task to finish */
+ down(&fs_info->uuid_tree_rescan_sem);
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -5121,7 +5121,7 @@ static long btrfs_ioctl_quota_rescan_wai
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
+- return btrfs_qgroup_wait_for_completion(root->fs_info);
++ return btrfs_qgroup_wait_for_completion(root->fs_info, true);
+ }
+
+ static long _btrfs_ioctl_set_received_subvol(struct file *file,
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -995,7 +995,7 @@ int btrfs_quota_disable(struct btrfs_tra
+ goto out;
+ fs_info->quota_enabled = 0;
+ fs_info->pending_quota_state = 0;
+- btrfs_qgroup_wait_for_completion(fs_info);
++ btrfs_qgroup_wait_for_completion(fs_info, false);
+ spin_lock(&fs_info->qgroup_lock);
+ quota_root = fs_info->quota_root;
+ fs_info->quota_root = NULL;
+@@ -2467,7 +2467,8 @@ btrfs_qgroup_rescan(struct btrfs_fs_info
+ return 0;
+ }
+
+-int btrfs_qgroup_wait_for_completion(struct btrfs_fs_info *fs_info)
++int btrfs_qgroup_wait_for_completion(struct btrfs_fs_info *fs_info,
++ bool interruptible)
+ {
+ int running;
+ int ret = 0;
+@@ -2478,9 +2479,14 @@ int btrfs_qgroup_wait_for_completion(str
+ spin_unlock(&fs_info->qgroup_lock);
+ mutex_unlock(&fs_info->qgroup_rescan_lock);
+
+- if (running)
++ if (!running)
++ return 0;
++
++ if (interruptible)
+ ret = wait_for_completion_interruptible(
+ &fs_info->qgroup_rescan_completion);
++ else
++ wait_for_completion(&fs_info->qgroup_rescan_completion);
+
+ return ret;
+ }
+--- a/fs/btrfs/qgroup.h
++++ b/fs/btrfs/qgroup.h
+@@ -46,7 +46,8 @@ int btrfs_quota_disable(struct btrfs_tra
+ struct btrfs_fs_info *fs_info);
+ int btrfs_qgroup_rescan(struct btrfs_fs_info *fs_info);
+ void btrfs_qgroup_rescan_resume(struct btrfs_fs_info *fs_info);
+-int btrfs_qgroup_wait_for_completion(struct btrfs_fs_info *fs_info);
++int btrfs_qgroup_wait_for_completion(struct btrfs_fs_info *fs_info,
++ bool interruptible);
+ int btrfs_add_qgroup_relation(struct btrfs_trans_handle *trans,
+ struct btrfs_fs_info *fs_info, u64 src, u64 dst);
+ int btrfs_del_qgroup_relation(struct btrfs_trans_handle *trans,
--- /dev/null
+From add125054b8727103631dce116361668436ef6a7 Mon Sep 17 00:00:00 2001
+From: Gavin Li <git@thegavinli.com>
+Date: Fri, 12 Aug 2016 00:52:56 -0700
+Subject: cdc-acm: fix wrong pipe type on rx interrupt xfers
+
+From: Gavin Li <git@thegavinli.com>
+
+commit add125054b8727103631dce116361668436ef6a7 upstream.
+
+This fixes the "BOGUS urb xfer" warning logged by usb_submit_urb().
+
+Signed-off-by: Gavin Li <git@thegavinli.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c | 5 ++---
+ drivers/usb/class/cdc-acm.h | 1 -
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1336,7 +1336,6 @@ made_compressed_probe:
+ spin_lock_init(&acm->write_lock);
+ spin_lock_init(&acm->read_lock);
+ mutex_init(&acm->mutex);
+- acm->rx_endpoint = usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress);
+ acm->is_int_ep = usb_endpoint_xfer_int(epread);
+ if (acm->is_int_ep)
+ acm->bInterval = epread->bInterval;
+@@ -1376,14 +1375,14 @@ made_compressed_probe:
+ urb->transfer_dma = rb->dma;
+ if (acm->is_int_ep) {
+ usb_fill_int_urb(urb, acm->dev,
+- acm->rx_endpoint,
++ usb_rcvintpipe(usb_dev, epread->bEndpointAddress),
+ rb->base,
+ acm->readsize,
+ acm_read_bulk_callback, rb,
+ acm->bInterval);
+ } else {
+ usb_fill_bulk_urb(urb, acm->dev,
+- acm->rx_endpoint,
++ usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress),
+ rb->base,
+ acm->readsize,
+ acm_read_bulk_callback, rb);
+--- a/drivers/usb/class/cdc-acm.h
++++ b/drivers/usb/class/cdc-acm.h
+@@ -95,7 +95,6 @@ struct acm {
+ struct urb *read_urbs[ACM_NR];
+ struct acm_rb read_buffers[ACM_NR];
+ int rx_buflimit;
+- int rx_endpoint;
+ spinlock_t read_lock;
+ int write_used; /* number of non-empty write buffers */
+ int transmitting;
--- /dev/null
+From 10ea9434065e56fe14287f89258ecf2fb684ed1a Mon Sep 17 00:00:00 2001
+From: jimqu <Jim.Qu@amd.com>
+Date: Tue, 30 Aug 2016 08:59:42 +0800
+Subject: drm/amd/amdgpu: sdma resume fail during S4 on CI
+
+From: jimqu <Jim.Qu@amd.com>
+
+commit 10ea9434065e56fe14287f89258ecf2fb684ed1a upstream.
+
+SDMA could be fail in the thaw() and restore() processes, do software reset
+if each SDMA engine is busy.
+
+Signed-off-by: JimQu <Jim.Qu@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/cik_sdma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/cik_sdma.c
++++ b/drivers/gpu/drm/amd/amdgpu/cik_sdma.c
+@@ -52,6 +52,7 @@ static void cik_sdma_set_ring_funcs(stru
+ static void cik_sdma_set_irq_funcs(struct amdgpu_device *adev);
+ static void cik_sdma_set_buffer_funcs(struct amdgpu_device *adev);
+ static void cik_sdma_set_vm_pte_funcs(struct amdgpu_device *adev);
++static int cik_sdma_soft_reset(void *handle);
+
+ MODULE_FIRMWARE("radeon/bonaire_sdma.bin");
+ MODULE_FIRMWARE("radeon/bonaire_sdma1.bin");
+@@ -1030,6 +1031,8 @@ static int cik_sdma_resume(void *handle)
+ {
+ struct amdgpu_device *adev = (struct amdgpu_device *)handle;
+
++ cik_sdma_soft_reset(handle);
++
+ return cik_sdma_hw_init(adev);
+ }
+
--- /dev/null
+From e1718d97aa88ea44a6a8f50ff464253dd0dacf01 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 24 Aug 2016 12:31:36 -0400
+Subject: drm/amdgpu: avoid a possible array overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit e1718d97aa88ea44a6a8f50ff464253dd0dacf01 upstream.
+
+When looking up the connector type make sure the index
+is valid. Avoids a later crash if we read past the end
+of the array.
+
+Workaround for bug:
+https://bugs.freedesktop.org/show_bug.cgi?id=97460
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
+@@ -331,6 +331,12 @@ bool amdgpu_atombios_get_connector_info_
+ (le16_to_cpu(path->usConnObjectId) &
+ OBJECT_TYPE_MASK) >> OBJECT_TYPE_SHIFT;
+
++ if (con_obj_id >= ARRAY_SIZE(object_connector_convert)) {
++ DRM_ERROR("invalid con_obj_id %d for device tag 0x%04x\n",
++ con_obj_id, le16_to_cpu(path->usDeviceTag));
++ continue;
++ }
++
+ connector_type =
+ object_connector_convert[con_obj_id];
+ connector_object_id = con_obj_id;
--- /dev/null
+From cab0b8d50e9bbef62c04067072c953433a87a9ff Mon Sep 17 00:00:00 2001
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+Date: Fri, 12 Aug 2016 19:25:21 -0400
+Subject: drm/amdgpu: Change GART offset to 64-bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+
+commit cab0b8d50e9bbef62c04067072c953433a87a9ff upstream.
+
+The GART aperture size can be bigger than 4GB. Therefore the offset
+used in amdgpu_gart_bind and amdgpu_gart_unbind must be 64-bit.
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu.h | 4 ++--
+ drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
+@@ -710,9 +710,9 @@ int amdgpu_gart_table_vram_pin(struct am
+ void amdgpu_gart_table_vram_unpin(struct amdgpu_device *adev);
+ int amdgpu_gart_init(struct amdgpu_device *adev);
+ void amdgpu_gart_fini(struct amdgpu_device *adev);
+-void amdgpu_gart_unbind(struct amdgpu_device *adev, unsigned offset,
++void amdgpu_gart_unbind(struct amdgpu_device *adev, uint64_t offset,
+ int pages);
+-int amdgpu_gart_bind(struct amdgpu_device *adev, unsigned offset,
++int amdgpu_gart_bind(struct amdgpu_device *adev, uint64_t offset,
+ int pages, struct page **pagelist,
+ dma_addr_t *dma_addr, uint32_t flags);
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c
+@@ -221,7 +221,7 @@ void amdgpu_gart_table_vram_free(struct
+ * Unbinds the requested pages from the gart page table and
+ * replaces them with the dummy page (all asics).
+ */
+-void amdgpu_gart_unbind(struct amdgpu_device *adev, unsigned offset,
++void amdgpu_gart_unbind(struct amdgpu_device *adev, uint64_t offset,
+ int pages)
+ {
+ unsigned t;
+@@ -269,7 +269,7 @@ void amdgpu_gart_unbind(struct amdgpu_de
+ * (all asics).
+ * Returns 0 for success, -EINVAL for failure.
+ */
+-int amdgpu_gart_bind(struct amdgpu_device *adev, unsigned offset,
++int amdgpu_gart_bind(struct amdgpu_device *adev, uint64_t offset,
+ int pages, struct page **pagelist, dma_addr_t *dma_addr,
+ uint32_t flags)
+ {
--- /dev/null
+From 815d27a46f3119f74fe01fe10bf683aa5bc55597 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
+Date: Wed, 17 Aug 2016 09:45:25 +0200
+Subject: drm/amdgpu: fix amdgpu_move_blit on 32bit systems
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König <christian.koenig@amd.com>
+
+commit 815d27a46f3119f74fe01fe10bf683aa5bc55597 upstream.
+
+This bug seems to be present for a very long time.
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+@@ -233,8 +233,8 @@ static int amdgpu_move_blit(struct ttm_b
+
+ adev = amdgpu_get_adev(bo->bdev);
+ ring = adev->mman.buffer_funcs_ring;
+- old_start = old_mem->start << PAGE_SHIFT;
+- new_start = new_mem->start << PAGE_SHIFT;
++ old_start = (u64)old_mem->start << PAGE_SHIFT;
++ new_start = (u64)new_mem->start << PAGE_SHIFT;
+
+ switch (old_mem->mem_type) {
+ case TTM_PL_VRAM:
--- /dev/null
+From 1f703e6679f373f5bba4efe7093aa82e91af4037 Mon Sep 17 00:00:00 2001
+From: Chunming Zhou <David1.Zhou@amd.com>
+Date: Tue, 30 Aug 2016 17:59:11 +0800
+Subject: drm/amdgpu: record error code when ring test failed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chunming Zhou <David1.Zhou@amd.com>
+
+commit 1f703e6679f373f5bba4efe7093aa82e91af4037 upstream.
+
+Otherwise we may miss errors.
+
+Signed-off-by: Chunming Zhou <David1.Zhou@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c
+@@ -288,7 +288,7 @@ void amdgpu_ib_pool_fini(struct amdgpu_d
+ int amdgpu_ib_ring_tests(struct amdgpu_device *adev)
+ {
+ unsigned i;
+- int r;
++ int r, ret = 0;
+
+ for (i = 0; i < AMDGPU_MAX_RINGS; ++i) {
+ struct amdgpu_ring *ring = adev->rings[i];
+@@ -309,10 +309,11 @@ int amdgpu_ib_ring_tests(struct amdgpu_d
+ } else {
+ /* still not good, but we can live with it */
+ DRM_ERROR("amdgpu: failed testing IB on ring %d (%d).\n", i, r);
++ ret = r;
+ }
+ }
+ }
+- return 0;
++ return ret;
+ }
+
+ /*
--- /dev/null
+From 611a1507fe8569ce1adab3abc982ea58ab559fb9 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 24 Aug 2016 13:04:15 -0400
+Subject: drm/amdgpu: skip TV/CV in display parsing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 611a1507fe8569ce1adab3abc982ea58ab559fb9 upstream.
+
+No asics supported by amdgpu support analog TV.
+
+Workaround for bug:
+https://bugs.freedesktop.org/show_bug.cgi?id=97460
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
+@@ -331,6 +331,13 @@ bool amdgpu_atombios_get_connector_info_
+ (le16_to_cpu(path->usConnObjectId) &
+ OBJECT_TYPE_MASK) >> OBJECT_TYPE_SHIFT;
+
++ /* Skip TV/CV support */
++ if ((le16_to_cpu(path->usDeviceTag) ==
++ ATOM_DEVICE_TV1_SUPPORT) ||
++ (le16_to_cpu(path->usDeviceTag) ==
++ ATOM_DEVICE_CV_SUPPORT))
++ continue;
++
+ if (con_obj_id >= ARRAY_SIZE(object_connector_convert)) {
+ DRM_ERROR("invalid con_obj_id %d for device tag 0x%04x\n",
+ con_obj_id, le16_to_cpu(path->usDeviceTag));
--- /dev/null
+From 3871f42a57efcdc6a9da751a8cb6fa196c212289 Mon Sep 17 00:00:00 2001
+From: Matthew Auld <matthew.auld@intel.com>
+Date: Fri, 5 Aug 2016 19:04:40 +0100
+Subject: drm/i915: fix aliasing_ppgtt leak
+
+From: Matthew Auld <matthew.auld@intel.com>
+
+commit 3871f42a57efcdc6a9da751a8cb6fa196c212289 upstream.
+
+In i915_ggtt_cleanup_hw we need to remember to free aliasing_ppgtt. This
+fixes the following kmemleak message:
+
+unreferenced object 0xffff880213cca000 (size 8192):
+ comm "modprobe", pid 1298, jiffies 4294745402 (age 703.930s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff817c808e>] kmemleak_alloc+0x4e/0xb0
+ [<ffffffff8121f9c2>] kmem_cache_alloc_trace+0x142/0x1d0
+ [<ffffffffa06d11ef>] i915_gem_init_ggtt+0x10f/0x210 [i915]
+ [<ffffffffa06d71bb>] i915_gem_init+0x5b/0xd0 [i915]
+ [<ffffffffa069749a>] i915_driver_load+0x97a/0x1460 [i915]
+ [<ffffffffa06a26ef>] i915_pci_probe+0x4f/0x70 [i915]
+ [<ffffffff81423015>] local_pci_probe+0x45/0xa0
+ [<ffffffff81424463>] pci_device_probe+0x103/0x150
+ [<ffffffff81515e6c>] driver_probe_device+0x22c/0x440
+ [<ffffffff81516151>] __driver_attach+0xd1/0xf0
+ [<ffffffff8151379c>] bus_for_each_dev+0x6c/0xc0
+ [<ffffffff8151555e>] driver_attach+0x1e/0x20
+ [<ffffffff81514fa3>] bus_add_driver+0x1c3/0x280
+ [<ffffffff81516aa0>] driver_register+0x60/0xe0
+ [<ffffffff8142297c>] __pci_register_driver+0x4c/0x50
+ [<ffffffffa013605b>] 0xffffffffa013605b
+
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Fixes: b18b6bde300e ("drm/i915/bdw: Free PPGTT struct")
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: http://patchwork.freedesktop.org/patch/msgid/1470420280-21417-1-git-send-email-matthew.auld@intel.com
+(cherry picked from commit cb7f27601c81a1e0454e9461e96f65b31fafbea0)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_gem_gtt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/i915/i915_gem_gtt.c
++++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
+@@ -2747,6 +2747,7 @@ void i915_global_gtt_cleanup(struct drm_
+ struct i915_hw_ppgtt *ppgtt = dev_priv->mm.aliasing_ppgtt;
+
+ ppgtt->base.cleanup(&ppgtt->base);
++ kfree(ppgtt);
+ }
+
+ if (drm_mm_initialized(&vm->mm)) {
--- /dev/null
+From 993f88f1cc7f0879047ff353e824e5cc8f10adfc Mon Sep 17 00:00:00 2001
+From: Emmanouil Maroudas <emmanouil.maroudas@gmail.com>
+Date: Sat, 23 Apr 2016 18:33:00 +0300
+Subject: EDAC: Increment correct counter in edac_inc_ue_error()
+
+From: Emmanouil Maroudas <emmanouil.maroudas@gmail.com>
+
+commit 993f88f1cc7f0879047ff353e824e5cc8f10adfc upstream.
+
+Fix typo in edac_inc_ue_error() to increment ue_noinfo_count instead of
+ce_noinfo_count.
+
+Signed-off-by: Emmanouil Maroudas <emmanouil.maroudas@gmail.com>
+Cc: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Fixes: 4275be635597 ("edac: Change internal representation to work with layers")
+Link: http://lkml.kernel.org/r/1461425580-5898-1-git-send-email-emmanouil.maroudas@gmail.com
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/edac_mc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/edac_mc.c
++++ b/drivers/edac/edac_mc.c
+@@ -966,7 +966,7 @@ static void edac_inc_ue_error(struct mem
+ mci->ue_mc += count;
+
+ if (!enable_per_layer_report) {
+- mci->ce_noinfo_count += count;
++ mci->ue_noinfo_count += count;
+ return;
+ }
+
--- /dev/null
+From 088bf2ff5d12e2e32ee52a4024fec26e582f44d3 Mon Sep 17 00:00:00 2001
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Thu, 25 Aug 2016 15:17:11 -0700
+Subject: fs/seq_file: fix out-of-bounds read
+
+From: Vegard Nossum <vegard.nossum@oracle.com>
+
+commit 088bf2ff5d12e2e32ee52a4024fec26e582f44d3 upstream.
+
+seq_read() is a nasty piece of work, not to mention buggy.
+
+It has (I think) an old bug which allows unprivileged userspace to read
+beyond the end of m->buf.
+
+I was getting these:
+
+ BUG: KASAN: slab-out-of-bounds in seq_read+0xcd2/0x1480 at addr ffff880116889880
+ Read of size 2713 by task trinity-c2/1329
+ CPU: 2 PID: 1329 Comm: trinity-c2 Not tainted 4.8.0-rc1+ #96
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
+ Call Trace:
+ kasan_object_err+0x1c/0x80
+ kasan_report_error+0x2cb/0x7e0
+ kasan_report+0x4e/0x80
+ check_memory_region+0x13e/0x1a0
+ kasan_check_read+0x11/0x20
+ seq_read+0xcd2/0x1480
+ proc_reg_read+0x10b/0x260
+ do_loop_readv_writev.part.5+0x140/0x2c0
+ do_readv_writev+0x589/0x860
+ vfs_readv+0x7b/0xd0
+ do_readv+0xd8/0x2c0
+ SyS_readv+0xb/0x10
+ do_syscall_64+0x1b3/0x4b0
+ entry_SYSCALL64_slow_path+0x25/0x25
+ Object at ffff880116889100, in cache kmalloc-4096 size: 4096
+ Allocated:
+ PID = 1329
+ save_stack_trace+0x26/0x80
+ save_stack+0x46/0xd0
+ kasan_kmalloc+0xad/0xe0
+ __kmalloc+0x1aa/0x4a0
+ seq_buf_alloc+0x35/0x40
+ seq_read+0x7d8/0x1480
+ proc_reg_read+0x10b/0x260
+ do_loop_readv_writev.part.5+0x140/0x2c0
+ do_readv_writev+0x589/0x860
+ vfs_readv+0x7b/0xd0
+ do_readv+0xd8/0x2c0
+ SyS_readv+0xb/0x10
+ do_syscall_64+0x1b3/0x4b0
+ return_from_SYSCALL_64+0x0/0x6a
+ Freed:
+ PID = 0
+ (stack is not available)
+ Memory state around the buggy address:
+ ffff88011688a000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff88011688a080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ >ffff88011688a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff88011688a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88011688a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ==================================================================
+ Disabling lock debugging due to kernel taint
+
+This seems to be the same thing that Dave Jones was seeing here:
+
+ https://lkml.org/lkml/2016/8/12/334
+
+There are multiple issues here:
+
+ 1) If we enter the function with a non-empty buffer, there is an attempt
+ to flush it. But it was not clearing m->from after doing so, which
+ means that if we try to do this flush twice in a row without any call
+ to traverse() in between, we are going to be reading from the wrong
+ place -- the splat above, fixed by this patch.
+
+ 2) If there's a short write to userspace because of page faults, the
+ buffer may already contain multiple lines (i.e. pos has advanced by
+ more than 1), but we don't save the progress that was made so the
+ next call will output what we've already returned previously. Since
+ that is a much less serious issue (and I have a headache after
+ staring at seq_read() for the past 8 hours), I'll leave that for now.
+
+Link: http://lkml.kernel.org/r/1471447270-32093-1-git-send-email-vegard.nossum@oracle.com
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Reported-by: Dave Jones <davej@codemonkey.org.uk>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/seq_file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/seq_file.c
++++ b/fs/seq_file.c
+@@ -222,8 +222,10 @@ ssize_t seq_read(struct file *file, char
+ size -= n;
+ buf += n;
+ copied += n;
+- if (!m->count)
++ if (!m->count) {
++ m->from = 0;
+ m->index++;
++ }
+ if (!size)
+ goto Done;
+ }
--- /dev/null
+From 2527ecc9195e9c66252af24c4689e8a67cd4ccb9 Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Tue, 16 Aug 2016 09:58:25 +0200
+Subject: gpio: Fix OF build problem on UM
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit 2527ecc9195e9c66252af24c4689e8a67cd4ccb9 upstream.
+
+The UserMode (UM) Linux build was failing in gpiolib-of as it requires
+ioremap()/iounmap() to exist, which is absent from UM. The non-existence
+of IO memory is negatively defined as CONFIG_NO_IOMEM which means we
+need to depend on HAS_IOMEM.
+
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Reported-by: kbuild test robot <fengguang.wu@intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpio/Kconfig
++++ b/drivers/gpio/Kconfig
+@@ -50,6 +50,7 @@ config GPIO_DEVRES
+ config OF_GPIO
+ def_bool y
+ depends on OF
++ depends on HAS_IOMEM
+
+ config GPIO_ACPI
+ def_bool y
--- /dev/null
+From 4d01d88019261d05ec3bff5f1a6013393faa3b9e Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Wed, 10 Aug 2016 13:37:18 -0700
+Subject: i2c: cros-ec-tunnel: Fix usage of cros_ec_cmd_xfer()
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit 4d01d88019261d05ec3bff5f1a6013393faa3b9e upstream.
+
+cros_ec_cmd_xfer returns success status if the command transport
+completes successfully, but the execution result is incorrectly ignored.
+In many cases, the execution result is assumed to be successful, leading
+to ignored errors and operating on uninitialized data.
+
+We've recently introduced the cros_ec_cmd_xfer_status() helper to avoid these
+problems. Let's use it.
+
+[Regarding the 'Fixes' tag; there is significant refactoring since the driver's
+introduction, but the underlying logical error exists throughout I believe]
+
+Fixes: 9d230c9e4f4e ("i2c: ChromeOS EC tunnel driver")
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-cros-ec-tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-cros-ec-tunnel.c
++++ b/drivers/i2c/busses/i2c-cros-ec-tunnel.c
+@@ -215,7 +215,7 @@ static int ec_i2c_xfer(struct i2c_adapte
+ msg->outsize = request_len;
+ msg->insize = response_len;
+
+- result = cros_ec_cmd_xfer(bus->ec, msg);
++ result = cros_ec_cmd_xfer_status(bus->ec, msg);
+ if (result < 0) {
+ dev_err(dev, "Error transferring EC i2c message %d\n", result);
+ goto exit;
--- /dev/null
+From fcf68f3c0bb2a541aa47a2a38b8939edf84fd529 Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Mon, 8 Aug 2016 17:19:38 -0700
+Subject: iio: fix sched WARNING "do not call blocking ops when !TASK_RUNNING"
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit fcf68f3c0bb2a541aa47a2a38b8939edf84fd529 upstream.
+
+When using CONFIG_DEBUG_ATOMIC_SLEEP, the scheduler nicely points out
+that we're calling sleeping primitives within the wait_event loop, which
+means we might clobber the task state:
+
+[ 10.831289] do not call blocking ops when !TASK_RUNNING; state=1 set at [<ffffffc00026b610>]
+[ 10.845531] ------------[ cut here ]------------
+[ 10.850161] WARNING: at kernel/sched/core.c:7630
+...
+[ 12.164333] ---[ end trace 45409966a9a76438 ]---
+[ 12.168942] Call trace:
+[ 12.171391] [<ffffffc00024ed44>] __might_sleep+0x64/0x90
+[ 12.176699] [<ffffffc000954774>] mutex_lock_nested+0x50/0x3fc
+[ 12.182440] [<ffffffc0007b9424>] iio_kfifo_buf_data_available+0x28/0x4c
+[ 12.189043] [<ffffffc0007b76ac>] iio_buffer_ready+0x60/0xe0
+[ 12.194608] [<ffffffc0007b7834>] iio_buffer_read_first_n_outer+0x108/0x1a8
+[ 12.201474] [<ffffffc000370d48>] __vfs_read+0x58/0x114
+[ 12.206606] [<ffffffc000371740>] vfs_read+0x94/0x118
+[ 12.211564] [<ffffffc0003720f8>] SyS_read+0x64/0xb4
+[ 12.216436] [<ffffffc000203cb4>] el0_svc_naked+0x24/0x28
+
+To avoid this, we should (a la https://lwn.net/Articles/628628/) use the
+wait_woken() function, which avoids the nested sleeping while still
+handling races between waiting / wake-events.
+
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/industrialio-buffer.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -107,6 +107,7 @@ ssize_t iio_buffer_read_first_n_outer(st
+ {
+ struct iio_dev *indio_dev = filp->private_data;
+ struct iio_buffer *rb = indio_dev->buffer;
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ size_t datum_size;
+ size_t to_wait;
+ int ret;
+@@ -131,19 +132,29 @@ ssize_t iio_buffer_read_first_n_outer(st
+ else
+ to_wait = min_t(size_t, n / datum_size, rb->watermark);
+
++ add_wait_queue(&rb->pollq, &wait);
+ do {
+- ret = wait_event_interruptible(rb->pollq,
+- iio_buffer_ready(indio_dev, rb, to_wait, n / datum_size));
+- if (ret)
+- return ret;
+-
+- if (!indio_dev->info)
+- return -ENODEV;
++ if (!indio_dev->info) {
++ ret = -ENODEV;
++ break;
++ }
++
++ if (!iio_buffer_ready(indio_dev, rb, to_wait, n / datum_size)) {
++ if (signal_pending(current)) {
++ ret = -ERESTARTSYS;
++ break;
++ }
++
++ wait_woken(&wait, TASK_INTERRUPTIBLE,
++ MAX_SCHEDULE_TIMEOUT);
++ continue;
++ }
+
+ ret = rb->access->read_first_n(rb, n, buf);
+ if (ret == 0 && (filp->f_flags & O_NONBLOCK))
+ ret = -EAGAIN;
+ } while (ret == 0);
++ remove_wait_queue(&rb->pollq, &wait);
+
+ return ret;
+ }
--- /dev/null
+From 5bc0a11664e17e9f9551983f5b660bd48b57483c Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Tue, 16 Aug 2016 14:29:16 +0100
+Subject: iommu/arm-smmu: Don't BUG() if we find aborting STEs with disable_bypass
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 5bc0a11664e17e9f9551983f5b660bd48b57483c upstream.
+
+The disable_bypass cmdline option changes the SMMUv3 driver to put down
+faulting stream table entries by default, as opposed to bypassing
+transactions from unconfigured devices.
+
+In this mode of operation, it is entirely expected to see aborting
+entries in the stream table if and when we come to installing a valid
+translation, so don't trigger a BUG() as a result of misdiagnosing these
+entries as stream table corruption.
+
+Fixes: 48ec83bcbcf5 ("iommu/arm-smmu: Add initial driver support for ARM SMMUv3 devices")
+Tested-by: Robin Murphy <robin.murphy@arm.com>
+Reported-by: Robin Murphy <robin.murphy@arm.com>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/arm-smmu-v3.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iommu/arm-smmu-v3.c
++++ b/drivers/iommu/arm-smmu-v3.c
+@@ -1025,6 +1025,9 @@ static void arm_smmu_write_strtab_ent(st
+ case STRTAB_STE_0_CFG_S2_TRANS:
+ ste_live = true;
+ break;
++ case STRTAB_STE_0_CFG_ABORT:
++ if (disable_bypass)
++ break;
+ default:
+ BUG(); /* STE corruption */
+ }
--- /dev/null
+From aea2037e0d3e23c3be1498feae29f71ca997d9e6 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Fri, 29 Jul 2016 11:15:37 +0100
+Subject: iommu/arm-smmu: Fix CMDQ error handling
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit aea2037e0d3e23c3be1498feae29f71ca997d9e6 upstream.
+
+In the unlikely event of a global command queue error, the ARM SMMUv3
+driver attempts to convert the problematic command into a CMD_SYNC and
+resume the command queue. Unfortunately, this code is pretty badly
+broken:
+
+ 1. It uses the index into the error string table as the CMDQ index,
+ so we probably read the wrong entry out of the queue
+
+ 2. The arguments to queue_write are the wrong way round, so we end up
+ writing from the queue onto the stack.
+
+These happily cancel out, so the kernel is likely to stay alive, but
+the command queue will probably fault again when we resume.
+
+This patch fixes the error handling code to use the correct queue index
+and write back the CMD_SYNC to the faulting entry.
+
+Fixes: 48ec83bcbcf5 ("iommu/arm-smmu: Add initial driver support for ARM SMMUv3 devices")
+Reported-by: Diwakar Subraveti <Diwakar.Subraveti@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/arm-smmu-v3.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iommu/arm-smmu-v3.c
++++ b/drivers/iommu/arm-smmu-v3.c
+@@ -870,7 +870,7 @@ static void arm_smmu_cmdq_skip_err(struc
+ * We may have concurrent producers, so we need to be careful
+ * not to touch any of the shadow cmdq state.
+ */
+- queue_read(cmd, Q_ENT(q, idx), q->ent_dwords);
++ queue_read(cmd, Q_ENT(q, cons), q->ent_dwords);
+ dev_err(smmu->dev, "skipping command in error state:\n");
+ for (i = 0; i < ARRAY_SIZE(cmd); ++i)
+ dev_err(smmu->dev, "\t0x%016llx\n", (unsigned long long)cmd[i]);
+@@ -881,7 +881,7 @@ static void arm_smmu_cmdq_skip_err(struc
+ return;
+ }
+
+- queue_write(cmd, Q_ENT(q, idx), q->ent_dwords);
++ queue_write(Q_ENT(q, cons), cmd, q->ent_dwords);
+ }
+
+ static void arm_smmu_cmdq_issue_cmd(struct arm_smmu_device *smmu,
--- /dev/null
+From 3ec60043f7c02e1f79e4a90045ff2d2e80042941 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Tue, 9 Aug 2016 16:23:17 +0100
+Subject: iommu/dma: Don't put uninitialised IOVA domains
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit 3ec60043f7c02e1f79e4a90045ff2d2e80042941 upstream.
+
+Due to the limitations of having to wait until we see a device's DMA
+restrictions before we know how we want an IOVA domain initialised,
+there is a window for error if a DMA ops domain is allocated but later
+freed without ever being used. In that case, init_iova_domain() was
+never called, so calling put_iova_domain() from iommu_put_dma_cookie()
+ends up trying to take an uninitialised lock and crashing.
+
+Make things robust by skipping the call unless the IOVA domain actually
+has been initialised, as we probably should have done from the start.
+
+Fixes: 0db2e5d18f76 ("iommu: Implement common IOMMU ops for DMA mapping")
+Reported-by: Nate Watterson <nwatters@codeaurora.org>
+Reviewed-by: Nate Watterson <nwatters@codeaurora.org>
+Tested-by: Nate Watterson <nwatters@codeaurora.org>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Tested-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/dma-iommu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/dma-iommu.c
++++ b/drivers/iommu/dma-iommu.c
+@@ -68,7 +68,8 @@ void iommu_put_dma_cookie(struct iommu_d
+ if (!iovad)
+ return;
+
+- put_iova_domain(iovad);
++ if (iovad->granule)
++ put_iova_domain(iovad);
+ kfree(iovad);
+ domain->iova_cookie = NULL;
+ }
--- /dev/null
+From 6b07d9ca9b5363dda959b9582a3fc9c0b89ef3b5 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Tue, 2 Aug 2016 11:13:41 +0200
+Subject: mac80211: fix purging multicast PS buffer queue
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 6b07d9ca9b5363dda959b9582a3fc9c0b89ef3b5 upstream.
+
+The code currently assumes that buffered multicast PS frames don't have
+a pending ACK frame for tx status reporting.
+However, hostapd sends a broadcast deauth frame on teardown for which tx
+status is requested. This can lead to the "Have pending ack frames"
+warning on module reload.
+Fix this by using ieee80211_free_txskb/ieee80211_purge_tx_queue.
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/cfg.c | 2 +-
+ net/mac80211/tx.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -865,7 +865,7 @@ static int ieee80211_stop_ap(struct wiph
+
+ /* free all potentially still buffered bcast frames */
+ local->total_ps_buffered -= skb_queue_len(&sdata->u.ap.ps.bc_buf);
+- skb_queue_purge(&sdata->u.ap.ps.bc_buf);
++ ieee80211_purge_tx_queue(&local->hw, &sdata->u.ap.ps.bc_buf);
+
+ mutex_lock(&local->mtx);
+ ieee80211_vif_copy_chanctx_to_vlans(sdata, true);
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -365,7 +365,7 @@ static void purge_old_ps_buffers(struct
+ skb = skb_dequeue(&ps->bc_buf);
+ if (skb) {
+ purged++;
+- dev_kfree_skb(skb);
++ ieee80211_free_txskb(&local->hw, skb);
+ }
+ total += skb_queue_len(&ps->bc_buf);
+ }
+@@ -448,7 +448,7 @@ ieee80211_tx_h_multicast_ps_buf(struct i
+ if (skb_queue_len(&ps->bc_buf) >= AP_MAX_BC_BUFFER) {
+ ps_dbg(tx->sdata,
+ "BC TX buffer full - dropping the oldest frame\n");
+- dev_kfree_skb(skb_dequeue(&ps->bc_buf));
++ ieee80211_free_txskb(&tx->local->hw, skb_dequeue(&ps->bc_buf));
+ } else
+ tx->local->total_ps_buffered++;
+
+@@ -3781,7 +3781,7 @@ ieee80211_get_buffered_bc(struct ieee802
+ sdata = IEEE80211_DEV_TO_SUB_IF(skb->dev);
+ if (!ieee80211_tx_prepare(sdata, &tx, NULL, skb))
+ break;
+- dev_kfree_skb_any(skb);
++ ieee80211_free_txskb(hw, skb);
+ }
+
+ info = IEEE80211_SKB_CB(skb);
--- /dev/null
+From e7f851684efb3377e9c93aca7fae6e76212e5680 Mon Sep 17 00:00:00 2001
+From: Yinghai Lu <yinghai@kernel.org>
+Date: Fri, 5 Aug 2016 23:37:34 -0700
+Subject: megaraid_sas: Fix probing cards without io port
+
+From: Yinghai Lu <yinghai@kernel.org>
+
+commit e7f851684efb3377e9c93aca7fae6e76212e5680 upstream.
+
+Found one megaraid_sas HBA probe fails,
+
+[ 187.235190] scsi host2: Avago SAS based MegaRAID driver
+[ 191.112365] megaraid_sas 0000:89:00.0: BAR 0: can't reserve [io 0x0000-0x00ff]
+[ 191.120548] megaraid_sas 0000:89:00.0: IO memory region busy!
+
+and the card has resource like,
+[ 125.097714] pci 0000:89:00.0: [1000:005d] type 00 class 0x010400
+[ 125.104446] pci 0000:89:00.0: reg 0x10: [io 0x0000-0x00ff]
+[ 125.110686] pci 0000:89:00.0: reg 0x14: [mem 0xce400000-0xce40ffff 64bit]
+[ 125.118286] pci 0000:89:00.0: reg 0x1c: [mem 0xce300000-0xce3fffff 64bit]
+[ 125.125891] pci 0000:89:00.0: reg 0x30: [mem 0xce200000-0xce2fffff pref]
+
+that does not io port resource allocated from BIOS, and kernel can not
+assign one as io port shortage.
+
+The driver is only looking for MEM, and should not fail.
+
+It turns out megasas_init_fw() etc are using bar index as mask. index 1
+is used as mask 1, so that pci_request_selected_regions() is trying to
+request BAR0 instead of BAR1.
+
+Fix all related reference.
+
+Fixes: b6d5d8808b4c ("megaraid_sas: Use lowest memory bar for SR-IOV VF support")
+Signed-off-by: Yinghai Lu <yinghai@kernel.org>
+Acked-by: Kashyap Desai <kashyap.desai@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/megaraid/megaraid_sas_base.c | 6 +++---
+ drivers/scsi/megaraid/megaraid_sas_fusion.c | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -4669,7 +4669,7 @@ static int megasas_init_fw(struct megasa
+ /* Find first memory bar */
+ bar_list = pci_select_bars(instance->pdev, IORESOURCE_MEM);
+ instance->bar = find_first_bit(&bar_list, sizeof(unsigned long));
+- if (pci_request_selected_regions(instance->pdev, instance->bar,
++ if (pci_request_selected_regions(instance->pdev, 1<<instance->bar,
+ "megasas: LSI")) {
+ dev_printk(KERN_DEBUG, &instance->pdev->dev, "IO memory region busy!\n");
+ return -EBUSY;
+@@ -4960,7 +4960,7 @@ fail_ready_state:
+ iounmap(instance->reg_set);
+
+ fail_ioremap:
+- pci_release_selected_regions(instance->pdev, instance->bar);
++ pci_release_selected_regions(instance->pdev, 1<<instance->bar);
+
+ return -EINVAL;
+ }
+@@ -4981,7 +4981,7 @@ static void megasas_release_mfi(struct m
+
+ iounmap(instance->reg_set);
+
+- pci_release_selected_regions(instance->pdev, instance->bar);
++ pci_release_selected_regions(instance->pdev, 1<<instance->bar);
+ }
+
+ /**
+--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
+@@ -2437,7 +2437,7 @@ megasas_release_fusion(struct megasas_in
+
+ iounmap(instance->reg_set);
+
+- pci_release_selected_regions(instance->pdev, instance->bar);
++ pci_release_selected_regions(instance->pdev, 1<<instance->bar);
+ }
+
+ /**
--- /dev/null
+From 9798ac6d32c1a32d6d92d853ff507d2d39c4300c Mon Sep 17 00:00:00 2001
+From: Tomeu Vizoso <tomeu.vizoso@collabora.com>
+Date: Fri, 15 Jul 2016 16:28:41 -0700
+Subject: mfd: cros_ec: Add cros_ec_cmd_xfer_status() helper
+
+From: Tomeu Vizoso <tomeu.vizoso@collabora.com>
+
+commit 9798ac6d32c1a32d6d92d853ff507d2d39c4300c upstream.
+
+So that callers of cros_ec_cmd_xfer() don't have to repeat boilerplate
+code when checking for errors from the EC side.
+
+Signed-off-by: Tomeu Vizoso <tomeu.vizoso@collabora.com>
+Reviewed-by: Benson Leung <bleung@chromium.org>
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Acked-by: Lee Jones <lee.jones@linaro.org>
+Tested-by: Enric Balletbo i Serra <enric.balletbo@collabora.com>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/chrome/cros_ec_proto.c | 17 +++++++++++++++++
+ include/linux/mfd/cros_ec.h | 15 +++++++++++++++
+ 2 files changed, 32 insertions(+)
+
+--- a/drivers/platform/chrome/cros_ec_proto.c
++++ b/drivers/platform/chrome/cros_ec_proto.c
+@@ -380,3 +380,20 @@ int cros_ec_cmd_xfer(struct cros_ec_devi
+ return ret;
+ }
+ EXPORT_SYMBOL(cros_ec_cmd_xfer);
++
++int cros_ec_cmd_xfer_status(struct cros_ec_device *ec_dev,
++ struct cros_ec_command *msg)
++{
++ int ret;
++
++ ret = cros_ec_cmd_xfer(ec_dev, msg);
++ if (ret < 0) {
++ dev_err(ec_dev->dev, "Command xfer error (err:%d)\n", ret);
++ } else if (msg->result != EC_RES_SUCCESS) {
++ dev_dbg(ec_dev->dev, "Command result (err: %d)\n", msg->result);
++ return -EPROTO;
++ }
++
++ return ret;
++}
++EXPORT_SYMBOL(cros_ec_cmd_xfer_status);
+--- a/include/linux/mfd/cros_ec.h
++++ b/include/linux/mfd/cros_ec.h
+@@ -224,6 +224,21 @@ int cros_ec_cmd_xfer(struct cros_ec_devi
+ struct cros_ec_command *msg);
+
+ /**
++ * cros_ec_cmd_xfer_status - Send a command to the ChromeOS EC
++ *
++ * This function is identical to cros_ec_cmd_xfer, except it returns success
++ * status only if both the command was transmitted successfully and the EC
++ * replied with success status. It's not necessary to check msg->result when
++ * using this function.
++ *
++ * @ec_dev: EC device
++ * @msg: Message to write
++ * @return: Num. of bytes transferred on success, <0 on failure
++ */
++int cros_ec_cmd_xfer_status(struct cros_ec_device *ec_dev,
++ struct cros_ec_command *msg);
++
++/**
+ * cros_ec_remove - Remove a ChromeOS EC
+ *
+ * Call this to deregister a ChromeOS EC, then clean up any private data.
--- /dev/null
+From ce7c6c9e1d997a2670aead3a7b87f4df32c11118 Mon Sep 17 00:00:00 2001
+From: Greg Edwards <gedwards@fireweed.org>
+Date: Sat, 30 Jul 2016 10:06:26 -0600
+Subject: mpt3sas: Fix resume on WarpDrive flash cards
+
+From: Greg Edwards <gedwards@fireweed.org>
+
+commit ce7c6c9e1d997a2670aead3a7b87f4df32c11118 upstream.
+
+mpt3sas crashes on resume after suspend with WarpDrive flash cards. The
+reply_post_host_index array is not set back up after the resume, and we
+deference a stale pointer in _base_interrupt().
+
+[ 47.309711] BUG: unable to handle kernel paging request at ffffc90001f8006c
+[ 47.318289] IP: [<ffffffffc00863ef>] _base_interrupt+0x49f/0xa30 [mpt3sas]
+[ 47.326749] PGD 41ccaa067 PUD 41ccab067 PMD 3466c067 PTE 0
+[ 47.333848] Oops: 0002 [#1] SMP
+...
+[ 47.452708] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.7.0 #6
+[ 47.460506] Hardware name: Dell Inc. OptiPlex 990/06D7TR, BIOS A18 09/24/2013
+[ 47.469629] task: ffffffff81c0d500 ti: ffffffff81c00000 task.ti: ffffffff81c00000
+[ 47.479112] RIP: 0010:[<ffffffffc00863ef>] [<ffffffffc00863ef>] _base_interrupt+0x49f/0xa30 [mpt3sas]
+[ 47.490466] RSP: 0018:ffff88041d203e30 EFLAGS: 00010002
+[ 47.497801] RAX: 0000000000000001 RBX: ffff880033f4c000 RCX: 0000000000000001
+[ 47.506973] RDX: ffffc90001f8006c RSI: 0000000000000082 RDI: 0000000000000082
+[ 47.516141] RBP: ffff88041d203eb0 R08: ffff8804118e2820 R09: 0000000000000001
+[ 47.525300] R10: 0000000000000001 R11: 00000000100c0000 R12: 0000000000000000
+[ 47.534457] R13: ffff880412c487e0 R14: ffff88041a8987d8 R15: 0000000000000001
+[ 47.543632] FS: 0000000000000000(0000) GS:ffff88041d200000(0000) knlGS:0000000000000000
+[ 47.553796] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 47.561632] CR2: ffffc90001f8006c CR3: 0000000001c06000 CR4: 00000000000406f0
+[ 47.570883] Stack:
+[ 47.575015] 000000001d211228 ffff88041d2100c0 ffff8800c47d8130 0000000000000100
+[ 47.584625] ffff8804100c0000 100c000000000000 ffff88041a8992a0 ffff88041a8987f8
+[ 47.594230] ffff88041d203e00 ffffffff81111e55 000000000000038c ffff880414ad4280
+[ 47.603862] Call Trace:
+[ 47.608474] <IRQ>
+[ 47.610413] [<ffffffff81111e55>] ? call_timer_fn+0x35/0x120
+[ 47.620539] [<ffffffff81100a1f>] handle_irq_event_percpu+0x7f/0x1c0
+[ 47.629061] [<ffffffff81100b8c>] handle_irq_event+0x2c/0x50
+[ 47.636859] [<ffffffff81103fff>] handle_edge_irq+0x6f/0x130
+[ 47.644654] [<ffffffff8102fbf3>] handle_irq+0x73/0x120
+[ 47.652011] [<ffffffff810c6ada>] ? atomic_notifier_call_chain+0x1a/0x20
+[ 47.660854] [<ffffffff817e374b>] do_IRQ+0x4b/0xd0
+[ 47.667777] [<ffffffff817e160c>] common_interrupt+0x8c/0x8c
+[ 47.675635] <EOI>
+
+Move the reply_post_host_index array setup into
+mpt3sas_base_map_resources(), which is also in the resume path.
+
+Signed-off-by: Greg Edwards <gedwards@fireweed.org>
+Acked-by: Chaitra P B <chaitra.basappa@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/mpt3sas/mpt3sas_base.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
+@@ -2155,6 +2155,17 @@ mpt3sas_base_map_resources(struct MPT3SA
+ } else
+ ioc->msix96_vector = 0;
+
++ if (ioc->is_warpdrive) {
++ ioc->reply_post_host_index[0] = (resource_size_t __iomem *)
++ &ioc->chip->ReplyPostHostIndex;
++
++ for (i = 1; i < ioc->cpu_msix_table_sz; i++)
++ ioc->reply_post_host_index[i] =
++ (resource_size_t __iomem *)
++ ((u8 __iomem *)&ioc->chip->Doorbell + (0x4000 + ((i - 1)
++ * 4)));
++ }
++
+ list_for_each_entry(reply_q, &ioc->reply_queue_list, list)
+ pr_info(MPT3SAS_FMT "%s: IRQ %d\n",
+ reply_q->name, ((ioc->msix_enable) ? "PCI-MSI-X enabled" :
+@@ -5201,17 +5212,6 @@ mpt3sas_base_attach(struct MPT3SAS_ADAPT
+ if (r)
+ goto out_free_resources;
+
+- if (ioc->is_warpdrive) {
+- ioc->reply_post_host_index[0] = (resource_size_t __iomem *)
+- &ioc->chip->ReplyPostHostIndex;
+-
+- for (i = 1; i < ioc->cpu_msix_table_sz; i++)
+- ioc->reply_post_host_index[i] =
+- (resource_size_t __iomem *)
+- ((u8 __iomem *)&ioc->chip->Doorbell + (0x4000 + ((i - 1)
+- * 4)));
+- }
+-
+ pci_set_drvdata(ioc->pdev, ioc->shost);
+ r = _base_get_ioc_facts(ioc, CAN_SLEEP);
+ if (r)
--- /dev/null
+From 34276bb062b8449b3b0a208c9b848a1a27920075 Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Mon, 15 Aug 2016 14:58:43 +0200
+Subject: of: fix reference counting in of_graph_get_endpoint_by_regs
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+commit 34276bb062b8449b3b0a208c9b848a1a27920075 upstream.
+
+The called of_graph_get_next_endpoint() already decrements the refcount
+of the prev node, so it is wrong to do it again in the calling function.
+
+Use the for_each_endpoint_of_node() helper to interate through the
+endpoint OF nodes, which already does the right thing and simplifies
+the code a bit.
+
+Fixes: 8ccd0d0ca041
+(of: add helper for getting endpoint node of specific identifiers)
+Reported-by: David Jander <david@protonic.nl>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Acked-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/of/base.c | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -2253,20 +2253,13 @@ struct device_node *of_graph_get_endpoin
+ const struct device_node *parent, int port_reg, int reg)
+ {
+ struct of_endpoint endpoint;
+- struct device_node *node, *prev_node = NULL;
+-
+- while (1) {
+- node = of_graph_get_next_endpoint(parent, prev_node);
+- of_node_put(prev_node);
+- if (!node)
+- break;
++ struct device_node *node = NULL;
+
++ for_each_endpoint_of_node(parent, node) {
+ of_graph_parse_endpoint(node, &endpoint);
+ if (((port_reg == -1) || (endpoint.port == port_reg)) &&
+ ((reg == -1) || (endpoint.id == reg)))
+ return node;
+-
+- prev_node = node;
+ }
+
+ return NULL;
--- /dev/null
+From 8cf4345575a416e6856a6856ac6eaa31ad883126 Mon Sep 17 00:00:00 2001
+From: "Agrawal, Nitesh-kumar" <Nitesh-kumar.Agrawal@amd.com>
+Date: Tue, 26 Jul 2016 08:28:19 +0000
+Subject: pinctrl/amd: Remove the default de-bounce time
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Agrawal, Nitesh-kumar <Nitesh-kumar.Agrawal@amd.com>
+
+commit 8cf4345575a416e6856a6856ac6eaa31ad883126 upstream.
+
+In the function amd_gpio_irq_enable() and
+amd_gpio_direction_input(), remove the code which is setting
+the default de-bounce time to 2.75ms.
+
+The driver code shall use the same settings as specified in
+BIOS. Any default assignment impacts TouchPad behaviour when
+the LevelTrig is set to EDGE FALLING.
+
+Reviewed-by: Ken Xue <Ken.Xue@amd.com>
+Signed-off-by: Nitesh Kumar Agrawal <Nitesh-kumar.Agrawal@amd.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/pinctrl-amd.c | 20 --------------------
+ 1 file changed, 20 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-amd.c
++++ b/drivers/pinctrl/pinctrl-amd.c
+@@ -48,17 +48,6 @@ static int amd_gpio_direction_input(stru
+
+ spin_lock_irqsave(&gpio_dev->lock, flags);
+ pin_reg = readl(gpio_dev->base + offset * 4);
+- /*
+- * Suppose BIOS or Bootloader sets specific debounce for the
+- * GPIO. if not, set debounce to be 2.75ms and remove glitch.
+- */
+- if ((pin_reg & DB_TMR_OUT_MASK) == 0) {
+- pin_reg |= 0xf;
+- pin_reg |= BIT(DB_TMR_OUT_UNIT_OFF);
+- pin_reg |= DB_TYPE_REMOVE_GLITCH << DB_CNTRL_OFF;
+- pin_reg &= ~BIT(DB_TMR_LARGE_OFF);
+- }
+-
+ pin_reg &= ~BIT(OUTPUT_ENABLE_OFF);
+ writel(pin_reg, gpio_dev->base + offset * 4);
+ spin_unlock_irqrestore(&gpio_dev->lock, flags);
+@@ -331,15 +320,6 @@ static void amd_gpio_irq_enable(struct i
+
+ spin_lock_irqsave(&gpio_dev->lock, flags);
+ pin_reg = readl(gpio_dev->base + (d->hwirq)*4);
+- /*
+- Suppose BIOS or Bootloader sets specific debounce for the
+- GPIO. if not, set debounce to be 2.75ms.
+- */
+- if ((pin_reg & DB_TMR_OUT_MASK) == 0) {
+- pin_reg |= 0xf;
+- pin_reg |= BIT(DB_TMR_OUT_UNIT_OFF);
+- pin_reg &= ~BIT(DB_TMR_LARGE_OFF);
+- }
+ pin_reg |= BIT(INTERRUPT_ENABLE_OFF);
+ pin_reg |= BIT(INTERRUPT_MASK_OFF);
+ writel(pin_reg, gpio_dev->base + (d->hwirq)*4);
--- /dev/null
+From 9ba333dc55cbb9523553df973adb3024d223e905 Mon Sep 17 00:00:00 2001
+From: Stefan Haberland <sth@linux.vnet.ibm.com>
+Date: Mon, 8 Aug 2016 14:08:17 +0200
+Subject: s390/dasd: fix hanging device after clear subchannel
+
+From: Stefan Haberland <sth@linux.vnet.ibm.com>
+
+commit 9ba333dc55cbb9523553df973adb3024d223e905 upstream.
+
+When a device is in a status where CIO has killed all I/O by itself the
+interrupt for a clear request may not contain an irb to determine the
+clear function. Instead it contains an error pointer -EIO.
+This was ignored by the DASD int_handler leading to a hanging device
+waiting for a clear interrupt.
+
+Handle -EIO error pointer correctly for requests that are clear pending and
+treat the clear as successful.
+
+Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
+Reviewed-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/block/dasd.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/s390/block/dasd.c
++++ b/drivers/s390/block/dasd.c
+@@ -1584,9 +1584,18 @@ void dasd_int_handler(struct ccw_device
+ unsigned long long now;
+ int expires;
+
++ cqr = (struct dasd_ccw_req *) intparm;
+ if (IS_ERR(irb)) {
+ switch (PTR_ERR(irb)) {
+ case -EIO:
++ if (cqr && cqr->status == DASD_CQR_CLEAR_PENDING) {
++ device = (struct dasd_device *) cqr->startdev;
++ cqr->status = DASD_CQR_CLEARED;
++ dasd_device_clear_timer(device);
++ wake_up(&dasd_flush_wq);
++ dasd_schedule_device_bh(device);
++ return;
++ }
+ break;
+ case -ETIMEDOUT:
+ DBF_EVENT_DEVID(DBF_WARNING, cdev, "%s: "
+@@ -1602,7 +1611,6 @@ void dasd_int_handler(struct ccw_device
+ }
+
+ now = get_tod_clock();
+- cqr = (struct dasd_ccw_req *) intparm;
+ /* check for conditions that should be handled immediately */
+ if (!cqr ||
+ !(scsw_dstat(&irb->scsw) == (DEV_STAT_CHN_END | DEV_STAT_DEV_END) &&
--- /dev/null
+From 173be9a14f7b2e901cf77c18b1aafd4d672e9d9e Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Mon, 15 Aug 2016 18:38:42 +0200
+Subject: sched/cputime: Fix NO_HZ_FULL getrusage() monotonicity regression
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 173be9a14f7b2e901cf77c18b1aafd4d672e9d9e upstream.
+
+Mike reports:
+
+ Roughly 10% of the time, ltp testcase getrusage04 fails:
+ getrusage04 0 TINFO : Expected timers granularity is 4000 us
+ getrusage04 0 TINFO : Using 1 as multiply factor for max [us]time increment (1000+4000us)!
+ getrusage04 0 TINFO : utime: 0us; stime: 179us
+ getrusage04 0 TINFO : utime: 3751us; stime: 0us
+ getrusage04 1 TFAIL : getrusage04.c:133: stime increased > 5000us:
+
+And tracked it down to the case where the task simply doesn't get
+_any_ [us]time ticks.
+
+Update the code to assume all rtime is utime when we lack information,
+thus ensuring a task that elides the tick gets time accounted.
+
+Reported-by: Mike Galbraith <umgwanakikbuti@gmail.com>
+Tested-by: Mike Galbraith <umgwanakikbuti@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Fredrik Markstrom <fredrik.markstrom@gmail.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Radim <rkrcmar@redhat.com>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: Wanpeng Li <wanpeng.li@hotmail.com>
+Fixes: 9d7fb0427648 ("sched/cputime: Guarantee stime + utime == rtime")
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/cputime.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/kernel/sched/cputime.c
++++ b/kernel/sched/cputime.c
+@@ -600,19 +600,25 @@ static void cputime_adjust(struct task_c
+ stime = curr->stime;
+ utime = curr->utime;
+
+- if (utime == 0) {
+- stime = rtime;
++ /*
++ * If either stime or both stime and utime are 0, assume all runtime is
++ * userspace. Once a task gets some ticks, the monotonicy code at
++ * 'update' will ensure things converge to the observed ratio.
++ */
++ if (stime == 0) {
++ utime = rtime;
+ goto update;
+ }
+
+- if (stime == 0) {
+- utime = rtime;
++ if (utime == 0) {
++ stime = rtime;
+ goto update;
+ }
+
+ stime = scale_stime((__force u64)stime, (__force u64)rtime,
+ (__force u64)(stime + utime));
+
++update:
+ /*
+ * Make sure stime doesn't go backwards; this preserves monotonicity
+ * for utime because rtime is monotonic.
+@@ -635,7 +641,6 @@ static void cputime_adjust(struct task_c
+ stime = rtime - utime;
+ }
+
+-update:
+ prev->stime = stime;
+ prev->utime = utime;
+ out:
--- /dev/null
+From 444969223c81c7d0a95136b7b4cfdcfbc96ac5bd Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Wed, 4 May 2016 14:45:34 +0800
+Subject: sched/nohz: Fix affine unpinned timers mess
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+commit 444969223c81c7d0a95136b7b4cfdcfbc96ac5bd upstream.
+
+The following commit:
+
+ 9642d18eee2c ("nohz: Affine unpinned timers to housekeepers")'
+
+intended to affine unpinned timers to housekeepers:
+
+ unpinned timers(full dynaticks, idle) => nearest busy housekeepers(otherwise, fallback to any housekeepers)
+ unpinned timers(full dynaticks, busy) => nearest busy housekeepers(otherwise, fallback to any housekeepers)
+ unpinned timers(houserkeepers, idle) => nearest busy housekeepers(otherwise, fallback to itself)
+
+However, the !idle_cpu(i) && is_housekeeping_cpu(cpu) check modified the
+intention to:
+
+ unpinned timers(full dynaticks, idle) => any housekeepers(no mattter cpu topology)
+ unpinned timers(full dynaticks, busy) => any housekeepers(no mattter cpu topology)
+ unpinned timers(housekeepers, idle) => any busy cpus(otherwise, fallback to any housekeepers)
+
+This patch fixes it by checking if there are busy housekeepers nearby,
+otherwise falls to any housekeepers/itself. After the patch:
+
+ unpinned timers(full dynaticks, idle) => nearest busy housekeepers(otherwise, fallback to any housekeepers)
+ unpinned timers(full dynaticks, busy) => nearest busy housekeepers(otherwise, fallback to any housekeepers)
+ unpinned timers(housekeepers, idle) => nearest busy housekeepers(otherwise, fallback to itself)
+
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+[ Fixed the changelog. ]
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-kernel@vger.kernel.org
+Fixes: 'commit 9642d18eee2c ("nohz: Affine unpinned timers to housekeepers")'
+Link: http://lkml.kernel.org/r/1462344334-8303-1-git-send-email-wanpeng.li@hotmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -627,7 +627,10 @@ int get_nohz_timer_target(void)
+ rcu_read_lock();
+ for_each_domain(cpu, sd) {
+ for_each_cpu(i, sched_domain_span(sd)) {
+- if (!idle_cpu(i) && is_housekeeping_cpu(cpu)) {
++ if (cpu == i)
++ continue;
++
++ if (!idle_cpu(i) && is_housekeeping_cpu(i)) {
+ cpu = i;
+ goto unlock;
+ }
usb-serial-ftdi_sio-add-device-id-for-wiced-usb-uart-dev-board.patch
usb-serial-ftdi_sio-add-pids-for-ivium-technologies-devices.patch
xhci-make-sure-xhci-handles-usb_speed_super_plus-devices.patch
+iommu-dma-don-t-put-uninitialised-iova-domains.patch
+iommu-arm-smmu-fix-cmdq-error-handling.patch
+iommu-arm-smmu-don-t-bug-if-we-find-aborting-stes-with-disable_bypass.patch
+pinctrl-amd-remove-the-default-de-bounce-time.patch
+edac-increment-correct-counter-in-edac_inc_ue_error.patch
+s390-dasd-fix-hanging-device-after-clear-subchannel.patch
+mac80211-fix-purging-multicast-ps-buffer-queue.patch
+arm64-dts-rockchip-add-reset-saradc-node-for-rk3368-socs.patch
+of-fix-reference-counting-in-of_graph_get_endpoint_by_regs.patch
+sched-cputime-fix-no_hz_full-getrusage-monotonicity-regression.patch
+sched-nohz-fix-affine-unpinned-timers-mess.patch
+iio-fix-sched-warning-do-not-call-blocking-ops-when-task_running.patch
+drm-amdgpu-change-gart-offset-to-64-bit.patch
+drm-amdgpu-fix-amdgpu_move_blit-on-32bit-systems.patch
+drm-amdgpu-avoid-a-possible-array-overflow.patch
+drm-amdgpu-skip-tv-cv-in-display-parsing.patch
+drm-amd-amdgpu-sdma-resume-fail-during-s4-on-ci.patch
+drm-amdgpu-record-error-code-when-ring-test-failed.patch
+drm-i915-fix-aliasing_ppgtt-leak.patch
+arc-build-better-way-to-detect-isa-compatible-toolchain.patch
+arc-use-correct-offset-in-pt_regs-for-saving-restoring-user-mode-r25.patch
+arc-call-trace_hardirqs_on-before-enabling-irqs.patch
+arc-elide-redundant-setup-of-dma-callbacks.patch
+aacraid-check-size-values-after-double-fetch-from-user.patch
+mfd-cros_ec-add-cros_ec_cmd_xfer_status-helper.patch
+i2c-cros-ec-tunnel-fix-usage-of-cros_ec_cmd_xfer.patch
+cdc-acm-fix-wrong-pipe-type-on-rx-interrupt-xfers.patch
+mpt3sas-fix-resume-on-warpdrive-flash-cards.patch
+megaraid_sas-fix-probing-cards-without-io-port.patch
+usb-renesas_usbhs-gadget-fix-return-value-check-in-usbhs_mod_gadget_probe.patch
+gpio-fix-of-build-problem-on-um.patch
+fs-seq_file-fix-out-of-bounds-read.patch
+btrfs-waiting-on-qgroup-rescan-should-not-always-be-interruptible.patch
+btrfs-properly-track-when-rescan-worker-is-running.patch
--- /dev/null
+From 3295235fd70ed6d594aadee8c892a14f6a4b2d2e Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyj.lk@gmail.com>
+Date: Sat, 13 Aug 2016 01:28:24 +0000
+Subject: usb: renesas_usbhs: gadget: fix return value check in usbhs_mod_gadget_probe()
+
+From: Wei Yongjun <weiyj.lk@gmail.com>
+
+commit 3295235fd70ed6d594aadee8c892a14f6a4b2d2e upstream.
+
+In case of error, the function usb_get_phy() returns ERR_PTR() and never
+returns NULL. The NULL test in the return value check should be replaced
+with IS_ERR().
+
+Fixes: b5a2875605ca ("usb: renesas_usbhs: Allow an OTG PHY driver to
+ provide VBUS")
+Acked-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Wei Yongjun <weiyj.lk@gmail.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/renesas_usbhs/mod_gadget.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/renesas_usbhs/mod_gadget.c
++++ b/drivers/usb/renesas_usbhs/mod_gadget.c
+@@ -1075,7 +1075,7 @@ int usbhs_mod_gadget_probe(struct usbhs_
+
+ gpriv->transceiver = usb_get_phy(USB_PHY_TYPE_UNDEFINED);
+ dev_info(dev, "%stransceiver found\n",
+- gpriv->transceiver ? "" : "no ");
++ !IS_ERR(gpriv->transceiver) ? "" : "no ");
+
+ /*
+ * CAUTION
projects / thirdparty / kernel / stable-queue.git / commitdiff
