--- /dev/null
+From a545715d2dae8d071c5b06af947b07ffa846b288 Mon Sep 17 00:00:00 2001
+From: Prarit Bhargava <prarit@redhat.com>
+Date: Wed, 30 Nov 2016 08:19:39 -0500
+Subject: ACPI / APEI: Fix NMI notification handling
+
+From: Prarit Bhargava <prarit@redhat.com>
+
+commit a545715d2dae8d071c5b06af947b07ffa846b288 upstream.
+
+When removing and adding cpu 0 on a system with GHES NMI the following stack
+trace is seen when re-adding the cpu:
+
+WARNING: CPU: 0 PID: 0 at arch/x86/kernel/apic/apic.c:1349 setup_local_APIC+
+Modules linked in: nfsv3 rpcsec_gss_krb5 nfsv4 nfs fscache coretemp intel_ra
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.9.0-rc6+ #2
+Call Trace:
+ dump_stack+0x63/0x8e
+ __warn+0xd1/0xf0
+ warn_slowpath_null+0x1d/0x20
+ setup_local_APIC+0x275/0x370
+ apic_ap_setup+0xe/0x20
+ start_secondary+0x48/0x180
+ set_init_arg+0x55/0x55
+ early_idt_handler_array+0x120/0x120
+ x86_64_start_reservations+0x2a/0x2c
+ x86_64_start_kernel+0x13d/0x14c
+
+During the cpu bringup, wakeup_cpu_via_init_nmi() is called and issues an
+NMI on CPU 0. The GHES NMI handler, ghes_notify_nmi() runs the
+ghes_proc_irq_work work queue which ends up setting IRQ_WORK_VECTOR
+(0xf6). The "faulty" IR line set at arch/x86/kernel/apic/apic.c:1349 is also
+0xf6 (specifically APIC IRR for irqs 255 to 224 is 0x400000) which confirms
+that something has set the IRQ_WORK_VECTOR line prior to the APIC being
+initialized.
+
+Commit 2383844d4850 ("GHES: Elliminate double-loop in the NMI handler")
+incorrectly modified the behavior such that the handler returns
+NMI_HANDLED only if an error was processed, and incorrectly runs the ghes
+work queue for every NMI.
+
+This patch modifies the ghes_proc_irq_work() to run as it did prior to
+2383844d4850 ("GHES: Elliminate double-loop in the NMI handler") by
+properly returning NMI_HANDLED and only calling the work queue if
+NMI_HANDLED has been set.
+
+Fixes: 2383844d4850 (GHES: Elliminate double-loop in the NMI handler)
+Signed-off-by: Prarit Bhargava <prarit@redhat.com>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/apei/ghes.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/acpi/apei/ghes.c
++++ b/drivers/acpi/apei/ghes.c
+@@ -847,6 +847,8 @@ static int ghes_notify_nmi(unsigned int
+ if (ghes_read_estatus(ghes, 1)) {
+ ghes_clear_estatus(ghes);
+ continue;
++ } else {
++ ret = NMI_HANDLED;
+ }
+
+ sev = ghes_severity(ghes->estatus->error_severity);
+@@ -858,12 +860,11 @@ static int ghes_notify_nmi(unsigned int
+
+ __process_error(ghes);
+ ghes_clear_estatus(ghes);
+-
+- ret = NMI_HANDLED;
+ }
+
+ #ifdef CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG
+- irq_work_queue(&ghes_proc_irq_work);
++ if (ret == NMI_HANDLED)
++ irq_work_queue(&ghes_proc_irq_work);
+ #endif
+ atomic_dec(&ghes_in_nmi);
+ return ret;
--- /dev/null
+From c02ebfdddbafa9a6a0f52fbd715e6bfa229af9d3 Mon Sep 17 00:00:00 2001
+From: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
+Date: Wed, 28 Sep 2016 00:24:24 -0300
+Subject: blk-mq: Always schedule hctx->next_cpu
+
+From: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
+
+commit c02ebfdddbafa9a6a0f52fbd715e6bfa229af9d3 upstream.
+
+Commit 0e87e58bf60e ("blk-mq: improve warning for running a queue on the
+wrong CPU") attempts to avoid triggering the WARN_ON in
+__blk_mq_run_hw_queue when the expected CPU is dead. Problem is, in the
+last batch execution before round robin, blk_mq_hctx_next_cpu can
+schedule a dead CPU and also update next_cpu to the next alive CPU in
+the mask, which will trigger the WARN_ON despite the previous
+workaround.
+
+The following patch fixes this scenario by always scheduling the value
+in hctx->next_cpu. This changes the moment when we round-robin the CPU
+running the hctx, but it really doesn't matter, since it still executes
+BLK_MQ_CPU_WORK_BATCH times in a row before switching to another CPU.
+
+Fixes: 0e87e58bf60e ("blk-mq: improve warning for running a queue on the wrong CPU")
+Signed-off-by: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-mq.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -842,7 +842,7 @@ static int blk_mq_hctx_next_cpu(struct b
+ return WORK_CPU_UNBOUND;
+
+ if (--hctx->next_cpu_batch <= 0) {
+- int cpu = hctx->next_cpu, next_cpu;
++ int next_cpu;
+
+ next_cpu = cpumask_next(hctx->next_cpu, hctx->cpumask);
+ if (next_cpu >= nr_cpu_ids)
+@@ -850,8 +850,6 @@ static int blk_mq_hctx_next_cpu(struct b
+
+ hctx->next_cpu = next_cpu;
+ hctx->next_cpu_batch = BLK_MQ_CPU_WORK_BATCH;
+-
+- return cpu;
+ }
+
+ return hctx->next_cpu;
--- /dev/null
+From ebc4ff661fbe76781c6b16dfb7b754a5d5073f8e Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Thu, 10 Nov 2016 11:16:37 -0500
+Subject: block: cfq_cpd_alloc() should use @gfp
+
+From: Tejun Heo <tj@kernel.org>
+
+commit ebc4ff661fbe76781c6b16dfb7b754a5d5073f8e upstream.
+
+cfq_cpd_alloc() which is the cpd_alloc_fn implementation for cfq was
+incorrectly hard coding GFP_KERNEL instead of using the mask specified
+through the @gfp parameter. This currently doesn't cause any actual
+issues because all current callers specify GFP_KERNEL. Fix it.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: e4a9bde9589f ("blkcg: replace blkcg_policy->cpd_size with ->cpd_alloc/free_fn() methods")
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/cfq-iosched.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/cfq-iosched.c
++++ b/block/cfq-iosched.c
+@@ -1572,7 +1572,7 @@ static struct blkcg_policy_data *cfq_cpd
+ {
+ struct cfq_group_data *cgd;
+
+- cgd = kzalloc(sizeof(*cgd), GFP_KERNEL);
++ cgd = kzalloc(sizeof(*cgd), gfp);
+ if (!cgd)
+ return NULL;
+ return &cgd->cpd;
--- /dev/null
+From aa7c8da35d1905d80e840d075f07d26ec90144b5 Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Tue, 20 Dec 2016 13:28:27 -0500
+Subject: btrfs: fix error handling when run_delayed_extent_op fails
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit aa7c8da35d1905d80e840d075f07d26ec90144b5 upstream.
+
+In __btrfs_run_delayed_refs, the error path when run_delayed_extent_op
+fails sets locked_ref->processing = 0 but doesn't re-increment
+delayed_refs->num_heads_ready. As a result, we end up triggering
+the WARN_ON in btrfs_select_ref_head.
+
+Fixes: d7df2c796d7 (Btrfs: attach delayed ref updates to delayed ref heads)
+Reported-by: Jon Nelson <jnelson-suse@jamponi.net>
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent-tree.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -2570,7 +2570,10 @@ static noinline int __btrfs_run_delayed_
+ */
+ if (must_insert_reserved)
+ locked_ref->must_insert_reserved = 1;
++ spin_lock(&delayed_refs->lock);
+ locked_ref->processing = 0;
++ delayed_refs->num_heads_ready++;
++ spin_unlock(&delayed_refs->lock);
+ btrfs_debug(fs_info, "run_delayed_extent_op returned %d", ret);
+ btrfs_delayed_ref_unlock(locked_ref);
+ return ret;
--- /dev/null
+From d0280996437081dd12ed1e982ac8aeaa62835ec4 Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Tue, 20 Dec 2016 13:28:28 -0500
+Subject: btrfs: fix locking when we put back a delayed ref that's too new
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit d0280996437081dd12ed1e982ac8aeaa62835ec4 upstream.
+
+In __btrfs_run_delayed_refs, when we put back a delayed ref that's too
+new, we have already dropped the lock on locked_ref when we set
+->processing = 0.
+
+This patch keeps the lock to cover that assignment.
+
+Fixes: d7df2c796d7 (Btrfs: attach delayed ref updates to delayed ref heads)
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent-tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -2520,11 +2520,11 @@ static noinline int __btrfs_run_delayed_
+ if (ref && ref->seq &&
+ btrfs_check_delayed_seq(fs_info, delayed_refs, ref->seq)) {
+ spin_unlock(&locked_ref->lock);
+- btrfs_delayed_ref_unlock(locked_ref);
+ spin_lock(&delayed_refs->lock);
+ locked_ref->processing = 0;
+ delayed_refs->num_heads_ready++;
+ spin_unlock(&delayed_refs->lock);
++ btrfs_delayed_ref_unlock(locked_ref);
+ locked_ref = NULL;
+ cond_resched();
+ count++;
--- /dev/null
+From c090959b9dd8c87703e275079aa4b4a824ba3f8e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 16 Nov 2016 17:31:30 +0000
+Subject: bus: vexpress-config: fix device reference leak
+
+From: Johan Hovold <johan@kernel.org>
+
+commit c090959b9dd8c87703e275079aa4b4a824ba3f8e upstream.
+
+Make sure to drop the reference to the parent device taken by
+class_find_device() after populating the bus.
+
+Fixes: 3b9334ac835b ("mfd: vexpress: Convert custom func API to regmap")
+Acked-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/vexpress-config.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/bus/vexpress-config.c
++++ b/drivers/bus/vexpress-config.c
+@@ -171,6 +171,7 @@ static int vexpress_config_populate(stru
+ {
+ struct device_node *bridge;
+ struct device *parent;
++ int ret;
+
+ bridge = of_parse_phandle(node, "arm,vexpress,config-bridge", 0);
+ if (!bridge)
+@@ -181,7 +182,11 @@ static int vexpress_config_populate(stru
+ if (WARN_ON(!parent))
+ return -ENODEV;
+
+- return of_platform_populate(node, NULL, NULL, parent);
++ ret = of_platform_populate(node, NULL, NULL, parent);
++
++ put_device(parent);
++
++ return ret;
+ }
+
+ static int __init vexpress_config_init(void)
--- /dev/null
+From 8a10c06a20ec8097a68fd7a4a1c0e285095b4d2f Mon Sep 17 00:00:00 2001
+From: Denis Kirjanov <kda@linux-powerpc.org>
+Date: Tue, 8 Nov 2016 05:39:28 -0500
+Subject: cpufreq: powernv: Disable preemption while checking CPU throttling state
+
+From: Denis Kirjanov <kda@linux-powerpc.org>
+
+commit 8a10c06a20ec8097a68fd7a4a1c0e285095b4d2f upstream.
+
+With preemption turned on we can read incorrect throttling state
+while being switched to CPU on a different chip.
+
+ BUG: using smp_processor_id() in preemptible [00000000] code: cat/7343
+ caller is .powernv_cpufreq_throttle_check+0x2c/0x710
+ CPU: 13 PID: 7343 Comm: cat Not tainted 4.8.0-rc5-dirty #1
+ Call Trace:
+ [c0000007d25b75b0] [c000000000971378] .dump_stack+0xe4/0x150 (unreliable)
+ [c0000007d25b7640] [c0000000005162e4] .check_preemption_disabled+0x134/0x150
+ [c0000007d25b76e0] [c0000000007b63ac] .powernv_cpufreq_throttle_check+0x2c/0x710
+ [c0000007d25b7790] [c0000000007b6d18] .powernv_cpufreq_target_index+0x288/0x360
+ [c0000007d25b7870] [c0000000007acee4] .__cpufreq_driver_target+0x394/0x8c0
+ [c0000007d25b7920] [c0000000007b22ac] .cpufreq_set+0x7c/0xd0
+ [c0000007d25b79b0] [c0000000007adf50] .store_scaling_setspeed+0x80/0xc0
+ [c0000007d25b7a40] [c0000000007ae270] .store+0xa0/0x100
+ [c0000007d25b7ae0] [c0000000003566e8] .sysfs_kf_write+0x88/0xb0
+ [c0000007d25b7b70] [c0000000003553b8] .kernfs_fop_write+0x178/0x260
+ [c0000007d25b7c10] [c0000000002ac3cc] .__vfs_write+0x3c/0x1c0
+ [c0000007d25b7cf0] [c0000000002ad584] .vfs_write+0xc4/0x230
+ [c0000007d25b7d90] [c0000000002aeef8] .SyS_write+0x58/0x100
+ [c0000007d25b7e30] [c00000000000bfec] system_call+0x38/0xfc
+
+Fixes: 09a972d16209 (cpufreq: powernv: Report cpu frequency throttling)
+Reviewed-by: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
+Signed-off-by: Denis Kirjanov <kda@linux-powerpc.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/powernv-cpufreq.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/cpufreq/powernv-cpufreq.c
++++ b/drivers/cpufreq/powernv-cpufreq.c
+@@ -373,8 +373,14 @@ static int powernv_cpufreq_target_index(
+ if (unlikely(rebooting) && new_index != get_nominal_index())
+ return 0;
+
+- if (!throttled)
++ if (!throttled) {
++ /* we don't want to be preempted while
++ * checking if the CPU frequency has been throttled
++ */
++ preempt_disable();
+ powernv_cpufreq_throttle_check(NULL);
++ preempt_enable();
++ }
+
+ freq_data.pstate_id = powernv_freqs[new_index].driver_data;
+
--- /dev/null
+From 8a08403bcb39f5d0e733bcf59a8a74f16b538f6e Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Thu, 5 Jan 2017 12:39:01 -0500
+Subject: drm/radeon: drop verde dpm quirks
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 8a08403bcb39f5d0e733bcf59a8a74f16b538f6e upstream.
+
+fixes:
+https://bugs.freedesktop.org/show_bug.cgi?id=98897
+https://bugs.launchpad.net/bugs/1651981
+
+Acked-by: Edward O'Callaghan <funfunctor@folklore1984.net>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: Adrian Fiergolski <A.Fiergolski@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/si_dpm.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/si_dpm.c
++++ b/drivers/gpu/drm/radeon/si_dpm.c
+@@ -3008,19 +3008,6 @@ static void si_apply_state_adjust_rules(
+ (rdev->pdev->device == 0x6817) ||
+ (rdev->pdev->device == 0x6806))
+ max_mclk = 120000;
+- } else if (rdev->family == CHIP_VERDE) {
+- if ((rdev->pdev->revision == 0x81) ||
+- (rdev->pdev->revision == 0x83) ||
+- (rdev->pdev->revision == 0x87) ||
+- (rdev->pdev->device == 0x6820) ||
+- (rdev->pdev->device == 0x6821) ||
+- (rdev->pdev->device == 0x6822) ||
+- (rdev->pdev->device == 0x6823) ||
+- (rdev->pdev->device == 0x682A) ||
+- (rdev->pdev->device == 0x682B)) {
+- max_sclk = 75000;
+- max_mclk = 80000;
+- }
+ } else if (rdev->family == CHIP_OLAND) {
+ if ((rdev->pdev->revision == 0xC7) ||
+ (rdev->pdev->revision == 0x80) ||
--- /dev/null
+From 79f687a3de9e3ba2518b4ea33f38ca6cbe9133eb Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Sat, 19 Nov 2016 10:54:55 -0500
+Subject: NFS: Fix a performance regression in readdir
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit 79f687a3de9e3ba2518b4ea33f38ca6cbe9133eb upstream.
+
+Ben Coddington reports that commit 311324ad1713, by adding the function
+nfs_dir_mapping_need_revalidate() that checks page cache validity on
+each call to nfs_readdir() causes a performance regression when
+the directory is being modified.
+
+If the directory is changing while we're iterating through the directory,
+POSIX does not require us to invalidate the page cache unless the user
+calls rewinddir(). However, we still do want to ensure that we use
+readdirplus in order to avoid a load of stat() calls when the user
+is doing an 'ls -l' workload.
+
+The fix should be to invalidate the page cache immediately when we're
+setting the NFS_INO_ADVISE_RDPLUS bit.
+
+Reported-by: Benjamin Coddington <bcodding@redhat.com>
+Fixes: 311324ad1713 ("NFS: Be more aggressive in using readdirplus...")
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Tested-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/dir.c | 15 ++-------------
+ 1 file changed, 2 insertions(+), 13 deletions(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -462,7 +462,7 @@ void nfs_force_use_readdirplus(struct in
+ {
+ if (!list_empty(&NFS_I(dir)->open_files)) {
+ nfs_advise_use_readdirplus(dir);
+- nfs_zap_mapping(dir, dir->i_mapping);
++ invalidate_mapping_pages(dir->i_mapping, 0, -1);
+ }
+ }
+
+@@ -847,17 +847,6 @@ int uncached_readdir(nfs_readdir_descrip
+ goto out;
+ }
+
+-static bool nfs_dir_mapping_need_revalidate(struct inode *dir)
+-{
+- struct nfs_inode *nfsi = NFS_I(dir);
+-
+- if (nfs_attribute_cache_expired(dir))
+- return true;
+- if (nfsi->cache_validity & NFS_INO_INVALID_DATA)
+- return true;
+- return false;
+-}
+-
+ /* The file offset position represents the dirent entry number. A
+ last cookie cache takes care of the common case of reading the
+ whole directory.
+@@ -890,7 +879,7 @@ static int nfs_readdir(struct file *file
+ desc->plus = nfs_use_readdirplus(inode, ctx) ? 1 : 0;
+
+ nfs_block_sillyrename(dentry);
+- if (ctx->pos == 0 || nfs_dir_mapping_need_revalidate(inode))
++ if (ctx->pos == 0 || nfs_attribute_cache_expired(inode))
+ res = nfs_revalidate_mapping(inode, file->f_mapping);
+ if (res < 0)
+ goto out;
--- /dev/null
+From cfd278c280f997cf2fe4662e0acab0fe465f637b Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Mon, 19 Dec 2016 11:19:31 +1100
+Subject: NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success.
+
+From: NeilBrown <neilb@suse.com>
+
+commit cfd278c280f997cf2fe4662e0acab0fe465f637b upstream.
+
+Various places assume that if nfs4_fl_prepare_ds() turns a non-NULL 'ds',
+then ds->ds_clp will also be non-NULL.
+
+This is not necessasrily true in the case when the process received a fatal signal
+while nfs4_pnfs_ds_connect is waiting in nfs4_wait_ds_connect().
+In that case ->ds_clp may not be set, and the devid may not recently have been marked
+unavailable.
+
+So add a test for ds_clp == NULL and return NULL in that case.
+
+Fixes: c23266d532b4 ("NFS4.1 Fix data server connection race")
+Signed-off-by: NeilBrown <neilb@suse.com>
+Acked-by: Olga Kornievskaia <aglo@umich.edu>
+Acked-by: Adamson, Andy <William.Adamson@netapp.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/filelayout/filelayoutdev.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/filelayout/filelayoutdev.c
++++ b/fs/nfs/filelayout/filelayoutdev.c
+@@ -283,7 +283,8 @@ nfs4_fl_prepare_ds(struct pnfs_layout_se
+ s->nfs_client->cl_rpcclient->cl_auth->au_flavor);
+
+ out_test_devid:
+- if (filelayout_test_devid_unavailable(devid))
++ if (ret->ds_clp == NULL ||
++ filelayout_test_devid_unavailable(devid))
+ ret = NULL;
+ out:
+ return ret;
--- /dev/null
+From f24d311f92b516a8aadef5056424ccabb4068e7b Mon Sep 17 00:00:00 2001
+From: Neil Armstrong <narmstrong@baylibre.com>
+Date: Tue, 6 Dec 2016 15:08:16 +0100
+Subject: pinctrl: meson: fix gpio request disabling other modes
+
+From: Neil Armstrong <narmstrong@baylibre.com>
+
+commit f24d311f92b516a8aadef5056424ccabb4068e7b upstream.
+
+The pinctrl_gpio_request is called with the "full" gpio number, already
+containing the base, then meson_pmx_request_gpio is then called with the
+final pin number.
+Remove the base addition when calling meson_pmx_disable_other_groups.
+
+Fixes: 6ac730951104 ("pinctrl: add driver for Amlogic Meson SoCs")
+CC: Beniamino Galvani <b.galvani@gmail.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Acked-by: Kevin Hilman <khilman@baylibre.com>
+Acked-by: Beniamino Galvani <b.galvani@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/meson/pinctrl-meson.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/meson/pinctrl-meson.c
++++ b/drivers/pinctrl/meson/pinctrl-meson.c
+@@ -246,7 +246,7 @@ static int meson_pmx_request_gpio(struct
+ {
+ struct meson_pinctrl *pc = pinctrl_dev_get_drvdata(pcdev);
+
+- meson_pmx_disable_other_groups(pc, range->pin_base + offset, -1);
++ meson_pmx_disable_other_groups(pc, offset, -1);
+
+ return 0;
+ }
--- /dev/null
+From ee284e35d8c71bf5d4d807eaff6f67a17134b359 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Fri, 18 Nov 2016 15:21:30 -0500
+Subject: pNFS: Fix race in pnfs_wait_on_layoutreturn
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit ee284e35d8c71bf5d4d807eaff6f67a17134b359 upstream.
+
+We must put the task to sleep while holding the inode->i_lock in order
+to ensure atomicity with the test for NFS_LAYOUT_RETURN.
+
+Fixes: 500d701f336b ("NFS41: make close wait for layoutreturn")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pnfs.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1185,13 +1185,11 @@ bool pnfs_wait_on_layoutreturn(struct in
+ * i_lock */
+ spin_lock(&ino->i_lock);
+ lo = nfsi->layout;
+- if (lo && test_bit(NFS_LAYOUT_RETURN, &lo->plh_flags))
++ if (lo && test_bit(NFS_LAYOUT_RETURN, &lo->plh_flags)) {
++ rpc_sleep_on(&NFS_SERVER(ino)->roc_rpcwaitq, task, NULL);
+ sleep = true;
++ }
+ spin_unlock(&ino->i_lock);
+-
+- if (sleep)
+- rpc_sleep_on(&NFS_SERVER(ino)->roc_rpcwaitq, task, NULL);
+-
+ return sleep;
+ }
+
--- /dev/null
+From fe0f3168169f7c34c29b0cf0c489f126a7f29643 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 1 Nov 2016 16:26:00 +0100
+Subject: powerpc/ibmebus: Fix device reference leaks in sysfs interface
+
+From: Johan Hovold <johan@kernel.org>
+
+commit fe0f3168169f7c34c29b0cf0c489f126a7f29643 upstream.
+
+Make sure to drop any reference taken by bus_find_device() in the sysfs
+callbacks that are used to create and destroy devices based on
+device-tree entries.
+
+Fixes: 6bccf755ff53 ("[POWERPC] ibmebus: dynamic addition/removal of adapters, some code cleanup")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/ibmebus.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/ibmebus.c
++++ b/arch/powerpc/kernel/ibmebus.c
+@@ -266,6 +266,7 @@ static ssize_t ibmebus_store_probe(struc
+ const char *buf, size_t count)
+ {
+ struct device_node *dn = NULL;
++ struct device *dev;
+ char *path;
+ ssize_t rc = 0;
+
+@@ -273,8 +274,10 @@ static ssize_t ibmebus_store_probe(struc
+ if (!path)
+ return -ENOMEM;
+
+- if (bus_find_device(&ibmebus_bus_type, NULL, path,
+- ibmebus_match_path)) {
++ dev = bus_find_device(&ibmebus_bus_type, NULL, path,
++ ibmebus_match_path);
++ if (dev) {
++ put_device(dev);
+ printk(KERN_WARNING "%s: %s has already been probed\n",
+ __func__, path);
+ rc = -EEXIST;
+@@ -311,6 +314,7 @@ static ssize_t ibmebus_store_remove(stru
+ if ((dev = bus_find_device(&ibmebus_bus_type, NULL, path,
+ ibmebus_match_path))) {
+ of_device_unregister(to_platform_device(dev));
++ put_device(dev);
+
+ kfree(path);
+ return count;
--- /dev/null
+From 815a7141c4d1b11610dccb7fcbb38633759824f2 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 1 Nov 2016 16:26:01 +0100
+Subject: powerpc/ibmebus: Fix further device reference leaks
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 815a7141c4d1b11610dccb7fcbb38633759824f2 upstream.
+
+Make sure to drop any reference taken by bus_find_device() when creating
+devices during init and driver registration.
+
+Fixes: 55347cc9962f ("[POWERPC] ibmebus: Add device creation and bus probing based on of_device")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/ibmebus.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/ibmebus.c
++++ b/arch/powerpc/kernel/ibmebus.c
+@@ -180,6 +180,7 @@ static int ibmebus_create_device(struct
+ static int ibmebus_create_devices(const struct of_device_id *matches)
+ {
+ struct device_node *root, *child;
++ struct device *dev;
+ int ret = 0;
+
+ root = of_find_node_by_path("/");
+@@ -188,9 +189,12 @@ static int ibmebus_create_devices(const
+ if (!of_match_node(matches, child))
+ continue;
+
+- if (bus_find_device(&ibmebus_bus_type, NULL, child,
+- ibmebus_match_node))
++ dev = bus_find_device(&ibmebus_bus_type, NULL, child,
++ ibmebus_match_node);
++ if (dev) {
++ put_device(dev);
+ continue;
++ }
+
+ ret = ibmebus_create_device(child);
+ if (ret) {
xhci-fix-deadlock-at-host-remove-by-running-watchdog-correctly.patch
vme-fix-wrong-pointer-utilization-in-ca91cx42_slave_get.patch
mnt-protect-the-mountpoint-hashtable-with-mount_lock.patch
+tty-serial-atmel_serial-bug-stop-dma-from-transmitting-in-stop_tx.patch
+sysrq-attach-sysrq-handler-correctly-for-32-bit-kernel.patch
+sysctl-drop-reference-added-by-grab_header-in-proc_sys_readdir.patch
+drm-radeon-drop-verde-dpm-quirks.patch
+usb-serial-ch341-fix-resume-after-reset.patch
+usb-serial-ch341-fix-modem-control-and-b0-handling.patch
+x86-cpu-fix-bootup-crashes-by-sanitizing-the-argument-of-the-clearcpuid-command-line-option.patch
+btrfs-fix-locking-when-we-put-back-a-delayed-ref-that-s-too-new.patch
+btrfs-fix-error-handling-when-run_delayed_extent_op-fails.patch
+pinctrl-meson-fix-gpio-request-disabling-other-modes.patch
+pnfs-fix-race-in-pnfs_wait_on_layoutreturn.patch
+nfs-fix-a-performance-regression-in-readdir.patch
+nfsv4.1-nfs4_fl_prepare_ds-must-be-careful-about-reporting-success.patch
+cpufreq-powernv-disable-preemption-while-checking-cpu-throttling-state.patch
+block-cfq_cpd_alloc-should-use-gfp.patch
+acpi-apei-fix-nmi-notification-handling.patch
+blk-mq-always-schedule-hctx-next_cpu.patch
+bus-vexpress-config-fix-device-reference-leak.patch
+powerpc-ibmebus-fix-further-device-reference-leaks.patch
+powerpc-ibmebus-fix-device-reference-leaks-in-sysfs-interface.patch
--- /dev/null
+From 93362fa47fe98b62e4a34ab408c4a418432e7939 Mon Sep 17 00:00:00 2001
+From: Zhou Chengming <zhouchengming1@huawei.com>
+Date: Fri, 6 Jan 2017 09:32:32 +0800
+Subject: sysctl: Drop reference added by grab_header in proc_sys_readdir
+
+From: Zhou Chengming <zhouchengming1@huawei.com>
+
+commit 93362fa47fe98b62e4a34ab408c4a418432e7939 upstream.
+
+Fixes CVE-2016-9191, proc_sys_readdir doesn't drop reference
+added by grab_header when return from !dir_emit_dots path.
+It can cause any path called unregister_sysctl_table will
+wait forever.
+
+The calltrace of CVE-2016-9191:
+
+[ 5535.960522] Call Trace:
+[ 5535.963265] [<ffffffff817cdaaf>] schedule+0x3f/0xa0
+[ 5535.968817] [<ffffffff817d33fb>] schedule_timeout+0x3db/0x6f0
+[ 5535.975346] [<ffffffff817cf055>] ? wait_for_completion+0x45/0x130
+[ 5535.982256] [<ffffffff817cf0d3>] wait_for_completion+0xc3/0x130
+[ 5535.988972] [<ffffffff810d1fd0>] ? wake_up_q+0x80/0x80
+[ 5535.994804] [<ffffffff8130de64>] drop_sysctl_table+0xc4/0xe0
+[ 5536.001227] [<ffffffff8130de17>] drop_sysctl_table+0x77/0xe0
+[ 5536.007648] [<ffffffff8130decd>] unregister_sysctl_table+0x4d/0xa0
+[ 5536.014654] [<ffffffff8130deff>] unregister_sysctl_table+0x7f/0xa0
+[ 5536.021657] [<ffffffff810f57f5>] unregister_sched_domain_sysctl+0x15/0x40
+[ 5536.029344] [<ffffffff810d7704>] partition_sched_domains+0x44/0x450
+[ 5536.036447] [<ffffffff817d0761>] ? __mutex_unlock_slowpath+0x111/0x1f0
+[ 5536.043844] [<ffffffff81167684>] rebuild_sched_domains_locked+0x64/0xb0
+[ 5536.051336] [<ffffffff8116789d>] update_flag+0x11d/0x210
+[ 5536.057373] [<ffffffff817cf61f>] ? mutex_lock_nested+0x2df/0x450
+[ 5536.064186] [<ffffffff81167acb>] ? cpuset_css_offline+0x1b/0x60
+[ 5536.070899] [<ffffffff810fce3d>] ? trace_hardirqs_on+0xd/0x10
+[ 5536.077420] [<ffffffff817cf61f>] ? mutex_lock_nested+0x2df/0x450
+[ 5536.084234] [<ffffffff8115a9f5>] ? css_killed_work_fn+0x25/0x220
+[ 5536.091049] [<ffffffff81167ae5>] cpuset_css_offline+0x35/0x60
+[ 5536.097571] [<ffffffff8115aa2c>] css_killed_work_fn+0x5c/0x220
+[ 5536.104207] [<ffffffff810bc83f>] process_one_work+0x1df/0x710
+[ 5536.110736] [<ffffffff810bc7c0>] ? process_one_work+0x160/0x710
+[ 5536.117461] [<ffffffff810bce9b>] worker_thread+0x12b/0x4a0
+[ 5536.123697] [<ffffffff810bcd70>] ? process_one_work+0x710/0x710
+[ 5536.130426] [<ffffffff810c3f7e>] kthread+0xfe/0x120
+[ 5536.135991] [<ffffffff817d4baf>] ret_from_fork+0x1f/0x40
+[ 5536.142041] [<ffffffff810c3e80>] ? kthread_create_on_node+0x230/0x230
+
+One cgroup maintainer mentioned that "cgroup is trying to offline
+a cpuset css, which takes place under cgroup_mutex. The offlining
+ends up trying to drain active usages of a sysctl table which apprently
+is not happening."
+The real reason is that proc_sys_readdir doesn't drop reference added
+by grab_header when return from !dir_emit_dots path. So this cpuset
+offline path will wait here forever.
+
+See here for details: http://www.openwall.com/lists/oss-security/2016/11/04/13
+
+Fixes: f0c3b5093add ("[readdir] convert procfs")
+Reported-by: CAI Qian <caiqian@redhat.com>
+Tested-by: Yang Shukui <yangshukui@huawei.com>
+Signed-off-by: Zhou Chengming <zhouchengming1@huawei.com>
+Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/proc_sysctl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -703,7 +703,7 @@ static int proc_sys_readdir(struct file
+ ctl_dir = container_of(head, struct ctl_dir, header);
+
+ if (!dir_emit_dots(file, ctx))
+- return 0;
++ goto out;
+
+ pos = 2;
+
+@@ -713,6 +713,7 @@ static int proc_sys_readdir(struct file
+ break;
+ }
+ }
++out:
+ sysctl_head_finish(head);
+ return 0;
+ }
--- /dev/null
+From 802c03881f29844af0252b6e22be5d2f65f93fd0 Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Fri, 6 Jan 2017 02:14:16 +0900
+Subject: sysrq: attach sysrq handler correctly for 32-bit kernel
+
+From: Akinobu Mita <akinobu.mita@gmail.com>
+
+commit 802c03881f29844af0252b6e22be5d2f65f93fd0 upstream.
+
+The sysrq input handler should be attached to the input device which has
+a left alt key.
+
+On 32-bit kernels, some input devices which has a left alt key cannot
+attach sysrq handler. Because the keybit bitmap in struct input_device_id
+for sysrq is not correctly initialized. KEY_LEFTALT is 56 which is
+greater than BITS_PER_LONG on 32-bit kernels.
+
+I found this problem when using a matrix keypad device which defines
+a KEY_LEFTALT (56) but doesn't have a KEY_O (24 == 56%32).
+
+Cc: Jiri Slaby <jslaby@suse.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/sysrq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/sysrq.c
++++ b/drivers/tty/sysrq.c
+@@ -939,8 +939,8 @@ static const struct input_device_id sysr
+ {
+ .flags = INPUT_DEVICE_ID_MATCH_EVBIT |
+ INPUT_DEVICE_ID_MATCH_KEYBIT,
+- .evbit = { BIT_MASK(EV_KEY) },
+- .keybit = { BIT_MASK(KEY_LEFTALT) },
++ .evbit = { [BIT_WORD(EV_KEY)] = BIT_MASK(EV_KEY) },
++ .keybit = { [BIT_WORD(KEY_LEFTALT)] = BIT_MASK(KEY_LEFTALT) },
+ },
+ { },
+ };
--- /dev/null
+From 89d8232411a85b9a6b12fd5da4d07d8a138a8e0c Mon Sep 17 00:00:00 2001
+From: Richard Genoud <richard.genoud@gmail.com>
+Date: Tue, 13 Dec 2016 17:27:56 +0100
+Subject: tty/serial: atmel_serial: BUG: stop DMA from transmitting in stop_tx
+
+From: Richard Genoud <richard.genoud@gmail.com>
+
+commit 89d8232411a85b9a6b12fd5da4d07d8a138a8e0c upstream.
+
+If we don't disable the transmitter in atmel_stop_tx, the DMA buffer
+continues to send data until it is emptied.
+This cause problems with the flow control (CTS is asserted and data are
+still sent).
+
+So, disabling the transmitter in atmel_stop_tx is a sane thing to do.
+
+Tested on at91sam9g35-cm(DMA)
+Tested for regressions on sama5d2-xplained(Fifo) and at91sam9g20ek(PDC)
+
+Signed-off-by: Richard Genoud <richard.genoud@gmail.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/atmel_serial.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -470,6 +470,14 @@ static void atmel_stop_tx(struct uart_po
+ /* disable PDC transmit */
+ atmel_uart_writel(port, ATMEL_PDC_PTCR, ATMEL_PDC_TXTDIS);
+ }
++
++ /*
++ * Disable the transmitter.
++ * This is mandatory when DMA is used, otherwise the DMA buffer
++ * is fully transmitted.
++ */
++ atmel_uart_writel(port, ATMEL_US_CR, ATMEL_US_TXDIS);
++
+ /* Disable interrupts */
+ atmel_uart_writel(port, ATMEL_US_IDR, atmel_port->tx_done_mask);
+
+@@ -502,6 +510,9 @@ static void atmel_start_tx(struct uart_p
+
+ /* Enable interrupts */
+ atmel_uart_writel(port, ATMEL_US_IER, atmel_port->tx_done_mask);
++
++ /* re-enable the transmitter */
++ atmel_uart_writel(port, ATMEL_US_CR, ATMEL_US_TXEN);
+ }
+
+ /*
--- /dev/null
+From 030ee7ae52a46a2be52ccc8242c4a330aba8d38e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 6 Jan 2017 19:15:12 +0100
+Subject: USB: serial: ch341: fix modem-control and B0 handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 030ee7ae52a46a2be52ccc8242c4a330aba8d38e upstream.
+
+The modem-control signals are managed by the tty-layer during open and
+should not be asserted prematurely when set_termios is called from
+driver open.
+
+Also make sure that the signals are asserted only when changing speed
+from B0.
+
+Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ch341.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/usb/serial/ch341.c
++++ b/drivers/usb/serial/ch341.c
+@@ -362,24 +362,24 @@ static void ch341_set_termios(struct tty
+ baud_rate = tty_get_baud_rate(tty);
+
+ if (baud_rate) {
+- spin_lock_irqsave(&priv->lock, flags);
+- priv->line_control |= (CH341_BIT_DTR | CH341_BIT_RTS);
+- spin_unlock_irqrestore(&priv->lock, flags);
+ priv->baud_rate = baud_rate;
+ ch341_set_baudrate(port->serial->dev, priv);
+- } else {
+- spin_lock_irqsave(&priv->lock, flags);
+- priv->line_control &= ~(CH341_BIT_DTR | CH341_BIT_RTS);
+- spin_unlock_irqrestore(&priv->lock, flags);
+ }
+
+- ch341_set_handshake(port->serial->dev, priv->line_control);
+-
+ /* Unimplemented:
+ * (cflag & CSIZE) : data bits [5, 8]
+ * (cflag & PARENB) : parity {NONE, EVEN, ODD}
+ * (cflag & CSTOPB) : stop bits [1, 2]
+ */
++
++ spin_lock_irqsave(&priv->lock, flags);
++ if (C_BAUD(tty) == B0)
++ priv->line_control &= ~(CH341_BIT_DTR | CH341_BIT_RTS);
++ else if (old_termios && (old_termios->c_cflag & CBAUD) == B0)
++ priv->line_control |= (CH341_BIT_DTR | CH341_BIT_RTS);
++ spin_unlock_irqrestore(&priv->lock, flags);
++
++ ch341_set_handshake(port->serial->dev, priv->line_control);
+ }
+
+ static void ch341_break_ctl(struct tty_struct *tty, int break_state)
--- /dev/null
+From ce5e292828117d1b71cbd3edf9e9137cf31acd30 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 6 Jan 2017 19:15:14 +0100
+Subject: USB: serial: ch341: fix resume after reset
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ce5e292828117d1b71cbd3edf9e9137cf31acd30 upstream.
+
+Fix reset-resume handling which failed to resubmit the read and
+interrupt URBs, thereby leaving a port that was open before suspend in a
+broken state until closed and reopened.
+
+Fixes: 1ded7ea47b88 ("USB: ch341 serial: fix port number changed after
+resume")
+Fixes: 2bfd1c96a9fb ("USB: serial: ch341: remove reset_resume callback")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ch341.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/ch341.c
++++ b/drivers/usb/serial/ch341.c
+@@ -554,14 +554,23 @@ static int ch341_tiocmget(struct tty_str
+
+ static int ch341_reset_resume(struct usb_serial *serial)
+ {
+- struct ch341_private *priv;
+-
+- priv = usb_get_serial_port_data(serial->port[0]);
++ struct usb_serial_port *port = serial->port[0];
++ struct ch341_private *priv = usb_get_serial_port_data(port);
++ int ret;
+
+ /* reconfigure ch341 serial port after bus-reset */
+ ch341_configure(serial->dev, priv);
+
+- return 0;
++ if (test_bit(ASYNCB_INITIALIZED, &port->port.flags)) {
++ ret = usb_submit_urb(port->interrupt_in_urb, GFP_NOIO);
++ if (ret) {
++ dev_err(&port->dev, "failed to submit interrupt urb: %d\n",
++ ret);
++ return ret;
++ }
++ }
++
++ return usb_serial_generic_resume(serial);
+ }
+
+ static struct usb_serial_driver ch341_device = {
--- /dev/null
+From dd853fd216d1485ed3045ff772079cc8689a9a4a Mon Sep 17 00:00:00 2001
+From: Lukasz Odzioba <lukasz.odzioba@intel.com>
+Date: Wed, 28 Dec 2016 14:55:40 +0100
+Subject: x86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option
+
+From: Lukasz Odzioba <lukasz.odzioba@intel.com>
+
+commit dd853fd216d1485ed3045ff772079cc8689a9a4a upstream.
+
+A negative number can be specified in the cmdline which will be used as
+setup_clear_cpu_cap() argument. With that we can clear/set some bit in
+memory predceeding boot_cpu_data/cpu_caps_cleared which may cause kernel
+to misbehave. This patch adds lower bound check to setup_disablecpuid().
+
+Boris Petkov reproduced a crash:
+
+ [ 1.234575] BUG: unable to handle kernel paging request at ffffffff858bd540
+ [ 1.236535] IP: memcpy_erms+0x6/0x10
+
+Signed-off-by: Lukasz Odzioba <lukasz.odzioba@intel.com>
+Acked-by: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: andi.kleen@intel.com
+Cc: bp@alien8.de
+Cc: dave.hansen@linux.intel.com
+Cc: luto@kernel.org
+Cc: slaoub@gmail.com
+Fixes: ac72e7888a61 ("x86: add generic clearcpuid=... option")
+Link: http://lkml.kernel.org/r/1482933340-11857-1-git-send-email-lukasz.odzioba@intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -1129,7 +1129,7 @@ static __init int setup_disablecpuid(cha
+ {
+ int bit;
+
+- if (get_option(&arg, &bit) && bit < NCAPINTS*32)
++ if (get_option(&arg, &bit) && bit >= 0 && bit < NCAPINTS * 32)
+ setup_clear_cpu_cap(bit);
+ else
+ return 0;
projects / thirdparty / kernel / stable-queue.git / commitdiff
