--- /dev/null
+From d7b76c91f471413de9ded837bddeca2164786571 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Date: Tue, 28 Apr 2015 19:02:19 -0300
+Subject: [media] af9013: Don't accept invalid bandwidth
+
+From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+
+commit d7b76c91f471413de9ded837bddeca2164786571 upstream.
+
+If userspace sends an invalid bandwidth, it should either return
+EINVAL or switch to auto mode.
+
+This driver will go past an array and program the hardware on a
+wrong way if this happens.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/dvb-frontends/af9013.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/media/dvb-frontends/af9013.c
++++ b/drivers/media/dvb-frontends/af9013.c
+@@ -606,6 +606,10 @@ static int af9013_set_frontend(struct dv
+ }
+ }
+
++ /* Return an error if can't find bandwidth or the right clock */
++ if (i == ARRAY_SIZE(coeff_lut))
++ return -EINVAL;
++
+ ret = af9013_wr_regs(state, 0xae00, coeff_lut[i].val,
+ sizeof(coeff_lut[i].val));
+ }
--- /dev/null
+From 14ba3ec1de043260cecd9e828ea2e3a0ad302893 Mon Sep 17 00:00:00 2001
+From: Axel Lin <axel.lin@ingics.com>
+Date: Sun, 10 May 2015 11:35:06 +0800
+Subject: ASoC: wm8737: Fixup setting VMID Impedance control register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Axel Lin <axel.lin@ingics.com>
+
+commit 14ba3ec1de043260cecd9e828ea2e3a0ad302893 upstream.
+
+According to the datasheet:
+R10 (0Ah) VMID Impedance Control
+
+BIT 3:2 VMIDSEL DEFAULT 00
+
+DESCRIPTION: VMID impedance selection control
+00: 75kΩ output
+01: 300kΩ output
+10: 2.5kΩ output
+
+WM8737_VMIDSEL_MASK is 0xC (VMIDSEL - [3:2]),
+so it needs to left shift WM8737_VMIDSEL_SHIFT bits for setting these bits.
+
+Signed-off-by: Axel Lin <axel.lin@ingics.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/wm8737.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/codecs/wm8737.c
++++ b/sound/soc/codecs/wm8737.c
+@@ -494,7 +494,8 @@ static int wm8737_set_bias_level(struct
+
+ /* Fast VMID ramp at 2*2.5k */
+ snd_soc_update_bits(codec, WM8737_MISC_BIAS_CONTROL,
+- WM8737_VMIDSEL_MASK, 0x4);
++ WM8737_VMIDSEL_MASK,
++ 2 << WM8737_VMIDSEL_SHIFT);
+
+ /* Bring VMID up */
+ snd_soc_update_bits(codec, WM8737_POWER_MANAGEMENT,
+@@ -508,7 +509,8 @@ static int wm8737_set_bias_level(struct
+
+ /* VMID at 2*300k */
+ snd_soc_update_bits(codec, WM8737_MISC_BIAS_CONTROL,
+- WM8737_VMIDSEL_MASK, 2);
++ WM8737_VMIDSEL_MASK,
++ 1 << WM8737_VMIDSEL_SHIFT);
+
+ break;
+
--- /dev/null
+From ebb6ad73e645b8f2d098dd3c41d2ff0da4146a02 Mon Sep 17 00:00:00 2001
+From: Axel Lin <axel.lin@ingics.com>
+Date: Mon, 11 May 2015 09:04:06 +0800
+Subject: ASoC: wm8903: Fix define for WM8903_VMID_RES_250K
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Axel Lin <axel.lin@ingics.com>
+
+commit ebb6ad73e645b8f2d098dd3c41d2ff0da4146a02 upstream.
+
+VMID Control 0 BIT[2:1] is VMID Divider Enable and Select
+
+00 = VMID disabled (for OFF mode)
+01 = 2 x 50kΩ divider (for normal operation)
+10 = 2 x 250kΩ divider (for low power standby)
+11 = 2 x 5kΩ divider (for fast start-up)
+
+So WM8903_VMID_RES_250K should be 2 << 1, which is 4.
+
+Signed-off-by: Axel Lin <axel.lin@ingics.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/wm8903.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/wm8903.h
++++ b/sound/soc/codecs/wm8903.h
+@@ -172,7 +172,7 @@ extern int wm8903_mic_detect(struct snd_
+ #define WM8903_VMID_BUF_ENA_WIDTH 1 /* VMID_BUF_ENA */
+
+ #define WM8903_VMID_RES_50K 2
+-#define WM8903_VMID_RES_250K 3
++#define WM8903_VMID_RES_250K 4
+ #define WM8903_VMID_RES_5K 6
+
+ /*
--- /dev/null
+From 12c350050538c7dc779c083b7342bfd20f74949c Mon Sep 17 00:00:00 2001
+From: Axel Lin <axel.lin@ingics.com>
+Date: Fri, 15 May 2015 09:15:16 +0800
+Subject: ASoC: wm8955: Fix setting wrong register for WM8955_K_8_0_MASK bits
+
+From: Axel Lin <axel.lin@ingics.com>
+
+commit 12c350050538c7dc779c083b7342bfd20f74949c upstream.
+
+WM8955_K_8_0_MASK bits is controlled by WM8955_PLL_CONTROL_3 rather than
+WM8955_PLL_CONTROL_2.
+
+Signed-off-by: Axel Lin <axel.lin@ingics.com>
+Acked-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/wm8955.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/wm8955.c
++++ b/sound/soc/codecs/wm8955.c
+@@ -298,7 +298,7 @@ static int wm8955_configure_clocking(str
+ snd_soc_update_bits(codec, WM8955_PLL_CONTROL_2,
+ WM8955_K_17_9_MASK,
+ (pll.k >> 9) & WM8955_K_17_9_MASK);
+- snd_soc_update_bits(codec, WM8955_PLL_CONTROL_2,
++ snd_soc_update_bits(codec, WM8955_PLL_CONTROL_3,
+ WM8955_K_8_0_MASK,
+ pll.k & WM8955_K_8_0_MASK);
+ if (pll.k)
--- /dev/null
+From a077e81ec61e07a7f86997d045109f06719fbffe Mon Sep 17 00:00:00 2001
+From: Zidan Wang <zidan.wang@freescale.com>
+Date: Thu, 11 Jun 2015 19:14:36 +0800
+Subject: ASoC: wm8960: the enum of "DAC Polarity" should be wm8960_enum[1]
+
+From: Zidan Wang <zidan.wang@freescale.com>
+
+commit a077e81ec61e07a7f86997d045109f06719fbffe upstream.
+
+the enum of "DAC Polarity" should be wm8960_enum[1].
+
+Signed-off-by: Zidan Wang <zidan.wang@freescale.com>
+Acked-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/wm8960.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/wm8960.c
++++ b/sound/soc/codecs/wm8960.c
+@@ -242,7 +242,7 @@ SOC_SINGLE("PCM Playback -6dB Switch", W
+ SOC_ENUM("ADC Polarity", wm8960_enum[0]),
+ SOC_SINGLE("ADC High Pass Filter Switch", WM8960_DACCTL1, 0, 1, 0),
+
+-SOC_ENUM("DAC Polarity", wm8960_enum[2]),
++SOC_ENUM("DAC Polarity", wm8960_enum[1]),
+ SOC_SINGLE_BOOL_EXT("DAC Deemphasis Switch", 0,
+ wm8960_get_deemph, wm8960_put_deemph),
+
--- /dev/null
+From 300f77c08ded96d33f492aaa02549103852f0c12 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Tue, 2 Jun 2015 10:38:32 +0200
+Subject: ath9k: fix DMA stop sequence for AR9003+
+
+From: Felix Fietkau <nbd@openwrt.org>
+
+commit 300f77c08ded96d33f492aaa02549103852f0c12 upstream.
+
+AR93xx and newer needs to stop rx before tx to avoid getting the DMA
+engine or MAC into a stuck state.
+This should reduce/fix the occurence of "Failed to stop Tx DMA" logspam.
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/main.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -195,11 +195,13 @@ static bool ath_prepare_reset(struct ath
+ ath9k_debug_samp_bb_mac(sc);
+ ath9k_hw_disable_interrupts(ah);
+
+- if (!ath_drain_all_txq(sc))
+- ret = false;
+-
+- if (!ath_stoprecv(sc))
+- ret = false;
++ if (AR_SREV_9300_20_OR_LATER(ah)) {
++ ret &= ath_stoprecv(sc);
++ ret &= ath_drain_all_txq(sc);
++ } else {
++ ret &= ath_drain_all_txq(sc);
++ ret &= ath_stoprecv(sc);
++ }
+
+ return ret;
+ }
--- /dev/null
+From ecffc80478cdce122f0ecb6a4e4f909132dd5c47 Mon Sep 17 00:00:00 2001
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Sun, 7 Jun 2015 09:42:19 +0200
+Subject: Bluetooth: btusb: Fix memory leak in Intel setup routine
+
+From: Marcel Holtmann <marcel@holtmann.org>
+
+commit ecffc80478cdce122f0ecb6a4e4f909132dd5c47 upstream.
+
+The SKB returned from the Intel specific version information command is
+missing a kfree_skb.
+
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/btusb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -1234,6 +1234,8 @@ static int btusb_setup_intel(struct hci_
+ }
+ fw_ptr = fw->data;
+
++ kfree_skb(skb);
++
+ /* This Intel specific command enables the manufacturer mode of the
+ * controller.
+ *
--- /dev/null
+From 1fa2337a315a2448c5434f41e00d56b01a22283c Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Date: Tue, 28 Apr 2015 18:51:17 -0300
+Subject: [media] cx24116: fix a buffer overflow when checking userspace params
+
+From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+
+commit 1fa2337a315a2448c5434f41e00d56b01a22283c upstream.
+
+The maximum size for a DiSEqC command is 6, according to the
+userspace API. However, the code allows to write up much more values:
+ drivers/media/dvb-frontends/cx24116.c:983 cx24116_send_diseqc_msg() error: buffer overflow 'd->msg' 6 <= 23
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/dvb-frontends/cx24116.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/dvb-frontends/cx24116.c
++++ b/drivers/media/dvb-frontends/cx24116.c
+@@ -963,6 +963,10 @@ static int cx24116_send_diseqc_msg(struc
+ struct cx24116_state *state = fe->demodulator_priv;
+ int i, ret;
+
++ /* Validate length */
++ if (d->msg_len > sizeof(d->msg))
++ return -EINVAL;
++
+ /* Dump DiSEqC message */
+ if (debug) {
+ printk(KERN_INFO "cx24116: %s(", __func__);
+@@ -974,10 +978,6 @@ static int cx24116_send_diseqc_msg(struc
+ printk(") toneburst=%d\n", toneburst);
+ }
+
+- /* Validate length */
+- if (d->msg_len > (CX24116_ARGLEN - CX24116_DISEQC_MSGOFS))
+- return -EINVAL;
+-
+ /* DiSEqC message */
+ for (i = 0; i < d->msg_len; i++)
+ state->dsec_cmd.args[CX24116_DISEQC_MSGOFS + i] = d->msg[i];
--- /dev/null
+From d6f123a9297496ad0b6335fe881504c4b5b2a5e5 Mon Sep 17 00:00:00 2001
+From: Eryu Guan <guaneryu@gmail.com>
+Date: Fri, 3 Jul 2015 23:56:50 -0400
+Subject: ext4: be more strict when migrating to non-extent based file
+
+From: Eryu Guan <guaneryu@gmail.com>
+
+commit d6f123a9297496ad0b6335fe881504c4b5b2a5e5 upstream.
+
+Currently the check in ext4_ind_migrate() is not enough before doing the
+real conversion:
+
+a) delayed allocated extents could bypass the check on eh->eh_entries
+ and eh->eh_depth
+
+This can be demonstrated by this script
+
+ xfs_io -fc "pwrite 0 4k" -c "pwrite 8k 4k" /mnt/ext4/testfile
+ chattr -e /mnt/ext4/testfile
+
+where testfile has two extents but still be converted to non-extent
+based file format.
+
+b) only extent length is checked but not the offset, which would result
+ in data lose (delalloc) or fs corruption (nodelalloc), because
+ non-extent based file only supports at most (12 + 2^10 + 2^20 + 2^30)
+ blocks
+
+This can be demostrated by
+
+ xfs_io -fc "pwrite 5T 4k" /mnt/ext4/testfile
+ chattr -e /mnt/ext4/testfile
+ sync
+
+If delalloc is enabled, dmesg prints
+ EXT4-fs warning (device dm-4): ext4_block_to_path:105: block 1342177280 > max in inode 53
+ EXT4-fs (dm-4): Delayed block allocation failed for inode 53 at logical offset 1342177280 with max blocks 1 with error 5
+ EXT4-fs (dm-4): This should not happen!! Data will be lost
+
+If delalloc is disabled, e2fsck -nf shows corruption
+ Inode 53, i_size is 5497558142976, should be 4096. Fix? no
+
+Fix the two issues by
+
+a) forcing all delayed allocation blocks to be allocated before checking
+ eh->eh_depth and eh->eh_entries
+b) limiting the last logical block of the extent is within direct map
+
+Signed-off-by: Eryu Guan <guaneryu@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/migrate.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/migrate.c
++++ b/fs/ext4/migrate.c
+@@ -616,6 +616,7 @@ int ext4_ind_migrate(struct inode *inode
+ struct ext4_inode_info *ei = EXT4_I(inode);
+ struct ext4_extent *ex;
+ unsigned int i, len;
++ ext4_lblk_t end;
+ ext4_fsblk_t blk;
+ handle_t *handle;
+ int ret;
+@@ -629,6 +630,14 @@ int ext4_ind_migrate(struct inode *inode
+ EXT4_FEATURE_RO_COMPAT_BIGALLOC))
+ return -EOPNOTSUPP;
+
++ /*
++ * In order to get correct extent info, force all delayed allocation
++ * blocks to be allocated, otherwise delayed allocation blocks may not
++ * be reflected and bypass the checks on extent header.
++ */
++ if (test_opt(inode->i_sb, DELALLOC))
++ ext4_alloc_da_blocks(inode);
++
+ handle = ext4_journal_start(inode, EXT4_HT_MIGRATE, 1);
+ if (IS_ERR(handle))
+ return PTR_ERR(handle);
+@@ -650,7 +659,8 @@ int ext4_ind_migrate(struct inode *inode
+ else {
+ len = le16_to_cpu(ex->ee_len);
+ blk = ext4_ext_pblock(ex);
+- if (len > EXT4_NDIR_BLOCKS) {
++ end = le32_to_cpu(ex->ee_block) + len - 1;
++ if (end >= EXT4_NDIR_BLOCKS) {
+ ret = -EOPNOTSUPP;
+ goto errout;
+ }
--- /dev/null
+From 89d96a6f8e6491f24fc8f99fd6ae66820e85c6c1 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 20 Jun 2015 22:50:33 -0400
+Subject: ext4: call sync_blockdev() before invalidate_bdev() in put_super()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 89d96a6f8e6491f24fc8f99fd6ae66820e85c6c1 upstream.
+
+Normally all of the buffers will have been forced out to disk before
+we call invalidate_bdev(), but there will be some cases, where a file
+system operation was aborted due to an ext4_error(), where there may
+still be some dirty buffers in the buffer cache for the device. So
+try to force them out to memory before calling invalidate_bdev().
+
+This fixes a warning triggered by generic/081:
+
+WARNING: CPU: 1 PID: 3473 at /usr/projects/linux/ext4/fs/block_dev.c:56 __blkdev_put+0xb5/0x16f()
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -803,6 +803,7 @@ static void ext4_put_super(struct super_
+ dump_orphan_list(sb, sbi);
+ J_ASSERT(list_empty(&sbi->s_orphan));
+
++ sync_blockdev(sb->s_bdev);
+ invalidate_bdev(sb->s_bdev);
+ if (sbi->journal_bdev && sbi->journal_bdev != sb->s_bdev) {
+ /*
--- /dev/null
+From 8974fec7d72e3e02752fe0f27b4c3719c78d9a15 Mon Sep 17 00:00:00 2001
+From: Eryu Guan <guaneryu@gmail.com>
+Date: Sat, 4 Jul 2015 00:03:44 -0400
+Subject: ext4: correctly migrate a file with a hole at the beginning
+
+From: Eryu Guan <guaneryu@gmail.com>
+
+commit 8974fec7d72e3e02752fe0f27b4c3719c78d9a15 upstream.
+
+Currently ext4_ind_migrate() doesn't correctly handle a file which
+contains a hole at the beginning of the file. This caused the migration
+to be done incorrectly, and then if there is a subsequent following
+delayed allocation write to the "hole", this would reclaim the same data
+blocks again and results in fs corruption.
+
+ # assmuing 4k block size ext4, with delalloc enabled
+ # skip the first block and write to the second block
+ xfs_io -fc "pwrite 4k 4k" -c "fsync" /mnt/ext4/testfile
+
+ # converting to indirect-mapped file, which would move the data blocks
+ # to the beginning of the file, but extent status cache still marks
+ # that region as a hole
+ chattr -e /mnt/ext4/testfile
+
+ # delayed allocation writes to the "hole", reclaim the same data block
+ # again, results in i_blocks corruption
+ xfs_io -c "pwrite 0 4k" /mnt/ext4/testfile
+ umount /mnt/ext4
+ e2fsck -nf /dev/sda6
+ ...
+ Inode 53, i_blocks is 16, should be 8. Fix? no
+ ...
+
+Signed-off-by: Eryu Guan <guaneryu@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/migrate.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/migrate.c
++++ b/fs/ext4/migrate.c
+@@ -616,7 +616,7 @@ int ext4_ind_migrate(struct inode *inode
+ struct ext4_inode_info *ei = EXT4_I(inode);
+ struct ext4_extent *ex;
+ unsigned int i, len;
+- ext4_lblk_t end;
++ ext4_lblk_t start, end;
+ ext4_fsblk_t blk;
+ handle_t *handle;
+ int ret;
+@@ -655,11 +655,12 @@ int ext4_ind_migrate(struct inode *inode
+ goto errout;
+ }
+ if (eh->eh_entries == 0)
+- blk = len = 0;
++ blk = len = start = end = 0;
+ else {
+ len = le16_to_cpu(ex->ee_len);
+ blk = ext4_ext_pblock(ex);
+- end = le32_to_cpu(ex->ee_block) + len - 1;
++ start = le32_to_cpu(ex->ee_block);
++ end = start + len - 1;
+ if (end >= EXT4_NDIR_BLOCKS) {
+ ret = -EOPNOTSUPP;
+ goto errout;
+@@ -668,7 +669,7 @@ int ext4_ind_migrate(struct inode *inode
+
+ ext4_clear_inode_flag(inode, EXT4_INODE_EXTENTS);
+ memset(ei->i_data, 0, sizeof(ei->i_data));
+- for (i=0; i < len; i++)
++ for (i = start; i <= end; i++)
+ ei->i_data[i] = cpu_to_le32(blk++);
+ ext4_mark_inode_dirty(handle, inode);
+ errout:
--- /dev/null
+From 292db1bc6c105d86111e858859456bcb11f90f91 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Sun, 21 Jun 2015 21:10:51 -0400
+Subject: ext4: don't retry file block mapping on bigalloc fs with non-extent file
+
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+
+commit 292db1bc6c105d86111e858859456bcb11f90f91 upstream.
+
+ext4 isn't willing to map clusters to a non-extent file. Don't signal
+this with an out of space error, since the FS will retry the
+allocation (which didn't fail) forever. Instead, return EUCLEAN so
+that the operation will fail immediately all the way back to userspace.
+
+(The fix is either to run e2fsck -E bmap2extent, or to chattr +e the file.)
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/indirect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/indirect.c
++++ b/fs/ext4/indirect.c
+@@ -577,7 +577,7 @@ int ext4_ind_map_blocks(handle_t *handle
+ EXT4_FEATURE_RO_COMPAT_BIGALLOC)) {
+ EXT4_ERROR_INODE(inode, "Can't allocate blocks for "
+ "non-extent mapped inodes with bigalloc");
+- return -ENOSPC;
++ return -EUCLEAN;
+ }
+
+ goal = ext4_find_goal(inode, map->m_lblk, partial);
--- /dev/null
+From bdf96838aea6a265f2ae6cbcfb12a778c84a0b8e Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Fri, 12 Jun 2015 23:45:33 -0400
+Subject: ext4: fix race between truncate and __ext4_journalled_writepage()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit bdf96838aea6a265f2ae6cbcfb12a778c84a0b8e upstream.
+
+The commit cf108bca465d: "ext4: Invert the locking order of page_lock
+and transaction start" caused __ext4_journalled_writepage() to drop
+the page lock before the page was written back, as part of changing
+the locking order to jbd2_journal_start -> page_lock. However, this
+introduced a potential race if there was a truncate racing with the
+data=journalled writeback mode.
+
+Fix this by grabbing the page lock after starting the journal handle,
+and then checking to see if page had gotten truncated out from under
+us.
+
+This fixes a number of different warnings or BUG_ON's when running
+xfstests generic/086 in data=journalled mode, including:
+
+jbd2_journal_dirty_metadata: vdc-8: bad jh for block 115643: transaction (ee3fe7
+c0, 164), jh->b_transaction ( (null), 0), jh->b_next_transaction ( (null), 0), jlist 0
+
+ - and -
+
+kernel BUG at /usr/projects/linux/ext4/fs/jbd2/transaction.c:2200!
+ ...
+Call Trace:
+ [<c02b2ded>] ? __ext4_journalled_invalidatepage+0x117/0x117
+ [<c02b2de5>] __ext4_journalled_invalidatepage+0x10f/0x117
+ [<c02b2ded>] ? __ext4_journalled_invalidatepage+0x117/0x117
+ [<c027d883>] ? lock_buffer+0x36/0x36
+ [<c02b2dfa>] ext4_journalled_invalidatepage+0xd/0x22
+ [<c0229139>] do_invalidatepage+0x22/0x26
+ [<c0229198>] truncate_inode_page+0x5b/0x85
+ [<c022934b>] truncate_inode_pages_range+0x156/0x38c
+ [<c0229592>] truncate_inode_pages+0x11/0x15
+ [<c022962d>] truncate_pagecache+0x55/0x71
+ [<c02b913b>] ext4_setattr+0x4a9/0x560
+ [<c01ca542>] ? current_kernel_time+0x10/0x44
+ [<c026c4d8>] notify_change+0x1c7/0x2be
+ [<c0256a00>] do_truncate+0x65/0x85
+ [<c0226f31>] ? file_ra_state_init+0x12/0x29
+
+ - and -
+
+WARNING: CPU: 1 PID: 1331 at /usr/projects/linux/ext4/fs/jbd2/transaction.c:1396
+irty_metadata+0x14a/0x1ae()
+ ...
+Call Trace:
+ [<c01b879f>] ? console_unlock+0x3a1/0x3ce
+ [<c082cbb4>] dump_stack+0x48/0x60
+ [<c0178b65>] warn_slowpath_common+0x89/0xa0
+ [<c02ef2cf>] ? jbd2_journal_dirty_metadata+0x14a/0x1ae
+ [<c0178bef>] warn_slowpath_null+0x14/0x18
+ [<c02ef2cf>] jbd2_journal_dirty_metadata+0x14a/0x1ae
+ [<c02d8615>] __ext4_handle_dirty_metadata+0xd4/0x19d
+ [<c02b2f44>] write_end_fn+0x40/0x53
+ [<c02b4a16>] ext4_walk_page_buffers+0x4e/0x6a
+ [<c02b59e7>] ext4_writepage+0x354/0x3b8
+ [<c02b2f04>] ? mpage_release_unused_pages+0xd4/0xd4
+ [<c02b1b21>] ? wait_on_buffer+0x2c/0x2c
+ [<c02b5a4b>] ? ext4_writepage+0x3b8/0x3b8
+ [<c02b5a5b>] __writepage+0x10/0x2e
+ [<c0225956>] write_cache_pages+0x22d/0x32c
+ [<c02b5a4b>] ? ext4_writepage+0x3b8/0x3b8
+ [<c02b6ee8>] ext4_writepages+0x102/0x607
+ [<c019adfe>] ? sched_clock_local+0x10/0x10e
+ [<c01a8a7c>] ? __lock_is_held+0x2e/0x44
+ [<c01a8ad5>] ? lock_is_held+0x43/0x51
+ [<c0226dff>] do_writepages+0x1c/0x29
+ [<c0276bed>] __writeback_single_inode+0xc3/0x545
+ [<c0277c07>] writeback_sb_inodes+0x21f/0x36d
+ ...
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -2099,19 +2099,32 @@ static int __ext4_journalled_writepage(s
+ ext4_walk_page_buffers(handle, page_bufs, 0, len,
+ NULL, bget_one);
+ }
+- /* As soon as we unlock the page, it can go away, but we have
+- * references to buffers so we are safe */
++ /*
++ * We need to release the page lock before we start the
++ * journal, so grab a reference so the page won't disappear
++ * out from under us.
++ */
++ get_page(page);
+ unlock_page(page);
+
+ handle = ext4_journal_start(inode, EXT4_HT_WRITE_PAGE,
+ ext4_writepage_trans_blocks(inode));
+ if (IS_ERR(handle)) {
+ ret = PTR_ERR(handle);
+- goto out;
++ put_page(page);
++ goto out_no_pagelock;
+ }
+-
+ BUG_ON(!ext4_handle_valid(handle));
+
++ lock_page(page);
++ put_page(page);
++ if (page->mapping != mapping) {
++ /* The page got truncated from under us */
++ ext4_journal_stop(handle);
++ ret = 0;
++ goto out;
++ }
++
+ if (inline_data) {
+ ret = ext4_journal_get_write_access(handle, inode_bh);
+
+@@ -2136,6 +2149,8 @@ static int __ext4_journalled_writepage(s
+ NULL, bput_one);
+ ext4_set_inode_state(inode, EXT4_STATE_JDATA);
+ out:
++ unlock_page(page);
++out_no_pagelock:
+ brelse(inode_bh);
+ return ret;
+ }
--- /dev/null
+From 9705acd63b125dee8b15c705216d7186daea4625 Mon Sep 17 00:00:00 2001
+From: Lukas Czerner <lczerner@redhat.com>
+Date: Fri, 3 Jul 2015 21:13:55 -0400
+Subject: ext4: fix reservation release on invalidatepage for delalloc fs
+
+From: Lukas Czerner <lczerner@redhat.com>
+
+commit 9705acd63b125dee8b15c705216d7186daea4625 upstream.
+
+On delalloc enabled file system on invalidatepage operation
+in ext4_da_page_release_reservation() we want to clear the delayed
+buffer and remove the extent covering the delayed buffer from the extent
+status tree.
+
+However currently there is a bug where on the systems with page size >
+block size we will always remove extents from the start of the page
+regardless where the actual delayed buffers are positioned in the page.
+This leads to the errors like this:
+
+EXT4-fs warning (device loop0): ext4_da_release_space:1225:
+ext4_da_release_space: ino 13, to_free 1 with only 0 reserved data
+blocks
+
+This however can cause data loss on writeback time if the file system is
+in ENOSPC condition because we're releasing reservation for someones
+else delayed buffer.
+
+Fix this by only removing extents that corresponds to the part of the
+page we want to invalidate.
+
+This problem is reproducible by the following fio receipt (however I was
+only able to reproduce it with fio-2.1 or older.
+
+[global]
+bs=8k
+iodepth=1024
+iodepth_batch=60
+randrepeat=1
+size=1m
+directory=/mnt/test
+numjobs=20
+[job1]
+ioengine=sync
+bs=1k
+direct=1
+rw=randread
+filename=file1:file2
+[job2]
+ioengine=libaio
+rw=randwrite
+direct=1
+filename=file1:file2
+[job3]
+bs=1k
+ioengine=posixaio
+rw=randwrite
+direct=1
+filename=file1:file2
+[job5]
+bs=1k
+ioengine=sync
+rw=randread
+filename=file1:file2
+[job7]
+ioengine=libaio
+rw=randwrite
+filename=file1:file2
+[job8]
+ioengine=posixaio
+rw=randwrite
+filename=file1:file2
+[job10]
+ioengine=mmap
+rw=randwrite
+bs=1k
+filename=file1:file2
+[job11]
+ioengine=mmap
+rw=randwrite
+direct=1
+filename=file1:file2
+
+Signed-off-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -1412,7 +1412,7 @@ static void ext4_da_release_space(struct
+ static void ext4_da_page_release_reservation(struct page *page,
+ unsigned long offset)
+ {
+- int to_release = 0;
++ int to_release = 0, contiguous_blks = 0;
+ struct buffer_head *head, *bh;
+ unsigned int curr_off = 0;
+ struct inode *inode = page->mapping->host;
+@@ -1427,14 +1427,23 @@ static void ext4_da_page_release_reserva
+
+ if ((offset <= curr_off) && (buffer_delay(bh))) {
+ to_release++;
++ contiguous_blks++;
+ clear_buffer_delay(bh);
++ } else if (contiguous_blks) {
++ lblk = page->index <<
++ (PAGE_CACHE_SHIFT - inode->i_blkbits);
++ lblk += (curr_off >> inode->i_blkbits) -
++ contiguous_blks;
++ ext4_es_remove_extent(inode, lblk, contiguous_blks);
++ contiguous_blks = 0;
+ }
+ curr_off = next_off;
+ } while ((bh = bh->b_this_page) != head);
+
+- if (to_release) {
++ if (contiguous_blks) {
+ lblk = page->index << (PAGE_CACHE_SHIFT - inode->i_blkbits);
+- ext4_es_remove_extent(inode, lblk, to_release);
++ lblk += (curr_off >> inode->i_blkbits) - contiguous_blks;
++ ext4_es_remove_extent(inode, lblk, contiguous_blks);
+ }
+
+ /* If we have released all the blocks belonging to a cluster, then we
--- /dev/null
+From 7444a072c387a93ebee7066e8aee776954ab0e41 Mon Sep 17 00:00:00 2001
+From: Michal Hocko <mhocko@suse.cz>
+Date: Sun, 5 Jul 2015 12:33:44 -0400
+Subject: ext4: replace open coded nofail allocation in ext4_free_blocks()
+
+From: Michal Hocko <mhocko@suse.cz>
+
+commit 7444a072c387a93ebee7066e8aee776954ab0e41 upstream.
+
+ext4_free_blocks is looping around the allocation request and mimics
+__GFP_NOFAIL behavior without any allocation fallback strategy. Let's
+remove the open coded loop and replace it with __GFP_NOFAIL. Without the
+flag the allocator has no way to find out never-fail requirement and
+cannot help in any way.
+
+Signed-off-by: Michal Hocko <mhocko@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/mballoc.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -4764,18 +4764,12 @@ do_more:
+ /*
+ * blocks being freed are metadata. these blocks shouldn't
+ * be used until this transaction is committed
++ *
++ * We use __GFP_NOFAIL because ext4_free_blocks() is not allowed
++ * to fail.
+ */
+- retry:
+- new_entry = kmem_cache_alloc(ext4_free_data_cachep, GFP_NOFS);
+- if (!new_entry) {
+- /*
+- * We use a retry loop because
+- * ext4_free_blocks() is not allowed to fail.
+- */
+- cond_resched();
+- congestion_wait(BLK_RW_ASYNC, HZ/50);
+- goto retry;
+- }
++ new_entry = kmem_cache_alloc(ext4_free_data_cachep,
++ GFP_NOFS|__GFP_NOFAIL);
+ new_entry->efd_start_cluster = bit;
+ new_entry->efd_group = block_group;
+ new_entry->efd_count = count_clusters;
--- /dev/null
+From 93563a6a71bb69dd324fc7354c60fb05f84aae6b Mon Sep 17 00:00:00 2001
+From: Cyrille Pitchen <cyrille.pitchen@atmel.com>
+Date: Tue, 9 Jun 2015 18:22:14 +0200
+Subject: i2c: at91: fix a race condition when using the DMA controller
+
+From: Cyrille Pitchen <cyrille.pitchen@atmel.com>
+
+commit 93563a6a71bb69dd324fc7354c60fb05f84aae6b upstream.
+
+For TX transactions, the TXCOMP bit in the Status Register is cleared
+when the first data is written into the Transmit Holding Register.
+
+In the lines from at91_do_twi_transfer():
+at91_twi_write_data_dma(dev);
+at91_twi_write(dev, AT91_TWI_IER, AT91_TWI_TXCOMP);
+
+the TXCOMP interrupt may be enabled before the DMA controller has
+actually started to write into the THR. In such a case, the TXCOMP bit
+is still set into the Status Register so the interrupt is triggered
+immediately. The driver understands that a transaction completion has
+occurred but this transaction hasn't started yet. Hence the TXCOMP
+interrupt is no longer enabled by at91_do_twi_transfer() but instead
+by at91_twi_write_data_dma_callback().
+
+Also, the TXCOMP bit in the Status Register in not a clear on read flag
+but a snapshot of the transmission state at the time the Status
+Register is read.
+When a NACK error is dectected by the I2C controller, the TXCOMP, NACK
+and TXRDY bits are set together to 1 in the SR. If enabled, the TXCOMP
+interrupt is triggered at the same time. Also setting the TXRDY to 1
+triggers the DMA controller to write the next data into the THR. Such
+a write resets the TXCOMP bit to 0 in the SR. So depending on when the
+interrupt handler reads the SR, it may fail to detect the NACK error
+if it relies on the TXCOMP bit. The NACK bit and its interrupt should
+be used instead.
+
+For RX transactions, the TXCOMP bit in the Status Register is cleared
+when the START bit is set into the Control Register. However to unify
+the management of the TXCOMP bit when the DMA controller is used, the
+TXCOMP interrupt is now enabled by the DMA callbacks for both TX and
+RX transfers.
+
+Signed-off-by: Cyrille Pitchen <cyrille.pitchen@atmel.com>
+Acked-by: Ludovic Desroches <ludovic.desroches@atmel.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-at91.c | 70 +++++++++++++++++++++++++++++++-----------
+ 1 file changed, 53 insertions(+), 17 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-at91.c
++++ b/drivers/i2c/busses/i2c-at91.c
+@@ -63,6 +63,9 @@
+ #define AT91_TWI_UNRE 0x0080 /* Underrun Error */
+ #define AT91_TWI_NACK 0x0100 /* Not Acknowledged */
+
++#define AT91_TWI_INT_MASK \
++ (AT91_TWI_TXCOMP | AT91_TWI_RXRDY | AT91_TWI_TXRDY | AT91_TWI_NACK)
++
+ #define AT91_TWI_IER 0x0024 /* Interrupt Enable Register */
+ #define AT91_TWI_IDR 0x0028 /* Interrupt Disable Register */
+ #define AT91_TWI_IMR 0x002c /* Interrupt Mask Register */
+@@ -118,13 +121,12 @@ static void at91_twi_write(struct at91_t
+
+ static void at91_disable_twi_interrupts(struct at91_twi_dev *dev)
+ {
+- at91_twi_write(dev, AT91_TWI_IDR,
+- AT91_TWI_TXCOMP | AT91_TWI_RXRDY | AT91_TWI_TXRDY);
++ at91_twi_write(dev, AT91_TWI_IDR, AT91_TWI_INT_MASK);
+ }
+
+ static void at91_twi_irq_save(struct at91_twi_dev *dev)
+ {
+- dev->imr = at91_twi_read(dev, AT91_TWI_IMR) & 0x7;
++ dev->imr = at91_twi_read(dev, AT91_TWI_IMR) & AT91_TWI_INT_MASK;
+ at91_disable_twi_interrupts(dev);
+ }
+
+@@ -214,6 +216,14 @@ static void at91_twi_write_data_dma_call
+ dma_unmap_single(dev->dev, sg_dma_address(&dev->dma.sg),
+ dev->buf_len, DMA_TO_DEVICE);
+
++ /*
++ * When this callback is called, THR/TX FIFO is likely not to be empty
++ * yet. So we have to wait for TXCOMP or NACK bits to be set into the
++ * Status Register to be sure that the STOP bit has been sent and the
++ * transfer is completed. The NACK interrupt has already been enabled,
++ * we just have to enable TXCOMP one.
++ */
++ at91_twi_write(dev, AT91_TWI_IER, AT91_TWI_TXCOMP);
+ at91_twi_write(dev, AT91_TWI_CR, AT91_TWI_STOP);
+ }
+
+@@ -308,7 +318,7 @@ static void at91_twi_read_data_dma_callb
+ /* The last two bytes have to be read without using dma */
+ dev->buf += dev->buf_len - 2;
+ dev->buf_len = 2;
+- at91_twi_write(dev, AT91_TWI_IER, AT91_TWI_RXRDY);
++ at91_twi_write(dev, AT91_TWI_IER, AT91_TWI_RXRDY | AT91_TWI_TXCOMP);
+ }
+
+ static void at91_twi_read_data_dma(struct at91_twi_dev *dev)
+@@ -369,7 +379,7 @@ static irqreturn_t atmel_twi_interrupt(i
+ /* catch error flags */
+ dev->transfer_status |= status;
+
+- if (irqstatus & AT91_TWI_TXCOMP) {
++ if (irqstatus & (AT91_TWI_TXCOMP | AT91_TWI_NACK)) {
+ at91_disable_twi_interrupts(dev);
+ complete(&dev->cmd_complete);
+ }
+@@ -382,6 +392,34 @@ static int at91_do_twi_transfer(struct a
+ int ret;
+ bool has_unre_flag = dev->pdata->has_unre_flag;
+
++ /*
++ * WARNING: the TXCOMP bit in the Status Register is NOT a clear on
++ * read flag but shows the state of the transmission at the time the
++ * Status Register is read. According to the programmer datasheet,
++ * TXCOMP is set when both holding register and internal shifter are
++ * empty and STOP condition has been sent.
++ * Consequently, we should enable NACK interrupt rather than TXCOMP to
++ * detect transmission failure.
++ *
++ * Besides, the TXCOMP bit is already set before the i2c transaction
++ * has been started. For read transactions, this bit is cleared when
++ * writing the START bit into the Control Register. So the
++ * corresponding interrupt can safely be enabled just after.
++ * However for write transactions managed by the CPU, we first write
++ * into THR, so TXCOMP is cleared. Then we can safely enable TXCOMP
++ * interrupt. If TXCOMP interrupt were enabled before writing into THR,
++ * the interrupt handler would be called immediately and the i2c command
++ * would be reported as completed.
++ * Also when a write transaction is managed by the DMA controller,
++ * enabling the TXCOMP interrupt in this function may lead to a race
++ * condition since we don't know whether the TXCOMP interrupt is enabled
++ * before or after the DMA has started to write into THR. So the TXCOMP
++ * interrupt is enabled later by at91_twi_write_data_dma_callback().
++ * Immediately after in that DMA callback, we still need to send the
++ * STOP condition manually writing the corresponding bit into the
++ * Control Register.
++ */
++
+ dev_dbg(dev->dev, "transfer: %s %d bytes.\n",
+ (dev->msg->flags & I2C_M_RD) ? "read" : "write", dev->buf_len);
+
+@@ -412,26 +450,24 @@ static int at91_do_twi_transfer(struct a
+ * seems to be the best solution.
+ */
+ if (dev->use_dma && (dev->buf_len > AT91_I2C_DMA_THRESHOLD)) {
++ at91_twi_write(dev, AT91_TWI_IER, AT91_TWI_NACK);
+ at91_twi_read_data_dma(dev);
+- /*
+- * It is important to enable TXCOMP irq here because
+- * doing it only when transferring the last two bytes
+- * will mask NACK errors since TXCOMP is set when a
+- * NACK occurs.
+- */
+- at91_twi_write(dev, AT91_TWI_IER,
+- AT91_TWI_TXCOMP);
+- } else
++ } else {
+ at91_twi_write(dev, AT91_TWI_IER,
+- AT91_TWI_TXCOMP | AT91_TWI_RXRDY);
++ AT91_TWI_TXCOMP |
++ AT91_TWI_NACK |
++ AT91_TWI_RXRDY);
++ }
+ } else {
+ if (dev->use_dma && (dev->buf_len > AT91_I2C_DMA_THRESHOLD)) {
++ at91_twi_write(dev, AT91_TWI_IER, AT91_TWI_NACK);
+ at91_twi_write_data_dma(dev);
+- at91_twi_write(dev, AT91_TWI_IER, AT91_TWI_TXCOMP);
+ } else {
+ at91_twi_write_next_byte(dev);
+ at91_twi_write(dev, AT91_TWI_IER,
+- AT91_TWI_TXCOMP | AT91_TWI_TXRDY);
++ AT91_TWI_TXCOMP |
++ AT91_TWI_NACK |
++ AT91_TWI_TXRDY);
+ }
+ }
+
--- /dev/null
+From adfa969850ae93beca57f7527f0e4dc10cbe1309 Mon Sep 17 00:00:00 2001
+From: JM Friedt <jmfriedt@femto-st.fr>
+Date: Fri, 19 Jun 2015 14:48:06 +0200
+Subject: iio: DAC: ad5624r_spi: fix bit shift of output data value
+
+From: JM Friedt <jmfriedt@femto-st.fr>
+
+commit adfa969850ae93beca57f7527f0e4dc10cbe1309 upstream.
+
+The value sent on the SPI bus is shifted by an erroneous number of bits.
+The shift value was already computed in the iio_chan_spec structure and
+hence subtracting this argument to 16 yields an erroneous data position
+in the SPI stream.
+
+Signed-off-by: JM Friedt <jmfriedt@femto-st.fr>
+Acked-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/dac/ad5624r_spi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/dac/ad5624r_spi.c
++++ b/drivers/iio/dac/ad5624r_spi.c
+@@ -22,7 +22,7 @@
+ #include "ad5624r.h"
+
+ static int ad5624r_spi_write(struct spi_device *spi,
+- u8 cmd, u8 addr, u16 val, u8 len)
++ u8 cmd, u8 addr, u16 val, u8 shift)
+ {
+ u32 data;
+ u8 msg[3];
+@@ -35,7 +35,7 @@ static int ad5624r_spi_write(struct spi_
+ * 14-, 12-bit input code followed by 0, 2, or 4 don't care bits,
+ * for the AD5664R, AD5644R, and AD5624R, respectively.
+ */
+- data = (0 << 22) | (cmd << 19) | (addr << 16) | (val << (16 - len));
++ data = (0 << 22) | (cmd << 19) | (addr << 16) | (val << shift);
+ msg[0] = data >> 16;
+ msg[1] = data >> 8;
+ msg[2] = data;
--- /dev/null
+From 6f6a6fda294506dfe0e3e0a253bb2d2923f28f0a Mon Sep 17 00:00:00 2001
+From: Joseph Qi <joseph.qi@huawei.com>
+Date: Mon, 15 Jun 2015 14:36:01 -0400
+Subject: jbd2: fix ocfs2 corrupt when updating journal superblock fails
+
+From: Joseph Qi <joseph.qi@huawei.com>
+
+commit 6f6a6fda294506dfe0e3e0a253bb2d2923f28f0a upstream.
+
+If updating journal superblock fails after journal data has been
+flushed, the error is omitted and this will mislead the caller as a
+normal case. In ocfs2, the checkpoint will be treated successfully
+and the other node can get the lock to update. Since the sb_start is
+still pointing to the old log block, it will rewrite the journal data
+during journal recovery by the other node. Thus the new updates will
+be overwritten and ocfs2 corrupts. So in above case we have to return
+the error, and ocfs2_commit_cache will take care of the error and
+prevent the other node to do update first. And only after recovering
+journal it can do the new updates.
+
+The issue discussion mail can be found at:
+https://oss.oracle.com/pipermail/ocfs2-devel/2015-June/010856.html
+http://comments.gmane.org/gmane.comp.file-systems.ext4/48841
+
+[ Fixed bug in patch which allowed a non-negative error return from
+ jbd2_cleanup_journal_tail() to leak out of jbd2_fjournal_flush(); this
+ was causing xfstests ext4/306 to fail. -- Ted ]
+
+Reported-by: Yiwen Jiang <jiangyiwen@huawei.com>
+Signed-off-by: Joseph Qi <joseph.qi@huawei.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Tested-by: Yiwen Jiang <jiangyiwen@huawei.com>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/checkpoint.c | 5 ++---
+ fs/jbd2/journal.c | 38 +++++++++++++++++++++++++++++++-------
+ include/linux/jbd2.h | 4 ++--
+ 3 files changed, 35 insertions(+), 12 deletions(-)
+
+--- a/fs/jbd2/checkpoint.c
++++ b/fs/jbd2/checkpoint.c
+@@ -440,7 +440,7 @@ int jbd2_cleanup_journal_tail(journal_t
+ unsigned long blocknr;
+
+ if (is_journal_aborted(journal))
+- return 1;
++ return -EIO;
+
+ if (!jbd2_journal_get_log_tail(journal, &first_tid, &blocknr))
+ return 1;
+@@ -457,8 +457,7 @@ int jbd2_cleanup_journal_tail(journal_t
+ if (journal->j_flags & JBD2_BARRIER)
+ blkdev_issue_flush(journal->j_fs_dev, GFP_NOFS, NULL);
+
+- __jbd2_update_log_tail(journal, first_tid, blocknr);
+- return 0;
++ return __jbd2_update_log_tail(journal, first_tid, blocknr);
+ }
+
+
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -869,9 +869,10 @@ int jbd2_journal_get_log_tail(journal_t
+ *
+ * Requires j_checkpoint_mutex
+ */
+-void __jbd2_update_log_tail(journal_t *journal, tid_t tid, unsigned long block)
++int __jbd2_update_log_tail(journal_t *journal, tid_t tid, unsigned long block)
+ {
+ unsigned long freed;
++ int ret;
+
+ BUG_ON(!mutex_is_locked(&journal->j_checkpoint_mutex));
+
+@@ -881,7 +882,10 @@ void __jbd2_update_log_tail(journal_t *j
+ * space and if we lose sb update during power failure we'd replay
+ * old transaction with possibly newly overwritten data.
+ */
+- jbd2_journal_update_sb_log_tail(journal, tid, block, WRITE_FUA);
++ ret = jbd2_journal_update_sb_log_tail(journal, tid, block, WRITE_FUA);
++ if (ret)
++ goto out;
++
+ write_lock(&journal->j_state_lock);
+ freed = block - journal->j_tail;
+ if (block < journal->j_tail)
+@@ -897,6 +901,9 @@ void __jbd2_update_log_tail(journal_t *j
+ journal->j_tail_sequence = tid;
+ journal->j_tail = block;
+ write_unlock(&journal->j_state_lock);
++
++out:
++ return ret;
+ }
+
+ /*
+@@ -1315,7 +1322,7 @@ static int journal_reset(journal_t *jour
+ return jbd2_journal_start_thread(journal);
+ }
+
+-static void jbd2_write_superblock(journal_t *journal, int write_op)
++static int jbd2_write_superblock(journal_t *journal, int write_op)
+ {
+ struct buffer_head *bh = journal->j_sb_buffer;
+ journal_superblock_t *sb = journal->j_superblock;
+@@ -1354,7 +1361,10 @@ static void jbd2_write_superblock(journa
+ printk(KERN_ERR "JBD2: Error %d detected when updating "
+ "journal superblock for %s.\n", ret,
+ journal->j_devname);
++ jbd2_journal_abort(journal, ret);
+ }
++
++ return ret;
+ }
+
+ /**
+@@ -1367,10 +1377,11 @@ static void jbd2_write_superblock(journa
+ * Update a journal's superblock information about log tail and write it to
+ * disk, waiting for the IO to complete.
+ */
+-void jbd2_journal_update_sb_log_tail(journal_t *journal, tid_t tail_tid,
++int jbd2_journal_update_sb_log_tail(journal_t *journal, tid_t tail_tid,
+ unsigned long tail_block, int write_op)
+ {
+ journal_superblock_t *sb = journal->j_superblock;
++ int ret;
+
+ BUG_ON(!mutex_is_locked(&journal->j_checkpoint_mutex));
+ jbd_debug(1, "JBD2: updating superblock (start %lu, seq %u)\n",
+@@ -1379,13 +1390,18 @@ void jbd2_journal_update_sb_log_tail(jou
+ sb->s_sequence = cpu_to_be32(tail_tid);
+ sb->s_start = cpu_to_be32(tail_block);
+
+- jbd2_write_superblock(journal, write_op);
++ ret = jbd2_write_superblock(journal, write_op);
++ if (ret)
++ goto out;
+
+ /* Log is no longer empty */
+ write_lock(&journal->j_state_lock);
+ WARN_ON(!sb->s_sequence);
+ journal->j_flags &= ~JBD2_FLUSHED;
+ write_unlock(&journal->j_state_lock);
++
++out:
++ return ret;
+ }
+
+ /**
+@@ -1922,7 +1938,14 @@ int jbd2_journal_flush(journal_t *journa
+ return -EIO;
+
+ mutex_lock(&journal->j_checkpoint_mutex);
+- jbd2_cleanup_journal_tail(journal);
++ if (!err) {
++ err = jbd2_cleanup_journal_tail(journal);
++ if (err < 0) {
++ mutex_unlock(&journal->j_checkpoint_mutex);
++ goto out;
++ }
++ err = 0;
++ }
+
+ /* Finally, mark the journal as really needing no recovery.
+ * This sets s_start==0 in the underlying superblock, which is
+@@ -1938,7 +1961,8 @@ int jbd2_journal_flush(journal_t *journa
+ J_ASSERT(journal->j_head == journal->j_tail);
+ J_ASSERT(journal->j_tail_sequence == journal->j_transaction_sequence);
+ write_unlock(&journal->j_state_lock);
+- return 0;
++out:
++ return err;
+ }
+
+ /**
+--- a/include/linux/jbd2.h
++++ b/include/linux/jbd2.h
+@@ -997,7 +997,7 @@ extern struct journal_head * jbd2_journa
+ int jbd2_journal_next_log_block(journal_t *, unsigned long long *);
+ int jbd2_journal_get_log_tail(journal_t *journal, tid_t *tid,
+ unsigned long *block);
+-void __jbd2_update_log_tail(journal_t *journal, tid_t tid, unsigned long block);
++int __jbd2_update_log_tail(journal_t *journal, tid_t tid, unsigned long block);
+ void jbd2_update_log_tail(journal_t *journal, tid_t tid, unsigned long block);
+
+ /* Commit management */
+@@ -1116,7 +1116,7 @@ extern int jbd2_journal_recover (j
+ extern int jbd2_journal_wipe (journal_t *, int);
+ extern int jbd2_journal_skip_recovery (journal_t *);
+ extern void jbd2_journal_update_sb_errno(journal_t *);
+-extern void jbd2_journal_update_sb_log_tail (journal_t *, tid_t,
++extern int jbd2_journal_update_sb_log_tail (journal_t *, tid_t,
+ unsigned long, int);
+ extern void __jbd2_journal_abort_hard (journal_t *);
+ extern void jbd2_journal_abort (journal_t *, int);
--- /dev/null
+From b4f1afcd068f6e533230dfed00782cd8a907f96b Mon Sep 17 00:00:00 2001
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+Date: Mon, 15 Jun 2015 00:18:02 -0400
+Subject: jbd2: use GFP_NOFS in jbd2_cleanup_journal_tail()
+
+From: Dmitry Monakhov <dmonakhov@openvz.org>
+
+commit b4f1afcd068f6e533230dfed00782cd8a907f96b upstream.
+
+jbd2_cleanup_journal_tail() can be invoked by jbd2__journal_start()
+So allocations should be done with GFP_NOFS
+
+[Full stack trace snipped from 3.10-rh7]
+[<ffffffff815c4bd4>] dump_stack+0x19/0x1b
+[<ffffffff8105dba1>] warn_slowpath_common+0x61/0x80
+[<ffffffff8105dcca>] warn_slowpath_null+0x1a/0x20
+[<ffffffff815c2142>] slab_pre_alloc_hook.isra.31.part.32+0x15/0x17
+[<ffffffff8119c045>] kmem_cache_alloc+0x55/0x210
+[<ffffffff811477f5>] ? mempool_alloc_slab+0x15/0x20
+[<ffffffff811477f5>] mempool_alloc_slab+0x15/0x20
+[<ffffffff81147939>] mempool_alloc+0x69/0x170
+[<ffffffff815cb69e>] ? _raw_spin_unlock_irq+0xe/0x20
+[<ffffffff8109160d>] ? finish_task_switch+0x5d/0x150
+[<ffffffff811f1a8e>] bio_alloc_bioset+0x1be/0x2e0
+[<ffffffff8127ee49>] blkdev_issue_flush+0x99/0x120
+[<ffffffffa019a733>] jbd2_cleanup_journal_tail+0x93/0xa0 [jbd2] -->GFP_KERNEL
+[<ffffffffa019aca1>] jbd2_log_do_checkpoint+0x221/0x4a0 [jbd2]
+[<ffffffffa019afc7>] __jbd2_log_wait_for_space+0xa7/0x1e0 [jbd2]
+[<ffffffffa01952d8>] start_this_handle+0x2d8/0x550 [jbd2]
+[<ffffffff811b02a9>] ? __memcg_kmem_put_cache+0x29/0x30
+[<ffffffff8119c120>] ? kmem_cache_alloc+0x130/0x210
+[<ffffffffa019573a>] jbd2__journal_start+0xba/0x190 [jbd2]
+[<ffffffff811532ce>] ? lru_cache_add+0xe/0x10
+[<ffffffffa01c9549>] ? ext4_da_write_begin+0xf9/0x330 [ext4]
+[<ffffffffa01f2c77>] __ext4_journal_start_sb+0x77/0x160 [ext4]
+[<ffffffffa01c9549>] ext4_da_write_begin+0xf9/0x330 [ext4]
+[<ffffffff811446ec>] generic_file_buffered_write_iter+0x10c/0x270
+[<ffffffff81146918>] __generic_file_write_iter+0x178/0x390
+[<ffffffff81146c6b>] __generic_file_aio_write+0x8b/0xb0
+[<ffffffff81146ced>] generic_file_aio_write+0x5d/0xc0
+[<ffffffffa01bf289>] ext4_file_write+0xa9/0x450 [ext4]
+[<ffffffff811c31d9>] ? pipe_read+0x379/0x4f0
+[<ffffffff811b93f0>] do_sync_write+0x90/0xe0
+[<ffffffff811b9b6d>] vfs_write+0xbd/0x1e0
+[<ffffffff811ba5b8>] SyS_write+0x58/0xb0
+[<ffffffff815d4799>] system_call_fastpath+0x16/0x1b
+
+Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/checkpoint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/jbd2/checkpoint.c
++++ b/fs/jbd2/checkpoint.c
+@@ -455,7 +455,7 @@ int jbd2_cleanup_journal_tail(journal_t
+ * jbd2_cleanup_journal_tail() doesn't get called all that often.
+ */
+ if (journal->j_flags & JBD2_BARRIER)
+- blkdev_issue_flush(journal->j_fs_dev, GFP_KERNEL, NULL);
++ blkdev_issue_flush(journal->j_fs_dev, GFP_NOFS, NULL);
+
+ __jbd2_update_log_tail(journal, first_tid, blocknr);
+ return 0;
--- /dev/null
+From 08c85d2a599d967ede38a847f5594447b6100642 Mon Sep 17 00:00:00 2001
+From: Aleksei Mamlin <mamlinav@gmail.com>
+Date: Wed, 1 Jul 2015 13:48:30 +0300
+Subject: libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for HP 250GB SATA disk VB0250EAVER
+
+From: Aleksei Mamlin <mamlinav@gmail.com>
+
+commit 08c85d2a599d967ede38a847f5594447b6100642 upstream.
+
+Enabling AA on HP 250GB SATA disk VB0250EAVER causes errors:
+
+[ 3.788362] ata3.00: failed to enable AA (error_mask=0x1)
+[ 3.789243] ata3.00: failed to enable AA (error_mask=0x1)
+
+Add the ATA_HORKAGE_BROKEN_FPDMA_AA for this specific harddisk.
+
+tj: Collected FPDMA_AA entries and updated comment.
+
+Signed-off-by: Aleksei Mamlin <mamlinav@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4150,9 +4150,10 @@ static const struct ata_blacklist_entry
+ { "ST3320[68]13AS", "SD1[5-9]", ATA_HORKAGE_NONCQ |
+ ATA_HORKAGE_FIRMWARE_WARN },
+
+- /* Seagate Momentus SpinPoint M8 seem to have FPMDA_AA issues */
++ /* drives which fail FPDMA_AA activation (some may freeze afterwards) */
+ { "ST1000LM024 HN-M101MBB", "2AR10001", ATA_HORKAGE_BROKEN_FPDMA_AA },
+ { "ST1000LM024 HN-M101MBB", "2BA30001", ATA_HORKAGE_BROKEN_FPDMA_AA },
++ { "VB0250EAVER", "HPG7", ATA_HORKAGE_BROKEN_FPDMA_AA },
+
+ /* Blacklist entries taken from Silicon Image 3124/3132
+ Windows driver .inf file - also several Linux problem reports */
--- /dev/null
+From cda57b1b05cf7b8b99ab4b732bea0b05b6c015cc Mon Sep 17 00:00:00 2001
+From: Arne Fitzenreiter <arne_f@ipfire.org>
+Date: Wed, 15 Jul 2015 13:54:37 +0200
+Subject: libata: force disable trim for SuperSSpeed S238
+
+From: Arne Fitzenreiter <arne_f@ipfire.org>
+
+commit cda57b1b05cf7b8b99ab4b732bea0b05b6c015cc upstream.
+
+This device loses blocks, often the partition table area, on trim.
+Disable TRIM.
+http://pcengines.ch/msata16a.htm
+
+Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4201,6 +4201,9 @@ static const struct ata_blacklist_entry
+ { "PIONEER DVD-RW DVR-212D", NULL, ATA_HORKAGE_NOSETXFER },
+ { "PIONEER DVD-RW DVR-216D", NULL, ATA_HORKAGE_NOSETXFER },
+
++ /* devices that don't properly handle TRIM commands */
++ { "SuperSSpeed S238*", NULL, ATA_HORKAGE_NOTRIM, },
++
+ /*
+ * Some WD SATA-I drives spin up and down erratically when the link
+ * is put into the slumber mode. We don't have full list of the
--- /dev/null
+From d531be2ca2f27cca5f041b6a140504999144a617 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 8 Jul 2015 13:06:12 -0400
+Subject: libata: increase the timeout when setting transfer mode
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit d531be2ca2f27cca5f041b6a140504999144a617 upstream.
+
+I have a ST4000DM000 disk. If Linux is booted while the disk is spun down,
+the command that sets transfer mode causes the disk to spin up. The
+spin-up takes longer than the default 5s timeout, so the command fails and
+timeout is reported.
+
+Fix this by increasing the timeout to 15s, which is enough for the disk to
+spin up.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4505,7 +4505,8 @@ static unsigned int ata_dev_set_xfermode
+ else /* In the ancient relic department - skip all of this */
+ return 0;
+
+- err_mask = ata_exec_internal(dev, &tf, NULL, DMA_NONE, NULL, 0, 0);
++ /* On some disks, this command causes spin-up, so we need longer timeout */
++ err_mask = ata_exec_internal(dev, &tf, NULL, DMA_NONE, NULL, 0, 15000);
+
+ DPRINTK("EXIT, err_mask=%x\n", err_mask);
+ return err_mask;
--- /dev/null
+From 12f4543f5d6811f864e6c4952eb27253c7466c02 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Date: Tue, 28 Apr 2015 18:34:40 -0300
+Subject: [media] s5h1420: fix a buffer overflow when checking userspace params
+
+From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+
+commit 12f4543f5d6811f864e6c4952eb27253c7466c02 upstream.
+
+The maximum size for a DiSEqC command is 6, according to the
+userspace API. However, the code allows to write up to 7 values:
+ drivers/media/dvb-frontends/s5h1420.c:193 s5h1420_send_master_cmd() error: buffer overflow 'cmd->msg' 6 <= 7
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/dvb-frontends/s5h1420.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-frontends/s5h1420.c
++++ b/drivers/media/dvb-frontends/s5h1420.c
+@@ -180,7 +180,7 @@ static int s5h1420_send_master_cmd (stru
+ int result = 0;
+
+ dprintk("enter %s\n", __func__);
+- if (cmd->msg_len > 8)
++ if (cmd->msg_len > sizeof(cmd->msg))
+ return -EINVAL;
+
+ /* setup for DISEQC */
--- /dev/null
+From 534bc3e2ee93835badca753bedce8073c67caa92 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Fri, 27 Mar 2015 15:17:56 -0300
+Subject: [media] saa7164: fix querycap warning
+
+From: Hans Verkuil <hverkuil@xs4all.nl>
+
+commit 534bc3e2ee93835badca753bedce8073c67caa92 upstream.
+
+Fix the VIDIOC_QUERYCAP warning due to the missing device_caps. Don't fill
+in the version field, the V4L2 core will do that for you.
+
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/pci/saa7164/saa7164-encoder.c | 11 ++++++-----
+ drivers/media/pci/saa7164/saa7164-vbi.c | 11 ++++++-----
+ 2 files changed, 12 insertions(+), 10 deletions(-)
+
+--- a/drivers/media/pci/saa7164/saa7164-encoder.c
++++ b/drivers/media/pci/saa7164/saa7164-encoder.c
+@@ -711,13 +711,14 @@ static int vidioc_querycap(struct file *
+ sizeof(cap->card));
+ sprintf(cap->bus_info, "PCI:%s", pci_name(dev->pci));
+
+- cap->capabilities =
++ cap->device_caps =
+ V4L2_CAP_VIDEO_CAPTURE |
+- V4L2_CAP_READWRITE |
+- 0;
++ V4L2_CAP_READWRITE |
++ V4L2_CAP_TUNER;
+
+- cap->capabilities |= V4L2_CAP_TUNER;
+- cap->version = 0;
++ cap->capabilities = cap->device_caps |
++ V4L2_CAP_VBI_CAPTURE |
++ V4L2_CAP_DEVICE_CAPS;
+
+ return 0;
+ }
+--- a/drivers/media/pci/saa7164/saa7164-vbi.c
++++ b/drivers/media/pci/saa7164/saa7164-vbi.c
+@@ -650,13 +650,14 @@ static int vidioc_querycap(struct file *
+ sizeof(cap->card));
+ sprintf(cap->bus_info, "PCI:%s", pci_name(dev->pci));
+
+- cap->capabilities =
++ cap->device_caps =
+ V4L2_CAP_VBI_CAPTURE |
+- V4L2_CAP_READWRITE |
+- 0;
++ V4L2_CAP_READWRITE |
++ V4L2_CAP_TUNER;
+
+- cap->capabilities |= V4L2_CAP_TUNER;
+- cap->version = 0;
++ cap->capabilities = cap->device_caps |
++ V4L2_CAP_VIDEO_CAPTURE |
++ V4L2_CAP_DEVICE_CAPS;
+
+ return 0;
+ }
pinctrl-mvebu-armada-xp-remove-non-existing-nand-pins.patch
pinctrl-mvebu-armada-xp-remove-non-existing-vdd-cpu_pd-functions.patch
pinctrl-mvebu-armada-xp-fix-functions-of-mpp48.patch
+bluetooth-btusb-fix-memory-leak-in-intel-setup-routine.patch
+ath9k-fix-dma-stop-sequence-for-ar9003.patch
+staging-rtl8712-prevent-buffer-overrun-in-recvbuf2recvframe.patch
+ext4-fix-race-between-truncate-and-__ext4_journalled_writepage.patch
+ext4-call-sync_blockdev-before-invalidate_bdev-in-put_super.patch
+ext4-don-t-retry-file-block-mapping-on-bigalloc-fs-with-non-extent-file.patch
+ext4-fix-reservation-release-on-invalidatepage-for-delalloc-fs.patch
+ext4-be-more-strict-when-migrating-to-non-extent-based-file.patch
+ext4-correctly-migrate-a-file-with-a-hole-at-the-beginning.patch
+ext4-replace-open-coded-nofail-allocation-in-ext4_free_blocks.patch
+jbd2-use-gfp_nofs-in-jbd2_cleanup_journal_tail.patch
+jbd2-fix-ocfs2-corrupt-when-updating-journal-superblock-fails.patch
+i2c-at91-fix-a-race-condition-when-using-the-dma-controller.patch
+iio-dac-ad5624r_spi-fix-bit-shift-of-output-data-value.patch
+af9013-don-t-accept-invalid-bandwidth.patch
+saa7164-fix-querycap-warning.patch
+s5h1420-fix-a-buffer-overflow-when-checking-userspace-params.patch
+cx24116-fix-a-buffer-overflow-when-checking-userspace-params.patch
+asoc-wm8737-fixup-setting-vmid-impedance-control-register.patch
+asoc-wm8955-fix-setting-wrong-register-for-wm8955_k_8_0_mask-bits.patch
+asoc-wm8903-fix-define-for-wm8903_vmid_res_250k.patch
+asoc-wm8960-the-enum-of-dac-polarity-should-be-wm8960_enum.patch
+libata-add-ata_horkage_broken_fpdma_aa-quirk-for-hp-250gb-sata-disk-vb0250eaver.patch
+libata-increase-the-timeout-when-setting-transfer-mode.patch
+libata-force-disable-trim-for-supersspeed-s238.patch
--- /dev/null
+From cab462140f8a183e3cca0b51c8b59ef715cb6148 Mon Sep 17 00:00:00 2001
+From: Haggai Eran <haggai.eran@gmail.com>
+Date: Sat, 23 May 2015 23:13:51 +0300
+Subject: staging: rtl8712: prevent buffer overrun in recvbuf2recvframe
+
+From: Haggai Eran <haggai.eran@gmail.com>
+
+commit cab462140f8a183e3cca0b51c8b59ef715cb6148 upstream.
+
+With an RTL8191SU USB adaptor, sometimes the hints for a fragmented
+packet are set, but the packet length is too large. Allocate enough
+space to prevent memory corruption and a resulting kernel panic [1].
+
+[1] http://www.spinics.net/lists/linux-wireless/msg136546.html
+
+Signed-off-by: Haggai Eran <haggai.eran@gmail.com>
+ACKed-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8712/rtl8712_recv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8712/rtl8712_recv.c
++++ b/drivers/staging/rtl8712/rtl8712_recv.c
+@@ -1075,7 +1075,8 @@ static int recvbuf2recvframe(struct _ada
+ /* for first fragment packet, driver need allocate 1536 +
+ * drvinfo_sz + RXDESC_SIZE to defrag packet. */
+ if ((mf == 1) && (frag == 0))
+- alloc_sz = 1658;/*1658+6=1664, 1664 is 128 alignment.*/
++ /*1658+6=1664, 1664 is 128 alignment.*/
++ alloc_sz = max_t(u16, tmp_len, 1658);
+ else
+ alloc_sz = tmp_len;
+ /* 2 is for IP header 4 bytes alignment in QoS packet case.
projects / thirdparty / kernel / stable-queue.git / commitdiff
