4.7-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 9 Sep 2016 16:07:20 +0000 (18:07 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 9 Sep 2016 16:07:20 +0000 (18:07 +0200)
added patches:
asoc-atmel_ssc_dai-don-t-unconditionally-reset-ssc-on-stream-startup.patch
drm-atomic-don-t-potentially-reset-color_mgmt_changed-on-successive-property-updates.patch
drm-msm-fix-use-of-copy_from_user-while-holding-spinlock.patch
drm-radeon-fix-radeon_move_blit-on-32bit-systems.patch
drm-radeon-only-apply-the-ss-fractional-workaround-to-rs80.patch
drm-reject-page_flip-for-driver_modeset.patch
drm-vc4-fix-oops-when-userspace-hands-in-a-bad-bo.patch
drm-vc4-fix-overflow-mem-unreferencing-when-the-binner-runs-dry.patch
drm-vc4-use-drm_free_large-on-handles-to-match-its-allocation.patch
timekeeping-avoid-taking-lock-in-nmi-path-with-config_debug_timekeeping.patch
timekeeping-cap-array-access-in-timekeeping_debug.patch
xenbus-don-t-look-up-transaction-ids-for-ordinary-writes.patch
xfs-fix-superblock-inprogress-check.patch

14 files changed:
queue-4.7/asoc-atmel_ssc_dai-don-t-unconditionally-reset-ssc-on-stream-startup.patch [new file with mode: 0644]
queue-4.7/drm-atomic-don-t-potentially-reset-color_mgmt_changed-on-successive-property-updates.patch [new file with mode: 0644]
queue-4.7/drm-msm-fix-use-of-copy_from_user-while-holding-spinlock.patch [new file with mode: 0644]
queue-4.7/drm-radeon-fix-radeon_move_blit-on-32bit-systems.patch [new file with mode: 0644]
queue-4.7/drm-radeon-only-apply-the-ss-fractional-workaround-to-rs80.patch [new file with mode: 0644]
queue-4.7/drm-reject-page_flip-for-driver_modeset.patch [new file with mode: 0644]
queue-4.7/drm-vc4-fix-oops-when-userspace-hands-in-a-bad-bo.patch [new file with mode: 0644]
queue-4.7/drm-vc4-fix-overflow-mem-unreferencing-when-the-binner-runs-dry.patch [new file with mode: 0644]
queue-4.7/drm-vc4-use-drm_free_large-on-handles-to-match-its-allocation.patch [new file with mode: 0644]
queue-4.7/series
queue-4.7/timekeeping-avoid-taking-lock-in-nmi-path-with-config_debug_timekeeping.patch [new file with mode: 0644]
queue-4.7/timekeeping-cap-array-access-in-timekeeping_debug.patch [new file with mode: 0644]
queue-4.7/xenbus-don-t-look-up-transaction-ids-for-ordinary-writes.patch [new file with mode: 0644]
queue-4.7/xfs-fix-superblock-inprogress-check.patch [new file with mode: 0644]

diff --git a/queue-4.7/asoc-atmel_ssc_dai-don-t-unconditionally-reset-ssc-on-stream-startup.patch b/queue-4.7/asoc-atmel_ssc_dai-don-t-unconditionally-reset-ssc-on-stream-startup.patch
new file mode 100644 (file)
index 0000000..4495b96
--- /dev/null
@@ -0,0 +1,38 @@
+From 3e103a65514c2947e53f3171b21255fbde8b60c6 Mon Sep 17 00:00:00 2001
+From: Christoph Huber <c.huber@bct-electronic.com>
+Date: Mon, 15 Aug 2016 18:59:25 +0200
+Subject: ASoC: atmel_ssc_dai: Don't unconditionally reset SSC on stream startup
+
+From: Christoph Huber <c.huber@bct-electronic.com>
+
+commit 3e103a65514c2947e53f3171b21255fbde8b60c6 upstream.
+
+commit cbaadf0f90d6 ("ASoC: atmel_ssc_dai: refactor the startup and
+shutdown") refactored code such that the SSC is reset on every
+startup; this breaks duplex audio (e.g. first start audio playback,
+then start record, causing the playback to stop/hang)
+
+Fixes: cbaadf0f90d6 (ASoC: atmel_ssc_dai: refactor the startup and shutdown)
+Signed-off-by: Christoph Huber <c.huber@bct-electronic.com>
+Signed-off-by: Peter Meerwald-Stadler <p.meerwald@bct-electronic.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/atmel/atmel_ssc_dai.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/atmel/atmel_ssc_dai.c
++++ b/sound/soc/atmel/atmel_ssc_dai.c
+@@ -299,8 +299,9 @@ static int atmel_ssc_startup(struct snd_
+       clk_enable(ssc_p->ssc->clk);
+       ssc_p->mck_rate = clk_get_rate(ssc_p->ssc->clk);
+-      /* Reset the SSC to keep it at a clean status */
+-      ssc_writel(ssc_p->ssc->regs, CR, SSC_BIT(CR_SWRST));
++      /* Reset the SSC unless initialized to keep it in a clean state */
++      if (!ssc_p->initialized)
++              ssc_writel(ssc_p->ssc->regs, CR, SSC_BIT(CR_SWRST));
+       if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
+               dir = 0;
diff --git a/queue-4.7/drm-atomic-don-t-potentially-reset-color_mgmt_changed-on-successive-property-updates.patch b/queue-4.7/drm-atomic-don-t-potentially-reset-color_mgmt_changed-on-successive-property-updates.patch
new file mode 100644 (file)
index 0000000..1acd2f9
--- /dev/null
@@ -0,0 +1,55 @@
+From add1fa75101263ab4d74240f93000998d4325624 Mon Sep 17 00:00:00 2001
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+Date: Sat, 27 Aug 2016 01:02:28 +0200
+Subject: drm/atomic: Don't potentially reset color_mgmt_changed on successive property updates.
+
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+
+commit add1fa75101263ab4d74240f93000998d4325624 upstream.
+
+Due to assigning the 'replaced' value instead of or'ing it,
+if drm_atomic_crtc_set_property() gets called multiple times,
+the last call will define the color_mgmt_changed flag, so
+a non-updating call to a property can reset the flag and
+prevent actual hw state updates required by preceding
+property updates.
+
+Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
+Cc: Daniel Vetter <daniel.vetter@intel.com>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_atomic.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/drm_atomic.c
++++ b/drivers/gpu/drm/drm_atomic.c
+@@ -465,7 +465,7 @@ int drm_atomic_crtc_set_property(struct
+                                       val,
+                                       -1,
+                                       &replaced);
+-              state->color_mgmt_changed = replaced;
++              state->color_mgmt_changed |= replaced;
+               return ret;
+       } else if (property == config->ctm_property) {
+               ret = drm_atomic_replace_property_blob_from_id(crtc,
+@@ -473,7 +473,7 @@ int drm_atomic_crtc_set_property(struct
+                                       val,
+                                       sizeof(struct drm_color_ctm),
+                                       &replaced);
+-              state->color_mgmt_changed = replaced;
++              state->color_mgmt_changed |= replaced;
+               return ret;
+       } else if (property == config->gamma_lut_property) {
+               ret = drm_atomic_replace_property_blob_from_id(crtc,
+@@ -481,7 +481,7 @@ int drm_atomic_crtc_set_property(struct
+                                       val,
+                                       -1,
+                                       &replaced);
+-              state->color_mgmt_changed = replaced;
++              state->color_mgmt_changed |= replaced;
+               return ret;
+       } else if (crtc->funcs->atomic_set_property)
+               return crtc->funcs->atomic_set_property(crtc, state, property, val);
diff --git a/queue-4.7/drm-msm-fix-use-of-copy_from_user-while-holding-spinlock.patch b/queue-4.7/drm-msm-fix-use-of-copy_from_user-while-holding-spinlock.patch
new file mode 100644 (file)
index 0000000..ddbec5d
--- /dev/null
@@ -0,0 +1,79 @@
+From 89f82cbb0d5c0ab768c8d02914188aa2211cd2e3 Mon Sep 17 00:00:00 2001
+From: Rob Clark <robdclark@gmail.com>
+Date: Mon, 22 Aug 2016 15:15:23 -0400
+Subject: drm/msm: fix use of copy_from_user() while holding spinlock
+
+From: Rob Clark <robdclark@gmail.com>
+
+commit 89f82cbb0d5c0ab768c8d02914188aa2211cd2e3 upstream.
+
+Use instead __copy_from_user_inatomic() and fallback to slow-path where
+we drop and re-aquire the lock in case of fault.
+
+Reported-by: Vaishali Thakkar <vaishali.thakkar@oracle.com>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c |   27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -62,6 +62,14 @@ void msm_gem_submit_free(struct msm_gem_
+       kfree(submit);
+ }
++static inline unsigned long __must_check
++copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
++{
++      if (access_ok(VERIFY_READ, from, n))
++              return __copy_from_user_inatomic(to, from, n);
++      return -EFAULT;
++}
++
+ static int submit_lookup_objects(struct msm_gem_submit *submit,
+               struct drm_msm_gem_submit *args, struct drm_file *file)
+ {
+@@ -69,6 +77,7 @@ static int submit_lookup_objects(struct
+       int ret = 0;
+       spin_lock(&file->table_lock);
++      pagefault_disable();
+       for (i = 0; i < args->nr_bos; i++) {
+               struct drm_msm_gem_submit_bo submit_bo;
+@@ -82,10 +91,15 @@ static int submit_lookup_objects(struct
+                */
+               submit->bos[i].flags = 0;
+-              ret = copy_from_user(&submit_bo, userptr, sizeof(submit_bo));
+-              if (ret) {
+-                      ret = -EFAULT;
+-                      goto out_unlock;
++              ret = copy_from_user_inatomic(&submit_bo, userptr, sizeof(submit_bo));
++              if (unlikely(ret)) {
++                      pagefault_enable();
++                      spin_unlock(&file->table_lock);
++                      ret = copy_from_user(&submit_bo, userptr, sizeof(submit_bo));
++                      if (ret)
++                              goto out;
++                      spin_lock(&file->table_lock);
++                      pagefault_disable();
+               }
+               if (submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) {
+@@ -125,9 +139,12 @@ static int submit_lookup_objects(struct
+       }
+ out_unlock:
+-      submit->nr_bos = i;
++      pagefault_enable();
+       spin_unlock(&file->table_lock);
++out:
++      submit->nr_bos = i;
++
+       return ret;
+ }
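Review bot: In the slow path of submit_lookup_objects(), `ret = copy_from_user(&submit_bo, userptr, sizeof(submit_bo)); if (ret) goto out;` leaves `ret` holding the number of bytes that could not be copied, so a faulting user pointer makes the function return a positive count where the removed code returned -EFAULT. Setting the errno explicitly avoids that: `if (copy_from_user(&submit_bo, userptr, sizeof(submit_bo))) { ret = -EFAULT; goto out; }`. The new copy_from_user_inatomic() helper is also declared `unsigned long` yet returns `-EFAULT`, which is harmless only because the caller tests for non-zero; a comment stating "non-zero on failure, not an errno" would stop the value being propagated later. The loop body and the code that consumes the return value lie partly outside the hunk.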
diff --git a/queue-4.7/drm-radeon-fix-radeon_move_blit-on-32bit-systems.patch b/queue-4.7/drm-radeon-fix-radeon_move_blit-on-32bit-systems.patch
new file mode 100644 (file)
index 0000000..8be29b9
--- /dev/null
@@ -0,0 +1,36 @@
+From 13f479b9df4e2bbf2d16e7e1b02f3f55f70e2455 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
+Date: Wed, 17 Aug 2016 09:46:42 +0200
+Subject: drm/radeon: fix radeon_move_blit on 32bit systems
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König <christian.koenig@amd.com>
+
+commit 13f479b9df4e2bbf2d16e7e1b02f3f55f70e2455 upstream.
+
+This bug seems to be present for a very long time.
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/radeon_ttm.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_ttm.c
++++ b/drivers/gpu/drm/radeon/radeon_ttm.c
+@@ -263,8 +263,8 @@ static int radeon_move_blit(struct ttm_b
+       rdev = radeon_get_rdev(bo->bdev);
+       ridx = radeon_copy_ring_index(rdev);
+-      old_start = old_mem->start << PAGE_SHIFT;
+-      new_start = new_mem->start << PAGE_SHIFT;
++      old_start = (u64)old_mem->start << PAGE_SHIFT;
++      new_start = (u64)new_mem->start << PAGE_SHIFT;
+       switch (old_mem->mem_type) {
+       case TTM_PL_VRAM:
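Review bot: The `(u64)` casts in radeon_move_blit() only help if `old_start` and `new_start` are themselves 64-bit, and their declarations are outside the hunk. Neither the code nor the commit message records why the cast is needed, so I would add a comment above the two assignments, for example `/* start is a page number; widen before shifting or offsets at or above 4 GiB wrap on 32-bit */`. The same `start << PAGE_SHIFT` pattern elsewhere in the driver deserves the same treatment, though only these two sites are visible here.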
diff --git a/queue-4.7/drm-radeon-only-apply-the-ss-fractional-workaround-to-rs80.patch b/queue-4.7/drm-radeon-only-apply-the-ss-fractional-workaround-to-rs80.patch
new file mode 100644 (file)
index 0000000..985570c
--- /dev/null
@@ -0,0 +1,39 @@
+From ae5b80d2b68eac945b124227dea34462118a6f01 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
+Date: Thu, 18 Aug 2016 11:51:14 +0200
+Subject: drm/radeon: only apply the SS fractional workaround to RS[78]80
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König <christian.koenig@amd.com>
+
+commit ae5b80d2b68eac945b124227dea34462118a6f01 upstream.
+
+Looks like some RV6xx have problems with that.
+
+bug:
+https://bugs.freedesktop.org/show_bug.cgi?id=97099
+
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/atombios_crtc.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/atombios_crtc.c
++++ b/drivers/gpu/drm/radeon/atombios_crtc.c
+@@ -627,7 +627,9 @@ static u32 atombios_adjust_pll(struct dr
+                       if (radeon_crtc->ss.refdiv) {
+                               radeon_crtc->pll_flags |= RADEON_PLL_USE_REF_DIV;
+                               radeon_crtc->pll_reference_div = radeon_crtc->ss.refdiv;
+-                              if (rdev->family >= CHIP_RV770)
++                              if (ASIC_IS_AVIVO(rdev) &&
++                                  rdev->family != CHIP_RS780 &&
++                                  rdev->family != CHIP_RS880)
+                                       radeon_crtc->pll_flags |= RADEON_PLL_USE_FRAC_FB_DIV;
+                       }
+               }
diff --git a/queue-4.7/drm-reject-page_flip-for-driver_modeset.patch b/queue-4.7/drm-reject-page_flip-for-driver_modeset.patch
new file mode 100644 (file)
index 0000000..985fda1
--- /dev/null
@@ -0,0 +1,37 @@
+From 6f00975c619064a18c23fd3aced325ae165a73b9 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Sat, 20 Aug 2016 12:22:11 +0200
+Subject: drm: Reject page_flip for !DRIVER_MODESET
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit 6f00975c619064a18c23fd3aced325ae165a73b9 upstream.
+
+Somehow this one slipped through, which means drivers without modeset
+support can be oopsed (since those also don't call
+drm_mode_config_init, which means the crtc lookup will chase an
+uninitalized idr).
+
+Reported-by: Alexander Potapenko <glider@google.com>
+Cc: Alexander Potapenko <glider@google.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_crtc.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/drm_crtc.c
++++ b/drivers/gpu/drm/drm_crtc.c
+@@ -5312,6 +5312,9 @@ int drm_mode_page_flip_ioctl(struct drm_
+       struct drm_pending_vblank_event *e = NULL;
+       int ret = -EINVAL;
++      if (!drm_core_check_feature(dev, DRIVER_MODESET))
++              return -EINVAL;
++
+       if (page_flip->flags & ~DRM_MODE_PAGE_FLIP_FLAGS ||
+           page_flip->reserved != 0)
+               return -EINVAL;
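Review bot: The new `drm_core_check_feature(dev, DRIVER_MODESET)` guard in drm_mode_page_flip_ioctl() carries no comment, and its reason is not obvious from the code: per the commit message, non-modeset drivers never call drm_mode_config_init(), so the crtc lookup would walk an uninitialized idr. I would add `/* non-KMS drivers never initialise mode_config; reject before any object lookup */` above it. Because the check is repeated per ioctl handler rather than enforced once at dispatch, every other handler in this file that looks up mode objects should be confirmed to have the same guard. Only this handler is visible in the hunk.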
diff --git a/queue-4.7/drm-vc4-fix-oops-when-userspace-hands-in-a-bad-bo.patch b/queue-4.7/drm-vc4-fix-oops-when-userspace-hands-in-a-bad-bo.patch
new file mode 100644 (file)
index 0000000..42b6aa3
--- /dev/null
@@ -0,0 +1,31 @@
+From 552416c146fadc67cd9b53ef7adf88d3381c43a6 Mon Sep 17 00:00:00 2001
+From: Eric Anholt <eric@anholt.net>
+Date: Tue, 26 Jul 2016 13:47:15 -0700
+Subject: drm/vc4: Fix oops when userspace hands in a bad BO.
+
+From: Eric Anholt <eric@anholt.net>
+
+commit 552416c146fadc67cd9b53ef7adf88d3381c43a6 upstream.
+
+We'd end up NULL pointer dereferencing because we didn't take the
+error path out in the parent.  Fixes igt vc4_lookup_fail test.
+
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vc4/vc4_gem.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -575,7 +575,7 @@ vc4_cl_lookup_bos(struct drm_device *dev
+ fail:
+       drm_free_large(handles);
+-      return 0;
++      return ret;
+ }
+ static int
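Review bot: `return ret;` sits under the `fail:` label in vc4_cl_lookup_bos(), which also appears to be the normal exit, since the companion hunk on this page shows `spin_unlock(&file_priv->table_lock);` falling straight through to it. The success path therefore now depends on `ret` being 0 at that point. The declaration and every assignment to `ret` are outside the hunk, so this needs checking in the full function; a stale non-zero value would make a successful lookup look like a failure. Renaming the label to a neutral `out:` would make the shared exit clearer.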
diff --git a/queue-4.7/drm-vc4-fix-overflow-mem-unreferencing-when-the-binner-runs-dry.patch b/queue-4.7/drm-vc4-fix-overflow-mem-unreferencing-when-the-binner-runs-dry.patch
new file mode 100644 (file)
index 0000000..df237f6
--- /dev/null
@@ -0,0 +1,61 @@
+From 9326e6f25574bbb8bd48206d245654780e3fd665 Mon Sep 17 00:00:00 2001
+From: Eric Anholt <eric@anholt.net>
+Date: Tue, 26 Jul 2016 13:47:14 -0700
+Subject: drm/vc4: Fix overflow mem unreferencing when the binner runs dry.
+
+From: Eric Anholt <eric@anholt.net>
+
+commit 9326e6f25574bbb8bd48206d245654780e3fd665 upstream.
+
+Overflow memory handling is tricky: While it's still referenced by the
+BPO registers, we want to keep it from being freed.  When we are
+putting a new set of overflow memory in the registers, we need to
+assign the old one to the last rendering job using it.
+
+We were looking at "what's currently running in the binner", but since
+the bin/render submission split, we may end up with the binner
+completing and having no new job while the renderer is still
+processing.  So, if we don't find a bin job at all, look at the
+highest-seqno (last) render job to attach our overflow to.
+
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Fixes: ca26d28bbaa3 ("drm/vc4: improve throughput by pipelining binning and rendering jobs")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vc4/vc4_drv.h |    9 +++++++++
+ drivers/gpu/drm/vc4/vc4_irq.c |    4 +++-
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vc4/vc4_drv.h
++++ b/drivers/gpu/drm/vc4/vc4_drv.h
+@@ -321,6 +321,15 @@ vc4_first_render_job(struct vc4_dev *vc4
+                               struct vc4_exec_info, head);
+ }
++static inline struct vc4_exec_info *
++vc4_last_render_job(struct vc4_dev *vc4)
++{
++      if (list_empty(&vc4->render_job_list))
++              return NULL;
++      return list_last_entry(&vc4->render_job_list,
++                             struct vc4_exec_info, head);
++}
++
+ /**
+  * struct vc4_texture_sample_info - saves the offsets into the UBO for texture
+  * setup parameters.
+--- a/drivers/gpu/drm/vc4/vc4_irq.c
++++ b/drivers/gpu/drm/vc4/vc4_irq.c
+@@ -83,8 +83,10 @@ vc4_overflow_mem_work(struct work_struct
+               spin_lock_irqsave(&vc4->job_lock, irqflags);
+               current_exec = vc4_first_bin_job(vc4);
++              if (!current_exec)
++                      current_exec = vc4_last_render_job(vc4);
+               if (current_exec) {
+-                      vc4->overflow_mem->seqno = vc4->finished_seqno + 1;
++                      vc4->overflow_mem->seqno = current_exec->seqno;
+                       list_add_tail(&vc4->overflow_mem->unref_head,
+                                     &current_exec->unref_list);
+                       vc4->overflow_mem = NULL;
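Review bot: vc4_last_render_job() is added without any statement of its locking requirement. Its only caller in this patch, vc4_overflow_mem_work(), uses it after `spin_lock_irqsave(&vc4->job_lock, irqflags)`, which suggests that render_job_list is protected by job_lock. A short comment such as `/* Caller must hold vc4->job_lock. Returns NULL when no render job is queued. */` would keep future callers from walking the list unlocked. When both the bin and render lists are empty, `current_exec` stays NULL and the branch is skipped; what then happens to the old overflow_mem is outside the hunk.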
diff --git a/queue-4.7/drm-vc4-use-drm_free_large-on-handles-to-match-its-allocation.patch b/queue-4.7/drm-vc4-use-drm_free_large-on-handles-to-match-its-allocation.patch
new file mode 100644 (file)
index 0000000..4033306
--- /dev/null
@@ -0,0 +1,31 @@
+From d5fb46e0e3b7e49ee83ba92efc3ab4e1a545ecc1 Mon Sep 17 00:00:00 2001
+From: Eric Anholt <eric@anholt.net>
+Date: Tue, 26 Jul 2016 13:47:10 -0700
+Subject: drm/vc4: Use drm_free_large() on handles to match its allocation.
+
+From: Eric Anholt <eric@anholt.net>
+
+commit d5fb46e0e3b7e49ee83ba92efc3ab4e1a545ecc1 upstream.
+
+If you managed to exceed the limit to switch to vmalloc, we'd use the
+wrong free.
+
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vc4/vc4_gem.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -574,7 +574,7 @@ vc4_cl_lookup_bos(struct drm_device *dev
+       spin_unlock(&file_priv->table_lock);
+ fail:
+-      kfree(handles);
++      drm_free_large(handles);
+       return 0;
+ }
index c44cffba8a0ffa97ab79ab3ed422e3be8af4afe3..b9fab80b7e1c00f542e5b5f3c0d980de685fb83f 100644 (file)
@@ -15,3 +15,16 @@ block-fix-race-triggered-by-blk_set_queue_dying.patch
 block-make-sure-a-big-bio-is-split-into-at-most-256-bvecs.patch
 cgroup-reduce-read-locked-section-of-cgroup_threadgroup_rwsem-during-fork.patch
 cdc-acm-added-sanity-checking-for-probe.patch
+drm-radeon-fix-radeon_move_blit-on-32bit-systems.patch
+drm-radeon-only-apply-the-ss-fractional-workaround-to-rs80.patch
+drm-atomic-don-t-potentially-reset-color_mgmt_changed-on-successive-property-updates.patch
+drm-reject-page_flip-for-driver_modeset.patch
+drm-msm-fix-use-of-copy_from_user-while-holding-spinlock.patch
+drm-vc4-use-drm_free_large-on-handles-to-match-its-allocation.patch
+drm-vc4-fix-overflow-mem-unreferencing-when-the-binner-runs-dry.patch
+drm-vc4-fix-oops-when-userspace-hands-in-a-bad-bo.patch
+asoc-atmel_ssc_dai-don-t-unconditionally-reset-ssc-on-stream-startup.patch
+xfs-fix-superblock-inprogress-check.patch
+timekeeping-cap-array-access-in-timekeeping_debug.patch
+timekeeping-avoid-taking-lock-in-nmi-path-with-config_debug_timekeeping.patch
+xenbus-don-t-look-up-transaction-ids-for-ordinary-writes.patch
diff --git a/queue-4.7/timekeeping-avoid-taking-lock-in-nmi-path-with-config_debug_timekeeping.patch b/queue-4.7/timekeeping-avoid-taking-lock-in-nmi-path-with-config_debug_timekeeping.patch
new file mode 100644 (file)
index 0000000..8bade40
--- /dev/null
@@ -0,0 +1,45 @@
+From 27727df240c7cc84f2ba6047c6f18d5addfd25ef Mon Sep 17 00:00:00 2001
+From: John Stultz <john.stultz@linaro.org>
+Date: Tue, 23 Aug 2016 16:08:21 -0700
+Subject: timekeeping: Avoid taking lock in NMI path with CONFIG_DEBUG_TIMEKEEPING
+
+From: John Stultz <john.stultz@linaro.org>
+
+commit 27727df240c7cc84f2ba6047c6f18d5addfd25ef upstream.
+
+When I added some extra sanity checking in timekeeping_get_ns() under
+CONFIG_DEBUG_TIMEKEEPING, I missed that the NMI safe __ktime_get_fast_ns()
+method was using timekeeping_get_ns().
+
+Thus the locking added to the debug checks broke the NMI-safety of
+__ktime_get_fast_ns().
+
+This patch open-codes the timekeeping_get_ns() logic for
+__ktime_get_fast_ns(), so can avoid any deadlocks in NMI.
+
+Fixes: 4ca22c2648f9 "timekeeping: Add warnings when overflows or underflows are observed"
+Reported-by: Steven Rostedt <rostedt@goodmis.org>
+Reported-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Link: http://lkml.kernel.org/r/1471993702-29148-2-git-send-email-john.stultz@linaro.org
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/timekeeping.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/time/timekeeping.c
++++ b/kernel/time/timekeeping.c
+@@ -401,7 +401,10 @@ static __always_inline u64 __ktime_get_f
+       do {
+               seq = raw_read_seqcount_latch(&tkf->seq);
+               tkr = tkf->base + (seq & 0x01);
+-              now = ktime_to_ns(tkr->base) + timekeeping_get_ns(tkr);
++              now = ktime_to_ns(tkr->base);
++
++              now += clocksource_delta(tkr->read(tkr->clock),
++                                       tkr->cycle_last, tkr->mask);
+       } while (read_seqcount_retry(&tkf->seq, seq));
+       return now;
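Review bot: The open-coded replacement in __ktime_get_fast_ns() adds the result of `clocksource_delta(...)` straight onto `now`, which holds nanoseconds from `ktime_to_ns(tkr->base)`. The delta looks like a raw cycle count, and nothing in the hunk applies the clocksource mult/shift scaling that timekeeping_get_ns() presumably performed. If that reading is right, the fast clock advances at the counter's rate rather than in nanoseconds, and timestamps taken from NMI context are skewed. The delta should be converted before the addition, along the lines of `now += (delta * tkr->mult + tkr->xtime_nsec) >> tkr->shift;`, with the exact expression taken from timekeeping_get_ns(), which is not visible here.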
diff --git a/queue-4.7/timekeeping-cap-array-access-in-timekeeping_debug.patch b/queue-4.7/timekeeping-cap-array-access-in-timekeeping_debug.patch
new file mode 100644 (file)
index 0000000..9faefd8
--- /dev/null
@@ -0,0 +1,83 @@
+From a4f8f6667f099036c88f231dcad4cf233652c824 Mon Sep 17 00:00:00 2001
+From: John Stultz <john.stultz@linaro.org>
+Date: Tue, 23 Aug 2016 16:08:22 -0700
+Subject: timekeeping: Cap array access in timekeeping_debug
+
+From: John Stultz <john.stultz@linaro.org>
+
+commit a4f8f6667f099036c88f231dcad4cf233652c824 upstream.
+
+It was reported that hibernation could fail on the 2nd attempt, where the
+system hangs at hibernate() -> syscore_resume() -> i8237A_resume() ->
+claim_dma_lock(), because the lock has already been taken.
+
+However there is actually no other process would like to grab this lock on
+that problematic platform.
+
+Further investigation showed that the problem is triggered by setting
+/sys/power/pm_trace to 1 before the 1st hibernation.
+
+Since once pm_trace is enabled, the rtc becomes unmeaningful after suspend,
+and meanwhile some BIOSes would like to adjust the 'invalid' RTC (e.g, smaller
+than 1970) to the release date of that motherboard during POST stage, thus
+after resumed, it may seem that the system had a significant long sleep time
+which is a completely meaningless value.
+
+Then in timekeeping_resume -> tk_debug_account_sleep_time, if the bit31 of the
+sleep time happened to be set to 1, fls() returns 32 and we add 1 to
+sleep_time_bin[32], which causes an out of bounds array access and therefor
+memory being overwritten.
+
+As depicted by System.map:
+0xffffffff81c9d080 b sleep_time_bin
+0xffffffff81c9d100 B dma_spin_lock
+the dma_spin_lock.val is set to 1, which caused this problem.
+
+This patch adds a sanity check in tk_debug_account_sleep_time()
+to ensure we don't index past the sleep_time_bin array.
+
+[jstultz: Problem diagnosed and original patch by Chen Yu, I've solved the
+ issue slightly differently, but borrowed his excelent explanation of the
+ issue here.]
+
+Fixes: 5c83545f24ab "power: Add option to log time spent in suspend"
+Reported-by: Janek Kozicki <cosurgi@gmail.com>
+Reported-by: Chen Yu <yu.c.chen@intel.com>
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Cc: linux-pm@vger.kernel.org
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Xunlei Pang <xpang@redhat.com>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Zhang Rui <rui.zhang@intel.com>
+Link: http://lkml.kernel.org/r/1471993702-29148-3-git-send-email-john.stultz@linaro.org
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/timekeeping_debug.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/kernel/time/timekeeping_debug.c
++++ b/kernel/time/timekeeping_debug.c
+@@ -23,7 +23,9 @@
+ #include "timekeeping_internal.h"
+-static unsigned int sleep_time_bin[32] = {0};
++#define NUM_BINS 32
++
++static unsigned int sleep_time_bin[NUM_BINS] = {0};
+ static int tk_debug_show_sleep_time(struct seq_file *s, void *data)
+ {
+@@ -69,6 +71,9 @@ late_initcall(tk_debug_sleep_time_init);
+ void tk_debug_account_sleep_time(struct timespec64 *t)
+ {
+-      sleep_time_bin[fls(t->tv_sec)]++;
++      /* Cap bin index so we don't overflow the array */
++      int bin = min(fls(t->tv_sec), NUM_BINS-1);
++
++      sleep_time_bin[bin]++;
+ }
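Review bot: `fls(t->tv_sec)` in tk_debug_account_sleep_time() still narrows the 64-bit `tv_sec` to fls()'s int argument before the cap is applied. The bogus post-resume values described in the commit message are therefore binned by their low 32 bits only, and a value with only high bits set lands in bin 0. The cap does stop the out-of-bounds increment; to keep the histogram meaningful as well, `int bin = min(fls64(t->tv_sec), NUM_BINS-1);` would be closer to the intent, assuming fls64() is acceptable in this path. Any loop over sleep_time_bin in tk_debug_show_sleep_time() should use NUM_BINS too; that function's body is outside the hunk.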
diff --git a/queue-4.7/xenbus-don-t-look-up-transaction-ids-for-ordinary-writes.patch b/queue-4.7/xenbus-don-t-look-up-transaction-ids-for-ordinary-writes.patch
new file mode 100644 (file)
index 0000000..5fb5491
--- /dev/null
@@ -0,0 +1,37 @@
+From 9a035a40f7f3f6708b79224b86c5777a3334f7ea Mon Sep 17 00:00:00 2001
+From: Jan Beulich <JBeulich@suse.com>
+Date: Mon, 15 Aug 2016 09:02:38 -0600
+Subject: xenbus: don't look up transaction IDs for ordinary writes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jan Beulich <JBeulich@suse.com>
+
+commit 9a035a40f7f3f6708b79224b86c5777a3334f7ea upstream.
+
+This should really only be done for XS_TRANSACTION_END messages, or
+else at least some of the xenstore-* tools don't work anymore.
+
+Fixes: 0beef634b8 ("xenbus: don't BUG() on user mode induced condition")
+Reported-by: Richard Schütz <rschuetz@uni-koblenz.de>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Tested-by: Richard Schütz <rschuetz@uni-koblenz.de>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xenbus/xenbus_dev_frontend.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
+@@ -316,7 +316,7 @@ static int xenbus_write_transaction(unsi
+                       rc = -ENOMEM;
+                       goto out;
+               }
+-      } else {
++      } else if (msg_type == XS_TRANSACTION_END) {
+               list_for_each_entry(trans, &u->transactions, list)
+                       if (trans->handle.id == u->u.msg.tx_id)
+                               break;
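Review bot: With the lookup now limited to `msg_type == XS_TRANSACTION_END`, `trans` is no longer assigned for ordinary writes in xenbus_write_transaction(). Every later use of `trans` therefore has to sit behind the same type check, and the variable has to start out as NULL. Neither the declaration nor the code after the loop is inside the hunk, so this should be confirmed against the full function. A one-line comment above the branch, e.g. `/* only XS_TRANSACTION_END must match a transaction opened on this handle */`, would document why other message types skip the lookup.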
diff --git a/queue-4.7/xfs-fix-superblock-inprogress-check.patch b/queue-4.7/xfs-fix-superblock-inprogress-check.patch
new file mode 100644 (file)
index 0000000..f40f882
--- /dev/null
@@ -0,0 +1,42 @@
+From f3d7ebdeb2c297bd26272384e955033493ca291c Mon Sep 17 00:00:00 2001
+From: Dave Chinner <dchinner@redhat.com>
+Date: Fri, 26 Aug 2016 16:01:30 +1000
+Subject: xfs: fix superblock inprogress check
+
+From: Dave Chinner <dchinner@redhat.com>
+
+commit f3d7ebdeb2c297bd26272384e955033493ca291c upstream.
+
+From inspection, the superblock sb_inprogress check is done in the
+verifier and triggered only for the primary superblock via a
+"bp->b_bn == XFS_SB_DADDR" check.
+
+Unfortunately, the primary superblock is an uncached buffer, and
+hence it is configured by xfs_buf_read_uncached() with:
+
+       bp->b_bn = XFS_BUF_DADDR_NULL;  /* always null for uncached buffers */
+
+And so this check never triggers. Fix it.
+
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/libxfs/xfs_sb.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/libxfs/xfs_sb.c
++++ b/fs/xfs/libxfs/xfs_sb.c
+@@ -581,7 +581,8 @@ xfs_sb_verify(
+        * Only check the in progress field for the primary superblock as
+        * mkfs.xfs doesn't clear it from secondary superblocks.
+        */
+-      return xfs_mount_validate_sb(mp, &sb, bp->b_bn == XFS_SB_DADDR,
++      return xfs_mount_validate_sb(mp, &sb,
++                                   bp->b_maps[0].bm_bn == XFS_SB_DADDR,
+                                    check_version);
+ }
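Review bot: The switch from `bp->b_bn` to `bp->b_maps[0].bm_bn` in xfs_sb_verify() is explained only in the commit message, while the comment above the call still mentions just the primary superblock. I would extend that comment with `b_bn is XFS_BUF_DADDR_NULL for uncached buffers, so compare the first map's block number instead`, because the old form silently disabled the in-progress check. The hunk does not show whether `b_maps` is always populated by the time the verifier runs, which is worth confirming for each path that attaches this verifier.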