--- /dev/null
+From 979cf59acc9d634cc140aadd0d2915947ab303cc Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyj.lk@gmail.com>
+Date: Fri, 12 Aug 2016 11:45:18 +0000
+Subject: ASoC: Intel: Skylake: Fix error return code in skl_probe()
+
+From: Wei Yongjun <weiyj.lk@gmail.com>
+
+commit 979cf59acc9d634cc140aadd0d2915947ab303cc upstream.
+
+Fix to return error code -ENODEV from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: 87b2bdf02278 ("ASoC: Intel: Skylake: Initialize NHLT table")
+Signed-off-by: Wei Yongjun <weiyj.lk@gmail.com>
+Acked-By: Vinod Koul <vinod.kou@intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/intel/skylake/skl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/intel/skylake/skl.c
++++ b/sound/soc/intel/skylake/skl.c
+@@ -659,8 +659,10 @@ static int skl_probe(struct pci_dev *pci
+
+ skl->nhlt = skl_nhlt_init(bus->dev);
+
+- if (skl->nhlt == NULL)
++ if (skl->nhlt == NULL) {
++ err = -ENODEV;
+ goto out_free;
++ }
+
+ skl_nhlt_update_topology_bin(skl);
+
--- /dev/null
+From a8719670687c46ed2e904c0d05fa4cd7e4950cd1 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Tue, 23 Aug 2016 10:27:19 +0300
+Subject: ASoC: omap-mcpdm: Fix irq resource handling
+
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+
+commit a8719670687c46ed2e904c0d05fa4cd7e4950cd1 upstream.
+
+Fixes: ddd17531ad908 ("ASoC: omap-mcpdm: Clean up with devm_* function")
+
+Managed irq request will not doing any good in ASoC probe level as it is
+not going to free up the irq when the driver is unbound from the sound
+card.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Reported-by: Russell King <linux@armlinux.org.uk>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/omap/omap-mcpdm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/omap/omap-mcpdm.c
++++ b/sound/soc/omap/omap-mcpdm.c
+@@ -390,8 +390,8 @@ static int omap_mcpdm_probe(struct snd_s
+ pm_runtime_get_sync(mcpdm->dev);
+ omap_mcpdm_write(mcpdm, MCPDM_REG_CTRL, 0x00);
+
+- ret = devm_request_irq(mcpdm->dev, mcpdm->irq, omap_mcpdm_irq_handler,
+- 0, "McPDM", (void *)mcpdm);
++ ret = request_irq(mcpdm->irq, omap_mcpdm_irq_handler, 0, "McPDM",
++ (void *)mcpdm);
+
+ pm_runtime_put_sync(mcpdm->dev);
+
+@@ -416,6 +416,7 @@ static int omap_mcpdm_remove(struct snd_
+ {
+ struct omap_mcpdm *mcpdm = snd_soc_dai_get_drvdata(dai);
+
++ free_irq(mcpdm->irq, (void *)mcpdm);
+ pm_runtime_disable(mcpdm->dev);
+
+ return 0;
--- /dev/null
+From 3bdae810721b33061d2e541bd78a70f86ca42af3 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Mon, 18 Jul 2016 16:24:34 -0700
+Subject: brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+commit 3bdae810721b33061d2e541bd78a70f86ca42af3 upstream.
+
+In case brcmf_sdiod_recv_chain() cannot complete a succeful call to
+brcmf_sdiod_buffrw, we would be leaking glom_skb and not free it as we
+should, fix this.
+
+Reported-by: coverity (CID 1164856)
+Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -722,8 +722,10 @@ int brcmf_sdiod_recv_chain(struct brcmf_
+ return -ENOMEM;
+ err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr,
+ glom_skb);
+- if (err)
++ if (err) {
++ brcmu_pkt_buf_free_skb(glom_skb);
+ goto done;
++ }
+
+ skb_queue_walk(pktq, skb) {
+ memcpy(skb->data, glom_skb->data, skb->len);
--- /dev/null
+From 5c5fa1f464ac954982df1d96b9f9a5103d21aedd Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Mon, 18 Jul 2016 16:24:35 -0700
+Subject: brcmsmac: Free packet if dma_mapping_error() fails in dma_rxfill
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+commit 5c5fa1f464ac954982df1d96b9f9a5103d21aedd upstream.
+
+In case dma_mapping_error() returns an error in dma_rxfill, we would be
+leaking a packet that we allocated with brcmu_pkt_buf_get_skb().
+
+Reported-by: coverity (CID 1081819)
+Fixes: 67d0cf50bd32 ("brcmsmac: Fix WARNING caused by lack of calls to dma_mapping_error()")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Acked-by: Arend van Spriel <arend@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c
+@@ -1079,8 +1079,10 @@ bool dma_rxfill(struct dma_pub *pub)
+
+ pa = dma_map_single(di->dmadev, p->data, di->rxbufsize,
+ DMA_FROM_DEVICE);
+- if (dma_mapping_error(di->dmadev, pa))
++ if (dma_mapping_error(di->dmadev, pa)) {
++ brcmu_pkt_buf_free_skb(p);
+ return false;
++ }
+
+ /* save the free packet pointer */
+ di->rxp[rxout] = p;
--- /dev/null
+From f823a2aa8f4674c095a5413b9e3ba12d82df06f2 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Mon, 18 Jul 2016 16:24:37 -0700
+Subject: brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get()
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+commit f823a2aa8f4674c095a5413b9e3ba12d82df06f2 upstream.
+
+wlc_phy_txpower_get_current() does a logical OR of power->flags, which
+presumes that power.flags was initiliazed earlier by the caller,
+unfortunately, this is not the case, so make sure we zero out the struct
+tx_power before calling into wlc_phy_txpower_get_current().
+
+Reported-by: coverity (CID 146011)
+Fixes: 5b435de0d7868 ("net: wireless: add brcm80211 drivers")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmsmac/stf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/stf.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/stf.c
+@@ -87,7 +87,7 @@ void
+ brcms_c_stf_ss_algo_channel_get(struct brcms_c_info *wlc, u16 *ss_algo_channel,
+ u16 chanspec)
+ {
+- struct tx_power power;
++ struct tx_power power = { };
+ u8 siso_mcs_id, cdd_mcs_id, stbc_mcs_id;
+
+ /* Clear previous settings */
--- /dev/null
+From 8fbaa51d43ef2c6a72849ec34060910723a0365f Mon Sep 17 00:00:00 2001
+From: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Date: Fri, 15 Jul 2016 17:20:36 +1000
+Subject: cxl: fix potential NULL dereference in free_adapter()
+
+From: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+
+commit 8fbaa51d43ef2c6a72849ec34060910723a0365f upstream.
+
+If kzalloc() fails when allocating adapter->guest in
+cxl_guest_init_adapter(), we call free_adapter() before erroring out.
+free_adapter() in turn attempts to dereference adapter->guest, which in
+this case is NULL.
+
+In free_adapter(), skip the adapter->guest cleanup if adapter->guest is
+NULL.
+
+Fixes: 14baf4d9c739 ("cxl: Add guest-specific code")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/cxl/guest.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/drivers/misc/cxl/guest.c
++++ b/drivers/misc/cxl/guest.c
+@@ -1052,16 +1052,18 @@ static void free_adapter(struct cxl *ada
+ struct irq_avail *cur;
+ int i;
+
+- if (adapter->guest->irq_avail) {
+- for (i = 0; i < adapter->guest->irq_nranges; i++) {
+- cur = &adapter->guest->irq_avail[i];
+- kfree(cur->bitmap);
++ if (adapter->guest) {
++ if (adapter->guest->irq_avail) {
++ for (i = 0; i < adapter->guest->irq_nranges; i++) {
++ cur = &adapter->guest->irq_avail[i];
++ kfree(cur->bitmap);
++ }
++ kfree(adapter->guest->irq_avail);
+ }
+- kfree(adapter->guest->irq_avail);
++ kfree(adapter->guest->status);
++ kfree(adapter->guest);
+ }
+- kfree(adapter->guest->status);
+ cxl_remove_adapter_nr(adapter);
+- kfree(adapter->guest);
+ kfree(adapter);
+ }
+
--- /dev/null
+From 23d70503ee187819a3775c7ac73f17c5bfe3fad0 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyj.lk@gmail.com>
+Date: Fri, 5 Aug 2016 13:46:49 +0000
+Subject: IB/core: Fix possible memory leak in cma_resolve_iboe_route()
+
+From: Wei Yongjun <weiyj.lk@gmail.com>
+
+commit 23d70503ee187819a3775c7ac73f17c5bfe3fad0 upstream.
+
+'work' and 'route->path_rec' are malloced in cma_resolve_iboe_route()
+and should be freed before leaving from the error handling cases,
+otherwise it will cause memory leak.
+
+Fixes: 200298326b27 ('IB/core: Validate route when we init ah')
+Signed-off-by: Wei Yongjun <weiyj.lk@gmail.com>
+Reviewed-by: Haggai Eran <haggaie@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/cma.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -2452,18 +2452,24 @@ static int cma_resolve_iboe_route(struct
+
+ if (addr->dev_addr.bound_dev_if) {
+ ndev = dev_get_by_index(&init_net, addr->dev_addr.bound_dev_if);
+- if (!ndev)
+- return -ENODEV;
++ if (!ndev) {
++ ret = -ENODEV;
++ goto err2;
++ }
+
+ if (ndev->flags & IFF_LOOPBACK) {
+ dev_put(ndev);
+- if (!id_priv->id.device->get_netdev)
+- return -EOPNOTSUPP;
++ if (!id_priv->id.device->get_netdev) {
++ ret = -EOPNOTSUPP;
++ goto err2;
++ }
+
+ ndev = id_priv->id.device->get_netdev(id_priv->id.device,
+ id_priv->id.port_num);
+- if (!ndev)
+- return -ENODEV;
++ if (!ndev) {
++ ret = -ENODEV;
++ goto err2;
++ }
+ }
+
+ route->path_rec->net = &init_net;
--- /dev/null
+From a4e187d83d88eeaba6252aac0a2ffe5eaa73a818 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Wed, 29 Jun 2016 13:55:22 -0400
+Subject: NFS: Don't drop CB requests with invalid principals
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit a4e187d83d88eeaba6252aac0a2ffe5eaa73a818 upstream.
+
+Before commit 778be232a207 ("NFS do not find client in NFSv4
+pg_authenticate"), the Linux callback server replied with
+RPC_AUTH_ERROR / RPC_AUTH_BADCRED, instead of dropping the CB
+request. Let's restore that behavior so the server has a chance to
+do something useful about it, and provide a warning that helps
+admins correct the problem.
+
+Fixes: 778be232a207 ("NFS do not find client in NFSv4 ...")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Tested-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/callback_xdr.c | 6 +++++-
+ net/sunrpc/svc.c | 5 +++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/callback_xdr.c
++++ b/fs/nfs/callback_xdr.c
+@@ -925,7 +925,7 @@ static __be32 nfs4_callback_compound(str
+ if (hdr_arg.minorversion == 0) {
+ cps.clp = nfs4_find_client_ident(SVC_NET(rqstp), hdr_arg.cb_ident);
+ if (!cps.clp || !check_gss_callback_principal(cps.clp, rqstp))
+- return rpc_drop_reply;
++ goto out_invalidcred;
+ }
+
+ cps.minorversion = hdr_arg.minorversion;
+@@ -953,6 +953,10 @@ static __be32 nfs4_callback_compound(str
+ nfs_put_client(cps.clp);
+ dprintk("%s: done, status = %u\n", __func__, ntohl(status));
+ return rpc_success;
++
++out_invalidcred:
++ pr_warn_ratelimited("NFS: NFSv4 callback contains invalid cred\n");
++ return rpc_autherr_badcred;
+ }
+
+ /*
+--- a/net/sunrpc/svc.c
++++ b/net/sunrpc/svc.c
+@@ -1194,6 +1194,11 @@ svc_process_common(struct svc_rqst *rqst
+ procp->pc_release(rqstp, NULL, rqstp->rq_resp);
+ goto dropit;
+ }
++ if (*statp == rpc_autherr_badcred) {
++ if (procp->pc_release)
++ procp->pc_release(rqstp, NULL, rqstp->rq_resp);
++ goto err_bad_auth;
++ }
+ if (*statp == rpc_success &&
+ (xdr = procp->pc_encode) &&
+ !xdr(rqstp, resv->iov_base+resv->iov_len, rqstp->rq_resp)) {
--- /dev/null
+From 73e6c5d854d3f7f75e8b46d3e54aeb5d83fe6b1f Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Sun, 26 Jun 2016 12:27:25 -0400
+Subject: pNFS/files: Fix layoutcommit after a commit to DS
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit 73e6c5d854d3f7f75e8b46d3e54aeb5d83fe6b1f upstream.
+
+According to the errata
+https://www.rfc-editor.org/errata_search.php?rfc=5661&eid=2751
+we should always send layout commit after a commit to DS.
+
+Fixes: bc7d4b8fd091 ("nfs/filelayout: set layoutcommit...")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/filelayout/filelayout.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/nfs/filelayout/filelayout.c
++++ b/fs/nfs/filelayout/filelayout.c
+@@ -375,8 +375,7 @@ static int filelayout_commit_done_cb(str
+ return -EAGAIN;
+ }
+
+- if (data->verf.committed == NFS_UNSTABLE)
+- pnfs_set_layoutcommit(data->inode, data->lseg, data->lwb);
++ pnfs_set_layoutcommit(data->inode, data->lseg, data->lwb);
+
+ return 0;
+ }
--- /dev/null
+From c001c87a63aa2f35358e33eb05e45e4cbcb34f54 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Sun, 26 Jun 2016 12:39:49 -0400
+Subject: pNFS/flexfiles: Fix layoutcommit after a commit to DS
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit c001c87a63aa2f35358e33eb05e45e4cbcb34f54 upstream.
+
+We should always do a layoutcommit after commit to DS, except if
+the layout segment we're using has set FF_FLAGS_NO_LAYOUTCOMMIT.
+
+Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -1529,8 +1529,7 @@ static int ff_layout_commit_done_cb(stru
+ return -EAGAIN;
+ }
+
+- if (data->verf.committed == NFS_UNSTABLE
+- && ff_layout_need_layoutcommit(data->lseg))
++ if (ff_layout_need_layoutcommit(data->lseg))
+ pnfs_set_layoutcommit(data->inode, data->lseg, data->lwb);
+
+ return 0;
--- /dev/null
+From 66443efa83dc73775100b7442962ce2cb0d4472e Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Fri, 12 Aug 2016 21:45:52 +1000
+Subject: powerpc/prom: Fix sub-processor option passed to ibm, client-architecture-support
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit 66443efa83dc73775100b7442962ce2cb0d4472e upstream.
+
+When booting from an OpenFirmware which supports it, we use the
+"ibm,client-architecture-support" firmware call to communicate
+our capabilities to firmware.
+
+The format of the structure we pass to firmware is specified in
+PAPR (Power Architecture Platform Requirements), or the public version
+LoPAPR (Linux on Power Architecture Platform Reference).
+
+Referring to table 244 in LoPAPR v1.1, option vector 5 contains a 4 byte
+field at bytes 17-20 for the "Platform Facilities Enable". This is
+followed by a 1 byte field at byte 21 for "Sub-Processor Represenation
+Level".
+
+Comparing to the code, there we have the Platform Facilities
+options (OV5_PFO_*) at byte 17, but we fail to pad that field out to its
+full width of 4 bytes. This means the OV5_SUB_PROCESSORS option is
+incorrectly placed at byte 18.
+
+Fix it by adding zero bytes for bytes 18, 19, 20, and comment the bytes
+to hopefully make it clearer in future.
+
+As far as I'm aware nothing actually consumes this value at this time,
+so the effect of this bug is nil in practice.
+
+It does mean we've been incorrectly setting bit 15 of the "Platform
+Facilities Enable" option for the past ~3 1/2 years, so we should avoid
+allocating that bit to anything else in future.
+
+Fixes: df77c7992029 ("powerpc/pseries: Update ibm,architecture.vec for PAPR 2.7/POWER8")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/prom_init.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/kernel/prom_init.c
++++ b/arch/powerpc/kernel/prom_init.c
+@@ -695,7 +695,7 @@ unsigned char ibm_architecture_vec[] = {
+ OV4_MIN_ENT_CAP, /* minimum VP entitled capacity */
+
+ /* option vector 5: PAPR/OF options */
+- VECTOR_LENGTH(18), /* length */
++ VECTOR_LENGTH(21), /* length */
+ 0, /* don't ignore, don't halt */
+ OV5_FEAT(OV5_LPAR) | OV5_FEAT(OV5_SPLPAR) | OV5_FEAT(OV5_LARGE_PAGES) |
+ OV5_FEAT(OV5_DRCONF_MEMORY) | OV5_FEAT(OV5_DONATE_DEDICATE_CPU) |
+@@ -726,8 +726,11 @@ unsigned char ibm_architecture_vec[] = {
+ 0,
+ 0,
+ OV5_FEAT(OV5_PFO_HW_RNG) | OV5_FEAT(OV5_PFO_HW_ENCR) |
+- OV5_FEAT(OV5_PFO_HW_842),
+- OV5_FEAT(OV5_SUB_PROCESSORS),
++ OV5_FEAT(OV5_PFO_HW_842), /* Byte 17 */
++ 0, /* Byte 18 */
++ 0, /* Byte 19 */
++ 0, /* Byte 20 */
++ OV5_FEAT(OV5_SUB_PROCESSORS), /* Byte 21 */
+
+ /* option vector 6: IBM PAPR hints */
+ VECTOR_LENGTH(3), /* length */
dmaengine-bcm2835-fix-64-bit-warning.patch
dmaengine-at_xdmac-fix-debug-string.patch
nfs-pnfs-do-not-clobber-existing-pgio_done_cb-in-nfs4_proc_read_setup.patch
+svc-avoid-garbage-replies-when-pc_func-returns-rpc_drop_reply.patch
+nfs-don-t-drop-cb-requests-with-invalid-principals.patch
+pnfs-files-fix-layoutcommit-after-a-commit-to-ds.patch
+pnfs-flexfiles-fix-layoutcommit-after-a-commit-to-ds.patch
+watchdog-core-clear-wdog_hw_running-before-calling-the-stop-function.patch
+cxl-fix-potential-null-dereference-in-free_adapter.patch
+xprtrdma-remove-fmrs-from-the-unmap-list-after-unmapping.patch
+asoc-intel-skylake-fix-error-return-code-in-skl_probe.patch
+brcmfmac-fix-glob_skb-leak-in-brcmf_sdiod_recv_chain.patch
+brcmsmac-free-packet-if-dma_mapping_error-fails-in-dma_rxfill.patch
+brcmsmac-initialize-power-in-brcms_c_stf_ss_algo_channel_get.patch
+staging-comedi-adv_pci1760-do-not-return-einval-for-cmdf_round_down.patch
+powerpc-prom-fix-sub-processor-option-passed-to-ibm-client-architecture-support.patch
+sysctl-handle-error-writing-uint_max-to-u32-fields.patch
+asoc-omap-mcpdm-fix-irq-resource-handling.patch
+ib-core-fix-possible-memory-leak-in-cma_resolve_iboe_route.patch
--- /dev/null
+From c71f20ee76342376e3c4c67cdbe7421d8c4e886e Mon Sep 17 00:00:00 2001
+From: Phil Turnbull <phil.turnbull@oracle.com>
+Date: Fri, 29 Jul 2016 09:43:56 -0400
+Subject: staging: comedi: adv_pci1760: Do not return EINVAL for CMDF_ROUND_DOWN.
+
+From: Phil Turnbull <phil.turnbull@oracle.com>
+
+commit c71f20ee76342376e3c4c67cdbe7421d8c4e886e upstream.
+
+The CMDF_ROUND_DOWN case falls through and so always returns -EINVAL.
+
+Fixes: 14b93bb6bbf0 ("staging: comedi: adv_pci_dio: separate out PCI-1760 support")
+Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
+Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/adv_pci1760.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/comedi/drivers/adv_pci1760.c
++++ b/drivers/staging/comedi/drivers/adv_pci1760.c
+@@ -196,6 +196,7 @@ static int pci1760_pwm_ns_to_div(unsigne
+ break;
+ case CMDF_ROUND_DOWN:
+ divisor = ns / PCI1760_PWM_TIMEBASE;
++ break;
+ default:
+ return -EINVAL;
+ }
--- /dev/null
+From 0533b13072f4bf35738290d2cf9e299c7bc6c42a Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Wed, 29 Jun 2016 13:55:14 -0400
+Subject: svc: Avoid garbage replies when pc_func() returns rpc_drop_reply
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 0533b13072f4bf35738290d2cf9e299c7bc6c42a upstream.
+
+If an RPC program does not set vs_dispatch and pc_func() returns
+rpc_drop_reply, the server sends a reply anyway containing a single
+word containing the value RPC_DROP_REPLY (in network byte-order, of
+course). This is a nonsense RPC message.
+
+Fixes: 9e701c610923 ("svcrpc: simpler request dropping")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Tested-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/svc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sunrpc/svc.c
++++ b/net/sunrpc/svc.c
+@@ -1188,7 +1188,8 @@ svc_process_common(struct svc_rqst *rqst
+ *statp = procp->pc_func(rqstp, rqstp->rq_argp, rqstp->rq_resp);
+
+ /* Encode reply */
+- if (test_bit(RQ_DROPME, &rqstp->rq_flags)) {
++ if (*statp == rpc_drop_reply ||
++ test_bit(RQ_DROPME, &rqstp->rq_flags)) {
+ if (procp->pc_release)
+ procp->pc_release(rqstp, NULL, rqstp->rq_resp);
+ goto dropit;
--- /dev/null
+From e7d316a02f683864a12389f8808570e37fb90aa3 Mon Sep 17 00:00:00 2001
+From: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+Date: Thu, 25 Aug 2016 15:16:51 -0700
+Subject: sysctl: handle error writing UINT_MAX to u32 fields
+
+From: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+
+commit e7d316a02f683864a12389f8808570e37fb90aa3 upstream.
+
+We have scripts which write to certain fields on 3.18 kernels but this
+seems to be failing on 4.4 kernels. An entry which we write to here is
+xfrm_aevent_rseqth which is u32.
+
+ echo 4294967295 > /proc/sys/net/core/xfrm_aevent_rseqth
+
+Commit 230633d109e3 ("kernel/sysctl.c: detect overflows when converting
+to int") prevented writing to sysctl entries when integer overflow
+occurs. However, this does not apply to unsigned integers.
+
+Heinrich suggested that we introduce a new option to handle 64 bit
+limits and set min as 0 and max as UINT_MAX. This might not work as it
+leads to issues similar to __do_proc_doulongvec_minmax. Alternatively,
+we would need to change the datatype of the entry to 64 bit.
+
+ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table
+ {
+ i = (unsigned long *) data; //This cast is causing to read beyond the size of data (u32)
+ vleft = table->maxlen / sizeof(unsigned long); //vleft is 0 because maxlen is sizeof(u32) which is lesser than sizeof(unsigned long) on x86_64.
+
+Introduce a new proc handler proc_douintvec. Individual proc entries
+will need to be updated to use the new handler.
+
+[akpm@linux-foundation.org: coding-style fixes]
+Fixes: 230633d109e3 ("kernel/sysctl.c:detect overflows when converting to int")
+Link: http://lkml.kernel.org/r/1471479806-5252-1-git-send-email-subashab@codeaurora.org
+Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Ingo Molnar <mingo@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/sysctl.h | 2 ++
+ kernel/sysctl.c | 45 +++++++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 45 insertions(+), 2 deletions(-)
+
+--- a/include/linux/sysctl.h
++++ b/include/linux/sysctl.h
+@@ -41,6 +41,8 @@ extern int proc_dostring(struct ctl_tabl
+ void __user *, size_t *, loff_t *);
+ extern int proc_dointvec(struct ctl_table *, int,
+ void __user *, size_t *, loff_t *);
++extern int proc_douintvec(struct ctl_table *, int,
++ void __user *, size_t *, loff_t *);
+ extern int proc_dointvec_minmax(struct ctl_table *, int,
+ void __user *, size_t *, loff_t *);
+ extern int proc_dointvec_jiffies(struct ctl_table *, int,
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2122,6 +2122,21 @@ static int do_proc_dointvec_conv(bool *n
+ return 0;
+ }
+
++static int do_proc_douintvec_conv(bool *negp, unsigned long *lvalp,
++ int *valp,
++ int write, void *data)
++{
++ if (write) {
++ if (*negp)
++ return -EINVAL;
++ *valp = *lvalp;
++ } else {
++ unsigned int val = *valp;
++ *lvalp = (unsigned long)val;
++ }
++ return 0;
++}
++
+ static const char proc_wspace_sep[] = { ' ', '\t', '\n' };
+
+ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
+@@ -2241,8 +2256,27 @@ static int do_proc_dointvec(struct ctl_t
+ int proc_dointvec(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+ {
+- return do_proc_dointvec(table,write,buffer,lenp,ppos,
+- NULL,NULL);
++ return do_proc_dointvec(table, write, buffer, lenp, ppos, NULL, NULL);
++}
++
++/**
++ * proc_douintvec - read a vector of unsigned integers
++ * @table: the sysctl table
++ * @write: %TRUE if this is a write to the sysctl file
++ * @buffer: the user buffer
++ * @lenp: the size of the user buffer
++ * @ppos: file position
++ *
++ * Reads/writes up to table->maxlen/sizeof(unsigned int) unsigned integer
++ * values from/to the user buffer, treated as an ASCII string.
++ *
++ * Returns 0 on success.
++ */
++int proc_douintvec(struct ctl_table *table, int write,
++ void __user *buffer, size_t *lenp, loff_t *ppos)
++{
++ return do_proc_dointvec(table, write, buffer, lenp, ppos,
++ do_proc_douintvec_conv, NULL);
+ }
+
+ /*
+@@ -2840,6 +2874,12 @@ int proc_dointvec(struct ctl_table *tabl
+ return -ENOSYS;
+ }
+
++int proc_douintvec(struct ctl_table *table, int write,
++ void __user *buffer, size_t *lenp, loff_t *ppos)
++{
++ return -ENOSYS;
++}
++
+ int proc_dointvec_minmax(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+ {
+@@ -2885,6 +2925,7 @@ int proc_doulongvec_ms_jiffies_minmax(st
+ * exception granted :-)
+ */
+ EXPORT_SYMBOL(proc_dointvec);
++EXPORT_SYMBOL(proc_douintvec);
+ EXPORT_SYMBOL(proc_dointvec_jiffies);
+ EXPORT_SYMBOL(proc_dointvec_minmax);
+ EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
--- /dev/null
+From 3c10bbde10fe4dca52726e246cefa6b0a1dfbd3e Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 21 Jul 2016 14:21:56 -0700
+Subject: watchdog: core: Clear WDOG_HW_RUNNING before calling the stop function
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 3c10bbde10fe4dca52726e246cefa6b0a1dfbd3e upstream.
+
+WDOG_HW_RUNNING indicates that the hardware watchdog is running while the
+watchdog device is closed. The flag may be set by the driver when it is
+instantiated to indicate that the watchdog is running, and that the
+watchdog core needs to send heartbeat requests to the driver until the
+watchdog device is opened.
+
+When the watchdog device is closed, the flag can be used by the driver's
+stop function to indicate to the watchdog core that it was unable to stop
+the watchdog, and that the watchdog core needs to send heartbeat requests.
+This only works if the flag is actually cleared when the watchdog is
+stopped. To avoid having to clear the flag in each driver's stop function,
+clear it in the watchdog core before calling the stop function.
+
+Reported-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Fixes: ee142889e32f ("watchdog: Introduce WDOG_HW_RUNNING flag")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/watchdog/watchdog_dev.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/watchdog/watchdog_dev.c
++++ b/drivers/watchdog/watchdog_dev.c
+@@ -258,10 +258,12 @@ static int watchdog_stop(struct watchdog
+ return -EBUSY;
+ }
+
+- if (wdd->ops->stop)
++ if (wdd->ops->stop) {
++ clear_bit(WDOG_HW_RUNNING, &wdd->status);
+ err = wdd->ops->stop(wdd);
+- else
++ } else {
+ set_bit(WDOG_HW_RUNNING, &wdd->status);
++ }
+
+ if (err == 0) {
+ clear_bit(WDOG_ACTIVE, &wdd->status);
--- /dev/null
+From 38f1932e60ba249660bbae585f61ef2dee3313a4 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Wed, 29 Jun 2016 13:52:12 -0400
+Subject: xprtrdma: Remove FMRs from the unmap list after unmapping
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 38f1932e60ba249660bbae585f61ef2dee3313a4 upstream.
+
+ib_unmap_fmr() takes a list of FMRs to unmap. However, it does not
+remove the FMRs from this list as it processes them. Other
+ib_unmap_fmr() call sites are careful to remove FMRs from the list
+after ib_unmap_fmr() returns.
+
+Since commit 7c7a5390dc6c8 ("xprtrdma: Add ro_unmap_sync method for FMR")
+fmr_op_unmap_sync passes more than one FMR to ib_unmap_fmr(), but
+it didn't bother to remove the FMRs from that list once the call was
+complete.
+
+I've noticed some instability that could be related to list
+tangling by the new fmr_op_unmap_sync() logic. In an abundance
+of caution, add some defensive logic to clean up properly after
+ib_unmap_fmr().
+
+Fixes: 7c7a5390dc6c8 ("xprtrdma: Add ro_unmap_sync method for FMR")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Tested-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/xprtrdma/fmr_ops.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/sunrpc/xprtrdma/fmr_ops.c
++++ b/net/sunrpc/xprtrdma/fmr_ops.c
+@@ -63,9 +63,12 @@ static int
+ __fmr_unmap(struct rpcrdma_mw *mw)
+ {
+ LIST_HEAD(l);
++ int rc;
+
+ list_add(&mw->fmr.fmr->list, &l);
+- return ib_unmap_fmr(&l);
++ rc = ib_unmap_fmr(&l);
++ list_del_init(&mw->fmr.fmr->list);
++ return rc;
+ }
+
+ /* Deferred reset of a single FMR. Generate a fresh rkey by
+@@ -267,7 +270,7 @@ fmr_op_unmap_sync(struct rpcrdma_xprt *r
+ seg = &req->rl_segments[i];
+ mw = seg->rl_mw;
+
+- list_add(&mw->fmr.fmr->list, &unmap_list);
++ list_add_tail(&mw->fmr.fmr->list, &unmap_list);
+
+ i += seg->mr_nsegs;
+ }
+@@ -280,7 +283,9 @@ fmr_op_unmap_sync(struct rpcrdma_xprt *r
+ */
+ for (i = 0, nchunks = req->rl_nchunks; nchunks; nchunks--) {
+ seg = &req->rl_segments[i];
++ mw = seg->rl_mw;
+
++ list_del_init(&mw->fmr.fmr->list);
+ __fmr_dma_unmap(r_xprt, seg);
+ rpcrdma_put_mw(r_xprt, seg->rl_mw);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
