4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 9 May 2017 09:43:42 +0000 (11:43 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 9 May 2017 09:43:42 +0000 (11:43 +0200)
added patches:
arm-8452-3-pj4-make-coprocessor-access-sequences-buildable-in-thumb2-mode.patch
arm-omap5-dra7-fix-hyp-mode-boot-for-thumb2-build.patch
clk-make-x86-conditional-on-config_common_clk.patch
cpupower-fix-turbo-frequency-reporting-for-pre-sandy-bridge-cores.patch
iwlwifi-pcie-trans-remove-unused-shift_param.patch
kprobes-x86-fix-kernel-panic-when-certain-exception-handling-addresses-are-probed.patch
kvm-nvmx-do-not-leak-pml-full-vmexit-to-l1.patch
kvm-nvmx-initialize-pml-fields-in-vmcs02.patch
leds-ktd2692-avoid-harmless-maybe-uninitialized-warning.patch
mips-r2-on-r6-multu-maddu-msubu-emulation-bugfix.patch
mwifiex-avoid-skipping-wep-key-deletion-for-ap.patch
mwifiex-debugfs-fix-sometimes-off-by-1-ssid-print.patch
mwifiex-remove-redundant-dma-padding-in-amsdu.patch
phy-qcom-usb-hs-add-depends-on-extcon.patch
power-supply-bq24190_charger-call-power_supply_changed-for-relevant-component.patch
power-supply-bq24190_charger-call-set_mode_host-on-pm_resume.patch
power-supply-bq24190_charger-don-t-read-fault-register-outside-irq_handle_thread.patch
power-supply-bq24190_charger-fix-irq-trigger-to-irqf_trigger_falling.patch
power-supply-bq24190_charger-handle-fault-before-status-on-interrupt.patch
power-supply-bq24190_charger-install-irq_handler_thread-at-end-of-probe.patch
powerpc-powernv-fix-opal_exit-tracepoint-opcode.patch
revert-kvm-nested-vmx-disable-perf-cpuid-reporting.patch
scsi-mac_scsi-fix-mac_scsi-m-option-when-scsi-m.patch
scsi-scsi_dh_emc-return-success-in-clariion_std_inquiry.patch
serial-8250_omap-fix-probe-and-remove-for-pm-runtime.patch
usb-chipidea-handle-extcon-events-properly.patch
usb-chipidea-only-read-write-otgsc-from-one-place.patch
usb-host-ehci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch
usb-host-ohci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch
usb-serial-ark3116-fix-open-error-handling.patch
usb-serial-digi_acceleport-fix-incomplete-rx-sanity-check.patch
usb-serial-ftdi_sio-fix-latency-timer-error-handling.patch
usb-serial-io_edgeport-fix-descriptor-error-handling.patch
usb-serial-io_edgeport-fix-epic-descriptor-handling.patch
usb-serial-keyspan_pda-fix-receive-sanity-checks.patch
usb-serial-mct_u232-fix-modem-status-error-handling.patch
usb-serial-quatech2-fix-control-message-error-handling.patch
usb-serial-sierra-fix-bogus-alternate-setting-assumption.patch
usb-serial-ssu100-fix-control-message-error-handling.patch
usb-serial-ti_usb_3410_5052-fix-control-message-error-handling.patch
x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch
x86-pci-calgary-fix-iommu_free-comparison-of-unsigned-expression-0.patch
x86-platform-intel-mid-correct-msi-irq-line-for-watchdog-device.patch

44 files changed:
queue-4.4/arm-8452-3-pj4-make-coprocessor-access-sequences-buildable-in-thumb2-mode.patch [new file with mode: 0644]
queue-4.4/arm-omap5-dra7-fix-hyp-mode-boot-for-thumb2-build.patch [new file with mode: 0644]
queue-4.4/clk-make-x86-conditional-on-config_common_clk.patch [new file with mode: 0644]
queue-4.4/cpupower-fix-turbo-frequency-reporting-for-pre-sandy-bridge-cores.patch [new file with mode: 0644]
queue-4.4/iwlwifi-pcie-trans-remove-unused-shift_param.patch [new file with mode: 0644]
queue-4.4/kprobes-x86-fix-kernel-panic-when-certain-exception-handling-addresses-are-probed.patch [new file with mode: 0644]
queue-4.4/kvm-nvmx-do-not-leak-pml-full-vmexit-to-l1.patch [new file with mode: 0644]
queue-4.4/kvm-nvmx-initialize-pml-fields-in-vmcs02.patch [new file with mode: 0644]
queue-4.4/leds-ktd2692-avoid-harmless-maybe-uninitialized-warning.patch [new file with mode: 0644]
queue-4.4/mips-r2-on-r6-multu-maddu-msubu-emulation-bugfix.patch [new file with mode: 0644]
queue-4.4/mwifiex-avoid-skipping-wep-key-deletion-for-ap.patch [new file with mode: 0644]
queue-4.4/mwifiex-debugfs-fix-sometimes-off-by-1-ssid-print.patch [new file with mode: 0644]
queue-4.4/mwifiex-remove-redundant-dma-padding-in-amsdu.patch [new file with mode: 0644]
queue-4.4/phy-qcom-usb-hs-add-depends-on-extcon.patch [new file with mode: 0644]
queue-4.4/power-supply-bq24190_charger-call-power_supply_changed-for-relevant-component.patch [new file with mode: 0644]
queue-4.4/power-supply-bq24190_charger-call-set_mode_host-on-pm_resume.patch [new file with mode: 0644]
queue-4.4/power-supply-bq24190_charger-don-t-read-fault-register-outside-irq_handle_thread.patch [new file with mode: 0644]
queue-4.4/power-supply-bq24190_charger-fix-irq-trigger-to-irqf_trigger_falling.patch [new file with mode: 0644]
queue-4.4/power-supply-bq24190_charger-handle-fault-before-status-on-interrupt.patch [new file with mode: 0644]
queue-4.4/power-supply-bq24190_charger-install-irq_handler_thread-at-end-of-probe.patch [new file with mode: 0644]
queue-4.4/powerpc-powernv-fix-opal_exit-tracepoint-opcode.patch [new file with mode: 0644]
queue-4.4/revert-kvm-nested-vmx-disable-perf-cpuid-reporting.patch [new file with mode: 0644]
queue-4.4/scsi-mac_scsi-fix-mac_scsi-m-option-when-scsi-m.patch [new file with mode: 0644]
queue-4.4/scsi-scsi_dh_emc-return-success-in-clariion_std_inquiry.patch [new file with mode: 0644]
queue-4.4/serial-8250_omap-fix-probe-and-remove-for-pm-runtime.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/usb-chipidea-handle-extcon-events-properly.patch [new file with mode: 0644]
queue-4.4/usb-chipidea-only-read-write-otgsc-from-one-place.patch [new file with mode: 0644]
queue-4.4/usb-host-ehci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch [new file with mode: 0644]
queue-4.4/usb-host-ohci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch [new file with mode: 0644]
queue-4.4/usb-serial-ark3116-fix-open-error-handling.patch [new file with mode: 0644]
queue-4.4/usb-serial-digi_acceleport-fix-incomplete-rx-sanity-check.patch [new file with mode: 0644]
queue-4.4/usb-serial-ftdi_sio-fix-latency-timer-error-handling.patch [new file with mode: 0644]
queue-4.4/usb-serial-io_edgeport-fix-descriptor-error-handling.patch [new file with mode: 0644]
queue-4.4/usb-serial-io_edgeport-fix-epic-descriptor-handling.patch [new file with mode: 0644]
queue-4.4/usb-serial-keyspan_pda-fix-receive-sanity-checks.patch [new file with mode: 0644]
queue-4.4/usb-serial-mct_u232-fix-modem-status-error-handling.patch [new file with mode: 0644]
queue-4.4/usb-serial-quatech2-fix-control-message-error-handling.patch [new file with mode: 0644]
queue-4.4/usb-serial-sierra-fix-bogus-alternate-setting-assumption.patch [new file with mode: 0644]
queue-4.4/usb-serial-ssu100-fix-control-message-error-handling.patch [new file with mode: 0644]
queue-4.4/usb-serial-ti_usb_3410_5052-fix-control-message-error-handling.patch [new file with mode: 0644]
queue-4.4/x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch [new file with mode: 0644]
queue-4.4/x86-pci-calgary-fix-iommu_free-comparison-of-unsigned-expression-0.patch [new file with mode: 0644]
queue-4.4/x86-platform-intel-mid-correct-msi-irq-line-for-watchdog-device.patch [new file with mode: 0644]

diff --git a/queue-4.4/arm-8452-3-pj4-make-coprocessor-access-sequences-buildable-in-thumb2-mode.patch b/queue-4.4/arm-8452-3-pj4-make-coprocessor-access-sequences-buildable-in-thumb2-mode.patch
new file mode 100644 (file)
index 0000000..d4f194f
--- /dev/null
@@ -0,0 +1,57 @@
+From 5008efc83bf85b647aa1cbc44718b1675bbb7444 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Tue, 22 Dec 2015 08:24:59 +0100
+Subject: ARM: 8452/3: PJ4: make coprocessor access sequences buildable in Thumb2 mode
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+commit 5008efc83bf85b647aa1cbc44718b1675bbb7444 upstream.
+
+The PJ4 inline asm sequence to write to cp15 cannot be built in Thumb-2
+mode, due to the way it performs arithmetic on the program counter, so it
+is built in ARM mode instead. However, building C files in ARM mode under
+CONFIG_THUMB2_KERNEL is problematic, since the instrumentation performed
+by subsystems like ftrace does not expect having to deal with interworking
+branches.
+
+Since the sequence in question is simply a poor man's ISB instruction,
+let's use a straight 'isb' instead when building in Thumb2 mode. Thumb2
+implies V7, so 'isb' should always be supported in that case.
+
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Nicolas Pitre <nico@linaro.org>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kernel/Makefile  |    1 -
+ arch/arm/kernel/pj4-cp0.c |    4 ++++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/Makefile
++++ b/arch/arm/kernel/Makefile
+@@ -73,7 +73,6 @@ obj-$(CONFIG_IWMMXT)         += iwmmxt.o
+ obj-$(CONFIG_PERF_EVENTS)     += perf_regs.o perf_callchain.o
+ obj-$(CONFIG_HW_PERF_EVENTS)  += perf_event_xscale.o perf_event_v6.o \
+                                  perf_event_v7.o
+-CFLAGS_pj4-cp0.o              := -marm
+ AFLAGS_iwmmxt.o                       := -Wa,-mcpu=iwmmxt
+ obj-$(CONFIG_ARM_CPU_TOPOLOGY)  += topology.o
+ obj-$(CONFIG_VDSO)            += vdso.o
+--- a/arch/arm/kernel/pj4-cp0.c
++++ b/arch/arm/kernel/pj4-cp0.c
+@@ -66,9 +66,13 @@ static void __init pj4_cp_access_write(u
+       __asm__ __volatile__ (
+               "mcr    p15, 0, %1, c1, c0, 2\n\t"
++#ifdef CONFIG_THUMB2_KERNEL
++              "isb\n\t"
++#else
+               "mrc    p15, 0, %0, c1, c0, 2\n\t"
+               "mov    %0, %0\n\t"
+               "sub    pc, pc, #4\n\t"
++#endif
+               : "=r" (temp) : "r" (value));
+ }
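Review bot: In the CONFIG_THUMB2_KERNEL branch of pj4_cp_access_write() the asm never writes `%0`, yet `temp` is still declared as an output operand (`: "=r" (temp)`), so the compiler is told a value is produced when none is. Nothing reads temp after the asm in the visible lines, so this is harmless, but the function's opening lines are outside the hunk. A short comment above the `#ifdef` would record why the two paths differ, e.g. `/* Thumb-2 implies ARMv7, so a plain isb replaces the PC-arithmetic barrier sequence */`.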
diff --git a/queue-4.4/arm-omap5-dra7-fix-hyp-mode-boot-for-thumb2-build.patch b/queue-4.4/arm-omap5-dra7-fix-hyp-mode-boot-for-thumb2-build.patch
new file mode 100644 (file)
index 0000000..1ad1632
--- /dev/null
@@ -0,0 +1,40 @@
+From 448c077eeb02240c430db2a2c3bf5285a4c65d66 Mon Sep 17 00:00:00 2001
+From: Matthijs van Duin <matthijsvanduin@gmail.com>
+Date: Thu, 16 Feb 2017 01:05:04 +0100
+Subject: ARM: OMAP5 / DRA7: Fix HYP mode boot for thumb2 build
+
+From: Matthijs van Duin <matthijsvanduin@gmail.com>
+
+commit 448c077eeb02240c430db2a2c3bf5285a4c65d66 upstream.
+
+'adr' yields a data-pointer, not a function-pointer.
+
+Fixes: 999f934de195 ("ARM: omap5/dra7xx: Enable booting secondary
+CPU in HYP mode")
+Signed-off-by: Matthijs van Duin <matthijsvanduin@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-omap2/omap-headsmp.S |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/mach-omap2/omap-headsmp.S
++++ b/arch/arm/mach-omap2/omap-headsmp.S
+@@ -17,6 +17,7 @@
+ #include <linux/linkage.h>
+ #include <linux/init.h>
++#include <asm/assembler.h>
+ #include "omap44xx.h"
+@@ -56,7 +57,7 @@ wait_2:      ldr     r2, =AUX_CORE_BOOT0_PA  @ rea
+       cmp     r0, r4
+       bne     wait_2
+       ldr     r12, =API_HYP_ENTRY
+-      adr     r0, hyp_boot
++      badr    r0, hyp_boot
+       smc     #0
+ hyp_boot:
+       b       secondary_startup
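Review bot: The change from `adr` to `badr` on the `hyp_boot` load carries no comment, and the reason is not obvious from the instruction alone. Suggest annotating that line with `@ badr: the entry address passed in r0 must carry the Thumb bit in Thumb-2 builds`. The added `#include <asm/assembler.h>` is presumably what provides the badr macro; its definition is not visible in this hunk.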
diff --git a/queue-4.4/clk-make-x86-conditional-on-config_common_clk.patch b/queue-4.4/clk-make-x86-conditional-on-config_common_clk.patch
new file mode 100644 (file)
index 0000000..705768f
--- /dev/null
@@ -0,0 +1,34 @@
+From f35b6542c3ac3f28056d298348a81f7d56d3a041 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Date: Mon, 23 Jan 2017 12:07:41 -0600
+Subject: clk: Make x86/ conditional on CONFIG_COMMON_CLK
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+commit f35b6542c3ac3f28056d298348a81f7d56d3a041 upstream.
+
+Fix Makefile for x86 support, dependency on CONFIG_COMMON_CLK
+was not explicit
+
+Fixes: 701190fd7419 ('clk: x86: add support for Lynxpoint LPSS clocks')
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/Makefile |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/clk/Makefile
++++ b/drivers/clk/Makefile
+@@ -78,7 +78,9 @@ obj-$(CONFIG_ARCH_TEGRA)             += tegra/
+ obj-$(CONFIG_ARCH_OMAP2PLUS)          += ti/
+ obj-$(CONFIG_ARCH_U8500)              += ux500/
+ obj-$(CONFIG_COMMON_CLK_VERSATILE)    += versatile/
++ifeq ($(CONFIG_COMMON_CLK), y)
+ obj-$(CONFIG_X86)                     += x86/
++endif
+ obj-$(CONFIG_ARCH_ZX)                 += zte/
+ obj-$(CONFIG_ARCH_ZYNQ)                       += zynq/
+ obj-$(CONFIG_H8300)           += h8300/
diff --git a/queue-4.4/cpupower-fix-turbo-frequency-reporting-for-pre-sandy-bridge-cores.patch b/queue-4.4/cpupower-fix-turbo-frequency-reporting-for-pre-sandy-bridge-cores.patch
new file mode 100644 (file)
index 0000000..d3e031b
--- /dev/null
@@ -0,0 +1,35 @@
+From 4cca0457686e4ee1677d69469e4ddfd94d389a80 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 11 Apr 2017 00:29:44 +0100
+Subject: cpupower: Fix turbo frequency reporting for pre-Sandy Bridge cores
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit 4cca0457686e4ee1677d69469e4ddfd94d389a80 upstream.
+
+The switch that conditionally sets CPUPOWER_CAP_HAS_TURBO_RATIO and
+CPUPOWER_CAP_IS_SNB flags is missing a break, so all cores get both
+flags set and an assumed base clock of 100 MHz for turbo values.
+
+Reported-by: GSR <gsr.bugs@infernal-iceberg.com>
+Tested-by: GSR <gsr.bugs@infernal-iceberg.com>
+References: https://bugs.debian.org/859978
+Fixes: 8fb2e440b223 (cpupower: Show Intel turbo ratio support via ...)
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/power/cpupower/utils/helpers/cpuid.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/power/cpupower/utils/helpers/cpuid.c
++++ b/tools/power/cpupower/utils/helpers/cpuid.c
+@@ -156,6 +156,7 @@ out:
+                                        */
+                       case 0x2C:      /* Westmere EP - Gulftown */
+                               cpu_info->caps |= CPUPOWER_CAP_HAS_TURBO_RATIO;
++                              break;
+                       case 0x2A:      /* SNB */
+                       case 0x2D:      /* SNB Xeon */
+                       case 0x3A:      /* IVB */
diff --git a/queue-4.4/iwlwifi-pcie-trans-remove-unused-shift_param.patch b/queue-4.4/iwlwifi-pcie-trans-remove-unused-shift_param.patch
new file mode 100644 (file)
index 0000000..058b86b
--- /dev/null
@@ -0,0 +1,61 @@
+From 3ce4a03852d6dd3fd28c2fb2ee9f89bb9ccf9a9b Mon Sep 17 00:00:00 2001
+From: Kirtika Ruchandani <kirtika.ruchandani@gmail.com>
+Date: Tue, 8 Nov 2016 21:50:48 -0800
+Subject: iwlwifi: pcie: trans: Remove unused 'shift_param'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kirtika Ruchandani <kirtika.ruchandani@gmail.com>
+
+commit 3ce4a03852d6dd3fd28c2fb2ee9f89bb9ccf9a9b upstream.
+
+shift_param is defined and set in iwl_pcie_load_cpu_sections but not
+used. Fix this to avoid -Wunused-but-set-variable warning.
+
+The code using it turned into dead code with commit dcab8ecd5617
+("iwlwifi: mvm: support ucode load for family_8000 B0 only") which
+added a separate function iwl_pcie_load_given_ucode_8000 (then 8000b)
+for IWL_DEVICE_FAMILY_8000. Commit 76f8c0e17edc ("iwlwifi: pcie:
+remove dead code") removed the dead code but left shift_param as is.
+
+iwlwifi/pcie/trans.c: In function ‘iwl_pcie_load_cpu_sections’:
+iwlwifi/pcie/trans.c:871:6: warning: variable ‘shift_param’ set but not used [-Wunused-but-set-variable]
+
+Fixes: dcab8ecd5617 ("iwlwifi: mvm: support ucode load for family_8000 B0 only")
+Fixes: 76f8c0e17edc ("iwlwifi: pcie: remove dead code")
+Signed-off-by: Kirtika Ruchandani <kirtika@google.com>
+Cc: Sara Sharon <sara.sharon@intel.com>
+Cc: Luca Coelho <luciano.coelho@intel.com>
+Cc: Liad Kaufman <liad.kaufman@intel.com>
+Cc: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+[removed some unnecessary braces]
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/pcie/trans.c |    8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
+@@ -817,17 +817,13 @@ static int iwl_pcie_load_cpu_sections(st
+                                     int cpu,
+                                     int *first_ucode_section)
+ {
+-      int shift_param;
+       int i, ret = 0;
+       u32 last_read_idx = 0;
+-      if (cpu == 1) {
+-              shift_param = 0;
++      if (cpu == 1)
+               *first_ucode_section = 0;
+-      } else {
+-              shift_param = 16;
++      else
+               (*first_ucode_section)++;
+-      }
+       for (i = *first_ucode_section; i < IWL_UCODE_SECTION_MAX; i++) {
+               last_read_idx = i;
diff --git a/queue-4.4/kprobes-x86-fix-kernel-panic-when-certain-exception-handling-addresses-are-probed.patch b/queue-4.4/kprobes-x86-fix-kernel-panic-when-certain-exception-handling-addresses-are-probed.patch
new file mode 100644 (file)
index 0000000..58f0c0d
--- /dev/null
@@ -0,0 +1,87 @@
+From 75013fb16f8484898eaa8d0b08fed942d790f029 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Wed, 1 Mar 2017 01:23:24 +0900
+Subject: kprobes/x86: Fix kernel panic when certain exception-handling addresses are probed
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 75013fb16f8484898eaa8d0b08fed942d790f029 upstream.
+
+Fix to the exception table entry check by using probed address
+instead of the address of copied instruction.
+
+This bug may cause unexpected kernel panic if user probe an address
+where an exception can happen which should be fixup by __ex_table
+(e.g. copy_from_user.)
+
+Unless user puts a kprobe on such address, this doesn't
+cause any problem.
+
+This bug has been introduced years ago, by commit:
+
+  464846888d9a ("x86/kprobes: Fix a bug which can modify kernel code permanently").
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 464846888d9a ("x86/kprobes: Fix a bug which can modify kernel code permanently")
+Link: http://lkml.kernel.org/r/148829899399.28855.12581062400757221722.stgit@devbox
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/kprobes/common.h |    2 +-
+ arch/x86/kernel/kprobes/core.c   |    6 +++---
+ arch/x86/kernel/kprobes/opt.c    |    2 +-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kernel/kprobes/common.h
++++ b/arch/x86/kernel/kprobes/common.h
+@@ -67,7 +67,7 @@
+ #endif
+ /* Ensure if the instruction can be boostable */
+-extern int can_boost(kprobe_opcode_t *instruction);
++extern int can_boost(kprobe_opcode_t *instruction, void *addr);
+ /* Recover instruction if given address is probed */
+ extern unsigned long recover_probed_instruction(kprobe_opcode_t *buf,
+                                        unsigned long addr);
+--- a/arch/x86/kernel/kprobes/core.c
++++ b/arch/x86/kernel/kprobes/core.c
+@@ -163,12 +163,12 @@ NOKPROBE_SYMBOL(skip_prefixes);
+  * Returns non-zero if opcode is boostable.
+  * RIP relative instructions are adjusted at copying time in 64 bits mode
+  */
+-int can_boost(kprobe_opcode_t *opcodes)
++int can_boost(kprobe_opcode_t *opcodes, void *addr)
+ {
+       kprobe_opcode_t opcode;
+       kprobe_opcode_t *orig_opcodes = opcodes;
+-      if (search_exception_tables((unsigned long)opcodes))
++      if (search_exception_tables((unsigned long)addr))
+               return 0;       /* Page fault may occur on this address. */
+ retry:
+@@ -413,7 +413,7 @@ static int arch_copy_kprobe(struct kprob
+        * __copy_instruction can modify the displacement of the instruction,
+        * but it doesn't affect boostable check.
+        */
+-      if (can_boost(p->ainsn.insn))
++      if (can_boost(p->ainsn.insn, p->addr))
+               p->ainsn.boostable = 0;
+       else
+               p->ainsn.boostable = -1;
+--- a/arch/x86/kernel/kprobes/opt.c
++++ b/arch/x86/kernel/kprobes/opt.c
+@@ -177,7 +177,7 @@ static int copy_optimized_instructions(u
+       while (len < RELATIVEJUMP_SIZE) {
+               ret = __copy_instruction(dest + len, src + len);
+-              if (!ret || !can_boost(dest + len))
++              if (!ret || !can_boost(dest + len, src + len))
+                       return -EINVAL;
+               len += ret;
+       }
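Review bot: The comment block above can_boost() in core.c still describes only the opcode argument, while the exception-table lookup now depends entirely on the new, undocumented `addr` parameter. Suggest adding a line such as `* @addr must be the original probed address, not the copy buffer: exception-table entries are keyed by the original text address.` The one-line comment above the prototype in common.h needs the same note. In opt.c the call passes `src + len`, which satisfies that contract only if src is the original instruction address; copy_optimized_instructions() starts outside the hunk, so that should be confirmed against its callers.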
diff --git a/queue-4.4/kvm-nvmx-do-not-leak-pml-full-vmexit-to-l1.patch b/queue-4.4/kvm-nvmx-do-not-leak-pml-full-vmexit-to-l1.patch
new file mode 100644 (file)
index 0000000..316994b
--- /dev/null
@@ -0,0 +1,40 @@
+From ab007cc94ff9d82f5a8db8363b3becbd946e58cf Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Fri, 31 Mar 2017 10:19:26 +0200
+Subject: KVM: nVMX: do not leak PML full vmexit to L1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ladi Prosek <lprosek@redhat.com>
+
+commit ab007cc94ff9d82f5a8db8363b3becbd946e58cf upstream.
+
+The PML feature is not exposed to guests so we should not be forwarding
+the vmexit either.
+
+This commit fixes BSOD 0x20001 (HYPERVISOR_ERROR) when running Hyper-V
+enabled Windows Server 2016 in L1 on hardware that supports PML.
+
+Fixes: 843e4330573c ("KVM: VMX: Add PML support in VMX")
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7838,6 +7838,9 @@ static bool nested_vmx_exit_handled(stru
+               return nested_cpu_has2(vmcs12, SECONDARY_EXEC_XSAVES);
+       case EXIT_REASON_PCOMMIT:
+               return nested_cpu_has2(vmcs12, SECONDARY_EXEC_PCOMMIT);
++      case EXIT_REASON_PML_FULL:
++              /* We don't expose PML support to L1. */
++              return false;
+       default:
+               return true;
+       }
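Review bot: The `default: return true;` arm directly after the new case reflects every unlisted exit reason to L1, which is how the PML-full exit reached the guest hypervisor in the first place. The added case closes this one reason, but any later exit reason belonging to a feature that is not exposed to L1 will leak the same way unless it gets its own case. Suggest a comment on the default arm, e.g. `/* Unlisted exits are reflected to L1; add an explicit case for any feature L1 is not offered. */`. The switch begins outside the hunk, so its other arms were not reviewed.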
diff --git a/queue-4.4/kvm-nvmx-initialize-pml-fields-in-vmcs02.patch b/queue-4.4/kvm-nvmx-initialize-pml-fields-in-vmcs02.patch
new file mode 100644 (file)
index 0000000..cf3ebf4
--- /dev/null
@@ -0,0 +1,46 @@
+From 1fb883bb827ee8efc1cc9ea0154f953f8a219d38 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Tue, 4 Apr 2017 14:18:53 +0200
+Subject: KVM: nVMX: initialize PML fields in vmcs02
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ladi Prosek <lprosek@redhat.com>
+
+commit 1fb883bb827ee8efc1cc9ea0154f953f8a219d38 upstream.
+
+L2 was running with uninitialized PML fields which led to incomplete
+dirty bitmap logging. This manifested as all kinds of subtle erratic
+behavior of the nested guest.
+
+Fixes: 843e4330573c ("KVM: VMX: Add PML support in VMX")
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -9757,6 +9757,18 @@ static void prepare_vmcs02(struct kvm_vc
+       }
++      if (enable_pml) {
++              /*
++               * Conceptually we want to copy the PML address and index from
++               * vmcs01 here, and then back to vmcs01 on nested vmexit. But,
++               * since we always flush the log on each vmexit, this happens
++               * to be equivalent to simply resetting the fields in vmcs02.
++               */
++              ASSERT(vmx->pml_pg);
++              vmcs_write64(PML_ADDRESS, page_to_phys(vmx->pml_pg));
++              vmcs_write16(GUEST_PML_INDEX, PML_ENTITY_NUM - 1);
++      }
++
+       if (nested_cpu_has_ept(vmcs12)) {
+               kvm_mmu_unload(vcpu);
+               nested_ept_init_mmu_context(vcpu);
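Review bot: `ASSERT(vmx->pml_pg)` is the only guard before `page_to_phys(vmx->pml_pg)` is written to PML_ADDRESS. If ASSERT compiles to nothing in non-debug builds (its definition is not in this hunk, so confirm), a NULL pml_pg would silently program a bogus log address into vmcs02. A check that survives in production builds would at least report the condition, e.g. `WARN_ON_ONCE(!vmx->pml_pg);` in place of the ASSERT. prepare_vmcs02() starts and ends outside the hunk, so whether pml_pg is guaranteed non-NULL whenever enable_pml is set could not be checked here.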
diff --git a/queue-4.4/leds-ktd2692-avoid-harmless-maybe-uninitialized-warning.patch b/queue-4.4/leds-ktd2692-avoid-harmless-maybe-uninitialized-warning.patch
new file mode 100644 (file)
index 0000000..f90b39b
--- /dev/null
@@ -0,0 +1,52 @@
+From cbe99c538d1776009e8710755bb6e726f7fffa9b Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 25 Jan 2017 23:22:36 +0100
+Subject: leds: ktd2692: avoid harmless maybe-uninitialized warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit cbe99c538d1776009e8710755bb6e726f7fffa9b upstream.
+
+gcc gets confused about the control flow in ktd2692_parse_dt(), causing
+it to warn about what seems like a potential bug:
+
+drivers/leds/leds-ktd2692.c: In function 'ktd2692_probe':
+drivers/leds/leds-ktd2692.c:244:15: error: '*((void *)&led_cfg+8)' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+drivers/leds/leds-ktd2692.c:225:7: error: 'led_cfg.flash_max_microamp' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+drivers/leds/leds-ktd2692.c:232:3: error: 'led_cfg.movie_max_microamp' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+
+The code is fine, and slightly reworking it in an equivalent way lets
+gcc figure that out too, which gets rid of the warning.
+
+Fixes: 77e7915b15bb ("leds: ktd2692: Add missing of_node_put")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/leds/leds-ktd2692.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/leds/leds-ktd2692.c
++++ b/drivers/leds/leds-ktd2692.c
+@@ -296,15 +296,15 @@ static int ktd2692_parse_dt(struct ktd26
+               return -ENXIO;
+       led->ctrl_gpio = devm_gpiod_get(dev, "ctrl", GPIOD_ASIS);
+-      if (IS_ERR(led->ctrl_gpio)) {
+-              ret = PTR_ERR(led->ctrl_gpio);
++      ret = PTR_ERR_OR_ZERO(led->ctrl_gpio);
++      if (ret) {
+               dev_err(dev, "cannot get ctrl-gpios %d\n", ret);
+               return ret;
+       }
+       led->aux_gpio = devm_gpiod_get(dev, "aux", GPIOD_ASIS);
+-      if (IS_ERR(led->aux_gpio)) {
+-              ret = PTR_ERR(led->aux_gpio);
++      ret = PTR_ERR_OR_ZERO(led->aux_gpio);
++      if (ret) {
+               dev_err(dev, "cannot get aux-gpios %d\n", ret);
+               return ret;
+       }
diff --git a/queue-4.4/mips-r2-on-r6-multu-maddu-msubu-emulation-bugfix.patch b/queue-4.4/mips-r2-on-r6-multu-maddu-msubu-emulation-bugfix.patch
new file mode 100644 (file)
index 0000000..43c670f
--- /dev/null
@@ -0,0 +1,68 @@
+From d65e5677ad5b3a49c43f60ec07644dc1f87bbd2e Mon Sep 17 00:00:00 2001
+From: Leonid Yegoshin <Leonid.Yegoshin@imgtec.com>
+Date: Thu, 25 Aug 2016 10:37:38 -0700
+Subject: MIPS: R2-on-R6 MULTU/MADDU/MSUBU emulation bugfix
+
+From: Leonid Yegoshin <Leonid.Yegoshin@imgtec.com>
+
+commit d65e5677ad5b3a49c43f60ec07644dc1f87bbd2e upstream.
+
+MIPS instructions MULTU, MADDU and MSUBU emulation requires registers HI/LO
+to be converted to signed 32bits before 64bit sign extension on MIPS64.
+
+Bug was found on running MIPS32 R2 test application on MIPS64 R6 kernel.
+
+Fixes: b0a668fb2038 ("MIPS: kernel: mips-r2-to-r6-emul: Add R2 emulator for MIPS R6")
+Signed-off-by: Leonid Yegoshin <Leonid.Yegoshin@imgtec.com>
+Reported-by: Nikola.Veljkovic@imgtec.com
+Cc: paul.burton@imgtec.com
+Cc: yamada.masahiro@socionext.com
+Cc: akpm@linux-foundation.org
+Cc: andrea.gelmini@gelma.net
+Cc: macro@imgtec.com
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/14043/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/mips-r2-to-r6-emul.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/mips/kernel/mips-r2-to-r6-emul.c
++++ b/arch/mips/kernel/mips-r2-to-r6-emul.c
+@@ -434,8 +434,8 @@ static int multu_func(struct pt_regs *re
+       rs = regs->regs[MIPSInst_RS(ir)];
+       res = (u64)rt * (u64)rs;
+       rt = res;
+-      regs->lo = (s64)rt;
+-      regs->hi = (s64)(res >> 32);
++      regs->lo = (s64)(s32)rt;
++      regs->hi = (s64)(s32)(res >> 32);
+       MIPS_R2_STATS(muls);
+@@ -671,9 +671,9 @@ static int maddu_func(struct pt_regs *re
+       res += ((((s64)rt) << 32) | (u32)rs);
+       rt = res;
+-      regs->lo = (s64)rt;
++      regs->lo = (s64)(s32)rt;
+       rs = res >> 32;
+-      regs->hi = (s64)rs;
++      regs->hi = (s64)(s32)rs;
+       MIPS_R2_STATS(dsps);
+@@ -729,9 +729,9 @@ static int msubu_func(struct pt_regs *re
+       res = ((((s64)rt) << 32) | (u32)rs) - res;
+       rt = res;
+-      regs->lo = (s64)rt;
++      regs->lo = (s64)(s32)rt;
+       rs = res >> 32;
+-      regs->hi = (s64)rs;
++      regs->hi = (s64)(s32)rs;
+       MIPS_R2_STATS(dsps);
diff --git a/queue-4.4/mwifiex-avoid-skipping-wep-key-deletion-for-ap.patch b/queue-4.4/mwifiex-avoid-skipping-wep-key-deletion-for-ap.patch
new file mode 100644 (file)
index 0000000..30a28f8
--- /dev/null
@@ -0,0 +1,38 @@
+From a5b60de6972decc6b50a39abb376077c3c3621c8 Mon Sep 17 00:00:00 2001
+From: Ganapathi Bhat <gbhat@marvell.com>
+Date: Fri, 3 Feb 2017 18:30:22 +0530
+Subject: mwifiex: Avoid skipping WEP key deletion for AP
+
+From: Ganapathi Bhat <gbhat@marvell.com>
+
+commit a5b60de6972decc6b50a39abb376077c3c3621c8 upstream.
+
+This patch fixes the issue specific to AP. AP is started with WEP
+security and external station is connected to it. Data path works
+in this case. Now if AP is restarted with WPA/WPA2 security,
+station is able to connect but ping fails.
+
+Driver skips the deletion of WEP keys if interface type is AP.
+Removing that redundant check resolves the issue.
+
+Fixes: e57f1734d87a ("mwifiex: add key material v2 support")
+Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
+Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/sta_ioctl.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/sta_ioctl.c
++++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
+@@ -1098,8 +1098,6 @@ int mwifiex_set_encode(struct mwifiex_pr
+                       encrypt_key.is_rx_seq_valid = true;
+               }
+       } else {
+-              if (GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_UAP)
+-                      return 0;
+               encrypt_key.key_disable = true;
+               if (mac_addr)
+                       memcpy(encrypt_key.mac_addr, mac_addr, ETH_ALEN);
diff --git a/queue-4.4/mwifiex-debugfs-fix-sometimes-off-by-1-ssid-print.patch b/queue-4.4/mwifiex-debugfs-fix-sometimes-off-by-1-ssid-print.patch
new file mode 100644 (file)
index 0000000..6567169
--- /dev/null
@@ -0,0 +1,51 @@
+From 6183468a23fc6b6903f8597982017ad2c7fdefcf Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Mon, 9 Jan 2017 15:33:50 -0800
+Subject: mwifiex: debugfs: Fix (sometimes) off-by-1 SSID print
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit 6183468a23fc6b6903f8597982017ad2c7fdefcf upstream.
+
+Similar to commit fcd2042e8d36 ("mwifiex: printk() overflow with 32-byte
+SSIDs"), we failed to account for the existence of 32-char SSIDs in our
+debugfs code. Unlike in that case though, we zeroed out the containing
+struct first, and I'm pretty sure we're guaranteed to have some padding
+after the 'ssid.ssid' and 'ssid.ssid_len' fields (the struct is 33 bytes
+long).
+
+So, this is the difference between:
+
+  # cat /sys/kernel/debug/mwifiex/mlan0/info
+  ...
+  essid="0123456789abcdef0123456789abcdef "
+  ...
+
+and the correct output:
+
+  # cat /sys/kernel/debug/mwifiex/mlan0/info
+  ...
+  essid="0123456789abcdef0123456789abcdef"
+  ...
+
+Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/debugfs.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mwifiex/debugfs.c
++++ b/drivers/net/wireless/mwifiex/debugfs.c
+@@ -115,7 +115,8 @@ mwifiex_info_read(struct file *file, cha
+       if (GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA) {
+               p += sprintf(p, "multicast_count=\"%d\"\n",
+                            netdev_mc_count(netdev));
+-              p += sprintf(p, "essid=\"%s\"\n", info.ssid.ssid);
++              p += sprintf(p, "essid=\"%.*s\"\n", info.ssid.ssid_len,
++                           info.ssid.ssid);
+               p += sprintf(p, "bssid=\"%pM\"\n", info.bssid);
+               p += sprintf(p, "channel=\"%d\"\n", (int) info.bss_chan);
+               p += sprintf(p, "country_code = \"%s\"\n", info.country_code);
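Review bot: The precision passed to `%.*s` in mwifiex_info_read is `info.ssid.ssid_len` taken as-is, so the print is bounded only if that length never exceeds the size of `info.ssid.ssid`. The SSID presumably reflects the associated network, and the hunk does not show where the length is validated. Clamping at the print site would be cheap insurance, e.g. `min_t(int, info.ssid.ssid_len, IEEE80211_MAX_SSID_LEN)`, assuming the field is the usual 32-byte SSID array. The surrounding `sprintf(p, ...)` calls are also unbounded against the output buffer, and the function continues outside the hunk.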
diff --git a/queue-4.4/mwifiex-remove-redundant-dma-padding-in-amsdu.patch b/queue-4.4/mwifiex-remove-redundant-dma-padding-in-amsdu.patch
new file mode 100644 (file)
index 0000000..0892855
--- /dev/null
@@ -0,0 +1,95 @@
+From 5f0a221f59ad6b72202ef9c6e232086de8c336f2 Mon Sep 17 00:00:00 2001
+From: Xinming Hu <huxm@marvell.com>
+Date: Wed, 11 Jan 2017 21:41:24 +0530
+Subject: mwifiex: remove redundant dma padding in AMSDU
+
+From: Xinming Hu <huxm@marvell.com>
+
+commit 5f0a221f59ad6b72202ef9c6e232086de8c336f2 upstream.
+
+We already ensure 64 bytes alignment and add padding if required
+during skb_aggr allocation.
+
+Alignment and padding in mwifiex_11n_form_amsdu_txpd() is redundant.
+We may end up accessing more data than allocated size with this.
+
+This patch fixes following issue by removing redundant padding.
+
+[  370.241338] skbuff: skb_over_panic: text:ffffffffc046946a len:3550
+put:72 head:ffff880000110000 data:ffff8800001100e4 tail:0xec2 end:0xec0 dev:<NULL>
+[  370.241374] ------------[ cut here ]------------
+[  370.241382] kernel BUG at net/core/skbuff.c:104!
+  370.244032] Call Trace:
+[  370.244041]  [<ffffffff8c3df5ec>] skb_put+0x44/0x45
+[  370.244055]  [<ffffffffc046946a>]
+mwifiex_11n_aggregate_pkt+0x1e9/0xa50 [mwifiex]
+[  370.244067]  [<ffffffffc0467c16>] mwifiex_wmm_process_tx+0x44a/0x6b7
+[mwifiex]
+[  370.244074]  [<ffffffffc0411eb8>] ? 0xffffffffc0411eb8
+[  370.244084]  [<ffffffffc046116b>] mwifiex_main_process+0x476/0x5a5
+[mwifiex]
+[  370.244098]  [<ffffffffc0461298>] mwifiex_main_process+0x5a3/0x5a5
+[mwifiex]
+[  370.244113]  [<ffffffff8be7e9ff>] process_one_work+0x1a4/0x309
+[  370.244123]  [<ffffffff8be7f4ca>] worker_thread+0x20c/0x2ee
+[  370.244130]  [<ffffffff8be7f2be>] ? rescuer_thread+0x383/0x383
+[  370.244136]  [<ffffffff8be7f2be>] ? rescuer_thread+0x383/0x383
+[  370.244143]  [<ffffffff8be83742>] kthread+0x11c/0x124
+[  370.244150]  [<ffffffff8be83626>] ? kthread_parkme+0x24/0x24
+[  370.244157]  [<ffffffff8c4da1ef>] ret_from_fork+0x3f/0x70
+[  370.244168]  [<ffffffff8be83626>] ? kthread_parkme+0x24/0x24
+
+Fixes: 84b313b35f8158d ("mwifiex: make tx packet 64 byte DMA aligned")
+Signed-off-by: Xinming Hu <huxm@marvell.com>
+Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/11n_aggr.c |   19 +++++++------------
+ 1 file changed, 7 insertions(+), 12 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/11n_aggr.c
++++ b/drivers/net/wireless/mwifiex/11n_aggr.c
+@@ -101,13 +101,6 @@ mwifiex_11n_form_amsdu_txpd(struct mwifi
+ {
+       struct txpd *local_tx_pd;
+       struct mwifiex_txinfo *tx_info = MWIFIEX_SKB_TXCB(skb);
+-      unsigned int pad;
+-      int headroom = (priv->adapter->iface_type ==
+-                      MWIFIEX_USB) ? 0 : INTF_HEADER_LEN;
+-
+-      pad = ((void *)skb->data - sizeof(*local_tx_pd) -
+-              headroom - NULL) & (MWIFIEX_DMA_ALIGN_SZ - 1);
+-      skb_push(skb, pad);
+       skb_push(skb, sizeof(*local_tx_pd));
+@@ -121,12 +114,10 @@ mwifiex_11n_form_amsdu_txpd(struct mwifi
+       local_tx_pd->bss_num = priv->bss_num;
+       local_tx_pd->bss_type = priv->bss_type;
+       /* Always zero as the data is followed by struct txpd */
+-      local_tx_pd->tx_pkt_offset = cpu_to_le16(sizeof(struct txpd) +
+-                                               pad);
++      local_tx_pd->tx_pkt_offset = cpu_to_le16(sizeof(struct txpd));
+       local_tx_pd->tx_pkt_type = cpu_to_le16(PKT_TYPE_AMSDU);
+       local_tx_pd->tx_pkt_length = cpu_to_le16(skb->len -
+-                                               sizeof(*local_tx_pd) -
+-                                               pad);
++                                               sizeof(*local_tx_pd));
+       if (tx_info->flags & MWIFIEX_BUF_FLAG_TDLS_PKT)
+               local_tx_pd->flags |= MWIFIEX_TXPD_FLAGS_TDLS_PACKET;
+@@ -190,7 +181,11 @@ mwifiex_11n_aggregate_pkt(struct mwifiex
+                                      ra_list_flags);
+               return -1;
+       }
+-      skb_reserve(skb_aggr, MWIFIEX_MIN_DATA_HEADER_LEN);
++
++      /* skb_aggr->data already 64 byte align, just reserve bus interface
++       * header and txpd.
++       */
++      skb_reserve(skb_aggr, headroom + sizeof(struct txpd));
+       tx_info_aggr =  MWIFIEX_SKB_TXCB(skb_aggr);
+       memset(tx_info_aggr, 0, sizeof(*tx_info_aggr));
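Review bot: `skb_reserve(skb_aggr, headroom + sizeof(struct txpd));` uses `headroom` in mwifiex_11n_aggregate_pkt, while the only declaration visible in this patch is the one being removed from mwifiex_11n_form_amsdu_txpd. For a 4.4 backport it is worth confirming the variable is in scope there, since that function's declarations are outside the hunk. Separately, the kept comment `/* Always zero as the data is followed by struct txpd */` sits above an assignment of `sizeof(struct txpd)`, which reads as a contradiction; `/* Payload starts right after struct txpd */` would match the code. The new comment also relies on the allocation site for the 64-byte alignment and the tailroom, and that site is not shown here.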
diff --git a/queue-4.4/phy-qcom-usb-hs-add-depends-on-extcon.patch b/queue-4.4/phy-qcom-usb-hs-add-depends-on-extcon.patch
new file mode 100644 (file)
index 0000000..de510db
--- /dev/null
@@ -0,0 +1,42 @@
+From 1a09b6a7c10e22c489a8b212dd6862b1fd9674ad Mon Sep 17 00:00:00 2001
+From: Stephen Boyd <stephen.boyd@linaro.org>
+Date: Thu, 9 Mar 2017 13:45:44 +0530
+Subject: phy: qcom-usb-hs: Add depends on EXTCON
+
+From: Stephen Boyd <stephen.boyd@linaro.org>
+
+commit 1a09b6a7c10e22c489a8b212dd6862b1fd9674ad upstream.
+
+We get the following compile errors if EXTCON is enabled as a
+module but this driver is builtin:
+
+drivers/built-in.o: In function `qcom_usb_hs_phy_power_off':
+phy-qcom-usb-hs.c:(.text+0x1089): undefined reference to `extcon_unregister_notifier'
+drivers/built-in.o: In function `qcom_usb_hs_phy_probe':
+phy-qcom-usb-hs.c:(.text+0x11b5): undefined reference to `extcon_get_edev_by_phandle'
+drivers/built-in.o: In function `qcom_usb_hs_phy_power_on':
+phy-qcom-usb-hs.c:(.text+0x128e): undefined reference to `extcon_get_state'
+phy-qcom-usb-hs.c:(.text+0x12a9): undefined reference to `extcon_register_notifier'
+
+so let's mark this as needing to follow the modular status of
+the extcon framework.
+
+Fixes: 9994a33865f4 e2427b09ba929c2b9 (phy: Add support for Qualcomm's USB HS phy")
+Signed-off-by: Stephen Boyd <stephen.boyd@linaro.org>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/phy/Kconfig |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/phy/Kconfig
++++ b/drivers/phy/Kconfig
+@@ -368,6 +368,7 @@ config PHY_QCOM_UFS
+ config PHY_TUSB1210
+       tristate "TI TUSB1210 ULPI PHY module"
+       depends on USB_ULPI_BUS
++      depends on EXTCON || !EXTCON # if EXTCON=m, this cannot be built-in
+       select GENERIC_PHY
+       help
+         Support for TI TUSB1210 USB ULPI PHY.
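Review bot: The added `depends on EXTCON || !EXTCON` lands under `config PHY_TUSB1210`, while the subject and the link errors in the description concern the qcom-usb-hs PHY driver. That looks like the hunk was applied with fuzz to a neighbouring entry; whether a qcom-usb-hs entry exists in this 4.4 Kconfig at all is not visible from the hunk. If it does not, the patch should be dropped from the queue rather than constraining an unrelated driver. If it does, the line belongs under that entry.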
diff --git a/queue-4.4/power-supply-bq24190_charger-call-power_supply_changed-for-relevant-component.patch b/queue-4.4/power-supply-bq24190_charger-call-power_supply_changed-for-relevant-component.patch
new file mode 100644 (file)
index 0000000..b6337d8
--- /dev/null
@@ -0,0 +1,143 @@
+From 2d9fee6a42ea170e4378b3363a7ad385d0e67281 Mon Sep 17 00:00:00 2001
+From: Liam Breck <liam@networkimprov.net>
+Date: Wed, 18 Jan 2017 09:26:52 -0800
+Subject: power: supply: bq24190_charger: Call power_supply_changed() for relevant component
+
+From: Liam Breck <liam@networkimprov.net>
+
+commit 2d9fee6a42ea170e4378b3363a7ad385d0e67281 upstream.
+
+We wrongly get uevents for bq24190-charger and bq24190-battery on every
+register change.
+
+Fix by checking the association with charger and battery before
+emitting uevent(s).
+
+Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
+Signed-off-by: Liam Breck <kernel@networkimprov.net>
+Acked-by: Mark Greer <mgreer@animalcreek.com>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/bq24190_charger.c |   50 +++++++++++++++++++++-------------------
+ 1 file changed, 27 insertions(+), 23 deletions(-)
+
+--- a/drivers/power/bq24190_charger.c
++++ b/drivers/power/bq24190_charger.c
+@@ -159,7 +159,6 @@ struct bq24190_dev_info {
+       unsigned int                    gpio_int;
+       unsigned int                    irq;
+       struct mutex                    f_reg_lock;
+-      bool                            first_time;
+       bool                            charger_health_valid;
+       bool                            battery_health_valid;
+       bool                            battery_status_valid;
+@@ -1197,7 +1196,10 @@ static const struct power_supply_desc bq
+ static irqreturn_t bq24190_irq_handler_thread(int irq, void *data)
+ {
+       struct bq24190_dev_info *bdi = data;
+-      bool alert_userspace = false;
++      const u8 battery_mask_ss = BQ24190_REG_SS_CHRG_STAT_MASK;
++      const u8 battery_mask_f = BQ24190_REG_F_BAT_FAULT_MASK
++                              | BQ24190_REG_F_NTC_FAULT_MASK;
++      bool alert_charger = false, alert_battery = false;
+       u8 ss_reg = 0, f_reg = 0;
+       int ret;
+@@ -1225,8 +1227,12 @@ static irqreturn_t bq24190_irq_handler_t
+                                       ret);
+               }
++              if ((bdi->ss_reg & battery_mask_ss) != (ss_reg & battery_mask_ss))
++                      alert_battery = true;
++              if ((bdi->ss_reg & ~battery_mask_ss) != (ss_reg & ~battery_mask_ss))
++                      alert_charger = true;
++
+               bdi->ss_reg = ss_reg;
+-              alert_userspace = true;
+       }
+       mutex_lock(&bdi->f_reg_lock);
+@@ -1239,33 +1245,23 @@ static irqreturn_t bq24190_irq_handler_t
+       }
+       if (f_reg != bdi->f_reg) {
++              if ((bdi->f_reg & battery_mask_f) != (f_reg & battery_mask_f))
++                      alert_battery = true;
++              if ((bdi->f_reg & ~battery_mask_f) != (f_reg & ~battery_mask_f))
++                      alert_charger = true;
++
+               bdi->f_reg = f_reg;
+               bdi->charger_health_valid = true;
+               bdi->battery_health_valid = true;
+               bdi->battery_status_valid = true;
+-
+-              alert_userspace = true;
+       }
+       mutex_unlock(&bdi->f_reg_lock);
+-      /*
+-       * Sometimes bq24190 gives a steady trickle of interrupts even
+-       * though the watchdog timer is turned off and neither the STATUS
+-       * nor FAULT registers have changed.  Weed out these sprurious
+-       * interrupts so userspace isn't alerted for no reason.
+-       * In addition, the chip always generates an interrupt after
+-       * register reset so we should ignore that one (the very first
+-       * interrupt received).
+-       */
+-      if (alert_userspace) {
+-              if (!bdi->first_time) {
+-                      power_supply_changed(bdi->charger);
+-                      power_supply_changed(bdi->battery);
+-              } else {
+-                      bdi->first_time = false;
+-              }
+-      }
++      if (alert_charger)
++              power_supply_changed(bdi->charger);
++      if (alert_battery)
++              power_supply_changed(bdi->battery);
+ out:
+       pm_runtime_put_sync(bdi->dev);
+@@ -1300,6 +1296,10 @@ static int bq24190_hw_init(struct bq2419
+               goto out;
+       ret = bq24190_set_mode_host(bdi);
++      if (ret < 0)
++              goto out;
++
++      ret = bq24190_read(bdi, BQ24190_REG_SS, &bdi->ss_reg);
+ out:
+       pm_runtime_put_sync(bdi->dev);
+       return ret;
+@@ -1375,7 +1375,8 @@ static int bq24190_probe(struct i2c_clie
+       bdi->model = id->driver_data;
+       strncpy(bdi->model_name, id->name, I2C_NAME_SIZE);
+       mutex_init(&bdi->f_reg_lock);
+-      bdi->first_time = true;
++      bdi->f_reg = 0;
++      bdi->ss_reg = BQ24190_REG_SS_VBUS_STAT_MASK; /* impossible state */
+       bdi->charger_health_valid = false;
+       bdi->battery_health_valid = false;
+       bdi->battery_status_valid = false;
+@@ -1489,6 +1490,8 @@ static int bq24190_pm_resume(struct devi
+       struct i2c_client *client = to_i2c_client(dev);
+       struct bq24190_dev_info *bdi = i2c_get_clientdata(client);
++      bdi->f_reg = 0;
++      bdi->ss_reg = BQ24190_REG_SS_VBUS_STAT_MASK; /* impossible state */
+       bdi->charger_health_valid = false;
+       bdi->battery_health_valid = false;
+       bdi->battery_status_valid = false;
+@@ -1496,6 +1499,7 @@ static int bq24190_pm_resume(struct devi
+       pm_runtime_get_sync(bdi->dev);
+       bq24190_register_reset(bdi);
+       bq24190_set_mode_host(bdi);
++      bq24190_read(bdi, BQ24190_REG_SS, &bdi->ss_reg);
+       pm_runtime_put_sync(bdi->dev);
+       /* Things may have changed while suspended so alert upper layer */
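Review bot: In bq24190_pm_resume the added `bq24190_read(bdi, BQ24190_REG_SS, &bdi->ss_reg);` ignores its return value, as does the `bq24190_set_mode_host(bdi);` call before it (added by the call-set_mode_host-on-pm_resume patch in this queue). On an I2C failure the cached status keeps its placeholder and the charger may silently stay out of host mode. bq24190_hw_init checks the same two calls, so resume could at least log, e.g. `if (bq24190_read(bdi, BQ24190_REG_SS, &bdi->ss_reg) < 0) dev_warn(bdi->dev, "Can't read SS reg on resume\n");`. The resume function continues outside the hunk.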
diff --git a/queue-4.4/power-supply-bq24190_charger-call-set_mode_host-on-pm_resume.patch b/queue-4.4/power-supply-bq24190_charger-call-set_mode_host-on-pm_resume.patch
new file mode 100644 (file)
index 0000000..c518118
--- /dev/null
@@ -0,0 +1,34 @@
+From e05ad7e0741ce0505e1df157c62b22b95172bb97 Mon Sep 17 00:00:00 2001
+From: Liam Breck <liam@networkimprov.net>
+Date: Wed, 18 Jan 2017 09:26:49 -0800
+Subject: power: supply: bq24190_charger: Call set_mode_host() on pm_resume()
+
+From: Liam Breck <liam@networkimprov.net>
+
+commit e05ad7e0741ce0505e1df157c62b22b95172bb97 upstream.
+
+pm_resume() does a register_reset() which clears charger host mode.
+
+Fix by calling set_mode_host() after the reset.
+
+Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
+Signed-off-by: Liam Breck <kernel@networkimprov.net>
+Acked-by: Mark Greer <mgreer@animalcreek.com>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/bq24190_charger.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/power/bq24190_charger.c
++++ b/drivers/power/bq24190_charger.c
+@@ -1494,6 +1494,7 @@ static int bq24190_pm_resume(struct devi
+       pm_runtime_get_sync(bdi->dev);
+       bq24190_register_reset(bdi);
++      bq24190_set_mode_host(bdi);
+       pm_runtime_put_sync(bdi->dev);
+       /* Things may have changed while suspended so alert upper layer */
diff --git a/queue-4.4/power-supply-bq24190_charger-don-t-read-fault-register-outside-irq_handle_thread.patch b/queue-4.4/power-supply-bq24190_charger-don-t-read-fault-register-outside-irq_handle_thread.patch
new file mode 100644 (file)
index 0000000..0bfd4b6
--- /dev/null
@@ -0,0 +1,212 @@
+From 68abfb8015832ddf728b911769659468efaf8bd9 Mon Sep 17 00:00:00 2001
+From: Liam Breck <liam@networkimprov.net>
+Date: Wed, 18 Jan 2017 09:26:53 -0800
+Subject: power: supply: bq24190_charger: Don't read fault register outside irq_handle_thread()
+
+From: Liam Breck <liam@networkimprov.net>
+
+commit 68abfb8015832ddf728b911769659468efaf8bd9 upstream.
+
+Caching the fault register after a single I2C read may not keep an accurate
+value.
+
+Fix by doing two reads in irq_handle_thread() and using the cached value
+elsewhere. If a safety timer fault later clears itself, we apparently don't get
+an interrupt (INT), however other interrupts would refresh the register cache.
+
+From the data sheet: "When a fault occurs, the charger device sends out INT
+ and keeps the fault state in REG09 until the host reads the fault register.
+ Before the host reads REG09 and all the faults are cleared, the charger
+ device would not send any INT upon new faults. In order to read the
+ current fault status, the host has to read REG09 two times consecutively.
+ The 1st reads fault register status from the last read [1] and the 2nd reads
+ the current fault register status."
+
+[1] presumably a typo; should be "last fault"
+
+Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
+Signed-off-by: Liam Breck <kernel@networkimprov.net>
+Acked-by: Mark Greer <mgreer@animalcreek.com>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/bq24190_charger.c |   94 +++++++++++-----------------------------
+ 1 file changed, 27 insertions(+), 67 deletions(-)
+
+--- a/drivers/power/bq24190_charger.c
++++ b/drivers/power/bq24190_charger.c
+@@ -144,10 +144,7 @@
+  * so the first read after a fault returns the latched value and subsequent
+  * reads return the current value.  In order to return the fault status
+  * to the user, have the interrupt handler save the reg's value and retrieve
+- * it in the appropriate health/status routine.  Each routine has its own
+- * flag indicating whether it should use the value stored by the last run
+- * of the interrupt handler or do an actual reg read.  That way each routine
+- * can report back whatever fault may have occured.
++ * it in the appropriate health/status routine.
+  */
+ struct bq24190_dev_info {
+       struct i2c_client               *client;
+@@ -159,9 +156,6 @@ struct bq24190_dev_info {
+       unsigned int                    gpio_int;
+       unsigned int                    irq;
+       struct mutex                    f_reg_lock;
+-      bool                            charger_health_valid;
+-      bool                            battery_health_valid;
+-      bool                            battery_status_valid;
+       u8                              f_reg;
+       u8                              ss_reg;
+       u8                              watchdog;
+@@ -635,21 +629,11 @@ static int bq24190_charger_get_health(st
+               union power_supply_propval *val)
+ {
+       u8 v;
+-      int health, ret;
++      int health;
+       mutex_lock(&bdi->f_reg_lock);
+-
+-      if (bdi->charger_health_valid) {
+-              v = bdi->f_reg;
+-              bdi->charger_health_valid = false;
+-              mutex_unlock(&bdi->f_reg_lock);
+-      } else {
+-              mutex_unlock(&bdi->f_reg_lock);
+-
+-              ret = bq24190_read(bdi, BQ24190_REG_F, &v);
+-              if (ret < 0)
+-                      return ret;
+-      }
++      v = bdi->f_reg;
++      mutex_unlock(&bdi->f_reg_lock);
+       if (v & BQ24190_REG_F_BOOST_FAULT_MASK) {
+               /*
+@@ -936,18 +920,8 @@ static int bq24190_battery_get_status(st
+       int status, ret;
+       mutex_lock(&bdi->f_reg_lock);
+-
+-      if (bdi->battery_status_valid) {
+-              chrg_fault = bdi->f_reg;
+-              bdi->battery_status_valid = false;
+-              mutex_unlock(&bdi->f_reg_lock);
+-      } else {
+-              mutex_unlock(&bdi->f_reg_lock);
+-
+-              ret = bq24190_read(bdi, BQ24190_REG_F, &chrg_fault);
+-              if (ret < 0)
+-                      return ret;
+-      }
++      chrg_fault = bdi->f_reg;
++      mutex_unlock(&bdi->f_reg_lock);
+       chrg_fault &= BQ24190_REG_F_CHRG_FAULT_MASK;
+       chrg_fault >>= BQ24190_REG_F_CHRG_FAULT_SHIFT;
+@@ -995,21 +969,11 @@ static int bq24190_battery_get_health(st
+               union power_supply_propval *val)
+ {
+       u8 v;
+-      int health, ret;
++      int health;
+       mutex_lock(&bdi->f_reg_lock);
+-
+-      if (bdi->battery_health_valid) {
+-              v = bdi->f_reg;
+-              bdi->battery_health_valid = false;
+-              mutex_unlock(&bdi->f_reg_lock);
+-      } else {
+-              mutex_unlock(&bdi->f_reg_lock);
+-
+-              ret = bq24190_read(bdi, BQ24190_REG_F, &v);
+-              if (ret < 0)
+-                      return ret;
+-      }
++      v = bdi->f_reg;
++      mutex_unlock(&bdi->f_reg_lock);
+       if (v & BQ24190_REG_F_BAT_FAULT_MASK) {
+               health = POWER_SUPPLY_HEALTH_OVERVOLTAGE;
+@@ -1201,7 +1165,7 @@ static irqreturn_t bq24190_irq_handler_t
+                               | BQ24190_REG_F_NTC_FAULT_MASK;
+       bool alert_charger = false, alert_battery = false;
+       u8 ss_reg = 0, f_reg = 0;
+-      int ret;
++      int i, ret;
+       pm_runtime_get_sync(bdi->dev);
+@@ -1231,33 +1195,35 @@ static irqreturn_t bq24190_irq_handler_t
+                       alert_battery = true;
+               if ((bdi->ss_reg & ~battery_mask_ss) != (ss_reg & ~battery_mask_ss))
+                       alert_charger = true;
+-
+               bdi->ss_reg = ss_reg;
+       }
+-      mutex_lock(&bdi->f_reg_lock);
+-
+-      ret = bq24190_read(bdi, BQ24190_REG_F, &f_reg);
+-      if (ret < 0) {
+-              mutex_unlock(&bdi->f_reg_lock);
+-              dev_err(bdi->dev, "Can't read F reg: %d\n", ret);
+-              goto out;
+-      }
++      i = 0;
++      do {
++              ret = bq24190_read(bdi, BQ24190_REG_F, &f_reg);
++              if (ret < 0) {
++                      dev_err(bdi->dev, "Can't read F reg: %d\n", ret);
++                      goto out;
++              }
++      } while (f_reg && ++i < 2);
+       if (f_reg != bdi->f_reg) {
++              dev_info(bdi->dev,
++                      "Fault: boost %d, charge %d, battery %d, ntc %d\n",
++                      !!(f_reg & BQ24190_REG_F_BOOST_FAULT_MASK),
++                      !!(f_reg & BQ24190_REG_F_CHRG_FAULT_MASK),
++                      !!(f_reg & BQ24190_REG_F_BAT_FAULT_MASK),
++                      !!(f_reg & BQ24190_REG_F_NTC_FAULT_MASK));
++
++              mutex_lock(&bdi->f_reg_lock);
+               if ((bdi->f_reg & battery_mask_f) != (f_reg & battery_mask_f))
+                       alert_battery = true;
+               if ((bdi->f_reg & ~battery_mask_f) != (f_reg & ~battery_mask_f))
+                       alert_charger = true;
+-
+               bdi->f_reg = f_reg;
+-              bdi->charger_health_valid = true;
+-              bdi->battery_health_valid = true;
+-              bdi->battery_status_valid = true;
++              mutex_unlock(&bdi->f_reg_lock);
+       }
+-      mutex_unlock(&bdi->f_reg_lock);
+-
+       if (alert_charger)
+               power_supply_changed(bdi->charger);
+       if (alert_battery)
+@@ -1377,9 +1343,6 @@ static int bq24190_probe(struct i2c_clie
+       mutex_init(&bdi->f_reg_lock);
+       bdi->f_reg = 0;
+       bdi->ss_reg = BQ24190_REG_SS_VBUS_STAT_MASK; /* impossible state */
+-      bdi->charger_health_valid = false;
+-      bdi->battery_health_valid = false;
+-      bdi->battery_status_valid = false;
+       i2c_set_clientdata(client, bdi);
+@@ -1492,9 +1455,6 @@ static int bq24190_pm_resume(struct devi
+       bdi->f_reg = 0;
+       bdi->ss_reg = BQ24190_REG_SS_VBUS_STAT_MASK; /* impossible state */
+-      bdi->charger_health_valid = false;
+-      bdi->battery_health_valid = false;
+-      bdi->battery_status_valid = false;
+       pm_runtime_get_sync(bdi->dev);
+       bq24190_register_reset(bdi);
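Review bot: After this change the health and status getters return only the cached `bdi->f_reg`, and bq24190_probe and bq24190_pm_resume set that cache to 0 without reading the register. A fault already present at that point would be reported as healthy until a later interrupt refreshes the cache, and for this charger that covers the battery and NTC fault bits. The comment removed earlier in this queue says the chip raises an interrupt after a register reset, which would refresh it, but whether that pulse is always seen is not visible here. Priming the cache in bq24190_hw_init with the same two-read sequence would close the gap. At minimum the struct comment could say `f_reg is written only by the interrupt thread and reads 0 until the first interrupt after probe/resume`.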
diff --git a/queue-4.4/power-supply-bq24190_charger-fix-irq-trigger-to-irqf_trigger_falling.patch b/queue-4.4/power-supply-bq24190_charger-fix-irq-trigger-to-irqf_trigger_falling.patch
new file mode 100644 (file)
index 0000000..6949f76
--- /dev/null
@@ -0,0 +1,39 @@
+From 767eee362fd72bb2ca44cc80419ca4b38c6d8369 Mon Sep 17 00:00:00 2001
+From: Liam Breck <liam@networkimprov.net>
+Date: Wed, 18 Jan 2017 09:26:48 -0800
+Subject: power: supply: bq24190_charger: Fix irq trigger to IRQF_TRIGGER_FALLING
+
+From: Liam Breck <liam@networkimprov.net>
+
+commit 767eee362fd72bb2ca44cc80419ca4b38c6d8369 upstream.
+
+The interrupt signal is TRIGGER_FALLING. This is is specified in the
+data sheet PIN FUNCTIONS: "The INT pin sends active low, 256us
+pulse to host to report charger device status and fault."
+
+Also the direction can be seen in the data sheet Figure 37 "BQ24190
+with D+/D- Detection and USB On-The-Go (OTG)" which shows a 10k
+pull-up resistor installed for the sample configurations.
+
+Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
+Signed-off-by: Liam Breck <kernel@networkimprov.net>
+Acked-by: Mark Greer <mgreer@animalcreek.com>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/bq24190_charger.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/power/bq24190_charger.c
++++ b/drivers/power/bq24190_charger.c
+@@ -1394,7 +1394,7 @@ static int bq24190_probe(struct i2c_clie
+       ret = devm_request_threaded_irq(dev, bdi->irq, NULL,
+                       bq24190_irq_handler_thread,
+-                      IRQF_TRIGGER_RISING | IRQF_ONESHOT,
++                      IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
+                       "bq24190-charger", bdi);
+       if (ret < 0) {
+               dev_err(dev, "Can't set up irq handler\n");
diff --git a/queue-4.4/power-supply-bq24190_charger-handle-fault-before-status-on-interrupt.patch b/queue-4.4/power-supply-bq24190_charger-handle-fault-before-status-on-interrupt.patch
new file mode 100644 (file)
index 0000000..9759ee9
--- /dev/null
@@ -0,0 +1,87 @@
+From ba52e75718784fda1b683ee0bfded72a0b83b047 Mon Sep 17 00:00:00 2001
+From: Liam Breck <liam@networkimprov.net>
+Date: Wed, 18 Jan 2017 09:26:54 -0800
+Subject: power: supply: bq24190_charger: Handle fault before status on interrupt
+
+From: Liam Breck <liam@networkimprov.net>
+
+commit ba52e75718784fda1b683ee0bfded72a0b83b047 upstream.
+
+Reading both fault and status registers and logging any fault should
+take priority over handling status register update.
+
+Fix by moving the status handling to later in interrupt routine.
+
+Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
+Signed-off-by: Liam Breck <kernel@networkimprov.net>
+Acked-by: Mark Greer <mgreer@animalcreek.com>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/bq24190_charger.c |   46 ++++++++++++++++++++--------------------
+ 1 file changed, 23 insertions(+), 23 deletions(-)
+
+--- a/drivers/power/bq24190_charger.c
++++ b/drivers/power/bq24190_charger.c
+@@ -1175,29 +1175,6 @@ static irqreturn_t bq24190_irq_handler_t
+               goto out;
+       }
+-      if (ss_reg != bdi->ss_reg) {
+-              /*
+-               * The device is in host mode so when PG_STAT goes from 1->0
+-               * (i.e., power removed) HIZ needs to be disabled.
+-               */
+-              if ((bdi->ss_reg & BQ24190_REG_SS_PG_STAT_MASK) &&
+-                              !(ss_reg & BQ24190_REG_SS_PG_STAT_MASK)) {
+-                      ret = bq24190_write_mask(bdi, BQ24190_REG_ISC,
+-                                      BQ24190_REG_ISC_EN_HIZ_MASK,
+-                                      BQ24190_REG_ISC_EN_HIZ_SHIFT,
+-                                      0);
+-                      if (ret < 0)
+-                              dev_err(bdi->dev, "Can't access ISC reg: %d\n",
+-                                      ret);
+-              }
+-
+-              if ((bdi->ss_reg & battery_mask_ss) != (ss_reg & battery_mask_ss))
+-                      alert_battery = true;
+-              if ((bdi->ss_reg & ~battery_mask_ss) != (ss_reg & ~battery_mask_ss))
+-                      alert_charger = true;
+-              bdi->ss_reg = ss_reg;
+-      }
+-
+       i = 0;
+       do {
+               ret = bq24190_read(bdi, BQ24190_REG_F, &f_reg);
+@@ -1224,6 +1201,29 @@ static irqreturn_t bq24190_irq_handler_t
+               mutex_unlock(&bdi->f_reg_lock);
+       }
++      if (ss_reg != bdi->ss_reg) {
++              /*
++               * The device is in host mode so when PG_STAT goes from 1->0
++               * (i.e., power removed) HIZ needs to be disabled.
++               */
++              if ((bdi->ss_reg & BQ24190_REG_SS_PG_STAT_MASK) &&
++                              !(ss_reg & BQ24190_REG_SS_PG_STAT_MASK)) {
++                      ret = bq24190_write_mask(bdi, BQ24190_REG_ISC,
++                                      BQ24190_REG_ISC_EN_HIZ_MASK,
++                                      BQ24190_REG_ISC_EN_HIZ_SHIFT,
++                                      0);
++                      if (ret < 0)
++                              dev_err(bdi->dev, "Can't access ISC reg: %d\n",
++                                      ret);
++              }
++
++              if ((bdi->ss_reg & battery_mask_ss) != (ss_reg & battery_mask_ss))
++                      alert_battery = true;
++              if ((bdi->ss_reg & ~battery_mask_ss) != (ss_reg & ~battery_mask_ss))
++                      alert_charger = true;
++              bdi->ss_reg = ss_reg;
++      }
++
+       if (alert_charger)
+               power_supply_changed(bdi->charger);
+       if (alert_battery)
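Review bot: Moving the `ss_reg != bdi->ss_reg` block below the fault-register loop makes status handling depend on that read succeeding. The loop's `ret = bq24190_read(bdi, BQ24190_REG_F, &f_reg);` is followed, per the earlier patch in this queue, by `goto out` on error. On an I2C error the HIZ disable on power removal is then skipped for this interrupt, where before it ran first. Since `bdi->ss_reg` is not updated on that path the change should be picked up on the next interrupt, but it may be worth logging the fault-read error and falling through to the status block instead of jumping to `out`. The handler starts and ends outside the hunk.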
diff --git a/queue-4.4/power-supply-bq24190_charger-install-irq_handler_thread-at-end-of-probe.patch b/queue-4.4/power-supply-bq24190_charger-install-irq_handler_thread-at-end-of-probe.patch
new file mode 100644 (file)
index 0000000..d52f0fe
--- /dev/null
@@ -0,0 +1,100 @@
+From d62acc5ef0621463446091ebd7a345e06e9ab80c Mon Sep 17 00:00:00 2001
+From: Liam Breck <liam@networkimprov.net>
+Date: Wed, 18 Jan 2017 09:26:50 -0800
+Subject: power: supply: bq24190_charger: Install irq_handler_thread() at end of probe()
+
+From: Liam Breck <liam@networkimprov.net>
+
+commit d62acc5ef0621463446091ebd7a345e06e9ab80c upstream.
+
+The device specific data is not fully initialized on
+request_threaded_irq(). This may cause a crash when the IRQ handler
+tries to reference them.
+
+Fix the issue by installing IRQ handler at the end of the probe.
+
+Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
+Signed-off-by: Liam Breck <kernel@networkimprov.net>
+Acked-by: Mark Greer <mgreer@animalcreek.com>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/bq24190_charger.c |   31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+--- a/drivers/power/bq24190_charger.c
++++ b/drivers/power/bq24190_charger.c
+@@ -1392,22 +1392,13 @@ static int bq24190_probe(struct i2c_clie
+               return -EINVAL;
+       }
+-      ret = devm_request_threaded_irq(dev, bdi->irq, NULL,
+-                      bq24190_irq_handler_thread,
+-                      IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
+-                      "bq24190-charger", bdi);
+-      if (ret < 0) {
+-              dev_err(dev, "Can't set up irq handler\n");
+-              goto out1;
+-      }
+-
+       pm_runtime_enable(dev);
+       pm_runtime_resume(dev);
+       ret = bq24190_hw_init(bdi);
+       if (ret < 0) {
+               dev_err(dev, "Hardware init failed\n");
+-              goto out2;
++              goto out1;
+       }
+       charger_cfg.drv_data = bdi;
+@@ -1418,7 +1409,7 @@ static int bq24190_probe(struct i2c_clie
+       if (IS_ERR(bdi->charger)) {
+               dev_err(dev, "Can't register charger\n");
+               ret = PTR_ERR(bdi->charger);
+-              goto out2;
++              goto out1;
+       }
+       battery_cfg.drv_data = bdi;
+@@ -1427,24 +1418,34 @@ static int bq24190_probe(struct i2c_clie
+       if (IS_ERR(bdi->battery)) {
+               dev_err(dev, "Can't register battery\n");
+               ret = PTR_ERR(bdi->battery);
+-              goto out3;
++              goto out2;
+       }
+       ret = bq24190_sysfs_create_group(bdi);
+       if (ret) {
+               dev_err(dev, "Can't create sysfs entries\n");
++              goto out3;
++      }
++
++      ret = devm_request_threaded_irq(dev, bdi->irq, NULL,
++                      bq24190_irq_handler_thread,
++                      IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
++                      "bq24190-charger", bdi);
++      if (ret < 0) {
++              dev_err(dev, "Can't set up irq handler\n");
+               goto out4;
+       }
+       return 0;
+ out4:
+-      power_supply_unregister(bdi->battery);
++      bq24190_sysfs_remove_group(bdi);
+ out3:
+-      power_supply_unregister(bdi->charger);
++      power_supply_unregister(bdi->battery);
+ out2:
+-      pm_runtime_disable(dev);
++      power_supply_unregister(bdi->charger);
+ out1:
++      pm_runtime_disable(dev);
+       if (bdi->gpio_int)
+               gpio_free(bdi->gpio_int);
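Review bot: The interrupt is still requested with `devm_request_threaded_irq()` while the power supplies and the sysfs group in the same probe are torn down by hand, so on removal the handler thread stays installed until devres runs after remove() returns. If remove() (outside this hunk) unregisters `bdi->charger` and `bdi->battery` first, a late interrupt can still reach `power_supply_changed(bdi->charger)` in the handler, the same class of crash this patch closes on the probe side. Consider releasing the interrupt explicitly at the top of remove(), e.g. `devm_free_irq(bdi->dev, bdi->irq, bdi);`, or add a comment explaining why the ordering is safe. bq24190_probe() starts and ends outside the hunks shown.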
diff --git a/queue-4.4/powerpc-powernv-fix-opal_exit-tracepoint-opcode.patch b/queue-4.4/powerpc-powernv-fix-opal_exit-tracepoint-opcode.patch
new file mode 100644 (file)
index 0000000..5b729c8
--- /dev/null
@@ -0,0 +1,45 @@
+From a7e0fb6c2029a780444d09560f739e020d54fe4d Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Tue, 7 Feb 2017 21:01:01 +1100
+Subject: powerpc/powernv: Fix opal_exit tracepoint opcode
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit a7e0fb6c2029a780444d09560f739e020d54fe4d upstream.
+
+Currently the opal_exit tracepoint usually shows the opcode as 0:
+
+  <idle>-0     [047] d.h.   635.654292: opal_entry: opcode=63
+  <idle>-0     [047] d.h.   635.654296: opal_exit: opcode=0 retval=0
+  kopald-1209  [019] d...   636.420943: opal_entry: opcode=10
+  kopald-1209  [019] d...   636.420959: opal_exit: opcode=0 retval=0
+
+This is because we incorrectly load the opcode into r0 before calling
+__trace_opal_exit(), whereas it expects the opcode in r3 (first function
+parameter). In fact we are leaving the retval in r3, so opcode and
+retval will always show the same value.
+
+Instead load the opcode into r3, resulting in:
+
+  <idle>-0     [040] d.h.   636.618625: opal_entry: opcode=63
+  <idle>-0     [040] d.h.   636.618627: opal_exit: opcode=63 retval=0
+
+Fixes: c49f63530bb6 ("powernv: Add OPAL tracepoints")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/opal-wrappers.S |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powernv/opal-wrappers.S
++++ b/arch/powerpc/platforms/powernv/opal-wrappers.S
+@@ -148,7 +148,7 @@ opal_tracepoint_entry:
+ opal_tracepoint_return:
+       std     r3,STK_REG(R31)(r1)
+       mr      r4,r3
+-      ld      r0,STK_REG(R23)(r1)
++      ld      r3,STK_REG(R23)(r1)
+       bl      __trace_opal_exit
+       ld      r3,STK_REG(R31)(r1)
+       addi    r1,r1,STACKFRAMESIZE
diff --git a/queue-4.4/revert-kvm-nested-vmx-disable-perf-cpuid-reporting.patch b/queue-4.4/revert-kvm-nested-vmx-disable-perf-cpuid-reporting.patch
new file mode 100644 (file)
index 0000000..86b7af5
--- /dev/null
@@ -0,0 +1,55 @@
+From 0b4c208d443ba2af82b4c70f99ca8df31e9a0020 Mon Sep 17 00:00:00 2001
+From: Jim Mattson <jmattson@google.com>
+Date: Tue, 20 Dec 2016 16:34:50 -0800
+Subject: Revert "KVM: nested VMX: disable perf cpuid reporting"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jim Mattson <jmattson@google.com>
+
+commit 0b4c208d443ba2af82b4c70f99ca8df31e9a0020 upstream.
+
+This reverts commit bc6134942dbbf31c25e9bd7c876be5da81c9e1ce.
+
+A CPUID instruction executed in VMX non-root mode always causes a
+VM-exit, regardless of the leaf being queried.
+
+Fixes: bc6134942dbb ("KVM: nested VMX: disable perf cpuid reporting")
+Signed-off-by: Jim Mattson <jmattson@google.com>
+[The issue solved by bc6134942dbb has been resolved with ff651cb613b4
+ ("KVM: nVMX: Add nested msr load/restore algorithm").]
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/cpuid.c |    6 ------
+ arch/x86/kvm/vmx.c   |    2 --
+ 2 files changed, 8 deletions(-)
+
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -818,12 +818,6 @@ void kvm_cpuid(struct kvm_vcpu *vcpu, u3
+       if (!best)
+               best = check_cpuid_limit(vcpu, function, index);
+-      /*
+-       * Perfmon not yet supported for L2 guest.
+-       */
+-      if (is_guest_mode(vcpu) && function == 0xa)
+-              best = NULL;
+-
+       if (best) {
+               *eax = best->eax;
+               *ebx = best->ebx;
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7754,8 +7754,6 @@ static bool nested_vmx_exit_handled(stru
+       case EXIT_REASON_TASK_SWITCH:
+               return true;
+       case EXIT_REASON_CPUID:
+-              if (kvm_register_read(vcpu, VCPU_REGS_RAX) == 0xa)
+-                      return false;
+               return true;
+       case EXIT_REASON_HLT:
+               return nested_cpu_has(vmcs12, CPU_BASED_HLT_EXITING);
diff --git a/queue-4.4/scsi-mac_scsi-fix-mac_scsi-m-option-when-scsi-m.patch b/queue-4.4/scsi-mac_scsi-fix-mac_scsi-m-option-when-scsi-m.patch
new file mode 100644 (file)
index 0000000..f582e1e
--- /dev/null
@@ -0,0 +1,32 @@
+From 2559a1ef688f933835912c731bed2254146a9b04 Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Thu, 23 Feb 2017 09:08:02 +1100
+Subject: scsi: mac_scsi: Fix MAC_SCSI=m option when SCSI=m
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+commit 2559a1ef688f933835912c731bed2254146a9b04 upstream.
+
+The mac_scsi driver still gets disabled when SCSI=m. This should have
+been fixed back when I enabled the tristate but I didn't see the bug.
+
+Fixes: 6e9ae6d560e1 ("[PATCH] mac_scsi: Add module option to Kconfig")
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/Kconfig |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/Kconfig
++++ b/drivers/scsi/Kconfig
+@@ -1637,7 +1637,7 @@ config ATARI_SCSI_RESET_BOOT
+ config MAC_SCSI
+       tristate "Macintosh NCR5380 SCSI"
+-      depends on MAC && SCSI=y
++      depends on MAC && SCSI
+       select SCSI_SPI_ATTRS
+       help
+         This is the NCR 5380 SCSI controller included on most of the 68030
diff --git a/queue-4.4/scsi-scsi_dh_emc-return-success-in-clariion_std_inquiry.patch b/queue-4.4/scsi-scsi_dh_emc-return-success-in-clariion_std_inquiry.patch
new file mode 100644 (file)
index 0000000..98160d9
--- /dev/null
@@ -0,0 +1,32 @@
+From 4d7d39a18b8b81511f0b893b7d2203790bf8a58b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 21 Feb 2017 21:46:37 +0300
+Subject: scsi: scsi_dh_emc: return success in clariion_std_inquiry()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 4d7d39a18b8b81511f0b893b7d2203790bf8a58b upstream.
+
+We accidentally return an uninitialized variable on success.
+
+Fixes: b6ff1b14cdf4 ("[SCSI] scsi_dh: Update EMC handler")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/device_handler/scsi_dh_emc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/device_handler/scsi_dh_emc.c
++++ b/drivers/scsi/device_handler/scsi_dh_emc.c
+@@ -456,7 +456,7 @@ static int clariion_prep_fn(struct scsi_
+ static int clariion_std_inquiry(struct scsi_device *sdev,
+                               struct clariion_dh_data *csdev)
+ {
+-      int err;
++      int err = SCSI_DH_OK;
+       char *sp_model;
+       err = send_inquiry_cmd(sdev, 0, csdev);
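Review bot: The added initializer `int err = SCSI_DH_OK;` is overwritten by the unconditional `err = send_inquiry_cmd(sdev, 0, csdev);` two lines below, so in this 4.4 context it is a dead store and does not change what clariion_std_inquiry() returns. The uninitialized return described in the commit message presumably exists only in trees where that assignment has been removed. It is worth confirming that the backport is needed for 4.4 rather than carrying a no-op. The rest of the function is outside the hunk.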
diff --git a/queue-4.4/serial-8250_omap-fix-probe-and-remove-for-pm-runtime.patch b/queue-4.4/serial-8250_omap-fix-probe-and-remove-for-pm-runtime.patch
new file mode 100644 (file)
index 0000000..6f2b30d
--- /dev/null
@@ -0,0 +1,59 @@
+From 4e0f5cc65098ea32a1e77baae74215b9bd5276b1 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Fri, 20 Jan 2017 12:22:31 -0800
+Subject: serial: 8250_omap: Fix probe and remove for PM runtime
+
+From: Tony Lindgren <tony@atomide.com>
+
+commit 4e0f5cc65098ea32a1e77baae74215b9bd5276b1 upstream.
+
+Otherwise the interconnect related code implementing PM runtime will
+produce these errors on a failed probe:
+
+omap_uart 48066000.serial: omap_device: omap_device_enable() called from invalid state 1
+omap_uart 48066000.serial: use pm_runtime_put_sync_suspend() in driver?
+
+Note that we now also need to check for priv in omap8250_runtime_suspend()
+as it has not yet been registered if probe fails. And we need to use
+pm_runtime_put_sync() to properly idle the device like we already do
+in omap8250_remove().
+
+Fixes: 61929cf0169d ("tty: serial: Add 8250-core based omap driver")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_omap.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -1235,7 +1235,8 @@ static int omap8250_probe(struct platfor
+       pm_runtime_put_autosuspend(&pdev->dev);
+       return 0;
+ err:
+-      pm_runtime_put(&pdev->dev);
++      pm_runtime_dont_use_autosuspend(&pdev->dev);
++      pm_runtime_put_sync(&pdev->dev);
+       pm_runtime_disable(&pdev->dev);
+       return ret;
+ }
+@@ -1244,6 +1245,7 @@ static int omap8250_remove(struct platfo
+ {
+       struct omap8250_priv *priv = platform_get_drvdata(pdev);
++      pm_runtime_dont_use_autosuspend(&pdev->dev);
+       pm_runtime_put_sync(&pdev->dev);
+       pm_runtime_disable(&pdev->dev);
+       serial8250_unregister_port(priv->line);
+@@ -1343,6 +1345,10 @@ static int omap8250_runtime_suspend(stru
+       struct omap8250_priv *priv = dev_get_drvdata(dev);
+       struct uart_8250_port *up;
++      /* In case runtime-pm tries this before we are setup */
++      if (!priv)
++              return 0;
++
+       up = serial8250_get_port(priv->line);
+       /*
+        * When using 'no_console_suspend', the console UART must not be
index 206ed5f901d4cf1bb864f65dabb905c31eab7428..3b96477fe51ceb17fc7068b9a52340685e6fa131 100644 (file)
@@ -1 +1,44 @@
 9p-fix-a-potential-acl-leak.patch
+arm-8452-3-pj4-make-coprocessor-access-sequences-buildable-in-thumb2-mode.patch
+cpupower-fix-turbo-frequency-reporting-for-pre-sandy-bridge-cores.patch
+powerpc-powernv-fix-opal_exit-tracepoint-opcode.patch
+power-supply-bq24190_charger-fix-irq-trigger-to-irqf_trigger_falling.patch
+power-supply-bq24190_charger-call-set_mode_host-on-pm_resume.patch
+power-supply-bq24190_charger-install-irq_handler_thread-at-end-of-probe.patch
+power-supply-bq24190_charger-call-power_supply_changed-for-relevant-component.patch
+power-supply-bq24190_charger-don-t-read-fault-register-outside-irq_handle_thread.patch
+power-supply-bq24190_charger-handle-fault-before-status-on-interrupt.patch
+leds-ktd2692-avoid-harmless-maybe-uninitialized-warning.patch
+arm-omap5-dra7-fix-hyp-mode-boot-for-thumb2-build.patch
+mwifiex-debugfs-fix-sometimes-off-by-1-ssid-print.patch
+mwifiex-remove-redundant-dma-padding-in-amsdu.patch
+mwifiex-avoid-skipping-wep-key-deletion-for-ap.patch
+iwlwifi-pcie-trans-remove-unused-shift_param.patch
+x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch
+x86-pci-calgary-fix-iommu_free-comparison-of-unsigned-expression-0.patch
+clk-make-x86-conditional-on-config_common_clk.patch
+kprobes-x86-fix-kernel-panic-when-certain-exception-handling-addresses-are-probed.patch
+x86-platform-intel-mid-correct-msi-irq-line-for-watchdog-device.patch
+revert-kvm-nested-vmx-disable-perf-cpuid-reporting.patch
+kvm-nvmx-initialize-pml-fields-in-vmcs02.patch
+kvm-nvmx-do-not-leak-pml-full-vmexit-to-l1.patch
+usb-host-ehci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch
+usb-host-ohci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch
+usb-chipidea-only-read-write-otgsc-from-one-place.patch
+usb-chipidea-handle-extcon-events-properly.patch
+usb-serial-keyspan_pda-fix-receive-sanity-checks.patch
+usb-serial-digi_acceleport-fix-incomplete-rx-sanity-check.patch
+usb-serial-ssu100-fix-control-message-error-handling.patch
+usb-serial-io_edgeport-fix-epic-descriptor-handling.patch
+usb-serial-ti_usb_3410_5052-fix-control-message-error-handling.patch
+usb-serial-ark3116-fix-open-error-handling.patch
+usb-serial-ftdi_sio-fix-latency-timer-error-handling.patch
+usb-serial-quatech2-fix-control-message-error-handling.patch
+usb-serial-mct_u232-fix-modem-status-error-handling.patch
+usb-serial-io_edgeport-fix-descriptor-error-handling.patch
+usb-serial-sierra-fix-bogus-alternate-setting-assumption.patch
+phy-qcom-usb-hs-add-depends-on-extcon.patch
+serial-8250_omap-fix-probe-and-remove-for-pm-runtime.patch
+scsi-mac_scsi-fix-mac_scsi-m-option-when-scsi-m.patch
+scsi-scsi_dh_emc-return-success-in-clariion_std_inquiry.patch
+mips-r2-on-r6-multu-maddu-msubu-emulation-bugfix.patch
diff --git a/queue-4.4/usb-chipidea-handle-extcon-events-properly.patch b/queue-4.4/usb-chipidea-handle-extcon-events-properly.patch
new file mode 100644 (file)
index 0000000..b84816b
--- /dev/null
@@ -0,0 +1,128 @@
+From a89b94b53371bbfa582787c2fa3378000ea4263d Mon Sep 17 00:00:00 2001
+From: Stephen Boyd <stephen.boyd@linaro.org>
+Date: Wed, 28 Dec 2016 14:56:51 -0800
+Subject: usb: chipidea: Handle extcon events properly
+
+From: Stephen Boyd <stephen.boyd@linaro.org>
+
+commit a89b94b53371bbfa582787c2fa3378000ea4263d upstream.
+
+We're currently emulating the vbus and id interrupts in the OTGSC
+read API, but we also need to make sure that if we're handling
+the events with extcon that we don't enable the interrupts for
+those events in the hardware. Therefore, properly emulate this
+register if we're using extcon, but don't enable the interrupts.
+This allows me to get my cable connect/disconnect working
+properly without getting spurious interrupts on my device that
+uses an extcon for these two events.
+
+Acked-by: Peter Chen <peter.chen@nxp.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: "Ivan T. Ivanov" <iivanov.xz@gmail.com>
+Fixes: 3ecb3e09b042 ("usb: chipidea: Use extcon framework for VBUS and ID detect")
+Signed-off-by: Stephen Boyd <stephen.boyd@linaro.org>
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/chipidea/otg.c   |   46 ++++++++++++++++++++++++++++++++++++++-----
+ include/linux/usb/chipidea.h |    2 +
+ 2 files changed, 43 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/chipidea/otg.c
++++ b/drivers/usb/chipidea/otg.c
+@@ -44,12 +44,15 @@ u32 hw_read_otgsc(struct ci_hdrc *ci, u3
+               else
+                       val &= ~OTGSC_BSVIS;
+-              cable->changed = false;
+-
+               if (cable->state)
+                       val |= OTGSC_BSV;
+               else
+                       val &= ~OTGSC_BSV;
++
++              if (cable->enabled)
++                      val |= OTGSC_BSVIE;
++              else
++                      val &= ~OTGSC_BSVIE;
+       }
+       cable = &ci->platdata->id_extcon;
+@@ -59,15 +62,18 @@ u32 hw_read_otgsc(struct ci_hdrc *ci, u3
+               else
+                       val &= ~OTGSC_IDIS;
+-              cable->changed = false;
+-
+               if (cable->state)
+                       val |= OTGSC_ID;
+               else
+                       val &= ~OTGSC_ID;
++
++              if (cable->enabled)
++                      val |= OTGSC_IDIE;
++              else
++                      val &= ~OTGSC_IDIE;
+       }
+-      return val;
++      return val & mask;
+ }
+ /**
+@@ -77,6 +83,36 @@ u32 hw_read_otgsc(struct ci_hdrc *ci, u3
+  */
+ void hw_write_otgsc(struct ci_hdrc *ci, u32 mask, u32 data)
+ {
++      struct ci_hdrc_cable *cable;
++
++      cable = &ci->platdata->vbus_extcon;
++      if (!IS_ERR(cable->edev)) {
++              if (data & mask & OTGSC_BSVIS)
++                      cable->changed = false;
++
++              /* Don't enable vbus interrupt if using external notifier */
++              if (data & mask & OTGSC_BSVIE) {
++                      cable->enabled = true;
++                      data &= ~OTGSC_BSVIE;
++              } else if (mask & OTGSC_BSVIE) {
++                      cable->enabled = false;
++              }
++      }
++
++      cable = &ci->platdata->id_extcon;
++      if (!IS_ERR(cable->edev)) {
++              if (data & mask & OTGSC_IDIS)
++                      cable->changed = false;
++
++              /* Don't enable id interrupt if using external notifier */
++              if (data & mask & OTGSC_IDIE) {
++                      cable->enabled = true;
++                      data &= ~OTGSC_IDIE;
++              } else if (mask & OTGSC_IDIE) {
++                      cable->enabled = false;
++              }
++      }
++
+       hw_write(ci, OP_OTGSC, mask | OTGSC_INT_STATUS_BITS, data);
+ }
+--- a/include/linux/usb/chipidea.h
++++ b/include/linux/usb/chipidea.h
+@@ -14,6 +14,7 @@ struct ci_hdrc;
+  * struct ci_hdrc_cable - structure for external connector cable state tracking
+  * @state: current state of the line
+  * @changed: set to true when extcon event happen
++ * @enabled: set to true if we've enabled the vbus or id interrupt
+  * @edev: device which generate events
+  * @ci: driver state of the chipidea device
+  * @nb: hold event notification callback
+@@ -22,6 +23,7 @@ struct ci_hdrc;
+ struct ci_hdrc_cable {
+       bool                            state;
+       bool                            changed;
++      bool                            enabled;
+       struct extcon_dev               *edev;
+       struct ci_hdrc                  *ci;
+       struct notifier_block           nb;
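Review bot: `cable->changed` and the new `cable->enabled` are written in hw_write_otgsc() and read in hw_read_otgsc() with no lock or barrier visible in these hunks, while the kerneldoc for `@changed` says it is set when an extcon event happens, presumably from the notifier callback. An event that sets `changed = true` between the read that reports `OTGSC_BSVIS`/`OTGSC_IDIS` and the write that acknowledges it would be wiped by `cable->changed = false;`. If callers already serialise these accesses, a comment above hw_write_otgsc() such as `/* cable->changed and cable->enabled are serialised against the extcon notifier by <lock name> */` would make that checkable. hw_read_otgsc() starts outside the hunk.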
diff --git a/queue-4.4/usb-chipidea-only-read-write-otgsc-from-one-place.patch b/queue-4.4/usb-chipidea-only-read-write-otgsc-from-one-place.patch
new file mode 100644 (file)
index 0000000..8de8e91
--- /dev/null
@@ -0,0 +1,134 @@
+From f60f8ccd54e03c1afafb2b20ceb029a0eaf7a134 Mon Sep 17 00:00:00 2001
+From: Stephen Boyd <stephen.boyd@linaro.org>
+Date: Wed, 28 Dec 2016 14:56:50 -0800
+Subject: usb: chipidea: Only read/write OTGSC from one place
+
+From: Stephen Boyd <stephen.boyd@linaro.org>
+
+commit f60f8ccd54e03c1afafb2b20ceb029a0eaf7a134 upstream.
+
+With the id and vbus detection done via extcon we need to make
+sure we poll the status of OTGSC properly by considering what the
+extcon is saying, and not just what the register is saying. Let's
+move this hw_wait_reg() function to the only place it's used and
+simplify it for polling the OTGSC register. Then we can make
+certain we only use the hw_read_otgsc() API to read OTGSC, which
+will make sure we properly handle extcon events.
+
+Acked-by: Peter Chen <peter.chen@nxp.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: "Ivan T. Ivanov" <iivanov.xz@gmail.com>
+Fixes: 3ecb3e09b042 ("usb: chipidea: Use extcon framework for VBUS and ID detect")
+Signed-off-by: Stephen Boyd <stephen.boyd@linaro.org>
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/chipidea/ci.h   |    3 ---
+ drivers/usb/chipidea/core.c |   32 --------------------------------
+ drivers/usb/chipidea/otg.c  |   34 ++++++++++++++++++++++++++++++----
+ 3 files changed, 30 insertions(+), 39 deletions(-)
+
+--- a/drivers/usb/chipidea/ci.h
++++ b/drivers/usb/chipidea/ci.h
+@@ -428,9 +428,6 @@ int hw_port_test_set(struct ci_hdrc *ci,
+ u8 hw_port_test_get(struct ci_hdrc *ci);
+-int hw_wait_reg(struct ci_hdrc *ci, enum ci_hw_regs reg, u32 mask,
+-                              u32 value, unsigned int timeout_ms);
+-
+ void ci_platform_configure(struct ci_hdrc *ci);
+ #endif        /* __DRIVERS_USB_CHIPIDEA_CI_H */
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -518,38 +518,6 @@ int hw_device_reset(struct ci_hdrc *ci)
+       return 0;
+ }
+-/**
+- * hw_wait_reg: wait the register value
+- *
+- * Sometimes, it needs to wait register value before going on.
+- * Eg, when switch to device mode, the vbus value should be lower
+- * than OTGSC_BSV before connects to host.
+- *
+- * @ci: the controller
+- * @reg: register index
+- * @mask: mast bit
+- * @value: the bit value to wait
+- * @timeout_ms: timeout in millisecond
+- *
+- * This function returns an error code if timeout
+- */
+-int hw_wait_reg(struct ci_hdrc *ci, enum ci_hw_regs reg, u32 mask,
+-                              u32 value, unsigned int timeout_ms)
+-{
+-      unsigned long elapse = jiffies + msecs_to_jiffies(timeout_ms);
+-
+-      while (hw_read(ci, reg, mask) != value) {
+-              if (time_after(jiffies, elapse)) {
+-                      dev_err(ci->dev, "timeout waiting for %08x in %d\n",
+-                                      mask, reg);
+-                      return -ETIMEDOUT;
+-              }
+-              msleep(20);
+-      }
+-
+-      return 0;
+-}
+-
+ static irqreturn_t ci_irq(int irq, void *data)
+ {
+       struct ci_hdrc *ci = data;
+--- a/drivers/usb/chipidea/otg.c
++++ b/drivers/usb/chipidea/otg.c
+@@ -104,7 +104,31 @@ void ci_handle_vbus_change(struct ci_hdr
+               usb_gadget_vbus_disconnect(&ci->gadget);
+ }
+-#define CI_VBUS_STABLE_TIMEOUT_MS 5000
++/**
++ * When we switch to device mode, the vbus value should be lower
++ * than OTGSC_BSV before connecting to host.
++ *
++ * @ci: the controller
++ *
++ * This function returns an error code if timeout
++ */
++static int hw_wait_vbus_lower_bsv(struct ci_hdrc *ci)
++{
++      unsigned long elapse = jiffies + msecs_to_jiffies(5000);
++      u32 mask = OTGSC_BSV;
++
++      while (hw_read_otgsc(ci, mask)) {
++              if (time_after(jiffies, elapse)) {
++                      dev_err(ci->dev, "timeout waiting for %08x in OTGSC\n",
++                                      mask);
++                      return -ETIMEDOUT;
++              }
++              msleep(20);
++      }
++
++      return 0;
++}
++
+ static void ci_handle_id_switch(struct ci_hdrc *ci)
+ {
+       enum ci_role role = ci_otg_role(ci);
+@@ -116,9 +140,11 @@ static void ci_handle_id_switch(struct c
+               ci_role_stop(ci);
+               if (role == CI_ROLE_GADGET)
+-                      /* wait vbus lower than OTGSC_BSV */
+-                      hw_wait_reg(ci, OP_OTGSC, OTGSC_BSV, 0,
+-                                      CI_VBUS_STABLE_TIMEOUT_MS);
++                      /*
++                       * wait vbus lower than OTGSC_BSV before connecting
++                       * to host
++                       */
++                      hw_wait_vbus_lower_bsv(ci);
+               ci_role_start(ci, role);
+       }
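Review bot: The `-ETIMEDOUT` from hw_wait_vbus_lower_bsv() is discarded in ci_handle_id_switch(), so `ci_role_start(ci, role)` runs even when VBUS never dropped below the threshold. The removed hw_wait_reg() call ignored its result as well, but since the helper now serves only this caller, the result could gate the role start, e.g. `if (role == CI_ROLE_GADGET && hw_wait_vbus_lower_bsv(ci)) return;`. Whether bailing out is the right recovery depends on code outside the hunk. Separately, the literal in `msecs_to_jiffies(5000)` replaces the removed `CI_VBUS_STABLE_TIMEOUT_MS`, and keeping the define would keep the timeout named.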
diff --git a/queue-4.4/usb-host-ehci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch b/queue-4.4/usb-host-ehci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch
new file mode 100644 (file)
index 0000000..dd7efbf
--- /dev/null
@@ -0,0 +1,38 @@
+From 3f6026b1dcb3c8ee71198c485a72ac674c6890dd Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Sat, 7 Jan 2017 10:41:40 +0200
+Subject: usb: host: ehci-exynos: Decrese node refcount on exynos_ehci_get_phy() error paths
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit 3f6026b1dcb3c8ee71198c485a72ac674c6890dd upstream.
+
+Returning from for_each_available_child_of_node() loop requires cleaning
+up node refcount.  Error paths lacked it so for example in case of
+deferred probe, the refcount of phy node was left increased.
+
+Fixes: 6d40500ac9b6 ("usb: ehci/ohci-exynos: Fix of_node_put() for child when getting PHYs")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Reviewed-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/ehci-exynos.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/host/ehci-exynos.c
++++ b/drivers/usb/host/ehci-exynos.c
+@@ -77,10 +77,12 @@ static int exynos_ehci_get_phy(struct de
+               if (IS_ERR(phy)) {
+                       ret = PTR_ERR(phy);
+                       if (ret == -EPROBE_DEFER) {
++                              of_node_put(child);
+                               return ret;
+                       } else if (ret != -ENOSYS && ret != -ENODEV) {
+                               dev_err(dev,
+                                       "Error retrieving usb2 phy: %d\n", ret);
++                              of_node_put(child);
+                               return ret;
+                       }
+               }
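Review bot: Both error returns now repeat `of_node_put(child); return ret;`, and the ohci-exynos patch that follows adds the identical pair in exynos_ohci_get_phy(). A single exit label would keep the reference drop in one place, so a later early return added inside the loop cannot miss it. Each branch could end in `goto err_put;`, with `err_put: of_node_put(child); return ret;` placed after the loop. The loop head and the end of exynos_ehci_get_phy() are outside the hunk, so the label placement needs checking against the full function.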
diff --git a/queue-4.4/usb-host-ohci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch b/queue-4.4/usb-host-ohci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch
new file mode 100644 (file)
index 0000000..8766bcd
--- /dev/null
@@ -0,0 +1,38 @@
+From 68bd6fc3cfa98ef253e17307ccafd8ef907b5556 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Sat, 7 Jan 2017 10:41:41 +0200
+Subject: usb: host: ohci-exynos: Decrese node refcount on exynos_ehci_get_phy() error paths
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit 68bd6fc3cfa98ef253e17307ccafd8ef907b5556 upstream.
+
+Returning from for_each_available_child_of_node() loop requires cleaning
+up node refcount.  Error paths lacked it so for example in case of
+deferred probe, the refcount of phy node was left increased.
+
+Fixes: 6d40500ac9b6 ("usb: ehci/ohci-exynos: Fix of_node_put() for child when getting PHYs")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Reviewed-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/ohci-exynos.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/host/ohci-exynos.c
++++ b/drivers/usb/host/ohci-exynos.c
+@@ -66,10 +66,12 @@ static int exynos_ohci_get_phy(struct de
+               if (IS_ERR(phy)) {
+                       ret = PTR_ERR(phy);
+                       if (ret == -EPROBE_DEFER) {
++                              of_node_put(child);
+                               return ret;
+                       } else if (ret != -ENOSYS && ret != -ENODEV) {
+                               dev_err(dev,
+                                       "Error retrieving usb2 phy: %d\n", ret);
++                              of_node_put(child);
+                               return ret;
+                       }
+               }
diff --git a/queue-4.4/usb-serial-ark3116-fix-open-error-handling.patch b/queue-4.4/usb-serial-ark3116-fix-open-error-handling.patch
new file mode 100644 (file)
index 0000000..e651aed
--- /dev/null
@@ -0,0 +1,81 @@
+From b631433b175f1002a31020e09bbfc2e5caecf290 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:10 +0100
+Subject: USB: serial: ark3116: fix open error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b631433b175f1002a31020e09bbfc2e5caecf290 upstream.
+
+Fix open error handling which failed to detect errors when reading the
+MSR and LSR registers, something which could lead to the shadow
+registers being initialised from errnos.
+
+Note that calling the generic close implementation is sufficient in the
+error paths as the interrupt urb has not yet been submitted and the
+register updates have not been made.
+
+Fixes: f4c1e8d597d1 ("USB: ark3116: Make existing functions 16450-aware
+and add close and release functions.")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ark3116.c |   25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/serial/ark3116.c
++++ b/drivers/usb/serial/ark3116.c
+@@ -373,23 +373,29 @@ static int ark3116_open(struct tty_struc
+               dev_dbg(&port->dev,
+                       "%s - usb_serial_generic_open failed: %d\n",
+                       __func__, result);
+-              goto err_out;
++              goto err_free;
+       }
+       /* remove any data still left: also clears error state */
+       ark3116_read_reg(serial, UART_RX, buf);
+       /* read modem status */
+-      priv->msr = ark3116_read_reg(serial, UART_MSR, buf);
++      result = ark3116_read_reg(serial, UART_MSR, buf);
++      if (result < 0)
++              goto err_close;
++      priv->msr = *buf;
++
+       /* read line status */
+-      priv->lsr = ark3116_read_reg(serial, UART_LSR, buf);
++      result = ark3116_read_reg(serial, UART_LSR, buf);
++      if (result < 0)
++              goto err_close;
++      priv->lsr = *buf;
+       result = usb_submit_urb(port->interrupt_in_urb, GFP_KERNEL);
+       if (result) {
+               dev_err(&port->dev, "submit irq_in urb failed %d\n",
+                       result);
+-              ark3116_close(port);
+-              goto err_out;
++              goto err_close;
+       }
+       /* activate interrupts */
+@@ -402,8 +408,15 @@ static int ark3116_open(struct tty_struc
+       if (tty)
+               ark3116_set_termios(tty, port, NULL);
+-err_out:
+       kfree(buf);
++
++      return 0;
++
++err_close:
++      usb_serial_generic_close(port);
++err_free:
++      kfree(buf);
++
+       return result;
+ }
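Review bot: The new `if (result < 0)` checks after the `UART_MSR` and `UART_LSR` reads catch only a negative return, and `priv->msr = *buf;` / `priv->lsr = *buf;` then take the byte straight from the buffer. If ark3116_read_reg() (outside this hunk) can return a non-negative value for a transfer that delivered no byte, the shadow registers would be loaded from whatever the buffer held before. It is worth confirming that the accessor treats a short read as an error, or clearing the byte with `*buf = 0;` before each read. The start of ark3116_open() is outside the hunk.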
diff --git a/queue-4.4/usb-serial-digi_acceleport-fix-incomplete-rx-sanity-check.patch b/queue-4.4/usb-serial-digi_acceleport-fix-incomplete-rx-sanity-check.patch
new file mode 100644 (file)
index 0000000..91c641a
--- /dev/null
@@ -0,0 +1,81 @@
+From 1b0aed2b1600f6e5c7b9acfbd610a4e351ef5232 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 31 Jan 2017 17:17:28 +0100
+Subject: USB: serial: digi_acceleport: fix incomplete rx sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1b0aed2b1600f6e5c7b9acfbd610a4e351ef5232 upstream.
+
+Make sure the received data has the required headers before parsing it.
+
+Also drop the redundant urb-status check, which has already been handled
+by the caller.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/digi_acceleport.c |   38 +++++++++++++++++++++--------------
+ 1 file changed, 23 insertions(+), 15 deletions(-)
+
+--- a/drivers/usb/serial/digi_acceleport.c
++++ b/drivers/usb/serial/digi_acceleport.c
+@@ -1399,25 +1399,30 @@ static int digi_read_inb_callback(struct
+ {
+       struct usb_serial_port *port = urb->context;
+       struct digi_port *priv = usb_get_serial_port_data(port);
+-      int opcode = ((unsigned char *)urb->transfer_buffer)[0];
+-      int len = ((unsigned char *)urb->transfer_buffer)[1];
+-      int port_status = ((unsigned char *)urb->transfer_buffer)[2];
+-      unsigned char *data = ((unsigned char *)urb->transfer_buffer) + 3;
++      unsigned char *buf = urb->transfer_buffer;
++      int opcode;
++      int len;
++      int port_status;
++      unsigned char *data;
+       int flag, throttled;
+-      int status = urb->status;
+-
+-      /* do not process callbacks on closed ports */
+-      /* but do continue the read chain */
+-      if (urb->status == -ENOENT)
+-              return 0;
+       /* short/multiple packet check */
++      if (urb->actual_length < 2) {
++              dev_warn(&port->dev, "short packet received\n");
++              return -1;
++      }
++
++      opcode = buf[0];
++      len = buf[1];
++
+       if (urb->actual_length != len + 2) {
+-              dev_err(&port->dev, "%s: INCOMPLETE OR MULTIPLE PACKET, "
+-                      "status=%d, port=%d, opcode=%d, len=%d, "
+-                      "actual_length=%d, status=%d\n", __func__, status,
+-                      priv->dp_port_num, opcode, len, urb->actual_length,
+-                      port_status);
++              dev_err(&port->dev, "malformed packet received: port=%d, opcode=%d, len=%d, actual_length=%u\n",
++                      priv->dp_port_num, opcode, len, urb->actual_length);
++              return -1;
++      }
++
++      if (opcode == DIGI_CMD_RECEIVE_DATA && len < 1) {
++              dev_err(&port->dev, "malformed data packet received\n");
+               return -1;
+       }
+@@ -1431,6 +1436,9 @@ static int digi_read_inb_callback(struct
+       /* receive data */
+       if (opcode == DIGI_CMD_RECEIVE_DATA) {
++              port_status = buf[2];
++              data = &buf[3];
++
+               /* get flag from port_status */
+               flag = 0;
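Review bot: The packet layout that the new checks protect in digi_read_inb_callback (opcode at `buf[0]`, length at `buf[1]`, port status at `buf[2]`, payload from `buf[3]`) is only implied by bare indices, so it is not obvious why `len < 1` is rejected for DIGI_CMD_RECEIVE_DATA. I would add a comment above that check such as `/* data packets carry a port-status byte after the two-byte header, so len must be at least 1 */`. The function body continues outside the hunk, so how `len` and `data` are consumed afterwards cannot be confirmed from here.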
diff --git a/queue-4.4/usb-serial-ftdi_sio-fix-latency-timer-error-handling.patch b/queue-4.4/usb-serial-ftdi_sio-fix-latency-timer-error-handling.patch
new file mode 100644 (file)
index 0000000..feda286
--- /dev/null
@@ -0,0 +1,42 @@
+From e3e574ad85a208cb179f33720bb5f12b453de33c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:12 +0100
+Subject: USB: serial: ftdi_sio: fix latency-timer error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit e3e574ad85a208cb179f33720bb5f12b453de33c upstream.
+
+Make sure to detect short responses when reading the latency timer to
+avoid using stale buffer data.
+
+Note that no heap data would currently leak through sysfs as
+ASYNC_LOW_LATENCY is set by default.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ftdi_sio.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1439,10 +1439,13 @@ static int read_latency_timer(struct usb
+                            FTDI_SIO_GET_LATENCY_TIMER_REQUEST_TYPE,
+                            0, priv->interface,
+                            buf, 1, WDR_TIMEOUT);
+-      if (rv < 0)
++      if (rv < 1) {
+               dev_err(&port->dev, "Unable to read latency timer: %i\n", rv);
+-      else
++              if (rv >= 0)
++                      rv = -EIO;
++      } else {
+               priv->latency = buf[0];
++      }
+       kfree(buf);
diff --git a/queue-4.4/usb-serial-io_edgeport-fix-descriptor-error-handling.patch b/queue-4.4/usb-serial-io_edgeport-fix-descriptor-error-handling.patch
new file mode 100644 (file)
index 0000000..03784a7
--- /dev/null
@@ -0,0 +1,83 @@
+From 3c0e25d883d06a1fbd1ad35257e8abaa57befb37 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:14 +0100
+Subject: USB: serial: io_edgeport: fix descriptor error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3c0e25d883d06a1fbd1ad35257e8abaa57befb37 upstream.
+
+Make sure to detect short control-message transfers and log an error
+when reading incomplete manufacturer and boot descriptors.
+
+Note that the default all-zero descriptors will now be used after a
+short transfer is detected instead of partially initialised ones.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/io_edgeport.c |   24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+--- a/drivers/usb/serial/io_edgeport.c
++++ b/drivers/usb/serial/io_edgeport.c
+@@ -2109,8 +2109,7 @@ static int rom_write(struct usb_serial *
+  * rom_read
+  *    reads a number of bytes from the Edgeport device starting at the given
+  *    address.
+- *    If successful returns the number of bytes read, otherwise it returns
+- *    a negative error number of the problem.
++ *    Returns zero on success or a negative error number.
+  ****************************************************************************/
+ static int rom_read(struct usb_serial *serial, __u16 extAddr,
+                                       __u16 addr, __u16 length, __u8 *data)
+@@ -2135,12 +2134,17 @@ static int rom_read(struct usb_serial *s
+                                       USB_REQUEST_ION_READ_ROM,
+                                       0xC0, addr, extAddr, transfer_buffer,
+                                       current_length, 300);
+-              if (result < 0)
++              if (result < current_length) {
++                      if (result >= 0)
++                              result = -EIO;
+                       break;
++              }
+               memcpy(data, transfer_buffer, current_length);
+               length -= current_length;
+               addr += current_length;
+               data += current_length;
++
++              result = 0;
+       }
+       kfree(transfer_buffer);
+@@ -2597,9 +2601,10 @@ static void get_manufacturing_desc(struc
+                               EDGE_MANUF_DESC_LEN,
+                               (__u8 *)(&edge_serial->manuf_descriptor));
+-      if (response < 1)
+-              dev_err(dev, "error in getting manufacturer descriptor\n");
+-      else {
++      if (response < 0) {
++              dev_err(dev, "error in getting manufacturer descriptor: %d\n",
++                              response);
++      } else {
+               char string[30];
+               dev_dbg(dev, "**Manufacturer Descriptor\n");
+               dev_dbg(dev, "  RomSize:        %dK\n",
+@@ -2656,9 +2661,10 @@ static void get_boot_desc(struct edgepor
+                               EDGE_BOOT_DESC_LEN,
+                               (__u8 *)(&edge_serial->boot_descriptor));
+-      if (response < 1)
+-              dev_err(dev, "error in getting boot descriptor\n");
+-      else {
++      if (response < 0) {
++              dev_err(dev, "error in getting boot descriptor: %d\n",
++                              response);
++      } else {
+               dev_dbg(dev, "**Boot Descriptor:\n");
+               dev_dbg(dev, "  BootCodeLength: %d\n",
+                       le16_to_cpu(edge_serial->boot_descriptor.BootCodeLength));
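Review bot: rom_read() still copies each completed chunk into `data` before issuing the next transfer, so when a later chunk comes back short the caller's buffer already holds the earlier chunks while the function returns -EIO. The commit text says all-zero descriptors are used after a short transfer, which appears to hold only when the descriptor fits in a single chunk; the chunk size and the descriptor lengths are outside the hunk. Either state this in the header comment, e.g. ` *    On error, data may already hold the chunks read before the failure.`, or have get_manufacturing_desc() and get_boot_desc() clear the descriptor in their `response < 0` branch.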
diff --git a/queue-4.4/usb-serial-io_edgeport-fix-epic-descriptor-handling.patch b/queue-4.4/usb-serial-io_edgeport-fix-epic-descriptor-handling.patch
new file mode 100644 (file)
index 0000000..018c2f2
--- /dev/null
@@ -0,0 +1,79 @@
+From e4457d9798adb96272468e93da663de9bd0a4198 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:13 +0100
+Subject: USB: serial: io_edgeport: fix epic-descriptor handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit e4457d9798adb96272468e93da663de9bd0a4198 upstream.
+
+Use a dedicated buffer for the DMA transfer and make sure to detect
+short transfers to avoid parsing a corrupt descriptor.
+
+Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/io_edgeport.c |   24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/serial/io_edgeport.c
++++ b/drivers/usb/serial/io_edgeport.c
+@@ -492,20 +492,24 @@ static int get_epic_descriptor(struct ed
+       int result;
+       struct usb_serial *serial = ep->serial;
+       struct edgeport_product_info *product_info = &ep->product_info;
+-      struct edge_compatibility_descriptor *epic = &ep->epic_descriptor;
++      struct edge_compatibility_descriptor *epic;
+       struct edge_compatibility_bits *bits;
+       struct device *dev = &serial->dev->dev;
+       ep->is_epic = 0;
++
++      epic = kmalloc(sizeof(*epic), GFP_KERNEL);
++      if (!epic)
++              return -ENOMEM;
++
+       result = usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0),
+                                USB_REQUEST_ION_GET_EPIC_DESC,
+                                0xC0, 0x00, 0x00,
+-                               &ep->epic_descriptor,
+-                               sizeof(struct edge_compatibility_descriptor),
++                               epic, sizeof(*epic),
+                                300);
+-
+-      if (result > 0) {
++      if (result == sizeof(*epic)) {
+               ep->is_epic = 1;
++              memcpy(&ep->epic_descriptor, epic, sizeof(*epic));
+               memset(product_info, 0, sizeof(struct edgeport_product_info));
+               product_info->NumPorts = epic->NumPorts;
+@@ -534,8 +538,16 @@ static int get_epic_descriptor(struct ed
+               dev_dbg(dev, "  IOSPWriteLCR     : %s\n", bits->IOSPWriteLCR    ? "TRUE": "FALSE");
+               dev_dbg(dev, "  IOSPSetBaudRate  : %s\n", bits->IOSPSetBaudRate ? "TRUE": "FALSE");
+               dev_dbg(dev, "  TrueEdgeport     : %s\n", bits->TrueEdgeport    ? "TRUE": "FALSE");
++
++              result = 0;
++      } else if (result >= 0) {
++              dev_warn(&serial->interface->dev, "short epic descriptor received: %d\n",
++                       result);
++              result = -EIO;
+       }
++      kfree(epic);
++
+       return result;
+ }
+@@ -2789,7 +2801,7 @@ static int edge_startup(struct usb_seria
+       dev_info(&serial->dev->dev, "%s detected\n", edge_serial->name);
+       /* Read the epic descriptor */
+-      if (get_epic_descriptor(edge_serial) <= 0) {
++      if (get_epic_descriptor(edge_serial) < 0) {
+               /* memcpy descriptor to Supports structures */
+               memcpy(&edge_serial->epic_descriptor.Supports, descriptor,
+                      sizeof(struct edge_compatibility_bits));
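Review bot: In edge_startup every negative return from get_epic_descriptor() takes the fallback branch, and after this change that covers the new `-ENOMEM` and short-descriptor `-EIO` paths as well as a device that does not answer the request at all. A comment at the call site would make that intent explicit, e.g. `/* any failure, including a short or unreadable descriptor, falls back to the built-in one */`. The rest of the branch lies outside the hunk, so whether startup should abort on -ENOMEM instead of continuing cannot be judged from here.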
diff --git a/queue-4.4/usb-serial-keyspan_pda-fix-receive-sanity-checks.patch b/queue-4.4/usb-serial-keyspan_pda-fix-receive-sanity-checks.patch
new file mode 100644 (file)
index 0000000..6c3124e
--- /dev/null
@@ -0,0 +1,63 @@
+From c528fcb116e61afc379a2e0a0f70906b937f1e2c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 31 Jan 2017 17:17:29 +0100
+Subject: USB: serial: keyspan_pda: fix receive sanity checks
+
+From: Johan Hovold <johan@kernel.org>
+
+commit c528fcb116e61afc379a2e0a0f70906b937f1e2c upstream.
+
+Make sure to check for short transfers before parsing the receive buffer
+to avoid acting on stale data.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/keyspan_pda.c |   19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/serial/keyspan_pda.c
++++ b/drivers/usb/serial/keyspan_pda.c
+@@ -139,6 +139,7 @@ static void keyspan_pda_rx_interrupt(str
+ {
+       struct usb_serial_port *port = urb->context;
+       unsigned char *data = urb->transfer_buffer;
++      unsigned int len = urb->actual_length;
+       int retval;
+       int status = urb->status;
+       struct keyspan_pda_private *priv;
+@@ -159,18 +160,26 @@ static void keyspan_pda_rx_interrupt(str
+               goto exit;
+       }
++      if (len < 1) {
++              dev_warn(&port->dev, "short message received\n");
++              goto exit;
++      }
++
+       /* see if the message is data or a status interrupt */
+       switch (data[0]) {
+       case 0:
+                /* rest of message is rx data */
+-              if (urb->actual_length) {
+-                      tty_insert_flip_string(&port->port, data + 1,
+-                                              urb->actual_length - 1);
+-                      tty_flip_buffer_push(&port->port);
+-              }
++              if (len < 2)
++                      break;
++              tty_insert_flip_string(&port->port, data + 1, len - 1);
++              tty_flip_buffer_push(&port->port);
+               break;
+       case 1:
+               /* status interrupt */
++              if (len < 3) {
++                      dev_warn(&port->dev, "short interrupt message received\n");
++                      break;
++              }
+               dev_dbg(&port->dev, "rx int, d1=%d, d2=%d\n", data[1], data[2]);
+               switch (data[1]) {
+               case 1: /* modemline change */
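Review bot: The two new `dev_warn()` calls in keyspan_pda_rx_interrupt run in the interrupt-URB completion handler and are triggered purely by a device-supplied length, so a faulty or misbehaving device could fill the kernel log with them. Rate-limited logging would bound that: `dev_warn_ratelimited(&port->dev, "short message received\n");`, and likewise for the "short interrupt message received" case. What happens at the `exit` label is outside the hunk, so this assumes the URB is resubmitted there.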
diff --git a/queue-4.4/usb-serial-mct_u232-fix-modem-status-error-handling.patch b/queue-4.4/usb-serial-mct_u232-fix-modem-status-error-handling.patch
new file mode 100644 (file)
index 0000000..9cd4de3
--- /dev/null
@@ -0,0 +1,41 @@
+From 36356a669eddb32917fc4b5c2b9b8bf80ede69de Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:16 +0100
+Subject: USB: serial: mct_u232: fix modem-status error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 36356a669eddb32917fc4b5c2b9b8bf80ede69de upstream.
+
+Make sure to detect short control-message transfers so that errors are
+logged when reading the modem status at open.
+
+Note that while this also avoids initialising the modem status using
+uninitialised heap data, these bits could not leak to user space as they
+are currently not used.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/mct_u232.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/mct_u232.c
++++ b/drivers/usb/serial/mct_u232.c
+@@ -322,8 +322,12 @@ static int mct_u232_get_modem_stat(struc
+                       MCT_U232_GET_REQUEST_TYPE,
+                       0, 0, buf, MCT_U232_GET_MODEM_STAT_SIZE,
+                       WDR_TIMEOUT);
+-      if (rc < 0) {
++      if (rc < MCT_U232_GET_MODEM_STAT_SIZE) {
+               dev_err(&port->dev, "Get MODEM STATus failed (error = %d)\n", rc);
++
++              if (rc >= 0)
++                      rc = -EIO;
++
+               *msr = 0;
+       } else {
+               *msr = buf[0];
diff --git a/queue-4.4/usb-serial-quatech2-fix-control-message-error-handling.patch b/queue-4.4/usb-serial-quatech2-fix-control-message-error-handling.patch
new file mode 100644 (file)
index 0000000..3426272
--- /dev/null
@@ -0,0 +1,75 @@
+From 8c34cb8ddfe808d557b51da983ff10c02793beb2 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:20 +0100
+Subject: USB: serial: quatech2: fix control-message error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 8c34cb8ddfe808d557b51da983ff10c02793beb2 upstream.
+
+Make sure to detect short control-message transfers when fetching
+modem and line state in open and when retrieving registers.
+
+This specifically makes sure that an errno is returned to user space on
+errors in TIOCMGET instead of a zero bitmask.
+
+Also drop the unused getdevice function which also lacked appropriate
+error handling.
+
+Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/quatech2.c |   24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/serial/quatech2.c
++++ b/drivers/usb/serial/quatech2.c
+@@ -188,22 +188,22 @@ static inline int qt2_setdevice(struct u
+ }
+-static inline int qt2_getdevice(struct usb_device *dev, u8 *data)
+-{
+-      return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
+-                             QT_SET_GET_DEVICE, 0xc0, 0, 0,
+-                             data, 3, QT2_USB_TIMEOUT);
+-}
+-
+ static inline int qt2_getregister(struct usb_device *dev,
+                                 u8 uart,
+                                 u8 reg,
+                                 u8 *data)
+ {
+-      return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
+-                             QT_SET_GET_REGISTER, 0xc0, reg,
+-                             uart, data, sizeof(*data), QT2_USB_TIMEOUT);
++      int ret;
++      ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
++                            QT_SET_GET_REGISTER, 0xc0, reg,
++                            uart, data, sizeof(*data), QT2_USB_TIMEOUT);
++      if (ret < sizeof(*data)) {
++              if (ret >= 0)
++                      ret = -EIO;
++      }
++
++      return ret;
+ }
+ static inline int qt2_setregister(struct usb_device *dev,
+@@ -372,9 +372,11 @@ static int qt2_open(struct tty_struct *t
+                                0xc0, 0,
+                                device_port, data, 2, QT2_USB_TIMEOUT);
+-      if (status < 0) {
++      if (status < 2) {
+               dev_err(&port->dev, "%s - open port failed %i\n", __func__,
+                       status);
++              if (status >= 0)
++                      status = -EIO;
+               kfree(data);
+               return status;
+       }
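Review bot: In qt2_getregister the test `ret < sizeof(*data)` compares an `int` with a `size_t`, so a negative `ret` is converted to a large unsigned value and the condition is false for every error return. The outcome is still correct because the negative value is then returned unchanged, but the code reads as though the outer test covered errors, and it will trip -Wsign-compare. The block can be written as `if (ret >= 0 && ret < (int)sizeof(*data)) ret = -EIO;`. ssu100_getregister in the ssu100 patch of this series uses the same construct.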
diff --git a/queue-4.4/usb-serial-sierra-fix-bogus-alternate-setting-assumption.patch b/queue-4.4/usb-serial-sierra-fix-bogus-alternate-setting-assumption.patch
new file mode 100644 (file)
index 0000000..c24be33
--- /dev/null
@@ -0,0 +1,91 @@
+From 16620b483eaf7750413bae472f4363b6b959fcaa Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 6 Feb 2017 16:28:14 +0100
+Subject: USB: serial: sierra: fix bogus alternate-setting assumption
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 16620b483eaf7750413bae472f4363b6b959fcaa upstream.
+
+Interface numbers do not change when enabling alternate settings as
+comment and code in this driver suggested.
+
+Remove the confusing comment and redundant retrieval of the interface
+number in probe, while simplifying and renaming the interface-number
+helper.
+
+Fixes: 4db2299da213 ("sierra: driver interface blacklisting")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/sierra.c |   28 +++++-----------------------
+ 1 file changed, 5 insertions(+), 23 deletions(-)
+
+--- a/drivers/usb/serial/sierra.c
++++ b/drivers/usb/serial/sierra.c
+@@ -137,24 +137,9 @@ static int is_himemory(const u8 ifnum,
+       return 0;
+ }
+-static int sierra_calc_interface(struct usb_serial *serial)
++static u8 sierra_interface_num(struct usb_serial *serial)
+ {
+-      int interface;
+-      struct usb_interface *p_interface;
+-      struct usb_host_interface *p_host_interface;
+-
+-      /* Get the interface structure pointer from the serial struct */
+-      p_interface = serial->interface;
+-
+-      /* Get a pointer to the host interface structure */
+-      p_host_interface = p_interface->cur_altsetting;
+-
+-      /* read the interface descriptor for this active altsetting
+-       * to find out the interface number we are on
+-      */
+-      interface = p_host_interface->desc.bInterfaceNumber;
+-
+-      return interface;
++      return serial->interface->cur_altsetting->desc.bInterfaceNumber;
+ }
+ static int sierra_probe(struct usb_serial *serial,
+@@ -165,7 +150,7 @@ static int sierra_probe(struct usb_seria
+       u8 ifnum;
+       udev = serial->dev;
+-      ifnum = sierra_calc_interface(serial);
++      ifnum = sierra_interface_num(serial);
+       /*
+        * If this interface supports more than 1 alternate
+@@ -178,9 +163,6 @@ static int sierra_probe(struct usb_seria
+               usb_set_interface(udev, ifnum, 1);
+       }
+-      /* ifnum could have changed - by calling usb_set_interface */
+-      ifnum = sierra_calc_interface(serial);
+-
+       if (is_blacklisted(ifnum,
+                               (struct sierra_iface_info *)id->driver_info)) {
+               dev_dbg(&serial->dev->dev,
+@@ -342,7 +324,7 @@ static int sierra_send_setup(struct usb_
+       /* If composite device then properly report interface */
+       if (serial->num_ports == 1) {
+-              interface = sierra_calc_interface(serial);
++              interface = sierra_interface_num(serial);
+               /* Control message is sent only to interfaces with
+                * interrupt_in endpoints
+                */
+@@ -916,7 +898,7 @@ static int sierra_port_probe(struct usb_
+       /* Determine actual memory requirements */
+       if (serial->num_ports == 1) {
+               /* Get interface number for composite device */
+-              ifnum = sierra_calc_interface(serial);
++              ifnum = sierra_interface_num(serial);
+               himemoryp = &typeB_interface_list;
+       } else {
+               /* This is really the usb-serial port number of the interface
diff --git a/queue-4.4/usb-serial-ssu100-fix-control-message-error-handling.patch b/queue-4.4/usb-serial-ssu100-fix-control-message-error-handling.patch
new file mode 100644 (file)
index 0000000..251e6e4
--- /dev/null
@@ -0,0 +1,78 @@
+From 1eac5c244f705182d1552a53e2f74e2775ed95d6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:22 +0100
+Subject: USB: serial: ssu100: fix control-message error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1eac5c244f705182d1552a53e2f74e2775ed95d6 upstream.
+
+Make sure to detect short control-message transfers rather than continue
+with zero-initialised data when retrieving modem status and during
+device initialisation.
+
+Fixes: 52af95459939 ("USB: add USB serial ssu100 driver")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ssu100.c |   31 ++++++++++++++++++++++++-------
+ 1 file changed, 24 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/serial/ssu100.c
++++ b/drivers/usb/serial/ssu100.c
+@@ -80,9 +80,17 @@ static inline int ssu100_setdevice(struc
+ static inline int ssu100_getdevice(struct usb_device *dev, u8 *data)
+ {
+-      return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
+-                             QT_SET_GET_DEVICE, 0xc0, 0, 0,
+-                             data, 3, 300);
++      int ret;
++
++      ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
++                            QT_SET_GET_DEVICE, 0xc0, 0, 0,
++                            data, 3, 300);
++      if (ret < 3) {
++              if (ret >= 0)
++                      ret = -EIO;
++      }
++
++      return ret;
+ }
+ static inline int ssu100_getregister(struct usb_device *dev,
+@@ -90,10 +98,17 @@ static inline int ssu100_getregister(str
+                                    unsigned short reg,
+                                    u8 *data)
+ {
+-      return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
+-                             QT_SET_GET_REGISTER, 0xc0, reg,
+-                             uart, data, sizeof(*data), 300);
++      int ret;
++      ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
++                            QT_SET_GET_REGISTER, 0xc0, reg,
++                            uart, data, sizeof(*data), 300);
++      if (ret < sizeof(*data)) {
++              if (ret >= 0)
++                      ret = -EIO;
++      }
++
++      return ret;
+ }
+@@ -289,8 +304,10 @@ static int ssu100_open(struct tty_struct
+                                QT_OPEN_CLOSE_CHANNEL,
+                                QT_TRANSFER_IN, 0x01,
+                                0, data, 2, 300);
+-      if (result < 0) {
++      if (result < 2) {
+               dev_dbg(&port->dev, "%s - open failed %i\n", __func__, result);
++              if (result >= 0)
++                      result = -EIO;
+               kfree(data);
+               return result;
+       }
diff --git a/queue-4.4/usb-serial-ti_usb_3410_5052-fix-control-message-error-handling.patch b/queue-4.4/usb-serial-ti_usb_3410_5052-fix-control-message-error-handling.patch
new file mode 100644 (file)
index 0000000..f63a2f9
--- /dev/null
@@ -0,0 +1,55 @@
+From 39712e8bfa8d3aa6ce1e60fc9d62c9b076c17a30 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:23 +0100
+Subject: USB: serial: ti_usb_3410_5052: fix control-message error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 39712e8bfa8d3aa6ce1e60fc9d62c9b076c17a30 upstream.
+
+Make sure to detect and return an error on zero-length control-message
+transfers when reading from the device.
+
+This addresses a potential failure to detect an empty transmit buffer
+during close.
+
+Also remove a redundant check for short transfer when sending a command.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ti_usb_3410_5052.c |   12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/serial/ti_usb_3410_5052.c
++++ b/drivers/usb/serial/ti_usb_3410_5052.c
+@@ -1352,13 +1352,10 @@ static int ti_command_out_sync(struct ti
+               (USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT),
+               value, moduleid, data, size, 1000);
+-      if (status == size)
+-              status = 0;
+-
+-      if (status > 0)
+-              status = -ECOMM;
++      if (status < 0)
++              return status;
+-      return status;
++      return 0;
+ }
+@@ -1374,8 +1371,7 @@ static int ti_command_in_sync(struct ti_
+       if (status == size)
+               status = 0;
+-
+-      if (status > 0)
++      else if (status >= 0)
+               status = -ECOMM;
+       return status;
diff --git a/queue-4.4/x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch b/queue-4.4/x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch
new file mode 100644 (file)
index 0000000..aea8209
--- /dev/null
@@ -0,0 +1,46 @@
+From a9b4f08770b415f30f2fb0f8329a370c8f554aa3 Mon Sep 17 00:00:00 2001
+From: Ruslan Ruslichenko <rruslich@cisco.com>
+Date: Tue, 17 Jan 2017 16:13:52 +0200
+Subject: x86/ioapic: Restore IO-APIC irq_chip retrigger callback
+
+From: Ruslan Ruslichenko <rruslich@cisco.com>
+
+commit a9b4f08770b415f30f2fb0f8329a370c8f554aa3 upstream.
+
+commit d32932d02e18 removed the irq_retrigger callback from the IO-APIC
+chip and did not add it to the new IO-APIC-IR irq chip.
+
+There is no harm because the interrupts are resent in software when the
+retrigger callback is NULL, but it's less efficient. So restore them.
+
+[ tglx: Massaged changelog ]
+
+Fixes: d32932d02e18  ("x86/irq: Convert IOAPIC to use hierarchical irqdomain interfaces")
+Signed-off-by: Ruslan Ruslichenko <rruslich@cisco.com>
+Cc: xe-linux-external@cisco.com
+Link: http://lkml.kernel.org/r/1484662432-13580-1-git-send-email-rruslich@cisco.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/io_apic.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -1875,6 +1875,7 @@ static struct irq_chip ioapic_chip __rea
+       .irq_ack                = irq_chip_ack_parent,
+       .irq_eoi                = ioapic_ack_level,
+       .irq_set_affinity       = ioapic_set_affinity,
++      .irq_retrigger          = irq_chip_retrigger_hierarchy,
+       .flags                  = IRQCHIP_SKIP_SET_WAKE,
+ };
+@@ -1886,6 +1887,7 @@ static struct irq_chip ioapic_ir_chip __
+       .irq_ack                = irq_chip_ack_parent,
+       .irq_eoi                = ioapic_ir_ack_level,
+       .irq_set_affinity       = ioapic_set_affinity,
++      .irq_retrigger          = irq_chip_retrigger_hierarchy,
+       .flags                  = IRQCHIP_SKIP_SET_WAKE,
+ };
diff --git a/queue-4.4/x86-pci-calgary-fix-iommu_free-comparison-of-unsigned-expression-0.patch b/queue-4.4/x86-pci-calgary-fix-iommu_free-comparison-of-unsigned-expression-0.patch
new file mode 100644 (file)
index 0000000..7344d80
--- /dev/null
@@ -0,0 +1,48 @@
+From 68dee8e2f2cacc54d038394e70d22411dee89da2 Mon Sep 17 00:00:00 2001
+From: Nikola Pajkovsky <npajkovsky@suse.cz>
+Date: Tue, 15 Nov 2016 09:47:49 +0100
+Subject: x86/pci-calgary: Fix iommu_free() comparison of unsigned expression >= 0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nikola Pajkovsky <npajkovsky@suse.cz>
+
+commit 68dee8e2f2cacc54d038394e70d22411dee89da2 upstream.
+
+commit 8fd524b355da ("x86: Kill bad_dma_address variable") has killed
+bad_dma_address variable and used instead of macro DMA_ERROR_CODE
+which is always zero. Since dma_addr is unsigned, the statement
+
+   dma_addr >= DMA_ERROR_CODE
+
+is always true, and not needed.
+
+arch/x86/kernel/pci-calgary_64.c: In function ‘iommu_free’:
+arch/x86/kernel/pci-calgary_64.c:299:2: warning: comparison of unsigned expression >= 0 is always true [-Wtype-limits]
+  if (unlikely((dma_addr >= DMA_ERROR_CODE) && (dma_addr < badend))) {
+
+Fixes: 8fd524b355da ("x86: Kill bad_dma_address variable")
+Signed-off-by: Nikola Pajkovsky <npajkovsky@suse.cz>
+Cc: iommu@lists.linux-foundation.org
+Cc: Jon Mason <jdmason@kudzu.us>
+Cc: Muli Ben-Yehuda <mulix@mulix.org>
+Link: http://lkml.kernel.org/r/7612c0f9dd7c1290407dbf8e809def922006920b.1479161177.git.npajkovsky@suse.cz
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/pci-calgary_64.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/pci-calgary_64.c
++++ b/arch/x86/kernel/pci-calgary_64.c
+@@ -296,7 +296,7 @@ static void iommu_free(struct iommu_tabl
+       /* were we called with bad_dma_address? */
+       badend = DMA_ERROR_CODE + (EMERGENCY_PAGES * PAGE_SIZE);
+-      if (unlikely((dma_addr >= DMA_ERROR_CODE) && (dma_addr < badend))) {
++      if (unlikely(dma_addr < badend)) {
+               WARN(1, KERN_ERR "Calgary: driver tried unmapping bad DMA "
+                      "address 0x%Lx\n", dma_addr);
+               return;
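Review bot: The simplified test `dma_addr < badend` in iommu_free matches the old range check only while DMA_ERROR_CODE is 0, yet `badend` is still computed from that macro and the comment above still refers to the removed `bad_dma_address` variable. I would update the comment to `/* were we called with an address in the emergency-page range? */` and pin the assumption next to the `badend` computation with `BUILD_BUG_ON(DMA_ERROR_CODE != 0);`. The function starts and ends outside the hunk.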
diff --git a/queue-4.4/x86-platform-intel-mid-correct-msi-irq-line-for-watchdog-device.patch b/queue-4.4/x86-platform-intel-mid-correct-msi-irq-line-for-watchdog-device.patch
new file mode 100644 (file)
index 0000000..04b1707
--- /dev/null
@@ -0,0 +1,44 @@
+From 80354c29025833acd72ddac1ffa21c6cb50128cd Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Sun, 12 Mar 2017 17:07:44 +0200
+Subject: x86/platform/intel-mid: Correct MSI IRQ line for watchdog device
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 80354c29025833acd72ddac1ffa21c6cb50128cd upstream.
+
+The interrupt line used for the watchdog is 12, according to the official
+Intel Edison BSP code.
+
+And indeed after fixing it we start getting an interrupt and thus the
+watchdog starts working again:
+
+  [  191.699951] Kernel panic - not syncing: Kernel Watchdog
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: David Cohen <david.a.cohen@linux.intel.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 78a3bb9e408b ("x86: intel-mid: add watchdog platform code for Merrifield")
+Link: http://lkml.kernel.org/r/20170312150744.45493-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/platform/intel-mid/device_libs/platform_wdt.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/platform/intel-mid/device_libs/platform_wdt.c
++++ b/arch/x86/platform/intel-mid/device_libs/platform_wdt.c
+@@ -17,7 +17,7 @@
+ #include <asm/intel-mid.h>
+ #include <asm/io_apic.h>
+-#define TANGIER_EXT_TIMER0_MSI 15
++#define TANGIER_EXT_TIMER0_MSI 12
+ static struct platform_device wdt_dev = {
+       .name = "intel_mid_wdt",