3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 2 May 2015 13:03:11 +0000 (15:03 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 2 May 2015 13:03:11 +0000 (15:03 +0200)
added patches:
arm-8320-1-fix-integer-overflow-in-elf_et_dyn_base.patch
arm-at91-dt-sama5d3-xplained-add-phy-address-for-macb1.patch
arm-dts-dove-fix-uart-reg-property.patch
arm-s3c64xx-use-fixed-irq-bases-to-avoid-conflicts-on-cragganmore.patch
cdc-wdm-fix-endianness-bug-in-debug-statements.patch
compal-laptop-check-return-value-of-power_supply_register.patch
md-raid0-fix-bug-with-chunksize-not-a-power-of-2.patch
nfs-fix-bug-crash-in-notify_change-with-patch-to-chown_common.patch
power_supply-lp8788-charger-fix-leaked-power-supply-on-probe-fail.patch
power_supply-twl4030_madc-check-return-value-of-power_supply_register.patch
ring-buffer-replace-this_cpu_-with-__this_cpu_.patch
spi-spidev-fix-possible-arithmetic-overflow-for-multi-transfer-message.patch
usb-define-a-generic-usb_resume_timeout-macro.patch
usb-phy-find-the-right-match-in-devm_usb_phy_match.patch

15 files changed:
queue-3.14/arm-8320-1-fix-integer-overflow-in-elf_et_dyn_base.patch [new file with mode: 0644]
queue-3.14/arm-at91-dt-sama5d3-xplained-add-phy-address-for-macb1.patch [new file with mode: 0644]
queue-3.14/arm-dts-dove-fix-uart-reg-property.patch [new file with mode: 0644]
queue-3.14/arm-s3c64xx-use-fixed-irq-bases-to-avoid-conflicts-on-cragganmore.patch [new file with mode: 0644]
queue-3.14/cdc-wdm-fix-endianness-bug-in-debug-statements.patch [new file with mode: 0644]
queue-3.14/compal-laptop-check-return-value-of-power_supply_register.patch [new file with mode: 0644]
queue-3.14/md-raid0-fix-bug-with-chunksize-not-a-power-of-2.patch [new file with mode: 0644]
queue-3.14/nfs-fix-bug-crash-in-notify_change-with-patch-to-chown_common.patch [new file with mode: 0644]
queue-3.14/power_supply-lp8788-charger-fix-leaked-power-supply-on-probe-fail.patch [new file with mode: 0644]
queue-3.14/power_supply-twl4030_madc-check-return-value-of-power_supply_register.patch [new file with mode: 0644]
queue-3.14/ring-buffer-replace-this_cpu_-with-__this_cpu_.patch [new file with mode: 0644]
queue-3.14/series
queue-3.14/spi-spidev-fix-possible-arithmetic-overflow-for-multi-transfer-message.patch [new file with mode: 0644]
queue-3.14/usb-define-a-generic-usb_resume_timeout-macro.patch [new file with mode: 0644]
queue-3.14/usb-phy-find-the-right-match-in-devm_usb_phy_match.patch [new file with mode: 0644]

diff --git a/queue-3.14/arm-8320-1-fix-integer-overflow-in-elf_et_dyn_base.patch b/queue-3.14/arm-8320-1-fix-integer-overflow-in-elf_et_dyn_base.patch
new file mode 100644 (file)
index 0000000..5047343
--- /dev/null
@@ -0,0 +1,48 @@
+From 8defb3367fcd19d1af64c07792aade0747b54e0f Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <a.ryabinin@samsung.com>
+Date: Fri, 20 Mar 2015 15:42:27 +0100
+Subject: ARM: 8320/1: fix integer overflow in ELF_ET_DYN_BASE
+
+From: Andrey Ryabinin <a.ryabinin@samsung.com>
+
+commit 8defb3367fcd19d1af64c07792aade0747b54e0f upstream.
+
+Usually ELF_ET_DYN_BASE is 2/3 of TASK_SIZE. With 3G/1G user/kernel
+split this is not so, because 2*TASK_SIZE overflows 32 bits,
+so the actual value of ELF_ET_DYN_BASE is:
+       (2 * TASK_SIZE / 3) = 0x2a000000
+
+When ASLR is disabled PIE binaries will load at ELF_ET_DYN_BASE address.
+On 32bit platforms AddressSanitzer uses addresses [0x20000000 - 0x40000000]
+for shadow memory [1]. So ASan doesn't work for PIE binaries when ASLR disabled
+as it fails to map shadow memory.
+Also after Kees's 'split ET_DYN ASLR from mmap ASLR' patchset PIE binaries
+has a high chance of loading somewhere in between [0x2a000000 - 0x40000000]
+even if ASLR enabled. This makes ASan with PIE absolutely incompatible.
+
+Fix overflow by dividing TASK_SIZE prior to multiplying.
+After this patch ELF_ET_DYN_BASE equals to (for CONFIG_VMSPLIT_3G=y):
+       (TASK_SIZE / 3 * 2) = 0x7f555554
+
+[1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm#Mapping
+
+Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
+Reported-by: Maria Guseva <m.guseva@samsung.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/include/asm/elf.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/include/asm/elf.h
++++ b/arch/arm/include/asm/elf.h
+@@ -114,7 +114,7 @@ int dump_task_regs(struct task_struct *t
+    the loader.  We need to make sure that it is out of the way of the program
+    that it will "exec", and that there is sufficient room for the brk.  */
+-#define ELF_ET_DYN_BASE       (2 * TASK_SIZE / 3)
++#define ELF_ET_DYN_BASE       (TASK_SIZE / 3 * 2)
+ /* When the program starts, a1 contains a pointer to a function to be 
+    registered with atexit, as per the SVR4 ABI.  A value of 0 means we 
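Review bot: The new definition `#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)` depends on operand order to stay within 32 bits, but nothing in the header says so. A later cleanup could restore the overflowing `2 * TASK_SIZE / 3` form and silently move the load base for PIE binaries again. I would extend the comment above the macro with a line such as `Divide before multiplying: 2 * TASK_SIZE overflows 32 bits with a 3G/1G split.` The comment block that precedes the macro starts outside the hunk.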
diff --git a/queue-3.14/arm-at91-dt-sama5d3-xplained-add-phy-address-for-macb1.patch b/queue-3.14/arm-at91-dt-sama5d3-xplained-add-phy-address-for-macb1.patch
new file mode 100644 (file)
index 0000000..0663bf0
--- /dev/null
@@ -0,0 +1,41 @@
+From 98b80987c940956da48f0c703f60340128bb8521 Mon Sep 17 00:00:00 2001
+From: Nicolas Ferre <nicolas.ferre@atmel.com>
+Date: Tue, 31 Mar 2015 10:56:10 +0200
+Subject: ARM: at91/dt: sama5d3 xplained: add phy address for macb1
+
+From: Nicolas Ferre <nicolas.ferre@atmel.com>
+
+commit 98b80987c940956da48f0c703f60340128bb8521 upstream.
+
+After 57a38effa598 (net: phy: micrel: disable broadcast for KSZ8081/KSZ8091)
+the macb1 interface refuses to work properly because it tries
+to cling to address 0 which isn't able to communicate in broadcast with
+the mac anymore. The micrel phy on the board is actually configured
+to show up at address 1.
+Adding the phy node and its real address fixes the issue.
+
+Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
+Cc: Johan Hovold <johan@kernel.org>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/at91-sama5d3_xplained.dts |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/arm/boot/dts/at91-sama5d3_xplained.dts
++++ b/arch/arm/boot/dts/at91-sama5d3_xplained.dts
+@@ -107,7 +107,13 @@
+                       macb1: ethernet@f802c000 {
+                               phy-mode = "rmii";
++                              #address-cells = <1>;
++                              #size-cells = <0>;
+                               status = "okay";
++
++                              ethernet-phy@1 {
++                                      reg = <0x1>;
++                              };
+                       };
+                       dbgu: serial@ffffee00 {
diff --git a/queue-3.14/arm-dts-dove-fix-uart-reg-property.patch b/queue-3.14/arm-dts-dove-fix-uart-reg-property.patch
new file mode 100644 (file)
index 0000000..a6ae914
--- /dev/null
@@ -0,0 +1,41 @@
+From a74cd13b807029397f7232449df929bac11fb228 Mon Sep 17 00:00:00 2001
+From: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
+Date: Tue, 17 Feb 2015 19:52:04 +0100
+Subject: ARM: dts: dove: Fix uart[23] reg property
+
+From: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
+
+commit a74cd13b807029397f7232449df929bac11fb228 upstream.
+
+Fix Dove's register addresses of uart2 and uart3 nodes that seem to
+be broken since ages due to a copy-and-paste error.
+
+Signed-off-by: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
+Acked-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/dove.dtsi |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/dove.dtsi
++++ b/arch/arm/boot/dts/dove.dtsi
+@@ -154,7 +154,7 @@
+                       uart2: serial@12200 {
+                               compatible = "ns16550a";
+-                              reg = <0x12000 0x100>;
++                              reg = <0x12200 0x100>;
+                               reg-shift = <2>;
+                               interrupts = <9>;
+                               clocks = <&core_clk 0>;
+@@ -163,7 +163,7 @@
+                       uart3: serial@12300 {
+                               compatible = "ns16550a";
+-                              reg = <0x12100 0x100>;
++                              reg = <0x12300 0x100>;
+                               reg-shift = <2>;
+                               interrupts = <10>;
+                               clocks = <&core_clk 0>;
diff --git a/queue-3.14/arm-s3c64xx-use-fixed-irq-bases-to-avoid-conflicts-on-cragganmore.patch b/queue-3.14/arm-s3c64xx-use-fixed-irq-bases-to-avoid-conflicts-on-cragganmore.patch
new file mode 100644 (file)
index 0000000..8899807
--- /dev/null
@@ -0,0 +1,43 @@
+From 4e330ae4ab2915444f1e6dca1358a910aa259362 Mon Sep 17 00:00:00 2001
+From: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
+Date: Fri, 27 Mar 2015 01:58:08 +0900
+Subject: ARM: S3C64XX: Use fixed IRQ bases to avoid conflicts on Cragganmore
+
+From: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
+
+commit 4e330ae4ab2915444f1e6dca1358a910aa259362 upstream.
+
+There are two PMICs on Cragganmore, currently one dynamically assign
+its IRQ base and the other uses a fixed base. It is possible for the
+statically assigned PMIC to fail if its IRQ is taken by the dynamically
+assigned one. Fix this by statically assigning both the IRQ bases.
+
+Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
+Signed-off-by: Kukjin Kim <kgene@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-s3c64xx/crag6410.h      |    1 +
+ arch/arm/mach-s3c64xx/mach-crag6410.c |    1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/arch/arm/mach-s3c64xx/crag6410.h
++++ b/arch/arm/mach-s3c64xx/crag6410.h
+@@ -14,6 +14,7 @@
+ #include <mach/gpio-samsung.h>
+ #define GLENFARCLAS_PMIC_IRQ_BASE     IRQ_BOARD_START
++#define BANFF_PMIC_IRQ_BASE           (IRQ_BOARD_START + 64)
+ #define PCA935X_GPIO_BASE             GPIO_BOARD_START
+ #define CODEC_GPIO_BASE                       (GPIO_BOARD_START + 8)
+--- a/arch/arm/mach-s3c64xx/mach-crag6410.c
++++ b/arch/arm/mach-s3c64xx/mach-crag6410.c
+@@ -555,6 +555,7 @@ static struct wm831x_touch_pdata touch_p
+ static struct wm831x_pdata crag_pmic_pdata = {
+       .wm831x_num = 1,
++      .irq_base = BANFF_PMIC_IRQ_BASE,
+       .gpio_base = BANFF_PMIC_GPIO_BASE,
+       .soft_shutdown = true,
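Review bot: `BANFF_PMIC_IRQ_BASE` is placed at `IRQ_BOARD_START + 64` in crag6410.h without stating how many interrupts the device at `GLENFARCLAS_PMIC_IRQ_BASE` needs. The two fixed ranges only stay disjoint if that device uses at most 64 lines, which the hunk does not show. A short comment beside the define, for example `/* first PMIC owns IRQ_BOARD_START .. IRQ_BOARD_START + 63 */`, would let the next board change check it. The count should be confirmed against the PMIC driver before it is written down.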
diff --git a/queue-3.14/cdc-wdm-fix-endianness-bug-in-debug-statements.patch b/queue-3.14/cdc-wdm-fix-endianness-bug-in-debug-statements.patch
new file mode 100644 (file)
index 0000000..28c3ab7
--- /dev/null
@@ -0,0 +1,68 @@
+From 323ece54e0761198946ecd0c2091f1d2bfdfcb64 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.de>
+Date: Fri, 20 Mar 2015 14:29:34 +0100
+Subject: cdc-wdm: fix endianness bug in debug statements
+
+From: Oliver Neukum <oneukum@suse.de>
+
+commit 323ece54e0761198946ecd0c2091f1d2bfdfcb64 upstream.
+
+Values directly from descriptors given in debug statements
+must be converted to native endianness.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-wdm.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -245,7 +245,7 @@ static void wdm_int_callback(struct urb
+       case USB_CDC_NOTIFY_RESPONSE_AVAILABLE:
+               dev_dbg(&desc->intf->dev,
+                       "NOTIFY_RESPONSE_AVAILABLE received: index %d len %d",
+-                      dr->wIndex, dr->wLength);
++                      le16_to_cpu(dr->wIndex), le16_to_cpu(dr->wLength));
+               break;
+       case USB_CDC_NOTIFY_NETWORK_CONNECTION:
+@@ -262,7 +262,9 @@ static void wdm_int_callback(struct urb
+               clear_bit(WDM_POLL_RUNNING, &desc->flags);
+               dev_err(&desc->intf->dev,
+                       "unknown notification %d received: index %d len %d\n",
+-                      dr->bNotificationType, dr->wIndex, dr->wLength);
++                      dr->bNotificationType,
++                      le16_to_cpu(dr->wIndex),
++                      le16_to_cpu(dr->wLength));
+               goto exit;
+       }
+@@ -408,7 +410,7 @@ static ssize_t wdm_write
+                            USB_RECIP_INTERFACE);
+       req->bRequest = USB_CDC_SEND_ENCAPSULATED_COMMAND;
+       req->wValue = 0;
+-      req->wIndex = desc->inum;
++      req->wIndex = desc->inum; /* already converted */
+       req->wLength = cpu_to_le16(count);
+       set_bit(WDM_IN_USE, &desc->flags);
+       desc->outbuf = buf;
+@@ -422,7 +424,7 @@ static ssize_t wdm_write
+               rv = usb_translate_errors(rv);
+       } else {
+               dev_dbg(&desc->intf->dev, "Tx URB has been submitted index=%d",
+-                      req->wIndex);
++                      le16_to_cpu(req->wIndex));
+       }
+ out:
+       usb_autopm_put_interface(desc->intf);
+@@ -820,7 +822,7 @@ static int wdm_create(struct usb_interfa
+       desc->irq->bRequestType = (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE);
+       desc->irq->bRequest = USB_CDC_GET_ENCAPSULATED_RESPONSE;
+       desc->irq->wValue = 0;
+-      desc->irq->wIndex = desc->inum;
++      desc->irq->wIndex = desc->inum; /* already converted */
+       desc->irq->wLength = cpu_to_le16(desc->wMaxCommand);
+       usb_fill_control_urb(
diff --git a/queue-3.14/compal-laptop-check-return-value-of-power_supply_register.patch b/queue-3.14/compal-laptop-check-return-value-of-power_supply_register.patch
new file mode 100644 (file)
index 0000000..3cb5823
--- /dev/null
@@ -0,0 +1,42 @@
+From 1915a718b1872edffcb13e5436a9f7302d3d36f0 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Date: Thu, 12 Mar 2015 08:44:00 +0100
+Subject: compal-laptop: Check return value of power_supply_register
+
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+
+commit 1915a718b1872edffcb13e5436a9f7302d3d36f0 upstream.
+
+The return value of power_supply_register() call was not checked and
+even on error probe() function returned 0. If registering failed then
+during unbind the driver tried to unregister power supply which was not
+actually registered.
+
+This could lead to memory corruption because power_supply_unregister()
+unconditionally cleans up given power supply.
+
+Fix this by checking return status of power_supply_register() call. In
+case of failure, clean up sysfs entries and fail the probe.
+
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Fixes: 9be0fcb5ed46 ("compal-laptop: add JHL90, battery & hwmon interface")
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/compal-laptop.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/compal-laptop.c
++++ b/drivers/platform/x86/compal-laptop.c
+@@ -1037,7 +1037,9 @@ static int compal_probe(struct platform_
+       /* Power supply */
+       initialize_power_supply_data(data);
+-      power_supply_register(&compal_device->dev, &data->psy);
++      err = power_supply_register(&compal_device->dev, &data->psy);
++      if (err < 0)
++              goto remove;
+       platform_set_drvdata(pdev, data);
diff --git a/queue-3.14/md-raid0-fix-bug-with-chunksize-not-a-power-of-2.patch b/queue-3.14/md-raid0-fix-bug-with-chunksize-not-a-power-of-2.patch
new file mode 100644 (file)
index 0000000..29a5612
--- /dev/null
@@ -0,0 +1,47 @@
+From 47d68979cc968535cb87f3e5f2e6a3533ea48fbd Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.de>
+Date: Fri, 10 Apr 2015 13:19:04 +1000
+Subject: md/raid0: fix bug with chunksize not a power of 2.
+
+From: NeilBrown <neilb@suse.de>
+
+commit 47d68979cc968535cb87f3e5f2e6a3533ea48fbd upstream.
+
+Since commit 20d0189b1012a37d2533a87fb451f7852f2418d1
+in v3.14-rc1 RAID0 has performed incorrect calculations
+when the chunksize is not a power of 2.
+
+This happens because "sector_div()" modifies its first argument, but
+this wasn't taken into account in the patch.
+
+So restore that first arg before re-using the variable.
+
+Reported-by: Joe Landman <joe.landman@gmail.com>
+Reported-by: Dave Chinner <david@fromorbit.com>
+Fixes: 20d0189b1012a37d2533a87fb451f7852f2418d1
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid0.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid0.c
++++ b/drivers/md/raid0.c
+@@ -320,7 +320,7 @@ static struct strip_zone *find_zone(stru
+ /*
+  * remaps the bio to the target device. we separate two flows.
+- * power 2 flow and a general flow for the sake of perfromance
++ * power 2 flow and a general flow for the sake of performance
+ */
+ static struct md_rdev *map_sector(struct mddev *mddev, struct strip_zone *zone,
+                               sector_t sector, sector_t *sector_offset)
+@@ -538,6 +538,7 @@ static void raid0_make_request(struct md
+                       split = bio;
+               }
++              sector = bio->bi_iter.bi_sector;
+               zone = find_zone(mddev->private, &sector);
+               tmp_dev = map_sector(mddev, zone, sector, &sector);
+               split->bi_bdev = tmp_dev->bdev;
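Review bot: The added `sector = bio->bi_iter.bi_sector;` in raid0_make_request carries no comment, so it reads like a redundant reload that a later cleanup could remove and bring back the wrong mapping. The patch description gives the reason (sector_div() modifies its first argument), and that reason belongs next to the line: `/* sector_div() above modified 'sector'; reload it before find_zone() */`. The sector_div() call is outside the hunk, so the wording should be checked against the code above it.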
diff --git a/queue-3.14/nfs-fix-bug-crash-in-notify_change-with-patch-to-chown_common.patch b/queue-3.14/nfs-fix-bug-crash-in-notify_change-with-patch-to-chown_common.patch
new file mode 100644 (file)
index 0000000..0ae9b11
--- /dev/null
@@ -0,0 +1,66 @@
+From c1b8940b42bb6487b10f2267a96b486276ce9ff7 Mon Sep 17 00:00:00 2001
+From: Andrew Elble <aweits@rit.edu>
+Date: Mon, 23 Feb 2015 08:51:24 -0500
+Subject: NFS: fix BUG() crash in notify_change() with patch to chown_common()
+
+From: Andrew Elble <aweits@rit.edu>
+
+commit c1b8940b42bb6487b10f2267a96b486276ce9ff7 upstream.
+
+We have observed a BUG() crash in fs/attr.c:notify_change(). The crash
+occurs during an rsync into a filesystem that is exported via NFS.
+
+1.) fs/attr.c:notify_change() modifies the caller's version of attr.
+2.) 6de0ec00ba8d ("VFS: make notify_change pass ATTR_KILL_S*ID to
+    setattr operations") introduced a BUG() restriction such that "no
+    function will ever call notify_change() with both ATTR_MODE and
+    ATTR_KILL_S*ID set". Under some circumstances though, it will have
+    assisted in setting the caller's version of attr to this very
+    combination.
+3.) 27ac0ffeac80 ("locks: break delegations on any attribute
+    modification") introduced code to handle breaking
+    delegations. This can result in notify_change() being re-called. attr
+    _must_ be explicitly reset to avoid triggering the BUG() established
+    in #2.
+4.) The path that that triggers this is via fs/open.c:chmod_common().
+    The combination of attr flags set here and in the first call to
+    notify_change() along with a later failed break_deleg_wait()
+    results in notify_change() being called again via retry_deleg
+    without resetting attr.
+
+Solution is to move retry_deleg in chmod_common() a bit further up to
+ensure attr is completely reset.
+
+There are other places where this seemingly could occur, such as
+fs/utimes.c:utimes_common(), but the attr flags are not initially
+set in such a way to trigger this.
+
+Fixes: 27ac0ffeac80 ("locks: break delegations on any attribute modification")
+Reported-by: Eric Meddaugh <etmsys@rit.edu>
+Tested-by: Eric Meddaugh <etmsys@rit.edu>
+Signed-off-by: Andrew Elble <aweits@rit.edu>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/open.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/open.c
++++ b/fs/open.c
+@@ -539,6 +539,7 @@ static int chown_common(struct path *pat
+       uid = make_kuid(current_user_ns(), user);
+       gid = make_kgid(current_user_ns(), group);
++retry_deleg:
+       newattrs.ia_valid =  ATTR_CTIME;
+       if (user != (uid_t) -1) {
+               if (!uid_valid(uid))
+@@ -555,7 +556,6 @@ static int chown_common(struct path *pat
+       if (!S_ISDIR(inode->i_mode))
+               newattrs.ia_valid |=
+                       ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
+-retry_deleg:
+       mutex_lock(&inode->i_mutex);
+       error = security_path_chown(path, uid, gid);
+       if (!error)
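Review bot: The patch description names `fs/open.c:chmod_common()` in item 4 and in the solution paragraph, while the hunk moves `retry_deleg:` inside `chown_common()`. A bracketed backport note in the stable description would point readers at the function that actually changes. At the new label position a one-line comment such as `/* rebuild newattrs on every retry: notify_change() modifies it */` would explain why the label sits above the `ia_valid` initialisation rather than at `mutex_lock()`. The rest of chown_common(), including the `goto retry_deleg`, lies outside the hunk.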
diff --git a/queue-3.14/power_supply-lp8788-charger-fix-leaked-power-supply-on-probe-fail.patch b/queue-3.14/power_supply-lp8788-charger-fix-leaked-power-supply-on-probe-fail.patch
new file mode 100644 (file)
index 0000000..b3996b0
--- /dev/null
@@ -0,0 +1,36 @@
+From a7117f81e8391e035c49b3440792f7e6cea28173 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Date: Fri, 20 Feb 2015 14:32:25 +0100
+Subject: power_supply: lp8788-charger: Fix leaked power supply on probe fail
+
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+
+commit a7117f81e8391e035c49b3440792f7e6cea28173 upstream.
+
+Driver forgot to unregister charger power supply if registering of
+battery supply failed in probe(). In such case the memory associated
+with power supply leaked.
+
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Fixes: 98a276649358 ("power_supply: Add new lp8788 charger driver")
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/lp8788-charger.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/power/lp8788-charger.c
++++ b/drivers/power/lp8788-charger.c
+@@ -417,8 +417,10 @@ static int lp8788_psy_register(struct pl
+       pchg->battery.num_properties = ARRAY_SIZE(lp8788_battery_prop);
+       pchg->battery.get_property = lp8788_battery_get_property;
+-      if (power_supply_register(&pdev->dev, &pchg->battery))
++      if (power_supply_register(&pdev->dev, &pchg->battery)) {
++              power_supply_unregister(&pchg->charger);
+               return -EPERM;
++      }
+       return 0;
+ }
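Review bot: The failure branch in lp8788_psy_register still returns a fixed `-EPERM`, so the error code from power_supply_register() for the battery supply is discarded. The caller then sees a permission error whatever the real cause. Keeping the result preserves it: `ret = power_supply_register(&pdev->dev, &pchg->battery);` followed by `if (ret) { power_supply_unregister(&pchg->charger); return ret; }`. The function starts outside the hunk, so whether a suitable local already exists needs checking.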
diff --git a/queue-3.14/power_supply-twl4030_madc-check-return-value-of-power_supply_register.patch b/queue-3.14/power_supply-twl4030_madc-check-return-value-of-power_supply_register.patch
new file mode 100644 (file)
index 0000000..1b205d4
--- /dev/null
@@ -0,0 +1,50 @@
+From 68c3ed6fa7e0d69529ced772d650ab128916a81d Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Date: Fri, 20 Feb 2015 14:32:22 +0100
+Subject: power_supply: twl4030_madc: Check return value of power_supply_register
+
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+
+commit 68c3ed6fa7e0d69529ced772d650ab128916a81d upstream.
+
+The return value of power_supply_register() call was not checked and
+even on error probe() function returned 0. If registering failed then
+during unbind the driver tried to unregister power supply which was not
+actually registered.
+
+This could lead to memory corruption because power_supply_unregister()
+unconditionally cleans up given power supply.
+
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Fixes: da0a00ebc239 ("power: Add twl4030_madc battery driver.")
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/twl4030_madc_battery.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/power/twl4030_madc_battery.c
++++ b/drivers/power/twl4030_madc_battery.c
+@@ -192,6 +192,7 @@ static int twl4030_madc_battery_probe(st
+ {
+       struct twl4030_madc_battery *twl4030_madc_bat;
+       struct twl4030_madc_bat_platform_data *pdata = pdev->dev.platform_data;
++      int ret = 0;
+       twl4030_madc_bat = kzalloc(sizeof(*twl4030_madc_bat), GFP_KERNEL);
+       if (!twl4030_madc_bat)
+@@ -216,9 +217,11 @@ static int twl4030_madc_battery_probe(st
+       twl4030_madc_bat->pdata = pdata;
+       platform_set_drvdata(pdev, twl4030_madc_bat);
+-      power_supply_register(&pdev->dev, &twl4030_madc_bat->psy);
++      ret = power_supply_register(&pdev->dev, &twl4030_madc_bat->psy);
++      if (ret < 0)
++              kfree(twl4030_madc_bat);
+-      return 0;
++      return ret;
+ }
+ static int twl4030_madc_battery_remove(struct platform_device *pdev)
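Review bot: On registration failure twl4030_madc_battery_probe calls `kfree(twl4030_madc_bat)` after `platform_set_drvdata(pdev, twl4030_madc_bat)` has already stored that pointer. The driver data therefore still holds a freed pointer when probe returns the error. Moving `platform_set_drvdata()` below the `ret < 0` check, or clearing it before the `kfree()`, removes the reliance on the driver core to reset it. Only part of the function is visible in the two hunks, so any other resources acquired between them should be checked for the same error path.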
diff --git a/queue-3.14/ring-buffer-replace-this_cpu_-with-__this_cpu_.patch b/queue-3.14/ring-buffer-replace-this_cpu_-with-__this_cpu_.patch
new file mode 100644 (file)
index 0000000..46c8189
--- /dev/null
@@ -0,0 +1,97 @@
+From 80a9b64e2c156b6523e7a01f2ba6e5d86e722814 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Tue, 17 Mar 2015 10:40:38 -0400
+Subject: ring-buffer: Replace this_cpu_*() with __this_cpu_*()
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 80a9b64e2c156b6523e7a01f2ba6e5d86e722814 upstream.
+
+It has come to my attention that this_cpu_read/write are horrible on
+architectures other than x86. Worse yet, they actually disable
+preemption or interrupts! This caused some unexpected tracing results
+on ARM.
+
+   101.356868: preempt_count_add <-ring_buffer_lock_reserve
+   101.356870: preempt_count_sub <-ring_buffer_lock_reserve
+
+The ring_buffer_lock_reserve has recursion protection that requires
+accessing a per cpu variable. But since preempt_disable() is traced, it
+too got traced while accessing the variable that is suppose to prevent
+recursion like this.
+
+The generic version of this_cpu_read() and write() are:
+
+ #define this_cpu_generic_read(pcp)                                    \
+ ({    typeof(pcp) ret__;                                              \
+       preempt_disable();                                              \
+       ret__ = *this_cpu_ptr(&(pcp));                                  \
+       preempt_enable();                                               \
+       ret__;                                                          \
+ })
+
+ #define this_cpu_generic_to_op(pcp, val, op)                          \
+ do {                                                                  \
+       unsigned long flags;                                            \
+       raw_local_irq_save(flags);                                      \
+       *__this_cpu_ptr(&(pcp)) op val;                                 \
+       raw_local_irq_restore(flags);                                   \
+ } while (0)
+
+Which is unacceptable for locations that know they are within preempt
+disabled or interrupt disabled locations.
+
+Paul McKenney stated that __this_cpu_() versions produce much better code on
+other architectures than this_cpu_() does, if we know that the call is done in
+a preempt disabled location.
+
+I also changed the recursive_unlock() to use two local variables instead
+of accessing the per_cpu variable twice.
+
+Link: http://lkml.kernel.org/r/20150317114411.GE3589@linux.vnet.ibm.com
+Link: http://lkml.kernel.org/r/20150317104038.312e73d1@gandalf.local.home
+
+Acked-by: Christoph Lameter <cl@linux.com>
+Reported-by: Uwe Kleine-Koenig <u.kleine-koenig@pengutronix.de>
+Tested-by: Uwe Kleine-Koenig <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ring_buffer.c |   11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -2651,7 +2651,7 @@ static DEFINE_PER_CPU(unsigned int, curr
+ static __always_inline int trace_recursive_lock(void)
+ {
+-      unsigned int val = this_cpu_read(current_context);
++      unsigned int val = __this_cpu_read(current_context);
+       int bit;
+       if (in_interrupt()) {
+@@ -2668,18 +2668,17 @@ static __always_inline int trace_recursi
+               return 1;
+       val |= (1 << bit);
+-      this_cpu_write(current_context, val);
++      __this_cpu_write(current_context, val);
+       return 0;
+ }
+ static __always_inline void trace_recursive_unlock(void)
+ {
+-      unsigned int val = this_cpu_read(current_context);
++      unsigned int val = __this_cpu_read(current_context);
+-      val--;
+-      val &= this_cpu_read(current_context);
+-      this_cpu_write(current_context, val);
++      val &= val & (val - 1);
++      __this_cpu_write(current_context, val);
+ }
+ #else
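Review bot: In trace_recursive_unlock the new statement `val &= val & (val - 1);` applies the mask twice; `val &= val - 1;` clears the lowest set bit with the same result and reads more plainly. The switch to `__this_cpu_read()`/`__this_cpu_write()` is only correct where preemption is already disabled, which the description states but the code does not. A comment on both helpers such as `/* caller must have preemption disabled */` would record that requirement. The callers are outside the hunk.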
index c133f2623efb8b7688eaf88c535278ae761e48d6..2800641d70956e84d71893310090951518eda3ff 100644 (file)
@@ -13,3 +13,17 @@ kvm-s390-zero-out-current-vmdb-of-stsi-before-including-level3-data.patch
 s390-hibernate-fix-save-and-restore-of-kernel-text-section.patch
 kvm-use-slowpath-for-cross-page-cached-accesses.patch
 mips-hibernate-flush-tlb-entries-earlier.patch
+md-raid0-fix-bug-with-chunksize-not-a-power-of-2.patch
+cdc-wdm-fix-endianness-bug-in-debug-statements.patch
+spi-spidev-fix-possible-arithmetic-overflow-for-multi-transfer-message.patch
+compal-laptop-check-return-value-of-power_supply_register.patch
+ring-buffer-replace-this_cpu_-with-__this_cpu_.patch
+power_supply-twl4030_madc-check-return-value-of-power_supply_register.patch
+power_supply-lp8788-charger-fix-leaked-power-supply-on-probe-fail.patch
+nfs-fix-bug-crash-in-notify_change-with-patch-to-chown_common.patch
+arm-8320-1-fix-integer-overflow-in-elf_et_dyn_base.patch
+arm-s3c64xx-use-fixed-irq-bases-to-avoid-conflicts-on-cragganmore.patch
+arm-at91-dt-sama5d3-xplained-add-phy-address-for-macb1.patch
+arm-dts-dove-fix-uart-reg-property.patch
+usb-phy-find-the-right-match-in-devm_usb_phy_match.patch
+usb-define-a-generic-usb_resume_timeout-macro.patch
diff --git a/queue-3.14/spi-spidev-fix-possible-arithmetic-overflow-for-multi-transfer-message.patch b/queue-3.14/spi-spidev-fix-possible-arithmetic-overflow-for-multi-transfer-message.patch
new file mode 100644 (file)
index 0000000..f48a9dc
--- /dev/null
@@ -0,0 +1,45 @@
+From f20fbaad7620af2df36a1f9d1c9ecf48ead5b747 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 23 Mar 2015 17:50:27 +0000
+Subject: spi: spidev: fix possible arithmetic overflow for multi-transfer message
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit f20fbaad7620af2df36a1f9d1c9ecf48ead5b747 upstream.
+
+`spidev_message()` sums the lengths of the individual SPI transfers to
+determine the overall SPI message length.  It restricts the total
+length, returning an error if too long, but it does not check for
+arithmetic overflow.  For example, if the SPI message consisted of two
+transfers and the first has a length of 10 and the second has a length
+of (__u32)(-1), the total length would be seen as 9, even though the
+second transfer is actually very long.  If the second transfer specifies
+a null `rx_buf` and a non-null `tx_buf`, the `copy_from_user()` could
+overrun the spidev's pre-allocated tx buffer before it reaches an
+invalid user memory address.  Fix it by checking that neither the total
+nor the individual transfer lengths exceed the maximum allowed value.
+
+Thanks to Dan Carpenter for reporting the potential integer overflow.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spidev.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spidev.c
++++ b/drivers/spi/spidev.c
+@@ -243,7 +243,10 @@ static int spidev_message(struct spidev_
+               k_tmp->len = u_tmp->len;
+               total += k_tmp->len;
+-              if (total > bufsiz) {
++              /* Check total length of transfers.  Also check each
++               * transfer length to avoid arithmetic overflow.
++               */
++              if (total > bufsiz || k_tmp->len > bufsiz) {
+                       status = -EMSGSIZE;
+                       goto done;
+               }
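Review bot: The combined test in spidev_message runs after `total += k_tmp->len`, so it is only overflow-safe while `bufsiz` is at most half the range of `total`. With a larger `bufsiz`, two transfers that each pass `k_tmp->len > bufsiz` can still wrap the sum and slip under the limit. Checking before accumulating removes that dependency: `if (k_tmp->len > bufsiz || total > bufsiz - k_tmp->len) {` with `total += k_tmp->len;` moved after the check. The declarations of `total` and `bufsiz` are outside the hunk, so their types and the permitted range of `bufsiz` should be confirmed.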
diff --git a/queue-3.14/usb-define-a-generic-usb_resume_timeout-macro.patch b/queue-3.14/usb-define-a-generic-usb_resume_timeout-macro.patch
new file mode 100644 (file)
index 0000000..896179e
--- /dev/null
@@ -0,0 +1,84 @@
+From 62f0342de1f012f3e90607d39e20fce811391169 Mon Sep 17 00:00:00 2001
+From: Felipe Balbi <balbi@ti.com>
+Date: Fri, 13 Feb 2015 14:34:25 -0600
+Subject: usb: define a generic USB_RESUME_TIMEOUT macro
+
+From: Felipe Balbi <balbi@ti.com>
+
+commit 62f0342de1f012f3e90607d39e20fce811391169 upstream.
+
+Every USB Host controller should use this new
+macro to define for how long resume signalling
+should be driven on the bus.
+
+Currently, almost every single USB controller
+is using a 20ms timeout for resume signalling.
+
+That's problematic for two reasons:
+
+a) sometimes that 20ms timer expires a little
+before 20ms, which makes us fail certification
+
+b) some (many) devices actually need more than
+20ms resume signalling.
+
+Sure, in case of (b) we can state that the device
+is against the USB spec, but the fact is that
+we have no control over which device the certification
+lab will use. We also have no control over which host
+they will use. Most likely they'll be using a Windows
+PC which, again, we have no control over how that
+USB stack is written and how long resume signalling
+they are using.
+
+At the end of the day, we must make sure Linux passes
+electrical compliance when working as Host or as Device
+and currently we don't pass compliance as host because
+we're driving resume signallig for exactly 20ms and
+that confuses certification test setup resulting in
+Certification failure.
+
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Peter Chen <peter.chen@freescale.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/usb.h |   26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -206,6 +206,32 @@ void usb_put_intf(struct usb_interface *
+ #define USB_MAXINTERFACES     32
+ #define USB_MAXIADS           (USB_MAXINTERFACES/2)
++/*
++ * USB Resume Timer: Every Host controller driver should drive the resume
++ * signalling on the bus for the amount of time defined by this macro.
++ *
++ * That way we will have a 'stable' behavior among all HCDs supported by Linux.
++ *
++ * Note that the USB Specification states we should drive resume for *at least*
++ * 20 ms, but it doesn't give an upper bound. This creates two possible
++ * situations which we want to avoid:
++ *
++ * (a) sometimes an msleep(20) might expire slightly before 20 ms, which causes
++ * us to fail USB Electrical Tests, thus failing Certification
++ *
++ * (b) Some (many) devices actually need more than 20 ms of resume signalling,
++ * and while we can argue that's against the USB Specification, we don't have
++ * control over which devices a certification laboratory will be using for
++ * certification. If CertLab uses a device which was tested against Windows and
++ * that happens to have relaxed resume signalling rules, we might fall into
++ * situations where we fail interoperability and electrical tests.
++ *
++ * In order to avoid both conditions, we're using a 40 ms resume timeout, which
++ * should cope with both LPJ calibration errors and devices not following every
++ * detail of the USB Specification.
++ */
++#define USB_RESUME_TIMEOUT    40 /* ms */
++
+ /**
+  * struct usb_interface_cache - long-term representation of a device interface
+  * @num_altsetting: number of altsettings defined.
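Review bot: The closing paragraph of the new comment credits the 40 ms value with absorbing "LPJ calibration errors", while case (a) blames `msleep(20)` expiring early. These are different delay mechanisms, since loops-per-jiffy calibration governs the busy-wait delays rather than timer-based sleeps, so the comment should name the one that actually applies. The macro also carries its unit only in a trailing comment, so a sentence such as `Callers pass this to msleep() or msecs_to_jiffies().` would make the intended use explicit. No user of `USB_RESUME_TIMEOUT` appears in this hunk, so how host controller drivers consume it cannot be checked here.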
diff --git a/queue-3.14/usb-phy-find-the-right-match-in-devm_usb_phy_match.patch b/queue-3.14/usb-phy-find-the-right-match-in-devm_usb_phy_match.patch
new file mode 100644 (file)
index 0000000..a8c3e17
--- /dev/null
@@ -0,0 +1,35 @@
+From 869aee0f31429fa9d94d5aef539602b73ae0cf4b Mon Sep 17 00:00:00 2001
+From: Axel Lin <axel.lin@ingics.com>
+Date: Thu, 12 Mar 2015 09:15:28 +0800
+Subject: usb: phy: Find the right match in devm_usb_phy_match
+
+From: Axel Lin <axel.lin@ingics.com>
+
+commit 869aee0f31429fa9d94d5aef539602b73ae0cf4b upstream.
+
+The res parameter passed to devm_usb_phy_match() is the location where the
+pointer to the usb_phy is stored, hence it needs to be dereferenced before
+comparing to the match data in order to find the correct match.
+
+Fixes: 410219dcd2ba ("usb: otg: utils: devres: Add API's to associate a device with the phy")
+Signed-off-by: Axel Lin <axel.lin@ingics.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/phy/phy.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/phy/phy.c
++++ b/drivers/usb/phy/phy.c
+@@ -78,7 +78,9 @@ static void devm_usb_phy_release(struct
+ static int devm_usb_phy_match(struct device *dev, void *res, void *match_data)
+ {
+-      return res == match_data;
++      struct usb_phy **phy = res;
++
++      return *phy == match_data;
+ }
+ /**
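Review bot: `devm_usb_phy_match()` still has no comment saying what `res` points at, which is exactly what the old `res == match_data` comparison got wrong. A one-line comment above the new declaration, for example `/* res is the devres slot that stores the struct usb_phy *, not the phy itself */`, would keep the next reader from repeating the mistake. The dereference assumes the slot was filled before any match is attempted. The code that fills it is not in this hunk, so that is worth confirming against the registration path.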