--- /dev/null
+From 7f518ad0a212e2a6fd68630e176af1de395070a7 Mon Sep 17 00:00:00 2001
+From: Joe Thornber <ejt@redhat.com>
+Date: Wed, 12 Aug 2015 15:10:21 +0100
+Subject: dm thin metadata: delete btrees when releasing metadata snapshot
+
+From: Joe Thornber <ejt@redhat.com>
+
+commit 7f518ad0a212e2a6fd68630e176af1de395070a7 upstream.
+
+The device details and mapping trees were just being decremented
+before. Now btree_del() is called to do a deep delete.
+
+Signed-off-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-thin-metadata.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-thin-metadata.c
++++ b/drivers/md/dm-thin-metadata.c
+@@ -1295,8 +1295,8 @@ static int __release_metadata_snap(struc
+ return r;
+
+ disk_super = dm_block_data(copy);
+- dm_sm_dec_block(pmd->metadata_sm, le64_to_cpu(disk_super->data_mapping_root));
+- dm_sm_dec_block(pmd->metadata_sm, le64_to_cpu(disk_super->device_details_root));
++ dm_btree_del(&pmd->info, le64_to_cpu(disk_super->data_mapping_root));
++ dm_btree_del(&pmd->details_info, le64_to_cpu(disk_super->device_details_root));
+ dm_sm_dec_block(pmd->metadata_sm, held_root);
+
+ return dm_tm_unlock(pmd->tm, copy);
--- /dev/null
+From e037239e5e7b61007763984aa35a8329596d8c88 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 10 Aug 2015 15:28:49 -0400
+Subject: drm/radeon: add new OLAND pci id
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit e037239e5e7b61007763984aa35a8329596d8c88 upstream.
+
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/drm/drm_pciids.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/drm/drm_pciids.h
++++ b/include/drm/drm_pciids.h
+@@ -172,6 +172,7 @@
+ {0x1002, 0x6610, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x6611, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x6613, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_NEW_MEMMAP}, \
++ {0x1002, 0x6617, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x6620, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x6621, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x6623, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
--- /dev/null
+From 3e04e2fe6d87807d27521ad6ebb9e7919d628f25 Mon Sep 17 00:00:00 2001
+From: Thomas Hellstrom <thellstrom@vmware.com>
+Date: Tue, 11 Aug 2015 22:31:17 -0700
+Subject: drm/vmwgfx: Fix execbuf locking issues
+
+From: Thomas Hellstrom <thellstrom@vmware.com>
+
+commit 3e04e2fe6d87807d27521ad6ebb9e7919d628f25 upstream.
+
+This addresses two issues that cause problems with viewperf maya-03 in
+situation with memory pressure.
+
+The first issue causes attempts to unreserve buffers if batched
+reservation fails due to, for example, a signal pending. While previously
+the ttm_eu api was resistant against this type of error, it is no longer
+and the lockdep code will complain about attempting to unreserve buffers
+that are not reserved. The issue is resolved by avoid calling
+ttm_eu_backoff_reservation in the buffer reserve error path.
+
+The second issue is that the binding_mutex may be held when user-space
+fence objects are created and hence during memory reclaims. This may cause
+recursive attempts to grab the binding mutex. The issue is resolved by not
+holding the binding mutex across fence creation and submission.
+
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Reviewed-by: Sinclair Yeh <syeh@vmware.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+@@ -2492,7 +2492,7 @@ int vmw_execbuf_process(struct drm_file
+ ret = ttm_eu_reserve_buffers(&ticket, &sw_context->validate_nodes,
+ true, NULL);
+ if (unlikely(ret != 0))
+- goto out_err;
++ goto out_err_nores;
+
+ ret = vmw_validate_buffers(dev_priv, sw_context);
+ if (unlikely(ret != 0))
+@@ -2536,6 +2536,7 @@ int vmw_execbuf_process(struct drm_file
+ vmw_resource_relocations_free(&sw_context->res_relocations);
+
+ vmw_fifo_commit(dev_priv, command_size);
++ mutex_unlock(&dev_priv->binding_mutex);
+
+ vmw_query_bo_switch_commit(dev_priv, sw_context);
+ ret = vmw_execbuf_fence_commands(file_priv, dev_priv,
+@@ -2551,7 +2552,6 @@ int vmw_execbuf_process(struct drm_file
+ DRM_ERROR("Fence submission error. Syncing.\n");
+
+ vmw_resource_list_unreserve(&sw_context->resource_list, false);
+- mutex_unlock(&dev_priv->binding_mutex);
+
+ ttm_eu_fence_buffer_objects(&ticket, &sw_context->validate_nodes,
+ (void *) fence);
--- /dev/null
+From 5c16179b550b9fd8114637a56b153c9768ea06a5 Mon Sep 17 00:00:00 2001
+From: Michael Walle <michael@walle.cc>
+Date: Tue, 21 Jul 2015 11:00:53 +0200
+Subject: EDAC, ppc4xx: Access mci->csrows array elements properly
+
+From: Michael Walle <michael@walle.cc>
+
+commit 5c16179b550b9fd8114637a56b153c9768ea06a5 upstream.
+
+The commit
+
+ de3910eb79ac ("edac: change the mem allocation scheme to
+ make Documentation/kobject.txt happy")
+
+changed the memory allocation for the csrows member. But ppc4xx_edac was
+forgotten in the patch. Fix it.
+
+Signed-off-by: Michael Walle <michael@walle.cc>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Cc: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Link: http://lkml.kernel.org/r/1437469253-8611-1-git-send-email-michael@walle.cc
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/ppc4xx_edac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/ppc4xx_edac.c
++++ b/drivers/edac/ppc4xx_edac.c
+@@ -920,7 +920,7 @@ static int ppc4xx_edac_init_csrows(struc
+ */
+
+ for (row = 0; row < mci->nr_csrows; row++) {
+- struct csrow_info *csi = &mci->csrows[row];
++ struct csrow_info *csi = mci->csrows[row];
+
+ /*
+ * Get the configuration settings for this
--- /dev/null
+From 0621809e37936e7c2b3eac9165cf2aad7f9189eb Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Date: Mon, 3 Aug 2015 14:57:30 +0900
+Subject: HID: hid-input: Fix accessing freed memory during device disconnect
+
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+
+commit 0621809e37936e7c2b3eac9165cf2aad7f9189eb upstream.
+
+During unbinding the driver was dereferencing a pointer to memory
+already freed by power_supply_unregister().
+
+Driver was freeing its internal description of battery through pointers
+stored in power_supply structure. However, because the core owns the
+power supply instance, after calling power_supply_unregister() this
+memory is freed and the driver cannot access these members.
+
+Fix this by storing the pointer to internal description of battery in a
+local variable before calling power_supply_unregister(), so the pointer
+remains valid.
+
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Reported-by: H.J. Lu <hjl.tools@gmail.com>
+Fixes: 297d716f6260 ("power_supply: Change ownership from driver to core")
+Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-input.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -462,12 +462,15 @@ out:
+
+ static void hidinput_cleanup_battery(struct hid_device *dev)
+ {
++ const struct power_supply_desc *psy_desc;
++
+ if (!dev->battery)
+ return;
+
++ psy_desc = dev->battery->desc;
+ power_supply_unregister(dev->battery);
+- kfree(dev->battery->desc->name);
+- kfree(dev->battery->desc);
++ kfree(psy_desc->name);
++ kfree(psy_desc);
+ dev->battery = NULL;
+ }
+ #else /* !CONFIG_HID_BATTERY_STRENGTH */
--- /dev/null
+From 4a8e70f5d0d80675fc17b9ba1e62db8ca6b91775 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 29 Jul 2015 13:16:06 +0300
+Subject: HID: uclogic: fix limit in uclogic_tablet_enable()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 4a8e70f5d0d80675fc17b9ba1e62db8ca6b91775 upstream.
+
+The limit should be ARRAY_SIZE(params) (5 elements) here instead of
+sizeof(params) (20 bytes).
+
+Fixes: 08177f40bd00 ('HID: uclogic: merge hid-huion driver in hid-uclogic')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Nikolai Kondrashov <spbnick@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-uclogic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-uclogic.c
++++ b/drivers/hid/hid-uclogic.c
+@@ -858,7 +858,7 @@ static int uclogic_tablet_enable(struct
+ for (p = drvdata->rdesc;
+ p <= drvdata->rdesc + drvdata->rsize - 4;) {
+ if (p[0] == 0xFE && p[1] == 0xED && p[2] == 0x1D &&
+- p[3] < sizeof(params)) {
++ p[3] < ARRAY_SIZE(params)) {
+ v = params[p[3]];
+ put_unaligned(cpu_to_le32(v), (s32 *)p);
+ p += 4;
--- /dev/null
+From c9fdec9f3970eeaa1b176422f46167f5f5158804 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Mon, 20 Jul 2015 12:14:39 +0300
+Subject: iwlwifi: pcie: fix prepare card flow
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit c9fdec9f3970eeaa1b176422f46167f5f5158804 upstream.
+
+When the card is not owned by the PCIe bus, we need to
+acquire ownership first. This flow is implemented in
+iwl_pcie_prepare_card_hw. Because of a hardware bug, we
+need to disable link power management before we can
+request ownership otherwise the other user of the device
+won't get notified that we are requesting the device which
+will prevent us from acquire ownership.
+
+Same holds for the down flow where we need to make sure
+that any other potential user is notified that the driver
+is going down.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
+@@ -457,10 +457,16 @@ static void iwl_pcie_apm_stop(struct iwl
+ if (trans->cfg->device_family == IWL_DEVICE_FAMILY_7000)
+ iwl_set_bits_prph(trans, APMG_PCIDEV_STT_REG,
+ APMG_PCIDEV_STT_VAL_WAKE_ME);
+- else if (trans->cfg->device_family == IWL_DEVICE_FAMILY_8000)
++ else if (trans->cfg->device_family == IWL_DEVICE_FAMILY_8000) {
++ iwl_set_bit(trans, CSR_DBG_LINK_PWR_MGMT_REG,
++ CSR_RESET_LINK_PWR_MGMT_DISABLED);
+ iwl_set_bit(trans, CSR_HW_IF_CONFIG_REG,
+ CSR_HW_IF_CONFIG_REG_PREPARE |
+ CSR_HW_IF_CONFIG_REG_ENABLE_PME);
++ mdelay(1);
++ iwl_clear_bit(trans, CSR_DBG_LINK_PWR_MGMT_REG,
++ CSR_RESET_LINK_PWR_MGMT_DISABLED);
++ }
+ mdelay(5);
+ }
+
+@@ -555,6 +561,10 @@ static int iwl_pcie_prepare_card_hw(stru
+ if (ret >= 0)
+ return 0;
+
++ iwl_set_bit(trans, CSR_DBG_LINK_PWR_MGMT_REG,
++ CSR_RESET_LINK_PWR_MGMT_DISABLED);
++ msleep(1);
++
+ for (iter = 0; iter < 10; iter++) {
+ /* If HW is not ready, prepare the conditions to check again */
+ iwl_set_bit(trans, CSR_HW_IF_CONFIG_REG,
+@@ -562,8 +572,10 @@ static int iwl_pcie_prepare_card_hw(stru
+
+ do {
+ ret = iwl_pcie_set_hw_ready(trans);
+- if (ret >= 0)
+- return 0;
++ if (ret >= 0) {
++ ret = 0;
++ goto out;
++ }
+
+ usleep_range(200, 1000);
+ t += 200;
+@@ -573,6 +585,10 @@ static int iwl_pcie_prepare_card_hw(stru
+
+ IWL_ERR(trans, "Couldn't prepare the card\n");
+
++out:
++ iwl_clear_bit(trans, CSR_DBG_LINK_PWR_MGMT_REG,
++ CSR_RESET_LINK_PWR_MGMT_DISABLED);
++
+ return ret;
+ }
+
--- /dev/null
+From c0ddc8c745b7f89c50385fd7aa03c78dc543fa7a Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Mon, 27 Jul 2015 00:06:55 +0200
+Subject: localmodconfig: Use Kbuild files too
+
+From: Richard Weinberger <richard@nod.at>
+
+commit c0ddc8c745b7f89c50385fd7aa03c78dc543fa7a upstream.
+
+In kbuild it is allowed to define objects in files named "Makefile"
+and "Kbuild".
+Currently localmodconfig reads objects only from "Makefile"s and misses
+modules like nouveau.
+
+Link: http://lkml.kernel.org/r/1437948415-16290-1-git-send-email-richard@nod.at
+
+Reported-and-tested-by: Leonidas Spyropoulos <artafinde@gmail.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/kconfig/streamline_config.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/kconfig/streamline_config.pl
++++ b/scripts/kconfig/streamline_config.pl
+@@ -137,7 +137,7 @@ my $ksource = ($ARGV[0] ? $ARGV[0] : '.'
+ my $kconfig = $ARGV[1];
+ my $lsmod_file = $ENV{'LSMOD'};
+
+-my @makefiles = `find $ksource -name Makefile 2>/dev/null`;
++my @makefiles = `find $ksource -name Makefile -or -name Kbuild 2>/dev/null`;
+ chomp @makefiles;
+
+ my %depends;
--- /dev/null
+From ee9397a6fb9bc4e52677f5e33eed4abee0f515e6 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 27 Jul 2015 00:31:08 +0100
+Subject: perf: Fix double-free of the AUX buffer
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit ee9397a6fb9bc4e52677f5e33eed4abee0f515e6 upstream.
+
+If rb->aux_refcount is decremented to zero before rb->refcount,
+__rb_free_aux() may be called twice resulting in a double free of
+rb->aux_pages. Fix this by adding a check to __rb_free_aux().
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 57ffc5ca679f ("perf: Fix AUX buffer refcounting")
+Link: http://lkml.kernel.org/r/1437953468.12842.17.camel@decadent.org.uk
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/ring_buffer.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/kernel/events/ring_buffer.c
++++ b/kernel/events/ring_buffer.c
+@@ -547,11 +547,13 @@ static void __rb_free_aux(struct ring_bu
+ rb->aux_priv = NULL;
+ }
+
+- for (pg = 0; pg < rb->aux_nr_pages; pg++)
+- rb_free_aux_page(rb, pg);
++ if (rb->aux_nr_pages) {
++ for (pg = 0; pg < rb->aux_nr_pages; pg++)
++ rb_free_aux_page(rb, pg);
+
+- kfree(rb->aux_pages);
+- rb->aux_nr_pages = 0;
++ kfree(rb->aux_pages);
++ rb->aux_nr_pages = 0;
++ }
+ }
+
+ void rb_free_aux(struct ring_buffer *rb)
--- /dev/null
+From fed66e2cdd4f127a43fd11b8d92a99bdd429528c Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 11 Jun 2015 10:32:01 +0200
+Subject: perf: Fix fasync handling on inherited events
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit fed66e2cdd4f127a43fd11b8d92a99bdd429528c upstream.
+
+Vince reported that the fasync signal stuff doesn't work proper for
+inherited events. So fix that.
+
+Installing fasync allocates memory and sets filp->f_flags |= FASYNC,
+which upon the demise of the file descriptor ensures the allocation is
+freed and state is updated.
+
+Now for perf, we can have the events stick around for a while after the
+original FD is dead because of references from child events. So we
+cannot copy the fasync pointer around. We can however consistently use
+the parent's fasync, as that will be updated.
+
+Reported-and-Tested-by: Vince Weaver <vincent.weaver@maine.edu>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Arnaldo Carvalho deMelo <acme@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: eranian@google.com
+Link: http://lkml.kernel.org/r/1434011521.1495.71.camel@twins
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/core.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -4766,12 +4766,20 @@ static const struct file_operations perf
+ * to user-space before waking everybody up.
+ */
+
++static inline struct fasync_struct **perf_event_fasync(struct perf_event *event)
++{
++ /* only the parent has fasync state */
++ if (event->parent)
++ event = event->parent;
++ return &event->fasync;
++}
++
+ void perf_event_wakeup(struct perf_event *event)
+ {
+ ring_buffer_wakeup(event);
+
+ if (event->pending_kill) {
+- kill_fasync(&event->fasync, SIGIO, event->pending_kill);
++ kill_fasync(perf_event_fasync(event), SIGIO, event->pending_kill);
+ event->pending_kill = 0;
+ }
+ }
+@@ -6117,7 +6125,7 @@ static int __perf_event_overflow(struct
+ else
+ perf_event_output(event, data, regs);
+
+- if (event->fasync && event->pending_kill) {
++ if (*perf_event_fasync(event) && event->pending_kill) {
+ event->pending_wakeup = 1;
+ irq_work_queue(&event->pending);
+ }
--- /dev/null
+From c7999c6f3fed9e383d3131474588f282ae6d56b9 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Tue, 4 Aug 2015 19:22:49 +0200
+Subject: perf: Fix PERF_EVENT_IOC_PERIOD migration race
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit c7999c6f3fed9e383d3131474588f282ae6d56b9 upstream.
+
+I ran the perf fuzzer, which triggered some WARN()s which are due to
+trying to stop/restart an event on the wrong CPU.
+
+Use the normal IPI pattern to ensure we run the code on the correct CPU.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: bad7192b842c ("perf: Fix PERF_EVENT_IOC_PERIOD to force-reset the period")
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/core.c | 75 +++++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 55 insertions(+), 20 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -3976,28 +3976,21 @@ static void perf_event_for_each(struct p
+ perf_event_for_each_child(sibling, func);
+ }
+
+-static int perf_event_period(struct perf_event *event, u64 __user *arg)
+-{
+- struct perf_event_context *ctx = event->ctx;
+- int ret = 0, active;
++struct period_event {
++ struct perf_event *event;
+ u64 value;
++};
+
+- if (!is_sampling_event(event))
+- return -EINVAL;
+-
+- if (copy_from_user(&value, arg, sizeof(value)))
+- return -EFAULT;
+-
+- if (!value)
+- return -EINVAL;
++static int __perf_event_period(void *info)
++{
++ struct period_event *pe = info;
++ struct perf_event *event = pe->event;
++ struct perf_event_context *ctx = event->ctx;
++ u64 value = pe->value;
++ bool active;
+
+- raw_spin_lock_irq(&ctx->lock);
++ raw_spin_lock(&ctx->lock);
+ if (event->attr.freq) {
+- if (value > sysctl_perf_event_sample_rate) {
+- ret = -EINVAL;
+- goto unlock;
+- }
+-
+ event->attr.sample_freq = value;
+ } else {
+ event->attr.sample_period = value;
+@@ -4016,11 +4009,53 @@ static int perf_event_period(struct perf
+ event->pmu->start(event, PERF_EF_RELOAD);
+ perf_pmu_enable(ctx->pmu);
+ }
++ raw_spin_unlock(&ctx->lock);
++
++ return 0;
++}
++
++static int perf_event_period(struct perf_event *event, u64 __user *arg)
++{
++ struct period_event pe = { .event = event, };
++ struct perf_event_context *ctx = event->ctx;
++ struct task_struct *task;
++ u64 value;
++
++ if (!is_sampling_event(event))
++ return -EINVAL;
++
++ if (copy_from_user(&value, arg, sizeof(value)))
++ return -EFAULT;
++
++ if (!value)
++ return -EINVAL;
++
++ if (event->attr.freq && value > sysctl_perf_event_sample_rate)
++ return -EINVAL;
++
++ task = ctx->task;
++ pe.value = value;
++
++ if (!task) {
++ cpu_function_call(event->cpu, __perf_event_period, &pe);
++ return 0;
++ }
++
++retry:
++ if (!task_function_call(task, __perf_event_period, &pe))
++ return 0;
++
++ raw_spin_lock_irq(&ctx->lock);
++ if (ctx->is_active) {
++ raw_spin_unlock_irq(&ctx->lock);
++ task = ctx->task;
++ goto retry;
++ }
+
+-unlock:
++ __perf_event_period(&pe);
+ raw_spin_unlock_irq(&ctx->lock);
+
+- return ret;
++ return 0;
+ }
+
+ static const struct file_operations perf_fops;
--- /dev/null
+From 00a2916f7f82c348a2a94dbb572874173bc308a3 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Mon, 27 Jul 2015 10:35:07 +0200
+Subject: perf: Fix running time accounting
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 00a2916f7f82c348a2a94dbb572874173bc308a3 upstream.
+
+A recent fix to the shadow timestamp inadvertly broke the running time
+accounting.
+
+We must not update the running timestamp if we fail to schedule the
+event, the event will not have ran. This can (and did) result in
+negative total runtime because the stopped timestamp was before the
+running timestamp (we 'started' but never stopped the event -- because
+it never really started we didn't have to stop it either).
+
+Reported-and-Tested-by: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: 72f669c0086f ("perf: Update shadow timestamp before add event")
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Shaohua Li <shli@fb.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -1886,8 +1886,6 @@ event_sched_in(struct perf_event *event,
+
+ perf_pmu_disable(event->pmu);
+
+- event->tstamp_running += tstamp - event->tstamp_stopped;
+-
+ perf_set_shadow_time(event, ctx, tstamp);
+
+ perf_log_itrace_start(event);
+@@ -1899,6 +1897,8 @@ event_sched_in(struct perf_event *event,
+ goto out;
+ }
+
++ event->tstamp_running += tstamp - event->tstamp_stopped;
++
+ if (!is_software_event(event))
+ cpuctx->active_oncpu++;
+ if (!ctx->nr_active++)
--- /dev/null
+From 7c62940165e9ae4004ce4e6b5117330bab94df68 Mon Sep 17 00:00:00 2001
+From: Luis Felipe Dominguez Vega <lfdominguez@nauta.cu>
+Date: Wed, 29 Jul 2015 21:11:20 -0500
+Subject: rtlwifi: Fix NULL dereference when PCI driver used as an AP
+
+From: Luis Felipe Dominguez Vega <lfdominguez@nauta.cu>
+
+commit 7c62940165e9ae4004ce4e6b5117330bab94df68 upstream.
+
+In commit 33511b157bbcebaef853cc1811992b664a2e5862 ("rtlwifi: add support to
+send beacon frame"), the mechanism for sending beacons was established. That
+patch works correctly for rtl8192cu, but there is a possibility of getting
+the following warnings in the PCI drivers:
+
+WARNING: CPU: 1 PID: 2439 at net/mac80211/driver-ops.h:12
+ieee80211_bss_info_change_notify+0x179/0x1d0 [mac80211]()
+wlp5s0: Failed check-sdata-in-driver check, flags: 0x0
+
+The warning is followed by a NULL pointer dereference as follows:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000006
+IP: [<ffffffffc073998e>] rtl_get_tcb_desc+0x5e/0x760 [rtlwifi]
+
+This problem was reported at http://thread.gmane.org/gmane.linux.kernel.wireless.general/138645,
+but no solution was found at that time.
+
+The problem was also reported at https://bugzilla.kernel.org/show_bug.cgi?id=9744
+and this solution was developed and tested there.
+
+The USB driver works with a NULL final argument in the adapter_tx() callback;
+however, the PCI drivers need a struct rtl_tcb_desc in that position.
+
+Fixes: 33511b157bbc ("rtlwifi: add support to send beacon frame.")
+Signed-off-by: Luis Felipe Dominguez Vega <lfdominguez@nauta.cu>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/core.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/rtlwifi/core.c
++++ b/drivers/net/wireless/rtlwifi/core.c
+@@ -1015,9 +1015,12 @@ static void send_beacon_frame(struct iee
+ {
+ struct rtl_priv *rtlpriv = rtl_priv(hw);
+ struct sk_buff *skb = ieee80211_beacon_get(hw, vif);
++ struct rtl_tcb_desc tcb_desc;
+
+- if (skb)
+- rtlpriv->intf_ops->adapter_tx(hw, NULL, skb, NULL);
++ if (skb) {
++ memset(&tcb_desc, 0, sizeof(struct rtl_tcb_desc));
++ rtlpriv->intf_ops->adapter_tx(hw, NULL, skb, &tcb_desc);
++ }
+ }
+
+ static void rtl_op_bss_info_changed(struct ieee80211_hw *hw,
--- /dev/null
+From 741e3b9902d11585e18bfc7f8d47e913616bb070 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Sun, 2 Aug 2015 13:24:13 -0500
+Subject: rtlwifi: rtl8723be: Add module parameter for MSI interrupts
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 741e3b9902d11585e18bfc7f8d47e913616bb070 upstream.
+
+The driver code allows for the disabling of MSI interrupts; however the
+module_parm line was missed and the option fails to show with modinfo.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8723be/sw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8723be/sw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8723be/sw.c
+@@ -385,6 +385,7 @@ module_param_named(debug, rtl8723be_mod_
+ module_param_named(ips, rtl8723be_mod_params.inactiveps, bool, 0444);
+ module_param_named(swlps, rtl8723be_mod_params.swctrl_lps, bool, 0444);
+ module_param_named(fwlps, rtl8723be_mod_params.fwctrl_lps, bool, 0444);
++module_param_named(msi, rtl8723be_mod_params.msi_support, bool, 0444);
+ module_param_named(disable_watchdog, rtl8723be_mod_params.disable_watchdog,
+ bool, 0444);
+ MODULE_PARM_DESC(swenc, "Set to 1 for software crypto (default 0)\n");
xen-blkfront-don-t-add-indirect-pages-to-list-when.patch
xen-blkback-replace-work_pending-with-work_busy-in-purge_persistent_gnt.patch
rsi-fix-failure-to-load-firmware-after-memory-leak-fix-and-fix-the-leak.patch
+perf-fix-fasync-handling-on-inherited-events.patch
+perf-fix-running-time-accounting.patch
+perf-fix-double-free-of-the-aux-buffer.patch
+perf-fix-perf_event_ioc_period-migration-race.patch
+iwlwifi-pcie-fix-prepare-card-flow.patch
+rtlwifi-rtl8723be-add-module-parameter-for-msi-interrupts.patch
+rtlwifi-fix-null-dereference-when-pci-driver-used-as-an-ap.patch
+x86-xen-build-xen-pv-apic-driver-for-domu-as-well.patch
+xen-xenbus-don-t-leak-memory-when-unmapping-the-ring-on-hvm-backend.patch
+dm-thin-metadata-delete-btrees-when-releasing-metadata-snapshot.patch
+localmodconfig-use-kbuild-files-too.patch
+edac-ppc4xx-access-mci-csrows-array-elements-properly.patch
+hid-hid-input-fix-accessing-freed-memory-during-device-disconnect.patch
+hid-uclogic-fix-limit-in-uclogic_tablet_enable.patch
+drm-radeon-add-new-oland-pci-id.patch
+drm-vmwgfx-fix-execbuf-locking-issues.patch
--- /dev/null
+From fc5fee86bdd3d720e2d1d324e4fae0c35845fa63 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Mon, 10 Aug 2015 15:40:27 +0200
+Subject: x86/xen: build "Xen PV" APIC driver for domU as well
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit fc5fee86bdd3d720e2d1d324e4fae0c35845fa63 upstream.
+
+It turns out that a PV domU also requires the "Xen PV" APIC
+driver. Otherwise, the flat driver is used and we get stuck in busy
+loops that never exit, such as in this stack trace:
+
+(gdb) target remote localhost:9999
+Remote debugging using localhost:9999
+__xapic_wait_icr_idle () at ./arch/x86/include/asm/ipi.h:56
+56 while (native_apic_mem_read(APIC_ICR) & APIC_ICR_BUSY)
+(gdb) bt
+ #0 __xapic_wait_icr_idle () at ./arch/x86/include/asm/ipi.h:56
+ #1 __default_send_IPI_shortcut (shortcut=<optimized out>,
+dest=<optimized out>, vector=<optimized out>) at
+./arch/x86/include/asm/ipi.h:75
+ #2 apic_send_IPI_self (vector=246) at arch/x86/kernel/apic/probe_64.c:54
+ #3 0xffffffff81011336 in arch_irq_work_raise () at
+arch/x86/kernel/irq_work.c:47
+ #4 0xffffffff8114990c in irq_work_queue (work=0xffff88000fc0e400) at
+kernel/irq_work.c:100
+ #5 0xffffffff8110c29d in wake_up_klogd () at kernel/printk/printk.c:2633
+ #6 0xffffffff8110ca60 in vprintk_emit (facility=0, level=<optimized
+out>, dict=0x0 <irq_stack_union>, dictlen=<optimized out>,
+fmt=<optimized out>, args=<optimized out>)
+ at kernel/printk/printk.c:1778
+ #7 0xffffffff816010c8 in printk (fmt=<optimized out>) at
+kernel/printk/printk.c:1868
+ #8 0xffffffffc00013ea in ?? ()
+ #9 0x0000000000000000 in ?? ()
+
+Mailing-list-thread: https://lkml.org/lkml/2015/8/4/755
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/xen/Makefile | 4 ++--
+ arch/x86/xen/xen-ops.h | 6 ++----
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/xen/Makefile
++++ b/arch/x86/xen/Makefile
+@@ -13,13 +13,13 @@ CFLAGS_mmu.o := $(nostackp)
+ obj-y := enlighten.o setup.o multicalls.o mmu.o irq.o \
+ time.o xen-asm.o xen-asm_$(BITS).o \
+ grant-table.o suspend.o platform-pci-unplug.o \
+- p2m.o
++ p2m.o apic.o
+
+ obj-$(CONFIG_EVENT_TRACING) += trace.o
+
+ obj-$(CONFIG_SMP) += smp.o
+ obj-$(CONFIG_PARAVIRT_SPINLOCKS)+= spinlock.o
+ obj-$(CONFIG_XEN_DEBUG_FS) += debugfs.o
+-obj-$(CONFIG_XEN_DOM0) += apic.o vga.o
++obj-$(CONFIG_XEN_DOM0) += vga.o
+ obj-$(CONFIG_SWIOTLB_XEN) += pci-swiotlb-xen.o
+ obj-$(CONFIG_XEN_EFI) += efi.o
+--- a/arch/x86/xen/xen-ops.h
++++ b/arch/x86/xen/xen-ops.h
+@@ -101,17 +101,15 @@ struct dom0_vga_console_info;
+
+ #ifdef CONFIG_XEN_DOM0
+ void __init xen_init_vga(const struct dom0_vga_console_info *, size_t size);
+-void __init xen_init_apic(void);
+ #else
+ static inline void __init xen_init_vga(const struct dom0_vga_console_info *info,
+ size_t size)
+ {
+ }
+-static inline void __init xen_init_apic(void)
+-{
+-}
+ #endif
+
++void __init xen_init_apic(void);
++
+ #ifdef CONFIG_XEN_EFI
+ extern void xen_efi_init(void);
+ #else
--- /dev/null
+From c22fe519e7e2b94ad173e0ea3b89c1a7d8be8d00 Mon Sep 17 00:00:00 2001
+From: Julien Grall <julien.grall@citrix.com>
+Date: Mon, 10 Aug 2015 19:10:38 +0100
+Subject: xen/xenbus: Don't leak memory when unmapping the ring on HVM backend
+
+From: Julien Grall <julien.grall@citrix.com>
+
+commit c22fe519e7e2b94ad173e0ea3b89c1a7d8be8d00 upstream.
+
+The commit ccc9d90a9a8b5c4ad7e9708ec41f75ff9e98d61d "xenbus_client:
+Extend interface to support multi-page ring" removes the call to
+free_xenballooned_pages() in xenbus_unmap_ring_vfree_hvm(), leaking a
+page for every shared ring.
+
+Only with backends running in HVM domains were affected.
+
+Signed-off-by: Julien Grall <julien.grall@citrix.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Reviewed-by: Wei Liu <wei.liu2@citrix.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xenbus/xenbus_client.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/xenbus/xenbus_client.c
++++ b/drivers/xen/xenbus/xenbus_client.c
+@@ -814,8 +814,10 @@ static int xenbus_unmap_ring_vfree_hvm(s
+
+ rv = xenbus_unmap_ring(dev, node->handles, node->nr_handles,
+ addrs);
+- if (!rv)
++ if (!rv) {
+ vunmap(vaddr);
++ free_xenballooned_pages(node->nr_handles, node->hvm.pages);
++ }
+ else
+ WARN(1, "Leaking %p, size %u page(s)\n", vaddr,
+ node->nr_handles);
projects / thirdparty / kernel / stable-queue.git / commitdiff
