--- /dev/null
+From eb1357d942e5d96de6b4c20a8ffa55acf96233a2 Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Mon, 16 Jan 2017 10:48:09 -0800
+Subject: ARC: module: Fix !CONFIG_ARC_DW2_UNWIND builds
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit eb1357d942e5d96de6b4c20a8ffa55acf96233a2 upstream.
+
+commit d65283f7b695b5 added mod->arch.secstr under
+CONFIG_ARC_DW2_UNWIND, but used it unconditionally which broke builds
+when the option was disabled. Fix that by adjusting the #ifdef guard.
+
+And while at it add a missing guard (for unwinder) in module.c as well
+
+Reported-by: Waldemar Brodkorb <wbx@openadk.org>
+Fixes: d65283f7b695b5 ("ARC: module: elide loop to save reference to .eh_frame")
+Tested-by: Anton Kolesov <akolesov@synopsys.com>
+Reviewed-by: Alexey Brodkin <abrodkin@synopsys.com>
+[abrodkin: provided fixlet to Kconfig per failure in allnoconfig build]
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/Kconfig | 2 +-
+ arch/arc/include/asm/module.h | 4 ++--
+ arch/arc/kernel/module.c | 4 +++-
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/arch/arc/Kconfig
++++ b/arch/arc/Kconfig
+@@ -28,7 +28,7 @@ config ARC
+ select HAVE_KPROBES
+ select HAVE_KRETPROBES
+ select HAVE_MEMBLOCK
+- select HAVE_MOD_ARCH_SPECIFIC if ARC_DW2_UNWIND
++ select HAVE_MOD_ARCH_SPECIFIC
+ select HAVE_OPROFILE
+ select HAVE_PERF_EVENTS
+ select HANDLE_DOMAIN_IRQ
+--- a/arch/arc/include/asm/module.h
++++ b/arch/arc/include/asm/module.h
+@@ -14,13 +14,13 @@
+
+ #include <asm-generic/module.h>
+
+-#ifdef CONFIG_ARC_DW2_UNWIND
+ struct mod_arch_specific {
++#ifdef CONFIG_ARC_DW2_UNWIND
+ void *unw_info;
+ int unw_sec_idx;
++#endif
+ const char *secstr;
+ };
+-#endif
+
+ #define MODULE_PROC_FAMILY "ARC700"
+
+--- a/arch/arc/kernel/module.c
++++ b/arch/arc/kernel/module.c
+@@ -32,8 +32,8 @@ int module_frob_arch_sections(Elf_Ehdr *
+ #ifdef CONFIG_ARC_DW2_UNWIND
+ mod->arch.unw_sec_idx = 0;
+ mod->arch.unw_info = NULL;
+- mod->arch.secstr = secstr;
+ #endif
++ mod->arch.secstr = secstr;
+ return 0;
+ }
+
+@@ -113,8 +113,10 @@ int apply_relocate_add(Elf32_Shdr *sechd
+
+ }
+
++#ifdef CONFIG_ARC_DW2_UNWIND
+ if (strcmp(module->arch.secstr+sechdrs[tgtsec].sh_name, ".eh_frame") == 0)
+ module->arch.unw_sec_idx = tgtsec;
++#endif
+
+ return 0;
+
--- /dev/null
+From ddc37832a1349f474c4532de381498020ed71d31 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Fri, 6 Jan 2017 13:12:47 +0100
+Subject: ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit ddc37832a1349f474c4532de381498020ed71d31 upstream.
+
+On APQ8060, the kernel crashes in arch_hw_breakpoint_init, taking an
+undefined instruction trap within write_wb_reg. This is because Scorpion
+CPUs erroneously appear to set DBGPRSR.SPD when WFI is issued, even if
+the core is not powered down. When DBGPRSR.SPD is set, breakpoint and
+watchpoint registers are treated as undefined.
+
+It's possible to trigger similar crashes later on from userspace, by
+requesting the kernel to install a breakpoint or watchpoint, as we can
+go idle at any point between the reset of the debug registers and their
+later use. This has always been the case.
+
+Given that this has always been broken, no-one has complained until now,
+and there is no clear workaround, disable hardware breakpoints and
+watchpoints on Scorpion to avoid these issues.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Reported-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Stephen Boyd <sboyd@codeaurora.org>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Cc: Russell King <linux@armlinux.org.uk>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/include/asm/cputype.h | 3 +++
+ arch/arm/kernel/hw_breakpoint.c | 16 ++++++++++++++++
+ 2 files changed, 19 insertions(+)
+
+--- a/arch/arm/include/asm/cputype.h
++++ b/arch/arm/include/asm/cputype.h
+@@ -94,6 +94,9 @@
+ #define ARM_CPU_XSCALE_ARCH_V2 0x4000
+ #define ARM_CPU_XSCALE_ARCH_V3 0x6000
+
++/* Qualcomm implemented cores */
++#define ARM_CPU_PART_SCORPION 0x510002d0
++
+ extern unsigned int processor_id;
+
+ #ifdef CONFIG_CPU_CP15
+--- a/arch/arm/kernel/hw_breakpoint.c
++++ b/arch/arm/kernel/hw_breakpoint.c
+@@ -1066,6 +1066,22 @@ static int __init arch_hw_breakpoint_ini
+ return 0;
+ }
+
++ /*
++ * Scorpion CPUs (at least those in APQ8060) seem to set DBGPRSR.SPD
++ * whenever a WFI is issued, even if the core is not powered down, in
++ * violation of the architecture. When DBGPRSR.SPD is set, accesses to
++ * breakpoint and watchpoint registers are treated as undefined, so
++ * this results in boot time and runtime failures when these are
++ * accessed and we unexpectedly take a trap.
++ *
++ * It's not clear if/how this can be worked around, so we blacklist
++ * Scorpion CPUs to avoid these issues.
++ */
++ if (read_cpuid_part() == ARM_CPU_PART_SCORPION) {
++ pr_info("Scorpion CPU detected. Hardware breakpoints and watchpoints disabled\n");
++ return 0;
++ }
++
+ has_ossr = core_has_os_save_restore();
+
+ /* Determine how many BRPs/WRPs are available. */
--- /dev/null
+From 43849785e1079f6606a31cb7fda92d1200849728 Mon Sep 17 00:00:00 2001
+From: Fabien Parent <fparent@baylibre.com>
+Date: Tue, 17 Jan 2017 13:57:42 +0100
+Subject: ARM: dts: da850-evm: fix read access to SPI flash
+
+From: Fabien Parent <fparent@baylibre.com>
+
+commit 43849785e1079f6606a31cb7fda92d1200849728 upstream.
+
+Read access to the SPI flash are broken on da850-evm, i.e. the data
+read is not what is actually programmed on the flash.
+According to the datasheet for the M25P64 part present on the da850-evm,
+if the SPI frequency is higher than 20MHz then the READ command is not
+usable anymore and only the FAST_READ command can be used to read data.
+
+This commit specifies in the DTS that we should use FAST_READ command
+instead of the READ command.
+
+Tested-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Fabien Parent <fparent@baylibre.com>
+[nsekhar@ti.com: subject line adjustment]
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Signed-off-by: Olof Johansson <olof@lixom.net>
+
+---
+ arch/arm/boot/dts/da850-evm.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/boot/dts/da850-evm.dts
++++ b/arch/arm/boot/dts/da850-evm.dts
+@@ -99,6 +99,7 @@
+ #size-cells = <1>;
+ compatible = "m25p64";
+ spi-max-frequency = <30000000>;
++ m25p,fast-read;
+ reg = <0>;
+ partition@0 {
+ label = "U-Boot-SPL";
--- /dev/null
+From 87cb12910a2ab6ed41ae951ea4d9c1cc1120199a Mon Sep 17 00:00:00 2001
+From: Jean-Jacques Hiblot <jjhiblot@ti.com>
+Date: Mon, 9 Jan 2017 13:22:15 +0100
+Subject: ARM: dts: OMAP5 / DRA7: indicate that SATA port 0 is available.
+
+From: Jean-Jacques Hiblot <jjhiblot@ti.com>
+
+commit 87cb12910a2ab6ed41ae951ea4d9c1cc1120199a upstream.
+
+AHCI provides the register PORTS_IMPL to let the software know which port
+is supported. The register must be initialized by the bootloader. However
+in some cases u-boot doesn't properly initialize this value (if it is not
+compiled with SATA support for example or if the SATA initialization fails).
+The DTS entry "ports-implemented" can be used to override the value in
+PORTS_IMPL.
+
+Without this patch the SATA will not work in the following two cases:
+
+* if there has been a failure to initialize SATA in u-boot.
+
+* if ahci_platform module has been removed and re-inserted. The reason is
+ that the content of PORTS_IMPL is lost after the module is removed.
+ I suspect that it's because the controller is reset by the hwmod.
+
+Signed-off-by: Jean-Jacques Hiblot <jjhiblot@ti.com>
+Acked-by: Roger Quadros <rogerq@ti.com>
+[tony@atomide.com: updated comments with what goes wrong]
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/dra7.dtsi | 1 +
+ arch/arm/boot/dts/omap5.dtsi | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/arch/arm/boot/dts/dra7.dtsi
++++ b/arch/arm/boot/dts/dra7.dtsi
+@@ -1376,6 +1376,7 @@
+ phy-names = "sata-phy";
+ clocks = <&sata_ref_clk>;
+ ti,hwmods = "sata";
++ ports-implemented = <0x1>;
+ };
+
+ rtc: rtc@48838000 {
+--- a/arch/arm/boot/dts/omap5.dtsi
++++ b/arch/arm/boot/dts/omap5.dtsi
+@@ -985,6 +985,7 @@
+ phy-names = "sata-phy";
+ clocks = <&sata_ref_clk>;
+ ti,hwmods = "sata";
++ ports-implemented = <0x1>;
+ };
+
+ dss: dss@58000000 {
--- /dev/null
+From 7d9e8f71b989230bc613d121ca38507d34ada849 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Wed, 18 Jan 2017 17:23:41 +0000
+Subject: arm64: avoid returning from bad_mode
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit 7d9e8f71b989230bc613d121ca38507d34ada849 upstream.
+
+Generally, taking an unexpected exception should be a fatal event, and
+bad_mode is intended to cater for this. However, it should be possible
+to contain unexpected synchronous exceptions from EL0 without bringing
+the kernel down, by sending a SIGILL to the task.
+
+We tried to apply this approach in commit 9955ac47f4ba1c95 ("arm64:
+don't kill the kernel on a bad esr from el0"), by sending a signal for
+any bad_mode call resulting from an EL0 exception.
+
+However, this also applies to other unexpected exceptions, such as
+SError and FIQ. The entry paths for these exceptions branch to bad_mode
+without configuring the link register, and have no kernel_exit. Thus, if
+we take one of these exceptions from EL0, bad_mode will eventually
+return to the original user link register value.
+
+This patch fixes this by introducing a new bad_el0_sync handler to cater
+for the recoverable case, and restoring bad_mode to its original state,
+whereby it calls panic() and never returns. The recoverable case
+branches to bad_el0_sync with a bl, and returns to userspace via the
+usual ret_to_user mechanism.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Fixes: 9955ac47f4ba1c95 ("arm64: don't kill the kernel on a bad esr from el0")
+Reported-by: Mark Salter <msalter@redhat.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/entry.S | 2 +-
+ arch/arm64/kernel/traps.c | 28 ++++++++++++++++++++++++----
+ 2 files changed, 25 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -624,7 +624,7 @@ el0_inv:
+ mov x0, sp
+ mov x1, #BAD_SYNC
+ mov x2, x25
+- bl bad_mode
++ bl bad_el0_sync
+ b ret_to_user
+ ENDPROC(el0_sync)
+
+--- a/arch/arm64/kernel/traps.c
++++ b/arch/arm64/kernel/traps.c
+@@ -596,17 +596,34 @@ const char *esr_get_class_string(u32 esr
+ }
+
+ /*
+- * bad_mode handles the impossible case in the exception vector.
++ * bad_mode handles the impossible case in the exception vector. This is always
++ * fatal.
+ */
+ asmlinkage void bad_mode(struct pt_regs *regs, int reason, unsigned int esr)
+ {
+- siginfo_t info;
+- void __user *pc = (void __user *)instruction_pointer(regs);
+ console_verbose();
+
+ pr_crit("Bad mode in %s handler detected on CPU%d, code 0x%08x -- %s\n",
+ handler[reason], smp_processor_id(), esr,
+ esr_get_class_string(esr));
++
++ die("Oops - bad mode", regs, 0);
++ local_irq_disable();
++ panic("bad mode");
++}
++
++/*
++ * bad_el0_sync handles unexpected, but potentially recoverable synchronous
++ * exceptions taken from EL0. Unlike bad_mode, this returns.
++ */
++asmlinkage void bad_el0_sync(struct pt_regs *regs, int reason, unsigned int esr)
++{
++ siginfo_t info;
++ void __user *pc = (void __user *)instruction_pointer(regs);
++ console_verbose();
++
++ pr_crit("Bad EL0 synchronous exception detected on CPU%d, code 0x%08x -- %s\n",
++ smp_processor_id(), esr, esr_get_class_string(esr));
+ __show_regs(regs);
+
+ info.si_signo = SIGILL;
+@@ -614,7 +631,10 @@ asmlinkage void bad_mode(struct pt_regs
+ info.si_code = ILL_ILLOPC;
+ info.si_addr = pc;
+
+- arm64_notify_die("Oops - bad mode", regs, &info, 0);
++ current->thread.fault_address = 0;
++ current->thread.fault_code = 0;
++
++ force_sig_info(info.si_signo, &info, current);
+ }
+
+ void __pte_error(const char *file, int line, unsigned long val)
--- /dev/null
+From aeb1f39d814b2e21e5e5706a48834bfd553d0059 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Wed, 18 Jan 2017 16:25:23 +0000
+Subject: arm64/ptrace: Avoid uninitialised struct padding in fpr_set()
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit aeb1f39d814b2e21e5e5706a48834bfd553d0059 upstream.
+
+This patch adds an explicit __reserved[] field to user_fpsimd_state
+to replace what was previously unnamed padding.
+
+This ensures that data in this region are propagated across
+assignment rather than being left possibly uninitialised at the
+destination.
+
+Fixes: 60ffc30d5652 ("arm64: Exception handling")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Acked-by: Will Deacon <Will.Deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/uapi/asm/ptrace.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/include/uapi/asm/ptrace.h
++++ b/arch/arm64/include/uapi/asm/ptrace.h
+@@ -77,6 +77,7 @@ struct user_fpsimd_state {
+ __uint128_t vregs[32];
+ __u32 fpsr;
+ __u32 fpcr;
++ __u32 __reserved[2];
+ };
+
+ struct user_hwdebug_state {
--- /dev/null
+From 9dd73f72f218320c6c90da5f834996e7360dc227 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Wed, 18 Jan 2017 16:25:21 +0000
+Subject: arm64/ptrace: Preserve previous registers for short regset write - 2
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit 9dd73f72f218320c6c90da5f834996e7360dc227 upstream.
+
+Ensure that if userspace supplies insufficient data to
+PTRACE_SETREGSET to fill all the registers, the thread's old
+registers are preserved.
+
+Fixes: 766a85d7bc5d ("arm64: ptrace: add NT_ARM_SYSTEM_CALL regset")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Acked-by: Will Deacon <Will.Deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/ptrace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -676,7 +676,8 @@ static int system_call_set(struct task_s
+ unsigned int pos, unsigned int count,
+ const void *kbuf, const void __user *ubuf)
+ {
+- int syscallno, ret;
++ int syscallno = task_pt_regs(target)->syscallno;
++ int ret;
+
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &syscallno, 0, -1);
+ if (ret)
--- /dev/null
+From a672401c00f82e4e19704aff361d9bad18003714 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Wed, 18 Jan 2017 16:25:22 +0000
+Subject: arm64/ptrace: Preserve previous registers for short regset write - 3
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit a672401c00f82e4e19704aff361d9bad18003714 upstream.
+
+Ensure that if userspace supplies insufficient data to
+PTRACE_SETREGSET to fill all the registers, the thread's old
+registers are preserved.
+
+Fixes: 5d220ff9420f ("arm64: Better native ptrace support for compat tasks")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Acked-by: Will Deacon <Will.Deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/ptrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -949,7 +949,7 @@ static int compat_tls_set(struct task_st
+ const void __user *ubuf)
+ {
+ int ret;
+- compat_ulong_t tls;
++ compat_ulong_t tls = target->thread.tp_value;
+
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1);
+ if (ret)
--- /dev/null
+From 9a17b876b573441bfb3387ad55d98bf7184daf9d Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Wed, 18 Jan 2017 16:25:20 +0000
+Subject: arm64/ptrace: Preserve previous registers for short regset write
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit 9a17b876b573441bfb3387ad55d98bf7184daf9d upstream.
+
+Ensure that if userspace supplies insufficient data to
+PTRACE_SETREGSET to fill all the registers, the thread's old
+registers are preserved.
+
+Fixes: 478fcb2cdb23 ("arm64: Debugging support")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Acked-by: Will Deacon <Will.Deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/ptrace.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -595,7 +595,7 @@ static int gpr_set(struct task_struct *t
+ const void *kbuf, const void __user *ubuf)
+ {
+ int ret;
+- struct user_pt_regs newregs;
++ struct user_pt_regs newregs = task_pt_regs(target)->user_regs;
+
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newregs, 0, -1);
+ if (ret)
+@@ -625,7 +625,8 @@ static int fpr_set(struct task_struct *t
+ const void *kbuf, const void __user *ubuf)
+ {
+ int ret;
+- struct user_fpsimd_state newstate;
++ struct user_fpsimd_state newstate =
++ target->thread.fpsimd_state.user_fpsimd;
+
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newstate, 0, -1);
+ if (ret)
+@@ -649,7 +650,7 @@ static int tls_set(struct task_struct *t
+ const void *kbuf, const void __user *ubuf)
+ {
+ int ret;
+- unsigned long tls;
++ unsigned long tls = target->thread.tp_value;
+
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1);
+ if (ret)
--- /dev/null
+From ad9e202aa1ce571b1d7fed969d06f66067f8a086 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Wed, 18 Jan 2017 16:25:24 +0000
+Subject: arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit ad9e202aa1ce571b1d7fed969d06f66067f8a086 upstream.
+
+We cannot preserve partial fields for hardware breakpoints, because
+the values written by userspace to the hardware breakpoint
+registers can't subsequently be recovered intact from the hardware.
+
+So, just reject attempts to write incomplete fields with -EINVAL.
+
+Fixes: 478fcb2cdb23 ("arm64: Debugging support")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Acked-by: Will Deacon <Will.Deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/ptrace.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -550,6 +550,8 @@ static int hw_break_set(struct task_stru
+ /* (address, ctrl) registers */
+ limit = regset->n * regset->size;
+ while (count && offset < limit) {
++ if (count < PTRACE_HBP_ADDR_SZ)
++ return -EINVAL;
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &addr,
+ offset, offset + PTRACE_HBP_ADDR_SZ);
+ if (ret)
+@@ -559,6 +561,8 @@ static int hw_break_set(struct task_stru
+ return ret;
+ offset += PTRACE_HBP_ADDR_SZ;
+
++ if (!count)
++ break;
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &ctrl,
+ offset, offset + PTRACE_HBP_CTRL_SZ);
+ if (ret)
--- /dev/null
+From 6df8c9d80a27cb587f61b4f06b57e248d8bc3f86 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Thu, 12 Jan 2017 14:42:41 -0500
+Subject: ceph: fix bad endianness handling in parse_reply_info_extra
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit 6df8c9d80a27cb587f61b4f06b57e248d8bc3f86 upstream.
+
+sparse says:
+
+ fs/ceph/mds_client.c:291:23: warning: restricted __le32 degrades to integer
+ fs/ceph/mds_client.c:293:28: warning: restricted __le32 degrades to integer
+ fs/ceph/mds_client.c:294:28: warning: restricted __le32 degrades to integer
+ fs/ceph/mds_client.c:296:28: warning: restricted __le32 degrades to integer
+
+The op value is __le32, so we need to convert it before comparing it.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Reviewed-by: Sage Weil <sage@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/mds_client.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -288,12 +288,13 @@ static int parse_reply_info_extra(void *
+ struct ceph_mds_reply_info_parsed *info,
+ u64 features)
+ {
+- if (info->head->op == CEPH_MDS_OP_GETFILELOCK)
++ u32 op = le32_to_cpu(info->head->op);
++
++ if (op == CEPH_MDS_OP_GETFILELOCK)
+ return parse_reply_info_filelock(p, end, info, features);
+- else if (info->head->op == CEPH_MDS_OP_READDIR ||
+- info->head->op == CEPH_MDS_OP_LSSNAP)
++ else if (op == CEPH_MDS_OP_READDIR || op == CEPH_MDS_OP_LSSNAP)
+ return parse_reply_info_dir(p, end, info, features);
+- else if (info->head->op == CEPH_MDS_OP_CREATE)
++ else if (op == CEPH_MDS_OP_CREATE)
+ return parse_reply_info_create(p, end, info, features);
+ else
+ return -EIO;
--- /dev/null
+From bc7c36eedb0c7004aa06c2afc3c5385adada8fa3 Mon Sep 17 00:00:00 2001
+From: Joonyoung Shim <jy0922.shim@samsung.com>
+Date: Tue, 17 Jan 2017 13:54:36 +0900
+Subject: clocksource/exynos_mct: Clear interrupt when cpu is shut down
+
+From: Joonyoung Shim <jy0922.shim@samsung.com>
+
+commit bc7c36eedb0c7004aa06c2afc3c5385adada8fa3 upstream.
+
+When a CPU goes offline a potentially pending timer interrupt is not
+cleared. When the CPU comes online again then the pending interrupt is
+delivered before the per cpu clockevent device is initialized. As a
+consequence the tick interrupt handler dereferences a NULL pointer.
+
+[ 51.251378] Unable to handle kernel NULL pointer dereference at virtual address 00000040
+[ 51.289348] task: ee942d00 task.stack: ee960000
+[ 51.293861] PC is at tick_periodic+0x38/0xb0
+[ 51.298102] LR is at tick_handle_periodic+0x1c/0x90
+
+Clear the pending interrupt in the cpu dying path.
+
+Fixes: 56a94f13919c ("clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier")
+Reported-by: Seung-Woo Kim <sw0312.kim@samsung.com>
+Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
+Cc: linux-samsung-soc@vger.kernel.org
+Cc: cw00.choi@samsung.com
+Cc: daniel.lezcano@linaro.org
+Cc: javier@osg.samsung.com
+Cc: kgene@kernel.org
+Cc: krzk@kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Link: http://lkml.kernel.org/r/1484628876-22065-1-git-send-email-jy0922.shim@samsung.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clocksource/exynos_mct.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/clocksource/exynos_mct.c
++++ b/drivers/clocksource/exynos_mct.c
+@@ -495,6 +495,7 @@ static int exynos4_mct_dying_cpu(unsigne
+ if (mct_int_type == MCT_INT_SPI) {
+ if (evt->irq != -1)
+ disable_irq_nosync(evt->irq);
++ exynos4_mct_write(0x1, mevt->base + MCT_L_INT_CSTAT_OFFSET);
+ } else {
+ disable_percpu_irq(mct_irqs[MCT_L0_IRQ]);
+ }
--- /dev/null
+From a8a86d78d673b1c99fe9b0064739fde9e9774184 Mon Sep 17 00:00:00 2001
+From: Tahsin Erdogan <tahsin@google.com>
+Date: Thu, 12 Jan 2017 12:04:04 -0800
+Subject: fuse: clear FR_PENDING flag when moving requests out of pending queue
+
+From: Tahsin Erdogan <tahsin@google.com>
+
+commit a8a86d78d673b1c99fe9b0064739fde9e9774184 upstream.
+
+fuse_abort_conn() moves requests from pending list to a temporary list
+before canceling them. This operation races with request_wait_answer()
+which also tries to remove the request after it gets a fatal signal. It
+checks FR_PENDING flag to determine whether the request is still in the
+pending list.
+
+Make fuse_abort_conn() clear FR_PENDING flag so that request_wait_answer()
+does not remove the request from temporary list.
+
+This bug causes an Oops when trying to delete an already deleted list entry
+in end_requests().
+
+Fixes: ee314a870e40 ("fuse: abort: no fc->lock needed for request ending")
+Signed-off-by: Tahsin Erdogan <tahsin@google.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -2025,7 +2025,6 @@ static void end_requests(struct fuse_con
+ struct fuse_req *req;
+ req = list_entry(head->next, struct fuse_req, list);
+ req->out.h.error = -ECONNABORTED;
+- clear_bit(FR_PENDING, &req->flags);
+ clear_bit(FR_SENT, &req->flags);
+ list_del_init(&req->list);
+ request_end(fc, req);
+@@ -2103,6 +2102,8 @@ void fuse_abort_conn(struct fuse_conn *f
+ spin_lock(&fiq->waitq.lock);
+ fiq->connected = 0;
+ list_splice_init(&fiq->pending, &to_end2);
++ list_for_each_entry(req, &to_end2, list)
++ clear_bit(FR_PENDING, &req->flags);
+ while (forget_pending(fiq))
+ kfree(dequeue_forget(fiq, 1, NULL));
+ wake_up_all_locked(&fiq->waitq);
--- /dev/null
+From 210675270caa33253e4c33f3c5e657e7d6060812 Mon Sep 17 00:00:00 2001
+From: David Sheets <david.sheets@docker.com>
+Date: Fri, 13 Jan 2017 15:58:30 +0000
+Subject: fuse: fix time_to_jiffies nsec sanity check
+
+From: David Sheets <david.sheets@docker.com>
+
+commit 210675270caa33253e4c33f3c5e657e7d6060812 upstream.
+
+Commit bcb6f6d2b9c2 ("fuse: use timespec64") introduced clamped nsec values
+in time_to_jiffies but used the max of nsec and NSEC_PER_SEC - 1 instead of
+the min. Because of this, dentries would stay in the cache longer than
+requested and go stale in scenarios that relied on their timely eviction.
+
+Fixes: bcb6f6d2b9c2 ("fuse: use timespec64")
+Signed-off-by: David Sheets <dsheets@docker.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -68,7 +68,7 @@ static u64 time_to_jiffies(u64 sec, u32
+ if (sec || nsec) {
+ struct timespec64 ts = {
+ sec,
+- max_t(u32, nsec, NSEC_PER_SEC - 1)
++ min_t(u32, nsec, NSEC_PER_SEC - 1)
+ };
+
+ return get_jiffies_64() + timespec64_to_jiffies(&ts);
--- /dev/null
+From 7a546af50eb78ab99840903083231eb635c8a566 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 18:17:43 +0100
+Subject: HID: corsair: fix control-transfer error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 7a546af50eb78ab99840903083231eb635c8a566 upstream.
+
+Make sure to check for short control transfers in order to avoid parsing
+uninitialised buffer data and leaking it to user space.
+
+Note that the backlight and macro-mode buffer constraints are kept as
+loose as possible in order to avoid any regressions should the current
+buffer sizes be larger than necessary.
+
+Fixes: 6f78193ee9ea ("HID: corsair: Add Corsair Vengeance K90 driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-corsair.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/hid-corsair.c
++++ b/drivers/hid/hid-corsair.c
+@@ -159,7 +159,7 @@ static enum led_brightness k90_backlight
+ USB_DIR_IN | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, 0, 0, data, 8,
+ USB_CTRL_SET_TIMEOUT);
+- if (ret < 0) {
++ if (ret < 5) {
+ dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
+ ret);
+ ret = -EIO;
+@@ -274,7 +274,7 @@ static ssize_t k90_show_macro_mode(struc
+ USB_DIR_IN | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, 0, 0, data, 2,
+ USB_CTRL_SET_TIMEOUT);
+- if (ret < 0) {
++ if (ret < 1) {
+ dev_warn(dev, "Failed to get K90 initial mode (error %d).\n",
+ ret);
+ ret = -EIO;
+@@ -351,7 +351,7 @@ static ssize_t k90_show_current_profile(
+ USB_DIR_IN | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, 0, 0, data, 8,
+ USB_CTRL_SET_TIMEOUT);
+- if (ret < 0) {
++ if (ret < 8) {
+ dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
+ ret);
+ ret = -EIO;
--- /dev/null
+From 6d104af38b570d37aa32a5803b04c354f8ed513d Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 18:17:42 +0100
+Subject: HID: corsair: fix DMA buffers on stack
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 6d104af38b570d37aa32a5803b04c354f8ed513d upstream.
+
+Not all platforms support DMA to the stack, and specifically since v4.9
+this is no longer supported on x86 with VMAP_STACK either.
+
+Note that the macro-mode buffer was larger than necessary.
+
+Fixes: 6f78193ee9ea ("HID: corsair: Add Corsair Vengeance K90 driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-corsair.c | 54 +++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 42 insertions(+), 12 deletions(-)
+
+--- a/drivers/hid/hid-corsair.c
++++ b/drivers/hid/hid-corsair.c
+@@ -148,7 +148,11 @@ static enum led_brightness k90_backlight
+ struct usb_interface *usbif = to_usb_interface(dev->parent);
+ struct usb_device *usbdev = interface_to_usbdev(usbif);
+ int brightness;
+- char data[8];
++ char *data;
++
++ data = kmalloc(8, GFP_KERNEL);
++ if (!data)
++ return -ENOMEM;
+
+ ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
+ K90_REQUEST_STATUS,
+@@ -158,16 +162,22 @@ static enum led_brightness k90_backlight
+ if (ret < 0) {
+ dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
+ ret);
+- return -EIO;
++ ret = -EIO;
++ goto out;
+ }
+ brightness = data[4];
+ if (brightness < 0 || brightness > 3) {
+ dev_warn(dev,
+ "Read invalid backlight brightness: %02hhx.\n",
+ data[4]);
+- return -EIO;
++ ret = -EIO;
++ goto out;
+ }
+- return brightness;
++ ret = brightness;
++out:
++ kfree(data);
++
++ return ret;
+ }
+
+ static enum led_brightness k90_record_led_get(struct led_classdev *led_cdev)
+@@ -253,7 +263,11 @@ static ssize_t k90_show_macro_mode(struc
+ struct usb_interface *usbif = to_usb_interface(dev->parent);
+ struct usb_device *usbdev = interface_to_usbdev(usbif);
+ const char *macro_mode;
+- char data[8];
++ char *data;
++
++ data = kmalloc(2, GFP_KERNEL);
++ if (!data)
++ return -ENOMEM;
+
+ ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
+ K90_REQUEST_GET_MODE,
+@@ -263,7 +277,8 @@ static ssize_t k90_show_macro_mode(struc
+ if (ret < 0) {
+ dev_warn(dev, "Failed to get K90 initial mode (error %d).\n",
+ ret);
+- return -EIO;
++ ret = -EIO;
++ goto out;
+ }
+
+ switch (data[0]) {
+@@ -277,10 +292,15 @@ static ssize_t k90_show_macro_mode(struc
+ default:
+ dev_warn(dev, "K90 in unknown mode: %02hhx.\n",
+ data[0]);
+- return -EIO;
++ ret = -EIO;
++ goto out;
+ }
+
+- return snprintf(buf, PAGE_SIZE, "%s\n", macro_mode);
++ ret = snprintf(buf, PAGE_SIZE, "%s\n", macro_mode);
++out:
++ kfree(data);
++
++ return ret;
+ }
+
+ static ssize_t k90_store_macro_mode(struct device *dev,
+@@ -320,7 +340,11 @@ static ssize_t k90_show_current_profile(
+ struct usb_interface *usbif = to_usb_interface(dev->parent);
+ struct usb_device *usbdev = interface_to_usbdev(usbif);
+ int current_profile;
+- char data[8];
++ char *data;
++
++ data = kmalloc(8, GFP_KERNEL);
++ if (!data)
++ return -ENOMEM;
+
+ ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
+ K90_REQUEST_STATUS,
+@@ -330,16 +354,22 @@ static ssize_t k90_show_current_profile(
+ if (ret < 0) {
+ dev_warn(dev, "Failed to get K90 initial state (error %d).\n",
+ ret);
+- return -EIO;
++ ret = -EIO;
++ goto out;
+ }
+ current_profile = data[7];
+ if (current_profile < 1 || current_profile > 3) {
+ dev_warn(dev, "Read invalid current profile: %02hhx.\n",
+ data[7]);
+- return -EIO;
++ ret = -EIO;
++ goto out;
+ }
+
+- return snprintf(buf, PAGE_SIZE, "%d\n", current_profile);
++ ret = snprintf(buf, PAGE_SIZE, "%d\n", current_profile);
++out:
++ kfree(data);
++
++ return ret;
+ }
+
+ static ssize_t k90_store_current_profile(struct device *dev,
--- /dev/null
+From 387b978cb0d12cf3720ecb17e652e0a9991a08e2 Mon Sep 17 00:00:00 2001
+From: "Bryant G. Ly" <bryantly@linux.vnet.ibm.com>
+Date: Wed, 11 Jan 2017 13:52:27 -0600
+Subject: ibmvscsis: Fix max transfer length
+
+From: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+
+commit 387b978cb0d12cf3720ecb17e652e0a9991a08e2 upstream.
+
+Current code incorrectly calculates the max transfer length, since
+it is assuming a 4k page table, but ppc64 all run on 64k page tables.
+
+Reported-by: Steven Royer <seroyer@linux.vnet.ibm.com>
+Tested-by: Steven Royer <seroyer@linux.vnet.ibm.com>
+Signed-off-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
++++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
+@@ -45,6 +45,7 @@
+
+ #define INITIAL_SRP_LIMIT 800
+ #define DEFAULT_MAX_SECTORS 256
++#define MAX_TXU 1024 * 1024
+
+ static uint max_vdma_size = MAX_H_COPY_RDMA;
+
+@@ -1291,7 +1292,7 @@ static long ibmvscsis_adapter_info(struc
+ info->mad_version = cpu_to_be32(MAD_VERSION_1);
+ info->os_type = cpu_to_be32(LINUX);
+ memset(&info->port_max_txu[0], 0, sizeof(info->port_max_txu));
+- info->port_max_txu[0] = cpu_to_be32(128 * PAGE_SIZE);
++ info->port_max_txu[0] = cpu_to_be32(MAX_TXU);
+
+ dma_wmb();
+ rc = h_copy_rdma(sizeof(*info), vscsi->dds.window[LOCAL].liobn,
--- /dev/null
+From a5b0e4062fb225155189e593699bbfcd0597f8b5 Mon Sep 17 00:00:00 2001
+From: "Bryant G. Ly" <bryantly@linux.vnet.ibm.com>
+Date: Wed, 11 Jan 2017 13:16:42 -0600
+Subject: ibmvscsis: Fix sleeping in interrupt context
+
+From: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+
+commit a5b0e4062fb225155189e593699bbfcd0597f8b5 upstream.
+
+Currently, dma_alloc_coherent is being called with a GFP_KERNEL
+flag which allows it to sleep in an interrupt context, need to
+change to GFP_ATOMIC.
+
+Tested-by: Steven Royer <seroyer@linux.vnet.ibm.com>
+Reviewed-by: Michael Cyr <mikecyr@linux.vnet.ibm.com>
+Signed-off-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
++++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
+@@ -1239,7 +1239,7 @@ static long ibmvscsis_adapter_info(struc
+ }
+
+ info = dma_alloc_coherent(&vscsi->dma_dev->dev, sizeof(*info), &token,
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ if (!info) {
+ dev_err(&vscsi->dev, "bad dma_alloc_coherent %p\n",
+ iue->target);
+@@ -1357,7 +1357,7 @@ static int ibmvscsis_cap_mad(struct scsi
+ }
+
+ cap = dma_alloc_coherent(&vscsi->dma_dev->dev, olen, &token,
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ if (!cap) {
+ dev_err(&vscsi->dev, "bad dma_alloc_coherent %p\n",
+ iue->target);
--- /dev/null
+From 05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655 Mon Sep 17 00:00:00 2001
+From: Stefan Schmidt <stefan@osg.samsung.com>
+Date: Thu, 15 Dec 2016 18:40:14 +0100
+Subject: ieee802154: atusb: do not use the stack for buffers to make them DMA able
+
+From: Stefan Schmidt <stefan@osg.samsung.com>
+
+commit 05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655 upstream.
+
+From 4.9 we should really avoid using the stack here as this will not be DMA
+able on various platforms. This changes the buffers already being present in
+time of 4.9 being released. This should go into stable as well.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ieee802154/atusb.c | 31 +++++++++++++++++++++++++++----
+ 1 file changed, 27 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ieee802154/atusb.c
++++ b/drivers/net/ieee802154/atusb.c
+@@ -112,13 +112,26 @@ static int atusb_read_reg(struct atusb *
+ {
+ struct usb_device *usb_dev = atusb->usb_dev;
+ int ret;
++ uint8_t *buffer;
+ uint8_t value;
+
++ buffer = kmalloc(1, GFP_KERNEL);
++ if (!buffer)
++ return -ENOMEM;
++
+ dev_dbg(&usb_dev->dev, "atusb: reg = 0x%x\n", reg);
+ ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+ ATUSB_REG_READ, ATUSB_REQ_FROM_DEV,
+- 0, reg, &value, 1, 1000);
+- return ret >= 0 ? value : ret;
++ 0, reg, buffer, 1, 1000);
++
++ if (ret >= 0) {
++ value = buffer[0];
++ kfree(buffer);
++ return value;
++ } else {
++ kfree(buffer);
++ return ret;
++ }
+ }
+
+ static int atusb_write_subreg(struct atusb *atusb, uint8_t reg, uint8_t mask,
+@@ -587,9 +600,13 @@ static struct ieee802154_ops atusb_ops =
+ static int atusb_get_and_show_revision(struct atusb *atusb)
+ {
+ struct usb_device *usb_dev = atusb->usb_dev;
+- unsigned char buffer[3];
++ unsigned char *buffer;
+ int ret;
+
++ buffer = kmalloc(3, GFP_KERNEL);
++ if (!buffer)
++ return -ENOMEM;
++
+ /* Get a couple of the ATMega Firmware values */
+ ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+ ATUSB_ID, ATUSB_REQ_FROM_DEV, 0, 0,
+@@ -605,15 +622,20 @@ static int atusb_get_and_show_revision(s
+ dev_info(&usb_dev->dev, "Please update to version 0.2 or newer");
+ }
+
++ kfree(buffer);
+ return ret;
+ }
+
+ static int atusb_get_and_show_build(struct atusb *atusb)
+ {
+ struct usb_device *usb_dev = atusb->usb_dev;
+- char build[ATUSB_BUILD_SIZE + 1];
++ char *build;
+ int ret;
+
++ build = kmalloc(ATUSB_BUILD_SIZE + 1, GFP_KERNEL);
++ if (!build)
++ return -ENOMEM;
++
+ ret = atusb_control_msg(atusb, usb_rcvctrlpipe(usb_dev, 0),
+ ATUSB_BUILD, ATUSB_REQ_FROM_DEV, 0, 0,
+ build, ATUSB_BUILD_SIZE, 1000);
+@@ -622,6 +644,7 @@ static int atusb_get_and_show_build(stru
+ dev_info(&usb_dev->dev, "Firmware: build %s\n", build);
+ }
+
++ kfree(build);
+ return ret;
+ }
+
--- /dev/null
+From 1193e6aeecb36c74c48c7cd0f641acbbed9ddeef Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 12 Jan 2017 09:21:56 +0000
+Subject: KVM: arm/arm64: vgic: Fix deadlock on error handling
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 1193e6aeecb36c74c48c7cd0f641acbbed9ddeef upstream.
+
+Dmitry Vyukov reported that the syzkaller fuzzer triggered a
+deadlock in the vgic setup code when an error was detected, as
+the cleanup code tries to take a lock that is already held by
+the setup code.
+
+The fix is to avoid retaking the lock when cleaning up, by
+telling the cleanup function that we already hold it.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/vgic/vgic-init.c | 18 +++++++++++++-----
+ virt/kvm/arm/vgic/vgic-v2.c | 2 --
+ virt/kvm/arm/vgic/vgic-v3.c | 2 --
+ 3 files changed, 13 insertions(+), 9 deletions(-)
+
+--- a/virt/kvm/arm/vgic/vgic-init.c
++++ b/virt/kvm/arm/vgic/vgic-init.c
+@@ -268,15 +268,11 @@ static void kvm_vgic_dist_destroy(struct
+ {
+ struct vgic_dist *dist = &kvm->arch.vgic;
+
+- mutex_lock(&kvm->lock);
+-
+ dist->ready = false;
+ dist->initialized = false;
+
+ kfree(dist->spis);
+ dist->nr_spis = 0;
+-
+- mutex_unlock(&kvm->lock);
+ }
+
+ void kvm_vgic_vcpu_destroy(struct kvm_vcpu *vcpu)
+@@ -286,7 +282,8 @@ void kvm_vgic_vcpu_destroy(struct kvm_vc
+ INIT_LIST_HEAD(&vgic_cpu->ap_list_head);
+ }
+
+-void kvm_vgic_destroy(struct kvm *kvm)
++/* To be called with kvm->lock held */
++static void __kvm_vgic_destroy(struct kvm *kvm)
+ {
+ struct kvm_vcpu *vcpu;
+ int i;
+@@ -297,6 +294,13 @@ void kvm_vgic_destroy(struct kvm *kvm)
+ kvm_vgic_vcpu_destroy(vcpu);
+ }
+
++void kvm_vgic_destroy(struct kvm *kvm)
++{
++ mutex_lock(&kvm->lock);
++ __kvm_vgic_destroy(kvm);
++ mutex_unlock(&kvm->lock);
++}
++
+ /**
+ * vgic_lazy_init: Lazy init is only allowed if the GIC exposed to the guest
+ * is a GICv2. A GICv3 must be explicitly initialized by the guest using the
+@@ -348,6 +352,10 @@ int kvm_vgic_map_resources(struct kvm *k
+ ret = vgic_v2_map_resources(kvm);
+ else
+ ret = vgic_v3_map_resources(kvm);
++
++ if (ret)
++ __kvm_vgic_destroy(kvm);
++
+ out:
+ mutex_unlock(&kvm->lock);
+ return ret;
+--- a/virt/kvm/arm/vgic/vgic-v2.c
++++ b/virt/kvm/arm/vgic/vgic-v2.c
+@@ -293,8 +293,6 @@ int vgic_v2_map_resources(struct kvm *kv
+ dist->ready = true;
+
+ out:
+- if (ret)
+- kvm_vgic_destroy(kvm);
+ return ret;
+ }
+
+--- a/virt/kvm/arm/vgic/vgic-v3.c
++++ b/virt/kvm/arm/vgic/vgic-v3.c
+@@ -302,8 +302,6 @@ int vgic_v3_map_resources(struct kvm *kv
+ dist->ready = true;
+
+ out:
+- if (ret)
+- kvm_vgic_destroy(kvm);
+ return ret;
+ }
+
--- /dev/null
+From 04478197416e3a302e9ebc917ba1aa884ef9bfab Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Thu, 12 Jan 2017 16:25:15 +0100
+Subject: KVM: s390: do not expose random data via facility bitmap
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+commit 04478197416e3a302e9ebc917ba1aa884ef9bfab upstream.
+
+kvm_s390_get_machine() populates the facility bitmap by copying bytes
+from the host results that are stored in a 256 byte array in the prefix
+page. The KVM code does use the size of the target buffer (2k), thus
+copying and exposing unrelated kernel memory (mostly machine check
+related logout data).
+
+Let's use the size of the source buffer instead. This is ok, as the
+target buffer will always be greater or equal than the source buffer as
+the KVM internal buffers (and thus S390_ARCH_FAC_LIST_SIZE_BYTE) cover
+the maximum possible size that is allowed by STFLE, which is 256
+doublewords. All structures are zero allocated so we can leave bytes
+256-2047 unchanged.
+
+Add a similar fix for kvm_arch_init_vm().
+
+Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+[found with smatch]
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/kvm-s390.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -916,7 +916,7 @@ static int kvm_s390_get_machine(struct k
+ memcpy(&mach->fac_mask, kvm->arch.model.fac_mask,
+ S390_ARCH_FAC_LIST_SIZE_BYTE);
+ memcpy((unsigned long *)&mach->fac_list, S390_lowcore.stfle_fac_list,
+- S390_ARCH_FAC_LIST_SIZE_BYTE);
++ sizeof(S390_lowcore.stfle_fac_list));
+ if (copy_to_user((void __user *)attr->addr, mach, sizeof(*mach)))
+ ret = -EFAULT;
+ kfree(mach);
+@@ -1437,7 +1437,7 @@ int kvm_arch_init_vm(struct kvm *kvm, un
+
+ /* Populate the facility mask initially. */
+ memcpy(kvm->arch.model.fac_mask, S390_lowcore.stfle_fac_list,
+- S390_ARCH_FAC_LIST_SIZE_BYTE);
++ sizeof(S390_lowcore.stfle_fac_list));
+ for (i = 0; i < S390_ARCH_FAC_LIST_SIZE_U64; i++) {
+ if (i < kvm_s390_fac_list_mask_size())
+ kvm->arch.model.fac_mask[i] &= kvm_s390_fac_list_mask[i];
--- /dev/null
+From 1f19b983a8877f81763fab3e693c6befe212736d Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Mon, 9 Jan 2017 17:30:49 -0800
+Subject: libnvdimm, namespace: fix pmem namespace leak, delete when size set to zero
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 1f19b983a8877f81763fab3e693c6befe212736d upstream.
+
+Commit 98a29c39dc68 ("libnvdimm, namespace: allow creation of multiple
+pmem-namespaces per region") added support for establishing additional
+pmem namespace beyond the seed device, similar to blk namespaces.
+However, it neglected to delete the namespace when the size is set to
+zero.
+
+Fixes: 98a29c39dc68 ("libnvdimm, namespace: allow creation of multiple pmem-namespaces per region")
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/namespace_devs.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+--- a/drivers/nvdimm/namespace_devs.c
++++ b/drivers/nvdimm/namespace_devs.c
+@@ -957,6 +957,7 @@ static ssize_t __size_store(struct devic
+ {
+ resource_size_t allocated = 0, available = 0;
+ struct nd_region *nd_region = to_nd_region(dev->parent);
++ struct nd_namespace_common *ndns = to_ndns(dev);
+ struct nd_mapping *nd_mapping;
+ struct nvdimm_drvdata *ndd;
+ struct nd_label_id label_id;
+@@ -964,7 +965,7 @@ static ssize_t __size_store(struct devic
+ u8 *uuid = NULL;
+ int rc, i;
+
+- if (dev->driver || to_ndns(dev)->claim)
++ if (dev->driver || ndns->claim)
+ return -EBUSY;
+
+ if (is_namespace_pmem(dev)) {
+@@ -1034,20 +1035,16 @@ static ssize_t __size_store(struct devic
+
+ nd_namespace_pmem_set_resource(nd_region, nspm,
+ val * nd_region->ndr_mappings);
+- } else if (is_namespace_blk(dev)) {
+- struct nd_namespace_blk *nsblk = to_nd_namespace_blk(dev);
+-
+- /*
+- * Try to delete the namespace if we deleted all of its
+- * allocation, this is not the seed device for the
+- * region, and it is not actively claimed by a btt
+- * instance.
+- */
+- if (val == 0 && nd_region->ns_seed != dev
+- && !nsblk->common.claim)
+- nd_device_unregister(dev, ND_ASYNC);
+ }
+
++ /*
++ * Try to delete the namespace if we deleted all of its
++ * allocation, this is not the seed device for the region, and
++ * it is not actively claimed by a btt instance.
++ */
++ if (val == 0 && nd_region->ns_seed != dev && !ndns->claim)
++ nd_device_unregister(dev, ND_ASYNC);
++
+ return rc;
+ }
+
--- /dev/null
+From eeb0d56fab4cd7848cf2be6704fa48900dbc1381 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 14 Dec 2016 16:47:43 +0100
+Subject: mac80211: implement multicast forwarding on fast-RX path
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit eeb0d56fab4cd7848cf2be6704fa48900dbc1381 upstream.
+
+In AP (or VLAN) mode, when unicast 802.11 packets are received,
+they might actually be multicast after conversion. In this case
+the fast-RX path didn't handle them properly to send them back
+to the wireless medium. Implement that by copying the SKB and
+sending it back out.
+
+The possible alternative would be to just punt the packet back
+to the regular (slow) RX path, but since we have almost all of
+the required code here already it's not so complicated to add
+here. Punting it back would also mean acquiring the spinlock,
+which would be bad for the stated purpose of the fast-RX path,
+to enable well-performing parallel RX.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -3939,21 +3939,31 @@ static bool ieee80211_invoke_fast_rx(str
+ u64_stats_update_end(&stats->syncp);
+
+ if (fast_rx->internal_forward) {
+- struct sta_info *dsta = sta_info_get(rx->sdata, skb->data);
++ struct sk_buff *xmit_skb = NULL;
++ bool multicast = is_multicast_ether_addr(skb->data);
+
+- if (dsta) {
++ if (multicast) {
++ xmit_skb = skb_copy(skb, GFP_ATOMIC);
++ } else if (sta_info_get(rx->sdata, skb->data)) {
++ xmit_skb = skb;
++ skb = NULL;
++ }
++
++ if (xmit_skb) {
+ /*
+ * Send to wireless media and increase priority by 256
+ * to keep the received priority instead of
+ * reclassifying the frame (see cfg80211_classify8021d).
+ */
+- skb->priority += 256;
+- skb->protocol = htons(ETH_P_802_3);
+- skb_reset_network_header(skb);
+- skb_reset_mac_header(skb);
+- dev_queue_xmit(skb);
+- return true;
++ xmit_skb->priority += 256;
++ xmit_skb->protocol = htons(ETH_P_802_3);
++ skb_reset_network_header(xmit_skb);
++ skb_reset_mac_header(xmit_skb);
++ dev_queue_xmit(xmit_skb);
+ }
++
++ if (!skb)
++ return true;
+ }
+
+ /* deliver to local stack */
--- /dev/null
+From 01167c7b9cbf099c69fe411a228e4e9c7104e123 Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Thu, 5 Jan 2017 19:24:04 +0000
+Subject: mmc: mxs-mmc: Fix additional cycles after transmission stop
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+commit 01167c7b9cbf099c69fe411a228e4e9c7104e123 upstream.
+
+According to the code the intention is to append 8 SCK cycles
+instead of 4 at end of a MMC_STOP_TRANSMISSION command. But this
+will never happened because it's an AC command not an ADTC command.
+So fix this by moving the statement into the right function.
+
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Fixes: e4243f13d10e (mmc: mxs-mmc: add mmc host driver for i.MX23/28)
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/mxs-mmc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/mxs-mmc.c
++++ b/drivers/mmc/host/mxs-mmc.c
+@@ -309,6 +309,9 @@ static void mxs_mmc_ac(struct mxs_mmc_ho
+ cmd0 = BF_SSP(cmd->opcode, CMD0_CMD);
+ cmd1 = cmd->arg;
+
++ if (cmd->opcode == MMC_STOP_TRANSMISSION)
++ cmd0 |= BM_SSP_CMD0_APPEND_8CYC;
++
+ if (host->sdio_irq_en) {
+ ctrl0 |= BM_SSP_CTRL0_SDIO_IRQ_CHECK;
+ cmd0 |= BM_SSP_CMD0_CONT_CLKING_EN | BM_SSP_CMD0_SLOW_CLKING_EN;
+@@ -417,8 +420,7 @@ static void mxs_mmc_adtc(struct mxs_mmc_
+ ssp->base + HW_SSP_BLOCK_SIZE);
+ }
+
+- if ((cmd->opcode == MMC_STOP_TRANSMISSION) ||
+- (cmd->opcode == SD_IO_RW_EXTENDED))
++ if (cmd->opcode == SD_IO_RW_EXTENDED)
+ cmd0 |= BM_SSP_CMD0_APPEND_8CYC;
+
+ cmd1 = cmd->arg;
--- /dev/null
+From e1d070c3793a2766122865a7c2142853b48808c5 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 21 Dec 2016 00:19:19 +0100
+Subject: mmc: sdhci-acpi: Only powered up enabled acpi child devices
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit e1d070c3793a2766122865a7c2142853b48808c5 upstream.
+
+Commit e5bbf30733f9 ("mmc: sdhci-acpi: Ensure connected devices are
+powered when probing") introduced code to powerup any acpi child
+nodes listed in the dstd. But some dstd-s list all possible devices
+used on some board variants, while reporting if the device is actually
+present and enabled in the status field of the device.
+
+So we end up calling the acpi _PS0 (power-on) method for devices which
+are not actually present. This does not always end well, e.g. on my
+cube iwork8 air tablet, this results in freezing the entire tablet as
+soon as the r8723bs module is loaded.
+
+This commit fixes this by checking the child device's status.present
+and status.enabled bits and only call acpi_device_fix_up_power()
+if both are set.
+
+Fixes: e5bbf30733f9 ("mmc: sdhci-acpi: Ensure connected devices are powered when probing")
+BugLink: https://github.com/hadess/rtl8723bs/issues/80
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-acpi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-acpi.c
++++ b/drivers/mmc/host/sdhci-acpi.c
+@@ -394,7 +394,8 @@ static int sdhci_acpi_probe(struct platf
+ /* Power on the SDHCI controller and its children */
+ acpi_device_fix_up_power(device);
+ list_for_each_entry(child, &device->children, node)
+- acpi_device_fix_up_power(child);
++ if (child->status.present && child->status.enabled)
++ acpi_device_fix_up_power(child);
+
+ if (acpi_bus_get_status(device) || !device->status.present)
+ return -ENODEV;
--- /dev/null
+From cf9e1672a66c49ed8903c01b4c380a2f2dc91b40 Mon Sep 17 00:00:00 2001
+From: Vladimir Zapolskiy <vz@mleia.com>
+Date: Mon, 5 Dec 2016 03:47:10 +0200
+Subject: mtd: nand: lpc32xx: fix invalid error handling of a requested irq
+
+From: Vladimir Zapolskiy <vz@mleia.com>
+
+commit cf9e1672a66c49ed8903c01b4c380a2f2dc91b40 upstream.
+
+Semantics of NR_IRQS is different on machines with SPARSE_IRQ option
+disabled or enabled, in the latter case IRQs are allocated starting
+at least from the value specified by NR_IRQS and going upwards, so
+the check of (irq >= NR_IRQ) to decide about an error code returned by
+platform_get_irq() is completely invalid, don't attempt to overrule
+irq subsystem in the driver.
+
+The change fixes LPC32xx NAND MLC driver initialization on boot.
+
+Fixes: 8cb17b5ed017 ("irqchip: Add LPC32xx interrupt controller driver")
+Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
+Acked-by: Sylvain Lemieux <slemieux.tyco@gmail.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/lpc32xx_mlc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/lpc32xx_mlc.c
++++ b/drivers/mtd/nand/lpc32xx_mlc.c
+@@ -776,7 +776,7 @@ static int lpc32xx_nand_probe(struct pla
+ init_completion(&host->comp_controller);
+
+ host->irq = platform_get_irq(pdev, 0);
+- if ((host->irq < 0) || (host->irq >= NR_IRQS)) {
++ if (host->irq < 0) {
+ dev_err(&pdev->dev, "failed to get platform irq\n");
+ res = -EINVAL;
+ goto err_exit3;
--- /dev/null
+From 73529c872a189c747bdb528ce9b85b67b0e28dec Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Mon, 5 Dec 2016 22:14:36 +0100
+Subject: mtd: nand: xway: disable module support
+
+From: Hauke Mehrtens <hauke@hauke-m.de>
+
+commit 73529c872a189c747bdb528ce9b85b67b0e28dec upstream.
+
+The xway_nand driver accesses the ltq_ebu_membase symbol which is not
+exported. This also should not get exported and we should handle the
+EBU interface in a better way later. This quick fix just deactivated
+support for building as module.
+
+Fixes: 99f2b107924c ("mtd: lantiq: Add NAND support on Lantiq XWAY SoC.")
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/Kconfig
++++ b/drivers/mtd/nand/Kconfig
+@@ -537,7 +537,7 @@ config MTD_NAND_FSMC
+ Flexible Static Memory Controller (FSMC)
+
+ config MTD_NAND_XWAY
+- tristate "Support for NAND on Lantiq XWAY SoC"
++ bool "Support for NAND on Lantiq XWAY SoC"
+ depends on LANTIQ && SOC_TYPE_XWAY
+ help
+ Enables support for NAND Flash chips on Lantiq XWAY SoCs. NAND is attached
--- /dev/null
+From a2724663494f7313f53da10d8c0a729c5e3c4dea Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Mon, 5 Dec 2016 22:14:37 +0100
+Subject: mtd: nand: xway: fix build because of module functions
+
+From: Hauke Mehrtens <hauke@hauke-m.de>
+
+commit a2724663494f7313f53da10d8c0a729c5e3c4dea upstream.
+
+Remove the usage of modules functions to make this driver compile
+again. Otherwise an include of linux/modules.h would be needed.
+
+Fixes: 024366750c2e ("mtd: nand: xway: convert to normal platform driver")
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/xway_nand.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/mtd/nand/xway_nand.c
++++ b/drivers/mtd/nand/xway_nand.c
+@@ -232,7 +232,6 @@ static const struct of_device_id xway_na
+ { .compatible = "lantiq,nand-xway" },
+ {},
+ };
+-MODULE_DEVICE_TABLE(of, xway_nand_match);
+
+ static struct platform_driver xway_nand_driver = {
+ .probe = xway_nand_probe,
+@@ -243,6 +242,4 @@ static struct platform_driver xway_nand_
+ },
+ };
+
+-module_platform_driver(xway_nand_driver);
+-
+-MODULE_LICENSE("GPL");
++builtin_platform_driver(xway_nand_driver);
--- /dev/null
+From a782b5f986c3fa1cfa7f2b57941200c6a5809242 Mon Sep 17 00:00:00 2001
+From: Murali Karicheri <m-karicheri2@ti.com>
+Date: Wed, 4 Jan 2017 14:32:30 -0500
+Subject: PCI: designware: Check for iATU unroll only on platforms that use ATU
+
+From: Murali Karicheri <m-karicheri2@ti.com>
+
+commit a782b5f986c3fa1cfa7f2b57941200c6a5809242 upstream.
+
+Previously we checked for iATU unroll support by reading PCIE_ATU_VIEWPORT
+even on platforms, e.g., Keystone, that do not have ATU ports. This can
+cause bad behavior such as asynchronous external aborts:
+
+ OF: PCI: MEM 0x60000000..0x6fffffff -> 0x60000000
+ Unhandled fault: asynchronous external abort (0x1211) at 0x00000000
+ pgd = c0003000
+ [00000000] *pgd=80000800004003, *pmd=00000000
+ Internal error: : 1211 [#1] PREEMPT SMP ARM
+ Modules linked in:
+ CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.9.0-00009-g6ff59d2-dirty #7
+ Hardware name: Keystone
+ task: eb878000 task.stack: eb866000
+ PC is at dw_pcie_setup_rc+0x24/0x380
+ LR is at ks_pcie_host_init+0x10/0x170
+
+Move the dw_pcie_iatu_unroll_enabled() check so we only call it on
+platforms that do not use the ATU. These platforms supply their own
+->rd_other_conf() and ->wr_other_conf() methods.
+
+[bhelgaas: changelog]
+Fixes: a0601a470537 ("PCI: designware: Add iATU Unroll feature")
+Fixes: 416379f9ebde ("PCI: designware: Check for iATU unroll support after initializing host")
+Tested-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Murali Karicheri <m-karicheri2@ti.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-By: Joao Pinto <jpinto@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/host/pcie-designware.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/pci/host/pcie-designware.c
++++ b/drivers/pci/host/pcie-designware.c
+@@ -807,11 +807,6 @@ void dw_pcie_setup_rc(struct pcie_port *
+ {
+ u32 val;
+
+- /* get iATU unroll support */
+- pp->iatu_unroll_enabled = dw_pcie_iatu_unroll_enabled(pp);
+- dev_dbg(pp->dev, "iATU unroll: %s\n",
+- pp->iatu_unroll_enabled ? "enabled" : "disabled");
+-
+ /* set the number of lanes */
+ val = dw_pcie_readl_rc(pp, PCIE_PORT_LINK_CONTROL);
+ val &= ~PORT_LINK_MODE_MASK;
+@@ -882,6 +877,11 @@ void dw_pcie_setup_rc(struct pcie_port *
+ * we should not program the ATU here.
+ */
+ if (!pp->ops->rd_other_conf) {
++ /* get iATU unroll support */
++ pp->iatu_unroll_enabled = dw_pcie_iatu_unroll_enabled(pp);
++ dev_dbg(pp->dev, "iATU unroll: %s\n",
++ pp->iatu_unroll_enabled ? "enabled" : "disabled");
++
+ dw_pcie_prog_outbound_atu(pp, PCIE_ATU_REGION_INDEX0,
+ PCIE_ATU_TYPE_MEM, pp->mem_base,
+ pp->mem_bus_addr, pp->mem_size);
--- /dev/null
+From 51ebfc92b72b4f7dac1ab45683bf56741e454b8c Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Wed, 11 Jan 2017 09:11:53 -0600
+Subject: PCI: Enumerate switches below PCI-to-PCIe bridges
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+commit 51ebfc92b72b4f7dac1ab45683bf56741e454b8c upstream.
+
+A PCI-to-PCIe bridge (a "reverse bridge") has a PCI or PCI-X primary
+interface and a PCI Express secondary interface. The PCIe interface is a
+Downstream Port that originates a Link. See the "PCI Express to PCI/PCI-X
+Bridge Specification", rev 1.0, sections 1.2 and A.6.
+
+The bug report below involves a PCI-to-PCIe bridge and a PCIe switch below
+the bridge:
+
+ 00:1e.0 Intel 82801 PCI Bridge to [bus 01-0a]
+ 01:00.0 Pericom PI7C9X111SL PCIe-to-PCI Reversible Bridge to [bus 02-0a]
+ 02:00.0 Pericom Device 8608 [PCIe Upstream Port] to [bus 03-0a]
+ 03:01.0 Pericom Device 8608 [PCIe Downstream Port] to [bus 0a]
+
+01:00.0 is configured as a PCI-to-PCIe bridge (despite the name printed by
+lspci). As we traverse a PCIe hierarchy, device connections alternate
+between PCIe Links and internal Switch logic. Previously we did not
+recognize that 01:00.0 had a secondary link, so we thought the 02:00.0
+Upstream Port *did* have a secondary link. In fact, it's the other way
+around: 01:00.0 has a secondary link, and 02:00.0 has internal Switch logic
+on its secondary side.
+
+When we thought 02:00.0 had a secondary link, the pci_scan_slot() ->
+only_one_child() path assumed 02:00.0 could have only one child, so 03:00.0
+was the only possible downstream device. But 03:00.0 doesn't exist, so we
+didn't look for any other devices on bus 03.
+
+Booting with "pci=pcie_scan_all" is a workaround, but we don't want users
+to have to do that.
+
+Recognize that PCI-to-PCIe bridges originate links on their secondary
+interfaces.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=189361
+Fixes: d0751b98dfa3 ("PCI: Add dev->has_secondary_link to track downstream PCIe links")
+Tested-by: Blake Moore <blake.moore@men.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/probe.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1050,6 +1050,7 @@ void set_pcie_port_type(struct pci_dev *
+ pos = pci_find_capability(pdev, PCI_CAP_ID_EXP);
+ if (!pos)
+ return;
++
+ pdev->pcie_cap = pos;
+ pci_read_config_word(pdev, pos + PCI_EXP_FLAGS, ®16);
+ pdev->pcie_flags_reg = reg16;
+@@ -1057,13 +1058,14 @@ void set_pcie_port_type(struct pci_dev *
+ pdev->pcie_mpss = reg16 & PCI_EXP_DEVCAP_PAYLOAD;
+
+ /*
+- * A Root Port is always the upstream end of a Link. No PCIe
+- * component has two Links. Two Links are connected by a Switch
+- * that has a Port on each Link and internal logic to connect the
+- * two Ports.
++ * A Root Port or a PCI-to-PCIe bridge is always the upstream end
++ * of a Link. No PCIe component has two Links. Two Links are
++ * connected by a Switch that has a Port on each Link and internal
++ * logic to connect the two Ports.
+ */
+ type = pci_pcie_type(pdev);
+- if (type == PCI_EXP_TYPE_ROOT_PORT)
++ if (type == PCI_EXP_TYPE_ROOT_PORT ||
++ type == PCI_EXP_TYPE_PCIE_BRIDGE)
+ pdev->has_secondary_link = 1;
+ else if (type == PCI_EXP_TYPE_UPSTREAM ||
+ type == PCI_EXP_TYPE_DOWNSTREAM) {
--- /dev/null
+From 9728a7c8ab2f7a1c8d5c95278d2e4f4ac1285385 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Mon, 16 Jan 2017 11:58:53 -0600
+Subject: powerpc/icp-opal: Fix missing KVM case and harden replay
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit 9728a7c8ab2f7a1c8d5c95278d2e4f4ac1285385 upstream.
+
+The icp-opal call is missing the code from icp-native to recover
+interrupts snatched by KVM. Without that, when running KVM, we can
+get into a situation where an interrupt is lost and the CPU stuck
+with an elevated CPPR.
+
+Also harden replay by always checking the return from opal_int_eoi().
+
+Fixes: d74361881f0d ("powerpc/xics: Add ICP OPAL backend")
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/sysdev/xics/icp-opal.c | 31 ++++++++++++++++++++++++-------
+ 1 file changed, 24 insertions(+), 7 deletions(-)
+
+--- a/arch/powerpc/sysdev/xics/icp-opal.c
++++ b/arch/powerpc/sysdev/xics/icp-opal.c
+@@ -20,6 +20,7 @@
+ #include <asm/xics.h>
+ #include <asm/io.h>
+ #include <asm/opal.h>
++#include <asm/kvm_ppc.h>
+
+ static void icp_opal_teardown_cpu(void)
+ {
+@@ -39,7 +40,26 @@ static void icp_opal_flush_ipi(void)
+ * Should we be flagging idle loop instead?
+ * Or creating some task to be scheduled?
+ */
+- opal_int_eoi((0x00 << 24) | XICS_IPI);
++ if (opal_int_eoi((0x00 << 24) | XICS_IPI) > 0)
++ force_external_irq_replay();
++}
++
++static unsigned int icp_opal_get_xirr(void)
++{
++ unsigned int kvm_xirr;
++ __be32 hw_xirr;
++ int64_t rc;
++
++ /* Handle an interrupt latched by KVM first */
++ kvm_xirr = kvmppc_get_xics_latch();
++ if (kvm_xirr)
++ return kvm_xirr;
++
++ /* Then ask OPAL */
++ rc = opal_int_get_xirr(&hw_xirr, false);
++ if (rc < 0)
++ return 0;
++ return be32_to_cpu(hw_xirr);
+ }
+
+ static unsigned int icp_opal_get_irq(void)
+@@ -47,12 +67,8 @@ static unsigned int icp_opal_get_irq(voi
+ unsigned int xirr;
+ unsigned int vec;
+ unsigned int irq;
+- int64_t rc;
+
+- rc = opal_int_get_xirr(&xirr, false);
+- if (rc < 0)
+- return 0;
+- xirr = be32_to_cpu(xirr);
++ xirr = icp_opal_get_xirr();
+ vec = xirr & 0x00ffffff;
+ if (vec == XICS_IRQ_SPURIOUS)
+ return 0;
+@@ -67,7 +83,8 @@ static unsigned int icp_opal_get_irq(voi
+ xics_mask_unknown_vec(vec);
+
+ /* We might learn about it later, so EOI it */
+- opal_int_eoi(xirr);
++ if (opal_int_eoi(xirr) > 0)
++ force_external_irq_replay();
+
+ return 0;
+ }
--- /dev/null
+From 178f358208ceb8b38e5cff3f815e0db4a6a70a07 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Thu, 19 Jan 2017 14:19:10 +1100
+Subject: powerpc: Ignore reserved field in DCSR and PVR reads and writes
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 178f358208ceb8b38e5cff3f815e0db4a6a70a07 upstream.
+
+IBM bit 31 (for the rest of us - bit 0) is a reserved field in the
+instruction definition of mtspr and mfspr. Hardware is encouraged to
+(and does) ignore it.
+
+As a result, if userspace executes an mtspr DSCR with the reserved bit
+set, we get a DSCR facility unavailable exception. The kernel fails to
+match against the expected value/mask, and we silently return to
+userspace to try and re-execute the same mtspr DSCR instruction. We
+loop forever until the process is killed.
+
+We should do something here, and it seems mirroring what hardware does
+is the better option vs killing the process. While here, relax the
+matching of mfspr PVR too.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/ppc-opcode.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/powerpc/include/asm/ppc-opcode.h
++++ b/arch/powerpc/include/asm/ppc-opcode.h
+@@ -157,7 +157,7 @@
+ #define PPC_INST_MCRXR 0x7c000400
+ #define PPC_INST_MCRXR_MASK 0xfc0007fe
+ #define PPC_INST_MFSPR_PVR 0x7c1f42a6
+-#define PPC_INST_MFSPR_PVR_MASK 0xfc1fffff
++#define PPC_INST_MFSPR_PVR_MASK 0xfc1ffffe
+ #define PPC_INST_MFTMR 0x7c0002dc
+ #define PPC_INST_MSGSND 0x7c00019c
+ #define PPC_INST_MSGCLR 0x7c0001dc
+@@ -174,13 +174,13 @@
+ #define PPC_INST_RFDI 0x4c00004e
+ #define PPC_INST_RFMCI 0x4c00004c
+ #define PPC_INST_MFSPR_DSCR 0x7c1102a6
+-#define PPC_INST_MFSPR_DSCR_MASK 0xfc1fffff
++#define PPC_INST_MFSPR_DSCR_MASK 0xfc1ffffe
+ #define PPC_INST_MTSPR_DSCR 0x7c1103a6
+-#define PPC_INST_MTSPR_DSCR_MASK 0xfc1fffff
++#define PPC_INST_MTSPR_DSCR_MASK 0xfc1ffffe
+ #define PPC_INST_MFSPR_DSCR_USER 0x7c0302a6
+-#define PPC_INST_MFSPR_DSCR_USER_MASK 0xfc1fffff
++#define PPC_INST_MFSPR_DSCR_USER_MASK 0xfc1ffffe
+ #define PPC_INST_MTSPR_DSCR_USER 0x7c0303a6
+-#define PPC_INST_MTSPR_DSCR_USER_MASK 0xfc1fffff
++#define PPC_INST_MTSPR_DSCR_USER_MASK 0xfc1ffffe
+ #define PPC_INST_MFVSRD 0x7c000066
+ #define PPC_INST_MTVSRD 0x7c000166
+ #define PPC_INST_SLBFEE 0x7c0007a7
--- /dev/null
+From d89f473ff6f84872e761419f7233d6e00f99c340 Mon Sep 17 00:00:00 2001
+From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Date: Mon, 9 Jan 2017 19:00:15 +0530
+Subject: powerpc/perf: Fix PM_BRU_CMPL event code for power9
+
+From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+
+commit d89f473ff6f84872e761419f7233d6e00f99c340 upstream.
+
+Use 0x10012 event code for PM_BRU_CMPL event in power9 event list
+instead of current 0x40060.
+
+Fixes: 34922527a2bcb ('powerpc/perf: Add power9 event list macros for generic and cache events')
+Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/perf/power9-events-list.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/perf/power9-events-list.h
++++ b/arch/powerpc/perf/power9-events-list.h
+@@ -16,7 +16,7 @@ EVENT(PM_CYC, 0x0001e)
+ EVENT(PM_ICT_NOSLOT_CYC, 0x100f8)
+ EVENT(PM_CMPLU_STALL, 0x1e054)
+ EVENT(PM_INST_CMPL, 0x00002)
+-EVENT(PM_BRU_CMPL, 0x40060)
++EVENT(PM_BRU_CMPL, 0x10012)
+ EVENT(PM_BR_MPRED_CMPL, 0x400f6)
+
+ /* All L1 D cache load references counted at finish, gated by reject */
--- /dev/null
+From 99dfe80a2a246c600440a815741fd2e74a8b4977 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Thu, 5 Jan 2017 16:50:57 +0000
+Subject: powerpc/ptrace: Preserve previous fprs/vsrs on short regset write
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit 99dfe80a2a246c600440a815741fd2e74a8b4977 upstream.
+
+Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
+to fill all the registers, the thread's old registers are preserved.
+
+Fixes: c6e6771b87d4 ("powerpc: Introduce VSX thread_struct and CONFIG_VSX")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/ptrace.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/powerpc/kernel/ptrace.c
++++ b/arch/powerpc/kernel/ptrace.c
+@@ -463,6 +463,10 @@ static int fpr_set(struct task_struct *t
+
+ flush_fp_to_thread(target);
+
++ for (i = 0; i < 32 ; i++)
++ buf[i] = target->thread.TS_FPR(i);
++ buf[32] = target->thread.fp_state.fpscr;
++
+ /* copy to local buffer then write that out */
+ i = user_regset_copyin(&pos, &count, &kbuf, &ubuf, buf, 0, -1);
+ if (i)
+@@ -672,6 +676,9 @@ static int vsr_set(struct task_struct *t
+ flush_altivec_to_thread(target);
+ flush_vsx_to_thread(target);
+
++ for (i = 0; i < 32 ; i++)
++ buf[i] = target->thread.fp_state.fpr[i][TS_VSRLOWOFFSET];
++
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+ buf, 0, 32 * sizeof(double));
+ if (!ret)
--- /dev/null
+From b34ca60148c53971d373643195cc5c4d5d20be78 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Thu, 5 Jan 2017 16:50:57 +0000
+Subject: powerpc/ptrace: Preserve previous TM fprs/vsrs on short regset write
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit b34ca60148c53971d373643195cc5c4d5d20be78 upstream.
+
+Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
+to fill all the check pointed registers, the thread's old check pointed
+registers are preserved.
+
+Fixes: 9d3918f7c0e5 ("powerpc/ptrace: Enable support for NT_PPC_CVSX")
+Fixes: 19cbcbf75a0c ("powerpc/ptrace: Enable support for NT_PPC_CFPR")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/ptrace.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/powerpc/kernel/ptrace.c
++++ b/arch/powerpc/kernel/ptrace.c
+@@ -1026,6 +1026,10 @@ static int tm_cfpr_set(struct task_struc
+ flush_fp_to_thread(target);
+ flush_altivec_to_thread(target);
+
++ for (i = 0; i < 32; i++)
++ buf[i] = target->thread.TS_CKFPR(i);
++ buf[32] = target->thread.ckfp_state.fpscr;
++
+ /* copy to local buffer then write that out */
+ i = user_regset_copyin(&pos, &count, &kbuf, &ubuf, buf, 0, -1);
+ if (i)
+@@ -1290,6 +1294,9 @@ static int tm_cvsx_set(struct task_struc
+ flush_altivec_to_thread(target);
+ flush_vsx_to_thread(target);
+
++ for (i = 0; i < 32 ; i++)
++ buf[i] = target->thread.ckfp_state.fpr[i][TS_VSRLOWOFFSET];
++
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+ buf, 0, 32 * sizeof(double));
+ if (!ret)
--- /dev/null
+From fc1ffd6cb38a1c1af625b9833c41928039e733f5 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <quinn.tran@cavium.com>
+Date: Fri, 23 Dec 2016 18:06:10 -0800
+Subject: qla2xxx: Fix crash due to null pointer access
+
+From: Quinn Tran <quinn.tran@cavium.com>
+
+commit fc1ffd6cb38a1c1af625b9833c41928039e733f5 upstream.
+
+During code inspection, while investigating following stack trace
+seen on one of the test setup, we found out there was possibility
+of memory leak becuase driver was not unwinding the stack properly.
+
+This issue has not been reproduced in a test environment or on a
+customer setup.
+
+Here's stack trace that was seen.
+
+[1469877.797315] Call Trace:
+[1469877.799940] [<ffffffffa03ab6e9>] qla2x00_mem_alloc+0xb09/0x10c0 [qla2xxx]
+[1469877.806980] [<ffffffffa03ac50a>] qla2x00_probe_one+0x86a/0x1b50 [qla2xxx]
+[1469877.814013] [<ffffffff813b6d01>] ? __pm_runtime_resume+0x51/0xa0
+[1469877.820265] [<ffffffff8157c1f5>] ? _raw_spin_lock_irqsave+0x25/0x90
+[1469877.826776] [<ffffffff8157cd2d>] ? _raw_spin_unlock_irqrestore+0x6d/0x80
+[1469877.833720] [<ffffffff810741d1>] ? preempt_count_sub+0xb1/0x100
+[1469877.839885] [<ffffffff8157cd0c>] ? _raw_spin_unlock_irqrestore+0x4c/0x80
+[1469877.846830] [<ffffffff81319b9c>] local_pci_probe+0x4c/0xb0
+[1469877.852562] [<ffffffff810741d1>] ? preempt_count_sub+0xb1/0x100
+[1469877.858727] [<ffffffff81319c89>] pci_call_probe+0x89/0xb0
+
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+[ bvanassche: Fixed spelling in patch description ]
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -3489,7 +3489,7 @@ qla2x00_mem_alloc(struct qla_hw_data *ha
+ sizeof(struct ct6_dsd), 0,
+ SLAB_HWCACHE_ALIGN, NULL);
+ if (!ctx_cachep)
+- goto fail_free_gid_list;
++ goto fail_free_srb_mempool;
+ }
+ ha->ctx_mempool = mempool_create_slab_pool(SRB_MIN_REQ,
+ ctx_cachep);
+@@ -3642,7 +3642,7 @@ qla2x00_mem_alloc(struct qla_hw_data *ha
+ ha->loop_id_map = kzalloc(BITS_TO_LONGS(LOOPID_MAP_SIZE) * sizeof(long),
+ GFP_KERNEL);
+ if (!ha->loop_id_map)
+- goto fail_async_pd;
++ goto fail_loop_id_map;
+ else {
+ qla2x00_set_reserved_loop_ids(ha);
+ ql_dbg_pci(ql_dbg_init, ha->pdev, 0x0123,
+@@ -3651,6 +3651,8 @@ qla2x00_mem_alloc(struct qla_hw_data *ha
+
+ return 0;
+
++fail_loop_id_map:
++ dma_pool_free(ha->s_dma_pool, ha->async_pd, ha->async_pd_dma);
+ fail_async_pd:
+ dma_pool_free(ha->s_dma_pool, ha->ex_init_cb, ha->ex_init_cb_dma);
+ fail_ex_init_cb:
+@@ -3678,6 +3680,10 @@ fail_free_ms_iocb:
+ dma_pool_free(ha->s_dma_pool, ha->ms_iocb, ha->ms_iocb_dma);
+ ha->ms_iocb = NULL;
+ ha->ms_iocb_dma = 0;
++
++ if (ha->sns_cmd)
++ dma_free_coherent(&ha->pdev->dev, sizeof(struct sns_cmd_pkt),
++ ha->sns_cmd, ha->sns_cmd_dma);
+ fail_dma_pool:
+ if (IS_QLA82XX(ha) || ql2xenabledif) {
+ dma_pool_destroy(ha->fcp_cmnd_dma_pool);
+@@ -3695,10 +3701,12 @@ fail_free_nvram:
+ kfree(ha->nvram);
+ ha->nvram = NULL;
+ fail_free_ctx_mempool:
+- mempool_destroy(ha->ctx_mempool);
++ if (ha->ctx_mempool)
++ mempool_destroy(ha->ctx_mempool);
+ ha->ctx_mempool = NULL;
+ fail_free_srb_mempool:
+- mempool_destroy(ha->srb_mempool);
++ if (ha->srb_mempool)
++ mempool_destroy(ha->srb_mempool);
+ ha->srb_mempool = NULL;
+ fail_free_gid_list:
+ dma_free_coherent(&ha->pdev->dev, qla2x00_gid_list_size(ha),
rcu-remove-cond_resched-from-tiny-synchronize_sched.patch
rcu-narrow-early-boot-window-of-illegal-synchronous-grace-periods.patch
sunrpc-don-t-call-sleeping-functions-from-the-notifier-block-callbacks.patch
+svcrpc-don-t-leak-contexts-on-proc_destroy.patch
+libnvdimm-namespace-fix-pmem-namespace-leak-delete-when-size-set-to-zero.patch
+arc-module-fix-config_arc_dw2_unwind-builds.patch
+fuse-clear-fr_pending-flag-when-moving-requests-out-of-pending-queue.patch
+fuse-fix-time_to_jiffies-nsec-sanity-check.patch
+pci-designware-check-for-iatu-unroll-only-on-platforms-that-use-atu.patch
+pci-enumerate-switches-below-pci-to-pcie-bridges.patch
+hid-corsair-fix-dma-buffers-on-stack.patch
+hid-corsair-fix-control-transfer-error-handling.patch
+mmc-sdhci-acpi-only-powered-up-enabled-acpi-child-devices.patch
+mmc-mxs-mmc-fix-additional-cycles-after-transmission-stop.patch
+ieee802154-atusb-do-not-use-the-stack-for-buffers-to-make-them-dma-able.patch
+mtd-nand-lpc32xx-fix-invalid-error-handling-of-a-requested-irq.patch
+mtd-nand-xway-disable-module-support.patch
+mtd-nand-xway-fix-build-because-of-module-functions.patch
+kvm-s390-do-not-expose-random-data-via-facility-bitmap.patch
+kvm-arm-arm64-vgic-fix-deadlock-on-error-handling.patch
+powerpc-icp-opal-fix-missing-kvm-case-and-harden-replay.patch
+powerpc-perf-fix-pm_bru_cmpl-event-code-for-power9.patch
+powerpc-ptrace-preserve-previous-fprs-vsrs-on-short-regset-write.patch
+powerpc-ptrace-preserve-previous-tm-fprs-vsrs-on-short-regset-write.patch
+powerpc-ignore-reserved-field-in-dcsr-and-pvr-reads-and-writes.patch
+x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch
+qla2xxx-fix-crash-due-to-null-pointer-access.patch
+mac80211-implement-multicast-forwarding-on-fast-rx-path.patch
+ubifs-fix-journal-replay-wrt.-xattr-nodes.patch
+clocksource-exynos_mct-clear-interrupt-when-cpu-is-shut-down.patch
+svcrdma-avoid-duplicate-dma-unmapping-during-error-recovery.patch
+arm-8634-1-hw_breakpoint-blacklist-scorpion-cpus.patch
+ibmvscsis-fix-sleeping-in-interrupt-context.patch
+ibmvscsis-fix-max-transfer-length.patch
+ceph-fix-bad-endianness-handling-in-parse_reply_info_extra.patch
+arm-dts-omap5-dra7-indicate-that-sata-port-0-is-available.patch
+arm-dts-da850-evm-fix-read-access-to-spi-flash.patch
+arm64-avoid-returning-from-bad_mode.patch
+arm64-ptrace-preserve-previous-registers-for-short-regset-write.patch
+arm64-ptrace-preserve-previous-registers-for-short-regset-write-2.patch
+arm64-ptrace-preserve-previous-registers-for-short-regset-write-3.patch
+arm64-ptrace-avoid-uninitialised-struct-padding-in-fpr_set.patch
+arm64-ptrace-reject-attempts-to-set-incomplete-hardware-breakpoint-fields.patch
--- /dev/null
+From ce1ca7d2d140a1f4aaffd297ac487f246963dd2f Mon Sep 17 00:00:00 2001
+From: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
+Date: Mon, 9 Jan 2017 16:00:44 +0530
+Subject: svcrdma: avoid duplicate dma unmapping during error recovery
+
+From: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
+
+commit ce1ca7d2d140a1f4aaffd297ac487f246963dd2f upstream.
+
+In rdma_read_chunk_frmr() when ib_post_send() fails, the error code path
+invokes ib_dma_unmap_sg() to unmap the sg list. It then invokes
+svc_rdma_put_frmr() which in turn tries to unmap the same sg list through
+ib_dma_unmap_sg() again. This second unmap is invalid and could lead to
+problems when the iova being unmapped is subsequently reused. Remove
+the call to unmap in rdma_read_chunk_frmr() and let svc_rdma_put_frmr()
+handle it.
+
+Fixes: 412a15c0fe53 ("svcrdma: Port to new memory registration API")
+Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
+Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
++++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
+@@ -348,8 +348,6 @@ int rdma_read_chunk_frmr(struct svcxprt_
+ atomic_inc(&rdma_stat_read);
+ return ret;
+ err:
+- ib_dma_unmap_sg(xprt->sc_cm_id->device,
+- frmr->sg, frmr->sg_nents, frmr->direction);
+ svc_rdma_put_context(ctxt, 0);
+ svc_rdma_put_frmr(xprt, frmr);
+ return ret;
--- /dev/null
+From 78794d1890708cf94e3961261e52dcec2cc34722 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Mon, 9 Jan 2017 17:15:18 -0500
+Subject: svcrpc: don't leak contexts on PROC_DESTROY
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit 78794d1890708cf94e3961261e52dcec2cc34722 upstream.
+
+Context expiry times are in units of seconds since boot, not unix time.
+
+The use of get_seconds() here therefore sets the expiry time decades in
+the future. This prevents timely freeing of contexts destroyed by
+client RPC_GSS_PROC_DESTROY requests. We'd still free them eventually
+(when the module is unloaded or the container shut down), but a lot of
+contexts could pile up before then.
+
+Fixes: c5b29f885afe "sunrpc: use seconds since boot in expiry cache"
+Reported-by: Andy Adamson <andros@netapp.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/auth_gss/svcauth_gss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -1489,7 +1489,7 @@ svcauth_gss_accept(struct svc_rqst *rqst
+ case RPC_GSS_PROC_DESTROY:
+ if (gss_write_verf(rqstp, rsci->mechctx, gc->gc_seq))
+ goto auth_err;
+- rsci->h.expiry_time = get_seconds();
++ rsci->h.expiry_time = seconds_since_boot();
+ set_bit(CACHE_NEGATIVE, &rsci->h.flags);
+ if (resv->iov_len + 4 > PAGE_SIZE)
+ goto drop;
--- /dev/null
+From 1cb51a15b576ee325d527726afff40947218fd5e Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Tue, 10 Jan 2017 11:49:40 +0100
+Subject: ubifs: Fix journal replay wrt. xattr nodes
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 1cb51a15b576ee325d527726afff40947218fd5e upstream.
+
+When replaying the journal it can happen that a journal entry points to
+a garbage collected node.
+This is the case when a power-cut occurred between a garbage collect run
+and a commit. In such a case nodes have to be read using the failable
+read functions to detect whether the found node matches what we expect.
+
+One corner case was forgotten, when the journal contains an entry to
+remove an inode all xattrs have to be removed too. UBIFS models xattr
+like directory entries, so the TNC code iterates over
+all xattrs of the inode and removes them too. This code re-uses the
+functions for walking directories and calls ubifs_tnc_next_ent().
+ubifs_tnc_next_ent() expects to be used only after the journal and
+aborts when a node does not match the expected result. This behavior can
+render an UBIFS volume unmountable after a power-cut when xattrs are
+used.
+
+Fix this issue by using failable read functions in ubifs_tnc_next_ent()
+too when replaying the journal.
+Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
+Reported-by: Rock Lee <rockdotlee@gmail.com>
+Reviewed-by: David Gstir <david@sigma-star.at>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/tnc.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/fs/ubifs/tnc.c
++++ b/fs/ubifs/tnc.c
+@@ -34,6 +34,11 @@
+ #include <linux/slab.h>
+ #include "ubifs.h"
+
++static int try_read_node(const struct ubifs_info *c, void *buf, int type,
++ int len, int lnum, int offs);
++static int fallible_read_node(struct ubifs_info *c, const union ubifs_key *key,
++ struct ubifs_zbranch *zbr, void *node);
++
+ /*
+ * Returned codes of 'matches_name()' and 'fallible_matches_name()' functions.
+ * @NAME_LESS: name corresponding to the first argument is less than second
+@@ -402,7 +407,19 @@ static int tnc_read_node_nm(struct ubifs
+ return 0;
+ }
+
+- err = ubifs_tnc_read_node(c, zbr, node);
++ if (c->replaying) {
++ err = fallible_read_node(c, &zbr->key, zbr, node);
++ /*
++ * When the node was not found, return -ENOENT, 0 otherwise.
++ * Negative return codes stay as-is.
++ */
++ if (err == 0)
++ err = -ENOENT;
++ else if (err == 1)
++ err = 0;
++ } else {
++ err = ubifs_tnc_read_node(c, zbr, node);
++ }
+ if (err)
+ return err;
+
+@@ -2766,7 +2783,11 @@ struct ubifs_dent_node *ubifs_tnc_next_e
+ if (nm->name) {
+ if (err) {
+ /* Handle collisions */
+- err = resolve_collision(c, key, &znode, &n, nm);
++ if (c->replaying)
++ err = fallible_resolve_collision(c, key, &znode, &n,
++ nm, 0);
++ else
++ err = resolve_collision(c, key, &znode, &n, nm);
+ dbg_tnc("rc returned %d, znode %p, n %d",
+ err, znode, n);
+ if (unlikely(err < 0))
--- /dev/null
+From 020eb3daaba2857b32c4cf4c82f503d6a00a67de Mon Sep 17 00:00:00 2001
+From: Ruslan Ruslichenko <rruslich@cisco.com>
+Date: Tue, 17 Jan 2017 16:13:52 +0200
+Subject: x86/ioapic: Restore IO-APIC irq_chip retrigger callback
+
+From: Ruslan Ruslichenko <rruslich@cisco.com>
+
+commit 020eb3daaba2857b32c4cf4c82f503d6a00a67de upstream.
+
+commit d32932d02e18 removed the irq_retrigger callback from the IO-APIC
+chip and did not add it to the new IO-APIC-IR irq chip.
+
+Unfortunately the software resend fallback is not enabled on X86, so edge
+interrupts which are received during the lazy disabled state of the
+interrupt line are not retriggered and therefor lost.
+
+Restore the callbacks.
+
+[ tglx: Massaged changelog ]
+
+Fixes: d32932d02e18 ("x86/irq: Convert IOAPIC to use hierarchical irqdomain interfaces")
+Signed-off-by: Ruslan Ruslichenko <rruslich@cisco.com>
+Cc: xe-linux-external@cisco.com
+Link: http://lkml.kernel.org/r/1484662432-13580-1-git-send-email-rruslich@cisco.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/io_apic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -1876,6 +1876,7 @@ static struct irq_chip ioapic_chip __rea
+ .irq_ack = irq_chip_ack_parent,
+ .irq_eoi = ioapic_ack_level,
+ .irq_set_affinity = ioapic_set_affinity,
++ .irq_retrigger = irq_chip_retrigger_hierarchy,
+ .flags = IRQCHIP_SKIP_SET_WAKE,
+ };
+
+@@ -1887,6 +1888,7 @@ static struct irq_chip ioapic_ir_chip __
+ .irq_ack = irq_chip_ack_parent,
+ .irq_eoi = ioapic_ir_ack_level,
+ .irq_set_affinity = ioapic_set_affinity,
++ .irq_retrigger = irq_chip_retrigger_hierarchy,
+ .flags = IRQCHIP_SKIP_SET_WAKE,
+ };
+