--- /dev/null
+From a971df0b9d04674e325346c17de9a895425ca5e1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Sat, 28 Jan 2017 14:31:22 +0100
+Subject: bcma: use (get|put)_device when probing/removing device driver
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+commit a971df0b9d04674e325346c17de9a895425ca5e1 upstream.
+
+This allows tracking device state and e.g. makes devm work as expected.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bcma/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/bcma/main.c
++++ b/drivers/bcma/main.c
+@@ -640,8 +640,11 @@ static int bcma_device_probe(struct devi
+ drv);
+ int err = 0;
+
++ get_device(dev);
+ if (adrv->probe)
+ err = adrv->probe(core);
++ if (err)
++ put_device(dev);
+
+ return err;
+ }
+@@ -654,6 +657,7 @@ static int bcma_device_remove(struct dev
+
+ if (adrv->remove)
+ adrv->remove(core);
++ put_device(dev);
+
+ return 0;
+ }
--- /dev/null
+From 7c42631376306fb3f34d51fda546b50a9b6dd6ec Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Thu, 2 Mar 2017 12:03:40 +0100
+Subject: can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 7c42631376306fb3f34d51fda546b50a9b6dd6ec upstream.
+
+The priv->cmd_msg_buffer is allocated in the probe function, but never
+kfree()ed. This patch converts the kzalloc() to resource-managed
+kzalloc.
+
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/usb_8dev.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/can/usb/usb_8dev.c
++++ b/drivers/net/can/usb/usb_8dev.c
+@@ -954,8 +954,8 @@ static int usb_8dev_probe(struct usb_int
+ for (i = 0; i < MAX_TX_URBS; i++)
+ priv->tx_contexts[i].echo_index = MAX_TX_URBS;
+
+- priv->cmd_msg_buffer = kzalloc(sizeof(struct usb_8dev_cmd_msg),
+- GFP_KERNEL);
++ priv->cmd_msg_buffer = devm_kzalloc(&intf->dev, sizeof(struct usb_8dev_cmd_msg),
++ GFP_KERNEL);
+ if (!priv->cmd_msg_buffer)
+ goto cleanup_candev;
+
+@@ -969,7 +969,7 @@ static int usb_8dev_probe(struct usb_int
+ if (err) {
+ netdev_err(netdev,
+ "couldn't register CAN device: %d\n", err);
+- goto cleanup_cmd_msg_buffer;
++ goto cleanup_candev;
+ }
+
+ err = usb_8dev_cmd_version(priv, &version);
+@@ -990,9 +990,6 @@ static int usb_8dev_probe(struct usb_int
+ cleanup_unregister_candev:
+ unregister_netdev(priv->netdev);
+
+-cleanup_cmd_msg_buffer:
+- kfree(priv->cmd_msg_buffer);
+-
+ cleanup_candev:
+ free_candev(netdev);
+
--- /dev/null
+From adee40b265d7568296e218f079f478197ffa15bf Mon Sep 17 00:00:00 2001
+From: Magnus Lilja <lilja.magnus@gmail.com>
+Date: Wed, 21 Dec 2016 22:13:58 +0100
+Subject: dmaengine: ipu: Make sure the interrupt routine checks all interrupts.
+
+From: Magnus Lilja <lilja.magnus@gmail.com>
+
+commit adee40b265d7568296e218f079f478197ffa15bf upstream.
+
+Commit 3d8cc00073d6 ("dmaengine: ipu: Consolidate duplicated irq handlers")
+consolidated the two interrupts routines into one, but the remaining
+interrupt routine only checks the status of the error interrupts, not the
+normal interrupts.
+
+This patch fixes that problem (tested on i.MX31 PDK board).
+
+Fixes: 3d8cc00073d6 ("dmaengine: ipu: Consolidate duplicated irq handlers")
+Cc: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Magnus Lilja <lilja.magnus@gmail.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/ipu/ipu_irq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/ipu/ipu_irq.c
++++ b/drivers/dma/ipu/ipu_irq.c
+@@ -272,7 +272,7 @@ static void ipu_irq_handler(struct irq_d
+ u32 status;
+ int i, line;
+
+- for (i = IPU_IRQ_NR_FN_BANKS; i < IPU_IRQ_NR_BANKS; i++) {
++ for (i = 0; i < IPU_IRQ_NR_BANKS; i++) {
+ struct ipu_irq_bank *bank = irq_bank + i;
+
+ raw_spin_lock(&bank_lock);
--- /dev/null
+From d77044d142e960f7b5f814a91ecb8bcf86aa552c Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Thu, 22 Dec 2016 16:54:03 -0800
+Subject: Drivers: hv: util: Backup: Fix a rescind processing issue
+
+From: K. Y. Srinivasan <kys@microsoft.com>
+
+commit d77044d142e960f7b5f814a91ecb8bcf86aa552c upstream.
+
+VSS may use a char device to support the communication between
+the user level daemon and the driver. When the VSS channel is rescinded
+we need to make sure that the char device is fully cleaned up before
+we can process a new VSS offer from the host. Implement this logic.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/hv_snapshot.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/hv/hv_snapshot.c
++++ b/drivers/hv/hv_snapshot.c
+@@ -66,6 +66,7 @@ static int dm_reg_value;
+ static const char vss_devname[] = "vmbus/hv_vss";
+ static __u8 *recv_buffer;
+ static struct hvutil_transport *hvt;
++static struct completion release_event;
+
+ static void vss_send_op(struct work_struct *dummy);
+ static void vss_timeout_func(struct work_struct *dummy);
+@@ -326,11 +327,13 @@ static void vss_on_reset(void)
+ if (cancel_delayed_work_sync(&vss_timeout_work))
+ vss_respond_to_host(HV_E_FAIL);
+ vss_transaction.state = HVUTIL_DEVICE_INIT;
++ complete(&release_event);
+ }
+
+ int
+ hv_vss_init(struct hv_util_service *srv)
+ {
++ init_completion(&release_event);
+ if (vmbus_proto_version < VERSION_WIN8_1) {
+ pr_warn("Integration service 'Backup (volume snapshot)'"
+ " not supported on this host version.\n");
+@@ -360,4 +363,5 @@ void hv_vss_deinit(void)
+ cancel_delayed_work_sync(&vss_timeout_work);
+ cancel_work_sync(&vss_send_op_work);
+ hvutil_transport_destroy(hvt);
++ wait_for_completion(&release_event);
+ }
--- /dev/null
+From 20951c7535b5e6af46bc37b7142105f716df739c Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Thu, 22 Dec 2016 16:54:02 -0800
+Subject: Drivers: hv: util: Fcopy: Fix a rescind processing issue
+
+From: K. Y. Srinivasan <kys@microsoft.com>
+
+commit 20951c7535b5e6af46bc37b7142105f716df739c upstream.
+
+Fcopy may use a char device to support the communication between
+the user level daemon and the driver. When the Fcopy channel is rescinded
+we need to make sure that the char device is fully cleaned up before
+we can process a new Fcopy offer from the host. Implement this logic.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/hv_fcopy.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/hv/hv_fcopy.c
++++ b/drivers/hv/hv_fcopy.c
+@@ -61,6 +61,7 @@ static DECLARE_WORK(fcopy_send_work, fco
+ static const char fcopy_devname[] = "vmbus/hv_fcopy";
+ static u8 *recv_buffer;
+ static struct hvutil_transport *hvt;
++static struct completion release_event;
+ /*
+ * This state maintains the version number registered by the daemon.
+ */
+@@ -312,12 +313,14 @@ static void fcopy_on_reset(void)
+
+ if (cancel_delayed_work_sync(&fcopy_timeout_work))
+ fcopy_respond_to_host(HV_E_FAIL);
++ complete(&release_event);
+ }
+
+ int hv_fcopy_init(struct hv_util_service *srv)
+ {
+ recv_buffer = srv->recv_buffer;
+
++ init_completion(&release_event);
+ /*
+ * When this driver loads, the user level daemon that
+ * processes the host requests may not yet be running.
+@@ -339,4 +342,5 @@ void hv_fcopy_deinit(void)
+ fcopy_transaction.state = HVUTIL_DEVICE_DYING;
+ cancel_delayed_work_sync(&fcopy_timeout_work);
+ hvutil_transport_destroy(hvt);
++ wait_for_completion(&release_event);
+ }
--- /dev/null
+From 5a66fecbf6aa528e375cbebccb1061cc58d80c84 Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Thu, 22 Dec 2016 16:54:01 -0800
+Subject: Drivers: hv: util: kvp: Fix a rescind processing issue
+
+From: K. Y. Srinivasan <kys@microsoft.com>
+
+commit 5a66fecbf6aa528e375cbebccb1061cc58d80c84 upstream.
+
+KVP may use a char device to support the communication between
+the user level daemon and the driver. When the KVP channel is rescinded
+we need to make sure that the char device is fully cleaned up before
+we can process a new KVP offer from the host. Implement this logic.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/hv_kvp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/hv/hv_kvp.c
++++ b/drivers/hv/hv_kvp.c
+@@ -86,6 +86,7 @@ static DECLARE_WORK(kvp_sendkey_work, kv
+ static const char kvp_devname[] = "vmbus/hv_kvp";
+ static u8 *recv_buffer;
+ static struct hvutil_transport *hvt;
++static struct completion release_event;
+ /*
+ * Register the kernel component with the user-level daemon.
+ * As part of this registration, pass the LIC version number.
+@@ -682,6 +683,7 @@ static void kvp_on_reset(void)
+ if (cancel_delayed_work_sync(&kvp_timeout_work))
+ kvp_respond_to_host(NULL, HV_E_FAIL);
+ kvp_transaction.state = HVUTIL_DEVICE_INIT;
++ complete(&release_event);
+ }
+
+ int
+@@ -689,6 +691,7 @@ hv_kvp_init(struct hv_util_service *srv)
+ {
+ recv_buffer = srv->recv_buffer;
+
++ init_completion(&release_event);
+ /*
+ * When this driver loads, the user level daemon that
+ * processes the host requests may not yet be running.
+@@ -711,4 +714,5 @@ void hv_kvp_deinit(void)
+ cancel_delayed_work_sync(&kvp_timeout_work);
+ cancel_work_sync(&kvp_sendkey_work);
+ hvutil_transport_destroy(hvt);
++ wait_for_completion(&release_event);
+ }
--- /dev/null
+From f38e5fb95a1f8feda88531eedc98f69b24748712 Mon Sep 17 00:00:00 2001
+From: Andrew Price <anprice@redhat.com>
+Date: Wed, 22 Feb 2017 12:05:03 -0500
+Subject: gfs2: Add missing rcu locking for glock lookup
+
+From: Andrew Price <anprice@redhat.com>
+
+commit f38e5fb95a1f8feda88531eedc98f69b24748712 upstream.
+
+We must hold the rcu read lock across looking up glocks and trying to
+bump their refcount to prevent the glocks from being freed in between.
+
+Signed-off-by: Andrew Price <anprice@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/glock.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/gfs2/glock.c
++++ b/fs/gfs2/glock.c
+@@ -651,9 +651,11 @@ int gfs2_glock_get(struct gfs2_sbd *sdp,
+ struct kmem_cache *cachep;
+ int ret, tries = 0;
+
++ rcu_read_lock();
+ gl = rhashtable_lookup_fast(&gl_hash_table, &name, ht_parms);
+ if (gl && !lockref_get_not_dead(&gl->gl_lockref))
+ gl = NULL;
++ rcu_read_unlock();
+
+ *glp = gl;
+ if (gl)
+@@ -721,15 +723,18 @@ again:
+
+ if (ret == -EEXIST) {
+ ret = 0;
++ rcu_read_lock();
+ tmp = rhashtable_lookup_fast(&gl_hash_table, &name, ht_parms);
+ if (tmp == NULL || !lockref_get_not_dead(&tmp->gl_lockref)) {
+ if (++tries < 100) {
++ rcu_read_unlock();
+ cond_resched();
+ goto again;
+ }
+ tmp = NULL;
+ ret = -ENOMEM;
+ }
++ rcu_read_unlock();
+ } else {
+ WARN_ON_ONCE(ret);
+ }
--- /dev/null
+From 421b8f20d3c381b215f988b42428f56fc3b82405 Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Wed, 7 Dec 2016 01:16:25 -0800
+Subject: hv: allocate synic pages for all present CPUs
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+commit 421b8f20d3c381b215f988b42428f56fc3b82405 upstream.
+
+It may happen that not all CPUs are online when we do hv_synic_alloc() and
+in case more CPUs come online later we may try accessing these allocated
+structures.
+
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/hv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hv/hv.c
++++ b/drivers/hv/hv.c
+@@ -422,7 +422,7 @@ int hv_synic_alloc(void)
+ goto err;
+ }
+
+- for_each_online_cpu(cpu) {
++ for_each_present_cpu(cpu) {
+ hv_context.event_dpc[cpu] = kmalloc(size, GFP_ATOMIC);
+ if (hv_context.event_dpc[cpu] == NULL) {
+ pr_err("Unable to allocate event dpc\n");
+@@ -485,7 +485,7 @@ void hv_synic_free(void)
+ int cpu;
+
+ kfree(hv_context.hv_numa_map);
+- for_each_online_cpu(cpu)
++ for_each_present_cpu(cpu)
+ hv_synic_free_cpu(cpu);
+ }
+
--- /dev/null
+From 3c7630d35009e6635e5b58d62de554fd5b6db5df Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Wed, 7 Dec 2016 01:16:26 -0800
+Subject: hv: init percpu_list in hv_synic_alloc()
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+commit 3c7630d35009e6635e5b58d62de554fd5b6db5df upstream.
+
+Initializing hv_context.percpu_list in hv_synic_alloc() helps to prevent a
+crash in percpu_channel_enq() when not all CPUs were online during
+initialization and it naturally belongs there.
+
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/hv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hv/hv.c
++++ b/drivers/hv/hv.c
+@@ -461,6 +461,8 @@ int hv_synic_alloc(void)
+ pr_err("Unable to allocate post msg page\n");
+ goto err;
+ }
++
++ INIT_LIST_HEAD(&hv_context.percpu_list[cpu]);
+ }
+
+ return 0;
+@@ -555,8 +557,6 @@ void hv_synic_init(void *arg)
+ rdmsrl(HV_X64_MSR_VP_INDEX, vp_index);
+ hv_context.vp_index[cpu] = (u32)vp_index;
+
+- INIT_LIST_HEAD(&hv_context.percpu_list[cpu]);
+-
+ /*
+ * Register the per-cpu clockevent source.
+ */
--- /dev/null
+From 6a6e1d56a0769795a36c0461c64bf5e5b9bbb4c0 Mon Sep 17 00:00:00 2001
+From: Peter Rosin <peda@axentia.se>
+Date: Wed, 1 Feb 2017 21:40:57 +0100
+Subject: iio: pressure: mpl115: do not rely on structure field ordering
+
+From: Peter Rosin <peda@axentia.se>
+
+commit 6a6e1d56a0769795a36c0461c64bf5e5b9bbb4c0 upstream.
+
+Fixes a regression triggered by a change in the layout of
+struct iio_chan_spec, but the real bug is in the driver which assumed
+a specific structure layout in the first place. Hint: the three bits were
+not OR:ed together as implied by the indentation prior to this patch,
+there was a comma between the first two, which accidentally moved the
+..._SCALE and ..._OFFSET bits to the next structure field. That field
+was .info_mask_shared_by_type before the _available attributes was added
+by commit 51239600074b ("iio:core: add a callback to allow drivers to
+provide _available attributes") and .info_mask_separate_available
+afterwards, and the regression happened.
+
+info_mask_shared_by_type is actually a better choice than the originally
+intended info_mask_separate for the ..._SCALE and ..._OFFSET bits since
+a constant is returned from mpl115_read_raw for the scale/offset. Using
+info_mask_shared_by_type also preserves the behavior from before the
+regression and is therefore less likely to cause other interesting side
+effects.
+
+The above mentioned regression causes unintended sysfs attibutes to
+show up that are not backed by code, in turn causing a NULL pointer
+defererence to happen on access.
+
+Fixes: 3017d90e8931 ("iio: Add Freescale MPL115A2 pressure / temperature sensor driver")
+Fixes: 51239600074b ("iio:core: add a callback to allow drivers to provide _available attributes")
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/pressure/mpl115.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/pressure/mpl115.c
++++ b/drivers/iio/pressure/mpl115.c
+@@ -136,6 +136,7 @@ static const struct iio_chan_spec mpl115
+ {
+ .type = IIO_TEMP,
+ .info_mask_separate = BIT(IIO_CHAN_INFO_RAW),
++ .info_mask_shared_by_type =
+ BIT(IIO_CHAN_INFO_OFFSET) | BIT(IIO_CHAN_INFO_SCALE),
+ },
+ };
--- /dev/null
+From 9cf6cdba586ced75c69b8314b88b2d2f5ce9b3ed Mon Sep 17 00:00:00 2001
+From: Peter Rosin <peda@axentia.se>
+Date: Wed, 1 Feb 2017 21:40:56 +0100
+Subject: iio: pressure: mpl3115: do not rely on structure field ordering
+
+From: Peter Rosin <peda@axentia.se>
+
+commit 9cf6cdba586ced75c69b8314b88b2d2f5ce9b3ed upstream.
+
+Fixes a regression triggered by a change in the layout of
+struct iio_chan_spec, but the real bug is in the driver which assumed
+a specific structure layout in the first place. Hint: the two bits were
+not OR:ed together as implied by the indentation prior to this patch,
+there was a comma between them, which accidentally moved the ..._SCALE
+bit to the next structure field. That field was .info_mask_shared_by_type
+before the _available attributes was added by commit 51239600074b
+("iio:core: add a callback to allow drivers to provide _available
+attributes") and .info_mask_separate_available afterwards, and the
+regression happened.
+
+info_mask_shared_by_type is actually a better choice than the originally
+intended info_mask_separate for the ..._SCALE bit since a constant is
+returned from mpl3115_read_raw for the scale. Using
+info_mask_shared_by_type also preserves the behavior from before the
+regression and is therefore less likely to cause other interesting side
+effects.
+
+The above mentioned regression causes an unintended sysfs attibute to
+show up that is not backed by code, in turn causing the following NULL
+pointer defererence to happen on access.
+
+Segmentation fault
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000000
+pgd = ecc3c000
+[00000000] *pgd=87f91831
+Internal error: Oops: 80000007 [#1] SMP ARM
+Modules linked in:
+CPU: 1 PID: 1051 Comm: cat Not tainted 4.10.0-rc5-00009-gffd8858-dirty #3
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+task: ed54ec00 task.stack: ee2bc000
+PC is at 0x0
+LR is at iio_read_channel_info_avail+0x40/0x280
+pc : [<00000000>] lr : [<c06fbc1c>] psr: a0070013
+sp : ee2bdda8 ip : 00000000 fp : ee2bddf4
+r10: c0a53c74 r9 : ed79f000 r8 : ee8d1018
+r7 : 00001000 r6 : 00000fff r5 : ee8b9a00 r4 : ed79f000
+r3 : ee2bddc4 r2 : ee2bddbc r1 : c0a86dcc r0 : ee8d1000
+Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+Control: 10c5387d Table: 3cc3c04a DAC: 00000051
+Process cat (pid: 1051, stack limit = 0xee2bc210)
+Stack: (0xee2bdda8 to 0xee2be000)
+dda0: ee2bddc0 00000002 c016d720 c016d394 ed54ec00 00000000
+ddc0: 60070013 ed413780 00000001 edffd480 ee8b9a00 00000fff 00001000 ee8d1018
+dde0: ed79f000 c0a53c74 ee2bde0c ee2bddf8 c0513c58 c06fbbe8 edffd480 edffd540
+de00: ee2bde3c ee2bde10 c0293474 c0513c40 c02933e4 ee2bde60 00000001 ed413780
+de20: 00000001 ed413780 00000000 edffd480 ee2bde4c ee2bde40 c0291d00 c02933f0
+de40: ee2bde9c ee2bde50 c024679c c0291ce0 edffd4b0 b6e37000 00020000 ee2bdf78
+de60: 00000000 00000000 ed54ec00 ed013200 00000817 c0a111fc edffd540 ed413780
+de80: b6e37000 00020000 00020000 ee2bdf78 ee2bded4 ee2bdea0 c0292890 c0246604
+dea0: c0117940 c016ba50 00000025 c0a111fc b6e37000 ed413780 ee2bdf78 00020000
+dec0: ee2bc000 b6e37000 ee2bdf44 ee2bded8 c021d158 c0292770 c0117764 b6e36004
+dee0: c0f0d7c4 ee2bdfb0 b6f89228 00021008 ee2bdfac ee2bdf00 c0101374 c0117770
+df00: 00000000 00000000 ee2bc000 00000000 ee2bdf34 ee2bdf20 c016ba04 c0171080
+df20: 00000000 00020000 ed413780 b6e37000 00000000 ee2bdf78 ee2bdf74 ee2bdf48
+df40: c021e7a0 c021d130 c023e300 c023e280 ee2bdf74 00000000 00000000 ed413780
+df60: ed413780 00020000 ee2bdfa4 ee2bdf78 c021e870 c021e71c 00000000 00000000
+df80: 00020000 00020000 b6e37000 00000003 c0108084 00000000 00000000 ee2bdfa8
+dfa0: c0107ee0 c021e838 00020000 00020000 00000003 b6e37000 00020000 0001a2b4
+dfc0: 00020000 00020000 b6e37000 00000003 7fffe000 00000000 00000000 00020000
+dfe0: 00000000 be98eb4c 0000c740 b6f1985c 60070010 00000003 00000000 00000000
+Backtrace:
+[<c06fbbdc>] (iio_read_channel_info_avail) from [<c0513c58>] (dev_attr_show+0x24/0x50)
+ r10:c0a53c74 r9:ed79f000 r8:ee8d1018 r7:00001000 r6:00000fff r5:ee8b9a00
+ r4:edffd480
+[<c0513c34>] (dev_attr_show) from [<c0293474>] (sysfs_kf_seq_show+0x90/0x110)
+ r5:edffd540 r4:edffd480
+[<c02933e4>] (sysfs_kf_seq_show) from [<c0291d00>] (kernfs_seq_show+0x2c/0x30)
+ r10:edffd480 r9:00000000 r8:ed413780 r7:00000001 r6:ed413780 r5:00000001
+ r4:ee2bde60 r3:c02933e4
+[<c0291cd4>] (kernfs_seq_show) from [<c024679c>] (seq_read+0x1a4/0x4e0)
+[<c02465f8>] (seq_read) from [<c0292890>] (kernfs_fop_read+0x12c/0x1cc)
+ r10:ee2bdf78 r9:00020000 r8:00020000 r7:b6e37000 r6:ed413780 r5:edffd540
+ r4:c0a111fc
+[<c0292764>] (kernfs_fop_read) from [<c021d158>] (__vfs_read+0x34/0x118)
+ r10:b6e37000 r9:ee2bc000 r8:00020000 r7:ee2bdf78 r6:ed413780 r5:b6e37000
+ r4:c0a111fc
+[<c021d124>] (__vfs_read) from [<c021e7a0>] (vfs_read+0x90/0x11c)
+ r8:ee2bdf78 r7:00000000 r6:b6e37000 r5:ed413780 r4:00020000
+[<c021e710>] (vfs_read) from [<c021e870>] (SyS_read+0x44/0x90)
+ r8:00020000 r7:ed413780 r6:ed413780 r5:00000000 r4:00000000
+[<c021e82c>] (SyS_read) from [<c0107ee0>] (ret_fast_syscall+0x0/0x1c)
+ r10:00000000 r8:c0108084 r7:00000003 r6:b6e37000 r5:00020000 r4:00020000
+Code: bad PC value
+---[ end trace 9c4938ccd0389004 ]---
+
+Fixes: cc26ad455f57 ("iio: Add Freescale MPL3115A2 pressure / temperature sensor driver")
+Fixes: 51239600074b ("iio:core: add a callback to allow drivers to provide _available attributes")
+Reported-by: Ken Lin <ken.lin@advantech.com>
+Tested-by: Ken Lin <ken.lin@advantech.com>
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/pressure/mpl3115.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/pressure/mpl3115.c
++++ b/drivers/iio/pressure/mpl3115.c
+@@ -182,7 +182,7 @@ static const struct iio_chan_spec mpl311
+ {
+ .type = IIO_PRESSURE,
+ .info_mask_separate = BIT(IIO_CHAN_INFO_RAW),
+- BIT(IIO_CHAN_INFO_SCALE),
++ .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE),
+ .scan_index = 0,
+ .scan_type = {
+ .sign = 'u',
+@@ -195,7 +195,7 @@ static const struct iio_chan_spec mpl311
+ {
+ .type = IIO_TEMP,
+ .info_mask_separate = BIT(IIO_CHAN_INFO_RAW),
+- BIT(IIO_CHAN_INFO_SCALE),
++ .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE),
+ .scan_index = 1,
+ .scan_type = {
+ .sign = 's',
--- /dev/null
+From 03a9e24ef2aaa5f1f9837356aed79c860521407a Mon Sep 17 00:00:00 2001
+From: "colyli@suse.de" <colyli@suse.de>
+Date: Sat, 28 Jan 2017 21:11:49 +0800
+Subject: md linear: fix a race between linear_add() and linear_congested()
+
+From: colyli@suse.de <colyli@suse.de>
+
+commit 03a9e24ef2aaa5f1f9837356aed79c860521407a upstream.
+
+Recently I receive a bug report that on Linux v3.0 based kerenl, hot add
+disk to a md linear device causes kernel crash at linear_congested(). From
+the crash image analysis, I find in linear_congested(), mddev->raid_disks
+contains value N, but conf->disks[] only has N-1 pointers available. Then
+a NULL pointer deference crashes the kernel.
+
+There is a race between linear_add() and linear_congested(), RCU stuffs
+used in these two functions cannot avoid the race. Since Linuv v4.0
+RCU code is replaced by introducing mddev_suspend(). After checking the
+upstream code, it seems linear_congested() is not called in
+generic_make_request() code patch, so mddev_suspend() cannot provent it
+from being called. The possible race still exists.
+
+Here I explain how the race still exists in current code. For a machine
+has many CPUs, on one CPU, linear_add() is called to add a hard disk to a
+md linear device; at the same time on other CPU, linear_congested() is
+called to detect whether this md linear device is congested before issuing
+an I/O request onto it.
+
+Now I use a possible code execution time sequence to demo how the possible
+race happens,
+
+seq linear_add() linear_congested()
+ 0 conf=mddev->private
+ 1 oldconf=mddev->private
+ 2 mddev->raid_disks++
+ 3 for (i=0; i<mddev->raid_disks;i++)
+ 4 bdev_get_queue(conf->disks[i].rdev->bdev)
+ 5 mddev->private=newconf
+
+In linear_add() mddev->raid_disks is increased in time seq 2, and on
+another CPU in linear_congested() the for-loop iterates conf->disks[i] by
+the increased mddev->raid_disks in time seq 3,4. But conf with one more
+element (which is a pointer to struct dev_info type) to conf->disks[] is
+not updated yet, accessing its structure member in time seq 4 will cause a
+NULL pointer deference fault.
+
+To fix this race, there are 2 parts of modification in the patch,
+ 1) Add 'int raid_disks' in struct linear_conf, as a copy of
+ mddev->raid_disks. It is initialized in linear_conf(), always being
+ consistent with pointers number of 'struct dev_info disks[]'. When
+ iterating conf->disks[] in linear_congested(), use conf->raid_disks to
+ replace mddev->raid_disks in the for-loop, then NULL pointer deference
+ will not happen again.
+ 2) RCU stuffs are back again, and use kfree_rcu() in linear_add() to
+ free oldconf memory. Because oldconf may be referenced as mddev->private
+ in linear_congested(), kfree_rcu() makes sure that its memory will not
+ be released until no one uses it any more.
+Also some code comments are added in this patch, to make this modification
+to be easier understandable.
+
+This patch can be applied for kernels since v4.0 after commit:
+3be260cc18f8 ("md/linear: remove rcu protections in favour of
+suspend/resume"). But this bug is reported on Linux v3.0 based kernel, for
+people who maintain kernels before Linux v4.0, they need to do some back
+back port to this patch.
+
+Changelog:
+ - V3: add 'int raid_disks' in struct linear_conf, and use kfree_rcu() to
+ replace rcu_call() in linear_add().
+ - v2: add RCU stuffs by suggestion from Shaohua and Neil.
+ - v1: initial effort.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Cc: Shaohua Li <shli@fb.com>
+Cc: Neil Brown <neilb@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/linear.c | 39 ++++++++++++++++++++++++++++++++++-----
+ drivers/md/linear.h | 1 +
+ 2 files changed, 35 insertions(+), 5 deletions(-)
+
+--- a/drivers/md/linear.c
++++ b/drivers/md/linear.c
+@@ -52,18 +52,26 @@ static inline struct dev_info *which_dev
+ return conf->disks + lo;
+ }
+
++/*
++ * In linear_congested() conf->raid_disks is used as a copy of
++ * mddev->raid_disks to iterate conf->disks[], because conf->raid_disks
++ * and conf->disks[] are created in linear_conf(), they are always
++ * consitent with each other, but mddev->raid_disks does not.
++ */
+ static int linear_congested(struct mddev *mddev, int bits)
+ {
+ struct linear_conf *conf;
+ int i, ret = 0;
+
+- conf = mddev->private;
++ rcu_read_lock();
++ conf = rcu_dereference(mddev->private);
+
+- for (i = 0; i < mddev->raid_disks && !ret ; i++) {
++ for (i = 0; i < conf->raid_disks && !ret ; i++) {
+ struct request_queue *q = bdev_get_queue(conf->disks[i].rdev->bdev);
+ ret |= bdi_congested(&q->backing_dev_info, bits);
+ }
+
++ rcu_read_unlock();
+ return ret;
+ }
+
+@@ -143,6 +151,19 @@ static struct linear_conf *linear_conf(s
+ conf->disks[i-1].end_sector +
+ conf->disks[i].rdev->sectors;
+
++ /*
++ * conf->raid_disks is copy of mddev->raid_disks. The reason to
++ * keep a copy of mddev->raid_disks in struct linear_conf is,
++ * mddev->raid_disks may not be consistent with pointers number of
++ * conf->disks[] when it is updated in linear_add() and used to
++ * iterate old conf->disks[] earray in linear_congested().
++ * Here conf->raid_disks is always consitent with number of
++ * pointers in conf->disks[] array, and mddev->private is updated
++ * with rcu_assign_pointer() in linear_addr(), such race can be
++ * avoided.
++ */
++ conf->raid_disks = raid_disks;
++
+ return conf;
+
+ out:
+@@ -195,15 +216,23 @@ static int linear_add(struct mddev *mdde
+ if (!newconf)
+ return -ENOMEM;
+
++ /* newconf->raid_disks already keeps a copy of * the increased
++ * value of mddev->raid_disks, WARN_ONCE() is just used to make
++ * sure of this. It is possible that oldconf is still referenced
++ * in linear_congested(), therefore kfree_rcu() is used to free
++ * oldconf until no one uses it anymore.
++ */
+ mddev_suspend(mddev);
+- oldconf = mddev->private;
++ oldconf = rcu_dereference(mddev->private);
+ mddev->raid_disks++;
+- mddev->private = newconf;
++ WARN_ONCE(mddev->raid_disks != newconf->raid_disks,
++ "copied raid_disks doesn't match mddev->raid_disks");
++ rcu_assign_pointer(mddev->private, newconf);
+ md_set_array_sectors(mddev, linear_size(mddev, 0, 0));
+ set_capacity(mddev->gendisk, mddev->array_sectors);
+ mddev_resume(mddev);
+ revalidate_disk(mddev->gendisk);
+- kfree(oldconf);
++ kfree_rcu(oldconf, rcu);
+ return 0;
+ }
+
+--- a/drivers/md/linear.h
++++ b/drivers/md/linear.h
+@@ -10,6 +10,7 @@ struct linear_conf
+ {
+ struct rcu_head rcu;
+ sector_t array_sectors;
++ int raid_disks; /* a copy of mddev->raid_disks */
+ struct dev_info disks[0];
+ };
+ #endif
--- /dev/null
+From 758e99fefe1d9230111296956335cd35995c0eaf Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Mon, 20 Feb 2017 17:04:42 -0500
+Subject: nfsd: minor nfsd_setattr cleanup
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 758e99fefe1d9230111296956335cd35995c0eaf upstream.
+
+Simplify exit paths, size_change use.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/vfs.c | 29 ++++++++++++-----------------
+ 1 file changed, 12 insertions(+), 17 deletions(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -369,7 +369,7 @@ nfsd_setattr(struct svc_rqst *rqstp, str
+ __be32 err;
+ int host_err;
+ bool get_write_count;
+- int size_change = 0;
++ bool size_change = (iap->ia_valid & ATTR_SIZE);
+
+ if (iap->ia_valid & (ATTR_ATIME | ATTR_MTIME | ATTR_SIZE))
+ accmode |= NFSD_MAY_WRITE|NFSD_MAY_OWNER_OVERRIDE;
+@@ -382,11 +382,11 @@ nfsd_setattr(struct svc_rqst *rqstp, str
+ /* Get inode */
+ err = fh_verify(rqstp, fhp, ftype, accmode);
+ if (err)
+- goto out;
++ return err;
+ if (get_write_count) {
+ host_err = fh_want_write(fhp);
+ if (host_err)
+- return nfserrno(host_err);
++ goto out;
+ }
+
+ dentry = fhp->fh_dentry;
+@@ -397,19 +397,21 @@ nfsd_setattr(struct svc_rqst *rqstp, str
+ iap->ia_valid &= ~ATTR_MODE;
+
+ if (!iap->ia_valid)
+- goto out;
++ return 0;
+
+ nfsd_sanitize_attrs(inode, iap);
+
++ if (check_guard && guardtime != inode->i_ctime.tv_sec)
++ return nfserr_notsync;
++
+ /*
+ * The size case is special, it changes the file in addition to the
+ * attributes.
+ */
+- if (iap->ia_valid & ATTR_SIZE) {
++ if (size_change) {
+ err = nfsd_get_write_access(rqstp, fhp, iap);
+ if (err)
+- goto out;
+- size_change = 1;
++ return err;
+
+ /*
+ * RFC5661, Section 18.30.4:
+@@ -424,23 +426,16 @@ nfsd_setattr(struct svc_rqst *rqstp, str
+
+ iap->ia_valid |= ATTR_CTIME;
+
+- if (check_guard && guardtime != inode->i_ctime.tv_sec) {
+- err = nfserr_notsync;
+- goto out_put_write_access;
+- }
+-
+ fh_lock(fhp);
+ host_err = notify_change(dentry, iap, NULL);
+ fh_unlock(fhp);
+- err = nfserrno(host_err);
+
+-out_put_write_access:
+ if (size_change)
+ put_write_access(inode);
+- if (!err)
+- err = nfserrno(commit_metadata(fhp));
+ out:
+- return err;
++ if (!host_err)
++ host_err = commit_metadata(fhp);
++ return nfserrno(host_err);
+ }
+
+ #if defined(CONFIG_NFSD_V4)
--- /dev/null
+From 783112f7401ff449d979530209b3f6c2594fdb4e Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Mon, 20 Feb 2017 07:21:33 +0100
+Subject: nfsd: special case truncates some more
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 783112f7401ff449d979530209b3f6c2594fdb4e upstream.
+
+Both the NFS protocols and the Linux VFS use a setattr operation with a
+bitmap of attributes to set to set various file attributes including the
+file size and the uid/gid.
+
+The Linux syscalls never mix size updates with unrelated updates like
+the uid/gid, and some file systems like XFS and GFS2 rely on the fact
+that truncates don't update random other attributes, and many other file
+systems handle the case but do not update the other attributes in the
+same transaction. NFSD on the other hand passes the attributes it gets
+on the wire more or less directly through to the VFS, leading to updates
+the file systems don't expect. XFS at least has an assert on the
+allowed attributes, which caught an unusual NFS client setting the size
+and group at the same time.
+
+To handle this issue properly this splits the notify_change call in
+nfsd_setattr into two separate ones.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Tested-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/vfs.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -406,13 +406,19 @@ nfsd_setattr(struct svc_rqst *rqstp, str
+
+ /*
+ * The size case is special, it changes the file in addition to the
+- * attributes.
++ * attributes, and file systems don't expect it to be mixed with
++ * "random" attribute changes. We thus split out the size change
++ * into a separate call to ->setattr, and do the rest as a separate
++ * setattr call.
+ */
+ if (size_change) {
+ err = nfsd_get_write_access(rqstp, fhp, iap);
+ if (err)
+ return err;
++ }
+
++ fh_lock(fhp);
++ if (size_change) {
+ /*
+ * RFC5661, Section 18.30.4:
+ * Changing the size of a file with SETATTR indirectly
+@@ -420,16 +426,30 @@ nfsd_setattr(struct svc_rqst *rqstp, str
+ *
+ * (and similar for the older RFCs)
+ */
+- if (iap->ia_size != i_size_read(inode))
+- iap->ia_valid |= ATTR_MTIME;
++ struct iattr size_attr = {
++ .ia_valid = ATTR_SIZE | ATTR_CTIME | ATTR_MTIME,
++ .ia_size = iap->ia_size,
++ };
++
++ host_err = notify_change(dentry, &size_attr, NULL);
++ if (host_err)
++ goto out_unlock;
++ iap->ia_valid &= ~ATTR_SIZE;
++
++ /*
++ * Avoid the additional setattr call below if the only other
++ * attribute that the client sends is the mtime, as we update
++ * it as part of the size change above.
++ */
++ if ((iap->ia_valid & ~ATTR_MTIME) == 0)
++ goto out_unlock;
+ }
+
+ iap->ia_valid |= ATTR_CTIME;
+-
+- fh_lock(fhp);
+ host_err = notify_change(dentry, iap, NULL);
+- fh_unlock(fhp);
+
++out_unlock:
++ fh_unlock(fhp);
+ if (size_change)
+ put_write_access(inode);
+ out:
--- /dev/null
+From ed92d8c137b7794c2c2aa14479298b9885967607 Mon Sep 17 00:00:00 2001
+From: Weston Andros Adamson <dros@primarydata.com>
+Date: Thu, 23 Feb 2017 14:54:21 -0500
+Subject: NFSv4: fix getacl ERANGE for some ACL buffer sizes
+
+From: Weston Andros Adamson <dros@primarydata.com>
+
+commit ed92d8c137b7794c2c2aa14479298b9885967607 upstream.
+
+We're not taking into account that the space needed for the (variable
+length) attr bitmap, with the result that we'd sometimes get a spurious
+ERANGE when the ACL data got close to the end of a page.
+
+Just add in an extra page to make sure.
+
+Signed-off-by: Weston Andros Adamson <dros@primarydata.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -4711,7 +4711,7 @@ out:
+ */
+ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
+ {
+- struct page *pages[NFS4ACL_MAXPAGES] = {NULL, };
++ struct page *pages[NFS4ACL_MAXPAGES + 1] = {NULL, };
+ struct nfs_getaclargs args = {
+ .fh = NFS_FH(inode),
+ .acl_pages = pages,
+@@ -4725,13 +4725,9 @@ static ssize_t __nfs4_get_acl_uncached(s
+ .rpc_argp = &args,
+ .rpc_resp = &res,
+ };
+- unsigned int npages = DIV_ROUND_UP(buflen, PAGE_SIZE);
++ unsigned int npages = DIV_ROUND_UP(buflen, PAGE_SIZE) + 1;
+ int ret = -ENOMEM, i;
+
+- /* As long as we're doing a round trip to the server anyway,
+- * let's be prepared for a page of acl data. */
+- if (npages == 0)
+- npages = 1;
+ if (npages > ARRAY_SIZE(pages))
+ return -ERANGE;
+
--- /dev/null
+From 6682c14bbe505a8b912c57faf544f866777ee48d Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Thu, 23 Feb 2017 14:53:39 -0500
+Subject: NFSv4: fix getacl head length estimation
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit 6682c14bbe505a8b912c57faf544f866777ee48d upstream.
+
+Bitmap and attrlen follow immediately after the op reply header. This
+was an oversight from commit bf118a342f.
+
+Consequences of this are just minor efficiency (extra calls to
+xdr_shrink_bufhead).
+
+Fixes: bf118a342f10 "NFSv4: include bitmap in nfsv4 get acl data"
+Reviewed-by: Kinglong Mee <kinglongmee@gmail.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4xdr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4xdr.c
++++ b/fs/nfs/nfs4xdr.c
+@@ -2487,7 +2487,7 @@ static void nfs4_xdr_enc_getacl(struct r
+ encode_compound_hdr(xdr, req, &hdr);
+ encode_sequence(xdr, &args->seq_args, &hdr);
+ encode_putfh(xdr, args->fh, &hdr);
+- replen = hdr.replen + op_decode_hdr_maxsz + 1;
++ replen = hdr.replen + op_decode_hdr_maxsz;
+ encode_getattr_two(xdr, FATTR4_WORD0_ACL, 0, &hdr);
+
+ xdr_inline_pages(&req->rq_rcv_buf, replen << 2,
--- /dev/null
+From a974deee477af89411e0f80456bfb344ac433c98 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Wed, 8 Feb 2017 11:29:46 -0500
+Subject: NFSv4: Fix memory and state leak in _nfs4_open_and_get_state
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit a974deee477af89411e0f80456bfb344ac433c98 upstream.
+
+If we exit because the file access check failed, we currently
+leak the struct nfs4_state. We need to attach it to the
+open context before returning.
+
+Fixes: 3efb9722475e ("NFSv4: Refactor _nfs4_open_and_get_state..")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -2452,6 +2452,7 @@ static int _nfs4_open_and_get_state(stru
+ ret = PTR_ERR(state);
+ if (IS_ERR(state))
+ goto out;
++ ctx->state = state;
+ if (server->caps & NFS_CAP_POSIX_LOCK)
+ set_bit(NFS_STATE_POSIX_LOCKS, &state->flags);
+
+@@ -2474,7 +2475,6 @@ static int _nfs4_open_and_get_state(stru
+ if (ret != 0)
+ goto out;
+
+- ctx->state = state;
+ if (d_inode(dentry) == state->inode) {
+ nfs_inode_attach_open_context(ctx);
+ if (read_seqcount_retry(&sp->so_reclaim_seqcount, seq))
--- /dev/null
+From c21a493a2b44650707d06741601894329486f2ad Mon Sep 17 00:00:00 2001
+From: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+Date: Tue, 22 Nov 2016 14:55:59 +0530
+Subject: powerpc/xmon: Fix data-breakpoint
+
+From: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+
+commit c21a493a2b44650707d06741601894329486f2ad upstream.
+
+Currently xmon data-breakpoint feature is broken.
+
+Whenever there is a watchpoint match occurs, hw_breakpoint_handler will
+be called by do_break via notifier chains mechanism. If watchpoint is
+registered by xmon, hw_breakpoint_handler won't find any associated
+perf_event and returns immediately with NOTIFY_STOP. Similarly, do_break
+also returns without notifying to xmon.
+
+Solve this by returning NOTIFY_DONE when hw_breakpoint_handler does not
+find any perf_event associated with matched watchpoint, rather than
+NOTIFY_STOP, which tells the core code to continue calling the other
+breakpoint handlers including the xmon one.
+
+Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/hw_breakpoint.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/hw_breakpoint.c
++++ b/arch/powerpc/kernel/hw_breakpoint.c
+@@ -227,8 +227,10 @@ int __kprobes hw_breakpoint_handler(stru
+ rcu_read_lock();
+
+ bp = __this_cpu_read(bp_per_reg);
+- if (!bp)
++ if (!bp) {
++ rc = NOTIFY_DONE;
+ goto out;
++ }
+ info = counter_arch_bp(bp);
+
+ /*
--- /dev/null
+From 55efcfcd7776165b294f8b5cd6e05ca00ec89b7c Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+Date: Thu, 22 Dec 2016 18:07:52 -0700
+Subject: RDMA/core: Fix incorrect structure packing for booleans
+
+From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+
+commit 55efcfcd7776165b294f8b5cd6e05ca00ec89b7c upstream.
+
+The RDMA core uses ib_pack() to convert from unpacked CPU structs
+to on-the-wire bitpacked structs.
+
+This process requires that 1 bit fields are declared as u8 in the
+unpacked struct, otherwise the packing process does not read the
+value properly and the packed result is wired to 0. Several
+places wrongly used int.
+
+Crucially this means the kernel has never, set reversible
+correctly in the path record request. It has always asked for
+irreversible paths even if the ULP requests otherwise.
+
+When the kernel is used with a SM that supports this feature, it
+completely breaks communication management if reversible paths are
+not properly requested.
+
+The only reason this ever worked is because opensm ignores the
+reversible bit.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/rdma/ib_sa.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/include/rdma/ib_sa.h
++++ b/include/rdma/ib_sa.h
+@@ -138,12 +138,12 @@ struct ib_sa_path_rec {
+ union ib_gid sgid;
+ __be16 dlid;
+ __be16 slid;
+- int raw_traffic;
++ u8 raw_traffic;
+ /* reserved */
+ __be32 flow_label;
+ u8 hop_limit;
+ u8 traffic_class;
+- int reversible;
++ u8 reversible;
+ u8 numb_path;
+ __be16 pkey;
+ __be16 qos_class;
+@@ -204,7 +204,7 @@ struct ib_sa_mcmember_rec {
+ u8 hop_limit;
+ u8 scope;
+ u8 join_state;
+- int proxy_join;
++ u8 proxy_join;
+ };
+
+ /* Service Record Component Mask Sec 15.2.5.14 Ver 1.1 */
--- /dev/null
+From f2625f7db4dd0bbd16a9c7d2950e7621f9aa57ad Mon Sep 17 00:00:00 2001
+From: Steve Wise <swise@opengridcomputing.com>
+Date: Tue, 21 Feb 2017 11:21:57 -0800
+Subject: rdma_cm: fail iwarp accepts w/o connection params
+
+From: Steve Wise <swise@opengridcomputing.com>
+
+commit f2625f7db4dd0bbd16a9c7d2950e7621f9aa57ad upstream.
+
+cma_accept_iw() needs to return an error if conn_params is NULL.
+Since this is coming from user space, we can crash.
+
+Reported-by: Shaobo He <shaobo@cs.utah.edu>
+Acked-by: Sean Hefty <sean.hefty@intel.com>
+Signed-off-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/cma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -3349,6 +3349,9 @@ static int cma_accept_iw(struct rdma_id_
+ struct iw_cm_conn_param iw_param;
+ int ret;
+
++ if (!conn_param)
++ return -EINVAL;
++
+ ret = cma_modify_qp_rtr(id_priv, conn_param);
+ if (ret)
+ return ret;
--- /dev/null
+From a9422a19ce270a22fc520f2278fb7e80c58be508 Mon Sep 17 00:00:00 2001
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+Date: Mon, 23 Jan 2017 11:41:47 +0100
+Subject: rtc: sun6i: Add some locking
+
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+
+commit a9422a19ce270a22fc520f2278fb7e80c58be508 upstream.
+
+Some registers have a read-modify-write access pattern that are not atomic.
+
+Add some locking to prevent from concurrent accesses.
+
+Acked-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rtc/rtc-sun6i.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/rtc/rtc-sun6i.c
++++ b/drivers/rtc/rtc-sun6i.c
+@@ -114,13 +114,17 @@ struct sun6i_rtc_dev {
+ void __iomem *base;
+ int irq;
+ unsigned long alarm;
++
++ spinlock_t lock;
+ };
+
+ static irqreturn_t sun6i_rtc_alarmirq(int irq, void *id)
+ {
+ struct sun6i_rtc_dev *chip = (struct sun6i_rtc_dev *) id;
++ irqreturn_t ret = IRQ_NONE;
+ u32 val;
+
++ spin_lock(&chip->lock);
+ val = readl(chip->base + SUN6I_ALRM_IRQ_STA);
+
+ if (val & SUN6I_ALRM_IRQ_STA_CNT_IRQ_PEND) {
+@@ -129,10 +133,11 @@ static irqreturn_t sun6i_rtc_alarmirq(in
+
+ rtc_update_irq(chip->rtc, 1, RTC_AF | RTC_IRQF);
+
+- return IRQ_HANDLED;
++ ret = IRQ_HANDLED;
+ }
++ spin_unlock(&chip->lock);
+
+- return IRQ_NONE;
++ return ret;
+ }
+
+ static void sun6i_rtc_setaie(int to, struct sun6i_rtc_dev *chip)
+@@ -140,6 +145,7 @@ static void sun6i_rtc_setaie(int to, str
+ u32 alrm_val = 0;
+ u32 alrm_irq_val = 0;
+ u32 alrm_wake_val = 0;
++ unsigned long flags;
+
+ if (to) {
+ alrm_val = SUN6I_ALRM_EN_CNT_EN;
+@@ -150,9 +156,11 @@ static void sun6i_rtc_setaie(int to, str
+ chip->base + SUN6I_ALRM_IRQ_STA);
+ }
+
++ spin_lock_irqsave(&chip->lock, flags);
+ writel(alrm_val, chip->base + SUN6I_ALRM_EN);
+ writel(alrm_irq_val, chip->base + SUN6I_ALRM_IRQ_EN);
+ writel(alrm_wake_val, chip->base + SUN6I_ALARM_CONFIG);
++ spin_unlock_irqrestore(&chip->lock, flags);
+ }
+
+ static int sun6i_rtc_gettime(struct device *dev, struct rtc_time *rtc_tm)
+@@ -191,11 +199,15 @@ static int sun6i_rtc_gettime(struct devi
+ static int sun6i_rtc_getalarm(struct device *dev, struct rtc_wkalrm *wkalrm)
+ {
+ struct sun6i_rtc_dev *chip = dev_get_drvdata(dev);
++ unsigned long flags;
+ u32 alrm_st;
+ u32 alrm_en;
+
++ spin_lock_irqsave(&chip->lock, flags);
+ alrm_en = readl(chip->base + SUN6I_ALRM_IRQ_EN);
+ alrm_st = readl(chip->base + SUN6I_ALRM_IRQ_STA);
++ spin_unlock_irqrestore(&chip->lock, flags);
++
+ wkalrm->enabled = !!(alrm_en & SUN6I_ALRM_EN_CNT_EN);
+ wkalrm->pending = !!(alrm_st & SUN6I_ALRM_EN_CNT_EN);
+ rtc_time_to_tm(chip->alarm, &wkalrm->time);
+@@ -356,6 +368,7 @@ static int sun6i_rtc_probe(struct platfo
+ chip = devm_kzalloc(&pdev->dev, sizeof(*chip), GFP_KERNEL);
+ if (!chip)
+ return -ENOMEM;
++ spin_lock_init(&chip->lock);
+
+ platform_set_drvdata(pdev, chip);
+ chip->dev = &pdev->dev;
--- /dev/null
+From fb61bb82cb46a932ef2fc62e1c731c8e7e6640d5 Mon Sep 17 00:00:00 2001
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+Date: Mon, 23 Jan 2017 11:41:48 +0100
+Subject: rtc: sun6i: Switch to the external oscillator
+
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+
+commit fb61bb82cb46a932ef2fc62e1c731c8e7e6640d5 upstream.
+
+The RTC is clocked from either an internal, imprecise, oscillator or an
+external one, which is usually much more accurate.
+
+The difference perceived between the time elapsed and the time reported by
+the RTC is in a 10% scale, which prevents the RTC from being useful at all.
+
+Fortunately, the external oscillator is reported to be mandatory in the
+Allwinner datasheet, so we can just switch to it.
+
+Fixes: 9765d2d94309 ("rtc: sun6i: Add sun6i RTC driver")
+Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rtc/rtc-sun6i.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/rtc/rtc-sun6i.c
++++ b/drivers/rtc/rtc-sun6i.c
+@@ -37,9 +37,11 @@
+
+ /* Control register */
+ #define SUN6I_LOSC_CTRL 0x0000
++#define SUN6I_LOSC_CTRL_KEY (0x16aa << 16)
+ #define SUN6I_LOSC_CTRL_ALM_DHMS_ACC BIT(9)
+ #define SUN6I_LOSC_CTRL_RTC_HMS_ACC BIT(8)
+ #define SUN6I_LOSC_CTRL_RTC_YMD_ACC BIT(7)
++#define SUN6I_LOSC_CTRL_EXT_OSC BIT(0)
+ #define SUN6I_LOSC_CTRL_ACC_MASK GENMASK(9, 7)
+
+ /* RTC */
+@@ -417,6 +419,10 @@ static int sun6i_rtc_probe(struct platfo
+ /* disable alarm wakeup */
+ writel(0, chip->base + SUN6I_ALARM_CONFIG);
+
++ /* switch to the external, more precise, oscillator */
++ writel(SUN6I_LOSC_CTRL_KEY | SUN6I_LOSC_CTRL_EXT_OSC,
++ chip->base + SUN6I_LOSC_CTRL);
++
+ chip->rtc = rtc_device_register("rtc-sun6i", &pdev->dev,
+ &sun6i_rtc_ops, THIS_MODULE);
+ if (IS_ERR(chip->rtc)) {
--- /dev/null
+From 40b368af4b750863b2cb66a3a9513241db2f0793 Mon Sep 17 00:00:00 2001
+From: Ping-Ke Shih <pkshih@realtek.com>
+Date: Wed, 28 Dec 2016 15:40:04 -0600
+Subject: rtlwifi: Fix alignment issues
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+commit 40b368af4b750863b2cb66a3a9513241db2f0793 upstream.
+
+The addresses of Wlan NIC registers are natural alignment, but some
+drivers have bugs. These are evident on platforms that need natural
+alignment to access registers. This change contains the following:
+ 1. Function _rtl8821ae_dbi_read() is used to read one byte from DBI,
+ thus it should use rtl_read_byte().
+ 2. Register 0x4C7 of 8192ee is single byte.
+
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192ee/hw.c | 2 +-
+ drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/hw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/hw.c
+@@ -1003,7 +1003,7 @@ static void _rtl92ee_hw_configure(struct
+ rtl_write_word(rtlpriv, REG_SIFS_TRX, 0x100a);
+
+ /* Note Data sheet don't define */
+- rtl_write_word(rtlpriv, 0x4C7, 0x80);
++ rtl_write_byte(rtlpriv, 0x4C7, 0x80);
+
+ rtl_write_byte(rtlpriv, REG_RX_PKT_LIMIT, 0x20);
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c
+@@ -1127,7 +1127,7 @@ static u8 _rtl8821ae_dbi_read(struct rtl
+ }
+ if (0 == tmp) {
+ read_addr = REG_DBI_RDATA + addr % 4;
+- ret = rtl_read_word(rtlpriv, read_addr);
++ ret = rtl_read_byte(rtlpriv, read_addr);
+ }
+ return ret;
+ }
--- /dev/null
+From 6773386f977ce5af339f9678fa2918909a946c6b Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Sun, 5 Feb 2017 10:24:22 -0600
+Subject: rtlwifi: rtl8192c-common: Fix "BUG: KASAN:
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 6773386f977ce5af339f9678fa2918909a946c6b upstream.
+
+Kernels built with CONFIG_KASAN=y report the following BUG for rtl8192cu
+and rtl8192c-common:
+
+==================================================================
+BUG: KASAN: slab-out-of-bounds in rtl92c_dm_bt_coexist+0x858/0x1e40
+ [rtl8192c_common] at addr ffff8801c90edb08
+Read of size 1 by task kworker/0:1/38
+page:ffffea0007243800 count:1 mapcount:0 mapping: (null)
+ index:0x0 compound_mapcount: 0
+flags: 0x8000000000004000(head)
+page dumped because: kasan: bad access detected
+CPU: 0 PID: 38 Comm: kworker/0:1 Not tainted 4.9.7-gentoo #3
+Hardware name: Gigabyte Technology Co., Ltd. To be filled by
+ O.E.M./Z77-DS3H, BIOS F11a 11/13/2013
+Workqueue: rtl92c_usb rtl_watchdog_wq_callback [rtlwifi]
+ 0000000000000000 ffffffff829eea33 ffff8801d7f0fa30 ffff8801c90edb08
+ ffffffff824c0f09 ffff8801d4abee80 0000000000000004 0000000000000297
+ ffffffffc070b57c ffff8801c7aa7c48 ffff880100000004 ffffffff000003e8
+Call Trace:
+ [<ffffffff829eea33>] ? dump_stack+0x5c/0x79
+ [<ffffffff824c0f09>] ? kasan_report_error+0x4b9/0x4e0
+ [<ffffffffc070b57c>] ? _usb_read_sync+0x15c/0x280 [rtl_usb]
+ [<ffffffff824c0f75>] ? __asan_report_load1_noabort+0x45/0x50
+ [<ffffffffc06d7a88>] ? rtl92c_dm_bt_coexist+0x858/0x1e40 [rtl8192c_common]
+ [<ffffffffc06d7a88>] ? rtl92c_dm_bt_coexist+0x858/0x1e40 [rtl8192c_common]
+ [<ffffffffc06d0cbe>] ? rtl92c_dm_rf_saving+0x96e/0x1330 [rtl8192c_common]
+...
+
+The problem is due to rtl8192ce and rtl8192cu sharing routines, and having
+different layouts of struct rtl_pci_priv, which is used by rtl8192ce, and
+struct rtl_usb_priv, which is used by rtl8192cu. The problem was resolved
+by placing the struct bt_coexist_info at the head of each of those private
+areas.
+
+Reported-and-tested-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/pci.h | 4 ++--
+ drivers/net/wireless/realtek/rtlwifi/usb.h | 3 ++-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.h
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.h
+@@ -275,10 +275,10 @@ struct mp_adapter {
+ };
+
+ struct rtl_pci_priv {
++ struct bt_coexist_info bt_coexist;
++ struct rtl_led_ctl ledctl;
+ struct rtl_pci dev;
+ struct mp_adapter ndis_adapter;
+- struct rtl_led_ctl ledctl;
+- struct bt_coexist_info bt_coexist;
+ };
+
+ #define rtl_pcipriv(hw) (((struct rtl_pci_priv *)(rtl_priv(hw))->priv))
+--- a/drivers/net/wireless/realtek/rtlwifi/usb.h
++++ b/drivers/net/wireless/realtek/rtlwifi/usb.h
+@@ -150,8 +150,9 @@ struct rtl_usb {
+ };
+
+ struct rtl_usb_priv {
+- struct rtl_usb dev;
++ struct bt_coexist_info bt_coexist;
+ struct rtl_led_ctl ledctl;
++ struct rtl_usb dev;
+ };
+
+ #define rtl_usbpriv(hw) (((struct rtl_usb_priv *)(rtl_priv(hw))->priv))
crypto-testmgr-pad-aes_ccm_enc_tv_template-vector.patch
fuse-add-missing-fr_force.patch
arm-arm64-kvm-enforce-unconditional-flush-to-poc-when-mapping-to-stage-2.patch
+iio-pressure-mpl115-do-not-rely-on-structure-field-ordering.patch
+iio-pressure-mpl3115-do-not-rely-on-structure-field-ordering.patch
+can-usb_8dev-fix-memory-leak-of-priv-cmd_msg_buffer.patch
+w1-don-t-leak-refcount-on-slave-attach-failure-in-w1_attach_slave_device.patch
+w1-ds2490-usb-transfer-buffers-need-to-be-dmaable.patch
+usb-musb-da8xx-remove-cppi-3.0-quirk-and-methods.patch
+usb-host-xhci-plat-check-hcc_params-after-add-hcd.patch
+usb-gadget-udc-fsl-add-missing-complete-function.patch
+hv-allocate-synic-pages-for-all-present-cpus.patch
+hv-init-percpu_list-in-hv_synic_alloc.patch
+drivers-hv-util-kvp-fix-a-rescind-processing-issue.patch
+drivers-hv-util-fcopy-fix-a-rescind-processing-issue.patch
+drivers-hv-util-backup-fix-a-rescind-processing-issue.patch
+rdma-core-fix-incorrect-structure-packing-for-booleans.patch
+rdma_cm-fail-iwarp-accepts-w-o-connection-params.patch
+gfs2-add-missing-rcu-locking-for-glock-lookup.patch
+rtlwifi-fix-alignment-issues.patch
+rtlwifi-rtl8192c-common-fix-bug-kasan.patch
+nfsd-minor-nfsd_setattr-cleanup.patch
+nfsd-special-case-truncates-some-more.patch
+nfsv4-fix-memory-and-state-leak-in-_nfs4_open_and_get_state.patch
+nfsv4-fix-getacl-head-length-estimation.patch
+nfsv4-fix-getacl-erange-for-some-acl-buffer-sizes.patch
+rtc-sun6i-add-some-locking.patch
+rtc-sun6i-switch-to-the-external-oscillator.patch
+md-linear-fix-a-race-between-linear_add-and-linear_congested.patch
+bcma-use-get-put-_device-when-probing-removing-device-driver.patch
+dmaengine-ipu-make-sure-the-interrupt-routine-checks-all-interrupts.patch
+powerpc-xmon-fix-data-breakpoint.patch
--- /dev/null
+From 5528954a1a0c49c6974ef1b8d6eaceff536204d5 Mon Sep 17 00:00:00 2001
+From: Magnus Lilja <lilja.magnus@gmail.com>
+Date: Wed, 25 Jan 2017 22:07:59 +0100
+Subject: usb: gadget: udc: fsl: Add missing complete function.
+
+From: Magnus Lilja <lilja.magnus@gmail.com>
+
+commit 5528954a1a0c49c6974ef1b8d6eaceff536204d5 upstream.
+
+Commit 304f7e5e1d08 ("usb: gadget: Refactor request completion")
+removed check if req->req.complete is non-NULL, resulting in a NULL
+pointer derefence and a kernel panic.
+This patch adds an empty complete function instead of re-introducing
+the req->req.complete check.
+
+Fixes: 304f7e5e1d08 ("usb: gadget: Refactor request completion")
+
+Signed-off-by: Magnus Lilja <lilja.magnus@gmail.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/fsl_udc_core.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/udc/fsl_udc_core.c
++++ b/drivers/usb/gadget/udc/fsl_udc_core.c
+@@ -1249,6 +1249,12 @@ static const struct usb_gadget_ops fsl_g
+ .udc_stop = fsl_udc_stop,
+ };
+
++/*
++ * Empty complete function used by this driver to fill in the req->complete
++ * field when creating a request since the complete field is mandatory.
++ */
++static void fsl_noop_complete(struct usb_ep *ep, struct usb_request *req) { }
++
+ /* Set protocol stall on ep0, protocol stall will automatically be cleared
+ on new transaction */
+ static void ep0stall(struct fsl_udc *udc)
+@@ -1283,7 +1289,7 @@ static int ep0_prime_status(struct fsl_u
+ req->req.length = 0;
+ req->req.status = -EINPROGRESS;
+ req->req.actual = 0;
+- req->req.complete = NULL;
++ req->req.complete = fsl_noop_complete;
+ req->dtd_count = 0;
+
+ ret = usb_gadget_map_request(&ep->udc->gadget, &req->req, ep_is_in(ep));
+@@ -1366,7 +1372,7 @@ static void ch9getstatus(struct fsl_udc
+ req->req.length = 2;
+ req->req.status = -EINPROGRESS;
+ req->req.actual = 0;
+- req->req.complete = NULL;
++ req->req.complete = fsl_noop_complete;
+ req->dtd_count = 0;
+
+ ret = usb_gadget_map_request(&ep->udc->gadget, &req->req, ep_is_in(ep));
--- /dev/null
+From 5de4e1ea9a731cad195ce5152705c21daef3bbba Mon Sep 17 00:00:00 2001
+From: William wu <william.wu@rock-chips.com>
+Date: Tue, 17 Jan 2017 15:32:07 +0800
+Subject: usb: host: xhci: plat: check hcc_params after add hcd
+
+From: William wu <william.wu@rock-chips.com>
+
+commit 5de4e1ea9a731cad195ce5152705c21daef3bbba upstream.
+
+The commit 4ac53087d6d4 ("usb: xhci: plat: Create both
+HCDs before adding them") move add hcd to the end of
+probe, this cause hcc_params uninitiated, because xHCI
+driver sets hcc_params in xhci_gen_setup() called from
+usb_add_hcd().
+
+This patch checks the Maximum Primary Stream Array Size
+in the hcc_params register after add primary hcd.
+
+Signed-off-by: William wu <william.wu@rock-chips.com>
+Acked-by: Roger Quadros <rogerq@ti.com>
+Fixes: 4ac53087d6d4 ("usb: xhci: plat: Create both HCDs before adding them")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-plat.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -162,9 +162,6 @@ static int xhci_plat_probe(struct platfo
+ (pdata && pdata->usb3_lpm_capable))
+ xhci->quirks |= XHCI_LPM_SUPPORT;
+
+- if (HCC_MAX_PSA(xhci->hcc_params) >= 4)
+- xhci->shared_hcd->can_do_streams = 1;
+-
+ hcd->usb_phy = devm_usb_get_phy_by_phandle(&pdev->dev, "usb-phy", 0);
+ if (IS_ERR(hcd->usb_phy)) {
+ ret = PTR_ERR(hcd->usb_phy);
+@@ -181,6 +178,9 @@ static int xhci_plat_probe(struct platfo
+ if (ret)
+ goto disable_usb_phy;
+
++ if (HCC_MAX_PSA(xhci->hcc_params) >= 4)
++ xhci->shared_hcd->can_do_streams = 1;
++
+ ret = usb_add_hcd(xhci->shared_hcd, irq, IRQF_SHARED);
+ if (ret)
+ goto dealloc_usb2_hcd;
--- /dev/null
+From a994ce2d7e66008381a0b184c73be9ae9b72eb5c Mon Sep 17 00:00:00 2001
+From: Alexandre Bailon <abailon@baylibre.com>
+Date: Wed, 1 Feb 2017 21:30:12 -0600
+Subject: usb: musb: da8xx: Remove CPPI 3.0 quirk and methods
+
+From: Alexandre Bailon <abailon@baylibre.com>
+
+commit a994ce2d7e66008381a0b184c73be9ae9b72eb5c upstream.
+
+DA8xx driver is registering and using the CPPI 3.0 DMA controller but
+actually, the DA8xx has a CPPI 4.1 DMA controller.
+Remove the CPPI 3.0 quirk and methods.
+
+Fixes: f8e9f34f80a2 ("usb: musb: Fix up DMA related macros")
+Fixes: 7f6283ed6fe8 ("usb: musb: Set up function pointers for DMA")
+Signed-off-by: Alexandre Bailon <abailon@baylibre.com>
+Acked-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/musb/da8xx.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/usb/musb/da8xx.c
++++ b/drivers/usb/musb/da8xx.c
+@@ -458,15 +458,11 @@ static int da8xx_musb_exit(struct musb *
+ }
+
+ static const struct musb_platform_ops da8xx_ops = {
+- .quirks = MUSB_DMA_CPPI | MUSB_INDEXED_EP,
++ .quirks = MUSB_INDEXED_EP,
+ .init = da8xx_musb_init,
+ .exit = da8xx_musb_exit,
+
+ .fifo_mode = 2,
+-#ifdef CONFIG_USB_TI_CPPI_DMA
+- .dma_init = cppi_dma_controller_create,
+- .dma_exit = cppi_dma_controller_destroy,
+-#endif
+ .enable = da8xx_musb_enable,
+ .disable = da8xx_musb_disable,
+
--- /dev/null
+From d2ce4ea1a0b0162e5d2d7e7942ab6f5cc2063d5a Mon Sep 17 00:00:00 2001
+From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
+Date: Sat, 21 Jan 2017 23:50:18 +0100
+Subject: w1: don't leak refcount on slave attach failure in w1_attach_slave_device()
+
+From: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+
+commit d2ce4ea1a0b0162e5d2d7e7942ab6f5cc2063d5a upstream.
+
+Near the beginning of w1_attach_slave_device() we increment a w1 master
+reference count.
+Later, when we are going to exit this function without actually attaching
+a slave device (due to failure of __w1_attach_slave_device()) we need to
+decrement this reference count back.
+
+Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+Fixes: 9fcbbac5ded489 ("w1: process w1 netlink commands in w1_process thread")
+Cc: Evgeniy Polyakov <zbr@ioremap.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/w1/w1.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/w1/w1.c
++++ b/drivers/w1/w1.c
+@@ -763,6 +763,7 @@ int w1_attach_slave_device(struct w1_mas
+ dev_err(&dev->dev, "%s: Attaching %s failed.\n", __func__,
+ sl->name);
+ w1_family_put(sl->family);
++ atomic_dec(&sl->master->refcnt);
+ kfree(sl);
+ return err;
+ }
--- /dev/null
+From 61cd1b4cd1e8f7f7642ab64529d9bd52e8374641 Mon Sep 17 00:00:00 2001
+From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
+Date: Wed, 18 Jan 2017 21:31:11 +0100
+Subject: w1: ds2490: USB transfer buffers need to be DMAable
+
+From: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+
+commit 61cd1b4cd1e8f7f7642ab64529d9bd52e8374641 upstream.
+
+ds2490 driver was doing USB transfers from / to buffers on a stack.
+This is not permitted and made the driver non-working with vmapped stacks.
+
+Since all these transfers are done under the same bus_mutex lock we can
+simply use shared buffers in a device private structure for two most common
+of them.
+
+While we are at it, let's also fix a comparison between int and size_t in
+ds9490r_search() which made the driver spin in this function if state
+register get requests were failing.
+
+Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/w1/masters/ds2490.c | 142 ++++++++++++++++++++++++++------------------
+ 1 file changed, 84 insertions(+), 58 deletions(-)
+
+--- a/drivers/w1/masters/ds2490.c
++++ b/drivers/w1/masters/ds2490.c
+@@ -153,6 +153,9 @@ struct ds_device
+ */
+ u16 spu_bit;
+
++ u8 st_buf[ST_SIZE];
++ u8 byte_buf;
++
+ struct w1_bus_master master;
+ };
+
+@@ -174,7 +177,6 @@ struct ds_status
+ u8 data_in_buffer_status;
+ u8 reserved1;
+ u8 reserved2;
+-
+ };
+
+ static struct usb_device_id ds_id_table [] = {
+@@ -244,28 +246,6 @@ static int ds_send_control(struct ds_dev
+ return err;
+ }
+
+-static int ds_recv_status_nodump(struct ds_device *dev, struct ds_status *st,
+- unsigned char *buf, int size)
+-{
+- int count, err;
+-
+- memset(st, 0, sizeof(*st));
+-
+- count = 0;
+- err = usb_interrupt_msg(dev->udev, usb_rcvintpipe(dev->udev,
+- dev->ep[EP_STATUS]), buf, size, &count, 1000);
+- if (err < 0) {
+- pr_err("Failed to read 1-wire data from 0x%x: err=%d.\n",
+- dev->ep[EP_STATUS], err);
+- return err;
+- }
+-
+- if (count >= sizeof(*st))
+- memcpy(st, buf, sizeof(*st));
+-
+- return count;
+-}
+-
+ static inline void ds_print_msg(unsigned char *buf, unsigned char *str, int off)
+ {
+ pr_info("%45s: %8x\n", str, buf[off]);
+@@ -324,6 +304,35 @@ static void ds_dump_status(struct ds_dev
+ }
+ }
+
++static int ds_recv_status(struct ds_device *dev, struct ds_status *st,
++ bool dump)
++{
++ int count, err;
++
++ if (st)
++ memset(st, 0, sizeof(*st));
++
++ count = 0;
++ err = usb_interrupt_msg(dev->udev,
++ usb_rcvintpipe(dev->udev,
++ dev->ep[EP_STATUS]),
++ dev->st_buf, sizeof(dev->st_buf),
++ &count, 1000);
++ if (err < 0) {
++ pr_err("Failed to read 1-wire data from 0x%x: err=%d.\n",
++ dev->ep[EP_STATUS], err);
++ return err;
++ }
++
++ if (dump)
++ ds_dump_status(dev, dev->st_buf, count);
++
++ if (st && count >= sizeof(*st))
++ memcpy(st, dev->st_buf, sizeof(*st));
++
++ return count;
++}
++
+ static void ds_reset_device(struct ds_device *dev)
+ {
+ ds_send_control_cmd(dev, CTL_RESET_DEVICE, 0);
+@@ -344,7 +353,6 @@ static void ds_reset_device(struct ds_de
+ static int ds_recv_data(struct ds_device *dev, unsigned char *buf, int size)
+ {
+ int count, err;
+- struct ds_status st;
+
+ /* Careful on size. If size is less than what is available in
+ * the input buffer, the device fails the bulk transfer and
+@@ -359,14 +367,9 @@ static int ds_recv_data(struct ds_device
+ err = usb_bulk_msg(dev->udev, usb_rcvbulkpipe(dev->udev, dev->ep[EP_DATA_IN]),
+ buf, size, &count, 1000);
+ if (err < 0) {
+- u8 buf[ST_SIZE];
+- int count;
+-
+ pr_info("Clearing ep0x%x.\n", dev->ep[EP_DATA_IN]);
+ usb_clear_halt(dev->udev, usb_rcvbulkpipe(dev->udev, dev->ep[EP_DATA_IN]));
+-
+- count = ds_recv_status_nodump(dev, &st, buf, sizeof(buf));
+- ds_dump_status(dev, buf, count);
++ ds_recv_status(dev, NULL, true);
+ return err;
+ }
+
+@@ -404,7 +407,6 @@ int ds_stop_pulse(struct ds_device *dev,
+ {
+ struct ds_status st;
+ int count = 0, err = 0;
+- u8 buf[ST_SIZE];
+
+ do {
+ err = ds_send_control(dev, CTL_HALT_EXE_IDLE, 0);
+@@ -413,7 +415,7 @@ int ds_stop_pulse(struct ds_device *dev,
+ err = ds_send_control(dev, CTL_RESUME_EXE, 0);
+ if (err)
+ break;
+- err = ds_recv_status_nodump(dev, &st, buf, sizeof(buf));
++ err = ds_recv_status(dev, &st, false);
+ if (err)
+ break;
+
+@@ -456,18 +458,17 @@ int ds_detect(struct ds_device *dev, str
+
+ static int ds_wait_status(struct ds_device *dev, struct ds_status *st)
+ {
+- u8 buf[ST_SIZE];
+ int err, count = 0;
+
+ do {
+ st->status = 0;
+- err = ds_recv_status_nodump(dev, st, buf, sizeof(buf));
++ err = ds_recv_status(dev, st, false);
+ #if 0
+ if (err >= 0) {
+ int i;
+ printk("0x%x: count=%d, status: ", dev->ep[EP_STATUS], err);
+ for (i=0; i<err; ++i)
+- printk("%02x ", buf[i]);
++ printk("%02x ", dev->st_buf[i]);
+ printk("\n");
+ }
+ #endif
+@@ -485,7 +486,7 @@ static int ds_wait_status(struct ds_devi
+ * can do something with it).
+ */
+ if (err > 16 || count >= 100 || err < 0)
+- ds_dump_status(dev, buf, err);
++ ds_dump_status(dev, dev->st_buf, err);
+
+ /* Extended data isn't an error. Well, a short is, but the dump
+ * would have already told the user that and we can't do anything
+@@ -608,7 +609,6 @@ static int ds_write_byte(struct ds_devic
+ {
+ int err;
+ struct ds_status st;
+- u8 rbyte;
+
+ err = ds_send_control(dev, COMM_BYTE_IO | COMM_IM | dev->spu_bit, byte);
+ if (err)
+@@ -621,11 +621,11 @@ static int ds_write_byte(struct ds_devic
+ if (err)
+ return err;
+
+- err = ds_recv_data(dev, &rbyte, sizeof(rbyte));
++ err = ds_recv_data(dev, &dev->byte_buf, 1);
+ if (err < 0)
+ return err;
+
+- return !(byte == rbyte);
++ return !(byte == dev->byte_buf);
+ }
+
+ static int ds_read_byte(struct ds_device *dev, u8 *byte)
+@@ -712,7 +712,6 @@ static void ds9490r_search(void *data, s
+ int err;
+ u16 value, index;
+ struct ds_status st;
+- u8 st_buf[ST_SIZE];
+ int search_limit;
+ int found = 0;
+ int i;
+@@ -724,7 +723,12 @@ static void ds9490r_search(void *data, s
+ /* FIFO 128 bytes, bulk packet size 64, read a multiple of the
+ * packet size.
+ */
+- u64 buf[2*64/8];
++ const size_t bufsize = 2 * 64;
++ u64 *buf;
++
++ buf = kmalloc(bufsize, GFP_KERNEL);
++ if (!buf)
++ return;
+
+ mutex_lock(&master->bus_mutex);
+
+@@ -745,10 +749,9 @@ static void ds9490r_search(void *data, s
+ do {
+ schedule_timeout(jtime);
+
+- if (ds_recv_status_nodump(dev, &st, st_buf, sizeof(st_buf)) <
+- sizeof(st)) {
++ err = ds_recv_status(dev, &st, false);
++ if (err < 0 || err < sizeof(st))
+ break;
+- }
+
+ if (st.data_in_buffer_status) {
+ /* Bulk in can receive partial ids, but when it does
+@@ -758,7 +761,7 @@ static void ds9490r_search(void *data, s
+ * bulk without first checking if status says there
+ * is data to read.
+ */
+- err = ds_recv_data(dev, (u8 *)buf, sizeof(buf));
++ err = ds_recv_data(dev, (u8 *)buf, bufsize);
+ if (err < 0)
+ break;
+ for (i = 0; i < err/8; ++i) {
+@@ -794,9 +797,14 @@ static void ds9490r_search(void *data, s
+ }
+ search_out:
+ mutex_unlock(&master->bus_mutex);
++ kfree(buf);
+ }
+
+ #if 0
++/*
++ * FIXME: if this disabled code is ever used in the future all ds_send_data()
++ * calls must be changed to use a DMAable buffer.
++ */
+ static int ds_match_access(struct ds_device *dev, u64 init)
+ {
+ int err;
+@@ -845,13 +853,12 @@ static int ds_set_path(struct ds_device
+
+ static u8 ds9490r_touch_bit(void *data, u8 bit)
+ {
+- u8 ret;
+ struct ds_device *dev = data;
+
+- if (ds_touch_bit(dev, bit, &ret))
++ if (ds_touch_bit(dev, bit, &dev->byte_buf))
+ return 0;
+
+- return ret;
++ return dev->byte_buf;
+ }
+
+ #if 0
+@@ -866,13 +873,12 @@ static u8 ds9490r_read_bit(void *data)
+ {
+ struct ds_device *dev = data;
+ int err;
+- u8 bit = 0;
+
+- err = ds_touch_bit(dev, 1, &bit);
++ err = ds_touch_bit(dev, 1, &dev->byte_buf);
+ if (err)
+ return 0;
+
+- return bit & 1;
++ return dev->byte_buf & 1;
+ }
+ #endif
+
+@@ -887,32 +893,52 @@ static u8 ds9490r_read_byte(void *data)
+ {
+ struct ds_device *dev = data;
+ int err;
+- u8 byte = 0;
+
+- err = ds_read_byte(dev, &byte);
++ err = ds_read_byte(dev, &dev->byte_buf);
+ if (err)
+ return 0;
+
+- return byte;
++ return dev->byte_buf;
+ }
+
+ static void ds9490r_write_block(void *data, const u8 *buf, int len)
+ {
+ struct ds_device *dev = data;
++ u8 *tbuf;
++
++ if (len <= 0)
++ return;
++
++ tbuf = kmalloc(len, GFP_KERNEL);
++ if (!tbuf)
++ return;
++
++ memcpy(tbuf, buf, len);
++ ds_write_block(dev, tbuf, len);
+
+- ds_write_block(dev, (u8 *)buf, len);
++ kfree(tbuf);
+ }
+
+ static u8 ds9490r_read_block(void *data, u8 *buf, int len)
+ {
+ struct ds_device *dev = data;
+ int err;
++ u8 *tbuf;
+
+- err = ds_read_block(dev, buf, len);
+- if (err < 0)
++ if (len <= 0)
++ return 0;
++
++ tbuf = kmalloc(len, GFP_KERNEL);
++ if (!tbuf)
+ return 0;
+
+- return len;
++ err = ds_read_block(dev, tbuf, len);
++ if (err >= 0)
++ memcpy(buf, tbuf, len);
++
++ kfree(tbuf);
++
++ return err >= 0 ? len : 0;
+ }
+
+ static u8 ds9490r_reset(void *data)
projects / thirdparty / kernel / stable-queue.git / commitdiff
