--- /dev/null
+From 896533a7da929136d0432713f02a3edffece2826 Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Wed, 17 May 2017 09:49:37 -0400
+Subject: btrfs: fix memory leak in update_space_info failure path
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit 896533a7da929136d0432713f02a3edffece2826 upstream.
+
+If we fail to add the space_info kobject, we'll leak the memory
+for the percpu counter.
+
+Fixes: 6ab0a2029c (btrfs: publish allocation data in sysfs)
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent-tree.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -3854,6 +3854,7 @@ static int update_space_info(struct btrf
+ info->space_info_kobj, "%s",
+ alloc_name(found->flags));
+ if (ret) {
++ percpu_counter_destroy(&found->total_bytes_pinned);
+ kfree(found);
+ return ret;
+ }
--- /dev/null
+From cc2b702c52094b637a351d7491ac5200331d0445 Mon Sep 17 00:00:00 2001
+From: David Sterba <dsterba@suse.com>
+Date: Fri, 12 May 2017 01:03:52 +0200
+Subject: btrfs: use correct types for page indices in btrfs_page_exists_in_range
+
+From: David Sterba <dsterba@suse.com>
+
+commit cc2b702c52094b637a351d7491ac5200331d0445 upstream.
+
+Variables start_idx and end_idx are supposed to hold a page index
+derived from the file offsets. The int type is not the right one though,
+offsets larger than 1 << 44 will get silently trimmed off the high bits.
+(1 << 44 is 16TiB)
+
+What can go wrong, if start is below the boundary and end gets trimmed:
+- if there's a page after start, we'll find it (radix_tree_gang_lookup_slot)
+- the final check "if (page->index <= end_idx)" will unexpectedly fail
+
+The function will return false, ie. "there's no page in the range",
+although there is at least one.
+
+btrfs_page_exists_in_range is used to prevent races in:
+
+* in hole punching, where we make sure there are not pages in the
+ truncated range, otherwise we'll wait for them to finish and redo
+ truncation, but we're going to replace the pages with holes anyway so
+ the only problem is the intermediate state
+
+* lock_extent_direct: we want to make sure there are no pages before we
+ lock and start DIO, to prevent stale data reads
+
+For practical occurence of the bug, there are several constaints. The
+file must be quite large, the affected range must cross the 16TiB
+boundary and the internal state of the file pages and pending operations
+must match. Also, we must not have started any ordered data in the
+range, otherwise we don't even reach the buggy function check.
+
+DIO locking tries hard in several places to avoid deadlocks with
+buffered IO and avoids waiting for ranges. The worst consequence seems
+to be stale data read.
+
+CC: Liu Bo <bo.li.liu@oracle.com>
+Fixes: fc4adbff823f7 ("btrfs: Drop EXTENT_UPTODATE check in hole punching and direct locking")
+Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/inode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -7318,8 +7318,8 @@ bool btrfs_page_exists_in_range(struct i
+ int found = false;
+ void **pagep = NULL;
+ struct page *page = NULL;
+- int start_idx;
+- int end_idx;
++ unsigned long start_idx;
++ unsigned long end_idx;
+
+ start_idx = start >> PAGE_CACHE_SHIFT;
+
--- /dev/null
+From 6c77003677d5f1ce15f26d24360cb66c0bc07bb3 Mon Sep 17 00:00:00 2001
+From: David Arcari <darcari@redhat.com>
+Date: Fri, 26 May 2017 11:37:31 -0400
+Subject: cpufreq: cpufreq_register_driver() should return -ENODEV if init fails
+
+From: David Arcari <darcari@redhat.com>
+
+commit 6c77003677d5f1ce15f26d24360cb66c0bc07bb3 upstream.
+
+For a driver that does not set the CPUFREQ_STICKY flag, if all of the
+->init() calls fail, cpufreq_register_driver() should return an error.
+This will prevent the driver from loading.
+
+Fixes: ce1bcfe94db8 (cpufreq: check cpufreq_policy_list instead of scanning policies for all CPUs)
+Signed-off-by: David Arcari <darcari@redhat.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/cpufreq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -2451,6 +2451,7 @@ int cpufreq_register_driver(struct cpufr
+ if (!(cpufreq_driver->flags & CPUFREQ_STICKY) &&
+ list_empty(&cpufreq_policy_list)) {
+ /* if all ->init() calls failed, unregister */
++ ret = -ENODEV;
+ pr_debug("%s: No CPU initialized for driver %s\n", __func__,
+ driver_data->name);
+ goto err_if_unreg;
--- /dev/null
+From 41c25707d21716826e3c1f60967f5550610ec1c9 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Wed, 24 May 2017 12:03:48 -0400
+Subject: cpuset: consider dying css as offline
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 41c25707d21716826e3c1f60967f5550610ec1c9 upstream.
+
+In most cases, a cgroup controller don't care about the liftimes of
+cgroups. For the controller, a css becomes online when ->css_online()
+is called on it and offline when ->css_offline() is called.
+
+However, cpuset is special in that the user interface it exposes cares
+whether certain cgroups exist or not. Combined with the RCU delay
+between cgroup removal and css offlining, this can lead to user
+visible behavior oddities where operations which should succeed after
+cgroup removals fail for some time period. The effects of cgroup
+removals are delayed when seen from userland.
+
+This patch adds css_is_dying() which tests whether offline is pending
+and updates is_cpuset_online() so that the function returns false also
+while offline is pending. This gets rid of the userland visible
+delays.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Link: http://lkml.kernel.org/r/327ca1f5-7957-fbb9-9e5f-9ba149d40ba2@oracle.com
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/cgroup.h | 20 ++++++++++++++++++++
+ kernel/cpuset.c | 4 ++--
+ 2 files changed, 22 insertions(+), 2 deletions(-)
+
+--- a/include/linux/cgroup.h
++++ b/include/linux/cgroup.h
+@@ -340,6 +340,26 @@ static inline bool css_tryget_online(str
+ }
+
+ /**
++ * css_is_dying - test whether the specified css is dying
++ * @css: target css
++ *
++ * Test whether @css is in the process of offlining or already offline. In
++ * most cases, ->css_online() and ->css_offline() callbacks should be
++ * enough; however, the actual offline operations are RCU delayed and this
++ * test returns %true also when @css is scheduled to be offlined.
++ *
++ * This is useful, for example, when the use case requires synchronous
++ * behavior with respect to cgroup removal. cgroup removal schedules css
++ * offlining but the css can seem alive while the operation is being
++ * delayed. If the delay affects user visible semantics, this test can be
++ * used to resolve the situation.
++ */
++static inline bool css_is_dying(struct cgroup_subsys_state *css)
++{
++ return !(css->flags & CSS_NO_REF) && percpu_ref_is_dying(&css->refcnt);
++}
++
++/**
+ * css_put - put a css reference
+ * @css: target css
+ *
+--- a/kernel/cpuset.c
++++ b/kernel/cpuset.c
+@@ -173,9 +173,9 @@ typedef enum {
+ } cpuset_flagbits_t;
+
+ /* convenient tests for these bits */
+-static inline bool is_cpuset_online(const struct cpuset *cs)
++static inline bool is_cpuset_online(struct cpuset *cs)
+ {
+- return test_bit(CS_ONLINE, &cs->flags);
++ return test_bit(CS_ONLINE, &cs->flags) && !css_is_dying(&cs->css);
+ }
+
+ static inline int is_cpu_exclusive(const struct cpuset *cs)
--- /dev/null
+From cec422c11caeeccae709e9942058b6b644ce434c Mon Sep 17 00:00:00 2001
+From: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
+Date: Tue, 6 Jun 2017 11:43:41 +0200
+Subject: cxl: Fix error path on bad ioctl
+
+From: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
+
+commit cec422c11caeeccae709e9942058b6b644ce434c upstream.
+
+Fix error path if we can't copy user structure on CXL_IOCTL_START_WORK
+ioctl. We shouldn't unlock the context status mutex as it was not
+locked (yet).
+
+Fixes: 0712dc7e73e5 ("cxl: Fix issues when unmapping contexts")
+Signed-off-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
+Reviewed-by: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
+Reviewed-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/cxl/file.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/misc/cxl/file.c
++++ b/drivers/misc/cxl/file.c
+@@ -158,11 +158,8 @@ static long afu_ioctl_start_work(struct
+
+ /* Do this outside the status_mutex to avoid a circular dependency with
+ * the locking in cxl_mmap_fault() */
+- if (copy_from_user(&work, uwork,
+- sizeof(struct cxl_ioctl_start_work))) {
+- rc = -EFAULT;
+- goto out;
+- }
++ if (copy_from_user(&work, uwork, sizeof(work)))
++ return -EFAULT;
+
+ mutex_lock(&ctx->status_mutex);
+ if (ctx->status != OPENED) {
--- /dev/null
+From 0037ae47812b1f431cc602100d1d51f37d77b61e Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+Date: Mon, 22 May 2017 16:05:22 +0200
+Subject: dmaengine: ep93xx: Always start from BASE0
+
+From: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+
+commit 0037ae47812b1f431cc602100d1d51f37d77b61e upstream.
+
+The current buffer is being reset to zero on device_free_chan_resources()
+but not on device_terminate_all(). It could happen that HW is restarted and
+expects BASE0 to be used, but the driver is not synchronized and will start
+from BASE1. One solution is to reset the buffer explicitly in
+m2p_hw_setup().
+
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/ep93xx_dma.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/dma/ep93xx_dma.c
++++ b/drivers/dma/ep93xx_dma.c
+@@ -325,6 +325,8 @@ static int m2p_hw_setup(struct ep93xx_dm
+ | M2P_CONTROL_ENABLE;
+ m2p_set_control(edmac, control);
+
++ edmac->buffer = 0;
++
+ return 0;
+ }
+
--- /dev/null
+From 98f9de366fccee7572c646af226b2d4b4841e3b5 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+Date: Mon, 22 May 2017 16:05:23 +0200
+Subject: dmaengine: ep93xx: Don't drain the transfers in terminate_all()
+
+From: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+
+commit 98f9de366fccee7572c646af226b2d4b4841e3b5 upstream.
+
+Draining the transfers in terminate_all callback happens with IRQs disabled,
+therefore induces huge latency:
+
+ irqsoff latency trace v1.1.5 on 4.11.0
+ --------------------------------------------------------------------
+ latency: 39770 us, #57/57, CPU#0 | (M:preempt VP:0, KP:0, SP:0 HP:0)
+ -----------------
+ | task: process-129 (uid:0 nice:0 policy:2 rt_prio:50)
+ -----------------
+ => started at: _snd_pcm_stream_lock_irqsave
+ => ended at: snd_pcm_stream_unlock_irqrestore
+
+ _------=> CPU#
+ / _-----=> irqs-off
+ | / _----=> need-resched
+ || / _---=> hardirq/softirq
+ ||| / _--=> preempt-depth
+ |||| / delay
+ cmd pid ||||| time | caller
+ \ / ||||| \ | /
+process-129 0d.s. 3us : _snd_pcm_stream_lock_irqsave
+process-129 0d.s1 9us : snd_pcm_stream_lock <-_snd_pcm_stream_lock_irqsave
+process-129 0d.s1 15us : preempt_count_add <-snd_pcm_stream_lock
+process-129 0d.s2 22us : preempt_count_add <-snd_pcm_stream_lock
+process-129 0d.s3 32us : snd_pcm_update_hw_ptr0 <-snd_pcm_period_elapsed
+process-129 0d.s3 41us : soc_pcm_pointer <-snd_pcm_update_hw_ptr0
+process-129 0d.s3 50us : dmaengine_pcm_pointer <-soc_pcm_pointer
+process-129 0d.s3 58us+: snd_dmaengine_pcm_pointer_no_residue <-dmaengine_pcm_pointer
+process-129 0d.s3 96us : update_audio_tstamp <-snd_pcm_update_hw_ptr0
+process-129 0d.s3 103us : snd_pcm_update_state <-snd_pcm_update_hw_ptr0
+process-129 0d.s3 112us : xrun <-snd_pcm_update_state
+process-129 0d.s3 119us : snd_pcm_stop <-xrun
+process-129 0d.s3 126us : snd_pcm_action <-snd_pcm_stop
+process-129 0d.s3 134us : snd_pcm_action_single <-snd_pcm_action
+process-129 0d.s3 141us : snd_pcm_pre_stop <-snd_pcm_action_single
+process-129 0d.s3 150us : snd_pcm_do_stop <-snd_pcm_action_single
+process-129 0d.s3 157us : soc_pcm_trigger <-snd_pcm_do_stop
+process-129 0d.s3 166us : snd_dmaengine_pcm_trigger <-soc_pcm_trigger
+process-129 0d.s3 175us : ep93xx_dma_terminate_all <-snd_dmaengine_pcm_trigger
+process-129 0d.s3 182us : preempt_count_add <-ep93xx_dma_terminate_all
+process-129 0d.s4 189us*: m2p_hw_shutdown <-ep93xx_dma_terminate_all
+process-129 0d.s4 39472us : m2p_hw_setup <-ep93xx_dma_terminate_all
+
+ ... rest skipped...
+
+process-129 0d.s. 40080us : <stack trace>
+ => ep93xx_dma_tasklet
+ => tasklet_action
+ => __do_softirq
+ => irq_exit
+ => __handle_domain_irq
+ => vic_handle_irq
+ => __irq_usr
+ => 0xb66c6668
+
+Just abort the transfers and warn if the HW state is not what we expect.
+Move draining into device_synchronize callback.
+
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/ep93xx_dma.c | 37 +++++++++++++++++++++++++++++++++----
+ 1 file changed, 33 insertions(+), 4 deletions(-)
+
+--- a/drivers/dma/ep93xx_dma.c
++++ b/drivers/dma/ep93xx_dma.c
+@@ -201,6 +201,7 @@ struct ep93xx_dma_engine {
+ struct dma_device dma_dev;
+ bool m2m;
+ int (*hw_setup)(struct ep93xx_dma_chan *);
++ void (*hw_synchronize)(struct ep93xx_dma_chan *);
+ void (*hw_shutdown)(struct ep93xx_dma_chan *);
+ void (*hw_submit)(struct ep93xx_dma_chan *);
+ int (*hw_interrupt)(struct ep93xx_dma_chan *);
+@@ -335,21 +336,27 @@ static inline u32 m2p_channel_state(stru
+ return (readl(edmac->regs + M2P_STATUS) >> 4) & 0x3;
+ }
+
+-static void m2p_hw_shutdown(struct ep93xx_dma_chan *edmac)
++static void m2p_hw_synchronize(struct ep93xx_dma_chan *edmac)
+ {
++ unsigned long flags;
+ u32 control;
+
++ spin_lock_irqsave(&edmac->lock, flags);
+ control = readl(edmac->regs + M2P_CONTROL);
+ control &= ~(M2P_CONTROL_STALLINT | M2P_CONTROL_NFBINT);
+ m2p_set_control(edmac, control);
++ spin_unlock_irqrestore(&edmac->lock, flags);
+
+ while (m2p_channel_state(edmac) >= M2P_STATE_ON)
+- cpu_relax();
++ schedule();
++}
+
++static void m2p_hw_shutdown(struct ep93xx_dma_chan *edmac)
++{
+ m2p_set_control(edmac, 0);
+
+- while (m2p_channel_state(edmac) == M2P_STATE_STALL)
+- cpu_relax();
++ while (m2p_channel_state(edmac) != M2P_STATE_IDLE)
++ dev_warn(chan2dev(edmac), "M2P: Not yet IDLE\n");
+ }
+
+ static void m2p_fill_desc(struct ep93xx_dma_chan *edmac)
+@@ -1165,6 +1172,26 @@ fail:
+ }
+
+ /**
++ * ep93xx_dma_synchronize - Synchronizes the termination of transfers to the
++ * current context.
++ * @chan: channel
++ *
++ * Synchronizes the DMA channel termination to the current context. When this
++ * function returns it is guaranteed that all transfers for previously issued
++ * descriptors have stopped and and it is safe to free the memory associated
++ * with them. Furthermore it is guaranteed that all complete callback functions
++ * for a previously submitted descriptor have finished running and it is safe to
++ * free resources accessed from within the complete callbacks.
++ */
++static void ep93xx_dma_synchronize(struct dma_chan *chan)
++{
++ struct ep93xx_dma_chan *edmac = to_ep93xx_dma_chan(chan);
++
++ if (edmac->edma->hw_synchronize)
++ edmac->edma->hw_synchronize(edmac);
++}
++
++/**
+ * ep93xx_dma_terminate_all - terminate all transactions
+ * @chan: channel
+ *
+@@ -1327,6 +1354,7 @@ static int __init ep93xx_dma_probe(struc
+ dma_dev->device_prep_slave_sg = ep93xx_dma_prep_slave_sg;
+ dma_dev->device_prep_dma_cyclic = ep93xx_dma_prep_dma_cyclic;
+ dma_dev->device_config = ep93xx_dma_slave_config;
++ dma_dev->device_synchronize = ep93xx_dma_synchronize;
+ dma_dev->device_terminate_all = ep93xx_dma_terminate_all;
+ dma_dev->device_issue_pending = ep93xx_dma_issue_pending;
+ dma_dev->device_tx_status = ep93xx_dma_tx_status;
+@@ -1344,6 +1372,7 @@ static int __init ep93xx_dma_probe(struc
+ } else {
+ dma_cap_set(DMA_PRIVATE, dma_dev->cap_mask);
+
++ edma->hw_synchronize = m2p_hw_synchronize;
+ edma->hw_setup = m2p_hw_setup;
+ edma->hw_shutdown = m2p_hw_shutdown;
+ edma->hw_submit = m2p_hw_submit;
--- /dev/null
+From 9a445bbb1607d9f14556a532453dd86d1b7e381e Mon Sep 17 00:00:00 2001
+From: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
+Date: Mon, 15 May 2017 17:49:52 +0900
+Subject: dmaengine: usb-dmac: Fix DMAOR AE bit definition
+
+From: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
+
+commit 9a445bbb1607d9f14556a532453dd86d1b7e381e upstream.
+
+This patch fixes the register definition of AE (Address Error flag) bit.
+
+Fixes: 0c1c8ff32fa2 ("dmaengine: usb-dmac: Add Renesas USB DMA Controller (USB-DMAC) driver")
+Signed-off-by: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
+[Shimoda: add Fixes and Cc tags in the commit log]
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/sh/usb-dmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/sh/usb-dmac.c
++++ b/drivers/dma/sh/usb-dmac.c
+@@ -117,7 +117,7 @@ struct usb_dmac {
+ #define USB_DMASWR 0x0008
+ #define USB_DMASWR_SWR (1 << 0)
+ #define USB_DMAOR 0x0060
+-#define USB_DMAOR_AE (1 << 2)
++#define USB_DMAOR_AE (1 << 1)
+ #define USB_DMAOR_DME (1 << 0)
+
+ #define USB_DMASAR 0x0000
--- /dev/null
+From ec9ee4acd97c0039a61c0ae4f12705767ae62153 Mon Sep 17 00:00:00 2001
+From: Daniel Cashman <dcashman@android.com>
+Date: Fri, 26 Feb 2016 15:19:34 -0800
+Subject: drivers: char: random: add get_random_long()
+
+From: Daniel Cashman <dcashman@android.com>
+
+commit ec9ee4acd97c0039a61c0ae4f12705767ae62153 upstream.
+
+Commit d07e22597d1d ("mm: mmap: add new /proc tunable for mmap_base
+ASLR") added the ability to choose from a range of values to use for
+entropy count in generating the random offset to the mmap_base address.
+
+The maximum value on this range was set to 32 bits for 64-bit x86
+systems, but this value could be increased further, requiring more than
+the 32 bits of randomness provided by get_random_int(), as is already
+possible for arm64. Add a new function: get_random_long() which more
+naturally fits with the mmap usage of get_random_int() but operates
+exactly the same as get_random_int().
+
+Also, fix the shifting constant in mmap_rnd() to be an unsigned long so
+that values greater than 31 bits generate an appropriate mask without
+overflow. This is especially important on x86, as its shift instruction
+uses a 5-bit mask for the shift operand, which meant that any value for
+mmap_rnd_bits over 31 acts as a no-op and effectively disables mmap_base
+randomization.
+
+Finally, replace calls to get_random_int() with get_random_long() where
+appropriate.
+
+This patch (of 2):
+
+Add get_random_long().
+
+Signed-off-by: Daniel Cashman <dcashman@android.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: "Theodore Ts'o" <tytso@mit.edu>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Nick Kralevich <nnk@google.com>
+Cc: Jeff Vander Stoep <jeffv@google.com>
+Cc: Mark Salyzyn <salyzyn@android.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/random.c | 22 ++++++++++++++++++++++
+ include/linux/random.h | 1 +
+ 2 files changed, 23 insertions(+)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1825,6 +1825,28 @@ unsigned int get_random_int(void)
+ EXPORT_SYMBOL(get_random_int);
+
+ /*
++ * Same as get_random_int(), but returns unsigned long.
++ */
++unsigned long get_random_long(void)
++{
++ __u32 *hash;
++ unsigned long ret;
++
++ if (arch_get_random_long(&ret))
++ return ret;
++
++ hash = get_cpu_var(get_random_int_hash);
++
++ hash[0] += current->pid + jiffies + random_get_entropy();
++ md5_transform(hash, random_int_secret);
++ ret = *(unsigned long *)hash;
++ put_cpu_var(get_random_int_hash);
++
++ return ret;
++}
++EXPORT_SYMBOL(get_random_long);
++
++/*
+ * randomize_range() returns a start address such that
+ *
+ * [...... <range> .....]
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -34,6 +34,7 @@ extern const struct file_operations rand
+ #endif
+
+ unsigned int get_random_int(void);
++unsigned long get_random_long(void);
+ unsigned long randomize_range(unsigned long start, unsigned long end, unsigned long len);
+
+ u32 prandom_u32(void);
--- /dev/null
+From 43523eba79bda8f5b4c27f8ffe20ea078d20113a Mon Sep 17 00:00:00 2001
+From: Eric Anholt <eric@anholt.net>
+Date: Wed, 12 Apr 2017 12:11:58 -0700
+Subject: drm/msm: Expose our reservation object when exporting a dmabuf.
+
+From: Eric Anholt <eric@anholt.net>
+
+commit 43523eba79bda8f5b4c27f8ffe20ea078d20113a upstream.
+
+Without this, polling on the dma-buf (and presumably other devices
+synchronizing against our rendering) would return immediately, even
+while the BO was busy.
+
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Rob Clark <robdclark@gmail.com>
+Cc: linux-arm-msm@vger.kernel.org
+Cc: freedreno@lists.freedesktop.org
+Reviewed-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/msm/msm_drv.c | 1 +
+ drivers/gpu/drm/msm/msm_drv.h | 1 +
+ drivers/gpu/drm/msm/msm_gem_prime.c | 7 +++++++
+ 3 files changed, 9 insertions(+)
+
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -986,6 +986,7 @@ static struct drm_driver msm_driver = {
+ .prime_fd_to_handle = drm_gem_prime_fd_to_handle,
+ .gem_prime_export = drm_gem_prime_export,
+ .gem_prime_import = drm_gem_prime_import,
++ .gem_prime_res_obj = msm_gem_prime_res_obj,
+ .gem_prime_pin = msm_gem_prime_pin,
+ .gem_prime_unpin = msm_gem_prime_unpin,
+ .gem_prime_get_sg_table = msm_gem_prime_get_sg_table,
+--- a/drivers/gpu/drm/msm/msm_drv.h
++++ b/drivers/gpu/drm/msm/msm_drv.h
+@@ -212,6 +212,7 @@ struct sg_table *msm_gem_prime_get_sg_ta
+ void *msm_gem_prime_vmap(struct drm_gem_object *obj);
+ void msm_gem_prime_vunmap(struct drm_gem_object *obj, void *vaddr);
+ int msm_gem_prime_mmap(struct drm_gem_object *obj, struct vm_area_struct *vma);
++struct reservation_object *msm_gem_prime_res_obj(struct drm_gem_object *obj);
+ struct drm_gem_object *msm_gem_prime_import_sg_table(struct drm_device *dev,
+ struct dma_buf_attachment *attach, struct sg_table *sg);
+ int msm_gem_prime_pin(struct drm_gem_object *obj);
+--- a/drivers/gpu/drm/msm/msm_gem_prime.c
++++ b/drivers/gpu/drm/msm/msm_gem_prime.c
+@@ -70,3 +70,10 @@ void msm_gem_prime_unpin(struct drm_gem_
+ if (!obj->import_attach)
+ msm_gem_put_pages(obj);
+ }
++
++struct reservation_object *msm_gem_prime_res_obj(struct drm_gem_object *obj)
++{
++ struct msm_gem_object *msm_obj = to_msm_bo(obj);
++
++ return msm_obj->resv;
++}
--- /dev/null
+From 67a7d5f561f469ad2fa5154d2888258ab8e6df7c Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 29 May 2017 13:24:55 -0400
+Subject: ext4: fix fdatasync(2) after extent manipulation operations
+
+From: Jan Kara <jack@suse.cz>
+
+commit 67a7d5f561f469ad2fa5154d2888258ab8e6df7c upstream.
+
+Currently, extent manipulation operations such as hole punch, range
+zeroing, or extent shifting do not record the fact that file data has
+changed and thus fdatasync(2) has a work to do. As a result if we crash
+e.g. after a punch hole and fdatasync, user can still possibly see the
+punched out data after journal replay. Test generic/392 fails due to
+these problems.
+
+Fix the problem by properly marking that file data has changed in these
+operations.
+
+Fixes: a4bb6b64e39abc0e41ca077725f2a72c868e7622
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/extents.c | 5 +++++
+ fs/ext4/inode.c | 2 ++
+ 2 files changed, 7 insertions(+)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -4902,6 +4902,8 @@ static long ext4_zero_range(struct file
+
+ /* Zero out partial block at the edges of the range */
+ ret = ext4_zero_partial_blocks(handle, inode, offset, len);
++ if (ret >= 0)
++ ext4_update_inode_fsync_trans(handle, inode, 1);
+
+ if (file->f_flags & O_SYNC)
+ ext4_handle_sync(handle);
+@@ -5597,6 +5599,7 @@ int ext4_collapse_range(struct inode *in
+ ext4_handle_sync(handle);
+ inode->i_mtime = inode->i_ctime = ext4_current_time(inode);
+ ext4_mark_inode_dirty(handle, inode);
++ ext4_update_inode_fsync_trans(handle, inode, 1);
+
+ out_stop:
+ ext4_journal_stop(handle);
+@@ -5770,6 +5773,8 @@ int ext4_insert_range(struct inode *inod
+ up_write(&EXT4_I(inode)->i_data_sem);
+ if (IS_SYNC(inode))
+ ext4_handle_sync(handle);
++ if (ret >= 0)
++ ext4_update_inode_fsync_trans(handle, inode, 1);
+
+ out_stop:
+ ext4_journal_stop(handle);
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -3793,6 +3793,8 @@ int ext4_punch_hole(struct inode *inode,
+
+ inode->i_mtime = inode->i_ctime = ext4_current_time(inode);
+ ext4_mark_inode_dirty(handle, inode);
++ if (ret >= 0)
++ ext4_update_inode_fsync_trans(handle, inode, 1);
+ out_stop:
+ ext4_journal_stop(handle);
+ out_dio:
--- /dev/null
+From 7d95eddf313c88b24f99d4ca9c2411a4b82fef33 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Sun, 21 May 2017 22:33:23 -0400
+Subject: ext4: fix SEEK_HOLE
+
+From: Jan Kara <jack@suse.cz>
+
+commit 7d95eddf313c88b24f99d4ca9c2411a4b82fef33 upstream.
+
+Currently, SEEK_HOLE implementation in ext4 may both return that there's
+a hole at some offset although that offset already has data and skip
+some holes during a search for the next hole. The first problem is
+demostrated by:
+
+xfs_io -c "falloc 0 256k" -c "pwrite 0 56k" -c "seek -h 0" file
+wrote 57344/57344 bytes at offset 0
+56 KiB, 14 ops; 0.0000 sec (2.054 GiB/sec and 538461.5385 ops/sec)
+Whence Result
+HOLE 0
+
+Where we can see that SEEK_HOLE wrongly returned offset 0 as containing
+a hole although we have written data there. The second problem can be
+demonstrated by:
+
+xfs_io -c "falloc 0 256k" -c "pwrite 0 56k" -c "pwrite 128k 8k"
+ -c "seek -h 0" file
+
+wrote 57344/57344 bytes at offset 0
+56 KiB, 14 ops; 0.0000 sec (1.978 GiB/sec and 518518.5185 ops/sec)
+wrote 8192/8192 bytes at offset 131072
+8 KiB, 2 ops; 0.0000 sec (2 GiB/sec and 500000.0000 ops/sec)
+Whence Result
+HOLE 139264
+
+Where we can see that hole at offsets 56k..128k has been ignored by the
+SEEK_HOLE call.
+
+The underlying problem is in the ext4_find_unwritten_pgoff() which is
+just buggy. In some cases it fails to update returned offset when it
+finds a hole (when no pages are found or when the first found page has
+higher index than expected), in some cases conditions for detecting hole
+are just missing (we fail to detect a situation where indices of
+returned pages are not contiguous).
+
+Fix ext4_find_unwritten_pgoff() to properly detect non-contiguous page
+indices and also handle all cases where we got less pages then expected
+in one place and handle it properly there.
+
+Fixes: c8c0df241cc2719b1262e627f999638411934f60
+CC: Zheng Liu <wenqing.lz@taobao.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/file.c | 50 ++++++++++++++------------------------------------
+ 1 file changed, 14 insertions(+), 36 deletions(-)
+
+--- a/fs/ext4/file.c
++++ b/fs/ext4/file.c
+@@ -463,47 +463,27 @@ static int ext4_find_unwritten_pgoff(str
+ num = min_t(pgoff_t, end - index, PAGEVEC_SIZE);
+ nr_pages = pagevec_lookup(&pvec, inode->i_mapping, index,
+ (pgoff_t)num);
+- if (nr_pages == 0) {
+- if (whence == SEEK_DATA)
+- break;
+-
+- BUG_ON(whence != SEEK_HOLE);
+- /*
+- * If this is the first time to go into the loop and
+- * offset is not beyond the end offset, it will be a
+- * hole at this offset
+- */
+- if (lastoff == startoff || lastoff < endoff)
+- found = 1;
++ if (nr_pages == 0)
+ break;
+- }
+-
+- /*
+- * If this is the first time to go into the loop and
+- * offset is smaller than the first page offset, it will be a
+- * hole at this offset.
+- */
+- if (lastoff == startoff && whence == SEEK_HOLE &&
+- lastoff < page_offset(pvec.pages[0])) {
+- found = 1;
+- break;
+- }
+
+ for (i = 0; i < nr_pages; i++) {
+ struct page *page = pvec.pages[i];
+ struct buffer_head *bh, *head;
+
+ /*
+- * If the current offset is not beyond the end of given
+- * range, it will be a hole.
++ * If current offset is smaller than the page offset,
++ * there is a hole at this offset.
+ */
+- if (lastoff < endoff && whence == SEEK_HOLE &&
+- page->index > end) {
++ if (whence == SEEK_HOLE && lastoff < endoff &&
++ lastoff < page_offset(pvec.pages[i])) {
+ found = 1;
+ *offset = lastoff;
+ goto out;
+ }
+
++ if (page->index > end)
++ goto out;
++
+ lock_page(page);
+
+ if (unlikely(page->mapping != inode->i_mapping)) {
+@@ -543,20 +523,18 @@ static int ext4_find_unwritten_pgoff(str
+ unlock_page(page);
+ }
+
+- /*
+- * The no. of pages is less than our desired, that would be a
+- * hole in there.
+- */
+- if (nr_pages < num && whence == SEEK_HOLE) {
+- found = 1;
+- *offset = lastoff;
++ /* The no. of pages is less than our desired, we are done. */
++ if (nr_pages < num)
+ break;
+- }
+
+ index = pvec.pages[i - 1]->index + 1;
+ pagevec_release(&pvec);
+ } while (index <= end);
+
++ if (whence == SEEK_HOLE && lastoff < endoff) {
++ found = 1;
++ *offset = lastoff;
++ }
+ out:
+ pagevec_release(&pvec);
+ return found;
--- /dev/null
+From 887a9730614727c4fff7cb756711b190593fc1df Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Sun, 21 May 2017 22:36:23 -0400
+Subject: ext4: keep existing extra fields when inode expands
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+commit 887a9730614727c4fff7cb756711b190593fc1df upstream.
+
+ext4_expand_extra_isize() should clear only space between old and new
+size.
+
+Fixes: 6dd4ee7cab7e # v2.6.23
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -5162,8 +5162,9 @@ static int ext4_expand_extra_isize(struc
+ /* No extended attributes present */
+ if (!ext4_test_inode_state(inode, EXT4_STATE_XATTR) ||
+ header->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC)) {
+- memset((void *)raw_inode + EXT4_GOOD_OLD_INODE_SIZE, 0,
+- new_extra_isize);
++ memset((void *)raw_inode + EXT4_GOOD_OLD_INODE_SIZE +
++ EXT4_I(inode)->i_extra_isize, 0,
++ new_extra_isize - EXT4_I(inode)->i_extra_isize);
+ EXT4_I(inode)->i_extra_isize = new_extra_isize;
+ return 0;
+ }
--- /dev/null
+From 414cf7186dbec29bd946c138d6b5c09da5955a08 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 8 Jun 2017 18:15:18 -0400
+Subject: fix ufs_isblockset()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 414cf7186dbec29bd946c138d6b5c09da5955a08 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ufs/util.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/fs/ufs/util.h
++++ b/fs/ufs/util.h
+@@ -473,15 +473,19 @@ static inline unsigned _ubh_find_last_ze
+ static inline int _ubh_isblockset_(struct ufs_sb_private_info * uspi,
+ struct ufs_buffer_head * ubh, unsigned begin, unsigned block)
+ {
++ u8 mask;
+ switch (uspi->s_fpb) {
+ case 8:
+ return (*ubh_get_addr (ubh, begin + block) == 0xff);
+ case 4:
+- return (*ubh_get_addr (ubh, begin + (block >> 1)) == (0x0f << ((block & 0x01) << 2)));
++ mask = 0x0f << ((block & 0x01) << 2);
++ return (*ubh_get_addr (ubh, begin + (block >> 1)) & mask) == mask;
+ case 2:
+- return (*ubh_get_addr (ubh, begin + (block >> 2)) == (0x03 << ((block & 0x03) << 1)));
++ mask = 0x03 << ((block & 0x03) << 1);
++ return (*ubh_get_addr (ubh, begin + (block >> 2)) & mask) == mask;
+ case 1:
+- return (*ubh_get_addr (ubh, begin + (block >> 3)) == (0x01 << (block & 0x07)));
++ mask = 0x01 << (block & 0x07);
++ return (*ubh_get_addr (ubh, begin + (block >> 3)) & mask) == mask;
+ }
+ return 0;
+ }
--- /dev/null
+From 7cc3bff4efe6164a0c8163331c8aa55454799f42 Mon Sep 17 00:00:00 2001
+From: Franziska Naepelt <franziska.naepelt@idt.com>
+Date: Wed, 17 May 2017 12:41:19 +0200
+Subject: iio: light: ltr501 Fix interchanged als/ps register field
+
+From: Franziska Naepelt <franziska.naepelt@idt.com>
+
+commit 7cc3bff4efe6164a0c8163331c8aa55454799f42 upstream.
+
+The register mapping for the IIO driver for the Liteon Light and Proximity
+sensor LTR501 interrupt mode is interchanged (ALS/PS).
+There is a register called INTERRUPT register (address 0x8F)
+Bit 0 represents PS measurement trigger.
+Bit 1 represents ALS measurement trigger.
+This two bit fields are interchanged within the driver.
+see datasheet page 24:
+http://optoelectronics.liteon.com/upload/download/DS86-2012-0006/S_110_LTR-501ALS-01_PrelimDS_ver1%5B1%5D.pdf
+
+Signed-off-by: Franziska Naepelt <franziska.naepelt@idt.com>
+Fixes: 7ac702b3144b6 ("iio: ltr501: Add interrupt support")
+Acked-by: Peter Meerwald-Stadler <pmeerw@pmeerw.net>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/light/ltr501.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/light/ltr501.c
++++ b/drivers/iio/light/ltr501.c
+@@ -74,9 +74,9 @@ static const int int_time_mapping[] = {1
+ static const struct reg_field reg_field_it =
+ REG_FIELD(LTR501_ALS_MEAS_RATE, 3, 4);
+ static const struct reg_field reg_field_als_intr =
+- REG_FIELD(LTR501_INTR, 0, 0);
+-static const struct reg_field reg_field_ps_intr =
+ REG_FIELD(LTR501_INTR, 1, 1);
++static const struct reg_field reg_field_ps_intr =
++ REG_FIELD(LTR501_INTR, 0, 0);
+ static const struct reg_field reg_field_als_rate =
+ REG_FIELD(LTR501_ALS_MEAS_RATE, 0, 2);
+ static const struct reg_field reg_field_ps_rate =
--- /dev/null
+From 275292d3a3d62670b1b13484707b74e5239b4bb0 Mon Sep 17 00:00:00 2001
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+Date: Thu, 27 Apr 2017 00:52:32 -0700
+Subject: iio: proximity: as3935: fix AS3935_INT mask
+
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+
+commit 275292d3a3d62670b1b13484707b74e5239b4bb0 upstream.
+
+AS3935 interrupt mask has been incorrect so valid lightning events
+would never trigger an buffer event. Also noise interrupt should be
+BIT(0).
+
+Fixes: 24ddb0e4bba4 ("iio: Add AS3935 lightning sensor support")
+Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/proximity/as3935.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/proximity/as3935.c
++++ b/drivers/iio/proximity/as3935.c
+@@ -40,9 +40,9 @@
+ #define AS3935_AFE_PWR_BIT BIT(0)
+
+ #define AS3935_INT 0x03
+-#define AS3935_INT_MASK 0x07
++#define AS3935_INT_MASK 0x0f
+ #define AS3935_EVENT_INT BIT(3)
+-#define AS3935_NOISE_INT BIT(1)
++#define AS3935_NOISE_INT BIT(0)
+
+ #define AS3935_DATA 0x07
+ #define AS3935_DATA_MASK 0x3F
--- /dev/null
+From 47eb0c8b4d9eb6368941c6a9bb443f00847a46d7 Mon Sep 17 00:00:00 2001
+From: Ulrik De Bie <ulrik.debie-os@e2big.org>
+Date: Wed, 7 Jun 2017 10:30:57 -0700
+Subject: Input: elantech - add Fujitsu Lifebook E546/E557 to force crc_enabled
+
+From: Ulrik De Bie <ulrik.debie-os@e2big.org>
+
+commit 47eb0c8b4d9eb6368941c6a9bb443f00847a46d7 upstream.
+
+The Lifebook E546 and E557 touchpad were also not functioning and
+worked after running:
+
+ echo "1" > /sys/devices/platform/i8042/serio2/crc_enabled
+
+Add them to the list of machines that need this workaround.
+
+Signed-off-by: Ulrik De Bie <ulrik.debie-os@e2big.org>
+Reviewed-by: Arjan Opmeer <arjan@opmeer.net>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elantech.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -1122,8 +1122,10 @@ static int elantech_get_resolution_v4(st
+ * Asus UX32VD 0x361f02 00, 15, 0e clickpad
+ * Avatar AVIU-145A2 0x361f00 ? clickpad
+ * Fujitsu LIFEBOOK E544 0x470f00 d0, 12, 09 2 hw buttons
++ * Fujitsu LIFEBOOK E546 0x470f00 50, 12, 09 2 hw buttons
+ * Fujitsu LIFEBOOK E547 0x470f00 50, 12, 09 2 hw buttons
+ * Fujitsu LIFEBOOK E554 0x570f01 40, 14, 0c 2 hw buttons
++ * Fujitsu LIFEBOOK E557 0x570f01 40, 14, 0c 2 hw buttons
+ * Fujitsu T725 0x470f01 05, 12, 09 2 hw buttons
+ * Fujitsu H730 0x570f00 c0, 14, 0c 3 hw buttons (**)
+ * Gigabyte U2442 0x450f01 58, 17, 0c 2 hw buttons
+@@ -1529,6 +1531,13 @@ static const struct dmi_system_id elante
+ },
+ },
+ {
++ /* Fujitsu LIFEBOOK E546 does not work with crc_enabled == 0 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK E546"),
++ },
++ },
++ {
+ /* Fujitsu LIFEBOOK E547 does not work with crc_enabled == 0 */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
+@@ -1550,6 +1559,13 @@ static const struct dmi_system_id elante
+ },
+ },
+ {
++ /* Fujitsu LIFEBOOK E557 does not work with crc_enabled == 0 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK E557"),
++ },
++ },
++ {
+ /* Fujitsu LIFEBOOK U745 does not work with crc_enabled == 0 */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
--- /dev/null
+From b1132deac01c2332d234fa821a70022796b79182 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers3@gmail.com>
+Date: Wed, 4 May 2016 21:08:39 -0400
+Subject: random: properly align get_random_int_hash
+
+From: Eric Biggers <ebiggers3@gmail.com>
+
+commit b1132deac01c2332d234fa821a70022796b79182 upstream.
+
+get_random_long() reads from the get_random_int_hash array using an
+unsigned long pointer. For this code to be guaranteed correct on all
+architectures, the array must be aligned to an unsigned long boundary.
+
+Signed-off-by: Eric Biggers <ebiggers3@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/random.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1798,13 +1798,15 @@ int random_int_secret_init(void)
+ return 0;
+ }
+
++static DEFINE_PER_CPU(__u32 [MD5_DIGEST_WORDS], get_random_int_hash)
++ __aligned(sizeof(unsigned long));
++
+ /*
+ * Get a random word for internal kernel use only. Similar to urandom but
+ * with the goal of minimal entropy pool depletion. As a result, the random
+ * value is not cryptographically secure but for several uses the cost of
+ * depleting entropy is too high
+ */
+-static DEFINE_PER_CPU(__u32 [MD5_DIGEST_WORDS], get_random_int_hash);
+ unsigned int get_random_int(void)
+ {
+ __u32 *hash;
kvm-cpuid-fix-read-write-out-of-bounds-vulnerability-in-cpuid-emulation.patch
arm-kvm-allow-unaligned-accesses-at-hyp.patch
kvm-async_pf-avoid-async-pf-injection-when-in-guest-mode.patch
+dmaengine-usb-dmac-fix-dmaor-ae-bit-definition.patch
+dmaengine-ep93xx-always-start-from-base0.patch
+dmaengine-ep93xx-don-t-drain-the-transfers-in-terminate_all.patch
+xen-privcmd-support-correctly-64kb-page-granularity-when-mapping-memory.patch
+xen-netfront-do-not-cast-grant-table-reference-to-signed-short.patch
+xen-netfront-cast-grant-table-reference-first-to-type-int.patch
+ext4-fix-seek_hole.patch
+ext4-keep-existing-extra-fields-when-inode-expands.patch
+ext4-fix-fdatasync-2-after-extent-manipulation-operations.patch
+usb-gadget-f_mass_storage-serialize-wake-and-sleep-execution.patch
+usb-chipidea-udc-fix-null-pointer-dereference-if-udc_start-failed.patch
+usb-chipidea-debug-check-before-accessing-ci_role.patch
+staging-lustre-lov-remove-set_fs-call-from-lov_getstripe.patch
+iio-light-ltr501-fix-interchanged-als-ps-register-field.patch
+iio-proximity-as3935-fix-as3935_int-mask.patch
+drivers-char-random-add-get_random_long.patch
+random-properly-align-get_random_int_hash.patch
+stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch
+cpufreq-cpufreq_register_driver-should-return-enodev-if-init-fails.patch
+target-re-add-check-to-reject-control-writes-with-overflow-data.patch
+drm-msm-expose-our-reservation-object-when-exporting-a-dmabuf.patch
+input-elantech-add-fujitsu-lifebook-e546-e557-to-force-crc_enabled.patch
+cpuset-consider-dying-css-as-offline.patch
+ufs-restore-proper-tail-allocation.patch
+fix-ufs_isblockset.patch
+ufs-restore-maintaining-i_blocks.patch
+ufs-set-correct-s_maxsize.patch
+ufs_extend_tail-fix-the-braino-in-calling-conventions-of-ufs_new_fragments.patch
+ufs_getfrag_block-we-only-grab-truncate_mutex-on-block-creation-path.patch
+cxl-fix-error-path-on-bad-ioctl.patch
+btrfs-use-correct-types-for-page-indices-in-btrfs_page_exists_in_range.patch
+btrfs-fix-memory-leak-in-update_space_info-failure-path.patch
--- /dev/null
+From 5ea30e4e58040cfd6434c2f33dc3ea76e2c15b05 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 09:32:09 -0400
+Subject: stackprotector: Increase the per-task stack canary's random range from 32 bits to 64 bits on 64-bit platforms
+
+From: Daniel Micay <danielmicay@gmail.com>
+
+commit 5ea30e4e58040cfd6434c2f33dc3ea76e2c15b05 upstream.
+
+The stack canary is an 'unsigned long' and should be fully initialized to
+random data rather than only 32 bits of random data.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Acked-by: Arjan van de Ven <arjan@linux.intel.com>
+Acked-by: Rik van Riel <riel@redhat.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Arjan van Ven <arjan@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: kernel-hardening@lists.openwall.com
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20170504133209.3053-1-danielmicay@gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/fork.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -368,7 +368,7 @@ static struct task_struct *dup_task_stru
+ set_task_stack_end_magic(tsk);
+
+ #ifdef CONFIG_CC_STACKPROTECTOR
+- tsk->stack_canary = get_random_int();
++ tsk->stack_canary = get_random_long();
+ #endif
+
+ /*
--- /dev/null
+From 0a33252e060e97ed3fbdcec9517672f1e91aaef3 Mon Sep 17 00:00:00 2001
+From: Oleg Drokin <green@linuxhacker.ru>
+Date: Fri, 26 May 2017 23:40:33 -0400
+Subject: staging/lustre/lov: remove set_fs() call from lov_getstripe()
+
+From: Oleg Drokin <green@linuxhacker.ru>
+
+commit 0a33252e060e97ed3fbdcec9517672f1e91aaef3 upstream.
+
+lov_getstripe() calls set_fs(KERNEL_DS) so that it can handle a struct
+lov_user_md pointer from user- or kernel-space. This changes the
+behavior of copy_from_user() on SPARC and may result in a misaligned
+access exception which in turn oopses the kernel. In fact the
+relevant argument to lov_getstripe() is never called with a
+kernel-space pointer and so changing the address limits is unnecessary
+and so we remove the calls to save, set, and restore the address
+limits.
+
+Signed-off-by: John L. Hammond <john.hammond@intel.com>
+Reviewed-on: http://review.whamcloud.com/6150
+Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-3221
+Reviewed-by: Andreas Dilger <andreas.dilger@intel.com>
+Reviewed-by: Li Wei <wei.g.li@intel.com>
+Signed-off-by: Oleg Drokin <green@linuxhacker.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/lustre/lustre/lov/lov_pack.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/drivers/staging/lustre/lustre/lov/lov_pack.c
++++ b/drivers/staging/lustre/lustre/lov/lov_pack.c
+@@ -399,18 +399,10 @@ int lov_getstripe(struct obd_export *exp
+ struct lov_mds_md *lmmk = NULL;
+ int rc, lmm_size;
+ int lum_size;
+- mm_segment_t seg;
+
+ if (!lsm)
+ return -ENODATA;
+
+- /*
+- * "Switch to kernel segment" to allow copying from kernel space by
+- * copy_{to,from}_user().
+- */
+- seg = get_fs();
+- set_fs(KERNEL_DS);
+-
+ /* we only need the header part from user space to get lmm_magic and
+ * lmm_stripe_count, (the header part is common to v1 and v3) */
+ lum_size = sizeof(struct lov_user_md_v1);
+@@ -485,6 +477,5 @@ int lov_getstripe(struct obd_export *exp
+
+ obd_free_diskmd(exp, &lmmk);
+ out_set:
+- set_fs(seg);
+ return rc;
+ }
--- /dev/null
+From 4ff83daa0200affe1894bd33d17bac404e3d78d4 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Thu, 11 May 2017 01:07:24 -0700
+Subject: target: Re-add check to reject control WRITEs with overflow data
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 4ff83daa0200affe1894bd33d17bac404e3d78d4 upstream.
+
+During v4.3 when the overflow/underflow check was relaxed by
+commit c72c525022:
+
+ commit c72c5250224d475614a00c1d7e54a67f77cd3410
+ Author: Roland Dreier <roland@purestorage.com>
+ Date: Wed Jul 22 15:08:18 2015 -0700
+
+ target: allow underflow/overflow for PR OUT etc. commands
+
+to allow underflow/overflow for Windows compliance + FCP, a
+consequence was to allow control CDBs to process overflow
+data for iscsi-target with immediate data as well.
+
+As per Roland's original change, continue to allow underflow
+cases for control CDBs to make Windows compliance + FCP happy,
+but until overflow for control CDBs is supported tree-wide,
+explicitly reject all control WRITEs with overflow following
+pre v4.3.y logic.
+
+Reported-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Cc: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1154,15 +1154,28 @@ target_cmd_size_check(struct se_cmd *cmd
+ if (cmd->unknown_data_length) {
+ cmd->data_length = size;
+ } else if (size != cmd->data_length) {
+- pr_warn("TARGET_CORE[%s]: Expected Transfer Length:"
++ pr_warn_ratelimited("TARGET_CORE[%s]: Expected Transfer Length:"
+ " %u does not match SCSI CDB Length: %u for SAM Opcode:"
+ " 0x%02x\n", cmd->se_tfo->get_fabric_name(),
+ cmd->data_length, size, cmd->t_task_cdb[0]);
+
+- if (cmd->data_direction == DMA_TO_DEVICE &&
+- cmd->se_cmd_flags & SCF_SCSI_DATA_CDB) {
+- pr_err("Rejecting underflow/overflow WRITE data\n");
+- return TCM_INVALID_CDB_FIELD;
++ if (cmd->data_direction == DMA_TO_DEVICE) {
++ if (cmd->se_cmd_flags & SCF_SCSI_DATA_CDB) {
++ pr_err_ratelimited("Rejecting underflow/overflow"
++ " for WRITE data CDB\n");
++ return TCM_INVALID_CDB_FIELD;
++ }
++ /*
++ * Some fabric drivers like iscsi-target still expect to
++ * always reject overflow writes. Reject this case until
++ * full fabric driver level support for overflow writes
++ * is introduced tree-wide.
++ */
++ if (size > cmd->data_length) {
++ pr_err_ratelimited("Rejecting overflow for"
++ " WRITE control CDB\n");
++ return TCM_INVALID_CDB_FIELD;
++ }
+ }
+ /*
+ * Reject READ_* or WRITE_* with overflow/underflow for
--- /dev/null
+From eb315d2ae614493fd1ebb026c75a80573d84f7ad Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 8 Jun 2017 21:15:03 -0400
+Subject: ufs: restore maintaining ->i_blocks
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit eb315d2ae614493fd1ebb026c75a80573d84f7ad upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/stat.c | 1 +
+ fs/ufs/balloc.c | 26 +++++++++++++++++++++++++-
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+
+--- a/fs/stat.c
++++ b/fs/stat.c
+@@ -454,6 +454,7 @@ void __inode_add_bytes(struct inode *ino
+ inode->i_bytes -= 512;
+ }
+ }
++EXPORT_SYMBOL(__inode_add_bytes);
+
+ void inode_add_bytes(struct inode *inode, loff_t bytes)
+ {
+--- a/fs/ufs/balloc.c
++++ b/fs/ufs/balloc.c
+@@ -81,7 +81,8 @@ void ufs_free_fragments(struct inode *in
+ ufs_error (sb, "ufs_free_fragments",
+ "bit already cleared for fragment %u", i);
+ }
+-
++
++ inode_sub_bytes(inode, count << uspi->s_fshift);
+ fs32_add(sb, &ucg->cg_cs.cs_nffree, count);
+ uspi->cs_total.cs_nffree += count;
+ fs32_add(sb, &UFS_SB(sb)->fs_cs(cgno).cs_nffree, count);
+@@ -183,6 +184,7 @@ do_more:
+ ufs_error(sb, "ufs_free_blocks", "freeing free fragment");
+ }
+ ubh_setblock(UCPI_UBH(ucpi), ucpi->c_freeoff, blkno);
++ inode_sub_bytes(inode, uspi->s_fpb << uspi->s_fshift);
+ if ((UFS_SB(sb)->s_flags & UFS_CG_MASK) == UFS_CG_44BSD)
+ ufs_clusteracct (sb, ucpi, blkno, 1);
+
+@@ -494,6 +496,20 @@ u64 ufs_new_fragments(struct inode *inod
+ return 0;
+ }
+
++static bool try_add_frags(struct inode *inode, unsigned frags)
++{
++ unsigned size = frags * i_blocksize(inode);
++ spin_lock(&inode->i_lock);
++ __inode_add_bytes(inode, size);
++ if (unlikely((u32)inode->i_blocks != inode->i_blocks)) {
++ __inode_sub_bytes(inode, size);
++ spin_unlock(&inode->i_lock);
++ return false;
++ }
++ spin_unlock(&inode->i_lock);
++ return true;
++}
++
+ static u64 ufs_add_fragments(struct inode *inode, u64 fragment,
+ unsigned oldcount, unsigned newcount)
+ {
+@@ -530,6 +546,9 @@ static u64 ufs_add_fragments(struct inod
+ for (i = oldcount; i < newcount; i++)
+ if (ubh_isclr (UCPI_UBH(ucpi), ucpi->c_freeoff, fragno + i))
+ return 0;
++
++ if (!try_add_frags(inode, count))
++ return 0;
+ /*
+ * Block can be extended
+ */
+@@ -647,6 +666,7 @@ cg_found:
+ ubh_setbit (UCPI_UBH(ucpi), ucpi->c_freeoff, goal + i);
+ i = uspi->s_fpb - count;
+
++ inode_sub_bytes(inode, i << uspi->s_fshift);
+ fs32_add(sb, &ucg->cg_cs.cs_nffree, i);
+ uspi->cs_total.cs_nffree += i;
+ fs32_add(sb, &UFS_SB(sb)->fs_cs(cgno).cs_nffree, i);
+@@ -657,6 +677,8 @@ cg_found:
+ result = ufs_bitmap_search (sb, ucpi, goal, allocsize);
+ if (result == INVBLOCK)
+ return 0;
++ if (!try_add_frags(inode, count))
++ return 0;
+ for (i = 0; i < count; i++)
+ ubh_clrbit (UCPI_UBH(ucpi), ucpi->c_freeoff, result + i);
+
+@@ -716,6 +738,8 @@ norot:
+ return INVBLOCK;
+ ucpi->c_rotor = result;
+ gotit:
++ if (!try_add_frags(inode, uspi->s_fpb))
++ return 0;
+ blkno = ufs_fragstoblks(result);
+ ubh_clrblock (UCPI_UBH(ucpi), ucpi->c_freeoff, blkno);
+ if ((UFS_SB(sb)->s_flags & UFS_CG_MASK) == UFS_CG_44BSD)
--- /dev/null
+From 8785d84d002c2ce0f68fbcd6c2c86be859802c7e Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 8 Jun 2017 02:42:03 -0400
+Subject: ufs: restore proper tail allocation
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 8785d84d002c2ce0f68fbcd6c2c86be859802c7e upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ufs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ufs/inode.c
++++ b/fs/ufs/inode.c
+@@ -284,7 +284,7 @@ ufs_inode_getfrag(struct inode *inode, u
+ goal += uspi->s_fpb;
+ }
+ tmp = ufs_new_fragments(inode, p, ufs_blknum(new_fragment),
+- goal, uspi->s_fpb, err, locked_page);
++ goal, nfrags, err, locked_page);
+
+ if (!tmp) {
+ *err = -ENOSPC;
--- /dev/null
+From 6b0d144fa758869bdd652c50aa41aaf601232550 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 8 Jun 2017 21:15:45 -0400
+Subject: ufs: set correct ->s_maxsize
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 6b0d144fa758869bdd652c50aa41aaf601232550 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ufs/super.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/fs/ufs/super.c
++++ b/fs/ufs/super.c
+@@ -746,6 +746,23 @@ static void ufs_put_super(struct super_b
+ return;
+ }
+
++static u64 ufs_max_bytes(struct super_block *sb)
++{
++ struct ufs_sb_private_info *uspi = UFS_SB(sb)->s_uspi;
++ int bits = uspi->s_apbshift;
++ u64 res;
++
++ if (bits > 21)
++ res = ~0ULL;
++ else
++ res = UFS_NDADDR + (1LL << bits) + (1LL << (2*bits)) +
++ (1LL << (3*bits));
++
++ if (res >= (MAX_LFS_FILESIZE >> uspi->s_bshift))
++ return MAX_LFS_FILESIZE;
++ return res << uspi->s_bshift;
++}
++
+ static int ufs_fill_super(struct super_block *sb, void *data, int silent)
+ {
+ struct ufs_sb_info * sbi;
+@@ -1212,6 +1229,7 @@ magic_found:
+ "fast symlink size (%u)\n", uspi->s_maxsymlinklen);
+ uspi->s_maxsymlinklen = maxsymlen;
+ }
++ sb->s_maxbytes = ufs_max_bytes(sb);
+ sb->s_max_links = UFS_LINK_MAX;
+
+ inode = ufs_iget(sb, UFS_ROOTINO);
--- /dev/null
+From 940ef1a0ed939c2ca029fca715e25e7778ce1e34 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 8 Jun 2017 23:27:12 -0400
+Subject: ufs_extend_tail(): fix the braino in calling conventions of ufs_new_fragments()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 940ef1a0ed939c2ca029fca715e25e7778ce1e34 upstream.
+
+... and it really needs splitting into "new" and "extend" cases, but that's for
+later
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ufs/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ufs/inode.c
++++ b/fs/ufs/inode.c
+@@ -235,7 +235,8 @@ ufs_extend_tail(struct inode *inode, u64
+
+ p = ufs_get_direct_data_ptr(uspi, ufsi, block);
+ tmp = ufs_new_fragments(inode, p, lastfrag, ufs_data_ptr_to_cpu(sb, p),
+- new_size, err, locked_page);
++ new_size - (lastfrag & uspi->s_fpbmask), err,
++ locked_page);
+ return tmp != 0;
+ }
+
--- /dev/null
+From 006351ac8ead0d4a67dd3845e3ceffe650a23212 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 8 Jun 2017 23:28:53 -0400
+Subject: ufs_getfrag_block(): we only grab ->truncate_mutex on block creation path
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 006351ac8ead0d4a67dd3845e3ceffe650a23212 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ufs/inode.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/ufs/inode.c
++++ b/fs/ufs/inode.c
+@@ -403,7 +403,9 @@ static int ufs_getfrag_block(struct inod
+
+ if (!create) {
+ phys64 = ufs_frag_map(inode, offsets, depth);
+- goto out;
++ if (phys64)
++ map_bh(bh_result, sb, phys64 + frag);
++ return 0;
+ }
+
+ /* This code entered only while writing ....? */
--- /dev/null
+From 0340ff83cd4475261e7474033a381bc125b45244 Mon Sep 17 00:00:00 2001
+From: Michael Thalmeier <michael.thalmeier@hale.at>
+Date: Thu, 18 May 2017 16:14:14 +0200
+Subject: usb: chipidea: debug: check before accessing ci_role
+
+From: Michael Thalmeier <michael.thalmeier@hale.at>
+
+commit 0340ff83cd4475261e7474033a381bc125b45244 upstream.
+
+ci_role BUGs when the role is >= CI_ROLE_END.
+
+Signed-off-by: Michael Thalmeier <michael.thalmeier@hale.at>
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/chipidea/debug.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/chipidea/debug.c
++++ b/drivers/usb/chipidea/debug.c
+@@ -295,7 +295,8 @@ static int ci_role_show(struct seq_file
+ {
+ struct ci_hdrc *ci = s->private;
+
+- seq_printf(s, "%s\n", ci_role(ci)->name);
++ if (ci->role != CI_ROLE_END)
++ seq_printf(s, "%s\n", ci_role(ci)->name);
+
+ return 0;
+ }
--- /dev/null
+From aa1f058d7d9244423b8c5a75b9484b1115df7f02 Mon Sep 17 00:00:00 2001
+From: Jisheng Zhang <jszhang@marvell.com>
+Date: Mon, 24 Apr 2017 12:35:51 +0000
+Subject: usb: chipidea: udc: fix NULL pointer dereference if udc_start failed
+
+From: Jisheng Zhang <jszhang@marvell.com>
+
+commit aa1f058d7d9244423b8c5a75b9484b1115df7f02 upstream.
+
+Fix below NULL pointer dereference. we set ci->roles[CI_ROLE_GADGET]
+too early in ci_hdrc_gadget_init(), if udc_start() fails due to some
+reason, the ci->roles[CI_ROLE_GADGET] check in ci_hdrc_gadget_destroy
+can't protect us.
+
+We fix this issue by only setting ci->roles[CI_ROLE_GADGET] if
+udc_start() succeed.
+
+[ 1.398550] Unable to handle kernel NULL pointer dereference at
+virtual address 00000000
+...
+[ 1.448600] PC is at dma_pool_free+0xb8/0xf0
+[ 1.453012] LR is at dma_pool_free+0x28/0xf0
+[ 2.113369] [<ffffff80081817d8>] dma_pool_free+0xb8/0xf0
+[ 2.118857] [<ffffff800841209c>] destroy_eps+0x4c/0x68
+[ 2.124165] [<ffffff8008413770>] ci_hdrc_gadget_destroy+0x28/0x50
+[ 2.130461] [<ffffff800840fa30>] ci_hdrc_probe+0x588/0x7e8
+[ 2.136129] [<ffffff8008380fb8>] platform_drv_probe+0x50/0xb8
+[ 2.142066] [<ffffff800837f494>] driver_probe_device+0x1fc/0x2a8
+[ 2.148270] [<ffffff800837f68c>] __device_attach_driver+0x9c/0xf8
+[ 2.154563] [<ffffff800837d570>] bus_for_each_drv+0x58/0x98
+[ 2.160317] [<ffffff800837f174>] __device_attach+0xc4/0x138
+[ 2.166072] [<ffffff800837f738>] device_initial_probe+0x10/0x18
+[ 2.172185] [<ffffff800837e58c>] bus_probe_device+0x94/0xa0
+[ 2.177940] [<ffffff800837c560>] device_add+0x3f0/0x560
+[ 2.183337] [<ffffff8008380d20>] platform_device_add+0x180/0x240
+[ 2.189541] [<ffffff800840f0e8>] ci_hdrc_add_device+0x440/0x4f8
+[ 2.195654] [<ffffff8008414194>] ci_hdrc_usb2_probe+0x13c/0x2d8
+[ 2.201769] [<ffffff8008380fb8>] platform_drv_probe+0x50/0xb8
+[ 2.207705] [<ffffff800837f494>] driver_probe_device+0x1fc/0x2a8
+[ 2.213910] [<ffffff800837f5ec>] __driver_attach+0xac/0xb0
+[ 2.219575] [<ffffff800837d4b0>] bus_for_each_dev+0x60/0xa0
+[ 2.225329] [<ffffff800837ec80>] driver_attach+0x20/0x28
+[ 2.230816] [<ffffff800837e880>] bus_add_driver+0x1d0/0x238
+[ 2.236571] [<ffffff800837fdb0>] driver_register+0x60/0xf8
+[ 2.242237] [<ffffff8008380ef4>] __platform_driver_register+0x44/0x50
+[ 2.248891] [<ffffff80086fd440>] ci_hdrc_usb2_driver_init+0x18/0x20
+[ 2.255365] [<ffffff8008082950>] do_one_initcall+0x38/0x128
+[ 2.261121] [<ffffff80086e0d00>] kernel_init_freeable+0x1ac/0x250
+[ 2.267414] [<ffffff800852f0b8>] kernel_init+0x10/0x100
+[ 2.272810] [<ffffff8008082680>] ret_from_fork+0x10/0x50
+
+Fixes: 3f124d233e97 ("usb: chipidea: add role init and destroy APIs")
+Signed-off-by: Jisheng Zhang <jszhang@marvell.com>
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/chipidea/udc.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/chipidea/udc.c
++++ b/drivers/usb/chipidea/udc.c
+@@ -1982,6 +1982,7 @@ static void udc_id_switch_for_host(struc
+ int ci_hdrc_gadget_init(struct ci_hdrc *ci)
+ {
+ struct ci_role_driver *rdrv;
++ int ret;
+
+ if (!hw_read(ci, CAP_DCCPARAMS, DCCPARAMS_DC))
+ return -ENXIO;
+@@ -1994,7 +1995,10 @@ int ci_hdrc_gadget_init(struct ci_hdrc *
+ rdrv->stop = udc_id_switch_for_host;
+ rdrv->irq = udc_irq;
+ rdrv->name = "gadget";
+- ci->roles[CI_ROLE_GADGET] = rdrv;
+
+- return udc_start(ci);
++ ret = udc_start(ci);
++ if (!ret)
++ ci->roles[CI_ROLE_GADGET] = rdrv;
++
++ return ret;
+ }
--- /dev/null
+From dc9217b69dd6089dcfeb86ed4b3c671504326087 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Thu, 11 May 2017 17:26:48 -0700
+Subject: usb: gadget: f_mass_storage: Serialize wake and sleep execution
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit dc9217b69dd6089dcfeb86ed4b3c671504326087 upstream.
+
+f_mass_storage has a memorry barrier issue with the sleep and wake
+functions that can cause a deadlock. This results in intermittent hangs
+during MSC file transfer. The host will reset the device after receiving
+no response to resume the transfer. This issue is seen when dwc3 is
+processing 2 transfer-in-progress events at the same time, invoking
+completion handlers for CSW and CBW. Also this issue occurs depending on
+the system timing and latency.
+
+To increase the chance to hit this issue, you can force dwc3 driver to
+wait and process those 2 events at once by adding a small delay (~100us)
+in dwc3_check_event_buf() whenever the request is for CSW and read the
+event count again. Avoid debugging with printk and ftrace as extra
+delays and memory barrier will mask this issue.
+
+Scenario which can lead to failure:
+-----------------------------------
+1) The main thread sleeps and waits for the next command in
+ get_next_command().
+2) bulk_in_complete() wakes up main thread for CSW.
+3) bulk_out_complete() tries to wake up the running main thread for CBW.
+4) thread_wakeup_needed is not loaded with correct value in
+ sleep_thread().
+5) Main thread goes to sleep again.
+
+The pattern is shown below. Note the 2 critical variables.
+ * common->thread_wakeup_needed
+ * bh->state
+
+ CPU 0 (sleep_thread) CPU 1 (wakeup_thread)
+ ============================== ===============================
+
+ bh->state = BH_STATE_FULL;
+ smp_wmb();
+ thread_wakeup_needed = 0; thread_wakeup_needed = 1;
+ smp_rmb();
+ if (bh->state != BH_STATE_FULL)
+ sleep again ...
+
+As pointed out by Alan Stern, this is an R-pattern issue. The issue can
+be seen when there are two wakeups in quick succession. The
+thread_wakeup_needed can be overwritten in sleep_thread, and the read of
+the bh->state maybe reordered before the write to thread_wakeup_needed.
+
+This patch applies full memory barrier smp_mb() in both sleep_thread()
+and wakeup_thread() to ensure the order which the thread_wakeup_needed
+and bh->state are written and loaded.
+
+However, a better solution in the future would be to use wait_queue
+method that takes care of managing memory barrier between waker and
+waiter.
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_mass_storage.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_mass_storage.c
++++ b/drivers/usb/gadget/function/f_mass_storage.c
+@@ -399,7 +399,11 @@ static int fsg_set_halt(struct fsg_dev *
+ /* Caller must hold fsg->lock */
+ static void wakeup_thread(struct fsg_common *common)
+ {
+- smp_wmb(); /* ensure the write of bh->state is complete */
++ /*
++ * Ensure the reading of thread_wakeup_needed
++ * and the writing of bh->state are completed
++ */
++ smp_mb();
+ /* Tell the main thread that something has happened */
+ common->thread_wakeup_needed = 1;
+ if (common->thread_task)
+@@ -630,7 +634,12 @@ static int sleep_thread(struct fsg_commo
+ }
+ __set_current_state(TASK_RUNNING);
+ common->thread_wakeup_needed = 0;
+- smp_rmb(); /* ensure the latest bh->state is visible */
++
++ /*
++ * Ensure the writing of thread_wakeup_needed
++ * and the reading of bh->state are completed
++ */
++ smp_mb();
+ return rc;
+ }
+
--- /dev/null
+From 269ebce4531b8edc4224259a02143181a1c1d77c Mon Sep 17 00:00:00 2001
+From: Dongli Zhang <dongli.zhang@oracle.com>
+Date: Wed, 2 Nov 2016 09:04:33 +0800
+Subject: xen-netfront: cast grant table reference first to type int
+
+From: Dongli Zhang <dongli.zhang@oracle.com>
+
+commit 269ebce4531b8edc4224259a02143181a1c1d77c upstream.
+
+IS_ERR_VALUE() in commit 87557efc27f6a50140fb20df06a917f368ce3c66
+("xen-netfront: do not cast grant table reference to signed short") would
+not return true for error code unless we cast ref first to type int.
+
+Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Blake Cooper <blake.cooper@braintreepayments.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/xen-netfront.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -304,7 +304,7 @@ static void xennet_alloc_rx_buffers(stru
+ queue->rx_skbs[id] = skb;
+
+ ref = gnttab_claim_grant_reference(&queue->gref_rx_head);
+- WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)ref));
++ WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)(int)ref));
+ queue->grant_rx_ref[id] = ref;
+
+ page = skb_frag_page(&skb_shinfo(skb)->frags[0]);
+@@ -437,7 +437,7 @@ static void xennet_tx_setup_grant(unsign
+ id = get_id_from_freelist(&queue->tx_skb_freelist, queue->tx_skbs);
+ tx = RING_GET_REQUEST(&queue->tx, queue->tx.req_prod_pvt++);
+ ref = gnttab_claim_grant_reference(&queue->gref_tx_head);
+- WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)ref));
++ WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)(int)ref));
+
+ gnttab_grant_foreign_access_ref(ref, queue->info->xbdev->otherend_id,
+ gfn, GNTMAP_readonly);
--- /dev/null
+From 87557efc27f6a50140fb20df06a917f368ce3c66 Mon Sep 17 00:00:00 2001
+From: Dongli Zhang <dongli.zhang@oracle.com>
+Date: Mon, 31 Oct 2016 13:38:29 +0800
+Subject: xen-netfront: do not cast grant table reference to signed short
+
+From: Dongli Zhang <dongli.zhang@oracle.com>
+
+commit 87557efc27f6a50140fb20df06a917f368ce3c66 upstream.
+
+While grant reference is of type uint32_t, xen-netfront erroneously casts
+it to signed short in BUG_ON().
+
+This would lead to the xen domU panic during boot-up or migration when it
+is attached with lots of paravirtual devices.
+
+Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Blake Cooper <blake.cooper@braintreepayments.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/xen-netfront.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -304,7 +304,7 @@ static void xennet_alloc_rx_buffers(stru
+ queue->rx_skbs[id] = skb;
+
+ ref = gnttab_claim_grant_reference(&queue->gref_rx_head);
+- BUG_ON((signed short)ref < 0);
++ WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)ref));
+ queue->grant_rx_ref[id] = ref;
+
+ page = skb_frag_page(&skb_shinfo(skb)->frags[0]);
+@@ -437,7 +437,7 @@ static void xennet_tx_setup_grant(unsign
+ id = get_id_from_freelist(&queue->tx_skb_freelist, queue->tx_skbs);
+ tx = RING_GET_REQUEST(&queue->tx, queue->tx.req_prod_pvt++);
+ ref = gnttab_claim_grant_reference(&queue->gref_tx_head);
+- BUG_ON((signed short)ref < 0);
++ WARN_ON_ONCE(IS_ERR_VALUE((unsigned long)ref));
+
+ gnttab_grant_foreign_access_ref(ref, queue->info->xbdev->otherend_id,
+ gfn, GNTMAP_readonly);
--- /dev/null
+From 753c09b5652bb4fe53e2db648002ec64b32b8827 Mon Sep 17 00:00:00 2001
+From: Julien Grall <julien.grall@arm.com>
+Date: Wed, 31 May 2017 14:03:57 +0100
+Subject: xen/privcmd: Support correctly 64KB page granularity when mapping memory
+
+From: Julien Grall <julien.grall@arm.com>
+
+commit 753c09b5652bb4fe53e2db648002ec64b32b8827 upstream.
+
+Commit 5995a68 "xen/privcmd: Add support for Linux 64KB page granularity" did
+not go far enough to support 64KB in mmap_batch_fn.
+
+The variable 'nr' is the number of 4KB chunk to map. However, when Linux
+is using 64KB page granularity the array of pages (vma->vm_private_data)
+contain one page per 64KB. Fix it by incrementing st->index correctly.
+
+Furthermore, st->va is not correctly incremented as PAGE_SIZE !=
+XEN_PAGE_SIZE.
+
+Fixes: 5995a68 ("xen/privcmd: Add support for Linux 64KB page granularity")
+Reported-by: Feng Kan <fkan@apm.com>
+Signed-off-by: Julien Grall <julien.grall@arm.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/privcmd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/privcmd.c
++++ b/drivers/xen/privcmd.c
+@@ -335,8 +335,8 @@ static int mmap_batch_fn(void *data, int
+ st->global_error = 1;
+ }
+ }
+- st->va += PAGE_SIZE * nr;
+- st->index += nr;
++ st->va += XEN_PAGE_SIZE * nr;
++ st->index += nr / XEN_PFN_PER_PAGE;
+
+ return 0;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
