--- /dev/null
+From 3d07d9cfa09d0dc2cad0d620c826ff26779b4dae Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dtor@chromium.org>
+Date: Mon, 14 Dec 2015 17:34:08 -0800
+Subject: android: unconditionally remove callbacks in sync_fence_free()
+
+[ Upstream commit 699f685569434510d944e419f4048c4e3ba8d631 ]
+
+Using fence->status to determine whether or not there are callbacks
+remaining on the sync_fence is racy since fence->status may have been
+decremented to 0 on another CPU before fence_check_cb_func() has
+completed. By unconditionally calling fence_remove_callback() for each
+fence in the sync_fence, we guarantee that each callback has either
+completed (since fence_remove_callback() grabs the fence lock) or been
+removed.
+
+Signed-off-by: Andrew Bresticker <abrestic@chromium.org>
+Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/android/sync.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c
+index f83e00c78051..50a9945da27e 100644
+--- a/drivers/staging/android/sync.c
++++ b/drivers/staging/android/sync.c
+@@ -519,12 +519,10 @@ static const struct fence_ops android_fence_ops = {
+ static void sync_fence_free(struct kref *kref)
+ {
+ struct sync_fence *fence = container_of(kref, struct sync_fence, kref);
+- int i, status = atomic_read(&fence->status);
++ int i;
+
+ for (i = 0; i < fence->num_fences; ++i) {
+- if (status)
+- fence_remove_callback(fence->cbs[i].sync_pt,
+- &fence->cbs[i].cb);
++ fence_remove_callback(fence->cbs[i].sync_pt, &fence->cbs[i].cb);
+ fence_put(fence->cbs[i].sync_pt);
+ }
+
+--
+2.19.1
+
--- /dev/null
+From e8c3cbce4003ec8f61049dc61633a1a49e48c335 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 19 Nov 2015 15:49:23 +0100
+Subject: ARM: 8458/1: bL_switcher: add GIC dependency
+
+[ Upstream commit 6c044fecdf78be3fda159a5036bb33700cdd5e59 ]
+
+It is not possible to build the bL_switcher code if the GIC
+driver is disabled, because it relies on calling into some
+gic specific interfaces, and that would result in this build
+error:
+
+arch/arm/common/built-in.o: In function `bL_switch_to':
+:(.text+0x1230): undefined reference to `gic_get_sgir_physaddr'
+:(.text+0x1244): undefined reference to `gic_send_sgi'
+:(.text+0x1268): undefined reference to `gic_migrate_target'
+arch/arm/common/built-in.o: In function `bL_switcher_enable.part.4':
+:(.text.unlikely+0x2f8): undefined reference to `gic_get_cpu_id'
+
+This adds a Kconfig dependency to ensure we only build the big-little
+switcher if the GIC driver is present as well.
+
+Almost all ARMv7 platforms come with a GIC anyway, but it is possible
+to build a kernel that disables all platforms.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Nicolas Pitre <nico@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index 3a0277c6c060..4cc908ee107f 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1422,7 +1422,7 @@ config BIG_LITTLE
+
+ config BL_SWITCHER
+ bool "big.LITTLE switcher support"
+- depends on BIG_LITTLE && MCPM && HOTPLUG_CPU
++ depends on BIG_LITTLE && MCPM && HOTPLUG_CPU && ARM_GIC
+ select ARM_CPU_SUSPEND
+ select CPU_PM
+ help
+--
+2.19.1
+
--- /dev/null
+From 2891fcf3b3b20211dabf0e9a95851d3c56618620 Mon Sep 17 00:00:00 2001
+From: Jungseung Lee <js07.lee@samsung.com>
+Date: Tue, 29 Dec 2015 05:47:00 +0100
+Subject: ARM: 8494/1: mm: Enable PXN when running non-LPAE kernel on LPAE
+ processor
+
+[ Upstream commit ad84f56bf6d620fe6ed4d57ce6ec9945684d7f35 ]
+
+The VMSA field of MMFR0 (bottom 4 bits) is incremented for each
+added feature. PXN is supported if the value is >= 4 and LPAE
+is supported if it is >= 5.
+
+In case a kernel with CONFIG_ARM_LPAE disabled is used on a
+processor that supports LPAE, we can still use PXN in short
+descriptors. So check for >= 4 not == 4.
+
+Signed-off-by: Jungseung Lee <js07.lee@samsung.com>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/mmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c
+index e47cffd25c6c..aead23f15213 100644
+--- a/arch/arm/mm/mmu.c
++++ b/arch/arm/mm/mmu.c
+@@ -572,7 +572,7 @@ static void __init build_mem_type_table(void)
+ * in the Short-descriptor translation table format descriptors.
+ */
+ if (cpu_arch == CPU_ARCH_ARMv7 &&
+- (read_cpuid_ext(CPUID_EXT_MMFR0) & 0xF) == 4) {
++ (read_cpuid_ext(CPUID_EXT_MMFR0) & 0xF) >= 4) {
+ user_pmd_table |= PMD_PXNTABLE;
+ }
+ #endif
+--
+2.19.1
+
--- /dev/null
+From 3b3ec87f5ebfd85f74c5b66d2d299112701cbf21 Mon Sep 17 00:00:00 2001
+From: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Date: Mon, 1 Feb 2016 18:01:29 +0100
+Subject: ARM: 8510/1: rework ARM_CPU_SUSPEND dependencies
+
+[ Upstream commit 1b9bdf5c1661873a10e193b8cbb803a87fe5c4a1 ]
+
+The code enabled by the ARM_CPU_SUSPEND config option is used by
+kernel subsystems for purposes that go beyond system suspend so its
+config entry should be augmented to take more default options into
+account and avoid forcing its selection to prevent dependencies
+override.
+
+To achieve this goal, this patch reworks the ARM_CPU_SUSPEND config
+entry and updates its default config value (by adding the BL_SWITCHER
+option to it) and its dependencies (ARCH_SUSPEND_POSSIBLE), so that the
+symbol is still selected by default by the subsystems requiring it and
+at the same time enforcing the dependencies correctly.
+
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Cc: Nicolas Pitre <nico@fluxnic.net>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index 4cc908ee107f..737c8b0dda84 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1423,7 +1423,6 @@ config BIG_LITTLE
+ config BL_SWITCHER
+ bool "big.LITTLE switcher support"
+ depends on BIG_LITTLE && MCPM && HOTPLUG_CPU && ARM_GIC
+- select ARM_CPU_SUSPEND
+ select CPU_PM
+ help
+ The big.LITTLE "switcher" provides the core functionality to
+@@ -2141,7 +2140,8 @@ config ARCH_SUSPEND_POSSIBLE
+ def_bool y
+
+ config ARM_CPU_SUSPEND
+- def_bool PM_SLEEP
++ def_bool PM_SLEEP || BL_SWITCHER
++ depends on ARCH_SUSPEND_POSSIBLE
+
+ config ARCH_HIBERNATION_POSSIBLE
+ bool
+--
+2.19.1
+
--- /dev/null
+From 40b4775c3d87d54a334d79d6e0ed5f6966eaa485 Mon Sep 17 00:00:00 2001
+From: Yury Norov <ynorov@caviumnetworks.com>
+Date: Wed, 2 Dec 2015 14:00:10 +0000
+Subject: arm64: fix COMPAT_SHMLBA definition for large pages
+
+[ Upstream commit b9b7aebb42d1b1392f3111de61136bb6cf3aae3f ]
+
+ARM glibc uses (4 * __getpagesize()) for SHMLBA, which is correct for
+4KB pages and works fine for 64KB pages, but the kernel uses a hardcoded
+16KB that is too small for 64KB page based kernels. This changes the
+definition to what user space sees when using 64KB pages.
+
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Yury Norov <ynorov@caviumnetworks.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/shmparam.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/include/asm/shmparam.h b/arch/arm64/include/asm/shmparam.h
+index 4df608a8459e..e368a55ebd22 100644
+--- a/arch/arm64/include/asm/shmparam.h
++++ b/arch/arm64/include/asm/shmparam.h
+@@ -21,7 +21,7 @@
+ * alignment value. Since we don't have aliasing D-caches, the rest of
+ * the time we can safely use PAGE_SIZE.
+ */
+-#define COMPAT_SHMLBA 0x4000
++#define COMPAT_SHMLBA (4 * PAGE_SIZE)
+
+ #include <asm-generic/shmparam.h>
+
+--
+2.19.1
+
--- /dev/null
+From 9b1093f1ab327525288594ab8bf7b1d7d88f7fc9 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Fri, 15 Jan 2016 13:28:57 +0100
+Subject: arm64: hide __efistub_ aliases from kallsyms
+
+[ Upstream commit 75feee3d9d51775072d3a04f47d4a439a4c4590e ]
+
+Commit e8f3010f7326 ("arm64/efi: isolate EFI stub from the kernel
+proper") isolated the EFI stub code from the kernel proper by prefixing
+all of its symbols with __efistub_, and selectively allowing access to
+core kernel symbols from the stub by emitting __efistub_ aliases for
+functions and variables that the stub can access legally.
+
+As an unintended side effect, these aliases are emitted into the
+kallsyms symbol table, which means they may turn up in backtraces,
+e.g.,
+
+ ...
+ PC is at __efistub_memset+0x108/0x200
+ LR is at fixup_init+0x3c/0x48
+ ...
+ [<ffffff8008328608>] __efistub_memset+0x108/0x200
+ [<ffffff8008094dcc>] free_initmem+0x2c/0x40
+ [<ffffff8008645198>] kernel_init+0x20/0xe0
+ [<ffffff8008085cd0>] ret_from_fork+0x10/0x40
+
+The backtrace in question has nothing to do with the EFI stub, but
+simply returns one of the several aliases of memset() that have been
+recorded in the kallsyms table. This is undesirable, since it may
+suggest to people who are not aware of this that the issue they are
+seeing is somehow EFI related.
+
+So hide the __efistub_ aliases from kallsyms, by emitting them as
+absolute linker symbols explicitly. The distinction between those
+and section relative symbols is completely irrelevant to these
+definitions, and to the final link we are performing when these
+definitions are being taken into account (the distinction is only
+relevant to symbols defined inside a section definition when performing
+a partial link), and so the resulting values are identical to the
+original ones. Since absolute symbols are ignored by kallsyms, this
+will result in these values to be omitted from its symbol table.
+
+After this patch, the backtrace generated from the same address looks
+like this:
+ ...
+ PC is at __memset+0x108/0x200
+ LR is at fixup_init+0x3c/0x48
+ ...
+ [<ffffff8008328608>] __memset+0x108/0x200
+ [<ffffff8008094dcc>] free_initmem+0x2c/0x40
+ [<ffffff8008645198>] kernel_init+0x20/0xe0
+ [<ffffff8008085cd0>] ret_from_fork+0x10/0x40
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/image.h | 40 ++++++++++++++++++++++++---------------
+ 1 file changed, 25 insertions(+), 15 deletions(-)
+
+diff --git a/arch/arm64/kernel/image.h b/arch/arm64/kernel/image.h
+index bc2abb8b1599..999633bd7294 100644
+--- a/arch/arm64/kernel/image.h
++++ b/arch/arm64/kernel/image.h
+@@ -64,6 +64,16 @@
+
+ #ifdef CONFIG_EFI
+
++/*
++ * Prevent the symbol aliases below from being emitted into the kallsyms
++ * table, by forcing them to be absolute symbols (which are conveniently
++ * ignored by scripts/kallsyms) rather than section relative symbols.
++ * The distinction is only relevant for partial linking, and only for symbols
++ * that are defined within a section declaration (which is not the case for
++ * the definitions below) so the resulting values will be identical.
++ */
++#define KALLSYMS_HIDE(sym) ABSOLUTE(sym)
++
+ /*
+ * The EFI stub has its own symbol namespace prefixed by __efistub_, to
+ * isolate it from the kernel proper. The following symbols are legally
+@@ -73,25 +83,25 @@
+ * linked at. The routines below are all implemented in assembler in a
+ * position independent manner
+ */
+-__efistub_memcmp = __pi_memcmp;
+-__efistub_memchr = __pi_memchr;
+-__efistub_memcpy = __pi_memcpy;
+-__efistub_memmove = __pi_memmove;
+-__efistub_memset = __pi_memset;
+-__efistub_strlen = __pi_strlen;
+-__efistub_strcmp = __pi_strcmp;
+-__efistub_strncmp = __pi_strncmp;
+-__efistub___flush_dcache_area = __pi___flush_dcache_area;
++__efistub_memcmp = KALLSYMS_HIDE(__pi_memcmp);
++__efistub_memchr = KALLSYMS_HIDE(__pi_memchr);
++__efistub_memcpy = KALLSYMS_HIDE(__pi_memcpy);
++__efistub_memmove = KALLSYMS_HIDE(__pi_memmove);
++__efistub_memset = KALLSYMS_HIDE(__pi_memset);
++__efistub_strlen = KALLSYMS_HIDE(__pi_strlen);
++__efistub_strcmp = KALLSYMS_HIDE(__pi_strcmp);
++__efistub_strncmp = KALLSYMS_HIDE(__pi_strncmp);
++__efistub___flush_dcache_area = KALLSYMS_HIDE(__pi___flush_dcache_area);
+
+ #ifdef CONFIG_KASAN
+-__efistub___memcpy = __pi_memcpy;
+-__efistub___memmove = __pi_memmove;
+-__efistub___memset = __pi_memset;
++__efistub___memcpy = KALLSYMS_HIDE(__pi_memcpy);
++__efistub___memmove = KALLSYMS_HIDE(__pi_memmove);
++__efistub___memset = KALLSYMS_HIDE(__pi_memset);
+ #endif
+
+-__efistub__text = _text;
+-__efistub__end = _end;
+-__efistub__edata = _edata;
++__efistub__text = KALLSYMS_HIDE(_text);
++__efistub__end = KALLSYMS_HIDE(_end);
++__efistub__edata = KALLSYMS_HIDE(_edata);
+
+ #endif
+
+--
+2.19.1
+
--- /dev/null
+From 88d12d1f9acea41a7f6abf53b1d8255207f6bbc5 Mon Sep 17 00:00:00 2001
+From: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
+Date: Wed, 27 Apr 2016 13:55:28 -0300
+Subject: arm64: kconfig: drop CONFIG_RTC_LIB dependency
+
+[ Upstream commit 99a507771fa57238dc7ffe674ae06090333d02c9 ]
+
+The rtc-lib dependency is not required, and seems it was just
+copy-pasted from ARM's Kconfig. If platform requires rtc-lib,
+they should select it individually.
+
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index 5b47218809e0..00c491750918 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -89,7 +89,6 @@ config ARM64
+ select PERF_USE_VMALLOC
+ select POWER_RESET
+ select POWER_SUPPLY
+- select RTC_LIB
+ select SPARSE_IRQ
+ select SYSCTL_EXCEPTION_TRACE
+ select HAVE_CONTEXT_TRACKING
+--
+2.19.1
+
--- /dev/null
+From 43e3b66af3871e40bb2bee7a8f0392e44ec7132b Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Fri, 18 Mar 2016 10:58:09 +0100
+Subject: arm64/kernel: fix incorrect EL0 check in inv_entry macro
+
+[ Upstream commit b660950c60a7278f9d8deb7c32a162031207c758 ]
+
+The implementation of macro inv_entry refers to its 'el' argument without
+the required leading backslash, which results in an undefined symbol
+'el' to be passed into the kernel_entry macro rather than the index of
+the exception level as intended.
+
+This undefined symbol strangely enough does not result in build failures,
+although it is visible in vmlinux:
+
+ $ nm -n vmlinux |head
+ U el
+ 0000000000000000 A _kernel_flags_le_hi32
+ 0000000000000000 A _kernel_offset_le_hi32
+ 0000000000000000 A _kernel_size_le_hi32
+ 000000000000000a A _kernel_flags_le_lo32
+ .....
+
+However, it does result in incorrect code being generated for invalid
+exceptions taken from EL0, since the argument check in kernel_entry
+assumes EL1 if its argument does not equal '0'.
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/entry.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
+index 3028d9b028c7..586326981769 100644
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -243,7 +243,7 @@ END(vectors)
+ * Invalid mode handlers
+ */
+ .macro inv_entry, el, reason, regsize = 64
+- kernel_entry el, \regsize
++ kernel_entry \el, \regsize
+ mov x0, sp
+ mov x1, #\reason
+ mrs x2, esr_el1
+--
+2.19.1
+
--- /dev/null
+From b875c61b79d4f1c9a74bb8dc8bd8fa4cbdab9a4f Mon Sep 17 00:00:00 2001
+From: James Morse <james.morse@arm.com>
+Date: Wed, 27 Apr 2016 17:47:08 +0100
+Subject: arm64: kernel: Include _AC definition in page.h
+
+[ Upstream commit 812264550dcba6cdbe84bfac2f27e7d23b5b8733 ]
+
+page.h uses '_AC' in the definition of PAGE_SIZE, but doesn't include
+linux/const.h where this is defined. This produces build warnings when only
+asm/page.h is included by asm code.
+
+Signed-off-by: James Morse <james.morse@arm.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/page.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/include/asm/page.h b/arch/arm64/include/asm/page.h
+index 9b2f5a9d019d..fbafd0ad16df 100644
+--- a/arch/arm64/include/asm/page.h
++++ b/arch/arm64/include/asm/page.h
+@@ -19,6 +19,8 @@
+ #ifndef __ASM_PAGE_H
+ #define __ASM_PAGE_H
+
++#include <linux/const.h>
++
+ /* PAGE_SHIFT determines the page size */
+ /* CONT_SHIFT determines the number of pages which can be tracked together */
+ #ifdef CONFIG_ARM64_64K_PAGES
+--
+2.19.1
+
--- /dev/null
+From 7946bf63085a1c37d9b36f08e3c0e089df794e0d Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Mon, 25 Jan 2016 11:44:55 +0000
+Subject: asm-generic: Fix local variable shadow in __set_fixmap_offset
+
+[ Upstream commit 3694bd76781b76c4f8d2ecd85018feeb1609f0e5 ]
+
+Currently __set_fixmap_offset is a macro function which has a local
+variable called 'addr'. If a caller passes a 'phys' parameter which is
+derived from a variable also called 'addr', the local variable will
+shadow this, and the compiler will complain about the use of an
+uninitialized variable. To avoid the issue with namespace clashes,
+'addr' is prefixed with a liberal sprinkling of underscores.
+
+Turning __set_fixmap_offset into a static inline breaks the build for
+several architectures. Fixing this properly requires updates to a number
+of architectures to make them agree on the prototype of __set_fixmap (it
+could be done as a subsequent patch series).
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+[catalin.marinas@arm.com: squashed the original function patch and macro fixup]
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/asm-generic/fixmap.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/include/asm-generic/fixmap.h b/include/asm-generic/fixmap.h
+index 1cbb8338edf3..827e4d3bbc7a 100644
+--- a/include/asm-generic/fixmap.h
++++ b/include/asm-generic/fixmap.h
+@@ -70,12 +70,12 @@ static inline unsigned long virt_to_fix(const unsigned long vaddr)
+ #endif
+
+ /* Return a pointer with offset calculated */
+-#define __set_fixmap_offset(idx, phys, flags) \
+-({ \
+- unsigned long addr; \
+- __set_fixmap(idx, phys, flags); \
+- addr = fix_to_virt(idx) + ((phys) & (PAGE_SIZE - 1)); \
+- addr; \
++#define __set_fixmap_offset(idx, phys, flags) \
++({ \
++ unsigned long ________addr; \
++ __set_fixmap(idx, phys, flags); \
++ ________addr = fix_to_virt(idx) + ((phys) & (PAGE_SIZE - 1)); \
++ ________addr; \
+ })
+
+ #define set_fixmap_offset(idx, phys) \
+--
+2.19.1
+
--- /dev/null
+From ba7306fbf272d5613819f04965e95c03fa1e764c Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 9 Jan 2017 11:10:42 +0100
+Subject: cfg80211: size various nl80211 messages correctly
+
+[ Upstream commit 4ef8c1c93f848e360754f10eb2e7134c872b6597 ]
+
+Ilan reported that sometimes nl80211 messages weren't working if
+the frames being transported got very large, which was really a
+problem for userspace-to-kernel messages, but prompted me to look
+at the code.
+
+Upon review, I found various places where variable-length data is
+transported in an nl80211 message but the message isn't allocated
+taking that into account. This shouldn't cause any problems since
+the frames aren't really that long, apart in one place where two
+(possibly very long frames) might not fit.
+
+Fix all the places (that I found) that get variable length data
+from the driver and put it into a message to take the length of
+the variable data into account. The 100 there is just a safe
+constant for the remaining message overhead (it's usually around
+50 for most messages.)
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 642a78079ae1..81013490a99f 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -11721,7 +11721,7 @@ static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
+ struct sk_buff *msg;
+ void *hdr;
+
+- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
++ msg = nlmsg_new(100 + len, gfp);
+ if (!msg)
+ return;
+
+@@ -11873,7 +11873,7 @@ void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
+ struct sk_buff *msg;
+ void *hdr;
+
+- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
++ msg = nlmsg_new(100 + req_ie_len + resp_ie_len, gfp);
+ if (!msg)
+ return;
+
+@@ -11913,7 +11913,7 @@ void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
+ struct sk_buff *msg;
+ void *hdr;
+
+- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
++ msg = nlmsg_new(100 + req_ie_len + resp_ie_len, gfp);
+ if (!msg)
+ return;
+
+@@ -11951,7 +11951,7 @@ void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
+ struct sk_buff *msg;
+ void *hdr;
+
+- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
++ msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
+ if (!msg)
+ return;
+
+@@ -12028,7 +12028,7 @@ void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
+
+ trace_cfg80211_notify_new_peer_candidate(dev, addr);
+
+- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
++ msg = nlmsg_new(100 + ie_len, gfp);
+ if (!msg)
+ return;
+
+@@ -12397,7 +12397,7 @@ int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
+ struct sk_buff *msg;
+ void *hdr;
+
+- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
++ msg = nlmsg_new(100 + len, gfp);
+ if (!msg)
+ return -ENOMEM;
+
+@@ -12440,7 +12440,7 @@ void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
+
+ trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
+
+- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
++ msg = nlmsg_new(100 + len, gfp);
+ if (!msg)
+ return;
+
+@@ -13244,7 +13244,7 @@ void cfg80211_ft_event(struct net_device *netdev,
+ if (!ft_event->target_ap)
+ return;
+
+- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
++ msg = nlmsg_new(100 + ft_event->ric_ies_len, GFP_KERNEL);
+ if (!msg)
+ return;
+
+--
+2.19.1
+
--- /dev/null
+From 6625ab3319db8e942a99634560beda2aaef8c89b Mon Sep 17 00:00:00 2001
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+Date: Tue, 2 Feb 2016 14:13:57 -0700
+Subject: coresight: coresight_unregister() function cleanup
+
+[ Upstream commit fae54158792aec705620bdc3938d342879204f0c ]
+
+In its current form the code never frees csdev->refcnt allocated
+in coresight_register(). There is also a problem with csdev->conns
+that is freed before device_unregister() rather than in the device
+release function.
+
+This patch addresses both issues by moving kfree(csdev->conns) to
+coresight_device_release() and freeing csdev->refcnt, also in
+the same function.
+
+Reported-by: Rabin Vincent <rabin@rab.in>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight.c b/drivers/hwtracing/coresight/coresight.c
+index 84fc60318f79..a7d1edbf3340 100644
+--- a/drivers/hwtracing/coresight/coresight.c
++++ b/drivers/hwtracing/coresight/coresight.c
+@@ -484,6 +484,8 @@ static void coresight_device_release(struct device *dev)
+ {
+ struct coresight_device *csdev = to_coresight_device(dev);
+
++ kfree(csdev->conns);
++ kfree(csdev->refcnt);
+ kfree(csdev);
+ }
+
+@@ -716,7 +718,6 @@ EXPORT_SYMBOL_GPL(coresight_register);
+
+ void coresight_unregister(struct coresight_device *csdev)
+ {
+- kfree(csdev->conns);
+ device_unregister(&csdev->dev);
+ }
+ EXPORT_SYMBOL_GPL(coresight_unregister);
+--
+2.19.1
+
--- /dev/null
+From d81faeaca54ee0a30246db002524edc05fcad84f Mon Sep 17 00:00:00 2001
+From: Eric Long <eric.long@linaro.org>
+Date: Wed, 17 Feb 2016 17:51:43 -0700
+Subject: coresight: "DEVICE_ATTR_RO" should defined as static.
+
+[ Upstream commit bf16e5b8cdeabc1fe6565af0be475bb2084dc388 ]
+
+"DEVICE_ATTR_RO(name)" should be defined as static. And
+there is an unnecessary space at the front of the code.
+
+The sparse tool output logs as the following:
+coresight-etm4x.c:2224:1: warning: symbol 'dev_attr_trcoslsr' was
+not declared. Should it be static?
+coresight-etm4x.c:2225:1: warning: symbol 'dev_attr_trcpdcr' was
+not declared. Should it be static?
+coresight-etm4x.c:2226:1: warning: symbol 'dev_attr_trcpdsr' was
+not declared. Should it be static?
+And the smatch tool output logs as the following:
+of_coresight.c:89 of_coresight_alloc_memory() warn:
+inconsistent indenting
+
+Signed-off-by: Eric Long <eric.long@linaro.org>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-etm4x.c | 2 +-
+ drivers/hwtracing/coresight/of_coresight.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-etm4x.c b/drivers/hwtracing/coresight/coresight-etm4x.c
+index a6707642bb23..1ec6798b21e8 100644
+--- a/drivers/hwtracing/coresight/coresight-etm4x.c
++++ b/drivers/hwtracing/coresight/coresight-etm4x.c
+@@ -2219,7 +2219,7 @@ static ssize_t name##_show(struct device *_dev, \
+ return scnprintf(buf, PAGE_SIZE, "0x%x\n", \
+ readl_relaxed(drvdata->base + offset)); \
+ } \
+-DEVICE_ATTR_RO(name)
++static DEVICE_ATTR_RO(name)
+
+ coresight_simple_func(trcoslsr, TRCOSLSR);
+ coresight_simple_func(trcpdcr, TRCPDCR);
+diff --git a/drivers/hwtracing/coresight/of_coresight.c b/drivers/hwtracing/coresight/of_coresight.c
+index 7d2bb1549608..fb7597b1c66f 100644
+--- a/drivers/hwtracing/coresight/of_coresight.c
++++ b/drivers/hwtracing/coresight/of_coresight.c
+@@ -86,7 +86,7 @@ static int of_coresight_alloc_memory(struct device *dev,
+ return -ENOMEM;
+
+ /* Children connected to this component via @outports */
+- pdata->child_names = devm_kzalloc(dev, pdata->nr_outport *
++ pdata->child_names = devm_kzalloc(dev, pdata->nr_outport *
+ sizeof(*pdata->child_names),
+ GFP_KERNEL);
+ if (!pdata->child_names)
+--
+2.19.1
+
--- /dev/null
+From de75ae6e6787c7577f8c052373f7f51131bd7973 Mon Sep 17 00:00:00 2001
+From: Eric Long <eric.long@linaro.org>
+Date: Wed, 17 Feb 2016 17:51:44 -0700
+Subject: coresight: etm4x: Check every parameter used by dma_xx_coherent.
+
+[ Upstream commit 61390593f72377c3a8f41ef998462e2d3985adac ]
+
+The dma_alloc_coherent return an "void *" not an "void __iomen *".
+It uses the wrong parameters when calls dma_free_coherent function.
+
+The sparse tool output logs as the following:
+coresight-tmc.c:199:23: expected void *<noident>
+coresight-tmc.c:199:23: got void [noderef] <asn:2>*vaddr
+coresight-tmc.c:336:30: warning: incorrect type in assignment
+(different address spaces)
+coresight-tmc.c:336:30: expected char *buf
+coresight-tmc.c:336:30: got void [noderef] <asn:2>*
+coresight-tmc.c:769:50: warning: incorrect type in argument 4
+(different base types)
+coresight-tmc.c:769:50: expected unsigned long long
+[unsigned] [usertype] dma_handle
+coresight-tmc.c:769:50: got restricted gfp_t
+
+Signed-off-by: Eric Long <eric.long@linaro.org>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-tmc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-tmc.c b/drivers/hwtracing/coresight/coresight-tmc.c
+index a57c7ec1661f..62f9d7372e3a 100644
+--- a/drivers/hwtracing/coresight/coresight-tmc.c
++++ b/drivers/hwtracing/coresight/coresight-tmc.c
+@@ -124,7 +124,7 @@ struct tmc_drvdata {
+ bool reading;
+ char *buf;
+ dma_addr_t paddr;
+- void __iomem *vaddr;
++ void *vaddr;
+ u32 size;
+ bool enable;
+ enum tmc_config_type config_type;
+@@ -766,7 +766,7 @@ static int tmc_probe(struct amba_device *adev, const struct amba_id *id)
+ err_devm_kzalloc:
+ if (drvdata->config_type == TMC_CONFIG_TYPE_ETR)
+ dma_free_coherent(dev, drvdata->size,
+- &drvdata->paddr, GFP_KERNEL);
++ drvdata->vaddr, drvdata->paddr);
+ return ret;
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 474e88c98233b5698d11ca6e76839b1576681d38 Mon Sep 17 00:00:00 2001
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+Date: Tue, 2 Feb 2016 14:13:56 -0700
+Subject: coresight: fixing lockdep error
+
+[ Upstream commit a9ddc71f5840c2711e530f2e055b278f79948b29 ]
+
+On some platform the following lockdep error occurs when doing simple
+manipulations:
+
+ [ 23.197021]
+ [ 23.198608] ======================================================
+ [ 23.205078] [ INFO: possible circular locking dependency detected ]
+ [ 23.211639] 4.4.0-rc8-00025-gbbf360b #172 Not tainted
+ [ 23.216918] -------------------------------------------------------
+ [ 23.223480] sh/858 is trying to acquire lock:
+ [ 23.228057] (coresight_mutex){+.+.+.}, at: [<c0415d40>] coresight_enable+0x1c/0x1b4
+ [ 23.236206]
+ [ 23.236206] but task is already holding lock:
+ [ 23.242309] (s_active#52){++++.+}, at: [<c01d4b40>] kernfs_fop_write+0x5c/0x1c0
+ [ 23.250122]
+ [ 23.250122] which lock already depends on the new lock.
+ [ 23.250122]
+ [ 23.258697]
+ [ 23.258697] the existing dependency chain (in reverse order) is:
+ [ 23.266510]
+ -> #1 (s_active#52){++++.+}:
+ [ 23.270843] [<c01d30ec>] __kernfs_remove+0x294/0x35c
+ [ 23.276672] [<c01d3e44>] kernfs_remove_by_name_ns+0x44/0x8c
+ [ 23.283172] [<c01d6318>] remove_files+0x3c/0x84
+ [ 23.288543] [<c01d66b4>] sysfs_remove_group+0x48/0x9c
+ [ 23.294494] [<c01d6734>] sysfs_remove_groups+0x2c/0x3c
+ [ 23.300506] [<c030b658>] device_remove_attrs+0x5c/0x74
+ [ 23.306549] [<c030c290>] device_del+0x110/0x218
+ [ 23.311950] [<c030c3c4>] device_unregister+0x2c/0x6c
+ [ 23.317779] [<c04156d8>] coresight_unregister+0x30/0x40
+ [ 23.323883] [<c041a290>] etm_probe+0x228/0x2e8
+ [ 23.329193] [<c02bc760>] amba_probe+0xe4/0x160
+ [ 23.334503] [<c0310540>] driver_probe_device+0x23c/0x480
+ [ 23.340728] [<c0310820>] __driver_attach+0x9c/0xa0
+ [ 23.346374] [<c030e400>] bus_for_each_dev+0x70/0xa4
+ [ 23.352142] [<c030fcf4>] driver_attach+0x24/0x28
+ [ 23.357604] [<c030f86c>] bus_add_driver+0x1e0/0x278
+ [ 23.363372] [<c0310d48>] driver_register+0x80/0x100
+ [ 23.369110] [<c02bc508>] amba_driver_register+0x58/0x5c
+ [ 23.375244] [<c0749514>] etm_driver_init+0x18/0x1c
+ [ 23.380889] [<c0009918>] do_one_initcall+0xc4/0x20c
+ [ 23.386657] [<c0715e7c>] kernel_init_freeable+0x160/0x208
+ [ 23.392974] [<c052d7fc>] kernel_init+0x18/0xf0
+ [ 23.398254] [<c0010850>] ret_from_fork+0x14/0x24
+ [ 23.403747]
+ -> #0 (coresight_mutex){+.+.+.}:
+ [ 23.408447] [<c008ed60>] lock_acquire+0xe4/0x210
+ [ 23.413909] [<c0530a30>] mutex_lock_nested+0x74/0x450
+ [ 23.419860] [<c0415d40>] coresight_enable+0x1c/0x1b4
+ [ 23.425689] [<c0416030>] enable_source_store+0x58/0x68
+ [ 23.431732] [<c030b358>] dev_attr_store+0x20/0x2c
+ [ 23.437286] [<c01d55e8>] sysfs_kf_write+0x50/0x54
+ [ 23.442871] [<c01d4ba8>] kernfs_fop_write+0xc4/0x1c0
+ [ 23.448699] [<c015b60c>] __vfs_write+0x34/0xe4
+ [ 23.454040] [<c015bf38>] vfs_write+0x98/0x174
+ [ 23.459228] [<c015c7a8>] SyS_write+0x4c/0xa8
+ [ 23.464355] [<c00107c0>] ret_fast_syscall+0x0/0x1c
+ [ 23.470031]
+ [ 23.470031] other info that might help us debug this:
+ [ 23.470031]
+ [ 23.478393] Possible unsafe locking scenario:
+ [ 23.478393]
+ [ 23.484619] CPU0 CPU1
+ [ 23.489349] ---- ----
+ [ 23.494079] lock(s_active#52);
+ [ 23.497497] lock(coresight_mutex);
+ [ 23.503906] lock(s_active#52);
+ [ 23.509918] lock(coresight_mutex);
+ [ 23.513702]
+ [ 23.513702] *** DEADLOCK ***
+ [ 23.513702]
+ [ 23.519897] 3 locks held by sh/858:
+ [ 23.523529] #0: (sb_writers#7){.+.+.+}, at: [<c015ec38>] __sb_start_write+0xa8/0xd4
+ [ 23.531799] #1: (&of->mutex){+.+...}, at: [<c01d4b38>] kernfs_fop_write+0x54/0x1c0
+ [ 23.539916] #2: (s_active#52){++++.+}, at: [<c01d4b40>] kernfs_fop_write+0x5c/0x1c0
+ [ 23.548156]
+ [ 23.548156] stack backtrace:
+ [ 23.552734] CPU: 0 PID: 858 Comm: sh Not tainted 4.4.0-rc8-00025-gbbf360b #172
+ [ 23.560302] Hardware name: Generic OMAP4 (Flattened Device Tree)
+ [ 23.566589] Backtrace:
+ [ 23.569152] [<c00154d4>] (dump_backtrace) from [<c00156d0>] (show_stack+0x18/0x1c)
+ [ 23.577087] r7:ed4b8570 r6:c0936400 r5:c07ae71c r4:00000000
+ [ 23.583038] [<c00156b8>] (show_stack) from [<c027e69c>] (dump_stack+0x98/0xc0)
+ [ 23.590606] [<c027e604>] (dump_stack) from [<c008a750>] (print_circular_bug+0x21c/0x33c)
+ [ 23.599090] r5:c0939d60 r4:c0936400
+ [ 23.602874] [<c008a534>] (print_circular_bug) from [<c008e370>] (__lock_acquire+0x1c98/0x1d88)
+ [ 23.611877] r10:00000003 r9:c0fd7a5c r8:ed4b8550 r7:ed4b8570 r6:ed4b8000 r5:c0ff69e4
+ [ 23.620117] r4:c0936400 r3:ed4b8550
+ [ 23.623901] [<c008c6d8>] (__lock_acquire) from [<c008ed60>] (lock_acquire+0xe4/0x210)
+ [ 23.632080] r10:00000000 r9:00000000 r8:60000013 r7:c07cb7b4 r6:00000001 r5:00000000
+ [ 23.640350] r4:00000000
+ [ 23.643005] [<c008ec7c>] (lock_acquire) from [<c0530a30>] (mutex_lock_nested+0x74/0x450)
+ [ 23.651458] r10:ecc0bf80 r9:edbe7dcc r8:ed4b8000 r7:c0fd7a5c r6:c0415d40 r5:00000000
+ [ 23.659729] r4:c07cb780
+ [ 23.662384] [<c05309bc>] (mutex_lock_nested) from [<c0415d40>] (coresight_enable+0x1c/0x1b4)
+ [ 23.671234] r10:ecc0bf80 r9:edbe7dcc r8:ed733c00 r7:00000000 r6:ed733c00 r5:00000002
+ [ 23.679473] r4:ed762140
+ [ 23.682128] [<c0415d24>] (coresight_enable) from [<c0416030>] (enable_source_store+0x58/0x68)
+ [ 23.691070] r7:00000000 r6:ed733c00 r5:00000002 r4:ed762160
+ [ 23.697052] [<c0415fd8>] (enable_source_store) from [<c030b358>] (dev_attr_store+0x20/0x2c)
+ [ 23.705780] r5:edbe7dc0 r4:c0415fd8
+ [ 23.709533] [<c030b338>] (dev_attr_store) from [<c01d55e8>] (sysfs_kf_write+0x50/0x54)
+ [ 23.717834] r5:edbe7dc0 r4:c030b338
+ [ 23.721618] [<c01d5598>] (sysfs_kf_write) from [<c01d4ba8>] (kernfs_fop_write+0xc4/0x1c0)
+ [ 23.730163] r7:00000000 r6:00000000 r5:00000002 r4:edbe7dc0
+ [ 23.736145] [<c01d4ae4>] (kernfs_fop_write) from [<c015b60c>] (__vfs_write+0x34/0xe4)
+ [ 23.744323] r10:00000000 r9:ecc0a000 r8:c0010964 r7:ecc0bf80 r6:00000002 r5:c01d4ae4
+ [ 23.752593] r4:ee385a40
+ [ 23.755249] [<c015b5d8>] (__vfs_write) from [<c015bf38>] (vfs_write+0x98/0x174)
+ [ 23.762908] r9:ecc0a000 r8:c0010964 r7:ecc0bf80 r6:000ab0d8 r5:00000002 r4:ee385a40
+ [ 23.771057] [<c015bea0>] (vfs_write) from [<c015c7a8>] (SyS_write+0x4c/0xa8)
+ [ 23.778442] r8:c0010964 r7:00000002 r6:000ab0d8 r5:ee385a40 r4:ee385a40
+ [ 23.785522] [<c015c75c>] (SyS_write) from [<c00107c0>] (ret_fast_syscall+0x0/0x1c)
+ [ 23.793457] r7:00000004 r6:00000001 r5:000ab0d8 r4:00000002
+ [ 23.799652] coresight-etb10 54162000.etb: ETB enabled
+ [ 23.805084] coresight-funnel 54164000.funnel: FUNNEL inport 0 enabled
+ [ 23.811859] coresight-replicator 44000000.ocp:replicator: REPLICATOR enabled
+ [ 23.819335] coresight-funnel 54158000.funnel: FUNNEL inport 0 enabled
+ [ 23.826110] coresight-etm3x 5414c000.ptm: ETM tracing enabled
+
+The locking in coresight_unregister() is not required as the only customers of
+the function are drivers themselves when an initialisation failure has been
+encoutered.
+
+Reported-by: Rabin Vincent <rabin@rab.in>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight.c b/drivers/hwtracing/coresight/coresight.c
+index 902ee6efd09c..84fc60318f79 100644
+--- a/drivers/hwtracing/coresight/coresight.c
++++ b/drivers/hwtracing/coresight/coresight.c
+@@ -716,12 +716,8 @@ EXPORT_SYMBOL_GPL(coresight_register);
+
+ void coresight_unregister(struct coresight_device *csdev)
+ {
+- mutex_lock(&coresight_mutex);
+-
+ kfree(csdev->conns);
+ device_unregister(&csdev->dev);
+-
+- mutex_unlock(&coresight_mutex);
+ }
+ EXPORT_SYMBOL_GPL(coresight_unregister);
+
+--
+2.19.1
+
--- /dev/null
+From f3a304b7fc07a0f1d8afdb9cc92645e37df7a9d2 Mon Sep 17 00:00:00 2001
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+Date: Tue, 2 Feb 2016 14:13:58 -0700
+Subject: coresight: release reference taken by 'bus_find_device()'
+
+[ Upstream commit f2dfab3568fc32afeac8b698481e80e7ab2dc658 ]
+
+The reference count taken by function bus_find_device() needs
+to be released if a child device is found, something this patch
+is adding.
+
+Reported-by: Rabin Vincent <rabin@rab.in>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/hwtracing/coresight/coresight.c b/drivers/hwtracing/coresight/coresight.c
+index a7d1edbf3340..5e2a2a5ad601 100644
+--- a/drivers/hwtracing/coresight/coresight.c
++++ b/drivers/hwtracing/coresight/coresight.c
+@@ -573,6 +573,8 @@ static void coresight_fixup_device_conns(struct coresight_device *csdev)
+
+ if (dev) {
+ conn->child_dev = to_coresight_device(dev);
++ /* and put reference from 'bus_find_device()' */
++ put_device(dev);
+ } else {
+ csdev->orphan = true;
+ conn->child_dev = NULL;
+--
+2.19.1
+
--- /dev/null
+From 3b1be5512461aff2f7bb60a391ce0369922f6d59 Mon Sep 17 00:00:00 2001
+From: Mathieu Poirier <mathieu.poirier@linaro.org>
+Date: Tue, 2 Feb 2016 14:13:59 -0700
+Subject: coresight: remove csdev's link from topology
+
+[ Upstream commit ad725aee070caf8fa93d84d6fb78321f9642db18 ]
+
+In function 'coresight_unregister()', all references to the csdev that
+is being taken away need to be removed from the topology. Otherwise
+building the next coresight path from source to sink may use memory
+that has been released.
+
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight.c | 46 +++++++++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+
+diff --git a/drivers/hwtracing/coresight/coresight.c b/drivers/hwtracing/coresight/coresight.c
+index 5e2a2a5ad601..c6aea4795d0b 100644
+--- a/drivers/hwtracing/coresight/coresight.c
++++ b/drivers/hwtracing/coresight/coresight.c
+@@ -582,6 +582,50 @@ static void coresight_fixup_device_conns(struct coresight_device *csdev)
+ }
+ }
+
++static int coresight_remove_match(struct device *dev, void *data)
++{
++ int i;
++ struct coresight_device *csdev, *iterator;
++ struct coresight_connection *conn;
++
++ csdev = data;
++ iterator = to_coresight_device(dev);
++
++ /* No need to check oneself */
++ if (csdev == iterator)
++ return 0;
++
++ /*
++ * Circle throuch all the connection of that component. If we find
++ * a connection whose name matches @csdev, remove it.
++ */
++ for (i = 0; i < iterator->nr_outport; i++) {
++ conn = &iterator->conns[i];
++
++ if (conn->child_dev == NULL)
++ continue;
++
++ if (!strcmp(dev_name(&csdev->dev), conn->child_name)) {
++ iterator->orphan = true;
++ conn->child_dev = NULL;
++ /* No need to continue */
++ break;
++ }
++ }
++
++ /*
++ * Returning '0' ensures that all known component on the
++ * bus will be checked.
++ */
++ return 0;
++}
++
++static void coresight_remove_conns(struct coresight_device *csdev)
++{
++ bus_for_each_dev(&coresight_bustype, NULL,
++ csdev, coresight_remove_match);
++}
++
+ /**
+ * coresight_timeout - loop until a bit has changed to a specific state.
+ * @addr: base address of the area of interest.
+@@ -720,6 +764,8 @@ EXPORT_SYMBOL_GPL(coresight_register);
+
+ void coresight_unregister(struct coresight_device *csdev)
+ {
++ /* Remove references of that device in the topology */
++ coresight_remove_conns(csdev);
+ device_unregister(&csdev->dev);
+ }
+ EXPORT_SYMBOL_GPL(coresight_unregister);
+--
+2.19.1
+
--- /dev/null
+From bbe2c87d36fb253b9d025ffe8452afde01284514 Mon Sep 17 00:00:00 2001
+From: Lianwei Wang <lianwei.wang@gmail.com>
+Date: Thu, 9 Jun 2016 23:43:28 -0700
+Subject: cpu/hotplug: Handle unbalanced hotplug enable/disable
+
+[ Upstream commit 01b41159066531cc8d664362ff0cd89dd137bbfa ]
+
+When cpu_hotplug_enable() is called unbalanced w/o a preceeding
+cpu_hotplug_disable() the code emits a warning, but happily decrements the
+disabled counter. This causes the next operations to malfunction.
+
+Prevent the decrement and just emit a warning.
+
+Signed-off-by: Lianwei Wang <lianwei.wang@gmail.com>
+Cc: peterz@infradead.org
+Cc: linux-pm@vger.kernel.org
+Cc: oleg@redhat.com
+Link: http://lkml.kernel.org/r/1465541008-12476-1-git-send-email-lianwei.wang@gmail.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cpu.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/cpu.c b/kernel/cpu.c
+index 40d20bf5de28..42ce0b0ae5c5 100644
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -183,10 +183,17 @@ void cpu_hotplug_disable(void)
+ }
+ EXPORT_SYMBOL_GPL(cpu_hotplug_disable);
+
++static void __cpu_hotplug_enable(void)
++{
++ if (WARN_ONCE(!cpu_hotplug_disabled, "Unbalanced cpu hotplug enable\n"))
++ return;
++ cpu_hotplug_disabled--;
++}
++
+ void cpu_hotplug_enable(void)
+ {
+ cpu_maps_update_begin();
+- WARN_ON(--cpu_hotplug_disabled < 0);
++ __cpu_hotplug_enable();
+ cpu_maps_update_done();
+ }
+ EXPORT_SYMBOL_GPL(cpu_hotplug_enable);
+@@ -626,7 +633,7 @@ void enable_nonboot_cpus(void)
+
+ /* Allow everyone to use the CPU hotplug again */
+ cpu_maps_update_begin();
+- WARN_ON(--cpu_hotplug_disabled < 0);
++ __cpu_hotplug_enable();
+ if (cpumask_empty(frozen_cpus))
+ goto out;
+
+--
+2.19.1
+
--- /dev/null
+From 9f7f22fa0564842d239de686eb66a7ddd30abf50 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 23 Dec 2015 10:29:28 +0100
+Subject: efi: stub: define DISABLE_BRANCH_PROFILING for all architectures
+
+[ Upstream commit b523e185bba36164ca48a190f5468c140d815414 ]
+
+This moves the DISABLE_BRANCH_PROFILING define from the x86 specific
+to the general CFLAGS definition for the stub. This fixes build errors
+when building for arm64 with CONFIG_PROFILE_ALL_BRANCHES_ENABLED.
+
+Reviewed-by: Matt Fleming <matt@codeblueprint.co.uk>
+Reported-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/libstub/Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile
+index 88bd6829a358..edb45f72b34c 100644
+--- a/drivers/firmware/efi/libstub/Makefile
++++ b/drivers/firmware/efi/libstub/Makefile
+@@ -8,7 +8,7 @@ cflags-$(CONFIG_X86_32) := -march=i386
+ cflags-$(CONFIG_X86_64) := -mcmodel=small
+ cflags-$(CONFIG_X86) += -m$(BITS) -D__KERNEL__ $(LINUX_INCLUDE) -O2 \
+ -fPIC -fno-strict-aliasing -mno-red-zone \
+- -mno-mmx -mno-sse -DDISABLE_BRANCH_PROFILING
++ -mno-mmx -mno-sse
+
+ cflags-$(CONFIG_ARM64) := $(subst -pg,,$(KBUILD_CFLAGS)) -fpie
+ cflags-$(CONFIG_ARM) := $(subst -pg,,$(KBUILD_CFLAGS)) \
+@@ -16,7 +16,7 @@ cflags-$(CONFIG_ARM) := $(subst -pg,,$(KBUILD_CFLAGS)) \
+
+ cflags-$(CONFIG_EFI_ARMSTUB) += -I$(srctree)/scripts/dtc/libfdt
+
+-KBUILD_CFLAGS := $(cflags-y) \
++KBUILD_CFLAGS := $(cflags-y) -DDISABLE_BRANCH_PROFILING \
+ $(call cc-option,-ffreestanding) \
+ $(call cc-option,-fno-stack-protector)
+
+--
+2.19.1
+
--- /dev/null
+From cf784aacc096dc61b0192fe500bfdb518663716b Mon Sep 17 00:00:00 2001
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+Date: Tue, 3 Nov 2015 17:01:46 -0500
+Subject: hid-sensor-hub.c: fix wrong do_div() usage
+
+[ Upstream commit 8d43b49e7e0070f96ac46d30659a336c0224fa0b ]
+
+do_div() must only be used with a u64 dividend.
+
+Signed-off-by: Nicolas Pitre <nico@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-sensor-hub.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
+index 92870cdb52d9..8efaa88329aa 100644
+--- a/drivers/hid/hid-sensor-hub.c
++++ b/drivers/hid/hid-sensor-hub.c
+@@ -218,7 +218,8 @@ int sensor_hub_set_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
+ goto done_proc;
+ }
+
+- remaining_bytes = do_div(buffer_size, sizeof(__s32));
++ remaining_bytes = buffer_size % sizeof(__s32);
++ buffer_size = buffer_size / sizeof(__s32);
+ if (buffer_size) {
+ for (i = 0; i < buffer_size; ++i) {
+ hid_set_field(report->field[field_index], i,
+--
+2.19.1
+
--- /dev/null
+From a3d914e582a7a7d690428c844b83f624095996ba Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Sat, 11 Jun 2016 20:32:06 +0200
+Subject: ipv6: fix endianness error in icmpv6_err
+
+[ Upstream commit dcb94b88c09ce82a80e188d49bcffdc83ba215a6 ]
+
+IPv6 ping socket error handler doesn't correctly convert the new 32 bit
+mtu to host endianness before using.
+
+Cc: Lorenzo Colitti <lorenzo@google.com>
+Fixes: 6d0bfe22611602f ("net: ipv6: Add IPv6 support to the ping socket.")
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Acked-by: Lorenzo Colitti <lorenzo@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/icmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
+index 0a37ddc7af51..3697cd08c515 100644
+--- a/net/ipv6/icmp.c
++++ b/net/ipv6/icmp.c
+@@ -98,7 +98,7 @@ static void icmpv6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
+
+ if (!(type & ICMPV6_INFOMSG_MASK))
+ if (icmp6->icmp6_type == ICMPV6_ECHO_REQUEST)
+- ping_err(skb, offset, info);
++ ping_err(skb, offset, ntohl(info));
+ }
+
+ static int icmpv6_rcv(struct sk_buff *skb);
+--
+2.19.1
+
--- /dev/null
+From 6974530abbff214d7930b1a121f54d4720b42861 Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Mon, 4 Apr 2016 14:15:23 -0400
+Subject: =?UTF-8?q?mac80211:=20fix=20"warning:=20=E2=80=98target=5Fmetric?=
+ =?UTF-8?q?=E2=80=99=20may=20be=20used=20uninitialized"?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit b4201cc4fc6e1c57d6d306b1f787865043d60129 ]
+
+This fixes:
+
+net/mac80211/mesh_hwmp.c:603:26: warning: ‘target_metric’ may be used uninitialized in this function
+
+target_metric is only consumed when reply = true so no bug exists here,
+but not all versions of gcc realize it. Initialize to 0 to remove the
+warning.
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh_hwmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
+index 33d5271a9e32..466922f09d04 100644
+--- a/net/mac80211/mesh_hwmp.c
++++ b/net/mac80211/mesh_hwmp.c
+@@ -530,7 +530,7 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata,
+ const u8 *target_addr, *orig_addr;
+ const u8 *da;
+ u8 target_flags, ttl, flags;
+- u32 orig_sn, target_sn, lifetime, target_metric;
++ u32 orig_sn, target_sn, lifetime, target_metric = 0;
+ bool reply = false;
+ bool forward = true;
+ bool root_is_gate;
+--
+2.19.1
+
--- /dev/null
+From e9932785f5b963b4950976da5cdff1611d7d460e Mon Sep 17 00:00:00 2001
+From: Colin Cross <ccross@android.com>
+Date: Thu, 22 Oct 2015 10:00:41 -0700
+Subject: mmc: block: Allow more than 8 partitions per card
+
+[ Upstream commit 382c55f88ffeb218c446bf0c46d0fc25d2795fe2 ]
+
+It is quite common for Android devices to utilize more
+then 8 partitions on internal eMMC storage.
+
+The vanilla kernel can support this via
+CONFIG_MMC_BLOCK_MINORS, however that solution caps the
+system to 256 minors total, which limits the number of
+mmc cards the system can support.
+
+This patch, which has been carried for quite awhile in
+the AOSP common tree, provides an alternative solution
+that doesn't seem to limit the total card count. So I
+wanted to submit it for consideration upstream.
+
+This patch sets the GENHD_FL_EXT_DEVT flag, which will
+allocate minor number in major 259 for partitions past
+disk->minors.
+
+It also removes the use of disk_devt to determine devidx
+from md->disk. md->disk->first_minor is always initialized
+from devidx and can always be used to recover it.
+
+Cc: Ulf Hansson <ulf.hansson@linaro.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Cc: Chuanxiao Dong <chuanxiao.dong@intel.com>
+Cc: Shawn Lin <shawn.lin@rock-chips.com>
+Cc: Austin S Hemmelgarn <ahferroin7@gmail.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Android Kernel Team <kernel-team@android.com>
+Cc: linux-mmc@vger.kernel.org
+Signed-off-by: Colin Cross <ccross@android.com>
+[jstultz: Added context to commit message]
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/card/block.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
+index f2b733275a0a..c15b879c3070 100644
+--- a/drivers/mmc/card/block.c
++++ b/drivers/mmc/card/block.c
+@@ -171,11 +171,7 @@ static struct mmc_blk_data *mmc_blk_get(struct gendisk *disk)
+
+ static inline int mmc_get_devidx(struct gendisk *disk)
+ {
+- int devmaj = MAJOR(disk_devt(disk));
+- int devidx = MINOR(disk_devt(disk)) / perdev_minors;
+-
+- if (!devmaj)
+- devidx = disk->first_minor / perdev_minors;
++ int devidx = disk->first_minor / perdev_minors;
+ return devidx;
+ }
+
+@@ -2252,6 +2248,7 @@ static struct mmc_blk_data *mmc_blk_alloc_req(struct mmc_card *card,
+ md->disk->queue = md->queue.queue;
+ md->disk->driverfs_dev = parent;
+ set_disk_ro(md->disk, md->read_only || default_ro);
++ md->disk->flags = GENHD_FL_EXT_DEVT;
+ if (area_type & (MMC_BLK_DATA_AREA_RPMB | MMC_BLK_DATA_AREA_BOOT))
+ md->disk->flags |= GENHD_FL_NO_PART_SCAN;
+
+--
+2.19.1
+
--- /dev/null
+From f473f662dbc59f645cacea775dab22680cc79754 Mon Sep 17 00:00:00 2001
+From: Chaotian Jing <chaotian.jing@mediatek.com>
+Date: Thu, 19 May 2016 16:47:42 +0800
+Subject: mmc: mmc: fix switch timeout issue caused by jiffies precision
+
+[ Upstream commit 987aa5f8059613bf85cbb6f64ffbd34f5cb7a9d1 ]
+
+with CONFIG_HZ=100, the precision of jiffies is 10ms, and the
+generic_cmd6_time of some card is also 10ms. then, may be current
+time is only 5ms, but already timed out caused by jiffies precision.
+
+Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/core/mmc_ops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/core/mmc_ops.c b/drivers/mmc/core/mmc_ops.c
+index 1f444269ebbe..76b49b9772d0 100644
+--- a/drivers/mmc/core/mmc_ops.c
++++ b/drivers/mmc/core/mmc_ops.c
+@@ -542,7 +542,7 @@ int __mmc_switch(struct mmc_card *card, u8 set, u8 index, u8 value,
+ timeout_ms = MMC_OPS_TIMEOUT_MS;
+
+ /* Must check status to be sure of no errors. */
+- timeout = jiffies + msecs_to_jiffies(timeout_ms);
++ timeout = jiffies + msecs_to_jiffies(timeout_ms) + 1;
+ do {
+ if (send_status) {
+ err = __mmc_send_status(card, &status, ignore_crc);
+--
+2.19.1
+
--- /dev/null
+From 62404a8df58886fea913e94fd0a1751d0ccdf70f Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 20 Jan 2016 16:25:01 -0800
+Subject: net: diag: support v4mapped sockets in inet_diag_find_one_icsk()
+
+[ Upstream commit 7c1306723ee916ea9f1fa7d9e4c7a6d029ca7aaf ]
+
+Lorenzo reported that we could not properly find v4mapped sockets
+in inet_diag_find_one_icsk(). This patch fixes the issue.
+
+Reported-by: Lorenzo Colitti <lorenzo@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Lorenzo Colitti <lorenzo@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/inet_diag.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
+index ab9f8a66615d..386443e780da 100644
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -366,13 +366,20 @@ int inet_diag_dump_one_icsk(struct inet_hashinfo *hashinfo,
+ req->id.idiag_dport, req->id.idiag_src[0],
+ req->id.idiag_sport, req->id.idiag_if);
+ #if IS_ENABLED(CONFIG_IPV6)
+- else if (req->sdiag_family == AF_INET6)
+- sk = inet6_lookup(net, hashinfo,
+- (struct in6_addr *)req->id.idiag_dst,
+- req->id.idiag_dport,
+- (struct in6_addr *)req->id.idiag_src,
+- req->id.idiag_sport,
+- req->id.idiag_if);
++ else if (req->sdiag_family == AF_INET6) {
++ if (ipv6_addr_v4mapped((struct in6_addr *)req->id.idiag_dst) &&
++ ipv6_addr_v4mapped((struct in6_addr *)req->id.idiag_src))
++ sk = inet_lookup(net, hashinfo, req->id.idiag_dst[3],
++ req->id.idiag_dport, req->id.idiag_src[3],
++ req->id.idiag_sport, req->id.idiag_if);
++ else
++ sk = inet6_lookup(net, hashinfo,
++ (struct in6_addr *)req->id.idiag_dst,
++ req->id.idiag_dport,
++ (struct in6_addr *)req->id.idiag_src,
++ req->id.idiag_sport,
++ req->id.idiag_if);
++ }
+ #endif
+ else
+ goto out_nosk;
+--
+2.19.1
+
--- /dev/null
+From 46f60a062260188e6366329f7655243ebcaef5df Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Fri, 4 Mar 2016 15:42:45 +0200
+Subject: perf/ring_buffer: Refuse to begin AUX transaction after
+ rb->aux_mmap_count drops
+
+[ Upstream commit dcb10a967ce82d5ad20570693091139ae716ff76 ]
+
+When ring buffer's AUX area is unmapped and rb->aux_mmap_count drops to
+zero, new AUX transactions into this buffer can still be started,
+even though the buffer in en route to deallocation.
+
+This patch adds a check to perf_aux_output_begin() for rb->aux_mmap_count
+being zero, in which case there is no point starting new transactions,
+in other words, the ring buffers that pass a certain point in
+perf_mmap_close will not have their events sending new data, which
+clears path for freeing those buffers' pages right there and then,
+provided that no active transactions are holding the AUX reference.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: vince@deater.net
+Link: http://lkml.kernel.org/r/1457098969-21595-2-git-send-email-alexander.shishkin@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/ring_buffer.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
+index 94dc6b0763ab..7324d83d6bd8 100644
+--- a/kernel/events/ring_buffer.c
++++ b/kernel/events/ring_buffer.c
+@@ -288,6 +288,13 @@ void *perf_aux_output_begin(struct perf_output_handle *handle,
+ if (!rb_has_aux(rb) || !atomic_inc_not_zero(&rb->aux_refcount))
+ goto err;
+
++ /*
++ * If rb::aux_mmap_count is zero (and rb_has_aux() above went through),
++ * the aux buffer is in perf_mmap_close(), about to get freed.
++ */
++ if (!atomic_read(&rb->aux_mmap_count))
++ goto err;
++
+ /*
+ * Nesting is not supported for AUX area, make sure nested
+ * writers are caught early
+--
+2.19.1
+
--- /dev/null
+From 41c517657b6d380e8218d770ed5f4342e41706d2 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Tue, 19 Jan 2016 17:14:29 +0200
+Subject: perf: Synchronously free aux pages in case of allocation failure
+
+[ Upstream commit 45c815f06b80031659c63d7b93e580015d6024dd ]
+
+We are currently using asynchronous deallocation in the error path in
+AUX mmap code, which is unnecessary and also presents a problem for users
+that wish to probe for the biggest possible buffer size they can get:
+they'll get -EINVAL on all subsequent attemts to allocate a smaller
+buffer before the asynchronous deallocation callback frees up the pages
+from the previous unsuccessful attempt.
+
+Currently, gdb does that for allocating AUX buffers for Intel PT traces.
+More specifically, overwrite mode of AUX pmus that don't support hardware
+sg (some implementations of Intel PT, for instance) is limited to only
+one contiguous high order allocation for its buffer and there is no way
+of knowing its size without trying.
+
+This patch changes error path freeing to be synchronous as there won't
+be any contenders for the AUX pages at that point.
+
+Reported-by: Markus Metzger <markus.t.metzger@intel.com>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: vince@deater.net
+Link: http://lkml.kernel.org/r/1453216469-9509-1-git-send-email-alexander.shishkin@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/ring_buffer.c | 40 ++++++++++++++++++-------------------
+ 1 file changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
+index 358bb53c1e74..94dc6b0763ab 100644
+--- a/kernel/events/ring_buffer.c
++++ b/kernel/events/ring_buffer.c
+@@ -468,6 +468,25 @@ static void rb_free_aux_page(struct ring_buffer *rb, int idx)
+ __free_page(page);
+ }
+
++static void __rb_free_aux(struct ring_buffer *rb)
++{
++ int pg;
++
++ if (rb->aux_priv) {
++ rb->free_aux(rb->aux_priv);
++ rb->free_aux = NULL;
++ rb->aux_priv = NULL;
++ }
++
++ if (rb->aux_nr_pages) {
++ for (pg = 0; pg < rb->aux_nr_pages; pg++)
++ rb_free_aux_page(rb, pg);
++
++ kfree(rb->aux_pages);
++ rb->aux_nr_pages = 0;
++ }
++}
++
+ int rb_alloc_aux(struct ring_buffer *rb, struct perf_event *event,
+ pgoff_t pgoff, int nr_pages, long watermark, int flags)
+ {
+@@ -556,30 +575,11 @@ int rb_alloc_aux(struct ring_buffer *rb, struct perf_event *event,
+ if (!ret)
+ rb->aux_pgoff = pgoff;
+ else
+- rb_free_aux(rb);
++ __rb_free_aux(rb);
+
+ return ret;
+ }
+
+-static void __rb_free_aux(struct ring_buffer *rb)
+-{
+- int pg;
+-
+- if (rb->aux_priv) {
+- rb->free_aux(rb->aux_priv);
+- rb->free_aux = NULL;
+- rb->aux_priv = NULL;
+- }
+-
+- if (rb->aux_nr_pages) {
+- for (pg = 0; pg < rb->aux_nr_pages; pg++)
+- rb_free_aux_page(rb, pg);
+-
+- kfree(rb->aux_pages);
+- rb->aux_nr_pages = 0;
+- }
+-}
+-
+ void rb_free_aux(struct ring_buffer *rb)
+ {
+ if (atomic_dec_and_test(&rb->aux_refcount))
+--
+2.19.1
+
--- /dev/null
+From e2d4d5e7d4087552f2c3f2430338dd6f747d9e4a Mon Sep 17 00:00:00 2001
+From: James Morse <james.morse@arm.com>
+Date: Wed, 27 Apr 2016 17:47:11 +0100
+Subject: PM / Hibernate: Call flush_icache_range() on pages restored in-place
+
+[ Upstream commit f6cf0545ec697ddc278b7457b7d0c0d86a2ea88e ]
+
+Some architectures require code written to memory as if it were data to be
+'cleaned' from any data caches before the processor can fetch them as new
+instructions.
+
+During resume from hibernate, the snapshot code copies some pages directly,
+meaning these architectures do not get a chance to perform their cache
+maintenance. Modify the read and decompress code to call
+flush_icache_range() on all pages that are restored, so that the restored
+in-place pages are guaranteed to be executable on these architectures.
+
+Signed-off-by: James Morse <james.morse@arm.com>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Acked-by: Rafael J. Wysocki <rjw@rjwysocki.net>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+[will: make clean_pages_on_* static and remove initialisers]
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/swap.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/kernel/power/swap.c b/kernel/power/swap.c
+index 12cd989dadf6..160e1006640d 100644
+--- a/kernel/power/swap.c
++++ b/kernel/power/swap.c
+@@ -36,6 +36,14 @@
+
+ #define HIBERNATE_SIG "S1SUSPEND"
+
++/*
++ * When reading an {un,}compressed image, we may restore pages in place,
++ * in which case some architectures need these pages cleaning before they
++ * can be executed. We don't know which pages these may be, so clean the lot.
++ */
++static bool clean_pages_on_read;
++static bool clean_pages_on_decompress;
++
+ /*
+ * The swap map is a data structure used for keeping track of each page
+ * written to a swap partition. It consists of many swap_map_page
+@@ -241,6 +249,9 @@ static void hib_end_io(struct bio *bio)
+
+ if (bio_data_dir(bio) == WRITE)
+ put_page(page);
++ else if (clean_pages_on_read)
++ flush_icache_range((unsigned long)page_address(page),
++ (unsigned long)page_address(page) + PAGE_SIZE);
+
+ if (bio->bi_error && !hb->error)
+ hb->error = bio->bi_error;
+@@ -1049,6 +1060,7 @@ static int load_image(struct swap_map_handle *handle,
+
+ hib_init_batch(&hb);
+
++ clean_pages_on_read = true;
+ printk(KERN_INFO "PM: Loading image data pages (%u pages)...\n",
+ nr_to_read);
+ m = nr_to_read / 10;
+@@ -1124,6 +1136,10 @@ static int lzo_decompress_threadfn(void *data)
+ d->unc_len = LZO_UNC_SIZE;
+ d->ret = lzo1x_decompress_safe(d->cmp + LZO_HEADER, d->cmp_len,
+ d->unc, &d->unc_len);
++ if (clean_pages_on_decompress)
++ flush_icache_range((unsigned long)d->unc,
++ (unsigned long)d->unc + d->unc_len);
++
+ atomic_set(&d->stop, 1);
+ wake_up(&d->done);
+ }
+@@ -1189,6 +1205,8 @@ static int load_image_lzo(struct swap_map_handle *handle,
+ }
+ memset(crc, 0, offsetof(struct crc_data, go));
+
++ clean_pages_on_decompress = true;
++
+ /*
+ * Start the decompression threads.
+ */
+--
+2.19.1
+
--- /dev/null
+From a5b734deb77c8d001b93a7526f068b38f53cb290 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Thu, 11 Feb 2016 16:42:58 +0100
+Subject: Revert "mmc: block: don't use parameter prefix if built as module"
+
+[ Upstream commit a5ebb87db84392edfd3142c3a6a78431d820a789 ]
+
+This reverts commit 829b6962f7e3cfc06f7c5c26269fd47ad48cf503.
+
+Revert this change as it causes a sysfs path to change and therefore
+introduces and ABI regression. More precisely Android's vold is not being
+able to access /sys/module/mmcblk/parameters/perdev_minors any more, since
+the path becomes changed to: "/sys/module/mmc_block/..."
+
+Fixes: 829b6962f7e3 ("mmc: block: don't use parameter prefix if built as
+module")
+Reported-by: John Stultz <john.stultz@linaro.org>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/card/block.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
+index c15b879c3070..f600bdcaf5b4 100644
+--- a/drivers/mmc/card/block.c
++++ b/drivers/mmc/card/block.c
+@@ -47,13 +47,10 @@
+ #include "queue.h"
+
+ MODULE_ALIAS("mmc:block");
+-
+-#ifdef KERNEL
+ #ifdef MODULE_PARAM_PREFIX
+ #undef MODULE_PARAM_PREFIX
+ #endif
+ #define MODULE_PARAM_PREFIX "mmcblk."
+-#endif
+
+ #define INAND_CMD38_ARG_EXT_CSD 113
+ #define INAND_CMD38_ARG_ERASE 0x00
+--
+2.19.1
+
--- /dev/null
+From 43ce7d3e79e8d11c3be7c1f925371e7a596df5f6 Mon Sep 17 00:00:00 2001
+From: Yuyang Du <yuyang.du@intel.com>
+Date: Thu, 17 Dec 2015 07:34:27 +0800
+Subject: sched/fair: Fix new task's load avg removed from source CPU in
+ wake_up_new_task()
+
+[ Upstream commit 0905f04eb21fc1c2e690bed5d0418a061d56c225 ]
+
+If a newly created task is selected to go to a different CPU in fork
+balance when it wakes up the first time, its load averages should
+not be removed from the source CPU since they are never added to
+it before. The same is also applicable to a never used group entity.
+
+Fix it in remove_entity_load_avg(): when entity's last_update_time
+is 0, simply return. This should precisely identify the case in
+question, because in other migrations, the last_update_time is set
+to 0 after remove_entity_load_avg().
+
+Reported-by: Steve Muckle <steve.muckle@linaro.org>
+Signed-off-by: Yuyang Du <yuyang.du@intel.com>
+[peterz: cfs_rq_last_update_time]
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Cc: Juri Lelli <Juri.Lelli@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Morten Rasmussen <morten.rasmussen@arm.com>
+Cc: Patrick Bellasi <patrick.bellasi@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vincent Guittot <vincent.guittot@linaro.org>
+Link: http://lkml.kernel.org/r/20151216233427.GJ28098@intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 38 ++++++++++++++++++++++++++++----------
+ 1 file changed, 28 insertions(+), 10 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index c2af250547bb..6051007918ad 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -2841,27 +2841,45 @@ dequeue_entity_load_avg(struct cfs_rq *cfs_rq, struct sched_entity *se)
+ max_t(s64, cfs_rq->runnable_load_sum - se->avg.load_sum, 0);
+ }
+
+-/*
+- * Task first catches up with cfs_rq, and then subtract
+- * itself from the cfs_rq (task must be off the queue now).
+- */
+-void remove_entity_load_avg(struct sched_entity *se)
+-{
+- struct cfs_rq *cfs_rq = cfs_rq_of(se);
+- u64 last_update_time;
+-
+ #ifndef CONFIG_64BIT
++static inline u64 cfs_rq_last_update_time(struct cfs_rq *cfs_rq)
++{
+ u64 last_update_time_copy;
++ u64 last_update_time;
+
+ do {
+ last_update_time_copy = cfs_rq->load_last_update_time_copy;
+ smp_rmb();
+ last_update_time = cfs_rq->avg.last_update_time;
+ } while (last_update_time != last_update_time_copy);
++
++ return last_update_time;
++}
+ #else
+- last_update_time = cfs_rq->avg.last_update_time;
++static inline u64 cfs_rq_last_update_time(struct cfs_rq *cfs_rq)
++{
++ return cfs_rq->avg.last_update_time;
++}
+ #endif
+
++/*
++ * Task first catches up with cfs_rq, and then subtract
++ * itself from the cfs_rq (task must be off the queue now).
++ */
++void remove_entity_load_avg(struct sched_entity *se)
++{
++ struct cfs_rq *cfs_rq = cfs_rq_of(se);
++ u64 last_update_time;
++
++ /*
++ * Newly created task or never used group entity should not be removed
++ * from its (source) cfs_rq
++ */
++ if (se->avg.last_update_time == 0)
++ return;
++
++ last_update_time = cfs_rq_last_update_time(cfs_rq);
++
+ __update_load_avg(last_update_time, cpu_of(rq_of(cfs_rq)), &se->avg, 0, 0, NULL);
+ atomic_long_add(se->avg.load_avg, &cfs_rq->removed_load_avg);
+ atomic_long_add(se->avg.util_avg, &cfs_rq->removed_util_avg);
+--
+2.19.1
+
ath10k-avoid-possible-string-overflow.patch
bluetooth-check-l2cap-option-sizes-returned-from-l2cap_get_conf_opt.patch
bluetooth-verify-that-l2cap_get_conf_opt-provides-large-enough-buffer.patch
+sched-fair-fix-new-task-s-load-avg-removed-from-sour.patch
+mmc-block-allow-more-than-8-partitions-per-card.patch
+arm64-fix-compat_shmlba-definition-for-large-pages.patch
+efi-stub-define-disable_branch_profiling-for-all-arc.patch
+arm-8458-1-bl_switcher-add-gic-dependency.patch
+arm-8494-1-mm-enable-pxn-when-running-non-lpae-kerne.patch
+android-unconditionally-remove-callbacks-in-sync_fen.patch
+vmstat-make-vmstat_updater-deferrable-again-and-shut.patch
+hid-sensor-hub.c-fix-wrong-do_div-usage.patch
+arm64-hide-__efistub_-aliases-from-kallsyms.patch
+perf-synchronously-free-aux-pages-in-case-of-allocat.patch
+net-diag-support-v4mapped-sockets-in-inet_diag_find_.patch
+revert-mmc-block-don-t-use-parameter-prefix-if-built.patch
+writeback-initialize-inode-members-that-track-writeb.patch
+coresight-fixing-lockdep-error.patch
+coresight-coresight_unregister-function-cleanup.patch
+coresight-release-reference-taken-by-bus_find_device.patch
+coresight-remove-csdev-s-link-from-topology.patch
+stm-class-fix-locking-in-unbinding-policy-path.patch
+stm-class-fix-link-list-locking.patch
+stm-class-prevent-user-controllable-allocations.patch
+stm-class-support-devices-with-multiple-instances.patch
+stm-class-fix-unlocking-braino-in-the-error-path.patch
+stm-class-guard-output-assignment-against-concurrenc.patch
+stm-class-fix-unbalanced-module-device-refcounting.patch
+stm-class-fix-a-race-in-unlinking.patch
+coresight-device_attr_ro-should-defined-as-static.patch
+coresight-etm4x-check-every-parameter-used-by-dma_xx.patch
+asm-generic-fix-local-variable-shadow-in-__set_fixma.patch
+staging-ashmem-avoid-deadlock-with-mmap-shrink.patch
+staging-ashmem-add-missing-include.patch
+staging-ion-set-minimum-carveout-heap-allocation-ord.patch
+staging-goldfish-audio-fix-compiliation-on-arm.patch
+arm-8510-1-rework-arm_cpu_suspend-dependencies.patch
+arm64-kernel-fix-incorrect-el0-check-in-inv_entry-ma.patch
+mac80211-fix-warning-target_metric-may-be-used-unini.patch
+perf-ring_buffer-refuse-to-begin-aux-transaction-aft.patch
+arm64-kernel-include-_ac-definition-in-page.h.patch
+pm-hibernate-call-flush_icache_range-on-pages-restor.patch
+stm-class-do-not-leak-the-chrdev-in-error-path.patch
+stm-class-fix-stm-device-initialization-order.patch
+ipv6-fix-endianness-error-in-icmpv6_err.patch
+usb-gadget-configfs-add-mutex-lock-before-unregister.patch
+usb-gadget-rndis-free-response-queue-during-remote_n.patch
+cpu-hotplug-handle-unbalanced-hotplug-enable-disable.patch
+video-fbdev-set-pixclock-0-in-goldfishfb.patch
+arm64-kconfig-drop-config_rtc_lib-dependency.patch
+mmc-mmc-fix-switch-timeout-issue-caused-by-jiffies-p.patch
+cfg80211-size-various-nl80211-messages-correctly.patch
+stmmac-copy-unicast-mac-address-to-mac-registers.patch
--- /dev/null
+From 4c73e39d9e2a69af7fa6dd3fcc7a3ddc4991ca24 Mon Sep 17 00:00:00 2001
+From: Rom Lemarchand <romlem@android.com>
+Date: Fri, 29 Jan 2016 22:07:31 -0800
+Subject: staging: ashmem: Add missing include
+
+[ Upstream commit 90a2f171383b5ae43b33ab4d9d566b9765622ac7 ]
+
+Include <linux/types.h> into ashmem.h to ensure referenced types
+are defined
+
+Cc: Android Kernel Team <kernel-team@android.com>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Signed-off-by: Rom Lemarchand <romlem@android.com>
+[jstultz: Minor commit message tweaks]
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/android/uapi/ashmem.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/android/uapi/ashmem.h b/drivers/staging/android/uapi/ashmem.h
+index ba4743c71d6b..13df42d200b7 100644
+--- a/drivers/staging/android/uapi/ashmem.h
++++ b/drivers/staging/android/uapi/ashmem.h
+@@ -13,6 +13,7 @@
+ #define _UAPI_LINUX_ASHMEM_H
+
+ #include <linux/ioctl.h>
++#include <linux/types.h>
+
+ #define ASHMEM_NAME_LEN 256
+
+--
+2.19.1
+
--- /dev/null
+From 8ac6256d2d24ca82af05601971eb7d22ebcd14ef Mon Sep 17 00:00:00 2001
+From: Laura Abbott <lauraa@codeaurora.org>
+Date: Fri, 29 Jan 2016 22:07:30 -0800
+Subject: staging: ashmem: Avoid deadlock with mmap/shrink
+
+[ Upstream commit 18e77054de741ef3ed2a2489bc9bf82a318b2d5e ]
+
+Both ashmem_mmap and ashmem_shrink take the ashmem_lock. It may
+be possible for ashmem_mmap to invoke ashmem_shrink:
+
+-000|mutex_lock(lock = 0x0)
+-001|ashmem_shrink(?, sc = 0x0) <--- try to take ashmem_mutex again
+-002|shrink_slab(shrink = 0xDA5F1CC0, nr_pages_scanned = 0, lru_pages
+-002|=
+-002|124)
+-003|try_to_free_pages(zonelist = 0x0, ?, ?, ?)
+-004|__alloc_pages_nodemask(gfp_mask = 21200, order = 1, zonelist =
+-004|0xC11D0940,
+-005|new_slab(s = 0xE4841E80, ?, node = -1)
+-006|__slab_alloc.isra.43.constprop.50(s = 0xE4841E80, gfpflags =
+-006|2148925462, ad
+-007|kmem_cache_alloc(s = 0xE4841E80, gfpflags = 208)
+-008|shmem_alloc_inode(?)
+-009|alloc_inode(sb = 0xE480E800)
+-010|new_inode_pseudo(?)
+-011|new_inode(?)
+-012|shmem_get_inode(sb = 0xE480E800, dir = 0x0, ?, dev = 0, flags =
+-012|187)
+-013|shmem_file_setup(?, ?, flags = 187)
+-014|ashmem_mmap(?, vma = 0xC5D64210) <---- Acquire ashmem_mutex
+-015|mmap_region(file = 0xDF8E2C00, addr = 1772974080, len = 233472,
+-015|flags = 57,
+-016|sys_mmap_pgoff(addr = 0, len = 230400, prot = 3, flags = 1, fd =
+-016|157, pgoff
+-017|ret_fast_syscall(asm)
+-->|exception
+-018|NUR:0x40097508(asm)
+---|end of frame
+
+Avoid this deadlock by using mutex_trylock in ashmem_shrink; if the mutex
+is already held, do not attempt to shrink.
+
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Cc: Android Kernel Team <kernel-team@android.com>
+Reported-by: Matt Wagantall <mattw@codeaurora.org>
+Reported-by: Syed Rameez Mustafa <rameezmustafa@codeaurora.org>
+Reported-by: Osvaldo Banuelos <osvaldob@codeaurora.org>
+Reported-by: Subbaraman Narayanamurthy <subbaram@codeaurora.org>
+Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
+[jstultz: Minor commit message tweaks]
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/android/ashmem.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
+index e9c74c41aece..b4c425383f99 100644
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -447,7 +447,9 @@ ashmem_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
+ if (!(sc->gfp_mask & __GFP_FS))
+ return SHRINK_STOP;
+
+- mutex_lock(&ashmem_mutex);
++ if (!mutex_trylock(&ashmem_mutex))
++ return -1;
++
+ list_for_each_entry_safe(range, next, &ashmem_lru_list, lru) {
+ loff_t start = range->pgstart * PAGE_SIZE;
+ loff_t end = (range->pgend + 1) * PAGE_SIZE;
+--
+2.19.1
+
--- /dev/null
+From 6336fe288d390ac998f03460b06dd296cb8d0677 Mon Sep 17 00:00:00 2001
+From: Greg Hackmann <ghackmann@google.com>
+Date: Fri, 26 Feb 2016 19:00:18 +0000
+Subject: staging: goldfish: audio: fix compiliation on arm
+
+[ Upstream commit 4532150762ceb0d6fd765ebcb3ba6966fbb8faab ]
+
+We do actually need slab.h, by luck we get it on other platforms but not
+always on ARM. Include it properly.
+
+Signed-off-by: Greg Hackmann <ghackmann@google.com>
+Signed-off-by: Jin Qian <jinqian@android.com>
+Signed-off-by: Alan <alan@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/goldfish/goldfish_audio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/goldfish/goldfish_audio.c b/drivers/staging/goldfish/goldfish_audio.c
+index b0927e49d0a8..6ca288bf4059 100644
+--- a/drivers/staging/goldfish/goldfish_audio.c
++++ b/drivers/staging/goldfish/goldfish_audio.c
+@@ -26,6 +26,7 @@
+ #include <linux/sched.h>
+ #include <linux/dma-mapping.h>
+ #include <linux/uaccess.h>
++#include <linux/slab.h>
+ #include <linux/goldfish.h>
+
+ MODULE_AUTHOR("Google, Inc.");
+--
+2.19.1
+
--- /dev/null
+From 862fc19b7663718ff190cc37cab0dfecff106cc4 Mon Sep 17 00:00:00 2001
+From: Rajmal Menariya <rajmal.menariya@spreadtrum.com>
+Date: Fri, 29 Jan 2016 22:07:35 -0800
+Subject: staging: ion: Set minimum carveout heap allocation order to
+ PAGE_SHIFT
+
+[ Upstream commit 1328d8efef17d5e16bd6e9cfe59130a833674534 ]
+
+In carveout heap, change minimum allocation order from 12 to
+PAGE_SHIFT. After this change each bit in bitmap (genalloc -
+General purpose special memory pool) represents one page size
+memory.
+
+Cc: sprd-ind-kernel-group@googlegroups.com
+Cc: sanjeev.yadav@spreadtrum.com
+Cc: Colin Cross <ccross@android.com>
+Cc: Android Kernel Team <kernel-team@android.com>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Cc: Sumit Semwal <sumit.semwal@linaro.org>
+Signed-off-by: Rajmal Menariya <rajmal.menariya@spreadtrum.com>
+[jstultz: Reworked commit message]
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Acked-by: Laura Abbott <labbott@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/android/ion/ion_carveout_heap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/android/ion/ion_carveout_heap.c b/drivers/staging/android/ion/ion_carveout_heap.c
+index 9156d8238c97..e702ce6461fc 100644
+--- a/drivers/staging/android/ion/ion_carveout_heap.c
++++ b/drivers/staging/android/ion/ion_carveout_heap.c
+@@ -167,7 +167,7 @@ struct ion_heap *ion_carveout_heap_create(struct ion_platform_heap *heap_data)
+ if (!carveout_heap)
+ return ERR_PTR(-ENOMEM);
+
+- carveout_heap->pool = gen_pool_create(12, -1);
++ carveout_heap->pool = gen_pool_create(PAGE_SHIFT, -1);
+ if (!carveout_heap->pool) {
+ kfree(carveout_heap);
+ return ERR_PTR(-ENOMEM);
+--
+2.19.1
+
--- /dev/null
+From f200741ac27f79e3164949e562976558e70407a3 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Fri, 4 Mar 2016 16:36:10 +0200
+Subject: stm class: Do not leak the chrdev in error path
+
+[ Upstream commit cbe4a61d1ddc4790d950ca8c33ef79ee68ef5e2b ]
+
+Currently, the error path of stm_register_device() forgets to unregister
+the chrdev. Fix this.
+
+Reported-by: Alan Cox <alan.cox@intel.com>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Reviewed-by: Laurent Fert <laurent.fert@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/stm/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c
+index 03b34dcff7f2..0c7f0bae001a 100644
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -686,6 +686,8 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data,
+ return 0;
+
+ err_device:
++ unregister_chrdev(stm->major, stm_data->name);
++
+ /* matches device_initialize() above */
+ put_device(&stm->dev);
+ err_free:
+--
+2.19.1
+
--- /dev/null
+From 579733ac3cd5b8c95931c59957d920833b66a6f1 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Mon, 15 Feb 2016 19:12:08 +0200
+Subject: stm class: Fix a race in unlinking
+
+[ Upstream commit b4ca34aaf78ed0cdfc15956d377064104257a437 ]
+
+There is a window in stm_source_link_drop(), during which the source's
+link may change before locks are acquired. When this happens, it throws
+a warning, since this is not an expected scenario.
+
+This patch handles the race in such a way that if the link appears to
+have changed by the time we took the locks, it will release them and
+repeat the whole unlinking procedure from the beginning, unless the
+other contender beat us to it.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/stm/core.c | 54 ++++++++++++++++++++++++++++--------
+ 1 file changed, 42 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c
+index cdc692d6cedd..03b34dcff7f2 100644
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -695,18 +695,26 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data,
+ }
+ EXPORT_SYMBOL_GPL(stm_register_device);
+
+-static void __stm_source_link_drop(struct stm_source_device *src,
+- struct stm_device *stm);
++static int __stm_source_link_drop(struct stm_source_device *src,
++ struct stm_device *stm);
+
+ void stm_unregister_device(struct stm_data *stm_data)
+ {
+ struct stm_device *stm = stm_data->stm;
+ struct stm_source_device *src, *iter;
+- int i;
++ int i, ret;
+
+ mutex_lock(&stm->link_mutex);
+ list_for_each_entry_safe(src, iter, &stm->link_list, link_entry) {
+- __stm_source_link_drop(src, stm);
++ ret = __stm_source_link_drop(src, stm);
++ /*
++ * src <-> stm link must not change under the same
++ * stm::link_mutex, so complain loudly if it has;
++ * also in this situation ret!=0 means this src is
++ * not connected to this stm and it should be otherwise
++ * safe to proceed with the tear-down of stm.
++ */
++ WARN_ON_ONCE(ret);
+ }
+ mutex_unlock(&stm->link_mutex);
+
+@@ -825,22 +833,28 @@ static int stm_source_link_add(struct stm_source_device *src,
+ *
+ * Caller must hold stm::link_mutex.
+ */
+-static void __stm_source_link_drop(struct stm_source_device *src,
+- struct stm_device *stm)
++static int __stm_source_link_drop(struct stm_source_device *src,
++ struct stm_device *stm)
+ {
+ struct stm_device *link;
++ int ret = 0;
+
+ lockdep_assert_held(&stm->link_mutex);
+
+- if (src->data->unlink)
+- src->data->unlink(src->data);
+-
+ /* for stm::link_list modification, we hold both mutex and spinlock */
+ spin_lock(&stm->link_lock);
+ spin_lock(&src->link_lock);
+ link = srcu_dereference_check(src->link, &stm_source_srcu, 1);
+- if (WARN_ON_ONCE(link != stm))
++
++ /*
++ * The linked device may have changed since we last looked, because
++ * we weren't holding the src::link_lock back then; if this is the
++ * case, tell the caller to retry.
++ */
++ if (link != stm) {
++ ret = -EAGAIN;
+ goto unlock;
++ }
+
+ stm_output_free(link, &src->output);
+ list_del_init(&src->link_entry);
+@@ -851,6 +865,11 @@ static void __stm_source_link_drop(struct stm_source_device *src,
+ unlock:
+ spin_unlock(&src->link_lock);
+ spin_unlock(&stm->link_lock);
++
++ if (!ret && src->data->unlink)
++ src->data->unlink(src->data);
++
++ return ret;
+ }
+
+ /**
+@@ -866,18 +885,29 @@ static void __stm_source_link_drop(struct stm_source_device *src,
+ static void stm_source_link_drop(struct stm_source_device *src)
+ {
+ struct stm_device *stm;
+- int idx;
++ int idx, ret;
+
++retry:
+ idx = srcu_read_lock(&stm_source_srcu);
++ /*
++ * The stm device will be valid for the duration of this
++ * read section, but the link may change before we grab
++ * the src::link_lock in __stm_source_link_drop().
++ */
+ stm = srcu_dereference(src->link, &stm_source_srcu);
+
++ ret = 0;
+ if (stm) {
+ mutex_lock(&stm->link_mutex);
+- __stm_source_link_drop(src, stm);
++ ret = __stm_source_link_drop(src, stm);
+ mutex_unlock(&stm->link_mutex);
+ }
+
+ srcu_read_unlock(&stm_source_srcu, idx);
++
++ /* if it did change, retry */
++ if (ret == -EAGAIN)
++ goto retry;
+ }
+
+ static ssize_t stm_source_link_show(struct device *dev,
+--
+2.19.1
+
--- /dev/null
+From 503f811643c4d333e13e11866428dd9dc7cd92d2 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Tue, 22 Dec 2015 17:25:19 +0200
+Subject: stm class: Fix link list locking
+
+[ Upstream commit c74f7e8281add80bdfa0ad2998b8df287b13df73 ]
+
+Currently, the list of stm_sources linked to an stm device is protected by
+a spinlock, which also means that sources' .unlink() method is called under
+this spinlock. However, this method may (and does) sleep, which means
+trouble.
+
+This patch slightly reworks locking around stm::link_list so that bits that
+might_sleep() are called with a mutex held instead. Modification of this
+list requires both mutex and spinlock to be held, while looking at the list
+can be done under either mutex or spinlock.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/stm/core.c | 38 +++++++++++++++++++++++++++---------
+ drivers/hwtracing/stm/stm.h | 1 +
+ 2 files changed, 30 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c
+index 92ab51aa8a74..f286de2e86af 100644
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -647,6 +647,7 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data,
+ if (err)
+ goto err_device;
+
++ mutex_init(&stm->link_mutex);
+ spin_lock_init(&stm->link_lock);
+ INIT_LIST_HEAD(&stm->link_list);
+
+@@ -677,11 +678,11 @@ void stm_unregister_device(struct stm_data *stm_data)
+ struct stm_source_device *src, *iter;
+ int i;
+
+- spin_lock(&stm->link_lock);
++ mutex_lock(&stm->link_mutex);
+ list_for_each_entry_safe(src, iter, &stm->link_list, link_entry) {
+ __stm_source_link_drop(src, stm);
+ }
+- spin_unlock(&stm->link_lock);
++ mutex_unlock(&stm->link_mutex);
+
+ synchronize_srcu(&stm_source_srcu);
+
+@@ -700,6 +701,17 @@ void stm_unregister_device(struct stm_data *stm_data)
+ }
+ EXPORT_SYMBOL_GPL(stm_unregister_device);
+
++/*
++ * stm::link_list access serialization uses a spinlock and a mutex; holding
++ * either of them guarantees that the list is stable; modification requires
++ * holding both of them.
++ *
++ * Lock ordering is as follows:
++ * stm::link_mutex
++ * stm::link_lock
++ * src::link_lock
++ */
++
+ /**
+ * stm_source_link_add() - connect an stm_source device to an stm device
+ * @src: stm_source device
+@@ -716,6 +728,7 @@ static int stm_source_link_add(struct stm_source_device *src,
+ char *id;
+ int err;
+
++ mutex_lock(&stm->link_mutex);
+ spin_lock(&stm->link_lock);
+ spin_lock(&src->link_lock);
+
+@@ -725,6 +738,7 @@ static int stm_source_link_add(struct stm_source_device *src,
+
+ spin_unlock(&src->link_lock);
+ spin_unlock(&stm->link_lock);
++ mutex_unlock(&stm->link_mutex);
+
+ id = kstrdup(src->data->name, GFP_KERNEL);
+ if (id) {
+@@ -762,6 +776,7 @@ static int stm_source_link_add(struct stm_source_device *src,
+ stm_put_device(stm);
+
+ fail_detach:
++ mutex_lock(&stm->link_mutex);
+ spin_lock(&stm->link_lock);
+ spin_lock(&src->link_lock);
+
+@@ -770,6 +785,7 @@ static int stm_source_link_add(struct stm_source_device *src,
+
+ spin_unlock(&src->link_lock);
+ spin_unlock(&stm->link_lock);
++ mutex_unlock(&stm->link_mutex);
+
+ return err;
+ }
+@@ -782,13 +798,20 @@ static int stm_source_link_add(struct stm_source_device *src,
+ * If @stm is @src::link, disconnect them from one another and put the
+ * reference on the @stm device.
+ *
+- * Caller must hold stm::link_lock.
++ * Caller must hold stm::link_mutex.
+ */
+ static void __stm_source_link_drop(struct stm_source_device *src,
+ struct stm_device *stm)
+ {
+ struct stm_device *link;
+
++ lockdep_assert_held(&stm->link_mutex);
++
++ if (src->data->unlink)
++ src->data->unlink(src->data);
++
++ /* for stm::link_list modification, we hold both mutex and spinlock */
++ spin_lock(&stm->link_lock);
+ spin_lock(&src->link_lock);
+ link = srcu_dereference_check(src->link, &stm_source_srcu, 1);
+ if (WARN_ON_ONCE(link != stm)) {
+@@ -797,13 +820,13 @@ static void __stm_source_link_drop(struct stm_source_device *src,
+ }
+
+ stm_output_free(link, &src->output);
+- /* caller must hold stm::link_lock */
+ list_del_init(&src->link_entry);
+ /* matches stm_find_device() from stm_source_link_store() */
+ stm_put_device(link);
+ rcu_assign_pointer(src->link, NULL);
+
+ spin_unlock(&src->link_lock);
++ spin_unlock(&stm->link_lock);
+ }
+
+ /**
+@@ -825,12 +848,9 @@ static void stm_source_link_drop(struct stm_source_device *src)
+ stm = srcu_dereference(src->link, &stm_source_srcu);
+
+ if (stm) {
+- if (src->data->unlink)
+- src->data->unlink(src->data);
+-
+- spin_lock(&stm->link_lock);
++ mutex_lock(&stm->link_mutex);
+ __stm_source_link_drop(src, stm);
+- spin_unlock(&stm->link_lock);
++ mutex_unlock(&stm->link_mutex);
+ }
+
+ srcu_read_unlock(&stm_source_srcu, idx);
+diff --git a/drivers/hwtracing/stm/stm.h b/drivers/hwtracing/stm/stm.h
+index 95ece0292c99..97ee02241440 100644
+--- a/drivers/hwtracing/stm/stm.h
++++ b/drivers/hwtracing/stm/stm.h
+@@ -45,6 +45,7 @@ struct stm_device {
+ int major;
+ unsigned int sw_nmasters;
+ struct stm_data *data;
++ struct mutex link_mutex;
+ spinlock_t link_lock;
+ struct list_head link_list;
+ /* master allocation */
+--
+2.19.1
+
--- /dev/null
+From 574faba4fb0d1b443a241e4381695e5cc3ae9da6 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Tue, 22 Dec 2015 17:25:18 +0200
+Subject: stm class: Fix locking in unbinding policy path
+
+[ Upstream commit 4c127fd16e6b33ecb7badc091480c84ea9aebeb6 ]
+
+Right now, if stm device removal has to unbind from a policy (that is,
+an stm device that has STP policy, gets removed), it will trigger a
+nested lock on the stm device's policy mutex.
+
+This patch fixes the problem by moving the locking from the policy
+unbinding to policy removal (configfs path), where it's actually needed;
+the other caller of the policy unbinding function already takes the
+mutex around the call.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/stm/policy.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hwtracing/stm/policy.c b/drivers/hwtracing/stm/policy.c
+index 11ab6d01adf6..94d3abfb737a 100644
+--- a/drivers/hwtracing/stm/policy.c
++++ b/drivers/hwtracing/stm/policy.c
+@@ -272,13 +272,17 @@ void stp_policy_unbind(struct stp_policy *policy)
+ {
+ struct stm_device *stm = policy->stm;
+
++ /*
++ * stp_policy_release() will not call here if the policy is already
++ * unbound; other users should not either, as no link exists between
++ * this policy and anything else in that case
++ */
+ if (WARN_ON_ONCE(!policy->stm))
+ return;
+
+- mutex_lock(&stm->policy_mutex);
+- stm->policy = NULL;
+- mutex_unlock(&stm->policy_mutex);
++ lockdep_assert_held(&stm->policy_mutex);
+
++ stm->policy = NULL;
+ policy->stm = NULL;
+
+ stm_put_device(stm);
+@@ -287,8 +291,16 @@ void stp_policy_unbind(struct stp_policy *policy)
+ static void stp_policy_release(struct config_item *item)
+ {
+ struct stp_policy *policy = to_stp_policy(item);
++ struct stm_device *stm = policy->stm;
+
++ /* a policy *can* be unbound and still exist in configfs tree */
++ if (!stm)
++ return;
++
++ mutex_lock(&stm->policy_mutex);
+ stp_policy_unbind(policy);
++ mutex_unlock(&stm->policy_mutex);
++
+ kfree(policy);
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 3e3511dab21ad155c06d9f5dafa89747771ae693 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Fri, 4 Mar 2016 16:48:14 +0200
+Subject: stm class: Fix stm device initialization order
+
+[ Upstream commit 389b6699a2aa0b457aa69986e9ddf39f3b4030fd ]
+
+Currently, stm_register_device() makes the device visible and then
+proceeds to initializing spinlocks and other properties, which leaves
+a window when the device can already be opened but is not yet fully
+operational.
+
+Fix this by reversing the initialization order.
+
+Reported-by: Alan Cox <alan.cox@intel.com>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Reviewed-by: Laurent Fert <laurent.fert@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/stm/core.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c
+index 0c7f0bae001a..b6cc841de79d 100644
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -664,18 +664,11 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data,
+ stm->dev.parent = parent;
+ stm->dev.release = stm_device_release;
+
+- err = kobject_set_name(&stm->dev.kobj, "%s", stm_data->name);
+- if (err)
+- goto err_device;
+-
+- err = device_add(&stm->dev);
+- if (err)
+- goto err_device;
+-
+ mutex_init(&stm->link_mutex);
+ spin_lock_init(&stm->link_lock);
+ INIT_LIST_HEAD(&stm->link_list);
+
++ /* initialize the object before it is accessible via sysfs */
+ spin_lock_init(&stm->mc_lock);
+ mutex_init(&stm->policy_mutex);
+ stm->sw_nmasters = nmasters;
+@@ -683,6 +676,14 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data,
+ stm->data = stm_data;
+ stm_data->stm = stm;
+
++ err = kobject_set_name(&stm->dev.kobj, "%s", stm_data->name);
++ if (err)
++ goto err_device;
++
++ err = device_add(&stm->dev);
++ if (err)
++ goto err_device;
++
+ return 0;
+
+ err_device:
+--
+2.19.1
+
--- /dev/null
+From beb1788daaa21b442a9b0f76ba24255dac487c8c Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Mon, 15 Feb 2016 19:12:07 +0200
+Subject: stm class: Fix unbalanced module/device refcounting
+
+[ Upstream commit f7c81c7176c72c7899390754b4b038a64b296e4d ]
+
+STM code takes references to the stm device and its module for the
+duration of the character device's existence or the stm_source link.
+Dropping these references is not well balanced everywhere, which may
+lead to leaks.
+
+This patch balances the acquisition and releasing of these two
+references and annotates each site so that it's easier to verify
+correctness by reading the code.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/stm/core.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c
+index f8e46c38b565..cdc692d6cedd 100644
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -114,6 +114,7 @@ struct stm_device *stm_find_device(const char *buf)
+
+ stm = to_stm_device(dev);
+ if (!try_module_get(stm->owner)) {
++ /* matches class_find_device() above */
+ put_device(dev);
+ return NULL;
+ }
+@@ -126,7 +127,7 @@ struct stm_device *stm_find_device(const char *buf)
+ * @stm: stm device, previously acquired by stm_find_device()
+ *
+ * This drops the module reference and device reference taken by
+- * stm_find_device().
++ * stm_find_device() or stm_char_open().
+ */
+ void stm_put_device(struct stm_device *stm)
+ {
+@@ -369,6 +370,8 @@ static int stm_char_open(struct inode *inode, struct file *file)
+ return nonseekable_open(inode, file);
+
+ err_free:
++ /* matches class_find_device() above */
++ put_device(dev);
+ kfree(stmf);
+
+ return err;
+@@ -379,6 +382,11 @@ static int stm_char_release(struct inode *inode, struct file *file)
+ struct stm_file *stmf = file->private_data;
+
+ stm_output_free(stmf->stm, &stmf->output);
++
++ /*
++ * matches the stm_char_open()'s
++ * class_find_device() + try_module_get()
++ */
+ stm_put_device(stmf->stm);
+ kfree(stmf);
+
+@@ -540,10 +548,8 @@ static int stm_char_policy_set_ioctl(struct stm_file *stmf, void __user *arg)
+ ret = stm->data->link(stm->data, stmf->output.master,
+ stmf->output.channel);
+
+- if (ret) {
++ if (ret)
+ stm_output_free(stmf->stm, &stmf->output);
+- stm_put_device(stmf->stm);
+- }
+
+ err_free:
+ kfree(id);
+@@ -680,6 +686,7 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data,
+ return 0;
+
+ err_device:
++ /* matches device_initialize() above */
+ put_device(&stm->dev);
+ err_free:
+ vfree(stm);
+@@ -792,7 +799,6 @@ static int stm_source_link_add(struct stm_source_device *src,
+
+ fail_free_output:
+ stm_output_free(stm, &src->output);
+- stm_put_device(stm);
+
+ fail_detach:
+ mutex_lock(&stm->link_mutex);
+@@ -906,8 +912,10 @@ static ssize_t stm_source_link_store(struct device *dev,
+ return -EINVAL;
+
+ err = stm_source_link_add(src, link);
+- if (err)
++ if (err) {
++ /* matches the stm_find_device() above */
+ stm_put_device(link);
++ }
+
+ return err ? : count;
+ }
+--
+2.19.1
+
--- /dev/null
+From 6f93407793e24d5c8670ae7884735c6c1c781754 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Mon, 15 Feb 2016 19:12:05 +0200
+Subject: stm class: Fix unlocking braino in the error path
+
+[ Upstream commit 1810f2c44817c74ca3d05d1e3981e3a2e2ceb6f5 ]
+
+If an illegal attempt is made to unlink stm source device from an
+stm device, the stm device's link spinlock mistakenly remains locked.
+While this really shouldn't happen (there's a warning in place), the
+locking should remain in order so that we can still recover from this
+situation if it indeed does happen.
+
+This patch unifies the unlocking in the exit path of
+__stm_source_link_drop() to fix this.
+
+Reported-by: Laurent Fert <laurent.fert@intel.com>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/stm/core.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c
+index e4fa583b57a6..d4deac108578 100644
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -817,10 +817,8 @@ static void __stm_source_link_drop(struct stm_source_device *src,
+ spin_lock(&stm->link_lock);
+ spin_lock(&src->link_lock);
+ link = srcu_dereference_check(src->link, &stm_source_srcu, 1);
+- if (WARN_ON_ONCE(link != stm)) {
+- spin_unlock(&src->link_lock);
+- return;
+- }
++ if (WARN_ON_ONCE(link != stm))
++ goto unlock;
+
+ stm_output_free(link, &src->output);
+ list_del_init(&src->link_entry);
+@@ -828,6 +826,7 @@ static void __stm_source_link_drop(struct stm_source_device *src,
+ stm_put_device(link);
+ rcu_assign_pointer(src->link, NULL);
+
++unlock:
+ spin_unlock(&src->link_lock);
+ spin_unlock(&stm->link_lock);
+ }
+--
+2.19.1
+
--- /dev/null
+From 0ed6be72a6fbe5e6a86ef04e341227715c3a50ba Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Mon, 15 Feb 2016 19:12:06 +0200
+Subject: stm class: Guard output assignment against concurrency
+
+[ Upstream commit cde4ad8368840e414ecf67db258fe1dabaa5fd2e ]
+
+It is possible to concurrently assign the same output (a character
+device writer or an stm_source device) to different stm devices,
+which sets off a strategically placed warning in stm_output_assign().
+
+To avoid this, use a spinlock to serialize (un)assignments between
+outputs and stm devices.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/stm/core.c | 17 +++++++++++++++++
+ drivers/hwtracing/stm/stm.h | 1 +
+ 2 files changed, 18 insertions(+)
+
+diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c
+index d4deac108578..f8e46c38b565 100644
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -186,6 +186,9 @@ static void stm_output_claim(struct stm_device *stm, struct stm_output *output)
+ {
+ struct stp_master *master = stm_master(stm, output->master);
+
++ lockdep_assert_held(&stm->mc_lock);
++ lockdep_assert_held(&output->lock);
++
+ if (WARN_ON_ONCE(master->nr_free < output->nr_chans))
+ return;
+
+@@ -200,6 +203,9 @@ stm_output_disclaim(struct stm_device *stm, struct stm_output *output)
+ {
+ struct stp_master *master = stm_master(stm, output->master);
+
++ lockdep_assert_held(&stm->mc_lock);
++ lockdep_assert_held(&output->lock);
++
+ bitmap_release_region(&master->chan_map[0], output->channel,
+ ilog2(output->nr_chans));
+
+@@ -292,6 +298,7 @@ static int stm_output_assign(struct stm_device *stm, unsigned int width,
+ }
+
+ spin_lock(&stm->mc_lock);
++ spin_lock(&output->lock);
+ /* output is already assigned -- shouldn't happen */
+ if (WARN_ON_ONCE(output->nr_chans))
+ goto unlock;
+@@ -308,6 +315,7 @@ static int stm_output_assign(struct stm_device *stm, unsigned int width,
+
+ ret = 0;
+ unlock:
++ spin_unlock(&output->lock);
+ spin_unlock(&stm->mc_lock);
+
+ return ret;
+@@ -316,11 +324,18 @@ static int stm_output_assign(struct stm_device *stm, unsigned int width,
+ static void stm_output_free(struct stm_device *stm, struct stm_output *output)
+ {
+ spin_lock(&stm->mc_lock);
++ spin_lock(&output->lock);
+ if (output->nr_chans)
+ stm_output_disclaim(stm, output);
++ spin_unlock(&output->lock);
+ spin_unlock(&stm->mc_lock);
+ }
+
++static void stm_output_init(struct stm_output *output)
++{
++ spin_lock_init(&output->lock);
++}
++
+ static int major_match(struct device *dev, const void *data)
+ {
+ unsigned int major = *(unsigned int *)data;
+@@ -343,6 +358,7 @@ static int stm_char_open(struct inode *inode, struct file *file)
+ if (!stmf)
+ return -ENOMEM;
+
++ stm_output_init(&stmf->output);
+ stmf->stm = to_stm_device(dev);
+
+ if (!try_module_get(stmf->stm->owner))
+@@ -953,6 +969,7 @@ int stm_source_register_device(struct device *parent,
+ if (err)
+ goto err;
+
++ stm_output_init(&src->output);
+ spin_lock_init(&src->link_lock);
+ INIT_LIST_HEAD(&src->link_entry);
+ src->data = data;
+diff --git a/drivers/hwtracing/stm/stm.h b/drivers/hwtracing/stm/stm.h
+index 97ee02241440..4e8c6926260f 100644
+--- a/drivers/hwtracing/stm/stm.h
++++ b/drivers/hwtracing/stm/stm.h
+@@ -57,6 +57,7 @@ struct stm_device {
+ container_of((_d), struct stm_device, dev)
+
+ struct stm_output {
++ spinlock_t lock;
+ unsigned int master;
+ unsigned int channel;
+ unsigned int nr_chans;
+--
+2.19.1
+
--- /dev/null
+From 7e82a1e16fde722d7c8f9c17e2a6f6871d40d507 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Tue, 22 Dec 2015 17:25:21 +0200
+Subject: stm class: Prevent user-controllable allocations
+
+[ Upstream commit f08b18266c7116e2ec6885dd53a928f580060a71 ]
+
+Currently, the character device write method allocates a temporary buffer
+for user's data, but the user's data size is not sanitized and can cause
+arbitrarily large allocations via kzalloc() or an integer overflow that
+will then result in overwriting kernel memory.
+
+This patch trims the input buffer size to avoid these issues.
+
+Reported-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/stm/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c
+index f286de2e86af..e4fa583b57a6 100644
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -410,6 +410,9 @@ static ssize_t stm_char_write(struct file *file, const char __user *buf,
+ char *kbuf;
+ int err;
+
++ if (count + 1 > PAGE_SIZE)
++ count = PAGE_SIZE - 1;
++
+ /*
+ * if no m/c have been assigned to this writer up to this
+ * point, use "default" policy entry
+--
+2.19.1
+
--- /dev/null
+From d4ce9f89ef9e6d2e088df31c9dc2d75ad763f556 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Mon, 15 Feb 2016 19:12:02 +0200
+Subject: stm class: Support devices with multiple instances
+
+[ Upstream commit 59be422e4ce10e3d49d4c9407a80fab8a9b7bc84 ]
+
+By convention, the name of the stm policy directory in configfs consists of
+the device name to which it applies and the actual policy name, separated
+by a dot. Now, some devices already have dots in their names that separate
+name of the actual device from its instance identifier. Such devices will
+result in two (or more, who can tell) dots in the policy directory name.
+
+Existing policy code, however, will treat the first dot as the one that
+separates device name from policy name, therefore failing the above case.
+
+This patch makes the last dot in the directory name be the separator, thus
+prohibiting dots from being used in policy names.
+
+Suggested-by: Chunyan Zhang <zhang.chunyan@linaro.org>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/stm/policy.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hwtracing/stm/policy.c b/drivers/hwtracing/stm/policy.c
+index 94d3abfb737a..1db189657b2b 100644
+--- a/drivers/hwtracing/stm/policy.c
++++ b/drivers/hwtracing/stm/policy.c
+@@ -332,10 +332,11 @@ stp_policies_make(struct config_group *group, const char *name)
+
+ /*
+ * node must look like <device_name>.<policy_name>, where
+- * <device_name> is the name of an existing stm device and
+- * <policy_name> is an arbitrary string
++ * <device_name> is the name of an existing stm device; may
++ * contain dots;
++ * <policy_name> is an arbitrary string; may not contain dots
+ */
+- p = strchr(devname, '.');
++ p = strrchr(devname, '.');
+ if (!p) {
+ kfree(devname);
+ return ERR_PTR(-EINVAL);
+--
+2.19.1
+
--- /dev/null
+From e368bf484b807a8f543f31858af9f6dda46e0c74 Mon Sep 17 00:00:00 2001
+From: Bhadram Varka <vbhadram@nvidia.com>
+Date: Fri, 27 Oct 2017 08:22:02 +0530
+Subject: stmmac: copy unicast mac address to MAC registers
+
+[ Upstream commit a830405ee452ddc4101c3c9334e6fedd42c6b357 ]
+
+Currently stmmac driver not copying the valid ethernet
+MAC address to MAC registers. This patch takes care
+of updating the MAC register with MAC address.
+
+Signed-off-by: Bhadram Varka <vbhadram@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/stmmac_main.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 7bba30f24135..059113dce6e0 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2529,6 +2529,20 @@ static int stmmac_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
+ return ret;
+ }
+
++static int stmmac_set_mac_address(struct net_device *ndev, void *addr)
++{
++ struct stmmac_priv *priv = netdev_priv(ndev);
++ int ret = 0;
++
++ ret = eth_mac_addr(ndev, addr);
++ if (ret)
++ return ret;
++
++ priv->hw->mac->set_umac_addr(priv->hw, ndev->dev_addr, 0);
++
++ return ret;
++}
++
+ #ifdef CONFIG_DEBUG_FS
+ static struct dentry *stmmac_fs_dir;
+
+@@ -2730,7 +2744,7 @@ static const struct net_device_ops stmmac_netdev_ops = {
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+ .ndo_poll_controller = stmmac_poll_controller,
+ #endif
+- .ndo_set_mac_address = eth_mac_addr,
++ .ndo_set_mac_address = stmmac_set_mac_address,
+ };
+
+ /**
+--
+2.19.1
+
--- /dev/null
+From aac1985f1ea02002b2079463b731b798ede2cc2d Mon Sep 17 00:00:00 2001
+From: Winter Wang <wente.wang@nxp.com>
+Date: Wed, 27 Jul 2016 10:03:19 +0800
+Subject: usb: gadget: configfs: add mutex lock before unregister gadget
+
+[ Upstream commit cee51c33f52ebf673a088a428ac0fecc33ab77fa ]
+
+There may be a race condition if f_fs calls unregister_gadget_item in
+ffs_closed() when unregister_gadget is called by UDC store at the same time.
+this leads to a kernel NULL pointer dereference:
+
+[ 310.644928] Unable to handle kernel NULL pointer dereference at virtual address 00000004
+[ 310.645053] init: Service 'adbd' is being killed...
+[ 310.658938] pgd = c9528000
+[ 310.662515] [00000004] *pgd=19451831, *pte=00000000, *ppte=00000000
+[ 310.669702] Internal error: Oops: 817 [#1] PREEMPT SMP ARM
+[ 310.675211] Modules linked in:
+[ 310.678294] CPU: 0 PID: 1537 Comm: ->transport Not tainted 4.1.15-03725-g793404c #2
+[ 310.685958] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+[ 310.692493] task: c8e24200 ti: c945e000 task.ti: c945e000
+[ 310.697911] PC is at usb_gadget_unregister_driver+0xb4/0xd0
+[ 310.703502] LR is at __mutex_lock_slowpath+0x10c/0x16c
+[ 310.708648] pc : [<c075efc0>] lr : [<c0bfb0bc>] psr: 600f0113
+<snip..>
+[ 311.565585] [<c075efc0>] (usb_gadget_unregister_driver) from [<c075e2b8>] (unregister_gadget_item+0x1c/0x34)
+[ 311.575426] [<c075e2b8>] (unregister_gadget_item) from [<c076fcc8>] (ffs_closed+0x8c/0x9c)
+[ 311.583702] [<c076fcc8>] (ffs_closed) from [<c07736b8>] (ffs_data_reset+0xc/0xa0)
+[ 311.591194] [<c07736b8>] (ffs_data_reset) from [<c07738ac>] (ffs_data_closed+0x90/0xd0)
+[ 311.599208] [<c07738ac>] (ffs_data_closed) from [<c07738f8>] (ffs_ep0_release+0xc/0x14)
+[ 311.607224] [<c07738f8>] (ffs_ep0_release) from [<c023e030>] (__fput+0x80/0x1d0)
+[ 311.614635] [<c023e030>] (__fput) from [<c014e688>] (task_work_run+0xb0/0xe8)
+[ 311.621788] [<c014e688>] (task_work_run) from [<c010afdc>] (do_work_pending+0x7c/0xa4)
+[ 311.629718] [<c010afdc>] (do_work_pending) from [<c010770c>] (work_pending+0xc/0x20)
+
+for functions using functionFS, i.e. android adbd will close /dev/usb-ffs/adb/ep0
+when usb IO thread fails, but switch adb from on to off also triggers write
+"none" > UDC. These 2 operations both call unregister_gadget, which will lead
+to the panic above.
+
+add a mutex before calling unregister_gadget for api used in f_fs.
+
+Signed-off-by: Winter Wang <wente.wang@nxp.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/configfs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
+index 6abb6a10ee82..d412e234f336 100644
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -1496,7 +1496,9 @@ void unregister_gadget_item(struct config_item *item)
+ {
+ struct gadget_info *gi = to_gadget_info(item);
+
++ mutex_lock(&gi->lock);
+ unregister_gadget(gi);
++ mutex_unlock(&gi->lock);
+ }
+ EXPORT_SYMBOL_GPL(unregister_gadget_item);
+
+--
+2.19.1
+
--- /dev/null
+From b3731b5141c6e152890acb6ee9fa11a2b0d22062 Mon Sep 17 00:00:00 2001
+From: Xerox Lin <xerox_lin@htc.com>
+Date: Wed, 29 Jun 2016 14:34:21 +0530
+Subject: usb: gadget: rndis: free response queue during REMOTE_NDIS_RESET_MSG
+
+[ Upstream commit 207707d8fd48ebc977fb2b2794004a020e1ee08e ]
+
+When rndis data transfer is in progress, some Windows7 Host PC is not
+sending the GET_ENCAPSULATED_RESPONSE command for receiving the response
+for the previous SEND_ENCAPSULATED_COMMAND processed.
+
+The rndis function driver appends each response for the
+SEND_ENCAPSULATED_COMMAND in a queue. As the above process got corrupted,
+the Host sends a REMOTE_NDIS_RESET_MSG command to do a soft-reset.
+As the rndis response queue is not freed, the previous response is sent
+as a part of this REMOTE_NDIS_RESET_MSG's reset response and the Host
+block any more Rndis transfers.
+
+Hence free the rndis response queue as a part of this soft-reset so that
+the correct response for REMOTE_NDIS_RESET_MSG is sent properly during the
+response command.
+
+Signed-off-by: Rajkumar Raghupathy <raghup@codeaurora.org>
+Signed-off-by: Xerox Lin <xerox_lin@htc.com>
+[AmitP: Cherry-picked this patch and folded other relevant
+ fixes from Android common kernel android-4.4]
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/rndis.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/usb/gadget/function/rndis.c b/drivers/usb/gadget/function/rndis.c
+index 70d3917cc003..2582db38d6a6 100644
+--- a/drivers/usb/gadget/function/rndis.c
++++ b/drivers/usb/gadget/function/rndis.c
+@@ -680,6 +680,12 @@ static int rndis_reset_response(struct rndis_params *params,
+ {
+ rndis_reset_cmplt_type *resp;
+ rndis_resp_t *r;
++ u8 *xbuf;
++ u32 length;
++
++ /* drain the response queue */
++ while ((xbuf = rndis_get_next_response(params, &length)))
++ rndis_free_response(params, xbuf);
+
+ r = rndis_add_response(params, sizeof(rndis_reset_cmplt_type));
+ if (!r)
+--
+2.19.1
+
--- /dev/null
+From 2b5cec2b9c9f966a917c78c5969ce72353b4d367 Mon Sep 17 00:00:00 2001
+From: Christoffer Dall <christoffer.dall@linaro.org>
+Date: Tue, 3 Jul 2018 17:43:09 +0200
+Subject: video: fbdev: Set pixclock = 0 in goldfishfb
+
+[ Upstream commit ace6033ec5c356615eaa3582fb1946e9eaff6662 ]
+
+User space Android code identifies pixclock == 0 as a sign for emulation
+and will set the frame rate to 60 fps when reading this value, which is
+the desired outcome.
+
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Roman Kiryanov <rkir@google.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/goldfishfb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/goldfishfb.c b/drivers/video/fbdev/goldfishfb.c
+index 14a93cb21310..66d58e93bc32 100644
+--- a/drivers/video/fbdev/goldfishfb.c
++++ b/drivers/video/fbdev/goldfishfb.c
+@@ -234,7 +234,7 @@ static int goldfish_fb_probe(struct platform_device *pdev)
+ fb->fb.var.activate = FB_ACTIVATE_NOW;
+ fb->fb.var.height = readl(fb->reg_base + FB_GET_PHYS_HEIGHT);
+ fb->fb.var.width = readl(fb->reg_base + FB_GET_PHYS_WIDTH);
+- fb->fb.var.pixclock = 10000;
++ fb->fb.var.pixclock = 0;
+
+ fb->fb.var.red.offset = 11;
+ fb->fb.var.red.length = 5;
+--
+2.19.1
+
--- /dev/null
+From 06ebb9e32fe88b5860812cb676c1e0018f43fe42 Mon Sep 17 00:00:00 2001
+From: Christoph Lameter <cl@linux.com>
+Date: Thu, 14 Jan 2016 15:21:40 -0800
+Subject: vmstat: make vmstat_updater deferrable again and shut down on idle
+
+[ Upstream commit 0eb77e9880321915322d42913c3b53241739c8aa ]
+
+Currently the vmstat updater is not deferrable as a result of commit
+ba4877b9ca51 ("vmstat: do not use deferrable delayed work for
+vmstat_update"). This in turn can cause multiple interruptions of the
+applications because the vmstat updater may run at
+
+Make vmstate_update deferrable again and provide a function that folds
+the differentials when the processor is going to idle mode thus
+addressing the issue of the above commit in a clean way.
+
+Note that the shepherd thread will continue scanning the differentials
+from another processor and will reenable the vmstat workers if it
+detects any changes.
+
+Fixes: ba4877b9ca51 ("vmstat: do not use deferrable delayed work for vmstat_update")
+Signed-off-by: Christoph Lameter <cl@linux.com>
+Cc: Michal Hocko <mhocko@suse.cz>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/vmstat.h | 2 ++
+ kernel/sched/idle.c | 1 +
+ mm/vmstat.c | 69 +++++++++++++++++++++++++++---------------
+ 3 files changed, 47 insertions(+), 25 deletions(-)
+
+diff --git a/include/linux/vmstat.h b/include/linux/vmstat.h
+index 3e5d9075960f..73fae8c4a5fb 100644
+--- a/include/linux/vmstat.h
++++ b/include/linux/vmstat.h
+@@ -189,6 +189,7 @@ extern void __inc_zone_state(struct zone *, enum zone_stat_item);
+ extern void dec_zone_state(struct zone *, enum zone_stat_item);
+ extern void __dec_zone_state(struct zone *, enum zone_stat_item);
+
++void quiet_vmstat(void);
+ void cpu_vm_stats_fold(int cpu);
+ void refresh_zone_stat_thresholds(void);
+
+@@ -249,6 +250,7 @@ static inline void __dec_zone_page_state(struct page *page,
+
+ static inline void refresh_zone_stat_thresholds(void) { }
+ static inline void cpu_vm_stats_fold(int cpu) { }
++static inline void quiet_vmstat(void) { }
+
+ static inline void drain_zonestat(struct zone *zone,
+ struct per_cpu_pageset *pset) { }
+diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c
+index bfd573122e0d..306a859b36f0 100644
+--- a/kernel/sched/idle.c
++++ b/kernel/sched/idle.c
+@@ -219,6 +219,7 @@ static void cpu_idle_loop(void)
+ */
+
+ __current_set_polling();
++ quiet_vmstat();
+ tick_nohz_idle_enter();
+
+ while (!need_resched()) {
+diff --git a/mm/vmstat.c b/mm/vmstat.c
+index a2d70ef74db7..6af9bbad94c7 100644
+--- a/mm/vmstat.c
++++ b/mm/vmstat.c
+@@ -460,7 +460,7 @@ static int fold_diff(int *diff)
+ *
+ * The function returns the number of global counters updated.
+ */
+-static int refresh_cpu_vm_stats(void)
++static int refresh_cpu_vm_stats(bool do_pagesets)
+ {
+ struct zone *zone;
+ int i;
+@@ -484,33 +484,35 @@ static int refresh_cpu_vm_stats(void)
+ #endif
+ }
+ }
+- cond_resched();
+ #ifdef CONFIG_NUMA
+- /*
+- * Deal with draining the remote pageset of this
+- * processor
+- *
+- * Check if there are pages remaining in this pageset
+- * if not then there is nothing to expire.
+- */
+- if (!__this_cpu_read(p->expire) ||
++ if (do_pagesets) {
++ cond_resched();
++ /*
++ * Deal with draining the remote pageset of this
++ * processor
++ *
++ * Check if there are pages remaining in this pageset
++ * if not then there is nothing to expire.
++ */
++ if (!__this_cpu_read(p->expire) ||
+ !__this_cpu_read(p->pcp.count))
+- continue;
++ continue;
+
+- /*
+- * We never drain zones local to this processor.
+- */
+- if (zone_to_nid(zone) == numa_node_id()) {
+- __this_cpu_write(p->expire, 0);
+- continue;
+- }
++ /*
++ * We never drain zones local to this processor.
++ */
++ if (zone_to_nid(zone) == numa_node_id()) {
++ __this_cpu_write(p->expire, 0);
++ continue;
++ }
+
+- if (__this_cpu_dec_return(p->expire))
+- continue;
++ if (__this_cpu_dec_return(p->expire))
++ continue;
+
+- if (__this_cpu_read(p->pcp.count)) {
+- drain_zone_pages(zone, this_cpu_ptr(&p->pcp));
+- changes++;
++ if (__this_cpu_read(p->pcp.count)) {
++ drain_zone_pages(zone, this_cpu_ptr(&p->pcp));
++ changes++;
++ }
+ }
+ #endif
+ }
+@@ -1393,7 +1395,7 @@ static cpumask_var_t cpu_stat_off;
+
+ static void vmstat_update(struct work_struct *w)
+ {
+- if (refresh_cpu_vm_stats()) {
++ if (refresh_cpu_vm_stats(true)) {
+ /*
+ * Counters were updated so we expect more updates
+ * to occur in the future. Keep on running the
+@@ -1424,6 +1426,23 @@ static void vmstat_update(struct work_struct *w)
+ }
+ }
+
++/*
++ * Switch off vmstat processing and then fold all the remaining differentials
++ * until the diffs stay at zero. The function is used by NOHZ and can only be
++ * invoked when tick processing is not active.
++ */
++void quiet_vmstat(void)
++{
++ if (system_state != SYSTEM_RUNNING)
++ return;
++
++ do {
++ if (!cpumask_test_and_set_cpu(smp_processor_id(), cpu_stat_off))
++ cancel_delayed_work(this_cpu_ptr(&vmstat_work));
++
++ } while (refresh_cpu_vm_stats(false));
++}
++
+ /*
+ * Check if the diffs for a certain cpu indicate that
+ * an update is needed.
+@@ -1456,7 +1475,7 @@ static bool need_update(int cpu)
+ */
+ static void vmstat_shepherd(struct work_struct *w);
+
+-static DECLARE_DELAYED_WORK(shepherd, vmstat_shepherd);
++static DECLARE_DEFERRABLE_WORK(shepherd, vmstat_shepherd);
+
+ static void vmstat_shepherd(struct work_struct *w)
+ {
+--
+2.19.1
+
--- /dev/null
+From 7ad1b3cfd1989edaa716a4bf979a5396a77a5a15 Mon Sep 17 00:00:00 2001
+From: Tahsin Erdogan <tahsin@google.com>
+Date: Tue, 16 Feb 2016 13:34:39 -0800
+Subject: writeback: initialize inode members that track writeback history
+
+[ Upstream commit 3d65ae4634ed8350aee98a4e6f4e41fe40c7d282 ]
+
+inode struct members that track cgroup writeback information
+should be reinitialized when inode gets allocated from
+kmem_cache. Otherwise, their values remain and get used by the
+new inode.
+
+Signed-off-by: Tahsin Erdogan <tahsin@google.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Fixes: d10c80955265 ("writeback: implement foreign cgroup inode bdi_writeback switching")
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/inode.c b/fs/inode.c
+index a39c2724d8a0..b5c3a6473aaa 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -154,6 +154,12 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
+ inode->i_rdev = 0;
+ inode->dirtied_when = 0;
+
++#ifdef CONFIG_CGROUP_WRITEBACK
++ inode->i_wb_frn_winner = 0;
++ inode->i_wb_frn_avg_time = 0;
++ inode->i_wb_frn_history = 0;
++#endif
++
+ if (security_inode_alloc(inode))
+ goto out;
+ spin_lock_init(&inode->i_lock);
+--
+2.19.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
