4.7-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 22 Sep 2016 13:33:39 +0000 (15:33 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 22 Sep 2016 13:33:39 +0000 (15:33 +0200)
added patches:
ahci-disable-correct-irq-for-dummy-ports.patch
arm-am43xx-hwmod-fix-rstst-register-offset-for-pruss.patch
arm-dts-armada-388-clearfog-number-lan-ports-properly.patch
arm-dts-imx6qdl-fix-spdif-regression.patch
arm-dts-kirkwood-fix-pcie-label-on-openrd.patch
arm-dts-overo-fix-gpmc-nand-cs0-range.patch
arm-dts-overo-fix-gpmc-nand-on-boards-with-ethernet.patch
arm-dts-rockchip-add-reset-node-for-the-exist-saradc-socs.patch
arm-dts-stih407-family-provide-interconnect-clock-for-consumption-in-st-sdhci.patch
arm-dts-stih410-handle-interconnect-clock-required-by-ehci-ohci-usb.patch
arm-imx6-add-missing-bm_clpcr_byp_mmdc_ch0_lpm_hs-setting-for-imx6ul.patch
arm-imx6-add-missing-bm_clpcr_bypass_pmic_ready-setting-for-imx6sx.patch
arm-kirkwood-ib62x0-fix-size-of-u-boot-environment-partition.patch
arm-omap3-hwmod-data-add-sysc-information-for-dsi.patch
arm64-spinlocks-implement-smp_mb__before_spinlock-as-smp_mb.patch
ath9k-bring-back-direction-setting-in-ath9k_-start_stop.patch
ath9k-fix-using-sta-drv_priv-before-initializing-it.patch
audit-fix-exe_file-access-in-audit_exe_compare.patch
brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg80211_start_ap.patch
btrfs-remove-root_log_ctx-from-ctx-list-before-btrfs_sync_log-returns.patch
bus-arm-ccn-do-not-attempt-to-configure-xps-for-cycle-counter.patch
bus-arm-ccn-fix-pmu-handling-of-mn.patch
bus-arm-ccn-fix-xp-watchpoint-settings-bitmask.patch
cpuset-make-sure-new-tasks-conform-to-the-current-config-of-the-cpuset.patch
crypto-cryptd-initialize-child-shash_desc-on-import.patch
cxl-use-pcibios_free_controller_deferred-when-removing-vphbs.patch
devpts-return-null-pts-priv-entry-for-non-devpts-nodes.patch
dm-crypt-fix-error-with-too-large-bios.patch
dm-crypt-fix-free-of-bad-values-after-tfm-allocation-failure.patch
dm-flakey-fix-reads-to-be-issued-if-drop_writes-configured.patch
dm-log-writes-fix-check-of-kthread_run-return-value.patch
dm-log-writes-move-io-accounting-earlier-to-fix-error-path.patch
efi-libstub-allocate-headspace-in-efi_get_memory_map.patch
efi-libstub-introduce-exitbootservices-helper.patch
efi-libstub-use-efi_exit_boot_services-in-fdt.patch
efi-make-for_each_efi_memory_desc_in_map-cope-with-running-on-xen.patch
fuse-direct-io-don-t-dirty-iter_bvec-pages.patch
ib-hfi1-ib-qib-fix-qp_stats-sleep-with-rcu-read-lock-held.patch
ib-hfi1-reset-qsfp-on-every-run-through-channel-tuning.patch
ib-uverbs-fix-race-between-uverbs_close-and-remove_one.patch
iio-accel-bmc150-reset-chip-at-init-time.patch
iio-accel-kxsd9-fix-raw-read-return.patch
iio-accel-kxsd9-fix-scaling-bug.patch
iio-ad799x-fix-buffered-capture-for-ad7991-ad7995-ad7999.patch
iio-adc-at91-unbreak-channel-adc-channel-3.patch
iio-adc-rockchip_saradc-reset-saradc-controller-before-programming-it.patch
iio-adc-ti_am335x_adc-increase-timeout-value-waiting-for-adc-sample.patch
iio-adc-ti_am335x_adc-protect-fifo1-from-concurrent-access.patch
iio-core-fix-iio_val_fractional-sign-handling.patch
iio-ensure-ret-is-initialized-to-zero-before-entering-do-loop.patch
iio-fix-pressure-data-output-unit-in-hid-sensor-attributes.patch
iio-humidity-am2315-set-up-buffer-timestamps-for-non-zero-values.patch
iio-humidity-hdc100x-fix-sensor-data-reads-of-temp-and-humidity.patch
iio-proximity-as3935-set-up-buffer-timestamps-for-non-zero-values.patch
iio-sw-trigger-fix-config-group-initialization.patch
iio-ti-ads1015-fix-a-wrong-pointer-definition.patch
ipv6-don-t-unset-flowi6_proto-in-ipxip6_tnl_xmit.patch
kernfs-don-t-depend-on-d_find_any_alias-when-generating-notifications.patch
kexec-fix-double-free-when-failing-to-relocate-the-purgatory.patch
kvm-arm-unmap-shadow-pagetables-properly.patch
kvm-s390-don-t-use-current-thread.fpu.-when-accessing-registers.patch
kvm-x86-correctly-reset-dest_map-vector-when-restoring-lapic-state.patch
md-cluster-make-md-cluster-also-can-work-when-compiled-into-kernel.patch
memory-omap-gpmc-allow-probe-of-child-nodes-to-fail.patch
mm-fix-cache-mode-of-dax-pmd-mappings.patch
mm-introduce-get_task_exe_file.patch
mm-mempolicy-task-mempolicy-must-be-null-before-dropping-final-reference.patch
mm-oom-prevent-premature-oom-killer-invocation-for-high-order-request.patch
net-macb-correct-caps-mask.patch
net-thunderx-fix-oops-with-ethtool-register-dump.patch
nfsd-close-race-between-nfsd4_release_lockowner-and-nfsd4_lock.patch
nfsv4.1-fix-oopsable-condition-in-server-callback-races.patch
nfsv4.1-fix-the-create_session-slot-number-accounting.patch
nfsv4.x-fix-a-refcount-leak-in-nfs_callback_up_net.patch
perf-x86-amd-make-hw_cache_references-and-hw_cache_misses-measure-l2.patch
perf-x86-intel-cqm-check-cqm-mbm-enabled-state-in-event-init.patch
perf-x86-intel-fix-pebsv3-record-drain.patch
perf-x86-intel-pt-do-validate-the-size-of-a-kernel-address-filter.patch
perf-x86-intel-pt-fix-an-off-by-one-in-address-filter-configuration.patch
perf-x86-intel-pt-fix-kernel-address-filter-s-offset-validation.patch
pinctrl-pistachio-fix-mfio-pll_lock-pinmux.patch
pinctrl-sunxi-fix-uart1-cts-rts-pins-at-pg-on-a23-a33.patch
pnfs-ensure-layoutget-and-layoutreturn-are-properly-serialised.patch
pnfs-flexfiles-fix-an-oopsable-condition-when-connection-to-the-ds-fails.patch
pnfs-the-client-must-not-do-i-o-to-the-ds-if-it-s-lease-has-expired.patch
powerpc-mm-don-t-alias-user-region-to-other-regions-below-page_offset.patch
powerpc-powernv-drop-reference-added-by-kset_find_obj.patch
powerpc-powernv-fix-corrupted-pe-allocation-bitmap-on-releasing-pe.patch
powerpc-sysdev-cpm-fix-gpio-save_regs-functions.patch
powerpc-tm-do-not-use-r13-for-tabort_syscall.patch
rapidio-tsi721-fix-incorrect-detection-of-address-translation-condition.patch
revert-wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch
sched-core-fix-a-race-between-try_to_wake_up-and-a-woken-up-task.patch
serial-8250-added-acces-i-o-products-quad-and-octal-serial-cards.patch
serial-8250_mid-fix-divide-error-bug-if-baud-rate-is-0.patch
usb-change-binterval-default-to-10-ms.patch
usb-chipidea-udc-fix-null-ptr-dereference-in-isr_setup_status_phase.patch
usb-gadget-udc-renesas-usb3-clear-vbout-bit-in-drd_con.patch
usb-renesas_usbhs-fix-clearing-the-brdy-bemp-sts-condition.patch
usb-serial-simple-add-support-for-another-infineon-flashloader.patch
x86-amd-apply-erratum-665-on-machines-without-a-bios-fix.patch
x86-efi-use-efi_exit_boot_services.patch
x86-paravirt-do-not-trace-_paravirt_ident_-functions.patch
xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch

105 files changed:
queue-4.7/ahci-disable-correct-irq-for-dummy-ports.patch [new file with mode: 0644]
queue-4.7/arm-am43xx-hwmod-fix-rstst-register-offset-for-pruss.patch [new file with mode: 0644]
queue-4.7/arm-dts-armada-388-clearfog-number-lan-ports-properly.patch [new file with mode: 0644]
queue-4.7/arm-dts-imx6qdl-fix-spdif-regression.patch [new file with mode: 0644]
queue-4.7/arm-dts-kirkwood-fix-pcie-label-on-openrd.patch [new file with mode: 0644]
queue-4.7/arm-dts-overo-fix-gpmc-nand-cs0-range.patch [new file with mode: 0644]
queue-4.7/arm-dts-overo-fix-gpmc-nand-on-boards-with-ethernet.patch [new file with mode: 0644]
queue-4.7/arm-dts-rockchip-add-reset-node-for-the-exist-saradc-socs.patch [new file with mode: 0644]
queue-4.7/arm-dts-stih407-family-provide-interconnect-clock-for-consumption-in-st-sdhci.patch [new file with mode: 0644]
queue-4.7/arm-dts-stih410-handle-interconnect-clock-required-by-ehci-ohci-usb.patch [new file with mode: 0644]
queue-4.7/arm-imx6-add-missing-bm_clpcr_byp_mmdc_ch0_lpm_hs-setting-for-imx6ul.patch [new file with mode: 0644]
queue-4.7/arm-imx6-add-missing-bm_clpcr_bypass_pmic_ready-setting-for-imx6sx.patch [new file with mode: 0644]
queue-4.7/arm-kirkwood-ib62x0-fix-size-of-u-boot-environment-partition.patch [new file with mode: 0644]
queue-4.7/arm-omap3-hwmod-data-add-sysc-information-for-dsi.patch [new file with mode: 0644]
queue-4.7/arm64-spinlocks-implement-smp_mb__before_spinlock-as-smp_mb.patch [new file with mode: 0644]
queue-4.7/ath9k-bring-back-direction-setting-in-ath9k_-start_stop.patch [new file with mode: 0644]
queue-4.7/ath9k-fix-using-sta-drv_priv-before-initializing-it.patch [new file with mode: 0644]
queue-4.7/audit-fix-exe_file-access-in-audit_exe_compare.patch [new file with mode: 0644]
queue-4.7/brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg80211_start_ap.patch [new file with mode: 0644]
queue-4.7/btrfs-remove-root_log_ctx-from-ctx-list-before-btrfs_sync_log-returns.patch [new file with mode: 0644]
queue-4.7/bus-arm-ccn-do-not-attempt-to-configure-xps-for-cycle-counter.patch [new file with mode: 0644]
queue-4.7/bus-arm-ccn-fix-pmu-handling-of-mn.patch [new file with mode: 0644]
queue-4.7/bus-arm-ccn-fix-xp-watchpoint-settings-bitmask.patch [new file with mode: 0644]
queue-4.7/cpuset-make-sure-new-tasks-conform-to-the-current-config-of-the-cpuset.patch [new file with mode: 0644]
queue-4.7/crypto-cryptd-initialize-child-shash_desc-on-import.patch [new file with mode: 0644]
queue-4.7/cxl-use-pcibios_free_controller_deferred-when-removing-vphbs.patch [new file with mode: 0644]
queue-4.7/devpts-return-null-pts-priv-entry-for-non-devpts-nodes.patch [new file with mode: 0644]
queue-4.7/dm-crypt-fix-error-with-too-large-bios.patch [new file with mode: 0644]
queue-4.7/dm-crypt-fix-free-of-bad-values-after-tfm-allocation-failure.patch [new file with mode: 0644]
queue-4.7/dm-flakey-fix-reads-to-be-issued-if-drop_writes-configured.patch [new file with mode: 0644]
queue-4.7/dm-log-writes-fix-check-of-kthread_run-return-value.patch [new file with mode: 0644]
queue-4.7/dm-log-writes-move-io-accounting-earlier-to-fix-error-path.patch [new file with mode: 0644]
queue-4.7/efi-libstub-allocate-headspace-in-efi_get_memory_map.patch [new file with mode: 0644]
queue-4.7/efi-libstub-introduce-exitbootservices-helper.patch [new file with mode: 0644]
queue-4.7/efi-libstub-use-efi_exit_boot_services-in-fdt.patch [new file with mode: 0644]
queue-4.7/efi-make-for_each_efi_memory_desc_in_map-cope-with-running-on-xen.patch [new file with mode: 0644]
queue-4.7/fuse-direct-io-don-t-dirty-iter_bvec-pages.patch [new file with mode: 0644]
queue-4.7/ib-hfi1-ib-qib-fix-qp_stats-sleep-with-rcu-read-lock-held.patch [new file with mode: 0644]
queue-4.7/ib-hfi1-reset-qsfp-on-every-run-through-channel-tuning.patch [new file with mode: 0644]
queue-4.7/ib-uverbs-fix-race-between-uverbs_close-and-remove_one.patch [new file with mode: 0644]
queue-4.7/iio-accel-bmc150-reset-chip-at-init-time.patch [new file with mode: 0644]
queue-4.7/iio-accel-kxsd9-fix-raw-read-return.patch [new file with mode: 0644]
queue-4.7/iio-accel-kxsd9-fix-scaling-bug.patch [new file with mode: 0644]
queue-4.7/iio-ad799x-fix-buffered-capture-for-ad7991-ad7995-ad7999.patch [new file with mode: 0644]
queue-4.7/iio-adc-at91-unbreak-channel-adc-channel-3.patch [new file with mode: 0644]
queue-4.7/iio-adc-rockchip_saradc-reset-saradc-controller-before-programming-it.patch [new file with mode: 0644]
queue-4.7/iio-adc-ti_am335x_adc-increase-timeout-value-waiting-for-adc-sample.patch [new file with mode: 0644]
queue-4.7/iio-adc-ti_am335x_adc-protect-fifo1-from-concurrent-access.patch [new file with mode: 0644]
queue-4.7/iio-core-fix-iio_val_fractional-sign-handling.patch [new file with mode: 0644]
queue-4.7/iio-ensure-ret-is-initialized-to-zero-before-entering-do-loop.patch [new file with mode: 0644]
queue-4.7/iio-fix-pressure-data-output-unit-in-hid-sensor-attributes.patch [new file with mode: 0644]
queue-4.7/iio-humidity-am2315-set-up-buffer-timestamps-for-non-zero-values.patch [new file with mode: 0644]
queue-4.7/iio-humidity-hdc100x-fix-sensor-data-reads-of-temp-and-humidity.patch [new file with mode: 0644]
queue-4.7/iio-proximity-as3935-set-up-buffer-timestamps-for-non-zero-values.patch [new file with mode: 0644]
queue-4.7/iio-sw-trigger-fix-config-group-initialization.patch [new file with mode: 0644]
queue-4.7/iio-ti-ads1015-fix-a-wrong-pointer-definition.patch [new file with mode: 0644]
queue-4.7/ipv6-don-t-unset-flowi6_proto-in-ipxip6_tnl_xmit.patch [new file with mode: 0644]
queue-4.7/kernfs-don-t-depend-on-d_find_any_alias-when-generating-notifications.patch [new file with mode: 0644]
queue-4.7/kexec-fix-double-free-when-failing-to-relocate-the-purgatory.patch [new file with mode: 0644]
queue-4.7/kvm-arm-unmap-shadow-pagetables-properly.patch [new file with mode: 0644]
queue-4.7/kvm-s390-don-t-use-current-thread.fpu.-when-accessing-registers.patch [new file with mode: 0644]
queue-4.7/kvm-x86-correctly-reset-dest_map-vector-when-restoring-lapic-state.patch [new file with mode: 0644]
queue-4.7/md-cluster-make-md-cluster-also-can-work-when-compiled-into-kernel.patch [new file with mode: 0644]
queue-4.7/memory-omap-gpmc-allow-probe-of-child-nodes-to-fail.patch [new file with mode: 0644]
queue-4.7/mm-fix-cache-mode-of-dax-pmd-mappings.patch [new file with mode: 0644]
queue-4.7/mm-introduce-get_task_exe_file.patch [new file with mode: 0644]
queue-4.7/mm-mempolicy-task-mempolicy-must-be-null-before-dropping-final-reference.patch [new file with mode: 0644]
queue-4.7/mm-oom-prevent-premature-oom-killer-invocation-for-high-order-request.patch [new file with mode: 0644]
queue-4.7/net-macb-correct-caps-mask.patch [new file with mode: 0644]
queue-4.7/net-thunderx-fix-oops-with-ethtool-register-dump.patch [new file with mode: 0644]
queue-4.7/nfsd-close-race-between-nfsd4_release_lockowner-and-nfsd4_lock.patch [new file with mode: 0644]
queue-4.7/nfsv4.1-fix-oopsable-condition-in-server-callback-races.patch [new file with mode: 0644]
queue-4.7/nfsv4.1-fix-the-create_session-slot-number-accounting.patch [new file with mode: 0644]
queue-4.7/nfsv4.x-fix-a-refcount-leak-in-nfs_callback_up_net.patch [new file with mode: 0644]
queue-4.7/perf-x86-amd-make-hw_cache_references-and-hw_cache_misses-measure-l2.patch [new file with mode: 0644]
queue-4.7/perf-x86-intel-cqm-check-cqm-mbm-enabled-state-in-event-init.patch [new file with mode: 0644]
queue-4.7/perf-x86-intel-fix-pebsv3-record-drain.patch [new file with mode: 0644]
queue-4.7/perf-x86-intel-pt-do-validate-the-size-of-a-kernel-address-filter.patch [new file with mode: 0644]
queue-4.7/perf-x86-intel-pt-fix-an-off-by-one-in-address-filter-configuration.patch [new file with mode: 0644]
queue-4.7/perf-x86-intel-pt-fix-kernel-address-filter-s-offset-validation.patch [new file with mode: 0644]
queue-4.7/pinctrl-pistachio-fix-mfio-pll_lock-pinmux.patch [new file with mode: 0644]
queue-4.7/pinctrl-sunxi-fix-uart1-cts-rts-pins-at-pg-on-a23-a33.patch [new file with mode: 0644]
queue-4.7/pnfs-ensure-layoutget-and-layoutreturn-are-properly-serialised.patch [new file with mode: 0644]
queue-4.7/pnfs-flexfiles-fix-an-oopsable-condition-when-connection-to-the-ds-fails.patch [new file with mode: 0644]
queue-4.7/pnfs-the-client-must-not-do-i-o-to-the-ds-if-it-s-lease-has-expired.patch [new file with mode: 0644]
queue-4.7/powerpc-mm-don-t-alias-user-region-to-other-regions-below-page_offset.patch [new file with mode: 0644]
queue-4.7/powerpc-powernv-drop-reference-added-by-kset_find_obj.patch [new file with mode: 0644]
queue-4.7/powerpc-powernv-fix-corrupted-pe-allocation-bitmap-on-releasing-pe.patch [new file with mode: 0644]
queue-4.7/powerpc-sysdev-cpm-fix-gpio-save_regs-functions.patch [new file with mode: 0644]
queue-4.7/powerpc-tm-do-not-use-r13-for-tabort_syscall.patch [new file with mode: 0644]
queue-4.7/rapidio-tsi721-fix-incorrect-detection-of-address-translation-condition.patch [new file with mode: 0644]
queue-4.7/revert-wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch [new file with mode: 0644]
queue-4.7/sched-core-fix-a-race-between-try_to_wake_up-and-a-woken-up-task.patch [new file with mode: 0644]
queue-4.7/serial-8250-added-acces-i-o-products-quad-and-octal-serial-cards.patch [new file with mode: 0644]
queue-4.7/serial-8250_mid-fix-divide-error-bug-if-baud-rate-is-0.patch [new file with mode: 0644]
queue-4.7/series
queue-4.7/usb-change-binterval-default-to-10-ms.patch [new file with mode: 0644]
queue-4.7/usb-chipidea-udc-fix-null-ptr-dereference-in-isr_setup_status_phase.patch [new file with mode: 0644]
queue-4.7/usb-gadget-udc-renesas-usb3-clear-vbout-bit-in-drd_con.patch [new file with mode: 0644]
queue-4.7/usb-renesas_usbhs-fix-clearing-the-brdy-bemp-sts-condition.patch [new file with mode: 0644]
queue-4.7/usb-serial-simple-add-support-for-another-infineon-flashloader.patch [new file with mode: 0644]
queue-4.7/x86-amd-apply-erratum-665-on-machines-without-a-bios-fix.patch [new file with mode: 0644]
queue-4.7/x86-efi-use-efi_exit_boot_services.patch [new file with mode: 0644]
queue-4.7/x86-paravirt-do-not-trace-_paravirt_ident_-functions.patch [new file with mode: 0644]
queue-4.7/xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch [new file with mode: 0644]

diff --git a/queue-4.7/ahci-disable-correct-irq-for-dummy-ports.patch b/queue-4.7/ahci-disable-correct-irq-for-dummy-ports.patch
new file mode 100644 (file)
index 0000000..053bdef
--- /dev/null
@@ -0,0 +1,32 @@
+From 9b4b3f6a062b22550e62523efe5213776cdd426b Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Thu, 11 Aug 2016 07:26:01 -0700
+Subject: ahci: disable correct irq for dummy ports
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 9b4b3f6a062b22550e62523efe5213776cdd426b upstream.
+
+irq already contains the interrupt number for the port, don't add the
+port index to it.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Fixes: d684a90d38e2 ("ahci: per-port msix support")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libahci.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/libahci.c
++++ b/drivers/ata/libahci.c
+@@ -2516,7 +2516,7 @@ static int ahci_host_activate_multi_irqs
+               /* Do not receive interrupts sent by dummy ports */
+               if (!pp) {
+-                      disable_irq(irq + i);
++                      disable_irq(irq);
+                       continue;
+               }
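Review bot: The corrected call `disable_irq(irq);` in the dummy-port branch is only right if `irq` already holds this port's interrupt number, and nothing in the visible lines records that; the commit message states it, but the assignment of `irq` lies outside the hunk and cannot be confirmed from here. I would extend the existing comment to `/* Do not receive interrupts sent by dummy ports; irq is already this port's interrupt, do not add i */`. With the old `irq + i` the call would presumably have disabled a different interrupt line and left the dummy port's line enabled, so the invariant is worth keeping next to the call. The body of ahci_host_activate_multi_irqs starts and ends outside the hunk.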
diff --git a/queue-4.7/arm-am43xx-hwmod-fix-rstst-register-offset-for-pruss.patch b/queue-4.7/arm-am43xx-hwmod-fix-rstst-register-offset-for-pruss.patch
new file mode 100644 (file)
index 0000000..e015990
--- /dev/null
@@ -0,0 +1,44 @@
+From b00ccf5b684992829610d162e78a7836933a1b19 Mon Sep 17 00:00:00 2001
+From: Keerthy <j-keerthy@ti.com>
+Date: Mon, 20 Jun 2016 09:22:25 +0530
+Subject: ARM: AM43XX: hwmod: Fix RSTST register offset for pruss
+
+From: Keerthy <j-keerthy@ti.com>
+
+commit b00ccf5b684992829610d162e78a7836933a1b19 upstream.
+
+pruss hwmod RSTST register wrongly points to PWRSTCTRL register in case of
+am43xx. Fix the RSTST register offset value.
+
+This can lead to setting of wrong power state values for PER domain.
+
+Fixes: 1c7e224d ("ARM: OMAP2+: hwmod: AM335x: runtime register update")
+Signed-off-by: Keerthy <j-keerthy@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c |    1 +
+ arch/arm/mach-omap2/prcm43xx.h                          |    1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c
++++ b/arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c
+@@ -1476,6 +1476,7 @@ static void omap_hwmod_am43xx_rst(void)
+ {
+       RSTCTRL(am33xx_pruss_hwmod, AM43XX_RM_PER_RSTCTRL_OFFSET);
+       RSTCTRL(am33xx_gfx_hwmod, AM43XX_RM_GFX_RSTCTRL_OFFSET);
++      RSTST(am33xx_pruss_hwmod, AM43XX_RM_PER_RSTST_OFFSET);
+       RSTST(am33xx_gfx_hwmod, AM43XX_RM_GFX_RSTST_OFFSET);
+ }
+--- a/arch/arm/mach-omap2/prcm43xx.h
++++ b/arch/arm/mach-omap2/prcm43xx.h
+@@ -39,6 +39,7 @@
+ /* RM RSTST offsets */
+ #define AM43XX_RM_GFX_RSTST_OFFSET                    0x0014
++#define AM43XX_RM_PER_RSTST_OFFSET                    0x0014
+ #define AM43XX_RM_WKUP_RSTST_OFFSET                   0x0014
+ /* CM instances */
diff --git a/queue-4.7/arm-dts-armada-388-clearfog-number-lan-ports-properly.patch b/queue-4.7/arm-dts-armada-388-clearfog-number-lan-ports-properly.patch
new file mode 100644 (file)
index 0000000..49dd441
--- /dev/null
@@ -0,0 +1,70 @@
+From d9fd3c918114cfd3995947339549c7341181efb0 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Fri, 8 Jul 2016 14:58:39 +0100
+Subject: ARM: dts: armada-388-clearfog: number LAN ports properly
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+commit d9fd3c918114cfd3995947339549c7341181efb0 upstream.
+
+Currently, the ports as seen from the rear number as:
+
+       eth0 sfp lan5 lan4 lan3 lan2 lan1 lan6
+
+which is illogical - this came about because the rev 2.0 boards have the
+LEDs on the front for the DSA switch (lan5-1) reversed.  Rev 2.1 boards
+fixed the LED issue, and the Clearfog case numbers the lan ports
+increasing from left to right.
+
+Maintaining this illogical numbering causes confusion, with reports that
+"my link isn't coming up" and "my connection negotiates 10base-Half"
+both of which are due to people thinking that the port next to the SFP
+is lan1.
+
+Fix this by renumbering the ports to match people's expectations.
+
+[gregory.clement@free-electrons.com: added the Fixes and stable tags]
+
+Fixes: 4c945e8556ec ("ARM: dts: Add SolidRun Armada 388 Clearfog A1 DT
+file")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/armada-388-clearfog.dts |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/boot/dts/armada-388-clearfog.dts
++++ b/arch/arm/boot/dts/armada-388-clearfog.dts
+@@ -406,12 +406,12 @@
+                       port@0 {
+                               reg = <0>;
+-                              label = "lan1";
++                              label = "lan5";
+                       };
+                       port@1 {
+                               reg = <1>;
+-                              label = "lan2";
++                              label = "lan4";
+                       };
+                       port@2 {
+@@ -421,12 +421,12 @@
+                       port@3 {
+                               reg = <3>;
+-                              label = "lan4";
++                              label = "lan2";
+                       };
+                       port@4 {
+                               reg = <4>;
+-                              label = "lan5";
++                              label = "lan1";
+                       };
+                       port@5 {
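Review bot: Swapping the `label` values on port@0, port@1, port@3 and port@4 changes which physical socket each lanN name refers to, and nothing in the file documents the mapping. These labels presumably become the network interface names, so any per-interface configuration written against the old names (bridge membership, VLANs, firewall rules) would apply to a different physical port once this stable update is installed; that deserves a mention in the release notes for the backport. I would also add a comment above `port@0 {` such as `/* labels follow the Clearfog case numbering, not the switch port index */` so the order is not "corrected" back later. The port@2 and port@5 nodes continue outside the hunks.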
diff --git a/queue-4.7/arm-dts-imx6qdl-fix-spdif-regression.patch b/queue-4.7/arm-dts-imx6qdl-fix-spdif-regression.patch
new file mode 100644 (file)
index 0000000..4320fc7
--- /dev/null
@@ -0,0 +1,46 @@
+From f065e9e4addd75c21bb976bb2558648bf4f61de6 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <fabio.estevam@nxp.com>
+Date: Wed, 31 Aug 2016 10:56:48 -0300
+Subject: ARM: dts: imx6qdl: Fix SPDIF regression
+
+From: Fabio Estevam <fabio.estevam@nxp.com>
+
+commit f065e9e4addd75c21bb976bb2558648bf4f61de6 upstream.
+
+Commit 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif")
+changed many more clocks than only the SPDIF core clock as stated in
+the commit message.
+
+The MLB clock has been added and this causes SPDIF regression as
+reported by Xavi Drudis Ferran and also in this forum post:
+https://forum.digikey.com/thread/34240
+
+The MX6Q Reference Manual does not mention that MLB is a clock related
+to SPDIF, so change it back to a dummy clock to restore SPDIF
+functionality.
+
+Thanks to Ambika for providing the fix at:
+https://community.nxp.com/thread/387131
+
+Fixes: 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif")
+Reported-by: Xavi Drudis Ferran <xdrudis@tinet.cat>
+Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
+Tested-by:  Xavi Drudis Ferran <xdrudis@tinet.cat>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/imx6qdl.dtsi |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/imx6qdl.dtsi
++++ b/arch/arm/boot/dts/imx6qdl.dtsi
+@@ -242,7 +242,7 @@
+                                       clocks = <&clks IMX6QDL_CLK_SPDIF_GCLK>, <&clks IMX6QDL_CLK_OSC>,
+                                                <&clks IMX6QDL_CLK_SPDIF>, <&clks IMX6QDL_CLK_ASRC>,
+                                                <&clks IMX6QDL_CLK_DUMMY>, <&clks IMX6QDL_CLK_ESAI_EXTAL>,
+-                                               <&clks IMX6QDL_CLK_IPG>, <&clks IMX6QDL_CLK_MLB>,
++                                               <&clks IMX6QDL_CLK_IPG>, <&clks IMX6QDL_CLK_DUMMY>,
+                                                <&clks IMX6QDL_CLK_DUMMY>, <&clks IMX6QDL_CLK_SPBA>;
+                                       clock-names = "core",  "rxtx0",
+                                                     "rxtx1", "rxtx2",
diff --git a/queue-4.7/arm-dts-kirkwood-fix-pcie-label-on-openrd.patch b/queue-4.7/arm-dts-kirkwood-fix-pcie-label-on-openrd.patch
new file mode 100644 (file)
index 0000000..66a552e
--- /dev/null
@@ -0,0 +1,39 @@
+From c721da1d05760ad0b4e7670896dae31b6b07d8d6 Mon Sep 17 00:00:00 2001
+From: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Date: Mon, 22 Aug 2016 18:09:36 +0200
+Subject: ARM: dts: kirkwood: Fix PCIe label on OpenRD
+
+From: Gregory CLEMENT <gregory.clement@free-electrons.com>
+
+commit c721da1d05760ad0b4e7670896dae31b6b07d8d6 upstream.
+
+While converting PCIe node on kirkwood by using label, the following
+commit eb13cf8345e9 ("ARM: dts: kirkwood: Fixup pcie DT warnings")
+introduced a regression on the OpenRD boards: the PCIe didn't work
+anymore. As reported by Aaro Koskinen, the display/framebuffer was
+lost. This commit adds the forgotten label.
+
+Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Tested-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Fixes: eb13cf8345e9 ("ARM: dts: kirkwood: Fixup pcie DT warnings")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/kirkwood-openrd.dtsi |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arm/boot/dts/kirkwood-openrd.dtsi
++++ b/arch/arm/boot/dts/kirkwood-openrd.dtsi
+@@ -116,6 +116,10 @@
+       };
+ };
++&pciec {
++      status = "okay";
++};
++
+ &pcie0 {
+       status = "okay";
+ };
diff --git a/queue-4.7/arm-dts-overo-fix-gpmc-nand-cs0-range.patch b/queue-4.7/arm-dts-overo-fix-gpmc-nand-cs0-range.patch
new file mode 100644 (file)
index 0000000..825ef8a
--- /dev/null
@@ -0,0 +1,39 @@
+From 5e0568dfbfb8c13cdb69c9fd06d600593ad4b430 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 15 Aug 2016 09:10:45 -0700
+Subject: ARM: dts: overo: fix gpmc nand cs0 range
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 5e0568dfbfb8c13cdb69c9fd06d600593ad4b430 upstream.
+
+The gpmc ranges property for NAND at CS0 has been broken since it was
+first added.
+
+This currently prevents the nand gpmc child node from being probed:
+
+       omap-gpmc 6e000000.gpmc: /ocp/gpmc@6e000000/nand@0,0 has
+       malformed 'reg' property
+
+and consequently the NAND device from being registered.
+
+Fixes: 98ce6007efb4 ("ARM: dts: overo: Support PoP NAND")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/omap3-overo-base.dtsi |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/omap3-overo-base.dtsi
++++ b/arch/arm/boot/dts/omap3-overo-base.dtsi
+@@ -223,7 +223,7 @@
+ };
+ &gpmc {
+-      ranges = <0 0 0x00000000 0x20000000>;
++      ranges = <0 0 0x30000000 0x1000000>;    /* CS0 */
+       nand@0,0 {
+               compatible = "ti,omap2-nand";
diff --git a/queue-4.7/arm-dts-overo-fix-gpmc-nand-on-boards-with-ethernet.patch b/queue-4.7/arm-dts-overo-fix-gpmc-nand-on-boards-with-ethernet.patch
new file mode 100644 (file)
index 0000000..00f2e53
--- /dev/null
@@ -0,0 +1,78 @@
+From 153b58ea932b2d0642fa5cd41c93bb0555f3f09b Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 15 Aug 2016 09:10:49 -0700
+Subject: ARM: dts: overo: fix gpmc nand on boards with ethernet
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 153b58ea932b2d0642fa5cd41c93bb0555f3f09b upstream.
+
+The gpmc ranges property for NAND at CS0 was being overridden by later
+includes that defined gpmc ethernet nodes, effectively breaking NAND on
+these systems:
+
+       omap-gpmc 6e000000.gpmc: /ocp/gpmc@6e000000/nand@0,0 has
+       malformed 'reg' property
+
+Instead of redefining the NAND range in every such dtsi, define all
+currently used ranges in omap3-overo-base.dtsi.
+
+Fixes: 98ce6007efb4 ("ARM: dts: overo: Support PoP NAND")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/omap3-overo-base.dtsi              |    4 +++-
+ arch/arm/boot/dts/omap3-overo-chestnut43-common.dtsi |    2 --
+ arch/arm/boot/dts/omap3-overo-tobi-common.dtsi       |    2 --
+ arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi    |    3 ---
+ 4 files changed, 3 insertions(+), 8 deletions(-)
+
+--- a/arch/arm/boot/dts/omap3-overo-base.dtsi
++++ b/arch/arm/boot/dts/omap3-overo-base.dtsi
+@@ -223,7 +223,9 @@
+ };
+ &gpmc {
+-      ranges = <0 0 0x30000000 0x1000000>;    /* CS0 */
++      ranges = <0 0 0x30000000 0x1000000>,    /* CS0 */
++               <4 0 0x2b000000 0x1000000>,    /* CS4 */
++               <5 0 0x2c000000 0x1000000>;    /* CS5 */
+       nand@0,0 {
+               compatible = "ti,omap2-nand";
+--- a/arch/arm/boot/dts/omap3-overo-chestnut43-common.dtsi
++++ b/arch/arm/boot/dts/omap3-overo-chestnut43-common.dtsi
+@@ -55,8 +55,6 @@
+ #include "omap-gpmc-smsc9221.dtsi"
+ &gpmc {
+-      ranges = <5 0 0x2c000000 0x1000000>;    /* CS5 */
+-
+       ethernet@gpmc {
+               reg = <5 0 0xff>;
+               interrupt-parent = <&gpio6>;
+--- a/arch/arm/boot/dts/omap3-overo-tobi-common.dtsi
++++ b/arch/arm/boot/dts/omap3-overo-tobi-common.dtsi
+@@ -27,8 +27,6 @@
+ #include "omap-gpmc-smsc9221.dtsi"
+ &gpmc {
+-      ranges = <5 0 0x2c000000 0x1000000>;    /* CS5 */
+-
+       ethernet@gpmc {
+               reg = <5 0 0xff>;
+               interrupt-parent = <&gpio6>;
+--- a/arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi
++++ b/arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi
+@@ -15,9 +15,6 @@
+ #include "omap-gpmc-smsc9221.dtsi"
+ &gpmc {
+-      ranges = <4 0 0x2b000000 0x1000000>,    /* CS4 */
+-               <5 0 0x2c000000 0x1000000>;    /* CS5 */
+-
+       smsc1: ethernet@gpmc {
+               reg = <5 0 0xff>;
+               interrupt-parent = <&gpio6>;
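Review bot: The three-entry `ranges` added to `&gpmc` in omap3-overo-base.dtsi stays correct only as long as no later include assigns `ranges` in `&gpmc` again, and the file does not say so. According to the commit message that override is what broke NAND on the ethernet boards, so a future expansion dtsi carrying its own `ranges` line would bring the "malformed 'reg' property" failure back. I would add a comment above the property, for example `/* all GPMC chip-selects used by Overo expansion boards; a ranges property in a later &gpmc block replaces this list, so add new windows here */`. The `&gpmc` node bodies continue outside each hunk.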
diff --git a/queue-4.7/arm-dts-rockchip-add-reset-node-for-the-exist-saradc-socs.patch b/queue-4.7/arm-dts-rockchip-add-reset-node-for-the-exist-saradc-socs.patch
new file mode 100644 (file)
index 0000000..c500765
--- /dev/null
@@ -0,0 +1,56 @@
+From 3d4267a5a3a4b7619b80ad1839d8b3bedd8b7a8d Mon Sep 17 00:00:00 2001
+From: Caesar Wang <wxt@rock-chips.com>
+Date: Wed, 27 Jul 2016 22:24:07 +0800
+Subject: arm: dts: rockchip: add reset node for the exist saradc SoCs
+
+From: Caesar Wang <wxt@rock-chips.com>
+
+commit 3d4267a5a3a4b7619b80ad1839d8b3bedd8b7a8d upstream.
+
+SARADC controller needs to be reset before programming it, otherwise
+it will not function properly.
+
+Signed-off-by: Caesar Wang <wxt@rock-chips.com>
+Acked-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/rk3066a.dtsi |    2 ++
+ arch/arm/boot/dts/rk3288.dtsi  |    2 ++
+ arch/arm/boot/dts/rk3xxx.dtsi  |    2 ++
+ 3 files changed, 6 insertions(+)
+
+--- a/arch/arm/boot/dts/rk3066a.dtsi
++++ b/arch/arm/boot/dts/rk3066a.dtsi
+@@ -197,6 +197,8 @@
+               clock-names = "saradc", "apb_pclk";
+               interrupts = <GIC_SPI 21 IRQ_TYPE_LEVEL_HIGH>;
+               #io-channel-cells = <1>;
++              resets = <&cru SRST_SARADC>;
++              reset-names = "saradc-apb";
+               status = "disabled";
+       };
+--- a/arch/arm/boot/dts/rk3288.dtsi
++++ b/arch/arm/boot/dts/rk3288.dtsi
+@@ -279,6 +279,8 @@
+               #io-channel-cells = <1>;
+               clocks = <&cru SCLK_SARADC>, <&cru PCLK_SARADC>;
+               clock-names = "saradc", "apb_pclk";
++              resets = <&cru SRST_SARADC>;
++              reset-names = "saradc-apb";
+               status = "disabled";
+       };
+--- a/arch/arm/boot/dts/rk3xxx.dtsi
++++ b/arch/arm/boot/dts/rk3xxx.dtsi
+@@ -399,6 +399,8 @@
+               #io-channel-cells = <1>;
+               clocks = <&cru SCLK_SARADC>, <&cru PCLK_SARADC>;
+               clock-names = "saradc", "apb_pclk";
++              resets = <&cru SRST_SARADC>;
++              reset-names = "saradc-apb";
+               status = "disabled";
+       };
diff --git a/queue-4.7/arm-dts-stih407-family-provide-interconnect-clock-for-consumption-in-st-sdhci.patch b/queue-4.7/arm-dts-stih407-family-provide-interconnect-clock-for-consumption-in-st-sdhci.patch
new file mode 100644 (file)
index 0000000..7a1ce31
--- /dev/null
@@ -0,0 +1,66 @@
+From 78567f135d9bbbaf4538f63656d3e4d957c35fe9 Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee.jones@linaro.org>
+Date: Thu, 8 Sep 2016 11:11:00 +0200
+Subject: ARM: dts: STiH407-family: Provide interconnect clock for consumption in ST SDHCI
+
+From: Lee Jones <lee.jones@linaro.org>
+
+commit 78567f135d9bbbaf4538f63656d3e4d957c35fe9 upstream.
+
+The STiH4{07,10} platform contains some interconnect clocks which are used
+by various IPs.  If these clocks aren't handled correctly by ST's SDHCI
+driver MMC will break and the following output can be observed:
+
+[   13.916949] mmc0: Timeout waiting for hardware interrupt.
+[   13.922349] sdhci: =========== REGISTER DUMP (mmc0)===========
+[   13.928175] sdhci: Sys addr: 0x00000000 | Version:  0x00001002
+[   13.933999] sdhci: Blk size: 0x00007040 | Blk cnt:  0x00000001
+[   13.939825] sdhci: Argument: 0x00fffff0 | Trn mode: 0x00000013
+[   13.945650] sdhci: Present:  0x1fff0206 | Host ctl: 0x00000011
+[   13.951475] sdhci: Power:    0x0000000f | Blk gap:  0x00000080
+[   13.957300] sdhci: Wake-up:  0x00000000 | Clock:    0x00003f07
+[   13.963126] sdhci: Timeout:  0x00000004 | Int stat: 0x00000000
+[   13.968952] sdhci: Int enab: 0x02ff008b | Sig enab: 0x02ff008b
+[   13.974777] sdhci: AC12 err: 0x00000000 | Slot int: 0x00000000
+[   13.980602] sdhci: Caps:     0x21ed3281 | Caps_1:   0x00000000
+[   13.986428] sdhci: Cmd:      0x0000063a | Max curr: 0x00000000
+[   13.992252] sdhci: Host ctl2: 0x00000000
+[   13.996166] sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x7c048200
+[   14.001990] sdhci: ===========================================
+[   14.009802] mmc0: Got data interrupt 0x02000000 even though no data operation was in progress.
+
+Tested-by: Peter Griffin <peter.griffin@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Acked-by: Patrice Chotard <patrice.chotard@st.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/stih407-family.dtsi |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/boot/dts/stih407-family.dtsi
++++ b/arch/arm/boot/dts/stih407-family.dtsi
+@@ -550,8 +550,9 @@
+                       interrupt-names = "mmcirq";
+                       pinctrl-names = "default";
+                       pinctrl-0 = <&pinctrl_mmc0>;
+-                      clock-names = "mmc";
+-                      clocks = <&clk_s_c0_flexgen CLK_MMC_0>;
++                      clock-names = "mmc", "icn";
++                      clocks = <&clk_s_c0_flexgen CLK_MMC_0>,
++                               <&clk_s_c0_flexgen CLK_RX_ICN_HVA>;
+                       bus-width = <8>;
+                       non-removable;
+               };
+@@ -565,8 +566,9 @@
+                       interrupt-names = "mmcirq";
+                       pinctrl-names = "default";
+                       pinctrl-0 = <&pinctrl_sd1>;
+-                      clock-names = "mmc";
+-                      clocks = <&clk_s_c0_flexgen CLK_MMC_1>;
++                      clock-names = "mmc", "icn";
++                      clocks = <&clk_s_c0_flexgen CLK_MMC_1>,
++                               <&clk_s_c0_flexgen CLK_RX_ICN_HVA>;
+                       resets = <&softreset STIH407_MMC1_SOFTRESET>;
+                       bus-width = <4>;
+               };
diff --git a/queue-4.7/arm-dts-stih410-handle-interconnect-clock-required-by-ehci-ohci-usb.patch b/queue-4.7/arm-dts-stih410-handle-interconnect-clock-required-by-ehci-ohci-usb.patch
new file mode 100644 (file)
index 0000000..f620006
--- /dev/null
@@ -0,0 +1,67 @@
+From 7e9d2850a8db4e0d85a20bb692198bf2cc4be3b7 Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee.jones@linaro.org>
+Date: Thu, 8 Sep 2016 11:11:00 +0200
+Subject: ARM: dts: STiH410: Handle interconnect clock required by EHCI/OHCI (USB)
+
+From: Lee Jones <lee.jones@linaro.org>
+
+commit 7e9d2850a8db4e0d85a20bb692198bf2cc4be3b7 upstream.
+
+The STiH4{07,10} platform contains some interconnect clocks which are used
+by various IPs.  If this clock isn't handled correctly by ST's EHCI/OHCI
+drivers, their hub won't be found, the following error be shown and the
+result will be non-working USB:
+
+  [   97.221963] hub 2-1:1.0: hub_ext_port_status failed (err = -110)
+
+Tested-by: Peter Griffin <peter.griffin@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Acked-by: Patrice Chotard <patrice.chotard@st.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/stih410.dtsi |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/boot/dts/stih410.dtsi
++++ b/arch/arm/boot/dts/stih410.dtsi
+@@ -41,7 +41,8 @@
+                       compatible = "st,st-ohci-300x";
+                       reg = <0x9a03c00 0x100>;
+                       interrupts = <GIC_SPI 180 IRQ_TYPE_NONE>;
+-                      clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
++                      clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
++                               <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
+                       resets = <&powerdown STIH407_USB2_PORT0_POWERDOWN>,
+                                <&softreset STIH407_USB2_PORT0_SOFTRESET>;
+                       reset-names = "power", "softreset";
+@@ -57,7 +58,8 @@
+                       interrupts = <GIC_SPI 151 IRQ_TYPE_NONE>;
+                       pinctrl-names = "default";
+                       pinctrl-0 = <&pinctrl_usb0>;
+-                      clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
++                      clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
++                               <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
+                       resets = <&powerdown STIH407_USB2_PORT0_POWERDOWN>,
+                                <&softreset STIH407_USB2_PORT0_SOFTRESET>;
+                       reset-names = "power", "softreset";
+@@ -71,7 +73,8 @@
+                       compatible = "st,st-ohci-300x";
+                       reg = <0x9a83c00 0x100>;
+                       interrupts = <GIC_SPI 181 IRQ_TYPE_NONE>;
+-                      clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
++                      clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
++                               <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
+                       resets = <&powerdown STIH407_USB2_PORT1_POWERDOWN>,
+                                <&softreset STIH407_USB2_PORT1_SOFTRESET>;
+                       reset-names = "power", "softreset";
+@@ -87,7 +90,8 @@
+                       interrupts = <GIC_SPI 153 IRQ_TYPE_NONE>;
+                       pinctrl-names = "default";
+                       pinctrl-0 = <&pinctrl_usb1>;
+-                      clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
++                      clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
++                               <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
+                       resets = <&powerdown STIH407_USB2_PORT1_POWERDOWN>,
+                                <&softreset STIH407_USB2_PORT1_SOFTRESET>;
+                       reset-names = "power", "softreset";
diff --git a/queue-4.7/arm-imx6-add-missing-bm_clpcr_byp_mmdc_ch0_lpm_hs-setting-for-imx6ul.patch b/queue-4.7/arm-imx6-add-missing-bm_clpcr_byp_mmdc_ch0_lpm_hs-setting-for-imx6ul.patch
new file mode 100644 (file)
index 0000000..aa20d76
--- /dev/null
@@ -0,0 +1,36 @@
+From f5a49057c71433e35a4712ab8d8f00641b3e1ec0 Mon Sep 17 00:00:00 2001
+From: Peter Chen <peter.chen@nxp.com>
+Date: Tue, 9 Aug 2016 16:24:43 +0800
+Subject: ARM: imx6: add missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul
+
+From: Peter Chen <peter.chen@nxp.com>
+
+commit f5a49057c71433e35a4712ab8d8f00641b3e1ec0 upstream.
+
+There is a missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul,
+without it, the "standby" mode can't work well, the system can't be
+resumed.
+
+With this commit, the "standby" mode works well.
+
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Cc: Anson Huang <anson.huang@nxp.com>
+Fixes: ee4a5f838c84 ("ARM: imx: add suspend/resume support for i.mx6ul")
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-imx/pm-imx6.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/mach-imx/pm-imx6.c
++++ b/arch/arm/mach-imx/pm-imx6.c
+@@ -295,7 +295,7 @@ int imx6_set_lpm(enum mxc_cpu_pwr_mode m
+               val &= ~BM_CLPCR_SBYOS;
+               if (cpu_is_imx6sl())
+                       val |= BM_CLPCR_BYPASS_PMIC_READY;
+-              if (cpu_is_imx6sl() || cpu_is_imx6sx())
++              if (cpu_is_imx6sl() || cpu_is_imx6sx() || cpu_is_imx6ul())
+                       val |= BM_CLPCR_BYP_MMDC_CH0_LPM_HS;
+               else
+                       val |= BM_CLPCR_BYP_MMDC_CH1_LPM_HS;
diff --git a/queue-4.7/arm-imx6-add-missing-bm_clpcr_bypass_pmic_ready-setting-for-imx6sx.patch b/queue-4.7/arm-imx6-add-missing-bm_clpcr_bypass_pmic_ready-setting-for-imx6sx.patch
new file mode 100644 (file)
index 0000000..43bb31a
--- /dev/null
@@ -0,0 +1,37 @@
+From 8aade778f787305fdbfd3c1d54e6b583601b5902 Mon Sep 17 00:00:00 2001
+From: Anson Huang <Anson.Huang@nxp.com>
+Date: Mon, 22 Aug 2016 23:53:25 +0800
+Subject: ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx
+
+From: Anson Huang <Anson.Huang@nxp.com>
+
+commit 8aade778f787305fdbfd3c1d54e6b583601b5902 upstream.
+
+i.MX6SX has bypass PMIC ready function, as this function
+is normally NOT enabled on the board design, so we need
+to bypass the PMIC ready pin check during DSM mode resume
+flow, otherwise, the internal DSM resume logic will be
+waiting for this signal to be ready forever and cause
+resume fail.
+
+Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
+Fixes: ff843d621bfc ("ARM: imx: add suspend support for i.mx6sx")
+Tested-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-imx/pm-imx6.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/mach-imx/pm-imx6.c
++++ b/arch/arm/mach-imx/pm-imx6.c
+@@ -310,7 +310,7 @@ int imx6_set_lpm(enum mxc_cpu_pwr_mode m
+               val |= 0x3 << BP_CLPCR_STBY_COUNT;
+               val |= BM_CLPCR_VSTBY;
+               val |= BM_CLPCR_SBYOS;
+-              if (cpu_is_imx6sl())
++              if (cpu_is_imx6sl() || cpu_is_imx6sx())
+                       val |= BM_CLPCR_BYPASS_PMIC_READY;
+               if (cpu_is_imx6sl() || cpu_is_imx6sx() || cpu_is_imx6ul())
+                       val |= BM_CLPCR_BYP_MMDC_CH0_LPM_HS;
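Review bot: The `BM_CLPCR_BYPASS_PMIC_READY` test is widened to `cpu_is_imx6sx()` only in this branch of `imx6_set_lpm()`; the branch around line 295, visible in the imx6ul patch earlier in this queue, still sets that bit under `if (cpu_is_imx6sl())` alone. If that other low-power mode also resumes through the PMIC-ready pin check on i.MX6SX, it would need the same condition, `if (cpu_is_imx6sl() || cpu_is_imx6sx())`. If it does not, a one-line comment there saying why would stop the two branches from looking inconsistent. The function body starts and ends outside the hunk, so the mode each branch belongs to cannot be confirmed from here.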
diff --git a/queue-4.7/arm-kirkwood-ib62x0-fix-size-of-u-boot-environment-partition.patch b/queue-4.7/arm-kirkwood-ib62x0-fix-size-of-u-boot-environment-partition.patch
new file mode 100644 (file)
index 0000000..38b56dd
--- /dev/null
@@ -0,0 +1,40 @@
+From a778937888867aac17a33887d1c429120790fbc2 Mon Sep 17 00:00:00 2001
+From: Simon Baatz <gmbnomis@gmail.com>
+Date: Fri, 12 Aug 2016 19:12:50 +0200
+Subject: ARM: kirkwood: ib62x0: fix size of u-boot environment partition
+
+From: Simon Baatz <gmbnomis@gmail.com>
+
+commit a778937888867aac17a33887d1c429120790fbc2 upstream.
+
+Commit 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment
+partition") split the "u-boot" partition into "u-boot" and "u-boot
+environment".  However, instead of the size of the environment, an offset
+was given, resulting in overlapping partitions.
+
+Signed-off-by: Simon Baatz <gmbnomis@gmail.com>
+Fixes: 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment partition")
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: Andrew Lunn <andrew@lunn.ch>
+Cc: Gregory Clement <gregory.clement@free-electrons.com>
+Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
+Cc: Luka Perkov <luka@openwrt.org>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/kirkwood-ib62x0.dts |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/kirkwood-ib62x0.dts
++++ b/arch/arm/boot/dts/kirkwood-ib62x0.dts
+@@ -113,7 +113,7 @@
+       partition@e0000 {
+               label = "u-boot environment";
+-              reg = <0xe0000 0x100000>;
++              reg = <0xe0000 0x20000>;
+       };
+       partition@100000 {
diff --git a/queue-4.7/arm-omap3-hwmod-data-add-sysc-information-for-dsi.patch b/queue-4.7/arm-omap3-hwmod-data-add-sysc-information-for-dsi.patch
new file mode 100644 (file)
index 0000000..c6df2d1
--- /dev/null
@@ -0,0 +1,48 @@
+From b46211d6dcfb81a8af66b8684a42d629183670d4 Mon Sep 17 00:00:00 2001
+From: Sebastian Reichel <sre@kernel.org>
+Date: Fri, 24 Jun 2016 03:59:33 +0200
+Subject: ARM: OMAP3: hwmod data: Add sysc information for DSI
+
+From: Sebastian Reichel <sre@kernel.org>
+
+commit b46211d6dcfb81a8af66b8684a42d629183670d4 upstream.
+
+Add missing sysconfig/sysstatus information
+to OMAP3 hwmod. The information has been
+checked against OMAP34xx and OMAP36xx TRM.
+
+Without this change DSI block is not reset
+during boot, which is required for working
+Nokia N950 display.
+
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-omap2/omap_hwmod_3xxx_data.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
++++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+@@ -722,8 +722,20 @@ static struct omap_hwmod omap3xxx_dss_di
+  * display serial interface controller
+  */
++static struct omap_hwmod_class_sysconfig omap3xxx_dsi_sysc = {
++      .rev_offs       = 0x0000,
++      .sysc_offs      = 0x0010,
++      .syss_offs      = 0x0014,
++      .sysc_flags     = (SYSC_HAS_AUTOIDLE | SYSC_HAS_CLOCKACTIVITY |
++                         SYSC_HAS_ENAWAKEUP | SYSC_HAS_SIDLEMODE |
++                         SYSC_HAS_SOFTRESET | SYSS_HAS_RESET_STATUS),
++      .idlemodes      = (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART),
++      .sysc_fields    = &omap_hwmod_sysc_type1,
++};
++
+ static struct omap_hwmod_class omap3xxx_dsi_hwmod_class = {
+       .name = "dsi",
++      .sysc   = &omap3xxx_dsi_sysc,
+ };
+ static struct omap_hwmod_irq_info omap3xxx_dsi1_irqs[] = {
diff --git a/queue-4.7/arm64-spinlocks-implement-smp_mb__before_spinlock-as-smp_mb.patch b/queue-4.7/arm64-spinlocks-implement-smp_mb__before_spinlock-as-smp_mb.patch
new file mode 100644 (file)
index 0000000..899b7f4
--- /dev/null
@@ -0,0 +1,47 @@
+From 872c63fbf9e153146b07f0cece4da0d70b283eeb Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Mon, 5 Sep 2016 11:56:05 +0100
+Subject: arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb()
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 872c63fbf9e153146b07f0cece4da0d70b283eeb upstream.
+
+smp_mb__before_spinlock() is intended to upgrade a spin_lock() operation
+to a full barrier, such that prior stores are ordered with respect to
+loads and stores occuring inside the critical section.
+
+Unfortunately, the core code defines the barrier as smp_wmb(), which
+is insufficient to provide the required ordering guarantees when used in
+conjunction with our load-acquire-based spinlock implementation.
+
+This patch overrides the arm64 definition of smp_mb__before_spinlock()
+to map to a full smp_mb().
+
+Cc: Peter Zijlstra <peterz@infradead.org>
+Reported-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/spinlock.h |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/arm64/include/asm/spinlock.h
++++ b/arch/arm64/include/asm/spinlock.h
+@@ -363,4 +363,14 @@ static inline int arch_read_trylock(arch
+ #define arch_read_relax(lock) cpu_relax()
+ #define arch_write_relax(lock)        cpu_relax()
++/*
++ * Accesses appearing in program order before a spin_lock() operation
++ * can be reordered with accesses inside the critical section, by virtue
++ * of arch_spin_lock being constructed using acquire semantics.
++ *
++ * In cases where this is problematic (e.g. try_to_wake_up), an
++ * smp_mb__before_spinlock() can restore the required ordering.
++ */
++#define smp_mb__before_spinlock()     smp_mb()
++
+ #endif /* __ASM_SPINLOCK_H */
diff --git a/queue-4.7/ath9k-bring-back-direction-setting-in-ath9k_-start_stop.patch b/queue-4.7/ath9k-bring-back-direction-setting-in-ath9k_-start_stop.patch
new file mode 100644 (file)
index 0000000..55e56f4
--- /dev/null
@@ -0,0 +1,68 @@
+From e34f2ff40e0339f6a379e1ecf49e8f2759056453 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Giedrius=20Statkevi=C4=8Dius?=
+ <giedrius.statkevicius@gmail.com>
+Date: Thu, 1 Sep 2016 20:47:02 +0300
+Subject: ath9k: bring back direction setting in ath9k_{start_stop}
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Giedrius Statkevičius <giedrius.statkevicius@gmail.com>
+
+commit e34f2ff40e0339f6a379e1ecf49e8f2759056453 upstream.
+
+A regression was introduced in commit id 79d4db1214a ("ath9k: cleanup
+led_pin initial") that broken the WLAN status led on my laptop with
+AR9287 after suspending and resuming.
+
+Steps to reproduce:
+* Suspend (laptop)
+* Resume (laptop)
+* Observe that the WLAN led no longer turns ON/OFF depending on the
+  status and is always red
+
+Even though for my case it only needs to be set to OUT in ath9k_start
+but for consistency bring back the IN direction setting as well.
+
+Fixes: 79d4db1214a0 ("ath9k: cleanup led_pin initial")
+Cc: Miaoqing Pan <miaoqing@codeaurora.org>
+Cc: Kalle Valo <kvalo@qca.qualcomm.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=151711
+Signed-off-by: Giedrius Statkevičius <giedrius.statkevicius@gmail.com>
+[kvalo@qca.qualcomm.com: improve commit log]
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/main.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -718,9 +718,12 @@ static int ath9k_start(struct ieee80211_
+       if (!ath_complete_reset(sc, false))
+               ah->reset_power_on = false;
+-      if (ah->led_pin >= 0)
++      if (ah->led_pin >= 0) {
+               ath9k_hw_set_gpio(ah, ah->led_pin,
+                                 (ah->config.led_active_high) ? 1 : 0);
++              ath9k_hw_gpio_request_out(ah, ah->led_pin, NULL,
++                                        AR_GPIO_OUTPUT_MUX_AS_OUTPUT);
++      }
+       /*
+        * Reset key cache to sane defaults (all entries cleared) instead of
+@@ -864,9 +867,11 @@ static void ath9k_stop(struct ieee80211_
+       spin_lock_bh(&sc->sc_pcu_lock);
+-      if (ah->led_pin >= 0)
++      if (ah->led_pin >= 0) {
+               ath9k_hw_set_gpio(ah, ah->led_pin,
+                                 (ah->config.led_active_high) ? 0 : 1);
++              ath9k_hw_gpio_request_in(ah, ah->led_pin, NULL);
++      }
+       ath_prepare_reset(sc);
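Review bot: In the `ath9k_stop()` hunk the added `ath9k_hw_gpio_request_in(ah, ah->led_pin, NULL);` runs after `spin_lock_bh(&sc->sc_pcu_lock)`, so the request helper is now called in atomic context. Its implementation is not visible here; it is worth confirming that it cannot sleep on any platform, and if it can, moving the direction change outside the locked region. A short comment on both added calls, such as `/* re-assert the LED pin direction; it is not preserved across suspend/resume */`, would record why the request is repeated on every start and stop. Both functions continue outside their hunks.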
diff --git a/queue-4.7/ath9k-fix-using-sta-drv_priv-before-initializing-it.patch b/queue-4.7/ath9k-fix-using-sta-drv_priv-before-initializing-it.patch
new file mode 100644 (file)
index 0000000..3abd23d
--- /dev/null
@@ -0,0 +1,42 @@
+From 7711aaf08ad3fc4d0e937eec1de0a63620444ce7 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Fri, 19 Aug 2016 13:37:46 +0300
+Subject: ath9k: fix using sta->drv_priv before initializing it
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 7711aaf08ad3fc4d0e937eec1de0a63620444ce7 upstream.
+
+A station pointer can be passed to the driver on tx, before it has been
+marked as associated. Since ath9k_sta_state was initializing the entry
+too late, it resulted in some spurious crashes.
+
+Fixes: df3c6eb34da5 ("ath9k: Use sta_state() callback")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/main.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -1552,13 +1552,13 @@ static int ath9k_sta_state(struct ieee80
+       struct ath_common *common = ath9k_hw_common(sc->sc_ah);
+       int ret = 0;
+-      if (old_state == IEEE80211_STA_AUTH &&
+-          new_state == IEEE80211_STA_ASSOC) {
++      if (old_state == IEEE80211_STA_NOTEXIST &&
++          new_state == IEEE80211_STA_NONE) {
+               ret = ath9k_sta_add(hw, vif, sta);
+               ath_dbg(common, CONFIG,
+                       "Add station: %pM\n", sta->addr);
+-      } else if (old_state == IEEE80211_STA_ASSOC &&
+-                 new_state == IEEE80211_STA_AUTH) {
++      } else if (old_state == IEEE80211_STA_NONE &&
++                 new_state == IEEE80211_STA_NOTEXIST) {
+               ret = ath9k_sta_remove(hw, vif, sta);
+               ath_dbg(common, CONFIG,
+                       "Remove station: %pM\n", sta->addr);
diff --git a/queue-4.7/audit-fix-exe_file-access-in-audit_exe_compare.patch b/queue-4.7/audit-fix-exe_file-access-in-audit_exe_compare.patch
new file mode 100644 (file)
index 0000000..dadebbb
--- /dev/null
@@ -0,0 +1,49 @@
+From 5efc244346f9f338765da3d592f7947b0afdc4b5 Mon Sep 17 00:00:00 2001
+From: Mateusz Guzik <mguzik@redhat.com>
+Date: Tue, 23 Aug 2016 16:20:39 +0200
+Subject: audit: fix exe_file access in audit_exe_compare
+
+From: Mateusz Guzik <mguzik@redhat.com>
+
+commit 5efc244346f9f338765da3d592f7947b0afdc4b5 upstream.
+
+Prior to the change the function would blindly deference mm, exe_file
+and exe_file->f_inode, each of which could have been NULL or freed.
+
+Use get_task_exe_file to safely obtain stable exe_file.
+
+Signed-off-by: Mateusz Guzik <mguzik@redhat.com>
+Acked-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/audit_watch.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/kernel/audit_watch.c
++++ b/kernel/audit_watch.c
+@@ -19,6 +19,7 @@
+  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+  */
++#include <linux/file.h>
+ #include <linux/kernel.h>
+ #include <linux/audit.h>
+ #include <linux/kthread.h>
+@@ -544,10 +545,11 @@ int audit_exe_compare(struct task_struct
+       unsigned long ino;
+       dev_t dev;
+-      rcu_read_lock();
+-      exe_file = rcu_dereference(tsk->mm->exe_file);
++      exe_file = get_task_exe_file(tsk);
++      if (!exe_file)
++              return 0;
+       ino = exe_file->f_inode->i_ino;
+       dev = exe_file->f_inode->i_sb->s_dev;
+-      rcu_read_unlock();
++      fput(exe_file);
+       return audit_mark_compare(mark, ino, dev);
+ }
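Review bot: The new early exit `if (!exe_file) return 0;` in `audit_exe_compare()` gives a task with no executable file a fixed comparison result, and nothing in the hunk says which result that is. Since the value feeds an audit rule decision, the line deserves a comment stating the intent, for example `/* no exe_file (e.g. kernel thread or exiting task): report no match */`, assuming 0 means "no match" in the convention of `audit_mark_compare()`, which is defined outside this hunk. The remaining `exe_file->f_inode->...` dereferences now rely on the reference taken by `get_task_exe_file()` and dropped by `fput()`; a brief note saying so would keep a later edit from moving the `fput()` above them.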
diff --git a/queue-4.7/brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg80211_start_ap.patch b/queue-4.7/brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg80211_start_ap.patch
new file mode 100644 (file)
index 0000000..f83093f
--- /dev/null
@@ -0,0 +1,38 @@
+From ded89912156b1a47d940a0c954c43afbabd0c42c Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Mon, 5 Sep 2016 10:45:47 +0100
+Subject: brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()
+
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+
+commit ded89912156b1a47d940a0c954c43afbabd0c42c upstream.
+
+User-space can choose to omit NL80211_ATTR_SSID and only provide raw
+IE TLV data. When doing so it can provide SSID IE with length exceeding
+the allowed size. The driver further processes this IE copying it
+into a local variable without checking the length. Hence stack can be
+corrupted and used as exploit.
+
+Reported-by: Daxing Guo <freener.gdx@gmail.com>
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -4467,7 +4467,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
+                               (u8 *)&settings->beacon.head[ie_offset],
+                               settings->beacon.head_len - ie_offset,
+                               WLAN_EID_SSID);
+-              if (!ssid_ie)
++              if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)
+                       return -EINVAL;
+               memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len);
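Review bot: The added bound `ssid_ie->len > IEEE80211_MAX_SSID_LEN` protects the following `memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len)` only as long as `ssid_le.SSID` is at least `IEEE80211_MAX_SSID_LEN` bytes, and that declaration is outside the hunk. Tying the check to the destination, `if (!ssid_ie || ssid_ie->len > sizeof(ssid_le.SSID))`, or adding `BUILD_BUG_ON(sizeof(ssid_le.SSID) < IEEE80211_MAX_SSID_LEN);` next to it, keeps the copy bounded if either size ever changes. Because the IE comes from beacon data supplied by user space, it is also worth confirming that the TLV lookup producing `ssid_ie` (its call starts above the hunk) rejects an element whose declared length runs past `head_len - ie_offset`.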
diff --git a/queue-4.7/btrfs-remove-root_log_ctx-from-ctx-list-before-btrfs_sync_log-returns.patch b/queue-4.7/btrfs-remove-root_log_ctx-from-ctx-list-before-btrfs_sync_log-returns.patch
new file mode 100644 (file)
index 0000000..1225735
--- /dev/null
@@ -0,0 +1,35 @@
+From cbd60aa7cd17d81a434234268c55192862147439 Mon Sep 17 00:00:00 2001
+From: Chris Mason <clm@fb.com>
+Date: Tue, 6 Sep 2016 05:37:40 -0700
+Subject: Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns
+
+From: Chris Mason <clm@fb.com>
+
+commit cbd60aa7cd17d81a434234268c55192862147439 upstream.
+
+We use a btrfs_log_ctx structure to pass information into the
+tree log commit, and get error values out.  It gets added to a per
+log-transaction list which we walk when things go bad.
+
+Commit d1433debe added an optimization to skip waiting for the log
+commit, but didn't take root_log_ctx out of the list.  This
+patch makes sure we remove things before exiting.
+
+Signed-off-by: Chris Mason <clm@fb.com>
+Fixes: d1433debe7f4346cf9fc0dafc71c3137d2a97bc4
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/tree-log.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -2851,6 +2851,7 @@ int btrfs_sync_log(struct btrfs_trans_ha
+       if (log_root_tree->log_transid_committed >= root_log_ctx.log_transid) {
+               blk_finish_plug(&plug);
++              list_del_init(&root_log_ctx.list);
+               mutex_unlock(&log_root_tree->log_mutex);
+               ret = root_log_ctx.log_ret;
+               goto out;
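Review bot: `root_log_ctx` is accessed with `.` here, which suggests it lives in the frame of `btrfs_sync_log()`, so any return path that leaves it on the per-transaction list would leave a dangling entry for the later list walk. This hunk fixes one early exit; the other exits of the function are outside the hunk and cannot be checked from here. A comment on the added line, e.g. `/* ctx is local to this function; unlink it before leaving */`, would make the invariant visible. If the locking allows it, doing the `list_del_init()` once on the common exit path would be harder to miss the next time an early exit is added.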
diff --git a/queue-4.7/bus-arm-ccn-do-not-attempt-to-configure-xps-for-cycle-counter.patch b/queue-4.7/bus-arm-ccn-do-not-attempt-to-configure-xps-for-cycle-counter.patch
new file mode 100644 (file)
index 0000000..9192c17
--- /dev/null
@@ -0,0 +1,39 @@
+From b7c1beb278e8e3dc664ed3df3fc786db126120a9 Mon Sep 17 00:00:00 2001
+From: Pawel Moll <pawel.moll@arm.com>
+Date: Fri, 5 Aug 2016 15:07:10 +0100
+Subject: bus: arm-ccn: Do not attempt to configure XPs for cycle counter
+
+From: Pawel Moll <pawel.moll@arm.com>
+
+commit b7c1beb278e8e3dc664ed3df3fc786db126120a9 upstream.
+
+Fuzzing the CCN perf driver revealed a small but definitely dangerous
+mistake in the event setup code. When a cycle counter is requested, the
+driver should not reconfigure the events bus at all, otherwise it will
+corrupt (in most but the simplest cases) its configuration and may end
+up accessing XP array out of its bounds and corrupting control
+registers.
+
+Reported-by: Mark Rutland <mark.rutland@arm.com>
+Reviewed-by: Mark Rutland <mark.rutland@arm.com>
+Tested-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Pawel Moll <pawel.moll@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/arm-ccn.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -895,6 +895,10 @@ static void arm_ccn_pmu_xp_dt_config(str
+       struct arm_ccn_component *xp;
+       u32 val, dt_cfg;
++      /* Nothing to do for cycle counter */
++      if (hw->idx == CCN_IDX_PMU_CYCLE_COUNTER)
++              return;
++
+       if (CCN_CONFIG_TYPE(event->attr.config) == CCN_TYPE_XP)
+               xp = &ccn->xp[CCN_CONFIG_XP(event->attr.config)];
+       else
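Review bot: The new comment `/* Nothing to do for cycle counter */` in `arm_ccn_pmu_xp_dt_config()` understates why the early return matters: per the commit message, falling through reconfigures the event bus and can index the XP array out of bounds. I would spell that out, e.g. `/* Cycle counter needs no XP configuration; touching it here corrupts the event bus setup */`. Separately, the line after the guard still indexes `ccn->xp[]` with `CCN_CONFIG_XP(event->attr.config)`, a value taken from the perf event attributes. The range check for it is presumably done at event init, which is outside this hunk, and is worth confirming. The function body continues past the hunk.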
diff --git a/queue-4.7/bus-arm-ccn-fix-pmu-handling-of-mn.patch b/queue-4.7/bus-arm-ccn-fix-pmu-handling-of-mn.patch
new file mode 100644 (file)
index 0000000..5ede6a9
--- /dev/null
@@ -0,0 +1,92 @@
+From 4e486cba285ff06a1f28f0fc2991dde1482d1dcf Mon Sep 17 00:00:00 2001
+From: Pawel Moll <pawel.moll@arm.com>
+Date: Tue, 2 Aug 2016 16:45:37 +0100
+Subject: bus: arm-ccn: Fix PMU handling of MN
+
+From: Pawel Moll <pawel.moll@arm.com>
+
+commit 4e486cba285ff06a1f28f0fc2991dde1482d1dcf upstream.
+
+The "Miscellaneous Node" fell through cracks of node initialisation,
+as its ID is shared with HN-I.
+
+This patch treats MN as a special case (which it is), adding separate
+validation check for it and pre-defining the node ID in relevant events
+descriptions. That way one can simply run:
+
+       # perf stat -a -e ccn/mn_ecbarrier/ <workload>
+
+Additionally, direction in the MN pseudo-events XP watchpoint
+definitions is corrected to be "TX" (1) as they are defined from the
+crosspoint point of view (thus barriers are transmitted from XP to MN).
+
+Signed-off-by: Pawel Moll <pawel.moll@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/arm-ccn.c |   19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -187,6 +187,7 @@ struct arm_ccn {
+       struct arm_ccn_component *xp;
+       struct arm_ccn_dt dt;
++      int mn_id;
+ };
+@@ -326,6 +327,7 @@ struct arm_ccn_pmu_event {
+ static ssize_t arm_ccn_pmu_event_show(struct device *dev,
+               struct device_attribute *attr, char *buf)
+ {
++      struct arm_ccn *ccn = pmu_to_arm_ccn(dev_get_drvdata(dev));
+       struct arm_ccn_pmu_event *event = container_of(attr,
+                       struct arm_ccn_pmu_event, attr);
+       ssize_t res;
+@@ -352,6 +354,9 @@ static ssize_t arm_ccn_pmu_event_show(st
+                       res += snprintf(buf + res, PAGE_SIZE - res,
+                                       ",cmp_l=?,cmp_h=?,mask=?");
+               break;
++      case CCN_TYPE_MN:
++              res += snprintf(buf + res, PAGE_SIZE - res, ",node=%d", ccn->mn_id);
++              break;
+       default:
+               res += snprintf(buf + res, PAGE_SIZE - res, ",node=?");
+               break;
+@@ -381,9 +386,9 @@ static umode_t arm_ccn_pmu_events_is_vis
+ }
+ static struct arm_ccn_pmu_event arm_ccn_pmu_events[] = {
+-      CCN_EVENT_MN(eobarrier, "dir=0,vc=0,cmp_h=0x1c00", CCN_IDX_MASK_OPCODE),
+-      CCN_EVENT_MN(ecbarrier, "dir=0,vc=0,cmp_h=0x1e00", CCN_IDX_MASK_OPCODE),
+-      CCN_EVENT_MN(dvmop, "dir=0,vc=0,cmp_h=0x2800", CCN_IDX_MASK_OPCODE),
++      CCN_EVENT_MN(eobarrier, "dir=1,vc=0,cmp_h=0x1c00", CCN_IDX_MASK_OPCODE),
++      CCN_EVENT_MN(ecbarrier, "dir=1,vc=0,cmp_h=0x1e00", CCN_IDX_MASK_OPCODE),
++      CCN_EVENT_MN(dvmop, "dir=1,vc=0,cmp_h=0x2800", CCN_IDX_MASK_OPCODE),
+       CCN_EVENT_HNI(txdatflits, "dir=1,vc=3", CCN_IDX_MASK_ANY),
+       CCN_EVENT_HNI(rxdatflits, "dir=0,vc=3", CCN_IDX_MASK_ANY),
+       CCN_EVENT_HNI(txreqflits, "dir=1,vc=0", CCN_IDX_MASK_ANY),
+@@ -757,6 +762,12 @@ static int arm_ccn_pmu_event_init(struct
+       /* Validate node/xp vs topology */
+       switch (type) {
++      case CCN_TYPE_MN:
++              if (node_xp != ccn->mn_id) {
++                      dev_warn(ccn->dev, "Invalid MN ID %d!\n", node_xp);
++                      return -EINVAL;
++              }
++              break;
+       case CCN_TYPE_XP:
+               if (node_xp >= ccn->num_xps) {
+                       dev_warn(ccn->dev, "Invalid XP ID %d!\n", node_xp);
+@@ -1369,6 +1380,8 @@ static int arm_ccn_init_nodes(struct arm
+       switch (type) {
+       case CCN_TYPE_MN:
++              ccn->mn_id = id;
++              return 0;
+       case CCN_TYPE_DT:
+               return 0;
+       case CCN_TYPE_XP:
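Review bot: `mn_id` is assigned only in the CCN_TYPE_MN case of arm_ccn_init_nodes(), so if the topology walk never reports an MN it keeps whatever the allocation left there, and the new check `node_xp != ccn->mn_id` in arm_ccn_pmu_event_init() compares against that value. If the structure is zero-allocated (not visible here), node 0 would be accepted as the MN and printed by arm_ccn_pmu_event_show(). Consider setting it to an invalid ID before the walk and documenting the field, e.g. `int mn_id; /* node ID of the MN, set by arm_ccn_init_nodes() */`. All of the touched functions extend beyond their hunks.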
diff --git a/queue-4.7/bus-arm-ccn-fix-xp-watchpoint-settings-bitmask.patch b/queue-4.7/bus-arm-ccn-fix-xp-watchpoint-settings-bitmask.patch
new file mode 100644 (file)
index 0000000..ccd2864
--- /dev/null
@@ -0,0 +1,45 @@
+From b928466b2169e061822daad48ecf55b005445547 Mon Sep 17 00:00:00 2001
+From: Pawel Moll <pawel.moll@arm.com>
+Date: Wed, 10 Aug 2016 17:06:26 +0100
+Subject: bus: arm-ccn: Fix XP watchpoint settings bitmask
+
+From: Pawel Moll <pawel.moll@arm.com>
+
+commit b928466b2169e061822daad48ecf55b005445547 upstream.
+
+The code setting XP watchpoint comparator and mask registers should, in
+order to be fully compliant with specification, zero one or more most
+significant bits of each field. In both L cases it means zeroing bit 63.
+The bitmask doing this was wrong, though, zeroing bit 60 instead.
+Fortunately, due to a lucky coincidence, this turned out to be fairly
+innocent with the existing hardware.
+
+Fixed now.
+
+Signed-off-by: Pawel Moll <pawel.moll@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/arm-ccn.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -1001,7 +1001,7 @@ static void arm_ccn_pmu_xp_watchpoint_co
+       /* Comparison values */
+       writel(cmp_l & 0xffffffff, source->base + CCN_XP_DT_CMP_VAL_L(wp));
+-      writel((cmp_l >> 32) & 0xefffffff,
++      writel((cmp_l >> 32) & 0x7fffffff,
+                       source->base + CCN_XP_DT_CMP_VAL_L(wp) + 4);
+       writel(cmp_h & 0xffffffff, source->base + CCN_XP_DT_CMP_VAL_H(wp));
+       writel((cmp_h >> 32) & 0x0fffffff,
+@@ -1009,7 +1009,7 @@ static void arm_ccn_pmu_xp_watchpoint_co
+       /* Mask */
+       writel(mask_l & 0xffffffff, source->base + CCN_XP_DT_CMP_MASK_L(wp));
+-      writel((mask_l >> 32) & 0xefffffff,
++      writel((mask_l >> 32) & 0x7fffffff,
+                       source->base + CCN_XP_DT_CMP_MASK_L(wp) + 4);
+       writel(mask_h & 0xffffffff, source->base + CCN_XP_DT_CMP_MASK_H(wp));
+       writel((mask_h >> 32) & 0x0fffffff,
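Review bot: The upper-word masks in arm_ccn_pmu_xp_watchpoint_config() are bare literals, which is how `0xefffffff` (clears bit 28 of the high word, i.e. bit 60) went unnoticed where bit 63 was meant. A short comment or a named constant per field would make the intent checkable against the specification, e.g. `/* CMP_VAL_L / CMP_MASK_L: bit 63 must be zero */` next to `0x7fffffff`, with the equivalent for the `0x0fffffff` used on the H registers. This applies to both inner hunks; the function starts and ends outside them.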
diff --git a/queue-4.7/cpuset-make-sure-new-tasks-conform-to-the-current-config-of-the-cpuset.patch b/queue-4.7/cpuset-make-sure-new-tasks-conform-to-the-current-config-of-the-cpuset.patch
new file mode 100644 (file)
index 0000000..a745c33
--- /dev/null
@@ -0,0 +1,53 @@
+From 06f4e94898918bcad00cdd4d349313a439d6911e Mon Sep 17 00:00:00 2001
+From: Zefan Li <lizefan@huawei.com>
+Date: Tue, 9 Aug 2016 11:25:01 +0800
+Subject: cpuset: make sure new tasks conform to the current config of the cpuset
+
+From: Zefan Li <lizefan@huawei.com>
+
+commit 06f4e94898918bcad00cdd4d349313a439d6911e upstream.
+
+A new task inherits cpus_allowed and mems_allowed masks from its parent,
+but if someone changes cpuset's config by writing to cpuset.cpus/cpuset.mems
+before this new task is inserted into the cgroup's task list, the new task
+won't be updated accordingly.
+
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cpuset.c |   15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/kernel/cpuset.c
++++ b/kernel/cpuset.c
+@@ -2078,6 +2078,20 @@ static void cpuset_bind(struct cgroup_su
+       mutex_unlock(&cpuset_mutex);
+ }
++/*
++ * Make sure the new task conform to the current state of its parent,
++ * which could have been changed by cpuset just after it inherits the
++ * state from the parent and before it sits on the cgroup's task list.
++ */
++void cpuset_fork(struct task_struct *task)
++{
++      if (task_css_is_root(task, cpuset_cgrp_id))
++              return;
++
++      set_cpus_allowed_ptr(task, &current->cpus_allowed);
++      task->mems_allowed = current->mems_allowed;
++}
++
+ struct cgroup_subsys cpuset_cgrp_subsys = {
+       .css_alloc      = cpuset_css_alloc,
+       .css_online     = cpuset_css_online,
+@@ -2088,6 +2102,7 @@ struct cgroup_subsys cpuset_cgrp_subsys
+       .attach         = cpuset_attach,
+       .post_attach    = cpuset_post_attach,
+       .bind           = cpuset_bind,
++      .fork           = cpuset_fork,
+       .legacy_cftypes = files,
+       .early_init     = true,
+ };
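Review bot: cpuset_fork() discards the return value of `set_cpus_allowed_ptr()`, so if that call fails the child silently keeps the mask it inherited and the stale state described in the commit message is not corrected. The callback returns void, so the error cannot be propagated, but the choice should be visible in the code, e.g. `/* best effort: on failure the task keeps the inherited cpus_allowed */` above the call. The reads of `current->cpus_allowed` and `current->mems_allowed` take no lock in the visible lines; whether the fork path already serialises against cpuset updates is not shown here and is worth stating in the function comment.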
diff --git a/queue-4.7/crypto-cryptd-initialize-child-shash_desc-on-import.patch b/queue-4.7/crypto-cryptd-initialize-child-shash_desc-on-import.patch
new file mode 100644 (file)
index 0000000..0297fb6
--- /dev/null
@@ -0,0 +1,40 @@
+From 0bd2223594a4dcddc1e34b15774a3a4776f7749e Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Thu, 1 Sep 2016 14:25:43 +0100
+Subject: crypto: cryptd - initialize child shash_desc on import
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+commit 0bd2223594a4dcddc1e34b15774a3a4776f7749e upstream.
+
+When calling .import() on a cryptd ahash_request, the structure members
+that describe the child transform in the shash_desc need to be initialized
+like they are when calling .init()
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/cryptd.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/crypto/cryptd.c
++++ b/crypto/cryptd.c
+@@ -594,9 +594,14 @@ static int cryptd_hash_export(struct aha
+ static int cryptd_hash_import(struct ahash_request *req, const void *in)
+ {
+-      struct cryptd_hash_request_ctx *rctx = ahash_request_ctx(req);
++      struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
++      struct cryptd_hash_ctx *ctx = crypto_ahash_ctx(tfm);
++      struct shash_desc *desc = cryptd_shash_desc(req);
+-      return crypto_shash_import(&rctx->desc, in);
++      desc->tfm = ctx->child;
++      desc->flags = req->base.flags;
++
++      return crypto_shash_import(desc, in);
+ }
+ static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
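Review bot: The two new assignments in cryptd_hash_import() have no comment, and the reason for them is easy to lose: import can be the first operation on a request, so the child descriptor may never have been set up before `crypto_shash_import()` uses it. I would add `/* import may run without a prior .init(): set up the child desc here */` above `desc->tfm = ctx->child;`. The commit message says the fields are initialised "like they are when calling .init()", but .init() is outside this hunk, so it is worth confirming that `desc->flags = req->base.flags;` matches what .init() assigns.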
diff --git a/queue-4.7/cxl-use-pcibios_free_controller_deferred-when-removing-vphbs.patch b/queue-4.7/cxl-use-pcibios_free_controller_deferred-when-removing-vphbs.patch
new file mode 100644 (file)
index 0000000..9c7cdc7
--- /dev/null
@@ -0,0 +1,68 @@
+From 6f38a8b9a45833495dc878c335c5431cd98a16ed Mon Sep 17 00:00:00 2001
+From: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Date: Thu, 18 Aug 2016 17:35:14 +1000
+Subject: cxl: use pcibios_free_controller_deferred() when removing vPHBs
+
+From: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+
+commit 6f38a8b9a45833495dc878c335c5431cd98a16ed upstream.
+
+When cxl removes a vPHB, it's possible that the pci_controller may be freed
+before all references to the devices on the vPHB have been released. This
+in turn causes an invalid memory access when the devices are eventually
+released, as pcibios_release_device() attempts to call the phb's
+release_device hook.
+
+In cxl_pci_vphb_remove(), remove the existing call to
+pcibios_free_controller(). Instead, use
+pcibios_free_controller_deferred() to free the pci_controller after all
+devices have been released. Export pci_set_host_bridge_release() so we can
+do this.
+
+Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Reviewed-by: Matthew R. Ochs <mrochs@linux.vnet.ibm.com>
+Acked-by: Ian Munsie <imunsie@au1.ibm.com>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/cxl/vphb.c   |   10 +++++++++-
+ drivers/pci/host-bridge.c |    1 +
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/cxl/vphb.c
++++ b/drivers/misc/cxl/vphb.c
+@@ -243,6 +243,11 @@ int cxl_pci_vphb_add(struct cxl_afu *afu
+       if (phb->bus == NULL)
+               return -ENXIO;
++      /* Set release hook on root bus */
++      pci_set_host_bridge_release(to_pci_host_bridge(phb->bus->bridge),
++                                  pcibios_free_controller_deferred,
++                                  (void *) phb);
++
+       /* Claim resources. This might need some rework as well depending
+        * whether we are doing probe-only or not, like assigning unassigned
+        * resources etc...
+@@ -269,7 +274,10 @@ void cxl_pci_vphb_remove(struct cxl_afu
+       afu->phb = NULL;
+       pci_remove_root_bus(phb->bus);
+-      pcibios_free_controller(phb);
++      /*
++       * We don't free phb here - that's handled by
++       * pcibios_free_controller_deferred()
++       */
+ }
+ bool cxl_pci_is_vphb_device(struct pci_dev *dev)
+--- a/drivers/pci/host-bridge.c
++++ b/drivers/pci/host-bridge.c
+@@ -44,6 +44,7 @@ void pci_set_host_bridge_release(struct
+       bridge->release_fn = release_fn;
+       bridge->release_data = release_data;
+ }
++EXPORT_SYMBOL_GPL(pci_set_host_bridge_release);
+ void pcibios_resource_to_bus(struct pci_bus *bus, struct pci_bus_region *region,
+                            struct resource *res)
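Review bot: The replacement comment in cxl_pci_vphb_remove() says where `phb` is freed but not the constraint that follows from it: once `pci_remove_root_bus(phb->bus)` returns, the release hook may already have run, so `phb` must not be touched afterwards. I would make that explicit, e.g. `/* phb may already be freed here by pcibios_free_controller_deferred(); do not dereference it after pci_remove_root_bus() */`. In cxl_pci_vphb_add() the hook is installed before the resource-claiming code that continues outside the hunk; if any later step in that function can fail and free `phb` directly, that path would now free it twice, which should be checked against the full function. The `(void *)` cast on `phb` is not needed in C.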
diff --git a/queue-4.7/devpts-return-null-pts-priv-entry-for-non-devpts-nodes.patch b/queue-4.7/devpts-return-null-pts-priv-entry-for-non-devpts-nodes.patch
new file mode 100644 (file)
index 0000000..ecd1f91
--- /dev/null
@@ -0,0 +1,41 @@
+From 3e423945ea94412283eaba8bfbe9d6e0a80b434f Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat, 3 Sep 2016 11:02:50 -0700
+Subject: devpts: return NULL pts 'priv' entry for non-devpts nodes
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 3e423945ea94412283eaba8bfbe9d6e0a80b434f upstream.
+
+In commit 8ead9dd54716 ("devpts: more pty driver interface cleanups") I
+made devpts_get_priv() just return the dentry->fs_data directly.  And
+because I thought it wouldn't happen, I added a warning if you ever saw
+a pts node that wasn't on devpts.
+
+And no, that warning never triggered under any actual real use, but you
+can trigger it by creating nonsensical pts nodes by hand.
+
+So just revert the warning, and make devpts_get_priv() return NULL for
+that case like it used to.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Eric W Biederman" <ebiederm@xmission.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/devpts/inode.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/devpts/inode.c
++++ b/fs/devpts/inode.c
+@@ -584,7 +584,8 @@ struct dentry *devpts_pty_new(struct pts
+  */
+ void *devpts_get_priv(struct dentry *dentry)
+ {
+-      WARN_ON_ONCE(dentry->d_sb->s_magic != DEVPTS_SUPER_MAGIC);
++      if (dentry->d_sb->s_magic != DEVPTS_SUPER_MAGIC)
++              return NULL;
+       return dentry->d_fsdata;
+ }
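Review bot: The doc comment above devpts_get_priv() (it starts outside the hunk) should state that NULL is now a normal return value for a dentry that is not on devpts, because every caller that dereferences the result has to check for it. Suggested line for that comment: ` * Returns NULL if @dentry is not on a devpts filesystem.` The callers are not part of this patch, so their NULL handling needs to be confirmed separately in the 4.7 tree. Per the commit message this case can be reached with pts nodes created by hand.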
diff --git a/queue-4.7/dm-crypt-fix-error-with-too-large-bios.patch b/queue-4.7/dm-crypt-fix-error-with-too-large-bios.patch
new file mode 100644 (file)
index 0000000..c1c6840
--- /dev/null
@@ -0,0 +1,44 @@
+From 4e870e948fbabf62b78e8410f04c67703e7c816b Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 30 Aug 2016 16:38:42 -0400
+Subject: dm crypt: fix error with too large bios
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 4e870e948fbabf62b78e8410f04c67703e7c816b upstream.
+
+When dm-crypt processes writes, it allocates a new bio in
+crypt_alloc_buffer().  The bio is allocated from a bio set and it can
+have at most BIO_MAX_PAGES vector entries, however the incoming bio can be
+larger (e.g. if it was allocated by bcache).  If the incoming bio is
+larger, bio_alloc_bioset() fails and an error is returned.
+
+To avoid the error, we test for a too large bio in the function
+crypt_map() and use dm_accept_partial_bio() to split the bio.
+dm_accept_partial_bio() trims the current bio to the desired size and
+asks DM core to send another bio with the rest of the data.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-crypt.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -1923,6 +1923,13 @@ static int crypt_map(struct dm_target *t
+               return DM_MAPIO_REMAPPED;
+       }
++      /*
++       * Check if bio is too large, split as needed.
++       */
++      if (unlikely(bio->bi_iter.bi_size > (BIO_MAX_PAGES << PAGE_SHIFT)) &&
++          bio_data_dir(bio) == WRITE)
++              dm_accept_partial_bio(bio, ((BIO_MAX_PAGES << PAGE_SHIFT) >> SECTOR_SHIFT));
++
+       io = dm_per_bio_data(bio, cc->per_bio_data_size);
+       crypt_io_init(io, cc, bio, dm_target_offset(ti, bio->bi_iter.bi_sector));
+       io->ctx.req = (struct skcipher_request *)(io + 1);
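Review bot: The size limit `(BIO_MAX_PAGES << PAGE_SHIFT)` is written out twice in the new check in crypt_map(), once in bytes for the comparison and once shifted to sectors for the split, so a later change has to touch both. A local such as `const unsigned int max_bytes = BIO_MAX_PAGES << PAGE_SHIFT;` used in both places would keep them in step. The comment also does not say why only writes are split; per the commit message it is because writes get a new bio from crypt_alloc_buffer(), e.g. `/* writes are copied into a bio of at most BIO_MAX_PAGES vectors */`. crypt_map() begins and ends outside the hunk.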
diff --git a/queue-4.7/dm-crypt-fix-free-of-bad-values-after-tfm-allocation-failure.patch b/queue-4.7/dm-crypt-fix-free-of-bad-values-after-tfm-allocation-failure.patch
new file mode 100644 (file)
index 0000000..ee62015
--- /dev/null
@@ -0,0 +1,33 @@
+From 5d0be84ec0cacfc7a6d6ea548afdd07d481324cd Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 30 Aug 2016 09:51:44 -0700
+Subject: dm crypt: fix free of bad values after tfm allocation failure
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 5d0be84ec0cacfc7a6d6ea548afdd07d481324cd upstream.
+
+If crypt_alloc_tfms() had to allocate multiple tfms and it failed before
+the last allocation, then it would call crypt_free_tfms() and could free
+pointers from uninitialized memory -- due to the crypt_free_tfms() check
+for non-zero cc->tfms[i].  Fix by allocating zeroed memory.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-crypt.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -1453,7 +1453,7 @@ static int crypt_alloc_tfms(struct crypt
+       unsigned i;
+       int err;
+-      cc->tfms = kmalloc(cc->tfms_count * sizeof(struct crypto_skcipher *),
++      cc->tfms = kzalloc(cc->tfms_count * sizeof(struct crypto_skcipher *),
+                          GFP_KERNEL);
+       if (!cc->tfms)
+               return -ENOMEM;
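Review bot: The allocation in crypt_alloc_tfms() still multiplies `cc->tfms_count * sizeof(struct crypto_skcipher *)` by hand, so zeroing is fixed but the size computation is unchecked. `kcalloc()` gives both the zeroed memory this fix needs and an overflow check on the product: `cc->tfms = kcalloc(cc->tfms_count, sizeof(*cc->tfms), GFP_KERNEL);`. Where `tfms_count` comes from and how it is bounded is outside the hunk, so this is hardening rather than a demonstrated overflow.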
diff --git a/queue-4.7/dm-flakey-fix-reads-to-be-issued-if-drop_writes-configured.patch b/queue-4.7/dm-flakey-fix-reads-to-be-issued-if-drop_writes-configured.patch
new file mode 100644 (file)
index 0000000..143ab2b
--- /dev/null
@@ -0,0 +1,71 @@
+From 299f6230bc6d0ccd5f95bb0fb865d80a9c7d5ccc Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Wed, 24 Aug 2016 21:12:58 -0400
+Subject: dm flakey: fix reads to be issued if drop_writes configured
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit 299f6230bc6d0ccd5f95bb0fb865d80a9c7d5ccc upstream.
+
+v4.8-rc3 commit 99f3c90d0d ("dm flakey: error READ bios during the
+down_interval") overlooked the 'drop_writes' feature, which is meant to
+allow reads to be issued rather than errored, during the down_interval.
+
+Fixes: 99f3c90d0d ("dm flakey: error READ bios during the down_interval")
+Reported-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-flakey.c |   27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+--- a/drivers/md/dm-flakey.c
++++ b/drivers/md/dm-flakey.c
+@@ -289,15 +289,13 @@ static int flakey_map(struct dm_target *
+               pb->bio_submitted = true;
+               /*
+-               * Map reads as normal only if corrupt_bio_byte set.
++               * Error reads if neither corrupt_bio_byte or drop_writes are set.
++               * Otherwise, flakey_end_io() will decide if the reads should be modified.
+                */
+               if (bio_data_dir(bio) == READ) {
+-                      /* If flags were specified, only corrupt those that match. */
+-                      if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) &&
+-                          all_corrupt_bio_flags_match(bio, fc))
+-                              goto map_bio;
+-                      else
++                      if (!fc->corrupt_bio_byte && !test_bit(DROP_WRITES, &fc->flags))
+                               return -EIO;
++                      goto map_bio;
+               }
+               /*
+@@ -334,14 +332,21 @@ static int flakey_end_io(struct dm_targe
+       struct flakey_c *fc = ti->private;
+       struct per_bio_data *pb = dm_per_bio_data(bio, sizeof(struct per_bio_data));
+-      /*
+-       * Corrupt successful READs while in down state.
+-       */
+       if (!error && pb->bio_submitted && (bio_data_dir(bio) == READ)) {
+-              if (fc->corrupt_bio_byte)
++              if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) &&
++                  all_corrupt_bio_flags_match(bio, fc)) {
++                      /*
++                       * Corrupt successful matching READs while in down state.
++                       */
+                       corrupt_bio_data(bio, fc);
+-              else
++
++              } else if (!test_bit(DROP_WRITES, &fc->flags)) {
++                      /*
++                       * Error read during the down_interval if drop_writes
++                       * wasn't configured.
++                       */
+                       return -EIO;
++              }
+       }
+       return error;
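Review bot: The read policy is now split across flakey_map() and flakey_end_io() with different conditions, and nothing in the code says they are meant to be read together. A read with `corrupt_bio_byte` set but `corrupt_bio_rw != READ` and drop_writes unset passes the new check in flakey_map(), is issued to the device, and is then failed with -EIO by the `else if` in flakey_end_io(). If that is intended, a note in flakey_map() would help, e.g. `/* reads that pass here may still be errored in flakey_end_io() */`. Both functions extend beyond their hunks.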
diff --git a/queue-4.7/dm-log-writes-fix-check-of-kthread_run-return-value.patch b/queue-4.7/dm-log-writes-fix-check-of-kthread_run-return-value.patch
new file mode 100644 (file)
index 0000000..ac512f4
--- /dev/null
@@ -0,0 +1,35 @@
+From 91e630d9ae6de6f740ef7c8176736eb55366833e Mon Sep 17 00:00:00 2001
+From: Vladimir Zapolskiy <vz@mleia.com>
+Date: Thu, 10 Mar 2016 01:22:19 +0200
+Subject: dm log writes: fix check of kthread_run() return value
+
+From: Vladimir Zapolskiy <vz@mleia.com>
+
+commit 91e630d9ae6de6f740ef7c8176736eb55366833e upstream.
+
+The kthread_run() function returns either a valid task_struct or
+ERR_PTR() value, check for NULL is invalid.  This change fixes potential
+for oops, e.g. in OOM situation.
+
+Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-log-writes.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-log-writes.c
++++ b/drivers/md/dm-log-writes.c
+@@ -456,9 +456,9 @@ static int log_writes_ctr(struct dm_targ
+               goto bad;
+       }
+-      ret = -EINVAL;
+       lc->log_kthread = kthread_run(log_writes_kthread, lc, "log-write");
+-      if (!lc->log_kthread) {
++      if (IS_ERR(lc->log_kthread)) {
++              ret = PTR_ERR(lc->log_kthread);
+               ti->error = "Couldn't alloc kthread";
+               dm_put_device(ti, lc->dev);
+               dm_put_device(ti, lc->logdev);
diff --git a/queue-4.7/dm-log-writes-move-io-accounting-earlier-to-fix-error-path.patch b/queue-4.7/dm-log-writes-move-io-accounting-earlier-to-fix-error-path.patch
new file mode 100644 (file)
index 0000000..98dd138
--- /dev/null
@@ -0,0 +1,39 @@
+From a5d60783df61fbb67b7596b8a0f6b4b2e05251d5 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 30 Aug 2016 16:11:53 -0400
+Subject: dm log writes: move IO accounting earlier to fix error path
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit a5d60783df61fbb67b7596b8a0f6b4b2e05251d5 upstream.
+
+Move log_one_block()'s atomic_inc(&lc->io_blocks) before bio_alloc() to
+fix a bug that the target hangs if bio_alloc() fails.  The error path
+does put_io_block(lc), so atomic_inc(&lc->io_blocks) must occur before
+invoking the error path to avoid underflow of lc->io_blocks.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Reviewed-by: Josef Bacik <jbacik@fb,com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-log-writes.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-log-writes.c
++++ b/drivers/md/dm-log-writes.c
+@@ -258,12 +258,12 @@ static int log_one_block(struct log_writ
+               goto out;
+       sector++;
++      atomic_inc(&lc->io_blocks);
+       bio = bio_alloc(GFP_KERNEL, block->vec_cnt);
+       if (!bio) {
+               DMERR("Couldn't alloc log bio");
+               goto error;
+       }
+-      atomic_inc(&lc->io_blocks);
+       bio->bi_iter.bi_size = 0;
+       bio->bi_iter.bi_sector = sector;
+       bio->bi_bdev = lc->logdev->bdev;
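Review bot: The moved `atomic_inc(&lc->io_blocks);` in log_one_block() now depends on its position relative to the first `goto error`, and nothing at the call site records that. Per the commit message the error path does `put_io_block(lc)`, so a later reordering would reintroduce the underflow and the hang. I would add `/* must precede any goto error: the error path calls put_io_block() */` above the increment. The `goto out` visible just before it is unaffected; the rest of the function, including the `error` label, is outside the hunk.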
diff --git a/queue-4.7/efi-libstub-allocate-headspace-in-efi_get_memory_map.patch b/queue-4.7/efi-libstub-allocate-headspace-in-efi_get_memory_map.patch
new file mode 100644 (file)
index 0000000..efe2709
--- /dev/null
@@ -0,0 +1,349 @@
+From dadb57abc37499f565b23933dbf49b435c3ba8af Mon Sep 17 00:00:00 2001
+From: Jeffrey Hugo <jhugo@codeaurora.org>
+Date: Mon, 29 Aug 2016 14:38:51 -0600
+Subject: efi/libstub: Allocate headspace in efi_get_memory_map()
+
+From: Jeffrey Hugo <jhugo@codeaurora.org>
+
+commit dadb57abc37499f565b23933dbf49b435c3ba8af upstream.
+
+efi_get_memory_map() allocates a buffer to store the memory map that it
+retrieves.  This buffer may need to be reused by the client after
+ExitBootServices() is called, at which point allocations are not longer
+permitted.  To support this usecase, provide the allocated buffer size back
+to the client, and allocate some additional headroom to account for any
+reasonable growth in the map that is likely to happen between the call to
+efi_get_memory_map() and the client reusing the buffer.
+
+Signed-off-by: Jeffrey Hugo <jhugo@codeaurora.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Leif Lindholm <leif.lindholm@linaro.org>
+Cc: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/boot/compressed/eboot.c               |   18 +++-
+ drivers/firmware/efi/libstub/efi-stub-helper.c |   96 +++++++++++++++++--------
+ drivers/firmware/efi/libstub/fdt.c             |   17 +++-
+ drivers/firmware/efi/libstub/random.c          |   12 ++-
+ include/linux/efi.h                            |   15 ++-
+ 5 files changed, 110 insertions(+), 48 deletions(-)
+
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -1010,7 +1010,7 @@ static efi_status_t exit_boot(struct boo
+                             void *handle, bool is64)
+ {
+       struct efi_info *efi = &boot_params->efi_info;
+-      unsigned long map_sz, key, desc_size;
++      unsigned long map_sz, key, desc_size, buff_size;
+       efi_memory_desc_t *mem_map;
+       struct setup_data *e820ext;
+       const char *signature;
+@@ -1021,14 +1021,20 @@ static efi_status_t exit_boot(struct boo
+       bool called_exit = false;
+       u8 nr_entries;
+       int i;
++      struct efi_boot_memmap map;
+-      nr_desc = 0;
+-      e820ext = NULL;
+-      e820ext_size = 0;
++      nr_desc =       0;
++      e820ext =       NULL;
++      e820ext_size =  0;
++      map.map =       &mem_map;
++      map.map_size =  &map_sz;
++      map.desc_size = &desc_size;
++      map.desc_ver =  &desc_version;
++      map.key_ptr =   &key;
++      map.buff_size = &buff_size;
+ get_map:
+-      status = efi_get_memory_map(sys_table, &mem_map, &map_sz, &desc_size,
+-                                  &desc_version, &key);
++      status = efi_get_memory_map(sys_table, &map);
+       if (status != EFI_SUCCESS)
+               return status;
+--- a/drivers/firmware/efi/libstub/efi-stub-helper.c
++++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
+@@ -41,6 +41,8 @@ static unsigned long __chunk_size = EFI_
+ #define EFI_ALLOC_ALIGN               EFI_PAGE_SIZE
+ #endif
++#define EFI_MMAP_NR_SLACK_SLOTS       8
++
+ struct file_info {
+       efi_file_handle_t *handle;
+       u64 size;
+@@ -63,49 +65,62 @@ void efi_printk(efi_system_table_t *sys_
+       }
+ }
++static inline bool mmap_has_headroom(unsigned long buff_size,
++                                   unsigned long map_size,
++                                   unsigned long desc_size)
++{
++      unsigned long slack = buff_size - map_size;
++
++      return slack / desc_size >= EFI_MMAP_NR_SLACK_SLOTS;
++}
++
+ efi_status_t efi_get_memory_map(efi_system_table_t *sys_table_arg,
+-                              efi_memory_desc_t **map,
+-                              unsigned long *map_size,
+-                              unsigned long *desc_size,
+-                              u32 *desc_ver,
+-                              unsigned long *key_ptr)
++                              struct efi_boot_memmap *map)
+ {
+       efi_memory_desc_t *m = NULL;
+       efi_status_t status;
+       unsigned long key;
+       u32 desc_version;
+-      *map_size = sizeof(*m) * 32;
++      *map->desc_size =       sizeof(*m);
++      *map->map_size =        *map->desc_size * 32;
++      *map->buff_size =       *map->map_size;
+ again:
+-      /*
+-       * Add an additional efi_memory_desc_t because we're doing an
+-       * allocation which may be in a new descriptor region.
+-       */
+-      *map_size += sizeof(*m);
+       status = efi_call_early(allocate_pool, EFI_LOADER_DATA,
+-                              *map_size, (void **)&m);
++                              *map->map_size, (void **)&m);
+       if (status != EFI_SUCCESS)
+               goto fail;
+-      *desc_size = 0;
++      *map->desc_size = 0;
+       key = 0;
+-      status = efi_call_early(get_memory_map, map_size, m,
+-                              &key, desc_size, &desc_version);
+-      if (status == EFI_BUFFER_TOO_SMALL) {
++      status = efi_call_early(get_memory_map, map->map_size, m,
++                              &key, map->desc_size, &desc_version);
++      if (status == EFI_BUFFER_TOO_SMALL ||
++          !mmap_has_headroom(*map->buff_size, *map->map_size,
++                             *map->desc_size)) {
+               efi_call_early(free_pool, m);
++              /*
++               * Make sure there is some entries of headroom so that the
++               * buffer can be reused for a new map after allocations are
++               * no longer permitted.  Its unlikely that the map will grow to
++               * exceed this headroom once we are ready to trigger
++               * ExitBootServices()
++               */
++              *map->map_size += *map->desc_size * EFI_MMAP_NR_SLACK_SLOTS;
++              *map->buff_size = *map->map_size;
+               goto again;
+       }
+       if (status != EFI_SUCCESS)
+               efi_call_early(free_pool, m);
+-      if (key_ptr && status == EFI_SUCCESS)
+-              *key_ptr = key;
+-      if (desc_ver && status == EFI_SUCCESS)
+-              *desc_ver = desc_version;
++      if (map->key_ptr && status == EFI_SUCCESS)
++              *map->key_ptr = key;
++      if (map->desc_ver && status == EFI_SUCCESS)
++              *map->desc_ver = desc_version;
+ fail:
+-      *map = m;
++      *map->map = m;
+       return status;
+ }
+@@ -113,13 +128,20 @@ fail:
+ unsigned long get_dram_base(efi_system_table_t *sys_table_arg)
+ {
+       efi_status_t status;
+-      unsigned long map_size;
++      unsigned long map_size, buff_size;
+       unsigned long membase  = EFI_ERROR;
+       struct efi_memory_map map;
+       efi_memory_desc_t *md;
++      struct efi_boot_memmap boot_map;
+-      status = efi_get_memory_map(sys_table_arg, (efi_memory_desc_t **)&map.map,
+-                                  &map_size, &map.desc_size, NULL, NULL);
++      boot_map.map =          (efi_memory_desc_t **)&map.map;
++      boot_map.map_size =     &map_size;
++      boot_map.desc_size =    &map.desc_size;
++      boot_map.desc_ver =     NULL;
++      boot_map.key_ptr =      NULL;
++      boot_map.buff_size =    &buff_size;
++
++      status = efi_get_memory_map(sys_table_arg, &boot_map);
+       if (status != EFI_SUCCESS)
+               return membase;
+@@ -144,15 +166,22 @@ efi_status_t efi_high_alloc(efi_system_t
+                           unsigned long size, unsigned long align,
+                           unsigned long *addr, unsigned long max)
+ {
+-      unsigned long map_size, desc_size;
++      unsigned long map_size, desc_size, buff_size;
+       efi_memory_desc_t *map;
+       efi_status_t status;
+       unsigned long nr_pages;
+       u64 max_addr = 0;
+       int i;
++      struct efi_boot_memmap boot_map;
++
++      boot_map.map =          &map;
++      boot_map.map_size =     &map_size;
++      boot_map.desc_size =    &desc_size;
++      boot_map.desc_ver =     NULL;
++      boot_map.key_ptr =      NULL;
++      boot_map.buff_size =    &buff_size;
+-      status = efi_get_memory_map(sys_table_arg, &map, &map_size, &desc_size,
+-                                  NULL, NULL);
++      status = efi_get_memory_map(sys_table_arg, &boot_map);
+       if (status != EFI_SUCCESS)
+               goto fail;
+@@ -230,14 +259,21 @@ efi_status_t efi_low_alloc(efi_system_ta
+                          unsigned long size, unsigned long align,
+                          unsigned long *addr)
+ {
+-      unsigned long map_size, desc_size;
++      unsigned long map_size, desc_size, buff_size;
+       efi_memory_desc_t *map;
+       efi_status_t status;
+       unsigned long nr_pages;
+       int i;
++      struct efi_boot_memmap boot_map;
++
++      boot_map.map =          &map;
++      boot_map.map_size =     &map_size;
++      boot_map.desc_size =    &desc_size;
++      boot_map.desc_ver =     NULL;
++      boot_map.key_ptr =      NULL;
++      boot_map.buff_size =    &buff_size;
+-      status = efi_get_memory_map(sys_table_arg, &map, &map_size, &desc_size,
+-                                  NULL, NULL);
++      status = efi_get_memory_map(sys_table_arg, &boot_map);
+       if (status != EFI_SUCCESS)
+               goto fail;
+--- a/drivers/firmware/efi/libstub/fdt.c
++++ b/drivers/firmware/efi/libstub/fdt.c
+@@ -175,13 +175,21 @@ efi_status_t allocate_new_fdt_and_exit_b
+                                           unsigned long fdt_addr,
+                                           unsigned long fdt_size)
+ {
+-      unsigned long map_size, desc_size;
++      unsigned long map_size, desc_size, buff_size;
+       u32 desc_ver;
+       unsigned long mmap_key;
+       efi_memory_desc_t *memory_map, *runtime_map;
+       unsigned long new_fdt_size;
+       efi_status_t status;
+       int runtime_entry_count = 0;
++      struct efi_boot_memmap map;
++
++      map.map =       &runtime_map;
++      map.map_size =  &map_size;
++      map.desc_size = &desc_size;
++      map.desc_ver =  &desc_ver;
++      map.key_ptr =   &mmap_key;
++      map.buff_size = &buff_size;
+       /*
+        * Get a copy of the current memory map that we will use to prepare
+@@ -189,8 +197,7 @@ efi_status_t allocate_new_fdt_and_exit_b
+        * subsequent allocations adding entries, since they could not affect
+        * the number of EFI_MEMORY_RUNTIME regions.
+        */
+-      status = efi_get_memory_map(sys_table, &runtime_map, &map_size,
+-                                  &desc_size, &desc_ver, &mmap_key);
++      status = efi_get_memory_map(sys_table, &map);
+       if (status != EFI_SUCCESS) {
+               pr_efi_err(sys_table, "Unable to retrieve UEFI memory map.\n");
+               return status;
+@@ -199,6 +206,7 @@ efi_status_t allocate_new_fdt_and_exit_b
+       pr_efi(sys_table,
+              "Exiting boot services and installing virtual address map...\n");
++      map.map = &memory_map;
+       /*
+        * Estimate size of new FDT, and allocate memory for it. We
+        * will allocate a bigger buffer if this ends up being too
+@@ -218,8 +226,7 @@ efi_status_t allocate_new_fdt_and_exit_b
+                * we can get the memory map key  needed for
+                * exit_boot_services().
+                */
+-              status = efi_get_memory_map(sys_table, &memory_map, &map_size,
+-                                          &desc_size, &desc_ver, &mmap_key);
++              status = efi_get_memory_map(sys_table, &map);
+               if (status != EFI_SUCCESS)
+                       goto fail_free_new_fdt;
+--- a/drivers/firmware/efi/libstub/random.c
++++ b/drivers/firmware/efi/libstub/random.c
+@@ -73,12 +73,20 @@ efi_status_t efi_random_alloc(efi_system
+                             unsigned long random_seed)
+ {
+       unsigned long map_size, desc_size, total_slots = 0, target_slot;
++      unsigned long buff_size;
+       efi_status_t status;
+       efi_memory_desc_t *memory_map;
+       int map_offset;
++      struct efi_boot_memmap map;
+-      status = efi_get_memory_map(sys_table_arg, &memory_map, &map_size,
+-                                  &desc_size, NULL, NULL);
++      map.map =       &memory_map;
++      map.map_size =  &map_size;
++      map.desc_size = &desc_size;
++      map.desc_ver =  NULL;
++      map.key_ptr =   NULL;
++      map.buff_size = &buff_size;
++
++      status = efi_get_memory_map(sys_table_arg, &map);
+       if (status != EFI_SUCCESS)
+               return status;
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -118,6 +118,15 @@ typedef struct {
+       u32 imagesize;
+ } efi_capsule_header_t;
++struct efi_boot_memmap {
++      efi_memory_desc_t       **map;
++      unsigned long           *map_size;
++      unsigned long           *desc_size;
++      u32                     *desc_ver;
++      unsigned long           *key_ptr;
++      unsigned long           *buff_size;
++};
++
+ /*
+  * EFI capsule flags
+  */
+@@ -1430,11 +1439,7 @@ char *efi_convert_cmdline(efi_system_tab
+                         efi_loaded_image_t *image, int *cmd_line_len);
+ efi_status_t efi_get_memory_map(efi_system_table_t *sys_table_arg,
+-                              efi_memory_desc_t **map,
+-                              unsigned long *map_size,
+-                              unsigned long *desc_size,
+-                              u32 *desc_ver,
+-                              unsigned long *key_ptr);
++                              struct efi_boot_memmap *map);
+ efi_status_t efi_low_alloc(efi_system_table_t *sys_table_arg,
+                          unsigned long size, unsigned long align,
diff --git a/queue-4.7/efi-libstub-introduce-exitbootservices-helper.patch b/queue-4.7/efi-libstub-introduce-exitbootservices-helper.patch
new file mode 100644 (file)
index 0000000..b80b4c7
--- /dev/null
@@ -0,0 +1,136 @@
+From fc07716ba803483be91bc4b2344f9c84985e6f07 Mon Sep 17 00:00:00 2001
+From: Jeffrey Hugo <jhugo@codeaurora.org>
+Date: Mon, 29 Aug 2016 14:38:52 -0600
+Subject: efi/libstub: Introduce ExitBootServices helper
+
+From: Jeffrey Hugo <jhugo@codeaurora.org>
+
+commit fc07716ba803483be91bc4b2344f9c84985e6f07 upstream.
+
+The spec allows ExitBootServices to fail with EFI_INVALID_PARAMETER if a
+race condition has occurred where the EFI has updated the memory map after
+the stub grabbed a reference to the map.  The spec defines a retry
+proceedure with specific requirements to handle this scenario.
+
+This scenario was previously observed on x86 - commit d3768d885c6c ("x86,
+efi: retry ExitBootServices() on failure") but the current fix is not spec
+compliant and the scenario is now observed on the Qualcomm Technologies
+QDF2432 via the FDT stub which does not handle the error and thus causes
+boot failures.  The user will notice the boot failure as the kernel is not
+executed and the system may drop back to a UEFI shell, but will be
+unresponsive to input and the system will require a power cycle to recover.
+
+Add a helper to the stub library that correctly adheres to the spec in the
+case of EFI_INVALID_PARAMETER from ExitBootServices and can be universally
+used across all stub implementations.
+
+Signed-off-by: Jeffrey Hugo <jhugo@codeaurora.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Leif Lindholm <leif.lindholm@linaro.org>
+Cc: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/efi/libstub/efi-stub-helper.c |   73 +++++++++++++++++++++++++
+ include/linux/efi.h                            |   11 +++
+ 2 files changed, 84 insertions(+)
+
+--- a/drivers/firmware/efi/libstub/efi-stub-helper.c
++++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
+@@ -740,3 +740,76 @@ char *efi_convert_cmdline(efi_system_tab
+       *cmd_line_len = options_bytes;
+       return (char *)cmdline_addr;
+ }
++
++/*
++ * Handle calling ExitBootServices according to the requirements set out by the
++ * spec.  Obtains the current memory map, and returns that info after calling
++ * ExitBootServices.  The client must specify a function to perform any
++ * processing of the memory map data prior to ExitBootServices.  A client
++ * specific structure may be passed to the function via priv.  The client
++ * function may be called multiple times.
++ */
++efi_status_t efi_exit_boot_services(efi_system_table_t *sys_table_arg,
++                                  void *handle,
++                                  struct efi_boot_memmap *map,
++                                  void *priv,
++                                  efi_exit_boot_map_processing priv_func)
++{
++      efi_status_t status;
++
++      status = efi_get_memory_map(sys_table_arg, map);
++
++      if (status != EFI_SUCCESS)
++              goto fail;
++
++      status = priv_func(sys_table_arg, map, priv);
++      if (status != EFI_SUCCESS)
++              goto free_map;
++
++      status = efi_call_early(exit_boot_services, handle, *map->key_ptr);
++
++      if (status == EFI_INVALID_PARAMETER) {
++              /*
++               * The memory map changed between efi_get_memory_map() and
++               * exit_boot_services().  Per the UEFI Spec v2.6, Section 6.4:
++               * EFI_BOOT_SERVICES.ExitBootServices we need to get the
++               * updated map, and try again.  The spec implies one retry
++               * should be sufficent, which is confirmed against the EDK2
++               * implementation.  Per the spec, we can only invoke
++               * get_memory_map() and exit_boot_services() - we cannot alloc
++               * so efi_get_memory_map() cannot be used, and we must reuse
++               * the buffer.  For all practical purposes, the headroom in the
++               * buffer should account for any changes in the map so the call
++               * to get_memory_map() is expected to succeed here.
++               */
++              *map->map_size = *map->buff_size;
++              status = efi_call_early(get_memory_map,
++                                      map->map_size,
++                                      *map->map,
++                                      map->key_ptr,
++                                      map->desc_size,
++                                      map->desc_ver);
++
++              /* exit_boot_services() was called, thus cannot free */
++              if (status != EFI_SUCCESS)
++                      goto fail;
++
++              status = priv_func(sys_table_arg, map, priv);
++              /* exit_boot_services() was called, thus cannot free */
++              if (status != EFI_SUCCESS)
++                      goto fail;
++
++              status = efi_call_early(exit_boot_services, handle, *map->key_ptr);
++      }
++
++      /* exit_boot_services() was called, thus cannot free */
++      if (status != EFI_SUCCESS)
++              goto fail;
++
++      return EFI_SUCCESS;
++
++free_map:
++      efi_call_early(free_pool, *map->map);
++fail:
++      return status;
++}
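Review bot: efi_exit_boot_services() dereferences `map->key_ptr` and `map->buff_size` unconditionally, in both exit_boot_services calls and in the `*map->map_size = *map->buff_size` reset of the retry branch. efi_get_memory_map() treats `key_ptr` as optional, and other callers on this page fill the struct with `key_ptr = NULL`. The header comment should state that contract together with the buffer ownership, for example `map->key_ptr and map->buff_size must be non-NULL; *map->map is freed only when priv_func fails on the first pass, otherwise the caller keeps the buffer`. A reader otherwise has to work this out from the `free_map`/`fail` labels, where the repeated "cannot free" comments explain the later paths but not the first one.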
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -1470,4 +1470,15 @@ efi_status_t efi_setup_gop(efi_system_ta
+                          unsigned long size);
+ bool efi_runtime_disabled(void);
++
++typedef efi_status_t (*efi_exit_boot_map_processing)(
++      efi_system_table_t *sys_table_arg,
++      struct efi_boot_memmap *map,
++      void *priv);
++
++efi_status_t efi_exit_boot_services(efi_system_table_t *sys_table,
++                                  void *handle,
++                                  struct efi_boot_memmap *map,
++                                  void *priv,
++                                  efi_exit_boot_map_processing priv_func);
+ #endif /* _LINUX_EFI_H */
diff --git a/queue-4.7/efi-libstub-use-efi_exit_boot_services-in-fdt.patch b/queue-4.7/efi-libstub-use-efi_exit_boot_services-in-fdt.patch
new file mode 100644 (file)
index 0000000..790a978
--- /dev/null
@@ -0,0 +1,89 @@
+From ed9cc156c42ff0c0bf9b1d09df48a12bf0873473 Mon Sep 17 00:00:00 2001
+From: Jeffrey Hugo <jhugo@codeaurora.org>
+Date: Mon, 29 Aug 2016 14:38:53 -0600
+Subject: efi/libstub: Use efi_exit_boot_services() in FDT
+
+From: Jeffrey Hugo <jhugo@codeaurora.org>
+
+commit ed9cc156c42ff0c0bf9b1d09df48a12bf0873473 upstream.
+
+The FDT code directly calls ExitBootServices.  This is inadvisable as the
+UEFI spec details a complex set of errors, race conditions, and API
+interactions that the caller of ExitBootServices must get correct.  The
+FDT code does not handle EFI_INVALID_PARAMETER as required by the spec,
+which causes intermittent boot failures on the Qualcomm Technologies
+QDF2432.  Call the efi_exit_boot_services() helper intead, which handles
+the EFI_INVALID_PARAMETER scenario properly.
+
+Signed-off-by: Jeffrey Hugo <jhugo@codeaurora.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Leif Lindholm <leif.lindholm@linaro.org>
+Cc: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/efi/libstub/fdt.c |   37 +++++++++++++++++++++++++++----------
+ 1 file changed, 27 insertions(+), 10 deletions(-)
+
+--- a/drivers/firmware/efi/libstub/fdt.c
++++ b/drivers/firmware/efi/libstub/fdt.c
+@@ -152,6 +152,27 @@ fdt_set_fail:
+ #define EFI_FDT_ALIGN EFI_PAGE_SIZE
+ #endif
++struct exit_boot_struct {
++      efi_memory_desc_t *runtime_map;
++      int *runtime_entry_count;
++};
++
++static efi_status_t exit_boot_func(efi_system_table_t *sys_table_arg,
++                                 struct efi_boot_memmap *map,
++                                 void *priv)
++{
++      struct exit_boot_struct *p = priv;
++      /*
++       * Update the memory map with virtual addresses. The function will also
++       * populate @runtime_map with copies of just the EFI_MEMORY_RUNTIME
++       * entries so that we can pass it straight to SetVirtualAddressMap()
++       */
++      efi_get_virtmap(*map->map, *map->map_size, *map->desc_size,
++                      p->runtime_map, p->runtime_entry_count);
++
++      return EFI_SUCCESS;
++}
++
+ /*
+  * Allocate memory for a new FDT, then add EFI, commandline, and
+  * initrd related fields to the FDT.  This routine increases the
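Review bot: exit_boot_func() is not obviously safe to run twice, yet efi_exit_boot_services() calls the callback a second time on its EFI_INVALID_PARAMETER retry and hands the same `p->runtime_entry_count` to efi_get_virtmap() each time. efi_get_virtmap() is not visible here; if it increments the count rather than assigning it, the retry would leave a count larger than the number of entries copied into `runtime_map`, which is presumably what later describes the map given to SetVirtualAddressMap(). Resetting it in the callback removes the dependency: `*p->runtime_entry_count = 0;` immediately before the efi_get_virtmap() call.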
+@@ -183,6 +204,7 @@ efi_status_t allocate_new_fdt_and_exit_b
+       efi_status_t status;
+       int runtime_entry_count = 0;
+       struct efi_boot_memmap map;
++      struct exit_boot_struct priv;
+       map.map =       &runtime_map;
+       map.map_size =  &map_size;
+@@ -257,16 +279,11 @@ efi_status_t allocate_new_fdt_and_exit_b
+               }
+       }
+-      /*
+-       * Update the memory map with virtual addresses. The function will also
+-       * populate @runtime_map with copies of just the EFI_MEMORY_RUNTIME
+-       * entries so that we can pass it straight into SetVirtualAddressMap()
+-       */
+-      efi_get_virtmap(memory_map, map_size, desc_size, runtime_map,
+-                      &runtime_entry_count);
+-
+-      /* Now we are ready to exit_boot_services.*/
+-      status = sys_table->boottime->exit_boot_services(handle, mmap_key);
++      sys_table->boottime->free_pool(memory_map);
++      priv.runtime_map = runtime_map;
++      priv.runtime_entry_count = &runtime_entry_count;
++      status = efi_exit_boot_services(sys_table, handle, &map, &priv,
++                                      exit_boot_func);
+       if (status == EFI_SUCCESS) {
+               efi_set_virtual_address_map_t *svam;
diff --git a/queue-4.7/efi-make-for_each_efi_memory_desc_in_map-cope-with-running-on-xen.patch b/queue-4.7/efi-make-for_each_efi_memory_desc_in_map-cope-with-running-on-xen.patch
new file mode 100644 (file)
index 0000000..f5615a6
--- /dev/null
@@ -0,0 +1,39 @@
+From d4c4fed08f31f3746000c46cb1b20bed2959547a Mon Sep 17 00:00:00 2001
+From: Jan Beulich <JBeulich@suse.com>
+Date: Mon, 15 Aug 2016 09:05:45 -0600
+Subject: efi: Make for_each_efi_memory_desc_in_map() cope with running on Xen
+
+From: Jan Beulich <JBeulich@suse.com>
+
+commit d4c4fed08f31f3746000c46cb1b20bed2959547a upstream.
+
+While commit 55f1ea15216 ("efi: Fix for_each_efi_memory_desc_in_map()
+for empty memmaps") made an attempt to deal with empty memory maps, it
+didn't address the case where the map field never gets set, as is
+apparently the case when running under Xen.
+
+Reported-by: <lists@ssl-mail.com>
+Tested-by: <lists@ssl-mail.com>
+Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
+Cc: Jiri Slaby <jslaby@suse.cz>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+[ Guard the loop with a NULL check instead of pointer underflow ]
+Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/efi.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -1005,7 +1005,7 @@ extern int efi_memattr_apply_permissions
+ /* Iterate through an efi_memory_map */
+ #define for_each_efi_memory_desc_in_map(m, md)                                   \
+       for ((md) = (m)->map;                                              \
+-           ((void *)(md) + (m)->desc_size) <= (m)->map_end;              \
++           (md) && ((void *)(md) + (m)->desc_size) <= (m)->map_end;      \
+            (md) = (void *)(md) + (m)->desc_size)
+ /**
diff --git a/queue-4.7/fuse-direct-io-don-t-dirty-iter_bvec-pages.patch b/queue-4.7/fuse-direct-io-don-t-dirty-iter_bvec-pages.patch
new file mode 100644 (file)
index 0000000..5dd4f8e
--- /dev/null
@@ -0,0 +1,66 @@
+From 8fba54aebbdf1f999738121922e74bf796ad60ee Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 24 Aug 2016 18:17:04 +0200
+Subject: fuse: direct-io: don't dirty ITER_BVEC pages
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 8fba54aebbdf1f999738121922e74bf796ad60ee upstream.
+
+When reading from a loop device backed by a fuse file it deadlocks on
+lock_page().
+
+This is because the page is already locked by the read() operation done on
+the loop device.  In this case we don't want to either lock the page or
+dirty it.
+
+So do what fs/direct-io.c does: only dirty the page for ITER_IOVEC vectors.
+
+Reported-by: Sheng Yang <sheng@yasker.org>
+Fixes: aa4d86163e4e ("block: loop: switch to VFS ITER_BVEC")
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Reviewed-by: Sheng Yang <sheng@yasker.org>
+Reviewed-by: Ashish Samant <ashish.samant@oracle.com>
+Tested-by: Sheng Yang <sheng@yasker.org>
+Tested-by: Ashish Samant <ashish.samant@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/file.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -540,13 +540,13 @@ void fuse_read_fill(struct fuse_req *req
+       req->out.args[0].size = count;
+ }
+-static void fuse_release_user_pages(struct fuse_req *req, int write)
++static void fuse_release_user_pages(struct fuse_req *req, bool should_dirty)
+ {
+       unsigned i;
+       for (i = 0; i < req->num_pages; i++) {
+               struct page *page = req->pages[i];
+-              if (write)
++              if (should_dirty)
+                       set_page_dirty_lock(page);
+               put_page(page);
+       }
+@@ -1331,6 +1331,7 @@ ssize_t fuse_direct_io(struct fuse_io_pr
+                      loff_t *ppos, int flags)
+ {
+       int write = flags & FUSE_DIO_WRITE;
++      bool should_dirty = !write && iter_is_iovec(iter);
+       int cuse = flags & FUSE_DIO_CUSE;
+       struct file *file = io->file;
+       struct inode *inode = file->f_mapping->host;
+@@ -1374,7 +1375,7 @@ ssize_t fuse_direct_io(struct fuse_io_pr
+                       nres = fuse_send_read(req, io, pos, nbytes, owner);
+               if (!io->async)
+-                      fuse_release_user_pages(req, !write);
++                      fuse_release_user_pages(req, should_dirty);
+               if (req->out.h.error) {
+                       err = req->out.h.error;
+                       break;
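Review bot: Only the synchronous release is switched to `should_dirty`. In the last hunk the call sits under `if (!io->async)`, so for async requests the pages are released by code outside this diff. If that path still derives its dirty flag from the transfer direction alone, an async direct read into ITER_BVEC pages would still reach set_page_dirty_lock() on a page that is already locked, which is the deadlock the commit message describes. It is worth checking the async completion caller of fuse_release_user_pages() and, if needed, carrying the computed flag on the io object so both paths agree. fuse_direct_io's body continues outside the hunk.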
diff --git a/queue-4.7/ib-hfi1-ib-qib-fix-qp_stats-sleep-with-rcu-read-lock-held.patch b/queue-4.7/ib-hfi1-ib-qib-fix-qp_stats-sleep-with-rcu-read-lock-held.patch
new file mode 100644 (file)
index 0000000..e1127ef
--- /dev/null
@@ -0,0 +1,162 @@
+From c62fb260a86dde3df5b2905432caa0e9f6898434 Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 12 Aug 2016 11:17:37 -0400
+Subject: IB/hfi1,IB/qib: Fix qp_stats sleep with rcu read lock held
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+commit c62fb260a86dde3df5b2905432caa0e9f6898434 upstream.
+
+The qp init function does a kzalloc() while holding the RCU
+lock that encounters the following warning with a debug kernel
+when a cat of the qp_stats is done:
+
+[  231.723948] rcu_scheduler_active = 1, debug_locks = 0
+[  231.731939] 3 locks held by cat/11355:
+[  231.736492]  #0:  (debugfs_srcu){......}, at: [<ffffffff813001a5>] debugfs_use_file_start+0x5/0x90
+[  231.746955]  #1:  (&p->lock){+.+.+.}, at: [<ffffffff81289a6c>] seq_read+0x4c/0x3c0
+[  231.755873]  #2:  (rcu_read_lock){......}, at: [<ffffffffa0a0c535>] _qp_stats_seq_start+0x5/0xd0 [hfi1]
+[  231.766862]
+
+The init functions do an implicit next which requires the rcu read lock
+before the kzalloc().
+
+Fix for both drivers is to change the scope of the init function to only
+do the allocation and the initialization of the just allocated iter.
+
+The implict next is moved back into the respective start functions to fix
+the issue.
+
+Signed-off-by: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/debugfs.c    |   14 +++++++++-----
+ drivers/infiniband/hw/hfi1/qp.c         |    4 ----
+ drivers/infiniband/hw/qib/qib_debugfs.c |   12 +++++++++---
+ drivers/infiniband/hw/qib/qib_qp.c      |    4 ----
+ 4 files changed, 18 insertions(+), 16 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/debugfs.c
++++ b/drivers/infiniband/hw/hfi1/debugfs.c
+@@ -223,28 +223,32 @@ DEBUGFS_SEQ_FILE_OPEN(ctx_stats)
+ DEBUGFS_FILE_OPS(ctx_stats);
+ static void *_qp_stats_seq_start(struct seq_file *s, loff_t *pos)
+-__acquires(RCU)
++      __acquires(RCU)
+ {
+       struct qp_iter *iter;
+       loff_t n = *pos;
+-      rcu_read_lock();
+       iter = qp_iter_init(s->private);
++
++      /* stop calls rcu_read_unlock */
++      rcu_read_lock();
++
+       if (!iter)
+               return NULL;
+-      while (n--) {
++      do {
+               if (qp_iter_next(iter)) {
+                       kfree(iter);
+                       return NULL;
+               }
+-      }
++      } while (n--);
+       return iter;
+ }
+ static void *_qp_stats_seq_next(struct seq_file *s, void *iter_ptr,
+                               loff_t *pos)
++      __must_hold(RCU)
+ {
+       struct qp_iter *iter = iter_ptr;
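Review bot: The change from `while (n--)` to `do { ... } while (n--)` in _qp_stats_seq_start() is easy to misread as an off-by-one. Nothing at the loop says that the extra first pass replaces the qp_iter_next() call this commit removes from qp_iter_init(). A one-line comment above the loop would record that, for example `/* first pass is the initial advance formerly done in qp_iter_init() */`, and the identical loop in the qib_debugfs.c hunk would take the same comment. The `if (!iter) return NULL;` line could also note that it returns with the RCU read lock held on purpose, which the added `/* stop calls rcu_read_unlock */` comment only implies.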
+@@ -259,7 +263,7 @@ static void *_qp_stats_seq_next(struct s
+ }
+ static void _qp_stats_seq_stop(struct seq_file *s, void *iter_ptr)
+-__releases(RCU)
++      __releases(RCU)
+ {
+       rcu_read_unlock();
+ }
+--- a/drivers/infiniband/hw/hfi1/qp.c
++++ b/drivers/infiniband/hw/hfi1/qp.c
+@@ -595,10 +595,6 @@ struct qp_iter *qp_iter_init(struct hfi1
+       iter->dev = dev;
+       iter->specials = dev->rdi.ibdev.phys_port_cnt * 2;
+-      if (qp_iter_next(iter)) {
+-              kfree(iter);
+-              return NULL;
+-      }
+       return iter;
+ }
+--- a/drivers/infiniband/hw/qib/qib_debugfs.c
++++ b/drivers/infiniband/hw/qib/qib_debugfs.c
+@@ -189,27 +189,32 @@ static int _ctx_stats_seq_show(struct se
+ DEBUGFS_FILE(ctx_stats)
+ static void *_qp_stats_seq_start(struct seq_file *s, loff_t *pos)
++      __acquires(RCU)
+ {
+       struct qib_qp_iter *iter;
+       loff_t n = *pos;
+-      rcu_read_lock();
+       iter = qib_qp_iter_init(s->private);
++
++      /* stop calls rcu_read_unlock */
++      rcu_read_lock();
++
+       if (!iter)
+               return NULL;
+-      while (n--) {
++      do {
+               if (qib_qp_iter_next(iter)) {
+                       kfree(iter);
+                       return NULL;
+               }
+-      }
++      } while (n--);
+       return iter;
+ }
+ static void *_qp_stats_seq_next(struct seq_file *s, void *iter_ptr,
+                                  loff_t *pos)
++      __must_hold(RCU)
+ {
+       struct qib_qp_iter *iter = iter_ptr;
+@@ -224,6 +229,7 @@ static void *_qp_stats_seq_next(struct s
+ }
+ static void _qp_stats_seq_stop(struct seq_file *s, void *iter_ptr)
++      __releases(RCU)
+ {
+       rcu_read_unlock();
+ }
+--- a/drivers/infiniband/hw/qib/qib_qp.c
++++ b/drivers/infiniband/hw/qib/qib_qp.c
+@@ -530,10 +530,6 @@ struct qib_qp_iter *qib_qp_iter_init(str
+               return NULL;
+       iter->dev = dev;
+-      if (qib_qp_iter_next(iter)) {
+-              kfree(iter);
+-              return NULL;
+-      }
+       return iter;
+ }
diff --git a/queue-4.7/ib-hfi1-reset-qsfp-on-every-run-through-channel-tuning.patch b/queue-4.7/ib-hfi1-reset-qsfp-on-every-run-through-channel-tuning.patch
new file mode 100644 (file)
index 0000000..eee9e77
--- /dev/null
@@ -0,0 +1,42 @@
+From b5e710195492f682d93097cddac13e594d39a946 Mon Sep 17 00:00:00 2001
+From: Easwar Hariharan <easwar.hariharan@intel.com>
+Date: Mon, 25 Jul 2016 13:40:03 -0700
+Subject: IB/hfi1: Reset QSFP on every run through channel tuning
+
+From: Easwar Hariharan <easwar.hariharan@intel.com>
+
+commit b5e710195492f682d93097cddac13e594d39a946 upstream.
+
+Active QSFP cables were reset only every alternate iteration of the
+channel tuning algorithm instead of every iteration due to incorrect
+reset of the flag that controlled QSFP reset, resulting in using stale
+QSFP status in the channel tuning algorithm.
+
+Fixes: 8ebd4cf1852a ("Add active and optical cable support")
+Reviewed-by: Dean Luick <dean.luick@intel.com>
+Signed-off-by: Easwar Hariharan <easwar.hariharan@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/platform.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/hfi1/platform.c
++++ b/drivers/infiniband/hw/hfi1/platform.c
+@@ -638,9 +638,13 @@ static int tune_active_qsfp(struct hfi1_
+       if (ret)
+               return ret;
++      /*
++       * We'll change the QSFP memory contents from here on out, thus we set a
++       * flag here to remind ourselves to reset the QSFP module. This prevents
++       * reuse of stale settings established in our previous pass through.
++       */
+       if (ppd->qsfp_info.reset_needed) {
+               reset_qsfp(ppd);
+-              ppd->qsfp_info.reset_needed = 0;
+               refresh_qsfp_cache(ppd, &ppd->qsfp_info);
+       } else {
+               ppd->qsfp_info.reset_needed = 1;
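Review bot: The added comment sits above the `if (ppd->qsfp_info.reset_needed)` test but describes the assignment in the `else` branch, so it reads as if the flag were set before it is checked. With the `reset_needed = 0` line removed, nothing in the lines shown clears the flag, so the first pass sets it and every later pass resets the module. Stating that next to the `else` branch would be clearer, for example `/* first pass only sets reset_needed; every later pass resets the module and refreshes the cache */`. tune_active_qsfp continues outside the hunk, so whether the flag is cleared elsewhere is not visible here.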
diff --git a/queue-4.7/ib-uverbs-fix-race-between-uverbs_close-and-remove_one.patch b/queue-4.7/ib-uverbs-fix-race-between-uverbs_close-and-remove_one.patch
new file mode 100644 (file)
index 0000000..2d04372
--- /dev/null
@@ -0,0 +1,125 @@
+From d1e09f304a1d9651c5059ebfeb696dc2effc9b32 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+Date: Sun, 3 Jul 2016 15:28:18 +0300
+Subject: IB/uverbs: Fix race between uverbs_close and remove_one
+
+From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+
+commit d1e09f304a1d9651c5059ebfeb696dc2effc9b32 upstream.
+
+Fixes an oops that might happen if uverbs_close races with
+remove_one.
+
+Both contexts may run ib_uverbs_cleanup_ucontext, it depends
+on the flow.
+
+Currently, there is no protection for a case that remove_one
+didn't make the cleanup it runs to its end, the underlying
+ib_device was freed then uverbs_close will call
+ib_uverbs_cleanup_ucontext and OOPs.
+
+Above might happen if uverbs_close deleted the file from the list
+then remove_one didn't find it and runs to its end.
+
+Fixes to protect against that case by a new cleanup lock so that
+ib_uverbs_cleanup_ucontext will be called always before that
+remove_one is ended.
+
+Fixes: 35d4a0b63dc0 ("IB/uverbs: Fix race between ib_uverbs_open and remove_one")
+Reported-by: Devesh Sharma <devesh.sharma@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/uverbs.h      |    1 
+ drivers/infiniband/core/uverbs_main.c |   37 ++++++++++++++++++++++------------
+ 2 files changed, 25 insertions(+), 13 deletions(-)
+
+--- a/drivers/infiniband/core/uverbs.h
++++ b/drivers/infiniband/core/uverbs.h
+@@ -116,6 +116,7 @@ struct ib_uverbs_event_file {
+ struct ib_uverbs_file {
+       struct kref                             ref;
+       struct mutex                            mutex;
++      struct mutex                            cleanup_mutex; /* protect cleanup */
+       struct ib_uverbs_device                *device;
+       struct ib_ucontext                     *ucontext;
+       struct ib_event_handler                 event_handler;
+--- a/drivers/infiniband/core/uverbs_main.c
++++ b/drivers/infiniband/core/uverbs_main.c
+@@ -931,6 +931,7 @@ static int ib_uverbs_open(struct inode *
+       file->async_file = NULL;
+       kref_init(&file->ref);
+       mutex_init(&file->mutex);
++      mutex_init(&file->cleanup_mutex);
+       filp->private_data = file;
+       kobject_get(&dev->kobj);
+@@ -956,18 +957,20 @@ static int ib_uverbs_close(struct inode
+ {
+       struct ib_uverbs_file *file = filp->private_data;
+       struct ib_uverbs_device *dev = file->device;
+-      struct ib_ucontext *ucontext = NULL;
++
++      mutex_lock(&file->cleanup_mutex);
++      if (file->ucontext) {
++              ib_uverbs_cleanup_ucontext(file, file->ucontext);
++              file->ucontext = NULL;
++      }
++      mutex_unlock(&file->cleanup_mutex);
+       mutex_lock(&file->device->lists_mutex);
+-      ucontext = file->ucontext;
+-      file->ucontext = NULL;
+       if (!file->is_closed) {
+               list_del(&file->list);
+               file->is_closed = 1;
+       }
+       mutex_unlock(&file->device->lists_mutex);
+-      if (ucontext)
+-              ib_uverbs_cleanup_ucontext(file, ucontext);
+       if (file->async_file)
+               kref_put(&file->async_file->ref, ib_uverbs_release_event_file);
+@@ -1181,22 +1184,30 @@ static void ib_uverbs_free_hw_resources(
+       mutex_lock(&uverbs_dev->lists_mutex);
+       while (!list_empty(&uverbs_dev->uverbs_file_list)) {
+               struct ib_ucontext *ucontext;
+-
+               file = list_first_entry(&uverbs_dev->uverbs_file_list,
+                                       struct ib_uverbs_file, list);
+               file->is_closed = 1;
+-              ucontext = file->ucontext;
+               list_del(&file->list);
+-              file->ucontext = NULL;
+               kref_get(&file->ref);
+               mutex_unlock(&uverbs_dev->lists_mutex);
+-              /* We must release the mutex before going ahead and calling
+-               * disassociate_ucontext. disassociate_ucontext might end up
+-               * indirectly calling uverbs_close, for example due to freeing
+-               * the resources (e.g mmput).
+-               */
++
+               ib_uverbs_event_handler(&file->event_handler, &event);
++
++              mutex_lock(&file->cleanup_mutex);
++              ucontext = file->ucontext;
++              file->ucontext = NULL;
++              mutex_unlock(&file->cleanup_mutex);
++
++              /* At this point ib_uverbs_close cannot be running
++               * ib_uverbs_cleanup_ucontext
++               */
+               if (ucontext) {
++                      /* We must release the mutex before going ahead and
++                       * calling disassociate_ucontext. disassociate_ucontext
++                       * might end up indirectly calling uverbs_close,
++                       * for example due to freeing the resources
++                       * (e.g mmput).
++                       */
+                       ib_dev->disassociate_ucontext(ucontext);
+                       ib_uverbs_cleanup_ucontext(file, ucontext);
+               }
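Review bot: The relocated comment in ib_uverbs_free_hw_resources() still says "We must release the mutex" without naming it, and after this change two locks are involved: `lists_mutex`, dropped before ib_uverbs_event_handler(), and the new `cleanup_mutex`, dropped just above the `if (ucontext)` block. Naming both makes the rule checkable, for example `/* Neither lists_mutex nor file->cleanup_mutex may be held here: disassociate_ucontext might indirectly call uverbs_close */`. This matters because ib_uverbs_close() now runs ib_uverbs_cleanup_ucontext() while holding `cleanup_mutex`, so a later edit that widened the locked region here could deadlock against the close path. The `/* protect cleanup */` note on the new field in uverbs.h could likewise say that it serialises ib_uverbs_cleanup_ucontext() between close and device removal.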
diff --git a/queue-4.7/iio-accel-bmc150-reset-chip-at-init-time.patch b/queue-4.7/iio-accel-bmc150-reset-chip-at-init-time.patch
new file mode 100644 (file)
index 0000000..191a0de
--- /dev/null
@@ -0,0 +1,53 @@
+From 1c500840934a138bd6b13556c210516e9301fbee Mon Sep 17 00:00:00 2001
+From: Olof Johansson <olof@lixom.net>
+Date: Thu, 25 Aug 2016 09:45:33 -0700
+Subject: iio: accel: bmc150: reset chip at init time
+
+From: Olof Johansson <olof@lixom.net>
+
+commit 1c500840934a138bd6b13556c210516e9301fbee upstream.
+
+In at least one known setup, the chip comes up in a state where reading
+the chip ID returns garbage unless it's been reset, due to noise on the
+wires during system boot.
+
+All supported chips have the same reset method, and based on the
+datasheets they all need 1.3 or 1.8ms to recover after reset. So, do
+the conservative thing here and always reset the chip.
+
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Reviewed-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/accel/bmc150-accel-core.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/iio/accel/bmc150-accel-core.c
++++ b/drivers/iio/accel/bmc150-accel-core.c
+@@ -67,6 +67,9 @@
+ #define BMC150_ACCEL_REG_PMU_BW               0x10
+ #define BMC150_ACCEL_DEF_BW                   125
++#define BMC150_ACCEL_REG_RESET                        0x14
++#define BMC150_ACCEL_RESET_VAL                        0xB6
++
+ #define BMC150_ACCEL_REG_INT_MAP_0            0x19
+ #define BMC150_ACCEL_INT_MAP_0_BIT_SLOPE      BIT(2)
+@@ -1497,6 +1500,14 @@ static int bmc150_accel_chip_init(struct
+       int ret, i;
+       unsigned int val;
++      /*
++       * Reset chip to get it in a known good state. A delay of 1.8ms after
++       * reset is required according to the data sheets of supported chips.
++       */
++      regmap_write(data->regmap, BMC150_ACCEL_REG_RESET,
++                   BMC150_ACCEL_RESET_VAL);
++      usleep_range(1800, 2500);
++
+       ret = regmap_read(data->regmap, BMC150_ACCEL_REG_CHIP_ID, &val);
+       if (ret < 0) {
+               dev_err(dev, "Error: Reading chip id\n");
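Review bot: The return value of the added `regmap_write()` reset in bmc150_accel_chip_init is discarded, so a failed bus write looks the same as a successful reset, and the chip ID read that follows may still see the garbage the commit message describes. Unless the part is known not to acknowledge the reset command (not visible here), capture it with `ret = regmap_write(data->regmap, BMC150_ACCEL_REG_RESET, BMC150_ACCEL_RESET_VAL);` followed by `if (ret < 0) return ret;`. The function body continues outside the hunk.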
diff --git a/queue-4.7/iio-accel-kxsd9-fix-raw-read-return.patch b/queue-4.7/iio-accel-kxsd9-fix-raw-read-return.patch
new file mode 100644 (file)
index 0000000..5ba7108
--- /dev/null
@@ -0,0 +1,32 @@
+From 7ac61a062f3147dc23e3f12b9dfe7c4dd35f9cb8 Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Tue, 16 Aug 2016 15:33:28 +0200
+Subject: iio: accel: kxsd9: Fix raw read return
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit 7ac61a062f3147dc23e3f12b9dfe7c4dd35f9cb8 upstream.
+
+Any readings from the raw interface of the KXSD9 driver will
+return an empty string, because it does not return
+IIO_VAL_INT but rather some random value from the accelerometer
+to the caller.
+
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/accel/kxsd9.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/accel/kxsd9.c
++++ b/drivers/iio/accel/kxsd9.c
+@@ -160,6 +160,7 @@ static int kxsd9_read_raw(struct iio_dev
+               if (ret < 0)
+                       goto error_ret;
+               *val = ret;
++              ret = IIO_VAL_INT;
+               break;
+       case IIO_CHAN_INFO_SCALE:
+               ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
diff --git a/queue-4.7/iio-accel-kxsd9-fix-scaling-bug.patch b/queue-4.7/iio-accel-kxsd9-fix-scaling-bug.patch
new file mode 100644 (file)
index 0000000..0ccf17b
--- /dev/null
@@ -0,0 +1,40 @@
+From 307fe9dd11ae44d4f8881ee449a7cbac36e1f5de Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Thu, 1 Sep 2016 11:44:35 +0200
+Subject: iio: accel: kxsd9: Fix scaling bug
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit 307fe9dd11ae44d4f8881ee449a7cbac36e1f5de upstream.
+
+All the scaling of the KXSD9 involves multiplication with a
+fraction number < 1.
+
+However the scaling value returned from IIO_INFO_SCALE was
+unpredictable as only the micros of the value was assigned, and
+not the integer part, resulting in scaling like this:
+
+$cat in_accel_scale
+-1057462640.011978
+
+Fix this by assigning zero to the integer part.
+
+Tested-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/accel/kxsd9.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/accel/kxsd9.c
++++ b/drivers/iio/accel/kxsd9.c
+@@ -166,6 +166,7 @@ static int kxsd9_read_raw(struct iio_dev
+               ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
+               if (ret < 0)
+                       goto error_ret;
++              *val = 0;
+               *val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK];
+               ret = IIO_VAL_INT_PLUS_MICRO;
+               break;
diff --git a/queue-4.7/iio-ad799x-fix-buffered-capture-for-ad7991-ad7995-ad7999.patch b/queue-4.7/iio-ad799x-fix-buffered-capture-for-ad7991-ad7995-ad7999.patch
new file mode 100644 (file)
index 0000000..132366e
--- /dev/null
@@ -0,0 +1,35 @@
+From 7d3cc21dab5313a02f2f3ca8164529b828a030d1 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Mon, 11 Jul 2016 13:54:17 +0200
+Subject: iio: ad799x: Fix buffered capture for ad7991/ad7995/ad7999
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+commit 7d3cc21dab5313a02f2f3ca8164529b828a030d1 upstream.
+
+The data buffer for captured mode for the ad799x driver is allocated in the
+update_scan_mode() callback. This callback is not set in the iio_info
+struct for the ad7791/ad7995/ad7999, which means that the data buffer is
+not allocated when a captured transfer is started. As a result the driver
+crashes when the first sample is received. To fix this properly set the
+update_scan_mode() callback.
+
+Fixes: d8dca33027c1 ("staging:iio:ad799x: Preallocate sample buffer")
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/ad799x.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/adc/ad799x.c
++++ b/drivers/iio/adc/ad799x.c
+@@ -533,6 +533,7 @@ static struct attribute_group ad799x_eve
+ static const struct iio_info ad7991_info = {
+       .read_raw = &ad799x_read_raw,
+       .driver_module = THIS_MODULE,
++      .update_scan_mode = ad799x_update_scan_mode,
+ };
+ static const struct iio_info ad7993_4_7_8_noirq_info = {
diff --git a/queue-4.7/iio-adc-at91-unbreak-channel-adc-channel-3.patch b/queue-4.7/iio-adc-at91-unbreak-channel-adc-channel-3.patch
new file mode 100644 (file)
index 0000000..c541db4
--- /dev/null
@@ -0,0 +1,42 @@
+From c2ab447454d498e709d9011c0f2d2945ee321f9b Mon Sep 17 00:00:00 2001
+From: Anders Darander <anders@chargestorm.se>
+Date: Mon, 8 Aug 2016 14:42:16 +0200
+Subject: iio: adc: at91: unbreak channel adc channel 3
+
+From: Anders Darander <anders@chargestorm.se>
+
+commit c2ab447454d498e709d9011c0f2d2945ee321f9b upstream.
+
+The driver always assumes that an input device has been created when
+reading channel 3. This causes a kernel panic when dereferencing
+st->ts_input.
+
+The change was introduced in
+commit 84882b060301 ("iio: adc: at91_adc: Add support for touchscreens
+without TSMR"). Earlier versions only entered that part of the if-else
+statement if only the following flags are set:
+
+AT91_ADC_IER_XRDY | AT91_ADC_IER_YRDY | AT91_ADC_IER_PRDY
+
+Signed-off-by: Anders Darander <anders@chargestorm.se>
+Acked-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/at91_adc.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/adc/at91_adc.c
++++ b/drivers/iio/adc/at91_adc.c
+@@ -381,8 +381,8 @@ static irqreturn_t at91_adc_rl_interrupt
+               st->ts_bufferedmeasure = false;
+               input_report_key(st->ts_input, BTN_TOUCH, 0);
+               input_sync(st->ts_input);
+-      } else if (status & AT91_ADC_EOC(3)) {
+-              /* Conversion finished */
++      } else if (status & AT91_ADC_EOC(3) && st->ts_input) {
++              /* Conversion finished and we've a touchscreen */
+               if (st->ts_bufferedmeasure) {
+                       /*
+                        * Last measurement is always discarded, since it can
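Review bot: The new `st->ts_input` guard in at91_adc_rl_interrupt covers only the `AT91_ADC_EOC(3)` branch, while the branch just above it in the same hunk still passes `st->ts_input` to `input_report_key()` and `input_sync()` with no visible NULL check. The condition for that branch starts outside the hunk, so it is worth confirming it cannot be reached when no input device was created; a NULL dereference in an interrupt handler panics the kernel. As a readability point, the mixed `&`/`&&` test is clearer as `} else if ((status & AT91_ADC_EOC(3)) && st->ts_input) {`.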
diff --git a/queue-4.7/iio-adc-rockchip_saradc-reset-saradc-controller-before-programming-it.patch b/queue-4.7/iio-adc-rockchip_saradc-reset-saradc-controller-before-programming-it.patch
new file mode 100644 (file)
index 0000000..3b235da
--- /dev/null
@@ -0,0 +1,128 @@
+From 543852af8e5902aee8f7c72c89e1513663e0f696 Mon Sep 17 00:00:00 2001
+From: Caesar Wang <wxt@rock-chips.com>
+Date: Wed, 27 Jul 2016 22:24:04 +0800
+Subject: iio: adc: rockchip_saradc: reset saradc controller before programming it
+
+From: Caesar Wang <wxt@rock-chips.com>
+
+commit 543852af8e5902aee8f7c72c89e1513663e0f696 upstream.
+
+SARADC controller needs to be reset before programming it, otherwise
+it will not function properly.
+
+Signed-off-by: Caesar Wang <wxt@rock-chips.com>
+Cc: Jonathan Cameron <jic23@kernel.org>
+Cc: Heiko Stuebner <heiko@sntech.de>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: linux-iio@vger.kernel.org
+Cc: linux-rockchip@lists.infradead.org
+Tested-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/devicetree/bindings/iio/adc/rockchip-saradc.txt |    7 ++
+ drivers/iio/adc/Kconfig                                       |    1 
+ drivers/iio/adc/rockchip_saradc.c                             |   30 ++++++++++
+ 3 files changed, 38 insertions(+)
+
+--- a/Documentation/devicetree/bindings/iio/adc/rockchip-saradc.txt
++++ b/Documentation/devicetree/bindings/iio/adc/rockchip-saradc.txt
+@@ -16,6 +16,11 @@ Required properties:
+ - vref-supply: The regulator supply ADC reference voltage.
+ - #io-channel-cells: Should be 1, see ../iio-bindings.txt
++Optional properties:
++- resets: Must contain an entry for each entry in reset-names if need support
++        this option. See ../reset/reset.txt for details.
++- reset-names: Must include the name "saradc-apb".
++
+ Example:
+       saradc: saradc@2006c000 {
+               compatible = "rockchip,saradc";
+@@ -23,6 +28,8 @@ Example:
+               interrupts = <GIC_SPI 26 IRQ_TYPE_LEVEL_HIGH>;
+               clocks = <&cru SCLK_SARADC>, <&cru PCLK_SARADC>;
+               clock-names = "saradc", "apb_pclk";
++              resets = <&cru SRST_SARADC>;
++              reset-names = "saradc-apb";
+               #io-channel-cells = <1>;
+               vref-supply = <&vcc18>;
+       };
+--- a/drivers/iio/adc/Kconfig
++++ b/drivers/iio/adc/Kconfig
+@@ -377,6 +377,7 @@ config QCOM_SPMI_VADC
+ config ROCKCHIP_SARADC
+       tristate "Rockchip SARADC driver"
+       depends on ARCH_ROCKCHIP || (ARM && COMPILE_TEST)
++      depends on RESET_CONTROLLER
+       help
+         Say yes here to build support for the SARADC found in SoCs from
+         Rockchip.
+--- a/drivers/iio/adc/rockchip_saradc.c
++++ b/drivers/iio/adc/rockchip_saradc.c
+@@ -21,6 +21,8 @@
+ #include <linux/of_device.h>
+ #include <linux/clk.h>
+ #include <linux/completion.h>
++#include <linux/delay.h>
++#include <linux/reset.h>
+ #include <linux/regulator/consumer.h>
+ #include <linux/iio/iio.h>
+@@ -53,6 +55,7 @@ struct rockchip_saradc {
+       struct clk              *clk;
+       struct completion       completion;
+       struct regulator        *vref;
++      struct reset_control    *reset;
+       const struct rockchip_saradc_data *data;
+       u16                     last_val;
+ };
+@@ -190,6 +193,16 @@ static const struct of_device_id rockchi
+ };
+ MODULE_DEVICE_TABLE(of, rockchip_saradc_match);
++/**
++ * Reset SARADC Controller.
++ */
++static void rockchip_saradc_reset_controller(struct reset_control *reset)
++{
++      reset_control_assert(reset);
++      usleep_range(10, 20);
++      reset_control_deassert(reset);
++}
++
+ static int rockchip_saradc_probe(struct platform_device *pdev)
+ {
+       struct rockchip_saradc *info = NULL;
+@@ -218,6 +231,20 @@ static int rockchip_saradc_probe(struct
+       if (IS_ERR(info->regs))
+               return PTR_ERR(info->regs);
++      /*
++       * The reset should be an optional property, as it should work
++       * with old devicetrees as well
++       */
++      info->reset = devm_reset_control_get(&pdev->dev, "saradc-apb");
++      if (IS_ERR(info->reset)) {
++              ret = PTR_ERR(info->reset);
++              if (ret != -ENOENT)
++                      return ret;
++
++              dev_dbg(&pdev->dev, "no reset control found\n");
++              info->reset = NULL;
++      }
++
+       init_completion(&info->completion);
+       irq = platform_get_irq(pdev, 0);
+@@ -252,6 +279,9 @@ static int rockchip_saradc_probe(struct
+               return PTR_ERR(info->vref);
+       }
++      if (info->reset)
++              rockchip_saradc_reset_controller(info->reset);
++
+       /*
+        * Use a default value for the converter clock.
+        * This may become user-configurable in the future.
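Review bot: `rockchip_saradc_reset_controller()` drops the return values of `reset_control_assert()` and `reset_control_deassert()`, so rockchip_saradc_probe carries on as if the controller had been reset even when the deassert failed and the block may still be held in reset. Returning the error from the helper and checking it at the call site in the last hunk would make that failure visible; the log text below is only a suggestion, and if a supported reset controller legitimately lacks assert/deassert the caller could warn instead of failing. The helper's comment also opens with `/**` without the `name - description` line kernel-doc expects, so a plain `/* ... */` would be more accurate. The probe function starts and ends outside the hunks shown.

```c
static int rockchip_saradc_reset_controller(struct reset_control *reset)
{
	int ret;

	ret = reset_control_assert(reset);
	if (ret)
		return ret;

	usleep_range(10, 20);

	return reset_control_deassert(reset);
}

/* ... unchanged: probe up to the vref regulator lookup ... */
	if (info->reset) {
		ret = rockchip_saradc_reset_controller(info->reset);
		if (ret) {
			dev_err(&pdev->dev, "failed to reset controller: %d\n", ret);
			return ret;
		}
	}
```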
diff --git a/queue-4.7/iio-adc-ti_am335x_adc-increase-timeout-value-waiting-for-adc-sample.patch b/queue-4.7/iio-adc-ti_am335x_adc-increase-timeout-value-waiting-for-adc-sample.patch
new file mode 100644 (file)
index 0000000..e0d8180
--- /dev/null
@@ -0,0 +1,61 @@
+From 7175cce1c3f1d8c8840d2004f78f96a3904249b5 Mon Sep 17 00:00:00 2001
+From: Vignesh R <vigneshr@ti.com>
+Date: Wed, 17 Aug 2016 17:43:01 +0530
+Subject: iio: adc: ti_am335x_adc: Increase timeout value waiting for ADC sample
+
+From: Vignesh R <vigneshr@ti.com>
+
+commit 7175cce1c3f1d8c8840d2004f78f96a3904249b5 upstream.
+
+Now that open delay and sample delay for each channel is configurable
+via DT, the default IDLE_TIMEOUT value is not enough as this is
+calculated based on hardcoded macros. This results in driver returning
+EBUSY sometimes. Fix this by increasing the timeout
+value based on maximum value possible to open delay and sample delays
+for each channel.
+
+Fixes: 5dc11e810676e ("iio: adc: ti_am335x_adc: make sample delay, open delay, averaging DT parameters")
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Acked-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/ti_am335x_adc.c      |    2 +-
+ include/linux/mfd/ti_am335x_tscadc.h |    8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/iio/adc/ti_am335x_adc.c
++++ b/drivers/iio/adc/ti_am335x_adc.c
+@@ -382,7 +382,7 @@ static int tiadc_read_raw(struct iio_dev
+       am335x_tsc_se_set_once(adc_dev->mfd_tscadc, step_en);
+-      timeout = jiffies + usecs_to_jiffies
++      timeout = jiffies + msecs_to_jiffies
+                               (IDLE_TIMEOUT * adc_dev->channels);
+       /* Wait for Fifo threshold interrupt */
+       while (1) {
+--- a/include/linux/mfd/ti_am335x_tscadc.h
++++ b/include/linux/mfd/ti_am335x_tscadc.h
+@@ -138,16 +138,16 @@
+ /*
+  * time in us for processing a single channel, calculated as follows:
+  *
+- * num cycles = open delay + (sample delay + conv time) * averaging
++ * max num cycles = open delay + (sample delay + conv time) * averaging
+  *
+- * num cycles: 152 + (1 + 13) * 16 = 376
++ * max num cycles: 262143 + (255 + 13) * 16 = 266431
+  *
+  * clock frequency: 26MHz / 8 = 3.25MHz
+  * clock period: 1 / 3.25MHz = 308ns
+  *
+- * processing time: 376 * 308ns = 116us
++ * max processing time: 266431 * 308ns = 83ms(approx)
+  */
+-#define IDLE_TIMEOUT 116 /* microsec */
++#define IDLE_TIMEOUT 83 /* milliseconds */
+ #define TSCADC_CELLS          2
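Review bot: `IDLE_TIMEOUT` keeps its name while its unit changes from microseconds to milliseconds in a shared header, and only the tiadc_read_raw call site is switched to `msecs_to_jiffies()` in this patch. Any other user of the macro (none is visible here) that still passes it to a microsecond API would silently wait for a different time. Putting the unit in the name, e.g. `#define IDLE_TIMEOUT_MS 83`, would turn a missed call site into a build error instead. The wait loop itself continues outside the hunk, so whether it sleeps or spins for the longer period cannot be judged from here.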
diff --git a/queue-4.7/iio-adc-ti_am335x_adc-protect-fifo1-from-concurrent-access.patch b/queue-4.7/iio-adc-ti_am335x_adc-protect-fifo1-from-concurrent-access.patch
new file mode 100644 (file)
index 0000000..6243f98
--- /dev/null
@@ -0,0 +1,87 @@
+From 90c43ec6997a892448f1f86180a515f59cafd8a3 Mon Sep 17 00:00:00 2001
+From: Vignesh R <vigneshr@ti.com>
+Date: Wed, 17 Aug 2016 17:43:00 +0530
+Subject: iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access
+
+From: Vignesh R <vigneshr@ti.com>
+
+commit 90c43ec6997a892448f1f86180a515f59cafd8a3 upstream.
+
+It is possible that two or more ADC channels can be simultaneously
+requested for raw samples, in which case there can be race in access to
+FIFO data resulting in loss of samples.
+If am335x_tsc_se_set_once() is called again from tiadc_read_raw(), when
+ADC is still acquired to sample one of the channels, the second process
+might be put into uninterruptible sleep state. Fix these issues, by
+protecting FIFO access and channel configurations with a mutex. Since
+tiadc_read_raw() might take anywhere between few microseconds to few
+milliseconds to finish execution (depending on averaging and delay
+values supplied via DT), its better to use mutex instead of spinlock.
+
+Fixes: 7ca6740cd1cd4 ("mfd: input: iio: ti_amm335x: Rework TSC/ADC synchronization")
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/ti_am335x_adc.c |   14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/adc/ti_am335x_adc.c
++++ b/drivers/iio/adc/ti_am335x_adc.c
+@@ -32,6 +32,7 @@
+ struct tiadc_device {
+       struct ti_tscadc_dev *mfd_tscadc;
++      struct mutex fifo1_lock; /* to protect fifo access */
+       int channels;
+       u8 channel_line[8];
+       u8 channel_step[8];
+@@ -360,6 +361,7 @@ static int tiadc_read_raw(struct iio_dev
+               int *val, int *val2, long mask)
+ {
+       struct tiadc_device *adc_dev = iio_priv(indio_dev);
++      int ret = IIO_VAL_INT;
+       int i, map_val;
+       unsigned int fifo1count, read, stepid;
+       bool found = false;
+@@ -373,6 +375,7 @@ static int tiadc_read_raw(struct iio_dev
+       if (!step_en)
+               return -EINVAL;
++      mutex_lock(&adc_dev->fifo1_lock);
+       fifo1count = tiadc_readl(adc_dev, REG_FIFO1CNT);
+       while (fifo1count--)
+               tiadc_readl(adc_dev, REG_FIFO1);
+@@ -389,7 +392,8 @@ static int tiadc_read_raw(struct iio_dev
+               if (time_after(jiffies, timeout)) {
+                       am335x_tsc_se_adc_done(adc_dev->mfd_tscadc);
+-                      return -EAGAIN;
++                      ret = -EAGAIN;
++                      goto err_unlock;
+               }
+       }
+       map_val = adc_dev->channel_step[chan->scan_index];
+@@ -415,8 +419,11 @@ static int tiadc_read_raw(struct iio_dev
+       am335x_tsc_se_adc_done(adc_dev->mfd_tscadc);
+       if (found == false)
+-              return -EBUSY;
+-      return IIO_VAL_INT;
++              ret =  -EBUSY;
++
++err_unlock:
++      mutex_unlock(&adc_dev->fifo1_lock);
++      return ret;
+ }
+ static const struct iio_info tiadc_info = {
+@@ -485,6 +492,7 @@ static int tiadc_probe(struct platform_d
+       tiadc_step_config(indio_dev);
+       tiadc_writel(adc_dev, REG_FIFO1THR, FIFO1_THRESHOLD);
++      mutex_init(&adc_dev->fifo1_lock);
+       err = tiadc_channel_init(indio_dev, adc_dev->channels);
+       if (err < 0)
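Review bot: The `err_unlock` label in tiadc_read_raw is also the normal exit path, because a successful read falls through it with `ret` still set to `IIO_VAL_INT`, so the name suggests an error-only path; `out_unlock:` would describe it better. `ret =  -EBUSY;` also carries a doubled space. The code between the hunks is not visible, so it is worth confirming that no other `return` remains between `mutex_lock(&adc_dev->fifo1_lock)` and the label, since any such path would leave the mutex held and block every later reader.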
diff --git a/queue-4.7/iio-core-fix-iio_val_fractional-sign-handling.patch b/queue-4.7/iio-core-fix-iio_val_fractional-sign-handling.patch
new file mode 100644 (file)
index 0000000..4d944b2
--- /dev/null
@@ -0,0 +1,43 @@
+From 171c0091837c81ed5c949fec6966bb5afff2d1cf Mon Sep 17 00:00:00 2001
+From: Gregor Boirie <gregor.boirie@parrot.com>
+Date: Fri, 2 Sep 2016 20:27:46 +0200
+Subject: iio:core: fix IIO_VAL_FRACTIONAL sign handling
+
+From: Gregor Boirie <gregor.boirie@parrot.com>
+
+commit 171c0091837c81ed5c949fec6966bb5afff2d1cf upstream.
+
+7985e7c100 ("iio: Introduce a new fractional value type") introduced a
+new IIO_VAL_FRACTIONAL value type meant to represent rational type numbers
+expressed by a numerator and denominator combination.
+
+Formating of IIO_VAL_FRACTIONAL values relies upon do_div() usage. This
+fails handling negative values properly since parameters are reevaluated
+as unsigned values.
+Fix this by using div_s64_rem() instead. Computed integer part will carry
+properly signed value. Formatted fractional part will always be positive.
+
+Fixes: 7985e7c100 ("iio: Introduce a new fractional value type")
+Signed-off-by: Gregor Boirie <gregor.boirie@parrot.com>
+Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/industrialio-core.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/industrialio-core.c
++++ b/drivers/iio/industrialio-core.c
+@@ -532,9 +532,8 @@ ssize_t iio_format_value(char *buf, unsi
+                       return sprintf(buf, "%d.%09u\n", vals[0], vals[1]);
+       case IIO_VAL_FRACTIONAL:
+               tmp = div_s64((s64)vals[0] * 1000000000LL, vals[1]);
+-              vals[1] = do_div(tmp, 1000000000LL);
+-              vals[0] = tmp;
+-              return sprintf(buf, "%d.%09u\n", vals[0], vals[1]);
++              vals[0] = (int)div_s64_rem(tmp, 1000000000, &vals[1]);
++              return sprintf(buf, "%d.%09u\n", vals[0], abs(vals[1]));
+       case IIO_VAL_FRACTIONAL_LOG2:
+               tmp = (s64)vals[0] * 1000000000LL >> vals[1];
+               vals[1] = do_div(tmp, 1000000000LL);
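Review bot: In the IIO_VAL_FRACTIONAL case of iio_format_value the sign is carried only by the integer part, so a value between -1 and 0 (for example -1/2) yields `vals[0] == 0` and is printed as a positive number once `abs(vals[1])` strips the sign from the remainder. A guard before the final `sprintf`, such as `if (tmp < 0 && vals[0] == 0) return sprintf(buf, "-0.%09u\n", abs(vals[1]));`, keeps the sign; `div_s64_rem()` takes `tmp` by value, so it is still intact at that point. The IIO_VAL_FRACTIONAL_LOG2 case in the trailing context still uses `do_div()` on a signed `tmp` and looks exposed to the unsigned re-evaluation this commit describes. The function continues outside the hunk.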
diff --git a/queue-4.7/iio-ensure-ret-is-initialized-to-zero-before-entering-do-loop.patch b/queue-4.7/iio-ensure-ret-is-initialized-to-zero-before-entering-do-loop.patch
new file mode 100644 (file)
index 0000000..f92d90d
--- /dev/null
@@ -0,0 +1,45 @@
+From 5dba4b14bafe801083d01e1f400816df7e5a8f2e Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Mon, 5 Sep 2016 15:39:06 +0100
+Subject: iio: ensure ret is initialized to zero before entering do loop
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 5dba4b14bafe801083d01e1f400816df7e5a8f2e upstream.
+
+A recent fix to iio_buffer_read_first_n_outer removed ret from being set by
+a return from wait_event_interruptible and also added a continue in a loop
+which causes the variable ret to not be set when it reaches the end of the
+loop.  Fix this by initializing ret to zero.
+
+Also remove extraneous white space at the end of the loop.
+
+Fixes: fcf68f3c0bb2a5 ("fix sched WARNING "do not call blocking ops when !TASK_RUNNING")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/industrialio-buffer.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -110,7 +110,7 @@ ssize_t iio_buffer_read_first_n_outer(st
+       DEFINE_WAIT_FUNC(wait, woken_wake_function);
+       size_t datum_size;
+       size_t to_wait;
+-      int ret;
++      int ret = 0;
+       if (!indio_dev->info)
+               return -ENODEV;
+@@ -153,7 +153,7 @@ ssize_t iio_buffer_read_first_n_outer(st
+               ret = rb->access->read_first_n(rb, n, buf);
+               if (ret == 0 && (filp->f_flags & O_NONBLOCK))
+                       ret = -EAGAIN;
+-       } while (ret == 0);
++      } while (ret == 0);
+       remove_wait_queue(&rb->pollq, &wait);
+       return ret;
diff --git a/queue-4.7/iio-fix-pressure-data-output-unit-in-hid-sensor-attributes.patch b/queue-4.7/iio-fix-pressure-data-output-unit-in-hid-sensor-attributes.patch
new file mode 100644 (file)
index 0000000..b7331d8
--- /dev/null
@@ -0,0 +1,38 @@
+From 36afb176d3c9580651d7f410ed7f000ec48b5137 Mon Sep 17 00:00:00 2001
+From: "Kweh, Hock Leong" <hock.leong.kweh@intel.com>
+Date: Mon, 29 Aug 2016 18:50:56 +0800
+Subject: iio: fix pressure data output unit in hid-sensor-attributes
+
+From: Kweh, Hock Leong <hock.leong.kweh@intel.com>
+
+commit 36afb176d3c9580651d7f410ed7f000ec48b5137 upstream.
+
+According to IIO ABI definition, IIO_PRESSURE data output unit is
+kilopascal:
+http://lxr.free-electrons.com/source/Documentation/ABI/testing/sysfs-bus-iio
+
+This patch fix output unit of HID pressure sensor IIO driver from pascal to
+kilopascal to follow IIO ABI definition.
+
+Signed-off-by: Kweh, Hock Leong <hock.leong.kweh@intel.com>
+Reviewed-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/common/hid-sensors/hid-sensor-attributes.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
++++ b/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
+@@ -56,8 +56,8 @@ static struct {
+       {HID_USAGE_SENSOR_ALS, 0, 1, 0},
+       {HID_USAGE_SENSOR_ALS, HID_USAGE_SENSOR_UNITS_LUX, 1, 0},
+-      {HID_USAGE_SENSOR_PRESSURE, 0, 100000, 0},
+-      {HID_USAGE_SENSOR_PRESSURE, HID_USAGE_SENSOR_UNITS_PASCAL, 1, 0},
++      {HID_USAGE_SENSOR_PRESSURE, 0, 100, 0},
++      {HID_USAGE_SENSOR_PRESSURE, HID_USAGE_SENSOR_UNITS_PASCAL, 0, 1000},
+ };
+ static int pow_10(unsigned power)
diff --git a/queue-4.7/iio-humidity-am2315-set-up-buffer-timestamps-for-non-zero-values.patch b/queue-4.7/iio-humidity-am2315-set-up-buffer-timestamps-for-non-zero-values.patch
new file mode 100644 (file)
index 0000000..b9348fd
--- /dev/null
@@ -0,0 +1,33 @@
+From 3c68858df7c2f0c4c343bb4702733fe827491f9e Mon Sep 17 00:00:00 2001
+From: Alison Schofield <amsfield22@gmail.com>
+Date: Mon, 11 Jul 2016 08:26:13 -0700
+Subject: iio: humidity: am2315: set up buffer timestamps for non-zero values
+
+From: Alison Schofield <amsfield22@gmail.com>
+
+commit 3c68858df7c2f0c4c343bb4702733fe827491f9e upstream.
+
+Use the iio_pollfunc_store_time parameter during triggered buffer
+set-up to get valid timestamps.
+
+Signed-off-by: Alison Schofield <amsfield22@gmail.com>
+Cc: Daniel Baluta <daniel.baluta@gmail.com>
+Reviewed-By: Tiberiu Breana <tiberiu.a.breana@intel.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/humidity/am2315.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/humidity/am2315.c
++++ b/drivers/iio/humidity/am2315.c
+@@ -244,7 +244,7 @@ static int am2315_probe(struct i2c_clien
+       indio_dev->channels = am2315_channels;
+       indio_dev->num_channels = ARRAY_SIZE(am2315_channels);
+-      ret = iio_triggered_buffer_setup(indio_dev, NULL,
++      ret = iio_triggered_buffer_setup(indio_dev, iio_pollfunc_store_time,
+                                        am2315_trigger_handler, NULL);
+       if (ret < 0) {
+               dev_err(&client->dev, "iio triggered buffer setup failed\n");
diff --git a/queue-4.7/iio-humidity-hdc100x-fix-sensor-data-reads-of-temp-and-humidity.patch b/queue-4.7/iio-humidity-hdc100x-fix-sensor-data-reads-of-temp-and-humidity.patch
new file mode 100644 (file)
index 0000000..f405b73
--- /dev/null
@@ -0,0 +1,87 @@
+From 0d9dcf852334b796bacc7020364afba3122db81e Mon Sep 17 00:00:00 2001
+From: Alison Schofield <amsfield22@gmail.com>
+Date: Mon, 8 Aug 2016 11:14:36 -0700
+Subject: iio: humidity: hdc100x: fix sensor data reads of temp and humidity
+
+From: Alison Schofield <amsfield22@gmail.com>
+
+commit 0d9dcf852334b796bacc7020364afba3122db81e upstream.
+
+Replace the i2c_smbus_read_byte commmands used to retrieve the sensor
+data with an i2c_master_recv command.
+
+The smbus read byte method fails because the device does not expect a
+stop condition after sending the first byte. When we issue the second
+read, we are getting the first byte again. Net effect is that of the 14
+bits used for the measurement, the 8 most significant bits are correct,
+the lower 6 are not.
+
+None of the smbus read protocols follow the pattern this device requires
+(S Addr Rd [A] Data [A] Data NA P), hence the switch to an i2c receive
+transaction.
+
+Applicable from original introduction of this driver, but will require
+backporting due to churn in the code.
+
+Signed-off-by: Alison Schofield <amsfield22@gmail.com>
+Cc: Daniel Baluta <daniel.baluta@gmail.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/humidity/hdc100x.c |   27 +++++++--------------------
+ 1 file changed, 7 insertions(+), 20 deletions(-)
+
+--- a/drivers/iio/humidity/hdc100x.c
++++ b/drivers/iio/humidity/hdc100x.c
+@@ -142,7 +142,7 @@ static int hdc100x_get_measurement(struc
+       struct i2c_client *client = data->client;
+       int delay = data->adc_int_us[chan->address];
+       int ret;
+-      int val;
++      __be16 val;
+       /* start measurement */
+       ret = i2c_smbus_write_byte(client, chan->address);
+@@ -154,26 +154,13 @@ static int hdc100x_get_measurement(struc
+       /* wait for integration time to pass */
+       usleep_range(delay, delay + 1000);
+-      /*
+-       * i2c_smbus_read_word_data cannot() be used here due to the command
+-       * value not being understood and causes NAKs preventing any reading
+-       * from being accessed.
+-       */
+-      ret = i2c_smbus_read_byte(client);
++      /* read measurement */
++      ret = i2c_master_recv(data->client, (char *)&val, sizeof(val));
+       if (ret < 0) {
+-              dev_err(&client->dev, "cannot read high byte measurement");
++              dev_err(&client->dev, "cannot read sensor data\n");
+               return ret;
+       }
+-      val = ret << 8;
+-
+-      ret = i2c_smbus_read_byte(client);
+-      if (ret < 0) {
+-              dev_err(&client->dev, "cannot read low byte measurement");
+-              return ret;
+-      }
+-      val |= ret;
+-
+-      return val;
++      return be16_to_cpu(val);
+ }
+ static int hdc100x_get_heater_status(struct hdc100x_data *data)
+@@ -272,8 +259,8 @@ static int hdc100x_probe(struct i2c_clie
+       struct iio_dev *indio_dev;
+       struct hdc100x_data *data;
+-      if (!i2c_check_functionality(client->adapter,
+-                              I2C_FUNC_SMBUS_WORD_DATA | I2C_FUNC_SMBUS_BYTE))
++      if (!i2c_check_functionality(client->adapter, I2C_FUNC_SMBUS_WORD_DATA |
++                                   I2C_FUNC_SMBUS_BYTE | I2C_FUNC_I2C))
+               return -EOPNOTSUPP;
+       indio_dev = devm_iio_device_alloc(&client->dev, sizeof(*data));
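Review bot: The new `i2c_master_recv()` call in hdc100x_get_measurement is checked only with `ret < 0`, so a transfer that returns fewer bytes than `sizeof(val)` would fall through to `be16_to_cpu(val)` on a stack variable that was never fully written. Comparing against the expected length closes that gap: `if (ret != sizeof(val)) {` with `return ret < 0 ? ret : -EIO;` in the body. As a minor consistency point, the call uses `data->client` although the local `client` is already in scope and is used by the `dev_err()` on the next line.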
diff --git a/queue-4.7/iio-proximity-as3935-set-up-buffer-timestamps-for-non-zero-values.patch b/queue-4.7/iio-proximity-as3935-set-up-buffer-timestamps-for-non-zero-values.patch
new file mode 100644 (file)
index 0000000..b5fb16d
--- /dev/null
@@ -0,0 +1,32 @@
+From f8adf645db03345af2d9a8b6095b02327ea50885 Mon Sep 17 00:00:00 2001
+From: Alison Schofield <amsfield22@gmail.com>
+Date: Mon, 11 Jul 2016 08:26:56 -0700
+Subject: iio: proximity: as3935: set up buffer timestamps for non-zero values
+
+From: Alison Schofield <amsfield22@gmail.com>
+
+commit f8adf645db03345af2d9a8b6095b02327ea50885 upstream.
+
+Use the iio_pollfunc_store_time parameter during triggered buffer
+set-up to get valid timestamps.
+
+Signed-off-by: Alison Schofield <amsfield22@gmail.com>
+Cc: Daniel Baluta <daniel.baluta@gmail.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/proximity/as3935.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/proximity/as3935.c
++++ b/drivers/iio/proximity/as3935.c
+@@ -392,7 +392,7 @@ static int as3935_probe(struct spi_devic
+               return ret;
+       }
+-      ret = iio_triggered_buffer_setup(indio_dev, NULL,
++      ret = iio_triggered_buffer_setup(indio_dev, iio_pollfunc_store_time,
+               &as3935_trigger_handler, NULL);
+       if (ret) {
diff --git a/queue-4.7/iio-sw-trigger-fix-config-group-initialization.patch b/queue-4.7/iio-sw-trigger-fix-config-group-initialization.patch
new file mode 100644 (file)
index 0000000..c99bed7
--- /dev/null
@@ -0,0 +1,36 @@
+From b2f0c09664b72b2f8c581383a9337ac3092e42c8 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Mon, 11 Jul 2016 13:50:01 +0200
+Subject: iio: sw-trigger: Fix config group initialization
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+commit b2f0c09664b72b2f8c581383a9337ac3092e42c8 upstream.
+
+Use the IS_ENABLED() helper macro to ensure that the configfs group is
+initialized either when configfs is built-in or when configfs is built as a
+module. Otherwise software trigger creation will result in undefined
+behaviour when configfs is built as a mdoule since the configfs group for
+the trigger is not properly initialized.
+
+Fixes: b662f809d410 ("iio: core: Introduce IIO software triggers")
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Acked-by: Daniel Baluta <daniel.baluta@intel.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/iio/sw_trigger.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/iio/sw_trigger.h
++++ b/include/linux/iio/sw_trigger.h
+@@ -62,7 +62,7 @@ void iio_swt_group_init_type_name(struct
+                                 const char *name,
+                                 struct config_item_type *type)
+ {
+-#ifdef CONFIG_CONFIGFS_FS
++#if IS_ENABLED(CONFIG_CONFIGFS_FS)
+       config_group_init_type_name(&t->group, name, type);
+ #endif
+ }
diff --git a/queue-4.7/iio-ti-ads1015-fix-a-wrong-pointer-definition.patch b/queue-4.7/iio-ti-ads1015-fix-a-wrong-pointer-definition.patch
new file mode 100644 (file)
index 0000000..9f11fd2
--- /dev/null
@@ -0,0 +1,34 @@
+From 522caebb2c3684f4a1d154526fb5e33f1381e92a Mon Sep 17 00:00:00 2001
+From: Giorgio Dal Molin <giorgio.nicole@arcor.de>
+Date: Tue, 16 Aug 2016 20:43:37 +0200
+Subject: iio:ti-ads1015: fix a wrong pointer definition.
+
+From: Giorgio Dal Molin <giorgio.nicole@arcor.de>
+
+commit 522caebb2c3684f4a1d154526fb5e33f1381e92a upstream.
+
+The call to i2c_get_clientdata(client) returns a struct iio_dev*, not
+the needed struct ads1015_data*. We need here an intermediate step as
+in the function: void ads1015_get_channels_config(struct i2c_client *client).
+
+Signed-off-by: Giorgio Dal Molin <giorgio.nicole@arcor.de>
+Fixes: ecc24e72f437 ("iio: adc: Add TI ADS1015 ADC driver support")
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/ti-ads1015.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ti-ads1015.c
++++ b/drivers/iio/adc/ti-ads1015.c
+@@ -403,7 +403,8 @@ static const struct iio_info ads1015_inf
+ #ifdef CONFIG_OF
+ static int ads1015_get_channels_config_of(struct i2c_client *client)
+ {
+-      struct ads1015_data *data = i2c_get_clientdata(client);
++      struct iio_dev *indio_dev = i2c_get_clientdata(client);
++      struct ads1015_data *data = iio_priv(indio_dev);
+       struct device_node *node;
+       if (!client->dev.of_node ||
diff --git a/queue-4.7/ipv6-don-t-unset-flowi6_proto-in-ipxip6_tnl_xmit.patch b/queue-4.7/ipv6-don-t-unset-flowi6_proto-in-ipxip6_tnl_xmit.patch
new file mode 100644 (file)
index 0000000..2d73fb5
--- /dev/null
@@ -0,0 +1,42 @@
+From ab34380162cbc9b5172afdadf5136643c687bb73 Mon Sep 17 00:00:00 2001
+From: Eli Cooper <elicooper@gmx.com>
+Date: Fri, 26 Aug 2016 23:52:29 +0800
+Subject: ipv6: Don't unset flowi6_proto in ipxip6_tnl_xmit()
+
+From: Eli Cooper <elicooper@gmx.com>
+
+commit ab34380162cbc9b5172afdadf5136643c687bb73 upstream.
+
+Commit 8eb30be0352d0916 ("ipv6: Create ip6_tnl_xmit") unsets
+flowi6_proto in ip4ip6_tnl_xmit() and ip6ip6_tnl_xmit().
+Since xfrm_selector_match() relies on this info, IPv6 packets
+sent by an ip6tunnel cannot be properly selected by their
+protocols after removing it. This patch puts flowi6_proto back.
+
+Fixes: 8eb30be0352d ("ipv6: Create ip6_tnl_xmit")
+Signed-off-by: Eli Cooper <elicooper@gmx.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/ip6_tunnel.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1174,6 +1174,7 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, str
+               encap_limit = t->parms.encap_limit;
+       memcpy(&fl6, &t->fl.u.ip6, sizeof(fl6));
++      fl6.flowi6_proto = IPPROTO_IPIP;
+       dsfield = ipv4_get_dsfield(iph);
+@@ -1233,6 +1234,7 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, str
+               encap_limit = t->parms.encap_limit;
+       memcpy(&fl6, &t->fl.u.ip6, sizeof(fl6));
++      fl6.flowi6_proto = IPPROTO_IPV6;
+       dsfield = ipv6_get_dsfield(ipv6h);
+       if (t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS)
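Review bot: The two added `fl6.flowi6_proto = ...` assignments in ip4ip6_tnl_xmit() and ip6ip6_tnl_xmit() have no comment saying why they must follow the memcpy() from `t->fl.u.ip6`, and the fix depends on that ordering. Per the commit message, xfrm_selector_match() relies on this field, so tunnel traffic with it unset cannot be selected by protocol, which for IPsec policy is a matching gap and not a cosmetic one. A one-line comment above each assignment would protect it from a later cleanup, e.g. `/* xfrm_selector_match() needs the inner protocol; set it after copying the flow template */`. Both function bodies start and end outside the hunks.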
diff --git a/queue-4.7/kernfs-don-t-depend-on-d_find_any_alias-when-generating-notifications.patch b/queue-4.7/kernfs-don-t-depend-on-d_find_any_alias-when-generating-notifications.patch
new file mode 100644 (file)
index 0000000..7cab88a
--- /dev/null
@@ -0,0 +1,88 @@
+From df6a58c5c5aa8ecb1e088ecead3fa33ae70181f1 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Fri, 17 Jun 2016 17:51:17 -0400
+Subject: kernfs: don't depend on d_find_any_alias() when generating notifications
+
+From: Tejun Heo <tj@kernel.org>
+
+commit df6a58c5c5aa8ecb1e088ecead3fa33ae70181f1 upstream.
+
+kernfs_notify_workfn() sends out file modified events for the
+scheduled kernfs_nodes.  Because the modifications aren't from
+userland, it doesn't have the matching file struct at hand and can't
+use fsnotify_modify().  Instead, it looked up the inode and then used
+d_find_any_alias() to find the dentry and used fsnotify_parent() and
+fsnotify() directly to generate notifications.
+
+The assumption was that the relevant dentries would have been pinned
+if there are listeners, which isn't true as inotify doesn't pin
+dentries at all and watching the parent doesn't pin the child dentries
+even for dnotify.  This led to, for example, inotify watchers not
+getting notifications if the system is under memory pressure and the
+matching dentries got reclaimed.  It can also be triggered through
+/proc/sys/vm/drop_caches or a remount attempt which involves shrinking
+dcache.
+
+fsnotify_parent() only uses the dentry to access the parent inode,
+which kernfs can do easily.  Update kernfs_notify_workfn() so that it
+uses fsnotify() directly for both the parent and target inodes without
+going through d_find_any_alias().  While at it, supply the target file
+name to fsnotify() from kernfs_node->name.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
+Fixes: d911d9874801 ("kernfs: make kernfs_notify() trigger inotify events too")
+Cc: John McCutchan <john@johnmccutchan.com>
+Cc: Robert Love <rlove@rlove.org>
+Cc: Eric Paris <eparis@parisplace.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/kernfs/file.c |   28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+--- a/fs/kernfs/file.c
++++ b/fs/kernfs/file.c
+@@ -840,21 +840,35 @@ repeat:
+       mutex_lock(&kernfs_mutex);
+       list_for_each_entry(info, &kernfs_root(kn)->supers, node) {
++              struct kernfs_node *parent;
+               struct inode *inode;
+-              struct dentry *dentry;
++              /*
++               * We want fsnotify_modify() on @kn but as the
++               * modifications aren't originating from userland don't
++               * have the matching @file available.  Look up the inodes
++               * and generate the events manually.
++               */
+               inode = ilookup(info->sb, kn->ino);
+               if (!inode)
+                       continue;
+-              dentry = d_find_any_alias(inode);
+-              if (dentry) {
+-                      fsnotify_parent(NULL, dentry, FS_MODIFY);
+-                      fsnotify(inode, FS_MODIFY, inode, FSNOTIFY_EVENT_INODE,
+-                               NULL, 0);
+-                      dput(dentry);
++              parent = kernfs_get_parent(kn);
++              if (parent) {
++                      struct inode *p_inode;
++
++                      p_inode = ilookup(info->sb, parent->ino);
++                      if (p_inode) {
++                              fsnotify(p_inode, FS_MODIFY | FS_EVENT_ON_CHILD,
++                                       inode, FSNOTIFY_EVENT_INODE, kn->name, 0);
++                              iput(p_inode);
++                      }
++
++                      kernfs_put(parent);
+               }
++              fsnotify(inode, FS_MODIFY, inode, FSNOTIFY_EVENT_INODE,
++                       kn->name, 0);
+               iput(inode);
+       }
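Review bot: Both new fsnotify() calls pass `kn->name`, and nothing in the hunk says what keeps that string stable while the event is generated. The loop runs after `mutex_lock(&kernfs_mutex)`, which presumably also serialises renames, but that is not visible here. If it holds, a short comment above the first call would record the dependency, e.g. `/* kn->name is stable here: kernfs_mutex is held */`. The return values of both fsnotify() calls are ignored, as they were in the removed code. The enclosing function starts and ends outside the hunk.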
diff --git a/queue-4.7/kexec-fix-double-free-when-failing-to-relocate-the-purgatory.patch b/queue-4.7/kexec-fix-double-free-when-failing-to-relocate-the-purgatory.patch
new file mode 100644 (file)
index 0000000..85c83f3
--- /dev/null
@@ -0,0 +1,69 @@
+From 070c43eea5043e950daa423707ae3c77e2f48edb Mon Sep 17 00:00:00 2001
+From: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
+Date: Thu, 1 Sep 2016 16:14:44 -0700
+Subject: kexec: fix double-free when failing to relocate the purgatory
+
+From: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
+
+commit 070c43eea5043e950daa423707ae3c77e2f48edb upstream.
+
+If kexec_apply_relocations fails, kexec_load_purgatory frees pi->sechdrs
+and pi->purgatory_buf.  This is redundant, because in case of error
+kimage_file_prepare_segments calls kimage_file_post_load_cleanup, which
+will also free those buffers.
+
+This causes two warnings like the following, one for pi->sechdrs and the
+other for pi->purgatory_buf:
+
+  kexec-bzImage64: Loading purgatory failed
+  ------------[ cut here ]------------
+  WARNING: CPU: 1 PID: 2119 at mm/vmalloc.c:1490 __vunmap+0xc1/0xd0
+  Trying to vfree() nonexistent vm area (ffffc90000e91000)
+  Modules linked in:
+  CPU: 1 PID: 2119 Comm: kexec Not tainted 4.8.0-rc3+ #5
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+  Call Trace:
+    dump_stack+0x4d/0x65
+    __warn+0xcb/0xf0
+    warn_slowpath_fmt+0x4f/0x60
+    ? find_vmap_area+0x19/0x70
+    ? kimage_file_post_load_cleanup+0x47/0xb0
+    __vunmap+0xc1/0xd0
+    vfree+0x2e/0x70
+    kimage_file_post_load_cleanup+0x5e/0xb0
+    SyS_kexec_file_load+0x448/0x680
+    ? putname+0x54/0x60
+    ? do_sys_open+0x190/0x1f0
+    entry_SYSCALL_64_fastpath+0x13/0x8f
+  ---[ end trace 158bb74f5950ca2b ]---
+
+Fix by setting pi->sechdrs an pi->purgatory_buf to NULL, since vfree
+won't try to free a NULL pointer.
+
+Link: http://lkml.kernel.org/r/1472083546-23683-1-git-send-email-bauerman@linux.vnet.ibm.com
+Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
+Acked-by: Baoquan He <bhe@redhat.com>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: Vivek Goyal <vgoyal@redhat.com>
+Cc: Dave Young <dyoung@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/kexec_file.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/kexec_file.c
++++ b/kernel/kexec_file.c
+@@ -887,7 +887,10 @@ int kexec_load_purgatory(struct kimage *
+       return 0;
+ out:
+       vfree(pi->sechdrs);
++      pi->sechdrs = NULL;
++
+       vfree(pi->purgatory_buf);
++      pi->purgatory_buf = NULL;
+       return ret;
+ }
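Review bot: The added `pi->sechdrs = NULL;` and `pi->purgatory_buf = NULL;` after `out:` only make sense once you know there is a second owner: per the commit message, kimage_file_post_load_cleanup() frees the same two pointers later on the error path. Without a comment the assignments look redundant and could be dropped in a cleanup, which would bring the double vfree() back. I would add above them `/* kimage_file_post_load_cleanup() frees these too; NULL them so its vfree() is a no-op */`. Whether every caller of kexec_load_purgatory() reaches that cleanup is not visible here, which is a reason to keep the local vfree() calls instead of removing them. The function body starts outside the hunk.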
diff --git a/queue-4.7/kvm-arm-unmap-shadow-pagetables-properly.patch b/queue-4.7/kvm-arm-unmap-shadow-pagetables-properly.patch
new file mode 100644 (file)
index 0000000..7fc789b
--- /dev/null
@@ -0,0 +1,92 @@
+From 293f293637b55db4f9f522a5a72514e98a541076 Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Thu, 8 Sep 2016 16:25:49 +0100
+Subject: kvm-arm: Unmap shadow pagetables properly
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+commit 293f293637b55db4f9f522a5a72514e98a541076 upstream.
+
+On arm/arm64, we depend on the kvm_unmap_hva* callbacks (via
+mmu_notifiers::invalidate_*) to unmap the stage2 pagetables when
+the userspace buffer gets unmapped. However, when the Hypervisor
+process exits without explicit unmap of the guest buffers, the only
+notifier we get is kvm_arch_flush_shadow_all() (via mmu_notifier::release
+) which does nothing on arm. Later this causes us to access pages that
+were already released [via exit_mmap() -> unmap_vmas()] when we actually
+get to unmap the stage2 pagetable [via kvm_arch_destroy_vm() ->
+kvm_free_stage2_pgd()]. This triggers crashes with CONFIG_DEBUG_PAGEALLOC,
+which unmaps any free'd pages from the linear map.
+
+ [  757.644120] Unable to handle kernel paging request at virtual address
+  ffff800661e00000
+ [  757.652046] pgd = ffff20000b1a2000
+ [  757.655471] [ffff800661e00000] *pgd=00000047fffe3003, *pud=00000047fcd8c003,
+  *pmd=00000047fcc7c003, *pte=00e8004661e00712
+ [  757.666492] Internal error: Oops: 96000147 [#3] PREEMPT SMP
+ [  757.672041] Modules linked in:
+ [  757.675100] CPU: 7 PID: 3630 Comm: qemu-system-aar Tainted: G      D
+ 4.8.0-rc1 #3
+ [  757.683240] Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board,
+  BIOS 3.06.15 Aug 19 2016
+ [  757.692938] task: ffff80069cdd3580 task.stack: ffff8006adb7c000
+ [  757.698840] PC is at __flush_dcache_area+0x1c/0x40
+ [  757.703613] LR is at kvm_flush_dcache_pmd+0x60/0x70
+ [  757.708469] pc : [<ffff20000809dbdc>] lr : [<ffff2000080b4a70>] pstate: 20000145
+ ...
+ [  758.357249] [<ffff20000809dbdc>] __flush_dcache_area+0x1c/0x40
+ [  758.363059] [<ffff2000080b6748>] unmap_stage2_range+0x458/0x5f0
+ [  758.368954] [<ffff2000080b708c>] kvm_free_stage2_pgd+0x34/0x60
+ [  758.374761] [<ffff2000080b2280>] kvm_arch_destroy_vm+0x20/0x68
+ [  758.380570] [<ffff2000080aa330>] kvm_put_kvm+0x210/0x358
+ [  758.385860] [<ffff2000080aa524>] kvm_vm_release+0x2c/0x40
+ [  758.391239] [<ffff2000082ad234>] __fput+0x114/0x2e8
+ [  758.396096] [<ffff2000082ad46c>] ____fput+0xc/0x18
+ [  758.400869] [<ffff200008104658>] task_work_run+0x108/0x138
+ [  758.406332] [<ffff2000080dc8ec>] do_exit+0x48c/0x10e8
+ [  758.411363] [<ffff2000080dd5fc>] do_group_exit+0x6c/0x130
+ [  758.416739] [<ffff2000080ed924>] get_signal+0x284/0xa18
+ [  758.421943] [<ffff20000808a098>] do_signal+0x158/0x860
+ [  758.427060] [<ffff20000808aad4>] do_notify_resume+0x6c/0x88
+ [  758.432608] [<ffff200008083624>] work_pending+0x10/0x14
+ [  758.437812] Code: 9ac32042 8b010001 d1000443 8a230000 (d50b7e20)
+
+This patch fixes the issue by moving the kvm_free_stage2_pgd() to
+kvm_arch_flush_shadow_all().
+
+Tested-by: Itaru Kitayama <itaru.kitayama@riken.jp>
+Reported-by: Itaru Kitayama <itaru.kitayama@riken.jp>
+Reported-by: James Morse <james.morse@arm.com>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kvm/arm.c |    2 --
+ arch/arm/kvm/mmu.c |    1 +
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/arm/kvm/arm.c
++++ b/arch/arm/kvm/arm.c
+@@ -157,8 +157,6 @@ void kvm_arch_destroy_vm(struct kvm *kvm
+ {
+       int i;
+-      kvm_free_stage2_pgd(kvm);
+-
+       for (i = 0; i < KVM_MAX_VCPUS; ++i) {
+               if (kvm->vcpus[i]) {
+                       kvm_arch_vcpu_free(kvm->vcpus[i]);
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -1909,6 +1909,7 @@ void kvm_arch_memslots_updated(struct kv
+ void kvm_arch_flush_shadow_all(struct kvm *kvm)
+ {
++      kvm_free_stage2_pgd(kvm);
+ }
+ void kvm_arch_flush_shadow_memslot(struct kvm *kvm,
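Review bot: With `kvm_free_stage2_pgd(kvm)` moved into kvm_arch_flush_shadow_all(), the stage-2 tables are torn down from the mmu_notifier release path instead of at final VM destruction, and the hunk does not show what protects that teardown against other code still walking or unmapping stage-2 entries. The change also relies on kvm_arch_flush_shadow_all() running on every teardown path and on kvm_free_stage2_pgd() tolerating a repeat call, since kvm_arch_destroy_vm() no longer frees the tables itself. Neither property is visible here. I would confirm the locking inside kvm_free_stage2_pgd() (presumably kvm->mmu_lock) and record the contract in the new body, e.g. `/* Frees the stage-2 tables at mmu_notifier release; must be safe against concurrent unmap and repeated calls */`.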
diff --git a/queue-4.7/kvm-s390-don-t-use-current-thread.fpu.-when-accessing-registers.patch b/queue-4.7/kvm-s390-don-t-use-current-thread.fpu.-when-accessing-registers.patch
new file mode 100644 (file)
index 0000000..605ea34
--- /dev/null
@@ -0,0 +1,55 @@
+From a7d4b8f2565ad0dfdff9a222d1d87990c73b36e8 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Date: Tue, 16 Aug 2016 14:38:24 +0200
+Subject: KVM: s390: don't use current->thread.fpu.* when accessing registers
+
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+
+commit a7d4b8f2565ad0dfdff9a222d1d87990c73b36e8 upstream.
+
+As the meaning of these variables and pointers seems to change more
+frequently, let's directly access our save area, instead of going via
+current->thread.
+
+Right now, this is broken for set/get_fpu. They simply overwrite the
+host registers, as the pointers to the current save area were turned
+into the static host save area.
+
+Fixes: 3f6813b9a5e0 ("s390/fpu: allocate 'struct fpu' with the task_struct")
+Reported-by: Hao QingFeng <haoqf@linux.vnet.ibm.com>
+Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/kvm-s390.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -1951,9 +1951,10 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct k
+               return -EINVAL;
+       current->thread.fpu.fpc = fpu->fpc;
+       if (MACHINE_HAS_VX)
+-              convert_fp_to_vx(current->thread.fpu.vxrs, (freg_t *)fpu->fprs);
++              convert_fp_to_vx((__vector128 *) vcpu->run->s.regs.vrs,
++                               (freg_t *) fpu->fprs);
+       else
+-              memcpy(current->thread.fpu.fprs, &fpu->fprs, sizeof(fpu->fprs));
++              memcpy(vcpu->run->s.regs.fprs, &fpu->fprs, sizeof(fpu->fprs));
+       return 0;
+ }
+@@ -1962,9 +1963,10 @@ int kvm_arch_vcpu_ioctl_get_fpu(struct k
+       /* make sure we have the latest values */
+       save_fpu_regs();
+       if (MACHINE_HAS_VX)
+-              convert_vx_to_fp((freg_t *)fpu->fprs, current->thread.fpu.vxrs);
++              convert_vx_to_fp((freg_t *) fpu->fprs,
++                               (__vector128 *) vcpu->run->s.regs.vrs);
+       else
+-              memcpy(fpu->fprs, current->thread.fpu.fprs, sizeof(fpu->fprs));
++              memcpy(fpu->fprs, vcpu->run->s.regs.fprs, sizeof(fpu->fprs));
+       fpu->fpc = current->thread.fpu.fpc;
+       return 0;
+ }
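Review bot: After this change both ioctls access the floating-point registers through `vcpu->run->s.regs` but still use `current->thread.fpu.fpc` for the control word (`current->thread.fpu.fpc = fpu->fpc;` and `fpu->fpc = current->thread.fpu.fpc;` remain as context lines). The commit message says the old register path overwrote host registers, so a reader will ask whether fpc has the same problem. If it is safe because fpc is held by value and not reached through the save-area pointer, that deserves a comment beside each line, e.g. `/* fpc is stored by value in thread.fpu, unlike the register save area */` (an inference to confirm). The new `(__vector128 *)` casts also hide the declared type of `s.regs.vrs`, so a short note on why the cast is needed would help. Both function bodies start outside the hunks.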
diff --git a/queue-4.7/kvm-x86-correctly-reset-dest_map-vector-when-restoring-lapic-state.patch b/queue-4.7/kvm-x86-correctly-reset-dest_map-vector-when-restoring-lapic-state.patch
new file mode 100644 (file)
index 0000000..54f7f2b
--- /dev/null
@@ -0,0 +1,66 @@
+From b0eaf4506f5f95d15d6731d72c0ddf4a2179eefa Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 14 Sep 2016 23:39:12 +0200
+Subject: kvm: x86: correctly reset dest_map->vector when restoring LAPIC state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit b0eaf4506f5f95d15d6731d72c0ddf4a2179eefa upstream.
+
+When userspace sends KVM_SET_LAPIC, KVM schedules a check between
+the vCPU's IRR and ISR and the IOAPIC redirection table, in order
+to re-establish the IOAPIC's dest_map (the list of CPUs servicing
+the real-time clock interrupt with the corresponding vectors).
+
+However, __rtc_irq_eoi_tracking_restore_one was forgetting to
+set dest_map->vectors.  Because of this, the IOAPIC did not process
+the real-time clock interrupt EOI, ioapic->rtc_status.pending_eoi
+got stuck at a non-zero value, and further RTC interrupts were
+reported to userspace as coalesced.
+
+Fixes: 9e4aabe2bb3454c83dac8139cf9974503ee044db
+Fixes: 4d99ba898dd0c521ca6cdfdde55c9b58aea3cb3d
+Cc: Joerg Roedel <jroedel@suse.de>
+Cc: David Gilbert <dgilbert@redhat.com>
+Reviewed-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/ioapic.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/ioapic.c
++++ b/arch/x86/kvm/ioapic.c
+@@ -109,6 +109,7 @@ static void __rtc_irq_eoi_tracking_resto
+ {
+       bool new_val, old_val;
+       struct kvm_ioapic *ioapic = vcpu->kvm->arch.vioapic;
++      struct dest_map *dest_map = &ioapic->rtc_status.dest_map;
+       union kvm_ioapic_redirect_entry *e;
+       e = &ioapic->redirtbl[RTC_GSI];
+@@ -117,16 +118,17 @@ static void __rtc_irq_eoi_tracking_resto
+               return;
+       new_val = kvm_apic_pending_eoi(vcpu, e->fields.vector);
+-      old_val = test_bit(vcpu->vcpu_id, ioapic->rtc_status.dest_map.map);
++      old_val = test_bit(vcpu->vcpu_id, dest_map->map);
+       if (new_val == old_val)
+               return;
+       if (new_val) {
+-              __set_bit(vcpu->vcpu_id, ioapic->rtc_status.dest_map.map);
++              __set_bit(vcpu->vcpu_id, dest_map->map);
++              dest_map->vectors[vcpu->vcpu_id] = e->fields.vector;
+               ioapic->rtc_status.pending_eoi++;
+       } else {
+-              __clear_bit(vcpu->vcpu_id, ioapic->rtc_status.dest_map.map);
++              __clear_bit(vcpu->vcpu_id, dest_map->map);
+               ioapic->rtc_status.pending_eoi--;
+               rtc_status_pending_eoi_check_valid(ioapic);
+       }
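Review bot: The added store `dest_map->vectors[vcpu->vcpu_id] = e->fields.vector;` indexes an array by vcpu_id, and the declaration of `vectors` is not part of this hunk, so its bound cannot be checked here. The bitmap `dest_map->map` is indexed by the same id, so both must be sized for the largest permitted vcpu_id and not for the number of vCPUs. Because userspace supplies the id at vCPU creation, a mismatch would be an out-of-bounds write in the host kernel. I would confirm the two declarations agree and note the shared index space at the store, e.g. `/* vectors[] and map are both indexed by vcpu_id */`. The function body starts and ends outside the hunks.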
diff --git a/queue-4.7/md-cluster-make-md-cluster-also-can-work-when-compiled-into-kernel.patch b/queue-4.7/md-cluster-make-md-cluster-also-can-work-when-compiled-into-kernel.patch
new file mode 100644 (file)
index 0000000..c844690
--- /dev/null
@@ -0,0 +1,51 @@
+From 47a7b0d8888c04c9746812820b6e60553cc77bbc Mon Sep 17 00:00:00 2001
+From: Guoqing Jiang <gqjiang@suse.com>
+Date: Sun, 4 Sep 2016 22:17:28 -0400
+Subject: md-cluster: make md-cluster also can work when compiled into kernel
+
+From: Guoqing Jiang <gqjiang@suse.com>
+
+commit 47a7b0d8888c04c9746812820b6e60553cc77bbc upstream.
+
+The md-cluster is compiled as module by default,
+if it is compiled by built-in way, then we can't
+make md-cluster works.
+
+[64782.630008] md/raid1:md127: active with 2 out of 2 mirrors
+[64782.630528] md-cluster module not found.
+[64782.630530] md127: Could not setup cluster service (-2)
+
+Fixes: edb39c9 ("Introduce md_cluster_operations to handle cluster functions")
+Reported-by: Marc Smith <marc.smith@mcc.edu>
+Reviewed-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Guoqing Jiang <gqjiang@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c |   12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7599,16 +7599,12 @@ EXPORT_SYMBOL(unregister_md_cluster_oper
+ int md_setup_cluster(struct mddev *mddev, int nodes)
+ {
+-      int err;
+-
+-      err = request_module("md-cluster");
+-      if (err) {
+-              pr_err("md-cluster module not found.\n");
+-              return -ENOENT;
+-      }
+-
++      if (!md_cluster_ops)
++              request_module("md-cluster");
+       spin_lock(&pers_lock);
++      /* ensure module won't be unloaded */
+       if (!md_cluster_ops || !try_module_get(md_cluster_mod)) {
++              pr_err("can't find md-cluster module or get it's reference.\n");
+               spin_unlock(&pers_lock);
+               return -ENOENT;
+       }
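Review bot: The new `pr_err()` in md_setup_cluster() is issued while `pers_lock` is still held, and the message does not need the lock. `spin_unlock(&pers_lock);` should come first, followed by `pr_err("can't find md-cluster module or get its reference.\n");`, which also corrects "it's". The unlocked `if (!md_cluster_ops)` test before request_module() is only a hint, which is acceptable because the pointer is tested again under the lock, but a comment saying so would help. The same goes for the request_module() return value, which appears to be ignored on purpose so that the built-in case works. The function continues past the end of the hunk.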
diff --git a/queue-4.7/memory-omap-gpmc-allow-probe-of-child-nodes-to-fail.patch b/queue-4.7/memory-omap-gpmc-allow-probe-of-child-nodes-to-fail.patch
new file mode 100644 (file)
index 0000000..031590f
--- /dev/null
@@ -0,0 +1,84 @@
+From 23540d6e2f3193b946c4de43e3f9654fa6d23fe7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Sun, 24 Jul 2016 14:10:58 +0200
+Subject: memory: omap-gpmc: allow probe of child nodes to fail
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 23540d6e2f3193b946c4de43e3f9654fa6d23fe7 upstream.
+
+A recent commit (inadvertently?) changed how failed probe of a gpmc
+child node was handled. Instead of proceeding with setting up any other
+children as before, a single error now aborts the whole process.
+
+This change broke networking on some Overo boards due to probe failing
+for an unrelated nand node. This second issue should obviously be
+fixed, but let's restore the old behaviour of allowing child-node
+probe to fail to avoid further similar breakage on other systems.
+
+Fixes: d2d00862dfbb ("memory: omap-gpmc: Support general purpose input
+for WAITPINs")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/memory/omap-gpmc.c |   21 +++++++--------------
+ 1 file changed, 7 insertions(+), 14 deletions(-)
+
+--- a/drivers/memory/omap-gpmc.c
++++ b/drivers/memory/omap-gpmc.c
+@@ -2250,7 +2250,7 @@ static int gpmc_probe_dt(struct platform
+       return 0;
+ }
+-static int gpmc_probe_dt_children(struct platform_device *pdev)
++static void gpmc_probe_dt_children(struct platform_device *pdev)
+ {
+       int ret;
+       struct device_node *child;
+@@ -2265,11 +2265,11 @@ static int gpmc_probe_dt_children(struct
+               else
+                       ret = gpmc_probe_generic_child(pdev, child);
+-              if (ret)
+-                      return ret;
++              if (ret) {
++                      dev_err(&pdev->dev, "failed to probe DT child '%s': %d\n",
++                              child->name, ret);
++              }
+       }
+-
+-      return 0;
+ }
+ #else
+ static int gpmc_probe_dt(struct platform_device *pdev)
+@@ -2277,9 +2277,8 @@ static int gpmc_probe_dt(struct platform
+       return 0;
+ }
+-static int gpmc_probe_dt_children(struct platform_device *pdev)
++static void gpmc_probe_dt_children(struct platform_device *pdev)
+ {
+-      return 0;
+ }
+ #endif
+@@ -2372,16 +2371,10 @@ static int gpmc_probe(struct platform_de
+               goto setup_irq_failed;
+       }
+-      rc = gpmc_probe_dt_children(pdev);
+-      if (rc < 0) {
+-              dev_err(gpmc->dev, "failed to probe DT children\n");
+-              goto dt_children_failed;
+-      }
++      gpmc_probe_dt_children(pdev);
+       return 0;
+-dt_children_failed:
+-      gpmc_free_irq(gpmc);
+ setup_irq_failed:
+       gpmc_gpio_exit(gpmc);
+ gpio_init_failed:
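Review bot: gpmc_probe_dt_children() now returns void and keeps going after a failed child, but nothing in the code says this is deliberate, and the commit message notes the earlier behaviour change may have been inadvertent. A comment above the function would keep the next refactoring from restoring the early return, e.g. `/* Child probe failures are logged, not propagated: one bad node must not block the other children */`. With the `dt_children_failed` label removed, the visible unwind in gpmc_probe() no longer calls gpmc_free_irq(). That looks correct since nothing after IRQ setup can fail now, but it should be confirmed against the full function, which extends beyond these hunks.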
diff --git a/queue-4.7/mm-fix-cache-mode-of-dax-pmd-mappings.patch b/queue-4.7/mm-fix-cache-mode-of-dax-pmd-mappings.patch
new file mode 100644 (file)
index 0000000..2d52aba
--- /dev/null
@@ -0,0 +1,125 @@
+From 9049771f7d5490a302589976984810064c83ab40 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Wed, 7 Sep 2016 08:51:21 -0700
+Subject: mm: fix cache mode of dax pmd mappings
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 9049771f7d5490a302589976984810064c83ab40 upstream.
+
+track_pfn_insert() in vmf_insert_pfn_pmd() is marking dax mappings as
+uncacheable rendering them impractical for application usage.  DAX-pte
+mappings are cached and the goal of establishing DAX-pmd mappings is to
+attain more performance, not dramatically less (3 orders of magnitude).
+
+track_pfn_insert() relies on a previous call to reserve_memtype() to
+establish the expected page_cache_mode for the range.  While memremap()
+arranges for reserve_memtype() to be called, devm_memremap_pages() does
+not.  So, teach track_pfn_insert() and untrack_pfn() how to handle
+tracking without a vma, and arrange for devm_memremap_pages() to
+establish the write-back-cache reservation in the memtype tree.
+
+Cc: Matthew Wilcox <mawilcox@microsoft.com>
+Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
+Cc: Nilesh Choudhury <nilesh.choudhury@oracle.com>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Reported-by: Toshi Kani <toshi.kani@hpe.com>
+Reported-by: Kai Zhang <kai.ka.zhang@oracle.com>
+Acked-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/pat.c |   17 ++++++++++-------
+ kernel/memremap.c |    9 +++++++++
+ 2 files changed, 19 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/mm/pat.c
++++ b/arch/x86/mm/pat.c
+@@ -931,9 +931,10 @@ int track_pfn_copy(struct vm_area_struct
+ }
+ /*
+- * prot is passed in as a parameter for the new mapping. If the vma has a
+- * linear pfn mapping for the entire range reserve the entire vma range with
+- * single reserve_pfn_range call.
++ * prot is passed in as a parameter for the new mapping. If the vma has
++ * a linear pfn mapping for the entire range, or no vma is provided,
++ * reserve the entire pfn + size range with single reserve_pfn_range
++ * call.
+  */
+ int track_pfn_remap(struct vm_area_struct *vma, pgprot_t *prot,
+                   unsigned long pfn, unsigned long addr, unsigned long size)
+@@ -942,11 +943,12 @@ int track_pfn_remap(struct vm_area_struc
+       enum page_cache_mode pcm;
+       /* reserve the whole chunk starting from paddr */
+-      if (addr == vma->vm_start && size == (vma->vm_end - vma->vm_start)) {
++      if (!vma || (addr == vma->vm_start
++                              && size == (vma->vm_end - vma->vm_start))) {
+               int ret;
+               ret = reserve_pfn_range(paddr, size, prot, 0);
+-              if (!ret)
++              if (ret == 0 && vma)
+                       vma->vm_flags |= VM_PAT;
+               return ret;
+       }
+@@ -1001,7 +1003,7 @@ void untrack_pfn(struct vm_area_struct *
+       resource_size_t paddr;
+       unsigned long prot;
+-      if (!(vma->vm_flags & VM_PAT))
++      if (vma && !(vma->vm_flags & VM_PAT))
+               return;
+       /* free the chunk starting from pfn or the whole chunk */
+@@ -1015,7 +1017,8 @@ void untrack_pfn(struct vm_area_struct *
+               size = vma->vm_end - vma->vm_start;
+       }
+       free_pfn_range(paddr, size);
+-      vma->vm_flags &= ~VM_PAT;
++      if (vma)
++              vma->vm_flags &= ~VM_PAT;
+ }
+ /*
+--- a/kernel/memremap.c
++++ b/kernel/memremap.c
+@@ -253,6 +253,7 @@ static void devm_memremap_pages_release(
+       align_start = res->start & ~(SECTION_SIZE - 1);
+       align_size = ALIGN(resource_size(res), SECTION_SIZE);
+       arch_remove_memory(align_start, align_size);
++      untrack_pfn(NULL, PHYS_PFN(align_start), align_size);
+       pgmap_radix_release(res);
+       dev_WARN_ONCE(dev, pgmap->altmap && pgmap->altmap->alloc,
+                       "%s: failed to free all reserved pages\n", __func__);
+@@ -288,6 +289,7 @@ void *devm_memremap_pages(struct device
+               struct percpu_ref *ref, struct vmem_altmap *altmap)
+ {
+       resource_size_t key, align_start, align_size, align_end;
++      pgprot_t pgprot = PAGE_KERNEL;
+       struct dev_pagemap *pgmap;
+       struct page_map *page_map;
+       int error, nid, is_ram;
+@@ -363,6 +365,11 @@ void *devm_memremap_pages(struct device
+       if (nid < 0)
+               nid = numa_mem_id();
++      error = track_pfn_remap(NULL, &pgprot, PHYS_PFN(align_start), 0,
++                      align_size);
++      if (error)
++              goto err_pfn_remap;
++
+       error = arch_add_memory(nid, align_start, align_size, true);
+       if (error)
+               goto err_add_memory;
+@@ -383,6 +390,8 @@ void *devm_memremap_pages(struct device
+       return __va(res->start);
+  err_add_memory:
++      untrack_pfn(NULL, PHYS_PFN(align_start), align_size);
++ err_pfn_remap:
+  err_radix:
+       pgmap_radix_release(res);
+       devres_free(page_map);
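Review bot: untrack_pfn() now accepts `vma == NULL`, yet the context line `size = vma->vm_end - vma->vm_start;` in the same function still dereferences vma inside a branch whose condition lies outside the hunk. The callers added in kernel/memremap.c pass `PHYS_PFN(align_start)` and `align_size`, so they presumably never take that branch, but the function does not say that a NULL vma is only valid together with an explicit pfn and size. I would state that in the function's comment and make the precondition fail safely at the top of that branch, e.g. `if (WARN_ON_ONCE(!vma)) return;`. The exact placement needs the full function body, which is not visible here.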
diff --git a/queue-4.7/mm-introduce-get_task_exe_file.patch b/queue-4.7/mm-introduce-get_task_exe_file.patch
new file mode 100644 (file)
index 0000000..97de622
--- /dev/null
@@ -0,0 +1,92 @@
+From cd81a9170e69e018bbaba547c1fd85a585f5697a Mon Sep 17 00:00:00 2001
+From: Mateusz Guzik <mguzik@redhat.com>
+Date: Tue, 23 Aug 2016 16:20:38 +0200
+Subject: mm: introduce get_task_exe_file
+
+From: Mateusz Guzik <mguzik@redhat.com>
+
+commit cd81a9170e69e018bbaba547c1fd85a585f5697a upstream.
+
+For more convenient access if one has a pointer to the task.
+
+As a minor nit take advantage of the fact that only task lock + rcu are
+needed to safely grab ->exe_file. This saves mm refcount dance.
+
+Use the helper in proc_exe_link.
+
+Signed-off-by: Mateusz Guzik <mguzik@redhat.com>
+Acked-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/base.c     |    7 +------
+ include/linux/mm.h |    1 +
+ kernel/fork.c      |   23 +++++++++++++++++++++++
+ 3 files changed, 25 insertions(+), 6 deletions(-)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -1552,18 +1552,13 @@ static const struct file_operations proc
+ static int proc_exe_link(struct dentry *dentry, struct path *exe_path)
+ {
+       struct task_struct *task;
+-      struct mm_struct *mm;
+       struct file *exe_file;
+       task = get_proc_task(d_inode(dentry));
+       if (!task)
+               return -ENOENT;
+-      mm = get_task_mm(task);
++      exe_file = get_task_exe_file(task);
+       put_task_struct(task);
+-      if (!mm)
+-              return -ENOENT;
+-      exe_file = get_mm_exe_file(mm);
+-      mmput(mm);
+       if (exe_file) {
+               *exe_path = exe_file->f_path;
+               path_get(&exe_file->f_path);
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -1975,6 +1975,7 @@ extern void mm_drop_all_locks(struct mm_
+ extern void set_mm_exe_file(struct mm_struct *mm, struct file *new_exe_file);
+ extern struct file *get_mm_exe_file(struct mm_struct *mm);
++extern struct file *get_task_exe_file(struct task_struct *task);
+ extern bool may_expand_vm(struct mm_struct *, vm_flags_t, unsigned long npages);
+ extern void vm_stat_account(struct mm_struct *, vm_flags_t, long npages);
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -801,6 +801,29 @@ struct file *get_mm_exe_file(struct mm_s
+ EXPORT_SYMBOL(get_mm_exe_file);
+ /**
++ * get_task_exe_file - acquire a reference to the task's executable file
++ *
++ * Returns %NULL if task's mm (if any) has no associated executable file or
++ * this is a kernel thread with borrowed mm (see the comment above get_task_mm).
++ * User must release file via fput().
++ */
++struct file *get_task_exe_file(struct task_struct *task)
++{
++      struct file *exe_file = NULL;
++      struct mm_struct *mm;
++
++      task_lock(task);
++      mm = task->mm;
++      if (mm) {
++              if (!(task->flags & PF_KTHREAD))
++                      exe_file = get_mm_exe_file(mm);
++      }
++      task_unlock(task);
++      return exe_file;
++}
++EXPORT_SYMBOL(get_task_exe_file);
++
++/**
+  * get_task_mm - acquire a reference to the task's mm
+  *
+  * Returns %NULL if the task has no mm.  Checks PF_KTHREAD (meaning
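Review bot: The kernel-doc block added for get_task_exe_file() in kernel/fork.c has no `@task:` line, so its only parameter is undocumented and the reference the caller must already hold is left implicit. I would add ` * @task: task to look up; the caller must hold a reference to it` under the summary line; proc_exe_link() in the same patch does keep one until its put_task_struct(). The nested `if (mm) { if (!(task->flags & PF_KTHREAD))` could also be written as one condition, `if (mm && !(task->flags & PF_KTHREAD))`.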
diff --git a/queue-4.7/mm-mempolicy-task-mempolicy-must-be-null-before-dropping-final-reference.patch b/queue-4.7/mm-mempolicy-task-mempolicy-must-be-null-before-dropping-final-reference.patch
new file mode 100644 (file)
index 0000000..6288c5d
--- /dev/null
@@ -0,0 +1,111 @@
+From c11600e4fed67ae4cd6a8096936afd445410e8ed Mon Sep 17 00:00:00 2001
+From: David Rientjes <rientjes@google.com>
+Date: Thu, 1 Sep 2016 16:15:07 -0700
+Subject: mm, mempolicy: task->mempolicy must be NULL before dropping final reference
+
+From: David Rientjes <rientjes@google.com>
+
+commit c11600e4fed67ae4cd6a8096936afd445410e8ed upstream.
+
+KASAN allocates memory from the page allocator as part of
+kmem_cache_free(), and that can reference current->mempolicy through any
+number of allocation functions.  It needs to be NULL'd out before the
+final reference is dropped to prevent a use-after-free bug:
+
+       BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr ffff88010b48102c
+       CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ #140
+       ...
+       Call Trace:
+               dump_stack
+               kasan_object_err
+               kasan_report_error
+               __asan_report_load2_noabort
+               alloc_pages_current     <-- use after free
+               depot_save_stack
+               save_stack
+               kasan_slab_free
+               kmem_cache_free
+               __mpol_put              <-- free
+               do_exit
+
+This patch sets current->mempolicy to NULL before dropping the final
+reference.
+
+Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1608301442180.63329@chino.kir.corp.google.com
+Fixes: cd11016e5f52 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB")
+Signed-off-by: David Rientjes <rientjes@google.com>
+Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
+Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/mempolicy.h |    4 ++++
+ kernel/exit.c             |    7 +------
+ mm/mempolicy.c            |   17 +++++++++++++++++
+ 3 files changed, 22 insertions(+), 6 deletions(-)
+
+--- a/include/linux/mempolicy.h
++++ b/include/linux/mempolicy.h
+@@ -195,6 +195,7 @@ static inline bool vma_migratable(struct
+ }
+ extern int mpol_misplaced(struct page *, struct vm_area_struct *, unsigned long);
++extern void mpol_put_task_policy(struct task_struct *);
+ #else
+@@ -297,5 +298,8 @@ static inline int mpol_misplaced(struct
+       return -1; /* no node preference */
+ }
++static inline void mpol_put_task_policy(struct task_struct *task)
++{
++}
+ #endif /* CONFIG_NUMA */
+ #endif
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -768,12 +768,7 @@ void do_exit(long code)
+       TASKS_RCU(preempt_enable());
+       exit_notify(tsk, group_dead);
+       proc_exit_connector(tsk);
+-#ifdef CONFIG_NUMA
+-      task_lock(tsk);
+-      mpol_put(tsk->mempolicy);
+-      tsk->mempolicy = NULL;
+-      task_unlock(tsk);
+-#endif
++      mpol_put_task_policy(tsk);
+ #ifdef CONFIG_FUTEX
+       if (unlikely(current->pi_state_cache))
+               kfree(current->pi_state_cache);
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -2334,6 +2334,23 @@ out:
+       return ret;
+ }
++/*
++ * Drop the (possibly final) reference to task->mempolicy.  It needs to be
++ * dropped after task->mempolicy is set to NULL so that any allocation done as
++ * part of its kmem_cache_free(), such as by KASAN, doesn't reference a freed
++ * policy.
++ */
++void mpol_put_task_policy(struct task_struct *task)
++{
++      struct mempolicy *pol;
++
++      task_lock(task);
++      pol = task->mempolicy;
++      task->mempolicy = NULL;
++      task_unlock(task);
++      mpol_put(pol);
++}
++
+ static void sp_delete(struct shared_policy *sp, struct sp_node *n)
+ {
+       pr_debug("deleting %lx-l%lx\n", n->start, n->end);
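Review bot: The comment above mpol_put_task_policy() in the mm/mempolicy.c part explains why the pointer is cleared before the put, but it does not say that the function takes task_lock(task) itself. A caller that already holds that lock would deadlock, so I would add a line such as ` * Takes task_lock(task); must not be called with it held.` to the comment. The empty !CONFIG_NUMA stub in mempolicy.h needs no change.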
diff --git a/queue-4.7/mm-oom-prevent-premature-oom-killer-invocation-for-high-order-request.patch b/queue-4.7/mm-oom-prevent-premature-oom-killer-invocation-for-high-order-request.patch
new file mode 100644 (file)
index 0000000..6b65c74
--- /dev/null
@@ -0,0 +1,123 @@
+From 6b4e3181d7bd5ca5ab6f45929e4a5ffa7ab4ab7f Mon Sep 17 00:00:00 2001
+From: Michal Hocko <mhocko@suse.com>
+Date: Thu, 1 Sep 2016 16:14:41 -0700
+Subject: mm, oom: prevent premature OOM killer invocation for high order request
+
+From: Michal Hocko <mhocko@suse.com>
+
+commit 6b4e3181d7bd5ca5ab6f45929e4a5ffa7ab4ab7f upstream.
+
+There have been several reports about pre-mature OOM killer invocation
+in 4.7 kernel when order-2 allocation request (for the kernel stack)
+invoked OOM killer even during basic workloads (light IO or even kernel
+compile on some filesystems).  In all reported cases the memory is
+fragmented and there are no order-2+ pages available.  There is usually
+a large amount of slab memory (usually dentries/inodes) and further
+debugging has shown that there are way too many unmovable blocks which
+are skipped during the compaction.  Multiple reporters have confirmed
+that the current linux-next which includes [1] and [2] helped and OOMs
+are not reproducible anymore.
+
+A simpler fix for the late rc and stable is to simply ignore the
+compaction feedback and retry as long as there is a reclaim progress and
+we are not getting OOM for order-0 pages.  We already do that for
+CONFING_COMPACTION=n so let's reuse the same code when compaction is
+enabled as well.
+
+[1] http://lkml.kernel.org/r/20160810091226.6709-1-vbabka@suse.cz
+[2] http://lkml.kernel.org/r/f7a9ea9d-bb88-bfd6-e340-3a933559305a@suse.cz
+
+Fixes: 0a0337e0d1d1 ("mm, oom: rework oom detection")
+Link: http://lkml.kernel.org/r/20160823074339.GB23577@dhcp22.suse.cz
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Tested-by: Olaf Hering <olaf@aepfle.de>
+Tested-by: Ralf-Peter Rohbeck <Ralf-Peter.Rohbeck@quantum.com>
+Cc: Markus Trippelsdorf <markus@trippelsdorf.de>
+Cc: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com>
+Cc: Ralf-Peter Rohbeck <Ralf-Peter.Rohbeck@quantum.com>
+Cc: Jiri Slaby <jslaby@suse.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Joonsoo Kim <js1304@gmail.com>
+Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Cc: David Rientjes <rientjes@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page_alloc.c |   50 ++------------------------------------------------
+ 1 file changed, 2 insertions(+), 48 deletions(-)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -3254,53 +3254,6 @@ __alloc_pages_direct_compact(gfp_t gfp_m
+       return NULL;
+ }
+-static inline bool
+-should_compact_retry(struct alloc_context *ac, int order, int alloc_flags,
+-                   enum compact_result compact_result, enum migrate_mode *migrate_mode,
+-                   int compaction_retries)
+-{
+-      int max_retries = MAX_COMPACT_RETRIES;
+-
+-      if (!order)
+-              return false;
+-
+-      /*
+-       * compaction considers all the zone as desperately out of memory
+-       * so it doesn't really make much sense to retry except when the
+-       * failure could be caused by weak migration mode.
+-       */
+-      if (compaction_failed(compact_result)) {
+-              if (*migrate_mode == MIGRATE_ASYNC) {
+-                      *migrate_mode = MIGRATE_SYNC_LIGHT;
+-                      return true;
+-              }
+-              return false;
+-      }
+-
+-      /*
+-       * make sure the compaction wasn't deferred or didn't bail out early
+-       * due to locks contention before we declare that we should give up.
+-       * But do not retry if the given zonelist is not suitable for
+-       * compaction.
+-       */
+-      if (compaction_withdrawn(compact_result))
+-              return compaction_zonelist_suitable(ac, order, alloc_flags);
+-
+-      /*
+-       * !costly requests are much more important than __GFP_REPEAT
+-       * costly ones because they are de facto nofail and invoke OOM
+-       * killer to move on while costly can fail and users are ready
+-       * to cope with that. 1/4 retries is rather arbitrary but we
+-       * would need much more detailed feedback from compaction to
+-       * make a better decision.
+-       */
+-      if (order > PAGE_ALLOC_COSTLY_ORDER)
+-              max_retries /= 4;
+-      if (compaction_retries <= max_retries)
+-              return true;
+-
+-      return false;
+-}
+ #else
+ static inline struct page *
+ __alloc_pages_direct_compact(gfp_t gfp_mask, unsigned int order,
+@@ -3311,6 +3264,8 @@ __alloc_pages_direct_compact(gfp_t gfp_m
+       return NULL;
+ }
++#endif /* CONFIG_COMPACTION */
++
+ static inline bool
+ should_compact_retry(struct alloc_context *ac, unsigned int order, int alloc_flags,
+                    enum compact_result compact_result,
+@@ -3337,7 +3292,6 @@ should_compact_retry(struct alloc_contex
+       }
+       return false;
+ }
+-#endif /* CONFIG_COMPACTION */
+ /* Perform direct synchronous page reclaim */
+ static int
diff --git a/queue-4.7/net-macb-correct-caps-mask.patch b/queue-4.7/net-macb-correct-caps-mask.patch
new file mode 100644 (file)
index 0000000..3f06989
--- /dev/null
@@ -0,0 +1,37 @@
+From c518189567eaf42b2ec50a4d982484c8e38799f8 Mon Sep 17 00:00:00 2001
+From: Harini Katakam <harini.katakam@xilinx.com>
+Date: Fri, 5 Aug 2016 10:31:58 +0530
+Subject: net: macb: Correct CAPS mask
+
+From: Harini Katakam <harini.katakam@xilinx.com>
+
+commit c518189567eaf42b2ec50a4d982484c8e38799f8 upstream.
+
+USRIO and JUMBO CAPS have the same mask.
+Fix the same.
+
+Fixes: ce721a702197 ("net: ethernet: cadence-macb: Add disabled usrio caps")
+Signed-off-by: Harini Katakam <harinik@xilinx.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/cadence/macb.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/cadence/macb.h
++++ b/drivers/net/ethernet/cadence/macb.h
+@@ -403,11 +403,11 @@
+ #define MACB_CAPS_USRIO_DEFAULT_IS_MII_GMII   0x00000004
+ #define MACB_CAPS_NO_GIGABIT_HALF             0x00000008
+ #define MACB_CAPS_USRIO_DISABLED              0x00000010
++#define MACB_CAPS_JUMBO                               0x00000020
+ #define MACB_CAPS_FIFO_MODE                   0x10000000
+ #define MACB_CAPS_GIGABIT_MODE_AVAILABLE      0x20000000
+ #define MACB_CAPS_SG_DISABLED                 0x40000000
+ #define MACB_CAPS_MACB_IS_GEM                 0x80000000
+-#define MACB_CAPS_JUMBO                               0x00000010
+ /* Bit manipulation macros */
+ #define MACB_BIT(name)                                        \
diff --git a/queue-4.7/net-thunderx-fix-oops-with-ethtool-register-dump.patch b/queue-4.7/net-thunderx-fix-oops-with-ethtool-register-dump.patch
new file mode 100644 (file)
index 0000000..9440897
--- /dev/null
@@ -0,0 +1,50 @@
+From 1423661fed2c40d6d71b5e2e3aa390f85157f9d5 Mon Sep 17 00:00:00 2001
+From: David Daney <david.daney@cavium.com>
+Date: Tue, 16 Aug 2016 13:30:36 -0700
+Subject: net: thunderx: Fix OOPs with ethtool --register-dump
+
+From: David Daney <david.daney@cavium.com>
+
+commit 1423661fed2c40d6d71b5e2e3aa390f85157f9d5 upstream.
+
+The ethtool_ops .get_regs function attempts to read the nonexistent
+register NIC_QSET_SQ_0_7_CNM_CHG, which produces a "bus error" type
+OOPs.
+
+Fix by not attempting to read, and removing the definition of,
+NIC_QSET_SQ_0_7_CNM_CHG.  A zero is written into the register dump to
+keep the layout unchanged.
+
+Signed-off-by: David Daney <david.daney@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/cavium/thunder/nic_reg.h       |    1 -
+ drivers/net/ethernet/cavium/thunder/nicvf_ethtool.c |    5 ++++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/cavium/thunder/nic_reg.h
++++ b/drivers/net/ethernet/cavium/thunder/nic_reg.h
+@@ -170,7 +170,6 @@
+ #define   NIC_QSET_SQ_0_7_DOOR                        (0x010838)
+ #define   NIC_QSET_SQ_0_7_STATUS              (0x010840)
+ #define   NIC_QSET_SQ_0_7_DEBUG                       (0x010848)
+-#define   NIC_QSET_SQ_0_7_CNM_CHG             (0x010860)
+ #define   NIC_QSET_SQ_0_7_STAT_0_1            (0x010900)
+ #define   NIC_QSET_RBDR_0_1_CFG                       (0x010C00)
+--- a/drivers/net/ethernet/cavium/thunder/nicvf_ethtool.c
++++ b/drivers/net/ethernet/cavium/thunder/nicvf_ethtool.c
+@@ -382,7 +382,10 @@ static void nicvf_get_regs(struct net_de
+               p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_DOOR, q);
+               p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_STATUS, q);
+               p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_DEBUG, q);
+-              p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_CNM_CHG, q);
++              /* Padding, was NIC_QSET_SQ_0_7_CNM_CHG, which
++               * produces bus errors when read
++               */
++              p[i++] = 0;
+               p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_STAT_0_1, q);
+               reg_offset = NIC_QSET_SQ_0_7_STAT_0_1 | (1 << 3);
+               p[i++] = nicvf_queue_reg_read(nic, reg_offset, q);
diff --git a/queue-4.7/nfsd-close-race-between-nfsd4_release_lockowner-and-nfsd4_lock.patch b/queue-4.7/nfsd-close-race-between-nfsd4_release_lockowner-and-nfsd4_lock.patch
new file mode 100644 (file)
index 0000000..2194cad
--- /dev/null
@@ -0,0 +1,97 @@
+From 885848186fbc2d1d8fb6d2fdc2156638ae289a46 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Wed, 13 Jul 2016 16:40:14 -0400
+Subject: nfsd: Close race between nfsd4_release_lockowner and nfsd4_lock
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 885848186fbc2d1d8fb6d2fdc2156638ae289a46 upstream.
+
+nfsd4_release_lockowner finds a lock owner that has no lock state,
+and drops cl_lock. Then release_lockowner picks up cl_lock and
+unhashes the lock owner.
+
+During the window where cl_lock is dropped, I don't see anything
+preventing a concurrent nfsd4_lock from finding that same lock owner
+and adding lock state to it.
+
+Move release_lockowner() into nfsd4_release_lockowner and hang onto
+the cl_lock until after the lock owner's state cannot be found
+again.
+
+Found by inspection, we don't currently have a reproducer.
+
+Fixes: 2c41beb0e5cf ("nfsd: reduce cl_lock thrashing in ... ")
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4state.c |   40 +++++++++++++++++-----------------------
+ 1 file changed, 17 insertions(+), 23 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -1200,27 +1200,6 @@ free_ol_stateid_reaplist(struct list_hea
+       }
+ }
+-static void release_lockowner(struct nfs4_lockowner *lo)
+-{
+-      struct nfs4_client *clp = lo->lo_owner.so_client;
+-      struct nfs4_ol_stateid *stp;
+-      struct list_head reaplist;
+-
+-      INIT_LIST_HEAD(&reaplist);
+-
+-      spin_lock(&clp->cl_lock);
+-      unhash_lockowner_locked(lo);
+-      while (!list_empty(&lo->lo_owner.so_stateids)) {
+-              stp = list_first_entry(&lo->lo_owner.so_stateids,
+-                              struct nfs4_ol_stateid, st_perstateowner);
+-              WARN_ON(!unhash_lock_stateid(stp));
+-              put_ol_stateid_locked(stp, &reaplist);
+-      }
+-      spin_unlock(&clp->cl_lock);
+-      free_ol_stateid_reaplist(&reaplist);
+-      nfs4_put_stateowner(&lo->lo_owner);
+-}
+-
+ static void release_open_stateid_locks(struct nfs4_ol_stateid *open_stp,
+                                      struct list_head *reaplist)
+ {
+@@ -5976,6 +5955,7 @@ nfsd4_release_lockowner(struct svc_rqst
+       __be32 status;
+       struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
+       struct nfs4_client *clp;
++      LIST_HEAD (reaplist);
+       dprintk("nfsd4_release_lockowner clientid: (%08x/%08x):\n",
+               clid->cl_boot, clid->cl_id);
+@@ -6006,9 +5986,23 @@ nfsd4_release_lockowner(struct svc_rqst
+               nfs4_get_stateowner(sop);
+               break;
+       }
++      if (!lo) {
++              spin_unlock(&clp->cl_lock);
++              return status;
++      }
++
++      unhash_lockowner_locked(lo);
++      while (!list_empty(&lo->lo_owner.so_stateids)) {
++              stp = list_first_entry(&lo->lo_owner.so_stateids,
++                                     struct nfs4_ol_stateid,
++                                     st_perstateowner);
++              WARN_ON(!unhash_lock_stateid(stp));
++              put_ol_stateid_locked(stp, &reaplist);
++      }
+       spin_unlock(&clp->cl_lock);
+-      if (lo)
+-              release_lockowner(lo);
++      free_ol_stateid_reaplist(&reaplist);
++      nfs4_put_stateowner(&lo->lo_owner);
++
+       return status;
+ }
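Review bot: The block added to nfsd4_release_lockowner() depends on cl_lock staying held from the owner lookup through unhash_lockowner_locked(), but nothing in the code says so, and a later cleanup could reintroduce the unlock/relock window this patch closes. I would put a comment before the `if (!lo)` test, for example `/* cl_lock is still held: unhash lo before dropping it so nfsd4_lock cannot find it */`. `LIST_HEAD (reaplist);` also has a stray space before the parenthesis; kernel style is `LIST_HEAD(reaplist);`. The function starts and ends outside these hunks, so the declaration of `stp` used by the new loop is not visible here.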
diff --git a/queue-4.7/nfsv4.1-fix-oopsable-condition-in-server-callback-races.patch b/queue-4.7/nfsv4.1-fix-oopsable-condition-in-server-callback-races.patch
new file mode 100644 (file)
index 0000000..c4b05b7
--- /dev/null
@@ -0,0 +1,89 @@
+From e09c978aae5bedfdb379be80363b024b7d82638b Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Sat, 27 Aug 2016 23:44:04 -0400
+Subject: NFSv4.1: Fix Oopsable condition in server callback races
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit e09c978aae5bedfdb379be80363b024b7d82638b upstream.
+
+The slot table hasn't been an array since v3.7. Ensure that we
+use nfs4_lookup_slot() to access the slot correctly.
+
+Fixes: 87dda67e7386 ("NFSv4.1: Allow SEQUENCE to resize the slot table...")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/callback_proc.c |    5 +----
+ fs/nfs/nfs4session.c   |   33 +++++++++++++++++++++++++++++++++
+ fs/nfs/nfs4session.h   |    1 +
+ 3 files changed, 35 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/callback_proc.c
++++ b/fs/nfs/callback_proc.c
+@@ -430,11 +430,8 @@ static bool referring_call_exists(struct
+                               ((u32 *)&rclist->rcl_sessionid.data)[3],
+                               ref->rc_sequenceid, ref->rc_slotid);
+-                      spin_lock(&tbl->slot_tbl_lock);
+-                      status = (test_bit(ref->rc_slotid, tbl->used_slots) &&
+-                                tbl->slots[ref->rc_slotid].seq_nr ==
++                      status = nfs4_slot_seqid_in_use(tbl, ref->rc_slotid,
+                                       ref->rc_sequenceid);
+-                      spin_unlock(&tbl->slot_tbl_lock);
+                       if (status)
+                               goto out;
+               }
+--- a/fs/nfs/nfs4session.c
++++ b/fs/nfs/nfs4session.c
+@@ -172,6 +172,39 @@ struct nfs4_slot *nfs4_lookup_slot(struc
+       return ERR_PTR(-E2BIG);
+ }
++static int nfs4_slot_get_seqid(struct nfs4_slot_table  *tbl, u32 slotid,
++              u32 *seq_nr)
++      __must_hold(&tbl->slot_tbl_lock)
++{
++      struct nfs4_slot *slot;
++
++      slot = nfs4_lookup_slot(tbl, slotid);
++      if (IS_ERR(slot))
++              return PTR_ERR(slot);
++      *seq_nr = slot->seq_nr;
++      return 0;
++}
++
++/*
++ * nfs4_slot_seqid_in_use - test if a slot sequence id is still in use
++ *
++ * Given a slot table, slot id and sequence number, determine if the
++ * RPC call in question is still in flight. This function is mainly
++ * intended for use by the callback channel.
++ */
++bool nfs4_slot_seqid_in_use(struct nfs4_slot_table *tbl, u32 slotid, u32 seq_nr)
++{
++      u32 cur_seq;
++      bool ret = false;
++
++      spin_lock(&tbl->slot_tbl_lock);
++      if (nfs4_slot_get_seqid(tbl, slotid, &cur_seq) == 0 &&
++          cur_seq == seq_nr && test_bit(slotid, tbl->used_slots))
++              ret = true;
++      spin_unlock(&tbl->slot_tbl_lock);
++      return ret;
++}
++
+ /*
+  * nfs4_alloc_slot - efficiently look for a free slot
+  *
+--- a/fs/nfs/nfs4session.h
++++ b/fs/nfs/nfs4session.h
+@@ -78,6 +78,7 @@ extern int nfs4_setup_slot_table(struct
+ extern void nfs4_shutdown_slot_table(struct nfs4_slot_table *tbl);
+ extern struct nfs4_slot *nfs4_alloc_slot(struct nfs4_slot_table *tbl);
+ extern struct nfs4_slot *nfs4_lookup_slot(struct nfs4_slot_table *tbl, u32 slotid);
++extern bool nfs4_slot_seqid_in_use(struct nfs4_slot_table  *tbl, u32 slotid, u32 seq_nr);
+ extern bool nfs4_try_to_lock_slot(struct nfs4_slot_table *tbl, struct nfs4_slot *slot);
+ extern void nfs4_free_slot(struct nfs4_slot_table *tbl, struct nfs4_slot *slot);
+ extern void nfs4_slot_tbl_drain_complete(struct nfs4_slot_table *tbl);
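Review bot: In nfs4_slot_seqid_in_use() the `test_bit(slotid, tbl->used_slots)` call is only safe because it is the last operand of the `&&` chain, evaluated after nfs4_slot_get_seqid() has succeeded. The slotid passed in from referring_call_exists() is `ref->rc_slotid`, which appears to come from the peer's callback arguments, and nfs4_lookup_slot() can fail (its visible tail returns `ERR_PTR(-E2BIG)`), presumably for an id beyond the table. Reordering the operands would bring back an unchecked bitmap access, so I would add `/* test_bit() must stay after the lookup, which is what validates slotid */` above the condition. The header comment could also be made kernel-doc with `@tbl`, `@slotid` and `@seq_nr` lines.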
diff --git a/queue-4.7/nfsv4.1-fix-the-create_session-slot-number-accounting.patch b/queue-4.7/nfsv4.1-fix-the-create_session-slot-number-accounting.patch
new file mode 100644 (file)
index 0000000..46e9441
--- /dev/null
@@ -0,0 +1,46 @@
+From b519d408ea32040b1c7e10b155a3ee9a36660947 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Sun, 11 Sep 2016 14:50:01 -0400
+Subject: NFSv4.1: Fix the CREATE_SESSION slot number accounting
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit b519d408ea32040b1c7e10b155a3ee9a36660947 upstream.
+
+Ensure that we conform to the algorithm described in RFC5661, section
+18.36.4 for when to bump the sequence id. In essence we do it for all
+cases except when the RPC call timed out, or in case of the server returning
+NFS4ERR_DELAY or NFS4ERR_STALE_CLIENTID.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -7509,12 +7509,20 @@ static int _nfs4_proc_create_session(str
+       status = rpc_call_sync(session->clp->cl_rpcclient, &msg, RPC_TASK_TIMEOUT);
+       trace_nfs4_create_session(clp, status);
++      switch (status) {
++      case -NFS4ERR_STALE_CLIENTID:
++      case -NFS4ERR_DELAY:
++      case -ETIMEDOUT:
++      case -EACCES:
++      case -EAGAIN:
++              goto out;
++      };
++
++      clp->cl_seqid++;
+       if (!status) {
+               /* Verify the session's negotiated channel_attrs values */
+               status = nfs4_verify_channel_attrs(&args, &res);
+               /* Increment the clientid slot sequence id */
+-              if (clp->cl_seqid == res.seqid)
+-                      clp->cl_seqid++;
+               if (status)
+                       goto out;
+               nfs4_update_session(session, &res);
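Review bot: The comment `/* Increment the clientid slot sequence id */` is left inside the `if (!status)` branch with no increment under it, because `clp->cl_seqid++` now runs before that branch. I would move the comment up so it sits directly above `clp->cl_seqid++;`. The switch is closed with `};`, which leaves an empty statement behind it; a plain `}` is enough. The description names only the timeout, NFS4ERR_DELAY and NFS4ERR_STALE_CLIENTID cases, so `-EACCES` and `-EAGAIN` deserve a one-line comment saying why they also skip the bump. _nfs4_proc_create_session() continues outside the hunk.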
diff --git a/queue-4.7/nfsv4.x-fix-a-refcount-leak-in-nfs_callback_up_net.patch b/queue-4.7/nfsv4.x-fix-a-refcount-leak-in-nfs_callback_up_net.patch
new file mode 100644 (file)
index 0000000..d51f528
--- /dev/null
@@ -0,0 +1,29 @@
+From 98b0f80c2396224bbbed81792b526e6c72ba9efa Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Mon, 29 Aug 2016 11:15:36 -0400
+Subject: NFSv4.x: Fix a refcount leak in nfs_callback_up_net
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit 98b0f80c2396224bbbed81792b526e6c72ba9efa upstream.
+
+On error, the callers expect us to return without bumping
+nn->cb_users[].
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/callback.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfs/callback.c
++++ b/fs/nfs/callback.c
+@@ -275,6 +275,7 @@ static int nfs_callback_up_net(int minor
+ err_socks:
+       svc_rpcb_cleanup(serv, net);
+ err_bind:
++      nn->cb_users[minorversion]--;
+       dprintk("NFS: Couldn't create callback socket: err = %d; "
+                       "net = %p\n", ret, net);
+       return ret;
diff --git a/queue-4.7/perf-x86-amd-make-hw_cache_references-and-hw_cache_misses-measure-l2.patch b/queue-4.7/perf-x86-amd-make-hw_cache_references-and-hw_cache_misses-measure-l2.patch
new file mode 100644 (file)
index 0000000..15c10d6
--- /dev/null
@@ -0,0 +1,67 @@
+From 080fe0b790ad438fc1b61621dac37c1964ce7f35 Mon Sep 17 00:00:00 2001
+From: Matt Fleming <matt@codeblueprint.co.uk>
+Date: Wed, 24 Aug 2016 14:12:08 +0100
+Subject: perf/x86/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2
+
+From: Matt Fleming <matt@codeblueprint.co.uk>
+
+commit 080fe0b790ad438fc1b61621dac37c1964ce7f35 upstream.
+
+While the Intel PMU monitors the LLC when perf enables the
+HW_CACHE_REFERENCES and HW_CACHE_MISSES events, these events monitor
+L1 instruction cache fetches (0x0080) and instruction cache misses
+(0x0081) on the AMD PMU.
+
+This is extremely confusing when monitoring the same workload across
+Intel and AMD machines, since parameters like,
+
+  $ perf stat -e cache-references,cache-misses
+
+measure completely different things.
+
+Instead, make the AMD PMU measure instruction/data cache and TLB fill
+requests to the L2 and instruction/data cache and TLB misses in the L2
+when HW_CACHE_REFERENCES and HW_CACHE_MISSES are enabled,
+respectively. That way the events measure unified caches on both
+platforms.
+
+Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/1472044328-21302-1-git-send-email-matt@codeblueprint.co.uk
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/events/amd/core.c |    4 ++--
+ arch/x86/kvm/pmu_amd.c     |    4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/events/amd/core.c
++++ b/arch/x86/events/amd/core.c
+@@ -119,8 +119,8 @@ static const u64 amd_perfmon_event_map[P
+ {
+   [PERF_COUNT_HW_CPU_CYCLES]                  = 0x0076,
+   [PERF_COUNT_HW_INSTRUCTIONS]                        = 0x00c0,
+-  [PERF_COUNT_HW_CACHE_REFERENCES]            = 0x0080,
+-  [PERF_COUNT_HW_CACHE_MISSES]                        = 0x0081,
++  [PERF_COUNT_HW_CACHE_REFERENCES]            = 0x077d,
++  [PERF_COUNT_HW_CACHE_MISSES]                        = 0x077e,
+   [PERF_COUNT_HW_BRANCH_INSTRUCTIONS]         = 0x00c2,
+   [PERF_COUNT_HW_BRANCH_MISSES]                       = 0x00c3,
+   [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND]     = 0x00d0, /* "Decoder empty" event */
+--- a/arch/x86/kvm/pmu_amd.c
++++ b/arch/x86/kvm/pmu_amd.c
+@@ -23,8 +23,8 @@
+ static struct kvm_event_hw_type_mapping amd_event_mapping[] = {
+       [0] = { 0x76, 0x00, PERF_COUNT_HW_CPU_CYCLES },
+       [1] = { 0xc0, 0x00, PERF_COUNT_HW_INSTRUCTIONS },
+-      [2] = { 0x80, 0x00, PERF_COUNT_HW_CACHE_REFERENCES },
+-      [3] = { 0x81, 0x00, PERF_COUNT_HW_CACHE_MISSES },
++      [2] = { 0x7d, 0x07, PERF_COUNT_HW_CACHE_REFERENCES },
++      [3] = { 0x7e, 0x07, PERF_COUNT_HW_CACHE_MISSES },
+       [4] = { 0xc2, 0x00, PERF_COUNT_HW_BRANCH_INSTRUCTIONS },
+       [5] = { 0xc3, 0x00, PERF_COUNT_HW_BRANCH_MISSES },
+       [6] = { 0xd0, 0x00, PERF_COUNT_HW_STALLED_CYCLES_FRONTEND },
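Review bot: The new raw event codes `0x077d` and `0x077e` in amd_perfmon_event_map, and the matching `{ 0x7d, 0x07, ... }` and `{ 0x7e, 0x07, ... }` entries in amd_event_mapping, carry no comment, while a neighbouring entry in the first table is annotated (`/* "Decoder empty" event */`). Going by the commit description, I would add trailing comments such as `/* L2 requests: I/D cache and TLB fills */` and `/* L2 misses: I/D cache and TLB */`. The two tables appear to be kept in step by hand, so a short note in pmu_amd.c pointing at amd_perfmon_event_map would help the next person who changes one of them. Both arrays continue outside the hunks.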
diff --git a/queue-4.7/perf-x86-intel-cqm-check-cqm-mbm-enabled-state-in-event-init.patch b/queue-4.7/perf-x86-intel-cqm-check-cqm-mbm-enabled-state-in-event-init.patch
new file mode 100644 (file)
index 0000000..55c9731
--- /dev/null
@@ -0,0 +1,69 @@
+From 79d102cbfd2e9d94257fcc7c82807ef1cdf80322 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Mon, 5 Sep 2016 17:30:07 +0200
+Subject: perf/x86/intel/cqm: Check cqm/mbm enabled state in event init
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+commit 79d102cbfd2e9d94257fcc7c82807ef1cdf80322 upstream.
+
+Yanqiu Zhang reported kernel panic when using mbm event
+on system where CQM is detected but without mbm event
+support, like with perf:
+
+  # perf stat -e 'intel_cqm/event=3/' -a
+
+  BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
+  IP: [<ffffffff8100d64c>] update_sample+0xbc/0xe0
+  ...
+   <IRQ>
+   [<ffffffff8100d688>] __intel_mbm_event_init+0x18/0x20
+   [<ffffffff81113d6b>] flush_smp_call_function_queue+0x7b/0x160
+   [<ffffffff81114853>] generic_smp_call_function_single_interrupt+0x13/0x60
+   [<ffffffff81052017>] smp_call_function_interrupt+0x27/0x40
+   [<ffffffff816fb06c>] call_function_interrupt+0x8c/0xa0
+  ...
+
+The reason is that we currently allow to init mbm event
+even if mbm support is not detected.  Adding checks for
+both cqm and mbm events and support into cqm's event_init.
+
+Fixes: 33c3cc7acfd9 ("perf/x86/mbm: Add Intel Memory B/W Monitoring enumeration and init")
+Reported-by: Yanqiu Zhang <yanqzhan@redhat.com>
+Signed-off-by: Jiri Olsa <jolsa@redhat.com>
+Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Vikas Shivappa <vikas.shivappa@linux.intel.com>
+Cc: Tony Luck <tony.luck@intel.com>
+Link: http://lkml.kernel.org/r/1473089407-21857-1-git-send-email-jolsa@kernel.org
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/events/intel/cqm.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/x86/events/intel/cqm.c
++++ b/arch/x86/events/intel/cqm.c
+@@ -458,6 +458,11 @@ static void __intel_cqm_event_count(void
+ static void init_mbm_sample(u32 rmid, u32 evt_type);
+ static void __intel_mbm_event_count(void *info);
++static bool is_cqm_event(int e)
++{
++      return (e == QOS_L3_OCCUP_EVENT_ID);
++}
++
+ static bool is_mbm_event(int e)
+ {
+       return (e >= QOS_MBM_TOTAL_EVENT_ID && e <= QOS_MBM_LOCAL_EVENT_ID);
+@@ -1366,6 +1371,10 @@ static int intel_cqm_event_init(struct p
+            (event->attr.config > QOS_MBM_LOCAL_EVENT_ID))
+               return -EINVAL;
++      if ((is_cqm_event(event->attr.config) && !cqm_enabled) ||
++          (is_mbm_event(event->attr.config) && !mbm_enabled))
++              return -EINVAL;
++
+       /* unsupported modes and filters */
+       if (event->attr.exclude_user   ||
+           event->attr.exclude_kernel ||
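Review bot: In intel_cqm_event_init() the new check passes `event->attr.config`, a 64-bit field filled in by the caller of perf_event_open(), to is_cqm_event()/is_mbm_event(), which take `int e`. The narrowing is harmless only because the check sits after the range test whose tail is visible just above it. A one-line comment would make that ordering dependency explicit, for example `/* config was range-checked above, so the int conversion in is_*_event() is lossless */`. Declaring the helpers as `static bool is_cqm_event(u64 e)` would remove the dependency instead. intel_cqm_event_init() starts and ends outside the hunk.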
diff --git a/queue-4.7/perf-x86-intel-fix-pebsv3-record-drain.patch b/queue-4.7/perf-x86-intel-fix-pebsv3-record-drain.patch
new file mode 100644 (file)
index 0000000..7062d79
--- /dev/null
@@ -0,0 +1,82 @@
+From 8ef9b8455a2a3049efa9e46e8a6402b972a3eb41 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 7 Sep 2016 14:42:55 +0200
+Subject: perf/x86/intel: Fix PEBSv3 record drain
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 8ef9b8455a2a3049efa9e46e8a6402b972a3eb41 upstream.
+
+Alexander hit the WARN_ON_ONCE(!event) on his Skylake while running
+the perf fuzzer.
+
+This means the PEBSv3 record included a status bit for an inactive
+event, something that _should_ not happen.
+
+Move the code that filters the status bits against our known PEBS
+events up a spot to guarantee we only deal with events we know about.
+
+Further add "continue" statements to the WARN_ON_ONCE()s such that
+we'll not die nor generate silly events in case we ever do hit them
+again.
+
+Reported-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Tested-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Kan Liang <kan.liang@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vince@deater.net>
+Fixes: a3d86542de88 ("perf/x86/intel/pebs: Add PEBSv3 decoding")
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/events/intel/ds.c |   19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/events/intel/ds.c
++++ b/arch/x86/events/intel/ds.c
+@@ -1274,18 +1274,18 @@ static void intel_pmu_drain_pebs_nhm(str
+               struct pebs_record_nhm *p = at;
+               u64 pebs_status;
+-              /* PEBS v3 has accurate status bits */
++              pebs_status = p->status & cpuc->pebs_enabled;
++              pebs_status &= (1ULL << x86_pmu.max_pebs_events) - 1;
++
++              /* PEBS v3 has more accurate status bits */
+               if (x86_pmu.intel_cap.pebs_format >= 3) {
+-                      for_each_set_bit(bit, (unsigned long *)&p->status,
+-                                       MAX_PEBS_EVENTS)
++                      for_each_set_bit(bit, (unsigned long *)&pebs_status,
++                                       x86_pmu.max_pebs_events)
+                               counts[bit]++;
+                       continue;
+               }
+-              pebs_status = p->status & cpuc->pebs_enabled;
+-              pebs_status &= (1ULL << x86_pmu.max_pebs_events) - 1;
+-
+               /*
+                * On some CPUs the PEBS status can be zero when PEBS is
+                * racing with clearing of GLOBAL_STATUS.
+@@ -1333,8 +1333,11 @@ static void intel_pmu_drain_pebs_nhm(str
+                       continue;
+               event = cpuc->events[bit];
+-              WARN_ON_ONCE(!event);
+-              WARN_ON_ONCE(!event->attr.precise_ip);
++              if (WARN_ON_ONCE(!event))
++                      continue;
++
++              if (WARN_ON_ONCE(!event->attr.precise_ip))
++                      continue;
+               /* log dropped samples number */
+               if (error[bit])
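Review bot: The cast `(unsigned long *)&pebs_status` in the PEBS v3 branch of intel_pmu_drain_pebs_nhm() reads a `u64` local through an `unsigned long` pointer. That is correct only on a little-endian layout and while `x86_pmu.max_pebs_events` stays within one long. The old code had the same cast on `p->status`, but the bound is now a runtime value rather than a constant, so the assumption deserves a comment, for example `/* u64 walked as unsigned long[]: relies on max_pebs_events <= BITS_PER_LONG */`. The function starts and ends outside the hunk.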
diff --git a/queue-4.7/perf-x86-intel-pt-do-validate-the-size-of-a-kernel-address-filter.patch b/queue-4.7/perf-x86-intel-pt-do-validate-the-size-of-a-kernel-address-filter.patch
new file mode 100644 (file)
index 0000000..2b94cdc
--- /dev/null
@@ -0,0 +1,54 @@
+From 1155bafcb79208abc6ae234c6e135ac70607755c Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Thu, 15 Sep 2016 18:13:52 +0300
+Subject: perf/x86/intel/pt: Do validate the size of a kernel address filter
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 1155bafcb79208abc6ae234c6e135ac70607755c upstream.
+
+Right now, the kernel address filters in PT are prone to integer overflow
+that may happen in adding filter's size to its offset to obtain the end
+of the range. Such an overflow would also throw a #GP in the PT event
+configuration path.
+
+Fix this by explicitly validating the result of this calculation.
+
+Reported-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: vince@deater.net
+Link: http://lkml.kernel.org/r/20160915151352.21306-4-alexander.shishkin@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/events/intel/pt.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/events/intel/pt.c
++++ b/arch/x86/events/intel/pt.c
+@@ -1089,8 +1089,13 @@ static int pt_event_addr_filters_validat
+               if (!filter->range || !filter->size)
+                       return -EOPNOTSUPP;
+-              if (!filter->inode && !valid_kernel_ip(filter->offset))
+-                      return -EINVAL;
++              if (!filter->inode) {
++                      if (!valid_kernel_ip(filter->offset))
++                              return -EINVAL;
++
++                      if (!valid_kernel_ip(filter->offset + filter->size))
++                              return -EINVAL;
++              }
+               if (++range > pt_cap_get(PT_CAP_num_address_ranges))
+                       return -EOPNOTSUPP;
diff --git a/queue-4.7/perf-x86-intel-pt-fix-an-off-by-one-in-address-filter-configuration.patch b/queue-4.7/perf-x86-intel-pt-fix-an-off-by-one-in-address-filter-configuration.patch
new file mode 100644 (file)
index 0000000..aed3f6c
--- /dev/null
@@ -0,0 +1,57 @@
+From 95f60084acbcee6c466256cf26eb52191fad9edc Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Thu, 15 Sep 2016 18:13:50 +0300
+Subject: perf/x86/intel/pt: Fix an off-by-one in address filter configuration
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 95f60084acbcee6c466256cf26eb52191fad9edc upstream.
+
+PT address filter configuration requires that a range is specified by
+its first and last address, but at the moment we're obtaining the end
+of the range by adding user specified size to its start, which is off
+by one from what it actually needs to be.
+
+Fix this and make sure that zero-sized filters don't pass the filter
+validation.
+
+Reported-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: vince@deater.net
+Link: http://lkml.kernel.org/r/20160915151352.21306-2-alexander.shishkin@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/events/intel/pt.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/events/intel/pt.c
++++ b/arch/x86/events/intel/pt.c
+@@ -1081,7 +1081,7 @@ static int pt_event_addr_filters_validat
+       list_for_each_entry(filter, filters, entry) {
+               /* PT doesn't support single address triggers */
+-              if (!filter->range)
++              if (!filter->range || !filter->size)
+                       return -EOPNOTSUPP;
+               if (!filter->inode && !kernel_ip(filter->offset))
+@@ -1111,7 +1111,7 @@ static void pt_event_addr_filters_sync(s
+               } else {
+                       /* apply the offset */
+                       msr_a = filter->offset + offs[range];
+-                      msr_b = filter->size + msr_a;
++                      msr_b = filter->size + msr_a - 1;
+               }
+               filters->filter[range].msr_a  = msr_a;
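Review bot: The `- 1` added to `msr_b` in pt_event_addr_filters_sync() is safe only because pt_event_addr_filters_validate() now rejects `filter->size == 0`. With a zero size the end would fall one below the start, and nothing at the computation says so. I would add a comment there, for example `/* inclusive end; size != 0 is enforced by pt_event_addr_filters_validate() */`. The existing comment "PT doesn't support single address triggers" above the validate check also no longer covers the zero-size condition it now guards and could be extended. Both functions start and end outside their hunks.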
diff --git a/queue-4.7/perf-x86-intel-pt-fix-kernel-address-filter-s-offset-validation.patch b/queue-4.7/perf-x86-intel-pt-fix-kernel-address-filter-s-offset-validation.patch
new file mode 100644 (file)
index 0000000..803ea3b
--- /dev/null
@@ -0,0 +1,60 @@
+From ddfdad991e55b65c1cc4ee29502f6dceee04455a Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Thu, 15 Sep 2016 18:13:51 +0300
+Subject: perf/x86/intel/pt: Fix kernel address filter's offset validation
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit ddfdad991e55b65c1cc4ee29502f6dceee04455a upstream.
+
+The kernel_ip() filter is used mostly by the DS/LBR code to look at the
+branch addresses, but Intel PT also uses it to validate the address
+filter offsets for kernel addresses, for which it is not sufficient:
+supplying something in bits 64:48 that's not a sign extension of the lower
+address bits (like 0xf00d000000000000) throws a #GP.
+
+This patch adds address validation for the user supplied kernel filters.
+
+Reported-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: vince@deater.net
+Link: http://lkml.kernel.org/r/20160915151352.21306-3-alexander.shishkin@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/events/intel/pt.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/events/intel/pt.c
++++ b/arch/x86/events/intel/pt.c
+@@ -1074,6 +1074,11 @@ static void pt_addr_filters_fini(struct
+       event->hw.addr_filters = NULL;
+ }
++static inline bool valid_kernel_ip(unsigned long ip)
++{
++      return virt_addr_valid(ip) && kernel_ip(ip);
++}
++
+ static int pt_event_addr_filters_validate(struct list_head *filters)
+ {
+       struct perf_addr_filter *filter;
+@@ -1084,7 +1089,7 @@ static int pt_event_addr_filters_validat
+               if (!filter->range || !filter->size)
+                       return -EOPNOTSUPP;
+-              if (!filter->inode && !kernel_ip(filter->offset))
++              if (!filter->inode && !valid_kernel_ip(filter->offset))
+                       return -EINVAL;
+               if (++range > pt_cap_get(PT_CAP_num_address_ranges))
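Review bot: The new helper valid_kernel_ip() has no comment saying which addresses it accepts, and the choice of `virt_addr_valid()` needs one. As far as I know that macro tests for addresses backed by the direct map or the kernel image; it is not a canonical-address test. If so, it rejects the non-canonical values the commit message describes, but probably also kernel addresses outside those mappings, such as module text. Whether that is intended cannot be told from the hunk. A short comment on the helper would settle it, for example `/* Reject addresses that would #GP in the PT configuration path, e.g. non-canonical ones */`. pt_event_addr_filters_validate() continues outside the hunk.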
diff --git a/queue-4.7/pinctrl-pistachio-fix-mfio-pll_lock-pinmux.patch b/queue-4.7/pinctrl-pistachio-fix-mfio-pll_lock-pinmux.patch
new file mode 100644 (file)
index 0000000..464db8b
--- /dev/null
@@ -0,0 +1,52 @@
+From a32ac2912f97d7ea9b67eb67bb4aa30b9156a88e Mon Sep 17 00:00:00 2001
+From: James Hartley <james.hartley@imgtec.com>
+Date: Fri, 19 Aug 2016 12:03:23 +0100
+Subject: pinctrl: pistachio: fix mfio pll_lock pinmux
+
+From: James Hartley <james.hartley@imgtec.com>
+
+commit a32ac2912f97d7ea9b67eb67bb4aa30b9156a88e upstream.
+
+A previous patch attempted to fix the pinmuxes for mfio 84 - 89, but it
+omitted a change to pistachio_pin_group pistachio_groups, which results
+in incorrect pll_lock signals being routed.
+
+Apply the correct mux settings throughout the driver.
+
+fixes: cefc03e5995e ("pinctrl: Add Pistachio SoC pin control driver")
+fixes: e9adb336d0bf ("pinctrl: pistachio: fix mfio84-89 function description and pinmux.")
+Signed-off-by: James Hartley <james.hartley@imgtec.com>
+Reviewed-by: Sifan Naeem <Sifan.Naeem@imgtec.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/pinctrl-pistachio.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-pistachio.c
++++ b/drivers/pinctrl/pinctrl-pistachio.c
+@@ -809,17 +809,17 @@ static const struct pistachio_pin_group
+                          PADS_FUNCTION_SELECT2, 12, 0x3),
+       MFIO_MUX_PIN_GROUP(83, MIPS_PLL_LOCK, MIPS_TRACE_DATA, USB_DEBUG,
+                          PADS_FUNCTION_SELECT2, 14, 0x3),
+-      MFIO_MUX_PIN_GROUP(84, SYS_PLL_LOCK, MIPS_TRACE_DATA, USB_DEBUG,
++      MFIO_MUX_PIN_GROUP(84, AUDIO_PLL_LOCK, MIPS_TRACE_DATA, USB_DEBUG,
+                          PADS_FUNCTION_SELECT2, 16, 0x3),
+-      MFIO_MUX_PIN_GROUP(85, WIFI_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG,
++      MFIO_MUX_PIN_GROUP(85, RPU_V_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG,
+                          PADS_FUNCTION_SELECT2, 18, 0x3),
+-      MFIO_MUX_PIN_GROUP(86, BT_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG,
++      MFIO_MUX_PIN_GROUP(86, RPU_L_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG,
+                          PADS_FUNCTION_SELECT2, 20, 0x3),
+-      MFIO_MUX_PIN_GROUP(87, RPU_V_PLL_LOCK, DREQ2, SOCIF_DEBUG,
++      MFIO_MUX_PIN_GROUP(87, SYS_PLL_LOCK, DREQ2, SOCIF_DEBUG,
+                          PADS_FUNCTION_SELECT2, 22, 0x3),
+-      MFIO_MUX_PIN_GROUP(88, RPU_L_PLL_LOCK, DREQ3, SOCIF_DEBUG,
++      MFIO_MUX_PIN_GROUP(88, WIFI_PLL_LOCK, DREQ3, SOCIF_DEBUG,
+                          PADS_FUNCTION_SELECT2, 24, 0x3),
+-      MFIO_MUX_PIN_GROUP(89, AUDIO_PLL_LOCK, DREQ4, DREQ5,
++      MFIO_MUX_PIN_GROUP(89, BT_PLL_LOCK, DREQ4, DREQ5,
+                          PADS_FUNCTION_SELECT2, 26, 0x3),
+       PIN_GROUP(TCK, "tck"),
+       PIN_GROUP(TRSTN, "trstn"),
diff --git a/queue-4.7/pinctrl-sunxi-fix-uart1-cts-rts-pins-at-pg-on-a23-a33.patch b/queue-4.7/pinctrl-sunxi-fix-uart1-cts-rts-pins-at-pg-on-a23-a33.patch
new file mode 100644 (file)
index 0000000..de3262e
--- /dev/null
@@ -0,0 +1,57 @@
+From 486095fae3a8a6b1ae07c51844699d9bd5cfbebc Mon Sep 17 00:00:00 2001
+From: Icenowy Zheng <icenowy@aosc.xyz>
+Date: Tue, 23 Aug 2016 13:58:25 +0800
+Subject: pinctrl: sunxi: fix uart1 CTS/RTS pins at PG on A23/A33
+
+From: Icenowy Zheng <icenowy@aosc.xyz>
+
+commit 486095fae3a8a6b1ae07c51844699d9bd5cfbebc upstream.
+
+PG8, PG9 is said to be the CTS/RTS pins for UART1 according to the A23/33
+datasheets. However, the function is wrongly named "uart2" in the pinctrl
+driver. This patch fixes this by modifying them to be named "uart1".
+
+Signed-off-by: Icenowy Zheng <icenowy@aosc.xyz>
+Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/sunxi/pinctrl-sun8i-a23.c |    4 ++--
+ drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c |    4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/pinctrl/sunxi/pinctrl-sun8i-a23.c
++++ b/drivers/pinctrl/sunxi/pinctrl-sun8i-a23.c
+@@ -485,12 +485,12 @@ static const struct sunxi_desc_pin sun8i
+       SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 8),
+                 SUNXI_FUNCTION(0x0, "gpio_in"),
+                 SUNXI_FUNCTION(0x1, "gpio_out"),
+-                SUNXI_FUNCTION(0x2, "uart2"),         /* RTS */
++                SUNXI_FUNCTION(0x2, "uart1"),         /* RTS */
+                 SUNXI_FUNCTION_IRQ_BANK(0x4, 2, 8)),  /* PG_EINT8 */
+       SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 9),
+                 SUNXI_FUNCTION(0x0, "gpio_in"),
+                 SUNXI_FUNCTION(0x1, "gpio_out"),
+-                SUNXI_FUNCTION(0x2, "uart2"),         /* CTS */
++                SUNXI_FUNCTION(0x2, "uart1"),         /* CTS */
+                 SUNXI_FUNCTION_IRQ_BANK(0x4, 2, 9)),  /* PG_EINT9 */
+       SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 10),
+                 SUNXI_FUNCTION(0x0, "gpio_in"),
+--- a/drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c
++++ b/drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c
+@@ -407,12 +407,12 @@ static const struct sunxi_desc_pin sun8i
+       SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 8),
+                 SUNXI_FUNCTION(0x0, "gpio_in"),
+                 SUNXI_FUNCTION(0x1, "gpio_out"),
+-                SUNXI_FUNCTION(0x2, "uart2"),         /* RTS */
++                SUNXI_FUNCTION(0x2, "uart1"),         /* RTS */
+                 SUNXI_FUNCTION_IRQ_BANK(0x4, 1, 8)),  /* PG_EINT8 */
+       SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 9),
+                 SUNXI_FUNCTION(0x0, "gpio_in"),
+                 SUNXI_FUNCTION(0x1, "gpio_out"),
+-                SUNXI_FUNCTION(0x2, "uart2"),         /* CTS */
++                SUNXI_FUNCTION(0x2, "uart1"),         /* CTS */
+                 SUNXI_FUNCTION_IRQ_BANK(0x4, 1, 9)),  /* PG_EINT9 */
+       SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 10),
+                 SUNXI_FUNCTION(0x0, "gpio_in"),
diff --git a/queue-4.7/pnfs-ensure-layoutget-and-layoutreturn-are-properly-serialised.patch b/queue-4.7/pnfs-ensure-layoutget-and-layoutreturn-are-properly-serialised.patch
new file mode 100644 (file)
index 0000000..fa2156b
--- /dev/null
@@ -0,0 +1,55 @@
+From bf0291dd2267a2b9a4cd74d65249553d11bb45d6 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Sat, 3 Sep 2016 10:39:51 -0400
+Subject: pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit bf0291dd2267a2b9a4cd74d65249553d11bb45d6 upstream.
+
+According to RFC5661, the client is responsible for serialising
+LAYOUTGET and LAYOUTRETURN to avoid ambiguity. Consider the case
+where we send both in parallel.
+
+Client                                 Server
+======                                 ======
+LAYOUTGET(seqid=X)
+LAYOUTRETURN(seqid=X)
+                                       LAYOUTGET return seqid=X+1
+                                       LAYOUTRETURN return seqid=X+2
+Process LAYOUTRETURN
+          Forget layout stateid
+Process LAYOUTGET
+          Set seqid=X+1
+
+The client processes the layoutget/layoutreturn in the wrong order,
+and since the result of the layoutreturn was to clear the only
+existing layout segment, the client forgets the layout stateid.
+
+When the LAYOUTGET comes in, it is treated as having a completely
+new stateid, and so the client sets the wrong sequence id...
+
+Fix is to check if there are outstanding LAYOUTGET requests
+before we send the LAYOUTRETURN (note that LAYOUGET will already
+wait if it sees an outstanding LAYOUTRETURN).
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pnfs.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -876,6 +876,9 @@ void pnfs_clear_layoutreturn_waitbit(str
+ static bool
+ pnfs_prepare_layoutreturn(struct pnfs_layout_hdr *lo)
+ {
++      /* Serialise LAYOUTGET/LAYOUTRETURN */
++      if (atomic_read(&lo->plh_outstanding) != 0)
++              return false;
+       if (test_and_set_bit(NFS_LAYOUT_RETURN, &lo->plh_flags))
+               return false;
+       lo->plh_return_iomode = 0;
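Review bot: In pnfs_prepare_layoutreturn() the new `atomic_read(&lo->plh_outstanding)` test and the following `test_and_set_bit()` are two separate steps. The serialisation the commit message promises therefore holds only if every caller holds a lock that also covers increments of `plh_outstanding`. Nothing in the hunk states or asserts that. I would extend the new comment to name the lock, along the lines of `/* Serialise LAYOUTGET/LAYOUTRETURN; caller must hold the lock protecting plh_outstanding */`, or add a lockdep assertion if the lock is the one I assume. The hunk also does not show who retries the LAYOUTRETURN after this early `return false`, so that path is worth documenting as well. The function body continues outside the hunk.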
diff --git a/queue-4.7/pnfs-flexfiles-fix-an-oopsable-condition-when-connection-to-the-ds-fails.patch b/queue-4.7/pnfs-flexfiles-fix-an-oopsable-condition-when-connection-to-the-ds-fails.patch
new file mode 100644 (file)
index 0000000..b97401b
--- /dev/null
@@ -0,0 +1,155 @@
+From 3dc147359e3dcdf0648f1e2c11f62cfae3160df0 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Mon, 29 Aug 2016 15:12:54 -0400
+Subject: pNFS/flexfiles: Fix an Oopsable condition when connection to the DS fails
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit 3dc147359e3dcdf0648f1e2c11f62cfae3160df0 upstream.
+
+If the attempt to connect to a DS fails inside ff_layout_pg_init_read or
+ff_layout_pg_init_write, then we currently end up clearing the layout
+segment carried by the struct nfs_pageio_descriptor, causing an Oops
+when we later call into ff_layout_read_pagelist/ff_layout_write_pagelist.
+
+The fix is to ensure we return the layout and then retry.
+
+Fixes: 446ca2195303 ("pNFS/flexfiles: When initing reads or writes, we...")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c    |   37 ++++++++++++++----------------
+ fs/nfs/flexfilelayout/flexfilelayoutdev.c |   19 ++++++++-------
+ 2 files changed, 28 insertions(+), 28 deletions(-)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -806,11 +806,14 @@ ff_layout_choose_best_ds_for_read(struct
+ {
+       struct nfs4_ff_layout_segment *fls = FF_LAYOUT_LSEG(lseg);
+       struct nfs4_pnfs_ds *ds;
++      bool fail_return = false;
+       int idx;
+       /* mirrors are sorted by efficiency */
+       for (idx = start_idx; idx < fls->mirror_array_cnt; idx++) {
+-              ds = nfs4_ff_layout_prepare_ds(lseg, idx, false);
++              if (idx+1 == fls->mirror_array_cnt)
++                      fail_return = true;
++              ds = nfs4_ff_layout_prepare_ds(lseg, idx, fail_return);
+               if (ds) {
+                       *best_idx = idx;
+                       return ds;
+@@ -859,6 +862,7 @@ ff_layout_pg_init_read(struct nfs_pageio
+       struct nfs4_pnfs_ds *ds;
+       int ds_idx;
++retry:
+       /* Use full layout for now */
+       if (!pgio->pg_lseg)
+               ff_layout_pg_get_read(pgio, req, false);
+@@ -871,10 +875,13 @@ ff_layout_pg_init_read(struct nfs_pageio
+       ds = ff_layout_choose_best_ds_for_read(pgio->pg_lseg, 0, &ds_idx);
+       if (!ds) {
+-              if (ff_layout_no_fallback_to_mds(pgio->pg_lseg))
+-                      goto out_pnfs;
+-              else
++              if (!ff_layout_no_fallback_to_mds(pgio->pg_lseg))
+                       goto out_mds;
++              pnfs_put_lseg(pgio->pg_lseg);
++              pgio->pg_lseg = NULL;
++              /* Sleep for 1 second before retrying */
++              ssleep(1);
++              goto retry;
+       }
+       mirror = FF_LAYOUT_COMP(pgio->pg_lseg, ds_idx);
+@@ -890,12 +897,6 @@ out_mds:
+       pnfs_put_lseg(pgio->pg_lseg);
+       pgio->pg_lseg = NULL;
+       nfs_pageio_reset_read_mds(pgio);
+-      return;
+-
+-out_pnfs:
+-      pnfs_set_lo_fail(pgio->pg_lseg);
+-      pnfs_put_lseg(pgio->pg_lseg);
+-      pgio->pg_lseg = NULL;
+ }
+ static void
+@@ -909,6 +910,7 @@ ff_layout_pg_init_write(struct nfs_pagei
+       int i;
+       int status;
++retry:
+       if (!pgio->pg_lseg) {
+               pgio->pg_lseg = pnfs_update_layout(pgio->pg_inode,
+                                                  req->wb_context,
+@@ -940,10 +942,13 @@ ff_layout_pg_init_write(struct nfs_pagei
+       for (i = 0; i < pgio->pg_mirror_count; i++) {
+               ds = nfs4_ff_layout_prepare_ds(pgio->pg_lseg, i, true);
+               if (!ds) {
+-                      if (ff_layout_no_fallback_to_mds(pgio->pg_lseg))
+-                              goto out_pnfs;
+-                      else
++                      if (!ff_layout_no_fallback_to_mds(pgio->pg_lseg))
+                               goto out_mds;
++                      pnfs_put_lseg(pgio->pg_lseg);
++                      pgio->pg_lseg = NULL;
++                      /* Sleep for 1 second before retrying */
++                      ssleep(1);
++                      goto retry;
+               }
+               pgm = &pgio->pg_mirrors[i];
+               mirror = FF_LAYOUT_COMP(pgio->pg_lseg, i);
+@@ -956,12 +961,6 @@ out_mds:
+       pnfs_put_lseg(pgio->pg_lseg);
+       pgio->pg_lseg = NULL;
+       nfs_pageio_reset_write_mds(pgio);
+-      return;
+-
+-out_pnfs:
+-      pnfs_set_lo_fail(pgio->pg_lseg);
+-      pnfs_put_lseg(pgio->pg_lseg);
+-      pgio->pg_lseg = NULL;
+ }
+ static unsigned int
+--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+@@ -379,7 +379,7 @@ nfs4_ff_layout_prepare_ds(struct pnfs_la
+       devid = &mirror->mirror_ds->id_node;
+       if (ff_layout_test_devid_unavailable(devid))
+-              goto out;
++              goto out_fail;
+       ds = mirror->mirror_ds->ds;
+       /* matching smp_wmb() in _nfs4_pnfs_v3/4_ds_connect */
+@@ -405,15 +405,16 @@ nfs4_ff_layout_prepare_ds(struct pnfs_la
+                       mirror->mirror_ds->ds_versions[0].rsize = max_payload;
+               if (mirror->mirror_ds->ds_versions[0].wsize > max_payload)
+                       mirror->mirror_ds->ds_versions[0].wsize = max_payload;
+-      } else {
+-              ff_layout_track_ds_error(FF_LAYOUT_FROM_HDR(lseg->pls_layout),
+-                                       mirror, lseg->pls_range.offset,
+-                                       lseg->pls_range.length, NFS4ERR_NXIO,
+-                                       OP_ILLEGAL, GFP_NOIO);
+-              if (fail_return || !ff_layout_has_available_ds(lseg))
+-                      pnfs_error_mark_layout_for_return(ino, lseg);
+-              ds = NULL;
++              goto out;
+       }
++      ff_layout_track_ds_error(FF_LAYOUT_FROM_HDR(lseg->pls_layout),
++                               mirror, lseg->pls_range.offset,
++                               lseg->pls_range.length, NFS4ERR_NXIO,
++                               OP_ILLEGAL, GFP_NOIO);
++out_fail:
++      if (fail_return || !ff_layout_has_available_ds(lseg))
++              pnfs_error_mark_layout_for_return(ino, lseg);
++      ds = NULL;
+ out:
+       return ds;
+ }
diff --git a/queue-4.7/pnfs-the-client-must-not-do-i-o-to-the-ds-if-it-s-lease-has-expired.patch b/queue-4.7/pnfs-the-client-must-not-do-i-o-to-the-ds-if-it-s-lease-has-expired.patch
new file mode 100644 (file)
index 0000000..04f6d3d
--- /dev/null
@@ -0,0 +1,34 @@
+From b88fa69eaa8649f11828158c7b65c4bcd886ebd5 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Tue, 23 Aug 2016 11:19:33 -0400
+Subject: pNFS: The client must not do I/O to the DS if it's lease has expired
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit b88fa69eaa8649f11828158c7b65c4bcd886ebd5 upstream.
+
+Ensure that the client conforms to the normative behaviour described in
+RFC5661 Section 12.7.2: "If a client believes its lease has expired,
+it MUST NOT send I/O to the storage device until it has validated its
+lease."
+
+So ensure that we wait for the lease to be validated before using
+the layout.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pnfs.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1527,6 +1527,7 @@ pnfs_update_layout(struct inode *ino,
+       }
+ lookup_again:
++      nfs4_client_recover_expired_lease(clp);
+       first = false;
+       spin_lock(&ino->i_lock);
+       lo = pnfs_find_alloc_layout(ino, ctx, gfp_flags);
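Review bot: The return value of the added `nfs4_client_recover_expired_lease(clp)` call in pnfs_update_layout() is discarded. If lease recovery fails or is interrupted, the code below `lookup_again:` therefore still proceeds to look up and use the layout. That does not meet the requirement quoted in the commit message, that the client must not send I/O until the lease has been validated. To my knowledge the function returns an int error code; if so, the result should be checked and a non-zero value should take the function's existing error exit instead of falling through. The error exit is outside the hunk, so exact lines are not proposed here.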
diff --git a/queue-4.7/powerpc-mm-don-t-alias-user-region-to-other-regions-below-page_offset.patch b/queue-4.7/powerpc-mm-don-t-alias-user-region-to-other-regions-below-page_offset.patch
new file mode 100644 (file)
index 0000000..5fa93bb
--- /dev/null
@@ -0,0 +1,58 @@
+From f077aaf0754bcba0fffdbd925bc12f09cd1e38aa Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Fri, 2 Sep 2016 21:47:59 +1000
+Subject: powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET
+
+From: Paul Mackerras <paulus@ozlabs.org>
+
+commit f077aaf0754bcba0fffdbd925bc12f09cd1e38aa upstream.
+
+In commit c60ac5693c47 ("powerpc: Update kernel VSID range", 2013-03-13)
+we lost a check on the region number (the top four bits of the effective
+address) for addresses below PAGE_OFFSET.  That commit replaced a check
+that the top 18 bits were all zero with a check that bits 46 - 59 were
+zero (performed for all addresses, not just user addresses).
+
+This means that userspace can access an address like 0x1000_0xxx_xxxx_xxxx
+and we will insert a valid SLB entry for it.  The VSID used will be the
+same as if the top 4 bits were 0, but the page size will be some random
+value obtained by indexing beyond the end of the mm_ctx_high_slices_psize
+array in the paca.  If that page size is the same as would be used for
+region 0, then userspace just has an alias of the region 0 space.  If the
+page size is different, then no HPTE will be found for the access, and
+the process will get a SIGSEGV (since hash_page_mm() will refuse to create
+a HPTE for the bogus address).
+
+The access beyond the end of the mm_ctx_high_slices_psize can be at most
+5.5MB past the array, and so will be in RAM somewhere.  Since the access
+is a load performed in real mode, it won't fault or crash the kernel.
+At most this bug could perhaps leak a little bit of information about
+blocks of 32 bytes of memory located at offsets of i * 512kB past the
+paca->mm_ctx_high_slices_psize array, for 1 <= i <= 11.
+
+Fixes: c60ac5693c47 ("powerpc: Update kernel VSID range")
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/slb_low.S |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/mm/slb_low.S
++++ b/arch/powerpc/mm/slb_low.S
+@@ -113,7 +113,12 @@ BEGIN_FTR_SECTION
+ END_MMU_FTR_SECTION_IFCLR(MMU_FTR_1T_SEGMENT)
+       b       slb_finish_load_1T
+-0:
++0:    /*
++       * For userspace addresses, make sure this is region 0.
++       */
++      cmpdi   r9, 0
++      bne     8f
++
+       /* when using slices, we extract the psize off the slice bitmaps
+        * and then we need to get the sllp encoding off the mmu_psize_defs
+        * array.
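Review bot: The new comment at label `0:` says what is checked but not what the check protects against, and the hunk does not show what `r9` holds or where `8f` leads. The commit message ties the bug to an index past the end of mm_ctx_high_slices_psize, so I would extend the comment to something like `r9 = region id (top 4 bits of the EA); a non-zero region would index past mm_ctx_high_slices_psize, so take the bad-address path`. Both halves of that wording should be confirmed against the surrounding code, since the routine starts and ends outside the hunk.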
diff --git a/queue-4.7/powerpc-powernv-drop-reference-added-by-kset_find_obj.patch b/queue-4.7/powerpc-powernv-drop-reference-added-by-kset_find_obj.patch
new file mode 100644 (file)
index 0000000..ffa48b2
--- /dev/null
@@ -0,0 +1,79 @@
+From a9cbf0b2195b695cbeeeecaa4e2770948c212e9a Mon Sep 17 00:00:00 2001
+From: Mukesh Ojha <mukesh02@linux.vnet.ibm.com>
+Date: Mon, 22 Aug 2016 12:17:44 +0530
+Subject: powerpc/powernv : Drop reference added by kset_find_obj()
+
+From: Mukesh Ojha <mukesh02@linux.vnet.ibm.com>
+
+commit a9cbf0b2195b695cbeeeecaa4e2770948c212e9a upstream.
+
+In a situation, where Linux kernel gets notified about duplicate error log
+from OPAL, it is been observed that kernel fails to remove sysfs entries
+(/sys/firmware/opal/elog/0xXXXXXXXX) of such error logs. This is because,
+we currently search the error log/dump kobject in the kset list via
+'kset_find_obj()' routine. Which eventually increment the reference count
+by one, once it founds the kobject.
+
+So, unless we decrement the reference count by one after it found the kobject,
+we would not be able to release the kobject properly later.
+
+This patch adds the 'kobject_put()' which was missing earlier.
+
+Signed-off-by: Mukesh Ojha <mukesh02@linux.vnet.ibm.com>
+Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/opal-dump.c |    7 ++++++-
+ arch/powerpc/platforms/powernv/opal-elog.c |    7 ++++++-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/opal-dump.c
++++ b/arch/powerpc/platforms/powernv/opal-dump.c
+@@ -370,6 +370,7 @@ static irqreturn_t process_dump(int irq,
+       uint32_t dump_id, dump_size, dump_type;
+       struct dump_obj *dump;
+       char name[22];
++      struct kobject *kobj;
+       rc = dump_read_info(&dump_id, &dump_size, &dump_type);
+       if (rc != OPAL_SUCCESS)
+@@ -381,8 +382,12 @@ static irqreturn_t process_dump(int irq,
+        * that gracefully and not create two conflicting
+        * entries.
+        */
+-      if (kset_find_obj(dump_kset, name))
++      kobj = kset_find_obj(dump_kset, name);
++      if (kobj) {
++              /* Drop reference added by kset_find_obj() */
++              kobject_put(kobj);
+               return 0;
++      }
+       dump = create_dump_obj(dump_id, dump_size, dump_type);
+       if (!dump)
+--- a/arch/powerpc/platforms/powernv/opal-elog.c
++++ b/arch/powerpc/platforms/powernv/opal-elog.c
+@@ -247,6 +247,7 @@ static irqreturn_t elog_event(int irq, v
+       uint64_t elog_type;
+       int rc;
+       char name[2+16+1];
++      struct kobject *kobj;
+       rc = opal_get_elog_size(&id, &size, &type);
+       if (rc != OPAL_SUCCESS) {
+@@ -269,8 +270,12 @@ static irqreturn_t elog_event(int irq, v
+        * that gracefully and not create two conflicting
+        * entries.
+        */
+-      if (kset_find_obj(elog_kset, name))
++      kobj = kset_find_obj(elog_kset, name);
++      if (kobj) {
++              /* Drop reference added by kset_find_obj() */
++              kobject_put(kobj);
+               return IRQ_HANDLED;
++      }
+       create_elog_obj(log_id, elog_size, elog_type);
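Review bot: In process_dump() the duplicate-entry branch still ends in `return 0;` although the handler is declared `irqreturn_t`, while the same branch in elog_event() returns `IRQ_HANDLED`. 0 is IRQ_NONE, which tells the IRQ core the interrupt was not handled; if duplicates repeat, the line can end up treated as spurious. Since the new block already rewrites this branch, `return IRQ_HANDLED;` would make the two handlers agree. Both functions continue outside the hunks.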
diff --git a/queue-4.7/powerpc-powernv-fix-corrupted-pe-allocation-bitmap-on-releasing-pe.patch b/queue-4.7/powerpc-powernv-fix-corrupted-pe-allocation-bitmap-on-releasing-pe.patch
new file mode 100644 (file)
index 0000000..97ea22b
--- /dev/null
@@ -0,0 +1,42 @@
+From caa58f808834fca9a4443233fd09df5ab639690d Mon Sep 17 00:00:00 2001
+From: Gavin Shan <gwshan@linux.vnet.ibm.com>
+Date: Tue, 6 Sep 2016 14:17:18 +1000
+Subject: powerpc/powernv: Fix corrupted PE allocation bitmap on releasing PE
+
+From: Gavin Shan <gwshan@linux.vnet.ibm.com>
+
+commit caa58f808834fca9a4443233fd09df5ab639690d upstream.
+
+In pnv_ioda_free_pe(), the PE object (including the associated PE
+number) is cleared before resetting the corresponding bit in the
+PE allocation bitmap. It means PE#0 is always released to the bitmap
+wrongly.
+
+This fixes above issue by caching the PE number before the PE object
+is cleared.
+
+Fixes: 1e9167726c41 ("powerpc/powernv: Use PE instead of number during setup and release"
+Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/pci-ioda.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powernv/pci-ioda.c
++++ b/arch/powerpc/platforms/powernv/pci-ioda.c
+@@ -156,11 +156,12 @@ static struct pnv_ioda_pe *pnv_ioda_allo
+ static void pnv_ioda_free_pe(struct pnv_ioda_pe *pe)
+ {
+       struct pnv_phb *phb = pe->phb;
++      unsigned int pe_num = pe->pe_number;
+       WARN_ON(pe->pdev);
+       memset(pe, 0, sizeof(struct pnv_ioda_pe));
+-      clear_bit(pe->pe_number, phb->ioda.pe_alloc);
++      clear_bit(pe_num, phb->ioda.pe_alloc);
+ }
+ /* The default M64 BAR is shared by all PEs */
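Review bot: Nothing in pnv_ioda_free_pe() records why `pe_num` is read before the `memset()`, so a later cleanup could fold it back into `clear_bit(pe->pe_number, ...)` and bring back the bug where bit 0 is released. A one-line comment above the new declaration would pin it: `/* Cache the PE number: the memset() below zeroes pe->pe_number */`. As a style point, `memset(pe, 0, sizeof(*pe));` ties the size to the pointer instead of repeating the type name.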
diff --git a/queue-4.7/powerpc-sysdev-cpm-fix-gpio-save_regs-functions.patch b/queue-4.7/powerpc-sysdev-cpm-fix-gpio-save_regs-functions.patch
new file mode 100644 (file)
index 0000000..bb2a697
--- /dev/null
@@ -0,0 +1,87 @@
+From 41017a7579cf49cb5513e17df1570dc918760079 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Thu, 11 Aug 2016 10:50:40 +0200
+Subject: powerpc: sysdev: cpm: fix gpio save_regs functions
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+commit 41017a7579cf49cb5513e17df1570dc918760079 upstream.
+
+of_mm_gpiochip_add_data() calls mm_gc->save_regs() before
+setting the data. Therefore ->save_regs() cannot use
+gpiochip_get_data()
+
+[    0.275940] Unable to handle kernel paging request for data at address 0x00000130
+[    0.283120] Faulting instruction address: 0xc01b44cc
+[    0.288175] Oops: Kernel access of bad area, sig: 11 [#1]
+[    0.293343] PREEMPT CMPC885
+[    0.296141] CPU: 0 PID: 1 Comm: swapper Not tainted 4.7.0-g65124df-dirty #68
+[    0.304131] task: c6074000 ti: c6080000 task.ti: c6080000
+[    0.309459] NIP: c01b44cc LR: c0011720 CTR: c0011708
+[    0.314372] REGS: c6081d90 TRAP: 0300   Not tainted  (4.7.0-g65124df-dirty)
+[    0.322267] MSR: 00009032 <EE,ME,IR,DR,RI>  CR: 24000028  XER: 20000000
+[    0.328813] DAR: 00000130 DSISR: c0000000
+GPR00: c01b6d0c c6081e40 c6074000 c6017000 c9028000 c601d028 c6081dd8 00000000
+GPR08: c601d028 00000000 ffffffff 00000001 24000044 00000000 c0002790 00000000
+GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 c05643b0 00000083
+GPR24: c04a1a6c c0560000 c04a8308 c04c6480 c0012498 c6017000 c7ffcc78 c6017000
+[    0.360806] NIP [c01b44cc] gpiochip_get_data+0x4/0xc
+[    0.365684] LR [c0011720] cpm1_gpio16_save_regs+0x18/0x44
+[    0.370972] Call Trace:
+[    0.373451] [c6081e50] [c01b6d0c] of_mm_gpiochip_add_data+0x70/0xdc
+[    0.379624] [c6081e70] [c00124c0] cpm_init_par_io+0x28/0x118
+[    0.385238] [c6081e80] [c04a8ac0] do_one_initcall+0xb0/0x17c
+[    0.390819] [c6081ef0] [c04a8cbc] kernel_init_freeable+0x130/0x1dc
+[    0.396924] [c6081f30] [c00027a4] kernel_init+0x14/0x110
+[    0.402177] [c6081f40] [c000b424] ret_from_kernel_thread+0x5c/0x64
+[    0.408233] Instruction dump:
+[    0.411168] 4182fafc 3f80c040 48234c6d 3bc0fff0 3b9c5ed0 4bfffaf4 81290020 712a0004
+[    0.418825] 4182fb34 48234c51 4bfffb2c 81230004 <80690130> 4e800020 7c0802a6 9421ffe0
+[    0.426763] ---[ end trace fe4113ee21d72ffa ]---
+
+fixes: e65078f1f3490 ("powerpc: sysdev: cpm1: use gpiochip data pointer")
+fixes: a14a2d484b386 ("powerpc: cpm_common: use gpiochip data pointer")
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/sysdev/cpm1.c       |    6 ++++--
+ arch/powerpc/sysdev/cpm_common.c |    3 ++-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/sysdev/cpm1.c
++++ b/arch/powerpc/sysdev/cpm1.c
+@@ -534,7 +534,8 @@ struct cpm1_gpio16_chip {
+ static void cpm1_gpio16_save_regs(struct of_mm_gpio_chip *mm_gc)
+ {
+-      struct cpm1_gpio16_chip *cpm1_gc = gpiochip_get_data(&mm_gc->gc);
++      struct cpm1_gpio16_chip *cpm1_gc =
++              container_of(mm_gc, struct cpm1_gpio16_chip, mm_gc);
+       struct cpm_ioport16 __iomem *iop = mm_gc->regs;
+       cpm1_gc->cpdata = in_be16(&iop->dat);
+@@ -649,7 +650,8 @@ struct cpm1_gpio32_chip {
+ static void cpm1_gpio32_save_regs(struct of_mm_gpio_chip *mm_gc)
+ {
+-      struct cpm1_gpio32_chip *cpm1_gc = gpiochip_get_data(&mm_gc->gc);
++      struct cpm1_gpio32_chip *cpm1_gc =
++              container_of(mm_gc, struct cpm1_gpio32_chip, mm_gc);
+       struct cpm_ioport32b __iomem *iop = mm_gc->regs;
+       cpm1_gc->cpdata = in_be32(&iop->dat);
+--- a/arch/powerpc/sysdev/cpm_common.c
++++ b/arch/powerpc/sysdev/cpm_common.c
+@@ -82,7 +82,8 @@ struct cpm2_gpio32_chip {
+ static void cpm2_gpio32_save_regs(struct of_mm_gpio_chip *mm_gc)
+ {
+-      struct cpm2_gpio32_chip *cpm2_gc = gpiochip_get_data(&mm_gc->gc);
++      struct cpm2_gpio32_chip *cpm2_gc =
++              container_of(mm_gc, struct cpm2_gpio32_chip, mm_gc);
+       struct cpm2_ioports __iomem *iop = mm_gc->regs;
+       cpm2_gc->cpdata = in_be32(&iop->dat);
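Review bot: The three `container_of(mm_gc, ...)` replacements carry no comment saying why `gpiochip_get_data()` is avoided, and the reason is not visible in the code: per the commit message, of_mm_gpiochip_add_data() calls ->save_regs() before the chip data pointer is set. I would add `/* Runs before the gpiochip data is set: must not use gpiochip_get_data() */` above cpm1_gpio16_save_regs(), cpm1_gpio32_save_regs() and cpm2_gpio32_save_regs(). The lookup also depends on each chip struct embedding the of_mm_gpio_chip as a member named `mm_gc`. The struct definitions are outside the hunks, so that is worth confirming.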
diff --git a/queue-4.7/powerpc-tm-do-not-use-r13-for-tabort_syscall.patch b/queue-4.7/powerpc-tm-do-not-use-r13-for-tabort_syscall.patch
new file mode 100644 (file)
index 0000000..c0306d7
--- /dev/null
@@ -0,0 +1,54 @@
+From cc7786d3ee7e3c979799db834b528db2c0834c2e Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Mon, 25 Jul 2016 14:26:51 +1000
+Subject: powerpc/tm: do not use r13 for tabort_syscall
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit cc7786d3ee7e3c979799db834b528db2c0834c2e upstream.
+
+tabort_syscall runs with RI=1, so a nested recoverable machine
+check will load the paca into r13 and overwrite what we loaded
+it with, because exceptions returning to privileged mode do not
+restore r13.
+
+Fixes: b4b56f9ecab4 (powerpc/tm: Abort syscalls in active transactions)
+Signed-off-by: Nick Piggin <npiggin@gmail.com>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/entry_64.S |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/powerpc/kernel/entry_64.S
++++ b/arch/powerpc/kernel/entry_64.S
+@@ -368,13 +368,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
+ tabort_syscall:
+       /* Firstly we need to enable TM in the kernel */
+       mfmsr   r10
+-      li      r13, 1
+-      rldimi  r10, r13, MSR_TM_LG, 63-MSR_TM_LG
++      li      r9, 1
++      rldimi  r10, r9, MSR_TM_LG, 63-MSR_TM_LG
+       mtmsrd  r10, 0
+       /* tabort, this dooms the transaction, nothing else */
+-      li      r13, (TM_CAUSE_SYSCALL|TM_CAUSE_PERSISTENT)
+-      TABORT(R13)
++      li      r9, (TM_CAUSE_SYSCALL|TM_CAUSE_PERSISTENT)
++      TABORT(R9)
+       /*
+        * Return directly to userspace. We have corrupted user register state,
+@@ -382,8 +382,8 @@ tabort_syscall:
+        * resume after the tbegin of the aborted transaction with the
+        * checkpointed register state.
+        */
+-      li      r13, MSR_RI
+-      andc    r10, r10, r13
++      li      r9, MSR_RI
++      andc    r10, r10, r9
+       mtmsrd  r10, 1
+       mtspr   SPRN_SRR0, r11
+       mtspr   SPRN_SRR1, r12
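Review bot: tabort_syscall now uses r9 as scratch, but no comment records that r13 is off limits in this path, so it could be picked again in a later edit. I would add above `li r9, 1` a comment such as `/* Do not use r13 as scratch: with MSR[RI]=1 a nested machine check reloads it with the paca and it is not restored on return to privileged mode */`. The hunk does not show whether r9 is dead at this point. The commit treats it as free, which should be confirmed against the syscall entry code above the hunk.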
diff --git a/queue-4.7/rapidio-tsi721-fix-incorrect-detection-of-address-translation-condition.patch b/queue-4.7/rapidio-tsi721-fix-incorrect-detection-of-address-translation-condition.patch
new file mode 100644 (file)
index 0000000..55d549e
--- /dev/null
@@ -0,0 +1,39 @@
+From b30069291dc7f9b9a073c33d619818fe4a8e50de Mon Sep 17 00:00:00 2001
+From: Alexandre Bounine <alexandre.bounine@idt.com>
+Date: Thu, 1 Sep 2016 16:15:18 -0700
+Subject: rapidio/tsi721: fix incorrect detection of address translation condition
+
+From: Alexandre Bounine <alexandre.bounine@idt.com>
+
+commit b30069291dc7f9b9a073c33d619818fe4a8e50de upstream.
+
+Fix incorrect condition to identify involvment of a address translation
+mechanism.
+
+This bug results in NULL pointer kernel crash dump in cases when mapping
+of inbound RapidIO address range is requested within existing aprture.
+
+Link: http://lkml.kernel.org/r/20160901173144.2983-1-alexandre.bounine@idt.com
+Signed-off-by: Alexandre Bounine <alexandre.bounine@idt.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Andre van Herk <andre.van.herk@prodrive-technologies.com>
+Cc: Barry Wood <barry.wood@idt.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rapidio/devices/tsi721.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/rapidio/devices/tsi721.c
++++ b/drivers/rapidio/devices/tsi721.c
+@@ -1148,7 +1148,7 @@ static int tsi721_rio_map_inb_mem(struct
+               } else if (ibw_start < (ib_win->rstart + ib_win->size) &&
+                          (ibw_start + ibw_size) > ib_win->rstart) {
+                       /* Return error if address translation involved */
+-                      if (direct && ib_win->xlat) {
++                      if (!direct || ib_win->xlat) {
+                               ret = -EFAULT;
+                               break;
+                       }
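Review bot: The comment `/* Return error if address translation involved */` no longer describes the whole test, because `!direct || ib_win->xlat` rejects an overlapping request when either the new request or the existing window is translated. Something like `/* Overlap is only acceptable when neither the request nor the existing window uses address translation */` would match the code, assuming `direct` means an untranslated request (its definition is outside the hunk). Separately, the overlap test computes `ibw_start + ibw_size` and `ib_win->rstart + ib_win->size` with no wrap check in view. Whether the values are bounded earlier in tsi721_rio_map_inb_mem() cannot be told from here.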
diff --git a/queue-4.7/revert-wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch b/queue-4.7/revert-wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch
new file mode 100644 (file)
index 0000000..5feb48f
--- /dev/null
@@ -0,0 +1,63 @@
+From 4d0bd46a4d55383f7b925e6cf7865a77e0f0e020 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 8 Aug 2016 08:45:33 +0200
+Subject: Revert "wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel"
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 4d0bd46a4d55383f7b925e6cf7865a77e0f0e020 upstream.
+
+This reverts commit 3d5fdff46c4b2b9534fa2f9fc78e90a48e0ff724.
+
+Ben Hutchings pointed out that the commit isn't safe since it assumes
+that the structure used by the driver is iw_point, when in fact there's
+no way to know about that.
+
+Fortunately, the only driver in the tree that ever runs this code path
+is the wilc1000 staging driver, so it doesn't really matter.
+
+Clearly I should have investigated this better before applying, sorry.
+
+Reported-by: Ben Hutchings <ben@decadent.org.uk>
+Fixes: 3d5fdff46c4b ("wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/wext-core.c |   25 ++-----------------------
+ 1 file changed, 2 insertions(+), 23 deletions(-)
+
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -958,29 +958,8 @@ static int wireless_process_ioctl(struct
+                       return private(dev, iwr, cmd, info, handler);
+       }
+       /* Old driver API : call driver ioctl handler */
+-      if (dev->netdev_ops->ndo_do_ioctl) {
+-#ifdef CONFIG_COMPAT
+-              if (info->flags & IW_REQUEST_FLAG_COMPAT) {
+-                      int ret = 0;
+-                      struct iwreq iwr_lcl;
+-                      struct compat_iw_point *iwp_compat = (void *) &iwr->u.data;
+-
+-                      memcpy(&iwr_lcl, iwr, sizeof(struct iwreq));
+-                      iwr_lcl.u.data.pointer = compat_ptr(iwp_compat->pointer);
+-                      iwr_lcl.u.data.length = iwp_compat->length;
+-                      iwr_lcl.u.data.flags = iwp_compat->flags;
+-
+-                      ret = dev->netdev_ops->ndo_do_ioctl(dev, (void *) &iwr_lcl, cmd);
+-
+-                      iwp_compat->pointer = ptr_to_compat(iwr_lcl.u.data.pointer);
+-                      iwp_compat->length = iwr_lcl.u.data.length;
+-                      iwp_compat->flags = iwr_lcl.u.data.flags;
+-
+-                      return ret;
+-              } else
+-#endif
+-                      return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
+-      }
++      if (dev->netdev_ops->ndo_do_ioctl)
++              return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
+       return -EOPNOTSUPP;
+ }
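Review bot: After the revert the old-API branch hands `ifr` to `ndo_do_ioctl()` unchanged for every caller, compat ones included, and nothing in the code says that this is deliberate. A comment on the branch, for example `/* ifr is passed through as-is: the core cannot know the driver's private layout, so any compat handling is up to the driver */`, would record the reasoning from the commit message and discourage re-adding a generic conversion. wireless_process_ioctl() starts outside the hunk.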
diff --git a/queue-4.7/sched-core-fix-a-race-between-try_to_wake_up-and-a-woken-up-task.patch b/queue-4.7/sched-core-fix-a-race-between-try_to_wake_up-and-a-woken-up-task.patch
new file mode 100644 (file)
index 0000000..0457586
--- /dev/null
@@ -0,0 +1,146 @@
+From 135e8c9250dd5c8c9aae5984fde6f230d0cbfeaf Mon Sep 17 00:00:00 2001
+From: Balbir Singh <bsingharora@gmail.com>
+Date: Mon, 5 Sep 2016 13:16:40 +1000
+Subject: sched/core: Fix a race between try_to_wake_up() and a woken up task
+
+From: Balbir Singh <bsingharora@gmail.com>
+
+commit 135e8c9250dd5c8c9aae5984fde6f230d0cbfeaf upstream.
+
+The origin of the issue I've seen is related to
+a missing memory barrier between check for task->state and
+the check for task->on_rq.
+
+The task being woken up is already awake from a schedule()
+and is doing the following:
+
+       do {
+               schedule()
+               set_current_state(TASK_(UN)INTERRUPTIBLE);
+       } while (!cond);
+
+The waker, actually gets stuck doing the following in
+try_to_wake_up():
+
+       while (p->on_cpu)
+               cpu_relax();
+
+Analysis:
+
+The instance I've seen involves the following race:
+
+ CPU1                                  CPU2
+
+ while () {
+   if (cond)
+     break;
+   do {
+     schedule();
+     set_current_state(TASK_UN..)
+   } while (!cond);
+                                       wakeup_routine()
+                                         spin_lock_irqsave(wait_lock)
+   raw_spin_lock_irqsave(wait_lock)      wake_up_process()
+ }                                       try_to_wake_up()
+ set_current_state(TASK_RUNNING);        ..
+ list_del(&waiter.list);
+
+CPU2 wakes up CPU1, but before it can get the wait_lock and set
+current state to TASK_RUNNING the following occurs:
+
+ CPU3
+ wakeup_routine()
+ raw_spin_lock_irqsave(wait_lock)
+ if (!list_empty)
+   wake_up_process()
+   try_to_wake_up()
+   raw_spin_lock_irqsave(p->pi_lock)
+   ..
+   if (p->on_rq && ttwu_wakeup())
+   ..
+   while (p->on_cpu)
+     cpu_relax()
+   ..
+
+CPU3 tries to wake up the task on CPU1 again since it finds
+it on the wait_queue, CPU1 is spinning on wait_lock, but immediately
+after CPU2, CPU3 got it.
+
+CPU3 checks the state of p on CPU1, it is TASK_UNINTERRUPTIBLE and
+the task is spinning on the wait_lock. Interestingly since p->on_rq
+is checked under pi_lock, I've noticed that try_to_wake_up() finds
+p->on_rq to be 0. This was the most confusing bit of the analysis,
+but p->on_rq is changed under runqueue lock, rq_lock, the p->on_rq
+check is not reliable without this fix IMHO. The race is visible
+(based on the analysis) only when ttwu_queue() does a remote wakeup
+via ttwu_queue_remote. In which case the p->on_rq change is not
+done uder the pi_lock.
+
+The result is that after a while the entire system locks up on
+the raw_spin_irqlock_save(wait_lock) and the holder spins infintely
+
+Reproduction of the issue:
+
+The issue can be reproduced after a long run on my system with 80
+threads and having to tweak available memory to very low and running
+memory stress-ng mmapfork test. It usually takes a long time to
+reproduce. I am trying to work on a test case that can reproduce
+the issue faster, but thats work in progress. I am still testing the
+changes on my still in a loop and the tests seem OK thus far.
+
+Big thanks to Benjamin and Nick for helping debug this as well.
+Ben helped catch the missing barrier, Nick caught every missing
+bit in my theory.
+
+Signed-off-by: Balbir Singh <bsingharora@gmail.com>
+[ Updated comment to clarify matching barriers. Many
+  architectures do not have a full barrier in switch_to()
+  so that cannot be relied upon. ]
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Alexey Kardashevskiy <aik@ozlabs.ru>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Nicholas Piggin <nicholas.piggin@gmail.com>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/e02cce7b-d9ca-1ad0-7a61-ea97c7582b37@gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/core.c |   22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -2015,6 +2015,28 @@ try_to_wake_up(struct task_struct *p, un
+       success = 1; /* we're going to change ->state */
+       cpu = task_cpu(p);
++      /*
++       * Ensure we load p->on_rq _after_ p->state, otherwise it would
++       * be possible to, falsely, observe p->on_rq == 0 and get stuck
++       * in smp_cond_load_acquire() below.
++       *
++       * sched_ttwu_pending()                 try_to_wake_up()
++       *   [S] p->on_rq = 1;                  [L] P->state
++       *       UNLOCK rq->lock  -----.
++       *                              \
++       *                               +---   RMB
++       * schedule()                   /
++       *       LOCK rq->lock    -----'
++       *       UNLOCK rq->lock
++       *
++       * [task p]
++       *   [S] p->state = UNINTERRUPTIBLE     [L] p->on_rq
++       *
++       * Pairs with the UNLOCK+LOCK on rq->lock from the
++       * last wakeup of our task and the schedule that got our task
++       * current.
++       */
++      smp_rmb();
+       if (p->on_rq && ttwu_remote(p, wake_flags))
+               goto stat;
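Review bot: The added comment refers to `smp_cond_load_acquire() below`, while the commit message for this 4.7 backport describes the wait as `while (p->on_cpu) cpu_relax();`. If the 4.7 tree still has the open-coded loop, the comment names a helper that does not appear in the function; rewording to `get stuck spinning on p->on_cpu below` reads correctly in either form. The diagram also writes `[L] P->state` with a capital P where `p->state` is meant. try_to_wake_up() starts and ends outside the hunk, so the form of the loop should be checked there.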
diff --git a/queue-4.7/serial-8250-added-acces-i-o-products-quad-and-octal-serial-cards.patch b/queue-4.7/serial-8250-added-acces-i-o-products-quad-and-octal-serial-cards.patch
new file mode 100644 (file)
index 0000000..886d554
--- /dev/null
@@ -0,0 +1,175 @@
+From c8d192428f52f244130b84650ad616df09f2b1e1 Mon Sep 17 00:00:00 2001
+From: Jimi Damon <jdamon@accesio.com>
+Date: Wed, 20 Jul 2016 17:00:40 -0700
+Subject: serial: 8250: added acces i/o products quad and octal serial cards
+
+From: Jimi Damon <jdamon@accesio.com>
+
+commit c8d192428f52f244130b84650ad616df09f2b1e1 upstream.
+
+Added devices ids for acces i/o products quad and octal serial cards
+that make use of existing Pericom PI7C9X7954 and PI7C9X7958
+configurations .
+
+Signed-off-by: Jimi Damon <jdamon@accesio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_pci.c |  139 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 139 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -1939,6 +1939,43 @@ pci_wch_ch38x_setup(struct serial_privat
+ #define PCI_DEVICE_ID_PERICOM_PI7C9X7954      0x7954
+ #define PCI_DEVICE_ID_PERICOM_PI7C9X7958      0x7958
++#define PCI_VENDOR_ID_ACCESIO                 0x494f
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SDB   0x1051
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2S    0x1053
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB   0x105C
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4S    0x105E
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_2DB 0x1091
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_2  0x1093
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB 0x1099
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_4  0x109B
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SMDB  0x10D1
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2SM   0x10D3
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB  0x10DA
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4SM   0x10DC
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1  0x1108
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_2  0x1110
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_2  0x1111
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4  0x1118
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_4  0x1119
++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2S     0x1152
++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S     0x115A
++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_2   0x1190
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_2  0x1191
++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4   0x1198
++#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_4  0x1199
++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2SM    0x11D0
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4   0x105A
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4   0x105B
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM422_8   0x106A
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM485_8   0x106B
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4   0x1098
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_8   0x10A9
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM    0x10D9
++#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_8SM    0x10E9
++#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM    0x11D8
++
++
++
+ /* Unknown vendors/cards - this should not be in linux/pci_ids.h */
+ #define PCI_SUBDEVICE_ID_UNKNOWN_0x1584       0x1584
+ #define PCI_SUBDEVICE_ID_UNKNOWN_0x1588       0x1588
+@@ -5093,6 +5130,108 @@ static struct pci_device_id serial_pci_t
+               0,
+               0, pbn_pericom_PI7C9X7958 },
+       /*
++       * ACCES I/O Products quad
++       */
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SDB,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2S,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4S,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_2DB,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_2,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_4,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SMDB,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2SM,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4SM,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_2,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_2,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_4,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2S,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_2,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_2,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_4,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2SM,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7954 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7958 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7958 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM422_8,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7958 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM485_8,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7958 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7958 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_8,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7958 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7958 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_8SM,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7958 },
++      {       PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM,
++              PCI_ANY_ID, PCI_ANY_ID, 0, 0,
++              pbn_pericom_PI7C9X7958 },
++      /*
+        * Topic TP560 Data/Fax/Voice 56k modem (reported by Evan Clarke)
+        */
+       {       PCI_VENDOR_ID_TOPIC, PCI_DEVICE_ID_TOPIC_TP560,
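Review bot: Every new ACCES entry is bound to a Pericom board config regardless of the port count in its name. `PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1` and the `_2S`/`_2` parts use `pbn_pericom_PI7C9X7954`, and the `_4` COM parts in the second group use `pbn_pericom_PI7C9X7958`. If those configs register four and eight ports, as their names suggest, the smaller cards would expose UARTs that are not wired up; this needs checking against the board table, which is outside the hunk. The table comment `ACCES I/O Products quad` also sits over the entries bound to the PI7C9X7958 config, so a second comment before `PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4` would help. The defines are not in numeric order either (0x105A follows 0x11D0), which makes duplicate IDs harder to spot.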
diff --git a/queue-4.7/serial-8250_mid-fix-divide-error-bug-if-baud-rate-is-0.patch b/queue-4.7/serial-8250_mid-fix-divide-error-bug-if-baud-rate-is-0.patch
new file mode 100644 (file)
index 0000000..3ec12b0
--- /dev/null
@@ -0,0 +1,35 @@
+From 47b34d2ef266e2c283b514d65c8963c2ccd42474 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Fri, 1 Jul 2016 17:21:49 +0300
+Subject: serial: 8250_mid: fix divide error bug if baud rate is 0
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 47b34d2ef266e2c283b514d65c8963c2ccd42474 upstream.
+
+Since the commit c1a67b48f6a5 ("serial: 8250_pci: replace switch-case by
+formula for Intel MID"), the 8250 driver crashes in the byt_set_termios()
+function with a divide error. This is caused by the fact that a baud rate of 0
+(B0) is not handled properly. Fix it by falling back to B9600 in this case.
+
+Reported-by: "Mendez Salinas, Fernando" <fernando.mendez.salinas@intel.com>
+Fixes: c1a67b48f6a5 ("serial: 8250_pci: replace switch-case by formula for Intel MID")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_mid.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_mid.c
++++ b/drivers/tty/serial/8250/8250_mid.c
+@@ -154,6 +154,9 @@ static void mid8250_set_termios(struct u
+       unsigned long w = BIT(24) - 1;
+       unsigned long mul, div;
++      /* Gracefully handle the B0 case: fall back to B9600 */
++      fuart = fuart ? fuart : 9600 * 16;
++
+       if (mid->board->freq < fuart) {
+               /* Find prescaler value that satisfies Fuart < Fref */
+               if (mid->board->freq > baud)
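Review bot: Only `fuart` is normalised for B0; `baud` itself stays 0 and is still read by the `mid->board->freq > baud` comparison a few lines below the added fallback. Any use of `baud` as a divisor further down that branch (not visible in this hunk) would remain exposed whenever the reference clock is below `9600 * 16`. Normalising the input once, e.g. `if (!baud) baud = 9600;` before `fuart` is derived from it, would cover both paths and remove the hard-coded `9600 * 16`. mid8250_set_termios() starts above and continues below this hunk, so the declaration of `baud` and the rest of the prescaler branch need to be checked against this.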
index d7bf1f6b74c3218a2b806df0c74c1d002afa16a9..c3ead99d5d52c7aa9dff3204faa5ba935cb8ca30 100644 (file)
@@ -33,3 +33,107 @@ ipv6-addrconf-fix-dev-refcont-leak-when-dad-failed.patch
 tcp-fastopen-avoid-negative-sk_forward_alloc.patch
 net-mlx5e-fix-parsing-of-vlan-packets-when-updating-lro-header.patch
 tcp-cwnd-does-not-increase-in-tcp-yeah.patch
+powerpc-tm-do-not-use-r13-for-tabort_syscall.patch
+powerpc-powernv-drop-reference-added-by-kset_find_obj.patch
+powerpc-sysdev-cpm-fix-gpio-save_regs-functions.patch
+powerpc-mm-don-t-alias-user-region-to-other-regions-below-page_offset.patch
+powerpc-powernv-fix-corrupted-pe-allocation-bitmap-on-releasing-pe.patch
+kernfs-don-t-depend-on-d_find_any_alias-when-generating-notifications.patch
+pnfs-flexfiles-fix-an-oopsable-condition-when-connection-to-the-ds-fails.patch
+pnfs-the-client-must-not-do-i-o-to-the-ds-if-it-s-lease-has-expired.patch
+nfsv4.1-fix-oopsable-condition-in-server-callback-races.patch
+nfsv4.x-fix-a-refcount-leak-in-nfs_callback_up_net.patch
+nfsd-close-race-between-nfsd4_release_lockowner-and-nfsd4_lock.patch
+pnfs-ensure-layoutget-and-layoutreturn-are-properly-serialised.patch
+nfsv4.1-fix-the-create_session-slot-number-accounting.patch
+kexec-fix-double-free-when-failing-to-relocate-the-purgatory.patch
+mm-oom-prevent-premature-oom-killer-invocation-for-high-order-request.patch
+mm-mempolicy-task-mempolicy-must-be-null-before-dropping-final-reference.patch
+ahci-disable-correct-irq-for-dummy-ports.patch
+rapidio-tsi721-fix-incorrect-detection-of-address-translation-condition.patch
+mm-introduce-get_task_exe_file.patch
+audit-fix-exe_file-access-in-audit_exe_compare.patch
+dm-flakey-fix-reads-to-be-issued-if-drop_writes-configured.patch
+ib-hfi1-ib-qib-fix-qp_stats-sleep-with-rcu-read-lock-held.patch
+ib-uverbs-fix-race-between-uverbs_close-and-remove_one.patch
+ib-hfi1-reset-qsfp-on-every-run-through-channel-tuning.patch
+mm-fix-cache-mode-of-dax-pmd-mappings.patch
+x86-paravirt-do-not-trace-_paravirt_ident_-functions.patch
+x86-amd-apply-erratum-665-on-machines-without-a-bios-fix.patch
+kvm-s390-don-t-use-current-thread.fpu.-when-accessing-registers.patch
+kvm-arm-unmap-shadow-pagetables-properly.patch
+kvm-x86-correctly-reset-dest_map-vector-when-restoring-lapic-state.patch
+iio-accel-kxsd9-fix-raw-read-return.patch
+iio-sw-trigger-fix-config-group-initialization.patch
+iio-proximity-as3935-set-up-buffer-timestamps-for-non-zero-values.patch
+iio-adc-rockchip_saradc-reset-saradc-controller-before-programming-it.patch
+iio-adc-ti_am335x_adc-protect-fifo1-from-concurrent-access.patch
+iio-adc-ti_am335x_adc-increase-timeout-value-waiting-for-adc-sample.patch
+iio-ti-ads1015-fix-a-wrong-pointer-definition.patch
+iio-ad799x-fix-buffered-capture-for-ad7991-ad7995-ad7999.patch
+iio-humidity-am2315-set-up-buffer-timestamps-for-non-zero-values.patch
+iio-adc-at91-unbreak-channel-adc-channel-3.patch
+iio-humidity-hdc100x-fix-sensor-data-reads-of-temp-and-humidity.patch
+iio-accel-bmc150-reset-chip-at-init-time.patch
+iio-fix-pressure-data-output-unit-in-hid-sensor-attributes.patch
+iio-accel-kxsd9-fix-scaling-bug.patch
+iio-core-fix-iio_val_fractional-sign-handling.patch
+iio-ensure-ret-is-initialized-to-zero-before-entering-do-loop.patch
+serial-8250_mid-fix-divide-error-bug-if-baud-rate-is-0.patch
+serial-8250-added-acces-i-o-products-quad-and-octal-serial-cards.patch
+usb-serial-simple-add-support-for-another-infineon-flashloader.patch
+usb-gadget-udc-renesas-usb3-clear-vbout-bit-in-drd_con.patch
+usb-renesas_usbhs-fix-clearing-the-brdy-bemp-sts-condition.patch
+usb-chipidea-udc-fix-null-ptr-dereference-in-isr_setup_status_phase.patch
+arm-dts-stih410-handle-interconnect-clock-required-by-ehci-ohci-usb.patch
+usb-change-binterval-default-to-10-ms.patch
+devpts-return-null-pts-priv-entry-for-non-devpts-nodes.patch
+cxl-use-pcibios_free_controller_deferred-when-removing-vphbs.patch
+net-thunderx-fix-oops-with-ethtool-register-dump.patch
+net-macb-correct-caps-mask.patch
+cpuset-make-sure-new-tasks-conform-to-the-current-config-of-the-cpuset.patch
+arm-dts-rockchip-add-reset-node-for-the-exist-saradc-socs.patch
+arm-am43xx-hwmod-fix-rstst-register-offset-for-pruss.patch
+arm-imx6-add-missing-bm_clpcr_byp_mmdc_ch0_lpm_hs-setting-for-imx6ul.patch
+arm-imx6-add-missing-bm_clpcr_bypass_pmic_ready-setting-for-imx6sx.patch
+arm-kirkwood-ib62x0-fix-size-of-u-boot-environment-partition.patch
+arm-omap3-hwmod-data-add-sysc-information-for-dsi.patch
+arm-dts-kirkwood-fix-pcie-label-on-openrd.patch
+arm-dts-imx6qdl-fix-spdif-regression.patch
+arm-dts-armada-388-clearfog-number-lan-ports-properly.patch
+arm-dts-overo-fix-gpmc-nand-cs0-range.patch
+arm-dts-overo-fix-gpmc-nand-on-boards-with-ethernet.patch
+arm-dts-stih407-family-provide-interconnect-clock-for-consumption-in-st-sdhci.patch
+bus-arm-ccn-fix-pmu-handling-of-mn.patch
+bus-arm-ccn-do-not-attempt-to-configure-xps-for-cycle-counter.patch
+bus-arm-ccn-fix-xp-watchpoint-settings-bitmask.patch
+dm-log-writes-fix-check-of-kthread_run-return-value.patch
+dm-crypt-fix-free-of-bad-values-after-tfm-allocation-failure.patch
+dm-log-writes-move-io-accounting-earlier-to-fix-error-path.patch
+dm-crypt-fix-error-with-too-large-bios.patch
+pinctrl-pistachio-fix-mfio-pll_lock-pinmux.patch
+pinctrl-sunxi-fix-uart1-cts-rts-pins-at-pg-on-a23-a33.patch
+memory-omap-gpmc-allow-probe-of-child-nodes-to-fail.patch
+arm64-spinlocks-implement-smp_mb__before_spinlock-as-smp_mb.patch
+crypto-cryptd-initialize-child-shash_desc-on-import.patch
+btrfs-remove-root_log_ctx-from-ctx-list-before-btrfs_sync_log-returns.patch
+fuse-direct-io-don-t-dirty-iter_bvec-pages.patch
+xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch
+brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg80211_start_ap.patch
+md-cluster-make-md-cluster-also-can-work-when-compiled-into-kernel.patch
+ath9k-fix-using-sta-drv_priv-before-initializing-it.patch
+ath9k-bring-back-direction-setting-in-ath9k_-start_stop.patch
+perf-x86-intel-fix-pebsv3-record-drain.patch
+perf-x86-intel-cqm-check-cqm-mbm-enabled-state-in-event-init.patch
+perf-x86-amd-make-hw_cache_references-and-hw_cache_misses-measure-l2.patch
+perf-x86-intel-pt-fix-an-off-by-one-in-address-filter-configuration.patch
+perf-x86-intel-pt-fix-kernel-address-filter-s-offset-validation.patch
+perf-x86-intel-pt-do-validate-the-size-of-a-kernel-address-filter.patch
+revert-wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch
+sched-core-fix-a-race-between-try_to_wake_up-and-a-woken-up-task.patch
+ipv6-don-t-unset-flowi6_proto-in-ipxip6_tnl_xmit.patch
+efi-make-for_each_efi_memory_desc_in_map-cope-with-running-on-xen.patch
+efi-libstub-allocate-headspace-in-efi_get_memory_map.patch
+efi-libstub-introduce-exitbootservices-helper.patch
+efi-libstub-use-efi_exit_boot_services-in-fdt.patch
+x86-efi-use-efi_exit_boot_services.patch
diff --git a/queue-4.7/usb-change-binterval-default-to-10-ms.patch b/queue-4.7/usb-change-binterval-default-to-10-ms.patch
new file mode 100644 (file)
index 0000000..e2ffc43
--- /dev/null
@@ -0,0 +1,97 @@
+From 08c5cd37480f59ea39682f4585d92269be6b1424 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 16 Sep 2016 10:24:26 -0400
+Subject: USB: change bInterval default to 10 ms
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 08c5cd37480f59ea39682f4585d92269be6b1424 upstream.
+
+Some full-speed mceusb infrared transceivers contain invalid endpoint
+descriptors for their interrupt endpoints, with bInterval set to 0.
+In the past they have worked out okay with the mceusb driver, because
+the driver sets the bInterval field in the descriptor to 1,
+overwriting whatever value may have been there before.  However, this
+approach was never sanctioned by the USB core, and in fact it does not
+work with xHCI controllers, because they use the bInterval value that
+was present when the configuration was installed.
+
+Currently usbcore uses 32 ms as the default interval if the value in
+the endpoint descriptor is invalid.  It turns out that these IR
+transceivers don't work properly unless the interval is set to 10 ms
+or below.  To work around this mceusb problem, this patch changes the
+endpoint-descriptor parsing routine, making the default interval value
+be 10 ms rather than 32 ms.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Tested-by: Wade Berrier <wberrier@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/config.c |   28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -240,8 +240,10 @@ static int usb_parse_endpoint(struct dev
+       memcpy(&endpoint->desc, d, n);
+       INIT_LIST_HEAD(&endpoint->urb_list);
+-      /* Fix up bInterval values outside the legal range. Use 32 ms if no
+-       * proper value can be guessed. */
++      /*
++       * Fix up bInterval values outside the legal range.
++       * Use 10 or 8 ms if no proper value can be guessed.
++       */
+       i = 0;          /* i = min, j = max, n = default */
+       j = 255;
+       if (usb_endpoint_xfer_int(d)) {
+@@ -250,13 +252,15 @@ static int usb_parse_endpoint(struct dev
+               case USB_SPEED_SUPER_PLUS:
+               case USB_SPEED_SUPER:
+               case USB_SPEED_HIGH:
+-                      /* Many device manufacturers are using full-speed
++                      /*
++                       * Many device manufacturers are using full-speed
+                        * bInterval values in high-speed interrupt endpoint
+-                       * descriptors. Try to fix those and fall back to a
+-                       * 32 ms default value otherwise. */
++                       * descriptors. Try to fix those and fall back to an
++                       * 8-ms default value otherwise.
++                       */
+                       n = fls(d->bInterval*8);
+                       if (n == 0)
+-                              n = 9;  /* 32 ms = 2^(9-1) uframes */
++                              n = 7;  /* 8 ms = 2^(7-1) uframes */
+                       j = 16;
+                       /*
+@@ -271,10 +275,12 @@ static int usb_parse_endpoint(struct dev
+                       }
+                       break;
+               default:                /* USB_SPEED_FULL or _LOW */
+-                      /* For low-speed, 10 ms is the official minimum.
++                      /*
++                       * For low-speed, 10 ms is the official minimum.
+                        * But some "overclocked" devices might want faster
+-                       * polling so we'll allow it. */
+-                      n = 32;
++                       * polling so we'll allow it.
++                       */
++                      n = 10;
+                       break;
+               }
+       } else if (usb_endpoint_xfer_isoc(d)) {
+@@ -282,10 +288,10 @@ static int usb_parse_endpoint(struct dev
+               j = 16;
+               switch (to_usb_device(ddev)->speed) {
+               case USB_SPEED_HIGH:
+-                      n = 9;          /* 32 ms = 2^(9-1) uframes */
++                      n = 7;          /* 8 ms = 2^(7-1) uframes */
+                       break;
+               default:                /* USB_SPEED_FULL */
+-                      n = 6;          /* 32 ms = 2^(6-1) frames */
++                      n = 4;          /* 8 ms = 2^(4-1) frames */
+                       break;
+               }
+       }
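Review bot: The comment above `n = 10` in the full/low-speed `default:` case only discusses the low-speed minimum and never says why 10 is the fallback for an invalid, device-supplied bInterval. That rationale exists only in the commit message: some full-speed IR transceivers report bInterval 0 and need an interval of 10 ms or below. I would add a line such as `/* Default to 10 ms: some full-speed devices with bInterval 0 fail at longer intervals */` next to the assignment. The `n = 7` and `n = 4` defaults have the same gap, since their comments give the arithmetic but not the reason for 8 ms. usb_parse_endpoint() starts and ends outside these hunks.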
diff --git a/queue-4.7/usb-chipidea-udc-fix-null-ptr-dereference-in-isr_setup_status_phase.patch b/queue-4.7/usb-chipidea-udc-fix-null-ptr-dereference-in-isr_setup_status_phase.patch
new file mode 100644 (file)
index 0000000..b6c073f
--- /dev/null
@@ -0,0 +1,48 @@
+From 6f3c4fb6d05e63c9c6d8968302491c3a5457be61 Mon Sep 17 00:00:00 2001
+From: Clemens Gruber <clemens.gruber@pqgruber.com>
+Date: Mon, 5 Sep 2016 19:29:58 +0200
+Subject: usb: chipidea: udc: fix NULL ptr dereference in isr_setup_status_phase
+
+From: Clemens Gruber <clemens.gruber@pqgruber.com>
+
+commit 6f3c4fb6d05e63c9c6d8968302491c3a5457be61 upstream.
+
+Problems with the signal integrity of the high speed USB data lines or
+noise on reference ground lines can cause the i.MX6 USB controller to
+violate USB specs and exhibit unexpected behavior.
+
+It was observed that USBi_UI interrupts were triggered first and when
+isr_setup_status_phase was called, ci->status was NULL, which lead to a
+NULL pointer dereference kernel panic.
+
+This patch fixes the kernel panic, emits a warning once and returns
+-EPIPE to halt the device and let the host get stalled.
+It also adds a comment to point people, who are experiencing this issue,
+to their USB hardware design.
+
+Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/chipidea/udc.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/chipidea/udc.c
++++ b/drivers/usb/chipidea/udc.c
+@@ -949,6 +949,15 @@ static int isr_setup_status_phase(struct
+       int retval;
+       struct ci_hw_ep *hwep;
++      /*
++       * Unexpected USB controller behavior, caused by bad signal integrity
++       * or ground reference problems, can lead to isr_setup_status_phase
++       * being called with ci->status equal to NULL.
++       * If this situation occurs, you should review your USB hardware design.
++       */
++      if (WARN_ON_ONCE(!ci->status))
++              return -EPIPE;
++
+       hwep = (ci->ep0_dir == TX) ? ci->ep0out : ci->ep0in;
+       ci->status->context = ci;
+       ci->status->complete = isr_setup_status_complete;
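Review bot: `WARN_ON_ONCE(!ci->status)` fires on a condition that the added comment attributes to signal-integrity problems on the bus, which is outside the kernel's control. On systems booted with panic_on_warn a WARN is itself fatal, so the crash this guard is meant to remove would still occur there. A plain check with a one-time device message keeps the -EPIPE path without the backtrace: `if (!ci->status) { dev_warn_once(ci->dev, "no status request in setup status phase\n"); return -EPIPE; }`. This assumes `ci->dev` is the controller's struct device, which is not visible here. isr_setup_status_phase() continues past the end of the hunk.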
diff --git a/queue-4.7/usb-gadget-udc-renesas-usb3-clear-vbout-bit-in-drd_con.patch b/queue-4.7/usb-gadget-udc-renesas-usb3-clear-vbout-bit-in-drd_con.patch
new file mode 100644 (file)
index 0000000..7a47793
--- /dev/null
@@ -0,0 +1,40 @@
+From b2f1eaaee564c5593c303f4d15d827924cb6d20d Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Tue, 23 Aug 2016 21:11:13 +0900
+Subject: usb: gadget: udc: renesas-usb3: clear VBOUT bit in DRD_CON
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit b2f1eaaee564c5593c303f4d15d827924cb6d20d upstream.
+
+This driver should clear the bit. Otherwise, the VBUS will output
+wrongly if the usb port on a board has VBUS output capability.
+
+Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for
+                     Renesas USB3.0 peripheral controller")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/renesas_usb3.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/gadget/udc/renesas_usb3.c
++++ b/drivers/usb/gadget/udc/renesas_usb3.c
+@@ -106,6 +106,7 @@
+ /* DRD_CON */
+ #define DRD_CON_PERI_CON      BIT(24)
++#define DRD_CON_VBOUT         BIT(0)
+ /* USB_INT_ENA_1 and USB_INT_STA_1 */
+ #define USB_INT_1_B3_PLLWKUP  BIT(31)
+@@ -363,6 +364,7 @@ static void usb3_init_epc_registers(stru
+ {
+       /* FIXME: How to change host / peripheral mode as well? */
+       usb3_set_bit(usb3, DRD_CON_PERI_CON, USB3_DRD_CON);
++      usb3_clear_bit(usb3, DRD_CON_VBOUT, USB3_DRD_CON);
+       usb3_write(usb3, ~0, USB3_USB_INT_STA_1);
+       usb3_enable_irq_1(usb3, USB_INT_1_VBUS_CNG);
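Review bot: The new `usb3_clear_bit(usb3, DRD_CON_VBOUT, USB3_DRD_CON)` call has no comment, and the FIXME above it is about mode switching, so a reader cannot tell why VBOUT is cleared during EPC register init. I would add `/* Clear VBOUT so a port with VBUS output capability does not drive VBUS */` above the call, which restates the commit message. The `DRD_CON_VBOUT` define could take a matching short comment. usb3_init_epc_registers() continues past the end of the hunk.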
diff --git a/queue-4.7/usb-renesas_usbhs-fix-clearing-the-brdy-bemp-sts-condition.patch b/queue-4.7/usb-renesas_usbhs-fix-clearing-the-brdy-bemp-sts-condition.patch
new file mode 100644 (file)
index 0000000..a8e9048
--- /dev/null
@@ -0,0 +1,56 @@
+From 519d8bd4b5d3d82c413eac5bb42b106bb4b9ec15 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Mon, 29 Aug 2016 18:00:38 +0900
+Subject: usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 519d8bd4b5d3d82c413eac5bb42b106bb4b9ec15 upstream.
+
+The previous driver is possible to stop the transfer wrongly.
+For example:
+ 1) An interrupt happens, but not BRDY interruption.
+ 2) Read INTSTS0. And than state->intsts0 is not set to BRDY.
+ 3) BRDY is set to 1 here.
+ 4) Read BRDYSTS.
+ 5) Clear the BRDYSTS. And then. the BRDY is cleared wrongly.
+
+Remarks:
+ - The INTSTS0.BRDY is read only.
+  - If any bits of BRDYSTS are set to 1, the BRDY is set to 1.
+  - If BRDYSTS is 0, the BRDY is set to 0.
+
+So, this patch adds condition to avoid such situation. (And about
+NRDYSTS, this is not used for now. But, avoiding any side effects,
+this patch doesn't touch it.)
+
+Fixes: d5c6a1e024dd ("usb: renesas_usbhs: fixup interrupt status clear method")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/renesas_usbhs/mod.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/renesas_usbhs/mod.c
++++ b/drivers/usb/renesas_usbhs/mod.c
+@@ -282,9 +282,16 @@ static irqreturn_t usbhs_interrupt(int i
+       if (usbhs_mod_is_host(priv))
+               usbhs_write(priv, INTSTS1, ~irq_state.intsts1 & INTSTS1_MAGIC);
+-      usbhs_write(priv, BRDYSTS, ~irq_state.brdysts);
++      /*
++       * The driver should not clear the xxxSTS after the line of
++       * "call irq callback functions" because each "if" statement is
++       * possible to call the callback function for avoiding any side effects.
++       */
++      if (irq_state.intsts0 & BRDY)
++              usbhs_write(priv, BRDYSTS, ~irq_state.brdysts);
+       usbhs_write(priv, NRDYSTS, ~irq_state.nrdysts);
+-      usbhs_write(priv, BEMPSTS, ~irq_state.bempsts);
++      if (irq_state.intsts0 & BEMP)
++              usbhs_write(priv, BEMPSTS, ~irq_state.bempsts);
+       /*
+        * call irq callback functions
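Review bot: The comment added above the `if (irq_state.intsts0 & BRDY)` check is hard to follow and does not name the race that the conditional writes close. As the commit message describes it, a BRDYSTS bit can become set after INTSTS0 was sampled, and clearing it unconditionally then discards a status the driver never saw in INTSTS0. I would reword the comment to say exactly that, covering BEMPSTS too. It should also state that NRDYSTS is still cleared unconditionally on purpose, because it is currently unused. usbhs_interrupt() starts above and continues below this hunk.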
diff --git a/queue-4.7/usb-serial-simple-add-support-for-another-infineon-flashloader.patch b/queue-4.7/usb-serial-simple-add-support-for-another-infineon-flashloader.patch
new file mode 100644 (file)
index 0000000..3122814
--- /dev/null
@@ -0,0 +1,34 @@
+From f190fd92458da3e869b4e2c6289e2c617490ae53 Mon Sep 17 00:00:00 2001
+From: Daniele Palmas <dnlplm@gmail.com>
+Date: Fri, 2 Sep 2016 10:37:56 +0200
+Subject: USB: serial: simple: add support for another Infineon flashloader
+
+From: Daniele Palmas <dnlplm@gmail.com>
+
+commit f190fd92458da3e869b4e2c6289e2c617490ae53 upstream.
+
+This patch adds support for Infineon flashloader 0x8087/0x0801.
+
+The flashloader is used in Telit LE940B modem family with Telit
+flashing application.
+
+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/usb-serial-simple.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/usb-serial-simple.c
++++ b/drivers/usb/serial/usb-serial-simple.c
+@@ -54,7 +54,8 @@ DEVICE(funsoft, FUNSOFT_IDS);
+ /* Infineon Flashloader driver */
+ #define FLASHLOADER_IDS()             \
+       { USB_DEVICE_INTERFACE_CLASS(0x058b, 0x0041, USB_CLASS_CDC_DATA) }, \
+-      { USB_DEVICE(0x8087, 0x0716) }
++      { USB_DEVICE(0x8087, 0x0716) }, \
++      { USB_DEVICE(0x8087, 0x0801) }
+ DEVICE(flashloader, FLASHLOADER_IDS);
+ /* Google Serial USB SubClass */
diff --git a/queue-4.7/x86-amd-apply-erratum-665-on-machines-without-a-bios-fix.patch b/queue-4.7/x86-amd-apply-erratum-665-on-machines-without-a-bios-fix.patch
new file mode 100644 (file)
index 0000000..9d7e7f6
--- /dev/null
@@ -0,0 +1,55 @@
+From d1992996753132e2dafe955cccb2fb0714d3cfc4 Mon Sep 17 00:00:00 2001
+From: Emanuel Czirai <icanrealizeum@gmail.com>
+Date: Fri, 2 Sep 2016 07:35:50 +0200
+Subject: x86/AMD: Apply erratum 665 on machines without a BIOS fix
+
+From: Emanuel Czirai <icanrealizeum@gmail.com>
+
+commit d1992996753132e2dafe955cccb2fb0714d3cfc4 upstream.
+
+AMD F12h machines have an erratum which can cause DIV/IDIV to behave
+unpredictably. The workaround is to set MSRC001_1029[31] but sometimes
+there is no BIOS update containing that workaround so let's do it
+ourselves unconditionally. It is simple enough.
+
+[ Borislav: Wrote commit message. ]
+
+Signed-off-by: Emanuel Czirai <icanrealizeum@gmail.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Yaowu Xu <yaowu@google.com>
+Link: http://lkml.kernel.org/r/20160902053550.18097-1-bp@alien8.de
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/amd.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -669,6 +669,17 @@ static void init_amd_gh(struct cpuinfo_x
+               set_cpu_bug(c, X86_BUG_AMD_TLB_MMATCH);
+ }
++#define MSR_AMD64_DE_CFG      0xC0011029
++
++static void init_amd_ln(struct cpuinfo_x86 *c)
++{
++      /*
++       * Apply erratum 665 fix unconditionally so machines without a BIOS
++       * fix work.
++       */
++      msr_set_bit(MSR_AMD64_DE_CFG, 31);
++}
++
+ static void init_amd_bd(struct cpuinfo_x86 *c)
+ {
+       u64 value;
+@@ -726,6 +737,7 @@ static void init_amd(struct cpuinfo_x86
+       case 6:    init_amd_k7(c); break;
+       case 0xf:  init_amd_k8(c); break;
+       case 0x10: init_amd_gh(c); break;
++      case 0x12: init_amd_ln(c); break;
+       case 0x15: init_amd_bd(c); break;
+       }
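Review bot: The return value of `msr_set_bit(MSR_AMD64_DE_CFG, 31)` in init_amd_ln() is discarded. If the MSR cannot be written (for instance when a hypervisor rejects the access), the erratum 665 workaround is silently missing and DIV/IDIV may still misbehave. Assuming msr_set_bit() reports failure through a negative return, checking it would leave a trace for whoever has to diagnose that: `if (msr_set_bit(MSR_AMD64_DE_CFG, 31) < 0) pr_warn_once("erratum 665 workaround not applied\n");`. The bare `31` would also read better as a named bit constant next to the MSR define.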
diff --git a/queue-4.7/x86-efi-use-efi_exit_boot_services.patch b/queue-4.7/x86-efi-use-efi_exit_boot_services.patch
new file mode 100644 (file)
index 0000000..c651d3d
--- /dev/null
@@ -0,0 +1,193 @@
+From d64934019f6cc39202e2f78063709f61ca5cb364 Mon Sep 17 00:00:00 2001
+From: Jeffrey Hugo <jhugo@codeaurora.org>
+Date: Mon, 29 Aug 2016 14:38:54 -0600
+Subject: x86/efi: Use efi_exit_boot_services()
+
+From: Jeffrey Hugo <jhugo@codeaurora.org>
+
+commit d64934019f6cc39202e2f78063709f61ca5cb364 upstream.
+
+The eboot code directly calls ExitBootServices.  This is inadvisable as the
+UEFI spec details a complex set of errors, race conditions, and API
+interactions that the caller of ExitBootServices must get correct.  The
+eboot code attempts allocations after calling ExitBootSerives which is
+not permitted per the spec.  Call the efi_exit_boot_services() helper
+intead, which handles the allocation scenario properly.
+
+Signed-off-by: Jeffrey Hugo <jhugo@codeaurora.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Leif Lindholm <leif.lindholm@linaro.org>
+Cc: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/boot/compressed/eboot.c |  134 +++++++++++++++++++--------------------
+ 1 file changed, 66 insertions(+), 68 deletions(-)
+
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -1006,85 +1006,87 @@ static efi_status_t alloc_e820ext(u32 nr
+       return status;
+ }
++struct exit_boot_struct {
++      struct boot_params *boot_params;
++      struct efi_info *efi;
++      struct setup_data *e820ext;
++      __u32 e820ext_size;
++      bool is64;
++};
++
++static efi_status_t exit_boot_func(efi_system_table_t *sys_table_arg,
++                                 struct efi_boot_memmap *map,
++                                 void *priv)
++{
++      static bool first = true;
++      const char *signature;
++      __u32 nr_desc;
++      efi_status_t status;
++      struct exit_boot_struct *p = priv;
++
++      if (first) {
++              nr_desc = *map->buff_size / *map->desc_size;
++              if (nr_desc > ARRAY_SIZE(p->boot_params->e820_map)) {
++                      u32 nr_e820ext = nr_desc -
++                                      ARRAY_SIZE(p->boot_params->e820_map);
++
++                      status = alloc_e820ext(nr_e820ext, &p->e820ext,
++                                             &p->e820ext_size);
++                      if (status != EFI_SUCCESS)
++                              return status;
++              }
++              first = false;
++      }
++
++      signature = p->is64 ? EFI64_LOADER_SIGNATURE : EFI32_LOADER_SIGNATURE;
++      memcpy(&p->efi->efi_loader_signature, signature, sizeof(__u32));
++
++      p->efi->efi_systab = (unsigned long)sys_table_arg;
++      p->efi->efi_memdesc_size = *map->desc_size;
++      p->efi->efi_memdesc_version = *map->desc_ver;
++      p->efi->efi_memmap = (unsigned long)*map->map;
++      p->efi->efi_memmap_size = *map->map_size;
++
++#ifdef CONFIG_X86_64
++      p->efi->efi_systab_hi = (unsigned long)sys_table_arg >> 32;
++      p->efi->efi_memmap_hi = (unsigned long)*map->map >> 32;
++#endif
++
++      return EFI_SUCCESS;
++}
++
+ static efi_status_t exit_boot(struct boot_params *boot_params,
+                             void *handle, bool is64)
+ {
+-      struct efi_info *efi = &boot_params->efi_info;
+       unsigned long map_sz, key, desc_size, buff_size;
+       efi_memory_desc_t *mem_map;
+       struct setup_data *e820ext;
+-      const char *signature;
+       __u32 e820ext_size;
+-      __u32 nr_desc, prev_nr_desc;
+       efi_status_t status;
+       __u32 desc_version;
+-      bool called_exit = false;
+-      u8 nr_entries;
+-      int i;
+       struct efi_boot_memmap map;
++      struct exit_boot_struct priv;
+-      nr_desc =       0;
+-      e820ext =       NULL;
+-      e820ext_size =  0;
+-      map.map =       &mem_map;
+-      map.map_size =  &map_sz;
+-      map.desc_size = &desc_size;
+-      map.desc_ver =  &desc_version;
+-      map.key_ptr =   &key;
+-      map.buff_size = &buff_size;
+-
+-get_map:
+-      status = efi_get_memory_map(sys_table, &map);
++      map.map =               &mem_map;
++      map.map_size =          &map_sz;
++      map.desc_size =         &desc_size;
++      map.desc_ver =          &desc_version;
++      map.key_ptr =           &key;
++      map.buff_size =         &buff_size;
++      priv.boot_params =      boot_params;
++      priv.efi =              &boot_params->efi_info;
++      priv.e820ext =          NULL;
++      priv.e820ext_size =     0;
++      priv.is64 =             is64;
++      /* Might as well exit boot services now */
++      status = efi_exit_boot_services(sys_table, handle, &map, &priv,
++                                      exit_boot_func);
+       if (status != EFI_SUCCESS)
+               return status;
+-      prev_nr_desc = nr_desc;
+-      nr_desc = map_sz / desc_size;
+-      if (nr_desc > prev_nr_desc &&
+-          nr_desc > ARRAY_SIZE(boot_params->e820_map)) {
+-              u32 nr_e820ext = nr_desc - ARRAY_SIZE(boot_params->e820_map);
+-
+-              status = alloc_e820ext(nr_e820ext, &e820ext, &e820ext_size);
+-              if (status != EFI_SUCCESS)
+-                      goto free_mem_map;
+-
+-              efi_call_early(free_pool, mem_map);
+-              goto get_map; /* Allocated memory, get map again */
+-      }
+-
+-      signature = is64 ? EFI64_LOADER_SIGNATURE : EFI32_LOADER_SIGNATURE;
+-      memcpy(&efi->efi_loader_signature, signature, sizeof(__u32));
+-
+-      efi->efi_systab = (unsigned long)sys_table;
+-      efi->efi_memdesc_size = desc_size;
+-      efi->efi_memdesc_version = desc_version;
+-      efi->efi_memmap = (unsigned long)mem_map;
+-      efi->efi_memmap_size = map_sz;
+-
+-#ifdef CONFIG_X86_64
+-      efi->efi_systab_hi = (unsigned long)sys_table >> 32;
+-      efi->efi_memmap_hi = (unsigned long)mem_map >> 32;
+-#endif
+-
+-      /* Might as well exit boot services now */
+-      status = efi_call_early(exit_boot_services, handle, key);
+-      if (status != EFI_SUCCESS) {
+-              /*
+-               * ExitBootServices() will fail if any of the event
+-               * handlers change the memory map. In which case, we
+-               * must be prepared to retry, but only once so that
+-               * we're guaranteed to exit on repeated failures instead
+-               * of spinning forever.
+-               */
+-              if (called_exit)
+-                      goto free_mem_map;
+-
+-              called_exit = true;
+-              efi_call_early(free_pool, mem_map);
+-              goto get_map;
+-      }
+-
++      e820ext = priv.e820ext;
++      e820ext_size = priv.e820ext_size;
+       /* Historic? */
+       boot_params->alt_mem_k = 32 * 1024;
+@@ -1093,10 +1095,6 @@ get_map:
+               return status;
+       return EFI_SUCCESS;
+-
+-free_mem_map:
+-      efi_call_early(free_pool, mem_map);
+-      return status;
+ }
+ /*
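Review bot: `static bool first = true;` in exit_boot_func() keeps the "allocate e820ext only once" state in a function-local static, hidden from exit_boot(). `struct exit_boot_struct` is already passed as `priv` and is the natural place for that per-call state. Moving the flag there (`bool first;` in the struct, `priv.first = true;` in exit_boot(), `if (p->first)` in the callback) makes the contract explicit. Presumably the callback can run again after a failed ExitBootServices() attempt and must not allocate on that later pass. A one-line comment on the `if` should say so, since the reason is currently only in the commit message.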
diff --git a/queue-4.7/x86-paravirt-do-not-trace-_paravirt_ident_-functions.patch b/queue-4.7/x86-paravirt-do-not-trace-_paravirt_ident_-functions.patch
new file mode 100644 (file)
index 0000000..af4f289
--- /dev/null
@@ -0,0 +1,86 @@
+From 15301a570754c7af60335d094dd2d1808b0641a5 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Wed, 25 May 2016 13:47:26 -0400
+Subject: x86/paravirt: Do not trace _paravirt_ident_*() functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 15301a570754c7af60335d094dd2d1808b0641a5 upstream.
+
+Łukasz Daniluk reported that on a RHEL kernel that his machine would lock up
+after enabling function tracer. I asked him to bisect the functions within
+available_filter_functions, which he did and it came down to three:
+
+  _paravirt_nop(), _paravirt_ident_32() and _paravirt_ident_64()
+
+It was found that this is only an issue when noreplace-paravirt is added
+to the kernel command line.
+
+This means that those functions are most likely called within critical
+sections of the funtion tracer, and must not be traced.
+
+In newer kenels _paravirt_nop() is defined within gcc asm(), and is no
+longer an issue.  But both _paravirt_ident_{32,64}() causes the
+following splat when they are traced:
+
+ mm/pgtable-generic.c:33: bad pmd ffff8800d2435150(0000000001d00054)
+ mm/pgtable-generic.c:33: bad pmd ffff8800d3624190(0000000001d00070)
+ mm/pgtable-generic.c:33: bad pmd ffff8800d36a5110(0000000001d00054)
+ mm/pgtable-generic.c:33: bad pmd ffff880118eb1450(0000000001d00054)
+ NMI watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [systemd-journal:469]
+ Modules linked in: e1000e
+ CPU: 2 PID: 469 Comm: systemd-journal Not tainted 4.6.0-rc4-test+ #513
+ Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
+ task: ffff880118f740c0 ti: ffff8800d4aec000 task.ti: ffff8800d4aec000
+ RIP: 0010:[<ffffffff81134148>]  [<ffffffff81134148>] queued_spin_lock_slowpath+0x118/0x1a0
+ RSP: 0018:ffff8800d4aefb90  EFLAGS: 00000246
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88011eb16d40
+ RDX: ffffffff82485760 RSI: 000000001f288820 RDI: ffffea0000008030
+ RBP: ffff8800d4aefb90 R08: 00000000000c0000 R09: 0000000000000000
+ R10: ffffffff821c8e0e R11: 0000000000000000 R12: ffff880000200fb8
+ R13: 00007f7a4e3f7000 R14: ffffea000303f600 R15: ffff8800d4b562e0
+ FS:  00007f7a4e3d7840(0000) GS:ffff88011eb00000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f7a4e3f7000 CR3: 00000000d3e71000 CR4: 00000000001406e0
+ Call Trace:
+   _raw_spin_lock+0x27/0x30
+   handle_pte_fault+0x13db/0x16b0
+   handle_mm_fault+0x312/0x670
+   __do_page_fault+0x1b1/0x4e0
+   do_page_fault+0x22/0x30
+   page_fault+0x28/0x30
+   __vfs_read+0x28/0xe0
+   vfs_read+0x86/0x130
+   SyS_read+0x46/0xa0
+   entry_SYSCALL_64_fastpath+0x1e/0xa8
+ Code: 12 48 c1 ea 0c 83 e8 01 83 e2 30 48 98 48 81 c2 40 6d 01 00 48 03 14 c5 80 6a 5d 82 48 89 0a 8b 41 08 85 c0 75 09 f3 90 8b 41 08 <85> c0 74 f7 4c 8b 09 4d 85 c9 74 08 41 0f 18 09 eb 02 f3 90 8b
+
+Reported-by: Łukasz Daniluk <lukasz.daniluk@intel.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/paravirt.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/paravirt.c
++++ b/arch/x86/kernel/paravirt.c
+@@ -55,12 +55,12 @@ asm (".pushsection .entry.text, \"ax\"\n
+      ".popsection");
+ /* identity function, which can be inlined */
+-u32 _paravirt_ident_32(u32 x)
++u32 notrace _paravirt_ident_32(u32 x)
+ {
+       return x;
+ }
+-u64 _paravirt_ident_64(u64 x)
++u64 notrace _paravirt_ident_64(u64 x)
+ {
+       return x;
+ }
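Review bot: The `notrace` annotations added to `_paravirt_ident_32()` and `_paravirt_ident_64()` have no in-code explanation; the comment above them still reads only `/* identity function, which can be inlined */`. A later cleanup could drop the attribute as noise, and per the commit message that would bring back the soft lockup seen when the function tracer is enabled with `noreplace-paravirt` on the kernel command line. I would extend the comment to something like `/* identity functions, which can be inlined; notrace: tracing them locks up the machine with noreplace-paravirt */`. The message says only that these are "most likely" called inside tracer-critical sections, so the comment should record the observed symptom, not assert a root cause.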
diff --git a/queue-4.7/xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch b/queue-4.7/xhci-fix-null-pointer-dereference-in-stop-command-timeout-function.patch
new file mode 100644 (file)
index 0000000..e6c4e14
--- /dev/null
@@ -0,0 +1,48 @@
+From bcf42aa60c2832510b9be0f30c090bfd35bb172d Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Wed, 7 Sep 2016 17:26:33 +0300
+Subject: xhci: fix null pointer dereference in stop command timeout function
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit bcf42aa60c2832510b9be0f30c090bfd35bb172d upstream.
+
+The stop endpoint command has its own 5 second timeout timer.
+If the timeout function is triggered between USB3 and USB2 host
+removal it will try to call usb_hc_died(xhci_to_hcd(xhci)->primary_hcd)
+
+the ->primary_hcd will be set to NULL at USB3 hcd removal.
+
+Fix this by first checking if the PCI host is being removed, and
+also by using only xhci_to_hcd() as it will always return the primary
+hcd.
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-ring.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -840,6 +840,10 @@ void xhci_stop_endpoint_command_watchdog
+       spin_lock_irqsave(&xhci->lock, flags);
+       ep->stop_cmds_pending--;
++      if (xhci->xhc_state & XHCI_STATE_REMOVING) {
++              spin_unlock_irqrestore(&xhci->lock, flags);
++              return;
++      }
+       if (xhci->xhc_state & XHCI_STATE_DYING) {
+               xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
+                               "Stop EP timer ran, but another timer marked "
+@@ -893,7 +897,7 @@ void xhci_stop_endpoint_command_watchdog
+       spin_unlock_irqrestore(&xhci->lock, flags);
+       xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
+                       "Calling usb_hc_died()");
+-      usb_hc_died(xhci_to_hcd(xhci)->primary_hcd);
++      usb_hc_died(xhci_to_hcd(xhci));
+       xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
+                       "xHCI host controller is dead.");
+ }
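Review bot: The new `XHCI_STATE_REMOVING` branch in the first xhci-ring.c hunk returns silently, while the `XHCI_STATE_DYING` branch directly below it logs through `xhci_dbg_trace()`. A one-line comment and a matching debug line before the unlock would make a watchdog that fired during host removal visible when debugging teardown, for example `/* timer fired during host removal, between USB3 and USB2 hcd teardown */` and `xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb, "Stop EP timer ran during host removal");`. Whether the removal path sets the flag while holding `xhci->lock` is not visible here, so confirm the check cannot be passed just before the flag is set. The second hunk's switch to `usb_hc_died(xhci_to_hcd(xhci))` appears to cover the NULL dereference in that case. The body of `xhci_stop_endpoint_command_watchdog` starts outside both hunks.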