--- /dev/null
+From 3d40658c977769ce2138f286cf131537bf68bdfe Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 31 Aug 2016 21:10:06 -0700
+Subject: apparmor: fix change_hat not finding hat after policy replacement
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit 3d40658c977769ce2138f286cf131537bf68bdfe upstream.
+
+After a policy replacement, the task cred may be out of date and need
+to be updated. However, change_hat uses the stale profiles from the
+out-of-date cred, resulting in either a stale profile being applied
+or an incorrect failure when searching for a hat profile that has been
+migrated to the new parent profile.
+
+Fixes: 01e2b670aa898a39259bc85c78e3d74820f4d3b6 (failure to find hat)
+Fixes: 898127c34ec03291c86f4ff3856d79e9e18952bc (stale policy being applied)
+Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1000287
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/domain.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/security/apparmor/domain.c
++++ b/security/apparmor/domain.c
+@@ -623,8 +623,8 @@ int aa_change_hat(const char *hats[], in
+ /* released below */
+ cred = get_current_cred();
+ cxt = cred_cxt(cred);
+- profile = aa_cred_profile(cred);
+- previous_profile = cxt->previous;
++ profile = aa_get_newest_profile(aa_cred_profile(cred));
++ previous_profile = aa_get_newest_profile(cxt->previous);
+
+ if (unconfined(profile)) {
+ info = "unconfined";
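Review bot: The rewritten `previous_profile` line hands whatever `cxt->previous` holds to aa_get_newest_profile(), and the aa_put_profile() added later in the function is unconditional, so both helpers must tolerate NULL — the normal state for a task that has never changed hat; that appears to be how they are written, but it should be confirmed rather than assumed. Because the function now owns a reference on both profiles, every exit between here and `out:` has to go through `out:`; the body continues outside this hunk, so that cannot be checked from the diff. A one-line comment next to the two calls, e.g. `/* refs on profile and previous_profile are dropped at out: */`, would make the new ownership explicit to whoever adds the next early return.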
+@@ -720,6 +720,8 @@ audit:
+ out:
+ aa_put_profile(hat);
+ kfree(name);
++ aa_put_profile(profile);
++ aa_put_profile(previous_profile);
+ put_cred(cred);
+
+ return error;
--- /dev/null
+From 9853a55ef1bb66d7411136046060bbfb69c714fa Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 15 Nov 2016 12:05:11 +0100
+Subject: cfg80211: limit scan results cache size
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 9853a55ef1bb66d7411136046060bbfb69c714fa upstream.
+
+It's possible to make scanning consume almost arbitrary amounts
+of memory, e.g. by sending beacon frames with random BSSIDs at
+high rates while somebody is scanning.
+
+Limit the number of BSS table entries we're willing to cache to
+1000, limiting maximum memory usage to maybe 4-5MB, but lower
+in practice - that would be the case for having both full-sized
+beacon and probe response frames for each entry; this seems not
+possible in practice, so a limit of 1000 entries will likely be
+closer to 0.5 MB.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/core.h | 1
+ net/wireless/scan.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 70 insertions(+)
+
+--- a/net/wireless/core.h
++++ b/net/wireless/core.h
+@@ -72,6 +72,7 @@ struct cfg80211_registered_device {
+ struct list_head bss_list;
+ struct rb_root bss_tree;
+ u32 bss_generation;
++ u32 bss_entries;
+ struct cfg80211_scan_request *scan_req; /* protected by RTNL */
+ struct sk_buff *scan_msg;
+ struct cfg80211_sched_scan_request __rcu *sched_scan_req;
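Review bot: The new `bss_entries` counter carries no locking annotation, while its neighbour `scan_req` is marked `/* protected by RTNL */`. The counter is decremented in __cfg80211_unlink_bss() and read in cfg80211_bss_expire_oldest() under lockdep_assert_held(&rdev->bss_lock), so it belongs to the bss_lock-protected group alongside bss_list and bss_tree; suggest `u32 bss_entries; /* protected by bss_lock */`. The struct definition starts and ends outside this hunk.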
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -56,6 +56,19 @@
+ * also linked into the probe response struct.
+ */
+
++/*
++ * Limit the number of BSS entries stored in mac80211. Each one is
++ * a bit over 4k at most, so this limits to roughly 4-5M of memory.
++ * If somebody wants to really attack this though, they'd likely
++ * use small beacons, and only one type of frame, limiting each of
++ * the entries to a much smaller size (in order to generate more
++ * entries in total, so overhead is bigger.)
++ */
++static int bss_entries_limit = 1000;
++module_param(bss_entries_limit, int, 0644);
++MODULE_PARM_DESC(bss_entries_limit,
++ "limit to number of scan BSS entries (per wiphy, default 1000)");
++
+ #define IEEE80211_SCAN_RESULT_EXPIRE (30 * HZ)
+
+ static void bss_free(struct cfg80211_internal_bss *bss)
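Review bot: `bss_entries_limit` is a plain `int`, writable at runtime through the 0644 attribute, and nothing validates it; the consumer compares it against the `u32` counter, so a negative value is converted to a huge unsigned quantity and silently disables the limit, while 0 makes every insert call cfg80211_bss_expire_oldest() on an empty list, trip its WARN_ON, and drop every scan result. Declaring it `static unsigned int bss_entries_limit = 1000;` with `module_param(bss_entries_limit, uint, 0644);` removes the sign issue; rejecting 0 needs either a custom param-ops set or a `max(bss_entries_limit, 1U)` at the comparison. Separately, the comment says the entries are "stored in mac80211", but this code lives in cfg80211 and the limit is per wiphy; `Limit the number of BSS entries cfg80211 caches per wiphy.` would be accurate.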
+@@ -136,6 +149,10 @@ static bool __cfg80211_unlink_bss(struct
+
+ list_del_init(&bss->list);
+ rb_erase(&bss->rbn, &rdev->bss_tree);
++ rdev->bss_entries--;
++ WARN_ONCE((rdev->bss_entries == 0) ^ list_empty(&rdev->bss_list),
++ "rdev bss entries[%d]/list[empty:%d] corruption\n",
++ rdev->bss_entries, list_empty(&rdev->bss_list));
+ bss_ref_put(rdev, bss);
+ return true;
+ }
+@@ -162,6 +179,40 @@ static void __cfg80211_bss_expire(struct
+ rdev->bss_generation++;
+ }
+
++static bool cfg80211_bss_expire_oldest(struct cfg80211_registered_device *rdev)
++{
++ struct cfg80211_internal_bss *bss, *oldest = NULL;
++ bool ret;
++
++ lockdep_assert_held(&rdev->bss_lock);
++
++ list_for_each_entry(bss, &rdev->bss_list, list) {
++ if (atomic_read(&bss->hold))
++ continue;
++
++ if (!list_empty(&bss->hidden_list) &&
++ !bss->pub.hidden_beacon_bss)
++ continue;
++
++ if (oldest && time_before(oldest->ts, bss->ts))
++ continue;
++ oldest = bss;
++ }
++
++ if (WARN_ON(!oldest))
++ return false;
++
++ /*
++ * The callers make sure to increase rdev->bss_generation if anything
++ * gets removed (and a new entry added), so there's no need to also do
++ * it here.
++ */
++
++ ret = __cfg80211_unlink_bss(rdev, oldest);
++ WARN_ON(!ret);
++ return ret;
++}
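Review bot: cfg80211_bss_expire_oldest() has no header comment, and its contract is not obvious from the body: it must be called with bss_lock held, it skips entries with a non-zero hold count and hidden-SSID parents that still have children on their hidden_list, it evicts the entry with the earliest `ts`, and it returns false (after a WARN_ON) when nothing is evictable, which the caller turns into dropping the new frame. A three-line comment above the function stating those four points would spare readers the trip through __cfg80211_unlink_bss() and cfg80211_bss_update(). Note also that once the cache is at the limit every accepted frame costs one full walk of the list under bss_lock, which is bounded by the limit but is worth a sentence in that comment since the limit is meant to cope with attacker-generated frames.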
++
+ void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev,
+ bool send_message)
+ {
+@@ -687,6 +738,7 @@ static bool cfg80211_combine_bsses(struc
+ const u8 *ie;
+ int i, ssidlen;
+ u8 fold = 0;
++ u32 n_entries = 0;
+
+ ies = rcu_access_pointer(new->pub.beacon_ies);
+ if (WARN_ON(!ies))
+@@ -710,6 +762,12 @@ static bool cfg80211_combine_bsses(struc
+ /* This is the bad part ... */
+
+ list_for_each_entry(bss, &rdev->bss_list, list) {
++ /*
++ * we're iterating all the entries anyway, so take the
++ * opportunity to validate the list length accounting
++ */
++ n_entries++;
++
+ if (!ether_addr_equal(bss->pub.bssid, new->pub.bssid))
+ continue;
+ if (bss->pub.channel != new->pub.channel)
+@@ -738,6 +796,10 @@ static bool cfg80211_combine_bsses(struc
+ new->pub.beacon_ies);
+ }
+
++ WARN_ONCE(n_entries != rdev->bss_entries,
++ "rdev bss entries[%d]/list[len:%d] corruption\n",
++ rdev->bss_entries, n_entries);
++
+ return true;
+ }
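Review bot: Both operands of the new WARN_ONCE are `u32` (`rdev->bss_entries` and `n_entries`) but are printed with `%d`; `%u` is the matching specifier, i.e. `"rdev bss entries[%u]/list[len:%u] corruption\n"`, and the same applies to the WARN_ONCE added in __cfg80211_unlink_bss(). Also worth a comment is that this count is only cross-checked on the paths that reach the loop in cfg80211_combine_bsses(); whether every new entry passes through here is decided by early returns outside this hunk, so the check is a sampling aid rather than a full invariant.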
+
+@@ -890,7 +952,14 @@ cfg80211_bss_update(struct cfg80211_regi
+ }
+ }
+
++ if (rdev->bss_entries >= bss_entries_limit &&
++ !cfg80211_bss_expire_oldest(rdev)) {
++ kfree(new);
++ goto drop;
++ }
++
+ list_add_tail(&new->list, &rdev->bss_list);
++ rdev->bss_entries++;
+ rb_insert_bss(rdev, new);
+ found = new;
+ }
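Review bot: On the new drop path `kfree(new)` releases only the container; the IE buffers that `new->pub` points at (beacon_ies/proberesp_ies, presumably copied in from the caller's temporary earlier in this function) are not released here, so unless every caller reclaims them on a NULL return they leak once per dropped frame. Check how the existing `drop:` label and the kzalloc-failure path in this function (both outside the hunk) treat those buffers and mirror that, since the drop is reachable from remotely generated frames. A one-line comment would also help, e.g. `/* at the limit: evict the oldest unheld entry, otherwise drop this one */`, making clear that in the common case an old entry is silently evicted rather than the new one rejected.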
--- /dev/null
+From michel@daenzer.net Tue Nov 29 16:29:26 2016
+From: Michel Dänzer <michel@daenzer.net>
+Date: Tue, 29 Nov 2016 18:40:20 +0900
+Subject: [PATCH] drm/radeon: Ensure vblank interrupt is enabled on DPMS transition to on
+To: stable@vger.kernel.org
+Cc: Max Staudt <mstaudt@suse.de>
+Message-ID: <20161129094020.27353-1-michel@daenzer.net>
+
+From: Michel Dänzer <michel@daenzer.net>
+
+NOTE: This patch only applies to 4.5.y or older kernels. With newer
+kernels, this problem cannot happen because the driver now uses
+drm_crtc_vblank_on/off instead of drm_vblank_pre/post_modeset[0]. I
+consider this patch safer for older kernels than backporting the API
+change, because drm_crtc_vblank_on/off had various issues in older
+kernels, and I'm not sure all fixes for those have been backported to
+all stable branches where this patch could be applied.
+
+ ---------------------
+
+Fixes the vblank interrupt being disabled when it should be on, which
+can cause at least the following symptoms:
+
+* Hangs when running 'xset dpms force off' in a GNOME session with
+ gnome-shell using DRI2.
+* RandR 1.4 slave outputs freezing with garbage displayed using
+ xf86-video-ati 7.8.0 or newer.
+
+[0] See upstream commit:
+
+commit 777e3cbc791f131806d9bf24b3325637c7fc228d
+Author: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Thu Jan 21 11:08:57 2016 +0100
+
+ drm/radeon: Switch to drm_vblank_on/off
+
+Reported-and-Tested-by: Max Staudt <mstaudt@suse.de>
+Reviewed-by: Daniel Vetter <daniel@ffwll.ch>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
+---
+ drivers/gpu/drm/radeon/atombios_crtc.c | 2 ++
+ drivers/gpu/drm/radeon/radeon_legacy_crtc.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/atombios_crtc.c
++++ b/drivers/gpu/drm/radeon/atombios_crtc.c
+@@ -275,6 +275,8 @@ void atombios_crtc_dpms(struct drm_crtc
+ atombios_enable_crtc_memreq(crtc, ATOM_ENABLE);
+ atombios_blank_crtc(crtc, ATOM_DISABLE);
+ drm_vblank_post_modeset(dev, radeon_crtc->crtc_id);
++ /* Make sure vblank interrupt is still enabled if needed */
++ radeon_irq_set(rdev);
+ radeon_crtc_load_lut(crtc);
+ break;
+ case DRM_MODE_DPMS_STANDBY:
+--- a/drivers/gpu/drm/radeon/radeon_legacy_crtc.c
++++ b/drivers/gpu/drm/radeon/radeon_legacy_crtc.c
+@@ -331,6 +331,8 @@ static void radeon_crtc_dpms(struct drm_
+ WREG32_P(RADEON_CRTC_EXT_CNTL, crtc_ext_cntl, ~(mask | crtc_ext_cntl));
+ }
+ drm_vblank_post_modeset(dev, radeon_crtc->crtc_id);
++ /* Make sure vblank interrupt is still enabled if needed */
++ radeon_irq_set(rdev);
+ radeon_crtc_load_lut(crtc);
+ break;
+ case DRM_MODE_DPMS_STANDBY:
--- /dev/null
+From 2ce9d2272b98743b911196c49e7af5841381c206 Mon Sep 17 00:00:00 2001
+From: Petr Vandrovec <petr@vandrovec.name>
+Date: Thu, 10 Nov 2016 13:57:14 -0800
+Subject: Fix USB CB/CBI storage devices with CONFIG_VMAP_STACK=y
+
+From: Petr Vandrovec <petr@vandrovec.name>
+
+commit 2ce9d2272b98743b911196c49e7af5841381c206 upstream.
+
+Some code (all of the error handling) submits CDBs that are allocated
+on the stack. This breaks the CB/CBI code, which tries to create a
+URB directly from the SCSI command buffer - and with vmalloced kernel
+stacks that buffer happens to live in vmalloced memory.
+
+Let's make copy of the command in usb_stor_CB_transport.
+
+Signed-off-by: Petr Vandrovec <petr@vandrovec.name>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/transport.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/transport.c
++++ b/drivers/usb/storage/transport.c
+@@ -919,10 +919,15 @@ int usb_stor_CB_transport(struct scsi_cm
+
+ /* COMMAND STAGE */
+ /* let's send the command via the control pipe */
++ /*
++ * Command is sometime (f.e. after scsi_eh_prep_cmnd) on the stack.
++ * Stack may be vmallocated. So no DMA for us. Make a copy.
++ */
++ memcpy(us->iobuf, srb->cmnd, srb->cmd_len);
+ result = usb_stor_ctrl_transfer(us, us->send_ctrl_pipe,
+ US_CBI_ADSC,
+ USB_TYPE_CLASS | USB_RECIP_INTERFACE, 0,
+- us->ifnum, srb->cmnd, srb->cmd_len);
++ us->ifnum, us->iobuf, srb->cmd_len);
+
+ /* check the return code for the command */
+ usb_stor_dbg(us, "Call to usb_stor_ctrl_transfer() returned %d\n",
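Review bot: `memcpy(us->iobuf, srb->cmnd, srb->cmd_len)` copies a length supplied by the SCSI layer into a fixed-size buffer without checking it against that buffer's size; in practice a CDB is far smaller than the I/O buffer, but the invariant should be stated rather than assumed, e.g. `if (srb->cmd_len > US_IOBUF_SIZE) return USB_STOR_TRANSPORT_ERROR;` before the copy (or a BUILD_BUG_ON against the maximum CDB length, if that constant is visible here). The new comment also reads awkwardly; `/* The command may live on the stack (e.g. after scsi_eh_prep_cmnd), and with CONFIG_VMAP_STACK the stack is not DMA-able, so copy it into iobuf. */` says the same thing more clearly. The rest of usb_stor_CB_transport() is outside this hunk.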
--- /dev/null
+From 1c387188c60f53b338c20eee32db055dfe022a9b Mon Sep 17 00:00:00 2001
+From: Ashok Raj <ashok.raj@intel.com>
+Date: Fri, 21 Oct 2016 15:32:05 -0700
+Subject: iommu/vt-d: Fix IOMMU lookup for SR-IOV Virtual Functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ashok Raj <ashok.raj@intel.com>
+
+commit 1c387188c60f53b338c20eee32db055dfe022a9b upstream.
+
+The VT-d specification (§8.3.3) says:
+ ‘Virtual Functions’ of a ‘Physical Function’ are under the scope
+ of the same remapping unit as the ‘Physical Function’.
+
+The BIOS is not required to list all the possible VFs in the scope
+tables, and arguably *shouldn't* make any attempt to do so, since there
+could be a huge number of them.
+
+This has been broken basically forever — the VF is never going to match
+against a specific unit's scope, so it ends up being assigned to the
+INCLUDE_ALL IOMMU. That was always correct by coincidence, but now that
+we're looking at Root-Complex integrated devices with SR-IOV support it's
+going to start being wrong.
+
+Fix it to simply use pci_physfn() before doing the lookup for PCI devices.
+
+Signed-off-by: Sainath Grandhi <sainath.grandhi@intel.com>
+Signed-off-by: Ashok Raj <ashok.raj@intel.com>
+Signed-off-by: David Woodhouse <dwmw2@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/dmar.c | 4 +++-
+ drivers/iommu/intel-iommu.c | 13 +++++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/dmar.c
++++ b/drivers/iommu/dmar.c
+@@ -326,7 +326,9 @@ static int dmar_pci_bus_notifier(struct
+ struct pci_dev *pdev = to_pci_dev(data);
+ struct dmar_pci_notify_info *info;
+
+- /* Only care about add/remove events for physical functions */
++ /* Only care about add/remove events for physical functions.
++ * For VFs we actually do the lookup based on the corresponding
++ * PF in device_to_iommu() anyway. */
+ if (pdev->is_virtfn)
+ return NOTIFY_DONE;
+ if (action != BUS_NOTIFY_ADD_DEVICE &&
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -885,7 +885,13 @@ static struct intel_iommu *device_to_iom
+ return NULL;
+
+ if (dev_is_pci(dev)) {
++ struct pci_dev *pf_pdev;
++
+ pdev = to_pci_dev(dev);
++ /* VFs aren't listed in scope tables; we need to look up
++ * the PF instead to find the IOMMU. */
++ pf_pdev = pci_physfn(pdev);
++ dev = &pf_pdev->dev;
+ segment = pci_domain_nr(pdev->bus);
+ } else if (has_acpi_companion(dev))
+ dev = &ACPI_COMPANION(dev)->dev;
+@@ -898,6 +904,13 @@ static struct intel_iommu *device_to_iom
+ for_each_active_dev_scope(drhd->devices,
+ drhd->devices_cnt, i, tmp) {
+ if (tmp == dev) {
++ /* For a VF use its original BDF# not that of the PF
++ * which we used for the IOMMU lookup. Strictly speaking
++ * we could do this for all PCI devices; we only need to
++ * get the BDF# from the scope table for ACPI matches. */
++ if (pdev->is_virtfn)
++ goto got_pdev;
++
+ *bus = drhd->devices[i].bus;
+ *devfn = drhd->devices[i].devfn;
+ goto out;
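Review bot: `pdev->is_virtfn` is evaluated for every scope-table match, but `pdev` is only assigned in the `dev_is_pci(dev)` branch of the previous hunk; for a device matched through its ACPI companion — the case the new comment itself mentions — `pdev` keeps its initial value, which is presumably NULL (its declaration is outside this hunk), and the new test dereferences it. Guard the test: `if (pdev && pdev->is_virtfn) goto got_pdev;`. The `got_pdev:` and `out:` labels are outside this hunk as well.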
--- /dev/null
+From 910170442944e1f8674fd5ddbeeb8ccd1877ea98 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw2@infradead.org>
+Date: Mon, 12 Sep 2016 10:49:11 +0800
+Subject: iommu/vt-d: Fix PASID table allocation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Woodhouse <dwmw2@infradead.org>
+
+commit 910170442944e1f8674fd5ddbeeb8ccd1877ea98 upstream.
+
+Somehow I ended up with an off-by-three error in calculating the size of
+the PASID and PASID State tables, which triggers allocations failures as
+those tables unfortunately have to be physically contiguous.
+
+In fact, even the *correct* maximum size of 8MiB is problematic and is
+wont to lead to allocation failures. Since I have extracted a promise
+that this *will* be fixed in hardware, I'm happy to limit it on the
+current hardware to a maximum of 0x20000 PASIDs, which gives us 1MiB
+tables — still not ideal, but better than before.
+
+Reported by Mika Kuoppala <mika.kuoppala@linux.intel.com> and also by
+Xunlei Pang <xlpang@redhat.com> who submitted a simpler patch to fix
+only the allocation (and not the free) to the "correct" limit... which
+was still problematic.
+
+Signed-off-by: David Woodhouse <dwmw2@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/intel-svm.c | 26 ++++++++++++++++----------
+ include/linux/intel-iommu.h | 1 +
+ 2 files changed, 17 insertions(+), 10 deletions(-)
+
+--- a/drivers/iommu/intel-svm.c
++++ b/drivers/iommu/intel-svm.c
+@@ -39,10 +39,18 @@ int intel_svm_alloc_pasid_tables(struct
+ struct page *pages;
+ int order;
+
+- order = ecap_pss(iommu->ecap) + 7 - PAGE_SHIFT;
+- if (order < 0)
+- order = 0;
++ /* Start at 2 because it's defined as 2^(1+PSS) */
++ iommu->pasid_max = 2 << ecap_pss(iommu->ecap);
+
++ /* Eventually I'm promised we will get a multi-level PASID table
++ * and it won't have to be physically contiguous. Until then,
++ * limit the size because 8MiB contiguous allocations can be hard
++ * to come by. The limit of 0x20000, which is 1MiB for each of
++ * the PASID and PASID-state tables, is somewhat arbitrary. */
++ if (iommu->pasid_max > 0x20000)
++ iommu->pasid_max = 0x20000;
++
++ order = get_order(sizeof(struct pasid_entry) * iommu->pasid_max);
+ pages = alloc_pages(GFP_KERNEL | __GFP_ZERO, order);
+ if (!pages) {
+ pr_warn("IOMMU: %s: Failed to allocate PASID table\n",
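Review bot: `2 << ecap_pss(iommu->ecap)` is evaluated in `int` whatever width ecap_pss() returns, so if the field can hold a value of 31 (it is a 5-bit field in the VT-d spec, which only permits values up to 19, but hardware and virtual IOMMUs have reported out-of-spec values before) the shift overflows before the 0x20000 cap is applied and `pasid_max` ends up as 0 instead of being capped. Clamping the exponent rather than the product avoids that: `pss = min_t(u32, ecap_pss(iommu->ecap), 16); iommu->pasid_max = 2U << pss;` (2^(1+16) is exactly the 0x20000 limit). The rest of intel_svm_alloc_pasid_tables() is outside this hunk.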
+@@ -53,6 +61,8 @@ int intel_svm_alloc_pasid_tables(struct
+ pr_info("%s: Allocated order %d PASID table.\n", iommu->name, order);
+
+ if (ecap_dis(iommu->ecap)) {
++ /* Just making it explicit... */
++ BUILD_BUG_ON(sizeof(struct pasid_entry) != sizeof(struct pasid_state_entry));
+ pages = alloc_pages(GFP_KERNEL | __GFP_ZERO, order);
+ if (pages)
+ iommu->pasid_state_table = page_address(pages);
+@@ -68,11 +78,7 @@ int intel_svm_alloc_pasid_tables(struct
+
+ int intel_svm_free_pasid_tables(struct intel_iommu *iommu)
+ {
+- int order;
+-
+- order = ecap_pss(iommu->ecap) + 7 - PAGE_SHIFT;
+- if (order < 0)
+- order = 0;
++ int order = get_order(sizeof(struct pasid_entry) * iommu->pasid_max);
+
+ if (iommu->pasid_table) {
+ free_pages((unsigned long)iommu->pasid_table, order);
+@@ -371,8 +377,8 @@ int intel_svm_bind_mm(struct device *dev
+ }
+ svm->iommu = iommu;
+
+- if (pasid_max > 2 << ecap_pss(iommu->ecap))
+- pasid_max = 2 << ecap_pss(iommu->ecap);
++ if (pasid_max > iommu->pasid_max)
++ pasid_max = iommu->pasid_max;
+
+ /* Do not use PASID 0 in caching mode (virtualised IOMMU) */
+ ret = idr_alloc(&iommu->pasid_idr, svm,
+--- a/include/linux/intel-iommu.h
++++ b/include/linux/intel-iommu.h
+@@ -429,6 +429,7 @@ struct intel_iommu {
+ struct page_req_dsc *prq;
+ unsigned char prq_name[16]; /* Name for PRQ interrupt */
+ struct idr pasid_idr;
++ u32 pasid_max;
+ #endif
+ struct q_inval *qi; /* Queued invalidation info */
+ u32 *iommu_state; /* Store iommu states between suspend and resume.*/
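Review bot: `u32 pasid_max;` is added without a comment, while the neighbouring fields each say what they hold. Since it is derived from 2^(1+PSS) and then capped at 0x20000 in intel_svm_alloc_pasid_tables(), and both the allocation and free paths size the PASID tables from it, suggest `u32 pasid_max; /* PASIDs the contiguous PASID tables are sized for: 2^(1+PSS), capped */`. The struct continues outside this hunk.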
--- /dev/null
+From df492896e6dfb44fd1154f5402428d8e52705081 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Wed, 23 Nov 2016 21:25:48 +0100
+Subject: KVM: x86: check for pic and ioapic presence before use
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Radim Krčmář <rkrcmar@redhat.com>
+
+commit df492896e6dfb44fd1154f5402428d8e52705081 upstream.
+
+Split irqchip allows pic and ioapic routes to be used without them being
+created, which results in a NULL access. Check for NULL and avoid it.
+(The setup is too racy for a nicer solution.)
+
+Found by syzkaller:
+
+ general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
+ Dumping ftrace buffer:
+ (ftrace buffer empty)
+ Modules linked in:
+ CPU: 3 PID: 11923 Comm: kworker/3:2 Not tainted 4.9.0-rc5+ #27
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ Workqueue: events irqfd_inject
+ task: ffff88006a06c7c0 task.stack: ffff880068638000
+ RIP: 0010:[...] [...] __lock_acquire+0xb35/0x3380 kernel/locking/lockdep.c:3221
+ RSP: 0000:ffff88006863ea20 EFLAGS: 00010006
+ RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000000
+ RDX: 0000000000000039 RSI: 0000000000000000 RDI: 1ffff1000d0c7d9e
+ RBP: ffff88006863ef58 R08: 0000000000000001 R09: 0000000000000000
+ R10: 00000000000001c8 R11: 0000000000000000 R12: ffff88006a06c7c0
+ R13: 0000000000000001 R14: ffffffff8baab1a0 R15: 0000000000000001
+ FS: 0000000000000000(0000) GS:ffff88006d100000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00000000004abdd0 CR3: 000000003e2f2000 CR4: 00000000000026e0
+ Stack:
+ ffffffff894d0098 1ffff1000d0c7d56 ffff88006863ecd0 dffffc0000000000
+ ffff88006a06c7c0 0000000000000000 ffff88006863ecf8 0000000000000082
+ 0000000000000000 ffffffff815dd7c1 ffffffff00000000 ffffffff00000000
+ Call Trace:
+ [...] lock_acquire+0x2a2/0x790 kernel/locking/lockdep.c:3746
+ [...] __raw_spin_lock include/linux/spinlock_api_smp.h:144
+ [...] _raw_spin_lock+0x38/0x50 kernel/locking/spinlock.c:151
+ [...] spin_lock include/linux/spinlock.h:302
+ [...] kvm_ioapic_set_irq+0x4c/0x100 arch/x86/kvm/ioapic.c:379
+ [...] kvm_set_ioapic_irq+0x8f/0xc0 arch/x86/kvm/irq_comm.c:52
+ [...] kvm_set_irq+0x239/0x640 arch/x86/kvm/../../../virt/kvm/irqchip.c:101
+ [...] irqfd_inject+0xb4/0x150 arch/x86/kvm/../../../virt/kvm/eventfd.c:60
+ [...] process_one_work+0xb40/0x1ba0 kernel/workqueue.c:2096
+ [...] worker_thread+0x214/0x18a0 kernel/workqueue.c:2230
+ [...] kthread+0x328/0x3e0 kernel/kthread.c:209
+ [...] ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:433
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Fixes: 49df6397edfc ("KVM: x86: Split the APIC from the rest of IRQCHIP.")
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/irq_comm.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/arch/x86/kvm/irq_comm.c
++++ b/arch/x86/kvm/irq_comm.c
+@@ -38,6 +38,15 @@ static int kvm_set_pic_irq(struct kvm_ke
+ bool line_status)
+ {
+ struct kvm_pic *pic = pic_irqchip(kvm);
++
++ /*
++ * XXX: rejecting pic routes when pic isn't in use would be better,
++ * but the default routing table is installed while kvm->arch.vpic is
++ * NULL and KVM_CREATE_IRQCHIP can race with KVM_IRQ_LINE.
++ */
++ if (!pic)
++ return -1;
++
+ return kvm_pic_set_irq(pic, e->irqchip.pin, irq_source_id, level);
+ }
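Review bot: The NULL check reads `kvm->arch.vpic` (via pic_irqchip()) with a plain load even though the new comment says KVM_CREATE_IRQCHIP can race with this path, and the ioapic check in the next hunk does the same with `kvm->arch.vioapic`. If the pointer is published by another thread without a lock held here, the read should be `READ_ONCE()` so the value that is checked is the value that is used, paired with a `WRITE_ONCE()` or barrier on the publishing side; whether pic_irqchip() already provides that is not visible in this hunk. The trace in the commit message shows this being reached from the irqfd worker, which is exactly the unsynchronised reader the comment describes.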
+
+@@ -46,6 +55,10 @@ static int kvm_set_ioapic_irq(struct kvm
+ bool line_status)
+ {
+ struct kvm_ioapic *ioapic = kvm->arch.vioapic;
++
++ if (!ioapic)
++ return -1;
++
+ return kvm_ioapic_set_irq(ioapic, e->irqchip.pin, irq_source_id, level,
+ line_status);
+ }
--- /dev/null
+From 2117d5398c81554fbf803f5fd1dc55eb78216c0c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Wed, 23 Nov 2016 21:15:00 +0100
+Subject: KVM: x86: drop error recovery in em_jmp_far and em_ret_far
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Radim Krčmář <rkrcmar@redhat.com>
+
+commit 2117d5398c81554fbf803f5fd1dc55eb78216c0c upstream.
+
+em_jmp_far and em_ret_far assumed that setting IP can only fail in 64
+bit mode, but syzkaller proved otherwise (and SDM agrees).
+Code segment was restored upon failure, but it was left uninitialized
+outside of long mode, which could lead to a leak of host kernel stack.
+We could have fixed that by always saving and restoring the CS, but we
+take a simpler approach and just break any guest that manages to fail,
+as the error recovery is error-prone and modern CPUs don't need the
+emulator for this.
+
+Found by syzkaller:
+
+ WARNING: CPU: 2 PID: 3668 at arch/x86/kvm/emulate.c:2217 em_ret_far+0x428/0x480
+ Kernel panic - not syncing: panic_on_warn set ...
+
+ CPU: 2 PID: 3668 Comm: syz-executor Not tainted 4.9.0-rc4+ #49
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ [...]
+ Call Trace:
+ [...] __dump_stack lib/dump_stack.c:15
+ [...] dump_stack+0xb3/0x118 lib/dump_stack.c:51
+ [...] panic+0x1b7/0x3a3 kernel/panic.c:179
+ [...] __warn+0x1c4/0x1e0 kernel/panic.c:542
+ [...] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
+ [...] em_ret_far+0x428/0x480 arch/x86/kvm/emulate.c:2217
+ [...] em_ret_far_imm+0x17/0x70 arch/x86/kvm/emulate.c:2227
+ [...] x86_emulate_insn+0x87a/0x3730 arch/x86/kvm/emulate.c:5294
+ [...] x86_emulate_instruction+0x520/0x1ba0 arch/x86/kvm/x86.c:5545
+ [...] emulate_instruction arch/x86/include/asm/kvm_host.h:1116
+ [...] complete_emulated_io arch/x86/kvm/x86.c:6870
+ [...] complete_emulated_mmio+0x4e9/0x710 arch/x86/kvm/x86.c:6934
+ [...] kvm_arch_vcpu_ioctl_run+0x3b7a/0x5a90 arch/x86/kvm/x86.c:6978
+ [...] kvm_vcpu_ioctl+0x61e/0xdd0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2557
+ [...] vfs_ioctl fs/ioctl.c:43
+ [...] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
+ [...] SYSC_ioctl fs/ioctl.c:694
+ [...] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
+ [...] entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Fixes: d1442d85cc30 ("KVM: x86: Handle errors when RIP is set during far jumps")
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 36 +++++++++++-------------------------
+ 1 file changed, 11 insertions(+), 25 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -2093,16 +2093,10 @@ static int em_iret(struct x86_emulate_ct
+ static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
+ {
+ int rc;
+- unsigned short sel, old_sel;
+- struct desc_struct old_desc, new_desc;
+- const struct x86_emulate_ops *ops = ctxt->ops;
++ unsigned short sel;
++ struct desc_struct new_desc;
+ u8 cpl = ctxt->ops->cpl(ctxt);
+
+- /* Assignment of RIP may only fail in 64-bit mode */
+- if (ctxt->mode == X86EMUL_MODE_PROT64)
+- ops->get_segment(ctxt, &old_sel, &old_desc, NULL,
+- VCPU_SREG_CS);
+-
+ memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
+
+ rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
+@@ -2112,12 +2106,10 @@ static int em_jmp_far(struct x86_emulate
+ return rc;
+
+ rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
+- if (rc != X86EMUL_CONTINUE) {
+- WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
+- /* assigning eip failed; restore the old cs */
+- ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);
+- return rc;
+- }
++ /* Error handling is not implemented. */
++ if (rc != X86EMUL_CONTINUE)
++ return X86EMUL_UNHANDLEABLE;
++
+ return rc;
+ }
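Review bot: The new comment `/* Error handling is not implemented. */` understates what has happened by that point: `__load_segment_descriptor()` earlier in the hunk has already committed the new CS, so when assign_eip_far() fails the vCPU is left with the new CS and the old IP, and the emulation is deliberately abandoned rather than rolled back (the commit message says as much). Suggest `/* CS is already loaded; rather than try to restore it, give up on the guest (X86EMUL_UNHANDLEABLE). */` here and at the matching site in em_ret_far(). The trailing `return rc;` is now always X86EMUL_CONTINUE and could say so directly.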
+
+@@ -2177,14 +2169,8 @@ static int em_ret_far(struct x86_emulate
+ {
+ int rc;
+ unsigned long eip, cs;
+- u16 old_cs;
+ int cpl = ctxt->ops->cpl(ctxt);
+- struct desc_struct old_desc, new_desc;
+- const struct x86_emulate_ops *ops = ctxt->ops;
+-
+- if (ctxt->mode == X86EMUL_MODE_PROT64)
+- ops->get_segment(ctxt, &old_cs, &old_desc, NULL,
+- VCPU_SREG_CS);
++ struct desc_struct new_desc;
+
+ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
+ if (rc != X86EMUL_CONTINUE)
+@@ -2201,10 +2187,10 @@ static int em_ret_far(struct x86_emulate
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+ rc = assign_eip_far(ctxt, eip, &new_desc);
+- if (rc != X86EMUL_CONTINUE) {
+- WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
+- ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
+- }
++ /* Error handling is not implemented. */
++ if (rc != X86EMUL_CONTINUE)
++ return X86EMUL_UNHANDLEABLE;
++
+ return rc;
+ }
+
--- /dev/null
+From f5527fffff3f002b0a6b376163613b82f69de073 Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Thu, 24 Nov 2016 13:23:10 +0000
+Subject: mpi: Fix NULL ptr dereference in mpi_powm() [ver #3]
+
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+
+commit f5527fffff3f002b0a6b376163613b82f69de073 upstream.
+
+This fixes CVE-2016-8650.
+
+If mpi_powm() is given a zero exponent, it wants to immediately return
+either 1 or 0, depending on the modulus. However, if the result was
+initalised with zero limb space, no limbs space is allocated and a
+NULL-pointer exception ensues.
+
+Fix this by allocating a minimal amount of limb space for the result in
+the 0-exponent case when the result is 1, and by not touching the limb
+space when the result is 0.
+
+This affects the use of RSA keys and X.509 certificates that carry them.
+
+BUG: unable to handle kernel NULL pointer dereference at (null)
+IP: [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
+PGD 0
+Oops: 0002 [#1] SMP
+Modules linked in:
+CPU: 3 PID: 3014 Comm: keyctl Not tainted 4.9.0-rc6-fscache+ #278
+Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
+task: ffff8804011944c0 task.stack: ffff880401294000
+RIP: 0010:[<ffffffff8138ce5d>] [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
+RSP: 0018:ffff880401297ad8 EFLAGS: 00010212
+RAX: 0000000000000000 RBX: ffff88040868bec0 RCX: ffff88040868bba0
+RDX: ffff88040868b260 RSI: ffff88040868bec0 RDI: ffff88040868bee0
+RBP: ffff880401297ba8 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000047 R11: ffffffff8183b210 R12: 0000000000000000
+R13: ffff8804087c7600 R14: 000000000000001f R15: ffff880401297c50
+FS: 00007f7a7918c700(0000) GS:ffff88041fb80000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000000 CR3: 0000000401250000 CR4: 00000000001406e0
+Stack:
+ ffff88040868bec0 0000000000000020 ffff880401297b00 ffffffff81376cd4
+ 0000000000000100 ffff880401297b10 ffffffff81376d12 ffff880401297b30
+ ffffffff81376f37 0000000000000100 0000000000000000 ffff880401297ba8
+Call Trace:
+ [<ffffffff81376cd4>] ? __sg_page_iter_next+0x43/0x66
+ [<ffffffff81376d12>] ? sg_miter_get_next_page+0x1b/0x5d
+ [<ffffffff81376f37>] ? sg_miter_next+0x17/0xbd
+ [<ffffffff8138ba3a>] ? mpi_read_raw_from_sgl+0xf2/0x146
+ [<ffffffff8132a95c>] rsa_verify+0x9d/0xee
+ [<ffffffff8132acca>] ? pkcs1pad_sg_set_buf+0x2e/0xbb
+ [<ffffffff8132af40>] pkcs1pad_verify+0xc0/0xe1
+ [<ffffffff8133cb5e>] public_key_verify_signature+0x1b0/0x228
+ [<ffffffff8133d974>] x509_check_for_self_signed+0xa1/0xc4
+ [<ffffffff8133cdde>] x509_cert_parse+0x167/0x1a1
+ [<ffffffff8133d609>] x509_key_preparse+0x21/0x1a1
+ [<ffffffff8133c3d7>] asymmetric_key_preparse+0x34/0x61
+ [<ffffffff812fc9f3>] key_create_or_update+0x145/0x399
+ [<ffffffff812fe227>] SyS_add_key+0x154/0x19e
+ [<ffffffff81001c2b>] do_syscall_64+0x80/0x191
+ [<ffffffff816825e4>] entry_SYSCALL64_slow_path+0x25/0x25
+Code: 56 41 55 41 54 53 48 81 ec a8 00 00 00 44 8b 71 04 8b 42 04 4c 8b 67 18 45 85 f6 89 45 80 0f 84 b4 06 00 00 85 c0 75 2f 41 ff ce <49> c7 04 24 01 00 00 00 b0 01 75 0b 48 8b 41 18 48 83 38 01 0f
+RIP [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
+ RSP <ffff880401297ad8>
+CR2: 0000000000000000
+---[ end trace d82015255d4a5d8d ]---
+
+Basically, this is a backport of a libgcrypt patch:
+
+ http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526
+
+Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files (part 1)")
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
+cc: linux-ima-devel@lists.sourceforge.net
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/mpi/mpi-pow.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/lib/mpi/mpi-pow.c
++++ b/lib/mpi/mpi-pow.c
+@@ -64,8 +64,13 @@ int mpi_powm(MPI res, MPI base, MPI exp,
+ if (!esize) {
+ /* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0
+ * depending on if MOD equals 1. */
+- rp[0] = 1;
+ res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1;
++ if (res->nlimbs) {
++ if (mpi_resize(res, 1) < 0)
++ goto enomem;
++ rp = res->d;
++ rp[0] = 1;
++ }
+ res->sign = 0;
+ goto leave;
+ }
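Review bot: `rp = res->d;` after mpi_resize() is essential and easy to lose in a later edit: `rp` was taken before the resize (outside this hunk), so once the result is grown it may refer to a limb array that has been reallocated; a comment such as `/* mpi_resize() may reallocate res->d, so refresh rp before writing */` would guard it. The 0-result branch correctly leaves `res->d` untouched, because `nlimbs = 0` makes any stale limb contents irrelevant. The `enomem` and `leave` labels and the rest of mpi_powm() are outside this hunk.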
--- /dev/null
+From d55b352b01bc78fbc3d1bb650140668b87e58bf9 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 22 Nov 2016 21:50:52 +0100
+Subject: NFSv4.x: hide array-bounds warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit d55b352b01bc78fbc3d1bb650140668b87e58bf9 upstream.
+
+A correct bugfix introduced a harmless warning that shows up with gcc-7:
+
+fs/nfs/callback.c: In function 'nfs_callback_up':
+fs/nfs/callback.c:214:14: error: array subscript is outside array bounds [-Werror=array-bounds]
+
+What happens here is that the 'minorversion == 0' check tells the
+compiler that we assume minorversion can be something other than 0,
+but when CONFIG_NFS_V4_1 is disabled that would be invalid and
+result in an out-of-bounds access.
+
+The added check for IS_ENABLED(CONFIG_NFS_V4_1) tells gcc that this
+really can't happen, which makes the code slightly smaller and also
+avoids the warning.
+
+The bugfix that introduced the warning is marked for stable backports,
+we want this one backported to the same releases.
+
+Fixes: 98b0f80c2396 ("NFSv4.x: Fix a refcount leak in nfs_callback_up_net")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/callback.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/callback.c
++++ b/fs/nfs/callback.c
+@@ -261,7 +261,7 @@ static int nfs_callback_up_net(int minor
+ }
+
+ ret = -EPROTONOSUPPORT;
+- if (minorversion == 0)
++ if (!IS_ENABLED(CONFIG_NFS_V4_1) || minorversion == 0)
+ ret = nfs4_callback_up_net(serv, net);
+ else if (xprt->ops->bc_up)
+ ret = xprt->ops->bc_up(serv, net);
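Review bot: The `!IS_ENABLED(CONFIG_NFS_V4_1)` term on the changed line reads like a functional condition, but its only job is to hand the compiler a compile-time fact so the `bc_up` branch is provably dead, and that intent lives only in the commit message. A one-line comment above the `if` would keep a later cleanup from "simplifying" it away: `/* With NFSv4.1 disabled minorversion can only be 0; spell that out so gcc sees the bc_up branch is unreachable. */`. nfs_callback_up_net() starts and ends outside the hunk.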
--- /dev/null
+From 5035b230e7b67ac12691ed3b5495bbb617027b68 Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Thu, 24 Nov 2016 20:18:14 -0500
+Subject: parisc: Also flush data TLB in flush_icache_page_asm
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit 5035b230e7b67ac12691ed3b5495bbb617027b68 upstream.
+
+This is the second issue I noticed in reviewing the parisc TLB code.
+
+The fic instruction may use either the instruction or data TLB in
+flushing the instruction cache. Thus, on machines with a split TLB, we
+should also flush the data TLB after setting up the temporary alias
+registers.
+
+Although this has no functional impact, I changed the pdtlb and pitlb
+instructions to consistently use the index register %r0. These
+instructions do not support integer displacements.
+
+Tested on rp3440 and c8000.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/pacache.S | 37 ++++++++++++++++++++++---------------
+ 1 file changed, 22 insertions(+), 15 deletions(-)
+
+--- a/arch/parisc/kernel/pacache.S
++++ b/arch/parisc/kernel/pacache.S
+@@ -96,7 +96,7 @@ fitmanyloop: /* Loop if LOOP >= 2 */
+
+ fitmanymiddle: /* Loop if LOOP >= 2 */
+ addib,COND(>) -1, %r31, fitmanymiddle /* Adjusted inner loop decr */
+- pitlbe 0(%sr1, %r28)
++ pitlbe %r0(%sr1, %r28)
+ pitlbe,m %arg1(%sr1, %r28) /* Last pitlbe and addr adjust */
+ addib,COND(>) -1, %r29, fitmanymiddle /* Middle loop decr */
+ copy %arg3, %r31 /* Re-init inner loop count */
+@@ -139,7 +139,7 @@ fdtmanyloop: /* Loop if LOOP >= 2 */
+
+ fdtmanymiddle: /* Loop if LOOP >= 2 */
+ addib,COND(>) -1, %r31, fdtmanymiddle /* Adjusted inner loop decr */
+- pdtlbe 0(%sr1, %r28)
++ pdtlbe %r0(%sr1, %r28)
+ pdtlbe,m %arg1(%sr1, %r28) /* Last pdtlbe and addr adjust */
+ addib,COND(>) -1, %r29, fdtmanymiddle /* Middle loop decr */
+ copy %arg3, %r31 /* Re-init inner loop count */
+@@ -620,12 +620,12 @@ ENTRY(copy_user_page_asm)
+ /* Purge any old translations */
+
+ #ifdef CONFIG_PA20
+- pdtlb,l 0(%r28)
+- pdtlb,l 0(%r29)
++ pdtlb,l %r0(%r28)
++ pdtlb,l %r0(%r29)
+ #else
+ tlb_lock %r20,%r21,%r22
+- pdtlb 0(%r28)
+- pdtlb 0(%r29)
++ pdtlb %r0(%r28)
++ pdtlb %r0(%r29)
+ tlb_unlock %r20,%r21,%r22
+ #endif
+
+@@ -768,10 +768,10 @@ ENTRY(clear_user_page_asm)
+ /* Purge any old translation */
+
+ #ifdef CONFIG_PA20
+- pdtlb,l 0(%r28)
++ pdtlb,l %r0(%r28)
+ #else
+ tlb_lock %r20,%r21,%r22
+- pdtlb 0(%r28)
++ pdtlb %r0(%r28)
+ tlb_unlock %r20,%r21,%r22
+ #endif
+
+@@ -852,10 +852,10 @@ ENTRY(flush_dcache_page_asm)
+ /* Purge any old translation */
+
+ #ifdef CONFIG_PA20
+- pdtlb,l 0(%r28)
++ pdtlb,l %r0(%r28)
+ #else
+ tlb_lock %r20,%r21,%r22
+- pdtlb 0(%r28)
++ pdtlb %r0(%r28)
+ tlb_unlock %r20,%r21,%r22
+ #endif
+
+@@ -892,10 +892,10 @@ ENTRY(flush_dcache_page_asm)
+ sync
+
+ #ifdef CONFIG_PA20
+- pdtlb,l 0(%r25)
++ pdtlb,l %r0(%r25)
+ #else
+ tlb_lock %r20,%r21,%r22
+- pdtlb 0(%r25)
++ pdtlb %r0(%r25)
+ tlb_unlock %r20,%r21,%r22
+ #endif
+
+@@ -925,13 +925,18 @@ ENTRY(flush_icache_page_asm)
+ depwi 0, 31,PAGE_SHIFT, %r28 /* Clear any offset bits */
+ #endif
+
+- /* Purge any old translation */
++ /* Purge any old translation. Note that the FIC instruction
++ * may use either the instruction or data TLB. Given that we
++ * have a flat address space, it's not clear which TLB will be
++ * used. So, we purge both entries. */
+
+ #ifdef CONFIG_PA20
++ pdtlb,l %r0(%r28)
+ pitlb,l %r0(%sr4,%r28)
+ #else
+ tlb_lock %r20,%r21,%r22
+- pitlb (%sr4,%r28)
++ pdtlb %r0(%r28)
++ pitlb %r0(%sr4,%r28)
+ tlb_unlock %r20,%r21,%r22
+ #endif
+
+@@ -970,10 +975,12 @@ ENTRY(flush_icache_page_asm)
+ sync
+
+ #ifdef CONFIG_PA20
++ pdtlb,l %r0(%r28)
+ pitlb,l %r0(%sr4,%r25)
+ #else
+ tlb_lock %r20,%r21,%r22
+- pitlb (%sr4,%r25)
++ pdtlb %r0(%r28)
++ pitlb %r0(%sr4,%r25)
+ tlb_unlock %r20,%r21,%r22
+ #endif
+
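Review bot: In the second flush_icache_page_asm hunk the new data-TLB purge targets %r28 (`pdtlb,l %r0(%r28)` / `pdtlb %r0(%r28)`) while the instruction-TLB purge on the very next line targets %r25; in the first hunk both purges use %r28. If %r25 is the alias address being torn down in this epilogue, the data-TLB purge presumably needs to address the same register, otherwise the stale data-TLB entry the commit sets out to remove survives on this path — confirm which register holds the temporary alias here, since the setup is outside the hunk. The same register pairing is worth a short comment next to the purge so the choice is deliberate rather than inferred. The enclosing routine starts and ends outside the hunk.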
--- /dev/null
+From c0452fb9fb8f49c7d68ab9fa0ad092016be7b45f Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Thu, 24 Nov 2016 20:06:32 -0500
+Subject: parisc: Fix race in pci-dma.c
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit c0452fb9fb8f49c7d68ab9fa0ad092016be7b45f upstream.
+
+We are still troubled by occasional random segmentation faults and
+memory memory corruption on SMP machines. The causes quite a few
+package builds to fail on the Debian buildd machines for parisc. When
+gcc-6 failed to build three times in a row, I looked again at the TLB
+related code. I found a couple of issues. This is the first.
+
+In general, we need to ensure page table updates and corresponding TLB
+purges are atomic. The attached patch fixes an instance in pci-dma.c
+where the page table update was not guarded by the TLB lock.
+
+Tested on rp3440 and c8000. So far, no further random segmentation
+faults have been observed.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/pci-dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/kernel/pci-dma.c
++++ b/arch/parisc/kernel/pci-dma.c
+@@ -95,8 +95,8 @@ static inline int map_pte_uncached(pte_t
+
+ if (!pte_none(*pte))
+ printk(KERN_ERR "map_pte_uncached: page already exists\n");
+- set_pte(pte, __mk_pte(*paddr_ptr, PAGE_KERNEL_UNC));
+ purge_tlb_start(flags);
++ set_pte(pte, __mk_pte(*paddr_ptr, PAGE_KERNEL_UNC));
+ pdtlb_kernel(orig_vaddr);
+ purge_tlb_end(flags);
+ vaddr += PAGE_SIZE;
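Review bot: The ordering the commit relies on — set_pte() inside purge_tlb_start()/purge_tlb_end() — is enforced by nothing in the code and explained only in the commit message, so a later edit could move it back out without noticing; suggest `/* PTE update and the matching TLB purge must be atomic w.r.t. other CPUs: keep set_pte() under the TLB lock. */` above the purge_tlb_start() line. Separately, the "page already exists" printk still falls through to set_pte() and overwrites the existing entry; that is pre-existing, but worth a look now that the lock is meant to keep page table and TLB consistent. map_pte_uncached() starts and ends outside the hunk.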
--- /dev/null
+From 741dc7bf1c7c7d93b853bb55efe77baa27e1b0a9 Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Sun, 20 Nov 2016 21:12:36 -0500
+Subject: parisc: Fix races in parisc_setup_cache_timing()
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit 741dc7bf1c7c7d93b853bb55efe77baa27e1b0a9 upstream.
+
+Helge reported to me the following startup crash:
+
+[ 0.000000] Linux version 4.8.0-1-parisc64-smp (debian-kernel@lists.debian.org) (gcc version 5.4.1 20161019 (GCC) ) #1 SMP Debian 4.8.7-1 (2016-11-13)
+[ 0.000000] The 64-bit Kernel has started...
+[ 0.000000] Kernel default page size is 4 KB. Huge pages enabled with 1 MB physical and 2 MB virtual size.
+[ 0.000000] Determining PDC firmware type: System Map.
+[ 0.000000] model 9000/785/J5000
+[ 0.000000] Total Memory: 2048 MB
+[ 0.000000] Memory: 2018528K/2097152K available (9272K kernel code, 3053K rwdata, 1319K rodata, 1024K init, 840K bss, 78624K reserved, 0K cma-reserved)
+[ 0.000000] virtual kernel memory layout:
+[ 0.000000] vmalloc : 0x0000000000008000 - 0x000000003f000000 (1007 MB)
+[ 0.000000] memory : 0x0000000040000000 - 0x00000000c0000000 (2048 MB)
+[ 0.000000] .init : 0x0000000040100000 - 0x0000000040200000 (1024 kB)
+[ 0.000000] .data : 0x0000000040b0e000 - 0x0000000040f533e0 (4372 kB)
+[ 0.000000] .text : 0x0000000040200000 - 0x0000000040b0e000 (9272 kB)
+[ 0.768910] Brought up 1 CPUs
+[ 0.992465] NET: Registered protocol family 16
+[ 2.429981] Releasing cpu 1 now, hpa=fffffffffffa2000
+[ 2.635751] CPU(s): 2 out of 2 PA8500 (PCX-W) at 440.000000 MHz online
+[ 2.726692] Setting cache flush threshold to 1024 kB
+[ 2.729932] Not-handled unaligned insn 0x43ffff80
+[ 2.798114] Setting TLB flush threshold to 140 kB
+[ 2.928039] Unaligned handler failed, ret = -1
+[ 3.000419] _______________________________
+[ 3.000419] < Your System ate a SPARC! Gah! >
+[ 3.000419] -------------------------------
+[ 3.000419] \ ^__^
+[ 3.000419] (__)\ )\/\
+[ 3.000419] U ||----w |
+[ 3.000419] || ||
+[ 9.340055] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.8.0-1-parisc64-smp #1 Debian 4.8.7-1
+[ 9.448082] task: 00000000bfd48060 task.stack: 00000000bfd50000
+[ 9.528040]
+[ 10.760029] IASQ: 0000000000000000 0000000000000000 IAOQ: 000000004025d154 000000004025d158
+[ 10.868052] IIR: 43ffff80 ISR: 0000000000340000 IOR: 000001ff54150960
+[ 10.960029] CPU: 1 CR30: 00000000bfd50000 CR31: 0000000011111111
+[ 11.052057] ORIG_R28: 000000004021e3b4
+[ 11.100045] IAOQ[0]: irq_exit+0x94/0x120
+[ 11.152062] IAOQ[1]: irq_exit+0x98/0x120
+[ 11.208031] RP(r2): irq_exit+0xb8/0x120
+[ 11.256074] Backtrace:
+[ 11.288067] [<00000000402cd944>] cpu_startup_entry+0x1e4/0x598
+[ 11.368058] [<0000000040109528>] smp_callin+0x2c0/0x2f0
+[ 11.436308] [<00000000402b53fc>] update_curr+0x18c/0x2d0
+[ 11.508055] [<00000000402b73b8>] dequeue_entity+0x2c0/0x1030
+[ 11.584040] [<00000000402b3cc0>] set_next_entity+0x80/0xd30
+[ 11.660069] [<00000000402c1594>] pick_next_task_fair+0x614/0x720
+[ 11.740085] [<000000004020dd34>] __schedule+0x394/0xa60
+[ 11.808054] [<000000004020e488>] schedule+0x88/0x118
+[ 11.876039] [<0000000040283d3c>] rescuer_thread+0x4d4/0x5b0
+[ 11.948090] [<000000004028fc4c>] kthread+0x1ec/0x248
+[ 12.016053] [<0000000040205020>] end_fault_vector+0x20/0xc0
+[ 12.092239] [<00000000402050c0>] _switch_to_ret+0x0/0xf40
+[ 12.164044]
+[ 12.184036] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.8.0-1-parisc64-smp #1 Debian 4.8.7-1
+[ 12.244040] Backtrace:
+[ 12.244040] [<000000004021c480>] show_stack+0x68/0x80
+[ 12.244040] [<00000000406f332c>] dump_stack+0xec/0x168
+[ 12.244040] [<000000004021c74c>] die_if_kernel+0x25c/0x430
+[ 12.244040] [<000000004022d320>] handle_unaligned+0xb48/0xb50
+[ 12.244040]
+[ 12.632066] ---[ end trace 9ca05a7215c7bbb2 ]---
+[ 12.692036] Kernel panic - not syncing: Attempted to kill the idle task!
+
+We have the insn 0x43ffff80 in IIR but from IAOQ we should have:
+ 4025d150: 0f f3 20 df ldd,s r19(r31),r31
+ 4025d154: 0f 9f 00 9c ldw r31(ret0),ret0
+ 4025d158: bf 80 20 58 cmpb,*<> r0,ret0,4025d18c <irq_exit+0xcc>
+
+Cpu0 has just completed running parisc_setup_cache_timing:
+
+[ 2.429981] Releasing cpu 1 now, hpa=fffffffffffa2000
+[ 2.635751] CPU(s): 2 out of 2 PA8500 (PCX-W) at 440.000000 MHz online
+[ 2.726692] Setting cache flush threshold to 1024 kB
+[ 2.729932] Not-handled unaligned insn 0x43ffff80
+[ 2.798114] Setting TLB flush threshold to 140 kB
+[ 2.928039] Unaligned handler failed, ret = -1
+
+From the backtrace, cpu1 is in smp_callin:
+
+void __init smp_callin(void)
+{
+ int slave_id = cpu_now_booting;
+
+ smp_cpu_init(slave_id);
+ preempt_disable();
+
+ flush_cache_all_local(); /* start with known state */
+ flush_tlb_all_local(NULL);
+
+ local_irq_enable(); /* Interrupts have been off until now */
+
+ cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
+
+So, it has just flushed its caches and the TLB. It would seem either the
+flushes in parisc_setup_cache_timing or smp_callin have corrupted kernel
+memory.
+
+The attached patch reworks parisc_setup_cache_timing to remove the races
+in setting the cache and TLB flush thresholds. It also corrects the
+number of bytes flushed in the TLB calculation.
+
+The patch flushes the cache and TLB on cpu0 before starting the
+secondary processors so that they are started from a known state.
+
+Tested with a few reboots on c8000.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/cache.c | 31 ++++++++++++-------------------
+ arch/parisc/kernel/setup.c | 4 ++++
+ 2 files changed, 16 insertions(+), 19 deletions(-)
+
+--- a/arch/parisc/kernel/cache.c
++++ b/arch/parisc/kernel/cache.c
+@@ -351,6 +351,7 @@ void __init parisc_setup_cache_timing(vo
+ {
+ unsigned long rangetime, alltime;
+ unsigned long size, start;
++ unsigned long threshold;
+
+ alltime = mfctl(16);
+ flush_data_cache();
+@@ -364,17 +365,12 @@ void __init parisc_setup_cache_timing(vo
+ printk(KERN_DEBUG "Whole cache flush %lu cycles, flushing %lu bytes %lu cycles\n",
+ alltime, size, rangetime);
+
+- /* Racy, but if we see an intermediate value, it's ok too... */
+- parisc_cache_flush_threshold = size * alltime / rangetime;
+-
+- parisc_cache_flush_threshold = L1_CACHE_ALIGN(parisc_cache_flush_threshold);
+- if (!parisc_cache_flush_threshold)
+- parisc_cache_flush_threshold = FLUSH_THRESHOLD;
+-
+- if (parisc_cache_flush_threshold > cache_info.dc_size)
+- parisc_cache_flush_threshold = cache_info.dc_size;
+-
+- printk(KERN_INFO "Setting cache flush threshold to %lu kB\n",
++ threshold = L1_CACHE_ALIGN(size * alltime / rangetime);
++ if (threshold > cache_info.dc_size)
++ threshold = cache_info.dc_size;
++ if (threshold)
++ parisc_cache_flush_threshold = threshold;
++ printk(KERN_INFO "Cache flush threshold set to %lu KiB\n",
+ parisc_cache_flush_threshold/1024);
+
+ /* calculate TLB flush threshold */
+@@ -383,7 +379,7 @@ void __init parisc_setup_cache_timing(vo
+ flush_tlb_all();
+ alltime = mfctl(16) - alltime;
+
+- size = PAGE_SIZE;
++ size = 0;
+ start = (unsigned long) _text;
+ rangetime = mfctl(16);
+ while (start < (unsigned long) _end) {
+@@ -396,13 +392,10 @@ void __init parisc_setup_cache_timing(vo
+ printk(KERN_DEBUG "Whole TLB flush %lu cycles, flushing %lu bytes %lu cycles\n",
+ alltime, size, rangetime);
+
+- parisc_tlb_flush_threshold = size * alltime / rangetime;
+- parisc_tlb_flush_threshold *= num_online_cpus();
+- parisc_tlb_flush_threshold = PAGE_ALIGN(parisc_tlb_flush_threshold);
+- if (!parisc_tlb_flush_threshold)
+- parisc_tlb_flush_threshold = FLUSH_TLB_THRESHOLD;
+-
+- printk(KERN_INFO "Setting TLB flush threshold to %lu kB\n",
++ threshold = PAGE_ALIGN(num_online_cpus() * size * alltime / rangetime);
++ if (threshold)
++ parisc_tlb_flush_threshold = threshold;
++ printk(KERN_INFO "TLB flush threshold set to %lu KiB\n",
+ parisc_tlb_flush_threshold/1024);
+ }
+
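Review bot: `threshold = PAGE_ALIGN(num_online_cpus() * size * alltime / rangetime);` forms the whole product before dividing, so the intermediate now carries the CPU-count factor on top of size*alltime; on a 32-bit parisc build unsigned long is 32 bits, and size (bytes in _text.._end) times alltime (cycles of a whole TLB flush) can plausibly approach that already, so the reordering widens a pre-existing overflow window. Dividing before scaling by the CPU count, as the removed lines did, or doing the arithmetic in u64, would avoid it; confirm against the magnitudes actually seen on 32-bit machines. Both this hunk and the cache hunk above also divide by rangetime with no guard for a zero cycle delta, pre-existing but cheap to check now that the fallback-to-default logic has been reshaped. parisc_setup_cache_timing() starts outside the hunk.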
+--- a/arch/parisc/kernel/setup.c
++++ b/arch/parisc/kernel/setup.c
+@@ -334,6 +334,10 @@ static int __init parisc_init(void)
+ /* tell PDC we're Linux. Nevermind failure. */
+ pdc_stable_write(0x40, &osid, sizeof(osid));
+
++ /* start with known state */
++ flush_cache_all_local();
++ flush_tlb_all_local(NULL);
++
+ processor_init();
+ #ifdef CONFIG_SMP
+ pr_info("CPU(s): %d out of %d %s at %d.%06d MHz online\n",
--- /dev/null
+From 18f6084a989ba1b38702f9af37a2e4049a924be6 Mon Sep 17 00:00:00 2001
+From: Andrey Grodzovsky <andrey2805@gmail.com>
+Date: Thu, 10 Nov 2016 09:35:27 -0500
+Subject: scsi: mpt3sas: Fix secure erase premature termination
+
+From: Andrey Grodzovsky <andrey2805@gmail.com>
+
+commit 18f6084a989ba1b38702f9af37a2e4049a924be6 upstream.
+
+This is a work around for a bug with LSI Fusion MPT SAS2 when perfoming
+secure erase. Due to the very long time the operation takes, commands
+issued during the erase will time out and will trigger execution of the
+abort hook. Even though the abort hook is called for the specific
+command which timed out, this leads to entire device halt
+(scsi_state terminated) and premature termination of the secure erase.
+
+Set device state to busy while ATA passthrough commands are in progress.
+
+[mkp: hand applied to 4.9/scsi-fixes, tweaked patch description]
+
+Signed-off-by: Andrey Grodzovsky <andrey2805@gmail.com>
+Acked-by: Sreekanth Reddy <Sreekanth.Reddy@broadcom.com>
+Cc: <linux-scsi@vger.kernel.org>
+Cc: Sathya Prakash <sathya.prakash@broadcom.com>
+Cc: Chaitra P B <chaitra.basappa@broadcom.com>
+Cc: Suganath Prabu Subramani <suganath-prabu.subramani@broadcom.com>
+Cc: Sreekanth Reddy <Sreekanth.Reddy@broadcom.com>
+Cc: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -3831,7 +3831,10 @@ _scsih_eedp_error_handling(struct scsi_c
+ SAM_STAT_CHECK_CONDITION;
+ }
+
+-
++static inline bool ata_12_16_cmd(struct scsi_cmnd *scmd)
++{
++ return (scmd->cmnd[0] == ATA_12 || scmd->cmnd[0] == ATA_16);
++}
+
+ /**
+ * scsih_qcmd - main scsi request entry point
+@@ -3859,6 +3862,13 @@ scsih_qcmd(struct Scsi_Host *shost, stru
+ if (ioc->logging_level & MPT_DEBUG_SCSI)
+ scsi_print_command(scmd);
+
++ /*
++ * Lock the device for any subsequent command until command is
++ * done.
++ */
++ if (ata_12_16_cmd(scmd))
++ scsi_internal_device_block(scmd->device);
++
+ sas_device_priv_data = scmd->device->hostdata;
+ if (!sas_device_priv_data || !sas_device_priv_data->sas_target) {
+ scmd->result = DID_NO_CONNECT << 16;
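Review bot: scsi_internal_device_block() is taken in scsih_qcmd() before the `!sas_device_priv_data` check that sets DID_NO_CONNECT, while the matching scsi_internal_device_unblock() sits only in _scsih_io_done() (the later hunk); any path that completes the command from scsih_qcmd() itself, or a reset/abort path that never reaches _scsih_io_done(), would leave the device blocked. Moving the block below the early-error checks, or unblocking on those error returns, closes that; the rest of scsih_qcmd() is outside the hunk, so which paths return early there needs confirming. ata_12_16_cmd() would also read better with a one-line comment on why these two opcodes are special, e.g. `/* ATA passthrough (e.g. secure erase) can run far longer than the SCSI command timeout */`.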
+@@ -4431,6 +4441,9 @@ _scsih_io_done(struct MPT3SAS_ADAPTER *i
+ if (scmd == NULL)
+ return 1;
+
++ if (ata_12_16_cmd(scmd))
++ scsi_internal_device_unblock(scmd->device, SDEV_RUNNING);
++
+ mpi_request = mpt3sas_base_get_msg_frame(ioc, smid);
+
+ if (mpi_reply == NULL) {
--- /dev/null
+iommu-vt-d-fix-pasid-table-allocation.patch
+iommu-vt-d-fix-iommu-lookup-for-sr-iov-virtual-functions.patch
+kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret_far.patch
+kvm-x86-check-for-pic-and-ioapic-presence-before-use.patch
+usb-chipidea-move-the-lock-initialization-to-core-file.patch
+usb-serial-cp210x-add-id-for-the-zone-dpmx.patch
+usb-serial-ftdi_sio-add-support-for-ti-cc3200-launchpad.patch
+fix-usb-cb-cbi-storage-devices-with-config_vmap_stack-y.patch
+scsi-mpt3sas-fix-secure-erase-premature-termination.patch
+tile-avoid-using-clocksource_cyc2ns-with-absolute-cycle-count.patch
+cfg80211-limit-scan-results-cache-size.patch
+apparmor-fix-change_hat-not-finding-hat-after-policy-replacement.patch
+nfsv4.x-hide-array-bounds-warning.patch
+parisc-fix-races-in-parisc_setup_cache_timing.patch
+parisc-fix-race-in-pci-dma.c.patch
+parisc-also-flush-data-tlb-in-flush_icache_page_asm.patch
+mpi-fix-null-ptr-dereference-in-mpi_powm.patch
+drm-radeon-ensure-vblank-interrupt-is-enabled-on-dpms-transition-to-on.patch
--- /dev/null
+From e658a6f14d7c0243205f035979d0ecf6c12a036f Mon Sep 17 00:00:00 2001
+From: Chris Metcalf <cmetcalf@mellanox.com>
+Date: Wed, 16 Nov 2016 11:18:05 -0500
+Subject: tile: avoid using clocksource_cyc2ns with absolute cycle count
+
+From: Chris Metcalf <cmetcalf@mellanox.com>
+
+commit e658a6f14d7c0243205f035979d0ecf6c12a036f upstream.
+
+For large values of "mult" and long uptimes, the intermediate
+result of "cycles * mult" can overflow 64 bits. For example,
+the tile platform calls clocksource_cyc2ns with a 1.2 GHz clock;
+we have mult = 853, and after 208.5 days, we overflow 64 bits.
+
+Since clocksource_cyc2ns() is intended to be used for relative
+cycle counts, not absolute cycle counts, performance is more
+importance than accepting a wider range of cycle values. So,
+just use mult_frac() directly in tile's sched_clock().
+
+Commit 4cecf6d401a0 ("sched, x86: Avoid unnecessary overflow
+in sched_clock") by Salman Qazi results in essentially the same
+generated code for x86 as this change does for tile. In fact,
+a follow-on change by Salman introduced mult_frac() and switched
+to using it, so the C code was largely identical at that point too.
+
+Peter Zijlstra then added mul_u64_u32_shr() and switched x86
+to use it. This is, in principle, better; by optimizing the
+64x64->64 multiplies to be 32x32->64 multiplies we can potentially
+save some time. However, the compiler piplines the 64x64->64
+multiplies pretty well, and the conditional branch in the generic
+mul_u64_u32_shr() causes some bubbles in execution, with the
+result that it's pretty much a wash. If tilegx provided its own
+implementation of mul_u64_u32_shr() without the conditional branch,
+we could potentially save 3 cycles, but that seems like small gain
+for a fair amount of additional build scaffolding; no other platform
+currently provides a mul_u64_u32_shr() override, and tile doesn't
+currently have an <asm/div64.h> header to put the override in.
+
+Additionally, gcc currently has an optimization bug that prevents
+it from recognizing the opportunity to use a 32x32->64 multiply,
+and so the result would be no better than the existing mult_frac()
+until such time as the compiler is fixed.
+
+For now, just using mult_frac() seems like the right answer.
+
+Signed-off-by: Chris Metcalf <cmetcalf@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/tile/kernel/time.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/tile/kernel/time.c
++++ b/arch/tile/kernel/time.c
+@@ -218,8 +218,8 @@ void do_timer_interrupt(struct pt_regs *
+ */
+ unsigned long long sched_clock(void)
+ {
+- return clocksource_cyc2ns(get_cycles(),
+- sched_clock_mult, SCHED_CLOCK_SHIFT);
++ return mult_frac(get_cycles(),
++ sched_clock_mult, 1ULL << SCHED_CLOCK_SHIFT);
+ }
+
+ int setup_profiling_timer(unsigned int multiplier)
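Review bot: The reason for mult_frac() over clocksource_cyc2ns() — the latter's cycles*mult intermediate overflows 64 bits for absolute cycle counts after roughly 208 days at this mult/shift — appears only in the commit message, and the block comment that closes with `*/` just above sched_clock() starts outside the hunk. Adding one sentence there, `mult_frac() is used instead of clocksource_cyc2ns() because that helper's cycles*mult intermediate overflows 64 bits for absolute cycle counts`, would stop a future cleanup from switching it back. mult_frac() presumably still multiplies the remainder `cycles % denom` by sched_clock_mult, which is bounded by 2^SCHED_CLOCK_SHIFT times the mult and so does not reintroduce the overflow — worth confirming against the macro's definition.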
--- /dev/null
+From a5d906bb261cde5f881a949d3b0fbaa285dcc574 Mon Sep 17 00:00:00 2001
+From: Peter Chen <peter.chen@nxp.com>
+Date: Tue, 15 Nov 2016 18:05:33 +0800
+Subject: usb: chipidea: move the lock initialization to core file
+
+From: Peter Chen <peter.chen@nxp.com>
+
+commit a5d906bb261cde5f881a949d3b0fbaa285dcc574 upstream.
+
+This can fix below dump when the lock is accessed at host
+mode due to it is not initialized.
+
+[ 46.119638] INFO: trying to register non-static key.
+[ 46.124643] the code is fine but needs lockdep annotation.
+[ 46.130144] turning off the locking correctness validator.
+[ 46.135659] CPU: 0 PID: 690 Comm: cat Not tainted 4.9.0-rc3-00079-g4b75f1d #1210
+[ 46.143075] Hardware name: Freescale i.MX6 SoloX (Device Tree)
+[ 46.148923] Backtrace:
+[ 46.151448] [<c010c460>] (dump_backtrace) from [<c010c658>] (show_stack+0x18/0x1c)
+[ 46.159038] r7:edf52000
+[ 46.161412] r6:60000193
+[ 46.163967] r5:00000000
+[ 46.165035] r4:c0e25c2c
+
+[ 46.169109] [<c010c640>] (show_stack) from [<c03f58a4>] (dump_stack+0xb4/0xe8)
+[ 46.176362] [<c03f57f0>] (dump_stack) from [<c016d690>] (register_lock_class+0x4fc/0x56c)
+[ 46.184554] r10:c0e25d24
+[ 46.187014] r9:edf53e70
+[ 46.189569] r8:c1642444
+[ 46.190637] r7:ee9da024
+[ 46.193191] r6:00000000
+[ 46.194258] r5:00000000
+[ 46.196812] r4:00000000
+[ 46.199185] r3:00000001
+
+[ 46.203259] [<c016d194>] (register_lock_class) from [<c0171294>] (__lock_acquire+0x80/0x10f0)
+[ 46.211797] r10:c0e25d24
+[ 46.214257] r9:edf53e70
+[ 46.216813] r8:ee9da024
+[ 46.217880] r7:c1642444
+[ 46.220435] r6:edcd1800
+[ 46.221502] r5:60000193
+[ 46.224057] r4:00000000
+
+[ 46.227953] [<c0171214>] (__lock_acquire) from [<c01726c0>] (lock_acquire+0x74/0x94)
+[ 46.235710] r10:00000001
+[ 46.238169] r9:edf53e70
+[ 46.240723] r8:edf53f80
+[ 46.241790] r7:00000001
+[ 46.244344] r6:00000001
+[ 46.245412] r5:60000193
+[ 46.247966] r4:00000000
+
+[ 46.251866] [<c017264c>] (lock_acquire) from [<c096c8fc>] (_raw_spin_lock_irqsave+0x40/0x54)
+[ 46.260319] r7:ee1c6a00
+[ 46.262691] r6:c062a570
+[ 46.265247] r5:20000113
+[ 46.266314] r4:ee9da014
+
+[ 46.270393] [<c096c8bc>] (_raw_spin_lock_irqsave) from [<c062a570>] (ci_port_test_show+0x2c/0x70)
+[ 46.279280] r6:eebd2000
+[ 46.281652] r5:ee9da010
+[ 46.284207] r4:ee9da014
+
+[ 46.286810] [<c062a544>] (ci_port_test_show) from [<c0248d04>] (seq_read+0x1ac/0x4f8)
+[ 46.294655] r9:edf53e70
+[ 46.297028] r8:edf53f80
+[ 46.299583] r7:ee1c6a00
+[ 46.300650] r6:00000001
+[ 46.303205] r5:00000000
+[ 46.304273] r4:eebd2000
+[ 46.306850] [<c0248b58>] (seq_read) from [<c039e864>] (full_proxy_read+0x54/0x6c)
+[ 46.314348] r10:00000000
+[ 46.316808] r9:c0a6ad30
+[ 46.319363] r8:edf53f80
+[ 46.320430] r7:00020000
+[ 46.322986] r6:b6de3000
+[ 46.324053] r5:ee1c6a00
+[ 46.326607] r4:c0248b58
+
+[ 46.330505] [<c039e810>] (full_proxy_read) from [<c021ec98>] (__vfs_read+0x34/0x118)
+[ 46.338262] r9:edf52000
+[ 46.340635] r8:c0107fc4
+[ 46.343190] r7:00020000
+[ 46.344257] r6:edf53f80
+[ 46.346812] r5:c039e810
+[ 46.347879] r4:ee1c6a00
+[ 46.350447] [<c021ec64>] (__vfs_read) from [<c021fbd0>] (vfs_read+0x8c/0x11c)
+[ 46.357597] r9:edf52000
+[ 46.359969] r8:c0107fc4
+[ 46.362524] r7:edf53f80
+[ 46.363592] r6:b6de3000
+[ 46.366147] r5:ee1c6a00
+[ 46.367214] r4:00020000
+[ 46.369782] [<c021fb44>] (vfs_read) from [<c0220a4c>] (SyS_read+0x4c/0xa8)
+[ 46.376672] r8:c0107fc4
+[ 46.379045] r7:00020000
+[ 46.381600] r6:b6de3000
+[ 46.382667] r5:ee1c6a00
+[ 46.385222] r4:ee1c6a00
+
+[ 46.387817] [<c0220a00>] (SyS_read) from [<c0107e20>] (ret_fast_syscall+0x0/0x1c)
+[ 46.395314] r7:00000003
+[ 46.397687] r6:b6de3000
+[ 46.400243] r5:00020000
+[ 46.401310] r4:00020000
+
+Fixes: 26c696c678c4 ("USB: Chipidea: rename struct ci13xxx variables from udc to ci")
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/chipidea/core.c | 1 +
+ drivers/usb/chipidea/udc.c | 2 --
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -926,6 +926,7 @@ static int ci_hdrc_probe(struct platform
+ if (!ci)
+ return -ENOMEM;
+
++ spin_lock_init(&ci->lock);
+ ci->dev = dev;
+ ci->platdata = dev_get_platdata(dev);
+ ci->imx28_write_fix = !!(ci->platdata->flags &
+--- a/drivers/usb/chipidea/udc.c
++++ b/drivers/usb/chipidea/udc.c
+@@ -1884,8 +1884,6 @@ static int udc_start(struct ci_hdrc *ci)
+ struct usb_otg_caps *otg_caps = &ci->platdata->ci_otg_caps;
+ int retval = 0;
+
+- spin_lock_init(&ci->lock);
+-
+ ci->gadget.ops = &usb_gadget_ops;
+ ci->gadget.speed = USB_SPEED_UNKNOWN;
+ ci->gadget.max_speed = USB_SPEED_HIGH;
--- /dev/null
+From 2ab13292d7a314fa45de0acc808e41aaad31989c Mon Sep 17 00:00:00 2001
+From: Paul Jakma <paul@jakma.org>
+Date: Wed, 16 Nov 2016 10:13:49 +0000
+Subject: USB: serial: cp210x: add ID for the Zone DPMX
+
+From: Paul Jakma <paul@jakma.org>
+
+commit 2ab13292d7a314fa45de0acc808e41aaad31989c upstream.
+
+The BRIM Brothers Zone DPMX is a bicycle powermeter. This ID is for the USB
+serial interface in its charging dock for the control pods, via which some
+settings for the pods can be modified.
+
+Signed-off-by: Paul Jakma <paul@jakma.org>
+Cc: Barry Redmond <barry@brimbrothers.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -130,6 +130,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */
+ { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */
+ { USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */
++ { USB_DEVICE(0x10C4, 0x8962) }, /* Brim Brothers charging dock */
+ { USB_DEVICE(0x10C4, 0x8977) }, /* CEL MeshWorks DevKit Device */
+ { USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */
+ { USB_DEVICE(0x10C4, 0x8A2A) }, /* HubZ dual ZigBee and Z-Wave dongle */
--- /dev/null
+From 9bfef729a3d11f04d12788d749a3ce6b47645734 Mon Sep 17 00:00:00 2001
+From: Doug Brown <doug@schmorgal.com>
+Date: Fri, 4 Nov 2016 21:18:20 -0700
+Subject: USB: serial: ftdi_sio: add support for TI CC3200 LaunchPad
+
+From: Doug Brown <doug@schmorgal.com>
+
+commit 9bfef729a3d11f04d12788d749a3ce6b47645734 upstream.
+
+This patch adds support for the TI CC3200 LaunchPad board, which uses a
+custom USB vendor ID and product ID. Channel A is used for JTAG, and
+channel B is used for a UART.
+
+Signed-off-by: Doug Brown <doug@schmorgal.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ftdi_sio.c | 2 ++
+ drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
+ 2 files changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1012,6 +1012,8 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) },
+ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) },
+ { USB_DEVICE(WICED_VID, WICED_USB20706V2_PID) },
++ { USB_DEVICE(TI_VID, TI_CC3200_LAUNCHPAD_PID),
++ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { } /* Terminating entry */
+ };
+
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -596,6 +596,12 @@
+ #define STK541_PID 0x2109 /* Zigbee Controller */
+
+ /*
++ * Texas Instruments
++ */
++#define TI_VID 0x0451
++#define TI_CC3200_LAUNCHPAD_PID 0xC32A /* SimpleLink Wi-Fi CC3200 LaunchPad */
++
++/*
+ * Blackfin gnICE JTAG
+ * http://docs.blackfin.uclinux.org/doku.php?id=hw:jtag:gnice
+ */
--- /dev/null
+iommu-vt-d-fix-pasid-table-allocation.patch
+iommu-vt-d-fix-iommu-lookup-for-sr-iov-virtual-functions.patch
+kvm-x86-fix-out-of-bounds-access-in-lapic.patch
+kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret_far.patch
+kvm-x86-fix-out-of-bounds-accesses-of-rtc_eoi-map.patch
+kvm-x86-check-for-pic-and-ioapic-presence-before-use.patch
+usb-chipidea-move-the-lock-initialization-to-core-file.patch
+usb-serial-cp210x-add-id-for-the-zone-dpmx.patch
+usb-serial-ftdi_sio-add-support-for-ti-cc3200-launchpad.patch
+fix-usb-cb-cbi-storage-devices-with-config_vmap_stack-y.patch
+scsi-mpt3sas-fix-secure-erase-premature-termination.patch
+tile-avoid-using-clocksource_cyc2ns-with-absolute-cycle-count.patch
+cfg80211-limit-scan-results-cache-size.patch
+drm-amdgpu-fix-power-state-when-port-pm-is-unavailable.patch
+drm-radeon-fix-power-state-when-port-pm-is-unavailable-v2.patch
+apparmor-fix-change_hat-not-finding-hat-after-policy-replacement.patch
+nfsv4.x-hide-array-bounds-warning.patch
+x86-fpu-fix-invalid-fpu-ptrace-state-after-execve.patch
+x86-traps-ignore-high-word-of-regs-cs-in-early_fixup_exception.patch
+perf-core-fix-address-filter-parser.patch
+perf-x86-intel-cure-bogus-unwind-from-pebs-entries.patch
+thermal-powerclamp-add-back-module-device-table.patch
+parisc-fix-races-in-parisc_setup_cache_timing.patch
+parisc-switch-to-generic-sched_clock-implementation.patch
+parisc-fix-race-in-pci-dma.c.patch
+parisc-also-flush-data-tlb-in-flush_icache_page_asm.patch
+mmc-sdhci-of-esdhc-fixup-present_state-read.patch
+mpi-fix-null-ptr-dereference-in-mpi_powm.patch
+x.509-fix-double-free-in-x509_cert_parse.patch
+xc2028-fix-use-after-free-bug-properly.patch
+device-dax-check-devm_nsio_enable-return-value.patch
+device-dax-fail-all-private-mapping-attempts.patch
+powerpc-set-missing-wakeup-bit-in-lpcr-on-power9.patch
+powerpc-mm-fixup-kernel-read-only-mapping.patch
+powerpc-boot-fix-the-early-opal-console-wrappers.patch
+can-bcm-fix-support-for-can-fd-frames.patch