--- /dev/null
+From 79f5b6ae960d380c829fb67d5dadcd1d025d2775 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 19 Oct 2015 04:17:30 -0200
+Subject: [media] c8sectpfe: Remove select on CONFIG_FW_LOADER_USER_HELPER_FALLBACK
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 79f5b6ae960d380c829fb67d5dadcd1d025d2775 upstream.
+
+c8sectpfe driver selects CONFIG_FW_LOADER_USER_HELPER_FALLBACK for some
+reason, but this option is known to be harmful, leading to minutes of
+stalls at boot time. The option was intended for only compatibility
+for an old exotic system that mandates the udev interaction, and not a
+thing a driver selects by itself. Let's remove it.
+
+Fixes: 850a3f7d5911 ('[media] c8sectpfe: Add Kconfig and Makefile for the driver')
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/sti/c8sectpfe/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/media/platform/sti/c8sectpfe/Kconfig
++++ b/drivers/media/platform/sti/c8sectpfe/Kconfig
+@@ -3,7 +3,6 @@ config DVB_C8SECTPFE
+ depends on PINCTRL && DVB_CORE && I2C
+ depends on ARCH_STI || ARCH_MULTIPLATFORM || COMPILE_TEST
+ select FW_LOADER
+- select FW_LOADER_USER_HELPER_FALLBACK
+ select DEBUG_FS
+ select DVB_LNBP21 if MEDIA_SUBDRV_AUTOSELECT
+ select DVB_STV090x if MEDIA_SUBDRV_AUTOSELECT
--- /dev/null
+From ad5f498f610fa3fd8bd265139098bc1405cd2783 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 27 Oct 2015 19:06:55 -0400
+Subject: dm: initialize non-blk-mq queue data before queue is used
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit ad5f498f610fa3fd8bd265139098bc1405cd2783 upstream.
+
+Commit bfebd1cdb497a57757c83f5fbf1a29931591e2a4 ("dm: add full blk-mq
+support to request-based DM") moves the initialization of the fields
+backing_dev_info.congested_fn, backing_dev_info.congested_data and
+queuedata from the function dm_init_md_queue (that is called when the
+device is created) to dm_init_old_md_queue (that is called after the
+device type is determined).
+
+There is no locking when accessing these variables, thus it is possible
+for other parts of the kernel to briefly see this data in a transient
+state (e.g. queue->backing_dev_info.congested_fn initialized and
+md->queue->backing_dev_info.congested_data uninitialized, resulting in
+passing an incorrect parameter to the function dm_any_congested).
+
+This queue data is left initialized for blk-mq devices even though they
+don't use it.
+
+Fixes: bfebd1cdb497 ("dm: add full blk-mq support to request-based DM")
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2198,6 +2198,13 @@ static void dm_init_md_queue(struct mapp
+ * This queue is new, so no concurrency on the queue_flags.
+ */
+ queue_flag_clear_unlocked(QUEUE_FLAG_STACKABLE, md->queue);
++
++ /*
++ * Initialize data that will only be used by a non-blk-mq DM queue
++ * - must do so here (in alloc_dev callchain) before queue is used
++ */
++ md->queue->queuedata = md;
++ md->queue->backing_dev_info.congested_data = md;
+ }
+
+ static void dm_init_old_md_queue(struct mapped_device *md)
+@@ -2208,10 +2215,7 @@ static void dm_init_old_md_queue(struct
+ /*
+ * Initialize aspects of queue that aren't relevant for blk-mq
+ */
+- md->queue->queuedata = md;
+ md->queue->backing_dev_info.congested_fn = dm_any_congested;
+- md->queue->backing_dev_info.congested_data = md;
+-
+ blk_queue_bounce_limit(md->queue, BLK_BOUNCE_ANY);
+ }
+
--- /dev/null
+From 904dad4742d211b7a8910e92695c0fa957483836 Mon Sep 17 00:00:00 2001
+From: Andy Leiserson <andy@leiserson.org>
+Date: Sun, 18 Oct 2015 00:36:29 -0400
+Subject: [PATCH] fix calculation of meta_bg descriptor backups
+
+From: Andy Leiserson <andy@leiserson.org>
+
+commit 904dad4742d211b7a8910e92695c0fa957483836 upstream.
+
+"group" is the group where the backup will be placed, and is
+initialized to zero in the declaration. This meant that backups for
+meta_bg descriptors were erroneously written to the backup block group
+descriptors in groups 1 and (desc_per_block-1).
+
+Reproduction information:
+ mke2fs -Fq -t ext4 -b 1024 -O ^resize_inode /tmp/foo.img 16G
+ truncate -s 24G /tmp/foo.img
+ losetup /dev/loop0 /tmp/foo.img
+ mount /dev/loop0 /mnt
+ resize2fs /dev/loop0
+ umount /dev/loop0
+ dd if=/dev/zero of=/dev/loop0 bs=1024 count=2
+ e2fsck -fy /dev/loop0
+ losetup -d /dev/loop0
+
+Signed-off-by: Andy Leiserson <andy@leiserson.org>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1040,7 +1040,7 @@ exit_free:
+ * do not copy the full number of backups at this time. The resize
+ * which changed s_groups_count will backup again.
+ */
+-static void update_backups(struct super_block *sb, int blk_off, char *data,
++static void update_backups(struct super_block *sb, sector_t blk_off, char *data,
+ int size, int meta_bg)
+ {
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+@@ -1065,7 +1065,7 @@ static void update_backups(struct super_
+ group = ext4_list_backups(sb, &three, &five, &seven);
+ last = sbi->s_groups_count;
+ } else {
+- group = ext4_meta_bg_first_group(sb, group) + 1;
++ group = ext4_get_group_number(sb, blk_off) + 1;
+ last = (ext4_group_t)(group + EXT4_DESC_PER_BLOCK(sb) - 2);
+ }
+
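Review bot: The new `ext4_get_group_number(sb, blk_off)` call makes the meta_bg branch depend on `blk_off` being a full filesystem block number, which is presumably why the first hunk widens the parameter from `int` to `sector_t`, but neither the commit message nor the function comment says so. The callers are outside the hunk, so it needs checking that none of them still computes the value in an `int`, which would truncate it on very large filesystems before it reaches this call. I would extend the comment above update_backups() with a line such as `blk_off: block number of the descriptor block; with meta_bg it selects the first backup group`, adjusted to whatever the callers really pass.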
--- /dev/null
+From 6f6ddbb09d2a5baded0e23add3ad2d9e9417ab30 Mon Sep 17 00:00:00 2001
+From: Cyrille Pitchen <cyrille.pitchen@atmel.com>
+Date: Wed, 21 Oct 2015 15:44:03 +0200
+Subject: i2c: at91: fix write transfers by clearing pending interrupt first
+
+From: Cyrille Pitchen <cyrille.pitchen@atmel.com>
+
+commit 6f6ddbb09d2a5baded0e23add3ad2d9e9417ab30 upstream.
+
+In some cases a NACK interrupt may be pending in the Status Register (SR)
+as a result of a previous transfer. However at91_do_twi_transfer() did not
+read the SR to clear pending interruptions before starting a new transfer.
+Hence a NACK interrupt rose as soon as it was enabled again at the I2C
+controller level, resulting in a wrong sequence of operations and strange
+patterns of behaviour on the I2C bus, such as a clock stretch followed by
+a restart of the transfer.
+
+This first issue occurred with both DMA and PIO write transfers.
+
+Also when a NACK error was detected during a PIO write transfer, the
+interrupt handler used to wrongly start a new transfer by writing into the
+Transmit Holding Register (THR). Then the I2C slave was likely to reply
+with a second NACK.
+
+This second issue is fixed in atmel_twi_interrupt() by handling the TXRDY
+status bit only if both the TXCOMP and NACK status bits are cleared.
+
+Tested with a at24 eeprom on sama5d36ek board running a linux-4.1-at91
+kernel image. Adapted to linux-next.
+
+Reported-by: Peter Rosin <peda@lysator.liu.se>
+Signed-off-by: Cyrille Pitchen <cyrille.pitchen@atmel.com>
+Signed-off-by: Ludovic Desroches <ludovic.desroches@atmel.com>
+Tested-by: Peter Rosin <peda@lysator.liu.se>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Fixes: 93563a6a71bb ("i2c: at91: fix a race condition when using the DMA controller")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-at91.c | 58 ++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 50 insertions(+), 8 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-at91.c
++++ b/drivers/i2c/busses/i2c-at91.c
+@@ -465,19 +465,57 @@ static irqreturn_t atmel_twi_interrupt(i
+
+ if (!irqstatus)
+ return IRQ_NONE;
+- else if (irqstatus & AT91_TWI_RXRDY)
+- at91_twi_read_next_byte(dev);
+- else if (irqstatus & AT91_TWI_TXRDY)
+- at91_twi_write_next_byte(dev);
+-
+- /* catch error flags */
+- dev->transfer_status |= status;
+
++ /*
++ * When a NACK condition is detected, the I2C controller sets the NACK,
++ * TXCOMP and TXRDY bits all together in the Status Register (SR).
++ *
++ * 1 - Handling NACK errors with CPU write transfer.
++ *
++ * In such case, we should not write the next byte into the Transmit
++ * Holding Register (THR) otherwise the I2C controller would start a new
++ * transfer and the I2C slave is likely to reply by another NACK.
++ *
++ * 2 - Handling NACK errors with DMA write transfer.
++ *
++ * By setting the TXRDY bit in the SR, the I2C controller also triggers
++ * the DMA controller to write the next data into the THR. Then the
++ * result depends on the hardware version of the I2C controller.
++ *
++ * 2a - Without support of the Alternative Command mode.
++ *
++ * This is the worst case: the DMA controller is triggered to write the
++ * next data into the THR, hence starting a new transfer: the I2C slave
++ * is likely to reply by another NACK.
++ * Concurrently, this interrupt handler is likely to be called to manage
++ * the first NACK before the I2C controller detects the second NACK and
++ * sets once again the NACK bit into the SR.
++ * When handling the first NACK, this interrupt handler disables the I2C
++ * controller interruptions, especially the NACK interrupt.
++ * Hence, the NACK bit is pending into the SR. This is why we should
++ * read the SR to clear all pending interrupts at the beginning of
++ * at91_do_twi_transfer() before actually starting a new transfer.
++ *
++ * 2b - With support of the Alternative Command mode.
++ *
++ * When a NACK condition is detected, the I2C controller also locks the
++ * THR (and sets the LOCK bit in the SR): even though the DMA controller
++ * is triggered by the TXRDY bit to write the next data into the THR,
++ * this data actually won't go on the I2C bus hence a second NACK is not
++ * generated.
++ */
+ if (irqstatus & (AT91_TWI_TXCOMP | AT91_TWI_NACK)) {
+ at91_disable_twi_interrupts(dev);
+ complete(&dev->cmd_complete);
++ } else if (irqstatus & AT91_TWI_RXRDY) {
++ at91_twi_read_next_byte(dev);
++ } else if (irqstatus & AT91_TWI_TXRDY) {
++ at91_twi_write_next_byte(dev);
+ }
+
++ /* catch error flags */
++ dev->transfer_status |= status;
++
+ return IRQ_HANDLED;
+ }
+
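Review bot: `dev->transfer_status |= status;` now runs after `complete(&dev->cmd_complete)` in the TXCOMP/NACK branch, whereas before this change it ran ahead of it. If the waiter in at91_do_twi_transfer() inspects `dev->transfer_status` as soon as the completion fires (that code is outside the hunk), it could on SMP read the field before the error bits are OR-ed in and treat a NACKed write as successful. Moving the two lines `/* catch error flags */` and `dev->transfer_status |= status;` back above the `if (irqstatus & (AT91_TWI_TXCOMP | AT91_TWI_NACK))` block restores the old ordering without touching the NACK handling this patch adds. The top of the handler, where `status` and `irqstatus` are read, is outside the hunk.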
+@@ -487,6 +525,7 @@ static int at91_do_twi_transfer(struct a
+ unsigned long time_left;
+ bool has_unre_flag = dev->pdata->has_unre_flag;
+ bool has_alt_cmd = dev->pdata->has_alt_cmd;
++ unsigned sr;
+
+ /*
+ * WARNING: the TXCOMP bit in the Status Register is NOT a clear on
+@@ -537,6 +576,9 @@ static int at91_do_twi_transfer(struct a
+ reinit_completion(&dev->cmd_complete);
+ dev->transfer_status = 0;
+
++ /* Clear pending interrupts, such as NACK. */
++ sr = at91_twi_read(dev, AT91_TWI_SR);
++
+ if (dev->fifo_size) {
+ unsigned fifo_mr = at91_twi_read(dev, AT91_TWI_FMR);
+
+@@ -558,7 +600,7 @@ static int at91_do_twi_transfer(struct a
+ } else if (dev->msg->flags & I2C_M_RD) {
+ unsigned start_flags = AT91_TWI_START;
+
+- if (at91_twi_read(dev, AT91_TWI_SR) & AT91_TWI_RXRDY) {
++ if (sr & AT91_TWI_RXRDY) {
+ dev_err(dev->dev, "RXRDY still set!");
+ at91_twi_read(dev, AT91_TWI_RHR);
+ }
--- /dev/null
+From a9bed6b10bd117a300cceb9062003f7a2761ef99 Mon Sep 17 00:00:00 2001
+From: Ludovic Desroches <ludovic.desroches@atmel.com>
+Date: Mon, 26 Oct 2015 10:38:27 +0100
+Subject: i2c: at91: manage unexpected RXRDY flag when starting a transfer
+
+From: Ludovic Desroches <ludovic.desroches@atmel.com>
+
+commit a9bed6b10bd117a300cceb9062003f7a2761ef99 upstream.
+
+In some cases, we could start a new i2c transfer with the RXRDY flag
+set. It is not a clean state and it leads to print annoying error
+messages even if there is no real issue. The cause is only having garbage
+data in the Receive Holding Register because of a weird behavior of the
+RXRDY flag.
+
+Reported-by: Peter Rosin <peda@lysator.liu.se>
+Signed-off-by: Ludovic Desroches <ludovic.desroches@atmel.com>
+Tested-by: Peter Rosin <peda@lysator.liu.se>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Fixes: 93563a6a71bb ("i2c: at91: fix a race condition when using the DMA controller")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-at91.c | 36 ++++++++++++++++++++++++++----------
+ 1 file changed, 26 insertions(+), 10 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-at91.c
++++ b/drivers/i2c/busses/i2c-at91.c
+@@ -347,8 +347,14 @@ error:
+
+ static void at91_twi_read_next_byte(struct at91_twi_dev *dev)
+ {
+- if (!dev->buf_len)
++ /*
++ * If we are in this case, it means there is garbage data in RHR, so
++ * delete them.
++ */
++ if (!dev->buf_len) {
++ at91_twi_read(dev, AT91_TWI_RHR);
+ return;
++ }
+
+ /* 8bit read works with and without FIFO */
+ *dev->buf = readb_relaxed(dev->base + AT91_TWI_RHR);
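Review bot: The `!dev->buf_len` branch of at91_twi_read_next_byte() now drops a byte from RHR with no trace, and the last hunk of this patch removes the only message (`RXRDY still set!`) that reported this state. A `dev_dbg(dev->dev, "discarding unexpected byte in RHR\n");` next to the `at91_twi_read(dev, AT91_TWI_RHR)` call would keep the condition visible when debugging without bringing back the log noise. The new comment would also read better as `/* RHR holds stale data and no buffer space is left: read it to discard it */`.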
+@@ -465,6 +471,24 @@ static irqreturn_t atmel_twi_interrupt(i
+
+ if (!irqstatus)
+ return IRQ_NONE;
++ /*
++ * In reception, the behavior of the twi device (before sama5d2) is
++ * weird. There is some magic about RXRDY flag! When a data has been
++ * almost received, the reception of a new one is anticipated if there
++ * is no stop command to send. That is the reason why ask for sending
++ * the stop command not on the last data but on the second last one.
++ *
++ * Unfortunately, we could still have the RXRDY flag set even if the
++ * transfer is done and we have read the last data. It might happen
++ * when the i2c slave device sends too quickly data after receiving the
++ * ack from the master. The data has been almost received before having
++ * the order to send stop. In this case, sending the stop command could
++ * cause a RXRDY interrupt with a TXCOMP one. It is better to manage
++ * the RXRDY interrupt first in order to not keep garbage data in the
++ * Receive Holding Register for the next transfer.
++ */
++ if (irqstatus & AT91_TWI_RXRDY)
++ at91_twi_read_next_byte(dev);
+
+ /*
+ * When a NACK condition is detected, the I2C controller sets the NACK,
+@@ -507,8 +531,6 @@ static irqreturn_t atmel_twi_interrupt(i
+ if (irqstatus & (AT91_TWI_TXCOMP | AT91_TWI_NACK)) {
+ at91_disable_twi_interrupts(dev);
+ complete(&dev->cmd_complete);
+- } else if (irqstatus & AT91_TWI_RXRDY) {
+- at91_twi_read_next_byte(dev);
+ } else if (irqstatus & AT91_TWI_TXRDY) {
+ at91_twi_write_next_byte(dev);
+ }
+@@ -525,7 +547,6 @@ static int at91_do_twi_transfer(struct a
+ unsigned long time_left;
+ bool has_unre_flag = dev->pdata->has_unre_flag;
+ bool has_alt_cmd = dev->pdata->has_alt_cmd;
+- unsigned sr;
+
+ /*
+ * WARNING: the TXCOMP bit in the Status Register is NOT a clear on
+@@ -577,7 +598,7 @@ static int at91_do_twi_transfer(struct a
+ dev->transfer_status = 0;
+
+ /* Clear pending interrupts, such as NACK. */
+- sr = at91_twi_read(dev, AT91_TWI_SR);
++ at91_twi_read(dev, AT91_TWI_SR);
+
+ if (dev->fifo_size) {
+ unsigned fifo_mr = at91_twi_read(dev, AT91_TWI_FMR);
+@@ -600,11 +621,6 @@ static int at91_do_twi_transfer(struct a
+ } else if (dev->msg->flags & I2C_M_RD) {
+ unsigned start_flags = AT91_TWI_START;
+
+- if (sr & AT91_TWI_RXRDY) {
+- dev_err(dev->dev, "RXRDY still set!");
+- at91_twi_read(dev, AT91_TWI_RHR);
+- }
+-
+ /* if only one byte is to be read, immediately stop transfer */
+ if (!has_alt_cmd && dev->buf_len <= 1 &&
+ !(dev->msg->flags & I2C_M_RECV_LEN))
--- /dev/null
+From c18fba23061f16dde128e10d4869ba4e88e0e81a Mon Sep 17 00:00:00 2001
+From: Grygorii Strashko <grygorii.strashko@ti.com>
+Date: Thu, 12 Nov 2015 15:42:26 +0200
+Subject: i2c: fix wakeup irq parsing
+
+From: Grygorii Strashko <grygorii.strashko@ti.com>
+
+commit c18fba23061f16dde128e10d4869ba4e88e0e81a upstream.
+
+This patch fixes an obvious copy-paste error in wake up irq parsing
+code which leads to the fact that dev_pm_set_wake_irq() will
+be called with wrong IRQ number when "wakeup" IRQ is not
+defined in DT.
+
+Fixes: 3fffd1283927 ("i2c: allow specifying separate wakeup interrupt in device tree")
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/i2c-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/i2c-core.c
++++ b/drivers/i2c/i2c-core.c
+@@ -679,7 +679,7 @@ static int i2c_device_probe(struct devic
+ if (wakeirq > 0 && wakeirq != client->irq)
+ status = dev_pm_set_dedicated_wake_irq(dev, wakeirq);
+ else if (client->irq > 0)
+- status = dev_pm_set_wake_irq(dev, wakeirq);
++ status = dev_pm_set_wake_irq(dev, client->irq);
+ else
+ status = 0;
+
--- /dev/null
+From bba61f50f76574ca5b84b310925be7c2e8e64275 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sun, 27 Sep 2015 16:57:08 +0200
+Subject: i2c: mv64xxx: The n clockdiv factor is 0 based on sunxi SoCs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit bba61f50f76574ca5b84b310925be7c2e8e64275 upstream.
+
+According to the datasheets the n factor for dividing the tclk is
+2 to the power n on Allwinner SoCs, not 2 to the power n + 1 as it is
+on other mv64xxx implementations.
+
+I've contacted Allwinner about this and they have confirmed that the
+datasheet is correct.
+
+This commit fixes the clk-divider calculations for Allwinner SoCs
+accordingly.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Tested-by: Olliver Schinagl <oliver@schinagl.nl>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-mv64xxx.c | 27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-mv64xxx.c
++++ b/drivers/i2c/busses/i2c-mv64xxx.c
+@@ -146,6 +146,8 @@ struct mv64xxx_i2c_data {
+ bool errata_delay;
+ struct reset_control *rstc;
+ bool irq_clear_inverted;
++ /* Clk div is 2 to the power n, not 2 to the power n + 1 */
++ bool clk_n_base_0;
+ };
+
+ static struct mv64xxx_i2c_regs mv64xxx_i2c_regs_mv64xxx = {
+@@ -757,25 +759,29 @@ MODULE_DEVICE_TABLE(of, mv64xxx_i2c_of_m
+ #ifdef CONFIG_OF
+ #ifdef CONFIG_HAVE_CLK
+ static int
+-mv64xxx_calc_freq(const int tclk, const int n, const int m)
++mv64xxx_calc_freq(struct mv64xxx_i2c_data *drv_data,
++ const int tclk, const int n, const int m)
+ {
+- return tclk / (10 * (m + 1) * (2 << n));
++ if (drv_data->clk_n_base_0)
++ return tclk / (10 * (m + 1) * (1 << n));
++ else
++ return tclk / (10 * (m + 1) * (2 << n));
+ }
+
+ static bool
+-mv64xxx_find_baud_factors(const u32 req_freq, const u32 tclk, u32 *best_n,
+- u32 *best_m)
++mv64xxx_find_baud_factors(struct mv64xxx_i2c_data *drv_data,
++ const u32 req_freq, const u32 tclk)
+ {
+ int freq, delta, best_delta = INT_MAX;
+ int m, n;
+
+ for (n = 0; n <= 7; n++)
+ for (m = 0; m <= 15; m++) {
+- freq = mv64xxx_calc_freq(tclk, n, m);
++ freq = mv64xxx_calc_freq(drv_data, tclk, n, m);
+ delta = req_freq - freq;
+ if (delta >= 0 && delta < best_delta) {
+- *best_m = m;
+- *best_n = n;
++ drv_data->freq_m = m;
++ drv_data->freq_n = n;
+ best_delta = delta;
+ }
+ if (best_delta == 0)
+@@ -813,8 +819,11 @@ mv64xxx_of_config(struct mv64xxx_i2c_dat
+ if (of_property_read_u32(np, "clock-frequency", &bus_freq))
+ bus_freq = 100000; /* 100kHz by default */
+
+- if (!mv64xxx_find_baud_factors(bus_freq, tclk,
+- &drv_data->freq_n, &drv_data->freq_m)) {
++ if (of_device_is_compatible(np, "allwinner,sun4i-a10-i2c") ||
++ of_device_is_compatible(np, "allwinner,sun6i-a31-i2c"))
++ drv_data->clk_n_base_0 = true;
++
++ if (!mv64xxx_find_baud_factors(drv_data, bus_freq, tclk)) {
+ rc = -EINVAL;
+ goto out;
+ }
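Review bot: The `of_device_is_compatible()` pair in mv64xxx_of_config() repeats compatible strings that the driver's OF match table presumably already lists (the table is outside the hunk; only `MODULE_DEVICE_TABLE(of, ...)` shows in a hunk header). A future Allwinner variant added to the table but not here would silently keep the `2 << n` divider and run the bus at the wrong rate. Setting `clk_n_base_0` in the same place as the other per-variant settings such as `irq_clear_inverted` would keep the decision in one spot. Separately, mv64xxx_calc_freq() only reads `drv_data`, so its first parameter can be `const struct mv64xxx_i2c_data *drv_data`.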
--- /dev/null
+From b4cd08aa1f53c831e67dc5c6bc9f9acff27abcba Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Wed, 16 Dec 2015 20:05:18 +0100
+Subject: i2c: rcar: disable runtime PM correctly in slave mode
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+commit b4cd08aa1f53c831e67dc5c6bc9f9acff27abcba upstream.
+
+When we also are I2C slave, we need to disable runtime PM because the
+address detection mechanism needs to be active all the time. However, we
+can reenable runtime PM once the slave instance was unregistered. So,
+use pm_runtime_get_sync/put to achieve this, since it has proper
+refcounting. pm_runtime_allow/forbid is like a global knob controllable
+from userspace which is unsuitable here.
+
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-rcar.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-rcar.c
++++ b/drivers/i2c/busses/i2c-rcar.c
+@@ -575,7 +575,7 @@ static int rcar_reg_slave(struct i2c_cli
+ if (slave->flags & I2C_CLIENT_TEN)
+ return -EAFNOSUPPORT;
+
+- pm_runtime_forbid(rcar_i2c_priv_to_dev(priv));
++ pm_runtime_get_sync(rcar_i2c_priv_to_dev(priv));
+
+ priv->slave = slave;
+ rcar_i2c_write(priv, ICSAR, slave->addr);
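Review bot: The return value of `pm_runtime_get_sync()` is ignored in rcar_reg_slave(), so if the resume fails the following `rcar_i2c_write(priv, ICSAR, slave->addr)` and the rest of the slave setup run against a device that may not be powered. Checking the result and dropping the usage count with `pm_runtime_put_noidle()` before returning the error keeps the reference balanced with the `pm_runtime_put()` in rcar_unreg_slave(). This needs a local `int ret` in the function, whose start is outside the hunk.

```c
	/* … unchanged: I2C_CLIENT_TEN check … */
	ret = pm_runtime_get_sync(rcar_i2c_priv_to_dev(priv));
	if (ret < 0) {
		/* get_sync raises the usage count even when the resume fails */
		pm_runtime_put_noidle(rcar_i2c_priv_to_dev(priv));
		return ret;
	}

	priv->slave = slave;
```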
+@@ -597,7 +597,7 @@ static int rcar_unreg_slave(struct i2c_c
+
+ priv->slave = NULL;
+
+- pm_runtime_allow(rcar_i2c_priv_to_dev(priv));
++ pm_runtime_put(rcar_i2c_priv_to_dev(priv));
+
+ return 0;
+ }
--- /dev/null
+From 9abd29e7c13de24ce73213a425d9574b35ac0c6a Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa@the-dreams.de>
+Date: Wed, 25 Nov 2015 16:58:18 +0100
+Subject: i2c: rk3x: populate correct variable for sda_falling_time
+
+From: Wolfram Sang <wsa@the-dreams.de>
+
+commit 9abd29e7c13de24ce73213a425d9574b35ac0c6a upstream.
+
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-rk3x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-rk3x.c
++++ b/drivers/i2c/busses/i2c-rk3x.c
+@@ -907,7 +907,7 @@ static int rk3x_i2c_probe(struct platfor
+ &i2c->scl_fall_ns))
+ i2c->scl_fall_ns = 300;
+ if (of_property_read_u32(pdev->dev.of_node, "i2c-sda-falling-time-ns",
+- &i2c->scl_fall_ns))
++ &i2c->sda_fall_ns))
+ i2c->sda_fall_ns = i2c->scl_fall_ns;
+
+ strlcpy(i2c->adap.name, "rk3x-i2c", sizeof(i2c->adap.name));
--- /dev/null
+From 72e1eed8abb11c79749266d433c817ce36732893 Mon Sep 17 00:00:00 2001
+From: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
+Date: Thu, 10 Sep 2015 22:06:15 +0300
+Subject: integrity: prevent loading untrusted certificates on the IMA trusted keyring
+
+From: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
+
+commit 72e1eed8abb11c79749266d433c817ce36732893 upstream.
+
+If IMA_LOAD_X509 is enabled, either directly or indirectly via
+IMA_APPRAISE_SIGNED_INIT, certificates are loaded onto the IMA
+trusted keyring by the kernel via key_create_or_update(). When
+the KEY_ALLOC_TRUSTED flag is provided, certificates are loaded
+without first verifying the certificate is properly signed by a
+trusted key on the system keyring. This patch removes the
+KEY_ALLOC_TRUSTED flag.
+
+Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/digsig.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/integrity/digsig.c
++++ b/security/integrity/digsig.c
+@@ -105,7 +105,7 @@ int __init integrity_load_x509(const uns
+ rc,
+ ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ KEY_USR_VIEW | KEY_USR_READ),
+- KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_TRUSTED);
++ KEY_ALLOC_NOT_IN_QUOTA);
+ if (IS_ERR(key)) {
+ rc = PTR_ERR(key);
+ pr_err("Problem loading X.509 certificate (%d): %s\n",
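Review bot: The flags argument `KEY_ALLOC_NOT_IN_QUOTA` in integrity_load_x509() now carries a security decision that nothing at the call site explains. Per the commit message, passing KEY_ALLOC_TRUSTED here let a certificate onto the IMA trusted keyring without checking that it is signed by a key on the system keyring. A one-line comment above the argument, for example `/* no KEY_ALLOC_TRUSTED: the cert must verify against the system keyring */`, would stop the flag from being re-added as a cleanup. With the flag gone, a certificate that does not chain to a trusted key will presumably end up in the `IS_ERR(key)` branch, so it is worth confirming that the `pr_err` text there lets an operator tell a rejected certificate from a malformed one. The function starts and ends outside the hunk.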
--- /dev/null
+From 33d14975e5ac469963d5d63856b61698ad0bff07 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.com>
+Date: Sat, 17 Oct 2015 22:35:09 -0400
+Subject: jbd2: fix checkpoint list cleanup
+
+From: Jan Kara <jack@suse.com>
+
+commit 33d14975e5ac469963d5d63856b61698ad0bff07 upstream.
+
+Unlike comments and expectation of callers journal_clean_one_cp_list()
+returned 1 not only if it freed the transaction but also if it freed
+some buffers in the transaction. That could make
+__jbd2_journal_clean_checkpoint_list() skip processing
+t_checkpoint_io_list and continue with processing the next transaction.
+This is mostly a cosmetic issue since the only result is we can
+sometimes free less memory than we could. But it's still worth fixing.
+Fix journal_clean_one_cp_list() to return 1 only if the transaction was
+really freed.
+
+Fixes: 50849db32a9f529235a84bcc84a6b8e631b1d0ec
+Signed-off-by: Jan Kara <jack@suse.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/checkpoint.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/fs/jbd2/checkpoint.c
++++ b/fs/jbd2/checkpoint.c
+@@ -427,7 +427,6 @@ static int journal_clean_one_cp_list(str
+ struct journal_head *last_jh;
+ struct journal_head *next_jh = jh;
+ int ret;
+- int freed = 0;
+
+ if (!jh)
+ return 0;
+@@ -441,10 +440,9 @@ static int journal_clean_one_cp_list(str
+ else
+ ret = __jbd2_journal_remove_checkpoint(jh) + 1;
+ if (!ret)
+- return freed;
++ return 0;
+ if (ret == 2)
+ return 1;
+- freed = 1;
+ /*
+ * This function only frees up some memory
+ * if possible so we dont have an obligation
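Review bot: The return convention of journal_clean_one_cp_list() is now carried only by the bare constants in `if (ret == 2) return 1;`, and the `freed` variable that hinted at the meaning is gone. A short comment on that line, such as `/* ret == 2: the checkpoint transaction itself was released */`, would record the contract the commit message describes (1 only when the transaction was freed, 0 otherwise). The function comment that callers rely on is outside the hunk, so it should be checked that it states the same thing.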
+@@ -452,10 +450,10 @@ static int journal_clean_one_cp_list(str
+ * requested:
+ */
+ if (need_resched())
+- return freed;
++ return 0;
+ } while (jh != last_jh);
+
+- return freed;
++ return 0;
+ }
+
+ /*
--- /dev/null
+From 087ffd4eae9929afd06f6a709861df3c3508492a Mon Sep 17 00:00:00 2001
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Fri, 4 Dec 2015 12:29:28 -0500
+Subject: jbd2: fix null committed data return in undo_access
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+commit 087ffd4eae9929afd06f6a709861df3c3508492a upstream.
+
+introduced jbd2_write_access_granted() to improve write|undo_access
+speed, but missed to check the status of b_committed_data which caused
+a kernel panic on ocfs2.
+
+[ 6538.405938] ------------[ cut here ]------------
+[ 6538.406686] kernel BUG at fs/ocfs2/suballoc.c:2400!
+[ 6538.406686] invalid opcode: 0000 [#1] SMP
+[ 6538.406686] Modules linked in: ocfs2 nfsd lockd grace nfs_acl auth_rpcgss sunrpc autofs4 ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs sd_mod sg ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi cxgb3 mdio ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr ipv6 iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ppdev xen_kbdfront xen_netfront xen_fbfront parport_pc parport pcspkr i2c_piix4 acpi_cpufreq ext4 jbd2 mbcache xen_blkfront floppy pata_acpi ata_generic ata_piix cirrus ttm drm_kms_helper drm fb_sys_fops sysimgblt sysfillrect i2c_core syscopyarea dm_mirror dm_region_hash dm_log dm_mod
+[ 6538.406686] CPU: 1 PID: 16265 Comm: mmap_truncate Not tainted 4.3.0 #1
+[ 6538.406686] Hardware name: Xen HVM domU, BIOS 4.3.1OVM 05/14/2014
+[ 6538.406686] task: ffff88007c2bab00 ti: ffff880075b78000 task.ti: ffff880075b78000
+[ 6538.406686] RIP: 0010:[<ffffffffa06a286b>] [<ffffffffa06a286b>] ocfs2_block_group_clear_bits+0x23b/0x250 [ocfs2]
+[ 6538.406686] RSP: 0018:ffff880075b7b7f8 EFLAGS: 00010246
+[ 6538.406686] RAX: ffff8800760c5b40 RBX: ffff88006c06a000 RCX: ffffffffa06e6df0
+[ 6538.406686] RDX: 0000000000000000 RSI: ffff88007a6f6ea0 RDI: ffff88007a760430
+[ 6538.406686] RBP: ffff880075b7b878 R08: 0000000000000002 R09: 0000000000000001
+[ 6538.406686] R10: ffffffffa06769be R11: 0000000000000000 R12: 0000000000000001
+[ 6538.406686] R13: ffffffffa06a1750 R14: 0000000000000001 R15: ffff88007a6f6ea0
+[ 6538.406686] FS: 00007f17fde30720(0000) GS:ffff88007f040000(0000) knlGS:0000000000000000
+[ 6538.406686] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 6538.406686] CR2: 0000000000601730 CR3: 000000007aea0000 CR4: 00000000000406e0
+[ 6538.406686] Stack:
+[ 6538.406686] ffff88007c2bb5b0 ffff880075b7b8e0 ffff88007a7604b0 ffff88006c640800
+[ 6538.406686] ffff88007a7604b0 ffff880075d77390 0000000075b7b878 ffffffffa06a309d
+[ 6538.406686] ffff880075d752d8 ffff880075b7b990 ffff880075b7b898 0000000000000000
+[ 6538.406686] Call Trace:
+[ 6538.406686] [<ffffffffa06a309d>] ? ocfs2_read_group_descriptor+0x6d/0xa0 [ocfs2]
+[ 6538.406686] [<ffffffffa06a3654>] _ocfs2_free_suballoc_bits+0xe4/0x320 [ocfs2]
+[ 6538.406686] [<ffffffffa06a1750>] ? ocfs2_put_slot+0xf0/0xf0 [ocfs2]
+[ 6538.406686] [<ffffffffa06a397e>] _ocfs2_free_clusters+0xee/0x210 [ocfs2]
+[ 6538.406686] [<ffffffffa06a1750>] ? ocfs2_put_slot+0xf0/0xf0 [ocfs2]
+[ 6538.406686] [<ffffffffa06a1750>] ? ocfs2_put_slot+0xf0/0xf0 [ocfs2]
+[ 6538.406686] [<ffffffffa0682d50>] ? ocfs2_extend_trans+0x50/0x1a0 [ocfs2]
+[ 6538.406686] [<ffffffffa06a3ad5>] ocfs2_free_clusters+0x15/0x20 [ocfs2]
+[ 6538.406686] [<ffffffffa065072c>] ocfs2_replay_truncate_records+0xfc/0x290 [ocfs2]
+[ 6538.406686] [<ffffffffa06843ac>] ? ocfs2_start_trans+0xec/0x1d0 [ocfs2]
+[ 6538.406686] [<ffffffffa0654600>] __ocfs2_flush_truncate_log+0x140/0x2d0 [ocfs2]
+[ 6538.406686] [<ffffffffa0654394>] ? ocfs2_reserve_blocks_for_rec_trunc.clone.0+0x44/0x170 [ocfs2]
+[ 6538.406686] [<ffffffffa065acd4>] ocfs2_remove_btree_range+0x374/0x630 [ocfs2]
+[ 6538.406686] [<ffffffffa017486b>] ? jbd2_journal_stop+0x25b/0x470 [jbd2]
+[ 6538.406686] [<ffffffffa065d5b5>] ocfs2_commit_truncate+0x305/0x670 [ocfs2]
+[ 6538.406686] [<ffffffffa0683430>] ? ocfs2_journal_access_eb+0x20/0x20 [ocfs2]
+[ 6538.406686] [<ffffffffa067adb7>] ocfs2_truncate_file+0x297/0x380 [ocfs2]
+[ 6538.406686] [<ffffffffa01759e4>] ? jbd2_journal_begin_ordered_truncate+0x64/0xc0 [jbd2]
+[ 6538.406686] [<ffffffffa067c7a2>] ocfs2_setattr+0x572/0x860 [ocfs2]
+[ 6538.406686] [<ffffffff810e4a3f>] ? current_fs_time+0x3f/0x50
+[ 6538.406686] [<ffffffff812124b7>] notify_change+0x1d7/0x340
+[ 6538.406686] [<ffffffff8121abf9>] ? generic_getxattr+0x79/0x80
+[ 6538.406686] [<ffffffff811f5876>] do_truncate+0x66/0x90
+[ 6538.406686] [<ffffffff81120e30>] ? __audit_syscall_entry+0xb0/0x110
+[ 6538.406686] [<ffffffff811f5bb3>] do_sys_ftruncate.clone.0+0xf3/0x120
+[ 6538.406686] [<ffffffff811f5bee>] SyS_ftruncate+0xe/0x10
+[ 6538.406686] [<ffffffff816aa2ae>] entry_SYSCALL_64_fastpath+0x12/0x71
+[ 6538.406686] Code: 28 48 81 ee b0 04 00 00 48 8b 92 50 fb ff ff 48 8b 80 b0 03 00 00 48 39 90 88 00 00 00 0f 84 30 fe ff ff 0f 0b eb fe 0f 0b eb fe <0f> 0b 0f 1f 00 eb fb 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00
+[ 6538.406686] RIP [<ffffffffa06a286b>] ocfs2_block_group_clear_bits+0x23b/0x250 [ocfs2]
+[ 6538.406686] RSP <ffff880075b7b7f8>
+[ 6538.691128] ---[ end trace 31cd7011d6770d7e ]---
+[ 6538.694492] Kernel panic - not syncing: Fatal exception
+[ 6538.695484] Kernel Offset: disabled
+
+Fixes: de92c8caf16c("jbd2: speedup jbd2_journal_get_[write|undo]_access()")
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/transaction.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -1009,7 +1009,8 @@ out:
+ }
+
+ /* Fast check whether buffer is already attached to the required transaction */
+-static bool jbd2_write_access_granted(handle_t *handle, struct buffer_head *bh)
++static bool jbd2_write_access_granted(handle_t *handle, struct buffer_head *bh,
++ bool undo)
+ {
+ struct journal_head *jh;
+ bool ret = false;
+@@ -1036,6 +1037,9 @@ static bool jbd2_write_access_granted(ha
+ jh = READ_ONCE(bh->b_private);
+ if (!jh)
+ goto out;
++ /* For undo access buffer must have data copied */
++ if (undo && !jh->b_committed_data)
++ goto out;
+ if (jh->b_transaction != handle->h_transaction &&
+ jh->b_next_transaction != handle->h_transaction)
+ goto out;
+@@ -1073,7 +1077,7 @@ int jbd2_journal_get_write_access(handle
+ struct journal_head *jh;
+ int rc;
+
+- if (jbd2_write_access_granted(handle, bh))
++ if (jbd2_write_access_granted(handle, bh, false))
+ return 0;
+
+ jh = jbd2_journal_add_journal_head(bh);
+@@ -1210,7 +1214,7 @@ int jbd2_journal_get_undo_access(handle_
+ char *committed_data = NULL;
+
+ JBUFFER_TRACE(jh, "entry");
+- if (jbd2_write_access_granted(handle, bh))
++ if (jbd2_write_access_granted(handle, bh, true))
+ return 0;
+
+ jh = jbd2_journal_add_journal_head(bh);
--- /dev/null
+From bc23f0c8d7ccd8d924c4e70ce311288cb3e61ea8 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 24 Nov 2015 15:34:35 -0500
+Subject: jbd2: Fix unreclaimed pages after truncate in data=journal mode
+
+From: Jan Kara <jack@suse.cz>
+
+commit bc23f0c8d7ccd8d924c4e70ce311288cb3e61ea8 upstream.
+
+Ted and Namjae have reported that truncated pages don't get timely
+reclaimed after being truncated in data=journal mode. The following test
+triggers the issue easily:
+
+for (i = 0; i < 1000; i++) {
+ pwrite(fd, buf, 1024*1024, 0);
+ fsync(fd);
+ fsync(fd);
+ ftruncate(fd, 0);
+}
+
+The reason is that journal_unmap_buffer() finds that truncated buffers
+are not journalled (jh->b_transaction == NULL), they are part of
+checkpoint list of a transaction (jh->b_cp_transaction != NULL) and have
+been already written out (!buffer_dirty(bh)). We clean such buffers but
+we leave them in the checkpoint list. Since checkpoint transaction holds
+a reference to the journal head, these buffers cannot be released until
+the checkpoint transaction is cleaned up. And at that point we don't
+call release_buffer_page() anymore so pages detached from mapping are
+lingering in the system waiting for reclaim to find them and free them.
+
+Fix the problem by removing buffers from transaction checkpoint lists
+when journal_unmap_buffer() finds out they don't have to be there
+anymore.
+
+Reported-and-tested-by: Namjae Jeon <namjae.jeon@samsung.com>
+Fixes: de1b794130b130e77ffa975bb58cb843744f9ae5
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/transaction.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -2152,6 +2152,7 @@ static int journal_unmap_buffer(journal_
+
+ if (!buffer_dirty(bh)) {
+ /* bdflush has written it. We can drop it now */
++ __jbd2_journal_remove_checkpoint(jh);
+ goto zap_buffer;
+ }
+
+@@ -2181,6 +2182,7 @@ static int journal_unmap_buffer(journal_
+ /* The orphan record's transaction has
+ * committed. We can cleanse this buffer */
+ clear_buffer_jbddirty(bh);
++ __jbd2_journal_remove_checkpoint(jh);
+ goto zap_buffer;
+ }
+ }
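Review bot: The two new `__jbd2_journal_remove_checkpoint(jh)` calls in journal_unmap_buffer() discard the helper's return value and sit under comments that still only talk about dropping or cleansing the buffer. The hunks do not show which locks are held or whether `jh->b_cp_transaction` is known to be set at either site, so that context should be stated next to each call, e.g. `/* still on a checkpoint list; unlink it (j_list_lock held) so the page can be freed */`, after confirming the lock state against the full function. journal_unmap_buffer() starts and ends outside both hunks.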
--- /dev/null
+From 329d88da4df9a96da43018aceabd3a06e6a7e7ae Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javier@osg.samsung.com>
+Date: Wed, 27 Jan 2016 12:03:23 -0200
+Subject: [media] media: i2c: Don't export ir-kbd-i2c module alias
+
+From: Javier Martinez Canillas <javier@osg.samsung.com>
+
+commit 329d88da4df9a96da43018aceabd3a06e6a7e7ae upstream.
+
+This is a partial revert of commit ed8d1cf07cb16d ("[media] Export I2C
+module alias information in missing drivers") that exported the module
+aliases for the I2C drivers that were missing to make autoload to work.
+
+But there is a bug report [0] that auto load of the ir-kbd-i2c driver
+cause the Hauppauge HD-PVR driver to not behave correctly.
+
+This is a hdpvr latent bug that was just exposed by ir-kbd-i2c module
+autoloading working and will also happen if the I2C driver is built-in
+or a user calls modprobe to load the module and register the driver.
+
+But there is a regression experimented by users so until the real bug
+is fixed, let's not export the module alias for the ir-kbd-i2c driver
+even when this just masks the actual issue.
+
+[0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810726
+
+Fixes: ed8d1cf07cb1 ("[media] Export I2C module alias information in missing drivers")
+
+Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/i2c/ir-kbd-i2c.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/media/i2c/ir-kbd-i2c.c
++++ b/drivers/media/i2c/ir-kbd-i2c.c
+@@ -478,7 +478,6 @@ static const struct i2c_device_id ir_kbd
+ { "ir_rx_z8f0811_hdpvr", 0 },
+ { }
+ };
+-MODULE_DEVICE_TABLE(i2c, ir_kbd_id);
+
+ static struct i2c_driver ir_kbd_driver = {
+ .driver = {
--- /dev/null
+From a8077734055f870ba630563868a6349671ca8dfc Mon Sep 17 00:00:00 2001
+From: Benoit Parrot <bparrot@ti.com>
+Date: Mon, 21 Sep 2015 13:03:21 -0300
+Subject: [media] media: v4l2-ctrls: Fix 64bit support in get_ctrl()
+
+From: Benoit Parrot <bparrot@ti.com>
+
+commit a8077734055f870ba630563868a6349671ca8dfc upstream.
+
+When trying to use v4l2_ctrl_g_ctrl_int64() to retrieve a
+V4L2_CTRL_TYPE_INTEGER64 type value the internal helper function
+get_ctrl() would prematurely exit because for this control type
+the 'is_int' flag is not set. This would result in v4l2_ctrl_g_ctrl_int64
+always returning 0.
+
+Also v4l2_ctrl_g_ctrl_int64() is reading and returning the 32bit value
+member instead of the 64bit version, so fixing that as well.
+
+This patch extends the condition check to allow the V4L2_CTRL_TYPE_INTEGER64
+type to continue processing instead of exiting.
+
+Signed-off-by: Benoit Parrot <bparrot@ti.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/v4l2-ctrls.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-ctrls.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls.c
+@@ -2884,7 +2884,7 @@ static int get_ctrl(struct v4l2_ctrl *ct
+ * cur_to_user() calls below would need to be modified not to access
+ * userspace memory when called from get_ctrl().
+ */
+- if (!ctrl->is_int)
++ if (!ctrl->is_int && ctrl->type != V4L2_CTRL_TYPE_INTEGER64)
+ return -EINVAL;
+
+ if (ctrl->flags & V4L2_CTRL_FLAG_WRITE_ONLY)
+@@ -2942,9 +2942,9 @@ s64 v4l2_ctrl_g_ctrl_int64(struct v4l2_c
+
+ /* It's a driver bug if this happens. */
+ WARN_ON(ctrl->is_ptr || ctrl->type != V4L2_CTRL_TYPE_INTEGER64);
+- c.value = 0;
++ c.value64 = 0;
+ get_ctrl(ctrl, &c);
+- return c.value;
++ return c.value64;
+ }
+ EXPORT_SYMBOL(v4l2_ctrl_g_ctrl_int64);
+
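Review bot: v4l2_ctrl_g_ctrl_int64() still ignores the result of `get_ctrl(ctrl, &c)`, so when get_ctrl() takes its early `return -EINVAL` exit the caller receives the preset 0 and cannot tell it from a real control value. WARN_ON() only logs the driver-bug case and the call goes ahead regardless. Since the s64 return cannot carry an error, the least intrusive step is to document it above the function: `/* Returns 0 if the control cannot be read; callers cannot distinguish this from a stored value of 0. */`. The comment ahead of the changed check in get_ctrl() begins outside the hunk and may also need to say that 64-bit integer controls are now accepted.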
--- /dev/null
+From 759b26a1d916400a1a20948eb964dea6ad0bd9e9 Mon Sep 17 00:00:00 2001
+From: Antonio Ospite <ao2@ao2.it>
+Date: Wed, 14 Oct 2015 10:57:32 -0300
+Subject: [media] media/v4l2-ctrls: fix setting autocluster to manual with VIDIOC_S_CTRL
+
+From: Antonio Ospite <ao2@ao2.it>
+
+commit 759b26a1d916400a1a20948eb964dea6ad0bd9e9 upstream.
+
+Since commit 5d0360a4f027576e5419d4a7c711c9ca0f1be8ca it's not possible
+anymore to set auto clusters from auto to manual using VIDIOC_S_CTRL.
+
+For example, setting autogain to manual with gspca/ov534 driver and this
+sequence of commands does not work:
+
+ v4l2-ctl --set-ctrl=gain_automatic=1
+ v4l2-ctl --list-ctrls | grep gain_automatic
+ # The following does not work
+ v4l2-ctl --set-ctrl=gain_automatic=0
+ v4l2-ctl --list-ctrls | grep gain_automatic
+
+Changing the value using VIDIOC_S_EXT_CTRLS (like qv4l2 does) works
+fine.
+
+The apparent cause by looking at the changes in 5d0360a and comparing
+with the code path for VIDIOC_S_EXT_CTRLS seems to be that the code in
+v4l2-ctrls.c::set_ctrl() is not calling user_to_new() anymore after
+calling update_from_auto_cluster(master).
+
+However the root cause of the problem is that calling
+update_from_auto_cluster(master) overrides also the _master_ control
+state calling cur_to_new() while it was supposed to only update the
+volatile controls.
+
+Calling user_to_new() after update_from_auto_cluster(master) was just
+masking the original bug by restoring the correct new value of the
+master control before making the changes permanent.
+
+Fix the original bug by making update_from_auto_cluster() not override
+the new master control value.
+
+Signed-off-by: Antonio Ospite <ao2@ao2.it>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/v4l2-ctrls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/v4l2-ctrls.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls.c
+@@ -3043,7 +3043,7 @@ static void update_from_auto_cluster(str
+ {
+ int i;
+
+- for (i = 0; i < master->ncontrols; i++)
++ for (i = 1; i < master->ncontrols; i++)
+ cur_to_new(master->cluster[i]);
+ if (!call_op(master, g_volatile_ctrl))
+ for (i = 1; i < master->ncontrols; i++)
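Review bot: The first loop in update_from_auto_cluster() now starts at `i = 1` with nothing in the code saying why index 0 is skipped, which invites a later "off-by-one" cleanup that would bring the regression back. Going by the commit message, `master->cluster[0]` is presumably the master control itself; a comment such as `/* skip cluster[0] (the master): its new value was set by the caller and must survive */` above the loop would record that. The function continues past the end of the hunk.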
--- /dev/null
+From d9a985883fa32453d099d6293188c11d75cef1fa Mon Sep 17 00:00:00 2001
+From: Tiffany Lin <tiffany.lin@mediatek.com>
+Date: Thu, 24 Sep 2015 06:02:36 -0300
+Subject: [media] media: vb2 dma-contig: Fully cache synchronise buffers in prepare and finish
+
+From: Tiffany Lin <tiffany.lin@mediatek.com>
+
+commit d9a985883fa32453d099d6293188c11d75cef1fa upstream.
+
+In videobuf2 dma-contig memory type the prepare and finish ops, instead of
+passing the number of entries in the original scatterlist as the "nents"
+parameter to dma_sync_sg_for_device() and dma_sync_sg_for_cpu(), the value
+returned by dma_map_sg() was used. Albeit this has been suggested in
+comments of some implementations (which have since been corrected), this
+is wrong.
+
+Fixes: 199d101efdba ("v4l: vb2-dma-contig: add prepare/finish to dma-contig allocator")
+
+Signed-off-by: Tiffany Lin <tiffany.lin@mediatek.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/videobuf2-dma-contig.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-dma-contig.c
++++ b/drivers/media/v4l2-core/videobuf2-dma-contig.c
+@@ -100,7 +100,8 @@ static void vb2_dc_prepare(void *buf_pri
+ if (!sgt || buf->db_attach)
+ return;
+
+- dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir);
++ dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->orig_nents,
++ buf->dma_dir);
+ }
+
+ static void vb2_dc_finish(void *buf_priv)
+@@ -112,7 +113,7 @@ static void vb2_dc_finish(void *buf_priv
+ if (!sgt || buf->db_attach)
+ return;
+
+- dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir);
++ dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->orig_nents, buf->dma_dir);
+ }
+
+ /*********************************************/
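Review bot: Nothing at the `dma_sync_sg_for_device()` and `dma_sync_sg_for_cpu()` calls in vb2_dc_prepare() and vb2_dc_finish() explains why `sgt->orig_nents` is passed rather than `sgt->nents`, and the commit message notes that the wrong choice was once recommended in comments elsewhere. A one-line comment at each call, e.g. `/* sync takes the entry count given to dma_map_sg(), not the count it returned */`, would keep the fix from being reverted by accident. The same applies to vb2_dma_sg_prepare() and vb2_dma_sg_finish() in the videobuf2-dma-sg.c patch that follows.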
--- /dev/null
+From 418dae2276065680bde7ae27d2c075e612a54de6 Mon Sep 17 00:00:00 2001
+From: Tiffany Lin <tiffany.lin@mediatek.com>
+Date: Thu, 24 Sep 2015 06:02:36 -0300
+Subject: [media] media: vb2 dma-sg: Fully cache synchronise buffers in prepare and finish
+
+From: Tiffany Lin <tiffany.lin@mediatek.com>
+
+commit 418dae2276065680bde7ae27d2c075e612a54de6 upstream.
+
+In videobuf2 dma-sg memory types the prepare and finish ops, instead
+of passing the number of entries in the original scatterlist as the
+"nents" parameter to dma_sync_sg_for_device() and dma_sync_sg_for_cpu(),
+the value returned by dma_map_sg() was used. Albeit this has been
+suggested in comments of some implementations (which have since been
+corrected), this is wrong.
+
+Fixes: d790b7eda953 ("vb2-dma-sg: move dma_(un)map_sg here")
+
+Signed-off-by: Tiffany Lin <tiffany.lin@mediatek.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/videobuf2-dma-sg.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-dma-sg.c
++++ b/drivers/media/v4l2-core/videobuf2-dma-sg.c
+@@ -210,7 +210,8 @@ static void vb2_dma_sg_prepare(void *buf
+ if (buf->db_attach)
+ return;
+
+- dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir);
++ dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->orig_nents,
++ buf->dma_dir);
+ }
+
+ static void vb2_dma_sg_finish(void *buf_priv)
+@@ -222,7 +223,7 @@ static void vb2_dma_sg_finish(void *buf_
+ if (buf->db_attach)
+ return;
+
+- dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir);
++ dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->orig_nents, buf->dma_dir);
+ }
+
+ static void *vb2_dma_sg_get_userptr(void *alloc_ctx, unsigned long vaddr,
--- /dev/null
+From f3c63795e90f0c6238306883b6c72f14d5355721 Mon Sep 17 00:00:00 2001
+From: Brian Norris <computersforpeace@gmail.com>
+Date: Mon, 26 Oct 2015 10:20:23 -0700
+Subject: mtd: blkdevs: fix potential deadlock + lockdep warnings
+
+From: Brian Norris <computersforpeace@gmail.com>
+
+commit f3c63795e90f0c6238306883b6c72f14d5355721 upstream.
+
+Commit 073db4a51ee4 ("mtd: fix: avoid race condition when accessing
+mtd->usecount") fixed a race condition but due to poor ordering of the
+mutex acquisition, introduced a potential deadlock.
+
+The deadlock can occur, for example, when rmmod'ing the m25p80 module, which
+will delete one or more MTDs, along with any corresponding mtdblock
+devices. This could potentially race with an acquisition of the block
+device as follows.
+
+ -> blktrans_open()
+ -> mutex_lock(&dev->lock);
+ -> mutex_lock(&mtd_table_mutex);
+
+ -> del_mtd_device()
+ -> mutex_lock(&mtd_table_mutex);
+ -> blktrans_notify_remove() -> del_mtd_blktrans_dev()
+ -> mutex_lock(&dev->lock);
+
+This is a classic (potential) ABBA deadlock, which can be fixed by
+making the A->B ordering consistent everywhere. There was no real
+purpose to the ordering in the original patch, AFAIR, so this shouldn't
+be a problem. This ordering was actually already present in
+del_mtd_blktrans_dev(), for one, where the function tried to ensure that
+its caller already held mtd_table_mutex before it acquired &dev->lock:
+
+ if (mutex_trylock(&mtd_table_mutex)) {
+ mutex_unlock(&mtd_table_mutex);
+ BUG();
+ }
+
+So, reverse the ordering of acquisition of &dev->lock and &mtd_table_mutex so
+we always acquire mtd_table_mutex first.
+
+Snippets of the lockdep output follow:
+
+ # modprobe -r m25p80
+ [ 53.419251]
+ [ 53.420838] ======================================================
+ [ 53.427300] [ INFO: possible circular locking dependency detected ]
+ [ 53.433865] 4.3.0-rc6 #96 Not tainted
+ [ 53.437686] -------------------------------------------------------
+ [ 53.444220] modprobe/372 is trying to acquire lock:
+ [ 53.449320] (&new->lock){+.+...}, at: [<c043fe4c>] del_mtd_blktrans_dev+0x80/0xdc
+ [ 53.457271]
+ [ 53.457271] but task is already holding lock:
+ [ 53.463372] (mtd_table_mutex){+.+.+.}, at: [<c0439994>] del_mtd_device+0x18/0x100
+ [ 53.471321]
+ [ 53.471321] which lock already depends on the new lock.
+ [ 53.471321]
+ [ 53.479856]
+ [ 53.479856] the existing dependency chain (in reverse order) is:
+ [ 53.487660]
+ -> #1 (mtd_table_mutex){+.+.+.}:
+ [ 53.492331] [<c043fc5c>] blktrans_open+0x34/0x1a4
+ [ 53.497879] [<c01afce0>] __blkdev_get+0xc4/0x3b0
+ [ 53.503364] [<c01b0bb8>] blkdev_get+0x108/0x320
+ [ 53.508743] [<c01713c0>] do_dentry_open+0x218/0x314
+ [ 53.514496] [<c0180454>] path_openat+0x4c0/0xf9c
+ [ 53.519959] [<c0182044>] do_filp_open+0x5c/0xc0
+ [ 53.525336] [<c0172758>] do_sys_open+0xfc/0x1cc
+ [ 53.530716] [<c000f740>] ret_fast_syscall+0x0/0x1c
+ [ 53.536375]
+ -> #0 (&new->lock){+.+...}:
+ [ 53.540587] [<c063f124>] mutex_lock_nested+0x38/0x3cc
+ [ 53.546504] [<c043fe4c>] del_mtd_blktrans_dev+0x80/0xdc
+ [ 53.552606] [<c043f164>] blktrans_notify_remove+0x7c/0x84
+ [ 53.558891] [<c04399f0>] del_mtd_device+0x74/0x100
+ [ 53.564544] [<c043c670>] del_mtd_partitions+0x80/0xc8
+ [ 53.570451] [<c0439aa0>] mtd_device_unregister+0x24/0x48
+ [ 53.576637] [<c046ce6c>] spi_drv_remove+0x1c/0x34
+ [ 53.582207] [<c03de0f0>] __device_release_driver+0x88/0x114
+ [ 53.588663] [<c03de19c>] device_release_driver+0x20/0x2c
+ [ 53.594843] [<c03dd9e8>] bus_remove_device+0xd8/0x108
+ [ 53.600748] [<c03dacc0>] device_del+0x10c/0x210
+ [ 53.606127] [<c03dadd0>] device_unregister+0xc/0x20
+ [ 53.611849] [<c046d878>] __unregister+0x10/0x20
+ [ 53.617211] [<c03da868>] device_for_each_child+0x50/0x7c
+ [ 53.623387] [<c046eae8>] spi_unregister_master+0x58/0x8c
+ [ 53.629578] [<c03e12f0>] release_nodes+0x15c/0x1c8
+ [ 53.635223] [<c03de0f8>] __device_release_driver+0x90/0x114
+ [ 53.641689] [<c03de900>] driver_detach+0xb4/0xb8
+ [ 53.647147] [<c03ddc78>] bus_remove_driver+0x4c/0xa0
+ [ 53.652970] [<c00cab50>] SyS_delete_module+0x11c/0x1e4
+ [ 53.658976] [<c000f740>] ret_fast_syscall+0x0/0x1c
+ [ 53.664621]
+ [ 53.664621] other info that might help us debug this:
+ [ 53.664621]
+ [ 53.672979] Possible unsafe locking scenario:
+ [ 53.672979]
+ [ 53.679169] CPU0 CPU1
+ [ 53.683900] ---- ----
+ [ 53.688633] lock(mtd_table_mutex);
+ [ 53.692383] lock(&new->lock);
+ [ 53.698306] lock(mtd_table_mutex);
+ [ 53.704658] lock(&new->lock);
+ [ 53.707946]
+ [ 53.707946] *** DEADLOCK ***
+
+Fixes: 073db4a51ee4 ("mtd: fix: avoid race condition when accessing mtd->usecount")
+Reported-by: Felipe Balbi <balbi@ti.com>
+Tested-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/mtd_blkdevs.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/mtd/mtd_blkdevs.c
++++ b/drivers/mtd/mtd_blkdevs.c
+@@ -192,8 +192,8 @@ static int blktrans_open(struct block_de
+ if (!dev)
+ return -ERESTARTSYS; /* FIXME: busy loop! -arnd*/
+
+- mutex_lock(&dev->lock);
+ mutex_lock(&mtd_table_mutex);
++ mutex_lock(&dev->lock);
+
+ if (dev->open)
+ goto unlock;
+@@ -217,8 +217,8 @@ static int blktrans_open(struct block_de
+
+ unlock:
+ dev->open++;
+- mutex_unlock(&mtd_table_mutex);
+ mutex_unlock(&dev->lock);
++ mutex_unlock(&mtd_table_mutex);
+ blktrans_dev_put(dev);
+ return ret;
+
+@@ -228,8 +228,8 @@ error_release:
+ error_put:
+ module_put(dev->tr->owner);
+ kref_put(&dev->ref, blktrans_dev_release);
+- mutex_unlock(&mtd_table_mutex);
+ mutex_unlock(&dev->lock);
++ mutex_unlock(&mtd_table_mutex);
+ blktrans_dev_put(dev);
+ return ret;
+ }
+@@ -241,8 +241,8 @@ static void blktrans_release(struct gend
+ if (!dev)
+ return;
+
+- mutex_lock(&dev->lock);
+ mutex_lock(&mtd_table_mutex);
++ mutex_lock(&dev->lock);
+
+ if (--dev->open)
+ goto unlock;
+@@ -256,8 +256,8 @@ static void blktrans_release(struct gend
+ __put_mtd_device(dev->mtd);
+ }
+ unlock:
+- mutex_unlock(&mtd_table_mutex);
+ mutex_unlock(&dev->lock);
++ mutex_unlock(&mtd_table_mutex);
+ blktrans_dev_put(dev);
+ }
+
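Review bot: The lock order this fix depends on, `mtd_table_mutex` before `dev->lock`, is not written down anywhere in the changed code, so blktrans_open() and blktrans_release() can drift apart again without anyone noticing until lockdep fires. A comment at the first acquisition in each function, e.g. `/* Lock order: mtd_table_mutex, then dev->lock (matches del_mtd_blktrans_dev()) */`, would make the invariant reviewable. Both functions begin outside their hunks, so any other path that takes `dev->lock` first would need checking against the full file.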
--- /dev/null
+From 96dd922c198286681fbbc15100e196e0f629e2fb Mon Sep 17 00:00:00 2001
+From: Brian Norris <computersforpeace@gmail.com>
+Date: Wed, 11 Nov 2015 15:36:16 -0800
+Subject: mtd: jz4740_nand: fix build on jz4740 after removing gpio.h
+
+From: Brian Norris <computersforpeace@gmail.com>
+
+commit 96dd922c198286681fbbc15100e196e0f629e2fb upstream.
+
+Fallout from commit 832f5dacfa0b ("MIPS: Remove all the uses of custom gpio.h")
+
+We see errors like this:
+
+drivers/mtd/nand/jz4740_nand.c: In function 'jz_nand_detect_bank':
+drivers/mtd/nand/jz4740_nand.c:340:9: error: 'JZ_GPIO_MEM_CS0' undeclared (first use in this function)
+drivers/mtd/nand/jz4740_nand.c:340:9: note: each undeclared identifier is reported only once for each function it appears in
+drivers/mtd/nand/jz4740_nand.c:359:2: error: implicit declaration of function 'jz_gpio_set_function' [-Werror=implicit-function-declaration]
+drivers/mtd/nand/jz4740_nand.c:359:29: error: 'JZ_GPIO_FUNC_MEM_CS0' undeclared (first use in this function)
+drivers/mtd/nand/jz4740_nand.c:399:29: error: 'JZ_GPIO_FUNC_NONE' undeclared (first use in this function)
+drivers/mtd/nand/jz4740_nand.c: In function 'jz_nand_probe':
+drivers/mtd/nand/jz4740_nand.c:528:13: error: 'JZ_GPIO_MEM_CS0' undeclared (first use in this function)
+drivers/mtd/nand/jz4740_nand.c: In function 'jz_nand_remove':
+drivers/mtd/nand/jz4740_nand.c:555:14: error: 'JZ_GPIO_MEM_CS0' undeclared (first use in this function)
+
+Patched similarly to:
+
+https://patchwork.linux-mips.org/patch/11089/
+
+Fixes: 832f5dacfa0b ("MIPS: Remove all the uses of custom gpio.h")
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/jz4740_nand.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mtd/nand/jz4740_nand.c
++++ b/drivers/mtd/nand/jz4740_nand.c
+@@ -25,6 +25,7 @@
+
+ #include <linux/gpio.h>
+
++#include <asm/mach-jz4740/gpio.h>
+ #include <asm/mach-jz4740/jz4740_nand.h>
+
+ #define JZ_REG_NAND_CTRL 0x50
--- /dev/null
+From e5bae86797141e4a95e42d825f737cb36d7b8c37 Mon Sep 17 00:00:00 2001
+From: Boris BREZILLON <boris.brezillon@free-electrons.com>
+Date: Thu, 30 Jul 2015 12:18:03 +0200
+Subject: mtd: mtdpart: fix add_mtd_partitions error path
+
+From: Boris BREZILLON <boris.brezillon@free-electrons.com>
+
+commit e5bae86797141e4a95e42d825f737cb36d7b8c37 upstream.
+
+If we fail to allocate a partition structure in the middle of the partition
+creation process, the already allocated partitions are never removed, which
+means they are still present in the partition list and their resources are
+never freed.
+
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/mtdpart.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/mtdpart.c
++++ b/drivers/mtd/mtdpart.c
+@@ -664,8 +664,10 @@ int add_mtd_partitions(struct mtd_info *
+
+ for (i = 0; i < nbparts; i++) {
+ slave = allocate_partition(master, parts + i, i, cur_offset);
+- if (IS_ERR(slave))
++ if (IS_ERR(slave)) {
++ del_mtd_partitions(master);
+ return PTR_ERR(slave);
++ }
+
+ mutex_lock(&mtd_partitions_mutex);
+ list_add(&slave->list, &mtd_partitions);
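Review bot: The new `del_mtd_partitions(master)` call in the IS_ERR() branch of add_mtd_partitions() tears down every partition registered on `master`, not only the ones created by earlier iterations of this loop, and its return value is dropped. If add_mtd_partitions() can ever be called for a master that already has partitions, a failure here would remove those as well; the hunk does not show whether callers rule that out. I would at least state the assumption, e.g. `/* undo partitions added so far; assumes master had none before this call */`. The function's start and the rest of the loop are outside the hunk.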
--- /dev/null
+From 9ca641b0f02a3a1eedbc8c296e695326da9bbaf9 Mon Sep 17 00:00:00 2001
+From: Brian Norris <computersforpeace@gmail.com>
+Date: Mon, 9 Nov 2015 16:37:28 -0800
+Subject: mtd: nand: fix shutdown/reboot for multi-chip systems
+
+From: Brian Norris <computersforpeace@gmail.com>
+
+commit 9ca641b0f02a3a1eedbc8c296e695326da9bbaf9 upstream.
+
+If multiple NAND chips are registered to the same controller, then when
+rebooting the system, the first one will grab the controller lock, while
+the second will wait forever for the first one to release it. i.e., a
+classic deadlock.
+
+This problem was solved for a similar case (suspend/resume) back in
+commit 6b0d9a841249 ("mtd: nand: fix multi-chip suspend problem"), and
+the shutdown state really isn't much different for us, so rather than
+adding a new special case to nand_get_device(), we can just overload the
+FL_PM_SUSPENDED state.
+
+Now, multiple chips can "get" the same controller lock (preventing
+further I/O), while we still allow other chips to pass through
+nand_shutdown().
+
+Original report:
+http://thread.gmane.org/gmane.linux.drivers.mtd/59726
+http://lists.infradead.org/pipermail/linux-mtd/2015-July/059992.html
+
+Fixes: 72ea403669c7 ("mtd: nand: added nand_shutdown")
+Reported-by: Andrew E. Mileski <andrewm@isoar.ca>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Cc: Scott Branden <sbranden@broadcom.com>
+Cc: Andrew E. Mileski <andrewm@isoar.ca>
+Acked-by: Scott Branden <sbranden@broadcom.com>
+Reviewed-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/nand_base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -2964,7 +2964,7 @@ static void nand_resume(struct mtd_info
+ */
+ static void nand_shutdown(struct mtd_info *mtd)
+ {
+- nand_get_device(mtd, FL_SHUTDOWN);
++ nand_get_device(mtd, FL_PM_SUSPENDED);
+ }
+
+ /* Set default functions */
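Review bot: nand_shutdown() now passes `FL_PM_SUSPENDED` with no comment, so the code reads as if shutdown were a suspend and the reason for not using `FL_SHUTDOWN` lives only in the commit message. A line such as `/* reuse FL_PM_SUSPENDED: lets every chip on a shared controller get through, as for suspend */` above the call would preserve that. If nothing else uses `FL_SHUTDOWN` after this change, the state is dead and could be removed in a follow-up; the hunk does not show its other users.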
--- /dev/null
+From 6b238de189f69dc77d660d4cce62eed15547f4c3 Mon Sep 17 00:00:00 2001
+From: Sebastian Siewior <bigeasy@linutronix.de>
+Date: Thu, 26 Nov 2015 21:23:49 +0100
+Subject: mtd: ubi: don't leak e if schedule_erase() fails
+
+From: Sebastian Siewior <bigeasy@linutronix.de>
+
+commit 6b238de189f69dc77d660d4cce62eed15547f4c3 upstream.
+
+If __erase_worker() fails to erase the EB and schedule_erase() fails as
+well to do anything about it then we go RO. But that is not a reason to
+leak the e argument here. Therefore clean up e.
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/ubi/wl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -1060,6 +1060,7 @@ static int __erase_worker(struct ubi_dev
+ /* Re-schedule the LEB for erasure */
+ err1 = schedule_erase(ubi, e, vol_id, lnum, 0);
+ if (err1) {
++ wl_entry_destroy(ubi, e);
+ err = err1;
+ goto out_ro;
+ }
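Review bot: After the added `wl_entry_destroy(ubi, e)` in __erase_worker(), control jumps to `out_ro`, which lies outside the hunk, so it is not visible here whether that path or its callers still touch `e`. The free is only safe if schedule_erase() never keeps a reference to `e` when it returns an error, and that function is also outside the hunk. A comment stating the ownership rule, e.g. `/* schedule_erase() failed without taking e; we still own it */`, would make both assumptions checkable.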
--- /dev/null
+From 1a31b20cd81d5cbc7ec6e24cb08066009a1ca32d Mon Sep 17 00:00:00 2001
+From: Sebastian Siewior <bigeasy@linutronix.de>
+Date: Thu, 26 Nov 2015 21:23:48 +0100
+Subject: mtd: ubi: fixup error correction in do_sync_erase()
+
+From: Sebastian Siewior <bigeasy@linutronix.de>
+
+commit 1a31b20cd81d5cbc7ec6e24cb08066009a1ca32d upstream.
+
+Since fastmap we gained do_sync_erase(). This function can return an error
+and its error handling isn't obvious. First the memory allocation for
+struct ubi_work can fail and as such struct ubi_wl_entry is leaked.
+However if the memory allocation succeeds then the tail function takes
+care of the struct ubi_wl_entry. A free here could result in a double
+free.
+To make the error handling simpler, I split the tail function into one
+piece which does the work and another which frees the struct ubi_work
+which is passed as argument. As result do_sync_erase() can keep the
+struct on stack and we get rid of one error source.
+
+Fixes: 8199b901a ("UBI: Add fastmap support to the WL sub-system")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/ubi/wl.c | 52 +++++++++++++++++++++++++++------------------------
+ 1 file changed, 28 insertions(+), 24 deletions(-)
+
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -603,6 +603,7 @@ static int schedule_erase(struct ubi_dev
+ return 0;
+ }
+
++static int __erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk);
+ /**
+ * do_sync_erase - run the erase worker synchronously.
+ * @ubi: UBI device description object
+@@ -615,20 +616,16 @@ static int schedule_erase(struct ubi_dev
+ static int do_sync_erase(struct ubi_device *ubi, struct ubi_wl_entry *e,
+ int vol_id, int lnum, int torture)
+ {
+- struct ubi_work *wl_wrk;
++ struct ubi_work wl_wrk;
+
+ dbg_wl("sync erase of PEB %i", e->pnum);
+
+- wl_wrk = kmalloc(sizeof(struct ubi_work), GFP_NOFS);
+- if (!wl_wrk)
+- return -ENOMEM;
+-
+- wl_wrk->e = e;
+- wl_wrk->vol_id = vol_id;
+- wl_wrk->lnum = lnum;
+- wl_wrk->torture = torture;
++ wl_wrk.e = e;
++ wl_wrk.vol_id = vol_id;
++ wl_wrk.lnum = lnum;
++ wl_wrk.torture = torture;
+
+- return erase_worker(ubi, wl_wrk, 0);
++ return __erase_worker(ubi, &wl_wrk);
+ }
+
+ /**
+@@ -1014,7 +1011,7 @@ out_unlock:
+ }
+
+ /**
+- * erase_worker - physical eraseblock erase worker function.
++ * __erase_worker - physical eraseblock erase worker function.
+ * @ubi: UBI device description object
+ * @wl_wrk: the work object
+ * @shutdown: non-zero if the worker has to free memory and exit
+@@ -1025,8 +1022,7 @@ out_unlock:
+ * needed. Returns zero in case of success and a negative error code in case of
+ * failure.
+ */
+-static int erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk,
+- int shutdown)
++static int __erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk)
+ {
+ struct ubi_wl_entry *e = wl_wrk->e;
+ int pnum = e->pnum;
+@@ -1034,21 +1030,11 @@ static int erase_worker(struct ubi_devic
+ int lnum = wl_wrk->lnum;
+ int err, available_consumed = 0;
+
+- if (shutdown) {
+- dbg_wl("cancel erasure of PEB %d EC %d", pnum, e->ec);
+- kfree(wl_wrk);
+- wl_entry_destroy(ubi, e);
+- return 0;
+- }
+-
+ dbg_wl("erase PEB %d EC %d LEB %d:%d",
+ pnum, e->ec, wl_wrk->vol_id, wl_wrk->lnum);
+
+ err = sync_erase(ubi, e, wl_wrk->torture);
+ if (!err) {
+- /* Fine, we've erased it successfully */
+- kfree(wl_wrk);
+-
+ spin_lock(&ubi->wl_lock);
+ wl_tree_add(e, &ubi->free);
+ ubi->free_count++;
+@@ -1066,7 +1052,6 @@ static int erase_worker(struct ubi_devic
+ }
+
+ ubi_err(ubi, "failed to erase PEB %d, error %d", pnum, err);
+- kfree(wl_wrk);
+
+ if (err == -EINTR || err == -ENOMEM || err == -EAGAIN ||
+ err == -EBUSY) {
+@@ -1150,6 +1135,25 @@ out_ro:
+ return err;
+ }
+
++static int erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk,
++ int shutdown)
++{
++ int ret;
++
++ if (shutdown) {
++ struct ubi_wl_entry *e = wl_wrk->e;
++
++ dbg_wl("cancel erasure of PEB %d EC %d", e->pnum, e->ec);
++ kfree(wl_wrk);
++ wl_entry_destroy(ubi, e);
++ return 0;
++ }
++
++ ret = __erase_worker(ubi, wl_wrk);
++ kfree(wl_wrk);
++ return ret;
++}
++
+ /**
+ * ubi_wl_put_peb - return a PEB to the wear-leveling sub-system.
+ * @ubi: UBI device description object
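Review bot: In do_sync_erase() the on-stack `struct ubi_work wl_wrk` has only four members assigned, so any other members of the struct (its definition is not shown) are uninitialised stack contents handed to __erase_worker() by pointer. The visible code reads just `e`, `vol_id`, `lnum` and `torture`, but initialising at the declaration is safer: `struct ubi_work wl_wrk = { .e = e, .vol_id = vol_id, .lnum = lnum, .torture = torture };`. Separately, the kernel-doc block renamed to __erase_worker still lists `@shutdown`, a parameter that function no longer has, and the new erase_worker() wrapper has no kernel-doc of its own.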
--- /dev/null
+From dcbf0d299c00ed4f82ea8d6e359ad88a5182f9b8 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sun, 22 Nov 2015 12:14:14 +0100
+Subject: parisc: Drop unused MADV_xxxK_PAGES flags from asm/mman.h
+
+From: Helge Deller <deller@gmx.de>
+
+commit dcbf0d299c00ed4f82ea8d6e359ad88a5182f9b8 upstream.
+
+Drop the MADV_xxK_PAGES flags, which were never used and were from a proposed
+API which was never integrated into the generic Linux kernel code.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/uapi/asm/mman.h | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+--- a/arch/parisc/include/uapi/asm/mman.h
++++ b/arch/parisc/include/uapi/asm/mman.h
+@@ -46,16 +46,6 @@
+ #define MADV_DONTFORK 10 /* don't inherit across fork */
+ #define MADV_DOFORK 11 /* do inherit across fork */
+
+-/* The range 12-64 is reserved for page size specification. */
+-#define MADV_4K_PAGES 12 /* Use 4K pages */
+-#define MADV_16K_PAGES 14 /* Use 16K pages */
+-#define MADV_64K_PAGES 16 /* Use 64K pages */
+-#define MADV_256K_PAGES 18 /* Use 256K pages */
+-#define MADV_1M_PAGES 20 /* Use 1 Megabyte pages */
+-#define MADV_4M_PAGES 22 /* Use 4 Megabyte pages */
+-#define MADV_16M_PAGES 24 /* Use 16 Megabyte pages */
+-#define MADV_64M_PAGES 26 /* Use 64 Megabyte pages */
+-
+ #define MADV_MERGEABLE 65 /* KSM may merge identical pages */
+ #define MADV_UNMERGEABLE 66 /* KSM may not merge identical pages */
+
--- /dev/null
+From e60fc5aa608eb38b47ba4ee058f306f739eb70a0 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sun, 10 Jan 2016 09:30:42 +0100
+Subject: parisc: Fix __ARCH_SI_PREAMBLE_SIZE
+
+From: Helge Deller <deller@gmx.de>
+
+commit e60fc5aa608eb38b47ba4ee058f306f739eb70a0 upstream.
+
+On a 64bit kernel build the compiler aligns the _sifields union in the
+struct siginfo_t on a 64bit address. The __ARCH_SI_PREAMBLE_SIZE define
+compensates for this alignment and thus fixes the wait testcase of the
+strace package.
+
+The symptoms of a wrong __ARCH_SI_PREAMBLE_SIZE value is that
+_sigchld.si_stime variable is missed to be copied and thus after a
+copy_siginfo() will have uninitialized values.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/uapi/asm/siginfo.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/parisc/include/uapi/asm/siginfo.h
++++ b/arch/parisc/include/uapi/asm/siginfo.h
+@@ -1,6 +1,10 @@
+ #ifndef _PARISC_SIGINFO_H
+ #define _PARISC_SIGINFO_H
+
++#if defined(__LP64__)
++#define __ARCH_SI_PREAMBLE_SIZE (4 * sizeof(int))
++#endif
++
+ #include <asm-generic/siginfo.h>
+
+ #undef NSIGTRAP
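Review bot: The new `__ARCH_SI_PREAMBLE_SIZE` define has no comment, so the reason for four ints instead of the generic three lives only in the commit message. A short comment above it would stop a later cleanup from reverting it, e.g. `/* 64-bit: _sifields is 8-byte aligned, so the preamble includes one int of padding */`. The description says a wrong value leaves part of the copied siginfo uninitialized, so that consequence is worth stating in the comment as well.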
--- /dev/null
+From 71a71fb5374a23be36a91981b5614590b9e722c3 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Mon, 21 Dec 2015 10:03:30 +0100
+Subject: parisc: Fix syscall restarts
+
+From: Helge Deller <deller@gmx.de>
+
+commit 71a71fb5374a23be36a91981b5614590b9e722c3 upstream.
+
+On parisc syscalls which are interrupted by signals sometimes failed to
+restart and instead returned -ENOSYS which in the worst case lead to
+userspace crashes.
+A similiar problem existed on MIPS and was fixed by commit e967ef02
+("MIPS: Fix restart of indirect syscalls").
+
+On parisc the current syscall restart code assumes that all syscall
+callers load the syscall number in the delay slot of the ble
+instruction. That's how it is e.g. done in the unistd.h header file:
+ ble 0x100(%sr2, %r0)
+ ldi #syscall_nr, %r20
+Because of that assumption the current code never restored %r20 before
+returning to userspace.
+
+This assumption is at least not true for code which uses the glibc
+syscall() function, which instead uses this syntax:
+ ble 0x100(%sr2, %r0)
+ copy regX, %r20
+where regX depend on how the compiler optimizes the code and register
+usage.
+
+This patch fixes this problem by adding code to analyze how the syscall
+number is loaded in the delay branch and - if needed - copy the syscall
+number to regX prior returning to userspace for the syscall restart.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/signal.c | 64 +++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 52 insertions(+), 12 deletions(-)
+
+--- a/arch/parisc/kernel/signal.c
++++ b/arch/parisc/kernel/signal.c
+@@ -435,6 +435,55 @@ handle_signal(struct ksignal *ksig, stru
+ regs->gr[28]);
+ }
+
++/*
++ * Check how the syscall number gets loaded into %r20 within
++ * the delay branch in userspace and adjust as needed.
++ */
++
++static void check_syscallno_in_delay_branch(struct pt_regs *regs)
++{
++ u32 opcode, source_reg;
++ u32 __user *uaddr;
++ int err;
++
++ /* Usually we don't have to restore %r20 (the system call number)
++ * because it gets loaded in the delay slot of the branch external
++ * instruction via the ldi instruction.
++ * In some cases a register-to-register copy instruction might have
++ * been used instead, in which case we need to copy the syscall
++ * number into the source register before returning to userspace.
++ */
++
++ /* A syscall is just a branch, so all we have to do is fiddle the
++ * return pointer so that the ble instruction gets executed again.
++ */
++ regs->gr[31] -= 8; /* delayed branching */
++
++ /* Get assembler opcode of code in delay branch */
++ uaddr = (unsigned int *) ((regs->gr[31] & ~3) + 4);
++ err = get_user(opcode, uaddr);
++ if (err)
++ return;
++
++ /* Check if delay branch uses "ldi int,%r20" */
++ if ((opcode & 0xffff0000) == 0x34140000)
++ return; /* everything ok, just return */
++
++ /* Check if delay branch uses "nop" */
++ if (opcode == INSN_NOP)
++ return;
++
++ /* Check if delay branch uses "copy %rX,%r20" */
++ if ((opcode & 0xffe0ffff) == 0x08000254) {
++ source_reg = (opcode >> 16) & 31;
++ regs->gr[source_reg] = regs->gr[20];
++ return;
++ }
++
++ pr_warn("syscall restart: %s (pid %d): unexpected opcode 0x%08x\n",
++ current->comm, task_pid_nr(current), opcode);
++}
++
+ static inline void
+ syscall_restart(struct pt_regs *regs, struct k_sigaction *ka)
+ {
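Review bot: In check_syscallno_in_delay_branch(), `source_reg` is decoded from an instruction word fetched from user memory with get_user(), so any of the 32 register numbers can arrive, including 0, and the `copy %rX,%r20` branch then stores into `regs->gr[source_reg]` unconditionally. If slot 0 of the saved register array is not an ordinary general register on parisc (I recall pt_regs keeping the PSW there; please confirm), that store should be skipped, e.g. `if (source_reg != 0) regs->gr[source_reg] = regs->gr[20];`. Separately, the cast in the `uaddr` assignment drops the address-space annotation; `(u32 __user *)` would match the declaration and keep sparse quiet. The helper is complete in this hunk, while syscall_restart() below it continues outside.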
+@@ -457,10 +506,7 @@ syscall_restart(struct pt_regs *regs, st
+ }
+ /* fallthrough */
+ case -ERESTARTNOINTR:
+- /* A syscall is just a branch, so all
+- * we have to do is fiddle the return pointer.
+- */
+- regs->gr[31] -= 8; /* delayed branching */
++ check_syscallno_in_delay_branch(regs);
+ break;
+ }
+ }
+@@ -510,15 +556,9 @@ insert_restart_trampoline(struct pt_regs
+ }
+ case -ERESTARTNOHAND:
+ case -ERESTARTSYS:
+- case -ERESTARTNOINTR: {
+- /* Hooray for delayed branching. We don't
+- * have to restore %r20 (the system call
+- * number) because it gets loaded in the delay
+- * slot of the branch external instruction.
+- */
+- regs->gr[31] -= 8;
++ case -ERESTARTNOINTR:
++ check_syscallno_in_delay_branch(regs);
+ return;
+- }
+ default:
+ break;
+ }
--- /dev/null
+From d0cf62fb63f760e98244d31396b3b58f3a1e326b Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Fri, 6 Nov 2015 23:36:01 +0100
+Subject: parisc: Fixes and cleanups in kernel uapi header files
+
+From: Helge Deller <deller@gmx.de>
+
+commit d0cf62fb63f760e98244d31396b3b58f3a1e326b upstream.
+
+This patch fixes some bugs and partly cleans up the parisc uapi header
+files to what glibc defined:
+- compat_semid64_ds was wrong and did not take the endianess into
+ account
+- ipc64_perm exported userspace types which broke building userspace
+ packages on debian (e.g. trinity)
+- ipc64_perm needs to use a 32bit mode_t on 64bit kernel
+- msqid64_ds and semid64_ds needs unsigned longs for various struct members
+- shmid64_ds exported size_t instead of __kernel_size_t
+
+And finally add some compile-time checks for the sizes of those structs
+to avoid future breakage.
+
+Runtime-tested with the Linux Test Project (LTP) testsuite.
+
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/asm/compat.h | 4 ++--
+ arch/parisc/include/uapi/asm/ipcbuf.h | 19 ++++++++++++-------
+ arch/parisc/include/uapi/asm/msgbuf.h | 10 +++++-----
+ arch/parisc/include/uapi/asm/posix_types.h | 2 ++
+ arch/parisc/include/uapi/asm/sembuf.h | 6 +++---
+ arch/parisc/include/uapi/asm/shmbuf.h | 8 ++++----
+ arch/parisc/mm/init.c | 16 ++++++++++++++++
+ 7 files changed, 44 insertions(+), 21 deletions(-)
+
+--- a/arch/parisc/include/asm/compat.h
++++ b/arch/parisc/include/asm/compat.h
+@@ -206,10 +206,10 @@ struct compat_ipc64_perm {
+
+ struct compat_semid64_ds {
+ struct compat_ipc64_perm sem_perm;
+- compat_time_t sem_otime;
+ unsigned int __unused1;
+- compat_time_t sem_ctime;
++ compat_time_t sem_otime;
+ unsigned int __unused2;
++ compat_time_t sem_ctime;
+ compat_ulong_t sem_nsems;
+ compat_ulong_t __unused3;
+ compat_ulong_t __unused4;
+--- a/arch/parisc/include/uapi/asm/ipcbuf.h
++++ b/arch/parisc/include/uapi/asm/ipcbuf.h
+@@ -1,6 +1,9 @@
+ #ifndef __PARISC_IPCBUF_H__
+ #define __PARISC_IPCBUF_H__
+
++#include <asm/bitsperlong.h>
++#include <linux/posix_types.h>
++
+ /*
+ * The ipc64_perm structure for PA-RISC is almost identical to
+ * kern_ipc_perm as we have always had 32-bit UIDs and GIDs in the kernel.
+@@ -10,16 +13,18 @@
+
+ struct ipc64_perm
+ {
+- key_t key;
+- uid_t uid;
+- gid_t gid;
+- uid_t cuid;
+- gid_t cgid;
++ __kernel_key_t key;
++ __kernel_uid_t uid;
++ __kernel_gid_t gid;
++ __kernel_uid_t cuid;
++ __kernel_gid_t cgid;
++#if __BITS_PER_LONG != 64
+ unsigned short int __pad1;
+- mode_t mode;
++#endif
++ __kernel_mode_t mode;
+ unsigned short int __pad2;
+ unsigned short int seq;
+- unsigned int __pad3;
++ unsigned int __pad3;
+ unsigned long long int __unused1;
+ unsigned long long int __unused2;
+ };
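Review bot: `__pad1` in `struct ipc64_perm` is guarded by `#if __BITS_PER_LONG != 64`, while the matching 16-bit `__kernel_mode_t` typedef in the posix_types.h hunk of this patch is guarded by `#ifndef __LP64__`. The struct keeps its size only when both tests agree. I would use one macro for both, or add a comment on `__pad1` such as `/* present only where __kernel_mode_t is 16 bits wide, see posix_types.h */`.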
+--- a/arch/parisc/include/uapi/asm/msgbuf.h
++++ b/arch/parisc/include/uapi/asm/msgbuf.h
+@@ -27,13 +27,13 @@ struct msqid64_ds {
+ unsigned int __pad3;
+ #endif
+ __kernel_time_t msg_ctime; /* last change time */
+- unsigned int msg_cbytes; /* current number of bytes on queue */
+- unsigned int msg_qnum; /* number of messages in queue */
+- unsigned int msg_qbytes; /* max number of bytes on queue */
++ unsigned long msg_cbytes; /* current number of bytes on queue */
++ unsigned long msg_qnum; /* number of messages in queue */
++ unsigned long msg_qbytes; /* max number of bytes on queue */
+ __kernel_pid_t msg_lspid; /* pid of last msgsnd */
+ __kernel_pid_t msg_lrpid; /* last receive pid */
+- unsigned int __unused1;
+- unsigned int __unused2;
++ unsigned long __unused1;
++ unsigned long __unused2;
+ };
+
+ #endif /* _PARISC_MSGBUF_H */
+--- a/arch/parisc/include/uapi/asm/posix_types.h
++++ b/arch/parisc/include/uapi/asm/posix_types.h
+@@ -7,8 +7,10 @@
+ * assume GCC is being used.
+ */
+
++#ifndef __LP64__
+ typedef unsigned short __kernel_mode_t;
+ #define __kernel_mode_t __kernel_mode_t
++#endif
+
+ typedef unsigned short __kernel_ipc_pid_t;
+ #define __kernel_ipc_pid_t __kernel_ipc_pid_t
+--- a/arch/parisc/include/uapi/asm/sembuf.h
++++ b/arch/parisc/include/uapi/asm/sembuf.h
+@@ -23,9 +23,9 @@ struct semid64_ds {
+ unsigned int __pad2;
+ #endif
+ __kernel_time_t sem_ctime; /* last change time */
+- unsigned int sem_nsems; /* no. of semaphores in array */
+- unsigned int __unused1;
+- unsigned int __unused2;
++ unsigned long sem_nsems; /* no. of semaphores in array */
++ unsigned long __unused1;
++ unsigned long __unused2;
+ };
+
+ #endif /* _PARISC_SEMBUF_H */
+--- a/arch/parisc/include/uapi/asm/shmbuf.h
++++ b/arch/parisc/include/uapi/asm/shmbuf.h
+@@ -30,12 +30,12 @@ struct shmid64_ds {
+ #if __BITS_PER_LONG != 64
+ unsigned int __pad4;
+ #endif
+- size_t shm_segsz; /* size of segment (bytes) */
++ __kernel_size_t shm_segsz; /* size of segment (bytes) */
+ __kernel_pid_t shm_cpid; /* pid of creator */
+ __kernel_pid_t shm_lpid; /* pid of last operator */
+- unsigned int shm_nattch; /* no. of current attaches */
+- unsigned int __unused1;
+- unsigned int __unused2;
++ unsigned long shm_nattch; /* no. of current attaches */
++ unsigned long __unused1;
++ unsigned long __unused2;
+ };
+
+ struct shminfo64 {
+--- a/arch/parisc/mm/init.c
++++ b/arch/parisc/mm/init.c
+@@ -23,6 +23,7 @@
+ #include <linux/unistd.h>
+ #include <linux/nodemask.h> /* for node_online_map */
+ #include <linux/pagemap.h> /* for release_pages and page_cache_release */
++#include <linux/compat.h>
+
+ #include <asm/pgalloc.h>
+ #include <asm/pgtable.h>
+@@ -30,6 +31,7 @@
+ #include <asm/pdc_chassis.h>
+ #include <asm/mmzone.h>
+ #include <asm/sections.h>
++#include <asm/msgbuf.h>
+
+ extern int data_start;
+ extern void parisc_kernel_start(void); /* Kernel entry point in head.S */
+@@ -590,6 +592,20 @@ unsigned long pcxl_dma_start __read_most
+
+ void __init mem_init(void)
+ {
++ /* Do sanity checks on IPC (compat) structures */
++ BUILD_BUG_ON(sizeof(struct ipc64_perm) != 48);
++#ifndef CONFIG_64BIT
++ BUILD_BUG_ON(sizeof(struct semid64_ds) != 80);
++ BUILD_BUG_ON(sizeof(struct msqid64_ds) != 104);
++ BUILD_BUG_ON(sizeof(struct shmid64_ds) != 104);
++#endif
++#ifdef CONFIG_COMPAT
++ BUILD_BUG_ON(sizeof(struct compat_ipc64_perm) != sizeof(struct ipc64_perm));
++ BUILD_BUG_ON(sizeof(struct compat_semid64_ds) != 80);
++ BUILD_BUG_ON(sizeof(struct compat_msqid64_ds) != 104);
++ BUILD_BUG_ON(sizeof(struct compat_shmid64_ds) != 104);
++#endif
++
+ /* Do sanity checks on page table constants */
+ BUILD_BUG_ON(PTE_ENTRY_SIZE != sizeof(pte_t));
+ BUILD_BUG_ON(PMD_ENTRY_SIZE != sizeof(pmd_t));
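Review bot: The size assertions added at the top of mem_init() check `semid64_ds`, `msqid64_ds` and `shmid64_ds` only under `#ifndef CONFIG_64BIT`, so the native 64-bit layouts of the three structs whose members this patch widens to `unsigned long` get no compile-time check. An `#else` branch asserting the expected 64-bit sizes would close that gap; I have not derived those values from the headers shown here. The literals 48, 80 and 104 would also read better with a one-line comment naming their origin, e.g. `/* sizes must match the glibc definitions */`. mem_init() continues outside the hunk.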
--- /dev/null
+From 3460baa620685c20f5ee19afb6d99d26150c382c Mon Sep 17 00:00:00 2001
+From: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
+Date: Wed, 23 Dec 2015 16:51:57 +0100
+Subject: PCI: Fix minimum allocation address overwrite
+
+From: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
+
+commit 3460baa620685c20f5ee19afb6d99d26150c382c upstream.
+
+Commit 36e097a8a297 ("PCI: Split out bridge window override of minimum
+allocation address") claimed to do no functional changes but unfortunately
+did: The "min" variable is altered. At least the AVM A1 PCMCIA adapter was
+no longer detected, breaking ISDN operation.
+
+Use a local copy of "min" to restore the previous behaviour.
+
+[bhelgaas: avoid gcc "?:" extension for portability and readability]
+Fixes: 36e097a8a297 ("PCI: Split out bridge window override of minimum allocation address")
+Signed-off-by: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/bus.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/bus.c
++++ b/drivers/pci/bus.c
+@@ -140,6 +140,8 @@ static int pci_bus_alloc_from_region(str
+ type_mask |= IORESOURCE_TYPE_BITS;
+
+ pci_bus_for_each_resource(bus, r, i) {
++ resource_size_t min_used = min;
++
+ if (!r)
+ continue;
+
+@@ -163,12 +165,12 @@ static int pci_bus_alloc_from_region(str
+ * overrides "min".
+ */
+ if (avail.start)
+- min = avail.start;
++ min_used = avail.start;
+
+ max = avail.end;
+
+ /* Ok, try it out.. */
+- ret = allocate_resource(r, res, size, min, max,
++ ret = allocate_resource(r, res, size, min_used, max,
+ align, alignf, alignf_data);
+ if (ret == 0)
+ return 0;
--- /dev/null
+From 8ff0ef996ca00028519c70e8d51d32bd37eb51dc Mon Sep 17 00:00:00 2001
+From: Grygorii Strashko <grygorii.strashko@ti.com>
+Date: Thu, 10 Dec 2015 21:18:20 +0200
+Subject: PCI: host: Mark PCIe/PCI (MSI) IRQ cascade handlers as IRQF_NO_THREAD
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Grygorii Strashko <grygorii.strashko@ti.com>
+
+commit 8ff0ef996ca00028519c70e8d51d32bd37eb51dc upstream.
+
+On -RT and if kernel is booting with "threadirqs" cmd line parameter,
+PCIe/PCI (MSI) IRQ cascade handlers (like dra7xx_pcie_msi_irq_handler())
+will be forced threaded and, as result, will generate warnings like this:
+
+ WARNING: CPU: 1 PID: 82 at kernel/irq/handle.c:150 handle_irq_event_percpu+0x14c/0x174()
+ irq 460 handler irq_default_primary_handler+0x0/0x14 enabled interrupts
+ Backtrace:
+ (warn_slowpath_common) from (warn_slowpath_fmt+0x38/0x40)
+ (warn_slowpath_fmt) from (handle_irq_event_percpu+0x14c/0x174)
+ (handle_irq_event_percpu) from (handle_irq_event+0x84/0xb8)
+ (handle_irq_event) from (handle_simple_irq+0x90/0x118)
+ (handle_simple_irq) from (generic_handle_irq+0x30/0x44)
+ (generic_handle_irq) from (dra7xx_pcie_msi_irq_handler+0x7c/0x8c)
+ (dra7xx_pcie_msi_irq_handler) from (irq_forced_thread_fn+0x28/0x5c)
+ (irq_forced_thread_fn) from (irq_thread+0x128/0x204)
+
+This happens because all of them invoke generic_handle_irq() from the
+requested handler. generic_handle_irq() grabs raw_locks and thus needs to
+run in raw-IRQ context.
+
+This issue was originally reproduced on TI dra7-evem, but, as was
+identified during discussion [1], other hosts can also suffer from this
+issue. Fix all them at once by marking PCIe/PCI (MSI) IRQ cascade handlers
+IRQF_NO_THREAD explicitly.
+
+[1] http://lkml.kernel.org/r/1448027966-21610-1-git-send-email-grygorii.strashko@ti.com
+
+[bhelgaas: add stable tag, fix typos]
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Lucas Stach <l.stach@pengutronix.de> (for imx6)
+CC: Kishon Vijay Abraham I <kishon@ti.com>
+CC: Jingoo Han <jingoohan1@gmail.com>
+CC: Kukjin Kim <kgene@kernel.org>
+CC: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+CC: Richard Zhu <Richard.Zhu@freescale.com>
+CC: Thierry Reding <thierry.reding@gmail.com>
+CC: Stephen Warren <swarren@wwwdotorg.org>
+CC: Alexandre Courbot <gnurou@gmail.com>
+CC: Simon Horman <horms@verge.net.au>
+CC: Pratyush Anand <pratyush.anand@gmail.com>
+CC: Michal Simek <michal.simek@xilinx.com>
+CC: "Sören Brinkmann" <soren.brinkmann@xilinx.com>
+CC: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/host/pci-dra7xx.c | 3 ++-
+ drivers/pci/host/pci-exynos.c | 3 ++-
+ drivers/pci/host/pci-imx6.c | 3 ++-
+ drivers/pci/host/pci-tegra.c | 2 +-
+ drivers/pci/host/pcie-rcar.c | 6 ++++--
+ drivers/pci/host/pcie-spear13xx.c | 3 ++-
+ drivers/pci/host/pcie-xilinx.c | 3 ++-
+ 7 files changed, 15 insertions(+), 8 deletions(-)
+
+--- a/drivers/pci/host/pci-dra7xx.c
++++ b/drivers/pci/host/pci-dra7xx.c
+@@ -295,7 +295,8 @@ static int __init dra7xx_add_pcie_port(s
+ }
+
+ ret = devm_request_irq(&pdev->dev, pp->irq,
+- dra7xx_pcie_msi_irq_handler, IRQF_SHARED,
++ dra7xx_pcie_msi_irq_handler,
++ IRQF_SHARED | IRQF_NO_THREAD,
+ "dra7-pcie-msi", pp);
+ if (ret) {
+ dev_err(&pdev->dev, "failed to request irq\n");
+--- a/drivers/pci/host/pci-exynos.c
++++ b/drivers/pci/host/pci-exynos.c
+@@ -523,7 +523,8 @@ static int __init exynos_add_pcie_port(s
+
+ ret = devm_request_irq(&pdev->dev, pp->msi_irq,
+ exynos_pcie_msi_irq_handler,
+- IRQF_SHARED, "exynos-pcie", pp);
++ IRQF_SHARED | IRQF_NO_THREAD,
++ "exynos-pcie", pp);
+ if (ret) {
+ dev_err(&pdev->dev, "failed to request msi irq\n");
+ return ret;
+--- a/drivers/pci/host/pci-imx6.c
++++ b/drivers/pci/host/pci-imx6.c
+@@ -536,7 +536,8 @@ static int __init imx6_add_pcie_port(str
+
+ ret = devm_request_irq(&pdev->dev, pp->msi_irq,
+ imx6_pcie_msi_handler,
+- IRQF_SHARED, "mx6-pcie-msi", pp);
++ IRQF_SHARED | IRQF_NO_THREAD,
++ "mx6-pcie-msi", pp);
+ if (ret) {
+ dev_err(&pdev->dev, "failed to request MSI irq\n");
+ return -ENODEV;
+--- a/drivers/pci/host/pci-tegra.c
++++ b/drivers/pci/host/pci-tegra.c
+@@ -1288,7 +1288,7 @@ static int tegra_pcie_enable_msi(struct
+
+ msi->irq = err;
+
+- err = request_irq(msi->irq, tegra_pcie_msi_irq, 0,
++ err = request_irq(msi->irq, tegra_pcie_msi_irq, IRQF_NO_THREAD,
+ tegra_msi_irq_chip.name, pcie);
+ if (err < 0) {
+ dev_err(&pdev->dev, "failed to request IRQ: %d\n", err);
+--- a/drivers/pci/host/pcie-rcar.c
++++ b/drivers/pci/host/pcie-rcar.c
+@@ -694,14 +694,16 @@ static int rcar_pcie_enable_msi(struct r
+
+ /* Two irqs are for MSI, but they are also used for non-MSI irqs */
+ err = devm_request_irq(&pdev->dev, msi->irq1, rcar_pcie_msi_irq,
+- IRQF_SHARED, rcar_msi_irq_chip.name, pcie);
++ IRQF_SHARED | IRQF_NO_THREAD,
++ rcar_msi_irq_chip.name, pcie);
+ if (err < 0) {
+ dev_err(&pdev->dev, "failed to request IRQ: %d\n", err);
+ goto err;
+ }
+
+ err = devm_request_irq(&pdev->dev, msi->irq2, rcar_pcie_msi_irq,
+- IRQF_SHARED, rcar_msi_irq_chip.name, pcie);
++ IRQF_SHARED | IRQF_NO_THREAD,
++ rcar_msi_irq_chip.name, pcie);
+ if (err < 0) {
+ dev_err(&pdev->dev, "failed to request IRQ: %d\n", err);
+ goto err;
+--- a/drivers/pci/host/pcie-spear13xx.c
++++ b/drivers/pci/host/pcie-spear13xx.c
+@@ -281,7 +281,8 @@ static int spear13xx_add_pcie_port(struc
+ return -ENODEV;
+ }
+ ret = devm_request_irq(dev, pp->irq, spear13xx_pcie_irq_handler,
+- IRQF_SHARED, "spear1340-pcie", pp);
++ IRQF_SHARED | IRQF_NO_THREAD,
++ "spear1340-pcie", pp);
+ if (ret) {
+ dev_err(dev, "failed to request irq %d\n", pp->irq);
+ return ret;
+--- a/drivers/pci/host/pcie-xilinx.c
++++ b/drivers/pci/host/pcie-xilinx.c
+@@ -781,7 +781,8 @@ static int xilinx_pcie_parse_dt(struct x
+
+ port->irq = irq_of_parse_and_map(node, 0);
+ err = devm_request_irq(dev, port->irq, xilinx_pcie_intr_handler,
+- IRQF_SHARED, "xilinx-pcie", port);
++ IRQF_SHARED | IRQF_NO_THREAD,
++ "xilinx-pcie", port);
+ if (err) {
+ dev_err(dev, "unable to request irq %d\n", port->irq);
+ return err;
--- /dev/null
+From 3dcc8d39cf15fa3ceabedcffcbd3958fe953555a Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Mon, 9 Nov 2015 20:00:27 +0100
+Subject: PCI: Prevent out of bounds access in numa_node override
+
+From: Mathias Krause <minipli@googlemail.com>
+
+commit 3dcc8d39cf15fa3ceabedcffcbd3958fe953555a upstream.
+
+Commit 1266963170f5 ("PCI: Prevent out of bounds access in numa_node
+override") missed that the user-provided node could also be negative.
+Handle this case as well to avoid out-of-bounds accesses to the
+node_states[] array. However, allow the special value -1, i.e.
+NUMA_NO_NODE, to be able to set the 'no specific node' configuration.
+
+Fixes: 1266963170f5 ("PCI: Prevent out of bounds access in numa_node override")
+Fixes: 63692df103e9 ("PCI: Allow numa_node override via sysfs")
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+CC: Sasha Levin <sasha.levin@oracle.com>
+CC: Prarit Bhargava <prarit@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pci-sysfs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -216,7 +216,10 @@ static ssize_t numa_node_store(struct de
+ if (ret)
+ return ret;
+
+- if (node >= MAX_NUMNODES || !node_online(node))
++ if ((node < 0 && node != NUMA_NO_NODE) || node >= MAX_NUMNODES)
++ return -EINVAL;
++
++ if (node != NUMA_NO_NODE && !node_online(node))
+ return -EINVAL;
+
+ add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK);
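Review bot: The two new range checks in numa_node_store() are easy to misread because the reason -1 is let through is not stated next to them. I would add a comment above the first `if`, e.g. `/* NUMA_NO_NODE (-1) is the only negative value accepted; anything else out of range must not reach node_online() */`. The function starts and ends outside this hunk, so the parsing of `node` is not visible here.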
--- /dev/null
+From ea9a8854161d9580cfabe011c0ae296ecc0e1d4f Mon Sep 17 00:00:00 2001
+From: Alexander Duyck <aduyck@mirantis.com>
+Date: Thu, 29 Oct 2015 16:20:50 -0500
+Subject: PCI: Set SR-IOV NumVFs to zero after enumeration
+
+From: Alexander Duyck <aduyck@mirantis.com>
+
+commit ea9a8854161d9580cfabe011c0ae296ecc0e1d4f upstream.
+
+The enumeration path should leave NumVFs set to zero. But after
+4449f079722c ("PCI: Calculate maximum number of buses required for VFs"),
+we call virtfn_max_buses() in the enumeration path, which changes NumVFs.
+This NumVFs change is visible via lspci and sysfs until a driver enables
+SR-IOV.
+
+Iterate from TotalVFs down to zero so NumVFs is zero when we're finished
+computing the maximum number of buses. Validate offset and stride in
+the loop, so we can test it at every possible NumVFs setting. Rename
+virtfn_max_buses() to compute_max_vf_buses() to hint that it does have a
+side effect of updating iov->max_VF_buses.
+
+[bhelgaas: changelog, rename, allow numVF==1 && stride==0, rework loop,
+reverse sense of error path]
+Fixes: 4449f079722c ("PCI: Calculate maximum number of buses required for VFs")
+Based-on-patch-by: Ethan Zhao <ethan.zhao@oracle.com>
+Signed-off-by: Alexander Duyck <aduyck@mirantis.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/iov.c | 41 ++++++++++++++++++++++-------------------
+ 1 file changed, 22 insertions(+), 19 deletions(-)
+
+--- a/drivers/pci/iov.c
++++ b/drivers/pci/iov.c
+@@ -54,24 +54,29 @@ static inline void pci_iov_set_numvfs(st
+ * The PF consumes one bus number. NumVFs, First VF Offset, and VF Stride
+ * determine how many additional bus numbers will be consumed by VFs.
+ *
+- * Iterate over all valid NumVFs and calculate the maximum number of bus
+- * numbers that could ever be required.
++ * Iterate over all valid NumVFs, validate offset and stride, and calculate
++ * the maximum number of bus numbers that could ever be required.
+ */
+-static inline u8 virtfn_max_buses(struct pci_dev *dev)
++static int compute_max_vf_buses(struct pci_dev *dev)
+ {
+ struct pci_sriov *iov = dev->sriov;
+- int nr_virtfn;
+- u8 max = 0;
+- int busnr;
++ int nr_virtfn, busnr, rc = 0;
+
+- for (nr_virtfn = 1; nr_virtfn <= iov->total_VFs; nr_virtfn++) {
++ for (nr_virtfn = iov->total_VFs; nr_virtfn; nr_virtfn--) {
+ pci_iov_set_numvfs(dev, nr_virtfn);
++ if (!iov->offset || (nr_virtfn > 1 && !iov->stride)) {
++ rc = -EIO;
++ goto out;
++ }
++
+ busnr = pci_iov_virtfn_bus(dev, nr_virtfn - 1);
+- if (busnr > max)
+- max = busnr;
++ if (busnr > iov->max_VF_buses)
++ iov->max_VF_buses = busnr;
+ }
+
+- return max;
++out:
++ pci_iov_set_numvfs(dev, 0);
++ return rc;
+ }
+
+ static struct pci_bus *virtfn_add_bus(struct pci_bus *bus, int busnr)
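Review bot: compute_max_vf_buses() now only ever raises `iov->max_VF_buses` and never sets it before the loop, where the old code started from a local `max = 0`. That is correct only if the `pci_sriov` object is zeroed when it is allocated, which this hunk does not show; an explicit `iov->max_VF_buses = 0;` before the `for` would make the function self-contained. The header comment could also state that NumVFs is left at 0 on both the success and the `-EIO` path, since that side effect is the purpose of the change.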
+@@ -384,7 +389,7 @@ static int sriov_init(struct pci_dev *de
+ int rc;
+ int nres;
+ u32 pgsz;
+- u16 ctrl, total, offset, stride;
++ u16 ctrl, total;
+ struct pci_sriov *iov;
+ struct resource *res;
+ struct pci_dev *pdev;
+@@ -414,11 +419,6 @@ static int sriov_init(struct pci_dev *de
+
+ found:
+ pci_write_config_word(dev, pos + PCI_SRIOV_CTRL, ctrl);
+- pci_write_config_word(dev, pos + PCI_SRIOV_NUM_VF, 0);
+- pci_read_config_word(dev, pos + PCI_SRIOV_VF_OFFSET, &offset);
+- pci_read_config_word(dev, pos + PCI_SRIOV_VF_STRIDE, &stride);
+- if (!offset || (total > 1 && !stride))
+- return -EIO;
+
+ pci_read_config_dword(dev, pos + PCI_SRIOV_SUP_PGSIZE, &pgsz);
+ i = PAGE_SHIFT > 12 ? PAGE_SHIFT - 12 : 0;
+@@ -456,8 +456,6 @@ found:
+ iov->nres = nres;
+ iov->ctrl = ctrl;
+ iov->total_VFs = total;
+- iov->offset = offset;
+- iov->stride = stride;
+ iov->pgsz = pgsz;
+ iov->self = dev;
+ pci_read_config_dword(dev, pos + PCI_SRIOV_CAP, &iov->cap);
+@@ -474,10 +472,15 @@ found:
+
+ dev->sriov = iov;
+ dev->is_physfn = 1;
+- iov->max_VF_buses = virtfn_max_buses(dev);
++ rc = compute_max_vf_buses(dev);
++ if (rc)
++ goto fail_max_buses;
+
+ return 0;
+
++fail_max_buses:
++ dev->sriov = NULL;
++ dev->is_physfn = 0;
+ failed:
+ for (i = 0; i < PCI_SRIOV_NUM_BARS; i++) {
+ res = &dev->resource[i + PCI_IOV_RESOURCES];
--- /dev/null
+From fa3b7cbab548b15da438b0cc13aa515f7f291f4d Mon Sep 17 00:00:00 2001
+From: Gabriele Paoloni <gabriele.paoloni@huawei.com>
+Date: Thu, 8 Oct 2015 14:27:38 -0500
+Subject: PCI: spear: Fix dw_pcie_cfg_read/write() usage
+
+From: Gabriele Paoloni <gabriele.paoloni@huawei.com>
+
+commit fa3b7cbab548b15da438b0cc13aa515f7f291f4d upstream.
+
+The first argument of dw_pcie_cfg_read/write() is a 32-bit aligned address.
+The second argument is the byte offset into a 32-bit word, and
+dw_pcie_cfg_read/write() only look at the low two bits.
+
+SPEAr13xx used dw_pcie_cfg_read() and dw_pcie_cfg_write() incorrectly: it
+passed important address bits in the second argument, where they were
+ignored.
+
+Pass the complete 32-bit word address in the first argument and only the
+2-bit offset into that word in the second argument.
+
+Without this fix, SPEAr13xx host will never work with few buggy gen1 card
+which connects with only gen1 host and also with any endpoint which would
+generate a read request of more than 128 bytes.
+
+[bhelgaas: changelog]
+Reported-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Pratyush Anand <panand@redhat.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/host/pcie-spear13xx.c | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+--- a/drivers/pci/host/pcie-spear13xx.c
++++ b/drivers/pci/host/pcie-spear13xx.c
+@@ -163,34 +163,36 @@ static int spear13xx_pcie_establish_link
+ * default value in capability register is 512 bytes. So force
+ * it to 128 here.
+ */
+- dw_pcie_cfg_read(pp->dbi_base, exp_cap_off + PCI_EXP_DEVCTL, 4, &val);
++ dw_pcie_cfg_read(pp->dbi_base + exp_cap_off + PCI_EXP_DEVCTL,
++ 0, 2, &val);
+ val &= ~PCI_EXP_DEVCTL_READRQ;
+- dw_pcie_cfg_write(pp->dbi_base, exp_cap_off + PCI_EXP_DEVCTL, 4, val);
++ dw_pcie_cfg_write(pp->dbi_base + exp_cap_off + PCI_EXP_DEVCTL,
++ 0, 2, val);
+
+- dw_pcie_cfg_write(pp->dbi_base, PCI_VENDOR_ID, 2, 0x104A);
+- dw_pcie_cfg_write(pp->dbi_base, PCI_DEVICE_ID, 2, 0xCD80);
++ dw_pcie_cfg_write(pp->dbi_base + PCI_VENDOR_ID, 0, 2, 0x104A);
++ dw_pcie_cfg_write(pp->dbi_base + PCI_VENDOR_ID, 2, 2, 0xCD80);
+
+ /*
+ * if is_gen1 is set then handle it, so that some buggy card
+ * also works
+ */
+ if (spear13xx_pcie->is_gen1) {
+- dw_pcie_cfg_read(pp->dbi_base, exp_cap_off + PCI_EXP_LNKCAP, 4,
+- &val);
++ dw_pcie_cfg_read(pp->dbi_base + exp_cap_off + PCI_EXP_LNKCAP,
++ 0, 4, &val);
+ if ((val & PCI_EXP_LNKCAP_SLS) != PCI_EXP_LNKCAP_SLS_2_5GB) {
+ val &= ~((u32)PCI_EXP_LNKCAP_SLS);
+ val |= PCI_EXP_LNKCAP_SLS_2_5GB;
+- dw_pcie_cfg_write(pp->dbi_base, exp_cap_off +
+- PCI_EXP_LNKCAP, 4, val);
++ dw_pcie_cfg_write(pp->dbi_base + exp_cap_off +
++ PCI_EXP_LNKCAP, 0, 4, val);
+ }
+
+- dw_pcie_cfg_read(pp->dbi_base, exp_cap_off + PCI_EXP_LNKCTL2, 4,
+- &val);
++ dw_pcie_cfg_read(pp->dbi_base + exp_cap_off + PCI_EXP_LNKCTL2,
++ 0, 2, &val);
+ if ((val & PCI_EXP_LNKCAP_SLS) != PCI_EXP_LNKCAP_SLS_2_5GB) {
+ val &= ~((u32)PCI_EXP_LNKCAP_SLS);
+ val |= PCI_EXP_LNKCAP_SLS_2_5GB;
+- dw_pcie_cfg_write(pp->dbi_base, exp_cap_off +
+- PCI_EXP_LNKCTL2, 4, val);
++ dw_pcie_cfg_write(pp->dbi_base + exp_cap_off +
++ PCI_EXP_LNKCTL2, 0, 2, val);
+ }
+ }
+
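Review bot: The device-ID write is now spelled `dw_pcie_cfg_write(pp->dbi_base + PCI_VENDOR_ID, 2, 2, 0xCD80)`, and with `PCI_DEVICE_ID` gone from the call nothing on the line says which register is being set. A comment such as `/* device ID: upper 16 bits of the vendor/device dword */` would help. The other calls pass a literal 0 as the offset, which relies on `exp_cap_off` plus the register constant being 4-byte aligned; a one-line comment stating that assumption would be useful too. The enclosing function starts and ends outside the hunk.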
--- /dev/null
+From 3824657c522f19f85a76bd932821174a5557a382 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Fri, 6 Nov 2015 16:30:38 -0800
+Subject: printk: prevent userland from spoofing kernel messages
+
+From: Mathias Krause <minipli@googlemail.com>
+
+commit 3824657c522f19f85a76bd932821174a5557a382 upstream.
+
+The following statement of ABI/testing/dev-kmsg is not quite right:
+
+ It is not possible to inject messages from userspace with the
+ facility number LOG_KERN (0), to make sure that the origin of the
+ messages can always be reliably determined.
+
+Userland actually can inject messages with a facility of 0 by abusing the
+fact that the facility is stored in a u8 data type. By using a facility
+which is a multiple of 256 the assignment of msg->facility in log_store()
+implicitly truncates it to 0, i.e. LOG_KERN, allowing users of /dev/kmsg
+to spoof kernel messages as shown below:
+
+The following call...
+ # printf '<%d>Kernel panic - not syncing: beer empty\n' 0 >/dev/kmsg
+...leads to the following log entry (dmesg -x | tail -n 1):
+ user :emerg : [ 66.137758] Kernel panic - not syncing: beer empty
+
+However, this call...
+ # printf '<%d>Kernel panic - not syncing: beer empty\n' 0x800 >/dev/kmsg
+...leads to the slightly different log entry (note the kernel facility):
+ kern :emerg : [ 74.177343] Kernel panic - not syncing: beer empty
+
+Fix that by limiting the user provided facility to 8 bit right from the
+beginning and catch the truncation early.
+
+Fixes: 7ff9554bb578 ("printk: convert byte-buffer to variable-length...")
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Petr Mladek <pmladek@suse.cz>
+Cc: Alex Elder <elder@linaro.org>
+Cc: Joe Perches <joe@perches.com>
+Cc: Kay Sievers <kay@vrfy.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/printk/printk.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -269,6 +269,9 @@ static u32 clear_idx;
+ #define PREFIX_MAX 32
+ #define LOG_LINE_MAX (1024 - PREFIX_MAX)
+
++#define LOG_LEVEL(v) ((v) & 0x07)
++#define LOG_FACILITY(v) ((v) >> 3 & 0xff)
++
+ /* record buffer */
+ #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
+ #define LOG_ALIGN 4
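Review bot: `LOG_FACILITY(v)` is written `((v) >> 3 & 0xff)`, which depends on `>>` binding tighter than `&`. It evaluates correctly, but the inner grouping should be explicit: `#define LOG_FACILITY(v) (((v) >> 3) & 0xff)`. Both macros also deserve a one-line comment, e.g. `/* syslog prefix value: low 3 bits level, next 8 bits facility */`.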
+@@ -611,7 +614,6 @@ struct devkmsg_user {
+ static ssize_t devkmsg_write(struct kiocb *iocb, struct iov_iter *from)
+ {
+ char *buf, *line;
+- int i;
+ int level = default_message_loglevel;
+ int facility = 1; /* LOG_USER */
+ size_t len = iov_iter_count(from);
+@@ -641,12 +643,13 @@ static ssize_t devkmsg_write(struct kioc
+ line = buf;
+ if (line[0] == '<') {
+ char *endp = NULL;
++ unsigned int u;
+
+- i = simple_strtoul(line+1, &endp, 10);
++ u = simple_strtoul(line + 1, &endp, 10);
+ if (endp && endp[0] == '>') {
+- level = i & 7;
+- if (i >> 3)
+- facility = i >> 3;
++ level = LOG_LEVEL(u);
++ if (LOG_FACILITY(u) != 0)
++ facility = LOG_FACILITY(u);
+ endp++;
+ len -= endp - line;
+ line = endp;
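Review bot: Nothing at the `if (LOG_FACILITY(u) != 0)` test says that it is what keeps userspace from tagging a record LOG_KERN, by leaving the default LOG_USER in place when the facility bits mask to 0. A comment there would protect the check from later cleanup, e.g. `/* facility 0 (LOG_KERN) is reserved for the kernel; fall back to LOG_USER */`. `simple_strtoul()` also returns `unsigned long`, and the assignment to `unsigned int u` silently drops high bits, so oversized prefixes are folded rather than rejected; if that is intended it should be stated. devkmsg_write() starts and ends outside the hunk.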
--- /dev/null
+From 47796938c46b943d157ac8a6f9ed4e3b98b83cf4 Mon Sep 17 00:00:00 2001
+From: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
+Date: Thu, 29 Oct 2015 10:24:23 -0200
+Subject: Revert "dm mpath: fix stalls when handling invalid ioctls"
+
+From: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
+
+commit 47796938c46b943d157ac8a6f9ed4e3b98b83cf4 upstream.
+
+This reverts commit a1989b330093578ea5470bea0a00f940c444c466.
+
+That commit introduced a regression at least for the case of the SG_IO ioctl()
+running without CAP_SYS_RAWIO capability (e.g., unprivileged users) when there
+are no active paths: the ioctl() fails with the ENOTTY errno immediately rather
+than blocking due to queue_if_no_path until a path becomes active, for example.
+
+That case happens to be exercised by QEMU KVM guests with 'scsi-block' devices
+(qemu "-device scsi-block" [1], libvirt "<disk type='block' device='lun'>" [2])
+from multipath devices; which leads to SCSI/filesystem errors in such a guest.
+
+More general scenarios can hit that regression too. The following demonstration
+employs a SG_IO ioctl() with a standard SCSI INQUIRY command for this objective
+(some output & user changes omitted for brevity and comments added for clarity).
+
+Reverting that commit restores normal operation (queueing) in failing scenarios;
+tested on linux-next (next-20151022).
+
+1) Test-case is based on sg_simple0 [3] (just SG_IO; remove SG_GET_VERSION_NUM)
+
+ $ cat sg_simple0.c
+ ... see [3] ...
+ $ sed '/SG_GET_VERSION_NUM/,/}/d' sg_simple0.c > sgio_inquiry.c
+ $ gcc sgio_inquiry.c -o sgio_inquiry
+
+2) The ioctl() works fine with active paths present.
+
+ # multipath -l 85ag56
+ 85ag56 (...) dm-19 IBM ,2145
+ size=60G features='1 queue_if_no_path' hwhandler='0' wp=rw
+ |-+- policy='service-time 0' prio=0 status=active
+ | |- 8:0:11:0 sdz 65:144 active undef running
+ | `- 9:0:9:0 sdbf 67:144 active undef running
+ `-+- policy='service-time 0' prio=0 status=enabled
+ |- 8:0:12:0 sdae 65:224 active undef running
+ `- 9:0:12:0 sdbo 68:32 active undef running
+
+ $ ./sgio_inquiry /dev/mapper/85ag56
+ Some of the INQUIRY command's response:
+ IBM 2145 0000
+ INQUIRY duration=0 millisecs, resid=0
+
+3) The ioctl() fails with ENOTTY errno with _no_ active paths present,
+ for unprivileged users (rather than blocking due to queue_if_no_path).
+
+ # for path in $(multipath -l 85ag56 | grep -o 'sd[a-z]\+'); \
+ do multipathd -k"fail path $path"; done
+
+ # multipath -l 85ag56
+ 85ag56 (...) dm-19 IBM ,2145
+ size=60G features='1 queue_if_no_path' hwhandler='0' wp=rw
+ |-+- policy='service-time 0' prio=0 status=enabled
+ | |- 8:0:11:0 sdz 65:144 failed undef running
+ | `- 9:0:9:0 sdbf 67:144 failed undef running
+ `-+- policy='service-time 0' prio=0 status=enabled
+ |- 8:0:12:0 sdae 65:224 failed undef running
+ `- 9:0:12:0 sdbo 68:32 failed undef running
+
+ $ ./sgio_inquiry /dev/mapper/85ag56
+ sg_simple0: Inquiry SG_IO ioctl error: Inappropriate ioctl for device
+
+4) dmesg shows that scsi_verify_blk_ioctl() failed for SG_IO (0x2285);
+ it returns -ENOIOCTLCMD, later replaced with -ENOTTY in vfs_ioctl().
+
+ $ dmesg
+ <...>
+ [] device-mapper: multipath: Failing path 65:144.
+ [] device-mapper: multipath: Failing path 67:144.
+ [] device-mapper: multipath: Failing path 65:224.
+ [] device-mapper: multipath: Failing path 68:32.
+ [] sgio_inquiry: sending ioctl 2285 to a partition!
+
+5) The ioctl() only works if the CAP_SYS_RAWIO capability is present
+ (then queueing happens -- in this example, queue_if_no_path is set);
+ this is due to a conditional check in scsi_verify_blk_ioctl().
+
+ # capsh --drop=cap_sys_rawio -- -c './sgio_inquiry /dev/mapper/85ag56'
+ sg_simple0: Inquiry SG_IO ioctl error: Inappropriate ioctl for device
+
+ # ./sgio_inquiry /dev/mapper/85ag56 &
+ [1] 72830
+
+ # cat /proc/72830/stack
+ [<c00000171c0df700>] 0xc00000171c0df700
+ [<c000000000015934>] __switch_to+0x204/0x350
+ [<c000000000152d4c>] msleep+0x5c/0x80
+ [<c00000000077dfb0>] dm_blk_ioctl+0x70/0x170
+ [<c000000000487c40>] blkdev_ioctl+0x2b0/0x9b0
+ [<c0000000003128e4>] block_ioctl+0x64/0xd0
+ [<c0000000002dd3b0>] do_vfs_ioctl+0x490/0x780
+ [<c0000000002dd774>] SyS_ioctl+0xd4/0xf0
+ [<c000000000009358>] system_call+0x38/0xd0
+
+6) This is the function call chain exercised in this analysis:
+
+SYSCALL_DEFINE3(ioctl, <...>) @ fs/ioctl.c
+ -> do_vfs_ioctl()
+ -> vfs_ioctl()
+ ...
+ error = filp->f_op->unlocked_ioctl(filp, cmd, arg);
+ ...
+ -> dm_blk_ioctl() @ drivers/md/dm.c
+ -> multipath_ioctl() @ drivers/md/dm-mpath.c
+ ...
+ (bdev = NULL, due to no active paths)
+ ...
+ if (!bdev || <...>) {
+ int err = scsi_verify_blk_ioctl(NULL, cmd);
+ if (err)
+ r = err;
+ }
+ ...
+ -> scsi_verify_blk_ioctl() @ block/scsi_ioctl.c
+ ...
+ if (bd && bd == bd->bd_contains) // not taken (bd = NULL)
+ return 0;
+ ...
+ if (capable(CAP_SYS_RAWIO)) // not taken (unprivileged user)
+ return 0;
+ ...
+ printk_ratelimited(KERN_WARNING
+ "%s: sending ioctl %x to a partition!\n" <...>);
+
+ return -ENOIOCTLCMD;
+ <-
+ ...
+ return r ? : <...>
+ <-
+ ...
+ if (error == -ENOIOCTLCMD)
+ error = -ENOTTY;
+ out:
+ return error;
+ ...
+
+Links:
+[1] http://git.qemu.org/?p=qemu.git;a=commit;h=336a6915bc7089fb20fea4ba99972ad9a97c5f52
+[2] https://libvirt.org/formatdomain.html#elementsDisks (see 'disk' -> 'device')
+[3] http://tldp.org/HOWTO/SCSI-Generic-HOWTO/pexample.html (Revision 1.2, 2002-05-03)
+
+Signed-off-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-mpath.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/md/dm-mpath.c
++++ b/drivers/md/dm-mpath.c
+@@ -1569,11 +1569,8 @@ static int multipath_ioctl(struct dm_tar
+ /*
+ * Only pass ioctls through if the device sizes match exactly.
+ */
+- if (!bdev || ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT) {
+- int err = scsi_verify_blk_ioctl(NULL, cmd);
+- if (err)
+- r = err;
+- }
++ if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)
++ r = scsi_verify_blk_ioctl(NULL, cmd);
+
+ if (r == -ENOTCONN && !fatal_signal_pending(current)) {
+ spin_lock_irqsave(&m->lock, flags);
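Review bot: The new condition `if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)` dereferences `bdev` with no NULL test of its own, so it is safe only if `r` is non-zero on every path that leaves `bdev` NULL. The code that sets `r` and `bdev` is above the hunk, so this cannot be confirmed here; the call chain in the commit message shows `bdev = NULL` when no paths are active. A comment such as `/* r == 0 implies bdev is valid; with no usable path r is already an error */` would make the invariant explicit. It should also be confirmed that the scsi_verify_blk_ioctl() restriction for callers without CAP_SYS_RAWIO is still applied when the queued ioctl is retried after a path becomes active.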
--- /dev/null
+From 823873481b2a17ce5900899f8ef85118f8407b67 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Date: Wed, 11 Nov 2015 09:22:36 -0200
+Subject: [media] Revert "[media] ivtv: avoid going past input/audio array"
+
+From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+
+commit 823873481b2a17ce5900899f8ef85118f8407b67 upstream.
+
+This patch broke ivtv logic, as reported at
+ https://bugzilla.redhat.com/show_bug.cgi?id=1278942
+
+This reverts commit 09290cc885937cab3b2d60a6d48fe3d2d3e04061.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/pci/ivtv/ivtv-driver.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/pci/ivtv/ivtv-driver.c
++++ b/drivers/media/pci/ivtv/ivtv-driver.c
+@@ -805,11 +805,11 @@ static void ivtv_init_struct2(struct ivt
+ {
+ int i;
+
+- for (i = 0; i < IVTV_CARD_MAX_VIDEO_INPUTS - 1; i++)
++ for (i = 0; i < IVTV_CARD_MAX_VIDEO_INPUTS; i++)
+ if (itv->card->video_inputs[i].video_type == 0)
+ break;
+ itv->nof_inputs = i;
+- for (i = 0; i < IVTV_CARD_MAX_AUDIO_INPUTS - 1; i++)
++ for (i = 0; i < IVTV_CARD_MAX_AUDIO_INPUTS; i++)
+ if (itv->card->audio_inputs[i].audio_type == 0)
+ break;
+ itv->nof_audio_inputs = i;
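Review bot: With the bound restored to `i < IVTV_CARD_MAX_VIDEO_INPUTS` (and likewise in the audio loop), both loops stay in bounds only if `video_inputs[]` and `audio_inputs[]` are declared with exactly those sizes. A card table with no zero-typed terminator then leaves `nof_inputs` equal to the maximum. Neither array declaration is visible in this hunk. The reverted commit shows this bound has already been mistaken for an overrun once, so a comment above the loops would help: `/* arrays hold IVTV_CARD_MAX_*_INPUTS entries; a full table has no zero terminator, so the count may equal the maximum */`.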
ocfs2-dlm-ignore-cleaning-the-migration-mle-that-is-inuse.patch
ocfs2-dlm-clear-refmap-bit-of-recovery-lock-while-doing-local-recovery-cleanup.patch
sh64-fix-__nr_fgetxattr.patch
+dm-initialize-non-blk-mq-queue-data-before-queue-is-used.patch
+revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch
+spi-omap2-mcspi-disable-other-channels-chconf_force-in-prepare_message.patch
+spi-atmel-fix-dma-setup-for-transfers-with-more-than-8-bits-per-word.patch
+spi-ti-qspi-fix-data-corruption-seen-on-r-w-stress-test.patch
+spi-fix-parent-device-reference-leak.patch
+wlcore-wl12xx-spi-fix-oops-on-firmware-load.patch
+wlcore-wl12xx-spi-fix-null-pointer-dereference-oops.patch
+spi-spi-xilinx-fix-race-condition-on-last-word-read.patch
+tpm-tpm_crb-fix-unaligned-read-of-the-command-buffer-address.patch
+vtpm-fix-memory-allocation-flag-for-rtce-buffer-at-kernel-boot.patch
+tpm_tis-free-irq-after-probing.patch
+tpm-revert-the-list-handling-logic-fixed-in-398a1e7.patch
+integrity-prevent-loading-untrusted-certificates-on-the-ima-trusted-keyring.patch
+mtd-mtdpart-fix-add_mtd_partitions-error-path.patch
+mtd-blkdevs-fix-potential-deadlock-lockdep-warnings.patch
+mtd-nand-fix-shutdown-reboot-for-multi-chip-systems.patch
+mtd-jz4740_nand-fix-build-on-jz4740-after-removing-gpio.h.patch
+mtd-ubi-fixup-error-correction-in-do_sync_erase.patch
+mtd-ubi-don-t-leak-e-if-schedule_erase-fails.patch
+pci-spear-fix-dw_pcie_cfg_read-write-usage.patch
+pci-set-sr-iov-numvfs-to-zero-after-enumeration.patch
+pci-prevent-out-of-bounds-access-in-numa_node-override.patch
+pci-host-mark-pcie-pci-msi-irq-cascade-handlers-as-irqf_no_thread.patch
+pci-fix-minimum-allocation-address-overwrite.patch
+tracing-update-instance_rmdir-to-use-tracefs_remove_recursive.patch
+tracing-fix-setting-of-start_index-in-find_next.patch
+tracing-stacktrace-show-entire-trace-if-passed-in-function-not-found.patch
+tracefs-fix-refcount-imbalance-in-start_creating.patch
+jbd2-fix-checkpoint-list-cleanup.patch
+jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch
+jbd2-fix-null-committed-data-return-in-undo_access.patch
+fix-calculation-of-meta_bg-descriptor-backups.patch
+printk-prevent-userland-from-spoofing-kernel-messages.patch
+parisc-fixes-and-cleanups-in-kernel-uapi-header-files.patch
+parisc-drop-unused-madv_xxxk_pages-flags-from-asm-mman.h.patch
+parisc-fix-syscall-restarts.patch
+parisc-fix-__arch_si_preamble_size.patch
+xtensa-fixes-for-configs-without-loop-option.patch
+xtensa-fix-secondary-core-boot-in-smp.patch
+i2c-at91-fix-write-transfers-by-clearing-pending-interrupt-first.patch
+i2c-at91-manage-unexpected-rxrdy-flag-when-starting-a-transfer.patch
+i2c-fix-wakeup-irq-parsing.patch
+media-i2c-don-t-export-ir-kbd-i2c-module-alias.patch
+i2c-mv64xxx-the-n-clockdiv-factor-is-0-based-on-sunxi-socs.patch
+i2c-rk3x-populate-correct-variable-for-sda_falling_time.patch
+i2c-rcar-disable-runtime-pm-correctly-in-slave-mode.patch
+vivid-fix-iteration-in-driver-removal-path.patch
+v4l2-compat-ioctl32-fix-alignment-for-arm64.patch
+c8sectpfe-remove-select-on-config_fw_loader_user_helper_fallback.patch
+v4l2-ctrls-arrays-are-also-considered-compound-controls.patch
+media-v4l2-ctrls-fix-64bit-support-in-get_ctrl.patch
+media-vb2-dma-contig-fully-cache-synchronise-buffers-in-prepare-and-finish.patch
+media-vb2-dma-sg-fully-cache-synchronise-buffers-in-prepare-and-finish.patch
+media-v4l2-ctrls-fix-setting-autocluster-to-manual-with-vidioc_s_ctrl.patch
+revert-ivtv-avoid-going-past-input-audio-array.patch
--- /dev/null
+From 06515f83908d038d9e12ffa3dcca27a1b67f2de0 Mon Sep 17 00:00:00 2001
+From: David Mosberger-Tang <davidm@egauge.net>
+Date: Tue, 20 Oct 2015 14:26:47 +0200
+Subject: spi: atmel: Fix DMA-setup for transfers with more than 8 bits per word
+
+From: David Mosberger-Tang <davidm@egauge.net>
+
+commit 06515f83908d038d9e12ffa3dcca27a1b67f2de0 upstream.
+
+The DMA-slave configuration depends on the whether <= 8 or > 8 bits
+are transferred per word, so we need to call
+atmel_spi_dma_slave_config() with the correct value.
+
+Signed-off-by: David Mosberger <davidm@egauge.net>
+Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-atmel.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-atmel.c
++++ b/drivers/spi/spi-atmel.c
+@@ -773,7 +773,8 @@ static int atmel_spi_next_xfer_dma_submi
+
+ *plen = len;
+
+- if (atmel_spi_dma_slave_config(as, &slave_config, 8))
++ if (atmel_spi_dma_slave_config(as, &slave_config,
++ xfer->bits_per_word))
+ goto err_exit;
+
+ /* Send both scatterlists */
--- /dev/null
+From 157f38f993919b648187ba341bfb05d0e91ad2f6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 14 Dec 2015 16:16:19 +0100
+Subject: spi: fix parent-device reference leak
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 157f38f993919b648187ba341bfb05d0e91ad2f6 upstream.
+
+Fix parent-device reference leak due to SPI-core taking an unnecessary
+reference to the parent when allocating the master structure, a
+reference that was never released.
+
+Note that driver core takes its own reference to the parent when the
+master device is registered.
+
+Fixes: 49dce689ad4e ("spi doesn't need class_device")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -1627,7 +1627,7 @@ struct spi_master *spi_alloc_master(stru
+ master->bus_num = -1;
+ master->num_chipselect = 1;
+ master->dev.class = &spi_master_class;
+- master->dev.parent = get_device(dev);
++ master->dev.parent = dev;
+ spi_master_set_devdata(master, &master[1]);
+
+ return master;
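Review bot: After this change `master->dev.parent = dev;` stores the parent without pinning it, so between spi_alloc_master() and registration the caller has to keep `dev` alive. The commit message says the driver core takes its own reference only when the master is registered. A one-line comment at the assignment, `/* no reference taken here; driver core pins the parent when the master is registered */`, would keep the get_device() from being reintroduced. The function starts outside the hunk.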
--- /dev/null
+From 468a32082b04c7febccfcd55b06ecbc438fcddcc Mon Sep 17 00:00:00 2001
+From: Neil Armstrong <narmstrong@baylibre.com>
+Date: Fri, 9 Oct 2015 15:47:41 +0200
+Subject: spi: omap2-mcspi: disable other channels CHCONF_FORCE in prepare_message
+
+From: Neil Armstrong <narmstrong@baylibre.com>
+
+commit 468a32082b04c7febccfcd55b06ecbc438fcddcc upstream.
+
+Since the "Switch driver to use transfer_one" change, the cs_change
+behavior has changed and a channel chip select can still be
+asserted when changing channel from a previous last transfer in a
+message having the cs_change attribute.
+
+Since there is no sense having multiple chip select being asserted at the
+same time, disable all the remaining forced chip selects in a the
+prepare_message called right before a spi_transfer_one_message call.
+It ignores the current channel configuration in order to keep the
+possibility to leave the chip select asserted between messages.
+
+It fixes this bug on a DM8168 SoC ES2.1 Soc and an OMAP4 ES2.1 SoC.
+It was hanging all the other channels transfers when a CHCONF_FORCE
+is present on the wrong channel.
+
+Fixes: b28cb9414db9 ("spi: omap2-mcspi: Switch driver to use transfer_one")
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Reviewed-by: Michael Welling <mwelling@ieee.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-omap2-mcspi.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+--- a/drivers/spi/spi-omap2-mcspi.c
++++ b/drivers/spi/spi-omap2-mcspi.c
+@@ -1217,6 +1217,33 @@ out:
+ return status;
+ }
+
++static int omap2_mcspi_prepare_message(struct spi_master *master,
++ struct spi_message *msg)
++{
++ struct omap2_mcspi *mcspi = spi_master_get_devdata(master);
++ struct omap2_mcspi_regs *ctx = &mcspi->ctx;
++ struct omap2_mcspi_cs *cs;
++
++ /* Only a single channel can have the FORCE bit enabled
++ * in its chconf0 register.
++ * Scan all channels and disable them except the current one.
++ * A FORCE can remain from a last transfer having cs_change enabled
++ */
++ list_for_each_entry(cs, &ctx->cs, node) {
++ if (msg->spi->controller_state == cs)
++ continue;
++
++ if ((cs->chconf0 & OMAP2_MCSPI_CHCONF_FORCE)) {
++ cs->chconf0 &= ~OMAP2_MCSPI_CHCONF_FORCE;
++ writel_relaxed(cs->chconf0,
++ cs->base + OMAP2_MCSPI_CHCONF0);
++ readl_relaxed(cs->base + OMAP2_MCSPI_CHCONF0);
++ }
++ }
++
++ return 0;
++}
++
+ static int omap2_mcspi_transfer_one(struct spi_master *master,
+ struct spi_device *spi, struct spi_transfer *t)
+ {
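Review bot: omap2_mcspi_prepare_message() walks `ctx->cs` and rewrites `chconf0` of the other channels without taking a lock, and nothing in the hunk shows what serializes it against code that adds or removes entries on that list. If the SPI core's message pump is the only guarantee, a comment on the function should say so. The `readl_relaxed()` after `writel_relaxed()` is also unexplained; if it is there to flush the posted write, `/* read back to flush the posted write */` would record that. The doubled parentheses in `if ((cs->chconf0 & OMAP2_MCSPI_CHCONF_FORCE))` can be dropped.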
+@@ -1344,6 +1371,7 @@ static int omap2_mcspi_probe(struct plat
+ master->bits_per_word_mask = SPI_BPW_RANGE_MASK(4, 32);
+ master->setup = omap2_mcspi_setup;
+ master->auto_runtime_pm = true;
++ master->prepare_message = omap2_mcspi_prepare_message;
+ master->transfer_one = omap2_mcspi_transfer_one;
+ master->set_cs = omap2_mcspi_set_cs;
+ master->cleanup = omap2_mcspi_cleanup;
--- /dev/null
+From eca37c7c117460e2fbe4e32c991bff32a961f688 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
+Date: Wed, 28 Oct 2015 16:16:02 +0100
+Subject: spi/spi-xilinx: Fix race condition on last word read
+
+From: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
+
+commit eca37c7c117460e2fbe4e32c991bff32a961f688 upstream.
+
+Some users have reported that in polled mode the driver fails randomly
+to read the last word of the transfer.
+
+The end condition used for the transmissions (in polled and irq mode)
+has been the TX_EMPTY flag. But Lars-Peter Clausen has identified a delay
+from the TX_EMPTY to the actual end of the data rx.
+
+I believe that this race condition has not been detected until now
+because of the latency added by the IRQ handler or the PCIe bridge.
+This bugs affects setups with low latency access to the spi core.
+
+This patch replaces the readout logic:
+
+For all the words, except the last one, the TX_EMPTY flag is used (and
+cached).
+
+If !TX_EMPTY, or if it is the last word, the status register is read and
+the RX_EMPTY flag is used.
+
+The performance is not affected: there is an extra read of the
+Status Register, but the readout can start as soon as there is a word
+in the buffer.
+
+Reported-by: Edward Kigwana <ekigwana@scires.com>
+Initial-fix-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-xilinx.c | 38 ++++++++++++++++++++++++--------------
+ 1 file changed, 24 insertions(+), 14 deletions(-)
+
+--- a/drivers/spi/spi-xilinx.c
++++ b/drivers/spi/spi-xilinx.c
+@@ -270,6 +270,7 @@ static int xilinx_spi_txrx_bufs(struct s
+
+ while (remaining_words) {
+ int n_words, tx_words, rx_words;
++ u32 sr;
+
+ n_words = min(remaining_words, xspi->buffer_size);
+
+@@ -284,24 +285,33 @@ static int xilinx_spi_txrx_bufs(struct s
+ if (use_irq) {
+ xspi->write_fn(cr, xspi->regs + XSPI_CR_OFFSET);
+ wait_for_completion(&xspi->done);
+- } else
+- while (!(xspi->read_fn(xspi->regs + XSPI_SR_OFFSET) &
+- XSPI_SR_TX_EMPTY_MASK))
+- ;
+-
+- /* A transmit has just completed. Process received data and
+- * check for more data to transmit. Always inhibit the
+- * transmitter while the Isr refills the transmit register/FIFO,
+- * or make sure it is stopped if we're done.
+- */
+- if (use_irq)
++ /* A transmit has just completed. Process received data
++ * and check for more data to transmit. Always inhibit
++ * the transmitter while the Isr refills the transmit
++ * register/FIFO, or make sure it is stopped if we're
++ * done.
++ */
+ xspi->write_fn(cr | XSPI_CR_TRANS_INHIBIT,
+- xspi->regs + XSPI_CR_OFFSET);
++ xspi->regs + XSPI_CR_OFFSET);
++ sr = XSPI_SR_TX_EMPTY_MASK;
++ } else
++ sr = xspi->read_fn(xspi->regs + XSPI_SR_OFFSET);
+
+ /* Read out all the data from the Rx FIFO */
+ rx_words = n_words;
+- while (rx_words--)
+- xilinx_spi_rx(xspi);
++ while (rx_words) {
++ if ((sr & XSPI_SR_TX_EMPTY_MASK) && (rx_words > 1)) {
++ xilinx_spi_rx(xspi);
++ rx_words--;
++ continue;
++ }
++
++ sr = xspi->read_fn(xspi->regs + XSPI_SR_OFFSET);
++ if (!(sr & XSPI_SR_RX_EMPTY_MASK)) {
++ xilinx_spi_rx(xspi);
++ rx_words--;
++ }
++ }
+
+ remaining_words -= n_words;
+ }
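Review bot: The new read-out loop `while (rx_words)` re-reads the status register until RX_EMPTY clears, with no bound and no `cpu_relax()`, so in polled mode a core that never delivers the last word hangs the calling context. The loop it replaces also polled without a bound, so this is not a regression, but the rewrite is the natural place to fix it. At minimum call `cpu_relax();` when `sr & XSPI_SR_RX_EMPTY_MASK` is set, and consider a timeout that ends the transfer with an error. The `} else` branch is also left without braces although the `if` branch has them. xilinx_spi_txrx_bufs() starts and ends outside the hunk.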
--- /dev/null
+From bc27a53928981662079aa243915b443370294a03 Mon Sep 17 00:00:00 2001
+From: Vignesh R <vigneshr@ti.com>
+Date: Mon, 12 Oct 2015 13:22:02 +0530
+Subject: spi: ti-qspi: Fix data corruption seen on r/w stress test
+
+From: Vignesh R <vigneshr@ti.com>
+
+commit bc27a53928981662079aa243915b443370294a03 upstream.
+
+Writing invalid command to QSPI_SPI_CMD_REG will terminate current
+transfer and de-assert the chip select. This has to be done before
+calling spi_finalize_current_message(). Because
+spi_finalize_current_message() will mark the end of current message
+transfer and schedule the next transfer. If the chipselect is not
+de-asserted before calling spi_finalize_current_message() then the next
+transfer will overlap with the previous transfer leading to data
+corruption.
+__spi_pump_message() can be called either from kthread worker context or
+directly from the calling process's context. It is possible that these
+two calls can race against each other. But race is serialized by
+checking whether master->cur_msg == NULL (pointer to msg being handled
+by transfer_one() at present). The master->cur_msg is set to NULL when
+spi_finalize_current_message() is called on that message, which means
+calling spi_finalize_current_message() allows __spi_sync() to pump next
+message in calling process context.
+Now if spi-ti-qspi calls spi_finalize_current_message() before we
+terminate transfer at hardware side, if __spi_pump_message() is called
+from process context then the successive transactions can overlap.
+
+Fix this by moving writing invalid command to QSPI_SPI_CMD_REG to
+before calling spi_finalize_current_message() call.
+
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-ti-qspi.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-ti-qspi.c
++++ b/drivers/spi/spi-ti-qspi.c
+@@ -410,11 +410,10 @@ static int ti_qspi_start_transfer_one(st
+
+ mutex_unlock(&qspi->list_lock);
+
++ ti_qspi_write(qspi, qspi->cmd | QSPI_INVAL, QSPI_SPI_CMD_REG);
+ m->status = status;
+ spi_finalize_current_message(master);
+
+- ti_qspi_write(qspi, qspi->cmd | QSPI_INVAL, QSPI_SPI_CMD_REG);
+-
+ return status;
+ }
+
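Review bot: The order of the `ti_qspi_write(qspi, qspi->cmd | QSPI_INVAL, QSPI_SPI_CMD_REG)` call and `spi_finalize_current_message(master)` is now what prevents overlapping transfers, yet the code carries no comment saying so. I would add above the write: `/* terminate the transfer and de-assert CS before finalizing; the next message may be pumped as soon as this one is finalized */`. The function starts outside the hunk.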
--- /dev/null
+From b1a4144a695ff4a6834a2680600f36f991fa4926 Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Date: Mon, 2 Nov 2015 19:55:29 +0200
+Subject: TPM: revert the list handling logic fixed in 398a1e7
+
+From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+
+commit b1a4144a695ff4a6834a2680600f36f991fa4926 upstream.
+
+Mimi reported that afb5abc reverts the fix in 398a1e7. This patch
+reverts it back.
+
+Fixes: afb5abc262e9 ("tpm: two-phase chip management functions")
+Reported-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Acked-by: Peter Huewe <PeterHuewe@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm-chip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm-chip.c
++++ b/drivers/char/tpm/tpm-chip.c
+@@ -231,7 +231,7 @@ int tpm_chip_register(struct tpm_chip *c
+
+ /* Make the chip available. */
+ spin_lock(&driver_lock);
+- list_add_rcu(&chip->list, &tpm_chip_list);
++ list_add_tail_rcu(&chip->list, &tpm_chip_list);
+ spin_unlock(&driver_lock);
+
+ chip->flags |= TPM_CHIP_FLAG_REGISTERED;
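Review bot: The choice of `list_add_tail_rcu()` over `list_add_rcu()` decides the order in which chips appear on `tpm_chip_list`, but the call site does not say that order matters. The commit message says this choice was already lost once in afb5abc. A short comment, `/* append: keep chips in registration order */`, would protect it. The reason order matters is not visible on this page, so the wording should be checked against 398a1e7. tpm_chip_register() continues outside the hunk.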
--- /dev/null
+From 149789ce9d472e6b4fd99336e779ab843754a96c Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Date: Tue, 15 Sep 2015 20:05:40 +0300
+Subject: tpm, tpm_crb: fix unaligned read of the command buffer address
+
+From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+
+commit 149789ce9d472e6b4fd99336e779ab843754a96c upstream.
+
+The command buffer address must be read with exactly two 32-bit reads.
+Otherwise, on some HW platforms, it seems that HW will abort the read
+operation, which causes CPU to fill the read bytes with 1's. Therefore,
+we cannot rely on memcpy_fromio() but must call ioread32() two times
+instead.
+
+Also, this matches the PC Client Platform TPM Profile specification,
+which defines command buffer address with two 32-bit fields.
+
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Reviewed-by: Peter Huewe <peterhuewe@gmx.de>
+Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm_crb.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/tpm/tpm_crb.c
++++ b/drivers/char/tpm/tpm_crb.c
+@@ -68,7 +68,8 @@ struct crb_control_area {
+ u32 int_enable;
+ u32 int_sts;
+ u32 cmd_size;
+- u64 cmd_pa;
++ u32 cmd_pa_low;
++ u32 cmd_pa_high;
+ u32 rsp_size;
+ u64 rsp_pa;
+ } __packed;
+@@ -263,8 +264,8 @@ static int crb_acpi_add(struct acpi_devi
+ return -ENOMEM;
+ }
+
+- memcpy_fromio(&pa, &priv->cca->cmd_pa, 8);
+- pa = le64_to_cpu(pa);
++ pa = ((u64) le32_to_cpu(ioread32(&priv->cca->cmd_pa_high)) << 32) |
++ (u64) le32_to_cpu(ioread32(&priv->cca->cmd_pa_low));
+ priv->cmd = devm_ioremap_nocache(dev, pa,
+ ioread32(&priv->cca->cmd_size));
+ if (!priv->cmd) {
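Review bot: `le32_to_cpu(ioread32(...))` converts twice, because ioread32() already returns the register value in CPU byte order. The extra le32_to_cpu() is a no-op on little-endian and byte-swaps each half on big-endian, which would hand a wrong physical address to devm_ioremap_nocache(). The `ioread32(&priv->cca->cmd_size)` two lines below is used without conversion, which is the consistent form. I would write `pa = ((u64)ioread32(&priv->cca->cmd_pa_high) << 32) | ioread32(&priv->cca->cmd_pa_low);`. `rsp_pa` is still declared `u64` in the struct hunk; how it is read is outside these hunks and may need the same two-read treatment.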
--- /dev/null
+From 2aef9da60bfdeb68dbcd4f114c098cbaa841b4ee Mon Sep 17 00:00:00 2001
+From: Martin Wilck <Martin.Wilck@ts.fujitsu.com>
+Date: Thu, 5 Nov 2015 17:19:09 +0100
+Subject: tpm_tis: free irq after probing
+
+From: Martin Wilck <Martin.Wilck@ts.fujitsu.com>
+
+commit 2aef9da60bfdeb68dbcd4f114c098cbaa841b4ee upstream.
+
+Release IRQs used for probing only. Otherwise the TPM will end up
+with all IRQs 3-15 assigned.
+
+Fixes: afb5abc262e9 ("tpm: two-phase chip management functions")
+Signed-off-by: Martin Wilck <Martin.Wilck@ts.fujitsu.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Acked-by: Peter Huewe <PeterHuewe@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm_tis.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/char/tpm/tpm_tis.c
++++ b/drivers/char/tpm/tpm_tis.c
+@@ -805,6 +805,8 @@ static int tpm_tis_init(struct device *d
+ iowrite32(intmask,
+ chip->vendor.iobase +
+ TPM_INT_ENABLE(chip->vendor.locality));
++
++ devm_free_irq(dev, i, chip);
+ }
+ }
+ if (chip->vendor.irq) {
--- /dev/null
+From d227c3ae4e94e5eb11dd780a811f59e1a7b74ccd Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Wed, 4 Nov 2015 23:33:17 +0100
+Subject: tracefs: Fix refcount imbalance in start_creating()
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+commit d227c3ae4e94e5eb11dd780a811f59e1a7b74ccd upstream.
+
+In tracefs' start_creating(), we pin the file system to safely access
+its root. When we failed to create a file, we unpin the file system via
+failed_creating() to release the mount count and eventually the reference
+of the singleton vfsmount.
+
+However, when we run into an error during lookup_one_len() when still
+in start_creating(), we only release the parent's mutex but not so the
+reference on the mount.
+
+F.e., in securityfs_create_file(), after doing simple_pin_fs() when
+lookup_one_len() fails there, we infact do simple_release_fs(). This
+seems necessary here as well.
+
+Same issue seen in debugfs due to 190afd81e4a5 ("debugfs: split the
+beginning and the end of __create_file() off"), which seemed to got
+carried over into tracefs, too. Noticed during code review.
+
+Link: http://lkml.kernel.org/r/68efa86101b778cf7517ed7c6ad573bd69f60ec6.1446672850.git.daniel@iogearbox.net
+
+Fixes: 4282d60689d4 ("tracefs: Add new tracefs file system")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/tracefs/inode.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/tracefs/inode.c
++++ b/fs/tracefs/inode.c
+@@ -340,8 +340,12 @@ static struct dentry *start_creating(con
+ dput(dentry);
+ dentry = ERR_PTR(-EEXIST);
+ }
+- if (IS_ERR(dentry))
++
++ if (IS_ERR(dentry)) {
+ mutex_unlock(&parent->d_inode->i_mutex);
++ simple_release_fs(&tracefs_mount, &tracefs_mount_count);
++ }
++
+ return dentry;
+ }
+
--- /dev/null
+From f36d1be2930ede0a1947686e1126ffda5d5ee1bb Mon Sep 17 00:00:00 2001
+From: Qiu Peiyang <peiyangx.qiu@intel.com>
+Date: Thu, 31 Dec 2015 13:11:28 +0800
+Subject: tracing: Fix setting of start_index in find_next()
+
+From: Qiu Peiyang <peiyangx.qiu@intel.com>
+
+commit f36d1be2930ede0a1947686e1126ffda5d5ee1bb upstream.
+
+When we do cat /sys/kernel/debug/tracing/printk_formats, we hit kernel
+panic at t_show.
+
+general protection fault: 0000 [#1] PREEMPT SMP
+CPU: 0 PID: 2957 Comm: sh Tainted: G W O 3.14.55-x86_64-01062-gd4acdc7 #2
+RIP: 0010:[<ffffffff811375b2>]
+ [<ffffffff811375b2>] t_show+0x22/0xe0
+RSP: 0000:ffff88002b4ebe80 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004
+RDX: 0000000000000004 RSI: ffffffff81fd26a6 RDI: ffff880032f9f7b1
+RBP: ffff88002b4ebe98 R08: 0000000000001000 R09: 000000000000ffec
+R10: 0000000000000000 R11: 000000000000000f R12: ffff880004d9b6c0
+R13: 7365725f6d706400 R14: ffff880004d9b6c0 R15: ffffffff82020570
+FS: 0000000000000000(0000) GS:ffff88003aa00000(0063) knlGS:00000000f776bc40
+CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
+CR2: 00000000f6c02ff0 CR3: 000000002c2b3000 CR4: 00000000001007f0
+Call Trace:
+ [<ffffffff811dc076>] seq_read+0x2f6/0x3e0
+ [<ffffffff811b749b>] vfs_read+0x9b/0x160
+ [<ffffffff811b7f69>] SyS_read+0x49/0xb0
+ [<ffffffff81a3a4b9>] ia32_do_call+0x13/0x13
+ ---[ end trace 5bd9eb630614861e ]---
+Kernel panic - not syncing: Fatal exception
+
+When the first time find_next calls find_next_mod_format, it should
+iterate the trace_bprintk_fmt_list to find the first print format of
+the module. However in current code, start_index is smaller than *pos
+at first, and code will not iterate the list. Latter container_of will
+get the wrong address with former v, which will cause mod_fmt be a
+meaningless object and so is the returned mod_fmt->fmt.
+
+This patch will fix it by correcting the start_index. After fixed,
+when the first time calls find_next_mod_format, start_index will be
+equal to *pos, and code will iterate the trace_bprintk_fmt_list to
+get the right module printk format, so is the returned mod_fmt->fmt.
+
+Link: http://lkml.kernel.org/r/5684B900.9000309@intel.com
+
+Fixes: 102c9323c35a8 "tracing: Add __tracepoint_string() to export string pointers"
+Signed-off-by: Qiu Peiyang <peiyangx.qiu@intel.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_printk.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/trace_printk.c
++++ b/kernel/trace/trace_printk.c
+@@ -267,6 +267,7 @@ static const char **find_next(void *v, l
+ if (*pos < last_index + start_index)
+ return __start___tracepoint_str + (*pos - last_index);
+
++ start_index += last_index;
+ return find_next_mod_format(start_index, v, fmt, pos);
+ }
+
--- /dev/null
+From 6ccd83714a009ee301b50c15f6c3a5dc1f30164c Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Fri, 29 Jan 2016 10:22:41 -0500
+Subject: tracing/stacktrace: Show entire trace if passed in function not found
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 6ccd83714a009ee301b50c15f6c3a5dc1f30164c upstream.
+
+When a max stack trace is discovered, the stack dump is saved. In order to
+not record the overhead of the stack tracer, the ip of the traced function
+is looked for within the dump. The trace is started from the location of
+that function. But if for some reason the ip is not found, the entire stack
+trace is then truncated. That's not very useful. Instead, print everything
+if the ip of the traced function is not found within the trace.
+
+This issue showed up on s390.
+
+Link: http://lkml.kernel.org/r/20160129102241.1b3c9c04@gandalf.local.home
+
+Fixes: 72ac426a5bb0 ("tracing: Clean up stack tracing and fix fentry updates")
+Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_stack.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/kernel/trace/trace_stack.c
++++ b/kernel/trace/trace_stack.c
+@@ -120,6 +120,13 @@ check_stack(unsigned long ip, unsigned l
+ }
+
+ /*
++ * Some archs may not have the passed in ip in the dump.
++ * If that happens, we need to show everything.
++ */
++ if (i == stack_trace_max.nr_entries)
++ i = 0;
++
++ /*
+ * Now find where in the stack these are.
+ */
+ x = 0;
--- /dev/null
+From 681a4a2f4529517422835b7395df07404dfe2278 Mon Sep 17 00:00:00 2001
+From: Jiaxing Wang <hello.wjx@gmail.com>
+Date: Sun, 18 Oct 2015 19:58:08 +0800
+Subject: tracing: Update instance_rmdir() to use tracefs_remove_recursive
+
+From: Jiaxing Wang <hello.wjx@gmail.com>
+
+commit 681a4a2f4529517422835b7395df07404dfe2278 upstream.
+
+Update instance_rmdir to use tracefs_remove_recursive instead of
+debugfs_remove_recursive. This was left over from the transition from
+debugfs to tracefs.
+
+Link: http://lkml.kernel.org/r/1445169490-18315-2-git-send-email-hello.wjx@gmail.com
+
+Fixes: 8434dc9340cd2 ("tracing: Convert the tracing facility over to use tracefs")
+Signed-off-by: Jiaxing Wang <hello.wjx@gmail.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -6602,7 +6602,7 @@ static int instance_rmdir(const char *na
+ tracing_set_nop(tr);
+ event_trace_del_tracer(tr);
+ ftrace_destroy_function_files(tr);
+- debugfs_remove_recursive(tr->dir);
++ tracefs_remove_recursive(tr->dir);
+ free_trace_buffers(tr);
+
+ kfree(tr->name);
--- /dev/null
+From 655e9780ab913a3a06d4a164d55e3b755524186d Mon Sep 17 00:00:00 2001
+From: Andrzej Hajda <a.hajda@samsung.com>
+Date: Mon, 31 Aug 2015 08:56:15 -0300
+Subject: [media] v4l2-compat-ioctl32: fix alignment for ARM64
+
+From: Andrzej Hajda <a.hajda@samsung.com>
+
+commit 655e9780ab913a3a06d4a164d55e3b755524186d upstream.
+
+Alignment/padding rules on AMD64 and ARM64 differ. To properly match
+compatible ioctls on ARM64 kernels without breaking AMD64, some fields
+should be aligned using the compat_s64 type, and in one case the struct
+should be unpacked.
+
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+[hans.verkuil@cisco.com: use compat_u64 instead of compat_s64 in v4l2_input32]
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+
+---
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+@@ -266,7 +266,7 @@ static int put_v4l2_create32(struct v4l2
+
+ struct v4l2_standard32 {
+ __u32 index;
+- __u32 id[2]; /* __u64 would get the alignment wrong */
++ compat_u64 id;
+ __u8 name[24];
+ struct v4l2_fract frameperiod; /* Frames, not fields */
+ __u32 framelines;
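Review bot: The new `compat_u64 id;` field replaces a line whose comment explained the layout constraint, and nothing on the new side says why a compat type is needed here. A short comment such as `/* compat_u64: 64-bit field with the 32-bit ABI's alignment */` would keep the next editor from switching it back to `__u64`. The same applies to `compat_u64 std;` in struct v4l2_input32 and to `compat_s64 value64;` in the v4l2_event32 union, where the member appears to exist only to set the union's alignment; say so next to it. Since these structs define the layout that 32-bit user space sees, a compile-time size or offset assertion (none is visible in these hunks) would catch a regression on either architecture.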
+@@ -286,7 +286,7 @@ static int put_v4l2_standard32(struct v4
+ {
+ if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_standard32)) ||
+ put_user(kp->index, &up->index) ||
+- copy_to_user(up->id, &kp->id, sizeof(__u64)) ||
++ put_user(kp->id, &up->id) ||
+ copy_to_user(up->name, kp->name, 24) ||
+ copy_to_user(&up->frameperiod, &kp->frameperiod, sizeof(kp->frameperiod)) ||
+ put_user(kp->framelines, &up->framelines) ||
+@@ -587,10 +587,10 @@ struct v4l2_input32 {
+ __u32 type; /* Type of input */
+ __u32 audioset; /* Associated audios (bitfield) */
+ __u32 tuner; /* Associated tuner */
+- v4l2_std_id std;
++ compat_u64 std;
+ __u32 status;
+ __u32 reserved[4];
+-} __attribute__ ((packed));
++};
+
+ /* The 64-bit v4l2_input struct has extra padding at the end of the struct.
+ Otherwise it is identical to the 32-bit version. */
+@@ -738,6 +738,7 @@ static int put_v4l2_ext_controls32(struc
+ struct v4l2_event32 {
+ __u32 type;
+ union {
++ compat_s64 value64;
+ __u8 data[64];
+ } u;
+ __u32 pending;
--- /dev/null
+From 35204e2e84f2dae72012f8ca319659c12f428430 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hans.verkuil@cisco.com>
+Date: Mon, 21 Sep 2015 06:14:16 -0300
+Subject: [media] v4l2-ctrls: arrays are also considered compound controls
+
+From: Hans Verkuil <hans.verkuil@cisco.com>
+
+commit 35204e2e84f2dae72012f8ca319659c12f428430 upstream.
+
+Array controls weren't skipped when only V4L2_CTRL_FLAG_NEXT_CTRL was
+provided (so no V4L2_CTRL_FLAG_NEXT_COMPOUND was set). This is wrong
+since arrays are also considered compound controls (i.e. with more than
+one value), and applications that do not know about arrays will not
+be able to handle such controls.
+
+Fix the test to include arrays.
+
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Reported-by: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/v4l2-ctrls.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-ctrls.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls.c
+@@ -2498,7 +2498,7 @@ int v4l2_query_ext_ctrl(struct v4l2_ctrl
+ /* We found a control with the given ID, so just get
+ the next valid one in the list. */
+ list_for_each_entry_continue(ref, &hdl->ctrl_refs, node) {
+- is_compound =
++ is_compound = ref->ctrl->is_array ||
+ ref->ctrl->type >= V4L2_CTRL_COMPOUND_TYPES;
+ if (id < ref->ctrl->id &&
+ (is_compound & mask) == match)
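Review bot: The expression `ref->ctrl->is_array || ref->ctrl->type >= V4L2_CTRL_COMPOUND_TYPES` is now written out twice, here and in the `list_for_each_entry` loop of the next hunk, so the two loops can drift apart the next time the definition of a compound control changes. A small static helper that takes the control and returns bool, called from both loops, would keep a single definition. Both loops sit inside v4l2_query_ext_ctrl, whose body starts and ends outside the hunks.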
+@@ -2512,7 +2512,7 @@ int v4l2_query_ext_ctrl(struct v4l2_ctrl
+ is one, otherwise the first 'if' above would have
+ been true. */
+ list_for_each_entry(ref, &hdl->ctrl_refs, node) {
+- is_compound =
++ is_compound = ref->ctrl->is_array ||
+ ref->ctrl->type >= V4L2_CTRL_COMPOUND_TYPES;
+ if (id < ref->ctrl->id &&
+ (is_compound & mask) == match)
--- /dev/null
+From a5d42b8c3b3ddccd88dc1c70957177d31a6699fb Mon Sep 17 00:00:00 2001
+From: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
+Date: Mon, 28 Sep 2015 18:36:51 -0300
+Subject: [media] vivid: Fix iteration in driver removal path
+
+From: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
+
+commit a5d42b8c3b3ddccd88dc1c70957177d31a6699fb upstream.
+
+When the driver is removed and all the resources are deallocated,
+we should be iterating through the created devices only.
+
+Currently, the iteration ends when vivid_devs[i] is NULL. Since
+the array contains VIVID_MAX_DEVS elements, it will oops if
+n_devs=VIVID_MAX_DEVS because in that case, no element is NULL.
+
+Fixes: c88a96b023d8 ('[media] vivid: add core driver code')
+
+Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/vivid/vivid-core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/vivid/vivid-core.c
++++ b/drivers/media/platform/vivid/vivid-core.c
+@@ -1341,8 +1341,11 @@ static int vivid_remove(struct platform_
+ struct vivid_dev *dev;
+ unsigned i;
+
+- for (i = 0; vivid_devs[i]; i++) {
++
++ for (i = 0; i < n_devs; i++) {
+ dev = vivid_devs[i];
++ if (!dev)
++ continue;
+
+ if (dev->has_vid_cap) {
+ v4l2_info(&dev->v4l2_dev, "unregistering %s\n",
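Review bot: The loop is now bounded by `n_devs` instead of a NULL sentinel, so its safety depends on `n_devs` never exceeding the size of `vivid_devs[]`. Where `n_devs` is set or clamped is not visible in this hunk, so it is worth confirming that it cannot exceed VIVID_MAX_DEVS by the time vivid_remove runs. A defensive bound such as `for (i = 0; i < n_devs && i < VIVID_MAX_DEVS; i++)`, or a comment stating where the clamp happens, would make that explicit. The added empty line before the `for` leaves two blank lines in a row and can be dropped. vivid_remove continues past the end of the hunk.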
--- /dev/null
+From 60ecd86c4d985750efa0ea3d8610972b09951715 Mon Sep 17 00:00:00 2001
+From: "Hon Ching \\(Vicky\\) Lo" <honclo@linux.vnet.ibm.com>
+Date: Wed, 7 Oct 2015 20:11:51 -0400
+Subject: vTPM: fix memory allocation flag for rtce buffer at kernel boot
+
+From: Hon Ching \(Vicky\) Lo <honclo@linux.vnet.ibm.com>
+
+commit 60ecd86c4d985750efa0ea3d8610972b09951715 upstream.
+
+At ibm vtpm initialization, tpm_ibmvtpm_probe() registers its interrupt
+handler, ibmvtpm_interrupt, which calls ibmvtpm_crq_process to allocate
+memory for rtce buffer. The current code uses 'GFP_KERNEL' as the
+type of kernel memory allocation, which resulted in a warning at
+kernel/lockdep.c. This patch uses 'GFP_ATOMIC' instead so that the
+allocation is high-priority and does not sleep.
+
+Signed-off-by: Hon Ching(Vicky) Lo <honclo@linux.vnet.ibm.com>
+Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm_ibmvtpm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm_ibmvtpm.c
++++ b/drivers/char/tpm/tpm_ibmvtpm.c
+@@ -491,7 +491,7 @@ static void ibmvtpm_crq_process(struct i
+ }
+ ibmvtpm->rtce_size = be16_to_cpu(crq->len);
+ ibmvtpm->rtce_buf = kmalloc(ibmvtpm->rtce_size,
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ if (!ibmvtpm->rtce_buf) {
+ dev_err(ibmvtpm->dev, "Failed to allocate memory for rtce buffer\n");
+ return;
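Review bot: On allocation failure the function returns with `ibmvtpm->rtce_size` already set from `crq->len` while `ibmvtpm->rtce_buf` is NULL, and GFP_ATOMIC makes that failure more likely than before. Any later code that bounds a copy by `rtce_size` without also checking the pointer (not visible in this hunk) would then write through NULL; resetting it in the error branch, `ibmvtpm->rtce_size = 0;`, or assigning the size only after kmalloc() succeeds, keeps the two fields consistent. The length also comes straight from the CRQ message, and a zero `crq->len` would pass the `!ibmvtpm->rtce_buf` check because kmalloc(0) does not return NULL, so a check that rejects `crq->len == 0` belongs before the allocation. ibmvtpm_crq_process starts and ends outside the hunk.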
--- /dev/null
+From e47301b06d5a65678690f04c2248fd181db1e59a Mon Sep 17 00:00:00 2001
+From: Uri Mashiach <uri.mashiach@compulab.co.il>
+Date: Thu, 24 Dec 2015 16:05:00 +0200
+Subject: wlcore/wl12xx: spi: fix NULL pointer dereference (Oops)
+
+From: Uri Mashiach <uri.mashiach@compulab.co.il>
+
+commit e47301b06d5a65678690f04c2248fd181db1e59a upstream.
+
+Fix the below Oops when trying to modprobe wlcore_spi.
+The oops occurs because the wl1271_power_{off,on}()
+function doesn't check the power() function pointer.
+
+[ 23.401447] Unable to handle kernel NULL pointer dereference at
+virtual address 00000000
+[ 23.409954] pgd = c0004000
+[ 23.412922] [00000000] *pgd=00000000
+[ 23.416693] Internal error: Oops: 80000007 [#1] SMP ARM
+[ 23.422168] Modules linked in: wl12xx wlcore mac80211 cfg80211
+musb_dsps musb_hdrc usbcore usb_common snd_soc_simple_card evdev joydev
+omap_rng wlcore_spi snd_soc_tlv320aic23_i2c rng_core snd_soc_tlv320aic23
+c_can_platform c_can can_dev snd_soc_davinci_mcasp snd_soc_edma
+snd_soc_omap omap_wdt musb_am335x cpufreq_dt thermal_sys hwmon
+[ 23.453253] CPU: 0 PID: 36 Comm: kworker/0:2 Not tainted
+4.2.0-00002-g951efee-dirty #233
+[ 23.461720] Hardware name: Generic AM33XX (Flattened Device Tree)
+[ 23.468123] Workqueue: events request_firmware_work_func
+[ 23.473690] task: de32efc0 ti: de4ee000 task.ti: de4ee000
+[ 23.479341] PC is at 0x0
+[ 23.482112] LR is at wl12xx_set_power_on+0x28/0x124 [wlcore]
+[ 23.488074] pc : [<00000000>] lr : [<bf2581f0>] psr: 60000013
+[ 23.488074] sp : de4efe50 ip : 00000002 fp : 00000000
+[ 23.500162] r10: de7cdd00 r9 : dc848800 r8 : bf27af00
+[ 23.505663] r7 : bf27a1a8 r6 : dcbd8a80 r5 : dce0e2e0 r4 :
+dce0d2e0
+[ 23.512536] r3 : 00000000 r2 : 00000000 r1 : 00000001 r0 :
+dc848810
+[ 23.519412] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM
+Segment kernel
+[ 23.527109] Control: 10c5387d Table: 9cb78019 DAC: 00000015
+[ 23.533160] Process kworker/0:2 (pid: 36, stack limit = 0xde4ee218)
+[ 23.539760] Stack: (0xde4efe50 to 0xde4f0000)
+
+[...]
+
+[ 23.665030] [<bf2581f0>] (wl12xx_set_power_on [wlcore]) from
+[<bf25f7ac>] (wlcore_nvs_cb+0x118/0xa4c [wlcore])
+[ 23.675604] [<bf25f7ac>] (wlcore_nvs_cb [wlcore]) from [<c04387ec>]
+(request_firmware_work_func+0x30/0x58)
+[ 23.685784] [<c04387ec>] (request_firmware_work_func) from
+[<c0058e2c>] (process_one_work+0x1b4/0x4b4)
+[ 23.695591] [<c0058e2c>] (process_one_work) from [<c0059168>]
+(worker_thread+0x3c/0x4a4)
+[ 23.704124] [<c0059168>] (worker_thread) from [<c005ee68>]
+(kthread+0xd4/0xf0)
+[ 23.711747] [<c005ee68>] (kthread) from [<c000f598>]
+(ret_from_fork+0x14/0x3c)
+[ 23.719357] Code: bad PC value
+[ 23.722760] ---[ end trace 981be8510db9b3a9 ]---
+
+Prevent the oops by validating the power() pointer value before
+calling the function.
+
+Signed-off-by: Uri Mashiach <uri.mashiach@compulab.co.il>
+Acked-by: Igor Grinberg <grinberg@compulab.co.il>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ti/wlcore/io.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ti/wlcore/io.h
++++ b/drivers/net/wireless/ti/wlcore/io.h
+@@ -207,19 +207,23 @@ static inline int __must_check wlcore_wr
+
+ static inline void wl1271_power_off(struct wl1271 *wl)
+ {
+- int ret;
++ int ret = 0;
+
+ if (!test_bit(WL1271_FLAG_GPIO_POWER, &wl->flags))
+ return;
+
+- ret = wl->if_ops->power(wl->dev, false);
++ if (wl->if_ops->power)
++ ret = wl->if_ops->power(wl->dev, false);
+ if (!ret)
+ clear_bit(WL1271_FLAG_GPIO_POWER, &wl->flags);
+ }
+
+ static inline int wl1271_power_on(struct wl1271 *wl)
+ {
+- int ret = wl->if_ops->power(wl->dev, true);
++ int ret = 0;
++
++ if (wl->if_ops->power)
++ ret = wl->if_ops->power(wl->dev, true);
+ if (ret == 0)
+ set_bit(WL1271_FLAG_GPIO_POWER, &wl->flags);
+
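Review bot: When `wl->if_ops->power` is NULL, wl1271_power_on() now returns 0 and sets WL1271_FLAG_GPIO_POWER even though nothing was switched, and wl1271_power_off() clears it the same way. That looks intentional, but the code does not say so. A comment at the first check, e.g. `/* no power() hook on this bus: treat the request as successful */`, would record that a missing callback is deliberately treated as success rather than an error. wl1271_power_on's body continues outside the hunk.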
--- /dev/null
+From 9b2761cb72dc41e1948c8a5512b4efd384eda130 Mon Sep 17 00:00:00 2001
+From: Uri Mashiach <uri.mashiach@compulab.co.il>
+Date: Thu, 10 Dec 2015 15:12:56 +0200
+Subject: wlcore/wl12xx: spi: fix oops on firmware load
+
+From: Uri Mashiach <uri.mashiach@compulab.co.il>
+
+commit 9b2761cb72dc41e1948c8a5512b4efd384eda130 upstream.
+
+The maximum chunks used by the function is
+(SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE + 1).
+The original commands array had space for
+(SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) commands.
+When the last chunk is used (len > 4 * WSPI_MAX_CHUNK_SIZE), the last
+command is stored outside the bounds of the commands array.
+
+Oops 5 (page fault) is generated during current wl1271 firmware load
+attempt:
+
+root@debian-armhf:~# ifconfig wlan0 up
+[ 294.312399] Unable to handle kernel paging request at virtual address
+00203fc4
+[ 294.320173] pgd = de528000
+[ 294.323028] [00203fc4] *pgd=00000000
+[ 294.326916] Internal error: Oops: 5 [#1] SMP ARM
+[ 294.331789] Modules linked in: bnep rfcomm bluetooth ipv6 arc4 wl12xx
+wlcore mac80211 musb_dsps cfg80211 musb_hdrc usbcore usb_common
+wlcore_spi omap_rng rng_core musb_am335x omap_wdt cpufreq_dt thermal_sys
+hwmon
+[ 294.351838] CPU: 0 PID: 1827 Comm: ifconfig Not tainted
+4.2.0-00002-g3e9ad27-dirty #78
+[ 294.360154] Hardware name: Generic AM33XX (Flattened Device Tree)
+[ 294.366557] task: dc9d6d40 ti: de550000 task.ti: de550000
+[ 294.372236] PC is at __spi_validate+0xa8/0x2ac
+[ 294.376902] LR is at __spi_sync+0x78/0x210
+[ 294.381200] pc : [<c049c760>] lr : [<c049ebe0>] psr: 60000013
+[ 294.381200] sp : de551998 ip : de5519d8 fp : 00200000
+[ 294.393242] r10: de551c8c r9 : de5519d8 r8 : de3a9000
+[ 294.398730] r7 : de3a9258 r6 : de3a9400 r5 : de551a48 r4 :
+00203fbc
+[ 294.405577] r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 :
+de3a9000
+[ 294.412420] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM
+Segment user
+[ 294.419918] Control: 10c5387d Table: 9e528019 DAC: 00000015
+[ 294.425954] Process ifconfig (pid: 1827, stack limit = 0xde550218)
+[ 294.432437] Stack: (0xde551998 to 0xde552000)
+
+...
+
+[ 294.883613] [<c049c760>] (__spi_validate) from [<c049ebe0>]
+(__spi_sync+0x78/0x210)
+[ 294.891670] [<c049ebe0>] (__spi_sync) from [<bf036598>]
+(wl12xx_spi_raw_write+0xfc/0x148 [wlcore_spi])
+[ 294.901661] [<bf036598>] (wl12xx_spi_raw_write [wlcore_spi]) from
+[<bf21c694>] (wlcore_boot_upload_firmware+0x1ec/0x458 [wlcore])
+[ 294.914038] [<bf21c694>] (wlcore_boot_upload_firmware [wlcore]) from
+[<bf24532c>] (wl12xx_boot+0xc10/0xfac [wl12xx])
+[ 294.925161] [<bf24532c>] (wl12xx_boot [wl12xx]) from [<bf20d5cc>]
+(wl1271_op_add_interface+0x5b0/0x910 [wlcore])
+[ 294.936364] [<bf20d5cc>] (wl1271_op_add_interface [wlcore]) from
+[<bf15c4ac>] (ieee80211_do_open+0x44c/0xf7c [mac80211])
+[ 294.947963] [<bf15c4ac>] (ieee80211_do_open [mac80211]) from
+[<c0537978>] (__dev_open+0xa8/0x110)
+[ 294.957307] [<c0537978>] (__dev_open) from [<c0537bf8>]
+(__dev_change_flags+0x88/0x148)
+[ 294.965713] [<c0537bf8>] (__dev_change_flags) from [<c0537cd0>]
+(dev_change_flags+0x18/0x48)
+[ 294.974576] [<c0537cd0>] (dev_change_flags) from [<c05a55a0>]
+(devinet_ioctl+0x6b4/0x7d0)
+[ 294.983191] [<c05a55a0>] (devinet_ioctl) from [<c0517040>]
+(sock_ioctl+0x1e4/0x2bc)
+[ 294.991244] [<c0517040>] (sock_ioctl) from [<c017d378>]
+(do_vfs_ioctl+0x420/0x6b0)
+[ 294.999208] [<c017d378>] (do_vfs_ioctl) from [<c017d674>]
+(SyS_ioctl+0x6c/0x7c)
+[ 295.006880] [<c017d674>] (SyS_ioctl) from [<c000f4c0>]
+(ret_fast_syscall+0x0/0x54)
+[ 295.014835] Code: e1550004 e2444034 0a00007d e5953018 (e5942008)
+[ 295.021544] ---[ end trace 66ed188198f4e24e ]---
+
+Signed-off-by: Uri Mashiach <uri.mashiach@compulab.co.il>
+Acked-by: Igor Grinberg <grinberg@compulab.co.il>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ti/wlcore/spi.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ti/wlcore/spi.c
++++ b/drivers/net/wireless/ti/wlcore/spi.c
+@@ -73,7 +73,10 @@
+ */
+ #define SPI_AGGR_BUFFER_SIZE (4 * PAGE_SIZE)
+
+-#define WSPI_MAX_NUM_OF_CHUNKS (SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE)
++/* Maximum number of SPI write chunks */
++#define WSPI_MAX_NUM_OF_CHUNKS \
++ ((SPI_AGGR_BUFFER_SIZE / WSPI_MAX_CHUNK_SIZE) + 1)
++
+
+ struct wl12xx_spi_glue {
+ struct device *dev;
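Review bot: The new comment `/* Maximum number of SPI write chunks */` does not explain the `+ 1`, which is the whole fix. Going by the commit message, something like `/* Maximum number of SPI write chunks: full chunks plus one partial tail chunk */` would stop the extra slot from being removed again as an apparent off-by-one. The hunk also adds a second consecutive blank line after the macro, which can be dropped.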
+@@ -268,9 +271,10 @@ static int __must_check wl12xx_spi_raw_w
+ void *buf, size_t len, bool fixed)
+ {
+ struct wl12xx_spi_glue *glue = dev_get_drvdata(child->parent);
+- struct spi_transfer t[2 * (WSPI_MAX_NUM_OF_CHUNKS + 1)];
++ /* SPI write buffers - 2 for each chunk */
++ struct spi_transfer t[2 * WSPI_MAX_NUM_OF_CHUNKS];
+ struct spi_message m;
+- u32 commands[WSPI_MAX_NUM_OF_CHUNKS];
++ u32 commands[WSPI_MAX_NUM_OF_CHUNKS]; /* 1 command per chunk */
+ u32 *cmd;
+ u32 chunk_len;
+ int i;
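Review bot: `commands[]` and `t[]` are fixed-size stack arrays sized for a transfer of at most SPI_AGGR_BUFFER_SIZE bytes, but `len` is a caller-supplied `size_t` and this hunk shows no check that rejects a larger value before the chunk loop indexes them. The loop is outside the hunk, so confirm that an oversized `len` returns an error rather than only warning. If it does not, an early `if (len > SPI_AGGR_BUFFER_SIZE) return -EINVAL;` would bound both arrays. The function is marked `__must_check`, so callers are already expected to handle an error return.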
--- /dev/null
+From ab45fb145096799dabd18afc58bb5f97171017cd Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Fri, 16 Oct 2015 17:01:04 +0300
+Subject: xtensa: fix secondary core boot in SMP
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit ab45fb145096799dabd18afc58bb5f97171017cd upstream.
+
+There are multiple factors adding to the issue in different
+configurations:
+
+- commit 17290231df16eeee ("xtensa: add fixup for double exception raised
+ in window overflow") added function window_overflow_restore_a0_fixup to
+ double exception vector overlapping reset vector location of secondary
+ processor cores.
+- on MMUv2 cores RESET_VECTOR1_VADDR may point to uncached kernel memory
+ making code overlapping depend on cache type and size, so that without
+ cache or with WT cache reset vector code overwrites double exception
+ code, making issue even harder to detect.
+- on MMUv3 cores RESET_VECTOR1_VADDR may point to unmapped area, as
+ MMUv3 cores change virtual address map to match MMUv2 layout, but
+ reset vector virtual address is given for the original MMUv3 mapping.
+- physical memory region of the secondary reset vector is not reserved
+ in the physical memory map, and thus may be allocated and overwritten
+ at arbitrary moment.
+
+Fix it as follows:
+
+- move window_overflow_restore_a0_fixup code to .text section.
+- define RESET_VECTOR1_VADDR so that it points to reset vector in the
+ cacheable MMUv2 map for cores with MMU.
+- reserve reset vector region in the physical memory map. Drop separate
+ literal section and build mxhead.S with text section literals.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/xtensa/include/asm/vectors.h | 9 +++++----
+ arch/xtensa/kernel/Makefile | 1 +
+ arch/xtensa/kernel/setup.c | 9 ++++++++-
+ arch/xtensa/kernel/vectors.S | 4 +++-
+ arch/xtensa/kernel/vmlinux.lds.S | 12 ++----------
+ 5 files changed, 19 insertions(+), 16 deletions(-)
+
+--- a/arch/xtensa/include/asm/vectors.h
++++ b/arch/xtensa/include/asm/vectors.h
+@@ -48,6 +48,9 @@
+ #define LOAD_MEMORY_ADDRESS 0xD0003000
+ #endif
+
++#define RESET_VECTOR1_VADDR (VIRTUAL_MEMORY_ADDRESS + \
++ XCHAL_RESET_VECTOR1_PADDR)
++
+ #else /* !defined(CONFIG_MMU) */
+ /* MMU Not being used - Virtual == Physical */
+
+@@ -60,6 +63,8 @@
+ /* Loaded just above possibly live vectors */
+ #define LOAD_MEMORY_ADDRESS (PLATFORM_DEFAULT_MEM_START + 0x3000)
+
++#define RESET_VECTOR1_VADDR (XCHAL_RESET_VECTOR1_VADDR)
++
+ #endif /* CONFIG_MMU */
+
+ #define XC_VADDR(offset) (VIRTUAL_MEMORY_ADDRESS + offset)
+@@ -71,10 +76,6 @@
+ VECBASE_RESET_VADDR)
+ #define RESET_VECTOR_VADDR XC_VADDR(RESET_VECTOR_VECOFS)
+
+-#define RESET_VECTOR1_VECOFS (XCHAL_RESET_VECTOR1_VADDR - \
+- VECBASE_RESET_VADDR)
+-#define RESET_VECTOR1_VADDR XC_VADDR(RESET_VECTOR1_VECOFS)
+-
+ #if defined(XCHAL_HAVE_VECBASE) && XCHAL_HAVE_VECBASE
+
+ #define USER_VECTOR_VADDR XC_VADDR(XCHAL_USER_VECOFS)
+--- a/arch/xtensa/kernel/Makefile
++++ b/arch/xtensa/kernel/Makefile
+@@ -16,6 +16,7 @@ obj-$(CONFIG_SMP) += smp.o mxhead.o
+ obj-$(CONFIG_XTENSA_VARIANT_HAVE_PERF_EVENTS) += perf_event.o
+
+ AFLAGS_head.o += -mtext-section-literals
++AFLAGS_mxhead.o += -mtext-section-literals
+
+ # In the Xtensa architecture, assembly generates literals which must always
+ # precede the L32R instruction with a relative offset less than 256 kB.
+--- a/arch/xtensa/kernel/setup.c
++++ b/arch/xtensa/kernel/setup.c
+@@ -334,7 +334,10 @@ extern char _Level5InterruptVector_text_
+ extern char _Level6InterruptVector_text_start;
+ extern char _Level6InterruptVector_text_end;
+ #endif
+-
++#ifdef CONFIG_SMP
++extern char _SecondaryResetVector_text_start;
++extern char _SecondaryResetVector_text_end;
++#endif
+
+
+ #ifdef CONFIG_S32C1I_SELFTEST
+@@ -506,6 +509,10 @@ void __init setup_arch(char **cmdline_p)
+ __pa(&_Level6InterruptVector_text_end), 0);
+ #endif
+
++#ifdef CONFIG_SMP
++ mem_reserve(__pa(&_SecondaryResetVector_text_start),
++ __pa(&_SecondaryResetVector_text_end), 0);
++#endif
+ parse_early_param();
+ bootmem_init();
+
+--- a/arch/xtensa/kernel/vectors.S
++++ b/arch/xtensa/kernel/vectors.S
+@@ -478,6 +478,9 @@ _DoubleExceptionVector_handle_exception:
+
+ ENDPROC(_DoubleExceptionVector)
+
++ .end literal_prefix
++
++ .text
+ /*
+ * Fixup handler for TLB miss in double exception handler for window owerflow.
+ * We get here with windowbase set to the window that was being spilled and
+@@ -587,7 +590,6 @@ ENTRY(window_overflow_restore_a0_fixup)
+
+ ENDPROC(window_overflow_restore_a0_fixup)
+
+- .end literal_prefix
+ /*
+ * Debug interrupt vector
+ *
+--- a/arch/xtensa/kernel/vmlinux.lds.S
++++ b/arch/xtensa/kernel/vmlinux.lds.S
+@@ -166,8 +166,6 @@ SECTIONS
+ RELOCATE_ENTRY(_DebugInterruptVector_text,
+ .DebugInterruptVector.text);
+ #if defined(CONFIG_SMP)
+- RELOCATE_ENTRY(_SecondaryResetVector_literal,
+- .SecondaryResetVector.literal);
+ RELOCATE_ENTRY(_SecondaryResetVector_text,
+ .SecondaryResetVector.text);
+ #endif
+@@ -282,17 +280,11 @@ SECTIONS
+
+ #if defined(CONFIG_SMP)
+
+- SECTION_VECTOR (_SecondaryResetVector_literal,
+- .SecondaryResetVector.literal,
+- RESET_VECTOR1_VADDR - 4,
+- SIZEOF(.DoubleExceptionVector.text),
+- .DoubleExceptionVector.text)
+-
+ SECTION_VECTOR (_SecondaryResetVector_text,
+ .SecondaryResetVector.text,
+ RESET_VECTOR1_VADDR,
+- 4,
+- .SecondaryResetVector.literal)
++ SIZEOF(.DoubleExceptionVector.text),
++ .DoubleExceptionVector.text)
+
+ . = LOADADDR(.SecondaryResetVector.text)+SIZEOF(.SecondaryResetVector.text);
+
--- /dev/null
+From 5029615e25dc5040beb065f36743c127a8e51497 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Thu, 24 Sep 2015 23:11:53 +0300
+Subject: xtensa: fixes for configs without loop option
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit 5029615e25dc5040beb065f36743c127a8e51497 upstream.
+
+Build-time fixes:
+- make lbeg/lend/lcount save/restore conditional on kernel entry;
+- don't clear lcount in platform_restart functions unconditionally.
+
+Run-time fixes:
+- use correct end of range register in __endla paired with __loopt, not
+ the unused temporary register. This fixes .bss zero-initialization.
+ Update comments in asmmacro.h;
+- don't clobber a10 in the usercopy that leads to access to unmapped
+ memory.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/xtensa/include/asm/asmmacro.h | 7 ++++---
+ arch/xtensa/kernel/entry.S | 8 ++++++--
+ arch/xtensa/kernel/head.S | 2 +-
+ arch/xtensa/lib/usercopy.S | 6 +++---
+ arch/xtensa/platforms/iss/setup.c | 2 ++
+ arch/xtensa/platforms/xt2000/setup.c | 2 ++
+ arch/xtensa/platforms/xtfpga/setup.c | 2 ++
+ 7 files changed, 20 insertions(+), 9 deletions(-)
+
+--- a/arch/xtensa/include/asm/asmmacro.h
++++ b/arch/xtensa/include/asm/asmmacro.h
+@@ -35,9 +35,10 @@
+ * __loop as
+ * restart loop. 'as' register must not have been modified!
+ *
+- * __endla ar, at, incr
++ * __endla ar, as, incr
+ * ar start address (modified)
+- * as scratch register used by macro
++ * as scratch register used by __loops/__loopi macros or
++ * end address used by __loopt macro
+ * inc increment
+ */
+
+@@ -97,7 +98,7 @@
+ .endm
+
+ /*
+- * loop from ar to ax
++ * loop from ar to as
+ */
+
+ .macro __loopt ar, as, at, incr_log2
+--- a/arch/xtensa/kernel/entry.S
++++ b/arch/xtensa/kernel/entry.S
+@@ -367,8 +367,10 @@ common_exception:
+ s32i a2, a1, PT_SYSCALL
+ movi a2, 0
+ s32i a3, a1, PT_EXCVADDR
++#if XCHAL_HAVE_LOOPS
+ xsr a2, lcount
+ s32i a2, a1, PT_LCOUNT
++#endif
+
+ /* It is now save to restore the EXC_TABLE_FIXUP variable. */
+
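Review bot: With XCHAL_HAVE_LOOPS off, the PT_LCOUNT slot of the saved frame (and PT_LBEG/PT_LEND in the next hunk) is never written, so it keeps whatever was on the kernel stack before. Whether anything reads those fields in such configurations, for example register dumps or copies of the frame to user space, is not visible here. Leaving them undefined is easy to avoid: `a2` has just been set by `movi a2, 0`, so keeping `s32i a2, a1, PT_LCOUNT` outside the `#if` and guarding only `xsr a2, lcount` stores a defined zero. The same could be done for PT_LBEG and PT_LEND, or the decision to leave them unset could be stated in a comment. common_exception starts and ends outside the hunk.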
+@@ -429,11 +431,12 @@ common_exception:
+ rsync # PS.WOE => rsync => overflow
+
+ /* Save lbeg, lend */
+-
++#if XCHAL_HAVE_LOOPS
+ rsr a4, lbeg
+ rsr a3, lend
+ s32i a4, a1, PT_LBEG
+ s32i a3, a1, PT_LEND
++#endif
+
+ /* Save SCOMPARE1 */
+
+@@ -724,13 +727,14 @@ common_exception_exit:
+ wsr a3, sar
+
+ /* Restore LBEG, LEND, LCOUNT */
+-
++#if XCHAL_HAVE_LOOPS
+ l32i a2, a1, PT_LBEG
+ l32i a3, a1, PT_LEND
+ wsr a2, lbeg
+ l32i a2, a1, PT_LCOUNT
+ wsr a3, lend
+ wsr a2, lcount
++#endif
+
+ /* We control single stepping through the ICOUNTLEVEL register. */
+
+--- a/arch/xtensa/kernel/head.S
++++ b/arch/xtensa/kernel/head.S
+@@ -249,7 +249,7 @@ ENTRY(_startup)
+
+ __loopt a2, a3, a4, 2
+ s32i a0, a2, 0
+- __endla a2, a4, 4
++ __endla a2, a3, 4
+
+ #if XCHAL_DCACHE_IS_WRITEBACK
+
+--- a/arch/xtensa/lib/usercopy.S
++++ b/arch/xtensa/lib/usercopy.S
+@@ -222,8 +222,8 @@ __xtensa_copy_user:
+ loopnez a7, .Loop2done
+ #else /* !XCHAL_HAVE_LOOPS */
+ beqz a7, .Loop2done
+- slli a10, a7, 4
+- add a10, a10, a3 # a10 = end of last 16B source chunk
++ slli a12, a7, 4
++ add a12, a12, a3 # a12 = end of last 16B source chunk
+ #endif /* !XCHAL_HAVE_LOOPS */
+ .Loop2:
+ EX(l32i, a7, a3, 4, l_fixup)
+@@ -241,7 +241,7 @@ __xtensa_copy_user:
+ EX(s32i, a9, a5, 12, s_fixup)
+ addi a5, a5, 16
+ #if !XCHAL_HAVE_LOOPS
+- blt a3, a10, .Loop2
++ blt a3, a12, .Loop2
+ #endif /* !XCHAL_HAVE_LOOPS */
+ .Loop2done:
+ bbci.l a4, 3, .L12
+--- a/arch/xtensa/platforms/iss/setup.c
++++ b/arch/xtensa/platforms/iss/setup.c
+@@ -61,7 +61,9 @@ void platform_restart(void)
+ #if XCHAL_NUM_IBREAK > 0
+ "wsr a2, ibreakenable\n\t"
+ #endif
++#if XCHAL_HAVE_LOOPS
+ "wsr a2, lcount\n\t"
++#endif
+ "movi a2, 0x1f\n\t"
+ "wsr a2, ps\n\t"
+ "isync\n\t"
+--- a/arch/xtensa/platforms/xt2000/setup.c
++++ b/arch/xtensa/platforms/xt2000/setup.c
+@@ -72,7 +72,9 @@ void platform_restart(void)
+ #if XCHAL_NUM_IBREAK > 0
+ "wsr a2, ibreakenable\n\t"
+ #endif
++#if XCHAL_HAVE_LOOPS
+ "wsr a2, lcount\n\t"
++#endif
+ "movi a2, 0x1f\n\t"
+ "wsr a2, ps\n\t"
+ "isync\n\t"
+--- a/arch/xtensa/platforms/xtfpga/setup.c
++++ b/arch/xtensa/platforms/xtfpga/setup.c
+@@ -63,7 +63,9 @@ void platform_restart(void)
+ #if XCHAL_NUM_IBREAK > 0
+ "wsr a2, ibreakenable\n\t"
+ #endif
++#if XCHAL_HAVE_LOOPS
+ "wsr a2, lcount\n\t"
++#endif
+ "movi a2, 0x1f\n\t"
+ "wsr a2, ps\n\t"
+ "isync\n\t"