--- /dev/null
+From 04946fb60fb157faafa01658dff3131d49f49ccb Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Tue, 18 Oct 2016 10:24:49 +0100
+Subject: ARM: fix oops when using older ARMv4T CPUs
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+commit 04946fb60fb157faafa01658dff3131d49f49ccb upstream.
+
+Alexander Shiyan reports that CLPS711x fails at boot time in the data
+exception handler due to a NULL pointer dereference. This is caused by
+the late-v4t abort handler overwriting R9 (which becomes zero). Fix
+this by making the abort handler save and restore R9.
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000008
+pgd = c3b58000
+[00000008] *pgd=800000000, *pte=00000000, *ppte=feff4140
+Internal error: Oops: 63c11817 [#1] PREEMPT ARM
+CPU: 0 PID: 448 Comm: ash Not tainted 4.8.1+ #1
+Hardware name: Cirrus Logic CLPS711X (Device Tree Support)
+task: c39e03a0 ti: c3b4e000 task.ti: c3b4e000
+PC is at __dabt_svc+0x4c/0x60
+LR is at do_page_fault+0x144/0x2ac
+pc : [<c000d3ac>] lr : [<c000fcec>] psr: 60000093
+sp : c3b4fe6c ip : 00000001 fp : b6f1bf88
+r10: c387a5a0 r9 : 00000000 r8 : e4e0e001
+r7 : bee3ef83 r6 : 00100000 r5 : 80000013 r4 : c022fcf8
+r3 : 00000000 r2 : 00000008 r1 : bf000000 r0 : 00000000
+Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
+Control: 0000217f Table: c3b58055 DAC: 00000055
+Process ash (pid: 448, stack limit = 0xc3b4e190)
+Stack: (0xc3b4fe6c to 0xc3b50000)
+fe60: bee3ef83 c05168d1 ffffffff 00000000 c3adfe80
+fe80: c3a03300 00000000 c3b4fed0 c3a03400 bee3ef83 c387a5a0 b6f1bf88 00000001
+fea0: c3b4febc 00000076 c022fcf8 80000013 ffffffff 0000003f bf000000 bee3ef83
+fec0: 00000004 00000000 c3adfe80 c00e432c 00000812 00000005 00000001 00000006
+fee0: b6f1b000 00000000 00010000 0003c944 0004d000 0004d439 00010000 b6f1b000
+ff00: 00000005 00000000 00015ecc c3b4fed0 0000000a 00000000 00000000 c00a1dc0
+ff20: befff000 c3a03300 c3b4e000 c0507cd8 c0508024 fffffff8 c3a03300 00000000
+ff40: c0516a58 c00a35bc c39e03a0 000001c0 bea84ce8 0004e008 c3b3a000 c00a3ac0
+ff60: c3b40374 c3b3a000 bea84d11 00000000 c0500188 bea84d11 bea84ce8 00000001
+ff80: 0000000b c000a304 c3b4e000 00000000 bea84ce4 c00a3cd0 00000000 bea84d11
+ffa0: bea84ce8 c000a160 bea84d11 bea84ce8 bea84d11 bea84ce8 0004e008 0004d450
+ffc0: bea84d11 bea84ce8 00000001 0000000b b6f45ee4 00000000 b6f5ff70 bea84ce4
+ffe0: b6f2f130 bea84cb0 b6f2f194 b6ef29f4 a0000010 bea84d11 02c7cffa 02c7cffd
+[<c000d3ac>] (__dabt_svc) from [<c022fcf8>] (__copy_to_user_std+0xf8/0x330)
+[<c022fcf8>] (__copy_to_user_std) from [<c00e432c>]
++(load_elf_binary+0x920/0x107c)
+[<c00e432c>] (load_elf_binary) from [<c00a35bc>]
++(search_binary_handler+0x80/0x16c)
+[<c00a35bc>] (search_binary_handler) from [<c00a3ac0>]
++(do_execveat_common+0x418/0x600)
+[<c00a3ac0>] (do_execveat_common) from [<c00a3cd0>] (do_execve+0x28/0x30)
+[<c00a3cd0>] (do_execve) from [<c000a160>] (ret_fast_syscall+0x0/0x30)
+Code: e1a0200d eb00136b e321f093 e59d104c (e5891008)
+---[ end trace 4b4f8086ebef98c5 ]---
+
+Fixes: e6978e4bf181 ("ARM: save and reset the address limit when entering an exception")
+Reported-by: Alexander Shiyan <shc_work@mail.ru>
+Tested-by: Alexander Shiyan <shc_work@mail.ru>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mm/abort-lv4t.S | 34 ++++++++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+--- a/arch/arm/mm/abort-lv4t.S
++++ b/arch/arm/mm/abort-lv4t.S
+@@ -7,7 +7,7 @@
+ * : r4 = aborted context pc
+ * : r5 = aborted context psr
+ *
+- * Returns : r4-r5, r10-r11, r13 preserved
++ * Returns : r4-r5, r9-r11, r13 preserved
+ *
+ * Purpose : obtain information about current aborted instruction.
+ * Note: we read user space. This means we might cause a data
+@@ -48,7 +48,10 @@ ENTRY(v4t_late_abort)
+ /* c */ b do_DataAbort @ ldc rd, [rn], #m @ Same as ldr rd, [rn], #m
+ /* d */ b do_DataAbort @ ldc rd, [rn, #m]
+ /* e */ b .data_unknown
+-/* f */
++/* f */ b .data_unknown
++
++.data_unknown_r9:
++ ldr r9, [sp], #4
+ .data_unknown: @ Part of jumptable
+ mov r0, r4
+ mov r1, r8
+@@ -57,6 +60,7 @@ ENTRY(v4t_late_abort)
+ .data_arm_ldmstm:
+ tst r8, #1 << 21 @ check writeback bit
+ beq do_DataAbort @ no writeback -> no fixup
++ str r9, [sp, #-4]!
+ mov r7, #0x11
+ orr r7, r7, #0x1100
+ and r6, r8, r7
+@@ -75,12 +79,14 @@ ENTRY(v4t_late_abort)
+ subne r7, r7, r6, lsl #2 @ Undo increment
+ addeq r7, r7, r6, lsl #2 @ Undo decrement
+ str r7, [r2, r9, lsr #14] @ Put register 'Rn'
++ ldr r9, [sp], #4
+ b do_DataAbort
+
+ .data_arm_lateldrhpre:
+ tst r8, #1 << 21 @ Check writeback bit
+ beq do_DataAbort @ No writeback -> no fixup
+ .data_arm_lateldrhpost:
++ str r9, [sp, #-4]!
+ and r9, r8, #0x00f @ get Rm / low nibble of immediate value
+ tst r8, #1 << 22 @ if (immediate offset)
+ andne r6, r8, #0xf00 @ { immediate high nibble
+@@ -93,6 +99,7 @@ ENTRY(v4t_late_abort)
+ subne r7, r7, r6 @ Undo incrmenet
+ addeq r7, r7, r6 @ Undo decrement
+ str r7, [r2, r9, lsr #14] @ Put register 'Rn'
++ ldr r9, [sp], #4
+ b do_DataAbort
+
+ .data_arm_lateldrpreconst:
+@@ -101,12 +108,14 @@ ENTRY(v4t_late_abort)
+ .data_arm_lateldrpostconst:
+ movs r6, r8, lsl #20 @ Get offset
+ beq do_DataAbort @ zero -> no fixup
++ str r9, [sp, #-4]!
+ and r9, r8, #15 << 16 @ Extract 'n' from instruction
+ ldr r7, [r2, r9, lsr #14] @ Get register 'Rn'
+ tst r8, #1 << 23 @ Check U bit
+ subne r7, r7, r6, lsr #20 @ Undo increment
+ addeq r7, r7, r6, lsr #20 @ Undo decrement
+ str r7, [r2, r9, lsr #14] @ Put register 'Rn'
++ ldr r9, [sp], #4
+ b do_DataAbort
+
+ .data_arm_lateldrprereg:
+@@ -115,6 +124,7 @@ ENTRY(v4t_late_abort)
+ .data_arm_lateldrpostreg:
+ and r7, r8, #15 @ Extract 'm' from instruction
+ ldr r6, [r2, r7, lsl #2] @ Get register 'Rm'
++ str r9, [sp, #-4]!
+ mov r9, r8, lsr #7 @ get shift count
+ ands r9, r9, #31
+ and r7, r8, #0x70 @ get shift type
+@@ -126,33 +136,33 @@ ENTRY(v4t_late_abort)
+ b .data_arm_apply_r6_and_rn
+ b .data_arm_apply_r6_and_rn @ 1: LSL #0
+ nop
+- b .data_unknown @ 2: MUL?
++ b .data_unknown_r9 @ 2: MUL?
+ nop
+- b .data_unknown @ 3: MUL?
++ b .data_unknown_r9 @ 3: MUL?
+ nop
+ mov r6, r6, lsr r9 @ 4: LSR #!0
+ b .data_arm_apply_r6_and_rn
+ mov r6, r6, lsr #32 @ 5: LSR #32
+ b .data_arm_apply_r6_and_rn
+- b .data_unknown @ 6: MUL?
++ b .data_unknown_r9 @ 6: MUL?
+ nop
+- b .data_unknown @ 7: MUL?
++ b .data_unknown_r9 @ 7: MUL?
+ nop
+ mov r6, r6, asr r9 @ 8: ASR #!0
+ b .data_arm_apply_r6_and_rn
+ mov r6, r6, asr #32 @ 9: ASR #32
+ b .data_arm_apply_r6_and_rn
+- b .data_unknown @ A: MUL?
++ b .data_unknown_r9 @ A: MUL?
+ nop
+- b .data_unknown @ B: MUL?
++ b .data_unknown_r9 @ B: MUL?
+ nop
+ mov r6, r6, ror r9 @ C: ROR #!0
+ b .data_arm_apply_r6_and_rn
+ mov r6, r6, rrx @ D: RRX
+ b .data_arm_apply_r6_and_rn
+- b .data_unknown @ E: MUL?
++ b .data_unknown_r9 @ E: MUL?
+ nop
+- b .data_unknown @ F: MUL?
++ b .data_unknown_r9 @ F: MUL?
+
+ .data_thumb_abort:
+ ldrh r8, [r4] @ read instruction
+@@ -190,6 +200,7 @@ ENTRY(v4t_late_abort)
+ .data_thumb_pushpop:
+ tst r8, #1 << 10
+ beq .data_unknown
++ str r9, [sp, #-4]!
+ and r6, r8, #0x55 @ hweight8(r8) + R bit
+ and r9, r8, #0xaa
+ add r6, r6, r9, lsr #1
+@@ -204,9 +215,11 @@ ENTRY(v4t_late_abort)
+ addeq r7, r7, r6, lsl #2 @ increment SP if PUSH
+ subne r7, r7, r6, lsl #2 @ decrement SP if POP
+ str r7, [r2, #13 << 2]
++ ldr r9, [sp], #4
+ b do_DataAbort
+
+ .data_thumb_ldmstm:
++ str r9, [sp, #-4]!
+ and r6, r8, #0x55 @ hweight8(r8)
+ and r9, r8, #0xaa
+ add r6, r6, r9, lsr #1
+@@ -219,4 +232,5 @@ ENTRY(v4t_late_abort)
+ and r6, r6, #15 @ number of regs to transfer
+ sub r7, r7, r6, lsl #2 @ always decrement
+ str r7, [r2, r9, lsr #6]
++ ldr r9, [sp], #4
+ b do_DataAbort
--- /dev/null
+From 0b34c261e235a5c74dcf78bd305845bd15fe2b42 Mon Sep 17 00:00:00 2001
+From: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Date: Fri, 30 Sep 2016 10:40:52 -0500
+Subject: btrfs: qgroup: Prevent qgroup->reserved from going subzero
+
+From: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
+commit 0b34c261e235a5c74dcf78bd305845bd15fe2b42 upstream.
+
+While free'ing qgroup->reserved resources, we much check if
+the page has not been invalidated by a truncate operation
+by checking if the page is still dirty before reducing the
+qgroup resources. Resources in such a case are free'd when
+the entire extent is released by delayed_ref.
+
+This fixes a double accounting while releasing resources
+in case of truncating a file, reproduced by the following testcase.
+
+SCRATCH_DEV=/dev/vdb
+SCRATCH_MNT=/mnt
+mkfs.btrfs -f $SCRATCH_DEV
+mount -t btrfs $SCRATCH_DEV $SCRATCH_MNT
+cd $SCRATCH_MNT
+btrfs quota enable $SCRATCH_MNT
+btrfs subvolume create a
+btrfs qgroup limit 500m a $SCRATCH_MNT
+sync
+for c in {1..15}; do
+dd if=/dev/zero bs=1M count=40 of=$SCRATCH_MNT/a/file;
+done
+
+sleep 10
+sync
+sleep 5
+
+touch $SCRATCH_MNT/a/newfile
+
+echo "Removing file"
+rm $SCRATCH_MNT/a/file
+
+Fixes: b9d0b38928 ("btrfs: Add handler for invalidate page")
+Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Reviewed-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/inode.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -8915,9 +8915,14 @@ again:
+ * So even we call qgroup_free_data(), it won't decrease reserved
+ * space.
+ * 2) Not written to disk
+- * This means the reserved space should be freed here.
++ * This means the reserved space should be freed here. However,
++ * if a truncate invalidates the page (by clearing PageDirty)
++ * and the page is accounted for while allocating extent
++ * in btrfs_check_data_free_space() we let delayed_ref to
++ * free the entire extent.
+ */
+- btrfs_qgroup_free_data(inode, page_start, PAGE_SIZE);
++ if (PageDirty(page))
++ btrfs_qgroup_free_data(inode, page_start, PAGE_SIZE);
+ if (!inode_evicting) {
+ clear_extent_bit(tree, page_start, page_end,
+ EXTENT_LOCKED | EXTENT_DIRTY |
--- /dev/null
+From a6c6ead14183ea4ec8ce7551e1f3451024b9c4db Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Wed, 19 Oct 2016 02:57:22 +0200
+Subject: cpufreq: intel_pstate: Set P-state upfront in performance mode
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit a6c6ead14183ea4ec8ce7551e1f3451024b9c4db upstream.
+
+After commit a4675fbc4a7a (cpufreq: intel_pstate: Replace timers with
+utilization update callbacks) the cpufreq governor callbacks may not
+be invoked on NOHZ_FULL CPUs and, in particular, switching to the
+"performance" policy via sysfs may not have any effect on them. That
+is a problem, because it usually is desirable to squeeze the last
+bit of performance out of those CPUs, so work around it by setting
+the maximum P-state (within the limits) in intel_pstate_set_policy()
+upfront when the policy is CPUFREQ_POLICY_PERFORMANCE.
+
+Fixes: a4675fbc4a7a (cpufreq: intel_pstate: Replace timers with utilization update callbacks)
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/intel_pstate.c | 29 +++++++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -1133,10 +1133,8 @@ static void intel_pstate_get_min_max(str
+ *min = clamp_t(int, min_perf, cpu->pstate.min_pstate, max_perf);
+ }
+
+-static void intel_pstate_set_min_pstate(struct cpudata *cpu)
++static void intel_pstate_set_pstate(struct cpudata *cpu, int pstate)
+ {
+- int pstate = cpu->pstate.min_pstate;
+-
+ trace_cpu_frequency(pstate * cpu->pstate.scaling, cpu->cpu);
+ cpu->pstate.current_pstate = pstate;
+ /*
+@@ -1148,6 +1146,20 @@ static void intel_pstate_set_min_pstate(
+ pstate_funcs.get_val(cpu, pstate));
+ }
+
++static void intel_pstate_set_min_pstate(struct cpudata *cpu)
++{
++ intel_pstate_set_pstate(cpu, cpu->pstate.min_pstate);
++}
++
++static void intel_pstate_max_within_limits(struct cpudata *cpu)
++{
++ int min_pstate, max_pstate;
++
++ update_turbo_state();
++ intel_pstate_get_min_max(cpu, &min_pstate, &max_pstate);
++ intel_pstate_set_pstate(cpu, max_pstate);
++}
++
+ static void intel_pstate_get_cpu_pstates(struct cpudata *cpu)
+ {
+ cpu->pstate.min_pstate = pstate_funcs.get_min();
+@@ -1465,7 +1477,7 @@ static int intel_pstate_set_policy(struc
+ pr_debug("set_policy cpuinfo.max %u policy->max %u\n",
+ policy->cpuinfo.max_freq, policy->max);
+
+- cpu = all_cpu_data[0];
++ cpu = all_cpu_data[policy->cpu];
+ if (cpu->pstate.max_pstate_physical > cpu->pstate.max_pstate &&
+ policy->max < policy->cpuinfo.max_freq &&
+ policy->max > cpu->pstate.max_pstate * cpu->pstate.scaling) {
+@@ -1509,6 +1521,15 @@ static int intel_pstate_set_policy(struc
+ limits->max_perf = round_up(limits->max_perf, FRAC_BITS);
+
+ out:
++ if (policy->policy == CPUFREQ_POLICY_PERFORMANCE) {
++ /*
++ * NOHZ_FULL CPUs need this as the governor callback may not
++ * be invoked on them.
++ */
++ intel_pstate_clear_update_util_hook(policy->cpu);
++ intel_pstate_max_within_limits(cpu);
++ }
++
+ intel_pstate_set_update_util_hook(policy->cpu);
+
+ intel_pstate_hwp_set_policy(policy);
--- /dev/null
+From cf0ea4da4c7df11f7a508b2f37518e0f117f3791 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 3 Nov 2016 12:31:41 +0100
+Subject: HID: usbhid: add ATEN CS962 to list of quirky devices
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit cf0ea4da4c7df11f7a508b2f37518e0f117f3791 upstream.
+
+Like many similar devices it needs a quirk to work.
+Issuing the request gets the device into an irrecoverable state.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/usbhid/hid-quirks.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -179,6 +179,7 @@
+ #define USB_DEVICE_ID_ATEN_4PORTKVM 0x2205
+ #define USB_DEVICE_ID_ATEN_4PORTKVMC 0x2208
+ #define USB_DEVICE_ID_ATEN_CS682 0x2213
++#define USB_DEVICE_ID_ATEN_CS692 0x8021
+
+ #define USB_VENDOR_ID_ATMEL 0x03eb
+ #define USB_DEVICE_ID_ATMEL_MULTITOUCH 0x211c
+--- a/drivers/hid/usbhid/hid-quirks.c
++++ b/drivers/hid/usbhid/hid-quirks.c
+@@ -63,6 +63,7 @@ static const struct hid_blacklist {
+ { USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_4PORTKVM, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_4PORTKVMC, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_CS682, HID_QUIRK_NOGET },
++ { USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_CS692, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_FIGHTERSTICK, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_COMBATSTICK, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_FLIGHT_SIM_ECLIPSE_YOKE, HID_QUIRK_NOGET },
--- /dev/null
+From d9092f52d7e61dd1557f2db2400ddb430e85937e Mon Sep 17 00:00:00 2001
+From: Owen Hofmann <osh@google.com>
+Date: Thu, 27 Oct 2016 11:25:52 -0700
+Subject: kvm: x86: Check memopp before dereference (CVE-2016-8630)
+
+From: Owen Hofmann <osh@google.com>
+
+commit d9092f52d7e61dd1557f2db2400ddb430e85937e upstream.
+
+Commit 41061cdb98 ("KVM: emulate: do not initialize memopp") removes a
+check for non-NULL under incorrect assumptions. An undefined instruction
+with a ModR/M byte with Mod=0 and R/M-5 (e.g. 0xc7 0x15) will attempt
+to dereference a null pointer here.
+
+Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5
+Message-Id: <1477592752-126650-2-git-send-email-osh@google.com>
+Signed-off-by: Owen Hofmann <osh@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -5045,7 +5045,7 @@ done_prefixes:
+ /* Decode and fetch the destination operand: register or memory. */
+ rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
+
+- if (ctxt->rip_relative)
++ if (ctxt->rip_relative && likely(ctxt->memopp))
+ ctxt->memopp->addr.mem.ea = address_mask(ctxt,
+ ctxt->memopp->addr.mem.ea + ctxt->_eip);
+
--- /dev/null
+From 43da7575cdecaf5af2d6b3f3a9e4e6c9144be428 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Sat, 17 Sep 2016 15:53:34 +0000
+Subject: omapfb: fix return value check in dsi_bind()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+commit 43da7575cdecaf5af2d6b3f3a9e4e6c9144be428 upstream.
+
+Fix the retrn value check which testing the wrong variable
+in dsi_bind().
+
+Fixes: f76ee892a99e ("omapfb: copy omapdss & displays for omapfb")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Reviewed-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/omap2/omapfb/dss/dsi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/fbdev/omap2/omapfb/dss/dsi.c
++++ b/drivers/video/fbdev/omap2/omapfb/dss/dsi.c
+@@ -5348,7 +5348,7 @@ static int dsi_bind(struct device *dev,
+
+ dsi->phy_base = devm_ioremap(&dsidev->dev, res->start,
+ resource_size(res));
+- if (!dsi->proto_base) {
++ if (!dsi->phy_base) {
+ DSSERR("can't ioremap DSI PHY\n");
+ return -ENOMEM;
+ }
+@@ -5368,7 +5368,7 @@ static int dsi_bind(struct device *dev,
+
+ dsi->pll_base = devm_ioremap(&dsidev->dev, res->start,
+ resource_size(res));
+- if (!dsi->proto_base) {
++ if (!dsi->pll_base) {
+ DSSERR("can't ioremap DSI PLL\n");
+ return -ENOMEM;
+ }
--- /dev/null
+From 0733424c9ba9f42242409d1ece780777272f7ea1 Mon Sep 17 00:00:00 2001
+From: David Hsu <davidhsu@google.com>
+Date: Tue, 9 Aug 2016 14:57:46 -0700
+Subject: pwm: Unexport children before chip removal
+
+From: David Hsu <davidhsu@google.com>
+
+commit 0733424c9ba9f42242409d1ece780777272f7ea1 upstream.
+
+Exported pwm channels aren't removed before the pwmchip and are
+leaked. This results in invalid sysfs files. This fix removes
+all exported pwm channels before chip removal.
+
+Signed-off-by: David Hsu <davidhsu@google.com>
+Fixes: 76abbdde2d95 ("pwm: Add sysfs interface")
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pwm/core.c | 2 ++
+ drivers/pwm/sysfs.c | 18 ++++++++++++++++++
+ include/linux/pwm.h | 5 +++++
+ 3 files changed, 25 insertions(+)
+
+--- a/drivers/pwm/core.c
++++ b/drivers/pwm/core.c
+@@ -339,6 +339,8 @@ int pwmchip_remove(struct pwm_chip *chip
+ unsigned int i;
+ int ret = 0;
+
++ pwmchip_sysfs_unexport_children(chip);
++
+ mutex_lock(&pwm_lock);
+
+ for (i = 0; i < chip->npwm; i++) {
+--- a/drivers/pwm/sysfs.c
++++ b/drivers/pwm/sysfs.c
+@@ -409,6 +409,24 @@ void pwmchip_sysfs_unexport(struct pwm_c
+ }
+ }
+
++void pwmchip_sysfs_unexport_children(struct pwm_chip *chip)
++{
++ struct device *parent;
++ unsigned int i;
++
++ parent = class_find_device(&pwm_class, NULL, chip,
++ pwmchip_sysfs_match);
++ if (!parent)
++ return;
++
++ for (i = 0; i < chip->npwm; i++) {
++ struct pwm_device *pwm = &chip->pwms[i];
++
++ if (test_bit(PWMF_EXPORTED, &pwm->flags))
++ pwm_unexport_child(parent, pwm);
++ }
++}
++
+ static int __init pwm_sysfs_init(void)
+ {
+ return class_register(&pwm_class);
+--- a/include/linux/pwm.h
++++ b/include/linux/pwm.h
+@@ -641,6 +641,7 @@ static inline void pwm_remove_table(stru
+ #ifdef CONFIG_PWM_SYSFS
+ void pwmchip_sysfs_export(struct pwm_chip *chip);
+ void pwmchip_sysfs_unexport(struct pwm_chip *chip);
++void pwmchip_sysfs_unexport_children(struct pwm_chip *chip);
+ #else
+ static inline void pwmchip_sysfs_export(struct pwm_chip *chip)
+ {
+@@ -649,6 +650,10 @@ static inline void pwmchip_sysfs_export(
+ static inline void pwmchip_sysfs_unexport(struct pwm_chip *chip)
+ {
+ }
++
++static inline void pwmchip_sysfs_unexport_children(struct pwm_chip *chip)
++{
++}
+ #endif /* CONFIG_PWM_SYSFS */
+
+ #endif /* __LINUX_PWM_H */
drm-i915-wait-for-fences-on-new-fb-not-old.patch
i2c-mark-device-nodes-only-in-case-of-successful-instantiation.patch
netfilter-xt_nflog-fix-unexpected-truncated-packet.patch
+ubi-fastmap-scrub-peb-when-bitflips-are-detected-in-a-free-peb-ec-header.patch
+uapi-add-missing-install-of-sync_file.h.patch
+video-fbdev-pxafb-potential-null-dereference-on-error.patch
+omapfb-fix-return-value-check-in-dsi_bind.patch
+pwm-unexport-children-before-chip-removal.patch
+usb-dwc3-fix-size-used-in-dma_free_coherent.patch
+usb-chipidea-host-fix-null-ptr-dereference-during-shutdown.patch
+usb-musb-fix-hardirq-safe-hardirq-unsafe-lock-order-error.patch
+v4l-vsp1-prevent-pipelines-from-running-when-not-streaming.patch
+tty-vt-fix-bogus-division-in-csi_j.patch
+arm-fix-oops-when-using-older-armv4t-cpus.patch
+kvm-x86-check-memopp-before-dereference-cve-2016-8630.patch
+btrfs-qgroup-prevent-qgroup-reserved-from-going-subzero.patch
+ubi-fastmap-fix-add_vol-return-value-test-in-ubi_attach_fastmap.patch
+cpufreq-intel_pstate-set-p-state-upfront-in-performance-mode.patch
+hid-usbhid-add-aten-cs962-to-list-of-quirky-devices.patch
--- /dev/null
+From 42acfc6615f47e465731c263bee0c799edb098f2 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Mon, 3 Oct 2016 11:00:17 +0200
+Subject: tty: vt, fix bogus division in csi_J
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit 42acfc6615f47e465731c263bee0c799edb098f2 upstream.
+
+In csi_J(3), the third parameter of scr_memsetw (vc_screenbuf_size) is
+divided by 2 inappropriatelly. But scr_memsetw expects size, not
+count, because it divides the size by 2 on its own before doing actual
+memset-by-words.
+
+So remove the bogus division.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: Petr Písař <ppisar@redhat.com>
+Fixes: f8df13e0a9 (tty: Clean console safely)
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/vt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -1181,7 +1181,7 @@ static void csi_J(struct vc_data *vc, in
+ break;
+ case 3: /* erase scroll-back buffer (and whole display) */
+ scr_memsetw(vc->vc_screenbuf, vc->vc_video_erase_char,
+- vc->vc_screenbuf_size >> 1);
++ vc->vc_screenbuf_size);
+ set_origin(vc);
+ if (con_is_visible(vc))
+ update_screen(vc);
--- /dev/null
+From 58f0f9f75c1b94dabbfc3daa333a4e68536b0a42 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Emilio=20L=C3=B3pez?= <emilio.lopez@collabora.co.uk>
+Date: Tue, 27 Sep 2016 11:31:42 -0300
+Subject: uapi: add missing install of sync_file.h
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Emilio López <emilio.lopez@collabora.co.uk>
+
+commit 58f0f9f75c1b94dabbfc3daa333a4e68536b0a42 upstream.
+
+As part of the sync framework destaging, the sync_file.h header
+was moved, but an entry was not added on Kbuild to install it.
+This patch resolves this omission so that "make headers_install"
+installs this header.
+
+Fixes: 460bfc41fd52 ("dma-buf/sync_file: de-stage sync_file headers")
+Reported-by: Michael Ellerman <mpe@ellerman.id.au>
+Reviewed-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+Signed-off-by: Emilio López <emilio.lopez@collabora.co.uk>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: http://patchwork.freedesktop.org/patch/msgid/20160927143142.8975-1-emilio.lopez@collabora.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/uapi/linux/Kbuild | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/uapi/linux/Kbuild
++++ b/include/uapi/linux/Kbuild
+@@ -396,6 +396,7 @@ header-y += string.h
+ header-y += suspend_ioctls.h
+ header-y += swab.h
+ header-y += synclink.h
++header-y += sync_file.h
+ header-y += sysctl.h
+ header-y += sysinfo.h
+ header-y += target_core_user.h
--- /dev/null
+From 40b6e61ac72e99672e47cdb99c8d7d226004169b Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Fri, 28 Oct 2016 11:08:44 +0200
+Subject: ubi: fastmap: Fix add_vol() return value test in ubi_attach_fastmap()
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit 40b6e61ac72e99672e47cdb99c8d7d226004169b upstream.
+
+Commit e96a8a3bb671 ("UBI: Fastmap: Do not add vol if it already
+exists") introduced a bug by changing the possible error codes returned
+by add_vol():
+- this function no longer returns NULL in case of allocation failure
+ but return ERR_PTR(-ENOMEM)
+- when a duplicate entry in the volume RB tree is found it returns
+ ERR_PTR(-EEXIST) instead of ERR_PTR(-EINVAL)
+
+Fix the tests done on add_vol() return val to match this new behavior.
+
+Fixes: e96a8a3bb671 ("UBI: Fastmap: Do not add vol if it already exists")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Acked-by: Sheng Yong <shengyong1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/ubi/fastmap.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/mtd/ubi/fastmap.c
++++ b/drivers/mtd/ubi/fastmap.c
+@@ -751,11 +751,11 @@ static int ubi_attach_fastmap(struct ubi
+ fmvhdr->vol_type,
+ be32_to_cpu(fmvhdr->last_eb_bytes));
+
+- if (!av)
+- goto fail_bad;
+- if (PTR_ERR(av) == -EINVAL) {
+- ubi_err(ubi, "volume (ID %i) already exists",
+- fmvhdr->vol_id);
++ if (IS_ERR(av)) {
++ if (PTR_ERR(av) == -EEXIST)
++ ubi_err(ubi, "volume (ID %i) already exists",
++ fmvhdr->vol_id);
++
+ goto fail_bad;
+ }
+
--- /dev/null
+From ecbfa8eabae9cd73522d1d3d15869703c263d859 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Fri, 16 Sep 2016 16:59:12 +0200
+Subject: UBI: fastmap: scrub PEB when bitflips are detected in a free PEB EC header
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit ecbfa8eabae9cd73522d1d3d15869703c263d859 upstream.
+
+scan_pool() does not mark the PEB for scrubing when bitflips are
+detected in the EC header of a free PEB (VID header region left to
+0xff).
+Make sure we scrub the PEB in this case.
+
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Fixes: dbb7d2a88d2a ("UBI: Add fastmap core")
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/ubi/fastmap.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/ubi/fastmap.c
++++ b/drivers/mtd/ubi/fastmap.c
+@@ -515,10 +515,11 @@ static int scan_pool(struct ubi_device *
+ unsigned long long ec = be64_to_cpu(ech->ec);
+ unmap_peb(ai, pnum);
+ dbg_bld("Adding PEB to free: %i", pnum);
++
+ if (err == UBI_IO_FF_BITFLIPS)
+- add_aeb(ai, free, pnum, ec, 1);
+- else
+- add_aeb(ai, free, pnum, ec, 0);
++ scrub = 1;
++
++ add_aeb(ai, free, pnum, ec, scrub);
+ continue;
+ } else if (err == 0 || err == UBI_IO_BITFLIPS) {
+ dbg_bld("Found non empty PEB:%i in pool", pnum);
--- /dev/null
+From 991d5add50a5bb6ab8f12f2129f5c7487f6baaf6 Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Sat, 10 Sep 2016 12:53:21 +0000
+Subject: usb: chipidea: host: fix NULL ptr dereference during shutdown
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+commit 991d5add50a5bb6ab8f12f2129f5c7487f6baaf6 upstream.
+
+After commit b09b5224fe86 ("usb: chipidea: implement platform shutdown
+callback") and commit 43a404577a93 ("usb: chipidea: host: set host to
+be null after hcd is freed") a NULL pointer dereference is caused
+on i.MX23 during shutdown. So ensure that role is set to CI_ROLE_END and
+we finish interrupt handling before the hcd is deallocated. This avoids
+the NULL pointer dereference.
+
+Suggested-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Fixes: b09b5224fe86 ("usb: chipidea: implement platform shutdown callback")
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/chipidea/host.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/chipidea/host.c
++++ b/drivers/usb/chipidea/host.c
+@@ -185,6 +185,8 @@ static void host_stop(struct ci_hdrc *ci
+
+ if (hcd) {
+ usb_remove_hcd(hcd);
++ ci->role = CI_ROLE_END;
++ synchronize_irq(ci->irq);
+ usb_put_hcd(hcd);
+ if (ci->platdata->reg_vbus && !ci_otg_is_fsm_mode(ci) &&
+ (ci->platdata->flags & CI_HDRC_TURN_VBUS_EARLY_ON))
--- /dev/null
+From 51fbc7c06c8900370c6da5fc4a4685add8fa4fb0 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Fri, 7 Oct 2016 22:12:39 +0200
+Subject: usb: dwc3: Fix size used in dma_free_coherent()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 51fbc7c06c8900370c6da5fc4a4685add8fa4fb0 upstream.
+
+In commit 2abd9d5fa60f9 ("usb: dwc3: ep0: Add chained TRB support"), the
+size of the memory allocated with 'dma_alloc_coherent()' has been modified
+but the corresponding calls to 'dma_free_coherent()' have not been updated
+accordingly.
+
+This has been spotted with coccinelle, using the following script:
+////////////////////
+@r@
+expression x0, x1, y0, y1, z0, z1, t0, t1, ret;
+@@
+
+* ret = dma_alloc_coherent(x0, y0, z0, t0);
+ ...
+* dma_free_coherent(x1, y1, ret, t1);
+
+@script:python@
+y0 << r.y0;
+y1 << r.y1;
+
+@@
+if y1.find(y0) == -1:
+ print "WARNING: sizes look different: '%s' vs '%s'" % (y0, y1)
+////////////////////
+
+Fixes: 2abd9d5fa60f9 ("usb: dwc3: ep0: Add chained TRB support")
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/gadget.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -3055,7 +3055,7 @@ err3:
+ kfree(dwc->setup_buf);
+
+ err2:
+- dma_free_coherent(dwc->dev, sizeof(*dwc->ep0_trb),
++ dma_free_coherent(dwc->dev, sizeof(*dwc->ep0_trb) * 2,
+ dwc->ep0_trb, dwc->ep0_trb_addr);
+
+ err1:
+@@ -3080,7 +3080,7 @@ void dwc3_gadget_exit(struct dwc3 *dwc)
+ kfree(dwc->setup_buf);
+ kfree(dwc->zlp_buf);
+
+- dma_free_coherent(dwc->dev, sizeof(*dwc->ep0_trb),
++ dma_free_coherent(dwc->dev, sizeof(*dwc->ep0_trb) * 2,
+ dwc->ep0_trb, dwc->ep0_trb_addr);
+
+ dma_free_coherent(dwc->dev, sizeof(*dwc->ctrl_req),
--- /dev/null
+From d8e5f0eca1e88215e45aca27115ea747e6164da1 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Wed, 19 Oct 2016 12:03:39 -0500
+Subject: usb: musb: Fix hardirq-safe hardirq-unsafe lock order error
+
+From: Tony Lindgren <tony@atomide.com>
+
+commit d8e5f0eca1e88215e45aca27115ea747e6164da1 upstream.
+
+If we configure musb with 2430 glue as a peripheral, and then rmmod
+omap2430 module, we'll get the following error:
+
+[ INFO: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected ]
+...
+rmmod/413 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
+ (&phy->mutex){+.+.+.}, at: [<c04b9fd0>] phy_power_off+0x1c/0xb8
+[ 204.678710]
+ and this task is already holding:
+ (&(&musb->lock)->rlock){-.-...}, at: [<bf3a482c>]
+ musb_gadget_stop+0x24/0xec [musb_hdrc]
+which would create a new lock dependency:
+ (&(&musb->lock)->rlock){-.-...} -> (&phy->mutex){+.+.+.}
+...
+
+This is because some glue layers expect musb_platform_enable/disable
+to be called with spinlock held, and 2430 glue layer has USB PHY on
+the I2C bus using a mutex.
+
+We could fix the glue layers to take the spinlock, but we still have
+a problem of musb_plaform_enable/disable being called in an unbalanced
+manner. So that would still lead into USB PHY enable/disable related
+problems for omap2430 glue layer.
+
+While it makes sense to only enable USB PHY when needed from PM point
+of view, in this case we just can't do it yet without breaking things.
+So let's just revert phy_enable/disable related changes instead and
+reconsider this after we have fixed musb_platform_enable/disable to
+be balanced.
+
+Fixes: a83e17d0f73b ("usb: musb: Improve PM runtime and phy handling for 2430 glue layer")
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/musb/omap2430.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/musb/omap2430.c
++++ b/drivers/usb/musb/omap2430.c
+@@ -337,6 +337,7 @@ static int omap2430_musb_init(struct mus
+ }
+ musb->isr = omap2430_musb_interrupt;
+ phy_init(musb->phy);
++ phy_power_on(musb->phy);
+
+ l = musb_readl(musb->mregs, OTG_INTERFSEL);
+
+@@ -373,8 +374,6 @@ static void omap2430_musb_enable(struct
+ struct musb_hdrc_platform_data *pdata = dev_get_platdata(dev);
+ struct omap_musb_board_data *data = pdata->board_data;
+
+- if (!WARN_ON(!musb->phy))
+- phy_power_on(musb->phy);
+
+ omap2430_set_power(musb, true, glue->cable_connected);
+
+@@ -413,9 +412,6 @@ static void omap2430_musb_disable(struct
+ struct device *dev = musb->controller;
+ struct omap2430_glue *glue = dev_get_drvdata(dev->parent);
+
+- if (!WARN_ON(!musb->phy))
+- phy_power_off(musb->phy);
+-
+ if (glue->status != MUSB_UNKNOWN)
+ omap_control_usb_set_mode(glue->control_otghs,
+ USB_MODE_DISCONNECT);
+@@ -429,6 +425,7 @@ static int omap2430_musb_exit(struct mus
+ struct omap2430_glue *glue = dev_get_drvdata(dev->parent);
+
+ omap2430_low_level_exit(musb);
++ phy_power_off(musb->phy);
+ phy_exit(musb->phy);
+ musb->phy = NULL;
+ cancel_work_sync(&glue->omap_musb_mailbox_work);
--- /dev/null
+From e4e70a147a48618a36ae1b81c641516cb9d45993 Mon Sep 17 00:00:00 2001
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Date: Fri, 8 Jul 2016 06:20:51 -0300
+Subject: [media] v4l: vsp1: Prevent pipelines from running when not streaming
+
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+
+commit e4e70a147a48618a36ae1b81c641516cb9d45993 upstream.
+
+Pipelines can only be run if all their video nodes are streaming. Commit
+b4dfb9b35a19 ("[media] v4l: vsp1: Stop the pipeline upon the first
+STREAMOFF") fixed the pipeline stop sequence, but introduced a race
+condition that makes it possible to run a pipeline after stopping the
+stream on a video node by queuing a buffer on the other side of the
+pipeline.
+
+Fix this by clearing the buffers ready flag when stopping the stream,
+which will prevent the QBUF handler from running the pipeline.
+
+Fixes: b4dfb9b35a19 ("[media] v4l: vsp1: Stop the pipeline upon the first STREAMOFF")
+
+Reported-by: Kieran Bingham <kieran@bingham.xyz>
+Tested-by: Kieran Bingham <kieran@bingham.xyz>
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/vsp1/vsp1_video.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/media/platform/vsp1/vsp1_video.c
++++ b/drivers/media/platform/vsp1/vsp1_video.c
+@@ -675,6 +675,13 @@ static void vsp1_video_stop_streaming(st
+ unsigned long flags;
+ int ret;
+
++ /* Clear the buffers ready flag to make sure the device won't be started
++ * by a QBUF on the video node on the other side of the pipeline.
++ */
++ spin_lock_irqsave(&video->irqlock, flags);
++ pipe->buffers_ready &= ~(1 << video->pipe_index);
++ spin_unlock_irqrestore(&video->irqlock, flags);
++
+ mutex_lock(&pipe->lock);
+ if (--pipe->stream_count == pipe->num_inputs) {
+ /* Stop the pipeline. */
--- /dev/null
+From e0299908d606a99e7ffb467bc3c11dfe54133af3 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 15 Jul 2016 14:07:32 +0300
+Subject: video: fbdev: pxafb: potential NULL dereference on error
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit e0299908d606a99e7ffb467bc3c11dfe54133af3 upstream.
+
+If we "goto out;" then it calls display_timings_release(timings);
+Since "timings" is NULL, that's going to oops. Just return directly.
+
+Fixes: 420a488278e8 ('video: fbdev: pxafb: initial devicetree conversion')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/pxafb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/pxafb.c
++++ b/drivers/video/fbdev/pxafb.c
+@@ -2125,7 +2125,7 @@ static int of_get_pxafb_display(struct d
+
+ timings = of_get_display_timings(disp);
+ if (!timings)
+- goto out;
++ return -EINVAL;
+
+ ret = -ENOMEM;
+ info->modes = kmalloc_array(timings->num_timings,
projects / thirdparty / kernel / stable-queue.git / commitdiff
