--- /dev/null
+From 1b283eea6228880b765bc40fe4e555416437ce58 Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Fri, 7 Oct 2016 10:52:17 +0200
+Subject: ARM: dts: fix the SD card on the Snowball
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit 1b283eea6228880b765bc40fe4e555416437ce58 upstream.
+
+This fixes a very annoying regression on the Snowball SD card
+that has been around for a while. It turns out that the device
+tree does not configure the direction pins properly, nor sets
+up the pins for the voltage converter properly at boot. Unless
+all things are correctly set up, the feedback clock will not
+work, and makes the driver spew messages in the console (but
+it works, very slowly):
+
+root@Ux500:/ mount /dev/mmcblk0p2 /mnt/
+[ 9.953460] mmci-pl18x 80126000.sdi0_per1: error during DMA transfer!
+[ 9.960296] mmcblk0: error -110 sending status command, retrying
+[ 9.966461] mmcblk0: error -110 sending status command, retrying
+[ 9.972534] mmcblk0: error -110 sending status command, aborting
+
+Fix this by rectifying the device tree to correspond to that of
+the Ux500 HREF boards plus the DAT31DIR setting that is unique for
+the Snowball, and things start working smoothly. Add in the SDR12
+and SDR25 modes which this host can do without any problems.
+
+I don't know if this has ever been correct, sadly. It works after
+this patch.
+
+Reported-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Cc: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/ste-snowball.dts | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/ste-snowball.dts
++++ b/arch/arm/boot/dts/ste-snowball.dts
+@@ -239,14 +239,25 @@
+ arm,primecell-periphid = <0x10480180>;
+ max-frequency = <100000000>;
+ bus-width = <4>;
++ cap-sd-highspeed;
+ cap-mmc-highspeed;
++ sd-uhs-sdr12;
++ sd-uhs-sdr25;
++ /* All direction control is used */
++ st,sig-dir-cmd;
++ st,sig-dir-dat0;
++ st,sig-dir-dat2;
++ st,sig-dir-dat31;
++ st,sig-pin-fbclk;
++ full-pwr-cycle;
+ vmmc-supply = <&ab8500_ldo_aux3_reg>;
+ vqmmc-supply = <&vmmci>;
+ pinctrl-names = "default", "sleep";
+ pinctrl-0 = <&sdi0_default_mode>;
+ pinctrl-1 = <&sdi0_sleep_mode>;
+
+- cd-gpios = <&gpio6 26 GPIO_ACTIVE_LOW>; // 218
++ /* GPIO218 MMC_CD */
++ cd-gpios = <&gpio6 26 GPIO_ACTIVE_LOW>;
+
+ status = "okay";
+ };
+@@ -549,7 +560,7 @@
+ /* VMMCI level-shifter enable */
+ snowball_cfg3 {
+ pins = "GPIO217_AH12";
+- ste,config = <&gpio_out_lo>;
++ ste,config = <&gpio_out_hi>;
+ };
+ /* VMMCI level-shifter voltage select */
+ snowball_cfg4 {
--- /dev/null
+From 33c45ef8adc8a7cf781b2566d50e6ea8e97b3596 Mon Sep 17 00:00:00 2001
+From: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Date: Mon, 19 Sep 2016 12:02:50 +0200
+Subject: ARM: mvebu: Select corediv clk for all mvebu v7 SoC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gregory CLEMENT <gregory.clement@free-electrons.com>
+
+commit 33c45ef8adc8a7cf781b2566d50e6ea8e97b3596 upstream.
+
+Since the commit bd3677ff31a3 ("clk: mvebu: Remove corediv clock from
+Armada XP"), the corediv clk is no more selected for Armada XP, however
+this clock is used for Armada XP using the compatible
+armada-370-corediv-clock.
+
+While since commit 1594d568c6e3 ("clk: mvebu: Move corediv config to
+mvebu config") Armada 38x and Armada 375 got corediv support again, not
+only Armada XP was missed but also Armada 39x.
+
+Actually all the SoC selecting MVEBU_V7 config need this clock:
+git grep "\-corediv-clock" arch/arm/boot/dts
+arch/arm/boot/dts/armada-370-xp.dtsi: compatible = "marvell,armada-370-corediv-clock";
+arch/arm/boot/dts/armada-375.dtsi: compatible = "marvell,armada-375-corediv-clock";
+arch/arm/boot/dts/armada-38x.dtsi: compatible = "marvell,armada-380-corediv-clock";
+arch/arm/boot/dts/armada-39x.dtsi: compatible = "marvell,armada-390-corediv-clock"
+
+This commit now fixes this behavior by letting MVEBU_V7 select
+MVEBU_CLK_COREDIV.
+
+Fixes: bd3677ff31a3 ("clk: mvebu: Remove corediv clock from Armada XP")
+Reported-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-mvebu/Kconfig | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/arm/mach-mvebu/Kconfig
++++ b/arch/arm/mach-mvebu/Kconfig
+@@ -23,6 +23,7 @@ config MACH_MVEBU_V7
+ select CACHE_L2X0
+ select ARM_CPU_SUSPEND
+ select MACH_MVEBU_ANY
++ select MVEBU_CLK_COREDIV
+
+ config MACH_ARMADA_370
+ bool "Marvell Armada 370 boards"
+@@ -32,7 +33,6 @@ config MACH_ARMADA_370
+ select CPU_PJ4B
+ select MACH_MVEBU_V7
+ select PINCTRL_ARMADA_370
+- select MVEBU_CLK_COREDIV
+ help
+ Say 'Y' here if you want your kernel to support boards based
+ on the Marvell Armada 370 SoC with device tree.
+@@ -50,7 +50,6 @@ config MACH_ARMADA_375
+ select HAVE_SMP
+ select MACH_MVEBU_V7
+ select PINCTRL_ARMADA_375
+- select MVEBU_CLK_COREDIV
+ help
+ Say 'Y' here if you want your kernel to support boards based
+ on the Marvell Armada 375 SoC with device tree.
+@@ -68,7 +67,6 @@ config MACH_ARMADA_38X
+ select HAVE_SMP
+ select MACH_MVEBU_V7
+ select PINCTRL_ARMADA_38X
+- select MVEBU_CLK_COREDIV
+ help
+ Say 'Y' here if you want your kernel to support boards based
+ on the Marvell Armada 380/385 SoC with device tree.
--- /dev/null
+From dcb2ff56417362c31f6b430c3c531a84581e8721 Mon Sep 17 00:00:00 2001
+From: Heinz Mauelshagen <heinzm@redhat.com>
+Date: Mon, 10 Oct 2016 17:58:32 +0200
+Subject: dm mirror: fix read error on recovery after default leg failure
+
+From: Heinz Mauelshagen <heinzm@redhat.com>
+
+commit dcb2ff56417362c31f6b430c3c531a84581e8721 upstream.
+
+If a default leg has failed, any read will cause a new operational
+default leg to be selected and the read is resubmitted. But until now
+the read will return failure even though it was successful due to
+resubmission. The reason for this is bio->bi_error was not being
+cleared before resubmitting the bio.
+
+Fix by clearing bio->bi_error before resubmission.
+
+Fixes: 4246a0b63bd8 ("block: add a bi_error field to struct bio")
+Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-raid1.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/dm-raid1.c
++++ b/drivers/md/dm-raid1.c
+@@ -1292,6 +1292,7 @@ static int mirror_end_io(struct dm_targe
+
+ dm_bio_restore(bd, bio);
+ bio_record->details.bi_bdev = NULL;
++ bio->bi_error = 0;
+
+ queue_bio(ms, bio, rw);
+ return DM_ENDIO_INCOMPLETE;
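Review bot: The added `bio->bi_error = 0;` carries no comment, and the hunk does not show why the field needs a manual reset right after dm_bio_restore(). A one-line comment above it, such as `/* drop the error left by the failed leg; the resubmitted read reports its own status */`, would stop a later cleanup from removing the line as redundant. mirror_end_io starts and ends outside the hunk.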
--- /dev/null
+From b052b07c39d593c9954a84d5bbe1563999483f38 Mon Sep 17 00:00:00 2001
+From: Heinz Mauelshagen <heinzm@redhat.com>
+Date: Mon, 17 Oct 2016 21:20:07 +0200
+Subject: dm raid: fix activation of existing raid4/10 devices
+
+From: Heinz Mauelshagen <heinzm@redhat.com>
+
+commit b052b07c39d593c9954a84d5bbe1563999483f38 upstream.
+
+dm-raid 1.9.0 fails to activate existing RAID4/10 devices that have the
+old superblock format (which does not have takeover/reshaping support
+that was added via commit 33e53f06850f).
+
+Fix validation path for old superblocks by reverting to the old raid4
+layout and basing checks on mddev->new_{level,layout,...} members in
+super_init_validation().
+
+Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/device-mapper/dm-raid.txt | 1 +
+ drivers/md/dm-raid.c | 12 +++++++-----
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/Documentation/device-mapper/dm-raid.txt
++++ b/Documentation/device-mapper/dm-raid.txt
+@@ -309,3 +309,4 @@ Version History
+ with a reshape in progress.
+ 1.9.0 Add support for RAID level takeover/reshape/region size
+ and set size reduction.
++1.9.1 Fix activation of existing RAID 4/10 mapped devices
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -266,7 +266,7 @@ static struct raid_type {
+ {"raid10_offset", "raid10 offset (striped mirrors)", 0, 2, 10, ALGORITHM_RAID10_OFFSET},
+ {"raid10_near", "raid10 near (striped mirrors)", 0, 2, 10, ALGORITHM_RAID10_NEAR},
+ {"raid10", "raid10 (striped mirrors)", 0, 2, 10, ALGORITHM_RAID10_DEFAULT},
+- {"raid4", "raid4 (dedicated last parity disk)", 1, 2, 4, ALGORITHM_PARITY_N}, /* raid4 layout = raid5_n */
++ {"raid4", "raid4 (dedicated first parity disk)", 1, 2, 5, ALGORITHM_PARITY_0}, /* raid4 layout = raid5_0 */
+ {"raid5_n", "raid5 (dedicated last parity disk)", 1, 2, 5, ALGORITHM_PARITY_N},
+ {"raid5_ls", "raid5 (left symmetric)", 1, 2, 5, ALGORITHM_LEFT_SYMMETRIC},
+ {"raid5_rs", "raid5 (right symmetric)", 1, 2, 5, ALGORITHM_RIGHT_SYMMETRIC},
+@@ -2087,11 +2087,11 @@ static int super_init_validation(struct
+ /*
+ * No takeover/reshaping, because we don't have the extended v1.9.0 metadata
+ */
+- if (le32_to_cpu(sb->level) != mddev->level) {
++ if (le32_to_cpu(sb->level) != mddev->new_level) {
+ DMERR("Reshaping/takeover raid sets not yet supported. (raid level/stripes/size change)");
+ return -EINVAL;
+ }
+- if (le32_to_cpu(sb->layout) != mddev->layout) {
++ if (le32_to_cpu(sb->layout) != mddev->new_layout) {
+ DMERR("Reshaping raid sets not yet supported. (raid layout change)");
+ DMERR(" 0x%X vs 0x%X", le32_to_cpu(sb->layout), mddev->layout);
+ DMERR(" Old layout: %s w/ %d copies",
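Review bot: The layout check now compares against `mddev->new_layout`, but the diagnostics after it still print `mddev->layout`: the `0x%X vs 0x%X` line in this hunk and `raid10_md_layout_to_copies(mddev->layout)` in the next one. When the two members differ, the log shows a value that is not the one that failed the comparison. Print the member that was compared, e.g. `DMERR(" 0x%X vs 0x%X", le32_to_cpu(sb->layout), mddev->new_layout);`, and do the same for the copies line. super_init_validation begins and ends outside these hunks, so whether the two members can diverge at this point should be confirmed.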
+@@ -2102,7 +2102,7 @@ static int super_init_validation(struct
+ raid10_md_layout_to_copies(mddev->layout));
+ return -EINVAL;
+ }
+- if (le32_to_cpu(sb->stripe_sectors) != mddev->chunk_sectors) {
++ if (le32_to_cpu(sb->stripe_sectors) != mddev->new_chunk_sectors) {
+ DMERR("Reshaping raid sets not yet supported. (stripe sectors change)");
+ return -EINVAL;
+ }
+@@ -2115,6 +2115,8 @@ static int super_init_validation(struct
+ return -EINVAL;
+ }
+
++ DMINFO("Discovered old metadata format; upgrading to extended metadata format");
++
+ /* Table line is checked vs. authoritative superblock */
+ rs_set_new(rs);
+ }
+@@ -3647,7 +3649,7 @@ static void raid_resume(struct dm_target
+
+ static struct target_type raid_target = {
+ .name = "raid",
+- .version = {1, 9, 0},
++ .version = {1, 9, 1},
+ .module = THIS_MODULE,
+ .ctr = raid_ctr,
+ .dtr = raid_dtr,
--- /dev/null
+From 5c33677c87cbe44ae04df69c4a29c1750a9ec4e5 Mon Sep 17 00:00:00 2001
+From: Andy Whitcroft <apw@canonical.com>
+Date: Tue, 11 Oct 2016 15:16:57 +0100
+Subject: dm raid: fix compat_features validation
+
+From: Andy Whitcroft <apw@canonical.com>
+
+commit 5c33677c87cbe44ae04df69c4a29c1750a9ec4e5 upstream.
+
+In ecbfb9f118bce4 ("dm raid: add raid level takeover support") a new
+compatible feature flag was added. Validation for these compat_features
+was added but this only passes for new raid mappings with this feature
+flag. This causes previously created raid mappings to be failed at
+import.
+
+Check compat_features for the only valid combination.
+
+Fixes: ecbfb9f118bce4 ("dm raid: add raid level takeover support")
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-raid.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -2258,7 +2258,8 @@ static int super_validate(struct raid_se
+ if (!mddev->events && super_init_validation(rs, rdev))
+ return -EINVAL;
+
+- if (le32_to_cpu(sb->compat_features) != FEATURE_FLAG_SUPPORTS_V190) {
++ if (le32_to_cpu(sb->compat_features) &&
++ le32_to_cpu(sb->compat_features) != FEATURE_FLAG_SUPPORTS_V190) {
+ rs->ti->error = "Unable to assemble array: Unknown flag(s) in compatible feature flags";
+ return -EINVAL;
+ }
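Review bot: The new condition converts `sb->compat_features` twice and spells "zero or exactly FEATURE_FLAG_SUPPORTS_V190" as two comparisons, which hides that the aim is to reject unknown bits in an on-disk field. If FEATURE_FLAG_SUPPORTS_V190 is a single-bit flag (its definition is outside the hunk), `if (le32_to_cpu(sb->compat_features) & ~FEATURE_FLAG_SUPPORTS_V190) {` accepts the same values with one read. That form also keeps working once further compatible flags are OR-ed into the mask. super_validate continues outside the hunk.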
--- /dev/null
+From 937fa62e8a00d0b4bc2c0a40567d7c88ab2b2e8d Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Tue, 18 Oct 2016 14:02:04 -0400
+Subject: dm rq: clear kworker_task if kthread_run() returned an error
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit 937fa62e8a00d0b4bc2c0a40567d7c88ab2b2e8d upstream.
+
+cleanup_mapped_device() calls kthread_stop() if kworker_task is
+non-NULL. Currently the assigned value could be a valid task struct or
+an error code (e.g -ENOMEM). Reset md->kworker_task to NULL if
+kthread_run() returned an error.
+
+Fixes: 7193a9defc ("dm rq: check kthread_run return for .request_fn request-based DM")
+Reported-by: Tahsin Erdogan <tahsin@google.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-rq.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-rq.c
++++ b/drivers/md/dm-rq.c
+@@ -835,8 +835,11 @@ int dm_old_init_request_queue(struct map
+ init_kthread_worker(&md->kworker);
+ md->kworker_task = kthread_run(kthread_worker_fn, &md->kworker,
+ "kdmwork-%s", dm_device_name(md));
+- if (IS_ERR(md->kworker_task))
+- return PTR_ERR(md->kworker_task);
++ if (IS_ERR(md->kworker_task)) {
++ int error = PTR_ERR(md->kworker_task);
++ md->kworker_task = NULL;
++ return error;
++ }
+
+ elv_register_queue(md->queue);
+
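Review bot: `md->kworker_task` still holds an ERR_PTR value between the kthread_run() assignment and the reset added here. Taking the result in a local and storing it only on success would keep the field at either its previous value or a valid task: `struct task_struct *t = kthread_run(...);` then `if (IS_ERR(t)) return PTR_ERR(t);` and `md->kworker_task = t;`. That relies on the field being NULL before this call, which is outside the hunk and should be confirmed. If the current form is kept, kernel style wants a blank line after the `int error = PTR_ERR(md->kworker_task);` declaration.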
--- /dev/null
+From dafa724bf582181d9a7d54f5cb4ca0bf8ef29269 Mon Sep 17 00:00:00 2001
+From: "tang.junhui" <tang.junhui@zte.com.cn>
+Date: Fri, 21 Oct 2016 09:35:32 +0800
+Subject: dm table: fix missing dm_put_target_type() in dm_table_add_target()
+
+From: tang.junhui <tang.junhui@zte.com.cn>
+
+commit dafa724bf582181d9a7d54f5cb4ca0bf8ef29269 upstream.
+
+dm_get_target_type() was previously called so any error returned from
+dm_table_add_target() must first call dm_put_target_type(). Otherwise
+the DM target module's reference count will leak and the associated
+kernel module will be unable to be removed.
+
+Also, leverage the fact that r is already -EINVAL and remove an extra
+newline.
+
+Fixes: 36a0456 ("dm table: add immutable feature")
+Fixes: cc6cbe1 ("dm table: add always writeable feature")
+Fixes: 3791e2f ("dm table: add singleton feature")
+Signed-off-by: tang.junhui <tang.junhui@zte.com.cn>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-table.c | 24 +++++++++---------------
+ 1 file changed, 9 insertions(+), 15 deletions(-)
+
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -695,37 +695,32 @@ int dm_table_add_target(struct dm_table
+
+ tgt->type = dm_get_target_type(type);
+ if (!tgt->type) {
+- DMERR("%s: %s: unknown target type", dm_device_name(t->md),
+- type);
++ DMERR("%s: %s: unknown target type", dm_device_name(t->md), type);
+ return -EINVAL;
+ }
+
+ if (dm_target_needs_singleton(tgt->type)) {
+ if (t->num_targets) {
+- DMERR("%s: target type %s must appear alone in table",
+- dm_device_name(t->md), type);
+- return -EINVAL;
++ tgt->error = "singleton target type must appear alone in table";
++ goto bad;
+ }
+ t->singleton = true;
+ }
+
+ if (dm_target_always_writeable(tgt->type) && !(t->mode & FMODE_WRITE)) {
+- DMERR("%s: target type %s may not be included in read-only tables",
+- dm_device_name(t->md), type);
+- return -EINVAL;
++ tgt->error = "target type may not be included in a read-only table";
++ goto bad;
+ }
+
+ if (t->immutable_target_type) {
+ if (t->immutable_target_type != tgt->type) {
+- DMERR("%s: immutable target type %s cannot be mixed with other target types",
+- dm_device_name(t->md), t->immutable_target_type->name);
+- return -EINVAL;
++ tgt->error = "immutable target type cannot be mixed with other target types";
++ goto bad;
+ }
+ } else if (dm_target_is_immutable(tgt->type)) {
+ if (t->num_targets) {
+- DMERR("%s: immutable target type %s cannot be mixed with other target types",
+- dm_device_name(t->md), tgt->type->name);
+- return -EINVAL;
++ tgt->error = "immutable target type cannot be mixed with other target types";
++ goto bad;
+ }
+ t->immutable_target_type = tgt->type;
+ }
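Review bot: The four new `goto bad` paths set `tgt->error` but never assign `r`, so the return value depends on `r` still being -EINVAL from an initialisation that is outside the hunk. The following hunk removes the explicit `r = -EINVAL` before the "Gap in table" goto on the same assumption. A comment at the declaration of `r`, e.g. `/* stays -EINVAL until the target ctr runs; the early goto bad paths depend on it */`, would protect the error paths from a later edit that assigns `r` before these checks. The removed DMERR calls also named the offending target type (`type`, `tgt->type->name`), which the fixed strings no longer do. Whether the `bad:` label logs the type is not visible here.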
+@@ -740,7 +735,6 @@ int dm_table_add_target(struct dm_table
+ */
+ if (!adjoin(t, tgt)) {
+ tgt->error = "Gap in table";
+- r = -EINVAL;
+ goto bad;
+ }
+
--- /dev/null
+From e9300a4b7bbae83af1f7703938c94cf6dc6d308f Mon Sep 17 00:00:00 2001
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Date: Sun, 30 Oct 2016 17:32:01 +0100
+Subject: firewire: net: fix fragmented datagram_size off-by-one
+
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+
+commit e9300a4b7bbae83af1f7703938c94cf6dc6d308f upstream.
+
+RFC 2734 defines the datagram_size field in fragment encapsulation
+headers thus:
+
+ datagram_size: The encoded size of the entire IP datagram. The
+ value of datagram_size [...] SHALL be one less than the value of
+ Total Length in the datagram's IP header (see STD 5, RFC 791).
+
+Accordingly, the eth1394 driver of Linux 2.6.36 and older set and got
+this field with a -/+1 offset:
+
+ ether1394_tx() /* transmit */
+ ether1394_encapsulate_prep()
+ hdr->ff.dg_size = dg_size - 1;
+
+ ether1394_data_handler() /* receive */
+ if (hdr->common.lf == ETH1394_HDR_LF_FF)
+ dg_size = hdr->ff.dg_size + 1;
+ else
+ dg_size = hdr->sf.dg_size + 1;
+
+Likewise, I observe OS X 10.4 and Windows XP Pro SP3 to transmit 1500
+byte sized datagrams in fragments with datagram_size=1499 if link
+fragmentation is required.
+
+Only firewire-net sets and gets datagram_size without this offset. The
+result is lacking interoperability of firewire-net with OS X, Windows
+XP, and presumably Linux' eth1394. (I did not test with the latter.)
+For example, FTP data transfers to a Linux firewire-net box with max_rec
+smaller than the 1500 bytes MTU
+ - from OS X fail entirely,
+ - from Win XP start out with a bunch of fragmented datagrams which
+ time out, then continue with unfragmented datagrams because Win XP
+ temporarily reduces the MTU to 576 bytes.
+
+So let's fix firewire-net's datagram_size accessors.
+
+Note that firewire-net thereby loses interoperability with unpatched
+firewire-net, but only if link fragmentation is employed. (This happens
+with large broadcast datagrams, and with large datagrams on several
+FireWire CardBus cards with smaller max_rec than equivalent PCI cards,
+and it can be worked around by setting a small enough MTU.)
+
+Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firewire/net.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/firewire/net.c
++++ b/drivers/firewire/net.c
+@@ -73,13 +73,13 @@ struct rfc2734_header {
+
+ #define fwnet_get_hdr_lf(h) (((h)->w0 & 0xc0000000) >> 30)
+ #define fwnet_get_hdr_ether_type(h) (((h)->w0 & 0x0000ffff))
+-#define fwnet_get_hdr_dg_size(h) (((h)->w0 & 0x0fff0000) >> 16)
++#define fwnet_get_hdr_dg_size(h) ((((h)->w0 & 0x0fff0000) >> 16) + 1)
+ #define fwnet_get_hdr_fg_off(h) (((h)->w0 & 0x00000fff))
+ #define fwnet_get_hdr_dgl(h) (((h)->w1 & 0xffff0000) >> 16)
+
+-#define fwnet_set_hdr_lf(lf) ((lf) << 30)
++#define fwnet_set_hdr_lf(lf) ((lf) << 30)
+ #define fwnet_set_hdr_ether_type(et) (et)
+-#define fwnet_set_hdr_dg_size(dgs) ((dgs) << 16)
++#define fwnet_set_hdr_dg_size(dgs) (((dgs) - 1) << 16)
+ #define fwnet_set_hdr_fg_off(fgo) (fgo)
+
+ #define fwnet_set_hdr_dgl(dgl) ((dgl) << 16)
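Review bot: `fwnet_set_hdr_dg_size()` now expands to `(((dgs) - 1) << 16)` with no mask, so a `dgs` of 0 or above 4096 would spill into the bits of the same word that `fwnet_set_hdr_lf()` fills. The callers are outside the hunk and may never pass such a value. Masking still makes the macro safe on its own: `#define fwnet_set_hdr_dg_size(dgs) ((((dgs) - 1) & 0xfff) << 16)`. The getter and setter now hide a +1/-1 conversion, so a one-line comment above them, such as `/* RFC 2734: the datagram_size field carries the datagram size minus one */`, would explain the asymmetry to the next reader.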
+@@ -622,7 +622,7 @@ static int fwnet_incoming_packet(struct
+ fg_off = fwnet_get_hdr_fg_off(&hdr);
+ }
+ datagram_label = fwnet_get_hdr_dgl(&hdr);
+- dg_size = fwnet_get_hdr_dg_size(&hdr); /* ??? + 1 */
++ dg_size = fwnet_get_hdr_dg_size(&hdr);
+
+ if (fg_off + len > dg_size)
+ return 0;
--- /dev/null
+From 667121ace9dbafb368618dbabcf07901c962ddac Mon Sep 17 00:00:00 2001
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Date: Sat, 29 Oct 2016 21:28:18 +0200
+Subject: firewire: net: guard against rx buffer overflows
+
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+
+commit 667121ace9dbafb368618dbabcf07901c962ddac upstream.
+
+The IP-over-1394 driver firewire-net lacked input validation when
+handling incoming fragmented datagrams. A maliciously formed fragment
+with a respectively large datagram_offset would cause a memcpy past the
+datagram buffer.
+
+So, drop any packets carrying a fragment with offset + length larger
+than datagram_size.
+
+In addition, ensure that
+ - GASP header, unfragmented encapsulation header, or fragment
+ encapsulation header actually exists before we access it,
+ - the encapsulated datagram or fragment is of nonzero size.
+
+Reported-by: Eyal Itkin <eyal.itkin@gmail.com>
+Reviewed-by: Eyal Itkin <eyal.itkin@gmail.com>
+Fixes: CVE 2016-8633
+Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firewire/net.c | 51 +++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 35 insertions(+), 16 deletions(-)
+
+--- a/drivers/firewire/net.c
++++ b/drivers/firewire/net.c
+@@ -578,6 +578,9 @@ static int fwnet_incoming_packet(struct
+ int retval;
+ u16 ether_type;
+
++ if (len <= RFC2374_UNFRAG_HDR_SIZE)
++ return 0;
++
+ hdr.w0 = be32_to_cpu(buf[0]);
+ lf = fwnet_get_hdr_lf(&hdr);
+ if (lf == RFC2374_HDR_UNFRAG) {
+@@ -602,7 +605,12 @@ static int fwnet_incoming_packet(struct
+ return fwnet_finish_incoming_packet(net, skb, source_node_id,
+ is_broadcast, ether_type);
+ }
++
+ /* A datagram fragment has been received, now the fun begins. */
++
++ if (len <= RFC2374_FRAG_HDR_SIZE)
++ return 0;
++
+ hdr.w1 = ntohl(buf[1]);
+ buf += 2;
+ len -= RFC2374_FRAG_HDR_SIZE;
+@@ -616,6 +624,9 @@ static int fwnet_incoming_packet(struct
+ datagram_label = fwnet_get_hdr_dgl(&hdr);
+ dg_size = fwnet_get_hdr_dg_size(&hdr); /* ??? + 1 */
+
++ if (fg_off + len > dg_size)
++ return 0;
++
+ spin_lock_irqsave(&dev->lock, flags);
+
+ peer = fwnet_peer_find_by_node_id(dev, source_node_id, generation);
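Review bot: The new bound `fg_off + len > dg_size` tests the fragment against the datagram_size carried in that same fragment's header, so it protects the later copy only if the reassembly buffer was sized from the same value. For fragments after the first, the hunk does not show whether a `dg_size` that differs from the one recorded when the partial datagram was created is rejected before the copy. That lookup is further down in fwnet_incoming_packet, outside the hunk, and should be confirmed. A comment on the check, e.g. `/* drop fragments that do not fit inside the datagram size they claim */`, would also record why it sits ahead of the lock.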
+@@ -722,6 +733,22 @@ static void fwnet_receive_packet(struct
+ fw_send_response(card, r, rcode);
+ }
+
++static int gasp_source_id(__be32 *p)
++{
++ return be32_to_cpu(p[0]) >> 16;
++}
++
++static u32 gasp_specifier_id(__be32 *p)
++{
++ return (be32_to_cpu(p[0]) & 0xffff) << 8 |
++ (be32_to_cpu(p[1]) & 0xff000000) >> 24;
++}
++
++static u32 gasp_version(__be32 *p)
++{
++ return be32_to_cpu(p[1]) & 0xffffff;
++}
++
+ static void fwnet_receive_broadcast(struct fw_iso_context *context,
+ u32 cycle, size_t header_length, void *header, void *data)
+ {
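Review bot: The three gasp_*() helpers index `p[0]` and `p[1]` unconditionally, so each relies on the caller having verified that a full GASP header is present; the precondition is not written anywhere. Add a comment above the first helper, such as `/* caller must ensure at least IEEE1394_GASP_HDR_SIZE bytes are readable at p */`, so that a future caller does not use them on an unchecked buffer. They also only read through the pointer, so `const __be32 *p` would be the more accurate parameter type, e.g. `static u32 gasp_version(const __be32 *p)`.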
+@@ -731,9 +758,6 @@ static void fwnet_receive_broadcast(stru
+ __be32 *buf_ptr;
+ int retval;
+ u32 length;
+- u16 source_node_id;
+- u32 specifier_id;
+- u32 ver;
+ unsigned long offset;
+ unsigned long flags;
+
+@@ -750,22 +774,17 @@ static void fwnet_receive_broadcast(stru
+
+ spin_unlock_irqrestore(&dev->lock, flags);
+
+- specifier_id = (be32_to_cpu(buf_ptr[0]) & 0xffff) << 8
+- | (be32_to_cpu(buf_ptr[1]) & 0xff000000) >> 24;
+- ver = be32_to_cpu(buf_ptr[1]) & 0xffffff;
+- source_node_id = be32_to_cpu(buf_ptr[0]) >> 16;
+-
+- if (specifier_id == IANA_SPECIFIER_ID &&
+- (ver == RFC2734_SW_VERSION
++ if (length > IEEE1394_GASP_HDR_SIZE &&
++ gasp_specifier_id(buf_ptr) == IANA_SPECIFIER_ID &&
++ (gasp_version(buf_ptr) == RFC2734_SW_VERSION
+ #if IS_ENABLED(CONFIG_IPV6)
+- || ver == RFC3146_SW_VERSION
++ || gasp_version(buf_ptr) == RFC3146_SW_VERSION
+ #endif
+- )) {
+- buf_ptr += 2;
+- length -= IEEE1394_GASP_HDR_SIZE;
+- fwnet_incoming_packet(dev, buf_ptr, length, source_node_id,
++ ))
++ fwnet_incoming_packet(dev, buf_ptr + 2,
++ length - IEEE1394_GASP_HDR_SIZE,
++ gasp_source_id(buf_ptr),
+ context->card->generation, true);
+- }
+
+ packet.payload_length = dev->rcv_buffer_size;
+ packet.interrupt = 1;
--- /dev/null
+From da25311c7ca8b0254a686fc0d597075b9aa3b683 Mon Sep 17 00:00:00 2001
+From: Patrick Scheuring <patrick.scheuring.dev@gmail.com>
+Date: Wed, 19 Oct 2016 12:04:02 -0700
+Subject: Input: i8042 - add XMG C504 to keyboard reset table
+
+From: Patrick Scheuring <patrick.scheuring.dev@gmail.com>
+
+commit da25311c7ca8b0254a686fc0d597075b9aa3b683 upstream.
+
+The Schenker XMG C504 is a rebranded Gigabyte P35 v2 laptop.
+Therefore it also needs a keyboard reset to detect the Elantech touchpad.
+Otherwise the touchpad appears to be dead.
+
+With this patch the touchpad is detected:
+
+$ dmesg | grep -E "(i8042|Elantech|elantech)"
+
+[ 2.675399] i8042: PNP: PS/2 Controller [PNP0303:PS2K,PNP0f13:PS2M] at 0x60,0x64 irq 1,12
+[ 2.680372] i8042: Attempting to reset device connected to KBD port
+[ 2.789037] serio: i8042 KBD port at 0x60,0x64 irq 1
+[ 2.791586] serio: i8042 AUX port at 0x60,0x64 irq 12
+[ 2.813840] input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input4
+[ 3.811431] psmouse serio1: elantech: assuming hardware version 4 (with firmware version 0x361f0e)
+[ 3.825424] psmouse serio1: elantech: Synaptics capabilities query result 0x00, 0x15, 0x0f.
+[ 3.839424] psmouse serio1: elantech: Elan sample query result 03, 58, 74
+[ 3.911349] input: ETPS/2 Elantech Touchpad as /devices/platform/i8042/serio1/input/input6
+
+Signed-off-by: Patrick Scheuring <patrick.scheuring.dev@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -877,6 +877,13 @@ static const struct dmi_system_id __init
+ DMI_MATCH(DMI_PRODUCT_NAME, "P34"),
+ },
+ },
++ {
++ /* Schenker XMG C504 - Elantech touchpad */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "XMG"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "C504"),
++ },
++ },
+ { }
+ };
+
--- /dev/null
+From ede5f3e7b54a4347be4d8525269eae50902bd7cd Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Tue, 25 Oct 2016 16:11:11 +0100
+Subject: KVM: MIPS: Make ERET handle ERL before EXL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit ede5f3e7b54a4347be4d8525269eae50902bd7cd upstream.
+
+The ERET instruction to return from exception is used for returning from
+exception level (Status.EXL) and error level (Status.ERL). If both bits
+are set however we should be returning from ERL first, as ERL can
+interrupt EXL, for example when an NMI is taken. KVM however checks EXL
+first.
+
+Fix the order of the checks to match the pseudocode in the instruction
+set manual.
+
+Fixes: e685c689f3a8 ("KVM/MIPS32: Privileged instruction/target branch emulation.")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: "Radim Krčmář <rkrcmar@redhat.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kvm/emulate.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/mips/kvm/emulate.c
++++ b/arch/mips/kvm/emulate.c
+@@ -791,15 +791,15 @@ enum emulation_result kvm_mips_emul_eret
+ struct mips_coproc *cop0 = vcpu->arch.cop0;
+ enum emulation_result er = EMULATE_DONE;
+
+- if (kvm_read_c0_guest_status(cop0) & ST0_EXL) {
++ if (kvm_read_c0_guest_status(cop0) & ST0_ERL) {
++ kvm_clear_c0_guest_status(cop0, ST0_ERL);
++ vcpu->arch.pc = kvm_read_c0_guest_errorepc(cop0);
++ } else if (kvm_read_c0_guest_status(cop0) & ST0_EXL) {
+ kvm_debug("[%#lx] ERET to %#lx\n", vcpu->arch.pc,
+ kvm_read_c0_guest_epc(cop0));
+ kvm_clear_c0_guest_status(cop0, ST0_EXL);
+ vcpu->arch.pc = kvm_read_c0_guest_epc(cop0);
+
+- } else if (kvm_read_c0_guest_status(cop0) & ST0_ERL) {
+- kvm_clear_c0_guest_status(cop0, ST0_ERL);
+- vcpu->arch.pc = kvm_read_c0_guest_errorepc(cop0);
+ } else {
+ kvm_err("[%#lx] ERET when MIPS_SR_EXL|MIPS_SR_ERL == 0\n",
+ vcpu->arch.pc);
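Review bot: The fix depends entirely on ERL being tested before EXL, but the code does not say so, and a later tidy-up could swap the branches back. Add a comment above the first test, such as `/* ERL takes precedence over EXL: an error-level exception (e.g. NMI) can interrupt exception level */`. The ERL branch also has no kvm_debug() trace like the one in the EXL branch, so returns through ErrorEPC leave no record in the debug log. kvm_mips_emul_eret continues outside the hunk.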
--- /dev/null
+From e1e575f6b026734be3b1f075e780e91ab08ca541 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Tue, 25 Oct 2016 16:11:12 +0100
+Subject: KVM: MIPS: Precalculate MMIO load resume PC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit e1e575f6b026734be3b1f075e780e91ab08ca541 upstream.
+
+The advancing of the PC when completing an MMIO load is done before
+re-entering the guest, i.e. before restoring the guest ASID. However if
+the load is in a branch delay slot it may need to access guest code to
+read the prior branch instruction. This isn't safe in TLB mapped code at
+the moment, nor in the future when we'll access unmapped guest segments
+using direct user accessors too, as it could read the branch from host
+user memory instead.
+
+Therefore calculate the resume PC in advance while we're still in the
+right context and save it in the new vcpu->arch.io_pc (replacing the no
+longer needed vcpu->arch.pending_load_cause), and restore it on MMIO
+completion.
+
+Fixes: e685c689f3a8 ("KVM/MIPS32: Privileged instruction/target branch emulation.")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: "Radim Krčmář <rkrcmar@redhat.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/kvm_host.h | 7 ++++---
+ arch/mips/kvm/emulate.c | 24 +++++++++++++++---------
+ 2 files changed, 19 insertions(+), 12 deletions(-)
+
+--- a/arch/mips/include/asm/kvm_host.h
++++ b/arch/mips/include/asm/kvm_host.h
+@@ -279,7 +279,10 @@ struct kvm_vcpu_arch {
+ /* Host KSEG0 address of the EI/DI offset */
+ void *kseg0_commpage;
+
+- u32 io_gpr; /* GPR used as IO source/target */
++ /* Resume PC after MMIO completion */
++ unsigned long io_pc;
++ /* GPR used as IO source/target */
++ u32 io_gpr;
+
+ struct hrtimer comparecount_timer;
+ /* Count timer control KVM register */
+@@ -301,8 +304,6 @@ struct kvm_vcpu_arch {
+ /* Bitmask of pending exceptions to be cleared */
+ unsigned long pending_exceptions_clr;
+
+- u32 pending_load_cause;
+-
+ /* Save/Restore the entryhi register when are are preempted/scheduled back in */
+ unsigned long preempt_entryhi;
+
+--- a/arch/mips/kvm/emulate.c
++++ b/arch/mips/kvm/emulate.c
+@@ -1522,13 +1522,25 @@ enum emulation_result kvm_mips_emulate_l
+ struct kvm_vcpu *vcpu)
+ {
+ enum emulation_result er = EMULATE_DO_MMIO;
++ unsigned long curr_pc;
+ u32 op, rt;
+ u32 bytes;
+
+ rt = inst.i_format.rt;
+ op = inst.i_format.opcode;
+
+- vcpu->arch.pending_load_cause = cause;
++ /*
++ * Find the resume PC now while we have safe and easy access to the
++ * prior branch instruction, and save it for
++ * kvm_mips_complete_mmio_load() to restore later.
++ */
++ curr_pc = vcpu->arch.pc;
++ er = update_pc(vcpu, cause);
++ if (er == EMULATE_FAIL)
++ return er;
++ vcpu->arch.io_pc = vcpu->arch.pc;
++ vcpu->arch.pc = curr_pc;
++
+ vcpu->arch.io_gpr = rt;
+
+ switch (op) {
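Review bot: `er` is initialised to EMULATE_DO_MMIO at its declaration and then unconditionally overwritten by `er = update_pc(vcpu, cause);`, which makes the initialiser dead. Unless the code after the switch assigns `er` again, the success path returns whatever update_pc() returned rather than EMULATE_DO_MMIO. The rest of kvm_mips_emulate_load is outside the hunk, so what callers actually receive should be confirmed. If the MMIO result is the intended one, keep the update_pc() status out of `er`, e.g. `if (update_pc(vcpu, cause) == EMULATE_FAIL) return EMULATE_FAIL;`.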
+@@ -2488,9 +2500,8 @@ enum emulation_result kvm_mips_complete_
+ goto done;
+ }
+
+- er = update_pc(vcpu, vcpu->arch.pending_load_cause);
+- if (er == EMULATE_FAIL)
+- return er;
++ /* Restore saved resume PC */
++ vcpu->arch.pc = vcpu->arch.io_pc;
+
+ switch (run->mmio.len) {
+ case 4:
+@@ -2512,11 +2523,6 @@ enum emulation_result kvm_mips_complete_
+ break;
+ }
+
+- if (vcpu->arch.pending_load_cause & CAUSEF_BD)
+- kvm_debug("[%#lx] Completing %d byte BD Load to gpr %d (0x%08lx) type %d\n",
+- vcpu->arch.pc, run->mmio.len, vcpu->arch.io_gpr, *gpr,
+- vcpu->mmio_needed);
+-
+ done:
+ return er;
+ }
--- /dev/null
+From 45c7ee43a5184ddbff652ee0d2e826f86f1b616b Mon Sep 17 00:00:00 2001
+From: Janosch Frank <frankja@linux.vnet.ibm.com>
+Date: Wed, 26 Oct 2016 08:48:11 +0200
+Subject: KVM: s390: Fix STHYI buffer alignment for diag224
+
+From: Janosch Frank <frankja@linux.vnet.ibm.com>
+
+commit 45c7ee43a5184ddbff652ee0d2e826f86f1b616b upstream.
+
+Diag224 requires a page-aligned 4k buffer to store the name table
+into. kmalloc does not guarantee page alignment, hence we replace it
+with __get_free_page for the buffer allocation.
+
+Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+Signed-off-by: Janosch Frank <frankja@linux.vnet.ibm.com>
+Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/sthyi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kvm/sthyi.c
++++ b/arch/s390/kvm/sthyi.c
+@@ -315,7 +315,7 @@ static void fill_diag(struct sthyi_sctns
+ if (r < 0)
+ goto out;
+
+- diag224_buf = kmalloc(PAGE_SIZE, GFP_KERNEL | GFP_DMA);
++ diag224_buf = (void *)__get_free_page(GFP_KERNEL | GFP_DMA);
+ if (!diag224_buf || diag224(diag224_buf))
+ goto out;
+
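Review bot: The switch to `__get_free_page()` for `diag224_buf` has no comment saying why the page allocator is used, so a later cleanup could turn it back into `kmalloc()` and reintroduce the alignment bug. I would add `/* diag224 needs a page-aligned 4k buffer; kmalloc() does not guarantee that */` above the allocation. The matching `free_page()` in the next hunk is reached through `out:` even when the allocation failed or was never attempted. That is safe only because free_page() ignores a zero address and, presumably, `diag224_buf` starts out NULL; the declaration is outside the hunk. fill_diag() starts and ends outside both hunks.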
+@@ -378,7 +378,7 @@ static void fill_diag(struct sthyi_sctns
+ sctns->par.infpval1 |= PAR_WGHT_VLD;
+
+ out:
+- kfree(diag224_buf);
++ free_page((unsigned long)diag224_buf);
+ vfree(diag204_buf);
+ }
+
--- /dev/null
+From bd768e146624cbec7122ed15dead8daa137d909d Mon Sep 17 00:00:00 2001
+From: Ido Yariv <ido@wizery.com>
+Date: Fri, 21 Oct 2016 12:39:57 -0400
+Subject: KVM: x86: fix wbinvd_dirty_mask use-after-free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ido Yariv <ido@wizery.com>
+
+commit bd768e146624cbec7122ed15dead8daa137d909d upstream.
+
+vcpu->arch.wbinvd_dirty_mask may still be used after freeing it,
+corrupting memory. For example, the following call trace may set a bit
+in an already freed cpu mask:
+ kvm_arch_vcpu_load
+ vcpu_load
+ vmx_free_vcpu_nested
+ vmx_free_vcpu
+ kvm_arch_vcpu_free
+
+Fix this by deferring freeing of wbinvd_dirty_mask.
+
+Signed-off-by: Ido Yariv <ido@wizery.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -7372,10 +7372,12 @@ void kvm_put_guest_fpu(struct kvm_vcpu *
+
+ void kvm_arch_vcpu_free(struct kvm_vcpu *vcpu)
+ {
++ void *wbinvd_dirty_mask = vcpu->arch.wbinvd_dirty_mask;
++
+ kvmclock_reset(vcpu);
+
+- free_cpumask_var(vcpu->arch.wbinvd_dirty_mask);
+ kvm_x86_ops->vcpu_free(vcpu);
++ free_cpumask_var(wbinvd_dirty_mask);
+ }
+
+ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm,
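Review bot: The local `wbinvd_dirty_mask` copy in kvm_arch_vcpu_free() has no comment explaining the ordering it enforces, and that ordering is the whole fix. I would add above the declaration `/* vcpu_free() can still reach kvm_arch_vcpu_load(), which sets bits in this mask; free it last, via a saved pointer */`. The call chain in the commit message shows the mask being touched from inside `kvm_x86_ops->vcpu_free(vcpu)`. The saved pointer also suggests `vcpu` must not be dereferenced once that call returns, though the callee is not visible here.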
--- /dev/null
+From 4736697963385e6257ee8e260e97347e858cd962 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@imgtec.com>
+Date: Mon, 17 Oct 2016 17:21:46 +0100
+Subject: MIPS: KASLR: Fix handling of NULL FDT
+
+From: Matt Redfearn <matt.redfearn@imgtec.com>
+
+commit 4736697963385e6257ee8e260e97347e858cd962 upstream.
+
+If platform code returns a NULL pointer to the FDT, initial_boot_params
+will not get set to a valid pointer and attempting to find the /chosen
+node in it will cause a NULL pointer dereference and the kernel to crash
+immediately on startup - with no output to the console.
+
+Fix this by checking that initial_boot_params is valid before using it.
+
+Fixes: 405bc8fd12f5 ("MIPS: Kernel: Implement KASLR using CONFIG_RELOCATABLE")
+Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/14414/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/relocate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/relocate.c
++++ b/arch/mips/kernel/relocate.c
+@@ -200,7 +200,7 @@ static inline __init unsigned long get_r
+
+ #if defined(CONFIG_USE_OF)
+ /* Get any additional entropy passed in device tree */
+- {
++ if (initial_boot_params) {
+ int node, len;
+ u64 *prop;
+
--- /dev/null
+From f46c445b79906a9da55c13e0a6f6b6a006b892fe Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Sat, 29 Oct 2016 18:19:03 -0400
+Subject: nfsd: Fix general protection fault in release_lock_stateid()
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit f46c445b79906a9da55c13e0a6f6b6a006b892fe upstream.
+
+When I push NFSv4.1 / RDMA hard, (xfstests generic/089, for example),
+I get this crash on the server:
+
+Oct 28 22:04:30 klimt kernel: general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
+Oct 28 22:04:30 klimt kernel: Modules linked in: cts rpcsec_gss_krb5 iTCO_wdt iTCO_vendor_support sb_edac edac_core x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm btrfs irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd xor pcspkr raid6_pq i2c_i801 i2c_smbus lpc_ich mfd_core sg mei_me mei ioatdma shpchp wmi ipmi_si ipmi_msghandler rpcrdma ib_ipoib rdma_ucm acpi_power_meter acpi_pad ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c mlx4_ib mlx4_en ib_core sr_mod cdrom sd_mod ast drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm crc32c_intel igb ahci libahci ptp mlx4_core pps_core dca libata i2c_algo_bit i2c_core dm_mirror dm_region_hash dm_log dm_mod
+Oct 28 22:04:30 klimt kernel: CPU: 7 PID: 1558 Comm: nfsd Not tainted 4.9.0-rc2-00005-g82cd754 #8
+Oct 28 22:04:30 klimt kernel: Hardware name: Supermicro Super Server/X10SRL-F, BIOS 1.0c 09/09/2015
+Oct 28 22:04:30 klimt kernel: task: ffff880835c3a100 task.stack: ffff8808420d8000
+Oct 28 22:04:30 klimt kernel: RIP: 0010:[<ffffffffa05a759f>] [<ffffffffa05a759f>] release_lock_stateid+0x1f/0x60 [nfsd]
+Oct 28 22:04:30 klimt kernel: RSP: 0018:ffff8808420dbce0 EFLAGS: 00010246
+Oct 28 22:04:30 klimt kernel: RAX: ffff88084e6660f0 RBX: ffff88084e667020 RCX: 0000000000000000
+Oct 28 22:04:30 klimt kernel: RDX: 0000000000000007 RSI: 0000000000000000 RDI: ffff88084e667020
+Oct 28 22:04:30 klimt kernel: RBP: ffff8808420dbcf8 R08: 0000000000000001 R09: 0000000000000000
+Oct 28 22:04:30 klimt kernel: R10: ffff880835c3a100 R11: ffff880835c3aca8 R12: 6b6b6b6b6b6b6b6b
+Oct 28 22:04:30 klimt kernel: R13: ffff88084e6670d8 R14: ffff880835f546f0 R15: ffff880835f1c548
+Oct 28 22:04:30 klimt kernel: FS: 0000000000000000(0000) GS:ffff88087bdc0000(0000) knlGS:0000000000000000
+Oct 28 22:04:30 klimt kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+Oct 28 22:04:30 klimt kernel: CR2: 00007ff020389000 CR3: 0000000001c06000 CR4: 00000000001406e0
+Oct 28 22:04:30 klimt kernel: Stack:
+Oct 28 22:04:30 klimt kernel: ffff88084e667020 0000000000000000 ffff88084e6670d8 ffff8808420dbd20
+Oct 28 22:04:30 klimt kernel: ffffffffa05ac80d ffff880835f54548 ffff88084e640008 ffff880835f545b0
+Oct 28 22:04:30 klimt kernel: ffff8808420dbd70 ffffffffa059803d ffff880835f1c768 0000000000000870
+Oct 28 22:04:30 klimt kernel: Call Trace:
+Oct 28 22:04:30 klimt kernel: [<ffffffffa05ac80d>] nfsd4_free_stateid+0xfd/0x1b0 [nfsd]
+Oct 28 22:04:30 klimt kernel: [<ffffffffa059803d>] nfsd4_proc_compound+0x40d/0x690 [nfsd]
+Oct 28 22:04:30 klimt kernel: [<ffffffffa0583114>] nfsd_dispatch+0xd4/0x1d0 [nfsd]
+Oct 28 22:04:30 klimt kernel: [<ffffffffa047bbf9>] svc_process_common+0x3d9/0x700 [sunrpc]
+Oct 28 22:04:30 klimt kernel: [<ffffffffa047ca64>] svc_process+0xf4/0x330 [sunrpc]
+Oct 28 22:04:30 klimt kernel: [<ffffffffa05827ca>] nfsd+0xfa/0x160 [nfsd]
+Oct 28 22:04:30 klimt kernel: [<ffffffffa05826d0>] ? nfsd_destroy+0x170/0x170 [nfsd]
+Oct 28 22:04:30 klimt kernel: [<ffffffff810b367b>] kthread+0x10b/0x120
+Oct 28 22:04:30 klimt kernel: [<ffffffff810b3570>] ? kthread_stop+0x280/0x280
+Oct 28 22:04:30 klimt kernel: [<ffffffff8174e8ba>] ret_from_fork+0x2a/0x40
+Oct 28 22:04:30 klimt kernel: Code: c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 48 8b 87 b0 00 00 00 48 89 fb 4c 8b a0 98 00 00 00 <49> 8b 44 24 20 48 8d b8 80 03 00 00 e8 10 66 1a e1 48 89 df e8
+Oct 28 22:04:30 klimt kernel: RIP [<ffffffffa05a759f>] release_lock_stateid+0x1f/0x60 [nfsd]
+Oct 28 22:04:30 klimt kernel: RSP <ffff8808420dbce0>
+Oct 28 22:04:30 klimt kernel: ---[ end trace cf5d0b371973e167 ]---
+
+Jeff Layton says:
+> Hm...now that I look though, this is a little suspicious:
+>
+> struct nfs4_openowner *oo = openowner(stp->st_openstp->st_stateowner);
+>
+> I wonder if it's possible for the openstateid to have already been
+> destroyed at this point.
+>
+> We might be better off doing something like this to get the client pointer:
+>
+> stp->st_stid.sc_client;
+>
+> ...which should be more direct and less dependent on other stateids
+> staying valid.
+
+With the suggested change, I am no longer able to reproduce the above oops.
+
+v2: Fix unhash_lock_stateid() as well
+
+Fix-suggested-by: Jeff Layton <jlayton@redhat.com>
+Fixes: 42691398be08 ('nfsd: Fix race between FREE_STATEID and LOCK')
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4state.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -1147,9 +1147,7 @@ static void put_ol_stateid_locked(struct
+
+ static bool unhash_lock_stateid(struct nfs4_ol_stateid *stp)
+ {
+- struct nfs4_openowner *oo = openowner(stp->st_openstp->st_stateowner);
+-
+- lockdep_assert_held(&oo->oo_owner.so_client->cl_lock);
++ lockdep_assert_held(&stp->st_stid.sc_client->cl_lock);
+
+ list_del_init(&stp->st_locks);
+ nfs4_unhash_stid(&stp->st_stid);
+@@ -1158,12 +1156,12 @@ static bool unhash_lock_stateid(struct n
+
+ static void release_lock_stateid(struct nfs4_ol_stateid *stp)
+ {
+- struct nfs4_openowner *oo = openowner(stp->st_openstp->st_stateowner);
++ struct nfs4_client *clp = stp->st_stid.sc_client;
+ bool unhashed;
+
+- spin_lock(&oo->oo_owner.so_client->cl_lock);
++ spin_lock(&clp->cl_lock);
+ unhashed = unhash_lock_stateid(stp);
+- spin_unlock(&oo->oo_owner.so_client->cl_lock);
++ spin_unlock(&clp->cl_lock);
+ if (unhashed)
+ nfs4_put_stid(&stp->st_stid);
+ }
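Review bot: release_lock_stateid() now reads `stp->st_stid.sc_client` before `cl_lock` is taken, and nothing in the hunk says why that pointer is safe to follow when the path through `st_openstp` was not. I would document the assumption at the declaration, for example `/* st_openstp may already be gone here; reach the client through the stateid itself */`. The same reasoning applies to the `lockdep_assert_held()` line in unhash_lock_stateid() in the previous hunk. Whether the caller holds a reference on `stp` across this call cannot be seen from here and is worth confirming.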
--- /dev/null
+From b93d4a0eb308d4400b84c8b24c1b80e09a9497d0 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Mon, 31 Oct 2016 14:42:14 +0100
+Subject: ovl: fix get_acl() on tmpfs
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit b93d4a0eb308d4400b84c8b24c1b80e09a9497d0 upstream.
+
+tmpfs doesn't have ->get_acl() because it only uses cached acls.
+
+This fixes the acl tests in pjdfstest when tmpfs is used as the upper layer
+of the overlay.
+
+Reported-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 39a25b2b3762 ("ovl: define ->get_acl() for overlay inodes")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/inode.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -294,9 +294,6 @@ struct posix_acl *ovl_get_acl(struct ino
+ if (!IS_ENABLED(CONFIG_FS_POSIX_ACL) || !IS_POSIXACL(realinode))
+ return NULL;
+
+- if (!realinode->i_op->get_acl)
+- return NULL;
+-
+ old_cred = ovl_override_creds(inode->i_sb);
+ acl = get_acl(realinode, type);
+ revert_creds(old_cred);
--- /dev/null
+From 641089c1549d8d3df0b047b5de7e9a111362cdce Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Mon, 31 Oct 2016 14:42:14 +0100
+Subject: ovl: fsync after copy-up
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 641089c1549d8d3df0b047b5de7e9a111362cdce upstream.
+
+Make sure the copied up file hits the disk before renaming to the final
+destination. If this is not done then the copy-up may corrupt the data in
+the file in case of a crash.
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/copy_up.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -171,6 +171,8 @@ static int ovl_copy_up_data(struct path
+ len -= bytes;
+ }
+
++ if (!error)
++ error = vfs_fsync(new_file, 0);
+ fput(new_file);
+ out_fput:
+ fput(old_file);
--- /dev/null
+From fd3220d37b1f6f0cab6142d98b0e6c4082e63299 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Mon, 31 Oct 2016 14:42:14 +0100
+Subject: ovl: update S_ISGID when setting posix ACLs
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit fd3220d37b1f6f0cab6142d98b0e6c4082e63299 upstream.
+
+This change fixes xfstest generic/375, which failed to clear the
+setgid bit in the following test case on overlayfs:
+
+ touch $testfile
+ chown 100:100 $testfile
+ chmod 2755 $testfile
+ _runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile
+
+Reported-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Tested-by: Amir Goldstein <amir73il@gmail.com>
+Fixes: d837a49bd57f ("ovl: fix POSIX ACL setting")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/super.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -1026,6 +1026,21 @@ ovl_posix_acl_xattr_set(const struct xat
+
+ posix_acl_release(acl);
+
++ /*
++ * Check if sgid bit needs to be cleared (actual setacl operation will
++ * be done with mounter's capabilities and so that won't do it for us).
++ */
++ if (unlikely(inode->i_mode & S_ISGID) &&
++ handler->flags == ACL_TYPE_ACCESS &&
++ !in_group_p(inode->i_gid) &&
++ !capable_wrt_inode_uidgid(inode, CAP_FSETID)) {
++ struct iattr iattr = { .ia_valid = ATTR_KILL_SGID };
++
++ err = ovl_setattr(dentry, &iattr);
++ if (err)
++ return err;
++ }
++
+ err = ovl_xattr_set(dentry, handler->name, value, size, flags);
+ if (!err)
+ ovl_copyattr(ovl_inode_real(inode, NULL), inode);
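Review bot: The setgid bit is cleared through `ovl_setattr()` before `ovl_xattr_set()` runs, and the new block does not say what state the file is left in if the second call fails. As written, a failed ACL write leaves S_ISGID already dropped, which errs towards less privilege, but this should be stated so nobody reorders the two calls. I would extend the comment with `* Dropping the bit first means a failed ACL write can only remove privilege.` The check reads `inode->i_mode` on the overlay inode; whether that is serialised against a concurrent mode change depends on locking outside the hunk. ovl_posix_acl_xattr_set() starts and ends outside the hunk.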
--- /dev/null
+From 6ed518328d0189e0fdf1bb7c73290d546143ea66 Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Fri, 28 Oct 2016 23:00:34 -0400
+Subject: parisc: Ensure consistent state when switching to kernel stack at syscall entry
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit 6ed518328d0189e0fdf1bb7c73290d546143ea66 upstream.
+
+We have one critical section in the syscall entry path in which we switch from
+the userspace stack to kernel stack. In the event of an external interrupt, the
+interrupt code distinguishes between those two states by analyzing the value of
+sr7. If sr7 is zero, it uses the kernel stack. Therefore it's important, that
+the value of sr7 is in sync with the currently enabled stack.
+
+This patch now disables interrupts while executing the critical section. This
+prevents the interrupt handler to possibly see an inconsistent state which in
+the worst case can lead to crashes.
+
+Interestingly, in the syscall exit path interrupts were already disabled in the
+critical section which switches back to the userspace stack.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/syscall.S | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/parisc/kernel/syscall.S
++++ b/arch/parisc/kernel/syscall.S
+@@ -106,8 +106,6 @@ linux_gateway_entry:
+ mtsp %r0,%sr4 /* get kernel space into sr4 */
+ mtsp %r0,%sr5 /* get kernel space into sr5 */
+ mtsp %r0,%sr6 /* get kernel space into sr6 */
+- mfsp %sr7,%r1 /* save user sr7 */
+- mtsp %r1,%sr3 /* and store it in sr3 */
+
+ #ifdef CONFIG_64BIT
+ /* for now we can *always* set the W bit on entry to the syscall
+@@ -133,6 +131,14 @@ linux_gateway_entry:
+ depdi 0, 31, 32, %r21
+ 1:
+ #endif
++
++ /* We use a rsm/ssm pair to prevent sr3 from being clobbered
++ * by external interrupts.
++ */
++ mfsp %sr7,%r1 /* save user sr7 */
++ rsm PSW_SM_I, %r0 /* disable interrupts */
++ mtsp %r1,%sr3 /* and store it in sr3 */
++
+ mfctl %cr30,%r1
+ xor %r1,%r30,%r30 /* ye olde xor trick */
+ xor %r1,%r30,%r1
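Review bot: The new comment above the `rsm` says the pair protects sr3, but the commit message gives the invariant as sr7 having to match the stack in use when an external interrupt arrives. The comment should name that invariant, because it decides where the matching `ssm` may be placed. Something like `/* Interrupts stay off until sr7 is cleared below: the interrupt path picks the stack from sr7, so it must not run while sr7 and %r30 disagree. */` would do. The `ssm PSW_SM_I` that closes the window is in the next hunk, directly after `mtsp %r0,%sr7`, and carries only `/* enable interrupts */`. linux_gateway_entry extends beyond all three hunks.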
+@@ -147,6 +153,7 @@ linux_gateway_entry:
+ */
+
+ mtsp %r0,%sr7 /* get kernel space into sr7 */
++ ssm PSW_SM_I, %r0 /* enable interrupts */
+ STREGM %r1,FRAME_SIZE(%r30) /* save r1 (usp) here for now */
+ mfctl %cr30,%r1 /* get task ptr in %r1 */
+ LDREG TI_TASK(%r1),%r1
--- /dev/null
+From 8a55698f2f29d227825173420d7b99b9277ca88c Mon Sep 17 00:00:00 2001
+From: Jes Sorensen <Jes.Sorensen@redhat.com>
+Date: Thu, 29 Sep 2016 15:40:55 -0400
+Subject: rtl8xxxu: Fix big-endian problem reporting mactime
+
+From: Jes Sorensen <Jes.Sorensen@redhat.com>
+
+commit 8a55698f2f29d227825173420d7b99b9277ca88c upstream.
+
+The full RX descriptor is converted so converting tsfl again would
+return it to it's original endian value.
+
+Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 4 ++--
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
+@@ -231,7 +231,7 @@ struct rtl8xxxu_rxdesc16 {
+ u32 pattern1match:1;
+ u32 pattern0match:1;
+ #endif
+- __le32 tsfl;
++ u32 tsfl;
+ #if 0
+ u32 bassn:12;
+ u32 bavld:1;
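Review bot: Changing `tsfl` from `__le32` to `u32` removes the only annotation telling sparse and readers what byte order the field holds. The struct gives no hint that the descriptor is converted in place before it is parsed. I would add `/* CPU byte order: the whole descriptor is converted before parsing */` next to the field here and in `struct rtl8xxxu_rxdesc24` in the next hunk. The two `rx_status->mactime = rx_desc->tsfl;` assignments in rtl8xxxu_core.c rely on the same conversion, which happens outside the visible hunks.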
+@@ -361,7 +361,7 @@ struct rtl8xxxu_rxdesc24 {
+ u32 ldcp:1;
+ u32 splcp:1;
+ #endif
+- __le32 tsfl;
++ u32 tsfl;
+ };
+
+ struct rtl8xxxu_txdesc32 {
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -5224,7 +5224,7 @@ int rtl8xxxu_parse_rxdesc16(struct rtl8x
+ rtl8xxxu_rx_parse_phystats(priv, rx_status, phy_stats,
+ rx_desc->rxmcs);
+
+- rx_status->mactime = le32_to_cpu(rx_desc->tsfl);
++ rx_status->mactime = rx_desc->tsfl;
+ rx_status->flag |= RX_FLAG_MACTIME_START;
+
+ if (!rx_desc->swdec)
+@@ -5294,7 +5294,7 @@ int rtl8xxxu_parse_rxdesc24(struct rtl8x
+ rtl8xxxu_rx_parse_phystats(priv, rx_status, phy_stats,
+ rx_desc->rxmcs);
+
+- rx_status->mactime = le32_to_cpu(rx_desc->tsfl);
++ rx_status->mactime = rx_desc->tsfl;
+ rx_status->flag |= RX_FLAG_MACTIME_START;
+
+ if (!rx_desc->swdec)
--- /dev/null
+From 1e54134ccad00f76ddf00f3e77db3dc8fdefbb47 Mon Sep 17 00:00:00 2001
+From: Jes Sorensen <Jes.Sorensen@redhat.com>
+Date: Thu, 29 Sep 2016 15:40:54 -0400
+Subject: rtl8xxxu: Fix memory leak in handling rxdesc16 packets
+
+From: Jes Sorensen <Jes.Sorensen@redhat.com>
+
+commit 1e54134ccad00f76ddf00f3e77db3dc8fdefbb47 upstream.
+
+A device running without RX package aggregation could return more data
+in the USB packet than the actual network packet. In this case we
+could would clone the skb but then determine that that there was no
+packet to handle and exit without freeing the cloned skb first.
+
+This has so far only been observed with 8188eu devices, but could
+affect others.
+
+Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -5201,7 +5201,12 @@ int rtl8xxxu_parse_rxdesc16(struct rtl8x
+ pkt_offset = roundup(pkt_len + drvinfo_sz + desc_shift +
+ sizeof(struct rtl8xxxu_rxdesc16), 128);
+
+- if (pkt_cnt > 1)
++ /*
++ * Only clone the skb if there's enough data at the end to
++ * at least cover the rx descriptor
++ */
++ if (pkt_cnt > 1 &&
++ urb_len > (pkt_offset + sizeof(struct rtl8xxxu_rxdesc16)))
+ next_skb = skb_clone(skb, GFP_ATOMIC);
+
+ rx_status = IEEE80211_SKB_RXCB(skb);
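Review bot: The new `urb_len > (pkt_offset + sizeof(struct rtl8xxxu_rxdesc16))` test compares against a `size_t`. If `urb_len` and `pkt_offset` are signed ints (their declarations are outside the hunk), a negative `urb_len` is converted to a large unsigned value and the test passes. The lengths that feed `pkt_offset` presumably come from the received descriptor, so they should be treated as device-controlled input. I would make the signedness explicit, e.g. `urb_len > 0 && (size_t)urb_len > (size_t)pkt_offset + sizeof(struct rtl8xxxu_rxdesc16)`, or confirm that an earlier check already bounds `pkt_offset` by `urb_len`. rtl8xxxu_parse_rxdesc16() starts and ends outside the hunk.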
--- /dev/null
+From ab05e5ec81c76f3a852919c22984c885edd2414a Mon Sep 17 00:00:00 2001
+From: Jes Sorensen <Jes.Sorensen@redhat.com>
+Date: Fri, 30 Sep 2016 19:35:17 -0400
+Subject: rtl8xxxu: Fix rtl8723bu driver reload issue
+
+From: Jes Sorensen <Jes.Sorensen@redhat.com>
+
+commit ab05e5ec81c76f3a852919c22984c885edd2414a upstream.
+
+The generic disable_rf() function clears bits 22 and 23 in
+REG_RX_WAIT_CCA, however we did not re-enable them again in
+rtl8723b_enable_rf()
+
+This resolves the problem for me with 8723bu devices not working again
+after reloading the driver.
+
+Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8723b.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8723b.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8723b.c
+@@ -1498,6 +1498,10 @@ static void rtl8723b_enable_rf(struct rt
+ u32 val32;
+ u8 val8;
+
++ val32 = rtl8xxxu_read32(priv, REG_RX_WAIT_CCA);
++ val32 |= (BIT(22) | BIT(23));
++ rtl8xxxu_write32(priv, REG_RX_WAIT_CCA, val32);
++
+ /*
+ * No indication anywhere as to what 0x0790 does. The 2 antenna
+ * vendor code preserves bits 6-7 here.
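Review bot: The read-modify-write of `REG_RX_WAIT_CCA` sets `BIT(22) | BIT(23)` with no comment, so the link to the generic disable path that clears the same bits exists only in the commit message. I would add `/* Re-enable the bits the generic disable_rf() clears in REG_RX_WAIT_CCA */` above the three new lines. If the driver has no named mask for these two bits, defining one and using it in both places would keep the enable and disable paths from drifting apart. rtl8723b_enable_rf() continues past the end of the hunk.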
iio-chemical-atlas-ph-sensor-fix-use-of-32-bit-int-to-hold-16-bit-big-endian-value.patch
staging-wilc1000-fix-kernel-oops-on-opening-the-device.patch
dm-free-io_barrier-after-blk_cleanup_queue-call.patch
+kvm-x86-fix-wbinvd_dirty_mask-use-after-free.patch
+kvm-s390-fix-sthyi-buffer-alignment-for-diag224.patch
+kvm-mips-make-eret-handle-erl-before-exl.patch
+kvm-mips-precalculate-mmio-load-resume-pc.patch
+arm-mvebu-select-corediv-clk-for-all-mvebu-v7-soc.patch
+arm-dts-fix-the-sd-card-on-the-snowball.patch
+nfsd-fix-general-protection-fault-in-release_lock_stateid.patch
+mips-kaslr-fix-handling-of-null-fdt.patch
+ovl-fix-get_acl-on-tmpfs.patch
+ovl-update-s_isgid-when-setting-posix-acls.patch
+ovl-fsync-after-copy-up.patch
+parisc-ensure-consistent-state-when-switching-to-kernel-stack-at-syscall-entry.patch
+virtio_ring-make-interrupt-suppression-spec-compliant.patch
+virtio_pci-limit-dma-mask-to-44-bits-for-legacy-virtio-devices.patch
+virtio-console-unlock-vqs-while-freeing-buffers.patch
+dm-mirror-fix-read-error-on-recovery-after-default-leg-failure.patch
+dm-table-fix-missing-dm_put_target_type-in-dm_table_add_target.patch
+dm-rq-clear-kworker_task-if-kthread_run-returned-an-error.patch
+dm-raid-fix-compat_features-validation.patch
+dm-raid-fix-activation-of-existing-raid4-10-devices.patch
+rtl8xxxu-fix-memory-leak-in-handling-rxdesc16-packets.patch
+rtl8xxxu-fix-big-endian-problem-reporting-mactime.patch
+rtl8xxxu-fix-rtl8723bu-driver-reload-issue.patch
+input-i8042-add-xmg-c504-to-keyboard-reset-table.patch
+firewire-net-guard-against-rx-buffer-overflows.patch
+firewire-net-fix-fragmented-datagram_size-off-by-one.patch
--- /dev/null
+From 34563769e438d2881f62cf4d9badc4e589ac0ec0 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@imgtec.com>
+Date: Tue, 11 Oct 2016 12:05:15 +0100
+Subject: virtio: console: Unlock vqs while freeing buffers
+
+From: Matt Redfearn <matt.redfearn@imgtec.com>
+
+commit 34563769e438d2881f62cf4d9badc4e589ac0ec0 upstream.
+
+Commit c6017e793b93 ("virtio: console: add locks around buffer removal
+in port unplug path") added locking around the freeing of buffers in the
+vq. However, when free_buf() is called with can_sleep = true and rproc
+is enabled, it calls dma_free_coherent() directly, requiring interrupts
+to be enabled. Currently a WARNING is triggered due to the spin locking
+around free_buf, with a call stack like this:
+
+WARNING: CPU: 3 PID: 121 at ./include/linux/dma-mapping.h:433
+free_buf+0x1a8/0x288
+Call Trace:
+[<8040c538>] show_stack+0x74/0xc0
+[<80757240>] dump_stack+0xd0/0x110
+[<80430d98>] __warn+0xfc/0x130
+[<80430ee0>] warn_slowpath_null+0x2c/0x3c
+[<807e7c6c>] free_buf+0x1a8/0x288
+[<807ea590>] remove_port_data+0x50/0xac
+[<807ea6a0>] unplug_port+0xb4/0x1bc
+[<807ea858>] virtcons_remove+0xb0/0xfc
+[<807b6734>] virtio_dev_remove+0x58/0xc0
+[<807f918c>] __device_release_driver+0xac/0x134
+[<807f924c>] device_release_driver+0x38/0x50
+[<807f7edc>] bus_remove_device+0xfc/0x130
+[<807f4b74>] device_del+0x17c/0x21c
+[<807f4c38>] device_unregister+0x24/0x38
+[<807b6b50>] unregister_virtio_device+0x28/0x44
+
+Fix this by restructuring the loops to allow the locks to only be taken
+where it is necessary to protect the vqs, and release it while the
+buffer is being freed.
+
+Fixes: c6017e793b93 ("virtio: console: add locks around buffer removal in port unplug path")
+Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/virtio_console.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+--- a/drivers/char/virtio_console.c
++++ b/drivers/char/virtio_console.c
+@@ -1540,19 +1540,29 @@ static void remove_port_data(struct port
+ spin_lock_irq(&port->inbuf_lock);
+ /* Remove unused data this port might have received. */
+ discard_port_data(port);
++ spin_unlock_irq(&port->inbuf_lock);
+
+ /* Remove buffers we queued up for the Host to send us data in. */
+- while ((buf = virtqueue_detach_unused_buf(port->in_vq)))
+- free_buf(buf, true);
+- spin_unlock_irq(&port->inbuf_lock);
++ do {
++ spin_lock_irq(&port->inbuf_lock);
++ buf = virtqueue_detach_unused_buf(port->in_vq);
++ spin_unlock_irq(&port->inbuf_lock);
++ if (buf)
++ free_buf(buf, true);
++ } while (buf);
+
+ spin_lock_irq(&port->outvq_lock);
+ reclaim_consumed_buffers(port);
++ spin_unlock_irq(&port->outvq_lock);
+
+ /* Free pending buffers from the out-queue. */
+- while ((buf = virtqueue_detach_unused_buf(port->out_vq)))
+- free_buf(buf, true);
+- spin_unlock_irq(&port->outvq_lock);
++ do {
++ spin_lock_irq(&port->outvq_lock);
++ buf = virtqueue_detach_unused_buf(port->out_vq);
++ spin_unlock_irq(&port->outvq_lock);
++ if (buf)
++ free_buf(buf, true);
++ } while (buf);
+ }
+
+ /*
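Review bot: Both new `do { ... } while (buf)` loops drop the queue lock before `free_buf(buf, true)`, but the reason is not recorded in the code, and the old single-lock form looks like an obvious simplification to restore. I would put `/* free_buf() may call dma_free_coherent(), which needs interrupts enabled; detach under the lock, free outside it */` above the first loop. The two loops differ only in the lock and virtqueue they use, so a small static helper taking both would remove the duplication. remove_port_data() starts before the hunk.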
--- /dev/null
+From a0be1db4304f51c99af6b6e515549794182a94df Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Wed, 14 Sep 2016 17:33:26 +0100
+Subject: virtio_pci: Limit DMA mask to 44 bits for legacy virtio devices
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit a0be1db4304f51c99af6b6e515549794182a94df upstream.
+
+Legacy virtio defines the virtqueue base using a 32-bit PFN field, with
+a read-only register indicating a fixed page size of 4k.
+
+This can cause problems for DMA allocators that allocate top down from
+the DMA mask, which is set to 64 bits. In this case, the addresses are
+silently truncated to 44-bit, leading to IOMMU faults, failure to read
+from the queue or data corruption.
+
+This patch restricts the coherent DMA mask for legacy PCI virtio devices
+to 44 bits, which matches the specification.
+
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Cc: Benjamin Serebrin <serebrin@google.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virtio/virtio_pci_legacy.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/virtio/virtio_pci_legacy.c
++++ b/drivers/virtio/virtio_pci_legacy.c
+@@ -212,10 +212,18 @@ int virtio_pci_legacy_probe(struct virti
+ return -ENODEV;
+ }
+
+- rc = dma_set_mask_and_coherent(&pci_dev->dev, DMA_BIT_MASK(64));
+- if (rc)
+- rc = dma_set_mask_and_coherent(&pci_dev->dev,
+- DMA_BIT_MASK(32));
++ rc = dma_set_mask(&pci_dev->dev, DMA_BIT_MASK(64));
++ if (rc) {
++ rc = dma_set_mask_and_coherent(&pci_dev->dev, DMA_BIT_MASK(32));
++ } else {
++ /*
++ * The virtio ring base address is expressed as a 32-bit PFN,
++ * with a page size of 1 << VIRTIO_PCI_QUEUE_ADDR_SHIFT.
++ */
++ dma_set_coherent_mask(&pci_dev->dev,
++ DMA_BIT_MASK(32 + VIRTIO_PCI_QUEUE_ADDR_SHIFT));
++ }
++
+ if (rc)
+ dev_warn(&pci_dev->dev, "Failed to enable 64-bit or 32-bit DMA. Trying to continue, but this might not work.\n");
+
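Review bot: The return value of `dma_set_coherent_mask()` in the new `else` branch is discarded, so `rc` keeps the 0 from `dma_set_mask()`. The `dev_warn()` below therefore never fires if the 44-bit coherent mask is rejected. Assigning the result closes the gap: `rc = dma_set_coherent_mask(&pci_dev->dev, DMA_BIT_MASK(32 + VIRTIO_PCI_QUEUE_ADDR_SHIFT));`. The warning text mentions only 64-bit and 32-bit DMA and could be reworded at the same time. virtio_pci_legacy_probe() starts and ends outside the hunk.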
--- /dev/null
+From 0ea1e4a6d9b62cf29e210d2b4ba9fd43917522e3 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Wed, 31 Aug 2016 14:00:04 +0200
+Subject: virtio_ring: Make interrupt suppression spec compliant
+
+From: Ladi Prosek <lprosek@redhat.com>
+
+commit 0ea1e4a6d9b62cf29e210d2b4ba9fd43917522e3 upstream.
+
+According to the spec, if the VIRTIO_RING_F_EVENT_IDX feature bit is
+negotiated the driver MUST set flags to 0. Not dirtying the available
+ring in virtqueue_disable_cb also has a minor positive performance
+impact, improving L1 dcache load missed by ~0.5% in vring_bench.
+
+Writes to the used event field (vring_used_event) are still unconditional.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virtio/virtio_ring.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/virtio/virtio_ring.c
++++ b/drivers/virtio/virtio_ring.c
+@@ -732,7 +732,8 @@ void virtqueue_disable_cb(struct virtque
+
+ if (!(vq->avail_flags_shadow & VRING_AVAIL_F_NO_INTERRUPT)) {
+ vq->avail_flags_shadow |= VRING_AVAIL_F_NO_INTERRUPT;
+- vq->vring.avail->flags = cpu_to_virtio16(_vq->vdev, vq->avail_flags_shadow);
++ if (!vq->event)
++ vq->vring.avail->flags = cpu_to_virtio16(_vq->vdev, vq->avail_flags_shadow);
+ }
+
+ }
+@@ -764,7 +765,8 @@ unsigned virtqueue_enable_cb_prepare(str
+ * entry. Always do both to keep code simple. */
+ if (vq->avail_flags_shadow & VRING_AVAIL_F_NO_INTERRUPT) {
+ vq->avail_flags_shadow &= ~VRING_AVAIL_F_NO_INTERRUPT;
+- vq->vring.avail->flags = cpu_to_virtio16(_vq->vdev, vq->avail_flags_shadow);
++ if (!vq->event)
++ vq->vring.avail->flags = cpu_to_virtio16(_vq->vdev, vq->avail_flags_shadow);
+ }
+ vring_used_event(&vq->vring) = cpu_to_virtio16(_vq->vdev, last_used_idx = vq->last_used_idx);
+ END_USE(vq);
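Review bot: The comment kept as context in virtqueue_enable_cb_prepare() still ends with "Always do both to keep code simple", which is no longer true now that the `avail->flags` write is skipped when `vq->event` is set. The next hunk updates the identical comment in virtqueue_enable_cb_delayed(); this one should read `* entry. Always update the event index to keep code simple. */` as well. Separately, the `!vq->event` test added in __vring_new_virtqueue() (last hunk) depends on `vq->event` being assigned earlier in that function. That assignment is not visible here and is worth confirming.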
+@@ -832,10 +834,11 @@ bool virtqueue_enable_cb_delayed(struct
+ * more to do. */
+ /* Depending on the VIRTIO_RING_F_USED_EVENT_IDX feature, we need to
+ * either clear the flags bit or point the event index at the next
+- * entry. Always do both to keep code simple. */
++ * entry. Always update the event index to keep code simple. */
+ if (vq->avail_flags_shadow & VRING_AVAIL_F_NO_INTERRUPT) {
+ vq->avail_flags_shadow &= ~VRING_AVAIL_F_NO_INTERRUPT;
+- vq->vring.avail->flags = cpu_to_virtio16(_vq->vdev, vq->avail_flags_shadow);
++ if (!vq->event)
++ vq->vring.avail->flags = cpu_to_virtio16(_vq->vdev, vq->avail_flags_shadow);
+ }
+ /* TODO: tune this threshold */
+ bufs = (u16)(vq->avail_idx_shadow - vq->last_used_idx) * 3 / 4;
+@@ -953,7 +956,8 @@ struct virtqueue *__vring_new_virtqueue(
+ /* No callback? Tell other side not to bother us. */
+ if (!callback) {
+ vq->avail_flags_shadow |= VRING_AVAIL_F_NO_INTERRUPT;
+- vq->vring.avail->flags = cpu_to_virtio16(vdev, vq->avail_flags_shadow);
++ if (!vq->event)
++ vq->vring.avail->flags = cpu_to_virtio16(vdev, vq->avail_flags_shadow);
+ }
+
+ /* Put everything in free lists. */