3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 10 Aug 2015 21:35:03 +0000 (14:35 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 10 Aug 2015 21:35:03 +0000 (14:35 -0700)
added patches:
drm-radeon-combios-add-some-validation-of-lvds-values.patch
fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_flags.patch
ipr-fix-incorrect-trace-indexing.patch
ipr-fix-invalid-array-indexing-for-hrrq.patch
ipr-fix-locking-for-unit-attention-handling.patch
mips-fix-sched_getaffinity-with-mt-fpaff-enabled.patch
mips-make-set_pte-smp-safe.patch
mips-malta-don-t-reinitialise-rtc.patch
usb-sierra-add-1199-68ab-device-id.patch
xhci-fix-off-by-one-error-in-trb-dma-address-boundary-check.patch

queue-3.14/drm-radeon-combios-add-some-validation-of-lvds-values.patch [new file with mode: 0644]
queue-3.14/fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_flags.patch [new file with mode: 0644]
queue-3.14/ipr-fix-incorrect-trace-indexing.patch [new file with mode: 0644]
queue-3.14/ipr-fix-invalid-array-indexing-for-hrrq.patch [new file with mode: 0644]
queue-3.14/ipr-fix-locking-for-unit-attention-handling.patch [new file with mode: 0644]
queue-3.14/mips-fix-sched_getaffinity-with-mt-fpaff-enabled.patch [new file with mode: 0644]
queue-3.14/mips-make-set_pte-smp-safe.patch [new file with mode: 0644]
queue-3.14/mips-malta-don-t-reinitialise-rtc.patch [new file with mode: 0644]
queue-3.14/series
queue-3.14/usb-sierra-add-1199-68ab-device-id.patch [new file with mode: 0644]
queue-3.14/xhci-fix-off-by-one-error-in-trb-dma-address-boundary-check.patch [new file with mode: 0644]

diff --git a/queue-3.14/drm-radeon-combios-add-some-validation-of-lvds-values.patch b/queue-3.14/drm-radeon-combios-add-some-validation-of-lvds-values.patch
new file mode 100644 (file)
index 0000000..e527752
--- /dev/null
@@ -0,0 +1,45 @@
+From 0a90a0cff9f429f886f423967ae053150dce9259 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 27 Jul 2015 19:24:31 -0400
+Subject: drm/radeon/combios: add some validation of lvds values
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 0a90a0cff9f429f886f423967ae053150dce9259 upstream.
+
+Fixes a broken hsync start value uncovered by:
+abc0b1447d4974963548777a5ba4a4457c82c426
+(drm: Perform basic sanity checks on probed modes)
+
+The driver handled the bad hsync start elsewhere, but
+the above commit prevented it from getting added.
+
+bug:
+https://bugs.freedesktop.org/show_bug.cgi?id=91401
+
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/radeon_combios.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_combios.c
++++ b/drivers/gpu/drm/radeon/radeon_combios.c
+@@ -1255,10 +1255,15 @@ struct radeon_encoder_lvds *radeon_combi
+                       if ((RBIOS16(tmp) == lvds->native_mode.hdisplay) &&
+                           (RBIOS16(tmp + 2) == lvds->native_mode.vdisplay)) {
++                              u32 hss = (RBIOS16(tmp + 21) - RBIOS16(tmp + 19) - 1) * 8;
++
++                              if (hss > lvds->native_mode.hdisplay)
++                                      hss = (10 - 1) * 8;
++
+                               lvds->native_mode.htotal = lvds->native_mode.hdisplay +
+                                       (RBIOS16(tmp + 17) - RBIOS16(tmp + 19)) * 8;
+                               lvds->native_mode.hsync_start = lvds->native_mode.hdisplay +
+-                                      (RBIOS16(tmp + 21) - RBIOS16(tmp + 19) - 1) * 8;
++                                      hss;
+                               lvds->native_mode.hsync_end = lvds->native_mode.hsync_start +
+                                       (RBIOS8(tmp + 23) * 8);
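Review bot: The new bound on `hss` relies on an implicit conversion to catch a negative result: when `RBIOS16(tmp + 21)` is not larger than `RBIOS16(tmp + 19)`, the expression becomes a very large `u32` and only then trips `hss > lvds->native_mode.hdisplay`. That deserves a comment such as `/* value comes from the BIOS table; a negative result wraps in u32 and is rejected below */`, plus a word on where the fallback `(10 - 1) * 8` comes from. The `htotal` line just below still takes `(RBIOS16(tmp + 17) - RBIOS16(tmp + 19)) * 8` from the same table with no check, and `hsync_end` adds an unchecked `RBIOS8(tmp + 23) * 8`; if the hsync start can be broken, these fields presumably can be too. The enclosing function starts and ends outside the hunk.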
diff --git a/queue-3.14/fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_flags.patch b/queue-3.14/fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_flags.patch
new file mode 100644 (file)
index 0000000..75b985b
--- /dev/null
@@ -0,0 +1,77 @@
+From 8f2f3eb59dff4ec538de55f2e0592fec85966aab Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.com>
+Date: Thu, 6 Aug 2015 15:46:42 -0700
+Subject: fsnotify: fix oops in fsnotify_clear_marks_by_group_flags()
+
+From: Jan Kara <jack@suse.com>
+
+commit 8f2f3eb59dff4ec538de55f2e0592fec85966aab upstream.
+
+fsnotify_clear_marks_by_group_flags() can race with
+fsnotify_destroy_marks() so that when fsnotify_destroy_mark_locked()
+drops mark_mutex, a mark from the list iterated by
+fsnotify_clear_marks_by_group_flags() can be freed and thus the next
+entry pointer we have cached may become stale and we dereference free
+memory.
+
+Fix the problem by first moving marks to free to a special private list
+and then always free the first entry in the special list.  This method
+is safe even when entries from the list can disappear once we drop the
+lock.
+
+Signed-off-by: Jan Kara <jack@suse.com>
+Reported-by: Ashish Sangwan <a.sangwan@samsung.com>
+Reviewed-by: Ashish Sangwan <a.sangwan@samsung.com>
+Cc: Lino Sanfilippo <LinoSanfilippo@gmx.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/notify/mark.c |   30 +++++++++++++++++++++++++-----
+ 1 file changed, 25 insertions(+), 5 deletions(-)
+
+--- a/fs/notify/mark.c
++++ b/fs/notify/mark.c
+@@ -293,16 +293,36 @@ void fsnotify_clear_marks_by_group_flags
+                                        unsigned int flags)
+ {
+       struct fsnotify_mark *lmark, *mark;
++      LIST_HEAD(to_free);
++      /*
++       * We have to be really careful here. Anytime we drop mark_mutex, e.g.
++       * fsnotify_clear_marks_by_inode() can come and free marks. Even in our
++       * to_free list so we have to use mark_mutex even when accessing that
++       * list. And freeing mark requires us to drop mark_mutex. So we can
++       * reliably free only the first mark in the list. That's why we first
++       * move marks to free to to_free list in one go and then free marks in
++       * to_free list one by one.
++       */
+       mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);
+       list_for_each_entry_safe(mark, lmark, &group->marks_list, g_list) {
+-              if (mark->flags & flags) {
+-                      fsnotify_get_mark(mark);
+-                      fsnotify_destroy_mark_locked(mark, group);
+-                      fsnotify_put_mark(mark);
+-              }
++              if (mark->flags & flags)
++                      list_move(&mark->g_list, &to_free);
+       }
+       mutex_unlock(&group->mark_mutex);
++
++      while (1) {
++              mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);
++              if (list_empty(&to_free)) {
++                      mutex_unlock(&group->mark_mutex);
++                      break;
++              }
++              mark = list_first_entry(&to_free, struct fsnotify_mark, g_list);
++              fsnotify_get_mark(mark);
++              fsnotify_destroy_mark_locked(mark, group);
++              mutex_unlock(&group->mark_mutex);
++              fsnotify_put_mark(mark);
++      }
+ }
+ /*
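Review bot: The `while (1)` loop takes `list_first_entry(&to_free, ...)` on every pass, so it terminates only if `fsnotify_destroy_mark_locked()` unlinks `mark->g_list` on every path, including the one where another thread has already started destroying the mark; that function is not shown in the hunk. The block comment explains why only the first entry may be touched but not this dependency, so I would add a line such as `/* fsnotify_destroy_mark_locked() removes mark from to_free, so the list shrinks on each pass */`. The comment's second sentence ("Even in our to_free list so we have to use ...") is a fragment and reads better joined to the sentence before it.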
diff --git a/queue-3.14/ipr-fix-incorrect-trace-indexing.patch b/queue-3.14/ipr-fix-incorrect-trace-indexing.patch
new file mode 100644 (file)
index 0000000..30f4c24
--- /dev/null
@@ -0,0 +1,52 @@
+From bb7c54339e6a10ecce5c4961adf5e75b3cf0af30 Mon Sep 17 00:00:00 2001
+From: Brian King <brking@linux.vnet.ibm.com>
+Date: Tue, 14 Jul 2015 11:41:31 -0500
+Subject: ipr: Fix incorrect trace indexing
+
+From: Brian King <brking@linux.vnet.ibm.com>
+
+commit bb7c54339e6a10ecce5c4961adf5e75b3cf0af30 upstream.
+
+When ipr's internal driver trace was changed to an atomic, a signed/unsigned
+bug slipped in which results in us indexing backwards in our memory buffer
+writing on memory that does not belong to us. This patch fixes this by removing
+the modulo and instead just mask off the low bits.
+
+Tested-by: Wen Xiong <wenxiong@linux.vnet.ibm.com>
+Reviewed-by: Wen Xiong <wenxiong@linux.vnet.ibm.com>
+Reviewed-by: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
+Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: James Bottomley <JBottomley@Odin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ipr.c |    5 +++--
+ drivers/scsi/ipr.h |    1 +
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ipr.c
++++ b/drivers/scsi/ipr.c
+@@ -592,9 +592,10 @@ static void ipr_trc_hook(struct ipr_cmnd
+ {
+       struct ipr_trace_entry *trace_entry;
+       struct ipr_ioa_cfg *ioa_cfg = ipr_cmd->ioa_cfg;
++      unsigned int trace_index;
+-      trace_entry = &ioa_cfg->trace[atomic_add_return
+-                      (1, &ioa_cfg->trace_index)%IPR_NUM_TRACE_ENTRIES];
++      trace_index = atomic_add_return(1, &ioa_cfg->trace_index) & IPR_TRACE_INDEX_MASK;
++      trace_entry = &ioa_cfg->trace[trace_index];
+       trace_entry->time = jiffies;
+       trace_entry->op_code = ipr_cmd->ioarcb.cmd_pkt.cdb[0];
+       trace_entry->type = type;
+--- a/drivers/scsi/ipr.h
++++ b/drivers/scsi/ipr.h
+@@ -1459,6 +1459,7 @@ struct ipr_ioa_cfg {
+ #define IPR_NUM_TRACE_INDEX_BITS      8
+ #define IPR_NUM_TRACE_ENTRIES         (1 << IPR_NUM_TRACE_INDEX_BITS)
++#define IPR_TRACE_INDEX_MASK          (IPR_NUM_TRACE_ENTRIES - 1)
+ #define IPR_TRACE_SIZE        (sizeof(struct ipr_trace_entry) * IPR_NUM_TRACE_ENTRIES)
+       char trace_start[8];
+ #define IPR_TRACE_START_LABEL                 "trace"
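Review bot: In `ipr_trc_hook()` the fix depends on two facts that are not written down: the value returned by `atomic_add_return()` is a signed int that goes negative after the counter wraps, and `IPR_NUM_TRACE_ENTRIES` is a power of two, so `& IPR_TRACE_INDEX_MASK` behaves as a non-negative modulo. A one-line comment above the assignment, e.g. `/* counter is signed and wraps; mask (not %) keeps the index in 0..IPR_NUM_TRACE_ENTRIES-1 */`, would stop a later cleanup from restoring `%`. The same remark applies to the `unsigned int hrrq` conversion in `ipr_get_hrrq_index()` in ipr-fix-invalid-array-indexing-for-hrrq.patch. The new assignment line also exceeds 80 columns, and the function body continues outside the hunk.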
diff --git a/queue-3.14/ipr-fix-invalid-array-indexing-for-hrrq.patch b/queue-3.14/ipr-fix-invalid-array-indexing-for-hrrq.patch
new file mode 100644 (file)
index 0000000..5d65e7d
--- /dev/null
@@ -0,0 +1,67 @@
+From 3f1c0581310d5d94bd72740231507e763a6252a4 Mon Sep 17 00:00:00 2001
+From: Brian King <brking@linux.vnet.ibm.com>
+Date: Tue, 14 Jul 2015 11:41:33 -0500
+Subject: ipr: Fix invalid array indexing for HRRQ
+
+From: Brian King <brking@linux.vnet.ibm.com>
+
+commit 3f1c0581310d5d94bd72740231507e763a6252a4 upstream.
+
+Fixes another signed / unsigned array indexing bug in the ipr driver.
+Currently, when hrrq_index wraps, it becomes a negative number. We
+do the modulo, but still have a negative number, so we end up indexing
+backwards in the array. Given where the hrrq array is located in memory,
+we probably won't actually reference memory we don't own, but nonetheless
+ipr is still looking at data within struct ipr_ioa_cfg and interpreting it as
+struct ipr_hrr_queue data, so bad things could certainly happen.
+
+Each ipr adapter has anywhere from 1 to 16 HRRQs. By default, we use 2 on new
+adapters.  Let's take an example:
+
+Assume ioa_cfg->hrrq_index=0x7fffffffe and ioa_cfg->hrrq_num=4:
+
+The atomic_add_return will then return -1. We mod this with 3 and get -2, add
+one and get -1 for an array index.
+
+On adapters which support more than a single HRRQ, we dedicate HRRQ to adapter
+initialization and error interrupts so that we can optimize the other queues
+for fast path I/O. So all normal I/O uses HRRQ 1-15. So we want to spread the
+I/O requests across those HRRQs.
+
+With the default module parameter settings, this bug won't hit, only when
+someone sets the ipr.number_of_msix parameter to a value larger than 3 is when
+bad things start to happen.
+
+Tested-by: Wen Xiong <wenxiong@linux.vnet.ibm.com>
+Reviewed-by: Wen Xiong <wenxiong@linux.vnet.ibm.com>
+Reviewed-by: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
+Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: James Bottomley <JBottomley@Odin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ipr.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/ipr.c
++++ b/drivers/scsi/ipr.c
+@@ -1045,10 +1045,15 @@ static void ipr_send_blocking_cmd(struct
+ static int ipr_get_hrrq_index(struct ipr_ioa_cfg *ioa_cfg)
+ {
++      unsigned int hrrq;
++
+       if (ioa_cfg->hrrq_num == 1)
+-              return 0;
+-      else
+-              return (atomic_add_return(1, &ioa_cfg->hrrq_index) % (ioa_cfg->hrrq_num - 1)) + 1;
++              hrrq = 0;
++      else {
++              hrrq = atomic_add_return(1, &ioa_cfg->hrrq_index);
++              hrrq = (hrrq % (ioa_cfg->hrrq_num - 1)) + 1;
++      }
++      return hrrq;
+ }
+ /**
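Review bot: The `if (ioa_cfg->hrrq_num == 1)` arm has no braces while the `else` arm does; kernel coding style asks for braces on both arms once either needs them, so `if (ioa_cfg->hrrq_num == 1) {` and `} else {` would be the usual form. The function still returns `int` although the value is now computed in `unsigned int hrrq`. That is safe only while `hrrq_num` stays in its small documented range, and the hunk shows no check on that range.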
diff --git a/queue-3.14/ipr-fix-locking-for-unit-attention-handling.patch b/queue-3.14/ipr-fix-locking-for-unit-attention-handling.patch
new file mode 100644 (file)
index 0000000..985c718
--- /dev/null
@@ -0,0 +1,55 @@
+From 36b8e180e1e929e00b351c3b72aab3147fc14116 Mon Sep 17 00:00:00 2001
+From: Brian King <brking@linux.vnet.ibm.com>
+Date: Tue, 14 Jul 2015 11:41:29 -0500
+Subject: ipr: Fix locking for unit attention handling
+
+From: Brian King <brking@linux.vnet.ibm.com>
+
+commit 36b8e180e1e929e00b351c3b72aab3147fc14116 upstream.
+
+Make sure we have the host lock held when calling scsi_report_bus_reset. Fixes
+a crash seen as the __devices list in the scsi host was changing as we were
+iterating through it.
+
+Reviewed-by: Wen Xiong <wenxiong@linux.vnet.ibm.com>
+Reviewed-by: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
+Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: James Bottomley <JBottomley@Odin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ipr.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/scsi/ipr.c
++++ b/drivers/scsi/ipr.c
+@@ -6179,21 +6179,23 @@ static void ipr_scsi_done(struct ipr_cmn
+       struct ipr_ioa_cfg *ioa_cfg = ipr_cmd->ioa_cfg;
+       struct scsi_cmnd *scsi_cmd = ipr_cmd->scsi_cmd;
+       u32 ioasc = be32_to_cpu(ipr_cmd->s.ioasa.hdr.ioasc);
+-      unsigned long hrrq_flags;
++      unsigned long lock_flags;
+       scsi_set_resid(scsi_cmd, be32_to_cpu(ipr_cmd->s.ioasa.hdr.residual_data_len));
+       if (likely(IPR_IOASC_SENSE_KEY(ioasc) == 0)) {
+               scsi_dma_unmap(scsi_cmd);
+-              spin_lock_irqsave(ipr_cmd->hrrq->lock, hrrq_flags);
++              spin_lock_irqsave(ipr_cmd->hrrq->lock, lock_flags);
+               list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q);
+               scsi_cmd->scsi_done(scsi_cmd);
+-              spin_unlock_irqrestore(ipr_cmd->hrrq->lock, hrrq_flags);
++              spin_unlock_irqrestore(ipr_cmd->hrrq->lock, lock_flags);
+       } else {
+-              spin_lock_irqsave(ipr_cmd->hrrq->lock, hrrq_flags);
++              spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags);
++              spin_lock(&ipr_cmd->hrrq->_lock);
+               ipr_erp_start(ioa_cfg, ipr_cmd);
+-              spin_unlock_irqrestore(ipr_cmd->hrrq->lock, hrrq_flags);
++              spin_unlock(&ipr_cmd->hrrq->_lock);
++              spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags);
+       }
+ }
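Review bot: The error branch of `ipr_scsi_done()` now nests two locks and takes the queue lock as `&ipr_cmd->hrrq->_lock`, while the fast path above still goes through the `ipr_cmd->hrrq->lock` pointer; nothing in the code states why the accessors differ or what the lock order is. Presumably `hrrq->lock` can point at the host lock for some queues, in which case using it here would self-deadlock, but that is not visible in the hunk. A comment such as `/* order: host_lock, then hrrq->_lock; the error path can reach scsi_report_bus_reset(), which needs host_lock */` would record the rule. It is worth confirming that every other path taking both locks uses the same order. The function starts outside the hunk.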
diff --git a/queue-3.14/mips-fix-sched_getaffinity-with-mt-fpaff-enabled.patch b/queue-3.14/mips-fix-sched_getaffinity-with-mt-fpaff-enabled.patch
new file mode 100644 (file)
index 0000000..6611ef1
--- /dev/null
@@ -0,0 +1,46 @@
+From 1d62d737555e1378eb62a8bba26644f7d97139d2 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Sun, 19 Jul 2015 00:38:41 +0200
+Subject: MIPS: Fix sched_getaffinity with MT FPAFF enabled
+
+From: Felix Fietkau <nbd@openwrt.org>
+
+commit 1d62d737555e1378eb62a8bba26644f7d97139d2 upstream.
+
+p->thread.user_cpus_allowed is zero-initialized and is only filled on
+the first sched_setaffinity call.
+
+To avoid adding overhead in the task initialization codepath, simply OR
+the returned mask in sched_getaffinity with p->cpus_allowed.
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/10740/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/mips-mt-fpaff.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/mips-mt-fpaff.c
++++ b/arch/mips/kernel/mips-mt-fpaff.c
+@@ -154,7 +154,7 @@ asmlinkage long mipsmt_sys_sched_getaffi
+                                     unsigned long __user *user_mask_ptr)
+ {
+       unsigned int real_len;
+-      cpumask_t mask;
++      cpumask_t allowed, mask;
+       int retval;
+       struct task_struct *p;
+@@ -173,7 +173,8 @@ asmlinkage long mipsmt_sys_sched_getaffi
+       if (retval)
+               goto out_unlock;
+-      cpumask_and(&mask, &p->thread.user_cpus_allowed, cpu_possible_mask);
++      cpumask_or(&allowed, &p->thread.user_cpus_allowed, &p->cpus_allowed);
++      cpumask_and(&mask, &allowed, cpu_active_mask);
+ out_unlock:
+       read_unlock(&tasklist_lock);
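Review bot: The second added line changes the final mask from `cpu_possible_mask` to `cpu_active_mask`, which the commit message does not mention; it describes only OR-ing in `p->cpus_allowed`. This alters what the syscall reports to user space while CPUs are offline, so it deserves a sentence in the description or a comment above the `cpumask_and()` call such as `/* report only CPUs that are currently active */`. A second comment on the `cpumask_or()` line, e.g. `/* user_cpus_allowed stays zero until the first sched_setaffinity() */`, would keep the reason for the union next to the code. The function body begins and ends outside the two hunks.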
diff --git a/queue-3.14/mips-make-set_pte-smp-safe.patch b/queue-3.14/mips-make-set_pte-smp-safe.patch
new file mode 100644 (file)
index 0000000..c1ab61a
--- /dev/null
@@ -0,0 +1,77 @@
+From 46011e6ea39235e4aca656673c500eac81a07a17 Mon Sep 17 00:00:00 2001
+From: David Daney <david.daney@cavium.com>
+Date: Mon, 3 Aug 2015 17:48:43 -0700
+Subject: MIPS: Make set_pte() SMP safe.
+
+From: David Daney <david.daney@cavium.com>
+
+commit 46011e6ea39235e4aca656673c500eac81a07a17 upstream.
+
+On MIPS the GLOBAL bit of the PTE must have the same value in any
+aligned pair of PTEs.  These pairs of PTEs are referred to as
+"buddies".  In a SMP system is is possible for two CPUs to be calling
+set_pte() on adjacent PTEs at the same time.  There is a race between
+setting the PTE and a different CPU setting the GLOBAL bit in its
+buddy PTE.
+
+This race can be observed when multiple CPUs are executing
+vmap()/vfree() at the same time.
+
+Make setting the buddy PTE's GLOBAL bit an atomic operation to close
+the race condition.
+
+The case of CONFIG_64BIT_PHYS_ADDR && CONFIG_CPU_MIPS32 is *not*
+handled.
+
+Signed-off-by: David Daney <david.daney@cavium.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/10835/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/pgtable.h |   31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+--- a/arch/mips/include/asm/pgtable.h
++++ b/arch/mips/include/asm/pgtable.h
+@@ -150,8 +150,39 @@ static inline void set_pte(pte_t *ptep,
+                * Make sure the buddy is global too (if it's !none,
+                * it better already be global)
+                */
++#ifdef CONFIG_SMP
++              /*
++               * For SMP, multiple CPUs can race, so we need to do
++               * this atomically.
++               */
++#ifdef CONFIG_64BIT
++#define LL_INSN "lld"
++#define SC_INSN "scd"
++#else /* CONFIG_32BIT */
++#define LL_INSN "ll"
++#define SC_INSN "sc"
++#endif
++              unsigned long page_global = _PAGE_GLOBAL;
++              unsigned long tmp;
++
++              __asm__ __volatile__ (
++                      "       .set    push\n"
++                      "       .set    noreorder\n"
++                      "1:     " LL_INSN "     %[tmp], %[buddy]\n"
++                      "       bnez    %[tmp], 2f\n"
++                      "        or     %[tmp], %[tmp], %[global]\n"
++                      "       " SC_INSN "     %[tmp], %[buddy]\n"
++                      "       beqz    %[tmp], 1b\n"
++                      "        nop\n"
++                      "2:\n"
++                      "       .set pop"
++                      : [buddy] "+m" (buddy->pte),
++                        [tmp] "=&r" (tmp)
++                      : [global] "r" (page_global));
++#else /* !CONFIG_SMP */
+               if (pte_none(*buddy))
+                       pte_val(*buddy) = pte_val(*buddy) | _PAGE_GLOBAL;
++#endif /* CONFIG_SMP */
+       }
+ #endif
+ }
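Review bot: `LL_INSN` and `SC_INSN` are defined inside the body of `set_pte()` in a header and never undefined, so every file that includes asm/pgtable.h inherits two generically named macros. Adding `#undef LL_INSN` and `#undef SC_INSN` right after the `__asm__` statement, or moving the definitions to file scope under a more specific name, keeps them local. The asm would also benefit from a short comment saying that `bnez` skips the store when the buddy PTE is already non-zero, mirroring the `pte_none(*buddy)` test in the !SMP branch, and that the `or` sits in the branch delay slot. The surrounding `#if` is outside the hunk, so it cannot be judged from here which path the unhandled CONFIG_64BIT_PHYS_ADDR with CONFIG_CPU_MIPS32 case takes.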
diff --git a/queue-3.14/mips-malta-don-t-reinitialise-rtc.patch b/queue-3.14/mips-malta-don-t-reinitialise-rtc.patch
new file mode 100644 (file)
index 0000000..dd3b8d9
--- /dev/null
@@ -0,0 +1,69 @@
+From 106eccb4d20f35ebc58ff2286c170d9e79c5ff68 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Fri, 17 Jul 2015 15:54:41 +0100
+Subject: MIPS: Malta: Don't reinitialise RTC
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 106eccb4d20f35ebc58ff2286c170d9e79c5ff68 upstream.
+
+On Malta, since commit a87ea88d8f6c ("MIPS: Malta: initialise the RTC at
+boot"), the RTC is reinitialised and forced into binary coded decimal
+(BCD) mode during init, even if the bootloader has already initialised
+it, and may even have already put it into binary mode (as YAMON does).
+This corrupts the current time, can result in the RTC seconds being an
+invalid BCD (e.g. 0x1a..0x1f) for up to 6 seconds, as well as confusing
+YAMON for a while after reset, enough for it to report timeouts when
+attempting to load from TFTP (it actually uses the RTC in that code).
+
+Therefore only initialise the RTC to the extent that is necessary so
+that Linux avoids interfering with the bootloader setup, while also
+allowing it to estimate the CPU frequency without hanging, without a
+bootloader necessarily having done anything with the RTC (for example
+when the kernel is loaded via EJTAG).
+
+The divider control is configured for a 32KHZ reference clock if
+necessary, and the SET bit of the RTC_CONTROL register is cleared if
+necessary without changing any other bits (this bit will be set when
+coming out of reset if the battery has been disconnected).
+
+Fixes: a87ea88d8f6c ("MIPS: Malta: initialise the RTC at boot")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Reviewed-by: Paul Burton <paul.burton@imgtec.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Maciej W. Rozycki <macro@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/10739/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/mti-malta/malta-time.c |   15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/arch/mips/mti-malta/malta-time.c
++++ b/arch/mips/mti-malta/malta-time.c
+@@ -168,14 +168,17 @@ unsigned int get_c0_compare_int(void)
+ static void __init init_rtc(void)
+ {
+-      /* stop the clock whilst setting it up */
+-      CMOS_WRITE(RTC_SET | RTC_24H, RTC_CONTROL);
++      unsigned char freq, ctrl;
+-      /* 32KHz time base */
+-      CMOS_WRITE(RTC_REF_CLCK_32KHZ, RTC_FREQ_SELECT);
++      /* Set 32KHz time base if not already set */
++      freq = CMOS_READ(RTC_FREQ_SELECT);
++      if ((freq & RTC_DIV_CTL) != RTC_REF_CLCK_32KHZ)
++              CMOS_WRITE(RTC_REF_CLCK_32KHZ, RTC_FREQ_SELECT);
+-      /* start the clock */
+-      CMOS_WRITE(RTC_24H, RTC_CONTROL);
++      /* Ensure SET bit is clear so RTC can run */
++      ctrl = CMOS_READ(RTC_CONTROL);
++      if (ctrl & RTC_SET)
++              CMOS_WRITE(ctrl & ~RTC_SET, RTC_CONTROL);
+ }
+ void __init plat_time_init(void)
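Review bot: The divider check in `init_rtc()` looks only at `freq & RTC_DIV_CTL`, but the write that follows stores bare `RTC_REF_CLCK_32KHZ` and so clears every other bit of RTC_FREQ_SELECT. The control-register path, by contrast, preserves the remaining bits with `ctrl & ~RTC_SET`. If the bootloader programmed the rate-select bits, they are lost whenever the divider needs correcting. Writing `CMOS_WRITE((freq & ~RTC_DIV_CTL) | RTC_REF_CLCK_32KHZ, RTC_FREQ_SELECT);` would touch only the divider field, in line with the stated aim of not interfering with the bootloader setup.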
index 3048ff63eca9a7742627def0b0dbae496c7cfa45..356b8dd09d2cb926eb0badab5308414064693a5e 100644 (file)
@@ -1 +1,11 @@
 arm-realview-fix-sparsemem-build.patch
+mips-malta-don-t-reinitialise-rtc.patch
+mips-fix-sched_getaffinity-with-mt-fpaff-enabled.patch
+mips-make-set_pte-smp-safe.patch
+fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_flags.patch
+drm-radeon-combios-add-some-validation-of-lvds-values.patch
+ipr-fix-locking-for-unit-attention-handling.patch
+ipr-fix-incorrect-trace-indexing.patch
+ipr-fix-invalid-array-indexing-for-hrrq.patch
+xhci-fix-off-by-one-error-in-trb-dma-address-boundary-check.patch
+usb-sierra-add-1199-68ab-device-id.patch
diff --git a/queue-3.14/usb-sierra-add-1199-68ab-device-id.patch b/queue-3.14/usb-sierra-add-1199-68ab-device-id.patch
new file mode 100644 (file)
index 0000000..e266b5f
--- /dev/null
@@ -0,0 +1,330 @@
+From 74472233233f577eaa0ca6d6e17d9017b6e53150 Mon Sep 17 00:00:00 2001
+From: Dirk Behme <dirk.behme@de.bosch.com>
+Date: Mon, 27 Jul 2015 08:56:05 +0200
+Subject: USB: sierra: add 1199:68AB device ID
+
+From: Dirk Behme <dirk.behme@de.bosch.com>
+
+commit 74472233233f577eaa0ca6d6e17d9017b6e53150 upstream.
+
+Add support for the Sierra Wireless AR8550 device with
+USB descriptor 0x1199, 0x68AB.
+
+It is common with MC879x modules 1199:683c/683d which
+also are composite devices with 7 interfaces (0..6)
+and also MDM62xx based as the AR8550.
+
+The major difference are only the interface attributes
+02/02/01 on interfaces 3 and 4 on the AR8550. They are
+vendor specific ff/ff/ff on MC879x modules.
+
+lsusb reports:
+
+Bus 001 Device 004: ID 1199:68ab Sierra Wireless, Inc.
+Device Descriptor:
+  bLength                18
+  bDescriptorType         1
+  bcdUSB               2.00
+  bDeviceClass            0 (Defined at Interface level)
+  bDeviceSubClass         0
+  bDeviceProtocol         0
+  bMaxPacketSize0        64
+  idVendor           0x1199 Sierra Wireless, Inc.
+  idProduct          0x68ab
+  bcdDevice            0.06
+  iManufacturer           3 Sierra Wireless, Incorporated
+  iProduct                2 AR8550
+  iSerial                 0
+  bNumConfigurations      1
+  Configuration Descriptor:
+    bLength                 9
+    bDescriptorType         2
+    wTotalLength          198
+    bNumInterfaces          7
+    bConfigurationValue     1
+    iConfiguration          1 Sierra Configuration
+    bmAttributes         0xe0
+      Self Powered
+      Remote Wakeup
+    MaxPower                0mA
+    Interface Descriptor:
+      bLength                 9
+      bDescriptorType         4
+      bInterfaceNumber        0
+      bAlternateSetting       0
+      bNumEndpoints           2
+      bInterfaceClass       255 Vendor Specific Class
+      bInterfaceSubClass    255 Vendor Specific Subclass
+      bInterfaceProtocol    255 Vendor Specific Protocol
+      iInterface              0
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x81  EP 1 IN
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0200  1x 512 bytes
+        bInterval              32
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x01  EP 1 OUT
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0200  1x 512 bytes
+        bInterval              32
+    Interface Descriptor:
+      bLength                 9
+      bDescriptorType         4
+      bInterfaceNumber        1
+      bAlternateSetting       0
+      bNumEndpoints           2
+      bInterfaceClass       255 Vendor Specific Class
+      bInterfaceSubClass    255 Vendor Specific Subclass
+      bInterfaceProtocol    255 Vendor Specific Protocol
+      iInterface              0
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x82  EP 2 IN
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0200  1x 512 bytes
+        bInterval              32
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x02  EP 2 OUT
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0200  1x 512 bytes
+        bInterval              32
+    Interface Descriptor:
+      bLength                 9
+      bDescriptorType         4
+      bInterfaceNumber        2
+      bAlternateSetting       0
+      bNumEndpoints           2
+      bInterfaceClass       255 Vendor Specific Class
+      bInterfaceSubClass    255 Vendor Specific Subclass
+      bInterfaceProtocol    255 Vendor Specific Protocol
+      iInterface              0
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x83  EP 3 IN
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0200  1x 512 bytes
+        bInterval              32
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x03  EP 3 OUT
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0200  1x 512 bytes
+        bInterval              32
+    Interface Descriptor:
+      bLength                 9
+      bDescriptorType         4
+      bInterfaceNumber        3
+      bAlternateSetting       0
+      bNumEndpoints           3
+      bInterfaceClass         2 Communications
+      bInterfaceSubClass      2 Abstract (modem)
+      bInterfaceProtocol      1 AT-commands (v.25ter)
+      iInterface              0
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x84  EP 4 IN
+        bmAttributes            3
+          Transfer Type            Interrupt
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0040  1x 64 bytes
+        bInterval               5
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x85  EP 5 IN
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0200  1x 512 bytes
+        bInterval              32
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x04  EP 4 OUT
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0200  1x 512 bytes
+        bInterval              32
+    Interface Descriptor:
+      bLength                 9
+      bDescriptorType         4
+      bInterfaceNumber        4
+      bAlternateSetting       0
+      bNumEndpoints           3
+      bInterfaceClass         2 Communications
+      bInterfaceSubClass      2 Abstract (modem)
+      bInterfaceProtocol      1 AT-commands (v.25ter)
+      iInterface              0
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x86  EP 6 IN
+        bmAttributes            3
+          Transfer Type            Interrupt
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0040  1x 64 bytes
+        bInterval               5
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x87  EP 7 IN
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0200  1x 512 bytes
+        bInterval              32
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x05  EP 5 OUT
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0200  1x 512 bytes
+        bInterval              32
+    Interface Descriptor:
+      bLength                 9
+      bDescriptorType         4
+      bInterfaceNumber        5
+      bAlternateSetting       0
+      bNumEndpoints           3
+      bInterfaceClass       255 Vendor Specific Class
+      bInterfaceSubClass    255 Vendor Specific Subclass
+      bInterfaceProtocol    255 Vendor Specific Protocol
+      iInterface              0
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x88  EP 8 IN
+        bmAttributes            3
+          Transfer Type            Interrupt
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0040  1x 64 bytes
+        bInterval               5
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x89  EP 9 IN
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0200  1x 512 bytes
+        bInterval              32
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x06  EP 6 OUT
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0200  1x 512 bytes
+        bInterval              32
+    Interface Descriptor:
+      bLength                 9
+      bDescriptorType         4
+      bInterfaceNumber        6
+      bAlternateSetting       0
+      bNumEndpoints           3
+      bInterfaceClass       255 Vendor Specific Class
+      bInterfaceSubClass    255 Vendor Specific Subclass
+      bInterfaceProtocol    255 Vendor Specific Protocol
+      iInterface              0
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x8a  EP 10 IN
+        bmAttributes            3
+          Transfer Type            Interrupt
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0040  1x 64 bytes
+        bInterval               5
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x8b  EP 11 IN
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0200  1x 512 bytes
+        bInterval              32
+      Endpoint Descriptor:
+        bLength                 7
+        bDescriptorType         5
+        bEndpointAddress     0x07  EP 7 OUT
+        bmAttributes            2
+          Transfer Type            Bulk
+          Synch Type               None
+          Usage Type               Data
+        wMaxPacketSize     0x0200  1x 512 bytes
+        bInterval              32
+Device Qualifier (for other device speed):
+  bLength                10
+  bDescriptorType         6
+  bcdUSB               2.00
+  bDeviceClass            0 (Defined at Interface level)
+  bDeviceSubClass         0
+  bDeviceProtocol         0
+  bMaxPacketSize0        64
+  bNumConfigurations      1
+Device Status:     0x0001
+  Self Powered
+
+Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>
+Cc: Lars Melin <larsm17@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/sierra.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/sierra.c
++++ b/drivers/usb/serial/sierra.c
+@@ -289,6 +289,7 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE_AND_INTERFACE_INFO(0x1199, 0x68AA, 0xFF, 0xFF, 0xFF),
+         .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist
+       },
++      { USB_DEVICE(0x1199, 0x68AB) }, /* Sierra Wireless AR8550 */
+       /* AT&T Direct IP LTE modems */
+       { USB_DEVICE_AND_INTERFACE_INFO(0x0F3D, 0x68AA, 0xFF, 0xFF, 0xFF),
+         .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist
diff --git a/queue-3.14/xhci-fix-off-by-one-error-in-trb-dma-address-boundary-check.patch b/queue-3.14/xhci-fix-off-by-one-error-in-trb-dma-address-boundary-check.patch
new file mode 100644 (file)
index 0000000..353be67
--- /dev/null
@@ -0,0 +1,50 @@
+From 7895086afde2a05fa24a0e410d8e6b75ca7c8fdd Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Mon, 3 Aug 2015 16:07:48 +0300
+Subject: xhci: fix off by one error in TRB DMA address boundary check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 7895086afde2a05fa24a0e410d8e6b75ca7c8fdd upstream.
+
+We need to check that a TRB is part of the current segment
+before calculating its DMA address.
+
+Previously a ring segment didn't use a full memory page, and every
+new ring segment got a new memory page, so the off by one
+error in checking the upper bound was never seen.
+
+Now that we use a full memory page, 256 TRBs (4096 bytes), the off by one
+didn't catch the case when a TRB was the first element of the next segment.
+
+This is triggered if the virtual memory pages for a ring segment are
+next to each in increasing order where the ring buffer wraps around and
+causes errors like:
+
+[  106.398223] xhci_hcd 0000:00:14.0: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 0 comp_code 1
+[  106.398230] xhci_hcd 0000:00:14.0: Looking for event-dma fffd3000 trb-start fffd4fd0 trb-end fffd5000 seg-start fffd4000 seg-end fffd4ff0
+
+The trb-end address is one outside the end-seg address.
+
+Tested-by: Arkadiusz Miƛkiewicz <arekm@maven.pl>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-ring.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -86,7 +86,7 @@ dma_addr_t xhci_trb_virt_to_dma(struct x
+               return 0;
+       /* offset in TRBs */
+       segment_offset = trb - seg->trbs;
+-      if (segment_offset > TRBS_PER_SEGMENT)
++      if (segment_offset >= TRBS_PER_SEGMENT)
+               return 0;
+       return seg->dma + (segment_offset * sizeof(*trb));
+ }
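Review bot: The corrected bound `if (segment_offset >= TRBS_PER_SEGMENT)` has no comment explaining why the equal case must be rejected, and that is the case the commit message describes: a TRB pointer one past the end, which can be the first element of an adjacent segment. I would extend the existing comment to `/* offset in TRBs; valid indices are 0..TRBS_PER_SEGMENT-1, one past the end is another segment */` so the comparison is not loosened again later. The function starts outside the hunk, so the guard ending in the first `return 0;` and the type of `segment_offset` are not visible. Whether a pointer below `seg->trbs` is rejected before the subtraction should be confirmed there. Since 0 is the failure value, callers presumably have to treat a zero DMA address as "not in this segment" and never pass it on to the controller.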