--- /dev/null
+From 2f974865ffdfe7b9f46a9940836c8b167342563d Mon Sep 17 00:00:00 2001
+From: Eryu Guan <guaneryu@gmail.com>
+Date: Thu, 14 May 2015 19:00:45 -0400
+Subject: ext4: check for zero length extent explicitly
+
+From: Eryu Guan <guaneryu@gmail.com>
+
+commit 2f974865ffdfe7b9f46a9940836c8b167342563d upstream.
+
+The following commit introduced a bug when checking for zero length extent
+
+5946d08 ext4: check for overlapping extents in ext4_valid_extent_entries()
+
+Zero length extent could pass the check if lblock is zero.
+
+Adding the explicit check for zero length back.
+
+Signed-off-by: Eryu Guan <guaneryu@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/extents.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -361,7 +361,7 @@ static int ext4_valid_extent(struct inod
+ ext4_lblk_t lblock = le32_to_cpu(ext->ee_block);
+ ext4_lblk_t last = lblock + len - 1;
+
+- if (lblock > last)
++ if (len == 0 || lblock > last)
+ return 0;
+ return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len);
+ }
--- /dev/null
+From 9d506594069355d1fb2de3f9104667312ff08ed3 Mon Sep 17 00:00:00 2001
+From: Lukas Czerner <lczerner@redhat.com>
+Date: Thu, 14 May 2015 18:55:18 -0400
+Subject: ext4: fix NULL pointer dereference when journal restart fails
+
+From: Lukas Czerner <lczerner@redhat.com>
+
+commit 9d506594069355d1fb2de3f9104667312ff08ed3 upstream.
+
+Currently when journal restart fails, we'll have the h_transaction of
+the handle set to NULL to indicate that the handle has been effectively
+aborted. We handle this situation quietly in the jbd2_journal_stop() and just
+free the handle and exit because everything else has been done before we
+attempted (and failed) to restart the journal.
+
+Unfortunately there are a number of problems with that approach
+introduced with commit
+
+41a5b913197c "jbd2: invalidate handle if jbd2_journal_restart()
+fails"
+
+First of all in ext4 jbd2_journal_stop() will be called through
+__ext4_journal_stop() where we would try to get a hold of the superblock
+by dereferencing h_transaction which in this case would lead to NULL
+pointer dereference and crash.
+
+In addition we're going to free the handle regardless of the refcount
+which is bad as well, because others up the call chain will still
+reference the handle so we might potentially reference already freed
+memory.
+
+Moreover it's expected that we'll get aborted handle as well as detached
+handle in some of the journalling function as the error propagates up
+the stack, so it's unnecessary to call WARN_ON every time we get
+detached handle.
+
+And finally we might leak some memory by forgetting to free reserved
+handle in jbd2_journal_stop() in the case where handle was detached from
+the transaction (h_transaction is NULL).
+
+Fix the NULL pointer dereference in __ext4_journal_stop() by just
+calling jbd2_journal_stop() quietly as suggested by Jan Kara. Also fix
+the potential memory leak in jbd2_journal_stop() and use proper
+handle refcounting before we attempt to free it to avoid use-after-free
+issues.
+
+And finally remove all WARN_ON(!transaction) from the code so that we do
+not get random traces when something goes wrong because when journal
+restart fails we will get to some of those functions.
+
+Signed-off-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ext4_jbd2.c | 6 ++++++
+ fs/jbd2/transaction.c | 25 ++++++++++++++++---------
+ 2 files changed, 22 insertions(+), 9 deletions(-)
+
+--- a/fs/ext4/ext4_jbd2.c
++++ b/fs/ext4/ext4_jbd2.c
+@@ -87,6 +87,12 @@ int __ext4_journal_stop(const char *wher
+ ext4_put_nojournal(handle);
+ return 0;
+ }
++
++ if (!handle->h_transaction) {
++ err = jbd2_journal_stop(handle);
++ return handle->h_err ? handle->h_err : err;
++ }
++
+ sb = handle->h_transaction->t_journal->j_private;
+ err = handle->h_err;
+ rc = jbd2_journal_stop(handle);
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -551,7 +551,6 @@ int jbd2_journal_extend(handle_t *handle
+ int result;
+ int wanted;
+
+- WARN_ON(!transaction);
+ if (is_handle_aborted(handle))
+ return -EROFS;
+ journal = transaction->t_journal;
+@@ -627,7 +626,6 @@ int jbd2__journal_restart(handle_t *hand
+ tid_t tid;
+ int need_to_start, ret;
+
+- WARN_ON(!transaction);
+ /* If we've had an abort of any type, don't even think about
+ * actually doing the restart! */
+ if (is_handle_aborted(handle))
+@@ -791,7 +789,6 @@ do_get_write_access(handle_t *handle, st
+ int need_copy = 0;
+ unsigned long start_lock, time_lock;
+
+- WARN_ON(!transaction);
+ if (is_handle_aborted(handle))
+ return -EROFS;
+ journal = transaction->t_journal;
+@@ -1057,7 +1054,6 @@ int jbd2_journal_get_create_access(handl
+ int err;
+
+ jbd_debug(5, "journal_head %p\n", jh);
+- WARN_ON(!transaction);
+ err = -EROFS;
+ if (is_handle_aborted(handle))
+ goto out;
+@@ -1271,7 +1267,6 @@ int jbd2_journal_dirty_metadata(handle_t
+ struct journal_head *jh;
+ int ret = 0;
+
+- WARN_ON(!transaction);
+ if (is_handle_aborted(handle))
+ return -EROFS;
+ journal = transaction->t_journal;
+@@ -1407,7 +1402,6 @@ int jbd2_journal_forget (handle_t *handl
+ int err = 0;
+ int was_modified = 0;
+
+- WARN_ON(!transaction);
+ if (is_handle_aborted(handle))
+ return -EROFS;
+ journal = transaction->t_journal;
+@@ -1538,8 +1532,22 @@ int jbd2_journal_stop(handle_t *handle)
+ tid_t tid;
+ pid_t pid;
+
+- if (!transaction)
+- goto free_and_exit;
++ if (!transaction) {
++ /*
++ * Handle is already detached from the transaction so
++ * there is nothing to do other than decrease a refcount,
++ * or free the handle if refcount drops to zero
++ */
++ if (--handle->h_ref > 0) {
++ jbd_debug(4, "h_ref %d -> %d\n", handle->h_ref + 1,
++ handle->h_ref);
++ return err;
++ } else {
++ if (handle->h_rsv_handle)
++ jbd2_free_handle(handle->h_rsv_handle);
++ goto free_and_exit;
++ }
++ }
+ journal = transaction->t_journal;
+
+ J_ASSERT(journal_current_handle() == handle);
+@@ -2381,7 +2389,6 @@ int jbd2_journal_file_inode(handle_t *ha
+ transaction_t *transaction = handle->h_transaction;
+ journal_t *journal;
+
+- WARN_ON(!transaction);
+ if (is_handle_aborted(handle))
+ return -EROFS;
+ journal = transaction->t_journal;
--- /dev/null
+From e531d0bceb402e643a4499de40dd3fa39d8d2e43 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Thu, 14 May 2015 19:11:50 -0400
+Subject: jbd2: fix r_count overflows leading to buffer overflow in journal recovery
+
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+
+commit e531d0bceb402e643a4499de40dd3fa39d8d2e43 upstream.
+
+The journal revoke block recovery code does not check r_count for
+sanity, which means that an evil value of r_count could result in
+the kernel reading off the end of the revoke table and into whatever
+garbage lies beyond. This could crash the kernel, so fix that.
+
+However, in testing this fix, I discovered that the code to write
+out the revoke tables also was not correctly checking to see if the
+block was full -- the current offset check is fine so long as the
+revoke table space size is a multiple of the record size, but this
+is not true when either journal_csum_v[23] are set.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/recovery.c | 10 +++++++++-
+ fs/jbd2/revoke.c | 18 ++++++++++--------
+ 2 files changed, 19 insertions(+), 9 deletions(-)
+
+--- a/fs/jbd2/recovery.c
++++ b/fs/jbd2/recovery.c
+@@ -839,15 +839,23 @@ static int scan_revoke_records(journal_t
+ {
+ jbd2_journal_revoke_header_t *header;
+ int offset, max;
++ int csum_size = 0;
++ __u32 rcount;
+ int record_len = 4;
+
+ header = (jbd2_journal_revoke_header_t *) bh->b_data;
+ offset = sizeof(jbd2_journal_revoke_header_t);
+- max = be32_to_cpu(header->r_count);
++ rcount = be32_to_cpu(header->r_count);
+
+ if (!jbd2_revoke_block_csum_verify(journal, header))
+ return -EINVAL;
+
++ if (jbd2_journal_has_csum_v2or3(journal))
++ csum_size = sizeof(struct jbd2_journal_revoke_tail);
++ if (rcount > journal->j_blocksize - csum_size)
++ return -EINVAL;
++ max = rcount;
++
+ if (JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_64BIT))
+ record_len = 8;
+
+--- a/fs/jbd2/revoke.c
++++ b/fs/jbd2/revoke.c
+@@ -583,7 +583,7 @@ static void write_one_revoke_record(jour
+ {
+ int csum_size = 0;
+ struct buffer_head *descriptor;
+- int offset;
++ int sz, offset;
+ journal_header_t *header;
+
+ /* If we are already aborting, this all becomes a noop. We
+@@ -600,9 +600,14 @@ static void write_one_revoke_record(jour
+ if (jbd2_journal_has_csum_v2or3(journal))
+ csum_size = sizeof(struct jbd2_journal_revoke_tail);
+
++ if (JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_64BIT))
++ sz = 8;
++ else
++ sz = 4;
++
+ /* Make sure we have a descriptor with space left for the record */
+ if (descriptor) {
+- if (offset >= journal->j_blocksize - csum_size) {
++ if (offset + sz > journal->j_blocksize - csum_size) {
+ flush_descriptor(journal, descriptor, offset, write_op);
+ descriptor = NULL;
+ }
+@@ -625,16 +630,13 @@ static void write_one_revoke_record(jour
+ *descriptorp = descriptor;
+ }
+
+- if (JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_64BIT)) {
++ if (JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_64BIT))
+ * ((__be64 *)(&descriptor->b_data[offset])) =
+ cpu_to_be64(record->blocknr);
+- offset += 8;
+-
+- } else {
++ else
+ * ((__be32 *)(&descriptor->b_data[offset])) =
+ cpu_to_be32(record->blocknr);
+- offset += 4;
+- }
++ offset += sz;
+
+ *offsetp = offset;
+ }
--- /dev/null
+From 8393b811f38acdf7fd8da2028708edad3e68ce1f Mon Sep 17 00:00:00 2001
+From: Gabriele Mazzotta <gabriele.mzt@gmail.com>
+Date: Sat, 25 Apr 2015 19:52:36 +0200
+Subject: libata: Add helper to determine when PHY events should be ignored
+
+From: Gabriele Mazzotta <gabriele.mzt@gmail.com>
+
+commit 8393b811f38acdf7fd8da2028708edad3e68ce1f upstream.
+
+This is a preparation commit that will allow to add other criteria
+according to which PHY events should be dropped.
+
+Signed-off-by: Gabriele Mazzotta <gabriele.mzt@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libahci.c | 3 +--
+ drivers/ata/libata-core.c | 19 +++++++++++++++++++
+ include/linux/libata.h | 1 +
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/libahci.c
++++ b/drivers/ata/libahci.c
+@@ -1693,8 +1693,7 @@ static void ahci_handle_port_interrupt(s
+ if (unlikely(resetting))
+ status &= ~PORT_IRQ_BAD_PMP;
+
+- /* if LPM is enabled, PHYRDY doesn't mean anything */
+- if (ap->link.lpm_policy > ATA_LPM_MAX_POWER) {
++ if (sata_lpm_ignore_phy_events(&ap->link)) {
+ status &= ~PORT_IRQ_PHYRDY;
+ ahci_scr_write(&ap->link, SCR_ERROR, SERR_PHYRDY_CHG);
+ }
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -6825,6 +6825,25 @@ u32 ata_wait_register(struct ata_port *a
+ return tmp;
+ }
+
++/**
++ * sata_lpm_ignore_phy_events - test if PHY event should be ignored
++ * @link: Link receiving the event
++ *
++ * Test whether the received PHY event has to be ignored or not.
++ *
++ * LOCKING:
++ * None:
++ *
++ * RETURNS:
++ * True if the event has to be ignored.
++ */
++bool sata_lpm_ignore_phy_events(struct ata_link *link)
++{
++ /* if LPM is enabled, PHYRDY doesn't mean anything */
++ return !!(link->lpm_policy > ATA_LPM_MAX_POWER);
++}
++EXPORT_SYMBOL_GPL(sata_lpm_ignore_phy_events);
++
+ /*
+ * Dummy port_ops
+ */
+--- a/include/linux/libata.h
++++ b/include/linux/libata.h
+@@ -1201,6 +1201,7 @@ extern struct ata_device *ata_dev_pair(s
+ extern int ata_do_set_mode(struct ata_link *link, struct ata_device **r_failed_dev);
+ extern void ata_scsi_port_error_handler(struct Scsi_Host *host, struct ata_port *ap);
+ extern void ata_scsi_cmd_error_handler(struct Scsi_Host *host, struct ata_port *ap, struct list_head *eh_q);
++extern bool sata_lpm_ignore_phy_events(struct ata_link *link);
+
+ extern int ata_cable_40wire(struct ata_port *ap);
+ extern int ata_cable_80wire(struct ata_port *ap);
--- /dev/null
+From 09c5b4803a80a5451d950d6a539d2eb311dc0fb1 Mon Sep 17 00:00:00 2001
+From: Gabriele Mazzotta <gabriele.mzt@gmail.com>
+Date: Sat, 25 Apr 2015 19:52:37 +0200
+Subject: libata: Ignore spurious PHY event on LPM policy change
+
+From: Gabriele Mazzotta <gabriele.mzt@gmail.com>
+
+commit 09c5b4803a80a5451d950d6a539d2eb311dc0fb1 upstream.
+
+When the LPM policy is set to ATA_LPM_MAX_POWER, the device might
+generate a spurious PHY event that cuases errors on the link.
+Ignore this event if it occured within 10s after the policy change.
+
+The timeout was chosen observing that on a Dell XPS13 9333 these
+spurious events can occur up to roughly 6s after the policy change.
+
+Link: http://lkml.kernel.org/g/3352987.ugV1Ipy7Z5@xps13
+Signed-off-by: Gabriele Mazzotta <gabriele.mzt@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-core.c | 15 ++++++++++++++-
+ drivers/ata/libata-eh.c | 3 +++
+ include/linux/libata.h | 9 +++++++++
+ 3 files changed, 26 insertions(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -6839,8 +6839,21 @@ u32 ata_wait_register(struct ata_port *a
+ */
+ bool sata_lpm_ignore_phy_events(struct ata_link *link)
+ {
++ unsigned long lpm_timeout = link->last_lpm_change +
++ msecs_to_jiffies(ATA_TMOUT_SPURIOUS_PHY);
++
+ /* if LPM is enabled, PHYRDY doesn't mean anything */
+- return !!(link->lpm_policy > ATA_LPM_MAX_POWER);
++ if (link->lpm_policy > ATA_LPM_MAX_POWER)
++ return true;
++
++ /* ignore the first PHY event after the LPM policy changed
++ * as it is might be spurious
++ */
++ if ((link->flags & ATA_LFLAG_CHANGED) &&
++ time_before(jiffies, lpm_timeout))
++ return true;
++
++ return false;
+ }
+ EXPORT_SYMBOL_GPL(sata_lpm_ignore_phy_events);
+
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -3488,6 +3488,9 @@ static int ata_eh_set_lpm(struct ata_lin
+ }
+ }
+
++ link->last_lpm_change = jiffies;
++ link->flags |= ATA_LFLAG_CHANGED;
++
+ return 0;
+
+ fail:
+--- a/include/linux/libata.h
++++ b/include/linux/libata.h
+@@ -204,6 +204,7 @@ enum {
+ ATA_LFLAG_SW_ACTIVITY = (1 << 7), /* keep activity stats */
+ ATA_LFLAG_NO_LPM = (1 << 8), /* disable LPM on this link */
+ ATA_LFLAG_RST_ONCE = (1 << 9), /* limit recovery to one reset */
++ ATA_LFLAG_CHANGED = (1 << 10), /* LPM state changed on this link */
+
+ /* struct ata_port flags */
+ ATA_FLAG_SLAVE_POSS = (1 << 0), /* host supports slave dev */
+@@ -307,6 +308,12 @@ enum {
+ */
+ ATA_TMOUT_PMP_SRST_WAIT = 5000,
+
++ /* When the LPM policy is set to ATA_LPM_MAX_POWER, there might
++ * be a spurious PHY event, so ignore the first PHY event that
++ * occurs within 10s after the policy change.
++ */
++ ATA_TMOUT_SPURIOUS_PHY = 10000,
++
+ /* ATA bus states */
+ BUS_UNKNOWN = 0,
+ BUS_DMA = 1,
+@@ -785,6 +792,8 @@ struct ata_link {
+ struct ata_eh_context eh_context;
+
+ struct ata_device device[ATA_MAX_DEVICES];
++
++ unsigned long last_lpm_change; /* when last LPM change happened */
+ };
+ #define ATA_LINK_CLEAR_BEGIN offsetof(struct ata_link, active_tag)
+ #define ATA_LINK_CLEAR_END offsetof(struct ata_link, device[0])
--- /dev/null
+From 60c8f783a18feb95ad967c87e9660caf09fb4700 Mon Sep 17 00:00:00 2001
+From: Ludovic Desroches <ludovic.desroches@atmel.com>
+Date: Wed, 6 May 2015 15:16:46 +0200
+Subject: mmc: atmel-mci: fix bad variable type for clkdiv
+
+From: Ludovic Desroches <ludovic.desroches@atmel.com>
+
+commit 60c8f783a18feb95ad967c87e9660caf09fb4700 upstream.
+
+clkdiv is declared as an u32 but it can be set to a negative value
+causing a huge divisor value. Change its type to int to avoid this case.
+
+Signed-off-by: Ludovic Desroches <ludovic.desroches@atmel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/atmel-mci.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/atmel-mci.c
++++ b/drivers/mmc/host/atmel-mci.c
+@@ -1300,7 +1300,7 @@ static void atmci_set_ios(struct mmc_hos
+
+ if (ios->clock) {
+ unsigned int clock_min = ~0U;
+- u32 clkdiv;
++ int clkdiv;
+
+ clk_prepare(host->mck);
+ unprepare_clk = true;
+@@ -1329,7 +1329,12 @@ static void atmci_set_ios(struct mmc_hos
+ /* Calculate clock divider */
+ if (host->caps.has_odd_clk_div) {
+ clkdiv = DIV_ROUND_UP(host->bus_hz, clock_min) - 2;
+- if (clkdiv > 511) {
++ if (clkdiv < 0) {
++ dev_warn(&mmc->class_dev,
++ "clock %u too fast; using %lu\n",
++ clock_min, host->bus_hz / 2);
++ clkdiv = 0;
++ } else if (clkdiv > 511) {
+ dev_warn(&mmc->class_dev,
+ "clock %u too slow; using %lu\n",
+ clock_min, host->bus_hz / (511 + 2));
--- /dev/null
+From 5e95235ccd5442d4a4fe11ec4eb99ba1b7959368 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Thu, 14 May 2015 14:45:40 +1000
+Subject: powerpc: Align TOC to 256 bytes
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 5e95235ccd5442d4a4fe11ec4eb99ba1b7959368 upstream.
+
+Recent toolchains force the TOC to be 256 byte aligned. We need
+to enforce this alignment in our linker script, otherwise pointers
+to our TOC variables (__toc_start, __prom_init_toc_start) could
+be incorrect.
+
+If they are bad, we die a few hundred instructions into boot.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/vmlinux.lds.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/kernel/vmlinux.lds.S
++++ b/arch/powerpc/kernel/vmlinux.lds.S
+@@ -213,6 +213,7 @@ SECTIONS
+ *(.opd)
+ }
+
++ . = ALIGN(256);
+ .got : AT(ADDR(.got) - LOAD_OFFSET) {
+ __toc_start = .;
+ #ifndef CONFIG_RELOCATABLE
--- /dev/null
+From ea345c145ff23197eab34d0c4d0c8a93d7bea8c6 Mon Sep 17 00:00:00 2001
+From: Scott Branden <sbranden@broadcom.com>
+Date: Mon, 16 Mar 2015 10:59:52 -0700
+Subject: rt2x00: add new rt2800usb device DWA 130
+
+From: Scott Branden <sbranden@broadcom.com>
+
+commit ea345c145ff23197eab34d0c4d0c8a93d7bea8c6 upstream.
+
+Add the USB Id to link the D-Link DWA 130 USB Wifi adapter
+to the rt2830 driver.
+
+Signed-off-by: Scott Branden <sbranden@broadcom.com>
+Signed-off-by: Pieter Truter <ptruter@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Cc: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rt2x00/rt2800usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rt2x00/rt2800usb.c
++++ b/drivers/net/wireless/rt2x00/rt2800usb.c
+@@ -991,6 +991,7 @@ static struct usb_device_id rt2800usb_de
+ { USB_DEVICE(0x07d1, 0x3c17) },
+ { USB_DEVICE(0x2001, 0x3317) },
+ { USB_DEVICE(0x2001, 0x3c1b) },
++ { USB_DEVICE(0x2001, 0x3c25) },
+ /* Draytek */
+ { USB_DEVICE(0x07fa, 0x7712) },
+ /* DVICO */
asoc-wm8960-fix-rinput3-audio-route-error.patch
asoc-wm8994-correct-bclk-div-348-to-384.patch
staging-gdm724x-correction-of-variable-usage-after-applying-align.patch
+target-pscsi-don-t-leak-scsi_host-if-hba-is-virtual_host.patch
+xhci-fix-isoc-endpoint-dequeue-from-advancing-too-far-on-transaction-error.patch
+xhci-solve-full-event-ring-by-increasing-trbs_per_segment-to-256.patch
+xhci-gracefully-handle-xhci_irq-dead-device.patch
+usb-visor-match-i330-phone-more-precisely.patch
+usb-pl2303-remove-support-for-samsung-i330.patch
+usb-cp210x-add-id-for-kcf-technologies-prn-device.patch
+usb-storage-add-no_wp_detect-quirk-for-lacie-059f-0651-devices.patch
+usb-gadget-configfs-fix-interfaces-array-null-termination.patch
+powerpc-align-toc-to-256-bytes.patch
+mmc-atmel-mci-fix-bad-variable-type-for-clkdiv.patch
+tty-n_gsm.c-fix-a-memory-leak-when-gsmtty-is-removed.patch
+ext4-fix-null-pointer-dereference-when-journal-restart-fails.patch
+ext4-check-for-zero-length-extent-explicitly.patch
+jbd2-fix-r_count-overflows-leading-to-buffer-overflow-in-journal-recovery.patch
+libata-add-helper-to-determine-when-phy-events-should-be-ignored.patch
+libata-ignore-spurious-phy-event-on-lpm-policy-change.patch
+rt2x00-add-new-rt2800usb-device-dwa-130.patch
--- /dev/null
+From 5a7125c64def3b21f8147eca8b54949a60963942 Mon Sep 17 00:00:00 2001
+From: Andy Grover <agrover@redhat.com>
+Date: Fri, 22 May 2015 14:07:44 -0700
+Subject: target/pscsi: Don't leak scsi_host if hba is VIRTUAL_HOST
+
+From: Andy Grover <agrover@redhat.com>
+
+commit 5a7125c64def3b21f8147eca8b54949a60963942 upstream.
+
+See https://bugzilla.redhat.com/show_bug.cgi?id=1025672
+
+We need to put() the reference to the scsi host that we got in
+pscsi_configure_device(). In VIRTUAL_HOST mode it is associated with
+the dev_virt, not the hba_virt.
+
+Signed-off-by: Andy Grover <agrover@redhat.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_pscsi.c | 3 +++
+ drivers/target/target_core_pscsi.h | 1 +
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/target/target_core_pscsi.c
++++ b/drivers/target/target_core_pscsi.c
+@@ -520,6 +520,7 @@ static int pscsi_configure_device(struct
+ " pdv_host_id: %d\n", pdv->pdv_host_id);
+ return -EINVAL;
+ }
++ pdv->pdv_lld_host = sh;
+ }
+ } else {
+ if (phv->phv_mode == PHV_VIRTUAL_HOST_ID) {
+@@ -602,6 +603,8 @@ static void pscsi_free_device(struct se_
+ if ((phv->phv_mode == PHV_LLD_SCSI_HOST_NO) &&
+ (phv->phv_lld_host != NULL))
+ scsi_host_put(phv->phv_lld_host);
++ else if (pdv->pdv_lld_host)
++ scsi_host_put(pdv->pdv_lld_host);
+
+ if ((sd->type == TYPE_DISK) || (sd->type == TYPE_ROM))
+ scsi_device_put(sd);
+--- a/drivers/target/target_core_pscsi.h
++++ b/drivers/target/target_core_pscsi.h
+@@ -45,6 +45,7 @@ struct pscsi_dev_virt {
+ int pdv_lun_id;
+ struct block_device *pdv_bd;
+ struct scsi_device *pdv_sd;
++ struct Scsi_Host *pdv_lld_host;
+ } ____cacheline_aligned;
+
+ typedef enum phv_modes {
--- /dev/null
+From 8f9cfeed3eae86c70d3b04445a6f2036b27b6304 Mon Sep 17 00:00:00 2001
+From: Pan Xinhui <xinhuix.pan@intel.com>
+Date: Sat, 28 Mar 2015 10:42:56 +0800
+Subject: tty/n_gsm.c: fix a memory leak when gsmtty is removed
+
+From: Pan Xinhui <xinhuix.pan@intel.com>
+
+commit 8f9cfeed3eae86c70d3b04445a6f2036b27b6304 upstream.
+
+when gsmtty_remove put dlci, it will cause memory leak if dlci->port's refcount is zero.
+So we do the cleanup work in .cleanup callback instead.
+
+dlci will be last put in two call chains.
+1) gsmld_close -> gsm_cleanup_mux -> gsm_dlci_release -> dlci_put
+2) gsmld_remove -> dlci_put
+so there is a race. the memory leak depends on the race.
+
+In call chain 2. we hit the memory leak. below comment tells.
+
+release_tty -> tty_driver_remove_tty -> gsmtty_remove -> dlci_put -> tty_port_destructor (WARN_ON(port->itty) and return directly)
+ |
+ tty->port->itty = NULL;
+ |
+ tty_kref_put ---> release_one_tty -> gsmtty_cleanup (added by our patch)
+
+So our patch fix the memory leak by doing the cleanup work after tty core did.
+
+Signed-off-by: Pan Xinhui <xinhuix.pan@intel.com>
+Fixes: dfabf7ffa30585
+Acked-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/n_gsm.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -3166,7 +3166,7 @@ static int gsmtty_break_ctl(struct tty_s
+ return gsmtty_modem_update(dlci, encode);
+ }
+
+-static void gsmtty_remove(struct tty_driver *driver, struct tty_struct *tty)
++static void gsmtty_cleanup(struct tty_struct *tty)
+ {
+ struct gsm_dlci *dlci = tty->driver_data;
+ struct gsm_mux *gsm = dlci->gsm;
+@@ -3174,7 +3174,6 @@ static void gsmtty_remove(struct tty_dri
+ dlci_put(dlci);
+ dlci_put(gsm->dlci[0]);
+ mux_put(gsm);
+- driver->ttys[tty->index] = NULL;
+ }
+
+ /* Virtual ttys for the demux */
+@@ -3195,7 +3194,7 @@ static const struct tty_operations gsmtt
+ .tiocmget = gsmtty_tiocmget,
+ .tiocmset = gsmtty_tiocmset,
+ .break_ctl = gsmtty_break_ctl,
+- .remove = gsmtty_remove,
++ .cleanup = gsmtty_cleanup,
+ };
+
+
--- /dev/null
+From c735ed74d83f8ecb45c4c4c95a16853c9c3c8157 Mon Sep 17 00:00:00 2001
+From: Mark Edwards <sonofaforester@gmail.com>
+Date: Tue, 14 Apr 2015 08:52:34 -0400
+Subject: USB: cp210x: add ID for KCF Technologies PRN device
+
+From: Mark Edwards <sonofaforester@gmail.com>
+
+commit c735ed74d83f8ecb45c4c4c95a16853c9c3c8157 upstream.
+
+Added the USB serial console device ID for KCF Technologies PRN device
+which has a USB port for its serial console.
+
+Signed-off-by: Mark Edwards <sonofaforester@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -127,6 +127,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */
+ { USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */
+ { USB_DEVICE(0x10C4, 0x8977) }, /* CEL MeshWorks DevKit Device */
++ { USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */
+ { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */
+ { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */
+ { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */
--- /dev/null
+From 903124fe1aa284f61745a9dd4fbfa0184e569fff Mon Sep 17 00:00:00 2001
+From: Krzysztof Opasiak <k.opasiak@samsung.com>
+Date: Fri, 20 Mar 2015 15:48:56 +0100
+Subject: usb: gadget: configfs: Fix interfaces array NULL-termination
+
+From: Krzysztof Opasiak <k.opasiak@samsung.com>
+
+commit 903124fe1aa284f61745a9dd4fbfa0184e569fff upstream.
+
+memset() to 0 interfaces array before reusing
+usb_configuration structure.
+
+This commit fix bug:
+
+ln -s functions/acm.1 configs/c.1
+ln -s functions/acm.2 configs/c.1
+ln -s functions/acm.3 configs/c.1
+echo "UDC name" > UDC
+echo "" > UDC
+rm configs/c.1/acm.*
+rmdir functions/*
+mkdir functions/ecm.usb0
+ln -s functions/ecm.usb0 configs/c.1
+echo "UDC name" > UDC
+
+[ 82.220969] Unable to handle kernel NULL pointer dereference at virtual address 00000000
+[ 82.229009] pgd = c0004000
+[ 82.231698] [00000000] *pgd=00000000
+[ 82.235260] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
+[ 82.240638] Modules linked in:
+[ 82.243681] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.0.0-rc2 #39
+[ 82.249926] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
+[ 82.256003] task: c07cd2f0 ti: c07c8000 task.ti: c07c8000
+[ 82.261393] PC is at composite_setup+0xe3c/0x1674
+[ 82.266073] LR is at composite_setup+0xf20/0x1674
+[ 82.270760] pc : [<c03510d4>] lr : [<c03511b8>] psr: 600001d3
+[ 82.270760] sp : c07c9df0 ip : c0806448 fp : ed8c9c9c
+[ 82.282216] r10: 00000001 r9 : 00000000 r8 : edaae918
+[ 82.287425] r7 : ed551cc0 r6 : 00007fff r5 : 00000000 r4 : ed799634
+[ 82.293934] r3 : 00000003 r2 : 00010002 r1 : edaae918 r0 : 0000002e
+[ 82.300446] Flags: nZCv IRQs off FIQs off Mode SVC_32 ISA ARM Segment kernel
+[ 82.307910] Control: 10c5387d Table: 6bc1804a DAC: 00000015
+[ 82.313638] Process swapper/0 (pid: 0, stack limit = 0xc07c8210)
+[ 82.319627] Stack: (0xc07c9df0 to 0xc07ca000)
+[ 82.323969] 9de0: 00000000 c06e65f4 00000000 c07c9f68
+[ 82.332130] 9e00: 00000067 c07c59ac 000003f7 edaae918 ed8c9c98 ed799690 eca2f140 200001d3
+[ 82.340289] 9e20: ee79a2d8 c07c9e88 c07c5304 ffff55db 00010002 edaae810 edaae860 eda96d50
+[ 82.348448] 9e40: 00000009 ee264510 00000007 c07ca444 edaae860 c0340890 c0827a40 ffff55e0
+[ 82.356607] 9e60: c0827a40 eda96e40 ee264510 edaae810 00000000 edaae860 00000007 c07ca444
+[ 82.364766] 9e80: edaae860 c0354170 c03407dc c033db4c edaae810 00000000 00000000 00000010
+[ 82.372925] 9ea0: 00000032 c0341670 00000000 00000000 00000001 eda96e00 00000000 00000000
+[ 82.381084] 9ec0: 00000000 00000032 c0803a23 ee1aa840 00000001 c005d54c 249e2450 00000000
+[ 82.389244] 9ee0: 200001d3 ee1aa840 ee1aa8a0 ed84f4c0 00000000 c07c9f68 00000067 c07c59ac
+[ 82.397403] 9f00: 00000000 c005d688 ee1aa840 ee1aa8a0 c07db4b4 c006009c 00000032 00000000
+[ 82.405562] 9f20: 00000001 c005ce20 c07c59ac c005cf34 f002000c c07ca780 c07c9f68 00000057
+[ 82.413722] 9f40: f0020000 413fc090 00000001 c00086b4 c000f804 60000053 ffffffff c07c9f9c
+[ 82.421880] 9f60: c0803a20 c0011fc0 00000000 00000000 c07c9fb8 c001bee0 c07ca4f0 c057004c
+[ 82.430040] 9f80: c07ca4fc c0803a20 c0803a20 413fc090 00000001 00000000 01000000 c07c9fb0
+[ 82.438199] 9fa0: c000f800 c000f804 60000053 ffffffff 00000000 c0050e70 c0803bc0 c0783bd8
+[ 82.446358] 9fc0: ffffffff ffffffff c0783664 00000000 00000000 c07b13e8 00000000 c0803e54
+[ 82.454517] 9fe0: c07ca480 c07b13e4 c07ce40c 4000406a 00000000 40008074 00000000 00000000
+[ 82.462689] [<c03510d4>] (composite_setup) from [<c0340890>] (s3c_hsotg_complete_setup+0xb4/0x418)
+[ 82.471626] [<c0340890>] (s3c_hsotg_complete_setup) from [<c0354170>] (usb_gadget_giveback_request+0xc/0x10)
+[ 82.481429] [<c0354170>] (usb_gadget_giveback_request) from [<c033db4c>] (s3c_hsotg_complete_request+0xcc/0x12c)
+[ 82.491583] [<c033db4c>] (s3c_hsotg_complete_request) from [<c0341670>] (s3c_hsotg_irq+0x4fc/0x558)
+[ 82.500614] [<c0341670>] (s3c_hsotg_irq) from [<c005d54c>] (handle_irq_event_percpu+0x50/0x150)
+[ 82.509291] [<c005d54c>] (handle_irq_event_percpu) from [<c005d688>] (handle_irq_event+0x3c/0x5c)
+[ 82.518145] [<c005d688>] (handle_irq_event) from [<c006009c>] (handle_fasteoi_irq+0xd4/0x18c)
+[ 82.526650] [<c006009c>] (handle_fasteoi_irq) from [<c005ce20>] (generic_handle_irq+0x20/0x30)
+[ 82.535242] [<c005ce20>] (generic_handle_irq) from [<c005cf34>] (__handle_domain_irq+0x6c/0xdc)
+[ 82.543923] [<c005cf34>] (__handle_domain_irq) from [<c00086b4>] (gic_handle_irq+0x2c/0x6c)
+[ 82.552256] [<c00086b4>] (gic_handle_irq) from [<c0011fc0>] (__irq_svc+0x40/0x74)
+[ 82.559716] Exception stack(0xc07c9f68 to 0xc07c9fb0)
+[ 82.564753] 9f60: 00000000 00000000 c07c9fb8 c001bee0 c07ca4f0 c057004c
+[ 82.572913] 9f80: c07ca4fc c0803a20 c0803a20 413fc090 00000001 00000000 01000000 c07c9fb0
+[ 82.581069] 9fa0: c000f800 c000f804 60000053 ffffffff
+[ 82.586113] [<c0011fc0>] (__irq_svc) from [<c000f804>] (arch_cpu_idle+0x30/0x3c)
+[ 82.593491] [<c000f804>] (arch_cpu_idle) from [<c0050e70>] (cpu_startup_entry+0x128/0x1a4)
+[ 82.601740] [<c0050e70>] (cpu_startup_entry) from [<c0783bd8>] (start_kernel+0x350/0x3bc)
+[ 82.609890] Code: 0a000002 e3530005 05975010 15975008 (e5953000)
+[ 82.615965] ---[ end trace f57d5f599a5f1bfa ]---
+
+Most of kernel code assume that interface array in
+struct usb_configuration is NULL terminated.
+
+When gadget is composed with configfs configuration
+structure may be reused for different functions set.
+
+This bug happens because purge_configs_funcs() sets
+only next_interface_id to 0. Interface array still
+contains pointers to already freed interfaces. If in
+second try we add less interfaces than earlier we
+may access unallocated memory when trying to get
+interface descriptors.
+
+Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/configfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -765,6 +765,7 @@ static void purge_configs_funcs(struct g
+ }
+ }
+ c->next_interface_id = 0;
++ memset(c->interface, 0, sizeof(c->interface));
+ c->superspeed = 0;
+ c->highspeed = 0;
+ c->fullspeed = 0;
--- /dev/null
+From 48ef23a4f686b1e4519d4193c20d26834ff810ff Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 22 Apr 2015 14:35:08 +0200
+Subject: USB: pl2303: Remove support for Samsung I330
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 48ef23a4f686b1e4519d4193c20d26834ff810ff upstream.
+
+This phone is already supported by the visor driver.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/pl2303.c | 1 -
+ drivers/usb/serial/pl2303.h | 4 ----
+ 2 files changed, 5 deletions(-)
+
+--- a/drivers/usb/serial/pl2303.c
++++ b/drivers/usb/serial/pl2303.c
+@@ -61,7 +61,6 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(DCU10_VENDOR_ID, DCU10_PRODUCT_ID) },
+ { USB_DEVICE(SITECOM_VENDOR_ID, SITECOM_PRODUCT_ID) },
+ { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_ID) },
+- { USB_DEVICE(SAMSUNG_VENDOR_ID, SAMSUNG_PRODUCT_ID) },
+ { USB_DEVICE(SIEMENS_VENDOR_ID, SIEMENS_PRODUCT_ID_SX1),
+ .driver_info = PL2303_QUIRK_UART_STATE_IDX0 },
+ { USB_DEVICE(SIEMENS_VENDOR_ID, SIEMENS_PRODUCT_ID_X65),
+--- a/drivers/usb/serial/pl2303.h
++++ b/drivers/usb/serial/pl2303.h
+@@ -62,10 +62,6 @@
+ #define ALCATEL_VENDOR_ID 0x11f7
+ #define ALCATEL_PRODUCT_ID 0x02df
+
+-/* Samsung I330 phone cradle */
+-#define SAMSUNG_VENDOR_ID 0x04e8
+-#define SAMSUNG_PRODUCT_ID 0x8001
+-
+ #define SIEMENS_VENDOR_ID 0x11f5
+ #define SIEMENS_PRODUCT_ID_SX1 0x0001
+ #define SIEMENS_PRODUCT_ID_X65 0x0003
--- /dev/null
+From 172115090f5e739660b97694618a2ba86457063a Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Thu, 30 Apr 2015 11:09:44 +0200
+Subject: usb-storage: Add NO_WP_DETECT quirk for Lacie 059f:0651 devices
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 172115090f5e739660b97694618a2ba86457063a upstream.
+
+Without this flag some versions of these enclosures do not work.
+
+Reported-and-tested-by: Christian Schaller <cschalle@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/unusual_devs.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -760,6 +760,13 @@ UNUSUAL_DEV( 0x059f, 0x0643, 0x0000, 0x
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_GO_SLOW ),
+
++/* Reported by Christian Schaller <cschalle@redhat.com> */
++UNUSUAL_DEV( 0x059f, 0x0651, 0x0000, 0x0000,
++ "LaCie",
++ "External HDD",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_NO_WP_DETECT ),
++
+ /* Submitted by Joel Bourquard <numlock@freesurf.ch>
+ * Some versions of this device need the SubClass and Protocol overrides
+ * while others don't.
--- /dev/null
+From 82ee3aeb9295c5fc37fd2ddf20f13ac2b40ec97d Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 22 Apr 2015 14:35:09 +0200
+Subject: USB: visor: Match I330 phone more precisely
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+commit 82ee3aeb9295c5fc37fd2ddf20f13ac2b40ec97d upstream.
+
+Samsung has just released a portable USB3 SSD, coming in a very small
+and nice form factor. It's USB ID is 04e8:8001, which unfortunately is
+already used by the Palm Visor driver for the Samsung I330 phone cradle.
+Having pl2303 or visor pick up this device ID results in conflicts with
+the usb-storage driver, which handles the newly released portable USB3
+SSD.
+
+To work around this conflict, I've dug up a mailing list post [1] from a
+long time ago, in which a user posts the full USB descriptor
+information. The most specific value in this appears to be the interface
+class, which has value 255 (0xff). Since usb-storage requires an
+interface class of 0x8, I believe it's correct to disambiguate the two
+devices by matching on 0xff inside visor.
+
+[1] http://permalink.gmane.org/gmane.linux.usb.user/4264
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/visor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/visor.c
++++ b/drivers/usb/serial/visor.c
+@@ -95,7 +95,7 @@ static const struct usb_device_id id_tab
+ .driver_info = (kernel_ulong_t)&palm_os_4_probe },
+ { USB_DEVICE(ACER_VENDOR_ID, ACER_S10_ID),
+ .driver_info = (kernel_ulong_t)&palm_os_4_probe },
+- { USB_DEVICE(SAMSUNG_VENDOR_ID, SAMSUNG_SCH_I330_ID),
++ { USB_DEVICE_INTERFACE_CLASS(SAMSUNG_VENDOR_ID, SAMSUNG_SCH_I330_ID, 0xff),
+ .driver_info = (kernel_ulong_t)&palm_os_4_probe },
+ { USB_DEVICE(SAMSUNG_VENDOR_ID, SAMSUNG_SPH_I500_ID),
+ .driver_info = (kernel_ulong_t)&palm_os_4_probe },
--- /dev/null
+From d104d0152a97fade389f47635b73a9ccc7295d0b Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Thu, 30 Apr 2015 17:16:02 +0300
+Subject: xhci: fix isoc endpoint dequeue from advancing too far on transaction error
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit d104d0152a97fade389f47635b73a9ccc7295d0b upstream.
+
+Isoc TDs usually consist of one TRB, sometimes two. When all goes well we
+receive only one success event for a TD, and move the dequeue pointer to
+the next TD.
+
+This fails if the TD consists of two TRBs and we get a transfer error
+on the first TRB, we will then see two events for that TD.
+
+Fix this by making sure the event we get is for the last TRB in that TD
+before moving the dequeue pointer to the next TD. This will resolve some
+of the uvc and dvb issues with the
+"ERROR Transfer event TRB DMA ptr not part of current TD" error message
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-ring.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -2213,8 +2213,13 @@ static int process_isoc_td(struct xhci_h
+ break;
+ case COMP_DEV_ERR:
+ case COMP_STALL:
++ frame->status = -EPROTO;
++ skip_td = true;
++ break;
+ case COMP_TX_ERR:
+ frame->status = -EPROTO;
++ if (event_trb != td->last_trb)
++ return 0;
+ skip_td = true;
+ break;
+ case COMP_STOP:
--- /dev/null
+From 948fa13504f80b9765d2b753691ab94c83a10341 Mon Sep 17 00:00:00 2001
+From: Joe Lawrence <joe.lawrence@stratus.com>
+Date: Thu, 30 Apr 2015 17:16:04 +0300
+Subject: xhci: gracefully handle xhci_irq dead device
+
+From: Joe Lawrence <joe.lawrence@stratus.com>
+
+commit 948fa13504f80b9765d2b753691ab94c83a10341 upstream.
+
+If the xHCI host controller has died (ie, device removed) or suffered
+other serious fatal error (STS_FATAL), then xhci_irq should handle this
+condition with IRQ_HANDLED instead of -ESHUTDOWN.
+
+Signed-off-by: Joe Lawrence <joe.lawrence@stratus.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-ring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -2827,7 +2827,7 @@ irqreturn_t xhci_irq(struct usb_hcd *hcd
+ xhci_halt(xhci);
+ hw_died:
+ spin_unlock(&xhci->lock);
+- return -ESHUTDOWN;
++ return IRQ_HANDLED;
+ }
+
+ /*
--- /dev/null
+From 18cc2f4cbbaf825a4fedcf2d60fd388d291e0a38 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Thu, 30 Apr 2015 17:16:03 +0300
+Subject: xhci: Solve full event ring by increasing TRBS_PER_SEGMENT to 256
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 18cc2f4cbbaf825a4fedcf2d60fd388d291e0a38 upstream.
+
+Our event ring consists of only one segment, and we risk filling
+the event ring in case we get isoc transfers with short intervals
+such as webcams that fill a TD every microframe (125us)
+
+With 64 TRB segment size one usb camera could fill the event ring in 8ms.
+A setup with several cameras and other devices can fill up the
+event ring as it is shared between all devices.
+This has occurred when uvcvideo queues 5 * 32TD URBs which then
+get cancelled when the video mode changes. The cancelled URBs are returned
+in the xhci interrupt context and blocks the interrupt handler from
+handling the new events.
+
+A full event ring will block xhci from scheduling traffic and affect all
+devices conneted to the xhci, will see errors such as Missed Service
+Intervals for isoc devices, and and Split transaction errors for LS/FS
+interrupt devices.
+
+Increasing the TRB_PER_SEGMENT will also increase the default endpoint ring
+size, which is welcome as for most isoc transfer we had to dynamically
+expand the endpoint ring anyway to be able to queue the 5 * 32TDs uvcvideo
+queues.
+
+The default size used to be 64 TRBs per segment
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1268,7 +1268,7 @@ union xhci_trb {
+ * since the command ring is 64-byte aligned.
+ * It must also be greater than 16.
+ */
+-#define TRBS_PER_SEGMENT 64
++#define TRBS_PER_SEGMENT 256
+ /* Allow two commands + a link TRB, along with any reserved command TRBs */
+ #define MAX_RSVD_CMD_TRBS (TRBS_PER_SEGMENT - 3)
+ #define TRB_SEGMENT_SIZE (TRBS_PER_SEGMENT*16)
projects / thirdparty / kernel / stable-queue.git / commitdiff
