--- /dev/null
+From 5008efc83bf85b647aa1cbc44718b1675bbb7444 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Tue, 22 Dec 2015 08:24:59 +0100
+Subject: ARM: 8452/3: PJ4: make coprocessor access sequences buildable in Thumb2 mode
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+commit 5008efc83bf85b647aa1cbc44718b1675bbb7444 upstream.
+
+The PJ4 inline asm sequence to write to cp15 cannot be built in Thumb-2
+mode, due to the way it performs arithmetic on the program counter, so it
+is built in ARM mode instead. However, building C files in ARM mode under
+CONFIG_THUMB2_KERNEL is problematic, since the instrumentation performed
+by subsystems like ftrace does not expect having to deal with interworking
+branches.
+
+Since the sequence in question is simply a poor man's ISB instruction,
+let's use a straight 'isb' instead when building in Thumb2 mode. Thumb2
+implies V7, so 'isb' should always be supported in that case.
+
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Nicolas Pitre <nico@linaro.org>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kernel/Makefile | 1 -
+ arch/arm/kernel/pj4-cp0.c | 4 ++++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/Makefile
++++ b/arch/arm/kernel/Makefile
+@@ -84,7 +84,6 @@ obj-$(CONFIG_CPU_PJ4B) += pj4-cp0.o
+ obj-$(CONFIG_IWMMXT) += iwmmxt.o
+ obj-$(CONFIG_PERF_EVENTS) += perf_regs.o
+ obj-$(CONFIG_HW_PERF_EVENTS) += perf_event.o perf_event_cpu.o
+-CFLAGS_pj4-cp0.o := -marm
+ AFLAGS_iwmmxt.o := -Wa,-mcpu=iwmmxt
+ obj-$(CONFIG_ARM_CPU_TOPOLOGY) += topology.o
+
+--- a/arch/arm/kernel/pj4-cp0.c
++++ b/arch/arm/kernel/pj4-cp0.c
+@@ -66,9 +66,13 @@ static void __init pj4_cp_access_write(u
+
+ __asm__ __volatile__ (
+ "mcr p15, 0, %1, c1, c0, 2\n\t"
++#ifdef CONFIG_THUMB2_KERNEL
++ "isb\n\t"
++#else
+ "mrc p15, 0, %0, c1, c0, 2\n\t"
+ "mov %0, %0\n\t"
+ "sub pc, pc, #4\n\t"
++#endif
+ : "=r" (temp) : "r" (value));
+ }
+
--- /dev/null
+From 448c077eeb02240c430db2a2c3bf5285a4c65d66 Mon Sep 17 00:00:00 2001
+From: Matthijs van Duin <matthijsvanduin@gmail.com>
+Date: Thu, 16 Feb 2017 01:05:04 +0100
+Subject: ARM: OMAP5 / DRA7: Fix HYP mode boot for thumb2 build
+
+From: Matthijs van Duin <matthijsvanduin@gmail.com>
+
+commit 448c077eeb02240c430db2a2c3bf5285a4c65d66 upstream.
+
+'adr' yields a data-pointer, not a function-pointer.
+
+Fixes: 999f934de195 ("ARM: omap5/dra7xx: Enable booting secondary
+CPU in HYP mode")
+Signed-off-by: Matthijs van Duin <matthijsvanduin@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-omap2/omap-headsmp.S | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/mach-omap2/omap-headsmp.S
++++ b/arch/arm/mach-omap2/omap-headsmp.S
+@@ -17,6 +17,7 @@
+
+ #include <linux/linkage.h>
+ #include <linux/init.h>
++#include <asm/assembler.h>
+
+ #include "omap44xx.h"
+
+@@ -56,7 +57,7 @@ wait_2: ldr r2, =AUX_CORE_BOOT0_PA @ rea
+ cmp r0, r4
+ bne wait_2
+ ldr r12, =API_HYP_ENTRY
+- adr r0, hyp_boot
++ badr r0, hyp_boot
+ smc #0
+ hyp_boot:
+ b secondary_startup
--- /dev/null
+From 4cca0457686e4ee1677d69469e4ddfd94d389a80 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 11 Apr 2017 00:29:44 +0100
+Subject: cpupower: Fix turbo frequency reporting for pre-Sandy Bridge cores
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit 4cca0457686e4ee1677d69469e4ddfd94d389a80 upstream.
+
+The switch that conditionally sets CPUPOWER_CAP_HAS_TURBO_RATIO and
+CPUPOWER_CAP_IS_SNB flags is missing a break, so all cores get both
+flags set and an assumed base clock of 100 MHz for turbo values.
+
+Reported-by: GSR <gsr.bugs@infernal-iceberg.com>
+Tested-by: GSR <gsr.bugs@infernal-iceberg.com>
+References: https://bugs.debian.org/859978
+Fixes: 8fb2e440b223 (cpupower: Show Intel turbo ratio support via ...)
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/power/cpupower/utils/helpers/cpuid.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/power/cpupower/utils/helpers/cpuid.c
++++ b/tools/power/cpupower/utils/helpers/cpuid.c
+@@ -156,6 +156,7 @@ out:
+ */
+ case 0x2C: /* Westmere EP - Gulftown */
+ cpu_info->caps |= CPUPOWER_CAP_HAS_TURBO_RATIO;
++ break;
+ case 0x2A: /* SNB */
+ case 0x2D: /* SNB Xeon */
+ case 0x3A: /* IVB */
--- /dev/null
+From 75013fb16f8484898eaa8d0b08fed942d790f029 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Wed, 1 Mar 2017 01:23:24 +0900
+Subject: kprobes/x86: Fix kernel panic when certain exception-handling addresses are probed
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 75013fb16f8484898eaa8d0b08fed942d790f029 upstream.
+
+Fix to the exception table entry check by using probed address
+instead of the address of copied instruction.
+
+This bug may cause unexpected kernel panic if user probe an address
+where an exception can happen which should be fixup by __ex_table
+(e.g. copy_from_user.)
+
+Unless user puts a kprobe on such address, this doesn't
+cause any problem.
+
+This bug has been introduced years ago, by commit:
+
+ 464846888d9a ("x86/kprobes: Fix a bug which can modify kernel code permanently").
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 464846888d9a ("x86/kprobes: Fix a bug which can modify kernel code permanently")
+Link: http://lkml.kernel.org/r/148829899399.28855.12581062400757221722.stgit@devbox
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/kprobes/common.h | 2 +-
+ arch/x86/kernel/kprobes/core.c | 6 +++---
+ arch/x86/kernel/kprobes/opt.c | 2 +-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kernel/kprobes/common.h
++++ b/arch/x86/kernel/kprobes/common.h
+@@ -67,7 +67,7 @@
+ #endif
+
+ /* Ensure if the instruction can be boostable */
+-extern int can_boost(kprobe_opcode_t *instruction);
++extern int can_boost(kprobe_opcode_t *instruction, void *addr);
+ /* Recover instruction if given address is probed */
+ extern unsigned long recover_probed_instruction(kprobe_opcode_t *buf,
+ unsigned long addr);
+--- a/arch/x86/kernel/kprobes/core.c
++++ b/arch/x86/kernel/kprobes/core.c
+@@ -163,12 +163,12 @@ NOKPROBE_SYMBOL(skip_prefixes);
+ * Returns non-zero if opcode is boostable.
+ * RIP relative instructions are adjusted at copying time in 64 bits mode
+ */
+-int can_boost(kprobe_opcode_t *opcodes)
++int can_boost(kprobe_opcode_t *opcodes, void *addr)
+ {
+ kprobe_opcode_t opcode;
+ kprobe_opcode_t *orig_opcodes = opcodes;
+
+- if (search_exception_tables((unsigned long)opcodes))
++ if (search_exception_tables((unsigned long)addr))
+ return 0; /* Page fault may occur on this address. */
+
+ retry:
+@@ -385,7 +385,7 @@ static int arch_copy_kprobe(struct kprob
+ * __copy_instruction can modify the displacement of the instruction,
+ * but it doesn't affect boostable check.
+ */
+- if (can_boost(p->ainsn.insn))
++ if (can_boost(p->ainsn.insn, p->addr))
+ p->ainsn.boostable = 0;
+ else
+ p->ainsn.boostable = -1;
+--- a/arch/x86/kernel/kprobes/opt.c
++++ b/arch/x86/kernel/kprobes/opt.c
+@@ -177,7 +177,7 @@ static int copy_optimized_instructions(u
+
+ while (len < RELATIVEJUMP_SIZE) {
+ ret = __copy_instruction(dest + len, src + len);
+- if (!ret || !can_boost(dest + len))
++ if (!ret || !can_boost(dest + len, src + len))
+ return -EINVAL;
+ len += ret;
+ }
--- /dev/null
+From a5b60de6972decc6b50a39abb376077c3c3621c8 Mon Sep 17 00:00:00 2001
+From: Ganapathi Bhat <gbhat@marvell.com>
+Date: Fri, 3 Feb 2017 18:30:22 +0530
+Subject: mwifiex: Avoid skipping WEP key deletion for AP
+
+From: Ganapathi Bhat <gbhat@marvell.com>
+
+commit a5b60de6972decc6b50a39abb376077c3c3621c8 upstream.
+
+This patch fixes the issue specific to AP. AP is started with WEP
+security and external station is connected to it. Data path works
+in this case. Now if AP is restarted with WPA/WPA2 security,
+station is able to connect but ping fails.
+
+Driver skips the deletion of WEP keys if interface type is AP.
+Removing that redundant check resolves the issue.
+
+Fixes: e57f1734d87a ("mwifiex: add key material v2 support")
+Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
+Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/sta_ioctl.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/sta_ioctl.c
++++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
+@@ -1074,8 +1074,6 @@ int mwifiex_set_encode(struct mwifiex_pr
+ encrypt_key.is_rx_seq_valid = true;
+ }
+ } else {
+- if (GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_UAP)
+- return 0;
+ encrypt_key.key_disable = true;
+ if (mac_addr)
+ memcpy(encrypt_key.mac_addr, mac_addr, ETH_ALEN);
--- /dev/null
+From 6183468a23fc6b6903f8597982017ad2c7fdefcf Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Mon, 9 Jan 2017 15:33:50 -0800
+Subject: mwifiex: debugfs: Fix (sometimes) off-by-1 SSID print
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit 6183468a23fc6b6903f8597982017ad2c7fdefcf upstream.
+
+Similar to commit fcd2042e8d36 ("mwifiex: printk() overflow with 32-byte
+SSIDs"), we failed to account for the existence of 32-char SSIDs in our
+debugfs code. Unlike in that case though, we zeroed out the containing
+struct first, and I'm pretty sure we're guaranteed to have some padding
+after the 'ssid.ssid' and 'ssid.ssid_len' fields (the struct is 33 bytes
+long).
+
+So, this is the difference between:
+
+ # cat /sys/kernel/debug/mwifiex/mlan0/info
+ ...
+ essid="0123456789abcdef0123456789abcdef "
+ ...
+
+and the correct output:
+
+ # cat /sys/kernel/debug/mwifiex/mlan0/info
+ ...
+ essid="0123456789abcdef0123456789abcdef"
+ ...
+
+Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/debugfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mwifiex/debugfs.c
++++ b/drivers/net/wireless/mwifiex/debugfs.c
+@@ -220,7 +220,8 @@ mwifiex_info_read(struct file *file, cha
+ if (GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA) {
+ p += sprintf(p, "multicast_count=\"%d\"\n",
+ netdev_mc_count(netdev));
+- p += sprintf(p, "essid=\"%s\"\n", info.ssid.ssid);
++ p += sprintf(p, "essid=\"%.*s\"\n", info.ssid.ssid_len,
++ info.ssid.ssid);
+ p += sprintf(p, "bssid=\"%pM\"\n", info.bssid);
+ p += sprintf(p, "channel=\"%d\"\n", (int) info.bss_chan);
+ p += sprintf(p, "country_code = \"%s\"\n", info.country_code);
--- /dev/null
+From e05ad7e0741ce0505e1df157c62b22b95172bb97 Mon Sep 17 00:00:00 2001
+From: Liam Breck <liam@networkimprov.net>
+Date: Wed, 18 Jan 2017 09:26:49 -0800
+Subject: power: supply: bq24190_charger: Call set_mode_host() on pm_resume()
+
+From: Liam Breck <liam@networkimprov.net>
+
+commit e05ad7e0741ce0505e1df157c62b22b95172bb97 upstream.
+
+pm_resume() does a register_reset() which clears charger host mode.
+
+Fix by calling set_mode_host() after the reset.
+
+Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
+Signed-off-by: Liam Breck <kernel@networkimprov.net>
+Acked-by: Mark Greer <mgreer@animalcreek.com>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/bq24190_charger.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/power/bq24190_charger.c
++++ b/drivers/power/bq24190_charger.c
+@@ -1496,6 +1496,7 @@ static int bq24190_pm_resume(struct devi
+
+ pm_runtime_get_sync(bdi->dev);
+ bq24190_register_reset(bdi);
++ bq24190_set_mode_host(bdi);
+ pm_runtime_put_sync(bdi->dev);
+
+ /* Things may have changed while suspended so alert upper layer */
--- /dev/null
+From 767eee362fd72bb2ca44cc80419ca4b38c6d8369 Mon Sep 17 00:00:00 2001
+From: Liam Breck <liam@networkimprov.net>
+Date: Wed, 18 Jan 2017 09:26:48 -0800
+Subject: power: supply: bq24190_charger: Fix irq trigger to IRQF_TRIGGER_FALLING
+
+From: Liam Breck <liam@networkimprov.net>
+
+commit 767eee362fd72bb2ca44cc80419ca4b38c6d8369 upstream.
+
+The interrupt signal is TRIGGER_FALLING. This is is specified in the
+data sheet PIN FUNCTIONS: "The INT pin sends active low, 256us
+pulse to host to report charger device status and fault."
+
+Also the direction can be seen in the data sheet Figure 37 "BQ24190
+with D+/D- Detection and USB On-The-Go (OTG)" which shows a 10k
+pull-up resistor installed for the sample configurations.
+
+Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
+Signed-off-by: Liam Breck <kernel@networkimprov.net>
+Acked-by: Mark Greer <mgreer@animalcreek.com>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/bq24190_charger.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/power/bq24190_charger.c
++++ b/drivers/power/bq24190_charger.c
+@@ -1400,7 +1400,7 @@ static int bq24190_probe(struct i2c_clie
+
+ ret = devm_request_threaded_irq(dev, bdi->irq, NULL,
+ bq24190_irq_handler_thread,
+- IRQF_TRIGGER_RISING | IRQF_ONESHOT,
++ IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
+ "bq24190-charger", bdi);
+ if (ret < 0) {
+ dev_err(dev, "Can't set up irq handler\n");
--- /dev/null
+From a7e0fb6c2029a780444d09560f739e020d54fe4d Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Tue, 7 Feb 2017 21:01:01 +1100
+Subject: powerpc/powernv: Fix opal_exit tracepoint opcode
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit a7e0fb6c2029a780444d09560f739e020d54fe4d upstream.
+
+Currently the opal_exit tracepoint usually shows the opcode as 0:
+
+ <idle>-0 [047] d.h. 635.654292: opal_entry: opcode=63
+ <idle>-0 [047] d.h. 635.654296: opal_exit: opcode=0 retval=0
+ kopald-1209 [019] d... 636.420943: opal_entry: opcode=10
+ kopald-1209 [019] d... 636.420959: opal_exit: opcode=0 retval=0
+
+This is because we incorrectly load the opcode into r0 before calling
+__trace_opal_exit(), whereas it expects the opcode in r3 (first function
+parameter). In fact we are leaving the retval in r3, so opcode and
+retval will always show the same value.
+
+Instead load the opcode into r3, resulting in:
+
+ <idle>-0 [040] d.h. 636.618625: opal_entry: opcode=63
+ <idle>-0 [040] d.h. 636.618627: opal_exit: opcode=63 retval=0
+
+Fixes: c49f63530bb6 ("powernv: Add OPAL tracepoints")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/opal-wrappers.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powernv/opal-wrappers.S
++++ b/arch/powerpc/platforms/powernv/opal-wrappers.S
+@@ -148,7 +148,7 @@ opal_tracepoint_entry:
+ opal_tracepoint_return:
+ std r3,STK_REG(R31)(r1)
+ mr r4,r3
+- ld r0,STK_REG(R23)(r1)
++ ld r3,STK_REG(R23)(r1)
+ bl __trace_opal_exit
+ ld r3,STK_REG(R31)(r1)
+ addi r1,r1,STACKFRAMESIZE
--- /dev/null
+From 0b4c208d443ba2af82b4c70f99ca8df31e9a0020 Mon Sep 17 00:00:00 2001
+From: Jim Mattson <jmattson@google.com>
+Date: Tue, 20 Dec 2016 16:34:50 -0800
+Subject: Revert "KVM: nested VMX: disable perf cpuid reporting"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jim Mattson <jmattson@google.com>
+
+commit 0b4c208d443ba2af82b4c70f99ca8df31e9a0020 upstream.
+
+This reverts commit bc6134942dbbf31c25e9bd7c876be5da81c9e1ce.
+
+A CPUID instruction executed in VMX non-root mode always causes a
+VM-exit, regardless of the leaf being queried.
+
+Fixes: bc6134942dbb ("KVM: nested VMX: disable perf cpuid reporting")
+Signed-off-by: Jim Mattson <jmattson@google.com>
+[The issue solved by bc6134942dbb has been resolved with ff651cb613b4
+ ("KVM: nVMX: Add nested msr load/restore algorithm").]
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/cpuid.c | 6 ------
+ arch/x86/kvm/vmx.c | 2 --
+ 2 files changed, 8 deletions(-)
+
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -787,12 +787,6 @@ void kvm_cpuid(struct kvm_vcpu *vcpu, u3
+ if (!best)
+ best = check_cpuid_limit(vcpu, function, index);
+
+- /*
+- * Perfmon not yet supported for L2 guest.
+- */
+- if (is_guest_mode(vcpu) && function == 0xa)
+- best = NULL;
+-
+ if (best) {
+ *eax = best->eax;
+ *ebx = best->ebx;
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7047,8 +7047,6 @@ static bool nested_vmx_exit_handled(stru
+ case EXIT_REASON_TASK_SWITCH:
+ return 1;
+ case EXIT_REASON_CPUID:
+- if (kvm_register_read(vcpu, VCPU_REGS_RAX) == 0xa)
+- return 0;
+ return 1;
+ case EXIT_REASON_HLT:
+ return nested_cpu_has(vmcs12, CPU_BASED_HLT_EXITING);
--- /dev/null
+From 4d7d39a18b8b81511f0b893b7d2203790bf8a58b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 21 Feb 2017 21:46:37 +0300
+Subject: scsi: scsi_dh_emc: return success in clariion_std_inquiry()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 4d7d39a18b8b81511f0b893b7d2203790bf8a58b upstream.
+
+We accidentally return an uninitialized variable on success.
+
+Fixes: b6ff1b14cdf4 ("[SCSI] scsi_dh: Update EMC handler")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/device_handler/scsi_dh_emc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/device_handler/scsi_dh_emc.c
++++ b/drivers/scsi/device_handler/scsi_dh_emc.c
+@@ -464,7 +464,7 @@ static int clariion_prep_fn(struct scsi_
+ static int clariion_std_inquiry(struct scsi_device *sdev,
+ struct clariion_dh_data *csdev)
+ {
+- int err;
++ int err = SCSI_DH_OK;
+ char *sp_model;
+
+ err = send_inquiry_cmd(sdev, 0, csdev);
9p-fix-a-potential-acl-leak.patch
tty-remove-platform_sysrq_reset_seq.patch
mtd-cfi-reduce-stack-size.patch
+arm-8452-3-pj4-make-coprocessor-access-sequences-buildable-in-thumb2-mode.patch
+cpupower-fix-turbo-frequency-reporting-for-pre-sandy-bridge-cores.patch
+powerpc-powernv-fix-opal_exit-tracepoint-opcode.patch
+power-supply-bq24190_charger-fix-irq-trigger-to-irqf_trigger_falling.patch
+power-supply-bq24190_charger-call-set_mode_host-on-pm_resume.patch
+arm-omap5-dra7-fix-hyp-mode-boot-for-thumb2-build.patch
+mwifiex-debugfs-fix-sometimes-off-by-1-ssid-print.patch
+mwifiex-avoid-skipping-wep-key-deletion-for-ap.patch
+x86-pci-calgary-fix-iommu_free-comparison-of-unsigned-expression-0.patch
+kprobes-x86-fix-kernel-panic-when-certain-exception-handling-addresses-are-probed.patch
+x86-platform-intel-mid-correct-msi-irq-line-for-watchdog-device.patch
+revert-kvm-nested-vmx-disable-perf-cpuid-reporting.patch
+usb-host-ehci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch
+usb-host-ohci-exynos-decrese-node-refcount-on-exynos_ehci_get_phy-error-paths.patch
+usb-serial-keyspan_pda-fix-receive-sanity-checks.patch
+usb-serial-digi_acceleport-fix-incomplete-rx-sanity-check.patch
+usb-serial-ssu100-fix-control-message-error-handling.patch
+usb-serial-io_edgeport-fix-epic-descriptor-handling.patch
+usb-serial-ti_usb_3410_5052-fix-control-message-error-handling.patch
+usb-serial-ark3116-fix-open-error-handling.patch
+usb-serial-ftdi_sio-fix-latency-timer-error-handling.patch
+usb-serial-quatech2-fix-control-message-error-handling.patch
+usb-serial-mct_u232-fix-modem-status-error-handling.patch
+usb-serial-io_edgeport-fix-descriptor-error-handling.patch
+usb-serial-sierra-fix-bogus-alternate-setting-assumption.patch
+scsi-scsi_dh_emc-return-success-in-clariion_std_inquiry.patch
--- /dev/null
+From 3f6026b1dcb3c8ee71198c485a72ac674c6890dd Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Sat, 7 Jan 2017 10:41:40 +0200
+Subject: usb: host: ehci-exynos: Decrese node refcount on exynos_ehci_get_phy() error paths
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit 3f6026b1dcb3c8ee71198c485a72ac674c6890dd upstream.
+
+Returning from for_each_available_child_of_node() loop requires cleaning
+up node refcount. Error paths lacked it so for example in case of
+deferred probe, the refcount of phy node was left increased.
+
+Fixes: 6d40500ac9b6 ("usb: ehci/ohci-exynos: Fix of_node_put() for child when getting PHYs")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Reviewed-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/ehci-exynos.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/host/ehci-exynos.c
++++ b/drivers/usb/host/ehci-exynos.c
+@@ -78,10 +78,12 @@ static int exynos_ehci_get_phy(struct de
+ if (IS_ERR(phy)) {
+ ret = PTR_ERR(phy);
+ if (ret == -EPROBE_DEFER) {
++ of_node_put(child);
+ return ret;
+ } else if (ret != -ENOSYS && ret != -ENODEV) {
+ dev_err(dev,
+ "Error retrieving usb2 phy: %d\n", ret);
++ of_node_put(child);
+ return ret;
+ }
+ }
--- /dev/null
+From 68bd6fc3cfa98ef253e17307ccafd8ef907b5556 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Sat, 7 Jan 2017 10:41:41 +0200
+Subject: usb: host: ohci-exynos: Decrese node refcount on exynos_ehci_get_phy() error paths
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit 68bd6fc3cfa98ef253e17307ccafd8ef907b5556 upstream.
+
+Returning from for_each_available_child_of_node() loop requires cleaning
+up node refcount. Error paths lacked it so for example in case of
+deferred probe, the refcount of phy node was left increased.
+
+Fixes: 6d40500ac9b6 ("usb: ehci/ohci-exynos: Fix of_node_put() for child when getting PHYs")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Reviewed-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/ohci-exynos.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/host/ohci-exynos.c
++++ b/drivers/usb/host/ohci-exynos.c
+@@ -67,10 +67,12 @@ static int exynos_ohci_get_phy(struct de
+ if (IS_ERR(phy)) {
+ ret = PTR_ERR(phy);
+ if (ret == -EPROBE_DEFER) {
++ of_node_put(child);
+ return ret;
+ } else if (ret != -ENOSYS && ret != -ENODEV) {
+ dev_err(dev,
+ "Error retrieving usb2 phy: %d\n", ret);
++ of_node_put(child);
+ return ret;
+ }
+ }
--- /dev/null
+From b631433b175f1002a31020e09bbfc2e5caecf290 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:10 +0100
+Subject: USB: serial: ark3116: fix open error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b631433b175f1002a31020e09bbfc2e5caecf290 upstream.
+
+Fix open error handling which failed to detect errors when reading the
+MSR and LSR registers, something which could lead to the shadow
+registers being initialised from errnos.
+
+Note that calling the generic close implementation is sufficient in the
+error paths as the interrupt urb has not yet been submitted and the
+register updates have not been made.
+
+Fixes: f4c1e8d597d1 ("USB: ark3116: Make existing functions 16450-aware
+and add close and release functions.")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ark3116.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/serial/ark3116.c
++++ b/drivers/usb/serial/ark3116.c
+@@ -366,23 +366,29 @@ static int ark3116_open(struct tty_struc
+ dev_dbg(&port->dev,
+ "%s - usb_serial_generic_open failed: %d\n",
+ __func__, result);
+- goto err_out;
++ goto err_free;
+ }
+
+ /* remove any data still left: also clears error state */
+ ark3116_read_reg(serial, UART_RX, buf);
+
+ /* read modem status */
+- priv->msr = ark3116_read_reg(serial, UART_MSR, buf);
++ result = ark3116_read_reg(serial, UART_MSR, buf);
++ if (result < 0)
++ goto err_close;
++ priv->msr = *buf;
++
+ /* read line status */
+- priv->lsr = ark3116_read_reg(serial, UART_LSR, buf);
++ result = ark3116_read_reg(serial, UART_LSR, buf);
++ if (result < 0)
++ goto err_close;
++ priv->lsr = *buf;
+
+ result = usb_submit_urb(port->interrupt_in_urb, GFP_KERNEL);
+ if (result) {
+ dev_err(&port->dev, "submit irq_in urb failed %d\n",
+ result);
+- ark3116_close(port);
+- goto err_out;
++ goto err_close;
+ }
+
+ /* activate interrupts */
+@@ -395,8 +401,15 @@ static int ark3116_open(struct tty_struc
+ if (tty)
+ ark3116_set_termios(tty, port, NULL);
+
+-err_out:
+ kfree(buf);
++
++ return 0;
++
++err_close:
++ usb_serial_generic_close(port);
++err_free:
++ kfree(buf);
++
+ return result;
+ }
+
--- /dev/null
+From 1b0aed2b1600f6e5c7b9acfbd610a4e351ef5232 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 31 Jan 2017 17:17:28 +0100
+Subject: USB: serial: digi_acceleport: fix incomplete rx sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1b0aed2b1600f6e5c7b9acfbd610a4e351ef5232 upstream.
+
+Make sure the received data has the required headers before parsing it.
+
+Also drop the redundant urb-status check, which has already been handled
+by the caller.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/digi_acceleport.c | 38 +++++++++++++++++++++--------------
+ 1 file changed, 23 insertions(+), 15 deletions(-)
+
+--- a/drivers/usb/serial/digi_acceleport.c
++++ b/drivers/usb/serial/digi_acceleport.c
+@@ -1399,25 +1399,30 @@ static int digi_read_inb_callback(struct
+ {
+ struct usb_serial_port *port = urb->context;
+ struct digi_port *priv = usb_get_serial_port_data(port);
+- int opcode = ((unsigned char *)urb->transfer_buffer)[0];
+- int len = ((unsigned char *)urb->transfer_buffer)[1];
+- int port_status = ((unsigned char *)urb->transfer_buffer)[2];
+- unsigned char *data = ((unsigned char *)urb->transfer_buffer) + 3;
++ unsigned char *buf = urb->transfer_buffer;
++ int opcode;
++ int len;
++ int port_status;
++ unsigned char *data;
+ int flag, throttled;
+- int status = urb->status;
+-
+- /* do not process callbacks on closed ports */
+- /* but do continue the read chain */
+- if (urb->status == -ENOENT)
+- return 0;
+
+ /* short/multiple packet check */
++ if (urb->actual_length < 2) {
++ dev_warn(&port->dev, "short packet received\n");
++ return -1;
++ }
++
++ opcode = buf[0];
++ len = buf[1];
++
+ if (urb->actual_length != len + 2) {
+- dev_err(&port->dev, "%s: INCOMPLETE OR MULTIPLE PACKET, "
+- "status=%d, port=%d, opcode=%d, len=%d, "
+- "actual_length=%d, status=%d\n", __func__, status,
+- priv->dp_port_num, opcode, len, urb->actual_length,
+- port_status);
++ dev_err(&port->dev, "malformed packet received: port=%d, opcode=%d, len=%d, actual_length=%u\n",
++ priv->dp_port_num, opcode, len, urb->actual_length);
++ return -1;
++ }
++
++ if (opcode == DIGI_CMD_RECEIVE_DATA && len < 1) {
++ dev_err(&port->dev, "malformed data packet received\n");
+ return -1;
+ }
+
+@@ -1431,6 +1436,9 @@ static int digi_read_inb_callback(struct
+
+ /* receive data */
+ if (opcode == DIGI_CMD_RECEIVE_DATA) {
++ port_status = buf[2];
++ data = &buf[3];
++
+ /* get flag from port_status */
+ flag = 0;
+
--- /dev/null
+From e3e574ad85a208cb179f33720bb5f12b453de33c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:12 +0100
+Subject: USB: serial: ftdi_sio: fix latency-timer error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit e3e574ad85a208cb179f33720bb5f12b453de33c upstream.
+
+Make sure to detect short responses when reading the latency timer to
+avoid using stale buffer data.
+
+Note that no heap data would currently leak through sysfs as
+ASYNC_LOW_LATENCY is set by default.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ftdi_sio.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1437,10 +1437,13 @@ static int read_latency_timer(struct usb
+ FTDI_SIO_GET_LATENCY_TIMER_REQUEST_TYPE,
+ 0, priv->interface,
+ buf, 1, WDR_TIMEOUT);
+- if (rv < 0)
++ if (rv < 1) {
+ dev_err(&port->dev, "Unable to read latency timer: %i\n", rv);
+- else
++ if (rv >= 0)
++ rv = -EIO;
++ } else {
+ priv->latency = buf[0];
++ }
+
+ kfree(buf);
+
--- /dev/null
+From 3c0e25d883d06a1fbd1ad35257e8abaa57befb37 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:14 +0100
+Subject: USB: serial: io_edgeport: fix descriptor error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3c0e25d883d06a1fbd1ad35257e8abaa57befb37 upstream.
+
+Make sure to detect short control-message transfers and log an error
+when reading incomplete manufacturer and boot descriptors.
+
+Note that the default all-zero descriptors will now be used after a
+short transfer is detected instead of partially initialised ones.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/io_edgeport.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+--- a/drivers/usb/serial/io_edgeport.c
++++ b/drivers/usb/serial/io_edgeport.c
+@@ -2109,8 +2109,7 @@ static int rom_write(struct usb_serial *
+ * rom_read
+ * reads a number of bytes from the Edgeport device starting at the given
+ * address.
+- * If successful returns the number of bytes read, otherwise it returns
+- * a negative error number of the problem.
++ * Returns zero on success or a negative error number.
+ ****************************************************************************/
+ static int rom_read(struct usb_serial *serial, __u16 extAddr,
+ __u16 addr, __u16 length, __u8 *data)
+@@ -2135,12 +2134,17 @@ static int rom_read(struct usb_serial *s
+ USB_REQUEST_ION_READ_ROM,
+ 0xC0, addr, extAddr, transfer_buffer,
+ current_length, 300);
+- if (result < 0)
++ if (result < current_length) {
++ if (result >= 0)
++ result = -EIO;
+ break;
++ }
+ memcpy(data, transfer_buffer, current_length);
+ length -= current_length;
+ addr += current_length;
+ data += current_length;
++
++ result = 0;
+ }
+
+ kfree(transfer_buffer);
+@@ -2597,9 +2601,10 @@ static void get_manufacturing_desc(struc
+ EDGE_MANUF_DESC_LEN,
+ (__u8 *)(&edge_serial->manuf_descriptor));
+
+- if (response < 1)
+- dev_err(dev, "error in getting manufacturer descriptor\n");
+- else {
++ if (response < 0) {
++ dev_err(dev, "error in getting manufacturer descriptor: %d\n",
++ response);
++ } else {
+ char string[30];
+ dev_dbg(dev, "**Manufacturer Descriptor\n");
+ dev_dbg(dev, " RomSize: %dK\n",
+@@ -2656,9 +2661,10 @@ static void get_boot_desc(struct edgepor
+ EDGE_BOOT_DESC_LEN,
+ (__u8 *)(&edge_serial->boot_descriptor));
+
+- if (response < 1)
+- dev_err(dev, "error in getting boot descriptor\n");
+- else {
++ if (response < 0) {
++ dev_err(dev, "error in getting boot descriptor: %d\n",
++ response);
++ } else {
+ dev_dbg(dev, "**Boot Descriptor:\n");
+ dev_dbg(dev, " BootCodeLength: %d\n",
+ le16_to_cpu(edge_serial->boot_descriptor.BootCodeLength));
--- /dev/null
+From e4457d9798adb96272468e93da663de9bd0a4198 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:13 +0100
+Subject: USB: serial: io_edgeport: fix epic-descriptor handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit e4457d9798adb96272468e93da663de9bd0a4198 upstream.
+
+Use a dedicated buffer for the DMA transfer and make sure to detect
+short transfers to avoid parsing a corrupt descriptor.
+
+Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/io_edgeport.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/serial/io_edgeport.c
++++ b/drivers/usb/serial/io_edgeport.c
+@@ -492,20 +492,24 @@ static int get_epic_descriptor(struct ed
+ int result;
+ struct usb_serial *serial = ep->serial;
+ struct edgeport_product_info *product_info = &ep->product_info;
+- struct edge_compatibility_descriptor *epic = &ep->epic_descriptor;
++ struct edge_compatibility_descriptor *epic;
+ struct edge_compatibility_bits *bits;
+ struct device *dev = &serial->dev->dev;
+
+ ep->is_epic = 0;
++
++ epic = kmalloc(sizeof(*epic), GFP_KERNEL);
++ if (!epic)
++ return -ENOMEM;
++
+ result = usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0),
+ USB_REQUEST_ION_GET_EPIC_DESC,
+ 0xC0, 0x00, 0x00,
+- &ep->epic_descriptor,
+- sizeof(struct edge_compatibility_descriptor),
++ epic, sizeof(*epic),
+ 300);
+-
+- if (result > 0) {
++ if (result == sizeof(*epic)) {
+ ep->is_epic = 1;
++ memcpy(&ep->epic_descriptor, epic, sizeof(*epic));
+ memset(product_info, 0, sizeof(struct edgeport_product_info));
+
+ product_info->NumPorts = epic->NumPorts;
+@@ -534,8 +538,16 @@ static int get_epic_descriptor(struct ed
+ dev_dbg(dev, " IOSPWriteLCR : %s\n", bits->IOSPWriteLCR ? "TRUE": "FALSE");
+ dev_dbg(dev, " IOSPSetBaudRate : %s\n", bits->IOSPSetBaudRate ? "TRUE": "FALSE");
+ dev_dbg(dev, " TrueEdgeport : %s\n", bits->TrueEdgeport ? "TRUE": "FALSE");
++
++ result = 0;
++ } else if (result >= 0) {
++ dev_warn(&serial->interface->dev, "short epic descriptor received: %d\n",
++ result);
++ result = -EIO;
+ }
+
++ kfree(epic);
++
+ return result;
+ }
+
+@@ -2784,7 +2796,7 @@ static int edge_startup(struct usb_seria
+ dev_info(&serial->dev->dev, "%s detected\n", edge_serial->name);
+
+ /* Read the epic descriptor */
+- if (get_epic_descriptor(edge_serial) <= 0) {
++ if (get_epic_descriptor(edge_serial) < 0) {
+ /* memcpy descriptor to Supports structures */
+ memcpy(&edge_serial->epic_descriptor.Supports, descriptor,
+ sizeof(struct edge_compatibility_bits));
--- /dev/null
+From c528fcb116e61afc379a2e0a0f70906b937f1e2c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 31 Jan 2017 17:17:29 +0100
+Subject: USB: serial: keyspan_pda: fix receive sanity checks
+
+From: Johan Hovold <johan@kernel.org>
+
+commit c528fcb116e61afc379a2e0a0f70906b937f1e2c upstream.
+
+Make sure to check for short transfers before parsing the receive buffer
+to avoid acting on stale data.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/keyspan_pda.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/serial/keyspan_pda.c
++++ b/drivers/usb/serial/keyspan_pda.c
+@@ -139,6 +139,7 @@ static void keyspan_pda_rx_interrupt(str
+ {
+ struct usb_serial_port *port = urb->context;
+ unsigned char *data = urb->transfer_buffer;
++ unsigned int len = urb->actual_length;
+ int retval;
+ int status = urb->status;
+ struct keyspan_pda_private *priv;
+@@ -159,18 +160,26 @@ static void keyspan_pda_rx_interrupt(str
+ goto exit;
+ }
+
++ if (len < 1) {
++ dev_warn(&port->dev, "short message received\n");
++ goto exit;
++ }
++
+ /* see if the message is data or a status interrupt */
+ switch (data[0]) {
+ case 0:
+ /* rest of message is rx data */
+- if (urb->actual_length) {
+- tty_insert_flip_string(&port->port, data + 1,
+- urb->actual_length - 1);
+- tty_flip_buffer_push(&port->port);
+- }
++ if (len < 2)
++ break;
++ tty_insert_flip_string(&port->port, data + 1, len - 1);
++ tty_flip_buffer_push(&port->port);
+ break;
+ case 1:
+ /* status interrupt */
++ if (len < 3) {
++ dev_warn(&port->dev, "short interrupt message received\n");
++ break;
++ }
+ dev_dbg(&port->dev, "rx int, d1=%d, d2=%d\n", data[1], data[2]);
+ switch (data[1]) {
+ case 1: /* modemline change */
--- /dev/null
+From 36356a669eddb32917fc4b5c2b9b8bf80ede69de Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:16 +0100
+Subject: USB: serial: mct_u232: fix modem-status error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 36356a669eddb32917fc4b5c2b9b8bf80ede69de upstream.
+
+Make sure to detect short control-message transfers so that errors are
+logged when reading the modem status at open.
+
+Note that while this also avoids initialising the modem status using
+uninitialised heap data, these bits could not leak to user space as they
+are currently not used.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/mct_u232.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/mct_u232.c
++++ b/drivers/usb/serial/mct_u232.c
+@@ -322,8 +322,12 @@ static int mct_u232_get_modem_stat(struc
+ MCT_U232_GET_REQUEST_TYPE,
+ 0, 0, buf, MCT_U232_GET_MODEM_STAT_SIZE,
+ WDR_TIMEOUT);
+- if (rc < 0) {
++ if (rc < MCT_U232_GET_MODEM_STAT_SIZE) {
+ dev_err(&port->dev, "Get MODEM STATus failed (error = %d)\n", rc);
++
++ if (rc >= 0)
++ rc = -EIO;
++
+ *msr = 0;
+ } else {
+ *msr = buf[0];
--- /dev/null
+From 8c34cb8ddfe808d557b51da983ff10c02793beb2 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:20 +0100
+Subject: USB: serial: quatech2: fix control-message error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 8c34cb8ddfe808d557b51da983ff10c02793beb2 upstream.
+
+Make sure to detect short control-message transfers when fetching
+modem and line state in open and when retrieving registers.
+
+This specifically makes sure that an errno is returned to user space on
+errors in TIOCMGET instead of a zero bitmask.
+
+Also drop the unused getdevice function which also lacked appropriate
+error handling.
+
+Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/quatech2.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/serial/quatech2.c
++++ b/drivers/usb/serial/quatech2.c
+@@ -188,22 +188,22 @@ static inline int qt2_setdevice(struct u
+ }
+
+
+-static inline int qt2_getdevice(struct usb_device *dev, u8 *data)
+-{
+- return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
+- QT_SET_GET_DEVICE, 0xc0, 0, 0,
+- data, 3, QT2_USB_TIMEOUT);
+-}
+-
+ static inline int qt2_getregister(struct usb_device *dev,
+ u8 uart,
+ u8 reg,
+ u8 *data)
+ {
+- return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
+- QT_SET_GET_REGISTER, 0xc0, reg,
+- uart, data, sizeof(*data), QT2_USB_TIMEOUT);
++ int ret;
+
++ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
++ QT_SET_GET_REGISTER, 0xc0, reg,
++ uart, data, sizeof(*data), QT2_USB_TIMEOUT);
++ if (ret < sizeof(*data)) {
++ if (ret >= 0)
++ ret = -EIO;
++ }
++
++ return ret;
+ }
+
+ static inline int qt2_setregister(struct usb_device *dev,
+@@ -372,9 +372,11 @@ static int qt2_open(struct tty_struct *t
+ 0xc0, 0,
+ device_port, data, 2, QT2_USB_TIMEOUT);
+
+- if (status < 0) {
++ if (status < 2) {
+ dev_err(&port->dev, "%s - open port failed %i\n", __func__,
+ status);
++ if (status >= 0)
++ status = -EIO;
+ kfree(data);
+ return status;
+ }
--- /dev/null
+From 16620b483eaf7750413bae472f4363b6b959fcaa Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 6 Feb 2017 16:28:14 +0100
+Subject: USB: serial: sierra: fix bogus alternate-setting assumption
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 16620b483eaf7750413bae472f4363b6b959fcaa upstream.
+
+Interface numbers do not change when enabling alternate settings as
+comment and code in this driver suggested.
+
+Remove the confusing comment and redundant retrieval of the interface
+number in probe, while simplifying and renaming the interface-number
+helper.
+
+Fixes: 4db2299da213 ("sierra: driver interface blacklisting")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/sierra.c | 28 +++++-----------------------
+ 1 file changed, 5 insertions(+), 23 deletions(-)
+
+--- a/drivers/usb/serial/sierra.c
++++ b/drivers/usb/serial/sierra.c
+@@ -137,24 +137,9 @@ static int is_himemory(const u8 ifnum,
+ return 0;
+ }
+
+-static int sierra_calc_interface(struct usb_serial *serial)
++static u8 sierra_interface_num(struct usb_serial *serial)
+ {
+- int interface;
+- struct usb_interface *p_interface;
+- struct usb_host_interface *p_host_interface;
+-
+- /* Get the interface structure pointer from the serial struct */
+- p_interface = serial->interface;
+-
+- /* Get a pointer to the host interface structure */
+- p_host_interface = p_interface->cur_altsetting;
+-
+- /* read the interface descriptor for this active altsetting
+- * to find out the interface number we are on
+- */
+- interface = p_host_interface->desc.bInterfaceNumber;
+-
+- return interface;
++ return serial->interface->cur_altsetting->desc.bInterfaceNumber;
+ }
+
+ static int sierra_probe(struct usb_serial *serial,
+@@ -165,7 +150,7 @@ static int sierra_probe(struct usb_seria
+ u8 ifnum;
+
+ udev = serial->dev;
+- ifnum = sierra_calc_interface(serial);
++ ifnum = sierra_interface_num(serial);
+
+ /*
+ * If this interface supports more than 1 alternate
+@@ -178,9 +163,6 @@ static int sierra_probe(struct usb_seria
+ usb_set_interface(udev, ifnum, 1);
+ }
+
+- /* ifnum could have changed - by calling usb_set_interface */
+- ifnum = sierra_calc_interface(serial);
+-
+ if (is_blacklisted(ifnum,
+ (struct sierra_iface_info *)id->driver_info)) {
+ dev_dbg(&serial->dev->dev,
+@@ -342,7 +324,7 @@ static int sierra_send_setup(struct usb_
+
+ /* If composite device then properly report interface */
+ if (serial->num_ports == 1) {
+- interface = sierra_calc_interface(serial);
++ interface = sierra_interface_num(serial);
+ /* Control message is sent only to interfaces with
+ * interrupt_in endpoints
+ */
+@@ -916,7 +898,7 @@ static int sierra_port_probe(struct usb_
+ /* Determine actual memory requirements */
+ if (serial->num_ports == 1) {
+ /* Get interface number for composite device */
+- ifnum = sierra_calc_interface(serial);
++ ifnum = sierra_interface_num(serial);
+ himemoryp = &typeB_interface_list;
+ } else {
+ /* This is really the usb-serial port number of the interface
--- /dev/null
+From 1eac5c244f705182d1552a53e2f74e2775ed95d6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:22 +0100
+Subject: USB: serial: ssu100: fix control-message error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1eac5c244f705182d1552a53e2f74e2775ed95d6 upstream.
+
+Make sure to detect short control-message transfers rather than continue
+with zero-initialised data when retrieving modem status and during
+device initialisation.
+
+Fixes: 52af95459939 ("USB: add USB serial ssu100 driver")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ssu100.c | 31 ++++++++++++++++++++++++-------
+ 1 file changed, 24 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/serial/ssu100.c
++++ b/drivers/usb/serial/ssu100.c
+@@ -80,9 +80,17 @@ static inline int ssu100_setdevice(struc
+
+ static inline int ssu100_getdevice(struct usb_device *dev, u8 *data)
+ {
+- return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
+- QT_SET_GET_DEVICE, 0xc0, 0, 0,
+- data, 3, 300);
++ int ret;
++
++ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
++ QT_SET_GET_DEVICE, 0xc0, 0, 0,
++ data, 3, 300);
++ if (ret < 3) {
++ if (ret >= 0)
++ ret = -EIO;
++ }
++
++ return ret;
+ }
+
+ static inline int ssu100_getregister(struct usb_device *dev,
+@@ -90,10 +98,17 @@ static inline int ssu100_getregister(str
+ unsigned short reg,
+ u8 *data)
+ {
+- return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
+- QT_SET_GET_REGISTER, 0xc0, reg,
+- uart, data, sizeof(*data), 300);
++ int ret;
+
++ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
++ QT_SET_GET_REGISTER, 0xc0, reg,
++ uart, data, sizeof(*data), 300);
++ if (ret < sizeof(*data)) {
++ if (ret >= 0)
++ ret = -EIO;
++ }
++
++ return ret;
+ }
+
+
+@@ -289,8 +304,10 @@ static int ssu100_open(struct tty_struct
+ QT_OPEN_CLOSE_CHANNEL,
+ QT_TRANSFER_IN, 0x01,
+ 0, data, 2, 300);
+- if (result < 0) {
++ if (result < 2) {
+ dev_dbg(&port->dev, "%s - open failed %i\n", __func__, result);
++ if (result >= 0)
++ result = -EIO;
+ kfree(data);
+ return result;
+ }
--- /dev/null
+From 39712e8bfa8d3aa6ce1e60fc9d62c9b076c17a30 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:23 +0100
+Subject: USB: serial: ti_usb_3410_5052: fix control-message error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 39712e8bfa8d3aa6ce1e60fc9d62c9b076c17a30 upstream.
+
+Make sure to detect and return an error on zero-length control-message
+transfers when reading from the device.
+
+This addresses a potential failure to detect an empty transmit buffer
+during close.
+
+Also remove a redundant check for short transfer when sending a command.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ti_usb_3410_5052.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/serial/ti_usb_3410_5052.c
++++ b/drivers/usb/serial/ti_usb_3410_5052.c
+@@ -1343,13 +1343,10 @@ static int ti_command_out_sync(struct ti
+ (USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT),
+ value, moduleid, data, size, 1000);
+
+- if (status == size)
+- status = 0;
+-
+- if (status > 0)
+- status = -ECOMM;
++ if (status < 0)
++ return status;
+
+- return status;
++ return 0;
+ }
+
+
+@@ -1365,8 +1362,7 @@ static int ti_command_in_sync(struct ti_
+
+ if (status == size)
+ status = 0;
+-
+- if (status > 0)
++ else if (status >= 0)
+ status = -ECOMM;
+
+ return status;
--- /dev/null
+From 68dee8e2f2cacc54d038394e70d22411dee89da2 Mon Sep 17 00:00:00 2001
+From: Nikola Pajkovsky <npajkovsky@suse.cz>
+Date: Tue, 15 Nov 2016 09:47:49 +0100
+Subject: x86/pci-calgary: Fix iommu_free() comparison of unsigned expression >= 0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nikola Pajkovsky <npajkovsky@suse.cz>
+
+commit 68dee8e2f2cacc54d038394e70d22411dee89da2 upstream.
+
+commit 8fd524b355da ("x86: Kill bad_dma_address variable") has killed
+bad_dma_address variable and used instead of macro DMA_ERROR_CODE
+which is always zero. Since dma_addr is unsigned, the statement
+
+ dma_addr >= DMA_ERROR_CODE
+
+is always true, and not needed.
+
+arch/x86/kernel/pci-calgary_64.c: In function ‘iommu_free’:
+arch/x86/kernel/pci-calgary_64.c:299:2: warning: comparison of unsigned expression >= 0 is always true [-Wtype-limits]
+ if (unlikely((dma_addr >= DMA_ERROR_CODE) && (dma_addr < badend))) {
+
+Fixes: 8fd524b355da ("x86: Kill bad_dma_address variable")
+Signed-off-by: Nikola Pajkovsky <npajkovsky@suse.cz>
+Cc: iommu@lists.linux-foundation.org
+Cc: Jon Mason <jdmason@kudzu.us>
+Cc: Muli Ben-Yehuda <mulix@mulix.org>
+Link: http://lkml.kernel.org/r/7612c0f9dd7c1290407dbf8e809def922006920b.1479161177.git.npajkovsky@suse.cz
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/pci-calgary_64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/pci-calgary_64.c
++++ b/arch/x86/kernel/pci-calgary_64.c
+@@ -296,7 +296,7 @@ static void iommu_free(struct iommu_tabl
+
+ /* were we called with bad_dma_address? */
+ badend = DMA_ERROR_CODE + (EMERGENCY_PAGES * PAGE_SIZE);
+- if (unlikely((dma_addr >= DMA_ERROR_CODE) && (dma_addr < badend))) {
++ if (unlikely(dma_addr < badend)) {
+ WARN(1, KERN_ERR "Calgary: driver tried unmapping bad DMA "
+ "address 0x%Lx\n", dma_addr);
+ return;
--- /dev/null
+From 80354c29025833acd72ddac1ffa21c6cb50128cd Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Sun, 12 Mar 2017 17:07:44 +0200
+Subject: x86/platform/intel-mid: Correct MSI IRQ line for watchdog device
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 80354c29025833acd72ddac1ffa21c6cb50128cd upstream.
+
+The interrupt line used for the watchdog is 12, according to the official
+Intel Edison BSP code.
+
+And indeed after fixing it we start getting an interrupt and thus the
+watchdog starts working again:
+
+ [ 191.699951] Kernel panic - not syncing: Kernel Watchdog
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: David Cohen <david.a.cohen@linux.intel.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 78a3bb9e408b ("x86: intel-mid: add watchdog platform code for Merrifield")
+Link: http://lkml.kernel.org/r/20170312150744.45493-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/platform/intel-mid/device_libs/platform_wdt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/platform/intel-mid/device_libs/platform_wdt.c
++++ b/arch/x86/platform/intel-mid/device_libs/platform_wdt.c
+@@ -17,7 +17,7 @@
+ #include <asm/intel-mid.h>
+ #include <asm/io_apic.h>
+
+-#define TANGIER_EXT_TIMER0_MSI 15
++#define TANGIER_EXT_TIMER0_MSI 12
+
+ static struct platform_device wdt_dev = {
+ .name = "intel_mid_wdt",
projects / thirdparty / kernel / stable-queue.git / commitdiff
