--- /dev/null
+From 5b47cb78e8ce1991ef58a57cfb76a2698ce10982 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dtor@chromium.org>
+Date: Mon, 14 Dec 2015 17:34:08 -0800
+Subject: android: unconditionally remove callbacks in sync_fence_free()
+
+[ Upstream commit 699f685569434510d944e419f4048c4e3ba8d631 ]
+
+Using fence->status to determine whether or not there are callbacks
+remaining on the sync_fence is racy since fence->status may have been
+decremented to 0 on another CPU before fence_check_cb_func() has
+completed. By unconditionally calling fence_remove_callback() for each
+fence in the sync_fence, we guarantee that each callback has either
+completed (since fence_remove_callback() grabs the fence lock) or been
+removed.
+
+Signed-off-by: Andrew Bresticker <abrestic@chromium.org>
+Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/android/sync.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c
+index f83e00c78051..50a9945da27e 100644
+--- a/drivers/staging/android/sync.c
++++ b/drivers/staging/android/sync.c
+@@ -519,12 +519,10 @@ static const struct fence_ops android_fence_ops = {
+ static void sync_fence_free(struct kref *kref)
+ {
+ struct sync_fence *fence = container_of(kref, struct sync_fence, kref);
+- int i, status = atomic_read(&fence->status);
++ int i;
+
+ for (i = 0; i < fence->num_fences; ++i) {
+- if (status)
+- fence_remove_callback(fence->cbs[i].sync_pt,
+- &fence->cbs[i].cb);
++ fence_remove_callback(fence->cbs[i].sync_pt, &fence->cbs[i].cb);
+ fence_put(fence->cbs[i].sync_pt);
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 41e3e183d910551046fef7406e03b5f2157363f5 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 19 Nov 2015 15:49:23 +0100
+Subject: ARM: 8458/1: bL_switcher: add GIC dependency
+
+[ Upstream commit 6c044fecdf78be3fda159a5036bb33700cdd5e59 ]
+
+It is not possible to build the bL_switcher code if the GIC
+driver is disabled, because it relies on calling into some
+gic specific interfaces, and that would result in this build
+error:
+
+arch/arm/common/built-in.o: In function `bL_switch_to':
+:(.text+0x1230): undefined reference to `gic_get_sgir_physaddr'
+:(.text+0x1244): undefined reference to `gic_send_sgi'
+:(.text+0x1268): undefined reference to `gic_migrate_target'
+arch/arm/common/built-in.o: In function `bL_switcher_enable.part.4':
+:(.text.unlikely+0x2f8): undefined reference to `gic_get_cpu_id'
+
+This adds a Kconfig dependency to ensure we only build the big-little
+switcher if the GIC driver is present as well.
+
+Almost all ARMv7 platforms come with a GIC anyway, but it is possible
+to build a kernel that disables all platforms.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Nicolas Pitre <nico@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index 89c4b5ccc68d..bd3a806df001 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1432,7 +1432,7 @@ config BIG_LITTLE
+
+ config BL_SWITCHER
+ bool "big.LITTLE switcher support"
+- depends on BIG_LITTLE && MCPM && HOTPLUG_CPU
++ depends on BIG_LITTLE && MCPM && HOTPLUG_CPU && ARM_GIC
+ select ARM_CPU_SUSPEND
+ select CPU_PM
+ help
+--
+2.19.1
+
--- /dev/null
+From 2ae95e2be90b6bb10a218996291ea8260e40d618 Mon Sep 17 00:00:00 2001
+From: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Date: Mon, 1 Feb 2016 18:01:29 +0100
+Subject: ARM: 8510/1: rework ARM_CPU_SUSPEND dependencies
+
+[ Upstream commit 1b9bdf5c1661873a10e193b8cbb803a87fe5c4a1 ]
+
+The code enabled by the ARM_CPU_SUSPEND config option is used by
+kernel subsystems for purposes that go beyond system suspend so its
+config entry should be augmented to take more default options into
+account and avoid forcing its selection to prevent dependencies
+override.
+
+To achieve this goal, this patch reworks the ARM_CPU_SUSPEND config
+entry and updates its default config value (by adding the BL_SWITCHER
+option to it) and its dependencies (ARCH_SUSPEND_POSSIBLE), so that the
+symbol is still selected by default by the subsystems requiring it and
+at the same time enforcing the dependencies correctly.
+
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Cc: Nicolas Pitre <nico@fluxnic.net>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index bd3a806df001..ee9acbfa7a1d 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1433,7 +1433,6 @@ config BIG_LITTLE
+ config BL_SWITCHER
+ bool "big.LITTLE switcher support"
+ depends on BIG_LITTLE && MCPM && HOTPLUG_CPU && ARM_GIC
+- select ARM_CPU_SUSPEND
+ select CPU_PM
+ help
+ The big.LITTLE "switcher" provides the core functionality to
+@@ -2153,7 +2152,8 @@ config ARCH_SUSPEND_POSSIBLE
+ def_bool y
+
+ config ARM_CPU_SUSPEND
+- def_bool PM_SLEEP
++ def_bool PM_SLEEP || BL_SWITCHER
++ depends on ARCH_SUSPEND_POSSIBLE
+
+ config ARCH_HIBERNATION_POSSIBLE
+ bool
+--
+2.19.1
+
--- /dev/null
+From f8fa0614bed4fa0a5acac96d0ed77c265aaea829 Mon Sep 17 00:00:00 2001
+From: Yury Norov <ynorov@caviumnetworks.com>
+Date: Wed, 2 Dec 2015 14:00:10 +0000
+Subject: arm64: fix COMPAT_SHMLBA definition for large pages
+
+[ Upstream commit b9b7aebb42d1b1392f3111de61136bb6cf3aae3f ]
+
+ARM glibc uses (4 * __getpagesize()) for SHMLBA, which is correct for
+4KB pages and works fine for 64KB pages, but the kernel uses a hardcoded
+16KB that is too small for 64KB page based kernels. This changes the
+definition to what user space sees when using 64KB pages.
+
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Yury Norov <ynorov@caviumnetworks.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/shmparam.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/include/asm/shmparam.h b/arch/arm64/include/asm/shmparam.h
+index 4df608a8459e..e368a55ebd22 100644
+--- a/arch/arm64/include/asm/shmparam.h
++++ b/arch/arm64/include/asm/shmparam.h
+@@ -21,7 +21,7 @@
+ * alignment value. Since we don't have aliasing D-caches, the rest of
+ * the time we can safely use PAGE_SIZE.
+ */
+-#define COMPAT_SHMLBA 0x4000
++#define COMPAT_SHMLBA (4 * PAGE_SIZE)
+
+ #include <asm-generic/shmparam.h>
+
+--
+2.19.1
+
--- /dev/null
+From 0f08ca9e8e1f01183a5e81ab8a13bd29585ad846 Mon Sep 17 00:00:00 2001
+From: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
+Date: Wed, 27 Apr 2016 13:55:28 -0300
+Subject: arm64: kconfig: drop CONFIG_RTC_LIB dependency
+
+[ Upstream commit 99a507771fa57238dc7ffe674ae06090333d02c9 ]
+
+The rtc-lib dependency is not required, and seems it was just
+copy-pasted from ARM's Kconfig. If platform requires rtc-lib,
+they should select it individually.
+
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index 00b9c4870230..e8d81283c4fe 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -69,7 +69,6 @@ config ARM64
+ select PERF_USE_VMALLOC
+ select POWER_RESET
+ select POWER_SUPPLY
+- select RTC_LIB
+ select SPARSE_IRQ
+ select SYSCTL_EXCEPTION_TRACE
+ select HAVE_CONTEXT_TRACKING
+--
+2.19.1
+
--- /dev/null
+From a4b3735ed6485d9b5ca1c26237c284830f155f42 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Fri, 18 Mar 2016 10:58:09 +0100
+Subject: arm64/kernel: fix incorrect EL0 check in inv_entry macro
+
+[ Upstream commit b660950c60a7278f9d8deb7c32a162031207c758 ]
+
+The implementation of macro inv_entry refers to its 'el' argument without
+the required leading backslash, which results in an undefined symbol
+'el' to be passed into the kernel_entry macro rather than the index of
+the exception level as intended.
+
+This undefined symbol strangely enough does not result in build failures,
+although it is visible in vmlinux:
+
+ $ nm -n vmlinux |head
+ U el
+ 0000000000000000 A _kernel_flags_le_hi32
+ 0000000000000000 A _kernel_offset_le_hi32
+ 0000000000000000 A _kernel_size_le_hi32
+ 000000000000000a A _kernel_flags_le_lo32
+ .....
+
+However, it does result in incorrect code being generated for invalid
+exceptions taken from EL0, since the argument check in kernel_entry
+assumes EL1 if its argument does not equal '0'.
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/entry.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
+index 00f7ba3d82b8..2dfbb831e4af 100644
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -234,7 +234,7 @@ END(vectors)
+ * Invalid mode handlers
+ */
+ .macro inv_entry, el, reason, regsize = 64
+- kernel_entry el, \regsize
++ kernel_entry \el, \regsize
+ mov x0, sp
+ mov x1, #\reason
+ mrs x2, esr_el1
+--
+2.19.1
+
--- /dev/null
+From 2f67d01213e250daf25c423315852b04da373222 Mon Sep 17 00:00:00 2001
+From: James Morse <james.morse@arm.com>
+Date: Wed, 27 Apr 2016 17:47:08 +0100
+Subject: arm64: kernel: Include _AC definition in page.h
+
+[ Upstream commit 812264550dcba6cdbe84bfac2f27e7d23b5b8733 ]
+
+page.h uses '_AC' in the definition of PAGE_SIZE, but doesn't include
+linux/const.h where this is defined. This produces build warnings when only
+asm/page.h is included by asm code.
+
+Signed-off-by: James Morse <james.morse@arm.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/page.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/include/asm/page.h b/arch/arm64/include/asm/page.h
+index 22b16232bd60..677c2bcc3318 100644
+--- a/arch/arm64/include/asm/page.h
++++ b/arch/arm64/include/asm/page.h
+@@ -19,6 +19,8 @@
+ #ifndef __ASM_PAGE_H
+ #define __ASM_PAGE_H
+
++#include <linux/const.h>
++
+ /* PAGE_SHIFT determines the page size */
+ #ifdef CONFIG_ARM64_64K_PAGES
+ #define PAGE_SHIFT 16
+--
+2.19.1
+
--- /dev/null
+From 8c7453632eac75cb83a55878d5034d1dd3fe8c71 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Mon, 25 Jan 2016 11:44:55 +0000
+Subject: asm-generic: Fix local variable shadow in __set_fixmap_offset
+
+[ Upstream commit 3694bd76781b76c4f8d2ecd85018feeb1609f0e5 ]
+
+Currently __set_fixmap_offset is a macro function which has a local
+variable called 'addr'. If a caller passes a 'phys' parameter which is
+derived from a variable also called 'addr', the local variable will
+shadow this, and the compiler will complain about the use of an
+uninitialized variable. To avoid the issue with namespace clashes,
+'addr' is prefixed with a liberal sprinkling of underscores.
+
+Turning __set_fixmap_offset into a static inline breaks the build for
+several architectures. Fixing this properly requires updates to a number
+of architectures to make them agree on the prototype of __set_fixmap (it
+could be done as a subsequent patch series).
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+[catalin.marinas@arm.com: squashed the original function patch and macro fixup]
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/asm-generic/fixmap.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/include/asm-generic/fixmap.h b/include/asm-generic/fixmap.h
+index f23174fb9ec4..10889b63af8f 100644
+--- a/include/asm-generic/fixmap.h
++++ b/include/asm-generic/fixmap.h
+@@ -67,12 +67,12 @@ static inline unsigned long virt_to_fix(const unsigned long vaddr)
+ #endif
+
+ /* Return a pointer with offset calculated */
+-#define __set_fixmap_offset(idx, phys, flags) \
+-({ \
+- unsigned long addr; \
+- __set_fixmap(idx, phys, flags); \
+- addr = fix_to_virt(idx) + ((phys) & (PAGE_SIZE - 1)); \
+- addr; \
++#define __set_fixmap_offset(idx, phys, flags) \
++({ \
++ unsigned long ________addr; \
++ __set_fixmap(idx, phys, flags); \
++ ________addr = fix_to_virt(idx) + ((phys) & (PAGE_SIZE - 1)); \
++ ________addr; \
+ })
+
+ #define set_fixmap_offset(idx, phys) \
+--
+2.19.1
+
--- /dev/null
+From ae695cda06d67b9bece97bb8749324c186129424 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 9 Jan 2017 11:10:42 +0100
+Subject: cfg80211: size various nl80211 messages correctly
+
+[ Upstream commit 4ef8c1c93f848e360754f10eb2e7134c872b6597 ]
+
+Ilan reported that sometimes nl80211 messages weren't working if
+the frames being transported got very large, which was really a
+problem for userspace-to-kernel messages, but prompted me to look
+at the code.
+
+Upon review, I found various places where variable-length data is
+transported in an nl80211 message but the message isn't allocated
+taking that into account. This shouldn't cause any problems since
+the frames aren't really that long, apart in one place where two
+(possibly very long frames) might not fit.
+
+Fix all the places (that I found) that get variable length data
+from the driver and put it into a message to take the length of
+the variable data into account. The 100 there is just a safe
+constant for the remaining message overhead (it's usually around
+50 for most messages.)
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 2e1633ac93f7..800ef920b4f6 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -10586,7 +10586,7 @@ static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
+ struct sk_buff *msg;
+ void *hdr;
+
+- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
++ msg = nlmsg_new(100 + len, gfp);
+ if (!msg)
+ return;
+
+@@ -10738,7 +10738,7 @@ void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
+ struct sk_buff *msg;
+ void *hdr;
+
+- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
++ msg = nlmsg_new(100 + req_ie_len + resp_ie_len, gfp);
+ if (!msg)
+ return;
+
+@@ -10778,7 +10778,7 @@ void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
+ struct sk_buff *msg;
+ void *hdr;
+
+- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
++ msg = nlmsg_new(100 + req_ie_len + resp_ie_len, gfp);
+ if (!msg)
+ return;
+
+@@ -10816,7 +10816,7 @@ void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
+ struct sk_buff *msg;
+ void *hdr;
+
+- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
++ msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
+ if (!msg)
+ return;
+
+@@ -10893,7 +10893,7 @@ void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
+
+ trace_cfg80211_notify_new_peer_candidate(dev, addr);
+
+- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
++ msg = nlmsg_new(100 + ie_len, gfp);
+ if (!msg)
+ return;
+
+@@ -11269,7 +11269,7 @@ int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
+ struct sk_buff *msg;
+ void *hdr;
+
+- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
++ msg = nlmsg_new(100 + len, gfp);
+ if (!msg)
+ return -ENOMEM;
+
+@@ -11312,7 +11312,7 @@ void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
+
+ trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
+
+- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
++ msg = nlmsg_new(100 + len, gfp);
+ if (!msg)
+ return;
+
+@@ -12022,7 +12022,7 @@ void cfg80211_ft_event(struct net_device *netdev,
+ if (!ft_event->target_ap)
+ return;
+
+- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
++ msg = nlmsg_new(100 + ft_event->ric_ies_len, GFP_KERNEL);
+ if (!msg)
+ return;
+
+--
+2.19.1
+
--- /dev/null
+From a2535c89d07766223b7f5f476552b2b75c146c65 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Sat, 11 Jun 2016 20:32:06 +0200
+Subject: ipv6: fix endianness error in icmpv6_err
+
+[ Upstream commit dcb94b88c09ce82a80e188d49bcffdc83ba215a6 ]
+
+IPv6 ping socket error handler doesn't correctly convert the new 32 bit
+mtu to host endianness before using.
+
+Cc: Lorenzo Colitti <lorenzo@google.com>
+Fixes: 6d0bfe22611602f ("net: ipv6: Add IPv6 support to the ping socket.")
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Acked-by: Lorenzo Colitti <lorenzo@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/icmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
+index 97ae70077a4f..3b5c265dcb1d 100644
+--- a/net/ipv6/icmp.c
++++ b/net/ipv6/icmp.c
+@@ -97,7 +97,7 @@ static void icmpv6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
+
+ if (!(type & ICMPV6_INFOMSG_MASK))
+ if (icmp6->icmp6_type == ICMPV6_ECHO_REQUEST)
+- ping_err(skb, offset, info);
++ ping_err(skb, offset, ntohl(info));
+ }
+
+ static int icmpv6_rcv(struct sk_buff *skb);
+--
+2.19.1
+
--- /dev/null
+From 3e09eac23f9a4bad835758bb23ece58acdb5836a Mon Sep 17 00:00:00 2001
+From: Colin Cross <ccross@android.com>
+Date: Thu, 22 Oct 2015 10:00:41 -0700
+Subject: mmc: block: Allow more than 8 partitions per card
+
+[ Upstream commit 382c55f88ffeb218c446bf0c46d0fc25d2795fe2 ]
+
+It is quite common for Android devices to utilize more
+then 8 partitions on internal eMMC storage.
+
+The vanilla kernel can support this via
+CONFIG_MMC_BLOCK_MINORS, however that solution caps the
+system to 256 minors total, which limits the number of
+mmc cards the system can support.
+
+This patch, which has been carried for quite awhile in
+the AOSP common tree, provides an alternative solution
+that doesn't seem to limit the total card count. So I
+wanted to submit it for consideration upstream.
+
+This patch sets the GENHD_FL_EXT_DEVT flag, which will
+allocate minor number in major 259 for partitions past
+disk->minors.
+
+It also removes the use of disk_devt to determine devidx
+from md->disk. md->disk->first_minor is always initialized
+from devidx and can always be used to recover it.
+
+Cc: Ulf Hansson <ulf.hansson@linaro.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Cc: Chuanxiao Dong <chuanxiao.dong@intel.com>
+Cc: Shawn Lin <shawn.lin@rock-chips.com>
+Cc: Austin S Hemmelgarn <ahferroin7@gmail.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Android Kernel Team <kernel-team@android.com>
+Cc: linux-mmc@vger.kernel.org
+Signed-off-by: Colin Cross <ccross@android.com>
+[jstultz: Added context to commit message]
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/card/block.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
+index dec6b0ec4def..8688ac7a45da 100644
+--- a/drivers/mmc/card/block.c
++++ b/drivers/mmc/card/block.c
+@@ -166,11 +166,7 @@ static struct mmc_blk_data *mmc_blk_get(struct gendisk *disk)
+
+ static inline int mmc_get_devidx(struct gendisk *disk)
+ {
+- int devmaj = MAJOR(disk_devt(disk));
+- int devidx = MINOR(disk_devt(disk)) / perdev_minors;
+-
+- if (!devmaj)
+- devidx = disk->first_minor / perdev_minors;
++ int devidx = disk->first_minor / perdev_minors;
+ return devidx;
+ }
+
+@@ -2152,6 +2148,7 @@ static struct mmc_blk_data *mmc_blk_alloc_req(struct mmc_card *card,
+ md->disk->queue = md->queue.queue;
+ md->disk->driverfs_dev = parent;
+ set_disk_ro(md->disk, md->read_only || default_ro);
++ md->disk->flags = GENHD_FL_EXT_DEVT;
+ if (area_type & (MMC_BLK_DATA_AREA_RPMB | MMC_BLK_DATA_AREA_BOOT))
+ md->disk->flags |= GENHD_FL_NO_PART_SCAN;
+
+--
+2.19.1
+
--- /dev/null
+From 5a6d1676b3474d092f4177697e9677e53b83ba45 Mon Sep 17 00:00:00 2001
+From: Chaotian Jing <chaotian.jing@mediatek.com>
+Date: Thu, 19 May 2016 16:47:42 +0800
+Subject: mmc: mmc: fix switch timeout issue caused by jiffies precision
+
+[ Upstream commit 987aa5f8059613bf85cbb6f64ffbd34f5cb7a9d1 ]
+
+with CONFIG_HZ=100, the precision of jiffies is 10ms, and the
+generic_cmd6_time of some card is also 10ms. then, may be current
+time is only 5ms, but already timed out caused by jiffies precision.
+
+Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/core/mmc_ops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/core/mmc_ops.c b/drivers/mmc/core/mmc_ops.c
+index 7911e0510a1d..16a39a8d2e7e 100644
+--- a/drivers/mmc/core/mmc_ops.c
++++ b/drivers/mmc/core/mmc_ops.c
+@@ -490,7 +490,7 @@ int __mmc_switch(struct mmc_card *card, u8 set, u8 index, u8 value,
+ timeout_ms = MMC_OPS_TIMEOUT_MS;
+
+ /* Must check status to be sure of no errors. */
+- timeout = jiffies + msecs_to_jiffies(timeout_ms);
++ timeout = jiffies + msecs_to_jiffies(timeout_ms) + 1;
+ do {
+ if (send_status) {
+ err = __mmc_send_status(card, &status, ignore_crc);
+--
+2.19.1
+
media-v4l2-ctrls.c-uvc-zero-v4l2_event.patch
bluetooth-check-l2cap-option-sizes-returned-from-l2cap_get_conf_opt.patch
bluetooth-verify-that-l2cap_get_conf_opt-provides-large-enough-buffer.patch
+mmc-block-allow-more-than-8-partitions-per-card.patch
+arm64-fix-compat_shmlba-definition-for-large-pages.patch
+arm-8458-1-bl_switcher-add-gic-dependency.patch
+android-unconditionally-remove-callbacks-in-sync_fen.patch
+asm-generic-fix-local-variable-shadow-in-__set_fixma.patch
+staging-ashmem-avoid-deadlock-with-mmap-shrink.patch
+staging-ashmem-add-missing-include.patch
+staging-ion-set-minimum-carveout-heap-allocation-ord.patch
+staging-goldfish-audio-fix-compiliation-on-arm.patch
+arm-8510-1-rework-arm_cpu_suspend-dependencies.patch
+arm64-kernel-fix-incorrect-el0-check-in-inv_entry-ma.patch
+arm64-kernel-include-_ac-definition-in-page.h.patch
+ipv6-fix-endianness-error-in-icmpv6_err.patch
+usb-gadget-configfs-add-mutex-lock-before-unregister.patch
+video-fbdev-set-pixclock-0-in-goldfishfb.patch
+arm64-kconfig-drop-config_rtc_lib-dependency.patch
+mmc-mmc-fix-switch-timeout-issue-caused-by-jiffies-p.patch
+cfg80211-size-various-nl80211-messages-correctly.patch
--- /dev/null
+From 2380b1dd99991f9ad9c8af3d52a2ff6e57d00732 Mon Sep 17 00:00:00 2001
+From: Rom Lemarchand <romlem@android.com>
+Date: Fri, 29 Jan 2016 22:07:31 -0800
+Subject: staging: ashmem: Add missing include
+
+[ Upstream commit 90a2f171383b5ae43b33ab4d9d566b9765622ac7 ]
+
+Include <linux/types.h> into ashmem.h to ensure referenced types
+are defined
+
+Cc: Android Kernel Team <kernel-team@android.com>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Signed-off-by: Rom Lemarchand <romlem@android.com>
+[jstultz: Minor commit message tweaks]
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/android/uapi/ashmem.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/android/uapi/ashmem.h b/drivers/staging/android/uapi/ashmem.h
+index ba4743c71d6b..13df42d200b7 100644
+--- a/drivers/staging/android/uapi/ashmem.h
++++ b/drivers/staging/android/uapi/ashmem.h
+@@ -13,6 +13,7 @@
+ #define _UAPI_LINUX_ASHMEM_H
+
+ #include <linux/ioctl.h>
++#include <linux/types.h>
+
+ #define ASHMEM_NAME_LEN 256
+
+--
+2.19.1
+
--- /dev/null
+From 09ea818c4030a62973b1aeb8ca3486994589434f Mon Sep 17 00:00:00 2001
+From: Laura Abbott <lauraa@codeaurora.org>
+Date: Fri, 29 Jan 2016 22:07:30 -0800
+Subject: staging: ashmem: Avoid deadlock with mmap/shrink
+
+[ Upstream commit 18e77054de741ef3ed2a2489bc9bf82a318b2d5e ]
+
+Both ashmem_mmap and ashmem_shrink take the ashmem_lock. It may
+be possible for ashmem_mmap to invoke ashmem_shrink:
+
+-000|mutex_lock(lock = 0x0)
+-001|ashmem_shrink(?, sc = 0x0) <--- try to take ashmem_mutex again
+-002|shrink_slab(shrink = 0xDA5F1CC0, nr_pages_scanned = 0, lru_pages
+-002|=
+-002|124)
+-003|try_to_free_pages(zonelist = 0x0, ?, ?, ?)
+-004|__alloc_pages_nodemask(gfp_mask = 21200, order = 1, zonelist =
+-004|0xC11D0940,
+-005|new_slab(s = 0xE4841E80, ?, node = -1)
+-006|__slab_alloc.isra.43.constprop.50(s = 0xE4841E80, gfpflags =
+-006|2148925462, ad
+-007|kmem_cache_alloc(s = 0xE4841E80, gfpflags = 208)
+-008|shmem_alloc_inode(?)
+-009|alloc_inode(sb = 0xE480E800)
+-010|new_inode_pseudo(?)
+-011|new_inode(?)
+-012|shmem_get_inode(sb = 0xE480E800, dir = 0x0, ?, dev = 0, flags =
+-012|187)
+-013|shmem_file_setup(?, ?, flags = 187)
+-014|ashmem_mmap(?, vma = 0xC5D64210) <---- Acquire ashmem_mutex
+-015|mmap_region(file = 0xDF8E2C00, addr = 1772974080, len = 233472,
+-015|flags = 57,
+-016|sys_mmap_pgoff(addr = 0, len = 230400, prot = 3, flags = 1, fd =
+-016|157, pgoff
+-017|ret_fast_syscall(asm)
+-->|exception
+-018|NUR:0x40097508(asm)
+---|end of frame
+
+Avoid this deadlock by using mutex_trylock in ashmem_shrink; if the mutex
+is already held, do not attempt to shrink.
+
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Cc: Android Kernel Team <kernel-team@android.com>
+Reported-by: Matt Wagantall <mattw@codeaurora.org>
+Reported-by: Syed Rameez Mustafa <rameezmustafa@codeaurora.org>
+Reported-by: Osvaldo Banuelos <osvaldob@codeaurora.org>
+Reported-by: Subbaraman Narayanamurthy <subbaram@codeaurora.org>
+Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
+[jstultz: Minor commit message tweaks]
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/android/ashmem.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
+index 22ddd4ce9dd6..5105fe5e6533 100644
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -447,7 +447,9 @@ ashmem_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
+ if (!(sc->gfp_mask & __GFP_FS))
+ return SHRINK_STOP;
+
+- mutex_lock(&ashmem_mutex);
++ if (!mutex_trylock(&ashmem_mutex))
++ return -1;
++
+ list_for_each_entry_safe(range, next, &ashmem_lru_list, lru) {
+ loff_t start = range->pgstart * PAGE_SIZE;
+ loff_t end = (range->pgend + 1) * PAGE_SIZE;
+--
+2.19.1
+
--- /dev/null
+From 826d494a98ba40872ae845fa780e6151d6e6ae68 Mon Sep 17 00:00:00 2001
+From: Greg Hackmann <ghackmann@google.com>
+Date: Fri, 26 Feb 2016 19:00:18 +0000
+Subject: staging: goldfish: audio: fix compiliation on arm
+
+[ Upstream commit 4532150762ceb0d6fd765ebcb3ba6966fbb8faab ]
+
+We do actually need slab.h, by luck we get it on other platforms but not
+always on ARM. Include it properly.
+
+Signed-off-by: Greg Hackmann <ghackmann@google.com>
+Signed-off-by: Jin Qian <jinqian@android.com>
+Signed-off-by: Alan <alan@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/goldfish/goldfish_audio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/goldfish/goldfish_audio.c b/drivers/staging/goldfish/goldfish_audio.c
+index f200359c4443..57e931d0c940 100644
+--- a/drivers/staging/goldfish/goldfish_audio.c
++++ b/drivers/staging/goldfish/goldfish_audio.c
+@@ -26,6 +26,7 @@
+ #include <linux/sched.h>
+ #include <linux/dma-mapping.h>
+ #include <linux/uaccess.h>
++#include <linux/slab.h>
+ #include <linux/goldfish.h>
+
+ MODULE_AUTHOR("Google, Inc.");
+--
+2.19.1
+
--- /dev/null
+From ad6189a20c5d9ac2b0bcb776755c0772cf3e746d Mon Sep 17 00:00:00 2001
+From: Rajmal Menariya <rajmal.menariya@spreadtrum.com>
+Date: Fri, 29 Jan 2016 22:07:35 -0800
+Subject: staging: ion: Set minimum carveout heap allocation order to
+ PAGE_SHIFT
+
+[ Upstream commit 1328d8efef17d5e16bd6e9cfe59130a833674534 ]
+
+In carveout heap, change minimum allocation order from 12 to
+PAGE_SHIFT. After this change each bit in bitmap (genalloc -
+General purpose special memory pool) represents one page size
+memory.
+
+Cc: sprd-ind-kernel-group@googlegroups.com
+Cc: sanjeev.yadav@spreadtrum.com
+Cc: Colin Cross <ccross@android.com>
+Cc: Android Kernel Team <kernel-team@android.com>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Cc: Sumit Semwal <sumit.semwal@linaro.org>
+Signed-off-by: Rajmal Menariya <rajmal.menariya@spreadtrum.com>
+[jstultz: Reworked commit message]
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Acked-by: Laura Abbott <labbott@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/android/ion/ion_carveout_heap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/android/ion/ion_carveout_heap.c b/drivers/staging/android/ion/ion_carveout_heap.c
+index 9156d8238c97..e702ce6461fc 100644
+--- a/drivers/staging/android/ion/ion_carveout_heap.c
++++ b/drivers/staging/android/ion/ion_carveout_heap.c
+@@ -167,7 +167,7 @@ struct ion_heap *ion_carveout_heap_create(struct ion_platform_heap *heap_data)
+ if (!carveout_heap)
+ return ERR_PTR(-ENOMEM);
+
+- carveout_heap->pool = gen_pool_create(12, -1);
++ carveout_heap->pool = gen_pool_create(PAGE_SHIFT, -1);
+ if (!carveout_heap->pool) {
+ kfree(carveout_heap);
+ return ERR_PTR(-ENOMEM);
+--
+2.19.1
+
--- /dev/null
+From 931eabf2fad4e7480b364b6f45e0f764dc141948 Mon Sep 17 00:00:00 2001
+From: Winter Wang <wente.wang@nxp.com>
+Date: Wed, 27 Jul 2016 10:03:19 +0800
+Subject: usb: gadget: configfs: add mutex lock before unregister gadget
+
+[ Upstream commit cee51c33f52ebf673a088a428ac0fecc33ab77fa ]
+
+There may be a race condition if f_fs calls unregister_gadget_item in
+ffs_closed() when unregister_gadget is called by UDC store at the same time.
+this leads to a kernel NULL pointer dereference:
+
+[ 310.644928] Unable to handle kernel NULL pointer dereference at virtual address 00000004
+[ 310.645053] init: Service 'adbd' is being killed...
+[ 310.658938] pgd = c9528000
+[ 310.662515] [00000004] *pgd=19451831, *pte=00000000, *ppte=00000000
+[ 310.669702] Internal error: Oops: 817 [#1] PREEMPT SMP ARM
+[ 310.675211] Modules linked in:
+[ 310.678294] CPU: 0 PID: 1537 Comm: ->transport Not tainted 4.1.15-03725-g793404c #2
+[ 310.685958] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+[ 310.692493] task: c8e24200 ti: c945e000 task.ti: c945e000
+[ 310.697911] PC is at usb_gadget_unregister_driver+0xb4/0xd0
+[ 310.703502] LR is at __mutex_lock_slowpath+0x10c/0x16c
+[ 310.708648] pc : [<c075efc0>] lr : [<c0bfb0bc>] psr: 600f0113
+<snip..>
+[ 311.565585] [<c075efc0>] (usb_gadget_unregister_driver) from [<c075e2b8>] (unregister_gadget_item+0x1c/0x34)
+[ 311.575426] [<c075e2b8>] (unregister_gadget_item) from [<c076fcc8>] (ffs_closed+0x8c/0x9c)
+[ 311.583702] [<c076fcc8>] (ffs_closed) from [<c07736b8>] (ffs_data_reset+0xc/0xa0)
+[ 311.591194] [<c07736b8>] (ffs_data_reset) from [<c07738ac>] (ffs_data_closed+0x90/0xd0)
+[ 311.599208] [<c07738ac>] (ffs_data_closed) from [<c07738f8>] (ffs_ep0_release+0xc/0x14)
+[ 311.607224] [<c07738f8>] (ffs_ep0_release) from [<c023e030>] (__fput+0x80/0x1d0)
+[ 311.614635] [<c023e030>] (__fput) from [<c014e688>] (task_work_run+0xb0/0xe8)
+[ 311.621788] [<c014e688>] (task_work_run) from [<c010afdc>] (do_work_pending+0x7c/0xa4)
+[ 311.629718] [<c010afdc>] (do_work_pending) from [<c010770c>] (work_pending+0xc/0x20)
+
+for functions using functionFS, i.e. android adbd will close /dev/usb-ffs/adb/ep0
+when usb IO thread fails, but switch adb from on to off also triggers write
+"none" > UDC. These 2 operations both call unregister_gadget, which will lead
+to the panic above.
+
+add a mutex before calling unregister_gadget for api used in f_fs.
+
+Signed-off-by: Winter Wang <wente.wang@nxp.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/configfs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
+index 156c252c5aab..e5a67e9749f8 100644
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -1551,7 +1551,9 @@ void unregister_gadget_item(struct config_item *item)
+ {
+ struct gadget_info *gi = to_gadget_info(item);
+
++ mutex_lock(&gi->lock);
+ unregister_gadget(gi);
++ mutex_unlock(&gi->lock);
+ }
+ EXPORT_SYMBOL_GPL(unregister_gadget_item);
+
+--
+2.19.1
+
--- /dev/null
+From 1781dcf034f97d6c0d6fd6766a63c7161818442c Mon Sep 17 00:00:00 2001
+From: Christoffer Dall <christoffer.dall@linaro.org>
+Date: Tue, 3 Jul 2018 17:43:09 +0200
+Subject: video: fbdev: Set pixclock = 0 in goldfishfb
+
+[ Upstream commit ace6033ec5c356615eaa3582fb1946e9eaff6662 ]
+
+User space Android code identifies pixclock == 0 as a sign for emulation
+and will set the frame rate to 60 fps when reading this value, which is
+the desired outcome.
+
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Roman Kiryanov <rkir@google.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/goldfishfb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/goldfishfb.c b/drivers/video/fbdev/goldfishfb.c
+index 14a93cb21310..66d58e93bc32 100644
+--- a/drivers/video/fbdev/goldfishfb.c
++++ b/drivers/video/fbdev/goldfishfb.c
+@@ -234,7 +234,7 @@ static int goldfish_fb_probe(struct platform_device *pdev)
+ fb->fb.var.activate = FB_ACTIVATE_NOW;
+ fb->fb.var.height = readl(fb->reg_base + FB_GET_PHYS_HEIGHT);
+ fb->fb.var.width = readl(fb->reg_base + FB_GET_PHYS_WIDTH);
+- fb->fb.var.pixclock = 10000;
++ fb->fb.var.pixclock = 0;
+
+ fb->fb.var.red.offset = 11;
+ fb->fb.var.red.length = 5;
+--
+2.19.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
