4.7-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 28 Sep 2016 08:38:32 +0000 (10:38 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 28 Sep 2016 08:38:32 +0000 (10:38 +0200)
added patches:
builddeb-really-include-objtool-binary-in-headers-package.patch
ceph-correctly-return-nxio-errors-from-ceph_llseek.patch
ceph-fix-symbol-versioning-for-ceph_monc_do_statfs.patch
hostfs-freeing-an-err_ptr-in-hostfs_fill_sb_common.patch
igb-fix-adjusting-ptp-timestamps-for-tx-rx-latency.patch
iw_cxgb4-stop-mpa_reply-timer-when-disconnecting.patch
ixgbe-force-vlnctrl.vfe-to-be-set-in-all-vmdq-paths.patch
ixgbe-re-enable-ability-to-toggle-vlan-filtering.patch
kasan-avoid-overflowing-quarantine-size-on-low-memory-systems.patch
libceph-add-an-onstack-initializer-for-oids.patch
libceph-fix-return-value-check-in-alloc_msg_with_page_vector.patch
mm-kasan-don-t-reduce-quarantine-in-atomic-contexts.patch
pm-hibernate-fix-rtree_next_node-to-avoid-walking-off-list-ends.patch
pm-hibernate-restore-processor-state-before-using-per-cpu-variables.patch
power-supply-max17042_battery-fix-model-download-bug.patch
power_supply-tps65217-charger-fix-missing-platform_set_drvdata.patch
qxl-check-for-kmap-failures.patch
soc-tegra-pmc-don-t-probe-pmc-if-early-initialisation-fails.patch
x86-mm-pat-prevent-hang-during-boot-when-mapping-pages.patch

20 files changed:
queue-4.7/builddeb-really-include-objtool-binary-in-headers-package.patch [new file with mode: 0644]
queue-4.7/ceph-correctly-return-nxio-errors-from-ceph_llseek.patch [new file with mode: 0644]
queue-4.7/ceph-fix-symbol-versioning-for-ceph_monc_do_statfs.patch [new file with mode: 0644]
queue-4.7/hostfs-freeing-an-err_ptr-in-hostfs_fill_sb_common.patch [new file with mode: 0644]
queue-4.7/igb-fix-adjusting-ptp-timestamps-for-tx-rx-latency.patch [new file with mode: 0644]
queue-4.7/iw_cxgb4-stop-mpa_reply-timer-when-disconnecting.patch [new file with mode: 0644]
queue-4.7/ixgbe-force-vlnctrl.vfe-to-be-set-in-all-vmdq-paths.patch [new file with mode: 0644]
queue-4.7/ixgbe-re-enable-ability-to-toggle-vlan-filtering.patch [new file with mode: 0644]
queue-4.7/kasan-avoid-overflowing-quarantine-size-on-low-memory-systems.patch [new file with mode: 0644]
queue-4.7/libceph-add-an-onstack-initializer-for-oids.patch [new file with mode: 0644]
queue-4.7/libceph-fix-return-value-check-in-alloc_msg_with_page_vector.patch [new file with mode: 0644]
queue-4.7/mm-kasan-don-t-reduce-quarantine-in-atomic-contexts.patch [new file with mode: 0644]
queue-4.7/pm-hibernate-fix-rtree_next_node-to-avoid-walking-off-list-ends.patch [new file with mode: 0644]
queue-4.7/pm-hibernate-restore-processor-state-before-using-per-cpu-variables.patch [new file with mode: 0644]
queue-4.7/power-supply-max17042_battery-fix-model-download-bug.patch [new file with mode: 0644]
queue-4.7/power_supply-tps65217-charger-fix-missing-platform_set_drvdata.patch [new file with mode: 0644]
queue-4.7/qxl-check-for-kmap-failures.patch [new file with mode: 0644]
queue-4.7/series
queue-4.7/soc-tegra-pmc-don-t-probe-pmc-if-early-initialisation-fails.patch [new file with mode: 0644]
queue-4.7/x86-mm-pat-prevent-hang-during-boot-when-mapping-pages.patch [new file with mode: 0644]

diff --git a/queue-4.7/builddeb-really-include-objtool-binary-in-headers-package.patch b/queue-4.7/builddeb-really-include-objtool-binary-in-headers-package.patch
new file mode 100644 (file)
index 0000000..de2c177
--- /dev/null
@@ -0,0 +1,44 @@
+From 15f6d337159b2a9fdad8c0bef50ec826593ed5d2 Mon Sep 17 00:00:00 2001
+From: Wilfried Klaebe <linux-kernel@lebenslange-mailadresse.de>
+Date: Tue, 28 Jun 2016 12:21:33 +0000
+Subject: builddeb: really include objtool binary in headers package
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wilfried Klaebe <linux-kernel@lebenslange-mailadresse.de>
+
+commit 15f6d337159b2a9fdad8c0bef50ec826593ed5d2 upstream.
+
+On May 4th, Bjørn Mork provided patch 697bbc7b8320 ("builddeb: include
+objtool binary in headers package"). However, that one only works if
+$srctree=$objtree, because the objtool binaries are not written to the
+srctree, but to the objtree.
+
+Signed-off-by: Wilfried Klaebe <linux-kernel@lebenslange-mailadresse.de>
+Fixes: 697bbc7b8320 ("builddeb: include objtool binary in headers package")
+Signed-off-by: Michal Marek <mmarek@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/package/builddeb |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/scripts/package/builddeb
++++ b/scripts/package/builddeb
+@@ -322,12 +322,12 @@ fi
+ # Build kernel header package
+ (cd $srctree; find . -name Makefile\* -o -name Kconfig\* -o -name \*.pl) > "$objtree/debian/hdrsrcfiles"
+-if grep -q '^CONFIG_STACK_VALIDATION=y' $KCONFIG_CONFIG ; then
+-      (cd $srctree; find tools/objtool -type f -executable) >> "$objtree/debian/hdrsrcfiles"
+-fi
+ (cd $srctree; find arch/*/include include scripts -type f) >> "$objtree/debian/hdrsrcfiles"
+ (cd $srctree; find arch/$SRCARCH -name module.lds -o -name Kbuild.platforms -o -name Platform) >> "$objtree/debian/hdrsrcfiles"
+ (cd $srctree; find $(find arch/$SRCARCH -name include -o -name scripts -type d) -type f) >> "$objtree/debian/hdrsrcfiles"
++if grep -q '^CONFIG_STACK_VALIDATION=y' $KCONFIG_CONFIG ; then
++      (cd $objtree; find tools/objtool -type f -executable) >> "$objtree/debian/hdrobjfiles"
++fi
+ (cd $objtree; find arch/$SRCARCH/include Module.symvers include scripts -type f) >> "$objtree/debian/hdrobjfiles"
+ destdir=$kernel_headers_dir/usr/src/linux-headers-$version
+ mkdir -p "$destdir"
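Review bot: The added `(cd $objtree; find tools/objtool -type f -executable)` leaves `$objtree` unquoted although the redirect target on the same line quotes it, and `$KCONFIG_CONFIG` in the `grep` test is unquoted too, so a build path containing whitespace would be word-split. This matches the neighbouring lines, so it is a style point rather than a regression introduced here: `(cd "$objtree"; find tools/objtool -type f -executable) >> "$objtree/debian/hdrobjfiles"` and `grep -q '^CONFIG_STACK_VALIDATION=y' "$KCONFIG_CONFIG"`. A one-line comment above the moved block, e.g. `# objtool is built into $objtree, not $srctree`, would keep it from drifting back into the hdrsrcfiles list.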
diff --git a/queue-4.7/ceph-correctly-return-nxio-errors-from-ceph_llseek.patch b/queue-4.7/ceph-correctly-return-nxio-errors-from-ceph_llseek.patch
new file mode 100644 (file)
index 0000000..852d449
--- /dev/null
@@ -0,0 +1,65 @@
+From 955818cd5b6c4b58ea574ace4573e7afa4c19c1e Mon Sep 17 00:00:00 2001
+From: Phil Turnbull <phil.turnbull@oracle.com>
+Date: Thu, 21 Jul 2016 13:43:09 -0400
+Subject: ceph: Correctly return NXIO errors from ceph_llseek
+
+From: Phil Turnbull <phil.turnbull@oracle.com>
+
+commit 955818cd5b6c4b58ea574ace4573e7afa4c19c1e upstream.
+
+ceph_llseek does not correctly return NXIO errors because the 'out' path
+always returns 'offset'.
+
+Fixes: 06222e491e66 ("fs: handle SEEK_HOLE/SEEK_DATA properly in all fs's that define their own llseek")
+Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
+Signed-off-by: Yan, Zheng <zyan@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/file.c |   12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -1448,16 +1448,14 @@ static loff_t ceph_llseek(struct file *f
+ {
+       struct inode *inode = file->f_mapping->host;
+       loff_t i_size;
+-      int ret;
++      loff_t ret;
+       inode_lock(inode);
+       if (whence == SEEK_END || whence == SEEK_DATA || whence == SEEK_HOLE) {
+               ret = ceph_do_getattr(inode, CEPH_STAT_CAP_SIZE, false);
+-              if (ret < 0) {
+-                      offset = ret;
++              if (ret < 0)
+                       goto out;
+-              }
+       }
+       i_size = i_size_read(inode);
+@@ -1473,7 +1471,7 @@ static loff_t ceph_llseek(struct file *f
+                * write() or lseek() might have altered it
+                */
+               if (offset == 0) {
+-                      offset = file->f_pos;
++                      ret = file->f_pos;
+                       goto out;
+               }
+               offset += file->f_pos;
+@@ -1493,11 +1491,11 @@ static loff_t ceph_llseek(struct file *f
+               break;
+       }
+-      offset = vfs_setpos(file, offset, inode->i_sb->s_maxbytes);
++      ret = vfs_setpos(file, offset, inode->i_sb->s_maxbytes);
+ out:
+       inode_unlock(inode);
+-      return offset;
++      return ret;
+ }
+ static inline void ceph_zero_partial_page(
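Review bot: `loff_t ret;` is declared without an initializer and is now the only value returned at `out:`, so every `goto out` in ceph_llseek() has to assign it first. The hunks show that for the ceph_do_getattr() failure, the `offset == 0` shortcut and the vfs_setpos() call, but the remaining branches of the switch lie outside the hunks and cannot be checked from here. Initialising at the declaration, `loff_t ret = -EINVAL;`, would make a missed assignment return an error instead of an indeterminate stack value to the caller.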
diff --git a/queue-4.7/ceph-fix-symbol-versioning-for-ceph_monc_do_statfs.patch b/queue-4.7/ceph-fix-symbol-versioning-for-ceph_monc_do_statfs.patch
new file mode 100644 (file)
index 0000000..bb1c0df
--- /dev/null
@@ -0,0 +1,50 @@
+From a0f2b65275413b3438e9f55b1427273cd893c3b2 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 13 Jun 2016 15:04:56 +0200
+Subject: ceph: fix symbol versioning for ceph_monc_do_statfs
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit a0f2b65275413b3438e9f55b1427273cd893c3b2 upstream.
+
+The genksyms helper in the kernel cannot parse a type definition
+like "typeof(((type *)0)->keyfld)" that is used in the DEFINE_RB_FUNCS
+helper, causing the following EXPORT_SYMBOL() statement to be ignored
+when computing the crcs, and triggering a warning about this:
+
+WARNING: "ceph_monc_do_statfs" [fs/ceph/ceph.ko] has no CRC
+
+To work around the problem, we can rewrite the type to reference
+an undefined 'extern' symbol instead of a NULL pointer. This is
+evidently ok for genksyms, and it no longer complains about the
+line when calling it with 'genksyms -w'.
+
+I've looked briefly into extending genksyms instead, but it seems
+really hard to do. Jan Beulich introduced basic support for 'typeof'
+a while ago in dc53324060f3 ("genksyms: fix typeof() handling"),
+but that is not sufficient for the expression we have here.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Fixes: fcd00b68bbe2 ("libceph: DEFINE_RB_FUNCS macro")
+Cc: Jan Beulich <jbeulich@suse.com>
+Cc: Michal Marek <mmarek@suse.cz>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/ceph/libceph.h |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/linux/ceph/libceph.h
++++ b/include/linux/ceph/libceph.h
+@@ -214,8 +214,9 @@ static void erase_##name(struct rb_root
+ }
+ #define DEFINE_RB_LOOKUP_FUNC(name, type, keyfld, nodefld)            \
++extern type __lookup_##name##_key;                                    \
+ static type *lookup_##name(struct rb_root *root,                      \
+-                         typeof(((type *)0)->keyfld) key)             \
++                         typeof(__lookup_##name##_key.keyfld) key)    \
+ {                                                                     \
+       struct rb_node *n = root->rb_node;                              \
+                                                                       \
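Review bot: The new `extern type __lookup_##name##_key;` declares an object that the hunk never defines and that is used only as the operand of `typeof`, but nothing in the header says so. A comment above the `#define`, for example `/* __lookup_<name>_key is declaration-only: it gives genksyms a typeof() operand it can parse; never define or reference it */`, would stop a later cleanup from removing the declaration, or a caller from referencing the symbol and hitting a link error. The macro body continues past the end of the hunk.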
diff --git a/queue-4.7/hostfs-freeing-an-err_ptr-in-hostfs_fill_sb_common.patch b/queue-4.7/hostfs-freeing-an-err_ptr-in-hostfs_fill_sb_common.patch
new file mode 100644 (file)
index 0000000..49cd8fe
--- /dev/null
@@ -0,0 +1,37 @@
+From 8a545f185145e3c09348cd74326268ecfc6715a3 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 13 Jul 2016 13:12:34 +0300
+Subject: hostfs: Freeing an ERR_PTR in hostfs_fill_sb_common()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 8a545f185145e3c09348cd74326268ecfc6715a3 upstream.
+
+We can't pass error pointers to kfree() or it causes an oops.
+
+Fixes: 52b209f7b848 ('get rid of hostfs_read_inode()')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/hostfs/hostfs_kern.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/hostfs/hostfs_kern.c
++++ b/fs/hostfs/hostfs_kern.c
+@@ -959,10 +959,11 @@ static int hostfs_fill_sb_common(struct
+       if (S_ISLNK(root_inode->i_mode)) {
+               char *name = follow_link(host_root_path);
+-              if (IS_ERR(name))
++              if (IS_ERR(name)) {
+                       err = PTR_ERR(name);
+-              else
+-                      err = read_name(root_inode, name);
++                      goto out_put;
++              }
++              err = read_name(root_inode, name);
+               kfree(name);
+               if (err)
+                       goto out_put;
diff --git a/queue-4.7/igb-fix-adjusting-ptp-timestamps-for-tx-rx-latency.patch b/queue-4.7/igb-fix-adjusting-ptp-timestamps-for-tx-rx-latency.patch
new file mode 100644 (file)
index 0000000..95d08c3
--- /dev/null
@@ -0,0 +1,94 @@
+From 0066c8b6f4050d7c57f6379d6fd4535e2f267f17 Mon Sep 17 00:00:00 2001
+From: Kshitiz Gupta <kshitiz.gupta@ni.com>
+Date: Sat, 16 Jul 2016 02:23:45 -0500
+Subject: igb: fix adjusting PTP timestamps for Tx/Rx latency
+
+From: Kshitiz Gupta <kshitiz.gupta@ni.com>
+
+commit 0066c8b6f4050d7c57f6379d6fd4535e2f267f17 upstream.
+
+Fix PHY delay compensation math in igb_ptp_tx_hwtstamp() and
+igb_ptp_rx_rgtstamp. Add PHY delay compensation in
+igb_ptp_rx_pktstamp().
+
+In the IGB driver, there are two functions that retrieve timestamps
+received by the PHY - igb_ptp_rx_rgtstamp() and igb_ptp_rx_pktstamp().
+The previous commit only changed igb_ptp_rx_rgtstamp(), and the change
+was incorrect.
+
+There are two instances in which PHY delay compensations should be
+made:
+
+- Before the packet transmission over the PHY, the latency between
+  when the packet is timestamped and transmission of the packets,
+  should be an add operation, but it is currently a subtract.
+
+- After the packets are received from the PHY, the latency between
+  the receiving and timestamping of the packets should be a subtract
+  operation, but it is currently an add.
+
+Signed-off-by: Kshitiz Gupta <kshitiz.gupta@ni.com>
+Fixes: 3f544d2 (igb: adjust ptp timestamps for tx/rx latency)
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/igb/igb_ptp.c |   26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/intel/igb/igb_ptp.c
++++ b/drivers/net/ethernet/intel/igb/igb_ptp.c
+@@ -743,7 +743,8 @@ static void igb_ptp_tx_hwtstamp(struct i
+               }
+       }
+-      shhwtstamps.hwtstamp = ktime_sub_ns(shhwtstamps.hwtstamp, adjust);
++      shhwtstamps.hwtstamp =
++              ktime_add_ns(shhwtstamps.hwtstamp, adjust);
+       skb_tstamp_tx(adapter->ptp_tx_skb, &shhwtstamps);
+       dev_kfree_skb_any(adapter->ptp_tx_skb);
+@@ -766,13 +767,32 @@ void igb_ptp_rx_pktstamp(struct igb_q_ve
+                        struct sk_buff *skb)
+ {
+       __le64 *regval = (__le64 *)va;
++      struct igb_adapter *adapter = q_vector->adapter;
++      int adjust = 0;
+       /* The timestamp is recorded in little endian format.
+        * DWORD: 0        1        2        3
+        * Field: Reserved Reserved SYSTIML  SYSTIMH
+        */
+-      igb_ptp_systim_to_hwtstamp(q_vector->adapter, skb_hwtstamps(skb),
++      igb_ptp_systim_to_hwtstamp(adapter, skb_hwtstamps(skb),
+                                  le64_to_cpu(regval[1]));
++
++      /* adjust timestamp for the RX latency based on link speed */
++      if (adapter->hw.mac.type == e1000_i210) {
++              switch (adapter->link_speed) {
++              case SPEED_10:
++                      adjust = IGB_I210_RX_LATENCY_10;
++                      break;
++              case SPEED_100:
++                      adjust = IGB_I210_RX_LATENCY_100;
++                      break;
++              case SPEED_1000:
++                      adjust = IGB_I210_RX_LATENCY_1000;
++                      break;
++              }
++      }
++      skb_hwtstamps(skb)->hwtstamp =
++              ktime_sub_ns(skb_hwtstamps(skb)->hwtstamp, adjust);
+ }
+ /**
+@@ -824,7 +844,7 @@ void igb_ptp_rx_rgtstamp(struct igb_q_ve
+               }
+       }
+       skb_hwtstamps(skb)->hwtstamp =
+-              ktime_add_ns(skb_hwtstamps(skb)->hwtstamp, adjust);
++              ktime_sub_ns(skb_hwtstamps(skb)->hwtstamp, adjust);
+       /* Update the last_rx_timestamp timer in order to enable watchdog check
+        * for error case of latched timestamp on a dropped packet.
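Review bot: The i210 link-speed switch added to igb_ptp_rx_pktstamp() appears to repeat the one that computes `adjust` in igb_ptp_rx_rgtstamp(), whose tail is visible in the last hunk, so the two Rx paths can drift apart again. That drift is the kind of mistake this patch is correcting. A small static helper that returns the Rx latency for the current link speed, called from both Rx functions, keeps the sign and the constants in one place and gives the switch an explicit `default`. The bodies of igb_ptp_tx_hwtstamp() and igb_ptp_rx_rgtstamp() start outside their hunks, so the duplication is inferred from the visible `adjust` uses.

```c
/* Rx PHY latency for the current link speed; 0 when the MAC is not an i210. */
static int igb_ptp_i210_rx_latency(const struct igb_adapter *adapter)
{
	if (adapter->hw.mac.type != e1000_i210)
		return 0;

	switch (adapter->link_speed) {
	case SPEED_10:
		return IGB_I210_RX_LATENCY_10;
	case SPEED_100:
		return IGB_I210_RX_LATENCY_100;
	case SPEED_1000:
		return IGB_I210_RX_LATENCY_1000;
	default:
		return 0;
	}
}

/* … unchanged: igb_ptp_systim_to_hwtstamp() call in igb_ptp_rx_pktstamp() … */
	skb_hwtstamps(skb)->hwtstamp =
		ktime_sub_ns(skb_hwtstamps(skb)->hwtstamp,
			     igb_ptp_i210_rx_latency(adapter));
```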
diff --git a/queue-4.7/iw_cxgb4-stop-mpa_reply-timer-when-disconnecting.patch b/queue-4.7/iw_cxgb4-stop-mpa_reply-timer-when-disconnecting.patch
new file mode 100644 (file)
index 0000000..dac6046
--- /dev/null
@@ -0,0 +1,60 @@
+From 12eb5137edecfd8fb6d23dacec2a3630e729736f Mon Sep 17 00:00:00 2001
+From: Steve Wise <swise@opengridcomputing.com>
+Date: Fri, 29 Jul 2016 08:38:44 -0700
+Subject: iw_cxgb4: stop MPA_REPLY timer when disconnecting
+
+From: Steve Wise <swise@opengridcomputing.com>
+
+commit 12eb5137edecfd8fb6d23dacec2a3630e729736f upstream.
+
+There exists a race where the application can setup a connection
+and then disconnect it before iw_cxgb4 processes the fw4_ack
+message.  For passive side connections, the fw4_ack message is
+used to know when to stop the ep timer for MPA_REPLY messages.
+
+If the application disconnects before the fw4_ack is handled then
+c4iw_ep_disconnect() needs to clean up the timer state and stop the
+timer before restarting it for the disconnect timer.  Failure to do this
+results in a "timer already started" message and a premature stopping
+of the disconnect timer.
+
+Fixes: e4b76a2 ("RDMA/iw_cxgb4: stop_ep_timer() after MPA negotiation")
+
+Signed-off-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/cxgb4/cm.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -3011,9 +3011,9 @@ static int fw4_ack(struct c4iw_dev *dev,
+               PDBG("%s last streaming msg ack ep %p tid %u state %u "
+                    "initiator %u freeing skb\n", __func__, ep, ep->hwtid,
+                    state_read(&ep->com), ep->mpa_attr.initiator ? 1 : 0);
++              mutex_lock(&ep->com.mutex);
+               kfree_skb(ep->mpa_skb);
+               ep->mpa_skb = NULL;
+-              mutex_lock(&ep->com.mutex);
+               if (test_bit(STOP_MPA_TIMER, &ep->com.flags))
+                       stop_ep_timer(ep);
+               mutex_unlock(&ep->com.mutex);
+@@ -3582,6 +3582,16 @@ int c4iw_ep_disconnect(struct c4iw_ep *e
+                       ep->com.state = ABORTING;
+               else {
+                       ep->com.state = CLOSING;
++
++                      /*
++                       * if we close before we see the fw4_ack() then we fix
++                       * up the timer state since we're reusing it.
++                       */
++                      if (ep->mpa_skb &&
++                          test_bit(STOP_MPA_TIMER, &ep->com.flags)) {
++                              clear_bit(STOP_MPA_TIMER, &ep->com.flags);
++                              stop_ep_timer(ep);
++                      }
+                       start_ep_timer(ep);
+               }
+               set_bit(CLOSE_SENT, &ep->com.flags);
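Review bot: The fix-up added to c4iw_ep_disconnect() tests STOP_MPA_TIMER and then clears it in two separate steps; `if (ep->mpa_skb && test_and_clear_bit(STOP_MPA_TIMER, &ep->com.flags))` does the same in one atomic operation and leaves no window between the test and the clear. The condition also reads `ep->mpa_skb`, which fw4_ack() now frees and sets to NULL under `ep->com.mutex`. Whether c4iw_ep_disconnect() holds that mutex at this point is not visible, because the function starts outside the hunk. If it does, the new comment should say so, e.g. `/* ep->com.mutex is held here, pairing with fw4_ack() */`.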
diff --git a/queue-4.7/ixgbe-force-vlnctrl.vfe-to-be-set-in-all-vmdq-paths.patch b/queue-4.7/ixgbe-force-vlnctrl.vfe-to-be-set-in-all-vmdq-paths.patch
new file mode 100644 (file)
index 0000000..a350138
--- /dev/null
@@ -0,0 +1,83 @@
+From f60439bc21e3337429838e477903214f5bd8277f Mon Sep 17 00:00:00 2001
+From: Alexander Duyck <alexander.h.duyck@intel.com>
+Date: Thu, 11 Aug 2016 14:51:56 -0700
+Subject: ixgbe: Force VLNCTRL.VFE to be set in all VMDq paths
+
+From: Alexander Duyck <alexander.h.duyck@intel.com>
+
+commit f60439bc21e3337429838e477903214f5bd8277f upstream.
+
+When I was adding the code for enabling VLAN promiscuous mode with SR-IOV
+enabled I had inadvertently left the VLNCTRL.VFE bit unchanged as I has
+assumed there was code in another path that was setting it when we enabled
+SR-IOV.  This wasn't the case and as a result we were just disabling VLAN
+filtering for all the VFs apparently.
+
+Also the previous patches were always clearing CFIEN which was always set
+to 0 by the hardware anyway so I am dropping the redundant bit clearing.
+
+Fixes: 16369564915a ("ixgbe: Add support for VLAN promiscuous with SR-IOV")
+Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c |   18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -4100,6 +4100,8 @@ static void ixgbe_vlan_promisc_enable(st
+       struct ixgbe_hw *hw = &adapter->hw;
+       u32 vlnctrl, i;
++      vlnctrl = IXGBE_READ_REG(hw, IXGBE_VLNCTRL);
++
+       switch (hw->mac.type) {
+       case ixgbe_mac_82599EB:
+       case ixgbe_mac_X540:
+@@ -4112,8 +4114,7 @@ static void ixgbe_vlan_promisc_enable(st
+               /* fall through */
+       case ixgbe_mac_82598EB:
+               /* legacy case, we can just disable VLAN filtering */
+-              vlnctrl = IXGBE_READ_REG(hw, IXGBE_VLNCTRL);
+-              vlnctrl &= ~(IXGBE_VLNCTRL_VFE | IXGBE_VLNCTRL_CFIEN);
++              vlnctrl &= ~IXGBE_VLNCTRL_VFE;
+               IXGBE_WRITE_REG(hw, IXGBE_VLNCTRL, vlnctrl);
+               return;
+       }
+@@ -4125,6 +4126,10 @@ static void ixgbe_vlan_promisc_enable(st
+       /* Set flag so we don't redo unnecessary work */
+       adapter->flags2 |= IXGBE_FLAG2_VLAN_PROMISC;
++      /* For VMDq and SR-IOV we must leave VLAN filtering enabled */
++      vlnctrl |= IXGBE_VLNCTRL_VFE;
++      IXGBE_WRITE_REG(hw, IXGBE_VLNCTRL, vlnctrl);
++
+       /* Add PF to all active pools */
+       for (i = IXGBE_VLVF_ENTRIES; --i;) {
+               u32 reg_offset = IXGBE_VLVFB(i * 2 + VMDQ_P(0) / 32);
+@@ -4191,6 +4196,11 @@ static void ixgbe_vlan_promisc_disable(s
+       struct ixgbe_hw *hw = &adapter->hw;
+       u32 vlnctrl, i;
++      /* Set VLAN filtering to enabled */
++      vlnctrl = IXGBE_READ_REG(hw, IXGBE_VLNCTRL);
++      vlnctrl |= IXGBE_VLNCTRL_VFE;
++      IXGBE_WRITE_REG(hw, IXGBE_VLNCTRL, vlnctrl);
++
+       switch (hw->mac.type) {
+       case ixgbe_mac_82599EB:
+       case ixgbe_mac_X540:
+@@ -4202,10 +4212,6 @@ static void ixgbe_vlan_promisc_disable(s
+                       break;
+               /* fall through */
+       case ixgbe_mac_82598EB:
+-              vlnctrl = IXGBE_READ_REG(hw, IXGBE_VLNCTRL);
+-              vlnctrl &= ~IXGBE_VLNCTRL_CFIEN;
+-              vlnctrl |= IXGBE_VLNCTRL_VFE;
+-              IXGBE_WRITE_REG(hw, IXGBE_VLNCTRL, vlnctrl);
+               return;
+       }
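Review bot: In ixgbe_vlan_promisc_enable() the VLNCTRL value is now read at the top of the function but written back only after the switch and the IXGBE_FLAG2_VLAN_PROMISC update, so the read-modify-write is split across code that is partly outside the hunks. If anything in between can write VLNCTRL, the later `IXGBE_WRITE_REG(hw, IXGBE_VLNCTRL, vlnctrl);` would restore a stale value. Re-reading directly before `vlnctrl |= IXGBE_VLNCTRL_VFE;` with `vlnctrl = IXGBE_READ_REG(hw, IXGBE_VLNCTRL);` keeps the sequence self-contained, as the new block at the top of ixgbe_vlan_promisc_disable() already is. Because this bit decides whether VLAN filtering applies to the VFs at all, it is worth keeping each update easy to audit in isolation.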
diff --git a/queue-4.7/ixgbe-re-enable-ability-to-toggle-vlan-filtering.patch b/queue-4.7/ixgbe-re-enable-ability-to-toggle-vlan-filtering.patch
new file mode 100644 (file)
index 0000000..f88281b
--- /dev/null
@@ -0,0 +1,34 @@
+From 3d951822be216d8c6fcfc8abf75e5ed307eeb646 Mon Sep 17 00:00:00 2001
+From: Alexander Duyck <alexander.h.duyck@intel.com>
+Date: Fri, 12 Aug 2016 09:53:39 -0700
+Subject: ixgbe: Re-enable ability to toggle VLAN filtering
+
+From: Alexander Duyck <alexander.h.duyck@intel.com>
+
+commit 3d951822be216d8c6fcfc8abf75e5ed307eeb646 upstream.
+
+Back when I submitted the GSO code I messed up and dropped the support for
+disabling the VLAN tag filtering via the feature bit.  This patch
+re-enables the use of the NETIF_F_HW_VLAN_CTAG_FILTER to enable/disable the
+VLAN filtering independent of toggling promiscuous mode.
+
+Fixes: b83e30104b ("ixgbe/ixgbevf: Add support for GSO partial")
+Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -9502,6 +9502,7 @@ skip_sriov:
+       /* copy netdev features into list of user selectable features */
+       netdev->hw_features |= netdev->features |
++                             NETIF_F_HW_VLAN_CTAG_FILTER |
+                              NETIF_F_HW_VLAN_CTAG_RX |
+                              NETIF_F_HW_VLAN_CTAG_TX |
+                              NETIF_F_RXALL |
diff --git a/queue-4.7/kasan-avoid-overflowing-quarantine-size-on-low-memory-systems.patch b/queue-4.7/kasan-avoid-overflowing-quarantine-size-on-low-memory-systems.patch
new file mode 100644 (file)
index 0000000..b62d1ad
--- /dev/null
@@ -0,0 +1,52 @@
+From c3cee372282cb6bcdf19ac1457581d5dd5ecb554 Mon Sep 17 00:00:00 2001
+From: Alexander Potapenko <glider@google.com>
+Date: Tue, 2 Aug 2016 14:02:58 -0700
+Subject: kasan: avoid overflowing quarantine size on low memory systems
+
+From: Alexander Potapenko <glider@google.com>
+
+commit c3cee372282cb6bcdf19ac1457581d5dd5ecb554 upstream.
+
+If the total amount of memory assigned to quarantine is less than the
+amount of memory assigned to per-cpu quarantines, |new_quarantine_size|
+may overflow.  Instead, set it to zero.
+
+[akpm@linux-foundation.org: cleanup: use WARN_ONCE return value]
+Link: http://lkml.kernel.org/r/1470063563-96266-1-git-send-email-glider@google.com
+Fixes: 55834c59098d ("mm: kasan: initial memory quarantine implementation")
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/kasan/quarantine.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/mm/kasan/quarantine.c
++++ b/mm/kasan/quarantine.c
+@@ -196,7 +196,7 @@ void quarantine_put(struct kasan_free_me
+ void quarantine_reduce(void)
+ {
+-      size_t new_quarantine_size;
++      size_t new_quarantine_size, percpu_quarantines;
+       unsigned long flags;
+       struct qlist_head to_free = QLIST_INIT;
+       size_t size_to_free = 0;
+@@ -214,7 +214,12 @@ void quarantine_reduce(void)
+        */
+       new_quarantine_size = (READ_ONCE(totalram_pages) << PAGE_SHIFT) /
+               QUARANTINE_FRACTION;
+-      new_quarantine_size -= QUARANTINE_PERCPU_SIZE * num_online_cpus();
++      percpu_quarantines = QUARANTINE_PERCPU_SIZE * num_online_cpus();
++      if (WARN_ONCE(new_quarantine_size < percpu_quarantines,
++              "Too little memory, disabling global KASAN quarantine.\n"))
++              new_quarantine_size = 0;
++      else
++              new_quarantine_size -= percpu_quarantines;
+       WRITE_ONCE(quarantine_size, new_quarantine_size);
+       last = global_quarantine.head;
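Review bot: `WARN_ONCE()` is used in quarantine_reduce() to report an environmental condition (too little RAM for the per-cpu quarantines) rather than a kernel bug, so on a system running with panic_on_warn this path turns a small-memory KASAN boot into a panic. A plain `if (new_quarantine_size < percpu_quarantines)` with `pr_warn_once("Too little memory, disabling global KASAN quarantine.\n");` and `new_quarantine_size = 0;` reports the same condition without the backtrace or the panic risk. The function body continues outside the hunk.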
diff --git a/queue-4.7/libceph-add-an-onstack-initializer-for-oids.patch b/queue-4.7/libceph-add-an-onstack-initializer-for-oids.patch
new file mode 100644 (file)
index 0000000..8d9e3f8
--- /dev/null
@@ -0,0 +1,48 @@
+From 281dbe5db81c6137def9757e07a7aea14b1ed86e Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Tue, 26 Jul 2016 15:22:35 +0200
+Subject: libceph: add an ONSTACK initializer for oids
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 281dbe5db81c6137def9757e07a7aea14b1ed86e upstream.
+
+An on-stack oid in ceph_ioctl_get_dataloc() is not initialized,
+resulting in a WARN and a NULL pointer dereference later on.  We will
+have more of these on-stack in the future, so fix it with a convenience
+macro.
+
+Fixes: d30291b985d1 ("libceph: variable-sized ceph_object_id")
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/ioctl.c             |    2 +-
+ include/linux/ceph/osdmap.h |    5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/ceph/ioctl.c
++++ b/fs/ceph/ioctl.c
+@@ -183,7 +183,7 @@ static long ceph_ioctl_get_dataloc(struc
+       struct ceph_osd_client *osdc =
+               &ceph_sb_to_client(inode->i_sb)->client->osdc;
+       struct ceph_object_locator oloc;
+-      struct ceph_object_id oid;
++      CEPH_DEFINE_OID_ONSTACK(oid);
+       u64 len = 1, olen;
+       u64 tmp;
+       struct ceph_pg pgid;
+--- a/include/linux/ceph/osdmap.h
++++ b/include/linux/ceph/osdmap.h
+@@ -115,6 +115,11 @@ static inline void ceph_oid_init(struct
+       oid->name_len = 0;
+ }
++#define CEPH_OID_INIT_ONSTACK(oid)                                    \
++    ({ ceph_oid_init(&oid); oid; })
++#define CEPH_DEFINE_OID_ONSTACK(oid)                                  \
++      struct ceph_object_id oid = CEPH_OID_INIT_ONSTACK(oid)
++
+ static inline bool ceph_oid_empty(const struct ceph_object_id *oid)
+ {
+       return oid->name == oid->inline_name && !oid->name_len;
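Review bot: `CEPH_OID_INIT_ONSTACK(oid)` expands its argument unparenthesised and initialises the variable from a statement expression that reads the very object being declared, which is easy to misread as use of an uninitialised value. Writing the body as `({ ceph_oid_init(&(oid)); (oid); })` and adding a comment above the two macros, such as `/* declare an on-stack oid and run ceph_oid_init() on it; the argument must be a plain identifier */`, would make the contract explicit. The comment could also name the bug class this prevents, since the commit message reports a NULL pointer dereference from the uninitialised on-stack oid in ceph_ioctl_get_dataloc().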
diff --git a/queue-4.7/libceph-fix-return-value-check-in-alloc_msg_with_page_vector.patch b/queue-4.7/libceph-fix-return-value-check-in-alloc_msg_with_page_vector.patch
new file mode 100644 (file)
index 0000000..59c2027
--- /dev/null
@@ -0,0 +1,33 @@
+From c22e853a2ed19321d00c1eae339ffdc4f5e7757e Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyj.lk@gmail.com>
+Date: Sat, 30 Jul 2016 00:37:57 +0000
+Subject: libceph: fix return value check in alloc_msg_with_page_vector()
+
+From: Wei Yongjun <weiyj.lk@gmail.com>
+
+commit c22e853a2ed19321d00c1eae339ffdc4f5e7757e upstream.
+
+In case of error, the function ceph_alloc_page_vector() returns
+ERR_PTR() and never returns NULL. The NULL test in the return value
+check should be replaced with IS_ERR().
+
+Fixes: 1907920324f1 ('libceph: support for sending notifies')
+Signed-off-by: Wei Yongjun <weiyj.lk@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/osd_client.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ceph/osd_client.c
++++ b/net/ceph/osd_client.c
+@@ -4187,7 +4187,7 @@ static struct ceph_msg *alloc_msg_with_p
+               pages = ceph_alloc_page_vector(calc_pages_for(0, data_len),
+                                              GFP_NOIO);
+-              if (!pages) {
++              if (IS_ERR(pages)) {
+                       ceph_msg_put(m);
+                       return NULL;
+               }
diff --git a/queue-4.7/mm-kasan-don-t-reduce-quarantine-in-atomic-contexts.patch b/queue-4.7/mm-kasan-don-t-reduce-quarantine-in-atomic-contexts.patch
new file mode 100644 (file)
index 0000000..6469c16
--- /dev/null
@@ -0,0 +1,74 @@
+From 4b3ec5a3f4b1d5c9d64b9ab704042400d050d432 Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Tue, 2 Aug 2016 14:02:43 -0700
+Subject: mm/kasan: don't reduce quarantine in atomic contexts
+
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+
+commit 4b3ec5a3f4b1d5c9d64b9ab704042400d050d432 upstream.
+
+Currently we call quarantine_reduce() for ___GFP_KSWAPD_RECLAIM (implied
+by __GFP_RECLAIM) allocation.  So, basically we call it on almost every
+allocation.  quarantine_reduce() sometimes is heavy operation, and
+calling it with disabled interrupts may trigger hard LOCKUP:
+
+ NMI watchdog: Watchdog detected hard LOCKUP on cpu 2irq event stamp: 1411258
+ Call Trace:
+  <NMI>   dump_stack+0x68/0x96
+   watchdog_overflow_callback+0x15b/0x190
+   __perf_event_overflow+0x1b1/0x540
+   perf_event_overflow+0x14/0x20
+   intel_pmu_handle_irq+0x36a/0xad0
+   perf_event_nmi_handler+0x2c/0x50
+   nmi_handle+0x128/0x480
+   default_do_nmi+0xb2/0x210
+   do_nmi+0x1aa/0x220
+   end_repeat_nmi+0x1a/0x1e
+  <<EOE>>   __kernel_text_address+0x86/0xb0
+   print_context_stack+0x7b/0x100
+   dump_trace+0x12b/0x350
+   save_stack_trace+0x2b/0x50
+   set_track+0x83/0x140
+   free_debug_processing+0x1aa/0x420
+   __slab_free+0x1d6/0x2e0
+   ___cache_free+0xb6/0xd0
+   qlist_free_all+0x83/0x100
+   quarantine_reduce+0x177/0x1b0
+   kasan_kmalloc+0xf3/0x100
+
+Reduce the quarantine_reduce iff direct reclaim is allowed.
+
+Fixes: 55834c59098d("mm: kasan: initial memory quarantine implementation")
+Link: http://lkml.kernel.org/r/1470062715-14077-2-git-send-email-aryabinin@virtuozzo.com
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Reported-by: Dave Jones <davej@codemonkey.org.uk>
+Acked-by: Alexander Potapenko <glider@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/kasan/kasan.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/mm/kasan/kasan.c
++++ b/mm/kasan/kasan.c
+@@ -562,7 +562,7 @@ void kasan_kmalloc(struct kmem_cache *ca
+       unsigned long redzone_start;
+       unsigned long redzone_end;
+-      if (flags & __GFP_RECLAIM)
++      if (gfpflags_allow_blocking(flags))
+               quarantine_reduce();
+       if (unlikely(object == NULL))
+@@ -595,7 +595,7 @@ void kasan_kmalloc_large(const void *ptr
+       unsigned long redzone_start;
+       unsigned long redzone_end;
+-      if (flags & __GFP_RECLAIM)
++      if (gfpflags_allow_blocking(flags))
+               quarantine_reduce();
+       if (unlikely(ptr == NULL))
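Review bot: The new `gfpflags_allow_blocking(flags)` guard in kasan_kmalloc(), and the identical one in kasan_kmalloc_large(), has no comment saying why the quarantine is drained only from allocations that may block. I would add above each check `/* quarantine_reduce() can be slow; only run it where the allocation is allowed to block */`. If it holds for the callers, the same comment should also note a likely side effect: a run of purely atomic allocations no longer shrinks the quarantine, so it can presumably stay above its limit until the next blocking allocation. Both function bodies continue outside the hunks shown.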
diff --git a/queue-4.7/pm-hibernate-fix-rtree_next_node-to-avoid-walking-off-list-ends.patch b/queue-4.7/pm-hibernate-fix-rtree_next_node-to-avoid-walking-off-list-ends.patch
new file mode 100644 (file)
index 0000000..90f316b
--- /dev/null
@@ -0,0 +1,109 @@
+From 924d8696751c4b9e58263bc82efdafcf875596a6 Mon Sep 17 00:00:00 2001
+From: James Morse <james.morse@arm.com>
+Date: Tue, 16 Aug 2016 10:46:38 +0100
+Subject: PM / hibernate: Fix rtree_next_node() to avoid walking off list ends
+
+From: James Morse <james.morse@arm.com>
+
+commit 924d8696751c4b9e58263bc82efdafcf875596a6 upstream.
+
+rtree_next_node() walks the linked list of leaf nodes to find the next
+block of pages in the struct memory_bitmap. If it walks off the end of
+the list of nodes, it walks the list of memory zones to find the next
+region of memory. If it walks off the end of the list of zones, it
+returns false.
+
+This leaves the struct bm_position's node and zone pointers pointing
+at their respective struct list_heads in struct mem_zone_bm_rtree.
+
+memory_bm_find_bit() uses struct bm_position's node and zone pointers
+to avoid walking lists and trees if the next bit appears in the same
+node/zone. It handles these values being stale.
+
+Swap rtree_next_node()s 'step then test' to 'test-next then step',
+this means if we reach the end of memory we return false and leave
+the node and zone pointers as they were.
+
+This fixes a panic on resume using AMD Seattle with 64K pages:
+[    6.868732] Freezing user space processes ... (elapsed 0.000 seconds) done.
+[    6.875753] Double checking all user space processes after OOM killer disable... (elapsed 0.000 seconds)
+[    6.896453] PM: Using 3 thread(s) for decompression.
+[    6.896453] PM: Loading and decompressing image data (5339 pages)...
+[    7.318890] PM: Image loading progress:   0%
+[    7.323395] Unable to handle kernel paging request at virtual address 00800040
+[    7.330611] pgd = ffff000008df0000
+[    7.334003] [00800040] *pgd=00000083fffe0003, *pud=00000083fffe0003, *pmd=00000083fffd0003, *pte=0000000000000000
+[    7.344266] Internal error: Oops: 96000005 [#1] PREEMPT SMP
+[    7.349825] Modules linked in:
+[    7.352871] CPU: 2 PID: 1 Comm: swapper/0 Tainted: G        W I     4.8.0-rc1 #4737
+[    7.360512] Hardware name: AMD Overdrive/Supercharger/Default string, BIOS ROD1002C 04/08/2016
+[    7.369109] task: ffff8003c0220000 task.stack: ffff8003c0280000
+[    7.375020] PC is at set_bit+0x18/0x30
+[    7.378758] LR is at memory_bm_set_bit+0x24/0x30
+[    7.383362] pc : [<ffff00000835bbc8>] lr : [<ffff0000080faf18>] pstate: 60000045
+[    7.390743] sp : ffff8003c0283b00
+[    7.473551]
+[    7.475031] Process swapper/0 (pid: 1, stack limit = 0xffff8003c0280020)
+[    7.481718] Stack: (0xffff8003c0283b00 to 0xffff8003c0284000)
+[    7.800075] Call trace:
+[    7.887097] [<ffff00000835bbc8>] set_bit+0x18/0x30
+[    7.891876] [<ffff0000080fb038>] duplicate_memory_bitmap.constprop.38+0x54/0x70
+[    7.899172] [<ffff0000080fcc40>] snapshot_write_next+0x22c/0x47c
+[    7.905166] [<ffff0000080fe1b4>] load_image_lzo+0x754/0xa88
+[    7.910725] [<ffff0000080ff0a8>] swsusp_read+0x144/0x230
+[    7.916025] [<ffff0000080fa338>] load_image_and_restore+0x58/0x90
+[    7.922105] [<ffff0000080fa660>] software_resume+0x2f0/0x338
+[    7.927752] [<ffff000008083350>] do_one_initcall+0x38/0x11c
+[    7.933314] [<ffff000008b40cc0>] kernel_init_freeable+0x14c/0x1ec
+[    7.939395] [<ffff0000087ce564>] kernel_init+0x10/0xfc
+[    7.944520] [<ffff000008082e90>] ret_from_fork+0x10/0x40
+[    7.949820] Code: d2800022 8b400c21 f9800031 9ac32043 (c85f7c22)
+[    7.955909] ---[ end trace 0024a5986e6ff323 ]---
+[    7.960529] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
+
+Here struct mem_zone_bm_rtree's start_pfn has been returned instead of
+struct rtree_node's addr as the node/zone pointers are corrupt after
+we walked off the end of the lists during mark_unsafe_pages().
+
+This behaviour was exposed by commit 6dbecfd345a6 ("PM / hibernate:
+Simplify mark_unsafe_pages()"), which caused mark_unsafe_pages() to call
+duplicate_memory_bitmap(), which uses memory_bm_find_bit() after walking
+off the end of the memory bitmap.
+
+Fixes: 3a20cb177961 (PM / Hibernate: Implement position keeping in radix tree)
+Signed-off-by: James Morse <james.morse@arm.com>
+[ rjw: Subject ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/power/snapshot.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/power/snapshot.c
++++ b/kernel/power/snapshot.c
+@@ -765,9 +765,9 @@ static bool memory_bm_pfn_present(struct
+  */
+ static bool rtree_next_node(struct memory_bitmap *bm)
+ {
+-      bm->cur.node = list_entry(bm->cur.node->list.next,
+-                                struct rtree_node, list);
+-      if (&bm->cur.node->list != &bm->cur.zone->leaves) {
++      if (!list_is_last(&bm->cur.node->list, &bm->cur.zone->leaves)) {
++              bm->cur.node = list_entry(bm->cur.node->list.next,
++                                        struct rtree_node, list);
+               bm->cur.node_pfn += BM_BITS_PER_BLOCK;
+               bm->cur.node_bit  = 0;
+               touch_softlockup_watchdog();
+@@ -775,9 +775,9 @@ static bool rtree_next_node(struct memor
+       }
+       /* No more nodes, goto next zone */
+-      bm->cur.zone = list_entry(bm->cur.zone->list.next,
++      if (!list_is_last(&bm->cur.zone->list, &bm->zones)) {
++              bm->cur.zone = list_entry(bm->cur.zone->list.next,
+                                 struct mem_zone_bm_rtree, list);
+-      if (&bm->cur.zone->list != &bm->zones) {
+               bm->cur.node = list_entry(bm->cur.zone->leaves.next,
+                                         struct rtree_node, list);
+               bm->cur.node_pfn = 0;
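Review bot: rtree_next_node() now has a contract that the code does not state: when it returns false, `bm->cur.node` and `bm->cur.zone` still point at the last real node and zone rather than at the list heads. The commit message explains this, but the function's header comment, which ends just above the first hunk, is not updated. A line such as `On false, bm->cur is left at the last valid node/zone so memory_bm_find_bit() can keep using it.` would guard against a later edit restoring the step-then-test order. In the zone branch, the continuation line `struct mem_zone_bm_rtree, list);` kept its old indentation and no longer lines up with the re-indented `list_entry(` call. The function body continues past the second hunk.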
diff --git a/queue-4.7/pm-hibernate-restore-processor-state-before-using-per-cpu-variables.patch b/queue-4.7/pm-hibernate-restore-processor-state-before-using-per-cpu-variables.patch
new file mode 100644 (file)
index 0000000..b36098e
--- /dev/null
@@ -0,0 +1,48 @@
+From 62822e2ec4ad091ba31f823f577ef80db52e3c2c Mon Sep 17 00:00:00 2001
+From: Thomas Garnier <thgarnie@google.com>
+Date: Thu, 11 Aug 2016 14:49:29 -0700
+Subject: PM / hibernate: Restore processor state before using per-CPU variables
+
+From: Thomas Garnier <thgarnie@google.com>
+
+commit 62822e2ec4ad091ba31f823f577ef80db52e3c2c upstream.
+
+Restore the processor state before calling any other functions to
+ensure per-CPU variables can be used with KASLR memory randomization.
+
+Tracing functions use per-CPU variables (GS based on x86) and one was
+called just before restoring the processor state fully. It resulted
+in a double fault when both the tracing & the exception handler
+functions tried to use a per-CPU variable.
+
+Fixes: bb3632c6101b (PM / sleep: trace events for suspend/resume)
+Reported-and-tested-by: Borislav Petkov <bp@suse.de>
+Reported-by: Jiri Kosina <jikos@kernel.org>
+Tested-by: Rafael J. Wysocki <rafael@kernel.org>
+Tested-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Thomas Garnier <thgarnie@google.com>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/power/hibernate.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -299,12 +299,12 @@ static int create_image(int platform_mod
+       save_processor_state();
+       trace_suspend_resume(TPS("machine_suspend"), PM_EVENT_HIBERNATE, true);
+       error = swsusp_arch_suspend();
++      /* Restore control flow magically appears here */
++      restore_processor_state();
+       trace_suspend_resume(TPS("machine_suspend"), PM_EVENT_HIBERNATE, false);
+       if (error)
+               printk(KERN_ERR "PM: Error %d creating hibernation image\n",
+                       error);
+-      /* Restore control flow magically appears here */
+-      restore_processor_state();
+       if (!in_suspend)
+               events_check_enabled = false;
diff --git a/queue-4.7/power-supply-max17042_battery-fix-model-download-bug.patch b/queue-4.7/power-supply-max17042_battery-fix-model-download-bug.patch
new file mode 100644 (file)
index 0000000..7f9d698
--- /dev/null
@@ -0,0 +1,75 @@
+From 5381cfb6f0422da24cfa9da35b0433c0415830e0 Mon Sep 17 00:00:00 2001
+From: Sven Van Asbroeck <thesven73@gmail.com>
+Date: Fri, 12 Aug 2016 09:10:27 -0400
+Subject: power: supply: max17042_battery: fix model download bug.
+
+From: Sven Van Asbroeck <thesven73@gmail.com>
+
+commit 5381cfb6f0422da24cfa9da35b0433c0415830e0 upstream.
+
+The device's model download function returns the model data as
+an array of u32s, which is later compared to the reference
+model data. However, since the latter is an array of u16s,
+the comparison does not happen correctly, and model verification
+fails. This in turn breaks the POR initialization sequence.
+
+Fixes: 39e7213edc4f3 ("max17042_battery: Support regmap to access device's registers")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Sven Van Asbroeck <TheSven73@googlemail.com>
+Reviewed-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/max17042_battery.c |   15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/power/max17042_battery.c
++++ b/drivers/power/max17042_battery.c
+@@ -457,13 +457,16 @@ static inline void max17042_write_model_
+ }
+ static inline void max17042_read_model_data(struct max17042_chip *chip,
+-                                      u8 addr, u32 *data, int size)
++                                      u8 addr, u16 *data, int size)
+ {
+       struct regmap *map = chip->regmap;
+       int i;
++      u32 tmp;
+-      for (i = 0; i < size; i++)
+-              regmap_read(map, addr + i, &data[i]);
++      for (i = 0; i < size; i++) {
++              regmap_read(map, addr + i, &tmp);
++              data[i] = (u16)tmp;
++      }
+ }
+ static inline int max17042_model_data_compare(struct max17042_chip *chip,
+@@ -486,7 +489,7 @@ static int max17042_init_model(struct ma
+ {
+       int ret;
+       int table_size = ARRAY_SIZE(chip->pdata->config_data->cell_char_tbl);
+-      u32 *temp_data;
++      u16 *temp_data;
+       temp_data = kcalloc(table_size, sizeof(*temp_data), GFP_KERNEL);
+       if (!temp_data)
+@@ -501,7 +504,7 @@ static int max17042_init_model(struct ma
+       ret = max17042_model_data_compare(
+               chip,
+               chip->pdata->config_data->cell_char_tbl,
+-              (u16 *)temp_data,
++              temp_data,
+               table_size);
+       max10742_lock_model(chip);
+@@ -514,7 +517,7 @@ static int max17042_verify_model_lock(st
+ {
+       int i;
+       int table_size = ARRAY_SIZE(chip->pdata->config_data->cell_char_tbl);
+-      u32 *temp_data;
++      u16 *temp_data;
+       int ret = 0;
+       temp_data = kcalloc(table_size, sizeof(*temp_data), GFP_KERNEL);
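Review bot: In max17042_read_model_data() the new `u32 tmp;` is uninitialised and the return value of regmap_read() is ignored, so a failed read can store an indeterminate stack value into `data[i]`. Before this change a failed read presumably left the kcalloc()-zeroed buffer entry as it was. Since the function returns void, the smallest fix is to handle the failure inside the loop: `if (regmap_read(map, addr + i, &tmp)) tmp = 0;` before `data[i] = (u16)tmp;`. Initialising `tmp` once at its declaration would not be enough, because a later failed read would reuse the previous register's value. The callers max17042_init_model() and max17042_verify_model_lock() continue outside their hunks.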
diff --git a/queue-4.7/power_supply-tps65217-charger-fix-missing-platform_set_drvdata.patch b/queue-4.7/power_supply-tps65217-charger-fix-missing-platform_set_drvdata.patch
new file mode 100644 (file)
index 0000000..814c519
--- /dev/null
@@ -0,0 +1,33 @@
+From 33e7664a0af6e9a516f01014f39737aaa119b6d9 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyj.lk@gmail.com>
+Date: Tue, 26 Jul 2016 14:49:04 +0000
+Subject: power_supply: tps65217-charger: fix missing platform_set_drvdata()
+
+From: Wei Yongjun <weiyj.lk@gmail.com>
+
+commit 33e7664a0af6e9a516f01014f39737aaa119b6d9 upstream.
+
+Add missing platform_set_drvdata() in tps65217_charger_probe(), otherwise
+calling platform_get_drvdata() in remove returns NULL.
+
+This is detected by Coccinelle semantic patch.
+
+Fixes: 3636859b280c ("power_supply: Add support for tps65217-charger")
+Signed-off-by: Wei Yongjun <weiyj.lk@gmail.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/tps65217_charger.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/power/tps65217_charger.c
++++ b/drivers/power/tps65217_charger.c
+@@ -206,6 +206,7 @@ static int tps65217_charger_probe(struct
+       if (!charger)
+               return -ENOMEM;
++      platform_set_drvdata(pdev, charger);
+       charger->tps = tps;
+       charger->dev = &pdev->dev;
diff --git a/queue-4.7/qxl-check-for-kmap-failures.patch b/queue-4.7/qxl-check-for-kmap-failures.patch
new file mode 100644 (file)
index 0000000..a027592
--- /dev/null
@@ -0,0 +1,32 @@
+From f4cceb2affcd1285d4ce498089e8a79f4cd2fa66 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 11 Jul 2016 11:46:33 +0300
+Subject: qxl: check for kmap failures
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit f4cceb2affcd1285d4ce498089e8a79f4cd2fa66 upstream.
+
+If kmap fails, it leads to memory corruption.
+
+Fixes: f64122c1f6ad ('drm: add new QXL driver. (v1.4)')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: http://patchwork.freedesktop.org/patch/msgid/20160711084633.GA31411@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/qxl/qxl_draw.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/qxl/qxl_draw.c
++++ b/drivers/gpu/drm/qxl/qxl_draw.c
+@@ -136,6 +136,8 @@ static int qxl_palette_create_1bit(struc
+                                * correctly globaly, since that would require
+                                * tracking all of our palettes. */
+       ret = qxl_bo_kmap(palette_bo, (void **)&pal);
++      if (ret)
++              return ret;
+       pal->num_ents = 2;
+       pal->unique = unique++;
+       if (visual == FB_VISUAL_TRUECOLOR || visual == FB_VISUAL_DIRECTCOLOR) {
index 054a5855d8ca79d81d848b3adcc622dfc6b03c13..4bc2f580980caad99b40b0480fa9743aecd3423d 100644 (file)
@@ -48,3 +48,22 @@ mips-remove-compact-branch-policy-kconfig-entries.patch
 mips-avoid-a-bug-warning-during-prctl-pr_set_fp_mode.patch
 mips-add-a-missing-.set-pop-in-an-early-commit.patch
 mips-paravirt-fix-undefined-reference-to-smp_bootstrap.patch
+x86-mm-pat-prevent-hang-during-boot-when-mapping-pages.patch
+libceph-add-an-onstack-initializer-for-oids.patch
+ceph-fix-symbol-versioning-for-ceph_monc_do_statfs.patch
+ceph-correctly-return-nxio-errors-from-ceph_llseek.patch
+libceph-fix-return-value-check-in-alloc_msg_with_page_vector.patch
+pm-hibernate-restore-processor-state-before-using-per-cpu-variables.patch
+pm-hibernate-fix-rtree_next_node-to-avoid-walking-off-list-ends.patch
+power_supply-tps65217-charger-fix-missing-platform_set_drvdata.patch
+power-supply-max17042_battery-fix-model-download-bug.patch
+ixgbe-force-vlnctrl.vfe-to-be-set-in-all-vmdq-paths.patch
+ixgbe-re-enable-ability-to-toggle-vlan-filtering.patch
+igb-fix-adjusting-ptp-timestamps-for-tx-rx-latency.patch
+soc-tegra-pmc-don-t-probe-pmc-if-early-initialisation-fails.patch
+qxl-check-for-kmap-failures.patch
+hostfs-freeing-an-err_ptr-in-hostfs_fill_sb_common.patch
+kasan-avoid-overflowing-quarantine-size-on-low-memory-systems.patch
+mm-kasan-don-t-reduce-quarantine-in-atomic-contexts.patch
+iw_cxgb4-stop-mpa_reply-timer-when-disconnecting.patch
+builddeb-really-include-objtool-binary-in-headers-package.patch
diff --git a/queue-4.7/soc-tegra-pmc-don-t-probe-pmc-if-early-initialisation-fails.patch b/queue-4.7/soc-tegra-pmc-don-t-probe-pmc-if-early-initialisation-fails.patch
new file mode 100644 (file)
index 0000000..6b05450
--- /dev/null
@@ -0,0 +1,55 @@
+From a83f1fc3f33930d01e579b9d4de92a045297b402 Mon Sep 17 00:00:00 2001
+From: Jon Hunter <jonathanh@nvidia.com>
+Date: Tue, 28 Jun 2016 11:38:28 +0100
+Subject: soc/tegra: pmc: Don't probe PMC if early initialisation fails
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+commit a83f1fc3f33930d01e579b9d4de92a045297b402 upstream.
+
+Commit 0259f522e04f ('soc/tegra: pmc: Restore base address on probe
+failure') fixes an issue where the PMC base address pointer is not
+restored on probe failure. However, this fix creates another problem
+where if early initialisation of the PMC driver fails and an initial
+mapping for the PMC address space is not created, then when the PMC
+device is probed, the PMC base address pointer will not be valid and
+this will cause a crash when tegra_pmc_init() is called and attempts
+to access a register.
+
+Although the PMC address space is mapped a 2nd time during the probe
+and so this could be fixed by populating the base address pointer
+earlier during the probe, this adds more complexity to the code.
+Moreover, the PMC probe also assumes the the soc data pointer is also
+initialised when the device is probed and if not will also lead to a
+crash when calling tegra_pmc_init_tsense_reset(). Given that if the
+early initialisation does fail then something bad has happen, it seems
+acceptable to allow the PMC device probe to fail as well. Therefore, if
+the PMC base address pointer or soc data pointer are not valid when
+probing the PMC device, WARN and return an error.
+
+Fixes: 0259f522e04f ('soc/tegra: pmc: Restore base address on probe failure')
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/soc/tegra/pmc.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/soc/tegra/pmc.c
++++ b/drivers/soc/tegra/pmc.c
+@@ -1205,6 +1205,14 @@ static int tegra_pmc_probe(struct platfo
+       struct resource *res;
+       int err;
++      /*
++       * Early initialisation should have configured an initial
++       * register mapping and setup the soc data pointer. If these
++       * are not valid then something went badly wrong!
++       */
++      if (WARN_ON(!pmc->base || !pmc->soc))
++              return -ENODEV;
++
+       err = tegra_pmc_parse_dt(pmc, pdev->dev.of_node);
+       if (err < 0)
+               return err;
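Review bot: The combined `WARN_ON(!pmc->base || !pmc->soc)` at the top of tegra_pmc_probe() does not show in the log which of the two pointers early initialisation failed to set up. Writing it as `if (WARN_ON(!pmc->base) || WARN_ON(!pmc->soc))` keeps the single `return -ENODEV;` and gives each condition its own warning line. In the added comment, "setup the soc data pointer" should read "set up the soc data pointer". The function body continues outside the hunk.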
diff --git a/queue-4.7/x86-mm-pat-prevent-hang-during-boot-when-mapping-pages.patch b/queue-4.7/x86-mm-pat-prevent-hang-during-boot-when-mapping-pages.patch
new file mode 100644 (file)
index 0000000..31f7c80
--- /dev/null
@@ -0,0 +1,107 @@
+From e535ec0899d1fe52ec3a84c9bc03457ac67ad6f7 Mon Sep 17 00:00:00 2001
+From: Matt Fleming <matt@codeblueprint.co.uk>
+Date: Tue, 20 Sep 2016 14:26:21 +0100
+Subject: x86/mm/pat: Prevent hang during boot when mapping pages
+
+From: Matt Fleming <matt@codeblueprint.co.uk>
+
+commit e535ec0899d1fe52ec3a84c9bc03457ac67ad6f7 upstream.
+
+There's a mixture of signed 32-bit and unsigned 32-bit and 64-bit data
+types used for keeping track of how many pages have been mapped.
+
+This leads to hangs during boot when mapping large numbers of pages
+(multiple terabytes, as reported by Waiman) because those values are
+interpreted as being negative.
+
+commit 742563777e8d ("x86/mm/pat: Avoid truncation when converting
+cpa->numpages to address") fixed one of those bugs, but there is
+another lurking in __change_page_attr_set_clr().
+
+Additionally, the return value type for the populate_*() functions can
+return negative values when a large number of pages have been mapped,
+triggering the error paths even though no error occurred.
+
+Consistently use 64-bit types on 64-bit platforms when counting pages.
+Even in the signed case this gives us room for regions 8PiB
+(pebibytes) in size whilst still allowing the usual negative value
+error checking idiom.
+
+Reported-by: Waiman Long <waiman.long@hpe.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+CC: Theodore Ts'o <tytso@mit.edu>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Scott J Norton <scott.norton@hpe.com>
+Cc: Douglas Hatch <doug.hatch@hpe.com>
+Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/pageattr.c |   21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/mm/pageattr.c
++++ b/arch/x86/mm/pageattr.c
+@@ -932,11 +932,11 @@ static void populate_pte(struct cpa_data
+       }
+ }
+-static int populate_pmd(struct cpa_data *cpa,
+-                      unsigned long start, unsigned long end,
+-                      unsigned num_pages, pud_t *pud, pgprot_t pgprot)
++static long populate_pmd(struct cpa_data *cpa,
++                       unsigned long start, unsigned long end,
++                       unsigned num_pages, pud_t *pud, pgprot_t pgprot)
+ {
+-      unsigned int cur_pages = 0;
++      long cur_pages = 0;
+       pmd_t *pmd;
+       pgprot_t pmd_pgprot;
+@@ -1006,12 +1006,12 @@ static int populate_pmd(struct cpa_data
+       return num_pages;
+ }
+-static int populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd,
+-                      pgprot_t pgprot)
++static long populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd,
++                       pgprot_t pgprot)
+ {
+       pud_t *pud;
+       unsigned long end;
+-      int cur_pages = 0;
++      long cur_pages = 0;
+       pgprot_t pud_pgprot;
+       end = start + (cpa->numpages << PAGE_SHIFT);
+@@ -1067,7 +1067,7 @@ static int populate_pud(struct cpa_data
+       /* Map trailing leftover */
+       if (start < end) {
+-              int tmp;
++              long tmp;
+               pud = pud_offset(pgd, start);
+               if (pud_none(*pud))
+@@ -1093,7 +1093,7 @@ static int populate_pgd(struct cpa_data
+       pgprot_t pgprot = __pgprot(_KERNPG_TABLE);
+       pud_t *pud = NULL;      /* shut up gcc */
+       pgd_t *pgd_entry;
+-      int ret;
++      long ret;
+       pgd_entry = cpa->pgd + pgd_index(addr);
+@@ -1336,7 +1336,8 @@ static int cpa_process_alias(struct cpa_
+ static int __change_page_attr_set_clr(struct cpa_data *cpa, int checkalias)
+ {
+-      int ret, numpages = cpa->numpages;
++      unsigned long numpages = cpa->numpages;
++      int ret;
+       while (numpages) {
+               /*