--- /dev/null
+From 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:20 -0400
+Subject: ALSA: timer: Fix leak in events via snd_timer_user_ccallback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kangjie Lu <kangjielu@gmail.com>
+
+commit 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 upstream.
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(str
+ tu->tstamp = *tstamp;
+ if ((tu->filter & (1 << event)) == 0 || !tu->tread)
+ return;
++ memset(&r1, 0, sizeof(r1));
+ r1.event = event;
+ r1.tstamp = *tstamp;
+ r1.val = resolution;
--- /dev/null
+From e4ec8cc8039a7063e24204299b462bd1383184a5 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:32 -0400
+Subject: ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kangjie Lu <kangjielu@gmail.com>
+
+commit e4ec8cc8039a7063e24204299b462bd1383184a5 upstream.
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(st
+ }
+ if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
+ tu->last_resolution != resolution) {
++ memset(&r1, 0, sizeof(r1));
+ r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
+ r1.tstamp = tstamp;
+ r1.val = resolution;
--- /dev/null
+From cec8f96e49d9be372fdb0c3836dcf31ec71e457e Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:07 -0400
+Subject: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kangjie Lu <kangjielu@gmail.com>
+
+commit cec8f96e49d9be372fdb0c3836dcf31ec71e457e upstream.
+
+The stack object “tread” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct
+ if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
+ if (tu->tread) {
+ struct snd_timer_tread tread;
++ memset(&tread, 0, sizeof(tread));
+ tread.event = SNDRV_TIMER_EVENT_EARLY;
+ tread.tstamp.tv_sec = 0;
+ tread.tstamp.tv_nsec = 0;
--- /dev/null
+From 82d6489d0fed2ec8a8c48c19e8d8a04ac8e5bb26 Mon Sep 17 00:00:00 2001
+From: Daniel Bristot de Oliveira <bristot@redhat.com>
+Date: Wed, 22 Jun 2016 17:28:41 -0300
+Subject: cgroup: Disable IRQs while holding css_set_lock
+
+From: Daniel Bristot de Oliveira <bristot@redhat.com>
+
+commit 82d6489d0fed2ec8a8c48c19e8d8a04ac8e5bb26 upstream.
+
+While testing the deadline scheduler + cgroup setup I hit this
+warning.
+
+[ 132.612935] ------------[ cut here ]------------
+[ 132.612951] WARNING: CPU: 5 PID: 0 at kernel/softirq.c:150 __local_bh_enable_ip+0x6b/0x80
+[ 132.612952] Modules linked in: (a ton of modules...)
+[ 132.612981] CPU: 5 PID: 0 Comm: swapper/5 Not tainted 4.7.0-rc2 #2
+[ 132.612981] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191134- 04/01/2014
+[ 132.612982] 0000000000000086 45c8bb5effdd088b ffff88013fd43da0 ffffffff813d229e
+[ 132.612984] 0000000000000000 0000000000000000 ffff88013fd43de0 ffffffff810a652b
+[ 132.612985] 00000096811387b5 0000000000000200 ffff8800bab29d80 ffff880034c54c00
+[ 132.612986] Call Trace:
+[ 132.612987] <IRQ> [<ffffffff813d229e>] dump_stack+0x63/0x85
+[ 132.612994] [<ffffffff810a652b>] __warn+0xcb/0xf0
+[ 132.612997] [<ffffffff810e76a0>] ? push_dl_task.part.32+0x170/0x170
+[ 132.612999] [<ffffffff810a665d>] warn_slowpath_null+0x1d/0x20
+[ 132.613000] [<ffffffff810aba5b>] __local_bh_enable_ip+0x6b/0x80
+[ 132.613008] [<ffffffff817d6c8a>] _raw_write_unlock_bh+0x1a/0x20
+[ 132.613010] [<ffffffff817d6c9e>] _raw_spin_unlock_bh+0xe/0x10
+[ 132.613015] [<ffffffff811388ac>] put_css_set+0x5c/0x60
+[ 132.613016] [<ffffffff8113dc7f>] cgroup_free+0x7f/0xa0
+[ 132.613017] [<ffffffff810a3912>] __put_task_struct+0x42/0x140
+[ 132.613018] [<ffffffff810e776a>] dl_task_timer+0xca/0x250
+[ 132.613027] [<ffffffff810e76a0>] ? push_dl_task.part.32+0x170/0x170
+[ 132.613030] [<ffffffff8111371e>] __hrtimer_run_queues+0xee/0x270
+[ 132.613031] [<ffffffff81113ec8>] hrtimer_interrupt+0xa8/0x190
+[ 132.613034] [<ffffffff81051a58>] local_apic_timer_interrupt+0x38/0x60
+[ 132.613035] [<ffffffff817d9b0d>] smp_apic_timer_interrupt+0x3d/0x50
+[ 132.613037] [<ffffffff817d7c5c>] apic_timer_interrupt+0x8c/0xa0
+[ 132.613038] <EOI> [<ffffffff81063466>] ? native_safe_halt+0x6/0x10
+[ 132.613043] [<ffffffff81037a4e>] default_idle+0x1e/0xd0
+[ 132.613044] [<ffffffff810381cf>] arch_cpu_idle+0xf/0x20
+[ 132.613046] [<ffffffff810e8fda>] default_idle_call+0x2a/0x40
+[ 132.613047] [<ffffffff810e92d7>] cpu_startup_entry+0x2e7/0x340
+[ 132.613048] [<ffffffff81050235>] start_secondary+0x155/0x190
+[ 132.613049] ---[ end trace f91934d162ce9977 ]---
+
+The warn is the spin_(lock|unlock)_bh(&css_set_lock) in the interrupt
+context. Converting the spin_lock_bh to spin_lock_irq(save) to avoid
+this problem - and other problems of sharing a spinlock with an
+interrupt.
+
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Li Zefan <lizefan@huawei.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Juri Lelli <juri.lelli@arm.com>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: cgroups@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Reviewed-by: Rik van Riel <riel@redhat.com>
+Reviewed-by: "Luis Claudio R. Goncalves" <lgoncalv@redhat.com>
+Signed-off-by: Daniel Bristot de Oliveira <bristot@redhat.com>
+Acked-by: Zefan Li <lizefan@huawei.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cgroup.c | 142 +++++++++++++++++++++++++++++---------------------------
+ 1 file changed, 74 insertions(+), 68 deletions(-)
+
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -837,6 +837,8 @@ static void put_css_set_locked(struct cs
+
+ static void put_css_set(struct css_set *cset)
+ {
++ unsigned long flags;
++
+ /*
+ * Ensure that the refcount doesn't hit zero while any readers
+ * can see it. Similar to atomic_dec_and_lock(), but for an
+@@ -845,9 +847,9 @@ static void put_css_set(struct css_set *
+ if (atomic_add_unless(&cset->refcount, -1, 1))
+ return;
+
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irqsave(&css_set_lock, flags);
+ put_css_set_locked(cset);
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irqrestore(&css_set_lock, flags);
+ }
+
+ /*
+@@ -1070,11 +1072,11 @@ static struct css_set *find_css_set(stru
+
+ /* First see if we already have a cgroup group that matches
+ * the desired set */
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ cset = find_existing_css_set(old_cset, cgrp, template);
+ if (cset)
+ get_css_set(cset);
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+
+ if (cset)
+ return cset;
+@@ -1102,7 +1104,7 @@ static struct css_set *find_css_set(stru
+ * find_existing_css_set() */
+ memcpy(cset->subsys, template, sizeof(cset->subsys));
+
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ /* Add reference counts and links from the new css_set. */
+ list_for_each_entry(link, &old_cset->cgrp_links, cgrp_link) {
+ struct cgroup *c = link->cgrp;
+@@ -1128,7 +1130,7 @@ static struct css_set *find_css_set(stru
+ css_get(css);
+ }
+
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+
+ return cset;
+ }
+@@ -1192,7 +1194,7 @@ static void cgroup_destroy_root(struct c
+ * Release all the links from cset_links to this hierarchy's
+ * root cgroup
+ */
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+
+ list_for_each_entry_safe(link, tmp_link, &cgrp->cset_links, cset_link) {
+ list_del(&link->cset_link);
+@@ -1200,7 +1202,7 @@ static void cgroup_destroy_root(struct c
+ kfree(link);
+ }
+
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+
+ if (!list_empty(&root->root_list)) {
+ list_del(&root->root_list);
+@@ -1600,11 +1602,11 @@ static int rebind_subsystems(struct cgro
+ ss->root = dst_root;
+ css->cgroup = dcgrp;
+
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ hash_for_each(css_set_table, i, cset, hlist)
+ list_move_tail(&cset->e_cset_node[ss->id],
+ &dcgrp->e_csets[ss->id]);
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+
+ /* default hierarchy doesn't enable controllers by default */
+ dst_root->subsys_mask |= 1 << ssid;
+@@ -1640,10 +1642,10 @@ static int cgroup_show_path(struct seq_f
+ if (!buf)
+ return -ENOMEM;
+
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ ns_cgroup = current_cgns_cgroup_from_root(kf_cgroot);
+ len = kernfs_path_from_node(kf_node, ns_cgroup->kn, buf, PATH_MAX);
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+
+ if (len >= PATH_MAX)
+ len = -ERANGE;
+@@ -1897,7 +1899,7 @@ static void cgroup_enable_task_cg_lists(
+ {
+ struct task_struct *p, *g;
+
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+
+ if (use_task_css_set_links)
+ goto out_unlock;
+@@ -1922,8 +1924,12 @@ static void cgroup_enable_task_cg_lists(
+ * entry won't be deleted though the process has exited.
+ * Do it while holding siglock so that we don't end up
+ * racing against cgroup_exit().
++ *
++ * Interrupts were already disabled while acquiring
++ * the css_set_lock, so we do not need to disable it
++ * again when acquiring the sighand->siglock here.
+ */
+- spin_lock_irq(&p->sighand->siglock);
++ spin_lock(&p->sighand->siglock);
+ if (!(p->flags & PF_EXITING)) {
+ struct css_set *cset = task_css_set(p);
+
+@@ -1932,11 +1938,11 @@ static void cgroup_enable_task_cg_lists(
+ list_add_tail(&p->cg_list, &cset->tasks);
+ get_css_set(cset);
+ }
+- spin_unlock_irq(&p->sighand->siglock);
++ spin_unlock(&p->sighand->siglock);
+ } while_each_thread(g, p);
+ read_unlock(&tasklist_lock);
+ out_unlock:
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+ }
+
+ static void init_cgroup_housekeeping(struct cgroup *cgrp)
+@@ -2043,13 +2049,13 @@ static int cgroup_setup_root(struct cgro
+ * Link the root cgroup in this hierarchy into all the css_set
+ * objects.
+ */
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ hash_for_each(css_set_table, i, cset, hlist) {
+ link_css_set(&tmp_links, cset, root_cgrp);
+ if (css_set_populated(cset))
+ cgroup_update_populated(root_cgrp, true);
+ }
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+
+ BUG_ON(!list_empty(&root_cgrp->self.children));
+ BUG_ON(atomic_read(&root->nr_cgrps) != 1);
+@@ -2256,11 +2262,11 @@ out_mount:
+ struct cgroup *cgrp;
+
+ mutex_lock(&cgroup_mutex);
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+
+ cgrp = cset_cgroup_from_root(ns->root_cset, root);
+
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+ mutex_unlock(&cgroup_mutex);
+
+ nsdentry = kernfs_node_dentry(cgrp->kn, dentry->d_sb);
+@@ -2337,11 +2343,11 @@ char *cgroup_path_ns(struct cgroup *cgrp
+ char *ret;
+
+ mutex_lock(&cgroup_mutex);
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+
+ ret = cgroup_path_ns_locked(cgrp, buf, buflen, ns);
+
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+ mutex_unlock(&cgroup_mutex);
+
+ return ret;
+@@ -2369,7 +2375,7 @@ char *task_cgroup_path(struct task_struc
+ char *path = NULL;
+
+ mutex_lock(&cgroup_mutex);
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+
+ root = idr_get_next(&cgroup_hierarchy_idr, &hierarchy_id);
+
+@@ -2382,7 +2388,7 @@ char *task_cgroup_path(struct task_struc
+ path = buf;
+ }
+
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+ mutex_unlock(&cgroup_mutex);
+ return path;
+ }
+@@ -2557,7 +2563,7 @@ static int cgroup_taskset_migrate(struct
+ * the new cgroup. There are no failure cases after here, so this
+ * is the commit point.
+ */
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ list_for_each_entry(cset, &tset->src_csets, mg_node) {
+ list_for_each_entry_safe(task, tmp_task, &cset->mg_tasks, cg_list) {
+ struct css_set *from_cset = task_css_set(task);
+@@ -2568,7 +2574,7 @@ static int cgroup_taskset_migrate(struct
+ put_css_set_locked(from_cset);
+ }
+ }
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+
+ /*
+ * Migration is committed, all target tasks are now on dst_csets.
+@@ -2597,13 +2603,13 @@ out_cancel_attach:
+ }
+ } while_each_subsys_mask();
+ out_release_tset:
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ list_splice_init(&tset->dst_csets, &tset->src_csets);
+ list_for_each_entry_safe(cset, tmp_cset, &tset->src_csets, mg_node) {
+ list_splice_tail_init(&cset->mg_tasks, &cset->tasks);
+ list_del_init(&cset->mg_node);
+ }
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+ return ret;
+ }
+
+@@ -2634,7 +2640,7 @@ static void cgroup_migrate_finish(struct
+
+ lockdep_assert_held(&cgroup_mutex);
+
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ list_for_each_entry_safe(cset, tmp_cset, preloaded_csets, mg_preload_node) {
+ cset->mg_src_cgrp = NULL;
+ cset->mg_dst_cgrp = NULL;
+@@ -2642,7 +2648,7 @@ static void cgroup_migrate_finish(struct
+ list_del_init(&cset->mg_preload_node);
+ put_css_set_locked(cset);
+ }
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+ }
+
+ /**
+@@ -2783,7 +2789,7 @@ static int cgroup_migrate(struct task_st
+ * already PF_EXITING could be freed from underneath us unless we
+ * take an rcu_read_lock.
+ */
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ rcu_read_lock();
+ task = leader;
+ do {
+@@ -2792,7 +2798,7 @@ static int cgroup_migrate(struct task_st
+ break;
+ } while_each_thread(leader, task);
+ rcu_read_unlock();
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+
+ return cgroup_taskset_migrate(&tset, root);
+ }
+@@ -2816,7 +2822,7 @@ static int cgroup_attach_task(struct cgr
+ return -EBUSY;
+
+ /* look up all src csets */
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ rcu_read_lock();
+ task = leader;
+ do {
+@@ -2826,7 +2832,7 @@ static int cgroup_attach_task(struct cgr
+ break;
+ } while_each_thread(leader, task);
+ rcu_read_unlock();
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+
+ /* prepare dst csets and commit */
+ ret = cgroup_migrate_prepare_dst(&preloaded_csets);
+@@ -2859,9 +2865,9 @@ static int cgroup_procs_write_permission
+ struct cgroup *cgrp;
+ struct inode *inode;
+
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ cgrp = task_cgroup_from_root(task, &cgrp_dfl_root);
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+
+ while (!cgroup_is_descendant(dst_cgrp, cgrp))
+ cgrp = cgroup_parent(cgrp);
+@@ -2962,9 +2968,9 @@ int cgroup_attach_task_all(struct task_s
+ if (root == &cgrp_dfl_root)
+ continue;
+
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ from_cgrp = task_cgroup_from_root(from, root);
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+
+ retval = cgroup_attach_task(from_cgrp, tsk, false);
+ if (retval)
+@@ -3080,7 +3086,7 @@ static int cgroup_update_dfl_csses(struc
+ percpu_down_write(&cgroup_threadgroup_rwsem);
+
+ /* look up all csses currently attached to @cgrp's subtree */
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ cgroup_for_each_live_descendant_pre(dsct, d_css, cgrp) {
+ struct cgrp_cset_link *link;
+
+@@ -3088,14 +3094,14 @@ static int cgroup_update_dfl_csses(struc
+ cgroup_migrate_add_src(link->cset, dsct,
+ &preloaded_csets);
+ }
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+
+ /* NULL dst indicates self on default hierarchy */
+ ret = cgroup_migrate_prepare_dst(&preloaded_csets);
+ if (ret)
+ goto out_finish;
+
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ list_for_each_entry(src_cset, &preloaded_csets, mg_preload_node) {
+ struct task_struct *task, *ntask;
+
+@@ -3107,7 +3113,7 @@ static int cgroup_update_dfl_csses(struc
+ list_for_each_entry_safe(task, ntask, &src_cset->tasks, cg_list)
+ cgroup_taskset_add(task, &tset);
+ }
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+
+ ret = cgroup_taskset_migrate(&tset, cgrp->root);
+ out_finish:
+@@ -3908,10 +3914,10 @@ static int cgroup_task_count(const struc
+ int count = 0;
+ struct cgrp_cset_link *link;
+
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ list_for_each_entry(link, &cgrp->cset_links, cset_link)
+ count += atomic_read(&link->cset->refcount);
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+ return count;
+ }
+
+@@ -4249,7 +4255,7 @@ void css_task_iter_start(struct cgroup_s
+
+ memset(it, 0, sizeof(*it));
+
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+
+ it->ss = css->ss;
+
+@@ -4262,7 +4268,7 @@ void css_task_iter_start(struct cgroup_s
+
+ css_task_iter_advance_css_set(it);
+
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+ }
+
+ /**
+@@ -4280,7 +4286,7 @@ struct task_struct *css_task_iter_next(s
+ it->cur_task = NULL;
+ }
+
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+
+ if (it->task_pos) {
+ it->cur_task = list_entry(it->task_pos, struct task_struct,
+@@ -4289,7 +4295,7 @@ struct task_struct *css_task_iter_next(s
+ css_task_iter_advance(it);
+ }
+
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+
+ return it->cur_task;
+ }
+@@ -4303,10 +4309,10 @@ struct task_struct *css_task_iter_next(s
+ void css_task_iter_end(struct css_task_iter *it)
+ {
+ if (it->cur_cset) {
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ list_del(&it->iters_node);
+ put_css_set_locked(it->cur_cset);
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+ }
+
+ if (it->cur_task)
+@@ -4338,10 +4344,10 @@ int cgroup_transfer_tasks(struct cgroup
+ mutex_lock(&cgroup_mutex);
+
+ /* all tasks in @from are being moved, all csets are source */
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ list_for_each_entry(link, &from->cset_links, cset_link)
+ cgroup_migrate_add_src(link->cset, to, &preloaded_csets);
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+
+ ret = cgroup_migrate_prepare_dst(&preloaded_csets);
+ if (ret)
+@@ -5449,10 +5455,10 @@ static int cgroup_destroy_locked(struct
+ */
+ cgrp->self.flags &= ~CSS_ONLINE;
+
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ list_for_each_entry(link, &cgrp->cset_links, cset_link)
+ link->cset->dead = true;
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+
+ /* initiate massacre of all css's */
+ for_each_css(css, ssid, cgrp)
+@@ -5723,7 +5729,7 @@ int proc_cgroup_show(struct seq_file *m,
+ goto out;
+
+ mutex_lock(&cgroup_mutex);
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+
+ for_each_root(root) {
+ struct cgroup_subsys *ss;
+@@ -5776,7 +5782,7 @@ int proc_cgroup_show(struct seq_file *m,
+
+ retval = 0;
+ out_unlock:
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+ mutex_unlock(&cgroup_mutex);
+ kfree(buf);
+ out:
+@@ -5921,13 +5927,13 @@ void cgroup_post_fork(struct task_struct
+ if (use_task_css_set_links) {
+ struct css_set *cset;
+
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ cset = task_css_set(current);
+ if (list_empty(&child->cg_list)) {
+ get_css_set(cset);
+ css_set_move_task(child, NULL, cset, false);
+ }
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+ }
+
+ /*
+@@ -5972,9 +5978,9 @@ void cgroup_exit(struct task_struct *tsk
+ cset = task_css_set(tsk);
+
+ if (!list_empty(&tsk->cg_list)) {
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ css_set_move_task(tsk, cset, NULL, false);
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+ } else {
+ get_css_set(cset);
+ }
+@@ -6042,9 +6048,9 @@ static void cgroup_release_agent(struct
+ if (!pathbuf || !agentbuf)
+ goto out;
+
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ path = cgroup_path_ns_locked(cgrp, pathbuf, PATH_MAX, &init_cgroup_ns);
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+ if (!path)
+ goto out;
+
+@@ -6304,12 +6310,12 @@ struct cgroup_namespace *copy_cgroup_ns(
+ return ERR_PTR(-EPERM);
+
+ mutex_lock(&cgroup_mutex);
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+
+ cset = task_css_set(current);
+ get_css_set(cset);
+
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+ mutex_unlock(&cgroup_mutex);
+
+ new_ns = alloc_cgroup_ns();
+@@ -6433,7 +6439,7 @@ static int current_css_set_cg_links_read
+ if (!name_buf)
+ return -ENOMEM;
+
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ rcu_read_lock();
+ cset = rcu_dereference(current->cgroups);
+ list_for_each_entry(link, &cset->cgrp_links, cgrp_link) {
+@@ -6444,7 +6450,7 @@ static int current_css_set_cg_links_read
+ c->root->hierarchy_id, name_buf);
+ }
+ rcu_read_unlock();
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+ kfree(name_buf);
+ return 0;
+ }
+@@ -6455,7 +6461,7 @@ static int cgroup_css_links_read(struct
+ struct cgroup_subsys_state *css = seq_css(seq);
+ struct cgrp_cset_link *link;
+
+- spin_lock_bh(&css_set_lock);
++ spin_lock_irq(&css_set_lock);
+ list_for_each_entry(link, &css->cgroup->cset_links, cset_link) {
+ struct css_set *cset = link->cset;
+ struct task_struct *task;
+@@ -6478,7 +6484,7 @@ static int cgroup_css_links_read(struct
+ overflow:
+ seq_puts(seq, " ...\n");
+ }
+- spin_unlock_bh(&css_set_lock);
++ spin_unlock_irq(&css_set_lock);
+ return 0;
+ }
+
--- /dev/null
+From b00c52dae6d9ee8d0f2407118ef6544ae5524781 Mon Sep 17 00:00:00 2001
+From: Wenwei Tao <ww.tao0320@gmail.com>
+Date: Fri, 13 May 2016 22:59:20 +0800
+Subject: cgroup: remove redundant cleanup in css_create
+
+From: Wenwei Tao <ww.tao0320@gmail.com>
+
+commit b00c52dae6d9ee8d0f2407118ef6544ae5524781 upstream.
+
+When create css failed, before call css_free_rcu_fn, we remove the css
+id and exit the percpu_ref, but we will do these again in
+css_free_work_fn, so they are redundant. Especially the css id, that
+would cause problem if we remove it twice, since it may be assigned to
+another css after the first remove.
+
+tj: This was broken by two commits updating the free path without
+ synchronizing the creation failure path. This can be easily
+ triggered by trying to create more than 64k memory cgroups.
+
+Signed-off-by: Wenwei Tao <ww.tao0320@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Cc: Vladimir Davydov <vdavydov@parallels.com>
+Fixes: 9a1049da9bd2 ("percpu-refcount: require percpu_ref to be exited explicitly")
+Fixes: 01e586598b22 ("cgroup: release css->id after css_free")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cgroup.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -5150,7 +5150,7 @@ static struct cgroup_subsys_state *css_c
+
+ err = cgroup_idr_alloc(&ss->css_idr, NULL, 2, 0, GFP_KERNEL);
+ if (err < 0)
+- goto err_free_percpu_ref;
++ goto err_free_css;
+ css->id = err;
+
+ /* @css is ready to be brought online now, make it visible */
+@@ -5174,9 +5174,6 @@ static struct cgroup_subsys_state *css_c
+
+ err_list_del:
+ list_del_rcu(&css->sibling);
+- cgroup_idr_remove(&ss->css_idr, css->id);
+-err_free_percpu_ref:
+- percpu_ref_exit(&css->refcnt);
+ err_free_css:
+ call_rcu(&css->rcu_head, css_free_rcu_fn);
+ return ERR_PTR(err);
--- /dev/null
+From 8fa3b8d689a54d6d04ff7803c724fb7aca6ce98e Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Thu, 26 May 2016 15:42:13 -0400
+Subject: cgroup: set css->id to -1 during init
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 8fa3b8d689a54d6d04ff7803c724fb7aca6ce98e upstream.
+
+If percpu_ref initialization fails during css_create(), the free path
+can end up trying to free css->id of zero. As ID 0 is unused, it
+doesn't cause a critical breakage but it does trigger a warning
+message. Fix it by setting css->id to -1 from init_and_link_css().
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Cc: Wenwei Tao <ww.tao0320@gmail.com>
+Fixes: 01e586598b22 ("cgroup: release css->id after css_free")
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cgroup.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -5063,6 +5063,7 @@ static void init_and_link_css(struct cgr
+ memset(css, 0, sizeof(*css));
+ css->cgroup = cgrp;
+ css->ss = ss;
++ css->id = -1;
+ INIT_LIST_HEAD(&css->sibling);
+ INIT_LIST_HEAD(&css->children);
+ css->serial_nr = css_serial_nr_next++;
--- /dev/null
+From f0fe970df3838c202ef6c07a4c2b36838ef0a88b Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Tue, 5 Jul 2016 17:32:30 -0400
+Subject: ecryptfs: don't allow mmap when the lower fs doesn't support it
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit f0fe970df3838c202ef6c07a4c2b36838ef0a88b upstream.
+
+There are legitimate reasons to disallow mmap on certain files, notably
+in sysfs or procfs. We shouldn't emulate mmap support on file systems
+that don't offer support natively.
+
+CVE-2016-1583
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+[tyhicks: clean up f_op check by using ecryptfs_file_to_lower()]
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/file.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/fs/ecryptfs/file.c
++++ b/fs/ecryptfs/file.c
+@@ -169,6 +169,19 @@ out:
+ return rc;
+ }
+
++static int ecryptfs_mmap(struct file *file, struct vm_area_struct *vma)
++{
++ struct file *lower_file = ecryptfs_file_to_lower(file);
++ /*
++ * Don't allow mmap on top of file systems that don't support it
++ * natively. If FILESYSTEM_MAX_STACK_DEPTH > 2 or ecryptfs
++ * allows recursive mounting, this will need to be extended.
++ */
++ if (!lower_file->f_op->mmap)
++ return -ENODEV;
++ return generic_file_mmap(file, vma);
++}
++
+ /**
+ * ecryptfs_open
+ * @inode: inode speciying file to open
+@@ -403,7 +416,7 @@ const struct file_operations ecryptfs_ma
+ #ifdef CONFIG_COMPAT
+ .compat_ioctl = ecryptfs_compat_ioctl,
+ #endif
+- .mmap = generic_file_mmap,
++ .mmap = ecryptfs_mmap,
+ .open = ecryptfs_open,
+ .flush = ecryptfs_flush,
+ .release = ecryptfs_release,
--- /dev/null
+From 226ba707744a51acb4244724e09caacb1d96aed9 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Tue, 21 Jun 2016 16:09:00 -0700
+Subject: Input: elantech - add more IC body types to the list
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 226ba707744a51acb4244724e09caacb1d96aed9 upstream.
+
+The touchpad in HP Pavilion 14-ab057ca reports it's version as 12 and
+according to Elan both 11 and 12 are valid IC types and should be
+identified as hw_version 4.
+
+Reported-by: Patrick Lessard <Patrick.Lessard@cogeco.com>
+Tested-by: Patrick Lessard <Patrick.Lessard@cogeco.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elantech.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -1568,13 +1568,7 @@ static int elantech_set_properties(struc
+ case 5:
+ etd->hw_version = 3;
+ break;
+- case 6:
+- case 7:
+- case 8:
+- case 9:
+- case 10:
+- case 13:
+- case 14:
++ case 6 ... 14:
+ etd->hw_version = 4;
+ break;
+ default:
--- /dev/null
+From e4add7b6beaff4061693d0632bc1dcb306edba10 Mon Sep 17 00:00:00 2001
+From: Andrew Duggan <aduggan@synaptics.com>
+Date: Tue, 19 Jul 2016 17:53:59 -0700
+Subject: Input: synaptics-rmi4 - fix maximum size check for F12 control register 8
+
+From: Andrew Duggan <aduggan@synaptics.com>
+
+commit e4add7b6beaff4061693d0632bc1dcb306edba10 upstream.
+
+According to the RMI4 spec the maximum size of F12 control register 8 is
+15 bytes. The current code incorrectly reports an error if control 8 is
+greater then 14. Making sensors with a control register 8 with 15 bytes
+unusable.
+
+Signed-off-by: Andrew Duggan <aduggan@synaptics.com>
+Reported-by: Chris Healy <cphealy@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/rmi4/rmi_f12.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/rmi4/rmi_f12.c
++++ b/drivers/input/rmi4/rmi_f12.c
+@@ -66,7 +66,7 @@ static int rmi_f12_read_sensor_tuning(st
+ struct rmi_device *rmi_dev = fn->rmi_dev;
+ int ret;
+ int offset;
+- u8 buf[14];
++ u8 buf[15];
+ int pitch_x = 0;
+ int pitch_y = 0;
+ int clip_x_low = 0;
+@@ -86,9 +86,10 @@ static int rmi_f12_read_sensor_tuning(st
+
+ offset = rmi_register_desc_calc_reg_offset(&f12->control_reg_desc, 8);
+
+- if (item->reg_size > 14) {
+- dev_err(&fn->dev, "F12 control8 should be 14 bytes, not: %ld\n",
+- item->reg_size);
++ if (item->reg_size > sizeof(buf)) {
++ dev_err(&fn->dev,
++ "F12 control8 should be no bigger than %zd bytes, not: %ld\n",
++ sizeof(buf), item->reg_size);
+ return -ENODEV;
+ }
+
--- /dev/null
+From e9003c9cfaa17d26991688268b04244adb67ee2b Mon Sep 17 00:00:00 2001
+From: Michael Welling <mwelling@ieee.org>
+Date: Wed, 20 Jul 2016 10:02:07 -0700
+Subject: Input: tsc200x - report proper input_dev name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michael Welling <mwelling@ieee.org>
+
+commit e9003c9cfaa17d26991688268b04244adb67ee2b upstream.
+
+Passes input_id struct to the common probe function for the tsc200x drivers
+instead of just the bustype.
+
+This allows for the use of the product variable to set the input_dev->name
+variable according to the type of touchscreen used. Note that when we
+introduced support for TSC2004 we started calling everything TSC200X, so
+let's keep this quirk.
+
+Signed-off-by: Michael Welling <mwelling@ieee.org>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Acked-by: Pali Rohár <pali.rohar@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/tsc2004.c | 7 ++++++-
+ drivers/input/touchscreen/tsc2005.c | 7 ++++++-
+ drivers/input/touchscreen/tsc200x-core.c | 15 ++++++++++++---
+ drivers/input/touchscreen/tsc200x-core.h | 2 +-
+ 4 files changed, 25 insertions(+), 6 deletions(-)
+
+--- a/drivers/input/touchscreen/tsc2004.c
++++ b/drivers/input/touchscreen/tsc2004.c
+@@ -22,6 +22,11 @@
+ #include <linux/regmap.h>
+ #include "tsc200x-core.h"
+
++static const struct input_id tsc2004_input_id = {
++ .bustype = BUS_I2C,
++ .product = 2004,
++};
++
+ static int tsc2004_cmd(struct device *dev, u8 cmd)
+ {
+ u8 tx = TSC200X_CMD | TSC200X_CMD_12BIT | cmd;
+@@ -42,7 +47,7 @@ static int tsc2004_probe(struct i2c_clie
+ const struct i2c_device_id *id)
+
+ {
+- return tsc200x_probe(&i2c->dev, i2c->irq, BUS_I2C,
++ return tsc200x_probe(&i2c->dev, i2c->irq, &tsc2004_input_id,
+ devm_regmap_init_i2c(i2c, &tsc200x_regmap_config),
+ tsc2004_cmd);
+ }
+--- a/drivers/input/touchscreen/tsc2005.c
++++ b/drivers/input/touchscreen/tsc2005.c
+@@ -24,6 +24,11 @@
+ #include <linux/regmap.h>
+ #include "tsc200x-core.h"
+
++static const struct input_id tsc2005_input_id = {
++ .bustype = BUS_SPI,
++ .product = 2005,
++};
++
+ static int tsc2005_cmd(struct device *dev, u8 cmd)
+ {
+ u8 tx = TSC200X_CMD | TSC200X_CMD_12BIT | cmd;
+@@ -62,7 +67,7 @@ static int tsc2005_probe(struct spi_devi
+ if (error)
+ return error;
+
+- return tsc200x_probe(&spi->dev, spi->irq, BUS_SPI,
++ return tsc200x_probe(&spi->dev, spi->irq, &tsc2005_input_id,
+ devm_regmap_init_spi(spi, &tsc200x_regmap_config),
+ tsc2005_cmd);
+ }
+--- a/drivers/input/touchscreen/tsc200x-core.c
++++ b/drivers/input/touchscreen/tsc200x-core.c
+@@ -450,7 +450,7 @@ static void tsc200x_close(struct input_d
+ mutex_unlock(&ts->mutex);
+ }
+
+-int tsc200x_probe(struct device *dev, int irq, __u16 bustype,
++int tsc200x_probe(struct device *dev, int irq, const struct input_id *tsc_id,
+ struct regmap *regmap,
+ int (*tsc200x_cmd)(struct device *dev, u8 cmd))
+ {
+@@ -547,9 +547,18 @@ int tsc200x_probe(struct device *dev, in
+ snprintf(ts->phys, sizeof(ts->phys),
+ "%s/input-ts", dev_name(dev));
+
+- input_dev->name = "TSC200X touchscreen";
++ if (tsc_id->product == 2004) {
++ input_dev->name = "TSC200X touchscreen";
++ } else {
++ input_dev->name = devm_kasprintf(dev, GFP_KERNEL,
++ "TSC%04d touchscreen",
++ tsc_id->product);
++ if (!input_dev->name)
++ return -ENOMEM;
++ }
++
+ input_dev->phys = ts->phys;
+- input_dev->id.bustype = bustype;
++ input_dev->id = *tsc_id;
+ input_dev->dev.parent = dev;
+ input_dev->evbit[0] = BIT(EV_ABS) | BIT(EV_KEY);
+ input_dev->keybit[BIT_WORD(BTN_TOUCH)] = BIT_MASK(BTN_TOUCH);
+--- a/drivers/input/touchscreen/tsc200x-core.h
++++ b/drivers/input/touchscreen/tsc200x-core.h
+@@ -70,7 +70,7 @@
+ extern const struct regmap_config tsc200x_regmap_config;
+ extern const struct dev_pm_ops tsc200x_pm_ops;
+
+-int tsc200x_probe(struct device *dev, int irq, __u16 bustype,
++int tsc200x_probe(struct device *dev, int irq, const struct input_id *tsc_id,
+ struct regmap *regmap,
+ int (*tsc200x_cmd)(struct device *dev, u8 cmd));
+ int tsc200x_remove(struct device *dev);
--- /dev/null
+From 60842ef8128e7bf58c024814cd0dc14319232b6c Mon Sep 17 00:00:00 2001
+From: Sinclair Yeh <syeh@vmware.com>
+Date: Thu, 23 Jun 2016 17:37:34 -0700
+Subject: Input: vmmouse - remove port reservation
+
+From: Sinclair Yeh <syeh@vmware.com>
+
+commit 60842ef8128e7bf58c024814cd0dc14319232b6c upstream.
+
+The VMWare EFI BIOS will expose port 0x5658 as an ACPI resource. This
+causes the port to be reserved by the APCI module as the system comes up,
+making it unavailable to be reserved again by other drivers, thus
+preserving this VMWare port for special use in a VMWare guest.
+
+This port is designed to be shared among multiple VMWare services, such as
+the VMMOUSE. Because of this, VMMOUSE should not try to reserve this port
+on its own.
+
+The VMWare non-EFI BIOS does not do this to preserve compatibility with
+existing/legacy VMs. It is known that there is small chance a VM may be
+configured such that these ports get reserved by other non-VMWare devices,
+and if this ever happens, the result is undefined.
+
+Signed-off-by: Sinclair Yeh <syeh@vmware.com>
+Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/vmmouse.c | 22 ++--------------------
+ 1 file changed, 2 insertions(+), 20 deletions(-)
+
+--- a/drivers/input/mouse/vmmouse.c
++++ b/drivers/input/mouse/vmmouse.c
+@@ -355,18 +355,11 @@ int vmmouse_detect(struct psmouse *psmou
+ return -ENXIO;
+ }
+
+- if (!request_region(VMMOUSE_PROTO_PORT, 4, "vmmouse")) {
+- psmouse_dbg(psmouse, "VMMouse port in use.\n");
+- return -EBUSY;
+- }
+-
+ /* Check if the device is present */
+ response = ~VMMOUSE_PROTO_MAGIC;
+ VMMOUSE_CMD(GETVERSION, 0, version, response, dummy1, dummy2);
+- if (response != VMMOUSE_PROTO_MAGIC || version == 0xffffffffU) {
+- release_region(VMMOUSE_PROTO_PORT, 4);
++ if (response != VMMOUSE_PROTO_MAGIC || version == 0xffffffffU)
+ return -ENXIO;
+- }
+
+ if (set_properties) {
+ psmouse->vendor = VMMOUSE_VENDOR;
+@@ -374,8 +367,6 @@ int vmmouse_detect(struct psmouse *psmou
+ psmouse->model = version;
+ }
+
+- release_region(VMMOUSE_PROTO_PORT, 4);
+-
+ return 0;
+ }
+
+@@ -394,7 +385,6 @@ static void vmmouse_disconnect(struct ps
+ psmouse_reset(psmouse);
+ input_unregister_device(priv->abs_dev);
+ kfree(priv);
+- release_region(VMMOUSE_PROTO_PORT, 4);
+ }
+
+ /**
+@@ -438,15 +428,10 @@ int vmmouse_init(struct psmouse *psmouse
+ struct input_dev *rel_dev = psmouse->dev, *abs_dev;
+ int error;
+
+- if (!request_region(VMMOUSE_PROTO_PORT, 4, "vmmouse")) {
+- psmouse_dbg(psmouse, "VMMouse port in use.\n");
+- return -EBUSY;
+- }
+-
+ psmouse_reset(psmouse);
+ error = vmmouse_enable(psmouse);
+ if (error)
+- goto release_region;
++ return error;
+
+ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ abs_dev = input_allocate_device();
+@@ -502,8 +487,5 @@ init_fail:
+ kfree(priv);
+ psmouse->private = NULL;
+
+-release_region:
+- release_region(VMMOUSE_PROTO_PORT, 4);
+-
+ return error;
+ }
--- /dev/null
+From 9e72ac7492149a229ce9039c680849cb682d7092 Mon Sep 17 00:00:00 2001
+From: Ping Cheng <pinglinux@gmail.com>
+Date: Thu, 23 Jun 2016 10:55:11 -0700
+Subject: Input: wacom_w8001 - ignore invalid pen data packets
+
+From: Ping Cheng <pinglinux@gmail.com>
+
+commit 9e72ac7492149a229ce9039c680849cb682d7092 upstream.
+
+ThinkPad X60 Tablet PC (pen only device) sometime posts
+packets that are larger than W8001_PKTLEN_TPCPEN.
+
+Reported-by: Chris J Arges <christopherarges@gmail.com>
+Tested-by: Chris J Arges <christopherarges@gmail.com>
+Signed-off-by: Ping Cheng <pingc@wacom.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/wacom_w8001.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/input/touchscreen/wacom_w8001.c
++++ b/drivers/input/touchscreen/wacom_w8001.c
+@@ -339,6 +339,15 @@ static irqreturn_t w8001_interrupt(struc
+ w8001->idx = 0;
+ parse_multi_touch(w8001);
+ break;
++
++ default:
++ /*
++ * ThinkPad X60 Tablet PC (pen only device) sometimes
++ * sends invalid data packets that are larger than
++ * W8001_PKTLEN_TPCPEN. Let's start over again.
++ */
++ if (!w8001->touch_dev && w8001->idx > W8001_PKTLEN_TPCPEN - 1)
++ w8001->idx = 0;
+ }
+
+ return IRQ_HANDLED;
--- /dev/null
+From 12afb34400eb2b301f06b2aa3535497d14faee59 Mon Sep 17 00:00:00 2001
+From: Ping Cheng <pinglinux@gmail.com>
+Date: Thu, 23 Jun 2016 10:54:17 -0700
+Subject: Input: wacom_w8001 - w8001_MAX_LENGTH should be 13
+
+From: Ping Cheng <pinglinux@gmail.com>
+
+commit 12afb34400eb2b301f06b2aa3535497d14faee59 upstream.
+
+Somehow the patch that added two-finger touch support forgot to update
+W8001_MAX_LENGTH from 11 to 13.
+
+Signed-off-by: Ping Cheng <pingc@wacom.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/wacom_w8001.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/wacom_w8001.c
++++ b/drivers/input/touchscreen/wacom_w8001.c
+@@ -27,7 +27,7 @@ MODULE_AUTHOR("Jaya Kumar <jayakumar.lkm
+ MODULE_DESCRIPTION(DRIVER_DESC);
+ MODULE_LICENSE("GPL");
+
+-#define W8001_MAX_LENGTH 11
++#define W8001_MAX_LENGTH 13
+ #define W8001_LEAD_MASK 0x80
+ #define W8001_LEAD_BYTE 0x80
+ #define W8001_TAB_MASK 0x40
--- /dev/null
+From c7f1429389ec1aa25e042bb13451385fbb596f8c Mon Sep 17 00:00:00 2001
+From: Cameron Gutman <aicommander@gmail.com>
+Date: Thu, 23 Jun 2016 10:24:42 -0700
+Subject: Input: xpad - fix oops when attaching an unknown Xbox One gamepad
+
+From: Cameron Gutman <aicommander@gmail.com>
+
+commit c7f1429389ec1aa25e042bb13451385fbb596f8c upstream.
+
+Xbox One controllers have multiple interfaces which all have the
+same class, subclass, and protocol. One of the these interfaces
+has only a single endpoint. When Xpad attempts to bind to this
+interface, it causes an oops when trying initialize the output URB
+by trying to access the second endpoint's descriptor.
+
+This situation was avoided for known Xbox One devices by checking
+the XTYPE constant associated with the VID and PID tuple. However,
+this breaks when new or previously unknown Xbox One controllers
+are attached to the system.
+
+This change addresses the problem by deriving the XTYPE for Xbox
+One controllers based on the interface protocol before checking
+the interface number.
+
+Fixes: 1a48ff81b391 ("Input: xpad - add support for Xbox One controllers")
+Signed-off-by: Cameron Gutman <aicommander@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/joystick/xpad.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -1427,16 +1427,6 @@ static int xpad_probe(struct usb_interfa
+ break;
+ }
+
+- if (xpad_device[i].xtype == XTYPE_XBOXONE &&
+- intf->cur_altsetting->desc.bInterfaceNumber != 0) {
+- /*
+- * The Xbox One controller lists three interfaces all with the
+- * same interface class, subclass and protocol. Differentiate by
+- * interface number.
+- */
+- return -ENODEV;
+- }
+-
+ xpad = kzalloc(sizeof(struct usb_xpad), GFP_KERNEL);
+ if (!xpad)
+ return -ENOMEM;
+@@ -1468,6 +1458,8 @@ static int xpad_probe(struct usb_interfa
+ if (intf->cur_altsetting->desc.bInterfaceClass == USB_CLASS_VENDOR_SPEC) {
+ if (intf->cur_altsetting->desc.bInterfaceProtocol == 129)
+ xpad->xtype = XTYPE_XBOX360W;
++ else if (intf->cur_altsetting->desc.bInterfaceProtocol == 208)
++ xpad->xtype = XTYPE_XBOXONE;
+ else
+ xpad->xtype = XTYPE_XBOX360;
+ } else {
+@@ -1482,6 +1474,17 @@ static int xpad_probe(struct usb_interfa
+ xpad->mapping |= MAP_STICKS_TO_NULL;
+ }
+
++ if (xpad->xtype == XTYPE_XBOXONE &&
++ intf->cur_altsetting->desc.bInterfaceNumber != 0) {
++ /*
++ * The Xbox One controller lists three interfaces all with the
++ * same interface class, subclass and protocol. Differentiate by
++ * interface number.
++ */
++ error = -ENODEV;
++ goto err_free_in_urb;
++ }
++
+ error = xpad_init_output(intf, xpad);
+ if (error)
+ goto err_free_in_urb;
--- /dev/null
+From caca925fca4fb30c67be88cacbe908eec6721e43 Mon Sep 17 00:00:00 2001
+From: Cameron Gutman <aicommander@gmail.com>
+Date: Wed, 29 Jun 2016 09:51:35 -0700
+Subject: Input: xpad - validate USB endpoint count during probe
+
+From: Cameron Gutman <aicommander@gmail.com>
+
+commit caca925fca4fb30c67be88cacbe908eec6721e43 upstream.
+
+This prevents a malicious USB device from causing an oops.
+
+Signed-off-by: Cameron Gutman <aicommander@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/joystick/xpad.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -1421,6 +1421,9 @@ static int xpad_probe(struct usb_interfa
+ int ep_irq_in_idx;
+ int i, error;
+
++ if (intf->cur_altsetting->desc.bNumEndpoints != 2)
++ return -ENODEV;
++
+ for (i = 0; xpad_device[i].idVendor; i++) {
+ if ((le16_to_cpu(udev->descriptor.idVendor) == xpad_device[i].idVendor) &&
+ (le16_to_cpu(udev->descriptor.idProduct) == xpad_device[i].idProduct))
--- /dev/null
+From 6343a2120862f7023006c8091ad95c1f16a32077 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Fri, 1 Jul 2016 14:56:07 +0200
+Subject: locks: use file_inode()
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 6343a2120862f7023006c8091ad95c1f16a32077 upstream.
+
+(Another one for the f_path debacle.)
+
+ltp fcntl33 testcase caused an Oops in selinux_file_send_sigiotask.
+
+The reason is that generic_add_lease() used filp->f_path.dentry->inode
+while all the others use file_inode(). This makes a difference for files
+opened on overlayfs since the former will point to the overlay inode the
+latter to the underlying inode.
+
+So generic_add_lease() added the lease to the overlay inode and
+generic_delete_lease() removed it from the underlying inode. When the file
+was released the lease remained on the overlay inode's lock list, resulting
+in use after free.
+
+Reported-by: Eryu Guan <eguan@redhat.com>
+Fixes: 4bacc9c9234c ("overlayfs: Make f_path always point to the overlay and f_inode to the underlay")
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/locks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/locks.c
++++ b/fs/locks.c
+@@ -1628,7 +1628,7 @@ generic_add_lease(struct file *filp, lon
+ {
+ struct file_lock *fl, *my_fl = NULL, *lease;
+ struct dentry *dentry = filp->f_path.dentry;
+- struct inode *inode = dentry->d_inode;
++ struct inode *inode = file_inode(filp);
+ struct file_lock_context *ctx;
+ bool is_deleg = (*flp)->fl_flags & FL_DELEG;
+ int error;
--- /dev/null
+From ba562d5e54fd3136bfea0457add3675850247774 Mon Sep 17 00:00:00 2001
+From: Alexander Shiyan <shc_work@mail.ru>
+Date: Wed, 1 Jun 2016 22:21:53 +0300
+Subject: pinctrl: imx: Do not treat a PIN without MUX register as an error
+
+From: Alexander Shiyan <shc_work@mail.ru>
+
+commit ba562d5e54fd3136bfea0457add3675850247774 upstream.
+
+Some PINs do not have a MUX register, it is not an error.
+It is necessary to allow the continuation of the PINs configuration,
+otherwise the whole PIN-group will be configured incorrectly.
+
+Signed-off-by: Alexander Shiyan <shc_work@mail.ru>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/freescale/pinctrl-imx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/freescale/pinctrl-imx.c
++++ b/drivers/pinctrl/freescale/pinctrl-imx.c
+@@ -209,9 +209,9 @@ static int imx_pmx_set(struct pinctrl_de
+ pin_reg = &info->pin_regs[pin_id];
+
+ if (pin_reg->mux_reg == -1) {
+- dev_err(ipctl->dev, "Pin(%s) does not support mux function\n",
++ dev_dbg(ipctl->dev, "Pin(%s) does not support mux function\n",
+ info->pins[pin_id].name);
+- return -EINVAL;
++ continue;
+ }
+
+ if (info->flags & SHARE_MUX_CONF_REG) {
--- /dev/null
+From 0ac3c0a4025f41748a083bdd4970cb3ede802b15 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Tue, 31 May 2016 14:17:06 -0700
+Subject: pinctrl: single: Fix missing flush of posted write for a wakeirq
+
+From: Tony Lindgren <tony@atomide.com>
+
+commit 0ac3c0a4025f41748a083bdd4970cb3ede802b15 upstream.
+
+With many repeated suspend resume cycles, the pin specific wakeirq
+may not always work on omaps. This is because the write to enable the
+pin interrupt may not have reached the device over the interconnect
+before suspend happens.
+
+Let's fix the issue with a flush of posted write with a readback.
+
+Reported-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/pinctrl-single.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/pinctrl/pinctrl-single.c
++++ b/drivers/pinctrl/pinctrl-single.c
+@@ -1580,6 +1580,9 @@ static inline void pcs_irq_set(struct pc
+ else
+ mask &= ~soc_mask;
+ pcs->write(mask, pcswi->reg);
++
++ /* flush posted write */
++ mask = pcs->read(pcswi->reg);
+ raw_spin_unlock(&pcs->lock);
+ }
+
--- /dev/null
+From 5bc28b93a36e3cb3acc2870fb75cb6ffb182fece Mon Sep 17 00:00:00 2001
+From: Rhyland Klein <rklein@nvidia.com>
+Date: Thu, 9 Jun 2016 17:28:39 -0400
+Subject: power_supply: power_supply_read_temp only if use_cnt > 0
+
+From: Rhyland Klein <rklein@nvidia.com>
+
+commit 5bc28b93a36e3cb3acc2870fb75cb6ffb182fece upstream.
+
+Change power_supply_read_temp() to use power_supply_get_property()
+so that it will check the use_cnt and ensure it is > 0. The use_cnt
+will be incremented at the end of __power_supply_register, so this
+will block to case where get_property can be called before the supply
+is fully registered. This fixes the issue show in the stack below:
+
+[ 1.452598] power_supply_read_temp+0x78/0x80
+[ 1.458680] thermal_zone_get_temp+0x5c/0x11c
+[ 1.464765] thermal_zone_device_update+0x34/0xb4
+[ 1.471195] thermal_zone_device_register+0x87c/0x8cc
+[ 1.477974] __power_supply_register+0x364/0x424
+[ 1.484317] power_supply_register_no_ws+0x10/0x18
+[ 1.490833] bq27xxx_battery_setup+0x10c/0x164
+[ 1.497003] bq27xxx_battery_i2c_probe+0xd0/0x1b0
+[ 1.503435] i2c_device_probe+0x174/0x240
+[ 1.509172] driver_probe_device+0x1fc/0x29c
+[ 1.515167] __driver_attach+0xa4/0xa8
+[ 1.520643] bus_for_each_dev+0x58/0x98
+[ 1.526204] driver_attach+0x20/0x28
+[ 1.531505] bus_add_driver+0x1c8/0x22c
+[ 1.537067] driver_register+0x68/0x108
+[ 1.542630] i2c_register_driver+0x38/0x7c
+[ 1.548457] bq27xxx_battery_i2c_driver_init+0x18/0x20
+[ 1.555321] do_one_initcall+0x38/0x12c
+[ 1.560886] kernel_init_freeable+0x148/0x1ec
+[ 1.566972] kernel_init+0x10/0xfc
+[ 1.572101] ret_from_fork+0x10/0x40
+
+Also make the same change to ps_get_max_charge_cntl_limit() and
+ps_get_cur_chrage_cntl_limit() to be safe. Lastly, change the return
+value of power_supply_get_property() to -EAGAIN from -ENODEV if
+use_cnt <= 0.
+
+Fixes: 297d716f6260 ("power_supply: Change ownership from driver to core")
+Signed-off-by: Rhyland Klein <rklein@nvidia.com>
+Reviewed-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/power_supply_core.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+--- a/drivers/power/power_supply_core.c
++++ b/drivers/power/power_supply_core.c
+@@ -565,11 +565,12 @@ static int power_supply_read_temp(struct
+
+ WARN_ON(tzd == NULL);
+ psy = tzd->devdata;
+- ret = psy->desc->get_property(psy, POWER_SUPPLY_PROP_TEMP, &val);
++ ret = power_supply_get_property(psy, POWER_SUPPLY_PROP_TEMP, &val);
++ if (ret)
++ return ret;
+
+ /* Convert tenths of degree Celsius to milli degree Celsius. */
+- if (!ret)
+- *temp = val.intval * 100;
++ *temp = val.intval * 100;
+
+ return ret;
+ }
+@@ -612,10 +613,12 @@ static int ps_get_max_charge_cntl_limit(
+ int ret;
+
+ psy = tcd->devdata;
+- ret = psy->desc->get_property(psy,
+- POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT_MAX, &val);
+- if (!ret)
+- *state = val.intval;
++ ret = power_supply_get_property(psy,
++ POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT_MAX, &val);
++ if (ret)
++ return ret;
++
++ *state = val.intval;
+
+ return ret;
+ }
+@@ -628,10 +631,12 @@ static int ps_get_cur_chrage_cntl_limit(
+ int ret;
+
+ psy = tcd->devdata;
+- ret = psy->desc->get_property(psy,
+- POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT, &val);
+- if (!ret)
+- *state = val.intval;
++ ret = power_supply_get_property(psy,
++ POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT, &val);
++ if (ret)
++ return ret;
++
++ *state = val.intval;
+
+ return ret;
+ }
--- /dev/null
+From 749d088b8e7f4b9826ede02b9a043e417fa84aa1 Mon Sep 17 00:00:00 2001
+From: Minfei Huang <mnghuan@gmail.com>
+Date: Fri, 27 May 2016 14:17:10 +0800
+Subject: pvclock: Add CPU barriers to get correct version value
+
+From: Minfei Huang <mnghuan@gmail.com>
+
+commit 749d088b8e7f4b9826ede02b9a043e417fa84aa1 upstream.
+
+Protocol for the "version" fields is: hypervisor raises it (making it
+uneven) before it starts updating the fields and raises it again (making
+it even) when it is done. Thus the guest can make sure the time values
+it got are consistent by checking the version before and after reading
+them.
+
+Add CPU barries after getting version value just like what function
+vread_pvclock does, because all of callees in this function is inline.
+
+Fixes: 502dfeff239e8313bfbe906ca0a1a6827ac8481b
+Signed-off-by: Minfei Huang <mnghuan@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/pvclock.h | 2 ++
+ arch/x86/kernel/pvclock.c | 4 ++++
+ 2 files changed, 6 insertions(+)
+
+--- a/arch/x86/include/asm/pvclock.h
++++ b/arch/x86/include/asm/pvclock.h
+@@ -85,6 +85,8 @@ unsigned __pvclock_read_cycles(const str
+ u8 ret_flags;
+
+ version = src->version;
++ /* Make the latest version visible */
++ smp_rmb();
+
+ offset = pvclock_get_nsec_offset(src);
+ ret = src->system_time + offset;
+--- a/arch/x86/kernel/pvclock.c
++++ b/arch/x86/kernel/pvclock.c
+@@ -66,6 +66,8 @@ u8 pvclock_read_flags(struct pvclock_vcp
+
+ do {
+ version = __pvclock_read_cycles(src, &ret, &flags);
++ /* Make sure that the version double-check is last. */
++ smp_rmb();
+ } while ((src->version & 1) || version != src->version);
+
+ return flags & valid_flags;
+@@ -80,6 +82,8 @@ cycle_t pvclock_clocksource_read(struct
+
+ do {
+ version = __pvclock_read_cycles(src, &ret, &flags);
++ /* Make sure that the version double-check is last. */
++ smp_rmb();
+ } while ((src->version & 1) || version != src->version);
+
+ if (unlikely((flags & PVCLOCK_GUEST_STOPPED) != 0)) {
--- /dev/null
+From 78c4e172412de5d0456dc00d2b34050aa0b683b5 Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Tue, 5 Jul 2016 17:32:29 -0400
+Subject: Revert "ecryptfs: forbid opening files without mmap handler"
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit 78c4e172412de5d0456dc00d2b34050aa0b683b5 upstream.
+
+This reverts commit 2f36db71009304b3f0b95afacd8eba1f9f046b87.
+
+It fixed a local root exploit but also introduced a dependency on
+the lower file system implementing an mmap operation just to open a file,
+which is a bit of a heavy hammer. The right fix is to have mmap depend
+on the existence of the mmap handler instead.
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/kthread.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+--- a/fs/ecryptfs/kthread.c
++++ b/fs/ecryptfs/kthread.c
+@@ -25,7 +25,6 @@
+ #include <linux/slab.h>
+ #include <linux/wait.h>
+ #include <linux/mount.h>
+-#include <linux/file.h>
+ #include "ecryptfs_kernel.h"
+
+ struct ecryptfs_open_req {
+@@ -148,7 +147,7 @@ int ecryptfs_privileged_open(struct file
+ flags |= IS_RDONLY(d_inode(lower_dentry)) ? O_RDONLY : O_RDWR;
+ (*lower_file) = dentry_open(&req.path, flags, cred);
+ if (!IS_ERR(*lower_file))
+- goto have_file;
++ goto out;
+ if ((flags & O_ACCMODE) == O_RDONLY) {
+ rc = PTR_ERR((*lower_file));
+ goto out;
+@@ -166,16 +165,8 @@ int ecryptfs_privileged_open(struct file
+ mutex_unlock(&ecryptfs_kthread_ctl.mux);
+ wake_up(&ecryptfs_kthread_ctl.wait);
+ wait_for_completion(&req.done);
+- if (IS_ERR(*lower_file)) {
++ if (IS_ERR(*lower_file))
+ rc = PTR_ERR(*lower_file);
+- goto out;
+- }
+-have_file:
+- if ((*lower_file)->f_op->mmap == NULL) {
+- fput(*lower_file);
+- *lower_file = NULL;
+- rc = -EMEDIUMTYPE;
+- }
+ out:
+ return rc;
+ }
--- /dev/null
+From 3e9161bfe0482f26efeaf584d5fd69398c69313c Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Thu, 14 Jul 2016 09:33:41 -0700
+Subject: Revert "Input: wacom_w8001 - drop use of ABS_MT_TOOL_TYPE"
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 3e9161bfe0482f26efeaf584d5fd69398c69313c upstream.
+
+This reverts commit 5f7e5445a2de848c66d2d80ba5479197e8287c33 because
+removal of input_mt_report_slot_state() means we no longer generate
+tracking IDs for the reported contacts.
+
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Ping Cheng <pinglinux@gmail.com>
+
+---
+ drivers/input/touchscreen/wacom_w8001.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/touchscreen/wacom_w8001.c
++++ b/drivers/input/touchscreen/wacom_w8001.c
+@@ -155,6 +155,7 @@ static void parse_multi_touch(struct w80
+ bool touch = data[0] & (1 << i);
+
+ input_mt_slot(dev, i);
++ input_mt_report_slot_state(dev, MT_TOOL_FINGER, touch);
+ if (touch) {
+ x = (data[6 * i + 1] << 7) | data[6 * i + 2];
+ y = (data[6 * i + 3] << 7) | data[6 * i + 4];
+@@ -522,6 +523,8 @@ static int w8001_setup_touch(struct w800
+ 0, touch.x, 0, 0);
+ input_set_abs_params(dev, ABS_MT_POSITION_Y,
+ 0, touch.y, 0, 0);
++ input_set_abs_params(dev, ABS_MT_TOOL_TYPE,
++ 0, MT_TOOL_MAX, 0, 0);
+
+ strlcat(basename, " 2FG", basename_sz);
+ if (w8001->max_pen_x && w8001->max_pen_y)
xenbus-don-t-bail-early-from-xenbus_dev_request_and_reply.patch
xen-blkfront-fix-resume-issues-after-a-migration.patch
xen-blkfront-don-t-call-talk_to_blkback-when-already-connected-to-blkback.patch
+alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
+alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch
+alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch
+input-vmmouse-remove-port-reservation.patch
+input-elantech-add-more-ic-body-types-to-the-list.patch
+input-xpad-fix-oops-when-attaching-an-unknown-xbox-one-gamepad.patch
+input-wacom_w8001-w8001_max_length-should-be-13.patch
+input-wacom_w8001-ignore-invalid-pen-data-packets.patch
+input-xpad-validate-usb-endpoint-count-during-probe.patch
+revert-input-wacom_w8001-drop-use-of-abs_mt_tool_type.patch
+input-synaptics-rmi4-fix-maximum-size-check-for-f12-control-register-8.patch
+input-tsc200x-report-proper-input_dev-name.patch
+pvclock-add-cpu-barriers-to-get-correct-version-value.patch
+pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch
+pinctrl-imx-do-not-treat-a-pin-without-mux-register-as-an-error.patch
+cgroup-remove-redundant-cleanup-in-css_create.patch
+cgroup-set-css-id-to-1-during-init.patch
+cgroup-disable-irqs-while-holding-css_set_lock.patch
+power_supply-power_supply_read_temp-only-if-use_cnt-0.patch
+locks-use-file_inode.patch
+revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch
+ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
