--- /dev/null
+From 1059c6bf8534acda249e7e65c81e7696fb074dc1 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Mon, 22 Sep 2014 11:19:04 +0100
+Subject: arm64: debug: don't re-enable debug exceptions on return from el1_dbg
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 1059c6bf8534acda249e7e65c81e7696fb074dc1 upstream.
+
+When returning from a debug exception taken from EL1, we unmask debug
+exceptions after handling the exception. This is crucial for debug
+exceptions taken from EL0, so that any kernel work on the ret_to_user
+path can be debugged by kgdb.
+
+However, when returning back to EL1 the only thing left to do is to
+restore the original register state before the exception return. If
+single-step has been enabled by the debug exception handler, we will
+get stuck in an infinite debug exception loop, since we will take the
+step exception as soon as we unmask debug exceptions.
+
+This patch avoids unmasking debug exceptions on the debug exception
+return path when the exception was taken from EL1.
+
+Fixes: 2a2830703a23 (arm64: debug: avoid accessing mdscr_el1 on fault paths where possible)
+Reported-by: David Long <dave.long@linaro.org>
+Reported-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/entry.S | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -324,7 +324,6 @@ el1_dbg:
+ mrs x0, far_el1
+ mov x2, sp // struct pt_regs
+ bl do_debug_exception
+- enable_dbg
+ kernel_exit 1
+ el1_inv:
+ // TODO: add support for undefined instructions in kernel mode
--- /dev/null
+From a41a9ad3bbf61fae0b6bfb232153da60d14fdbd9 Mon Sep 17 00:00:00 2001
+From: Mike Christie <michaelc@cs.wisc.edu>
+Date: Mon, 29 Sep 2014 13:55:41 -0500
+Subject: be2iscsi: check ip buffer before copying
+
+From: Mike Christie <michaelc@cs.wisc.edu>
+
+commit a41a9ad3bbf61fae0b6bfb232153da60d14fdbd9 upstream.
+
+Dan Carpenter found a issue where be2iscsi would copy the ip
+from userspace to the driver buffer before checking the len
+of the data being copied:
+http://marc.info/?l=linux-scsi&m=140982651504251&w=2
+
+This patch just has us only copy what we the driver buffer
+can support.
+
+Tested-by: John Soni Jose <sony.john-n@emulex.com>
+Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/be2iscsi/be_mgmt.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/scsi/be2iscsi/be_mgmt.c
++++ b/drivers/scsi/be2iscsi/be_mgmt.c
+@@ -943,17 +943,20 @@ mgmt_static_ip_modify(struct beiscsi_hba
+
+ if (ip_action == IP_ACTION_ADD) {
+ memcpy(req->ip_params.ip_record.ip_addr.addr, ip_param->value,
+- ip_param->len);
++ sizeof(req->ip_params.ip_record.ip_addr.addr));
+
+ if (subnet_param)
+ memcpy(req->ip_params.ip_record.ip_addr.subnet_mask,
+- subnet_param->value, subnet_param->len);
++ subnet_param->value,
++ sizeof(req->ip_params.ip_record.ip_addr.subnet_mask));
+ } else {
+ memcpy(req->ip_params.ip_record.ip_addr.addr,
+- if_info->ip_addr.addr, ip_param->len);
++ if_info->ip_addr.addr,
++ sizeof(req->ip_params.ip_record.ip_addr.addr));
+
+ memcpy(req->ip_params.ip_record.ip_addr.subnet_mask,
+- if_info->ip_addr.subnet_mask, ip_param->len);
++ if_info->ip_addr.subnet_mask,
++ sizeof(req->ip_params.ip_record.ip_addr.subnet_mask));
+ }
+
+ rc = mgmt_exec_nonemb_cmd(phba, &nonemb_cmd, NULL, 0);
+@@ -981,7 +984,7 @@ static int mgmt_modify_gateway(struct be
+ req->action = gtway_action;
+ req->ip_addr.ip_type = BE2_IPV4;
+
+- memcpy(req->ip_addr.addr, gt_addr, param_len);
++ memcpy(req->ip_addr.addr, gt_addr, sizeof(req->ip_addr.addr));
+
+ return mgmt_exec_nonemb_cmd(phba, &nonemb_cmd, NULL, 0);
+ }
--- /dev/null
+From 87cea76384257e6ac3fa4791b6a6b9d0335f7457 Mon Sep 17 00:00:00 2001
+From: Xuelin Shi <xuelin.shi@freescale.com>
+Date: Tue, 1 Jul 2014 16:32:38 +0800
+Subject: dmaengine: fix xor sources continuation
+
+From: Xuelin Shi <xuelin.shi@freescale.com>
+
+commit 87cea76384257e6ac3fa4791b6a6b9d0335f7457 upstream.
+
+the partial xor result must be kept until the next
+tx is generated.
+
+Signed-off-by: Xuelin Shi <xuelin.shi@freescale.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/async_tx/async_xor.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/crypto/async_tx/async_xor.c
++++ b/crypto/async_tx/async_xor.c
+@@ -78,8 +78,6 @@ do_async_xor(struct dma_chan *chan, stru
+ tx = dma->device_prep_dma_xor(chan, dma_dest, src_list,
+ xor_src_cnt, unmap->len,
+ dma_flags);
+- src_list[0] = tmp;
+-
+
+ if (unlikely(!tx))
+ async_tx_quiesce(&submit->depend_tx);
+@@ -92,6 +90,7 @@ do_async_xor(struct dma_chan *chan, stru
+ xor_src_cnt, unmap->len,
+ dma_flags);
+ }
++ src_list[0] = tmp;
+
+ dma_set_unmap(tx, unmap);
+ async_tx_submit(chan, tx, submit);
--- /dev/null
+From 6e4a2a83f95826201bbd89f55522537ea52d1d67 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Date: Mon, 29 Sep 2014 14:42:21 +0200
+Subject: dmaengine: pl330: Fix NULL pointer dereference on driver unbind
+
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+
+commit 6e4a2a83f95826201bbd89f55522537ea52d1d67 upstream.
+
+Fix a NULL pointer dereference after unbinding the driver, if channel
+resources were not yet allocated (no call to
+pl330_alloc_chan_resources()):
+$ echo 12850000.mdma > /sys/bus/amba/drivers/dma-pl330/unbind
+[ 13.606533] DMA pl330_control: removing pch: eeab6800, chan: eeab6814, thread: (null)
+[ 13.614472] Unable to handle kernel NULL pointer dereference at virtual address 0000000c
+[ 13.622537] pgd = ee284000
+[ 13.625228] [0000000c] *pgd=6e1e4831, *pte=00000000, *ppte=00000000
+[ 13.631482] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
+[ 13.636859] Modules linked in:
+[ 13.639903] CPU: 0 PID: 1 Comm: sh Not tainted 3.17.0-rc3-next-20140904-00004-g7020ffc33ca3-dirty #420
+[ 13.649187] task: ee80a800 ti: ee888000 task.ti: ee888000
+[ 13.654589] PC is at _stop+0x8/0x2c8
+[ 13.658131] LR is at pl330_control+0x70/0x2e8
+[ 13.662468] pc : [<c0206028>] lr : [<c020649c>] psr: 60000093
+[ 13.662468] sp : ee889e58 ip : 00000001 fp : 000bab70
+[ 13.673922] r10: eeab6814 r9 : ee16debc r8 : 00000000
+[ 13.679131] r7 : eeab685c r6 : 60000013 r5 : ee16de10 r4 : eeab6800
+[ 13.685641] r3 : 00000002 r2 : 00000000 r1 : 00010000 r0 : 00000000
+[ 13.692153] Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
+[ 13.699357] Control: 10c5387d Table: 6e28404a DAC: 00000015
+[ 13.705085] Process sh (pid: 1, stack limit = 0xee888240)
+[ 13.710466] Stack: (0xee889e58 to 0xee88a000)
+[ 13.714808] 9e40: 00000002 eeab6800
+[ 13.722969] 9e60: ee16de10 eeab6800 ee16de10 60000013 eeab685c c020649c 00000000 c040280c
+[ 13.731128] 9e80: ee889e80 ee889e80 ee16de18 ee16de10 eeab6880 eeab6814 00200200 eeab68a8
+[ 13.739287] 9ea0: 00100100 c0208048 00000000 c0409fc4 eea80800 eea808f8 c0605c44 0000000e
+[ 13.747446] 9ec0: 0000000e eeb3960c eeb39600 c0203c48 eea80800 c0605c44 c0605a8c c023f694
+[ 13.755605] 9ee0: ee80a800 eea80834 eea80800 c023f704 ee80a800 eea80800 c0605c44 c023e8ec
+[ 13.763764] 9f00: 0000000e ee149780 ee29e580 ee889f80 ee29e580 c023e19c 0000000e c01167e4
+[ 13.771923] 9f20: c01167a0 00000000 00000000 c0115e88 00000000 00000000 ee0b1a00 0000000e
+[ 13.780082] 9f40: b6f48000 ee889f80 0000000e ee888000 b6f48000 c00bfadc 00000000 00000003
+[ 13.788241] 9f60: 00000000 00000000 00000000 ee0b1a00 ee0b1a00 0000000e b6f48000 c00bfdf4
+[ 13.796401] 9f80: 00000000 00000000 ffffffff 0000000e b6f48000 b6edc5d0 00000004 c000e7a4
+[ 13.804560] 9fa0: 00000000 c000e620 0000000e b6f48000 00000001 b6f48000 0000000e 00000000
+[ 13.812719] 9fc0: 0000000e b6f48000 b6edc5d0 00000004 0000000e b6f4c8c0 000c3470 000bab70
+[ 13.820879] 9fe0: 00000000 bed2aa50 b6e18bdc b6e6b52c 60000010 00000001 c0c0c0c0 c0c0c0c0
+[ 13.829058] [<c0206028>] (_stop) from [<c020649c>] (pl330_control+0x70/0x2e8)
+[ 13.836165] [<c020649c>] (pl330_control) from [<c0208048>] (pl330_remove+0xb0/0xdc)
+[ 13.843800] [<c0208048>] (pl330_remove) from [<c0203c48>] (amba_remove+0x24/0xc0)
+[ 13.851272] [<c0203c48>] (amba_remove) from [<c023f694>] (__device_release_driver+0x70/0xc4)
+[ 13.859685] [<c023f694>] (__device_release_driver) from [<c023f704>] (device_release_driver+0x1c/0x28)
+[ 13.868971] [<c023f704>] (device_release_driver) from [<c023e8ec>] (unbind_store+0x58/0x90)
+[ 13.877303] [<c023e8ec>] (unbind_store) from [<c023e19c>] (drv_attr_store+0x20/0x2c)
+[ 13.885036] [<c023e19c>] (drv_attr_store) from [<c01167e4>] (sysfs_kf_write+0x44/0x48)
+[ 13.892928] [<c01167e4>] (sysfs_kf_write) from [<c0115e88>] (kernfs_fop_write+0xc0/0x17c)
+[ 13.901090] [<c0115e88>] (kernfs_fop_write) from [<c00bfadc>] (vfs_write+0xa0/0x1a8)
+[ 13.908812] [<c00bfadc>] (vfs_write) from [<c00bfdf4>] (SyS_write+0x40/0x8c)
+[ 13.915850] [<c00bfdf4>] (SyS_write) from [<c000e620>] (ret_fast_syscall+0x0/0x30)
+[ 13.923392] Code: e5813010 e12fff1e e92d40f0 e24dd00c (e590200c)
+[ 13.929467] ---[ end trace 10064e15a5929cf8 ]---
+
+Terminate the thread and free channel resource only if channel resources
+were allocated (thread is not NULL).
+
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Fixes: b3040e40675e ("DMA: PL330: Add dma api driver")
+Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/pl330.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/dma/pl330.c
++++ b/drivers/dma/pl330.c
+@@ -2784,8 +2784,10 @@ static int pl330_remove(struct amba_devi
+ list_del(&pch->chan.device_node);
+
+ /* Flush the channel */
+- pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0);
+- pl330_free_chan_resources(&pch->chan);
++ if (pch->thread) {
++ pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0);
++ pl330_free_chan_resources(&pch->chan);
++ }
+ }
+
+ pl330_del(pl330);
--- /dev/null
+From 0f5ebabdd03b471da1906f7edddc61ceb35cee02 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Date: Mon, 29 Sep 2014 14:42:20 +0200
+Subject: dmaengine: pl330: Fix NULL pointer dereference on probe failure
+
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+
+commit 0f5ebabdd03b471da1906f7edddc61ceb35cee02 upstream.
+
+If dma_async_device_register() returns error and probe should clean up
+and return error, a NULL pointer exception happens because of
+dereference of not allocated channel thread:
+
+Dmesg log (from early printk):
+dma-pl330 12680000.pdma: unable to register DMAC
+DMA pl330_control: removing pch: eeac4000, chan: eeac4014, thread: (null)
+Unable to handle kernel NULL pointer dereference at virtual address 0000000c
+pgd = c0004000
+[0000000c] *pgd=00000000
+Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+Modules linked in:
+CPU: 2 PID: 1 Comm: swapper/0 Not tainted 3.17.0-rc3-next-20140904-00005-g6cc4c1937d90-dirty #427
+task: ee80a800 ti: ee888000 task.ti: ee888000
+PC is at _stop+0x8/0x2c8
+LR is at pl330_control+0x70/0x2e8
+pc : [<c0205dc8>] lr : [<c020623c>] psr: 60000193
+sp : ee889df8 ip : 00000002 fp : 00000000
+r10: eeac4014 r9 : ee0e62bc r8 : 00000000
+r7 : eeac405c r6 : 60000113 r5 : ee0e6210 r4 : eeac4000
+r3 : 00000002 r2 : 00000002 r1 : 00010000 r0 : 00000000
+Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
+Control: 10c5387d Table: 4000404a DAC: 00000015
+Process swapper/0 (pid: 1, stack limit = 0xee888240)
+Stack: (0xee889df8 to 0xee88a000)
+9de0: 00000002 eeac4000
+9e00: ee0e6210 eeac4000 ee0e6210 60000113 eeac405c c020623c 00000000 c020725c
+9e20: ee889e20 ee889e20 ee0e6210 eeac4080 00200200 00100100 eeac4014 00000020
+9e40: ee0e6218 c0208374 00000000 ee9bb340 ee0e6210 00000000 00000000 c0605cd8
+9e60: ee970000 c0605c84 ee9700f8 00000000 c05c4270 00000000 00000000 c0203b3c
+9e80: ee970000 c06624a8 00000000 c0605c84 00000000 c023f890 ee970000 c0605c84
+9ea0: ee970034 00000000 c05b23d0 c023fa3c 00000000 c0605c84 c023f9b0 c023e0d4
+9ec0: ee947e78 ee9b9440 c0605c84 eea1e780 c0605acc c023f094 c0513b50 c0605c84
+9ee0: c05ecbd8 c0605c84 c05ecbd8 ee11ba40 c0626500 c0240064 00000000 c05ecbd8
+9f00: c05ecbd8 c0008964 c040f13c 0000009f c0626500 c057465c ee80a800 60000113
+9f20: 00000000 c05efdb0 60000113 00000000 ef7fc89d c0421168 0000008f c003787c
+9f40: c0573d6c 00000006 ef7fc8bb 00000006 c05efd50 ef7fc800 c05dfbc4 00000006
+9f60: c05c4264 c0626500 0000008f c05c4270 c059b518 c059bcb4 00000006 00000006
+9f80: c059b518 c003c08c 00000000 c040091c 00000000 00000000 00000000 00000000
+9fa0: 00000000 c0400924 00000000 c000e7b8 00000000 00000000 00000000 00000000
+9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+9fe0: 00000000 00000000 00000000 00000000 00000013 00000000 c0c0c0c0 c0c0c0c0
+[<c0205dc8>] (_stop) from [<c020623c>] (pl330_control+0x70/0x2e8)
+[<c020623c>] (pl330_control) from [<c0208374>] (pl330_probe+0x594/0x75c)
+[<c0208374>] (pl330_probe) from [<c0203b3c>] (amba_probe+0xb8/0x120)
+[<c0203b3c>] (amba_probe) from [<c023f890>] (driver_probe_device+0x10c/0x22c)
+[<c023f890>] (driver_probe_device) from [<c023fa3c>] (__driver_attach+0x8c/0x90)
+[<c023fa3c>] (__driver_attach) from [<c023e0d4>] (bus_for_each_dev+0x54/0x88)
+[<c023e0d4>] (bus_for_each_dev) from [<c023f094>] (bus_add_driver+0xd4/0x1d0)
+[<c023f094>] (bus_add_driver) from [<c0240064>] (driver_register+0x78/0xf4)
+[<c0240064>] (driver_register) from [<c0008964>] (do_one_initcall+0x80/0x1d0)
+[<c0008964>] (do_one_initcall) from [<c059bcb4>] (kernel_init_freeable+0x108/0x1d4)
+[<c059bcb4>] (kernel_init_freeable) from [<c0400924>] (kernel_init+0x8/0xec)
+[<c0400924>] (kernel_init) from [<c000e7b8>] (ret_from_fork+0x14/0x3c)
+Code: e5813010 e12fff1e e92d40f0 e24dd00c (e590200c)
+---[ end trace c94b2f4f38dff3bf ]---
+
+This happens because the necessary resources were not yet allocated - no
+call to pl330_alloc_chan_resources().
+
+Terminate the thread and free channel resource only if channel thread is not NULL.
+
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Fixes: 0b94c5771705 ("DMA: PL330: Add check if device tree compatible")
+Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/pl330.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/dma/pl330.c
++++ b/drivers/dma/pl330.c
+@@ -2755,8 +2755,10 @@ probe_err3:
+ list_del(&pch->chan.device_node);
+
+ /* Flush the channel */
+- pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0);
+- pl330_free_chan_resources(&pch->chan);
++ if (pch->thread) {
++ pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0);
++ pl330_free_chan_resources(&pch->chan);
++ }
+ }
+ probe_err2:
+ pl330_del(pl330);
--- /dev/null
+From bc5a5b02331a3175a5fca20a4beba249e573b672 Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Tue, 2 Sep 2014 19:21:47 -0700
+Subject: Drivers: hv: util: Properly pack the data for file copy functionality
+
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+
+commit bc5a5b02331a3175a5fca20a4beba249e573b672 upstream.
+
+Properly pack the data for file copy functionality. Patch based on
+investigation done by Matej Muzila <mmuzila@redhat.com>
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Reported-by: <qge@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/uapi/linux/hyperv.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/uapi/linux/hyperv.h
++++ b/include/uapi/linux/hyperv.h
+@@ -137,7 +137,7 @@ struct hv_do_fcopy {
+ __u64 offset;
+ __u32 size;
+ __u8 data[DATA_FRAGMENT];
+-};
++} __attribute__((packed));
+
+ /*
+ * An implementation of HyperV key value pair (KVP) functionality for Linux.
--- /dev/null
+From b29ef3546aecb253a5552b198cef23750d56e1e4 Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Thu, 28 Aug 2014 18:29:52 -0700
+Subject: Drivers: hv: vmbus: Cleanup hv_post_message()
+
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+
+commit b29ef3546aecb253a5552b198cef23750d56e1e4 upstream.
+
+Minimize failures in this function by pre-allocating the buffer
+for posting messages. The hypercall for posting the message can fail
+for a number of reasons:
+
+ 1. Transient resource related issues
+ 2. Buffer alignment
+ 3. Buffer cannot span a page boundry
+
+We address issues 2 and 3 by preallocating a per-cpu page for the buffer.
+Transient resource related failures are handled by retrying by the callers
+of this function.
+
+This patch is based on the investigation
+done by Dexuan Cui <decui@microsoft.com>.
+
+I would like to thank Sitsofe Wheeler <sitsofe@yahoo.com>
+for reporting the issue and helping in debuggging.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Reported-by: Sitsofe Wheeler <sitsofe@yahoo.com>
+Tested-by: Sitsofe Wheeler <sitsofe@yahoo.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/hv.c | 27 +++++++++++++++------------
+ drivers/hv/hyperv_vmbus.h | 4 ++++
+ 2 files changed, 19 insertions(+), 12 deletions(-)
+
+--- a/drivers/hv/hv.c
++++ b/drivers/hv/hv.c
+@@ -138,6 +138,8 @@ int hv_init(void)
+ memset(hv_context.synic_event_page, 0, sizeof(void *) * NR_CPUS);
+ memset(hv_context.synic_message_page, 0,
+ sizeof(void *) * NR_CPUS);
++ memset(hv_context.post_msg_page, 0,
++ sizeof(void *) * NR_CPUS);
+ memset(hv_context.vp_index, 0,
+ sizeof(int) * NR_CPUS);
+ memset(hv_context.event_dpc, 0,
+@@ -217,26 +219,18 @@ int hv_post_message(union hv_connection_
+ enum hv_message_type message_type,
+ void *payload, size_t payload_size)
+ {
+- struct aligned_input {
+- u64 alignment8;
+- struct hv_input_post_message msg;
+- };
+
+ struct hv_input_post_message *aligned_msg;
+ u16 status;
+- unsigned long addr;
+
+ if (payload_size > HV_MESSAGE_PAYLOAD_BYTE_COUNT)
+ return -EMSGSIZE;
+
+- addr = (unsigned long)kmalloc(sizeof(struct aligned_input), GFP_ATOMIC);
+- if (!addr)
+- return -ENOMEM;
+-
+ aligned_msg = (struct hv_input_post_message *)
+- (ALIGN(addr, HV_HYPERCALL_PARAM_ALIGN));
++ hv_context.post_msg_page[get_cpu()];
+
+ aligned_msg->connectionid = connection_id;
++ aligned_msg->reserved = 0;
+ aligned_msg->message_type = message_type;
+ aligned_msg->payload_size = payload_size;
+ memcpy((void *)aligned_msg->payload, payload, payload_size);
+@@ -244,8 +238,7 @@ int hv_post_message(union hv_connection_
+ status = do_hypercall(HVCALL_POST_MESSAGE, aligned_msg, NULL)
+ & 0xFFFF;
+
+- kfree((void *)addr);
+-
++ put_cpu();
+ return status;
+ }
+
+@@ -294,6 +287,14 @@ int hv_synic_alloc(void)
+ pr_err("Unable to allocate SYNIC event page\n");
+ goto err;
+ }
++
++ hv_context.post_msg_page[cpu] =
++ (void *)get_zeroed_page(GFP_ATOMIC);
++
++ if (hv_context.post_msg_page[cpu] == NULL) {
++ pr_err("Unable to allocate post msg page\n");
++ goto err;
++ }
+ }
+
+ return 0;
+@@ -308,6 +309,8 @@ static void hv_synic_free_cpu(int cpu)
+ free_page((unsigned long)hv_context.synic_event_page[cpu]);
+ if (hv_context.synic_message_page[cpu])
+ free_page((unsigned long)hv_context.synic_message_page[cpu]);
++ if (hv_context.post_msg_page[cpu])
++ free_page((unsigned long)hv_context.post_msg_page[cpu]);
+ }
+
+ void hv_synic_free(void)
+--- a/drivers/hv/hyperv_vmbus.h
++++ b/drivers/hv/hyperv_vmbus.h
+@@ -515,6 +515,10 @@ struct hv_context {
+ * per-cpu list of the channels based on their CPU affinity.
+ */
+ struct list_head percpu_list[NR_CPUS];
++ /*
++ * buffer to post messages to the host.
++ */
++ void *post_msg_page[NR_CPUS];
+ };
+
+ extern struct hv_context hv_context;
--- /dev/null
+From 98d731bb064a9d1817a6ca9bf8b97051334a7cfe Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Wed, 27 Aug 2014 16:25:33 -0700
+Subject: Drivers: hv: vmbus: Cleanup vmbus_close_internal()
+
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+
+commit 98d731bb064a9d1817a6ca9bf8b97051334a7cfe upstream.
+
+Eliminate calls to BUG_ON() in vmbus_close_internal().
+We have chosen to potentially leak memory, than crash the guest
+in case of failures.
+
+In this version of the patch I have addressed comments from
+Dan Carpenter (dan.carpenter@oracle.com).
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Tested-by: Sitsofe Wheeler <sitsofe@yahoo.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/channel.c | 29 +++++++++++++++++++++++------
+ 1 file changed, 23 insertions(+), 6 deletions(-)
+
+--- a/drivers/hv/channel.c
++++ b/drivers/hv/channel.c
+@@ -479,7 +479,7 @@ static void reset_channel_cb(void *arg)
+ channel->onchannel_callback = NULL;
+ }
+
+-static void vmbus_close_internal(struct vmbus_channel *channel)
++static int vmbus_close_internal(struct vmbus_channel *channel)
+ {
+ struct vmbus_channel_close_channel *msg;
+ int ret;
+@@ -502,11 +502,28 @@ static void vmbus_close_internal(struct
+
+ ret = vmbus_post_msg(msg, sizeof(struct vmbus_channel_close_channel));
+
+- BUG_ON(ret != 0);
++ if (ret) {
++ pr_err("Close failed: close post msg return is %d\n", ret);
++ /*
++ * If we failed to post the close msg,
++ * it is perhaps better to leak memory.
++ */
++ return ret;
++ }
++
+ /* Tear down the gpadl for the channel's ring buffer */
+- if (channel->ringbuffer_gpadlhandle)
+- vmbus_teardown_gpadl(channel,
+- channel->ringbuffer_gpadlhandle);
++ if (channel->ringbuffer_gpadlhandle) {
++ ret = vmbus_teardown_gpadl(channel,
++ channel->ringbuffer_gpadlhandle);
++ if (ret) {
++ pr_err("Close failed: teardown gpadl return %d\n", ret);
++ /*
++ * If we failed to teardown gpadl,
++ * it is perhaps better to leak memory.
++ */
++ return ret;
++ }
++ }
+
+ /* Cleanup the ring buffers for this channel */
+ hv_ringbuffer_cleanup(&channel->outbound);
+@@ -515,7 +532,7 @@ static void vmbus_close_internal(struct
+ free_pages((unsigned long)channel->ringbuffer_pages,
+ get_order(channel->ringbuffer_pagecount * PAGE_SIZE));
+
+-
++ return ret;
+ }
+
+ /*
--- /dev/null
+From 72c6b71c245dac8f371167d97ef471b367d0b66b Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Wed, 27 Aug 2014 16:25:34 -0700
+Subject: Drivers: hv: vmbus: Cleanup vmbus_establish_gpadl()
+
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+
+commit 72c6b71c245dac8f371167d97ef471b367d0b66b upstream.
+
+Eliminate the call to BUG_ON() by waiting for the host to respond. We are
+trying to reclaim the ownership of memory that was given to the host and so
+we will have to wait until the host responds.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Tested-by: Sitsofe Wheeler <sitsofe@yahoo.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/channel.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/hv/channel.c
++++ b/drivers/hv/channel.c
+@@ -363,7 +363,6 @@ int vmbus_establish_gpadl(struct vmbus_c
+ u32 next_gpadl_handle;
+ unsigned long flags;
+ int ret = 0;
+- int t;
+
+ next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle);
+ atomic_inc(&vmbus_connection.next_gpadl_handle);
+@@ -410,9 +409,7 @@ int vmbus_establish_gpadl(struct vmbus_c
+
+ }
+ }
+- t = wait_for_completion_timeout(&msginfo->waitevent, 5*HZ);
+- BUG_ON(t == 0);
+-
++ wait_for_completion(&msginfo->waitevent);
+
+ /* At this point, we received the gpadl created msg */
+ *gpadl_handle = gpadlmsg->gpadl;
--- /dev/null
+From fdeebcc62279119dbeafbc1a2e39e773839025fd Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Wed, 27 Aug 2014 16:25:31 -0700
+Subject: Drivers: hv: vmbus: Cleanup vmbus_post_msg()
+
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+
+commit fdeebcc62279119dbeafbc1a2e39e773839025fd upstream.
+
+Posting messages to the host can fail because of transient resource
+related failures. Correctly deal with these failures and increase the
+number of attempts to post the message before giving up.
+
+In this version of the patch, I have normalized the error code to
+Linux error code.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Tested-by: Sitsofe Wheeler <sitsofe@yahoo.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/connection.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/hv/connection.c
++++ b/drivers/hv/connection.c
+@@ -427,10 +427,21 @@ int vmbus_post_msg(void *buffer, size_t
+ * insufficient resources. Retry the operation a couple of
+ * times before giving up.
+ */
+- while (retries < 3) {
+- ret = hv_post_message(conn_id, 1, buffer, buflen);
+- if (ret != HV_STATUS_INSUFFICIENT_BUFFERS)
++ while (retries < 10) {
++ ret = hv_post_message(conn_id, 1, buffer, buflen);
++
++ switch (ret) {
++ case HV_STATUS_INSUFFICIENT_BUFFERS:
++ ret = -ENOMEM;
++ case -ENOMEM:
++ break;
++ case HV_STATUS_SUCCESS:
+ return ret;
++ default:
++ pr_err("hv_post_msg() failed; error code:%d\n", ret);
++ return -EINVAL;
++ }
++
+ retries++;
+ msleep(100);
+ }
--- /dev/null
+From 66be653083057358724d56d817e870e53fb81ca7 Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Wed, 27 Aug 2014 16:25:32 -0700
+Subject: Drivers: hv: vmbus: Cleanup vmbus_teardown_gpadl()
+
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+
+commit 66be653083057358724d56d817e870e53fb81ca7 upstream.
+
+Eliminate calls to BUG_ON() by properly handling errors. In cases where
+rollback is possible, we will return the appropriate error to have the
+calling code decide how to rollback state. In the case where we are
+transferring ownership of the guest physical pages to the host,
+we will wait for the host to respond.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Tested-by: Sitsofe Wheeler <sitsofe@yahoo.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/channel.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/hv/channel.c
++++ b/drivers/hv/channel.c
+@@ -435,7 +435,7 @@ int vmbus_teardown_gpadl(struct vmbus_ch
+ struct vmbus_channel_gpadl_teardown *msg;
+ struct vmbus_channel_msginfo *info;
+ unsigned long flags;
+- int ret, t;
++ int ret;
+
+ info = kmalloc(sizeof(*info) +
+ sizeof(struct vmbus_channel_gpadl_teardown), GFP_KERNEL);
+@@ -457,11 +457,12 @@ int vmbus_teardown_gpadl(struct vmbus_ch
+ ret = vmbus_post_msg(msg,
+ sizeof(struct vmbus_channel_gpadl_teardown));
+
+- BUG_ON(ret != 0);
+- t = wait_for_completion_timeout(&info->waitevent, 5*HZ);
+- BUG_ON(t == 0);
++ if (ret)
++ goto post_msg_err;
+
+- /* Received a torndown response */
++ wait_for_completion(&info->waitevent);
++
++post_msg_err:
+ spin_lock_irqsave(&vmbus_connection.channelmsg_lock, flags);
+ list_del(&info->msglistentry);
+ spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags);
--- /dev/null
+From 45d727cee9e200f5b351528b9fb063b69cf702c8 Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Wed, 27 Aug 2014 16:25:35 -0700
+Subject: Drivers: hv: vmbus: Fix a bug in vmbus_open()
+
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+
+commit 45d727cee9e200f5b351528b9fb063b69cf702c8 upstream.
+
+Fix a bug in vmbus_open() and properly propagate the error. I would
+like to thank Dexuan Cui <decui@microsoft.com> for identifying the
+issue.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Tested-by: Sitsofe Wheeler <sitsofe@yahoo.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/channel.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/hv/channel.c
++++ b/drivers/hv/channel.c
+@@ -165,8 +165,10 @@ int vmbus_open(struct vmbus_channel *new
+ ret = vmbus_post_msg(open_msg,
+ sizeof(struct vmbus_channel_open_channel));
+
+- if (ret != 0)
++ if (ret != 0) {
++ err = ret;
+ goto error1;
++ }
+
+ t = wait_for_completion_timeout(&open_info->waitevent, 5*HZ);
+ if (t == 0) {
--- /dev/null
+From 471b095dfe0d693a8d624cbc716d1ee4d74eb437 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 18 Sep 2014 11:25:37 -0700
+Subject: firmware_class: make sure fw requests contain a name
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 471b095dfe0d693a8d624cbc716d1ee4d74eb437 upstream.
+
+An empty firmware request name will trigger warnings when building
+device names. Make sure this is caught earlier and rejected.
+
+The warning was visible via the test_firmware.ko module interface:
+
+echo -ne "\x00" > /sys/devices/virtual/misc/test_firmware/trigger_request
+
+Reported-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Tested-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/firmware_class.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/base/firmware_class.c
++++ b/drivers/base/firmware_class.c
+@@ -1105,6 +1105,9 @@ _request_firmware(const struct firmware
+ if (!firmware_p)
+ return -EINVAL;
+
++ if (!name || name[0] == '\0')
++ return -EINVAL;
++
+ ret = _request_firmware_prepare(&fw, name, device);
+ if (ret <= 0) /* error or already assigned */
+ goto out;
--- /dev/null
+From 5b65c2a0296644dd3dbdd590d6f00174d18c96b3 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Wed, 10 Sep 2014 18:02:37 -0700
+Subject: HID: rmi: check sanity of the incoming report
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+commit 5b65c2a0296644dd3dbdd590d6f00174d18c96b3 upstream.
+
+In the Dell XPS 13 9333, it appears that sometimes the bus get confused
+and corrupts the incoming data. It fills the input report with the
+sentinel value "ff". Synaptics told us that such behavior does not comes
+from the touchpad itself, so we filter out such reports here.
+
+Unfortunately, we can not simply discard the incoming data because they
+may contain useful information. Most of the time, the misbehavior is
+quite near the end of the report, so we can still use the valid part of
+it.
+
+Fixes:
+https://bugzilla.redhat.com/show_bug.cgi?id=1123584
+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Andrew Duggan <aduggan@synaptics.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-rmi.c | 44 ++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 38 insertions(+), 6 deletions(-)
+
+--- a/drivers/hid/hid-rmi.c
++++ b/drivers/hid/hid-rmi.c
+@@ -320,10 +320,7 @@ static int rmi_f11_input_event(struct hi
+ int offset;
+ int i;
+
+- if (size < hdata->f11.report_size)
+- return 0;
+-
+- if (!(irq & hdata->f11.irq_mask))
++ if (!(irq & hdata->f11.irq_mask) || size <= 0)
+ return 0;
+
+ offset = (hdata->max_fingers >> 2) + 1;
+@@ -332,9 +329,19 @@ static int rmi_f11_input_event(struct hi
+ int fs_bit_position = (i & 0x3) << 1;
+ int finger_state = (data[fs_byte_position] >> fs_bit_position) &
+ 0x03;
++ int position = offset + 5 * i;
++
++ if (position + 5 > size) {
++ /* partial report, go on with what we received */
++ printk_once(KERN_WARNING
++ "%s %s: Detected incomplete finger report. Finger reports may occasionally get dropped on this platform.\n",
++ dev_driver_string(&hdev->dev),
++ dev_name(&hdev->dev));
++ hid_dbg(hdev, "Incomplete finger report\n");
++ break;
++ }
+
+- rmi_f11_process_touch(hdata, i, finger_state,
+- &data[offset + 5 * i]);
++ rmi_f11_process_touch(hdata, i, finger_state, &data[position]);
+ }
+ input_mt_sync_frame(hdata->input);
+ input_sync(hdata->input);
+@@ -352,6 +359,11 @@ static int rmi_f30_input_event(struct hi
+ if (!(irq & hdata->f30.irq_mask))
+ return 0;
+
++ if (size < (int)hdata->f30.report_size) {
++ hid_warn(hdev, "Click Button pressed, but the click data is missing\n");
++ return 0;
++ }
++
+ for (i = 0; i < hdata->gpio_led_count; i++) {
+ if (test_bit(i, &hdata->button_mask)) {
+ value = (data[i / 8] >> (i & 0x07)) & BIT(0);
+@@ -412,9 +424,29 @@ static int rmi_read_data_event(struct hi
+ return 1;
+ }
+
++static int rmi_check_sanity(struct hid_device *hdev, u8 *data, int size)
++{
++ int valid_size = size;
++ /*
++ * On the Dell XPS 13 9333, the bus sometimes get confused and fills
++ * the report with a sentinel value "ff". Synaptics told us that such
++ * behavior does not comes from the touchpad itself, so we filter out
++ * such reports here.
++ */
++
++ while ((data[valid_size - 1] == 0xff) && valid_size > 0)
++ valid_size--;
++
++ return valid_size;
++}
++
+ static int rmi_raw_event(struct hid_device *hdev,
+ struct hid_report *report, u8 *data, int size)
+ {
++ size = rmi_check_sanity(hdev, data, size);
++ if (size < 2)
++ return 0;
++
+ switch (data[0]) {
+ case RMI_READ_DATA_REPORT_ID:
+ return rmi_read_data_event(hdev, data, size);
--- /dev/null
+From 8ffffd5212846b72f116f7a9572e83d580e25802 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Tue, 16 Sep 2014 16:56:39 -0400
+Subject: HID: wacom: fix timeout on probe for some wacoms
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+commit 8ffffd5212846b72f116f7a9572e83d580e25802 upstream.
+
+Some Wacom tablets (at least the ISDv4 found in the Lenovo X230) timeout
+during probe while retrieving the input reports.
+The only time this information is valuable is during the feature_mapping
+stage, so we can ask for it there and discard the generic input reports
+retrieval.
+
+This gives a code path closer to the wacom.ko driver when it was in the
+input subtree (not HID).
+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_sys.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -106,12 +106,24 @@ static void wacom_feature_mapping(struct
+ {
+ struct wacom *wacom = hid_get_drvdata(hdev);
+ struct wacom_features *features = &wacom->wacom_wac.features;
++ u8 *data;
++ int ret;
+
+ switch (usage->hid) {
+ case HID_DG_CONTACTMAX:
+ /* leave touch_max as is if predefined */
+- if (!features->touch_max)
+- features->touch_max = field->value[0];
++ if (!features->touch_max) {
++ /* read manually */
++ data = kzalloc(2, GFP_KERNEL);
++ if (!data)
++ break;
++ data[0] = field->report->id;
++ ret = wacom_get_report(hdev, HID_FEATURE_REPORT,
++ data, 2, 0);
++ if (ret == 2)
++ features->touch_max = data[1];
++ kfree(data);
++ }
+ break;
+ }
+ }
+@@ -1245,6 +1257,8 @@ static int wacom_probe(struct hid_device
+ if (!id->driver_data)
+ return -EINVAL;
+
++ hdev->quirks |= HID_QUIRK_NO_INIT_REPORTS;
++
+ wacom = kzalloc(sizeof(struct wacom), GFP_KERNEL);
+ if (!wacom)
+ return -ENOMEM;
--- /dev/null
+From a18c3f16a907b8977ef65fc8dd71ed3f7b751748 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Tue, 30 Sep 2014 12:55:41 +0200
+Subject: mpc85xx_edac: Make L2 interrupt shared too
+
+From: Borislav Petkov <bp@suse.de>
+
+commit a18c3f16a907b8977ef65fc8dd71ed3f7b751748 upstream.
+
+The other two interrupt handlers in this driver are shared, except this
+one. When loading the driver, it fails like this.
+
+So make the IRQ line shared.
+
+Freescale(R) MPC85xx EDAC driver, (C) 2006 Montavista Software
+mpc85xx_mc_err_probe: No ECC DIMMs discovered
+EDAC DEVICE0: Giving out device to module MPC85xx_edac controller mpc85xx_l2_err: DEV mpc85xx_l2_err (INTERRUPT)
+genirq: Flags mismatch irq 16. 00000000 ([EDAC] L2 err) vs. 00000080 ([EDAC] PCI err)
+mpc85xx_l2_err_probe: Unable to request irq 16 for MPC85xx L2 err
+remove_proc_entry: removing non-empty directory 'irq/16', leaking at least 'aerdrv'
+------------[ cut here ]------------
+WARNING: at fs/proc/generic.c:521
+Modules linked in:
+CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.17.0-rc5-dirty #1
+task: ee058000 ti: ee046000 task.ti: ee046000
+NIP: c016c0c4 LR: c016c0c4 CTR: c037b51c
+REGS: ee047c10 TRAP: 0700 Not tainted (3.17.0-rc5-dirty)
+MSR: 00029000 <CE,EE,ME> CR: 22008022 XER: 20000000
+
+GPR00: c016c0c4 ee047cc0 ee058000 00000053 00029000 00000000 c037c744 00000003
+GPR08: c09aab28 c09aab24 c09aab28 00000156 20008028 00000000 c0002ac8 00000000
+GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000139 c0950394
+GPR24: c09f0000 ee5585b0 ee047d08 c0a10000 ee047d08 ee15f808 00000002 ee03f660
+NIP [c016c0c4] remove_proc_entry
+LR [c016c0c4] remove_proc_entry
+Call Trace:
+remove_proc_entry (unreliable)
+unregister_irq_proc
+free_desc
+irq_free_descs
+mpc85xx_l2_err_probe
+platform_drv_probe
+really_probe
+__driver_attach
+bus_for_each_dev
+bus_add_driver
+driver_register
+mpc85xx_mc_init
+do_one_initcall
+kernel_init_freeable
+kernel_init
+ret_from_kernel_thread
+Instruction dump: ...
+
+Reported-and-tested-by: <lpb_098@163.com>
+Acked-by: Johannes Thumshirn <johannes.thumshirn@men.de>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/mpc85xx_edac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/mpc85xx_edac.c
++++ b/drivers/edac/mpc85xx_edac.c
+@@ -633,7 +633,7 @@ static int mpc85xx_l2_err_probe(struct p
+ if (edac_op_state == EDAC_OPSTATE_INT) {
+ pdata->irq = irq_of_parse_and_map(op->dev.of_node, 0);
+ res = devm_request_irq(&op->dev, pdata->irq,
+- mpc85xx_l2_isr, 0,
++ mpc85xx_l2_isr, IRQF_SHARED,
+ "[EDAC] L2 err", edac_dev);
+ if (res < 0) {
+ printk(KERN_ERR
--- /dev/null
+From 4089b71cc820a426d601283c92fcd4ffeb5139c2 Mon Sep 17 00:00:00 2001
+From: Chris J Arges <chris.j.arges@canonical.com>
+Date: Tue, 23 Sep 2014 09:22:25 -0500
+Subject: mptfusion: enable no_write_same for vmware scsi disks
+
+From: Chris J Arges <chris.j.arges@canonical.com>
+
+commit 4089b71cc820a426d601283c92fcd4ffeb5139c2 upstream.
+
+When using a virtual SCSI disk in a VMWare VM if blkdev_issue_zeroout is used
+data can be improperly zeroed out using the mptfusion driver. This patch
+disables write_same for this driver and the vmware subsystem_vendor which
+ensures that manual zeroing out is used instead.
+
+BugLink: http://bugs.launchpad.net/bugs/1371591
+Reported-by: Bruce Lucas <bruce.lucas@mongodb.com>
+Tested-by: Chris J Arges <chris.j.arges@canonical.com>
+Signed-off-by: Chris J Arges <chris.j.arges@canonical.com>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/message/fusion/mptspi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/message/fusion/mptspi.c
++++ b/drivers/message/fusion/mptspi.c
+@@ -1419,6 +1419,11 @@ mptspi_probe(struct pci_dev *pdev, const
+ goto out_mptspi_probe;
+ }
+
++ /* VMWare emulation doesn't properly implement WRITE_SAME
++ */
++ if (pdev->subsystem_vendor == 0x15AD)
++ sh->no_write_same = 1;
++
+ spin_lock_irqsave(&ioc->FreeQlock, flags);
+
+ /* Attach the SCSI Host to the IOC structure
--- /dev/null
+From 78c2106a50e067f7168ee8c0944baaeb0e988272 Mon Sep 17 00:00:00 2001
+From: Himanshu Madhani <himanshu.madhani@qlogic.com>
+Date: Thu, 25 Sep 2014 06:14:44 -0400
+Subject: qla2xxx: fix kernel NULL pointer access
+
+From: Himanshu Madhani <himanshu.madhani@qlogic.com>
+
+commit 78c2106a50e067f7168ee8c0944baaeb0e988272 upstream.
+
+This patch is to fix regression added by commit id
+51a07f84649d2be206c4c2ad9a612956db0c2f8c.
+
+When allocating memory for new session original patch does
+not assign vha to op->vha resulting into NULL pointer
+access during qlt_create_sess_from_atio().
+
+Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
+Signed-off-by: Saurav Kashyap <saurav.kashyap@qlogic.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_target.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -3277,6 +3277,7 @@ static int qlt_handle_cmd_for_atio(struc
+ return -ENOMEM;
+
+ memcpy(&op->atio, atio, sizeof(*atio));
++ op->vha = vha;
+ INIT_WORK(&op->work, qlt_create_sess_from_atio);
+ queue_work(qla_tgt_wq, &op->work);
+ return 0;
--- /dev/null
+From db7157d4cfce6edf052452fb1d327d4d11b67f4c Mon Sep 17 00:00:00 2001
+From: Joe Lawrence <joe.lawrence@stratus.com>
+Date: Tue, 26 Aug 2014 17:10:41 -0400
+Subject: qla2xxx: Fix shost use-after-free on device removal
+
+From: Joe Lawrence <joe.lawrence@stratus.com>
+
+commit db7157d4cfce6edf052452fb1d327d4d11b67f4c upstream.
+
+Once calling scsi_host_put, be careful to not access qla_hw_data through
+the Scsi_Host private data (ie, scsi_qla_host base_vha).
+
+Fixes: fe1b806f4f71 ("qla2xxx: Refactor shutdown code so some functionality can be reused")
+Signed-off-by: Joe Lawrence <joe.lawrence@stratus.com>
+Acked-by: Chad Dupuis <chad.dupuis@qlogic.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -3119,10 +3119,8 @@ qla2x00_unmap_iobases(struct qla_hw_data
+ }
+
+ static void
+-qla2x00_clear_drv_active(scsi_qla_host_t *vha)
++qla2x00_clear_drv_active(struct qla_hw_data *ha)
+ {
+- struct qla_hw_data *ha = vha->hw;
+-
+ if (IS_QLA8044(ha)) {
+ qla8044_idc_lock(ha);
+ qla8044_clear_drv_active(ha);
+@@ -3193,7 +3191,7 @@ qla2x00_remove_one(struct pci_dev *pdev)
+
+ scsi_host_put(base_vha->host);
+
+- qla2x00_clear_drv_active(base_vha);
++ qla2x00_clear_drv_active(ha);
+
+ qla2x00_unmap_iobases(ha);
+
--- /dev/null
+From 75554b68ac1e018bca00d68a430b92ada8ab52dd Mon Sep 17 00:00:00 2001
+From: Arun Easi <arun.easi@qlogic.com>
+Date: Thu, 25 Sep 2014 06:14:45 -0400
+Subject: qla2xxx: Use correct offset to req-q-out for reserve calculation
+
+From: Arun Easi <arun.easi@qlogic.com>
+
+commit 75554b68ac1e018bca00d68a430b92ada8ab52dd upstream.
+
+Signed-off-by: Arun Easi <arun.easi@qlogic.com>
+Signed-off-by: Saurav Kashyap <saurav.kashyap@qlogic.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_target.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -1431,12 +1431,10 @@ static inline void qlt_unmap_sg(struct s
+ static int qlt_check_reserve_free_req(struct scsi_qla_host *vha,
+ uint32_t req_cnt)
+ {
+- struct qla_hw_data *ha = vha->hw;
+- device_reg_t __iomem *reg = ha->iobase;
+ uint32_t cnt;
+
+ if (vha->req->cnt < (req_cnt + 2)) {
+- cnt = (uint16_t)RD_REG_DWORD(®->isp24.req_q_out);
++ cnt = (uint16_t)RD_REG_DWORD(vha->req->req_q_out);
+
+ ql_dbg(ql_dbg_tgt, vha, 0xe00a,
+ "Request ring circled: cnt=%d, vha->->ring_index=%d, "
--- /dev/null
+From 2c98e0c1cc6b8e86f1978286c3d4e0769ee9d733 Mon Sep 17 00:00:00 2001
+From: Xiubo Li <Li.Xiubo@freescale.com>
+Date: Sun, 28 Sep 2014 11:35:25 +0800
+Subject: regmap: debugfs: fix possbile NULL pointer dereference
+
+From: Xiubo Li <Li.Xiubo@freescale.com>
+
+commit 2c98e0c1cc6b8e86f1978286c3d4e0769ee9d733 upstream.
+
+If 'map->dev' is NULL and there will lead dev_name() to be NULL pointer
+dereference. So before dev_name(), we need to have check of the map->dev
+pionter.
+
+We also should make sure that the 'name' pointer shouldn't be NULL for
+debugfs_create_dir(). So here using one default "dummy" debugfs name when
+the 'name' pointer and 'map->dev' are both NULL.
+
+Signed-off-by: Xiubo Li <Li.Xiubo@freescale.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/regmap/regmap-debugfs.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/regmap/regmap-debugfs.c
++++ b/drivers/base/regmap/regmap-debugfs.c
+@@ -473,6 +473,7 @@ void regmap_debugfs_init(struct regmap *
+ {
+ struct rb_node *next;
+ struct regmap_range_node *range_node;
++ const char *devname = "dummy";
+
+ /* If we don't have the debugfs root yet, postpone init */
+ if (!regmap_debugfs_root) {
+@@ -491,12 +492,15 @@ void regmap_debugfs_init(struct regmap *
+ INIT_LIST_HEAD(&map->debugfs_off_cache);
+ mutex_init(&map->cache_lock);
+
++ if (map->dev)
++ devname = dev_name(map->dev);
++
+ if (name) {
+ map->debugfs_name = kasprintf(GFP_KERNEL, "%s-%s",
+- dev_name(map->dev), name);
++ devname, name);
+ name = map->debugfs_name;
+ } else {
+- name = dev_name(map->dev);
++ name = devname;
+ }
+
+ map->debugfs = debugfs_create_dir(name, regmap_debugfs_root);
--- /dev/null
+From 5336be8416a71b5568d2cf54a2f2066abe9f2a53 Mon Sep 17 00:00:00 2001
+From: Pankaj Dubey <pankaj.dubey@samsung.com>
+Date: Sat, 27 Sep 2014 09:47:55 +0530
+Subject: regmap: fix NULL pointer dereference in _regmap_write/read
+
+From: Pankaj Dubey <pankaj.dubey@samsung.com>
+
+commit 5336be8416a71b5568d2cf54a2f2066abe9f2a53 upstream.
+
+If LOG_DEVICE is defined and map->dev is NULL it will lead to NULL
+pointer dereference. This patch fixes this issue by adding check for
+dev->NULL in all such places in regmap.c
+
+Signed-off-by: Pankaj Dubey <pankaj.dubey@samsung.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/regmap/regmap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1408,7 +1408,7 @@ int _regmap_write(struct regmap *map, un
+ }
+
+ #ifdef LOG_DEVICE
+- if (strcmp(dev_name(map->dev), LOG_DEVICE) == 0)
++ if (map->dev && strcmp(dev_name(map->dev), LOG_DEVICE) == 0)
+ dev_info(map->dev, "%x <= %x\n", reg, val);
+ #endif
+
+@@ -2058,7 +2058,7 @@ static int _regmap_read(struct regmap *m
+ ret = map->reg_read(context, reg, val);
+ if (ret == 0) {
+ #ifdef LOG_DEVICE
+- if (strcmp(dev_name(map->dev), LOG_DEVICE) == 0)
++ if (map->dev && strcmp(dev_name(map->dev), LOG_DEVICE) == 0)
+ dev_info(map->dev, "%x => %x\n", reg, *val);
+ #endif
+
--- /dev/null
+From d6b41cb06044a7d895db82bdd54f6e4219970510 Mon Sep 17 00:00:00 2001
+From: Xiubo Li <Li.Xiubo@freescale.com>
+Date: Sun, 28 Sep 2014 17:09:54 +0800
+Subject: regmap: fix possible ZERO_SIZE_PTR pointer dereferencing error.
+
+From: Xiubo Li <Li.Xiubo@freescale.com>
+
+commit d6b41cb06044a7d895db82bdd54f6e4219970510 upstream.
+
+Since we cannot make sure the 'val_count' will always be none zero
+here, and then if it equals to zero, the kmemdup() will return
+ZERO_SIZE_PTR, which equals to ((void *)16).
+
+So this patch fix this with just doing the zero check before calling
+kmemdup().
+
+Signed-off-by: Xiubo Li <Li.Xiubo@freescale.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/regmap/regmap.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1659,6 +1659,9 @@ out:
+ } else {
+ void *wval;
+
++ if (!val_count)
++ return -EINVAL;
++
+ wval = kmemdup(val, val_count * val_bytes, GFP_KERNEL);
+ if (!wval) {
+ dev_err(map->dev, "Error in memory allocation\n");
--- /dev/null
+From c5bb725ac2d1a13e9e766bf9a16bac986ade17cd Mon Sep 17 00:00:00 2001
+From: Steffen Trumtrar <s.trumtrar@pengutronix.de>
+Date: Thu, 25 Sep 2014 16:39:11 +0200
+Subject: regulator: ltc3589: fix broken voltage transitions
+
+From: Steffen Trumtrar <s.trumtrar@pengutronix.de>
+
+commit c5bb725ac2d1a13e9e766bf9a16bac986ade17cd upstream.
+
+VCCR is used as a trigger to start voltage transitions, so
+we need to mark it volatile in order to make sure it gets
+written to hardware every time we set a new voltage.
+
+Fixes regulator voltage being stuck at the first voltage
+set after driver load.
+
+[lst: reworded commit message]
+Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/ltc3589.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/regulator/ltc3589.c
++++ b/drivers/regulator/ltc3589.c
+@@ -372,6 +372,7 @@ static bool ltc3589_volatile_reg(struct
+ switch (reg) {
+ case LTC3589_IRQSTAT:
+ case LTC3589_PGSTAT:
++ case LTC3589_VCCR:
+ return true;
+ }
+ return false;
spi-dw-mid-respect-8-bit-mode.patch
spi-rockchip-fix-bug-that-cause-the-failure-to-read-data-in-dma-mode.patch
spi-dw-mid-check-that-dma-was-inited-before-exit.patch
+hid-wacom-fix-timeout-on-probe-for-some-wacoms.patch
+hid-rmi-check-sanity-of-the-incoming-report.patch
+mpc85xx_edac-make-l2-interrupt-shared-too.patch
+regmap-debugfs-fix-possbile-null-pointer-dereference.patch
+regmap-fix-null-pointer-dereference-in-_regmap_write-read.patch
+regmap-fix-possible-zero_size_ptr-pointer-dereferencing-error.patch
+be2iscsi-check-ip-buffer-before-copying.patch
+mptfusion-enable-no_write_same-for-vmware-scsi-disks.patch
+regulator-ltc3589-fix-broken-voltage-transitions.patch
+qla2xxx-fix-kernel-null-pointer-access.patch
+qla2xxx-use-correct-offset-to-req-q-out-for-reserve-calculation.patch
+qla2xxx-fix-shost-use-after-free-on-device-removal.patch
+dmaengine-fix-xor-sources-continuation.patch
+dmaengine-pl330-fix-null-pointer-dereference-on-probe-failure.patch
+dmaengine-pl330-fix-null-pointer-dereference-on-driver-unbind.patch
+firmware_class-make-sure-fw-requests-contain-a-name.patch
+arm64-debug-don-t-re-enable-debug-exceptions-on-return-from-el1_dbg.patch
+drivers-hv-util-properly-pack-the-data-for-file-copy-functionality.patch
+drivers-hv-vmbus-cleanup-vmbus_post_msg.patch
+drivers-hv-vmbus-cleanup-vmbus_teardown_gpadl.patch
+drivers-hv-vmbus-cleanup-vmbus_close_internal.patch
+drivers-hv-vmbus-cleanup-vmbus_establish_gpadl.patch
+drivers-hv-vmbus-fix-a-bug-in-vmbus_open.patch
+drivers-hv-vmbus-cleanup-hv_post_message.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
